pedump 0.5.2 → 0.6.2

data/lib/pedump.rb

@@ -2,6 +2,7 @@
 require 'stringio'
 require 'iostruct'
 require 'zhexdump'
+require 'set'
 
 unless Object.new.respond_to?(:try) && nil.respond_to?(:try)
   require 'pedump/core_ext/try'
@@ -16,6 +17,7 @@ require 'pedump/security'
 require 'pedump/packer'
 require 'pedump/ne'
 require 'pedump/ne/version_info'
+require 'pedump/te'
 
 # pedump.rb by zed_0xff
 #
@@ -27,6 +29,10 @@ class PEdump
 
   VERSION    = Version::STRING
   MAX_ERRORS = 100
+  MAX_IMAGE_IMPORT_DESCRIPTORS = 1000
+  MAX_EXPORT_NUMBER_OF_NAMES = 16384 # got 7977 in https://pedump.me/03ad7400080678c6b1984f995d36fd04
+  GOOD_FUNCTION_NAME_RE = /\A[\x21-\x7f]+\Z/
+  SUPPORTED_SIGNATURES = ['MZ', 'ZM', 'VZ']
 
   @@logger = nil
 
@@ -255,7 +261,7 @@ class PEdump
 
   # http://ntcore.com/files/richsign.htm
   class RichHdr < String
-    attr_accessor :offset, :key # xor key
+    attr_accessor :offset, :skip, :key # xor key
 
     class Entry < Struct.new(:version,:id,:times)
       def inspect
@@ -264,8 +270,21 @@ class PEdump
     end
 
     def self.from_dos_stub stub
+      #stub.hexdump
       key = stub[stub.index('Rich')+4,4]
       start_idx = stub.index(key.xor('DanS'))
+      skip = 0
+      if start_idx
+        skip = 4
+      else
+        PEdump.logger.warn "[?] cannot find rich_hdr start_idx, using heuristics"
+        start_idx = stub.index("$\x00\x00\x00\x00\x00\x00\x00")
+        unless start_idx
+          PEdump.logger.warn "[?] heuristics failed :("
+          return nil
+        end
+        start_idx += 8
+      end
       end_idx   = stub.index('Rich')+8
       if stub[end_idx..-1].tr("\x00",'') != ''
         t = stub[end_idx..-1]
@@ -273,14 +292,16 @@ class PEdump
         PEdump.logger.error "[!] non-zero dos stub after rich_hdr: #{t.inspect}"
         return nil
       end
+      #stub[start_idx, end_idx-start_idx].hexdump
       RichHdr.new(stub[start_idx, end_idx-start_idx]).tap do |x|
         x.key = key
         x.offset = stub.offset + start_idx
+        x.skip = skip
       end
     end
 
     def dexor
-      self[4..-9].sub(/\A(#{Regexp::escape(key)}){3}/,'').xor(key)
+      self[skip..-9].sub(/\A(#{Regexp::escape(key)}){3}/,'').xor(key)
     end
 
     def decode
@@ -318,9 +339,9 @@ class PEdump
     @mz ||= f && MZ.read(f).tap do |mz|
       if mz.signature != 'MZ' && mz.signature != 'ZM'
         if @force
-          logger.warn  "[?] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}"
+          #logger.warn  "[?] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}"
         else
-          logger.error "[!] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}. (not forced)"
+          #logger.error "[!] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}. (not forced)"
           return nil
         end
       end
@@ -376,6 +397,13 @@ class PEdump
   def va2file va, h={}
     return nil if va.nil?
 
+    va0 = va # save for log output of original addr
+    if pe?
+      # most common case, do nothing
+    elsif te?
+      va = va - te_shift()
+    end
+
     sections.each do |s|
       if (s.VirtualAddress...(s.VirtualAddress+s.VirtualSize)).include?(va)
         offset = va - s.VirtualAddress
@@ -407,9 +435,9 @@ class PEdump
     # TODO: not all VirtualAdresses == 0 case
 
     if h[:quiet]
-      logger.debug "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)} (quiet=true)"
+      logger.debug "[?] can't find file_offset of VA 0x#{va0.to_i.to_s(16)} (quiet=true)"
     else
-      logger.error "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)}"
+      logger.error "[?] can't find file_offset of VA 0x#{va0.to_i.to_s(16)}"
     end
     nil
   end
@@ -427,16 +455,22 @@ class PEdump
   end
 
   def _dump_handle h
-    return unless pe(h) # also calls mz(h)
-    rich_hdr h
-    resources h
-    imports h   # also calls tls(h)
-    exports h
-    packer h
+    if pe(h) # also calls mz(h)
+      rich_hdr h
+      resources h
+      imports h   # also calls tls(h)
+      exports h
+      packer h
+    elsif te(h)
+    end
   end
 
   def data_directory f=@io
-    pe(f) && pe.ioh && pe.ioh.DataDirectory
+    if pe(f)
+      pe.ioh && pe.ioh.DataDirectory
+    elsif te(f)
+      te.DataDirectory
+    end
   end
 
   def sections f=@io
@@ -444,16 +478,52 @@ class PEdump
       pe.section_table
     elsif ne(f)
       ne.segments
+    elsif te(f)
+      te.sections
     end
   end
   alias :section_table :sections
 
-  def ne?
-    @pe ? false : (@ne ? true : (pe ? false : (ne ? true : false)))
+  def supported_file? f=@io
+    pos = f.tell
+    sig = f.read(2)
+    f.seek(pos)
+    if SUPPORTED_SIGNATURES.include?(sig)
+      true
+    else
+      unless @not_supported_sig_warned
+        msg = "no supported signature. want: #{SUPPORTED_SIGNATURES.join("/")}, got: #{sig.inspect}"
+        if @force
+          logger.warn  "[?] #{msg}"
+        else
+          logger.error "[!] #{msg}. (not forced)"
+        end
+        @not_supported_sig_warned = true
+      end
+      false
+    end
+  end
+
+  def _detect_format
+    return :pe if @pe
+    return :ne if @ne
+    return :te if @te
+    return :pe if pe()
+    return :ne if ne()
+    return :te if te()
+    nil
   end
 
   def pe?
-    @pe ? true  : (@ne ? false : (pe ? true : false ))
+    _detect_format() == :pe
+  end
+
+  def ne?
+    _detect_format() == :ne
+  end
+
+  def te?
+    _detect_format() == :te
   end
 
   ##############################################################################
@@ -498,6 +568,8 @@ class PEdump
       pe_imports(f)
     elsif ne(f)
       ne(f).imports
+    else
+      []
     end
   end
 
@@ -527,7 +599,11 @@ class PEdump
           # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/manyimportsW7.asm
           break
         end
-        t=IMAGE_IMPORT_DESCRIPTOR.read(f)
+        if r.size >= MAX_IMAGE_IMPORT_DESCRIPTORS
+          logger.warn "[!] too many IMAGE_IMPORT_DESCRIPTORs, not reading more than #{r.size}"
+          break
+        end
+        t = IMAGE_IMPORT_DESCRIPTOR.read(f)
         break if t.Name.to_i == 0 # also catches EOF
         r << t
         file_offset += IMAGE_IMPORT_DESCRIPTOR::SIZE
@@ -536,8 +612,16 @@ class PEdump
       logger.warn "[?] imports info beyond EOF"
     end
 
+    n_bad_names = 0
     logger.warn "[?] non-empty last IMAGE_IMPORT_DESCRIPTOR: #{t.inspect}" if t && !t.empty?
-    @imports = r.each do |x|
+    @imports = r
+    r = nil
+    @imports.each_with_index do |x, iidx|
+      if n_bad_names > MAX_ERRORS
+        logger.warn "[!] too many bad imported function names. skipping further imports parsing"
+        @imports = @imports[0,iidx]
+        break
+      end
       if x.Name.to_i != 0 && (ofs = va2file(x.Name))
         begin
         f.seek ofs
@@ -572,12 +656,18 @@ class PEdump
                 logger.warn "[?] import ofs 0x#{ofs.to_s(16)} VA=0x#{t.to_s(16)} beyond EOF"
                 nil
               else
-                ImportedFunction.new(
-                  f.read(2).unpack('v').first,
-                  f.gets("\x00").chomp("\x00"),
-                  nil,
-                  va
-                )
+                hint = f.read(2).unpack('v').first
+                name = f.gets("\x00").to_s.chomp("\x00")
+                if !name.empty? && name !~ GOOD_FUNCTION_NAME_RE
+                  n_bad_names += 1
+                  if n_bad_names > MAX_ERRORS
+                    nil
+                  else
+                    ImportedFunction.new(hint, name, nil, va)
+                  end
+                else
+                  ImportedFunction.new(hint, name, nil, va)
+                end
               end
             elsif tbl == :original_first_thunk
               # OriginalFirstThunk entries can not be invalid, show a warning msg
@@ -592,7 +682,7 @@ class PEdump
             end
         end
         x[tbl] && x[tbl].compact!
-      end
+      end # [:original_first_thunk, :first_thunk].each
       if x.original_first_thunk && !x.first_thunk
         logger.warn "[?] import table: empty FirstThunk for #{x.module_name}"
       elsif !x.original_first_thunk && x.first_thunk
@@ -603,7 +693,8 @@ class PEdump
           logger.debug "[?] import table: OriginalFirstThunk != FirstThunk for #{x.module_name}"
         end
       end
-    end
+    end # r.each
+    @imports
   end
 
   ##############################################################################
@@ -720,9 +811,9 @@ class PEdump
       ord2name = {}
       if x.names && x.names.any?
         n = x.NumberOfNames
-        if n > 2048
-          logger.warn "[?] NumberOfNames too big (#{x.NumberOfNames}), limiting to 2048"
-          n = 2048
+        if n > MAX_EXPORT_NUMBER_OF_NAMES
+          logger.warn "[?] NumberOfNames too big (#{x.NumberOfNames}), limiting to #{MAX_EXPORT_NUMBER_OF_NAMES}"
+          n = MAX_EXPORT_NUMBER_OF_NAMES
         end
         n.times do |i|
           ord2name[x.name_ordinals[i]] ||= []

data/lib/pedump/cli.rb

@@ -1,5 +1,6 @@
 require 'pedump'
 require 'pedump/packer'
+require 'pedump/rich'
 require 'pedump/version_info'
 require 'optparse'
 
@@ -33,13 +34,14 @@ class PEdump::CLI
   attr_accessor :data, :argv
 
   KNOWN_ACTIONS = (
-    %w'mz dos_stub rich pe ne data_directory sections tls security' +
-    %w'strings resources resource_directory imports exports version_info packer web console packer_only'
+    %w'mz dos_stub rich pe ne te data_directory sections tls security' +
+    %w'strings resources resource_directory imports exports version_info packer web console packer_only' +
+    %w'extract' # 'disasm'
   ).map(&:to_sym)
 
-  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory web packer_only console'.map(&:to_sym)
+  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory web packer_only console extract disasm'.map(&:to_sym)
 
-  URL_BASE = "http://pedump.me"
+  URL_BASE = "https://pedump.me"
 
   def initialize argv = ARGV
     @argv = argv
@@ -65,8 +67,8 @@ class PEdump::CLI
         @options[:force] ||= 0
         @options[:force] += 1
       end
-      opts.on "-f", "--format FORMAT", [:binary, :c, :dump, :hex, :inspect, :table, :yaml],
-        "Output format: bin,c,dump,hex,inspect,table,yaml","(default: table)" do |v|
+      opts.on "-f", "--format FORMAT", [:binary, :c, :dump, :hex, :inspect, :json, :table, :yaml],
+        "Output format: bin,c,dump,hex,inspect,json,table,yaml","(default: table)" do |v|
         @options[:format] = v
       end
       KNOWN_ACTIONS.each do |t|
@@ -96,8 +98,24 @@ class PEdump::CLI
       opts.on "--all", "Dump all but resource-directory (default)" do
         @actions = DEFAULT_ALL_ACTIONS
       end
+
+      opts.separator ''
+
+#      opts.on "--disasm [X]", "Disassemble a symbol/VA" do |v|
+#        @actions << [:disasm, v]
+#      end
+      opts.on("--extract ID", "Extract a resource/section/data_dir",
+              "ID: datadir:EXPORT     - datadir by type",
+              "ID: resource:0x98478   - resource by offset",
+              "ID: resource:ICON/#1   - resource by type & name",
+              "ID: section:.text      - section by name",
+              "ID: section:rva/0x1000 - section by RVA",
+              "ID: section:raw/0x400  - section by RAW_PTR",
+             ) do |v|
+        @actions << [:extract, v]
+      end
       opts.on "--va2file VA", "Convert RVA to file offset" do |va|
-        @actions << [:va2file,va]
+        @actions << [:va2file, va]
       end
 
       opts.separator ''
@@ -133,9 +151,9 @@ class PEdump::CLI
       @file_name = fname
 
       File.open(fname,'rb') do |f|
-        @pedump = create_pedump fname
+        @pedump = create_pedump f
 
-        next if !@options[:force] && !@pedump.mz(f)
+        next if !@options[:force] && !@pedump.supported_file?(f)
 
         @actions.each do |action|
           case action
@@ -152,8 +170,8 @@ class PEdump::CLI
     # prevents a 'Broken pipe - <STDOUT> (Errno::EPIPE)' message
   end
 
-  def create_pedump fname
-    PEdump.new(fname, :force => @options[:force]).tap do |x|
+  def create_pedump io
+    PEdump.new(io, :force => @options[:force]).tap do |x|
       x.logger.level =
         case @options[:verbose]
         when -100..-3
@@ -194,16 +212,14 @@ class PEdump::CLI
   end
 
   class ProgressProxy
-    attr_reader :pbar
-
-    def initialize file
-      @file = file
-      @pbar = ProgressBar.new("[.] uploading", file.size, STDOUT)
-      @pbar.try(:file_transfer_mode)
-      @pbar.bar_mark = '='
+    def initialize file, prefix = "[.] uploading: ", io = $stdout
+      @file   = file
+      @io     = io
+      @prefix = prefix
     end
     def read *args
-      @pbar.inc args.first
+      @io.write("\r#{@prefix}#{@file.tell}/#{@file.size} ")
+      @io.flush
       @file.read *args
     end
     def method_missing *args
@@ -212,6 +228,10 @@ class PEdump::CLI
     def respond_to? *args
       @file.respond_to?(args.first) || super(*args)
     end
+
+    def finish!
+      @io.write("\r#{@prefix}#{@file.size}/#{@file.size} \n")
+    end
   end
 
   def upload f
@@ -224,17 +244,17 @@ class PEdump::CLI
     require 'open-uri'
     require 'net/http'
     require 'net/http/post/multipart'
-    require 'progressbar'
 
-    stdout_sync = STDOUT.sync
-    STDOUT.sync = true
+    stdout_sync = $stdout.sync
+    $stdout.sync = true
 
     md5 = Digest::MD5.file(f.path).hexdigest
     @pedump.logger.info "[.] md5: #{md5}"
     file_url = "#{URL_BASE}/#{md5}/"
 
     @pedump.logger.warn "[.] checking if file already uploaded.."
-    Net::HTTP.start('pedump.me') do |http|
+    uri = URI.parse URL_BASE
+    Net::HTTP.start(uri.host, uri.port, use_ssl: (uri.scheme == 'https')) do |http|
       http.open_timeout = 10
       http.read_timeout = 10
       # doing HTTP HEAD is a lot faster than open-uri
@@ -250,24 +270,26 @@ class PEdump::CLI
 
     f.rewind
 
-    # upload with progressbar
+    # upload with progress
     post_url = URI.parse(URL_BASE+'/')
+    # UploadIO is from multipart-post
     uio = UploadIO.new(f, "application/octet-stream", File.basename(f.path))
     ppx = ProgressProxy.new(uio)
     req = Net::HTTP::Post::Multipart.new post_url.path, "file" => ppx
-    res = Net::HTTP.start(post_url.host, post_url.port){ |http| http.request(req) }
-    ppx.pbar.finish
-
-    puts
-    puts "[.] analyzing..."
+    res = Net::HTTP.start(post_url.host, post_url.port, use_ssl: (post_url.scheme == 'https')) do |http|
+      http.request(req)
+    end
+    ppx.finish!
 
-    if (r=open(File.join(URL_BASE,md5,'analyze')).read) != "OK"
-      raise "invalid server response: #{r}"
+    unless [200, 302, 303].include?(res.code.to_i)
+      @pedump.logger.fatal "[!] invalid server response: #{res.code} #{res.msg}"
+      @pedump.logger.fatal res.body unless res.body.empty?
+      exit(1)
     end
 
     puts "[.] uploaded: #{file_url}"
   ensure
-    STDOUT.sync = stdout_sync
+    $stdout.sync = stdout_sync
   end
 
   def console f
@@ -311,6 +333,10 @@ class PEdump::CLI
   def dump_action action, f
     if action.is_a?(Array)
       case action[0]
+      when :disasm
+        return
+      when :extract
+        return extract action[1]
       when :va2file
         @pedump.sections(f)
         va = action[1] =~ /(^0x)|(h$)/i ? action[1].to_i(16) : action[1].to_i
@@ -326,7 +352,7 @@ class PEdump::CLI
 
     puts action_title(action) unless @options[:format] == :binary
 
-    return dump(data) if [:inspect, :table, :yaml].include?(@options[:format])
+    return dump(data) if [:inspect, :table, :json, :yaml].include?(@options[:format])
 
     dump_opts = {:name => action}
     case action
@@ -376,6 +402,9 @@ class PEdump::CLI
     when :yaml
       require 'yaml'
       puts data.to_yaml
+    when :json
+      require 'json'
+      puts data.to_json
     end
   end
 
@@ -454,6 +483,8 @@ class PEdump::CLI
       case data.first
       when PEdump::IMAGE_DATA_DIRECTORY
         dump_data_dir data
+      when PEdump::EFI_IMAGE_DATA_DIRECTORY
+        dump_efi_data_dir data
       when PEdump::IMAGE_SECTION_HEADER
         dump_sections data
       when PEdump::Resource
@@ -778,19 +809,26 @@ class PEdump::CLI
     end
   end
 
-
   def dump_data_dir data
     data.each do |row|
       printf "  %-12s  rva:0x%8x   size:0x %8x\n", row.type, row.va.to_i, row.size.to_i
     end
   end
 
+  def dump_efi_data_dir data
+    data.each_with_index do |row, idx|
+      printf "  %-12s  rva:0x%8x   size:0x %8x\n", PEdump::EFI_IMAGE_DATA_DIRECTORY::TYPES[idx], row.va.to_i, row.size.to_i
+    end
+  end
+
   def dump_rich_hdr data
     if decoded = data.decode
-      puts "    LIB_ID        VERSION        TIMES_USED   "
+      puts "   ID   VER         COUNT  DESCRIPTION"
       decoded.each do |row|
-        printf " %5d  %2x    %7d  %4x   %7d %3x\n",
-          row.id, row.id, row.version, row.version, row.times, row.times
+#        printf " %5d  %4x    %7d  %4x   %12d %8x\n",
+#          row.id, row.id, row.version, row.version, row.times, row.times
+        printf " %4x  %4x  %12d  %s\n",
+          row.id, row.version, row.times, ::PEdump::RICH_IDS[(row.id<<16) + row.version]
       end
     else
       puts "# raw:"
@@ -801,4 +839,79 @@ class PEdump::CLI
     end
   end
 
+  def disasm x
+    puts "TODO"
+  end
+
+  def extract x
+    a = x.split(':',2)
+    case a[0]
+    when 'datadir'
+      extract_datadir a[1]
+    when 'resource'
+      extract_resource a[1]
+    when 'section'
+      extract_section a[1]
+    else
+      raise "invalid #{x.inspect}"
+    end
+  end
+
+  def extract_datadir id
+    entry = @pedump.data_directory.find{ |x| x.type == id }
+    unless entry
+      @pedump.logger.fatal "[!] entry #{id.inspect} not found"
+      exit(1)
+    end
+    if entry.size != 0
+      IO::copy_stream @pedump.io, $stdout, entry.size, @pedump.va2file(entry.va)
+    end
+  end
+
+  def extract_resource id
+    res = nil
+    if id =~ /\A0x\h+\Z/
+      needle = id.to_i(16)
+      res = @pedump.resources.find{ |r| r.file_offset == needle }
+    elsif id =~ /\A\d+\Z/
+      needle = id.to_i(10)
+      res = @pedump.resources.find{ |r| r.file_offset == needle }
+    elsif id['/']
+      type, name = id.split('/', 2)
+      res = @pedump.resources.find{ |r| r.type == type && r.name == name }
+    else
+      @pedump.logger.fatal "[!] invalid resource id #{id.inspect}"
+      exit(1)
+    end
+    unless res
+      @pedump.logger.fatal "[!] resource #{id.inspect} not found"
+      exit(1)
+    end
+    IO::copy_stream @pedump.io, $stdout, res.size, res.file_offset
+  end
+
+  def extract_section id
+    section = nil
+    if id['/']
+      a = id.split('/',2)
+      if a[0] == 'rva'
+        value = a[1].to_i(0) # auto hex/dec, but also can parse oct and bin
+        section = @pedump.sections.find{ |s| s.VirtualAddress == value }
+      elsif a[0] == 'raw'
+        value = a[1].to_i(0) # auto hex/dec, but also can parse oct and bin
+        section = @pedump.sections.find{ |s| s.PointerToRawData == value }
+      else
+        @pedump.logger.fatal "[!] invalid section id #{id.inspect}"
+        exit(1)
+      end
+    else
+      section = @pedump.sections.find{ |s| s.Name == id }
+    end
+    unless section
+      @pedump.logger.fatal "[!] section #{id.inspect} not found"
+      exit(1)
+    end
+    IO::copy_stream @pedump.io, $stdout, section.SizeOfRawData, section.PointerToRawData
+  end
+
 end # class PEdump::CLI