pedump 0.5.3

@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: '09298f0bc9e608f9b7636a80f6f4b9aeb29aaf6f8f3bf72aa743a06d1bc3dd30'
4
+ data.tar.gz: e86dc4d6edd01222416e4937cec876a2551dea3b4ba8cb7eefb7aaa09d0375ce
5
+ SHA512:
6
+ metadata.gz: 3b83b01e940fb0388a95566d4ca53fe61913f02b9d474987a35deb9c0b4073d66712a9179f801bc617f7202a3d42fd0d05e5a1cbe34ec332f3cf38c494e2f660
7
+ data.tar.gz: 64d7ae8c83a01f7e9772ed1e7e631474079baedd914f19ec26c725bb2a663155076d50777c14080532de3bcc3241fa0423705326e8f20067ec568b10e934d84b
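--- /dev/null
+++ b/data/Gemfile
@@ -0,0 +1,16 @@
+source "https://rubygems.org"
+#gemspec
+
+gem 'rainbow'
+gem "awesome_print"
+gem "iostruct", ">= 0.0.4"
+gem "multipart-post", ">= 2.0.0"
+gem "progressbar"
+gem "zhexdump", ">= 0.0.2"
+
+group :development do
+gem "rspec", "~> 3.9.0"
+gem "rspec-its", "~> 1.3.0"
+gem "bundler", "~> 2.1.4"
+gem "jeweler", "~> 2.3.9"
+end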
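Review bot: The runtime gems `rainbow`, `awesome_print` and `progressbar` on lines 4, 5 and 8 carry no version constraint at all, so any `bundle install` that does not start from the committed Gemfile.lock resolves them to whatever is newest on rubygems.org, including a future major release with breaking changes; `multipart-post`, `iostruct` and `zhexdump` have only a lower bound and are open-ended in the same way. Because `#gemspec` on line 2 is commented out, this list is also maintained separately from the gemspec and can silently drift from the dependencies the published gem declares. Consider relying on `gemspec` alone, or at least bounding each runtime gem to the release the lockfile resolved, e.g. `gem 'rainbow', '~> 3.0'`, and treating Gemfile.lock as the record of what was actually vetted. As a style point, line 4 uses single quotes while every other line uses double quotes.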
@@ -0,0 +1,90 @@
1
+ GEM
2
+ remote: https://rubygems.org/
3
+ specs:
4
+ addressable (2.4.0)
5
+ awesome_print (1.8.0)
6
+ builder (3.2.4)
7
+ descendants_tracker (0.0.4)
8
+ thread_safe (~> 0.3, >= 0.3.1)
9
+ diff-lcs (1.3)
10
+ faraday (0.9.2)
11
+ multipart-post (>= 1.2, < 3)
12
+ git (1.5.0)
13
+ github_api (0.16.0)
14
+ addressable (~> 2.4.0)
15
+ descendants_tracker (~> 0.0.4)
16
+ faraday (~> 0.8, < 0.10)
17
+ hashie (>= 3.4)
18
+ mime-types (>= 1.16, < 3.0)
19
+ oauth2 (~> 1.0)
20
+ hashie (4.0.0)
21
+ highline (2.0.3)
22
+ iostruct (0.0.4)
23
+ jeweler (2.3.9)
24
+ builder
25
+ bundler
26
+ git (>= 1.2.5)
27
+ github_api (~> 0.16.0)
28
+ highline (>= 1.6.15)
29
+ nokogiri (>= 1.5.10)
30
+ psych
31
+ rake
32
+ rdoc
33
+ semver2
34
+ jwt (2.2.1)
35
+ mime-types (2.99.3)
36
+ mini_portile2 (2.4.0)
37
+ multi_json (1.14.1)
38
+ multi_xml (0.6.0)
39
+ multipart-post (2.0.0)
40
+ nokogiri (1.10.7)
41
+ mini_portile2 (~> 2.4.0)
42
+ oauth2 (1.4.2)
43
+ faraday (>= 0.8, < 2.0)
44
+ jwt (>= 1.0, < 3.0)
45
+ multi_json (~> 1.3)
46
+ multi_xml (~> 0.5)
47
+ rack (>= 1.2, < 3)
48
+ progressbar (1.10.1)
49
+ psych (3.1.0)
50
+ rack (2.1.1)
51
+ rainbow (3.0.0)
52
+ rake (13.0.1)
53
+ rdoc (6.2.1)
54
+ rspec (3.9.0)
55
+ rspec-core (~> 3.9.0)
56
+ rspec-expectations (~> 3.9.0)
57
+ rspec-mocks (~> 3.9.0)
58
+ rspec-core (3.9.1)
59
+ rspec-support (~> 3.9.1)
60
+ rspec-expectations (3.9.0)
61
+ diff-lcs (>= 1.2.0, < 2.0)
62
+ rspec-support (~> 3.9.0)
63
+ rspec-its (1.3.0)
64
+ rspec-core (>= 3.0.0)
65
+ rspec-expectations (>= 3.0.0)
66
+ rspec-mocks (3.9.1)
67
+ diff-lcs (>= 1.2.0, < 2.0)
68
+ rspec-support (~> 3.9.0)
69
+ rspec-support (3.9.2)
70
+ semver2 (3.4.2)
71
+ thread_safe (0.3.6)
72
+ zhexdump (0.0.2)
73
+
74
+ PLATFORMS
75
+ ruby
76
+
77
+ DEPENDENCIES
78
+ awesome_print
79
+ bundler (~> 2.1.4)
80
+ iostruct (>= 0.0.4)
81
+ jeweler (~> 2.3.9)
82
+ multipart-post (>= 2.0.0)
83
+ progressbar
84
+ rainbow
85
+ rspec (~> 3.9.0)
86
+ rspec-its (~> 1.3.0)
87
+ zhexdump (>= 0.0.2)
88
+
89
+ BUNDLED WITH
90
+ 2.1.4
@@ -0,0 +1,20 @@
1
+ Copyright (c) 2011 Andrey "Zed" Zaikin
2
+
3
+ Permission is hereby granted, free of charge, to any person obtaining
4
+ a copy of this software and associated documentation files (the
5
+ "Software"), to deal in the Software without restriction, including
6
+ without limitation the rights to use, copy, modify, merge, publish,
7
+ distribute, sublicense, and/or sell copies of the Software, and to
8
+ permit persons to whom the Software is furnished to do so, subject to
9
+ the following conditions:
10
+
11
+ The above copyright notice and this permission notice shall be
12
+ included in all copies or substantial portions of the Software.
13
+
14
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
18
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
19
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
20
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@@ -0,0 +1,410 @@
1
+ pedump [![Build Status](https://travis-ci.org/zed-0xff/pedump.png?branch=master)](https://travis-ci.org/zed-0xff/pedump) [![Dependency Status](https://gemnasium.com/zed-0xff/pedump.png)](https://gemnasium.com/zed-0xff/pedump)
2
+ ======
3
+
4
+ Description
5
+ -----------
6
+ A pure ruby implementation of win32 PE binary files dumper.
7
+
8
+ Supported formats:
9
+
10
+ * DOS MZ EXE
11
+ * win16 NE
12
+ * win32 PE
13
+ * win64 PE
14
+
15
+ Can dump:
16
+
17
+ * MZ/NE/PE Header
18
+ * DOS stub
19
+ * ['Rich' Header](http://ntcore.com/files/richsign.htm)
20
+ * Data Directory
21
+ * Sections
22
+ * Resources
23
+ * Strings
24
+ * Imports & Exports
25
+ * VS_VERSIONINFO parsing
26
+ * PE Packer/Compiler detection
27
+ * a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
28
+
29
+ Installation
30
+ ------------
31
+ gem install pedump
32
+
33
+ Usage
34
+ -----
35
+
36
+ # pedump -h
37
+
38
+ Usage: pedump [options]
39
+ --version Print version information and exit
40
+ -v, --verbose Run verbosely
41
+ (can be used multiple times)
42
+ -q, --quiet Silent any warnings
43
+ (can be used multiple times)
44
+ -F, --force Try to dump by all means
45
+ (can cause exceptions & heavy wounds)
46
+ -f, --format FORMAT Output format: bin,c,dump,hex,inspect,table,yaml
47
+ (default: table)
48
+ --mz
49
+ --dos-stub
50
+ --rich
51
+ --pe
52
+ --ne
53
+ --data-directory
54
+ -S, --sections
55
+ --tls
56
+ --security
57
+ -s, --strings
58
+ -R, --resources
59
+ --resource-directory
60
+ -I, --imports
61
+ -E, --exports
62
+ -V, --version-info
63
+ --packer
64
+ --deep packer deep scan, significantly slower
65
+ -P, --packer-only packer/compiler detect only,
66
+ mimics 'file' command output
67
+ -r, --recursive recurse dirs in packer detect
68
+ --all Dump all but resource-directory (default)
69
+ --va2file VA Convert RVA to file offset
70
+ -W, --web Uploads files to a http://pedump.me
71
+ for a nice HTML tables with image previews,
72
+ candies & stuff
73
+
74
+ ### MZ Header
75
+
76
+ # pedump --mz calc.exe
77
+
78
+ === MZ Header ===
79
+
80
+ signature: "MZ"
81
+ bytes_in_last_block: 144 0x90
82
+ blocks_in_file: 3 3
83
+ num_relocs: 0 0
84
+ header_paragraphs: 4 4
85
+ min_extra_paragraphs: 0 0
86
+ max_extra_paragraphs: 65535 0xffff
87
+ ss: 0 0
88
+ sp: 184 0xb8
89
+ checksum: 0 0
90
+ ip: 0 0
91
+ cs: 0 0
92
+ reloc_table_offset: 64 0x40
93
+ overlay_number: 0 0
94
+ reserved0: 0 0
95
+ oem_id: 0 0
96
+ oem_info: 0 0
97
+ reserved2: 0 0
98
+ reserved3: 0 0
99
+ reserved4: 0 0
100
+ reserved5: 0 0
101
+ reserved6: 0 0
102
+ lfanew: 232 0xe8
103
+
104
+ ### DOS stub
105
+
106
+ # pedump --dos-stub calc.exe
107
+
108
+ === DOS STUB ===
109
+
110
+ 00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
111
+ 00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
112
+ 00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
113
+ 00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
114
+
115
+ ### 'Rich' Header
116
+
117
+ # pedump --rich calc.exe
118
+
119
+ === RICH Header ===
120
+
121
+ LIB_ID VERSION TIMES_USED
122
+ 149 95 21022 521e 9 9
123
+ 1 1 0 0 367 16f
124
+ 147 93 21022 521e 29 1d
125
+ 132 84 21022 521e 129 81
126
+ 131 83 21022 521e 25 19
127
+ 148 94 21022 521e 1 1
128
+ 145 91 21022 521e 1 1
129
+
130
+ ### PE Header
131
+
132
+ # pedump --pe calc.exe
133
+
134
+ === PE Header ===
135
+
136
+ signature: "PE\x00\x00"
137
+
138
+ # IMAGE_FILE_HEADER:
139
+ Machine: 332 0x14c x86
140
+ NumberOfSections: 4 4
141
+ TimeDateStamp: "2008-09-14 07:28:52"
142
+ PointerToSymbolTable: 0 0
143
+ NumberOfSymbols: 0 0
144
+ SizeOfOptionalHeader: 224 0xe0
145
+ Characteristics: 258 0x102 EXECUTABLE_IMAGE, 32BIT_MACHINE
146
+
147
+ # IMAGE_OPTIONAL_HEADER32:
148
+ Magic: 267 0x10b 32-bit executable
149
+ LinkerVersion: 9.0
150
+ SizeOfCode: 305664 0x4aa00
151
+ SizeOfInitializedData: 340480 0x53200
152
+ SizeOfUninitializedData: 0 0
153
+ AddressOfEntryPoint: 230155 0x3830b
154
+ BaseOfCode: 4096 0x1000
155
+ BaseOfData: 311296 0x4c000
156
+ ImageBase: 16777216 0x1000000
157
+ SectionAlignment: 4096 0x1000
158
+ FileAlignment: 512 0x200
159
+ OperatingSystemVersion: 5.1
160
+ ImageVersion: 5.256
161
+ SubsystemVersion: 5.1
162
+ Reserved1: 0 0
163
+ SizeOfImage: 659456 0xa1000
164
+ SizeOfHeaders: 1024 0x400
165
+ CheckSum: 690555 0xa897b
166
+ Subsystem: 2 2 WINDOWS_GUI
167
+ DllCharacteristics: 33088 0x8140 DYNAMIC_BASE, NX_COMPAT
168
+ TERMINAL_SERVER_AWARE
169
+ SizeOfStackReserve: 262144 0x40000
170
+ SizeOfStackCommit: 8192 0x2000
171
+ SizeOfHeapReserve: 1048576 0x100000
172
+ SizeOfHeapCommit: 4096 0x1000
173
+ LoaderFlags: 0 0
174
+ NumberOfRvaAndSizes: 16 0x10
175
+
176
+ ### Data Directory
177
+
178
+ # pedump --data-directory calc.exe
179
+
180
+ === DATA DIRECTORY ===
181
+
182
+ EXPORT rva:0x 0 size:0x 0
183
+ IMPORT rva:0x 49c1c size:0x 12c
184
+ RESOURCE rva:0x 51000 size:0x 4ab07
185
+ EXCEPTION rva:0x 0 size:0x 0
186
+ SECURITY rva:0x 0 size:0x 0
187
+ BASERELOC rva:0x 9c000 size:0x 3588
188
+ DEBUG rva:0x 1610 size:0x 1c
189
+ ARCHITECTURE rva:0x 0 size:0x 0
190
+ GLOBALPTR rva:0x 0 size:0x 0
191
+ TLS rva:0x 0 size:0x 0
192
+ LOAD_CONFIG rva:0x 3d78 size:0x 40
193
+ Bound_IAT rva:0x 280 size:0x 12c
194
+ IAT rva:0x 1000 size:0x 594
195
+ Delay_IAT rva:0x 49bac size:0x 40
196
+ CLR_Header rva:0x 0 size:0x 0
197
+ rva:0x 0 size:0x 0
198
+
199
+ ### Sections
200
+
201
+ # pedump --sections calc.exe
202
+
203
+ === SECTIONS ===
204
+
205
+ NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
206
+ .text 1000 4a99a 4aa00 400 0 0 0 0 60000020 R-X CODE
207
+ .data 4c000 431c 3000 4ae00 0 0 0 0 c0000040 RW- IDATA
208
+ .rsrc 51000 4ab07 4ac00 4de00 0 0 0 0 40000040 R-- IDATA
209
+ .reloc 9c000 41f6 4200 98a00 0 0 0 0 42000040 R-- IDATA DISCARDABLE
210
+
211
+ ### Resources
212
+
213
+ # pedump --resources calc.exe
214
+
215
+ === RESOURCES ===
216
+
217
+ FILE_OFFSET CP LANG SIZE TYPE NAME
218
+ 0x4ec84 0 0x409 7465 IMAGE #157
219
+ 0x509b0 0 0x409 4086 IMAGE #165
220
+ 0x519a8 0 0x409 4234 IMAGE #170
221
+ 0x52a34 0 0x409 4625 IMAGE #175
222
+ 0x53c48 0 0x409 4873 IMAGE #180
223
+ 0x54f54 0 0x409 3048 IMAGE #204
224
+ 0x55b3c 0 0x409 3052 IMAGE #208
225
+ 0x56728 0 0x409 3217 IMAGE #212
226
+ 0x573bc 0 0x409 3338 IMAGE #216
227
+ 0x580c8 0 0x409 4191 IMAGE #217
228
+ 0x59128 0 0x409 4229 IMAGE #218
229
+ 0x5a1b0 0 0x409 4110 IMAGE #219
230
+ 0x5b1c0 0 0x409 4065 IMAGE #220
231
+ 0x5c1a4 0 0x409 3235 IMAGE #961
232
+ 0x5ce48 0 0x409 470 IMAGE #981
233
+ 0x5d020 0 0x409 587 IMAGE #982
234
+ 0x5d26c 0 0x409 518 IMAGE #983
235
+ 0x5d474 0 0x409 5344 IMAGE #3000
236
+ 0x5e954 0 0x409 4154 IMAGE #3015
237
+ 0x5f990 0 0x409 4815 IMAGE #3045
238
+ 0x60c60 0 0x409 6038 IMAGE #3051
239
+ 0x623f8 0 0x409 4290 IMAGE #3060
240
+ ...
241
+
242
+ ### Strings
243
+
244
+ # pedump --strings calc.exe.mui
245
+
246
+ === STRINGS ===
247
+
248
+ ID ID LANG STRING
249
+ 0 0 409 "+/-"
250
+ 1 1 409 "C"
251
+ 2 2 409 "CE"
252
+ 3 3 409 "Backspace"
253
+ 4 4 409 "."
254
+ 6 6 409 "And"
255
+ 7 7 409 "Or"
256
+ 8 8 409 "Xor"
257
+ 9 9 409 "Lsh"
258
+ 10 a 409 "Rsh"
259
+ 11 b 409 "/"
260
+ 12 c 409 "*"
261
+ 13 d 409 "+"
262
+ 14 e 409 "-"
263
+ 15 f 409 "Mod"
264
+ 16 10 409 "R"
265
+ 17 11 409 "^"
266
+ 18 12 409 "Int"
267
+ 19 13 409 "RoL"
268
+ 20 14 409 "RoR"
269
+ 21 15 409 "Not"
270
+ 22 16 409 "sin"
271
+ ...
272
+
273
+ ### Imports
274
+
275
+ # pedump --imports zlib.dll
276
+
277
+ === IMPORTS ===
278
+
279
+ MODULE_NAME HINT ORD FUNCTION_NAME
280
+ KERNEL32.dll e1 GetLastError
281
+ KERNEL32.dll 153 HeapAlloc
282
+ KERNEL32.dll 159 HeapFree
283
+ KERNEL32.dll 9f GetCommandLineA
284
+ KERNEL32.dll 103 GetProcAddress
285
+ KERNEL32.dll eb GetModuleHandleA
286
+ KERNEL32.dll 137 GetVersion
287
+ KERNEL32.dll 164 InitializeCriticalSection
288
+ KERNEL32.dll 44 DeleteCriticalSection
289
+ KERNEL32.dll 4f EnterCriticalSection
290
+ KERNEL32.dll 177 LeaveCriticalSection
291
+ KERNEL32.dll 1fa SetHandleCount
292
+ KERNEL32.dll dc GetFileType
293
+ KERNEL32.dll 116 GetStdHandle
294
+ KERNEL32.dll 114 GetStartupInfoA
295
+ KERNEL32.dll 155 HeapCreate
296
+ KERNEL32.dll 157 HeapDestroy
297
+ KERNEL32.dll c7 GetCurrentThreadId
298
+ KERNEL32.dll 222 TlsSetValue
299
+ KERNEL32.dll 21f TlsAlloc
300
+ KERNEL32.dll 220 TlsFree
301
+ KERNEL32.dll 1fd SetLastError
302
+ KERNEL32.dll 221 TlsGetValue
303
+ KERNEL32.dll 62 ExitProcess
304
+ KERNEL32.dll 1b8 ReadFile
305
+ KERNEL32.dll 16 CloseHandle
306
+ KERNEL32.dll 24f WriteFile
307
+ KERNEL32.dll 83 FlushFileBuffers
308
+ KERNEL32.dll e9 GetModuleFileNameA
309
+ KERNEL32.dll 98 GetCPInfo
310
+ KERNEL32.dll 92 GetACP
311
+ KERNEL32.dll f6 GetOEMCP
312
+ KERNEL32.dll 8b FreeEnvironmentStringsA
313
+ KERNEL32.dll d0 GetEnvironmentStrings
314
+ KERNEL32.dll 8c FreeEnvironmentStringsW
315
+ KERNEL32.dll d2 GetEnvironmentStringsW
316
+ KERNEL32.dll 242 WideCharToMultiByte
317
+ KERNEL32.dll 2b CreateFileA
318
+ KERNEL32.dll 1f8 SetFilePointer
319
+ KERNEL32.dll 206 SetStdHandle
320
+ KERNEL32.dll 178 LoadLibraryA
321
+ KERNEL32.dll 1ef SetEndOfFile
322
+
323
+ ### Exports
324
+
325
+ # pedump --exports zlib.dll
326
+
327
+ === EXPORTS ===
328
+
329
+ # module "zlib.dll"
330
+ # flags=0x0 ts="1996-05-07 08:46:46" version=0.0 ord_base=1
331
+ # nFuncs=27 nNames=27
332
+
333
+ ORD ENTRY_VA NAME
334
+ 1 76d0 adler32
335
+ 2 2db0 compress
336
+ 3 4aa0 crc32
337
+ 4 3c90 deflate
338
+ 5 4060 deflateCopy
339
+ 6 3fd0 deflateEnd
340
+ 7 37f0 deflateInit2_
341
+ 8 37c0 deflateInit_
342
+ 9 3bc0 deflateParams
343
+ a 3b40 deflateReset
344
+ b 3a40 deflateSetDictionary
345
+ c 7510 gzclose
346
+ d 6f00 gzdopen
347
+ e 75a0 gzerror
348
+ f 73f0 gzflush
349
+ 10 6c50 gzopen
350
+ 11 7190 gzread
351
+ 12 7350 gzwrite
352
+ 13 4e50 inflate
353
+ 14 4cc0 inflateEnd
354
+ 15 4d20 inflateInit2_
355
+ 16 4e30 inflateInit_
356
+ 17 4c70 inflateReset
357
+ 18 5260 inflateSetDictionary
358
+ 19 52f0 inflateSync
359
+ 1a 4bd0 uncompress
360
+ 1b e340 zlib_version
361
+
362
+ ### VS_VERSIONINFO parsing
363
+
364
+ # pedump --version-info calc.exe
365
+
366
+ === VERSION INFO ===
367
+
368
+ # VS_FIXEDFILEINFO:
369
+ FileVersion : 6.1.6801.0
370
+ ProductVersion : 6.1.6801.0
371
+ StrucVersion : 0x10000
372
+ FileFlagsMask : 0x3f
373
+ FileFlags : 0
374
+ FileOS : 0x40004
375
+ FileType : 1
376
+ FileSubtype : 0
377
+
378
+ # StringTable 040904B0:
379
+ CompanyName : "Microsoft Corporation"
380
+ FileDescription : "Windows Calculator"
381
+ FileVersion : "6.1.6801.0 (winmain_win7m3.080913-2030)"
382
+ InternalName : "CALC"
383
+ LegalCopyright : "© Microsoft Corporation. All rights reserved."
384
+ OriginalFilename : "CALC.EXE"
385
+ ProductName : "Microsoft® Windows® Operating System"
386
+ ProductVersion : "6.1.6801.0"
387
+
388
+ VarFileInfo : [ 0x409, 0x4b0 ]
389
+
390
+ ### Packer / Compiler detection
391
+
392
+ # pedump --packer zlib.dll
393
+
394
+ === Packer / Compiler ===
395
+
396
+ MS Visual C v2.0
397
+
398
+ #### pedump can mimic 'file' command output:
399
+
400
+ #pedump --packer-only -qqq samples/*
401
+
402
+ samples/StringLoader.dll: Microsoft Visual C++ 6.0 DLL (Debug)
403
+ samples/control.exe: ASPack v2.12
404
+ samples/gms_v1_0_3.exe: UPX 2.90 [LZMA] (Markus Oberhumer, Laszlo Molnar & John Reiser)
405
+ samples/unpackme.exe: ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
406
+ samples/zlib.dll: Microsoft Visual C v2.0
407
+
408
+ License
409
+ -------
410
+ Released under the MIT License. See the [LICENSE](https://github.com/zed-0xff/pedump/blob/master/LICENSE.txt) file for further details.