pedump 0.5.4 → 0.6.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c167f3c637d0eb649e1ff15a7d18a58682ed89b318d2425c8f6713e5c203409e
-  data.tar.gz: f362fd8c83ad8697439b212751c7c8b5c4514a92fd5becaf4769bde5566f752a
+  metadata.gz: fec0ab884ccfca5ee83392a6a50f4d50ecfb0e81251ecbd687f2fc1d52217630
+  data.tar.gz: f2c76574347491eb4c96498fa566b3a8fc7e9bfad7691f14f28b1d4966c457bc
 SHA512:
-  metadata.gz: 8997606d9577b1e43e47681151017edfde52b32da1125ee67fab26c9649a9f6d03a9fdb3e5259a790c1519def75e536c124fefe59608af861e17d86e7e201a63
-  data.tar.gz: 62ad9a8fef0aaea4cc0b637f033705ee02e1623320bf043ad4e08c8834d95ce92f1b04639ec5e7e46c5212ba23d132181a664d41dd84d454cd72ed55ac19f6a7
+  metadata.gz: 81b7b2fd8a6a33f17703db959fd6abe6fc5b229959432e841cba6b7fd9e44208b0ebf40d36e06668f6884447e38eb360b1a6dcf94cbb84a8be77d89db06e4b0f
+  data.tar.gz: b128b6f7e7d05806bf9e350a701d7ed14d1bf363938b4fccf89c36c43e761e78b7dc6a8b017c129d7c7981c86bebbfcad344ae11765e2ad588a22c7dfd14cae3

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,76 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+ advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+ address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+ professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at zed.0xff@gmail.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq

data/Gemfile

@@ -5,12 +5,11 @@ gem 'rainbow'
 gem "awesome_print"
 gem "iostruct",       ">= 0.0.4"
 gem "multipart-post", ">= 2.0.0"
-gem "progressbar"
 gem "zhexdump",       ">= 0.0.2"
 
 group :development do
   gem "rspec",   "~> 3.9.0"
   gem "rspec-its", "~> 1.3.0"
-  gem "bundler", "~> 2.1.4"
+  gem "bundler", "~> 2.2.3"
   gem "jeweler", "~> 2.3.9"
 end

data/Gemfile.lock

@@ -2,14 +2,15 @@ GEM
   remote: https://rubygems.org/
   specs:
     addressable (2.4.0)
-    awesome_print (1.8.0)
+    awesome_print (1.9.2)
     builder (3.2.4)
     descendants_tracker (0.0.4)
       thread_safe (~> 0.3, >= 0.3.1)
-    diff-lcs (1.3)
+    diff-lcs (1.4.4)
     faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
-    git (1.5.0)
+    git (1.8.1)
+      rchardet (~> 1.8)
     github_api (0.16.0)
       addressable (~> 2.4.0)
       descendants_tracker (~> 0.0.4)
@@ -17,7 +18,7 @@ GEM
       hashie (>= 3.4)
       mime-types (>= 1.16, < 3.0)
       oauth2 (~> 1.0)
-    hashie (4.0.0)
+    hashie (4.1.0)
     highline (2.0.3)
     iostruct (0.0.4)
     jeweler (2.3.9)
@@ -31,33 +32,35 @@ GEM
       rake
       rdoc
       semver2
-    jwt (2.2.1)
+    jwt (2.2.2)
     mime-types (2.99.3)
-    mini_portile2 (2.4.0)
-    multi_json (1.14.1)
+    mini_portile2 (2.6.1)
+    multi_json (1.15.0)
     multi_xml (0.6.0)
-    multipart-post (2.0.0)
-    nokogiri (1.10.7)
-      mini_portile2 (~> 2.4.0)
-    oauth2 (1.4.2)
+    multipart-post (2.1.1)
+    nokogiri (1.12.5)
+      mini_portile2 (~> 2.6.1)
+      racc (~> 1.4)
+    oauth2 (1.4.4)
       faraday (>= 0.8, < 2.0)
       jwt (>= 1.0, < 3.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    progressbar (1.10.1)
-    psych (3.1.0)
-    rack (2.1.1)
+    psych (3.3.0)
+    racc (1.5.2)
+    rack (2.2.3)
     rainbow (3.0.0)
-    rake (13.0.1)
-    rdoc (6.2.1)
+    rake (13.0.3)
+    rchardet (1.8.0)
+    rdoc (6.3.2)
     rspec (3.9.0)
       rspec-core (~> 3.9.0)
       rspec-expectations (~> 3.9.0)
       rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.1)
-      rspec-support (~> 3.9.1)
-    rspec-expectations (3.9.0)
+    rspec-core (3.9.3)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.4)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-its (1.3.0)
@@ -66,7 +69,7 @@ GEM
     rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
-    rspec-support (3.9.2)
+    rspec-support (3.9.4)
     semver2 (3.4.2)
     thread_safe (0.3.6)
     zhexdump (0.0.2)
@@ -76,15 +79,14 @@ PLATFORMS
 
 DEPENDENCIES
   awesome_print
-  bundler (~> 2.1.4)
+  bundler (~> 2.2.3)
   iostruct (>= 0.0.4)
   jeweler (~> 2.3.9)
   multipart-post (>= 2.0.0)
-  progressbar
   rainbow
   rspec (~> 3.9.0)
   rspec-its (~> 1.3.0)
   zhexdump (>= 0.0.2)
 
 BUNDLED WITH
-   2.1.4
+   2.2.3

data/README.md

@@ -1,6 +1,17 @@
-pedump    [![Build Status](https://travis-ci.org/zed-0xff/pedump.png?branch=master)](https://travis-ci.org/zed-0xff/pedump) [![Dependency Status](https://gemnasium.com/zed-0xff/pedump.png)](https://gemnasium.com/zed-0xff/pedump)
+pedump    [![Build Status](https://travis-ci.org/zed-0xff/pedump.png?branch=master)](https://travis-ci.org/zed-0xff/pedump) [![ko-fi](https://www.ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/K3K81Z3W5)
 ======
 
+News
+----
+```
+2021.02.18 - updated gems; changed open-uri to URI.open; enabled SSL on https://pedump.me/
+2020.08.09 - CLI: added resource extracting with --extract ID
+2020.07.28 - 0.6.1; better RICH HDR parsing/output
+2020.07.27 - 0.6.0
+2020.07.26 - now travis autotests run on ARM and OSX too!
+2020.07.25 - added EFI TE parsing; removed 'progressbar' gem dependency
+```
+
 Description
 -----------
 A pure ruby implementation of win32 PE binary files dumper.
@@ -11,6 +22,7 @@ Supported formats:
  * win16 NE
  * win32 PE
  * win64 PE
+ * EFI TE
 
 Can dump:
 
@@ -24,7 +36,7 @@ Can dump:
  * Imports & Exports
  * VS_VERSIONINFO parsing
  * PE Packer/Compiler detection
- * a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
+ * a convenient way to upload your PE's to https://pedump.me for a nice HTML tables with image previews, candies & stuff
 
 Installation
 ------------
@@ -50,6 +62,7 @@ Usage
             --rich
             --pe
             --ne
+            --te
             --data-directory
         -S, --sections
             --tls
@@ -66,9 +79,17 @@ Usage
                                          mimics 'file' command output
         -r, --recursive                  recurse dirs in packer detect
             --all                        Dump all but resource-directory (default)
+    
+            --extract ID                 Extract a resource/section/data_dir
+                                         ID: datadir:EXPORT     - datadir by type
+                                         ID: resource:0x98478   - resource by offset
+                                         ID: resource:ICON/#1   - resource by type & name
+                                         ID: section:.text      - section by name
+                                         ID: section:rva/0x1000 - section by RVA
+                                         ID: section:raw/0x400  - section by RAW_PTR
             --va2file VA                 Convert RVA to file offset
     
-        -W, --web                        Uploads files to a http://pedump.me
+        -W, --web                        Uploads files to a https://pedump.me
                                          for a nice HTML tables with image previews,
                                          candies & stuff
         -C, --console                    opens IRB console with specified file loaded
@@ -120,14 +141,14 @@ Usage
 
     === RICH Header ===
     
-        LIB_ID        VERSION        TIMES_USED   
-       149  95      21022  521e         9   9
-         1   1          0     0       367 16f
-       147  93      21022  521e        29  1d
-       132  84      21022  521e       129  81
-       131  83      21022  521e        25  19
-       148  94      21022  521e         1   1
-       145  91      21022  521e         1   1
+       ID   VER         COUNT  DESCRIPTION
+       95  521e             9  [ASM] VS2008 build 21022
+        1     0           367  [---] Unmarked objects
+       93  521e            29  [IMP] VS2008 build 21022
+       84  521e           129  [C++] VS2008 build 21022
+       83  521e            25  [ C ] VS2008 build 21022
+       94  521e             1  [RES] VS2008 build 21022
+       91  521e             1  [LNK] VS2008 build 21022
 
 ### PE Header
 
@@ -407,6 +428,78 @@ Usage
     samples/unpackme.exe:                     ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
     samples/zlib.dll:                         Microsoft Visual C v2.0
 
+### Extracting
+
+#### Resources
+
+by name:
+
+    # pedump calc.exe --extract resource:VERSION/#1 | hexdump -C | head
+
+    00000000  78 03 34 00 00 00 56 00  53 00 5f 00 56 00 45 00  |x.4...V.S._.V.E.|
+    00000010  52 00 53 00 49 00 4f 00  4e 00 5f 00 49 00 4e 00  |R.S.I.O.N._.I.N.|
+    00000020  46 00 4f 00 00 00 00 00  bd 04 ef fe 00 00 01 00  |F.O.............|
+    00000030  01 00 06 00 00 00 91 1a  01 00 06 00 00 00 91 1a  |................|
+    00000040  3f 00 00 00 00 00 00 00  04 00 04 00 01 00 00 00  |?...............|
+    00000050  00 00 00 00 00 00 00 00  00 00 00 00 d6 02 00 00  |................|
+    00000060  01 00 53 00 74 00 72 00  69 00 6e 00 67 00 46 00  |..S.t.r.i.n.g.F.|
+    00000070  69 00 6c 00 65 00 49 00  6e 00 66 00 6f 00 00 00  |i.l.e.I.n.f.o...|
+    00000080  b2 02 00 00 01 00 30 00  34 00 30 00 39 00 30 00  |......0.4.0.9.0.|
+    00000090  34 00 42 00 30 00 00 00  4c 00 16 00 01 00 43 00  |4.B.0...L.....C.|
+
+by offset:
+
+    # pedump calc.exe --extract resource:0x98478 | head
+
+    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+    <!-- Copyright (c) Microsoft Corporation -->
+    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+    <assemblyIdentity
+        name="Microsoft.Windows.Shell.calc"
+        processorArchitecture="x86"
+        version="5.1.0.0"
+        type="win32"/>
+    <description>Windows Shell</description>
+    <dependency>
+
+#### Sections
+
+by name:
+
+    # pedump calc.exe --extract section:.text | hexdump -C | head -4
+
+    00000000  0b aa cb 77 f7 c4 cc 77  a4 c4 cc 77 c4 c4 cc 77  |...w...w...w...w|
+    00000010  3e d7 ca 77 ec b4 cb 77  69 9c f0 77 dc c4 cc 77  |>..w...wi..w...w|
+    00000020  12 9c cb 77 4d af cb 77  b4 c4 cc 77 6e a8 ee 77  |...wM..w...wn..w|
+    00000030  14 fc f0 77 00 00 00 00  2c 92 04 76 09 62 04 76  |...w....,..v.b.v|
+
+by RVA:
+
+    # pedump calc.exe --extract section:rva/0x1000 | hexdump -C | head -4
+
+    00000000  0b aa cb 77 f7 c4 cc 77  a4 c4 cc 77 c4 c4 cc 77  |...w...w...w...w|
+    00000010  3e d7 ca 77 ec b4 cb 77  69 9c f0 77 dc c4 cc 77  |>..w...wi..w...w|
+    00000020  12 9c cb 77 4d af cb 77  b4 c4 cc 77 6e a8 ee 77  |...wM..w...wn..w|
+    00000030  14 fc f0 77 00 00 00 00  2c 92 04 76 09 62 04 76  |...w....,..v.b.v|
+
+by RAW_PTR (file offset):
+
+    # pedump calc.exe --extract section:raw/0x400 | hexdump -C | head -4
+
+    00000000  0b aa cb 77 f7 c4 cc 77  a4 c4 cc 77 c4 c4 cc 77  |...w...w...w...w|
+    00000010  3e d7 ca 77 ec b4 cb 77  69 9c f0 77 dc c4 cc 77  |>..w...wi..w...w|
+    00000020  12 9c cb 77 4d af cb 77  b4 c4 cc 77 6e a8 ee 77  |...wM..w...wn..w|
+    00000030  14 fc f0 77 00 00 00 00  2c 92 04 76 09 62 04 76  |...w....,..v.b.v|
+
+#### Data Directory
+
+    # pedump calc.exe --extract datadir:IMPORT | hexdump -C | head -4
+
+    00000000  90 9f 04 00 ff ff ff ff  ff ff ff ff dc a2 04 00  |................|
+    00000010  48 12 00 00 f4 a0 04 00  ff ff ff ff ff ff ff ff  |H...............|
+    00000020  10 a5 04 00 ac 13 00 00  48 9d 04 00 ff ff ff ff  |........H.......|
+    00000030  ff ff ff ff f6 a5 04 00  00 10 00 00 5c 9f 04 00  |............\...|
+
 License
 -------
 Released under the MIT License.  See the [LICENSE](https://github.com/zed-0xff/pedump/blob/master/LICENSE.txt) file for further details.

data/Rakefile

@@ -23,7 +23,7 @@ Jeweler::Tasks.new do |gem|
   gem.authors = ["Andrey \"Zed\" Zaikin"]
   gem.executables = %w'pedump'
   gem.files.include "lib/**/*.rb"
-  gem.files.exclude %w'samples/**/* spec/**/* tmp/**/* tmp/.keep .* README.md.tpl'
+  gem.files.exclude %w'samples/**/* spec/**/* tmp/**/* tmp/.keep .* README.md.tpl .github/**/*'
   gem.extra_rdoc_files.exclude 'README.md.tpl'
   # dependencies defined in Gemfile
 end
@@ -35,7 +35,7 @@ require 'rspec/core/rake_task'
 desc "run specs"
 RSpec::Core::RakeTask.new
 
-task :default => :spec
+task :default => [:spec, :readme]
 
 namespace :test do
   desc "test on all files in given path"
@@ -74,17 +74,20 @@ namespace :test do
   end
 end
 
-def check_file url, prefix=nil
+def check_file url, params = {}
   require 'digest/md5'
   require 'open-uri'
 
+  params[:min_size] ||= 80_000
+
   STDOUT.sync = true
+  prefix = params[:prefix]
   fname = File.join 'data', (prefix ? "#{prefix}-" : '') + File.basename(url)
   existing_md5 = File.exist?(fname) ? Digest::MD5.file(fname).hexdigest : ''
   print "[.] fetching #{url} .. "
-  remote_data  = open(url).read.force_encoding('cp1252').encode('utf-8')
+  remote_data = URI.open(url).read.force_encoding('cp1252').encode('utf-8')
   puts "#{remote_data.size} bytes"
-  raise "too small remote data (#{remote_data.size})" if remote_data.size < 80_000
+  raise "too small remote data (#{remote_data.size})" if remote_data.size < params[:min_size]
   remote_md5   = Digest::MD5.hexdigest(remote_data)
   if remote_md5 == existing_md5
     puts "[.] same as local"
@@ -95,13 +98,45 @@ def check_file url, prefix=nil
   end
 end
 
+RICH_IDS_URL = "https://raw.githubusercontent.com/dishather/richprint/master/comp_id.txt"
+
+namespace :rich do
+  desc "update rich comp_id db from net"
+  task :update do
+    check_file RICH_IDS_URL, :min_size => 30_000
+  end
+
+  desc "convert"
+  task :convert do
+    result = [
+      "class PEdump",
+      "  # data from #{RICH_IDS_URL}",
+      "  RICH_IDS = {"
+    ]
+    n = 0
+    t0 = Time.now
+    File.readlines(File.join("data", File.basename(RICH_IDS_URL))).each do |line|
+      line.strip!
+      next if line.empty? || line[0] == '#'
+      comp_id, desc = line.split(nil, 2)
+      raise unless comp_id =~ /\A[0-9a-fA-F]+\Z/
+      result << "    0x#{comp_id} => #{desc.inspect},"
+      n += 1
+    end
+    result << "  }"
+    result << "end"
+    printf "[.] parsed %d definitions in %6.3fs\n", n, Time.now-t0
+    File.write("lib/pedump/rich.rb", result.join("\n") + "\n")
+  end
+end
+
 namespace :sigs do
   desc "update packers db from net"
   task :update do
     require './lib/pedump/packer'
     check_file "http://research.pandasecurity.com/blogs/images/userdb.txt"
     check_file "http://fuu.googlecode.com/svn/trunk/src/x86/Tools/Signaturesdb/signatures.txt"
-    check_file "http://handlers.sans.edu/jclausing/userdb.txt", "jc"
+    check_file "http://handlers.sans.edu/jclausing/userdb.txt", :prefix => "jc"
   end
 
   desc "convert txt2bin"

data/VERSION

@@ -1 +1 @@
-0.5.4
+0.6.3