pedump 0.5.4 → 0.6.3

data/lib/pedump/cli.rb

@@ -1,5 +1,6 @@
 require 'pedump'
 require 'pedump/packer'
+require 'pedump/rich'
 require 'pedump/version_info'
 require 'optparse'
 
@@ -33,13 +34,14 @@ class PEdump::CLI
   attr_accessor :data, :argv
 
   KNOWN_ACTIONS = (
-    %w'mz dos_stub rich pe ne data_directory sections tls security' +
-    %w'strings resources resource_directory imports exports version_info packer web console packer_only'
+    %w'mz dos_stub rich pe ne te data_directory sections tls security' +
+    %w'strings resources resource_directory imports exports version_info packer web console packer_only' +
+    %w'extract' # 'disasm'
   ).map(&:to_sym)
 
-  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory web packer_only console'.map(&:to_sym)
+  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory web packer_only console extract disasm'.map(&:to_sym)
 
-  URL_BASE = "http://pedump.me"
+  URL_BASE = "https://pedump.me"
 
   def initialize argv = ARGV
     @argv = argv
@@ -96,8 +98,24 @@ class PEdump::CLI
       opts.on "--all", "Dump all but resource-directory (default)" do
         @actions = DEFAULT_ALL_ACTIONS
       end
+
+      opts.separator ''
+
+#      opts.on "--disasm [X]", "Disassemble a symbol/VA" do |v|
+#        @actions << [:disasm, v]
+#      end
+      opts.on("--extract ID", "Extract a resource/section/data_dir",
+              "ID: datadir:EXPORT     - datadir by type",
+              "ID: resource:0x98478   - resource by offset",
+              "ID: resource:ICON/#1   - resource by type & name",
+              "ID: section:.text      - section by name",
+              "ID: section:rva/0x1000 - section by RVA",
+              "ID: section:raw/0x400  - section by RAW_PTR",
+             ) do |v|
+        @actions << [:extract, v]
+      end
       opts.on "--va2file VA", "Convert RVA to file offset" do |va|
-        @actions << [:va2file,va]
+        @actions << [:va2file, va]
       end
 
       opts.separator ''
@@ -133,9 +151,9 @@ class PEdump::CLI
       @file_name = fname
 
       File.open(fname,'rb') do |f|
-        @pedump = create_pedump fname
+        @pedump = create_pedump f
 
-        next if !@options[:force] && !@pedump.mz(f)
+        next if !@options[:force] && !@pedump.supported_file?(f)
 
         @actions.each do |action|
           case action
@@ -152,8 +170,8 @@ class PEdump::CLI
     # prevents a 'Broken pipe - <STDOUT> (Errno::EPIPE)' message
   end
 
-  def create_pedump fname
-    PEdump.new(fname, :force => @options[:force]).tap do |x|
+  def create_pedump io
+    PEdump.new(io, :force => @options[:force]).tap do |x|
       x.logger.level =
         case @options[:verbose]
         when -100..-3
@@ -194,16 +212,14 @@ class PEdump::CLI
   end
 
   class ProgressProxy
-    attr_reader :pbar
-
-    def initialize file
-      @file = file
-      @pbar = ProgressBar.new("[.] uploading", file.size, STDOUT)
-      @pbar.try(:file_transfer_mode)
-      @pbar.bar_mark = '='
+    def initialize file, prefix = "[.] uploading: ", io = $stdout
+      @file   = file
+      @io     = io
+      @prefix = prefix
     end
     def read *args
-      @pbar.inc args.first
+      @io.write("\r#{@prefix}#{@file.tell}/#{@file.size} ")
+      @io.flush
       @file.read *args
     end
     def method_missing *args
@@ -212,6 +228,10 @@ class PEdump::CLI
     def respond_to? *args
       @file.respond_to?(args.first) || super(*args)
     end
+
+    def finish!
+      @io.write("\r#{@prefix}#{@file.size}/#{@file.size} \n")
+    end
   end
 
   def upload f
@@ -224,17 +244,17 @@ class PEdump::CLI
     require 'open-uri'
     require 'net/http'
     require 'net/http/post/multipart'
-    require 'progressbar'
 
-    stdout_sync = STDOUT.sync
-    STDOUT.sync = true
+    stdout_sync = $stdout.sync
+    $stdout.sync = true
 
     md5 = Digest::MD5.file(f.path).hexdigest
     @pedump.logger.info "[.] md5: #{md5}"
     file_url = "#{URL_BASE}/#{md5}/"
 
     @pedump.logger.warn "[.] checking if file already uploaded.."
-    Net::HTTP.start('pedump.me') do |http|
+    uri = URI.parse URL_BASE
+    Net::HTTP.start(uri.host, uri.port, use_ssl: (uri.scheme == 'https')) do |http|
       http.open_timeout = 10
       http.read_timeout = 10
       # doing HTTP HEAD is a lot faster than open-uri
@@ -250,24 +270,26 @@ class PEdump::CLI
 
     f.rewind
 
-    # upload with progressbar
+    # upload with progress
     post_url = URI.parse(URL_BASE+'/')
+    # UploadIO is from multipart-post
     uio = UploadIO.new(f, "application/octet-stream", File.basename(f.path))
     ppx = ProgressProxy.new(uio)
     req = Net::HTTP::Post::Multipart.new post_url.path, "file" => ppx
-    res = Net::HTTP.start(post_url.host, post_url.port){ |http| http.request(req) }
-    ppx.pbar.finish
-
-    puts
-    puts "[.] analyzing..."
+    res = Net::HTTP.start(post_url.host, post_url.port, use_ssl: (post_url.scheme == 'https')) do |http|
+      http.request(req)
+    end
+    ppx.finish!
 
-    if (r=open(File.join(URL_BASE,md5,'analyze')).read) != "OK"
-      raise "invalid server response: #{r}"
+    unless [200, 302, 303].include?(res.code.to_i)
+      @pedump.logger.fatal "[!] invalid server response: #{res.code} #{res.msg}"
+      @pedump.logger.fatal res.body unless res.body.empty?
+      exit(1)
     end
 
     puts "[.] uploaded: #{file_url}"
   ensure
-    STDOUT.sync = stdout_sync
+    $stdout.sync = stdout_sync
   end
 
   def console f
@@ -311,6 +333,10 @@ class PEdump::CLI
   def dump_action action, f
     if action.is_a?(Array)
       case action[0]
+      when :disasm
+        return
+      when :extract
+        return extract action[1]
       when :va2file
         @pedump.sections(f)
         va = action[1] =~ /(^0x)|(h$)/i ? action[1].to_i(16) : action[1].to_i
@@ -457,6 +483,8 @@ class PEdump::CLI
       case data.first
       when PEdump::IMAGE_DATA_DIRECTORY
         dump_data_dir data
+      when PEdump::EFI_IMAGE_DATA_DIRECTORY
+        dump_efi_data_dir data
       when PEdump::IMAGE_SECTION_HEADER
         dump_sections data
       when PEdump::Resource
@@ -781,19 +809,26 @@ class PEdump::CLI
     end
   end
 
-
   def dump_data_dir data
     data.each do |row|
       printf "  %-12s  rva:0x%8x   size:0x %8x\n", row.type, row.va.to_i, row.size.to_i
     end
   end
 
+  def dump_efi_data_dir data
+    data.each_with_index do |row, idx|
+      printf "  %-12s  rva:0x%8x   size:0x %8x\n", PEdump::EFI_IMAGE_DATA_DIRECTORY::TYPES[idx], row.va.to_i, row.size.to_i
+    end
+  end
+
   def dump_rich_hdr data
     if decoded = data.decode
-      puts "    LIB_ID        VERSION        TIMES_USED   "
+      puts "   ID   VER         COUNT  DESCRIPTION"
       decoded.each do |row|
-        printf " %5d  %2x    %7d  %4x   %7d %3x\n",
-          row.id, row.id, row.version, row.version, row.times, row.times
+#        printf " %5d  %4x    %7d  %4x   %12d %8x\n",
+#          row.id, row.id, row.version, row.version, row.times, row.times
+        printf " %4x  %4x  %12d  %s\n",
+          row.id, row.version, row.times, ::PEdump::RICH_IDS[(row.id<<16) + row.version]
       end
     else
       puts "# raw:"
@@ -804,4 +839,79 @@ class PEdump::CLI
     end
   end
 
+  def disasm x
+    puts "TODO"
+  end
+
+  def extract x
+    a = x.split(':',2)
+    case a[0]
+    when 'datadir'
+      extract_datadir a[1]
+    when 'resource'
+      extract_resource a[1]
+    when 'section'
+      extract_section a[1]
+    else
+      raise "invalid #{x.inspect}"
+    end
+  end
+
+  def extract_datadir id
+    entry = @pedump.data_directory.find{ |x| x.type == id }
+    unless entry
+      @pedump.logger.fatal "[!] entry #{id.inspect} not found"
+      exit(1)
+    end
+    if entry.size != 0
+      IO::copy_stream @pedump.io, $stdout, entry.size, @pedump.va2file(entry.va)
+    end
+  end
+
+  def extract_resource id
+    res = nil
+    if id =~ /\A0x\h+\Z/
+      needle = id.to_i(16)
+      res = @pedump.resources.find{ |r| r.file_offset == needle }
+    elsif id =~ /\A\d+\Z/
+      needle = id.to_i(10)
+      res = @pedump.resources.find{ |r| r.file_offset == needle }
+    elsif id['/']
+      type, name = id.split('/', 2)
+      res = @pedump.resources.find{ |r| r.type == type && r.name == name }
+    else
+      @pedump.logger.fatal "[!] invalid resource id #{id.inspect}"
+      exit(1)
+    end
+    unless res
+      @pedump.logger.fatal "[!] resource #{id.inspect} not found"
+      exit(1)
+    end
+    IO::copy_stream @pedump.io, $stdout, res.size, res.file_offset
+  end
+
+  def extract_section id
+    section = nil
+    if id['/']
+      a = id.split('/',2)
+      if a[0] == 'rva'
+        value = a[1].to_i(0) # auto hex/dec, but also can parse oct and bin
+        section = @pedump.sections.find{ |s| s.VirtualAddress == value }
+      elsif a[0] == 'raw'
+        value = a[1].to_i(0) # auto hex/dec, but also can parse oct and bin
+        section = @pedump.sections.find{ |s| s.PointerToRawData == value }
+      else
+        @pedump.logger.fatal "[!] invalid section id #{id.inspect}"
+        exit(1)
+      end
+    else
+      section = @pedump.sections.find{ |s| s.Name == id }
+    end
+    unless section
+      @pedump.logger.fatal "[!] section #{id.inspect} not found"
+      exit(1)
+    end
+    IO::copy_stream @pedump.io, $stdout, section.SizeOfRawData, section.PointerToRawData
+  end
+
 end # class PEdump::CLI

data/lib/pedump/loader/section.rb

@@ -10,15 +10,16 @@ class PEdump::Loader
         @hdr = x.dup
       end
       @data = EMPTY_DATA.dup
+      @delta = args[:delta] || 0
       @deferred_load_io   = args[:deferred_load_io]
-      @deferred_load_pos  = args[:deferred_load_pos]  || (@hdr && @hdr.PointerToRawData)
+      @deferred_load_pos  = args[:deferred_load_pos]  || (@hdr && (@hdr.PointerToRawData - @delta))
       @deferred_load_size = args[:deferred_load_size] || (@hdr && @hdr.SizeOfRawData)
       @image_base = args[:image_base] || 0
     end
 
     def name;  @hdr.Name; end
-    def va  ;  @hdr.VirtualAddress + @image_base; end
-    def rva ;  @hdr.VirtualAddress; end
+    def va  ;  @hdr.VirtualAddress + @image_base - @delta; end
+    def rva ;  @hdr.VirtualAddress - @delta; end
     def vsize; @hdr.VirtualSize; end
     def flags; @hdr.Characteristics; end
     def flags= f; @hdr.Characteristics= f; end
@@ -51,6 +52,7 @@ class PEdump::Loader
         @data.size > 0 ? @data.size.to_s(16) : (@deferred_load_io ? "<defer>" : 0)
       ]
       r << (" dlpos=%8x" % @deferred_load_pos) if @deferred_load_pos
+      r << (" delta=%3x" % @delta) if @delta != 0
       r << ">"
     end
   end

data/lib/pedump/loader.rb

@@ -15,7 +15,15 @@ class PEdump::Loader
 
   # shortcuts
   alias :pe :pe_hdr
-  def ep; @pe_hdr.ioh.AddressOfEntryPoint; end
+
+  def ep
+    if @pe_hdr
+      @pe_hdr.try(:ioh).try(:AddressOfEntryPoint)
+    elsif @te_hdr
+      @te_hdr.AddressOfEntryPoint - @delta
+    end
+  end
+
   def ep= v; @pe_hdr.ioh.AddressOfEntryPoint=v; end
 
   ########################################################################
@@ -23,12 +31,24 @@ class PEdump::Loader
   ########################################################################
 
   def initialize io = nil, params = {}
+    # @delta is for EFI TE loading, based on https://github.com/gdbinit/TELoader/blob/master/teloader.cpp
+    @delta = 0
     @pedump = PEdump.new(io, params)
     if io
       @mz_hdr     = @pedump.mz
       @dos_stub   = @pedump.dos_stub
       @pe_hdr     = @pedump.pe
-      @image_base = params[:image_base] || @pe_hdr.try(:ioh).try(:ImageBase) || 0
+      @te_hdr     = @pedump.te
+
+      @image_base = params[:image_base]
+      if @pe_hdr
+        @image_base ||= @pe_hdr.try(:ioh).try(:ImageBase)
+      elsif @te_hdr
+        @image_base ||= @te_hdr.ImageBase
+        @delta = @pedump.te_shift
+      end
+      @image_base ||= 0
+
       load_sections @pedump.sections, io
     end
     @find_limit = params[:find_limit] || DEFAULT_FIND_LIMIT
@@ -38,7 +58,7 @@ class PEdump::Loader
     if section_hdrs.is_a?(Array)
       @sections = section_hdrs.map do |x|
         raise "unknown section hdr: #{x.inspect}" unless x.is_a?(PEdump::IMAGE_SECTION_HEADER)
-        Section.new(x, :deferred_load_io => f, :image_base => @image_base )
+        Section.new(x, :deferred_load_io => f, :image_base => @image_base, :delta => @delta )
       end
       if f.respond_to?(:seek) && f.respond_to?(:read)
         #
@@ -249,10 +269,12 @@ class PEdump::Loader
   def names
     return @names if @names
     @names = {}
-    if oep = @pe_hdr.try(:ioh).try(:AddressOfEntryPoint)
-      oep += @image_base
-      @names[oep] = 'start'
+
+    oep = ep()
+    if oep
+      @names[oep + @image_base] = 'start'
     end
+
     _parse_imports
     _parse_exports
     #TODO: debug info

data/lib/pedump/ne.rb

@@ -405,7 +405,7 @@ class PEdump
       begin
         ne_offset = mz(f) && mz(f).lfanew
         if ne_offset.nil?
-          logger.fatal "[!] NULL NE offset (e_lfanew)."
+          logger.debug "[!] NULL NE offset (e_lfanew)."
           nil
         elsif ne_offset > f.size
           logger.fatal "[!] NE offset beyond EOF."

data/lib/pedump/pe.rb

@@ -24,78 +24,87 @@ class PEdump
       signature + ifh.pack + ioh.pack
     end
 
-    def self.read f, args = {}
+    def self.read_sections f, nToRead, args = {}
       force = args[:force]
 
+      if nToRead > 0xffff
+        if force.is_a?(Numeric) && force > 1
+          PEdump.logger.warn "[!] too many sections (#{nToRead}). forced. reading all"
+        else
+          PEdump.logger.warn "[!] too many sections (#{nToRead}). not forced, reading first 65535"
+          nToRead = 65535
+        end
+      end
+
+      sections = []
+      nToRead.times do
+        break if f.eof?
+        sections << IMAGE_SECTION_HEADER.read(f)
+      end
+
+      if sections.any?
+        # zero all missing values of last section
+        sections.last.tap do |last_section|
+          last_section.each_pair do |k,v|
+            last_section[k] = 0 if v.nil?
+          end
+        end
+      end
+
+      sections
+    end
+
+    def self.read f, args = {}
       pe_offset = f.tell
       pe_sig = f.read 4
       #logger.error "[!] 'NE' format is not supported!" if pe_sig == "NE\x00\x00"
       if pe_sig != "PE\x00\x00"
-        if force
+        if args[:force]
           logger.warn  "[?] no PE signature (want: 'PE\\x00\\x00', got: #{pe_sig.inspect})"
         else
           logger.debug "[?] no PE signature (want: 'PE\\x00\\x00', got: #{pe_sig.inspect}). (not forced)"
           return nil
         end
       end
-      PE.new(pe_sig).tap do |pe|
-        pe.image_file_header = IMAGE_FILE_HEADER.read(f)
-        ioh_offset = f.tell # offset to IMAGE_OPTIONAL_HEADER
-        if pe.ifh.SizeOfOptionalHeader.to_i > 0
-          if pe.x64?
-            pe.image_optional_header = IMAGE_OPTIONAL_HEADER64.read(f, pe.ifh.SizeOfOptionalHeader)
-          else
-            pe.image_optional_header = IMAGE_OPTIONAL_HEADER32.read(f, pe.ifh.SizeOfOptionalHeader)
-          end
+      pe = PE.new(pe_sig)
+      pe.image_file_header = IMAGE_FILE_HEADER.read(f)
+      ioh_offset = f.tell # offset to IMAGE_OPTIONAL_HEADER
+      if pe.ifh.SizeOfOptionalHeader.to_i > 0
+        if pe.x64?
+          pe.image_optional_header = IMAGE_OPTIONAL_HEADER64.read(f, pe.ifh.SizeOfOptionalHeader)
+        else
+          pe.image_optional_header = IMAGE_OPTIONAL_HEADER32.read(f, pe.ifh.SizeOfOptionalHeader)
         end
+      end
 
-        if (nToRead=pe.ifh.NumberOfSections.to_i) > 0xffff
-          if force.is_a?(Numeric) && force > 1
-            logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). forced. reading all"
-          else
-            logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). not forced, reading first 65535"
-            nToRead = 65535
-          end
-        end
+      nToRead=pe.ifh.NumberOfSections.to_i
 
-        # The Windows loader expects to find the PE section headers after the optional header. It calculates the address of the first section header by adding SizeOfOptionalHeader to the beginning of the optional header.
-        # // http://www.phreedom.org/research/tinype/
-        f.seek( ioh_offset + pe.ifh.SizeOfOptionalHeader.to_i )
-        pe.sections = []
-        nToRead.times do
-          break if f.eof?
-          pe.sections << IMAGE_SECTION_HEADER.read(f)
-        end
+      # The Windows loader expects to find the PE section headers after the optional header. It calculates the address of the first section header by adding SizeOfOptionalHeader to the beginning of the optional header.
+      # // http://www.phreedom.org/research/tinype/
+      f.seek( ioh_offset + pe.ifh.SizeOfOptionalHeader.to_i )
+      pe.sections = read_sections(f, nToRead, args)
 
-        if pe.sections.any?
-          # zero all missing values of last section
-          pe.sections.last.tap do |last_section|
-            last_section.each_pair do |k,v|
-              last_section[k] = 0 if v.nil?
-            end
-          end
-        end
+      pe_end = f.tell
+      if s=pe.sections.find{ |s| (pe_offset...pe_end).include?(s.va) }
+        if args[:pass2]
+          # already called with CompositeIO ?
+          PEdump.logger.error "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! 2nd time?!"
 
-        pe_end = f.tell
-        if s=pe.sections.find{ |s| (pe_offset...pe_end).include?(s.va) }
-          if args[:pass2]
-            # already called with CompositeIO ?
-            logger.error "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! 2nd time?!"
-
-          elsif pe_end-pe_offset < 0x100_000
-            logger.warn "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! trying to rebuild..."
-            f.seek pe_offset
-            data = f.read(s.va-pe_offset)
-            f.seek s.PointerToRawData
-            io = CompositeIO.new(StringIO.new(data), f)
-            args1 = args.dup
-            args1[:pass2] = true
-            return PE.read(io, args1)
-          else
-            logger.error "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! too big to rebuild!"
-          end
+        elsif pe_end-pe_offset < 0x100_000
+          PEdump.logger.warn "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! trying to rebuild..."
+          f.seek pe_offset
+          data = f.read(s.va-pe_offset)
+          f.seek s.PointerToRawData
+          io = CompositeIO.new(StringIO.new(data), f)
+          args1 = args.dup
+          args1[:pass2] = true
+          return PE.read(io, args1)
+        else
+          PEdump.logger.error "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! too big to rebuild!"
         end
       end
+
+      pe
     end
 
     def self.logger; PEdump.logger; end
@@ -106,7 +115,7 @@ class PEdump
       begin
         pe_offset = mz(f) && mz(f).lfanew
         if pe_offset.nil?
-          logger.fatal "[!] NULL PE offset (e_lfanew). cannot continue."
+          logger.debug "[!] NULL PE offset (e_lfanew). cannot continue."
           nil
         elsif pe_offset > f.size
           logger.fatal "[!] PE offset beyond EOF. cannot continue."