pedump 0.5.4 → 0.6.3

data/lib/pedump.rb

@@ -17,6 +17,7 @@ require 'pedump/security'
 require 'pedump/packer'
 require 'pedump/ne'
 require 'pedump/ne/version_info'
+require 'pedump/te'
 
 # pedump.rb by zed_0xff
 #
@@ -29,8 +30,9 @@ class PEdump
   VERSION    = Version::STRING
   MAX_ERRORS = 100
   MAX_IMAGE_IMPORT_DESCRIPTORS = 1000
-  MAX_EXPORT_NUMBER_OF_NAMES = 16384 # got 7977 in http://pedump.me/03ad7400080678c6b1984f995d36fd04
+  MAX_EXPORT_NUMBER_OF_NAMES = 16384 # got 7977 in https://pedump.me/03ad7400080678c6b1984f995d36fd04
   GOOD_FUNCTION_NAME_RE = /\A[\x21-\x7f]+\Z/
+  SUPPORTED_SIGNATURES = ['MZ', 'ZM', 'VZ']
 
   @@logger = nil
 
@@ -259,7 +261,7 @@ class PEdump
 
   # http://ntcore.com/files/richsign.htm
   class RichHdr < String
-    attr_accessor :offset, :key # xor key
+    attr_accessor :offset, :skip, :key # xor key
 
     class Entry < Struct.new(:version,:id,:times)
       def inspect
@@ -268,8 +270,21 @@ class PEdump
     end
 
     def self.from_dos_stub stub
+      #stub.hexdump
       key = stub[stub.index('Rich')+4,4]
       start_idx = stub.index(key.xor('DanS'))
+      skip = 0
+      if start_idx
+        skip = 4
+      else
+        PEdump.logger.warn "[?] cannot find rich_hdr start_idx, using heuristics"
+        start_idx = stub.index("$\x00\x00\x00\x00\x00\x00\x00")
+        unless start_idx
+          PEdump.logger.warn "[?] heuristics failed :("
+          return nil
+        end
+        start_idx += 8
+      end
       end_idx   = stub.index('Rich')+8
       if stub[end_idx..-1].tr("\x00",'') != ''
         t = stub[end_idx..-1]
@@ -277,14 +292,16 @@ class PEdump
         PEdump.logger.error "[!] non-zero dos stub after rich_hdr: #{t.inspect}"
         return nil
       end
+      #stub[start_idx, end_idx-start_idx].hexdump
       RichHdr.new(stub[start_idx, end_idx-start_idx]).tap do |x|
         x.key = key
         x.offset = stub.offset + start_idx
+        x.skip = skip
       end
     end
 
     def dexor
-      self[4..-9].sub(/\A(#{Regexp::escape(key)}){3}/,'').xor(key)
+      self[skip..-9].sub(/\A(#{Regexp::escape(key)}){3}/,'').xor(key)
     end
 
     def decode
@@ -322,9 +339,9 @@ class PEdump
     @mz ||= f && MZ.read(f).tap do |mz|
       if mz.signature != 'MZ' && mz.signature != 'ZM'
         if @force
-          logger.warn  "[?] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}"
+          #logger.warn  "[?] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}"
         else
-          logger.error "[!] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}. (not forced)"
+          #logger.error "[!] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}. (not forced)"
           return nil
         end
       end
@@ -380,6 +397,13 @@ class PEdump
   def va2file va, h={}
     return nil if va.nil?
 
+    va0 = va # save for log output of original addr
+    if pe?
+      # most common case, do nothing
+    elsif te?
+      va = va - te_shift()
+    end
+
     sections.each do |s|
       if (s.VirtualAddress...(s.VirtualAddress+s.VirtualSize)).include?(va)
         offset = va - s.VirtualAddress
@@ -411,9 +435,9 @@ class PEdump
     # TODO: not all VirtualAdresses == 0 case
 
     if h[:quiet]
-      logger.debug "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)} (quiet=true)"
+      logger.debug "[?] can't find file_offset of VA 0x#{va0.to_i.to_s(16)} (quiet=true)"
     else
-      logger.error "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)}"
+      logger.error "[?] can't find file_offset of VA 0x#{va0.to_i.to_s(16)}"
     end
     nil
   end
@@ -431,16 +455,22 @@ class PEdump
   end
 
   def _dump_handle h
-    return unless pe(h) # also calls mz(h)
-    rich_hdr h
-    resources h
-    imports h   # also calls tls(h)
-    exports h
-    packer h
+    if pe(h) # also calls mz(h)
+      rich_hdr h
+      resources h
+      imports h   # also calls tls(h)
+      exports h
+      packer h
+    elsif te(h)
+    end
   end
 
   def data_directory f=@io
-    pe(f) && pe.ioh && pe.ioh.DataDirectory
+    if pe(f)
+      pe.ioh && pe.ioh.DataDirectory
+    elsif te(f)
+      te.DataDirectory
+    end
   end
 
   def sections f=@io
@@ -448,16 +478,52 @@ class PEdump
       pe.section_table
     elsif ne(f)
       ne.segments
+    elsif te(f)
+      te.sections
     end
   end
   alias :section_table :sections
 
-  def ne?
-    @pe ? false : (@ne ? true : (pe ? false : (ne ? true : false)))
+  def supported_file? f=@io
+    pos = f.tell
+    sig = f.read(2)
+    f.seek(pos)
+    if SUPPORTED_SIGNATURES.include?(sig)
+      true
+    else
+      unless @not_supported_sig_warned
+        msg = "no supported signature. want: #{SUPPORTED_SIGNATURES.join("/")}, got: #{sig.inspect}"
+        if @force
+          logger.warn  "[?] #{msg}"
+        else
+          logger.error "[!] #{msg}. (not forced)"
+        end
+        @not_supported_sig_warned = true
+      end
+      false
+    end
+  end
+
+  def _detect_format
+    return :pe if @pe
+    return :ne if @ne
+    return :te if @te
+    return :pe if pe()
+    return :ne if ne()
+    return :te if te()
+    nil
   end
 
   def pe?
-    @pe ? true  : (@ne ? false : (pe ? true : false ))
+    _detect_format() == :pe
+  end
+
+  def ne?
+    _detect_format() == :ne
+  end
+
+  def te?
+    _detect_format() == :te
   end
 
   ##############################################################################
@@ -502,6 +568,8 @@ class PEdump
       pe_imports(f)
     elsif ne(f)
       ne(f).imports
+    else
+      []
     end
   end
 
@@ -589,7 +657,7 @@ class PEdump
                 nil
               else
                 hint = f.read(2).unpack('v').first
-                name = f.gets("\x00").chomp("\x00")
+                name = f.gets("\x00").to_s.chomp("\x00")
                 if !name.empty? && name !~ GOOD_FUNCTION_NAME_RE
                   n_bad_names += 1
                   if n_bad_names > MAX_ERRORS

data/misc/aspack/aspack_unlzx.c

@@ -30,6 +30,7 @@ int unpack(BYTE*packed_data, size_t packed_size, size_t unpacked_size){
     LZX_CONTEXT LZX;
     BYTE* unpacked_data = NULL;
     size_t decoded_size;
+    int r;
 
     bzero(&LZX, sizeof(LZX));
 
@@ -38,8 +39,9 @@ int unpack(BYTE*packed_data, size_t packed_size, size_t unpacked_size){
         return(ERR_NO_MEM);
     }
 
-    decoded_size = DecodeLZX(&LZX, packed_data, unpacked_data, packed_size, unpacked_size);
-    if ( decoded_size < 0 || decoded_size < unpacked_size ) {
+    r = DecodeLZX(&LZX, packed_data, unpacked_data, packed_size, unpacked_size);
+    decoded_size = (size_t)r;
+    if ( r < 0 || decoded_size < unpacked_size ) {
         free(unpacked_data);
         fprintf(stderr,"ERR_UNPACK\n");
         return(ERR_UNPACK);
@@ -58,7 +60,7 @@ int main(int argc, char*argv[]){
     if(argc != 3){
         fprintf(stderr, "ASPack unLZX\n");
         fprintf(stderr, "usage: %s <packed_size> <unpacked_size>\n", argv[0]);
-        fprintf(stderr, "(data is read from stdin and written to stdout)\n", argv[0]);
+        fprintf(stderr, "(data is read from stdin and written to stdout)\n");
         return 1;
     }
 

data/pedump.gemspec

@@ -2,16 +2,16 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: pedump 0.5.4 ruby lib
+# stub: pedump 0.6.3 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "pedump".freeze
-  s.version = "0.5.4"
+  s.version = "0.6.3"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib".freeze]
   s.authors = ["Andrey \"Zed\" Zaikin".freeze]
-  s.date = "2020-01-25"
+  s.date = "2021-12-07"
   s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc".freeze
   s.email = "zed.0xff@gmail.com".freeze
   s.executables = ["pedump".freeze]
@@ -20,6 +20,7 @@ Gem::Specification.new do |s|
     "README.md"
   ]
   s.files = [
+    "CODE_OF_CONDUCT.md",
     "Gemfile",
     "Gemfile.lock",
     "LICENSE.txt",
@@ -27,6 +28,7 @@ Gem::Specification.new do |s|
     "Rakefile",
     "VERSION",
     "bin/pedump",
+    "data/comp_id.txt",
     "data/fs.txt",
     "data/jc-userdb.txt",
     "data/sig.bin",
@@ -47,8 +49,10 @@ Gem::Specification.new do |s|
     "lib/pedump/packer.rb",
     "lib/pedump/pe.rb",
     "lib/pedump/resources.rb",
+    "lib/pedump/rich.rb",
     "lib/pedump/security.rb",
     "lib/pedump/sig_parser.rb",
+    "lib/pedump/te.rb",
     "lib/pedump/tls.rb",
     "lib/pedump/unpacker.rb",
     "lib/pedump/unpacker/aspack.rb",
@@ -64,45 +68,32 @@ Gem::Specification.new do |s|
   ]
   s.homepage = "http://github.com/zed-0xff/pedump".freeze
   s.licenses = ["MIT".freeze]
-  s.rubygems_version = "2.7.10".freeze
+  s.rubygems_version = "3.2.22".freeze
   s.summary = "dump win32 PE executable files with a pure ruby".freeze
 
   if s.respond_to? :specification_version then
     s.specification_version = 4
+  end
 
-    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<rainbow>.freeze, [">= 0"])
-      s.add_runtime_dependency(%q<awesome_print>.freeze, [">= 0"])
-      s.add_runtime_dependency(%q<iostruct>.freeze, [">= 0.0.4"])
-      s.add_runtime_dependency(%q<multipart-post>.freeze, [">= 2.0.0"])
-      s.add_runtime_dependency(%q<progressbar>.freeze, [">= 0"])
-      s.add_runtime_dependency(%q<zhexdump>.freeze, [">= 0.0.2"])
-      s.add_development_dependency(%q<rspec>.freeze, ["~> 3.9.0"])
-      s.add_development_dependency(%q<rspec-its>.freeze, ["~> 1.3.0"])
-      s.add_development_dependency(%q<bundler>.freeze, ["~> 2.1.4"])
-      s.add_development_dependency(%q<jeweler>.freeze, ["~> 2.3.9"])
-    else
-      s.add_dependency(%q<rainbow>.freeze, [">= 0"])
-      s.add_dependency(%q<awesome_print>.freeze, [">= 0"])
-      s.add_dependency(%q<iostruct>.freeze, [">= 0.0.4"])
-      s.add_dependency(%q<multipart-post>.freeze, [">= 2.0.0"])
-      s.add_dependency(%q<progressbar>.freeze, [">= 0"])
-      s.add_dependency(%q<zhexdump>.freeze, [">= 0.0.2"])
-      s.add_dependency(%q<rspec>.freeze, ["~> 3.9.0"])
-      s.add_dependency(%q<rspec-its>.freeze, ["~> 1.3.0"])
-      s.add_dependency(%q<bundler>.freeze, ["~> 2.1.4"])
-      s.add_dependency(%q<jeweler>.freeze, ["~> 2.3.9"])
-    end
+  if s.respond_to? :add_runtime_dependency then
+    s.add_runtime_dependency(%q<rainbow>.freeze, [">= 0"])
+    s.add_runtime_dependency(%q<awesome_print>.freeze, [">= 0"])
+    s.add_runtime_dependency(%q<iostruct>.freeze, [">= 0.0.4"])
+    s.add_runtime_dependency(%q<multipart-post>.freeze, [">= 2.0.0"])
+    s.add_runtime_dependency(%q<zhexdump>.freeze, [">= 0.0.2"])
+    s.add_development_dependency(%q<rspec>.freeze, ["~> 3.9.0"])
+    s.add_development_dependency(%q<rspec-its>.freeze, ["~> 1.3.0"])
+    s.add_development_dependency(%q<bundler>.freeze, ["~> 2.2.3"])
+    s.add_development_dependency(%q<jeweler>.freeze, ["~> 2.3.9"])
   else
     s.add_dependency(%q<rainbow>.freeze, [">= 0"])
     s.add_dependency(%q<awesome_print>.freeze, [">= 0"])
     s.add_dependency(%q<iostruct>.freeze, [">= 0.0.4"])
     s.add_dependency(%q<multipart-post>.freeze, [">= 2.0.0"])
-    s.add_dependency(%q<progressbar>.freeze, [">= 0"])
     s.add_dependency(%q<zhexdump>.freeze, [">= 0.0.2"])
     s.add_dependency(%q<rspec>.freeze, ["~> 3.9.0"])
     s.add_dependency(%q<rspec-its>.freeze, ["~> 1.3.0"])
-    s.add_dependency(%q<bundler>.freeze, ["~> 2.1.4"])
+    s.add_dependency(%q<bundler>.freeze, ["~> 2.2.3"])
     s.add_dependency(%q<jeweler>.freeze, ["~> 2.3.9"])
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.5.4
+  version: 0.6.3
 platform: ruby
 authors:
 - Andrey "Zed" Zaikin
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-01-25 00:00:00.000000000 Z
+date: 2021-12-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rainbow
@@ -66,20 +66,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 2.0.0
-- !ruby/object:Gem::Dependency
-  name: progressbar
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: zhexdump
   requirement: !ruby/object:Gem::Requirement
@@ -128,14 +114,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.1.4
+        version: 2.2.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.1.4
+        version: 2.2.3
 - !ruby/object:Gem::Dependency
   name: jeweler
   requirement: !ruby/object:Gem::Requirement
@@ -159,6 +145,7 @@ extra_rdoc_files:
 - LICENSE.txt
 - README.md
 files:
+- CODE_OF_CONDUCT.md
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -166,6 +153,7 @@ files:
 - Rakefile
 - VERSION
 - bin/pedump
+- data/comp_id.txt
 - data/fs.txt
 - data/jc-userdb.txt
 - data/sig.bin
@@ -186,8 +174,10 @@ files:
 - lib/pedump/packer.rb
 - lib/pedump/pe.rb
 - lib/pedump/resources.rb
+- lib/pedump/rich.rb
 - lib/pedump/security.rb
 - lib/pedump/sig_parser.rb
+- lib/pedump/te.rb
 - lib/pedump/tls.rb
 - lib/pedump/unpacker.rb
 - lib/pedump/unpacker/aspack.rb
@@ -204,7 +194,7 @@ homepage: http://github.com/zed-0xff/pedump
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -219,9 +209,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.10
-signing_key: 
+rubygems_version: 3.2.22
+signing_key:
 specification_version: 4
 summary: dump win32 PE executable files with a pure ruby
 test_files: []