pedump 0.6.0 → 0.6.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 73c28547719cedc77a48cbcd0b519283d09d061c358c24fd14fcff8e130072bf
-  data.tar.gz: 4444e01ee15c6920856ed30e63d118bc027758de0e696ea02d1c1bd3a6486bee
+  metadata.gz: ed5cf8d6da63d21d766d921afb91035107d72eb09715617deb3a0510e0a9b10d
+  data.tar.gz: '06594246525ac31a0ca890762ab6940e03b30d2341b6ec4812cc92d8b5c46ce5'
 SHA512:
-  metadata.gz: d35bdf91d6081245a723b569837b7332baf0b61962747d6595a0afed6625fba3f15fa1e7ae5db9734ed7e08f03008031037254fc2df60f655c10b0e95db5d005
-  data.tar.gz: e9ac50ac19c5814f6364dde31dd0a16c0e263015e752c4a82b04e707c08a3e999255572c643da990ce9fabb4d3e624e85bdab53697e702044f941772fc96974e
+  metadata.gz: a0dcc1224a0e1d37033c4ec10b8cb7cc78e0d29e7b48e2c93b669b376f1af98ce1c6dfa11df4363a730cda9155b1a7163c225dae782cdb1796fa2d04d92bbccc
+  data.tar.gz: b38264f296b3b170cc3229567f6ec9378fe4947010b7acce6773f28bf5de29995fea06c880ddfcaeb5a1c15471db9e8fe07696b0fc8848949f38fe1a89b082c2

data/Gemfile

@@ -8,8 +8,8 @@ gem "multipart-post", ">= 2.0.0"
 gem "zhexdump",       ">= 0.0.2"
 
 group :development do
-  gem "rspec",   "~> 3.9.0"
-  gem "rspec-its", "~> 1.3.0"
-  gem "bundler", "~> 2.1.4"
-  gem "jeweler", "~> 2.3.9"
+  gem "rspec"
+  gem "rspec-its"
+  gem "bundler"
+  gem "juwelier"
 end

data/Gemfile.lock

@@ -1,72 +1,104 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.4.0)
-    awesome_print (1.8.0)
+    addressable (2.8.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    awesome_print (1.9.2)
     builder (3.2.4)
     descendants_tracker (0.0.4)
       thread_safe (~> 0.3, >= 0.3.1)
-    diff-lcs (1.3)
-    faraday (0.9.2)
+    diff-lcs (1.5.0)
+    faraday (1.9.3)
+      faraday-em_http (~> 1.0)
+      faraday-em_synchrony (~> 1.0)
+      faraday-excon (~> 1.1)
+      faraday-httpclient (~> 1.0)
+      faraday-multipart (~> 1.0)
+      faraday-net_http (~> 1.0)
+      faraday-net_http_persistent (~> 1.0)
+      faraday-patron (~> 1.0)
+      faraday-rack (~> 1.0)
+      faraday-retry (~> 1.0)
+      ruby2_keywords (>= 0.0.4)
+    faraday-em_http (1.0.0)
+    faraday-em_synchrony (1.0.0)
+    faraday-excon (1.1.0)
+    faraday-httpclient (1.0.1)
+    faraday-multipart (1.0.3)
       multipart-post (>= 1.2, < 3)
-    git (1.5.0)
-    github_api (0.16.0)
-      addressable (~> 2.4.0)
+    faraday-net_http (1.0.1)
+    faraday-net_http_persistent (1.2.0)
+    faraday-patron (1.0.0)
+    faraday-rack (1.0.0)
+    faraday-retry (1.0.3)
+    git (1.10.2)
+      rchardet (~> 1.8)
+    github_api (0.19.0)
+      addressable (~> 2.4)
       descendants_tracker (~> 0.0.4)
-      faraday (~> 0.8, < 0.10)
-      hashie (>= 3.4)
-      mime-types (>= 1.16, < 3.0)
+      faraday (>= 0.8, < 2)
+      hashie (~> 3.5, >= 3.5.2)
       oauth2 (~> 1.0)
-    hashie (4.0.0)
+    hashie (3.6.0)
     highline (2.0.3)
     iostruct (0.0.4)
-    jeweler (2.3.9)
+    juwelier (2.4.9)
       builder
       bundler
-      git (>= 1.2.5)
-      github_api (~> 0.16.0)
-      highline (>= 1.6.15)
-      nokogiri (>= 1.5.10)
+      git
+      github_api
+      highline
+      kamelcase (~> 0)
+      nokogiri
       psych
       rake
       rdoc
       semver2
-    jwt (2.2.1)
-    mime-types (2.99.3)
-    mini_portile2 (2.4.0)
-    multi_json (1.14.1)
+    jwt (2.3.0)
+    kamelcase (0.0.2)
+      semver2 (~> 3)
+    mini_portile2 (2.7.1)
+    multi_json (1.15.0)
     multi_xml (0.6.0)
     multipart-post (2.1.1)
-    nokogiri (1.10.8)
-      mini_portile2 (~> 2.4.0)
-    oauth2 (1.4.2)
+    nokogiri (1.13.1)
+      mini_portile2 (~> 2.7.0)
+      racc (~> 1.4)
+    oauth2 (1.4.7)
       faraday (>= 0.8, < 2.0)
       jwt (>= 1.0, < 3.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    psych (3.1.0)
+    psych (4.0.3)
+      stringio
+    public_suffix (4.0.6)
+    racc (1.6.0)
     rack (2.2.3)
-    rainbow (3.0.0)
-    rake (13.0.1)
-    rdoc (6.2.1)
-    rspec (3.9.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.1)
-      rspec-support (~> 3.9.1)
-    rspec-expectations (3.9.0)
+    rainbow (3.1.1)
+    rake (13.0.6)
+    rchardet (1.8.0)
+    rdoc (6.4.0)
+      psych (>= 4.0.0)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.2)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
+      rspec-support (~> 3.10.0)
     rspec-its (1.3.0)
       rspec-core (>= 3.0.0)
       rspec-expectations (>= 3.0.0)
-    rspec-mocks (3.9.1)
+    rspec-mocks (3.10.3)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-support (3.9.2)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.3)
+    ruby2_keywords (0.0.5)
     semver2 (3.4.2)
+    stringio (3.0.1)
     thread_safe (0.3.6)
     zhexdump (0.0.2)
 
@@ -75,14 +107,14 @@ PLATFORMS
 
 DEPENDENCIES
   awesome_print
-  bundler (~> 2.1.4)
+  bundler
   iostruct (>= 0.0.4)
-  jeweler (~> 2.3.9)
+  juwelier
   multipart-post (>= 2.0.0)
   rainbow
-  rspec (~> 3.9.0)
-  rspec-its (~> 1.3.0)
+  rspec
+  rspec-its
   zhexdump (>= 0.0.2)
 
 BUNDLED WITH
-   2.1.4
+   2.2.32

data/README.md

@@ -3,8 +3,14 @@ pedump    [![Build Status](https://travis-ci.org/zed-0xff/pedump.png?branch=mast
 
 News
 ----
+```
+2021.02.18 - updated gems; changed open-uri to URI.open; enabled SSL on https://pedump.me/
+2020.08.09 - CLI: added resource extracting with --extract ID
+2020.07.28 - 0.6.1; better RICH HDR parsing/output
+2020.07.27 - 0.6.0
 2020.07.26 - now travis autotests run on ARM and OSX too!
 2020.07.25 - added EFI TE parsing; removed 'progressbar' gem dependency
+```
 
 Description
 -----------
@@ -30,7 +36,7 @@ Can dump:
  * Imports & Exports
  * VS_VERSIONINFO parsing
  * PE Packer/Compiler detection
- * a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
+ * a convenient way to upload your PE's to https://pedump.me for a nice HTML tables with image previews, candies & stuff
 
 Installation
 ------------
@@ -73,9 +79,17 @@ Usage
                                          mimics 'file' command output
         -r, --recursive                  recurse dirs in packer detect
             --all                        Dump all but resource-directory (default)
+    
+            --extract ID                 Extract a resource/section/data_dir
+                                         ID: datadir:EXPORT     - datadir by type
+                                         ID: resource:0x98478   - resource by offset
+                                         ID: resource:ICON/#1   - resource by type & name
+                                         ID: section:.text      - section by name
+                                         ID: section:rva/0x1000 - section by RVA
+                                         ID: section:raw/0x400  - section by RAW_PTR
             --va2file VA                 Convert RVA to file offset
     
-        -W, --web                        Uploads files to a http://pedump.me
+        -W, --web                        Uploads files to a https://pedump.me
                                          for a nice HTML tables with image previews,
                                          candies & stuff
         -C, --console                    opens IRB console with specified file loaded
@@ -127,14 +141,14 @@ Usage
 
     === RICH Header ===
     
-        LIB_ID        VERSION        TIMES_USED   
-       149  95      21022  521e         9   9
-         1   1          0     0       367 16f
-       147  93      21022  521e        29  1d
-       132  84      21022  521e       129  81
-       131  83      21022  521e        25  19
-       148  94      21022  521e         1   1
-       145  91      21022  521e         1   1
+       ID   VER         COUNT  DESCRIPTION
+       95  521e             9  [ASM] VS2008 build 21022
+        1     0           367  [---] Unmarked objects
+       93  521e            29  [IMP] VS2008 build 21022
+       84  521e           129  [C++] VS2008 build 21022
+       83  521e            25  [ C ] VS2008 build 21022
+       94  521e             1  [RES] VS2008 build 21022
+       91  521e             1  [LNK] VS2008 build 21022
 
 ### PE Header
 
@@ -414,6 +428,78 @@ Usage
     samples/unpackme.exe:                     ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
     samples/zlib.dll:                         Microsoft Visual C v2.0
 
+### Extracting
+
+#### Resources
+
+by name:
+
+    # pedump calc.exe --extract resource:VERSION/#1 | hexdump -C | head
+
+    00000000  78 03 34 00 00 00 56 00  53 00 5f 00 56 00 45 00  |x.4...V.S._.V.E.|
+    00000010  52 00 53 00 49 00 4f 00  4e 00 5f 00 49 00 4e 00  |R.S.I.O.N._.I.N.|
+    00000020  46 00 4f 00 00 00 00 00  bd 04 ef fe 00 00 01 00  |F.O.............|
+    00000030  01 00 06 00 00 00 91 1a  01 00 06 00 00 00 91 1a  |................|
+    00000040  3f 00 00 00 00 00 00 00  04 00 04 00 01 00 00 00  |?...............|
+    00000050  00 00 00 00 00 00 00 00  00 00 00 00 d6 02 00 00  |................|
+    00000060  01 00 53 00 74 00 72 00  69 00 6e 00 67 00 46 00  |..S.t.r.i.n.g.F.|
+    00000070  69 00 6c 00 65 00 49 00  6e 00 66 00 6f 00 00 00  |i.l.e.I.n.f.o...|
+    00000080  b2 02 00 00 01 00 30 00  34 00 30 00 39 00 30 00  |......0.4.0.9.0.|
+    00000090  34 00 42 00 30 00 00 00  4c 00 16 00 01 00 43 00  |4.B.0...L.....C.|
+
+by offset:
+
+    # pedump calc.exe --extract resource:0x98478 | head
+
+    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+    <!-- Copyright (c) Microsoft Corporation -->
+    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+    <assemblyIdentity
+        name="Microsoft.Windows.Shell.calc"
+        processorArchitecture="x86"
+        version="5.1.0.0"
+        type="win32"/>
+    <description>Windows Shell</description>
+    <dependency>
+
+#### Sections
+
+by name:
+
+    # pedump calc.exe --extract section:.text | hexdump -C | head -4
+
+    00000000  0b aa cb 77 f7 c4 cc 77  a4 c4 cc 77 c4 c4 cc 77  |...w...w...w...w|
+    00000010  3e d7 ca 77 ec b4 cb 77  69 9c f0 77 dc c4 cc 77  |>..w...wi..w...w|
+    00000020  12 9c cb 77 4d af cb 77  b4 c4 cc 77 6e a8 ee 77  |...wM..w...wn..w|
+    00000030  14 fc f0 77 00 00 00 00  2c 92 04 76 09 62 04 76  |...w....,..v.b.v|
+
+by RVA:
+
+    # pedump calc.exe --extract section:rva/0x1000 | hexdump -C | head -4
+
+    00000000  0b aa cb 77 f7 c4 cc 77  a4 c4 cc 77 c4 c4 cc 77  |...w...w...w...w|
+    00000010  3e d7 ca 77 ec b4 cb 77  69 9c f0 77 dc c4 cc 77  |>..w...wi..w...w|
+    00000020  12 9c cb 77 4d af cb 77  b4 c4 cc 77 6e a8 ee 77  |...wM..w...wn..w|
+    00000030  14 fc f0 77 00 00 00 00  2c 92 04 76 09 62 04 76  |...w....,..v.b.v|
+
+by RAW_PTR (file offset):
+
+    # pedump calc.exe --extract section:raw/0x400 | hexdump -C | head -4
+
+    00000000  0b aa cb 77 f7 c4 cc 77  a4 c4 cc 77 c4 c4 cc 77  |...w...w...w...w|
+    00000010  3e d7 ca 77 ec b4 cb 77  69 9c f0 77 dc c4 cc 77  |>..w...wi..w...w|
+    00000020  12 9c cb 77 4d af cb 77  b4 c4 cc 77 6e a8 ee 77  |...wM..w...wn..w|
+    00000030  14 fc f0 77 00 00 00 00  2c 92 04 76 09 62 04 76  |...w....,..v.b.v|
+
+#### Data Directory
+
+    # pedump calc.exe --extract datadir:IMPORT | hexdump -C | head -4
+
+    00000000  90 9f 04 00 ff ff ff ff  ff ff ff ff dc a2 04 00  |................|
+    00000010  48 12 00 00 f4 a0 04 00  ff ff ff ff ff ff ff ff  |H...............|
+    00000020  10 a5 04 00 ac 13 00 00  48 9d 04 00 ff ff ff ff  |........H.......|
+    00000030  ff ff ff ff f6 a5 04 00  00 10 00 00 5c 9f 04 00  |............\...|
+
 License
 -------
 Released under the MIT License.  See the [LICENSE](https://github.com/zed-0xff/pedump/blob/master/LICENSE.txt) file for further details.

data/Rakefile

@@ -11,8 +11,8 @@ rescue Bundler::BundlerError => e
 end
 require 'rake'
 
-require 'jeweler'
-Jeweler::Tasks.new do |gem|
+require 'juwelier'
+Juwelier::Tasks.new do |gem|
   # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
   gem.name = "pedump"
   gem.homepage = "http://github.com/zed-0xff/pedump"
@@ -23,11 +23,11 @@ Jeweler::Tasks.new do |gem|
   gem.authors = ["Andrey \"Zed\" Zaikin"]
   gem.executables = %w'pedump'
   gem.files.include "lib/**/*.rb"
-  gem.files.exclude %w'samples/**/* spec/**/* tmp/**/* tmp/.keep .* README.md.tpl'
+  gem.files.exclude %w'samples/**/* spec/**/* tmp/**/* tmp/.keep .* README.md.tpl .github/**/*'
   gem.extra_rdoc_files.exclude 'README.md.tpl'
   # dependencies defined in Gemfile
 end
-Jeweler::RubygemsDotOrgTasks.new
+Juwelier::RubygemsDotOrgTasks.new
 
 require 'rspec/core'
 require 'rspec/core/rake_task'
@@ -35,7 +35,7 @@ require 'rspec/core/rake_task'
 desc "run specs"
 RSpec::Core::RakeTask.new
 
-task :default => :spec
+task :default => [:spec, :readme]
 
 namespace :test do
   desc "test on all files in given path"
@@ -74,17 +74,20 @@ namespace :test do
   end
 end
 
-def check_file url, prefix=nil
+def check_file url, params = {}
   require 'digest/md5'
   require 'open-uri'
 
+  params[:min_size] ||= 80_000
+
   STDOUT.sync = true
+  prefix = params[:prefix]
   fname = File.join 'data', (prefix ? "#{prefix}-" : '') + File.basename(url)
   existing_md5 = File.exist?(fname) ? Digest::MD5.file(fname).hexdigest : ''
   print "[.] fetching #{url} .. "
-  remote_data  = open(url).read.force_encoding('cp1252').encode('utf-8')
+  remote_data = URI.open(url).read.force_encoding('cp1252').encode('utf-8')
   puts "#{remote_data.size} bytes"
-  raise "too small remote data (#{remote_data.size})" if remote_data.size < 80_000
+  raise "too small remote data (#{remote_data.size})" if remote_data.size < params[:min_size]
   remote_md5   = Digest::MD5.hexdigest(remote_data)
   if remote_md5 == existing_md5
     puts "[.] same as local"
@@ -95,13 +98,45 @@ def check_file url, prefix=nil
   end
 end
 
+RICH_IDS_URL = "https://raw.githubusercontent.com/dishather/richprint/master/comp_id.txt"
+
+namespace :rich do
+  desc "update rich comp_id db from net"
+  task :update do
+    check_file RICH_IDS_URL, :min_size => 30_000
+  end
+
+  desc "convert"
+  task :convert do
+    result = [
+      "class PEdump",
+      "  # data from #{RICH_IDS_URL}",
+      "  RICH_IDS = {"
+    ]
+    n = 0
+    t0 = Time.now
+    File.readlines(File.join("data", File.basename(RICH_IDS_URL))).each do |line|
+      line.strip!
+      next if line.empty? || line[0] == '#'
+      comp_id, desc = line.split(nil, 2)
+      raise unless comp_id =~ /\A[0-9a-fA-F]+\Z/
+      result << "    0x#{comp_id} => #{desc.inspect},"
+      n += 1
+    end
+    result << "  }"
+    result << "end"
+    printf "[.] parsed %d definitions in %6.3fs\n", n, Time.now-t0
+    File.write("lib/pedump/rich.rb", result.join("\n") + "\n")
+  end
+end
+
 namespace :sigs do
   desc "update packers db from net"
   task :update do
     require './lib/pedump/packer'
     check_file "http://research.pandasecurity.com/blogs/images/userdb.txt"
     check_file "http://fuu.googlecode.com/svn/trunk/src/x86/Tools/Signaturesdb/signatures.txt"
-    check_file "http://handlers.sans.edu/jclausing/userdb.txt", "jc"
+    check_file "http://handlers.sans.edu/jclausing/userdb.txt", :prefix => "jc"
   end
 
   desc "convert txt2bin"

data/VERSION

@@ -1 +1 @@
-0.6.0
+0.6.4