pedump 0.6.0 → 0.6.4

data/lib/pedump/cli.rb

@@ -1,5 +1,6 @@
 require 'pedump'
 require 'pedump/packer'
+require 'pedump/rich'
 require 'pedump/version_info'
 require 'optparse'
 
@@ -34,12 +35,13 @@ class PEdump::CLI
 
   KNOWN_ACTIONS = (
     %w'mz dos_stub rich pe ne te data_directory sections tls security' +
-    %w'strings resources resource_directory imports exports version_info packer web console packer_only'
+    %w'strings resources resource_directory imports exports version_info packer web console packer_only' +
+    %w'extract' # 'disasm'
   ).map(&:to_sym)
 
-  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory web packer_only console'.map(&:to_sym)
+  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory web packer_only console extract disasm'.map(&:to_sym)
 
-  URL_BASE = "http://pedump.me"
+  URL_BASE = "https://pedump.me"
 
   def initialize argv = ARGV
     @argv = argv
@@ -96,8 +98,24 @@ class PEdump::CLI
       opts.on "--all", "Dump all but resource-directory (default)" do
         @actions = DEFAULT_ALL_ACTIONS
       end
+
+      opts.separator ''
+
+#      opts.on "--disasm [X]", "Disassemble a symbol/VA" do |v|
+#        @actions << [:disasm, v]
+#      end
+      opts.on("--extract ID", "Extract a resource/section/data_dir",
+              "ID: datadir:EXPORT     - datadir by type",
+              "ID: resource:0x98478   - resource by offset",
+              "ID: resource:ICON/#1   - resource by type & name",
+              "ID: section:.text      - section by name",
+              "ID: section:rva/0x1000 - section by RVA",
+              "ID: section:raw/0x400  - section by RAW_PTR",
+             ) do |v|
+        @actions << [:extract, v]
+      end
       opts.on "--va2file VA", "Convert RVA to file offset" do |va|
-        @actions << [:va2file,va]
+        @actions << [:va2file, va]
       end
 
       opts.separator ''
@@ -133,7 +151,7 @@ class PEdump::CLI
       @file_name = fname
 
       File.open(fname,'rb') do |f|
-        @pedump = create_pedump fname
+        @pedump = create_pedump f
 
         next if !@options[:force] && !@pedump.supported_file?(f)
 
@@ -152,8 +170,8 @@ class PEdump::CLI
     # prevents a 'Broken pipe - <STDOUT> (Errno::EPIPE)' message
   end
 
-  def create_pedump fname
-    PEdump.new(fname, :force => @options[:force]).tap do |x|
+  def create_pedump io
+    PEdump.new(io, :force => @options[:force]).tap do |x|
       x.logger.level =
         case @options[:verbose]
         when -100..-3
@@ -194,7 +212,7 @@ class PEdump::CLI
   end
 
   class ProgressProxy
-    def initialize file, prefix = "[.] uploading: ", io = STDOUT
+    def initialize file, prefix = "[.] uploading: ", io = $stdout
       @file   = file
       @io     = io
       @prefix = prefix
@@ -227,15 +245,16 @@ class PEdump::CLI
     require 'net/http'
     require 'net/http/post/multipart'
 
-    stdout_sync = STDOUT.sync
-    STDOUT.sync = true
+    stdout_sync = $stdout.sync
+    $stdout.sync = true
 
     md5 = Digest::MD5.file(f.path).hexdigest
     @pedump.logger.info "[.] md5: #{md5}"
     file_url = "#{URL_BASE}/#{md5}/"
 
     @pedump.logger.warn "[.] checking if file already uploaded.."
-    Net::HTTP.start('pedump.me') do |http|
+    uri = URI.parse URL_BASE
+    Net::HTTP.start(uri.host, uri.port, use_ssl: (uri.scheme == 'https')) do |http|
       http.open_timeout = 10
       http.read_timeout = 10
       # doing HTTP HEAD is a lot faster than open-uri
@@ -257,18 +276,20 @@ class PEdump::CLI
     uio = UploadIO.new(f, "application/octet-stream", File.basename(f.path))
     ppx = ProgressProxy.new(uio)
     req = Net::HTTP::Post::Multipart.new post_url.path, "file" => ppx
-    res = Net::HTTP.start(post_url.host, post_url.port){ |http| http.request(req) }
+    res = Net::HTTP.start(post_url.host, post_url.port, use_ssl: (post_url.scheme == 'https')) do |http|
+      http.request(req)
+    end
     ppx.finish!
 
-    puts "[.] analyzing..."
-
-    if (r=open(File.join(URL_BASE,md5,'analyze')).read) != "OK"
-      raise "invalid server response: #{r}"
+    unless [200, 302, 303].include?(res.code.to_i)
+      @pedump.logger.fatal "[!] invalid server response: #{res.code} #{res.msg}"
+      @pedump.logger.fatal res.body unless res.body.empty?
+      exit(1)
     end
 
     puts "[.] uploaded: #{file_url}"
   ensure
-    STDOUT.sync = stdout_sync
+    $stdout.sync = stdout_sync
   end
 
   def console f
@@ -312,6 +333,10 @@ class PEdump::CLI
   def dump_action action, f
     if action.is_a?(Array)
       case action[0]
+      when :disasm
+        return
+      when :extract
+        return extract action[1]
       when :va2file
         @pedump.sections(f)
         va = action[1] =~ /(^0x)|(h$)/i ? action[1].to_i(16) : action[1].to_i
@@ -798,10 +823,12 @@ class PEdump::CLI
 
   def dump_rich_hdr data
     if decoded = data.decode
-      puts "    LIB_ID        VERSION        TIMES_USED   "
+      puts "   ID   VER         COUNT  DESCRIPTION"
       decoded.each do |row|
-        printf " %5d  %2x    %7d  %4x   %7d %3x\n",
-          row.id, row.id, row.version, row.version, row.times, row.times
+#        printf " %5d  %4x    %7d  %4x   %12d %8x\n",
+#          row.id, row.id, row.version, row.version, row.times, row.times
+        printf " %4x  %4x  %12d  %s\n",
+          row.id, row.version, row.times, ::PEdump::RICH_IDS[(row.id<<16) + row.version]
       end
     else
       puts "# raw:"
@@ -812,4 +839,79 @@ class PEdump::CLI
     end
   end
 
+  def disasm x
+    puts "TODO"
+  end
+
+  def extract x
+    a = x.split(':',2)
+    case a[0]
+    when 'datadir'
+      extract_datadir a[1]
+    when 'resource'
+      extract_resource a[1]
+    when 'section'
+      extract_section a[1]
+    else
+      raise "invalid #{x.inspect}"
+    end
+  end
+
+  def extract_datadir id
+    entry = @pedump.data_directory.find{ |x| x.type == id }
+    unless entry
+      @pedump.logger.fatal "[!] entry #{id.inspect} not found"
+      exit(1)
+    end
+    if entry.size != 0
+      IO::copy_stream @pedump.io, $stdout, entry.size, @pedump.va2file(entry.va)
+    end
+  end
+
+  def extract_resource id
+    res = nil
+    if id =~ /\A0x\h+\Z/
+      needle = id.to_i(16)
+      res = @pedump.resources.find{ |r| r.file_offset == needle }
+    elsif id =~ /\A\d+\Z/
+      needle = id.to_i(10)
+      res = @pedump.resources.find{ |r| r.file_offset == needle }
+    elsif id['/']
+      type, name = id.split('/', 2)
+      res = @pedump.resources.find{ |r| r.type == type && r.name == name }
+    else
+      @pedump.logger.fatal "[!] invalid resource id #{id.inspect}"
+      exit(1)
+    end
+    unless res
+      @pedump.logger.fatal "[!] resource #{id.inspect} not found"
+      exit(1)
+    end
+    IO::copy_stream @pedump.io, $stdout, res.size, res.file_offset
+  end
+
+  def extract_section id
+    section = nil
+    if id['/']
+      a = id.split('/',2)
+      if a[0] == 'rva'
+        value = a[1].to_i(0) # auto hex/dec, but also can parse oct and bin
+        section = @pedump.sections.find{ |s| s.VirtualAddress == value }
+      elsif a[0] == 'raw'
+        value = a[1].to_i(0) # auto hex/dec, but also can parse oct and bin
+        section = @pedump.sections.find{ |s| s.PointerToRawData == value }
+      else
+        @pedump.logger.fatal "[!] invalid section id #{id.inspect}"
+        exit(1)
+      end
+    else
+      section = @pedump.sections.find{ |s| s.Name == id }
+    end
+    unless section
+      @pedump.logger.fatal "[!] section #{id.inspect} not found"
+      exit(1)
+    end
+    IO::copy_stream @pedump.io, $stdout, section.SizeOfRawData, section.PointerToRawData
+  end
+
 end # class PEdump::CLI

data/lib/pedump/loader/section.rb

@@ -10,15 +10,16 @@ class PEdump::Loader
         @hdr = x.dup
       end
       @data = EMPTY_DATA.dup
+      @delta = args[:delta] || 0
       @deferred_load_io   = args[:deferred_load_io]
-      @deferred_load_pos  = args[:deferred_load_pos]  || (@hdr && @hdr.PointerToRawData)
+      @deferred_load_pos  = args[:deferred_load_pos]  || (@hdr && (@hdr.PointerToRawData - @delta))
       @deferred_load_size = args[:deferred_load_size] || (@hdr && @hdr.SizeOfRawData)
       @image_base = args[:image_base] || 0
     end
 
     def name;  @hdr.Name; end
-    def va  ;  @hdr.VirtualAddress + @image_base; end
-    def rva ;  @hdr.VirtualAddress; end
+    def va  ;  @hdr.VirtualAddress + @image_base - @delta; end
+    def rva ;  @hdr.VirtualAddress - @delta; end
     def vsize; @hdr.VirtualSize; end
     def flags; @hdr.Characteristics; end
     def flags= f; @hdr.Characteristics= f; end
@@ -51,6 +52,7 @@ class PEdump::Loader
         @data.size > 0 ? @data.size.to_s(16) : (@deferred_load_io ? "<defer>" : 0)
       ]
       r << (" dlpos=%8x" % @deferred_load_pos) if @deferred_load_pos
+      r << (" delta=%3x" % @delta) if @delta != 0
       r << ">"
     end
   end

data/lib/pedump/loader.rb

@@ -15,7 +15,15 @@ class PEdump::Loader
 
   # shortcuts
   alias :pe :pe_hdr
-  def ep; @pe_hdr.ioh.AddressOfEntryPoint; end
+
+  def ep
+    if @pe_hdr
+      @pe_hdr.try(:ioh).try(:AddressOfEntryPoint)
+    elsif @te_hdr
+      @te_hdr.AddressOfEntryPoint - @delta
+    end
+  end
+
   def ep= v; @pe_hdr.ioh.AddressOfEntryPoint=v; end
 
   ########################################################################
@@ -23,12 +31,24 @@ class PEdump::Loader
   ########################################################################
 
   def initialize io = nil, params = {}
+    # @delta is for EFI TE loading, based on https://github.com/gdbinit/TELoader/blob/master/teloader.cpp
+    @delta = 0
     @pedump = PEdump.new(io, params)
     if io
       @mz_hdr     = @pedump.mz
       @dos_stub   = @pedump.dos_stub
       @pe_hdr     = @pedump.pe
-      @image_base = params[:image_base] || @pe_hdr.try(:ioh).try(:ImageBase) || 0
+      @te_hdr     = @pedump.te
+
+      @image_base = params[:image_base]
+      if @pe_hdr
+        @image_base ||= @pe_hdr.try(:ioh).try(:ImageBase)
+      elsif @te_hdr
+        @image_base ||= @te_hdr.ImageBase
+        @delta = @pedump.te_shift
+      end
+      @image_base ||= 0
+
       load_sections @pedump.sections, io
     end
     @find_limit = params[:find_limit] || DEFAULT_FIND_LIMIT
@@ -38,7 +58,7 @@ class PEdump::Loader
     if section_hdrs.is_a?(Array)
       @sections = section_hdrs.map do |x|
         raise "unknown section hdr: #{x.inspect}" unless x.is_a?(PEdump::IMAGE_SECTION_HEADER)
-        Section.new(x, :deferred_load_io => f, :image_base => @image_base )
+        Section.new(x, :deferred_load_io => f, :image_base => @image_base, :delta => @delta )
       end
       if f.respond_to?(:seek) && f.respond_to?(:read)
         #
@@ -249,10 +269,12 @@ class PEdump::Loader
   def names
     return @names if @names
     @names = {}
-    if oep = @pe_hdr.try(:ioh).try(:AddressOfEntryPoint)
-      oep += @image_base
-      @names[oep] = 'start'
+
+    oep = ep()
+    if oep
+      @names[oep + @image_base] = 'start'
     end
+
     _parse_imports
     _parse_exports
     #TODO: debug info