pedump 0.6.10 → 0.7.1

data/lib/pedump/cli.rb

@@ -31,15 +31,28 @@ rescue LoadError
 end
 
 class PEdump::CLI
-  attr_accessor :data, :argv
+  attr_accessor :data, :argv, :success
+
+  SHORTCUT_ACTIONS = {
+    clr: %i'clr_header clr_readytorun clr_metadata clr_streams clr_strings clr_tables',
+  }
+
+  ACTION_COMMENTS = {}
+  SHORTCUT_ACTIONS.each do |k,v|
+    ACTION_COMMENTS[k] = 'a shortcut for --' + v.join(', --')
+  end
+
+  ACTION_ARGS = {
+    clr_tables: "[TABLES]",
+  }
 
   KNOWN_ACTIONS = (
-    %w'mz dos_stub rich pe ne te data_directory sections tls security' +
-    %w'strings resources resource_directory imports exports version_info imphash packer web console packer_only' +
-    %w'extract' # 'disasm'
-  ).map(&:to_sym)
+    %i'mz dos_stub rich pe ne te data_directory clr_header clr_metadata clr_readytorun clr_streams clr_strings clr_tables sections tls security' +
+    %i'strings resources resource_directory imports exports version_info imphash packer web console packer_only' +
+    %i'extract tail'
+  ) + SHORTCUT_ACTIONS.keys
 
-  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory web packer_only console extract disasm'.map(&:to_sym)
+  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %i'resource_directory web packer_only console extract disasm clr clr_tables' - SHORTCUT_ACTIONS.keys
 
   URL_BASE = "https://pedump.me"
 
@@ -48,6 +61,7 @@ class PEdump::CLI
   end
 
   def run
+    @success = true
     @actions = []
     @options = { :format => :table, :verbose => 0 }
     optparser = OptionParser.new do |opts|
@@ -71,16 +85,23 @@ class PEdump::CLI
         "Output format: bin,c,dump,hex,inspect,json,table,yaml","(default: table)" do |v|
         @options[:format] = v
       end
-      KNOWN_ACTIONS.each do |t|
+
+      opts.separator ''
+      KNOWN_ACTIONS.sort.each do |t|
         a = [
-          "--#{t.to_s.tr('_','-')}",
-          eval("lambda{ |_| @actions << :#{t.to_s.tr('-','_')} }")
+          "--#{t.to_s.tr('_','-')}" + (ACTION_ARGS[t] ? " #{ACTION_ARGS[t]}" : ""),
+          ACTION_COMMENTS[t] || t.to_s,
+          lambda{ |arg| @actions << (arg && ACTION_ARGS[t] ? [t, arg] : t) },
         ]
         a.unshift(a[0][1,2].upcase) if a[0] =~ /--(((ex|im)port|section|resource)s|version-info)/
         a.unshift(a[0][1,2]) if a[0] =~ /--strings/
         opts.on *a
       end
 
+      opts.separator ''
+      opts.on "--tokens", "Show CLR tokens" do
+        @options[:tokens] = true
+      end
       opts.on "--deep", "packer deep scan, significantly slower" do
         @options[:deep] ||= 0
         @options[:deep] += 1
@@ -111,13 +132,21 @@ class PEdump::CLI
               "ID: section:.text      - section by name",
               "ID: section:rva/0x1000 - section by RVA",
               "ID: section:raw/0x400  - section by RAW_PTR",
+              "ID: tail               - file tail",
+              "ID: tail:c00           - file tail + 0xc00 offset",
              ) do |v|
         @actions << [:extract, v]
       end
-      opts.on "--va2file VA", "Convert RVA to file offset" do |va|
+
+      opts.separator ''
+      opts.on "--va2file VA", "Convert VA to file offset" do |va|
         @actions << [:va2file, va]
       end
+      opts.on "--file2va OFFSET", "Convert file offset to VA" do |offset|
+        @actions << [:file2va, offset]
+      end
 
+      opts.separator ''
       opts.on "--set-os-version VER", "Patch OS version in PE header" do |ver|
         @actions << [:set_os_version, ver]
       end
@@ -152,6 +181,12 @@ class PEdump::CLI
       return
     end
 
+    SHORTCUT_ACTIONS.each do |k,v|
+      if idx = @actions.index(k)
+        @actions[idx,1] = *v
+      end
+    end
+
     argv.each_with_index do |fname,idx|
       @need_fname_header = (argv.size > 1)
       @file_idx  = idx
@@ -172,9 +207,11 @@ class PEdump::CLI
         end
       end
     end
+    @success
   rescue Errno::EPIPE
     # output interrupt, f.ex. when piping output to a 'head' command
     # prevents a 'Broken pipe - <STDOUT> (Errno::EPIPE)' message
+    @success
   end
 
   def create_pedump io
@@ -331,6 +368,8 @@ class PEdump::CLI
       puts "# -----------------------------------------------"
     end
 
+    action = action.first if action.is_a?(Array)
+
     s = action.to_s.upcase.tr('_',' ')
     s += " Header" if [:mz, :pe, :rich].include?(action)
     s = "Packer / Compiler" if action == :packer
@@ -339,27 +378,35 @@ class PEdump::CLI
   end
 
   def dump_action action, f
+    data = nil
+    got_data = false
+
     if action.is_a?(Array)
       case action[0]
       when :disasm
         return
-      when :extract
-        return extract action[1]
-      when :set_os_version
-        return set_os_version action[1]
-      when :set_dll_char
-        return set_dll_char action[1]
-      when :va2file
+      when :va2file, :file2va
+        cmd = action[0]
         @pedump.sections(f)
         va = action[1] =~ /(^0x)|(h$)/i ? action[1].to_i(16) : action[1].to_i
-        file_offset = @pedump.va2file(va)
-        printf "va2file(0x%x) = 0x%x  (%d)\n", va, file_offset, file_offset
+        file_offset = @pedump.send(cmd, va)
+        if file_offset
+          printf("%s(0x%x) = 0x%x  (%d)\n", cmd, va, file_offset, file_offset)
+        else
+          @success = false
+        end
         return
-      else raise "unknown action #{action.inspect}"
+      else
+        if respond_to?(action[0])
+          return send(*action)
+        else
+          data = @pedump.send(*action)
+          got_data = true
+        end
       end
     end
 
-    data = @pedump.send(action, f)
+    data = @pedump.send(action, f) unless got_data
     return if !data || (data.respond_to?(:empty?) && data.empty?)
 
     puts action_title(action) unless @options[:format] == :binary || @actions == [:imphash]
@@ -421,26 +468,47 @@ class PEdump::CLI
   end
 
   COMMENTS = {
-    :Machine => {
-      0x014c => 'x86',
-      0x0200 => 'Intel Itanium',
-      0x8664 => 'x64',
-      'default' => '???'
+    PEdump::IMAGE_FILE_HEADER => {
+      Characteristics: Proc.new{ |v| _flags2string(v.flags) },
+      Machine: {
+        0x014c => 'x86',
+        0x0200 => 'Intel Itanium',
+        0x8664 => 'x64',
+        default: '???'
+      }
     },
-    :Magic => {
-      0x010b => '32-bit executable',
-      0x020b => '64-bit executable',
-      0x0107 => 'ROM image',
-      'default' => '???'
+    PEdump::IMAGE_COR20_HEADER => {
+      Flags: Proc.new{ |v| _flags2string(v.flags) },
+    },
+    PEdump::CLR::MetadataTableStreamHeader => {
+      HeapSizes: Proc.new{ |v| _flags2string(v.heap_sizes) },
+      Valid:     Proc.new{ |v| _flags2string(v.valid_flags) },
+      Sorted:    Proc.new{ |v| _flags2string(v.sorted_flags) },
+    },
+    PEdump::CLR::READYTORUN_CORE_HEADER => {
+      Flags: Proc.new{ |v| _flags2string(v.flags) },
     },
-    :Subsystem => PEdump::IMAGE_SUBSYSTEMS
   }
+  [PEdump::IMAGE_OPTIONAL_HEADER32, PEdump::IMAGE_OPTIONAL_HEADER64].each do |klass|
+    COMMENTS[klass] = {
+      Magic: {
+        0x010b => '32-bit executable',
+        0x020b => '64-bit executable',
+        0x0107 => 'ROM image',
+        default: '???'
+      },
+      Subsystem: PEdump::IMAGE_SUBSYSTEMS,
+      DllCharacteristics: Proc.new{ |v| _flags2string(v.flags) },
+    }
+  end
 
-  def _flags2string flags
+  def self._flags2string flags, max_width: 80
     return '' if !flags || flags.empty?
-    a = [flags.shift.dup]
+    flags.map!{ |f| f.is_a?(String) ? f.dup : f.to_s }
+
+    a = [flags.shift]
     flags.each do |f|
-      if (a.last.size + f.size) < 40
+      if (a.last.size + f.size) < max_width
         a.last << ", " << f
       else
         a << f.dup
@@ -452,6 +520,7 @@ class PEdump::CLI
   def dump_generic_table data
     data.each_pair do |k,v|
       next if [:DataDirectory, :section_table].include?(k)
+
       case v
       when Numeric
         case k
@@ -461,17 +530,35 @@ class PEdump::CLI
         when /TimeDateStamp/
           printf "%30s: %24s\n", k, Time.at(v).utc.strftime('"%Y-%m-%d %H:%M:%S"')
         else
-          comment = ''
-          if COMMENTS[k]
-            comment = COMMENTS[k][v] || (COMMENTS[k].is_a?(Hash) ? COMMENTS[k]['default'] : '') || ''
-          elsif data.is_a?(PEdump::IMAGE_FILE_HEADER) && k == :Characteristics
-            comment = _flags2string(data.flags)
-          elsif k == :DllCharacteristics
-            comment = _flags2string(data.flags)
-          end
+          comment =
+            if COMMENTS[data.class] && cmt=COMMENTS[data.class][k]
+              case cmt
+              when Hash
+                cmt[v] || cmt[:default]
+              when Array
+                cmt[v]
+              when Proc
+                cmt.call(data)
+              else
+                raise "invalid comment type: #{cmt.inspect}"
+              end
+            end
+          comment ||= ''
           comment.strip!
           comment = "  #{comment}" unless comment.empty?
-          printf "%30s: %10d  %12s%s\n", k, v, v<10 ? v : ("0x"+v.to_s(16)), comment
+          if v.to_s.size > 10 || v < 10
+            # don't show decimal
+            printf "%30s: %6s  %16s%s\n", k, "", v.to_s(16), comment
+          else
+            printf "%30s: %10d  %12s%s\n", k, v, v.to_s(16), comment
+          end
+        end
+      when PEdump::IMAGE_DATA_DIRECTORY
+        # in CLR headers
+        if v.va.to_i != 0 && v.size.to_i != 0
+          printf "%30s: {va: %x, size: %x}\n", k, v.va, v.size
+        else
+          printf "%30s:\n", k
         end
       when Struct
         # IMAGE_FILE_HEADER:
@@ -481,15 +568,44 @@ class PEdump::CLI
       when Time
         printf "%30s: %24s\n", k, v.strftime('"%Y-%m-%d %H:%M:%S"')
       else
-        printf "%30s: %24s\n", k, v.to_s.inspect
+        if v.is_a?(Array) && v.all?{ |x| x.is_a?(Struct) }
+          a = v
+          printf "%30s: %24s\n", k, a[0]
+          a[1..-1].each do |v|
+            printf "%30s  %24s\n", "", v
+          end
+        else
+          printf "%30s: %24s\n", k, v.to_s.inspect
+        end
       end
     end
   end
 
   def dump_table data, opts = {}
+    case data
+    when File
+      # tail
+      printf "0x%x (%d) bytes starting at 0x%x:\n\n", data.size-data.tell, data.size-data.tell, data.tell
+
+      a = data.read(4096).to_hexdump.split("\n", 11)
+      if a.size > 10
+        a[10] = "..."
+      end
+      puts a.join("\n")
+      return
+    when PEdump::CLR::TablesHash
+      return dump_clr_tables data
+    when PEdump::CLR::StringsHash
+      data.each do |offset, str|
+        printf "%8x: %s\n", offset, str.inspect
+      end
+      return
+    end
+
     if data.is_a?(Struct)
       return dump_res_dir(data) if data.is_a?(PEdump::IMAGE_RESOURCE_DIRECTORY)
       return dump_exports(data) if data.is_a?(PEdump::IMAGE_EXPORT_DIRECTORY)
+
       dump_generic_table data
     elsif data.is_a?(Enumerable) && data.map(&:class).uniq.size == 1
       case data.first
@@ -515,8 +631,10 @@ class PEdump::CLI
         dump_security data
       when PEdump::NE::Segment
         dump_ne_segments data
+      when PEdump::CLR::MetadataStreamHeader
+        dump_clr_streams data
       else
-        puts "[?] don't know how to dump: #{data.inspect[0,50]}" unless data.empty?
+        puts "[?] dump_table: don't know how to dump: #{data.inspect[0,50]}" unless (data.respond_to?(:empty?) && data.empty?)
       end
     elsif data.is_a?(PEdump::DOSStub)
       data.hexdump
@@ -532,6 +650,136 @@ class PEdump::CLI
     end
   end
 
+  def dump_clr_streams data
+    clr_header = @pedump.clr_header
+    clr_data_file_ofs = clr_header.MetaData.va.to_i > 0 && @pedump.va2file(clr_header.MetaData.va)
+
+    fmt = "%8x %8x  %-32s\n"
+    printf fmt.tr('x','s'), *%w'offset size name'
+    data.each do |s|
+      printf fmt, s.offset, s.size, s.name.inspect
+      if clr_data_file_ofs && s.offset < clr_header.MetaData.size
+        if s.name == "#-" || s.name == "#~"
+          pos = clr_data_file_ofs + s.offset
+          @pedump.io.seek(pos)
+          hdr = PEdump::CLR::MetadataTableStreamHeader.read(@pedump.io)
+          dump hdr
+        end
+      end
+    end
+  end
+
+  def dump_clr_tables data
+    strings = @pedump.clr_strings rescue {}
+    strings ||= {}
+    blob_stream = @pedump.clr_streams.find{ |s| s.name == "#Blob" }
+
+    clr_header = @pedump.clr_header
+    clr_data_file_ofs = clr_header.MetaData.va.to_i > 0 && @pedump.va2file(clr_header.MetaData.va)
+    blob_file_ofs = blob_stream.offset + clr_data_file_ofs if blob_stream
+    blob_size = blob_stream&.size
+
+    prev_signature = nil
+    data.each do |key, table|
+      table_idx = PEdump::CLR::MetadataTableStreamHeader::FLAGS.keys.index(key)
+      printf "# %02x %s: [%d]\n", table_idx, key, table.size
+      table.each_with_index do |row, idx|
+        next if idx == 0 && row.nil?
+
+        if @options[:tokens]
+          token = (table_idx << 24) | idx
+          printf "%08x: ", token
+        else
+          printf "%6x: ", idx
+        end
+        print row.to_table
+
+        comments = []
+        if row.respond_to?(:decode_Class)
+          table_key, idx = row.decode_Class
+          if table_key && idx
+            referred_row = data[table_key]&.at(idx)
+            comments << referred_row&.get_name(strings)
+          end
+        end
+
+        signature = nil
+        if row.respond_to?(:Signature) && blob_file_ofs && blob_size && row.Signature < blob_size
+          @pedump.io.seek(blob_file_ofs + row.Signature + 1)
+          signature = PEdump::CLR::Signature.read(@pedump.io, key)
+        end
+
+        comments << row.get_name(strings) || row.to_s
+        if comments.any?
+          name_with_ns = comments.join(key == :MemberRef ? '.' : ' ')
+          if signature
+            prefix = 
+              if signature.respond_to?(:ret_type)
+                "#{signature.ret_type} "
+              elsif signature.respond_to?(:type)
+                "#{signature.type} "
+              else
+                ''
+              end
+
+            suffix = ''
+            if signature.respond_to?(:params) && signature.params
+              suffix = '(' + signature.params.join(', ') + ')'
+            end
+
+            name_with_ns = prefix + name_with_ns + suffix
+            name_with_ns.gsub!(/(?:CLASS|VALUE) (\h{7,8})/) do |orig|
+              id = $1.to_i(16)
+              table_id = id >> 24
+              table_key = PEdump::CLR::MetadataTableStreamHeader::FLAGS.keys[table_id]
+              idx = id & 0xffffff
+              referred_row = data[table_key]&.at(idx)
+              referred_name = referred_row&.get_name(strings) || referred_row&.to_s
+              referred_name || orig
+            end
+            name_with_ns.gsub!(/System\.Nullable\`1 <([^<>]+)>/, '\1?')
+          end
+          printf "   %s", name_with_ns
+        end
+        puts
+
+        if @options[:verbose] > 0
+          was = false
+          h = row.to_h
+          h.keys.each do |field_key|
+            if row.respond_to?("decode_#{field_key}")
+              was = true
+              a = row.send("decode_#{field_key}")
+              printf "%20s: %-20s", field_key, a.inspect  
+              table_key, idx = a
+              if table_key && idx
+                referred_row = data[table_key]&.at(idx)
+                if referred_row
+                  printf "%s", referred_row.get_name(strings) || referred_row.to_s
+                end
+              end
+              puts
+            end
+            if field_key == :Signature && signature && prev_signature != row.Signature
+              printf "%20s: ", "Signature"
+              @pedump.io.seek(blob_file_ofs + row.Signature + 1)
+              sig_data = @pedump.io.read(32) # not real length
+              puts sig_data.bytes.map{ |b| "%02x" % b }.join(' ')
+
+              printf "%20s  ", ""
+              p signature
+                
+              was = true
+              prev_signature = row.Signature
+            end
+          end
+          puts if was
+        end
+      end
+      puts
+    end
+  end
+
   def dump_security data
     return unless data
     data.each do |win_cert|
@@ -675,7 +923,8 @@ class PEdump::CLI
     data.each do |x|
       case x
       when PEdump::IMAGE_IMPORT_DESCRIPTOR
-        (Array(x.original_first_thunk) + Array(x.first_thunk)).uniq.each do |f|
+        # (Array(x.original_first_thunk) + Array(x.first_thunk)).uniq.each do |f|
+        (x.original_first_thunk || x.first_thunk).each do |f|
           next unless f
           # imported function
           printf fmt,
@@ -869,6 +1118,8 @@ class PEdump::CLI
       extract_resource a[1]
     when 'section'
       extract_section a[1]
+    when 'tail'
+      extract_tail a[1]
     else
       raise "invalid #{x.inspect}"
     end
@@ -931,6 +1182,12 @@ class PEdump::CLI
     _copy_stream @pedump.io, $stdout, section.SizeOfRawData, section.PointerToRawData
   end
 
+  def extract_tail offset
+    io = @pedump.tail
+    io.seek(offset.to_i(16), IO::SEEK_CUR) if offset
+    _copy_stream io, $stdout
+  end
+
   def set_dll_char x
     @pedump.pe.image_optional_header.DllCharacteristics = x.to_i(0)
     io = @pedump.io.reopen(@file_name,'rb+')
@@ -977,7 +1234,7 @@ class PEdump::CLI
 
   # https://github.com/zed-0xff/pedump/issues/44
   # https://redmine.ruby-lang.org/issues/12280
-  def _copy_stream(src, dst, src_length = nil, src_offset = 0)
+  def _copy_stream(src, dst, src_length = nil, src_offset = nil)
     IO::copy_stream(src, dst, src_length, src_offset)
   rescue NotImplementedError # `copy_stream': pread() not implemented (NotImplementedError)
     src_length ||= src.size - src_offset

data/lib/pedump/clr/readytorun.rb

@@ -0,0 +1,115 @@
+#!/usr/bin/env ruby
+#coding: binary
+
+# https://github.com/dotnet/runtime/blob/main/docs/design/coreclr/botr/readytorun-format.md
+class PEdump
+  module CLR
+    class READYTORUN_HEADER < IOStruct.new(
+      'LSS',
+
+      :Signature,
+      :MajorVersion,
+      :MinorVersion,
+      :CoreHeader    # READYTORUN_CORE_HEADER - dynamic size!
+    )
+
+      MAGIC = 0x00525452 # 'RTR\0'
+
+      def valid?
+        self.Signature == MAGIC
+      end
+
+      def self.read io
+        super.tap do |r|
+          r.CoreHeader = READYTORUN_CORE_HEADER.read(io)
+        end
+      end
+    end
+
+    class READYTORUN_CORE_HEADER < IOStruct.new('LL', :Flags, :NumberOfSections, :Sections)
+      FLAGS = {
+        0x01 => 'PLATFORM_NEUTRAL_SOURCE',    # Set if the original IL image was platform neutral. The platform neutrality is part of assembly name. This flag can be used to reconstruct the full original assembly name.
+        0x02 => 'COMPOSITE',                  # The image represents a composite R2R file resulting from a combined compilation of a larger number of input MSIL assemblies.
+        0x04 => 'PARTIAL',
+        0x08 => 'NONSHARED_PINVOKE_STUBS',    # PInvoke stubs compiled into image are non-shareable (no secret parameter)
+        0x10 => 'EMBEDDED_MSIL',              # Input MSIL is embedded in the R2R image.
+        0x20 => 'COMPONENT',                  # is a component assembly of a composite R2R image
+        0x40 => 'MULTIMODULE_VERSION_BUBBLE', # has multiple modules within its version bubble (For versions before version 6.3, all modules are assumed to possibly have this characteristic)
+        0x80 => 'UNRELATED_R2R_CODE'          # has code in it that would not be naturally encoded into this module
+      }
+
+      def flags
+        FLAGS.find_all{ |k,v| (self.Flags & k) != 0 }.map(&:last)
+      end
+
+      def self.read io
+        super.tap do |r|
+          r.Sections = r.NumberOfSections.times.map do
+            READYTORUN_SECTION.read(io)
+          end
+        end
+      end
+    end
+
+    # https://github.com/dotnet/runtime/blob/main/docs/design/coreclr/botr/readytorun-format.md#readytorun_section
+    class READYTORUN_SECTION < IOStruct.new('L',
+                                            :Type,
+                                            :Section # IMAGE_DATA_DIRECTORY
+                                           )
+
+      SECTION_TYPES = {
+        100 => "CompilerIdentifier",        # Image
+        101 => "ImportSections",            # Image
+        102 => "RuntimeFunctions",          # Image
+        103 => "MethodDefEntryPoints",      # Assembly
+        104 => "ExceptionInfo",             # Assembly
+        105 => "DebugInfo",                 # Assembly
+        106 => "DelayLoadMethodCallThunks", # Assembly
+        107 => "AvailableTypes",            # (obsolete - used by an older format)
+        108 => "AvailableTypes",            # Assembly
+        109 => "InstanceMethodEntryPoints", # Image
+        110 => "InliningInfo",              # Assembly (added in V2.1)
+        111 => "ProfileDataInfo",           # Image (added in V2.2)
+        112 => "ManifestMetadata",          # Image (added in V2.3)
+        113 => "AttributePresence",         # Assembly (added in V3.1)
+        114 => "InliningInfo2",             # Image (added in V4.1)
+        115 => "ComponentAssemblies",       # Image (added in V4.1)
+        116 => "OwnerCompositeExecutable",  # Image (added in V4.1)
+        117 => "PgoInstrumentationData",    # Image (added in V5.2)
+        118 => "ManifestAssemblyMvids",     # Image (added in V5.3)
+        119 => "CrossModuleInlineInfo",     # Image (added in V6.3)
+        120 => "HotColdMap",                # Image (added in V8.0)
+        121 => "MethodIsGenericMap",        # Assembly (Added in V9.0)
+        122 => "EnclosingTypeMap",          # Assembly (Added in V9.0)
+        123 => "TypeGenericInfoMap",        # Assembly (Added in V9.0)
+      }
+
+      def to_s
+        "<%s Type=%3d va=%8x size=%8x>  %s" % [self.class, self.Type, self.Section.va, self.Section.size, SECTION_TYPES[self.Type] || "?"]
+      end
+
+      def self.read io
+        super.tap do |r|
+          r.Section = IMAGE_DATA_DIRECTORY.read(io)
+        end
+      end
+    end
+  end # module CLR
+
+  def clr_readytorun f=@io
+    return nil unless hdr = clr_header(f)
+
+    dir = hdr.ManagedNativeHeader
+    return nil if !dir || (dir.va.to_i == 0 && dir.size.to_i == 0)
+
+    file_offset = va2file(dir.va)
+    return nil unless file_offset
+
+    f.seek(file_offset)
+    magic = f.read(4).unpack1('L')
+    return nil if magic != CLR::READYTORUN_HEADER::MAGIC
+
+    f.seek(file_offset)
+    CLR::READYTORUN_HEADER.read(f)
+  end
+end