RubyGems - pedump - Versions diffs - 0.6.10 → 0.7.1 - Mend

pedump 0.6.10 → 0.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

checksums.yaml +4 -4
data/Gemfile +1 -1
data/Gemfile.lock +85 -34
data/README.md +89 -72
data/Rakefile +1 -1
data/VERSION +1 -1
data/bin/pedump +1 -1
data/data/jc-userdb.txt +0 -8
data/data/signatures.txt +1 -2
data/data/userdb.txt +0 -8
data/lib/pedump/cli.rb +305 -48
data/lib/pedump/clr/readytorun.rb +115 -0
data/lib/pedump/clr/signature.rb +318 -0
data/lib/pedump/clr.rb +709 -0
data/lib/pedump/logger.rb +1 -1
data/lib/pedump.rb +41 -5
data/pedump.gemspec +8 -5
metadata +8 -8

data/lib/pedump/logger.rb CHANGED Viewed

@@ -22,7 +22,7 @@ class PEdump
       if params[:logger]
         params[:logger]
       else
-        logdev = params[:logdev] || STDERR
+        logdev = params[:logdev] || $stderr
         logger_class =
           if params.key?(:color)
             # forced color or not

data/lib/pedump.rb CHANGED Viewed

@@ -20,6 +20,7 @@ require 'pedump/packer'
 require 'pedump/ne'
 require 'pedump/ne/version_info'
 require 'pedump/te'
+require 'pedump/clr'
 # pedump.rb by zed_0xff
 #
@@ -220,7 +221,7 @@ class PEdump
     %w'EXPORT IMPORT RESOURCE EXCEPTION SECURITY BASERELOC DEBUG ARCHITECTURE GLOBALPTR TLS LOAD_CONFIG
     Bound_IAT IAT Delay_IAT CLR_Header'
   IMAGE_DATA_DIRECTORY::TYPES.each_with_index do |type,idx|
-    IMAGE_DATA_DIRECTORY.const_set(type,idx)
+    IMAGE_DATA_DIRECTORY.const_set(type, idx)
   end
   IMAGE_SECTION_HEADER = IOStruct.new( 'A8V6v2V',
@@ -444,6 +445,26 @@ class PEdump
     nil
   end
+  def file2va offset, h = {}
+    return nil if offset.nil?
+    # a special case - PE without sections
+    return offset if sections.empty?
+    sections.each do |s|
+      if (s.PointerToRawData...(s.PointerToRawData+s.SizeOfRawData)).include?(offset)
+        return s.VirtualAddress + s.PointerToRawData - offset
+      end
+    end
+    if h[:quiet]
+      logger.debug "[?] can't find VA for file_offset 0x#{offset.to_i.to_s(16)} (quiet=true)"
+    else
+      logger.error "[?] can't find VA for file_offset 0x#{offset.to_i.to_s(16)}"
+    end
+    nil
+  end
   # OPTIONAL: assigns @mz, @rich_hdr, @pe, etc
   def dump f=@io
     if f.is_a?(String)
@@ -586,7 +607,8 @@ class PEdump
     imports.each do |iid|
       next unless iid.module_name
-      names = [iid.original_first_thunk, iid.first_thunk].compact.flatten.map do |x|
+      # was: [iid.original_first_thunk, iid.first_thunk].compact.flatten
+      names = (iid.original_first_thunk || iid.first_thunk).map do |x|
         x.name || PEdump.ordlookup(iid.module_name, x.ordinal, make_name: true)
       end.compact.map(&:downcase).uniq
       libname = iid.module_name.downcase.sub(/\.(ocx|sys|dll)$/,'') # as in python's pefile
@@ -717,9 +739,9 @@ class PEdump
         logger.info "[?] import table: empty OriginalFirstThunk for #{x.module_name}"
       elsif logger.debug?
         # compare all but VAs
-        if x.original_first_thunk != x.first_thunk
-          logger.debug "[?] import table: OriginalFirstThunk != FirstThunk for #{x.module_name}"
-        end
+        #if x.original_first_thunk != x.first_thunk
+        #  logger.debug "[?] import table: OriginalFirstThunk != FirstThunk for #{x.module_name}"
+        #end
       end
     end # r.each
     @imports
@@ -919,6 +941,20 @@ class PEdump
       end
   end
   alias :packers :packer
+  ##############################################################################
+  # tail data
+  ##############################################################################
+  def tail f=@io
+    tail_start = sections(f).map{ |s| s.PointerToRawData + s.SizeOfRawData }.max
+    if tail_start && tail_start < f.size
+      f.seek tail_start
+      f
+    else
+      nil
+    end
+  end
 end
 ####################################################################################

data/pedump.gemspec CHANGED Viewed

@@ -2,16 +2,16 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Juwelier::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: pedump 0.6.10 ruby lib
+# stub: pedump 0.7.1 ruby lib
 Gem::Specification.new do |s|
   s.name = "pedump".freeze
-  s.version = "0.6.10".freeze
+  s.version = "0.7.1".freeze
   s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib".freeze]
   s.authors = ["Andrey \"Zed\" Zaikin".freeze]
-  s.date = "2024-05-10"
+  s.date = "1980-01-02"
   s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc".freeze
   s.email = "zed.0xff@gmail.com".freeze
   s.executables = ["pedump".freeze]
@@ -40,6 +40,9 @@ Gem::Specification.new do |s|
     "data/userdb.txt",
     "lib/pedump.rb",
     "lib/pedump/cli.rb",
+    "lib/pedump/clr.rb",
+    "lib/pedump/clr/readytorun.rb",
+    "lib/pedump/clr/signature.rb",
     "lib/pedump/comparer.rb",
     "lib/pedump/composite_io.rb",
     "lib/pedump/core.rb",
@@ -73,14 +76,14 @@ Gem::Specification.new do |s|
   ]
   s.homepage = "http://github.com/zed-0xff/pedump".freeze
   s.licenses = ["MIT".freeze]
-  s.rubygems_version = "3.5.6".freeze
+  s.rubygems_version = "3.6.9".freeze
   s.summary = "dump win32 PE executable files with a pure ruby".freeze
   s.specification_version = 4
   s.add_runtime_dependency(%q<rainbow>.freeze, [">= 0".freeze])
   s.add_runtime_dependency(%q<awesome_print>.freeze, [">= 0".freeze])
-  s.add_runtime_dependency(%q<iostruct>.freeze, [">= 0.0.4".freeze])
+  s.add_runtime_dependency(%q<iostruct>.freeze, [">= 0.5.0".freeze])
   s.add_runtime_dependency(%q<multipart-post>.freeze, [">= 2.0.0".freeze])
   s.add_runtime_dependency(%q<zhexdump>.freeze, [">= 0.0.2".freeze])
   s.add_development_dependency(%q<rspec>.freeze, [">= 0".freeze])

metadata CHANGED Viewed

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.6.10
+  version: 0.7.1
 platform: ruby
 authors:
 - Andrey "Zed" Zaikin
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-05-10 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rainbow
@@ -44,14 +43,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.0.4
+        version: 0.5.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.0.4
+        version: 0.5.0
 - !ruby/object:Gem::Dependency
   name: multipart-post
   requirement: !ruby/object:Gem::Requirement
@@ -165,6 +164,9 @@ files:
 - data/userdb.txt
 - lib/pedump.rb
 - lib/pedump/cli.rb
+- lib/pedump/clr.rb
+- lib/pedump/clr/readytorun.rb
+- lib/pedump/clr/signature.rb
 - lib/pedump/comparer.rb
 - lib/pedump/composite_io.rb
 - lib/pedump/core.rb
@@ -199,7 +201,6 @@ homepage: http://github.com/zed-0xff/pedump
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -214,8 +215,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.6
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: dump win32 PE executable files with a pure ruby
 test_files: []