pedump 0.6.6 → 0.6.9

data/data/ordlookup/pefile2json.py

@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+import yaml
+from pefile import ordlookup
+#from PE import ordlookup
+
+for dll, ord_names in ordlookup.ords.items():
+    if isinstance(list(ord_names.keys())[0], bytes):
+        ord_names = {k: v.decode("utf-8") for k, v in ord_names.items()}
+    
+    yaml_data = yaml.dump(ord_names, allow_unicode=True, default_flow_style=False)
+
+    if isinstance(dll, bytes):
+        dll = dll.decode("utf-8")
+    file_name = dll + ".yml"
+    with open(file_name, 'w', encoding='utf-8') as yaml_file:
+        yaml_file.write(yaml_data)
+

data/data/ordlookup/ws2_32.dll.yml

@@ -0,0 +1,234 @@
+1: !!binary |
+  YWNjZXB0
+2: !!binary |
+  YmluZA==
+3: !!binary |
+  Y2xvc2Vzb2NrZXQ=
+4: !!binary |
+  Y29ubmVjdA==
+5: !!binary |
+  Z2V0cGVlcm5hbWU=
+6: !!binary |
+  Z2V0c29ja25hbWU=
+7: !!binary |
+  Z2V0c29ja29wdA==
+8: !!binary |
+  aHRvbmw=
+9: !!binary |
+  aHRvbnM=
+10: !!binary |
+  aW9jdGxzb2NrZXQ=
+11: !!binary |
+  aW5ldF9hZGRy
+12: !!binary |
+  aW5ldF9udG9h
+13: !!binary |
+  bGlzdGVu
+14: !!binary |
+  bnRvaGw=
+15: !!binary |
+  bnRvaHM=
+16: !!binary |
+  cmVjdg==
+17: !!binary |
+  cmVjdmZyb20=
+18: !!binary |
+  c2VsZWN0
+19: !!binary |
+  c2VuZA==
+20: !!binary |
+  c2VuZHRv
+21: !!binary |
+  c2V0c29ja29wdA==
+22: !!binary |
+  c2h1dGRvd24=
+23: !!binary |
+  c29ja2V0
+24: !!binary |
+  R2V0QWRkckluZm9X
+25: !!binary |
+  R2V0TmFtZUluZm9X
+26: !!binary |
+  V1NBcFNldFBvc3RSb3V0aW5l
+27: !!binary |
+  RnJlZUFkZHJJbmZvVw==
+28: !!binary |
+  V1BVQ29tcGxldGVPdmVybGFwcGVkUmVxdWVzdA==
+29: !!binary |
+  V1NBQWNjZXB0
+30: !!binary |
+  V1NBQWRkcmVzc1RvU3RyaW5nQQ==
+31: !!binary |
+  V1NBQWRkcmVzc1RvU3RyaW5nVw==
+32: !!binary |
+  V1NBQ2xvc2VFdmVudA==
+33: !!binary |
+  V1NBQ29ubmVjdA==
+34: !!binary |
+  V1NBQ3JlYXRlRXZlbnQ=
+35: !!binary |
+  V1NBRHVwbGljYXRlU29ja2V0QQ==
+36: !!binary |
+  V1NBRHVwbGljYXRlU29ja2V0Vw==
+37: !!binary |
+  V1NBRW51bU5hbWVTcGFjZVByb3ZpZGVyc0E=
+38: !!binary |
+  V1NBRW51bU5hbWVTcGFjZVByb3ZpZGVyc1c=
+39: !!binary |
+  V1NBRW51bU5ldHdvcmtFdmVudHM=
+40: !!binary |
+  V1NBRW51bVByb3RvY29sc0E=
+41: !!binary |
+  V1NBRW51bVByb3RvY29sc1c=
+42: !!binary |
+  V1NBRXZlbnRTZWxlY3Q=
+43: !!binary |
+  V1NBR2V0T3ZlcmxhcHBlZFJlc3VsdA==
+44: !!binary |
+  V1NBR2V0UU9TQnlOYW1l
+45: !!binary |
+  V1NBR2V0U2VydmljZUNsYXNzSW5mb0E=
+46: !!binary |
+  V1NBR2V0U2VydmljZUNsYXNzSW5mb1c=
+47: !!binary |
+  V1NBR2V0U2VydmljZUNsYXNzTmFtZUJ5Q2xhc3NJZEE=
+48: !!binary |
+  V1NBR2V0U2VydmljZUNsYXNzTmFtZUJ5Q2xhc3NJZFc=
+49: !!binary |
+  V1NBSHRvbmw=
+50: !!binary |
+  V1NBSHRvbnM=
+51: !!binary |
+  Z2V0aG9zdGJ5YWRkcg==
+52: !!binary |
+  Z2V0aG9zdGJ5bmFtZQ==
+53: !!binary |
+  Z2V0cHJvdG9ieW5hbWU=
+54: !!binary |
+  Z2V0cHJvdG9ieW51bWJlcg==
+55: !!binary |
+  Z2V0c2VydmJ5bmFtZQ==
+56: !!binary |
+  Z2V0c2VydmJ5cG9ydA==
+57: !!binary |
+  Z2V0aG9zdG5hbWU=
+58: !!binary |
+  V1NBSW5zdGFsbFNlcnZpY2VDbGFzc0E=
+59: !!binary |
+  V1NBSW5zdGFsbFNlcnZpY2VDbGFzc1c=
+60: !!binary |
+  V1NBSW9jdGw=
+61: !!binary |
+  V1NBSm9pbkxlYWY=
+62: !!binary |
+  V1NBTG9va3VwU2VydmljZUJlZ2luQQ==
+63: !!binary |
+  V1NBTG9va3VwU2VydmljZUJlZ2luVw==
+64: !!binary |
+  V1NBTG9va3VwU2VydmljZUVuZA==
+65: !!binary |
+  V1NBTG9va3VwU2VydmljZU5leHRB
+66: !!binary |
+  V1NBTG9va3VwU2VydmljZU5leHRX
+67: !!binary |
+  V1NBTlNQSW9jdGw=
+68: !!binary |
+  V1NBTnRvaGw=
+69: !!binary |
+  V1NBTnRvaHM=
+70: !!binary |
+  V1NBUHJvdmlkZXJDb25maWdDaGFuZ2U=
+71: !!binary |
+  V1NBUmVjdg==
+72: !!binary |
+  V1NBUmVjdkRpc2Nvbm5lY3Q=
+73: !!binary |
+  V1NBUmVjdkZyb20=
+74: !!binary |
+  V1NBUmVtb3ZlU2VydmljZUNsYXNz
+75: !!binary |
+  V1NBUmVzZXRFdmVudA==
+76: !!binary |
+  V1NBU2VuZA==
+77: !!binary |
+  V1NBU2VuZERpc2Nvbm5lY3Q=
+78: !!binary |
+  V1NBU2VuZFRv
+79: !!binary |
+  V1NBU2V0RXZlbnQ=
+80: !!binary |
+  V1NBU2V0U2VydmljZUE=
+81: !!binary |
+  V1NBU2V0U2VydmljZVc=
+82: !!binary |
+  V1NBU29ja2V0QQ==
+83: !!binary |
+  V1NBU29ja2V0Vw==
+84: !!binary |
+  V1NBU3RyaW5nVG9BZGRyZXNzQQ==
+85: !!binary |
+  V1NBU3RyaW5nVG9BZGRyZXNzVw==
+86: !!binary |
+  V1NBV2FpdEZvck11bHRpcGxlRXZlbnRz
+87: !!binary |
+  V1NDRGVpbnN0YWxsUHJvdmlkZXI=
+88: !!binary |
+  V1NDRW5hYmxlTlNQcm92aWRlcg==
+89: !!binary |
+  V1NDRW51bVByb3RvY29scw==
+90: !!binary |
+  V1NDR2V0UHJvdmlkZXJQYXRo
+91: !!binary |
+  V1NDSW5zdGFsbE5hbWVTcGFjZQ==
+92: !!binary |
+  V1NDSW5zdGFsbFByb3ZpZGVy
+93: !!binary |
+  V1NDVW5JbnN0YWxsTmFtZVNwYWNl
+94: !!binary |
+  V1NDVXBkYXRlUHJvdmlkZXI=
+95: !!binary |
+  V1NDV3JpdGVOYW1lU3BhY2VPcmRlcg==
+96: !!binary |
+  V1NDV3JpdGVQcm92aWRlck9yZGVy
+97: !!binary |
+  ZnJlZWFkZHJpbmZv
+98: !!binary |
+  Z2V0YWRkcmluZm8=
+99: !!binary |
+  Z2V0bmFtZWluZm8=
+101: !!binary |
+  V1NBQXN5bmNTZWxlY3Q=
+102: !!binary |
+  V1NBQXN5bmNHZXRIb3N0QnlBZGRy
+103: !!binary |
+  V1NBQXN5bmNHZXRIb3N0QnlOYW1l
+104: !!binary |
+  V1NBQXN5bmNHZXRQcm90b0J5TnVtYmVy
+105: !!binary |
+  V1NBQXN5bmNHZXRQcm90b0J5TmFtZQ==
+106: !!binary |
+  V1NBQXN5bmNHZXRTZXJ2QnlQb3J0
+107: !!binary |
+  V1NBQXN5bmNHZXRTZXJ2QnlOYW1l
+108: !!binary |
+  V1NBQ2FuY2VsQXN5bmNSZXF1ZXN0
+109: !!binary |
+  V1NBU2V0QmxvY2tpbmdIb29r
+110: !!binary |
+  V1NBVW5ob29rQmxvY2tpbmdIb29r
+111: !!binary |
+  V1NBR2V0TGFzdEVycm9y
+112: !!binary |
+  V1NBU2V0TGFzdEVycm9y
+113: !!binary |
+  V1NBQ2FuY2VsQmxvY2tpbmdDYWxs
+114: !!binary |
+  V1NBSXNCbG9ja2luZw==
+115: !!binary |
+  V1NBU3RhcnR1cA==
+116: !!binary |
+  V1NBQ2xlYW51cA==
+151: !!binary |
+  X19XU0FGRElzU2V0
+500: !!binary |
+  V0VQ

data/data/ordlookup/wsock32.dll.yml

@@ -0,0 +1,234 @@
+1: !!binary |
+  YWNjZXB0
+2: !!binary |
+  YmluZA==
+3: !!binary |
+  Y2xvc2Vzb2NrZXQ=
+4: !!binary |
+  Y29ubmVjdA==
+5: !!binary |
+  Z2V0cGVlcm5hbWU=
+6: !!binary |
+  Z2V0c29ja25hbWU=
+7: !!binary |
+  Z2V0c29ja29wdA==
+8: !!binary |
+  aHRvbmw=
+9: !!binary |
+  aHRvbnM=
+10: !!binary |
+  aW9jdGxzb2NrZXQ=
+11: !!binary |
+  aW5ldF9hZGRy
+12: !!binary |
+  aW5ldF9udG9h
+13: !!binary |
+  bGlzdGVu
+14: !!binary |
+  bnRvaGw=
+15: !!binary |
+  bnRvaHM=
+16: !!binary |
+  cmVjdg==
+17: !!binary |
+  cmVjdmZyb20=
+18: !!binary |
+  c2VsZWN0
+19: !!binary |
+  c2VuZA==
+20: !!binary |
+  c2VuZHRv
+21: !!binary |
+  c2V0c29ja29wdA==
+22: !!binary |
+  c2h1dGRvd24=
+23: !!binary |
+  c29ja2V0
+24: !!binary |
+  R2V0QWRkckluZm9X
+25: !!binary |
+  R2V0TmFtZUluZm9X
+26: !!binary |
+  V1NBcFNldFBvc3RSb3V0aW5l
+27: !!binary |
+  RnJlZUFkZHJJbmZvVw==
+28: !!binary |
+  V1BVQ29tcGxldGVPdmVybGFwcGVkUmVxdWVzdA==
+29: !!binary |
+  V1NBQWNjZXB0
+30: !!binary |
+  V1NBQWRkcmVzc1RvU3RyaW5nQQ==
+31: !!binary |
+  V1NBQWRkcmVzc1RvU3RyaW5nVw==
+32: !!binary |
+  V1NBQ2xvc2VFdmVudA==
+33: !!binary |
+  V1NBQ29ubmVjdA==
+34: !!binary |
+  V1NBQ3JlYXRlRXZlbnQ=
+35: !!binary |
+  V1NBRHVwbGljYXRlU29ja2V0QQ==
+36: !!binary |
+  V1NBRHVwbGljYXRlU29ja2V0Vw==
+37: !!binary |
+  V1NBRW51bU5hbWVTcGFjZVByb3ZpZGVyc0E=
+38: !!binary |
+  V1NBRW51bU5hbWVTcGFjZVByb3ZpZGVyc1c=
+39: !!binary |
+  V1NBRW51bU5ldHdvcmtFdmVudHM=
+40: !!binary |
+  V1NBRW51bVByb3RvY29sc0E=
+41: !!binary |
+  V1NBRW51bVByb3RvY29sc1c=
+42: !!binary |
+  V1NBRXZlbnRTZWxlY3Q=
+43: !!binary |
+  V1NBR2V0T3ZlcmxhcHBlZFJlc3VsdA==
+44: !!binary |
+  V1NBR2V0UU9TQnlOYW1l
+45: !!binary |
+  V1NBR2V0U2VydmljZUNsYXNzSW5mb0E=
+46: !!binary |
+  V1NBR2V0U2VydmljZUNsYXNzSW5mb1c=
+47: !!binary |
+  V1NBR2V0U2VydmljZUNsYXNzTmFtZUJ5Q2xhc3NJZEE=
+48: !!binary |
+  V1NBR2V0U2VydmljZUNsYXNzTmFtZUJ5Q2xhc3NJZFc=
+49: !!binary |
+  V1NBSHRvbmw=
+50: !!binary |
+  V1NBSHRvbnM=
+51: !!binary |
+  Z2V0aG9zdGJ5YWRkcg==
+52: !!binary |
+  Z2V0aG9zdGJ5bmFtZQ==
+53: !!binary |
+  Z2V0cHJvdG9ieW5hbWU=
+54: !!binary |
+  Z2V0cHJvdG9ieW51bWJlcg==
+55: !!binary |
+  Z2V0c2VydmJ5bmFtZQ==
+56: !!binary |
+  Z2V0c2VydmJ5cG9ydA==
+57: !!binary |
+  Z2V0aG9zdG5hbWU=
+58: !!binary |
+  V1NBSW5zdGFsbFNlcnZpY2VDbGFzc0E=
+59: !!binary |
+  V1NBSW5zdGFsbFNlcnZpY2VDbGFzc1c=
+60: !!binary |
+  V1NBSW9jdGw=
+61: !!binary |
+  V1NBSm9pbkxlYWY=
+62: !!binary |
+  V1NBTG9va3VwU2VydmljZUJlZ2luQQ==
+63: !!binary |
+  V1NBTG9va3VwU2VydmljZUJlZ2luVw==
+64: !!binary |
+  V1NBTG9va3VwU2VydmljZUVuZA==
+65: !!binary |
+  V1NBTG9va3VwU2VydmljZU5leHRB
+66: !!binary |
+  V1NBTG9va3VwU2VydmljZU5leHRX
+67: !!binary |
+  V1NBTlNQSW9jdGw=
+68: !!binary |
+  V1NBTnRvaGw=
+69: !!binary |
+  V1NBTnRvaHM=
+70: !!binary |
+  V1NBUHJvdmlkZXJDb25maWdDaGFuZ2U=
+71: !!binary |
+  V1NBUmVjdg==
+72: !!binary |
+  V1NBUmVjdkRpc2Nvbm5lY3Q=
+73: !!binary |
+  V1NBUmVjdkZyb20=
+74: !!binary |
+  V1NBUmVtb3ZlU2VydmljZUNsYXNz
+75: !!binary |
+  V1NBUmVzZXRFdmVudA==
+76: !!binary |
+  V1NBU2VuZA==
+77: !!binary |
+  V1NBU2VuZERpc2Nvbm5lY3Q=
+78: !!binary |
+  V1NBU2VuZFRv
+79: !!binary |
+  V1NBU2V0RXZlbnQ=
+80: !!binary |
+  V1NBU2V0U2VydmljZUE=
+81: !!binary |
+  V1NBU2V0U2VydmljZVc=
+82: !!binary |
+  V1NBU29ja2V0QQ==
+83: !!binary |
+  V1NBU29ja2V0Vw==
+84: !!binary |
+  V1NBU3RyaW5nVG9BZGRyZXNzQQ==
+85: !!binary |
+  V1NBU3RyaW5nVG9BZGRyZXNzVw==
+86: !!binary |
+  V1NBV2FpdEZvck11bHRpcGxlRXZlbnRz
+87: !!binary |
+  V1NDRGVpbnN0YWxsUHJvdmlkZXI=
+88: !!binary |
+  V1NDRW5hYmxlTlNQcm92aWRlcg==
+89: !!binary |
+  V1NDRW51bVByb3RvY29scw==
+90: !!binary |
+  V1NDR2V0UHJvdmlkZXJQYXRo
+91: !!binary |
+  V1NDSW5zdGFsbE5hbWVTcGFjZQ==
+92: !!binary |
+  V1NDSW5zdGFsbFByb3ZpZGVy
+93: !!binary |
+  V1NDVW5JbnN0YWxsTmFtZVNwYWNl
+94: !!binary |
+  V1NDVXBkYXRlUHJvdmlkZXI=
+95: !!binary |
+  V1NDV3JpdGVOYW1lU3BhY2VPcmRlcg==
+96: !!binary |
+  V1NDV3JpdGVQcm92aWRlck9yZGVy
+97: !!binary |
+  ZnJlZWFkZHJpbmZv
+98: !!binary |
+  Z2V0YWRkcmluZm8=
+99: !!binary |
+  Z2V0bmFtZWluZm8=
+101: !!binary |
+  V1NBQXN5bmNTZWxlY3Q=
+102: !!binary |
+  V1NBQXN5bmNHZXRIb3N0QnlBZGRy
+103: !!binary |
+  V1NBQXN5bmNHZXRIb3N0QnlOYW1l
+104: !!binary |
+  V1NBQXN5bmNHZXRQcm90b0J5TnVtYmVy
+105: !!binary |
+  V1NBQXN5bmNHZXRQcm90b0J5TmFtZQ==
+106: !!binary |
+  V1NBQXN5bmNHZXRTZXJ2QnlQb3J0
+107: !!binary |
+  V1NBQXN5bmNHZXRTZXJ2QnlOYW1l
+108: !!binary |
+  V1NBQ2FuY2VsQXN5bmNSZXF1ZXN0
+109: !!binary |
+  V1NBU2V0QmxvY2tpbmdIb29r
+110: !!binary |
+  V1NBVW5ob29rQmxvY2tpbmdIb29r
+111: !!binary |
+  V1NBR2V0TGFzdEVycm9y
+112: !!binary |
+  V1NBU2V0TGFzdEVycm9y
+113: !!binary |
+  V1NBQ2FuY2VsQmxvY2tpbmdDYWxs
+114: !!binary |
+  V1NBSXNCbG9ja2luZw==
+115: !!binary |
+  V1NBU3RhcnR1cA==
+116: !!binary |
+  V1NBQ2xlYW51cA==
+151: !!binary |
+  X19XU0FGRElzU2V0
+500: !!binary |
+  V0VQ

data/lib/pedump/cli.rb

@@ -35,7 +35,7 @@ class PEdump::CLI
 
   KNOWN_ACTIONS = (
     %w'mz dos_stub rich pe ne te data_directory sections tls security' +
-    %w'strings resources resource_directory imports exports version_info packer web console packer_only' +
+    %w'strings resources resource_directory imports exports version_info imphash packer web console packer_only' +
     %w'extract' # 'disasm'
   ).map(&:to_sym)
 
@@ -118,6 +118,13 @@ class PEdump::CLI
         @actions << [:va2file, va]
       end
 
+      opts.on "--set-os-version VER", "Patch OS version in PE header" do |ver|
+        @actions << [:set_os_version, ver]
+      end
+      opts.on "--set-dll-char X", "Patch IMAGE_OPTIONAL_HEADER32.DllCharacteristics" do |x|
+        @actions << [:set_dll_char, x]
+      end
+
       opts.separator ''
 
       opts.on "-W", "--web", "Uploads files to a #{URL_BASE}","for a nice HTML tables with image previews,","candies & stuff" do
@@ -327,6 +334,7 @@ class PEdump::CLI
     s = action.to_s.upcase.tr('_',' ')
     s += " Header" if [:mz, :pe, :rich].include?(action)
     s = "Packer / Compiler" if action == :packer
+    s = "imphash" if action == :imphash
     "\n=== %s ===\n\n" % s
   end
 
@@ -337,6 +345,10 @@ class PEdump::CLI
         return
       when :extract
         return extract action[1]
+      when :set_os_version
+        return set_os_version action[1]
+      when :set_dll_char
+        return set_dll_char action[1]
       when :va2file
         @pedump.sections(f)
         va = action[1] =~ /(^0x)|(h$)/i ? action[1].to_i(16) : action[1].to_i
@@ -350,9 +362,9 @@ class PEdump::CLI
     data = @pedump.send(action, f)
     return if !data || (data.respond_to?(:empty?) && data.empty?)
 
-    puts action_title(action) unless @options[:format] == :binary
+    puts action_title(action) unless @options[:format] == :binary || @actions == [:imphash]
 
-    return dump(data) if [:inspect, :table, :json, :yaml].include?(@options[:format])
+    return dump(data, action:) if [:inspect, :table, :json, :yaml].include?(@options[:format])
 
     dump_opts = {:name => action}
     case action
@@ -398,7 +410,7 @@ class PEdump::CLI
       require 'pp'
       pp data
     when :table
-      dump_table data
+      dump_table data, opts
     when :yaml
       require 'yaml'
       puts data.to_yaml
@@ -474,7 +486,7 @@ class PEdump::CLI
     end
   end
 
-  def dump_table data
+  def dump_table data, opts = {}
     if data.is_a?(Struct)
       return dump_res_dir(data) if data.is_a?(PEdump::IMAGE_RESOURCE_DIRECTORY)
       return dump_exports(data) if data.is_a?(PEdump::IMAGE_EXPORT_DIRECTORY)
@@ -511,7 +523,12 @@ class PEdump::CLI
     elsif data.is_a?(PEdump::RichHdr)
       dump_rich_hdr data
     else
-      puts "[?] Don't know how to display #{data.inspect[0,50]}... as a table"
+      case opts[:action]
+      when :imphash
+        puts "#{data} #{@file_name}"
+      else
+        puts "[?] Don't know how to display #{data.inspect[0,50]}... as a table"
+      end
     end
   end
 
@@ -864,7 +881,7 @@ class PEdump::CLI
       exit(1)
     end
     if entry.size != 0
-      IO::copy_stream @pedump.io, $stdout, entry.size, @pedump.va2file(entry.va)
+      _copy_stream @pedump.io, $stdout, entry.size, @pedump.va2file(entry.va)
     end
   end
 
@@ -887,7 +904,7 @@ class PEdump::CLI
       @pedump.logger.fatal "[!] resource #{id.inspect} not found"
       exit(1)
     end
-    IO::copy_stream @pedump.io, $stdout, res.size, res.file_offset
+    _copy_stream @pedump.io, $stdout, res.size, res.file_offset
   end
 
   def extract_section id
@@ -911,7 +928,73 @@ class PEdump::CLI
       @pedump.logger.fatal "[!] section #{id.inspect} not found"
       exit(1)
     end
-    IO::copy_stream @pedump.io, $stdout, section.SizeOfRawData, section.PointerToRawData
+    _copy_stream @pedump.io, $stdout, section.SizeOfRawData, section.PointerToRawData
   end
 
+  def set_dll_char x
+    @pedump.pe.image_optional_header.DllCharacteristics = x.to_i(0)
+    io = @pedump.io.reopen(@file_name,'rb+')
+    io.seek @pedump.pe.ioh_offset
+    io.write @pedump.pe.image_optional_header.pack
+    io.close
+  end
+
+  def set_os_version ver
+    raise "[!] invalid version #{ver.inspect}" unless ver =~ /\A(\d+)\.(\d+)\Z/
+    raise "[!] no IMAGE_OPTIONAL_HEADER" if @pedump.pe.ifh.SizeOfOptionalHeader.to_i == 0
+    major = $1.to_i
+    minor = $2.to_i
+    ver = "#{major}.#{minor}"
+    ioh = @pedump.pe.image_optional_header
+
+    prev_os_ver = "#{ioh.MajorOperatingSystemVersion}.#{ioh.MinorOperatingSystemVersion}"
+    prev_ss_ver = "#{ioh.MajorSubsystemVersion}.#{ioh.MinorSubsystemVersion}"
+
+    if prev_os_ver == ver && prev_ss_ver == ver
+      @pedump.logger.warn "[?] already has #{ver}"
+      return
+    end
+
+    if prev_os_ver != ver
+      ioh.MajorOperatingSystemVersion = major
+      ioh.MinorOperatingSystemVersion = minor
+      @pedump.logger.warn "[.] MajorOperatingSystemVersion: #{prev_os_ver} -> #{ver}"
+    end
+
+    if prev_ss_ver != ver
+      ioh.MajorSubsystemVersion = major
+      ioh.MinorSubsystemVersion = minor
+      @pedump.logger.warn "[.] MajorSubsystemVersion:       #{prev_ss_ver} -> #{ver}"
+    end
+
+    io = @pedump.io.reopen(@file_name,'rb+')
+    io.seek @pedump.pe.ioh_offset
+    io.write ioh.pack
+    io.close
+  end
+
+  private
+
+  # https://github.com/zed-0xff/pedump/issues/44
+  # https://redmine.ruby-lang.org/issues/12280
+  def _copy_stream(src, dst, src_length = nil, src_offset = 0)
+    IO::copy_stream(src, dst, src_length, src_offset)
+  rescue NotImplementedError # `copy_stream': pread() not implemented (NotImplementedError)
+    src_length ||= src.size - src_offset
+    bufsize = 16384
+    buf = ("\x00".force_encoding('binary')) * bufsize
+    src.binmode
+    dst.binmode
+    saved_pos = src.tell
+    src.seek(src_offset)
+    bytes_copied = 0
+    while src_length > 0 && buf.size != 0
+      src.read([bufsize, src_length].min, buf)
+      dst.write(buf)
+      src_length -= buf.size
+      bytes_copied += buf.size
+    end
+    src.seek(saved_pos)
+    bytes_copied
+  end
 end # class PEdump::CLI

data/lib/pedump/ordlookup.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+require 'yaml'
+
+class PEdump
+  def self.ordlookup(dll, ord, make_name: false)
+    dll = dll.downcase
+    @ordlookup ||= {}
+    @ordlookup[dll] ||= 
+      begin
+        yml_fname = File.expand_path(File.dirname(__FILE__) + "/../../data/ordlookup/" + dll + ".yml")
+        if File.exist?(yml_fname)
+          YAML.load_file(yml_fname)
+        else
+          {}
+        end
+      end
+    @ordlookup[dll][ord] || (make_name ? "ord#{ord}" : nil)
+  end
+end

data/lib/pedump/pe.rb

@@ -7,6 +7,8 @@ class PEdump
     :image_optional_header, # includes data directory
     :section_table
   )
+    attr_accessor :ioh_offset
+
     alias :ifh       :image_file_header
     alias :ifh=      :image_file_header=
     alias :ioh       :image_optional_header
@@ -68,7 +70,7 @@ class PEdump
       end
       pe = PE.new(pe_sig)
       pe.image_file_header = IMAGE_FILE_HEADER.read(f)
-      ioh_offset = f.tell # offset to IMAGE_OPTIONAL_HEADER
+      pe.ioh_offset = f.tell # offset to IMAGE_OPTIONAL_HEADER
       if pe.ifh.SizeOfOptionalHeader.to_i > 0
         if pe.x64?
           pe.image_optional_header = IMAGE_OPTIONAL_HEADER64.read(f, pe.ifh.SizeOfOptionalHeader)
@@ -81,7 +83,7 @@ class PEdump
 
       # The Windows loader expects to find the PE section headers after the optional header. It calculates the address of the first section header by adding SizeOfOptionalHeader to the beginning of the optional header.
       # // http://www.phreedom.org/research/tinype/
-      f.seek( ioh_offset + pe.ifh.SizeOfOptionalHeader.to_i )
+      f.seek( pe.ioh_offset + pe.ifh.SizeOfOptionalHeader.to_i )
       pe.sections = read_sections(f, nToRead, args)
 
       pe_end = f.tell