pedump 0.7.1 → 0.7.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2f62755e13d849d3d46673271976e7ae6305f2d4fcd1e413397bbe811c272d58
-  data.tar.gz: 782654a01c07eeecc88f61515a76292b4d9eac9701f75a94fd8165d084bce736
+  metadata.gz: 0a9b3066ff9e670b8562e068856e45b94e82cbcaf27f95626da87abc09b94f8f
+  data.tar.gz: 6f05ee901ce249c363ccafd0f54a04e693c8fcefd4c6ecca2663169a6db2cefd
 SHA512:
-  metadata.gz: 3aafd3254ce0cfda67887212a7de2fc97a04fb705c756fe564a4bc5501bfa0f025c461a35bcc6075f8803953893e79b0c13059734ba39737758e878dedba3224
-  data.tar.gz: 8f3db8a1fb8903657cfc30f3adbe20fce26ba99d414862ff8c46cec01221f4807b1c7a7b5e13a582c2826b1ab63ca12ed84d164a925a92cbb1c27f97a96e8086
+  metadata.gz: c8a3eae0788ed2e1723324d1c4409f88f922ab23db56e899b1624847879506677cd98a437ce0f5980012fd6c1d6f70cae43bec9f9f8f75ad9ca09e7aad2e9cb5
+  data.tar.gz: 410622db1bc1052d2bbb114ea6e2d92989004a06e72ebbf9efaade47e4bc95d15ca028122901eba2ed087d40c97df765bc0e68bd38c4a0527d10925dc1c3954f

data/Gemfile

@@ -3,7 +3,7 @@ source "https://rubygems.org"
 
 gem 'rainbow'
 gem "awesome_print"
-gem "iostruct",       ">= 0.5.0"
+gem "iostruct",       ">= 0.7.0"
 gem "multipart-post", ">= 2.0.0"
 gem "zhexdump",       ">= 0.0.2"
 

data/Gemfile.lock

@@ -1,33 +1,33 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (8.0.1)
+    activesupport (8.1.2)
       base64
-      benchmark (>= 0.3)
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      json
       logger (>= 1.4.2)
       minitest (>= 5.1)
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
       uri (>= 0.13.1)
-    addressable (2.8.7)
-      public_suffix (>= 2.0.2, < 7.0)
+    addressable (2.8.8)
+      public_suffix (>= 2.0.2, < 8.0)
     awesome_print (1.9.2)
-    base64 (0.2.0)
-    benchmark (0.4.0)
-    bigdecimal (3.1.9)
+    base64 (0.3.0)
+    bigdecimal (4.0.1)
     builder (3.3.0)
-    concurrent-ruby (1.3.5)
-    connection_pool (2.5.0)
-    date (3.4.1)
+    concurrent-ruby (1.3.6)
+    connection_pool (3.0.2)
+    date (3.5.1)
     descendants_tracker (0.0.4)
       thread_safe (~> 0.3, >= 0.3.1)
-    diff-lcs (1.6.0)
-    drb (2.2.1)
+    diff-lcs (1.6.2)
+    drb (2.2.3)
+    erb (6.0.1)
     faraday (1.10.4)
       faraday-em_http (~> 1.0)
       faraday-em_synchrony (~> 1.0)
@@ -41,21 +41,21 @@ GEM
       faraday-retry (~> 1.0)
       ruby2_keywords (>= 0.0.4)
     faraday-em_http (1.0.0)
-    faraday-em_synchrony (1.0.0)
+    faraday-em_synchrony (1.0.1)
     faraday-excon (1.1.0)
     faraday-httpclient (1.0.1)
-    faraday-multipart (1.1.0)
+    faraday-multipart (1.2.0)
       multipart-post (~> 2.0)
     faraday-net_http (1.0.2)
     faraday-net_http_persistent (1.2.0)
     faraday-patron (1.0.0)
     faraday-rack (1.0.0)
     faraday-retry (1.0.3)
-    git (2.3.3)
+    git (4.3.0)
       activesupport (>= 5.0)
       addressable (~> 2.8)
-      process_executer (~> 1.1)
-      rchardet (~> 1.8)
+      process_executer (~> 4.0)
+      rchardet (~> 1.9)
     github_api (0.19.0)
       addressable (~> 2.4)
       descendants_tracker (~> 0.0.4)
@@ -65,10 +65,11 @@ GEM
     hashie (3.6.0)
     highline (3.1.2)
       reline
-    i18n (1.14.7)
+    i18n (1.14.8)
       concurrent-ruby (~> 1.0)
-    io-console (0.8.0)
-    iostruct (0.5.0)
+    io-console (0.8.2)
+    iostruct (0.7.0)
+    json (2.18.0)
     juwelier (2.4.9)
       builder
       bundler
@@ -81,29 +82,30 @@ GEM
       rake
       rdoc
       semver2
-    jwt (2.10.1)
+    jwt (2.10.2)
       base64
     kamelcase (0.0.2)
       semver2 (~> 3)
-    logger (1.6.6)
-    mini_portile2 (2.8.8)
-    minitest (5.25.4)
-    multi_json (1.15.0)
-    multi_xml (0.7.1)
-      bigdecimal (~> 3.1)
+    logger (1.7.0)
+    mini_portile2 (2.8.9)
+    minitest (6.0.1)
+      prism (~> 1.5)
+    multi_json (1.19.1)
+    multi_xml (0.8.1)
+      bigdecimal (>= 3.1, < 5)
     multipart-post (2.4.1)
-    nokogiri (1.18.4)
+    nokogiri (1.19.0)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    nokogiri (1.18.4-aarch64-linux-gnu)
+    nokogiri (1.19.0-aarch64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.18.4-arm-linux-gnu)
+    nokogiri (1.19.0-arm-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.18.4-arm64-darwin)
+    nokogiri (1.19.0-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.4-x86_64-darwin)
+    nokogiri (1.19.0-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.4-x86_64-linux-gnu)
+    nokogiri (1.19.0-x86_64-linux-gnu)
       racc (~> 1.4)
     oauth2 (1.4.11)
       faraday (>= 0.17.3, < 3.0)
@@ -111,45 +113,51 @@ GEM
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 4)
-    process_executer (1.3.0)
-    psych (5.2.3)
+    prism (1.9.0)
+    process_executer (4.0.2)
+      track_open_instances (~> 0.1)
+    psych (5.3.1)
       date
       stringio
-    public_suffix (6.0.1)
+    public_suffix (7.0.2)
     racc (1.8.1)
-    rack (3.1.12)
+    rack (3.2.4)
     rainbow (3.1.1)
-    rake (13.2.1)
-    rchardet (1.9.0)
-    rdoc (6.12.0)
+    rake (13.3.1)
+    rchardet (1.10.0)
+    rdoc (7.1.0)
+      erb
       psych (>= 4.0.0)
-    reline (0.6.0)
+      tsort
+    reline (0.6.3)
       io-console (~> 0.5)
-    rspec (3.13.0)
+    rspec (3.13.2)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.3)
+    rspec-core (3.13.6)
       rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.3)
+    rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-its (2.0.0)
       rspec-core (>= 3.13.0)
       rspec-expectations (>= 3.13.0)
-    rspec-mocks (3.13.2)
+    rspec-mocks (3.13.7)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-support (3.13.2)
+    rspec-support (3.13.6)
     ruby2_keywords (0.0.5)
     securerandom (0.4.1)
     semver2 (3.4.2)
-    stringio (3.1.5)
+    stringio (3.2.0)
     thread_safe (0.3.6)
+    track_open_instances (0.1.15)
+    tsort (0.2.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    uri (1.0.3)
-    zhexdump (0.2.0)
+    uri (1.1.1)
+    zhexdump (0.3.0)
 
 PLATFORMS
   aarch64-linux
@@ -162,7 +170,7 @@ PLATFORMS
 DEPENDENCIES
   awesome_print
   bundler
-  iostruct (>= 0.5.0)
+  iostruct (>= 0.7.0)
   juwelier
   multipart-post (>= 2.0.0)
   rainbow

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2011 Andrey "Zed" Zaikin
+Copyright (c) 2011-2025 Andrey "Zed" Zaikin
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -4,6 +4,8 @@ pedump    [![Build Status](https://travis-ci.org/zed-0xff/pedump.png?branch=mast
 News
 ----
 ```
+2026.01.28 - 0.7.4; update iostruct
+2025.11.11 - 0.7.3; CLI: fix --file2va command :]
 2025.11.11 - 0.7.1; CLI: add --file2va command
 2025.03.16 - added .NET CLR parsing
 2024.04.20 - cli: add --set-dll-char to patch dll characteristics
@@ -111,6 +113,8 @@ Usage
     
             --va2file VA                 Convert VA to file offset
             --file2va OFFSET             Convert file offset to VA
+            --rva2file RVA               Convert RVA to file offset
+            --file2rva OFFSET            Convert file offset to RVA
     
             --set-os-version VER         Patch OS version in PE header
             --set-dll-char X             Patch IMAGE_OPTIONAL_HEADER32.DllCharacteristics
@@ -221,6 +225,28 @@ Usage
                        LoaderFlags:                        0
                NumberOfRvaAndSizes:         16            10
 
+### Convert (R)VA to file offset and back
+
+    # pedump --rva2file 0x4c000 calc.exe
+
+    rva2file(0x4c000) = 0x4ae00  (306688)
+
+    # pedump --file2rva 0x4ae00 calc.exe
+
+    file2rva(0x4ae00) = 0x4c000  (311296)
+
+    # pedump --va2file 0x104c000 calc.exe
+
+    va2file(0x104c000) = 0x4ae00  (306688)
+
+    # pedump --file2va 0x4ae00 calc.exe
+
+    file2va(0x4ae00) = 0x104c000  (17088512)
+
+    # pedump --file2va 0x4ae00 calc.exe --format hex
+
+    104c000
+
 ### Data Directory
 
     # pedump --data-directory calc.exe

data/Rakefile

@@ -37,11 +37,15 @@ RSpec::Core::RakeTask.new
 
 task :default => [:spec, :readme]
 
+task :init do
+  $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), 'lib'))
+  require 'pedump'
+  require 'pedump/cli'
+end
+
 namespace :test do
   desc "test on all files in given path"
-  task :all_files do
-    require './lib/pedump'
-    require './lib/pedump/cli'
+  task :all_files => :init do
     path = ENV['path'] || raise("run me with path=...")
     `find #{path} -type f`.split("\n").each do |fname|
       puts "\n### #{fname}\n"
@@ -51,9 +55,7 @@ namespace :test do
 
   namespace :all_files do
     desc "output file name to stderr, use with stdout redirection"
-    task :stderr do
-      require './lib/pedump'
-      require './lib/pedump/cli'
+    task :stderr => :init do
       path = ENV['path'] || raise("run me with path=...")
       `find #{path} -type f`.split("\n").each do |fname|
         STDERR.puts "\n### #{fname}\n"
@@ -63,9 +65,7 @@ namespace :test do
   end
 
   desc "test on corkami binaries"
-  task :corkami do
-      require './lib/pedump'
-      require './lib/pedump/cli'
+  task :corkami => :init do
       path = "samples/corkami"
       `find #{path} -type f`.split("\n").each do |fname|
         STDERR.puts "\n### #{fname}\n"
@@ -183,7 +183,7 @@ task :readme do
     r << "\n"
   end
   Dir.chdir 'samples'
-  result = ERB.new(tpl,nil,'%>').result
+  result = ERB.new(tpl, trim_mode: '%>').result
   Dir.chdir '..'
   File.open('README.md','w'){ |f| f << result }
 end

data/VERSION

@@ -1 +1 @@
-0.7.1
+0.7.4

data/lib/pedump/cli.rb

@@ -145,6 +145,12 @@ class PEdump::CLI
       opts.on "--file2va OFFSET", "Convert file offset to VA" do |offset|
         @actions << [:file2va, offset]
       end
+      opts.on "--rva2file RVA", "Convert RVA to file offset" do |va|
+        @actions << [:rva2file, va]
+      end
+      opts.on "--file2rva OFFSET", "Convert file offset to RVA" do |offset|
+        @actions << [:file2rva, offset]
+      end
 
       opts.separator ''
       opts.on "--set-os-version VER", "Patch OS version in PE header" do |ver|
@@ -385,13 +391,17 @@ class PEdump::CLI
       case action[0]
       when :disasm
         return
-      when :va2file, :file2va
+      when :rva2file, :file2rva, :va2file, :file2va
         cmd = action[0]
         @pedump.sections(f)
-        va = action[1] =~ /(^0x)|(h$)/i ? action[1].to_i(16) : action[1].to_i
-        file_offset = @pedump.send(cmd, va)
-        if file_offset
-          printf("%s(0x%x) = 0x%x  (%d)\n", cmd, va, file_offset, file_offset)
+        arg = action[1] =~ /(^0x)|(h$)/i ? action[1].to_i(16) : action[1].to_i
+        result = @pedump.send(cmd, arg)
+        if result
+          if @options[:format] == :hex
+            puts result.to_s(16)
+          else
+            printf("%s(0x%x) = 0x%x  (%d)\n", cmd, arg, result, result)
+          end
         else
           @success = false
         end
@@ -652,7 +662,7 @@ class PEdump::CLI
 
   def dump_clr_streams data
     clr_header = @pedump.clr_header
-    clr_data_file_ofs = clr_header.MetaData.va.to_i > 0 && @pedump.va2file(clr_header.MetaData.va)
+    clr_data_file_ofs = clr_header.MetaData.va.to_i > 0 && @pedump.rva2file(clr_header.MetaData.va)
 
     fmt = "%8x %8x  %-32s\n"
     printf fmt.tr('x','s'), *%w'offset size name'
@@ -675,7 +685,7 @@ class PEdump::CLI
     blob_stream = @pedump.clr_streams.find{ |s| s.name == "#Blob" }
 
     clr_header = @pedump.clr_header
-    clr_data_file_ofs = clr_header.MetaData.va.to_i > 0 && @pedump.va2file(clr_header.MetaData.va)
+    clr_data_file_ofs = clr_header.MetaData.va.to_i > 0 && @pedump.rva2file(clr_header.MetaData.va)
     blob_file_ofs = blob_stream.offset + clr_data_file_ofs if blob_stream
     blob_size = blob_stream&.size
 
@@ -892,7 +902,7 @@ class PEdump::CLI
     if @options[:verbose] > 0
       [%w'Names', %w'EntryPoints Functions', %w'Ordinals NameOrdinals'].each do |x|
         va  = data["AddressOf"+x.last]
-        ofs = @pedump.va2file(va) || '?'
+        ofs = @pedump.rva2file(va) || '?'
         printf("# %-12s rva=0x%08x  file_offset=%8s\n", x.first, va, ofs) if va
       end
     end
@@ -1132,7 +1142,7 @@ class PEdump::CLI
       exit(1)
     end
     if entry.size != 0
-      _copy_stream @pedump.io, $stdout, entry.size, @pedump.va2file(entry.va)
+      _copy_stream @pedump.io, $stdout, entry.size, @pedump.rva2file(entry.va)
     end
   end
 

data/lib/pedump/clr/readytorun.rb

@@ -102,7 +102,7 @@ class PEdump
     dir = hdr.ManagedNativeHeader
     return nil if !dir || (dir.va.to_i == 0 && dir.size.to_i == 0)
 
-    file_offset = va2file(dir.va)
+    file_offset = rva2file(dir.va)
     return nil unless file_offset
 
     f.seek(file_offset)

data/lib/pedump/clr.rb

@@ -584,7 +584,7 @@ class PEdump
     dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::CLR_Header]
     return nil if !dir || (dir.va == 0 && dir.size == 0)
 
-    file_offset = va2file(dir.va)
+    file_offset = rva2file(dir.va)
     return nil unless file_offset
 
     if f.checked_seek(file_offset)
@@ -601,7 +601,7 @@ class PEdump
     dir = hdr&.MetaData
     return nil if !dir || (dir.va.to_i == 0 || dir.size.to_i == 0)
 
-    file_offset = va2file(dir.va)
+    file_offset = rva2file(dir.va)
     return nil unless file_offset
 
     if f.checked_seek(file_offset)
@@ -635,7 +635,7 @@ class PEdump
     streams.each do |stream|
       next unless stream.name == '#Strings'
 
-      unless f.checked_seek(va2file(dir.va) + stream.offset)
+      unless f.checked_seek(rva2file(dir.va) + stream.offset)
         logger.warn "[?] Error seeking to CLR strings stream"
         return nil
       end
@@ -678,7 +678,7 @@ class PEdump
     streams.each do |stream|
       next if stream.name != '#~' && stream.name != '#-' # Metadata Table Stream
 
-      unless f.checked_seek(va2file(dir.va) + stream.offset)
+      unless f.checked_seek(rva2file(dir.va) + stream.offset)
         logger.warn "[?] Error seeking to CLR table stream"
         return nil
       end

data/lib/pedump/loader/minidump.rb

@@ -21,13 +21,13 @@ class PEdump
 
   MINIDUMP_LOCATION_DESCRIPTOR = IOStruct.new 'LL', :DataSize, :Rva
 
-  class MINIDUMP_DIRECTORY < IOStruct.new 'L', :StreamType, :Location
-    def self.read io
-      r = super
-      r.Location = MINIDUMP_LOCATION_DESCRIPTOR.read(io)
-      r
-    end
-  end
+  # Using nested struct - Location is automatically parsed
+  MINIDUMP_DIRECTORY = IOStruct.new(
+    fields: {
+      StreamType: 'uint32_t',
+      Location:   MINIDUMP_LOCATION_DESCRIPTOR,
+    }
+  )
 
   MINIDUMP_MEMORY_INFO = IOStruct.new 'QQLLQLLLL',
     :BaseAddress,

data/lib/pedump/packer.rb

@@ -73,7 +73,7 @@ class PEdump
         elsif va == 0 && pe.dll?
           pedump.logger.debug "[.] it's a DLL with no EntryPoint"
           nil
-        elsif !(ofs = pedump.va2file(va))
+        elsif !(ofs = pedump.rva2file(va))
           pedump.logger.error "[?] can't find EntryPoint RVA (0x#{va.to_s(16)}) file offset"
           nil
         else

data/lib/pedump/resources.rb

@@ -403,7 +403,7 @@ class PEdump
             end
           end
         when IMAGE_RESOURCE_DATA_ENTRY
-          file_offset = va2file(entry.data.OffsetToData, :quiet => (@pe_res_errors > MAX_ERRORS))
+          file_offset = rva2file(entry.data.OffsetToData, :quiet => (@pe_res_errors > MAX_ERRORS))
           unless file_offset
             @pe_res_errors += 1
             if @pe_res_errors > MAX_ERRORS

data/lib/pedump/te.rb

@@ -4,33 +4,33 @@ class PEdump
   # https://formats.kaitai.io/uefi_te/index.html
   # http://ho.ax/tag/efi/
   # https://github.com/gdbinit/TELoader
-  
-  EFI_IMAGE_DATA_DIRECTORY = IOStruct.new( "VV", :va, :size )
+
+  EFI_IMAGE_DATA_DIRECTORY = IOStruct.new("VV", :va, :size)
   EFI_IMAGE_DATA_DIRECTORY::TYPES = %w'BASERELOC DEBUG'
-  EFI_IMAGE_DATA_DIRECTORY::TYPES.each_with_index do |type,idx|
-    EFI_IMAGE_DATA_DIRECTORY.const_set(type,idx)
+  EFI_IMAGE_DATA_DIRECTORY::TYPES.each_with_index do |type, idx|
+    EFI_IMAGE_DATA_DIRECTORY.const_set(type, idx)
   end
 
-  class EFI_TE_IMAGE_HEADER < IOStruct.new 'vvCCvVVQ',
-    :Signature,
-    :Machine,
-    :NumberOfSections,
-    :Subsystem,
-    :StrippedSize,
-    :AddressOfEntryPoint,
-    :BaseOfCode,
-    :ImageBase,
-    :DataDirectory # readed manually: EFI_IMAGE_DATA_DIRECTORY DataDirectory[2]
-
-    REAL_SIZE = SIZE + EFI_IMAGE_DATA_DIRECTORY::SIZE * 2
+  # Using hash format with nested struct array for DataDirectory
+  class EFI_TE_IMAGE_HEADER < IOStruct.new(
+    fields: {
+      Signature:          'uint16_t',
+      Machine:            'uint16_t',
+      NumberOfSections:   'uint8_t',
+      Subsystem:          'uint8_t',
+      StrippedSize:       'uint16_t',
+      AddressOfEntryPoint: 'uint32_t',
+      BaseOfCode:         'uint32_t',
+      ImageBase:          'uint64_t',
+      DataDirectory:      { type: EFI_IMAGE_DATA_DIRECTORY, count: 2 },
+    }
+  )
+    REAL_SIZE = SIZE
 
     attr_accessor :sections
 
     def self.read io, args = {}
       super(io).tap do |te|
-        te.DataDirectory = 2.times.map do
-          EFI_IMAGE_DATA_DIRECTORY.read(io)
-        end
         te.sections = PE.read_sections(io, te.NumberOfSections, args)
       end
     end

data/lib/pedump/tls.rb

@@ -1,17 +1,15 @@
 class PEdump
-  IMAGE_TLS_DIRECTORY32 = IOStruct.new 'V6',
-    :StartAddressOfRawData,
-    :EndAddressOfRawData,
-    :AddressOfIndex,
-    :AddressOfCallBacks,
-    :SizeOfZeroFill,
-    :Characteristics
+  TLS_DIRECTORY_FIELDS = %i[
+    StartAddressOfRawData
+    EndAddressOfRawData
+    AddressOfIndex
+    AddressOfCallBacks
+    SizeOfZeroFill
+    Characteristics
+  ].freeze
 
-  IMAGE_TLS_DIRECTORY64 = IOStruct.new 'Q4V2',
-    :StartAddressOfRawData,
-    :EndAddressOfRawData,
-    :AddressOfIndex,
-    :AddressOfCallBacks,
-    :SizeOfZeroFill,
-    :Characteristics
+  # 32-bit: all fields are 32-bit (V6)
+  # 64-bit: first 4 fields are 64-bit pointers (Q4), last 2 are 32-bit (V2)
+  IMAGE_TLS_DIRECTORY32 = IOStruct.new('V6', *TLS_DIRECTORY_FIELDS)
+  IMAGE_TLS_DIRECTORY64 = IOStruct.new('Q4V2', *TLS_DIRECTORY_FIELDS)
 end

data/lib/pedump/unpacker/aspack.rb

@@ -788,13 +788,13 @@ class PEdump::Unpacker::ASPack
     ###
 
     rebuild_tls :step => 1
-    sorted_obj_tbl = @obj_tbl.sort_by{ |x| @ldr.pedump.va2file(x.va) }
+    sorted_obj_tbl = @obj_tbl.sort_by{ |x| @ldr.pedump.rva2file(x.va) }
     sorted_obj_tbl.each_with_index do |obj,idx|
       # restore section flags, if any
       @ldr.va2section(obj.va).flags = obj.flags if obj.flags
 
       next if obj.size < 0 # empty section
-      #file_offset = @ldr.pedump.va2file(obj.va)
+      #file_offset = @ldr.pedump.rva2file(obj.va)
       #@io.seek file_offset
       packed_size =
         if idx == sorted_obj_tbl.size - 1
@@ -802,7 +802,7 @@ class PEdump::Unpacker::ASPack
           obj.size
         else
           # subtract this file_offset from next object file_offset
-          @ldr.pedump.va2file(sorted_obj_tbl[idx+1].va) - @ldr.pedump.va2file(obj.va)
+          @ldr.pedump.rva2file(sorted_obj_tbl[idx+1].va) - @ldr.pedump.rva2file(obj.va)
         end
       #packed_data = @io.read packed_size
       packed_data = @ldr[obj.va, packed_size]

data/lib/pedump.rb

@@ -397,7 +397,7 @@ class PEdump
   alias :rich_header :rich_hdr
   alias :rich        :rich_hdr
 
-  def va2file va, h={}
+  def rva2file va, h={}
     return nil if va.nil?
 
     va0 = va # save for log output of original addr
@@ -445,7 +445,11 @@ class PEdump
     nil
   end
 
-  def file2va offset, h = {}
+  def va2file va, h = {}
+    va && rva2file(va - @pe.ioh.ImageBase.to_i, h)
+  end
+
+  def file2rva offset, h = {}
     return nil if offset.nil?
 
     # a special case - PE without sections
@@ -453,7 +457,7 @@ class PEdump
 
     sections.each do |s|
       if (s.PointerToRawData...(s.PointerToRawData+s.SizeOfRawData)).include?(offset)
-        return s.VirtualAddress + s.PointerToRawData - offset
+        return s.VirtualAddress + offset - s.PointerToRawData
       end
     end
 
@@ -465,6 +469,11 @@ class PEdump
     nil
   end
 
+  def file2va offset, h = {}
+    va = file2rva(offset, h)
+    va && (va + @pe.ioh.ImageBase.to_i)
+  end
+
   # OPTIONAL: assigns @mz, @rich_hdr, @pe, etc
   def dump f=@io
     if f.is_a?(String)
@@ -601,7 +610,7 @@ class PEdump
     return nil unless pe(f) && pe(f).ioh && f
 
     imports = imports(f)
-    return nil if imports.empty?
+    return nil if imports.nil? || imports.empty?
 
     a = []
     imports.each do |iid|
@@ -628,7 +637,7 @@ class PEdump
     dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::IMPORT]
     return [] if !dir || (dir.va == 0 && dir.size == 0)
 
-    file_offset = va2file(dir.va)
+    file_offset = rva2file(dir.va)
     return nil unless file_offset
 
     # scan TLS first, to catch many fake imports trick from
@@ -636,7 +645,7 @@ class PEdump
     tls_aoi = nil
     if (tls = tls(f)) && tls.any?
       tls_aoi = tls.first.AddressOfIndex.to_i - @pe.ioh.ImageBase.to_i
-      tls_aoi = tls_aoi > 0 ? va2file(tls_aoi) : nil
+      tls_aoi = tls_aoi > 0 ? rva2file(tls_aoi) : nil
     end
 
     r = []; t = nil
@@ -672,7 +681,7 @@ class PEdump
         @imports = @imports[0,iidx]
         break
       end
-      if x.Name.to_i != 0 && (ofs = va2file(x.Name))
+      if x.Name.to_i != 0 && (ofs = rva2file(x.Name))
         begin
         f.seek ofs
         rescue
@@ -683,7 +692,7 @@ class PEdump
       end
       [:original_first_thunk, :first_thunk].each do |tbl|
         camel = tbl.capitalize.to_s.gsub(/_./){ |char| char[1..-1].upcase}
-        if x[camel].to_i != 0 && (ofs = va2file(x[camel])) && f.checked_seek(ofs)
+        if x[camel].to_i != 0 && (ofs = rva2file(x[camel])) && f.checked_seek(ofs)
           x[tbl] ||= []
           if pe.x64?
             x[tbl] << t while (t = f.read(8).to_s.unpack('Q').first).to_i != 0
@@ -701,7 +710,7 @@ class PEdump
           cache[t] ||=
             if t & mask > 0                                 # 0x8000_0000(_0000_0000)
               ImportedFunction.new(nil,nil,t & (mask-1),va) # 0x7fff_ffff(_ffff_ffff)
-            elsif ofs=va2file(t, :quiet => true)
+            elsif ofs=rva2file(t, :quiet => true)
               if !f.checked_seek(ofs) || f.eof?
                 logger.warn "[?] import ofs 0x#{ofs.to_s(16)} VA=0x#{t.to_s(16)} beyond EOF"
                 nil
@@ -788,7 +797,7 @@ class PEdump
     dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::EXPORT]
     return nil if !dir || (dir.va == 0 && dir.size == 0)
     va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::EXPORT].va
-    file_offset = va2file(va)
+    file_offset = rva2file(va)
     return nil unless file_offset
     if !f.checked_seek(file_offset) || f.eof?
       logger.warn "[?] exports info beyond EOF"
@@ -798,7 +807,7 @@ class PEdump
       x.entry_points = []
       x.name_ordinals = []
       x.names = []
-      if x.Name.to_i != 0 && (ofs = va2file(x.Name))
+      if x.Name.to_i != 0 && (ofs = rva2file(x.Name))
         f.seek ofs
         if f.eof?
           logger.warn "[?] export ofs 0x#{ofs.to_s(16)} beyond EOF"
@@ -808,7 +817,7 @@ class PEdump
         end
       end
       if x.NumberOfFunctions.to_i > 0
-        if x.AddressOfFunctions.to_i !=0 && (ofs = va2file(x.AddressOfFunctions))
+        if x.AddressOfFunctions.to_i !=0 && (ofs = rva2file(x.AddressOfFunctions))
           f.seek ofs
           x.entry_points = []
           x.NumberOfFunctions.times do
@@ -819,7 +828,7 @@ class PEdump
             x.entry_points << f.read(4).unpack('V').first
           end
         end
-        if x.AddressOfNameOrdinals.to_i !=0 && (ofs = va2file(x.AddressOfNameOrdinals))
+        if x.AddressOfNameOrdinals.to_i !=0 && (ofs = rva2file(x.AddressOfNameOrdinals))
           f.seek ofs
           x.name_ordinals = []
           x.NumberOfNames.times do
@@ -831,7 +840,7 @@ class PEdump
           end
         end
       end
-      if x.NumberOfNames.to_i > 0 && x.AddressOfNames.to_i !=0 && (ofs = va2file(x.AddressOfNames))
+      if x.NumberOfNames.to_i > 0 && x.AddressOfNames.to_i !=0 && (ofs = rva2file(x.AddressOfNames))
         f.seek ofs
         x.names = []
         x.NumberOfNames.times do
@@ -844,7 +853,7 @@ class PEdump
         nErrors = 0
         x.names.size.times do |i|
           begin
-            f.seek va2file(x.names[i])
+            f.seek rva2file(x.names[i])
             x.names[i] = f.gets("\x00").to_s.chomp("\x00")
           rescue
             nErrors += 1
@@ -890,7 +899,7 @@ class PEdump
       begin
         dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::TLS]
         return nil if !dir || dir.va == 0
-        return nil unless file_offset = va2file(dir.va)
+        return nil unless file_offset = rva2file(dir.va)
         f.seek file_offset
         if f.eof?
           logger.info "[?] TLS info beyond EOF"
@@ -947,7 +956,10 @@ class PEdump
   ##############################################################################
 
   def tail f=@io
-    tail_start = sections(f).map{ |s| s.PointerToRawData + s.SizeOfRawData }.max
+    secs = sections(f)
+    return nil if secs.nil? || secs.empty?
+
+    tail_start = secs.map{ |s| s.PointerToRawData + s.SizeOfRawData }.max
     if tail_start && tail_start < f.size
       f.seek tail_start
       f

data/pedump.gemspec

@@ -2,11 +2,11 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Juwelier::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: pedump 0.7.1 ruby lib
+# stub: pedump 0.7.4 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "pedump".freeze
-  s.version = "0.7.1".freeze
+  s.version = "0.7.4".freeze
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib".freeze]
@@ -83,7 +83,7 @@ Gem::Specification.new do |s|
 
   s.add_runtime_dependency(%q<rainbow>.freeze, [">= 0".freeze])
   s.add_runtime_dependency(%q<awesome_print>.freeze, [">= 0".freeze])
-  s.add_runtime_dependency(%q<iostruct>.freeze, [">= 0.5.0".freeze])
+  s.add_runtime_dependency(%q<iostruct>.freeze, [">= 0.7.0".freeze])
   s.add_runtime_dependency(%q<multipart-post>.freeze, [">= 2.0.0".freeze])
   s.add_runtime_dependency(%q<zhexdump>.freeze, [">= 0.0.2".freeze])
   s.add_development_dependency(%q<rspec>.freeze, [">= 0".freeze])

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.7.1
+  version: 0.7.4
 platform: ruby
 authors:
 - Andrey "Zed" Zaikin
@@ -43,14 +43,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.5.0
+        version: 0.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.5.0
+        version: 0.7.0
 - !ruby/object:Gem::Dependency
   name: multipart-post
   requirement: !ruby/object:Gem::Requirement