pedump 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/VERSION +1 -1
- data/lib/pedump.rb +25 -8
- data/lib/pedump/cli.rb +4 -1
- data/pedump.gemspec +1 -1
- metadata +10 -10
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.1.
|
|
1
|
+
0.1.1
|
data/lib/pedump.rb
CHANGED
|
@@ -322,9 +322,14 @@ class PEdump
|
|
|
322
322
|
end
|
|
323
323
|
|
|
324
324
|
def mz f=nil
|
|
325
|
-
@mz ||= MZ.read(f).tap do |mz|
|
|
325
|
+
@mz ||= f && MZ.read(f).tap do |mz|
|
|
326
326
|
if mz.signature != 'MZ' && mz.signature != 'ZM'
|
|
327
|
-
|
|
327
|
+
if @force
|
|
328
|
+
logger.warn "[?] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}"
|
|
329
|
+
else
|
|
330
|
+
logger.error "[!] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}. (not forced)"
|
|
331
|
+
return nil
|
|
332
|
+
end
|
|
328
333
|
end
|
|
329
334
|
end
|
|
330
335
|
end
|
|
@@ -332,7 +337,7 @@ class PEdump
|
|
|
332
337
|
def dos_stub f=nil
|
|
333
338
|
@dos_stub ||=
|
|
334
339
|
begin
|
|
335
|
-
mz = mz(f)
|
|
340
|
+
return nil unless mz = mz(f)
|
|
336
341
|
dos_stub_offset = mz.header_paragraphs.to_i * 0x10
|
|
337
342
|
dos_stub_size = mz.lfanew.to_i - dos_stub_offset
|
|
338
343
|
if dos_stub_offset <= 0
|
|
@@ -374,7 +379,7 @@ class PEdump
|
|
|
374
379
|
def pe f=nil
|
|
375
380
|
@pe ||=
|
|
376
381
|
begin
|
|
377
|
-
pe_offset = mz(f).
|
|
382
|
+
pe_offset = mz(f) && mz(f).lfanew
|
|
378
383
|
if pe_offset.nil?
|
|
379
384
|
logger.fatal "[!] NULL PE offset (e_lfanew). cannot continue."
|
|
380
385
|
nil
|
|
@@ -385,7 +390,14 @@ class PEdump
|
|
|
385
390
|
f.seek pe_offset
|
|
386
391
|
pe_sig = f.read 4
|
|
387
392
|
logger.error "[!] 'NE' format is not supported!" if pe_sig == "NE\x00\x00"
|
|
388
|
-
|
|
393
|
+
if pe_sig != "PE\x00\x00"
|
|
394
|
+
if @force
|
|
395
|
+
logger.warn "[?] no PE signature (want: 'PE\\x00\\x00', got: #{pe_sig.inspect})"
|
|
396
|
+
else
|
|
397
|
+
logger.error "[?] no PE signature (want: 'PE\\x00\\x00', got: #{pe_sig.inspect}). (not forced)"
|
|
398
|
+
return nil
|
|
399
|
+
end
|
|
400
|
+
end
|
|
389
401
|
PE.new(pe_sig).tap do |pe|
|
|
390
402
|
pe.image_file_header = IMAGE_FILE_HEADER.read(f)
|
|
391
403
|
if pe.ifh.SizeOfOptionalHeader > 0
|
|
@@ -397,7 +409,7 @@ class PEdump
|
|
|
397
409
|
end
|
|
398
410
|
|
|
399
411
|
if (nToRead=pe.ifh.NumberOfSections) > 32
|
|
400
|
-
if @force
|
|
412
|
+
if @force.is_a?(Numeric) && @force > 1
|
|
401
413
|
logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). forced. reading all"
|
|
402
414
|
else
|
|
403
415
|
logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). not forced, reading first 32"
|
|
@@ -418,10 +430,15 @@ class PEdump
|
|
|
418
430
|
|
|
419
431
|
# OPTIONAL: assigns @mz, @rich_hdr, @pe, etc
|
|
420
432
|
def dump f=nil
|
|
421
|
-
f ?
|
|
433
|
+
f ? _dump_handle(f) : File.open(@fname){ |f| _dump_handle(f) }
|
|
422
434
|
self
|
|
423
435
|
end
|
|
424
436
|
|
|
437
|
+
def _dump_handle h
|
|
438
|
+
rich_hdr(h) # includes mz(h)
|
|
439
|
+
resources(h) # includes pe(h)
|
|
440
|
+
end
|
|
441
|
+
|
|
425
442
|
def data_directory f=nil
|
|
426
443
|
pe(f) && pe.ioh && pe.ioh.DataDirectory
|
|
427
444
|
end
|
|
@@ -517,7 +534,7 @@ class PEdump
|
|
|
517
534
|
end
|
|
518
535
|
|
|
519
536
|
def _read_resource_directory_tree f
|
|
520
|
-
return nil unless pe(f).
|
|
537
|
+
return nil unless pe(f) && pe(f).ioh && f
|
|
521
538
|
res_dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::RESOURCE]
|
|
522
539
|
return [] if !res_dir || (res_dir.va == 0 && res_dir.size == 0)
|
|
523
540
|
res_va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::RESOURCE].va
|
data/lib/pedump/cli.rb
CHANGED
|
@@ -30,7 +30,8 @@ class PEdump::CLI
|
|
|
30
30
|
@options[:verbose] += 1
|
|
31
31
|
end
|
|
32
32
|
opts.on "-F", "--force", "Try to dump by all means (can cause exceptions & heavy wounds)" do |v|
|
|
33
|
-
@options[:force]
|
|
33
|
+
@options[:force] ||= 0
|
|
34
|
+
@options[:force] += 1
|
|
34
35
|
end
|
|
35
36
|
opts.on "-f", "--format FORMAT", [:binary, :c, :dump, :hex, :inspect, :table],
|
|
36
37
|
"Output format: bin,c,dump,hex,inspect,table (default)" do |v|
|
|
@@ -71,6 +72,8 @@ class PEdump::CLI
|
|
|
71
72
|
end
|
|
72
73
|
end
|
|
73
74
|
|
|
75
|
+
return if !@options[:force] && !@pedump.mz(f)
|
|
76
|
+
|
|
74
77
|
@actions.each do |action|
|
|
75
78
|
dump_action action,f
|
|
76
79
|
end
|
data/pedump.gemspec
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: pedump
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.1
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -13,7 +13,7 @@ date: 2011-12-09 00:00:00.000000000Z
|
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: rspec
|
|
16
|
-
requirement: &
|
|
16
|
+
requirement: &70262192852620 !ruby/object:Gem::Requirement
|
|
17
17
|
none: false
|
|
18
18
|
requirements:
|
|
19
19
|
- - ~>
|
|
@@ -21,10 +21,10 @@ dependencies:
|
|
|
21
21
|
version: 2.3.0
|
|
22
22
|
type: :development
|
|
23
23
|
prerelease: false
|
|
24
|
-
version_requirements: *
|
|
24
|
+
version_requirements: *70262192852620
|
|
25
25
|
- !ruby/object:Gem::Dependency
|
|
26
26
|
name: bundler
|
|
27
|
-
requirement: &
|
|
27
|
+
requirement: &70262192851380 !ruby/object:Gem::Requirement
|
|
28
28
|
none: false
|
|
29
29
|
requirements:
|
|
30
30
|
- - ~>
|
|
@@ -32,10 +32,10 @@ dependencies:
|
|
|
32
32
|
version: 1.0.0
|
|
33
33
|
type: :development
|
|
34
34
|
prerelease: false
|
|
35
|
-
version_requirements: *
|
|
35
|
+
version_requirements: *70262192851380
|
|
36
36
|
- !ruby/object:Gem::Dependency
|
|
37
37
|
name: jeweler
|
|
38
|
-
requirement: &
|
|
38
|
+
requirement: &70262192849440 !ruby/object:Gem::Requirement
|
|
39
39
|
none: false
|
|
40
40
|
requirements:
|
|
41
41
|
- - ~>
|
|
@@ -43,10 +43,10 @@ dependencies:
|
|
|
43
43
|
version: 1.6.4
|
|
44
44
|
type: :development
|
|
45
45
|
prerelease: false
|
|
46
|
-
version_requirements: *
|
|
46
|
+
version_requirements: *70262192849440
|
|
47
47
|
- !ruby/object:Gem::Dependency
|
|
48
48
|
name: rcov
|
|
49
|
-
requirement: &
|
|
49
|
+
requirement: &70262192846320 !ruby/object:Gem::Requirement
|
|
50
50
|
none: false
|
|
51
51
|
requirements:
|
|
52
52
|
- - ! '>='
|
|
@@ -54,7 +54,7 @@ dependencies:
|
|
|
54
54
|
version: '0'
|
|
55
55
|
type: :development
|
|
56
56
|
prerelease: false
|
|
57
|
-
version_requirements: *
|
|
57
|
+
version_requirements: *70262192846320
|
|
58
58
|
description: dump headers, sections, extract resources of win32 PE exe,dll,etc
|
|
59
59
|
email: zed.0xff@gmail.com
|
|
60
60
|
executables:
|
|
@@ -93,7 +93,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
93
93
|
version: '0'
|
|
94
94
|
segments:
|
|
95
95
|
- 0
|
|
96
|
-
hash:
|
|
96
|
+
hash: -2508940562784118037
|
|
97
97
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
98
98
|
none: false
|
|
99
99
|
requirements:
|