RubyGems - pedump - Versions diffs - 0.1.1 → 0.2.0 - Mend

pedump 0.1.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 0.1.1
1	+ 0.2.0

data/lib/pedump.rb CHANGED Viewed

@@ -126,14 +126,18 @@ class PEdump
     :lfanew
   )
-  PE = Struct.new(
+  class PE < Struct.new(
     :signature,            # "PE\x00\x00"
     :image_file_header,
     :image_optional_header,
     :section_table
   )
-  class PE; alias :ifh :image_file_header; end
-  class PE; alias :ioh :image_optional_header; end
+    alias :ifh :image_file_header
+    alias :ioh :image_optional_header
+    def x64?
+      ifh && ifh.Machine == 0x8664
+    end
+  end
   # http://msdn.microsoft.com/en-us/library/ms809762.aspx
   IMAGE_FILE_HEADER = create_struct( 'v2V3v2',
@@ -401,7 +405,7 @@ class PEdump
           PE.new(pe_sig).tap do |pe|
             pe.image_file_header = IMAGE_FILE_HEADER.read(f)
             if pe.ifh.SizeOfOptionalHeader > 0
-              if pe.ifh.Machine == 0x8664
+              if pe.x64?
                 pe.image_optional_header = IMAGE_OPTIONAL_HEADER64.read(f, pe.ifh.SizeOfOptionalHeader)
               else
                 pe.image_optional_header = IMAGE_OPTIONAL_HEADER.read(f, pe.ifh.SizeOfOptionalHeader)
@@ -448,6 +452,126 @@ class PEdump
   end
   alias :section_table :sections
+  ##############################################################################
+  # imports
+  ##############################################################################
+  # http://sandsprite.com/CodeStuff/Understanding_imports.html
+  # http://stackoverflow.com/questions/5631317/import-table-it-vs-import-address-table-iat
+  IMAGE_IMPORT_DESCRIPTOR = create_struct 'V5',
+    :OriginalFirstThunk,
+    :TimeDateStamp,
+    :ForwarderChain,
+    :Name,
+    :FirstThunk,
+    # manual:
+    :module_name,
+    :original_first_thunk,
+    :first_thunk
+  ImportedFunction = Struct.new(:hint, :name, :ordinal)
+  def imports f=nil
+    return nil unless pe(f) && pe(f).ioh && f
+    dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::IMPORT]
+    return [] if !dir || (dir.va == 0 && dir.size == 0)
+    va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::IMPORT].va
+    f.seek va2file(va)
+    r = []
+    until (t=IMAGE_IMPORT_DESCRIPTOR.read(f)).empty?
+      r << t
+    end
+    r.each do |x|
+      if x.Name.to_i != 0 && (va = va2file(x.Name))
+        f.seek va
+        x.module_name = f.gets("\x00").chop
+      end
+      [:original_first_thunk, :first_thunk].each do |tbl|
+        camel = tbl.capitalize.to_s.gsub(/_./){ |char| char[1..-1].upcase}
+        if x[camel].to_i != 0 && (va = va2file(x[camel]))
+          f.seek va
+          x[tbl] ||= []
+          if pe.x64?
+            x[tbl] << t while (t = f.read(8).unpack('Q').first) != 0
+          else
+            x[tbl] << t while (t = f.read(4).unpack('V').first) != 0
+          end
+        end
+        cache = {}
+        bits = pe.x64? ? 64 : 32
+        x[tbl] && x[tbl].map! do |t|
+          cache[t] ||=
+            if t & (2**(bits-1)) > 0                            # 0x8000_0000(_0000_0000)
+              ImportedFunction.new(nil,nil,t & (2**(bits-1)-1)) # 0x7fff_ffff(_ffff_ffff)
+            elsif va=va2file(t)
+              f.seek va
+              ImportedFunction.new(f.read(2).unpack('v').first, f.gets("\x00").chop)
+            else
+              nil
+            end
+        end
+      end
+      if x.original_first_thunk != x.first_thunk
+        logger.warn "[?] import table: #{x.module_name}: original_first_thunk != first_thunk"
+      end
+    end
+  end
+  ##############################################################################
+  # exports
+  ##############################################################################
+  #http://msdn.microsoft.com/en-us/library/ms809762.aspx
+  IMAGE_EXPORT_DIRECTORY = create_struct 'V2v2V7',
+    :Characteristics,
+    :TimeDateStamp,
+    :MajorVersion,          # These fields appear to be unused and are set to 0.
+    :MinorVersion,          # These fields appear to be unused and are set to 0.
+    :Name,
+    :Base,                  # The starting ordinal number for exported functions
+    :NumberOfFunctions,
+    :NumberOfNames,
+    :AddressOfFunctions,
+    :AddressOfNames,
+    :AddressOfNameOrdinals,
+    # manual:
+    :name, :entry_points, :names, :ordinals
+  def exports f=nil
+    return nil unless pe(f) && pe(f).ioh && f
+    dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::EXPORT]
+    return [] if !dir || (dir.va == 0 && dir.size == 0)
+    va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::EXPORT].va
+    f.seek va2file(va)
+    IMAGE_EXPORT_DIRECTORY.read(f).tap do |x|
+      if x.Name.to_i != 0 && (va = va2file(x.Name))
+        f.seek va
+        x.name = f.gets("\x00").chop
+      end
+      if x.NumberOfFunctions.to_i != 0
+        if x.AddressOfFunctions.to_i !=0 && (va = va2file(x.AddressOfFunctions))
+          f.seek va
+          x.entry_points = f.read(x.NumberOfFunctions*4).unpack('V*')
+        end
+        if x.AddressOfNameOrdinals.to_i !=0 && (va = va2file(x.AddressOfNameOrdinals))
+          f.seek va
+          x.ordinals = f.read(x.NumberOfFunctions*2).unpack('v*').map{ |o| o+x.Base }
+        end
+      end
+      if x.NumberOfNames.to_i != 0 && x.AddressOfNames.to_i !=0 && (va = va2file(x.AddressOfNames))
+        f.seek va
+        x.names = f.read(x.NumberOfNames*4).unpack('V*').map do |va|
+          f.seek va2file(va)
+          f.gets("\x00").chop
+        end
+      end
+    end
+  end
+  ##############################################################################
+  # resources
+  ##############################################################################
   IMAGE_RESOURCE_DIRECTORY = create_struct 'V2v4',
     :Characteristics, :TimeDateStamp, # 2dw
     :MajorVersion, :MinorVersion, :NumberOfNamedEntries, :NumberOfIdEntries, # 4w
@@ -581,7 +705,11 @@ class PEdump
     def restore_bitmap src_fname
       File.open(src_fname, "rb") do |f|
         parse f
-        bitmap_hdr + f.read(@palette_size + @imgdata_size)
+        if data.first == "PNG"
+          "\x89PNG" +f.read(self.size-4)
+        else
+          bitmap_hdr + f.read(@palette_size + @imgdata_size)
+        end
       end
     end
@@ -620,7 +748,12 @@ class PEdump
       case type
       when 'BITMAP','ICON'
         f.seek file_offset
-        data << BITMAPINFOHEADER.read(f)
+        if f.read(4) == "\x89PNG"
+          data << 'PNG'
+        else
+          f.seek file_offset
+          data << BITMAPINFOHEADER.read(f)
+        end
       when 'CURSOR'
         f.seek file_offset
         data << CURSOR_HOTSPOT.read(f)

data/lib/pedump/cli.rb CHANGED Viewed

@@ -3,8 +3,8 @@ require 'optparse'
 unless Object.instance_methods.include?(:try)
   class Object
-    def try(method)
-      send method if respond_to? method
+    def try(*x)
+      send(*x) if respond_to?(x.first)
     end
   end
 end
@@ -12,7 +12,11 @@ end
 class PEdump::CLI
   attr_accessor :data, :argv
-  KNOWN_ACTIONS = %w'mz dos_stub rich pe data_directory sections strings resources resource_directory'.map(&:to_sym)
+  KNOWN_ACTIONS = (
+    %w'mz dos_stub rich pe data_directory sections' +
+    %w'strings resources resource_directory imports exports'
+  ).map(&:to_sym)
   DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory'.map(&:to_sym)
   def initialize argv = ARGV
@@ -108,6 +112,10 @@ class PEdump::CLI
         return dump_resources(data)
       when :strings
         return dump_strings(data)
+      when :imports
+        return dump_imports(data)
+      when :exports
+        return dump_exports(data)
       else
         if data.is_a?(Struct) && data.respond_to?(:pack)
           data = data.pack
@@ -158,35 +166,42 @@ class PEdump::CLI
     :Subsystem => PEdump::IMAGE_SUBSYSTEMS
   }
-  def dump_table data
-    if data.is_a?(Struct)
-      return dump_res_dir(data) if data.is_a?(PEdump::IMAGE_RESOURCE_DIRECTORY)
-      data.each_pair do |k,v|
-        case v
-        when Numeric
-          case k
-          when /\AMajor.*Version\Z/
-            printf "%30s: %24s\n", k.to_s.sub('Major',''), "#{v}.#{data[k.to_s.sub('Major','Minor')]}"
-          when /\AMinor.*Version\Z/
+  def dump_generic_table data
+    data.each_pair do |k,v|
+      case v
+      when Numeric
+        case k
+        when /\AMajor.*Version\Z/
+          printf "%30s: %24s\n", k.to_s.sub('Major',''), "#{v}.#{data[k.to_s.sub('Major','Minor')]}"
+        when /\AMinor.*Version\Z/
+        when /TimeDateStamp/
+          printf "%30s: %24s\n", k, Time.at(v).strftime('"%Y-%m-%d %H:%M:%S"')
+        else
+          if COMMENTS[k]
+            printf "%30s: %10d  %12s  %s\n", k, v, v<10 ? v : ("0x"+v.to_s(16)),
+              COMMENTS[k][v] || (COMMENTS[k].is_a?(Hash) ? COMMENTS[k]['default'] : '') || ''
           else
-            if COMMENTS[k]
-              printf "%30s: %10d  %12s  %s\n", k, v, v<10 ? v : ("0x"+v.to_s(16)),
-                COMMENTS[k][v] || (COMMENTS[k].is_a?(Hash) ? COMMENTS[k]['default'] : '') || ''
-            else
-              printf "%30s: %10d  %12s\n", k, v, v<10 ? v : ("0x"+v.to_s(16))
-            end
+            printf "%30s: %10d  %12s\n", k, v, v<10 ? v : ("0x"+v.to_s(16))
           end
-        when Struct
-          printf "\n# %s:\n", v.class.to_s.split('::').last
-          dump_table v
-        when Time
-          printf "%30s: %24s\n", k, v.strftime('"%Y-%m-%d %H:%M:%S"')
-        when Array
-          next if %w'DataDirectory section_table'.include?(k)
-        else
-          printf "%30s: %24s\n", k, v.to_s.inspect
         end
+      when Struct
+        printf "\n# %s:\n", v.class.to_s.split('::').last
+        dump_table v
+      when Time
+        printf "%30s: %24s\n", k, v.strftime('"%Y-%m-%d %H:%M:%S"')
+      when Array
+        next if %w'DataDirectory section_table'.include?(k)
+      else
+        printf "%30s: %24s\n", k, v.to_s.inspect
       end
+    end
+  end
+  def dump_table data
+    if data.is_a?(Struct)
+      return dump_res_dir(data) if data.is_a?(PEdump::IMAGE_RESOURCE_DIRECTORY)
+      return dump_exports(data) if data.is_a?(PEdump::IMAGE_EXPORT_DIRECTORY)
+      dump_generic_table data
     elsif data.is_a?(Enumerable) && data.map(&:class).uniq.size == 1
       case data.first
       when PEdump::IMAGE_DATA_DIRECTORY
@@ -197,6 +212,8 @@ class PEdump::CLI
         dump_resources data
       when PEdump::STRING
         dump_strings data
+      when PEdump::IMAGE_IMPORT_DESCRIPTOR
+        dump_imports data
       else
         puts "[?] don't know how to dump: #{data.inspect[0,50]}" unless data.empty?
       end
@@ -209,6 +226,44 @@ class PEdump::CLI
     end
   end
+  def dump_exports data
+    printf "# module_name=%s  flags=0x%x  ts=%s  version=%d.%d\n",
+      data.name.inspect,
+      data.Characteristics,
+      Time.at(data.TimeDateStamp.to_i).strftime('"%Y-%m-%d %H:%M:%S"'),
+      data.MajorVersion, data.MinorVersion
+    printf "# n_funcs=%d  n_names=%d\n",
+      data.NumberOfFunctions,
+      data.NumberOfNames
+    puts
+    printf "%5s %8s  %s\n", "ORD", "ENTRY_VA", "NAME"
+    data.NumberOfFunctions.times do |i|
+      printf "%5s %8x  %s\n",
+        data.ordinals[i].try(:to_s,16),
+        data.entry_points[i],
+        data.names[i]
+    end
+  end
+  def dump_imports data
+    fmt = "%-15s %5s %5s %s\n"
+    printf fmt, "MODULE_NAME", "HINT", "ORD", "FUNCTION_NAME"
+    data.each do |iid|
+      # image import descriptor
+      (Array(iid.original_first_thunk) + Array(iid.first_thunk)).uniq.each do |f|
+        # imported function
+        printf fmt,
+          iid.module_name,
+          f.hint ? f.hint.to_s(16) : '',
+          f.ordinal ? f.ordinal.to_s(16) : '',
+          f.name
+      end
+    end
+  end
   def dump_strings data
     printf "%5s %5s  %4s  %s\n", "ID", "ID", "LANG", "STRING"
     prev_lang = nil

data/pedump.gemspec CHANGED Viewed

@@ -5,11 +5,11 @@
 Gem::Specification.new do |s|
   s.name = "pedump"
-  s.version = "0.1.1"
+  s.version = "0.2.0"
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Andrey \"Zed\" Zaikin"]
-  s.date = "2011-12-09"
+  s.date = "2011-12-10"
   s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc"
   s.email = "zed.0xff@gmail.com"
   s.executables = ["pedump"]

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
   prerelease:
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-12-09 00:00:00.000000000Z
+date: 2011-12-10 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70262192852620 !ruby/object:Gem::Requirement
+  requirement: &70291670384640 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +21,10 @@ dependencies:
         version: 2.3.0
   type: :development
   prerelease: false
-  version_requirements: *70262192852620
+  version_requirements: *70291670384640
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70262192851380 !ruby/object:Gem::Requirement
+  requirement: &70291670381860 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +32,10 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *70262192851380
+  version_requirements: *70291670381860
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70262192849440 !ruby/object:Gem::Requirement
+  requirement: &70291670379240 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,10 +43,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70262192849440
+  version_requirements: *70291670379240
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70262192846320 !ruby/object:Gem::Requirement
+  requirement: &70291670377460 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -54,7 +54,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70262192846320
+  version_requirements: *70291670377460
 description: dump headers, sections, extract resources of win32 PE exe,dll,etc
 email: zed.0xff@gmail.com
 executables:
@@ -93,7 +93,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -2508940562784118037
+      hash: 3280002266277389467
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: