pedump 0.3.3 → 0.4.0

data/Gemfile

@@ -12,4 +12,5 @@ group :development do
   gem "bundler", "~> 1.0.0"
   gem "jeweler", "~> 1.6.4"
   gem "rcov", ">= 0"
+  gem "awesome_print"
 end

data/Gemfile.lock

@@ -1,6 +1,7 @@
 GEM
   remote: http://rubygems.org/
   specs:
+    awesome_print (0.4.0)
     diff-lcs (1.1.3)
     git (1.2.5)
     jeweler (1.6.4)
@@ -24,6 +25,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  awesome_print
   bundler (~> 1.0.0)
   jeweler (~> 1.6.4)
   multipart-post (~> 1.1.4)

data/README.md

@@ -14,19 +14,25 @@ A pure ruby implementation of win32 PE binary files dumper, including:
  * Resources
  * Strings
  * Imports & Exports
+ * VS_VERSIONINFO parsing
  * PE Packer/Compiler detection
- * a conventient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
+ * a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
 
 Installation
 ------------
     gem install pedump
 
-Usage and documentation
------------------------
+Usage
+-----
+
+    # pedump -h
 
     Usage: pedump [options]
-        -V, --version                    Print version information and exit
-        -v, --[no-]verbose               Run verbosely
+            --version                    Print version information and exit
+        -v, --verbose                    Run verbosely
+                                         (can be used multiple times)
+        -q, --quiet                      Silent any warnings
+                                         (can be used multiple times)
         -F, --force                      Try to dump by all means
                                          (can cause exceptions & heavy wounds)
         -f, --format FORMAT              Output format: bin,c,dump,hex,inspect,table
@@ -36,13 +42,15 @@ Usage and documentation
             --rich
             --pe
             --data-directory
-            --sections
-            --strings
-            --resources
+        -S, --sections
+        -s, --strings
+        -R, --resources
             --resource-directory
-            --imports
-            --exports
+        -I, --imports
+        -E, --exports
+        -V, --version-info
             --packer
+            --deep                       packer deep scan, significantly slower
         -P, --packer-only                packer/compiler detect only,
                                          mimics 'file' command output
             --all                        Dump all but resource-directory (default)
@@ -51,6 +59,340 @@ Usage and documentation
                                          for a nice HTML tables with image previews,
                                          candies & stuff
 
+### MZ Header
+
+    # pedump --mz calc.exe
+
+    === MZ Header ===
+    
+                         signature:                     "MZ"
+               bytes_in_last_block:        144          0x90
+                    blocks_in_file:          3             3
+                        num_relocs:          0             0
+                 header_paragraphs:          4             4
+              min_extra_paragraphs:          0             0
+              max_extra_paragraphs:      65535        0xffff
+                                ss:          0             0
+                                sp:        184          0xb8
+                          checksum:          0             0
+                                ip:          0             0
+                                cs:          0             0
+                reloc_table_offset:         64          0x40
+                    overlay_number:          0             0
+                         reserved0:          0             0
+                            oem_id:          0             0
+                          oem_info:          0             0
+                         reserved2:          0             0
+                         reserved3:          0             0
+                         reserved4:          0             0
+                         reserved5:          0             0
+                         reserved6:          0             0
+                            lfanew:        232          0xe8
+
+### DOS stub
+
+    # pedump --dos-stub calc.exe
+
+    === DOS STUB ===
+    
+    00000000:  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
+    00000010:  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
+    00000020:  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
+    00000030:  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
+
+### 'Rich' Header
+
+    # pedump --rich calc.exe
+
+    === RICH Header ===
+    
+        LIB_ID        VERSION        TIMES_USED   
+       149  95      21022  521e         9   9
+         1   1          0     0       367 16f
+       147  93      21022  521e        29  1d
+       132  84      21022  521e       129  81
+       131  83      21022  521e        25  19
+       148  94      21022  521e         1   1
+       145  91      21022  521e         1   1
+
+### PE Header
+
+    # pedump --pe calc.exe
+
+    === PE Header ===
+    
+                         signature:             "PE\x00\x00"
+    
+    # IMAGE_FILE_HEADER:
+                           Machine:        332         0x14c  x86
+                  NumberOfSections:          4             4
+                     TimeDateStamp:    "2008-09-14 11:28:52"
+              PointerToSymbolTable:          0             0
+                   NumberOfSymbols:          0             0
+              SizeOfOptionalHeader:        224          0xe0
+                   Characteristics:        258         0x102  EXECUTABLE_IMAGE, 32BIT_MACHINE
+    
+    # IMAGE_OPTIONAL_HEADER32:
+                             Magic:        267         0x10b  32-bit executable
+                     LinkerVersion:                      9.0
+                        SizeOfCode:     305664       0x4aa00
+             SizeOfInitializedData:     340480       0x53200
+           SizeOfUninitializedData:          0             0
+               AddressOfEntryPoint:     230155       0x3830b
+                        BaseOfCode:       4096        0x1000
+                        BaseOfData:     311296       0x4c000
+                         ImageBase:   16777216     0x1000000
+                  SectionAlignment:       4096        0x1000
+                     FileAlignment:        512         0x200
+            OperatingSystemVersion:                      5.1
+                      ImageVersion:                    5.256
+                  SubsystemVersion:                      5.1
+                         Reserved1:          0             0
+                       SizeOfImage:     659456       0xa1000
+                     SizeOfHeaders:       1024         0x400
+                          CheckSum:     690555       0xa897b
+                         Subsystem:          2             2  WINDOWS_GUI
+                DllCharacteristics:      33088        0x8140  DYNAMIC_BASE, NX_COMPAT
+                                                              TERMINAL_SERVER_AWARE
+                SizeOfStackReserve:     262144       0x40000
+                 SizeOfStackCommit:       8192        0x2000
+                 SizeOfHeapReserve:    1048576      0x100000
+                  SizeOfHeapCommit:       4096        0x1000
+                       LoaderFlags:          0             0
+               NumberOfRvaAndSizes:         16          0x10
+
+### Data Directory
+
+    # pedump --data-directory calc.exe
+
+    === DATA DIRECTORY ===
+    
+      EXPORT        rva:0x       0   size:0x        0
+      IMPORT        rva:0x   49c1c   size:0x      12c
+      RESOURCE      rva:0x   51000   size:0x    4ab07
+      EXCEPTION     rva:0x       0   size:0x        0
+      SECURITY      rva:0x       0   size:0x        0
+      BASERELOC     rva:0x   9c000   size:0x     3588
+      DEBUG         rva:0x    1610   size:0x       1c
+      ARCHITECTURE  rva:0x       0   size:0x        0
+      GLOBALPTR     rva:0x       0   size:0x        0
+      TLS           rva:0x       0   size:0x        0
+      LOAD_CONFIG   rva:0x    3d78   size:0x       40
+      Bound_IAT     rva:0x     280   size:0x      12c
+      IAT           rva:0x    1000   size:0x      594
+      Delay_IAT     rva:0x   49bac   size:0x       40
+      CLR_Header    rva:0x       0   size:0x        0
+                    rva:0x       0   size:0x        0
+
+### Sections
+
+    # pedump --sections calc.exe
+
+    === SECTIONS ===
+    
+      NAME          RVA      VSZ   RAW_SZ  RAW_PTR  nREL  REL_PTR nLINE LINE_PTR     FLAGS
+      .text        1000    4a99a    4aa00      400     0        0     0        0  60000020  R-X CODE
+      .data       4c000     431c     3000    4ae00     0        0     0        0  c0000040  RW- IDATA
+      .rsrc       51000    4ab07    4ac00    4de00     0        0     0        0  40000040  R-- IDATA
+      .reloc      9c000     41f6     4200    98a00     0        0     0        0  42000040  R-- IDATA DISCARDABLE
+
+### Resources
+
+    # pedump --resources calc.exe
+
+    === RESOURCES ===
+    
+    FILE_OFFSET    CP  LANG     SIZE  TYPE          NAME
+        0x4ec84     0 0x409     7465  IMAGE         #157
+        0x509b0     0 0x409     4086  IMAGE         #165
+        0x519a8     0 0x409     4234  IMAGE         #170
+        0x52a34     0 0x409     4625  IMAGE         #175
+        0x53c48     0 0x409     4873  IMAGE         #180
+        0x54f54     0 0x409     3048  IMAGE         #204
+        0x55b3c     0 0x409     3052  IMAGE         #208
+        0x56728     0 0x409     3217  IMAGE         #212
+        0x573bc     0 0x409     3338  IMAGE         #216
+        0x580c8     0 0x409     4191  IMAGE         #217
+        0x59128     0 0x409     4229  IMAGE         #218
+        0x5a1b0     0 0x409     4110  IMAGE         #219
+        0x5b1c0     0 0x409     4065  IMAGE         #220
+        0x5c1a4     0 0x409     3235  IMAGE         #961
+        0x5ce48     0 0x409      470  IMAGE         #981
+        0x5d020     0 0x409      587  IMAGE         #982
+        0x5d26c     0 0x409      518  IMAGE         #983
+        0x5d474     0 0x409     5344  IMAGE         #3000
+        0x5e954     0 0x409     4154  IMAGE         #3015
+        0x5f990     0 0x409     4815  IMAGE         #3045
+        0x60c60     0 0x409     6038  IMAGE         #3051
+        0x623f8     0 0x409     4290  IMAGE         #3060
+    ...
+
+### Strings
+
+    # pedump --strings calc.exe.mui
+
+    === STRINGS ===
+    
+       ID    ID  LANG  STRING
+        0     0   409  "+/-"
+        1     1   409  "C"
+        2     2   409  "CE"
+        3     3   409  "Backspace"
+        4     4   409  "."
+        6     6   409  "And"
+        7     7   409  "Or"
+        8     8   409  "Xor"
+        9     9   409  "Lsh"
+       10     a   409  "Rsh"
+       11     b   409  "/"
+       12     c   409  "*"
+       13     d   409  "+"
+       14     e   409  "-"
+       15     f   409  "Mod"
+       16    10   409  "R"
+       17    11   409  "^"
+       18    12   409  "Int"
+       19    13   409  "RoL"
+       20    14   409  "RoR"
+       21    15   409  "Not"
+       22    16   409  "sin"
+    ...
+
+### Imports
+
+    # pedump --imports zlib.dll
+
+    === IMPORTS ===
+    
+    MODULE_NAME      HINT   ORD  FUNCTION_NAME
+    KERNEL32.dll       e1        GetLastError
+    KERNEL32.dll      153        HeapAlloc
+    KERNEL32.dll      159        HeapFree
+    KERNEL32.dll       9f        GetCommandLineA
+    KERNEL32.dll      103        GetProcAddress
+    KERNEL32.dll       eb        GetModuleHandleA
+    KERNEL32.dll      137        GetVersion
+    KERNEL32.dll      164        InitializeCriticalSection
+    KERNEL32.dll       44        DeleteCriticalSection
+    KERNEL32.dll       4f        EnterCriticalSection
+    KERNEL32.dll      177        LeaveCriticalSection
+    KERNEL32.dll      1fa        SetHandleCount
+    KERNEL32.dll       dc        GetFileType
+    KERNEL32.dll      116        GetStdHandle
+    KERNEL32.dll      114        GetStartupInfoA
+    KERNEL32.dll      155        HeapCreate
+    KERNEL32.dll      157        HeapDestroy
+    KERNEL32.dll       c7        GetCurrentThreadId
+    KERNEL32.dll      222        TlsSetValue
+    KERNEL32.dll      21f        TlsAlloc
+    KERNEL32.dll      220        TlsFree
+    KERNEL32.dll      1fd        SetLastError
+    KERNEL32.dll      221        TlsGetValue
+    KERNEL32.dll       62        ExitProcess
+    KERNEL32.dll      1b8        ReadFile
+    KERNEL32.dll       16        CloseHandle
+    KERNEL32.dll      24f        WriteFile
+    KERNEL32.dll       83        FlushFileBuffers
+    KERNEL32.dll       e9        GetModuleFileNameA
+    KERNEL32.dll       98        GetCPInfo
+    KERNEL32.dll       92        GetACP
+    KERNEL32.dll       f6        GetOEMCP
+    KERNEL32.dll       8b        FreeEnvironmentStringsA
+    KERNEL32.dll       d0        GetEnvironmentStrings
+    KERNEL32.dll       8c        FreeEnvironmentStringsW
+    KERNEL32.dll       d2        GetEnvironmentStringsW
+    KERNEL32.dll      242        WideCharToMultiByte
+    KERNEL32.dll       2b        CreateFileA
+    KERNEL32.dll      1f8        SetFilePointer
+    KERNEL32.dll      206        SetStdHandle
+    KERNEL32.dll      178        LoadLibraryA
+    KERNEL32.dll      1ef        SetEndOfFile
+
+### Exports
+
+    # pedump --exports zlib.dll
+
+    === EXPORTS ===
+    
+    # module "zlib.dll"
+    # flags=0x0  ts="1996-05-07 12:46:46"  version=0.0  ord_base=1
+    # nFuncs=27  nNames=27
+    
+      ORD ENTRY_VA  NAME
+        1     76d0  adler32
+        2     2db0  compress
+        3     4aa0  crc32
+        4     3c90  deflate
+        5     4060  deflateCopy
+        6     3fd0  deflateEnd
+        7     37f0  deflateInit2_
+        8     37c0  deflateInit_
+        9     3bc0  deflateParams
+       10     3b40  deflateReset
+       11     3a40  deflateSetDictionary
+       12     7510  gzclose
+       13     6f00  gzdopen
+       14     75a0  gzerror
+       15     73f0  gzflush
+       16     6c50  gzopen
+       17     7190  gzread
+       18     7350  gzwrite
+       19     4e50  inflate
+       20     4cc0  inflateEnd
+       21     4d20  inflateInit2_
+       22     4e30  inflateInit_
+       23     4c70  inflateReset
+       24     5260  inflateSetDictionary
+       25     52f0  inflateSync
+       26     4bd0  uncompress
+       27     e340  zlib_version
+
+### VS_VERSIONINFO parsing
+
+    # pedump --version-info calc.exe
+
+    === VERSION INFO ===
+    
+    # VS_FIXEDFILEINFO:
+      FileVersion         :  6.1.6801.0
+      ProductVersion      :  6.1.6801.0
+      StrucVersion        :  0x10000
+      FileFlagsMask       :  0x3f
+      FileFlags           :  0
+      FileOS              :  0x40004
+      FileType            :  1
+      FileSubtype         :  0
+    
+    # StringTable 040904B0:
+      CompanyName         :  "Microsoft Corporation"
+      FileDescription     :  "Windows Calculator"
+      FileVersion         :  "6.1.6801.0 (winmain_win7m3.080913-2030)"
+      InternalName        :  "CALC"
+      LegalCopyright      :  "© Microsoft Corporation. All rights reserved."
+      OriginalFilename    :  "CALC.EXE"
+      ProductName         :  "Microsoft® Windows® Operating System"
+      ProductVersion      :  "6.1.6801.0"
+    
+      VarFileInfo         :  [ 0x409, 0x4b0 ]
+
+### Packer / Compiler detection
+
+    # pedump --packer zlib.dll
+
+    === Packer / Compiler ===
+    
+      MS Visual C v2.0
+
+#### pedump can mimic 'file' command output:
+
+    #pedump --packer-only -qqq samples/*
+    
+    samples/StringLoader.dll:                 Microsoft Visual C++ 6.0 DLL (Debug)
+    samples/control.exe:                      ASPack v2.12
+    samples/gms_v1_0_3.exe:                   UPX 2.90 [LZMA] (Markus Oberhumer, Laszlo Molnar & John Reiser)
+    samples/unpackme.exe:                     ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
+    samples/zlib.dll:                         Microsoft Visual C v2.0
+
 License
 -------
 Released under the MIT License.  See the [LICENSE](https://github.com/zed-0xff/pedump/blob/master/LICENSE.txt) file for further details.

data/README.md.tpl

@@ -14,8 +14,9 @@ A pure ruby implementation of win32 PE binary files dumper, including:
  * Resources
  * Strings
  * Imports & Exports
+ * VS_VERSIONINFO parsing
  * PE Packer/Compiler detection
- * a conventient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
+ * a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
 
 Installation
 ------------
@@ -28,7 +29,61 @@ Usage
 
 ### MZ Header
 
-% pedump --mz 
+% pedump --mz calc.exe
+
+### DOS stub
+
+% pedump --dos-stub calc.exe
+
+### 'Rich' Header
+
+% pedump --rich calc.exe
+
+### PE Header
+
+% pedump --pe calc.exe
+
+### Data Directory
+
+% pedump --data-directory calc.exe
+
+### Sections
+
+% pedump --sections calc.exe
+
+### Resources
+
+% pedump --resources calc.exe
+
+### Strings
+
+% pedump --strings calc.exe.mui
+
+### Imports
+
+% pedump --imports zlib.dll
+
+### Exports
+
+% pedump --exports zlib.dll
+
+### VS_VERSIONINFO parsing
+
+% pedump --version-info calc.exe
+
+### Packer / Compiler detection
+
+% pedump --packer zlib.dll
+
+#### pedump can mimic 'file' command output:
+
+    #pedump --packer-only -qqq samples/*
+    
+    samples/StringLoader.dll:                 Microsoft Visual C++ 6.0 DLL (Debug)
+    samples/control.exe:                      ASPack v2.12
+    samples/gms_v1_0_3.exe:                   UPX 2.90 [LZMA] (Markus Oberhumer, Laszlo Molnar & John Reiser)
+    samples/unpackme.exe:                     ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
+    samples/zlib.dll:                         Microsoft Visual C v2.0
 
 License
 -------