pedump 0.3.3 → 0.4.0
- data/Gemfile +1 -0
- data/Gemfile.lock +2 -0
- data/README.md +352 -10
- data/README.md.tpl +57 -2
- data/Rakefile +54 -27
- data/VERSION +1 -1
- data/data/fs.txt +1595 -0
- data/data/sig.bin +0 -0
- data/data/signatures.txt +678 -0
- data/data/{sig.txt → userdb.txt} +0 -0
- data/lib/pedump.rb +125 -64
- data/lib/pedump/cli.rb +135 -25
- data/lib/pedump/packer.rb +66 -65
- data/lib/pedump/sig_parser.rb +386 -0
- data/lib/pedump/version.rb +2 -2
- data/lib/pedump/version_info.rb +166 -0
- data/pedump.gemspec +14 -3
- data/samples/zlib.dll +0 -0
- data/spec/pedump_spec.rb +3 -3
- data/spec/resource_spec.rb +13 -0
- data/spec/sig_all_packers_spec.rb +14 -0
- data/spec/sig_spec.rb +63 -0
- metadata +35 -16
data/Gemfile
CHANGED
data/Gemfile.lock
CHANGED
@@ -1,6 +1,7 @@
|
|
1
1
|
GEM
|
2
2
|
remote: http://rubygems.org/
|
3
3
|
specs:
|
4
|
+
awesome_print (0.4.0)
|
4
5
|
diff-lcs (1.1.3)
|
5
6
|
git (1.2.5)
|
6
7
|
jeweler (1.6.4)
|
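Review bot: the new `awesome_print (0.4.0)` spec, like every other gem in this lockfile, resolves against `remote: http://rubygems.org/` (unchanged context at the top of the hunk), i.e. dependencies are fetched over plain HTTP with no transport authentication; change the Gemfile `source` to `https://rubygems.org/` and regenerate the lock so the remote line becomes `https://`. Also confirm whether awesome_print is meant as a runtime or a development-only dependency: pedump.gemspec is listed as changed in this release (+14 -3) but its hunk is not shown, and a pretty-printer pulled in for debugging should not become a runtime requirement of the published gem.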
@@ -24,6 +25,7 @@ PLATFORMS
|
|
24
25
|
ruby
|
25
26
|
|
26
27
|
DEPENDENCIES
|
28
|
+
awesome_print
|
27
29
|
bundler (~> 1.0.0)
|
28
30
|
jeweler (~> 1.6.4)
|
29
31
|
multipart-post (~> 1.1.4)
|
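Review bot: `awesome_print` is added to DEPENDENCIES without a version constraint, while its neighbours `bundler (~> 1.0.0)`, `jeweler (~> 1.6.4)` and `multipart-post (~> 1.1.4)` are all pinned with a pessimistic constraint; declare it as `awesome_print (~> 0.4.0)` in the Gemfile so a future incompatible release cannot silently change what `bundle install` resolves.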
data/README.md
CHANGED
@@ -14,19 +14,25 @@ A pure ruby implementation of win32 PE binary files dumper, including:
|
|
14
14
|
* Resources
|
15
15
|
* Strings
|
16
16
|
* Imports & Exports
|
17
|
+
* VS_VERSIONINFO parsing
|
17
18
|
* PE Packer/Compiler detection
|
18
|
-
* a
|
19
|
+
* a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
|
19
20
|
|
20
21
|
Installation
|
21
22
|
------------
|
22
23
|
gem install pedump
|
23
24
|
|
24
|
-
Usage
|
25
|
-
|
25
|
+
Usage
|
26
|
+
-----
|
27
|
+
|
28
|
+
# pedump -h
|
26
29
|
|
27
30
|
Usage: pedump [options]
|
28
|
-
|
29
|
-
-v, --
|
31
|
+
--version Print version information and exit
|
32
|
+
-v, --verbose Run verbosely
|
33
|
+
(can be used multiple times)
|
34
|
+
-q, --quiet Silent any warnings
|
35
|
+
(can be used multiple times)
|
30
36
|
-F, --force Try to dump by all means
|
31
37
|
(can cause exceptions & heavy wounds)
|
32
38
|
-f, --format FORMAT Output format: bin,c,dump,hex,inspect,table
|
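Review bot: in the new option table `-q, --quiet Silent any warnings` should read `Silence any warnings` (or `Suppress warnings`), and since both `-v` and `-q` carry `(can be used multiple times)` the text should say what repeating them does, e.g. each extra `-q` silences one more level, which is what the later `-qqq` example in this README relies on. The remark on `-F, --force` (`can cause exceptions & heavy wounds`) would be more useful as a plain statement that forcing a dump of a malformed file may raise exceptions, since malformed input is exactly what this option exists for. As README.md.tpl carries the same text, these wording fixes belong in the template so they survive regeneration.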
@@ -36,13 +42,15 @@ Usage and documentation
|
|
36
42
|
--rich
|
37
43
|
--pe
|
38
44
|
--data-directory
|
39
|
-
|
40
|
-
|
41
|
-
|
45
|
+
-S, --sections
|
46
|
+
-s, --strings
|
47
|
+
-R, --resources
|
42
48
|
--resource-directory
|
43
|
-
|
44
|
-
|
49
|
+
-I, --imports
|
50
|
+
-E, --exports
|
51
|
+
-V, --version-info
|
45
52
|
--packer
|
53
|
+
--deep packer deep scan, significantly slower
|
46
54
|
-P, --packer-only packer/compiler detect only,
|
47
55
|
mimics 'file' command output
|
48
56
|
--all Dump all but resource-directory (default)
|
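Review bot: `-S, --sections` and `-s, --strings` differ only in letter case, and `-V, --version-info` sits in the same table as the plain `--version` (which prints the tool version); a short remark that the short flags are case-sensitive, or distinct letters, would avoid mix-ups on the command line. `--deep packer deep scan, significantly slower` should say what a deep scan examines beyond the default scan so users can judge when the cost is worth it, and `--all Dump all but resource-directory (default)` should state whether the new `--version-info` is part of `--all` and whether `--deep` is implied by it.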
@@ -51,6 +59,340 @@ Usage and documentation
|
|
51
59
|
for a nice HTML tables with image previews,
|
52
60
|
candies & stuff
|
53
61
|
|
62
|
+
### MZ Header
|
63
|
+
|
64
|
+
# pedump --mz calc.exe
|
65
|
+
|
66
|
+
=== MZ Header ===
|
67
|
+
|
68
|
+
signature: "MZ"
|
69
|
+
bytes_in_last_block: 144 0x90
|
70
|
+
blocks_in_file: 3 3
|
71
|
+
num_relocs: 0 0
|
72
|
+
header_paragraphs: 4 4
|
73
|
+
min_extra_paragraphs: 0 0
|
74
|
+
max_extra_paragraphs: 65535 0xffff
|
75
|
+
ss: 0 0
|
76
|
+
sp: 184 0xb8
|
77
|
+
checksum: 0 0
|
78
|
+
ip: 0 0
|
79
|
+
cs: 0 0
|
80
|
+
reloc_table_offset: 64 0x40
|
81
|
+
overlay_number: 0 0
|
82
|
+
reserved0: 0 0
|
83
|
+
oem_id: 0 0
|
84
|
+
oem_info: 0 0
|
85
|
+
reserved2: 0 0
|
86
|
+
reserved3: 0 0
|
87
|
+
reserved4: 0 0
|
88
|
+
reserved5: 0 0
|
89
|
+
reserved6: 0 0
|
90
|
+
lfanew: 232 0xe8
|
91
|
+
|
92
|
+
### DOS stub
|
93
|
+
|
94
|
+
# pedump --dos-stub calc.exe
|
95
|
+
|
96
|
+
=== DOS STUB ===
|
97
|
+
|
98
|
+
00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
|
99
|
+
00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
|
100
|
+
00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
|
101
|
+
00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
|
102
|
+
|
103
|
+
### 'Rich' Header
|
104
|
+
|
105
|
+
# pedump --rich calc.exe
|
106
|
+
|
107
|
+
=== RICH Header ===
|
108
|
+
|
109
|
+
LIB_ID VERSION TIMES_USED
|
110
|
+
149 95 21022 521e 9 9
|
111
|
+
1 1 0 0 367 16f
|
112
|
+
147 93 21022 521e 29 1d
|
113
|
+
132 84 21022 521e 129 81
|
114
|
+
131 83 21022 521e 25 19
|
115
|
+
148 94 21022 521e 1 1
|
116
|
+
145 91 21022 521e 1 1
|
117
|
+
|
118
|
+
### PE Header
|
119
|
+
|
120
|
+
# pedump --pe calc.exe
|
121
|
+
|
122
|
+
=== PE Header ===
|
123
|
+
|
124
|
+
signature: "PE\x00\x00"
|
125
|
+
|
126
|
+
# IMAGE_FILE_HEADER:
|
127
|
+
Machine: 332 0x14c x86
|
128
|
+
NumberOfSections: 4 4
|
129
|
+
TimeDateStamp: "2008-09-14 11:28:52"
|
130
|
+
PointerToSymbolTable: 0 0
|
131
|
+
NumberOfSymbols: 0 0
|
132
|
+
SizeOfOptionalHeader: 224 0xe0
|
133
|
+
Characteristics: 258 0x102 EXECUTABLE_IMAGE, 32BIT_MACHINE
|
134
|
+
|
135
|
+
# IMAGE_OPTIONAL_HEADER32:
|
136
|
+
Magic: 267 0x10b 32-bit executable
|
137
|
+
LinkerVersion: 9.0
|
138
|
+
SizeOfCode: 305664 0x4aa00
|
139
|
+
SizeOfInitializedData: 340480 0x53200
|
140
|
+
SizeOfUninitializedData: 0 0
|
141
|
+
AddressOfEntryPoint: 230155 0x3830b
|
142
|
+
BaseOfCode: 4096 0x1000
|
143
|
+
BaseOfData: 311296 0x4c000
|
144
|
+
ImageBase: 16777216 0x1000000
|
145
|
+
SectionAlignment: 4096 0x1000
|
146
|
+
FileAlignment: 512 0x200
|
147
|
+
OperatingSystemVersion: 5.1
|
148
|
+
ImageVersion: 5.256
|
149
|
+
SubsystemVersion: 5.1
|
150
|
+
Reserved1: 0 0
|
151
|
+
SizeOfImage: 659456 0xa1000
|
152
|
+
SizeOfHeaders: 1024 0x400
|
153
|
+
CheckSum: 690555 0xa897b
|
154
|
+
Subsystem: 2 2 WINDOWS_GUI
|
155
|
+
DllCharacteristics: 33088 0x8140 DYNAMIC_BASE, NX_COMPAT
|
156
|
+
TERMINAL_SERVER_AWARE
|
157
|
+
SizeOfStackReserve: 262144 0x40000
|
158
|
+
SizeOfStackCommit: 8192 0x2000
|
159
|
+
SizeOfHeapReserve: 1048576 0x100000
|
160
|
+
SizeOfHeapCommit: 4096 0x1000
|
161
|
+
LoaderFlags: 0 0
|
162
|
+
NumberOfRvaAndSizes: 16 0x10
|
163
|
+
|
164
|
+
### Data Directory
|
165
|
+
|
166
|
+
# pedump --data-directory calc.exe
|
167
|
+
|
168
|
+
=== DATA DIRECTORY ===
|
169
|
+
|
170
|
+
EXPORT rva:0x 0 size:0x 0
|
171
|
+
IMPORT rva:0x 49c1c size:0x 12c
|
172
|
+
RESOURCE rva:0x 51000 size:0x 4ab07
|
173
|
+
EXCEPTION rva:0x 0 size:0x 0
|
174
|
+
SECURITY rva:0x 0 size:0x 0
|
175
|
+
BASERELOC rva:0x 9c000 size:0x 3588
|
176
|
+
DEBUG rva:0x 1610 size:0x 1c
|
177
|
+
ARCHITECTURE rva:0x 0 size:0x 0
|
178
|
+
GLOBALPTR rva:0x 0 size:0x 0
|
179
|
+
TLS rva:0x 0 size:0x 0
|
180
|
+
LOAD_CONFIG rva:0x 3d78 size:0x 40
|
181
|
+
Bound_IAT rva:0x 280 size:0x 12c
|
182
|
+
IAT rva:0x 1000 size:0x 594
|
183
|
+
Delay_IAT rva:0x 49bac size:0x 40
|
184
|
+
CLR_Header rva:0x 0 size:0x 0
|
185
|
+
rva:0x 0 size:0x 0
|
186
|
+
|
187
|
+
### Sections
|
188
|
+
|
189
|
+
# pedump --sections calc.exe
|
190
|
+
|
191
|
+
=== SECTIONS ===
|
192
|
+
|
193
|
+
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
|
194
|
+
.text 1000 4a99a 4aa00 400 0 0 0 0 60000020 R-X CODE
|
195
|
+
.data 4c000 431c 3000 4ae00 0 0 0 0 c0000040 RW- IDATA
|
196
|
+
.rsrc 51000 4ab07 4ac00 4de00 0 0 0 0 40000040 R-- IDATA
|
197
|
+
.reloc 9c000 41f6 4200 98a00 0 0 0 0 42000040 R-- IDATA DISCARDABLE
|
198
|
+
|
199
|
+
### Resources
|
200
|
+
|
201
|
+
# pedump --resources calc.exe
|
202
|
+
|
203
|
+
=== RESOURCES ===
|
204
|
+
|
205
|
+
FILE_OFFSET CP LANG SIZE TYPE NAME
|
206
|
+
0x4ec84 0 0x409 7465 IMAGE #157
|
207
|
+
0x509b0 0 0x409 4086 IMAGE #165
|
208
|
+
0x519a8 0 0x409 4234 IMAGE #170
|
209
|
+
0x52a34 0 0x409 4625 IMAGE #175
|
210
|
+
0x53c48 0 0x409 4873 IMAGE #180
|
211
|
+
0x54f54 0 0x409 3048 IMAGE #204
|
212
|
+
0x55b3c 0 0x409 3052 IMAGE #208
|
213
|
+
0x56728 0 0x409 3217 IMAGE #212
|
214
|
+
0x573bc 0 0x409 3338 IMAGE #216
|
215
|
+
0x580c8 0 0x409 4191 IMAGE #217
|
216
|
+
0x59128 0 0x409 4229 IMAGE #218
|
217
|
+
0x5a1b0 0 0x409 4110 IMAGE #219
|
218
|
+
0x5b1c0 0 0x409 4065 IMAGE #220
|
219
|
+
0x5c1a4 0 0x409 3235 IMAGE #961
|
220
|
+
0x5ce48 0 0x409 470 IMAGE #981
|
221
|
+
0x5d020 0 0x409 587 IMAGE #982
|
222
|
+
0x5d26c 0 0x409 518 IMAGE #983
|
223
|
+
0x5d474 0 0x409 5344 IMAGE #3000
|
224
|
+
0x5e954 0 0x409 4154 IMAGE #3015
|
225
|
+
0x5f990 0 0x409 4815 IMAGE #3045
|
226
|
+
0x60c60 0 0x409 6038 IMAGE #3051
|
227
|
+
0x623f8 0 0x409 4290 IMAGE #3060
|
228
|
+
...
|
229
|
+
|
230
|
+
### Strings
|
231
|
+
|
232
|
+
# pedump --strings calc.exe.mui
|
233
|
+
|
234
|
+
=== STRINGS ===
|
235
|
+
|
236
|
+
ID ID LANG STRING
|
237
|
+
0 0 409 "+/-"
|
238
|
+
1 1 409 "C"
|
239
|
+
2 2 409 "CE"
|
240
|
+
3 3 409 "Backspace"
|
241
|
+
4 4 409 "."
|
242
|
+
6 6 409 "And"
|
243
|
+
7 7 409 "Or"
|
244
|
+
8 8 409 "Xor"
|
245
|
+
9 9 409 "Lsh"
|
246
|
+
10 a 409 "Rsh"
|
247
|
+
11 b 409 "/"
|
248
|
+
12 c 409 "*"
|
249
|
+
13 d 409 "+"
|
250
|
+
14 e 409 "-"
|
251
|
+
15 f 409 "Mod"
|
252
|
+
16 10 409 "R"
|
253
|
+
17 11 409 "^"
|
254
|
+
18 12 409 "Int"
|
255
|
+
19 13 409 "RoL"
|
256
|
+
20 14 409 "RoR"
|
257
|
+
21 15 409 "Not"
|
258
|
+
22 16 409 "sin"
|
259
|
+
...
|
260
|
+
|
261
|
+
### Imports
|
262
|
+
|
263
|
+
# pedump --imports zlib.dll
|
264
|
+
|
265
|
+
=== IMPORTS ===
|
266
|
+
|
267
|
+
MODULE_NAME HINT ORD FUNCTION_NAME
|
268
|
+
KERNEL32.dll e1 GetLastError
|
269
|
+
KERNEL32.dll 153 HeapAlloc
|
270
|
+
KERNEL32.dll 159 HeapFree
|
271
|
+
KERNEL32.dll 9f GetCommandLineA
|
272
|
+
KERNEL32.dll 103 GetProcAddress
|
273
|
+
KERNEL32.dll eb GetModuleHandleA
|
274
|
+
KERNEL32.dll 137 GetVersion
|
275
|
+
KERNEL32.dll 164 InitializeCriticalSection
|
276
|
+
KERNEL32.dll 44 DeleteCriticalSection
|
277
|
+
KERNEL32.dll 4f EnterCriticalSection
|
278
|
+
KERNEL32.dll 177 LeaveCriticalSection
|
279
|
+
KERNEL32.dll 1fa SetHandleCount
|
280
|
+
KERNEL32.dll dc GetFileType
|
281
|
+
KERNEL32.dll 116 GetStdHandle
|
282
|
+
KERNEL32.dll 114 GetStartupInfoA
|
283
|
+
KERNEL32.dll 155 HeapCreate
|
284
|
+
KERNEL32.dll 157 HeapDestroy
|
285
|
+
KERNEL32.dll c7 GetCurrentThreadId
|
286
|
+
KERNEL32.dll 222 TlsSetValue
|
287
|
+
KERNEL32.dll 21f TlsAlloc
|
288
|
+
KERNEL32.dll 220 TlsFree
|
289
|
+
KERNEL32.dll 1fd SetLastError
|
290
|
+
KERNEL32.dll 221 TlsGetValue
|
291
|
+
KERNEL32.dll 62 ExitProcess
|
292
|
+
KERNEL32.dll 1b8 ReadFile
|
293
|
+
KERNEL32.dll 16 CloseHandle
|
294
|
+
KERNEL32.dll 24f WriteFile
|
295
|
+
KERNEL32.dll 83 FlushFileBuffers
|
296
|
+
KERNEL32.dll e9 GetModuleFileNameA
|
297
|
+
KERNEL32.dll 98 GetCPInfo
|
298
|
+
KERNEL32.dll 92 GetACP
|
299
|
+
KERNEL32.dll f6 GetOEMCP
|
300
|
+
KERNEL32.dll 8b FreeEnvironmentStringsA
|
301
|
+
KERNEL32.dll d0 GetEnvironmentStrings
|
302
|
+
KERNEL32.dll 8c FreeEnvironmentStringsW
|
303
|
+
KERNEL32.dll d2 GetEnvironmentStringsW
|
304
|
+
KERNEL32.dll 242 WideCharToMultiByte
|
305
|
+
KERNEL32.dll 2b CreateFileA
|
306
|
+
KERNEL32.dll 1f8 SetFilePointer
|
307
|
+
KERNEL32.dll 206 SetStdHandle
|
308
|
+
KERNEL32.dll 178 LoadLibraryA
|
309
|
+
KERNEL32.dll 1ef SetEndOfFile
|
310
|
+
|
311
|
+
### Exports
|
312
|
+
|
313
|
+
# pedump --exports zlib.dll
|
314
|
+
|
315
|
+
=== EXPORTS ===
|
316
|
+
|
317
|
+
# module "zlib.dll"
|
318
|
+
# flags=0x0 ts="1996-05-07 12:46:46" version=0.0 ord_base=1
|
319
|
+
# nFuncs=27 nNames=27
|
320
|
+
|
321
|
+
ORD ENTRY_VA NAME
|
322
|
+
1 76d0 adler32
|
323
|
+
2 2db0 compress
|
324
|
+
3 4aa0 crc32
|
325
|
+
4 3c90 deflate
|
326
|
+
5 4060 deflateCopy
|
327
|
+
6 3fd0 deflateEnd
|
328
|
+
7 37f0 deflateInit2_
|
329
|
+
8 37c0 deflateInit_
|
330
|
+
9 3bc0 deflateParams
|
331
|
+
10 3b40 deflateReset
|
332
|
+
11 3a40 deflateSetDictionary
|
333
|
+
12 7510 gzclose
|
334
|
+
13 6f00 gzdopen
|
335
|
+
14 75a0 gzerror
|
336
|
+
15 73f0 gzflush
|
337
|
+
16 6c50 gzopen
|
338
|
+
17 7190 gzread
|
339
|
+
18 7350 gzwrite
|
340
|
+
19 4e50 inflate
|
341
|
+
20 4cc0 inflateEnd
|
342
|
+
21 4d20 inflateInit2_
|
343
|
+
22 4e30 inflateInit_
|
344
|
+
23 4c70 inflateReset
|
345
|
+
24 5260 inflateSetDictionary
|
346
|
+
25 52f0 inflateSync
|
347
|
+
26 4bd0 uncompress
|
348
|
+
27 e340 zlib_version
|
349
|
+
|
350
|
+
### VS_VERSIONINFO parsing
|
351
|
+
|
352
|
+
# pedump --version-info calc.exe
|
353
|
+
|
354
|
+
=== VERSION INFO ===
|
355
|
+
|
356
|
+
# VS_FIXEDFILEINFO:
|
357
|
+
FileVersion : 6.1.6801.0
|
358
|
+
ProductVersion : 6.1.6801.0
|
359
|
+
StrucVersion : 0x10000
|
360
|
+
FileFlagsMask : 0x3f
|
361
|
+
FileFlags : 0
|
362
|
+
FileOS : 0x40004
|
363
|
+
FileType : 1
|
364
|
+
FileSubtype : 0
|
365
|
+
|
366
|
+
# StringTable 040904B0:
|
367
|
+
CompanyName : "Microsoft Corporation"
|
368
|
+
FileDescription : "Windows Calculator"
|
369
|
+
FileVersion : "6.1.6801.0 (winmain_win7m3.080913-2030)"
|
370
|
+
InternalName : "CALC"
|
371
|
+
LegalCopyright : "© Microsoft Corporation. All rights reserved."
|
372
|
+
OriginalFilename : "CALC.EXE"
|
373
|
+
ProductName : "Microsoft® Windows® Operating System"
|
374
|
+
ProductVersion : "6.1.6801.0"
|
375
|
+
|
376
|
+
VarFileInfo : [ 0x409, 0x4b0 ]
|
377
|
+
|
378
|
+
### Packer / Compiler detection
|
379
|
+
|
380
|
+
# pedump --packer zlib.dll
|
381
|
+
|
382
|
+
=== Packer / Compiler ===
|
383
|
+
|
384
|
+
MS Visual C v2.0
|
385
|
+
|
386
|
+
#### pedump can mimic 'file' command output:
|
387
|
+
|
388
|
+
#pedump --packer-only -qqq samples/*
|
389
|
+
|
390
|
+
samples/StringLoader.dll: Microsoft Visual C++ 6.0 DLL (Debug)
|
391
|
+
samples/control.exe: ASPack v2.12
|
392
|
+
samples/gms_v1_0_3.exe: UPX 2.90 [LZMA] (Markus Oberhumer, Laszlo Molnar & John Reiser)
|
393
|
+
samples/unpackme.exe: ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
|
394
|
+
samples/zlib.dll: Microsoft Visual C v2.0
|
395
|
+
|
54
396
|
License
|
55
397
|
-------
|
56
398
|
Released under the MIT License. See the [LICENSE](https://github.com/zed-0xff/pedump/blob/master/LICENSE.txt) file for further details.
|
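Review bot: the sample commands use a `#` prompt (`# pedump --mz calc.exe`) whereas README.md.tpl uses `%`, and `#pedump --packer-only -qqq samples/*` has no space at all, so it reads as a shell comment when copied; use one non-root prompt consistently. The same detection is named differently in two modes, `MS Visual C v2.0` under `--packer` versus `samples/zlib.dll: Microsoft Visual C v2.0` under `--packer-only`, so one signature text should be used for both. In the DATA DIRECTORY sample the sixteenth row prints with an empty name (`rva:0x 0 size:0x 0`); label it (index 15 is the reserved entry of the PE data directory) or skip it so the table has no nameless row.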
data/README.md.tpl
CHANGED
@@ -14,8 +14,9 @@ A pure ruby implementation of win32 PE binary files dumper, including:
|
|
14
14
|
* Resources
|
15
15
|
* Strings
|
16
16
|
* Imports & Exports
|
17
|
+
* VS_VERSIONINFO parsing
|
17
18
|
* PE Packer/Compiler detection
|
18
|
-
* a
|
19
|
+
* a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
|
19
20
|
|
20
21
|
Installation
|
21
22
|
------------
|
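Review bot: `a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff` needs `PEs` and `nice HTML tables`; more importantly the upload goes to a third-party site over plain `http://`, so the README should say that the binary leaves the user's machine unencrypted and that the feature is not meant for confidential or internal samples. README.md carries the identical bullet, so it is presumably rendered from this template; fix the wording here so the change survives regeneration.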
@@ -28,7 +29,61 @@ Usage
|
|
28
29
|
|
29
30
|
### MZ Header
|
30
31
|
|
31
|
-
% pedump --mz
|
32
|
+
% pedump --mz calc.exe
|
33
|
+
|
34
|
+
### DOS stub
|
35
|
+
|
36
|
+
% pedump --dos-stub calc.exe
|
37
|
+
|
38
|
+
### 'Rich' Header
|
39
|
+
|
40
|
+
% pedump --rich calc.exe
|
41
|
+
|
42
|
+
### PE Header
|
43
|
+
|
44
|
+
% pedump --pe calc.exe
|
45
|
+
|
46
|
+
### Data Directory
|
47
|
+
|
48
|
+
% pedump --data-directory calc.exe
|
49
|
+
|
50
|
+
### Sections
|
51
|
+
|
52
|
+
% pedump --sections calc.exe
|
53
|
+
|
54
|
+
### Resources
|
55
|
+
|
56
|
+
% pedump --resources calc.exe
|
57
|
+
|
58
|
+
### Strings
|
59
|
+
|
60
|
+
% pedump --strings calc.exe.mui
|
61
|
+
|
62
|
+
### Imports
|
63
|
+
|
64
|
+
% pedump --imports zlib.dll
|
65
|
+
|
66
|
+
### Exports
|
67
|
+
|
68
|
+
% pedump --exports zlib.dll
|
69
|
+
|
70
|
+
### VS_VERSIONINFO parsing
|
71
|
+
|
72
|
+
% pedump --version-info calc.exe
|
73
|
+
|
74
|
+
### Packer / Compiler detection
|
75
|
+
|
76
|
+
% pedump --packer zlib.dll
|
77
|
+
|
78
|
+
#### pedump can mimic 'file' command output:
|
79
|
+
|
80
|
+
#pedump --packer-only -qqq samples/*
|
81
|
+
|
82
|
+
samples/StringLoader.dll: Microsoft Visual C++ 6.0 DLL (Debug)
|
83
|
+
samples/control.exe: ASPack v2.12
|
84
|
+
samples/gms_v1_0_3.exe: UPX 2.90 [LZMA] (Markus Oberhumer, Laszlo Molnar & John Reiser)
|
85
|
+
samples/unpackme.exe: ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
|
86
|
+
samples/zlib.dll: Microsoft Visual C v2.0
|
32
87
|
|
33
88
|
License
|
34
89
|
-------
|
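Review bot: `#pedump --packer-only -qqq samples/*` breaks the `% ` prompt convention used by every other command in this hunk and, without the space, reads as a comment when copied; write it `% pedump --packer-only -qqq samples/*`. Also `% pedump --strings calc.exe.mui` is the only command run against the `.mui` file rather than `calc.exe`; a one-line remark that the string table of a localized Windows binary lives in its MUI resource file would tell readers why a different sample is used there.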