pedump 0.3.3 → 0.4.0

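--- a/data/Gemfile
+++ b/data/Gemfile
@@ -12,4 +12,5 @@ group :development do
  gem "bundler", "~> 1.0.0"
  gem "jeweler", "~> 1.6.4"
  gem "rcov", ">= 0"
+ gem "awesome_print"
  end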
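Review bot: The new development dependency `gem "awesome_print"` is added without any version constraint, while every sibling entry in this `group :development` block carries one (`"~> 1.0.0"`, `"~> 1.6.4"`, `">= 0"`). An unconstrained gem lets a future `bundle update` pull in any release, which makes the development environment less reproducible and widens what a compromised or breaking upstream release can introduce into contributor machines. The lockfile hunk below resolves it to 0.4.0, so pinning to the range actually tested keeps the two consistent: `gem "awesome_print", "~> 0.4.0"`. It is not visible on this page whether any code or task in the repository actually requires awesome_print; if it is only used for ad-hoc console inspection, a comment saying so would help the next maintainer decide whether it belongs in the Gemfile at all.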
@@ -1,6 +1,7 @@
1
1
  GEM
2
2
  remote: http://rubygems.org/
3
3
  specs:
4
+ awesome_print (0.4.0)
4
5
  diff-lcs (1.1.3)
5
6
  git (1.2.5)
6
7
  jeweler (1.6.4)
@@ -24,6 +25,7 @@ PLATFORMS
24
25
  ruby
25
26
 
26
27
  DEPENDENCIES
28
+ awesome_print
27
29
  bundler (~> 1.0.0)
28
30
  jeweler (~> 1.6.4)
29
31
  multipart-post (~> 1.1.4)
data/README.md CHANGED
@@ -14,19 +14,25 @@ A pure ruby implementation of win32 PE binary files dumper, including:
14
14
  * Resources
15
15
  * Strings
16
16
  * Imports & Exports
17
+ * VS_VERSIONINFO parsing
17
18
  * PE Packer/Compiler detection
18
- * a conventient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
19
+ * a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
19
20
 
20
21
  Installation
21
22
  ------------
22
23
  gem install pedump
23
24
 
24
- Usage and documentation
25
- -----------------------
25
+ Usage
26
+ -----
27
+
28
+ # pedump -h
26
29
 
27
30
  Usage: pedump [options]
28
- -V, --version Print version information and exit
29
- -v, --[no-]verbose Run verbosely
31
+ --version Print version information and exit
32
+ -v, --verbose Run verbosely
33
+ (can be used multiple times)
34
+ -q, --quiet Silent any warnings
35
+ (can be used multiple times)
30
36
  -F, --force Try to dump by all means
31
37
  (can cause exceptions & heavy wounds)
32
38
  -f, --format FORMAT Output format: bin,c,dump,hex,inspect,table
@@ -36,13 +42,15 @@ Usage and documentation
36
42
  --rich
37
43
  --pe
38
44
  --data-directory
39
- --sections
40
- --strings
41
- --resources
45
+ -S, --sections
46
+ -s, --strings
47
+ -R, --resources
42
48
  --resource-directory
43
- --imports
44
- --exports
49
+ -I, --imports
50
+ -E, --exports
51
+ -V, --version-info
45
52
  --packer
53
+ --deep packer deep scan, significantly slower
46
54
  -P, --packer-only packer/compiler detect only,
47
55
  mimics 'file' command output
48
56
  --all Dump all but resource-directory (default)
@@ -51,6 +59,340 @@ Usage and documentation
51
59
  for a nice HTML tables with image previews,
52
60
  candies & stuff
53
61
 
62
+ ### MZ Header
63
+
64
+ # pedump --mz calc.exe
65
+
66
+ === MZ Header ===
67
+
68
+ signature: "MZ"
69
+ bytes_in_last_block: 144 0x90
70
+ blocks_in_file: 3 3
71
+ num_relocs: 0 0
72
+ header_paragraphs: 4 4
73
+ min_extra_paragraphs: 0 0
74
+ max_extra_paragraphs: 65535 0xffff
75
+ ss: 0 0
76
+ sp: 184 0xb8
77
+ checksum: 0 0
78
+ ip: 0 0
79
+ cs: 0 0
80
+ reloc_table_offset: 64 0x40
81
+ overlay_number: 0 0
82
+ reserved0: 0 0
83
+ oem_id: 0 0
84
+ oem_info: 0 0
85
+ reserved2: 0 0
86
+ reserved3: 0 0
87
+ reserved4: 0 0
88
+ reserved5: 0 0
89
+ reserved6: 0 0
90
+ lfanew: 232 0xe8
91
+
92
+ ### DOS stub
93
+
94
+ # pedump --dos-stub calc.exe
95
+
96
+ === DOS STUB ===
97
+
98
+ 00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
99
+ 00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
100
+ 00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
101
+ 00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
102
+
103
+ ### 'Rich' Header
104
+
105
+ # pedump --rich calc.exe
106
+
107
+ === RICH Header ===
108
+
109
+ LIB_ID VERSION TIMES_USED
110
+ 149 95 21022 521e 9 9
111
+ 1 1 0 0 367 16f
112
+ 147 93 21022 521e 29 1d
113
+ 132 84 21022 521e 129 81
114
+ 131 83 21022 521e 25 19
115
+ 148 94 21022 521e 1 1
116
+ 145 91 21022 521e 1 1
117
+
118
+ ### PE Header
119
+
120
+ # pedump --pe calc.exe
121
+
122
+ === PE Header ===
123
+
124
+ signature: "PE\x00\x00"
125
+
126
+ # IMAGE_FILE_HEADER:
127
+ Machine: 332 0x14c x86
128
+ NumberOfSections: 4 4
129
+ TimeDateStamp: "2008-09-14 11:28:52"
130
+ PointerToSymbolTable: 0 0
131
+ NumberOfSymbols: 0 0
132
+ SizeOfOptionalHeader: 224 0xe0
133
+ Characteristics: 258 0x102 EXECUTABLE_IMAGE, 32BIT_MACHINE
134
+
135
+ # IMAGE_OPTIONAL_HEADER32:
136
+ Magic: 267 0x10b 32-bit executable
137
+ LinkerVersion: 9.0
138
+ SizeOfCode: 305664 0x4aa00
139
+ SizeOfInitializedData: 340480 0x53200
140
+ SizeOfUninitializedData: 0 0
141
+ AddressOfEntryPoint: 230155 0x3830b
142
+ BaseOfCode: 4096 0x1000
143
+ BaseOfData: 311296 0x4c000
144
+ ImageBase: 16777216 0x1000000
145
+ SectionAlignment: 4096 0x1000
146
+ FileAlignment: 512 0x200
147
+ OperatingSystemVersion: 5.1
148
+ ImageVersion: 5.256
149
+ SubsystemVersion: 5.1
150
+ Reserved1: 0 0
151
+ SizeOfImage: 659456 0xa1000
152
+ SizeOfHeaders: 1024 0x400
153
+ CheckSum: 690555 0xa897b
154
+ Subsystem: 2 2 WINDOWS_GUI
155
+ DllCharacteristics: 33088 0x8140 DYNAMIC_BASE, NX_COMPAT
156
+ TERMINAL_SERVER_AWARE
157
+ SizeOfStackReserve: 262144 0x40000
158
+ SizeOfStackCommit: 8192 0x2000
159
+ SizeOfHeapReserve: 1048576 0x100000
160
+ SizeOfHeapCommit: 4096 0x1000
161
+ LoaderFlags: 0 0
162
+ NumberOfRvaAndSizes: 16 0x10
163
+
164
+ ### Data Directory
165
+
166
+ # pedump --data-directory calc.exe
167
+
168
+ === DATA DIRECTORY ===
169
+
170
+ EXPORT rva:0x 0 size:0x 0
171
+ IMPORT rva:0x 49c1c size:0x 12c
172
+ RESOURCE rva:0x 51000 size:0x 4ab07
173
+ EXCEPTION rva:0x 0 size:0x 0
174
+ SECURITY rva:0x 0 size:0x 0
175
+ BASERELOC rva:0x 9c000 size:0x 3588
176
+ DEBUG rva:0x 1610 size:0x 1c
177
+ ARCHITECTURE rva:0x 0 size:0x 0
178
+ GLOBALPTR rva:0x 0 size:0x 0
179
+ TLS rva:0x 0 size:0x 0
180
+ LOAD_CONFIG rva:0x 3d78 size:0x 40
181
+ Bound_IAT rva:0x 280 size:0x 12c
182
+ IAT rva:0x 1000 size:0x 594
183
+ Delay_IAT rva:0x 49bac size:0x 40
184
+ CLR_Header rva:0x 0 size:0x 0
185
+ rva:0x 0 size:0x 0
186
+
187
+ ### Sections
188
+
189
+ # pedump --sections calc.exe
190
+
191
+ === SECTIONS ===
192
+
193
+ NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
194
+ .text 1000 4a99a 4aa00 400 0 0 0 0 60000020 R-X CODE
195
+ .data 4c000 431c 3000 4ae00 0 0 0 0 c0000040 RW- IDATA
196
+ .rsrc 51000 4ab07 4ac00 4de00 0 0 0 0 40000040 R-- IDATA
197
+ .reloc 9c000 41f6 4200 98a00 0 0 0 0 42000040 R-- IDATA DISCARDABLE
198
+
199
+ ### Resources
200
+
201
+ # pedump --resources calc.exe
202
+
203
+ === RESOURCES ===
204
+
205
+ FILE_OFFSET CP LANG SIZE TYPE NAME
206
+ 0x4ec84 0 0x409 7465 IMAGE #157
207
+ 0x509b0 0 0x409 4086 IMAGE #165
208
+ 0x519a8 0 0x409 4234 IMAGE #170
209
+ 0x52a34 0 0x409 4625 IMAGE #175
210
+ 0x53c48 0 0x409 4873 IMAGE #180
211
+ 0x54f54 0 0x409 3048 IMAGE #204
212
+ 0x55b3c 0 0x409 3052 IMAGE #208
213
+ 0x56728 0 0x409 3217 IMAGE #212
214
+ 0x573bc 0 0x409 3338 IMAGE #216
215
+ 0x580c8 0 0x409 4191 IMAGE #217
216
+ 0x59128 0 0x409 4229 IMAGE #218
217
+ 0x5a1b0 0 0x409 4110 IMAGE #219
218
+ 0x5b1c0 0 0x409 4065 IMAGE #220
219
+ 0x5c1a4 0 0x409 3235 IMAGE #961
220
+ 0x5ce48 0 0x409 470 IMAGE #981
221
+ 0x5d020 0 0x409 587 IMAGE #982
222
+ 0x5d26c 0 0x409 518 IMAGE #983
223
+ 0x5d474 0 0x409 5344 IMAGE #3000
224
+ 0x5e954 0 0x409 4154 IMAGE #3015
225
+ 0x5f990 0 0x409 4815 IMAGE #3045
226
+ 0x60c60 0 0x409 6038 IMAGE #3051
227
+ 0x623f8 0 0x409 4290 IMAGE #3060
228
+ ...
229
+
230
+ ### Strings
231
+
232
+ # pedump --strings calc.exe.mui
233
+
234
+ === STRINGS ===
235
+
236
+ ID ID LANG STRING
237
+ 0 0 409 "+/-"
238
+ 1 1 409 "C"
239
+ 2 2 409 "CE"
240
+ 3 3 409 "Backspace"
241
+ 4 4 409 "."
242
+ 6 6 409 "And"
243
+ 7 7 409 "Or"
244
+ 8 8 409 "Xor"
245
+ 9 9 409 "Lsh"
246
+ 10 a 409 "Rsh"
247
+ 11 b 409 "/"
248
+ 12 c 409 "*"
249
+ 13 d 409 "+"
250
+ 14 e 409 "-"
251
+ 15 f 409 "Mod"
252
+ 16 10 409 "R"
253
+ 17 11 409 "^"
254
+ 18 12 409 "Int"
255
+ 19 13 409 "RoL"
256
+ 20 14 409 "RoR"
257
+ 21 15 409 "Not"
258
+ 22 16 409 "sin"
259
+ ...
260
+
261
+ ### Imports
262
+
263
+ # pedump --imports zlib.dll
264
+
265
+ === IMPORTS ===
266
+
267
+ MODULE_NAME HINT ORD FUNCTION_NAME
268
+ KERNEL32.dll e1 GetLastError
269
+ KERNEL32.dll 153 HeapAlloc
270
+ KERNEL32.dll 159 HeapFree
271
+ KERNEL32.dll 9f GetCommandLineA
272
+ KERNEL32.dll 103 GetProcAddress
273
+ KERNEL32.dll eb GetModuleHandleA
274
+ KERNEL32.dll 137 GetVersion
275
+ KERNEL32.dll 164 InitializeCriticalSection
276
+ KERNEL32.dll 44 DeleteCriticalSection
277
+ KERNEL32.dll 4f EnterCriticalSection
278
+ KERNEL32.dll 177 LeaveCriticalSection
279
+ KERNEL32.dll 1fa SetHandleCount
280
+ KERNEL32.dll dc GetFileType
281
+ KERNEL32.dll 116 GetStdHandle
282
+ KERNEL32.dll 114 GetStartupInfoA
283
+ KERNEL32.dll 155 HeapCreate
284
+ KERNEL32.dll 157 HeapDestroy
285
+ KERNEL32.dll c7 GetCurrentThreadId
286
+ KERNEL32.dll 222 TlsSetValue
287
+ KERNEL32.dll 21f TlsAlloc
288
+ KERNEL32.dll 220 TlsFree
289
+ KERNEL32.dll 1fd SetLastError
290
+ KERNEL32.dll 221 TlsGetValue
291
+ KERNEL32.dll 62 ExitProcess
292
+ KERNEL32.dll 1b8 ReadFile
293
+ KERNEL32.dll 16 CloseHandle
294
+ KERNEL32.dll 24f WriteFile
295
+ KERNEL32.dll 83 FlushFileBuffers
296
+ KERNEL32.dll e9 GetModuleFileNameA
297
+ KERNEL32.dll 98 GetCPInfo
298
+ KERNEL32.dll 92 GetACP
299
+ KERNEL32.dll f6 GetOEMCP
300
+ KERNEL32.dll 8b FreeEnvironmentStringsA
301
+ KERNEL32.dll d0 GetEnvironmentStrings
302
+ KERNEL32.dll 8c FreeEnvironmentStringsW
303
+ KERNEL32.dll d2 GetEnvironmentStringsW
304
+ KERNEL32.dll 242 WideCharToMultiByte
305
+ KERNEL32.dll 2b CreateFileA
306
+ KERNEL32.dll 1f8 SetFilePointer
307
+ KERNEL32.dll 206 SetStdHandle
308
+ KERNEL32.dll 178 LoadLibraryA
309
+ KERNEL32.dll 1ef SetEndOfFile
310
+
311
+ ### Exports
312
+
313
+ # pedump --exports zlib.dll
314
+
315
+ === EXPORTS ===
316
+
317
+ # module "zlib.dll"
318
+ # flags=0x0 ts="1996-05-07 12:46:46" version=0.0 ord_base=1
319
+ # nFuncs=27 nNames=27
320
+
321
+ ORD ENTRY_VA NAME
322
+ 1 76d0 adler32
323
+ 2 2db0 compress
324
+ 3 4aa0 crc32
325
+ 4 3c90 deflate
326
+ 5 4060 deflateCopy
327
+ 6 3fd0 deflateEnd
328
+ 7 37f0 deflateInit2_
329
+ 8 37c0 deflateInit_
330
+ 9 3bc0 deflateParams
331
+ 10 3b40 deflateReset
332
+ 11 3a40 deflateSetDictionary
333
+ 12 7510 gzclose
334
+ 13 6f00 gzdopen
335
+ 14 75a0 gzerror
336
+ 15 73f0 gzflush
337
+ 16 6c50 gzopen
338
+ 17 7190 gzread
339
+ 18 7350 gzwrite
340
+ 19 4e50 inflate
341
+ 20 4cc0 inflateEnd
342
+ 21 4d20 inflateInit2_
343
+ 22 4e30 inflateInit_
344
+ 23 4c70 inflateReset
345
+ 24 5260 inflateSetDictionary
346
+ 25 52f0 inflateSync
347
+ 26 4bd0 uncompress
348
+ 27 e340 zlib_version
349
+
350
+ ### VS_VERSIONINFO parsing
351
+
352
+ # pedump --version-info calc.exe
353
+
354
+ === VERSION INFO ===
355
+
356
+ # VS_FIXEDFILEINFO:
357
+ FileVersion : 6.1.6801.0
358
+ ProductVersion : 6.1.6801.0
359
+ StrucVersion : 0x10000
360
+ FileFlagsMask : 0x3f
361
+ FileFlags : 0
362
+ FileOS : 0x40004
363
+ FileType : 1
364
+ FileSubtype : 0
365
+
366
+ # StringTable 040904B0:
367
+ CompanyName : "Microsoft Corporation"
368
+ FileDescription : "Windows Calculator"
369
+ FileVersion : "6.1.6801.0 (winmain_win7m3.080913-2030)"
370
+ InternalName : "CALC"
371
+ LegalCopyright : "© Microsoft Corporation. All rights reserved."
372
+ OriginalFilename : "CALC.EXE"
373
+ ProductName : "Microsoft® Windows® Operating System"
374
+ ProductVersion : "6.1.6801.0"
375
+
376
+ VarFileInfo : [ 0x409, 0x4b0 ]
377
+
378
+ ### Packer / Compiler detection
379
+
380
+ # pedump --packer zlib.dll
381
+
382
+ === Packer / Compiler ===
383
+
384
+ MS Visual C v2.0
385
+
386
+ #### pedump can mimic 'file' command output:
387
+
388
+ #pedump --packer-only -qqq samples/*
389
+
390
+ samples/StringLoader.dll: Microsoft Visual C++ 6.0 DLL (Debug)
391
+ samples/control.exe: ASPack v2.12
392
+ samples/gms_v1_0_3.exe: UPX 2.90 [LZMA] (Markus Oberhumer, Laszlo Molnar & John Reiser)
393
+ samples/unpackme.exe: ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
394
+ samples/zlib.dll: Microsoft Visual C v2.0
395
+
54
396
  License
55
397
  -------
56
398
  Released under the MIT License. See the [LICENSE](https://github.com/zed-0xff/pedump/blob/master/LICENSE.txt) file for further details.
@@ -14,8 +14,9 @@ A pure ruby implementation of win32 PE binary files dumper, including:
14
14
  * Resources
15
15
  * Strings
16
16
  * Imports & Exports
17
+ * VS_VERSIONINFO parsing
17
18
  * PE Packer/Compiler detection
18
- * a conventient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
19
+ * a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
19
20
 
20
21
  Installation
21
22
  ------------
@@ -28,7 +29,61 @@ Usage
28
29
 
29
30
  ### MZ Header
30
31
 
31
- % pedump --mz
32
+ % pedump --mz calc.exe
33
+
34
+ ### DOS stub
35
+
36
+ % pedump --dos-stub calc.exe
37
+
38
+ ### 'Rich' Header
39
+
40
+ % pedump --rich calc.exe
41
+
42
+ ### PE Header
43
+
44
+ % pedump --pe calc.exe
45
+
46
+ ### Data Directory
47
+
48
+ % pedump --data-directory calc.exe
49
+
50
+ ### Sections
51
+
52
+ % pedump --sections calc.exe
53
+
54
+ ### Resources
55
+
56
+ % pedump --resources calc.exe
57
+
58
+ ### Strings
59
+
60
+ % pedump --strings calc.exe.mui
61
+
62
+ ### Imports
63
+
64
+ % pedump --imports zlib.dll
65
+
66
+ ### Exports
67
+
68
+ % pedump --exports zlib.dll
69
+
70
+ ### VS_VERSIONINFO parsing
71
+
72
+ % pedump --version-info calc.exe
73
+
74
+ ### Packer / Compiler detection
75
+
76
+ % pedump --packer zlib.dll
77
+
78
+ #### pedump can mimic 'file' command output:
79
+
80
+ #pedump --packer-only -qqq samples/*
81
+
82
+ samples/StringLoader.dll: Microsoft Visual C++ 6.0 DLL (Debug)
83
+ samples/control.exe: ASPack v2.12
84
+ samples/gms_v1_0_3.exe: UPX 2.90 [LZMA] (Markus Oberhumer, Laszlo Molnar & John Reiser)
85
+ samples/unpackme.exe: ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
86
+ samples/zlib.dll: Microsoft Visual C v2.0
32
87
 
33
88
  License
34
89
  -------