pedump 0.4.1 → 0.4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/VERSION +1 -1
- data/lib/pedump/packer.rb +1 -0
- data/lib/pedump/version.rb +1 -1
- data/lib/pedump.rb +37 -2
- data/pedump.gemspec +1 -1
- metadata +16 -16
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.4.
|
|
1
|
+
0.4.2
|
data/lib/pedump/packer.rb
CHANGED
data/lib/pedump/version.rb
CHANGED
data/lib/pedump.rb
CHANGED
|
@@ -226,6 +226,7 @@ class PEdump
|
|
|
226
226
|
cFORMAT = self.const_get 'FORMAT'
|
|
227
227
|
size ||= cSIZE
|
|
228
228
|
PEdump.logger.warn "[?] unusual size of IMAGE_OPTIONAL_HEADER = #{size} (must be #{usual_size})" if size != usual_size
|
|
229
|
+
PEdump.logger.warn "[?] #{size-usual_size} spare bytes after IMAGE_OPTIONAL_HEADER" if size > usual_size
|
|
229
230
|
new(*file.read([size,cSIZE].min).to_s.unpack(cFORMAT)).tap do |ioh|
|
|
230
231
|
ioh.DataDirectory = []
|
|
231
232
|
|
|
@@ -240,6 +241,9 @@ class PEdump
|
|
|
240
241
|
ioh.DataDirectory.last.type = IMAGE_DATA_DIRECTORY::TYPES[idx]
|
|
241
242
|
end
|
|
242
243
|
#ioh.DataDirectory.pop while ioh.DataDirectory.last.empty?
|
|
244
|
+
|
|
245
|
+
# skip spare bytes, if any. XXX may contain suspicious data
|
|
246
|
+
file.seek(size-usual_size, IO::SEEK_CUR) if size > usual_size
|
|
243
247
|
end
|
|
244
248
|
end
|
|
245
249
|
end
|
|
@@ -479,8 +483,24 @@ class PEdump
|
|
|
479
483
|
nToRead = 65535
|
|
480
484
|
end
|
|
481
485
|
end
|
|
482
|
-
pe.section_table =
|
|
483
|
-
|
|
486
|
+
pe.section_table = []
|
|
487
|
+
nToRead.times do
|
|
488
|
+
break if f.eof?
|
|
489
|
+
pe.section_table << IMAGE_SECTION_HEADER.read(f)
|
|
490
|
+
end
|
|
491
|
+
|
|
492
|
+
# if pe.section_table.empty?
|
|
493
|
+
# pe.section_table << IMAGE_SECTION_HEADER.new("")
|
|
494
|
+
# logger.warn "[?] no sections, appending empty one"
|
|
495
|
+
# end
|
|
496
|
+
|
|
497
|
+
if pe.section_table.any?
|
|
498
|
+
# zero all missing values of last section
|
|
499
|
+
pe.section_table.last.tap do |last_section|
|
|
500
|
+
last_section.each_pair do |k,v|
|
|
501
|
+
last_section[k] = 0 if v.nil?
|
|
502
|
+
end
|
|
503
|
+
end
|
|
484
504
|
end
|
|
485
505
|
end
|
|
486
506
|
end
|
|
@@ -731,12 +751,27 @@ class PEdump
|
|
|
731
751
|
return va - s.VirtualAddress + s.PointerToRawData
|
|
732
752
|
end
|
|
733
753
|
end
|
|
754
|
+
|
|
734
755
|
# not found with regular search. assume any of VirtualSize was 0, and try with RawSize
|
|
735
756
|
sections.each do |s|
|
|
736
757
|
if (s.VirtualAddress...(s.VirtualAddress+s.SizeOfRawData)).include?(va)
|
|
737
758
|
return va - s.VirtualAddress + s.PointerToRawData
|
|
738
759
|
end
|
|
739
760
|
end
|
|
761
|
+
|
|
762
|
+
# still not found, bad/zero VirtualSizes & RawSizes ?
|
|
763
|
+
|
|
764
|
+
# a special case - PE without sections
|
|
765
|
+
return va if sections.empty?
|
|
766
|
+
|
|
767
|
+
# check if only one section
|
|
768
|
+
if sections.size == 1 || sections.all?{ |s| s.VirtualAddress.to_i == 0 }
|
|
769
|
+
s = sections.first
|
|
770
|
+
return va - s.VirtualAddress + s.PointerToRawData
|
|
771
|
+
end
|
|
772
|
+
|
|
773
|
+
# TODO: not all VirtualAdresses == 0 case
|
|
774
|
+
|
|
740
775
|
logger.error "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)}"
|
|
741
776
|
nil
|
|
742
777
|
end
|
data/pedump.gemspec
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: pedump
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.2
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -13,7 +13,7 @@ date: 2011-12-19 00:00:00.000000000 Z
|
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: multipart-post
|
|
16
|
-
requirement: &
|
|
16
|
+
requirement: &70341710237060 !ruby/object:Gem::Requirement
|
|
17
17
|
none: false
|
|
18
18
|
requirements:
|
|
19
19
|
- - ~>
|
|
@@ -21,10 +21,10 @@ dependencies:
|
|
|
21
21
|
version: 1.1.4
|
|
22
22
|
type: :runtime
|
|
23
23
|
prerelease: false
|
|
24
|
-
version_requirements: *
|
|
24
|
+
version_requirements: *70341710237060
|
|
25
25
|
- !ruby/object:Gem::Dependency
|
|
26
26
|
name: progressbar
|
|
27
|
-
requirement: &
|
|
27
|
+
requirement: &70341710236340 !ruby/object:Gem::Requirement
|
|
28
28
|
none: false
|
|
29
29
|
requirements:
|
|
30
30
|
- - ~>
|
|
@@ -32,10 +32,10 @@ dependencies:
|
|
|
32
32
|
version: 0.9.2
|
|
33
33
|
type: :runtime
|
|
34
34
|
prerelease: false
|
|
35
|
-
version_requirements: *
|
|
35
|
+
version_requirements: *70341710236340
|
|
36
36
|
- !ruby/object:Gem::Dependency
|
|
37
37
|
name: rspec
|
|
38
|
-
requirement: &
|
|
38
|
+
requirement: &70341710257880 !ruby/object:Gem::Requirement
|
|
39
39
|
none: false
|
|
40
40
|
requirements:
|
|
41
41
|
- - ~>
|
|
@@ -43,10 +43,10 @@ dependencies:
|
|
|
43
43
|
version: 2.3.0
|
|
44
44
|
type: :development
|
|
45
45
|
prerelease: false
|
|
46
|
-
version_requirements: *
|
|
46
|
+
version_requirements: *70341710257880
|
|
47
47
|
- !ruby/object:Gem::Dependency
|
|
48
48
|
name: bundler
|
|
49
|
-
requirement: &
|
|
49
|
+
requirement: &70341710257240 !ruby/object:Gem::Requirement
|
|
50
50
|
none: false
|
|
51
51
|
requirements:
|
|
52
52
|
- - ~>
|
|
@@ -54,10 +54,10 @@ dependencies:
|
|
|
54
54
|
version: 1.0.0
|
|
55
55
|
type: :development
|
|
56
56
|
prerelease: false
|
|
57
|
-
version_requirements: *
|
|
57
|
+
version_requirements: *70341710257240
|
|
58
58
|
- !ruby/object:Gem::Dependency
|
|
59
59
|
name: jeweler
|
|
60
|
-
requirement: &
|
|
60
|
+
requirement: &70341710256380 !ruby/object:Gem::Requirement
|
|
61
61
|
none: false
|
|
62
62
|
requirements:
|
|
63
63
|
- - ~>
|
|
@@ -65,10 +65,10 @@ dependencies:
|
|
|
65
65
|
version: 1.6.4
|
|
66
66
|
type: :development
|
|
67
67
|
prerelease: false
|
|
68
|
-
version_requirements: *
|
|
68
|
+
version_requirements: *70341710256380
|
|
69
69
|
- !ruby/object:Gem::Dependency
|
|
70
70
|
name: rcov
|
|
71
|
-
requirement: &
|
|
71
|
+
requirement: &70341710255420 !ruby/object:Gem::Requirement
|
|
72
72
|
none: false
|
|
73
73
|
requirements:
|
|
74
74
|
- - ! '>='
|
|
@@ -76,10 +76,10 @@ dependencies:
|
|
|
76
76
|
version: '0'
|
|
77
77
|
type: :development
|
|
78
78
|
prerelease: false
|
|
79
|
-
version_requirements: *
|
|
79
|
+
version_requirements: *70341710255420
|
|
80
80
|
- !ruby/object:Gem::Dependency
|
|
81
81
|
name: awesome_print
|
|
82
|
-
requirement: &
|
|
82
|
+
requirement: &70341710253940 !ruby/object:Gem::Requirement
|
|
83
83
|
none: false
|
|
84
84
|
requirements:
|
|
85
85
|
- - ! '>='
|
|
@@ -87,7 +87,7 @@ dependencies:
|
|
|
87
87
|
version: '0'
|
|
88
88
|
type: :development
|
|
89
89
|
prerelease: false
|
|
90
|
-
version_requirements: *
|
|
90
|
+
version_requirements: *70341710253940
|
|
91
91
|
description: dump headers, sections, extract resources of win32 PE exe,dll,etc
|
|
92
92
|
email: zed.0xff@gmail.com
|
|
93
93
|
executables:
|
|
@@ -148,7 +148,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
148
148
|
version: '0'
|
|
149
149
|
segments:
|
|
150
150
|
- 0
|
|
151
|
-
hash:
|
|
151
|
+
hash: 1913101081356959317
|
|
152
152
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
153
153
|
none: false
|
|
154
154
|
requirements:
|