pedump 0.4.2 → 0.4.3

data/Rakefile

@@ -98,6 +98,17 @@ namespace :test do
       end
     end
   end
+
+  desc "test on corkami binaries"
+  task :corkami do
+      require './lib/pedump'
+      require './lib/pedump/cli'
+      path = "samples/corkami"
+      `find #{path} -type f`.split("\n").each do |fname|
+        STDERR.puts "\n### #{fname}\n"
+        PEdump::CLI.new(fname).run
+      end
+  end
 end
 
 def check_file url

data/VERSION

@@ -1 +1 @@
-0.4.2
+0.4.3

data/lib/pedump.rb

@@ -1,5 +1,8 @@
 #!/usr/bin/env ruby
 require 'logger'
+require 'stringio'
+require 'pedump/composite_io'
+require 'pedump/pe'
 require 'pedump/version'
 
 # pedump.rb by zed_0xff
@@ -135,22 +138,6 @@ class PEdump
     :lfanew
   )
 
-  class PE < Struct.new(
-    :signature,            # "PE\x00\x00"
-    :image_file_header,
-    :image_optional_header,
-    :section_table
-  )
-    alias :ifh :image_file_header
-    alias :ioh :image_optional_header
-    def x64?
-      ifh && ifh.Machine == 0x8664
-    end
-    def dll?
-      ifh && ifh.flags.include?('DLL')
-    end
-  end
-
   # http://msdn.microsoft.com/en-us/library/ms809762.aspx
   class IMAGE_FILE_HEADER < create_struct( 'v2V3v2',
     :Machine,              # w
@@ -307,6 +294,7 @@ class PEdump
   )
   class IMAGE_SECTION_HEADER
     alias :flags :Characteristics
+    alias :va    :VirtualAddress
     def flags_desc
       r = ''
       f = self.flags.to_i
@@ -455,54 +443,7 @@ class PEdump
           nil
         else
           f.seek pe_offset
-          pe_sig = f.read 4
-          logger.error "[!] 'NE' format is not supported!" if pe_sig == "NE\x00\x00"
-          if pe_sig != "PE\x00\x00"
-            if @force
-              logger.warn  "[?] no PE signature (want: 'PE\\x00\\x00', got: #{pe_sig.inspect})"
-            else
-              logger.error "[?] no PE signature (want: 'PE\\x00\\x00', got: #{pe_sig.inspect}). (not forced)"
-              return nil
-            end
-          end
-          PE.new(pe_sig).tap do |pe|
-            pe.image_file_header = IMAGE_FILE_HEADER.read(f)
-            if pe.ifh.SizeOfOptionalHeader > 0
-              if pe.x64?
-                pe.image_optional_header = IMAGE_OPTIONAL_HEADER64.read(f, pe.ifh.SizeOfOptionalHeader)
-              else
-                pe.image_optional_header = IMAGE_OPTIONAL_HEADER32.read(f, pe.ifh.SizeOfOptionalHeader)
-              end
-            end
-
-            if (nToRead=pe.ifh.NumberOfSections) > 0xffff
-              if @force.is_a?(Numeric) && @force > 1
-                logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). forced. reading all"
-              else
-                logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). not forced, reading first 65535"
-                nToRead = 65535
-              end
-            end
-            pe.section_table = []
-            nToRead.times do
-              break if f.eof?
-              pe.section_table << IMAGE_SECTION_HEADER.read(f)
-            end
-
-#            if pe.section_table.empty?
-#              pe.section_table << IMAGE_SECTION_HEADER.new("")
-#              logger.warn "[?] no sections, appending empty one"
-#            end
-
-            if pe.section_table.any?
-              # zero all missing values of last section
-              pe.section_table.last.tap do |last_section|
-                last_section.each_pair do |k,v|
-                  last_section[k] = 0 if v.nil?
-                end
-              end
-            end
-          end
+          PE.read f, :force => @force
         end
       end
   end
@@ -591,7 +532,12 @@ class PEdump
               ImportedFunction.new(nil,nil,t & (2**(bits-1)-1)) # 0x7fff_ffff(_ffff_ffff)
             elsif va=va2file(t)
               f.seek va
-              ImportedFunction.new(f.read(2).unpack('v').first, f.gets("\x00").chop)
+              if f.eof?
+                logger.warn "[?] import va 0x#{va.to_s(16)} beyond EOF"
+                nil
+              else
+                ImportedFunction.new(f.read(2).unpack('v').first, f.gets("\x00").chop)
+              end
             else
               nil
             end
@@ -632,34 +578,65 @@ class PEdump
     return @exports if @exports
     return nil unless pe(f) && pe(f).ioh && f
     dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::EXPORT]
-    return [] if !dir || (dir.va == 0 && dir.size == 0)
+    return nil if !dir || (dir.va == 0 && dir.size == 0)
     va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::EXPORT].va
     file_offset = va2file(va)
     return nil unless file_offset
     f.seek file_offset
+    if f.eof?
+      logger.info "[?] exports info beyond EOF"
+      return nil
+    end
     @exports = IMAGE_EXPORT_DIRECTORY.read(f).tap do |x|
       x.entry_points = []
       x.name_ordinals = []
       x.names = []
       if x.Name.to_i != 0 && (va = va2file(x.Name))
         f.seek va
-        x.name = f.gets("\x00").chop
+        if f.eof?
+          logger.warn "[?] export va 0x#{va.to_s(16)} beyond EOF"
+          nil
+        else
+          x.name = f.gets("\x00").chomp("\x00")
+        end
       end
       if x.NumberOfFunctions.to_i != 0
         if x.AddressOfFunctions.to_i !=0 && (va = va2file(x.AddressOfFunctions))
           f.seek va
-          x.entry_points = f.read(x.NumberOfFunctions*4).unpack('V*')
+          x.entry_points = []
+          x.NumberOfFunctions.times do
+            if f.eof?
+              logger.warn "[?] got EOF while reading exports entry_points"
+              break
+            end
+            x.entry_points << f.read(4).unpack('V').first
+          end
         end
         if x.AddressOfNameOrdinals.to_i !=0 && (va = va2file(x.AddressOfNameOrdinals))
           f.seek va
-          x.name_ordinals = f.read(x.NumberOfNames*2).unpack('v*').map{ |o| o+x.Base }
+          x.name_ordinals = []
+          x.NumberOfNames.times do
+            if f.eof?
+              logger.warn "[?] got EOF while reading exports name_ordinals"
+              break
+            end
+            x.name_ordinals << f.read(2).unpack('v').first + x.Base
+          end
         end
       end
       if x.NumberOfNames.to_i != 0 && x.AddressOfNames.to_i !=0 && (va = va2file(x.AddressOfNames))
         f.seek va
-        x.names = f.read(x.NumberOfNames*4).unpack('V*').map do |va|
+        x.names = []
+        x.NumberOfNames.times do
+          if f.eof?
+            logger.warn "[?] got EOF while reading exports names"
+            break
+          end
+          x.names << f.read(4).unpack('V').first
+        end
+        x.names.map! do |va|
           f.seek va2file(va)
-          f.gets("\x00").chop
+          f.gets("\x00").to_s.chomp("\x00")
         end
       end
     end
@@ -746,6 +723,8 @@ class PEdump
     :OffsetToData, :Size, :CodePage, :Reserved
 
   def va2file va
+    return nil if va.nil?
+
     sections.each do |s|
       if (s.VirtualAddress...(s.VirtualAddress+s.VirtualSize)).include?(va)
         return va - s.VirtualAddress + s.PointerToRawData

data/lib/pedump/cli.rb

@@ -486,8 +486,8 @@ class PEdump::CLI
       data.name.inspect,
       data.Characteristics.to_i,
       Time.at(data.TimeDateStamp.to_i).utc.strftime('"%Y-%m-%d %H:%M:%S"'),
-      data.MajorVersion, data.MinorVersion,
-      data.Base
+      data.MajorVersion.to_i, data.MinorVersion.to_i,
+      data.Base.to_i
 
     if @options[:verbose] > 0
       [%w'Names', %w'EntryPoints Functions', %w'Ordinals NameOrdinals'].each do |x|
@@ -498,25 +498,26 @@ class PEdump::CLI
     end
 
     printf "# nFuncs=%d  nNames=%d\n",
-      data.NumberOfFunctions,
-      data.NumberOfNames
+      data.NumberOfFunctions.to_i,
+      data.NumberOfNames.to_i
 
     return unless data.name_ordinals.any? || data.entry_points.any? || data.names.any?
 
     puts
 
     ord2name = {}
-    data.NumberOfNames.times do |i|
-      ord2name[data.name_ordinals[i]] ||= []
-      ord2name[data.name_ordinals[i]] << data.names[i]
+    if data.names && data.names.any?
+      data.NumberOfNames.times do |i|
+        ord2name[data.name_ordinals[i]] ||= []
+        ord2name[data.name_ordinals[i]] << data.names[i]
+      end
     end
 
     printf "%5s %8s  %s\n", "ORD", "ENTRY_VA", "NAME"
-    data.NumberOfFunctions.times do |i|
-      ep = data.entry_points[i]
+    data.entry_points.each_with_index do |ep,i|
       names = ord2name[i+data.Base].try(:join,', ')
       next if ep.to_i == 0 && names.nil?
-      printf "%5d %8x  %s\n", i + data.Base, ep, names
+      printf "%5x %8x  %s\n", i + data.Base, ep, names
     end
   end
 

data/lib/pedump/composite_io.rb

@@ -0,0 +1,33 @@
+class PEdump
+  class CompositeIO
+    def initialize(*ios)
+      @ios = ios.flatten
+      @pos = 0
+    end
+
+    def read(amount = nil, buf = nil)
+      buf ||= ''; buf1 = ''
+
+      # truncates buffer to zero length if nothing read
+      @ios.first.read(amount,buf)
+
+      @ios[1..-1].each do |io|
+        break if amount && buf.size >= amount
+        io.read(amount ? (amount-buf.size) : nil, buf1)
+        buf << buf1
+      end
+
+      @pos += buf.size
+
+      buf.size > 0 ? buf : (amount ? nil : buf )
+    end
+
+    def tell
+      @pos
+    end
+
+    def eof?
+      @ios.all?(&:eof?)
+    end
+  end
+end

data/lib/pedump/pe.rb

@@ -0,0 +1,89 @@
+class PEdump
+  class PE < Struct.new(
+    :signature,             # "PE\x00\x00"
+    :image_file_header,
+    :image_optional_header, # includes data directory
+    :section_table
+  )
+    alias :ifh       :image_file_header
+    alias :ioh       :image_optional_header
+    alias :sections  :section_table
+    alias :sections= :section_table=
+    def x64?
+      ifh && ifh.Machine == 0x8664
+    end
+    def dll?
+      ifh && ifh.flags.include?('DLL')
+    end
+
+
+    def self.read f, args = nil
+      force = args.is_a?(Hash) && args[:force]
+
+      pe_offset = f.tell
+      pe_sig = f.read 4
+      logger.error "[!] 'NE' format is not supported!" if pe_sig == "NE\x00\x00"
+      if pe_sig != "PE\x00\x00"
+        if force
+          logger.warn  "[?] no PE signature (want: 'PE\\x00\\x00', got: #{pe_sig.inspect})"
+        else
+          logger.error "[?] no PE signature (want: 'PE\\x00\\x00', got: #{pe_sig.inspect}). (not forced)"
+          return nil
+        end
+      end
+      PE.new(pe_sig).tap do |pe|
+        pe.image_file_header = IMAGE_FILE_HEADER.read(f)
+        if pe.ifh.SizeOfOptionalHeader > 0
+          if pe.x64?
+            pe.image_optional_header = IMAGE_OPTIONAL_HEADER64.read(f, pe.ifh.SizeOfOptionalHeader)
+          else
+            pe.image_optional_header = IMAGE_OPTIONAL_HEADER32.read(f, pe.ifh.SizeOfOptionalHeader)
+          end
+        end
+
+        if (nToRead=pe.ifh.NumberOfSections) > 0xffff
+          if force.is_a?(Numeric) && force > 1
+            logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). forced. reading all"
+          else
+            logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). not forced, reading first 65535"
+            nToRead = 65535
+          end
+        end
+        pe.sections = []
+        nToRead.times do
+          break if f.eof?
+          pe.sections << IMAGE_SECTION_HEADER.read(f)
+        end
+
+        if pe.sections.any?
+          # zero all missing values of last section
+          pe.sections.last.tap do |last_section|
+            last_section.each_pair do |k,v|
+              last_section[k] = 0 if v.nil?
+            end
+          end
+        end
+
+        pe_end = f.tell
+        if s=pe.sections.find{ |s| (pe_offset...pe_end).include?(s.va) }
+          if !f.respond_to?(:seek)
+            # already called with CompositeIO ?
+            logger.error "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! 2nd time?!"
+
+          elsif pe_end-pe_offset < 0x100_000
+            logger.warn "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! trying to rebuild..."
+            f.seek pe_offset
+            data = f.read(s.va-pe_offset)
+            f.seek s.PointerToRawData
+            io = CompositeIO.new(StringIO.new(data), f)
+            return PE.read(io, args)
+          else
+            logger.error "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! too big to rebuild!"
+          end
+        end
+      end
+    end
+
+    def self.logger; PEdump.logger; end
+  end
+end

data/lib/pedump/version.rb

@@ -2,7 +2,7 @@ class PEdump
   module Version
     MAJOR = 0
     MINOR = 4
-    PATCH = 2
+    PATCH = 3
     BUILD = nil
 
     STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')

data/pedump.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "pedump"
-  s.version = "0.4.2"
+  s.version = "0.4.3"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Andrey \"Zed\" Zaikin"]
-  s.date = "2011-12-19"
+  s.date = "2011-12-20"
   s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc"
   s.email = "zed.0xff@gmail.com"
   s.executables = ["pedump"]
@@ -35,17 +35,20 @@ Gem::Specification.new do |s|
     "data/userdb.txt",
     "lib/pedump.rb",
     "lib/pedump/cli.rb",
+    "lib/pedump/composite_io.rb",
     "lib/pedump/packer.rb",
+    "lib/pedump/pe.rb",
     "lib/pedump/sig_parser.rb",
     "lib/pedump/version.rb",
     "lib/pedump/version_info.rb",
     "pedump.gemspec",
-    "samples/65535sects.7z",
     "samples/calc.7z",
-    "samples/imports_badterm.exe",
-    "samples/imports_vterm.exe",
+    "samples/corkami.7z",
     "samples/zlib.dll",
     "spec/65535sects_spec.rb",
+    "spec/composite_io_spec.rb",
+    "spec/dllord_spec.rb",
+    "spec/foldedhdr_spec.rb",
     "spec/imports_badterm_spec.rb",
     "spec/imports_vterm_spec.rb",
     "spec/pe_spec.rb",
@@ -53,7 +56,8 @@ Gem::Specification.new do |s|
     "spec/resource_spec.rb",
     "spec/sig_all_packers_spec.rb",
     "spec/sig_spec.rb",
-    "spec/spec_helper.rb"
+    "spec/spec_helper.rb",
+    "spec/virtsectblXP_spec.rb"
   ]
   s.homepage = "http://github.com/zed-0xff/pedump"
   s.licenses = ["MIT"]

data/spec/65535sects_spec.rb

@@ -1,16 +1,8 @@
 require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
 require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
 
-describe 'a PE file with 65535 sections' do
-  before :all do
-    fname = File.expand_path(File.dirname(__FILE__) + '/../samples/65535sects.exe')
-    File.open(fname,"rb") do |f|
-      @pedump = PEdump.new(fname)
-      @sections = @pedump.sections(f)
-    end
-  end
-
+describe 'corkami/65535sects.exe' do
   it "should have 65535 sections" do
-    @sections.size.should == 65535
+    sample.sections.size.should == 65535
   end
 end

data/spec/composite_io_spec.rb

@@ -0,0 +1,72 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump/composite_io')
+
+describe PEdump::CompositeIO do
+  it "concatenates" do
+    io = PEdump::CompositeIO.new(
+      StringIO.new('foo'),
+      StringIO.new('bar'),
+      StringIO.new('baz')
+    )
+    io.read.should == 'foobarbaz'
+  end
+
+  it "reads sequentally" do
+    io = PEdump::CompositeIO.new(
+      StringIO.new('foo1'),
+      StringIO.new('bar2'),
+      StringIO.new('baz')
+    )
+    io.read(3).should == 'foo'
+    io.read(3).should == '1ba'
+    io.read(3).should == 'r2b'
+    io.read(3).should == 'az'
+  end
+
+  it "behaves like StringIO" do
+    io1 = StringIO.new('foo')
+    io2 = PEdump::CompositeIO.new(StringIO.new('foo'))
+
+    io1.read.should == io2.read       # 'foo'
+    io1.read.should == io2.read       # ''
+    io1.read(3).should == io2.read(3) # nil
+  end
+
+  it "tracks number of bytes read" do
+    io = PEdump::CompositeIO.new(
+      StringIO.new('foo1'),
+      StringIO.new('bar2'),
+      StringIO.new('baz')
+    )
+    io.tell.should == 0
+    io.read(3)
+    io.tell.should == 3
+    io.read(4)
+    io.tell.should == 7
+    io.read
+    io.tell.should == 11
+    io.read
+    io.tell.should == 11
+    io.read 10
+    io.tell.should == 11
+  end
+
+  it "chains eof? call" do
+    io = PEdump::CompositeIO.new(
+      StringIO.new('foo1'),
+      StringIO.new('bar2'),
+      StringIO.new('baz')
+    )
+    io.eof?.should be_false
+    io.read(3)
+    io.eof?.should be_false
+    io.read(4)
+    io.eof?.should be_false
+    io.read
+    io.eof?.should be_true
+    io.read
+    io.eof?.should be_true
+    io.read 10
+    io.eof?.should be_true
+  end
+end

data/spec/dllord_spec.rb

@@ -0,0 +1,21 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+describe 'corkami/dllord.dll' do
+  it "should have 1 import" do
+    sample.imports.size.should == 1
+    sample.imports.map(&:module_name).should == %w'msvcrt.dll'
+    sample.imports.map do |iid|
+      (iid.original_first_thunk + iid.first_thunk).uniq.map(&:name)
+    end.flatten.should == ["printf"]
+  end
+
+  it "exports at least 2 entries" do
+    sample.exports.Base.should == 0x313
+    sample.exports.name.should be_nil
+    sample.exports.names.should be_empty
+    sample.exports.name_ordinals.should be_empty
+    sample.exports.entry_points[0].should == 0xffff_ffff
+    sample.exports.entry_points[1].should == 0x1008
+  end
+end

data/spec/foldedhdr_spec.rb

@@ -0,0 +1,28 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+[ 'corkami/foldedhdr.exe', 'corkami/foldedhdrW7.exe' ].each do |fname|
+  describe fname do
+    before :all do
+      @sample = sample
+    end
+
+    it "should have 2 imports" do
+      @sample.imports.size.should == 2
+      @sample.imports.map(&:module_name).should == %w'kernel32.dll msvcrt.dll'
+      @sample.imports.map do |iid|
+        (iid.original_first_thunk + iid.first_thunk).uniq.map(&:name)
+      end.flatten.should == ["ExitProcess", "printf"]
+    end
+
+    it "should have 1 section" do
+      @sample.sections.size.should == 1
+      s = @sample.sections.first
+      s.VirtualSize.should == 0x1000
+      s.VirtualAddress.should == 0x1000
+      s.SizeOfRawData.should == 0x200
+      s.PointerToRawData.should == 0x200
+      s.flags.should == 0xa0000000
+    end
+  end
+end

data/spec/imports_badterm_spec.rb

@@ -1,58 +1,52 @@
 require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
 require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
 
-describe 'Imports' do
+describe 'corkami/imports_badterm.exe' do
   # PE with a 'bad' imports terminator, just the dll name is empty
   # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/imports_badterm.asm
-  describe "imports_badterm.exe" do
-    before :all do
-      fname = File.expand_path(File.dirname(__FILE__) + '/../samples/imports_badterm.exe')
-      File.open(fname,"rb") do |f|
-        @pedump = PEdump.new(fname)
-        @imports = @pedump.imports(f)
-      end
-    end
+  before :all do
+    @imports = sample.imports
+  end
 
-    it "should have 2 IMAGE_IMPORT_DESCRIPTORs" do
-      @imports.size.should == 2
-    end
+  it "should have 2 IMAGE_IMPORT_DESCRIPTORs" do
+    @imports.size.should == 2
+  end
 
-    it "should have only IMAGE_IMPORT_DESCRIPTORs" do
-      @imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
-    end
+  it "should have only IMAGE_IMPORT_DESCRIPTORs" do
+    @imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
+  end
 
-    it "should have all entries thunks equal" do
-      @imports.each do |iid|
-        iid.first_thunk.should == iid.original_first_thunk
-      end
+  it "should have all entries thunks equal" do
+    @imports.each do |iid|
+      iid.first_thunk.should == iid.original_first_thunk
     end
+  end
 
-    describe "1st image_import_descriptor" do
-      it "should be from kernel32.dll" do
-        @imports[0].module_name.should == "kernel32.dll"
-      end
-      it "should have 1 function" do
-        @imports[0].first_thunk.size.should == 1
-      end
-      it "should have ExitProcess" do
-        @imports[0].first_thunk.first.name.should == "ExitProcess"
-        @imports[0].first_thunk.first.hint.should == 0
-        @imports[0].first_thunk.first.ordinal.should be_nil
-      end
+  describe "1st image_import_descriptor" do
+    it "should be from kernel32.dll" do
+      @imports[0].module_name.should == "kernel32.dll"
+    end
+    it "should have 1 function" do
+      @imports[0].first_thunk.size.should == 1
+    end
+    it "should have ExitProcess" do
+      @imports[0].first_thunk.first.name.should == "ExitProcess"
+      @imports[0].first_thunk.first.hint.should == 0
+      @imports[0].first_thunk.first.ordinal.should be_nil
     end
+  end
 
-    describe "2nd image_import_descriptor" do
-      it "should be from msvcrt.dll" do
-        @imports[1].module_name.should == "msvcrt.dll"
-      end
-      it "should have 1 function" do
-        @imports[1].first_thunk.size.should == 1
-      end
-      it "should have printf" do
-        @imports[1].first_thunk.first.name.should == "printf"
-        @imports[1].first_thunk.first.hint.should == 0
-        @imports[1].first_thunk.first.ordinal.should be_nil
-      end
+  describe "2nd image_import_descriptor" do
+    it "should be from msvcrt.dll" do
+      @imports[1].module_name.should == "msvcrt.dll"
+    end
+    it "should have 1 function" do
+      @imports[1].first_thunk.size.should == 1
+    end
+    it "should have printf" do
+      @imports[1].first_thunk.first.name.should == "printf"
+      @imports[1].first_thunk.first.hint.should == 0
+      @imports[1].first_thunk.first.ordinal.should be_nil
     end
   end
 end

data/spec/imports_vterm_spec.rb

@@ -1,58 +1,52 @@
 require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
 require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
 
-describe 'Imports' do
+describe 'corkami/imports_vterm.exe' do
   # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/imports_vterm.asm
   #describe "import terminator in virtual space" do
-  describe "imports_vterm.exe" do
-    before :all do
-      fname = File.expand_path(File.dirname(__FILE__) + '/../samples/imports_vterm.exe')
-      File.open(fname,"rb") do |f|
-        @pedump = PEdump.new(fname)
-        @imports = @pedump.imports(f)
-      end
-    end
+  before :all do
+    @imports = sample.imports
+  end
 
-    it "should have 2 IMAGE_IMPORT_DESCRIPTORs" do
-      @imports.size.should == 2
-    end
+  it "should have 2 IMAGE_IMPORT_DESCRIPTORs" do
+    @imports.size.should == 2
+  end
 
-    it "should have only IMAGE_IMPORT_DESCRIPTORs" do
-      @imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
-    end
+  it "should have only IMAGE_IMPORT_DESCRIPTORs" do
+    @imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
+  end
 
-    it "should have all entries thunks equal" do
-      @imports.each do |iid|
-        iid.first_thunk.should == iid.original_first_thunk
-      end
+  it "should have all entries thunks equal" do
+    @imports.each do |iid|
+      iid.first_thunk.should == iid.original_first_thunk
     end
+  end
 
-    describe "1st image_import_descriptor" do
-      it "should be from kernel32.dll" do
-        @imports[0].module_name.should == "kernel32.dll"
-      end
-      it "should have 1 function" do
-        @imports[0].first_thunk.size.should == 1
-      end
-      it "should have ExitProcess" do
-        @imports[0].first_thunk.first.name.should == "ExitProcess"
-        @imports[0].first_thunk.first.hint.should == 0
-        @imports[0].first_thunk.first.ordinal.should be_nil
-      end
+  describe "1st image_import_descriptor" do
+    it "should be from kernel32.dll" do
+      @imports[0].module_name.should == "kernel32.dll"
+    end
+    it "should have 1 function" do
+      @imports[0].first_thunk.size.should == 1
+    end
+    it "should have ExitProcess" do
+      @imports[0].first_thunk.first.name.should == "ExitProcess"
+      @imports[0].first_thunk.first.hint.should == 0
+      @imports[0].first_thunk.first.ordinal.should be_nil
     end
+  end
 
-    describe "2nd image_import_descriptor" do
-      it "should be from msvcrt.dll" do
-        @imports[1].module_name.should == "msvcrt.dll"
-      end
-      it "should have 1 function" do
-        @imports[1].first_thunk.size.should == 1
-      end
-      it "should have printf" do
-        @imports[1].first_thunk.first.name.should == "printf"
-        @imports[1].first_thunk.first.hint.should == 0
-        @imports[1].first_thunk.first.ordinal.should be_nil
-      end
+  describe "2nd image_import_descriptor" do
+    it "should be from msvcrt.dll" do
+      @imports[1].module_name.should == "msvcrt.dll"
+    end
+    it "should have 1 function" do
+      @imports[1].first_thunk.size.should == 1
+    end
+    it "should have printf" do
+      @imports[1].first_thunk.first.name.should == "printf"
+      @imports[1].first_thunk.first.hint.should == 0
+      @imports[1].first_thunk.first.ordinal.should be_nil
     end
   end
 end

data/spec/sig_all_packers_spec.rb

@@ -3,12 +3,22 @@ require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump/packer')
 
 describe "PEdump::Packer" do
   describe "matchers" do
-    PEdump::SigParser.parse(:raw => true).each do |sig|
-      data = sig.re.join
-      next if data == "This program cannot be run in DOS mo"
-      it "should find #{sig.name}" do
-        PEdump::Packer.of(data).map(&:name).should include(sig.name)
+    if ENV['SLOW']
+      PEdump::SigParser.parse(:raw => true).each do |sig|
+        data = sig.re.join
+        next if data == "This program cannot be run in DOS mo"
+        it "should find #{sig.name}" do
+          a = PEdump::Packer.of(data).map(&:name)
+          a.size.should > 0
+
+          a = sig.name.split - a.join(' ').split - ['Exe','PE']
+          a.delete_if{ |x| x[/[vV\.\/()\[\]]/] }
+          p a if a.size > 1
+          a.size.should < 2
+        end
       end
+    else
+      pending "SLOW"
     end
   end
 end

data/spec/spec_helper.rb

@@ -8,5 +8,22 @@ require 'pedump'
 Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
 
 RSpec.configure do |config|
-  
+end
+
+def sample
+  @pedump ||=
+    begin
+      fname =
+        if self.example
+          # called from it(...)
+          self.example.full_description.split.first
+        else
+          # called from before(:all)
+          self.class.metadata[:example_group][:description_args].first
+        end
+      fname = File.expand_path(File.dirname(__FILE__) + '/../samples/' + fname)
+      File.open(fname,"rb") do |f|
+        PEdump.new(fname).dump
+      end
+    end
 end

data/spec/virtsectblXP_spec.rb

@@ -0,0 +1,12 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+describe 'corkami/virtsectblXP.exe' do
+  it "should have 2 imports" do
+    sample.imports.size.should == 2
+    sample.imports.map(&:module_name).should == %w'kernel32.dll msvcrt.dll'
+    sample.imports.map do |iid|
+      (iid.original_first_thunk + iid.first_thunk).uniq.map(&:name)
+    end.flatten.should == ["ExitProcess", "printf"]
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.4.2
+  version: 0.4.3
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-12-19 00:00:00.000000000 Z
+date: 2011-12-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multipart-post
-  requirement: &70341710237060 !ruby/object:Gem::Requirement
+  requirement: &70155235875660 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +21,10 @@ dependencies:
         version: 1.1.4
   type: :runtime
   prerelease: false
-  version_requirements: *70341710237060
+  version_requirements: *70155235875660
 - !ruby/object:Gem::Dependency
   name: progressbar
-  requirement: &70341710236340 !ruby/object:Gem::Requirement
+  requirement: &70155235891480 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +32,10 @@ dependencies:
         version: 0.9.2
   type: :runtime
   prerelease: false
-  version_requirements: *70341710236340
+  version_requirements: *70155235891480
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70341710257880 !ruby/object:Gem::Requirement
+  requirement: &70155235890940 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,10 +43,10 @@ dependencies:
         version: 2.3.0
   type: :development
   prerelease: false
-  version_requirements: *70341710257880
+  version_requirements: *70155235890940
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70341710257240 !ruby/object:Gem::Requirement
+  requirement: &70155235890060 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -54,10 +54,10 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *70341710257240
+  version_requirements: *70155235890060
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70341710256380 !ruby/object:Gem::Requirement
+  requirement: &70155235889180 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -65,10 +65,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70341710256380
+  version_requirements: *70155235889180
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70341710255420 !ruby/object:Gem::Requirement
+  requirement: &70155235888640 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -76,10 +76,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70341710255420
+  version_requirements: *70155235888640
 - !ruby/object:Gem::Dependency
   name: awesome_print
-  requirement: &70341710253940 !ruby/object:Gem::Requirement
+  requirement: &70155235888120 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,7 +87,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70341710253940
+  version_requirements: *70155235888120
 description: dump headers, sections, extract resources of win32 PE exe,dll,etc
 email: zed.0xff@gmail.com
 executables:
@@ -114,17 +114,20 @@ files:
 - data/userdb.txt
 - lib/pedump.rb
 - lib/pedump/cli.rb
+- lib/pedump/composite_io.rb
 - lib/pedump/packer.rb
+- lib/pedump/pe.rb
 - lib/pedump/sig_parser.rb
 - lib/pedump/version.rb
 - lib/pedump/version_info.rb
 - pedump.gemspec
-- samples/65535sects.7z
 - samples/calc.7z
-- samples/imports_badterm.exe
-- samples/imports_vterm.exe
+- samples/corkami.7z
 - samples/zlib.dll
 - spec/65535sects_spec.rb
+- spec/composite_io_spec.rb
+- spec/dllord_spec.rb
+- spec/foldedhdr_spec.rb
 - spec/imports_badterm_spec.rb
 - spec/imports_vterm_spec.rb
 - spec/pe_spec.rb
@@ -133,6 +136,7 @@ files:
 - spec/sig_all_packers_spec.rb
 - spec/sig_spec.rb
 - spec/spec_helper.rb
+- spec/virtsectblXP_spec.rb
 homepage: http://github.com/zed-0xff/pedump
 licenses:
 - MIT
@@ -148,7 +152,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 1913101081356959317
+      hash: 2848967461238967885
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: