RubyGems - pedump - Versions diffs - 0.4.3 → 0.4.4 - Mend

pedump 0.4.3 → 0.4.4

Files changed (11) hide show

data/VERSION CHANGED

	@@ -1 +1 @@
1	- 0.4.3
1	+ 0.4.4

data/lib/pedump.rb CHANGED

@@ -1,43 +1,16 @@
 #!/usr/bin/env ruby
-require 'logger'
 require 'stringio'
-require 'pedump/composite_io'
+require 'pedump/core'
 require 'pedump/pe'
-require 'pedump/version'
+require 'pedump/resources'
+require 'pedump/version_info'
+require 'pedump/tls'
 # pedump.rb by zed_0xff
 #
 #   http://zed.0xff.me
 #   http://github.com/zed-0xff
-class String
-  def xor x
-    if x.is_a?(String)
-      r = ''
-      j = 0
-      0.upto(self.size-1) do |i|
-        r << (self[i].ord^x[j].ord).chr
-        j+=1
-        j=0 if j>= x.size
-      end
-      r
-    else
-      r = ''
-      0.upto(self.size-1) do |i|
-        r << (self[i].ord^x).chr
-      end
-      r
-    end
-  end
-end
-class File
-  def checked_seek newpos
-    @file_range ||= (0..size)
-    @file_range.include?(newpos) && (seek(newpos) || true)
-  end
-end
 class PEdump
   attr_accessor :fname, :logger, :force
@@ -51,66 +24,6 @@ class PEdump
     @logger = @@logger = params[:logger] || PEdump::Logger.new(STDERR)
   end
-  class Logger < ::Logger
-    def initialize *args
-      super
-      @formatter = proc do |severity,_,_,msg|
-        # quick and dirty way to remove duplicate messages
-        if @prevmsg == msg && severity != 'DEBUG' && severity != 'INFO'
-          ''
-        else
-          @prevmsg = msg
-          "#{msg}\n"
-        end
-      end
-      @level = Logger::WARN
-    end
-  end
-  module Readable
-    def read file, size = nil
-      size ||= const_get 'SIZE'
-      data = file.read(size).to_s
-      if data.size < size && PEdump.logger
-        PEdump.logger.error "[!] #{self.to_s} want #{size} bytes, got #{data.size}"
-      end
-      new(*data.unpack(const_get('FORMAT')))
-    end
-  end
-  class << self
-    def logger;    @@logger;   end
-    def logger= l; @@logger=l; end
-    def create_struct fmt, *args
-      size = fmt.scan(/([a-z])(\d*)/i).map do |f,len|
-        [len.to_i, 1].max *
-          case f
-          when /[aAC]/ then 1
-          when 'v' then 2
-          when 'V' then 4
-          when 'Q' then 8
-          else raise "unknown fmt #{f.inspect}"
-          end
-      end.inject(&:+)
-      Struct.new( *args ).tap do |x|
-        x.const_set 'FORMAT', fmt
-        x.const_set 'SIZE',  size
-        x.class_eval do
-          def pack
-            to_a.pack self.class.const_get('FORMAT')
-          end
-          def empty?
-            to_a.all?{ |t| t == 0 || t.nil? || t.to_s.tr("\x00","").empty? }
-          end
-        end
-        x.extend Readable
-      end
-    end
-  end
   # http://www.delorie.com/djgpp/doc/exe/
   MZ = create_struct( "a2v13Qv2V6",
     :signature,
@@ -448,8 +361,37 @@ class PEdump
       end
   end
-  def resource_directory f=nil
-    @resource_directory ||= _read_resource_directory_tree(f)
+  def va2file va
+    return nil if va.nil?
+    sections.each do |s|
+      if (s.VirtualAddress...(s.VirtualAddress+s.VirtualSize)).include?(va)
+        return va - s.VirtualAddress + s.PointerToRawData
+      end
+    end
+    # not found with regular search. assume any of VirtualSize was 0, and try with RawSize
+    sections.each do |s|
+      if (s.VirtualAddress...(s.VirtualAddress+s.SizeOfRawData)).include?(va)
+        return va - s.VirtualAddress + s.PointerToRawData
+      end
+    end
+    # still not found, bad/zero VirtualSizes & RawSizes ?
+    # a special case - PE without sections
+    return va if sections.empty?
+    # check if only one section
+    if sections.size == 1 || sections.all?{ |s| s.VirtualAddress.to_i == 0 }
+      s = sections.first
+      return va - s.VirtualAddress + s.PointerToRawData
+    end
+    # TODO: not all VirtualAdresses == 0 case
+    logger.error "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)}"
+    nil
   end
   # OPTIONAL: assigns @mz, @rich_hdr, @pe, etc
@@ -499,14 +441,34 @@ class PEdump
     return nil unless pe(f) && pe(f).ioh && f
     dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::IMPORT]
     return [] if !dir || (dir.va == 0 && dir.size == 0)
-    va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::IMPORT].va
-    file_offset = va2file(va)
+    file_offset = va2file(dir.va)
     return nil unless file_offset
+    # scan TLS first, to catch many fake imports trick from
+    # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/manyimportsW7.asm
+    tls_aoi = nil
+    if (tls = tls(f)) && tls.any?
+      tls_aoi = tls.first.AddressOfIndex.to_i - @pe.ioh.ImageBase.to_i
+      tls_aoi = tls_aoi > 0 ? va2file(tls_aoi) : nil
+    end
     f.seek file_offset
     r = []
-    until (t=IMAGE_IMPORT_DESCRIPTOR.read(f)).Name.to_i == 0
+    while true
+      if tls_aoi && tls_aoi == file_offset+16
+        # catched the neat trick! :)
+        # f.tell + 12  =  offset of 'FirstThunk' field from start of IMAGE_IMPORT_DESCRIPTOR structure
+        logger.warn "[!] catched the 'imports terminator in TLS trick'"
+        # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/manyimportsW7.asm
+        break
+      end
+      t=IMAGE_IMPORT_DESCRIPTOR.read(f)
+      break if t.Name.to_i == 0 # also catches EOF
       r << t
+      file_offset += IMAGE_IMPORT_DESCRIPTOR::SIZE
+      break if r.size == 3
     end
     logger.warn "[?] non-empty last IMAGE_IMPORT_DESCRIPTOR: #{t.inspect}" unless t.empty?
     @imports = r.each do |x|
       if x.Name.to_i != 0 && (va = va2file(x.Name))
@@ -643,356 +605,40 @@ class PEdump
   end
   ##############################################################################
-  # resources
+  # TLS
   ##############################################################################
-  IMAGE_RESOURCE_DIRECTORY = create_struct 'V2v4',
-    :Characteristics, :TimeDateStamp, # 2dw
-    :MajorVersion, :MinorVersion, :NumberOfNamedEntries, :NumberOfIdEntries, # 4w
-    :entries # manual
-  class IMAGE_RESOURCE_DIRECTORY
-    class << self
-      attr_accessor :base
-      alias :read_without_children :read
-      def read f, root=true
-        if root
-          @@loopchk1 = Hash.new(0)
-          @@loopchk2 = Hash.new(0)
-          @@loopchk3 = Hash.new(0)
-        elsif (@@loopchk1[f.tell] += 1) > 1
-          PEdump.logger.error "[!] #{self}: loop1 detected at file pos #{f.tell}" if @@loopchk1[f.tell] < 2
+  def tls f=nil
+    @tls ||= pe(f) && pe(f).ioh && f &&
+      begin
+        dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::TLS]
+        return nil if !dir || dir.va == 0
+        return nil unless file_offset = va2file(dir.va)
+        f.seek file_offset
+        if f.eof?
+          logger.info "[?] TLS info beyond EOF"
           return nil
         end
-        read_without_children(f).tap do |r|
-          nToRead = r.NumberOfNamedEntries.to_i + r.NumberOfIdEntries.to_i
-          r.entries = []
-          nToRead.times do |i|
-            if f.eof?
-              PEdump.logger.error "[!] #{self}: #{nToRead} entries in directory, but got EOF on #{i}-th."
-              break
-            end
-            if (@@loopchk2[f.tell] += 1) > 1
-              PEdump.logger.error "[!] #{self}: loop2 detected at file pos #{f.tell}" if @@loopchk2[f.tell] < 2
-              next
-            end
-            r.entries << IMAGE_RESOURCE_DIRECTORY_ENTRY.read(f)
-          end
-          #r.entries.uniq!
-          r.entries.each do |entry|
-            entry.name =
-              if entry.Name.to_i & 0x8000_0000 > 0
-                # Name is an address of unicode string
-                f.seek base + entry.Name & 0x7fff_ffff
-                nChars = f.read(2).to_s.unpack("v").first.to_i
-                begin
-                  f.read(nChars*2).force_encoding('UTF-16LE').encode!('UTF-8')
-                rescue
-                  PEdump.logger.error "[!] #{self} failed to read entry name: #{$!}"
-                  "???"
-                end
-              else
-                # Name is a numeric id
-                "##{entry.Name}"
-              end
-            if entry.OffsetToData && f.checked_seek(base + entry.OffsetToData & 0x7fff_ffff)
-              if (@@loopchk3[f.tell] += 1) > 1
-                PEdump.logger.error "[!] #{self}: loop3 detected at file pos #{f.tell}" if @@loopchk3[f.tell] < 2
-                next
-              end
-              entry.data =
-                if entry.OffsetToData & 0x8000_0000 > 0
-                  # child is a directory
-                  IMAGE_RESOURCE_DIRECTORY.read(f,false)
-                else
-                  # child is a resource
-                  IMAGE_RESOURCE_DATA_ENTRY.read(f)
-                end
-            end
-          end
-          @@loopchk1 = @@loopchk2 = @@loopchk3 = nil if root # save some memory
-        end
-      end
-    end
-  end
-  IMAGE_RESOURCE_DIRECTORY_ENTRY = create_struct 'V2',
-    :Name, :OffsetToData,
-    :name, :data
-  IMAGE_RESOURCE_DATA_ENTRY = create_struct 'V4',
-    :OffsetToData, :Size, :CodePage, :Reserved
+        start_offset = f.tell
-  def va2file va
-    return nil if va.nil?
-    sections.each do |s|
-      if (s.VirtualAddress...(s.VirtualAddress+s.VirtualSize)).include?(va)
-        return va - s.VirtualAddress + s.PointerToRawData
-      end
-    end
-    # not found with regular search. assume any of VirtualSize was 0, and try with RawSize
-    sections.each do |s|
-      if (s.VirtualAddress...(s.VirtualAddress+s.SizeOfRawData)).include?(va)
-        return va - s.VirtualAddress + s.PointerToRawData
-      end
-    end
-    # still not found, bad/zero VirtualSizes & RawSizes ?
-    # a special case - PE without sections
-    return va if sections.empty?
-    # check if only one section
-    if sections.size == 1 || sections.all?{ |s| s.VirtualAddress.to_i == 0 }
-      s = sections.first
-      return va - s.VirtualAddress + s.PointerToRawData
-    end
-    # TODO: not all VirtualAdresses == 0 case
-    logger.error "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)}"
-    nil
-  end
-  def _read_resource_directory_tree f
-    return nil unless pe(f) && pe(f).ioh && f
-    res_dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::RESOURCE]
-    return [] if !res_dir || (res_dir.va == 0 && res_dir.size == 0)
-    res_va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::RESOURCE].va
-    res_section = @pe.section_table.find{ |t| t.VirtualAddress == res_va }
-    unless res_section
-      logger.warn "[?] can't find resource section for va=0x#{res_va.to_s(16)}"
-      return []
-    end
-    f.seek res_section.PointerToRawData
-    IMAGE_RESOURCE_DIRECTORY.base = res_section.PointerToRawData
-    #@resource_data_base = res_section.PointerToRawData - res_section.VirtualAddress
-    IMAGE_RESOURCE_DIRECTORY.read(f)
-  end
-  class Resource < Struct.new(:type, :name, :id, :lang, :file_offset, :size, :cp, :reserved, :data, :valid)
-    def bitmap_hdr
-      bmp_info_hdr = data.find{ |x| x.is_a?(BITMAPINFOHEADER) }
-      raise "no BITMAPINFOHEADER for #{self.type} #{self.name}" unless bmp_info_hdr
-      bmp_info_hdr.biHeight/=2 if %w'ICON CURSOR'.include?(type)
-      colors_used = bmp_info_hdr.biClrUsed
-      colors_used = 2**bmp_info_hdr.biBitCount if colors_used == 0 && bmp_info_hdr.biBitCount < 16
-      # XXX: one byte in each color is unused!
-      @palette_size = colors_used * 4 # each color takes 4 bytes
-      # scanlines are DWORD-aligned and padded to DWORD-align with zeroes
-      # XXX: some data may be hidden in padding bytes!
-      scanline_size = bmp_info_hdr.biWidth * bmp_info_hdr.biBitCount / 8
-      scanline_size += (4-scanline_size%4) if scanline_size % 4 > 0
-      @imgdata_size = scanline_size * bmp_info_hdr.biHeight
-      "BM" + [
-        BITMAPINFOHEADER::SIZE + 14 + @palette_size + @imgdata_size,
-        0,
-        BITMAPINFOHEADER::SIZE + 14 + @palette_size
-      ].pack("V3") + bmp_info_hdr.pack
-    ensure
-      bmp_info_hdr.biHeight*=2 if %w'ICON CURSOR'.include?(type)
-    end
-    # only valid for types BITMAP, ICON & CURSOR
-    def restore_bitmap src_fname
-      File.open(src_fname, "rb") do |f|
-        parse f
-        if data.first == "PNG"
-          "\x89PNG" +f.read(self.size-4)
-        else
-          bitmap_hdr + f.read(@palette_size + @imgdata_size)
-        end
-      end
-    end
-    def bitmap_mask src_fname
-      File.open(src_fname, "rb") do |f|
-        parse f
-        bmp_info_hdr = bitmap_hdr
-        bitmap_size = BITMAPINFOHEADER::SIZE + @palette_size + @imgdata_size
-        return nil if bitmap_size >= self.size
-        mask_size = self.size - bitmap_size
-        f.seek file_offset + bitmap_size
-        bmp_info_hdr = BITMAPINFOHEADER.new(*bmp_info_hdr[14..-1].unpack(BITMAPINFOHEADER::FORMAT))
-        bmp_info_hdr.biBitCount = 1
-        bmp_info_hdr.biCompression = bmp_info_hdr.biSizeImage = 0
-        bmp_info_hdr.biClrUsed = bmp_info_hdr.biClrImportant = 2
-        palette = [0,0xffffff].pack('V2')
-        @palette_size = palette.size
-        "BM" + [
-          BITMAPINFOHEADER::SIZE + 14 + @palette_size + mask_size,
-          0,
-          BITMAPINFOHEADER::SIZE + 14 + @palette_size
-        ].pack("V3") + bmp_info_hdr.pack + palette + f.read(mask_size)
-      end
-    end
-    # also sets the file position for restore_bitmap next call
-    def parse f
-      raise "called parse with type not set" unless self.type
-      #return if self.data
-      self.data = []
-      case type
-      when 'BITMAP','ICON'
-        f.seek file_offset
-        if f.read(4) == "\x89PNG"
-          data << 'PNG'
-        else
-          f.seek file_offset
-          data << BITMAPINFOHEADER.read(f)
-        end
-      when 'CURSOR'
-        f.seek file_offset
-        data << CURSOR_HOTSPOT.read(f)
-        data << BITMAPINFOHEADER.read(f)
-      when 'GROUP_CURSOR'
-        f.seek file_offset
-        data << CUR_ICO_HEADER.read(f)
-        nRead = CUR_ICO_HEADER::SIZE
-        data.last.wNumImages.to_i.times do
-          if nRead >= self.size
-            PEdump.logger.error "[!] refusing to read CURDIRENTRY beyond resource size"
-            break
-          end
-          data  << CURDIRENTRY.read(f)
-          nRead += CURDIRENTRY::SIZE
-        end
-      when 'GROUP_ICON'
-        f.seek file_offset
-        data << CUR_ICO_HEADER.read(f)
-        nRead = CUR_ICO_HEADER::SIZE
-        data.last.wNumImages.to_i.times do
-          if nRead >= self.size
-            PEdump.logger.error "[!] refusing to read ICODIRENTRY beyond resource size"
+        klass = @pe.x64? ? IMAGE_TLS_DIRECTORY64 : IMAGE_TLS_DIRECTORY32
+        r = []
+        while !f.eof? && (entry = klass.read(f))
+          if entry.AddressOfCallBacks.to_i == 0
+            logger.warn "[?] non-empty TLS terminator: #{entry.inspect}" unless entry.empty?
             break
           end
-          data  << ICODIRENTRY.read(f)
-          nRead += ICODIRENTRY::SIZE
-        end
-      when 'STRING'
-        f.seek file_offset
-        16.times do
-          break if f.tell >= file_offset+self.size
-          nChars = f.read(2).to_s.unpack('v').first.to_i
-          t =
-            if nChars*2 + 1 > self.size
-              # TODO: if it's not 1st string in table then truncated size must be less
-              PEdump.logger.error "[!] string size(#{nChars*2}) > stringtable size(#{self.size}). truncated to #{self.size-2}"
-              f.read(self.size-2)
-            else
-              f.read(nChars*2)
-            end
-          data <<
-            begin
-              t.force_encoding('UTF-16LE').encode!('UTF-8')
-            rescue
-              t.force_encoding('ASCII')
-              tt = t.size > 0x10 ? t[0,0x10].inspect+'...' : t.inspect
-              PEdump.logger.error "[!] cannot convert #{tt} to UTF-16"
-              [nChars,t].pack('va*')
-            end
+          r << entry
+          break if dir.size > 0 && f.tell >= (start_offset+dir.size)
         end
-        # XXX: check if readed strings summary length is less than resource data length
-      when 'VERSION'
-        require 'pedump/version_info'
-        f.seek file_offset
-        data << PEdump::VS_VERSIONINFO.read(f)
-      end
-      data.delete_if do |x|
-        valid = !x.respond_to?(:valid?) || x.valid?
-        PEdump.logger.warn "[?] ignoring invalid #{x.class}" unless valid
-        !valid
+        r
       end
-    ensure
-      validate
-    end
-    def validate
-      self.valid =
-        case type
-        when 'BITMAP','ICON','CURSOR'
-          data.any?{ |x| x.is_a?(BITMAPINFOHEADER) && x.valid? } || data.first == 'PNG'
-        else
-          true
-        end
-    end
   end
-  STRING = Struct.new(:id, :lang, :value)
-  def strings f=nil
-    r = []
-    Array(resources(f)).find_all{ |x| x.type == 'STRING'}.each do |res|
-      res.data.each_with_index do |string,idx|
-        r << STRING.new( ((res.id-1)<<4) + idx, res.lang, string ) unless string.empty?
-      end
-    end
-    r
-  end
-  # see also http://www.informit.com/articles/article.aspx?p=1186882 about icons format
-  class BITMAPINFOHEADER < create_struct 'V3v2V6',
-    :biSize,          # BITMAPINFOHEADER::SIZE
-    :biWidth,
-    :biHeight,
-    :biPlanes,
-    :biBitCount,
-    :biCompression,
-    :biSizeImage,
-    :biXPelsPerMeter,
-    :biYPelsPerMeter,
-    :biClrUsed,
-    :biClrImportant
-    def valid?
-      self.biSize == 40
-    end
-  end
-  # http://www.devsource.com/c/a/Architecture/Resources-From-PE-I/2/
-  CUR_ICO_HEADER = create_struct('v3',
-    :wReserved, # always 0
-    :wResID,    # always 2
-    :wNumImages # Number of cursor images/directory entries
-  )
-  CURDIRENTRY = create_struct 'v4Vv',
-    :wWidth,
-    :wHeight, # Divide by 2 to get the actual height.
-    :wPlanes,
-    :wBitCount,
-    :dwBytesInImage,
-    :wID
-  CURSOR_HOTSPOT = create_struct 'v2', :x, :y
-  ICODIRENTRY = create_struct 'C4v2Vv',
-    :bWidth,
-    :bHeight,
-    :bColors,
-    :bReserved,
-    :wPlanes,
-    :wBitCount,
-    :dwBytesInImage,
-    :wID
-  ROOT_RES_NAMES = [nil] + # numeration is started from 1
-    %w'CURSOR BITMAP ICON MENU DIALOG STRING FONTDIR FONT ACCELERATORS RCDATA' +
-    %w'MESSAGETABLE GROUP_CURSOR' + [nil] + %w'GROUP_ICON' + [nil] +
-    %w'VERSION DLGINCLUDE' + [nil] + %w'PLUGPLAY VXD ANICURSOR ANIICON HTML MANIFEST'
+  ##############################################################################
+  # resources
+  ##############################################################################
   def resources f=nil
     @resources ||= _scan_resources(f)
@@ -1002,48 +648,9 @@ class PEdump
     resources(f) && resources(f).find_all{ |res| res.type == 'VERSION' }.map(&:data).flatten
   end
-  def _scan_resources f=nil, dir=nil
-    dir ||= resource_directory(f)
-    return nil unless dir
-    dir.entries.map do |entry|
-      case entry.data
-        when IMAGE_RESOURCE_DIRECTORY
-          if dir == @resource_directory # root resource directory
-            entry_type =
-              if entry.Name & 0x8000_0000 == 0
-                # root resource directory & entry name is a number
-                ROOT_RES_NAMES[entry.Name] || entry.name
-              else
-                entry.name
-              end
-            _scan_resources(f,entry.data).each do |res|
-              res.type = entry_type
-              res.parse f
-            end
-          else
-            _scan_resources(f,entry.data).each do |res|
-              res.name = res.name == "##{res.lang}" ? entry.name : "#{entry.name} / #{res.name}"
-              res.id ||= entry.Name if entry.Name.is_a?(Numeric) && entry.Name < 0x8000_0000
-            end
-          end
-        when IMAGE_RESOURCE_DATA_ENTRY
-          Resource.new(
-            nil,          # type
-            entry.name,
-            nil,          # id
-            entry.Name,   # lang
-            #entry.data.OffsetToData + @resource_data_base,
-            va2file(entry.data.OffsetToData),
-            entry.data.Size,
-            entry.data.CodePage,
-            entry.data.Reserved
-          )
-        else
-          logger.error "[!] invalid resource entry: #{entry.data.inspect}"
-          nil
-      end
-    end.flatten.compact
-  end
+  ##############################################################################
+  # packer / compiler detection
+  ##############################################################################
   def packer f = nil
     @packer ||= pe(f) && @pe.ioh &&

data/lib/pedump/cli.rb CHANGED

@@ -1,5 +1,6 @@
 require 'pedump'
 require 'pedump/packer'
+require 'pedump/version_info'
 require 'optparse'
 unless Object.instance_methods.include?(:try)
@@ -14,7 +15,7 @@ class PEdump::CLI
   attr_accessor :data, :argv
   KNOWN_ACTIONS = (
-    %w'mz dos_stub rich pe data_directory sections' +
+    %w'mz dos_stub rich pe data_directory sections tls' +
     %w'strings resources resource_directory imports exports version_info packer web packer_only'
   ).map(&:to_sym)
@@ -400,6 +401,8 @@ class PEdump::CLI
         dump_packers data
       when PEdump::VS_VERSIONINFO
         dump_version_info data
+      when PEdump::IMAGE_TLS_DIRECTORY32, PEdump::IMAGE_TLS_DIRECTORY64
+        dump_tls data
       else
         puts "[?] don't know how to dump: #{data.inspect[0,50]}" unless data.empty?
       end
@@ -412,6 +415,20 @@ class PEdump::CLI
     end
   end
+  def dump_tls data
+    fmt = "%10x %10x %8x  %8x  %8x  %8x\n"
+    printf fmt.tr('x','s'), *%w'RAW_START RAW_END INDEX CALLBKS ZEROFILL FLAGS'
+    data.each do |tls|
+      printf fmt,
+        tls.StartAddressOfRawData,
+        tls.EndAddressOfRawData,
+        tls.AddressOfIndex,
+        tls.AddressOfCallBacks,
+        tls.SizeOfZeroFill,
+        tls.Characteristics
+    end
+  end
   def dump_version_info data
     if @options[:format] != :table
       File.open(@file_name,'rb') do |f|

data/lib/pedump/core.rb ADDED

@@ -0,0 +1,91 @@
+require 'logger'
+require 'pedump/version'
+class String
+  def xor x
+    if x.is_a?(String)
+      r = ''
+      j = 0
+      0.upto(self.size-1) do |i|
+        r << (self[i].ord^x[j].ord).chr
+        j+=1
+        j=0 if j>= x.size
+      end
+      r
+    else
+      r = ''
+      0.upto(self.size-1) do |i|
+        r << (self[i].ord^x).chr
+      end
+      r
+    end
+  end
+end
+class File
+  def checked_seek newpos
+    @file_range ||= (0..size)
+    @file_range.include?(newpos) && (seek(newpos) || true)
+  end
+end
+class PEdump
+  class Logger < ::Logger
+    def initialize *args
+      super
+      @formatter = proc do |severity,_,_,msg|
+        # quick and dirty way to remove duplicate messages
+        if @prevmsg == msg && severity != 'DEBUG' && severity != 'INFO'
+          ''
+        else
+          @prevmsg = msg
+          "#{msg}\n"
+        end
+      end
+      @level = Logger::WARN
+    end
+  end
+  module Readable
+    def read file, size = nil
+      size ||= const_get 'SIZE'
+      data = file.read(size).to_s
+      if data.size < size && PEdump.logger
+        PEdump.logger.error "[!] #{self.to_s} want #{size} bytes, got #{data.size}"
+      end
+      new(*data.unpack(const_get('FORMAT')))
+    end
+  end
+  class << self
+    def logger;    @@logger;   end
+    def logger= l; @@logger=l; end
+    def create_struct fmt, *args
+      size = fmt.scan(/([a-z])(\d*)/i).map do |f,len|
+        [len.to_i, 1].max *
+          case f
+          when /[aAC]/ then 1
+          when 'v' then 2
+          when 'V' then 4
+          when 'Q' then 8
+          else raise "unknown fmt #{f.inspect}"
+          end
+      end.inject(&:+)
+      Struct.new( *args ).tap do |x|
+        x.const_set 'FORMAT', fmt
+        x.const_set 'SIZE',  size
+        x.class_eval do
+          def pack
+            to_a.pack self.class.const_get('FORMAT')
+          end
+          def empty?
+            to_a.all?{ |t| t == 0 || t.nil? || t.to_s.tr("\x00","").empty? }
+          end
+        end
+        x.extend Readable
+      end
+    end
+  end
+end

data/lib/pedump/pe.rb CHANGED

@@ -1,3 +1,5 @@
+require 'pedump/composite_io'
 class PEdump
   class PE < Struct.new(
     :signature,             # "PE\x00\x00"

data/lib/pedump/resources.rb ADDED

@@ -0,0 +1,364 @@
+class PEdump
+  def resource_directory f=nil
+    @resource_directory ||= _read_resource_directory_tree(f)
+  end
+  def _read_resource_directory_tree f
+    return nil unless pe(f) && pe(f).ioh && f
+    res_dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::RESOURCE]
+    return [] if !res_dir || (res_dir.va == 0 && res_dir.size == 0)
+    res_va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::RESOURCE].va
+    res_section = @pe.section_table.find{ |t| t.VirtualAddress == res_va }
+    unless res_section
+      logger.warn "[?] can't find resource section for va=0x#{res_va.to_s(16)}"
+      return []
+    end
+    f.seek res_section.PointerToRawData
+    IMAGE_RESOURCE_DIRECTORY.base = res_section.PointerToRawData
+    #@resource_data_base = res_section.PointerToRawData - res_section.VirtualAddress
+    IMAGE_RESOURCE_DIRECTORY.read(f)
+  end
+  class Resource < Struct.new(:type, :name, :id, :lang, :file_offset, :size, :cp, :reserved, :data, :valid)
+    def bitmap_hdr
+      bmp_info_hdr = data.find{ |x| x.is_a?(BITMAPINFOHEADER) }
+      raise "no BITMAPINFOHEADER for #{self.type} #{self.name}" unless bmp_info_hdr
+      bmp_info_hdr.biHeight/=2 if %w'ICON CURSOR'.include?(type)
+      colors_used = bmp_info_hdr.biClrUsed
+      colors_used = 2**bmp_info_hdr.biBitCount if colors_used == 0 && bmp_info_hdr.biBitCount < 16
+      # XXX: one byte in each color is unused!
+      @palette_size = colors_used * 4 # each color takes 4 bytes
+      # scanlines are DWORD-aligned and padded to DWORD-align with zeroes
+      # XXX: some data may be hidden in padding bytes!
+      scanline_size = bmp_info_hdr.biWidth * bmp_info_hdr.biBitCount / 8
+      scanline_size += (4-scanline_size%4) if scanline_size % 4 > 0
+      @imgdata_size = scanline_size * bmp_info_hdr.biHeight
+      "BM" + [
+        BITMAPINFOHEADER::SIZE + 14 + @palette_size + @imgdata_size,
+        0,
+        BITMAPINFOHEADER::SIZE + 14 + @palette_size
+      ].pack("V3") + bmp_info_hdr.pack
+    ensure
+      bmp_info_hdr.biHeight*=2 if %w'ICON CURSOR'.include?(type)
+    end
+    # only valid for types BITMAP, ICON & CURSOR
+    def restore_bitmap src_fname
+      File.open(src_fname, "rb") do |f|
+        parse f
+        if data.first == "PNG"
+          "\x89PNG" +f.read(self.size-4)
+        else
+          bitmap_hdr + f.read(@palette_size + @imgdata_size)
+        end
+      end
+    end
+    def bitmap_mask src_fname
+      File.open(src_fname, "rb") do |f|
+        parse f
+        bmp_info_hdr = bitmap_hdr
+        bitmap_size = BITMAPINFOHEADER::SIZE + @palette_size + @imgdata_size
+        return nil if bitmap_size >= self.size
+        mask_size = self.size - bitmap_size
+        f.seek file_offset + bitmap_size
+        bmp_info_hdr = BITMAPINFOHEADER.new(*bmp_info_hdr[14..-1].unpack(BITMAPINFOHEADER::FORMAT))
+        bmp_info_hdr.biBitCount = 1
+        bmp_info_hdr.biCompression = bmp_info_hdr.biSizeImage = 0
+        bmp_info_hdr.biClrUsed = bmp_info_hdr.biClrImportant = 2
+        palette = [0,0xffffff].pack('V2')
+        @palette_size = palette.size
+        "BM" + [
+          BITMAPINFOHEADER::SIZE + 14 + @palette_size + mask_size,
+          0,
+          BITMAPINFOHEADER::SIZE + 14 + @palette_size
+        ].pack("V3") + bmp_info_hdr.pack + palette + f.read(mask_size)
+      end
+    end
+    # also sets the file position for restore_bitmap next call
+    def parse f
+      raise "called parse with type not set" unless self.type
+      #return if self.data
+      self.data = []
+      case type
+      when 'BITMAP','ICON'
+        f.seek file_offset
+        if f.read(4) == "\x89PNG"
+          data << 'PNG'
+        else
+          f.seek file_offset
+          data << BITMAPINFOHEADER.read(f)
+        end
+      when 'CURSOR'
+        f.seek file_offset
+        data << CURSOR_HOTSPOT.read(f)
+        data << BITMAPINFOHEADER.read(f)
+      when 'GROUP_CURSOR'
+        f.seek file_offset
+        data << CUR_ICO_HEADER.read(f)
+        nRead = CUR_ICO_HEADER::SIZE
+        data.last.wNumImages.to_i.times do
+          if nRead >= self.size
+            PEdump.logger.error "[!] refusing to read CURDIRENTRY beyond resource size"
+            break
+          end
+          data  << CURDIRENTRY.read(f)
+          nRead += CURDIRENTRY::SIZE
+        end
+      when 'GROUP_ICON'
+        f.seek file_offset
+        data << CUR_ICO_HEADER.read(f)
+        nRead = CUR_ICO_HEADER::SIZE
+        data.last.wNumImages.to_i.times do
+          if nRead >= self.size
+            PEdump.logger.error "[!] refusing to read ICODIRENTRY beyond resource size"
+            break
+          end
+          data  << ICODIRENTRY.read(f)
+          nRead += ICODIRENTRY::SIZE
+        end
+      when 'STRING'
+        f.seek file_offset
+        16.times do
+          break if f.tell >= file_offset+self.size
+          nChars = f.read(2).to_s.unpack('v').first.to_i
+          t =
+            if nChars*2 + 1 > self.size
+              # TODO: if it's not 1st string in table then truncated size must be less
+              PEdump.logger.error "[!] string size(#{nChars*2}) > stringtable size(#{self.size}). truncated to #{self.size-2}"
+              f.read(self.size-2)
+            else
+              f.read(nChars*2)
+            end
+          data <<
+            begin
+              t.force_encoding('UTF-16LE').encode!('UTF-8')
+            rescue
+              t.force_encoding('ASCII')
+              tt = t.size > 0x10 ? t[0,0x10].inspect+'...' : t.inspect
+              PEdump.logger.error "[!] cannot convert #{tt} to UTF-16"
+              [nChars,t].pack('va*')
+            end
+        end
+        # XXX: check if readed strings summary length is less than resource data length
+      when 'VERSION'
+        require 'pedump/version_info'
+        f.seek file_offset
+        data << PEdump::VS_VERSIONINFO.read(f)
+      end
+      data.delete_if do |x|
+        valid = !x.respond_to?(:valid?) || x.valid?
+        PEdump.logger.warn "[?] ignoring invalid #{x.class}" unless valid
+        !valid
+      end
+    ensure
+      validate
+    end
+    def validate
+      self.valid =
+        case type
+        when 'BITMAP','ICON','CURSOR'
+          data.any?{ |x| x.is_a?(BITMAPINFOHEADER) && x.valid? } || data.first == 'PNG'
+        else
+          true
+        end
+    end
+  end
+  STRING = Struct.new(:id, :lang, :value)
+  def strings f=nil
+    r = []
+    Array(resources(f)).find_all{ |x| x.type == 'STRING'}.each do |res|
+      res.data.each_with_index do |string,idx|
+        r << STRING.new( ((res.id-1)<<4) + idx, res.lang, string ) unless string.empty?
+      end
+    end
+    r
+  end
+  # see also http://www.informit.com/articles/article.aspx?p=1186882 about icons format
+  class BITMAPINFOHEADER < create_struct 'V3v2V6',
+    :biSize,          # BITMAPINFOHEADER::SIZE
+    :biWidth,
+    :biHeight,
+    :biPlanes,
+    :biBitCount,
+    :biCompression,
+    :biSizeImage,
+    :biXPelsPerMeter,
+    :biYPelsPerMeter,
+    :biClrUsed,
+    :biClrImportant
+    def valid?
+      self.biSize == 40
+    end
+  end
+  # http://www.devsource.com/c/a/Architecture/Resources-From-PE-I/2/
+  CUR_ICO_HEADER = create_struct('v3',
+    :wReserved, # always 0
+    :wResID,    # always 2
+    :wNumImages # Number of cursor images/directory entries
+  )
+  CURDIRENTRY = create_struct 'v4Vv',
+    :wWidth,
+    :wHeight, # Divide by 2 to get the actual height.
+    :wPlanes,
+    :wBitCount,
+    :dwBytesInImage,
+    :wID
+  CURSOR_HOTSPOT = create_struct 'v2', :x, :y
+  ICODIRENTRY = create_struct 'C4v2Vv',
+    :bWidth,
+    :bHeight,
+    :bColors,
+    :bReserved,
+    :wPlanes,
+    :wBitCount,
+    :dwBytesInImage,
+    :wID
+  ROOT_RES_NAMES = [nil] + # numeration is started from 1
+    %w'CURSOR BITMAP ICON MENU DIALOG STRING FONTDIR FONT ACCELERATORS RCDATA' +
+    %w'MESSAGETABLE GROUP_CURSOR' + [nil] + %w'GROUP_ICON' + [nil] +
+    %w'VERSION DLGINCLUDE' + [nil] + %w'PLUGPLAY VXD ANICURSOR ANIICON HTML MANIFEST'
+  IMAGE_RESOURCE_DIRECTORY_ENTRY = create_struct 'V2',
+    :Name, :OffsetToData,
+    :name, :data
+  IMAGE_RESOURCE_DATA_ENTRY = create_struct 'V4',
+    :OffsetToData, :Size, :CodePage, :Reserved
+  IMAGE_RESOURCE_DIRECTORY = create_struct 'V2v4',
+    :Characteristics, :TimeDateStamp, # 2dw
+    :MajorVersion, :MinorVersion, :NumberOfNamedEntries, :NumberOfIdEntries, # 4w
+    :entries # manual
+  class IMAGE_RESOURCE_DIRECTORY
+    class << self
+      attr_accessor :base
+      alias :read_without_children :read
+      def read f, root=true
+        if root
+          @@loopchk1 = Hash.new(0)
+          @@loopchk2 = Hash.new(0)
+          @@loopchk3 = Hash.new(0)
+        elsif (@@loopchk1[f.tell] += 1) > 1
+          PEdump.logger.error "[!] #{self}: loop1 detected at file pos #{f.tell}" if @@loopchk1[f.tell] < 2
+          return nil
+        end
+        read_without_children(f).tap do |r|
+          nToRead = r.NumberOfNamedEntries.to_i + r.NumberOfIdEntries.to_i
+          r.entries = []
+          nToRead.times do |i|
+            if f.eof?
+              PEdump.logger.error "[!] #{self}: #{nToRead} entries in directory, but got EOF on #{i}-th."
+              break
+            end
+            if (@@loopchk2[f.tell] += 1) > 1
+              PEdump.logger.error "[!] #{self}: loop2 detected at file pos #{f.tell}" if @@loopchk2[f.tell] < 2
+              next
+            end
+            r.entries << IMAGE_RESOURCE_DIRECTORY_ENTRY.read(f)
+          end
+          #r.entries.uniq!
+          r.entries.each do |entry|
+            entry.name =
+              if entry.Name.to_i & 0x8000_0000 > 0
+                # Name is an address of unicode string
+                f.seek base + entry.Name & 0x7fff_ffff
+                nChars = f.read(2).to_s.unpack("v").first.to_i
+                begin
+                  f.read(nChars*2).force_encoding('UTF-16LE').encode!('UTF-8')
+                rescue
+                  PEdump.logger.error "[!] #{self} failed to read entry name: #{$!}"
+                  "???"
+                end
+              else
+                # Name is a numeric id
+                "##{entry.Name}"
+              end
+            if entry.OffsetToData && f.checked_seek(base + entry.OffsetToData & 0x7fff_ffff)
+              if (@@loopchk3[f.tell] += 1) > 1
+                PEdump.logger.error "[!] #{self}: loop3 detected at file pos #{f.tell}" if @@loopchk3[f.tell] < 2
+                next
+              end
+              entry.data =
+                if entry.OffsetToData & 0x8000_0000 > 0
+                  # child is a directory
+                  IMAGE_RESOURCE_DIRECTORY.read(f,false)
+                else
+                  # child is a resource
+                  IMAGE_RESOURCE_DATA_ENTRY.read(f)
+                end
+            end
+          end
+          @@loopchk1 = @@loopchk2 = @@loopchk3 = nil if root # save some memory
+        end
+      end
+    end
+  end
+  def _scan_resources f=nil, dir=nil
+    dir ||= resource_directory(f)
+    return nil unless dir
+    dir.entries.map do |entry|
+      case entry.data
+        when IMAGE_RESOURCE_DIRECTORY
+          if dir == @resource_directory # root resource directory
+            entry_type =
+              if entry.Name & 0x8000_0000 == 0
+                # root resource directory & entry name is a number
+                ROOT_RES_NAMES[entry.Name] || entry.name
+              else
+                entry.name
+              end
+            _scan_resources(f,entry.data).each do |res|
+              res.type = entry_type
+              res.parse f
+            end
+          else
+            _scan_resources(f,entry.data).each do |res|
+              res.name = res.name == "##{res.lang}" ? entry.name : "#{entry.name} / #{res.name}"
+              res.id ||= entry.Name if entry.Name.is_a?(Numeric) && entry.Name < 0x8000_0000
+            end
+          end
+        when IMAGE_RESOURCE_DATA_ENTRY
+          Resource.new(
+            nil,          # type
+            entry.name,
+            nil,          # id
+            entry.Name,   # lang
+            #entry.data.OffsetToData + @resource_data_base,
+            va2file(entry.data.OffsetToData),
+            entry.data.Size,
+            entry.data.CodePage,
+            entry.data.Reserved
+          )
+        else
+          logger.error "[!] invalid resource entry: #{entry.data.inspect}"
+          nil
+      end
+    end.flatten.compact
+  end
+end

data/lib/pedump/tls.rb ADDED

@@ -0,0 +1,17 @@
+class PEdump
+  IMAGE_TLS_DIRECTORY32 = create_struct 'V6',
+    :StartAddressOfRawData,
+    :EndAddressOfRawData,
+    :AddressOfIndex,
+    :AddressOfCallBacks,
+    :SizeOfZeroFill,
+    :Characteristics
+  IMAGE_TLS_DIRECTORY64 = create_struct 'Q4V2',
+    :StartAddressOfRawData,
+    :EndAddressOfRawData,
+    :AddressOfIndex,
+    :AddressOfCallBacks,
+    :SizeOfZeroFill,
+    :Characteristics
+end

data/lib/pedump/version.rb CHANGED

@@ -2,7 +2,7 @@ class PEdump
   module Version
     MAJOR = 0
     MINOR = 4
-    PATCH = 3
+    PATCH = 4
     BUILD = nil
     STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')

data/pedump.gemspec CHANGED

@@ -5,7 +5,7 @@
 Gem::Specification.new do |s|
   s.name = "pedump"
-  s.version = "0.4.3"
+  s.version = "0.4.4"
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Andrey \"Zed\" Zaikin"]
@@ -36,9 +36,12 @@ Gem::Specification.new do |s|
     "lib/pedump.rb",
     "lib/pedump/cli.rb",
     "lib/pedump/composite_io.rb",
+    "lib/pedump/core.rb",
     "lib/pedump/packer.rb",
     "lib/pedump/pe.rb",
+    "lib/pedump/resources.rb",
     "lib/pedump/sig_parser.rb",
+    "lib/pedump/tls.rb",
     "lib/pedump/version.rb",
     "lib/pedump/version_info.rb",
     "pedump.gemspec",
@@ -51,6 +54,7 @@ Gem::Specification.new do |s|
     "spec/foldedhdr_spec.rb",
     "spec/imports_badterm_spec.rb",
     "spec/imports_vterm_spec.rb",
+    "spec/manyimportsW7_spec.rb",
     "spec/pe_spec.rb",
     "spec/pedump_spec.rb",
     "spec/resource_spec.rb",

data/spec/manyimportsW7_spec.rb ADDED

@@ -0,0 +1,22 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+describe "corkami/manyimportsW7.exe" do
+  before :all do
+    @sample = sample
+  end
+  it "should have 2 imports" do
+    @sample.imports.size.should == 2
+    @sample.imports.map(&:module_name).should == %w'kernel32.dll msvcrt.dll'
+    @sample.imports.map do |iid|
+      (iid.original_first_thunk + iid.first_thunk).uniq.map(&:name)
+    end.flatten.should == ["ExitProcess", "printf"]
+  end
+  it "should have 1 TLS" do
+    @sample.tls.size.should == 1
+    @sample.tls.first.AddressOfIndex.should == 0x401148
+    @sample.tls.first.AddressOfCallBacks.should == 0x401100
+  end
+end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.4.3
+  version: 0.4.4
   prerelease:
 platform: ruby
 authors:
@@ -13,7 +13,7 @@ date: 2011-12-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multipart-post
-  requirement: &70155235875660 !ruby/object:Gem::Requirement
+  requirement: &70245146676060 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +21,10 @@ dependencies:
         version: 1.1.4
   type: :runtime
   prerelease: false
-  version_requirements: *70155235875660
+  version_requirements: *70245146676060
 - !ruby/object:Gem::Dependency
   name: progressbar
-  requirement: &70155235891480 !ruby/object:Gem::Requirement
+  requirement: &70245146675500 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +32,10 @@ dependencies:
         version: 0.9.2
   type: :runtime
   prerelease: false
-  version_requirements: *70155235891480
+  version_requirements: *70245146675500
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70155235890940 !ruby/object:Gem::Requirement
+  requirement: &70245146674820 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,10 +43,10 @@ dependencies:
         version: 2.3.0
   type: :development
   prerelease: false
-  version_requirements: *70155235890940
+  version_requirements: *70245146674820
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70155235890060 !ruby/object:Gem::Requirement
+  requirement: &70245146674020 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -54,10 +54,10 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *70155235890060
+  version_requirements: *70245146674020
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70155235889180 !ruby/object:Gem::Requirement
+  requirement: &70245146673180 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -65,10 +65,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70155235889180
+  version_requirements: *70245146673180
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70155235888640 !ruby/object:Gem::Requirement
+  requirement: &70245146672260 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -76,10 +76,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70155235888640
+  version_requirements: *70245146672260
 - !ruby/object:Gem::Dependency
   name: awesome_print
-  requirement: &70155235888120 !ruby/object:Gem::Requirement
+  requirement: &70245146671740 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,7 +87,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70155235888120
+  version_requirements: *70245146671740
 description: dump headers, sections, extract resources of win32 PE exe,dll,etc
 email: zed.0xff@gmail.com
 executables:
@@ -115,9 +115,12 @@ files:
 - lib/pedump.rb
 - lib/pedump/cli.rb
 - lib/pedump/composite_io.rb
+- lib/pedump/core.rb
 - lib/pedump/packer.rb
 - lib/pedump/pe.rb
+- lib/pedump/resources.rb
 - lib/pedump/sig_parser.rb
+- lib/pedump/tls.rb
 - lib/pedump/version.rb
 - lib/pedump/version_info.rb
 - pedump.gemspec
@@ -130,6 +133,7 @@ files:
 - spec/foldedhdr_spec.rb
 - spec/imports_badterm_spec.rb
 - spec/imports_vterm_spec.rb
+- spec/manyimportsW7_spec.rb
 - spec/pe_spec.rb
 - spec/pedump_spec.rb
 - spec/resource_spec.rb
@@ -152,7 +156,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2848967461238967885
+      hash: -576155968655045053
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: