RubyGems - pedump - Versions diffs - 0.4.3 → 0.4.4 - Mend

pedump 0.4.3 → 0.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

data/VERSION CHANGED

	@@ -1 +1 @@
1	- 0.4.3
1	+ 0.4.4

data/lib/pedump.rb CHANGED

@@ -1,43 +1,16 @@
 #!/usr/bin/env ruby
-require 'logger'
 require 'stringio'
-require 'pedump/composite_io'
+require 'pedump/core'
 require 'pedump/pe'
-require 'pedump/version'
+require 'pedump/resources'
+require 'pedump/version_info'
+require 'pedump/tls'
 # pedump.rb by zed_0xff
 #
 #   http://zed.0xff.me
 #   http://github.com/zed-0xff
-class String
-  def xor x
-    if x.is_a?(String)
-      r = ''
-      j = 0
-      0.upto(self.size-1) do |i|
-        r << (self[i].ord^x[j].ord).chr
-        j+=1
-        j=0 if j>= x.size
-      end
-      r
-    else
-      r = ''
-      0.upto(self.size-1) do |i|
-        r << (self[i].ord^x).chr
-      end
-      r
-    end
-  end
-end
-class File
-  def checked_seek newpos
-    @file_range ||= (0..size)
-    @file_range.include?(newpos) && (seek(newpos) || true)
-  end
-end
 class PEdump
   attr_accessor :fname, :logger, :force
@@ -51,66 +24,6 @@ class PEdump
     @logger = @@logger = params[:logger] || PEdump::Logger.new(STDERR)
   end
-  class Logger < ::Logger
-    def initialize *args
-      super
-      @formatter = proc do |severity,_,_,msg|
-        # quick and dirty way to remove duplicate messages
-        if @prevmsg == msg && severity != 'DEBUG' && severity != 'INFO'
-          ''
-        else
-          @prevmsg = msg
-          "#{msg}\n"
-        end
-      end
-      @level = Logger::WARN
-    end
-  end
-  module Readable
-    def read file, size = nil
-      size ||= const_get 'SIZE'
-      data = file.read(size).to_s
-      if data.size < size && PEdump.logger
-        PEdump.logger.error "[!] #{self.to_s} want #{size} bytes, got #{data.size}"
-      end
-      new(*data.unpack(const_get('FORMAT')))
-    end
-  end
-  class << self
-    def logger;    @@logger;   end
-    def logger= l; @@logger=l; end
-    def create_struct fmt, *args
-      size = fmt.scan(/([a-z])(\d*)/i).map do |f,len|
-        [len.to_i, 1].max *
-          case f
-          when /[aAC]/ then 1
-          when 'v' then 2
-          when 'V' then 4
-          when 'Q' then 8
-          else raise "unknown fmt #{f.inspect}"
-          end
-      end.inject(&:+)
-      Struct.new( *args ).tap do |x|
-        x.const_set 'FORMAT', fmt
-        x.const_set 'SIZE',  size
-        x.class_eval do
-          def pack
-            to_a.pack self.class.const_get('FORMAT')
-          end
-          def empty?
-            to_a.all?{ |t| t == 0 || t.nil? || t.to_s.tr("\x00","").empty? }
-          end
-        end
-        x.extend Readable
-      end
-    end
-  end
   # http://www.delorie.com/djgpp/doc/exe/
   MZ = create_struct( "a2v13Qv2V6",
     :signature,
@@ -448,8 +361,37 @@ class PEdump
       end
   end
-  def resource_directory f=nil
-    @resource_directory ||= _read_resource_directory_tree(f)
+  def va2file va
+    return nil if va.nil?
+    sections.each do |s|
+      if (s.VirtualAddress...(s.VirtualAddress+s.VirtualSize)).include?(va)
+        return va - s.VirtualAddress + s.PointerToRawData
+      end
+    end
+    # not found with regular search. assume any of VirtualSize was 0, and try with RawSize
+    sections.each do |s|
+      if (s.VirtualAddress...(s.VirtualAddress+s.SizeOfRawData)).include?(va)
+        return va - s.VirtualAddress + s.PointerToRawData
+      end
+    end
+    # still not found, bad/zero VirtualSizes & RawSizes ?
+    # a special case - PE without sections
+    return va if sections.empty?
+    # check if only one section
+    if sections.size == 1 || sections.all?{ |s| s.VirtualAddress.to_i == 0 }
+      s = sections.first
+      return va - s.VirtualAddress + s.PointerToRawData
+    end
+    # TODO: not all VirtualAdresses == 0 case
+    logger.error "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)}"
+    nil
   end
   # OPTIONAL: assigns @mz, @rich_hdr, @pe, etc
@@ -499,14 +441,34 @@ class PEdump
     return nil unless pe(f) && pe(f).ioh && f
     dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::IMPORT]
     return [] if !dir || (dir.va == 0 && dir.size == 0)
-    va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::IMPORT].va
-    file_offset = va2file(va)
+    file_offset = va2file(dir.va)
     return nil unless file_offset
+    # scan TLS first, to catch many fake imports trick from
+    # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/manyimportsW7.asm
+    tls_aoi = nil
+    if (tls = tls(f)) && tls.any?
+      tls_aoi = tls.first.AddressOfIndex.to_i - @pe.ioh.ImageBase.to_i
+      tls_aoi = tls_aoi > 0 ? va2file(tls_aoi) : nil
+    end
     f.seek file_offset
     r = []
-    until (t=IMAGE_IMPORT_DESCRIPTOR.read(f)).Name.to_i == 0
+    while true
+      if tls_aoi && tls_aoi == file_offset+16
+        # catched the neat trick! :)
+        # f.tell + 12  =  offset of 'FirstThunk' field from start of IMAGE_IMPORT_DESCRIPTOR structure
+        logger.warn "[!] catched the 'imports terminator in TLS trick'"
+        # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/manyimportsW7.asm
+        break
+      end
+      t=IMAGE_IMPORT_DESCRIPTOR.read(f)
+      break if t.Name.to_i == 0 # also catches EOF
       r << t
+      file_offset += IMAGE_IMPORT_DESCRIPTOR::SIZE
+      break if r.size == 3
     end
     logger.warn "[?] non-empty last IMAGE_IMPORT_DESCRIPTOR: #{t.inspect}" unless t.empty?
     @imports = r.each do |x|
       if x.Name.to_i != 0 && (va = va2file(x.Name))
@@ -643,356 +605,40 @@ class PEdump
   end
   ##############################################################################
-  # resources
+  # TLS
   ##############################################################################
-  IMAGE_RESOURCE_DIRECTORY = create_struct 'V2v4',
-    :Characteristics, :TimeDateStamp, # 2dw
-    :MajorVersion, :MinorVersion, :NumberOfNamedEntries, :NumberOfIdEntries, # 4w
-    :entries # manual
-  class IMAGE_RESOURCE_DIRECTORY
-    class << self
-      attr_accessor :base
-      alias :read_without_children :read
-      def read f, root=true
-        if root
-          @@loopchk1 = Hash.new(0)
-          @@loopchk2 = Hash.new(0)
-          @@loopchk3 = Hash.new(0)
-        elsif (@@loopchk1[f.tell] += 1) > 1
-          PEdump.logger.error "[!] #{self}: loop1 detected at file pos #{f.tell}" if @@loopchk1[f.tell] < 2
+  def tls f=nil
+    @tls ||= pe(f) && pe(f).ioh && f &&
+      begin
+        dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::TLS]
+        return nil if !dir || dir.va == 0
+        return nil unless file_offset = va2file(dir.va)
+        f.seek file_offset
+        if f.eof?
+          logger.info "[?] TLS info beyond EOF"
           return nil
         end
-        read_without_children(f).tap do |r|
-          nToRead = r.NumberOfNamedEntries.to_i + r.NumberOfIdEntries.to_i
-          r.entries = []
-          nToRead.times do |i|
-            if f.eof?
-              PEdump.logger.error "[!] #{self}: #{nToRead} entries in directory, but got EOF on #{i}-th."
-              break
-            end
-            if (@@loopchk2[f.tell] += 1) > 1
-              PEdump.logger.error "[!] #{self}: loop2 detected at file pos #{f.tell}" if @@loopchk2[f.tell] < 2
-              next
-            end
-            r.entries << IMAGE_RESOURCE_DIRECTORY_ENTRY.read(f)
-          end
-          #r.entries.uniq!
-          r.entries.each do |entry|
-            entry.name =
-              if entry.Name.to_i & 0x8000_0000 > 0
-                # Name is an address of unicode string
-                f.seek base + entry.Name & 0x7fff_ffff
-                nChars = f.read(2).to_s.unpack("v").first.to_i
-                begin
-                  f.read(nChars*2).force_encoding('UTF-16LE').encode!('UTF-8')
-                rescue
-                  PEdump.logger.error "[!] #{self} failed to read entry name: #{$!}"
-                  "???"
-                end
-              else
-                # Name is a numeric id
-                "##{entry.Name}"
-              end
-            if entry.OffsetToData && f.checked_seek(base + entry.OffsetToData & 0x7fff_ffff)
-              if (@@loopchk3[f.tell] += 1) > 1
-                PEdump.logger.error "[!] #{self}: loop3 detected at file pos #{f.tell}" if @@loopchk3[f.tell] < 2
-                next
-              end
-              entry.data =
-                if entry.OffsetToData & 0x8000_0000 > 0
-                  # child is a directory
-                  IMAGE_RESOURCE_DIRECTORY.read(f,false)
-                else
-                  # child is a resource
-                  IMAGE_RESOURCE_DATA_ENTRY.read(f)
-                end
-            end
-          end
-          @@loopchk1 = @@loopchk2 = @@loopchk3 = nil if root # save some memory
-        end
-      end
-    end
-  end
-  IMAGE_RESOURCE_DIRECTORY_ENTRY = create_struct 'V2',
-    :Name, :OffsetToData,
-    :name, :data
-  IMAGE_RESOURCE_DATA_ENTRY = create_struct 'V4',
-    :OffsetToData, :Size, :CodePage, :Reserved
+        start_offset = f.tell
-  def va2file va
-    return nil if va.nil?
-    sections.each do |s|
-      if (s.VirtualAddress...(s.VirtualAddress+s.VirtualSize)).include?(va)
-        return va - s.VirtualAddress + s.PointerToRawData
-      end
-    end
-    # not found with regular search. assume any of VirtualSize was 0, and try with RawSize
-    sections.each do |s|
-      if (s.VirtualAddress...(s.VirtualAddress+s.SizeOfRawData)).include?(va)
-        return va - s.VirtualAddress + s.PointerToRawData
-      end
-    end
-    # still not found, bad/zero VirtualSizes & RawSizes ?
-    # a special case - PE without sections
-    return va if sections.empty?
-    # check if only one section
-    if sections.size == 1 || sections.all?{ |s| s.VirtualAddress.to_i == 0 }
-      s = sections.first
-      return va - s.VirtualAddress + s.PointerToRawData
-    end
-    # TODO: not all VirtualAdresses == 0 case
-    logger.error "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)}"
-    nil
-  end
-  def _read_resource_directory_tree f
-    return nil unless pe(f) && pe(f).ioh && f
-    res_dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::RESOURCE]
-    return [] if !res_dir || (res_dir.va == 0 && res_dir.size == 0)
-    res_va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::RESOURCE].va
-    res_section = @pe.section_table.find{ |t| t.VirtualAddress == res_va }
-    unless res_section
-      logger.warn "[?] can't find resource section for va=0x#{res_va.to_s(16)}"
-      return []
-    end
-    f.seek res_section.PointerToRawData
-    IMAGE_RESOURCE_DIRECTORY.base = res_section.PointerToRawData
-    #@resource_data_base = res_section.PointerToRawData - res_section.VirtualAddress
-    IMAGE_RESOURCE_DIRECTORY.read(f)
-  end
-  class Resource < Struct.new(:type, :name, :id, :lang, :file_offset, :size, :cp, :reserved, :data, :valid)
-    def bitmap_hdr
-      bmp_info_hdr = data.find{ |x| x.is_a?(BITMAPINFOHEADER) }
-      raise "no BITMAPINFOHEADER for #{self.type} #{self.name}" unless bmp_info_hdr
-      bmp_info_hdr.biHeight/=2 if %w'ICON CURSOR'.include?(type)
-      colors_used = bmp_info_hdr.biClrUsed
-      colors_used = 2**bmp_info_hdr.biBitCount if colors_used == 0 && bmp_info_hdr.biBitCount < 16
-      # XXX: one byte in each color is unused!
-      @palette_size = colors_used * 4 # each color takes 4 bytes
-      # scanlines are DWORD-aligned and padded to DWORD-align with zeroes
-      # XXX: some data may be hidden in padding bytes!
-      scanline_size = bmp_info_hdr.biWidth * bmp_info_hdr.biBitCount / 8
-      scanline_size += (4-scanline_size%4) if scanline_size % 4 > 0
-      @imgdata_size = scanline_size * bmp_info_hdr.biHeight
-      "BM" + [
-        BITMAPINFOHEADER::SIZE + 14 + @palette_size + @imgdata_size,
-        0,
-        BITMAPINFOHEADER::SIZE + 14 + @palette_size
-      ].pack("V3") + bmp_info_hdr.pack
-    ensure
-      bmp_info_hdr.biHeight*=2 if %w'ICON CURSOR'.include?(type)
-    end
-    # only valid for types BITMAP, ICON & CURSOR
-    def restore_bitmap src_fname
-      File.open(src_fname, "rb") do |f|
-        parse f
-        if data.first == "PNG"
-          "\x89PNG" +f.read(self.size-4)
-        else
-          bitmap_hdr + f.read(@palette_size + @imgdata_size)
-        end
-      end
-    end
-    def bitmap_mask src_fname
-      File.open(src_fname, "rb") do |f|
-        parse f
-        bmp_info_hdr = bitmap_hdr
-        bitmap_size = BITMAPINFOHEADER::SIZE + @palette_size + @imgdata_size
-        return nil if bitmap_size >= self.size
-        mask_size = self.size - bitmap_size
-        f.seek file_offset + bitmap_size
-        bmp_info_hdr = BITMAPINFOHEADER.new(*bmp_info_hdr[14..-1].unpack(BITMAPINFOHEADER::FORMAT))
-        bmp_info_hdr.biBitCount = 1
-        bmp_info_hdr.biCompression = bmp_info_hdr.biSizeImage = 0
-        bmp_info_hdr.biClrUsed = bmp_info_hdr.biClrImportant = 2
-        palette = [0,0xffffff].pack('V2')
-        @palette_size = palette.size
-        "BM" + [
-          BITMAPINFOHEADER::SIZE + 14 + @palette_size + mask_size,
-          0,
-          BITMAPINFOHEADER::SIZE + 14 + @palette_size
-        ].pack("V3") + bmp_info_hdr.pack + palette + f.read(mask_size)
-      end
-    end
-    # also sets the file position for restore_bitmap next call
-    def parse f
-      raise "called parse with type not set" unless self.type
-      #return if self.data
-      self.data = []
-      case type
-      when 'BITMAP','ICON'
-        f.seek file_offset
-        if f.read(4) == "\x89PNG"
-          data << 'PNG'
-        else
-          f.seek file_offset
-          data << BITMAPINFOHEADER.read(f)
-        end
-      when 'CURSOR'
-        f.seek file_offset
-        data << CURSOR_HOTSPOT.read(f)
-        data << BITMAPINFOHEADER.read(f)
-      when 'GROUP_CURSOR'
-        f.seek file_offset
-        data << CUR_ICO_HEADER.read(f)
-        nRead = CUR_ICO_HEADER::SIZE
-        data.last.wNumImages.to_i.times do
-          if nRead >= self.size
-            PEdump.logger.error "[!] refusing to read CURDIRENTRY beyond resource size"
-            break
-          end
-          data  << CURDIRENTRY.read(f)
-          nRead += CURDIRENTRY::SIZE
-        end
-      when 'GROUP_ICON'
-        f.seek file_offset
-        data << CUR_ICO_HEADER.read(f)
-        nRead = CUR_ICO_HEADER::SIZE
-        data.last.wNumImages.to_i.times do
-          if nRead >= self.size
-            PEdump.logger.error "[!] refusing to read ICODIRENTRY beyond resource size"
+        klass = @pe.x64? ? IMAGE_TLS_DIRECTORY64 : IMAGE_TLS_DIRECTORY32
+        r = []
+        while !f.eof? && (entry = klass.read(f))
+          if entry.AddressOfCallBacks.to_i == 0
+            logger.warn "[?] non-empty TLS terminator: #{entry.inspect}" unless entry.empty?
             break
           end
-          data  << ICODIRENTRY.read(f)
-          nRead += ICODIRENTRY::SIZE
-        end
-      when 'STRING'
-        f.seek file_offset
-        16.times do
-          break if f.tell >= file_offset+self.size
-          nChars = f.read(2).to_s.unpack('v').first.to_i
-          t =
-            if nChars*2 + 1 > self.size
-              # TODO: if it's not 1st string in table then truncated size must be less
-              PEdump.logger.error "[!] string size(#{nChars*2}) > stringtable size(#{self.size}). truncated to #{self.size-2}"
-              f.read(self.size-2)
-            else
-              f.read(nChars*2)
-            end
-          data <<
-            begin
-              t.force_encoding('UTF-16LE').encode!('UTF-8')
-            rescue
-              t.force_encoding('ASCII')
-              tt = t.size > 0x10 ? t[0,0x10].inspect+'...' : t.inspect
-              PEdump.logger.error "[!] cannot convert #{tt} to UTF-16"
-              [nChars,t].pack('va*')
-            end
+          r << entry
+          break if dir.size > 0 && f.tell >= (start_offset+dir.size)
         end
-        # XXX: check if readed strings summary length is less than resource data length
-      when 'VERSION'
-        require 'pedump/version_info'
-        f.seek file_offset
-        data << PEdump::VS_VERSIONINFO.read(f)
-      end
-      data.delete_if do |x|
-        valid = !x.respond_to?(:valid?) || x.valid?
-        PEdump.logger.warn "[?] ignoring invalid #{x.class}" unless valid
-        !valid
+        r
       end
-    ensure
-      validate
-    end
-    def validate
-      self.valid =
-        case type
-        when 'BITMAP','ICON','CURSOR'
-          data.any?{ |x| x.is_a?(BITMAPINFOHEADER) && x.valid? } || data.first == 'PNG'
-        else
-          true
-        end
-    end
   end
-  STRING = Struct.new(:id, :lang, :value)
-  def strings f=nil
-    r = []
-    Array(resources(f)).find_all{ |x| x.type == 'STRING'}.each do |res|
-      res.data.each_with_index do |string,idx|
-        r << STRING.new( ((res.id-1)<<4) + idx, res.lang, string ) unless string.empty?
-      end
-    end
-    r
-  end
-  # see also http://www.informit.com/articles/article.aspx?p=1186882 about icons format
-  class BITMAPINFOHEADER < create_struct 'V3v2V6',
-    :biSize,          # BITMAPINFOHEADER::SIZE
-    :biWidth,
-    :biHeight,
-    :biPlanes,
-    :biBitCount,
-    :biCompression,
-    :biSizeImage,
-    :biXPelsPerMeter,
-    :biYPelsPerMeter,
-    :biClrUsed,
-    :biClrImportant
-    def valid?
-      self.biSize == 40
-    end
-  end
-  # http://www.devsource.com/c/a/Architecture/Resources-From-PE-I/2/
-  CUR_ICO_HEADER = create_struct('v3',
-    :wReserved, # always 0
-    :wResID,    # always 2
-    :wNumImages # Number of cursor images/directory entries
-  )
-  CURDIRENTRY = create_struct 'v4Vv',
-    :wWidth,
-    :wHeight, # Divide by 2 to get the actual height.
-    :wPlanes,
-    :wBitCount,
-    :dwBytesInImage,
-    :wID
-  CURSOR_HOTSPOT = create_struct 'v2', :x, :y
-  ICODIRENTRY = create_struct 'C4v2Vv',
-    :bWidth,
-    :bHeight,
-    :bColors,
-    :bReserved,
-    :wPlanes,
-    :wBitCount,
-    :dwBytesInImage,
-    :wID
-  ROOT_RES_NAMES = [nil] + # numeration is started from 1
-    %w'CURSOR BITMAP ICON MENU DIALOG STRING FONTDIR FONT ACCELERATORS RCDATA' +
-    %w'MESSAGETABLE GROUP_CURSOR' + [nil] + %w'GROUP_ICON' + [nil] +
-    %w'VERSION DLGINCLUDE' + [nil] + %w'PLUGPLAY VXD ANICURSOR ANIICON HTML MANIFEST'
+  ##############################################################################
+  # resources
+  ##############################################################################
   def resources f=nil
     @resources ||= _scan_resources(f)
@@ -1002,48 +648,9 @@ class PEdump
     resources(f) && resources(f).find_all{ |res| res.type == 'VERSION' }.map(&:data).flatten
   end
-  def _scan_resources f=nil, dir=nil
-    dir ||= resource_directory(f)
-    return nil unless dir
-    dir.entries.map do |entry|
-      case entry.data
-        when IMAGE_RESOURCE_DIRECTORY
-          if dir == @resource_directory # root resource directory
-            entry_type =
-              if entry.Name & 0x8000_0000 == 0
-                # root resource directory & entry name is a number
-                ROOT_RES_NAMES[entry.Name] || entry.name
-              else
-                entry.name
-              end
-            _scan_resources(f,entry.data).each do |res|
-              res.type = entry_type
-              res.parse f
-            end
-          else
-            _scan_resources(f,entry.data).each do |res|
-              res.name = res.name == "##{res.lang}" ? entry.name : "#{entry.name} / #{res.name}"
-              res.id ||= entry.Name if entry.Name.is_a?(Numeric) && entry.Name < 0x8000_0000
-            end
-          end
-        when IMAGE_RESOURCE_DATA_ENTRY
-          Resource.new(
-            nil,          # type
-            entry.name,
-            nil,          # id
-            entry.Name,   # lang
-            #entry.data.OffsetToData + @resource_data_base,
-            va2file(entry.data.OffsetToData),
-            entry.data.Size,
-            entry.data.CodePage,
-            entry.data.Reserved
-          )
-        else
-          logger.error "[!] invalid resource entry: #{entry.data.inspect}"
-          nil
-      end
-    end.flatten.compact
-  end
+  ##############################################################################
+  # packer / compiler detection
+  ##############################################################################
   def packer f = nil
     @packer ||= pe(f) && @pe.ioh &&

data/lib/pedump/cli.rb CHANGED

@@ -1,5 +1,6 @@
 require 'pedump'
 require 'pedump/packer'
+require 'pedump/version_info'
 require 'optparse'
 unless Object.instance_methods.include?(:try)
@@ -14,7 +15,7 @@ class PEdump::CLI
   attr_accessor :data, :argv
   KNOWN_ACTIONS = (
-    %w'mz dos_stub rich pe data_directory sections' +
+    %w'mz dos_stub rich pe data_directory sections tls' +
     %w'strings resources resource_directory imports exports version_info packer web packer_only'
   ).map(&:to_sym)
@@ -400,6 +401,8 @@ class PEdump::CLI
         dump_packers data
       when PEdump::VS_VERSIONINFO
         dump_version_info data
+      when PEdump::IMAGE_TLS_DIRECTORY32, PEdump::IMAGE_TLS_DIRECTORY64
+        dump_tls data
       else
         puts "[?] don't know how to dump: #{data.inspect[0,50]}" unless data.empty?
       end
@@ -412,6 +415,20 @@ class PEdump::CLI
     end
   end
+  def dump_tls data
+    fmt = "%10x %10x %8x  %8x  %8x  %8x\n"
+    printf fmt.tr('x','s'), *%w'RAW_START RAW_END INDEX CALLBKS ZEROFILL FLAGS'
+    data.each do |tls|
+      printf fmt,
+        tls.StartAddressOfRawData,
+        tls.EndAddressOfRawData,
+        tls.AddressOfIndex,
+        tls.AddressOfCallBacks,
+        tls.SizeOfZeroFill,
+        tls.Characteristics
+    end
+  end
   def dump_version_info data
     if @options[:format] != :table
       File.open(@file_name,'rb') do |f|

data/lib/pedump/core.rb ADDED

@@ -0,0 +1,91 @@
+require 'logger'
+require 'pedump/version'
+class String
+  def xor x
+    if x.is_a?(String)
+      r = ''
+      j = 0
+      0.upto(self.size-1) do |i|
+        r << (self[i].ord^x[j].ord).chr
+        j+=1
+        j=0 if j>= x.size
+      end
+      r
+    else
+      r = ''
+      0.upto(self.size-1) do |i|
+        r << (self[i].ord^x).chr
+      end
+      r
+    end
+  end
+end
+class File
+  def checked_seek newpos
+    @file_range ||= (0..size)
+    @file_range.include?(newpos) && (seek(newpos) || true)
+  end
+end
+class PEdump
+  class Logger < ::Logger
+    def initialize *args
+      super
+      @formatter = proc do |severity,_,_,msg|
+        # quick and dirty way to remove duplicate messages
+        if @prevmsg == msg && severity != 'DEBUG' && severity != 'INFO'
+          ''
+        else
+          @prevmsg = msg
+          "#{msg}\n"
+        end
+      end
+      @level = Logger::WARN
+    end
+  end
+  module Readable
+    def read file, size = nil
+      size ||= const_get 'SIZE'
+      data = file.read(size).to_s
+      if data.size < size && PEdump.logger
+        PEdump.logger.error "[!] #{self.to_s} want #{size} bytes, got #{data.size}"
+      end
+      new(*data.unpack(const_get('FORMAT')))
+    end
+  end
+  class << self
+    def logger;    @@logger;   end
+    def logger= l; @@logger=l; end
+    def create_struct fmt, *args
+      size = fmt.scan(/([a-z])(\d*)/i).map do |f,len|
+        [len.to_i, 1].max *
+          case f
+          when /[aAC]/ then 1
+          when 'v' then 2
+          when 'V' then 4
+          when 'Q' then 8
+          else raise "unknown fmt #{f.inspect}"
+          end
+      end.inject(&:+)
+      Struct.new( *args ).tap do |x|
+        x.const_set 'FORMAT', fmt
+        x.const_set 'SIZE',  size
+        x.class_eval do
+          def pack
+            to_a.pack self.class.const_get('FORMAT')
+          end
+          def empty?
+            to_a.all?{ |t| t == 0 || t.nil? || t.to_s.tr("\x00","").empty? }
+          end
+        end
+        x.extend Readable
+      end
+    end
+  end
+end

data/lib/pedump/pe.rb CHANGED

@@ -1,3 +1,5 @@
+require 'pedump/composite_io'
 class PEdump
   class PE < Struct.new(
     :signature,             # "PE\x00\x00"

data/lib/pedump/resources.rb ADDED

@@ -0,0 +1,364 @@
+class PEdump
+  def resource_directory f=nil
+    @resource_directory ||= _read_resource_directory_tree(f)
+  end
+  def _read_resource_directory_tree f
+    return nil unless pe(f) && pe(f).ioh && f
+    res_dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::RESOURCE]
+    return [] if !res_dir || (res_dir.va == 0 && res_dir.size == 0)
+    res_va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::RESOURCE].va
+    res_section = @pe.section_table.find{ |t| t.VirtualAddress == res_va }
+    unless res_section
+      logger.warn "[?] can't find resource section for va=0x#{res_va.to_s(16)}"
+      return []
+    end
+    f.seek res_section.PointerToRawData
+    IMAGE_RESOURCE_DIRECTORY.base = res_section.PointerToRawData
+    #@resource_data_base = res_section.PointerToRawData - res_section.VirtualAddress
+    IMAGE_RESOURCE_DIRECTORY.read(f)
+  end
+  class Resource < Struct.new(:type, :name, :id, :lang, :file_offset, :size, :cp, :reserved, :data, :valid)
+    def bitmap_hdr
+      bmp_info_hdr = data.find{ |x| x.is_a?(BITMAPINFOHEADER) }
+      raise "no BITMAPINFOHEADER for #{self.type} #{self.name}" unless bmp_info_hdr
+      bmp_info_hdr.biHeight/=2 if %w'ICON CURSOR'.include?(type)
+      colors_used = bmp_info_hdr.biClrUsed
+      colors_used = 2**bmp_info_hdr.biBitCount if colors_used == 0 && bmp_info_hdr.biBitCount < 16
+      # XXX: one byte in each color is unused!
+      @palette_size = colors_used * 4 # each color takes 4 bytes
+      # scanlines are DWORD-aligned and padded to DWORD-align with zeroes
+      # XXX: some data may be hidden in padding bytes!
+      scanline_size = bmp_info_hdr.biWidth * bmp_info_hdr.biBitCount / 8
+      scanline_size += (4-scanline_size%4) if scanline_size % 4 > 0
+      @imgdata_size = scanline_size * bmp_info_hdr.biHeight
+      "BM" + [
+        BITMAPINFOHEADER::SIZE + 14 + @palette_size + @imgdata_size,
+        0,
+        BITMAPINFOHEADER::SIZE + 14 + @palette_size
+      ].pack("V3") + bmp_info_hdr.pack
+    ensure
+      bmp_info_hdr.biHeight*=2 if %w'ICON CURSOR'.include?(type)
+    end
+    # only valid for types BITMAP, ICON & CURSOR
+    def restore_bitmap src_fname
+      File.open(src_fname, "rb") do |f|
+        parse f
+        if data.first == "PNG"
+          "\x89PNG" +f.read(self.size-4)
+        else
+          bitmap_hdr + f.read(@palette_size + @imgdata_size)
+        end
+      end
+    end
+    def bitmap_mask src_fname
+      File.open(src_fname, "rb") do |f|
+        parse f
+        bmp_info_hdr = bitmap_hdr
+        bitmap_size = BITMAPINFOHEADER::SIZE + @palette_size + @imgdata_size
+        return nil if bitmap_size >= self.size
+        mask_size = self.size - bitmap_size
+        f.seek file_offset + bitmap_size
+        bmp_info_hdr = BITMAPINFOHEADER.new(*bmp_info_hdr[14..-1].unpack(BITMAPINFOHEADER::FORMAT))
+        bmp_info_hdr.biBitCount = 1
+        bmp_info_hdr.biCompression = bmp_info_hdr.biSizeImage = 0
+        bmp_info_hdr.biClrUsed = bmp_info_hdr.biClrImportant = 2
+        palette = [0,0xffffff].pack('V2')
+        @palette_size = palette.size
+        "BM" + [
+          BITMAPINFOHEADER::SIZE + 14 + @palette_size + mask_size,
+          0,
+          BITMAPINFOHEADER::SIZE + 14 + @palette_size
+        ].pack("V3") + bmp_info_hdr.pack + palette + f.read(mask_size)
+      end
+    end
+    # also sets the file position for restore_bitmap next call
+    def parse f
+      raise "called parse with type not set" unless self.type
+      #return if self.data
+      self.data = []
+      case type
+      when 'BITMAP','ICON'
+        f.seek file_offset
+        if f.read(4) == "\x89PNG"
+          data << 'PNG'
+        else
+          f.seek file_offset
+          data << BITMAPINFOHEADER.read(f)
+        end
+      when 'CURSOR'
+        f.seek file_offset
+        data << CURSOR_HOTSPOT.read(f)
+        data << BITMAPINFOHEADER.read(f)
+      when 'GROUP_CURSOR'
+        f.seek file_offset
+        data << CUR_ICO_HEADER.read(f)
+        nRead = CUR_ICO_HEADER::SIZE
+        data.last.wNumImages.to_i.times do
+          if nRead >= self.size
+            PEdump.logger.error "[!] refusing to read CURDIRENTRY beyond resource size"
+            break
+          end
+          data  << CURDIRENTRY.read(f)
+          nRead += CURDIRENTRY::SIZE
+        end
+      when 'GROUP_ICON'
+        f.seek file_offset
+        data << CUR_ICO_HEADER.read(f)
+        nRead = CUR_ICO_HEADER::SIZE
+        data.last.wNumImages.to_i.times do
+          if nRead >= self.size
+            PEdump.logger.error "[!] refusing to read ICODIRENTRY beyond resource size"
+            break
+          end
+          data  << ICODIRENTRY.read(f)
+          nRead += ICODIRENTRY::SIZE
+        end
+      when 'STRING'
+        f.seek file_offset
+        16.times do
+          break if f.tell >= file_offset+self.size
+          nChars = f.read(2).to_s.unpack('v').first.to_i
+          t =
+            if nChars*2 + 1 > self.size
+              # TODO: if it's not 1st string in table then truncated size must be less
+              PEdump.logger.error "[!] string size(#{nChars*2}) > stringtable size(#{self.size}). truncated to #{self.size-2}"
+              f.read(self.size-2)
+            else
+              f.read(nChars*2)
+            end
+          data <<
+            begin
+              t.force_encoding('UTF-16LE').encode!('UTF-8')
+            rescue
+              t.force_encoding('ASCII')
+              tt = t.size > 0x10 ? t[0,0x10].inspect+'...' : t.inspect
+              PEdump.logger.error "[!] cannot convert #{tt} to UTF-16"
+              [nChars,t].pack('va*')
+            end
+        end
+        # XXX: check if readed strings summary length is less than resource data length
+      when 'VERSION'
+        require 'pedump/version_info'
+        f.seek file_offset
+        data << PEdump::VS_VERSIONINFO.read(f)
+      end
+      data.delete_if do |x|
+        valid = !x.respond_to?(:valid?) || x.valid?
+        PEdump.logger.warn "[?] ignoring invalid #{x.class}" unless valid
+        !valid
+      end
+    ensure
+      validate
+    end
+    def validate
+      self.valid =
+        case type
+        when 'BITMAP','ICON','CURSOR'
+          data.any?{ |x| x.is_a?(BITMAPINFOHEADER) && x.valid? } || data.first == 'PNG'
+        else
+          true
+        end
+    end
+  end
+  STRING = Struct.new(:id, :lang, :value)
+  def strings f=nil
+    r = []
+    Array(resources(f)).find_all{ |x| x.type == 'STRING'}.each do |res|
+      res.data.each_with_index do |string,idx|
+        r << STRING.new( ((res.id-1)<<4) + idx, res.lang, string ) unless string.empty?
+      end
+    end
+    r
+  end
+  # see also http://www.informit.com/articles/article.aspx?p=1186882 about icons format
+  class BITMAPINFOHEADER < create_struct 'V3v2V6',
+    :biSize,          # BITMAPINFOHEADER::SIZE
+    :biWidth,
+    :biHeight,
+    :biPlanes,
+    :biBitCount,
+    :biCompression,
+    :biSizeImage,
+    :biXPelsPerMeter,
+    :biYPelsPerMeter,
+    :biClrUsed,
+    :biClrImportant
+    def valid?
+      self.biSize == 40
+    end
+  end
+  # http://www.devsource.com/c/a/Architecture/Resources-From-PE-I/2/
+  CUR_ICO_HEADER = create_struct('v3',
+    :wReserved, # always 0
+    :wResID,    # always 2
+    :wNumImages # Number of cursor images/directory entries
+  )
+  CURDIRENTRY = create_struct 'v4Vv',
+    :wWidth,
+    :wHeight, # Divide by 2 to get the actual height.
+    :wPlanes,
+    :wBitCount,
+    :dwBytesInImage,
+    :wID
+  CURSOR_HOTSPOT = create_struct 'v2', :x, :y
+  ICODIRENTRY = create_struct 'C4v2Vv',
+    :bWidth,
+    :bHeight,
+    :bColors,
+    :bReserved,
+    :wPlanes,
+    :wBitCount,
+    :dwBytesInImage,
+    :wID
+  ROOT_RES_NAMES = [nil] + # numeration is started from 1
+    %w'CURSOR BITMAP ICON MENU DIALOG STRING FONTDIR FONT ACCELERATORS RCDATA' +
+    %w'MESSAGETABLE GROUP_CURSOR' + [nil] + %w'GROUP_ICON' + [nil] +
+    %w'VERSION DLGINCLUDE' + [nil] + %w'PLUGPLAY VXD ANICURSOR ANIICON HTML MANIFEST'
+  IMAGE_RESOURCE_DIRECTORY_ENTRY = create_struct 'V2',
+    :Name, :OffsetToData,
+    :name, :data
+  IMAGE_RESOURCE_DATA_ENTRY = create_struct 'V4',
+    :OffsetToData, :Size, :CodePage, :Reserved
+  IMAGE_RESOURCE_DIRECTORY = create_struct 'V2v4',
+    :Characteristics, :TimeDateStamp, # 2dw
+    :MajorVersion, :MinorVersion, :NumberOfNamedEntries, :NumberOfIdEntries, # 4w
+    :entries # manual
+  class IMAGE_RESOURCE_DIRECTORY
+    class << self
+      attr_accessor :base
+      alias :read_without_children :read
+      def read f, root=true
+        if root
+          @@loopchk1 = Hash.new(0)
+          @@loopchk2 = Hash.new(0)
+          @@loopchk3 = Hash.new(0)
+        elsif (@@loopchk1[f.tell] += 1) > 1
+          PEdump.logger.error "[!] #{self}: loop1 detected at file pos #{f.tell}" if @@loopchk1[f.tell] < 2
+          return nil
+        end
+        read_without_children(f).tap do |r|
+          nToRead = r.NumberOfNamedEntries.to_i + r.NumberOfIdEntries.to_i
+          r.entries = []
+          nToRead.times do |i|
+            if f.eof?
+              PEdump.logger.error "[!] #{self}: #{nToRead} entries in directory, but got EOF on #{i}-th."
+              break
+            end
+            if (@@loopchk2[f.tell] += 1) > 1
+              PEdump.logger.error "[!] #{self}: loop2 detected at file pos #{f.tell}" if @@loopchk2[f.tell] < 2
+              next
+            end
+            r.entries << IMAGE_RESOURCE_DIRECTORY_ENTRY.read(f)
+          end
+          #r.entries.uniq!
+          r.entries.each do |entry|
+            entry.name =
+              if entry.Name.to_i & 0x8000_0000 > 0
+                # Name is an address of unicode string
+                f.seek base + entry.Name & 0x7fff_ffff
+                nChars = f.read(2).to_s.unpack("v").first.to_i
+                begin
+                  f.read(nChars*2).force_encoding('UTF-16LE').encode!('UTF-8')
+                rescue
+                  PEdump.logger.error "[!] #{self} failed to read entry name: #{$!}"
+                  "???"
+                end
+              else
+                # Name is a numeric id
+                "##{entry.Name}"
+              end
+            if entry.OffsetToData && f.checked_seek(base + entry.OffsetToData & 0x7fff_ffff)
+              if (@@loopchk3[f.tell] += 1) > 1
+                PEdump.logger.error "[!] #{self}: loop3 detected at file pos #{f.tell}" if @@loopchk3[f.tell] < 2
+                next
+              end
+              entry.data =
+                if entry.OffsetToData & 0x8000_0000 > 0
+                  # child is a directory
+                  IMAGE_RESOURCE_DIRECTORY.read(f,false)
+                else
+                  # child is a resource
+                  IMAGE_RESOURCE_DATA_ENTRY.read(f)
+                end
+            end
+          end
+          @@loopchk1 = @@loopchk2 = @@loopchk3 = nil if root # save some memory
+        end
+      end
+    end
+  end
+  def _scan_resources f=nil, dir=nil
+    dir ||= resource_directory(f)
+    return nil unless dir
+    dir.entries.map do |entry|
+      case entry.data
+        when IMAGE_RESOURCE_DIRECTORY
+          if dir == @resource_directory # root resource directory
+            entry_type =
+              if entry.Name & 0x8000_0000 == 0
+                # root resource directory & entry name is a number
+                ROOT_RES_NAMES[entry.Name] || entry.name
+              else
+                entry.name
+              end
+            _scan_resources(f,entry.data).each do |res|
+              res.type = entry_type
+              res.parse f
+            end
+          else
+            _scan_resources(f,entry.data).each do |res|
+              res.name = res.name == "##{res.lang}" ? entry.name : "#{entry.name} / #{res.name}"
+              res.id ||= entry.Name if entry.Name.is_a?(Numeric) && entry.Name < 0x8000_0000
+            end
+          end
+        when IMAGE_RESOURCE_DATA_ENTRY
+          Resource.new(
+            nil,          # type
+            entry.name,
+            nil,          # id
+            entry.Name,   # lang
+            #entry.data.OffsetToData + @resource_data_base,
+            va2file(entry.data.OffsetToData),
+            entry.data.Size,
+            entry.data.CodePage,
+            entry.data.Reserved
+          )
+        else
+          logger.error "[!] invalid resource entry: #{entry.data.inspect}"
+          nil
+      end
+    end.flatten.compact
+  end
+end

data/lib/pedump/tls.rb ADDED

@@ -0,0 +1,17 @@
+class PEdump
+  IMAGE_TLS_DIRECTORY32 = create_struct 'V6',
+    :StartAddressOfRawData,
+    :EndAddressOfRawData,
+    :AddressOfIndex,
+    :AddressOfCallBacks,
+    :SizeOfZeroFill,
+    :Characteristics
+  IMAGE_TLS_DIRECTORY64 = create_struct 'Q4V2',
+    :StartAddressOfRawData,
+    :EndAddressOfRawData,
+    :AddressOfIndex,
+    :AddressOfCallBacks,
+    :SizeOfZeroFill,
+    :Characteristics
+end

data/lib/pedump/version.rb CHANGED

@@ -2,7 +2,7 @@ class PEdump
   module Version
     MAJOR = 0
     MINOR = 4
-    PATCH = 3
+    PATCH = 4
     BUILD = nil
     STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')

data/pedump.gemspec CHANGED

@@ -5,7 +5,7 @@
 Gem::Specification.new do |s|
   s.name = "pedump"
-  s.version = "0.4.3"
+  s.version = "0.4.4"
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Andrey \"Zed\" Zaikin"]
@@ -36,9 +36,12 @@ Gem::Specification.new do |s|
     "lib/pedump.rb",
     "lib/pedump/cli.rb",
     "lib/pedump/composite_io.rb",
+    "lib/pedump/core.rb",
     "lib/pedump/packer.rb",
     "lib/pedump/pe.rb",
+    "lib/pedump/resources.rb",
     "lib/pedump/sig_parser.rb",
+    "lib/pedump/tls.rb",
     "lib/pedump/version.rb",
     "lib/pedump/version_info.rb",
     "pedump.gemspec",
@@ -51,6 +54,7 @@ Gem::Specification.new do |s|
     "spec/foldedhdr_spec.rb",
     "spec/imports_badterm_spec.rb",
     "spec/imports_vterm_spec.rb",
+    "spec/manyimportsW7_spec.rb",
     "spec/pe_spec.rb",
     "spec/pedump_spec.rb",
     "spec/resource_spec.rb",

data/spec/manyimportsW7_spec.rb ADDED

@@ -0,0 +1,22 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+describe "corkami/manyimportsW7.exe" do
+  before :all do
+    @sample = sample
+  end
+  it "should have 2 imports" do
+    @sample.imports.size.should == 2
+    @sample.imports.map(&:module_name).should == %w'kernel32.dll msvcrt.dll'
+    @sample.imports.map do |iid|
+      (iid.original_first_thunk + iid.first_thunk).uniq.map(&:name)
+    end.flatten.should == ["ExitProcess", "printf"]
+  end
+  it "should have 1 TLS" do
+    @sample.tls.size.should == 1
+    @sample.tls.first.AddressOfIndex.should == 0x401148
+    @sample.tls.first.AddressOfCallBacks.should == 0x401100
+  end
+end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.4.3
+  version: 0.4.4
   prerelease:
 platform: ruby
 authors:
@@ -13,7 +13,7 @@ date: 2011-12-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multipart-post
-  requirement: &70155235875660 !ruby/object:Gem::Requirement
+  requirement: &70245146676060 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +21,10 @@ dependencies:
         version: 1.1.4
   type: :runtime
   prerelease: false
-  version_requirements: *70155235875660
+  version_requirements: *70245146676060
 - !ruby/object:Gem::Dependency
   name: progressbar
-  requirement: &70155235891480 !ruby/object:Gem::Requirement
+  requirement: &70245146675500 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +32,10 @@ dependencies:
         version: 0.9.2
   type: :runtime
   prerelease: false
-  version_requirements: *70155235891480
+  version_requirements: *70245146675500
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70155235890940 !ruby/object:Gem::Requirement
+  requirement: &70245146674820 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,10 +43,10 @@ dependencies:
         version: 2.3.0
   type: :development
   prerelease: false
-  version_requirements: *70155235890940
+  version_requirements: *70245146674820
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70155235890060 !ruby/object:Gem::Requirement
+  requirement: &70245146674020 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -54,10 +54,10 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *70155235890060
+  version_requirements: *70245146674020
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70155235889180 !ruby/object:Gem::Requirement
+  requirement: &70245146673180 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -65,10 +65,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70155235889180
+  version_requirements: *70245146673180
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70155235888640 !ruby/object:Gem::Requirement
+  requirement: &70245146672260 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -76,10 +76,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70155235888640
+  version_requirements: *70245146672260
 - !ruby/object:Gem::Dependency
   name: awesome_print
-  requirement: &70155235888120 !ruby/object:Gem::Requirement
+  requirement: &70245146671740 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,7 +87,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70155235888120
+  version_requirements: *70245146671740
 description: dump headers, sections, extract resources of win32 PE exe,dll,etc
 email: zed.0xff@gmail.com
 executables:
@@ -115,9 +115,12 @@ files:
 - lib/pedump.rb
 - lib/pedump/cli.rb
 - lib/pedump/composite_io.rb
+- lib/pedump/core.rb
 - lib/pedump/packer.rb
 - lib/pedump/pe.rb
+- lib/pedump/resources.rb
 - lib/pedump/sig_parser.rb
+- lib/pedump/tls.rb
 - lib/pedump/version.rb
 - lib/pedump/version_info.rb
 - pedump.gemspec
@@ -130,6 +133,7 @@ files:
 - spec/foldedhdr_spec.rb
 - spec/imports_badterm_spec.rb
 - spec/imports_vterm_spec.rb
+- spec/manyimportsW7_spec.rb
 - spec/pe_spec.rb
 - spec/pedump_spec.rb
 - spec/resource_spec.rb
@@ -152,7 +156,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2848967461238967885
+      hash: -576155968655045053
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: