pedump 0.4.4 → 0.4.5

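--- a/data/Rakefile
+++ b/data/Rakefile
@@ -25,7 +25,9 @@ Jeweler::Tasks.new do |gem|
  gem.files.include "lib/**/*.rb"
  gem.files.include "data/*.bin"
  gem.files.include "data/*.txt"
- # dependencies defined in Gemfile
+
+ gem.files.exclude "samples/*", "README.md.tpl"
+ gem.extra_rdoc_files.exclude "README.md.tpl"
  end
  Jeweler::RubygemsDotOrgTasks.new
 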
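--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 0.4.4
+ 0.4.5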
@@ -21,7 +21,7 @@ class PEdump
21
21
  def initialize fname, params = {}
22
22
  @fname = fname
23
23
  @force = params[:force]
24
- @logger = @@logger = params[:logger] || PEdump::Logger.new(STDERR)
24
+ @logger = @@logger = params[:logger] || PEdump::Logger.new(params[:logdev] || STDERR)
25
25
  end
26
26
 
27
27
  # http://www.delorie.com/djgpp/doc/exe/
@@ -282,8 +282,8 @@ class PEdump
282
282
  @logger = @@logger = l
283
283
  end
284
284
 
285
- def self.dump fname
286
- new(fname).dump
285
+ def self.dump fname, params = {}
286
+ new(fname, params).dump
287
287
  end
288
288
 
289
289
  def mz f=nil
@@ -305,7 +305,7 @@ class PEdump
305
305
  return nil unless mz = mz(f)
306
306
  dos_stub_offset = mz.header_paragraphs.to_i * 0x10
307
307
  dos_stub_size = mz.lfanew.to_i - dos_stub_offset
308
- if dos_stub_offset <= 0
308
+ if dos_stub_offset < 0
309
309
  logger.warn "[?] invalid DOS stub offset #{dos_stub_offset}"
310
310
  nil
311
311
  elsif f && dos_stub_offset > f.size
@@ -321,6 +321,7 @@ class PEdump
321
321
  # no open file, it's ok
322
322
  nil
323
323
  else
324
+ return nil if dos_stub_size == MZ::SIZE && dos_stub_offset == 0
324
325
  if dos_stub_size > 0x1000
325
326
  logger.warn "[?] DOS stub size too big (#{dos_stub_size}), limiting to 0x1000"
326
327
  dos_stub_size = 0x1000
@@ -361,7 +362,7 @@ class PEdump
361
362
  end
362
363
  end
363
364
 
364
- def va2file va
365
+ def va2file va, h={}
365
366
  return nil if va.nil?
366
367
 
367
368
  sections.each do |s|
@@ -390,7 +391,7 @@ class PEdump
390
391
 
391
392
  # TODO: not all VirtualAdresses == 0 case
392
393
 
393
- logger.error "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)}"
394
+ logger.error "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)}" unless h[:quiet]
394
395
  nil
395
396
  end
396
397
 
@@ -401,11 +402,12 @@ class PEdump
401
402
  end
402
403
 
403
404
  def _dump_handle h
404
- rich_hdr(h) # includes mz(h)
405
- resources(h) # includes pe(h)
406
- imports h
405
+ return unless pe(h) # also calls mz(h)
406
+ rich_hdr h
407
+ resources h
408
+ imports h # also calls tls(h)
407
409
  exports h
408
- packer h
410
+ packer h
409
411
  end
410
412
 
411
413
  def data_directory f=nil
@@ -466,7 +468,6 @@ class PEdump
466
468
  break if t.Name.to_i == 0 # also catches EOF
467
469
  r << t
468
470
  file_offset += IMAGE_IMPORT_DESCRIPTOR::SIZE
469
- break if r.size == 3
470
471
  end
471
472
 
472
473
  logger.warn "[?] non-empty last IMAGE_IMPORT_DESCRIPTOR: #{t.inspect}" unless t.empty?
@@ -488,11 +489,13 @@ class PEdump
488
489
  end
489
490
  cache = {}
490
491
  bits = pe.x64? ? 64 : 32
492
+ idx = -1
491
493
  x[tbl] && x[tbl].map! do |t|
494
+ idx += 1
492
495
  cache[t] ||=
493
496
  if t & (2**(bits-1)) > 0 # 0x8000_0000(_0000_0000)
494
497
  ImportedFunction.new(nil,nil,t & (2**(bits-1)-1)) # 0x7fff_ffff(_ffff_ffff)
495
- elsif va=va2file(t)
498
+ elsif va=va2file(t, :quiet => true)
496
499
  f.seek va
497
500
  if f.eof?
498
501
  logger.warn "[?] import va 0x#{va.to_s(16)} beyond EOF"
@@ -500,18 +503,26 @@ class PEdump
500
503
  else
501
504
  ImportedFunction.new(f.read(2).unpack('v').first, f.gets("\x00").chop)
502
505
  end
503
- else
506
+ elsif tbl == :original_first_thunk
507
+ # OriginalFirstThunk entries can not be invalid, show a warning msg
508
+ logger.warn "[?] invalid VA 0x#{t.to_s(16)} in #{camel}[#{idx}] for #{x.module_name}"
509
+ nil
510
+ elsif tbl == :first_thunk
511
+ # FirstThunk entries can be invalid, so `info` msg only
512
+ logger.info "[?] invalid VA 0x#{t.to_s(16)} in #{camel}[#{idx}] for #{x.module_name}"
504
513
  nil
514
+ else
515
+ raise "You are not supposed to be here! O_o"
505
516
  end
506
517
  end
507
518
  x[tbl] && x[tbl].compact!
508
519
  end
509
520
  if x.original_first_thunk && !x.first_thunk
510
- logger.warn "[?] import table: empty FirstThunk of #{x.module_name}"
521
+ logger.warn "[?] import table: empty FirstThunk for #{x.module_name}"
511
522
  elsif !x.original_first_thunk && x.first_thunk
512
- logger.warn "[?] import table: empty OriginalFirstThunk of #{x.module_name}"
523
+ logger.info "[?] import table: empty OriginalFirstThunk for #{x.module_name}"
513
524
  elsif x.original_first_thunk != x.first_thunk
514
- logger.warn "[?] import table: OriginalFirstThunk != FirstThunk of #{x.module_name}"
525
+ logger.debug "[?] import table: OriginalFirstThunk != FirstThunk for #{x.module_name}"
515
526
  end
516
527
  end
517
528
  end
@@ -620,17 +631,12 @@ class PEdump
620
631
  return nil
621
632
  end
622
633
 
623
- start_offset = f.tell
624
-
625
634
  klass = @pe.x64? ? IMAGE_TLS_DIRECTORY64 : IMAGE_TLS_DIRECTORY32
635
+ nEntries = [1,dir.size / klass.const_get('SIZE')].max
626
636
  r = []
627
- while !f.eof? && (entry = klass.read(f))
628
- if entry.AddressOfCallBacks.to_i == 0
629
- logger.warn "[?] non-empty TLS terminator: #{entry.inspect}" unless entry.empty?
630
- break
631
- end
637
+ nEntries.times do
638
+ break if f.eof? || !(entry = klass.read(f))
632
639
  r << entry
633
- break if dir.size > 0 && f.tell >= (start_offset+dir.size)
634
640
  end
635
641
  r
636
642
  end
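Review bot: The rewritten TLS loop is bounded only by `nEntries`, which is computed from `dir.size` of the parsed data directory, and by EOF; the removed code additionally stopped at `start_offset+dir.size` and on an entry whose `AddressOfCallBacks` was zero. Because `dir.size` is read from the input file, a crafted value makes the reader build one `klass` entry per `SIZE` bytes until the end of the file, so the warn-and-clamp treatment the DOS-stub path in this same file applies (`if dos_stub_size > 0x1000`) would fit here too, with the limit as a named constant. On naming, `nEntries` should be `n_entries`, and `klass::SIZE` is the idiomatic form of `klass.const_get('SIZE')`. The enclosing method starts outside the hunk.
```ruby
    klass = @pe.x64? ? IMAGE_TLS_DIRECTORY64 : IMAGE_TLS_DIRECTORY32
    n_entries = [1, dir.size / klass::SIZE].max
    # MAX_TLS_ENTRIES is a placeholder name: define a limit well above any legitimate TLS directory
    if n_entries > MAX_TLS_ENTRIES
      logger.warn "[?] TLS directory too big (#{dir.size}), limiting to #{MAX_TLS_ENTRIES} entries"
      n_entries = MAX_TLS_ENTRIES
    end
    r = []
    n_entries.times do
      # … unchanged: break on EOF or failed read, append entry …
```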
@@ -2,7 +2,7 @@ class PEdump
2
2
  module Version
3
3
  MAJOR = 0
4
4
  MINOR = 4
5
- PATCH = 4
5
+ PATCH = 5
6
6
  BUILD = nil
7
7
 
8
8
  STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')
@@ -5,7 +5,7 @@
5
5
 
6
6
  Gem::Specification.new do |s|
7
7
  s.name = "pedump"
8
- s.version = "0.4.4"
8
+ s.version = "0.4.5"
9
9
 
10
10
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
11
11
  s.authors = ["Andrey \"Zed\" Zaikin"]
@@ -15,8 +15,7 @@ Gem::Specification.new do |s|
15
15
  s.executables = ["pedump"]
16
16
  s.extra_rdoc_files = [
17
17
  "LICENSE.txt",
18
- "README.md",
19
- "README.md.tpl"
18
+ "README.md"
20
19
  ]
21
20
  s.files = [
22
21
  ".document",
@@ -25,7 +24,6 @@ Gem::Specification.new do |s|
25
24
  "Gemfile.lock",
26
25
  "LICENSE.txt",
27
26
  "README.md",
28
- "README.md.tpl",
29
27
  "Rakefile",
30
28
  "VERSION",
31
29
  "bin/pedump",
@@ -45,9 +43,6 @@ Gem::Specification.new do |s|
45
43
  "lib/pedump/version.rb",
46
44
  "lib/pedump/version_info.rb",
47
45
  "pedump.gemspec",
48
- "samples/calc.7z",
49
- "samples/corkami.7z",
50
- "samples/zlib.dll",
51
46
  "spec/65535sects_spec.rb",
52
47
  "spec/composite_io_spec.rb",
53
48
  "spec/dllord_spec.rb",
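--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: pedump
  version: !ruby/object:Gem::Version
- version: 0.4.4
+ version: 0.4.5
  prerelease:
  platform: ruby
  authors:
@@ -13,7 +13,7 @@ date: 2011-12-20 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: multipart-post
- requirement: &70245146676060 !ruby/object:Gem::Requirement
+ requirement: &70360993390840 !ruby/object:Gem::Requirement
  none: false
  requirements:
  - - ~>
@@ -21,10 +21,10 @@ dependencies:
  version: 1.1.4
  type: :runtime
  prerelease: false
- version_requirements: *70245146676060
+ version_requirements: *70360993390840
  - !ruby/object:Gem::Dependency
  name: progressbar
- requirement: &70245146675500 !ruby/object:Gem::Requirement
+ requirement: &70360993390100 !ruby/object:Gem::Requirement
  none: false
  requirements:
  - - ~>
@@ -32,10 +32,10 @@ dependencies:
  version: 0.9.2
  type: :runtime
  prerelease: false
- version_requirements: *70245146675500
+ version_requirements: *70360993390100
  - !ruby/object:Gem::Dependency
  name: rspec
- requirement: &70245146674820 !ruby/object:Gem::Requirement
+ requirement: &70360993389180 !ruby/object:Gem::Requirement
  none: false
  requirements:
  - - ~>
@@ -43,10 +43,10 @@ dependencies:
  version: 2.3.0
  type: :development
  prerelease: false
- version_requirements: *70245146674820
+ version_requirements: *70360993389180
  - !ruby/object:Gem::Dependency
  name: bundler
- requirement: &70245146674020 !ruby/object:Gem::Requirement
+ requirement: &70360993415340 !ruby/object:Gem::Requirement
  none: false
  requirements:
  - - ~>
@@ -54,10 +54,10 @@ dependencies:
  version: 1.0.0
  type: :development
  prerelease: false
- version_requirements: *70245146674020
+ version_requirements: *70360993415340
  - !ruby/object:Gem::Dependency
  name: jeweler
- requirement: &70245146673180 !ruby/object:Gem::Requirement
+ requirement: &70360993414640 !ruby/object:Gem::Requirement
  none: false
  requirements:
  - - ~>
@@ -65,10 +65,10 @@ dependencies:
  version: 1.6.4
  type: :development
  prerelease: false
- version_requirements: *70245146673180
+ version_requirements: *70360993414640
  - !ruby/object:Gem::Dependency
  name: rcov
- requirement: &70245146672260 !ruby/object:Gem::Requirement
+ requirement: &70360993414140 !ruby/object:Gem::Requirement
  none: false
  requirements:
  - - ! '>='
@@ -76,10 +76,10 @@ dependencies:
  version: '0'
  type: :development
  prerelease: false
- version_requirements: *70245146672260
+ version_requirements: *70360993414140
  - !ruby/object:Gem::Dependency
  name: awesome_print
- requirement: &70245146671740 !ruby/object:Gem::Requirement
+ requirement: &70360993413580 !ruby/object:Gem::Requirement
  none: false
  requirements:
  - - ! '>='
@@ -87,7 +87,7 @@ dependencies:
  version: '0'
  type: :development
  prerelease: false
- version_requirements: *70245146671740
+ version_requirements: *70360993413580
  description: dump headers, sections, extract resources of win32 PE exe,dll,etc
  email: zed.0xff@gmail.com
  executables:
@@ -96,7 +96,6 @@ extensions: []
  extra_rdoc_files:
  - LICENSE.txt
  - README.md
- - README.md.tpl
  files:
  - .document
  - .rspec
@@ -104,7 +103,6 @@ files:
  - Gemfile.lock
  - LICENSE.txt
  - README.md
- - README.md.tpl
  - Rakefile
  - VERSION
  - bin/pedump
@@ -124,9 +122,6 @@ files:
  - lib/pedump/version.rb
  - lib/pedump/version_info.rb
  - pedump.gemspec
- - samples/calc.7z
- - samples/corkami.7z
- - samples/zlib.dll
  - spec/65535sects_spec.rb
  - spec/composite_io_spec.rb
  - spec/dllord_spec.rb
@@ -156,7 +151,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
  version: '0'
  segments:
  - 0
- hash: -576155968655045053
+ hash: 412789632490826090
  required_rubygems_version: !ruby/object:Gem::Requirement
  none: false
  requirements: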
@@ -1,90 +0,0 @@
1
- pedump
2
- ======
3
-
4
- Description
5
- -----------
6
- A pure ruby implementation of win32 PE binary files dumper, including:
7
-
8
- * MZ Header
9
- * DOS stub
10
- * ['Rich' Header](http://ntcore.com/files/richsign.htm)
11
- * PE Header
12
- * Data Directory
13
- * Sections
14
- * Resources
15
- * Strings
16
- * Imports & Exports
17
- * VS_VERSIONINFO parsing
18
- * PE Packer/Compiler detection
19
- * a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
20
-
21
- Installation
22
- ------------
23
- gem install pedump
24
-
25
- Usage
26
- -----
27
-
28
- % pedump -h
29
-
30
- ### MZ Header
31
-
32
- % pedump --mz calc.exe
33
-
34
- ### DOS stub
35
-
36
- % pedump --dos-stub calc.exe
37
-
38
- ### 'Rich' Header
39
-
40
- % pedump --rich calc.exe
41
-
42
- ### PE Header
43
-
44
- % pedump --pe calc.exe
45
-
46
- ### Data Directory
47
-
48
- % pedump --data-directory calc.exe
49
-
50
- ### Sections
51
-
52
- % pedump --sections calc.exe
53
-
54
- ### Resources
55
-
56
- % pedump --resources calc.exe
57
-
58
- ### Strings
59
-
60
- % pedump --strings calc.exe.mui
61
-
62
- ### Imports
63
-
64
- % pedump --imports zlib.dll
65
-
66
- ### Exports
67
-
68
- % pedump --exports zlib.dll
69
-
70
- ### VS_VERSIONINFO parsing
71
-
72
- % pedump --version-info calc.exe
73
-
74
- ### Packer / Compiler detection
75
-
76
- % pedump --packer zlib.dll
77
-
78
- #### pedump can mimic 'file' command output:
79
-
80
- #pedump --packer-only -qqq samples/*
81
-
82
- samples/StringLoader.dll: Microsoft Visual C++ 6.0 DLL (Debug)
83
- samples/control.exe: ASPack v2.12
84
- samples/gms_v1_0_3.exe: UPX 2.90 [LZMA] (Markus Oberhumer, Laszlo Molnar & John Reiser)
85
- samples/unpackme.exe: ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
86
- samples/zlib.dll: Microsoft Visual C v2.0
87
-
88
- License
89
- -------
90
- Released under the MIT License. See the [LICENSE](https://github.com/zed-0xff/pedump/blob/master/LICENSE.txt) file for further details.
Binary file
Binary file
Binary file