pedump 0.4.16 → 0.5.0

data/Gemfile

@@ -5,6 +5,8 @@ source "http://rubygems.org"
 gem "multipart-post", "~> 1.1.4"
 gem "progressbar"
 gem "awesome_print"
+gem "iostruct", ">= 0.0.4"
+gem "zhexdump", ">= 0.0.2"
 
 # Add dependencies to develop your gem here.
 # Include everything needed to run rake, tests, features, etc.

data/Gemfile.lock

@@ -4,6 +4,7 @@ GEM
     awesome_print (1.1.0)
     diff-lcs (1.1.3)
     git (1.2.5)
+    iostruct (0.0.4)
     jeweler (1.8.4)
       bundler (~> 1.0)
       git (>= 1.2.5)
@@ -12,7 +13,7 @@ GEM
     json (1.7.5)
     multipart-post (1.1.5)
     progressbar (0.12.0)
-    rake (10.0.2)
+    rake (10.0.4)
     rdoc (3.12)
       json (~> 1.4)
     rspec (2.12.0)
@@ -24,6 +25,7 @@ GEM
       diff-lcs (~> 1.1.3)
     rspec-mocks (2.12.0)
     what_methods (1.0.1)
+    zhexdump (0.0.2)
 
 PLATFORMS
   ruby
@@ -31,8 +33,10 @@ PLATFORMS
 DEPENDENCIES
   awesome_print
   bundler
+  iostruct (>= 0.0.4)
   jeweler
   multipart-post (~> 1.1.4)
   progressbar
   rspec
   what_methods
+  zhexdump (>= 0.0.2)

data/VERSION

@@ -1 +1 @@
-0.4.16
+0.5.0

data/lib/pedump.rb

@@ -1,5 +1,12 @@
 #!/usr/bin/env ruby
 require 'stringio'
+require 'iostruct'
+require 'zhexdump'
+
+unless Object.new.respond_to?(:try) && nil.respond_to?(:try)
+  require 'pedump/core_ext/try'
+end
+
 require 'pedump/core'
 require 'pedump/pe'
 require 'pedump/resources'
@@ -34,7 +41,7 @@ class PEdump
   end
 
   # http://www.delorie.com/djgpp/doc/exe/
-  MZ = create_struct( "a2v13Qv2V6",
+  MZ = IOStruct.new( "a2v13Qv2V6",
     :signature,
     :bytes_in_last_block,
     :blocks_in_file,
@@ -61,7 +68,7 @@ class PEdump
   )
 
   # http://msdn.microsoft.com/en-us/library/ms809762.aspx
-  class IMAGE_FILE_HEADER < create_struct( 'v2V3v2',
+  class IMAGE_FILE_HEADER < IOStruct.new( 'v2V3v2',
     :Machine,              # w
     :NumberOfSections,     # w
     :TimeDateStamp,        # dw
@@ -164,7 +171,7 @@ class PEdump
   end
 
   # http://msdn.microsoft.com/en-us/library/ms809762.aspx
-  class IMAGE_OPTIONAL_HEADER32 < create_struct( 'vC2V9v6V4v2V6',
+  class IMAGE_OPTIONAL_HEADER32 < IOStruct.new( 'vC2V9v6V4v2V6',
     :Magic, # w
     :MajorLinkerVersion, :MinorLinkerVersion, # 2b
     :SizeOfCode, :SizeOfInitializedData, :SizeOfUninitializedData, :AddressOfEntryPoint, # 9dw
@@ -182,7 +189,7 @@ class PEdump
   end
 
   # http://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=VS.85).aspx)
-  class IMAGE_OPTIONAL_HEADER64 < create_struct( 'vC2V5QV2v6V4v2Q4V2',
+  class IMAGE_OPTIONAL_HEADER64 < IOStruct.new( 'vC2V5QV2v6V4v2Q4V2',
     :Magic, # w
     :MajorLinkerVersion, :MinorLinkerVersion, # 2b
     :SizeOfCode, :SizeOfInitializedData, :SizeOfUninitializedData, :AddressOfEntryPoint, :BaseOfCode, # 5dw
@@ -200,7 +207,7 @@ class PEdump
     include IMAGE_OPTIONAL_HEADER
   end
 
-  IMAGE_DATA_DIRECTORY = create_struct( "VV", :va, :size, :type )
+  IMAGE_DATA_DIRECTORY = IOStruct.new( "VV", :va, :size, :type )
   IMAGE_DATA_DIRECTORY::TYPES =
     %w'EXPORT IMPORT RESOURCE EXCEPTION SECURITY BASERELOC DEBUG ARCHITECTURE GLOBALPTR TLS LOAD_CONFIG
     Bound_IAT IAT Delay_IAT CLR_Header'
@@ -208,7 +215,7 @@ class PEdump
     IMAGE_DATA_DIRECTORY.const_set(type,idx)
   end
 
-  IMAGE_SECTION_HEADER = create_struct( 'A8V6v2V',
+  IMAGE_SECTION_HEADER = IOStruct.new( 'A8V6v2V',
     :Name, # A8 6dw
     :VirtualSize, :VirtualAddress, :SizeOfRawData, :PointerToRawData, :PointerToRelocations, :PointerToLinenumbers,
     :NumberOfRelocations, :NumberOfLinenumbers, # 2w
@@ -455,7 +462,7 @@ class PEdump
 
   # http://sandsprite.com/CodeStuff/Understanding_imports.html
   # http://stackoverflow.com/questions/5631317/import-table-it-vs-import-address-table-iat
-  IMAGE_IMPORT_DESCRIPTOR = create_struct 'V5',
+  IMAGE_IMPORT_DESCRIPTOR = IOStruct.new 'V5',
     :OriginalFirstThunk,
     :TimeDateStamp,
     :ForwarderChain,
@@ -603,7 +610,7 @@ class PEdump
   ##############################################################################
 
   #http://msdn.microsoft.com/en-us/library/ms809762.aspx
-  IMAGE_EXPORT_DIRECTORY = create_struct 'V2v2V7',
+  IMAGE_EXPORT_DIRECTORY = IOStruct.new 'V2v2V7',
     :Characteristics,
     :TimeDateStamp,
     :MajorVersion,          # These fields appear to be unused and are set to 0.
@@ -822,17 +829,13 @@ if $0 == __FILE__
     exit
   end
   p dump.mz
-  require './lib/hexdump_helper' if File.exist?("lib/hexdump_helper.rb")
-  if defined?(HexdumpHelper)
-    include HexdumpHelper
-    puts hexdump(dump.dos_stub) if dump.dos_stub
+  dump.dos_stub.hexdump if dump.dos_stub
+  puts
+  if dump.rich_hdr
+    dump.rich_hdr.hexdump
     puts
-    if dump.rich_hdr
-      puts hexdump(dump.rich_hdr)
-      puts
-      p(dump.rich_hdr.decode)
-      puts hexdump(dump.rich_hdr.dexor)
-    end
+    p(dump.rich_hdr.decode)
+    dump.rich_hdr.dexor.hexdump
   end
   pp dump.pe
   pp dump.resources

data/lib/pedump/cli.rb

@@ -29,23 +29,15 @@ rescue LoadError
   end
 end
 
-unless Object.instance_methods.include?(:try)
-  class Object
-    def try(*x)
-      send(*x) if respond_to?(x.first)
-    end
-  end
-end
-
 class PEdump::CLI
   attr_accessor :data, :argv
 
   KNOWN_ACTIONS = (
     %w'mz dos_stub rich pe ne data_directory sections tls security' +
-    %w'strings resources resource_directory imports exports version_info packer web packer_only'
+    %w'strings resources resource_directory imports exports version_info packer web console packer_only'
   ).map(&:to_sym)
 
-  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory web packer_only'.map(&:to_sym)
+  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory web packer_only console'.map(&:to_sym)
 
   URL_BASE = "http://pedump.me"
 
@@ -107,9 +99,15 @@ class PEdump::CLI
       opts.on "--va2file VA", "Convert RVA to file offset" do |va|
         @actions << [:va2file,va]
       end
+
+      opts.separator ''
+
       opts.on "-W", "--web", "Uploads files to a #{URL_BASE}","for a nice HTML tables with image previews,","candies & stuff" do
         @actions << :web
       end
+      opts.on "-C", "--console", "opens IRB console with specified file loaded" do
+        @actions << :console
+      end
     end
 
     if (@argv = optparser.parse(@argv)).empty?
@@ -140,8 +138,9 @@ class PEdump::CLI
         next if !@options[:force] && !@pedump.mz(f)
 
         @actions.each do |action|
-          if action == :web
-            upload f
+          case action
+          when :web; upload f
+          when :console; console f
           else
             dump_action action,f
           end
@@ -271,6 +270,29 @@ class PEdump::CLI
     STDOUT.sync = stdout_sync
   end
 
+  def console f
+    require 'pedump/loader'
+    require 'pp'
+
+    ARGV.clear # clear ARGV so IRB is not confused
+    require 'irb'
+    f.rewind
+    ldr = @ldr = PEdump::Loader.new(f)
+
+    # override IRB.setup, called from IRB.start
+    m0 = IRB.method(:setup)
+    IRB.define_singleton_method :setup do |*args|
+      m0.call *args
+      conf[:IRB_RC] = Proc.new do |context|
+        context.main.instance_variable_set '@ldr', ldr
+        context.main.define_singleton_method(:ldr){ @ldr }
+      end
+    end
+
+    puts "[.] ldr = PEdump::Loader.new(open(#{f.path.inspect}))".gray
+    IRB.start
+  end
+
   def action_title action
     if @need_fname_header
       @need_fname_header = false
@@ -302,7 +324,7 @@ class PEdump::CLI
     data = @pedump.send(action, f)
     return if !data || (data.respond_to?(:empty?) && data.empty?)
 
-    puts action_title(action)
+    puts action_title(action) unless @options[:format] == :binary
 
     return dump(data) if [:inspect, :table, :yaml].include?(@options[:format])
 
@@ -333,7 +355,7 @@ class PEdump::CLI
   def dump data, opts = {}
     case opts[:format] || @options[:format] || :dump
     when :dump, :hexdump
-      puts hexdump(data)
+      data.hexdump
     when :hex
       puts data.each_byte.map{ |x| "%02x" % x }.join(' ')
     when :binary
@@ -454,7 +476,7 @@ class PEdump::CLI
         puts "[?] don't know how to dump: #{data.inspect[0,50]}" unless data.empty?
       end
     elsif data.is_a?(PEdump::DOSStub)
-      puts hexdump(data)
+      data.hexdump
     elsif data.is_a?(PEdump::RichHdr)
       dump_rich_hdr data
     else
@@ -772,39 +794,11 @@ class PEdump::CLI
       end
     else
       puts "# raw:"
-      puts hexdump(data)
+      data.hexdump
       puts
       puts "# dexored:"
-      puts hexdump(data.dexor)
+      data.dexor.hexdump
     end
   end
 
-  def hexdump *args
-    self.class.hexdump(*args)
-  end
-
-  def self.hexdump data, h = {}
-    offset = h[:offset] || 0
-    add    = h[:add]    || 0
-    size   = h[:size]   || (data.size-offset)
-    tail   = h[:tail]   || "\n"
-    width  = h[:width]  || 0x10                 # row width, in bytes
-
-    size = data.size-offset if size+offset > data.size
-
-    r = ''; s = ''
-    r << "%08x: " % (offset + add)
-    ascii = ''
-    size.times do |i|
-      if i%width==0 && i>0
-        r << "%s |%s|\n%08x: " % [s, ascii, offset + add + i]
-        ascii = ''; s = ''
-      end
-      s << " " if i%width%8==0
-      c = data[offset+i].ord
-      s << "%02x " % c
-      ascii << ((32..126).include?(c) ? c.chr : '.')
-    end
-    r << "%-*s |%-*s|%s" % [width*3+width/8+(width%8==0?0:1), s, width, ascii, tail]
-  end
-end
+end # class PEdump::CLI

data/lib/pedump/core.rb

@@ -31,55 +31,8 @@ class File
 end
 
 class PEdump
-
-  module Readable
-    # src can be IO or String, or anything that responds to :read or :unpack
-    def read src, size = nil
-      size ||= const_get 'SIZE'
-      data =
-        if src.respond_to?(:read)
-          src.read(size).to_s
-        elsif src.respond_to?(:unpack)
-          src
-        else
-          raise "[?] don't know how to read from #{src.inspect}"
-        end
-      if data.size < size && PEdump.logger
-        PEdump.logger.error "[!] #{self.to_s} want #{size} bytes, got #{data.size}"
-      end
-      new(*data.unpack(const_get('FORMAT')))
-    end
-  end
-
   class << self
     def logger;    @@logger;   end
     def logger= l; @@logger=l; end
-
-    def create_struct fmt, *args
-      size = fmt.scan(/([a-z])(\d*)/i).map do |f,len|
-        [len.to_i, 1].max *
-          case f
-          when /[aAC]/ then 1
-          when 'v' then 2
-          when 'V','l' then 4
-          when 'Q' then 8
-          else raise "unknown fmt #{f.inspect}"
-          end
-      end.inject(&:+)
-
-      Struct.new( *args ).tap do |x|
-        x.const_set 'FORMAT', fmt
-        x.const_set 'SIZE',  size
-        x.class_eval do
-          def pack
-            to_a.pack self.class.const_get('FORMAT')
-          end
-          def empty?
-            to_a.all?{ |t| t == 0 || t.nil? || t.to_s.tr("\x00","").empty? }
-          end
-        end
-        x.extend Readable
-      end
-    end
   end
 end

data/lib/pedump/core_ext/try.rb

@@ -0,0 +1,57 @@
+class Object
+  # Invokes the method identified by the symbol +method+, passing it any arguments
+  # and/or the block specified, just like the regular Ruby <tt>Object#send</tt> does.
+  #
+  # *Unlike* that method however, a +NoMethodError+ exception will *not* be raised
+  # and +nil+ will be returned instead, if the receiving object is a +nil+ object or NilClass.
+  #
+  # If try is called without a method to call, it will yield any given block with the object.
+  #
+  # Please also note that +try+ is defined on +Object+, therefore it won't work with
+  # subclasses of +BasicObject+. For example, using try with +SimpleDelegator+ will
+  # delegate +try+ to target instead of calling it on delegator itself.
+  #
+  # ==== Examples
+  #
+  # Without +try+
+  #   @person && @person.name
+  # or
+  #   @person ? @person.name : nil
+  #
+  # With +try+
+  #   @person.try(:name)
+  #
+  # +try+ also accepts arguments and/or a block, for the method it is trying
+  #   Person.try(:find, 1)
+  #   @people.try(:collect) {|p| p.name}
+  #
+  # Without a method argument try will yield to the block unless the receiver is nil.
+  #   @person.try { |p| "#{p.first_name} #{p.last_name}" }
+  #--
+  # +try+ behaves like +Object#send+, unless called on +NilClass+.
+  def try(*a, &b)
+    if a.empty? && block_given?
+      yield self
+    else
+      __send__(*a, &b)
+    end
+  end
+end
+
+class NilClass
+  # Calling +try+ on +nil+ always returns +nil+.
+  # It becomes specially helpful when navigating through associations that may return +nil+.
+  #
+  # === Examples
+  #
+  #   nil.try(:name) # => nil
+  #
+  # Without +try+
+  #   @person && !@person.children.blank? && @person.children.first.name
+  #
+  # With +try+
+  #   @person.try(:children).try(:first).try(:name)
+  def try(*args)
+    nil
+  end
+end

data/lib/pedump/loader.rb

@@ -1,9 +1,17 @@
+#!/usr/bin/env ruby
+
 require 'pedump'
 require 'stringio'
 require 'pedump/loader/section'
+require 'pedump/loader/minidump'
 
+# This class is kinda Virtual Machine that mimics executable loading as real OS does.
+# Can be used for unpacking, emulating, reversing, ...
 class PEdump::Loader
-  attr_accessor :mz_hdr, :dos_stub, :pe_hdr, :sections, :pedump
+  attr_accessor :mz_hdr, :dos_stub, :pe_hdr, :sections, :pedump, :image_base
+  attr_accessor :find_limit
+
+  DEFAULT_FIND_LIMIT = 2**64
 
   # shortcuts
   alias :pe :pe_hdr
@@ -14,19 +22,24 @@ class PEdump::Loader
   # constructors
   ########################################################################
 
-  def initialize io = nil, pedump_params = {}
-    @pedump = PEdump.new(io, pedump_params)
+  def initialize io = nil, params = {}
+    @pedump = PEdump.new(io, params)
     if io
       @mz_hdr     = @pedump.mz
       @dos_stub   = @pedump.dos_stub
       @pe_hdr     = @pedump.pe
+      @image_base = params[:image_base] || @pe_hdr.try(:ioh).try(:ImageBase) || 0
       load_sections @pedump.sections, io
     end
+    @find_limit = params[:find_limit] || DEFAULT_FIND_LIMIT
   end
 
   def load_sections section_hdrs, f = nil
-    if section_hdrs.is_a?(Array) && section_hdrs.map(&:class).uniq == [PEdump::IMAGE_SECTION_HEADER]
-      @sections = section_hdrs.map{ |x| Section.new(x, :deferred_load_io => f) }
+    if section_hdrs.is_a?(Array)
+      @sections = section_hdrs.map do |x|
+        raise "unknown section hdr: #{x.inspect}" unless x.is_a?(PEdump::IMAGE_SECTION_HEADER)
+        Section.new(x, :deferred_load_io => f, :image_base => @image_base )
+      end
       if f.respond_to?(:seek) && f.respond_to?(:read)
         #
         # converted to deferred loading
@@ -43,14 +56,41 @@ class PEdump::Loader
     end
   end
 
+  # load MS Minidump (*.dmp) file, that can be created in Task Manager via
+  # right click on process -> save memory dump
+  def load_minidump io, options = {}
+    @sections ||= []
+    md = Minidump.new io
+    options[:merge] = true unless options.key?(:merge)
+    md.memory_ranges(options).each do |mr|
+      hdr = PEdump::IMAGE_SECTION_HEADER.new(
+        :VirtualAddress   => mr.va,
+        :PointerToRawData => mr.file_offset,
+        :SizeOfRawData    => mr.size,
+        :VirtualSize      => mr.size            # XXX may be larger than SizeOfRawData
+      )
+      @sections << Section.new( hdr, :deferred_load_io => io )
+    end
+  end
+
+  def self.load_minidump io
+    new.tap{ |ldr| ldr.load_minidump io }
+  end
+
   ########################################################################
   # VA conversion
   ########################################################################
 
+  # VA to section
   def va2section va
     @sections.find{ |x| x.range.include?(va) }
   end
 
+  # RVA (Relative VA) to section
+  def rva2section rva
+    va2section( rva + @image_base )
+  end
+
   def va2stream va
     return nil unless section = va2section(va)
     StringIO.new(section.data).tap do |io|
@@ -58,23 +98,30 @@ class PEdump::Loader
     end
   end
 
+  def rva2stream rva
+    va2stream( rva + @image_base )
+  end
+
   ########################################################################
   # virtual memory read/write
   ########################################################################
 
-  def [] va, size
+  # read arbitrary string
+  def [] va, size, params = {}
     section = va2section(va)
     raise "no section for va=0x#{va.to_s 16}" unless section
     offset = va - section.va
     raise "negative offset #{offset}" if offset < 0
     r = section.data[offset,size]
-    if r.size < size
+    return nil if r.nil?
+    if r.size < size && params.fetch(:zerofill, true)
       # append some empty data
       r << ("\x00".force_encoding('binary')) * (size - r.size)
     end
     r
   end
 
+  # write arbitrary string
   def []= va, size, data
     raise "data.size != size" if data.size != size
     section = va2section(va)
@@ -88,6 +135,148 @@ class PEdump::Loader
     section.data[offset, data.size] = data
   end
 
+  # returns StringIO with section data, pre-seeked to specified VA
+  # TODO: make io cross sections
+  def io va
+    section = va2section(va)
+    raise "no section for va=0x#{va.to_s 16}" unless section
+    offset = va - section.va
+    raise "negative offset #{offset}" if offset < 0
+    StringIO.new(section.data).tap{ |io| io.seek offset }
+  end
+
+  # read single DWord (4 bytes) if no 'n' specified
+  # delegate to #dwords otherwise
+  def dw va, n=nil
+    n ? dwords(va,n) : self[va,4].unpack('L')[0]
+  end
+  alias :dword :dw
+
+  # read N DWords, returns array
+  def dwords va, n
+    self[va,4*n].unpack('L*')
+  end
+
+  # check if any section has specified VA in its range
+  def valid_va? va
+    @ranges ||= _merge_ranges
+    @ranges.any?{ |range| range.include?(va) }
+  end
+
+  # increasing max_diff speed ups the :valid_va? method, but may cause false positives
+  def _merge_ranges max_diff = nil
+    max_diff ||=
+      if sections.size > 100
+        1024*1024
+      else
+        0
+      end
+
+    ranges0 = sections.map(&:range).sort_by(&:begin)
+    #puts "[.] #{ranges0.size} ranges"
+    ranges1 = []
+    range = ranges0.shift
+    while ranges0.any?
+      while (ranges0.first.begin-range.end).abs <= max_diff
+        range = range.begin...ranges0.shift.end
+        break if ranges0.empty?
+      end
+      #puts "[.] diff #{ranges0.first.begin-range.end}"
+      ranges1 << range
+      range = ranges0.shift
+    end
+    ranges1 << range
+    #puts "[=] #{ranges1.size} ranges"
+    ranges1.uniq.compact
+  end
+
+  # find first occurence of string
+  # returns VA
+  def find needle, options = {}
+    options[:align] ||= 1
+    options[:limit] ||= @find_limit
+
+    if needle.is_a?(Fixnum)
+      # silently convert to DWORD
+      needle = [needle].pack('L')
+    end
+
+    if options[:align] == 1
+      # fastest find?
+      processed_bytes = 0
+      sections.each do |section|
+        next unless section.data # skip empty sections
+        pos = section.data.index(needle)
+        return section.va+pos if pos
+        processed_bytes += section.vsize
+        return nil if processed_bytes >= options[:limit]
+      end
+    end
+    nil
+  end
+
+  # find all occurences of string
+  # returns array of VAs or empty array
+  def find_all needle, options = {}
+    options[:align] ||= 1
+    options[:limit] ||= @find_limit
+
+    if needle.is_a?(Fixnum)
+      # silently convert to DWORD
+      needle = [needle].pack('L')
+    end
+
+    r = []
+    if options[:align] == 1
+      # fastest find?
+      processed_bytes = 0
+      sections.each do |section|
+        next unless section.data # skip empty sections
+        section.data.scan(needle) do
+          r << $~.begin(0) + section.va
+        end
+        processed_bytes += section.vsize
+        return r if processed_bytes >= options[:limit]
+      end
+    end
+    r
+  end
+
+  ########################################################################
+  # parsing names
+  ########################################################################
+
+  def names
+    return @names if @names
+    @names = {}
+    if oep = @pe_hdr.try(:ioh).try(:AddressOfEntryPoint)
+      oep += @image_base
+      @names[oep] = 'start'
+    end
+    _parse_imports
+    _parse_exports
+    #TODO: debug info
+    @names
+  end
+
+  def _parse_imports
+    @pedump.imports.each do |iid| # Image Import Descriptor
+      va = iid.FirstThunk + @image_base
+      (Array(iid.original_first_thunk) + Array(iid.first_thunk)).uniq.each do |func|
+        name = func.name || "##{func.ordinal}"
+        @names[va] = name
+        va += 4
+      end
+    end
+  end
+
+  def _parse_exports
+    return {} unless @pedump.exports
+    @pedump.exports.functions.each do |func|
+      @names[@image_base + func.va] = func.name || "##{func.ordinal}"
+    end
+  end
+
   ########################################################################
   # generating PE binary
   ########################################################################
@@ -95,37 +284,110 @@ class PEdump::Loader
   def section_table
     @sections.map do |section|
       section.hdr.SizeOfRawData = section.data.size
+      section.hdr.PointerToRelocations ||= 0
+      section.hdr.PointerToLinenumbers ||= 0
+      section.hdr.NumberOfRelocations  ||= 0
+      section.hdr.NumberOfLinenumbers  ||= 0
+      section.hdr.Characteristics      ||= 0
       section.hdr.pack
     end.join
   end
 
-  def dump f
-    align = @pe_hdr.ioh.FileAlignment
+  # save a new PE file to specified IO
+  def export io
+    @mz_hdr     ||= PEdump::MZ.new("MZ", *[0]*22)
+    @dos_stub   ||= ''
+    @pe_hdr     ||= PEdump::PE.new("PE\x00\x00")
+    @pe_hdr.ioh ||=
+      PEdump::IMAGE_OPTIONAL_HEADER32.read( StringIO.new("\x00" * 224) ).tap do |ioh|
+        ioh.Magic               = 0x10b # 32-bit executable
+        #ioh.NumberOfRvaAndSizes = 0x10
+      end
+    @pe_hdr.ifh ||= PEdump::IMAGE_FILE_HEADER.new(
+      :Machine              => 0x14c,          # x86
+      :NumberOfSections     => @sections.size,
+      :TimeDateStamp        => 0,
+      :PointerToSymbolTable => 0,
+      :NumberOfSymbols      => 0,
+      :SizeOfOptionalHeader => @pe_hdr.ioh.pack.size,
+      :Characteristics      => 0x102           # EXECUTABLE_IMAGE | 32BIT_MACHINE
+    )
+
+    if @pe_hdr.ioh.FileAlignment.to_i == 0
+      # default file align = 512 bytes
+      @pe_hdr.ioh.FileAlignment = 0x200
+    end
+    if @pe_hdr.ioh.SectionAlignment.to_i == 0
+      # default section align = 4k
+      @pe_hdr.ioh.SectionAlignment = 0x1000
+    end
 
     mz_size = @mz_hdr.pack.size
     raise "odd mz_size #{mz_size}" if mz_size % 0x10 != 0
     @mz_hdr.header_paragraphs = mz_size / 0x10              # offset of dos_stub
     @mz_hdr.lfanew = mz_size + @dos_stub.size               # offset of PE hdr
-    f.write @mz_hdr.pack
-    f.write @dos_stub
-    f.write @pe_hdr.pack
-    f.write @pe_hdr.ioh.DataDirectory.map(&:pack).join
+    io.write @mz_hdr.pack
+    io.write @dos_stub
+    io.write @pe_hdr.pack
+    io.write @pe_hdr.ioh.DataDirectory.map(&:pack).join
 
-    section_tbl_offset = f.tell # store offset for 2nd write of section table
-    f.write section_table
+    section_tbl_offset = io.tell # store offset for 2nd write of section table
+    io.write section_table
 
+    align = @pe_hdr.ioh.FileAlignment
     @sections.each do |section|
-      f.seek(align - (f.tell % align), IO::SEEK_CUR) if f.tell % align != 0
-      section.hdr.PointerToRawData = f.tell  # fix raw_ptr
-      f.write(section.data)
+      io.seek(align - (io.tell % align), IO::SEEK_CUR) if io.tell % align != 0
+      section.hdr.PointerToRawData = io.tell  # fix raw_ptr
+      io.write(section.data)
     end
 
-    eof = f.tell
+    eof = io.tell
 
     # 2nd write of section table with correct raw_ptr's
-    f.seek section_tbl_offset
-    f.write section_table
+    io.seek section_tbl_offset
+    io.write section_table
 
-    f.seek eof
+    io.seek eof
   end
+
+  alias :dump :export
+end
+
+###################################################################
+
+if $0 == __FILE__
+  require 'pp'
+  require 'zhexdump'
+
+  io = open ARGV.first
+  ldr = PEdump::Loader.load_minidump io
+
+  File.open(ARGV.first + ".exe", "wb") do |f|
+    ldr.sections[100..-1] = []
+    ldr.export f
+  end
+  exit
+
+  va = 0x3a10000+0xceb00-0x300+0x18c
+  ZHexdump.dump ldr[va, 0x200], :add => va
+  exit
+
+  #puts
+  #ZHexdump.dump ldr[x,0x100]
+
+  ldr.find_all(va, :limit => 100_000_000).each do |va0|
+    printf "[.] found at VA=%x\n", va0
+    5.times do |i|
+      puts
+      va = ldr.dw(va0+i*4)
+      ZHexdump.dump ldr[va,0x30], :add => va if va != 0
+    end
+  end
+
+  puts "---"
+  ldr.find_all(0x3dff970, :limit => 100_000_000).each do |va|
+    ldr[va,0x20].hexdump
+    puts
+  end
+
 end