pedump 0.6.1 → 0.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 23748b86fb8ea0471bd4805e7bafda25f5bb6279cf2acf28f6d05ac5913a33d2
-  data.tar.gz: 327d5c2e046a70d262a957ccc334d53adfc9ce6d55cba61c8b0efa4e3d70ef0c
+  metadata.gz: 9d4f9c13c95df2d30baf18bba07765fa26f1d4066a8abde228cba5cd29bc9df0
+  data.tar.gz: b034a68704793f502843db9ec791ca636e404b20258ae144a349e718eaf8a6b6
 SHA512:
-  metadata.gz: ec5ef9e264bdcfb7d1b2c52be51d2c6fd5548fdd36a4f7e20570998740a5dfd624d546b82398326e339f42291e364d5dfdc156dfe348030a981bf071aee6722f
-  data.tar.gz: a557ebc6dd98b211ff3096bf09fb8d8c4742c7b1cf2db965eeac4f74e77361e22c133a231a946b59ac28925ffc1188e70b110534775b0968438fa93e42163a8d
+  metadata.gz: 5b3187809523a111b8cf6ed608047f19044a4e616591297991ae6f97aabd7a783113b8cbf1c1a04d7968cbff6baa5f188c2aec504540ca305117fa38e7c61273
+  data.tar.gz: b870e93e3cc90785836ed6719599f855e20c026489bec925d4859e493f4c3a65b1b7c60ca15a8040f8be652ed1884171b302009c2ed5a16d6a3887b2d00ed36c

data/.github/workflows/rubocop-analysis.yml

@@ -0,0 +1,39 @@
+name: "Rubocop"
+
+on: push
+
+jobs:
+  rubocop:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # If running on a self-hosted runner, check it meets the requirements
+    # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+
+    # This step is not necessary if you add the gem to your Gemfile
+    - name: Install Code Scanning integration
+      run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
+
+    - name: Install dependencies
+      run: bundle install
+
+    - name: Rubocop run
+      run: |
+        bash -c "
+          bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+          [[ $? -ne 2 ]]
+        "
+
+    - name: Upload Sarif output
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: rubocop.sarif

data/Gemfile

@@ -10,6 +10,6 @@ gem "zhexdump",       ">= 0.0.2"
 group :development do
   gem "rspec",   "~> 3.9.0"
   gem "rspec-its", "~> 1.3.0"
-  gem "bundler", "~> 2.1.4"
+  gem "bundler", "~> 2.2.3"
   gem "jeweler", "~> 2.3.9"
 end

data/Gemfile.lock

@@ -6,10 +6,11 @@ GEM
     builder (3.2.4)
     descendants_tracker (0.0.4)
       thread_safe (~> 0.3, >= 0.3.1)
-    diff-lcs (1.3)
+    diff-lcs (1.4.4)
     faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
-    git (1.5.0)
+    git (1.8.1)
+      rchardet (~> 1.8)
     github_api (0.16.0)
       addressable (~> 2.4.0)
       descendants_tracker (~> 0.0.4)
@@ -17,7 +18,7 @@ GEM
       hashie (>= 3.4)
       mime-types (>= 1.16, < 3.0)
       oauth2 (~> 1.0)
-    hashie (4.0.0)
+    hashie (4.1.0)
     highline (2.0.3)
     iostruct (0.0.4)
     jeweler (2.3.9)
@@ -31,32 +32,35 @@ GEM
       rake
       rdoc
       semver2
-    jwt (2.2.1)
+    jwt (2.2.2)
     mime-types (2.99.3)
-    mini_portile2 (2.4.0)
-    multi_json (1.14.1)
+    mini_portile2 (2.5.0)
+    multi_json (1.15.0)
     multi_xml (0.6.0)
     multipart-post (2.1.1)
-    nokogiri (1.10.8)
-      mini_portile2 (~> 2.4.0)
-    oauth2 (1.4.2)
+    nokogiri (1.11.1)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
+    oauth2 (1.4.4)
       faraday (>= 0.8, < 2.0)
       jwt (>= 1.0, < 3.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    psych (3.1.0)
+    psych (3.3.0)
+    racc (1.5.2)
     rack (2.2.3)
     rainbow (3.0.0)
-    rake (13.0.1)
-    rdoc (6.2.1)
+    rake (13.0.3)
+    rchardet (1.8.0)
+    rdoc (6.3.0)
     rspec (3.9.0)
       rspec-core (~> 3.9.0)
       rspec-expectations (~> 3.9.0)
       rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.1)
-      rspec-support (~> 3.9.1)
-    rspec-expectations (3.9.0)
+    rspec-core (3.9.3)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.4)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-its (1.3.0)
@@ -65,7 +69,7 @@ GEM
     rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
-    rspec-support (3.9.2)
+    rspec-support (3.9.4)
     semver2 (3.4.2)
     thread_safe (0.3.6)
     zhexdump (0.0.2)
@@ -75,7 +79,7 @@ PLATFORMS
 
 DEPENDENCIES
   awesome_print
-  bundler (~> 2.1.4)
+  bundler (~> 2.2.3)
   iostruct (>= 0.0.4)
   jeweler (~> 2.3.9)
   multipart-post (>= 2.0.0)
@@ -85,4 +89,4 @@ DEPENDENCIES
   zhexdump (>= 0.0.2)
 
 BUNDLED WITH
-   2.1.4
+   2.2.3

data/README.md

@@ -3,8 +3,14 @@ pedump    [![Build Status](https://travis-ci.org/zed-0xff/pedump.png?branch=mast
 
 News
 ----
+```
+2021.02.18 - updated gems; changed open-uri to URI.open; enabled SSL on https://pedump.me/
+2020.08.09 - CLI: added resource extracting with --extract ID
+2020.07.28 - 0.6.1; better RICH HDR parsing/output
+2020.07.27 - 0.6.0
 2020.07.26 - now travis autotests run on ARM and OSX too!
 2020.07.25 - added EFI TE parsing; removed 'progressbar' gem dependency
+```
 
 Description
 -----------
@@ -30,7 +36,7 @@ Can dump:
  * Imports & Exports
  * VS_VERSIONINFO parsing
  * PE Packer/Compiler detection
- * a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
+ * a convenient way to upload your PE's to https://pedump.me for a nice HTML tables with image previews, candies & stuff
 
 Installation
 ------------
@@ -73,9 +79,17 @@ Usage
                                          mimics 'file' command output
         -r, --recursive                  recurse dirs in packer detect
             --all                        Dump all but resource-directory (default)
+    
+            --extract ID                 Extract a resource/section/data_dir
+                                         ID: datadir:EXPORT     - datadir by type
+                                         ID: resource:0x98478   - resource by offset
+                                         ID: resource:ICON/#1   - resource by type & name
+                                         ID: section:.text      - section by name
+                                         ID: section:rva/0x1000 - section by RVA
+                                         ID: section:raw/0x400  - section by RAW_PTR
             --va2file VA                 Convert RVA to file offset
     
-        -W, --web                        Uploads files to a http://pedump.me
+        -W, --web                        Uploads files to a https://pedump.me
                                          for a nice HTML tables with image previews,
                                          candies & stuff
         -C, --console                    opens IRB console with specified file loaded
@@ -127,14 +141,14 @@ Usage
 
     === RICH Header ===
     
-        LIB_ID        VERSION        TIMES_USED   
-       149  95      21022  521e         9   9
-         1   1          0     0       367 16f
-       147  93      21022  521e        29  1d
-       132  84      21022  521e       129  81
-       131  83      21022  521e        25  19
-       148  94      21022  521e         1   1
-       145  91      21022  521e         1   1
+       ID   VER         COUNT  DESCRIPTION
+       95  521e             9  [ASM] VS2008 build 21022
+        1     0           367  [---] Unmarked objects
+       93  521e            29  [IMP] VS2008 build 21022
+       84  521e           129  [C++] VS2008 build 21022
+       83  521e            25  [ C ] VS2008 build 21022
+       94  521e             1  [RES] VS2008 build 21022
+       91  521e             1  [LNK] VS2008 build 21022
 
 ### PE Header
 
@@ -414,6 +428,78 @@ Usage
     samples/unpackme.exe:                     ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
     samples/zlib.dll:                         Microsoft Visual C v2.0
 
+### Extracting
+
+#### Resources
+
+by name:
+
+    # pedump calc.exe --extract resource:VERSION/#1 | hexdump -C | head
+
+    00000000  78 03 34 00 00 00 56 00  53 00 5f 00 56 00 45 00  |x.4...V.S._.V.E.|
+    00000010  52 00 53 00 49 00 4f 00  4e 00 5f 00 49 00 4e 00  |R.S.I.O.N._.I.N.|
+    00000020  46 00 4f 00 00 00 00 00  bd 04 ef fe 00 00 01 00  |F.O.............|
+    00000030  01 00 06 00 00 00 91 1a  01 00 06 00 00 00 91 1a  |................|
+    00000040  3f 00 00 00 00 00 00 00  04 00 04 00 01 00 00 00  |?...............|
+    00000050  00 00 00 00 00 00 00 00  00 00 00 00 d6 02 00 00  |................|
+    00000060  01 00 53 00 74 00 72 00  69 00 6e 00 67 00 46 00  |..S.t.r.i.n.g.F.|
+    00000070  69 00 6c 00 65 00 49 00  6e 00 66 00 6f 00 00 00  |i.l.e.I.n.f.o...|
+    00000080  b2 02 00 00 01 00 30 00  34 00 30 00 39 00 30 00  |......0.4.0.9.0.|
+    00000090  34 00 42 00 30 00 00 00  4c 00 16 00 01 00 43 00  |4.B.0...L.....C.|
+
+by offset:
+
+    # pedump calc.exe --extract resource:0x98478 | head
+
+    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+    <!-- Copyright (c) Microsoft Corporation -->
+    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+    <assemblyIdentity
+        name="Microsoft.Windows.Shell.calc"
+        processorArchitecture="x86"
+        version="5.1.0.0"
+        type="win32"/>
+    <description>Windows Shell</description>
+    <dependency>
+
+#### Sections
+
+by name:
+
+    # pedump calc.exe --extract section:.text | hexdump -C | head -4
+
+    00000000  0b aa cb 77 f7 c4 cc 77  a4 c4 cc 77 c4 c4 cc 77  |...w...w...w...w|
+    00000010  3e d7 ca 77 ec b4 cb 77  69 9c f0 77 dc c4 cc 77  |>..w...wi..w...w|
+    00000020  12 9c cb 77 4d af cb 77  b4 c4 cc 77 6e a8 ee 77  |...wM..w...wn..w|
+    00000030  14 fc f0 77 00 00 00 00  2c 92 04 76 09 62 04 76  |...w....,..v.b.v|
+
+by RVA:
+
+    # pedump calc.exe --extract section:rva/0x1000 | hexdump -C | head -4
+
+    00000000  0b aa cb 77 f7 c4 cc 77  a4 c4 cc 77 c4 c4 cc 77  |...w...w...w...w|
+    00000010  3e d7 ca 77 ec b4 cb 77  69 9c f0 77 dc c4 cc 77  |>..w...wi..w...w|
+    00000020  12 9c cb 77 4d af cb 77  b4 c4 cc 77 6e a8 ee 77  |...wM..w...wn..w|
+    00000030  14 fc f0 77 00 00 00 00  2c 92 04 76 09 62 04 76  |...w....,..v.b.v|
+
+by RAW_PTR (file offset):
+
+    # pedump calc.exe --extract section:raw/0x400 | hexdump -C | head -4
+
+    00000000  0b aa cb 77 f7 c4 cc 77  a4 c4 cc 77 c4 c4 cc 77  |...w...w...w...w|
+    00000010  3e d7 ca 77 ec b4 cb 77  69 9c f0 77 dc c4 cc 77  |>..w...wi..w...w|
+    00000020  12 9c cb 77 4d af cb 77  b4 c4 cc 77 6e a8 ee 77  |...wM..w...wn..w|
+    00000030  14 fc f0 77 00 00 00 00  2c 92 04 76 09 62 04 76  |...w....,..v.b.v|
+
+#### Data Directory
+
+    # pedump calc.exe --extract datadir:IMPORT | hexdump -C | head -4
+
+    00000000  90 9f 04 00 ff ff ff ff  ff ff ff ff dc a2 04 00  |................|
+    00000010  48 12 00 00 f4 a0 04 00  ff ff ff ff ff ff ff ff  |H...............|
+    00000020  10 a5 04 00 ac 13 00 00  48 9d 04 00 ff ff ff ff  |........H.......|
+    00000030  ff ff ff ff f6 a5 04 00  00 10 00 00 5c 9f 04 00  |............\...|
+
 License
 -------
 Released under the MIT License.  See the [LICENSE](https://github.com/zed-0xff/pedump/blob/master/LICENSE.txt) file for further details.

data/Rakefile

@@ -23,7 +23,7 @@ Jeweler::Tasks.new do |gem|
   gem.authors = ["Andrey \"Zed\" Zaikin"]
   gem.executables = %w'pedump'
   gem.files.include "lib/**/*.rb"
-  gem.files.exclude %w'samples/**/* spec/**/* tmp/**/* tmp/.keep .* README.md.tpl'
+  gem.files.exclude %w'samples/**/* spec/**/* tmp/**/* tmp/.keep .* README.md.tpl .github/*'
   gem.extra_rdoc_files.exclude 'README.md.tpl'
   # dependencies defined in Gemfile
 end
@@ -35,7 +35,7 @@ require 'rspec/core/rake_task'
 desc "run specs"
 RSpec::Core::RakeTask.new
 
-task :default => :spec
+task :default => [:spec, :readme]
 
 namespace :test do
   desc "test on all files in given path"
@@ -85,7 +85,7 @@ def check_file url, params = {}
   fname = File.join 'data', (prefix ? "#{prefix}-" : '') + File.basename(url)
   existing_md5 = File.exist?(fname) ? Digest::MD5.file(fname).hexdigest : ''
   print "[.] fetching #{url} .. "
-  remote_data  = open(url).read.force_encoding('cp1252').encode('utf-8')
+  remote_data = URI.open(url).read.force_encoding('cp1252').encode('utf-8')
   puts "#{remote_data.size} bytes"
   raise "too small remote data (#{remote_data.size})" if remote_data.size < params[:min_size]
   remote_md5   = Digest::MD5.hexdigest(remote_data)

data/VERSION

@@ -1 +1 @@
-0.6.1
+0.6.2

data/lib/pedump.rb

@@ -30,7 +30,7 @@ class PEdump
   VERSION    = Version::STRING
   MAX_ERRORS = 100
   MAX_IMAGE_IMPORT_DESCRIPTORS = 1000
-  MAX_EXPORT_NUMBER_OF_NAMES = 16384 # got 7977 in http://pedump.me/03ad7400080678c6b1984f995d36fd04
+  MAX_EXPORT_NUMBER_OF_NAMES = 16384 # got 7977 in https://pedump.me/03ad7400080678c6b1984f995d36fd04
   GOOD_FUNCTION_NAME_RE = /\A[\x21-\x7f]+\Z/
   SUPPORTED_SIGNATURES = ['MZ', 'ZM', 'VZ']
 

data/lib/pedump/cli.rb

@@ -35,12 +35,13 @@ class PEdump::CLI
 
   KNOWN_ACTIONS = (
     %w'mz dos_stub rich pe ne te data_directory sections tls security' +
-    %w'strings resources resource_directory imports exports version_info packer web console packer_only'
+    %w'strings resources resource_directory imports exports version_info packer web console packer_only' +
+    %w'extract' # 'disasm'
   ).map(&:to_sym)
 
-  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory web packer_only console'.map(&:to_sym)
+  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory web packer_only console extract disasm'.map(&:to_sym)
 
-  URL_BASE = "http://pedump.me"
+  URL_BASE = "https://pedump.me"
 
   def initialize argv = ARGV
     @argv = argv
@@ -97,8 +98,24 @@ class PEdump::CLI
       opts.on "--all", "Dump all but resource-directory (default)" do
         @actions = DEFAULT_ALL_ACTIONS
       end
+
+      opts.separator ''
+
+#      opts.on "--disasm [X]", "Disassemble a symbol/VA" do |v|
+#        @actions << [:disasm, v]
+#      end
+      opts.on("--extract ID", "Extract a resource/section/data_dir",
+              "ID: datadir:EXPORT     - datadir by type",
+              "ID: resource:0x98478   - resource by offset",
+              "ID: resource:ICON/#1   - resource by type & name",
+              "ID: section:.text      - section by name",
+              "ID: section:rva/0x1000 - section by RVA",
+              "ID: section:raw/0x400  - section by RAW_PTR",
+             ) do |v|
+        @actions << [:extract, v]
+      end
       opts.on "--va2file VA", "Convert RVA to file offset" do |va|
-        @actions << [:va2file,va]
+        @actions << [:va2file, va]
       end
 
       opts.separator ''
@@ -134,7 +151,7 @@ class PEdump::CLI
       @file_name = fname
 
       File.open(fname,'rb') do |f|
-        @pedump = create_pedump fname
+        @pedump = create_pedump f
 
         next if !@options[:force] && !@pedump.supported_file?(f)
 
@@ -153,8 +170,8 @@ class PEdump::CLI
     # prevents a 'Broken pipe - <STDOUT> (Errno::EPIPE)' message
   end
 
-  def create_pedump fname
-    PEdump.new(fname, :force => @options[:force]).tap do |x|
+  def create_pedump io
+    PEdump.new(io, :force => @options[:force]).tap do |x|
       x.logger.level =
         case @options[:verbose]
         when -100..-3
@@ -195,7 +212,7 @@ class PEdump::CLI
   end
 
   class ProgressProxy
-    def initialize file, prefix = "[.] uploading: ", io = STDOUT
+    def initialize file, prefix = "[.] uploading: ", io = $stdout
       @file   = file
       @io     = io
       @prefix = prefix
@@ -228,15 +245,16 @@ class PEdump::CLI
     require 'net/http'
     require 'net/http/post/multipart'
 
-    stdout_sync = STDOUT.sync
-    STDOUT.sync = true
+    stdout_sync = $stdout.sync
+    $stdout.sync = true
 
     md5 = Digest::MD5.file(f.path).hexdigest
     @pedump.logger.info "[.] md5: #{md5}"
     file_url = "#{URL_BASE}/#{md5}/"
 
     @pedump.logger.warn "[.] checking if file already uploaded.."
-    Net::HTTP.start('pedump.me') do |http|
+    uri = URI.parse URL_BASE
+    Net::HTTP.start(uri.host, uri.port, use_ssl: (uri.scheme == 'https')) do |http|
       http.open_timeout = 10
       http.read_timeout = 10
       # doing HTTP HEAD is a lot faster than open-uri
@@ -258,18 +276,20 @@ class PEdump::CLI
     uio = UploadIO.new(f, "application/octet-stream", File.basename(f.path))
     ppx = ProgressProxy.new(uio)
     req = Net::HTTP::Post::Multipart.new post_url.path, "file" => ppx
-    res = Net::HTTP.start(post_url.host, post_url.port){ |http| http.request(req) }
+    res = Net::HTTP.start(post_url.host, post_url.port, use_ssl: (post_url.scheme == 'https')) do |http|
+      http.request(req)
+    end
     ppx.finish!
 
-    puts "[.] analyzing..."
-
-    if (r=open(File.join(URL_BASE,md5,'analyze')).read) != "OK"
-      raise "invalid server response: #{r}"
+    unless [200, 302, 303].include?(res.code.to_i)
+      @pedump.logger.fatal "[!] invalid server response: #{res.code} #{res.msg}"
+      @pedump.logger.fatal res.body unless res.body.empty?
+      exit(1)
     end
 
     puts "[.] uploaded: #{file_url}"
   ensure
-    STDOUT.sync = stdout_sync
+    $stdout.sync = stdout_sync
   end
 
   def console f
@@ -313,6 +333,10 @@ class PEdump::CLI
   def dump_action action, f
     if action.is_a?(Array)
       case action[0]
+      when :disasm
+        return
+      when :extract
+        return extract action[1]
       when :va2file
         @pedump.sections(f)
         va = action[1] =~ /(^0x)|(h$)/i ? action[1].to_i(16) : action[1].to_i
@@ -815,4 +839,79 @@ class PEdump::CLI
     end
   end
 
+  def disasm x
+    puts "TODO"
+  end
+
+  def extract x
+    a = x.split(':',2)
+    case a[0]
+    when 'datadir'
+      extract_datadir a[1]
+    when 'resource'
+      extract_resource a[1]
+    when 'section'
+      extract_section a[1]
+    else
+      raise "invalid #{x.inspect}"
+    end
+  end
+
+  def extract_datadir id
+    entry = @pedump.data_directory.find{ |x| x.type == id }
+    unless entry
+      @pedump.logger.fatal "[!] entry #{id.inspect} not found"
+      exit(1)
+    end
+    if entry.size != 0
+      IO::copy_stream @pedump.io, $stdout, entry.size, @pedump.va2file(entry.va)
+    end
+  end
+
+  def extract_resource id
+    res = nil
+    if id =~ /\A0x\h+\Z/
+      needle = id.to_i(16)
+      res = @pedump.resources.find{ |r| r.file_offset == needle }
+    elsif id =~ /\A\d+\Z/
+      needle = id.to_i(10)
+      res = @pedump.resources.find{ |r| r.file_offset == needle }
+    elsif id['/']
+      type, name = id.split('/', 2)
+      res = @pedump.resources.find{ |r| r.type == type && r.name == name }
+    else
+      @pedump.logger.fatal "[!] invalid resource id #{id.inspect}"
+      exit(1)
+    end
+    unless res
+      @pedump.logger.fatal "[!] resource #{id.inspect} not found"
+      exit(1)
+    end
+    IO::copy_stream @pedump.io, $stdout, res.size, res.file_offset
+  end
+
+  def extract_section id
+    section = nil
+    if id['/']
+      a = id.split('/',2)
+      if a[0] == 'rva'
+        value = a[1].to_i(0) # auto hex/dec, but also can parse oct and bin
+        section = @pedump.sections.find{ |s| s.VirtualAddress == value }
+      elsif a[0] == 'raw'
+        value = a[1].to_i(0) # auto hex/dec, but also can parse oct and bin
+        section = @pedump.sections.find{ |s| s.PointerToRawData == value }
+      else
+        @pedump.logger.fatal "[!] invalid section id #{id.inspect}"
+        exit(1)
+      end
+    else
+      section = @pedump.sections.find{ |s| s.Name == id }
+    end
+    unless section
+      @pedump.logger.fatal "[!] section #{id.inspect} not found"
+      exit(1)
+    end
+    IO::copy_stream @pedump.io, $stdout, section.SizeOfRawData, section.PointerToRawData
+  end
+
 end # class PEdump::CLI

data/pedump.gemspec

@@ -2,16 +2,16 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: pedump 0.6.1 ruby lib
+# stub: pedump 0.6.2 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "pedump".freeze
-  s.version = "0.6.1"
+  s.version = "0.6.2"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib".freeze]
   s.authors = ["Andrey \"Zed\" Zaikin".freeze]
-  s.date = "2020-07-28"
+  s.date = "2021-02-18"
   s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc".freeze
   s.email = "zed.0xff@gmail.com".freeze
   s.executables = ["pedump".freeze]
@@ -20,8 +20,7 @@ Gem::Specification.new do |s|
     "README.md"
   ]
   s.files = [
-    ".github/FUNDING.yml",
-    ".github/dependabot.yml",
+    ".github/workflows/rubocop-analysis.yml",
     "CODE_OF_CONDUCT.md",
     "Gemfile",
     "Gemfile.lock",
@@ -66,38 +65,27 @@ Gem::Specification.new do |s|
     "misc/aspack/lzxdec.c",
     "misc/aspack/lzxdec.h",
     "misc/nedump.c",
-    "pedump.gemspec",
-    "rich.py"
+    "pedump.gemspec"
   ]
   s.homepage = "http://github.com/zed-0xff/pedump".freeze
   s.licenses = ["MIT".freeze]
-  s.rubygems_version = "2.7.10".freeze
+  s.rubygems_version = "3.2.3".freeze
   s.summary = "dump win32 PE executable files with a pure ruby".freeze
 
   if s.respond_to? :specification_version then
     s.specification_version = 4
+  end
 
-    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<rainbow>.freeze, [">= 0"])
-      s.add_runtime_dependency(%q<awesome_print>.freeze, [">= 0"])
-      s.add_runtime_dependency(%q<iostruct>.freeze, [">= 0.0.4"])
-      s.add_runtime_dependency(%q<multipart-post>.freeze, [">= 2.0.0"])
-      s.add_runtime_dependency(%q<zhexdump>.freeze, [">= 0.0.2"])
-      s.add_development_dependency(%q<rspec>.freeze, ["~> 3.9.0"])
-      s.add_development_dependency(%q<rspec-its>.freeze, ["~> 1.3.0"])
-      s.add_development_dependency(%q<bundler>.freeze, ["~> 2.1.4"])
-      s.add_development_dependency(%q<jeweler>.freeze, ["~> 2.3.9"])
-    else
-      s.add_dependency(%q<rainbow>.freeze, [">= 0"])
-      s.add_dependency(%q<awesome_print>.freeze, [">= 0"])
-      s.add_dependency(%q<iostruct>.freeze, [">= 0.0.4"])
-      s.add_dependency(%q<multipart-post>.freeze, [">= 2.0.0"])
-      s.add_dependency(%q<zhexdump>.freeze, [">= 0.0.2"])
-      s.add_dependency(%q<rspec>.freeze, ["~> 3.9.0"])
-      s.add_dependency(%q<rspec-its>.freeze, ["~> 1.3.0"])
-      s.add_dependency(%q<bundler>.freeze, ["~> 2.1.4"])
-      s.add_dependency(%q<jeweler>.freeze, ["~> 2.3.9"])
-    end
+  if s.respond_to? :add_runtime_dependency then
+    s.add_runtime_dependency(%q<rainbow>.freeze, [">= 0"])
+    s.add_runtime_dependency(%q<awesome_print>.freeze, [">= 0"])
+    s.add_runtime_dependency(%q<iostruct>.freeze, [">= 0.0.4"])
+    s.add_runtime_dependency(%q<multipart-post>.freeze, [">= 2.0.0"])
+    s.add_runtime_dependency(%q<zhexdump>.freeze, [">= 0.0.2"])
+    s.add_development_dependency(%q<rspec>.freeze, ["~> 3.9.0"])
+    s.add_development_dependency(%q<rspec-its>.freeze, ["~> 1.3.0"])
+    s.add_development_dependency(%q<bundler>.freeze, ["~> 2.2.3"])
+    s.add_development_dependency(%q<jeweler>.freeze, ["~> 2.3.9"])
   else
     s.add_dependency(%q<rainbow>.freeze, [">= 0"])
     s.add_dependency(%q<awesome_print>.freeze, [">= 0"])
@@ -106,7 +94,7 @@ Gem::Specification.new do |s|
     s.add_dependency(%q<zhexdump>.freeze, [">= 0.0.2"])
     s.add_dependency(%q<rspec>.freeze, ["~> 3.9.0"])
     s.add_dependency(%q<rspec-its>.freeze, ["~> 1.3.0"])
-    s.add_dependency(%q<bundler>.freeze, ["~> 2.1.4"])
+    s.add_dependency(%q<bundler>.freeze, ["~> 2.2.3"])
     s.add_dependency(%q<jeweler>.freeze, ["~> 2.3.9"])
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.6.1
+  version: 0.6.2
 platform: ruby
 authors:
 - Andrey "Zed" Zaikin
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-07-28 00:00:00.000000000 Z
+date: 2021-02-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rainbow
@@ -114,14 +114,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.1.4
+        version: 2.2.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.1.4
+        version: 2.2.3
 - !ruby/object:Gem::Dependency
   name: jeweler
   requirement: !ruby/object:Gem::Requirement
@@ -145,8 +145,7 @@ extra_rdoc_files:
 - LICENSE.txt
 - README.md
 files:
-- ".github/FUNDING.yml"
-- ".github/dependabot.yml"
+- ".github/workflows/rubocop-analysis.yml"
 - CODE_OF_CONDUCT.md
 - Gemfile
 - Gemfile.lock
@@ -192,12 +191,11 @@ files:
 - misc/aspack/lzxdec.h
 - misc/nedump.c
 - pedump.gemspec
-- rich.py
 homepage: http://github.com/zed-0xff/pedump
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -212,9 +210,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.10
-signing_key: 
+rubygems_version: 3.2.3
+signing_key:
 specification_version: 4
 summary: dump win32 PE executable files with a pure ruby
 test_files: []

data/.github/FUNDING.yml

@@ -1,2 +0,0 @@
-#github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
-ko_fi: zed_0xff

data/.github/dependabot.yml

@@ -1,8 +0,0 @@
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-updates:
-  - package-ecosystem: bundler
-    directory: "/"
-    schedule:
-      interval: "weekly"

data/rich.py

@@ -1,353 +0,0 @@
-#!/usr/bin/env python
-# based on code from http://trendystephen.blogspot.be/2008/01/rich-header.html
-import sys
-import struct
-
-# I'm trying not to bury the magic number...
-CHECKSUM_MASK = 0x536e6144 # DanS (actuall SnaD)
-RICH_TEXT = 'Rich'
-RICH_TEXT_LENGTH = len(RICH_TEXT)
-PE_START = 0x3c
-PE_FIELD_LENGTH = 4
-
-# most of values up to AliasObj900 are from old MSVC leak with private PDBs; 
-# rest is from guesses/observations
-PRODID_MAP = {
-  0: "Unknown",
-  1: "Import0",
-  2: "Linker510",
-  3: "Cvtomf510",
-  4: "Linker600",
-  5: "Cvtomf600",
-  6: "Cvtres500",
-  7: "Utc11_Basic",
-  8: "Utc11_C",
-  9: "Utc12_Basic",
-  10: "Utc12_C",
-  11: "Utc12_CPP",
-  12: "AliasObj60",
-  13: "VisualBasic60",
-  14: "Masm613",
-  15: "Masm710",
-  16: "Linker511",
-  17: "Cvtomf511",
-  18: "Masm614",
-  19: "Linker512",
-  20: "Cvtomf512",
-  21: "Utc12_C_Std",
-  22: "Utc12_CPP_Std",
-  23: "Utc12_C_Book",
-  24: "Utc12_CPP_Book",
-  25: "Implib700",
-  26: "Cvtomf700",
-  27: "Utc13_Basic",
-  28: "Utc13_C",
-  29: "Utc13_CPP",
-  30: "Linker610",
-  31: "Cvtomf610",
-  32: "Linker601",
-  33: "Cvtomf601",
-  34: "Utc12_1_Basic",
-  35: "Utc12_1_C",
-  36: "Utc12_1_CPP",
-  37: "Linker620",
-  38: "Cvtomf620",
-  39: "AliasObj70",
-  40: "Linker621",
-  41: "Cvtomf621",
-  42: "Masm615",
-  43: "Utc13_LTCG_C",
-  44: "Utc13_LTCG_CPP",
-  45: "Masm620",
-  46: "ILAsm100",
-  47: "Utc12_2_Basic",
-  48: "Utc12_2_C",
-  49: "Utc12_2_CPP",
-  50: "Utc12_2_C_Std",
-  51: "Utc12_2_CPP_Std",
-  52: "Utc12_2_C_Book",
-  53: "Utc12_2_CPP_Book",
-  54: "Implib622",
-  55: "Cvtomf622",
-  56: "Cvtres501",
-  57: "Utc13_C_Std",
-  58: "Utc13_CPP_Std",
-  59: "Cvtpgd1300",
-  60: "Linker622",
-  61: "Linker700",
-  62: "Export622",
-  63: "Export700",
-  64: "Masm700",
-  65: "Utc13_POGO_I_C",
-  66: "Utc13_POGO_I_CPP",
-  67: "Utc13_POGO_O_C",
-  68: "Utc13_POGO_O_CPP",
-  69: "Cvtres700",
-  70: "Cvtres710p",
-  71: "Linker710p",
-  72: "Cvtomf710p",
-  73: "Export710p",
-  74: "Implib710p",
-  75: "Masm710p",
-  76: "Utc1310p_C",
-  77: "Utc1310p_CPP",
-  78: "Utc1310p_C_Std",
-  79: "Utc1310p_CPP_Std",
-  80: "Utc1310p_LTCG_C",
-  81: "Utc1310p_LTCG_CPP",
-  82: "Utc1310p_POGO_I_C",
-  83: "Utc1310p_POGO_I_CPP",
-  84: "Utc1310p_POGO_O_C",
-  85: "Utc1310p_POGO_O_CPP",
-  86: "Linker624",
-  87: "Cvtomf624",
-  88: "Export624",
-  89: "Implib624",
-  90: "Linker710",
-  91: "Cvtomf710",
-  92: "Export710",
-  93: "Implib710",
-  94: "Cvtres710",
-  95: "Utc1310_C",
-  96: "Utc1310_CPP",
-  97: "Utc1310_C_Std",
-  98: "Utc1310_CPP_Std",
-  99: "Utc1310_LTCG_C",
-  100: "Utc1310_LTCG_CPP",
-  101: "Utc1310_POGO_I_C",
-  102: "Utc1310_POGO_I_CPP",
-  103: "Utc1310_POGO_O_C",
-  104: "Utc1310_POGO_O_CPP",
-  105: "AliasObj710",
-  106: "AliasObj710p",
-  107: "Cvtpgd1310",
-  108: "Cvtpgd1310p",
-  109: "Utc1400_C",
-  110: "Utc1400_CPP",
-  111: "Utc1400_C_Std",
-  112: "Utc1400_CPP_Std",
-  113: "Utc1400_LTCG_C",
-  114: "Utc1400_LTCG_CPP",
-  115: "Utc1400_POGO_I_C",
-  116: "Utc1400_POGO_I_CPP",
-  117: "Utc1400_POGO_O_C",
-  118: "Utc1400_POGO_O_CPP",
-  119: "Cvtpgd1400",
-  120: "Linker800",
-  121: "Cvtomf800",
-  122: "Export800",
-  123: "Implib800",
-  124: "Cvtres800",
-  125: "Masm800",
-  126: "AliasObj800",
-  127: "PhoenixPrerelease",
-  128: "Utc1400_CVTCIL_C",
-  129: "Utc1400_CVTCIL_CPP",
-  130: "Utc1400_LTCG_MSIL",
-  131: "Utc1500_C",
-  132: "Utc1500_CPP",
-  133: "Utc1500_C_Std",
-  134: "Utc1500_CPP_Std",
-  135: "Utc1500_CVTCIL_C",
-  136: "Utc1500_CVTCIL_CPP",
-  137: "Utc1500_LTCG_C",
-  138: "Utc1500_LTCG_CPP",
-  139: "Utc1500_LTCG_MSIL",
-  140: "Utc1500_POGO_I_C",
-  141: "Utc1500_POGO_I_CPP",
-  142: "Utc1500_POGO_O_C",
-  143: "Utc1500_POGO_O_CPP",
-
-  144: "Cvtpgd1500",
-  145: "Linker900",
-  146: "Export900",
-  147: "Implib900",
-  148: "Cvtres900",
-  149: "Masm900",
-  150: "AliasObj900",
-  151: "Resource900",
-
-  152: "AliasObj1000",
-  154: "Cvtres1000",
-  155: "Export1000",
-  156: "Implib1000",
-  157: "Linker1000",
-  158: "Masm1000",
-
-  170: "Utc1600_C",
-  171: "Utc1600_CPP",
-  172: "Utc1600_CVTCIL_C",
-  173: "Utc1600_CVTCIL_CPP",
-  174: "Utc1600_LTCG_C ",
-  175: "Utc1600_LTCG_CPP",
-  176: "Utc1600_LTCG_MSIL",
-  177: "Utc1600_POGO_I_C",
-  178: "Utc1600_POGO_I_CPP",
-  179: "Utc1600_POGO_O_C",
-  180: "Utc1600_POGO_O_CPP",
-  
-  # vvv
-  183: "Linker1010",
-  184: "Export1010",
-  185: "Implib1010",
-  186: "Cvtres1010",
-  187: "Masm1010",
-  188: "AliasObj1010",
-  # ^^^
-
-  199: "AliasObj1100",
-  201: "Cvtres1100",
-  202: "Export1100",
-  203: "Implib1100",
-  204: "Linker1100",
-  205: "Masm1100",
-
-  206: "Utc1700_C",
-  207: "Utc1700_CPP",
-  208: "Utc1700_CVTCIL_C",
-  209: "Utc1700_CVTCIL_CPP",
-  210: "Utc1700_LTCG_C ",
-  211: "Utc1700_LTCG_CPP",
-  212: "Utc1700_LTCG_MSIL",
-  213: "Utc1700_POGO_I_C",
-  214: "Utc1700_POGO_I_CPP",
-  215: "Utc1700_POGO_O_C",
-  216: "Utc1700_POGO_O_CPP",
-}
-
-##
-# A convenient exception to raise if the Rich Header doesn't exist.
-class RichHeaderNotFoundException(Exception):
-    def __init__(self):
-        Exception.__init__(self, "Rich footer does not appear to exist")
-
-##
-# Locate the body of the data that contains the rich header This will be
-# (roughly) between 0x3c and the beginning of the PE header, but the entire
-# thing up to the last checksum will be needed in order to verify the header.
-def get_file_header(file_name):
-    f = open(file_name,'rb')
-
-    #start with 0x3c
-    f.seek(PE_START)
-    data = f.read(PE_FIELD_LENGTH)
-
-    if data == '': #File is empty, bail
-        raise RichHeaderNotFoundException()
-    end = struct.unpack('<L',data)[0] # get the value at 0x3c
-
-    f.seek(0)
-    data = f.read( end ) # read until that value is reached
-    f.close()
-
-    return data
-
-##
-# This class assists in parsing the Rich Header from PE Files.
-# The Rich Header is the section in the PE file following the dos stub but
-# preceding the lfa_new header which is inserted by link.exe when building with
-# the Microsoft Compilers.  The Rich Heder contains the following:
-# <pre>
-# marker, checksum, checksum, checksum, 
-# R_compid_i, R_occurrence_i, 
-# R_compid_i+1, R_occurrence_i+1, ...  
-# R_compid_N-1, R_occurrence_N-1, Rich, marker
-#
-# marker = checksum XOR 0x536e6144
-# R_compid_i is the ith compid XORed with the checksum
-# R_occurrence_i is the ith occurrence  XORed with the checksum
-# Rich = the text string 'Rich'
-# The checksum is the sum of all the PE Header values rotated by their
-# offset and the sum of all compids rotated by their occurrence counts.  
-# </pre>
-# @see _validate_checksum code for checksum calculation
-class ParsedRichHeader:
-    ##
-    # Creates a ParsedRichHeader from the specified PE File.
-    # @throws RichHeaderNotFoundException if the file does not contain a rich header
-    # @param file_name The PE File to be parsed
-    def __init__(self, file_name):
-        ## The file that was parsed
-        self.file_name = file_name
-        self._parse( file_name )
-
-    ##
-    # Used internally to parse the PE File and extract Rich Header data.
-    # Initializes self.compids and self.valid_checksum. 
-    # @param file_name The PE File to be parsed
-    # @throws RichHeaderNotFoundException if the file does not contain a rich header
-    def _parse(self,file_name):
-        #make sure there is a header:
-        data = get_file_header( file_name )
-
-        compid_end_index = data.find(RICH_TEXT) 
-        if compid_end_index == -1:
-            raise RichHeaderNotFoundException()
-
-        rich_offset = compid_end_index + RICH_TEXT_LENGTH
-
-        checksum_text = data[rich_offset:rich_offset+4] 
-        checksum_value = struct.unpack('<L', checksum_text)[0]
-        #start marker denotes the beginning of the rich header
-        start_marker = struct.pack('<LLLL',checksum_value ^ CHECKSUM_MASK, checksum_value, checksum_value, checksum_value )[0] 
-
-        rich_header_start = data.find(start_marker)
-        if rich_header_start == -1:
-            raise RichHeaderNotFoundException()
-
-        compid_start_index = rich_header_start + 16 # move past the marker and 3 checksums
-
-        compids = dict()
-        for i in range(compid_start_index, compid_end_index, 8):
-            compid = struct.unpack('<L',data[i:i+4])[0] ^ checksum_value
-            count = struct.unpack('<L',data[i+4:i+8])[0] ^ checksum_value
-            compids[compid]=count
-        
-        ## A dictionary of compids and their occurrence counts
-        self.compids = compids
-        ## A value for later reference to see if the checksum was valid
-        self.valid_checksum = self._validate_checksum( data, rich_header_start, checksum_value )
-
-    ##
-    # Compute the checksum value and see if it matches the checksum stored in
-    # the Rich Header.
-    # The checksum is the sum of all the PE Header values rotated by their
-    # offset and the sum of all compids rotated by their occurrence counts
-    # @param data A blob of binary data that corresponds to the PE Header data
-    # @param rich_header_start The offset to marker, checksum, checksum, checksum
-    # @returns True if the checksum is valid, false otherwise
-    def _validate_checksum(self, data, rich_header_start, checksum):
-
-        #initialize the checksum offset at which the rich header is located
-        cksum = rich_header_start
-
-        #add the value from the pe header after rotating the value by its offset in the pe header
-        for i in range(0,rich_header_start):
-            if PE_START <= i <= PE_START+PE_FIELD_LENGTH-1:
-                continue
-            temp = ord(data[i])
-            cksum+= ((temp << (i%32)) | (temp >> (32-(i%32))) & 0xff)
-            cksum &=0xffffffff
-
-        #add each compid to the checksum after rotating it by its occurrence count
-        for k in self.compids.keys():
-            cksum += (k << self.compids[k]%32 | k >> ( 32 - (self.compids[k]%32)))
-            cksum &=0xffffffff
-
-        ## A convenient place for storing the checksum that was computing during checksum validation
-        self.checksum = cksum
-
-        return cksum == checksum
-
-if __name__ == "__main__":
-    ph = ParsedRichHeader(sys.argv[1])
-    print ("PRODID   name            build count")
-    for key in ph.compids.keys():
-        count = ph.compids[key]
-        prodid, build = (key>>16), key&0xFFFF
-        prodid_name = PRODID_MAP[prodid] if prodid in PRODID_MAP else "<unknown>"
-        print ('%6d   %-15s %5d %5d' % (prodid, prodid_name, build, count))
-    if ph.valid_checksum:
-        print ("Checksum valid")
-    else:
-        print("Checksum not valid!")