pedump 
Description
A pure ruby implementation of win32 PE binary files dumper.
Supported formats:
- DOS MZ EXE
- win16 NE
- win32 PE
- win64 PE
Can dump:
- MZ/NE/PE Header
- DOS stub
- 'Rich' Header
- Data Directory
- Sections
- Resources
- Strings
- Imports & Exports
- VS_VERSIONINFO parsing
- PE Packer/Compiler detection
- a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
Installation
gem install pedump
Usage
# pedump -h
Usage: pedump [options]
--version Print version information and exit
-v, --verbose Run verbosely
(can be used multiple times)
-q, --quiet Silent any warnings
(can be used multiple times)
-F, --force Try to dump by all means
(can cause exceptions & heavy wounds)
-f, --format FORMAT Output format: bin,c,dump,hex,inspect,table,yaml
(default: table)
--mz
--dos-stub
--rich
--pe
--ne
--data-directory
-S, --sections
--tls
--security
-s, --strings
-R, --resources
--resource-directory
-I, --imports
-E, --exports
-V, --version-info
--packer
--deep packer deep scan, significantly slower
-P, --packer-only packer/compiler detect only,
mimics 'file' command output
-r, --recursive recurse dirs in packer detect
--all Dump all but resource-directory (default)
--va2file VA Convert RVA to file offset
-W, --web Uploads files to a http://pedump.me
for a nice HTML tables with image previews,
candies & stuff
MZ Header
# pedump --mz calc.exe
=== MZ Header ===
signature: "MZ"
bytes_in_last_block: 144 0x90
blocks_in_file: 3 3
num_relocs: 0 0
header_paragraphs: 4 4
min_extra_paragraphs: 0 0
max_extra_paragraphs: 65535 0xffff
ss: 0 0
sp: 184 0xb8
checksum: 0 0
ip: 0 0
cs: 0 0
reloc_table_offset: 64 0x40
overlay_number: 0 0
reserved0: 0 0
oem_id: 0 0
oem_info: 0 0
reserved2: 0 0
reserved3: 0 0
reserved4: 0 0
reserved5: 0 0
reserved6: 0 0
lfanew: 232 0xe8
DOS stub
# pedump --dos-stub calc.exe
=== DOS STUB ===
00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
'Rich' Header
# pedump --rich calc.exe
=== RICH Header ===
LIB_ID VERSION TIMES_USED
149 95 21022 521e 9 9
1 1 0 0 367 16f
147 93 21022 521e 29 1d
132 84 21022 521e 129 81
131 83 21022 521e 25 19
148 94 21022 521e 1 1
145 91 21022 521e 1 1
PE Header
# pedump --pe calc.exe
=== PE Header ===
signature: "PE\x00\x00"
# IMAGE_FILE_HEADER:
Machine: 332 0x14c x86
NumberOfSections: 4 4
TimeDateStamp: "2008-09-14 07:28:52"
PointerToSymbolTable: 0 0
NumberOfSymbols: 0 0
SizeOfOptionalHeader: 224 0xe0
Characteristics: 258 0x102 EXECUTABLE_IMAGE, 32BIT_MACHINE
# IMAGE_OPTIONAL_HEADER32:
Magic: 267 0x10b 32-bit executable
LinkerVersion: 9.0
SizeOfCode: 305664 0x4aa00
SizeOfInitializedData: 340480 0x53200
SizeOfUninitializedData: 0 0
AddressOfEntryPoint: 230155 0x3830b
BaseOfCode: 4096 0x1000
BaseOfData: 311296 0x4c000
ImageBase: 16777216 0x1000000
SectionAlignment: 4096 0x1000
FileAlignment: 512 0x200
OperatingSystemVersion: 5.1
ImageVersion: 5.256
SubsystemVersion: 5.1
Reserved1: 0 0
SizeOfImage: 659456 0xa1000
SizeOfHeaders: 1024 0x400
CheckSum: 690555 0xa897b
Subsystem: 2 2 WINDOWS_GUI
DllCharacteristics: 33088 0x8140 DYNAMIC_BASE, NX_COMPAT
TERMINAL_SERVER_AWARE
SizeOfStackReserve: 262144 0x40000
SizeOfStackCommit: 8192 0x2000
SizeOfHeapReserve: 1048576 0x100000
SizeOfHeapCommit: 4096 0x1000
LoaderFlags: 0 0
NumberOfRvaAndSizes: 16 0x10
Data Directory
# pedump --data-directory calc.exe
=== DATA DIRECTORY ===
EXPORT rva:0x 0 size:0x 0
IMPORT rva:0x 49c1c size:0x 12c
RESOURCE rva:0x 51000 size:0x 4ab07
EXCEPTION rva:0x 0 size:0x 0
SECURITY rva:0x 0 size:0x 0
BASERELOC rva:0x 9c000 size:0x 3588
DEBUG rva:0x 1610 size:0x 1c
ARCHITECTURE rva:0x 0 size:0x 0
GLOBALPTR rva:0x 0 size:0x 0
TLS rva:0x 0 size:0x 0
LOAD_CONFIG rva:0x 3d78 size:0x 40
Bound_IAT rva:0x 280 size:0x 12c
IAT rva:0x 1000 size:0x 594
Delay_IAT rva:0x 49bac size:0x 40
CLR_Header rva:0x 0 size:0x 0
rva:0x 0 size:0x 0
Sections
# pedump --sections calc.exe
=== SECTIONS ===
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
.text 1000 4a99a 4aa00 400 0 0 0 0 60000020 R-X CODE
.data 4c000 431c 3000 4ae00 0 0 0 0 c0000040 RW- IDATA
.rsrc 51000 4ab07 4ac00 4de00 0 0 0 0 40000040 R-- IDATA
.reloc 9c000 41f6 4200 98a00 0 0 0 0 42000040 R-- IDATA DISCARDABLE
Resources
# pedump --resources calc.exe
=== RESOURCES ===
FILE_OFFSET CP LANG SIZE TYPE NAME
0x4ec84 0 0x409 7465 IMAGE #157
0x509b0 0 0x409 4086 IMAGE #165
0x519a8 0 0x409 4234 IMAGE #170
0x52a34 0 0x409 4625 IMAGE #175
0x53c48 0 0x409 4873 IMAGE #180
0x54f54 0 0x409 3048 IMAGE #204
0x55b3c 0 0x409 3052 IMAGE #208
0x56728 0 0x409 3217 IMAGE #212
0x573bc 0 0x409 3338 IMAGE #216
0x580c8 0 0x409 4191 IMAGE #217
0x59128 0 0x409 4229 IMAGE #218
0x5a1b0 0 0x409 4110 IMAGE #219
0x5b1c0 0 0x409 4065 IMAGE #220
0x5c1a4 0 0x409 3235 IMAGE #961
0x5ce48 0 0x409 470 IMAGE #981
0x5d020 0 0x409 587 IMAGE #982
0x5d26c 0 0x409 518 IMAGE #983
0x5d474 0 0x409 5344 IMAGE #3000
0x5e954 0 0x409 4154 IMAGE #3015
0x5f990 0 0x409 4815 IMAGE #3045
0x60c60 0 0x409 6038 IMAGE #3051
0x623f8 0 0x409 4290 IMAGE #3060
...
Strings
# pedump --strings calc.exe.mui
=== STRINGS ===
ID ID LANG STRING
0 0 409 "+/-"
1 1 409 "C"
2 2 409 "CE"
3 3 409 "Backspace"
4 4 409 "."
6 6 409 "And"
7 7 409 "Or"
8 8 409 "Xor"
9 9 409 "Lsh"
10 a 409 "Rsh"
11 b 409 "/"
12 c 409 "*"
13 d 409 "+"
14 e 409 "-"
15 f 409 "Mod"
16 10 409 "R"
17 11 409 "^"
18 12 409 "Int"
19 13 409 "RoL"
20 14 409 "RoR"
21 15 409 "Not"
22 16 409 "sin"
...
Imports
# pedump --imports zlib.dll
=== IMPORTS ===
MODULE_NAME HINT ORD FUNCTION_NAME
KERNEL32.dll e1 GetLastError
KERNEL32.dll 153 HeapAlloc
KERNEL32.dll 159 HeapFree
KERNEL32.dll 9f GetCommandLineA
KERNEL32.dll 103 GetProcAddress
KERNEL32.dll eb GetModuleHandleA
KERNEL32.dll 137 GetVersion
KERNEL32.dll 164 InitializeCriticalSection
KERNEL32.dll 44 DeleteCriticalSection
KERNEL32.dll 4f EnterCriticalSection
KERNEL32.dll 177 LeaveCriticalSection
KERNEL32.dll 1fa SetHandleCount
KERNEL32.dll dc GetFileType
KERNEL32.dll 116 GetStdHandle
KERNEL32.dll 114 GetStartupInfoA
KERNEL32.dll 155 HeapCreate
KERNEL32.dll 157 HeapDestroy
KERNEL32.dll c7 GetCurrentThreadId
KERNEL32.dll 222 TlsSetValue
KERNEL32.dll 21f TlsAlloc
KERNEL32.dll 220 TlsFree
KERNEL32.dll 1fd SetLastError
KERNEL32.dll 221 TlsGetValue
KERNEL32.dll 62 ExitProcess
KERNEL32.dll 1b8 ReadFile
KERNEL32.dll 16 CloseHandle
KERNEL32.dll 24f WriteFile
KERNEL32.dll 83 FlushFileBuffers
KERNEL32.dll e9 GetModuleFileNameA
KERNEL32.dll 98 GetCPInfo
KERNEL32.dll 92 GetACP
KERNEL32.dll f6 GetOEMCP
KERNEL32.dll 8b FreeEnvironmentStringsA
KERNEL32.dll d0 GetEnvironmentStrings
KERNEL32.dll 8c FreeEnvironmentStringsW
KERNEL32.dll d2 GetEnvironmentStringsW
KERNEL32.dll 242 WideCharToMultiByte
KERNEL32.dll 2b CreateFileA
KERNEL32.dll 1f8 SetFilePointer
KERNEL32.dll 206 SetStdHandle
KERNEL32.dll 178 LoadLibraryA
KERNEL32.dll 1ef SetEndOfFile
Exports
# pedump --exports zlib.dll
=== EXPORTS ===
# module "zlib.dll"
# flags=0x0 ts="1996-05-07 08:46:46" version=0.0 ord_base=1
# nFuncs=27 nNames=27
ORD ENTRY_VA NAME
1 76d0 adler32
2 2db0 compress
3 4aa0 crc32
4 3c90 deflate
5 4060 deflateCopy
6 3fd0 deflateEnd
7 37f0 deflateInit2_
8 37c0 deflateInit_
9 3bc0 deflateParams
a 3b40 deflateReset
b 3a40 deflateSetDictionary
c 7510 gzclose
d 6f00 gzdopen
e 75a0 gzerror
f 73f0 gzflush
10 6c50 gzopen
11 7190 gzread
12 7350 gzwrite
13 4e50 inflate
14 4cc0 inflateEnd
15 4d20 inflateInit2_
16 4e30 inflateInit_
17 4c70 inflateReset
18 5260 inflateSetDictionary
19 52f0 inflateSync
1a 4bd0 uncompress
1b e340 zlib_version
VS_VERSIONINFO parsing
# pedump --version-info calc.exe
=== VERSION INFO ===
# VS_FIXEDFILEINFO:
FileVersion : 6.1.6801.0
ProductVersion : 6.1.6801.0
StrucVersion : 0x10000
FileFlagsMask : 0x3f
FileFlags : 0
FileOS : 0x40004
FileType : 1
FileSubtype : 0
# StringTable 040904B0:
CompanyName : "Microsoft Corporation"
FileDescription : "Windows Calculator"
FileVersion : "6.1.6801.0 (winmain_win7m3.080913-2030)"
InternalName : "CALC"
LegalCopyright : "© Microsoft Corporation. All rights reserved."
OriginalFilename : "CALC.EXE"
ProductName : "Microsoft® Windows® Operating System"
ProductVersion : "6.1.6801.0"
VarFileInfo : [ 0x409, 0x4b0 ]
Packer / Compiler detection
# pedump --packer zlib.dll
=== Packer / Compiler ===
MS Visual C v2.0
pedump can mimic 'file' command output:
#pedump --packer-only -qqq samples/*
samples/StringLoader.dll: Microsoft Visual C++ 6.0 DLL (Debug)
samples/control.exe: ASPack v2.12
samples/gms_v1_0_3.exe: UPX 2.90 [LZMA] (Markus Oberhumer, Laszlo Molnar & John Reiser)
samples/unpackme.exe: ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
samples/zlib.dll: Microsoft Visual C v2.0
License
Released under the MIT License. See the LICENSE file for further details.