Class: PEdump::RichHdr

Inherits:

String

• Object
• String
• PEdump::RichHdr

Defined in:

lib/pedump.rb

Overview

ntcore.com/files/richsign.htm

Defined Under Namespace

Classes: Entry

Instance Attribute Summary

• #key ⇒ Object

  xor key.

• #offset ⇒ Object

  xor key.

Class Method Summary

• .from_dos_stub(stub) ⇒ Object

Instance Method Summary

• #decode ⇒ Object
• #dexor ⇒ Object

Methods inherited from String

#xor

Instance Attribute Details

#key ⇒ Object

xor key

# File 'lib/pedump.rb', line 250

def key
  @key
end

#offset ⇒ Object

xor key

# File 'lib/pedump.rb', line 250

def offset
  @offset
end

Class Method Details

.from_dos_stub(stub) ⇒ Object

# File 'lib/pedump.rb', line 258

def self.from_dos_stub stub
  key = stub[stub.index('Rich')+4,4]
  start_idx = stub.index(key.xor('DanS'))
  end_idx   = stub.index('Rich')+8
  if stub[end_idx..-1].tr("\x00",'') != ''
    t = stub[end_idx..-1]
    t = "#{t[0,0x100]}..." if t.size > 0x100
    PEdump.logger.error "[!] non-zero dos stub after rich_hdr: #{t.inspect}"
    return nil
  end
  RichHdr.new(stub[start_idx, end_idx-start_idx]).tap do |x|
    x.key = key
    x.offset = stub.offset + start_idx
  end
end

Instance Method Details

#decode ⇒ Object

# File 'lib/pedump.rb', line 278

def decode
  x = dexor
  if x.size%8 == 0
    x.unpack('vvV'*(x.size/8)).each_slice(3).map{ |slice| Entry.new(*slice)}
  else
    PEdump.logger.error "[?] #{self.class}: dexored size(#{x.size}) must be a multiple of 8"
    nil
  end
end

#dexor ⇒ Object

# File 'lib/pedump.rb', line 274

def dexor
  self[4..-9].sub(/\A(#{Regexp::escape(key)}){3}/,'').xor(key)
end