require 'spec_helper'
require 'rex/peparsey'
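RSpec.describe 'PE template binaries' do
  templates_dir = File.expand_path('../../../../data/templates', __FILE__)

  # Architecture expectations keyed by filename pattern. The value is the
  # Machine field the PE file header must carry for that template, so a
  # template that was rebuilt (or swapped in) for the wrong architecture is
  # caught by the suite rather than at payload-generation time.
  #
  # Held in locals rather than constants, matching `templates_dir` below: a
  # constant assigned inside an RSpec.describe block is defined on Object,
  # leaks into every other spec and emits "already initialized constant"
  # warnings if the file is loaded twice.
  arch_expectations = {
    /\btemplate_x86_windows(_svc|_old|_dccw_gdiplus|_mixed_mode)?(\.256kib)?\.(exe|dll)\z/ => Rex::PeParsey::PeBase::IMAGE_FILE_MACHINE_I386,
    /\btemplate_x64_windows(_svc|_dccw_gdiplus|_mixed_mode)?(\.256kib)?\.(exe|dll)\z/ => Rex::PeParsey::PeBase::IMAGE_FILE_MACHINE_AMD64,
    /\btemplate_aarch64_windows\.exe\z/ => Rex::PeParsey::PeBase::IMAGE_FILE_MACHINE_ARM64
  }.freeze

  # Minimum subsystem version the EXE templates must support. DLLs are not
  # checked by the loader for this field, so we only enforce it on EXEs.
  # x86 EXEs must run on NT 4.0 (4.0); x64 EXEs must run on Server 2003 (5.2).
  exe_version_expectations = {
    /\btemplate_x86_windows(_svc)?\.exe\z/ => [4, 0],
    /\btemplate_x64_windows(_svc)?\.exe\z/ => [5, 2]
  }.freeze

  # Sorted so example ordering is stable across filesystems.
  templates = Dir.glob(File.join(templates_dir, 'template_*_windows*.{exe,dll}')).sort

  it 'has the expected set of PE templates present' do
    expect(templates).not_to be_empty
  end

  templates.each do |path|
    name = File.basename(path)

    describe name do
      # Parsed lazily per example; the second argument is handed to
      # Rex::PeParsey::Pe.new_from_file unchanged.
      let(:pe) { Rex::PeParsey::Pe.new_from_file(path, true) }
      after { pe.close if pe.respond_to?(:close) }

      # Only hit/miss matters here, so match? is used instead of =~ to avoid
      # allocating MatchData for every template name.
      arch_pattern, expected_machine = arch_expectations.find { |re, _| re.match?(name) }

      if arch_pattern
        it "has Machine matching its filename (0x#{expected_machine.to_s(16)})" do
          expect(pe.hdr.file.Machine).to eq(expected_machine)
        end
      else
        # A template with no declared architecture is a coverage gap, not a
        # pass: fail loudly so the table above gets extended.
        it 'is covered by an architecture expectation' do
          raise "no architecture expectation matches #{name}; update arch_expectations"
        end
      end

      version_pattern, version_expect = exe_version_expectations.find { |re, _| re.match?(name) }
      if version_pattern
        expected_major, expected_minor = version_expect

        it "has subsystem version #{expected_major}.#{expected_minor} so it runs on legacy Windows" do
          actual = [pe.hdr.opt.MajorSubsystemVersion, pe.hdr.opt.MinorSubsystemVersion]
          expect(actual).to eq([expected_major, expected_minor])
        end

        # The loader also compares the OS version pair; both fields must agree
        # with the subsystem version for the binary to start on the old OS.
        it "has OS version #{expected_major}.#{expected_minor}" do
          actual = [pe.hdr.opt.MajorOperatingSystemVersion, pe.hdr.opt.MinorOperatingSystemVersion]
          expect(actual).to eq([expected_major, expected_minor])
        end
      end
    end
  end
end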