ScuroNeko
/
VMProtect
mirror of https://github.com/Obfuscator-Collections/VMProtect.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
VMProtect/core/pefile.cc

6125 lines
182 KiB
C++
Raw Blame History

/**
* Support of PE executable files.
*/
#include "../runtime/common.h"
#include "../runtime/crypto.h"
#include "objects.h"
#include "osutils.h"
#include "streams.h"
#include "files.h"
#include "pefile.h"
#include "dotnetfile.h"
#include "processors.h"
#include "intel.h"
#include "lang.h"
#include "core.h"
#include "script.h"
#include "pdb.h"
#ifdef DEMO
#include "win_runtime32demo.dll.inc"
#include "win_runtime64demo.dll.inc"
#include "win_runtime32demo.sys.inc"
#include "win_runtime64demo.sys.inc"
#else
#include "win_runtime32.dll.inc"
#include "win_runtime64.dll.inc"
#include "win_runtime32.sys.inc"
#include "win_runtime64.sys.inc"
#endif
#include "dotnet20_runtime32.dll.inc"
#include "dotnet20_runtime64.dll.inc"
#include "dotnet40_runtime32.dll.inc"
#include "dotnet40_runtime64.dll.inc"
#include "netstandard_runtime32.dll.inc"
#include "netstandard_runtime64.dll.inc"
#include "netcore_runtime32.dll.inc"
#include "netcore_runtime64.dll.inc"
/**
* PESegment
*/
PESegment::PESegment(PESegmentList *owner)
: BaseSection(owner), address_(0), size_(0), physical_offset_(0), physical_size_(0), flags_(0)
{
}
PESegment::PESegment(PESegmentList *owner, uint64_t address, uint32_t size, uint32_t physical_offset,
uint32_t physical_size, uint32_t flags, const std::string &name)
: BaseSection(owner), name_(name), address_(address), size_(size), physical_offset_(physical_offset), physical_size_(physical_size), flags_(flags)
{
}
PESegment::PESegment(PESegmentList *owner, const PESegment &src)
: BaseSection(owner, src)
{
address_ = src.address_;
size_ = src.size_;
physical_offset_ = src.physical_offset_;
physical_size_ = src.physical_size_;
flags_ = src.flags_;
name_ = src.name_;
}
PESegment *PESegment::Clone(ISectionList *owner) const
{
PESegment *section = new PESegment(reinterpret_cast<PESegmentList *>(owner), *this);
return section;
}
void PESegment::ReadFromFile(PEArchitecture &file)
{
IMAGE_SECTION_HEADER section_header;
file.Read(&section_header, sizeof(section_header));
name_ = std::string(reinterpret_cast<char *>(&section_header.Name), strnlen(reinterpret_cast<char *>(&section_header.Name), sizeof(section_header.Name)));
size_ = section_header.Misc.VirtualSize;
address_ = section_header.VirtualAddress + file.image_base();
physical_offset_ = section_header.PointerToRawData;
physical_size_ = section_header.SizeOfRawData;
flags_ = section_header.Characteristics;
}
void PESegment::WriteToFile(PEArchitecture &file) const
{
IMAGE_SECTION_HEADER section_header = IMAGE_SECTION_HEADER();
memcpy(section_header.Name, name_.c_str(), std::min(name_.size(), sizeof(section_header.Name)));
section_header.Misc.VirtualSize = size_;
section_header.VirtualAddress = static_cast<uint32_t>(address_ - file.image_base());
section_header.PointerToRawData = (physical_size_) ? physical_offset_ : 0;
section_header.SizeOfRawData = physical_size_;
section_header.Characteristics = flags_;
file.Write(&section_header, sizeof(section_header));
}
uint32_t PESegment::memory_type() const
{
uint32_t res = mtNone;
if (flags_ & IMAGE_SCN_MEM_READ)
res |= mtReadable;
if (flags_ & IMAGE_SCN_MEM_WRITE)
res |= mtWritable;
if (flags_ & IMAGE_SCN_MEM_EXECUTE)
res |= mtExecutable;
if (flags_ & IMAGE_SCN_MEM_DISCARDABLE)
res |= mtDiscardable;
if (flags_ & IMAGE_SCN_MEM_NOT_PAGED)
res |= mtNotPaged;
if (flags_ & IMAGE_SCN_MEM_SHARED)
res |= mtShared;
return res;
}
void PESegment::update_type(uint32_t mt)
{
if (mt & mtReadable) {
flags_ |= IMAGE_SCN_MEM_READ;
if ((mt & mtExecutable) == 0)
flags_ |= IMAGE_SCN_CNT_INITIALIZED_DATA;
}
if (mt & mtWritable)
flags_ |= IMAGE_SCN_MEM_WRITE;
if (mt & mtExecutable)
flags_ |= IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE;
if ((mt & (mtDiscardable | mtNotDiscardable)) == mtDiscardable)
flags_ |= IMAGE_SCN_MEM_DISCARDABLE;
else
flags_ &= ~IMAGE_SCN_MEM_DISCARDABLE;
if (mt & mtNotPaged)
flags_ |= IMAGE_SCN_MEM_NOT_PAGED;
if (mt & mtShared)
flags_ |= IMAGE_SCN_MEM_SHARED;
}
void PESegment::Rebase(uint64_t delta_base)
{
address_ += delta_base;
}
/**
* PESegmentList
*/
PESegmentList::PESegmentList(PEArchitecture *owner)
: BaseSectionList(owner), header_segment_(NULL)
{
}
PESegmentList::PESegmentList(PEArchitecture *owner, const PESegmentList &src)
: BaseSectionList(owner, src), header_segment_(NULL)
{
if (src.header_segment_)
header_segment_ = src.header_segment_->Clone(NULL);
}
PESegmentList::~PESegmentList()
{
delete header_segment_;
}
PESegmentList *PESegmentList::Clone(PEArchitecture *owner) const
{
PESegmentList *section_list = new PESegmentList(owner, *this);
return section_list;
}
PESegment *PESegmentList::Add()
{
PESegment *section = new PESegment(this);
AddObject(section);
return section;
}
PESegment *PESegmentList::Add(uint64_t address, uint32_t size, uint32_t physical_offset, uint32_t physical_size, uint32_t flags, const std::string &name)
{
PESegment *section = new PESegment(this, address, size, physical_offset, physical_size, flags, name);
AddObject(section);
return section;
}
PESegment *PESegmentList::item(size_t index) const
{
return reinterpret_cast<PESegment *>(BaseSectionList::item(index));
}
PESegment *PESegmentList::GetSectionByAddress(uint64_t address) const
{
PESegment *res = reinterpret_cast<PESegment *>(BaseSectionList::GetSectionByAddress(address));
if (!res && header_segment_ && address >= header_segment_->address() && address < header_segment_->address() + header_segment_->size())
res = header_segment_;
return res;
}
PESegment *PESegmentList::last() const
{
return reinterpret_cast<PESegment *>(BaseSectionList::last());
}
void PESegmentList::ReadFromFile(PEArchitecture &file, uint32_t count)
{
Reserve(count);
for (size_t i = 0; i < count; i++) {
Add()->ReadFromFile(file);
}
if (header_segment_) {
delete header_segment_;
header_segment_ = NULL;
}
if (this->count()) {
PESegment *first_segment = item(0);
header_segment_ = new PESegment(NULL, file.image_base(), static_cast<uint32_t>(first_segment->address() - file.image_base()), 0, first_segment->physical_offset(), 0, ".header");
}
}
void PESegmentList::WriteToFile(PEArchitecture &file) const
{
for (size_t i = 0; i < count(); i++) {
item(i)->WriteToFile(file);
}
}
/**
* PESection
*/
PESection::PESection(PESectionList *owner, PESegment *parent, uint64_t address, uint64_t size, const std::string &name)
: BaseSection(owner), name_(name), address_(address), size_(size), parent_(parent)
{
}
PESection::PESection(PESectionList *owner, const PESection &src)
: BaseSection(owner, src)
{
address_ = src.address_;
size_ = src.size_;
name_ = src.name_;
parent_ = src.parent_;
}
PESection *PESection::Clone(ISectionList *owner) const
{
PESection *section = new PESection(reinterpret_cast<PESectionList *>(owner), *this);
return section;
}
void PESection::Rebase(uint64_t delta_base)
{
address_ += delta_base;
}
/**
* PESectionList
*/
PESectionList::PESectionList(PEArchitecture *owner)
: BaseSectionList(owner)
{
}
PESectionList::PESectionList(PEArchitecture *owner, const PESectionList &src)
: BaseSectionList(owner, src)
{
}
PESectionList *PESectionList::Clone(PEArchitecture *owner) const
{
PESectionList *section_list = new PESectionList(owner, *this);
return section_list;
}
PESection *PESectionList::item(size_t index) const
{
return reinterpret_cast<PESection *>(BaseSectionList::item(index));
}
PESection *PESectionList::Add(PESegment *parent, uint64_t address, uint64_t size, const std::string &name)
{
PESection *section = new PESection(this, parent, address, size, name);
AddObject(section);
return section;
}
/**
* PEDirectory
*/
PEDirectory::PEDirectory(PEDirectoryList *owner, uint32_t type)
: BaseLoadCommand(owner), address_(0), size_(0), type_(type), physical_size_(0)
{
}
PEDirectory::PEDirectory(PEDirectoryList *owner, const PEDirectory &src)
: BaseLoadCommand(owner, src)
{
address_ = src.address_;
size_ = src.size_;
type_ = src.type_;
physical_size_ = src.physical_size_;
}
PEDirectory *PEDirectory::Clone(ILoadCommandList *owner) const
{
PEDirectory *dir = new PEDirectory(reinterpret_cast<PEDirectoryList *>(owner), *this);
return dir;
}
void PEDirectory::clear()
{
address_ = 0;
size_ = 0;
physical_size_ = 0;
}
void PEDirectory::ReadFromFile(PEArchitecture &file)
{
IMAGE_DATA_DIRECTORY dir;
file.Read(&dir, sizeof(IMAGE_DATA_DIRECTORY));
address_ = (dir.VirtualAddress == 0) ? 0 : dir.VirtualAddress + file.image_base();
size_ = dir.Size;
}
void PEDirectory::WriteToFile(PEArchitecture &file) const
{
IMAGE_DATA_DIRECTORY dir;
dir.VirtualAddress = address_ ? static_cast<uint32_t>(address_ - file.image_base()) : 0;
dir.Size = size_;
file.Write(&dir, sizeof(IMAGE_DATA_DIRECTORY));
}
std::string PEDirectory::name() const
{
switch (type_) {
case IMAGE_DIRECTORY_ENTRY_EXPORT:
return std::string("Export");
case IMAGE_DIRECTORY_ENTRY_IMPORT:
return std::string("Import");
case IMAGE_DIRECTORY_ENTRY_RESOURCE:
return std::string("Resource");
case IMAGE_DIRECTORY_ENTRY_EXCEPTION:
return std::string("Exception");
case IMAGE_DIRECTORY_ENTRY_SECURITY:
return std::string("Security");
case IMAGE_DIRECTORY_ENTRY_BASERELOC:
return std::string("Relocation");
case IMAGE_DIRECTORY_ENTRY_DEBUG:
return std::string("Debug");
case IMAGE_DIRECTORY_ENTRY_ARCHITECTURE:
return std::string("Architecture");
case IMAGE_DIRECTORY_ENTRY_GLOBALPTR:
return std::string("Reserved");
case IMAGE_DIRECTORY_ENTRY_TLS:
return std::string("Thread Local Storage");
case IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
return std::string("Configuration");
case IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT:
return std::string("Bound Import");
case IMAGE_DIRECTORY_ENTRY_IAT:
return std::string("Import Address Table");
case IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT:
return std::string("Delay Import");
case IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
return std::string(".NET MetaData");
}
return BaseLoadCommand::name();
}
void PEDirectory::Rebase(uint64_t delta_base)
{
if (address_)
address_ += delta_base;
}
void PEDirectory::FreeByManager(MemoryManager &manager)
{
if (!address() || !physical_size())
return;
size_t size = physical_size();
manager.Add(address_, size);
IArchitecture *file = manager.owner();
for (size_t i = 0; i < size; i++) {
IFixup *fixup = file->fixup_list()->GetFixupByAddress(address_ + i);
if (fixup)
fixup->set_deleted(true);
}
}
/**
* PEDirectoryList
*/
PEDirectoryList::PEDirectoryList(PEArchitecture *owner)
: BaseCommandList(owner)
{
}
PEDirectoryList::PEDirectoryList(PEArchitecture *owner, const PEDirectoryList &src)
: BaseCommandList(owner, src)
{
}
PEDirectory *PEDirectoryList::item(size_t index) const
{
return reinterpret_cast<PEDirectory *>(BaseCommandList::item(index));
}
PEDirectoryList *PEDirectoryList::Clone(PEArchitecture *owner) const
{
PEDirectoryList *directory_list = new PEDirectoryList(owner, *this);
return directory_list;
}
PEDirectory *PEDirectoryList::Add(uint32_t type)
{
PEDirectory *dir = new PEDirectory(this, type);
AddObject(dir);
return dir;
}
PEDirectory *PEDirectoryList::GetCommandByType(uint32_t type) const
{
return reinterpret_cast<PEDirectory *>(BaseCommandList::GetCommandByType(type));
}
PEDirectory *PEDirectoryList::GetCommandByAddress(uint64_t address) const
{
for (size_t i = 0; i < count(); i++) {
PEDirectory *dir = item(i);
if (dir->address() == address)
return dir;
}
return NULL;
}
void PEDirectoryList::ReadFromFile(PEArchitecture &file, uint32_t count)
{
for (uint32_t i = 0; i < count; i++) {
Add(i)->ReadFromFile(file);
}
}
void PEDirectoryList::WriteToFile(PEArchitecture &file) const
{
for (size_t i = 0; i < count(); i++) {
item(i)->WriteToFile(file);
}
}
/**
* PEImportFunction
*/
PEImportFunction::PEImportFunction(PEImport *owner)
: BaseImportFunction(owner), name_address_(0), address_(0), is_ordinal_(false), ordinal_(0)
{
}
PEImportFunction::PEImportFunction(PEImport *owner, const std::string &name)
: BaseImportFunction(owner), name_(name), name_address_(0), address_(0), is_ordinal_(false), ordinal_(0)
{
}
PEImportFunction::PEImportFunction(PEImport *owner, uint64_t address, APIType type, MapFunction *map_function)
: BaseImportFunction(owner), name_address_(0), address_(address), ordinal_(0), is_ordinal_(false)
{
set_type(type);
set_map_function(map_function);
}
PEImportFunction::PEImportFunction(PEImport *owner, const PEImportFunction &src)
: BaseImportFunction(owner, src)
{
name_ = src.name_;
name_address_ = src.name_address_;
address_ = src.address_;
is_ordinal_ = src.is_ordinal_;
ordinal_ = src.ordinal_;
}
PEImportFunction *PEImportFunction::Clone(IImport *owner) const
{
PEImportFunction *func = new PEImportFunction(reinterpret_cast<PEImport *>(owner), *this);
return func;
}
bool PEImportFunction::ReadFromFile(PEArchitecture &file, uint32_t &rva)
{
address_ = rva + file.image_base();
if (file.cpu_address_size() == osDWord) {
IMAGE_THUNK_DATA32 thunk;
file.Read(&thunk, sizeof(thunk));
name_address_ = thunk.u1.AddressOfData;
if (!name_address_)
return false;
is_ordinal_ = IMAGE_SNAP_BY_ORDINAL32(name_address_);
rva += sizeof(uint32_t);
} else {
IMAGE_THUNK_DATA64 thunk;
file.Read(&thunk, sizeof(thunk));
name_address_ = thunk.u1.AddressOfData;
if (!name_address_)
return false;
is_ordinal_ = IMAGE_SNAP_BY_ORDINAL64(name_address_);
rva += sizeof(uint64_t);
}
if (is_ordinal_) {
ordinal_ = IMAGE_ORDINAL32(name_address_);
name_address_ = 0;
name_ = string_format("Ordinal: %.4X", ordinal_);
} else {
name_address_ += file.image_base();
uint64_t pos = file.Tell();
if (!file.AddressSeek(name_address_ + sizeof(WORD)))
throw std::runtime_error("Format error");
name_ = file.ReadString();
file.Seek(pos);
}
return true;
}
void PEImportFunction::FreeByManager(MemoryManager &manager, bool free_iat)
{
if (name_address_)
manager.Add(name_address_, sizeof(uint16_t) + name_.size() + 1);
if (address_ && free_iat && (options() & (ioHasDataReference | ioNoReferences)) == 0)
manager.Add(address_, OperandSizeToValue(manager.owner()->cpu_address_size()));
}
void PEImportFunction::Rebase(uint64_t delta_base)
{
if (name_address_)
name_address_ += delta_base;
if (address_)
address_ += delta_base;
}
bool PEImportFunction::IsInternal(const CompileContext &ctx) const
{
if ((options() & ioFromRuntime) == 0) {
if (ctx.options.flags & cpResourceProtection) {
if (type() >= atLoadResource && type() <= atEnumResourceTypesW)
return true;
}
}
return false;
}
std::string PEImportFunction::display_name(bool show_ret) const
{
return DemangleName(name_).display_name(show_ret);
}
/**
* PEImport
*/
PEImport::PEImport(PEImportList *owner)
: BaseImport(owner), name_address_(0), is_sdk_(false), original_first_thunk_address_(0), first_thunk_address_(0), time_stamp_(0), forwarder_chain_(0)
{
}
PEImport::PEImport(PEImportList *owner, bool is_sdk)
: BaseImport(owner), name_address_(0), is_sdk_(is_sdk), original_first_thunk_address_(0), first_thunk_address_(0), time_stamp_(0), forwarder_chain_(0)
{
}
PEImport::PEImport(PEImportList *owner, const std::string &name)
: BaseImport(owner), name_(name), name_address_(0), is_sdk_(false), original_first_thunk_address_(0), first_thunk_address_(0), time_stamp_(0), forwarder_chain_(0)
{
}
PEImport::PEImport(PEImportList *owner, const PEImport &src)
: BaseImport(owner, src)
{
name_ = src.name_;
is_sdk_ = src.is_sdk_;
name_address_ = src.name_address_;
original_first_thunk_address_ = src.original_first_thunk_address_;
first_thunk_address_ = src.first_thunk_address_;
time_stamp_ = src.time_stamp_;
forwarder_chain_ = src.forwarder_chain_;
}
PEImport *PEImport::Clone(IImportList *owner) const
{
PEImport *import = new PEImport(reinterpret_cast<PEImportList *>(owner), *this);
return import;
}
PEImportFunction *PEImport::item(size_t index) const
{
return reinterpret_cast<PEImportFunction *>(IImport::item(index));
}
bool PEImport::ReadFromFile(PEArchitecture &file)
{
static const ImportInfo kernel32_info[] = {
{atLoadResource, "LoadResource", ioNone, ctNone},
{atFindResourceA, "FindResourceA", ioNone, ctNone},
{atFindResourceExA, "FindResourceExA", ioNone, ctNone},
{atFindResourceW, "FindResourceW", ioNone, ctNone},
{atFindResourceExW, "FindResourceExW", ioNone, ctNone},
{atEnumResourceNamesA, "EnumResourceNamesA", ioNone, ctNone},
{atEnumResourceNamesW, "EnumResourceNamesW", ioNone, ctNone},
{atEnumResourceLanguagesA, "EnumResourceLanguagesA", ioNone, ctNone},
{atEnumResourceLanguagesW, "EnumResourceLanguagesW", ioNone, ctNone},
{atEnumResourceTypesA, "EnumResourceTypesA", ioNone, ctNone},
{atEnumResourceTypesW, "EnumResourceTypesW", ioNone, ctNone},
{atNone, "ExitProcess", ioNoReturn, ctNone},
{atNone, "ExitThread", ioNoReturn, ctNone},
{atNone, "FreeLibraryAndExitThread", ioNoReturn, ctNone},
{atNone, "GetVersion", ioNative, ctNone},
{atNone, "GetVersionExA", ioNative, ctNone},
{atNone, "GetVersionExW", ioNative, ctNone}
};
static const ImportInfo user32_info[] = {
{atLoadStringA, "LoadStringA", ioNone, ctNone},
{atLoadStringW, "LoadStringW", ioNone, ctNone}
};
static const ImportInfo msvbvm_info[] = {
{atNone, "__vbaError", ioNoReturn, ctNone},
{atNone, "__vbaErrorOverflow", ioNoReturn, ctNone},
{atNone, "__vbaStopExe", ioNoReturn, ctNone},
{atNone, "__vbaFailedFriend", ioNoReturn, ctNone},
{atNone, "__vbaEnd", ioNoReturn, ctNone},
{atNone, "__vbaFPException", ioNoReturn, ctNone},
{atNone, "__vbaGenerateBoundsError", ioNoReturn, ctNone},
{atNone, "Ordinal: 0064", ioNoReturn, ctNone},
};
static const ImportInfo default_info[] = {
{atNone, "@System@@Halt0$qqrv", ioNoReturn, ctNone},
{atNone, "exit", ioNoReturn, ctNone},
{atNone, "abort", ioNoReturn, ctNone},
{atNone, "?terminate@@YAXXZ", ioNoReturn, ctNone},
{atNone, "?unexpected@@YAXXZ", ioNoReturn, ctNone},
{atNone, "__std_terminate", ioNoReturn, ctNone},
{atNone, "?_Xout_of_range@std@@YAXPEBD@Z", ioNoReturn, ctNone},
{atNone, "?_Xlength_error@std@@YAXPEBD@Z", ioNoReturn, ctNone},
{atNone, "_CxxThrowException", ioNoReturn, ctNone},
};
IMAGE_IMPORT_DESCRIPTOR import_descriptor;
uint64_t pos;
PEImportFunction *func;
size_t i, j;
std::string dll_name;
file.Read(&import_descriptor, sizeof(import_descriptor));
if (!import_descriptor.FirstThunk)
return false;
pos = file.Tell();
name_address_ = import_descriptor.Name + file.image_base();
if (!file.AddressSeek(name_address_))
throw std::runtime_error("Format error");
name_ = file.ReadString();
original_first_thunk_address_ = import_descriptor.u.OriginalFirstThunk;
if (original_first_thunk_address_)
original_first_thunk_address_ += file.image_base();
first_thunk_address_ = import_descriptor.FirstThunk;
if (first_thunk_address_)
first_thunk_address_ += file.image_base();
if (!file.AddressSeek((original_first_thunk_address_ != 0) ? original_first_thunk_address_ : first_thunk_address_))
throw std::runtime_error("Format error");
time_stamp_ = import_descriptor.TimeDateStamp;
forwarder_chain_ = import_descriptor.ForwarderChain;
uint32_t rva = import_descriptor.FirstThunk;
while (true) {
func = new PEImportFunction(this);
if (!func->ReadFromFile(file, rva)) {
delete func;
break;
}
AddObject(func);
}
file.Seek(pos);
dll_name = name_;
std::transform(dll_name.begin(), dll_name.end(), dll_name.begin(), tolower);
std::string sdk_name;
if (file.image_type() == itDriver) {
if (dll_name.find('.') == (size_t)-1)
dll_name += ".sys";
sdk_name = string_format("vmprotectddk%d.sys", (file.cpu_address_size() == osDWord) ? 32 : 64);
} else {
if (dll_name.find('.') == (size_t)-1)
dll_name += ".dll";
sdk_name = string_format("vmprotectsdk%d.dll", (file.cpu_address_size() == osDWord) ? 32 : 64);
}
if (dll_name.compare(sdk_name) == 0) {
is_sdk_ = true;
for (i = 0; i < count(); i++) {
func = item(i);
const ImportInfo *import_info = owner()->GetSDKInfo(func->name());
if (import_info) {
func->set_type(import_info->type);
if (import_info->options & ioHasCompilationType) {
func->include_option(ioHasCompilationType);
func->set_compilation_type(import_info->compilation_type);
if (import_info->options & ioLockToKey)
func->include_option(ioLockToKey);
}
}
}
} else {
size_t c;
const ImportInfo *import_info;
if (dll_name.compare("kernel32.dll") == 0) {
import_info = kernel32_info;
c = _countof(kernel32_info);
} else if (dll_name.compare("user32.dll") == 0) {
import_info = user32_info;
c = _countof(user32_info);
} else if (dll_name.compare("msvbvm50.dll") == 0 || dll_name.compare("msvbvm60.dll") == 0) {
import_info = msvbvm_info;
c = _countof(msvbvm_info);
} else {
import_info = default_info;
c = _countof(default_info);
}
if (import_info) {
for (i = 0; i < count(); i++) {
func = item(i);
for (j = 0; j < c; j++) {
if (func->name().compare(import_info[j].name) == 0) {
func->set_type(import_info[j].type);
if (import_info[j].options & ioNative)
func->include_option(ioNative);
if (import_info[j].options & ioNoReturn)
func->include_option(ioNoReturn);
break;
}
}
}
}
}
return true;
}
bool PEImport::FreeByManager(MemoryManager &manager, bool free_iat)
{
if (!name_address_)
return false;
manager.Add(name_address_, name_.size() + 1);
for (size_t i = 0; i < count(); i++) {
item(i)->FreeByManager(manager, free_iat);
}
if (original_first_thunk_address_ && original_first_thunk_address_ != first_thunk_address_)
manager.Add(original_first_thunk_address_, count() * OperandSizeToValue(manager.owner()->cpu_address_size()));
return true;
}
void PEImport::Rebase(uint64_t delta_base)
{
BaseImport::Rebase(delta_base);
if (name_address_)
name_address_ += delta_base;
if (original_first_thunk_address_)
original_first_thunk_address_ += delta_base;
if (first_thunk_address_)
first_thunk_address_ += delta_base;
}
PEImportFunction *PEImport::Add(uint64_t address, APIType type, MapFunction *map_function)
{
PEImportFunction *import_function = new PEImportFunction(this, address, type, map_function);
AddObject(import_function);
return import_function;
}
void PEImport::WriteToFile(PEArchitecture &file) const
{
IMAGE_IMPORT_DESCRIPTOR import_descriptor;
import_descriptor.u.OriginalFirstThunk = original_first_thunk_address_ ? static_cast<uint32_t>(original_first_thunk_address_ - file.image_base()) : 0;
import_descriptor.TimeDateStamp = time_stamp_;
import_descriptor.ForwarderChain = forwarder_chain_;
import_descriptor.Name = static_cast<uint32_t>(name_address_ - file.image_base());
import_descriptor.FirstThunk = first_thunk_address_ ? static_cast<uint32_t>(first_thunk_address_ - file.image_base()) : 0;
file.Write(&import_descriptor, sizeof(import_descriptor));
}
/**
* PEImportList
*/
PEImportList::PEImportList(PEArchitecture *owner)
: BaseImportList(owner), address_(0)
{
}
PEImportList::PEImportList(PEArchitecture *owner, const PEImportList &src)
: BaseImportList(owner, src)
{
address_ = src.address_;
}
PEImportList *PEImportList::Clone(PEArchitecture *owner) const
{
PEImportList *import_list = new PEImportList(owner, *this);
return import_list;
}
PEImport *PEImportList::item(size_t index) const
{
return reinterpret_cast<PEImport *>(BaseImportList::item(index));
}
PEImportFunction *PEImportList::GetFunctionByAddress(uint64_t address) const
{
return reinterpret_cast<PEImportFunction*>(BaseImportList::GetFunctionByAddress(address));
}
void PEImportList::ReadFromFile(PEArchitecture &file, PEDirectory &dir)
{
if (!dir.address())
return;
address_ = dir.address();
if (!file.AddressSeek(address_))
throw std::runtime_error("Format error");
while (true) {
PEImport *imp = new PEImport(this);
if (!imp->ReadFromFile(file)) {
delete imp;
break;
}
AddObject(imp);
}
}
void PEImportList::WriteToFile(PEArchitecture &file, bool skip_sdk) const
{
PEDirectory *dir = file.command_list()->GetCommandByType(IMAGE_DIRECTORY_ENTRY_IMPORT);
if (!dir)
return;
if (!file.AddressSeek(dir->address()))
return;
for (size_t i = 0; i < count(); i++) {
PEImport *import = item(i);
if (skip_sdk && import->is_sdk())
continue;
import->WriteToFile(file);
}
IMAGE_IMPORT_DESCRIPTOR import_descriptor = IMAGE_IMPORT_DESCRIPTOR();
file.Write(&import_descriptor, sizeof(import_descriptor));
}
void PEImportList::FreeByManager(MemoryManager &manager, bool free_iat)
{
if (!address_)
return;
size_t c = 0;
for (size_t i = 0; i < count(); i++) {
if (item(i)->FreeByManager(manager, free_iat))
c++;
}
manager.Add(address_, c * sizeof(IMAGE_IMPORT_DESCRIPTOR));
}
void PEImportList::Rebase(uint64_t delta_base)
{
if (!address_)
return;
BaseImportList::Rebase(delta_base);
address_ += delta_base;
}
PEImport *PEImportList::AddSDK()
{
PEImport *sdk = new PEImport(this, true);
AddObject(sdk);
return sdk;
}
/**
* PEDelayImportFunction
*/
PEDelayImportFunction::PEDelayImportFunction(PEDelayImport *owner)
: IObject(), owner_(owner), is_ordinal_(false), ordinal_(0)
{
}
PEDelayImportFunction::PEDelayImportFunction(PEDelayImport *owner, const PEDelayImportFunction &src)
: IObject(), owner_(owner)
{
name_ = src.name_;
is_ordinal_ = src.is_ordinal_;
ordinal_ = src.ordinal_;
}
PEDelayImportFunction::~PEDelayImportFunction()
{
if (owner_)
owner_->RemoveObject(this);
}
PEDelayImportFunction *PEDelayImportFunction::Clone(PEDelayImport *owner) const
{
PEDelayImportFunction *func = new PEDelayImportFunction(owner, *this);
return func;
}
bool PEDelayImportFunction::ReadFromFile(PEArchitecture &file, uint64_t add_value)
{
uint64_t name_address;
if (file.cpu_address_size() == osDWord) {
IMAGE_THUNK_DATA32 thunk;
file.Read(&thunk, sizeof(thunk));
name_address = thunk.u1.AddressOfData;
if (!name_address)
return false;
is_ordinal_ = IMAGE_SNAP_BY_ORDINAL32(name_address);
} else {
IMAGE_THUNK_DATA64 thunk;
file.Read(&thunk, sizeof(thunk));
name_address = thunk.u1.AddressOfData;
if (!name_address)
return false;
is_ordinal_ = IMAGE_SNAP_BY_ORDINAL64(name_address);
}
if (is_ordinal_) {
ordinal_ = IMAGE_ORDINAL32(name_address);
name_address = 0;
name_ = string_format("Ordinal: %.4X", ordinal_);
} else {
name_address += add_value;
uint64_t pos = file.Tell();
if (!file.AddressSeek(name_address + sizeof(uint16_t)))
throw std::runtime_error("Format error");
name_ = file.ReadString();
file.Seek(pos);
}
return true;
}
/**
* PEDelayImport
*/
PEDelayImport::PEDelayImport(PEDelayImportList *owner)
: ObjectList<PEDelayImportFunction>(), owner_(owner)
{
}
PEDelayImport::PEDelayImport(PEDelayImportList *owner, const PEDelayImport &src)
: ObjectList<PEDelayImportFunction>(), owner_(owner)
{
for (size_t i = 0; i < src.count(); i++) {
AddObject(src.item(i)->Clone(this));
}
name_ = src.name_;
flags_ = src.flags_;
module_ = src.module_;
iat_ = src.iat_;
bound_iat_ = src.bound_iat_;
unload_iat_ = src.unload_iat_;
time_stamp_ = src.time_stamp_;
}
PEDelayImport::~PEDelayImport()
{
if (owner_)
owner_->RemoveObject(this);
}
PEDelayImport *PEDelayImport::Clone(PEDelayImportList *owner) const
{
PEDelayImport *imp = new PEDelayImport(owner, *this);
return imp;
}
bool PEDelayImport::ReadFromFile(PEArchitecture &file)
{
IMAGE_DELAY_IMPORT_DESCRIPTOR import_descriptor;
file.Read(&import_descriptor, sizeof(import_descriptor));
if (!import_descriptor.DllName)
return false;
flags_ = import_descriptor.Attrs;
uint64_t name_address = import_descriptor.DllName;
module_ = import_descriptor.Hmod;
iat_ = import_descriptor.IAT;
uint64_t address = import_descriptor.INT;
bound_iat_ = import_descriptor.BoundIAT;
unload_iat_ = import_descriptor.UnloadIAT;
time_stamp_ = import_descriptor.TimeStamp;
uint64_t add_value;
if (flags_ & 1) {
add_value = file.image_base();
if (name_address)
name_address += add_value;
if (module_)
module_ += add_value;
if (iat_)
iat_ += add_value;
if (address)
address += add_value;
if (bound_iat_)
bound_iat_ += add_value;
if (unload_iat_)
unload_iat_ += add_value;
} else {
if (file.cpu_address_size() != osDWord)
throw std::runtime_error("Format error");
add_value = 0;
}
uint64_t pos = file.Tell();
if (!file.AddressSeek(name_address))
throw std::runtime_error("Format error");
name_ = file.ReadString();
if (!file.AddressSeek(address))
throw std::runtime_error("Format error");
while (true) {
PEDelayImportFunction *func = new PEDelayImportFunction(this);
if (!func->ReadFromFile(file, add_value)) {
delete func;
break;
}
AddObject(func);
}
file.Seek(pos);
return true;
}
/**
* PEDelayImportList
*/
PEDelayImportList::PEDelayImportList()
: ObjectList<PEDelayImport>()
{
}
PEDelayImportList::PEDelayImportList(const PEDelayImportList &src)
: ObjectList<PEDelayImport>()
{
for (size_t i = 0; i < src.count(); i++) {
AddObject(src.item(i)->Clone(this));
}
}
PEDelayImportList *PEDelayImportList::Clone() const
{
PEDelayImportList *import_list = new PEDelayImportList(*this);
return import_list;
}
void PEDelayImportList::ReadFromFile(PEArchitecture &file, PEDirectory &dir)
{
if (!dir.address())
return;
if (!file.AddressSeek(dir.address()))
throw std::runtime_error("Format error");
for (size_t i = 0; i < dir.size(); i += sizeof(IMAGE_DELAY_IMPORT_DESCRIPTOR)) {
PEDelayImport *imp = new PEDelayImport(this);
if (!imp->ReadFromFile(file)) {
delete imp;
break;
}
AddObject(imp);
}
}
/**
* PEExport
*/
PEExport::PEExport(PEExportList *owner, uint64_t address, uint32_t ordinal)
: BaseExport(owner), address_(address), ordinal_(ordinal), address_of_name_(0)
{
}
PEExport::PEExport(PEExportList *owner, const PEExport &src)
: BaseExport(owner, src)
{
address_ = src.address_;
ordinal_ = src.ordinal_;
name_ = src.name_;
forwarded_name_ = src.forwarded_name_;
address_of_name_ = src.address_of_name_;
}
PEExport *PEExport::Clone(IExportList *owner) const
{
PEExport *exp = new PEExport(reinterpret_cast<PEExportList *>(owner), *this);
return exp;
}
int PEExport::CompareWith(const IObject &obj) const
{
const PEExport &exp = reinterpret_cast<const PEExport &>(obj);
if (ordinal() < exp.ordinal())
return -1;
if (ordinal() > exp.ordinal())
return 1;
return 0;
}
void PEExport::ReadFromFile(PEArchitecture &file, uint64_t address_of_name, bool is_forwarded)
{
address_of_name_ = address_of_name;
if (address_of_name_) {
if (!file.AddressSeek(address_of_name_))
throw std::runtime_error("Format error");
name_ = file.ReadString();
}
if (is_forwarded) {
if (!file.AddressSeek(address_))
throw std::runtime_error("Format error");
forwarded_name_ = file.ReadString();
}
}
void PEExport::FreeByManager(MemoryManager &manager)
{
if (!forwarded_name_.empty())
manager.Add(address_, forwarded_name_.size() + 1);
if (address_of_name_)
manager.Add(address_of_name_, name_.size() + 1);
}
void PEExport::Rebase(uint64_t delta_base)
{
if (address_)
address_ += delta_base;
if (address_of_name_)
address_of_name_ += delta_base;
}
std::string PEExport::display_name(bool show_ret) const
{
return DemangleName(name_).display_name(show_ret);
}
/**
* PEExportList
*/
PEExportList::PEExportList(PEArchitecture *owner)
: BaseExportList(owner), address_(0), name_address_(0), characteristics_(0), time_date_stamp_(0), major_version_(0), minor_version_(0),
number_of_functions_(0), address_of_functions_(0), number_of_names_(0), address_of_names_(0), address_of_name_ordinals_(0)
{
}
PEExportList::PEExportList(PEArchitecture *owner, const PEExportList &src)
: BaseExportList(owner, src)
{
address_ = src.address_;
name_address_ = src.name_address_;
characteristics_ = src.characteristics_;
time_date_stamp_ = src.time_date_stamp_;
major_version_ = src.major_version_;
minor_version_ = src.minor_version_;
name_ = src.name_;
number_of_functions_ = src.number_of_functions_;
address_of_functions_ = src.address_of_functions_;
number_of_names_ = src.number_of_names_;
address_of_names_ = src.address_of_names_;
address_of_name_ordinals_ = src.address_of_name_ordinals_;
}
PEExportList *PEExportList::Clone(PEArchitecture *owner) const
{
PEExportList *export_list = new PEExportList(owner, *this);
return export_list;
}
PEExport *PEExportList::item(size_t index) const
{
return reinterpret_cast<PEExport *>(IExportList::item(index));
}
PEExport *PEExportList::Add(uint64_t address, uint32_t ordinal)
{
PEExport *exp = new PEExport(this, address, ordinal);
AddObject(exp);
return exp;
}
void PEExportList::AddAntidebug()
{
size_t i;
PEExport *exp;
std::map<uint32_t, PEExport *> map;
for (i = 0; i < count(); i++) {
exp = item(i);
map[exp->ordinal()] = exp;
}
uint32_t free_ordinal = 0;
for (uint32_t ordinal = 1; ordinal <= 0xffff; ordinal++) {
if (map.find(ordinal) == map.end()) {
free_ordinal = ordinal;
break;
}
}
if (!free_ordinal)
return;
exp = Add(0, free_ordinal);
std::string name;
name.resize(3100);
for (i = 0; i < name.size(); i++) {
name[i] = 1 + rand() % 0xff;
}
exp->set_name(name);
}
PEExport *PEExportList::GetExportByOrdinal(uint32_t ordinal)
{
for (size_t i = 0; i < count(); i++) {
PEExport *exp = item(i);
if (exp->ordinal() == ordinal)
return exp;
}
return NULL;
}
void PEExportList::ReadFromFile(PEArchitecture &file, PEDirectory &dir)
{
IMAGE_EXPORT_DIRECTORY export_directory;
uint32_t i;
uint32_t rva;
PEExport *export_function;
std::vector<NameInfo> name_info_list;
if (!dir.address())
return;
address_ = dir.address();
if (!file.AddressSeek(address_))
throw std::runtime_error("Format error");
file.Read(&export_directory, sizeof(export_directory));
characteristics_ = export_directory.Characteristics;
time_date_stamp_ = export_directory.TimeDateStamp;
major_version_ = export_directory.MajorVersion;
minor_version_ = export_directory.MinorVersion;
name_address_ = export_directory.Name;
if (name_address_) {
name_address_ += file.image_base();
if (!file.AddressSeek(name_address_))
throw std::runtime_error("Format error");
name_ = file.ReadString();
}
number_of_functions_ = export_directory.NumberOfFunctions;
if (number_of_functions_) {
address_of_functions_ = export_directory.AddressOfFunctions + file.image_base();
if (!file.AddressSeek(address_of_functions_))
throw std::runtime_error("Format error");
for (i = 0; i < number_of_functions_; i++) {
rva = file.ReadDWord();
if (rva)
Add(rva + file.image_base(), export_directory.Base + i);
}
}
number_of_names_ = export_directory.NumberOfNames;
if (number_of_names_) {
address_of_names_ = export_directory.AddressOfNames + file.image_base();
if (!file.AddressSeek(address_of_names_))
throw std::runtime_error("Format error");
for (i = 0; i < number_of_names_; i++) {
NameInfo name_info;
name_info.address_of_name = file.ReadDWord();
name_info.ordinal_index = 0;
name_info_list.push_back(name_info);
}
address_of_name_ordinals_ = export_directory.AddressOfNameOrdinals + file.image_base();
if (!file.AddressSeek(address_of_name_ordinals_))
throw std::runtime_error("Format error");
for (i = 0; i < number_of_names_; i++) {
name_info_list[i].ordinal_index = export_directory.Base + file.ReadWord();
}
}
for (i = 0; i < count(); i++) {
export_function = item(i);
std::vector<NameInfo>::iterator it = std::find(name_info_list.begin(), name_info_list.end(), export_function->ordinal());
export_function->ReadFromFile(file, (it == name_info_list.end()) ? 0 : it->address_of_name + file.image_base(),
(export_function->address() >= dir.address() && export_function->address() < dir.address() + dir.size()));
}
}
void PEExportList::FreeByManager(MemoryManager &manager)
{
if (!address_)
return;
manager.Add(address_, sizeof(IMAGE_EXPORT_DIRECTORY));
if (name_address_)
manager.Add(name_address_, name_.size() + 1);
if (number_of_functions_)
manager.Add(address_of_functions_, number_of_functions_ * sizeof(uint32_t));
if (number_of_names_) {
manager.Add(address_of_names_, number_of_names_ * sizeof(uint32_t));
manager.Add(address_of_name_ordinals_, number_of_names_ * sizeof(uint16_t));
}
for (size_t i = 0; i < count(); i++) {
item(i)->FreeByManager(manager);
}
}
void PEExportList::ReadFromBuffer(Buffer &buffer, IArchitecture &file)
{
static const APIType export_function_types[] = {
atSetupImage,
atFreeImage,
atDecryptStringA,
atDecryptStringW,
atFreeString,
atSetSerialNumber,
atGetSerialNumberState,
atGetSerialNumberData,
atGetCurrentHWID,
atActivateLicense,
atDeactivateLicense,
atGetOfflineActivationString,
atGetOfflineDeactivationString,
atIsValidImageCRC,
atIsDebuggerPresent,
atIsVirtualMachinePresent,
atDecryptBuffer,
atIsProtected,
atCalcCRC,
atLoaderData,
atLoadResource,
atFindResourceA,
atFindResourceExA,
atFindResourceW,
atFindResourceExW,
atLoadStringA,
atLoadStringW,
atEnumResourceNamesA,
atEnumResourceNamesW,
atEnumResourceLanguagesA,
atEnumResourceLanguagesW,
atEnumResourceTypesA,
atEnumResourceTypesW
};
BaseExportList::ReadFromBuffer(buffer, file);
assert(count() == _countof(export_function_types));
for (size_t i = 0; i < count(); i++) {
item(i)->set_type(export_function_types[i]);
}
}
uint32_t PEExportList::WriteToData(IFunction &data, uint64_t image_base)
{
if (!count())
return 0;
IntelFunction &func = reinterpret_cast<IntelFunction &>(data);
// export functions must be sorted by ordinals
Sort();
size_t start_index = func.count();
uint32_t ordinal_base = item(0)->ordinal();
func.AddCommand(osDWord, characteristics_);
func.AddCommand(osDWord, time_date_stamp_);
func.AddCommand(osWord, major_version_);
func.AddCommand(osWord, minor_version_);
IntelCommand *name_command = func.AddCommand(osDWord, 0);
func.AddCommand(osDWord, ordinal_base);
IntelCommand *functions_count = func.AddCommand(osDWord, 0);
functions_count->AddLink(0, ltOffset);
IntelCommand *name_pointers_count = func.AddCommand(osDWord, 0);
name_pointers_count->AddLink(0, ltOffset);
IntelCommand *address_table = func.AddCommand(osDWord, 0);
address_table->AddLink(0, ltOffset);
IntelCommand *name_pointers = func.AddCommand(osDWord, 0);
name_pointers->AddLink(0, ltOffset);
IntelCommand *ordinal_table = func.AddCommand(osDWord, 0);
ordinal_table->AddLink(0, ltOffset);
// create ordinals
size_t index = func.count();
uint32_t last_ordinal = ordinal_base;
std::vector<ExportInfo> export_name_list;
PEExport *export_function;
IntelCommand *command;
size_t i, j;
for (i = 0; i < count(); i++) {
export_function = item(i);
if (!export_function->name().empty())
export_name_list.push_back(ExportInfo(export_function));
for (j = last_ordinal; j < export_function->ordinal(); j++) {
func.AddCommand(osDWord, 0);
}
command = func.AddCommand(osDWord, export_function->address() ? export_function->address() - image_base : 0);
if (!export_function->forwarded_name().empty())
command->AddLink(0, ltOffset);
last_ordinal = export_function->ordinal() + 1;
}
address_table->link()->set_to_command(func.item(index));
functions_count->set_operand_value(0, func.count() - index);
// create forwarded names
for (i = 0; i < count(); i++) {
export_function = item(i);
if (export_function->forwarded_name().empty())
continue;
command = func.AddCommand(export_function->forwarded_name());
func.item(index + export_function->ordinal() - ordinal_base)->link()->set_to_command(command);
}
if (!export_name_list.empty()) {
// names must be sorted
std::sort(export_name_list.begin(), export_name_list.end());
// create ordinal table
index = func.count();
for (i = 0; i < export_name_list.size(); i++) {
export_function = export_name_list[i].export_function;
func.AddCommand(osWord, export_function->ordinal() - ordinal_base);
}
name_pointers_count->set_operand_value(0, export_name_list.size());
ordinal_table->link()->set_to_command(func.item(index));
// create names
index = func.count();
for (i = 0; i < export_name_list.size(); i++) {
command = func.AddCommand(osDWord, 0);
command->AddLink(0, ltOffset);
}
for (i = 0; i < export_name_list.size(); i++) {
export_function = export_name_list[i].export_function;
command = func.AddCommand(export_function->name());
func.item(index + i)->link()->set_to_command(command);
}
name_pointers->link()->set_to_command(func.item(index));
}
// create DLL name
if (!name().empty()) {
command = func.AddCommand(name());
name_command->AddLink(0, ltOffset, command);
}
command = func.item(start_index);
command->include_option(roCreateNewBlock);
command->set_alignment(OperandSizeToValue(func.cpu_address_size()));
uint32_t res = 0;
for (i = start_index; i < func.count(); i++) {
command = func.item(i);
if (command->link())
command->link()->set_sub_value(image_base);
command->CompileToNative();
res += (uint32_t)command->dump_size();
}
return res;
}
/**
* PEFixup
*/
PEFixup::PEFixup(PEFixupList *owner, uint64_t address, uint8_t type)
: BaseFixup(owner), address_(address), type_(type)
{
}
PEFixup::PEFixup(PEFixupList *owner, const PEFixup &src)
: BaseFixup(owner, src)
{
address_ = src.address_;
type_ = src.type_;
}
PEFixup *PEFixup::Clone(IFixupList *owner) const
{
PEFixup *fixup = new PEFixup(reinterpret_cast<PEFixupList *>(owner), *this);
return fixup;
}
FixupType PEFixup::type() const
{
switch (type_) {
case IMAGE_REL_BASED_HIGH:
return ftHigh;
case IMAGE_REL_BASED_LOW:
return ftLow;
case IMAGE_REL_BASED_HIGHLOW:
case IMAGE_REL_BASED_DIR64:
return ftHighLow;
default:
return ftUnknown;
}
}
OperandSize PEFixup::size() const
{
return type_ == IMAGE_REL_BASED_DIR64 ? osQWord : osDWord;
}
void PEFixup::Rebase(IArchitecture &file, uint64_t delta_base)
{
if (!file.AddressSeek(address_))
return;
uint64_t pos = file.Tell();
uint64_t value;
switch (type_) {
case IMAGE_REL_BASED_LOW:
value = file.ReadWord();
value += delta_base;
file.Seek(pos);
file.WriteWord(static_cast<uint16_t>(value));
break;
case IMAGE_REL_BASED_HIGH:
value = file.ReadWord();
value += delta_base >> 16;
file.Seek(pos);
file.WriteWord(static_cast<uint16_t>(value));
break;
case IMAGE_REL_BASED_HIGHLOW:
value = file.ReadDWord();
value += delta_base;
file.Seek(pos);
file.WriteDWord(static_cast<uint32_t>(value));
break;
case IMAGE_REL_BASED_DIR64:
value = file.ReadQWord();
value += delta_base;
file.Seek(pos);
file.WriteQWord(value);
break;
}
address_ += delta_base;
}
/**
* PEFixupList
*/
PEFixupList::PEFixupList()
: BaseFixupList()
{
}
PEFixupList::PEFixupList(const PEFixupList &src)
: BaseFixupList(src)
{
}
PEFixup *PEFixupList::item(size_t index) const
{
return reinterpret_cast<PEFixup *>(BaseFixupList::item(index));
}
PEFixupList *PEFixupList::Clone() const
{
PEFixupList *fixup_list = new PEFixupList(*this);
return fixup_list;
}
PEFixup *PEFixupList::Add(uint64_t address, uint8_t type)
{
PEFixup *fixup = new PEFixup(this, address, type);
AddObject(fixup);
return fixup;
}
IFixup *PEFixupList::AddDefault(OperandSize cpu_address_size, bool is_code)
{
return Add(0, (cpu_address_size == osDWord) ? IMAGE_REL_BASED_HIGHLOW : IMAGE_REL_BASED_DIR64);
}
void PEFixupList::ReadFromFile(PEArchitecture &file, PEDirectory &dir)
{
if (!dir.address())
return;
if (!file.AddressSeek(dir.address()))
throw std::runtime_error("Invalid address of the base relocation table");
IMAGE_BASE_RELOCATION reloc;
for (uint32_t processed = 0; processed < dir.size(); processed += reloc.SizeOfBlock) {
file.Read(&reloc, sizeof(reloc));
if (reloc.SizeOfBlock == 0)
break;
if (reloc.SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION) || (reloc.SizeOfBlock & 1) != 0)
throw std::runtime_error("Invalid size of the base relocation block");
size_t c = (reloc.SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) >> 1;
for (size_t i = 0; i < c; i++) {
uint16_t type_offset = file.ReadWord();
uint8_t type = (type_offset >> 12);
if (type == IMAGE_REL_BASED_ABSOLUTE)
continue;
PEFixup *fixup = Add(reloc.VirtualAddress + file.image_base() + (type_offset & 0xfff), type);
if (fixup->type() == ftUnknown)
throw std::runtime_error("Invalid base relocation type");
}
}
}
void PEFixupList::WriteToData(Data &data, uint64_t image_base)
{
Sort();
size_t size_pos = 0;
IMAGE_BASE_RELOCATION reloc = IMAGE_BASE_RELOCATION();
uint16_t empty_offset = 0;
for (size_t i = 0; i < count(); i++) {
PEFixup *fixup = item(i);
uint32_t rva = static_cast<uint32_t>(fixup->address() - image_base);
uint32_t block_rva = rva & 0xfffff000;
if (reloc.SizeOfBlock == 0 || block_rva != reloc.VirtualAddress) {
if (reloc.SizeOfBlock) {
if (reloc.SizeOfBlock & 3) {
data.PushWord(empty_offset);
reloc.SizeOfBlock += sizeof(empty_offset);
}
data.WriteDWord(size_pos, reloc.SizeOfBlock);
}
size_pos = data.size() + 4;
reloc.VirtualAddress = block_rva;
reloc.SizeOfBlock = sizeof(reloc);
data.PushBuff(&reloc, sizeof(reloc));
empty_offset = (static_cast<uint16_t>(rva - block_rva) & 0xf00) << 4 | IMAGE_REL_BASED_ABSOLUTE;
}
uint16_t type_offset = (static_cast<uint16_t>(rva - block_rva) & 0xfff) << 4 | fixup->internal_type();
data.PushWord(type_offset);
reloc.SizeOfBlock += sizeof(type_offset);
}
if (reloc.SizeOfBlock) {
if (reloc.SizeOfBlock & 3) {
data.PushWord(empty_offset);
reloc.SizeOfBlock += sizeof(empty_offset);
}
data.WriteDWord(size_pos, reloc.SizeOfBlock);
}
}
size_t PEFixupList::WriteToFile(PEArchitecture &file)
{
Sort();
Data data;
size_t size_pos = 0;
IMAGE_BASE_RELOCATION reloc = IMAGE_BASE_RELOCATION();
uint16_t empty_offset = 0;
for (size_t i = 0; i < count(); i++) {
PEFixup *fixup = item(i);
uint32_t rva = static_cast<uint32_t>(fixup->address() - file.image_base());
uint32_t block_rva = rva & 0xfffff000;
if (reloc.SizeOfBlock == 0 || block_rva != reloc.VirtualAddress) {
if (reloc.SizeOfBlock) {
if (reloc.SizeOfBlock & 3) {
data.PushWord(empty_offset);
reloc.SizeOfBlock += sizeof(empty_offset);
}
data.WriteDWord(size_pos, reloc.SizeOfBlock);
}
size_pos = data.size() + 4;
reloc.VirtualAddress = block_rva;
reloc.SizeOfBlock = sizeof(reloc);
data.PushBuff(&reloc, sizeof(reloc));
empty_offset = IMAGE_REL_BASED_ABSOLUTE << 12 | (static_cast<uint16_t>(rva - block_rva) & 0xf00);
}
uint16_t type_offset = fixup->internal_type() << 12 | (static_cast<uint16_t>(rva - block_rva) & 0xfff);
data.PushWord(type_offset);
reloc.SizeOfBlock += sizeof(type_offset);
}
if (reloc.SizeOfBlock) {
if (reloc.SizeOfBlock & 3) {
data.PushWord(empty_offset);
reloc.SizeOfBlock += sizeof(empty_offset);
}
data.WriteDWord(size_pos, reloc.SizeOfBlock);
}
return file.Write(data.data(), data.size());
}
/**
* PERelocation
*/
PERelocation::PERelocation(PERelocationList *owner, uint64_t address, uint64_t source, OperandSize size, uint32_t addend)
: BaseRelocation(owner, address, size), source_(source), addend_(addend)
{
}
PERelocation::PERelocation(PERelocationList *owner, const PERelocation &src)
: BaseRelocation(owner, src)
{
source_ = src.source_;
addend_ = src.addend_;
}
PERelocation *PERelocation::Clone(IRelocationList *owner) const
{
PERelocation *relocation = new PERelocation(reinterpret_cast<PERelocationList *>(owner), *this);
return relocation;
}
/**
* PERelocationList
*/
PERelocationList::PERelocationList()
: BaseRelocationList(), address_(0), mem_address_(0)
{
}
PERelocationList::PERelocationList(const PERelocationList &src)
: BaseRelocationList(src)
{
address_ = src.address_;
mem_address_ = src.mem_address_;
}
PERelocationList *PERelocationList::Clone() const
{
PERelocationList *list = new PERelocationList(*this);
return list;
}
PERelocation *PERelocationList::item(size_t index) const
{
return reinterpret_cast<PERelocation *>(IRelocationList::item(index));
}
PERelocation *PERelocationList::Add(uint64_t address, uint64_t target, OperandSize size, uint32_t addend)
{
PERelocation *relocation = new PERelocation(this, address, target, size, addend);
AddObject(relocation);
return relocation;
}
void PERelocationList::ParseMinGW(PEArchitecture &file, uint64_t address, uint64_t start, uint64_t end)
{
if ((end < start) || (end - start < 8) ||
((file.segment_list()->GetMemoryTypeByAddress(address) & mtWritable) == 0) ||
((file.segment_list()->GetMemoryTypeByAddress(start) & mtReadable) == 0))
return;
struct RelocationHeader {
uint32_t magic1;
uint32_t magic2;
uint32_t version;
};
struct RelocationV1 {
uint32_t addend;
uint32_t target;
};
struct RelocationV2 {
uint32_t sym;
uint32_t target;
uint32_t flags;
};
file.AddressSeek(start);
RelocationHeader header;
header.magic1 = 0;
header.magic2 = 0;
header.version = 0;
if (end - start >= sizeof(header)) {
uint64_t pos = file.Tell();
file.Read(&header, sizeof(header));
if (header.magic1 == 0 && header.magic2 == 0) {
start += sizeof(header);
} else {
file.Seek(pos);
header.version = 0;
}
}
address_ = address;
switch (header.version) {
case 0:
while (start < end) {
RelocationV1 item;
file.Read(&item, sizeof(item));
start += sizeof(item);
Add(file.image_base() + item.target, 0, file.cpu_address_size(), item.addend);
}
break;
case 1:
while (start < end) {
RelocationV2 item;
file.Read(&item, sizeof(item));
start += sizeof(item);
OperandSize item_size;
switch (item.flags) {
case 8:
item_size = osByte;
break;
case 16:
item_size = osWord;
break;
case 32:
item_size = osDWord;
break;
case 64:
if (file.cpu_address_size() == osQWord)
item_size = osQWord;
else
throw std::runtime_error("Invalid relocation flags");
break;
default:
throw std::runtime_error("Invalid relocation flags");
}
Add(file.image_base() + item.target, file.image_base() + item.sym, item_size, 0);
}
break;
default:
return;
}
}
void PERelocationList::ReadFromFile(PEArchitecture &file)
{
for (size_t i = 0; i < file.compiler_function_list()->count(); i++) {
CompilerFunction *compiler_function = file.compiler_function_list()->item(i);
if (compiler_function->type() == cfRelocatorMinGW)
ParseMinGW(file, compiler_function->value(0), compiler_function->value(1), compiler_function->value(2));
}
for (size_t i = 0; i < count(); i++) {
PERelocation *relocation = item(i);
if (relocation->source()) {
IImportFunction *import_function = file.import_list()->GetFunctionByAddress(relocation->source());
if (import_function) {
import_function->exclude_option(ioNoReferences);
import_function->include_option(ioHasDataReference);
}
}
}
}
void PERelocationList::WriteToData(Data &data, uint64_t image_base)
{
for (size_t i = 0; i < count(); i++) {
PERelocation *relocation = item(i);
data.PushDWord(static_cast<uint32_t>(relocation->address() - image_base));
if (!relocation->source()) {
data.PushDWord(relocation->addend());
data.PushDWord(0);
} else {
data.PushDWord(static_cast<uint32_t>(relocation->source() - image_base));
data.PushDWord(relocation->size() + 1);
}
}
if (address_) {
data.PushDWord(static_cast<uint32_t>(address_ - image_base));
data.PushDWord(1);
data.PushDWord(0);
}
}
/**
* PESEHandler
*/
PESEHandler::PESEHandler(ISEHandlerList *owner, uint64_t address)
: BaseSEHandler(owner), address_(address), deleted_(false)
{
}
PESEHandler::PESEHandler(ISEHandlerList *owner, const PESEHandler &src)
: BaseSEHandler(owner)
{
address_ = src.address_;
deleted_ = src.deleted_;
}
PESEHandler *PESEHandler::Clone(ISEHandlerList *owner) const
{
PESEHandler *handler = new PESEHandler(owner, *this);
return handler;
}
void PESEHandler::Rebase(uint64_t delta_base)
{
address_ += delta_base;
}
/**
* PESEHandlerList
*/
PESEHandlerList::PESEHandlerList()
: BaseSEHandlerList()
{
}
PESEHandlerList::PESEHandlerList(const PESEHandlerList &src)
: BaseSEHandlerList(src)
{
}
PESEHandlerList *PESEHandlerList::Clone() const
{
PESEHandlerList *list = new PESEHandlerList(*this);
return list;
}
PESEHandler *PESEHandlerList::item(size_t index) const
{
return reinterpret_cast<PESEHandler*>(BaseSEHandlerList::item(index));
}
PESEHandler *PESEHandlerList::Add(uint64_t address)
{
PESEHandler *handler = new PESEHandler(this, address);
AddObject(handler);
return handler;
}
void PESEHandlerList::Rebase(uint64_t delta_base)
{
for (size_t i = 0; i < count(); i++) {
item(i)->Rebase(delta_base);
}
}
void PESEHandlerList::Pack()
{
for (size_t i = count(); i > 0; i--) {
PESEHandler *handler = item(i - 1);
if (handler->is_deleted())
delete handler;
}
}
/**
* PELoadConfigDirectory
*/
PELoadConfigDirectory::PELoadConfigDirectory()
: IObject(), seh_table_address_(0), security_cookie_(0), cfg_table_address_(0), guard_flags_(0), cfg_check_function_(0)
{
seh_handler_list_ = new PESEHandlerList();
cfg_address_list_ = new PECFGAddressTable();
}
PELoadConfigDirectory::PELoadConfigDirectory(const PELoadConfigDirectory &src)
: IObject(src)
{
seh_table_address_ = src.seh_table_address_;
security_cookie_ = src.security_cookie_;
cfg_table_address_ = src.cfg_table_address_;
guard_flags_ = src.guard_flags_;
cfg_check_function_ = src.cfg_check_function_;
seh_handler_list_ = src.seh_handler_list_->Clone();
cfg_address_list_ = src.cfg_address_list_->Clone();
}
PELoadConfigDirectory::~PELoadConfigDirectory()
{
delete seh_handler_list_;
delete cfg_address_list_;
}
PELoadConfigDirectory *PELoadConfigDirectory::Clone() const
{
PELoadConfigDirectory *list = new PELoadConfigDirectory(*this);
return list;
}
void PELoadConfigDirectory::ReadFromFile(PEArchitecture &file, PEDirectory &dir)
{
if (!dir.address())
return;
if (!file.AddressSeek(dir.address()))
throw std::runtime_error("Invalid address of the load config directory");
size_t handler_count;
size_t cfg_table_count;
uint64_t pos = file.Tell();
size_t size = file.ReadDWord();
file.Seek(pos);
if (file.cpu_address_size() == osQWord) {
IMAGE_LOAD_CONFIG_DIRECTORYEX64 load_config_directory = IMAGE_LOAD_CONFIG_DIRECTORYEX64();
file.Read(&load_config_directory, std::min(sizeof(load_config_directory), size));
security_cookie_ = load_config_directory.SecurityCookie;
if (load_config_directory.Size > dir.physical_size())
dir.set_physical_size(load_config_directory.Size);
seh_table_address_ = load_config_directory.SEHandlerTable;
handler_count = static_cast<size_t>(load_config_directory.SEHandlerCount);
cfg_check_function_ = load_config_directory.GuardCFCheckFunctionPointer;
cfg_table_address_ = load_config_directory.GuardCFFunctionTable;
cfg_table_count = static_cast<size_t>(load_config_directory.GuardCFFunctionCount);
guard_flags_ = load_config_directory.GuardFlags;
} else {
IMAGE_LOAD_CONFIG_DIRECTORYEX32 load_config_directory = IMAGE_LOAD_CONFIG_DIRECTORYEX32();
file.Read(&load_config_directory, std::min(sizeof(load_config_directory), size));
security_cookie_ = load_config_directory.SecurityCookie;
if (load_config_directory.Size > dir.physical_size())
dir.set_physical_size(load_config_directory.Size);
seh_table_address_ = load_config_directory.SEHandlerTable;
handler_count = load_config_directory.SEHandlerCount;
cfg_check_function_ = load_config_directory.GuardCFCheckFunctionPointer;
cfg_table_address_ = load_config_directory.GuardCFFunctionTable;
cfg_table_count = load_config_directory.GuardCFFunctionCount;
guard_flags_ = load_config_directory.GuardFlags;
}
if (seh_table_address_) {
if (!file.AddressSeek(seh_table_address_))
throw std::runtime_error("Invalid address of seh handler table");
for (size_t i = 0; i < handler_count; i++) {
seh_handler_list_->Add(file.ReadDWord() + file.image_base());
}
}
if (cfg_table_address_) {
if (!file.AddressSeek(cfg_table_address_))
throw std::runtime_error("Invalid address of cfg handler table");
size_t data_size = (guard_flags_ & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT;
std::vector<uint8_t> data;
data.resize(data_size);
for (size_t i = 0; i < cfg_table_count; i++) {
PECFGAddress *cfg_address = cfg_address_list_->Add(file.ReadDWord() + file.image_base());
if (data_size) {
file.Read(data.data(), data.size());
cfg_address->set_data(data);
}
}
}
}
size_t PELoadConfigDirectory::WriteToFile(PEArchitecture &file)
{
PEDirectory *dir = file.command_list()->GetCommandByType(IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG);
if (!dir || !dir->address())
return 0;
size_t res = 0;
PESegment *last_section = file.segment_list()->last();
if (seh_table_address_) {
seh_handler_list_->Pack();
seh_handler_list_->Sort();
seh_table_address_ = last_section->address() + file.Resize(AlignValue(file.size(), 0x10)) - last_section->physical_offset();
for (size_t i = 0; i < seh_handler_list_->count(); i++) {
res += file.WriteDWord(static_cast<uint32_t>(seh_handler_list_->item(i)->address() - file.image_base()));
}
}
if (cfg_table_address_) {
cfg_table_address_ = last_section->address() + file.Resize(AlignValue(file.size(), 0x10)) - last_section->physical_offset();
size_t data_size = (guard_flags_ & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT;
for (size_t i = 0; i < cfg_address_list_->count(); i++) {
PECFGAddress *cfg_address = cfg_address_list_->item(i);
res += file.WriteDWord(static_cast<uint32_t>(cfg_address->address() - file.image_base()));
if (data_size) {
std::vector<uint8_t> data = cfg_address->data();
if (data.empty())
data.resize(data_size);
res += file.Write(data.data(), data.size());
}
}
}
uint64_t pos = file.Tell();
if (file.AddressSeek(dir->address())) {
uint64_t config_pos = file.Tell();
size_t size = file.ReadDWord();
file.Seek(config_pos);
if (file.cpu_address_size() == osQWord) {
IMAGE_LOAD_CONFIG_DIRECTORYEX64 load_config_directory = IMAGE_LOAD_CONFIG_DIRECTORYEX64();
size = std::min(sizeof(load_config_directory), size);
file.Read(&load_config_directory, size);
load_config_directory.SecurityCookie = security_cookie_;
load_config_directory.SEHandlerTable = seh_table_address_;
load_config_directory.SEHandlerCount = seh_table_address_ ? seh_handler_list_->count() : 0;
load_config_directory.GuardCFCheckFunctionPointer = cfg_check_function_;
load_config_directory.GuardCFFunctionTable = cfg_table_address_;
load_config_directory.GuardCFFunctionCount = cfg_table_address_ ? cfg_address_list_->count() : 0;
file.Seek(config_pos);
file.Write(&load_config_directory, size);
}
else {
IMAGE_LOAD_CONFIG_DIRECTORYEX32 load_config_directory = IMAGE_LOAD_CONFIG_DIRECTORYEX32();
size = std::min(sizeof(load_config_directory), size);
file.Read(&load_config_directory, size);
load_config_directory.SecurityCookie = static_cast<uint32_t>(security_cookie_);
load_config_directory.SEHandlerTable = static_cast<uint32_t>(seh_table_address_);
load_config_directory.SEHandlerCount = seh_table_address_ ? static_cast<uint32_t>(seh_handler_list_->count()) : 0;
load_config_directory.GuardCFCheckFunctionPointer = static_cast<uint32_t>(cfg_check_function_);
load_config_directory.GuardCFFunctionTable = static_cast<uint32_t>(cfg_table_address_);
load_config_directory.GuardCFFunctionCount = cfg_table_address_ ? static_cast<uint32_t>(cfg_address_list_->count()) : 0;
file.Seek(config_pos);
file.Write(&load_config_directory, size);
}
}
file.Seek(pos);
return res;
}
void PELoadConfigDirectory::FreeByManager(MemoryManager &manager)
{
if (seh_table_address_ && seh_handler_list_->count())
manager.Add(seh_table_address_, OperandSizeToValue(osDWord) * seh_handler_list_->count());
if (cfg_table_address_ && cfg_address_list_->count()) {
size_t data_size = (guard_flags_ & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT;
manager.Add(cfg_table_address_, (OperandSizeToValue(osDWord) + data_size) * cfg_address_list_->count());
}
}
void PELoadConfigDirectory::Rebase(uint64_t delta_base)
{
if (seh_table_address_)
seh_table_address_ += delta_base;
if (cfg_table_address_)
cfg_table_address_ += delta_base;
seh_handler_list_->Rebase(delta_base);
cfg_address_list_->Rebase(delta_base);
}
/**
* PECFGAddress
*/
PECFGAddress::PECFGAddress(PECFGAddressTable *owner, uint64_t address)
: IObject(), owner_(owner), address_(address)
{
}
PECFGAddress::PECFGAddress(PECFGAddressTable *owner, const PECFGAddress &src)
: IObject(), owner_(owner)
{
address_ = src.address_;
data_ = src.data_;
}
PECFGAddress::~PECFGAddress()
{
if (owner_)
owner_->RemoveObject(this);
}
PECFGAddress *PECFGAddress::Clone(PECFGAddressTable *owner) const
{
PECFGAddress *res = new PECFGAddress(owner, *this);
return res;
}
void PECFGAddress::Rebase(uint64_t delta_base)
{
address_ += delta_base;
}
/**
* PECFGAddressTable
*/
PECFGAddressTable::PECFGAddressTable()
: ObjectList<PECFGAddress>()
{
}
PECFGAddressTable::PECFGAddressTable(const PECFGAddressTable &src)
: ObjectList<PECFGAddress>()
{
for (size_t i = 0; i < src.count(); i++) {
AddObject(src.item(i)->Clone(this));
}
}
PECFGAddressTable *PECFGAddressTable::Clone() const
{
return new PECFGAddressTable(*this);
}
PECFGAddress *PECFGAddressTable::Add(uint64_t address)
{
PECFGAddress *res = new PECFGAddress(this, address);
AddObject(res);
return res;
}
void PECFGAddressTable::Rebase(uint64_t delta_base)
{
for (size_t i = 0; i < count(); i++) {
item(i)->Rebase(delta_base);
}
}
/**
* PEResource
*/
PEResource::PEResource(IResource *owner, PEResourceType type, uint32_t name_offset, uint32_t data_offset)
: BaseResource(owner), type_(type), name_offset_(name_offset), data_offset_(data_offset),
address_(0), entry_offset_(0), data_entry_offset_(0)
{
memset(&data_, 0, sizeof(data_));
}
PEResource::PEResource(IResource *owner, const PEResource &src)
: BaseResource(owner, src)
{
type_ = src.type_;
name_offset_ = src.name_offset_;
data_offset_ = src.data_offset_;
data_ = src.data_;
name_ = src.name_;
address_ = src.address_;
entry_offset_ = src.entry_offset_;
data_entry_offset_ = src.data_entry_offset_;
}
PEResource *PEResource::Clone(IResource *owner) const
{
PEResource *resource = new PEResource(owner, *this);
return resource;
}
PEResource *PEResource::item(size_t index) const
{
return reinterpret_cast<PEResource *>(IResource::item(index));
}
PEResource *PEResource::GetResourceByName(const std::string &name) const
{
for (size_t i = 0; i < count(); i++) {
PEResource *resource = item(i);
if (resource->has_name() && resource->name_ == name)
return resource;
}
return NULL;
}
PEResource *PEResource::Add(PEResourceType type, uint32_t name_offset, uint32_t data_offset)
{
PEResource *resource = new PEResource(this, type, name_offset, data_offset);
AddObject(resource);
return resource;
}
void PEResource::ReadFromFile(PEArchitecture &file, uint64_t root_address)
{
if (has_name()) {
// name_offset is a string
if (!file.AddressSeek(root_address + (name_offset_ & ~IMAGE_RESOURCE_NAME_IS_STRING)))
throw std::runtime_error("Format error");
uint16_t len = file.ReadWord();
os::unicode_string wname;
wname.resize(len);
if (!wname.empty())
file.Read(&wname[0], wname.size() * sizeof(os::unicode_char));
name_ = os::ToUTF8(wname);
} else {
// name_offset is an Id
name_ = string_format("%d", name_offset_);
}
if (!file.AddressSeek(root_address + (data_offset_ & ~IMAGE_RESOURCE_DATA_IS_DIRECTORY)))
throw std::runtime_error("Format error");
if (is_directory()) {
// read resource directory
IMAGE_RESOURCE_DIRECTORY_ENTRY dir_entry;
size_t i;
file.Read(&data_.dir, sizeof(data_.dir));
for (i = 0; i < static_cast<size_t>(data_.dir.NumberOfIdEntries + data_.dir.NumberOfNamedEntries); i++) {
file.Read(&dir_entry, sizeof(dir_entry));
Add(type_, dir_entry.u.Name, dir_entry.u2.OffsetToData);
}
for (i = 0; i < count(); i++) {
item(i)->ReadFromFile(file, root_address);
}
} else {
// read resource item
file.Read(&data_.item, sizeof(data_.item));
address_ = file.image_base() + data_.item.OffsetToData;
}
}
void PEResource::WriteHeader(Data &data)
{
size_t i;
if (is_directory()) {
// write resource directory
data_offset_ = (uint32_t)(data.size() | IMAGE_RESOURCE_DATA_IS_DIRECTORY);
data.WriteDWord(entry_offset_ + sizeof(uint32_t), data_offset_);
data_.dir.NumberOfIdEntries = 0;
data_.dir.NumberOfNamedEntries = 0;
for (i = 0; i < count(); i++) {
if (item(i)->has_name()) {
data_.dir.NumberOfNamedEntries++;
} else {
data_.dir.NumberOfIdEntries++;
}
}
data.PushBuff(&data_.dir, sizeof(data_.dir));
for (i = 0; i < static_cast<size_t>(data_.dir.NumberOfIdEntries + data_.dir.NumberOfNamedEntries); i++) {
item(i)->WriteEntry(data);
}
} else {
// write resource item
data_entry_offset_ = data.size();
data.WriteDWord(entry_offset_ + sizeof(uint32_t), (uint32_t)data_entry_offset_);
data.PushBuff(&data_.item, sizeof(data_.item));
}
}
void PEResource::WriteHeader(IFunction &data)
{
size_t i, size;
IntelFunction &func = reinterpret_cast<IntelFunction &>(data);
size = 0;
for (i = 0; i < func.count(); i++) {
IntelCommand *command = func.item(i);
size += OperandSizeToValue(command->operand(0).size);
}
if (is_directory()) {
// write resource directory
func.item(entry_offset_ + 1)->set_operand_value(0, size | IMAGE_RESOURCE_DATA_IS_DIRECTORY);
data_.dir.NumberOfIdEntries = 0;
data_.dir.NumberOfNamedEntries = 0;
for (i = 0; i < count(); i++) {
if (item(i)->has_name()) {
data_.dir.NumberOfNamedEntries++;
} else {
data_.dir.NumberOfIdEntries++;
}
}
func.AddCommand(osDWord, data_.dir.NumberOfNamedEntries);
func.AddCommand(osDWord, data_.dir.NumberOfIdEntries);
for (i = 0; i < static_cast<size_t>(data_.dir.NumberOfIdEntries + data_.dir.NumberOfNamedEntries); i++) {
item(i)->WriteEntry(data);
}
} else {
// write resource item
func.item(entry_offset_ + 1)->set_operand_value(0, size);
data_entry_offset_ = func.count();
func.AddCommand(osDWord, 0);
func.AddCommand(osDWord, data_.item.Size);
func.AddCommand(osDWord, data_.item.CodePage);
func.AddCommand(osDWord, data_.item.Reserved);
}
}
void PEResource::WriteEntry(Data &data)
{
IMAGE_RESOURCE_DIRECTORY_ENTRY dir_entry;
entry_offset_ = data.size();
dir_entry.u.Name = name_offset_;
dir_entry.u2.OffsetToData = data_offset_;
data.PushBuff(&dir_entry, sizeof(dir_entry));
}
void PEResource::WriteEntry(IFunction &data)
{
IntelFunction &func = reinterpret_cast<IntelFunction &>(data);
entry_offset_ = func.count();
func.AddCommand(osDWord, name_offset_);
func.AddCommand(osDWord, 0);
}
void PEResource::WriteName(Data &data)
{
if (!has_name())
return;
name_offset_ = (uint32_t)(data.size() | IMAGE_RESOURCE_NAME_IS_STRING);
data.WriteDWord(entry_offset_, name_offset_);
os::unicode_string wname = os::FromUTF8(name_);
data.PushWord(static_cast<uint16_t>(wname.size()));
data.PushBuff(wname.c_str(), wname.size() * sizeof(os::unicode_char));
}
void PEResource::WriteName(IFunction &data, size_t root_index, uint32_t key)
{
if (!has_name())
return;
IntelFunction &func = reinterpret_cast<IntelFunction &>(data);
size_t i, size;
size = 0;
for (i = root_index; i < func.count(); i++) {
IntelCommand *command = func.item(i);
size += (command->type() == cmDB) ? command->dump_size() : OperandSizeToValue(command->operand(0).size);
}
func.item(entry_offset_)->set_operand_value(0, size | IMAGE_RESOURCE_NAME_IS_STRING);
os::unicode_string unicode_name = os::FromUTF8(name_);
const os::unicode_char *p = unicode_name.c_str();
Data str;
for (size_t i = 0; i < unicode_name.size() + 1; i++) {
str.PushWord(static_cast<uint16_t>(p[i] ^ (_rotl32(key, static_cast<int>(i)) + i)));
}
func.AddCommand(str);
}
size_t PEResource::WriteData(Data &data, PEArchitecture &file)
{
if (is_directory())
return -1;
if (!file.AddressSeek(address()))
throw std::runtime_error("Invalid data address");
// resource data must be aligned
size_t new_size = data.size();
new_size = AlignValue(new_size, OperandSizeToValue(file.cpu_address_size()));
for (size_t i = data.size(); i < new_size; i++) {
data.PushByte(0);
}
std::vector<uint8_t> buf;
buf.resize(data_.item.Size);
file.Read(buf.data(), buf.size());
data.WriteDWord(data_entry_offset_, static_cast<uint32_t>(data.size()));
data.PushBuff(buf.data(), buf.size());
return data_entry_offset_;
}
void PEResource::WriteData(IFunction &func, PEArchitecture &file, uint32_t key)
{
if (is_directory() || !data_.item.Size)
return;
if (!file.AddressSeek(address()))
throw std::runtime_error("Invalid data address");
std::vector<uint8_t> buf;
buf.resize(data_.item.Size);
file.Read(buf.data(), buf.size());
Data d;
for (size_t i = 0; i < buf.size(); i++) {
d.PushByte(buf[i] ^ static_cast<uint8_t>(_rotl32(key, static_cast<int>(i)) + i));
}
ICommand *command = func.AddCommand(d);
command->include_option(roCreateNewBlock);
CommandLink *link = func.item(data_entry_offset_)->AddLink(0, ltOffset, command);
link->set_sub_value(file.image_base());
}
bool PEResource::need_store() const
{
switch (type_) {
case rtIcon: case rtGroupIcon: case rtVersionInfo:
case rtManifest: case rtMessageTable: case rtHTML:
return true;
case rtUnknown:
const IResource *resource = this;
while (resource->owner() && resource->owner()->type() != (uint32_t)-1) {
resource = resource->owner();
}
std::string tmp = resource->name();
std::transform(tmp.begin(), tmp.end(), tmp.begin(), toupper);
return (tmp.compare("\"TYPELIB\"") == 0
|| tmp.compare("\"REGISTRY\"") == 0
|| tmp.compare("\"MUI\"") == 0);
}
return false;
}
std::string PEResource::id() const
{
std::string res;
const PEResource *resource = this;
while (resource->owner()) {
res = resource->name() + (res.empty() ? "" : "\\") + res;
resource = reinterpret_cast<PEResource*>(resource->owner());
}
return res;
}
/**
* PEResourceList
*/
PEResourceList::PEResourceList(PEArchitecture *owner)
: BaseResourceList(owner), store_size_(0)
{
memset(&dir_, 0, sizeof(dir_));
}
PEResourceList::PEResourceList(PEArchitecture *owner, const PEResourceList &src)
: BaseResourceList(owner, src)
{
dir_ = src.dir_;
store_size_ = src.store_size_;
}
PEResource *PEResourceList::item(size_t index) const
{
return reinterpret_cast<PEResource *>(IResourceList::item(index));
}
PEResourceList *PEResourceList::Clone(PEArchitecture *owner) const
{
PEResourceList *list = new PEResourceList(owner, *this);
return list;
}
PEResource *PEResourceList::Add(PEResourceType type, uint32_t name_offset, uint32_t data_offset)
{
PEResource *resource = new PEResource(this, type, name_offset, data_offset);
AddObject(resource);
return resource;
}
void PEResourceList::ReadFromFile(PEArchitecture &file, PEDirectory &directory)
{
if (!directory.address())
return;
if (!file.AddressSeek(directory.address()))
throw std::runtime_error("Format error");
size_t i;
IMAGE_RESOURCE_DIRECTORY_ENTRY dir_entry;
file.Read(&dir_, sizeof(dir_));
for (i = 0; i < static_cast<size_t>(dir_.NumberOfNamedEntries) + static_cast<size_t>(dir_.NumberOfIdEntries); i++) {
file.Read(&dir_entry, sizeof(dir_entry));
Add(dir_entry.u.s.NameIsString ? rtUnknown : static_cast<PEResourceType>(dir_entry.u.Id), dir_entry.u.Name, dir_entry.u2.OffsetToData);
}
for (i = 0; i < count(); i++) {
PEResource *resource = item(i);
resource->ReadFromFile(file, directory.address());
switch (resource->type()) {
case rtCursor:
resource->set_name("Cursor");
break;
case rtBitmap:
resource->set_name("Bitmap");
break;
case rtIcon:
resource->set_name("Icon");
break;
case rtMenu:
resource->set_name("Menu");
break;
case rtDialog:
resource->set_name("Dialog");
break;
case rtStringTable:
resource->set_name("String Table");
break;
case rtFontDir:
resource->set_name("Font Directory");
break;
case rtFont:
resource->set_name("Font");
break;
case rtAccelerators:
resource->set_name("Accelerators");
break;
case rtRCData:
resource->set_name("RCData");
break;
case rtMessageTable:
resource->set_name("Message Table");
break;
case rtGroupCursor:
resource->set_name("Cursor Group");
break;
case rtGroupIcon:
resource->set_name("Icon Group");
break;
case rtVersionInfo:
resource->set_name("Version Info");
break;
case rtDlgInclude:
resource->set_name("DlgInclude");
break;
case rtPlugPlay:
resource->set_name("Plug Play");
break;
case rtVXD:
resource->set_name("VXD");
break;
case rtAniCursor:
resource->set_name("Animated Cursor");
break;
case rtAniIcon:
resource->set_name("Animated Icon");
break;
case rtHTML:
resource->set_name("HTML");
break;
case rtManifest:
resource->set_name("Manifest");
break;
case rtDialogInit:
resource->set_name("Dialog Init");
break;
case rtToolbar:
resource->set_name("Toolbar");
break;
}
}
}
void PEResourceList::Compile(PEArchitecture &file, bool for_packing)
{
std::vector<PEResource *> list;
size_t i, j, c, pos;
PEResource *resource;
data_.clear();
link_list_.clear();
// create resource list
for (i = 0; i < count(); i++) {
list.push_back(item(i));
}
for (i = 0; i < list.size(); i++) {
resource = list[i];
for (j = 0; j < resource->count(); j++) {
list.push_back(resource->item(j));
}
}
// write root directory
dir_.NumberOfIdEntries = 0;
dir_.NumberOfNamedEntries = 0;
for (i = 0; i < count(); i++) {
if (item(i)->has_name()) {
dir_.NumberOfNamedEntries++;
} else {
dir_.NumberOfIdEntries++;
}
}
data_.PushBuff(&dir_, sizeof(dir_));
for (i = 0; i < static_cast<size_t>(dir_.NumberOfIdEntries + dir_.NumberOfNamedEntries); i++) {
item(i)->WriteEntry(data_);
}
// write items
for (i = 0; i < list.size(); i++) {
list[i]->WriteHeader(data_);
}
for (i = 0; i < list.size(); i++) {
list[i]->WriteName(data_);
}
store_size_ = 0;
c = for_packing ? 2 : 1;
for (j = 0; j < c; j++) {
for (i = 0; i < list.size(); i++) {
resource = list[i];
if (for_packing) {
if (resource->excluded_from_packing() || resource->need_store()) {
if (j != 0)
continue;
} else {
if (j == 0)
continue;
}
}
pos = resource->WriteData(data_, file);
if (pos != (size_t)-1)
link_list_.push_back(pos);
}
if (j == 0)
store_size_ = data_.size();
}
}
size_t PEResourceList::WriteToFile(PEArchitecture &file, uint64_t address)
{
size_t i, pos;
Data out = data_;
uint32_t rva = static_cast<uint32_t>(address - file.image_base());
for (i = 0; i < link_list_.size(); i++) {
pos = link_list_[i];
out.WriteDWord(pos, out.ReadDWord(pos) + rva);
}
return file.Write(out.data(), (store_size_) ? store_size_ : out.size());
}
void PEResourceList::WritePackData(Data &data)
{
data.PushBuff(data_.data() + store_size_, data_.size() - store_size_);
}
/**
* PERuntimeFunction
*/
PERuntimeFunction::PERuntimeFunction(PERuntimeFunctionList *owner, uint64_t address, uint64_t begin, uint64_t end, uint64_t unwind_address)
: BaseRuntimeFunction(owner), address_(address), begin_(begin), end_(end), unwind_address_(unwind_address)
{
}
PERuntimeFunction::PERuntimeFunction(PERuntimeFunctionList *owner, const PERuntimeFunction &src)
: BaseRuntimeFunction(owner)
{
address_ = src.address_;
begin_ = src.begin_;
end_ = src.end_;
unwind_address_ = src.unwind_address_;
}
PERuntimeFunction *PERuntimeFunction::Clone(IRuntimeFunctionList *owner) const
{
PERuntimeFunction *func = new PERuntimeFunction(reinterpret_cast<PERuntimeFunctionList *>(owner), *this);
return func;
}
void PERuntimeFunction::Rebase(uint64_t delta_base)
{
address_ += delta_base;
begin_ += delta_base;
end_ += delta_base;
unwind_address_ += delta_base;
}
void PERuntimeFunction::Parse(IArchitecture &file, IFunction &dest)
{
union UNWIND_INFO_HELPER {
UNWIND_INFO info;
uint32_t value;
};
IntelFunction &func = reinterpret_cast<IntelFunction &>(dest);
uint64_t address = address_;
if (!file.AddressSeek(address) || func.GetCommandByAddress(address))
return;
size_t i;
size_t c = func.count();
IntelCommand *command;
CommandLink *link;
uint64_t image_base = file.image_base();
command = func.Add(address);
command->set_comment(CommentInfo(ttComment, "Begin"));
command->ReadValueFromFile(file, osDWord);
address = command->next_address();
command = func.Add(address);
command->set_comment(CommentInfo(ttComment, "End"));
command->ReadValueFromFile(file, osDWord);
address = command->next_address();
command = func.Add(address);
command->set_comment(CommentInfo(ttComment, "UnwindData"));
address = command->ReadValueFromFile(file, osDWord);
if (address) {
address += image_base;
link = command->AddLink(0, ltOffset, address);
link->set_sub_value(image_base);
}
for (i = c; i < func.count(); i++) {
command = func.item(i);
command->exclude_option(roClearOriginalCode);
command->exclude_option(roNeedCompile);
}
if (address) {
command = func.GetCommandByAddress(address);
if (command) {
UNWIND_INFO_HELPER unwind_info_helper;
unwind_info_helper.value = static_cast<uint32_t>(command->dump_value(0, osDWord));
UNWIND_INFO unwind_info = unwind_info_helper.info;
func.function_info_list()->Add(begin(), end(), btImageBase, 0, unwind_info.SizeOfProlog, unwind_info.FrameRegister ? unwind_info.FrameRegister : 0xff, this, command);
} else if (file.AddressSeek(address)) {
UNWIND_INFO_HELPER unwind_info_helper;
command = func.Add(address);
unwind_info_helper.value = static_cast<uint32_t>(command->ReadValueFromFile(file, osDWord));
UNWIND_INFO unwind_info = unwind_info_helper.info;
command->set_comment(CommentInfo(ttComment, string_format("Version: %.2X; Flags: %.2X; SizeOfProlog: %.2X; CountOfCodes: %.2X; FrameRegister: %.2X; FrameOffset: %.2X",
unwind_info.Version, unwind_info.Flags, unwind_info.SizeOfProlog, unwind_info.CountOfCodes, unwind_info.FrameRegister, unwind_info.FrameOffset)));
command->set_alignment(OperandSizeToValue(osDWord));
command->include_option(roCreateNewBlock);
address = command->next_address();
func.function_info_list()->Add(begin(), end(), btImageBase, 0, unwind_info.SizeOfProlog, unwind_info.FrameRegister ? unwind_info.FrameRegister : 0xff, this, command);
for (i = 0; i < unwind_info.CountOfCodes; i++) {
command = func.Add(address);
UNWIND_CODE unwind_code;
bool is_epilog = false;
file.Read(&unwind_code, sizeof(unwind_code));
Data data;
data.InsertBuff(0, &unwind_code, sizeof(unwind_code));
switch (unwind_code.UnwindOp) {
case UWOP_PUSH_NONVOL:
command->set_comment(CommentInfo(ttComment, "UWOP_PUSH_NONVOL"));
break;
case UWOP_ALLOC_LARGE:
data.PushWord(file.ReadWord());
i++;
if (unwind_code.OpInfo == 1) {
data.PushWord(file.ReadWord());
i++;
}
command->set_comment(CommentInfo(ttComment, "UWOP_ALLOC_LARGE"));
break;
case UWOP_ALLOC_SMALL:
command->set_comment(CommentInfo(ttComment, "UWOP_ALLOC_SMALL"));
break;
case UWOP_SET_FPREG:
command->set_comment(CommentInfo(ttComment, "UWOP_SET_FPREG"));
break;
case UWOP_SAVE_NONVOL:
data.PushWord(file.ReadWord());
i++;
command->set_comment(CommentInfo(ttComment, "UWOP_SAVE_NONVOL"));
break;
case UWOP_SAVE_NONVOL_FAR:
data.PushWord(file.ReadWord());
data.PushWord(file.ReadWord());
i += 2;
command->set_comment(CommentInfo(ttComment, "UWOP_SAVE_NONVOL_FAR"));
break;
case UWOP_EPILOG:
if (unwind_info.Version == 2) {
is_epilog = true;
if (unwind_code.CodeOffset) {
uint64_t range_begin, range_end;
if ((unwind_code.OpInfo & 1)) {
range_begin = end() - unwind_code.CodeOffset;
range_end = end();
}
else {
UNWIND_CODE next_code;
file.Read(&next_code, sizeof(next_code));
data.PushWord(next_code.FrameOffset);
i++;
range_begin = end() - ((next_code.OpInfo << 8) + next_code.CodeOffset);
range_end = range_begin + unwind_code.CodeOffset;
}
func.range_list()->Add(range_begin, range_end, NULL, NULL, command);
}
command->set_comment(CommentInfo(ttComment, "UWOP_EPILOG"));
}
else {
data.PushWord(file.ReadWord());
i++;
command->set_comment(CommentInfo(ttComment, "UWOP_SAVE_XMM128"));
}
break;
case UWOP_SAVE_XMM128:
data.PushWord(file.ReadWord());
i++;
command->set_comment(CommentInfo(ttComment, "UWOP_SAVE_XMM128"));
break;
case UWOP_SAVE_XMM128_FAR:
data.PushWord(file.ReadWord());
data.PushWord(file.ReadWord());
i += 2;
command->set_comment(CommentInfo(ttComment, "UWOP_SAVE_XMM128_FAR"));
break;
case UWOP_PUSH_MACHFRAME:
command->set_comment(CommentInfo(ttComment, "UWOP_PUSH_MACHFRAME"));
break;
}
command->Init(data);
address = command->next_address();
if (!is_epilog)
func.range_list()->Add(begin(), begin() + unwind_code.CodeOffset, NULL, NULL, NULL);
}
if (unwind_info.CountOfCodes & 1) {
// align to DWORD
command = func.Add(address);
command->ReadArray(file, sizeof(UNWIND_CODE));
address = command->next_address();
}
IntelCommand *handler_data_command = NULL;
if (unwind_info.Flags & UNW_FLAG_CHAININFO) {
command = func.Add(address);
command->set_comment(CommentInfo(ttComment, "Begin"));
command->ReadValueFromFile(file, osDWord);
address = command->next_address();
command = func.Add(address);
command->set_comment(CommentInfo(ttComment, "End"));
command->ReadValueFromFile(file, osDWord);
address = command->next_address();
command = func.Add(address);
command->set_comment(CommentInfo(ttComment, "UnwindData"));
address = command->ReadValueFromFile(file, osDWord);
if (address) {
address += image_base;
link = command->AddLink(0, ltOffset, address);
link->set_sub_value(image_base);
}
}
else if (unwind_info.Flags & (UNW_FLAG_EHANDLER | UNW_FLAG_UHANDLER)) {
command = func.Add(address);
command->set_comment(CommentInfo(ttComment, "Handler"));
address = command->ReadValueFromFile(file, osDWord);
if (address) {
address += image_base;
CommentInfo res;
res.type = ttNone;
MapFunction *map_function = file.map_function_list()->GetFunctionByAddress(address);
if (map_function) {
res.value = string_format("%c %s", 3, map_function->name().c_str());
switch (map_function->type()) {
case otString:
res.type = ttString;
break;
case otExport:
res.type = ttExport;
break;
default:
res.type = ttFunction;
break;
}
command->set_comment(res);
}
link = command->AddLink(0, ltOffset, address);
link->set_sub_value(image_base);
}
address = command->next_address();
handler_data_command = func.Add(address);
handler_data_command->ReadValueFromFile(file, osDWord);
handler_data_command->set_comment(CommentInfo(ttComment, "HandlerData"));
}
for (i = c; i < func.count(); i++) {
command = func.item(i);
command->exclude_option(roClearOriginalCode);
}
if (handler_data_command) {
uint32_t handler_data = static_cast<uint32_t>(handler_data_command->operand(0).value);
if (func.ParseCxxSEH(file, handler_data + image_base)) {
link = handler_data_command->AddLink(0, ltOffset, handler_data + image_base);
link->set_sub_value(image_base);
address = handler_data_command->next_address();
}
else if (func.ParseScopeSEH(file, handler_data_command->next_address(), handler_data)) {
handler_data_command->set_comment(CommentInfo(ttComment, "Count"));
address = handler_data_command->next_address() + handler_data * 0x10;
}
else if (func.ParseCompressedCxxSEH(file, handler_data + image_base, begin())) {
link = handler_data_command->AddLink(0, ltOffset, handler_data + image_base);
link->set_sub_value(image_base);
address = handler_data_command->next_address();
} else
address = 0;
if (address) {
if (!func.GetCommandByAddress(address) && !file.runtime_function_list()->GetFunctionByUnwindAddress(address) && file.AddressSeek(address)) {
command = func.Add(address);
uint32_t value = static_cast<uint32_t>(command->ReadValueFromFile(file, osDWord));
command->set_comment(CommentInfo(ttComment, string_format("EHandler: %.2X; UHandler: %.2X; HasAlignment: %.2X; CookieOffset: %.8X", value & 1, (value & 2) >> 1, (value & 4) >> 2, value & 0xFFFFFFF8)));
command->exclude_option(roClearOriginalCode);
if (value & 4) {
command = func.Add(command->next_address());
command->set_comment(CommentInfo(ttComment, "AlignedBaseOffset"));
command->ReadValueFromFile(file, osDWord);
command->exclude_option(roClearOriginalCode);
command = func.Add(command->next_address());
command->set_comment(CommentInfo(ttComment, "Alignment"));
command->ReadValueFromFile(file, osDWord);
command->exclude_option(roClearOriginalCode);
}
}
}
}
}
}
}
/**
* PERuntimeFunctionList
*/
PERuntimeFunctionList::PERuntimeFunctionList()
: BaseRuntimeFunctionList(), address_(0)
{
}
PERuntimeFunctionList::PERuntimeFunctionList(const PERuntimeFunctionList &src)
: BaseRuntimeFunctionList(src), address_(0)
{
address_ = src.address_;
}
PERuntimeFunctionList *PERuntimeFunctionList::Clone() const
{
PERuntimeFunctionList *list = new PERuntimeFunctionList(*this);
return list;
}
PERuntimeFunction *PERuntimeFunctionList::Add(uint64_t address, uint64_t begin, uint64_t end, uint64_t unwind_address, IRuntimeFunction *source, const std::vector<uint8_t> &call_frame_instructions)
{
PERuntimeFunction *func = new PERuntimeFunction(this, address, begin, end, unwind_address);
AddObject(func);
return func;
}
void PERuntimeFunctionList::ReadFromFile(PEArchitecture &file, PEDirectory &directory)
{
if (!directory.address())
return;
if (!file.AddressSeek(directory.address()))
throw std::runtime_error("Format error");
address_ = directory.address();
uint64_t image_base = file.image_base();
RUNTIME_FUNCTION data;
std::vector<uint8_t> call_frame_instructions;
for (size_t i = 0; i < directory.size(); i += sizeof(data)) {
file.Read(&data, sizeof(data));
Add(address_ + i, data.BeginAddress + image_base, data.EndAddress + image_base, data.UnwindData + image_base, 0, call_frame_instructions);
}
}
size_t PERuntimeFunctionList::WriteToFile(PEArchitecture &file)
{
Sort();
size_t res = 0;
uint64_t image_base = file.image_base();
RUNTIME_FUNCTION data;
for (size_t i = 0; i < count(); i++) {
PERuntimeFunction *runtime_function = item(i);
data.BeginAddress = static_cast<uint32_t>(runtime_function->begin() - image_base);
data.EndAddress = static_cast<uint32_t>(runtime_function->end() - image_base);
data.UnwindData = static_cast<uint32_t>(runtime_function->unwind_address() - image_base);
res += file.Write(&data, sizeof(data));
}
return res;
}
PERuntimeFunction *PERuntimeFunctionList::GetFunctionByAddress(uint64_t address) const
{
return reinterpret_cast<PERuntimeFunction *>(BaseRuntimeFunctionList::GetFunctionByAddress(address));
}
PERuntimeFunction *PERuntimeFunctionList::item(size_t index) const
{
return reinterpret_cast<PERuntimeFunction *>(BaseRuntimeFunctionList::item(index));
}
uint64_t PERuntimeFunctionList::RebaseDWord(IArchitecture &file, uint32_t delta_rva)
{
uint64_t pos = file.Tell();
uint64_t value = file.ReadDWord();
if (value > 1) {
uint64_t address = file.AddressTell() - sizeof(uint32_t);
IntelCommand *command = reinterpret_cast<IntelCommand *>(file.function_list()->GetCommandByAddress(address, false));
if (command && command->type() == cmDD) {
command->set_operand_value(0, command->operand(0).value + delta_rva);
if (command->link())
command->link()->set_sub_value(command->link()->sub_value() - delta_rva);
}
file.Seek(pos);
file.WriteDWord(static_cast<uint32_t>(value) + delta_rva);
value += file.image_base();
}
return value;
}
void PERuntimeFunctionList::RebaseByFile(IArchitecture &file, uint64_t target_image_base, uint64_t delta_base)
{
if (!address_)
return;
uint32_t delta_rva = static_cast<uint32_t>(file.image_base() + delta_base - target_image_base);
std::set<uint64_t> address_list;
std::set<uint64_t> handler_list;
size_t i, j, k;
for (i = 0; i < count(); i++) {
PERuntimeFunction *func = item(i);
if (!file.AddressSeek(func->unwind_address()) || address_list.find(func->unwind_address()) != address_list.end())
continue;
address_list.insert(func->unwind_address());
union UNWIND_INFO_HELPER {
UNWIND_INFO info;
uint32_t value;
};
UNWIND_INFO_HELPER unwind_info_helper;
unwind_info_helper.value = file.ReadDWord();
UNWIND_INFO unwind_info = unwind_info_helper.info;
size_t count_of_codes = unwind_info.CountOfCodes;
if (count_of_codes & 1) {
// align to DWORD
count_of_codes++;
}
for (j = 0; j < count_of_codes; j++) {
file.ReadWord();
}
if (unwind_info.Flags & UNW_FLAG_CHAININFO) {
RebaseDWord(file, delta_rva);
RebaseDWord(file, delta_rva);
RebaseDWord(file, delta_rva);
} else if (unwind_info.Flags & (UNW_FLAG_EHANDLER | UNW_FLAG_UHANDLER)) {
RebaseDWord(file, delta_rva);
uint64_t handler_data_address = file.AddressTell();
uint32_t handler_data = file.ReadDWord();
bool is_cxx_handler = false;
bool is_scope_table = false;
if (file.AddressSeek(handler_data + file.image_base())) {
uint32_t magic = file.ReadDWord();
if (magic == 0x19930520 || magic == 0x19930521 || magic == 0x19930522)
is_cxx_handler = true;
}
if (!is_cxx_handler && file.AddressSeek(handler_data_address + sizeof(handler_data))) {
is_scope_table = true;
for (j = 0; j < handler_data; j++) {
for (size_t k = 0; k < 4; k++) {
uint64_t value = file.ReadDWord();
if (!value || (k == 2 && value == 1))
continue;
if ((file.segment_list()->GetMemoryTypeByAddress(value + file.image_base()) & mtExecutable) == 0) {
is_scope_table = false;
break;
}
}
if (!is_scope_table)
break;
}
}
if (is_cxx_handler) {
file.AddressSeek(handler_data_address);
RebaseDWord(file, delta_rva);
handler_data_address = handler_data + file.image_base();
if (handler_list.find(handler_data_address) != handler_list.end())
continue;
handler_list.insert(handler_data_address);
file.AddressSeek(handler_data_address);
file.ReadDWord();
uint32_t max_state = file.ReadDWord();
uint64_t unwind_map_entry = RebaseDWord(file, delta_rva);
uint32_t try_blocks = file.ReadDWord();
uint64_t try_blocks_entry = RebaseDWord(file, delta_rva);
uint32_t map_count = file.ReadDWord();
uint64_t map_entry = RebaseDWord(file, delta_rva);
if (max_state && file.AddressSeek(unwind_map_entry)) {
for (j = 0; j < max_state; j++) {
file.ReadDWord();
RebaseDWord(file, delta_rva);
}
}
if (try_blocks && file.AddressSeek(try_blocks_entry)) {
for (j = 0; j < try_blocks; j++) {
file.ReadDWord();
file.ReadDWord();
file.ReadDWord();
uint32_t catches = file.ReadDWord();
uint64_t catches_entry = RebaseDWord(file, delta_rva);
uint64_t pos = file.Tell();
if (catches && file.AddressSeek(catches_entry)) {
for (k = 0; k < catches; k++) {
file.ReadDWord();
file.ReadDWord();
file.ReadDWord();
RebaseDWord(file, delta_rva);
if (file.cpu_address_size() == osQWord)
file.ReadDWord();
}
file.Seek(pos);
}
}
}
if (map_count && file.AddressSeek(map_entry)) {
for (j = 0; j < map_count; j++) {
RebaseDWord(file, delta_rva);
file.ReadDWord();
}
}
} else if (is_scope_table) {
file.AddressSeek(handler_data_address + sizeof(handler_data));
for (j = 0; j < handler_data; j++) {
RebaseDWord(file, delta_rva);
RebaseDWord(file, delta_rva);
RebaseDWord(file, delta_rva);
RebaseDWord(file, delta_rva);
}
}
}
}
address_ += delta_base;
BaseRuntimeFunctionList::Rebase(delta_base);
}
void PERuntimeFunctionList::FreeByManager(MemoryManager &manager)
{
if (!address_)
return;
if (count())
manager.Add(address_, sizeof(RUNTIME_FUNCTION) * count());
}
/**
* PETLSDirectory
*/
PETLSDirectory::PETLSDirectory()
: ReferenceList(), address_(0), start_address_of_raw_data_(0), end_address_of_raw_data_(0), address_of_index_(0),
address_of_call_backs_(0), size_of_zero_fill_(0), characteristics_(0)
{
}
PETLSDirectory *PETLSDirectory::Clone() const
{
PETLSDirectory *dir = new PETLSDirectory(*this);
return dir;
}
PETLSDirectory::PETLSDirectory(const PETLSDirectory &src)
: ReferenceList(src)
{
address_ = src.address_;
start_address_of_raw_data_ = src.start_address_of_raw_data_;
end_address_of_raw_data_ = src.end_address_of_raw_data_;
address_of_index_ = src.address_of_index_;
address_of_call_backs_ = src.address_of_call_backs_;
size_of_zero_fill_ = src.size_of_zero_fill_;
characteristics_ = src.characteristics_;
}
void PETLSDirectory::ReadFromFile(PEArchitecture &file, PEDirectory &directory)
{
if (!directory.address())
return;
if (!file.AddressSeek(directory.address()))
throw std::runtime_error("Format error");
address_ = directory.address();
if (file.cpu_address_size() == osDWord) {
IMAGE_TLS_DIRECTORY32 tls;
file.Read(&tls, sizeof(tls));
start_address_of_raw_data_ = tls.StartAddressOfRawData;
end_address_of_raw_data_ = tls.EndAddressOfRawData;
address_of_index_ = tls.AddressOfIndex;
address_of_call_backs_ = tls.AddressOfCallBacks;
size_of_zero_fill_ = tls.SizeOfZeroFill;
characteristics_ = tls.Characteristics;
} else {
IMAGE_TLS_DIRECTORY64 tls;
file.Read(&tls, sizeof(tls));
start_address_of_raw_data_ = tls.StartAddressOfRawData;
end_address_of_raw_data_ = tls.EndAddressOfRawData;
address_of_index_ = tls.AddressOfIndex;
address_of_call_backs_ = tls.AddressOfCallBacks;
size_of_zero_fill_ = tls.SizeOfZeroFill;
characteristics_ = tls.Characteristics;
}
if (!address_of_call_backs_)
return;
if (!file.AddressSeek(address_of_call_backs_))
throw std::runtime_error("Format error");
size_t value_size = OperandSizeToValue(file.cpu_address_size());
uint64_t call_back = 0;
while (true) {
file.Read(&call_back, value_size);
if (!call_back)
break;
Add(call_back, 0);
}
}
void PETLSDirectory::FreeByManager(MemoryManager &manager)
{
if (!address_)
return;
PEArchitecture *file = reinterpret_cast<PEArchitecture *>(manager.owner());
size_t value_size = OperandSizeToValue(file->cpu_address_size());
manager.Add(address_, value_size * 4 + sizeof(uint32_t) * 2);
for (size_t i = 0; i < 4; i++) {
IFixup *fixup = file->fixup_list()->GetFixupByAddress(address_ + value_size * i);
if (fixup)
fixup->set_deleted(true);
}
if (address_of_call_backs_) {
manager.Add(address_of_call_backs_, value_size * (count() + 1));
for (size_t i = 0; i < count(); i++) {
IFixup *fixup = file->fixup_list()->GetFixupByAddress(address_of_call_backs_ + value_size * i);
if (fixup)
fixup->set_deleted(true);
}
}
}
/**
* PEDebugData
*/
PEDebugData::PEDebugData(PEDebugDirectory *owner)
: IObject(), owner_(owner), characteristics_(0), time_date_stamp_(0),
major_version_(0), minor_version_(0), type_(0), size_(0), address_(0),
offset_(0)
{
}
PEDebugData::PEDebugData(PEDebugDirectory *owner, const PEDebugData &src)
: IObject(), owner_(owner)
{
characteristics_ = src.characteristics_;
time_date_stamp_ = src.time_date_stamp_;
major_version_ = src.major_version_;
minor_version_ = src.minor_version_;
type_ = src.type_;
size_ = src.size_;
address_ = src.address_;
offset_ = src.offset_;
}
PEDebugData::~PEDebugData()
{
if (owner_)
owner_->RemoveObject(this);
}
PEDebugData *PEDebugData::Clone(PEDebugDirectory *owner) const
{
PEDebugData *data = new PEDebugData(owner, *this);
return data;
}
void PEDebugData::ReadFromFile(PEArchitecture &file)
{
IMAGE_DEBUG_DIRECTORY data;
file.Read(&data, sizeof(data));
characteristics_ = data.Characteristics;
time_date_stamp_ = data.TimeDateStamp;
major_version_ = data.MajorVersion;
minor_version_ = data.MinorVersion;
type_ = data.Type;
size_ = data.SizeOfData;
address_ = data.AddressOfRawData ? data.AddressOfRawData + file.image_base() : 0;
offset_ = data.PointerToRawData;
}
void PEDebugData::WriteToFile(PEArchitecture &file)
{
IMAGE_DEBUG_DIRECTORY data;
data.Characteristics = characteristics_;
data.TimeDateStamp = time_date_stamp_;
data.MajorVersion = major_version_;
data.MinorVersion = minor_version_;
data.Type = type_;
data.SizeOfData = size_;
data.AddressOfRawData = address_ ? static_cast<uint32_t>(address_ - file.image_base()) : 0;
data.PointerToRawData = offset_;
file.Write(&data, sizeof(data));
}
/**
* PEDebugDirectory
*/
PEDebugDirectory::PEDebugDirectory()
: ObjectList<PEDebugData>(), address_(0)
{
}
PEDebugDirectory::PEDebugDirectory(const PEDebugDirectory &src)
: ObjectList<PEDebugData>(src)
{
address_ = src.address_;
for (size_t i = 0; i < src.count(); i++) {
AddObject(src.item(i)->Clone(this));
}
}
PEDebugDirectory *PEDebugDirectory::Clone() const
{
PEDebugDirectory *res = new PEDebugDirectory(*this);
return res;
}
PEDebugData *PEDebugDirectory::Add()
{
PEDebugData *data = new PEDebugData(this);
AddObject(data);
return data;
}
void PEDebugDirectory::ReadFromFile(PEArchitecture &file, PEDirectory &directory)
{
if (!directory.address())
return;
if (!file.AddressSeek(directory.address()))
throw std::runtime_error("Format error");
address_ = directory.address();
size_t c = directory.size() / sizeof(IMAGE_DEBUG_DIRECTORY);
for (size_t i = 0; i < c; i++) {
PEDebugData *data = Add();
data->ReadFromFile(file);
}
}
void PEDebugDirectory::WriteToFile(PEArchitecture &file)
{
for (size_t i = 0; i < count(); i++) {
item(i)->WriteToFile(file);
}
}
void PEDebugDirectory::FreeByManager(MemoryManager &manager) const
{
if (!address_)
return;
manager.Add(address_, count() * sizeof(IMAGE_DEBUG_DIRECTORY));
for (size_t i = 0; i < count(); i++) {
PEDebugData *data = item(i);
if (data->address() && data->size())
manager.Add(data->address(), data->size());
}
}
/**
* PEFile
*/
PEFile::PEFile(ILog *log)
: IFile(log), runtime_(NULL)
{
}
PEFile::PEFile(const PEFile &src, const char *file_name)
: IFile(src, file_name), runtime_(NULL)
{
for (size_t i = 0; i < src.count(); i++)
AddObject(src.item(i)->Clone(this));
}
PEFile::~PEFile()
{
delete runtime_;
}
OpenStatus PEFile::ReadHeader(uint32_t open_mode)
{
PEArchitecture *arch = new PEArchitecture(this, 0, size());
AddObject(arch);
return arch->ReadFromFile(open_mode);
}
std::string PEFile::format_name() const
{
return std::string("PE");
}
bool PEFile::WriteHeader()
{
for (size_t i = 0 ; i < count(); i++) {
if (!item(i)->WriteToFile())
return false;
}
return true;
}
PEFile *PEFile::Clone(const char *file_name) const
{
PEFile *file = new PEFile(*this, file_name);
return file;
}
bool PEFile::Compile(CompileOptions &options)
{
const ResourceInfo runtime_info[] = {
{win_runtime32_dll_file, sizeof(win_runtime32_dll_file), win_runtime32_dll_code},
{win_runtime64_dll_file, sizeof(win_runtime64_dll_file), win_runtime64_dll_code},
{win_runtime32_sys_file, sizeof(win_runtime32_sys_file), win_runtime32_sys_code},
{win_runtime64_sys_file, sizeof(win_runtime64_sys_file), win_runtime64_sys_code},
{dotnet20_runtime32_dll_file, sizeof(dotnet20_runtime32_dll_file), dotnet20_runtime32_dll_code},
{dotnet20_runtime64_dll_file, sizeof(dotnet20_runtime64_dll_file), dotnet20_runtime64_dll_code},
{dotnet40_runtime32_dll_file, sizeof(dotnet40_runtime32_dll_file), dotnet40_runtime32_dll_code},
{dotnet40_runtime64_dll_file, sizeof(dotnet40_runtime64_dll_file), dotnet40_runtime64_dll_code},
{netstandard_runtime32_dll_file, sizeof(netstandard_runtime32_dll_file), netstandard_runtime32_dll_code},
{netstandard_runtime64_dll_file, sizeof(netstandard_runtime64_dll_file), netstandard_runtime64_dll_code},
{netcore_runtime32_dll_file, sizeof(netcore_runtime32_dll_file), netcore_runtime32_dll_code},
{netcore_runtime64_dll_file, sizeof(netcore_runtime64_dll_file), netcore_runtime64_dll_code},
};
size_t index;
if (count() > 1) {
FrameworkInfo info = reinterpret_cast<NETArchitecture *>(item(1))->command_list()->framework();
switch (info.type) {
case fwFramework:
index = (info.version.major >= 4) ? 6 : 4;
break;
case fwStandard:
index = 8;
break;
default:
index = 10;
break;
}
}
else
index = (arch_pe()->image_type() == itDriver) ? 2 : 0;
ResourceInfo info = runtime_info[index + (arch_pe()->cpu_address_size() == osDWord ? 0 : 1)];
if (info.size > 1) {
runtime_ = new PEFile(NULL);
if (!runtime_->OpenResource(info.file, info.size, true) || count() != runtime_->count())
throw std::runtime_error("Runtime error at OpenResource");
Buffer buffer(info.code);
IArchitecture *arch = runtime_->item(runtime_->count() - 1);
arch->ReadFromBuffer(buffer);
for (size_t i = 0; i < arch->function_list()->count(); i++) {
arch->function_list()->item(i)->set_from_runtime(true);
}
for (size_t i = 0; i < arch->import_list()->count(); i++) {
IImport *import = arch->import_list()->item(i);
for (size_t j = 0; j < import->count(); j++) {
import->item(j)->include_option(ioFromRuntime);
}
}
}
return IFile::Compile(options);
}
std::string PEFile::version() const
{
struct VERSION_INFO {
uint16_t wLength;
uint16_t wValueLength;
uint16_t wType;
uint16_t szKey[1];
};
if (count() == 1) {
IArchitecture *file = item(0);
IResource *resource = file->resource_list()->GetResourceByType(rtVersionInfo);
if (resource)
resource = resource->GetResourceByName("1");
if (resource && resource->count()) {
resource = resource->item(0);
if (resource->size() && file->AddressSeek(resource->address())) {
uint8_t *data = new uint8_t[resource->size()];
file->Read(data, resource->size());
size_t len = 0;
while (reinterpret_cast<VERSION_INFO*>(data)->szKey[len])
len++;
VS_FIXEDFILEINFO *file_info = reinterpret_cast<VS_FIXEDFILEINFO *>(data + AlignValue(offsetof(VERSION_INFO, szKey) + (len + 1) * sizeof(uint16_t), sizeof(uint32_t)));
std::string res = string_format("%d.%d.%d.%d", static_cast<uint16_t>(file_info->dwFileVersionMS >> 16), static_cast<uint16_t>(file_info->dwFileVersionMS), static_cast<uint16_t>(file_info->dwFileVersionLS >> 16), static_cast<uint16_t>(file_info->dwFileVersionLS));
delete [] data;
return res;
}
}
}
return IFile::version();
}
bool PEFile::is_executable() const
{
#ifdef __unix__
return false;
#elif __APPLE__
return false;
#else
for (size_t i = 0; i < count(); i++) {
if (item(i)->is_executable())
return true;
}
#endif
return false;
}
uint32_t PEFile::disable_options() const
{
uint32_t res = 0;
if (count() == 1) {
PEArchitecture *arch = arch_pe();
if (arch->segment_alignment() < 0x1000)
res |= cpPack;
if (arch->image_type() != itExe)
res |= cpStripFixups;
if (arch->image_type() == itDriver) {
res |= cpResourceProtection;
res |= cpVirtualFiles;
}
} else {
res |= cpStripFixups;
}
return res;
}
bool PEFile::GetCheckSum(uint32_t *check_sum)
{
Flush();
return os::FileGetCheckSum(file_name(true).c_str(), check_sum);
}
std::string PEFile::exec_command() const
{
if (count() > 1 && reinterpret_cast<NETArchitecture *>(item(1))->command_list()->framework().type == fwCore)
return "dotnet.exe";
return std::string();
}
/**
* PEArchitecture
*/
PEArchitecture::PEArchitecture(PEFile *owner, uint64_t offset, uint64_t size)
: BaseArchitecture(owner, offset, size), function_list_(NULL), virtual_machine_list_(NULL),
cpu_(0), cpu_address_size_(osDWord), time_stamp_(0), entry_point_(0),
image_base_(0), header_offset_(0), header_size_(0), segment_alignment_(0),
file_alignment_(0), resource_section_(NULL), fixup_section_(NULL),
optimized_section_count_(0), image_type_(itExe), characterictics_(0), check_sum_(0),
low_resize_header_(0), resize_header_(0), operating_system_version_(0), subsystem_version_(0),
dll_characteristics_(0)
{
directory_list_ = new PEDirectoryList(this);
segment_list_ = new PESegmentList(this);
section_list_ = new PESectionList(this);
import_list_ = new PEImportList(this);
export_list_ = new PEExportList(this);
fixup_list_ = new PEFixupList();
relocation_list_ = new PERelocationList();
resource_list_ = new PEResourceList(this);
load_config_directory_ = new PELoadConfigDirectory();
runtime_function_list_ = new PERuntimeFunctionList();
tls_directory_ = new PETLSDirectory();
debug_directory_ = new PEDebugDirectory();
delay_import_list_ = new PEDelayImportList();
}
PEArchitecture::PEArchitecture(PEFile *owner, const PEArchitecture &src)
: BaseArchitecture(owner, src), function_list_(NULL), virtual_machine_list_(NULL),
resource_section_(NULL), fixup_section_(NULL)
{
size_t i, j, k;
cpu_ = src.cpu_;
cpu_address_size_ = src.cpu_address_size_;
entry_point_ = src.entry_point_;
image_base_ = src.image_base_;
header_offset_ = src.header_offset_;
header_size_ = src.header_size_;
segment_alignment_ = src.segment_alignment_;
file_alignment_ = src.file_alignment_;
characterictics_ = src.characterictics_;
image_type_ = src.image_type_;
check_sum_ = src.check_sum_;
low_resize_header_ = src.low_resize_header_;
resize_header_ = src.resize_header_;
operating_system_version_ = src.operating_system_version_;
subsystem_version_ = src.subsystem_version_;
dll_characteristics_ = src.dll_characteristics_;
time_stamp_ = src.time_stamp_;
directory_list_ = src.directory_list_->Clone(this);
segment_list_ = src.segment_list_->Clone(this);
section_list_ = src.section_list_->Clone(this);
import_list_ = src.import_list_->Clone(this);
export_list_ = src.export_list_->Clone(this);
fixup_list_ = src.fixup_list_->Clone();
relocation_list_ = src.relocation_list_->Clone();
resource_list_ = src.resource_list_->Clone(this);
load_config_directory_ = src.load_config_directory_->Clone();
runtime_function_list_ = src.runtime_function_list_->Clone();
tls_directory_ = src.tls_directory_->Clone();
debug_directory_ = src.debug_directory_->Clone();
delay_import_list_ = src.delay_import_list_->Clone();
if (src.function_list_)
function_list_ = src.function_list_->Clone(this);
if (src.virtual_machine_list_)
virtual_machine_list_ = src.virtual_machine_list_->Clone();
if (src.resource_section_)
resource_section_ = segment_list_->item(src.segment_list_->IndexOf(src.resource_section_));
if (src.fixup_section_)
fixup_section_ = segment_list_->item(src.segment_list_->IndexOf(src.fixup_section_));
for (i = 0; i < src.section_list()->count(); i++) {
PESegment *segment = src.section_list()->item(i)->parent();
if (segment)
section_list_->item(i)->set_parent(segment_list_->item(src.segment_list_->IndexOf(segment)));
}
for (i = 0; i < src.import_list_->count(); i++) {
PEImport *import = src.import_list_->item(i);
for (j = 0; j < import->count(); j++) {
MapFunction *map_function = import->item(j)->map_function();
if (map_function)
import_list_->item(i)->item(j)->set_map_function(map_function_list()->item(src.map_function_list()->IndexOf(map_function)));
}
}
if (function_list_) {
for (i = 0; i < function_list_->count(); i++) {
IntelFunction *func = reinterpret_cast<IntelFunction *>(function_list_->item(i));
for (j = 0; j < func->count(); j++) {
IntelCommand *command = func->item(j);
if (command->seh_handler())
command->set_seh_handler(seh_handler_list()->GetHandlerByAddress(command->address()));
for (k = 0; k < 3; k++) {
IntelOperand operand = command->operand(k);
if (operand.type == otNone)
break;
if (operand.fixup)
command->set_operand_fixup(k, fixup_list_->GetFixupByAddress(operand.fixup->address()));
if (operand.relocation)
command->set_operand_relocation(k, relocation_list_->GetRelocationByAddress(operand.relocation->address()));
}
}
for (j = 0; j < func->function_info_list()->count(); j++) {
FunctionInfo *info = func->function_info_list()->item(j);
if (info->source())
info->set_source(runtime_function_list_->GetFunctionByAddress(info->source()->begin()));
}
}
}
}
PEArchitecture::~PEArchitecture()
{
delete export_list_;
delete import_list_;
delete segment_list_;
delete section_list_;
delete directory_list_;
delete fixup_list_;
delete relocation_list_;
delete resource_list_;
delete load_config_directory_;
delete runtime_function_list_;
delete function_list_;
delete virtual_machine_list_;
delete tls_directory_;
delete debug_directory_;
delete delay_import_list_;
}
PEArchitecture *PEArchitecture::Clone(IFile *file) const
{
PEArchitecture *arch = new PEArchitecture(dynamic_cast<PEFile *>(file), *this);
return arch;
}
std::string PEArchitecture::name() const
{
switch (cpu_) {
case IMAGE_FILE_MACHINE_I386:
return std::string("i386");
case IMAGE_FILE_MACHINE_R3000:
case IMAGE_FILE_MACHINE_R4000:
case IMAGE_FILE_MACHINE_R10000:
case IMAGE_FILE_MACHINE_MIPS16:
case IMAGE_FILE_MACHINE_MIPSFPU:
case IMAGE_FILE_MACHINE_MIPSFPU16:
return std::string("mips");
case IMAGE_FILE_MACHINE_WCEMIPSV2:
return std::string("mips_wce_v2");
case IMAGE_FILE_MACHINE_ALPHA:
return std::string("alpha_axp");
case IMAGE_FILE_MACHINE_SH3:
case IMAGE_FILE_MACHINE_SH3DSP:
return std::string("sh3");
case IMAGE_FILE_MACHINE_SH3E:
return std::string("sh3e");
case IMAGE_FILE_MACHINE_SH4:
return std::string("sh4");
case IMAGE_FILE_MACHINE_SH5:
return std::string("sh5");
case IMAGE_FILE_MACHINE_ARM:
return std::string("arm");
case IMAGE_FILE_MACHINE_THUMB:
return std::string("thumb");
case IMAGE_FILE_MACHINE_AM33:
return std::string("am33");
case IMAGE_FILE_MACHINE_POWERPC:
case IMAGE_FILE_MACHINE_POWERPCFP:
return std::string("ppc");
case IMAGE_FILE_MACHINE_IA64:
return std::string("ia64");
case IMAGE_FILE_MACHINE_ALPHA64:
return std::string("alpha64");
case IMAGE_FILE_MACHINE_TRICORE:
return std::string("infineon");
case IMAGE_FILE_MACHINE_CEF:
return std::string("cef");
case IMAGE_FILE_MACHINE_EBC:
return std::string("ebc");
case IMAGE_FILE_MACHINE_AMD64:
return std::string("amd64");
case IMAGE_FILE_MACHINE_M32R:
return std::string("m32r");
case IMAGE_FILE_MACHINE_CEE:
return std::string("cee");
default:
return string_format("unknown 0x%X", cpu_);
}
}
OpenStatus PEArchitecture::ReadFromFile(uint32_t mode)
{
Seek(0);
IMAGE_DOS_HEADER dos_header;
if (size() < sizeof(dos_header))
return osUnknownFormat;
Read(&dos_header, sizeof(dos_header));
if (dos_header.e_magic != IMAGE_DOS_SIGNATURE)
return osUnknownFormat;
Seek(dos_header.e_lfanew);
uint32_t signature = ReadDWord();
if (signature != IMAGE_NT_SIGNATURE)
return osUnknownFormat;
IMAGE_FILE_HEADER image_header;
Read(&image_header, sizeof(image_header));
cpu_ = image_header.Machine;
if (cpu_ != IMAGE_FILE_MACHINE_I386 && cpu_ != IMAGE_FILE_MACHINE_AMD64)
return osUnsupportedCPU;
uint16_t magic = ReadWord();
assert(sizeof(magic) == sizeof(IMAGE_OPTIONAL_HEADER32().Magic));
assert(sizeof(magic) == sizeof(IMAGE_OPTIONAL_HEADER64().Magic));
uint16_t subsystem;
uint32_t dir_count;
switch (magic) {
case IMAGE_NT_OPTIONAL_HDR32_MAGIC:
{
IMAGE_OPTIONAL_HEADER32 pe_header = IMAGE_OPTIONAL_HEADER32();
Read(&pe_header.MajorLinkerVersion, sizeof(pe_header) - sizeof(magic) - sizeof(pe_header.DataDirectory));
dir_count = pe_header.NumberOfRvaAndSizes;
entry_point_ = pe_header.AddressOfEntryPoint;
image_base_ = pe_header.ImageBase;
segment_alignment_ = pe_header.SectionAlignment;
file_alignment_ = pe_header.FileAlignment;
cpu_address_size_ = osDWord;
subsystem = pe_header.Subsystem;
check_sum_ = pe_header.CheckSum;
operating_system_version_ = (pe_header.MajorOperatingSystemVersion << 16) | pe_header.MinorOperatingSystemVersion;
subsystem_version_= (pe_header.MajorSubsystemVersion << 16) | pe_header.MinorSubsystemVersion;
dll_characteristics_ = pe_header.DllCharacteristics;
}
break;
case IMAGE_NT_OPTIONAL_HDR64_MAGIC:
{
IMAGE_OPTIONAL_HEADER64 pe_header = IMAGE_OPTIONAL_HEADER64();
Read(&pe_header.MajorLinkerVersion, sizeof(pe_header) - sizeof(magic) - sizeof(pe_header.DataDirectory));
dir_count = pe_header.NumberOfRvaAndSizes;
entry_point_ = pe_header.AddressOfEntryPoint;
image_base_ = pe_header.ImageBase;
segment_alignment_ = pe_header.SectionAlignment;
file_alignment_ = pe_header.FileAlignment;
cpu_address_size_ = osQWord;
subsystem = pe_header.Subsystem;
check_sum_ = pe_header.CheckSum;
operating_system_version_ = (pe_header.MajorOperatingSystemVersion << 16) | pe_header.MinorOperatingSystemVersion;
subsystem_version_= (pe_header.MajorSubsystemVersion << 16) | pe_header.MinorSubsystemVersion;
dll_characteristics_ = pe_header.DllCharacteristics;
}
break;
default:
return osInvalidFormat;
}
time_stamp_ = image_header.TimeDateStamp;
characterictics_ = image_header.Characteristics;
switch (subsystem) {
case IMAGE_SUBSYSTEM_NATIVE:
image_type_ = itDriver;
break;
case IMAGE_SUBSYSTEM_WINDOWS_GUI:
case IMAGE_SUBSYSTEM_WINDOWS_CUI:
image_type_ = (characterictics_ & IMAGE_FILE_DLL) ? itLibrary : itExe;
break;
default:
return osUnsupportedSubsystem;
}
if (entry_point_)
entry_point_ += image_base_;
header_offset_ = dos_header.e_lfanew;
header_size_ = image_header.SizeOfOptionalHeader;
directory_list_->ReadFromFile(*this, dir_count);
Seek(header_offset_ + offsetof(IMAGE_NT_HEADERS32, OptionalHeader) + header_size_);
segment_list_->ReadFromFile(*this, image_header.NumberOfSections);
// read long section names from the COFF string table
if (image_header.PointerToSymbolTable) {
Seek(image_header.PointerToSymbolTable + image_header.NumberOfSymbols * sizeof(IMAGE_SYMBOL));
COFFStringTable string_table;
string_table.ReadFromFile(*this);
for (size_t i = 0; i < segment_list_->count(); i++) {
PESegment *segment = segment_list_->item(i);
const std::string &segment_name = segment->name();
if (segment_name.length() && segment_name[0] == '/') {
char *endptr = NULL;
uint32_t name_offset = strtoul(segment_name.c_str() + 1, &endptr, 10);
if (endptr && *endptr == 0)
segment->set_name(string_table.GetString(name_offset));
}
}
}
resource_section_ = NULL;
fixup_section_ = NULL;
for (size_t i = 0; i < directory_list_->count(); i++) {
PEDirectory *dir = directory_list_->item(i);
switch (dir->type()) {
case IMAGE_DIRECTORY_ENTRY_EXPORT:
export_list_->ReadFromFile(*this, *dir);
break;
case IMAGE_DIRECTORY_ENTRY_IMPORT:
import_list_->ReadFromFile(*this, *dir);
break;
case IMAGE_DIRECTORY_ENTRY_RESOURCE:
resource_list_->ReadFromFile(*this, *dir);
if (dir->address()) {
resource_section_ = segment_list_->GetSectionByAddress(dir->address());
if (!resource_section_)
return osInvalidFormat;
if (resource_section_->address() != dir->address() || resource_section_ == segment_list_->header_segment())
resource_section_ = NULL;
}
break;
case IMAGE_DIRECTORY_ENTRY_BASERELOC:
fixup_list_->ReadFromFile(*this, *dir);
if (dir->address()) {
fixup_section_ = segment_list_->GetSectionByAddress(dir->address());
if (!fixup_section_)
return osInvalidFormat;
if (fixup_section_->address() != dir->address() || fixup_section_ == segment_list_->header_segment())
fixup_section_ = NULL;
}
break;
case IMAGE_DIRECTORY_ENTRY_DEBUG:
debug_directory_->ReadFromFile(*this, *dir);
break;
case IMAGE_DIRECTORY_ENTRY_TLS:
tls_directory_->ReadFromFile(*this, *dir);
break;
case IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
load_config_directory_->ReadFromFile(*this, *dir);
break;
case IMAGE_DIRECTORY_ENTRY_EXCEPTION:
runtime_function_list_->ReadFromFile(*this, *dir);
break;
case IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT:
delay_import_list_->ReadFromFile(*this, *dir);
break;
case IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
if (dir->address()) {
NETArchitecture *net = new NETArchitecture(reinterpret_cast<PEFile *>(owner()));
owner()->AddObject(net);
OpenStatus res = net->ReadFromFile(mode);
return res;
/*
if (res != osSuccess)
return res;
if ((net->header().Flags & COMIMAGE_FLAGS_ILONLY) == 0) {
switch (cpu_) {
case IMAGE_FILE_MACHINE_I386:
case IMAGE_FILE_MACHINE_AMD64:
function_list_ = new PEIntelFunctionList(this);
break;
default:
return osUnsupportedCPU;
}
if ((mode & foHeaderOnly) == 0) {
map_function_list()->ReadFromFile(*this);
IntelFileHelper helper;
helper.Parse(*this);
}
}
return osSuccess;
*/
}
break;
}
}
if (fixup_section_)
fixup_section_->set_need_parse(false);
if (resource_section_)
resource_section_->set_need_parse(false);
if ((mode & foHeaderOnly) == 0) {
if (!owner()->file_name().empty()) {
std::vector<uint64_t> segments;
for (size_t i = 0; i < segment_list()->count(); i++) {
segments.push_back(segment_list()->item(i)->address());
}
if (std::find(segments.begin(), segments.end(), 0) == segments.end())
segments.insert(segments.begin(), 0);
for (size_t i = 0; i < 3; i++) {
if (i == 0) {
MapFile map_file;
if (map_file.Parse(map_file_name().c_str(), segments)) {
ReadMapFile(map_file);
break;
}
} else if (i == 1) {
PDBFile pdb_file;
if (pdb_file.Parse(pdb_file_name().c_str(), segments)) {
std::vector<uint8_t> guid;
if (pdb_file.guid().size()) {
for (size_t j = 0; j < debug_directory_->count(); j++) {
PEDebugData *data = debug_directory_->item(j);
if (data->type() == IMAGE_DEBUG_TYPE_CODEVIEW) {
if (AddressSeek(data->address())) {
struct PdbInfo
{
uint32_t Signature;
GUID Guid;
uint32_t Age;
// char PdbFileName[1];
} pi;
Read(&pi, sizeof(pi));
if (pi.Signature == 0x53445352) // RSDS
guid.insert(guid.begin(), reinterpret_cast<const uint8_t *>(&pi.Guid), reinterpret_cast<const uint8_t *>(&pi.Guid) + sizeof(pi.Guid));
}
break;
}
}
}
if (guid == pdb_file.guid()) {
pdb_file.set_time_stamp(time_stamp_);
ReadMapFile(pdb_file);
} else
Notify(mtWarning, NULL, string_format(language[lsMAPFileHasIncorrectTimeStamp].c_str(), os::ExtractFileName(pdb_file.file_name().c_str()).c_str()));
break;
}
}
else if (image_header.PointerToSymbolTable) {
COFFFile coff_file;
if (coff_file.Parse(owner()->file_name().c_str(), segments)) {
ReadMapFile(coff_file);
break;
}
}
}
}
map_function_list()->ReadFromFile(*this);
}
switch (cpu_) {
case IMAGE_FILE_MACHINE_I386:
case IMAGE_FILE_MACHINE_AMD64:
function_list_ = new PEIntelFunctionList(this);
virtual_machine_list_ = new IntelVirtualMachineList();
if ((mode & foHeaderOnly) == 0) {
IntelFileHelper helper;
helper.Parse(*this);
relocation_list_->ReadFromFile(*this);
}
break;
default:
return osUnsupportedCPU;
}
return osSuccess;
}
std::string PEArchitecture::pdb_file_name() const
{
if (!owner())
return std::string();
return os::ChangeFileExt(owner()->file_name().c_str(), ".pdb");
}
bool PEArchitecture::ReadMapFile(IMapFile &map_file)
{
if (!BaseArchitecture::ReadMapFile(map_file))
return false;
MapSection *sections = map_file.GetSectionByType(msSections);
if (sections) {
for (size_t i = 0; i < sections->count(); i++) {
MapObject *section = sections->item(i);
uint64_t address = section->address();
PESegment *segment;
if (section->segment() != (size_t)-1) {
if (section->segment() == 0 || section->segment() > segment_list_->count())
continue;
segment = segment_list_->item(section->segment() - 1);
} else {
segment = segment_list_->GetSectionByAddress(address);
if (!segment)
continue;
}
section_list_->Add(segment, address, section->size(), section->name());
}
}
return true;
}
void PEArchitecture::WriteCheckSum()
{
if (check_sum_ && reinterpret_cast<PEFile*>(owner())->GetCheckSum(&check_sum_)) {
Seek(header_offset_ + sizeof(uint32_t) + sizeof(IMAGE_FILE_HEADER) + ((cpu_address_size() == osDWord) ? offsetof(IMAGE_OPTIONAL_HEADER32, CheckSum) : offsetof(IMAGE_OPTIONAL_HEADER64, CheckSum)));
WriteDWord(check_sum_);
}
}
bool PEArchitecture::WriteToFile()
{
IMAGE_FILE_HEADER image_header;
IMAGE_OPTIONAL_HEADER32 pe_header32;
IMAGE_OPTIONAL_HEADER64 pe_header64;
uint32_t image_size, header_size;
PESegment *last_section;
// read header
Seek(header_offset_ + sizeof(uint32_t));
Read(&image_header, sizeof(image_header));
image_header.PointerToSymbolTable = 0;
image_header.NumberOfSymbols = 0;
image_header.NumberOfSections = static_cast<uint16_t>(segment_list_->count());
if (cpu_address_size_ == osDWord) {
Read(&pe_header32, sizeof(pe_header32) - sizeof(pe_header32.DataDirectory));
} else {
Read(&pe_header64, sizeof(pe_header64) - sizeof(pe_header64.DataDirectory));
}
// write header
directory_list_->WriteToFile(*this);
segment_list_->WriteToFile(*this);
header_size = AlignValue(static_cast<uint32_t>(Tell()), file_alignment_);
last_section = segment_list_->last();
image_size = (last_section) ? AlignValue(static_cast<uint32_t>(last_section->address() - image_base() + last_section->size()), segment_alignment_) : 0;
Seek(header_offset_ + sizeof(uint32_t));
image_header.Characteristics = characterictics_;
Write(&image_header, sizeof(image_header));
if (cpu_address_size_ == osDWord) {
pe_header32.AddressOfEntryPoint = (entry_point_) ? static_cast<uint32_t>(entry_point_ - image_base_) : 0;
pe_header32.SizeOfImage = image_size;
if (header_size > pe_header32.SizeOfHeaders)
pe_header32.SizeOfHeaders = header_size;
pe_header32.MajorOperatingSystemVersion = operating_system_version_ >> 16;
pe_header32.MinorOperatingSystemVersion = static_cast<uint16_t>(operating_system_version_);
pe_header32.MajorSubsystemVersion = subsystem_version_ >> 16;
pe_header32.MinorSubsystemVersion = static_cast<uint16_t>(subsystem_version_);
pe_header32.DllCharacteristics = dll_characteristics_;
Write(&pe_header32, sizeof(pe_header32) - sizeof(pe_header32.DataDirectory));
} else {
pe_header64.AddressOfEntryPoint = (entry_point_) ? static_cast<uint32_t>(entry_point_ - image_base_) : 0;
pe_header64.SizeOfImage = image_size;
if (header_size > pe_header64.SizeOfHeaders)
pe_header64.SizeOfHeaders = header_size;
pe_header64.MajorOperatingSystemVersion = operating_system_version_ >> 16;
pe_header64.MinorOperatingSystemVersion = static_cast<uint16_t>(operating_system_version_);
pe_header64.MajorSubsystemVersion = subsystem_version_ >> 16;
pe_header64.MinorSubsystemVersion = static_cast<uint16_t>(subsystem_version_);
pe_header64.DllCharacteristics = dll_characteristics_;
Write(&pe_header64, sizeof(pe_header64) - sizeof(pe_header64.DataDirectory));
}
return true;
}
bool PEArchitecture::Prepare(CompileContext &ctx)
{
if ((ctx.options.flags & cpPack) && segment_alignment_ < 0x1000) {
ctx.options.flags &= ~cpPack;
Notify(mtWarning, NULL, language[lsFileCanNotBePacked].c_str());
}
if (image_type() == itExe && (dll_characteristics_ & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) == 0)
ctx.options.flags |= cpStripFixups;
if (image_type() != itDriver) {
if (ctx.options.flags & cpMemoryProtection)
ctx.options.flags |= cpInternalMemoryProtection;
if (ctx.options.flags & cpResourceProtection) {
std::vector<IResource*> resources = resource_list()->GetResourceList();
bool need_resource_protection = false;
for (size_t i = 0; i < resources.size(); i++) {
IResource *resource = resources[i];
if (!resource->excluded_from_packing() && !resource->need_store()) {
need_resource_protection = true;
break;
}
}
if (!need_resource_protection)
ctx.options.flags &= ~cpResourceProtection;
}
} else {
if (ctx.options.flags & cpResourceProtection)
ctx.options.flags &= ~cpResourceProtection;
#ifdef ULTIMATE
if (ctx.options.file_manager)
ctx.options.file_manager = NULL;
#endif
}
if (!BaseArchitecture::Prepare(ctx))
return false;
size_t i;
PESegment *section;
std::vector<PESegment *> optimized_section_list;
// optimize sections
if (resource_section_)
optimized_section_list.push_back(resource_section_);
if (fixup_section_)
optimized_section_list.push_back(fixup_section_);
if (ctx.options.flags & cpStripDebugInfo) {
for (i = 0; i < segment_list_->count(); i++) {
section = segment_list_->item(i);
if ((section->flags() & (IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_LNK_INFO)) == IMAGE_SCN_MEM_DISCARDABLE && section->name().substr(0, 6) == ".debug")
optimized_section_list.push_back(section);
}
}
optimized_section_count_ = segment_list_->count();
for (i = segment_list_->count(); i > 0; i--) {
section = segment_list_->item(i - 1);
std::vector<PESegment *>::iterator it = std::find(optimized_section_list.begin(), optimized_section_list.end(), section);
if (it != optimized_section_list.end()) {
optimized_section_list.erase(it);
optimized_section_count_--;
} else {
break;
}
}
// calc new header size
uint32_t new_section_count = static_cast<uint32_t>(optimized_section_count_ + 1);
if ((ctx.options.flags & cpStripFixups) == 0)
new_section_count++;
if (resource_list_->count())
new_section_count++;
if (ctx.runtime)
new_section_count += 2;
// calc header resizes
uint32_t new_header_size = header_offset_ + offsetof(IMAGE_NT_HEADERS32, OptionalHeader) + header_size_ + new_section_count * sizeof(IMAGE_SECTION_HEADER);
low_resize_header_ = 0;
if ((ctx.options.flags & cpStripDebugInfo) && header_offset_ > MIN_HEADER_OFFSET) {
low_resize_header_ = header_offset_ - MIN_HEADER_OFFSET;
new_header_size -= low_resize_header_;
}
for (i = 0; i < directory_list_->count(); i++) {
PEDirectory *dir = directory_list_->item(i);
if (!dir->visible() || dir->type() == IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT)
continue;
uint32_t rva = static_cast<uint32_t>(dir->address() - image_base_);
if (low_resize_header_ == 0 && new_header_size > rva && header_offset_ > MIN_HEADER_OFFSET) {
low_resize_header_ = header_offset_ - MIN_HEADER_OFFSET;
new_header_size -= low_resize_header_;
}
if (new_header_size > rva) {
Notify(mtError, NULL, language[lsCreateSegmentError]);
return false;
}
}
uint32_t aligned_header_size = AlignValue(new_header_size, file_alignment_);
resize_header_ = 0;
for (i = 0; i < segment_list_->count(); i++) {
section = segment_list_->item(i);
if (section->physical_size() == 0 || section->physical_offset() == 0 || aligned_header_size <= section->physical_offset())
continue;
uint32_t rva = static_cast<uint32_t>(section->address() - image_base_);
if (low_resize_header_ == 0 && aligned_header_size > rva && header_offset_ > MIN_HEADER_OFFSET) {
low_resize_header_ = header_offset_ - MIN_HEADER_OFFSET;
new_header_size -= low_resize_header_;
aligned_header_size = AlignValue(new_header_size, file_alignment_);
}
if (aligned_header_size > rva) {
Notify(mtError, NULL, language[lsCreateSegmentError]);
return false;
}
if (aligned_header_size > section->physical_offset())
resize_header_ = std::max(resize_header_, aligned_header_size - section->physical_offset());
}
for (i = 0; i < optimized_section_list.size(); i++) {
section = optimized_section_list[i];
ctx.manager->Add(section->address(), std::min(static_cast<uint32_t>(section->size()), section->physical_size()), section->memory_type());
}
if (optimized_section_count_ > 0) {
section = segment_list_->item(optimized_section_count_ - 1);
if (ctx.runtime) {
PEArchitecture *runtime = reinterpret_cast<PEArchitecture *>(ctx.runtime);
if (runtime->segment_list()->count()) {
runtime->Rebase(image_base(), AlignValue(section->address() + section->size(), segment_alignment()) - runtime->segment_list()->item(0)->address());
MemoryManager runtime_manager(runtime);
if (runtime->segment_list()->last() == runtime->fixup_section_) {
delete runtime->fixup_section_;
runtime->fixup_section_ = NULL;
}
if (runtime->load_config_directory()->seh_table_address()) {
section = runtime->segment_list()->last();
if (section->address() == runtime->load_config_directory()->seh_table_address())
delete section;
}
if (runtime->runtime_function_list()->address()) {
section = runtime->segment_list()->last();
if (section->address() == runtime->runtime_function_list()->address())
delete section;
else
runtime->runtime_function_list()->FreeByManager(runtime_manager);
}
runtime->import_list()->FreeByManager(runtime_manager, (ctx.options.flags & cpImportProtection) != 0);
runtime_manager.Pack();
for (i = 0; i < runtime_manager.count(); i++) {
MemoryRegion *region = runtime_manager.item(i);
ctx.manager->Add(region->address(), region->size(), region->type());
}
section = runtime->segment_list()->last();
} else {
runtime->Rebase(image_base(), image_base() - runtime->image_base());
}
}
// add new section
assert(section);
ctx.manager->Add(AlignValue(section->address() + section->size(), segment_alignment()), UINT32_MAX, mtReadable | mtExecutable | mtWritable | mtNotPaged | (runtime_function_list()->count() ? mtSolid : mtNone));
}
if (ctx.runtime)
import_list_->FreeByManager(*ctx.manager, (ctx.options.flags & cpImportProtection) != 0);
if (ctx.options.flags & cpPack) {
export_list_->FreeByManager(*ctx.manager);
tls_directory_->FreeByManager(*ctx.manager);
PEDirectory *dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG);
if (dir)
dir->FreeByManager(*ctx.manager);
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_ARCHITECTURE);
if (dir)
dir->FreeByManager(*ctx.manager);
}
if (ctx.options.flags & (cpPack | cpStripDebugInfo))
debug_directory_->FreeByManager(*ctx.manager);
load_config_directory_->FreeByManager(*ctx.manager);
runtime_function_list_->FreeByManager(*ctx.manager);
return true;
}
bool PEArchitecture::Compile(CompileOptions &options, IArchitecture *runtime)
{
return visible() ? BaseArchitecture::Compile(options, runtime) : true;
}
void PEArchitecture::Save(CompileContext &ctx)
{
PEDirectory *dir;
PESegment *last_section, *section, *vmp_section;
uint64_t pos, address, resource_section_info, resource_packer_info, file_crc_address, loader_crc_address, name_table,
loader_crc_size_address, loader_crc_hash_address, file_crc_size_address;
uint32_t size, file_crc_size, loader_crc_size, name_table_size;
size_t i, j, c;
MemoryRegion *region;
uint32_t resource_section_flags, fixup_section_flags;
std::string resource_section_name, fixup_section_name;
int vmp_index;
MemoryManager *manager = memory_manager();
// erase sections area
{
IMAGE_SECTION_HEADER section_header = IMAGE_SECTION_HEADER();
Seek(header_offset_ + offsetof(IMAGE_NT_HEADERS32, OptionalHeader) + header_size_);
for (i = 0; i < segment_list_->count(); i++) {
Write(&section_header, sizeof(section_header));
}
}
// resize header
if (low_resize_header_ || resize_header_) {
uint32_t new_header_offset = header_offset_ - low_resize_header_;
size_t total_header_size = offsetof(IMAGE_NT_HEADERS32, OptionalHeader) + header_size_ + segment_list_->count() * sizeof(IMAGE_SECTION_HEADER);
const PEArchitecture *src = dynamic_cast<const PEArchitecture *>(source());
if (low_resize_header_) {
Seek(offsetof(IMAGE_DOS_HEADER, e_lfanew));
WriteDWord(new_header_offset);
src->Seek(header_offset_);
Seek(new_header_offset);
CopyFrom(*src, total_header_size);
for (i = 0; i < low_resize_header_; i++) {
WriteByte(0);
}
}
if (resize_header_) {
src->Seek(header_offset_ + total_header_size);
Seek(header_offset_ + total_header_size);
for (i = 0; i < resize_header_; i++) {
WriteByte(0);
}
CopyFrom(*src, this->size() - src->Tell());
section = segment_list_->header_segment();
if (section)
section->set_physical_size(section->physical_size() + resize_header_);
for (i = 0; i < segment_list_->count(); i++) {
section = segment_list_->item(i);
if (section->physical_offset())
section->set_physical_offset(section->physical_offset() + resize_header_);
}
if ((ctx.options.flags & (cpPack | cpStripDebugInfo)) == 0) {
if (debug_directory_->address()) {
for (i = 0; i < debug_directory_->count(); i++) {
PEDebugData *data = debug_directory_->item(i);
data->set_offset(data->offset() + resize_header_);
}
AddressSeek(debug_directory_->address());
debug_directory_->WriteToFile(*this);
}
}
}
header_offset_ = new_header_offset;
}
// add antidebug export
if ((ctx.options.flags & cpCheckDebugger) && image_type() != itDriver && !import_list()->GetImportByName("dbghelp.dll"))
export_list_->AddAntidebug();
// compile modified objects
if ((ctx.options.flags & cpPack) == 0) {
if (source() && !export_list()->is_equal(*source()->export_list())) {
const PEArchitecture *src = dynamic_cast<const PEArchitecture *>(source());
if(src == NULL)
throw std::runtime_error("Runtime error at Save");
src->export_list()->FreeByManager(*manager);
PEIntelExport *pe_export = reinterpret_cast<PEIntelFunctionList *>(function_list())->AddExport(cpu_address_size());
pe_export->Init(ctx);
pe_export->Compile(ctx);
PEDirectory *dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_EXPORT);
if (dir) {
if (pe_export->entry()) {
dir->set_address(pe_export->entry()->address());
dir->set_size(pe_export->size());
} else {
dir->clear();
}
}
}
}
// calc progress maximum
c = 0;
if (ctx.runtime)
c += ctx.runtime->segment_list()->count();
for (i = 0; i < function_list_->count(); i++) {
IFunction *func = function_list_->item(i);
for (j = 0; j < func->block_list()->count(); j++) {
CommandBlock *block = func->block_list()->item(j);
c += block->end_index() - block->start_index() + 1;
}
}
StartProgress(string_format("%s...", language[lsSaving].c_str()), c);
if (resource_list_->count()) {
if (ctx.options.flags & cpResourceProtection) {
for (i = resource_list_->count(); i > 0; i--) {
PEResource *resource = resource_list_->item(i - 1);
if (!resource->need_store())
delete resource;
}
}
resource_list_->Compile(*this, (resource_section_ && resource_section_->excluded_from_packing()) ? false : (ctx.options.flags & cpPack) != 0);
}
resource_section_flags = IMAGE_SCN_MEM_READ | IMAGE_SCN_CNT_INITIALIZED_DATA;
resource_section_name = ".rsrc";
fixup_section_flags = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_CNT_INITIALIZED_DATA;
fixup_section_name = ".reloc";
// need erase optimized sections
for (i = segment_list_->count(); i > optimized_section_count_; i--) {
section = segment_list_->item(i - 1);
if (resource_section_ == section) {
resource_section_flags = section->flags();
resource_section_name = section->name();
resource_section_ = NULL;
} else if (fixup_section_ == section) {
fixup_section_flags = section->flags();
fixup_section_name = section->name();
fixup_section_ = NULL;
}
delete section;
}
// need truncate optimized sections and overlay
for (i = segment_list_->count(); i > 0; i--) {
section = segment_list_->item(i - 1);
if (section->physical_size() > 0) {
Resize(section->physical_offset() + section->physical_size());
break;
}
}
last_section = segment_list_->last();
address = AlignValue(last_section->address() + last_section->size(), segment_alignment_);
pos = Resize(AlignValue(this->size(), file_alignment_));
vmp_section = segment_list_->Add(address, UINT32_MAX, static_cast<uint32_t>(pos), UINT32_MAX, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE, "");
// merge runtime objects
PEArchitecture *runtime = reinterpret_cast<PEArchitecture*>(ctx.runtime);
if (runtime && runtime->segment_list()->count()) {
// merge sections
SignatureList patch_signatures;
if (image_type() != itDriver) {
if (cpu_address_size() == osDWord)
patch_signatures.Add("817DD800000001741B83C8FF8B4DF0", 0);
}
for (i = 0; i < runtime->segment_list()->count(); i++) {
section = runtime->segment_list()->item(i);
if (section->physical_offset() && section->physical_size()) {
runtime->Seek(section->physical_offset());
size = static_cast<uint32_t>(section->physical_size());
uint8_t *buffer = new uint8_t[size];
runtime->Read(buffer, size);
if ((section->memory_type() & mtExecutable) && patch_signatures.count()) {
patch_signatures.InitSearch();
for (c = 0; c < size; c++) {
uint8_t b = buffer[c];
for (j = 0; j < patch_signatures.count(); j++) {
Signature *sign = patch_signatures.item(j);
if (sign->SearchByte(b)) {
size_t p = c + 1 - sign->size();
buffer[p + 7] = 0xeb;
}
}
}
}
Write(buffer, size);
delete [] buffer;
}
size = static_cast<uint32_t>(AlignValue(section->size(), runtime->segment_alignment()) - section->physical_size());
for (j = 0; j < size; j++) {
WriteByte(0);
}
uint32_t memory_type = section->memory_type();
if (image_type_ != itDriver)
memory_type &= ~mtWritable;
vmp_section->include_write_type(memory_type);
StepProgress();
}
// merge fixups
for (i = 0; i < runtime->fixup_list()->count(); i++) {
PEFixup *fixup = runtime->fixup_list()->item(i);
fixup_list_->AddObject(fixup->Clone(fixup_list_));
}
// merge seh handlers
for (i = 0; i < runtime->seh_handler_list()->count(); i++) {
PESEHandler *handler = runtime->seh_handler_list()->item(i);
load_config_directory_->seh_handler_list()->Add(handler->address());
}
// merge CFG addresses
PECFGAddressTable *cfg_address_list = runtime->load_config_directory_->cfg_address_list();
for (i = 0; i < cfg_address_list->count(); i++) {
load_config_directory_->cfg_address_list()->Add(cfg_address_list->item(i)->address());
}
// merge runtime functions
for (i = 0; i < runtime->runtime_function_list()->count(); i++) {
PERuntimeFunction *runtime_function = runtime->runtime_function_list()->item(i);
runtime_function_list_->AddObject(runtime_function->Clone(runtime_function_list_));
}
}
// write functions
for (i = 0; i < function_list_->count(); i++) {
function_list_->item(i)->WriteToFile(*this);
}
// erase not used memory regions
if (manager->count() > 1) {
// need skip last big region
for (i = 0; i < manager->count() - 1; i++) {
region = manager->item(i);
if (!AddressSeek(region->address()))
continue;
for (j = 0; j < region->size(); j++) {
WriteByte((ctx.options.flags & cpDebugMode) ? 0xcc : rand());
}
}
}
vmp_index = 0;
// need update fixup and resource sections if they are not optimized
if (fixup_section_) {
fixup_section_->set_name(string_format("%s%d", ctx.options.section_name.c_str(), vmp_index++));
if (fixup_section_->write_type()) {
fixup_section_->set_flags(IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_CNT_INITIALIZED_DATA);
fixup_section_->update_type(fixup_section_->write_type());
}
fixup_section_ = NULL;
}
if (resource_section_) {
resource_section_->set_name(string_format("%s%d", ctx.options.section_name.c_str(), vmp_index++));
if (resource_section_->write_type()) {
resource_section_->set_flags(IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_CNT_INITIALIZED_DATA);
resource_section_->update_type(resource_section_->write_type());
}
resource_section_ = NULL;
}
if (!runtime) {
last_section = segment_list_->last();
if (import_list_->has_sdk())
import_list_->WriteToFile(*this, true);
if (load_config_directory_->WriteToFile(*this))
last_section->include_write_type(mtReadable | mtNotDiscardable);
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_EXCEPTION);
if (dir) {
pos = Resize(AlignValue(this->size(), 0x10));
address = last_section->address() + pos - last_section->physical_offset();
size = static_cast<uint32_t>(runtime_function_list_->WriteToFile(*this));
if (size) {
last_section->include_write_type(mtReadable | mtNotDiscardable | mtNotPaged);
dir->set_address(address);
dir->set_size(size);
} else {
dir->clear();
}
}
}
if (vmp_section->write_type() == mtNone) {
delete vmp_section;
} else {
vmp_section->set_name(string_format("%s%d", ctx.options.section_name.c_str(), vmp_index++));
size = static_cast<uint32_t>(this->size() - vmp_section->physical_offset());
vmp_section->set_size(size);
vmp_section->set_physical_size(AlignValue(size, file_alignment_));
vmp_section->update_type(vmp_section->write_type());
Resize(vmp_section->physical_offset() + vmp_section->physical_size());
}
if ((ctx.options.flags & cpPack) && ctx.options.script)
ctx.options.script->DoBeforePackFile();
// write memory CRC table
if (function_list_->crc_table()) {
IntelCRCTable *intel_crc = reinterpret_cast<IntelCRCTable *>(function_list_->crc_table());
CRCTable crc_table(function_list_->crc_cryptor(), intel_crc->table_size());
// add non writable sections
for (i = 0; i < segment_list_->count(); i++) {
section = segment_list_->item(i);
if ((section->memory_type() & (mtReadable | mtWritable)) != mtReadable || section->excluded_from_memory_protection())
continue;
size = std::min(static_cast<uint32_t>(section->size()), section->physical_size());
if (size) {
crc_table.Add(section->address(), size);
if (ctx.options.sdk_flags & cpMemoryProtection)
section->update_type(mtNotPaged);
}
}
// skip writable runtime's sections
if (runtime) {
for (i = 0; i < runtime->segment_list()->count(); i++) {
section = runtime->segment_list()->item(i);
if (section->memory_type() & mtWritable)
crc_table.Remove(section->address(), static_cast<uint32_t>(section->size()));
}
}
// skip IAT
IntelImport *intel_import = reinterpret_cast<IntelFunctionList *>(function_list_)->import();
size = OperandSizeToValue(cpu_address_size());
size_t k = (runtime && runtime->segment_list()->count() > 0) ? 2 : 1;
for (size_t n = 0; n < k; n++) {
PEImportList *import_list = (n == 0) ? import_list_ : runtime->import_list();
for (i = 0; i < import_list->count(); i++) {
PEImport *import = import_list->item(i);
if (ctx.options.flags & cpImportProtection) {
for (j = 0; j < import->count(); j++) {
PEImportFunction *import_function = import->item(j);
address = import_function->address();
IntelCommand *iat_command = intel_import->GetIATCommand(import_function);
if (iat_command)
address = iat_command->address();
crc_table.Remove(address, size);
}
} else {
if (import->count() > 0)
crc_table.Remove(import->item(0)->address(), size * import->count());
}
}
}
// skip fixups
if ((ctx.options.flags & cpStripFixups) == 0) {
for (i = 0; i < fixup_list_->count(); i++) {
PEFixup *fixup = fixup_list_->item(i);
if (!fixup->is_deleted())
crc_table.Remove(fixup->address(), OperandSizeToValue(fixup->size()));
}
}
// skip relocations
for (i = 0; i < relocation_list_->count(); i++) {
PERelocation *relocation = relocation_list_->item(i);
crc_table.Remove(relocation->address(), OperandSizeToValue(relocation->size()));
}
// skip loader_data
IntelFunction *loader_data = reinterpret_cast<IntelFunctionList *>(function_list_)->loader_data();
if (loader_data)
crc_table.Remove(loader_data->entry()->address(), loader_data->entry()->dump_size());
// skip memory CRC table
crc_table.Remove(intel_crc->table_entry()->address(), intel_crc->table_size());
crc_table.Remove(intel_crc->size_entry()->address(), sizeof(uint32_t));
crc_table.Remove(intel_crc->hash_entry()->address(), sizeof(uint32_t));
// write to file
AddressSeek(intel_crc->table_entry()->address());
uint32_t hash;
size = static_cast<uint32_t>(crc_table.WriteToFile(*this, false, &hash));
AddressSeek(intel_crc->size_entry()->address());
WriteDWord(size);
AddressSeek(intel_crc->hash_entry()->address());
WriteDWord(hash);
intel_crc->size_entry()->set_operand_value(0, size);
intel_crc->hash_entry()->set_operand_value(0, hash);
}
EndProgress();
resource_section_info = 0;
resource_packer_info = 0;
file_crc_address = 0;
file_crc_size = 0;
file_crc_size_address = 0;
loader_crc_address = 0;
loader_crc_size = 0;
loader_crc_size_address = 0;
loader_crc_hash_address = 0;
name_table = 0;
name_table_size = 0;
if (runtime) {
uint64_t iat_address = 0;
uint64_t security_cookie_address = 0;
last_section = segment_list_->last();
address = AlignValue(last_section->address() + last_section->size(), segment_alignment_);
pos = Resize(AlignValue(this->size(), file_alignment_));
size = 0;
// create segment for IAT
{
size_t iat_count = 0;
for (j = 0; j < 2; j++) {
PEArchitecture *source_file = (j == 0) ? this : runtime;
for (i = 0; i < source_file->import_list()->count(); i++) {
IImport *import = source_file->import_list()->item(i);
if (import->is_sdk())
continue;
iat_count += import->count();
if (j == 1 && runtime->segment_list()->count())
iat_count += import->count();
}
}
if (iat_count) {
iat_count++;
iat_address = address + size;
size += static_cast<uint32_t>(iat_count) * OperandSizeToValue(cpu_address_size());
}
}
// create segment for security_cookie
if ((ctx.options.flags & cpPack) && image_type() == itDriver && load_config_directory_->security_cookie() && AddressSeek(load_config_directory_->security_cookie())) {
section = segment_list_->GetSectionByAddress(load_config_directory_->security_cookie());
if (!(section && section->excluded_from_packing())) {
uint32_t value_size = OperandSizeToValue(cpu_address_size());
uint64_t security_cookie_value = 0;
Read(&security_cookie_value, value_size);
Resize(pos + size);
Write(&security_cookie_value, value_size);
security_cookie_address = address + size;
size += value_size;
}
}
// create segment for tls data
if ((ctx.options.flags & cpPack) && tls_directory_->end_address_of_raw_data() > tls_directory_->start_address_of_raw_data()) {
uint32_t data_size = static_cast<uint32_t>(tls_directory_->end_address_of_raw_data() - tls_directory_->start_address_of_raw_data());
Data data;
data.resize(data_size);
if (AddressSeek(tls_directory_->start_address_of_raw_data()))
Read(&data[0], data.size());
Resize(pos + size);
Write(data.data(), data.size());
uint64_t tls_data_address = address + size;
for (i = 0; i < data_size; i++) {
if (IFixup *fixup = fixup_list()->GetFixupByAddress(tls_directory_->start_address_of_raw_data() + i))
fixup->set_address(tls_data_address + i);
}
tls_directory_->set_start_address_of_raw_data(tls_data_address);
tls_directory_->set_end_address_of_raw_data(tls_data_address + data_size);
size += data_size;
}
if (size) {
section = segment_list_->Add(address, size, static_cast<uint32_t>(pos), AlignValue(size, file_alignment_),
IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_INITIALIZED_DATA,
string_format("%s%d", ctx.options.section_name.c_str(), vmp_index++));
section->set_excluded_from_packing(true);
Resize(section->physical_offset() + section->physical_size());
}
std::vector<IFunction *> processor_list = function_list_->processor_list();
IntelRuntimeCRCTable *runtime_crc_table = reinterpret_cast<IntelFunctionList *>(function_list_)->runtime_crc_table();
PEIntelLoader *loader = new PEIntelLoader(NULL, cpu_address_size());
if (security_cookie_address)
loader->set_security_cookie(security_cookie_address);
if (iat_address)
loader->set_iat_address(iat_address);
last_section = segment_list_->last();
address = AlignValue(last_section->address() + last_section->size(), segment_alignment_);
manager->clear();
manager->Add(address, UINT32_MAX, mtReadable | mtExecutable | mtWritable | mtNotPaged | (runtime_function_list()->count() ? mtSolid : mtNone));
if (!loader->Prepare(ctx)) {
delete loader;
throw std::runtime_error("Runtime error at Save");
}
size_t write_count = loader->count() + 10000;
size_t processor_count = 0;
for (i = 0; i < processor_list.size(); i++) {
processor_count += processor_list[i]->count();
}
ctx.file->StartProgress(string_format("%s...", language[lsSavingStartupCode].c_str()), loader->count() + write_count + processor_count);
loader->Compile(ctx);
pos = Resize(AlignValue(this->size(), file_alignment_));
section = segment_list_->Add(address, UINT32_MAX, static_cast<uint32_t>(pos), UINT32_MAX,
IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE,
string_format("%s%d", ctx.options.section_name.c_str(), vmp_index++));
c = loader->WriteToFile(*this);
section->update_type(section->write_type() | ((ctx.options.sdk_flags & cpMemoryProtection) ? mtNotPaged : mtNone));
for (i = 0; i < processor_list.size(); i++) {
processor_list[i]->WriteToFile(*this);
}
if (runtime_crc_table)
c += runtime_crc_table->WriteToFile(*this);
// correct progress position
write_count -= c;
if (write_count)
StepProgress(write_count);
// copy directories
{
IArchitecture *source = const_cast<IArchitecture *>(this->source());
last_section = segment_list_->last();
const uint32_t copy_dir_types[] = {IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_ARCHITECTURE};
for (j = 0; j < _countof(copy_dir_types); j++) {
if (copy_dir_types[j] != IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG && (ctx.options.flags & cpPack) == 0)
continue;
dir = directory_list_->GetCommandByType(copy_dir_types[j]);
if (dir && dir->address() && dir->physical_size() && source->AddressSeek(dir->address())) {
size = dir->physical_size();
pos = Resize(AlignValue(this->size(), 0x10));
CopyFrom(*source, size);
address = last_section->address() + pos - last_section->physical_offset();
for (i = 0; i < size; i++) {
PEFixup *fixup = reinterpret_cast<PEFixup *>(source->fixup_list()->GetFixupByAddress(dir->address() + i));
if (fixup) {
fixup = fixup->Clone(fixup_list_);
fixup->set_address(address + i);
fixup_list_->AddObject(fixup);
}
}
dir->set_address(address);
}
}
if ((ctx.options.flags & (cpPack | cpStripDebugInfo)) == cpPack) {
if (debug_directory_->address()) {
for (i = 0; i < debug_directory_->count(); i++) {
PEDebugData *data = debug_directory_->item(i);
if (source->Seek(data->offset())) {
size = data->size();
pos = Resize(AlignValue(this->size(), 0x10));
CopyFrom(*source, size);
address = last_section->address() + pos - last_section->physical_offset();
data->set_offset(static_cast<uint32_t>(pos));
data->set_address(address);
}
}
pos = Resize(AlignValue(this->size(), 0x10));
address = last_section->address() + pos - last_section->physical_offset();
debug_directory_->WriteToFile(*this);
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_DEBUG);
if (dir)
dir->set_address(address);
}
}
}
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG);
if (dir) {
if (security_cookie_address)
load_config_directory_->set_security_cookie(security_cookie_address);
std::vector<uint64_t> cfg_address_list = loader->cfg_address_list();
for (i = 0; i < cfg_address_list.size(); i++) {
load_config_directory_->cfg_address_list()->Add(cfg_address_list[i]);
}
if (loader->cfg_check_function_entry())
load_config_directory_->set_cfg_check_function(loader->cfg_check_function_entry()->address());
load_config_directory_->WriteToFile(*this);
}
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_EXCEPTION);
if (dir) {
pos = Resize(AlignValue(this->size(), 0x10));
address = section->address() + pos - section->physical_offset();
size = static_cast<uint32_t>(runtime_function_list_->WriteToFile(*this));
if (size) {
section->update_type(mtReadable | mtNotDiscardable | mtNotPaged);
dir->set_address(address);
dir->set_size(size);
} else {
dir->clear();
}
}
size = static_cast<uint32_t>(this->size() - section->physical_offset());
section->set_size(size);
section->set_physical_size(AlignValue(size, file_alignment_));
Resize(section->physical_offset() + section->physical_size());
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_IMPORT);
if (dir) {
dir->set_address(loader->import_entry()->address());
dir->set_size(loader->import_size());
}
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_IAT);
if (dir) {
dir->set_address(loader->iat_entry()->address());
dir->set_size(loader->iat_size());
}
if (loader->export_entry()) {
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_EXPORT);
if (dir) {
if (loader->export_size()) {
dir->set_address(loader->export_entry()->address());
dir->set_size(loader->export_size());
} else {
dir->clear();
}
}
}
if (loader->tls_entry()) {
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_TLS);
if (dir) {
if (loader->tls_size()) {
dir->set_address(loader->tls_entry()->address());
dir->set_size(loader->tls_size());
} else {
dir->clear();
}
}
}
if (loader->delay_import_entry()) {
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT);
if (dir) {
if (loader->delay_import_size()) {
dir->set_address(loader->delay_import_entry()->address());
dir->set_size(loader->delay_import_size());
} else {
dir->clear();
}
}
}
entry_point_ = loader->entry()->address();
if (loader->resource_section_info()) {
resource_section_info = loader->resource_section_info()->address();
resource_packer_info = loader->resource_packer_info()->address();
}
if (loader->file_crc_entry()) {
file_crc_address = loader->file_crc_entry()->address();
file_crc_size = loader->file_crc_size();
file_crc_size_address = loader->file_crc_size_entry()->address();
}
if (loader->loader_crc_entry()) {
loader_crc_address = loader->loader_crc_entry()->address();
loader_crc_size = loader->loader_crc_size();
loader_crc_size_address = loader->loader_crc_size_entry()->address();
loader_crc_hash_address = loader->loader_crc_hash_entry()->address();
}
if (loader->name_entry()) {
name_table = loader->name_entry()->address();
name_table_size = loader->name_size();
}
delete loader;
// update versions
if (operating_system_version_ < runtime->operating_system_version_)
operating_system_version_ = runtime->operating_system_version_;
if (subsystem_version_ < runtime->subsystem_version_)
subsystem_version_ = runtime->subsystem_version_;
ctx.file->EndProgress();
}
// save fixups
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_BASERELOC);
if (dir) {
if (fixup_list_->Pack() == 0 || (ctx.options.flags & cpStripFixups) != 0) {
dir->clear();
fixup_section_ = NULL;
} else {
last_section = segment_list_->last();
address = AlignValue(last_section->address() + last_section->size(), segment_alignment_);
pos = Resize(AlignValue(this->size(), file_alignment_));
size = static_cast<uint32_t>(fixup_list_->WriteToFile(*this));
section = segment_list_->Add(address, size, static_cast<uint32_t>(pos), AlignValue(size, file_alignment_),
fixup_section_flags, fixup_section_name);
fixup_section_ = section;
Resize(section->physical_offset() + section->physical_size());
dir->set_address(address);
dir->set_size(size);
}
}
// save resources
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_RESOURCE);
if (dir) {
if (resource_list_->count() == 0) {
dir->clear();
resource_section_ = NULL;
} else {
last_section = segment_list_->last();
address = AlignValue(last_section->address() + last_section->size(), segment_alignment_);
pos = Resize(AlignValue(this->size(), file_alignment_));
address = AlignValue(last_section->address() + last_section->size(), segment_alignment_);
size = static_cast<uint32_t>(resource_list_->WriteToFile(*this, address));
section = segment_list_->Add(address, (uint32_t)resource_list_->size(), static_cast<uint32_t>(pos), AlignValue(size, file_alignment_),
resource_section_flags, resource_section_name);
resource_section_ = section;
Resize(section->physical_offset() + section->physical_size());
dir->set_address(address);
dir->set_size((uint32_t)resource_list_->size());
if (resource_section_info) {
pos = Tell();
AddressSeek(resource_section_info);
WriteDWord(static_cast<uint32_t>(address - image_base_));
WriteDWord(static_cast<uint32_t>(resource_list_->size()));
WriteDWord(section->flags());
AddressSeek(resource_packer_info);
WriteDWord(static_cast<uint32_t>(address - image_base_ + resource_list_->store_size()));
Seek(pos);
}
}
}
// clear directories
{
const uint32_t clear_dir_types[] = {IMAGE_DIRECTORY_ENTRY_SECURITY, IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT};
for (i = 0; i < _countof(clear_dir_types); i++) {
dir = directory_list_->GetCommandByType(clear_dir_types[i]);
if (dir)
dir->clear();
}
if (ctx.options.flags & cpStripDebugInfo) {
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_DEBUG);
if (dir)
dir->clear();
}
}
// check discardable sections
for (i = segment_list_->count(); i > 1; i--) {
section = segment_list_->item(i - 1);
if ((section->flags() & IMAGE_SCN_MEM_DISCARDABLE) == 0) {
for (j = i - 1; j > 0; j--) {
section = segment_list_->item(j - 1);
section->set_flags(section->flags() & ~IMAGE_SCN_MEM_DISCARDABLE);
}
break;
}
}
if (ctx.options.script)
ctx.options.script->DoAfterSaveFile();
// write header
if (ctx.options.flags & cpStripFixups) {
characterictics_ |= IMAGE_FILE_RELOCS_STRIPPED;
dll_characteristics_ &= ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE;
}
if ((ctx.options.flags | ctx.options.sdk_flags) & (cpCheckDebugger | cpCheckVirtualMachine))
dll_characteristics_ &= ~IMAGE_DLLCHARACTERISTICS_NO_SEH;
WriteToFile();
// write header and loader CRC table
if (loader_crc_address) {
CRCTable crc_table(function_list_->crc_cryptor(), loader_crc_size);
uint64_t resources_address = 0;
if (resource_list()->size() > resource_list()->store_size()) {
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_RESOURCE);
if (dir)
resources_address = dir->address();
}
// add header
crc_table.Add(image_base_, header_offset_ + sizeof(uint32_t) + sizeof(IMAGE_FILE_HEADER) +
((cpu_address_size() == osDWord) ? offsetof(IMAGE_OPTIONAL_HEADER32, DataDirectory) : offsetof(IMAGE_OPTIONAL_HEADER64, DataDirectory)) +
directory_list_->count() * sizeof(IMAGE_DATA_DIRECTORY) +
segment_list_->count() * sizeof(IMAGE_SECTION_HEADER));
// add loader sections
j = segment_list_->IndexOf(segment_list_->GetSectionByAddress(loader_crc_address));
if (j != NOT_ID) {
c = (ctx.options.flags & cpLoaderCRC) ? j + 1 : segment_list_->count();
for (i = j; i < c; i++) {
section = segment_list_->item(i);
if (section->memory_type() & mtWritable)
continue;
if (resources_address && section->address() == resources_address) {
size = (uint32_t)(resource_list()->store_size());
} else {
size = std::min(static_cast<uint32_t>(section->size()), section->physical_size());
}
if (size)
crc_table.Add(section->address(), size);
}
}
// skip IMAGE_DOS_HEADER.e_res
crc_table.Remove(image_base_ + offsetof(IMAGE_DOS_HEADER, e_res), sizeof(uint16_t) * 4);
// skip IMAGE_OPTIONAL_HEADER.CheckSum
crc_table.Remove(image_base_ + header_offset_ + sizeof(uint32_t) + sizeof(IMAGE_FILE_HEADER) +
((cpu_address_size() == osDWord) ? offsetof(IMAGE_OPTIONAL_HEADER32, CheckSum) : offsetof(IMAGE_OPTIONAL_HEADER64, CheckSum)),
sizeof(uint32_t));
// skip IMAGE_OPTIONAL_HEADER.ImageBase
crc_table.Remove(image_base_ + header_offset_ + sizeof(uint32_t) + sizeof(IMAGE_FILE_HEADER) +
((cpu_address_size() == osDWord) ? offsetof(IMAGE_OPTIONAL_HEADER32, ImageBase) : offsetof(IMAGE_OPTIONAL_HEADER64, ImageBase)),
OperandSizeToValue(cpu_address_size()));
// skip security directory
crc_table.Remove(image_base_ + header_offset_ + sizeof(uint32_t) + sizeof(IMAGE_FILE_HEADER) +
((cpu_address_size() == osDWord) ? offsetof(IMAGE_OPTIONAL_HEADER32, DataDirectory) : offsetof(IMAGE_OPTIONAL_HEADER64, DataDirectory)) +
IMAGE_DIRECTORY_ENTRY_SECURITY * sizeof(IMAGE_DATA_DIRECTORY),
sizeof(IMAGE_DATA_DIRECTORY));
// skip IAT directory
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_IAT);
if (dir)
crc_table.Remove(dir->address(), dir->size());
if (image_type_ == itDriver) {
// skip part of import table
if (name_table)
crc_table.Remove(name_table, name_table_size);
} else {
// skip IMAGE_IMPORT_DESCRIPTOR.TimeDateStamp and IMAGE_IMPORT_DESCRIPTOR.ForwarderChain for each import DLL
dir = directory_list_->GetCommandByType(IMAGE_DIRECTORY_ENTRY_IMPORT);
if (dir) {
address = dir->address();
for (i = 0; i < dir->size()/sizeof(IMAGE_IMPORT_DESCRIPTOR); i++, address += sizeof(IMAGE_IMPORT_DESCRIPTOR)) {
crc_table.Remove(address + offsetof(IMAGE_IMPORT_DESCRIPTOR, TimeDateStamp), sizeof(uint32_t) * 2);
}
}
}
if (load_config_directory_->cfg_check_function())
crc_table.Remove(load_config_directory_->cfg_check_function(), OperandSizeToValue(cpu_address_size()));
// skip fixups
if ((ctx.options.flags & cpStripFixups) == 0) {
for (i = 0; i < fixup_list_->count(); i++) {
PEFixup *fixup = fixup_list_->item(i);
crc_table.Remove(fixup->address(), OperandSizeToValue(fixup->size()));
}
}
// skip loader CRC table
crc_table.Remove(loader_crc_address, loader_crc_size);
crc_table.Remove(loader_crc_size_address, sizeof(uint32_t));
crc_table.Remove(loader_crc_hash_address, sizeof(uint32_t));
// skip file CRC table
if (file_crc_address)
crc_table.Remove(file_crc_address, file_crc_size);
if (file_crc_size_address)
crc_table.Remove(file_crc_size_address, sizeof(uint32_t));
// write to file
AddressSeek(loader_crc_address);
uint32_t hash;
size = static_cast<uint32_t>(crc_table.WriteToFile(*this, false, &hash));
AddressSeek(loader_crc_size_address);
WriteDWord(size);
AddressSeek(loader_crc_hash_address);
WriteDWord(hash);
}
// write file CRC table
if (file_crc_address) {
CRCTable crc_table(function_list_->crc_cryptor(), file_crc_size - sizeof(uint32_t));
// add file range
crc_table.Add(1, static_cast<size_t>(this->size()) - 1);
// skip IMAGE_OPTIONAL_HEADER.CheckSum
crc_table.Remove(header_offset_ + sizeof(uint32_t) + sizeof(IMAGE_FILE_HEADER) +
((cpu_address_size() == osDWord) ? offsetof(IMAGE_OPTIONAL_HEADER32, CheckSum) : offsetof(IMAGE_OPTIONAL_HEADER64, CheckSum)),
sizeof(uint32_t));
// skip position of security directory
crc_table.Remove(header_offset_ + sizeof(uint32_t) + sizeof(IMAGE_FILE_HEADER) +
((cpu_address_size() == osDWord) ? offsetof(IMAGE_OPTIONAL_HEADER32, DataDirectory) : offsetof(IMAGE_OPTIONAL_HEADER64, DataDirectory)) +
IMAGE_DIRECTORY_ENTRY_SECURITY * sizeof(IMAGE_DATA_DIRECTORY),
sizeof(IMAGE_DATA_DIRECTORY));
// skip file CRC table
if (AddressSeek(file_crc_address))
crc_table.Remove(Tell(), file_crc_size);
if (AddressSeek(file_crc_size_address))
crc_table.Remove(Tell(), sizeof(uint32_t));
// write to file
AddressSeek(file_crc_address);
size = static_cast<uint32_t>(this->size());
WriteDWord(size);
size = static_cast<uint32_t>(crc_table.WriteToFile(*this, true));
AddressSeek(file_crc_size_address);
WriteDWord(size);
}
WriteCheckSum();
EndProgress();
}
void PEArchitecture::Rebase(uint64_t target_image_base, uint64_t delta_base)
{
BaseArchitecture::Rebase(delta_base);
fixup_list_->Rebase(*this, delta_base);
import_list_->Rebase(delta_base);
export_list_->Rebase(delta_base);
directory_list_->Rebase(delta_base);
load_config_directory_->Rebase(delta_base);
runtime_function_list_->RebaseByFile(*this, target_image_base, delta_base);
segment_list_->Rebase(delta_base);
section_list_->Rebase(delta_base);
function_list_->Rebase(delta_base);
if (entry_point_)
entry_point_ += delta_base;
image_base_ += delta_base;
}
bool PEArchitecture::is_executable() const
{
return image_type() == itExe;
}
std::string PEArchitecture::ANSIToUTF8(const std::string &str) const
{
#ifndef VMP_GNU
if (!os::ValidateUTF8(str))
return os::ToUTF8(os::FromACP(str));
#endif
return str;
}
void PEArchitecture::ReadFromBuffer(Buffer &buffer)
{
BaseArchitecture::ReadFromBuffer(buffer);
PECFGAddressTable *cfg_address_list = load_config_directory_->cfg_address_list();
size_t c = buffer.ReadDWord();
for (size_t i = 0; i < c; i++) {
cfg_address_list->Add(buffer.ReadDWord() + image_base());
}
}
/**
* PDBFile
*/
PDBFile::PDBFile()
: BaseMapFile(), time_stamp_(0)
{
}
bool PDBFile::Parse(const char *file_name, const std::vector<uint64_t> &segments)
{
clear();
guid_.clear();
time_stamp_ = 0;
file_name_ = file_name;
PdbFileStream fs;
if (!fs.Open(file_name, fmOpenRead | fmShareDenyNone))
return false;
segments_ = segments;
size_t sign_len2 = sizeof(pdb2) - 1, sign_len7 = sizeof(pdb7) - 1;
size_t sign_len = std::max(sign_len2, sign_len7);
std::vector<uint8_t> head(sign_len);
if (fs.RawRead(0, &head))
{
if (!memcmp(&head[0], pdb2, sign_len2))
{
pdb_jg_reader reader(fs);
if (!reader.init())
return false;
time_stamp_ = reader.root->TimeDateStamp;
return ReadSymbols(reader);
}
else if (!memcmp(&head[0], pdb7, sign_len7))
{
pdb_ds_reader reader(fs);
if (!reader.init())
return false;
guid_.insert(guid_.begin(), reinterpret_cast<const uint8_t *>(&reader.root->guid), reinterpret_cast<const uint8_t *>(&reader.root->guid) + sizeof(reader.root->guid));
return ReadSymbols(reader);
}
}
return false;
}
bool PDBFile::ReadSymbols(pdb_reader &reader)
{
// read types
if (reader.read_file(PDB_STREAM_TPI, types_data_)) {
PDB_TYPES *types = reinterpret_cast<PDB_TYPES *>(types_data_.data());
size_t offset;
if (types->version < 19960000) {
const PDB_TYPES_OLD *types_old = reinterpret_cast<const PDB_TYPES_OLD *>(types);
offset = sizeof(PDB_TYPES_OLD);
types_first_index_ = types_old->first_index;
}
else {
offset = types->type_offset;
types_first_index_ = types->first_index;
}
int length;
for (size_t i = offset; i < types_data_.size(); i += length)
{
const union codeview_type *type = reinterpret_cast<const union codeview_type*>(types_data_.data() + i);
length = type->generic.len + 2;
if (!type->generic.id || length < 4)
break;
types_offset_.push_back(type);
}
}
PDB_SYMBOLS *symbols;
std::vector<uint8_t> vsymbols, vmodimage;
if (!reader.read_file(PDB_STREAM_DBI, vsymbols))
return false;
symbols = reinterpret_cast<PDB_SYMBOLS*>(vsymbols.data());
// read global symbol table
if (reader.read_file(symbols->gsym_file, vmodimage))
codeview_dump_symbols(vmodimage, 0);
// read per-module symbol / linenumber tables
const char *file = reinterpret_cast<const char*>(symbols) + sizeof(PDB_SYMBOLS);
while (static_cast<size_t>(file - reinterpret_cast<const char*>(symbols)) < sizeof(PDB_SYMBOLS) + symbols->module_size)
{
int file_nr, symbol_size;
const char* file_name;
if (symbols->version < 19970000)
{
const PDB_SYMBOL_FILE* sym_file = reinterpret_cast<const PDB_SYMBOL_FILE*>(file);
file_nr = sym_file->file;
file_name = sym_file->filename;
symbol_size = sym_file->symbol_size;
}
else
{
const PDB_SYMBOL_FILE_EX* sym_file = reinterpret_cast<const PDB_SYMBOL_FILE_EX*>(file);
file_nr = sym_file->file;
file_name = sym_file->filename;
symbol_size = sym_file->symbol_size;
}
if (symbol_size && reader.read_file(file_nr, vmodimage))
codeview_dump_symbols(vmodimage, sizeof(uint32_t));
file_name += strlen(file_name) + 1;
file = reinterpret_cast<char*>(reinterpret_cast<size_t>(file_name + strlen(file_name) + 1 + 3) & ~3);
}
return true;
}
void PDBFile::AddSymbol(size_t segment, size_t offset, const std::string &name)
{
if (!segment || segment >= segments_.size())
return;
uint64_t address = segments_[segment] + offset;
std::pair<uint64_t, std::string> key(address, name);
if (map_.find(key) != map_.end())
return;
map_.insert(key);
MapSection *section = GetSectionByType(msFunctions);
if (!section)
section = Add(msFunctions);
section->Add(NOT_ID, address, 0, name);
}
void PDBFile::AddSection(size_t segment, size_t offset, uint64_t size, const std::string &name)
{
if (segment >= segments_.size())
return;
MapSection *section = GetSectionByType(msSections);
if (!section)
section = Add(msSections);
section->Add(segment, segments_[segment] + offset, size, name);
}
size_t leaf_length(const uint16_t *type)
{
size_t res = sizeof(*type);
switch (*type++) {
case LF_CHAR:
res += 1;
break;
case LF_SHORT:
case LF_USHORT:
res += 2;
break;
case LF_LONG:
case LF_ULONG:
res += 4;
break;
case LF_REAL32:
res += 4;
break;
case LF_REAL48:
res += 6;
break;
case LF_REAL80:
res += 10;
break;
case LF_REAL128:
res += 16;
break;
case LF_QUADWORD:
case LF_UQUADWORD:
res += 8;
break;
case LF_COMPLEX32:
res += 4;
break;
case LF_COMPLEX80:
res += 10;
break;
case LF_COMPLEX128:
res += 16;
break;
case LF_VARSTRING:
res += 2 + *type;
break;
}
return res;
}
std::string PDBFile::GetTypeName(size_t data_type, const std::string &name)
{
std::string res;
const p_string *p_str;
if (data_type < types_first_index_) {
switch (data_type) {
case T_VOID:
res = "void";
break;
case T_CHAR:
res = "char";
break;
case T_SHORT:
res = "short";
break;
case T_LONG:
res = "long";
break;
case T_QUAD:
res = "__int64";
break;
case T_UCHAR:
res = "unsigned char";
break;
case T_USHORT:
res = "unsigned short";
break;
case T_ULONG:
res = "unsigned long";
break;
case T_UQUAD:
res = "unsigned __int64";
break;
case T_BOOL08:
case T_BOOL16:
case T_BOOL32:
case T_BOOL64:
res = "bool";
break;
case T_REAL32:
res = "float";
break;
case T_REAL64:
res = "double";
break;
case T_REAL80:
res = "long double";
break;
case T_RCHAR:
res = "char";
break;
case T_INT4:
res = "int";
break;
case T_UINT4:
res = "unsigned int";
break;
case T_WCHAR:
res = "wchar_t";
break;
case T_CHAR16:
res = "char16_t";
break;
case T_CHAR32:
res = "char32_t";
break;
case T_PVOID: case T_PCHAR: case T_PSHORT: case T_PLONG: case T_PQUAD: case T_PUCHAR: case T_PUSHORT: case T_PULONG:
case T_PUQUAD: case T_PBOOL08: case T_PBOOL16: case T_PBOOL32: case T_PBOOL64: case T_PREAL32: case T_PREAL64: case T_PREAL80:
case T_PREAL128: case T_PREAL48: case T_PCPLX32: case T_PCPLX64: case T_PCPLX80: case T_PCPLX128: case T_PRCHAR: case T_PWCHAR:
case T_PINT2: case T_PUINT2: case T_PINT4: case T_PUINT4: case T_PINT8: case T_PUINT8: case T_PCHAR16: case T_PCHAR32:
case T_PFVOID: case T_PFCHAR: case T_PFSHORT: case T_PFLONG: case T_PFQUAD: case T_PFUCHAR: case T_PFUSHORT: case T_PFULONG:
case T_PFUQUAD: case T_PFBOOL08: case T_PFBOOL16: case T_PFBOOL32: case T_PFBOOL64: case T_PFREAL32: case T_PFREAL64: case T_PFREAL80:
case T_PFREAL128: case T_PFREAL48: case T_PFCPLX32: case T_PFCPLX64: case T_PFCPLX80: case T_PFCPLX128: case T_PFRCHAR: case T_PFWCHAR:
case T_PFINT2: case T_PFUINT2: case T_PFINT4: case T_PFUINT4: case T_PFINT8: case T_PFUINT8: case T_PFCHAR16: case T_PFCHAR32:
case T_PHVOID: case T_PHCHAR: case T_PHSHORT: case T_PHLONG: case T_PHQUAD: case T_PHUCHAR: case T_PHUSHORT: case T_PHULONG:
case T_PHUQUAD: case T_PHBOOL08: case T_PHBOOL16: case T_PHBOOL32: case T_PHBOOL64: case T_PHREAL32: case T_PHREAL64: case T_PHREAL80:
case T_PHREAL128: case T_PHREAL48: case T_PHCPLX32: case T_PHCPLX64: case T_PHCPLX80: case T_PHCPLX128: case T_PHRCHAR: case T_PHWCHAR:
case T_PHINT2: case T_PHUINT2: case T_PHINT4: case T_PHUINT4: case T_PHINT8: case T_PHUINT8: case T_PHCHAR16: case T_PHCHAR32:
case T_32PVOID: case T_32PCHAR: case T_32PSHORT: case T_32PLONG: case T_32PQUAD: case T_32PUCHAR: case T_32PUSHORT: case T_32PULONG:
case T_32PUQUAD: case T_32PBOOL08: case T_32PBOOL16: case T_32PBOOL32: case T_32PBOOL64: case T_32PREAL32: case T_32PREAL64: case T_32PREAL80:
case T_32PREAL128: case T_32PREAL48: case T_32PCPLX32: case T_32PCPLX64: case T_32PCPLX80: case T_32PCPLX128: case T_32PRCHAR: case T_32PWCHAR:
case T_32PINT2: case T_32PUINT2: case T_32PINT4: case T_32PUINT4: case T_32PINT8: case T_32PUINT8: case T_32PCHAR16: case T_32PCHAR32:
case T_32PFVOID: case T_32PFCHAR: case T_32PFSHORT: case T_32PFLONG: case T_32PFQUAD: case T_32PFUCHAR: case T_32PFUSHORT: case T_32PFULONG:
case T_32PFUQUAD: case T_32PFBOOL08: case T_32PFBOOL16: case T_32PFBOOL32: case T_32PFBOOL64: case T_32PFREAL32: case T_32PFREAL64: case T_32PFREAL80:
case T_32PFREAL128: case T_32PFREAL48: case T_32PFCPLX32: case T_32PFCPLX64: case T_32PFCPLX80: case T_32PFCPLX128: case T_32PFRCHAR: case T_32PFWCHAR:
case T_32PFINT2: case T_32PFUINT2: case T_32PFINT4: case T_32PFUINT4: case T_32PFINT8: case T_32PFUINT8: case T_32PFCHAR16: case T_32PFCHAR32:
case T_64PVOID: case T_64PCHAR: case T_64PSHORT: case T_64PLONG: case T_64PQUAD: case T_64PUCHAR: case T_64PUSHORT: case T_64PULONG:
case T_64PUQUAD: case T_64PBOOL08: case T_64PBOOL16: case T_64PBOOL32: case T_64PBOOL64: case T_64PREAL32: case T_64PREAL64: case T_64PREAL80:
case T_64PREAL128: case T_64PREAL48: case T_64PCPLX32: case T_64PCPLX64: case T_64PCPLX80: case T_64PCPLX128: case T_64PRCHAR: case T_64PWCHAR:
case T_64PINT2: case T_64PUINT2: case T_64PINT4: case T_64PUINT4: case T_64PINT8: case T_64PUINT8: case T_64PCHAR16: case T_64PCHAR32:
return GetTypeName(data_type & T_BASICTYPE_MASK, (!name.empty() && name.front() != '*' ? "* " : "*") + name);
}
}
else if (data_type - types_first_index_ < types_offset_.size()) {
const union codeview_type* type = types_offset_[data_type - types_first_index_];
switch (type->generic.id) {
case LF_MODIFIER_V1:
if (type->modifier_v1.attribute & 0x01)
res += "const ";
if (type->modifier_v1.attribute & 0x02)
res += "volatile ";
if (type->modifier_v1.attribute & 0x04)
res += "unaligned ";
if (type->modifier_v1.attribute & ~0x07)
res += "unknown ";
if (!res.empty())
res.pop_back();
res = GetTypeName(type->modifier_v1.type, res);
case LF_MODIFIER_V2:
if (type->modifier_v2.attribute & 0x01)
res += "const ";
if (type->modifier_v2.attribute & 0x02)
res += "volatile ";
if (type->modifier_v2.attribute & 0x04)
res += "unaligned ";
if (type->modifier_v2.attribute & ~0x07)
res += "unknown ";
if (!res.empty())
res.pop_back();
res = GetTypeName(type->modifier_v2.type, res);
break;
case LF_POINTER_V1:
return GetTypeName(type->pointer_v1.datatype, (!name.empty() && name.front() != '*' ? "* " : "*") + name);
case LF_POINTER_V2:
if (type->pointer_v2.attribute & 0x80)
res = "&&";
else if (type->pointer_v2.attribute & 0x20)
res = '&';
else
res = '*';
if (!name.empty() && name.front() != res.back())
res += ' ';
return GetTypeName(type->pointer_v2.datatype, res + name);
case LF_ARRAY_V1:
return GetTypeName(type->array_v1.elemtype, (!name.empty() && name.front() != '*' ? "* " : "*") + name);
case LF_ARRAY_V2:
return GetTypeName(type->array_v2.elemtype, (!name.empty() && name.front() != '*' ? "* " : "*") + name);
case LF_ARRAY_V3:
return GetTypeName(type->array_v3.elemtype, (!name.empty() && name.front() != '*' ? "* " : "*") + name);
case LF_STRUCTURE_V1:
case LF_CLASS_V1:
p_str = reinterpret_cast<const p_string *>(reinterpret_cast<const char *>(&type->struct_v1.structlen) + leaf_length(&type->struct_v1.structlen));
res = (type->generic.id == LF_CLASS_V1 ? "class " : "struct ") + std::string(p_str->name, p_str->namelen);
break;
case LF_STRUCTURE_V2:
case LF_CLASS_V2:
p_str = reinterpret_cast<const p_string *>(reinterpret_cast<const char *>(&type->struct_v2.structlen) + leaf_length(&type->struct_v2.structlen));
res = (type->generic.id == LF_CLASS_V2 ? "class " : "struct ") + std::string(p_str->name, p_str->namelen);
break;
case LF_STRUCTURE_V3:
case LF_CLASS_V3:
res = (type->generic.id == LF_CLASS_V3 ? "class " : "struct ") + std::string(reinterpret_cast<const char *>(&type->struct_v3.structlen) + leaf_length(&type->struct_v3.structlen));
break;
case LF_ARGLIST_V1:
{
const union codeview_reftype *ref_type = reinterpret_cast<const union codeview_reftype *>(type);
if (ref_type->arglist_v2.num == 0)
res = GetTypeName(T_VOID, "");
else for (size_t i = 0; i < ref_type->arglist_v1.num; i++) {
if (i > 0)
res += ',';
res += GetTypeName(ref_type->arglist_v1.args[i], "");
}
}
break;
case LF_ARGLIST_V2:
{
const union codeview_reftype *ref_type = reinterpret_cast<const union codeview_reftype *>(type);
if (ref_type->arglist_v2.num == 0)
res = GetTypeName(T_VOID, "");
else for (size_t i = 0; i < ref_type->arglist_v2.num; i++) {
if (i > 0)
res += ',';
res += GetTypeName(ref_type->arglist_v2.args[i], "");
}
}
break;
case LF_PROCEDURE_V1:
return GetTypeName(type->procedure_v1.rvtype, '(' + name + ')' + '(' + GetTypeName(type->procedure_v1.arglist, "") + ')');
case LF_PROCEDURE_V2:
return GetTypeName(type->procedure_v2.rvtype, '(' + name + ')' + '(' + GetTypeName(type->procedure_v2.arglist, "") + ')');
case LF_UNION_V1:
p_str = reinterpret_cast<const p_string *>(reinterpret_cast<const char *>(&type->union_v1.un_len) + leaf_length(&type->union_v1.un_len));
res = "union " + std::string(p_str->name, p_str->namelen);
break;
case LF_UNION_V2:
p_str = reinterpret_cast<const p_string *>(reinterpret_cast<const char *>(&type->union_v2.un_len) + leaf_length(&type->union_v2.un_len));
res = "union " + std::string(p_str->name, p_str->namelen);
break;
case LF_UNION_V3:
res = "union " + std::string(reinterpret_cast<const char *>(&type->union_v3.un_len) + leaf_length(&type->union_v3.un_len));
break;
case LF_ENUM_V1:
res = "enum " + std::string(type->enumeration_v1.p_name.name, type->enumeration_v1.p_name.namelen);
break;
case LF_ENUM_V2:
res = "enum " + std::string(type->enumeration_v2.p_name.name, type->enumeration_v2.p_name.namelen);
break;
case LF_ENUM_V3:
res = "enum " + std::string(type->enumeration_v3.name);
break;
default:
res = "???";
}
}
if (!res.empty() && !name.empty())
res += ' ';
return res + name;
}
void PDBFile::codeview_dump_symbols(const std::vector<uint8_t> &root, size_t offset)
{
size_t i;
int length;
for (i = offset; i < root.size(); i += length)
{
const union codeview_symbol* sym = reinterpret_cast<const union codeview_symbol*>(&root[0] + i);
length = sym->generic.len + 2;
if (!sym->generic.id || length < 4) break;
switch (sym->generic.id)
{
case S_GDATA_V2:
case S_LDATA_V2:
AddSymbol(sym->data_v2.segment, sym->data_v2.offset, GetTypeName(sym->data_v2.symtype, std::string(sym->data_v2.p_name.name, sym->data_v2.p_name.namelen)));
break;
case S_LDATA_V3:
case S_GDATA_V3:
AddSymbol(sym->data_v3.segment, sym->data_v3.offset, GetTypeName(sym->data_v3.symtype, std::string(sym->data_v3.name)));
break;
case S_PUB_V2:
AddSymbol(sym->public_v2.segment, sym->public_v2.offset, std::string(sym->public_v2.p_name.name, sym->public_v2.p_name.namelen));
break;
case S_PUB_V3:
AddSymbol(sym->public_v3.segment, sym->public_v3.offset, std::string(sym->public_v3.name));
break;
case S_THUNK_V1:
AddSymbol(sym->thunk_v1.segment, sym->thunk_v1.offset, std::string(sym->thunk_v1.p_name.name, sym->thunk_v1.p_name.namelen));
break;
case S_THUNK_V3:
AddSymbol(sym->thunk_v3.segment, sym->thunk_v3.offset, std::string(sym->thunk_v3.name));
break;
//case S_GPROC_V1:
case S_LPROC_V1:
AddSymbol(sym->proc_v1.segment, sym->proc_v1.offset, std::string(sym->proc_v1.p_name.name, sym->proc_v1.p_name.namelen));
break;
//case S_GPROC_V2:
case S_LPROC_V2:
AddSymbol(sym->proc_v2.segment, sym->proc_v2.offset, std::string(sym->proc_v2.p_name.name, sym->proc_v2.p_name.namelen));
break;
case S_LPROC_V3:
//case S_GPROC_V3:
AddSymbol(sym->proc_v3.segment, sym->proc_v3.offset, std::string(sym->proc_v3.name));
break;
case S_SUBSECTINFO_V3:
AddSection(*reinterpret_cast<const unsigned short*>(reinterpret_cast<const char*>(sym) + 16),
*reinterpret_cast<const unsigned*>(reinterpret_cast<const char*>(sym) + 12),
*reinterpret_cast<const unsigned*>(reinterpret_cast<const char*>(sym) + 4),
std::string(reinterpret_cast<const char*>(sym) + 18));
break;
case S_LTHREAD_V1:
case S_GTHREAD_V1:
AddSymbol(sym->thread_v1.segment, sym->thread_v1.offset, std::string(sym->thread_v1.p_name.name, sym->thread_v1.p_name.namelen));
break;
case S_LTHREAD_V2:
case S_GTHREAD_V2:
AddSymbol(sym->thread_v2.segment, sym->thread_v2.offset, std::string(sym->thread_v2.p_name.name, sym->thread_v2.p_name.namelen));
break;
case S_LTHREAD_V3:
case S_GTHREAD_V3:
AddSymbol(sym->thread_v3.segment, sym->thread_v3.offset, std::string(sym->thread_v3.name));
break;
case S_PROCREF_V1:
case S_DATAREF_V1:
case S_LPROCREF_V1:
length += (*(reinterpret_cast<const char *>(sym) + length) + 1 + 3) & ~3;
break;
}
}
}
/**
* COFFStringTable
*/
std::string COFFStringTable::GetString(uint32_t pos) const
{
if (pos < sizeof(uint32_t))
throw std::runtime_error("Invalid index for string table");
if (pos >= data_.size())
throw std::runtime_error("Invalid index for string table");
size_t i, len;
len = data_.size() - pos;
for (i = 0; i < len; i++) {
if (data_[pos + i] == 0) {
len = i;
break;
}
}
if (len == data_.size() - pos)
throw std::runtime_error("Invalid format");
return std::string(&data_[pos], len);
}
void COFFStringTable::ReadFromFile(PEArchitecture &file)
{
uint32_t size = file.ReadDWord();
if (size < sizeof(size))
throw std::runtime_error("Invalid format");
data_.resize(size);
file.Read(data_.data() + sizeof(uint32_t), data_.size() - sizeof(uint32_t));
}
void COFFStringTable::ReadFromFile(FileStream &file)
{
uint32_t size = 0;
file.Read(&size, sizeof(size));
if (size < sizeof(size))
throw std::runtime_error("Invalid format");
data_.resize(size);
file.Read(data_.data() + sizeof(uint32_t), data_.size() - sizeof(uint32_t));
}
/**
* COFFFile
*/
bool COFFFile::Parse(const char *file_name, const std::vector<uint64_t> &segments)
{
clear();
time_stamp_ = 0;
file_name_ = file_name;
FileStream fs;
if (!fs.Open(file_name, fmOpenRead | fmShareDenyNone))
return false;
segments_ = segments;
IMAGE_DOS_HEADER dos_header;
if (fs.Read(&dos_header, sizeof(dos_header)) == sizeof(dos_header) && dos_header.e_magic == IMAGE_DOS_SIGNATURE) {
if (fs.Seek(dos_header.e_lfanew, soBeginning) != (uint64_t)-1) {
uint32_t signature = 0;
fs.Read(&signature, sizeof(signature));
if (signature == IMAGE_NT_SIGNATURE) {
IMAGE_FILE_HEADER image_header = IMAGE_FILE_HEADER();
fs.Read(&image_header, sizeof(image_header));
if (image_header.PointerToSymbolTable) {
time_stamp_ = image_header.TimeDateStamp;
if (fs.Seek(image_header.PointerToSymbolTable + image_header.NumberOfSymbols * sizeof(IMAGE_SYMBOL), soBeginning) != (uint64_t)-1) {
COFFStringTable string_table;
string_table.ReadFromFile(fs);
fs.Seek(image_header.PointerToSymbolTable, soBeginning);
for (size_t i = 0; i < image_header.NumberOfSymbols; i++) {
std::string name;
IMAGE_SYMBOL sym;
fs.Read(&sym, sizeof(sym));
switch (sym.StorageClass) {
case IMAGE_SYM_CLASS_EXTERNAL:
case IMAGE_SYM_CLASS_STATIC:
if (sym.N.Name.Short == 0) {
name = string_table.GetString(sym.N.Name.Long);
}
else {
name = std::string(reinterpret_cast<char *>(&sym.N.ShortName), strnlen(reinterpret_cast<char *>(&sym.N.ShortName), sizeof(sym.N.ShortName)));
}
AddSymbol(sym.SectionNumber, sym.Value, name);
}
}
return true;
}
}
}
}
}
return false;
}
void COFFFile::AddSymbol(size_t segment, size_t offset, const std::string &name)
{
if (!segment || segment >= segments_.size())
return;
uint64_t address = segments_[segment] + offset;
MapSection *section = GetSectionByType(msFunctions);
if (!section)
section = Add(msFunctions);
section->Add(NOT_ID, address, 0, name);
}
Reference in New Issue View Git Blame Copy Permalink