author | Cyrille Bagard <nocbos@gmail.com> | 2021-04-05 22:59:31 (GMT) |
committer | Cyrille Bagard <nocbos@gmail.com> | 2021-04-05 23:11:48 (GMT) |
commit | b0347ca45a08ac63bc6dd6f244b046c6d19a6cdd (patch) | |
tree | 9af1ec9901ddcf696bd3297633faf9fb46712396 /plugins/pe/pe_def.h | |
parent | cf0b5d5f07e8102f2c9a04012bf29cabda9d85e4 (diff) |
Build partial working support for the PE format.
Diffstat (limited to 'plugins/pe/pe_def.h')
-rw-r--r-- | plugins/pe/pe_def.h | 165 |
1 files changed, 132 insertions, 33 deletions
diff --git a/plugins/pe/pe_def.h b/plugins/pe/pe_def.h
index 62d8afc..62b4607 100644
--- a/plugins/pe/pe_def.h
+++ b/plugins/pe/pe_def.h
@@ -21,13 +21,20 @@ */
-#ifndef _FORMAT_PE_PE_DEF_H
-#define _FORMAT_PE_PE_DEF_H
+#ifndef _PLUGINS_PE_PE_DEF_H
+#define _PLUGINS_PE_PE_DEF_H
 #include <stdint.h>
+/**
+ * Références :
+ *
+ * - https://fr.wikipedia.org/wiki/Portable_Executable#En-tête_MZ_sous_MS-DOS
+ * - https://www.nirsoft.net/kernel_struct/vista/IMAGE_DOS_HEADER.html
+ *
+ */
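Review bot: The new include guard `_PLUGINS_PE_PE_DEF_H` is a reserved identifier — a leading underscore followed by an uppercase letter is set aside for the implementation (C11 §7.1.3) — and so was the old `_FORMAT_PE_PE_DEF_H`, so the rename is the natural moment to drop it. Suggested: `#ifndef PLUGINS_PE_PE_DEF_H` / `#define PLUGINS_PE_PE_DEF_H`, with the `#endif` comment at the end of the file adjusted to match. The struct tags introduced later in this diff (`_image_optional_header_64`, `_image_export_directory`) fall in the same reserved space, though they follow the file's existing tag convention.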
@@ -59,10 +66,44 @@ typedef struct _image_dos_header
 } image_dos_header;
-/* Archtecture supportées */
-#define IMAGE_FILE_MACHINE_I386 0x014c /* x86 */
-#define IMAGE_FILE_MACHINE_IA64 0x0200 /* Intel IPF */
-#define IMAGE_FILE_MACHINE_AMD64 0x8664 /* x64 */
+/* Archtectures supportées */
+
+/**
+ * Cf. https://docs.microsoft.com/en-us/windows/win32/sysinfo/image-file-machine-constants
+ */
+
+#define IMAGE_FILE_MACHINE_UNKNOWN 0x0000 /* Unknown */
+#define IMAGE_FILE_MACHINE_TARGET_HOST 0x0001 /* Interacts with the host and not a WOW64 guest */
+#define IMAGE_FILE_MACHINE_I386 0x014c /* Intel 386 */
+#define IMAGE_FILE_MACHINE_R3000 0x0162 /* MIPS little-endian, 0x160 big-endian */
+#define IMAGE_FILE_MACHINE_R4000 0x0166 /* MIPS little-endian */
+#define IMAGE_FILE_MACHINE_R10000 0x0168 /* MIPS little-endian */
+#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 /* MIPS little-endian WCE v2 */
+#define IMAGE_FILE_MACHINE_ALPHA 0x0184 /* Alpha_AXP */
+#define IMAGE_FILE_MACHINE_SH3 0x01a2 /* SH3 little-endian */
+#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3 /* SH3DSP */
+#define IMAGE_FILE_MACHINE_SH3E 0x01a4 /* SH3E little-endian */
+#define IMAGE_FILE_MACHINE_SH4 0x01a6 /* SH4 little-endian */
+#define IMAGE_FILE_MACHINE_SH5 0x01a8 /* SH5 */
+#define IMAGE_FILE_MACHINE_ARM 0x01c0 /* ARM Little-Endian */
+#define IMAGE_FILE_MACHINE_THUMB 0x01c2 /* ARM Thumb/Thumb-2 Little-Endian */
+#define IMAGE_FILE_MACHINE_ARMNT 0x01c4 /* ARM Thumb-2 Little-Endian */
+#define IMAGE_FILE_MACHINE_AM33 0x01d3 /* TAM33BD */
+#define IMAGE_FILE_MACHINE_POWERPC 0x01f0 /* IBM PowerPC Little-Endian */
+#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1 /* POWERPCFP */
+#define IMAGE_FILE_MACHINE_IA64 0x0200 /* Intel 64 */
+#define IMAGE_FILE_MACHINE_MIPS16 0x0266 /* MIPS */
+#define IMAGE_FILE_MACHINE_ALPHA64 0x0284 /* ALPHA64 */
+/*#define IMAGE_FILE_MACHINE_AXP64 0x0284*/ /* AXP64 */
+#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366 /* MIPS */
+#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466 /* MIPS */
+#define IMAGE_FILE_MACHINE_TRICORE 0x0520 /*Infineon */
+#define IMAGE_FILE_MACHINE_CEF 0x0cef /* CEF */
+#define IMAGE_FILE_MACHINE_EBC 0x0ebc /* EFI Byte Code */
+#define IMAGE_FILE_MACHINE_AMD64 0x8664 /* AMD64 (K8) */
+#define IMAGE_FILE_MACHINE_M32R 0x9041 /* M32R little-endian */
+#define IMAGE_FILE_MACHINE_ARM64 0xaa64 /* ARM64 Little-Endian */
+#define IMAGE_FILE_MACHINE_CEE 0xc0ee /* CEE */
 /* Caractéristiques de l'image */
 #define IMAGE_FILE_RELOCS_STRIPPED 0x0001 /* Pas de relocalisation */
@@ -96,18 +137,14 @@ typedef struct _image_file_header
-
-
-
-
-
-
-
 /* -------------------------- EN-TETE EVOLUEE DU FORMAT PE -------------------------- */
 /**
- * cf. http://msdn.microsoft.com/en-us/library/ms680305(VS.85).aspx
+ * Références :
+ *
+ * - http://msdn.microsoft.com/en-us/library/ms680305(VS.85).aspx
+ * - https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_optional_header32
  */
 /* Zone de données Windows */
@@ -144,7 +181,8 @@ typedef struct _image_data_directory
 #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
 /* Seconde en-tête, optionnelle */
-typedef struct _image_optional_header
+
+typedef struct _image_optional_header_32
 {
 uint16_t magic; /* Type de binaire manipulé */
 uint8_t major_linker_version; /* Version majeure du linker */
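Review bot: The comment on `IMAGE_FILE_MACHINE_IA64` in the machine-constant hunk now reads `/* Intel 64 */`, which names the wrong architecture — 0x0200 is the Itanium processor family (the page the hunk cites lists it as such), and the removed line's `/* Intel IPF */` was accurate; "Intel 64" is the x86-64 value `IMAGE_FILE_MACHINE_AMD64` just below. Suggested: `#define IMAGE_FILE_MACHINE_IA64 0x0200 /* Intel Itanium (IPF) */`. While there, `/*Infineon */` on the TriCore line lacks the space the other comments have, and the heading still has the typo `Archtectures` (→ `Architectures`).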
@@ -178,8 +216,54 @@ typedef struct _image_optional_header
 uint32_t number_of_rva_and_sizes; /* Nombre d'entrées suivantes */
 image_data_directory data_directory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
+} image_optional_header_32;
+
+typedef struct _image_optional_header_64
+{
+
+ uint16_t magic; /* Type de binaire manipulé */
+ uint8_t major_linker_version; /* Version majeure du linker */
+ uint8_t minor_linker_version; /* Version mineure du linker */
+ uint32_t size_of_code; /* Taille de tout le code */
+ uint32_t size_of_initialized_data; /* Taille des données init. */
+ uint32_t size_of_uninitialized_data; /* Taille des données non init.*/
+ uint32_t address_of_entry_point; /* Point d'entrée pour un exe. */
+ uint32_t base_of_code; /* Adresse relative du code */
+ uint64_t image_base; /* Adresse souhaitée en mémoire*/
+ uint32_t section_alignment; /* Alignement des sections */
+ uint32_t file_alignment; /* Alignement des données */
+ uint16_t major_operating_system_version;/* Numéro majeur d'OS requis */
+ uint16_t minor_operating_system_version;/* Numéro mineur d'OS requis */
+ uint16_t major_image_version; /* Numéro majeur du binaire */
+ uint16_t minor_image_version; /* Numéro mineur du binaire */
+ uint16_t major_subsystem_version; /* Numéro majeur du sous-sys. */
+ uint16_t minor_subsystem_version; /* Numéro mineur du sous-sys. 
*/
+ uint32_t win32_version_value; /* Réservé (-> 0) */
+ uint32_t size_of_image; /* Taille de l'image */
+ uint32_t size_of_headers; /* Taille de l'en-tête */
+ uint32_t checksum; /* Somme de contrôle */
+ uint16_t subsystem; /* Sous-système visé */
+ uint16_t dll_characteristics; /* Propriétés de la DLL */
+ uint64_t size_of_stack_reserve; /* Taille de pile reservée */
+ uint64_t size_of_stack_commit; /* Taille de pile au démarrage */
+ uint64_t size_of_heap_reserve; /* Taille de tas reservée */
+ uint64_t size_of_heap_commit; /* Taille de tas au démarrage */
+ uint32_t loader_flags; /* Champ obslète */
+ uint32_t number_of_rva_and_sizes; /* Nombre d'entrées suivantes */
+ image_data_directory data_directory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
+
+} image_optional_header_64;
+
+typedef union _image_optional_header
+{
+ image_optional_header_32 header_32; /* Version 32 bits */
+ image_optional_header_64 header_64; /* Version 64 bits */
+
 } image_optional_header;
+
+
+
 /* Valeurs pour le champ 'magic' */
 #define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b /* Exécutable 32 bits */
 #define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b /* Exécutable 64 bits */
@@ -246,10 +330,11 @@ typedef struct _image_section_header {
 uint32_t physical_address; /* Adresse physique */
 uint32_t virtual_size; /* Taille en mémoire */
+
 } misc;
 uint32_t virtual_address; /* Adresse en mémoire */
- uint32_t size_of_raw_data; /* Taille de données non init. */
+ uint32_t size_of_raw_data; /* Taille de données définies */
 uint32_t pointer_to_raw_data; /* Position de ces données */
 uint32_t pointer_to_relocations; /* Position des relocalisations*/
 uint32_t pointer_to_line_numbers; /* Position de numéros de ligne*/
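Review bot: Nothing in the new `image_optional_header_64` pins its size to the 240-byte on-disk optional header, so a padding or type slip in any field would silently shift every field after it when the struct is filled from file bytes. As written the sequence is naturally aligned — `image_base` lands at offset 24 and `size_of_stack_reserve` at 72, both 8-byte multiples — so, assuming `image_data_directory` is the usual pair of `uint32_t`, a compile-time check after the union locks that in: `_Static_assert(sizeof(image_optional_header_64) == 240, "PE32+ optional header size");` (C11; otherwise a `sizeof` check at the first read site), with the analogous assertion for `image_optional_header_32`, whose definition starts outside this hunk. The union also deserves a one-line comment that `magic` sits at offset 0 in both members, so a reader can test `header_32.magic` against `IMAGE_NT_OPTIONAL_HDR32_MAGIC`/`IMAGE_NT_OPTIONAL_HDR64_MAGIC` before touching any variant-specific field.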
@@ -308,10 +393,37 @@ typedef struct _image_section_header
 /* --------------------------- IDENTIFICATION DE SYMBOLES --------------------------- */
+
 /**
- * cf. http://msdn.microsoft.com/en-us/library/ms809762.aspx
- * http://sandsprite.com/CodeStuff/Understanding_imports.html
- * http://olance.developpez.com/articles/windows/pe-iczelion/import-table/
+ * https://docs.microsoft.com/en-us/previous-versions/ms809762(v=msdn.10)?redirectedfrom=MSDN#pe-file-exports
+ * https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-edata-section-image-only
+ */
+
+/* Répertoire des importations */
+typedef struct _image_export_directory
+{
+ uint32_t characteristics; /* Zéro !? */
+ uint32_t time_date_stamp; /* Date de création du fichier */
+ uint16_t major_version; /* Numéro majeur de version */
+ uint16_t minor_version; /* Numéro lineur de version */
+ uint32_t name; /* RVA du nom de la DLL visée */
+ uint32_t base; /* Départ des ordinaux listés */
+ uint32_t number_of_functions; /* Taille de liste de fonctions*/
+ uint32_t number_of_names; /* Taille de liste de noms */
+ uint32_t address_of_functions; /* Liste de RVA de fonctions */
+ uint32_t address_of_names; /* Liste de RVA de noms */
+ uint32_t address_of_name_ordinals; /* Liste de RVA d'ordinaux */
+
+} image_export_directory;
+
+
+/**
+ * http://msdn.microsoft.com/en-us/library/ms809762.aspx
+ * http://sandsprite.com/CodeStuff/Understanding_imports.html
+ * http://olance.developpez.com/articles/windows/pe-iczelion/import-table/
+ *
+ * https://docs.microsoft.com/en-us/previous-versions/ms809762(v=msdn.10)?redirectedfrom=MSDN#pe-file-imports
+ * https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-idata-section
  */
 /* Point de départ de la chaîne des importations */
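Review bot: The heading above the new struct says `/* Répertoire des importations */`, but the struct is `image_export_directory` (the `.edata` directory the cited pages describe), so it should read `/* Répertoire des exportations */`. The comment on `address_of_name_ordinals` (`Liste de RVA d'ordinaux`) is also misleading: that field is the RVA of a table of 16-bit indexes into the function table, not a list of RVAs — suggest `/* RVA de la table d'ordinaux (uint16_t) */`. Since `number_of_functions`, `number_of_names` and the three `address_of_*` RVAs come straight from the file, a short note that consumers must bound them against the image before walking the tables would help whoever writes the parser over this definition; `lineur` on `minor_version` is a typo for `mineur`.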
@@ -327,17 +439,4 @@ typedef struct _image_import_descriptor
-
-/* Désignation de fonction importée */
-typedef struct _image_import_by_name
-{
- uint16_t hint;
- char *name;
-
-} image_import_by_name;
-
-
-
-
-
-#endif /* _FORMAT_PE_PE_DEF_H */
+#endif /* _PLUGINS_PE_PE_DEF_H */ |