diff options
author | Cyrille Bagard <nocbos@gmail.com> | 2009-01-29 21:08:53 (GMT) |
---|---|---|
committer | Cyrille Bagard <nocbos@gmail.com> | 2009-01-29 21:08:53 (GMT) |
commit | 14abff97c2ba0940c2dcf2e37eb080ebdb923c6f (patch) | |
tree | 60f9bc40853754d126bb0d547fbf8d5c00146012 /src | |
parent | 21493170bb188ad9548820c830c3e8d7055e3f46 (diff) |
Begun to support PE binaries.
git-svn-id: svn://svn.gna.org/svn/chrysalide/trunk@47 abbe820e-26c8-41b2-8c08-b7b2b41f8b0a
Diffstat (limited to 'src')
-rw-r--r-- | src/Makefile.am | 2 | ||||
-rw-r--r-- | src/binary.c | 4 | ||||
-rw-r--r-- | src/format/Makefile.am | 2 | ||||
-rwxr-xr-x | src/format/pe/Makefile.am | 15 | ||||
-rw-r--r-- | src/format/pe/e_pe.c | 138 | ||||
-rw-r--r-- | src/format/pe/e_pe.h | 47 | ||||
-rw-r--r-- | src/format/pe/pe-int.h | 118 |
7 files changed, 323 insertions, 3 deletions
diff --git a/src/Makefile.am b/src/Makefile.am index 5a0a565..8048f66 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -25,7 +25,7 @@ AM_CFLAGS = $(DEBUG_CFLAGS) $(WARNING_FLAGS) openida_LDFLAGS = $(LIBGTK_LIBS) -L/usr/X11R6/lib -ldl -lm $(LIBXML_LIBS) `pkg-config --libs gthread-2.0` -openida_LDADD = $(LIBINTL) arch/libarch.a arch/x86/libarchx86.a format/libformat.a format/dwarf/libformatdwarf.a format/elf/libformatelf.a format/java/libformatjava.a common/libcommon.a +openida_LDADD = $(LIBINTL) arch/libarch.a arch/x86/libarchx86.a format/libformat.a format/dwarf/libformatdwarf.a format/elf/libformatelf.a format/java/libformatjava.a format/pe/libformatpe.a common/libcommon.a SUBDIRS = arch common format diff --git a/src/binary.c b/src/binary.c index 6bfa551..df64a1a 100644 --- a/src/binary.c +++ b/src/binary.c @@ -44,6 +44,7 @@ #include "format/elf/e_elf.h" #include "format/dwarf/d_dwarf.h" #include "format/java/e_java.h" +#include "format/pe/e_pe.h" #ifndef _ @@ -392,6 +393,7 @@ void fill_snippet(GtkSnippet *snippet, GtkWidget *panel, GtkWidget *panel2) register_exe_format(_("Java"), java_is_matching, load_java); + register_exe_format(_("Portable Executable"), pe_is_matching, load_pe); bin_data = map_binary_file("/tmp/hello", &length); @@ -407,7 +409,7 @@ void fill_snippet(GtkSnippet *snippet, GtkWidget *panel, GtkWidget *panel2) printf(" --> ok ? %p\n", format); - exit(0); + //exit(0); return; diff --git a/src/format/Makefile.am b/src/format/Makefile.am index 6f49822..67b3737 100644 --- a/src/format/Makefile.am +++ b/src/format/Makefile.am @@ -16,4 +16,4 @@ AM_CPPFLAGS = AM_CFLAGS = $(DEBUG_CFLAGS) $(WARNING_FLAGS) -SUBDIRS = dwarf elf java +SUBDIRS = dwarf elf java pe diff --git a/src/format/pe/Makefile.am b/src/format/pe/Makefile.am new file mode 100755 index 0000000..853e3f5 --- /dev/null +++ b/src/format/pe/Makefile.am @@ -0,0 +1,15 @@ + +lib_LIBRARIES = libformatpe.a + +libformatpe_a_SOURCES = \ + e_pe.h e_pe.c \ + pe-int.h + +libformatpe_a_CFLAGS = $(AM_CFLAGS) + + +INCLUDES = + +AM_CPPFLAGS = + +AM_CFLAGS = $(DEBUG_CFLAGS) $(WARNING_FLAGS) diff --git a/src/format/pe/e_pe.c b/src/format/pe/e_pe.c new file mode 100644 index 0000000..a10f075 --- /dev/null +++ b/src/format/pe/e_pe.c @@ -0,0 +1,138 @@ + +/* OpenIDA - Outil d'analyse de fichiers binaires + * e_pe.c - support du format Portable Executable + * + * Copyright (C) 2008 Cyrille Bagard + * + * This file is part of OpenIDA. + * + * OpenIDA is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * OpenIDA is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#include "e_pe.h" + + +#include <malloc.h> +#include <string.h> + + +#include "pe-int.h" + + + +/****************************************************************************** +* * +* Paramètres : content = contenu binaire à parcourir. * +* length = taille du contenu en question. * +* * +* Description : Indique si le format peut être pris en charge ici. * +* * +* Retour : true si la réponse est positive, false sinon. * +* * +* Remarques : - * +* * +******************************************************************************/ + +bool pe_is_matching(const uint8_t *content, off_t length) +{ + bool result; /* Bilan à faire connaître */ + image_dos_header dos_header; /* En-tête DOS */ + + result = false; + + if (length >= 2) + { + result = (strncmp((const char *)content, "\x4d\x5a" /* MZ */, 2) == 0); + result &= length >= sizeof(image_dos_header); + } + + if (result) + { + memcpy(&dos_header, content, sizeof(image_dos_header)); + + result = length >= (dos_header.e_lfanew + 4); + + result &= (strncmp((const char *)&content[dos_header.e_lfanew], + "\x50\x45\x00\x00" /* PE00 */, 4) == 0); + + } + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : content = contenu binaire à parcourir. * +* length = taille du contenu en question. * +* * +* Description : Prend en charge une nouvelle classe PE. * +* * +* Retour : Adresse de la structure mise en place ou NULL en cas d'échec.* +* * +* Remarques : - * +* * +******************************************************************************/ + +exe_format *load_pe(const uint8_t *content, off_t length) +{ + pe_format *result; /* Adresse à retourner */ + off_t pos; /* Point d'analyse */ + + result = (pe_format *)calloc(1, sizeof(pe_format)); + + EXE_FORMAT(result)->content = content; + EXE_FORMAT(result)->length = length; + + pos = 0; + + + + + + + return EXE_FORMAT(result); + + ldp_error: + + unload_pe(result); + + return NULL; + +} + + +/****************************************************************************** +* * +* Paramètres : format = description de l'exécutable à supprimer. * +* * +* Description : Efface la prise en charge une nouvelle classe PE. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +void unload_pe(pe_format *format) +{ + + + + + free(format); + +} diff --git a/src/format/pe/e_pe.h b/src/format/pe/e_pe.h new file mode 100644 index 0000000..54820e2 --- /dev/null +++ b/src/format/pe/e_pe.h @@ -0,0 +1,47 @@ + +/* OpenIDA - Outil d'analyse de fichiers binaires + * e_pe.h - prototypes pour le support du format Portable Executable + * + * Copyright (C) 2008 Cyrille Bagard + * + * This file is part of OpenIDA. + * + * OpenIDA is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * OpenIDA is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#ifndef _FORMAT_PE_E_PE_H +#define _FORMAT_PE_E_PE_H + + +#include "../exe_format.h" + + + +/* Description du format Pe */ +typedef struct _pe_format pe_format; + + +/* Indique si le format peut être pris en charge ici. */ +bool pe_is_matching(const uint8_t *, off_t); + +/* Prend en charge une nouvelle classe PE. */ +exe_format *load_pe(const uint8_t *, off_t); + +/* Efface la prise en charge une nouvelle classe PE. */ +void unload_pe(pe_format *); + + + +#endif /* _FORMAT_PE_E_PE_H */ diff --git a/src/format/pe/pe-int.h b/src/format/pe/pe-int.h new file mode 100644 index 0000000..8b18055 --- /dev/null +++ b/src/format/pe/pe-int.h @@ -0,0 +1,118 @@ + +/* OpenIDA - Outil d'analyse de fichiers binaires + * pe-int.h - prototypes pour les structures internes du format Portable Executable + * + * Copyright (C) 2008 Cyrille Bagard + * + * This file is part of OpenIDA. + * + * OpenIDA is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * OpenIDA is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see <http://www.gnu.org/licenses/>. + */ + + +#ifndef _FORMAT_PE_E_PE_INT_H +#define _FORMAT_PE_E_PE_INT_H + + +#include "../exe_format-int.h" + + + + + + + + + + + + + + +/* ---------------------------- DESCRIPTION DU FORMAT PE ---------------------------- */ + + +/* En-tête DOS */ +typedef struct _image_dos_header +{ + uint16_t e_magic; /* Numéro magique */ + uint16_t e_cblp; /* Octets de la dernière page */ + uint16_t e_cp; /* Pages dans le fichier */ + uint16_t e_crlc; /* Relocalisations */ + uint16_t e_cparhdr; /* Taille en paragraphes */ + uint16_t e_minalloc; /* Nb min de paragraphes requis*/ + uint16_t e_maxalloc; /* Nb max de paragraphes requis*/ + uint16_t e_ss; /* Valeur (relative) SS init. */ + uint16_t e_sp; /* Valeur SP initiale */ + uint16_t e_csum; /* Empreinte */ + uint16_t e_ip; /* Valeur IP initiale */ + uint16_t e_cs; /* Valeur (relative) CS init. */ + uint16_t e_lfarlc; /* Position de table de reloc. */ + uint16_t e_ovno; /* Nombre d'overlay */ + uint16_t e_res[4]; /* Mots réservés */ + uint16_t e_oemid; /* Identifiant OEM */ + uint16_t e_oeminfo; /* Infos OEM pour e_oemid */ + uint16_t e_res2[10]; /* Mots réservés */ + uint32_t e_lfanew; /* Décallage de bonne en-tête */ + +} image_dos_header; + +/* Archtecture supportées */ +#define IMAGE_FILE_MACHINE_I386 0x014c /* x86 */ +#define IMAGE_FILE_MACHINE_IA64 0x0200 /* Intel IPF */ +#define IMAGE_FILE_MACHINE_AMD64 0x8664 /* x64 */ + +/* Caractéristiques de l'image */ +#define IMAGE_FILE_RELOCS_STRIPPED 0x0001 /* Pas de relocalisation */ +#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 /* Fichier exécutable */ +#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 /* Pas de ligne COFF */ +#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 /* Pas de table de symboles COFF */ +#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 /* Aggressively trim the working set. This value is obsolete as of Windows 2000. */ +#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 /* Adressage > 2 Go */ +#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 /* Octets inv. ; obsolète */ +#define IMAGE_FILE_32BIT_MACHINE 0x0100 /* Machine 32 bits */ +#define IMAGE_FILE_DEBUG_STRIPPED 0x0200 /* Pas d'infos de débogage */ +#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 /* ...support amovible */ +#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 /* Ficher issu du réseau */ +#define IMAGE_FILE_SYSTEM 0x1000 /* Fichier système */ +#define IMAGE_FILE_DLL 0x2000 /* Fichier DLL */ +#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 /* Mono-proc. seulement */ +#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 /* Octets inv. ; obsolète */ + +/* Première en-tête du "vrai" format */ +typedef struct _image_file_header +{ + uint16_t machine; /* Type de machine visée */ + uint16_t number_of_sections; /* Nombre de sections */ + uint32_t time_date_stamp; /* Date de la liaison */ + uint32_t pointer_to_symbol_table; /* Position de ladite table */ + uint32_t number_of_symbols; /* Nombre de symboles */ + uint16_t size_of_optional_header; /* Taille de l'en-tête n°2 */ + uint16_t characteristics; /* Propriétés de l'image */ + +} image_file_header; + + +/* Description du format Portable Executable */ +struct _pe_format +{ + + int a; + + +}; + + + +#endif /* _FORMAT_PE_E_PE_INT_H */ |