diff options
Diffstat (limited to 'plugins/pe/format-int.c')
-rw-r--r-- | plugins/pe/format-int.c | 421 |
1 files changed, 421 insertions, 0 deletions
diff --git a/plugins/pe/format-int.c b/plugins/pe/format-int.c new file mode 100644 index 0000000..2d1e6c8 --- /dev/null +++ b/plugins/pe/format-int.c @@ -0,0 +1,421 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * format-int.c - structures internes du format Portable Executable + * + * Copyright (C) 2010-2017 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Chrysalide. If not, see <http://www.gnu.org/licenses/>. + */ + + +#include "format-int.h" + + +#include <malloc.h> +#include <string.h> + +#include <i18n.h> +#include <common/datatypes.h> +#include <core/logs.h> + + + +/****************************************************************************** +* * +* Paramètres : format = informations chargées à consulter. * +* header = structure lue à retourner. [OUT] * +* * +* Description : Procède à la lecture d'un en-tête de programme DOS. * +* * +* Retour : Bilan de l'opération. * +* * +* Remarques : - * +* * +******************************************************************************/ + +bool read_dos_image_header(const GPeFormat *format, image_dos_header_t *header) +{ + bool result; /* Bilan à retourner */ + const GBinContent *content; /* Contenu binaire à lire */ + vmpa2t pos; /* Position de lecture */ + size_t i; /* Boucle de parcours */ + + result = true; + + content = G_KNOWN_FORMAT(format)->content; + + init_vmpa(&pos, 0, VMPA_NO_VIRTUAL); + + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_magic); + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_cblp); + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_cp); + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_crlc); + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_cparhdr); + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_minalloc); + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_maxalloc); + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_ss); + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_sp); + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_csum); + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_ip); + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_cs); + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_lfarlc); + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_ovno); + + for (i = 0; i < 4 && result; i++) + result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_res[i]); + + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_oemid); + if (result) result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_oeminfo); + + for (i = 0; i < 10 && result; i++) + result = g_binary_content_read_u16(content, &pos, SRE_LITTLE, &header->e_res2[i]); + + if (result) result = g_binary_content_read_u32(content, &pos, SRE_LITTLE, &header->e_lfanew); + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : format = informations chargées à consulter. * +* pos = position de début de lecture. [OUT] * +* header = structure lue à retourner. [OUT] * +* * +* Description : Procède à la lecture d'un en-tête de programme PE (1). * +* * +* Retour : Bilan de l'opération. * +* * +* Remarques : - * +* * +******************************************************************************/ + +bool read_pe_file_header(const GPeFormat *format, vmpa2t *pos, image_file_header_t *header) +{ + bool result; /* Bilan à retourner */ + const GBinContent *content; /* Contenu binaire à lire */ + + result = true; + + content = G_KNOWN_FORMAT(format)->content; + + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &header->machine); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &header->number_of_sections); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &header->time_date_stamp); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &header->pointer_to_symbol_table); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &header->number_of_symbols); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &header->size_of_optional_header); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &header->characteristics); + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : format = informations chargées à consulter. * +* pos = position de début de lecture. [OUT] * +* header = structure lue à retourner. [OUT] * +* * +* Description : Procède à la lecture d'un en-tête de programme PE (2). * +* * +* Retour : Bilan de l'opération. * +* * +* Remarques : - * +* * +******************************************************************************/ + +bool read_pe_optional_header(const GPeFormat *format, vmpa2t *pos, image_optional_header_t *header) +{ + bool result; /* Bilan à retourner */ + const GBinContent *content; /* Contenu binaire à lire */ + image_optional_header_32_t *hdr32; /* Version 32 bits */ + image_optional_header_64_t *hdr64; /* Version 64 bits */ + image_data_directory_t *directories; /* Répertoires à charger */ + uint32_t *number_of_rva_and_sizes; /* Quantité de ces répertoires */ + uint32_t i; /* Boucle de parcours */ + + content = G_KNOWN_FORMAT(format)->content; + + result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &header->header_32.magic); + if (!result) goto exit; + + ((GPeFormat *)format)->loaded = true; + + if (g_pe_format_get_is_32b(format)) + { + hdr32 = &header->header_32; + + if (result) result = g_binary_content_read_u8(content, pos, &hdr32->major_linker_version); + if (result) result = g_binary_content_read_u8(content, pos, &hdr32->minor_linker_version); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->size_of_code); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->size_of_initialized_data); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->size_of_uninitialized_data); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->address_of_entry_point); + + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->base_of_code); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->base_of_data); + + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->image_base); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->section_alignment); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->file_alignment); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr32->major_operating_system_version); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr32->minor_operating_system_version); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr32->major_image_version); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr32->minor_image_version); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr32->major_subsystem_version); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr32->minor_subsystem_version); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->win32_version_value); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->size_of_image); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->size_of_headers); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->checksum); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr32->subsystem); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr32->dll_characteristics); + + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->size_of_stack_reserve); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->size_of_stack_commit); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->size_of_heap_reserve); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->size_of_heap_commit); + + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->loader_flags); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr32->number_of_rva_and_sizes); + + directories = hdr32->data_directory; + number_of_rva_and_sizes = &hdr32->number_of_rva_and_sizes; + + } + else + { + hdr64 = &header->header_64; + + if (result) result = g_binary_content_read_u8(content, pos, &hdr64->major_linker_version); + if (result) result = g_binary_content_read_u8(content, pos, &hdr64->minor_linker_version); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr64->size_of_code); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr64->size_of_initialized_data); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr64->size_of_uninitialized_data); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr64->address_of_entry_point); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr64->base_of_code); + + if (result) result = g_binary_content_read_u64(content, pos, SRE_LITTLE, &hdr64->image_base); + + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr64->section_alignment); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr64->file_alignment); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr64->major_operating_system_version); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr64->minor_operating_system_version); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr64->major_image_version); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr64->minor_image_version); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr64->major_subsystem_version); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr64->minor_subsystem_version); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr64->win32_version_value); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr64->size_of_image); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr64->size_of_headers); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr64->checksum); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr64->subsystem); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &hdr64->dll_characteristics); + + if (result) result = g_binary_content_read_u64(content, pos, SRE_LITTLE, &hdr64->size_of_stack_reserve); + if (result) result = g_binary_content_read_u64(content, pos, SRE_LITTLE, &hdr64->size_of_stack_commit); + if (result) result = g_binary_content_read_u64(content, pos, SRE_LITTLE, &hdr64->size_of_heap_reserve); + if (result) result = g_binary_content_read_u64(content, pos, SRE_LITTLE, &hdr64->size_of_heap_commit); + + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr64->loader_flags); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &hdr64->number_of_rva_and_sizes); + + directories = hdr64->data_directory; + number_of_rva_and_sizes = &hdr64->number_of_rva_and_sizes; + + } + + if (result && *number_of_rva_and_sizes > IMAGE_NUMBEROF_DIRECTORY_ENTRIES) + { + log_variadic_message(LMT_BAD_BINARY, + _("Corrupted number of directories (%u); fixed!"), + *number_of_rva_and_sizes); + + *number_of_rva_and_sizes = IMAGE_NUMBEROF_DIRECTORY_ENTRIES; + + } + + for (i = 0; i < *number_of_rva_and_sizes && result; i++) + { + result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &directories[i].virtual_address); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &directories[i].size); + } + + exit: + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : format = informations chargées à consulter. * +* header = structure lue à retourner. [OUT] * +* next = position en fin de lecture. [OUT] * +* * +* Description : Procède à la lecture d'un en-tête de programme PE. * +* * +* Retour : Bilan de l'opération. * +* * +* Remarques : - * +* * +******************************************************************************/ + +bool read_pe_nt_header(const GPeFormat *format, image_nt_headers_t *header, vmpa2t *next) +{ + bool result; /* Bilan à retourner */ + const GBinContent *content; /* Contenu binaire à lire */ + vmpa2t pos; /* Position de lecture */ + + result = true; + + content = G_KNOWN_FORMAT(format)->content; + + init_vmpa(&pos, format->dos_header.e_lfanew, VMPA_NO_VIRTUAL); + + result = g_binary_content_read_u32(content, &pos, SRE_LITTLE, &header->signature); + + if (result) result = read_pe_file_header(format, &pos, &header->file_header); + + if (result) result = read_pe_optional_header(format, &pos, &header->optional_header); + + if (result) + copy_vmpa(next, &pos); + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : format = informations chargées à consulter. * +* pos = position de début de lecture. [OUT] * +* section = structure lue à retourner. [OUT] * +* * +* Description : Procède à la lecture d'un en-tête de section PE. * +* * +* Retour : Bilan de l'opération. * +* * +* Remarques : - * +* * +******************************************************************************/ + +bool read_pe_image_section_header(const GPeFormat *format, vmpa2t *pos, image_section_header_t *section) +{ + bool result; /* Bilan à retourner */ + const GBinContent *content; /* Contenu binaire à lire */ + size_t i; /* Boucle de parcours */ + + result = true; + + content = G_KNOWN_FORMAT(format)->content; + + for (i = 0; i < IMAGE_SIZEOF_SHORT_NAME && result; i++) + result = g_binary_content_read_u8(content, pos, (uint8_t *)§ion->name[i]); + + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, §ion->physical_address); + + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, §ion->virtual_address); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, §ion->size_of_raw_data); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, §ion->pointer_to_raw_data); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, §ion->pointer_to_relocations); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, §ion->pointer_to_line_numbers); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, §ion->number_of_relocations); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, §ion->number_of_line_numbers); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, §ion->characteristics); + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : format = informations chargées à consulter. * +* pos = position de début de lecture. [OUT] * +* dir = structure lue à retourner. [OUT] * +* * +* Description : Procède à la lecture d'un répertoire d'exportations. * +* * +* Retour : Bilan de l'opération. * +* * +* Remarques : - * +* * +******************************************************************************/ + +bool read_pe_image_export_directory(const GPeFormat *format, vmpa2t *pos, image_export_directory_t *dir) +{ + bool result; /* Bilan à retourner */ + const GBinContent *content; /* Contenu binaire à lire */ + + result = true; + + content = G_KNOWN_FORMAT(format)->content; + + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &dir->characteristics); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &dir->time_date_stamp); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &dir->major_version); + if (result) result = g_binary_content_read_u16(content, pos, SRE_LITTLE, &dir->minor_version); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &dir->name); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &dir->base); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &dir->number_of_functions); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &dir->number_of_names); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &dir->address_of_functions); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &dir->address_of_names); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &dir->address_of_name_ordinals); + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : format = informations chargées à consulter. * +* pos = position de début de lecture. [OUT] * +* desc = structure lue à retourner. [OUT] * +* * +* Description : Procède à la lecture d'un répertoire de programme PE. * +* * +* Retour : Bilan de l'opération. * +* * +* Remarques : - * +* * +******************************************************************************/ + +bool read_pe_image_import_descriptor(const GPeFormat *format, vmpa2t *pos, image_import_descriptor_t *desc) +{ + bool result; /* Bilan à retourner */ + const GBinContent *content; /* Contenu binaire à lire */ + + result = true; + + content = G_KNOWN_FORMAT(format)->content; + + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &desc->original_first_thunk); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &desc->time_date_stamp); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &desc->forwarder_chain); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &desc->module_name); + if (result) result = g_binary_content_read_u32(content, pos, SRE_LITTLE, &desc->first_thunk); + + return result; + +} |