Diffstat (limited to 'src/format/pe/pe-int.c')
-rw-r--r--src/format/pe/pe-int.c359
1 files changed, 359 insertions, 0 deletions
diff --git a/src/format/pe/pe-int.c b/src/format/pe/pe-int.c
new file mode 100644
index 0000000..0ce1577
--- /dev/null
+++ b/src/format/pe/pe-int.c
@@ -0,0 +1,359 @@
+
+/* Chrysalide - Outil d'analyse de fichiers binaires
+ * pe-int.c - structures internes du format Portable Executable
+ *
+ * Copyright (C) 2010-2017 Cyrille Bagard
+ *
+ * This file is part of Chrysalide.
+ *
+ * Chrysalide is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Chrysalide is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Chrysalide. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+
+#include "pe-int.h"
+
+
+#include <malloc.h>
+#include <string.h>
+
+
+#include "../../common/endianness.h"
+
+
+
+/******************************************************************************
+* *
+* Paramètres : format = informations chargées à consulter. *
+* pos = position de début de lecture. [OUT] *
+* header = structure lue à retourner. [OUT] *
+* *
+* Description : Procède à la lecture d'une en-tête de programme DOS. *
+* *
+* Retour : Bilan de l'opération. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+bool read_dos_image_header(const GPeFormat *format, off_t *pos, image_dos_header *header)
+{
+ bool result; /* Bilan à retourner */
+ const bin_t *content; /* Contenu binaire à lire */
+ off_t length; /* Taille totale du contenu */
+ size_t i; /* Boucle de parcours */
+
+ content = NULL; //G_BIN_FORMAT(format)->content;
+ length = 0; //G_BIN_FORMAT(format)->length;
+
+ result = read_u16(&header->e_magic, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->e_cblp, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->e_cp, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->e_crlc, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->e_cparhdr, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->e_minalloc, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->e_maxalloc, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->e_ss, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->e_sp, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->e_csum, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->e_ip, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->e_cs, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->e_lfarlc, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->e_ovno, content, pos, length, SRE_LITTLE);
+
+ for (i = 0; i < 4 && result; i++)
+ result = read_u16(&header->e_res[i], content, pos, length, SRE_LITTLE);
+
+ result &= read_u16(&header->e_oemid, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->e_oeminfo, content, pos, length, SRE_LITTLE);
+
+ for (i = 0; i < 10 && result; i++)
+ result = read_u16(&header->e_res2[i], content, pos, length, SRE_LITTLE);
+
+ result &= read_u32(&header->e_lfanew, content, pos, length, SRE_LITTLE);
+
+ return result;
+
+}
+
+
+/******************************************************************************
+* *
+* Paramètres : format = informations chargées à consulter. *
+* pos = position de début de lecture. [OUT] *
+* header = structure lue à retourner. [OUT] *
+* *
+* Description : Procède à la lecture d'une en-tête de programme PE (1). *
+* *
+* Retour : Bilan de l'opération. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+bool read_pe_file_header(const GPeFormat *format, off_t *pos, image_file_header *header)
+{
+ bool result; /* Bilan à retourner */
+ const bin_t *content; /* Contenu binaire à lire */
+ off_t length; /* Taille totale du contenu */
+
+ content = NULL; //G_BIN_FORMAT(format)->content;
+ length = 0; //G_BIN_FORMAT(format)->length;
+
+ result = read_u16(&header->machine, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->number_of_sections, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->time_date_stamp, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->pointer_to_symbol_table, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->number_of_symbols, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->size_of_optional_header, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->characteristics, content, pos, length, SRE_LITTLE);
+
+ return result;
+
+}
+
+
+/******************************************************************************
+* *
+* Paramètres : format = informations chargées à consulter. *
+* pos = position de début de lecture. [OUT] *
+* header = structure lue à retourner. [OUT] *
+* *
+* Description : Procède à la lecture d'une en-tête de programme PE (2). *
+* *
+* Retour : Bilan de l'opération. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+bool read_pe_optional_header(const GPeFormat *format, off_t *pos, image_optional_header *header)
+{
+ bool result; /* Bilan à retourner */
+ const bin_t *content; /* Contenu binaire à lire */
+ off_t length; /* Taille totale du contenu */
+ uint32_t i; /* Boucle de parcours */
+
+ content = NULL; //G_BIN_FORMAT(format)->content;
+ length = 0; //G_BIN_FORMAT(format)->length;
+
+ result = read_u16(&header->magic, content, pos, length, SRE_LITTLE);
+ result &= read_u8(&header->major_linker_version, content, pos, length);
+ result &= read_u8(&header->minor_linker_version, content, pos, length);
+ result &= read_u32(&header->size_of_code, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->size_of_initialized_data, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->size_of_uninitialized_data, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->address_of_entry_point, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->base_of_code, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->base_of_data, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->image_base, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->section_alignment, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->file_alignment, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->major_operating_system_version, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->minor_operating_system_version, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->major_image_version, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->minor_image_version, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->major_subsystem_version, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->minor_subsystem_version, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->win32_version_value, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->size_of_image, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->size_of_headers, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->checksum, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->subsystem, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&header->dll_characteristics, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->size_of_stack_reserve, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->size_of_stack_commit, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->size_of_heap_reserve, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->size_of_heap_commit, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->loader_flags, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->number_of_rva_and_sizes, content, pos, length, SRE_LITTLE);
+
+ for (i = 0; i < header->number_of_rva_and_sizes && result; i++)
+ {
+ result = read_u32(&header->data_directory[i].virtual_address, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&header->data_directory[i].size, content, pos, length, SRE_LITTLE);
+ }
+
+ return result;
+
+}
+
+
+/******************************************************************************
+* *
+* Paramètres : format = informations chargées à consulter. *
+* pos = position de début de lecture. [OUT] *
+* header = structure lue à retourner. [OUT] *
+* *
+* Description : Procède à la lecture d'une en-tête de programme PE. *
+* *
+* Retour : Bilan de l'opération. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+bool read_pe_nt_header(const GPeFormat *format, off_t *pos, image_nt_headers *header)
+{
+ bool result; /* Bilan à retourner */
+ const bin_t *content; /* Contenu binaire à lire */
+ off_t length; /* Taille totale du contenu */
+
+ content = NULL; //G_BIN_FORMAT(format)->content;
+ length = 0; //G_BIN_FORMAT(format)->length;
+
+ result = read_u32(&header->signature, content, pos, length, SRE_LITTLE);
+
+ result &= read_pe_file_header(format, pos, &header->file_header);
+ result &= read_pe_optional_header(format, pos, &header->optional_header);
+
+ return result;
+
+}
+
+
+/******************************************************************************
+* *
+* Paramètres : format = informations chargées à consulter. *
+* pos = position de début de lecture. [OUT] *
+* section = structure lue à retourner. [OUT] *
+* *
+* Description : Procède à la lecture d'une en-tête de section PE. *
+* *
+* Retour : Bilan de l'opération. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+bool read_pe_image_section_header(const GPeFormat *format, off_t *pos, image_section_header *section)
+{
+ bool result; /* Bilan à retourner */
+ const bin_t *content; /* Contenu binaire à lire */
+ off_t length; /* Taille totale du contenu */
+ size_t i; /* Boucle de parcours */
+
+ content = NULL; //G_BIN_FORMAT(format)->content;
+ length = 0; //G_BIN_FORMAT(format)->length;
+
+ result = true;
+
+ for (i = 0; i < IMAGE_SIZEOF_SHORT_NAME && result; i++)
+ result = read_u8((uint8_t *)&section->name[i], content, pos, length);
+
+ result &= read_u32(&section->misc.physical_address, content, pos, length, SRE_LITTLE);
+
+ result &= read_u32(&section->virtual_address, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&section->size_of_raw_data, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&section->pointer_to_raw_data, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&section->pointer_to_relocations, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&section->pointer_to_line_numbers, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&section->number_of_relocations, content, pos, length, SRE_LITTLE);
+ result &= read_u16(&section->number_of_line_numbers, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&section->characteristics, content, pos, length, SRE_LITTLE);
+
+ return result;
+
+}
+
+
+/******************************************************************************
+* *
+* Paramètres : format = informations chargées à consulter. *
+* pos = position de début de lecture. [OUT] *
+* desc = structure lue à retourner. [OUT] *
+* *
+* Description : Procède à la lecture d'un répertoire de programme PE. *
+* *
+* Retour : Bilan de l'opération. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+bool read_pe_image_import_descriptor(const GPeFormat *format, off_t *pos, image_import_descriptor *desc)
+{
+ bool result; /* Bilan à retourner */
+ const bin_t *content; /* Contenu binaire à lire */
+ off_t length; /* Taille totale du contenu */
+
+ content = NULL; //G_BIN_FORMAT(format)->content;
+ length = 0; //G_BIN_FORMAT(format)->length;
+
+ result = read_u32(&desc->original_first_thunk, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&desc->time_date_stamp, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&desc->forwarder_chain, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&desc->module_name, content, pos, length, SRE_LITTLE);
+ result &= read_u32(&desc->first_thunk, content, pos, length, SRE_LITTLE);
+
+ return result;
+
+}
+
+
+/******************************************************************************
+* *
+* Paramètres : format = informations chargées à consulter. *
+* pos = position de début de lecture. [OUT] *
+* import = structure lue à retourner. [OUT] *
+* *
+* Description : Procède à la lecture d'une fonction importée par son nom. *
+* *
+* Retour : Bilan de l'opération. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+bool read_pe_image_import_by_name(const GPeFormat *format, off_t *pos, image_import_by_name *import)
+{
+ bool result; /* Bilan à retourner */
+ const bin_t *content; /* Contenu binaire à lire */
+ off_t length; /* Taille totale du contenu */
+ uint32_t link; /* Lien vers la prochaine zone */
+ off_t new_pos; /* Nouvelle tête de lecture */
+ size_t i; /* Boucle de parcours */
+
+ content = NULL; //G_BIN_FORMAT(format)->content;
+ length = 0; //G_BIN_FORMAT(format)->length;
+
+ result = read_u32(&link, content, pos, length, SRE_LITTLE);
+
+ if (link == 0)
+ memset(import, 0, sizeof(image_import_by_name));
+
+ else if (link % 2 == 0)
+ {
+ new_pos = link;
+
+ result = read_u16(&import->hint, content, &new_pos, length, SRE_LITTLE);
+
+ import->name = (char *)calloc(1, sizeof(char));
+
+ for (i = 0; result; i++)
+ {
+ result = read_u8((uint8_t *)&import->name[i], content, &new_pos, length);
+
+ if (import->name[i] == '\0')
+ break;
+
+ import->name = (char *)realloc(import->name, (i + 2) * sizeof(char));
+
+ }
+
+ }
+ else /* TODO */;
+
+ return result;
+
+}
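Review bot: In read_pe_optional_header the loop `for (i = 0; i < header->number_of_rva_and_sizes && result; i++)` indexes `header->data_directory[i]` with a count taken straight from the file, so a header that declares more entries than the array holds would write past its end. The array is declared in pe-int.h, which is not visible here; assuming it is a fixed-size array, the count should be rejected before the loop, e.g. `if (result && header->number_of_rva_and_sizes > sizeof(header->data_directory) / sizeof(header->data_directory[0])) result = false;`. In read_pe_image_import_by_name, `link` is tested without checking the `result` of the preceding read_u32, `import->name[i]` is compared with '\0' even when read_u8 failed, and the calloc/realloc results are used unchecked, with `import->name = realloc(import->name, ...)` losing the buffer on failure. That loop should break on `!result` and assign realloc's return value through a temporary, and the odd-`link` branch (`else /* TODO */;`) should at least clear `import`, as the zero case does. Every reader also sets `content = NULL; length = 0;` with the real accessors commented out, so a comment should state that these functions cannot succeed until those are restored (assuming read_u8/read_u16/read_u32 refuse reads beyond `length`).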