/* Chrysalide - Outil d'analyse de fichiers binaires * format.c - équivalent Python du fichier "plugins/pe/format.c" * * Copyright (C) 2017-2019 Cyrille Bagard * * This file is part of Chrysalide. * * Chrysalide is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * Chrysalide is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "format.h" #include #include #include #include #include //#include "constants.h" #include "translate.h" #include "../pe-int.h" //#include "../rich.h" /* ------------------------ GLUE POUR CREATION DEPUIS PYTHON ------------------------ */ CREATE_DYN_CONSTRUCTOR(pe_format, G_TYPE_PE_FORMAT); /* Initialise une instance sur la base du dérivé de GObject. */ static int py_pe_format_init(PyObject *, PyObject *, PyObject *); /* ------------------------------ DEFINITION DE FORMAT ------------------------------ */ /* Présente l'en-tête MS-DOS du format chargé. */ static PyObject *py_pe_format_get_dos_header(PyObject *, void *); /* Présente l'en-tête NT du format chargé. */ static PyObject *py_pe_format_get_nt_headers(PyObject *, void *); /* Offre un raccourci vers les répertoires du format PE. */ static PyObject *py_pe_format_get_directories(PyObject *, void *); /* Offre un raccourci vers les sections du format PE. */ static PyObject *py_pe_format_get_sections(PyObject *, void *); /* Présente l'en-tête enrichi du format chargé. */ static PyObject *py_pe_format_get_rich_header(PyObject *, void *); /* Présente l'empreinte d'un en-tête enrichi du format chargé. */ static PyObject *py_pe_format_get_rich_header_checksum(PyObject *, void *); /* Présente les identifiants contenues dans l'en-tête enrichi. */ static PyObject *py_pe_format_get_comp_ids(PyObject *, void *); /* ---------------------------------------------------------------------------------- */ /* GLUE POUR CREATION DEPUIS PYTHON */ /* ---------------------------------------------------------------------------------- */ /****************************************************************************** * * * Paramètres : self = objet à initialiser (théoriquement). * * args = arguments fournis à l'appel. * * kwds = arguments de type key=val fournis. * * * * Description : Initialise une instance sur la base du dérivé de GObject. * * * * Retour : 0. * * * * Remarques : - * * * ******************************************************************************/ static int py_pe_format_init(PyObject *self, PyObject *args, PyObject *kwds) { GBinContent *content; /* Instance GLib du contenu */ int ret; /* Bilan de lecture des args. */ GPeFormat *format; /* Création GLib à transmettre */ #define PE_FORMAT_DOC \ "The PeFormat class handles executables with a Portable Executable" \ " structure.\n" \ "\n" \ "Instances can be created using the following constructor:\n" \ "\n" \ " PeFormat(content)" \ "\n" \ "Where content points to data as a pychrysalide.analysis.BinContent" \ " instance." /* Récupération des paramètres */ ret = PyArg_ParseTuple(args, "O&", convert_to_binary_content, &content); if (!ret) return -1; /* Initialisation d'un objet GLib */ ret = forward_pygobjet_init(self); if (ret == -1) return -1; /* Eléments de base */ format = G_PE_FORMAT(pygobject_get(self)); if (!g_pe_format_create(format, content)) return -1; return 0; } /* ---------------------------------------------------------------------------------- */ /* DEFINITION DE FORMAT */ /* ---------------------------------------------------------------------------------- */ /****************************************************************************** * * * Paramètres : self = format en place à consulter. * * closure = non utilisé ici. * * * * Description : Présente l'en-tête MS-DOS du format chargé. * * * * Retour : Structure Python créée pour l'occasion. * * * * Remarques : - * * * ******************************************************************************/ static PyObject *py_pe_format_get_dos_header(PyObject *self, void *closure) { PyObject *result; /* Trouvaille à retourner */ GPeFormat *format; /* Version GLib du format */ #define PE_FORMAT_DOS_HEADER_ATTRIB PYTHON_GET_DEF_FULL \ ( \ dos_header, py_pe_format, \ "MS-DOS header of the file format.\n" \ "\n" \ "This property is a pychrysalide.StructObject instance." \ "\n" \ "The provided information is composed of the following" \ " properties :\n" \ "* e_magic;\n" \ "* e_cblp;\n" \ "* e_cp;\n" \ "* e_crlc;\n" \ "* e_cparhdr;\n" \ "* e_minalloc;\n" \ "* e_maxalloc;\n" \ "* e_ss;\n" \ "* e_sp;\n" \ "* e_csum;\n" \ "* e_ip;\n" \ "* e_cs;\n" \ "* e_lfarlc;\n" \ "* e_ovno;\n" \ "* e_res;\n" \ "* e_oemid;\n" \ "* e_oeminfo;\n" \ "* e_res2;\n" \ "* e_lfanew." \ ) format = G_PE_FORMAT(pygobject_get(self)); result = translate_pe_dos_header_to_python(format, g_pe_format_get_dos_header(format)); return result; } /****************************************************************************** * * * Paramètres : self = format en place à consulter. * * closure = non utilisé ici. * * * * Description : Présente l'en-tête NT du format chargé. * * * * Retour : Structure Python créée pour l'occasion. * * * * Remarques : - * * * ******************************************************************************/ static PyObject *py_pe_format_get_nt_headers(PyObject *self, void *closure) { PyObject *result; /* Trouvaille à retourner */ GPeFormat *format; /* Version GLib du format */ #define PE_FORMAT_NT_HEADERS_ATTRIB PYTHON_GET_DEF_FULL \ ( \ nt_headers, py_pe_format, \ "NT headers of the file format.\n" \ "\n" \ "This property is a pychrysalide.StructObject instance." \ "\n" \ "The provided information is composed of the following" \ " properties :\n" \ "* signature;\n" \ "* file_header;\n" \ "* optional_header.\n" \ "\n" \ "The last two fields are pychrysalide.StructObject" \ " which contain more fields. These fields can be" \ " enumerated with the keys() method (for instance:" \ " *mype.nt_headers.file_header.keys()*).\n" \ ) format = G_PE_FORMAT(pygobject_get(self)); result = translate_pe_nt_headers_to_python(format, g_pe_format_get_nt_headers(format)); return result; } /****************************************************************************** * * * Paramètres : self = format en place à consulter. * * closure = non utilisé ici. * * * * Description : Offre un raccourci vers les répertoires du format PE. * * * * Retour : Structure Python créée pour l'occasion. * * * * Remarques : - * * * ******************************************************************************/ static PyObject *py_pe_format_get_directories(PyObject *self, void *closure) { PyObject *result; /* Trouvaille à retourner */ GPeFormat *format; /* Version GLib du format */ size_t count; /* Quantité de répertoires */ const image_data_directory_t *directories; /* Répertoires à exporter */ size_t i; /* Boucle de parcours */ PyObject *item; /* Elément de tableau */ int ret; /* Bilan d'une mise en place */ #define PE_FORMAT_DIRECTORIES_ATTRIB PYTHON_GET_DEF_FULL \ ( \ directories, py_pe_format, \ "Shortcut to the PE format directories.\n" \ "\n" \ "This property is a pychrysalide.StructObject instance and" \ " can also be access trough the" \ " *self.nt_headers.data_directory* attribute.\n" \ "\n" \ "Each returned item is composed of the following properties :\n"\ "\n" \ "* virtual_address;\n" \ "* size." \ ) format = G_PE_FORMAT(pygobject_get(self)); directories = g_pe_format_get_directories(format, &count); result = PyTuple_New(count); for (i = 0; i < count; i++) { item = translate_pe_image_data_directory_to_python(format, directories + i); ret = PyTuple_SetItem(result, i, item); if (ret != 0) { Py_DECREF(result); result = NULL; break; } } return result; } /****************************************************************************** * * * Paramètres : self = format en place à consulter. * * closure = non utilisé ici. * * * * Description : Offre un raccourci vers les sections du format PE. * * * * Retour : Structure Python créée pour l'occasion. * * * * Remarques : - * * * ******************************************************************************/ static PyObject *py_pe_format_get_sections(PyObject *self, void *closure) { PyObject *result; /* Trouvaille à retourner */ GPeFormat *format; /* Version GLib du format */ size_t count; /* Quantité de répertoires */ const image_section_header_t *sections; /* Sections à exporter */ size_t i; /* Boucle de parcours */ PyObject *item; /* Elément de tableau */ int ret; /* Bilan d'une mise en place */ #define PE_FORMAT_SECTIONS_ATTRIB PYTHON_GET_DEF_FULL \ ( \ sections, py_pe_format, \ "Shortcut to the definitions of all PE format sections.\n" \ "\n" \ "This property is a pychrysalide.StructObject instance.\n" \ "\n" \ "Each returned item is composed of the following properties :\n"\ "\n" \ "* name;\n" \ "* misc.virtual_size;\n" \ "* virtual_address;\n" \ "* size_of_raw_data;\n" \ "* pointer_to_raw_data;\n" \ "* pointer_to_relocations;\n" \ "* pointer_to_line_numbers;\n" \ "* number_of_relocations;\n" \ "* number_of_line_numbers;\n" \ "* characteristics." \ ) format = G_PE_FORMAT(pygobject_get(self)); sections = g_pe_format_get_sections(format, &count); result = PyTuple_New(count); for (i = 0; i < count; i++) { item = translate_pe_section_header_to_python(format, sections + i); ret = PyTuple_SetItem(result, i, item); if (ret != 0) { Py_DECREF(result); result = NULL; break; } } return result; } /****************************************************************************** * * * Paramètres : self = format en place à consulter. * * closure = non utilisé ici. * * * * Description : Présente l'en-tête enrichi du format chargé. * * * * Retour : Tableau de valeurs brutes d'information. * * * * Remarques : - * * * ******************************************************************************/ static PyObject *py_pe_format_get_rich_header(PyObject *self, void *closure) { PyObject *result; /* Trouvaille à retourner */ GPeFormat *format; /* Version GLib du format */ size_t count; /* Quantité de valeurs obtenues*/ uint64_t *values; /* Valeurs brutes à transcrire */ size_t i; /* Boucle de parcours */ #define PE_FORMAT_RICH_HEADER_ATTRIB PYTHON_GET_DEF_FULL \ ( \ rich_header, py_pe_format, \ "Raw values from the Rich header of the file format.\n" \ "\n" \ "This property is a tuple of 64-bit values or an empty" \ " tuple if no Rich header exists in the PE file." \ ) format = G_PE_FORMAT(pygobject_get(self)); values = g_pe_format_get_rich_header(format, &count); result = PyTuple_New(count); for (i = 0; i < count; i++) PyTuple_SetItem(result, i, PyLong_FromUnsignedLongLong(values[i])); if (values != NULL) free(values); return result; } /****************************************************************************** * * * Paramètres : self = format en place à consulter. * * closure = non utilisé ici. * * * * Description : Présente l'empreinte d'un en-tête enrichi du format chargé. * * * * Retour : Valeur de l'empreinte ou None en cas d'erreur. * * * * Remarques : - * * * ******************************************************************************/ static PyObject *py_pe_format_get_rich_header_checksum(PyObject *self, void *closure) { PyObject *result; /* Trouvaille à retourner */ GPeFormat *format; /* Version GLib du format */ uint32_t checksum; /* Valeur à transcrire */ bool status; /* Validité de cette valeur */ #define PE_FORMAT_RICH_HEADER_CHECKSUM_ATTRIB PYTHON_GET_DEF_FULL \ ( \ rich_header_checksum, py_pe_format, \ "Checksum used as XOR value for the Rich header of the file" \ " format.\n" \ "\n" \ "This property is a 32-bit integer value." \ ) format = G_PE_FORMAT(pygobject_get(self)); status = g_pe_format_get_rich_header_checksum(format, &checksum); if (status) result = PyLong_FromUnsignedLong(checksum); else { result = Py_None; Py_INCREF(result); } return result; } /****************************************************************************** * * * Paramètres : self = format en place à consulter. * * closure = non utilisé ici. * * * * Description : Présente les identifiants contenues dans l'en-tête enrichi. * * * * Retour : Tableau de valeurs raffinées d'information. * * * * Remarques : - * * * ******************************************************************************/ static PyObject *py_pe_format_get_comp_ids(PyObject *self, void *closure) { PyObject *result; /* Trouvaille à retourner */ GPeFormat *format; /* Version GLib du format */ size_t count; /* Quantité de valeurs obtenues*/ comp_id_t *ids; /* Valeurs raffinées à émettre */ size_t i; /* Boucle de parcours */ #define PE_FORMAT_COMP_IDS_ATTRIB PYTHON_GET_DEF_FULL \ ( \ comp_ids, py_pe_format, \ "Compiler identifiers carried by the Rich header of the file" \ " format.\n" \ "\n" \ "This property is a tuple of" \ " pychrysalide.StructObject items or an empty tuple if no" \ " information is found.\n" \ "\n" \ "Each item contains the the following properties :\n" \ "\n" \ "* minor_cv;\n" \ "* prod_id;\n" \ "* count." \ ) format = G_PE_FORMAT(pygobject_get(self)); ids = g_pe_format_get_comp_ids(format, &count); result = PyTuple_New(count); for (i = 0; i < count; i++) PyTuple_SetItem(result, i, translate_pe_comp_id_to_python(format, &ids[i])); if (ids != NULL) free(ids); return result; } /****************************************************************************** * * * Paramètres : - * * * * Description : Fournit un accès à une définition de type à diffuser. * * * * Retour : Définition d'objet pour Python. * * * * Remarques : - * * * ******************************************************************************/ PyTypeObject *get_python_pe_format_type(void) { static PyMethodDef py_pe_format_methods[] = { { NULL } }; static PyGetSetDef py_pe_format_getseters[] = { PE_FORMAT_DOS_HEADER_ATTRIB, PE_FORMAT_NT_HEADERS_ATTRIB, PE_FORMAT_DIRECTORIES_ATTRIB, PE_FORMAT_SECTIONS_ATTRIB, PE_FORMAT_RICH_HEADER_ATTRIB, PE_FORMAT_RICH_HEADER_CHECKSUM_ATTRIB, PE_FORMAT_COMP_IDS_ATTRIB, { NULL } }; static PyTypeObject py_pe_format_type = { PyVarObject_HEAD_INIT(NULL, 0) .tp_name = "pychrysalide.format.pe.PeFormat", .tp_basicsize = sizeof(PyGObject), .tp_flags = Py_TPFLAGS_DEFAULT, .tp_doc = PE_FORMAT_DOC, .tp_methods = py_pe_format_methods, .tp_getset = py_pe_format_getseters, .tp_init = py_pe_format_init, .tp_new = py_pe_format_new, }; return &py_pe_format_type; } /****************************************************************************** * * * Paramètres : module = module dont la définition est à compléter. * * * * Description : Prend en charge l'objet 'pychrysalide.format.pe.PeFormat'. * * * * Retour : Bilan de l'opération. * * * * Remarques : - * * * ******************************************************************************/ bool register_python_pe_format(PyObject *module) { PyTypeObject *type; /* Type Python 'PeFormat' */ PyObject *dict; /* Dictionnaire du module */ type = get_python_pe_format_type(); dict = PyModule_GetDict(module); if (!ensure_python_executable_format_is_registered()) return false; if (!register_class_for_pygobject(dict, G_TYPE_PE_FORMAT, type)) return false; //if (!define_python_pe_format_constants(type)) // return false; return true; } /****************************************************************************** * * * Paramètres : arg = argument quelconque à tenter de convertir. * * dst = destination des valeurs récupérées en cas de succès. * * * * Description : Tente de convertir en format PE. * * * * Retour : Bilan de l'opération, voire indications supplémentaires. * * * * Remarques : - * * * ******************************************************************************/ int convert_to_pe_format(PyObject *arg, void *dst) { int result; /* Bilan à retourner */ result = PyObject_IsInstance(arg, (PyObject *)get_python_pe_format_type()); switch (result) { case -1: /* L'exception est déjà fixée par Python */ result = 0; break; case 0: PyErr_SetString(PyExc_TypeError, "unable to convert the provided argument to PE format"); break; case 1: *((GPeFormat **)dst) = G_PE_FORMAT(pygobject_get(arg)); break; default: assert(false); break; } return result; }