pe.h File Reference

#include <rz_types.h>
#include <rz_util.h>
#include <rz_lib.h>
#include <rz_bin.h>
#include "pe_specs.h"
#include "dotnet.h"

Go to the source code of this file.

Classes
struct	rz_bin_pe_addr_t
struct	rz_bin_pe_section_t
struct	rz_bin_pe_import_t
struct	rz_bin_pe_export_t
struct	rz_bin_pe_string_t
struct	rz_bin_pe_lib_t
struct	_PE_RESOURCE
struct	SDebugInfo

Macros
#define	PE_READ_STRUCT_FIELD(var, struct_type, field, size)   var->field = rz_read_le##size(buf + offsetof(struct_type, field))
#define	RZ_BIN_PE_SCN_IS_SHAREABLE(x)   x &PE_IMAGE_SCN_MEM_SHARED
#define	RZ_BIN_PE_SCN_IS_EXECUTABLE(x)   x &PE_IMAGE_SCN_MEM_EXECUTE
#define	RZ_BIN_PE_SCN_IS_READABLE(x)   x &PE_IMAGE_SCN_MEM_READ
#define	RZ_BIN_PE_SCN_IS_WRITABLE(x)   x &PE_IMAGE_SCN_MEM_WRITE
#define	IMAGE_SCN_TYPE_NO_PAD   0x00000008
#define	IMAGE_SCN_CNT_CODE   0x00000020
#define	IMAGE_SCN_CNT_INITIALIZED_DATA   0x00000040
#define	IMAGE_SCN_CNT_UNINITIALIZED_DATA   0x00000080
#define	IMAGE_SCN_LNK_OTHER   0x00000100
#define	IMAGE_SCN_LNK_INFO   0x00000200
#define	IMAGE_SCN_LNK_REMOVE   0x00000800
#define	IMAGE_SCN_LNK_COMDAT   0x00001000
#define	IMAGE_SCN_GPREL   0x00008000
#define	IMAGE_SCN_MEM_PURGEABLE   0x00020000
#define	IMAGE_SCN_MEM_16BIT   0x00020000
#define	IMAGE_SCN_MEM_LOCKED   0x00040000
#define	IMAGE_SCN_MEM_PRELOAD   0x00080000
#define	IMAGE_SCN_ALIGN_1BYTES   0x00100000
#define	IMAGE_SCN_ALIGN_2BYTES   0x00200000
#define	IMAGE_SCN_ALIGN_4BYTES   0x00300000
#define	IMAGE_SCN_ALIGN_8BYTES   0x00400000
#define	IMAGE_SCN_ALIGN_16BYTES   0x00500000
#define	IMAGE_SCN_ALIGN_32BYTES   0x00600000
#define	IMAGE_SCN_ALIGN_64BYTES   0x00700000
#define	IMAGE_SCN_ALIGN_128BYTES   0x00800000
#define	IMAGE_SCN_ALIGN_256BYTES   0x00900000
#define	IMAGE_SCN_ALIGN_512BYTES   0x00A00000
#define	IMAGE_SCN_ALIGN_1024BYTES   0x00B00000
#define	IMAGE_SCN_ALIGN_2048BYTES   0x00C00000
#define	IMAGE_SCN_ALIGN_4096BYTES   0x00D00000
#define	IMAGE_SCN_ALIGN_8192BYTES   0x00E00000
#define	IMAGE_SCN_LNK_NRELOC_OVFL   0x01000000
#define	IMAGE_SCN_MEM_DISCARDABLE   0x02000000
#define	IMAGE_SCN_MEM_NOT_CACHED   0x04000000
#define	IMAGE_SCN_MEM_NOT_PAGED   0x08000000
#define	PE_SCN_ALIGN_MASK   0x00F00000
#define	GUIDSTR_LEN   41
#define	DBG_FILE_NAME_LEN   255
#define	RzBinPEObj   struct PE_(rz_bin_pe_obj_t)
#define	MAX_METADATA_STRING_LENGTH   256
#define	COFF_SYMBOL_SIZE   18
#define	PE_READ_STRUCT_FIELD(var, struct_type, field, size)   var->field = rz_read_le##size(buf + offsetof(struct_type, field))

Typedefs
typedef struct _PE_RESOURCE	rz_pe_resource
typedef struct SDebugInfo	SDebugInfo

Functions
struct	PE_ (rz_bin_pe_obj_t)
RZ_OWN RzList *PE_()	rz_bin_pe_get_clr_symbols (RzBinPEObj *bin)
ut64 PE_()	rz_bin_pe_get_clr_methoddef_offset (RzBinPEObj *bin, Pe_image_metadata_methoddef *methoddef)
int PE_()	bin_pe_init_clr (RzBinPEObj *bin)
int PE_()	rz_bin_pe_get_debug_data (RzBinPEObj *bin, SDebugInfo *res)
int PE_()	bin_pe_init_exports (RzBinPEObj *bin)
struct rz_bin_pe_export_t *PE_()	rz_bin_pe_get_exports (RzBinPEObj *bin)
int PE_()	bin_pe_init_hdr (RzBinPEObj *bin)
int PE_()	bin_pe_init_imports (RzBinPEObj *bin)
int PE_()	read_image_import_directory (RzBuffer *b, ut64 addr, PE_(image_import_directory) *import_dir)
int PE_()	read_image_delay_import_directory (RzBuffer *b, ut64 addr, PE_(image_delay_import_directory) *directory)
struct rz_bin_pe_import_t *PE_()	rz_bin_pe_get_imports (RzBinPEObj *bin)
char *PE_()	rz_bin_pe_get_arch (RzBinPEObj *bin)
char *PE_()	rz_bin_pe_get_cc (RzBinPEObj *bin)
char *PE_()	rz_bin_pe_get_machine (RzBinPEObj *bin)
char *PE_()	rz_bin_pe_get_os (RzBinPEObj *bin)
char *PE_()	rz_bin_pe_get_class (RzBinPEObj *bin)
int PE_()	rz_bin_pe_get_bits (RzBinPEObj *bin)
char *PE_()	rz_bin_pe_get_subsystem (RzBinPEObj *bin)
int PE_()	rz_bin_pe_is_dll (RzBinPEObj *bin)
int PE_()	rz_bin_pe_is_big_endian (RzBinPEObj *bin)
int PE_()	rz_bin_pe_is_stripped_relocs (RzBinPEObj *bin)
int PE_()	rz_bin_pe_is_stripped_line_nums (RzBinPEObj *bin)
int PE_()	rz_bin_pe_is_stripped_local_syms (RzBinPEObj *bin)
int PE_()	rz_bin_pe_is_stripped_debug (RzBinPEObj *bin)
int PE_()	bin_pe_get_claimed_checksum (RzBinPEObj *bin)
int PE_()	bin_pe_get_actual_checksum (RzBinPEObj *bin)
struct rz_bin_pe_addr_t *PE_()	check_unknow (RzBinPEObj *bin)
struct rz_bin_pe_addr_t *PE_()	check_msvcseh (RzBinPEObj *bin)
struct rz_bin_pe_addr_t *PE_()	check_mingw (RzBinPEObj *bin)
struct rz_bin_pe_addr_t *PE_()	rz_bin_pe_get_entrypoint (RzBinPEObj *bin)
struct rz_bin_pe_addr_t *PE_()	rz_bin_pe_get_main_vaddr (RzBinPEObj *bin)
int PE_()	rz_bin_pe_get_image_size (RzBinPEObj *bin)
struct rz_bin_pe_lib_t *PE_()	rz_bin_pe_get_libs (RzBinPEObj *bin)
ut64 PE_()	rz_bin_pe_get_image_base (RzBinPEObj *bin)
int PE_()	bin_pe_get_overlay (RzBinPEObj *bin, ut64 *size)
int PE_()	bin_pe_init_overlay (RzBinPEObj *bin)
RZ_API void PE_()	bin_pe_parse_resource (RzBinPEObj *bin)
void PE_()	bin_pe_init_rich_info (RzBinPEObj *bin)
int PE_()	bin_pe_init_resource (RzBinPEObj *bin)
int PE_()	bin_pe_init_sections (RzBinPEObj *bin)
void PE_()	rz_bin_pe_check_sections (RzBinPEObj *bin, struct rz_bin_pe_section_t **sects)
RzList *PE_()	section_flag_to_rzlist (ut64 flag)
struct rz_bin_pe_section_t *PE_()	rz_bin_pe_get_sections (RzBinPEObj *bin)
int PE_()	bin_pe_init_security (RzBinPEObj *bin)
const char *PE_()	bin_pe_get_authentihash (RzBinPEObj *bin)
char *PE_()	bin_pe_compute_authentihash (RzBinPEObj *bin)
int PE_()	bin_pe_is_authhash_valid (RzBinPEObj *bin)
void PE_()	free_security_directory (Pe_image_security_directory *security_directory)
int PE_()	bin_pe_init_tls (RzBinPEObj *bin)
PE_DWord PE_()	bin_pe_rva_to_paddr (RzBinPEObj *bin, PE_DWord rva)
PE_DWord PE_()	bin_pe_rva_to_va (RzBinPEObj *bin, PE_DWord rva)
PE_DWord PE_()	bin_pe_va_to_rva (RzBinPEObj *bin, PE_DWord va)
void *PE_()	rz_bin_pe_free (RzBinPEObj *bin)
RzBinPEObj *PE_()	rz_bin_pe_new (const char *file, bool verbose)
RzBinPEObj *PE_()	rz_bin_pe_new_buf (RzBuffer *buf, bool verbose)

Macro Definition Documentation

COFF_SYMBOL_SIZE

#define COFF_SYMBOL_SIZE   18

Definition at line 176 of file pe.h.

DBG_FILE_NAME_LEN

#define DBG_FILE_NAME_LEN   255

Definition at line 117 of file pe.h.

GUIDSTR_LEN

#define GUIDSTR_LEN   41

Definition at line 116 of file pe.h.

IMAGE_SCN_ALIGN_1024BYTES

#define IMAGE_SCN_ALIGN_1024BYTES   0x00B00000

Definition at line 46 of file pe.h.

IMAGE_SCN_ALIGN_128BYTES

#define IMAGE_SCN_ALIGN_128BYTES   0x00800000

Definition at line 43 of file pe.h.

IMAGE_SCN_ALIGN_16BYTES

#define IMAGE_SCN_ALIGN_16BYTES   0x00500000

Definition at line 40 of file pe.h.

IMAGE_SCN_ALIGN_1BYTES

#define IMAGE_SCN_ALIGN_1BYTES   0x00100000

Definition at line 36 of file pe.h.

IMAGE_SCN_ALIGN_2048BYTES

#define IMAGE_SCN_ALIGN_2048BYTES   0x00C00000

Definition at line 47 of file pe.h.

IMAGE_SCN_ALIGN_256BYTES

#define IMAGE_SCN_ALIGN_256BYTES   0x00900000

Definition at line 44 of file pe.h.

IMAGE_SCN_ALIGN_2BYTES

#define IMAGE_SCN_ALIGN_2BYTES   0x00200000

Definition at line 37 of file pe.h.

IMAGE_SCN_ALIGN_32BYTES

#define IMAGE_SCN_ALIGN_32BYTES   0x00600000

Definition at line 41 of file pe.h.

IMAGE_SCN_ALIGN_4096BYTES

#define IMAGE_SCN_ALIGN_4096BYTES   0x00D00000

Definition at line 48 of file pe.h.

IMAGE_SCN_ALIGN_4BYTES

#define IMAGE_SCN_ALIGN_4BYTES   0x00300000

Definition at line 38 of file pe.h.

IMAGE_SCN_ALIGN_512BYTES

#define IMAGE_SCN_ALIGN_512BYTES   0x00A00000

Definition at line 45 of file pe.h.

IMAGE_SCN_ALIGN_64BYTES

#define IMAGE_SCN_ALIGN_64BYTES   0x00700000

Definition at line 42 of file pe.h.

IMAGE_SCN_ALIGN_8192BYTES

#define IMAGE_SCN_ALIGN_8192BYTES   0x00E00000

Definition at line 49 of file pe.h.

IMAGE_SCN_ALIGN_8BYTES

#define IMAGE_SCN_ALIGN_8BYTES   0x00400000

Definition at line 39 of file pe.h.

IMAGE_SCN_CNT_CODE

#define IMAGE_SCN_CNT_CODE   0x00000020

Definition at line 24 of file pe.h.

IMAGE_SCN_CNT_INITIALIZED_DATA

#define IMAGE_SCN_CNT_INITIALIZED_DATA   0x00000040

Definition at line 25 of file pe.h.

IMAGE_SCN_CNT_UNINITIALIZED_DATA

#define IMAGE_SCN_CNT_UNINITIALIZED_DATA   0x00000080

Definition at line 26 of file pe.h.

IMAGE_SCN_GPREL

#define IMAGE_SCN_GPREL   0x00008000

Definition at line 31 of file pe.h.

IMAGE_SCN_LNK_COMDAT

#define IMAGE_SCN_LNK_COMDAT   0x00001000

Definition at line 30 of file pe.h.

IMAGE_SCN_LNK_INFO

#define IMAGE_SCN_LNK_INFO   0x00000200

Definition at line 28 of file pe.h.

IMAGE_SCN_LNK_NRELOC_OVFL

#define IMAGE_SCN_LNK_NRELOC_OVFL   0x01000000

Definition at line 50 of file pe.h.

IMAGE_SCN_LNK_OTHER

#define IMAGE_SCN_LNK_OTHER   0x00000100

Definition at line 27 of file pe.h.

IMAGE_SCN_LNK_REMOVE

#define IMAGE_SCN_LNK_REMOVE   0x00000800

Definition at line 29 of file pe.h.

IMAGE_SCN_MEM_16BIT

#define IMAGE_SCN_MEM_16BIT   0x00020000

Definition at line 33 of file pe.h.

IMAGE_SCN_MEM_DISCARDABLE

#define IMAGE_SCN_MEM_DISCARDABLE   0x02000000

Definition at line 51 of file pe.h.

IMAGE_SCN_MEM_LOCKED

#define IMAGE_SCN_MEM_LOCKED   0x00040000

Definition at line 34 of file pe.h.

IMAGE_SCN_MEM_NOT_CACHED

#define IMAGE_SCN_MEM_NOT_CACHED   0x04000000

Definition at line 52 of file pe.h.

IMAGE_SCN_MEM_NOT_PAGED

#define IMAGE_SCN_MEM_NOT_PAGED   0x08000000

Definition at line 53 of file pe.h.

IMAGE_SCN_MEM_PRELOAD

#define IMAGE_SCN_MEM_PRELOAD   0x00080000

Definition at line 35 of file pe.h.

IMAGE_SCN_MEM_PURGEABLE

#define IMAGE_SCN_MEM_PURGEABLE   0x00020000

Definition at line 32 of file pe.h.

IMAGE_SCN_TYPE_NO_PAD

#define IMAGE_SCN_TYPE_NO_PAD   0x00000008

Definition at line 23 of file pe.h.

MAX_METADATA_STRING_LENGTH

#define MAX_METADATA_STRING_LENGTH   256

Definition at line 175 of file pe.h.

PE_READ_STRUCT_FIELD [1/2]

#define PE_READ_STRUCT_FIELD	(		var,
			struct_type,
			field,
			size
	)		var->field = rz_read_le##size(buf + offsetof(struct_type, field))

Definition at line 177 of file pe.h.

PE_READ_STRUCT_FIELD [2/2]

#define PE_READ_STRUCT_FIELD	(		var,
			struct_type,
			field,
			size
	)		var->field = rz_read_le##size(buf + offsetof(struct_type, field))

Definition at line 177 of file pe.h.

PE_SCN_ALIGN_MASK

#define PE_SCN_ALIGN_MASK   0x00F00000

Definition at line 55 of file pe.h.

RZ_BIN_PE_SCN_IS_EXECUTABLE

#define RZ_BIN_PE_SCN_IS_EXECUTABLE

(

x

)

x &PE_IMAGE_SCN_MEM_EXECUTE

Definition at line 18 of file pe.h.

RZ_BIN_PE_SCN_IS_READABLE

#define RZ_BIN_PE_SCN_IS_READABLE

(

x

)

x &PE_IMAGE_SCN_MEM_READ

Definition at line 19 of file pe.h.

RZ_BIN_PE_SCN_IS_SHAREABLE

#define RZ_BIN_PE_SCN_IS_SHAREABLE

(

x

)

x &PE_IMAGE_SCN_MEM_SHARED

Definition at line 17 of file pe.h.

RZ_BIN_PE_SCN_IS_WRITABLE

#define RZ_BIN_PE_SCN_IS_WRITABLE

(

x

)

x &PE_IMAGE_SCN_MEM_WRITE

Definition at line 20 of file pe.h.

RzBinPEObj

#define RzBinPEObj   struct PE_(rz_bin_pe_obj_t)

Definition at line 126 of file pe.h.

Typedef Documentation

rz_pe_resource

typedef struct _PE_RESOURCE rz_pe_resource

SDebugInfo

typedef struct SDebugInfo SDebugInfo

Function Documentation

bin_pe_compute_authentihash()

char* PE_() bin_pe_compute_authentihash

(

RzBinPEObj *

bin

)

Definition at line 21 of file pe_security.c.

                                                        {
    if (!bin->spcinfo) {
        return NULL;
    }
 
    char *hashtype = strdup(bin->spcinfo->messageDigest.digestAlgorithm.algorithm->string);
    rz_str_replace_char(hashtype, '-', 0);
 
    RzHashCfg *md = rz_hash_cfg_new_with_algo2(bin->hash, hashtype);
    if (!md) {
        free(hashtype);
        return NULL;
    }
    ut32 checksum_paddr = bin->nt_header_offset + 4 + sizeof(PE_(image_file_header)) + 0x40;
    ut32 security_entry_offset = bin->nt_header_offset + sizeof(PE_(image_nt_headers)) - 96;
    PE_(image_data_directory) *data_dir_security = &bin->data_directory[PE_IMAGE_DIRECTORY_ENTRY_SECURITY];
    PE_DWord security_dir_offset = data_dir_security->VirtualAddress;
    ut32 security_dir_size = data_dir_security->Size;
    rz_buf_fwd_scan(bin->b, 0, checksum_paddr, buf_fwd_hash, md);
    rz_buf_fwd_scan(bin->b, checksum_paddr + 4, security_entry_offset - checksum_paddr - 4, buf_fwd_hash, md);
    rz_buf_fwd_scan(bin->b, security_entry_offset + 8, security_dir_offset - security_entry_offset - 8, buf_fwd_hash, md);
    rz_buf_fwd_scan(bin->b, security_dir_offset + security_dir_size, rz_buf_size(bin->b) - security_dir_offset - security_dir_size, buf_fwd_hash, md);
 
    RzHashSize digest_size = 0;
    const ut8 *digest = NULL;
    if (!rz_hash_cfg_final(md) ||
        !(digest = rz_hash_cfg_get_result(md, hashtype, &digest_size))) {
 
        free(hashtype);
        rz_hash_cfg_free(md);
        return NULL;
    }
 
    char *hashstr = rz_hex_bin2strdup(digest, digest_size);
    free(hashtype);
    rz_hash_cfg_free(md);
    return hashstr;
}

References buf_fwd_hash(), free(), benchmark::md, NULL, PE_, PE_DWord, PE_IMAGE_DIRECTORY_ENTRY_SECURITY, rz_buf_fwd_scan(), rz_buf_size(), rz_hash_cfg_final(), rz_hash_cfg_free(), rz_hash_cfg_get_result(), rz_hex_bin2strdup(), rz_str_replace_char(), and strdup().

Referenced by bin_pe_get_authentihash().

bin_pe_get_actual_checksum()

int PE_() bin_pe_get_actual_checksum

(

RzBinPEObj *

bin

)

Definition at line 249 of file pe_info.c.

                                                     {
    size_t i, j, checksum_offset = 0;
    ut64 computed_cs = 0;
    int remaining_bytes;
    int shift;
    ut32 cur;
    if (!bin || !bin->nt_header_offset) {
        return 0;
    }
    const size_t buf_sz = 0x1000;
    ut32 *buf = malloc(buf_sz);
    if (!buf) {
        return 0;
    }
    if (rz_buf_read_at(bin->b, 0, (ut8 *)buf, buf_sz) < 0) {
        free(buf);
        return 0;
    }
    checksum_offset = bin->nt_header_offset + 4 + sizeof(PE_(image_file_header)) + 0x40;
    checksum_ctx ctx = { &computed_cs, bin->big_endian };
    rz_buf_fwd_scan(bin->b, 0, checksum_offset, buf_fwd_checksum, &ctx);
    rz_buf_fwd_scan(bin->b, checksum_offset + 4, bin->size - checksum_offset - 4 - bin->size % 4, buf_fwd_checksum, &ctx);
 
    // add resultant bytes to checksum
    remaining_bytes = bin->size % 4;
    i = bin->size - remaining_bytes;
    if (remaining_bytes != 0) {
        ut8 tmp;
        if (!rz_buf_read8_at(bin->b, i, &tmp)) {
            return 0;
        }
        cur = tmp;
 
        shift = 8;
        for (j = 1; j < remaining_bytes; j++, shift += 8) {
            if (!rz_buf_read8_at(bin->b, i + j, &tmp)) {
                return 0;
            }
            cur |= tmp << shift;
        }
        computed_cs = (computed_cs & 0xFFFFFFFF) + cur + (computed_cs >> 32);
        if (computed_cs >> 32) {
            computed_cs = (computed_cs & 0xFFFFFFFF) + (computed_cs >> 32);
        }
    }
 
    // 32bits -> 16bits
    computed_cs = (computed_cs & 0xFFFF) + (computed_cs >> 16);
    computed_cs = (computed_cs) + (computed_cs >> 16);
    computed_cs = (computed_cs & 0xFFFF);
 
    // add filesize
    computed_cs += bin->size;
    free(buf);
    return computed_cs;
}

References buf_fwd_checksum(), free(), i, malloc(), PE_, rz_buf_fwd_scan(), rz_buf_read8_at(), rz_buf_read_at(), shift(), autogen_x86imm::tmp, and ut64().

bin_pe_get_authentihash()

const char* PE_() bin_pe_get_authentihash

(

RzBinPEObj *

bin

)

Definition at line 60 of file pe_security.c.

                                                          {
    if (!bin->authentihash) {
        bin->authentihash = PE_(bin_pe_compute_authentihash)(bin);
    }
    return bin->authentihash;
}

References bin_pe_compute_authentihash(), and PE_.

Referenced by bin_pe_init_security().

bin_pe_get_claimed_checksum()

int PE_() bin_pe_get_claimed_checksum

(

RzBinPEObj *

bin

)

Definition at line 221 of file pe_info.c.

                                                      {
    if (!bin || !bin->optional_header) {
        return 0;
    }
    return bin->optional_header->CheckSum;
}

bin_pe_get_overlay()

int PE_() bin_pe_get_overlay	(	RzBinPEObj *	bin,
		ut64 *	size
	)

Definition at line 16 of file pe_overlay.c.

                                                         {
    ut64 largest_offset = 0;
    ut64 largest_size = 0;
    *size = 0;
    int i;
 
    if (!bin) {
        return 0;
    }
 
    if (bin->optional_header) {
        computeOverlayOffset(
            bin->nt_header_offset + 4 + sizeof(bin->nt_headers->file_header),
            bin->nt_headers->file_header.SizeOfOptionalHeader,
            bin->size,
            &largest_offset,
            &largest_size);
    }
 
    struct rz_bin_pe_section_t *sects = bin->sections;
    for (i = 0; !sects[i].last; i++) {
        computeOverlayOffset(
            sects[i].paddr,
            sects[i].size,
            bin->size,
            &largest_offset,
            &largest_size);
    }
 
    if (bin->optional_header) {
        for (i = 0; i < PE_IMAGE_DIRECTORY_ENTRIES; i++) {
            if (i == PE_IMAGE_DIRECTORY_ENTRY_SECURITY) {
                continue;
            }
 
            computeOverlayOffset(
                PE_(bin_pe_rva_to_paddr)(bin, bin->data_directory[i].VirtualAddress),
                bin->data_directory[i].Size,
                bin->size,
                &largest_offset,
                &largest_size);
        }
    }
 
    if ((ut64)bin->size > largest_offset + largest_size) {
        *size = bin->size - largest_offset - largest_size;
        return largest_offset + largest_size;
    }
    return 0;
}

References bin_pe_rva_to_paddr(), computeOverlayOffset(), i, rz_bin_pe_section_t::last, rz_bin_pe_section_t::paddr, PE_, PE_IMAGE_DIRECTORY_ENTRIES, PE_IMAGE_DIRECTORY_ENTRY_SECURITY, and ut64().

Referenced by bin_pe_init_overlay().

bin_pe_init_clr()

int PE_() bin_pe_init_clr

(

RzBinPEObj *

bin

)

Definition at line 122 of file pe_clr.c.

                                          {
    PE_(image_data_directory) *clr_dir = &bin->data_directory[PE_IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR];
    PE_DWord image_clr_hdr_paddr = PE_(bin_pe_rva_to_paddr)(bin, clr_dir->VirtualAddress);
 
    Pe_image_clr *clr = RZ_NEW0(Pe_image_clr);
    if (!clr) {
        return -1;
    }
 
    if (bin_pe_dotnet_init_clr(clr, bin->b, image_clr_hdr_paddr)) {
        return -1;
    }
 
    if (clr->header) {
        PE_DWord metadata_directory = PE_(bin_pe_rva_to_paddr)(bin, clr->header->MetaDataDirectoryAddress);
        bin_pe_dotnet_init_metadata(clr, bin->big_endian, bin->b, metadata_directory);
    }
 
    bin->clr = clr;
    return 0;
}

References bin_pe_dotnet_init_clr(), bin_pe_dotnet_init_metadata(), bin_pe_rva_to_paddr(), Pe_image_clr::header, Pe_image_clr_header::MetaDataDirectoryAddress, PE_, PE_DWord, PE_IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, and RZ_NEW0.

Referenced by bin_pe_init().

bin_pe_init_exports()

int PE_() bin_pe_init_exports

(

RzBinPEObj *

bin

)

Definition at line 140 of file pe_exports.c.

                                              {
    PE_(image_data_directory) *data_dir_export = &bin->data_directory[PE_IMAGE_DIRECTORY_ENTRY_EXPORT];
    PE_DWord export_dir_paddr = PE_(bin_pe_rva_to_paddr)(bin, data_dir_export->VirtualAddress);
    if (!export_dir_paddr) {
        // This export-dir-paddr should only appear in DLL files
        // RZ_LOG_INFO("Warning: Cannot find the paddr of the export directory\n");
        return false;
    }
    // sdb_setn (DB, "hdr.exports_directory", export_dir_paddr);
    // RZ_LOG_INFO("Pexports paddr at 0x%"PFMT64x"\n", export_dir_paddr);
    if (!(bin->export_directory = malloc(sizeof(PE_(image_export_directory))))) {
        rz_sys_perror("malloc (export directory)");
        return false;
    }
    if (read_image_export_directory(bin->b, export_dir_paddr, bin->export_directory) < 0) {
        RZ_LOG_INFO("read (export directory)\n");
        RZ_FREE(bin->export_directory);
        return false;
    }
    return true;
}

References bin_pe_rva_to_paddr(), malloc(), PE_, PE_DWord, PE_IMAGE_DIRECTORY_ENTRY_EXPORT, read_image_export_directory(), RZ_FREE, RZ_LOG_INFO, and rz_sys_perror.

Referenced by bin_pe_init().

bin_pe_init_hdr()

int PE_() bin_pe_init_hdr

(

RzBinPEObj *

bin

)

Definition at line 124 of file pe_hdr.c.

                                          {
    if (!(bin->dos_header = malloc(sizeof(PE_(image_dos_header))))) {
        rz_sys_perror("malloc (dos header)");
        return false;
    }
    if (!PE_(read_dos_header)(bin->b, bin->dos_header)) {
        RZ_LOG_INFO("read (dos header)\n");
        return false;
    }
    sdb_num_set(bin->kv, "pe_dos_header.offset", 0, 0);
    sdb_set(bin->kv, "pe_dos_header.format", "[2]zwwwwwwwwwwwww[4]www[10]wx"
                         " e_magic e_cblp e_cp e_crlc e_cparhdr e_minalloc e_maxalloc"
                         " e_ss e_sp e_csum e_ip e_cs e_lfarlc e_ovno e_res e_oemid"
                         " e_oeminfo e_res2 e_lfanew",
        0);
    if (bin->dos_header->e_lfanew > (unsigned int)bin->size) {
        RZ_LOG_INFO("Invalid e_lfanew field\n");
        return false;
    }
    if (!(bin->nt_headers = malloc(sizeof(PE_(image_nt_headers))))) {
        rz_sys_perror("malloc (nt header)");
        return false;
    }
    bin->nt_header_offset = bin->dos_header->e_lfanew;
    if (!PE_(read_nt_headers)(bin->b, bin->dos_header->e_lfanew, bin->nt_headers)) {
        RZ_LOG_INFO("read (nt header)\n");
        return false;
    }
    sdb_set(bin->kv, "pe_magic.cparse", "enum pe_magic { IMAGE_NT_OPTIONAL_HDR32_MAGIC=0x10b, IMAGE_NT_OPTIONAL_HDR64_MAGIC=0x20b, IMAGE_ROM_OPTIONAL_HDR_MAGIC=0x107 };", 0);
    sdb_set(bin->kv, "pe_subsystem.cparse", "enum pe_subsystem { IMAGE_SUBSYSTEM_UNKNOWN=0, IMAGE_SUBSYSTEM_NATIVE=1, IMAGE_SUBSYSTEM_WINDOWS_GUI=2, "
                        " IMAGE_SUBSYSTEM_WINDOWS_CUI=3, IMAGE_SUBSYSTEM_OS2_CUI=5, IMAGE_SUBSYSTEM_POSIX_CUI=7, IMAGE_SUBSYSTEM_WINDOWS_CE_GUI=9, "
                        " IMAGE_SUBSYSTEM_EFI_APPLICATION=10, IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER=11, IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER=12, "
                        " IMAGE_SUBSYSTEM_EFI_ROM=13, IMAGE_SUBSYSTEM_XBOX=14, IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION=16 };",
        0);
    sdb_set(bin->kv, "pe_dllcharacteristics.cparse", "enum pe_dllcharacteristics { IMAGE_LIBRARY_PROCESS_INIT=0x0001, IMAGE_LIBRARY_PROCESS_TERM=0x0002, "
                             " IMAGE_LIBRARY_THREAD_INIT=0x0004, IMAGE_LIBRARY_THREAD_TERM=0x0008, IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA=0x0020, "
                             " IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE=0x0040, IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY=0x0080, "
                             " IMAGE_DLLCHARACTERISTICS_NX_COMPAT=0x0100, IMAGE_DLLCHARACTERISTICS_NO_ISOLATION=0x0200,IMAGE_DLLCHARACTERISTICS_NO_SEH=0x0400, "
                             " IMAGE_DLLCHARACTERISTICS_NO_BIND=0x0800, IMAGE_DLLCHARACTERISTICS_APPCONTAINER=0x1000, IMAGE_DLLCHARACTERISTICS_WDM_DRIVER=0x2000, "
                             " IMAGE_DLLCHARACTERISTICS_GUARD_CF=0x4000, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE=0x8000};",
        0);
#if RZ_BIN_PE64
    sdb_num_set(bin->kv, "pe_nt_image_headers64.offset", bin->dos_header->e_lfanew, 0);
    sdb_set(bin->kv, "pe_nt_image_headers64.format", "[4]z?? signature (pe_image_file_header)fileHeader (pe_image_optional_header64)optionalHeader", 0);
    sdb_set(bin->kv, "pe_image_optional_header64.format", "[2]Ebbxxxxxqxxwwwwwwxxxx[2]E[2]Bqqqqxx[16]?"
                                  " (pe_magic)magic majorLinkerVersion minorLinkerVersion sizeOfCode sizeOfInitializedData"
                                  " sizeOfUninitializedData addressOfEntryPoint baseOfCode imageBase"
                                  " sectionAlignment fileAlignment majorOperatingSystemVersion minorOperatingSystemVersion"
                                  " majorImageVersion minorImageVersion majorSubsystemVersion minorSubsystemVersion"
                                  " win32VersionValue sizeOfImage sizeOfHeaders checkSum (pe_subsystem)subsystem (pe_dllcharacteristics)dllCharacteristics"
                                  " sizeOfStackReserve sizeOfStackCommit sizeOfHeapReserve sizeOfHeapCommit loaderFlags"
                                  " numberOfRvaAndSizes (pe_image_data_directory)dataDirectory",
        0);
#else
    sdb_num_set(bin->kv, "pe_nt_image_headers32.offset", bin->dos_header->e_lfanew, 0);
    sdb_set(bin->kv, "pe_nt_image_headers32.format", "[4]z?? signature (pe_image_file_header)fileHeader (pe_image_optional_header32)optionalHeader", 0);
    sdb_set(bin->kv, "pe_image_optional_header32.format", "[2]Ebbxxxxxxxxxwwwwwwxxxx[2]E[2]Bxxxxxx[16]?"
                                  " (pe_magic)magic majorLinkerVersion minorLinkerVersion sizeOfCode sizeOfInitializedData"
                                  " sizeOfUninitializedData addressOfEntryPoint baseOfCode baseOfData imageBase"
                                  " sectionAlignment fileAlignment majorOperatingSystemVersion minorOperatingSystemVersion"
                                  " majorImageVersion minorImageVersion majorSubsystemVersion minorSubsystemVersion"
                                  " win32VersionValue sizeOfImage sizeOfHeaders checkSum (pe_subsystem)subsystem (pe_dllcharacteristics)dllCharacteristics"
                                  " sizeOfStackReserve sizeOfStackCommit sizeOfHeapReserve sizeOfHeapCommit loaderFlags numberOfRvaAndSizes"
                                  " (pe_image_data_directory)dataDirectory",
        0);
#endif
    sdb_set(bin->kv, "pe_machine.cparse", "enum pe_machine { IMAGE_FILE_MACHINE_I386=0x014c, IMAGE_FILE_MACHINE_IA64=0x0200, IMAGE_FILE_MACHINE_AMD64=0x8664 };", 0);
    sdb_set(bin->kv, "pe_characteristics.cparse", "enum pe_characteristics { "
                              " IMAGE_FILE_RELOCS_STRIPPED=0x0001, IMAGE_FILE_EXECUTABLE_IMAGE=0x0002, IMAGE_FILE_LINE_NUMS_STRIPPED=0x0004, "
                              " IMAGE_FILE_LOCAL_SYMS_STRIPPED=0x0008, IMAGE_FILE_AGGRESIVE_WS_TRIM=0x0010, IMAGE_FILE_LARGE_ADDRESS_AWARE=0x0020, "
                              " IMAGE_FILE_BYTES_REVERSED_LO=0x0080, IMAGE_FILE_32BIT_MACHINE=0x0100, IMAGE_FILE_DEBUG_STRIPPED=0x0200, "
                              " IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP=0x0400, IMAGE_FILE_NET_RUN_FROM_SWAP=0x0800, IMAGE_FILE_SYSTEM=0x1000, "
                              " IMAGE_FILE_DLL=0x2000, IMAGE_FILE_UP_SYSTEM_ONLY=0x4000, IMAGE_FILE_BYTES_REVERSED_HI=0x8000 };",
        0);
    sdb_set(bin->kv, "pe_image_file_header.format", "[2]Ewtxxw[2]B"
                            " (pe_machine)machine numberOfSections timeDateStamp pointerToSymbolTable"
                            " numberOfSymbols sizeOfOptionalHeader (pe_characteristics)characteristics",
        0);
    sdb_set(bin->kv, "pe_image_data_directory.format", "xx virtualAddress size", 0);
 
    // adding compile time to the SDB
    {
        sdb_num_set(bin->kv, "image_file_header.TimeDateStamp", bin->nt_headers->file_header.TimeDateStamp, 0);
        char *timestr = rz_time_stamp_to_str(bin->nt_headers->file_header.TimeDateStamp);
        sdb_set_owned(bin->kv, "image_file_header.TimeDateStamp_string", timestr, 0);
    }
    bin->optional_header = &bin->nt_headers->optional_header;
    bin->data_directory = (PE_(image_data_directory *)) & bin->optional_header->DataDirectory;
 
    if (bin->dos_header->e_magic != 0x5a4d || // "MZ"
        (bin->nt_headers->Signature != 0x4550 && // "PE"
            /* Check also for Phar Lap TNT DOS extender PL executable */
            bin->nt_headers->Signature != 0x4c50)) { // "PL"
        return false;
    }
    return true;
}

References if(), malloc(), PE_, read_dos_header(), read_nt_headers(), RZ_LOG_INFO, rz_sys_perror, rz_time_stamp_to_str(), sdb_num_set(), sdb_set(), and sdb_set_owned().

Referenced by bin_pe_init().

bin_pe_init_imports()

int PE_() bin_pe_init_imports

(

RzBinPEObj *

bin

)

HACK to modify import size because of begin 0.. this may report wrong info con corkami tests

Definition at line 325 of file pe_imports.c.

                                              {
    PE_(image_data_directory) *data_dir_import = &bin->data_directory[PE_IMAGE_DIRECTORY_ENTRY_IMPORT];
    PE_(image_data_directory) *data_dir_delay_import = &bin->data_directory[PE_IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT];
 
    PE_DWord import_dir_paddr = PE_(bin_pe_rva_to_paddr)(bin, data_dir_import->VirtualAddress);
    PE_DWord import_dir_offset = PE_(bin_pe_rva_to_paddr)(bin, data_dir_import->VirtualAddress);
    PE_DWord delay_import_dir_offset = PE_(bin_pe_rva_to_paddr)(bin, data_dir_delay_import->VirtualAddress);
 
    PE_(image_import_directory) *import_dir = NULL;
    PE_(image_import_directory) *new_import_dir = NULL;
    PE_(image_import_directory) *curr_import_dir = NULL;
 
    PE_(image_delay_import_directory) *delay_import_dir = NULL;
    PE_(image_delay_import_directory) *new_delay_import_dir = NULL;
    PE_(image_delay_import_directory) *curr_delay_import_dir = NULL;
 
    int dir_size = sizeof(PE_(image_import_directory));
    int delay_import_size = sizeof(PE_(image_delay_import_directory));
    int indx = 0;
    int rr, count = 0;
    int import_dir_size = data_dir_import->Size;
    int delay_import_dir_size = data_dir_delay_import->Size;
    if (!import_dir_size) {
        // asume 1 entry for each
        import_dir_size = data_dir_import->Size = 0xffff;
    }
    if (!delay_import_dir_size) {
        data_dir_delay_import->Size = 0xffff;
    }
    int maxidsz = RZ_MIN((PE_DWord)bin->size, import_dir_offset + import_dir_size);
    maxidsz -= import_dir_offset;
    if (maxidsz < 0) {
        maxidsz = 0;
    }
    // int maxcount = maxidsz/ sizeof (struct rz_bin_pe_import_t);
 
    RZ_FREE(bin->import_directory);
    if (import_dir_paddr != 0) {
        if (import_dir_size < 1 || import_dir_size > maxidsz) {
            RZ_LOG_INFO("Invalid import directory size: 0x%x is now 0x%x\n", import_dir_size, maxidsz);
            import_dir_size = maxidsz;
        }
        bin->import_directory_offset = import_dir_offset;
        count = 0;
        do {
            new_import_dir = (PE_(image_import_directory) *)realloc(import_dir, ((1 + indx) * dir_size));
            if (!new_import_dir) {
                rz_sys_perror("malloc (import directory)");
                RZ_FREE(import_dir);
                break; //
                //          goto fail;
            }
            import_dir = new_import_dir;
            new_import_dir = NULL;
            curr_import_dir = import_dir + indx;
            if (PE_(read_image_import_directory)(bin->b, import_dir_offset + indx * dir_size, curr_import_dir) <= 0) {
                RZ_LOG_INFO("read (import directory)\n");
                RZ_FREE(import_dir);
                break; // return false;
            }
            if (((2 + indx) * dir_size) > import_dir_size) {
                break; // goto fail;
            }
            indx++;
            count++;
        } while (curr_import_dir->FirstThunk != 0 || curr_import_dir->Name != 0 ||
            curr_import_dir->TimeDateStamp != 0 || curr_import_dir->Characteristics != 0 ||
            curr_import_dir->ForwarderChain != 0);
 
        bin->import_directory = import_dir;
        bin->import_directory_size = import_dir_size;
    }
 
    indx = 0;
    if (rz_buf_size(bin->b) > 0) {
        if ((delay_import_dir_offset != 0) && (delay_import_dir_offset < (ut32)rz_buf_size(bin->b))) {
            ut64 off;
            bin->delay_import_directory_offset = delay_import_dir_offset;
            do {
                indx++;
                off = indx * delay_import_size;
                if (off >= rz_buf_size(bin->b)) {
                    RZ_LOG_INFO("Cannot find end of import symbols\n");
                    break;
                }
                new_delay_import_dir = (PE_(image_delay_import_directory) *)realloc(
                    delay_import_dir, (indx * delay_import_size) + 1);
                if (!new_delay_import_dir) {
                    rz_sys_perror("malloc (delay import directory)");
                    free(delay_import_dir);
                    return false;
                }
                delay_import_dir = new_delay_import_dir;
                curr_delay_import_dir = delay_import_dir + (indx - 1);
                rr = PE_(read_image_delay_import_directory)(bin->b, delay_import_dir_offset + (indx - 1) * delay_import_size,
                    curr_delay_import_dir);
                if (rr != dir_size) {
                    RZ_LOG_INFO("read (delay import directory)\n");
                    goto fail;
                }
            } while (curr_delay_import_dir->Name != 0);
            bin->delay_import_directory = delay_import_dir;
        }
    }
 
    return true;
fail:
    RZ_FREE(import_dir);
    bin->import_directory = import_dir;
    free(delay_import_dir);
    return false;
}

References bin_pe_rva_to_paddr(), count, fail, free(), indx(), NULL, off, PE_, PE_DWord, PE_IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, PE_IMAGE_DIRECTORY_ENTRY_IMPORT, read_image_delay_import_directory(), read_image_import_directory(), realloc(), rz_buf_size(), RZ_FREE, RZ_LOG_INFO, RZ_MIN, rz_sys_perror, and ut64().

Referenced by bin_pe_init().

bin_pe_init_overlay()

int PE_() bin_pe_init_overlay

(

RzBinPEObj *

bin

)

Definition at line 67 of file pe_overlay.c.

                                              {
    ut64 pe_overlay_size;
    ut64 pe_overlay_offset = PE_(bin_pe_get_overlay)(bin, &pe_overlay_size);
    if (pe_overlay_offset) {
        sdb_num_set(bin->kv, "pe_overlay.offset", pe_overlay_offset, 0);
        sdb_num_set(bin->kv, "pe_overlay.size", pe_overlay_size, 0);
    }
    return 0;
}

References bin_pe_get_overlay(), PE_, sdb_num_set(), and ut64().

Referenced by bin_pe_init().

bin_pe_init_resource()

int PE_() bin_pe_init_resource

(

RzBinPEObj *

bin

)

Definition at line 50 of file pe_rsrc.c.

                                               {
    PE_(image_data_directory) *resource_dir = &bin->data_directory[PE_IMAGE_DIRECTORY_ENTRY_RESOURCE];
    PE_DWord resource_dir_paddr = PE_(bin_pe_rva_to_paddr)(bin, resource_dir->VirtualAddress);
    if (!resource_dir_paddr) {
        return false;
    }
 
    bin->resources = rz_list_newf((RzListFree)_free_resource);
    if (!bin->resources) {
        return false;
    }
    if (!(bin->resource_directory = malloc(sizeof(*bin->resource_directory)))) {
        rz_sys_perror("malloc (resource directory)");
        return false;
    }
    if (read_image_resource_directory(bin->b, resource_dir_paddr, bin->resource_directory) < 0) {
        RZ_LOG_INFO("read (resource directory)\n");
        RZ_FREE(bin->resource_directory);
        return false;
    }
    bin->resource_directory_offset = resource_dir_paddr;
    return true;
}

References _free_resource(), bin_pe_rva_to_paddr(), malloc(), PE_, PE_DWord, PE_IMAGE_DIRECTORY_ENTRY_RESOURCE, read_image_resource_directory(), RZ_FREE, rz_list_newf(), RZ_LOG_INFO, and rz_sys_perror.

Referenced by bin_pe_init().

bin_pe_init_rich_info()

void PE_() bin_pe_init_rich_info

(

RzBinPEObj *

bin

)

Definition at line 1101 of file pe_rsrc.c.

                                                 {
    if (!bin->rich_entries) {
        bin->rich_entries = rz_list_newf(free);
    }
    bin->rich_header_offset = bin->nt_header_offset;
    ut64 off = bin->nt_header_offset - sizeof(ut32);
    ut32 magic = 0x68636952; // Rich
    if (off % sizeof(ut32)) {
        return;
    }
 
    ut32 tmp;
    while (rz_buf_read_le32_at(bin->b, off, &tmp) && tmp != magic && off) {
        off -= sizeof(ut32);
    }
 
    if (!off) {
        return;
    }
 
    ut32 mask;
    if (!rz_buf_read_le32_at(bin->b, off + sizeof(ut32), &mask)) {
        return;
    }
 
    magic = 0x536E6144; // DanS
    off -= sizeof(ut32);
 
    ut32 data;
    while (rz_buf_read_le32_at(bin->b, off, &data) && data != magic && data ^ mask && off > 0x80) {
        Pe_image_rich_entry *entry = RZ_NEW0(Pe_image_rich_entry);
        if (!entry) {
            return;
        }
        entry->timesUsed = data ^ mask;
        off -= sizeof(ut32);
        if (!rz_buf_read_le32_at(bin->b, off, &data)) {
            free(entry);
            return;
        }
        data ^= mask;
        entry->productId = data >> 16;
        entry->minVersion = data & 0xFFFF;
        entry->productName = _known_product_ids(entry->productId);
        off -= sizeof(ut32);
        rz_list_append(bin->rich_entries, entry);
    }
    bin->rich_header_offset = off + sizeof(ut32);
}

References _known_product_ids(), free(), mask, off, rz_buf_read_le32_at, rz_list_append(), rz_list_newf(), RZ_NEW0, autogen_x86imm::tmp, and ut64().

Referenced by bin_pe_init().

bin_pe_init_sections()

int PE_() bin_pe_init_sections

(

RzBinPEObj *

bin

)

Definition at line 333 of file pe_section.c.

                                               {
    bin->num_sections = bin->nt_headers->file_header.NumberOfSections;
    if (bin->num_sections < 1) {
        return true;
    }
    ut64 sections_size = sizeof(PE_(image_section_header)) * bin->num_sections;
    if (sections_size > bin->size) {
        sections_size = bin->size;
        bin->num_sections = bin->size / sizeof(PE_(image_section_header));
        // massage this to make corkami happy
        // RZ_LOG_INFO("Invalid NumberOfSections value\n");
        // goto out_error;
    }
    if (!(bin->section_header = malloc(sections_size))) {
        rz_sys_perror("malloc (section header)");
        goto out_error;
    }
    bin->section_header_offset = bin->dos_header->e_lfanew + 4 + sizeof(PE_(image_file_header)) +
        bin->nt_headers->file_header.SizeOfOptionalHeader;
    int i;
    for (i = 0; i < bin->num_sections; i++) {
        if (!PE_(read_image_section_header)(bin->b, bin->section_header_offset + i * sizeof(PE_(image_section_header)),
                bin->section_header + i)) {
            RZ_LOG_INFO("read (sections)\n");
            RZ_FREE(bin->section_header);
            goto out_error;
        }
    }
#if 0
    Each symbol table entry includes a name, storage class, type, value and section number.Short names (8 characters or fewer) are stored directly in the symbol table;
    longer names are stored as an paddr into the string table at the end of the COFF object.
 
    ================================================================
    COFF SYMBOL TABLE RECORDS (18 BYTES)
    ================================================================
    record
    paddr
 
    struct symrec {
        union {
            char string[8]; // short name
            struct {
                ut32 seros;
                ut32 stridx;
            } stridx;
        } name;
        ut32 value;
        ut16 secnum;
        ut16 symtype;
        ut8 symclass;
        ut8 numaux;
    }
    ------------------------------------------------------ -
    0 | 8 - char symbol name |
    | or 32 - bit zeroes followed by 32 - bit |
    | index into string table |
    ------------------------------------------------------ -
    8 | symbol value |
    ------------------------------------------------------ -
    0Ch | section number | symbol type |
    ------------------------------------------------------ -
    10h | sym class | num aux |
    -------------------------- -
    12h
 
#endif
    return true;
out_error:
    bin->num_sections = 0;
    return false;
}

References a, bit, Ch, test_evm::end, h, i, if(), in, malloc(), name, names, num, rz_bin_pe_section_t::paddr, PE_, read_image_section_header(), RZ_FREE, RZ_LOG_INFO, rz_sys_perror, stored(), TABLE, true, type, ut64(), and value.

Referenced by bin_pe_init().

bin_pe_init_security()

int PE_() bin_pe_init_security

(

RzBinPEObj *

bin

)

Definition at line 71 of file pe_security.c.

                                               {
    if (!bin || !bin->nt_headers) {
        return false;
    }
    if (bin->nt_headers->optional_header.NumberOfRvaAndSizes < 5) {
        return false;
    }
    PE_(image_data_directory) *data_dir_security = &bin->data_directory[PE_IMAGE_DIRECTORY_ENTRY_SECURITY];
    PE_DWord paddr = data_dir_security->VirtualAddress;
    ut32 size = data_dir_security->Size;
    if (size < 8 || paddr > bin->size || paddr + size > bin->size) {
        RZ_LOG_INFO("Invalid certificate table");
        return false;
    }
 
    Pe_image_security_directory *security_directory = RZ_NEW0(Pe_image_security_directory);
    if (!security_directory) {
        return false;
    }
    bin->security_directory = security_directory;
 
    PE_DWord offset = paddr;
    while (offset < paddr + size) {
        Pe_certificate **tmp = (Pe_certificate **)realloc(security_directory->certificates, (security_directory->length + 1) * sizeof(Pe_certificate *));
        if (!tmp) {
            return false;
        }
        security_directory->certificates = tmp;
        Pe_certificate *cert = RZ_NEW0(Pe_certificate);
        if (!cert) {
            return false;
        }
        if (!rz_buf_read_le32_at(bin->b, offset, &cert->dwLength)) {
            RZ_FREE(cert);
            return false;
        }
        cert->dwLength += (8 - (cert->dwLength & 7)) & 7; // align32
        if (offset + cert->dwLength > paddr + size) {
            RZ_LOG_INFO("Invalid certificate entry");
            RZ_FREE(cert);
            return false;
        }
        if (!rz_buf_read_le16_at(bin->b, offset + 4, &cert->wRevision)) {
            RZ_FREE(cert);
            return false;
        }
        if (!rz_buf_read_le16_at(bin->b, offset + 6, &cert->wCertificateType)) {
            RZ_FREE(cert);
            return false;
        }
        if (cert->dwLength < 6) {
            RZ_LOG_ERROR("Invalid cert.dwLength (must be > 6)\n");
            RZ_FREE(cert);
            return false;
        }
        if (!(cert->bCertificate = malloc(cert->dwLength - 6))) {
            RZ_FREE(cert);
            return false;
        }
        rz_buf_read_at(bin->b, offset + 8, cert->bCertificate, cert->dwLength - 6);
 
        if (!bin->cms && cert->wCertificateType == PE_WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
            bin->cms = rz_pkcs7_parse_cms(cert->bCertificate, cert->dwLength - 6);
            bin->spcinfo = rz_pkcs7_parse_spcinfo(bin->cms);
        }
 
        security_directory->certificates[security_directory->length] = cert;
        security_directory->length++;
        offset += cert->dwLength;
    }
 
    if (bin->cms && bin->spcinfo) {
        const char *actual_authentihash = PE_(bin_pe_get_authentihash)(bin);
        const char *claimed_authentihash = PE_(bin_pe_get_claimed_authentihash)(bin);
        if (actual_authentihash && claimed_authentihash) {
            bin->is_authhash_valid = !strcmp(actual_authentihash, claimed_authentihash);
        } else {
            bin->is_authhash_valid = false;
        }
        free((void *)claimed_authentihash);
    }
    bin->is_signed = bin->cms != NULL;
    return true;
}

References Pe_certificate::bCertificate, bin_pe_get_authentihash(), bin_pe_get_claimed_authentihash(), Pe_image_security_directory::certificates, Pe_certificate::dwLength, free(), Pe_image_security_directory::length, malloc(), NULL, PE_, PE_DWord, PE_IMAGE_DIRECTORY_ENTRY_SECURITY, PE_WIN_CERT_TYPE_PKCS_SIGNED_DATA, realloc(), rz_buf_read_at(), rz_buf_read_le16_at, rz_buf_read_le32_at, RZ_FREE, RZ_LOG_ERROR, RZ_LOG_INFO, RZ_NEW0, rz_pkcs7_parse_cms(), rz_pkcs7_parse_spcinfo(), autogen_x86imm::tmp, Pe_certificate::wCertificateType, and Pe_certificate::wRevision.

Referenced by bin_pe_init().

bin_pe_init_tls()

int PE_() bin_pe_init_tls

(

RzBinPEObj *

bin

)

Definition at line 71 of file pe_tls.c.

                                          {
    PE_(image_tls_directory) * image_tls_directory;
    PE_(image_data_directory) *data_dir_tls = &bin->data_directory[PE_IMAGE_DIRECTORY_ENTRY_TLS];
    PE_DWord tls_paddr = PE_(bin_pe_rva_to_paddr)(bin, data_dir_tls->VirtualAddress);
 
    image_tls_directory = RZ_NEW0(PE_(image_tls_directory));
    if (read_tls_directory(bin->b, tls_paddr, image_tls_directory) < 0) {
        RZ_LOG_INFO("read (image_tls_directory)\n");
        free(image_tls_directory);
        return 0;
    }
    bin->tls_directory = image_tls_directory;
    if (!image_tls_directory->AddressOfCallBacks) {
        return 0;
    }
    if (image_tls_directory->EndAddressOfRawData < image_tls_directory->StartAddressOfRawData) {
        return 0;
    }
    PE_DWord callbacks_paddr = PE_(bin_pe_rva_to_paddr)(bin, PE_(bin_pe_va_to_rva)(bin, (PE_DWord)image_tls_directory->AddressOfCallBacks));
    bin_pe_store_tls_callbacks(bin, callbacks_paddr);
    return 0;
}

References bin_pe_rva_to_paddr(), bin_pe_store_tls_callbacks(), bin_pe_va_to_rva(), free(), PE_, PE_DWord, PE_IMAGE_DIRECTORY_ENTRY_TLS, read_tls_directory(), RZ_LOG_INFO, and RZ_NEW0.

Referenced by bin_pe_init().

bin_pe_is_authhash_valid()

int PE_() bin_pe_is_authhash_valid

(

RzBinPEObj *

bin

)

Definition at line 67 of file pe_security.c.

                                                   {
    return bin->is_authhash_valid;
}

bin_pe_parse_resource()

RZ_API void PE_() bin_pe_parse_resource

(

RzBinPEObj *

bin

)

Definition at line 1523 of file pe_rsrc.c.

                                                        {
    int index = 0;
    ut64 off = 0, rsrc_base = bin->resource_directory_offset;
    Pe_image_resource_directory *rs_directory = bin->resource_directory;
    ut32 curRes = 0;
    int totalRes = 0;
    HtUUOptions opt = { 0 };
    HtUU *dirs = ht_uu_new_opt(&opt); // to avoid infinite loops
    if (!dirs) {
        return;
    }
    if (!rs_directory) {
        ht_uu_free(dirs);
        return;
    }
    curRes = rs_directory->NumberOfNamedEntries;
    totalRes = curRes + rs_directory->NumberOfIdEntries;
    if (totalRes > RZ_PE_MAX_RESOURCES) {
        RZ_LOG_ERROR("Cannot parse resource directory\n");
        ht_uu_free(dirs);
        return;
    }
    for (index = 0; index < totalRes; index++) {
        Pe_image_resource_directory_entry typeEntry;
        off = rsrc_base + sizeof(*rs_directory) + index * sizeof(typeEntry);
        ht_uu_insert(dirs, off, 1);
        if (off > bin->size || off + sizeof(typeEntry) > bin->size) {
            break;
        }
        if (read_image_resource_directory_entry(bin->b, off, &typeEntry) < 0) {
            RZ_LOG_ERROR("read resource directory entry\n");
            break;
        }
        if (typeEntry.u2.OffsetToData >> 31) {
            Pe_image_resource_directory identEntry;
            ut32 OffsetToDirectory = typeEntry.u2.OffsetToData & 0x7fffffff;
            off = rsrc_base + OffsetToDirectory;
            int len = read_image_resource_directory(bin->b, off, &identEntry);
            if (len != sizeof(identEntry)) {
                RZ_LOG_ERROR("parsing resource directory\n");
            }
            (void)_parse_resource_directory(bin, &identEntry, OffsetToDirectory, typeEntry.u1.Name & 0xffff, 0, dirs, NULL);
        }
    }
    ht_uu_free(dirs);
    _store_resource_sdb(bin);
}

References _parse_resource_directory(), _store_resource_sdb(), len, Pe_image_resource_directory_entry::Name, NULL, Pe_image_resource_directory::NumberOfIdEntries, Pe_image_resource_directory::NumberOfNamedEntries, off, Pe_image_resource_directory_entry::OffsetToData, read_image_resource_directory(), read_image_resource_directory_entry(), RZ_LOG_ERROR, RZ_PE_MAX_RESOURCES, Pe_image_resource_directory_entry::u1, Pe_image_resource_directory_entry::u2, and ut64().

Referenced by bin_pe_init().

bin_pe_rva_to_paddr()

PE_DWord PE_() bin_pe_rva_to_paddr	(	RzBinPEObj *	bin,
		PE_DWord	rva
	)

Definition at line 15 of file pe.c.

                                                                 {
    PE_DWord section_base;
    int i, section_size;
    for (i = 0; i < bin->num_sections; i++) {
        section_base = bin->sections[i].vaddr;
        section_size = bin->sections[i].vsize;
        if (rva >= section_base && rva < section_base + section_size) {
            return bin->sections[i].paddr + (rva - section_base);
        }
    }
    return rva;
}

References i, PE_DWord, and rva().

Referenced by _parse_resource_directory(), bin_pe_get_overlay(), bin_pe_init_clr(), bin_pe_init_exports(), bin_pe_init_imports(), bin_pe_init_resource(), bin_pe_init_tls(), bin_pe_parse_imports(), bin_pe_store_tls_callbacks(), rz_bin_pe_get_clr_methoddef_offset(), rz_bin_pe_get_clr_symbols(), rz_bin_pe_get_debug_data(), rz_bin_pe_get_entrypoint(), rz_bin_pe_get_exports(), rz_bin_pe_get_imports(), and rz_bin_pe_get_libs().

bin_pe_rva_to_va()

PE_DWord PE_() bin_pe_rva_to_va	(	RzBinPEObj *	bin,
		PE_DWord	rva
	)

Definition at line 28 of file pe.c.

                                                              {
    return PE_(rz_bin_pe_get_image_base)(bin) + rva;
}

References PE_, rva(), and rz_bin_pe_get_image_base().

Referenced by _store_resource_sdb(), bin_pe_parse_imports(), parse_symbol_table(), rz_bin_pe_get_clr_methoddef_offset(), rz_bin_pe_get_clr_symbols(), rz_bin_pe_get_entrypoint(), and rz_bin_pe_get_exports().

bin_pe_va_to_rva()

PE_DWord PE_() bin_pe_va_to_rva	(	RzBinPEObj *	bin,
		PE_DWord	va
	)

Definition at line 32 of file pe.c.

                                                             {
    ut64 imageBase = PE_(rz_bin_pe_get_image_base)(bin);
    if (va < imageBase) {
        return va;
    }
    return va - imageBase;
}

References PE_, rz_bin_pe_get_image_base(), and ut64().

Referenced by bin_pe_init_tls(), and bin_pe_store_tls_callbacks().

check_mingw()

struct rz_bin_pe_addr_t* PE_() check_mingw

(

RzBinPEObj *

bin

)

Definition at line 822 of file pe_info.c.

                                                           {
    struct rz_bin_pe_addr_t *entry;
    bool sw = false;
    ut8 b[1024];
    size_t n = 0;
    if (!bin || !bin->b) {
        return 0LL;
    }
    entry = PE_(rz_bin_pe_get_entrypoint)(bin);
    ZERO_FILL(b);
    if (rz_buf_read_at(bin->b, entry->paddr, b, sizeof(b)) < 0) {
        RZ_LOG_INFO("Cannot read entry at 0x%08" PFMT64x "\n", entry->paddr);
        free(entry);
        return NULL;
    }
    // mingw
    // 55                                         push    ebp
    // 89 E5                                      mov     ebp, esp
    // 83 EC 08                                   sub     esp, 8
    // C7 04 24 01 00 00 00                       mov     dword ptr[esp], 1
    // FF 15 C8 63 41 00                          call    ds : __imp____set_app_type
    // E8 B8 FE FF FF                             call    ___mingw_CRTStartup
    if (b[0] == 0x55 && b[1] == 0x89 && b[3] == 0x83 && b[6] == 0xc7 && b[13] == 0xff && b[19] == 0xe8) {
        sw = follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, 19);
    }
    // 83 EC 1C                                   sub     esp, 1Ch
    // C7 04 24 01 00 00 00                       mov[esp + 1Ch + var_1C], 1
    // FF 15 F8 60 40 00                          call    ds : __imp____set_app_type
    // E8 6B FD FF FF                             call    ___mingw_CRTStartup
    if (b[0] == 0x83 && b[3] == 0xc7 && b[10] == 0xff && b[16] == 0xe8) {
        sw = follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, 16);
    }
    // 83 EC 0C                                            sub     esp, 0Ch
    // C7 05 F4 0A 81 00 00 00 00 00                       mov     ds : _mingw_app_type, 0
    // ED E8 3E AD 24 00                                      call    ___security_init_cookie
    // F2 83 C4 0C                                            add     esp, 0Ch
    // F5 E9 86 FC FF FF                                      jmp     ___tmainCRTStartup
    if (b[0] == 0x83 && b[3] == 0xc7 && b[13] == 0xe8 && b[18] == 0x83 && b[21] == 0xe9) {
        sw = follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, 21);
    }
    if (sw) {
        // case1:
        // from des address of call search for a1 xx xx xx xx 89 xx xx e8 xx xx xx xx
        // A1 04 50 44 00                             mov     eax, ds:dword_445004
        // 89 04 24                                   mov[esp + 28h + lpTopLevelExceptionFilter], eax
        // E8 A3 01 00 00                             call    sub_4013EE
        for (n = 0; n < sizeof(b) - 12; n++) {
            if (b[n] == 0xa1 && b[n + 5] == 0x89 && b[n + 8] == 0xe8) {
                follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, n + 8);
                return entry;
            }
        }
    }
    free(entry);
    return NULL;
}

References b, follow_offset(), free(), n, NULL, PE_, PFMT64x, rz_bin_pe_get_entrypoint(), rz_buf_read_at(), RZ_LOG_INFO, and ZERO_FILL.

Referenced by rz_bin_pe_get_main_vaddr().

check_msvcseh()

struct rz_bin_pe_addr_t* PE_() check_msvcseh

(

RzBinPEObj *

bin

)

Definition at line 623 of file pe_info.c.

                                                             {
    rz_return_val_if_fail(bin && bin->b, NULL);
    ut8 b[512];
    size_t n = 0;
    struct rz_bin_pe_addr_t *entry = PE_(rz_bin_pe_get_entrypoint)(bin);
    ZERO_FILL(b);
    if (rz_buf_read_at(bin->b, entry->paddr, b, sizeof(b)) < 0) {
        RZ_LOG_INFO("Cannot read entry at 0x%08" PFMT64x "\n", entry->paddr);
        free(entry);
        return NULL;
    }
 
    read_and_follow_jump(entry, bin->b, b, sizeof(b), bin->big_endian);
 
    // MSVC SEH
    // E8 13 09 00 00  call    0x44C388
    // E9 05 00 00 00  jmp     0x44BA7F
    if (b[0] == 0xe8 && b[5] == 0xe9) {
        if (follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, 5)) {
            // case1:
            // from des address of jmp search for 68 xx xx xx xx e8 and test xx xx xx xx = imagebase
            // 68 00 00 40 00  push    0x400000
            // E8 3E F9 FF FF  call    0x44B4FF
            ut32 imageBase = bin->nt_headers->optional_header.ImageBase;
            for (n = 0; n < sizeof(b) - 6; n++) {
                const ut32 tmp_imgbase = rz_read_ble32(b + n + 1, bin->big_endian);
                if (b[n] == 0x68 && tmp_imgbase == imageBase && b[n + 5] == 0xe8) {
                    follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, n + 5);
                    return entry;
                }
            }
            // case2:
            //  from des address of jmp search for 50 FF xx FF xx E8
            // 50            push    eax
            // FF 37             push    dword ptr[edi]
            // FF 36          push    dword ptr[esi]
            // E8 6F FC FF FF call    _main
            for (n = 0; n < sizeof(b) - 6; n++) {
                if (b[n] == 0x50 && b[n + 1] == 0xff && b[n + 3] == 0xff && b[n + 5] == 0xe8) {
                    follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, n + 5);
                    return entry;
                }
            }
            // case3:
            // 50                                         push    eax
            // FF 35 0C E2 40 00                          push    xxxxxxxx
            // FF 35 08 E2 40 00                          push    xxxxxxxx
            // E8 2B FD FF FF                             call    _main
            for (n = 0; n < sizeof(b) - 20; n++) {
                if (b[n] == 0x50 && b[n + 1] == 0xff && b[n + 7] == 0xff && b[n + 13] == 0xe8) {
                    follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, n + 13);
                    return entry;
                }
            }
            // case4:
            // 50                                        push    eax
            // 57                                        push    edi
            // FF 36                                     push    dword ptr[esi]
            // E8 D9 FD FF FF                            call    _main
            for (n = 0; n < sizeof(b) - 5; n++) {
                if (b[n] == 0x50 && b[n + 1] == 0x57 && b[n + 2] == 0xff && b[n + 4] == 0xe8) {
                    follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, n + 4);
                    return entry;
                }
            }
            // case5:
            // 57                                        push    edi
            // 56                                        push    esi
            // FF 36                                     push    dword ptr[eax]
            // E8 D9 FD FF FF                            call    _main
            for (n = 0; n < sizeof(b) - 5; n++) {
                if (b[n] == 0x57 && b[n + 1] == 0x56 && b[n + 2] == 0xff && b[n + 4] == 0xe8) {
                    follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, n + 4);
                    return entry;
                }
            }
        }
    }
 
    // MSVC 32bit debug
    if (b[3] == 0xe8) {
        // 55                    push ebp
        // 8B EC                 mov ebp, esp
        // E8 xx xx xx xx        call xxxxxxxx
        // 5D                    pop ebp
        // C3                    ret
        follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, 3);
        if (b[8] == 0xe8) {
            // 55                    push ebp
            // 8B EC                 mov ebp, esp
            // E8 xx xx xx xx        call xxxxxxxx
            // E8 xx xx xx xx        call xxxxxxxx <- Follow this
            // 5D                    pop ebp
            // C3                    ret
            follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, 8);
            for (n = 0; n < sizeof(b) - 17; n++) {
                // E8 xx xx xx xx    call sub.ucrtbased.dll__register_thread_local_exe_atexit_callback
                // 83 C4 04          add esp, 4
                // E8 xx xx xx xx    call xxxxxxxx <- Follow this
                // 89 xx xx          mov dword [xxxx], eax
                // E8 xx xx xx xx    call xxxxxxxx
                if (b[n] == 0xe8 && !memcmp(b + n + 5, "\x83\xc4\x04", 3) && b[n + 8] == 0xe8 && b[n + 13] == 0x89 && b[n + 16] == 0xe8) {
                    follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, n + 8);
                    int j, calls = 0;
                    for (j = 0; j < sizeof(b) - 4; j++) {
                        if (b[j] == 0xe8) {
                            // E8 xx xx xx xx        call xxxxxxxx
                            calls++;
                            if (calls == 4) {
                                follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, j);
                                return entry;
                            }
                        }
                    }
                }
            }
        }
    }
 
    // MSVC AMD64
    int i;
    for (i = 0; i < sizeof(b) - 14; i++) {
        if (b[i] == 0x48 && b[i + 1] == 0x83 && b[i + 2] == 0xEC) {
            break;
        }
    }
    bool found_caller = false;
    if (b[i + 13] == 0xe9) {
        // 48 83 EC 28       sub     rsp, 0x28
        // E8 xx xx xx xx    call    xxxxxxxx
        // 48 83 C4 28       add     rsp, 0x28
        // E9 xx xx xx xx    jmp     xxxxxxxx <- Follow this
        found_caller = follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, i + 13);
    } else {
        // Debug
        // 48 83 EC 28       sub     rsp, 0x28
        // E8 xx xx xx xx    call    xxxxxxxx
        // 48 83 C4 28       add     rsp, 0x28
        // C3                ret
        follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, i + 4);
        if (b[9] == 0xe8) {
            // 48 83 EC 28       sub     rsp, 0x28
            // E8 xx xx xx xx    call    xxxxxxxx
            // E8 xx xx xx xx    call    xxxxxxxx <- Follow this
            // 48 83 C4 28       add     rsp, 0x28
            // C3                ret
            follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, 9);
            if (b[0x129] == 0xe8) {
                // E8 xx xx xx xx        call xxxxxxxx
                found_caller = follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, 0x129);
            }
        }
    }
    if (found_caller) {
        // from des address of jmp, search for 4C ... 48 ... 8B ... E8
        // 4C 8B C0                    mov     r8, rax
        // 48 8B 17                    mov     rdx, qword [rdi]
        // 8B 0B                       mov     ecx, dword [rbx]
        // E8 xx xx xx xx              call    main
        // or
        // 4C 8B 44 24 28              mov r8, qword [rsp + 0x28]
        // 48 8B 54 24 30              mov rdx, qword [rsp + 0x30]
        // 8B 4C 24 20                 mov ecx, dword [rsp + 0x20]
        // E8 xx xx xx xx              call    main
        for (n = 0; n < sizeof(b) - 13; n++) {
            if (b[n] == 0x4c && b[n + 3] == 0x48 && b[n + 6] == 0x8b && b[n + 8] == 0xe8) {
                follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, n + 8);
                return entry;
            } else if (b[n] == 0x4c && b[n + 5] == 0x48 && b[n + 10] == 0x8b && b[n + 14] == 0xe8) {
                follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, n + 14);
                return entry;
            }
        }
    }
    // Microsoft Visual-C
    //  50                  push eax
    //  FF 75 9C            push dword [ebp - local_64h]
    //  56                  push    esi
    //  56                  push    esi
    //  FF 15 CC C0  44 00  call dword [sym.imp.KERNEL32.dll_GetModuleHandleA]
    //  50                  push    eax
    //  E8 DB DA 00 00      call    main
    //  89 45 A0            mov dword [ebp - local_60h], eax
    //  50                  push    eax
    //  E8 2D 00 00  00     call 0x4015a6
    if (b[188] == 0x50 && b[201] == 0xe8) {
        follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, 201);
        return entry;
    }
 
    if (b[292] == 0x50 && b[303] == 0xe8) {
        follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, 303);
        return entry;
    }
 
    free(entry);
    return NULL;
}

References b, follow_offset(), free(), i, n, NULL, PE_, PFMT64x, read_and_follow_jump(), rz_bin_pe_get_entrypoint(), rz_buf_read_at(), RZ_LOG_INFO, rz_read_ble32(), rz_return_val_if_fail, and ZERO_FILL.

Referenced by rz_bin_pe_get_main_vaddr().

check_unknow()

struct rz_bin_pe_addr_t* PE_() check_unknow

(

RzBinPEObj *

bin

)

Definition at line 879 of file pe_info.c.

                                                            {
    struct rz_bin_pe_addr_t *entry;
    if (!bin || !bin->b) {
        return 0LL;
    }
    ut8 b[512];
    ZERO_FILL(b);
    entry = PE_(rz_bin_pe_get_entrypoint)(bin);
    // option2: /x 8bff558bec83ec20
    if (rz_buf_read_at(bin->b, entry->paddr, b, 512) < 1) {
        RZ_LOG_INFO("Cannot read entry at 0x%08" PFMT64x "\n", entry->paddr);
        free(entry);
        return NULL;
    }
    /* Decode the jmp instruction, this gets the address of the 'main'
       function for PE produced by a compiler whose name someone forgot to
       write down. */
    // this is dirty only a single byte check, can return false positives
    if (b[367] == 0xe8) {
        follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, 367);
        return entry;
    }
    size_t i;
    for (i = 0; i < 512 - 16; i++) {
        // 5. ff 15 .. .. .. .. 50 e8 [main]
        if (!memcmp(b + i, "\xff\x15", 2)) {
            if (b[i + 6] == 0x50) {
                if (b[i + 7] == 0xe8) {
                    follow_offset(entry, bin->b, b, sizeof(b), bin->big_endian, i + 7);
                    return entry;
                }
            }
        }
    }
    free(entry);
    return NULL;
}

References b, follow_offset(), free(), i, NULL, PE_, PFMT64x, rz_bin_pe_get_entrypoint(), rz_buf_read_at(), RZ_LOG_INFO, and ZERO_FILL.

Referenced by rz_bin_pe_get_main_vaddr().

free_security_directory()

void PE_() free_security_directory

(

Pe_image_security_directory *

security_directory

)

Definition at line 156 of file pe_security.c.

                                                                                   {
    if (!security_directory) {
        return;
    }
    size_t numCert = 0;
    for (; numCert < security_directory->length; numCert++) {
        free(security_directory->certificates[numCert]);
    }
    free(security_directory->certificates);
    free(security_directory);
}

References free().

Referenced by rz_bin_pe_free().

PE_()

struct PE_

(

rz_bin_pe_obj_t

)

Definition at line 1 of file pe.h.

                            {
    // these pointers contain a copy of the headers and sections!
    PE_(image_dos_header) * dos_header;
    PE_(image_nt_headers) * nt_headers;
    PE_(image_optional_header) * optional_header; // not free this just pointer into nt_headers
    PE_(image_data_directory) * data_directory; // not free this just pointer into nt_headers
    PE_(image_section_header) * section_header;
    PE_(image_export_directory) * export_directory;
    PE_(image_import_directory) * import_directory;
    PE_(image_tls_directory) * tls_directory;
    Pe_image_resource_directory *resource_directory;
    PE_(image_delay_import_directory) * delay_import_directory;
    Pe_image_security_directory *security_directory;
 
    Pe_image_clr *clr; // dotnet information
 
    /* store the section information for future use */
    struct rz_bin_pe_section_t *sections;
 
    // these values define the real offset into the untouched binary
    ut64 rich_header_offset;
    ut64 nt_header_offset;
    ut64 section_header_offset;
    ut64 import_directory_offset;
    ut64 export_directory_offset;
    ut64 resource_directory_offset;
    ut64 delay_import_directory_offset;
 
    int import_directory_size;
    ut64 size;
    int num_sections;
    int endian;
    bool verbose;
    int big_endian;
    RzList *rich_entries;
    RzList *relocs;
    RzList *resources; // RzList of rz_pe_resources
    const char *file;
    RzBuffer *b;
    Sdb *kv;
    RCMS *cms;
    SpcIndirectDataContent *spcinfo;
    char *authentihash;
    bool is_authhash_valid;
    bool is_signed;
    RzHash *hash;
};

read_image_delay_import_directory()

int PE_() read_image_delay_import_directory	(	RzBuffer *	b,
		ut64	addr,
		PE_(image_delay_import_directory) *	directory
	)

Definition at line 24 of file pe_imports.c.

                                                                                                                  {
    st64 o_addr = rz_buf_seek(b, 0, RZ_BUF_CUR);
    if (rz_buf_seek(b, addr, RZ_BUF_SET) < 0) {
        return -1;
    }
    ut8 buf[sizeof(PE_(image_delay_import_directory))];
    rz_buf_read(b, buf, sizeof(buf));
    PE_READ_STRUCT_FIELD(directory, PE_(image_delay_import_directory), Attributes, 32);
    PE_READ_STRUCT_FIELD(directory, PE_(image_delay_import_directory), Name, 32);
    PE_READ_STRUCT_FIELD(directory, PE_(image_delay_import_directory), ModulePlugin, 32);
    PE_READ_STRUCT_FIELD(directory, PE_(image_delay_import_directory), DelayImportAddressTable, 32);
    PE_READ_STRUCT_FIELD(directory, PE_(image_delay_import_directory), DelayImportNameTable, 32);
    PE_READ_STRUCT_FIELD(directory, PE_(image_delay_import_directory), BoundDelayImportTable, 32);
    PE_READ_STRUCT_FIELD(directory, PE_(image_delay_import_directory), UnloadDelayImportTable, 32);
    PE_READ_STRUCT_FIELD(directory, PE_(image_delay_import_directory), TimeStamp, 32);
    rz_buf_seek(b, o_addr, RZ_BUF_SET);
    return sizeof(PE_(image_delay_import_directory));
}

References addr, b, regress::directory, PE_, PE_READ_STRUCT_FIELD, RZ_BUF_CUR, rz_buf_read(), rz_buf_seek(), RZ_BUF_SET, and st64.

Referenced by bin_pe_init_imports(), rz_bin_pe_get_imports(), and rz_bin_pe_get_libs().

read_image_import_directory()

int PE_() read_image_import_directory	(	RzBuffer *	b,
		ut64	addr,
		PE_(image_import_directory) *	import_dir
	)

Definition at line 8 of file pe_imports.c.

                                                                                                       {
    st64 o_addr = rz_buf_seek(b, 0, RZ_BUF_CUR);
    if (rz_buf_seek(b, addr, RZ_BUF_SET) < 0) {
        return -1;
    }
    ut8 buf[sizeof(PE_(image_import_directory))];
    rz_buf_read(b, buf, sizeof(buf));
    PE_READ_STRUCT_FIELD(import_dir, PE_(image_import_directory), Characteristics, 32);
    PE_READ_STRUCT_FIELD(import_dir, PE_(image_import_directory), TimeDateStamp, 32);
    PE_READ_STRUCT_FIELD(import_dir, PE_(image_import_directory), ForwarderChain, 32);
    PE_READ_STRUCT_FIELD(import_dir, PE_(image_import_directory), Name, 32);
    PE_READ_STRUCT_FIELD(import_dir, PE_(image_import_directory), FirstThunk, 32);
    rz_buf_seek(b, o_addr, RZ_BUF_SET);
    return sizeof(PE_(image_import_directory));
}

References addr, b, PE_, PE_READ_STRUCT_FIELD, RZ_BUF_CUR, rz_buf_read(), rz_buf_seek(), RZ_BUF_SET, and st64.

Referenced by bin_pe_init_imports(), rz_bin_pe_get_imports(), and rz_bin_pe_get_libs().

rz_bin_pe_check_sections()

void PE_() rz_bin_pe_check_sections	(	RzBinPEObj *	bin,
		struct rz_bin_pe_section_t **	sects
	)

Definition at line 10 of file pe_section.c.

                                                                                        {
    int i = 0;
    struct rz_bin_pe_section_t *sections = *sects;
    ut64 addr_beg, addr_end, new_section_size, new_perm, base_addr;
    struct rz_bin_pe_addr_t *entry = PE_(rz_bin_pe_get_entrypoint)(bin);
 
    if (!entry) {
        return;
    }
    new_section_size = bin->size;
    new_section_size -= entry->paddr > bin->size ? 0 : entry->paddr;
    new_perm = (PE_IMAGE_SCN_MEM_READ | PE_IMAGE_SCN_MEM_WRITE | PE_IMAGE_SCN_MEM_EXECUTE);
    base_addr = PE_(rz_bin_pe_get_image_base)(bin);
 
    for (i = 0; !sections[i].last; i++) {
        // strcmp against .text doesn't work in somes cases
        if (strstr((const char *)sections[i].name, "text")) {
            bool fix = false;
            int j;
            // check paddr boundaries
            addr_beg = sections[i].paddr;
            addr_end = addr_beg + sections[i].size;
            if (entry->paddr < addr_beg || entry->paddr > addr_end) {
                fix = true;
            }
            // check vaddr boundaries
            addr_beg = sections[i].vaddr + base_addr;
            addr_end = addr_beg + sections[i].vsize;
            if (entry->vaddr < addr_beg || entry->vaddr > addr_end) {
                fix = true;
            }
            // look for other segment with x that is already mapped and hold entrypoint
            for (j = 0; !sections[j].last; j++) {
                addr_beg = sections[j].paddr;
                addr_end = addr_beg + sections[j].size;
                if (addr_beg <= entry->paddr && entry->paddr < addr_end) {
                    if (!sections[j].vsize) {
                        sections[j].vsize = sections[j].size;
                    }
                    addr_beg = sections[j].vaddr + base_addr;
                    addr_end = addr_beg + sections[j].vsize;
                    if (addr_beg <= entry->vaddr || entry->vaddr < addr_end) {
                        if (!(sections[j].perm & PE_IMAGE_SCN_MEM_EXECUTE)) {
                            if (bin->verbose) {
                                RZ_LOG_ERROR("Found entrypoint in non-executable section.\n");
                            }
                            sections[j].perm |= PE_IMAGE_SCN_MEM_EXECUTE;
                        }
                        fix = false;
                        break;
                    }
                }
            }
            // if either vaddr or paddr fail we should update this section
            if (fix) {
                strcpy((char *)sections[i].name, "blob");
                sections[i].paddr = entry->paddr;
                sections[i].vaddr = entry->vaddr - base_addr;
                sections[i].size = sections[i].vsize = new_section_size;
                sections[i].perm = new_perm;
            }
            goto out_function;
        }
    }
    // if we arrive til here means there is no text section find one that is holding the code
    for (i = 0; !sections[i].last; i++) {
        if (sections[i].size > bin->size) {
            continue;
        }
        addr_beg = sections[i].paddr;
        addr_end = addr_beg + sections[i].size;
        if (addr_beg <= entry->paddr && entry->paddr < addr_end) {
            if (!sections[i].vsize) {
                sections[i].vsize = sections[i].size;
            }
            addr_beg = sections[i].vaddr + base_addr;
            addr_end = addr_beg + sections[i].vsize;
            if (entry->vaddr < addr_beg || entry->vaddr > addr_end) {
                sections[i].vaddr = entry->vaddr - base_addr;
            }
            goto out_function;
        }
    }
    // we need to create another section in order to load the entrypoint
    void *ss = realloc(sections, (bin->num_sections + 2) * sizeof(struct rz_bin_pe_section_t));
    if (!ss) {
        goto out_function;
    }
    bin->sections = sections = ss;
    i = bin->num_sections;
    sections[i].last = 0;
    strcpy((char *)sections[i].name, "blob");
    sections[i].paddr = entry->paddr;
    sections[i].vaddr = entry->vaddr - base_addr;
    sections[i].size = sections[i].vsize = new_section_size;
    sections[i].perm = new_perm;
    sections[i + 1].last = 1;
    *sects = sections;
out_function:
    free(entry);
    return;
}

References free(), i, rz_bin_pe_addr_t::paddr, PE_, PE_IMAGE_SCN_MEM_EXECUTE, PE_IMAGE_SCN_MEM_READ, PE_IMAGE_SCN_MEM_WRITE, realloc(), rz_bin_pe_get_entrypoint(), rz_bin_pe_get_image_base(), RZ_LOG_ERROR, sections(), ut64(), and rz_bin_pe_addr_t::vaddr.

Referenced by rz_bin_mdmp_pe_get_sections().

rz_bin_pe_free()

void* PE_() rz_bin_pe_free

(

RzBinPEObj *

bin

)

Definition at line 88 of file pe.c.

                                           {
    if (!bin) {
        return NULL;
    }
    free(bin->dos_header);
    free(bin->nt_headers);
    free(bin->section_header);
    free(bin->export_directory);
    free(bin->import_directory);
    free(bin->resource_directory);
    PE_(free_security_directory)
    (bin->security_directory);
    free(bin->delay_import_directory);
    bin_pe_dotnet_destroy_clr(bin->clr);
    free(bin->tls_directory);
    free(bin->sections);
    free(bin->authentihash);
    rz_list_free(bin->rich_entries);
    rz_list_free(bin->resources);
    rz_pkcs7_free_cms(bin->cms);
    rz_pkcs7_free_spcinfo(bin->spcinfo);
    rz_hash_free(bin->hash);
    rz_buf_free(bin->b);
    bin->b = NULL;
    free(bin);
    return NULL;
}

References bin_pe_dotnet_destroy_clr(), free(), free_security_directory(), NULL, PE_, rz_buf_free(), rz_hash_free(), rz_list_free(), rz_pkcs7_free_cms(), and rz_pkcs7_free_spcinfo().

Referenced by rz_bin_pe_new_buf(), rz_bin_pemixed_free(), rz_bin_pemixed_from_bytes_new(), and rz_bin_pemixed_init_dos().

rz_bin_pe_get_arch()

char* PE_() rz_bin_pe_get_arch

(

RzBinPEObj *

bin

)

Definition at line 114 of file pe_info.c.

                                               {
    char *arch;
    if (!bin || !bin->nt_headers) {
        return strdup("x86");
    }
    switch (bin->nt_headers->file_header.Machine) {
    case PE_IMAGE_FILE_MACHINE_ALPHA:
    case PE_IMAGE_FILE_MACHINE_ALPHA64:
        arch = strdup("alpha");
        break;
    case PE_IMAGE_FILE_MACHINE_ARM:
    case PE_IMAGE_FILE_MACHINE_ARMNT:
    case PE_IMAGE_FILE_MACHINE_THUMB:
        arch = strdup("arm");
        break;
    case PE_IMAGE_FILE_MACHINE_M68K:
        arch = strdup("m68k");
        break;
    case PE_IMAGE_FILE_MACHINE_MIPS16:
    case PE_IMAGE_FILE_MACHINE_MIPSFPU:
    case PE_IMAGE_FILE_MACHINE_MIPSFPU16:
    case PE_IMAGE_FILE_MACHINE_WCEMIPSV2:
        arch = strdup("mips");
        break;
    case PE_IMAGE_FILE_MACHINE_POWERPC:
    case PE_IMAGE_FILE_MACHINE_POWERPCFP:
        arch = strdup("ppc");
        break;
    case PE_IMAGE_FILE_MACHINE_EBC:
        arch = strdup("ebc");
        break;
    case PE_IMAGE_FILE_MACHINE_ARM64:
        arch = strdup("arm");
        break;
    case PE_IMAGE_FILE_MACHINE_RISCV32:
    case PE_IMAGE_FILE_MACHINE_RISCV64:
    case PE_IMAGE_FILE_MACHINE_RISCV128:
        arch = strdup("riscv");
        break;
    default:
        arch = strdup("x86");
    }
    return arch;
}

References arch, PE_IMAGE_FILE_MACHINE_ALPHA, PE_IMAGE_FILE_MACHINE_ALPHA64, PE_IMAGE_FILE_MACHINE_ARM, PE_IMAGE_FILE_MACHINE_ARM64, PE_IMAGE_FILE_MACHINE_ARMNT, PE_IMAGE_FILE_MACHINE_EBC, PE_IMAGE_FILE_MACHINE_M68K, PE_IMAGE_FILE_MACHINE_MIPS16, PE_IMAGE_FILE_MACHINE_MIPSFPU, PE_IMAGE_FILE_MACHINE_MIPSFPU16, PE_IMAGE_FILE_MACHINE_POWERPC, PE_IMAGE_FILE_MACHINE_POWERPCFP, PE_IMAGE_FILE_MACHINE_RISCV128, PE_IMAGE_FILE_MACHINE_RISCV32, PE_IMAGE_FILE_MACHINE_RISCV64, PE_IMAGE_FILE_MACHINE_THUMB, PE_IMAGE_FILE_MACHINE_WCEMIPSV2, and strdup().

rz_bin_pe_get_bits()

int PE_() rz_bin_pe_get_bits

(

RzBinPEObj *

bin

)

Definition at line 306 of file pe_info.c.

                                             {
    int bits = 32;
    if (bin && bin->nt_headers) {
        if (is_arm(bin) && is_thumb(bin)) {
            bits = 16;
        } else {
            switch (bin->nt_headers->optional_header.Magic) {
            case PE_IMAGE_FILE_TYPE_PE32: bits = 32; break;
            case PE_IMAGE_FILE_TYPE_PE32PLUS: bits = 64; break;
            default: bits = -1;
            }
        }
    }
    return bits;
}

References bits(), is_arm(), is_thumb(), PE_IMAGE_FILE_TYPE_PE32, and PE_IMAGE_FILE_TYPE_PE32PLUS.

rz_bin_pe_get_cc()

char* PE_() rz_bin_pe_get_cc

(

RzBinPEObj *

bin

)

Definition at line 201 of file pe_info.c.

                                             {
    if (bin && bin->nt_headers) {
        if (is_arm(bin)) {
            if (is_thumb(bin)) {
                return strdup("arm16");
            }
            switch (bin->nt_headers->optional_header.Magic) {
            case PE_IMAGE_FILE_TYPE_PE32: return strdup("arm32");
            case PE_IMAGE_FILE_TYPE_PE32PLUS: return strdup("arm64");
            }
        } else {
            switch (bin->nt_headers->optional_header.Magic) {
            case PE_IMAGE_FILE_TYPE_PE32: return strdup("cdecl");
            case PE_IMAGE_FILE_TYPE_PE32PLUS: return strdup("ms");
            }
        }
    }
    return NULL;
}

References is_arm(), is_thumb(), NULL, PE_IMAGE_FILE_TYPE_PE32, PE_IMAGE_FILE_TYPE_PE32PLUS, and strdup().

rz_bin_pe_get_class()

char* PE_() rz_bin_pe_get_class

(

RzBinPEObj *

bin

)

Definition at line 103 of file pe_info.c.

                                                {
    if (bin && bin->nt_headers) {
        switch (bin->nt_headers->optional_header.Magic) {
        case PE_IMAGE_FILE_TYPE_PE32: return strdup("PE32");
        case PE_IMAGE_FILE_TYPE_PE32PLUS: return strdup("PE32+");
        default: return strdup("Unknown");
        }
    }
    return NULL;
}

References NULL, PE_IMAGE_FILE_TYPE_PE32, PE_IMAGE_FILE_TYPE_PE32PLUS, and strdup().

rz_bin_pe_get_clr_methoddef_offset()

ut64 PE_() rz_bin_pe_get_clr_methoddef_offset	(	RzBinPEObj *	bin,
		Pe_image_metadata_methoddef *	methoddef
	)

Definition at line 104 of file pe_clr.c.

                                                                                                      {
    if (!bin || !bin->clr || !methoddef) {
        return UT64_MAX;
    }
 
    RzBinSymbol sym;
    sym.vaddr = PE_(bin_pe_rva_to_va)(bin, methoddef->rva);
    sym.paddr = PE_(bin_pe_rva_to_paddr)(bin, methoddef->rva);
 
    if (!(methoddef->implflags & 0x01) && methoddef->rva) { // not native
        if (bin_pe_dotnet_read_method_header(bin->clr, bin->b, &sym) < 0) {
            return UT64_MAX;
        }
    }
 
    return sym.vaddr;
}

References bin_pe_dotnet_read_method_header(), bin_pe_rva_to_paddr(), bin_pe_rva_to_va(), rz_bin_symbol_t::paddr, PE_, UT64_MAX, and rz_bin_symbol_t::vaddr.

rz_bin_pe_get_clr_symbols()

RZ_OWN RzList* PE_() rz_bin_pe_get_clr_symbols

(

RzBinPEObj *

bin

)

Definition at line 8 of file pe_clr.c.

                                                                 {
    if (!bin || !bin->clr || !bin->clr->methoddefs) {
        return NULL;
    }
    RzList /* RzBinSymbol */ *methods = rz_list_newf((RzListFree)rz_bin_symbol_free);
    if (!methods) {
        return NULL;
    }
 
    // Namespace and classes
 
    // Each typedef contains a methodlist field which indexes into
    // the MethodDef table and marks the start of methods
    // belonging to that type
 
    // In order to determine the end of the methods of that type,
    // we mark the start of the next run with `type_methods_end`
    RzListIter *type_it = rz_list_iterator(bin->clr->typedefs);
 
    char *type_name = NULL;
    char *type_namespace = NULL;
 
    ut32 type_methods_start = rz_pvector_len(bin->clr->methoddefs) + 1;
    ut32 type_methods_end = type_methods_start;
 
    if (type_it) {
        Pe_image_metadata_typedef *typedef_ = type_it->data;
        type_name = rz_buf_get_string(bin->clr->strings, typedef_->name);
        type_namespace = rz_buf_get_string(bin->clr->strings, typedef_->namespace);
 
        type_methods_start = ((Pe_image_metadata_typedef *)type_it->data)->methodlist;
        type_methods_end = rz_pvector_len(bin->clr->methoddefs) + 1;
 
        type_it = type_it->n;
        if (type_it) {
            type_methods_end = ((Pe_image_metadata_typedef *)type_it->data)->methodlist;
        }
    }
 
    int i = 1;
    void **it;
    rz_pvector_foreach (bin->clr->methoddefs, it) {
        Pe_image_metadata_methoddef *methoddef = *it;
 
        if ((type_name || type_namespace) && i >= type_methods_start && i >= type_methods_end) {
            // Update class and namespace
            free(type_name);
            free(type_namespace);
 
            Pe_image_metadata_typedef *typedef_ = type_it->data;
            type_name = rz_buf_get_string(bin->clr->strings, typedef_->name);
            type_namespace = rz_buf_get_string(bin->clr->strings, typedef_->namespace);
 
            // Update next end
            type_it = type_it->n;
            if (type_it) {
                type_methods_end = ((Pe_image_metadata_typedef *)type_it->data)->methodlist;
            } else {
                type_methods_end = rz_pvector_len(bin->clr->methoddefs) + 1;
            }
        }
 
        RzBinSymbol *sym;
        if (!(sym = RZ_NEW0(RzBinSymbol))) {
            break;
        }
        char *name = rz_buf_get_string(bin->clr->strings, methoddef->name);
        sym->name = rz_str_newf("%s%s%s::%s",
            type_namespace ? type_namespace : "",
            type_namespace && type_namespace[0] != '\x00' ? "::" : "", // separator
            type_name ? type_name : "",
            name ? name : "");
        free(name);
 
        sym->type = RZ_BIN_TYPE_FUNC_STR;
        sym->vaddr = PE_(bin_pe_rva_to_va)(bin, methoddef->rva);
        sym->paddr = PE_(bin_pe_rva_to_paddr)(bin, methoddef->rva);
 
        if (!(methoddef->implflags & 0x01) && methoddef->rva) { // not native
            if (bin_pe_dotnet_read_method_header(bin->clr, bin->b, sym) < 0) {
                free(sym);
                break;
            }
        }
 
        rz_list_append(methods, sym);
        i++;
    }
 
    // Cleanup class / namespace strings
    free(type_name);
    free(type_namespace);
 
    return methods;
}

References bin_pe_dotnet_read_method_header(), bin_pe_rva_to_paddr(), bin_pe_rva_to_va(), rz_list_iter_t::data, free(), i, Pe_image_metadata_methoddef::implflags, rz_list_iter_t::n, Pe_image_metadata_methoddef::name, Pe_image_metadata_typedef::name, rz_bin_symbol_t::name, NULL, rz_bin_symbol_t::paddr, PE_, Pe_image_metadata_methoddef::rva, rz_bin_symbol_free(), RZ_BIN_TYPE_FUNC_STR, rz_buf_get_string(), rz_list_append(), rz_list_iterator(), rz_list_newf(), RZ_NEW0, rz_pvector_foreach, rz_pvector_len(), rz_str_newf(), rz_bin_symbol_t::type, and rz_bin_symbol_t::vaddr.

rz_bin_pe_get_debug_data()

int PE_() rz_bin_pe_get_debug_data	(	RzBinPEObj *	bin,
		SDebugInfo *	res
	)

Definition at line 158 of file pe_debug.c.

                                                                    {
    PE_(image_debug_directory_entry)
    img_dbg_dir_entry = { 0 };
    PE_(image_data_directory) *dbg_dir = NULL;
    PE_DWord dbg_dir_offset;
    ut8 *dbg_data = 0;
    int result = 0;
    if (!bin) {
        return 0;
    }
    dbg_dir = &bin->nt_headers->optional_header.DataDirectory[6 /*IMAGE_DIRECTORY_ENTRY_DEBUG*/];
    dbg_dir_offset = PE_(bin_pe_rva_to_paddr)(bin, dbg_dir->VirtualAddress);
    if ((int)dbg_dir_offset < 0 || dbg_dir_offset >= bin->size) {
        return false;
    }
    if (dbg_dir_offset >= rz_buf_size(bin->b)) {
        return false;
    }
    read_image_debug_directory_entry(bin->b, dbg_dir_offset, &img_dbg_dir_entry);
    if ((rz_buf_size(bin->b) - dbg_dir_offset) < sizeof(PE_(image_debug_directory_entry))) {
        return false;
    }
    ut32 dbg_data_poff = RZ_MIN(img_dbg_dir_entry.PointerToRawData, rz_buf_size(bin->b));
    int dbg_data_len = RZ_MIN(img_dbg_dir_entry.SizeOfData, rz_buf_size(bin->b) - dbg_data_poff);
    if (dbg_data_len < 1) {
        return false;
    }
    dbg_data = (ut8 *)calloc(1, dbg_data_len + 1);
    if (dbg_data) {
        rz_buf_read_at(bin->b, dbg_data_poff, dbg_data, dbg_data_len);
        result = get_debug_info(bin, &img_dbg_dir_entry, dbg_data, dbg_data_len, res);
        RZ_FREE(dbg_data);
    }
    return result;
}

References bin_pe_rva_to_paddr(), calloc(), get_debug_info(), NULL, PE_, PE_DWord, read_image_debug_directory_entry(), rz_buf_read_at(), rz_buf_size(), RZ_FREE, and RZ_MIN.

rz_bin_pe_get_entrypoint()

struct rz_bin_pe_addr_t* PE_() rz_bin_pe_get_entrypoint

(

RzBinPEObj *

bin

)

Definition at line 509 of file pe_info.c.

                                                                        {
    struct rz_bin_pe_addr_t *entry = NULL;
    static bool debug = false;
    int i;
    ut64 base_addr = PE_(rz_bin_pe_get_image_base)(bin);
    if (!bin || !bin->optional_header) {
        return NULL;
    }
    if (!(entry = malloc(sizeof(struct rz_bin_pe_addr_t)))) {
        rz_sys_perror("malloc (entrypoint)");
        return NULL;
    }
    PE_DWord pe_entry = bin->optional_header->AddressOfEntryPoint;
    entry->vaddr = PE_(bin_pe_rva_to_va)(bin, pe_entry);
    entry->paddr = PE_(bin_pe_rva_to_paddr)(bin, pe_entry);
    // haddr is the address of AddressOfEntryPoint in header.
    entry->haddr = bin->dos_header->e_lfanew + 4 + sizeof(PE_(image_file_header)) + 16;
 
    if (entry->paddr >= bin->size) {
        struct rz_bin_pe_section_t *sections = bin->sections;
        ut64 paddr = 0;
        if (!debug) {
            RZ_LOG_INFO("Invalid entrypoint ... "
                    "trying to fix it but i do not promise nothing\n");
        }
        for (i = 0; i < bin->num_sections; i++) {
            if (sections[i].perm & PE_IMAGE_SCN_MEM_EXECUTE) {
                entry->paddr = sections[i].paddr;
                entry->vaddr = sections[i].vaddr + base_addr;
                paddr = 1;
                break;
            }
        }
        if (!paddr) {
            ut64 min_off = -1;
            for (i = 0; i < bin->num_sections; i++) {
                // get the lowest section's paddr
                if (sections[i].paddr < min_off) {
                    entry->paddr = sections[i].paddr;
                    entry->vaddr = sections[i].vaddr + base_addr;
                    min_off = sections[i].paddr;
                }
            }
            if (min_off == -1) {
                // no section just a hack to try to fix entrypoint
                // maybe doesn't work always
                int sa = RZ_MAX(bin->optional_header->SectionAlignment, 0x1000);
                entry->paddr = pe_entry & ((sa << 1) - 1);
                entry->vaddr = entry->paddr + base_addr;
            }
        }
    }
    if (!entry->paddr) {
        if (!debug) {
            RZ_LOG_INFO("NULL entrypoint\n");
        }
        struct rz_bin_pe_section_t *sections = bin->sections;
        for (i = 0; i < bin->num_sections; i++) {
            // If there is a section with x without w perm is a good candidate to be the entrypoint
            if (sections[i].perm & PE_IMAGE_SCN_MEM_EXECUTE && !(sections[i].perm & PE_IMAGE_SCN_MEM_WRITE)) {
                entry->paddr = sections[i].paddr;
                entry->vaddr = sections[i].vaddr + base_addr;
                break;
            }
        }
    }
 
    if (is_arm(bin) && entry->vaddr & 1) {
        entry->vaddr--;
        if (entry->paddr & 1) {
            entry->paddr--;
        }
    }
    if (!debug) {
        debug = true;
    }
    return entry;
}

References bin_pe_rva_to_paddr(), bin_pe_rva_to_va(), debug, i, is_arm(), malloc(), NULL, rz_bin_pe_section_t::paddr, PE_, PE_DWord, PE_IMAGE_SCN_MEM_EXECUTE, PE_IMAGE_SCN_MEM_WRITE, rz_bin_pe_section_t::perm, rz_bin_pe_get_image_base(), RZ_LOG_INFO, RZ_MAX, rz_sys_perror, sections(), and ut64().

Referenced by check_mingw(), check_msvcseh(), check_unknow(), rz_bin_mdmp_pe_get_entrypoint(), and rz_bin_pe_check_sections().

rz_bin_pe_get_exports()

struct rz_bin_pe_export_t* PE_() rz_bin_pe_get_exports

(

RzBinPEObj *

bin

)

Definition at line 162 of file pe_exports.c.

                                                                       {
    rz_return_val_if_fail(bin, NULL);
    struct rz_bin_pe_export_t *exp, *exports = NULL;
    PE_Word function_ordinal = 0;
    PE_VWord functions_paddr, names_paddr, ordinals_paddr, function_rva, name_vaddr, name_paddr;
    char function_name[PE_NAME_LENGTH + 1], forwarder_name[PE_NAME_LENGTH + 1];
    char dll_name[PE_NAME_LENGTH + 1];
    PE_(image_data_directory) * data_dir_export;
    PE_VWord export_dir_rva;
    int n, i, export_dir_size;
    st64 exports_sz = 0;
 
    if (!bin->data_directory) {
        return NULL;
    }
    data_dir_export = &bin->data_directory[PE_IMAGE_DIRECTORY_ENTRY_EXPORT];
    export_dir_rva = data_dir_export->VirtualAddress;
    export_dir_size = data_dir_export->Size;
    PE_VWord *func_rvas = NULL;
    PE_Word *ordinals = NULL;
    if (bin->export_directory) {
        if (bin->export_directory->NumberOfFunctions + 1 <
            bin->export_directory->NumberOfFunctions) {
            // avoid integer overflow
            return NULL;
        }
        exports_sz = (bin->export_directory->NumberOfFunctions + 1) * sizeof(struct rz_bin_pe_export_t);
        // we cant exit with export_sz > bin->size, us rz_bin_pe_export_t is 256+256+8+8+8+4 bytes is easy get over file size
        // to avoid fuzzing we can abort on export_directory->NumberOfFunctions>0xffff
        if (exports_sz < 0 || bin->export_directory->NumberOfFunctions + 1 > 0xffff) {
            return NULL;
        }
        if (!(exports = malloc(exports_sz))) {
            return NULL;
        }
        if (rz_buf_read_at(bin->b, PE_(bin_pe_rva_to_paddr)(bin, bin->export_directory->Name), (ut8 *)dll_name, PE_NAME_LENGTH) < 1) {
            // we dont stop if dll name cant be read, we set dllname to null and continue
            RZ_LOG_INFO("read (dll name)\n");
            dll_name[0] = '\0';
        }
        functions_paddr = PE_(bin_pe_rva_to_paddr)(bin, bin->export_directory->AddressOfFunctions);
        names_paddr = PE_(bin_pe_rva_to_paddr)(bin, bin->export_directory->AddressOfNames);
        ordinals_paddr = PE_(bin_pe_rva_to_paddr)(bin, bin->export_directory->AddressOfOrdinals);
 
        const size_t names_sz = bin->export_directory->NumberOfNames * sizeof(PE_Word);
        const size_t funcs_sz = bin->export_directory->NumberOfFunctions * sizeof(PE_VWord);
        ordinals = malloc(names_sz);
        func_rvas = malloc(funcs_sz);
        if (!ordinals || !func_rvas) {
            goto beach;
        }
        int r = rz_buf_read_at(bin->b, ordinals_paddr, (ut8 *)ordinals, names_sz);
        if (r != names_sz) {
            goto beach;
        }
        r = rz_buf_read_at(bin->b, functions_paddr, (ut8 *)func_rvas, funcs_sz);
        if (r != funcs_sz) {
            goto beach;
        }
        for (i = 0; i < bin->export_directory->NumberOfFunctions; i++) {
            // get vaddr from AddressOfFunctions array
            function_rva = rz_read_at_ble32((ut8 *)func_rvas, i * sizeof(PE_VWord), bin->endian);
            // have exports by name?
            if (bin->export_directory->NumberOfNames > 0) {
                // search for value of i into AddressOfOrdinals
                name_vaddr = 0;
                for (n = 0; n < bin->export_directory->NumberOfNames; n++) {
                    PE_Word fo = rz_read_at_ble16((ut8 *)ordinals, n * sizeof(PE_Word), bin->endian);
                    // if exist this index into AddressOfOrdinals
                    if (i == fo) {
                        function_ordinal = fo;
                        // get the VA of export name  from AddressOfNames
                        if (!rz_buf_read_le32_at(bin->b, names_paddr + n * sizeof(PE_VWord), &name_vaddr)) {
                            goto beach;
                        }
                        break;
                    }
                }
                // have an address into name_vaddr?
                if (name_vaddr) {
                    // get the name of the Export
                    name_paddr = PE_(bin_pe_rva_to_paddr)(bin, name_vaddr);
                    if (rz_buf_read_at(bin->b, name_paddr, (ut8 *)function_name, PE_NAME_LENGTH) < 1) {
                        RZ_LOG_INFO("read (function name)\n");
                        exports[i].last = 1;
                        return exports;
                    }
                } else { // No name export, get the ordinal
                    function_ordinal = i;
                    snprintf(function_name, PE_NAME_LENGTH, "Ordinal_%i", i + bin->export_directory->Base);
                }
            } else { // if export by name dont exist, get the ordinal taking in mind the Base value.
                snprintf(function_name, PE_NAME_LENGTH, "Ordinal_%i", i + bin->export_directory->Base);
            }
            // check if VA are into export directory, this mean a forwarder export
            if (function_rva >= export_dir_rva && function_rva < (export_dir_rva + export_dir_size)) {
                // if forwarder, the VA point to Forwarded name
                if (rz_buf_read_at(bin->b, PE_(bin_pe_rva_to_paddr)(bin, function_rva), (ut8 *)forwarder_name, PE_NAME_LENGTH) < 1) {
                    exports[i].last = 1;
                    return exports;
                }
            } else { // no forwarder export
                snprintf(forwarder_name, PE_NAME_LENGTH, "NONE");
            }
            dll_name[PE_NAME_LENGTH] = '\0';
            function_name[PE_NAME_LENGTH] = '\0';
            exports[i].vaddr = PE_(bin_pe_rva_to_va)(bin, function_rva);
            exports[i].paddr = PE_(bin_pe_rva_to_paddr)(bin, function_rva);
            exports[i].ordinal = function_ordinal + bin->export_directory->Base;
            memcpy(exports[i].forwarder, forwarder_name, PE_NAME_LENGTH);
            exports[i].forwarder[PE_NAME_LENGTH] = '\0';
            memcpy(exports[i].name, function_name, PE_NAME_LENGTH);
            exports[i].name[PE_NAME_LENGTH] = '\0';
            memcpy(exports[i].libname, dll_name, PE_NAME_LENGTH);
            exports[i].libname[PE_NAME_LENGTH] = '\0';
            exports[i].last = 0;
        }
        exports[i].last = 1;
        free(ordinals);
        free(func_rvas);
    }
    exp = parse_symbol_table(bin, exports, exports_sz - sizeof(struct rz_bin_pe_export_t));
    if (exp) {
        exports = exp;
    }
    return exports;
beach:
    free(exports);
    free(ordinals);
    free(func_rvas);
    return NULL;
}

References bin_pe_rva_to_paddr(), bin_pe_rva_to_va(), rz_bin_pe_export_t::forwarder, free(), i, rz_bin_pe_export_t::last, rz_bin_pe_export_t::libname, malloc(), memcpy(), n, rz_bin_pe_export_t::name, NULL, rz_bin_pe_export_t::ordinal, rz_bin_pe_export_t::paddr, parse_symbol_table(), PE_, PE_IMAGE_DIRECTORY_ENTRY_EXPORT, PE_NAME_LENGTH, PE_VWord, PE_Word, r, rz_buf_read_at(), rz_buf_read_le32_at, RZ_LOG_INFO, rz_read_at_ble16(), rz_read_at_ble32(), rz_return_val_if_fail, snprintf, st64, and rz_bin_pe_export_t::vaddr.

Referenced by rz_bin_mdmp_pe_get_symbols().

rz_bin_pe_get_image_base()

ut64 PE_() rz_bin_pe_get_image_base

(

RzBinPEObj *

bin

)

Definition at line 588 of file pe_info.c.

                                                    {
    ut64 imageBase = 0;
    if (!bin || !bin->nt_headers) {
        return 0LL;
    }
    imageBase = bin->nt_headers->optional_header.ImageBase;
    if (!imageBase) {
        // this should only happens with messed up binaries
        // XXX this value should be user defined by bin.baddr
        // but from here we can not access config API
        imageBase = 0x10000;
    }
    return imageBase;
}

References ut64().

Referenced by bin_pe_rva_to_va(), bin_pe_va_to_rva(), rz_bin_pe_check_sections(), rz_bin_pe_get_entrypoint(), and rz_bin_pe_get_imports().

rz_bin_pe_get_image_size()

int PE_() rz_bin_pe_get_image_size

(

RzBinPEObj *

bin

)

Definition at line 505 of file pe_info.c.

                                                   {
    return bin->nt_headers->optional_header.SizeOfImage;
}

rz_bin_pe_get_imports()

struct rz_bin_pe_import_t* PE_() rz_bin_pe_get_imports

(

RzBinPEObj *

bin

)

Definition at line 198 of file pe_imports.c.

                                                                       {
    struct rz_bin_pe_import_t *imps, *imports = NULL;
    char dll_name[PE_NAME_LENGTH + 1];
    int nimp = 0;
    ut64 off; // used to cache value
    PE_DWord dll_name_offset = 0;
    PE_DWord paddr = 0;
    PE_DWord import_func_name_offset;
    PE_(image_import_directory)
    curr_import_dir;
    PE_(image_delay_import_directory)
    curr_delay_import_dir;
 
    if (!bin) {
        return NULL;
    }
    if (bin->import_directory_offset >= bin->size) {
        return NULL;
    }
    if (bin->import_directory_offset + 20 > bin->size) {
        return NULL;
    }
 
    off = bin->import_directory_offset;
    if (off < bin->size && off > 0) {
        ut64 last;
        int idi = 0;
        if (off + sizeof(PE_(image_import_directory)) > bin->size) {
            return NULL;
        }
        int r = PE_(read_image_import_directory)(bin->b, bin->import_directory_offset + idi * sizeof(curr_import_dir), &curr_import_dir);
        if (r < 0) {
            return NULL;
        }
 
        if (bin->import_directory_size < 1) {
            return NULL;
        }
        if (off + bin->import_directory_size > bin->size) {
            // why chopping instead of returning and cleaning?
            RZ_LOG_INFO("read (import directory too big)\n");
            bin->import_directory_size = bin->size - bin->import_directory_offset;
        }
        last = bin->import_directory_offset + bin->import_directory_size;
        while (r == sizeof(curr_import_dir) && bin->import_directory_offset + (idi + 1) * sizeof(curr_import_dir) <= last && (curr_import_dir.FirstThunk != 0 || curr_import_dir.Name != 0 || curr_import_dir.TimeDateStamp != 0 || curr_import_dir.Characteristics != 0 || curr_import_dir.ForwarderChain != 0)) {
            int rr;
            dll_name_offset = curr_import_dir.Name;
            paddr = PE_(bin_pe_rva_to_paddr)(bin, dll_name_offset);
            if (paddr > bin->size) {
                goto beach;
            }
            if (paddr + PE_NAME_LENGTH > bin->size) {
                rr = rz_buf_read_at(bin->b, paddr, (ut8 *)dll_name, bin->size - paddr);
                if (rr != bin->size - paddr) {
                    goto beach;
                }
                dll_name[bin->size - paddr] = '\0';
            } else {
                rr = rz_buf_read_at(bin->b, paddr, (ut8 *)dll_name, PE_NAME_LENGTH);
                if (rr != PE_NAME_LENGTH) {
                    goto beach;
                }
                dll_name[PE_NAME_LENGTH] = '\0';
            }
            if (!bin_pe_parse_imports(bin, &imports, &nimp, dll_name,
                    curr_import_dir.Characteristics,
                    curr_import_dir.FirstThunk)) {
                break;
            }
            idi++;
            r = PE_(read_image_import_directory)(bin->b, bin->import_directory_offset + idi * sizeof(curr_import_dir), &curr_import_dir);
            if (r < 0) {
                free(imports);
                return NULL;
            }
        }
    }
    off = bin->delay_import_directory_offset;
    if (off < bin->size && off > 0) {
        if (off + sizeof(PE_(image_delay_import_directory)) > bin->size) {
            goto beach;
        }
        int didi;
        for (didi = 0;; didi++) {
            int r = PE_(read_image_delay_import_directory)(bin->b, off + didi * sizeof(curr_delay_import_dir),
                &curr_delay_import_dir);
            if (r != sizeof(curr_delay_import_dir)) {
                goto beach;
            }
            if ((curr_delay_import_dir.Name == 0) || (curr_delay_import_dir.DelayImportAddressTable == 0)) {
                break;
            }
            if (!curr_delay_import_dir.Attributes) {
                dll_name_offset = PE_(bin_pe_rva_to_paddr)(bin, curr_delay_import_dir.Name - PE_(rz_bin_pe_get_image_base)(bin));
                import_func_name_offset = curr_delay_import_dir.DelayImportNameTable - PE_(rz_bin_pe_get_image_base)(bin);
            } else {
                dll_name_offset = PE_(bin_pe_rva_to_paddr)(bin, curr_delay_import_dir.Name);
                import_func_name_offset = curr_delay_import_dir.DelayImportNameTable;
            }
            if (dll_name_offset > bin->size || dll_name_offset + PE_NAME_LENGTH > bin->size) {
                goto beach;
            }
            int rr = rz_buf_read_at(bin->b, dll_name_offset, (ut8 *)dll_name, PE_NAME_LENGTH);
            if (rr < 5) {
                goto beach;
            }
            dll_name[PE_NAME_LENGTH] = '\0';
            if (!bin_pe_parse_imports(bin, &imports, &nimp, dll_name, import_func_name_offset,
                    curr_delay_import_dir.DelayImportAddressTable)) {
                break;
            }
        }
    }
beach:
    if (nimp) {
        imps = realloc(imports, (nimp + 1) * sizeof(struct rz_bin_pe_import_t));
        if (!imps) {
            rz_sys_perror("realloc (import)");
            free(imports);
            return NULL;
        }
        imports = imps;
        imports[nimp].last = 1;
    }
    return imports;
}

References bin_pe_parse_imports(), bin_pe_rva_to_paddr(), free(), imports(), rz_bin_pe_import_t::last, NULL, off, rz_bin_pe_import_t::paddr, PE_, PE_DWord, PE_NAME_LENGTH, r, read_image_delay_import_directory(), read_image_import_directory(), realloc(), rz_bin_pe_get_image_base(), rz_buf_read_at(), RZ_LOG_INFO, rz_sys_perror, and ut64().

Referenced by rz_bin_mdmp_pe_get_imports(), and rz_bin_mdmp_pe_get_symbols().

rz_bin_pe_get_libs()

struct rz_bin_pe_lib_t* PE_() rz_bin_pe_get_libs

(

RzBinPEObj *

bin

)

Definition at line 384 of file pe_info.c.

                                                                 {
    if (!bin) {
        return NULL;
    }
    struct rz_bin_pe_lib_t *libs = NULL;
    struct rz_bin_pe_lib_t *new_libs = NULL;
    PE_(image_import_directory)
    curr_import_dir;
    PE_(image_delay_import_directory)
    curr_delay_import_dir;
    PE_DWord name_off = 0;
    HtPP *lib_map = NULL;
    ut64 off; // cache value
    int index = 0;
    int len = 0;
    int max_libs = 20;
    libs = calloc(max_libs + 1, sizeof(struct rz_bin_pe_lib_t));
    if (!libs) {
        rz_sys_perror("malloc (libs)");
        return NULL;
    }
 
    if (bin->import_directory_offset + bin->import_directory_size > bin->size) {
        RZ_LOG_INFO("import directory offset bigger than file\n");
        goto out_error;
    }
    lib_map = sdb_ht_new();
    off = bin->import_directory_offset;
    if (off < bin->size && off > 0) {
        ut64 last;
        int iidi = 0;
        // normal imports
        if (off + sizeof(PE_(image_import_directory)) > bin->size) {
            goto out_error;
        }
        int r = PE_(read_image_import_directory)(bin->b, off + iidi * sizeof(curr_import_dir),
            &curr_import_dir);
        last = off + bin->import_directory_size;
        while (r == sizeof(curr_import_dir) && off + (iidi + 1) * sizeof(curr_import_dir) <= last && (curr_import_dir.FirstThunk || curr_import_dir.Name || curr_import_dir.TimeDateStamp || curr_import_dir.Characteristics || curr_import_dir.ForwarderChain)) {
            name_off = PE_(bin_pe_rva_to_paddr)(bin, curr_import_dir.Name);
            len = rz_buf_read_at(bin->b, name_off, (ut8 *)libs[index].name, PE_STRING_LENGTH);
            if (!libs[index].name[0]) { // minimum string length
                goto next;
            }
            if (len < 2 || libs[index].name[0] == 0) { // minimum string length
                RZ_LOG_INFO("read (libs - import dirs) %d\n", len);
                break;
            }
            libs[index].name[len - 1] = '\0';
            rz_str_case(libs[index].name, 0);
            if (!sdb_ht_find(lib_map, libs[index].name, NULL)) {
                sdb_ht_insert(lib_map, libs[index].name, "a");
                libs[index++].last = 0;
                if (index >= max_libs) {
                    new_libs = realloc(libs, (max_libs * 2) * sizeof(struct rz_bin_pe_lib_t));
                    if (!new_libs) {
                        rz_sys_perror("realloc (libs)");
                        goto out_error;
                    }
                    libs = new_libs;
                    new_libs = NULL;
                    max_libs *= 2;
                }
            }
        next:
            iidi++;
            r = PE_(read_image_import_directory)(bin->b, off + iidi * sizeof(curr_import_dir),
                &curr_import_dir);
        }
    }
    off = bin->delay_import_directory_offset;
    if (off < bin->size && off > 0) {
        ut64 did = 0;
        if (off + sizeof(PE_(image_delay_import_directory)) > bin->size) {
            goto out_error;
        }
        int r = PE_(read_image_delay_import_directory)(bin->b, off, &curr_delay_import_dir);
        if (r != sizeof(curr_delay_import_dir)) {
            goto out_error;
        }
        while (r == sizeof(curr_delay_import_dir) &&
            curr_delay_import_dir.Name != 0 && curr_delay_import_dir.DelayImportNameTable != 0) {
            name_off = PE_(bin_pe_rva_to_paddr)(bin, curr_delay_import_dir.Name);
            if (name_off > bin->size || name_off + PE_STRING_LENGTH > bin->size) {
                goto out_error;
            }
            len = rz_buf_read_at(bin->b, name_off, (ut8 *)libs[index].name, PE_STRING_LENGTH);
            if (len != PE_STRING_LENGTH) {
                RZ_LOG_INFO("read (libs - delay import dirs)\n");
                break;
            }
            libs[index].name[len - 1] = '\0';
            rz_str_case(libs[index].name, 0);
            if (!sdb_ht_find(lib_map, libs[index].name, NULL)) {
                sdb_ht_insert(lib_map, libs[index].name, "a");
                libs[index++].last = 0;
                if (index >= max_libs) {
                    new_libs = realloc(libs, (max_libs * 2) * sizeof(struct rz_bin_pe_lib_t));
                    if (!new_libs) {
                        rz_sys_perror("realloc (libs)");
                        goto out_error;
                    }
                    libs = new_libs;
                    new_libs = NULL;
                    max_libs *= 2;
                }
            }
            did++;
            r = PE_(read_image_delay_import_directory)(bin->b, off + did * sizeof(curr_delay_import_dir),
                &curr_delay_import_dir);
        }
    }
    sdb_ht_free(lib_map);
    libs[index].last = 1;
    return libs;
out_error:
    sdb_ht_free(lib_map);
    free(libs);
    return NULL;
}

References bin_pe_rva_to_paddr(), calloc(), free(), rz_bin_pe_lib_t::last, len, libs(), NULL, off, PE_, PE_DWord, PE_STRING_LENGTH, r, read_image_delay_import_directory(), read_image_import_directory(), realloc(), rz_buf_read_at(), RZ_LOG_INFO, rz_str_case(), rz_sys_perror, sdb_ht_find(), sdb_ht_free(), sdb_ht_insert(), sdb_ht_new(), and ut64().

rz_bin_pe_get_machine()

char* PE_() rz_bin_pe_get_machine

(

RzBinPEObj *

bin

)

Definition at line 24 of file pe_info.c.

                                                  {
    char *machine = NULL;
 
    if (bin && bin->nt_headers) {
        switch (bin->nt_headers->file_header.Machine) {
        case PE_IMAGE_FILE_MACHINE_ALPHA: machine = "Alpha"; break;
        case PE_IMAGE_FILE_MACHINE_ALPHA64: machine = "Alpha 64"; break;
        case PE_IMAGE_FILE_MACHINE_AM33: machine = "AM33"; break;
        case PE_IMAGE_FILE_MACHINE_AMD64: machine = "AMD 64"; break;
        case PE_IMAGE_FILE_MACHINE_ARM: machine = "ARM"; break;
        case PE_IMAGE_FILE_MACHINE_ARMNT: machine = "ARM Thumb-2"; break;
        case PE_IMAGE_FILE_MACHINE_ARM64: machine = "ARM64"; break;
        case PE_IMAGE_FILE_MACHINE_CEE: machine = "CEE"; break;
        case PE_IMAGE_FILE_MACHINE_CEF: machine = "CEF"; break;
        case PE_IMAGE_FILE_MACHINE_EBC: machine = "EBC"; break;
        case PE_IMAGE_FILE_MACHINE_I386: machine = "i386"; break;
        case PE_IMAGE_FILE_MACHINE_IA64: machine = "ia64"; break;
        case PE_IMAGE_FILE_MACHINE_M32R: machine = "M32R"; break;
        case PE_IMAGE_FILE_MACHINE_M68K: machine = "M68K"; break;
        case PE_IMAGE_FILE_MACHINE_MIPS16: machine = "Mips 16"; break;
        case PE_IMAGE_FILE_MACHINE_MIPSFPU: machine = "Mips FPU"; break;
        case PE_IMAGE_FILE_MACHINE_MIPSFPU16: machine = "Mips FPU 16"; break;
        case PE_IMAGE_FILE_MACHINE_POWERPC: machine = "PowerPC"; break;
        case PE_IMAGE_FILE_MACHINE_POWERPCFP: machine = "PowerPC FP"; break;
        case PE_IMAGE_FILE_MACHINE_R10000: machine = "R10000"; break;
        case PE_IMAGE_FILE_MACHINE_R3000: machine = "R3000"; break;
        case PE_IMAGE_FILE_MACHINE_R4000: machine = "R4000"; break;
        case PE_IMAGE_FILE_MACHINE_SH3: machine = "SH3"; break;
        case PE_IMAGE_FILE_MACHINE_SH3DSP: machine = "SH3DSP"; break;
        case PE_IMAGE_FILE_MACHINE_SH3E: machine = "SH3E"; break;
        case PE_IMAGE_FILE_MACHINE_SH4: machine = "SH4"; break;
        case PE_IMAGE_FILE_MACHINE_SH5: machine = "SH5"; break;
        case PE_IMAGE_FILE_MACHINE_THUMB: machine = "Thumb"; break;
        case PE_IMAGE_FILE_MACHINE_TRICORE: machine = "Tricore"; break;
        case PE_IMAGE_FILE_MACHINE_WCEMIPSV2: machine = "WCE Mips V2"; break;
        case PE_IMAGE_FILE_MACHINE_RISCV32: machine = "RISC-V 32-bit"; break;
        case PE_IMAGE_FILE_MACHINE_RISCV64: machine = "RISC-V 64-bit"; break;
        case PE_IMAGE_FILE_MACHINE_RISCV128: machine = "RISC-V 128-bit"; break;
        default: machine = "unknown";
        }
    }
    return machine ? strdup(machine) : NULL;
}

References NULL, PE_IMAGE_FILE_MACHINE_ALPHA, PE_IMAGE_FILE_MACHINE_ALPHA64, PE_IMAGE_FILE_MACHINE_AM33, PE_IMAGE_FILE_MACHINE_AMD64, PE_IMAGE_FILE_MACHINE_ARM, PE_IMAGE_FILE_MACHINE_ARM64, PE_IMAGE_FILE_MACHINE_ARMNT, PE_IMAGE_FILE_MACHINE_CEE, PE_IMAGE_FILE_MACHINE_CEF, PE_IMAGE_FILE_MACHINE_EBC, PE_IMAGE_FILE_MACHINE_I386, PE_IMAGE_FILE_MACHINE_IA64, PE_IMAGE_FILE_MACHINE_M32R, PE_IMAGE_FILE_MACHINE_M68K, PE_IMAGE_FILE_MACHINE_MIPS16, PE_IMAGE_FILE_MACHINE_MIPSFPU, PE_IMAGE_FILE_MACHINE_MIPSFPU16, PE_IMAGE_FILE_MACHINE_POWERPC, PE_IMAGE_FILE_MACHINE_POWERPCFP, PE_IMAGE_FILE_MACHINE_R10000, PE_IMAGE_FILE_MACHINE_R3000, PE_IMAGE_FILE_MACHINE_R4000, PE_IMAGE_FILE_MACHINE_RISCV128, PE_IMAGE_FILE_MACHINE_RISCV32, PE_IMAGE_FILE_MACHINE_RISCV64, PE_IMAGE_FILE_MACHINE_SH3, PE_IMAGE_FILE_MACHINE_SH3DSP, PE_IMAGE_FILE_MACHINE_SH3E, PE_IMAGE_FILE_MACHINE_SH4, PE_IMAGE_FILE_MACHINE_SH5, PE_IMAGE_FILE_MACHINE_THUMB, PE_IMAGE_FILE_MACHINE_TRICORE, PE_IMAGE_FILE_MACHINE_WCEMIPSV2, and strdup().

rz_bin_pe_get_main_vaddr()

struct rz_bin_pe_addr_t* PE_() rz_bin_pe_get_main_vaddr

(

RzBinPEObj *

bin

)

Definition at line 917 of file pe_info.c.

                                                                        {
    struct rz_bin_pe_addr_t *winmain = PE_(check_msvcseh)(bin);
    if (!winmain) {
        winmain = PE_(check_mingw)(bin);
        if (!winmain) {
            winmain = PE_(check_unknow)(bin);
        }
    }
    return winmain;
}

References check_mingw(), check_msvcseh(), check_unknow(), and PE_.

rz_bin_pe_get_os()

char* PE_() rz_bin_pe_get_os

(

RzBinPEObj *

bin

)

Definition at line 69 of file pe_info.c.

                                             {
    char *os;
    if (!bin || !bin->nt_headers) {
        return NULL;
    }
    switch (bin->nt_headers->optional_header.Subsystem) {
    case PE_IMAGE_SUBSYSTEM_NATIVE:
        os = strdup("native");
        break;
    case PE_IMAGE_SUBSYSTEM_WINDOWS_GUI:
    case PE_IMAGE_SUBSYSTEM_WINDOWS_CUI:
    case PE_IMAGE_SUBSYSTEM_WINDOWS_CE_GUI:
        os = strdup("windows");
        break;
    case PE_IMAGE_SUBSYSTEM_POSIX_CUI:
        os = strdup("posix");
        break;
    case PE_IMAGE_SUBSYSTEM_EFI_APPLICATION:
    case PE_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:
    case PE_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:
    case PE_IMAGE_SUBSYSTEM_EFI_ROM:
        os = strdup("efi");
        break;
    case PE_IMAGE_SUBSYSTEM_XBOX:
        os = strdup("xbox");
        break;
    default:
        // XXX: this is unknown
        os = strdup("windows");
    }
    return os;
}

References NULL, PE_IMAGE_SUBSYSTEM_EFI_APPLICATION, PE_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER, PE_IMAGE_SUBSYSTEM_EFI_ROM, PE_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER, PE_IMAGE_SUBSYSTEM_NATIVE, PE_IMAGE_SUBSYSTEM_POSIX_CUI, PE_IMAGE_SUBSYSTEM_WINDOWS_CE_GUI, PE_IMAGE_SUBSYSTEM_WINDOWS_CUI, PE_IMAGE_SUBSYSTEM_WINDOWS_GUI, PE_IMAGE_SUBSYSTEM_XBOX, and strdup().

rz_bin_pe_get_sections()

struct rz_bin_pe_section_t* PE_() rz_bin_pe_get_sections

(

RzBinPEObj *

bin

)

Definition at line 243 of file pe_section.c.

                                                                         {
    struct rz_bin_pe_section_t *sections = NULL;
    PE_(image_section_header) * shdr;
    int i, j, section_count = 0;
 
    if (!bin || !bin->nt_headers) {
        return NULL;
    }
    shdr = bin->section_header;
    for (i = 0; i < bin->num_sections; i++) {
        // just allocate the needed
        if (shdr[i].SizeOfRawData || shdr[i].Misc.VirtualSize) {
            section_count++;
        }
    }
    sections = calloc(section_count + 1, sizeof(struct rz_bin_pe_section_t));
    if (!sections) {
        rz_sys_perror("malloc (sections)");
        return NULL;
    }
    for (i = 0, j = 0; i < bin->num_sections; i++) {
        if (!shdr[i].SizeOfRawData && !shdr[i].Misc.VirtualSize) {
            continue;
        }
        if (shdr[i].Name[0] == '\0') {
            char *new_name = rz_str_newf("sect_%d", j);
            strncpy((char *)sections[j].name, new_name, RZ_ARRAY_SIZE(sections[j].name) - 1);
            free(new_name);
        } else if (shdr[i].Name[0] == '/') {
            // long name is something deprecated but still used
            int idx = atoi((const char *)shdr[i].Name + 1);
            ut64 sym_tbl_off = bin->nt_headers->file_header.PointerToSymbolTable;
            int num_symbols = bin->nt_headers->file_header.NumberOfSymbols;
            st64 off = num_symbols * COFF_SYMBOL_SIZE;
            if (off > 0 && sym_tbl_off &&
                sym_tbl_off + off + idx < bin->size &&
                sym_tbl_off + off + idx > off) {
                int sz = PE_IMAGE_SIZEOF_SHORT_NAME * 3;
                char *buf[64] = { 0 };
                if (rz_buf_read_at(bin->b,
                        sym_tbl_off + off + idx,
                        (ut8 *)buf, 64)) {
                    memcpy(sections[j].name, buf, sz);
                    sections[j].name[sz - 1] = '\0';
                }
            }
        } else {
            memcpy(sections[j].name, shdr[i].Name, PE_IMAGE_SIZEOF_SHORT_NAME);
            sections[j].name[PE_IMAGE_SIZEOF_SHORT_NAME] = '\0';
        }
        sections[j].vaddr = shdr[i].VirtualAddress;
        sections[j].size = shdr[i].SizeOfRawData;
        if (shdr[i].Misc.VirtualSize) {
            sections[j].vsize = shdr[i].Misc.VirtualSize;
        } else {
            sections[j].vsize = shdr[i].SizeOfRawData;
        }
        sections[j].paddr = shdr[i].PointerToRawData;
        sections[j].flags = shdr[i].Characteristics;
        if (bin->optional_header) {
            ut32 sa = bin->optional_header->SectionAlignment;
            if (sa) {
                ut64 diff = sections[j].vsize % sa;
                if (diff) {
                    sections[j].vsize += sa - diff;
                }
                if (sections[j].vaddr % sa) {
                    RZ_LOG_INFO("section %s not aligned to SectionAlignment.\n",
                        sections[j].name);
                }
            }
            const ut32 fa = bin->optional_header->FileAlignment;
            if (fa) {
                const ut64 diff = sections[j].paddr % fa;
                if (diff) {
                    RZ_LOG_INFO("section %s not aligned to FileAlignment.\n", sections[j].name);
                    sections[j].paddr -= diff;
                    sections[j].size += diff;
                }
            }
        }
        sections[j].perm = shdr[i].Characteristics;
        sections[j].last = 0;
        j++;
    }
    sections[j].last = 1;
    bin->num_sections = section_count;
    return sections;
}

References calloc(), COFF_SYMBOL_SIZE, free(), i, setup::idx, memcpy(), NULL, off, PE_, PE_IMAGE_SIZEOF_SHORT_NAME, RZ_ARRAY_SIZE, rz_buf_read_at(), RZ_LOG_INFO, rz_str_newf(), rz_sys_perror, sections(), st64, ut64(), and rz_bin_pe_section_t::vaddr.

Referenced by bin_pe_init().

rz_bin_pe_get_subsystem()

char* PE_() rz_bin_pe_get_subsystem

(

RzBinPEObj *

bin

)

Definition at line 159 of file pe_info.c.

                                                    {
    char *subsystem = NULL;
    if (bin && bin->nt_headers) {
        switch (bin->nt_headers->optional_header.Subsystem) {
        case PE_IMAGE_SUBSYSTEM_NATIVE:
            subsystem = "Native";
            break;
        case PE_IMAGE_SUBSYSTEM_WINDOWS_GUI:
            subsystem = "Windows GUI";
            break;
        case PE_IMAGE_SUBSYSTEM_WINDOWS_CUI:
            subsystem = "Windows CUI";
            break;
        case PE_IMAGE_SUBSYSTEM_POSIX_CUI:
            subsystem = "POSIX CUI";
            break;
        case PE_IMAGE_SUBSYSTEM_WINDOWS_CE_GUI:
            subsystem = "Windows CE GUI";
            break;
        case PE_IMAGE_SUBSYSTEM_EFI_APPLICATION:
            subsystem = "EFI Application";
            break;
        case PE_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:
            subsystem = "EFI Boot Service Driver";
            break;
        case PE_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:
            subsystem = "EFI Runtime Driver";
            break;
        case PE_IMAGE_SUBSYSTEM_EFI_ROM:
            subsystem = "EFI ROM";
            break;
        case PE_IMAGE_SUBSYSTEM_XBOX:
            subsystem = "XBOX";
            break;
        default:
            subsystem = "Unknown";
            break;
        }
    }
    return subsystem ? strdup(subsystem) : NULL;
}

References NULL, PE_IMAGE_SUBSYSTEM_EFI_APPLICATION, PE_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER, PE_IMAGE_SUBSYSTEM_EFI_ROM, PE_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER, PE_IMAGE_SUBSYSTEM_NATIVE, PE_IMAGE_SUBSYSTEM_POSIX_CUI, PE_IMAGE_SUBSYSTEM_WINDOWS_CE_GUI, PE_IMAGE_SUBSYSTEM_WINDOWS_CUI, PE_IMAGE_SUBSYSTEM_WINDOWS_GUI, PE_IMAGE_SUBSYSTEM_XBOX, and strdup().

rz_bin_pe_is_big_endian()

int PE_() rz_bin_pe_is_big_endian

(

RzBinPEObj *

bin

)

Definition at line 343 of file pe_info.c.

                                                  {
    ut16 arch;
    if (!bin || !bin->nt_headers) {
        return false;
    }
    arch = bin->nt_headers->file_header.Machine;
    if (arch == PE_IMAGE_FILE_MACHINE_I386 ||
        arch == PE_IMAGE_FILE_MACHINE_AMD64) {
        return false;
    }
    return HASCHR(PE_IMAGE_FILE_BYTES_REVERSED_HI);
}

References arch, HASCHR, PE_IMAGE_FILE_BYTES_REVERSED_HI, PE_IMAGE_FILE_MACHINE_AMD64, and PE_IMAGE_FILE_MACHINE_I386.

Referenced by bin_pe_init().

rz_bin_pe_is_dll()

int PE_() rz_bin_pe_is_dll

(

RzBinPEObj *

bin

)

Definition at line 324 of file pe_info.c.

                                           {
    if (!bin || !bin->nt_headers) {
        return false;
    }
    return HASCHR(PE_IMAGE_FILE_DLL);
}

References HASCHR, and PE_IMAGE_FILE_DLL.

rz_bin_pe_is_stripped_debug()

int PE_() rz_bin_pe_is_stripped_debug

(

RzBinPEObj *

bin

)

Definition at line 377 of file pe_info.c.

                                                      {
    if (!bin || !bin->nt_headers) {
        return false;
    }
    return HASCHR(PE_IMAGE_FILE_DEBUG_STRIPPED);
}

References HASCHR, and PE_IMAGE_FILE_DEBUG_STRIPPED.

rz_bin_pe_is_stripped_line_nums()

int PE_() rz_bin_pe_is_stripped_line_nums

(

RzBinPEObj *

bin

)

Definition at line 363 of file pe_info.c.

                                                          {
    if (!bin || !bin->nt_headers) {
        return false;
    }
    return HASCHR(PE_IMAGE_FILE_LINE_NUMS_STRIPPED);
}

References HASCHR, and PE_IMAGE_FILE_LINE_NUMS_STRIPPED.

rz_bin_pe_is_stripped_local_syms()

int PE_() rz_bin_pe_is_stripped_local_syms

(

RzBinPEObj *

bin

)

Definition at line 370 of file pe_info.c.

                                                           {
    if (!bin || !bin->nt_headers) {
        return false;
    }
    return HASCHR(PE_IMAGE_FILE_LOCAL_SYMS_STRIPPED);
}

References HASCHR, and PE_IMAGE_FILE_LOCAL_SYMS_STRIPPED.

rz_bin_pe_is_stripped_relocs()

int PE_() rz_bin_pe_is_stripped_relocs

(

RzBinPEObj *

bin

)

Definition at line 356 of file pe_info.c.

                                                       {
    if (!bin || !bin->nt_headers) {
        return false;
    }
    return HASCHR(PE_IMAGE_FILE_RELOCS_STRIPPED);
}

References HASCHR, and PE_IMAGE_FILE_RELOCS_STRIPPED.

rz_bin_pe_new()

RzBinPEObj* PE_() rz_bin_pe_new	(	const char *	file,
		bool	verbose
	)

rz_bin_pe_new_buf()

RzBinPEObj* PE_() rz_bin_pe_new_buf	(	RzBuffer *	buf,
		bool	verbose
	)

Definition at line 116 of file pe.c.

                                                                {
    RzBinPEObj *bin = RZ_NEW0(RzBinPEObj);
    if (!bin) {
        return NULL;
    }
    bin->kv = sdb_new0();
    bin->b = rz_buf_ref(buf);
    bin->verbose = verbose;
    bin->size = rz_buf_size(buf);
    bin->hash = rz_hash_new();
    if (!bin_pe_init(bin)) {
        return PE_(rz_bin_pe_free)(bin);
    }
    return bin;
}

References bin_pe_init(), NULL, PE_, rz_bin_pe_free(), rz_buf_ref(), rz_buf_size(), rz_hash_new(), RZ_NEW0, RzBinPEObj, sdb_new0(), and verbose.

Referenced by rz_bin_pemixed_from_bytes_new().

section_flag_to_rzlist()

RzList* PE_() section_flag_to_rzlist

(

ut64

flag

)

Definition at line 2378 of file mach0.c.

                                                  {
    RzList *flag_list = rz_list_new();
    if (flag & S_ATTR_PURE_INSTRUCTIONS) {
        rz_list_append(flag_list, "PURE_INSTRUCTIONS");
    }
    if (flag & S_ATTR_NO_TOC) {
        rz_list_append(flag_list, "NO_TOC");
    }
    if (flag & S_ATTR_SOME_INSTRUCTIONS) {
        rz_list_append(flag_list, "SOME_INSTRUCTIONS");
    }
    if (flag & S_ATTR_EXT_RELOC) {
        rz_list_append(flag_list, "EXT_RELOC");
    }
    if (flag & S_ATTR_SELF_MODIFYING_CODE) {
        rz_list_append(flag_list, "SELF_MODIFYING_CODE");
    }
    if (flag & S_ATTR_DEBUG) {
        rz_list_append(flag_list, "DEBUG");
    }
    if (flag & S_ATTR_LIVE_SUPPORT) {
        rz_list_append(flag_list, "LIVE_SUPPORT");
    }
    if (flag & S_ATTR_STRIP_STATIC_SYMS) {
        rz_list_append(flag_list, "STRIP_STATIC_SYMS");
    }
    if (flag & S_ATTR_NO_DEAD_STRIP) {
        rz_list_append(flag_list, "NO_DEAD_STRIP");
    }
    return flag_list;
}

References IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_GPREL, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_TYPE_NO_PAD, PE_SCN_ALIGN_MASK, rz_list_append(), rz_list_new(), S_ATTR_DEBUG, S_ATTR_EXT_RELOC, S_ATTR_LIVE_SUPPORT, S_ATTR_NO_DEAD_STRIP, S_ATTR_NO_TOC, S_ATTR_PURE_INSTRUCTIONS, S_ATTR_SELF_MODIFYING_CODE, S_ATTR_SOME_INSTRUCTIONS, and S_ATTR_STRIP_STATIC_SYMS.