Rizin
unix-like reverse engineering framework and cli tools
pe_overlay.c
1 // SPDX-FileCopyrightText: 2008-2019 nibble <nibble.ds@gmail.com>
2 // SPDX-FileCopyrightText: 2008-2019 pancake <pancake@nopcode.org>
3 // SPDX-FileCopyrightText: 2008-2019 inisider <inisider@gmail.com>
4 // SPDX-License-Identifier: LGPL-3.0-only
5 
6 #include "pe.h"
7 
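/*
 * Track the region that reaches furthest into the file.
 *
 * If [offset, offset + size) lies entirely inside a file of file_size bytes
 * and ends later than the region currently stored in
 * *largest_offset / *largest_size, the stored pair is replaced by it.
 *
 * offset and size are taken from PE header fields by the callers in this
 * file, so they are untrusted input and must be bounds-checked without
 * relying on the sum being representable.
 */
static void computeOverlayOffset(ut64 offset, ut64 size, ut64 file_size, ut64 *largest_offset, ut64 *largest_size) {
	/* Overflow-safe form of `offset + size <= file_size`: with crafted header
	 * values the plain 64-bit sum can wrap around and pass the bound check. */
	if (size > file_size || offset > file_size - size) {
		return;
	}
	/* offset + size cannot wrap here (it is <= file_size). The stored pair is
	 * only ever written below, so its sum is in range too as long as the
	 * caller starts from an in-file pair such as (0, 0). */
	if (offset + size > *largest_offset + *largest_size) {
		*largest_offset = offset;
		*largest_size = size;
	}
}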
14 
15 /* Inspired from https://github.com/erocarrera/pefile/blob/master/pefile.py#L5425 */
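/*
 * Locate the overlay: the bytes at the end of the file that are not covered
 * by the optional header, any section, or any data directory.
 *
 * bin   parsed PE object; may be NULL
 * size  out: overlay length in bytes, set to 0 when there is no overlay
 *
 * Returns the file offset where the overlay starts, or 0 when bin is NULL or
 * nothing lies past the last covered region.
 *
 * NOTE(review): the offset is computed as ut64 but returned as int, so a value
 * above INT_MAX does not survive the conversion; widening the return type
 * would need a matching change in the header and in the callers.
 */
int PE_(bin_pe_get_overlay)(RzBinPEObj *bin, ut64 *size) {
	ut64 largest_offset = 0;
	ut64 largest_size = 0;
	*size = 0;
	int i;

	if (!bin) {
		return 0;
	}

	if (bin->optional_header) {
		/* The optional header follows the 4-byte NT signature and the file
		 * header; its length is whatever the file header declares. */
		computeOverlayOffset(
			bin->nt_header_offset + 4 + sizeof(bin->nt_headers->file_header),
			bin->nt_headers->file_header.SizeOfOptionalHeader,
			bin->size,
			&largest_offset,
			&largest_size);
	}

	struct rz_bin_pe_section_t *sects = bin->sections;
	/* Guard against a missing section table so a file whose sections could
	 * not be parsed does not lead to a NULL dereference here. */
	if (sects) {
		for (i = 0; !sects[i].last; i++) {
			computeOverlayOffset(
				sects[i].paddr,
				sects[i].size,
				bin->size,
				&largest_offset,
				&largest_size);
		}
	}

	if (bin->optional_header) {
		for (i = 0; i < PE_IMAGE_DIRECTORY_ENTRIES; i++) {
			/* The security (certificate table) entry stores a file offset,
			 * not an RVA, so it must not be translated with rva_to_paddr.
			 * Because it is skipped, certificate data placed after the last
			 * covered region is reported as part of the overlay. */
			if (i == PE_IMAGE_DIRECTORY_ENTRY_SECURITY) {
				continue;
			}

			computeOverlayOffset(
				PE_(bin_pe_rva_to_paddr)(bin, bin->data_directory[i].VirtualAddress),
				bin->data_directory[i].Size,
				bin->size,
				&largest_offset,
				&largest_size);
		}
	}

	/* Everything between the end of the furthest region and EOF is overlay. */
	ut64 covered_end = largest_offset + largest_size;
	if ((ut64)bin->size > covered_end) {
		*size = bin->size - covered_end;
		return covered_end;
	}
	return 0;
}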
66 
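/*
 * Publish the overlay location in the binary's key/value store.
 *
 * Writes "pe_overlay.offset" and "pe_overlay.size" into bin->kv when
 * bin_pe_get_overlay reports a non-zero overlay offset; otherwise nothing is
 * stored. Always returns 0; the results of sdb_num_set are not checked.
 *
 * NOTE(review): bin_pe_get_overlay returns int, so the value assigned to
 * pe_overlay_offset has already been narrowed before it is widened back to
 * ut64 here.
 */
int PE_(bin_pe_init_overlay)(RzBinPEObj *bin) {
	/* Initialised locally so the value is defined regardless of the callee. */
	ut64 pe_overlay_size = 0;
	ut64 pe_overlay_offset = PE_(bin_pe_get_overlay)(bin, &pe_overlay_size);
	/* An offset of 0 means "no overlay" (or a NULL bin), so bin->kv is only
	 * touched after the callee has accepted bin. */
	if (pe_overlay_offset) {
		sdb_num_set(bin->kv, "pe_overlay.offset", pe_overlay_offset, 0);
		sdb_num_set(bin->kv, "pe_overlay.size", pe_overlay_size, 0);
	}
	return 0;
}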
RZ_API int sdb_num_set(Sdb *s, const char *key, ut64 v, ut32 cas)
Definition: num.c:25
PE_DWord PE_() bin_pe_rva_to_paddr(RzBinPEObj *bin, PE_DWord rva)
Definition: pe.c:15
#define RzBinPEObj
Definition: pe.h:126
static void computeOverlayOffset(ut64 offset, ut64 size, ut64 file_size, ut64 *largest_offset, ut64 *largest_size)
Definition: pe_overlay.c:8
int PE_() bin_pe_init_overlay(RzBinPEObj *bin)
Definition: pe_overlay.c:67
int PE_() bin_pe_get_overlay(RzBinPEObj *bin, ut64 *size)
Definition: pe_overlay.c:16
#define PE_(name)
Definition: pe_specs.h:23
#define PE_IMAGE_DIRECTORY_ENTRY_SECURITY
Definition: pe_specs.h:147
#define PE_IMAGE_DIRECTORY_ENTRIES
Definition: pe_specs.h:142
ut64 paddr
Definition: pe.h:68