metasploit-framework/lib/rex/peparsey/pebase.rb

1666 lines
48 KiB
Ruby

#!/usr/bin/env ruby
# -*- coding: binary -*-
# $Id$
require 'rex/peparsey/exceptions'
require 'rex/struct2'
module Rex
module PeParsey
class PeBase
# #define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
IMAGE_DOS_SIGNATURE = 0x5a4d
IMAGE_DOS_HEADER_SIZE = 64
# Struct
# typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
# WORD e_magic; // Magic number
# WORD e_cblp; // Bytes on last page of file
# WORD e_cp; // Pages in file
# WORD e_crlc; // Relocations
# WORD e_cparhdr; // Size of header in paragraphs
# WORD e_minalloc; // Minimum extra paragraphs needed
# WORD e_maxalloc; // Maximum extra paragraphs needed
# WORD e_ss; // Initial (relative) SS value
# WORD e_sp; // Initial SP value
# WORD e_csum; // Checksum
# WORD e_ip; // Initial IP value
# WORD e_cs; // Initial (relative) CS value
# WORD e_lfarlc; // File address of relocation table
# WORD e_ovno; // Overlay number
# WORD e_res[4]; // Reserved words
# WORD e_oemid; // OEM identifier (for e_oeminfo)
# WORD e_oeminfo; // OEM information; e_oemid specific
# WORD e_res2[10]; // Reserved words
# LONG e_lfanew; // File address of new exe header
# } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
IMAGE_DOS_HEADER = Rex::Struct2::CStructTemplate.new(
[ 'uint16v', 'e_magic', IMAGE_DOS_SIGNATURE ],
[ 'uint16v', 'e_cblp', 0 ],
[ 'uint16v', 'e_cp', 0 ],
[ 'uint16v', 'e_crlc', 0 ],
[ 'uint16v', 'e_cparhdr', 0 ],
[ 'uint16v', 'e_minalloc', 0 ],
[ 'uint16v', 'e_maxalloc', 0 ],
[ 'uint16v', 'e_ss', 0 ],
[ 'uint16v', 'e_sp', 0 ],
[ 'uint16v', 'e_csum', 0 ],
[ 'uint16v', 'e_ip', 0 ],
[ 'uint16v', 'e_cs', 0 ],
[ 'uint16v', 'e_lfarlc', 0 ],
[ 'uint16v', 'e_ovno', 0 ],
[ 'template', 'e_res', Rex::Struct2::CStructTemplate.new(
[ 'uint16v', 'e_res_0', 0 ],
[ 'uint16v', 'e_res_1', 0 ],
[ 'uint16v', 'e_res_2', 0 ],
[ 'uint16v', 'e_res_3', 0 ]
)],
[ 'uint16v', 'e_oemid', 0 ],
[ 'uint16v', 'e_oeminfo', 0 ],
[ 'template', 'e_res2', Rex::Struct2::CStructTemplate.new(
[ 'uint16v', 'e_res2_0', 0 ],
[ 'uint16v', 'e_res2_1', 0 ],
[ 'uint16v', 'e_res2_2', 0 ],
[ 'uint16v', 'e_res2_3', 0 ],
[ 'uint16v', 'e_res2_4', 0 ],
[ 'uint16v', 'e_res2_5', 0 ],
[ 'uint16v', 'e_res2_6', 0 ],
[ 'uint16v', 'e_res2_7', 0 ],
[ 'uint16v', 'e_res2_8', 0 ],
[ 'uint16v', 'e_res2_9', 0 ]
)],
[ 'uint32v', 'e_lfanew', 0 ]
)
class HeaderAccessor
attr_accessor :dos, :file, :opt, :sections, :config, :exceptions, :tls
def initialize
end
end
class GenericStruct
attr_accessor :struct
def initialize(_struct)
self.struct = _struct
end
# The following methods are just pass-throughs for struct
# Access a value
def v
struct.v
end
# Access a value by array
def [](*args)
struct[*args]
end
# Obtain an array of all fields
def keys
struct.keys
end
def method_missing(meth, *args)
v[meth.to_s] || (raise NoMethodError.new, meth)
end
end
class GenericHeader < GenericStruct
end
class DosHeader < GenericHeader
def initialize(rawdata)
dos_header = IMAGE_DOS_HEADER.make_struct
if !dos_header.from_s(rawdata)
raise DosHeaderError, "Couldn't parse IMAGE_DOS_HEADER", caller
end
if dos_header.v['e_magic'] != IMAGE_DOS_SIGNATURE
raise DosHeaderError, "Couldn't find DOS e_magic", caller
end
self.struct = dos_header
end
def e_lfanew
v['e_lfanew']
end
end
def self._parse_dos_header(rawdata)
return DosHeader.new(rawdata)
end
# #define IMAGE_NT_SIGNATURE 0x00004550 // PE00
IMAGE_NT_SIGNATURE = 0x00004550
# #define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386.
IMAGE_FILE_MACHINE_I386 = 0x014c
# #define IMAGE_FILE_MACHINE_IA64 0x0200 // Intel 64
IMAGE_FILE_MACHINE_IA64 = 0x0200
# #define IMAGE_FILE_MACHINE_ALPHA64 0x0284 // ALPHA64
IMAGE_FILE_MACHINE_ALPHA64 = 0x0284
# #define IMAGE_FILE_MACHINE_AMD64 0x8664 // AMD64 (K8)
IMAGE_FILE_MACHINE_AMD64 = 0x8664
# #define IMAGE_SIZEOF_FILE_HEADER 20
IMAGE_FILE_HEADER_SIZE = 20+4 # because we include the signature
# C struct defining the PE file header
# typedef struct _IMAGE_FILE_HEADER {
# WORD Machine;
# WORD NumberOfSections;
# DWORD TimeDateStamp;
# DWORD PointerToSymbolTable;
# DWORD NumberOfSymbols;
# WORD SizeOfOptionalHeader;
# WORD Characteristics;
# } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
IMAGE_FILE_HEADER = Rex::Struct2::CStructTemplate.new(
# not really in the header, but easier for us this way
[ 'uint32v', 'NtSignature', 0 ],
[ 'uint16v', 'Machine', 0 ],
[ 'uint16v', 'NumberOfSections', 0 ],
[ 'uint32v', 'TimeDateStamp', 0 ],
[ 'uint32v', 'PointerToSymbolTable', 0 ],
[ 'uint32v', 'NumberOfSymbols', 0 ],
[ 'uint16v', 'SizeOfOptionalHeader', 0 ],
[ 'uint16v', 'Characteristics', 0 ]
)
SUPPORTED_MACHINES = [
IMAGE_FILE_MACHINE_I386,
IMAGE_FILE_MACHINE_IA64,
IMAGE_FILE_MACHINE_ALPHA64,
IMAGE_FILE_MACHINE_AMD64
]
class FileHeader < GenericHeader
def initialize(rawdata)
file_header = IMAGE_FILE_HEADER.make_struct
if !file_header.from_s(rawdata)
raise FileHeaderError, "Couldn't parse IMAGE_FILE_HEADER", caller
end
if file_header.v['NtSignature'] != IMAGE_NT_SIGNATURE
raise FileHeaderError, "Couldn't find the PE magic!"
end
if SUPPORTED_MACHINES.include?(file_header.v['Machine']) == false
raise FileHeaderError, "Unsupported machine type: #{file_header.v['Machine']}", caller
end
self.struct = file_header
end
def Machine
v['Machine']
end
def SizeOfOptionalHeader
v['SizeOfOptionalHeader']
end
def NumberOfSections
v['NumberOfSections']
end
end
def self._parse_file_header(rawdata)
return FileHeader.new(rawdata)
end
IMAGE_ORDINAL_FLAG32 = 0x80000000
IMAGE_IMPORT_DESCRIPTOR_SIZE = 20
# Struct
# typedef struct _IMAGE_IMPORT_DESCRIPTOR {
# union {
# DWORD Characteristics; // 0 for terminating null import descriptor
# DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
# };
# DWORD TimeDateStamp; // 0 if not bound,
# // -1 if bound, and real date\time stamp
# // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
# // O.W. date/time stamp of DLL bound to (Old BIND)
#
# DWORD ForwarderChain; // -1 if no forwarders
# DWORD Name;
# DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
# } IMAGE_IMPORT_DESCRIPTOR;
IMAGE_IMPORT_DESCRIPTOR = Rex::Struct2::CStructTemplate.new(
[ 'uint32v', 'OriginalFirstThunk', 0 ],
[ 'uint32v', 'TimeDateStamp', 0 ],
[ 'uint32v', 'ForwarderChain', 0 ],
[ 'uint32v', 'Name', 0 ],
[ 'uint32v', 'FirstThunk', 0 ]
)
# typedef struct _IMAGE_IMPORT_BY_NAME {
# WORD Hint;
# BYTE Name[1];
# } IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
#
class ImportDescriptor
attr_accessor :name, :entries
def initialize(_name, _entries)
self.name = _name
self.entries = _entries
end
end
class ImportEntry
attr_accessor :name, :ordinal
def initialize(_name, _ordinal)
self.name = _name
self.ordinal = _ordinal
end
end
# sizeof(struct _IMAGE_EXPORT_DESCRIPTOR)
IMAGE_EXPORT_DESCRIPTOR_SIZE = 40
# Struct defining the export table
# typedef struct _IMAGE_EXPORT_DIRECTORY {
# DWORD Characteristics;
# DWORD TimeDateStamp;
# WORD MajorVersion;
# WORD MinorVersion;
# DWORD Name;
# DWORD Base;
# DWORD NumberOfFunctions;
# DWORD NumberOfNames;
# DWORD AddressOfFunctions; // RVA from base of image
# DWORD AddressOfNames; // RVA from base of image
# DWORD AddressOfNameOrdinals; // RVA from base of image
# } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
IMAGE_EXPORT_DESCRIPTOR = Rex::Struct2::CStructTemplate.new(
[ 'uint32v', 'Characteristics', 0 ],
[ 'uint32v', 'TimeDateStamp', 0 ],
[ 'uint16v', 'MajorVersion', 0 ],
[ 'uint16v', 'MinorVersion', 0 ],
[ 'uint32v', 'Name', 0 ],
[ 'uint32v', 'Base', 0 ],
[ 'uint32v', 'NumberOfFunctions', 0 ],
[ 'uint32v', 'NumberOfNames', 0 ],
[ 'uint32v', 'AddressOfFunctions', 0 ],
[ 'uint32v', 'AddressOfNames', 0 ],
[ 'uint32v', 'AddressOfNameOrdinals', 0 ]
)
class ExportDirectory
attr_accessor :name, :entries, :base
def initialize(_name, _entries, _base)
self.name = _name
self.entries = _entries
self.base = _base
end
end
class ExportEntry
attr_accessor :name, :ordinal, :rva
def initialize(_name, _ordinal, _rva)
self.name = _name
self.ordinal = _ordinal
self.rva = _rva
end
end
IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
IMAGE_DATA_DIRECTORY_SIZE = 8
IMAGE_DIRECTORY_ENTRY_EXPORT = 0
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
IMAGE_DIRECTORY_ENTRY_EXCEPTION = 3
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DIRECTORY_ENTRY_COPYRIGHT = 7
IMAGE_DIRECTORY_ENTRY_ARCHITECTURE = 7
IMAGE_DIRECTORY_ENTRY_GLOBALPTR = 8
IMAGE_DIRECTORY_ENTRY_TLS = 9
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11
IMAGE_DIRECTORY_ENTRY_IAT = 12
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT = 13
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
# Struct
# typedef struct _IMAGE_DATA_DIRECTORY {
# DWORD VirtualAddress;
# DWORD Size;
# } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
IMAGE_DATA_DIRECTORY = Rex::Struct2::CStructTemplate.new(
[ 'uint32v', 'VirtualAddress', 0 ],
[ 'uint32v', 'Size', 0 ]
)
# Struct
# typedef struct _IMAGE_OPTIONAL_HEADER {
# //
# // Standard fields.
# //
#
# WORD Magic;
# BYTE MajorLinkerVersion;
# BYTE MinorLinkerVersion;
# DWORD SizeOfCode;
# DWORD SizeOfInitializedData;
# DWORD SizeOfUninitializedData;
# DWORD AddressOfEntryPoint;
# DWORD BaseOfCode;
# DWORD BaseOfData;
#
# //
# // NT additional fields.
# //
#
# DWORD ImageBase;
# DWORD SectionAlignment;
# DWORD FileAlignment;
# WORD MajorOperatingSystemVersion;
# WORD MinorOperatingSystemVersion;
# WORD MajorImageVersion;
# WORD MinorImageVersion;
# WORD MajorSubsystemVersion;
# WORD MinorSubsystemVersion;
# DWORD Win32VersionValue;
# DWORD SizeOfImage;
# DWORD SizeOfHeaders;
# DWORD CheckSum;
# WORD Subsystem;
# WORD DllCharacteristics;
# DWORD SizeOfStackReserve;
# DWORD SizeOfStackCommit;
# DWORD SizeOfHeapReserve;
# DWORD SizeOfHeapCommit;
# DWORD LoaderFlags;
# DWORD NumberOfRvaAndSizes;
# IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
# } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
#
# #define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
# #define IMAGE_SIZEOF_NT_OPTIONAL32_HEADER 224
#
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b
IMAGE_SIZEOF_NT_OPTIONAL32_HEADER = 224
IMAGE_OPTIONAL_HEADER32 = Rex::Struct2::CStructTemplate.new(
[ 'uint16v', 'Magic', 0 ],
[ 'uint8', 'MajorLinkerVersion', 0 ],
[ 'uint8', 'MinorLinkerVersion', 0 ],
[ 'uint32v', 'SizeOfCode', 0 ],
[ 'uint32v', 'SizeOfInitializeData', 0 ],
[ 'uint32v', 'SizeOfUninitializeData', 0 ],
[ 'uint32v', 'AddressOfEntryPoint', 0 ],
[ 'uint32v', 'BaseOfCode', 0 ],
[ 'uint32v', 'BaseOfData', 0 ],
[ 'uint32v', 'ImageBase', 0 ],
[ 'uint32v', 'SectionAlignment', 0 ],
[ 'uint32v', 'FileAlignment', 0 ],
[ 'uint16v', 'MajorOperatingSystemVersion', 0 ],
[ 'uint16v', 'MinorOperatingSystemVersion', 0 ],
[ 'uint16v', 'MajorImageVersion', 0 ],
[ 'uint16v', 'MinorImageVersion', 0 ],
[ 'uint16v', 'MajorSubsystemVersion', 0 ],
[ 'uint16v', 'MinorSubsystemVersion', 0 ],
[ 'uint32v', 'Win32VersionValue', 0 ],
[ 'uint32v', 'SizeOfImage', 0 ],
[ 'uint32v', 'SizeOfHeaders', 0 ],
[ 'uint32v', 'CheckSum', 0 ],
[ 'uint16v', 'Subsystem', 0 ],
[ 'uint16v', 'DllCharacteristics', 0 ],
[ 'uint32v', 'SizeOfStackReserve', 0 ],
[ 'uint32v', 'SizeOfStackCommit', 0 ],
[ 'uint32v', 'SizeOfHeapReserve', 0 ],
[ 'uint32v', 'SizeOfHeapCommit', 0 ],
[ 'uint32v', 'LoaderFlags', 0 ],
[ 'uint32v', 'NumberOfRvaAndSizes', 0 ],
[ 'template', 'DataDirectory', Rex::Struct2::CStructTemplate.new(
[ 'template', 'DataDirectoryEntry_0', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_1', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_2', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_3', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_4', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_5', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_6', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_7', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_8', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_9', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_10', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_11', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_12', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_13', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_14', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_15', IMAGE_DATA_DIRECTORY ]
)]
)
# #define IMAGE_SIZEOF_NT_OPTIONAL64_HEADER 240
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b
# #define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
IMAGE_SIZEOF_NT_OPTIONAL64_HEADER = 240
# Struct
# typedef struct _IMAGE_OPTIONAL_HEADER64 {
# USHORT Magic;
# UCHAR MajorLinkerVersion;
# UCHAR MinorLinkerVersion;
# ULONG SizeOfCode;
# ULONG SizeOfInitializedData;
# ULONG SizeOfUninitializedData;
# ULONG AddressOfEntryPoint;
# ULONG BaseOfCode;
# ULONGLONG ImageBase;
# ULONG SectionAlignment;
# ULONG FileAlignment;
# USHORT MajorOperatingSystemVersion;
# USHORT MinorOperatingSystemVersion;
# USHORT MajorImageVersion;
# USHORT MinorImageVersion;
# USHORT MajorSubsystemVersion;
# USHORT MinorSubsystemVersion;
# ULONG Win32VersionValue;
# ULONG SizeOfImage;
# ULONG SizeOfHeaders;
# ULONG CheckSum;
# USHORT Subsystem;
# USHORT DllCharacteristics;
# ULONGLONG SizeOfStackReserve;
# ULONGLONG SizeOfStackCommit;
# ULONGLONG SizeOfHeapReserve;
# ULONGLONG SizeOfHeapCommit;
# ULONG LoaderFlags;
# ULONG NumberOfRvaAndSizes;
# IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
# } IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
IMAGE_OPTIONAL_HEADER64 = Rex::Struct2::CStructTemplate.new(
[ 'uint16v', 'Magic', 0 ],
[ 'uint8', 'MajorLinkerVersion', 0 ],
[ 'uint8', 'MinorLinkerVersion', 0 ],
[ 'uint32v', 'SizeOfCode', 0 ],
[ 'uint32v', 'SizeOfInitializeData', 0 ],
[ 'uint32v', 'SizeOfUninitializeData', 0 ],
[ 'uint32v', 'AddressOfEntryPoint', 0 ],
[ 'uint32v', 'BaseOfCode', 0 ],
[ 'uint64v', 'ImageBase', 0 ],
[ 'uint32v', 'SectionAlignment', 0 ],
[ 'uint32v', 'FileAlignment', 0 ],
[ 'uint16v', 'MajorOperatingsystemVersion', 0 ],
[ 'uint16v', 'MinorOperatingsystemVersion', 0 ],
[ 'uint16v', 'MajorImageVersion', 0 ],
[ 'uint16v', 'MinorImageVersion', 0 ],
[ 'uint16v', 'MajorSubsystemVersion', 0 ],
[ 'uint16v', 'MinorSubsystemVersion', 0 ],
[ 'uint32v', 'Win32VersionValue', 0 ],
[ 'uint32v', 'SizeOfImage', 0 ],
[ 'uint32v', 'SizeOfHeaders', 0 ],
[ 'uint32v', 'CheckSum', 0 ],
[ 'uint16v', 'Subsystem', 0 ],
[ 'uint16v', 'DllCharacteristics', 0 ],
[ 'uint64v', 'SizeOfStackReserve', 0 ],
[ 'uint64v', 'SizeOfStackCommit', 0 ],
[ 'uint64v', 'SizeOfHeapReserve', 0 ],
[ 'uint64v', 'SizeOfHeapCommit', 0 ],
[ 'uint32v', 'LoaderFlags', 0 ],
[ 'uint32v', 'NumberOfRvaAndSizes', 0 ],
[ 'template', 'DataDirectory', Rex::Struct2::CStructTemplate.new(
[ 'template', 'DataDirectoryEntry_0', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_1', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_2', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_3', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_4', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_5', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_6', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_7', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_8', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_9', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_10', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_11', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_12', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_13', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_14', IMAGE_DATA_DIRECTORY ],
[ 'template', 'DataDirectoryEntry_15', IMAGE_DATA_DIRECTORY ]
)]
)
class OptionalHeader < GenericHeader
def ImageBase
v['ImageBase']
end
def FileAlignment
v['FileAlignment']
end
end
class OptionalHeader32 < OptionalHeader
def initialize(rawdata)
optional_header = IMAGE_OPTIONAL_HEADER32.make_struct
if !optional_header.from_s(rawdata)
raise OptionalHeaderError, "Couldn't parse IMAGE_OPTIONAL_HEADER32", caller
end
if optional_header.v['Magic'] != IMAGE_NT_OPTIONAL_HDR32_MAGIC
raise OptionalHeaderError, "Magic did not match!", caller()
end
self.struct = optional_header
end
end
class OptionalHeader64 < OptionalHeader
def initialize(rawdata)
optional_header = IMAGE_OPTIONAL_HEADER64.make_struct
if !optional_header.from_s(rawdata)
raise OptionalHeaderError, "Couldn't parse IMAGE_OPTIONAL_HEADER64", caller
end
if optional_header.v['Magic'] != IMAGE_NT_OPTIONAL_HDR64_MAGIC
raise OptionalHeaderError, "Magic did not match!", caller()
end
self.struct = optional_header
end
end
def self._parse_optional_header(rawdata)
case rawdata.length
# no optional header
when 0
return nil
# good, good
when IMAGE_SIZEOF_NT_OPTIONAL32_HEADER
return OptionalHeader32.new(rawdata)
when IMAGE_SIZEOF_NT_OPTIONAL64_HEADER
return OptionalHeader64.new(rawdata)
# bad, bad
else
raise OptionalHeaderError, "I don't know this header size, #{rawdata.length}", caller
end
end
# #define IMAGE_SIZEOF_SECTION_HEADER 40
IMAGE_SIZEOF_SECTION_HEADER = 40
# Struct
# typedef struct _IMAGE_SECTION_HEADER {
# BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
# union {
# DWORD PhysicalAddress;
# DWORD VirtualSize;
# } Misc;
# DWORD VirtualAddress;
# DWORD SizeOfRawData;
# DWORD PointerToRawData;
# DWORD PointerToRelocations;
# DWORD PointerToLinenumbers;
# WORD NumberOfRelocations;
# WORD NumberOfLinenumbers;
# DWORD Characteristics;
# } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
IMAGE_SECTION_HEADER = Rex::Struct2::CStructTemplate.new(
[ 'string', 'Name', 8, '' ],
[ 'uint32v', 'Misc', 0 ],
[ 'uint32v', 'VirtualAddress', 0 ],
[ 'uint32v', 'SizeOfRawData', 0 ],
[ 'uint32v', 'PointerToRawData', 0 ],
[ 'uint32v', 'PointerToRelocations', 0 ],
[ 'uint32v', 'NumberOfRelocations', 0 ],
[ 'uint32v', 'NumberOfLineNumbers', 0 ],
[ 'uint32v', 'Characteristics', 0 ]
)
class SectionHeader < GenericHeader
def initialize(rawdata)
section_header = IMAGE_SECTION_HEADER.make_struct
if !section_header.from_s(rawdata)
raise SectionHeaderError, "Could not parse header", caller
end
self.struct = section_header
end
def VirtualAddress
v['VirtualAddress']
end
def SizeOfRawData
v['SizeOfRawData']
end
def PointerToRawData
v['PointerToRawData']
end
end
def self._parse_section_headers(rawdata)
section_headers = [ ]
size = IMAGE_SIZEOF_SECTION_HEADER
numsections = rawdata.length / size
numsections.times do |i|
data = rawdata[i * size, size]
section_headers << SectionHeader.new(data)
end
return section_headers
end
# #define IMAGE_SIZEOF_BASE_RELOCATION 8
IMAGE_SIZEOF_BASE_RELOCATION = 8
# Struct
# typedef struct _IMAGE_BASE_RELOCATION {
# DWORD VirtualAddress;
# DWORD SizeOfBlock;
# // WORD TypeOffset[1];
# } IMAGE_BASE_RELOCATION;
# typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION;
IMAGE_BASE_RELOCATION = Rex::Struct2::CStructTemplate.new(
[ 'uint32v', 'VirtualAddress', 0 ],
[ 'uint32v', 'SizeOfBlock', 0 ]
)
IMAGE_BASE_RELOCATION_TYPE_OFFSET = Rex::Struct2::CStructTemplate.new(
[ 'uint16v', 'TypeOffset', 0 ]
)
class RelocationDirectory
attr_accessor :entries, :rva
def initialize(rva, entries)
self.rva = rva
self.entries = entries
self.name = name
self.characteristics = chars
self.timedate = timedate
self.version = version
self.entries = []
end
end
class RelocationEntry
attr_accessor :rva, :reltype
def initialize(_rva, _type)
self.rva = _rva
self.reltype = _type
end
end
class ResourceDirectory
attr_accessor :entries, :name
def initialize(name, entries)
self.name = name
self.entries = entries
end
end
class ResourceEntry
attr_accessor :path, :lang, :code, :rva, :size, :pe, :file
def initialize(pe, path, lang, code, rva, size, file)
self.pe = pe
self.path = path
self.lang = lang
self.code = code
self.rva = rva
self.size = size
self.file = file.to_s
end
def data
pe._isource.read(pe.rva_to_file_offset(rva), size)
end
end
# Struct
# typedef struct {
# DWORD Size;
# DWORD TimeDateStamp;
# WORD MajorVersion;
# WORD MinorVersion;
# DWORD GlobalFlagsClear;
# DWORD GlobalFlagsSet;
# DWORD CriticalSectionDefaultTimeout;
# DWORD DeCommitFreeBlockThreshold;
# DWORD DeCommitTotalFreeThreshold;
# DWORD LockPrefixTable; // VA
# DWORD MaximumAllocationSize;
# DWORD VirtualMemoryThreshold;
# DWORD ProcessHeapFlags;
# DWORD ProcessAffinityMask;
# WORD CSDVersion;
# WORD Reserved1;
# DWORD EditList; // VA
# DWORD SecurityCookie; // VA
# DWORD SEHandlerTable; // VA
# DWORD SEHandlerCount;
# } IMAGE_LOAD_CONFIG_DIRECTORY32, *PIMAGE_LOAD_CONFIG_DIRECTORY32;
#
IMAGE_LOAD_CONFIG_DIRECTORY32 = Rex::Struct2::CStructTemplate.new(
[ 'uint32v', 'Size', 0 ],
[ 'uint32v', 'TimeDateStamp', 0 ],
[ 'uint16v', 'MajorVersion', 0 ],
[ 'uint16v', 'MinorVersion', 0 ],
[ 'uint32v', 'GlobalFlagsClear', 0 ],
[ 'uint32v', 'GlobalFlagsSet', 0 ],
[ 'uint32v', 'CriticalSectionDefaultTimeout', 0 ],
[ 'uint32v', 'DeCommitFreeBlockThreshold', 0 ],
[ 'uint32v', 'DeCommitTotalFreeThreshold', 0 ],
[ 'uint32v', 'LockPrefixTable', 0 ],
[ 'uint32v', 'MaximumAllocationSize', 0 ],
[ 'uint32v', 'VirtualMemoryThreshold', 0 ],
[ 'uint32v', 'ProcessHeapFlags', 0 ],
[ 'uint32v', 'ProcessAffinityMask', 0 ],
[ 'uint16v', 'CSDVersion', 0 ],
[ 'uint16v', 'Reserved1', 0 ],
[ 'uint32v', 'EditList', 0 ],
[ 'uint32v', 'SecurityCookie', 0 ],
[ 'uint32v', 'SEHandlerTable', 0 ],
[ 'uint32v', 'SEHandlerCount', 0 ]
)
# Struct
# typedef struct {
# ULONG Size;
# ULONG TimeDateStamp;
# USHORT MajorVersion;
# USHORT MinorVersion;
# ULONG GlobalFlagsClear;
# ULONG GlobalFlagsSet;
# ULONG CriticalSectionDefaultTimeout;
# ULONGLONG DeCommitFreeBlockThreshold;
# ULONGLONG DeCommitTotalFreeThreshold;
# ULONGLONG LockPrefixTable; // VA
# ULONGLONG MaximumAllocationSize;
# ULONGLONG VirtualMemoryThreshold;
# ULONGLONG ProcessAffinityMask;
# ULONG ProcessHeapFlags;
# USHORT CSDVersion;
# USHORT Reserved1;
# ULONGLONG EditList; // VA
# ULONGLONG SecurityCookie; // VA
# ULONGLONG SEHandlerTable; // VA
# ULONGLONG SEHandlerCount;
# } IMAGE_LOAD_CONFIG_DIRECTORY64, *PIMAGE_LOAD_CONFIG_DIRECTORY64;
IMAGE_LOAD_CONFIG_DIRECTORY64 = Rex::Struct2::CStructTemplate.new(
[ 'uint32v', 'Size', 0 ],
[ 'uint32v', 'TimeDateStamp', 0 ],
[ 'uint16v', 'MajorVersion', 0 ],
[ 'uint16v', 'MinorVersion', 0 ],
[ 'uint32v', 'GlobalFlagsClear', 0 ],
[ 'uint32v', 'GlobalFlagsSet', 0 ],
[ 'uint32v', 'CriticalSectionDefaultTimeout', 0 ],
[ 'uint64v', 'DeCommitFreeBlockThreshold', 0 ],
[ 'uint64v', 'DeCommitTotalFreeThreshold', 0 ],
[ 'uint64v', 'LockPrefixTable', 0 ],
[ 'uint64v', 'MaximumAllocationSize', 0 ],
[ 'uint64v', 'VirtualMemoryThreshold', 0 ],
[ 'uint64v', 'ProcessAffinityMask', 0 ],
[ 'uint32v', 'ProcessHeapFlags', 0 ],
[ 'uint16v', 'CSDVersion', 0 ],
[ 'uint16v', 'Reserved1', 0 ],
[ 'uint64v', 'EditList', 0 ],
[ 'uint64v', 'SecurityCookie', 0 ],
[ 'uint64v', 'SEHandlerTable', 0 ],
[ 'uint64v', 'SEHandlerCount', 0 ]
)
class ConfigHeader < GenericHeader
end
#--
# doesn't seem to be used -- not compatible with 64-bit
#def self._parse_config_header(rawdata)
# header = IMAGE_LOAD_CONFIG_DIRECTORY32.make_struct
# header.from_s(rawdata)
# ConfigHeader.new(header)
#end
#++
def _parse_config_header
#
# Get the data directory entry, size, etc
#
exports_entry = _optional_header['DataDirectory'][IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
rva = exports_entry.v['VirtualAddress']
size = exports_entry.v['Size']
return nil if size == 0
#
# Ok, so we have the data directory, now lets parse it
#
dirdata = _isource.read(rva_to_file_offset(rva), size)
klass = (ptr_64?) ? IMAGE_LOAD_CONFIG_DIRECTORY64 : IMAGE_LOAD_CONFIG_DIRECTORY32
header = klass.make_struct
header.from_s(dirdata)
@config = ConfigHeader.new(header)
end
def config
_parse_config_header if @config.nil?
@config
end
#
# TLS Directory
#
# Struct
# typedef struct {
# DWORD Size;
# DWORD TimeDateStamp;
# WORD MajorVersion;
# WORD MinorVersion;
# DWORD GlobalFlagsClear;
# DWORD GlobalFlagsSet;
# DWORD CriticalSectionDefaultTimeout;
# DWORD DeCommitFreeBlockThreshold;
# DWORD DeCommitTotalFreeThreshold;
# DWORD LockPrefixTable; // VA
# DWORD MaximumAllocationSize;
# DWORD VirtualMemoryThreshold;
# DWORD ProcessHeapFlags;
# DWORD ProcessAffinityMask;
# WORD CSDVersion;
# WORD Reserved1;
# DWORD EditList; // VA
# DWORD SecurityCookie; // VA
# DWORD SEHandlerTable; // VA
# DWORD SEHandlerCount;
# } IMAGE_LOAD_CONFIG_DIRECTORY32, *PIMAGE_LOAD_CONFIG_DIRECTORY32;
IMAGE_LOAD_TLS_DIRECTORY32 = Rex::Struct2::CStructTemplate.new(
[ 'uint32v', 'Size', 0 ],
[ 'uint32v', 'TimeDateStamp', 0 ],
[ 'uint16v', 'MajorVersion', 0 ],
[ 'uint16v', 'MinorVersion', 0 ],
[ 'uint32v', 'GlobalFlagsClear', 0 ],
[ 'uint32v', 'GlobalFlagsSet', 0 ],
[ 'uint32v', 'CriticalSectionDefaultTimeout', 0 ],
[ 'uint32v', 'DeCommitFreeBlockThreshold', 0 ],
[ 'uint32v', 'DeCommitTotalFreeThreshold', 0 ],
[ 'uint32v', 'LockPrefixTable', 0 ],
[ 'uint32v', 'MaximumAllocationSize', 0 ],
[ 'uint32v', 'VirtualMemoryThreshold', 0 ],
[ 'uint32v', 'ProcessHeapFlags', 0 ],
[ 'uint32v', 'ProcessAffinityMask', 0 ],
[ 'uint16v', 'CSDVersion', 0 ],
[ 'uint16v', 'Reserved1', 0 ],
[ 'uint32v', 'EditList', 0 ],
[ 'uint32v', 'SecurityCookie', 0 ],
[ 'uint32v', 'SEHandlerTable', 0 ],
[ 'uint32v', 'SEHandlerCount', 0 ]
)
# Struct
# typedef struct {
# ULONG Size;
# ULONG TimeDateStamp;
# USHORT MajorVersion;
# USHORT MinorVersion;
# ULONG GlobalFlagsClear;
# ULONG GlobalFlagsSet;
# ULONG CriticalSectionDefaultTimeout;
# ULONGLONG DeCommitFreeBlockThreshold;
# ULONGLONG DeCommitTotalFreeThreshold;
# ULONGLONG LockPrefixTable; // VA
# ULONGLONG MaximumAllocationSize;
# ULONGLONG VirtualMemoryThreshold;
# ULONGLONG ProcessAffinityMask;
# ULONG ProcessHeapFlags;
# USHORT CSDVersion;
# USHORT Reserved1;
# ULONGLONG EditList; // VA
# ULONGLONG SecurityCookie; // VA
# ULONGLONG SEHandlerTable; // VA
# ULONGLONG SEHandlerCount;
# } IMAGE_LOAD_CONFIG_DIRECTORY64, *PIMAGE_LOAD_CONFIG_DIRECTORY64;
IMAGE_LOAD_TLS_DIRECTORY64 = Rex::Struct2::CStructTemplate.new(
[ 'uint32v', 'Size', 0 ],
[ 'uint32v', 'TimeDateStamp', 0 ],
[ 'uint16v', 'MajorVersion', 0 ],
[ 'uint16v', 'MinorVersion', 0 ],
[ 'uint32v', 'GlobalFlagsClear', 0 ],
[ 'uint32v', 'GlobalFlagsSet', 0 ],
[ 'uint32v', 'CriticalSectionDefaultTimeout', 0 ],
[ 'uint64v', 'DeCommitFreeBlockThreshold', 0 ],
[ 'uint64v', 'DeCommitTotalFreeThreshold', 0 ],
[ 'uint64v', 'LockPrefixTable', 0 ],
[ 'uint64v', 'MaximumAllocationSize', 0 ],
[ 'uint64v', 'VirtualMemoryThreshold', 0 ],
[ 'uint64v', 'ProcessAffinityMask', 0 ],
[ 'uint32v', 'ProcessHeapFlags', 0 ],
[ 'uint16v', 'CSDVersion', 0 ],
[ 'uint16v', 'Reserved1', 0 ],
[ 'uint64v', 'EditList', 0 ],
[ 'uint64v', 'SecurityCookie', 0 ],
[ 'uint64v', 'SEHandlerTable', 0 ],
[ 'uint64v', 'SEHandlerCount', 0 ]
)
class TLSHeader < GenericHeader
end
def _parse_tls_header
#
# Get the data directory entry, size, etc
#
exports_entry = _optional_header['DataDirectory'][IMAGE_DIRECTORY_ENTRY_TLS]
rva = exports_entry.v['VirtualAddress']
size = exports_entry.v['Size']
return nil if size == 0
#
# Ok, so we have the data directory, now lets parse it
#
dirdata = _isource.read(rva_to_file_offset(rva), size)
klass = (ptr_64?) ? IMAGE_LOAD_TLS_DIRECTORY64 : IMAGE_LOAD_TLS_DIRECTORY32
header = klass.make_struct
header.from_s(dirdata)
@tls = TLSHeader.new(header)
end
def tls
_parse_config_header if @tls.nil?
@tls
end
##
#
# Exception directory
#
##
IMAGE_RUNTIME_FUNCTION_ENTRY_SZ = 12
# Struct
# typedef struct _IMAGE_RUNTIME_FUNCTION_ENTRY {
# DWORD BeginAddress;
# DWORD EndAddress;
# DWORD UnwindInfoAddress;
# } _IMAGE_RUNTIME_FUNCTION_ENTRY, *_PIMAGE_RUNTIME_FUNCTION_ENTRY;
IMAGE_RUNTIME_FUNCTION_ENTRY = Rex::Struct2::CStructTemplate.new(
[ 'uint32v', 'BeginAddress', 0 ],
[ 'uint32v', 'EndAddress', 0 ],
[ 'uint32v', 'UnwindInfoAddress', 0 ]
)
UNWIND_INFO_HEADER_SZ = 4
UNWIND_INFO_HEADER = Rex::Struct2::CStructTemplate.new(
[ 'uint8', 'VersionFlags', 0 ],
[ 'uint8', 'SizeOfProlog', 0 ],
[ 'uint8', 'CountOfCodes', 0 ],
[ 'uint8', 'FrameRegisterAndOffset', 0 ]
)
UWOP_PUSH_NONVOL = 0 # 1 node
UWOP_ALLOC_LARGE = 1 # 2 or 3 nodes
UWOP_ALLOC_SMALL = 2 # 1 node
UWOP_SET_FPREG = 3 # 1 node
UWOP_SAVE_NONVOL = 4 # 2 nodes
UWOP_SAVE_NONVOL_FAR = 5 # 3 nodes
UWOP_SAVE_XMM128 = 8 # 2 nodes
UWOP_SAVE_XMM128_FAR = 9 # 3 nodes
UWOP_PUSH_MACHFRAME = 10 # 1 node
UNW_FLAG_EHANDLER = 1
UNW_FLAG_UHANDLER = 2
UNW_FLAG_CHAININFO = 4
class UnwindCode
def initialize(data)
self.code_offset = data[0].to_i
self.unwind_op = data[1].to_i & 0xf
self.op_info = data[1].to_i >> 4
self.frame_offset = data[2..3].unpack("v")[0]
data.slice!(0, 4)
end
attr_reader :code_offset, :unwind_op, :op_info, :frame_offset
attr_writer :code_offset, :unwind_op, :op_info, :frame_offset
end
class UnwindInfo
def initialize(pe, unwind_rva)
data = pe.read_rva(unwind_rva, UNWIND_INFO_HEADER_SZ)
unwind = UNWIND_INFO_HEADER.make_struct
unwind.from_s(data)
@version = unwind.v['VersionFlags'] & 0x7
@flags = unwind.v['VersionFlags'] >> 3
@size_of_prolog = unwind.v['SizeOfProlog']
@count_of_codes = unwind.v['CountOfCodes']
@frame_register = unwind.v['FrameRegisterAndOffset'] & 0xf
@frame_register_offset = unwind.v['FrameRegisterAndOffset'] >> 4
# Parse unwind codes
clist = pe.read_rva(unwind_rva + UNWIND_INFO_HEADER_SZ, count_of_codes * 4)
@unwind_codes = []
while clist.length > 0
@unwind_codes << UnwindCode.new(clist)
end
end
attr_reader :version, :flags, :size_of_prolog, :count_of_codes
attr_reader :frame_register, :frame_register_offset
def unwind_codes
@unwind_codes
end
end
class RuntimeFunctionEntry
def initialize(pe, data)
@pe = pe
@begin_address, @end_address, @unwind_info_address = data.unpack("VVV");
self.unwind_info = UnwindInfo.new(pe, unwind_info_address)
end
attr_reader :begin_address, :end_address, :unwind_info_address
attr_reader :unwind_info
attr_writer :unwind_info
end
def _load_exception_directory
@exception = []
exception_entry = _optional_header['DataDirectory'][IMAGE_DIRECTORY_ENTRY_EXCEPTION]
rva = exception_entry.v['VirtualAddress']
size = exception_entry.v['Size']
return if (rva == 0)
data = _isource.read(rva_to_file_offset(rva), size)
case hdr.file.Machine
when IMAGE_FILE_MACHINE_AMD64
count = data.length / IMAGE_RUNTIME_FUNCTION_ENTRY_SZ
count.times { |current|
@exception << RuntimeFunctionEntry.new(self,
data.slice!(0, IMAGE_RUNTIME_FUNCTION_ENTRY_SZ))
}
else
end
return @exception
end
def exception
_load_exception_directory if @exception.nil?
@exception
end
#
# Just a stupid routine to round an offset up to it's alignment.
#
# For example, you're going to want this for FileAlignment and
# SectionAlignment, etc...
#
def self._align_offset(offset, alignment)
offset += alignment - 1
offset -= offset % alignment
return offset
end
#
# instance stuff
#
attr_accessor :_isource
attr_accessor :_dos_header, :_file_header, :_optional_header,
:_section_headers, :_config_header, :_tls_header, :_exception_header
attr_accessor :sections, :header_section, :image_base
attr_accessor :_imports_cache, :_imports_cached
attr_accessor :_exports_cache, :_exports_cached
attr_accessor :_relocations_cache, :_relocations_cached
attr_accessor :_resources_cache, :_resources_cached
attr_accessor :hdr
def self.new_from_file(filename, disk_backed = false)
file = ::File.new(filename)
file.binmode # windows... :\
if disk_backed
return self.new(ImageSource::Disk.new(file))
else
obj = new_from_string(file.read)
file.close
return obj
end
end
def self.new_from_string(data)
return self.new(ImageSource::Memory.new(data))
end
def close
_isource.close
end
#
#
# Random rva, vma, file offset, section offset, etc
# conversion routines...
#
#
def rva_to_vma(rva)
return rva + image_base
end
def vma_to_rva(vma)
return vma - image_base
end
def rva_to_file_offset(rva)
all_sections.each do |section|
if section.contains_rva?(rva)
return section.rva_to_file_offset(rva)
end
end
raise WtfError, "wtf!", caller
end
def vma_to_file_offset(vma)
return rva_to_file_offset(vma_to_rva(vma))
end
def file_offset_to_rva(foffset)
if foffset < 0
raise WtfError, "lame", caller
end
all_sections.each do |section|
if section.contains_file_offset?(foffset)
return section.file_offset_to_rva(foffset)
end
end
raise WtfError, "wtf! #{foffset}", caller
end
def file_offset_to_vma(foffset)
return rva_to_vma(file_offset_to_rva(foffset))
end
#
#
# Some routines to find which section something belongs
# to. These will search all_sections (so including
# our fake header section, etc...
#
#
#
# Find a section by an RVA
#
def _find_section_by_rva(rva)
all_sections.each do |section|
if section.contains_rva?(rva)
return section
end
end
return nil
end
def find_section_by_rva(rva)
section = _find_section_by_rva(rva)
if !section
raise WtfError, "Cannot find rva! #{rva}", caller
end
return section
end
#
# Find a section by a VMA
#
def find_section_by_vma(vma)
return find_section_by_rva(vma_to_rva(vma))
end
def valid_rva?(rva)
_find_section_by_rva(rva) != nil
end
def valid_vma?(vma)
_find_section_by_rva(vma_to_rva(vma)) != nil
end
#
#
# Some convenient methods to read a vma/rva without having
# the section... (inefficent though I suppose...)
#
#
def read_rva(rva, length)
return find_section_by_rva(rva).read_rva(rva, length)
end
def read_vma(vma, length)
return read_rva(vma_to_rva(vma), length)
end
def read_asciiz_rva(rva)
return find_section_by_rva(rva).read_asciiz_rva(rva)
end
def read_asciiz_vma(vma)
return read_asciiz_rva(vma_to_rva(vma))
end
#
#
# Imports, exports, and other stuff!
#
#
#
# We lazily parse the imports, and then cache it
#
def imports
if !_imports_cached
self._imports_cache = _load_imports
self._imports_cached = true
end
return _imports_cache
end
def _load_imports
#
# Get the data directory entry, size, etc
#
imports_entry = _optional_header['DataDirectory'][1]
rva = imports_entry.v['VirtualAddress']
size = imports_entry.v['Size']
return nil if size == 0
#
# Ok, so we have the data directory, now lets parse it
#
imports = [ ]
descriptors_data = _isource.read(rva_to_file_offset(rva), size)
while descriptors_data.length >= IMAGE_IMPORT_DESCRIPTOR_SIZE
descriptor = IMAGE_IMPORT_DESCRIPTOR.make_struct
descriptor.from_s(descriptors_data)
descriptors_data = descriptor.leftover
othunk = descriptor.v['OriginalFirstThunk']
fthunk = descriptor.v['FirstThunk']
break if fthunk == 0
dllname = _isource.read_asciiz(rva_to_file_offset(descriptor.v['Name']))
import = ImportDescriptor.new(dllname, [ ])
# we prefer the Characteristics/OriginalFirstThunk...
thunk_off = rva_to_file_offset(othunk == 0 ? fthunk : othunk)
while (orgrva = _isource.read(thunk_off, 4).unpack('V')[0]) != 0
hint = nil
name = nil
if (orgrva & IMAGE_ORDINAL_FLAG32) != 0
hint = orgrva & 0xffff
else
foff = rva_to_file_offset(orgrva)
hint = _isource.read(foff, 2).unpack('v')[0]
name = _isource.read_asciiz(foff + 2)
end
import.entries << ImportEntry.new(name, hint)
thunk_off += 4
end
imports << import
end
return imports
end
#
# We lazily parse the exports, and then cache it
#
def exports
if !_exports_cached
self._exports_cache = _load_exports
self._exports_cached = true
end
return _exports_cache
end
def _load_exports
#
# Get the data directory entry, size, etc
#
exports_entry = _optional_header['DataDirectory'][0]
rva = exports_entry.v['VirtualAddress']
size = exports_entry.v['Size']
return nil if size == 0
#
# Ok, so we have the data directory, now lets parse it
#
directory = IMAGE_EXPORT_DESCRIPTOR.make_struct
directory.from_s(_isource.read(rva_to_file_offset(rva), IMAGE_EXPORT_DESCRIPTOR_SIZE))
#
# We can have nameless exports, so we need to do the whole
# NumberOfFunctions NumberOfNames foo
#
num_functions = directory.v['NumberOfFunctions']
num_names = directory.v['NumberOfNames']
dllname_rva = directory.v['Name']
dllname = _isource.read_asciiz(rva_to_file_offset(dllname_rva))
# FIXME Base, etc
fun_off = rva_to_file_offset(directory.v['AddressOfFunctions'])
name_off = rva_to_file_offset(directory.v['AddressOfNames'])
ord_off = rva_to_file_offset(directory.v['AddressOfNameOrdinals'])
base = directory.v['Base']
# Allocate the list of names
names = Array.new(num_functions)
#
# Iterate the names and name/ordinal list, getting the names
# and storing them in the name list...
#
num_names.times do |i|
name_rva = _isource.read(name_off + (i * 4), 4).unpack('V')[0]
ordinal = _isource.read(ord_off + (i * 2), 2).unpack('v')[0]
name = _isource.read_asciiz(rva_to_file_offset(name_rva))
# store the exported name in the name list
names[ordinal] = name
end
exports = ExportDirectory.new(dllname, [ ], base)
#
# Now just iterate the functions (rvas) list..
#
num_functions.times do |i|
rva = _isource.read(fun_off + (i * 4), 4).unpack('V')[0]
# ExportEntry.new(name, ordinal, rva)
exports.entries << ExportEntry.new(names[i], i + base, rva)
end
return exports
end
#
# Base relocations in the hizzy
#
def relocations
if !_relocations_cached
self._relocations_cache = _load_relocations
self._relocations_cached = true
end
return _relocations_cache
end
def _load_relocations
#
# Get the data directory entry, size, etc
#
exports_entry = _optional_header['DataDirectory'][5]
rva = exports_entry.v['VirtualAddress']
size = exports_entry.v['Size']
return nil if size == 0
#
# Ok, so we have the data directory, now lets parse it
#
dirdata = _isource.read(rva_to_file_offset(rva), size)
relocdirs = [ ]
while dirdata.length >= IMAGE_SIZEOF_BASE_RELOCATION
header = IMAGE_BASE_RELOCATION.make_struct
header.from_s(dirdata)
dirdata = header.leftover
numrelocs = (header.v['SizeOfBlock'] - IMAGE_SIZEOF_BASE_RELOCATION) / 2
relocbase = header.v['VirtualAddress']
relocdir = RelocationDirectory.new(relocbase, [ ])
numrelocs.times do
reloc = IMAGE_BASE_RELOCATION_TYPE_OFFSET.make_struct
reloc.from_s(dirdata)
dirdata = reloc.leftover
typeoffset = reloc.v['TypeOffset']
relocrva = relocbase + (typeoffset & 0xfff)
reloctype = (typeoffset >> 12) & 0xf
relocdir.entries << RelocationEntry.new(relocrva, reloctype)
end
relocdirs << relocdir
end
return relocdirs
end
#
# We lazily parse the resources, and then cache them
#
def resources
if !_resources_cached
_load_resources
self._resources_cached = true
end
return self._resources_cache
end
def _load_resources
#
# Get the data directory entry, size, etc
#
rsrc_entry = _optional_header['DataDirectory'][IMAGE_DIRECTORY_ENTRY_RESOURCE]
rva = rsrc_entry.v['VirtualAddress']
size = rsrc_entry.v['Size']
return nil if size == 0
#
# Ok, so we have the data directory, now lets parse it
#
data = _isource.read(rva_to_file_offset(rva), size)
self._resources_cache = {}
_parse_resource_directory(data)
end
def _parse_resource_directory(data, rname=0, rvalue=0x80000000, path='0', pname=nil)
pname = _parse_resource_name(data, rname)
if (path.scan('/').length == 1)
if (pname !~ /^\d+/)
path = "/" + pname
else
path = "/" + _resource_lookup( (rname & ~0x80000000).to_s)
end
end
rvalue &= ~0x80000000
vals = data[rvalue, 16].unpack('VVvvvv')
chars = vals[0]
tdate = vals[1]
vers = "#{vals[2]}#{vals[3]}"
count = vals[4] + vals[5]
0.upto(count-1) do |i|
ename, evalue = data[rvalue + 16 + ( i * 8), 8].unpack('VV')
epath = path + '/' + i.to_s
if (ename & 0x80000000 != 0)
pname = _parse_resource_name(data, ename)
end
if (evalue & 0x80000000 != 0)
# This is a subdirectory
_parse_resource_directory(data, ename, evalue, epath, pname)
else
# This is an entry
_parse_resource_entry(data, ename, evalue, epath, pname)
end
end
end
def _resource_lookup(i)
tbl = {
'1' => 'RT_CURSOR',
'2' => 'RT_BITMAP',
'3' => 'RT_ICON',
'4' => 'RT_MENU',
'5' => 'RT_DIALOG',
'6' => 'RT_STRING',
'7' => 'RT_FONTDIR',
'8' => 'RT_FONT',
'9' => 'RT_ACCELERATORS',
'10' => 'RT_RCDATA',
'11' => 'RT_MESSAGETABLE',
'12' => 'RT_GROUP_CURSOR',
'14' => 'RT_GROUP_ICON',
'16' => 'RT_VERSION',
'17' => 'RT_DLGINCLUDE',
'19' => 'RT_PLUGPLAY',
'20' => 'RT_VXD',
'21' => 'RT_ANICURSOR',
'22' => 'RT_ANIICON',
'23' => 'RT_HTML',
'24' => 'RT_MANIFEST',
'32767' => 'RT_ERROR',
'8192' => 'RT_NEWRESOURCE',
'8194' => 'RT_NEWBITMAP',
'8196' => 'RT_NEWMENU',
'8197' => 'RT_NEWDIALOG'
}
tbl[i] || i
end
def _parse_resource_entry(data, rname, rvalue, path, pname)
rva, size, code = data[rvalue, 12].unpack('VVV')
lang = _parse_resource_name(data, rname)
ent = ResourceEntry.new(
self,
path,
lang,
code,
rva,
size,
pname
)
self._resources_cache[path] = ent
end
def _parse_resource_name(data, rname)
if (rname & 0x80000000 != 0)
rname &= ~0x80000000
unistr = data[rname+2, 2 * data[rname,2].unpack('v')[0] ]
unistr, trash = unistr.split(/\x00\x00/, 2)
return unistr ? unistr.gsub(/\x00/, '') : nil
end
rname.to_s
end
def update_checksum
off = _dos_header.e_lfanew + IMAGE_FILE_HEADER_SIZE + 0x40
_isource.rawdata[off, 4] = [0].pack('V')
rem = _isource.size % 4
sum_me = ''
sum_me << _isource.rawdata
sum_me << "\x00" * (4 - rem) if rem > 0
cksum = 0
sum_me.unpack('V*').each { |el|
cksum = (cksum & 0xffffffff) + (cksum >> 32) + el
if cksum > 2**32
cksum = (cksum & 0xffffffff) + (cksum >> 32)
end
}
cksum = (cksum & 0xffff) + (cksum >> 16)
cksum += (cksum >> 16)
cksum &= 0xffff
cksum += _isource.size
_isource.rawdata[off, 4] = [cksum].pack('V')
end
end end end