x64dbg
/
btparser
mirror of https://github.com/x64dbg/btparser
1
0
Fork 0
Code Releases Activity
btparser/cparser/tests/exp_lex/EXETemplate2.bt

420 lines
17 KiB
Plaintext
Raw Blame History

1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19: LittleEndian ( ) ;
20:
21: typedef struct {
22: WORD MZSignature < format = hex > ;
23: if ( MZSignature != 0x5A4D ) {
24: Warning ( "Not a valid EXE file" ) ;
25: return 1 ;
26: }
27:
28: WORD UsedBytesInTheLastPage ;
29: WORD FileSizeInPages ;
30: WORD NumberOfRelocationItems ;
31: WORD HeaderSizeInParagraphs ;
32: WORD MinimumExtraParagraphs ;
33: WORD MaximumExtraParagraphs ;
34: WORD InitialRelativeSS < format = hex > ;
35: WORD InitialSP < format = hex > ;
36: WORD Checksum < format = hex > ;
37: WORD InitialIP < format = hex > ;
38: WORD InitialRelativeCS < format = hex > ;
39: WORD AddressOfRelocationTable < format = hex > ;
40: WORD OverlayNumber ;
41: WORD Reserved [ 4 ] ;
42: WORD OEMid ;
43: WORD OEMinfo ;
44: WORD Reserved2 [ 10 ] ;
45: LONG AddressOfNewExeHeader < format = hex > ;
46: } IMAGE_DOS_HEADER ;
47:
48: typedef struct {
49: WORD Offset ;
50: WORD Segment ;
51: } DOS_RELOCATION_TABLE_ITEM ;
52:
53: typedef enum < WORD > { IMAGE_FILE_MACHINE_UNKNOWN = 0 , IMAGE_FILE_MACHINE_I386 = 0x14C ,
54: IMAGE_FILE_MACHINE_AMD64 = 0x8664 , IMAGE_FILE_MACHINE_ARM = 0x1C0 ,
55:
56: IMAGE_FILE_MACHINE_R3000 = 0x162 ,
57: IMAGE_FILE_MACHINE_R4000 = 0x166 , IMAGE_FILE_MACHINE_R10000 = 0x168 ,
58: IMAGE_FILE_MACHINE_WCEMIPSV2 = 0x169 , IMAGE_FILE_MACHINE_ALPHA = 0x184 ,
59: IMAGE_FILE_MACHINE_SH3 = 0x1A2 , IMAGE_FILE_MACHINE_SH3DSP = 0x1A3 ,
60: IMAGE_FILE_MACHINE_SH3E = 0x1A4 , IMAGE_FILE_MACHINE_SH4 = 0x1A6 ,
61: IMAGE_FILE_MACHINE_SH5 = 0x1A8 , IMAGE_FILE_MACHINE_THUMB = 0x1C2 ,
62: IMAGE_FILE_MACHINE_AM33 = 0x1D3 , IMAGE_FILE_MACHINE_POWERPC = 0x1F0 ,
63: IMAGE_FILE_MACHINE_POWERPCFP = 0x1F1 , IMAGE_FILE_MACHINE_IA64 = 0x200 ,
64: IMAGE_FILE_MACHINE_MIPS16 = 0x266 , IMAGE_FILE_MACHINE_ALPHA64 = 0x284 ,
65: IMAGE_FILE_MACHINE_MIPSFPU = 0x366 , IMAGE_FILE_MACHINE_MIPSFPU16 = 0x466 ,
66: IMAGE_FILE_MACHINE_TRICORE = 0x520 , IMAGE_FILE_MACHINE_CEF = 0xCEF ,
67: IMAGE_FILE_MACHINE_EBC = 0xEBC , IMAGE_FILE_MACHINE_M32R = 0x9041 ,
68: IMAGE_FILE_MACHINE_CEE = 0xC0EE } MACHINE ;
69:
70:
71: typedef struct {
72: ushort RelocsStripped : 1 ;
73: ushort ExecutableImage : 1 ;
74: ushort LineNumsStripped : 1 ;
75: ushort LocalSymsStripped : 1 ;
76: ushort AggresiveWorksetTrim : 1 ;
77: ushort LargeAddressAware : 1 ;
78: ushort Reserved : 1 ;
79: ushort BytesReversedLo : 1 ;
80: ushort _32bitMachine : 1 ;
81: ushort DebugStripped : 1 ;
82: ushort RemovableRunFromSwap : 1 ;
83: ushort NetRunFromSwap : 1 ;
84: ushort System : 1 ;
85: ushort DLL : 1 ;
86: ushort UPSystemOnly : 1 ;
87: ushort BytesReversedHi : 1 ;
88: } CHARACTERISTICS < read = ReadCHARACTERISTICS > ;
89:
90: string ReadCHARACTERISTICS ( CHARACTERISTICS & flags ) {
91: string s = "" ;
92: if ( flags . AggresiveWorksetTrim ) Strcat ( s , "AggresiveWorksetTrim " ) ;
93: if ( flags . LargeAddressAware ) Strcat ( s , "LargeAddressAware " ) ;
94: if ( flags . RemovableRunFromSwap ) Strcat ( s , "RemovableRunFromSwap " ) ;
95: if ( flags . NetRunFromSwap ) Strcat ( s , "NetRunFromSwap " ) ;
96: if ( flags . System ) Strcat ( s , "SystemDriver " ) ;
97: if ( flags . DLL ) Strcat ( s , "DLL " ) ;
98: if ( flags . UPSystemOnly ) Strcat ( s , "UniprocessorSystemOnly " ) ;
99: if ( flags . BytesReversedLo ) Strcat ( s , "BytesReversedLo " ) ;
100: if ( flags . BytesReversedHi ) Strcat ( s , "BytesReversedHi " ) ;
101: if ( flags . DebugStripped ) Strcat ( s , "NoDebug " ) ;
102: if ( flags . RelocsStripped ) Strcat ( s , "NoRelocs " ) ;
103: if ( flags . LineNumsStripped ) Strcat ( s , "NoLineNums " ) ;
104: if ( flags . LocalSymsStripped ) Strcat ( s , "NoLocalSyms " ) ;
105: if ( flags . _32bitMachine ) Strcat ( s , "32bit " ) ;
106: if ( flags . ExecutableImage ) Strcat ( s , "Executable " ) ;
107: return s ;
108: }
109:
110: typedef struct {
111: MACHINE Machine ;
112: WORD NumberOfSections ;
113: time_t TimeDateStamp ;
114: DWORD PointerToSymbolTable < format = hex > ;
115: DWORD NumberOfSymbols ;
116: WORD SizeOfOptionalHeader ;
117: CHARACTERISTICS Characteristics ;
118: } IMAGE_FILE_HEADER ;
119:
120: typedef enum < WORD > { UNKNOWN = 0 , NATIVE = 1 , WINDOWS_GUI = 2 ,
121: WINDOWS_CONSOLE = 3 , OS2_CONSOLE = 5 , POSIX_CONSOLE = 7 , NATIVE_WIN9X_DRIVER = 8 ,
122: WINDOWS_CE_GUI = 9 , EFI_APPLICATION = 10 , EFI_BOOT_SERVICE_DRIVER = 11 , EFI_RUNTIME_DRIVER = 12 ,
123: EFI_ROM = 13 , XBOX = 14 } SUBSYSTEM ;
124:
125: typedef struct {
126: ushort NOTIFY_DLL_PROCESS_INIT : 1 ;
127: ushort NOTIFY_DLL_PROCESS_TERM : 1 ;
128: ushort NOTIFY_DLL_THREAD_TERM : 1 ;
129: ushort NOTIFY_DLL_THREAD_TERM : 1 ;
130: ushort Reserved : 2 ;
131: ushort DYNAMIC_BASE : 1 ;
132: ushort FORCE_INTEGRITY : 1 ;
133: ushort NX_COMPAT : 1 ;
134: ushort NO_ISOLATION : 1 ;
135: ushort NO_SEH : 1 ;
136: ushort NO_BIND : 1 ;
137: ushort Reserved2 : 1 ;
138: ushort WDM_DRIVER : 1 ;
139: ushort Reserved3 : 1 ;
140: ushort TERMINAL_SERVER_AWARE : 1 ;
141: } DLLCHARACTERISTICS ;
142:
143: typedef struct {
144: DWORD VirtualAddress < format = hex > ;
145: DWORD Size ;
146: } DATA_DIR ;
147:
148: typedef struct {
149: local int len = OptionalHeader . NumberOfRvaAndSizes ;
150: if ( len > 16 )
151: len = 16 ;
152: if ( len > 0 ) DATA_DIR Export ;
153: if ( len > 1 ) DATA_DIR Import ;
154: if ( len > 2 ) DATA_DIR Resource ;
155: if ( len > 3 ) DATA_DIR Exception ;
156: if ( len > 4 ) DATA_DIR Security ;
157: if ( len > 5 ) DATA_DIR BaseRelocationTable ;
158: if ( len > 6 ) DATA_DIR DebugDirectory ;
159: if ( len > 7 ) DATA_DIR CopyrightOrArchitectureSpecificData ;
160: if ( len > 8 ) DATA_DIR GlobalPtr ;
161: if ( len > 9 ) DATA_DIR TLSDirectory ;
162: if ( len > 10 ) DATA_DIR LoadConfigurationDirectory ;
163: if ( len > 11 ) DATA_DIR BoundImportDirectory ;
164: if ( len > 12 ) DATA_DIR ImportAddressTable ;
165: if ( len > 13 ) DATA_DIR DelayLoadImportDescriptors ;
166: if ( len > 14 ) DATA_DIR COMRuntimedescriptor ;
167: if ( len > 15 ) DATA_DIR Reserved ;
168: } IMAGE_DATA_DIRECTORIES ;
169:
170: typedef struct {
171:
172: WORD Magic < format = hex > ;
173: BYTE MajorLinkerVersion ;
174: BYTE MinorLinkerVersion ;
175: DWORD SizeOfCode ;
176: DWORD SizeOfInitializedData ;
177: DWORD SizeOfUninitializedData ;
178: DWORD AddressOfEntryPoint < format = hex > ;
179: DWORD BaseOfCode < format = hex > ;
180: DWORD BaseOfData < format = hex > ;
181:
182: DWORD ImageBase < format = hex > ;
183: DWORD SectionAlignment ;
184: DWORD FileAlignment ;
185: WORD MajorOperatingSystemVersion ;
186: WORD MinorOperatingSystemVersion ;
187: WORD MajorImageVersion ;
188: WORD MinorImageVersion ;
189: WORD MajorSubsystemVersion ;
190: WORD MinorSubsystemVersion ;
191: DWORD Win32VersionValue ;
192: DWORD SizeOfImage ;
193: DWORD SizeOfHeaders ;
194: DWORD CheckSum < format = hex > ;
195: SUBSYSTEM Subsystem ;
196: DLLCHARACTERISTICS DllCharacteristics ;
197: DWORD SizeOfStackReserve ;
198: DWORD SizeOfStackCommit ;
199: DWORD SizeOfHeapReserve ;
200: DWORD SizeOfHeapCommit ;
201: DWORD LoaderFlags ;
202: DWORD NumberOfRvaAndSizes ;
203: IMAGE_DATA_DIRECTORIES DataDirectory ;
204: } IMAGE_OPTIONAL_HEADER32 ;
205:
206: typedef struct {
207: WORD Magic < format = hex > ;
208: BYTE MajorLinkerVersion ;
209: BYTE MinorLinkerVersion ;
210: DWORD SizeOfCode ;
211: DWORD SizeOfInitializedData ;
212: DWORD SizeOfUninitializedData ;
213: DWORD AddressOfEntryPoint < format = hex > ;
214: DWORD BaseOfCode < format = hex > ;
215: quad ImageBase < format = hex > ;
216: DWORD SectionAlignment ;
217: DWORD FileAlignment ;
218: WORD MajorOperatingSystemVersion ;
219: WORD MinorOperatingSystemVersion ;
220: WORD MajorImageVersion ;
221: WORD MinorImageVersion ;
222: WORD MajorSubsystemVersion ;
223: WORD MinorSubsystemVersion ;
224: DWORD Win32VersionValue ;
225: DWORD SizeOfImage ;
226: DWORD SizeOfHeaders ;
227: DWORD CheckSum < format = hex > ;
228: SUBSYSTEM Subsystem ;
229: DLLCHARACTERISTICS DllCharacteristics ;
230: quad SizeOfStackReserve ;
231: quad SizeOfStackCommit ;
232: quad SizeOfHeapReserve ;
233: quad SizeOfHeapCommit ;
234: DWORD LoaderFlags ;
235: DWORD NumberOfRvaAndSizes ;
236: IMAGE_DATA_DIRECTORIES DataDirectory ;
237: } IMAGE_OPTIONAL_HEADER64 ;
238:
239: typedef struct {
240: DWORD PESignature < format = hex > ;
241: if ( PESignature != 0x4550 ) {
242: Warning ( "Not a valid PE file" ) ;
243: return 1 ;
244: }
245: IMAGE_FILE_HEADER FileHeader ;
246: local short OptionalHeaderMagic = ReadShort ( FTell ( ) ) ;
247: if ( OptionalHeaderMagic == 0x10B )
248: IMAGE_OPTIONAL_HEADER32 OptionalHeader ;
249: else if ( OptionalHeaderMagic == 0x20B )
250: IMAGE_OPTIONAL_HEADER64 OptionalHeader ;
251: else {
252: Warning ( "Not a valid PE file %x" , OptionalHeaderMagic ) ;
253: return 1 ;
254: }
255: } IMAGE_NT_HEADERS ;
256:
257: typedef struct {
258: DWORD Reserved : 5 ;
259: DWORD Code : 1 ;
260: DWORD InitializedData : 1 ;
261: DWORD UninitializedData : 1 ;
262: DWORD Reserved2 : 1 ;
263: DWORD LinkerInfoOrComments : 1 ;
264: DWORD Reserved3 : 1 ;
265: DWORD LinkerShouldRemove : 1 ;
266: DWORD CommonBlockData : 1 ;
267: DWORD Reserved4 : 1 ;
268: DWORD NoDeferSpeculativeExceptions : 1 ;
269: DWORD FarData : 1 ;
270: DWORD Reserved5 : 1 ;
271: DWORD PurgeableOr16Bit : 1 ;
272: DWORD Locked : 1 ;
273: DWORD PreLoad : 1 ;
274: DWORD Alignment : 4 ;
275: DWORD ExtendedRelocations : 1 ;
276: DWORD Discardable : 1 ;
277: DWORD NotCachable : 1 ;
278: DWORD NotPageable : 1 ;
279: DWORD Shareable : 1 ;
280: DWORD Executable : 1 ;
281: DWORD Readable : 1 ;
282: DWORD Writeable : 1 ;
283: } SECTION_FLAGS < read = ReadSECTION_FLAGS > ;
284:
285: string ReadSECTION_FLAGS ( SECTION_FLAGS & flags ) {
286: string s = "" ;
287: if ( flags . Code ) Strcat ( s , "Code " ) ;
288: if ( flags . InitializedData ) Strcat ( s , "InitializedData " ) ;
289: if ( flags . UninitializedData ) Strcat ( s , "UninitializedData " ) ;
290: if ( flags . LinkerInfoOrComments ) Strcat ( s , "LinkerInfoOrComments " ) ;
291: if ( flags . LinkerShouldRemove ) Strcat ( s , "LinkerShouldRemove " ) ;
292: if ( flags . CommonBlockData ) Strcat ( s , "CommonBlockData " ) ;
293: if ( flags . NoDeferSpeculativeExceptions ) Strcat ( s , "NoDeferSpeculativeExceptions " ) ;
294: if ( flags . FarData ) Strcat ( s , "FarData " ) ;
295: if ( flags . PurgeableOr16Bit ) Strcat ( s , "PurgeableOr16Bit " ) ;
296: if ( flags . Locked ) Strcat ( s , "Locked " ) ;
297: if ( flags . PreLoad ) Strcat ( s , "PreLoad " ) ;
298: if ( flags . ExtendedRelocations ) Strcat ( s , "ExtendedRelocations " ) ;
299: if ( flags . Discardable ) Strcat ( s , "Discardable " ) ;
300: if ( flags . NotCachable ) Strcat ( s , "NotCachable " ) ;
301: if ( flags . NotPageable ) Strcat ( s , "NotPageable " ) ;
302: if ( flags . Shareable ) Strcat ( s , "Shareable " ) ;
303: if ( flags . Executable ) Strcat ( s , "Executable " ) ;
304: if ( flags . Readable ) Strcat ( s , "Readable " ) ;
305: if ( flags . Writeable ) Strcat ( s , "Writeable " ) ;
306: if ( flags . Alignment ) {
307: string p ;
308: SPrintf ( p , "Alignment: %g" , Pow ( 2 , flags . Alignment - 1 ) ) ;
309: Strcat ( s , p ) ;
310: }
311: return s ;
312: }
313:
314: typedef struct {
315: BYTE Name [ 8 ] ;
316: DWORD VirtualSize ;
317: DWORD VirtualAddress < format = hex > ;
318: DWORD SizeOfRawData ;
319: DWORD PointerToRawData < format = hex > ;
320: DWORD NonUsedPointerToRelocations ;
321: DWORD NonUsedPointerToLinenumbers ;
322: WORD NonUsedNumberOfRelocations ;
323: WORD NonUsedNumberOfLinenumbers ;
324: SECTION_FLAGS Characteristics ;
325: } IMAGE_SECTION_HEADER < read = ReadIMAGE_SECTION_HEADER > ;
326:
327: string ReadIMAGE_SECTION_HEADER ( IMAGE_SECTION_HEADER & sect ) {
328: if ( exists ( sect . Name ) )
329: return sect . Name ;
330: else
331: return "" ;
332: }
333:
334:
335: IMAGE_DOS_HEADER dos_header ;
336: FSeek ( dos_header . HeaderSizeInParagraphs * 16 ) ;
337: local int dosstubsize = dos_header . FileSizeInPages * 512 ;
338: if ( dos_header . UsedBytesInTheLastPage )
339: dosstubsize -= ( 512 - dos_header . UsedBytesInTheLastPage ) ;
340: if ( dosstubsize > dos_header . AddressOfNewExeHeader )
341: dosstubsize = dos_header . AddressOfNewExeHeader ;
342: dosstubsize -= dos_header . HeaderSizeInParagraphs * 16 ;
343: local quad richpos ;
344: local quad richstart , richsize = 0 ;
345: if ( ( richpos = FindFirst ( "Rich" , true , false , false , 0 . 0 , 1 , FTell ( ) , dosstubsize ) ) > 0 &&
346: ( ReadUInt ( richpos - 4 ) & 0xFFFFFF00 ) == ( ReadUInt ( richpos + 4 ) & 0xFFFFFF00 ) ) {
347: local int a = 0 ;
348: local quad save = FTell ( ) ;
349: FSeek ( richpos ) ;
350: richstart = FindFirst ( a , true , false , false , 0 . 0 , 0 , FTell ( ) , richpos - FTell ( ) ) ;
351: FSeek ( save ) ;
352: richpos += 8 ;
353: richstart += 4 ;
354: richsize = richpos - richstart ;
355: dosstubsize = richstart - FTell ( ) ;
356: }
357: if ( dosstubsize > 0 )
358: UCHAR doscode [ dosstubsize ] ;
359: if ( richsize > 0 ) {
360: FSeek ( richstart ) ;
361: DWORD MSlinkerSignatureRich [ richsize / 4 ] < format = hex > ;
362: }
363:
364: if ( dos_header . NumberOfRelocationItems ) {
365: FSeek ( dos_header . AddressOfRelocationTable ) ;
366: if ( FileSize ( ) - FTell ( ) >= dos_header . NumberOfRelocationItems *
367: sizeof ( DOS_RELOCATION_TABLE_ITEM ) )
368: DOS_RELOCATION_TABLE_ITEM relocation_items [ dos_header . NumberOfRelocationItems ] ;
369: }
370:
371: FSeek ( dos_header . AddressOfNewExeHeader ) ;
372: IMAGE_NT_HEADERS nt_headers ;
373: FSeek ( dos_header . AddressOfNewExeHeader + sizeof ( DWORD ) + sizeof ( IMAGE_FILE_HEADER ) +
374: nt_headers . FileHeader . SizeOfOptionalHeader ) ;
375: IMAGE_SECTION_HEADER sections_table [ nt_headers . FileHeader . NumberOfSections ] ;
376: local int sectend = FTell ( ) ;
377: local int i , max = 0 ;
378: for ( i = 0 ; i < nt_headers . FileHeader . NumberOfSections ; ++ i )
379: if ( sections_table [ i ] . PointerToRawData && sections_table [ i ] . SizeOfRawData ) {
380: FSeek ( sections_table [ i ] . PointerToRawData ) ;
381: if ( 0 == Strcmp ( sections_table [ i ] . Name , ".text" ) && ! exists ( textsection ) )
382: BYTE textsection [ sections_table [ i ] . SizeOfRawData ] ;
383: else if ( 0 == Strcmp ( sections_table [ i ] . Name , ".data" ) && ! exists ( datasection ) )
384: BYTE datasection [ sections_table [ i ] . SizeOfRawData ] ;
385: else if ( 0 == Strcmp ( sections_table [ i ] . Name , ".rsrc" ) && ! exists ( rsrcsection ) )
386: BYTE rsrcsection [ sections_table [ i ] . SizeOfRawData ] ;
387: else if ( 0 == Strcmp ( sections_table [ i ] . Name , ".idata" ) && ! exists ( idatasection ) )
388: BYTE idatasection [ sections_table [ i ] . SizeOfRawData ] ;
389: else if ( 0 == Strcmp ( sections_table [ i ] . Name , ".rdata" ) && ! exists ( rdatasection ) )
390: BYTE rdatasection [ sections_table [ i ] . SizeOfRawData ] ;
391: else if ( 0 == Strcmp ( sections_table [ i ] . Name , ".pdata" ) && ! exists ( pdatasection ) )
392: BYTE pdatasection [ sections_table [ i ] . SizeOfRawData ] ;
393: else if ( 0 == Strcmp ( sections_table [ i ] . Name , ".reloc" ) && ! exists ( relocsection ) )
394: BYTE relocsection [ sections_table [ i ] . SizeOfRawData ] ;
395: else if ( 0 == Strcmp ( sections_table [ i ] . Name , ".edata" ) && ! exists ( edatasection ) )
396: BYTE edatasection [ sections_table [ i ] . SizeOfRawData ] ;
397: else if ( 0 == Strcmp ( sections_table [ i ] . Name , ".tls" ) && ! exists ( tlssection ) )
398: BYTE tlssection [ sections_table [ i ] . SizeOfRawData ] ;
399: else if ( ( 0 == Strcmp ( sections_table [ i ] . Name , "CODE" ) ||
400: 0 == Strcmp ( sections_table [ i ] . Name , ".code" ) ) && ! exists ( codesection ) )
401: BYTE codesection [ sections_table [ i ] . SizeOfRawData ] ;
402:
403: else if ( 0 == Strcmp ( sections_table [ i ] . Name , "DATA" ) && ! exists ( datasection ) )
404: BYTE datasection [ sections_table [ i ] . SizeOfRawData ] ;
405: else if ( 0 == Strcmp ( SubStr ( sections_table [ i ] . Name , 0 , 3 ) , "UPX" ) && ! exists ( upxsection ) )
406: BYTE upxsection [ sections_table [ i ] . SizeOfRawData ] ;
407: else if ( 0 == Strcmp ( sections_table [ i ] . Name , ".flat" ) && ! exists ( fasmsection ) )
408: BYTE fasmsection [ sections_table [ i ] . SizeOfRawData ] ;
409: else if ( 0 == Strcmp ( sections_table [ i ] . Name , ".aspack" ) && ! exists ( aspacksection ) )
410: BYTE aspacksection [ sections_table [ i ] . SizeOfRawData ] ;
411: else
412: struct {
413: BYTE sectiondata [ sections_table [ i ] . SizeOfRawData ] ;
414: } section ;
415: if ( sections_table [ i ] . PointerToRawData + sections_table [ i ] . SizeOfRawData > max )
416: max = sections_table [ i ] . PointerToRawData + sections_table [ i ] . SizeOfRawData ;
417: }
418: if ( max < FileSize ( ) ) {
419: BYTE Overlay [ FileSize ( ) - max ] ;
420: } tok_eof
View Git Blame Copy Permalink