btparser/cparser/tests/exp_lex/PETemplate.bt


1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17: typedef QWORD ULONGLONG ;
18:
19: typedef struct _IMAGE_DOS_HEADER
20: {
21: WORD e_magic < format = hex , comment = "IMAGE_DOS_SIGNATURE = 0x5A4D" > ;
22: WORD e_cblp < comment = "Bytes on last page of file" > ;
23: WORD e_cp < comment = "Pages in file" > ;
24: WORD e_crlc < comment = "Relocations" > ;
25: WORD e_cparhdr < comment = "Size of header in paragraphs" > ;
26: WORD e_minalloc < comment = "Minimum extra paragraphs needed" > ;
27: WORD e_maxalloc < comment = "Maximum extra paragraphs needed" > ;
28: WORD e_ss < comment = "Initial (relative) SS value" > ;
29: WORD e_sp < comment = "Initial SP value" > ;
30: WORD e_csum < comment = "Checksum" > ;
31: WORD e_ip < comment = "Initial IP value" > ;
32: WORD e_cs < comment = "Initial (relative) CS value" > ;
33: WORD e_lfarlc < comment = "File address of relocation table" > ;
34: WORD e_ovno < comment = "Overlay number" > ;
35: WORD e_res [ 4 ] < comment = "Reserved words" > ;
36: WORD e_oemid < comment = "OEM identifier (for e_oeminfo)" > ;
37: WORD e_oeminfo < comment = "OEM information; e_oemid specific" > ;
38: WORD e_res2 [ 10 ] < comment = "Reserved words" > ;
39: LONG e_lfanew < fgcolor = cPurple , format = hex , comment = "NtHeader Offset" > ;
40: } IMAGE_DOS_HEADER ;
41:
42: typedef enum < WORD > _IMAGE_MACHINE
43: {
44: IMAGE_MACHINE_UNKNOWN = 0 ,
45: I386 = 0x14C ,
46: R3000 = 0x162 ,
47: R4000 = 0x166 ,
48: R10000 = 0x168 ,
49: WCEMIPSV2 = 0x169 ,
50: ALPHA = 0x184 ,
51: SH3 = 0x1A2 ,
52: SH3DSP = 0x1A3 ,
53: SH3E = 0x1A4 ,
54: SH4 = 0x1A6 ,
55: SH5 = 0x1A8 ,
56: ARM = 0x1C0 ,
57: THUMB = 0x1C2 ,
58: AM33 = 0x1D3 ,
59: POWERPC = 0x1F0 ,
60: POWERPCFP = 0x1F1 ,
61: IA64 = 0x200 ,
62: MIPS16 = 0x266 ,
63: ALPHA64 = 0x284 ,
64: MIPSFPU = 0x366 ,
65: MIPSFPU16 = 0x466 ,
66: TRICORE = 0x520 ,
67: CEF = 0xCEF ,
68: EBC = 0xEBC ,
69: AMD64 = 0x8664 ,
70: M32R = 0x9041 ,
71: CEE = 0xC0EE
72: } IMAGE_MACHINE < comment = "WORD" > ;
73:
74:
75: typedef struct _FILE_CHARACTERISTICS
76: {
77: WORD IMAGE_FILE_RELOCS_STRIPPED : 1 < comment = "0x0001 Relocation info stripped from file" > ;
78: WORD IMAGE_FILE_EXECUTABLE_IMAGE : 1 < comment = "0x0002 File is executable" > ;
79: WORD IMAGE_FILE_LINE_NUMS_STRIPPED : 1 < comment = "0x0004 Line nunbers stripped from file" > ;
80: WORD IMAGE_FILE_LOCAL_SYMS_STRIPPED : 1 < comment = "0x0008 Local symbols stripped from file" > ;
81: WORD IMAGE_FILE_AGGRESIVE_WS_TRIM : 1 < comment = "0x0010 Agressively trim working set" > ;
82: WORD IMAGE_FILE_LARGE_ADDRESS_AWARE : 1 < comment = "0x0020 App can handle >2gb addresses" > ;
83: WORD : 1 < comment = "0x0040 Reserved" , hidden = true > ;
84: WORD IMAGE_FILE_BYTES_REVERSED_LO : 1 < comment = "0x0080 Bytes of machine word are reversed" > ;
85: WORD IMAGE_FILE_32BIT_MACHINE : 1 < comment = "0x0100 32 bit word machine" > ;
86: WORD IMAGE_FILE_DEBUG_STRIPPED : 1 < comment = "0x0200 Debugging info stripped from file in .DBG file" > ;
87: WORD IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP : 1 < comment = "0x0400 If Image is on removable media, copy and run from the swap file" > ;
88: WORD IMAGE_FILE_NET_RUN_FROM_SWAP : 1 < comment = "0x0800 If Image is on Net, copy and run from the swap file" > ;
89: WORD IMAGE_FILE_SYSTEM : 1 < comment = "0x1000 System File" > ;
90: WORD IMAGE_FILE_DLL : 1 < comment = "0x2000 File is a DLL" > ;
91: WORD IMAGE_FILE_UP_SYSTEM_ONLY : 1 < comment = "0x4000 File should only be run on a UP machine" > ;
92: WORD IMAGE_FILE_BYTES_REVERSED_HI : 1 < comment = "0x8000 Bytes of machine word are reversed" > ;
93: } FILE_CHARACTERISTICS < comment = "WORD" > ;
94:
95: typedef struct _IMAGE_FILE_HEADER
96: {
97: IMAGE_MACHINE Machine < fgcolor = cPurple , format = hex , comment = "WORD" > ;
98: WORD NumberOfSections < fgcolor = cBlue , comment = "Section num" > ;
99: time_t TimeDateStamp < format = hex , comment = "DWORD,from 01/01/1970 12:00 AM" > ;
100: DWORD PointerToSymbolTable ;
101: DWORD NumberOfSymbols ;
102: WORD SizeOfOptionalHeader ;
103: FILE_CHARACTERISTICS Characteristics < comment = "WORD" > ;
104: } IMAGE_FILE_HEADER ;
105:
106: typedef struct _IMAGE_DATA_DIRECTORY
107: {
108: DWORD VirtualAddress < format = hex , comment = CommentRVA2FOA > ;
109: DWORD Size ;
110: } IMAGE_DATA_DIRECTORY ;
111:
112: typedef struct _IMAGE_DATA_DIRECTORY_ARRAY
113: {
114: IMAGE_DATA_DIRECTORY DataDir0 < comment = "IMAGE_DIRECTORY_ENTRY_EXPORT" > ;
115: IMAGE_DATA_DIRECTORY DataDir1 < fgcolor = cPurple , comment = "IMAGE_DIRECTORY_ENTRY_IMPORT" > ;
116: IMAGE_DATA_DIRECTORY DataDir2 < comment = "IMAGE_DIRECTORY_ENTRY_RESOURCE" > ;
117: IMAGE_DATA_DIRECTORY DataDir3 < comment = "IMAGE_DIRECTORY_ENTRY_EXCEPTION" > ;
118: IMAGE_DATA_DIRECTORY DataDir4 < comment = "IMAGE_DIRECTORY_ENTRY_SECURITY" > ;
119: IMAGE_DATA_DIRECTORY DataDir5 < fgcolor = cPurple , comment = "IMAGE_DIRECTORY_ENTRY_BASERELOC" > ;
120: IMAGE_DATA_DIRECTORY DataDir6 < comment = "IMAGE_DIRECTORY_ENTRY_DEBUG" > ;
121: IMAGE_DATA_DIRECTORY DataDir7 < comment = "IMAGE_DIRECTORY_ENTRY_ARCHITECTURE" > ;
122: IMAGE_DATA_DIRECTORY DataDir8 < comment = "IMAGE_DIRECTORY_ENTRY_GLOBALPTR" > ;
123: IMAGE_DATA_DIRECTORY DataDir9 < comment = "IMAGE_DIRECTORY_ENTRY_TLS" > ;
124: IMAGE_DATA_DIRECTORY DataDir10 < comment = "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG" > ;
125: IMAGE_DATA_DIRECTORY DataDir11 < comment = "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT" > ;
126: IMAGE_DATA_DIRECTORY DataDir12 < fgcolor = cPurple , comment = "IMAGE_DIRECTORY_ENTRY_IAT" > ;
127: IMAGE_DATA_DIRECTORY DataDir13 < comment = "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT" > ;
128: IMAGE_DATA_DIRECTORY DataDir14 < comment = "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR" > ;
129: IMAGE_DATA_DIRECTORY DataDir15 < comment = "System Reserved" > ;
130: } IMAGE_DATA_DIRECTORY_ARRAY ;
131:
132: typedef enum < WORD > _IMAGE_SUBSYSTEM
133: {
134: IMAGE_SUBSYSTEM_UNKNOWN = 0 ,
135: NATIVE = 1 ,
136: WINDOWS_GUI = 2 ,
137: WINDOWS_CUI = 3 ,
138: OS2_CUI = 5 ,
139: POSIX_CUI = 7 ,
140: NATIVE_WINDOWS = 8 ,
141: WINDOWS_CE_GUI = 9 ,
142: EFI_APPLICATION = 10 ,
143: EFI_BOOT_SERVICE_DRIVER = 11 ,
144: EFI_RUNTIME_DRIVER = 12 ,
145: EFI_ROM = 13 ,
146: XBOX = 14 ,
147: WINDOWS_BOOT_APPLICATION = 16
148: } IMAGE_SUBSYSTEM < comment = "WORD" > ;
149:
150: typedef struct _DLL_CHARACTERISTICS
151: {
152: WORD IMAGE_LIBRARY_PROCESS_INIT : 1 < comment = "0x0001 Reserved" , hidden = true > ;
153: WORD IMAGE_LIBRARY_PROCESS_TERM : 1 < comment = "0x0002 Reserved" , hidden = true > ;
154: WORD IMAGE_LIBRARY_THREAD_INIT : 1 < comment = "0x0004 Reserved" , hidden = true > ;
155: WORD IMAGE_LIBRARY_THREAD_TERM : 1 < comment = "0x0008 Reserved" , hidden = true > ;
156: WORD : 2 < comment = "0x0010,0x0020" , hidden = true > ;
157: WORD IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE : 1 < comment = "0x0040" > ;
158: WORD IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY : 1 < comment = "0x0080" > ;
159: WORD IMAGE_DLLCHARACTERISTICS_NX_COMPAT : 1 < comment = "0x0100" > ;
160: WORD IMAGE_DLLCHARACTERISTICS_NO_ISOLATION : 1 < comment = "0x0200" > ;
161: WORD IMAGE_DLLCHARACTERISTICS_NO_SEH : 1 < comment = "0x0400" > ;
162: WORD IMAGE_DLLCHARACTERISTICS_NO_BIND : 1 < comment = "0x0800" > ;
163: WORD : 1 < comment = "0x1000" , hidden = true > ;
164: WORD IMAGE_DLLCHARACTERISTICS_WDM_DRIVER : 1 < comment = "0x2000" > ;
165: WORD : 1 < comment = "0x4000" , hidden = true > ;
166: WORD IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE : 1 < comment = "0x8000" > ;
167: } DLL_CHARACTERISTICS < comment = "WORD" > ;
168:
169: typedef enum < WORD > _OPTIONAL_MAGIC
170: {
171: PE32 = 0x10B ,
172: PE64 = 0x20B ,
173: ROM = 0x107
174: } OPTIONAL_MAGIC < comment = "WORD" > ;
175:
176: typedef struct _IMAGE_OPTIONAL_HEADER32
177: {
178: OPTIONAL_MAGIC Magic < format = hex > ;
179: BYTE MajorLinkerVersion ;
180: BYTE MinorLinkerVersion ;
181: DWORD SizeOfCode < format = hex > ;
182: DWORD SizeOfInitializedData ;
183: DWORD SizeOfUninitializedData ;
184: DWORD AddressOfEntryPoint < fgcolor = cPurple , format = hex , comment = CommentRVA2FOA > ;
185: DWORD BaseOfCode < format = hex , comment = CommentRVA2FOA > ;
186: DWORD BaseOfData < format = hex , comment = CommentRVA2FOA > ;
187: DWORD ImageBase < format = hex > ;
188: DWORD SectionAlignment < format = hex > ;
189: DWORD FileAlignment < format = hex > ;
190: WORD MajorOperatingSystemVersion ;
191: WORD MinorOperatingSystemVersion ;
192: WORD MajorImageVersion ;
193: WORD MinorImageVersion ;
194: WORD MajorSubsystemVersion ;
195: WORD MinorSubsystemVersion ;
196: DWORD Win32VersionValue ;
197: DWORD SizeOfImage < format = hex > ;
198: DWORD SizeOfHeaders < format = hex > ;
199: DWORD CheckSum < format = hex > ;
200: IMAGE_SUBSYSTEM Subsystem ;
201: DLL_CHARACTERISTICS DllCharacteristics ;
202: DWORD SizeOfStackReserve < format = hex > ;
203: DWORD SizeOfStackCommit < format = hex > ;
204: DWORD SizeOfHeapReserve < format = hex > ;
205: DWORD SizeOfHeapCommit < format = hex > ;
206: DWORD LoaderFlags ;
207: DWORD NumberOfRvaAndSizes ;
208: IMAGE_DATA_DIRECTORY_ARRAY DataDirArray ;
209: } IMAGE_OPTIONAL_HEADER32 ;
210:
211: typedef struct _IMAGE_OPTIONAL_HEADER64
212: {
213: OPTIONAL_MAGIC Magic < format = hex > ;
214: BYTE MajorLinkerVersion ;
215: BYTE MinorLinkerVersion ;
216: DWORD SizeOfCode ;
217: DWORD SizeOfInitializedData ;
218: DWORD SizeOfUninitializedData ;
219: DWORD AddressOfEntryPoint < format = hex , comment = CommentRVA2FOA > ;
220: DWORD BaseOfCode < format = hex > ;
221: ULONGLONG ImageBase < format = hex > ;
222: DWORD SectionAlignment ;
223: DWORD FileAlignment ;
224: WORD MajorOperatingSystemVersion ;
225: WORD MinorOperatingSystemVersion ;
226: WORD MajorImageVersion ;
227: WORD MinorImageVersion ;
228: WORD MajorSubsystemVersion ;
229: WORD MinorSubsystemVersion ;
230: DWORD Win32VersionValue ;
231: DWORD SizeOfImage < format = hex > ;
232: DWORD SizeOfHeaders ;
233: DWORD CheckSum ;
234: IMAGE_SUBSYSTEM Subsystem ;
235: DLL_CHARACTERISTICS DllCharacteristics ;
236: ULONGLONG SizeOfStackReserve < format = hex > ;
237: ULONGLONG SizeOfStackCommit < format = hex > ;
238: ULONGLONG SizeOfHeapReserve < format = hex > ;
239: ULONGLONG SizeOfHeapCommit < format = hex > ;
240: DWORD LoaderFlags ;
241: DWORD NumberOfRvaAndSizes ;
242: IMAGE_DATA_DIRECTORY_ARRAY DataDirArray ;
243: } IMAGE_OPTIONAL_HEADER64 ;
244:
245: typedef struct _IMAGE_NT_HEADERS
246: {
247: DWORD Signature < format = hex , comment = "IMAGE_NT_SIGNATURE = 0x00004550" > ;
248: IMAGE_FILE_HEADER FileHeader ;
249:
250: local WORD OptionalHeaderMagic = ReadShort ( FTell ( ) ) ;
251:
252: if ( 0x10B == OptionalHeaderMagic )
253: {
254: IMAGE_OPTIONAL_HEADER32 OptionalHeader ;
255: }
256: else if ( 0x20B == OptionalHeaderMagic )
257: {
258: IMAGE_OPTIONAL_HEADER64 OptionalHeader ;
259: }
260: else
261: {
262: Printf ( "not valid Optional header magic %x.\n" , OptionalHeaderMagic ) ;
263: return 1 ;
264: }
265: } IMAGE_NT_HEADERS < size = CalcImageNtHeadersSize > ;
266:
267: int CalcImageNtHeadersSize ( IMAGE_NT_HEADERS & stNtHeader )
268: {
269: local WORD OptionalHeaderMagic = ReadShort ( startof ( stNtHeader ) + sizeof ( DWORD ) + sizeof ( IMAGE_FILE_HEADER ) ) ;
270:
271: if ( 0x10B == OptionalHeaderMagic )
272: {
273: Printf ( "PE32\n" ) ;
274: return 0xF8 ;
275: }
276: else if ( 0x20B == OptionalHeaderMagic )
277: {
278: Printf ( "PE64\n" ) ;
279: return 0x108 ;
280: }
281: else
282: {
283: return sizeof ( DWORD ) + sizeof ( IMAGE_FILE_HEADER ) + 0 ;
284: }
285: return 0 ;
286: }
287:
288: typedef struct _SECTION_CHARACTERISTICS
289: {
290: ULONG IMAGE_SCN_TYPE_DSECT : 1 < hidden = true , comment = "0x00000001 Reserved" > ;
291: ULONG IMAGE_SCN_TYPE_NOLOAD : 1 < hidden = true , comment = "0x00000002 Reserved" > ;
292: ULONG IMAGE_SCN_TYPE_GROUP : 1 < hidden = true , comment = "0x00000004 Reserved" > ;
293: ULONG IMAGE_SCN_TYPE_NO_PAD : 1 < comment = "0x00000008 Reserved" > ;
294: ULONG IMAGE_SCN_TYPE_COPY : 1 < hidden = true , comment = "0x00000010 Reserved" > ;
295:
296: ULONG IMAGE_SCN_CNT_CODE : 1 < comment = "0x00000020 Section contains code" > ;
297: ULONG IMAGE_SCN_CNT_INITIALIZED_DATA : 1 < comment = "0x00000040 Section contains initialized data" > ;
298: ULONG IMAGE_SCN_CNT_UNINITIALIZED_DATA : 1 < comment = "0x00000080 Section contains uninitialized data" > ;
299:
300: ULONG IMAGE_SCN_LNK_OTHER : 1 < comment = "0x00000100 Reserved" > ;
301: ULONG IMAGE_SCN_LNK_INFO : 1 < comment = "0x00000200 Section contains comments or some other type of information" > ;
302: ULONG IMAGE_SCN_TYPE_OVER : 1 < hidden = true , comment = "0x00000400 Reserved" > ;
303: ULONG IMAGE_SCN_LNK_REMOVE : 1 < comment = "0x00000800 Section contents will not become part of image" > ;
304: ULONG IMAGE_SCN_LNK_COMDAT : 1 < comment = "0x00001000 Section contents comdat" > ;
305: ULONG : 1 < comment = "0x00002000 Reserved" > ;
306: ULONG IMAGE_SCN_NO_DEFER_SPEC_EXC : 1 < hidden = true , comment = "0x00004000 Reset speculative exceptions handling bits in the TLB entries for this section." > ;
307: ULONG IMAGE_SCN_GPREL : 1 < comment = "0x00008000 Section content can be accessed relative to GP" > ;
308: ULONG IMAGE_SCN_MEM_SYSHEAP : 1 < hidden = true , comment = "0x00010000 Obsolete" > ;
309: ULONG IMAGE_SCN_MEM_16BIT : 1 < comment = "0x00020000" > ;
310: ULONG IMAGE_SCN_MEM_LOCKED : 1 < comment = "0x00040000 " > ;
311: ULONG IMAGE_SCN_MEM_PRELOAD : 1 < comment = "0x00080000" > ;
312:
313: ULONG IMAGE_SCN_ALIGN_1BYTES : 1 < comment = "0x00100000" > ;
314: ULONG IMAGE_SCN_ALIGN_2BYTES : 1 < comment = "0x00200000" > ;
315: ULONG IMAGE_SCN_ALIGN_8BYTES : 1 < comment = "0x00400000" > ;
316: ULONG IMAGE_SCN_ALIGN_128BYTES : 1 < comment = "0x00800000" > ;
317:
318: ULONG IMAGE_SCN_LNK_NRELOC_OVFL : 1 < comment = "0x01000000 Section contains extended relocations" > ;
319: ULONG IMAGE_SCN_MEM_DISCARDABLE : 1 < comment = "0x02000000 Section can be discarded." > ;
320: ULONG IMAGE_SCN_MEM_NOT_CACHED : 1 < comment = "0x04000000 Section is not cachable" > ;
321: ULONG IMAGE_SCN_MEM_NOT_PAGED : 1 < comment = "0x08000000 Section is not pageable." > ;
322: ULONG IMAGE_SCN_MEM_SHARED : 1 < comment = "0x10000000 Section is shareable" > ;
323: ULONG IMAGE_SCN_MEM_EXECUTE : 1 < comment = "0x20000000 Section is executable" > ;
324: ULONG IMAGE_SCN_MEM_READ : 1 < comment = "0x40000000 Section is readable" > ;
325: ULONG IMAGE_SCN_MEM_WRITE : 1 < comment = "0x80000000 Section is writeable" > ;
326: } SECTION_CHARACTERISTICS ;
327:
328: typedef struct _IMAGE_SECTION_HEADER
329: {
330: BYTE Name [ 8 ] < comment = "can end without zero" > ;
331: union {
332: DWORD PhysicalAddress ;
333: DWORD VirtualSize ;
334: } Misc ;
335: DWORD VirtualAddress < format = hex > ;
336: DWORD SizeOfRawData < format = hex > ;
337: DWORD PointerToRawData < format = hex > ;
338: DWORD PointerToRelocations < format = hex > ;
339: DWORD PointerToLinenumbers ;
340: WORD NumberOfRelocations ;
341: WORD NumberOfLinenumbers ;
342: SECTION_CHARACTERISTICS Characteristics < format = hex > ;
343: } IMAGE_SECTION_HEADER ;
344:
345: typedef struct _IMAGE_SECTION_DATA ( IMAGE_SECTION_HEADER & SecHeader )
346: {
347: local string sSecName = SecHeader . Name ;
348:
349: UCHAR Data [ SecHeader . SizeOfRawData ] ;
350: } IMAGE_SECTION_DATA < comment = commentSectionData > ;
351:
352: string commentSectionData ( IMAGE_SECTION_DATA & SecData )
353: {
354: return SecData . sSecName ;
355: }
356:
357: typedef struct _IMAGE_IMPORT_BY_NAME ( int nNameLen )
358: {
359: WORD Hint ;
360: BYTE Name [ nNameLen ] ;
361: } IMAGE_IMPORT_BY_NAME < comment = commentImageImportByName > ;
362:
363: string commentImageImportByName ( IMAGE_IMPORT_BY_NAME & ImportByName )
364: {
365: return ImportByName . Name ;
366: }
367:
368: typedef struct _IMAGE_IMPORT_DESCRIPTOR
369: {
370: local int nNameIndex = 0 ;
371: local ULONG ulThrunk = 0 ;
372: local int nNameLen = 0 ;
373: local string sDllName = "" ;
374: local ULONG ulOriginalFirstThunkFOA = 0 ;
375:
376: union
377: {
378: ULONG Characteristics ;
379: ULONG OriginalFirstThunk < format = hex , comment = CommentRVA2FOA > ;
380: } DUMMYUNIONNAME ;
381:
382: ULONG TimeDateStamp < comment = "0 if not bound" > ;
383: ULONG ForwarderChain < comment = "-1 if no forwarders" > ;
384: ULONG Name < format = hex , comment = CommentRVAString > ;
385: ULONG FirstThunk < format = hex , comment = CommentRVA2FOA > ;
386:
387:
388: ulOriginalFirstThunkFOA = RVA2FOA ( DUMMYUNIONNAME . OriginalFirstThunk ) ;
389: if ( ( 0x20B == NtHeader . OptionalHeader . Magic ) )
390: {
391:
392: }
393: else
394: {
395: nNameIndex = 0 ;
396: while ( 1 )
397: {
398: ulThrunk = ReadUInt ( ulOriginalFirstThunkFOA + 4 * nNameIndex ) ;
399: if ( 0 == ulThrunk )
400: {
401: break ;
402: }
403:
404: if ( ulThrunk & 0x80000000 )
405: {
406: Printf ( "mport by order \n" ) ;
407: }
408: else
409: {
410: nNameLen = Strlen ( ReadString ( RVA2FOA ( ulThrunk ) + sizeof ( WORD ) ) ) ;
411: if ( 0 != nNameLen )
412: {
413: FSeek ( RVA2FOA ( ulThrunk ) ) ;
414: IMAGE_IMPORT_BY_NAME ImportByName ( nNameLen + 1 ) < open = false > ;
415: }
416: }
417: nNameIndex ++ ;
418: }
419: }
420: } IMAGE_IMPORT_DESCRIPTOR < comment = commentImageImportDescriptor > ;
421:
422: string commentImageImportDescriptor ( IMAGE_IMPORT_DESCRIPTOR & ImportDescriptor )
423: {
424: return ReadString ( RVA2FOA ( ImportDescriptor . Name ) ) ;
425: }
426:
427: typedef struct _IMAGE_EXPORT_BY_NAME ( string & sExportFuncName , ULONG ulDestRVA , string & sJmpName )
428: {
429: local ULONG ulLocalDestRVA = ulDestRVA ;
430: local string sLocalJmpName = sJmpName ;
431:
432: char Function [ Strlen ( sExportFuncName ) ] ;
433: } IMAGE_EXPORT_BY_NAME < read = ReadExportByName , comment = commentExportByName > ;
434:
435: string ReadExportByName ( IMAGE_EXPORT_BY_NAME & ExportByName )
436: {
437: return ExportByName . Function ;
438: }
439:
440: string commentExportByName ( IMAGE_EXPORT_BY_NAME & ExportByName )
441: {
442: local string sComment = "" ;
443:
444: if ( 0 == Strlen ( ExportByName . sLocalJmpName ) )
445: {
446: SPrintf ( sComment , "0x%X" , ExportByName . ulLocalDestRVA ) ;
447: }
448: else
449: {
450: SPrintf ( sComment , "%s" , ExportByName . sLocalJmpName ) ;
451: }
452:
453: return sComment ;
454: }
455:
456: typedef struct _IMAGE_EXPORT_DIRECTORY {
457: DWORD Characteristics ;
458: time_t TimeDateStamp ;
459: WORD MajorVersion ;
460: WORD MinorVersion ;
461: DWORD Name < format = hex , comment = CommentRVAString > ;
462: DWORD Base ;
463: DWORD NumberOfFunctions ;
464: DWORD NumberOfNames ;
465: DWORD AddressOfFunctions < format = hex , comment = CommentRVA2FOA > ;
466: DWORD AddressOfNames < format = hex , comment = CommentRVA2FOA > ;
467: DWORD AddressOfNameOrdinals < format = hex , comment = CommentRVA2FOA > ;
468:
469: local int nIndex = 0 ;
470: local ULONG NameArrayFOA = 0 ;
471: local ULONG OrdinalArrayFOA = 0 ;
472: local ULONG FuncArrayFOA = 0 ;
473: local ULONG ulNameRVA = 0 ;
474: local ULONG ulNameFOA = 0 ;
475: local ULONG ulFuncRVA = 0 ;
476: local WORD wOrdinal = 0 ;
477:
478: local string sExportName = "" ;
479: local string sJmpName = "" ;
480:
481:
482: NameArrayFOA = RVA2FOA ( ExportDir . AddressOfNames ) ;
483: OrdinalArrayFOA = RVA2FOA ( ExportDir . AddressOfNameOrdinals ) ;
484: FuncArrayFOA = RVA2FOA ( ExportDir . AddressOfFunctions ) ;
485:
486: for ( nIndex = 0 ; nIndex < ExportDir . NumberOfNames ; nIndex ++ )
487: {
488: ulNameRVA = ReadUInt ( NameArrayFOA + nIndex * sizeof ( ULONG ) ) ;
489: ulNameFOA = RVA2FOA ( ulNameRVA ) ;
490: sExportName = ReadString ( ulNameFOA ) ;
491:
492: if ( 0 != Strlen ( sExportName ) )
493: {
494: wOrdinal = ReadUShort ( OrdinalArrayFOA + nIndex * sizeof ( USHORT ) ) ;
495: ulFuncRVA = ReadUInt ( FuncArrayFOA + wOrdinal * sizeof ( ULONG ) ) ;
496:
497: if ( ( ulFuncRVA > NtHeader . OptionalHeader . DataDirArray . DataDir0 . VirtualAddress ) &&
498: ( ulFuncRVA < NtHeader . OptionalHeader . DataDirArray . DataDir0 . VirtualAddress + NtHeader . OptionalHeader . DataDirArray . DataDir0 . Size ) )
499: {
500:
501:
502: sJmpName = ReadString ( RVA2FOA ( ulFuncRVA ) ) ;
503: FSeek ( ulNameFOA ) ;
504: IMAGE_EXPORT_BY_NAME ExportByName ( sExportName , ulFuncRVA , sJmpName ) ;
505: }
506: else
507: {
508:
509: sJmpName = "" ;
510: FSeek ( ulNameFOA ) ;
511: IMAGE_EXPORT_BY_NAME ExportByName ( sExportName , ulFuncRVA , sJmpName ) ;
512: }
513: }
514: }
515: } IMAGE_EXPORT_DIRECTORY < comment = commentExportDirectory > ;
516:
517: string commentExportDirectory ( IMAGE_EXPORT_DIRECTORY & ExportDir )
518: {
519: return ReadString ( RVA2FOA ( ExportDir . Name ) ) ;
520: }
521:
522: ULONG RVA2FOA ( ULONG ulRVA )
523: {
524: local int i = 0 ;
525:
526: for ( i = 0 ; i < NtHeader . FileHeader . NumberOfSections ; i ++ )
527: {
528: if ( ( ulRVA >= SectionHeaders [ i ] . VirtualAddress ) && ( ulRVA <= SectionHeaders [ i ] . VirtualAddress + SectionHeaders [ i ] . SizeOfRawData ) )
529: {
530: return SectionHeaders [ i ] . PointerToRawData + ( ulRVA - SectionHeaders [ i ] . VirtualAddress ) ;
531: }
532: }
533: return 0 ;
534: }
535:
536: string LocationRVA ( ULONG ulRVA )
537: {
538: local int i = 0 ;
539:
540: for ( i = 0 ; i < NtHeader . FileHeader . NumberOfSections ; i ++ )
541: {
542: if ( ( ulRVA >= SectionHeaders [ i ] . VirtualAddress ) && ( ulRVA <= SectionHeaders [ i ] . VirtualAddress + SectionHeaders [ i ] . SizeOfRawData ) )
543: {
544: return SectionHeaders [ i ] . Name ;
545: }
546: }
547: return "" ;
548: }
549:
550: string CommentRVA2FOA ( DWORD dwRVA )
551: {
552: local string sComment = "" ;
553: if ( 0 != dwRVA )
554: {
555: SPrintf ( sComment , "%s FOA = 0x%X \n" , LocationRVA ( dwRVA ) , RVA2FOA ( dwRVA ) ) ;
556: }
557: return sComment ;
558: }
559:
560: string CommentRVAString ( DWORD dwRVA )
561: {
562: local string sComment = "" ;
563:
564: if ( 0 != dwRVA )
565: {
566: SPrintf ( sComment , "%s FOA = 0x%X -> %s" , LocationRVA ( dwRVA ) , RVA2FOA ( dwRVA ) , ReadString ( RVA2FOA ( dwRVA ) ) ) ;
567: }
568: return sComment ;
569: }
570:
571: typedef struct _IMAGE_BASE_RELOCATION
572: {
573: DWORD VirtualAddress < format = hex , comment = CommentRVA2FOA > ;
574: DWORD SizeOfBlock ;
575:
576:
577: local ULONG ulBlockNum = 0 ;
578: local ULONG ulIndex = 0 ;
579:
580: ulBlockNum = ( SizeOfBlock - 8 ) / 2 ;
581: for ( ulIndex = 0 ; ulIndex < ulBlockNum ; ulIndex ++ )
582: {
583: WORD Block < format = hex , comment = CommentBaseRelocBlock > ;
584: }
585:
586: } IMAGE_BASE_RELOCATION < comment = commentImageBaseRelocation > ;
587:
588:
589:
590: string CommentBaseRelocBlock ( WORD Block )
591: {
592: if ( 0x3000 == ( Block & 0xF000 ) )
593: {
594: return "HIGHLOW" ;
595: }
596: else
597: {
598: return "ABSULUTE" ;
599: }
600:
601: return "" ;
602: }
603:
604:
605: string commentImageBaseRelocation ( IMAGE_BASE_RELOCATION & BaseReloc )
606: {
607: local string sComment = "" ;
608: SPrintf ( sComment , "%d" , BaseReloc . ulBlockNum ) ;
609: return sComment ;
610: }
611:
612: typedef struct _BASE_RELOCATION_TABLE
613: {
614: local ULONG ulRelocNum = 0 ;
615:
616: while ( 1 )
617: {
618: if ( 0 == ReadUInt ( FTell ( ) ) )
619: {
620: break ;
621: }
622: IMAGE_BASE_RELOCATION BaseReloc ;
623: ulRelocNum ++ ;
624: }
625: } BASE_RELOCATION_TABLE < comment = commentBaseRelocationTable > ;
626:
627: string commentBaseRelocationTable ( BASE_RELOCATION_TABLE & RelocTable )
628: {
629: local string sComment = "" ;
630: SPrintf ( sComment , "%d" , RelocTable . ulRelocNum ) ;
631: return sComment ;
632: }
633:
634:
635:
636:
637: void ParseEAT ( void )
638: {
639: if ( ( NtHeader . OptionalHeader . DataDirArray . DataDir0 . VirtualAddress != 0 ) && ( NtHeader . OptionalHeader . DataDirArray . DataDir0 . Size != 0 ) )
640: {
641: local ULONG ulExportFOA = RVA2FOA ( NtHeader . OptionalHeader . DataDirArray . DataDir0 . VirtualAddress ) ;
642: FSeek ( ulExportFOA ) ;
643: IMAGE_EXPORT_DIRECTORY ExportDir ;
644: }
645: }
646:
647:
648: void ParseIAT ( )
649: {
650: if ( ( NtHeader . OptionalHeader . DataDirArray . DataDir1 . VirtualAddress != 0 ) && ( NtHeader . OptionalHeader . DataDirArray . DataDir1 . Size != 0 ) )
651: {
652: local ULONG ulImportFOA = RVA2FOA ( NtHeader . OptionalHeader . DataDirArray . DataDir1 . VirtualAddress ) ;
653: local ULONG ulOriginalFirstThunk = 0 ;
654: local ULONG ulOriginalFirstThunkFOA = 0 ;
655: local int nImportIndex = 0 ;
656:
657: FSeek ( ulImportFOA ) ;
658: while ( 1 )
659: {
660: ulOriginalFirstThunk = ReadUInt ( ulImportFOA + 0x14 * nImportIndex ) ;
661: if ( 0 == ulOriginalFirstThunk )
662: {
663: break ;
664: }
665: FSeek ( ulImportFOA + 0x14 * nImportIndex ) ;
666: IMAGE_IMPORT_DESCRIPTOR ImportDescriptor ;
667: nImportIndex ++ ;
668: }
669: }
670: }
671:
672:
673: void ParseResource ( )
674: {
675: if ( ( NtHeader . OptionalHeader . DataDirArray . DataDir2 . VirtualAddress == 0 ) || ( NtHeader . OptionalHeader . DataDirArray . DataDir2 . Size == 0 ) )
676: {
677: return ;
678: }
679:
680: }
681:
682:
683: void ParseException ( )
684: {
685: if ( ( NtHeader . OptionalHeader . DataDirArray . DataDir3 . VirtualAddress == 0 ) || ( NtHeader . OptionalHeader . DataDirArray . DataDir3 . Size == 0 ) )
686: {
687: return ;
688: }
689:
690: }
691:
692:
693: void ParseSecurity ( )
694: {
695: if ( ( NtHeader . OptionalHeader . DataDirArray . DataDir4 . VirtualAddress == 0 ) || ( NtHeader . OptionalHeader . DataDirArray . DataDir4 . Size == 0 ) )
696: {
697: return ;
698: }
699:
700: }
701:
702:
703: void ParseBaseReloc ( )
704: {
705: if ( ( NtHeader . OptionalHeader . DataDirArray . DataDir5 . VirtualAddress == 0 ) || ( NtHeader . OptionalHeader . DataDirArray . DataDir5 . Size == 0 ) )
706: {
707: return ;
708: }
709: FSeek ( RVA2FOA ( NtHeader . OptionalHeader . DataDirArray . DataDir5 . VirtualAddress ) ) ;
710: BASE_RELOCATION_TABLE RelocTable ;
711: }
712:
713:
714: void ParseDebug ( )
715: {
716: if ( ( NtHeader . OptionalHeader . DataDirArray . DataDir6 . VirtualAddress == 0 ) || ( NtHeader . OptionalHeader . DataDirArray . DataDir6 . Size == 0 ) )
717: {
718: return ;
719: }
720:
721: }
722:
723:
724: void ParseTLS ( )
725: {
726: if ( ( NtHeader . OptionalHeader . DataDirArray . DataDir9 . VirtualAddress == 0 ) || ( NtHeader . OptionalHeader . DataDirArray . DataDir9 . Size == 0 ) )
727: {
728: return ;
729: }
730:
731:
732: }
733:
734:
735: void ParseBoundImport ( )
736: {
737: if ( ( NtHeader . OptionalHeader . DataDirArray . DataDir11 . VirtualAddress == 0 ) || ( NtHeader . OptionalHeader . DataDirArray . DataDir11 . Size == 0 ) )
738: {
739: return ;
740: }
741:
742: }
743:
744:
745: void ParseDelayImport ( )
746: {
747: if ( ( NtHeader . OptionalHeader . DataDirArray . DataDir13 . VirtualAddress == 0 ) || ( NtHeader . OptionalHeader . DataDirArray . DataDir13 . Size == 0 ) )
748: {
749: return ;
750: }
751:
752: }
753:
754:
755:
756: Printf ( "Parse PE Begin.\n" ) ;
757: IMAGE_DOS_HEADER DosHeader ;
758: if ( DosHeader . e_magic != 0x5A4D )
759: {
760: Printf ( "invalid dos magic.\n" ) ;
761: return 1 ;
762: }
763: if ( 0 == DosHeader . e_lfanew )
764: {
765: Warning ( "not invalid e_lfanew = 0x%X" , DosHeader . e_lfanew ) ;
766: return 2 ;
767: }
768:
769: UCHAR Space1 [ DosHeader . e_lfanew - sizeof ( IMAGE_DOS_HEADER ) ] < hidden = true , fgcolor = cRed , comment = "Space between dos header and nt header" > ;
770: Printf ( "Space between dos header and nt header is %d bytes \n" , DosHeader . e_lfanew - sizeof ( IMAGE_DOS_HEADER ) ) ;
771: FSeek ( DosHeader . e_lfanew ) ;
772:
773: IMAGE_NT_HEADERS NtHeader ;
774: if ( 0x4550 != NtHeader . Signature )
775: {
776: Printf ( "invalid nt Signature 0x%x \n" , NtHeader . Signature ) ;
777: return 3 ;
778: }
779:
780: IMAGE_SECTION_HEADER SectionHeaders [ NtHeader . FileHeader . NumberOfSections ] ;
781:
782:
783: local ULONG ulRawHeaderSize = DosHeader . e_lfanew + sizeof ( NtHeader ) + NtHeader . FileHeader . NumberOfSections * sizeof ( IMAGE_SECTION_HEADER ) ;
784:
785: if ( NtHeader . OptionalHeader . SizeOfHeaders - ulRawHeaderSize > 0 )
786: {
787: UCHAR Space2 [ NtHeader . OptionalHeader . SizeOfHeaders - ulRawHeaderSize ] < hidden = true , fgcolor = cRed , comment = "Space between header and first section" > ;
788: }
789: Printf ( "Space between headers and first sections is %d bytes\n" , NtHeader . OptionalHeader . SizeOfHeaders - ulRawHeaderSize ) ;
790:
791: FSeek ( NtHeader . OptionalHeader . SizeOfHeaders ) ;
792:
793: local ULONG ulIndex = 0 ;
794: for ( ulIndex = 0 ; ulIndex < NtHeader . FileHeader . NumberOfSections ; ulIndex ++ )
795: {
796: if ( 0 == SectionHeaders [ ulIndex ] . PointerToRawData )
797: {
798: continue ;
799: }
800: if ( 0 == SectionHeaders [ ulIndex ] . SizeOfRawData )
801: {
802: continue ;
803: }
804: IMAGE_SECTION_DATA Section ( SectionHeaders [ ulIndex ] ) ;
805: }
806:
807: FSeek ( NtHeader . OptionalHeader . SizeOfHeaders ) ;
808:
809:
810: ParseEAT ( ) ;
811: ParseIAT ( ) ;
812: ParseResource ( ) ;
813: ParseException ( ) ;
814: ParseSecurity ( ) ;
815: ParseBaseReloc ( ) ;
816: ParseDebug ( ) ;
817: ParseTLS ( ) ;
818: ParseBoundImport ( ) ;
819: ParseDelayImport ( ) ;
820:
821: Printf ( "Parse PE finish.\n" ) ; tok_eof