-
Notifications
You must be signed in to change notification settings - Fork 163
/
mod.rs
229 lines (215 loc) · 8.06 KB
/
mod.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
//! A PE32 and PE32+ parser
//!
// TODO: panics with unwrap on None for apisetschema.dll, fhuxgraphics.dll and some others
use alloc::vec::Vec;
pub mod characteristic;
pub mod data_directories;
pub mod debug;
pub mod exception;
pub mod export;
pub mod header;
pub mod import;
pub mod optional_header;
pub mod relocation;
pub mod section_table;
pub mod symbol;
pub mod utils;
use crate::container;
use crate::error;
use crate::strtab;
use log::debug;
#[derive(Debug)]
/// An analyzed PE32/PE32+ binary
pub struct PE<'a> {
/// The PE header
pub header: header::Header,
/// A list of the sections in this PE binary
pub sections: Vec<section_table::SectionTable>,
/// The size of the binary
pub size: usize,
/// The name of this `dll`, if it has one
pub name: Option<&'a str>,
/// Whether this is a `dll` or not
pub is_lib: bool,
/// Whether the binary is 64-bit (PE32+)
pub is_64: bool,
/// the entry point of the binary
pub entry: usize,
/// The binary's RVA, or image base - useful for computing virtual addreses
pub image_base: usize,
/// Data about any exported symbols in this binary (e.g., if it's a `dll`)
pub export_data: Option<export::ExportData<'a>>,
/// Data for any imported symbols, and from which `dll`, etc., in this binary
pub import_data: Option<import::ImportData<'a>>,
/// The list of exported symbols in this binary, contains synthetic information for easier analysis
pub exports: Vec<export::Export<'a>>,
/// The list symbols imported by this binary from other `dll`s
pub imports: Vec<import::Import<'a>>,
/// The list of libraries which this binary imports symbols from
pub libraries: Vec<&'a str>,
/// Debug information, if any, contained in the PE header
pub debug_data: Option<debug::DebugData<'a>>,
/// Exception handling and stack unwind information, if any, contained in the PE header
pub exception_data: Option<exception::ExceptionData<'a>>,
pub section_table: &'a [u8],
}
impl<'a> PE<'a> {
/// Reads a PE binary from the underlying `bytes`
pub fn parse(bytes: &'a [u8]) -> error::Result<Self> {
let header = header::Header::parse(bytes)?;
debug!("{:#?}", header);
let offset = &mut (header.dos_header.pe_pointer as usize
+ header::SIZEOF_PE_MAGIC
+ header::SIZEOF_COFF_HEADER
+ header.coff_header.size_of_optional_header as usize);
let min_size = *offset
+ header.coff_header.number_of_sections as usize * header::SIZEOF_IMAGE_SECTION_HEADER;
if bytes.len() < min_size {
// The section table contains more entries than the binary can provide given the size
return Err(error::Error::Malformed(format!(
"Corrupted PE: Expected at least {:#X} bytes but got {:#X}",
min_size,
bytes.len()
)));
}
let section_table = &bytes[*offset..min_size];
let sections = header.coff_header.sections(bytes, offset)?;
let is_lib = characteristic::is_dll(header.coff_header.characteristics);
let mut entry = 0;
let mut image_base = 0;
let mut exports = vec![];
let mut export_data = None;
let mut name = None;
let mut imports = vec![];
let mut import_data = None;
let mut libraries = vec![];
let mut debug_data = None;
let mut exception_data = None;
let mut is_64 = false;
if let Some(optional_header) = header.optional_header {
entry = optional_header.standard_fields.address_of_entry_point as usize;
image_base = optional_header.windows_fields.image_base as usize;
is_64 = optional_header.container()? == container::Container::Big;
debug!(
"entry {:#x} image_base {:#x} is_64: {}",
entry, image_base, is_64
);
let file_alignment = optional_header.windows_fields.file_alignment;
if let Some(export_table) = *optional_header.data_directories.get_export_table() {
if let Ok(ed) =
export::ExportData::parse(bytes, export_table, §ions, file_alignment)
{
debug!("export data {:#?}", ed);
exports = export::Export::parse(bytes, &ed, §ions, file_alignment)?;
name = ed.name;
debug!("name: {:#?}", name);
export_data = Some(ed);
}
}
debug!("exports: {:#?}", exports);
if let Some(import_table) = *optional_header.data_directories.get_import_table() {
let id = if is_64 {
import::ImportData::parse::<u64>(
bytes,
import_table,
§ions,
file_alignment,
)?
} else {
import::ImportData::parse::<u32>(
bytes,
import_table,
§ions,
file_alignment,
)?
};
debug!("import data {:#?}", id);
if is_64 {
imports = import::Import::parse::<u64>(bytes, &id, §ions)?
} else {
imports = import::Import::parse::<u32>(bytes, &id, §ions)?
}
libraries = id
.import_data
.iter()
.map(|data| data.name)
.collect::<Vec<&'a str>>();
libraries.sort();
libraries.dedup();
import_data = Some(id);
}
debug!("imports: {:#?}", imports);
if let Some(debug_table) = *optional_header.data_directories.get_debug_table() {
debug_data = Some(debug::DebugData::parse(
bytes,
debug_table,
§ions,
file_alignment,
)?);
}
if header.coff_header.machine == header::COFF_MACHINE_X86_64 {
// currently only x86_64 is supported
debug!("exception data: {:#?}", exception_data);
if let Some(exception_table) =
*optional_header.data_directories.get_exception_table()
{
exception_data = Some(exception::ExceptionData::parse(
bytes,
exception_table,
§ions,
file_alignment,
)?);
}
}
}
Ok(PE {
header,
sections,
size: 0,
name,
is_lib,
is_64,
entry,
image_base,
export_data,
import_data,
exports,
imports,
libraries,
debug_data,
exception_data,
section_table,
})
}
}
/// An analyzed COFF object
#[derive(Debug)]
pub struct Coff<'a> {
/// The COFF header
pub header: header::CoffHeader,
/// A list of the sections in this COFF binary
pub sections: Vec<section_table::SectionTable>,
/// The COFF symbol table.
pub symbols: symbol::SymbolTable<'a>,
/// The string table.
pub strings: strtab::Strtab<'a>,
}
impl<'a> Coff<'a> {
/// Reads a COFF object from the underlying `bytes`
pub fn parse(bytes: &'a [u8]) -> error::Result<Self> {
let offset = &mut 0;
let header = header::CoffHeader::parse(bytes, offset)?;
debug!("{:#?}", header);
// TODO: maybe parse optional header, but it isn't present for Windows.
*offset += header.size_of_optional_header as usize;
let sections = header.sections(bytes, offset)?;
let symbols = header.symbols(bytes)?;
let strings = header.strings(bytes)?;
Ok(Coff {
header,
sections,
symbols,
strings,
})
}
}