diff --git a/format/all/all.go b/format/all/all.go index c68a1577bf..60f4d9be4f 100644 --- a/format/all/all.go +++ b/format/all/all.go @@ -39,6 +39,7 @@ import ( _ "github.com/wader/fq/format/ogg" _ "github.com/wader/fq/format/opus" _ "github.com/wader/fq/format/pcap" + _ "github.com/wader/fq/format/pe" _ "github.com/wader/fq/format/png" _ "github.com/wader/fq/format/postgres" _ "github.com/wader/fq/format/prores" diff --git a/format/format.go b/format/format.go index 9fb544d6b5..26e04ff231 100644 --- a/format/format.go +++ b/format/format.go @@ -144,6 +144,9 @@ var ( Opus_Packet = &decode.Group{Name: "opus_packet"} PCAP = &decode.Group{Name: "pcap"} PCAPNG = &decode.Group{Name: "pcapng"} + PE = &decode.Group{Name: "pe"} + PE_COFF = &decode.Group{Name: "pe_coff"} + PE_MSDOS_Stub = &decode.Group{Name: "pe_msdos_stub"} Pg_BTree = &decode.Group{Name: "pg_btree"} Pg_Control = &decode.Group{Name: "pg_control"} Pg_Heap = &decode.Group{Name: "pg_heap"} diff --git a/format/pe/pe.go b/format/pe/pe.go new file mode 100644 index 0000000000..5870cad962 --- /dev/null +++ b/format/pe/pe.go @@ -0,0 +1,37 @@ +package pe + +// https://osandamalith.com/2020/07/19/exploring-the-ms-dos-stub/ + +import ( + "github.com/wader/fq/format" + "github.com/wader/fq/pkg/decode" + "github.com/wader/fq/pkg/interp" +) + +// TODO: probe? +// TODO: not pe_ prefix for format names? + +var peMSDosStubGroup decode.Group +var peCOFFGroup decode.Group + +func init() { + interp.RegisterFormat( + format.PE, + &decode.Format{ + Description: "Portable Executable", + Groups: []*decode.Group{format.Probe}, + Dependencies: []decode.Dependency{ + {Groups: []*decode.Group{format.PE_MSDOS_Stub}, Out: &peMSDosStubGroup}, + {Groups: []*decode.Group{format.PE_COFF}, Out: &peCOFFGroup}, + }, + DecodeFn: peDecode, + }) +} + +func peDecode(d *decode.D) any { + + d.FieldFormat("ms_dos_stub", &peMSDosStubGroup, nil) + d.FieldFormat("coff", &peCOFFGroup, nil) + + return nil +} diff --git a/format/pe/pe_coff.go b/format/pe/pe_coff.go new file mode 100644 index 0000000000..f36093a4ca --- /dev/null +++ b/format/pe/pe_coff.go @@ -0,0 +1,119 @@ +package pe + +// https://osandamalith.com/2020/07/19/exploring-the-ms-dos-stub/ + +import ( + "github.com/wader/fq/format" + "github.com/wader/fq/pkg/decode" + "github.com/wader/fq/pkg/interp" + "github.com/wader/fq/pkg/scalar" +) + +// TODO: probe? + +func init() { + interp.RegisterFormat( + format.PE_COFF, + &decode.Format{ + Description: "Common Object File Format", + DecodeFn: peCoffStubDecode, + }) +} + +const ( + MachineTypeUNKNOWN = 0x0 + MachineTypeALPHA = 0x184 + MachineTypeALPHA64 = 0x284 + MachineTypeAM33 = 0x1d3 + MachineTypeAMD64 = 0x8664 + MachineTypeARM = 0x1c0 + MachineTypeARM64 = 0xaa64 + MachineTypeARMNT = 0x1c4 + MachineTypeAXP64 = 0x284 + MachineTypeEBC = 0xebc + MachineTypeI386 = 0x14c + MachineTypeIA64 = 0x200 + MachineTypeLOONGARCH32 = 0x6232 + MachineTypeLOONGARCH64 = 0x6264 + MachineTypeM32R = 0x9041 + MachineTypeMIPS16 = 0x266 + MachineTypeMIPSFPU = 0x366 + MachineTypeMIPSFPU16 = 0x466 + MachineTypePOWERPC = 0x1f0 + MachineTypePOWERPCFP = 0x1f1 + MachineTypeR4000 = 0x166 + MachineTypeRISCV32 = 0x5032 + MachineTypeRISCV64 = 0x5064 + MachineTypeRISCV128 = 0x5128 + MachineTypeSH3 = 0x1a2 + MachineTypeSH3DSP = 0x1a3 + MachineTypeSH4 = 0x1a6 + MachineTypeSH5 = 0x1a8 + MachineTypeTHUMB = 0x1c2 + MachineTypeWCEMIPSV2 = 0x169 +) + +var MachineTypeNames = scalar.UintMap{ + MachineTypeUNKNOWN: {Sym: "UNKNOWN", Description: "The content of this field is assumed to be applicable to any machine type"}, + MachineTypeALPHA: {Sym: "ALPHA", Description: "Alpha AXP, 32-bit address space"}, + MachineTypeALPHA64: {Sym: "ALPHA64", Description: "Alpha 64, 64-bit address space"}, + MachineTypeAM33: {Sym: "AM33", Description: "Matsushita AM33"}, + MachineTypeAMD64: {Sym: "AMD64", Description: "x64"}, + MachineTypeARM: {Sym: "ARM", Description: "ARM little endian"}, + MachineTypeARM64: {Sym: "ARM64", Description: "ARM64 little endian"}, + MachineTypeARMNT: {Sym: "ARMNT", Description: "ARM Thumb-2 little endian"}, + //MachineTypeAXP64: {Sym: "AXP64", Description: "AXP 64 (Same as Alpha 64)"}, + MachineTypeEBC: {Sym: "EBC", Description: "EFI byte code"}, + MachineTypeI386: {Sym: "I386", Description: "Intel 386 or later processors and compatible processors"}, + MachineTypeIA64: {Sym: "IA64", Description: "Intel Itanium processor family"}, + MachineTypeLOONGARCH32: {Sym: "LOONGARCH32", Description: "LoongArch 32-bit processor family"}, + MachineTypeLOONGARCH64: {Sym: "LOONGARCH64", Description: "LoongArch 64-bit processor family"}, + MachineTypeM32R: {Sym: "M32R", Description: "Mitsubishi M32R little endian"}, + MachineTypeMIPS16: {Sym: "MIPS16", Description: "MIPS16"}, + MachineTypeMIPSFPU: {Sym: "MIPSFPU", Description: "MIPS with FPU"}, + MachineTypeMIPSFPU16: {Sym: "MIPSFPU16", Description: "MIPS16 with FPU"}, + MachineTypePOWERPC: {Sym: "POWERPC", Description: "Power PC little endian"}, + MachineTypePOWERPCFP: {Sym: "POWERPCFP", Description: "Power PC with floating point support"}, + MachineTypeR4000: {Sym: "R4000", Description: "MIPS little endian"}, + MachineTypeRISCV32: {Sym: "RISCV32", Description: "RISC-V 32-bit address space"}, + MachineTypeRISCV64: {Sym: "RISCV64", Description: "RISC-V 64-bit address space"}, + MachineTypeRISCV128: {Sym: "RISCV128", Description: "RISC-V 128-bit address space"}, + MachineTypeSH3: {Sym: "SH3", Description: "Hitachi SH3"}, + MachineTypeSH3DSP: {Sym: "SH3DSP", Description: "Hitachi SH3 DSP"}, + MachineTypeSH4: {Sym: "SH4", Description: "Hitachi SH4"}, + MachineTypeSH5: {Sym: "SH5", Description: "Hitachi SH5"}, + MachineTypeTHUMB: {Sym: "THUMB", Description: "Thumb"}, + MachineTypeWCEMIPSV2: {Sym: "WCEMIPSV2", Description: "MIPS little-endian WCE v2"}, +} + +func peCoffStubDecode(d *decode.D) any { + d.Endian = decode.LittleEndian + + d.FieldRawLen("signature", 4*8, d.AssertBitBuf([]byte("PE\x00\x00"))) + d.FieldU16("machine", MachineTypeNames, scalar.UintHex) + d.FieldU16("number_of_sections") + d.FieldU32("time_date_stamp") + d.FieldU32("pointer_to_symbol_table", scalar.UintHex) + d.FieldU32("number_of_symbol_table") + d.FieldU16("size_of_optional_header") + d.FieldStruct("characteristics", func(d *decode.D) { + d.FieldBool("BYTES_REVERSED_HI") // 0x8000 // Big endian: the MSB precedes the LSB in memory. This flag is deprecated and should be zero. + d.FieldBool("UP_SYSTEM_ONLY") // 0x4000 // The file should be run only on a uniprocessor machine. + d.FieldBool("DLL") // 0x2000 // The image file is a dynamic-link library (DLL). Such files are considered executable files for almost all purposes, although they cannot be directly run. + d.FieldBool("SYSTEM") // 0x1000 // The image file is a system file, not a user program. + d.FieldBool("NET_RUN_FROM_SWAP") // 0x0800 // If the image is on network media, fully load it and copy it to the swap file. + d.FieldBool("REMOVABLE_RUN_") // FROM_SWAP 0x0400 // If the image is on removable media, fully load it and copy it to the swap file. + d.FieldBool("DEBUG_STRIPPED") // 0x0200 // Debugging information is removed from the image file. + d.FieldBool("32BIT_MACHINE") // 0x0100 // Machine is based on a 32-bit-word architecture. + d.FieldBool("BYTES_REVERSED_LO") // 0x0080 // Little endian: the least significant bit (LSB) precedes the most significant bit (MSB) in memory. This flag is deprecated and should be zero. + d.FieldBool("RESERVED") // 0x0040 // This flag is reserved for future use. + d.FieldBool("LARGE_ADDRESS_") // AWARE 0x0020 // Application can handle > 2-GB addresses. + d.FieldBool("AGGRESSIVE_WS_TRIM") // 0x0010 // Obsolete. Aggressively trim working set. This flag is deprecated for Windows 2000 and later and must be zero. + d.FieldBool("LOCAL_SYMS_STRIPPED") // 0x0008 // COFF symbol table entries for local symbols have been removed. This flag is deprecated and should be zero. + d.FieldBool("LINE_NUMS_STRIPPED") // 0x0004 // COFF line numbers have been removed. This flag is deprecated and should be zero. + d.FieldBool("EXECUTABLE_IMAGE") // 0x0002 // Image only. This indicates that the image file is valid and can be run. If this flag is not set, it indicates a linker error. + d.FieldBool("RELOCS_STRIPPED") // 0x0001 // Image only, Windows CE, and Microsoft Windows NT and later. This indicates that the file does not contain base relocations and must therefore be loaded at its preferred base address. If the base address is not available, the loader reports an error. The default behavior of the linker is to strip base relocations from executable (EXE) files. + }) + + return nil +} diff --git a/format/pe/pe_msdos_stub.go b/format/pe/pe_msdos_stub.go new file mode 100644 index 0000000000..2cb85f174d --- /dev/null +++ b/format/pe/pe_msdos_stub.go @@ -0,0 +1,56 @@ +package pe + +// https://osandamalith.com/2020/07/19/exploring-the-ms-dos-stub/ + +import ( + "github.com/wader/fq/format" + "github.com/wader/fq/pkg/decode" + "github.com/wader/fq/pkg/interp" + "github.com/wader/fq/pkg/scalar" +) + +// TODO: probe? + +func init() { + interp.RegisterFormat( + format.PE_MSDOS_Stub, + &decode.Format{ + Description: "MS-DOS Stub", + DecodeFn: msDosStubDecode, + }) +} + +func msDosStubDecode(d *decode.D) any { + d.Endian = decode.LittleEndian + + d.FieldU16("e_magic", scalar.UintDescription("Magic number"), d.UintAssert(0x5a4d), scalar.UintHex) + d.FieldU16("e_cblp", scalar.UintDescription("Bytes on last page of file")) + d.FieldU16("e_cp", scalar.UintDescription("Pages in file")) + d.FieldU16("e_crlc", scalar.UintDescription("Relocations")) + d.FieldU16("e_cparhdr", scalar.UintDescription("Size of header in paragraphs")) + d.FieldU16("e_minalloc", scalar.UintDescription("Minimum extra paragraphs needed")) + d.FieldU16("e_maxalloc", scalar.UintDescription("Maximum extra paragraphs needed")) + d.FieldU16("e_ss", scalar.UintDescription("Initial (relative) SS value")) + d.FieldU16("e_sp", scalar.UintDescription("Initial SP value")) + d.FieldU16("e_csum", scalar.UintDescription("Checksum")) + d.FieldU16("e_ip", scalar.UintDescription("Initial IP value")) + d.FieldU16("e_cs", scalar.UintDescription("Initial (relative) CS value")) + d.FieldU16("e_lfarlc", scalar.UintDescription("File address of relocation table")) + d.FieldU16("e_ovno", scalar.UintDescription("Overlay number")) + d.FieldRawLen("e_res", 4*16, scalar.BitBufDescription("Reserved words")) + d.FieldU16("e_oemid", scalar.UintDescription("OEM identifier (for e_oeminfo)")) + d.FieldU16("e_oeminfo", scalar.UintDescription("OEM information; e_oemid specific")) + d.FieldRawLen("e_res2", 10*16, scalar.BitBufDescription("Reserved words")) + lfanew := d.FieldU32("e_lfanew", scalar.UintDescription("File address of new exe header")) + + // TODO: x86 format in the future + d.FieldRawLen("stub", 64*8, scalar.BitBufDescription("Sub program")) + + subEndPos := d.Pos() + + // TODO: is not padding i guess? + padding := lfanew*8 - uint64(subEndPos) + d.FieldRawLen("padding", int64(padding)) + + return nil +}