├── LICENSE
├── README.md
├── codereba license
├── lib_sample
├── funcs.cpp
├── funcs.h
├── lib_sample_2003.vcproj
└── lib_sample_2005.vcproj
├── output
├── MFC42.DLL
├── lib_sample.lib
├── pe-analyzer.pdb
├── pe-master.dll
└── pe-master.lib
├── pe-analyzer
├── pe-analyzer.aps
├── pe-analyzer.cpp
├── pe-analyzer.h
├── pe-analyzer.rc
├── pe-analyzerDlg.cpp
├── pe-analyzerDlg.h
├── pe-analyzer_2003.vcproj
├── pe-analyzer_2005.vcproj
├── res
│ ├── pe-analyzer.ico
│ ├── pe-analyzer.manifest
│ └── pe-analyzer.rc2
├── resource.h
├── stdafx.cpp
├── stdafx.h
└── treectrl.ASM
├── pe-master
├── coff_file_analyzer.c
├── coff_file_analyzer.h
├── common.c
├── common.h
├── common_analyze.c
├── common_analyze.h
├── dlist.c
├── dlist.h
├── file_analyzer.c
├── file_analyzer.h
├── lib_file_analyzer.c
├── lib_file_analyzer.h
├── lib_struct_analyze.c
├── lib_struct_analyze.h
├── lib_struct_analyzer.c
├── lib_struct_analyzer.h
├── pe-master_2003.sln
├── pe-master_2003.vcproj
├── pe-master_2005.sln
├── pe-master_2005.vcproj
├── pe_ana_func.def
├── pe_file_analyze.c
├── pe_file_analyze.h
├── pe_file_analyzer.c
├── pe_file_analyzer.h
├── pe_struct_analyze.c
├── pe_struct_analyze.h
├── pe_struct_analyzer.c
└── pe_struct_analyzer.h
└── sysshell
├── common.h
├── ddk.h
├── file_depack.c
├── file_depack.h
├── file_pack.h
├── img_chk_sum.h
├── import_code.h
├── pe_file_map.h
├── res_parse.h
├── section_build.h
├── shell_builder.h
├── shell_code.h
├── sys_mod_packer.cpp
├── sys_mod_packer.h
├── sysshell.sln
└── sysshell.vcproj
/README.md:
--------------------------------------------------------------------------------
1 | # pe-master
2 | pe,lib,obj file analysis,obj file extracting.
3 | functions for pack WINDOWS kernel mode module(driver)
4 |
5 |
6 | ----------------------------------------------------------
7 | Source code license is one choice of two:
8 |
9 | #### 1. The GNU General Public License v3.0
10 |
11 | #### 2. Copyright (c) 2010-2050, pe master team(simple_ai@outlook.com).All rights reserved.
12 |
13 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met.
14 |
15 | Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
16 |
17 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
18 |
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
20 |
21 | ----------------------------------------------------------
22 |
23 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 |
25 | project is work on visual studio 2015
26 |
27 | any question you can contact with me.
28 |
29 | Contact:
30 |
31 | WeiXin: jianzhi_ai
32 |
33 | WeiXin: AIChangeLife
34 |
35 | QQ group: 601169305
36 |
37 | QQ: 2146651351
38 |
39 | I have not earning when I develope the open source software suit, it's hard to continue, if you think this software is good, you can support me, together with me, let the development continuous. alipay:dante.1265@hotmail.com
40 |
41 | (这个软件工具是完全没有收入情况下开发的,很难继续下去,如果你认为这是一个不错的软件,请给予我支持,或者一起做开发,让软件 可以继续开发下去 支付宝:dante.1265@hotmail.com)
42 |
--------------------------------------------------------------------------------
/codereba license:
--------------------------------------------------------------------------------
1 | Copyright (c) 2010-2050, netmon develop team(simple_ai@outlook.com).All rights reserved.
2 |
3 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met.
4 |
5 | Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
6 |
7 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
8 |
9 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
10 |
--------------------------------------------------------------------------------
/lib_sample/funcs.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 |
21 | #include "funcs.h"
22 |
23 | int sum( int num1, int num2 )
24 | {
25 | return num1 + num2;
26 | }
27 | int mul( int num1, int num2 )
28 | {
29 | return num1 * num2;
30 | }
31 |
32 |
33 |
--------------------------------------------------------------------------------
/lib_sample/funcs.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 |
21 | #ifndef __FUNCS_H__
22 | #define __FUNCS_H__
23 |
24 | int sum( int num1, int num2 );
25 |
26 | #endif //__FUNCS_H__
--------------------------------------------------------------------------------
/lib_sample/lib_sample_2003.vcproj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/lib_sample/lib_sample_2003.vcproj
--------------------------------------------------------------------------------
/lib_sample/lib_sample_2005.vcproj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/lib_sample/lib_sample_2005.vcproj
--------------------------------------------------------------------------------
/output/MFC42.DLL:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/output/MFC42.DLL
--------------------------------------------------------------------------------
/output/lib_sample.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/output/lib_sample.lib
--------------------------------------------------------------------------------
/output/pe-analyzer.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/output/pe-analyzer.pdb
--------------------------------------------------------------------------------
/output/pe-master.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/output/pe-master.dll
--------------------------------------------------------------------------------
/output/pe-master.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/output/pe-master.lib
--------------------------------------------------------------------------------
/pe-analyzer/pe-analyzer.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/pe-analyzer/pe-analyzer.aps
--------------------------------------------------------------------------------
/pe-analyzer/pe-analyzer.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/pe-analyzer/pe-analyzer.cpp
--------------------------------------------------------------------------------
/pe-analyzer/pe-analyzer.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/pe-analyzer/pe-analyzer.h
--------------------------------------------------------------------------------
/pe-analyzer/pe-analyzer.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/pe-analyzer/pe-analyzer.rc
--------------------------------------------------------------------------------
/pe-analyzer/pe-analyzerDlg.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/pe-analyzer/pe-analyzerDlg.cpp
--------------------------------------------------------------------------------
/pe-analyzer/pe-analyzerDlg.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/pe-analyzer/pe-analyzerDlg.h
--------------------------------------------------------------------------------
/pe-analyzer/pe-analyzer_2003.vcproj:
--------------------------------------------------------------------------------
1 |
2 |
8 |
9 |
11 |
12 |
13 |
20 |
33 |
35 |
43 |
47 |
49 |
51 |
53 |
58 |
60 |
62 |
64 |
66 |
68 |
69 |
76 |
86 |
88 |
96 |
100 |
102 |
104 |
106 |
111 |
113 |
115 |
117 |
119 |
121 |
122 |
123 |
124 |
125 |
126 |
130 |
132 |
133 |
135 |
136 |
138 |
140 |
143 |
144 |
146 |
149 |
150 |
151 |
152 |
156 |
158 |
159 |
161 |
162 |
164 |
165 |
167 |
168 |
169 |
173 |
175 |
176 |
178 |
179 |
181 |
182 |
183 |
185 |
186 |
188 |
189 |
190 |
191 |
194 |
195 |
196 |
--------------------------------------------------------------------------------
/pe-analyzer/pe-analyzer_2005.vcproj:
--------------------------------------------------------------------------------
1 |
2 |
9 |
10 |
13 |
14 |
15 |
16 |
17 |
26 |
29 |
32 |
35 |
38 |
43 |
57 |
60 |
66 |
69 |
78 |
81 |
84 |
87 |
90 |
93 |
96 |
99 |
102 |
103 |
112 |
115 |
118 |
121 |
124 |
129 |
140 |
143 |
149 |
152 |
161 |
164 |
167 |
170 |
173 |
176 |
179 |
182 |
185 |
186 |
187 |
188 |
189 |
190 |
195 |
198 |
199 |
202 |
203 |
206 |
209 |
213 |
214 |
217 |
221 |
222 |
223 |
224 |
229 |
232 |
233 |
236 |
237 |
240 |
241 |
244 |
245 |
246 |
251 |
254 |
255 |
258 |
259 |
262 |
263 |
264 |
267 |
271 |
274 |
275 |
279 |
282 |
283 |
284 |
287 |
288 |
289 |
290 |
294 |
295 |
296 |
--------------------------------------------------------------------------------
/pe-analyzer/res/pe-analyzer.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/pe-analyzer/res/pe-analyzer.ico
--------------------------------------------------------------------------------
/pe-analyzer/res/pe-analyzer.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
9 | 在此说明应用程序
10 |
11 |
12 |
20 |
21 |
22 |
23 |
--------------------------------------------------------------------------------
/pe-analyzer/res/pe-analyzer.rc2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/pe-analyzer/res/pe-analyzer.rc2
--------------------------------------------------------------------------------
/pe-analyzer/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by pe-analyzer.rc
4 | //
5 | #define IDM_ABOUTBOX 0x0010
6 | #define IDD_ABOUTBOX 100
7 | #define IDS_ABOUTBOX 101
8 | #define IDD_PEANALYZER_DIALOG 102
9 | #define IDR_MAINFRAME 128
10 | #define IDR_MENU_MAIN 129
11 | #define IDC_EDIT_OUTPUT 1000
12 | #define IDC_EDIT_PE_FILE_PATH 1001
13 | #define IDC_EDIT_FILE_PATH 1001
14 | #define IDC_BUTTON1 1002
15 | #define IDC_BUTTON_SEL_FILE 1002
16 | #define IDC_EDIT_FILTER 1003
17 | #define IDC_TREE_MAIN 1008
18 | #define IDC_STOP_ANALYZE 1009
19 | #define IDC_TREE_DETAIL 1012
20 | #define IDC_LIST1 1012
21 | #define IDC_LIST_DETAIL 1012
22 | #define ID_POPMENU1_WRITETOONW 32771
23 |
24 | // Next default values for new objects
25 | //
26 | #ifdef APSTUDIO_INVOKED
27 | #ifndef APSTUDIO_READONLY_SYMBOLS
28 | #define _APS_NEXT_RESOURCE_VALUE 130
29 | #define _APS_NEXT_COMMAND_VALUE 32772
30 | #define _APS_NEXT_CONTROL_VALUE 1013
31 | #define _APS_NEXT_SYMED_VALUE 101
32 | #endif
33 | #endif
34 |
--------------------------------------------------------------------------------
/pe-analyzer/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/pe-analyzer/stdafx.cpp
--------------------------------------------------------------------------------
/pe-analyzer/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/pe-analyzer/stdafx.h
--------------------------------------------------------------------------------
/pe-analyzer/treectrl.ASM:
--------------------------------------------------------------------------------
1 | title TreeDemo
2 | comment '*==============================*'
3 | comment '* Programed by Ewayne Wagner *'
4 | comment '* E-MAIL: yooper@kalamazoo.net *'
5 | comment '*==============================*'
6 |
7 | .586
8 | .model flat, stdcall
9 | option casemap:none ; Case sensitive
10 |
11 | include \MASM32\include\Windows.inc
12 | include \MASM32\include\user32.inc
13 | include \MASM32\include\kernel32.inc
14 | include \MASM32\include\gdi32.inc
15 | include \MASM32\include\comctl32.inc
16 | include \MASM32\include\comdlg32.inc
17 | include \MASM32\include\advapi32.inc
18 |
19 | includelib \MASM32\lib\user32.lib
20 | includelib \MASM32\lib\kernel32.lib
21 | includelib \MASM32\lib\gdi32.lib
22 | includelib \MASM32\lib\comctl32.lib
23 | includelib \MASM32\lib\comdlg32.lib
24 | includelib \MASM32\lib\advapi32.lib
25 |
26 | ;===================================================
27 | ; PROTO, MACRO, and Data section
28 | ;===================================================
29 | WinMain PROTO :DWORD, :DWORD, :DWORD, :DWORD
30 | SplitBarProc PROTO :DWORD, :DWORD, :DWORD, :DWORD
31 |
32 | .const
33 | IDM_EXIT equ 2001
34 |
35 | TVM_SETBKCOLOR equ TV_FIRST + 29
36 | TVM_SETTEXTCOLOR equ TV_FIRST + 30
37 | TVM_SETLINECOLOR equ TV_FIRST + 40
38 | TVM_SETINSERTMARKCOLOR equ TV_FIRST + 37
39 |
40 | .data
41 | ClassName db 'TreeDemo',0
42 | AppName db 'TreeDemo',0
43 | RichEdit db 'RichEdit20A',0
44 | RichEdDLL db 'RICHED20.DLL',0
45 | TreeClass db 'SysTreeView32',0
46 | ListClass db 'SysListView32',0
47 | StatClass db 'msctls_statusbar32',0
48 | StaticClass db 'STATIC',0
49 | MenuName db 'MainMenu',0
50 | Parent1 db 'Tree',0
51 | Parent2 db 'Does Nothing',0
52 | Child1 db 'Listview',0
53 | Child2 db 'Edit Control',0
54 | Child3 db 'Statusbar',0
55 | Child4 db 'Status 2',0
56 | Child5 db 'Status 3',0
57 | Child6 db 'Clear All',0
58 | Child7 db 'Nothing',0
59 |
60 | szColName db 'Items',0
61 | szItem1 db 'Item 1',0
62 | szItem2 db 'Item 2',0
63 | szDay db 'Have A Nice Day !!',0
64 |
65 | szNull db 0
66 | First db 1
67 |
68 | Split1 dd 0, 159, 130, 161
69 | Split2 dd 129, 0, 131, 241
70 |
71 | .data?
72 | hInst dd ?
73 | CommandLine dd ?
74 | hREdDll dd ?
75 | MainExit dd ?
76 | hWnd dd ?
77 | MenuCnt dd ?
78 |
79 | hWndStat dd ?
80 | hWndTree dd ?
81 | hWndList dd ?
82 | hREdit dd ?
83 | hImageList dd ?
84 | hParent dd ?
85 | hChild1 dd ?
86 | hChild2 dd ?
87 | hChild3 dd ?
88 | hChild4 dd ?
89 | hChild5 dd ?
90 | hChild6 dd ?
91 | hSplitBar dd ?
92 | BarType dd ?
93 | hBR dd ?
94 | sbParts dd 4 dup(?)
95 |
96 | ;---------- [Structures] ----------
97 | tvis TV_INSERTSTRUCT
98 |
99 | .code
100 |
101 | ;===================================================
102 | ; Program initialization section
103 | ;===================================================
104 | start:
105 | INVOKE GetModuleHandle, NULL
106 | mov hInst, eax
107 | INVOKE GetCommandLine
108 | mov CommandLine, eax
109 | call InitCommonControls
110 |
111 | ;---------- [Load the Riched20.dll] ----------
112 | INVOKE LoadLibrary, addr RichEdDLL
113 | mov hREdDll, eax
114 | .if !eax
115 | ; INVOKE MessageBox, NULL, addr szError1, addr szAppName, MB_OK or MB_ICONERROR
116 | jmp Exit
117 | .endif
118 |
119 | INVOKE WinMain, hInst ,NULL, CommandLine, SW_SHOWDEFAULT
120 | mov MainExit, eax
121 | INVOKE FreeLibrary, hREdDll
122 |
123 | Exit:
124 | INVOKE ExitProcess, MainExit
125 |
126 | ;===================================================
127 | ; WinMain procedure
128 | ;===================================================
129 | WinMain proc uses ebx hinst:DWORD, hPrevInst, CmdLine, CmdShow
130 | LOCAL wc:WNDCLASSEX
131 | LOCAL msg:MSG
132 |
133 | mov wc.cbSize, sizeof WNDCLASSEX
134 | mov wc.style, CS_BYTEALIGNCLIENT or CS_BYTEALIGNWINDOW
135 | mov wc.lpfnWndProc, offset WndProc
136 | mov wc.cbClsExtra, NULL
137 | mov wc.cbWndExtra, NULL
138 | push hInst
139 | pop wc.hInstance
140 | mov wc.hbrBackground, COLOR_BTNFACE+1
141 | mov wc.lpszMenuName, offset MenuName
142 | mov wc.lpszClassName, offset ClassName
143 | INVOKE LoadIcon, NULL, IDI_APPLICATION
144 | mov wc.hIcon, eax
145 | mov wc.hIconSm, eax
146 | INVOKE LoadCursor, NULL, IDC_ARROW
147 | mov wc.hCursor, eax
148 | INVOKE RegisterClassEx, addr wc
149 |
150 | ;---------- [Center the window] ----------
151 | INVOKE GetSystemMetrics, SM_CXSCREEN
152 | sub eax, 353
153 | shr eax, 1
154 | push eax
155 | INVOKE GetSystemMetrics, SM_CYSCREEN
156 | sub eax, 300
157 | shr eax, 1
158 | pop ebx
159 |
160 | ;---------- [Create the Main Window] ----------
161 | INVOKE CreateWindowEx, WS_EX_CLIENTEDGE, addr ClassName,\
162 | addr AppName, WS_OVERLAPPEDWINDOW,\
163 | ebx, eax, 353, 311, NULL, NULL, hInst, NULL
164 | mov hWnd, eax
165 |
166 | INVOKE ShowWindow, hWnd, SW_SHOWNORMAL
167 | INVOKE UpdateWindow, hWnd
168 |
169 | ;---------- [Message loop] ----------
170 | .while TRUE
171 | INVOKE GetMessage, addr msg, NULL, 0, 0
172 | .break .if (!eax)
173 | INVOKE TranslateMessage, addr msg
174 | INVOKE DispatchMessage, addr msg
175 | .endw
176 | mov eax, msg.wParam
177 | ret
178 | WinMain endp
179 |
180 | ;===================================================
181 | ; WinProc procedure
182 | ;===================================================
183 | WndProc proc uses esi edi ebx hwnd:DWORD, wMsg, wParam, lParam
184 | LOCAL rect:RECT
185 | LOCAL lvc:LV_COLUMN
186 | LOCAL lvi:LV_ITEM
187 | LOCAL tvi:TV_ITEM
188 | LOCAL xPos:DWORD, yPos, hBitmap
189 | LOCAL szWork1[64]:BYTE
190 |
191 | ;---------- [Create the Control(s) and one time stuff] ----------
192 | .if wMsg == WM_CREATE
193 |
194 | ;---------- [Create the status bar window] ----------
195 | INVOKE CreateWindowEx, 0, addr StatClass, 0,\
196 | WS_CHILD or WS_BORDER or WS_VISIBLE or SBS_SIZEGRIP,\
197 | 0, 0, 0, 0, hwnd, 0, hInst, 0
198 | mov hWndStat, eax
199 |
200 | ;---------- [Create the control windows] ----------
201 | INVOKE CreateWindowEx, WS_EX_CLIENTEDGE, addr TreeClass, 0,\
202 | WS_CHILD or WS_VISIBLE or TVS_HASLINES or TVS_HASBUTTONS or\
203 | TVS_LINESATROOT or WS_CLIPSIBLINGS,\
204 | 0, 0, 130, 160, hwnd, 44, hInst, NULL
205 | test eax, eax
206 | jz Ret0
207 | mov hWndTree, eax
208 | INVOKE SendMessage, hWndTree, TVM_SETBKCOLOR, 0, 00e1f0ffh
209 | ; INVOKE SendMessage, hWndTree, TVM_SETTEXTCOLOR, 0, 00ffffe0h
210 | ; INVOKE SendMessage, hWndTree, TVM_SETLINECOLOR, 0, 00ffffe0h
211 | ; INVOKE SendMessage, hWndTree, TVM_SETINSERTMARKCOLOR, 0, 00ffffe0h
212 |
213 | INVOKE CreateWindowEx, WS_EX_CLIENTEDGE, addr ListClass, NULL,\
214 | WS_CHILD or WS_VISIBLE or LVS_REPORT or LVS_SHAREIMAGELISTS or LVS_SORTASCENDING,\
215 | 0, 160, 130, 51, hwnd, 45, hInst, NULL
216 | test eax, eax
217 | jz Ret0
218 | mov hWndList, eax
219 | ; INVOKE SendMessage, hWndList, LVM_SETTEXTCOLOR, 0, 00000000h
220 | INVOKE SendMessage, hWndList, LVM_SETBKCOLOR, 0, 00ffffe0h
221 | INVOKE SendMessage, hWndList, LVM_SETTEXTBKCOLOR, 0, 00ffffe0h
222 |
223 | INVOKE CreateWindowEx, WS_EX_CLIENTEDGE, addr RichEdit, NULL,\
224 | WS_CHILD or WS_VISIBLE or ES_MULTILINE or\
225 | ES_NOHIDESEL or ES_SAVESEL or ES_SELECTIONBAR or\
226 | WS_HSCROLL or ES_AUTOHSCROLL or\
227 | WS_VSCROLL or ES_AUTOVSCROLL or WS_CLIPSIBLINGS,\
228 | 131, 0, 211, 241, hwnd, 46, hInst, NULL
229 | test eax, eax
230 | jz Ret0
231 | mov hREdit, eax
232 | INVOKE SendMessage, hREdit, EM_SETBKGNDCOLOR, 0, 00f0fff0h
233 |
234 | ;---------- [Get the Imagelist] ----------
235 | INVOKE ImageList_Create, 16, 16, ILC_COLOR16, 5, 10
236 | mov hImageList, eax
237 | INVOKE LoadBitmap, hInst, 900
238 | mov hBitmap,eax
239 | INVOKE ImageList_Add, hImageList, hBitmap, NULL
240 | INVOKE DeleteObject, hBitmap
241 |
242 | ;---------- [Remove the comment if you want images for the Tree] ----------
243 | ; INVOKE SendMessage, hWndTree, TVM_SETIMAGELIST, 0, hImageList
244 |
245 | ;---------- [Fill the tree] ----------
246 | INVOKE SendMessage, hWndTree, TVM_DELETEITEM, 0, TVI_ROOT
247 | mov tvis.hParent, NULL
248 | mov tvis.hInsertAfter, TVI_ROOT
249 | mov tvis.item.imask, TVIF_TEXT or TVIF_IMAGE or TVIF_SELECTEDIMAGE
250 | mov tvis.item.pszText, offset Parent1
251 | mov tvis.item.iImage, 0
252 | mov tvis.item.iSelectedImage, 1
253 | INVOKE SendMessage, hWndTree, TVM_INSERTITEM, 0, addr tvis
254 | mov hParent, eax
255 |
256 | mov tvis.hParent, eax
257 | mov tvis.hInsertAfter, TVI_LAST
258 | mov tvis.item.pszText, offset Child1
259 | INVOKE SendMessage, hWndTree, TVM_INSERTITEM, 0, addr tvis
260 | mov hChild1, eax
261 |
262 | mov tvis.item.pszText, offset Child2
263 | INVOKE SendMessage, hWndTree, TVM_INSERTITEM, 0, addr tvis
264 | mov hChild2, eax
265 |
266 | mov tvis.item.pszText, offset Child3
267 | INVOKE SendMessage, hWndTree, TVM_INSERTITEM, 0, addr tvis
268 | mov hChild3, eax
269 |
270 | mov tvis.hParent, eax
271 | mov tvis.item.pszText, offset Child4
272 | INVOKE SendMessage, hWndTree, TVM_INSERTITEM, 0, addr tvis
273 | mov hChild4, eax
274 |
275 | mov tvis.item.pszText, offset Child5
276 | INVOKE SendMessage, hWndTree, TVM_INSERTITEM, 0, addr tvis
277 | mov hChild5, eax
278 |
279 | mov eax, hParent
280 | mov tvis.hParent, eax
281 | mov tvis.item.pszText, offset Child6
282 | INVOKE SendMessage, hWndTree, TVM_INSERTITEM, 0, addr tvis
283 | mov hChild6, eax
284 |
285 | mov tvis.hParent, NULL
286 | mov tvis.hInsertAfter, TVI_ROOT
287 | mov tvis.item.imask, TVIF_TEXT or TVIF_IMAGE or TVIF_SELECTEDIMAGE
288 | mov tvis.item.pszText, offset Parent2
289 | INVOKE SendMessage, hWndTree, TVM_INSERTITEM, 0, addr tvis
290 | mov tvis.hParent, eax
291 | mov tvis.item.pszText, offset Child7
292 | INVOKE SendMessage, hWndTree, TVM_INSERTITEM, 0, addr tvis
293 |
294 | INVOKE SendMessage, hWndTree, TVM_EXPAND, TVE_EXPAND, hParent
295 | INVOKE SendMessage, hWndTree, TVM_SORTCHILDREN, 0, hParent
296 | INVOKE SendMessage, hWndTree, TVM_SELECTITEM, TVGN_CARET, NULL ;hParent
297 |
298 | ;---------- [Create the column for the Listview] ----------
299 | mov lvc.imask, LVCF_TEXT or LVCF_WIDTH
300 | mov lvc.pszText, offset szColName
301 | mov lvc.lx, 125
302 | INVOKE SendMessage, hWndList, LVM_INSERTCOLUMN, 0, addr lvc
303 |
304 | ;---------- [Move and Size the Control(s)] ----------
305 | .elseif wMsg == WM_SIZE
306 |
307 | ;---------- [Size the Statusbar Control] ----------
308 | mov eax, lParam ; Get width
309 | and eax, 0ffffh ; Lowword
310 | shr eax, 2 ; /4
311 | mov ecx, eax ; Save factor
312 | mov sbParts, eax ; Make part 1 1/4 the width
313 | add eax, ecx
314 | mov [sbParts+4], eax ; and also part2, .. etc
315 | add eax, ecx
316 | mov [sbParts+8], eax
317 | mov [sbParts+12], -1 ; The last part extends to the end
318 | INVOKE SendMessage, hWndStat, SB_SETPARTS, 4, addr sbParts
319 | INVOKE MoveWindow, hWndStat, 0, 0, 0, 0, TRUE
320 |
321 | INVOKE GetWindowRect, hWndStat, addr rect ; Rectangle of statusbar
322 | mov eax, rect.bottom
323 | sub eax, rect.top ; eax = height of statusbar
324 | push eax
325 | INVOKE GetClientRect, hWnd, addr rect
326 | pop eax
327 | dec eax
328 | sub rect.bottom, eax
329 |
330 | mov ecx, Split2
331 | mov edx, Split1[4]
332 | mov Split1[8], ecx
333 | INVOKE MoveWindow, hWndTree, 1, 1, ecx, edx, TRUE
334 |
335 | mov edx, rect.bottom
336 | mov ecx, Split1[12]
337 | mov edi, ecx
338 | dec ecx
339 | sub edx, ecx
340 | sub edx, 2
341 | mov ecx, Split2
342 | INVOKE MoveWindow, hWndList, 1, edi, ecx, edx, TRUE
343 | mov ecx, Split2
344 | sub ecx, 4
345 | INVOKE SendMessage, hWndList, LVM_SETCOLUMNWIDTH, 0, ecx
346 |
347 | mov ecx, rect.right
348 | inc Split1[8]
349 | sub ecx, Split1[8]
350 | mov edx, rect.bottom
351 | mov Split2[12], edx
352 | mov edi, Split2[8]
353 | dec ecx
354 | sub edx, 2
355 | INVOKE MoveWindow, hREdit, edi, 1, ecx, edx, TRUE
356 |
357 | .elseif wMsg == WM_NOTIFY
358 | .if wParam == 44 ; Treeview
359 | mov eax, lParam
360 | mov ebx, (NM_TREEVIEW ptr [eax]).hdr.code
361 | mov ecx, (NM_TREEVIEW ptr [eax]).itemNew.hItem
362 |
363 | .if ebx == TVN_ITEMEXPANDING
364 | mov edx, (NM_TREEVIEW ptr [eax]).action
365 | .if edx == TVE_COLLAPSE
366 | ;DSPValue hWnd, edx, 1, 't'
367 | mov First, 1
368 | INVOKE SendMessage, hWndTree, TVM_SELECTITEM, TVGN_CARET, NULL
369 | .endif
370 | jmp Ret0
371 | .endif
372 |
373 | .if ebx == TVN_SELCHANGED
374 | .if ecx == hParent && First
375 | and First, 0
376 | push ecx
377 | push eax
378 | INVOKE SendMessage, hWndTree, TVM_SELECTITEM, TVGN_CARET, NULL
379 | pop eax
380 | pop ecx
381 | .endif
382 | test (NM_TREEVIEW ptr [eax]).action, TVIS_FOCUSED
383 | jz Ret0
384 | mov tvi.hItem, ecx
385 | mov tvi.imask, TVIF_TEXT
386 | lea eax, szWork1
387 | mov tvi.pszText, eax
388 | mov tvi.cchTextMax, 64
389 |
390 | .if ecx == hChild6 ; Clear all
391 | INVOKE SendMessage, hWndList, LVM_DELETEALLITEMS, 0, 0
392 | INVOKE SendMessage, hREdit, WM_SETTEXT, 0, addr szNull
393 | INVOKE SendMessage, hWndStat, SB_SETTEXT, 0, addr szNull
394 | INVOKE SendMessage, hWndStat, SB_SETTEXT, 1, addr szNull
395 | INVOKE SendMessage, hWndStat, SB_SETTEXT, 2, addr szNull
396 | INVOKE SendMessage, hWndStat, SB_SETTEXT, 3, addr szNull
397 | jmp Ret0
398 | .endif
399 |
400 | push ecx
401 | INVOKE SendMessage, hWndTree, TVM_GETITEM, NULL, addr tvi
402 | INVOKE SendMessage, hWndStat, SB_SETTEXT, 0, addr szWork1
403 | pop ecx
404 |
405 | .if ecx == hChild1 ; Listview
406 | INVOKE SendMessage, hWndList, LVM_DELETEALLITEMS, 0, 0
407 |
408 | ;---------- [Fill the Listview] ----------
409 | mov lvi.imask, LVIF_TEXT or LVIF_PARAM
410 | mov lvi.iItem, 0
411 | mov lvi.lParam, 0
412 | mov lvi.iSubItem, 0
413 | lea eax, szItem1
414 | mov lvi.pszText, eax
415 | mov lvi.iImage, 0
416 | INVOKE SendMessage, hWndList, LVM_INSERTITEM, 0, addr lvi
417 | mov lvi.iItem, 1
418 | mov lvi.lParam, 1
419 | mov lvi.iSubItem, 0
420 | lea eax, szItem2
421 | mov lvi.pszText, eax
422 | mov lvi.iImage, 0
423 | INVOKE SendMessage, hWndList, LVM_INSERTITEM, 0, addr lvi
424 |
425 | .elseif ecx == hChild2 ; Edit control
426 | INVOKE SendMessage, hREdit, WM_SETTEXT, 0, addr szDay
427 |
428 | .elseif ecx == hChild4 ; Stat 2
429 | INVOKE SendMessage, hWndStat, SB_SETTEXT, 2, addr Child4
430 |
431 | .elseif ecx == hChild5 ; Stat 3
432 | INVOKE SendMessage, hWndStat, SB_SETTEXT, 3, addr Child5
433 | .endif
434 | .endif
435 |
436 | .elseif wParam == 45 ; Listview
437 | mov ebx, lParam ; Get pointer to NMHDR
438 | .if [ebx.NMHDR].code == NM_CLICK ;NM_DBLCLK
439 | INVOKE SendMessage, hWndList, LVM_GETNEXTITEM, -1, LVNI_FOCUSED
440 | mov lvi.iItem, eax
441 | mov lvi.iSubItem, 0
442 | mov lvi.imask, LVIF_TEXT
443 | lea eax, szWork1
444 | mov lvi.pszText, eax
445 | mov lvi.cchTextMax, 64
446 | INVOKE SendMessage, hWndList, LVM_GETITEM, 0, addr lvi
447 | INVOKE SendMessage, hWndStat, SB_SETTEXT, 1, addr szWork1
448 | .endif
449 | .endif
450 |
451 | ;---------- [System and user commands] ----------
452 | .elseif wMsg == WM_COMMAND
453 | mov eax, wParam
454 | cwde ; Only low word contains command
455 | .if eax == IDM_EXIT
456 | INVOKE SendMessage, hwnd, WM_CLOSE, 0 ,0
457 |
458 | .endif
459 |
460 | ;---------- [Move the splitter bars] ----------
461 |
462 | .elseif wMsg == WM_MOUSEMOVE
463 |
464 | ;---------- [Capture the mouse if within an area] ----------
465 | INVOKE GetClientRect, hWnd, addr rect
466 | mov eax, lParam
467 | mov edx, eax
468 | and eax, 0ffffh
469 | inc eax
470 | mov xPos, eax
471 | shr edx, 16
472 | inc edx
473 | mov yPos, edx
474 |
475 | .if eax > Split1 && eax < Split1[8] && edx >= Split1[4] && edx <= Split1[12] && BarType != 2
476 | INVOKE LoadCursor, hInst, 899
477 | INVOKE SetCursor, eax
478 | INVOKE SetCapture, hwnd
479 | mov BarType, 1
480 | .elseif eax >= Split2 && eax <= Split2[8] && edx > Split2[4] && edx < Split2[12] && BarType != 1
481 | INVOKE LoadCursor, hInst, 898
482 | INVOKE SetCursor, eax
483 | INVOKE SetCapture, hwnd
484 | mov BarType, 2
485 | .else
486 |
487 | ;---------- [Release the mouse if out of the area] ----------
488 | .if wParam != MK_LBUTTON
489 | xor esi, esi
490 | .if BarType == 1
491 | lea esi, Split1
492 | .elseif BarType == 2
493 | lea esi, Split2
494 | .endif
495 | .if esi
496 | .if eax < [esi] || eax > [esi+8] || edx < [esi+4] || edx > [esi+12]
497 | and BarType, 0
498 | INVOKE ReleaseCapture
499 | .endif
500 | .endif
501 | .endif
502 | INVOKE LoadCursor, 0, IDC_ARROW
503 | INVOKE SetCursor, eax
504 | .endif
505 |
506 | .if wParam == MK_LBUTTON
507 | INVOKE GetClientRect, hWnd, addr rect
508 | mov ecx, xPos
509 | mov edx, yPos
510 | sub rect.bottom, 28
511 | .if ecx > rect.left && ecx < rect.right && edx > rect.top && edx < rect.bottom
512 | .else
513 | jmp Ret0
514 | .endif
515 |
516 | ;---------- [Create and drag the Splitter bar] ----------
517 | .if BarType == 1 ; Horizontal
518 | mov ecx, Split2
519 | .if xPos < ecx
520 | INVOKE LoadCursor, hInst, 899
521 | INVOKE SetCursor, eax
522 | .if !hSplitBar
523 | INVOKE CreateDialogParam, hInst, 4801, hWnd, offset SplitBarProc, 0
524 | .endif
525 | mov eax, yPos
526 | dec eax
527 | dec eax
528 | mov Split1[4], eax
529 | add eax, 2
530 | mov Split1[12], eax
531 | INVOKE GetWindowRect, hWnd, addr rect
532 | add rect.left, 6
533 | mov eax, rect.top
534 | add eax, 44
535 | add eax, Split1[4]
536 | inc eax
537 | mov rect.top, eax
538 | mov edx, Split1[8]
539 | INVOKE MoveWindow, hSplitBar, rect.left, rect.top, edx, 2, 1
540 | .endif
541 | .endif
542 |
543 | .if BarType == 2 ; Vertical
544 | INVOKE LoadCursor, hInst, 898
545 | INVOKE SetCursor, eax
546 | .if !hSplitBar
547 | INVOKE CreateDialogParam, hInst, 4801, hWnd, offset SplitBarProc, 0
548 | .endif
549 | mov eax, xPos
550 | dec eax
551 | dec eax
552 | mov Split2, eax
553 | add eax, 2
554 | mov Split2[8], eax
555 | INVOKE GetWindowRect, hWnd, addr rect
556 | add rect.top, 44
557 | mov eax, rect.top
558 | add eax, 28
559 | sub rect.bottom, eax
560 | add rect.left, 6
561 | mov ecx, rect.left
562 | add ecx, Split2
563 | inc ecx
564 | INVOKE MoveWindow, hSplitBar, ecx, rect.top, 2, Split2[12], 1
565 | .endif
566 | .endif
567 |
568 | .elseif wMsg == WM_LBUTTONUP
569 |
570 | ;---------- [Restore the cursor and call WM_SIZE] ----------
571 | INVOKE LoadCursor, 0, IDC_ARROW
572 | INVOKE SetCursor, eax
573 | and BarType, 0
574 | .if hSplitBar
575 | INVOKE ReleaseCapture
576 | INVOKE SplitBarProc, hSplitBar, WM_COMMAND, IDCANCEL, 0
577 | and hSplitBar, 0
578 | INVOKE GetClientRect, hWnd, addr rect
579 | mov edx, rect.bottom
580 | shl edx, 16
581 | mov ecx, rect.right
582 | mov dx, cx
583 | INVOKE SendMessage, hWnd, WM_SIZE, 0, edx
584 | .endif
585 |
586 | .elseif wMsg == WM_CLOSE
587 | INVOKE DestroyWindow, hwnd
588 |
589 | .elseif wMsg == WM_DESTROY
590 | INVOKE PostQuitMessage, NULL
591 |
592 | .else
593 |
594 | DefWin:
595 | INVOKE DefWindowProc, hwnd, wMsg, wParam, lParam
596 | ret
597 | .endif
598 |
599 | Ret0:
600 | xor eax, eax
601 | ret
602 | WndProc endp
603 |
604 | ;=========================================================================
605 | ; Splitter Bar PROCEDURE
606 | ;=========================================================================
607 | SplitBarProc PROC hdlg:DWORD, wmsg, wparam, lparam
608 | LOCAL hBrush:DWORD
609 |
610 | cmp wmsg, WM_INITDIALOG ; If message is INITDIALOG then
611 | jne NotInit ; check wmsg
612 | mov eax, hdlg
613 | mov hSplitBar, eax
614 | jmp DlgDone
615 |
616 | NotInit:
617 | cmp wmsg, WM_CTLCOLORDLG
618 | je ColorDlg
619 | cmp wmsg, WM_COMMAND ; Is message a WM_COMMAND?
620 | mov eax, wparam ; Otherwise, see if it's OK or CANCEL
621 | cmp eax, IDCANCEL ; that was pressed
622 | je CancleIt ; and if not either of these
623 | jmp DlgDone
624 |
625 | ColorDlg:
626 | INVOKE CreateSolidBrush, 0000ff00h
627 | mov hBrush, eax
628 | ret
629 |
630 | CancleIt:
631 | INVOKE DeleteObject, hBrush
632 | INVOKE EndDialog, hdlg, wparam
633 | mov eax, TRUE ; Return
634 | jmp DlgRet ; with TRUE
635 |
636 | DlgDone:
637 | mov eax, FALSE ; Return with FALSE
638 |
639 | DlgRet:
640 | ret ; Return
641 | SplitBarProc ENDP
642 |
643 | end start
--------------------------------------------------------------------------------
/pe-master/coff_file_analyzer.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/pe-master/coff_file_analyzer.c
--------------------------------------------------------------------------------
/pe-master/coff_file_analyzer.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 |
21 | #ifndef __COFF_FILE_ANALYZER_H__
22 | #define __COFF_FILE_ANALYZER_H__
23 |
24 | #define STYP_TEXT 0x0020
25 | #define STYP_DATA 0x0040
26 | #define STYP_BSS 0x0080
27 |
28 | #define SYM_PTR_TYPE 0x01
29 | #define SYM_FUNC_TYPE 0x02
30 | #define SYM_ARRAY_TYPE 0x03
31 | #define SYM_NONE_TYPE 0x00
32 |
33 | #define SYM_NONE_STORE_TYPE 0
34 | #define SYM_AUTOMATIC_STORE_TYPE 1
35 | #define SYM_EXTERNAL_STORE_TYPE 2
36 | #define SYM_STATIC_STORE_TYPE 3 //offset 0 is the section name
37 | #define SYM_REGISTER_STORE_TYPE 4
38 | #define SYM_MEMBER_OF_STRUCT_STORE_TYPE 8
39 | #define SYM_STRUCT_TAG_STORE_TYPE 10
40 | #define SYM_MEMBER_OF_UNION_STORE_TYPE 11 //value is order of symbol in the enum
41 | #define SYM_UNION_TAG_STORE_TYPE 12
42 | #define SYM_TYPE_DEFINITION_STORE_TYPE 13
43 | #define SYM_FUNCTION_STORE_TYPE 13
44 | #define SYM_FILE_STORE_TYPE 13
45 |
46 | #define I386_COFF_FILE_MAGIC 0x014c
47 | #define F_RELFLG 0x0001
48 | #define F_EXEC 0x0002
49 | #define F_LNNO 0x0004
50 | #define F_LSYMS 0x0008
51 | #define F_AR32WR 0x0100
52 |
53 | #define STRUCT_TYPE_COFF_FILE_HEADER 0x014c0001
54 | #define STRUCT_TYPE_COFF_OPTIONAL_28_HEADER 0x014c0002
55 | #define STRUCT_TYPE_COFF_SECTION_HEADER 0x14c00003
56 | #define STRUCT_TYPE_COFF_STR_TABLE 0x14c00004
57 |
58 | #pragma pack( push )
59 | #pragma pack( 1 )
60 |
61 | typedef struct __coff_file_hdr{
62 | unsigned short magic;
63 | unsigned short sect_num;
64 | unsigned long time;
65 | unsigned long syms_offset;
66 | unsigned long syms_num;
67 | unsigned short opt_hdr_size;
68 | unsigned short flags;
69 | } coff_file_hdr;
70 |
71 | typedef struct __coff_opt_hdr28{
72 | unsigned short magic;
73 | unsigned short version;
74 | unsigned long text_size;
75 | unsigned long init_data_size;
76 | unsigned long uninit_data_size;
77 | unsigned long entry;
78 | unsigned long text_base;
79 | unsigned long data_base;
80 | } coff_opt_hdr28;
81 |
82 |
83 | typedef struct __coff_sect_hdr{
84 | char name[8];
85 | unsigned long virt_size;
86 | unsigned long virt_addr;
87 | unsigned long size;
88 | unsigned long sect_offset;
89 | unsigned long sect_rel_offset;
90 | unsigned long ln_table_offset;
91 | unsigned short rel_offset_num;
92 | unsigned short ln_num;
93 | unsigned long flags;
94 | //unsigned long reserved;
95 | } coff_sect_hdr;
96 |
97 | typedef struct __coff_reloc{
98 | unsigned long ulAddr;
99 | unsigned long ulSymbol;
100 | unsigned short usType;
101 | } coff_reloc;
102 |
103 | typedef struct {
104 | unsigned long addr_symbol;
105 | unsigned short ln_no;
106 | } coff_ln_info;
107 |
108 | typedef struct __coff_sym_ent{
109 | union {
110 | char name[8];
111 | struct {
112 | unsigned long zero;
113 | unsigned long offset;
114 | } id;
115 | } sym_id;
116 | unsigned long value;
117 | short section;
118 | unsigned short type;
119 | unsigned char __class;
120 | unsigned char aux_num;
121 | } coff_sym_ent;
122 |
123 | typedef struct __coff_str_table
124 | {
125 | dword size;
126 | char strings[1];
127 | } coff_str_table;
128 | #pragma pack( pop )
129 |
130 | #ifdef __cplusplus
131 | extern "C" {
132 | #endif
133 |
134 | int32 callback check_coff_file_type( byte *data, dword data_len );
135 |
136 | #ifdef __cplusplus
137 | }
138 | #endif
139 |
140 | #endif //__COFF_FILE_ANALYZER_H__
--------------------------------------------------------------------------------
/pe-master/common.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 |
21 | #include "common.h"
22 |
23 | dlist *g_all_struct_info = NULL;
24 | int32 prepare_analyzing()
25 | {
26 | return init_list_element( &g_all_struct_info );
27 | }
28 |
29 | void add_new_record_info( void **info, dword size )
30 | {
31 | int ret;
32 | byte *data;
33 |
34 | ASSERT( NULL != info );
35 | ASSERT( 0 < size );
36 |
37 | data = ( byte* )malloc( size );
38 | if(NULL == data )
39 | {
40 | *info = NULL;
41 | return -1;
42 | }
43 |
44 | ret = add_list_element( g_all_struct_info, data );
45 | if( 0 > ret )
46 | {
47 | *info = NULL;
48 | return -1;
49 | }
50 |
51 | *info = data;
52 | return 0;
53 | }
54 |
55 | void *find_record_info( void *info, list_ele_compare compare_func )
56 | {
57 | return find_list_element_by_compare( g_all_struct_info, info, compare_func );
58 | }
59 |
60 | int32 end_analyzing()
61 | {
62 | int32 ret;
63 | if( NULL == g_all_struct_info )
64 | {
65 | return 0;
66 | }
67 | ret = destroy_list( g_all_struct_info, free_element_on_destroy );
68 | g_all_struct_info = NULL;
69 | return 0;
70 | }
71 |
72 | int32 open_file_dlg( HWND owner, char *seled_file_name, dword buff_len, dword flags )
73 | {
74 | int32 ret;
75 | OPENFILENAME ofn;
76 |
77 | ASSERT( NULL != seled_file_name &&
78 | 0 < buff_len );
79 |
80 | ZeroMemory(&ofn, sizeof(ofn));
81 | ofn.lStructSize = sizeof(OPENFILENAME);
82 | ofn.hwndOwner = owner;
83 | ofn.lpstrFile = seled_file_name;
84 | ofn.lpstrFile[ 0 ] = '\0';
85 | ofn.lpstrTitle = "select one file";
86 | ofn.nMaxFile = buff_len;
87 | ofn.lpstrFilter = "pe file (*.exe;*.dll)\0*.exe;*.dll\0coff file (*.lib;*.obj)\0*.lib;*.obj\0all file (*.*)\0*.*\0";
88 | ofn.lpstrInitialDir = NULL;
89 |
90 | if( flags == 0 )
91 | {
92 | ofn.Flags = OFN_PATHMUSTEXIST | OFN_FILEMUSTEXIST;
93 | }
94 | else
95 | {
96 | ofn.Flags = OFN_OVERWRITEPROMPT;
97 | }
98 | ret = GetOpenFileName( &ofn );
99 |
100 | return ret == 0 ? -1 : 0;
101 | }
102 |
103 | void littelendian2bigendian( void * p, size_t size )
104 | {
105 | int i;
106 | char * buf = ( char* )p;
107 | char temp;
108 | for ( i=0;i < size / 2; i++ ) {
109 | temp = buf[ i ];
110 | buf[ i ] = buf[ size - i - 1 ];
111 | buf[ size - i - 1 ] = temp;
112 | }
113 | }
114 |
115 | int mem_submem( byte* target_cont, int target_cont_len, byte* src_mem, int src_mem_len)
116 | {
117 | int __target_len;
118 | byte* __src_mem;
119 | int end_index;
120 | byte is_same;
121 | int i, j;
122 |
123 | if( src_mem_len < target_cont_len )
124 | return -1;
125 |
126 | __target_len = target_cont_len;
127 | __src_mem = src_mem;
128 |
129 | end_index = src_mem_len - target_cont_len + 1;
130 |
131 | for(i = 0; i < end_index; i ++)
132 | {
133 | is_same = TRUE;
134 | for( j = 0; j < target_cont_len; j++ )
135 | {
136 | if(target_cont[j] != __src_mem[i + j])
137 | {
138 | is_same = FALSE;
139 | break;
140 | }
141 | else
142 | {
143 | int j = 0;
144 | }
145 | }
146 |
147 | if( is_same )
148 | return i;
149 | }
150 | return -1;
151 | }
152 |
153 | int write_to_new_file_by_name( char *file_name, byte *data, dword data_len )
154 | {
155 | int ret = 0;
156 | HANDLE hfile;
157 | dword writed;
158 |
159 | ASSERT( NULL != file_name );
160 | ASSERT( NULL != data );
161 | ASSERT( NULL != data_len );
162 |
163 |
164 | hfile = CreateFile( file_name, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_NEW, 0, NULL );
165 | if( INVALID_HANDLE_VALUE == hfile )
166 | {
167 | return -1;
168 | }
169 |
170 | ret = WriteFile( hfile, data, data_len, &writed, NULL );
171 | if( FALSE == ret || writed != data_len )
172 | {
173 | ret = -1;
174 | goto __error;
175 | }
176 |
177 | __error:
178 | if( INVALID_HANDLE_VALUE != hfile )
179 | {
180 | CloseHandle( hfile );
181 | }
182 |
183 | return ret;
184 | }
185 |
186 | int write_to_new_file( char *file_path, char *file_name, byte *file_data, dword file_data_len )
187 | {
188 | int ret = 0;
189 | HANDLE hfile;
190 | dword writed;
191 | char new_file_name[ MAX_PATH ];
192 |
193 | ASSERT( NULL != file_name );
194 | ASSERT( NULL != file_data );
195 | ASSERT( NULL != file_data_len );
196 |
197 | strcpy( new_file_name, file_path );
198 | strcat( new_file_name, "\\" );
199 | strcat( new_file_name, file_name );
200 |
201 | ret = write_to_new_file_by_name( new_file_name, file_data, file_data_len );
202 |
203 | return ret;
204 | }
205 |
206 | int read_all_file_data( char *file_name, byte **data, dword *data_len )
207 | {
208 | int ret = 0;
209 | HANDLE hfile;
210 | dword file_len = 0;
211 | byte *__data = NULL;
212 | dword readed;
213 |
214 | ASSERT( NULL != data );
215 | ASSERT( NULL != data_len );
216 |
217 | hfile = CreateFile( file_name, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL );
218 | if( INVALID_HANDLE_VALUE == hfile )
219 | {
220 | ret = -1;
221 | goto __return;
222 | }
223 |
224 | file_len = SetFilePointer( hfile, 0, NULL, SEEK_END );
225 | SetFilePointer( hfile, 0, NULL, SEEK_SET );
226 |
227 | __data = ( PBYTE )malloc( file_len );
228 | if( NULL == __data )
229 | {
230 | ret = -1;
231 | goto __return;
232 | }
233 |
234 | ret = ReadFile( hfile, __data, file_len, &readed, NULL );
235 | if( FALSE == ret || readed != file_len )
236 | {
237 | ret = -1;
238 | goto __error;
239 | }
240 |
241 | ret = prepare_analyzing();
242 | if( 0 > ret )
243 | {
244 | goto __error;
245 | }
246 |
247 | goto __return;
248 |
249 | __error:
250 | if( NULL != __data )
251 | {
252 | free( __data );
253 | __data = NULL;
254 | }
255 |
256 | file_len = 0;
257 |
258 | __return:
259 | if( INVALID_HANDLE_VALUE != hfile )
260 | {
261 | CloseHandle( hfile );
262 | }
263 |
264 | *data = __data;
265 | *data_len = file_len;
266 | return ret;
267 | }
268 |
269 | int release_file_data( byte **data )
270 | {
271 | end_analyzing();
272 | ASSERT( NULL != data );
273 | ASSERT( NULL != *data );
274 |
275 | free( *data );
276 | *data = NULL;
277 | }
278 |
279 | int32 dump_mem( void *mem, int size, char*str_out, dword *buff_len )
280 | {
281 | int ret;
282 | dword out_len;
283 | byte dump_str[ 256 ];
284 | char *str_cur;
285 | unsigned char str[20];
286 | unsigned char *m = mem;
287 | int i,j;
288 |
289 | ASSERT( NULL != str_out );
290 | ASSERT( NULL != buff_len );
291 |
292 | *str_out = '\0';
293 | out_len = 0;
294 |
295 | for (j = 0; j < size / 8; j++)
296 | {
297 | memset( str, 0, sizeof( str ) );
298 | for (i = 0; i < 8; i++)
299 | {
300 | if (m[i] > ' ' && m[i] <= '~')
301 | {
302 | str[i] = m[i];
303 | }
304 | else
305 | {
306 | str[i] = '.';
307 | }
308 | }
309 |
310 | ret = sprintf( dump_str, "%02x %02x %02x %02x %02x %02x %02x %02x %s\n",
311 | m[0], m[1], m[2], m[3], m[4], m[5], m[6], m[7], str );
312 | if( 0 >= ret )
313 | {
314 | return -1;
315 | }
316 |
317 | out_len += ret;
318 |
319 | if( out_len > *buff_len )
320 | {
321 | *buff_len = out_len;
322 | return -1;
323 | }
324 |
325 | strcat( str_out, dump_str );
326 | m+=8;
327 | }
328 |
329 | if( size % 8 )
330 | {
331 | memset( str, 0, sizeof( str ) );
332 | for (i = 0; i < size % 8; i++)
333 | {
334 | if (m[i] > ' ' && m[i] <= '~')
335 | {
336 | str[i] = m[i];
337 | }
338 | else
339 | {
340 | str[i] = '.';
341 | }
342 | }
343 |
344 | *dump_str = '\0';
345 | str_cur = dump_str;
346 | m = ( byte* )mem + size - ( size % 8 );
347 |
348 | for (i = 0; i < size % 8; i++)
349 | {
350 | ret = sprintf( str_cur, "%02x ",
351 | m[i] );
352 | if( 0 >= ret )
353 | {
354 | return -1;
355 | }
356 |
357 | str_cur += ret;
358 | out_len += ret;
359 | }
360 |
361 | if( out_len > *buff_len )
362 | {
363 | *buff_len = out_len;
364 | return -1;
365 | }
366 |
367 | strcat( str_out, dump_str );
368 |
369 | out_len += strlen( str ) + 2;
370 | if( out_len > *buff_len )
371 | {
372 | *buff_len = out_len;
373 | return -1;
374 | }
375 |
376 | strcat( str_out, " " );
377 | strcat( str_out, str );
378 | }
379 |
380 | *buff_len = out_len;
381 | return 0;
382 | }
383 |
384 |
--------------------------------------------------------------------------------
/pe-master/common.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 | #ifndef __COMMON_H__
21 | #define __COMMON_H__
22 |
23 | #include
24 | #include
25 | #include
26 | #include
27 |
28 | #define callback __stdcall
29 |
30 | #define TRUE 1
31 | #define FALSE 0
32 |
33 | #ifndef ASSERT
34 | #ifdef _DEBUG
35 | #include
36 | #define ASSERT( x ) assert( x )
37 | #else
38 | #define ASSERT( x )
39 | #endif
40 | #endif
41 |
42 | #define CONST_STR_LEN( string ) ( int )( sizeof( string ) - sizeof( char ) )
43 |
44 | typedef unsigned long dword;
45 | typedef unsigned char byte;
46 | typedef unsigned short word;
47 | typedef int int32;
48 | typedef unsigned int uint32;
49 |
50 | #include "dlist.h"
51 |
52 | #ifdef __cplusplus
53 | extern "C" {
54 | #endif
55 |
56 | void *find_record_info( void *info, list_ele_compare compare_func );
57 | void littelendian2bigendian( byte *p, size_t size );
58 | int write_to_new_file( char *file_path, char *file_name, byte *data, dword data_len );
59 | int write_to_new_file_by_name( char *file_name, byte *data, dword data_len );
60 | int32 read_all_file_data( char *file_name, byte **data, dword *data_len );
61 | int32 mem_submem( byte* target_cont, int32 target_cont_len, byte* src_mem, int32 src_mem_len);
62 | int dump_mem( void *mem, int size, char*str_out, dword *buff_len );
63 | int release_file_data( byte **data );
64 | int32 open_file_dlg( HWND owner, char *seled_file_name, dword buff_len, dword flags );
65 |
66 | #ifdef __cplusplus
67 | }
68 | #endif
69 |
70 | #endif //__COMMON_H__
71 |
--------------------------------------------------------------------------------
/pe-master/common_analyze.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 |
21 | #include "common.h"
22 | #include "common_analyze.h"
--------------------------------------------------------------------------------
/pe-master/common_analyze.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 |
21 | #ifndef __COMMON_ANALYZE_H__
22 | #define __COMMON_ANALYZE_H__
23 |
24 | #define PE_FILE_TYPE 0x4d5a
25 | #define LIB_FILE_TYPE 0x02
26 | #define COFF_FILE_TYPE 0x041c
27 |
28 | #ifdef __cplusplus
29 | extern "C" {
30 | #endif
31 |
32 | typedef struct __code_infos
33 | {
34 | char *func_name;
35 | byte *func_code;
36 | dword func_code_len;
37 |
38 | } code_infos;
39 |
40 | typedef struct __sym_infos
41 | {
42 | char *sym_name;
43 | byte *sym_data;
44 | dword sym_data_len;
45 | } sym_infos;
46 |
47 | typedef struct __struct_infos
48 | {
49 | byte *struct_data;
50 | dword struct_id;
51 | dword struct_index;
52 | dword struct_context;
53 | dword param1;
54 | dword param2;
55 | dword param3;
56 | } struct_infos;
57 |
58 | typedef struct __error_infos
59 | {
60 | dword err_code;
61 | char *desc;
62 | } error_infos;
63 |
64 | typedef struct __obj_file_info
65 | {
66 | char *file_name;
67 | byte *file_data;
68 | dword file_data_len;
69 | } obj_file_info;
70 |
71 | typedef struct __name_info
72 | {
73 | char *name;
74 | dword name_order;
75 | } name_info;
76 |
77 | typedef int ( *export_import_info_proc )( name_info *info, void *context );
78 | typedef int ( *sym_info_proc )( sym_infos *sym_info, void *context );
79 | typedef int ( *code_info_proc )( code_infos *sym_info, void *context );
80 | typedef int ( *struct_info_proc )( struct_infos *struct_info, void *context );
81 | typedef int ( *obj_file_info_proc )( obj_file_info *file_info, void *context );
82 | typedef int ( *error_handler_proc )( error_infos *err_info );
83 |
84 | typedef struct __file_analyzer
85 | {
86 | sym_info_proc syms_analyze;
87 | sym_info_proc strs_analyze;
88 | code_info_proc code_analyze;
89 | obj_file_info_proc obj_file_analyze;
90 | struct_info_proc struct_analyze;
91 | export_import_info_proc name_analyze;
92 | error_handler_proc error_handler;
93 | void *context;
94 | byte *all_file_data;
95 | dword file_data_len;
96 | dword file_type;
97 | } file_analyzer;
98 |
99 | #ifdef __cplusplus
100 | }
101 | #endif
102 |
103 | #endif //__COMMON_ANALYZE_H__
--------------------------------------------------------------------------------
/pe-master/dlist.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 |
21 | #include "common.h"
22 | #include "dlist.h"
23 |
24 | int free_element_on_destroy( list_element element )
25 | {
26 | free( element );
27 | return 0;
28 | }
29 |
30 | int add_list_element( dlist *destlist, list_element element )
31 | {
32 | dlist *newlist;
33 | ASSERT( NULL != destlist );
34 |
35 | newlist = ( dlist* )malloc( sizeof( dlist ) );
36 | if( NULL == newlist )
37 | {
38 | return -E_OUTOFMEMORY;
39 | }
40 |
41 | memset( newlist, 0, sizeof( dlist ) );
42 | newlist->info = element;
43 |
44 | newlist->prev = destlist;
45 | newlist->next = destlist->next;
46 | if( NULL != destlist->next )
47 | {
48 | destlist->next->prev = newlist;
49 | }
50 | destlist->next = newlist;
51 |
52 | return 0;
53 | }
54 |
55 | int del_list_item( dlist *listitem, list_element *element )
56 | {
57 | ASSERT( NULL != listitem );
58 |
59 | if( NULL != listitem->prev )
60 | {
61 | listitem->prev->next = listitem->next;
62 | }
63 |
64 | if( NULL != listitem->next )
65 | {
66 | listitem->next->prev = listitem->prev;
67 | }
68 |
69 | if( NULL != element )
70 | {
71 | *element = listitem->info;
72 | }
73 | free( listitem );
74 | return 0;
75 | }
76 |
77 | dlist* find_list_element( dlist *destlist, list_element element )
78 | {
79 | dlist *listitem;
80 | ASSERT( NULL != destlist );
81 |
82 | listitem = destlist;
83 | for( ; NULL != listitem; listitem = listitem->next )
84 | {
85 | if( listitem->info == element )
86 | {
87 | return listitem;
88 | }
89 | }
90 |
91 | return NULL;
92 | }
93 |
94 | dlist* find_list_element_by_compare( dlist *destlist, list_element element, list_ele_compare compare_func )
95 | {
96 | dlist *listitem;
97 | ASSERT( NULL != destlist );
98 |
99 | listitem = destlist;
100 | listitem = listitem->next;
101 |
102 | for( ; NULL != listitem; listitem = listitem->next )
103 | {
104 | if( 0 == compare_func( listitem->info, element ) )
105 | {
106 | return listitem->info;
107 | }
108 | }
109 |
110 | return NULL;
111 | }
112 |
113 | dlist* get_list_item_ptr( list_element *list_item_member_addr )
114 | {
115 | dlist *listitem;
116 | ASSERT( NULL != list_item_member_addr );
117 |
118 | listitem = ( dlist* )list_item_member_addr;
119 |
120 | return listitem;
121 | }
122 |
123 | int del_list_element2( dlist *destlist, int index, list_element *element )
124 | {
125 | int count;
126 | dlist *listitem;
127 | ASSERT( NULL != destlist );
128 |
129 | listitem = destlist;
130 | count = 0;
131 | for( ; NULL != listitem; listitem = listitem->next )
132 | {
133 | if( count == index )
134 | {
135 | del_list_item( listitem, element );
136 | return 0;
137 | }
138 |
139 | count ++;
140 | }
141 |
142 | return -1;
143 | }
144 |
145 | int del_list_element( dlist *destlist, list_element element )
146 | {
147 | dlist *listitem;
148 | list_element tmp_elem;
149 | listitem = find_list_element( destlist, element );
150 | if( NULL != listitem )
151 | {
152 | del_list_item( listitem, &tmp_elem );
153 | }
154 | return 0;
155 | }
156 |
157 | int init_list_element( dlist **dest_list )
158 | {
159 | dlist *new_list;
160 | new_list = ( dlist* )malloc( sizeof( dlist ) );
161 | if( NULL == new_list )
162 | {
163 | return -E_OUTOFMEMORY;
164 | }
165 | memset( new_list, 0, sizeof( dlist ) );
166 | *dest_list = new_list;
167 | return 0;
168 | }
169 |
170 | int destroy_list( dlist *list_header, destroy_list_element_func des_func )
171 | {
172 | int ret;
173 | int failed_count;
174 |
175 | dlist *item;
176 | dlist *next_item;
177 |
178 | ASSERT( NULL != list_header );
179 | ASSERT( NULL == list_header->prev && NULL == list_header->info );
180 |
181 | item = list_header;
182 | failed_count = 0;
183 |
184 | for( ; ; )
185 | {
186 | if( NULL == item )
187 | {
188 | break;
189 | }
190 |
191 | next_item = get_next_list( item );
192 | if( NULL != des_func )
193 | {
194 | ret = des_func( item->info );
195 | if( 0 > ret )
196 | {
197 | failed_count ++;
198 | }
199 | }
200 |
201 | del_list_item( item, NULL );
202 |
203 | item = next_item;
204 | }
205 |
206 | return -failed_count;
207 | }
208 |
209 | dlist* get_next_list( dlist *item )
210 | {
211 | ASSERT( item );
212 | ASSERT( item->prev != NULL ? item->prev->next == item : TRUE );
213 | ASSERT( item->next != NULL ? item->next->prev == item : TRUE );
214 |
215 | return item->next;
216 | }
217 |
218 | dlist* get_prev_list( dlist *item )
219 | {
220 | ASSERT( item );
221 | ASSERT( item->prev != NULL ? item->prev->next == item : TRUE );
222 | ASSERT( item->next != NULL ? item->next->prev == item : TRUE );
223 |
224 | return item->prev;
225 | }
226 |
227 | dlist* get_next_list_element( dlist *item, list_element *element )
228 | {
229 | dlist *next_item;
230 |
231 | ASSERT( NULL != item );
232 |
233 | next_item = get_next_list( item );
234 |
235 | ASSERT( NULL != item );
236 | ASSERT( NULL != element );
237 |
238 | if( NULL == next_item )
239 | {
240 | *element = NULL;
241 | return NULL;
242 | }
243 |
244 | *element = next_item->info;
245 | return next_item;
246 | }
247 |
248 | dlist* get_prev_list_elememt( dlist *item, list_element *element )
249 | {
250 | dlist *prev_item;
251 | prev_item = get_prev_list( item );
252 |
253 | ASSERT( NULL != item );
254 | ASSERT( NULL != element );
255 |
256 | if( NULL == prev_item )
257 | {
258 | *element = NULL;
259 | return NULL;
260 | }
261 |
262 | *element = prev_item->info;
263 | return prev_item;
264 | }
--------------------------------------------------------------------------------
/pe-master/dlist.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 |
21 | #ifndef __BANLANCE_PARALLEL_DLIST_H__
22 | #define __BANLANCE_PARALLEL_DLIST_H__
23 |
24 | typedef void* list_element;
25 |
26 | typedef struct __dlist
27 | {
28 | list_element info;
29 | struct __dlist *prev;
30 | struct __dlist *next;
31 | } dlist;
32 |
33 | #include "common.h"
34 |
35 | typedef int ( *destroy_list_element_func )( list_element );
36 | typedef int ( callback *list_ele_compare )( list_element element1, list_element element2 );
37 |
38 | dlist* find_list_element_by_compare( dlist *destlist, list_element element, list_ele_compare compare_func );
39 | int free_element_on_destroy( list_element element );
40 | int add_list_element( dlist *destlist, list_element element );
41 | int del_list_item( dlist *listitem, list_element *element );
42 | dlist* find_list_element( dlist *destlist, list_element element );
43 | dlist* get_list_item_ptr( list_element *list_item_member_addr );
44 | int del_list_element2( dlist *destlist, int index, list_element *element );
45 | int del_list_element( dlist *destlist, list_element element );
46 | int init_list_element( dlist **dest_list );
47 | int destroy_list( dlist *list_header, destroy_list_element_func des_func );
48 | dlist* get_next_list( dlist *item );
49 | dlist* get_prev_list( dlist *item );
50 | dlist* get_next_list_element( dlist *item, list_element *element );
51 | dlist* get_prev_list_elememt( dlist *item, list_element *element );
52 |
53 | #endif
--------------------------------------------------------------------------------
/pe-master/file_analyzer.c:
--------------------------------------------------------------------------------
1 | #include "common.h"
2 | #include "common_analyze.h"
3 | #include "pe_file_analyzer.h"
4 | #include "lib_file_analyzer.h"
5 | #include "file_analyzer.h"
6 |
7 | typedef int ( callback check_this_file_type )( byte *data, dword data_len );
8 | void* g_check_file_funcs[] =
9 | {
10 | ( void* )check_pe_file_type,
11 | ( void* )check_lib_file_type,
12 | ( void* )check_coff_file_type
13 | };
14 |
15 | file_analyzer *global_analyzer = NULL;
16 | void set_file_analyzer( file_analyzer *analyzer )
17 | {
18 | global_analyzer = analyzer;
19 | }
20 |
21 | int init_analyzing( CHAR *filename, file_analyzer *analyzer )
22 | {
23 | int ret;
24 |
25 | byte *data;
26 | dword data_len;
27 |
28 | ASSERT( NULL != analyzer );
29 | ret = read_all_file_data( filename, &data, &data_len );
30 | analyzer->all_file_data = data;
31 | analyzer->file_data_len = data_len;
32 |
33 | if( 0 != ret )
34 | {
35 | if( NULL != analyzer->error_handler )
36 | {
37 | error_infos info;
38 | info.err_code = ERR_FILE_NOT_EXIST;
39 | info.desc = "This file is not existing";
40 |
41 | analyzer->error_handler( &info );
42 | }
43 | return -1;
44 | }
45 |
46 | analyzer->file_type = check_file_type( data, data_len );
47 | if( PE_FILE_TYPE == analyzer->file_type )
48 | {
49 | ret = analyze_pe_file_struct( data, data_len, analyzer );
50 | }
51 | else if( LIB_FILE_TYPE == analyzer->file_type )
52 | {
53 | ret = analyze_lib_file_struct( data, data_len, analyzer );
54 | }
55 | else if( COFF_FILE_TYPE == analyzer->file_type )
56 | {
57 | ret = analyze_coff_file_struct( data, data_len, 0, analyzer );
58 | }
59 |
60 | return ret;
61 | }
62 |
63 | int32 check_file_type( byte *data, dword data_len )
64 | {
65 | int ret;
66 | int i;
67 | ASSERT( NULL != data );
68 | ASSERT( 0 <= data_len );
69 |
70 | for( i = 0; i < sizeof( g_check_file_funcs ) / sizeof( void* ); i ++ )
71 | {
72 | check_this_file_type *check_proc;
73 | check_proc = ( check_this_file_type* )g_check_file_funcs[ i ];
74 | ret = check_proc( data, data_len );
75 | if( 0 <= ret )
76 | {
77 | return ret;
78 | }
79 | }
80 |
81 | return -1;
82 | }
83 |
84 | int32 callback compare_struct_info( void *element1, void *element2 )
85 | {
86 | struct_infos *info1;
87 | struct_infos *info2;
88 |
89 | ASSERT( NULL != element1 );
90 | ASSERT( NULL != element2 );
91 |
92 | info1 = ( struct_infos* )element1;
93 | info2 = ( struct_infos* )element2;
94 |
95 | if( info1->struct_id == info2->struct_id && info1->struct_index == info2->struct_index )
96 | {
97 | return 0;
98 | }
99 |
100 | return -1;
101 | }
102 |
103 | struct_infos *find_struct_info_by_id( dword type, dword index )
104 | {
105 | struct_infos info;
106 | info.struct_id = type;
107 | info.struct_index = index;
108 |
109 | return find_struct_info( &info );
110 | }
111 |
112 | struct_infos *find_struct_info( struct_infos *info )
113 | {
114 | return ( struct_infos* )find_record_info( ( void* )info, compare_struct_info );
115 | }
116 |
117 |
--------------------------------------------------------------------------------
/pe-master/file_analyzer.h:
--------------------------------------------------------------------------------
1 | #ifndef __FILE_ANALYZER_H__
2 | #define __FILE_ANALYZER_H__
3 |
4 | #define ERR_FILE_NOT_EXIST 0x0001000a
5 |
6 | #ifdef __cplusplus
7 | extern "C" {
8 | #endif
9 |
10 | int32 check_file_type( byte *data, dword data_len );
11 | int init_analyzing( CHAR *filename, file_analyzer *analyzer );
12 | struct_infos *find_struct_info( struct_infos *info );
13 | struct_infos *find_struct_info_by_id( dword type, dword index );
14 |
15 | #ifdef __cplusplus
16 | }
17 | #endif
18 | #endif //__FILE_ANALYZER_H__
--------------------------------------------------------------------------------
/pe-master/lib_file_analyzer.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 |
21 | #include "common.h"
22 | #include "common_analyze.h"
23 | #include "file_analyzer.h"
24 | #include "lib_file_analyzer.h"
25 |
26 | #define LIB_FILE_HEADER "!\n"
27 | #define STRTAB_END_SIGN "/\n"
28 |
29 | int32 callback check_lib_file_type( byte *data, dword data_len )
30 | {
31 | int ret;
32 |
33 | ASSERT( NULL != data );
34 | ASSERT( 0 < data_len );
35 |
36 | if( CONST_STR_LEN( LIB_FILE_HEADER ) > data_len )
37 | {
38 | return -1;
39 | }
40 |
41 | if( 0 == memcmp( LIB_FILE_HEADER, data, CONST_STR_LEN( LIB_FILE_HEADER ) ) )
42 | {
43 | return LIB_FILE_TYPE;
44 | }
45 |
46 | return -1;
47 | }
48 |
49 | int locate_next_sect( lib_section_hdr **sect_hdr, unsigned long *cur_offset, unsigned long data_len )
50 | {
51 | lib_section_hdr *__sect_hdr;
52 | dword offset;
53 |
54 | __sect_hdr = *sect_hdr;
55 | offset = *cur_offset;
56 | while( 0 != memcmp( __sect_hdr->end_of_header, LIB_SECT_HDR_END_SIGN, CONST_STR_LEN( LIB_SECT_HDR_END_SIGN ) ) )
57 | {
58 | offset += 1;
59 | if( offset == data_len )
60 | {
61 | return -1;
62 | }
63 |
64 | __sect_hdr = ( lib_section_hdr* )( ( byte* )__sect_hdr + 1 );
65 | }
66 |
67 | *cur_offset = offset;
68 | *sect_hdr = __sect_hdr;
69 | return 0;
70 | }
71 |
72 | #define LIB_HDR_FILLED_BYTE 0x20
73 | void clean_hdr_filled_bytes( lib_section_hdr *hdr )
74 | {
75 | int i;
76 | byte *data;
77 |
78 | data = ( byte* )hdr;
79 |
80 | for( i = 0; i < sizeof( lib_section_hdr ); i ++ )
81 | {
82 | if( LIB_HDR_FILLED_BYTE == data[ i ] )
83 | {
84 | data[ i ] = 0;
85 | }
86 | }
87 | }
88 |
89 | int32 analyze_lib_section1_data( byte *data, dword data_len, file_analyzer *analyzer )
90 | {
91 | int32 i;
92 | int32 ret;
93 | byte *section1_data;
94 | dword syms_num;
95 | dword syms_offsets;
96 | dword sym_offset;
97 | dword offset;
98 |
99 | offset = 0;
100 | section1_data = data; // + offset;
101 | syms_num = *( dword* )section1_data;
102 | littelendian2bigendian( &syms_num, sizeof( syms_num ) );
103 | offset += sizeof( dword );
104 | syms_offsets = data + offset;
105 | for( i = 0; i < syms_num; i ++ )
106 | {
107 | sym_offset = *( dword* )( syms_offsets );
108 | littelendian2bigendian( &sym_offset, sizeof( sym_offset ) );
109 | syms_offsets += sizeof( dword );
110 | }
111 | return 0;
112 | }
113 |
114 | int analyze_obj_sections( lib_section_hdr *sect_hdr, dword obj_sect_num )
115 | {
116 | int32 i;
117 | //for( i = 0; i < obj_sect_num; i ++ )
118 | //{
119 | // obj_sect_offset[ i ];
120 | //}
121 |
122 | return 0;
123 | }
124 |
125 | int analyze_sym_idxs( word *syms_idx, dword syms_num )
126 | {
127 | int32 i;
128 | for( i = 0; i < syms_num; i ++ )
129 | {
130 | syms_idx[ i ];
131 | }
132 |
133 | return 0;
134 | }
135 |
136 | int analyze_lib_section2( byte *section2_data, dword data_len )
137 | {
138 | dword obj_sect_num;
139 | dword offset;
140 | dword syms_num;
141 | dword syms_idx;
142 | char *section2_str_table;
143 | dword section2_str_table_len;
144 |
145 | offset = 0;
146 |
147 | obj_sect_num = *( dword* )section2_data;
148 | offset += sizeof( dword );
149 |
150 | offset += sizeof( dword ) * obj_sect_num;
151 | syms_num = *( dword* )( section2_data + offset );
152 |
153 | offset += sizeof( dword );
154 | syms_idx = ( word* )( section2_data + offset );
155 |
156 | offset += sizeof( word ) * syms_num;
157 | section2_str_table = ( char* )( section2_data + offset );
158 |
159 | section2_str_table_len =data_len - ( ( obj_sect_num )* sizeof( dword ) + sizeof( dword ) + syms_num * sizeof( word ) + sizeof( dword ) );
160 |
161 | offset += section2_str_table_len;
162 |
163 | return 0;
164 | }
165 |
166 | int32 analyze_long_section_data( byte *data, dword data_len )
167 | {
168 | //long_name_sect_strings = ( char* )( data + offset ) + sizeof( dword );
169 | return 0;
170 | }
171 |
172 | int analyze_lib_file_struct( byte *data, dword data_len, file_analyzer *analyzer )
173 | {
174 | int ret = 0;
175 | lib_section_hdr sect_copy;
176 | lib_section_hdr *section1;
177 | lib_section_hdr *section2;
178 | dword sym_offset;
179 | char *sym_name;
180 | dword offset;
181 |
182 | byte *section1_data;
183 | byte *syms_offsets;
184 | byte *syms_str_table;
185 | dword syms_str_offset;
186 | dword syms_str_table_len;
187 |
188 | byte *section2_data;
189 | dword obj_sect_num;
190 | dword *obj_sect_offset;
191 | dword syms_num;
192 | word *syms_idx;
193 | byte* section2_str_table;
194 | dword section2_str_offset;
195 | dword section2_str_table_len;
196 |
197 | lib_section_hdr *long_name_sect;
198 | byte* long_name_str_table;
199 | dword long_name_str_offset;
200 | dword long_name_str_table_len;
201 |
202 | lib_section_hdr *obj_file_sect;
203 | dword obj_file_name_offset;
204 | char *obj_file_name;
205 |
206 | char *long_name_sect_strings;
207 |
208 | int i;
209 |
210 | ASSERT( NULL != data );
211 | ASSERT( 0 <= data_len );
212 |
213 | if( 0 == data_len )
214 | {
215 | ret = -1;
216 | goto __error;
217 | }
218 |
219 | offset = 0;
220 |
221 | ret = check_lib_file_type( data, data_len );
222 | if( LIB_FILE_TYPE != ret )
223 | {
224 | ret = -1;
225 | goto __error;
226 | }
227 |
228 | offset += CONST_STR_LEN( LIB_FILE_HEADER );
229 | section1 = ( lib_section_hdr* )( data + offset );
230 | offset += sizeof( lib_section_hdr );
231 |
232 | sect_copy = *section1;
233 |
234 | clean_hdr_filled_bytes( §_copy );
235 | ASSERT( 0 == strcmp( sect_copy.name, "/" ) );
236 | ASSERT( 0 == memcmp( sect_copy.end_of_header, LIB_SECT_HDR_END_SIGN, CONST_STR_LEN( LIB_SECT_HDR_END_SIGN ) ) );
237 |
238 | if( NULL != analyzer->struct_analyze )
239 | {
240 | struct_infos *info;
241 | byte *__offset;
242 | dword data_size;
243 | ret = add_new_record_info( &info, sizeof( *info ) );
244 | if( 0 > ret )
245 | {
246 | goto __error;
247 | }
248 |
249 | info->struct_data = ( byte* )section1;
250 | info->struct_id = STRUCT_TYPE_LIB_SECTION1;
251 | info->struct_index = 0;
252 | info->struct_context = analyzer;
253 |
254 | analyzer->struct_analyze( info, analyzer->context );
255 |
256 | __offset = ( byte* )section1 + sizeof( lib_section_hdr );
257 | ret = add_new_record_info( &info, sizeof( *info ) );
258 | if( 0 > ret )
259 | {
260 | goto __error;
261 | }
262 |
263 | info->param1 = *( dword* )__offset;
264 | littelendian2bigendian( &info->param1, sizeof( info->param1 ) );
265 |
266 | info->struct_data = __offset + sizeof( dword ); ;
267 | info->struct_id = STRUCT_TYPE_SYM_TABLE;
268 | info->struct_index = 0;
269 | info->struct_context = analyzer;
270 |
271 | __offset += info->param1 * sizeof( dword ) + sizeof( dword );
272 | analyzer->struct_analyze( info, analyzer->context );
273 |
274 | ret = add_new_record_info( &info, sizeof( *info ) );
275 | if( 0 > ret )
276 | {
277 | goto __error;
278 | }
279 |
280 | data_size = atoi( sect_copy.size );
281 |
282 | info->param1 = data_size - ( __offset - ( ( byte* )section1 + sizeof( lib_section_hdr ) ) );
283 | ASSERT( info->param1 > 0 );
284 | info->struct_data = __offset;
285 | info->struct_id = STRUCT_TYPE_SECTION1_STR_TABLE;
286 | info->struct_index = 0;
287 | info->struct_context = analyzer;
288 |
289 | analyzer->struct_analyze( info, analyzer->context );
290 | }
291 |
292 | offset += atoi( sect_copy.size );
293 |
294 | section2 = ( lib_section_hdr* )( data + offset );
295 |
296 | ret = locate_next_sect( §ion2, &offset, data_len );
297 | if( 0 > ret )
298 | {
299 | return -1;
300 | }
301 |
302 | sect_copy = *section2;
303 | clean_hdr_filled_bytes( §_copy );
304 | assert( 0 == strcmp( sect_copy.name, "/" ) );
305 |
306 | if( NULL != analyzer->struct_analyze )
307 | {
308 | struct_infos *info;
309 | byte *__offset;
310 | dword data_size;
311 |
312 | ret = add_new_record_info( &info, sizeof( *info ) );
313 | if( 0 > ret )
314 | {
315 | goto __error;
316 | }
317 |
318 | info->struct_data = section2;
319 | info->struct_id = STRUCT_TYPE_LIB_SECTION2;
320 | info->struct_index = 0;
321 | info->struct_context = analyzer;
322 |
323 | analyzer->struct_analyze( info, analyzer->context );
324 |
325 | ret = add_new_record_info( &info, sizeof( *info ) );
326 | if( 0 > ret )
327 | {
328 | goto __error;
329 | }
330 |
331 | __offset = ( byte* )section2 + sizeof( lib_section_hdr );
332 | info->param1 = *( dword* )__offset;
333 | //littelendian2bigendian( &info->param1, sizeof( info->param1 ) );
334 | info->struct_data = __offset + sizeof( dword ); ;
335 | info->struct_id = STRUCT_TYPE_OBJ_OFFSETS;
336 | info->struct_index = 0;
337 | info->struct_context = analyzer;
338 |
339 | __offset += info->param1 * sizeof( dword ) + sizeof( dword );
340 |
341 | analyzer->struct_analyze( info, analyzer->context );
342 |
343 | ret = add_new_record_info( &info, sizeof( *info ) );
344 | if( 0 > ret )
345 | {
346 | goto __error;
347 | }
348 |
349 | info->param1 = *( dword* )__offset;
350 | //littelendian2bigendian( &info->param1, sizeof( info->param1 ) );
351 | info->struct_data = __offset + sizeof( dword ); ;
352 | info->struct_id = STRUCT_TYPE_SYM_INDEXES;
353 | info->struct_index = 0;
354 | info->struct_context = analyzer;
355 |
356 | __offset += info->param1 * sizeof( dword ) + sizeof( dword );
357 | analyzer->struct_analyze( info, analyzer->context );
358 |
359 | ret = add_new_record_info( &info, sizeof( *info ) );
360 | if( 0 > ret )
361 | {
362 | goto __error;
363 | }
364 |
365 | data_size = atoi( sect_copy.size );
366 |
367 | //littelendian2bigendian( &data_size, sizeof( data_size ) );
368 |
369 | info->param1 = data_size - ( __offset - ( ( byte* )section2 + sizeof( lib_section_hdr ) ) );
370 | ASSERT( info->param1 > 0 );
371 | info->struct_data = __offset;
372 | info->struct_id = STRUCT_TYPE_SECTION2_STR_TABLE;
373 | info->struct_index = 0;
374 | info->struct_context = analyzer;
375 |
376 | analyzer->struct_analyze( info, analyzer->context );
377 | }
378 |
379 | offset += sizeof( lib_section_hdr );
380 |
381 | obj_sect_num = *( dword* )( data + offset );
382 | offset += atoi( sect_copy.size );
383 |
384 | long_name_sect = ( lib_section_hdr* )( data + offset );
385 |
386 | ret = locate_next_sect( &long_name_sect, &offset, data_len );
387 | if( 0 > ret )
388 | {
389 | return -1;
390 | }
391 |
392 | sect_copy = *long_name_sect;
393 | clean_hdr_filled_bytes( §_copy );
394 |
395 | long_name_sect_strings = NULL;
396 | if( 0 == strcmp( sect_copy.name, "//" ) )
397 | {
398 | offset += sizeof( lib_section_hdr );
399 | long_name_sect_strings = data + offset + sizeof( dword );
400 |
401 | if( NULL != analyzer->struct_analyze )
402 | {
403 | struct_infos *info;
404 | ret = add_new_record_info( &info, sizeof( *info ) );
405 | if( 0 > ret )
406 | {
407 | goto __error;
408 | }
409 |
410 | info->struct_data = long_name_sect;
411 | info->struct_id = STRUCT_TYPE_LIB_SECTION_LONGNAME;
412 | info->struct_index = 0;
413 | info->struct_context = analyzer;
414 |
415 | analyzer->struct_analyze( info, analyzer->context );
416 |
417 | ret = add_new_record_info( &info, sizeof( *info ) );
418 | if( 0 > ret )
419 | {
420 | goto __error;
421 | }
422 |
423 | info->struct_data = ( byte* )long_name_sect + sizeof( lib_section_hdr ); ;
424 | info->struct_id = STRUCT_TYPE_LONGNAME_SECTION_STR_TABLE;
425 | info->struct_index = 0;
426 | info->struct_context = analyzer;
427 | info->param1 = atoi( long_name_sect->size );
428 | //littelendian2bigendian( &info->param1, sizeof( info->param1 ) );
429 |
430 | analyzer->struct_analyze( info, analyzer->context );
431 | }
432 |
433 | offset += atoi( sect_copy.size );
434 | }
435 |
436 | for( i = 0; i < obj_sect_num; i ++ )
437 | {
438 | obj_file_sect = ( lib_section_hdr* )( data + offset );
439 |
440 | ret = locate_next_sect( &obj_file_sect, &offset, data_len );
441 | if( 0 > ret )
442 | {
443 | return -1;
444 | }
445 |
446 | sect_copy = *obj_file_sect;
447 | clean_hdr_filled_bytes( §_copy );
448 |
449 | if( obj_file_sect->name[0] == '/' )
450 | {
451 | obj_file_name_offset = atoi( §_copy.name[ 1 ] );
452 | obj_file_name = &long_name_sect_strings[ obj_file_name_offset ];
453 | }
454 | else
455 | {
456 | char *obj_file_name_end;
457 | obj_file_name_end = strchr( sect_copy.name, '/' );
458 | if( NULL != obj_file_name_end )
459 | {
460 | *obj_file_name_end = '\0';
461 | }
462 |
463 | obj_file_name = sect_copy.name;
464 | }
465 |
466 | if( NULL != analyzer->struct_analyze )
467 | {
468 | struct_infos *info;
469 | ret = add_new_record_info( &info, sizeof( *info ) );
470 | if( 0 > ret )
471 | {
472 | goto __error;
473 | }
474 |
475 | info->struct_data = obj_file_sect;
476 | info->struct_id = STRUCT_TYPE_LIB_SECTION_OBJ_FILE;
477 | info->struct_index = i;
478 | info->struct_context = analyzer;
479 |
480 | analyzer->struct_analyze( info, analyzer->context );
481 | }
482 |
483 | if( NULL != analyzer->obj_file_analyze )
484 | {
485 | obj_file_info info;
486 | info.file_name = obj_file_name;
487 | info.file_data = ( byte* )obj_file_sect + sizeof( lib_section_hdr );
488 | info.file_data_len = atoi( obj_file_sect->size );
489 | analyzer->obj_file_analyze( &info, analyzer->context );
490 | }
491 |
492 | analyze_coff_file_struct( ( byte* )obj_file_sect + sizeof( lib_section_hdr ), atoi( obj_file_sect->size ), i, analyzer );
493 |
494 | offset += sizeof( lib_section_hdr );
495 | offset += atoi( obj_file_sect->size );
496 | }
497 |
498 | __error:
499 | return ret;
500 | }
501 |
502 | int just_search_symbols( char *data, dword data_len )
503 | {
504 | #define remain_len( pointer ) ( dword )( data + data_len - pointer )
505 |
506 | byte *func_name_begin_dash;
507 | byte *func_name_begin_question;
508 | byte *func_name_begin;
509 | byte *func_name_end;
510 | func_name_begin = data;
511 | for( ; ; )
512 | {
513 | func_name_begin_question = memchr( func_name_begin, '?', remain_len( func_name_begin ) );
514 | func_name_begin_dash = memchr( func_name_begin, '_', remain_len( func_name_begin ) );
515 |
516 | if( func_name_begin_question != NULL && func_name_begin_dash > func_name_begin_question )
517 | {
518 | func_name_begin = func_name_begin_question;
519 | }
520 | else
521 | {
522 | func_name_begin = func_name_begin_dash;
523 | }
524 |
525 | if( NULL == func_name_begin )
526 | {
527 | break;
528 | }
529 |
530 | func_name_end = memchr( func_name_begin, 0, remain_len( func_name_begin ) );
531 | if( NULL == func_name_end )
532 | {
533 | break;
534 | }
535 |
536 | func_name_begin = func_name_end + sizeof( char );
537 | }
538 |
539 | return 0;
540 | }
541 |
542 |
--------------------------------------------------------------------------------
/pe-master/lib_file_analyzer.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 |
21 | #ifndef __LIB_FILE_ANALYZER_H__
22 | #define __LIB_FILE_ANALYZER_H__
23 |
24 | #include "coff_file_analyzer.h"
25 |
26 | #define LIB_SECT_HDR_END_SIGN "`\n"
27 |
28 | #define STRUCT_TYPE_LIB_SECTION1 0x00020001
29 | #define STRUCT_TYPE_LIB_SECTION2 0x00020002
30 | #define STRUCT_TYPE_LIB_SECTION_LONGNAME 0x00020003
31 | #define STRUCT_TYPE_LIB_SECTION_OBJ_FILE 0x00020004
32 | #define STRUCT_TYPE_SYM_TABLE 0x00020005
33 | #define STRUCT_TYPE_SECTION1_STR_TABLE 0x00020006
34 | #define STRUCT_TYPE_OBJ_OFFSETS 0x00020007
35 | #define STRUCT_TYPE_SYM_INDEXES 0x00020008
36 | #define STRUCT_TYPE_SECTION2_STR_TABLE 0x0002000c
37 | #define STRUCT_TYPE_LONGNAME_SECTION_STR_TABLE 0x0002000d
38 |
39 | typedef struct __lib_section_hdr
40 | {
41 | char name[16];
42 | char time[12];
43 | char user_id[6];
44 | char group_id[6];
45 | char mode[8];
46 | char size[10];
47 | char end_of_header[2];
48 |
49 | } lib_section_hdr;
50 |
51 | typedef struct __section1_data{
52 | unsigned long SymbolNum;
53 | unsigned long *SymbolOffset;
54 | char *StrTable;
55 | } section1_data;
56 |
57 | typedef struct __section2_data{
58 | unsigned long ObjNum;
59 | unsigned long *ObjOffset;
60 | unsigned long SymbolNum;
61 | unsigned short *SymbolIdx;
62 | char *StrTable;
63 | } section2_data;
64 |
65 | #ifdef __cplusplus
66 | extern "C" {
67 | #endif
68 |
69 | void clean_hdr_filled_bytes( lib_section_hdr *hdr );
70 | int find_section_2( byte *data );
71 | int callback check_lib_file_type( byte *data, dword data_len );
72 | int read_obj_section( lib_section_hdr* sect, byte *data );
73 | int analyze_lib_file_struct( byte *data, dword data_len, file_analyzer *analyzer );
74 |
75 | #ifdef __cplusplus
76 | }
77 | #endif
78 |
79 | #endif //__LIB_FILE_ANALYZER_H__
--------------------------------------------------------------------------------
/pe-master/lib_struct_analyze.c:
--------------------------------------------------------------------------------
1 | #include "common.h"
2 | #include "common_analyze.h"
3 | #include "lib_struct_analyze.h"
4 |
5 | int32 analyze_lib_section_str_table( byte *data, dword data_len, file_analyzer *analyzer )
6 | {
7 | int ret;
8 | char *syms_str_table;
9 | dword syms_str_table_len;
10 | dword syms_str_offset;
11 |
12 | syms_str_table = ( byte* )( data + offset );
13 | syms_str_table_len = atoi( section1->Size ) - ( sizeof( dword ) * syms_num + sizeof( dword ) );
14 |
15 | syms_str_offset = 0;
16 | for(;; )
17 | {
18 | syms_str_table;
19 | syms_str_offset += strlen( syms_str_table ) + sizeof( char );
20 | syms_str_table += strlen( syms_str_table ) + sizeof( char );
21 |
22 | assert( syms_str_offset <= syms_str_table_len );
23 | if( syms_str_offset == syms_str_table_len )
24 | {
25 | break;
26 | }
27 | }
28 | return 0;
29 | }
30 |
31 | int32 coff_optional32_hdr_analyze( const coff_opt_hdr28 *opt_hdr )
32 | {
33 | coff_opt_hdr28 *opt_hdr28;
34 |
35 | opt_hdr28 = opt_hdr;
36 |
37 | opt_hdr28->magic == 0x010b; //exe
38 | opt_hdr28->magic == 0x0107; //rom
39 | opt_hdr28->entry;
40 | opt_hdr28->version;
41 | opt_hdr28->text_base;
42 |
43 | return 0;
44 | }
45 |
46 | int32 coff_file_hdr_analyze( const coff_file_hdr *file_hdr )
47 | {
48 |
49 | ASSERT( NULL != file_hdr );
50 | file_hdr->time;
51 | file_hdr->sect_num;
52 | file_hdr->syms_num;
53 | file_hdr->syms_offset;
54 |
55 | return 0;
56 | }
57 |
58 | int32 coff_sect_hdr_analyze( const coff_section_hdr *sect_hdr )
59 | {
60 |
61 | sect_hdr->flags;
62 | sect_hdr->ln_table_offset;
63 |
64 | return 0;
65 | }
--------------------------------------------------------------------------------
/pe-master/lib_struct_analyze.h:
--------------------------------------------------------------------------------
1 | #ifndef __LIB_STRUCT_ANALYZE_H__
2 | #define __LIB_STRUCT_ANALYZE_H__
3 |
4 |
5 |
6 | #endif //__LIB_STRUCT_ANALYZE_H__
--------------------------------------------------------------------------------
/pe-master/lib_struct_analyzer.c:
--------------------------------------------------------------------------------
1 | #include "common.h"
2 | #include "common_analyze.h"
3 | #include "coff_file_analyzer.h"
4 | #include "lib_file_analyzer.h"
5 | #include "lib_struct_analyzer.h"
6 |
7 | int32 coff_optional32_hdr_analyze( const coff_opt_hdr28 *opt_hdr )
8 | {
9 | coff_opt_hdr28 *opt_hdr28;
10 |
11 | opt_hdr28 = opt_hdr;
12 |
13 | opt_hdr28->magic == 0x010b; //exe
14 | opt_hdr28->magic == 0x0107; //rom
15 | opt_hdr28->entry;
16 | opt_hdr28->version;
17 | opt_hdr28->text_base;
18 |
19 | return 0;
20 | }
21 |
22 | int32 coff_file_hdr_analyze( const coff_file_hdr *file_hdr )
23 | {
24 |
25 | ASSERT( NULL != file_hdr );
26 | file_hdr->time;
27 | file_hdr->sect_num;
28 | file_hdr->syms_num;
29 | file_hdr->syms_offset;
30 |
31 | return 0;
32 | }
33 |
34 | int32 coff_sect_hdr_analyze( const coff_sect_hdr *sect_hdr )
35 | {
36 |
37 | sect_hdr->flags;
38 | sect_hdr->ln_table_offset;
39 |
40 | return 0;
41 | }
--------------------------------------------------------------------------------
/pe-master/lib_struct_analyzer.h:
--------------------------------------------------------------------------------
1 | #ifndef __LIB_STRUCT_ANALYZE_H__
2 | #define __LIB_STRUCT_ANALYZE_H__
3 |
4 | #ifdef __cplusplus
5 | extern "C" {
6 | #endif
7 |
8 | void clean_hdr_filled_bytes( lib_section_hdr *hdr );
9 |
10 | #ifdef __cplusplus
11 | }
12 | #endif
13 | #endif //__LIB_STRUCT_ANALYZE_H__
--------------------------------------------------------------------------------
/pe-master/pe-master_2003.sln:
--------------------------------------------------------------------------------
1 | Microsoft Visual Studio Solution File, Format Version 8.00
2 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "lib_sample", "..\lib_sample\lib_sample_2003.vcproj", "{962D0D53-927A-4A7E-A02B-C21C0E4B28A8}"
3 | ProjectSection(ProjectDependencies) = postProject
4 | EndProjectSection
5 | EndProject
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pe-analyzer", "..\pe-analyzer\pe-analyzer_2003.vcproj", "{3A8F5A21-049A-425C-8BCC-10001DD672C1}"
7 | ProjectSection(ProjectDependencies) = postProject
8 | EndProjectSection
9 | EndProject
10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pe-master", "pe-master_2003.vcproj", "{1C96DD72-7EB3-47D0-9DAD-5889C4FC40B1}"
11 | ProjectSection(ProjectDependencies) = postProject
12 | EndProjectSection
13 | EndProject
14 | Global
15 | GlobalSection(SolutionConfiguration) = preSolution
16 | Debug = Debug
17 | Release = Release
18 | EndGlobalSection
19 | GlobalSection(ProjectConfiguration) = postSolution
20 | {962D0D53-927A-4A7E-A02B-C21C0E4B28A8}.Debug.ActiveCfg = Debug|Win32
21 | {962D0D53-927A-4A7E-A02B-C21C0E4B28A8}.Debug.Build.0 = Debug|Win32
22 | {962D0D53-927A-4A7E-A02B-C21C0E4B28A8}.Release.ActiveCfg = Release|Win32
23 | {962D0D53-927A-4A7E-A02B-C21C0E4B28A8}.Release.Build.0 = Release|Win32
24 | {3A8F5A21-049A-425C-8BCC-10001DD672C1}.Debug.ActiveCfg = Debug|Win32
25 | {3A8F5A21-049A-425C-8BCC-10001DD672C1}.Debug.Build.0 = Debug|Win32
26 | {3A8F5A21-049A-425C-8BCC-10001DD672C1}.Release.ActiveCfg = Release|Win32
27 | {3A8F5A21-049A-425C-8BCC-10001DD672C1}.Release.Build.0 = Release|Win32
28 | {1C96DD72-7EB3-47D0-9DAD-5889C4FC40B1}.Debug.ActiveCfg = Debug|Win32
29 | {1C96DD72-7EB3-47D0-9DAD-5889C4FC40B1}.Debug.Build.0 = Debug|Win32
30 | {1C96DD72-7EB3-47D0-9DAD-5889C4FC40B1}.Release.ActiveCfg = Release|Win32
31 | {1C96DD72-7EB3-47D0-9DAD-5889C4FC40B1}.Release.Build.0 = Release|Win32
32 | EndGlobalSection
33 | GlobalSection(ExtensibilityGlobals) = postSolution
34 | EndGlobalSection
35 | GlobalSection(ExtensibilityAddIns) = postSolution
36 | EndGlobalSection
37 | EndGlobal
38 |
--------------------------------------------------------------------------------
/pe-master/pe-master_2003.vcproj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/pe-master/pe-master_2003.vcproj
--------------------------------------------------------------------------------
/pe-master/pe-master_2005.sln:
--------------------------------------------------------------------------------
1 | Microsoft Visual Studio Solution File, Format Version 9.00
2 | # Visual Studio 2005
3 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pe-analyzer", "..\pe-analyzer\pe-analyzer.vcproj", "{3A8F5A21-049A-425C-8BCC-10001DD672C1}"
4 | ProjectSection(ProjectDependencies) = postProject
5 | {1C96DD72-7EB3-47D0-9DAD-5889C4FC40B1} = {1C96DD72-7EB3-47D0-9DAD-5889C4FC40B1}
6 | EndProjectSection
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "lib_sample", "..\lib_sample\lib_sample.vcproj", "{962D0D53-927A-4A7E-A02B-C21C0E4B28A8}"
9 | EndProject
10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pe-master", "pe-master_2005.vcproj", "{1C96DD72-7EB3-47D0-9DAD-5889C4FC40B1}"
11 | EndProject
12 | Global
13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
14 | Debug|Win32 = Debug|Win32
15 | Release|Win32 = Release|Win32
16 | EndGlobalSection
17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | {3A8F5A21-049A-425C-8BCC-10001DD672C1}.Debug|Win32.ActiveCfg = Debug|Win32
19 | {3A8F5A21-049A-425C-8BCC-10001DD672C1}.Debug|Win32.Build.0 = Debug|Win32
20 | {3A8F5A21-049A-425C-8BCC-10001DD672C1}.Release|Win32.ActiveCfg = Release|Win32
21 | {3A8F5A21-049A-425C-8BCC-10001DD672C1}.Release|Win32.Build.0 = Release|Win32
22 | {962D0D53-927A-4A7E-A02B-C21C0E4B28A8}.Debug|Win32.ActiveCfg = Debug|Win32
23 | {962D0D53-927A-4A7E-A02B-C21C0E4B28A8}.Debug|Win32.Build.0 = Debug|Win32
24 | {962D0D53-927A-4A7E-A02B-C21C0E4B28A8}.Release|Win32.ActiveCfg = Release|Win32
25 | {962D0D53-927A-4A7E-A02B-C21C0E4B28A8}.Release|Win32.Build.0 = Release|Win32
26 | {1C96DD72-7EB3-47D0-9DAD-5889C4FC40B1}.Debug|Win32.ActiveCfg = Debug|Win32
27 | {1C96DD72-7EB3-47D0-9DAD-5889C4FC40B1}.Debug|Win32.Build.0 = Debug|Win32
28 | {1C96DD72-7EB3-47D0-9DAD-5889C4FC40B1}.Release|Win32.ActiveCfg = Release|Win32
29 | {1C96DD72-7EB3-47D0-9DAD-5889C4FC40B1}.Release|Win32.Build.0 = Release|Win32
30 | EndGlobalSection
31 | GlobalSection(SolutionProperties) = preSolution
32 | HideSolutionNode = FALSE
33 | EndGlobalSection
34 | EndGlobal
35 |
--------------------------------------------------------------------------------
/pe-master/pe-master_2005.vcproj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/pe-master/pe-master_2005.vcproj
--------------------------------------------------------------------------------
/pe-master/pe_ana_func.def:
--------------------------------------------------------------------------------
1 | LIBRARY pe-master
2 |
3 | EXPORTS
4 | analyze_pe_file_struct
5 | check_lib_file_type
6 | write_to_new_file
7 | write_to_new_file_by_name
8 | analyze_lib_file_struct
9 | init_analyzing
10 | analyze_pe_file_struct
11 | mem_submem
12 | dump_mem
13 | open_file_dlg
14 | release_file_data
15 | find_struct_info
16 | find_struct_info_by_id
17 | clean_hdr_filled_bytes
--------------------------------------------------------------------------------
/pe-master/pe_file_analyze.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 | #include "common.h"
21 | #include "common_analyze.h"
22 | #include "pe_analyze.h"
23 |
24 | #define MAX_MSG_LEN 512
25 |
26 | #define ERR_READ_OR_FILE_TO_SMALL 0xffff4d5a
27 | #define ERR_PE_DOS_HEADER_SIGN 0x00014d5a
28 | #define ERR_PE_NT_HEADER_SIGN 0x00024d5a
29 | #define ERR_PE_OPTIONAL_HEADER_LEN 0x00034d5a
30 | #define ERR_PE_NT_HEADER_MACHINE 0x00044d5a
31 | #define ERR_PE_OPTIONAL_HEADER_SIGN 0x00054d5a
32 | #define ERR_PE_OPTIONAL_HEADER_SUBSYS 0x00064d5a
33 |
34 | #define STRUCT_TYPE_PE_DOS_HEADER 0x4d5a0001
35 | #define STRUCT_TYPE_PE_DOS_STUB 0x4d5a0002
36 | #define STRUCT_TYPE_NT_HEADER 0x4d5a0003
37 | #define STRUCT_TYPE_OPTIONAL_HEADER 0x4d5a0004
38 | #define WINDOWS_PE_OPTIONAL_HEADER_SIGN 0x010b
39 |
40 | int32 check_pe_file_type( byte *data, dword data_len )
41 | {
42 | ASSERT( NULL != data );
43 | ASSERT( 0 < data_len );
44 |
45 | if( data_len < sizeof( word ) )
46 | {
47 | return -1;
48 | }
49 |
50 | if( *( word* )data == 0x5d4a )
51 | {
52 | return PE_TYPE;
53 | }
54 | return -1;
55 | }
56 |
57 | PBYTE find_virt_addr_ptr2( DWORD virt_addr, DWORD size, PIMAGE_SECTION_HEADER sect_hdrs, DWORD sect_num, PBYTE data, PIMAGE_SECTION_HEADER *finded_sect )
58 | {
59 | INT32 i;
60 | PIMAGE_SECTION_HEADER sect_hdr;
61 |
62 | if( size == 0 /*&& NULL == virt_addr*/ )
63 | {
64 | *finded_sect = NULL;
65 | return NULL;
66 | }
67 |
68 | sect_hdr = sect_hdrs;
69 |
70 | for( i = 0; i < sect_num; i ++ )
71 | {
72 | if( virt_addr >= sect_hdr->VirtualAddress &&
73 | virt_addr + size <= sect_hdr->VirtualAddress + sect_hdr->SizeOfRawData )
74 | {
75 | PBYTE data_out;
76 | *finded_sect = sect_hdr;
77 |
78 | return data + sect_hdr->PointerToRawData + ( virt_addr - sect_hdr->VirtualAddress );
79 | }
80 |
81 | sect_hdr ++;
82 | }
83 |
84 | *finded_sect = NULL;
85 | return ( PBYTE )NULL;
86 | }
87 |
88 | PBYTE find_virt_addr_ptr( PIMAGE_DATA_DIRECTORY dir, PIMAGE_SECTION_HEADER sect_hdrs, DWORD sect_num, PBYTE data, PIMAGE_SECTION_HEADER *finded_sect )
89 | {
90 | return find_virt_addr_ptr2( dir->VirtualAddress, dir->Size, sect_hdrs, sect_num, data, finded_sect );
91 | }
92 |
93 | INT32 analyze_copyright( PIMAGE_DATA_DIRECTORY copyright, PIMAGE_SECTION_HEADER sects, DWORD sect_num, PBYTE data )
94 | {
95 | PBYTE copyright_buf;
96 | PBYTE copyright_ptr;
97 | PIMAGE_DATA_DIRECTORY finded_sect;
98 |
99 | copyright_ptr = find_virt_addr_ptr( copyright, sects, sect_num, data, &finded_sect );
100 | if( NULL == copyright )
101 | {
102 | return -1;
103 | }
104 |
105 | copyright_buf = ( PBYTE )malloc( copyright->Size + 1 );
106 | memcpy( copyright_buf, copyright_ptr, copyright->Size );
107 | copyright_buf[ copyright->Size ] = '\0';
108 |
109 | if( NULL != analyzer->struct_analyze )
110 | {
111 | if( NULL != analyzer->struct_analyze )
112 | {
113 | struct_infos info;
114 | info.struct_data =;
115 | info.struct_id = ;
116 | info.struct_name = ;
117 | info.param1 = ;
118 | analyzer->struct_analyze( &info, analyze->context );
119 | }
120 | }
121 | return 0;
122 | }
123 |
124 | INT32 analyze_export_syms( PIMAGE_DATA_DIRECTORY export_syms, PIMAGE_SECTION_HEADER sects, DWORD sect_num, PBYTE data )
125 | {
126 | INT32 i;
127 | PDWORD function_rvas;
128 | PDWORD func_name_rvas;
129 | PDWORD func_name_ord_rvas;
130 | DWORD function_rva;
131 | PCHAR func_name;
132 | DWORD func_name_ord;
133 | PIMAGE_EXPORT_DIRECTORY export_table;
134 | PIMAGE_SECTION_HEADER finded_sect;
135 |
136 | export_table = find_virt_addr_ptr( export_syms, sects, sect_num, data, &finded_sect );
137 | if( NULL == export_table )
138 | {
139 | if( NULL != analyzer->error_handler )
140 | {
141 | #define ERR_PE_EXPORT_SYM_RVA_PARSING 0x00094d5a
142 | analyzer->error_handler( ERR_PE_EXPORT_SYM_RVA_PARSING )
143 | }
144 | return -1;
145 | }
146 |
147 | function_rvas = find_virt_addr_ptr2( export_table->AddressOfFunctions, sizeof( DWORD ) * export_table->NumberOfFunctions, sects, sect_num, data, &finded_sect );
148 | if( NULL == function_rvas )
149 | {
150 | if( NULL != analyzer->error_handler )
151 | {
152 | #define ERR_PE_EXPORT_ADDRESS_RVA_PARSING 0x00094d5a
153 | analyzer->error_handler( ERR_PE_EXPORT_ADDRESS_RVA_PARSING )
154 | }
155 | return -1;
156 | }
157 |
158 | for( i = 0; i < export_table->NumberOfFunctions; i ++ )
159 | {
160 | function_rva = find_virt_addr_ptr2( function_rvas[ i ], sizeof( DWORD ), sects, sect_num, data, &finded_sect );
161 | if( NULL == function_rvas )
162 | {
163 | if( NULL != analyzer->error_handler )
164 | {
165 | #define ERR_PE_EXPORT_ADDRESS_RVA_PARSING 0x00094d5a
166 | analyzer->error_handler( ERR_PE_EXPORT_ADDRESS_RVA_PARSING )
167 | }
168 | return -1;
169 | }
170 | }
171 |
172 | func_name_ord_rvas = find_virt_addr_ptr2( export_table->AddressOfNameOrdinals, sizeof( DWORD ), sects, sect_num, data, &finded_sect );
173 | func_name_rvas = find_virt_addr_ptr2( export_table->AddressOfNames, sizeof( DWORD ), sects, sect_num, data, &finded_sect );
174 | if( NULL == func_name_rvas )
175 | {
176 | if( NULL == func_name_rvas )
177 | {
178 | if( NULL != analyzer->error_handler )
179 | {
180 | #define ERR_PE_EXPORT_ADDRESS_RVA_PARSING 0x00094d5a
181 | analyzer->error_handler( ERR_PE_EXPORT_ADDRESS_RVA_PARSING )
182 | }
183 | return -1;
184 | }
185 | }
186 |
187 | if( NULL == func_name_ord_rvas )
188 | {
189 | {
190 | if( NULL == func_name_rvas )
191 | {
192 | if( NULL != analyzer->error_handler )
193 | {
194 | #define ERR_PE_EXPORT_ADDRESS_RVA_PARSING 0x00094d5a
195 | analyzer->error_handler( ERR_PE_EXPORT_ADDRESS_RVA_PARSING )
196 | }
197 | return -1;
198 | }
199 | }
200 |
201 | for( i = 0; i < export_table->NumberOfNames; i ++ )
202 | {
203 | func_name = find_virt_addr_ptr2( func_name_rvas[ i ], sizeof( DWORD ), sects, sect_num, data, &finded_sect );
204 | func_name_ord = *( DWORD* )find_virt_addr_ptr2( func_name_ord_rvas[ i ], sizeof( DWORD ), sects, sect_num, data, &finded_sect );
205 | if( NULL == func_name )
206 | {
207 | if( NULL != analyzer->error_handler )
208 | {
209 | #define ERR_PE_EXPORT_ADDRESS_RVA_PARSING 0x00094d5a
210 | analyzer->error_handler( ERR_PE_EXPORT_ADDRESS_RVA_PARSING )
211 | }
212 | return -1;
213 | }
214 |
215 | struct_infos info;
216 | info.struct_data =;
217 | info.struct_id = ;
218 | info.struct_name = ;
219 | info.param1 = ;
220 | analyzer->struct_analyze( &info, analyze->context );
221 | }
222 |
223 | export_table->AddressOfNameOrdinals;
224 | return 0;
225 | }
226 |
227 | INT32 read_import_func_info( DWORD import_name_rva, PIMAGE_SECTION_HEADER sects,
228 | DWORD sect_num, PBYTE data,
229 | dword data_len, file_analyzer *analyzer )
230 | {
231 | INT32 ret;
232 | PIMAGE_THUNK_DATA thunk;
233 | PIMAGE_IMPORT_BY_NAME import_info;
234 | PIMAGE_SECTION_HEADER finded_sect;
235 |
236 | thunk = find_virt_addr_ptr2( import_name_rva, sizeof( IMAGE_IMPORT_BY_NAME ), sects, sect_num, data, &finded_sect );
237 |
238 | if( NULL == thunk )
239 | {
240 | return -1;
241 | }
242 |
243 | for( ; ; )
244 | {
245 | __asm
246 | {
247 | mov ecx, 0x04;
248 | mov edi, thunk;
249 | xor eax, eax;
250 | repz scasb;
251 | mov dword ptr [ret], ecx;
252 | }
253 |
254 | if( 0 == ret )
255 | {
256 | return 0;
257 | }
258 |
259 | import_info = find_virt_addr_ptr2( thunk->u1.AddressOfData, sizeof( IMAGE_THUNK_DATA ), sects, sect_num, data, &finded_sect );
260 |
261 | if( NULL != analyzer->struct_analyze )
262 | {
263 | struct_infos info;
264 | info.struct_data =;
265 | info.struct_id = ;
266 | info.struct_name = ;
267 | info.param1 = ;
268 | analyzer->struct_analyze( &info, analyze->context );
269 | }
270 | thunk ++;
271 | }
272 |
273 | return 0;
274 | }
275 |
276 | INT32 analyze_import_syms( PIMAGE_DATA_DIRECTORY import_syms, PIMAGE_SECTION_HEADER sects, DWORD sect_num, PBYTE data, dword data_len, file_analyzer *analyzer )
277 | {
278 | INT32 ret;
279 | PIMAGE_IMPORT_DESCRIPTOR import_desc;
280 | PIMAGE_SECTION_HEADER finded_sect;
281 |
282 | import_desc = find_virt_addr_ptr( import_syms, sects, sect_num, data, &finded_sect );
283 | if( NULL == import_desc )
284 | {
285 | return -1;
286 | }
287 |
288 | for( ; ; )
289 | {
290 | __asm
291 | {
292 | mov ecx, 0x14;
293 | mov edi, import_desc;
294 | xor eax, eax;
295 | repz scasb;
296 | mov dword ptr [ret], ecx;
297 | }
298 |
299 | if( ret == 0 )
300 | {
301 | return 0;
302 | }
303 |
304 | if( NULL != analyzer->struct_analyze )
305 | {
306 | #define STRUCT_TYPE_PE_IMPORT_DESC 0x4d5a0007
307 | struct_info info;
308 | info.struct_data = import_desc;
309 | info.struct_id = STRUCT_TYPE_PE_IMPORT_DESC;
310 | info.struct_name;
311 | info.param1 = data;
312 |
313 | analyzer->struct_analyze( &info, analyzer->context );
314 | }
315 |
316 | import_desc ++;
317 | }
318 |
319 | return -1;
320 | }
321 |
322 | INT32 read_resource_data( PIMAGE_RESOURCE_DATA_ENTRY res_data, PBYTE sect_data, PIMAGE_RESOURCE_DATA_ENTRY res_data_out, file_analyzer *analyzer )
323 | {
324 | ASSERT( NULL != res_data );
325 | ASSERT( NULL != sect_data );
326 | ASSERT( NULL != res_data_out );
327 |
328 | res_data_out->OffsetToData = ( PBYTE )malloc( res_data->Size );
329 | if( NULL == res_data_out->OffsetToData )
330 | {
331 | return -1;
332 | }
333 |
334 | memcpy( res_data_out->OffsetToData, res_data->OffsetToData + sect_data, res_data->Size );
335 |
336 | if( NULL != analyzer->struct_analyze )
337 | {
338 | struct_infos info;
339 | struct_info info;
340 | info.struct_data = import_desc;
341 | info.struct_id = STRUCT_TYPE_PE_IMPORT_DESC;
342 | info.struct_name;
343 | info.param1 = data;
344 | }
345 |
346 | return 0;
347 | }
348 |
349 | int32 analyze_res_entry( PIMAGE_RESOURCE_DATA_ENTRY res_data, PBYTE sect_data, PIMAGE_RESOURCE_DATA_ENTRY res_data_out, file_analyzer *analyzer )
350 | {
351 | int32 i;
352 | int32 ret;
353 | res_entry = ( res_dir + 1 );
354 | for( i = 0; i < res_dir->NumberOfNamedEntries + res_dir->NumberOfIdEntries; i ++ )
355 | {
356 | #define STRUCT_TYPE_PE_RES_DIR 0x4d5a0008
357 | struct_infos info;
358 | info.struct_data = res_dir;
359 | info.struct_id = STRUCT_TYPE_PE_RES_DIR;
360 | info.struct_name = "resource directory"
361 | info.param1 = data;
362 | }
363 | return 0;
364 | }
365 |
366 | #define MAX_RES_NAME_LEN 512
367 | INT32 read_resource_info( PIMAGE_RESOURCE_DIRECTORY res_dir, PBYTE sect_data, file_analzyer *analyzer)
368 | {
369 | INT32 i;
370 | INT32 ret;
371 | PIMAGE_RESOURCE_DATA_ENTRY res_data;
372 | PIMAGE_RESOURCE_DIRECTORY_ENTRY res_entry;
373 | PIMAGE_RESOURCE_DIR_STRING_U res_name;
374 | WCHAR res_name_buf[ MAX_RES_NAME_LEN ];
375 |
376 | if( NULL != analyzer->struct_analyze )
377 | {
378 | #define STRUCT_TYPE_PE_RES_DIR 0x4d5a0008
379 | struct_infos info;
380 | info.struct_data = res_dir;
381 | info.struct_id = STRUCT_TYPE_PE_RES_DIR;
382 | info.struct_name = "resource directory"
383 | info.param1 = data;
384 | }
385 |
386 | if( res_entry->DataIsDirectory )
387 | {
388 | read_resource_info( res_entry->OffsetToDirectory + sect_data, sect_data, analyzer );
389 | }
390 | else
391 | {
392 | if( NULL != analyzer->struct_analyze )
393 | {
394 | res_data = sect_data + res_entry->OffsetToData;
395 |
396 | }
397 |
398 | res_entry ++;
399 | }
400 | return 0;
401 | }
402 |
403 | INT32 read_resource_table( PIMAGE_DATA_DIRECTORY resource_table, PIMAGE_SECTION_HEADER sects, DWORD sect_num, PBYTE data )
404 | {
405 | INT32 ret;
406 | INT32 i;
407 | PIMAGE_RESOURCE_DIRECTORY res_dir;
408 | PIMAGE_SECTION_HEADER finded_sect;
409 |
410 | res_dir = find_virt_addr_ptr( resource_table, sects, sect_num, data, &finded_sect );
411 |
412 | if( NULL == res_dir )
413 | {
414 | return -1;
415 | }
416 |
417 | read_resource_info( res_dir, data + finded_sect->PointerToRawData );
418 | }
419 |
420 | INT32 analyze_directories( PIMAGE_DATA_DIRECTORY dirs, DWORD dir_num, file_analyzer *analyzer)
421 | {
422 | PIMAGE_DATA_DIRECTORY data_dirs;
423 |
424 | data_dirs = dirs;
425 |
426 | if( analyzer->struct_analyze )
427 | {
428 | #define STRUCT_TYPE_PE_DATA_DIR 0x4d5a0005
429 | struct_infos infos;
430 | infos.struct_data = data_dirs;
431 | infos.param1 = dir_num;
432 | infos.struct_id = STRUCT_TYPE_PE_DATA_DIR;
433 | infos.struct_name = "data directory";
434 |
435 | analyzer->struct_analyze( &infos, analyzer->context );
436 | }
437 |
438 | return 0;
439 | }
440 |
441 | int32 analyze_directorie_data( PIMAGE_DATA_DIRECTORY dir, dword index,
442 | PIMAGE_SECTION_HEADER sects, DWORD sect_num,
443 | PBYTE data, dword data_len,
444 | file_analyzer *analyzer)
445 | {
446 | int32 ret;
447 |
448 | switch( index )
449 | {
450 | case IMAGE_DIRECTORY_ENTRY_EXPORT:
451 | ret = analyze_export_syms( dir, sects, sect_num, data, data_len, analyzer );
452 | break;
453 | case IMAGE_DIRECTORY_ENTRY_IMPORT:
454 | ret = analyze_import_syms( dir, sects, sect_num, data, data_len, analyzer );
455 | break;
456 | case IMAGE_DIRECTORY_ENTRY_RESOURCE:
457 | ret = analyze_res_table( dir, sects, sect_num, data, data_len, analyzer );
458 | break;
459 | default:
460 | ret = -1;
461 | }
462 |
463 | return ret;
464 | }
465 |
466 | INT32 analyze_sections( PIMAGE_SECTION_HEADER *sects, DWORD sect_num, file_analyzer *analyzer )
467 | {
468 | INT32 i;
469 | PIMAGE_SECTION_HEADER sect_hdr;
470 |
471 | sect_hdr = sects;
472 |
473 | if( NULL != analyzer->struct_analzye )
474 | {
475 | #define STRUCT_TYPE_PE_DATA_DIR 0x4d5a0005
476 | struct_infos infos;
477 | for( i = 0; i < sect_num; i ++ )
478 | {
479 | infos.struct_data = sect_hdr;
480 | infos.struct_id = STRUCT_TYPE_PE_DATA_DIR;
481 | infos.struct_name;
482 | infos.param1 = data;
483 | analyze->struct_analyze( &infos, analyze->context );
484 | }
485 | }
486 | return 0;
487 | }
488 |
489 | INT32 analyze_pe_file( byte *data, dword data_len, file_analyzer *analyzer )
490 | {
491 | INT32 i;
492 | BOOL ret;
493 | PBYTE pe_hdr;
494 | PIMAGE_DOS_HEADER dos_hdr;
495 | PIMAGE_FILE_HEADER file_hdr;
496 | PIMAGE_OPTIONAL_HEADER option_hdr;
497 | PIMAGE_DATA_DIRECTORY data_dirs;
498 | PIMAGE_SECTION_HEADER sect_hdr;
499 | DWORD offset;
500 | DWORD dir_num;
501 | PBYTE dos_stub;
502 |
503 | ASSERT( NULL != data );
504 | ASSERT( 0 < data_len );
505 | ASSERT( NULL != analyzer );
506 |
507 | if( sizeof( dword ) < data_len )
508 | {
509 | if( NULL != analyzer->error_hander )
510 | {
511 | analyzer->error_handler( ERR_READ_OR_FILE_TO_SMALL );
512 | }
513 | ret = -1;
514 | goto error;
515 | }
516 |
517 | pe_hdr = data;
518 |
519 | offset = 0;
520 |
521 |
522 |
523 | dos_hdr = ( byte* )( pe_hdr + offset );
524 | if( IMAGE_DOS_SIGNATURE != dos_hdr->e_magic )
525 | {
526 | if( NULL != analyzer->error_hander )
527 | {
528 | analyzer->error_handler( ERR_PE_DOS_HEADER_SIGN );
529 | }
530 |
531 | ret = -1;
532 | goto error;
533 | }
534 |
535 | offset += sizeof( IMAGE_DOS_HEADER );
536 | dos_stub = pe_hdr + offset;
537 |
538 | offset += dos_hdr->e_lfanew - sizeof( IMAGE_DOS_HEADER );
539 | if( IMAGE_NT_SIGNATURE != *( DWORD* )( pe_hdr + offset ) )
540 | {
541 | if( NULL != analyzer->error_hander )
542 | {
543 | analyzer->error_handler( ERR_PE_NT_HEADER_SIGN );
544 | }
545 | ret = -1;
546 | goto error;
547 | }
548 |
549 | offset += sizeof( DWORD );
550 | file_hdr = pe_hdr + offset;
551 | if( file_hdr->SizeOfOptionalHeader != sizeof( IMAGE_OPTIONAL_HEADER ) )
552 | {
553 | if( NULL != analyzer->error_hander )
554 | {
555 | analyzer->error_handler( ERR_PE_OPTIONAL_HEADER_LEN );
556 | }
557 |
558 | ret = -1;
559 | goto error;
560 | }
561 |
562 | if( IMAGE_FILE_MACHINE_I386 != file_hdr->Machine &&
563 | 0x014d != file_hdr->Machine &&
564 | 0x014e != file_hdr->Machine &&
565 | 0x0160 != file_hdr->Machine &&
566 | IMAGE_FILE_MACHINE_R3000 != file_hdr->Machine &&
567 | IMAGE_FILE_MACHINE_R4000 != file_hdr->Machine &&
568 | IMAGE_FILE_MACHINE_R10000 != file_hdr->Machine &&
569 | IMAGE_FILE_MACHINE_ALPHA != file_hdr->Machine &&
570 | IMAGE_FILE_MACHINE_POWERPC != file_hdr->Machine )
571 | {
572 | if( NULL != analyzer->error_hander )
573 | {
574 | analyzer->error_handler( ERR_PE_NT_HEADER_MACHINE );
575 | }
576 | ret = -1;
577 | goto error;
578 | }
579 |
580 | offset += sizeof( IMAGE_FILE_HEADER );
581 | option_hdr = pe_hdr + offset;
582 |
583 | if( option_hdr->Magic != WINDOWS_PE_OPTIONAL_HEADER_SIGN )
584 | {
585 | if( NULL != analyzer->error_hander )
586 | {
587 | analyzer->error_handler( ERR_PE_OPTIONAL_HEADER_SIGN );
588 | }
589 |
590 | ret = -1;
591 | goto error;
592 | }
593 |
594 | if( IMAGE_SUBSYSTEM_NATIVE != option_hdr->Subsystem &&
595 | IMAGE_SUBSYSTEM_WINDOWS_GUI != option_hdr->Subsystem &&
596 | IMAGE_SUBSYSTEM_WINDOWS_CUI != option_hdr->Subsystem &&
597 | IMAGE_SUBSYSTEM_OS2_CUI != option_hdr->Subsystem &&
598 | IMAGE_SUBSYSTEM_POSIX_CUI != option_hdr->Subsystem )
599 | {
600 | if( NULL != analyzer->error_hander )
601 | {
602 | analyzer->error_handler( ERR_PE_OPTIONAL_HEADER_SUBSYS );
603 | }
604 | ret = -1;
605 | goto error;
606 | }
607 |
608 | if( NULL == analyzer->struct_analyze )
609 | {
610 | analyzer->struct_analyze( ( byte* )dos_hdr, sizeof( dos_hdr ), STRUCT_TYPE_PE_DOS_HEADER );
611 | analyzer->struct_analyze( ( byte* )dos_stub, sizeof( dos_hdr ), STRUCT_TYPE_PE_DOS_STUB );
612 | analyzer->struct_analyze( ( byte* )file_hdr, sizeof( dos_hdr ), STRUCT_TYPE_NT_HEADER );
613 | analyzer->struct_analyze( ( byte* )option_hdr, sizeof( dos_hdr ), STRUCT_TYPE_OPTIONAL_HEADER );
614 | }
615 |
616 | dir_num = option_hdr->NumberOfRvaAndSizes; //IMAGE_NUMBEROF_DIRECTORY_ENTRIES
617 |
618 | if( dir_num > IMAGE_NUMBEROF_DIRECTORY_ENTRIES )
619 | {
620 | dir_num = IMAGE_NUMBEROF_DIRECTORY_ENTRIES;
621 | }
622 |
623 | data_dirs = &option_hdr->DataDirectory;
624 |
625 | offset += sizeof( IMAGE_OPTIONAL_HEADER );
626 |
627 | sect_hdr = ( PIMAGE_SECTION_HEADER )( pe_hdr + offset );
628 |
629 | read_directories( data_dirs,dir_num, sect_hdr, file_hdr->NumberOfSections, pe_hdr );
630 |
631 | read_sections( sect_hdr, file_hdr->NumberOfSections, pe_hdr );
632 |
633 | error:
634 |
635 | return ret;
636 | }
--------------------------------------------------------------------------------
/pe-master/pe_file_analyze.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 | #ifndef __PE_FILE_ANALYZER_H__
21 | #define __PE_FILE_ANALYZER_H__
22 |
23 | #define PE_HEADER_SIGN 0x4d5a
24 |
25 | #ifdef __cplusplus
26 | extern "C" {
27 | #endif
28 |
29 | int32 check_pe_file_type( byte *data, dword data_len );
30 | INT32 analyze_pe_file( byte *data, dword data_len, file_analyzer *analyzer );
31 |
32 | #ifdef __cplusplus
33 | }
34 | #endif
35 |
36 | #endif //__PE_FILE_ANALYZER_H__
--------------------------------------------------------------------------------
/pe-master/pe_file_analyzer.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 | #include "common.h"
21 | #include "common_analyze.h"
22 | #include "pe_file_analyzer.h"
23 | #include "file_analyzer.h"
24 |
25 | int32 callback check_pe_file_type( byte *data, dword data_len )
26 | {
27 | ASSERT( NULL != data );
28 | ASSERT( 0 < data_len );
29 |
30 | if( data_len < sizeof( word ) )
31 | {
32 | return -1;
33 | }
34 |
35 | if( *( word* )data == IMAGE_DOS_SIGNATURE )
36 | {
37 | return PE_FILE_TYPE;
38 | }
39 | return -1;
40 | }
41 |
42 | PBYTE find_virt_addr_ptr2( DWORD virt_addr, DWORD size, PIMAGE_SECTION_HEADER sect_hdrs, DWORD sect_num, PBYTE data, PIMAGE_SECTION_HEADER *finded_sect )
43 | {
44 | INT32 i;
45 | PIMAGE_SECTION_HEADER sect_hdr;
46 |
47 | if( size == 0 /*&& NULL == virt_addr*/ )
48 | {
49 | *finded_sect = NULL;
50 | return NULL;
51 | }
52 |
53 | sect_hdr = sect_hdrs;
54 |
55 | for( i = 0; i < sect_num; i ++ )
56 | {
57 | if( virt_addr >= sect_hdr->VirtualAddress &&
58 | virt_addr + size <= sect_hdr->VirtualAddress + sect_hdr->SizeOfRawData )
59 | {
60 | PBYTE data_out;
61 | *finded_sect = sect_hdr;
62 |
63 | return data + sect_hdr->PointerToRawData + ( virt_addr - sect_hdr->VirtualAddress );
64 | }
65 |
66 | sect_hdr ++;
67 | }
68 |
69 | *finded_sect = NULL;
70 | return ( PBYTE )NULL;
71 | }
72 |
73 | PBYTE find_virt_addr_ptr( PIMAGE_DATA_DIRECTORY dir, PIMAGE_SECTION_HEADER sect_hdrs, DWORD sect_num, PBYTE data, PIMAGE_SECTION_HEADER *finded_sect )
74 | {
75 | return find_virt_addr_ptr2( dir->VirtualAddress, dir->Size, sect_hdrs, sect_num, data, finded_sect );
76 | }
77 |
78 | INT32 analyze_copyright( PIMAGE_DATA_DIRECTORY copyright, PIMAGE_SECTION_HEADER sects, DWORD sect_num, PBYTE data, dword data_len, file_analyzer *analyzer )
79 | {
80 | int32 ret;
81 | PBYTE copyright_buf;
82 | PBYTE copyright_ptr;
83 | PIMAGE_DATA_DIRECTORY finded_sect;
84 |
85 | copyright_ptr = find_virt_addr_ptr( copyright, sects, sect_num, data, &finded_sect );
86 | if( NULL == copyright )
87 | {
88 | return -1;
89 | }
90 |
91 | copyright_buf = ( PBYTE )malloc( copyright->Size + 1 );
92 | memcpy( copyright_buf, copyright_ptr, copyright->Size );
93 | copyright_buf[ copyright->Size ] = '\0';
94 |
95 | if( NULL != analyzer->struct_analyze )
96 | {
97 | struct_infos *info;
98 | ret = add_new_record_info( &info, sizeof( *info ) );
99 | if( 0 > ret )
100 | {
101 | return ret;
102 | }
103 |
104 | info->struct_data = copyright_buf;
105 | info->struct_id = STRUCT_TYPE_PE_COPYRIGHT;
106 | info->struct_index = 0;
107 | info->struct_context = analyzer;
108 | analyzer->struct_analyze( info, analyzer->context );
109 | }
110 | return 0;
111 | }
112 |
113 | INT32 analyze_export_syms( PIMAGE_DATA_DIRECTORY export_syms, PIMAGE_SECTION_HEADER sects, DWORD sect_num, PBYTE data, dword data_len, file_analyzer *analyzer )
114 | {
115 | INT32 i;
116 | PDWORD function_rvas;
117 | PDWORD func_name_rvas;
118 | PDWORD func_name_ord_rvas;
119 | DWORD function_rva;
120 | PCHAR func_name;
121 | DWORD func_name_ord;
122 | PIMAGE_EXPORT_DIRECTORY export_table;
123 | PIMAGE_SECTION_HEADER finded_sect;
124 |
125 | export_table = ( PIMAGE_EXPORT_DIRECTORY )find_virt_addr_ptr( export_syms, sects, sect_num, data, &finded_sect );
126 | if( NULL == export_table )
127 | {
128 | if( NULL != analyzer->error_handler )
129 | {
130 | analyzer->error_handler( ERR_PE_EXPORT_SYM_RVA_PARSING );
131 | }
132 | return -1;
133 | }
134 |
135 | function_rvas = find_virt_addr_ptr2( export_table->AddressOfFunctions, sizeof( DWORD ) * export_table->NumberOfFunctions, sects, sect_num, data, &finded_sect );
136 | if( NULL == function_rvas )
137 | {
138 | if( NULL != analyzer->error_handler )
139 | {
140 | error_infos info;
141 | info.desc = NULL;
142 | info.err_code = ERR_PE_EXPORT_ADDRESS_RVA_PARSING;
143 | analyzer->error_handler( &info );
144 | }
145 | return -1;
146 | }
147 |
148 | for( i = 0; i < export_table->NumberOfFunctions; i ++ )
149 | {
150 | function_rva = find_virt_addr_ptr2( function_rvas[ i ], sizeof( DWORD ), sects, sect_num, data, &finded_sect );
151 | if( NULL == function_rvas )
152 | {
153 | if( NULL != analyzer->error_handler )
154 | {
155 | error_infos info;
156 | info.desc = NULL;
157 | info.err_code = ERR_PE_EXPORT_ADDRESS_RVA_PARSING;
158 | analyzer->error_handler( &info );
159 | }
160 | return -1;
161 | }
162 | }
163 |
164 | func_name_ord_rvas = find_virt_addr_ptr2( export_table->AddressOfNameOrdinals, sizeof( DWORD ), sects, sect_num, data, &finded_sect );
165 | func_name_rvas = find_virt_addr_ptr2( export_table->AddressOfNames, sizeof( DWORD ), sects, sect_num, data, &finded_sect );
166 | if( NULL == func_name_rvas )
167 | {
168 | if( NULL == func_name_rvas )
169 | {
170 | if( NULL != analyzer->error_handler )
171 | {
172 | error_infos info;
173 | info.desc = NULL;
174 | info.err_code = ERR_PE_EXPORT_ADDRESS_RVA_PARSING;
175 |
176 | analyzer->error_handler( &info );
177 | }
178 | return -1;
179 | }
180 | }
181 |
182 | if( NULL == func_name_ord_rvas )
183 | {
184 | if( NULL != analyzer->error_handler )
185 | {
186 | error_infos info;
187 | info.desc = NULL;
188 | info.err_code = ERR_PE_EXPORT_ADDRESS_RVA_PARSING;
189 |
190 | analyzer->error_handler( &info );
191 | }
192 | return -1;
193 | }
194 |
195 | if( NULL == func_name_rvas )
196 | {
197 | if( NULL != analyzer->error_handler )
198 | {
199 | error_infos info;
200 | info.desc = NULL;
201 | info.err_code = ERR_PE_EXPORT_ADDRESS_RVA_PARSING;
202 |
203 | analyzer->error_handler( &info );
204 | }
205 | return -1;
206 | }
207 |
208 | for( i = 0; i < export_table->NumberOfNames; i ++ )
209 | {
210 | func_name = find_virt_addr_ptr2( func_name_rvas[ i ], sizeof( DWORD ), sects, sect_num, data, &finded_sect );
211 | func_name_ord = *( DWORD* )find_virt_addr_ptr2( func_name_ord_rvas[ i ], sizeof( DWORD ), sects, sect_num, data, &finded_sect );
212 | if( NULL == func_name )
213 | {
214 | if( NULL != analyzer->error_handler )
215 | {
216 | error_infos info;
217 | info.desc = NULL;
218 | info.err_code = ERR_PE_EXPORT_ADDRESS_RVA_PARSING;
219 |
220 | analyzer->error_handler( &info );
221 | }
222 | return -1;
223 | }
224 |
225 | if( NULL != analyzer->name_analyze )
226 | {
227 | name_info info;
228 | info.name = func_name;
229 | info.name_order = func_name_ord;
230 |
231 | analyzer->name_analyze( &info, analyzer->context );
232 | }
233 | }
234 |
235 | export_table->AddressOfNameOrdinals;
236 | return 0;
237 | }
238 |
239 | INT32 read_import_func_info( DWORD import_name_rva, PIMAGE_SECTION_HEADER sects,
240 | DWORD sect_num, PBYTE data,
241 | dword data_len, file_analyzer *analyzer )
242 | {
243 | INT32 ret;
244 | int32 err_count;
245 | PIMAGE_THUNK_DATA thunk;
246 | PIMAGE_IMPORT_BY_NAME import_info;
247 | PIMAGE_SECTION_HEADER finded_sect;
248 |
249 | thunk = find_virt_addr_ptr2( import_name_rva, sizeof( IMAGE_IMPORT_BY_NAME ), sects, sect_num, data, &finded_sect );
250 |
251 | if( NULL == thunk )
252 | {
253 | return -1;
254 | }
255 |
256 | err_count = 0;
257 | for( ; ; )
258 | {
259 | __asm
260 | {
261 | mov ecx, 0x04;
262 | mov edi, thunk;
263 | xor eax, eax;
264 | repz scasb;
265 | mov dword ptr [ret], ecx;
266 | }
267 |
268 | if( 0 == ret )
269 | {
270 | return 0;
271 | }
272 |
273 | import_info = find_virt_addr_ptr2( thunk->u1.AddressOfData, sizeof( IMAGE_THUNK_DATA ), sects, sect_num, data, &finded_sect );
274 |
275 | if( NULL != analyzer->struct_analyze )
276 | {
277 | struct_infos *info;
278 | ret = add_new_record_info( &info, sizeof( *info ) );
279 | if( 0 > ret )
280 | {
281 | err_count ++;
282 | continue;
283 | }
284 |
285 | info->struct_data = import_info;
286 | info->struct_id = STRUCT_TYPE_PE_IMPORT_BY_NAME;
287 | info->struct_index = 0;
288 | info->struct_context = analyzer;
289 |
290 | analyzer->struct_analyze( info, analyzer->context );
291 | }
292 | thunk ++;
293 | }
294 |
295 | return -err_count;
296 | }
297 |
298 | INT32 analyze_import_syms( PIMAGE_DATA_DIRECTORY import_syms, PIMAGE_SECTION_HEADER sects, DWORD sect_num, PBYTE data, dword data_len, file_analyzer *analyzer )
299 | {
300 | INT32 ret;
301 | int32 err_count;
302 | PIMAGE_IMPORT_DESCRIPTOR import_desc;
303 | PIMAGE_SECTION_HEADER finded_sect;
304 |
305 | import_desc = find_virt_addr_ptr( import_syms, sects, sect_num, data, &finded_sect );
306 | if( NULL == import_desc )
307 | {
308 | return -1;
309 | }
310 |
311 | err_count = 0;
312 | for( ; ; )
313 | {
314 | __asm
315 | {
316 | mov ecx, 0x14;
317 | mov edi, import_desc;
318 | xor eax, eax;
319 | repz scasb;
320 | mov dword ptr [ret], ecx;
321 | }
322 |
323 | if( ret == 0 )
324 | {
325 | return 0;
326 | }
327 |
328 | if( NULL != analyzer->struct_analyze )
329 | {
330 | #define STRUCT_TYPE_PE_IMPORT_DESC 0x4d5a0007
331 | struct_infos *info;
332 | ret = add_new_record_info( &info, sizeof( *info ) );
333 | if( 0 > ret )
334 | {
335 | err_count ++;
336 | }
337 |
338 | info->struct_data = import_desc;
339 | info->struct_id = STRUCT_TYPE_PE_IMPORT_DESC;
340 | info->struct_index = 0;
341 | info->struct_context = analyzer;
342 |
343 | analyzer->struct_analyze( info, analyzer->context );
344 | }
345 |
346 | import_desc ++;
347 | }
348 |
349 | return -err_count;
350 | }
351 |
352 | INT32 read_resource_data( PIMAGE_RESOURCE_DATA_ENTRY res_data, PBYTE sect_data, PIMAGE_RESOURCE_DATA_ENTRY res_data_out, file_analyzer *analyzer )
353 | {
354 | int32 ret;
355 | ASSERT( NULL != res_data );
356 | ASSERT( NULL != sect_data );
357 | ASSERT( NULL != res_data_out );
358 |
359 | res_data_out->OffsetToData = ( PBYTE )malloc( res_data->Size );
360 | if( NULL == res_data_out->OffsetToData )
361 | {
362 | return -1;
363 | }
364 |
365 | memcpy( res_data_out->OffsetToData, res_data->OffsetToData + sect_data, res_data->Size );
366 |
367 | if( NULL != analyzer->struct_analyze )
368 | {
369 | struct_infos *info;
370 | ret = add_new_record_info( &info, sizeof( *info ) );
371 | if( 0 > ret )
372 | {
373 | return ret;
374 | }
375 |
376 | info->struct_data = res_data_out;
377 | info->struct_id = STRUCT_TYPE_PE_IMPORT_DESC;
378 | info->struct_index = 0;
379 | info->struct_context = analyzer;
380 | analyzer->struct_analyze( info, analyzer->context );
381 | }
382 |
383 | return 0;
384 | }
385 |
386 | int32 analyze_res_dir( PIMAGE_RESOURCE_DIRECTORY res_dir, PBYTE sect_data, PIMAGE_RESOURCE_DATA_ENTRY res_data_out, file_analyzer *analyzer )
387 | {
388 | int32 i;
389 | int32 ret;
390 | int32 err_count;
391 | PIMAGE_RESOURCE_DATA_ENTRY res_data;
392 |
393 | res_data = ( PIMAGE_RESOURCE_DATA_ENTRY )( ( byte* )res_dir + sizeof( IMAGE_RESOURCE_DIRECTORY ) );
394 | err_count = 0;
395 | for( i = 0; i < res_dir->NumberOfNamedEntries + res_dir->NumberOfIdEntries; i ++ )
396 | {
397 | #define STRUCT_TYPE_PE_RES_DIR 0x4d5a0008
398 | struct_infos *info;
399 | ret = add_new_record_info( &info, sizeof( *info ) );
400 | if( 0 > ret )
401 | {
402 | err_count ++;
403 | }
404 |
405 | info->struct_data = res_dir;
406 | info->struct_id = STRUCT_TYPE_PE_RES_DIR;
407 | info->struct_index = 0;
408 | info->struct_context = analyzer;
409 |
410 | analyzer->struct_analyze( info, analyzer->context );
411 | }
412 | return -err_count;
413 | }
414 |
415 | #define MAX_RES_NAME_LEN 512
416 | INT32 read_resource_info( PIMAGE_RESOURCE_DIRECTORY res_dir, PBYTE sect_data, file_analyzer *analyzer)
417 | {
418 | INT32 i;
419 | INT32 ret;
420 | PIMAGE_RESOURCE_DATA_ENTRY res_data;
421 | PIMAGE_RESOURCE_DIRECTORY_ENTRY res_entry;
422 | PIMAGE_RESOURCE_DIR_STRING_U res_name;
423 | WCHAR res_name_buf[ MAX_RES_NAME_LEN ];
424 |
425 | if( NULL != analyzer->struct_analyze )
426 | {
427 | #define STRUCT_TYPE_PE_RES_DIR 0x4d5a0008
428 | struct_infos *info;
429 | ret = add_new_record_info( &info, sizeof( *info ) );
430 | if( 0 > ret )
431 | {
432 | goto __error;
433 | }
434 |
435 | info->struct_data = res_dir;
436 | info->struct_id = STRUCT_TYPE_PE_RES_DIR;
437 | info->struct_index = 0;
438 | info->struct_context = analyzer;
439 |
440 | analyzer->struct_analyze( info, analyzer->context );
441 | }
442 |
443 | if( res_entry->DataIsDirectory )
444 | {
445 | read_resource_info( res_entry->OffsetToDirectory + sect_data, sect_data, analyzer );
446 | }
447 | else
448 | {
449 | if( NULL != analyzer->struct_analyze )
450 | {
451 | res_data = sect_data + res_entry->OffsetToData;
452 | if( NULL != analyzer->struct_analyze )
453 | {
454 | #define STRUCT_TYPE_PE_RES_DATA 0x4d5a000c
455 | struct_infos *info;
456 | ret = add_new_record_info( &info, sizeof( *info ) );
457 | if( 0 > ret )
458 | {
459 | goto __error;
460 | }
461 |
462 | info->struct_data = res_data;
463 | info->struct_id = STRUCT_TYPE_PE_RES_DATA;
464 | info->struct_index = 0;
465 | info->struct_context = analyzer;
466 |
467 | analyzer->struct_analyze( info, analyzer->context );
468 | }
469 | }
470 |
471 | res_entry ++;
472 | }
473 |
474 | return 0;
475 |
476 | __error:
477 | return -1;
478 | }
479 |
480 | INT32 read_resource_table( PIMAGE_DATA_DIRECTORY resource_table, PIMAGE_SECTION_HEADER sects, DWORD sect_num, PBYTE data, dword data_len, file_analyzer *analyzer )
481 | {
482 | INT32 ret;
483 | INT32 i;
484 | PIMAGE_RESOURCE_DIRECTORY res_dir;
485 | PIMAGE_SECTION_HEADER finded_sect;
486 |
487 | res_dir = find_virt_addr_ptr( resource_table, sects, sect_num, data, &finded_sect );
488 |
489 | if( NULL == res_dir )
490 | {
491 | return -1;
492 | }
493 |
494 | read_resource_info( res_dir, data + finded_sect->PointerToRawData, analyzer );
495 | return 0;
496 | }
497 |
498 | INT32 analyze_directories( PIMAGE_DATA_DIRECTORY dirs, DWORD dir_num, file_analyzer *analyzer)
499 | {
500 | int32 ret;
501 | PIMAGE_DATA_DIRECTORY data_dirs;
502 |
503 | data_dirs = dirs;
504 |
505 | if( analyzer->struct_analyze )
506 | {
507 | #define STRUCT_TYPE_PE_DATA_DIR 0x4d5a0005
508 | struct_infos *info;
509 | ret = add_new_record_info( &info, sizeof( *info ) );
510 | if( 0 > ret )
511 | {
512 | return ret;
513 | }
514 |
515 | info->struct_data = data_dirs;
516 | info->struct_id = STRUCT_TYPE_PE_DATA_DIR;
517 | info->struct_index = 0;
518 | info->struct_context = analyzer;
519 | analyzer->struct_analyze( info, analyzer->context );
520 | }
521 |
522 | return 0;
523 | }
524 |
525 | int32 analyze_directories_data( PIMAGE_DATA_DIRECTORY dir, dword index,
526 | PIMAGE_SECTION_HEADER sects, DWORD sect_num,
527 | PBYTE data, dword data_len,
528 | file_analyzer *analyzer)
529 | {
530 | int32 ret;
531 |
532 | switch( index )
533 | {
534 | case IMAGE_DIRECTORY_ENTRY_EXPORT:
535 | ret = analyze_export_syms( dir, sects, sect_num, data, data_len, analyzer );
536 | break;
537 | case IMAGE_DIRECTORY_ENTRY_IMPORT:
538 | ret = analyze_import_syms( dir, sects, sect_num, data, data_len, analyzer );
539 | break;
540 | case IMAGE_DIRECTORY_ENTRY_RESOURCE:
541 | //ret = analyze_res_table( dir, sects, sect_num, data, data_len, analyzer );
542 | break;
543 | default:
544 | ret = -1;
545 | }
546 |
547 | return ret;
548 | }
549 |
550 | INT32 analyze_sections( PIMAGE_SECTION_HEADER *sects, DWORD sect_num, file_analyzer *analyzer )
551 | {
552 | INT32 i;
553 | int32 ret;
554 | int32 err_count;
555 | PIMAGE_SECTION_HEADER sect_hdr;
556 |
557 | sect_hdr = sects;
558 |
559 | err_count = 0;
560 | if( NULL != analyzer->struct_analyze )
561 | {
562 | struct_infos *info;
563 | for( i = 0; i < sect_num; i ++ )
564 | {
565 | ret = add_new_record_info( &info, sizeof( *info ) );
566 | if( 0 > ret )
567 | {
568 | err_count;
569 | }
570 |
571 | info->struct_data = sect_hdr;
572 | info->struct_id = STRUCT_TYPE_PE_SECTION;
573 | info->struct_index = i;
574 | info->struct_context = analyzer;
575 | analyzer->struct_analyze( info, analyzer->context );
576 | }
577 | }
578 | return -err_count;
579 | }
580 |
581 | INT32 analyze_pe_file_struct( byte *data, dword data_len, file_analyzer *analyzer )
582 | {
583 | INT32 i;
584 | BOOL ret;
585 | PBYTE pe_hdr;
586 | PIMAGE_DOS_HEADER dos_hdr;
587 | PIMAGE_FILE_HEADER file_hdr;
588 | PIMAGE_OPTIONAL_HEADER option_hdr;
589 | PIMAGE_DATA_DIRECTORY data_dirs;
590 | PIMAGE_SECTION_HEADER sect_hdr;
591 | DWORD offset;
592 | DWORD dir_num;
593 | PBYTE dos_stub;
594 |
595 | ASSERT( NULL != data );
596 | ASSERT( 0 < data_len );
597 | ASSERT( NULL != analyzer );
598 |
599 | if( sizeof( dword ) > data_len )
600 | {
601 | if( NULL != analyzer->error_handler )
602 | {
603 | error_infos info;
604 | info.desc = NULL;
605 | info.err_code = ERR_READ_OR_FILE_TO_SMALL;
606 | analyzer->error_handler( &info );
607 | }
608 | ret = -1;
609 | goto __error;
610 | }
611 |
612 | pe_hdr = data;
613 |
614 | offset = 0;
615 |
616 | dos_hdr = ( byte* )( pe_hdr + offset );
617 | if( IMAGE_DOS_SIGNATURE != dos_hdr->e_magic )
618 | {
619 | if( NULL != analyzer->error_handler )
620 | {
621 | error_infos info;
622 | info.desc = NULL;
623 | info.err_code = ERR_PE_DOS_HEADER_SIGN;
624 | analyzer->error_handler( &info );
625 | }
626 |
627 | ret = -1;
628 | goto __error;
629 | }
630 |
631 | offset += sizeof( IMAGE_DOS_HEADER );
632 | dos_stub = pe_hdr + offset;
633 |
634 | offset += dos_hdr->e_lfanew - sizeof( IMAGE_DOS_HEADER );
635 | if( IMAGE_NT_SIGNATURE != *( DWORD* )( pe_hdr + offset ) )
636 | {
637 | if( NULL != analyzer->error_handler )
638 | {
639 | error_infos info;
640 | info.desc = NULL;
641 | info.err_code = ERR_PE_NT_HEADER_SIGN;
642 | analyzer->error_handler( &info );
643 | }
644 | ret = -1;
645 | goto __error;
646 | }
647 |
648 | offset += sizeof( DWORD );
649 | file_hdr = pe_hdr + offset;
650 | if( file_hdr->SizeOfOptionalHeader != sizeof( IMAGE_OPTIONAL_HEADER ) )
651 | {
652 | if( NULL != analyzer->error_handler )
653 | {
654 | error_infos info;
655 | info.desc = NULL;
656 | info.err_code = ERR_PE_OPTIONAL_HEADER_LEN;
657 | analyzer->error_handler( &info );
658 | }
659 |
660 | ret = -1;
661 | goto __error;
662 | }
663 |
664 | if( IMAGE_FILE_MACHINE_I386 != file_hdr->Machine &&
665 | 0x014d != file_hdr->Machine &&
666 | 0x014e != file_hdr->Machine &&
667 | 0x0160 != file_hdr->Machine &&
668 | IMAGE_FILE_MACHINE_R3000 != file_hdr->Machine &&
669 | IMAGE_FILE_MACHINE_R4000 != file_hdr->Machine &&
670 | IMAGE_FILE_MACHINE_R10000 != file_hdr->Machine &&
671 | IMAGE_FILE_MACHINE_ALPHA != file_hdr->Machine &&
672 | IMAGE_FILE_MACHINE_POWERPC != file_hdr->Machine )
673 | {
674 | if( NULL != analyzer->error_handler )
675 | {
676 | error_infos info;
677 | info.desc = NULL;
678 | info.err_code = ERR_PE_NT_HEADER_MACHINE;
679 | analyzer->error_handler( &info );
680 | }
681 | ret = -1;
682 | goto __error;
683 | }
684 |
685 | offset += sizeof( IMAGE_FILE_HEADER );
686 | option_hdr = pe_hdr + offset;
687 |
688 | if( option_hdr->Magic != WINDOWS_PE_OPTIONAL_HEADER_SIGN )
689 | {
690 | if( NULL != analyzer->error_handler )
691 | {
692 | error_infos info;
693 | info.desc = NULL;
694 | info.err_code = ERR_PE_OPTIONAL_HEADER_SIGN;
695 | analyzer->error_handler( &info );
696 | }
697 |
698 | ret = -1;
699 | goto __error;
700 | }
701 |
702 | if( IMAGE_SUBSYSTEM_NATIVE != option_hdr->Subsystem &&
703 | IMAGE_SUBSYSTEM_WINDOWS_GUI != option_hdr->Subsystem &&
704 | IMAGE_SUBSYSTEM_WINDOWS_CUI != option_hdr->Subsystem &&
705 | IMAGE_SUBSYSTEM_OS2_CUI != option_hdr->Subsystem &&
706 | IMAGE_SUBSYSTEM_POSIX_CUI != option_hdr->Subsystem )
707 | {
708 | if( NULL != analyzer->error_handler )
709 | {
710 | error_infos info;
711 | info.desc = NULL;
712 | info.err_code = ERR_PE_OPTIONAL_HEADER_SUBSYS;
713 | analyzer->error_handler( &info );
714 | }
715 | ret = -1;
716 | goto __error;
717 | }
718 |
719 | if( NULL != analyzer->struct_analyze )
720 | {
721 | struct_infos *info;
722 | ret = add_new_record_info( &info, sizeof( *info ) );
723 | if( 0 > ret )
724 | {
725 | goto __error;
726 | }
727 |
728 | info->struct_data = dos_hdr;
729 | info->struct_id = STRUCT_TYPE_PE_DOS_HEADER;
730 | info->struct_index = 0;
731 | info->struct_context = analyzer;
732 | analyzer->struct_analyze( info, analyzer->context );
733 |
734 | ret = add_new_record_info( &info, sizeof( *info ) );
735 | if( 0 > ret )
736 | {
737 | goto __error;
738 | }
739 |
740 | info->struct_data = dos_stub;
741 | info->struct_id = STRUCT_TYPE_PE_DOS_STUB;
742 | info->struct_index = 0;
743 | info->struct_context = analyzer;
744 | info->param1 = dos_hdr->e_lfanew - sizeof( IMAGE_DOS_HEADER );
745 | analyzer->struct_analyze( info, analyzer->context );
746 |
747 | ret = add_new_record_info( &info, sizeof( *info ) );
748 | if( 0 > ret )
749 | {
750 | goto __error;
751 | }
752 |
753 | info->struct_data = ( byte* )file_hdr;
754 | info->struct_id = STRUCT_TYPE_PE_NT_HEADER;
755 | info->struct_index = 0;
756 | info->struct_context = analyzer;
757 | analyzer->struct_analyze( info, analyzer->context );
758 |
759 | ret = add_new_record_info( &info, sizeof( *info ) );
760 | if( 0 > ret )
761 | {
762 | goto __error;
763 | }
764 |
765 | info->struct_data = ( byte* )option_hdr;
766 | info->struct_id = STRUCT_TYPE_PE_OPTIONAL_HEADER;
767 | info->struct_index = 0;
768 | info->struct_context = analyzer;
769 |
770 | analyzer->struct_analyze( info, analyzer->context );
771 | }
772 |
773 | dir_num = option_hdr->NumberOfRvaAndSizes; //IMAGE_NUMBEROF_DIRECTORY_ENTRIES
774 |
775 | if( dir_num > IMAGE_NUMBEROF_DIRECTORY_ENTRIES )
776 | {
777 | dir_num = IMAGE_NUMBEROF_DIRECTORY_ENTRIES;
778 | }
779 |
780 | data_dirs = &option_hdr->DataDirectory;
781 |
782 | offset += sizeof( IMAGE_OPTIONAL_HEADER );
783 |
784 | sect_hdr = ( PIMAGE_SECTION_HEADER )( pe_hdr + offset );
785 |
786 | //read_directories( data_dirs,dir_num, sect_hdr, file_hdr->NumberOfSections, pe_hdr );
787 |
788 | for( i = 0; i < file_hdr->NumberOfSections; i ++ )
789 | {
790 | if( NULL != analyzer->struct_analyze )
791 | {
792 | struct_infos *info;
793 | ret = add_new_record_info( &info, sizeof( *info ) );
794 | if( 0 > ret )
795 | {
796 | goto __error;
797 | }
798 |
799 | info->struct_data = ( byte* )( sect_hdr + i );
800 | info->struct_id = STRUCT_TYPE_PE_SECTION;
801 | info->struct_index = i;
802 | info->struct_context = analyzer;
803 | analyzer->struct_analyze( info, analyzer->context );
804 | }
805 | }
806 |
807 | __error:
808 | return ret;
809 | }
--------------------------------------------------------------------------------
/pe-master/pe_file_analyzer.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 | #ifndef __PE_FILE_ANALYZER_H__
21 | #define __PE_FILE_ANALYZER_H__
22 |
23 | #define PE_HEADER_SIGN 0x4d5a
24 |
25 | #define ERR_READ_OR_FILE_TO_SMALL 0xffff4d5a
26 | #define ERR_PE_DOS_HEADER_SIGN 0x00014d5a
27 | #define ERR_PE_NT_HEADER_SIGN 0x00024d5a
28 | #define ERR_PE_OPTIONAL_HEADER_LEN 0x00034d5a
29 | #define ERR_PE_NT_HEADER_MACHINE 0x00044d5a
30 | #define ERR_PE_OPTIONAL_HEADER_SIGN 0x00054d5a
31 | #define ERR_PE_OPTIONAL_HEADER_SUBSYS 0x00064d5a
32 | #define ERR_PE_EXPORT_SYM_RVA_PARSING 0x00094d5a
33 | #define ERR_PE_EXPORT_ADDRESS_RVA_PARSING 0x00094d5a
34 | #define ERR_PE_EXPORT_ADDRESS_RVA_PARSING 0x00094d5a
35 | #define ERR_PE_EXPORT_ADDRESS_RVA_PARSING 0x00094d5a
36 | #define ERR_PE_EXPORT_ADDRESS_RVA_PARSING 0x00094d5a
37 | #define ERR_PE_EXPORT_ADDRESS_RVA_PARSING 0x00094d5a
38 |
39 | #define STRUCT_TYPE_PE_DOS_HEADER 0x4d5a0001
40 | #define STRUCT_TYPE_PE_DOS_STUB 0x4d5a0002
41 | #define STRUCT_TYPE_PE_NT_HEADER 0x4d5a0003
42 | #define STRUCT_TYPE_PE_OPTIONAL_HEADER 0x4d5a0004
43 | #define STRUCT_TYPE_PE_COPYRIGHT 0x4d5a000a
44 | #define STRUCT_TYPE_PE_IMPORT_BY_NAME 0x4d5a000b
45 | #define STRUCT_TYPE_PE_SECTION 0x4d5a000d
46 |
47 | #define MAX_MSG_LEN 512
48 | #define WINDOWS_PE_OPTIONAL_HEADER_SIGN 0x010b
49 |
50 | #ifdef __cplusplus
51 | extern "C" {
52 | #endif
53 |
54 | int32 callback check_pe_file_type( byte *data, dword data_len );
55 | INT32 analyze_pe_file_struct( byte *data, dword data_len, file_analyzer *analyzer );
56 |
57 | #ifdef __cplusplus
58 | }
59 | #endif
60 |
61 | #endif //__PE_FILE_ANALYZER_H__
--------------------------------------------------------------------------------
/pe-master/pe_struct_analyze.c:
--------------------------------------------------------------------------------
1 | #include "pe_struct_analyze.h"
2 |
3 | int32 get_standard_nt_hdr_desc( IMAGE_NT_FILE_HEADER *hdr )
4 | {
5 | switch( file_hdr->Machine )
6 | {
7 | case IMAGE_FILE_MACHINE_I386:
8 | break;
9 | case 0x014d:
10 | break;
11 | case 0x014e:
12 | break;
13 | case 0x0160:
14 | break;
15 | case IMAGE_FILE_MACHINE_R3000:
16 | break;
17 | case IMAGE_FILE_MACHINE_R4000:
18 | break;
19 | case IMAGE_FILE_MACHINE_R10000:
20 | break;
21 | case IMAGE_FILE_MACHINE_ALPHA:
22 | break;
23 | case IMAGE_FILE_MACHINE_POWERPC:
24 | break;
25 | default:
26 | ret = -1;
27 | goto error;
28 | break;
29 | }
30 | return 0;
31 | }
32 |
33 | int32 analyze_pe_func_info()
34 | {
35 | import_info->Hint;
36 | import_info->Name;
37 | }
38 |
39 | int32 aa()
40 | {
41 | res_data_out->CodePage = res_data->CodePage;
42 | res_data_out->Size = res_data->Size;
43 | }
44 |
45 | int32 get_standard_pe_optional_hdr_desc( PIMAGE_OPTIONAL_HEADER hdr )
46 | {
47 | option_hdr->AddressOfEntryPoint;
48 | option_hdr->ImageBase;
49 | option_hdr->SectionAlignment;
50 | option_hdr->FileAlignment;
51 | option_hdr->MinorSubsystemVersion;
52 | option_hdr->SizeOfImage;
53 | option_hdr->SizeOfHeaders;
54 | option_hdr->CheckSum; //CheckSumMappedFile()
55 | option_hdr->SizeOfStackReserve;
56 | option_hdr->SizeOfStackCommit;
57 | option_hdr->SizeOfHeapReserve;
58 | option_hdr->SizeOfHeapCommit;
59 | return 0;
60 | }
61 |
62 | int32 get_standard_pe_optional_hdr_subsys_desc( PIMAGE_OPTIONAL_HEADER hdr )
63 | {
64 | switch( option_hdr->Subsystem )
65 | {
66 | case IMAGE_SUBSYSTEM_NATIVE:
67 | break;
68 | case IMAGE_SUBSYSTEM_WINDOWS_GUI:
69 | break;
70 | case IMAGE_SUBSYSTEM_WINDOWS_CUI:
71 | break;
72 | case IMAGE_SUBSYSTEM_OS2_CUI:
73 | break;
74 | case IMAGE_SUBSYSTEM_POSIX_CUI:
75 | break;
76 | default:
77 | if( NULL != analyzer->error_hander )
78 | {
79 | analyzer->error_handler( ERR_PE_OPTIONAL_HEADER_SUBSYS );
80 | }
81 | ret = -1;
82 | goto error;
83 | break;
84 | }
85 | return 0;
86 | }
87 |
88 | int32 get_standard_nt_hdr_characer_desc( file_hdr )
89 | {
90 | if( file_hdr->Characteristics & IMAGE_FILE_RELOCS_STRIPPED )
91 | {
92 |
93 | }
94 |
95 | if( file_hdr->Characteristics & IMAGE_FILE_EXECUTABLE_IMAGE )
96 | {
97 |
98 | }
99 |
100 | if( file_hdr->Characteristics & IMAGE_FILE_LINE_NUMS_STRIPPED )
101 | {
102 |
103 | }
104 |
105 | if( file_hdr->Characteristics & IMAGE_FILE_LOCAL_SYMS_STRIPPED )
106 | {
107 |
108 | }
109 |
110 | if( file_hdr->Characteristics & IMAGE_FILE_AGGRESIVE_WS_TRIM )
111 | {
112 |
113 | }
114 |
115 | if( file_hdr->Characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE )
116 | {
117 |
118 | }
119 |
120 | if( file_hdr->Characteristics & IMAGE_FILE_BYTES_REVERSED_LO )
121 | {
122 |
123 | }
124 |
125 | if( file_hdr->Characteristics & IMAGE_FILE_32BIT_MACHINE )
126 | {
127 |
128 | }
129 |
130 |
131 | if( file_hdr->Characteristics & IMAGE_FILE_DEBUG_STRIPPED )
132 | {
133 |
134 | }
135 |
136 | if( file_hdr->Characteristics & IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP )
137 | {
138 |
139 | }
140 |
141 | if( file_hdr->Characteristics & IMAGE_FILE_NET_RUN_FROM_SWAP )
142 | {
143 |
144 | }
145 |
146 | if( file_hdr->Characteristics & IMAGE_FILE_SYSTEM )
147 | {
148 |
149 | }
150 |
151 | if( file_hdr->Characteristics & IMAGE_FILE_DLL )
152 | {
153 |
154 | }
155 |
156 | if( file_hdr->Characteristics & IMAGE_FILE_UP_SYSTEM_ONLY )
157 | {
158 |
159 | }
160 |
161 | if( file_hdr->Characteristics & IMAGE_FILE_BYTES_REVERSED_HI )
162 | {
163 |
164 | }
165 | return 0;
166 | }
167 |
168 | int32 get_section_infos( PIMAGE_SECTION_HEADER *sect_hdr )
169 | {
170 | sect_hdr->Name;
171 | sect_hdr->Misc.VirtualSize;
172 | sect_hdr->VirtualAddress;
173 | sect_hdr->SizeOfRawData;
174 | sect_hdr->PointerToRawData;
175 | sect_hdr->PointerToRelocations;
176 | sect_hdr->PointerToLinenumbers;
177 | sect_hdr->NumberOfRelocations;
178 | sect_hdr->NumberOfLinenumbers;
179 | return 0;
180 | }
181 |
182 | int get_standard_sect_character_desc( PIMAGE_SECTION_HEADER hdr )
183 | {
184 | if( sect_hdr->Characteristics & IMAGE_SCN_TYPE_NO_PAD )
185 | {
186 | }
187 | if( sect_hdr->Characteristics & IMAGE_SCN_CNT_CODE )
188 | {
189 | }
190 | if( sect_hdr->Characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA )
191 | {
192 | }
193 | if( sect_hdr->Characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA )
194 | {
195 | }
196 | if( sect_hdr->Characteristics & IMAGE_SCN_LNK_OTHER )
197 | {
198 | }
199 | if( sect_hdr->Characteristics & IMAGE_SCN_LNK_INFO )
200 | {
201 | }
202 | if( sect_hdr->Characteristics & IMAGE_SCN_LNK_REMOVE )
203 | {
204 | }
205 | if( sect_hdr->Characteristics & IMAGE_SCN_LNK_COMDAT )
206 | {
207 | }
208 | if( sect_hdr->Characteristics & IMAGE_SCN_NO_DEFER_SPEC_EXC )
209 | {
210 | }
211 | if( sect_hdr->Characteristics & IMAGE_SCN_GPREL )
212 | {
213 | }
214 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_FARDATA )
215 | {
216 | }
217 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_PURGEABLE )
218 | {
219 | }
220 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_16BIT )
221 | {
222 | }
223 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_LOCKED )
224 | {
225 | }
226 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_PRELOAD )
227 | {
228 | }
229 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_1BYTES )
230 | {
231 | }
232 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_2BYTES )
233 | {
234 | }
235 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_4BYTES )
236 | {
237 | }
238 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_8BYTES )
239 | {
240 | }
241 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_16BYTES )
242 | {
243 | }
244 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_32BYTES )
245 | {
246 | }
247 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_64BYTES )
248 | {
249 | }
250 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_128BYTES )
251 | {
252 | }
253 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_256BYTES )
254 | {
255 | }
256 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_512BYTES )
257 | {
258 | }
259 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_1024BYTES )
260 | {
261 | }
262 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_2048BYTES )
263 | {
264 | }
265 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_4096BYTES )
266 | {
267 | }
268 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_8192BYTES )
269 | {
270 | }
271 | if( sect_hdr->Characteristics & IMAGE_SCN_LNK_NRELOC_OVFL )
272 | {
273 | }
274 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_DISCARDABLE )
275 | {
276 | }
277 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_NOT_CACHED )
278 | {
279 | }
280 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_NOT_PAGED )
281 | {
282 | }
283 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_SHARED )
284 | {
285 | }
286 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_EXECUTE )
287 | {
288 | }
289 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_READ )
290 | {
291 | }
292 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_WRITE )
293 | {
294 | }
295 |
296 | return 0;
297 | }
298 |
299 | int get_standard_data_dir_desc( PIMAGE_DATA_DIRECTORY data_dir, dword index,
300 | char * desc_out, dword *out_buf_len )
301 | {
302 | #define MAX_DIR_DESC_LEN 1024
303 | char *type_desc;
304 | char data_dir_desc[ MAX_DIR_DESC_LEN ];
305 | int32 length;
306 |
307 | switch( index )
308 | {
309 | case IMAGE_DIRECTORY_ENTRY_EXPORT:
310 | type_desc = "Export directory: ";
311 | break;
312 | case IMAGE_DIRECTORY_ENTRY_IMPORT:
313 | type_desc = "Import directory: ";
314 | break;
315 | case IMAGE_DIRECTORY_ENTRY_RESOURCE:
316 | type_desc = "Resource directory: ";
317 | break;
318 | case IMAGE_DIRECTORY_ENTRY_EXCEPTION:
319 | type_desc = "Exception directory: ";
320 | break;
321 | case IMAGE_DIRECTORY_ENTRY_SECURITY:
322 | type_desc = "Secrity directory: ";
323 | break;
324 | case IMAGE_DIRECTORY_ENTRY_BASERELOC:
325 | type_desc = "Base Relocating directory: ";
326 | break;
327 | case IMAGE_DIRECTORY_ENTRY_DEBUG:
328 | type_desc = "Debug directory: ";
329 | break;
330 | case IMAGE_DIRECTORY_ENTRY_GLOBALPTR:
331 | type_desc = "Global pointer directory: ";
332 | break;
333 | case IMAGE_DIRECTORY_ENTRY_TLS:
334 | type_desc = "Tls directory: ";
335 | break;
336 | case IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
337 | type_desc = "Load configure directory: ";
338 | break;
339 | case IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT:
340 | break;
341 | case IMAGE_DIRECTORY_ENTRY_IAT:
342 | type_desc = "Import address table directory: ";
343 | break;
344 | default:
345 | return -1;
346 | }
347 |
348 | #define DESC_SPAN_SPACE 3
349 |
350 | sprintf( data_dir_desc, "%40s Size: %d, Virtual address: %d \n", type_desc, data_dir->Size, data_dir->VirtualAddress );
351 |
352 | if( strlen( data_dir_desc ) + sizeof( char ) > *out_buf_len )
353 | {
354 | *desc_out = '\0';
355 | *out_buf_len = strlen( data_dir_desc ) + sizeof( char );
356 | return -2;
357 | }
358 |
359 | strcpy( desc_out, data_dir_desc );
360 | *out_buf_len = strlen( data_dir_len ) + sizeof( char );
361 | return 0;
362 | }
363 |
364 | int32 analyze_import_table( PIMAGE_IMPORT_DESCRIPTOR *import_desc )
365 | {
366 |
367 | }
368 |
369 | INT32 ErrorHandle( DWORD dwErrorCode )
370 | {
371 | DWORD dwLastError;
372 | CHAR szMsg[ MAX_MSG_LEN ];
373 |
374 | dwLastError = GetLastError();
375 | }
376 |
377 | int aaa()
378 | {
379 | res_dir->Characteristics;
380 | res_dir->TimeDateStamp;
381 | res_dir->MajorVersion;
382 | res_dir->MinorVersion;
383 | res_dir->NumberOfNamedEntries;
384 | res_dir->NumberOfIdEntries;
385 |
386 | }
387 |
388 | int32 analyze_res_dir( PIMAGE_RESOURCE_DIRECTORY_ENTRY data_entry )
389 | {
390 | if( res_entry->NameIsString )
391 | {
392 | res_name = sect_data + res_entry->Name;
393 | memcpy( res_name_buf, res_name->NameString, res_name->Length * sizeof( WCHAR ) );
394 | res_name_buf[ res_name->Length ] = L'\0';
395 | ret = WideCharToMultiByte( 0, 0, res_name_buf, 0, res_name_buf, MAX_RES_NAME_LEN * 2, NULL, NULL );
396 | }
397 | else
398 | {
399 | res_entry->Id;
400 | }
401 |
402 | return 0;
403 | }
404 |
405 | int32 analyzer_res_data( PIMAGE_RESOURCE_DATA_ENTRY res_data )
406 | {
407 | res_data->OffsetToData;
408 | res_data->Size;
409 | res_data->CodePage;
410 | res_data->Reserved;
411 | }
412 |
413 | int32 analyzer_export_table( )
414 | {
415 | export_table->Characteristics;
416 | export_table->TimeDateStamp;
417 | export_table->MajorVersion;
418 | export_table->MinorVersion;
419 | export_table->Name;
420 | export_table->Base;
421 | return 0;
422 | }
--------------------------------------------------------------------------------
/pe-master/pe_struct_analyze.h:
--------------------------------------------------------------------------------
1 | #ifndef __PE_STRUCT_ANALYZER_H__
2 | #define __PE_STRUCT_ANALYZER_H__
3 |
4 |
5 | #endif //__PE_STRUCT_ANALYZER_H__
--------------------------------------------------------------------------------
/pe-master/pe_struct_analyzer.c:
--------------------------------------------------------------------------------
1 | #include "common.h"
2 | #include "common_analyze.h"
3 | #include "file_analyzer.h"
4 | #include "pe_file_analyzer.h"
5 | #include "pe_struct_analyzer.h"
6 |
7 | int32 get_standard_nt_hdr_desc( PIMAGE_FILE_HEADER file_hdr, char *desc_out, dword *out_buf_len )
8 | {
9 | char *desc;
10 | switch( file_hdr->Machine )
11 | {
12 | case IMAGE_FILE_MACHINE_I386:
13 | desc = "PE file for i386";
14 | break;
15 | case 0x014d:
16 | desc = "PE file for unknow machine";
17 | break;
18 | case 0x014e:
19 | desc = "PE file for unknow machine";
20 | break;
21 | case 0x0160:
22 | desc = "PE file for unknow machine";
23 | break;
24 | case IMAGE_FILE_MACHINE_R3000:
25 | desc = "PE file for r3000";
26 | break;
27 | case IMAGE_FILE_MACHINE_R4000:
28 | desc = "PE file for r4000";
29 | break;
30 | case IMAGE_FILE_MACHINE_R10000:
31 | desc = "PE file for r10000";
32 | break;
33 | case IMAGE_FILE_MACHINE_ALPHA:
34 | desc = "PE file for alpha";
35 | break;
36 | case IMAGE_FILE_MACHINE_POWERPC:
37 | desc = "PE file for powerpc";
38 | break;
39 | default:
40 | *desc_out = '\0';
41 | *out_buf_len = 0;
42 | return -1;
43 | break;
44 | }
45 |
46 | if( strlen( desc ) + sizeof( char ) > *out_buf_len )
47 | {
48 | *desc_out = '\0';
49 | *out_buf_len = 0;
50 | return -1;
51 | }
52 |
53 | strcpy( desc_out, desc );
54 | *out_buf_len = strlen( desc ) + sizeof( char );
55 |
56 | return 0;
57 | }
58 |
59 | int32 analyze_pe_func_info( )
60 | {
61 | PIMAGE_IMPORT_BY_NAME import_info;
62 | import_info->Hint;
63 | import_info->Name;
64 |
65 | return 0;
66 | }
67 |
68 | int32 analyze_res_data_entry( PIMAGE_RESOURCE_DATA_ENTRY res_data_entry, void *context )
69 | {
70 | return;
71 | }
72 |
73 | int32 get_standard_pe_optional_hdr_subsys_desc( PIMAGE_OPTIONAL_HEADER option_hdr )
74 | {
75 | switch( option_hdr->Subsystem )
76 | {
77 | case IMAGE_SUBSYSTEM_NATIVE:
78 | break;
79 | case IMAGE_SUBSYSTEM_WINDOWS_GUI:
80 | break;
81 | case IMAGE_SUBSYSTEM_WINDOWS_CUI:
82 | break;
83 | case IMAGE_SUBSYSTEM_OS2_CUI:
84 | break;
85 | case IMAGE_SUBSYSTEM_POSIX_CUI:
86 | break;
87 | default:
88 | //if( NULL != analyzer->error_hander )
89 | //{
90 | // analyzer->error_handler( ERR_PE_OPTIONAL_HEADER_SUBSYS );
91 | //}
92 | break;
93 | }
94 | return 0;
95 | }
96 |
97 | int32 get_standard_nt_hdr_characer_desc( PIMAGE_FILE_HEADER file_hdr )
98 | {
99 | if( file_hdr->Characteristics & IMAGE_FILE_RELOCS_STRIPPED )
100 | {
101 |
102 | }
103 |
104 | if( file_hdr->Characteristics & IMAGE_FILE_EXECUTABLE_IMAGE )
105 | {
106 |
107 | }
108 |
109 | if( file_hdr->Characteristics & IMAGE_FILE_LINE_NUMS_STRIPPED )
110 | {
111 |
112 | }
113 |
114 | if( file_hdr->Characteristics & IMAGE_FILE_LOCAL_SYMS_STRIPPED )
115 | {
116 |
117 | }
118 |
119 | if( file_hdr->Characteristics & IMAGE_FILE_AGGRESIVE_WS_TRIM )
120 | {
121 |
122 | }
123 |
124 | if( file_hdr->Characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE )
125 | {
126 |
127 | }
128 |
129 | if( file_hdr->Characteristics & IMAGE_FILE_BYTES_REVERSED_LO )
130 | {
131 |
132 | }
133 |
134 | if( file_hdr->Characteristics & IMAGE_FILE_32BIT_MACHINE )
135 | {
136 |
137 | }
138 |
139 |
140 | if( file_hdr->Characteristics & IMAGE_FILE_DEBUG_STRIPPED )
141 | {
142 |
143 | }
144 |
145 | if( file_hdr->Characteristics & IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP )
146 | {
147 |
148 | }
149 |
150 | if( file_hdr->Characteristics & IMAGE_FILE_NET_RUN_FROM_SWAP )
151 | {
152 |
153 | }
154 |
155 | if( file_hdr->Characteristics & IMAGE_FILE_SYSTEM )
156 | {
157 |
158 | }
159 |
160 | if( file_hdr->Characteristics & IMAGE_FILE_DLL )
161 | {
162 |
163 | }
164 |
165 | if( file_hdr->Characteristics & IMAGE_FILE_UP_SYSTEM_ONLY )
166 | {
167 |
168 | }
169 |
170 | if( file_hdr->Characteristics & IMAGE_FILE_BYTES_REVERSED_HI )
171 | {
172 |
173 | }
174 | return 0;
175 | }
176 |
177 | int get_standard_sect_character_desc( PIMAGE_SECTION_HEADER sect_hdr )
178 | {
179 | if( sect_hdr->Characteristics & IMAGE_SCN_TYPE_NO_PAD )
180 | {
181 | }
182 | if( sect_hdr->Characteristics & IMAGE_SCN_CNT_CODE )
183 | {
184 | }
185 | if( sect_hdr->Characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA )
186 | {
187 | }
188 | if( sect_hdr->Characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA )
189 | {
190 | }
191 | if( sect_hdr->Characteristics & IMAGE_SCN_LNK_OTHER )
192 | {
193 | }
194 | if( sect_hdr->Characteristics & IMAGE_SCN_LNK_INFO )
195 | {
196 | }
197 | if( sect_hdr->Characteristics & IMAGE_SCN_LNK_REMOVE )
198 | {
199 | }
200 | if( sect_hdr->Characteristics & IMAGE_SCN_LNK_COMDAT )
201 | {
202 | }
203 | if( sect_hdr->Characteristics & IMAGE_SCN_NO_DEFER_SPEC_EXC )
204 | {
205 | }
206 | if( sect_hdr->Characteristics & IMAGE_SCN_GPREL )
207 | {
208 | }
209 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_FARDATA )
210 | {
211 | }
212 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_PURGEABLE )
213 | {
214 | }
215 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_16BIT )
216 | {
217 | }
218 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_LOCKED )
219 | {
220 | }
221 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_PRELOAD )
222 | {
223 | }
224 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_1BYTES )
225 | {
226 | }
227 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_2BYTES )
228 | {
229 | }
230 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_4BYTES )
231 | {
232 | }
233 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_8BYTES )
234 | {
235 | }
236 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_16BYTES )
237 | {
238 | }
239 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_32BYTES )
240 | {
241 | }
242 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_64BYTES )
243 | {
244 | }
245 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_128BYTES )
246 | {
247 | }
248 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_256BYTES )
249 | {
250 | }
251 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_512BYTES )
252 | {
253 | }
254 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_1024BYTES )
255 | {
256 | }
257 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_2048BYTES )
258 | {
259 | }
260 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_4096BYTES )
261 | {
262 | }
263 | if( sect_hdr->Characteristics & IMAGE_SCN_ALIGN_8192BYTES )
264 | {
265 | }
266 | if( sect_hdr->Characteristics & IMAGE_SCN_LNK_NRELOC_OVFL )
267 | {
268 | }
269 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_DISCARDABLE )
270 | {
271 | }
272 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_NOT_CACHED )
273 | {
274 | }
275 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_NOT_PAGED )
276 | {
277 | }
278 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_SHARED )
279 | {
280 | }
281 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_EXECUTE )
282 | {
283 | }
284 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_READ )
285 | {
286 | }
287 | if( sect_hdr->Characteristics & IMAGE_SCN_MEM_WRITE )
288 | {
289 | }
290 |
291 | return 0;
292 | }
293 |
294 | int get_standard_data_dir_desc( PIMAGE_DATA_DIRECTORY data_dir, dword index,
295 | char * desc_out, dword *out_buf_len )
296 | {
297 | #define MAX_DIR_DESC_LEN 1024
298 | char *type_desc;
299 | char data_dir_desc[ MAX_DIR_DESC_LEN ];
300 | int32 length;
301 |
302 | switch( index )
303 | {
304 | case IMAGE_DIRECTORY_ENTRY_EXPORT:
305 | type_desc = "Export directory: ";
306 | break;
307 | case IMAGE_DIRECTORY_ENTRY_IMPORT:
308 | type_desc = "Import directory: ";
309 | break;
310 | case IMAGE_DIRECTORY_ENTRY_RESOURCE:
311 | type_desc = "Resource directory: ";
312 | break;
313 | case IMAGE_DIRECTORY_ENTRY_EXCEPTION:
314 | type_desc = "Exception directory: ";
315 | break;
316 | case IMAGE_DIRECTORY_ENTRY_SECURITY:
317 | type_desc = "Secrity directory: ";
318 | break;
319 | case IMAGE_DIRECTORY_ENTRY_BASERELOC:
320 | type_desc = "Base Relocating directory: ";
321 | break;
322 | case IMAGE_DIRECTORY_ENTRY_DEBUG:
323 | type_desc = "Debug directory: ";
324 | break;
325 | case IMAGE_DIRECTORY_ENTRY_GLOBALPTR:
326 | type_desc = "Global pointer directory: ";
327 | break;
328 | case IMAGE_DIRECTORY_ENTRY_TLS:
329 | type_desc = "Tls directory: ";
330 | break;
331 | case IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
332 | type_desc = "Load configure directory: ";
333 | break;
334 | case IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT:
335 | break;
336 | case IMAGE_DIRECTORY_ENTRY_IAT:
337 | type_desc = "Import address table directory: ";
338 | break;
339 | default:
340 | return -1;
341 | }
342 |
343 | #define DESC_SPAN_SPACE 3
344 |
345 | sprintf( data_dir_desc, "%40s Size: %d, Virtual address: %d \n", type_desc, data_dir->Size, data_dir->VirtualAddress );
346 |
347 | if( strlen( data_dir_desc ) + sizeof( char ) > *out_buf_len )
348 | {
349 | *desc_out = '\0';
350 | *out_buf_len = strlen( data_dir_desc ) + sizeof( char );
351 | return -2;
352 | }
353 |
354 | strcpy( desc_out, data_dir_desc );
355 | *out_buf_len = strlen( data_dir_desc ) + sizeof( char );
356 | return 0;
357 | }
358 |
359 | int32 analyze_import_table( PIMAGE_IMPORT_DESCRIPTOR *import_desc )
360 | {
361 |
362 | }
363 |
364 | INT32 ErrorHandle( DWORD dwErrorCode )
365 | {
366 | DWORD dwLastError;
367 | CHAR szMsg[ MAX_MSG_LEN ];
368 |
369 | dwLastError = GetLastError();
370 | }
371 |
372 | int analyze_resource_dir()
373 | {
374 | PIMAGE_RESOURCE_DIRECTORY res_dir;
375 | res_dir->Characteristics;
376 | res_dir->TimeDateStamp;
377 | res_dir->MajorVersion;
378 | res_dir->MinorVersion;
379 | res_dir->NumberOfNamedEntries;
380 | res_dir->NumberOfIdEntries;
381 | return 0;
382 | }
383 |
384 | //int32 analyze_res_dir( PIMAGE_RESOURCE_DIRECTORY_ENTRY res_entry )
385 | //{
386 | // char *res_name;
387 | //
388 | // //if( res_entry->NameIsString )
389 | // //{
390 | // // res_name = sect_data + res_entry->Name;
391 | // // memcpy( res_name_buf, res_name->NameString, res_name->Length * sizeof( WCHAR ) );
392 | // // res_name_buf[ res_name->Length ] = L'\0';
393 | // // ret = WideCharToMultiByte( 0, 0, res_name_buf, 0, res_name_buf, MAX_RES_NAME_LEN * 2, NULL, NULL );
394 | // //}
395 | // //else
396 | // //{
397 | // // res_entry->Id;
398 | // //}
399 | //
400 | // return 0;
401 | //}
402 |
403 | int32 analyzer_res_data( PIMAGE_RESOURCE_DATA_ENTRY res_data )
404 | {
405 | res_data->OffsetToData;
406 | res_data->Size;
407 | res_data->CodePage;
408 | res_data->Reserved;
409 |
410 | return 0;
411 | }
412 |
413 | int32 analyzer_export_table( PIMAGE_EXPORT_DIRECTORY export_table )
414 | {
415 | export_table->Characteristics;
416 | export_table->TimeDateStamp;
417 | export_table->MajorVersion;
418 | export_table->MinorVersion;
419 | export_table->Name;
420 | export_table->Base;
421 | return 0;
422 | }
--------------------------------------------------------------------------------
/pe-master/pe_struct_analyzer.h:
--------------------------------------------------------------------------------
1 | #ifndef __PE_STRUCT_ANALYZER_H__
2 | #define __PE_STRUCT_ANALYZER_H__
3 |
4 |
5 | #endif //__PE_STRUCT_ANALYZER_H__
--------------------------------------------------------------------------------
/sysshell/common.h:
--------------------------------------------------------------------------------
1 | #ifndef __COMMON_H__
2 | #define __COMMON_H__
3 |
4 | //#define _PRINT_DEBUG
5 | //#define _RING3_TEST
6 | //#define _BP_DEBUG
7 | //D:\AntiArp\sysshell\xp_sys\ntfs.sys D:\AntiArp\sysshell\xp_sys\New\ntfs.sys
8 | //D:\AntiArp\output\i386\AntiArp.sys D:\AntiArp\output\i386\NEW\AntiArp.sys
9 | //D:\AntiArp\SevenLayersFW\bin\debug\i386\sevenfw.sys D:\AntiArp\SevenLayersFW\bin\debug\i386\NEW\sevenfw.sys
10 | //E:\WinDDK\7600.16385.1\src\general\cancel\sys\objchk_wxp_x86\i386\cancel.sys E:\WinDDK\7600.16385.1\src\general\cancel\sys\objchk_wxp_x86\new\cancel.sys
11 | //E:\WinDDK\7600.16385.1\src\general\cancel\sys\objchk_wxp_x86\i386\DIYTools.exe E:\WinDDK\7600.16385.1\src\general\cancel\sys\objchk_wxp_x86\i386\DIYTools2.exe
12 | //E:\WinDDK\7600.16385.1\src\general\event\wdm\objchk_wxp_x86\i386\event.sys E:\WinDDK\7600.16385.1\src\general\event\wdm\objchk_wxp_x86\i386\event2.sys
13 | #ifdef _RING3_TEST
14 | #include
15 | #define ASSERT( x ) assert( x )
16 | #else
17 | //#define DBG 1
18 | #endif
19 |
20 | #define _WIN32_WINNT 0x0500
21 | #include
22 | #include
23 |
24 | #define ARRAY_SIZE( arr ) ( sizeof( arr ) / sizeof( arr[ 0 ] ) )
25 |
26 | #define SAFE_RELEASE_MEM( mem ) if( mem != NULL ) { free( mem ); mem = NULL; }
27 |
28 | #ifdef _DEBUG
29 | #ifdef _WIN32
30 | #define DBGPRINT( _x_ ) printf _x_
31 | #else
32 | #define DBGPRINT( _x_ ) DbgPrint _x_
33 | #endif
34 | #else
35 | #ifdef _WIN32
36 | #define DBGPRINT( _x_ )
37 | #else
38 | #define DBGPRINT( _x_ )
39 | #endif
40 | #endif
41 |
42 | #define PACK_FILE_SECTION_FLAGS 0xE0000040
43 | #define SHELL_SECTION_INDEX 2
44 | #define PACK_DATA_SECTION_INDEX 1
45 | #define UNPACK_SPACE_SECTION_INDEX 0
46 | #define REMAIN_SECTION_NUM 3
47 |
48 | #define INLINE __inline
49 |
50 | #endif //__COMMON_H__
--------------------------------------------------------------------------------
/sysshell/file_depack.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 |
21 | #include "depacks.h"
22 |
23 | /* internal data structure */
24 | typedef struct {
25 | const unsigned char *source;
26 | unsigned int srclen;
27 | unsigned char *destination;
28 | unsigned int dstlen;
29 | unsigned int tag;
30 | unsigned int bitcount;
31 | } APDEPACKSAFEDATA;
32 |
33 | static int aP_getbit_safe(APDEPACKSAFEDATA *ud, unsigned int *result)
34 | {
35 | unsigned int bit;
36 |
37 | /* check if tag is empty */
38 | if (!ud->bitcount--)
39 | {
40 | if (!ud->srclen--) return 0;
41 |
42 | /* load next tag */
43 | ud->tag = *ud->source++;
44 | ud->bitcount = 7;
45 | }
46 |
47 | /* shift bit out of tag */
48 | bit = (ud->tag >> 7) & 0x01;
49 | ud->tag <<= 1;
50 |
51 | *result = bit;
52 |
53 | return 1;
54 | }
55 |
56 | static int aP_getgamma_safe(APDEPACKSAFEDATA *ud, unsigned int *result)
57 | {
58 | unsigned int bit;
59 | unsigned int v = 1;
60 |
61 | /* input gamma2-encoded bits */
62 | do {
63 |
64 | if (!aP_getbit_safe(ud, &bit)) return 0;
65 |
66 | v = (v << 1) + bit;
67 |
68 | if (!aP_getbit_safe(ud, &bit)) return 0;
69 |
70 | } while (bit);
71 |
72 | *result = v;
73 |
74 | return 1;
75 | }
76 |
77 | unsigned int aP_depack_safe(const void *source,
78 | unsigned int srclen,
79 | void *destination,
80 | unsigned int dstlen)
81 | {
82 | APDEPACKSAFEDATA ud;
83 | unsigned int offs, len, R0, LWM, bit;
84 | int done;
85 | int i;
86 |
87 | if (!source || !destination) return APLIB_ERROR;
88 |
89 | ud.source = (const unsigned char *) source;
90 | ud.srclen = srclen;
91 | ud.destination = (unsigned char *) destination;
92 | ud.dstlen = dstlen;
93 | ud.bitcount = 0;
94 |
95 | LWM = 0;
96 | done = 0;
97 |
98 | /* first byte verbatim */
99 | if (!ud.srclen-- || !ud.dstlen--) return APLIB_ERROR;
100 | *ud.destination++ = *ud.source++;
101 |
102 | /* main decompression loop */
103 | while (!done)
104 | {
105 | if (!aP_getbit_safe(&ud, &bit)) return APLIB_ERROR;
106 |
107 | if (bit)
108 | {
109 | if (!aP_getbit_safe(&ud, &bit)) return APLIB_ERROR;
110 |
111 | if (bit)
112 | {
113 | if (!aP_getbit_safe(&ud, &bit)) return APLIB_ERROR;
114 |
115 | if (bit)
116 | {
117 | offs = 0;
118 |
119 | for (i = 4; i; i--)
120 | {
121 | if (!aP_getbit_safe(&ud, &bit)) return APLIB_ERROR;
122 | offs = (offs << 1) + bit;
123 | }
124 |
125 | if (offs)
126 | {
127 | if (offs > (dstlen - ud.dstlen)) return APLIB_ERROR;
128 |
129 | if (!ud.dstlen--) return APLIB_ERROR;
130 |
131 | *ud.destination = *(ud.destination - offs);
132 | ud.destination++;
133 |
134 | } else {
135 |
136 | if (!ud.dstlen--) return APLIB_ERROR;
137 |
138 | *ud.destination++ = 0x00;
139 | }
140 |
141 | LWM = 0;
142 |
143 | } else {
144 |
145 | if (!ud.srclen--) return APLIB_ERROR;
146 |
147 | offs = *ud.source++;
148 |
149 | len = 2 + (offs & 0x0001);
150 |
151 | offs >>= 1;
152 |
153 | if (offs)
154 | {
155 | if (offs > (dstlen - ud.dstlen)) return APLIB_ERROR;
156 |
157 | if (len > ud.dstlen) return APLIB_ERROR;
158 |
159 | ud.dstlen -= len;
160 |
161 | for (; len; len--)
162 | {
163 | *ud.destination = *(ud.destination - offs);
164 | ud.destination++;
165 | }
166 | } else done = 1;
167 |
168 | R0 = offs;
169 | LWM = 1;
170 | }
171 |
172 | } else {
173 |
174 | if (!aP_getgamma_safe(&ud, &offs)) return APLIB_ERROR;
175 |
176 | if ((LWM == 0) && (offs == 2))
177 | {
178 | offs = R0;
179 |
180 | if (!aP_getgamma_safe(&ud, &len)) return APLIB_ERROR;
181 |
182 | if (offs > (dstlen - ud.dstlen)) return APLIB_ERROR;
183 |
184 | if (len > ud.dstlen) return APLIB_ERROR;
185 |
186 | ud.dstlen -= len;
187 |
188 | for (; len; len--)
189 | {
190 | *ud.destination = *(ud.destination - offs);
191 | ud.destination++;
192 | }
193 |
194 | } else {
195 |
196 | if (LWM == 0) offs -= 3; else offs -= 2;
197 |
198 | if (!ud.srclen--) return APLIB_ERROR;
199 |
200 | offs <<= 8;
201 | offs += *ud.source++;
202 |
203 | if (!aP_getgamma_safe(&ud, &len)) return APLIB_ERROR;
204 |
205 | if (offs >= 32000) len++;
206 | if (offs >= 1280) len++;
207 | if (offs < 128) len += 2;
208 |
209 | if (offs > (dstlen - ud.dstlen)) return APLIB_ERROR;
210 |
211 | if (len > ud.dstlen) return APLIB_ERROR;
212 |
213 | ud.dstlen -= len;
214 |
215 | for (; len; len--)
216 | {
217 | *ud.destination = *(ud.destination - offs);
218 | ud.destination++;
219 | }
220 |
221 | R0 = offs;
222 | }
223 |
224 | LWM = 1;
225 | }
226 |
227 | } else {
228 |
229 | if (!ud.srclen-- || !ud.dstlen--) return APLIB_ERROR;
230 | *ud.destination++ = *ud.source++;
231 | LWM = 0;
232 | }
233 | }
234 |
235 | return ud.destination - (unsigned char *) destination;
236 | }
237 |
--------------------------------------------------------------------------------
/sysshell/file_depack.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 |
21 | #ifndef DEPACKS_H_INCLUDED
22 | #define DEPACKS_H_INCLUDED
23 |
24 | #ifdef __cplusplus
25 | extern "C" {
26 | #endif
27 |
28 | #ifndef APLIB_ERROR
29 | # define APLIB_ERROR (-1)
30 | #endif
31 |
32 | /* function prototype */
33 | unsigned int aP_depack_safe(const void *source,
34 | unsigned int srclen,
35 | void *destination,
36 | unsigned int dstlen);
37 |
38 | #ifdef __cplusplus
39 | } /* extern "C" */
40 | #endif
41 |
42 | #endif /* DEPACKS_H_INCLUDED */
43 |
--------------------------------------------------------------------------------
/sysshell/file_pack.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/sysshell/file_pack.h
--------------------------------------------------------------------------------
/sysshell/img_chk_sum.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/sysshell/img_chk_sum.h
--------------------------------------------------------------------------------
/sysshell/import_code.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/sysshell/import_code.h
--------------------------------------------------------------------------------
/sysshell/pe_file_map.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/sysshell/pe_file_map.h
--------------------------------------------------------------------------------
/sysshell/res_parse.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/sysshell/res_parse.h
--------------------------------------------------------------------------------
/sysshell/section_build.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/sysshell/section_build.h
--------------------------------------------------------------------------------
/sysshell/shell_builder.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2010 coderebasoft
3 | *
4 | * This file is part of PEMaster.
5 | *
6 | * PEMaster is free software: you can redistribute it and/or modify
7 | * it under the terms of the GNU General Public License as published by
8 | * the Free Software Foundation, either version 3 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * PEMaster is distributed in the hope that it will be useful,
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | *
16 | * You should have received a copy of the GNU General Public License
17 | * along with PEMaster. If not, see .
18 | *
19 | */
20 |
21 | VOID __stdcall reloc_parse( PIMAGE_BASE_RELOCATION base_reloc, PBYTE img_base_to_loc )
22 | {
23 | PDWORD reloc_addr;
24 | INT32 count;
25 | INT32 type;
26 | INT32 i;
27 |
28 | while( base_reloc->SizeOfBlock )
29 | {
30 | count = base_reloc->SizeOfBlock / 2;
31 |
32 | DBGPRINT( ( "base reloc count is %d\n", count ) );
33 |
34 | for( i = 0; i < count; i++ )
35 | {
36 | type = base_reloc->TypeOffset[ i ] >> 0x0c;
37 |
38 | DBGPRINT( ( "base reloc type is %d\n", type ) );
39 |
40 | if( type == 3 )
41 | {
42 |
43 | reloc_addr = ( PDWORD )( ( DWORD )( base_reloc->TypeOffset[ i ] & 0x0fff ) + base_reloc->VirtualAddress + img_base_to_loc );
44 |
45 | DBGPRINT( ( "base reloc addr is 0x%0.8x\n", *reloc_addr ) );
46 |
47 | //*reloc_addr = *reloc_addr + ( unpack_image_base - org_pack_image_base_rec );
48 | }
49 | }
50 |
51 | base_reloc = ( PIMAGE_BASE_RELOCATION )( ( DWORD )base_reloc + base_reloc->SizeOfBlock );
52 | DBGPRINT( ( "locate to next base reloc \n" ) );
53 | }
54 | }
55 |
56 | //typedef struct __IMAGE_BASE_RELOCATION
57 | //{
58 | // DWORD VirtualAddress;
59 | // DWORD SizeOfBlock;
60 | // WORD TypeOffset[1];
61 | //} IMAGE_BASE_RELOCATION;
62 | //typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION;
63 |
64 | INT32 build_reloc_table( PBYTE reloc_tbl, DWORD vaddr )
65 | {
66 | PIMAGE_BASE_RELOCATION reloc;
67 | INT32 count;
68 | INT32 offset;
69 | INT32 i;
70 |
71 | reloc = ( PIMAGE_BASE_RELOCATION )reloc_tbl;
72 | reloc->SizeOfBlock = 8;
73 | reloc->VirtualAddress = vaddr;
74 |
75 | count = 4;
76 |
77 | for( i = 0; i < count; i ++ )
78 | {
79 | reloc->TypeOffset[ i ] |= 0x03000000;
80 | }
81 |
82 | offset = ( DWORD )&shell_infos - vaddr;
83 | reloc->TypeOffset[ 0 ] |= ( offset & 0x00ffffff );
84 |
85 | offset = ( DWORD )&pack_infos - vaddr;
86 | reloc->TypeOffset[ 1 ] |= ( offset & 0x00ffffff );
87 |
88 | #ifdef _PRINT_DEBUG
89 | offset = ( DWORD )&dbg_print_func_name - vaddr;
90 | reloc->TypeOffset[ 2 ] |= ( offset & 0x00ffffff );
91 | #endif
92 |
93 | offset = ( DWORD )&depend_module - vaddr;
94 | reloc->TypeOffset[ 3 ] |= ( offset & 0x00ffffff );
95 | return 0;
96 | }
97 | //
98 | //#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
99 | //#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
100 | //#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
101 | //#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
102 | //#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
103 | //#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
104 | //#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
105 | //// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
106 | //#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
107 | //#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
108 | //#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
109 | //#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
110 | //#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
111 | //#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
112 | //#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
113 | //#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
114 | INT32 gen_shell_code()
115 | {
116 | INT32 ret;
117 | DWORD writed;
118 | DWORD shell_code_size;
119 | DWORD no_pack_res_addr;
120 | DWORD shell_file_size;
121 | DWORD shell_sect_size;
122 | DWORD err_code;
123 |
124 | shell_code_size = ( DWORD )end - ( DWORD )aP_getbit_safe;
125 |
126 | DBGPRINT( ( "shellcode region: 0x%0.8x - 0x%0.8x size: %d\n",
127 | ( DWORD )end,
128 | ( DWORD )aP_getbit_safe,
129 | shell_code_size ) );
130 |
131 | get_img_res_dir();
132 |
133 | no_pack_res_addr = img_section_hdrs[ PACK_DATA_SECTION_INDEX ].VirtualAddress + img_section_hdrs[ PACK_DATA_SECTION_INDEX ].Misc.VirtualSize + shell_code_size + img_res_dir_size;
134 |
135 | free( img_res_dir );
136 |
137 | reloc_type_res( 0x3, no_pack_res_addr );
138 | reloc_type_res( 0xe, no_pack_res_addr );
139 | reloc_type_res( 0x10, no_pack_res_addr );
140 | reloc_type_res( 0x18, no_pack_res_addr );
141 |
142 | get_img_res_dir();
143 |
144 | shell_infos[ IMPORT_RVA ] = img_section_hdrs[ PACK_DATA_SECTION_INDEX ].VirtualAddress +
145 | img_section_hdrs[ PACK_DATA_SECTION_INDEX ].Misc.VirtualSize +
146 | shell_code_size +
147 | img_res_dir_size +
148 | no_pack_res_size;
149 |
150 | shell_file_size = shell_code_size +
151 | img_res_dir_size +
152 | no_pack_res_size +
153 | import_codes_size;
154 |
155 | img_section_hdrs[ SHELL_SECTION_INDEX ].Characteristics = PACK_FILE_SECTION_FLAGS;
156 | shell_sect_size = align( shell_file_size, img_file_align );
157 |
158 | img_section_hdrs[ SHELL_SECTION_INDEX ].SizeOfRawData = shell_sect_size;
159 | img_section_hdrs[ SHELL_SECTION_INDEX ].Misc.VirtualSize = align( shell_file_size, img_section_align );
160 |
161 | strcpy( ( CHAR* )img_section_hdrs[ SHELL_SECTION_INDEX ].Name, ".ptxt" );
162 |
163 | img_section_hdrs[ SHELL_SECTION_INDEX ].VirtualAddress = img_section_hdrs[ PACK_DATA_SECTION_INDEX ].VirtualAddress + img_section_hdrs[ PACK_DATA_SECTION_INDEX ].Misc.VirtualSize;
164 |
165 | img_section_hdrs[ SHELL_SECTION_INDEX ].PointerToRawData = img_section_hdrs[ PACK_DATA_SECTION_INDEX ].PointerToRawData + img_section_hdrs[ PACK_DATA_SECTION_INDEX ].SizeOfRawData;
166 |
167 | shell_infos[ OEP ] = img_nt_hdr->OptionalHeader.AddressOfEntryPoint;
168 | img_nt_hdr->OptionalHeader.AddressOfEntryPoint = img_section_hdrs[ SHELL_SECTION_INDEX ].VirtualAddress;
169 | img_nt_hdr->OptionalHeader.AddressOfEntryPoint += ( ( DWORD )( PVOID )DriverEntry -( DWORD )( PVOID )aP_getbit_safe );
170 |
171 | shell_infos[ RELOC_RVA ] = img_nt_hdr->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ].VirtualAddress;
172 |
173 | reloc_parse( ( PIMAGE_BASE_RELOCATION )( img_base + shell_infos[ RELOC_RVA ] ), img_base );
174 |
175 | #define ADDED_RELOC_SIZE 16
176 | img_nt_hdr->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ].VirtualAddress = 0;
177 | img_nt_hdr->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ].Size = 0; //ADDED_RELOC_SIZE;
178 |
179 | img_nt_hdr->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG ].VirtualAddress = 0;
180 | img_nt_hdr->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG ].Size = 0;
181 |
182 | //build_reloc_table( reloc_tbl, img_section_hdrs[ SHELL_SECTION_INDEX ].VirtualAddress );
183 |
184 | img_nt_hdr->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ].Size = 0;
185 | img_nt_hdr->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ].VirtualAddress = 0;
186 |
187 | img_nt_hdr->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_RESOURCE ].VirtualAddress = img_section_hdrs[ SHELL_SECTION_INDEX ].VirtualAddress + shell_code_size;
188 |
189 | img_nt_hdr->OptionalHeader.SizeOfImage = img_section_hdrs[ SHELL_SECTION_INDEX ].VirtualAddress + img_section_hdrs[ SHELL_SECTION_INDEX ].Misc.VirtualSize;
190 |
191 | {
192 | ULONG cur_pos;
193 | cur_pos = SetFilePointer( packed_file, 0, NULL, SEEK_CUR );
194 | DBGPRINT( ( "current file position is %d\n", cur_pos ) );
195 | }
196 |
197 | if( !WriteFile( packed_file, aP_getbit_safe, shell_code_size, &writed, NULL ) )
198 | {
199 | err_code = GetLastError();
200 |
201 | DBGPRINT( ( "write shell failed\n" ) );
202 | ret = FALSE;
203 | goto _err_return;
204 | }
205 |
206 | DBGPRINT( ( "shell code writed: %d, writed %d\n", shell_code_size, writed ) );
207 |
208 | if( !WriteFile( packed_file, img_res_dir, img_res_dir_size, &writed, NULL ) )
209 | {
210 | DBGPRINT( ( "write res dir failed\n" ) );
211 | err_code = GetLastError();
212 |
213 | ret = FALSE;
214 | goto _err_return;
215 | }
216 |
217 | DBGPRINT( ( "res dir writed :%d, writed: %d\n", img_res_dir_size, writed ) );
218 |
219 | if( !WriteFile( packed_file, no_pack_res, no_pack_res_size, &writed, NULL ) )
220 | {
221 | DBGPRINT( ( "write no pack res failed\n" ) );
222 | ret = FALSE;
223 | goto _err_return;
224 | }
225 |
226 | DBGPRINT( ( "cant packed res writed:%d writed %d \n", no_pack_res_size, writed ) );
227 |
228 | if( !WriteFile( packed_file, import_codes, import_codes_size, &writed, NULL ) )
229 | {
230 | DBGPRINT( ( "write no pack res failed\n" ) );
231 | ret = FALSE;
232 | goto _err_return;
233 | }
234 |
235 | DBGPRINT( ( "import code writed: %d writed: %d\n", import_codes_size, writed ) );
236 |
237 | if( shell_sect_size > shell_file_size )
238 | {
239 | PVOID zero;
240 | zero = malloc( shell_sect_size - shell_file_size );
241 | memset( zero, 0, shell_sect_size - shell_file_size );
242 | if( !WriteFile( packed_file, zero, shell_sect_size - shell_file_size, &writed, NULL ) )
243 | {
244 | DBGPRINT( ( "write zero failed\n" ) );
245 | ret = FALSE;
246 | goto _err_return;
247 | }
248 |
249 | DBGPRINT( ( "writed appending data: %d writed: %d\n", shell_sect_size - shell_file_size, writed ) );
250 | }
251 |
252 | //write the pack data and shell sections in begin of the orginal file, finally.
253 | SetFilePointer( packed_file, 0, NULL, FILE_BEGIN );
254 | if( !WriteFile( packed_file, img_base, img_nt_hdr->OptionalHeader.SizeOfHeaders, &writed, NULL ) )
255 | {
256 | DBGPRINT( ( "write no pack res failed\n" ) );
257 | ret = FALSE;
258 | goto _err_return;
259 | }
260 |
261 | ret = TRUE;
262 |
263 | _err_return:
264 | ASSERT( packed_file != INVALID_HANDLE_VALUE );
265 | CloseHandle( packed_file );
266 | return ret;
267 | }
268 |
--------------------------------------------------------------------------------
/sysshell/shell_code.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/sysshell/shell_code.h
--------------------------------------------------------------------------------
/sysshell/sys_mod_packer.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/sysshell/sys_mod_packer.cpp
--------------------------------------------------------------------------------
/sysshell/sys_mod_packer.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codereba/pe-master/715e2e4de23a70ce463e1fb42bc0f51341176b57/sysshell/sys_mod_packer.h
--------------------------------------------------------------------------------
/sysshell/sysshell.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 8.00
3 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sysshell", "sysshell.vcproj", "{23D7CC49-D242-411E-9FD9-4BC7190B0EA3}"
4 | ProjectSection(ProjectDependencies) = postProject
5 | EndProjectSection
6 | EndProject
7 | Global
8 | GlobalSection(SolutionConfiguration) = preSolution
9 | Debug = Debug
10 | Release = Release
11 | EndGlobalSection
12 | GlobalSection(ProjectConfiguration) = postSolution
13 | {23D7CC49-D242-411E-9FD9-4BC7190B0EA3}.Debug.ActiveCfg = Debug|Win32
14 | {23D7CC49-D242-411E-9FD9-4BC7190B0EA3}.Debug.Build.0 = Debug|Win32
15 | {23D7CC49-D242-411E-9FD9-4BC7190B0EA3}.Release.ActiveCfg = Release|Win32
16 | {23D7CC49-D242-411E-9FD9-4BC7190B0EA3}.Release.Build.0 = Release|Win32
17 | EndGlobalSection
18 | GlobalSection(ExtensibilityGlobals) = postSolution
19 | EndGlobalSection
20 | GlobalSection(ExtensibilityAddIns) = postSolution
21 | EndGlobalSection
22 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
23 | Debug|Win32 = Debug|Win32
24 | Release|Win32 = Release|Win32
25 | EndGlobalSection
26 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
27 | {23D7CC49-D242-411E-9FD9-4BC7190B0EA3}.Debug|Win32.ActiveCfg = Debug|Win32
28 | {23D7CC49-D242-411E-9FD9-4BC7190B0EA3}.Debug|Win32.Build.0 = Debug|Win32
29 | {23D7CC49-D242-411E-9FD9-4BC7190B0EA3}.Release|Win32.ActiveCfg = Release|Win32
30 | {23D7CC49-D242-411E-9FD9-4BC7190B0EA3}.Release|Win32.Build.0 = Release|Win32
31 | EndGlobalSection
32 | GlobalSection(SolutionProperties) = preSolution
33 | HideSolutionNode = FALSE
34 | EndGlobalSection
35 | EndGlobal
36 |
--------------------------------------------------------------------------------
/sysshell/sysshell.vcproj:
--------------------------------------------------------------------------------
1 |
2 |
7 |
8 |
10 |
11 |
12 |
20 |
44 |
46 |
62 |
66 |
68 |
70 |
72 |
76 |
78 |
80 |
82 |
84 |
86 |
87 |
95 |
107 |
109 |
117 |
121 |
123 |
125 |
127 |
131 |
133 |
135 |
137 |
139 |
141 |
142 |
143 |
144 |
145 |
146 |
149 |
151 |
152 |
153 |
156 |
158 |
159 |
161 |
162 |
164 |
165 |
167 |
168 |
170 |
171 |
173 |
174 |
176 |
177 |
179 |
180 |
182 |
183 |
185 |
186 |
188 |
189 |
191 |
192 |
193 |
196 |
197 |
199 |
200 |
201 |
202 |
203 |
204 |
--------------------------------------------------------------------------------