SickGear/lib/hachoir/parser/program/exe_pe.py

225 lines
9.6 KiB
Python

from hachoir.field import (FieldSet, ParserError,
Bit, UInt8, UInt16, UInt32, UInt64, TimestampUnix32,
Bytes, String, Enum,
PaddingBytes, PaddingBits, NullBytes, NullBits)
from hachoir.core.text_handler import textHandler, hexadecimal, filesizeHandler
class SectionHeader(FieldSet):
static_size = 40 * 8
def createFields(self):
yield String(self, "name", 8, charset="ASCII", strip="\0 ")
yield filesizeHandler(UInt32(self, "mem_size", "Size in memory"))
yield textHandler(UInt32(self, "rva", "RVA (location) in memory"), hexadecimal)
yield filesizeHandler(UInt32(self, "phys_size", "Physical size (on disk)"))
yield filesizeHandler(UInt32(self, "phys_off", "Physical location (on disk)"))
yield PaddingBytes(self, "reserved", 12)
# 0x0000000#
yield NullBits(self, "reserved[]", 4)
# 0x000000#0
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "has_code", "Contains code")
yield Bit(self, "has_init_data", "Contains initialized data")
yield Bit(self, "has_uninit_data", "Contains uninitialized data")
# 0x00000#00
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "has_comment", "Contains comments?")
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "remove", "Contents will not become part of image")
# 0x0000#000
yield Bit(self, "has_comdata", "Contains comdat?")
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "no_defer_spec_exc", "Reset speculative exceptions handling bits in the TLB entries")
yield Bit(self, "gp_rel", "Content can be accessed relative to GP")
# 0x000#0000
yield NullBits(self, "reserved[]", 4)
# 0x00#00000
yield NullBits(self, "reserved[]", 4)
# 0x0#000000
yield Bit(self, "ext_reloc", "Contains extended relocations?")
yield Bit(self, "discarded", "Can be discarded?")
yield Bit(self, "is_not_cached", "Is not cachable?")
yield Bit(self, "is_not_paged", "Is not pageable?")
# 0x#0000000
yield Bit(self, "is_shareable", "Is shareable?")
yield Bit(self, "is_executable", "Is executable?")
yield Bit(self, "is_readable", "Is readable?")
yield Bit(self, "is_writable", "Is writable?")
def rva2file(self, rva):
return self["phys_off"].value + (rva - self["rva"].value)
def createDescription(self):
rva = self["rva"].value
size = self["mem_size"].value
info = [
"rva=0x%08x..0x%08x" % (rva, rva + size),
"size=%s" % self["mem_size"].display,
]
if self["is_executable"].value:
info.append("exec")
if self["is_readable"].value:
info.append("read")
if self["is_writable"].value:
info.append("write")
return 'Section "%s": %s' % (self["name"].value, ", ".join(info))
def createSectionName(self):
try:
name = str(self["name"].value.strip("."))
if name:
return "section_%s" % name
except Exception as err:
self.warning(str(err))
return "section[]"
class DataDirectory(FieldSet):
def createFields(self):
yield textHandler(UInt32(self, "rva", "Virtual address"), hexadecimal)
yield filesizeHandler(UInt32(self, "size"))
def createDescription(self):
if self["size"].value:
return "Directory at %s (%s)" % (
self["rva"].display, self["size"].display)
else:
return "(empty directory)"
class PE_Header(FieldSet):
static_size = 24 * 8
cpu_name = {
0x014C: "Intel 80386",
0x014D: "Intel 80486",
0x014E: "Intel Pentium",
0x0160: "R3000 (MIPS), big endian",
0x0162: "R3000 (MIPS), little endian",
0x0166: "R4000 (MIPS), little endian",
0x0168: "R10000 (MIPS), little endian",
0x0184: "DEC Alpha AXP",
0x01a2: "Hitachi SH3",
0x01a6: "Hitachi SH4",
0x01c0: "ARM",
0x01F0: "IBM Power PC, little endian",
0x0200: "Intel IA64",
0x0266: "MIPS",
0x0268: "Motorola 68000",
0x0284: "Alpha AXP 64 bits",
0x0366: "MIPS with FPU",
0x0466: "MIPS16 with FPU",
}
def createFields(self):
yield Bytes(self, "header", 4, r"PE header signature (PE\0\0)")
if self["header"].value != b"PE\0\0":
raise ParserError("Invalid PE header signature")
yield Enum(UInt16(self, "cpu", "CPU type"), self.cpu_name)
yield UInt16(self, "nb_section", "Number of sections")
yield TimestampUnix32(self, "creation_date", "Creation date")
yield UInt32(self, "ptr_to_sym", "Pointer to symbol table")
yield UInt32(self, "nb_symbols", "Number of symbols")
yield UInt16(self, "opt_hdr_size", "Optional header size")
yield Bit(self, "reloc_stripped", "If true, don't contain base relocations.")
yield Bit(self, "exec_image", "Executable image?")
yield Bit(self, "line_nb_stripped", "COFF line numbers stripped?")
yield Bit(self, "local_sym_stripped", "COFF symbol table entries stripped?")
yield Bit(self, "aggr_ws", "Aggressively trim working set")
yield Bit(self, "large_addr", "Application can handle addresses greater than 2 GB")
yield NullBits(self, "reserved", 1)
yield Bit(self, "reverse_lo", "Little endian: LSB precedes MSB in memory")
yield Bit(self, "32bit", "Machine based on 32-bit-word architecture")
yield Bit(self, "is_stripped", "Debugging information removed?")
yield Bit(self, "swap", "If image is on removable media, copy and run from swap file")
yield PaddingBits(self, "reserved2", 1)
yield Bit(self, "is_system", "It's a system file")
yield Bit(self, "is_dll", "It's a dynamic-link library (DLL)")
yield Bit(self, "up", "File should be run only on a UP machine")
yield Bit(self, "reverse_hi", "Big endian: MSB precedes LSB in memory")
class PE_OptHeader(FieldSet):
SUBSYSTEM_NAME = {
1: "Native",
2: "Windows GUI",
3: "Windows CUI",
5: "OS/2 CUI",
7: "POSIX CUI",
8: "Native Windows",
9: "Windows CE GUI",
10: "EFI application",
11: "EFI boot service driver",
12: "EFI runtime driver",
13: "EFI ROM",
14: "XBOX",
16: "Windows boot application",
}
DIRECTORY_NAME = {
0: "export",
1: "import",
2: "resource",
3: "exception",
4: "certificate",
5: "relocation",
6: "debug",
7: "description",
8: "global_ptr",
9: "tls", # Thread local storage
10: "load_config",
11: "bound_import",
12: "import_address",
}
def createFields(self):
yield UInt16(self, "signature", "PE optional header signature (0x010b | 0x020b)")
if self["signature"].value != 0x010b and self["signature"].value != 0x020b:
raise ParserError("Invalid PE optional header signature")
is_pe32plus = self["signature"].value == 0x020b
VarUInt = UInt64 if is_pe32plus else UInt32
yield UInt8(self, "maj_lnk_ver", "Major linker version")
yield UInt8(self, "min_lnk_ver", "Minor linker version")
yield filesizeHandler(UInt32(self, "size_code", "Size of code"))
yield filesizeHandler(UInt32(self, "size_init_data", "Size of initialized data"))
yield filesizeHandler(UInt32(self, "size_uninit_data", "Size of uninitialized data"))
yield textHandler(UInt32(self, "entry_point", "Address (RVA) of the code entry point"), hexadecimal)
yield textHandler(UInt32(self, "base_code", "Base (RVA) of code"), hexadecimal)
if not is_pe32plus:
yield textHandler(UInt32(self, "base_data", "Base (RVA) of data"), hexadecimal)
yield textHandler(VarUInt(self, "image_base", "Image base (RVA)"), hexadecimal)
yield filesizeHandler(UInt32(self, "sect_align", "Section alignment"))
yield filesizeHandler(UInt32(self, "file_align", "File alignment"))
yield UInt16(self, "maj_os_ver", "Major OS version")
yield UInt16(self, "min_os_ver", "Minor OS version")
yield UInt16(self, "maj_img_ver", "Major image version")
yield UInt16(self, "min_img_ver", "Minor image version")
yield UInt16(self, "maj_subsys_ver", "Major subsystem version")
yield UInt16(self, "min_subsys_ver", "Minor subsystem version")
yield NullBytes(self, "reserved", 4)
yield filesizeHandler(UInt32(self, "size_img", "Size of image"))
yield filesizeHandler(UInt32(self, "size_hdr", "Size of headers"))
yield textHandler(UInt32(self, "checksum"), hexadecimal)
yield Enum(UInt16(self, "subsystem"), self.SUBSYSTEM_NAME)
yield UInt16(self, "dll_flags")
yield filesizeHandler(VarUInt(self, "size_stack_reserve"))
yield filesizeHandler(VarUInt(self, "size_stack_commit"))
yield filesizeHandler(VarUInt(self, "size_heap_reserve"))
yield filesizeHandler(VarUInt(self, "size_heap_commit"))
yield UInt32(self, "loader_flags")
yield UInt32(self, "nb_directory", "Number of RVA and sizes")
for index in range(self["nb_directory"].value):
try:
name = self.DIRECTORY_NAME[index]
except KeyError:
name = "data_dir[%u]" % index
yield DataDirectory(self, name)
def createDescription(self):
return "PE optional header: %s, entry point %s" % (
self["subsystem"].display,
self["entry_point"].display)