binlex
pe.h
1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <stdint.h>
4 
5 #ifndef PE_H
6 #define PE_H
7 
// File signatures expressed as integers.
// NOTE(review): PE_MAGIC_PE equals the on-disk bytes 'P','E',0,0 read as a
// little-endian integer, but PE_MAGIC_MZ is the big-endian reading of the
// on-disk bytes 'M','Z' (a little-endian 16-bit read of e_magic yields 0x5a4d).
// The comparison sites are not in this header; confirm which form each expects.
#define PE_MAGIC_PE          0x4550
#define PE_MAGIC_MZ          0x4d5a

// Size limits for DLL and function names (presumably buffer sizes for
// import/export parsing; the users are not in this header).
#define PE_MAX_DLL_NAME      256
#define PE_MAX_FUNCTION_NAME 512

// Values for Pe::mode.
#define PE_MODE_UNSET        0
#define PE_MODE_X86          1
#define PE_MODE_X86_64       2

// Capacities of the fixed-size arrays declared in this header.
// NumberOfSections and NumberOfRvaAndSizes are read from the input file, so a
// parser has to reject or clamp them against PE_MAX_SECTIONS and
// PE_MAX_DIRECTORIES before using them as loop bounds or indexes.
// A section name that fills all PE_SECTION_NAME_SIZE bytes has no terminating
// NUL; copy or print it with an explicit length.
#define PE_MAX_SECTIONS      32
#define PE_SECTION_NAME_SIZE 8
#define PE_MAX_DIRECTORIES   16
18 
19 namespace binlex{
20 
// Index of each entry in the optional header's DataDirectory array.
// The array holds PE_MAX_DIRECTORIES (16) slots; the count a file claims
// (NumberOfRvaAndSizes) is untrusted and should be checked before an index
// from this enum is used.
typedef enum {
    IMAGE_DIRECTORY_ENTRY_EXPORT         = 0,  // export table
    IMAGE_DIRECTORY_ENTRY_IMPORT         = 1,  // import table
    IMAGE_DIRECTORY_ENTRY_RESOURCE       = 2,  // resource table
    IMAGE_DIRECTORY_ENTRY_EXCEPTION      = 3,  // exception table
    // Certificate (Authenticode) table. Unlike the other entries, its
    // VirtualAddress field is a file offset rather than an RVA.
    IMAGE_DIRECTORY_ENTRY_SECURITY       = 4,
    IMAGE_DIRECTORY_ENTRY_BASERELOC      = 5,  // base relocation table
    IMAGE_DIRECTORY_ENTRY_DEBUG          = 6,  // debug data
    // Slot 7 is also known as IMAGE_DIRECTORY_ENTRY_COPYRIGHT (x86 usage);
    // that alias is intentionally not defined here.
    IMAGE_DIRECTORY_ENTRY_ARCHITECTURE   = 7,  // architecture-specific data
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR      = 8,  // global pointer
    IMAGE_DIRECTORY_ENTRY_TLS            = 9,  // thread-local storage table
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    = 10, // load configuration table
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   = 11, // bound import table
    IMAGE_DIRECTORY_ENTRY_IAT            = 12, // import address table
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   = 13, // delay-import descriptor
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14, // CLR runtime header
    IMAGE_DIRECTORY_RESERVED             = 15  // reserved, must be zero
} ImageDirectoryEntry;
40 
41 typedef struct {
42  uint32_t Characteristics;
43  uint32_t TimeDateStamp;
44  uint16_t MajorVersion;
45  uint16_t MinorVersion;
46  uint32_t Name;
47  uint32_t Base;
48  uint32_t NumberOfFunctions;
49  uint32_t NumberOfNames;
50  uint32_t AddressOfFunctions;
51  uint32_t AddressOfNames;
52  uint32_t AddressOfNameOrdinals;
54 
55 typedef struct {
56  uint32_t StartAddressOfRawData;
57  uint32_t EndAddressOfRawData;
58  uint32_t AddressOfIndex;
59  uint32_t AddressOfCallBacks; // PIMAGE_TLS_CALLBACK
60  uint32_t SizeOfZeroFill;
61  uint32_t Characteristics; // reserved for future use
63 
64 typedef struct {
65  uint64_t StartAddressOfRawData;
66  uint64_t EndAddressOfRawData;
67  uint64_t AddressOfIndex;
68  uint64_t AddressOfCallBacks;
69  uint32_t SizeOfZeroFill;
70  uint32_t Characteristics;
72 
73 typedef struct {
74  uint32_t VirtualAddress;
75  uint32_t Size;
77 
// Target-machine identifiers for the 16-bit Machine field of the COFF header.
// Listed in ascending numeric order. The field comes straight from the input
// file, so it may hold a value that is not listed here.
typedef enum {
    IMAGE_FILE_MACHINE_UNKNOWN   = 0x0,
    IMAGE_FILE_MACHINE_I386      = 0x14c,
    IMAGE_FILE_MACHINE_R4000     = 0x166,
    IMAGE_FILE_MACHINE_WCEMIPSV2 = 0x169,
    IMAGE_FILE_MACHINE_SH3       = 0x1a2,
    IMAGE_FILE_MACHINE_SH3DSP    = 0x1a3,
    IMAGE_FILE_MACHINE_SH4       = 0x1a6,
    IMAGE_FILE_MACHINE_SH5       = 0x1a8,
    IMAGE_FILE_MACHINE_ARM       = 0x1c0,
    IMAGE_FILE_MACHINE_THUMB     = 0x1c2,
    IMAGE_FILE_MACHINE_ARMV7     = 0x1c4,
    IMAGE_FILE_MACHINE_AM33      = 0x1d3,
    IMAGE_FILE_MACHINE_POWERPC   = 0x1f0,
    IMAGE_FILE_MACHINE_POWERPCFP = 0x1f1,
    IMAGE_FILE_MACHINE_IA64      = 0x200,
    IMAGE_FILE_MACHINE_MIPS16    = 0x266,
    IMAGE_FILE_MACHINE_MIPSFPU   = 0x366,
    IMAGE_FILE_MACHINE_MIPSFPU16 = 0x466,
    IMAGE_FILE_MACHINE_EBC       = 0xebc,
    IMAGE_FILE_MACHINE_AMD64     = 0x8664,
    IMAGE_FILE_MACHINE_M32R      = 0x9041,
    IMAGE_FILE_MACHINE_CEE       = 0xc0ee
} MachineType;
102 
// Bit flags for the 16-bit Characteristics field of the COFF file header.
typedef enum {
    // Image only (Windows CE, Windows NT and above). The file carries no base
    // relocations, so it has to be loaded at its preferred base address; the
    // loader reports an error when that address is unavailable. Linkers strip
    // base relocations from EXEs by default.
    IMAGE_FILE_RELOCS_STRIPPED         = 0x0001,

    // Image only. The file is valid and can be run; a clear bit indicates a
    // linker error.
    IMAGE_FILE_EXECUTABLE_IMAGE        = 0x0002,

    // COFF line numbers were removed. Deprecated, should be zero.
    IMAGE_FILE_LINE_NUMS_STRIPPED      = 0x0004,

    // COFF symbol table entries for local symbols were removed.
    // Deprecated, should be zero.
    IMAGE_FILE_LOCAL_SYMS_STRIPPED     = 0x0008,

    // Obsolete: aggressively trim the working set. Deprecated in Windows 2000
    // and later, must be zero.
    IMAGE_FILE_AGGRESSIVE_WS_TRIM      = 0x0010,

    // The application can handle addresses above 2 GB.
    IMAGE_FILE_LARGE_ADDRESS_AWARE     = 0x0020,

    // Reserved for future use.
    IMAGE_FILE_RESERVED                = 0x0040,

    // Little endian (LSB precedes MSB in memory). Deprecated, should be zero.
    IMAGE_FILE_BYTES_REVERSED_LO       = 0x0080,

    // The machine is based on a 32-bit-word architecture.
    IMAGE_FILE_32BIT_MACHINE           = 0x0100,

    // Debugging information was removed from the image file.
    IMAGE_FILE_DEBUG_STRIPPED          = 0x0200,

    // When the image is on removable media, load it fully and copy it to the
    // swap file.
    IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = 0x0400,

    // When the image is on network media, load it fully and copy it to the
    // swap file.
    IMAGE_FILE_NET_RUN_FROM_SWAP       = 0x0800,

    // The image is a system file rather than a user program.
    IMAGE_FILE_SYSTEM                  = 0x1000,

    // The image is a dynamic-link library (DLL). DLLs count as executable
    // files for almost all purposes, although they cannot be run directly.
    IMAGE_FILE_DLL                     = 0x2000,

    // The file should be run only on a UP machine.
    IMAGE_FILE_UP_SYSTEM_ONLY          = 0x4000,

    // Big endian (MSB precedes LSB in memory). Deprecated, should be zero.
    IMAGE_FILE_BYTES_REVERSED_HI       = 0x8000
} ImageCharacteristics;
166 
167 typedef struct {
168  uint32_t Signature;
169  uint16_t Machine; // MachineType
170  uint16_t NumberOfSections;
171  uint32_t TimeDateStamp;
172  uint32_t PointerToSymbolTable;
173  uint32_t NumberOfSymbols;
174  uint16_t SizeOfOptionalHeader;
175  uint16_t Characteristics; // ImageCharacteristics
177 
178 typedef struct {
179  uint16_t e_magic;
180  uint16_t e_cblp;
181  uint16_t e_cp;
182  uint16_t e_crlc;
183  uint16_t e_cparhdr;
184  uint16_t e_minalloc;
185  uint16_t e_maxalloc;
186  uint16_t e_ss;
187  uint16_t e_sp;
188  uint16_t e_csum;
189  uint16_t e_ip;
190  uint16_t e_cs;
191  uint16_t e_lfarlc;
192  uint16_t e_ovno;
193  uint16_t e_res[4];
194  uint16_t e_oemid;
195  uint16_t e_oeminfo;
196  uint16_t e_res2[10];
197  uint32_t e_lfanew; // sizeof(IMAGE_DOS_HEADER) + size of MS-DOS stub
199 
200 // REFERENCE: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
// Values for the 16-bit Subsystem field of the optional header.
// The numbering has gaps (4, 6, 8 and 15 are not defined here), so code that
// switches on the field needs a default case for unlisted values.
typedef enum {
    IMAGE_SUBSYSTEM_UNKNOWN                  = 0,  // unknown subsystem
    IMAGE_SUBSYSTEM_NATIVE                   = 1,  // none required (device drivers, native system processes)
    IMAGE_SUBSYSTEM_WINDOWS_GUI              = 2,  // Windows graphical user interface (GUI)
    IMAGE_SUBSYSTEM_WINDOWS_CUI              = 3,  // Windows character-mode user interface (CUI)
    IMAGE_SUBSYSTEM_OS2_CUI                  = 5,  // OS/2 CUI
    IMAGE_SUBSYSTEM_POSIX_CUI                = 7,  // POSIX CUI
    IMAGE_SUBSYSTEM_WINDOWS_CE_GUI           = 9,  // Windows CE system
    IMAGE_SUBSYSTEM_EFI_APPLICATION          = 10, // Extensible Firmware Interface (EFI) application
    IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER  = 11, // EFI driver with boot services
    IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER       = 12, // EFI driver with run-time services
    IMAGE_SUBSYSTEM_EFI_ROM                  = 13, // EFI ROM image
    IMAGE_SUBSYSTEM_XBOX                     = 14, // Xbox system
    IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION = 16  // boot application
} WindowsSubsystem;
229 
230 // REFERENCE: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
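// Bit flags for the 16-bit DllCharacteristics field of the optional header.
// Several bits record which exploit mitigations the image opts into
// (DYNAMIC_BASE, HIGH_ENTROPY_VA, NX_COMPAT, GUARD_CF, FORCE_INTEGRITY), which
// makes this field useful when triaging a binary's hardening.
// Bits 0x0020, 0x1000 and 0x4000 used to be listed as reserved; they carry the
// HIGH_ENTROPY_VA, APPCONTAINER and GUARD_CF meanings and are defined here so
// that they can be reported instead of being silently ignored.
typedef enum {
    // IMAGE_DLLCHARACTERISTICS_RESERVED_1 = 0x0001,
    // IMAGE_DLLCHARACTERISTICS_RESERVED_2 = 0x0002,
    // IMAGE_DLLCHARACTERISTICS_RESERVED_4 = 0x0004,
    // IMAGE_DLLCHARACTERISTICS_RESERVED_8 = 0x0008,
    // The image can handle a high-entropy 64-bit virtual address space.
    IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020,
    // The DLL can be relocated at load time (ASLR opt-in).
    IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040,
    // Code integrity checks are forced.
    IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
    // The image is compatible with data execution prevention (DEP).
    IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100,
    // The image is isolation aware, but should not be isolated.
    IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
    // The image does not use structured exception handling (SEH).
    // No handlers can be called in this image.
    IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
    // Do not bind the image.
    IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
    // The image must execute in an AppContainer.
    IMAGE_DLLCHARACTERISTICS_APPCONTAINER = 0x1000,
    // A WDM driver.
    IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
    // The image supports Control Flow Guard.
    IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000,
    // The image is terminal server aware.
    IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
} ImageDllCharacteristics;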
256 
// Values of the optional header's Magic field. The value decides whether the
// 32-bit or the 64-bit optional-header layout applies, so it should be
// validated before either layout is read.
typedef enum {
    MAGIC_ROM  = 0x107, // ROM image
    MAGIC_PE32 = 0x10b, // PE32
    MAGIC_PE64 = 0x20b  // PE32+
} opt_type_e;
262 
263 typedef struct {
264  uint16_t Magic;
265  uint8_t MajorLinkerVersion;
266  uint8_t MinorLinkerVersion;
267  uint32_t SizeOfCode;
268  uint32_t SizeOfInitializedData;
269  uint32_t SizeOfUninitializedData;
270  uint32_t AddressOfEntryPoint;
271  uint32_t BaseOfCode;
272  uint32_t BaseOfData;
273  uint32_t BaseOfBss;
274  uint32_t GprMask;
275  uint32_t CprMask[4];
276  uint32_t GpValue;
278 
279 // REFERENCE: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
280 typedef struct {
281  uint16_t Magic;
282  uint8_t MajorLinkerVersion;
283  uint8_t MinorLinkerVersion;
284  uint32_t SizeOfCode;
285  uint32_t SizeOfInitializedData;
286  uint32_t SizeOfUninitializedData;
287  uint32_t AddressOfEntryPoint;
288  uint32_t BaseOfCode;
289  uint32_t BaseOfData; // only in PE32
290  uint32_t ImageBase;
291  uint32_t SectionAlignment;
292  uint32_t FileAlignment;
293  uint16_t MajorOperatingSystemVersion;
294  uint16_t MinorOperatingSystemVersion;
295  uint16_t MajorImageVersion;
296  uint16_t MinorImageVersion;
297  uint16_t MajorSubsystemVersion;
298  uint16_t MinorSubsystemVersion;
299  uint32_t Reserved1;
300  uint32_t SizeOfImage;
301  uint32_t SizeOfHeaders;
302  uint32_t CheckSum;
303  uint16_t Subsystem; // WindowsSubsystem
304  uint16_t DllCharacteristics;
305  uint32_t SizeOfStackReserve;
306  uint32_t SizeOfStackCommit;
307  uint32_t SizeOfHeapReserve;
308  uint32_t SizeOfHeapCommit;
309  uint32_t LoaderFlags;
310  uint32_t NumberOfRvaAndSizes;
311  IMAGE_DATA_DIRECTORY DataDirectory[PE_MAX_DIRECTORIES];
313 
314 // REFERENCE: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
315 typedef struct {
316  uint16_t Magic;
317  uint8_t MajorLinkerVersion;
318  uint8_t MinorLinkerVersion;
319  uint32_t SizeOfCode;
320  uint32_t SizeOfInitializedData;
321  uint32_t SizeOfUninitializedData;
322  uint32_t AddressOfEntryPoint;
323  uint32_t BaseOfCode;
324  uint64_t ImageBase;
325  uint32_t SectionAlignment;
326  uint32_t FileAlignment;
327  uint16_t MajorOperatingSystemVersion;
328  uint16_t MinorOperatingSystemVersion;
329  uint16_t MajorImageVersion;
330  uint16_t MinorImageVersion;
331  uint16_t MajorSubsystemVersion;
332  uint16_t MinorSubsystemVersion;
333  uint32_t Reserved1;
334  uint32_t SizeOfImage;
335  uint32_t SizeOfHeaders;
336  uint32_t CheckSum;
337  uint16_t Subsystem; // WindowsSubsystem
338  uint16_t DllCharacteristics;
339  uint64_t SizeOfStackReserve;
340  uint64_t SizeOfStackCommit;
341  uint64_t SizeOfHeapReserve;
342  uint64_t SizeOfHeapCommit;
343  uint32_t LoaderFlags; /* must be zero */
344  uint32_t NumberOfRvaAndSizes;
345  IMAGE_DATA_DIRECTORY DataDirectory[PE_MAX_DIRECTORIES];
347 
348 typedef struct {
349  uint16_t type; // opt_type_e
350  size_t length;
354 
// Bit flags for the 32-bit Characteristics field of a section header.
// The three IMAGE_SCN_MEM_* permission bits at the end are the ones that
// matter most for triage: a section that is both writable and executable
// is worth flagging in analysis output.
typedef enum {
    IMAGE_SCN_TYPE_NO_PAD            = 0x00000008, // obsolete; replaced by IMAGE_SCN_ALIGN_1BYTES

    // Content type.
    IMAGE_SCN_CNT_CODE               = 0x00000020,
    IMAGE_SCN_CNT_INITIALIZED_DATA   = 0x00000040,
    IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080,

    // Linker information.
    IMAGE_SCN_LNK_OTHER              = 0x00000100, // reserved
    IMAGE_SCN_LNK_INFO               = 0x00000200, // object files only
    IMAGE_SCN_LNK_REMOVE             = 0x00000800, // object files only
    IMAGE_SCN_LNK_COMDAT             = 0x00001000, // object files only

    IMAGE_SCN_NO_DEFER_SPEC_EXC      = 0x00004000,
    IMAGE_SCN_GPREL                  = 0x00008000,
    IMAGE_SCN_MEM_PURGEABLE          = 0x00020000, // reserved
    IMAGE_SCN_MEM_LOCKED             = 0x00040000, // reserved
    IMAGE_SCN_MEM_PRELOAD            = 0x00080000, // reserved

    // Alignment; every IMAGE_SCN_ALIGN_* value is valid only for object files.
    IMAGE_SCN_ALIGN_1BYTES           = 0x00100000,
    IMAGE_SCN_ALIGN_2BYTES           = 0x00200000,
    IMAGE_SCN_ALIGN_4BYTES           = 0x00300000,
    IMAGE_SCN_ALIGN_8BYTES           = 0x00400000,
    IMAGE_SCN_ALIGN_16BYTES          = 0x00500000,
    IMAGE_SCN_ALIGN_32BYTES          = 0x00600000,
    IMAGE_SCN_ALIGN_64BYTES          = 0x00700000,
    IMAGE_SCN_ALIGN_128BYTES         = 0x00800000,
    IMAGE_SCN_ALIGN_256BYTES         = 0x00900000,
    IMAGE_SCN_ALIGN_512BYTES         = 0x00A00000,
    IMAGE_SCN_ALIGN_1024BYTES        = 0x00B00000,
    IMAGE_SCN_ALIGN_2048BYTES        = 0x00C00000,
    IMAGE_SCN_ALIGN_4096BYTES        = 0x00D00000,
    IMAGE_SCN_ALIGN_8192BYTES        = 0x00E00000,

    IMAGE_SCN_LNK_NRELOC_OVFL        = 0x01000000,

    // Memory attributes.
    IMAGE_SCN_MEM_DISCARDABLE        = 0x02000000,
    IMAGE_SCN_MEM_NOT_CACHED         = 0x04000000,
    IMAGE_SCN_MEM_NOT_PAGED          = 0x08000000,
    IMAGE_SCN_MEM_SHARED             = 0x10000000,
    IMAGE_SCN_MEM_EXECUTE            = 0x20000000,
    IMAGE_SCN_MEM_READ               = 0x40000000,
    // Same bit pattern as 0x80000000. The enumerator itself is negative, so
    // test it with a mask (Characteristics & IMAGE_SCN_MEM_WRITE) rather than
    // with an ordered comparison.
    IMAGE_SCN_MEM_WRITE              = -2147483648
} SectionCharacteristics;
392 
393 typedef struct {
394  uint8_t Name[PE_SECTION_NAME_SIZE]; // TODO: Should we use char instead?
395  union {
396  uint32_t PhysicalAddress; // same value as next field
397  uint32_t VirtualSize;
398  } Misc;
399  uint32_t VirtualAddress;
400  uint32_t SizeOfRawData;
401  uint32_t PointerToRawData;
402  uint32_t PointerToRelocations; // always zero in executables
403  uint32_t PointerToLinenumbers; // deprecated
404  uint16_t NumberOfRelocations;
405  uint16_t NumberOfLinenumbers; // deprecated
406  uint32_t Characteristics; // SectionCharacteristics
408 
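/**
 * Parser state for one PE file: the open file handle, pointers to the parsed
 * headers, and the raw data of up to PE_MAX_SECTIONS sections.
 *
 * Every header field comes from the input file and is untrusted. The member
 * definitions are not in this header, so the notes below are points to verify
 * there:
 *  - NumberOfSections is a 16-bit file field, while `sections` holds only
 *    PE_MAX_SECTIONS entries; the count must be checked before the array is
 *    filled.
 *  - e_lfanew, PointerToRawData and SizeOfRawData are file-supplied offsets
 *    and sizes; each must be validated against the real file size before it
 *    is used to seek, read or allocate.
 *
 * NOTE(review): the class declares a destructor and holds raw pointers and a
 * FILE*, yet its copy operations are the implicit ones. If ~Pe() releases
 * these resources (not visible here), copying a Pe would release them twice;
 * consider deleting the copy constructor and copy assignment.
 */
class Pe{
    private:
        // Raw contents of one section.
        struct Section {
            // Spelled `unsigned int`: `uint` is a non-standard typedef that
            // not every toolchain provides.
            unsigned int offset;
            // NOTE(review): signed, whereas the section header's size fields
            // are uint32_t; confirm that values of 2^31 and above are rejected
            // before they are stored here.
            int size;
            void *data;
        };
        // Signature check; defined outside this header.
        bool is_pe();
    public:
        // NOTE(review): on disk the DOS signature is 'M','Z' (0x4d, 0x5a) and
        // the PE signature is 'P','E',0,0 (0x50, 0x45, 0x00, 0x00). Both
        // arrays hold the reverse byte order; confirm how is_pe() uses them.
        char magic_mz[2] = {0x5a, 0x4d};
        char magic_pe[4] = {0x00, 0x00, 0x45, 0x50};
        FILE *fd = NULL;
        PIMAGE_DOS_HEADER dos_header = NULL;
        PIMAGE_COFF_HEADER coff_header = NULL;
        // Presumably the file offset of the PE header taken from e_lfanew;
        // confirm against the implementation.
        uint32_t pe_header_ptr = 0;
        // Which of the two is populated presumably depends on the optional
        // header's Magic value; confirm against the implementation.
        PIMAGE_OPTIONAL_HEADER_32 optional_header_32 = NULL;
        PIMAGE_OPTIONAL_HEADER_64 optional_header_64 = NULL;
        PIMAGE_SECTION_HEADER section_header = NULL;
        // One of PE_MODE_UNSET, PE_MODE_X86, PE_MODE_X86_64.
        int mode = PE_MODE_UNSET;
        struct Section sections[PE_MAX_SECTIONS];
        Pe();
        // Takes a PE_MODE_* value (presumably stored in `mode`); the meaning
        // of the return value is defined by the implementation.
        bool Setup(int input_mode);
        // Reads and parses the file at file_path; the meaning of the return
        // value is defined by the implementation.
        bool ReadFile(char *file_path);
        ~Pe();
};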
434 
435 }
436 #endif
binlex::IMAGE_FILE_HEADER
Definition: pe.h:167
binlex::IMAGE_OPTIONAL_HEADER_32
Definition: pe.h:280
binlex::IMAGE_OPTIONAL_HEADER
Definition: pe.h:348
binlex::IMAGE_OPTIONAL_HEADER_64
Definition: pe.h:315
binlex::Pe
Definition: pe.h:409
binlex::IMAGE_SECTION_HEADER
Definition: pe.h:393
binlex::IMAGE_DATA_DIRECTORY
Definition: pe.h:73
binlex::IMAGE_TLS_DIRECTORY64
Definition: pe.h:64
binlex::IMAGE_DOS_HEADER
Definition: pe.h:178
binlex::IMAGE_TLS_DIRECTORY32
Definition: pe.h:55
binlex
the binlex namespace
binlex::IMAGE_ROM_OPTIONAL_HEADER
Definition: pe.h:263
binlex::IMAGE_EXPORT_DIRECTORY
Definition: pe.h:41