BearParser
Portable Executable parsing library (from PE-bear)
Loading...
Searching...
No Matches
OptHdrWrapper.cpp
Go to the documentation of this file.
1#include "pe/OptHdrWrapper.h"
2#include "pe/PEFile.h"
3
4using namespace std;
5
6std::map<DWORD, QString> OptHdrWrapper::s_optMagic;
7std::map<std::pair<WORD,WORD>, QString> OptHdrWrapper::s_osVersion;
8std::map<DWORD, QString> OptHdrWrapper::s_dllCharact;
9std::map<DWORD, QString> OptHdrWrapper::s_subsystem;
10
11void OptHdrWrapper::initDllCharact()
12{
13 if (s_dllCharact.size() == 0) {
14 s_dllCharact[pe::DLL_CHARACTERISTICS_HIGH_ENTROPY_VA] = "Image can handle a high entropy 64-bit virtual address space";
15 s_dllCharact[pe::DLL_DYNAMIC_BASE] = "DLL can move";
16 s_dllCharact[pe::DLL_FORCE_INTEGRITY] = "Code Integrity Image";
17 s_dllCharact[pe::DLL_NX_COMPAT] = "Image is NX compatible";
18 s_dllCharact[pe::DLL_NO_ISOLATION] = "Image understands isolation and doesn't want it";
19 s_dllCharact[pe::DLL_NO_SEH] = "Image does not use SEH";
20 s_dllCharact[pe::DLL_NO_BIND] = "Do not bind this image";
21 s_dllCharact[pe::DLL_APPCONTAINER] = "AppContainer";
22 s_dllCharact[pe::DLL_WDM_DRIVER] = "Driver uses WDM model";
23 s_dllCharact[pe::DLL_GUARD_CF] = "Guard CF";
24 s_dllCharact[pe::DLL_TERMINAL_SERVER_AWARE] = "TerminalServer aware";
25 }
26}
27
28QString OptHdrWrapper::translateDllCharacteristics(DWORD charact)
29{
30 if (s_dllCharact.size() == 0) initDllCharact();
31
32 if (s_dllCharact.find(charact) == s_dllCharact.end()) return "";
33 return s_dllCharact[charact];
34}
35
36std::vector<DWORD> OptHdrWrapper::splitDllCharact(DWORD characteristics)
37{
38 if (s_dllCharact.size() == 0) initDllCharact();
39
40 std::vector<DWORD> chSet;
41 map<DWORD, QString>::iterator iter;
42 for (iter = s_dllCharact.begin(); iter != s_dllCharact.end(); ++iter) {
43 if (characteristics & iter->first) {
44 chSet.push_back(iter->first);
45 }
46 }
47 return chSet;
48}
49
50QString OptHdrWrapper::translateOptMagic(DWORD p)
51{
52 if (s_optMagic.size() == 0) {
53 s_optMagic[pe::OH_NT32] = "NT32";
54 s_optMagic[pe::OH_NT64] = "NT64";
55 s_optMagic[pe::OH_ROM] = "ROM";
56 }
57 if (s_optMagic.find(p) == s_optMagic.end()) return "";
58 return s_optMagic[p];
59}
60
61QString OptHdrWrapper::translateOSVersion(WORD major, WORD minor)
62{
63 if (s_osVersion.size() == 0) {
64 s_osVersion[pair<WORD,WORD>(8, 0)] = "Windows 8";
65 s_osVersion[pair<WORD,WORD>(7, 0)] = "Windows 7";
66 s_osVersion[pair<WORD,WORD>(6, 0)] = "Windows Vista / Server 2008";
67
68 s_osVersion[pair<WORD,WORD>(5, 2)] = "Windows Server 2003";
69 s_osVersion[pair<WORD,WORD>(5, 1)] = "Windows XP";
70 s_osVersion[pair<WORD,WORD>(5, 0)] = "Windows 2000 / XP";
71
72 s_osVersion[pair<WORD,WORD>(4, 90)] = "Windows ME";
73 s_osVersion[pair<WORD,WORD>(4, 10)] = "Windows 98";
74 s_osVersion[pair<WORD,WORD>(4, 0)] = "Windows 95 / NT 4.0";
75
76 s_osVersion[pair<WORD,WORD>(3, 51)] = "Windows NT 3.51";
77 s_osVersion[pair<WORD,WORD>(3, 10)] = "Windows NT 3.1";
78 }
79 pair<WORD,WORD> p(major, minor);
80 if (s_osVersion.find(p) == s_osVersion.end()) return "";
81 return s_osVersion[p];
82}
83
84QString OptHdrWrapper::translateSubsystem(DWORD subsystem)
85{
86 if (s_subsystem.size() == 0) {
87 s_subsystem[pe::SUB_UNKNOWN] = "Unknown subsystem";
88 s_subsystem[pe::SUB_NATIVE] = "Driver";
89 s_subsystem[pe::SUB_WINDOWS_GUI] = "Windows GUI";
90 s_subsystem[pe::SUB_WINDOWS_CUI] = "Windows console";
91 s_subsystem[pe::SUB_OS2_CUI] = "OS/2 console";
92 s_subsystem[pe::SUB_POSIX_CUI] = "Posix console";
93 s_subsystem[pe::SUB_NATIVE_WINDOWS] = "Native Win9x driver";
94 s_subsystem[pe::SUB_WINDOWS_CE_GUI] = "Windows CE subsystem";
95 s_subsystem[pe::SUB_EFI_APPLICATION] = "EFI_APPLICATION";
96 s_subsystem[pe::SUB_EFI_BOOT_SERVICE_DRIVER] = "EFI_BOOT_SERVICE_DRIVER";
97 s_subsystem[pe::SUB_EFI_RUNTIME_DRIVER] = "EFI_RUNTIME_DRIVER";
98 s_subsystem[pe::SUB_EFI_ROM] = "EFI_ROM";
99 s_subsystem[pe::SUB_XBOX] = "XBOX";
100 s_subsystem[pe::SUB_WINDOWS_BOOT_APP] = "WINDOWS_BOOT_APPLICATION";
101 }
102 if (s_subsystem.find(subsystem) == s_subsystem.end()) return "";
103 return s_subsystem[subsystem];
104}
105//-------------------------------------------
106bool OptHdrWrapper::wrap()
107{
108 opt32 = NULL;
109 opt64 = NULL;
110 getPtr();
111 bool isOk = false;
112 DWORD charact = static_cast<DWORD>(this->getNumValue(DLL_CHARACT, &isOk));
113 this->dllCharact.clear();
114 if (isOk) {
115 this->dllCharact = this->splitDllCharact(charact);
116 }
117 return true;
118}
119
120Executable::exe_bits OptHdrWrapper::getHdrBitMode()
121{
122 if (m_PE == NULL) {
123 return Executable::BITS_32; // default
124 }
125 return m_PE->getHdrBitMode();
126}
127
128IMAGE_NT_HEADERS32* OptHdrWrapper::nt32()
129{
130 if (m_PE == NULL) return NULL;
131 if (getHdrBitMode() != Executable::BITS_32) return NULL;
132
133 offset_t myOff = m_PE->peNtHdrOffset();
134 IMAGE_NT_HEADERS32* hdr = (IMAGE_NT_HEADERS32*) m_Exe->getContentAt(myOff, sizeof(IMAGE_NT_HEADERS32));
135 return hdr;
136}
137
138IMAGE_NT_HEADERS64* OptHdrWrapper::nt64()
139{
140 if (m_PE == NULL) return NULL;
141 if (getHdrBitMode() != Executable::BITS_64) return NULL;
142
143 offset_t myOff = m_PE->peNtHdrOffset();
144 IMAGE_NT_HEADERS64* hdr = (IMAGE_NT_HEADERS64*) m_Exe->getContentAt(myOff, sizeof(IMAGE_NT_HEADERS64));
145 return hdr;
146}
147
148
149void* OptHdrWrapper::getPtr()
150{
151 if (opt32 == NULL && opt64 == NULL) {
152 IMAGE_NT_HEADERS32* ntHdr32 = nt32();
153 if (ntHdr32) {
154 this->opt32 = &(ntHdr32->OptionalHeader);
155 } else {
156 IMAGE_NT_HEADERS64* ntHdr64 = nt64();
157 this->opt64 = (ntHdr64) ? &(ntHdr64->OptionalHeader) : NULL;
158 }
159 }
160 void *ptr = (opt32) ? (void*) opt32 : (void*) opt64;
161 return ptr;
162}
163
164bufsize_t OptHdrWrapper::getSize()
165{
166 IMAGE_OPTIONAL_HEADER32* opt32 = (nt32()) ? &(nt32()->OptionalHeader) : NULL;
167 IMAGE_OPTIONAL_HEADER64* opt64 = (nt64()) ? &(nt64()->OptionalHeader) : NULL;
168 if (opt32 == NULL && opt64 == NULL) return 0;
169
170 bufsize_t size = opt32 ? sizeof(IMAGE_OPTIONAL_HEADER32) : sizeof(IMAGE_OPTIONAL_HEADER64);
171 return size;
172}
173
174bufsize_t OptHdrWrapper::getFieldSize(size_t fId, size_t subField)
175{
176 IMAGE_OPTIONAL_HEADER64* opt64 = (nt64()) ? &(nt64()->OptionalHeader) : NULL;
177 if (opt64 != NULL) {
178 if (fId == CODE_BASE) return sizeof (opt64->BaseOfCode);
179 if (fId == DATA_BASE) return 0;
180 }
181 return ExeElementWrapper::getFieldSize(fId, subField);
182}
183
184void* OptHdrWrapper::getFieldPtr(size_t fId, size_t subField)
185{
186 IMAGE_OPTIONAL_HEADER32* opt32 = (nt32()) ? &(nt32()->OptionalHeader) : NULL;
187 IMAGE_OPTIONAL_HEADER64* opt64 = (nt64()) ? &(nt64()->OptionalHeader) : NULL;
188
189 switch (fId) {
190 case MAGIC :
191 return opt32 ? (void*)&opt32->Magic : (void*)&opt64->Magic;
192
193 case LINKER_MAJOR :
194 return opt32 ? (void*)&opt32->MajorLinkerVersion : (void*)&opt64->MajorLinkerVersion;
195 case LINKER_MINOR :
196 return opt32 ? (void*)&opt32->MinorLinkerVersion : (void*)&opt64->MinorLinkerVersion;
197
198 case CODE_SIZE :
199 return opt32 ? (void*)&opt32->SizeOfCode : (void*)&opt64->SizeOfCode;
200 case INITDATA_SIZE :
201 return opt32 ? (void*)&opt32->SizeOfInitializedData : (void*)&opt64->SizeOfInitializedData;
202 case UNINITDATA_SIZE :
203 return opt32 ? (void*)&opt32->SizeOfUninitializedData : (void*)&opt64->SizeOfUninitializedData;
204 case EP :
205 return opt32 ? &opt32->AddressOfEntryPoint : (void*)&opt64->AddressOfEntryPoint;
206 case CODE_BASE :
207 return opt32 ? (void*)&opt32->BaseOfCode : (void*)&opt64->BaseOfCode;
208
209 case DATA_BASE :
210 return opt32 ? (void*)&opt32->BaseOfData : NULL;
211
212 case IMAGE_BASE :
213 return opt32 ? (void*)&opt32->ImageBase : (void*)&opt64->ImageBase;
214 case SEC_ALIGN :
215 return opt32 ? (void*)&opt32->SectionAlignment : (void*)&opt64->SectionAlignment;
216 case FILE_ALIGN :
217 return opt32 ? (void*)&opt32->FileAlignment : (void*)&opt64->FileAlignment;
218
219 case OSVER_MAJOR :
220 return opt32 ? (void*)&opt32->MajorOperatingSystemVersion : (void*)&opt64->MajorOperatingSystemVersion;
221 case OSVER_MINOR :
222 return opt32 ? (void*)&opt32->MinorOperatingSystemVersion : (void*)&opt64->MinorOperatingSystemVersion;
223
224 case IMGVER_MAJOR :
225 return opt32 ? (void*)&opt32->MajorImageVersion : (void*)&opt64->MajorImageVersion;
226 case IMGVER_MINOR:
227 return opt32 ? (void*)&opt32->MinorImageVersion : (void*)&opt64->MinorImageVersion;
228
229 case SUBSYSVER_MAJOR :
230 return opt32 ? (void*)&opt32->MajorSubsystemVersion : (void*)&opt64->MajorSubsystemVersion;
231 case SUBSYSVER_MINOR:
232 return opt32 ? (void*)&opt32->MinorSubsystemVersion : (void*)&opt64->MinorSubsystemVersion;
233
234 case WIN32_VER :
235 return opt32 ? (void*)&opt32->Win32VersionValue : (void*)&opt64->Win32VersionValue;
236 case IMAGE_SIZE :
237 return opt32 ? (void*)&opt32->SizeOfImage : (void*)&opt64->SizeOfImage;
238 case HDRS_SIZE:
239 return opt32 ? (void*)&opt32->SizeOfHeaders : (void*)&opt64->SizeOfHeaders;
240 case CHECKSUM:
241 return opt32 ? (void*)&opt32->CheckSum : (void*)&opt64->CheckSum;
242 case SUBSYS:
243 return opt32 ? (void*)&opt32->Subsystem : (void*)&opt64->Subsystem;
244 case DLL_CHARACT :
245 return opt32 ? (void*)&opt32->DllCharacteristics : (void*)&opt64->DllCharacteristics;
246 case STACK_RSRV_SIZE :
247 return opt32 ? (void*)&opt32->SizeOfStackReserve : (void*)&opt64->SizeOfStackReserve;
248 case STACK_COMMIT_SIZE :
249 return opt32 ? (void*)&opt32->SizeOfStackCommit : (void*)&opt64->SizeOfStackCommit;
250 case HEAP_RSRV_SIZE:
251 return opt32 ? (void*)&opt32->SizeOfHeapReserve : (void*)&opt64->SizeOfHeapReserve;
252 case HEAP_COMMIT_SIZE :
253 return opt32 ? (void*)&opt32->SizeOfHeapCommit : (void*)&opt64->SizeOfHeapCommit;
254 case LDR_FLAGS :
255 return opt32 ? (void*)&opt32->LoaderFlags : (void*)&opt64->LoaderFlags;
256 case RVAS_SIZES_NUM:
257 return opt32 ? (void*)&opt32->NumberOfRvaAndSizes : (void*)&opt64->NumberOfRvaAndSizes;
258 case DATA_DIR:
259 return opt32 ? (void*)&opt32->DataDirectory : (void*)&opt64->DataDirectory;
260 }
261 return this->getPtr();
262}
263
264QString OptHdrWrapper::translateFieldContent(size_t fieldId)
265{
266 bool isOk = false;
267 uint32_t num = -1;
268
269 switch (fieldId) {
270 case MAGIC :
271 num = static_cast<uint32_t>(this->getNumValue(fieldId, &isOk));
272 if (!isOk) return "";
273 return this->translateOptMagic(num);
274 case SUBSYS :
275 num = static_cast<uint32_t>(this->getNumValue(fieldId, &isOk));
276 if (!isOk) return "";
277 return this->translateSubsystem(num);
278 }
279 return "";
280}
281
282QString OptHdrWrapper::getFieldName(size_t fieldId)
283{
284 switch (fieldId) {
285 case MAGIC: return ("Magic");
286 case LINKER_MAJOR: return ("Linker Ver. (Major)");
287 case LINKER_MINOR: return ("Linker Ver. (Minor)");
288
289 case CODE_SIZE: return ("Size of Code");
290 case INITDATA_SIZE: return ("Size of Initialized Data");
291 case UNINITDATA_SIZE: return ("Size of Uninitialized Data");
292 case EP: return ("Entry Point");
293 case CODE_BASE: return ("Base of Code");
294 case DATA_BASE:
295 {
296 if (getHdrBitMode() == Executable::BITS_32) return ("Base of Data");
297 return "";
298 }
299 case IMAGE_BASE: return ("Image Base");
300 case SEC_ALIGN: return ("Section Alignment");
301 case FILE_ALIGN: return ("File Alignment");
302
303 case OSVER_MAJOR: return ("OS Ver. (Major)");
304 case OSVER_MINOR: return ("OS Ver. (Minor)");
305
306 case IMGVER_MAJOR: return ("Image Ver. (Major)");
307 case IMGVER_MINOR: return ("Image Ver. (Minor)");
308
309 case SUBSYSVER_MAJOR: return ("Subsystem Ver. (Major)");
310 case SUBSYSVER_MINOR: return ("Subsystem Ver. Minor)");
311
312 case WIN32_VER: return ("Win32 Version Value");
313 case IMAGE_SIZE: return ("Size of Image");
314 case HDRS_SIZE: return ("Size of Headers");
315 case CHECKSUM: return ("Checksum");
316 case SUBSYS: return ("Subsystem");
317
318 case DLL_CHARACT: return ("Dll Characteristics");
319
320 case STACK_RSRV_SIZE: return ("Size of Stack Reserve");
321 case STACK_COMMIT_SIZE: return ("Size of Stack Commit");
322 case HEAP_RSRV_SIZE: return ("Size of Heap Reserve");
323 case HEAP_COMMIT_SIZE: return ("Size of Heap Commit");
324 case LDR_FLAGS: return ("Loader Flags");
325 case RVAS_SIZES_NUM: return ("Number of RVAs and Sizes");
326 case DATA_DIR: return "Data Dir.";
327 }
328 return "";
329}
330
331Executable::addr_type OptHdrWrapper::containsAddrType(size_t fieldId, size_t subField)
332{
333 switch (fieldId) {
334 case EP:
335 case CODE_BASE:
336 case DATA_BASE:
337 return Executable::RVA;
338 }
339 if (fieldId == IMAGE_BASE) {
340 return Executable::VA;
341 }
342 return Executable::NOT_ADDR;
343}
344
345//-----------------------
offset_t
uint64_t offset_t
Definition AbstractByteBuffer.h:20
bufsize_t
size_t bufsize_t
Definition AbstractByteBuffer.h:17
ExeElementWrapper::getFieldSize
virtual bufsize_t getFieldSize(size_t fieldId, size_t subField=FIELD_NONE)
Definition ExeElementWrapper.cpp:12
ExeElementWrapper::getNumValue
virtual uint64_t getNumValue(size_t fieldId, size_t subField, bool *isOk)
Definition ExeElementWrapper.cpp:73
OptHdrWrapper::containsAddrType
virtual Executable::addr_type containsAddrType(size_t fieldId, size_t subField=FIELD_NONE)
Definition OptHdrWrapper.cpp:331
OptHdrWrapper::translateOptMagic
static QString translateOptMagic(DWORD magic)
Definition OptHdrWrapper.cpp:50
OptHdrWrapper::nt64
IMAGE_NT_HEADERS64 * nt64()
Definition OptHdrWrapper.cpp:138
OptHdrWrapper::translateSubsystem
static QString translateSubsystem(DWORD subsystem)
Definition OptHdrWrapper.cpp:84
OptHdrWrapper::translateFieldContent
virtual QString translateFieldContent(size_t fieldId)
Definition OptHdrWrapper.cpp:264
OptHdrWrapper::initDllCharact
static void initDllCharact()
Definition OptHdrWrapper.cpp:11
OptHdrWrapper::getHdrBitMode
Executable::exe_bits getHdrBitMode()
Definition OptHdrWrapper.cpp:120
OptHdrWrapper::opt64
IMAGE_OPTIONAL_HEADER64 * opt64
Definition OptHdrWrapper.h:84
OptHdrWrapper::s_optMagic
static std::map< DWORD, QString > s_optMagic
Definition OptHdrWrapper.h:45
OptHdrWrapper::opt32
IMAGE_OPTIONAL_HEADER32 * opt32
Definition OptHdrWrapper.h:83
OptHdrWrapper::translateDllCharacteristics
static QString translateDllCharacteristics(DWORD charact)
Definition OptHdrWrapper.cpp:28
OptHdrWrapper::translateOSVersion
static QString translateOSVersion(WORD major, WORD minor)
Definition OptHdrWrapper.cpp:61
OptHdrWrapper::dllCharact
std::vector< DWORD > dllCharact
Definition OptHdrWrapper.h:85
OptHdrWrapper::nt32
IMAGE_NT_HEADERS32 * nt32()
Definition OptHdrWrapper.cpp:128
OptHdrWrapper::getFieldSize
virtual bufsize_t getFieldSize(size_t fieldId, size_t subField=FIELD_NONE)
Definition OptHdrWrapper.cpp:174
OptHdrWrapper::getFieldName
virtual QString getFieldName(size_t fieldId)
Definition OptHdrWrapper.cpp:282
OptHdrWrapper::getPtr
virtual void * getPtr()
Definition OptHdrWrapper.cpp:149
OptHdrWrapper::getSize
virtual bufsize_t getSize()
Definition OptHdrWrapper.cpp:164
OptHdrWrapper::s_dllCharact
static std::map< DWORD, QString > s_dllCharact
Definition OptHdrWrapper.h:47
OptHdrWrapper::getFieldPtr
virtual void * getFieldPtr(size_t fieldId, size_t subField=FIELD_NONE)
Definition OptHdrWrapper.cpp:184
OptHdrWrapper::splitDllCharact
static std::vector< DWORD > splitDllCharact(DWORD characteristics)
Definition OptHdrWrapper.cpp:36
OptHdrWrapper::s_osVersion
static std::map< std::pair< WORD, WORD >, QString > s_osVersion
Definition OptHdrWrapper.h:46
OptHdrWrapper::s_subsystem
static std::map< DWORD, QString > s_subsystem
Definition OptHdrWrapper.h:48
Generated by doxygen 1.17.0