0
|
1 /**
|
|
2 A simple PE/COFF image format reader.
|
|
3
|
|
4 Authors:
|
|
5 Jeremie Pelletier
|
|
6
|
|
7 References:
|
|
8 $(LINK http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/pefile.html)
|
|
9
|
|
10 License:
|
|
11 Public Domain
|
|
12 */
|
|
13 module dbg.image.PE;
|
|
14
|
|
15 version(Windows) {
|
|
16
|
|
17 import std.c.string : strncmp;
|
|
18 import dbg.Debug;
|
|
19 import dbg.symbol.CodeView;
|
|
20 //import dbg.symbol.COFF;
|
|
21 //import sys.windows.FileSystem;
|
|
22 //import sys.windows.Memory;
|
|
23 //import sys.windows.Security : GENERIC_READ;
|
|
24 //import sys.windows.Information : CloseHandle;
|
|
25 //import sys.windows.Image;
|
|
26
|
|
27 import win32.windows;
|
|
28 import win32.winbase;
|
|
29
|
|
30 enum IMAGE_SIZEOF_NT_OPTIONAL64_HEADER = 240;
|
|
31
|
|
32 struct IMAGE_NT_HEADERS64 {
|
|
33 DWORD Signature;
|
|
34 IMAGE_FILE_HEADER FileHeader;
|
|
35 IMAGE_OPTIONAL_HEADER64 OptionalHeader;
|
|
36 }
|
|
37
|
|
38 auto IMAGE_FIRST_SECTION64( const(IMAGE_NT_HEADERS64*) ntheader ) {
|
|
39 return cast(PIMAGE_SECTION_HEADER) ((cast(UINT_PTR)ntheader) + IMAGE_NT_HEADERS64.OptionalHeader.offsetof + (cast(PIMAGE_NT_HEADERS64)(ntheader)).FileHeader.SizeOfOptionalHeader);
|
|
40 }
|
|
41
|
|
42 auto IMAGE_FIRST_SECTION32( const(IMAGE_NT_HEADERS32*) ntheader ) {
|
|
43 return cast(PIMAGE_SECTION_HEADER)((cast(UINT_PTR)ntheader) + IMAGE_NT_HEADERS32.OptionalHeader.offsetof + (cast(PIMAGE_NT_HEADERS32)ntheader).FileHeader.SizeOfOptionalHeader);
|
|
44 }
|
|
45
|
|
46 class PEImage : IExecutableImage {
|
|
47 /**
|
|
48 Loads and validate the image file.
|
|
49
|
|
50 Params:
|
|
51 fileName = Path to the image file.
|
|
52 */
|
|
53 this(string fileName)
|
|
54 in {
|
|
55 assert(fileName.length && fileName.ptr);
|
|
56 }
|
|
57 body {
|
|
58 _filename = fileName;
|
|
59
|
|
60 // Create the file mapping
|
|
61 _file = CreateFileA((fileName ~ '\0').ptr, GENERIC_READ, FILE_SHARE_READ,
|
|
62 null, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, null);
|
|
63 if(_file == INVALID_HANDLE_VALUE) SystemException();
|
|
64
|
|
65 GetFileSizeEx(_file, &_fileSize);
|
|
66
|
|
67 _map = CreateFileMapping(_file, null, PAGE_READONLY, 0, 0, null);
|
|
68 if(!_map) SystemException();
|
|
69
|
|
70 _view = cast(const(ubyte)*)MapViewOfFile(_map, FILE_MAP_READ, 0, 0, 0);
|
|
71 if(!_view) SystemException();
|
|
72
|
|
73 // Verify image headers
|
|
74 if(_dos.e_magic != IMAGE_DOS_SIGNATURE) goto Error;
|
|
75 CheckOffset(_dos.e_lfanew);
|
|
76
|
|
77 _nt = cast(IMAGE_NT_HEADERS32*)(_view + _dos.e_lfanew);
|
|
78 if(_nt.Signature != IMAGE_NT_SIGNATURE) goto Error;
|
|
79
|
|
80 _is64 = _nt.FileHeader.SizeOfOptionalHeader == IMAGE_SIZEOF_NT_OPTIONAL64_HEADER;
|
|
81
|
|
82 if(_is64) {
|
|
83 if(_nt64.OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC)
|
|
84 goto Error;
|
|
85 }
|
|
86 else {
|
|
87 if(_nt.OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
|
|
88 goto Error;
|
|
89 }
|
|
90
|
|
91 // Create the RVA lookup table
|
|
92 auto sections = this.sections;
|
|
93 RVAEntry* e = void;
|
|
94 _rvaTable.length = sections.length;
|
|
95 foreach(i, ref s; sections) with(s) {
|
|
96 e = &_rvaTable[i];
|
|
97 e.start = VirtualAddress;
|
|
98 e.end = VirtualAddress + SizeOfRawData;
|
|
99 e.base = PointerToRawData;
|
|
100 }
|
|
101
|
|
102 return;
|
|
103
|
|
104 Error:
|
|
105 throw new PEInvalidException(this);
|
|
106 }
|
|
107
|
|
108 /**
|
|
109 Unloads the PE file.
|
|
110 */
|
|
111 ~this() {
|
|
112 if(_dos && !UnmapViewOfFile(cast(void*)_dos)) SystemException();
|
|
113 if(_map && !CloseHandle(_map)) SystemException();
|
|
114 if(_file && !CloseHandle(_file)) SystemException();
|
|
115 }
|
|
116
|
|
117 /**
|
|
118 Get the filename of the image
|
|
119 */
|
|
120 string filename() const {
|
|
121 return _filename;
|
|
122 }
|
|
123
|
|
124 /**
|
|
125 Get whether the image uses the 64bit structures or not
|
|
126 */
|
|
127 bool is64() const {
|
|
128 return _is64;
|
|
129 }
|
|
130
|
|
131 /**
|
|
132 Get the base address of the image
|
|
133 */
|
|
134 long imageBase() const {
|
|
135 return _is64 ? _nt64.OptionalHeader.ImageBase : _nt.OptionalHeader.ImageBase;
|
|
136 }
|
|
137
|
|
138 /**
|
|
139 Get the raw image data
|
|
140 */
|
|
141 const(ubyte)[] data() const {
|
|
142 return _view[0 .. cast(size_t)_fileSize.QuadPart];
|
|
143 }
|
|
144
|
|
145 /**
|
|
146 Get the dos, nt or nt64 headers
|
|
147 */
|
|
148 const(IMAGE_DOS_HEADER)* dosHeader() const { return _dos; }
|
|
149 const(IMAGE_NT_HEADERS32)* ntHeaders32() const { return _nt; }
|
|
150 const(IMAGE_NT_HEADERS64)* ntHeaders64() const { return _nt64; }
|
|
151
|
|
152 /**
|
|
153 Get the array of data directories
|
|
154 */
|
|
155 const(IMAGE_DATA_DIRECTORY)[] dataDirectory() const {
|
|
156 return _is64 ? _nt64.OptionalHeader.DataDirectory : _nt.OptionalHeader.DataDirectory;
|
|
157 }
|
|
158
|
|
159 /**
|
|
160 Get the array of section headers
|
|
161 */
|
|
162 const(IMAGE_SECTION_HEADER)[] sections() const {
|
|
163 return (_is64 ? IMAGE_FIRST_SECTION64(_nt64) : IMAGE_FIRST_SECTION32(_nt))
|
|
164 [0 .. _nt.FileHeader.NumberOfSections];
|
|
165 }
|
|
166
|
|
167 /**
|
|
168 Translate the given Virtual Address to its corresponding data offset.
|
|
169 */
|
|
170 long LookupVA(long va) const {
|
|
171 return LookupRVA(va - imageBase);
|
|
172 }
|
|
173
|
|
174 /**
|
|
175 Translate the given Relative Virtual Address to its corresponding
|
|
176 data offset.
|
|
177 */
|
|
178 long LookupRVA(long rva) const {
|
|
179 foreach(ref e; _rvaTable) with(e) {
|
|
180 if(rva >= start && rva < end) {
|
|
181 long offset = base + (rva - start);
|
|
182 CheckOffset(offset);
|
|
183 return offset;
|
|
184 }
|
|
185 }
|
|
186
|
|
187 return 0;
|
|
188 }
|
|
189
|
|
190 /**
|
|
191 Get a data structure in the image from its RVA
|
|
192 */
|
|
193 const(T)* GetDataFromRVA(T : T*)(long rva) const {
|
|
194 long offset = LookupRVA(rva);
|
|
195 return offset ? cast(T*)(_view + offset) : null;
|
|
196 }
|
|
197
|
|
198 /**
|
|
199 Get a data directory in the image from its ID
|
|
200 */
|
|
201 const(T)* GetDirectory(T)(uint id) const {
|
|
202 const IMAGE_DATA_DIRECTORY* dir = &dataDirectory[id];
|
|
203 return dir.VirtualAddress && dir.Size ?
|
|
204 GetDataFromRVA!(T*)(dir.VirtualAddress) : null;
|
|
205 }
|
|
206
|
|
207 /**
|
|
208 Find the first section matching the given flags mask
|
|
209 */
|
|
210 const(IMAGE_SECTION_HEADER)* FindSection(uint mask) const
|
|
211 in {
|
|
212 assert(mask);
|
|
213 }
|
|
214 body {
|
|
215 foreach(ref section; sections)
|
|
216 if(section.Characteristics & mask)
|
|
217 return §ion;
|
|
218
|
|
219 return null;
|
|
220 }
|
|
221
|
|
222 /**
|
|
223 Find a section by its name
|
|
224 */
|
|
225 const(IMAGE_SECTION_HEADER)* FindSection(string name) const
|
|
226 in {
|
|
227 assert(name.length && name.ptr);
|
|
228 }
|
|
229 body {
|
|
230 foreach(ref section; sections)
|
|
231 if(strncmp(cast(char*)section.Name.ptr, name.ptr, section.Name.length) == 0)
|
|
232 return §ion;
|
|
233
|
|
234 return null;
|
|
235 }
|
|
236
|
|
237 /**
|
|
238 Get the offset to the code segment
|
|
239 */
|
|
240 uint codeOffset() const {
|
|
241 const(IMAGE_SECTION_HEADER)* section = FindSection(IMAGE_SCN_MEM_EXECUTE);
|
|
242 return section ? section.VirtualAddress : 0;
|
|
243 }
|
|
244
|
|
245 /**
|
|
246 Get the symbolic debug info object for this image
|
|
247 */
|
|
248 ISymbolicDebugInfo debugInfo() {
|
|
249 uint va = _nt.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].VirtualAddress;
|
|
250 if(!va) return null;
|
|
251
|
|
252 const(IMAGE_DEBUG_DIRECTORY)* dir = void;
|
|
253 uint size = _nt.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].Size;
|
|
254 uint offset = void;
|
|
255
|
|
256 // Borland directory
|
|
257 const(IMAGE_SECTION_HEADER)* section = FindSection(".debug");
|
|
258 if(section && section.VirtualAddress == va) {
|
|
259 CheckOffset(section.PointerToRawData);
|
|
260
|
|
261 dir = cast(IMAGE_DEBUG_DIRECTORY*)(_view + section.PointerToRawData);
|
|
262 }
|
|
263 // Microsoft directory
|
|
264 else {
|
|
265 section = FindSection(".rdata");
|
|
266 if(!section) goto NoDebug;
|
|
267
|
|
268 offset = section.PointerToRawData + (va - section.VirtualAddress);
|
|
269 CheckOffset(offset);
|
|
270
|
|
271 dir = cast(IMAGE_DEBUG_DIRECTORY*)(_view + offset);
|
|
272 }
|
|
273
|
|
274 const(void)* end = cast(void*)dir + size;
|
|
275 Scan: for(; dir < end; dir++) {
|
|
276 switch(dir.Type) {
|
|
277 //case IMAGE_DEBUG_TYPE_COFF:
|
|
278 case IMAGE_DEBUG_TYPE_CODEVIEW:
|
|
279 // TODO: support more types
|
|
280 break Scan;
|
|
281
|
|
282 default:
|
|
283 }
|
|
284 }
|
|
285
|
|
286 if(dir >= end) goto NoDebug;
|
|
287
|
|
288 offset = dir.PointerToRawData + dir.SizeOfData;
|
|
289 CheckOffset(offset);
|
|
290 auto debugView = _view[dir.PointerToRawData .. offset];
|
|
291
|
|
292 switch(dir.Type) {
|
|
293 //case IMAGE_DEBUG_TYPE_COFF:
|
|
294 // return new COFFDebugInfo(debugView);
|
|
295 case IMAGE_DEBUG_TYPE_CODEVIEW:
|
|
296 return new CodeViewDebugInfo(debugView);
|
|
297 default:
|
|
298 assert(0);
|
|
299 }
|
|
300
|
|
301 NoDebug:
|
|
302 // TODO: we have no debug section or directory, but there csould still
|
|
303 // be external symbol files we can use.
|
|
304 return null;
|
|
305 }
|
|
306
|
|
307 private:
|
|
308
|
|
309 /**
|
|
310 Verify a file offset before accessing it
|
|
311 */
|
|
312 void CheckOffset(long offset) const {
|
|
313 if(offset > _fileSize.QuadPart) throw new PECorruptedException(this);
|
|
314 }
|
|
315
|
|
316 string _filename;
|
|
317 HANDLE _file;
|
|
318 HANDLE _map;
|
|
319 LARGE_INTEGER _fileSize;
|
|
320 bool _is64;
|
|
321
|
|
322 union {
|
|
323 const(ubyte)* _view;
|
|
324 const(IMAGE_DOS_HEADER)* _dos;
|
|
325 }
|
|
326 union {
|
|
327 const(IMAGE_NT_HEADERS32)* _nt;
|
|
328 const(IMAGE_NT_HEADERS64)* _nt64;
|
|
329 }
|
|
330
|
|
331 struct RVAEntry {
|
|
332 uint start;
|
|
333 uint end;
|
|
334 uint base;
|
|
335 }
|
|
336
|
|
337 RVAEntry[] _rvaTable;
|
|
338 }
|
|
339
|
|
340 /// Thrown if file open failed.
|
|
341 class PEException : Exception {
|
|
342 this(string msg) {
|
|
343 super("PEImage: " ~ msg);
|
|
344 }
|
|
345 }
|
|
346
|
|
347 /// Thrown if not a valid module file
|
|
348 class PEInvalidException : PEException {
|
|
349 this(in PEImage img) {
|
|
350 super("Invalid PE file.");
|
|
351 }
|
|
352 }
|
|
353
|
|
354 /// Thrown on corrupted module file.
|
|
355 class PECorruptedException : PEException {
|
|
356 this(in PEImage img) {
|
|
357 super("Corrupted PE file.");
|
|
358 }
|
|
359 }
|
|
360
|
|
361 } // version(Windows)
|