Beispiel #1
 def get_block_size(self, block_rva):
     """Return the size DWORD of the relocation block located at *block_rva*.

     The RVA is mapped to a file offset through ``self.section_headers_info``
     and the DWORD stored 4 bytes past that offset is read from
     ``self.bin_contents``. The value is taken from the file as-is; nothing
     here range-checks it, so callers should treat it as untrusted.
     """
     # NOTE(review): presumably rva_to_file_offset can fail for an RVA that
     # lies outside every section -- confirm how that case is reported.
     header_foff = PEGenericUtils.rva_to_file_offset(
         self.section_headers_info, block_rva)
     size_field_foff = header_foff + 0x4  # size field follows the first DWORD
     return PEGenericUtils.unpack_dword(self.bin_contents, size_field_foff)
Beispiel #2
 def get_block_virtualaddress(self, block_rva):
     """Return the first DWORD of the relocation block located at *block_rva*.

     The RVA is mapped to a file offset through ``self.section_headers_info``
     and the DWORD at offset 0 of the block header is read from
     ``self.bin_contents``. The value is file-supplied and is returned
     without validation.
     """
     header_foff = PEGenericUtils.rva_to_file_offset(
         self.section_headers_info, block_rva)
     virtualaddress_foff = header_foff + 0x0  # field sits at the very start
     block_virtualaddress = PEGenericUtils.unpack_dword(
         self.bin_contents, virtualaddress_foff)
     return block_virtualaddress
Beispiel #3
 def get_address_of_callbacks_va(self, callback_number):
     """Read one DWORD from the TLS directory, indexed by *callback_number*.

     The TLS directory RVA is resolved to a file offset and the DWORD at
     ``0xC + callback_number * 4`` from the start of the directory is
     returned. The value is read from the file without validation.
     """
     # NOTE(review): 0xC is the AddressOfCallBacks field of the 32-bit TLS
     # directory, so any callback_number > 0 reads the directory fields that
     # follow it rather than entries of the callback array that field points
     # to -- confirm how the caller uses the index.
     dword_size = 4  # sizeof(DWORD)
     field_off = 0xC + callback_number * dword_size
     tls_dir_rva = self.get_image_tls_directory_rva()
     tls_dir_foff = PEGenericUtils.rva_to_file_offset(
         self.section_headers_info, tls_dir_rva)
     return PEGenericUtils.unpack_dword(
         self.bin_contents, tls_dir_foff + field_off)
Beispiel #4
 def parse_reloc(self, reloc_foff):
     """Decode the 16-bit relocation entry stored at file offset *reloc_foff*.

     The top 4 bits of the WORD are the relocation type and the low 12 bits
     are the value. The value is returned only for type 0x3; every other
     type yields ``None``. A returned value of 0 is legitimate, so callers
     must compare against ``None`` rather than test truthiness.
     """
     entry = PEGenericUtils.unpack_word(self.bin_contents, reloc_foff)
     entry_type = (entry >> 12) & 0b1111
     if entry_type != 0x3:
         return None
     return entry & 0b0000111111111111
Beispiel #5
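 def get_relocations_for_block(self, block_rva):
     """Collect the relocation targets listed in the block at *block_rva*.

     The block's first DWORD (via ``get_block_virtualaddress``) and its size
     (via ``get_block_size``) are read, then every 2-byte entry after the
     8-byte header is decoded with ``parse_reloc``. Each decoded value is
     added to the block's virtual address and appended to the result.

     Returns:
         A list of ``block_virtualaddress + value`` integers, one for each
         entry that ``parse_reloc`` decodes (it returns ``None`` for the
         entry types it skips).
     """
     block_relocs = []
     block_foff = PEGenericUtils.rva_to_file_offset(self.section_headers_info, block_rva)
     block_virtualaddress = self.get_block_virtualaddress(block_rva)
     size_of_block = self.get_block_size(block_rva)
     # size_of_block comes straight from the file and is not bounded here:
     # a size below 8 yields no entries, while an oversized value keeps the
     # loop reading until the unpack helper is handed an offset it rejects.
     # NOTE(review): consider clamping the end to the size of bin_contents
     # when parsing untrusted binaries.
     entries_end = block_foff + size_of_block
     for relocation_foff in range(block_foff + 8, entries_end, 2):
         reloc_value = self.parse_reloc(relocation_foff)
         # Compare against None explicitly: a relocation at offset 0 of the
         # page decodes to 0, which a plain truthiness test silently dropped.
         if reloc_value is not None:
             block_relocs.append(block_virtualaddress + reloc_value)
     return block_relocs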
 def parse_pe32(self):
     """Build the PE helper objects and log every TLS callback address.

     Populates the section, data-directory and optional-header helpers on
     ``self``, fetches the TLS callback VAs via ``get_tls_callbacks`` and
     logs each one as VA, RVA (VA minus image base) and file offset.
     All addresses come from the parsed file and are logged unvalidated.
     """
     section_utils = PESectionUtils(self.bin_contents)
     self.pe_section_utils = section_utils
     self.section_headers_info = section_utils.get_sections_info()

     directory_utils = PEDataDirectoryUtils(self.bin_contents)
     self.pe_data_directory_utils = directory_utils
     self.data_directory_info = directory_utils.get_data_directories_info()

     self.pe_optional_header_utils = PEOptionalHeaderUtils(self.bin_contents)
     # NOTE(review): the attribute is named *_foff but is assigned the result
     # of get_image_tls_directory_rva() -- confirm which one consumers expect.
     self.image_tls_directory_foff = self.get_image_tls_directory_rva()

     tls_callback_vas = self.get_tls_callbacks()
     callback_count = len(tls_callback_vas)
     logging.info('TLS Callback addresses({} TLS callbacks):'.format(callback_count))
     for va in tls_callback_vas:
         # A VA below the image base gives a negative RVA here; whether
         # rva_to_file_offset tolerates that is not visible from this method.
         rva = va - self.pe_optional_header_utils.get_image_base()
         foff = PEGenericUtils.rva_to_file_offset(self.section_headers_info, rva)
         logging.info('  VA: 0x{:x}, RVA: 0x{:x}, File Offset: {}'.format(va, rva, foff))
 def get_address_of_callbacks_va(self, callback_number):
     """Read one QWORD from the TLS directory, indexed by *callback_number*.

     PE32+ variant: the TLS directory RVA is resolved to a file offset and
     the QWORD at ``24 + callback_number * 8`` from the start of the
     directory is returned. The value is read from the file unvalidated.
     """
     # NOTE(review): offset 24 is the AddressOfCallBacks field of the 64-bit
     # TLS directory, so any callback_number > 0 reads the directory fields
     # that follow it rather than entries of the callback array that field
     # points to -- confirm how the caller uses the index.
     qword_size = 8  # PE32+: entries are sizeof(QWORD)
     field_off = 24 + callback_number * qword_size
     tls_dir_rva = self.get_image_tls_directory_rva()
     tls_dir_foff = PEGenericUtils.rva_to_file_offset(self.section_headers_info, tls_dir_rva)
     return PEGenericUtils.unpack_qword(self.bin_contents, tls_dir_foff + field_off)