def __init__(self, page):
vstruct.VStruct.__init__(self)
self.page = page
self.key_length = v_uint16()
self.key = v_bytes()
self.value_length = v_uint16()
self.value = v_bytes()
def __init__(self):
vstruct.VStruct.__init__(self)
self.foo = p.v_bytes(size=3)
self.bar = p.v_uint32()
self.baz = p.v_bytes(size=256)
self.faz = NNestedStruct()
def __init__(self, wordsize, buf=None):
vstruct.VStruct.__init__(self)
self.wordsize = wordsize
if wordsize == 4:
self.v_word = v_uint32
self.word_fmt = "I"
elif wordsize == 8:
self.v_word = v_uint64
self.word_fmt = "Q"
else:
raise RuntimeError('unexpected wordsize')
self.signature = v_bytes(size=0x04)
self.unk04 = v_uint32() # 0x3
self.non_empty = v_uint32() # (0x1 non-empty) or (0x0 empty)
self.unk0C = v_uint32() # 0x800
self.page_count = v_uint32()
self.unk14 = self.v_word() # 0x0
# this appears to actually be the number of dwords used by the names.
# so for an .i64, this is 2x the name count.
self.dword_count = v_uint32()
# set in `.pcb_dword_count` below.
self.name_count = 0
self.padding = v_bytes(size=NAM.PAGE_SIZE - (6 * 4 + wordsize))
self.buffer = v_bytes()
def __init__(self, wordsize=4, buf=None):
vstruct.VStruct.__init__(self)
self.wordsize = wordsize
if wordsize == 4:
self.v_word = v_uint32
self.word_fmt = "I"
elif wordsize == 8:
self.v_word = v_uint64
self.word_fmt = "Q"
else:
raise RuntimeError('unexpected wordsize')
self.signature = v_bytes(size=0x04)
self.unk04 = v_uint32() # 0x3
self.segment_count = v_uint32()
self.unk0C = v_uint32() # 0x800
self.page_count = v_uint32()
# varrays are not actually very list-like,
# so the struct field will be ._segments
# and the property will be .segments.
self._segments = vstruct.VArray()
self.segments = []
self.padding = v_bytes()
self.buffer = v_bytes()
def __init__(self):
vstruct.VStruct.__init__(self)
self.foo = p.v_bytes(size=3)
self.bar = p.v_uint32()
self.baz = p.v_bytes(size=256)
self.faz = NNestedStruct()
def __init__(self, wordsize):
vstruct.VStruct.__init__(self)
if wordsize == 4:
v_word = v_uint32
elif wordsize == 8:
v_word = v_uint64
else:
raise ValueError('unexpected wordsize')
"""
v7.0:
nodeid: ff000002 tag: S index: 0x41b994
00000000: 69 64 61 00 BC 02 6D 65 74 61 70 63 00 00 00 00 ida...metapc....
00000010: 00 00 00 00 00 00 A3 00 0B 02 00 00 14 00 00 00 ................
00000020: 0B 00 00 00 00 00 00 00 F7 FF FF DF 03 00 00 00 ................
00000030: 00 00 00 00 FF FF FF FF 01 00 00 00 95 16 90 68 ...............h
00000040: 95 16 90 68 FF FF FF FF FF FF FF FF 00 10 90 68 ...h...........h
00000050: 30 E2 9D 68 00 10 90 68 30 E2 9D 68 00 10 90 68 0..h...h0..h...h
00000060: 00 70 9E 68 10 00 00 00 00 00 00 FF 00 00 10 FF .p.h............
00000070: 00 00 00 00 00 02 01 0F 0F 00 40 40 00 00 00 00 ..........@@....
00000080: 00 00 00 00 00 00 00 00 00 00 02 06 67 BE A3 0E ............g...
00000090: 07 00 40 06 00 07 00 18 28 00 50 00 54 03 00 00 ..@.....(.P.T...
000000A0: 01 00 00 00 01 1B 0A 00 00 00 00 00 61 00 00 00 ............a...
000000B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C0: 07 00 00 00 00 01 33 04 01 04 00 02 04 08 08 00 ......3.........
000000D0: 00 00 00 00 00 00 00 00 ........
v6.95:
00000000: 49 44 41 B7 02 6D 65 74 61 70 63 00 00 23 00 0B IDA..metapc..#..
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF ................
00000020: FF FF FF 95 16 90 68 95 16 90 68 00 10 90 68 30 ......h...h...h0
00000030: E2 9D 68 00 10 90 68 30 E2 9D 68 00 10 90 68 00 ..h...h0..h...h.
00000040: 70 9E 68 10 00 00 00 0A 00 00 18 00 01 00 00 02 p.h.............
00000050: 01 01 00 01 02 01 01 00 00 00 00 00 0F 08 00 09 ................
00000060: 06 00 01 01 1B 07 61 00 00 00 00 00 00 00 00 00 ......a.........
00000070: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 ................
00000080: 01 01 FF FF FF FF 01 00 00 00 FF FF FF FF 67 BE ..............g.
00000090: A3 0E 07 00 40 06 07 00 00 00 00 00 00 00 FD BF ....@...........
000000A0: 0F 00 28 00 50 00 40 40 00 00 00 00 00 00 00 00 ..(.P.@@........
000000B0: 00 00 00 00 00 00 02 01 33 04 01 04 00 02 04 08 ........3.......
000000C0: 14 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ................
000000E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
"""
self.tag = v_str(size=0x3) # 'IDA' below 7.0, 'ida' in 7.0
self.zero = v_bytes(size=0x0)
self.version = v_uint16()
self.procname_size = v_bytes(size=0x0)
# 8 bytes for < 7.0
# 16 bytes for >= 7.0
self.procname = v_str(size=0x10)
self.lflags = v_uint8()
self.demnames = v_uint8()
self.filetype = v_uint16()
def buildVStruct(self, vsname):
# Check for a namespace
parts = vsname.split('.', 1)
if len(parts) == 2:
ns = self._vs_namespaces.get(parts[0])
if ns == None:
raise Exception(
'Namespace %s is not present! (need symbols?)' % parts[0])
# If a module gets added as a namespace, assume it has a class def...
if isinstance(ns, types.ModuleType):
cls = getattr(ns, parts[1])
if cls == None:
raise Exception('Unknown VStruct Definition: %s' % vsname)
return cls()
return ns.buildVStruct(parts[1])
ctor = self._vs_ctors.get(vsname)
if ctor != None:
return ctor()
vsdef = self._vs_defs.get(vsname)
if vsdef == None:
raise Exception('Unknown VStruct Definition: %s' % vsname)
vsname, vssize, vskids = vsdef
vs = vstruct.VStruct()
vs._vs_name = vsname
for fname, foffset, fsize, ftypename, fflags, fcount in vskids:
fieldval = self._buildVsType(ftypename, fsize, fflags)
if fcount != None:
afields = [copy.deepcopy(fieldval) for i in xrange(fcount)]
fieldval = vstruct.VArray(afields)
cursize = len(vs)
if foffset < cursize:
continue
if foffset > cursize:
setattr(vs, '_pad%.4x' % foffset,
vs_prim.v_bytes(size=(foffset - cursize)))
setattr(vs, fname, fieldval)
final_len = len(vs)
if final_len < vssize:
setattr(vs, '_pad%.4x' % vssize,
vs_prim.v_bytes(size=(vssize - final_len)))
return vs
def __init__(self, key, common_prefix):
vstruct.VStruct.__init__(self)
self.pkey = key
self.common_prefix = common_prefix
self.key_length = v_uint16()
self._key = v_bytes()
self.value_length = v_uint16()
self.value = v_bytes()
self.key = None
def buildVStruct(self, vsname):
# Check for a namespace
parts = vsname.split('.', 1)
if len(parts) == 2:
ns = self._vs_namespaces.get(parts[0])
if ns == None:
raise Exception('Namespace %s is not present! (need symbols?)' % parts[0])
# If a module gets added as a namespace, assume it has a class def...
if isinstance(ns, types.ModuleType):
cls = getattr(ns, parts[1])
if cls == None:
raise Exception('Unknown VStruct Definition: %s' % vsname)
return cls()
return ns.buildVStruct(parts[1])
ctor = self._vs_ctors.get(vsname)
if ctor != None:
return ctor()
vsdef = self._vs_defs.get(vsname)
if vsdef == None:
raise Exception('Unknown VStruct Definition: %s' % vsname)
vsname, vssize, vskids = vsdef
vs = vstruct.VStruct()
vs._vs_name = vsname
for fname, foffset, fsize, ftypename, fflags, fcount in vskids:
fieldval = self._buildVsType(ftypename, fsize, fflags)
if fcount != None:
afields = [copy.deepcopy(fieldval) for i in xrange(fcount) ]
fieldval = vstruct.VArray(afields)
cursize = len(vs)
if foffset < cursize:
continue
if foffset > cursize:
setattr(vs, '_pad%.4x' % foffset, vs_prim.v_bytes(size=(foffset-cursize)))
setattr(vs, fname, fieldval)
final_len = len(vs)
if final_len < vssize:
setattr(vs, '_pad%.4x' % vssize, vs_prim.v_bytes(size=(vssize-final_len)))
return vs
def vsAddField(self, name, value):
if not isVstructType(value):
raise Exception('Added fields MUST be vstruct types!')
# Do optional field alignment...
if self._vs_field_align:
# If it's a primitive, all is well, if not, pad to size of
# the first element of the VStruct/VArray...
if value.vsIsPrim():
align = value._vs_align
if align is None:
align = len(value)
else:
field = value.vsGetFirstPrim()
align = field._vs_align
if align is None:
align = len(field)
delta = len(self) % align
if delta != 0:
pname = "_pad%d" % self._vs_padnum
self._vs_padnum += 1
self._vs_fields.append(pname)
self._vs_values[pname] = vs_prims.v_bytes(align - delta)
self._vs_fields.append(name)
self._vs_values[name] = value
def __init__(self):
vstruct.VStruct.__init__(self)
# list of offsets to section headers.
# order should line up with the SECTIONS definition (see below).
self.offsets = []
# list of checksums of sections.
# order should line up with the SECTIONS definition.
self.checksums = []
self.signature = v_bytes(size=0x4) # IDA1 | IDA2
self.unk04 = v_uint16()
self.offset1 = v_uint64()
self.offset2 = v_uint64()
self.unk16 = v_uint32()
self.sig2 = v_uint32() # | DD CC BB AA |
self.version = v_uint16()
self.offset3 = v_uint64()
self.offset4 = v_uint64()
self.offset5 = v_uint64()
self.checksum1 = v_uint32()
self.checksum2 = v_uint32()
self.checksum3 = v_uint32()
self.checksum4 = v_uint32()
self.checksum5 = v_uint32()
self.offset6 = v_uint64()
self.checksum6 = v_uint32()
def __init__(self, page_size):
vstruct.VStruct.__init__(self)
self.ppointer = v_uint32()
self.entry_count = v_uint16()
self.contents = v_bytes(page_size)
# ordered cache of entries, once loaded.
self._entries = []
def vsAddField(self, name, value):
if not isVstructType(value):
raise Exception("Added fields MUST be vstruct types!")
# Do optional field alignment...
if self._vs_field_align:
# If it's a primitive, all is well, if not, pad to size of
# the first element of the VStruct/VArray...
if value.vsIsPrim():
align = len(value)
else:
fname = value._vs_fields[0]
align = len(value._vs_values.get(fname))
delta = len(self) % align
if delta != 0:
print "PADDING %s by %d" % (name,align-delta)
pname = "_pad%d" % self._vs_padnum
self._vs_padnum += 1
self._vs_fields.append(pname)
self._vs_values[pname] = vs_prims.v_bytes(align-delta)
self._vs_fields.append(name)
self._vs_values[name] = value
def __init__(self):
vstruct.VStruct.__init__(self)
self.one = p.v_uint32()
self.two = NestedStruct()
self.three = p.v_uint32()
self.four = p.v_bytes(size=100)
def __init__(self):
vstruct.VStruct.__init__(self)
self.one = p.v_uint32()
self.two = NestedStruct()
self.three = p.v_uint32()
self.four = p.v_bytes(size=100)
def vsAddField(self, name, value):
if not isVstructType(value):
raise Exception("Added fields MUST be vstruct types!")
# Do optional field alignment...
if self._vs_field_align:
# If it's a primitive, all is well, if not, pad to size of
# the first element of the VStruct/VArray...
if value.vsIsPrim():
align = value._vs_align
if align == None:
align = len(value)
else:
fname = value._vs_fields[0]
field = value._vs_values.get(fname)
align = field._vs_align
if align == None:
align = len(field)
delta = len(self) % align
if delta != 0:
pname = "_pad%d" % self._vs_padnum
self._vs_padnum += 1
self._vs_fields.append(pname)
self._vs_values[pname] = vs_prims.v_bytes(align - delta)
self._vs_fields.append(name)
self._vs_values[name] = value
def __init__(self):
VStruct.__init__(self)
self.opcode = v_uint32(enum=PATCH_ACTIONS)
self.action_size = v_uint32() # size of entire structure
self.pattern_size = v_uint32() # size of pattern field
self.rva = v_uint32()
self.unknown = v_uint32()
self.module_name = v_wstr(size=MAX_MODULE)
self.pattern = v_bytes(size=0)
def __init__(self):
VStruct.__init__(self)
self.opcode = v_uint32(enum=PATCH_ACTIONS)
self.action_size = v_uint32() # size of entire structure
self.pattern_size = v_uint32() # size of pattern field
self.rva = v_uint32()
self.unknown = v_uint32()
self.module_name = v_wstr(size=MAX_MODULE)
self.pattern = v_bytes(size=0)
def structs(self):
page = self._ctx.cim.logical_data_store.get_page(self.index)
ret = [
VstructInstance(0x0, page.toc, "toc"),
]
for i, data in enumerate(page.objects):
vbuf = v_bytes(size=len(data.buffer))
vbuf.vsParse(data.buffer)
ret.append(VstructInstance(data.offset, vbuf, "Object {:s}".format(h(i))))
return ret
def __init__(self, buf, wordsize):
vstruct.VStruct.__init__(self)
self.buf = memoryview(buf)
self.wordsize = wordsize
self.next_free_offset = v_uint32()
self.page_size = v_uint16()
self.root_page = v_uint32()
self.record_count = v_uint32()
self.page_count = v_uint32()
self.unk12 = v_uint8()
self.signature = v_bytes(size=0x09)
def __init__(self, wordsize=4, buf=None):
vstruct.VStruct.__init__(self)
self.wordsize = wordsize
if wordsize == 4:
self.v_word = v_uint32
self.word_fmt = "I"
elif wordsize == 8:
self.v_word = v_uint64
self.word_fmt = "Q"
else:
raise RuntimeError('unexpected wordsize')
self.signature = v_bytes(size=0x04)
self.unk04 = v_uint32() # 0x3
self.non_empty = v_uint32() # (0x1 non-empty) or (0x0 empty)
self.unk0C = v_uint32() # 0x800
self.page_count = v_uint32()
self.unk14 = self.v_word() # 0x0
self.name_count = v_uint32()
self.padding = v_bytes(size=NAM.PAGE_SIZE - (6 * 4 + wordsize))
self.buffer = v_bytes()
def _buildVsType(self, tname, tsize, tflags):
if tflags & VSFF_POINTER:
if tsize == 4:
return vs_prim.v_ptr32()
elif tsize == 8:
return vs_prim.v_ptr64()
else:
raise Exception('Invalid Pointer Width: %d' % tsize)
if tname is not None:
return self.buildVStruct(tname)
if tsize not in TSIZES:
return vs_prim.v_bytes(size=tsize)
return prim_types[tsize]()
def __init__(self, buf=None, wordsize=4):
vstruct.VStruct.__init__(self)
self.wordsize = wordsize
self.signature = v_bytes(size=0x06)
def __init__(self):
vstruct.VStruct.__init__(self)
self.header = SectionHeader()
self.contents = v_bytes()
def buildVStruct(self, vsname):
# Check for a namespace
parts = vsname.split('.', 1)
if len(parts) == 2:
ns = self._vs_namespaces.get(parts[0])
if ns == None:
raise Exception('Namespace %s is not present! (need symbols?)' % parts[0])
# If a module gets added as a namespace, assume it has a class def...
if isinstance(ns, types.ModuleType):
cls = getattr(ns, parts[1])
if cls == None:
raise Exception('Unknown VStruct Definition: %s' % vsname)
return cls()
return ns.buildVStruct(parts[1])
vsdef = self._vs_defs.get(vsname)
if vsdef == None:
raise Exception('Unknown VStruct Definition: %s' % vsname)
vsname, vssize, vskids = vsdef
vs = vstruct.VStruct()
vs._vs_name = vsname
for fname, foffset, fsize, ftypename, fflags in vskids:
if fflags & VSFF_POINTER:
# FIXME support pointers with types!
if fsize == 4:
fieldval = vs_prim.v_ptr32()
elif fsize == 8:
fieldval = vs_prim.v_ptr64()
else:
raise Exception('Invalid Pointer Width: %d' % fsize)
elif fflags & VSFF_ARRAY:
if ftypename != None:
fieldval = vstruct.VArray()
while len(fieldval) < fsize:
fieldval.vsAddElement( self.buildVStruct(ftypename) )
else:
# FIXME actually handle arrays!
fieldval = vs_prim.v_bytes(size=fsize)
elif ftypename == None:
if fsize not in [1,2,4,8]:
#print 'Primitive Field Size: %d' % fsize
fieldval = v_bytes(size=fsize)
else:
fieldval = prim_types[fsize]()
else:
fieldval = self.buildVStruct(ftypename)
cursize = len(vs)
if foffset < cursize:
#print 'FIXME handle unions, overlaps, etc...'
continue
if foffset > cursize:
setattr(vs, '_pad%.4x' % foffset, vs_prim.v_bytes(size=(foffset-cursize)))
setattr(vs, fname, fieldval)
return vs
def buildVStruct(self, vsname):
# Check for a namespace
parts = vsname.split('.', 1)
if len(parts) == 2:
ns = self._vs_namespaces.get(parts[0])
if ns == None:
raise Exception(
'Namespace %s is not present! (need symbols?)' % parts[0])
# If a module gets added as a namespace, assume it has a class def...
if isinstance(ns, types.ModuleType):
cls = getattr(ns, parts[1])
if cls == None:
raise Exception('Unknown VStruct Definition: %s' % vsname)
return cls()
return ns.buildVStruct(parts[1])
vsdef = self._vs_defs.get(vsname)
if vsdef == None:
raise Exception('Unknown VStruct Definition: %s' % vsname)
vsname, vssize, vskids = vsdef
vs = vstruct.VStruct()
vs._vs_name = vsname
for fname, foffset, fsize, ftypename, fflags in vskids:
if fflags & VSFF_POINTER:
# FIXME support pointers with types!
if fsize == 4:
fieldval = vs_prim.v_ptr32()
elif fsize == 8:
fieldval = vs_prim.v_ptr64()
else:
raise Exception('Invalid Pointer Width: %d' % fsize)
elif fflags & VSFF_ARRAY:
if ftypename != None:
fieldval = vstruct.VArray()
while len(fieldval) < fsize:
fieldval.vsAddElement(self.buildVStruct(ftypename))
else:
# FIXME actually handle arrays!
fieldval = vs_prim.v_bytes(size=fsize)
elif ftypename == None:
if fsize not in [1, 2, 4, 8]:
#print 'Primitive Field Size: %d' % fsize
fieldval = v_bytes(size=fsize)
else:
fieldval = prim_types[fsize]()
else:
fieldval = self.buildVStruct(ftypename)
cursize = len(vs)
if foffset < cursize:
#print 'FIXME handle unions, overlaps, etc...'
continue
if foffset > cursize:
setattr(vs, '_pad%.4x' % foffset,
vs_prim.v_bytes(size=(foffset - cursize)))
setattr(vs, fname, fieldval)
return vs
