class IMAGE_COR20_HEADER(pstruct.type):
def blocksize(self):
return self['cb'].li.int()
_fields_ = [
(pint.uint32_t, 'cb'),
(pint.uint16_t, 'MajorRuntimeVersion'),
(pint.uint16_t, 'MinorRuntimeVersion'),
(dyn.clone(IMAGE_DATA_DIRECTORY, _object_=MetaDataRoot), 'MetaData'),
(CORIMAGE_FLAGS_, 'Flags'),
(pint.uint32_t, 'EntryPoint'),
(dyn.clone(IMAGE_DATA_DIRECTORY,
_object_=lambda s: dyn.blockarray(
ResourceInfo,
s.getparent(IMAGE_DATA_DIRECTORY)['Size'].li.int())),
'Resources'),
(IMAGE_DATA_DIRECTORY, 'StrongNameSignature'),
(IMAGE_DATA_DIRECTORY, 'CodeManagerTable'),
(dyn.clone(IMAGE_DATA_DIRECTORY,
_object_=lambda s: dyn.blockarray(
VtableFixup,
s.getparent(IMAGE_DATA_DIRECTORY)['Size'].li.int())),
'VTableFixups'),
(IMAGE_DATA_DIRECTORY, 'ExportAddressTableJumps'),
(IMAGE_DATA_DIRECTORY, 'ManagedNativeHeader'),
]
def test_str_szwstring_blockarray():
data = '3d 00 3a 00 3a 00 3d 00 3a 00 3a 00 5c 00 00 00 65 00 2e 00 6c 00 6f 00 67 00 00 00 00 00 ab ab ab ab ab ab ab ab'.replace(' ','').decode('hex')
source = ptypes.prov.string(data)
t = dyn.blockarray(pstr.szwstring, 30)
a = t(source=source).l
if (a[0].str(),a[1].str(),a[2].str()) == ('=::=::\\','e.log','') and a[2].blocksize() == 2 and len(a) == 3:
raise Success
class IMAGE_DYNAMIC_RELOCATION(pstruct.type):
_fields_ = [
(uint32, 'Symbol'),
(uint32, 'BaseRelocSize'),
(lambda s: dyn.blockarray(uint32, s['BaseRelocSize'].li.int()),
'BaseRelocations'),
]
def test_str_szwstring_blockarray():
data = '3d 00 3a 00 3a 00 3d 00 3a 00 3a 00 5c 00 00 00 65 00 2e 00 6c 00 6f 00 67 00 00 00 00 00 ab ab ab ab ab ab ab ab'.replace(' ','').decode('hex')
source = ptypes.prov.string(data)
t = dyn.blockarray(pstr.szwstring, 30)
a = t(source=source).l
if (a[0].str(),a[1].str(),a[2].str()) == ('=::=::\\','e.log','') and a[2].blocksize() == 2 and len(a) == 3:
raise Success
class IMAGE_DYNAMIC_RELOCATION64(pstruct.type):
_fields_ = [
(realaddress(VOID, type=ULONGLONG), 'Symbol'),
(DWORD, 'BaseRelocSize'),
(lambda self: dyn.blockarray(DWORD, self['BaseRelocSize'].li.int()),
'BaseRelocations'),
]
class ResourceManagerHeader(pstruct.type):
_fields_ = [
#(pint.uint32_t, 'Magic'),
(pint.uint32_t, 'Version'),
(pint.uint32_t, 'Size'),
(lambda s: dyn.blockarray(ResourceString, s['Size'].li.int()),
'Parsers'),
]
def __DynamicRelocations(self):
p, version = self.getparent(
IMAGE_LOAD_CONFIG_DIRECTORY), self['Version'].li
if version.int() < 2:
if isinstance(p, IMAGE_LOAD_CONFIG_DIRECTORY32):
t = IMAGE_DYNAMIC_RELOCATION32
elif isinstance(p, IMAGE_LOAD_CONFIG_DIRECTORY64):
t = IMAGE_DYNAMIC_RELOCATION64
else:
raise TypeError(p)
return dyn.blockarray(t, self['Size'].li.int())
# FIXME: Reverse what the 32-bit version of this structure should look like
# and more importantly how the size fits into this...
raise NotImplementedError(version.int())
return IMAGE_DYNAMIC_RELOCATION64_V2
class UNWIND_INFO(pstruct.type):
class _Header(pbinary.struct):
_fields_ = [
(UNW_FLAG_, 'Flags'),
(3, 'Version'),
]
class _Frame(pbinary.struct):
_fields_ = [
(4, 'Offset'),
(4, 'Register'),
]
class _HandlerInfo(pstruct.type):
_fields_ = [(virtualaddress(ptype.undefined,
type=dword), 'ExceptionHandler'),
(virtualaddress(FuncInfo, type=dword), 'ExceptionData')]
def __HandlerInfo(self):
res = self['Header'].li
flags = res.item('Flags')
return self._HandlerInfo if any(
flags[item] for item in ['EHANDLER', 'UHANDLER', 'FHANDLER'
]) else ptype.undefined
def __FunctionEntry(self):
res = self['Header'].li
flags = res.item('Flags')
return RUNTIME_FUNCTION if flags['CHAININFO'] else ptype.undefined
_fields_ = [
(_Header, 'Header'),
(byte, 'SizeOfProlog'),
(byte, 'CountOfCodes'),
(_Frame, 'Frame'),
(lambda self: dyn.blockarray(UNWIND_CODE, 2 * self['CountOfCodes'].li.
int()), 'UnwindCode'),
(dyn.align(4),
'align(ExceptionHandler)'), # FIXME: this was copied from IDA
(__HandlerInfo, 'HandlerInfo'),
(__FunctionEntry, 'FunctionEntry'),
]
def __Children(self):
fields = ['wLength', 'wValueLength', 'wType', 'szKey', 'Padding1', 'Value', 'Padding2']
length, cb = self['wLength'].li.int(), sum(self[fld].li.size() for fld in fields)
if cb > length:
raise AssertionError("Invalid block size returned by {!s} for child: {:d} > {:d}".format(self.instance(), cb, length))
size = max(0, length - cb)
# If our class implements a .Children() method, then use that to determine the type.
attribute = getattr(self, 'Children') if hasattr(self, 'Children') else None
if callable(attribute):
return self.Children(size)
# Otherwise, use the key to lookup the type in our definition.
cls, key = self.__class__, self['szKey'].li.str()
if cls is not RT_VERSION:
logging.debug("{:s} : No type callback implemented for Children in {!r}. Searching for one instead.".format('.'.join([cls.__module__, cls.__name__]), key))
# And then use that type to build the array of children.
res = RT_VERSION_EntryType.lookup(key)
return dyn.blockarray(res, size)
def __DynamicRelocations(self):
# FIXME: figure out how to determine the type and size properly
t = IMAGE_DYNAMIC_RELOCATION
return dyn.blockarray(t, self['Size'].li.int())
def __entries(self):
bs, res = self.blocksize(), sum(self[fld].li.size()
for fld in ['Signature'])
return dyn.blockarray(LTCG_ENTRY, max(0, bs - res))
def Children(self, length):
return dyn.blockarray(RT_VERSION, length)
def ValueType(self, length):
return dyn.blockarray(dword, length)
def Children(self, size):
return dyn.blockarray(RT_VERSION_String, size)