def __init__(self):
vstruct.VStruct.__init__(self)
self.Magic = v_bytes(vbytes=IMAGE_ARCHIVE_START)
# A set of image archive names is first...
self.ImageArchiveMembers = vstruct.VArray(elems=(IMAGE_ARCHIVE_LINKER1(), IMAGE_ARCHIVE_LINKER2()))
def __init__(self):
IMAGE_ARCHIVE_MEMBER.__init__(self)
self.NumberOfSymbols = v_uint32(bigend=True)
self.SymbolOffsets = vstruct.VArray()
self.SymbolNames = vstruct.VArray()
def pcb_NumberOfAuxSymbols(self):
a = self.NumberOfAuxSymbols
self.AuxSymbols = vstruct.VArray(elems=[ v_bytes(size=18) for i in range(a) ])
def __init__(self, bigend=False):
IMAGE_ARCHIVE_MEMBER.__init__(self)
self.FileHeader = IMAGE_FILE_HEADER()
self.SectionHeaders = vstruct.VArray()
self.SectionData = v_bytes()
self.SymbolTable = vstruct.VArray()
def pcb_descsz(self):
elems = [v_uint32() for i in range(self.descsz // 4)]
self.desc = vstruct.VArray(elems=elems)
def __init__(self):
vstruct.VStruct.__init__(self)
self.PrivilegeCount = v_uint32()
self.Control = v_uint32()
self.Privilege = vstruct.VArray([ LUID_AND_ATTRIBUTES() for i in xrange(3) ])
def __init__(self):
vstruct.VStruct.__init__(self)
self.Count = v_uint32()
self.List = vstruct.VArray([ CM_FULL_RESOURCE_DESCRIPTOR() for i in xrange(1) ])
def pcb_NumberOfSymbols(self):
c = self.NumberOfSymbols
self.SymbolIndexes = vstruct.VArray( elems=[ v_uint16() for i in range(c) ])
self.SymbolNames = vstruct.VArray( elems=[ v_zstr() for i in range(c) ])
def __init__(self):
vstruct.VStruct.__init__(self)
self.ExtraData = v_ptr32()
self.size = v_uint32()
self.trace = vstruct.VArray([ v_ptr32() for i in xrange(6) ])
def __init__(self):
vstruct.VStruct.__init__(self)
self.Data1 = v_uint32()
self.Data2 = v_uint16()
self.Data3 = v_uint16()
self.Data4 = vstruct.VArray([ v_uint8() for i in xrange(8) ])
def __init__(self):
vstruct.VStruct.__init__(self)
self.HashBuckets = vstruct.VArray([ v_ptr32() for i in xrange(37) ])
self.Lock = EX_PUSH_LOCK()
self.DeviceMap = v_ptr32()
self.SessionId = v_uint32()
def buildVStruct(self, vsname):
# Check for a namespace
parts = vsname.split('.', 1)
if len(parts) == 2:
ns = self._vs_namespaces.get(parts[0])
if ns == None:
raise Exception(
'Namespace %s is not present! (need symbols?)' % parts[0])
# If a module gets added as a namespace, assume it has a class def...
if isinstance(ns, types.ModuleType):
cls = getattr(ns, parts[1])
if cls == None:
raise Exception('Unknown VStruct Definition: %s' % vsname)
return cls()
return ns.buildVStruct(parts[1])
vsdef = self._vs_defs.get(vsname)
if vsdef == None:
raise Exception('Unknown VStruct Definition: %s' % vsname)
vsname, vssize, vskids = vsdef
vs = vstruct.VStruct()
vs._vs_name = vsname
for fname, foffset, fsize, ftypename, fflags in vskids:
if fflags & VSFF_POINTER:
# FIXME support pointers with types!
if fsize == 4:
fieldval = vs_prim.v_ptr32()
elif fsize == 8:
fieldval = vs_prim.v_ptr64()
else:
raise Exception('Invalid Pointer Width: %d' % fsize)
elif fflags & VSFF_ARRAY:
if ftypename != None:
fieldval = vstruct.VArray()
while len(fieldval) < fsize:
fieldval.vsAddElement(self.buildVStruct(ftypename))
else:
# FIXME actually handle arrays!
fieldval = vs_prim.v_bytes(size=fsize)
elif ftypename == None:
if fsize not in [1, 2, 4, 8]:
#print 'Primitive Field Size: %d' % fsize
fieldval = v_bytes(size=fsize)
else:
fieldval = prim_types[fsize]()
else:
fieldval = self.buildVStruct(ftypename)
cursize = len(vs)
if foffset < cursize:
#print 'FIXME handle unions, overlaps, etc...'
continue
if foffset > cursize:
setattr(vs, '_pad%.4x' % foffset,
vs_prim.v_bytes(size=(foffset - cursize)))
setattr(vs, fname, fieldval)
return vs
def __init__(self):
vstruct.VStruct.__init__(self)
self.InheritedAddressSpace = v_uint8()
self.ReadImageFileExecOptions = v_uint8()
self.BeingDebugged = v_uint8()
self.SpareBool = v_uint8()
self.Mutant = v_ptr32()
self.ImageBaseAddress = v_ptr32()
self.Ldr = v_ptr32()
self.ProcessParameters = v_ptr32()
self.SubSystemData = v_ptr32()
self.ProcessHeap = v_ptr32()
self.FastPebLock = v_ptr32()
self.FastPebLockRoutine = v_ptr32()
self.FastPebUnlockRoutine = v_ptr32()
self.EnvironmentUpdateCount = v_uint32()
self.KernelCallbackTable = v_ptr32()
self.SystemReserved = v_uint32()
self.AtlThunkSListPtr32 = v_ptr32()
self.FreeList = v_ptr32()
self.TlsExpansionCounter = v_uint32()
self.TlsBitmap = v_ptr32()
self.TlsBitmapBits = vstruct.VArray([v_uint32() for i in range(2)])
self.ReadOnlySharedMemoryBase = v_ptr32()
self.ReadOnlySharedMemoryHeap = v_ptr32()
self.ReadOnlyStaticServerData = v_ptr32()
self.AnsiCodePageData = v_ptr32()
self.OemCodePageData = v_ptr32()
self.UnicodeCaseTableData = v_ptr32()
self.NumberOfProcessors = v_uint32()
self.NtGlobalFlag = v_uint64()
self.CriticalSectionTimeout = v_uint64()
self.HeapSegmentReserve = v_uint32()
self.HeapSegmentCommit = v_uint32()
self.HeapDeCommitTotalFreeThreshold = v_uint32()
self.HeapDeCommitFreeBlockThreshold = v_uint32()
self.NumberOfHeaps = v_uint32()
self.MaximumNumberOfHeaps = v_uint32()
self.ProcessHeaps = v_ptr32()
self.GdiSharedHandleTable = v_ptr32()
self.ProcessStarterHelper = v_ptr32()
self.GdiDCAttributeList = v_uint32()
self.LoaderLock = v_ptr32()
self.OSMajorVersion = v_uint32()
self.OSMinorVersion = v_uint32()
self.OSBuildNumber = v_uint16()
self.OSCSDVersion = v_uint16()
self.OSPlatformId = v_uint32()
self.ImageSubsystem = v_uint32()
self.ImageSubsystemMajorVersion = v_uint32()
self.ImageSubsystemMinorVersion = v_uint32()
self.ImageProcessAffinityMask = v_uint32()
self.GdiHandleBuffer = vstruct.VArray([v_ptr32() for i in range(34)])
self.PostProcessInitRoutine = v_ptr32()
self.TlsExpansionBitmap = v_ptr32()
self.TlsExpansionBitmapBits = vstruct.VArray(
[v_uint32() for i in range(32)])
self.SessionId = v_uint32()
self.AppCompatFlags = v_uint64()
self.AppCompatFlagsUser = v_uint64()
self.pShimData = v_ptr32()
self.AppCompatInfo = v_ptr32()
self.CSDVersion = v_ptr32()
self.UNKNOWN = v_uint32()
self.ActivationContextData = v_ptr32()
self.ProcessAssemblyStorageMap = v_ptr32()
self.SystemDefaultActivationContextData = v_ptr32()
self.SystemAssemblyStorageMap = v_ptr32()
self.MinimumStackCommit = v_uint32()
def pcb_NumberOfSymbols(self):
c = self.NumberOfSymbols
self.SymbolOffsets = vstruct.VArray( elems=[ v_uint32(bigend=True) for i in range(c) ])
self.SymbolNames = vstruct.VArray( elems=[ v_zstr() for i in range(c) ])
def __init__(self):
vstruct.VStruct.__init__(self)
self.Locks = vstruct.VArray([ v_ptr32() for i in xrange(1) ])
def pcb_NumberOfMembers(self):
c = self.NumberOfMembers
self.MemberOffsets = vstruct.VArray( elems=[ v_uint32() for i in range(c) ] )
def __init__(self):
vstruct.VStruct.__init__(self)
self.Version = v_uint16()
self.Revision = v_uint16()
self.Count = v_uint32()
self.PartialDescriptors = vstruct.VArray([ CM_PARTIAL_RESOURCE_DESCRIPTOR() for i in xrange(1) ])
def buildVStruct(self, vsname):
# Check for a namespace
parts = vsname.split('.', 1)
if len(parts) == 2:
ns = self._vs_namespaces.get(parts[0])
if ns == None:
raise Exception('Namespace %s is not present! (need symbols?)' % parts[0])
# If a module gets added as a namespace, assume it has a class def...
if isinstance(ns, types.ModuleType):
cls = getattr(ns, parts[1])
if cls == None:
raise Exception('Unknown VStruct Definition: %s' % vsname)
return cls()
return ns.buildVStruct(parts[1])
ctor = self._vs_ctors.get(vsname)
if ctor != None:
return ctor()
vsdef = self._vs_defs.get(vsname)
# If we still dont have a def, lets ask our namespaces
if vsdef == None:
for ns in self._vs_namespaces.values():
if isinstance(ns, types.ModuleType):
cls = getattr(ns, vsname, None)
if cls != None:
return cls()
else:
vsdef = ns._vs_defs.get(vsname)
if vsdef != None:
break
if vsdef == None:
return None
vsname, vssize, vskids = vsdef
vs = vstruct.VStruct()
vs._vs_name = vsname
for fname, foffset, fsize, ftypename, fflags, fcount in vskids:
fieldval = self._buildVsType(ftypename, fsize, fflags)
if fcount != None:
afields = [copy.deepcopy(fieldval) for i in range(fcount) ]
fieldval = vstruct.VArray(afields)
cursize = len(vs)
if foffset < cursize:
continue
if foffset > cursize:
setattr(vs, '_pad%.4x' % foffset, vs_prim.v_bytes(size=(foffset-cursize)))
setattr(vs, fname, fieldval)
final_len = len(vs)
if final_len < vssize:
setattr(vs, '_pad%.4x' % vssize, vs_prim.v_bytes(size=(vssize-final_len)))
return vs
def test_vstruct_varray(self):
v = vstruct.VArray([v_uint8(i) for i in xrange(20)])
self.assertEqual(v[2], 2)
v.vsParse('A' * 20)
self.assertEqual(v[2], 0x41)
