Beispiel #1
0
func openExecutablePath(path string) (*pe.File, error) {
	f, err := os.OpenFile(path, 0, os.ModePerm)
	if err != nil {
		return nil, err
	}
	return pe.NewFile(f)
}
Beispiel #2
0
func CheckPE(file string) bool {

	r := _ioReader(file)    //reader interface for file
	f, err := pe.NewFile(r) //open the file as a PE
	if err != nil {
		return false //Not a PE file
	}

	//Reading DOS header
	var dosheader [96]byte
	r.ReadAt(dosheader[0:], 0)
	if dosheader[0] == 'M' && dosheader[1] == 'Z' { //if we get MZ
		signoff := int64(binary.LittleEndian.Uint32(dosheader[0x3c:]))
		var sign [4]byte
		r.ReadAt(sign[:], signoff)
		if !(sign[0] == 'P' && sign[1] == 'E' && sign[2] == 0 && sign[3] == 0) { //if not PE\0\0
			return false //Invalid PE File Format
		}
	}
	if (f.Characteristics & 0x2000) == 0x2000 { //IMAGE_FILE_DLL signature
		return false //it's a DLL, OCX, CPL file, we want a EXE file
	}

	f.Close()
	return true //it is a valid EXE file

}
Beispiel #3
0
func Open(files string) {
	file := ioReader(files)

	f, err := pe.NewFile(file)
	if err != nil {
		return
	}

}
Beispiel #4
0
func loadTables(f *os.File) (textStart uint64, symtab, pclntab []byte, err error) {
	if obj, err := elf.NewFile(f); err == nil {
		if sect := obj.Section(".text"); sect != nil {
			textStart = sect.Addr
		}
		if sect := obj.Section(".gosymtab"); sect != nil {
			if symtab, err = sect.Data(); err != nil {
				return 0, nil, nil, err
			}
		}
		if sect := obj.Section(".gopclntab"); sect != nil {
			if pclntab, err = sect.Data(); err != nil {
				return 0, nil, nil, err
			}
		}
		return textStart, symtab, pclntab, nil
	}

	if obj, err := macho.NewFile(f); err == nil {
		if sect := obj.Section("__text"); sect != nil {
			textStart = sect.Addr
		}
		if sect := obj.Section("__gosymtab"); sect != nil {
			if symtab, err = sect.Data(); err != nil {
				return 0, nil, nil, err
			}
		}
		if sect := obj.Section("__gopclntab"); sect != nil {
			if pclntab, err = sect.Data(); err != nil {
				return 0, nil, nil, err
			}
		}
		return textStart, symtab, pclntab, nil
	}

	if obj, err := pe.NewFile(f); err == nil {
		if sect := obj.Section(".text"); sect != nil {
			textStart = uint64(sect.VirtualAddress)
		}
		if sect := obj.Section(".gosymtab"); sect != nil {
			if symtab, err = sect.Data(); err != nil {
				return 0, nil, nil, err
			}
		}
		if sect := obj.Section(".gopclntab"); sect != nil {
			if pclntab, err = sect.Data(); err != nil {
				return 0, nil, nil, err
			}
		}
		return textStart, symtab, pclntab, nil
	}

	return 0, nil, nil, fmt.Errorf("unrecognized binary format")
}
Beispiel #5
0
func openPE(r *os.File) (rawFile, error) {
	f, err := pe.NewFile(r)
	if err != nil {
		return nil, err
	}
	switch f.OptionalHeader.(type) {
	case *pe.OptionalHeader32, *pe.OptionalHeader64:
		// ok
	default:
		return nil, fmt.Errorf("unrecognized PE format")
	}
	return &peFile{f}, nil
}
Beispiel #6
0
func NewFile(r io.ReaderAt) (binaryx.File, error) {
	elfBinary, err := elf.NewFile(r)
	if err == nil {
		return newFile(&elfx.File{elfBinary})
	}
	machoBinary, err := macho.NewFile(r)
	if err == nil {
		return newFile(&machox.File{machoBinary})
	}
	peBinary, err := pe.NewFile(r)
	if err == nil {
		return newFile(&pex.File{peBinary})
	}
	return nil, err
}
func (dbp *Process) findExecutable(path string) (*pe.File, error) {
	if path == "" {
		// TODO: Find executable path from PID/handle on Windows:
		// https://msdn.microsoft.com/en-us/library/aa366789(VS.85).aspx
		return nil, fmt.Errorf("not yet implemented")
	}
	f, err := os.OpenFile(path, 0, os.ModePerm)
	if err != nil {
		return nil, err
	}
	peFile, err := pe.NewFile(f)
	if err != nil {
		return nil, err
	}
	dbp.dwarf, err = dwarfFromPE(peFile)
	if err != nil {
		return nil, err
	}
	return peFile, nil
}
Beispiel #8
0
func peSymbols(f *os.File) []Sym {
	p, err := pe.NewFile(f)
	if err != nil {
		errorf("parsing %s: %v", f.Name(), err)
		return nil
	}

	var syms []Sym
	for _, s := range p.Symbols {
		sym := Sym{Name: s.Name, Addr: uint64(s.Value), Code: '?'}
		if s.SectionNumber == 0 {
			sym.Code = 'U'
		} else if int(s.SectionNumber) <= len(p.Sections) {
			sect := p.Sections[s.SectionNumber-1]
			const (
				text  = 0x20
				data  = 0x40
				bss   = 0x80
				permX = 0x20000000
				permR = 0x40000000
				permW = 0x80000000
			)
			ch := sect.Characteristics
			switch {
			case ch&text != 0:
				sym.Code = 'T'
			case ch&data != 0:
				if ch&permW == 0 {
					sym.Code = 'R'
				} else {
					sym.Code = 'D'
				}
			case ch&bss != 0:
				sym.Code = 'B'
			}
		}
		syms = append(syms, sym)
	}

	return syms
}
Beispiel #9
0
// zipExeReaderPe treats the file as a Portable Exectuable binary
// (Windows executable) and attempts to find a zip archive.
func zipExeReaderPe(rda io.ReaderAt, size int64) (*zip.Reader, error) {
	file, err := pe.NewFile(rda)
	if err != nil {
		return nil, err
	}

	var max int64
	for _, sec := range file.Sections {
		// Check if this section has a zip file
		if zfile, err := zip.NewReader(sec, int64(sec.Size)); err == nil {
			return zfile, nil
		}

		// Otherwise move end of file pointer
		end := int64(sec.Offset + sec.Size)
		if end > max {
			max = end
		}
	}

	// No zip file within binary, try appended to end
	section := io.NewSectionReader(rda, max, size-max)
	return zip.NewReader(section, section.Size())
}
Beispiel #10
0
func grabDebugLineSection(p string, t *testing.T) []byte {
	f, err := os.Open(p)
	if err != nil {
		t.Fatal(err)
	}
	defer f.Close()

	ef, err := elf.NewFile(f)
	if err == nil {
		data, _ := ef.Section(".debug_line").Data()
		return data
	}

	pf, err := pe.NewFile(f)
	if err == nil {
		data, _ := pf.Section(".debug_line").Data()
		return data
	}

	mf, _ := macho.NewFile(f)
	data, _ := mf.Section("__debug_line").Data()

	return data
}
Beispiel #11
0
func ldpeError(ctxt *Link, input *bio.Reader, pkg string, length int64, pn string) error {
	if ctxt.Debugvlog != 0 {
		ctxt.Logf("%5.2f ldpe %s\n", obj.Cputime(), pn)
	}

	localSymVersion := ctxt.Syms.IncVersion()

	sectsyms := make(map[*pe.Section]*Symbol)
	sectdata := make(map[*pe.Section][]byte)

	// Some input files are archives containing multiple of
	// object files, and pe.NewFile seeks to the start of
	// input file and get confused. Create section reader
	// to stop pe.NewFile looking before current position.
	sr := io.NewSectionReader((*peBiobuf)(input), input.Offset(), 1<<63-1)

	// TODO: replace pe.NewFile with pe.Load (grep for "add Load function" in debug/pe for details)
	f, err := pe.NewFile(sr)
	if err != nil {
		return err
	}
	defer f.Close()

	// TODO return error if found .cormeta

	// create symbols for mapped sections
	for _, sect := range f.Sections {
		if sect.Characteristics&IMAGE_SCN_MEM_DISCARDABLE != 0 {
			continue
		}

		if sect.Characteristics&(IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA) == 0 {
			// This has been seen for .idata sections, which we
			// want to ignore. See issues 5106 and 5273.
			continue
		}

		data, err := sect.Data()
		if err != nil {
			return err
		}
		sectdata[sect] = data

		name := fmt.Sprintf("%s(%s)", pkg, sect.Name)
		s := ctxt.Syms.Lookup(name, localSymVersion)

		switch sect.Characteristics & (IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) {
		case IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ: //.rdata
			s.Type = obj.SRODATA

		case IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE: //.bss
			s.Type = obj.SNOPTRBSS

		case IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE: //.data
			s.Type = obj.SNOPTRDATA

		case IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ: //.text
			s.Type = obj.STEXT

		default:
			return fmt.Errorf("unexpected flags %#06x for PE section %s", sect.Characteristics, sect.Name)
		}

		s.P = data
		s.Size = int64(len(data))
		sectsyms[sect] = s
		if sect.Name == ".rsrc" {
			setpersrc(ctxt, s)
		}
	}

	// load relocations
	for _, rsect := range f.Sections {
		if _, found := sectsyms[rsect]; !found {
			continue
		}
		if rsect.NumberOfRelocations == 0 {
			continue
		}
		if rsect.Characteristics&IMAGE_SCN_MEM_DISCARDABLE != 0 {
			continue
		}
		if rsect.Characteristics&(IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA) == 0 {
			// This has been seen for .idata sections, which we
			// want to ignore. See issues 5106 and 5273.
			continue
		}

		rs := make([]Reloc, rsect.NumberOfRelocations)
		for j, r := range rsect.Relocs {
			rp := &rs[j]
			if int(r.SymbolTableIndex) >= len(f.COFFSymbols) {
				return fmt.Errorf("relocation number %d symbol index idx=%d cannot be large then number of symbols %d", j, r.SymbolTableIndex, len(f.COFFSymbols))
			}
			pesym := &f.COFFSymbols[r.SymbolTableIndex]
			gosym, err := readpesym(ctxt, f, pesym, sectsyms, localSymVersion)
			if err != nil {
				return err
			}
			if gosym == nil {
				name, err := pesym.FullName(f.StringTable)
				if err != nil {
					name = string(pesym.Name[:])
				}
				return fmt.Errorf("reloc of invalid sym %s idx=%d type=%d", name, r.SymbolTableIndex, pesym.Type)
			}

			rp.Sym = gosym
			rp.Siz = 4
			rp.Off = int32(r.VirtualAddress)
			switch r.Type {
			default:
				Errorf(sectsyms[rsect], "%s: unknown relocation type %d;", pn, r.Type)
				fallthrough

			case IMAGE_REL_I386_REL32, IMAGE_REL_AMD64_REL32,
				IMAGE_REL_AMD64_ADDR32, // R_X86_64_PC32
				IMAGE_REL_AMD64_ADDR32NB:
				rp.Type = obj.R_PCREL

				rp.Add = int64(int32(Le32(sectdata[rsect][rp.Off:])))

			case IMAGE_REL_I386_DIR32NB, IMAGE_REL_I386_DIR32:
				rp.Type = obj.R_ADDR

				// load addend from image
				rp.Add = int64(int32(Le32(sectdata[rsect][rp.Off:])))

			case IMAGE_REL_AMD64_ADDR64: // R_X86_64_64
				rp.Siz = 8

				rp.Type = obj.R_ADDR

				// load addend from image
				rp.Add = int64(Le64(sectdata[rsect][rp.Off:]))
			}

			// ld -r could generate multiple section symbols for the
			// same section but with different values, we have to take
			// that into account
			if issect(pesym) {
				rp.Add += int64(pesym.Value)
			}
		}

		sort.Sort(rbyoff(rs[:rsect.NumberOfRelocations]))

		s := sectsyms[rsect]
		s.R = rs
		s.R = s.R[:rsect.NumberOfRelocations]
	}

	// enter sub-symbols into symbol table.
	for i, numaux := 0, 0; i < len(f.COFFSymbols); i += numaux + 1 {
		pesym := &f.COFFSymbols[i]

		numaux = int(pesym.NumberOfAuxSymbols)

		name, err := pesym.FullName(f.StringTable)
		if err != nil {
			return err
		}
		if name == "" {
			continue
		}
		if issect(pesym) {
			continue
		}
		if int(pesym.SectionNumber) > len(f.Sections) {
			continue
		}
		if pesym.SectionNumber == IMAGE_SYM_DEBUG {
			continue
		}
		var sect *pe.Section
		if pesym.SectionNumber > 0 {
			sect = f.Sections[pesym.SectionNumber-1]
			if _, found := sectsyms[sect]; !found {
				continue
			}
		}

		s, err := readpesym(ctxt, f, pesym, sectsyms, localSymVersion)
		if err != nil {
			return err
		}

		if pesym.SectionNumber == 0 { // extern
			if s.Type == obj.SDYNIMPORT {
				s.Plt = -2 // flag for dynimport in PE object files.
			}
			if s.Type == obj.SXREF && pesym.Value > 0 { // global data
				s.Type = obj.SNOPTRDATA
				s.Size = int64(pesym.Value)
			}

			continue
		} else if pesym.SectionNumber > 0 && int(pesym.SectionNumber) <= len(f.Sections) {
			sect = f.Sections[pesym.SectionNumber-1]
			if _, found := sectsyms[sect]; !found {
				Errorf(s, "%s: missing sect.sym", pn)
			}
		} else {
			Errorf(s, "%s: sectnum < 0!", pn)
		}

		if sect == nil {
			return nil
		}

		if s.Outer != nil {
			if s.Attr.DuplicateOK() {
				continue
			}
			Exitf("%s: duplicate symbol reference: %s in both %s and %s", pn, s.Name, s.Outer.Name, sectsyms[sect].Name)
		}

		sectsym := sectsyms[sect]
		s.Sub = sectsym.Sub
		sectsym.Sub = s
		s.Type = sectsym.Type | obj.SSUB
		s.Value = int64(pesym.Value)
		s.Size = 4
		s.Outer = sectsym
		if sectsym.Type == obj.STEXT {
			if s.Attr.External() && !s.Attr.DuplicateOK() {
				Errorf(s, "%s: duplicate symbol definition", pn)
			}
			s.Attr |= AttrExternal
		}
	}

	// Sort outer lists by address, adding to textp.
	// This keeps textp in increasing address order.
	for _, sect := range f.Sections {
		s := sectsyms[sect]
		if s == nil {
			continue
		}
		if s.Sub != nil {
			s.Sub = listsort(s.Sub)
		}
		if s.Type == obj.STEXT {
			if s.Attr.OnList() {
				log.Fatalf("symbol %s listed multiple times", s.Name)
			}
			s.Attr |= AttrOnList
			ctxt.Textp = append(ctxt.Textp, s)
			for s = s.Sub; s != nil; s = s.Sub {
				if s.Attr.OnList() {
					log.Fatalf("symbol %s listed multiple times", s.Name)
				}
				s.Attr |= AttrOnList
				ctxt.Textp = append(ctxt.Textp, s)
			}
		}
	}

	return nil
}
Beispiel #12
0
func loadTables(f *os.File) (textStart uint64, textData, symtab, pclntab []byte, err error) {
	if obj, err := elf.NewFile(f); err == nil {
		if sect := obj.Section(".text"); sect != nil {
			textStart = sect.Addr
			textData, _ = sect.Data()
		}
		if sect := obj.Section(".gosymtab"); sect != nil {
			if symtab, err = sect.Data(); err != nil {
				return 0, nil, nil, nil, err
			}
		}
		if sect := obj.Section(".gopclntab"); sect != nil {
			if pclntab, err = sect.Data(); err != nil {
				return 0, nil, nil, nil, err
			}
		}
		return textStart, textData, symtab, pclntab, nil
	}

	if obj, err := macho.NewFile(f); err == nil {
		if sect := obj.Section("__text"); sect != nil {
			textStart = sect.Addr
			textData, _ = sect.Data()
		}
		if sect := obj.Section("__gosymtab"); sect != nil {
			if symtab, err = sect.Data(); err != nil {
				return 0, nil, nil, nil, err
			}
		}
		if sect := obj.Section("__gopclntab"); sect != nil {
			if pclntab, err = sect.Data(); err != nil {
				return 0, nil, nil, nil, err
			}
		}
		return textStart, textData, symtab, pclntab, nil
	}

	if obj, err := pe.NewFile(f); err == nil {
		var imageBase uint64
		switch oh := obj.OptionalHeader.(type) {
		case *pe.OptionalHeader32:
			imageBase = uint64(oh.ImageBase)
		case *pe.OptionalHeader64:
			imageBase = oh.ImageBase
		default:
			return 0, nil, nil, nil, fmt.Errorf("pe file format not recognized")
		}
		if sect := obj.Section(".text"); sect != nil {
			textStart = imageBase + uint64(sect.VirtualAddress)
			textData, _ = sect.Data()
		}
		if pclntab, err = loadPETable(obj, "pclntab", "epclntab"); err != nil {
			return 0, nil, nil, nil, err
		}
		if symtab, err = loadPETable(obj, "symtab", "esymtab"); err != nil {
			return 0, nil, nil, nil, err
		}
		return textStart, textData, symtab, pclntab, nil
	}

	if obj, err := plan9obj.NewFile(f); err == nil {
		sym, err := findPlan9Symbol(obj, "text")
		if err != nil {
			return 0, nil, nil, nil, err
		}
		textStart = sym.Value
		if sect := obj.Section("text"); sect != nil {
			textData, _ = sect.Data()
		}
		if pclntab, err = loadPlan9Table(obj, "pclntab", "epclntab"); err != nil {
			return 0, nil, nil, nil, err
		}
		if symtab, err = loadPlan9Table(obj, "symtab", "esymtab"); err != nil {
			return 0, nil, nil, nil, err
		}
		return textStart, textData, symtab, pclntab, nil
	}

	return 0, nil, nil, nil, fmt.Errorf("unrecognized binary format")
}
Beispiel #13
0
func peSymbols(f *os.File) (syms []Sym, goarch string) {
	p, err := pe.NewFile(f)
	if err != nil {
		errorf("parsing %s: %v", f.Name(), err)
		return
	}

	// Build sorted list of addresses of all symbols.
	// We infer the size of a symbol by looking at where the next symbol begins.
	var addrs []uint64

	var imageBase uint64
	switch oh := p.OptionalHeader.(type) {
	case *pe.OptionalHeader32:
		imageBase = uint64(oh.ImageBase)
		goarch = "386"
	case *pe.OptionalHeader64:
		imageBase = oh.ImageBase
		goarch = "amd64"
	default:
		errorf("parsing %s: file format not recognized", f.Name())
		return
	}

	for _, s := range p.Symbols {
		const (
			N_UNDEF = 0  // An undefined (extern) symbol
			N_ABS   = -1 // An absolute symbol (e_value is a constant, not an address)
			N_DEBUG = -2 // A debugging symbol
		)
		sym := Sym{Name: s.Name, Addr: uint64(s.Value), Code: '?'}
		switch s.SectionNumber {
		case N_UNDEF:
			sym.Code = 'U'
		case N_ABS:
			sym.Code = 'C'
		case N_DEBUG:
			sym.Code = '?'
		default:
			if s.SectionNumber < 0 {
				errorf("parsing %s: invalid section number %d", f.Name(), s.SectionNumber)
				return
			}
			if len(p.Sections) < int(s.SectionNumber) {
				errorf("parsing %s: section number %d is large then max %d", f.Name(), s.SectionNumber, len(p.Sections))
				return
			}
			sect := p.Sections[s.SectionNumber-1]
			const (
				text  = 0x20
				data  = 0x40
				bss   = 0x80
				permX = 0x20000000
				permR = 0x40000000
				permW = 0x80000000
			)
			ch := sect.Characteristics
			switch {
			case ch&text != 0:
				sym.Code = 'T'
			case ch&data != 0:
				if ch&permW == 0 {
					sym.Code = 'R'
				} else {
					sym.Code = 'D'
				}
			case ch&bss != 0:
				sym.Code = 'B'
			}
			sym.Addr += imageBase + uint64(sect.VirtualAddress)
		}
		syms = append(syms, sym)
		addrs = append(addrs, sym.Addr)
	}

	sort.Sort(uint64s(addrs))
	for i := range syms {
		j := sort.Search(len(addrs), func(x int) bool { return addrs[x] > syms[i].Addr })
		if j < len(addrs) {
			syms[i].Size = int64(addrs[j] - syms[i].Addr)
		}
	}

	return
}
Beispiel #14
0
func check(fname string) error {
	f, err := os.Open(fname)
	if err != nil {
		return err
	}
	defer f.Close()

	pefile, err := pe.NewFile(f)
	if err != nil {
		return err
	}

	dch := getDllCharacteristics(pefile)
	subsystem := getSubsystem(pefile)

	if flagVerbose {
		log.Printf("   Machine = 0x%04d\n", pefile.Machine)
		log.Printf("   Subsystem = %d\n", subsystem)
		log.Printf("   DllCharacteristics = 0x%04x\n", dch)
	}

	// Device drivers always have these flags set.
	if subsystem != IMAGE_SUBSYSTEM_NATIVE {
		if dch&IMAGE_DLLCHARACTERISTICS_NX_COMPAT == 0 {
			fmt.Printf("%s:does not have NXCOMPAT bit set\n", fname)
		}
		if dch&IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE == 0 {
			fmt.Printf("%s:does not have DYNAMICBASE bit set\n", fname)
		}
	}

	// Check for the /GS flag
	dir, err := readImageLoadConfigDirectory(pefile)
	if err != nil {
		return err
	}
	if dir != nil {
		var securityCookie uint64
		switch imdir := dir.(type) {
		case *ImageLoadConfigDirectory32:
			securityCookie = uint64(imdir.SecurityCookie)
		case *ImageLoadConfigDirectory64:
			securityCookie = imdir.SecurityCookie
		default:
			panic("bad load config directory type")
		}

		if flagVerbose {
			log.Printf("   SecurityCookie = 0x%x", securityCookie)
		}
		if securityCookie == 0 {
			fmt.Printf("%s:does not use security cookies\n", fname)
		}

		// Check for SAFESEH on Windows x86 only
		if pefile.Machine == pe.IMAGE_FILE_MACHINE_I386 {
			if dch&IMAGE_DLLCHARACTERISTICS_NO_SEH == 0 {
				handlerTable := dir.(*ImageLoadConfigDirectory32).SEHandlerTable
				handlerCount := dir.(*ImageLoadConfigDirectory32).SEHandlerTable

				if handlerTable == 0 {
					fmt.Printf("%s:does not use SAFESEH\n", fname)
				}

				if flagVerbose {
					log.Printf("   SEHandlerTable = 0x%x\n", handlerTable)
					log.Printf("   SEHandlerCount = 0x%x\n", handlerCount)
				}
			} else if flagVerbose {
				log.Println("   Skipping SAFESEH check because image has NO_SEH bit set")
			}
		} else if flagVerbose {
			log.Println("   Skipping SAFESEH check on non-x86 file")
		}
	}

	// Check for R/W shared image sections
	var rwSharedFlags uint32 = IMAGE_SCN_MEM_SHARED | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
	for _, section := range pefile.Sections {
		if section.Characteristics&rwSharedFlags == rwSharedFlags {
			fmt.Printf("%s:has a R/W shared section named %s\n", fname, section.Name)
		}
	}

	return nil
}