Skip to content

Commit

Permalink
Added a feature to disable pe rva resolve for already mapped modules …
Browse files Browse the repository at this point in the history
…(e.g. from a memory dump)
  • Loading branch information
ko1N committed Jan 31, 2021
1 parent 05daf1e commit 1b0ea3a
Show file tree
Hide file tree
Showing 7 changed files with 210 additions and 39 deletions.
37 changes: 33 additions & 4 deletions src/pe/debug.rs
Expand Up @@ -4,6 +4,7 @@ use scroll::{Pread, Pwrite, SizeWith};
use crate::pe::data_directories;
use crate::pe::section_table;
use crate::pe::utils;
use crate::pe::options;

#[derive(Debug, PartialEq, Copy, Clone, Default)]
pub struct DebugData<'a> {
Expand All @@ -17,11 +18,21 @@ impl<'a> DebugData<'a> {
dd: data_directories::DataDirectory,
sections: &[section_table::SectionTable],
file_alignment: u32,
) -> error::Result<Self> {
Self::parse_with_opts(bytes, dd, sections, file_alignment, &options::ParseOptions::default())
}

pub fn parse_with_opts(
bytes: &'a [u8],
dd: data_directories::DataDirectory,
sections: &[section_table::SectionTable],
file_alignment: u32,
opts: &options::ParseOptions,
) -> error::Result<Self> {
let image_debug_directory =
ImageDebugDirectory::parse(bytes, dd, sections, file_alignment)?;
ImageDebugDirectory::parse_with_opts(bytes, dd, sections, file_alignment, opts)?;
let codeview_pdb70_debug_info =
CodeviewPDB70DebugInfo::parse(bytes, &image_debug_directory)?;
CodeviewPDB70DebugInfo::parse_with_opts(bytes, &image_debug_directory, opts)?;

Ok(DebugData {
image_debug_directory,
Expand Down Expand Up @@ -59,14 +70,25 @@ pub const IMAGE_DEBUG_TYPE_FIXUP: u32 = 6;
pub const IMAGE_DEBUG_TYPE_BORLAND: u32 = 9;

impl ImageDebugDirectory {
#[allow(unused)]
fn parse(
bytes: &[u8],
dd: data_directories::DataDirectory,
sections: &[section_table::SectionTable],
file_alignment: u32,
) -> error::Result<Self> {
Self::parse_with_opts(bytes, dd, sections, file_alignment, &options::ParseOptions::default())
}

fn parse_with_opts(
bytes: &[u8],
dd: data_directories::DataDirectory,
sections: &[section_table::SectionTable],
file_alignment: u32,
opts: &options::ParseOptions
) -> error::Result<Self> {
let rva = dd.virtual_address as usize;
let offset = utils::find_offset(rva, sections, file_alignment).ok_or_else(|| {
let offset = utils::find_offset(rva, sections, file_alignment, opts).ok_or_else(|| {
error::Error::Malformed(format!(
"Cannot map ImageDebugDirectory rva {:#x} into offset",
rva
Expand Down Expand Up @@ -94,14 +116,21 @@ pub struct CodeviewPDB70DebugInfo<'a> {

impl<'a> CodeviewPDB70DebugInfo<'a> {
pub fn parse(bytes: &'a [u8], idd: &ImageDebugDirectory) -> error::Result<Option<Self>> {
Self::parse_with_opts(bytes, idd, &options::ParseOptions::default())
}

pub fn parse_with_opts(bytes: &'a [u8], idd: &ImageDebugDirectory, opts: &options::ParseOptions) -> error::Result<Option<Self>> {
if idd.data_type != IMAGE_DEBUG_TYPE_CODEVIEW {
// not a codeview debug directory
// that's not an error, but it's not a CodeviewPDB70DebugInfo either
return Ok(None);
}

// ImageDebugDirectory.pointer_to_raw_data stores a raw offset -- not a virtual offset -- which we can use directly
let mut offset: usize = idd.pointer_to_raw_data as usize;
let mut offset: usize = match opts.resolve_rva {
true => idd.pointer_to_raw_data as usize,
false => idd.address_of_raw_data as usize,
};

// calculate how long the eventual filename will be, which doubles as a check of the record size
let filename_length = idd.size_of_data as isize - 24;
Expand Down
40 changes: 36 additions & 4 deletions src/pe/exception.rs
Expand Up @@ -50,6 +50,7 @@ use crate::error;

use crate::pe::data_directories;
use crate::pe::section_table;
use crate::pe::options;
use crate::pe::utils;

/// The function has an exception handler that should be called when looking for functions that need
Expand Down Expand Up @@ -662,10 +663,21 @@ pub struct ExceptionData<'a> {
impl<'a> ExceptionData<'a> {
/// Parses exception data from the image at the given offset.
pub fn parse(
bytes: &'a [u8],
directory: data_directories::DataDirectory,
sections: &[section_table::SectionTable],
file_alignment: u32
) -> error::Result<Self> {
Self::parse_with_opts(bytes, directory, sections, file_alignment, &options::ParseOptions::default())
}

/// Parses exception data from the image at the given offset.
pub fn parse_with_opts(
bytes: &'a [u8],
directory: data_directories::DataDirectory,
sections: &[section_table::SectionTable],
file_alignment: u32,
opts: &options::ParseOptions
) -> error::Result<Self> {
let size = directory.size as usize;

Expand All @@ -677,7 +689,7 @@ impl<'a> ExceptionData<'a> {
}

let rva = directory.virtual_address as usize;
let offset = utils::find_offset(rva, sections, file_alignment).ok_or_else(|| {
let offset = utils::find_offset(rva, sections, file_alignment, opts).ok_or_else(|| {
error::Error::Malformed(format!("cannot map exception_rva ({:#x}) into offset", rva))
})?;

Expand Down Expand Up @@ -761,29 +773,49 @@ impl<'a> ExceptionData<'a> {

/// Resolves unwind information for the given function entry.
pub fn get_unwind_info(
&self,
function: RuntimeFunction,
sections: &[section_table::SectionTable]
) -> error::Result<UnwindInfo<'a>> {
self.get_unwind_info_with_opts(function, sections, &options::ParseOptions::default())
}

/// Resolves unwind information for the given function entry.
pub fn get_unwind_info_with_opts(
&self,
mut function: RuntimeFunction,
sections: &[section_table::SectionTable],
opts: &options::ParseOptions
) -> error::Result<UnwindInfo<'a>> {
while function.unwind_info_address % 2 != 0 {
let rva = (function.unwind_info_address & !1) as usize;
function = self.get_function_by_rva(rva, sections)?;
function = self.get_function_by_rva_with_opts(rva, sections, opts)?;
}

let rva = function.unwind_info_address as usize;
let offset = utils::find_offset(rva, sections, self.file_alignment).ok_or_else(|| {
let offset = utils::find_offset(rva, sections, self.file_alignment, opts).ok_or_else(|| {
error::Error::Malformed(format!("cannot map unwind rva ({:#x}) into offset", rva))
})?;

UnwindInfo::parse(self.bytes, offset)
}

#[allow(dead_code)]
fn get_function_by_rva(
&self,
rva: usize,
sections: &[section_table::SectionTable]
) -> error::Result<RuntimeFunction> {
self.get_function_by_rva_with_opts(rva, sections, &options::ParseOptions::default())
}

fn get_function_by_rva_with_opts(
&self,
rva: usize,
sections: &[section_table::SectionTable],
opts: &options::ParseOptions
) -> error::Result<RuntimeFunction> {
let offset = utils::find_offset(rva, sections, self.file_alignment).ok_or_else(|| {
let offset = utils::find_offset(rva, sections, self.file_alignment, opts).ok_or_else(|| {
error::Error::Malformed(format!("cannot map exception rva ({:#x}) into offset", rva))
})?;

Expand Down
33 changes: 32 additions & 1 deletion src/pe/export.rs
Expand Up @@ -5,6 +5,7 @@ use log::debug;

use crate::error;

use crate::pe::options;
use crate::pe::data_directories;
use crate::pe::section_table;
use crate::pe::utils;
Expand Down Expand Up @@ -70,6 +71,16 @@ impl<'a> ExportData<'a> {
dd: data_directories::DataDirectory,
sections: &[section_table::SectionTable],
file_alignment: u32,
) -> error::Result<ExportData<'a>> {
Self::parse_with_opts(bytes, dd, sections, file_alignment, &options::ParseOptions::default())
}

pub fn parse_with_opts(
bytes: &'a [u8],
dd: data_directories::DataDirectory,
sections: &[section_table::SectionTable],
file_alignment: u32,
opts: &options::ParseOptions,
) -> error::Result<ExportData<'a>> {
let export_rva = dd.virtual_address as usize;
let size = dd.size as usize;
Expand All @@ -78,6 +89,7 @@ impl<'a> ExportData<'a> {
export_rva,
sections,
file_alignment,
opts,
&format!("cannot map export_rva ({:#x}) into offset", export_rva),
)?;
let export_directory_table =
Expand All @@ -94,6 +106,7 @@ impl<'a> ExportData<'a> {
export_directory_table.name_pointer_rva as usize,
sections,
file_alignment,
opts,
)
.map_or(vec![], |table_offset| {
let mut offset = table_offset;
Expand All @@ -114,6 +127,7 @@ impl<'a> ExportData<'a> {
export_directory_table.ordinal_table_rva as usize,
sections,
file_alignment,
opts,
)
.map_or(vec![], |table_offset| {
let mut offset = table_offset;
Expand All @@ -134,6 +148,7 @@ impl<'a> ExportData<'a> {
export_directory_table.export_address_table_rva as usize,
sections,
file_alignment,
opts,
)
.map_or(vec![], |table_offset| {
let mut offset = table_offset;
Expand All @@ -159,6 +174,7 @@ impl<'a> ExportData<'a> {
export_directory_table.name_rva as usize,
sections,
file_alignment,
opts,
)
.and_then(|offset| bytes.pread(offset).ok());

Expand Down Expand Up @@ -251,6 +267,7 @@ struct ExportCtx<'a> {
pub file_alignment: u32,
pub addresses: &'a ExportAddressTable,
pub ordinals: &'a ExportOrdinalTable,
pub opts: options::ParseOptions,
}

impl<'a, 'b> scroll::ctx::TryFromCtx<'a, ExportCtx<'b>> for Export<'a> {
Expand All @@ -265,11 +282,12 @@ impl<'a, 'b> scroll::ctx::TryFromCtx<'a, ExportCtx<'b>> for Export<'a> {
file_alignment,
addresses,
ordinals,
opts,
}: ExportCtx<'b>,
) -> Result<(Self, usize), Self::Error> {
use self::ExportAddressTableEntry::*;

let name = utils::find_offset(ptr as usize, sections, file_alignment)
let name = utils::find_offset(ptr as usize, sections, file_alignment, &opts)
.and_then(|offset| bytes.pread::<&str>(offset).ok());

if let Some(ordinal) = ordinals.get(idx) {
Expand All @@ -281,6 +299,7 @@ impl<'a, 'b> scroll::ctx::TryFromCtx<'a, ExportCtx<'b>> for Export<'a> {
rva,
sections,
file_alignment,
&opts,
&format!(
"cannot map RVA ({:#x}) of export ordinal {} into offset",
rva, ordinal
Expand All @@ -304,6 +323,7 @@ impl<'a, 'b> scroll::ctx::TryFromCtx<'a, ExportCtx<'b>> for Export<'a> {
rva,
sections,
file_alignment,
&opts,
&format!(
"cannot map RVA ({:#x}) of export ordinal {} into offset",
rva, ordinal
Expand Down Expand Up @@ -343,6 +363,16 @@ impl<'a> Export<'a> {
export_data: &ExportData,
sections: &[section_table::SectionTable],
file_alignment: u32,
) -> error::Result<Vec<Export<'a>>> {
Self::parse_with_opts(bytes, export_data, sections, file_alignment, &options::ParseOptions::default())
}

pub fn parse_with_opts(
bytes: &'a [u8],
export_data: &ExportData,
sections: &[section_table::SectionTable],
file_alignment: u32,
opts: &options::ParseOptions,
) -> error::Result<Vec<Export<'a>>> {
let pointers = &export_data.export_name_pointer_table;
let addresses = &export_data.export_address_table;
Expand All @@ -359,6 +389,7 @@ impl<'a> Export<'a> {
file_alignment,
addresses,
ordinals,
opts: *opts,
},
) {
exports.push(export);
Expand Down

0 comments on commit 1b0ea3a

Please sign in to comment.