retdec
|
#include <pe_format.h>
Public Member Functions | |
PeFormat (const std::string &pathToFile, const std::string &dllListFile, LoadFlags loadFlags=LoadFlags::NONE) | |
PeFormat (std::istream &inputStream, LoadFlags loadFlags=LoadFlags::NONE) | |
PeFormat (const std::uint8_t *data, std::size_t size, LoadFlags loadFlags=LoadFlags::NONE) | |
virtual | ~PeFormat () override |
bool | isDotNet () const |
bool | isPackedDotNet () const |
bool | isVisualBasic (unsigned long long &version) const |
bool | getDllFlags (unsigned long long &dllFlags) const |
bool | getNumberOfBaseRelocationBlocks (unsigned long long &relocs) const |
bool | getNumberOfRelocations (unsigned long long &relocs) const |
bool | getDataDirectoryRelative (unsigned long long index, unsigned long long &relAddr, unsigned long long &size) const |
bool | getDataDirectoryAbsolute (unsigned long long index, unsigned long long &absAddr, unsigned long long &size) const |
const PeCoffSection * | getPeSection (const std::string &secName) const |
const PeCoffSection * | getPeSection (unsigned long long secIndex) const |
const CLRHeader * | getCLRHeader () const |
const MetadataHeader * | getMetadataHeader () const |
const MetadataStream * | getMetadataStream () const |
const StringStream * | getStringStream () const |
const BlobStream * | getBlobStream () const |
const GuidStream * | getGuidStream () const |
const UserStringStream * | getUserStringStream () const |
const std::string & | getModuleVersionId () const |
const std::string & | getTypeLibId () const |
const std::vector< std::shared_ptr< DotnetClass > > & | getDefinedDotnetClasses () const |
const std::vector< std::shared_ptr< DotnetClass > > & | getImportedDotnetClasses () const |
const std::string & | getTypeRefhashCrc32 () const |
const std::string & | getTypeRefhashMd5 () const |
const std::string & | getTypeRefhashSha256 () const |
const VisualBasicInfo * | getVisualBasicInfo () const |
std::vector< std::tuple< const std::uint8_t *, std::size_t > > | getDigestRanges () const |
Byte value storage methods | |
virtual retdec::utils::Endianness | getEndianness () const override |
virtual std::size_t | getBytesPerWord () const override |
virtual bool | hasMixedEndianForDouble () const override |
Virtual detection methods | |
virtual std::size_t | getDeclaredFileLength () const override |
virtual bool | areSectionsValid () const override |
virtual bool | isObjectFile () const override |
virtual bool | isDll () const override |
virtual bool | isExecutable () const override |
virtual bool | getMachineCode (unsigned long long &result) const override |
virtual bool | getAbiVersion (unsigned long long &result) const override |
virtual bool | getImageBaseAddress (unsigned long long &imageBase) const override |
virtual bool | getEpAddress (unsigned long long &result) const override |
virtual bool | getEpOffset (unsigned long long &epOffset) const override |
virtual Architecture | getTargetArchitecture () const override |
virtual std::size_t | getDeclaredNumberOfSections () const override |
virtual std::size_t | getDeclaredNumberOfSegments () const override |
virtual std::size_t | getSectionTableOffset () const override |
virtual std::size_t | getSectionTableEntrySize () const override |
virtual std::size_t | getSegmentTableOffset () const override |
virtual std::size_t | getSegmentTableEntrySize () const override |
Detection methods | |
const PeLib::ImageLoader & | getImageLoader () const |
std::size_t | getMzHeaderSize () const |
std::size_t | getOptionalHeaderSize () const |
std::size_t | getPeHeaderOffset () const |
std::size_t | getImageBitability () const |
std::size_t | getCoffSymbolTableOffset () const |
std::size_t | getNumberOfCoffSymbols () const |
std::size_t | getSizeOfStringTable () const |
std::size_t | getMajorLinkerVersion () const |
std::size_t | getMinorLinkerVersion () const |
std::size_t | getFileFlags () const |
std::size_t | getTimeStamp () const |
std::size_t | getChecksum () const |
std::size_t | getFileAlignment () const |
std::size_t | getSectionAlignment () const |
std::size_t | getSizeOfHeaders () const |
std::size_t | getSizeOfImage () const |
std::size_t | getSizeOfStackReserve () const |
std::size_t | getSizeOfStackCommit () const |
std::size_t | getSizeOfHeapReserve () const |
std::size_t | getSizeOfHeapCommit () const |
std::size_t | getNumberOfDataDirectories () const |
std::size_t | getDeclaredNumberOfDataDirectories () const |
Dependency checking | |
bool | isMissingDependency (std::string dllname) const |
bool | dllListFailedToLoad () const |
bool | initDllList (const std::string &dllListFile) |
Scanning methods | |
void | scanForAnomalies () |
Inherited from retdec::fileformat::FileFormat | |
FileFormat (const std::string &pathToFile, LoadFlags loadFlags=LoadFlags::NONE) | |
FileFormat (std::istream &inputStream, LoadFlags loadFlags=LoadFlags::NONE) | |
FileFormat (const std::uint8_t *data, std::size_t size, LoadFlags loadFlags=LoadFlags::NONE) | |
virtual | ~FileFormat () |
const LoaderErrorInfo & | getLoaderErrorInfo () const |
void | initArchitecture (Architecture arch, retdec::utils::Endianness endian=retdec::utils::Endianness::UNKNOWN, std::size_t bytesPerWord=4, retdec::common::Address entryPoint=retdec::common::Address::Undefined, retdec::common::Address sectionVMA=retdec::common::Address::Undefined) |
void | loadStrings () |
void | loadStrings (StringType type, std::size_t charSize) |
void | loadStrings (StringType type, std::size_t charSize, const SecSeg *secSeg) |
void | loadImpHash () |
void | loadExpHash () |
void | loadResourceIconHash () |
bool | isInValidState () const |
LoadFlags | getLoadFlags () const |
const Section * | getSectionFromOffset (unsigned long long offset) const |
const Segment * | getSegmentFromOffset (unsigned long long offset) const |
const SecSeg * | getSectionOrSegmentFromOffset (unsigned long long offset) const |
bool | haveSectionOrSegmentOnOffset (unsigned long long offset) const |
bool | haveDataOnOffset (unsigned long long offset) const |
const Section * | getSectionFromAddress (unsigned long long address) const |
const Segment * | getSegmentFromAddress (unsigned long long address) const |
const SecSeg * | getSectionOrSegmentFromAddress (unsigned long long address) const |
bool | haveSectionOrSegmentOnAddress (unsigned long long address) const |
bool | haveDataOnAddress (unsigned long long address) const |
bool | haveReadOnlyDataOnAddress (unsigned long long address) const |
Test whether there is read-only data at the provided address, i.e. whether the address belongs to a read-only section or segment. More... | |
virtual std::size_t | getNibbleLength () const override |
virtual std::size_t | getByteLength () const override |
virtual std::size_t | getWordLength () const override |
virtual std::size_t | getNumberOfNibblesInByte () const override |
bool | isX86 () const |
bool | isX86_64 () const |
bool | isX86OrX86_64 () const |
bool | isArm () const |
bool | isPowerPc () const |
bool | isMips () const |
bool | isUnknownArch () const |
bool | isPe () const |
bool | isElf () const |
bool | isCoff () const |
bool | isMacho () const |
bool | isIntelHex () const |
bool | isRawData () const |
bool | isUnknownFormat () const |
bool | isWindowsDriver () const |
bool | hasCrc32 () const |
bool | hasMd5 () const |
bool | hasSha256 () const |
bool | hasSectionTableCrc32 () const |
bool | hasSectionTableMd5 () const |
bool | hasSectionTableSha256 () const |
std::string | getCrc32 () const |
std::string | getMd5 () const |
std::string | getSha256 () const |
std::string | getSectionTableCrc32 () const |
std::string | getSectionTableMd5 () const |
std::string | getSectionTableSha256 () const |
std::string | getPathToFile () const |
Format | getFileFormat () const |
std::size_t | getNumberOfSections () const |
std::size_t | getNumberOfSegments () const |
std::size_t | getNumberOfSymbolTables () const |
std::size_t | getNumberOfRelocationTables () const |
std::size_t | getNumberOfDynamicTables () const |
std::size_t | getFileLength () const |
std::size_t | getLoadedFileLength () const |
std::size_t | getOverlaySize () const |
bool | getOverlayEntropy (double &res) const |
std::size_t | nibblesFromBytes (std::size_t bytes) const |
std::size_t | bytesFromNibbles (std::size_t nibbles) const |
std::size_t | bytesFromNibblesRounded (std::size_t nibbles) const |
bool | getOffsetFromAddress (unsigned long long &result, unsigned long long address) const |
bool | getAddressFromOffset (unsigned long long &result, unsigned long long offset) const |
bool | getBytes (std::vector< std::uint8_t > &result, unsigned long long offset, unsigned long long numberOfBytes) const |
bool | getEpBytes (std::vector< std::uint8_t > &result, unsigned long long numberOfBytes) const |
bool | getHexBytes (std::string &result, unsigned long long offset, unsigned long long numberOfBytes) const |
bool | getHexEpBytes (std::string &result, unsigned long long numberOfBytes) const |
bool | getHexBytesFromEnd (std::string &result, unsigned long long numberOfBytes) const |
bool | getString (std::string &result, unsigned long long offset, unsigned long long numberOfBytes) const |
bool | getStringFromEnd (std::string &result, unsigned long long numberOfBytes) const |
bool | isObjectStretchedOverSections (std::size_t addr, std::size_t size) const |
const Section * | getEpSection () |
const Section * | getSection (const std::string &secName) const |
const Section * | getSection (unsigned long long secIndex) const |
const Section * | getLastSection () const |
const Section * | getLastButOneSection () const |
const Segment * | getEpSegment () |
const Segment * | getSegment (const std::string &segName) const |
const Segment * | getSegment (unsigned long long segIndex) const |
const Segment * | getLastSegment () const |
const Segment * | getLastButOneSegment () const |
const SymbolTable * | getSymbolTable (unsigned long long tabIndex) const |
const RelocationTable * | getRelocationTable (unsigned long long tabIndex) const |
const DynamicTable * | getDynamicTable (unsigned long long tabIndex) const |
const ImportTable * | getImportTable () const |
const ExportTable * | getExportTable () const |
const ResourceTable * | getResourceTable () const |
const ResourceTree * | getResourceTree () const |
const RichHeader * | getRichHeader () const |
const PdbInfo * | getPdbInfo () const |
const CertificateTable * | getCertificateTable () const |
const TlsInfo * | getTlsInfo () const |
const ElfCoreInfo * | getElfCoreInfo () const |
const Symbol * | getSymbol (const std::string &name) const |
const Symbol * | getSymbol (unsigned long long address) const |
const Relocation * | getRelocation (const std::string &name) const |
const Relocation * | getRelocation (unsigned long long address) const |
const Import * | getImport (const std::string &name) const |
const Import * | getImport (unsigned long long address) const |
const Export * | getExport (const std::string &name) const |
const Export * | getExport (unsigned long long address) const |
const Resource * | getManifestResource () const |
const Resource * | getVersionResource () const |
bool | isSignaturePresent () const |
bool | isSignatureVerified () const |
const retdec::common::RangeContainer< std::uint64_t > & | getNonDecodableAddressRanges () const |
const std::vector< Section * > & | getSections () const |
const std::vector< Section * > | getSections (std::initializer_list< std::string > secs) const |
const std::vector< Segment * > & | getSegments () const |
const std::vector< Segment * > | getSegments (std::initializer_list< std::string > segs) const |
const std::vector< SymbolTable * > & | getSymbolTables () const |
const std::vector< RelocationTable * > & | getRelocationTables () const |
const std::vector< DynamicTable * > & | getDynamicTables () const |
const std::vector< unsigned char > & | getBytes () const |
const std::vector< unsigned char > & | getLoadedBytes () const |
const unsigned char * | getBytesData () const |
const unsigned char * | getLoadedBytesData () const |
const std::vector< String > & | getStrings () const |
const std::vector< ElfNoteSecSeg > & | getElfNoteSecSegs () const |
const std::set< std::uint64_t > & | getUnknownRelocations () const |
const std::vector< std::pair< std::string, std::string > > & | getAnomalies () const |
virtual bool | getXByte (std::uint64_t address, std::uint64_t x, std::uint64_t &res, retdec::utils::Endianness e=retdec::utils::Endianness::UNKNOWN) const override |
virtual bool | getXBytes (std::uint64_t address, std::uint64_t x, std::vector< std::uint8_t > &res) const override |
virtual bool | setXByte (std::uint64_t address, std::uint64_t x, std::uint64_t val, retdec::utils::Endianness e=retdec::utils::Endianness::UNKNOWN) override |
virtual bool | setXBytes (std::uint64_t address, const std::vector< std::uint8_t > &val) override |
bool | isPointer (unsigned long long address, std::uint64_t *pointer=nullptr) const |
bool | get1ByteOffset (std::uint64_t offset, std::uint64_t &res, retdec::utils::Endianness e=retdec::utils::Endianness::UNKNOWN) const |
bool | get2ByteOffset (std::uint64_t offset, std::uint64_t &res, retdec::utils::Endianness e=retdec::utils::Endianness::UNKNOWN) const |
bool | get4ByteOffset (std::uint64_t offset, std::uint64_t &res, retdec::utils::Endianness e=retdec::utils::Endianness::UNKNOWN) const |
bool | get8ByteOffset (std::uint64_t offset, std::uint64_t &res, retdec::utils::Endianness e=retdec::utils::Endianness::UNKNOWN) const |
bool | get10ByteOffset (std::uint64_t offset, long double &res) const |
bool | getXByteOffset (std::uint64_t offset, std::uint64_t x, std::uint64_t &res, retdec::utils::Endianness e=retdec::utils::Endianness::UNKNOWN) const |
bool | getXBytesOffset (std::uint64_t offset, std::uint64_t x, std::vector< std::uint8_t > &res) const |
bool | getWordOffset (std::uint64_t offset, std::uint64_t &res, retdec::utils::Endianness e=retdec::utils::Endianness::UNKNOWN) const |
bool | getNTBSOffset (std::uint64_t offset, std::string &res, std::size_t size=0) const |
bool | getNTWSOffset (std::uint64_t offset, std::size_t width, std::vector< std::uint64_t > &res) const |
virtual std::string | getFileFormatName () const |
void | dump () |
void | dump (std::string &dumpFile) |
void | dumpRegionsValidity () |
void | dumpRegionsValidity (std::string &dumpStr) |
void | dumpResourceTree () |
void | dumpResourceTree (std::string &dumpStr) |
Inherited from retdec::utils::ByteValueStorage | |
ByteValueStorage ()=default | |
virtual | ~ByteValueStorage ()=default |
Endianness | getInverseEndianness () const |
bool | isLittleEndian () const |
bool | isBigEndian () const |
bool | isUnknownEndian () const |
bool | hexToBig (std::string &str) const |
bool | hexToLittle (std::string &str) const |
bool | bitsToBig (std::string &str) const |
bool | bitsToLittle (std::string &str) const |
bool | bitsToBig (std::vector< unsigned char > &values) const |
bool | bitsToLittle (std::vector< unsigned char > &values) const |
bool | get1Byte (std::uint64_t address, std::uint64_t &res, Endianness e=Endianness::UNKNOWN) const |
bool | get2Byte (std::uint64_t address, std::uint64_t &res, Endianness e=Endianness::UNKNOWN) const |
bool | get4Byte (std::uint64_t address, std::uint64_t &res, Endianness e=Endianness::UNKNOWN) const |
bool | get8Byte (std::uint64_t address, std::uint64_t &res, Endianness e=Endianness::UNKNOWN) const |
bool | get10Byte (std::uint64_t address, long double &res) const |
bool | getWord (std::uint64_t address, std::uint64_t &res, Endianness e=Endianness::UNKNOWN) const |
bool | getFloat (std::uint64_t address, float &res) const |
bool | getDouble (std::uint64_t address, double &res) const |
bool | set1Byte (std::uint64_t address, std::uint64_t val, Endianness e=Endianness::UNKNOWN) |
bool | set2Byte (std::uint64_t address, std::uint64_t val, Endianness e=Endianness::UNKNOWN) |
bool | set4Byte (std::uint64_t address, std::uint64_t val, Endianness e=Endianness::UNKNOWN) |
bool | set8Byte (std::uint64_t address, std::uint64_t val, Endianness e=Endianness::UNKNOWN) |
bool | set10Byte (std::uint64_t address, long double val) |
bool | setWord (std::uint64_t address, std::uint64_t val, Endianness e=Endianness::UNKNOWN) |
bool | setFloat (std::uint64_t address, float val) |
bool | setDouble (std::uint64_t address, double val) |
bool | getXByteArray (std::uint64_t address, std::uint64_t x, std::vector< std::uint64_t > &res, std::size_t size, Endianness e=Endianness::UNKNOWN) const |
bool | get1ByteArray (std::uint64_t address, std::vector< std::uint64_t > &res, std::size_t size, Endianness e=Endianness::UNKNOWN) const |
bool | get2ByteArray (std::uint64_t address, std::vector< std::uint64_t > &res, std::size_t size, Endianness e=Endianness::UNKNOWN) const |
bool | get4ByteArray (std::uint64_t address, std::vector< std::uint64_t > &res, std::size_t size, Endianness e=Endianness::UNKNOWN) const |
bool | get8ByteArray (std::uint64_t address, std::vector< std::uint64_t > &res, std::size_t size, Endianness e=Endianness::UNKNOWN) const |
bool | get10ByteArray (std::uint64_t address, std::vector< long double > &res, std::size_t size) const |
bool | getWordArray (std::uint64_t address, std::vector< std::uint64_t > &res, std::size_t, Endianness e=Endianness::UNKNOWN) const |
bool | getFloatArray (std::uint64_t address, std::vector< float > &res, std::size_t size) const |
bool | getDoubleArray (std::uint64_t address, std::vector< double > &res, std::size_t size) const |
bool | getNTBS (std::uint64_t address, std::string &res, std::size_t size=0) const |
bool | getNTWS (std::uint64_t address, std::size_t width, std::vector< std::uint64_t > &res) const |
bool | getNTWSNice (std::uint64_t address, std::size_t width, std::vector< std::uint64_t > &res) const |
Protected Attributes | |
PeLib::PeFileT * | file |
PeLib representation of PE file. More... | |
Inherited from retdec::fileformat::FileFormat | |
std::string | crc32 |
CRC32 of file content. More... | |
std::string | md5 |
MD5 of file content. More... | |
std::string | sha256 |
SHA256 of file content. More... | |
std::string | sectionCrc32 |
CRC32 of section table. More... | |
std::string | sectionMd5 |
MD5 of section table. More... | |
std::string | sectionSha256 |
SHA256 of section table. More... | |
std::string | filePath |
name of input file More... | |
std::istream & | fileStream |
stream representation of input file More... | |
std::vector< Section * > | sections |
file sections More... | |
std::vector< Segment * > | segments |
file segments More... | |
std::vector< SymbolTable * > | symbolTables |
symbol tables More... | |
std::vector< RelocationTable * > | relocationTables |
relocation tables More... | |
std::vector< DynamicTable * > | dynamicTables |
tables with dynamic records More... | |
std::vector< unsigned char > | bytes |
content of file as bytes More... | |
std::vector< String > | strings |
detected strings More... | |
std::vector< ElfNoteSecSeg > | noteSecSegs |
note sections or segments found in ELF file More... | |
std::set< std::uint64_t > | unknownRelocs |
unknown relocations More... | |
ImportTable * | importTable |
table of imports More... | |
ExportTable * | exportTable |
table of exports More... | |
ResourceTable * | resourceTable |
table of resources More... | |
ResourceTree * | resourceTree |
structure of resource tree More... | |
RichHeader * | richHeader |
rich header More... | |
PdbInfo * | pdbInfo |
information about related PDB debug file More... | |
CertificateTable * | certificateTable |
table of certificates More... | |
TlsInfo * | tlsInfo |
thread-local information More... | |
ElfCoreInfo * | elfCoreInfo |
information about core file structures More... | |
Format | fileFormat |
format of input file More... | |
LoaderErrorInfo | _ldrErrInfo |
loader error (e.g. Windows loader error for PE files) More... | |
bool | stateIsValid |
internal state of instance More... | |
std::vector< std::pair< std::size_t, std::size_t > > | secHashInfo |
information for calculation of section table hash More... | |
std::optional< bool > | signatureVerified |
indicates whether the signature is present and also verified More... | |
retdec::common::RangeContainer< std::uint64_t > | nonDecodableRanges |
Address ranges which should not be decoded for instructions. More... | |
std::vector< std::pair< std::string, std::string > > | anomalies |
file format anomalies More... | |
Private Member Functions | |
Initialization methods | |
void | initLoaderErrorInfo (PeLib::LoaderError ldrError) |
void | initLoaderErrorInfo () |
void | initStructures (const std::string &dllListFile) |
Virtual initialization methods | |
virtual std::size_t | initSectionTableHashOffsets () override |
.NET methods | |
void | loadDotnetHeaders () |
void | parseMetadataStream (std::uint64_t baseAddress, std::uint64_t offset, std::uint64_t size) |
void | parseBlobStream (std::uint64_t baseAddress, std::uint64_t offset, std::uint64_t size) |
void | parseGuidStream (std::uint64_t baseAddress, std::uint64_t offset, std::uint64_t size) |
void | parseStringStream (std::uint64_t baseAddress, std::uint64_t offset, std::uint64_t size) |
void | parseUserStringStream (std::uint64_t baseAddress, std::uint64_t offset, std::uint64_t size) |
template<typename T > | |
void | parseMetadataTable (BaseMetadataTable *table, std::uint64_t &address) |
void | detectModuleVersionId () |
void | detectTypeLibId () |
void | detectDotnetTypes () |
std::uint64_t | detectPossibleMetadataHeaderAddress () const |
void | computeTypeRefHashes () |
Visual Basic methods | |
bool | parseVisualBasicProjectInfo (std::size_t structureOffset) |
bool | parseVisualBasicExternTable (std::size_t structureOffset, std::size_t nEntries) |
bool | parseVisualBasicObjectTable (std::size_t structureOffset) |
bool | parseVisualBasicObjects (std::size_t structureOffset, std::size_t nObjects) |
bool | parseVisualBasicComRegistrationData (std::size_t structureOffset) |
bool | parseVisualBasicComRegistrationInfo (std::size_t structureOffset, std::size_t comRegDataOffset) |
Auxiliary scanning methods | |
void | scanForSectionAnomalies (unsigned anamaliesLimit=1000) |
void | scanForResourceAnomalies () |
void | scanForImportAnomalies () |
void | scanForExportAnomalies () |
void | scanForOptHeaderAnomalies () |
Private Attributes | |
PeFormatParser * | formatParser |
parser of PE file More... | |
std::unique_ptr< CLRHeader > | clrHeader |
.NET CLR header More... | |
std::unique_ptr< MetadataHeader > | metadataHeader |
.NET metadata header More... | |
std::unique_ptr< MetadataStream > | metadataStream |
.NET metadata stream More... | |
std::unique_ptr< BlobStream > | blobStream |
.NET blob stream More... | |
std::unique_ptr< GuidStream > | guidStream |
.NET GUID stream More... | |
std::unique_ptr< StringStream > | stringStream |
.NET string stream More... | |
std::unique_ptr< UserStringStream > | userStringStream |
.NET user string stream More... | |
std::string | moduleVersionId |
.NET module version ID More... | |
std::string | typeLibId |
.NET type lib ID More... | |
std::vector< std::shared_ptr< DotnetClass > > | definedClasses |
.NET defined class list More... | |
std::vector< std::shared_ptr< DotnetClass > > | importedClasses |
.NET imported class list More... | |
std::string | typeRefHashCrc32 |
.NET typeref table hash as CRC32 More... | |
std::string | typeRefHashMd5 |
.NET typeref table hash as MD5 More... | |
std::string | typeRefHashSha256 |
.NET typeref table hash as SHA256 More... | |
VisualBasicInfo | visualBasicInfo |
visual basic header information More... | |
std::unordered_set< std::string > | dllList |
Override set of DLLs used when checking for missing dependencies. More... | |
bool | errorLoadingDllList |
If true, then an error happened while loading DLL list. More... | |
Auxiliary methods | |
std::size_t | getRichHeaderOffset (const std::string &plainFile) |
bool | getResourceNodes (std::vector< const PeLib::ResourceChild * > &nodes, std::vector< std::size_t > &levels) |
void | loadRichHeader () |
void | loadSections () |
void | loadSymbols () |
void | loadImports () |
void | loadExports () |
void | loadVisualBasicHeader () |
void | loadPdbInfo () |
void | loadResourceNodes (std::vector< const PeLib::ResourceChild * > &nodes, const std::vector< std::size_t > &levels) |
void | loadResources () |
void | loadCertificates () |
void | loadTlsInformation () |
static bool | checkDefaultList (std::string_view) |
Additional Inherited Members | |
![]() | |
using | GetNByteFn = std::function< bool(std::uint64_t, std::uint64_t &, Endianness)> |
using | GetXByteFn = std::function< bool(std::uint64_t, std::uint64_t, std::uint64_t &, Endianness)> |
![]() | |
void | clear () |
void | computeSectionTableHashes () |
void | setLoadedBytes (std::vector< unsigned char > *lBytes) |
![]() | |
bool | createValueFromBytes (const std::vector< std::uint8_t > &data, std::uint64_t &value, Endianness endian, std::uint64_t offset=0, std::uint64_t size=0) const |
bool | createBytesFromValue (std::uint64_t data, std::uint64_t x, std::vector< std::uint8_t > &value, Endianness endian) const |
bool | get10ByteImpl (const std::vector< std::uint8_t > &data, long double &res) const |
bool | getFloatImpl (const std::vector< std::uint8_t > &data, float &res) const |
bool | getDoubleImpl (const std::vector< std::uint8_t > &data, double &res) const |
bool | getNTBSImpl (const GetNByteFn &get1ByteFn, std::uint64_t address, std::string &res, std::size_t size) const |
bool | getNTWSImpl (const GetXByteFn &getXByteFn, std::uint64_t address, std::size_t width, std::vector< std::uint64_t > &res) const |
bool | getNTWSNiceImpl (const GetXByteFn &getXByteFn, std::uint64_t address, std::size_t width, std::vector< std::uint64_t > &res) const |
PeFormat - wrapper for parsing PE files
retdec::fileformat::PeFormat::PeFormat | ( | const std::string & | pathToFile, |
const std::string & | dllListFile, | ||
LoadFlags | loadFlags = LoadFlags::NONE |
||
) |
Constructor
pathToFile | Path to input file |
dllListFile | Path to text file containing list of OS DLLs |
loadFlags | Load flags |
retdec::fileformat::PeFormat::PeFormat | ( | std::istream & | inputStream, |
LoadFlags | loadFlags = LoadFlags::NONE |
||
) |
Constructor
inputStream | Representation of input file |
loadFlags | Load flags |
retdec::fileformat::PeFormat::PeFormat | ( | const std::uint8_t * | data, |
std::size_t | size, | ||
LoadFlags | loadFlags = LoadFlags::NONE |
||
) |
Constructor
data | Input data. |
size | Input data size. |
loadFlags | Load flags |
|
overridevirtual |
Destructor
|
overridevirtual |
Determine whether the loaded sections are OK to use for decompilation purposes. We want at least one valid section which may hold code.
Returns `true` if sections are to be used, `false` otherwise (use segments).
Reimplemented from retdec::fileformat::FileFormat.
|
staticprivate |
|
private |
Compute typeref hashes - CRC32, MD5, SHA256.
|
private |
Detects and reconstructs .NET types such as classes, methods, fields, properties etc.
|
private |
Detects Module Version ID (GUID) out of .NET tables.
|
private |
Detects a possible metadata header structure. It first searches for the metadata header signature `0x424A5342` (stored in the file as the ASCII bytes "BSJB"). If it finds this signature, it then tries to look further for possible stream names.
|
private |
Detects TypeLib ID (GUID) out of .NET tables.
bool retdec::fileformat::PeFormat::dllListFailedToLoad | ( | ) | const |
Returns a flag indicating whether the given DLL list has failed to load.
|
overridevirtual |
Get file format-dependent version of the ABI in use
result | Parameter in which the result is stored |
Returns `true` if the method succeeded, `false` otherwise.
Implements retdec::fileformat::FileFormat.
const BlobStream * retdec::fileformat::PeFormat::getBlobStream | ( | ) | const |
|
overridevirtual |
Implements retdec::utils::ByteValueStorage.
std::size_t retdec::fileformat::PeFormat::getChecksum | ( | ) | const |
Get file checksum
const CLRHeader * retdec::fileformat::PeFormat::getCLRHeader | ( | ) | const |
std::size_t retdec::fileformat::PeFormat::getCoffSymbolTableOffset | ( | ) | const |
Get offset of COFF symbol table
bool retdec::fileformat::PeFormat::getDataDirectoryAbsolute | ( | unsigned long long | index, |
unsigned long long & | absAddr, | ||
unsigned long long & | size | ||
) | const |
Get data directory
index | Index of selected directory |
absAddr | The absolute virtual address of the directory is stored into this parameter |
size | The size of the directory is stored into this parameter |
Returns `true` if the index of the selected directory is valid, `false` otherwise.
If the method returns `false`, absAddr and size are left unchanged.
bool retdec::fileformat::PeFormat::getDataDirectoryRelative | ( | unsigned long long | index, |
unsigned long long & | relAddr, | ||
unsigned long long & | size | ||
) | const |
Get data directory
index | Index of selected directory |
relAddr | The relative virtual address of the directory is stored into this parameter |
size | The size of the directory is stored into this parameter |
Returns `true` if the index of the selected directory is valid, `false` otherwise.
If the method returns `false`, relAddr and size are left unchanged.
|
overridevirtual |
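Get the declared length of the file. This length may be shorter or longer than the real length of the file. Because the value is declared by the file itself, validate it against the real length before using it as a bound.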
Reimplemented from retdec::fileformat::FileFormat.
std::size_t retdec::fileformat::PeFormat::getDeclaredNumberOfDataDirectories | ( | ) | const |
Get number of data-directory entries declared in the optional header
|
overridevirtual |
Get the declared number of sections. This number may differ from the real number of sections in the file.
Implements retdec::fileformat::FileFormat.
|
overridevirtual |
Get the declared number of segments. This number may differ from the real number of segments in the file.
Implements retdec::fileformat::FileFormat.
const std::vector< std::shared_ptr< DotnetClass > > & retdec::fileformat::PeFormat::getDefinedDotnetClasses | ( | ) | const |
std::vector< std::tuple< const std::uint8_t *, std::size_t > > retdec::fileformat::PeFormat::getDigestRanges | ( | ) | const |
Returns the ranges that are used for digest calculation. This digest is used for signature verification. Each range is represented as a tuple whose first element is a pointer to the beginning of the range and whose second element is the size of the range.
bool retdec::fileformat::PeFormat::getDllFlags | ( | unsigned long long & | dllFlags | ) | const |
Get DLL flags
dllFlags | The DLL flags are stored into this parameter |
Returns `true` if the file is a DLL and the flags are successfully detected, `false` otherwise.
|
overridevirtual |
Implements retdec::utils::ByteValueStorage.
|
overridevirtual |
Get virtual address of entry point
result | Parameter in which the result is stored |
Returns `true` if the file has an entry point and the entry point address is successfully detected, `false` otherwise.
If the file has no associated entry point, result is left unchanged.
If the file has an entry point but detection of the entry point address fails, the instance method isInValidState() returns `false` after this method is invoked.
Implements retdec::fileformat::FileFormat.
|
overridevirtual |
Get offset of entry point
epOffset | The resulting number is stored into this parameter |
Returns `true` if the file has an entry point and the entry point offset is successfully detected, `false` otherwise.
If the file has no associated entry point, epOffset is left unchanged.
If the file has an entry point but detection of the entry point offset fails, the instance method isInValidState() returns `false` after this method is invoked.
Implements retdec::fileformat::FileFormat.
std::size_t retdec::fileformat::PeFormat::getFileAlignment | ( | ) | const |
Get file alignment
std::size_t retdec::fileformat::PeFormat::getFileFlags | ( | ) | const |
Get file flags
const GuidStream * retdec::fileformat::PeFormat::getGuidStream | ( | ) | const |
|
overridevirtual |
Get image base address of file
imageBase | The resulting number is stored into this parameter |
Returns `true` if the file has an image base address and this address was successfully detected, `false` otherwise.
If the file has no image base, imageBase is left unchanged.
Implements retdec::fileformat::FileFormat.
std::size_t retdec::fileformat::PeFormat::getImageBitability | ( | ) | const |
Get image bitability
In some cases (e.g. FSG packer), the offset of the PE signature may be inside the MZ header, and therefore this method may return a smaller number than the method getMzHeaderSize().
const PeLib::ImageLoader & retdec::fileformat::PeFormat::getImageLoader | ( | ) | const |
const std::vector< std::shared_ptr< DotnetClass > > & retdec::fileformat::PeFormat::getImportedDotnetClasses | ( | ) | const |
|
overridevirtual |
Get file format-dependent number representing code of target architecture of file
result | Parameter in which the result is stored |
true
if method went OK, false
otherwise.
Implements retdec::fileformat::FileFormat.
std::size_t retdec::fileformat::PeFormat::getMajorLinkerVersion | ( | ) | const |
Get major version of used linker
const MetadataHeader * retdec::fileformat::PeFormat::getMetadataHeader | ( | ) | const |
const MetadataStream * retdec::fileformat::PeFormat::getMetadataStream | ( | ) | const |
std::size_t retdec::fileformat::PeFormat::getMinorLinkerVersion | ( | ) | const |
Get minor version of used linker
const std::string & retdec::fileformat::PeFormat::getModuleVersionId | ( | ) | const |
std::size_t retdec::fileformat::PeFormat::getMzHeaderSize | ( | ) | const |
Get size of MZ header
bool retdec::fileformat::PeFormat::getNumberOfBaseRelocationBlocks | ( | unsigned long long & | relocs | ) | const |
Get number of base relocation blocks
relocs | Into this parameter the number of blocks is stored |
true
if number of blocks is successfully detected, false
otherwise. If function returns false, relocs is left unchanged.
std::size_t retdec::fileformat::PeFormat::getNumberOfCoffSymbols | ( | ) | const |
Get number of symbols in COFF symbol table
std::size_t retdec::fileformat::PeFormat::getNumberOfDataDirectories | ( | ) | const |
Get number of data-directory entries in input file
bool retdec::fileformat::PeFormat::getNumberOfRelocations | ( | unsigned long long & | relocs | ) | const |
Get number of relocations
relocs | Into this parameter the number of relocations is stored |
true
if number of relocations is successfully detected, false
otherwise. If function returns false, relocs is left unchanged.
std::size_t retdec::fileformat::PeFormat::getOptionalHeaderSize | ( | ) | const |
Get size of optional header
std::size_t retdec::fileformat::PeFormat::getPeHeaderOffset | ( | ) | const |
Get offset of PE signature
In some cases (e.g. FSG packer), the offset of the PE signature may lie inside the MZ header, and therefore this method may return a smaller number than method getMzHeaderSize().
const PeCoffSection * retdec::fileformat::PeFormat::getPeSection | ( | const std::string & | secName | ) | const |
Get information about section with name secName
secName | Name of section |
nullptr
if section was not found. If the file has more than one section with name equal to secName, the first such section is returned.
const PeCoffSection * retdec::fileformat::PeFormat::getPeSection | ( | unsigned long long | secIndex | ) | const |
Get information about section with index secIndex
secIndex | Index of section (indexed from 0) |
nullptr
if section was not detected
|
private |
Get nodes of resource tree except root
nodes | Into this parameter nodes are stored (except root node) |
levels | Into this parameter is stored number of nodes in each level of tree (except root level) |
true
if nodes were successfully loaded, false
otherwise
|
private |
Calculate offset of rich header
plainFile | Content of input file from space after MZ header to offset of PE signature |
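Method returns the default value (0x80) if detection of the offset fails or the rich header is not present in the input file. A returned value of 0x80 therefore does not by itself show that a rich header was located.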
std::size_t retdec::fileformat::PeFormat::getSectionAlignment | ( | ) | const |
Get section alignment
|
overridevirtual |
Get size of one record in section table or zero if section table does not exist
Implements retdec::fileformat::FileFormat.
|
overridevirtual |
Get section table offset or zero if section table does not exist
Implements retdec::fileformat::FileFormat.
|
overridevirtual |
Get size of one record in segment table or zero if segment table does not exist
Implements retdec::fileformat::FileFormat.
|
overridevirtual |
Get segment table offset or zero if segment table does not exist
Implements retdec::fileformat::FileFormat.
std::size_t retdec::fileformat::PeFormat::getSizeOfHeaders | ( | ) | const |
Get size of headers
std::size_t retdec::fileformat::PeFormat::getSizeOfHeapCommit | ( | ) | const |
Get size of the local heap space to commit
std::size_t retdec::fileformat::PeFormat::getSizeOfHeapReserve | ( | ) | const |
Get size of the local heap space to reserve
std::size_t retdec::fileformat::PeFormat::getSizeOfImage | ( | ) | const |
Get size of image
std::size_t retdec::fileformat::PeFormat::getSizeOfStackCommit | ( | ) | const |
Get size of the stack to commit
std::size_t retdec::fileformat::PeFormat::getSizeOfStackReserve | ( | ) | const |
Get size of the stack to reserve
std::size_t retdec::fileformat::PeFormat::getSizeOfStringTable | ( | ) | const |
Get size in bytes of string table
const StringStream * retdec::fileformat::PeFormat::getStringStream | ( | ) | const |
|
overridevirtual |
Get target architecture
Architecture::UNKNOWN | Architecture is unknown |
Implements retdec::fileformat::FileFormat.
std::size_t retdec::fileformat::PeFormat::getTimeStamp | ( | ) | const |
Get time stamp
const std::string & retdec::fileformat::PeFormat::getTypeLibId | ( | ) | const |
const std::string & retdec::fileformat::PeFormat::getTypeRefhashCrc32 | ( | ) | const |
const std::string & retdec::fileformat::PeFormat::getTypeRefhashMd5 | ( | ) | const |
const std::string & retdec::fileformat::PeFormat::getTypeRefhashSha256 | ( | ) | const |
const UserStringStream * retdec::fileformat::PeFormat::getUserStringStream | ( | ) | const |
const VisualBasicInfo * retdec::fileformat::PeFormat::getVisualBasicInfo | ( | ) | const |
|
overridevirtual |
Implements retdec::utils::ByteValueStorage.
bool retdec::fileformat::PeFormat::initDllList | ( | const std::string & | dllListFile | ) |
|
private |
|
private |
Init information from PE loader
|
overrideprivatevirtual |
Init offsets for calculation of section table hashes
Implements retdec::fileformat::FileFormat.
|
private |
Init internal structures
|
overridevirtual |
true
if file is a dynamically linked library, false
otherwise.
Implements retdec::fileformat::FileFormat.
bool retdec::fileformat::PeFormat::isDotNet | ( | ) | const |
Check if input file contains CIL/.NET code
true
if input file contains CIL/.NET code, false
otherwise
|
overridevirtual |
true
if input file is executable file, false
otherwise.
Implements retdec::fileformat::FileFormat.
bool retdec::fileformat::PeFormat::isMissingDependency | ( | std::string | dllname | ) | const |
|
overridevirtual |
true
if file is object file, false
otherwise.
Implements retdec::fileformat::FileFormat.
bool retdec::fileformat::PeFormat::isPackedDotNet | ( | ) | const |
Check if input file contains packed CIL/.NET code
true
if input file contains packed CIL/.NET code, false
otherwise
bool retdec::fileformat::PeFormat::isVisualBasic | ( | unsigned long long & | version | ) | const |
Check if input file original language is Visual Basic
version | Into this parameter is stored version of Visual Basic, or 0 if version was not detected |
true
if input file original language is Visual Basic, false
otherwise
|
private |
Load certificates.
|
private |
Load .NET headers.
|
private |
Load information about exports
|
private |
Load information about imports
|
private |
Load information about related PDB file
|
private |
Load only resource nodes
nodes | Nodes of tree (except root node) |
levels | Number of nodes in each level of tree (except root level) |
|
private |
Load resources
|
private |
Load Rich header
|
private |
Load information about sections
|
private |
Load information about symbols
Instance method loadSections() must be invoked before invocation of this method
|
private |
Load thread-local storage information
|
private |
Load visual basic header
|
private |
Parses .NET blob stream.
baseAddress | Base address of .NET metadata header. |
offset | Offset of blob stream. |
size | Size of stream. |
|
private |
Parses .NET GUID stream.
baseAddress | Base address of .NET metadata header. |
offset | Offset of GUID stream. |
size | Size of stream. |
|
private |
Parses .NET metadata stream.
baseAddress | Base address of .NET metadata header. |
offset | Offset of metadata stream. |
size | Size of stream. |
|
private |
Parses single metadata table from metadata stream.
table | Table where to insert data. |
address | Address of table data. |
|
private |
Parses .NET string stream.
baseAddress | Base address of .NET metadata header. |
offset | Offset of string stream. |
size | Size of stream. |
|
private |
Parses .NET user string stream.
baseAddress | Base address of .NET metadata header. |
offset | Offset of user string stream. |
size | Size of stream. |
|
private |
Parse visual basic COM registration data
structureOffset | Offset in file where the structure starts |
true
if COM registration data was successfully parsed, false
otherwise
|
private |
Parse visual basic COM registration info
structureOffset | Offset in file where the structure starts |
comRegDataOffset | Offset in file where the com registration data structure starts |
true
if COM registration info was successfully parsed, false
otherwise
|
private |
Parse visual basic extern table
structureOffset | Offset in file where the structure starts |
nEntries | Number of entries in table |
true
if extern table was successfully parsed, false
otherwise
|
private |
Parse visual basic objects
structureOffset | Offset in file where the public object descriptors array starts |
nObjects | Number of objects in array |
true
if objects were successfully parsed, false
otherwise
|
private |
Parse visual basic object table
structureOffset | Offset in file where the structure starts |
true
if object table was successfully parsed, false
otherwise
|
private |
Parse visual basic project info
structureOffset | Offset in file where the structure starts |
true
if project info was successfully parsed, false
otherwise
void retdec::fileformat::PeFormat::scanForAnomalies | ( | ) |
Scan for file format anomalies
|
private |
Scan for export anomalies
|
private |
Scan for import anomalies
|
private |
Scan for optional header anomalies
|
private |
Scan for section anomalies
|
private |
Scan for section anomalies
|
private |
.NET blob stream
|
private |
.NET CLR header
|
private |
.NET defined class list
|
private |
Override set of DLLs used when checking for missing dependencies.
|
private |
If true, then an error happened while loading DLL list.
|
protected |
PeLib representation of PE file.
|
private |
parser of PE file
|
private |
.NET GUID stream
|
private |
.NET imported class list
|
private |
.NET metadata header
|
private |
.NET metadata stream
|
private |
.NET module version ID
|
private |
.NET string stream
|
private |
.NET type lib ID
|
private |
.NET typeref table hash as CRC32
|
private |
.NET typeref table hash as MD5
|
private |
.NET typeref table hash as SHA256
|
private |
.NET user string stream
|
private |
visual basic header information