#ifndef YR_PE_UTILS_H
#define YR_PE_UTILS_H
#include <yara_pe.h>
// Upper bound on the number of section headers a parser should walk. This
// matches the Windows loader's own limit on IMAGE_FILE_HEADER.NumberOfSections,
// so a header claiming more than this is malformed; clamping to it keeps a
// hostile NumberOfSections from driving an unbounded loop over the file.
#define MAX_PE_SECTIONS 96
// True when the image's optional header is PE32+ (64-bit). The Magic field is
// at the same offset in IMAGE_NT_HEADERS32 and IMAGE_NT_HEADERS64, so reading
// it through the header64 view is valid for either kind of image. The value is
// read in file (little-endian) byte order via yr_le16toh. The caller is
// responsible for having bounds-checked the NT headers (fits_in_pe) first.
#define IS_64BITS_PE(pe) \
  (yr_le16toh(pe->header64->OptionalHeader.Magic) == \
   IMAGE_NT_OPTIONAL_HDR64_MAGIC)

// Read `field` from whichever optional-header layout matches the image.
// `pe` is evaluated more than once, so pass a side-effect-free expression.
// The field is returned as stored in the file; no byte-order conversion is
// applied here.
#define OptionalHeader(pe, field) \
  (IS_64BITS_PE(pe) ? pe->header64->OptionalHeader.field \
                    : pe->header->OptionalHeader.field)
//
// Imports are stored in a linked list. Each node (IMPORTED_DLL) holds the
// name of one DLL and the head of a second linked list of IMPORT_FUNCTION
// structures describing the functions imported from that DLL.
//
typedef struct _IMPORTED_DLL
{
  char* name;                          // DLL name; who owns/frees it is not
                                       // visible in this header — TODO confirm
  struct _IMPORT_FUNCTION* functions;  // head of this DLL's function list
  struct _IMPORTED_DLL* next;          // next DLL; presumably NULL at the end
} IMPORTED_DLL, *PIMPORTED_DLL;
//
// This is used to track both imported and exported functions. The
// "has_ordinal" field is only meaningful for imports, where an ordinal is
// optional. Every export has an ordinal so the field is not needed there, but
// in the interest of keeping duplicate code to a minimum the same structure is
// used for both imports and exports.
//
typedef struct _IMPORT_FUNCTION
{
  char* name;                        // function name; ownership not shown here — TODO confirm
  uint8_t has_ordinal;               // non-zero when `ordinal` is valid (imports only)
  uint16_t ordinal;                  // import/export ordinal
  uint64_t rva;                      // relative virtual address of the function
  struct _IMPORT_FUNCTION* next;     // next function; presumably NULL at the end
} IMPORT_FUNCTION, *PIMPORT_FUNCTION;
// Parser state for one PE image. `data`/`data_size` describe the raw,
// untrusted file bytes and are the bounds that every fits_in_pe() check is
// made against; the header pointers below point into that same buffer.
typedef struct _PE
{
  const uint8_t* data;        // start of the file contents
  size_t data_size;           // number of bytes available at `data`
  union
  {
    PIMAGE_NT_HEADERS32 header;    // NT headers viewed as PE32 (see IS_64BITS_PE)
    PIMAGE_NT_HEADERS64 header64;  // the same pointer viewed as PE32+
  };
  YR_HASH_TABLE* hash_table;  // purpose not visible in this header — see pe.c
  YR_OBJECT* object;          // presumably the YARA module object parsed values
                              // are published to — confirm against pe.c
  IMPORTED_DLL* imported_dlls;        // regular imports (see IMPORTED_DLL)
  IMPORTED_DLL* delay_imported_dlls;  // delay-load imports, same node type
  uint32_t resources;         // NOTE(review): looks like a running count of
                              // parsed resources — confirm
  uint32_t version_infos;     // NOTE(review): looks like a running count of
                              // parsed version-info blocks — confirm
} PE;
// Bounds check: true iff `size` bytes starting at `pointer` lie entirely within
// [pe->data, pe->data + pe->data_size). The size comparison comes first so that
// `pe->data_size - (size)` cannot wrap, and the upper bound is formed by
// subtracting from the buffer end rather than computing `pointer + size`, so an
// oversized `size` cannot move the comparison past the end of the buffer.
// Every pointer derived from file contents must pass this check before it is
// dereferenced. Arguments are evaluated more than once, so pass side-effect-
// free expressions; a negative signed `size` converts to a huge size_t and is
// rejected by the first comparison.
#define fits_in_pe(pe, pointer, size) \
  ((size_t)(size) <= pe->data_size && (uint8_t*) (pointer) >= pe->data && \
   (uint8_t*) (pointer) <= pe->data + pe->data_size - (size))

// Convenience form of fits_in_pe for a fixed-size structure located at
// `pointer`; `struct_type` is the type the pointer is about to be read as.
#define struct_fits_in_pe(pe, pointer, struct_type) \
  fits_in_pe(pe, pointer, sizeof(struct_type))
// Locate the IMAGE_NT_HEADERS inside `data_size` bytes of raw file data. The
// result is returned as the PE32 view; IS_64BITS_PE decides which layout
// actually applies. Presumably returns NULL when the buffer is not a PE or
// the headers do not fit — confirm against pe_utils.c.
PIMAGE_NT_HEADERS32 pe_get_header(const uint8_t* data, size_t data_size);

// Return data directory entry `entry` of the optional header. Presumably
// returns NULL when the header declares fewer entries than `entry` — confirm.
PIMAGE_DATA_DIRECTORY pe_get_directory_entry(PE* pe, int entry);

// Translate a relative virtual address into a file offset. The int64_t return
// presumably signals "not mapped" with a negative value — confirm. Callers
// must still fits_in_pe() the pointer derived from the offset before reading.
int64_t pe_rva_to_offset(PE* pe, uint64_t rva);

// Map an import-by-ordinal from `dll` to a function name, presumably for a
// fixed set of well-known DLLs. Ownership of the returned string (static vs.
// caller-freed) is not visible in this header — TODO confirm before freeing.
char* ord_lookup(char* dll, uint16_t ord);
#endif