Message(" flags: %.8X ", sectionflags);
Message(flagsComment + "\n\n");
Message(warningComment);
if(PEentry && (RVA <= PEentry) && (PEentry < (RVA + vSize)))
{
Message(" * The entry point is in the " + DLL_name + findString + " section\n\n");
comment = comment + "\n* The entry point is in this section.";
if((RVA + phySize) <= PEentry)
{
Message(" * WARNING: no physical data to backup the entry point\n\n");
}
}
l = imageBase + PEsections + i*0x28;
ForceStruct(l, DLL_name + PE_SECTION_STRUCTURE_NAME);
MakeComm(l, comment);
}
if(LargestPhysical < fileSize)
{
Message(form(" * extra data after image at %.8X (size is %.8X)\n\n", LargestPhysical, fileSize - LargestPhysical));
}
if(imageDelta)
{
auto reloc_rva;
if(PEtype != 0x20b)
{
reloc_rva = imageBase + PEoffset + 0xa0;
}
else
{
reloc_rva = imageBase + PEoffset + 0xb0;
}
ApplyRelocs(imageBase, LEDword(reloc_rva), imageDelta);
}
Message("-------------------------------------------------------------------------------\n\n");
tables_error = doPETables(PEoffset, imageBase, DLL_name);
ForceStruct(imageBase, DLL_name + MZ_HEADER_STRUCTURE_NAME);
ForceStruct(imageBase + PEoffset, DLL_name + PE_HEADER_STRUCTURE_NAME);
ForceName(imageBase, DLL_name + "image_base");
ForceName(imageBase + PEoffset, DLL_name + "pe_header");
if(tables_error != -1)
{
return imageBase;
}
else
{
return -1;
}
}
// Defines the IDA structure type used to annotate the DOS (MZ) header of a
// loaded image. The structure name is DLL_name + MZ_HEADER_STRUCTURE_NAME.
//
// imageBase - base address of the image; used as the offset base for the
//             "new_hdr_offset" member so IDA shows it as a reference.
// DLL_name  - prefix for the structure name (assumed to be a string).
//
// Returns -1 if the structure can neither be created nor found by name,
// 0 if a structure of that name already exists (no members are added in
// that case). After a fresh creation the function ends without an explicit
// return statement.
static CreateMZStruct(imageBase, DLL_name)
{
    auto structName;
    auto structId;

    structName = DLL_name + MZ_HEADER_STRUCTURE_NAME;

#ifdef IDA_IS_OLD
    structId = AddStruc(-1, structName);
#else
    structId = AddStrucEx(-1, structName, 0);
#endif

    if(structId == -1)
    {
        // Creation failed: the usual reason is that the structure is already
        // defined, so look it up before reporting an error.
        if(GetStrucIdByName(structName) != -1)
        {
            return 0;
        }
        WarningMessage("Unable to create the " + DLL_name + MZ_HEADER_STRUCTURE_NAME + " structure!\n");
        return -1;
    }

    // Classic DOS header fields, 16 bits each, from 0x00 to 0x1b.
    AddStrucMember(structId, "MZ_signature",   0x00, FF_ASCI, -1, 2);
    AddStrucMember(structId, "bytes_in_last",  0x02, FF_WORD, -1, 2);
    AddStrucMember(structId, "total_pages",    0x04, FF_WORD, -1, 2);
    AddStrucMember(structId, "num_relocs",     0x06, FF_WORD, -1, 2);
    AddStrucMember(structId, "header_size",    0x08, FF_WORD, -1, 2);
    AddStrucMember(structId, "min_mem",        0x0a, FF_WORD, -1, 2);
    AddStrucMember(structId, "max_mem",        0x0c, FF_WORD, -1, 2);
    AddStrucMember(structId, "init_SS",        0x0e, FF_WORD, -1, 2);
    AddStrucMember(structId, "init_SP",        0x10, FF_WORD, -1, 2);
    AddStrucMember(structId, "CRC",            0x12, FF_WORD, -1, 2);
    AddStrucMember(structId, "init_IP",        0x14, FF_WORD, -1, 2);
    AddStrucMember(structId, "init_CS",        0x16, FF_WORD, -1, 2);
    AddStrucMember(structId, "relocs_offset",  0x18, FF_WORD, -1, 2);
    AddStrucMember(structId, "overlay_number", 0x1a, FF_WORD, -1, 2);

    // 32 reserved bytes fill 0x1c..0x3b.
    AddStrucMember(structId, "reserved",       0x1c, FF_BYTE, -1, 32);

    // Dword at 0x3c, typed as an offset relative to imageBase.
    AddStrucMember(structId, "new_hdr_offset", 0x3c, FF_DWRD | FF_0OFF, imageBase, 4);
}
// Adds a 4-byte member to structure sHandle at s_offset, choosing its
// presentation from the value currently stored in the image:
//   - dword at base + PEoffset + s_offset is zero -> plain dword
//   - otherwise                                   -> offset relative to base
// This keeps empty (zero) RVA fields from being shown as references to the
// image base itself.
//
// Returns whatever AddStrucMember returns.
static AddNZOffset(sHandle, name, s_offset, base, PEoffset)
{
    auto memberFlags;
    auto offsetBase;

    // Default: an ordinary dword with no offset base.
    memberFlags = FF_DWRD;
    offsetBase = -1;

    if(LEDword(base + PEoffset + s_offset) != 0)
    {
        // The field holds a value: present it as an offset from base.
        memberFlags = FF_DWRD | FF_0OFF;
        offsetBase = base;
    }

    return AddStrucMember(sHandle, name, s_offset, memberFlags, offsetBase, 4);
}
// Defines the IDA structure type used to annotate the PE header (signature,
// COFF file header, optional header and data-directory pairs) of the image
// at imageBase. The structure name is DLL_name + PE_HEADER_STRUCTURE_NAME.
//
// imageBase - base address of the image in the database.
// PEoffset  - offset of the PE signature from imageBase.
// DLL_name  - prefix for the structure name.
//
// Returns -1 if the structure can neither be created nor found by name.
// Returns 0 if a structure of that name already exists (no members are
// added), or as soon as the directory count read from the image is used up.
// If all 16 directory pairs are added, the function ends without an explicit
// return statement.
//
// All values read here (the magic word and the directory count) come from
// the file being analysed and are not validated by this function.
static CreatePEStruct(imageBase, PEoffset, DLL_name)
{
auto sHandle;
auto numInterested;
auto PEtype;
auto delta;
// Optional-header magic word; 0x20b selects the layout with 8-byte
// image-base/stack/heap fields (PE32+), anything else the 4-byte layout.
PEtype = LEWord(imageBase + PEoffset + 0x18);
#ifdef IDA_IS_OLD
sHandle = AddStruc(-1, DLL_name + PE_HEADER_STRUCTURE_NAME);
#else
sHandle = AddStrucEx(-1, DLL_name + PE_HEADER_STRUCTURE_NAME, 0);
#endif
if(sHandle == -1)
{
// Creation failed; treat an already existing structure of the same name as
// success and leave its members as they are.
sHandle = GetStrucIdByName(DLL_name + PE_HEADER_STRUCTURE_NAME);
if(sHandle == -1)
{
WarningMessage("Unable to create the " + DLL_name + PE_HEADER_STRUCTURE_NAME + " structure!\n");
return -1;
}
return 0;
}
// Signature and COFF file header (0x00..0x17).
AddStrucMember(sHandle, "PE_signature", 0x00, FF_ASCI, -1, 4);
AddStrucMember(sHandle, "CPU_Type", 0x04, FF_WORD, -1, 2);
AddStrucMember(sHandle, "number_of_Sections", 0x06, FF_WORD, -1, 2);
AddStrucMember(sHandle, "time_date_stamp", 0x08, FF_DWRD, -1, 4);
AddStrucMember(sHandle, "symbol_table_file_offset", 0x0c, FF_DWRD, -1, 4);
AddStrucMember(sHandle, "symbol_table_size", 0x10, FF_DWRD, -1, 4);
AddStrucMember(sHandle, "opt_header_size", 0x14, FF_WORD, -1, 2);
AddStrucMember(sHandle, "flags", 0x16, FF_WORD, -1, 2);
// Optional header starts at 0x18 with the magic word read into PEtype above.
AddStrucMember(sHandle, "COFF_magic", 0x18, FF_WORD, -1, 2);
AddStrucMember(sHandle, "Linker_version", 0x1a, FF_WORD, -1, 2);
AddStrucMember(sHandle, "size_of_code", 0x1c, FF_DWRD, -1, 4);
AddStrucMember(sHandle, "size_of_init_data", 0x20, FF_DWRD, -1, 4);
AddStrucMember(sHandle, "size_of_uninit_data", 0x24, FF_DWRD, -1, 4);
// RVA fields go through AddNZOffset: shown as offsets from imageBase only
// when the stored value is non-zero.
AddNZOffset(sHandle, "entry_point_RVA", 0x28, imageBase, PEoffset);
AddNZOffset(sHandle, "base_of_code", 0x2c, imageBase, PEoffset);
if(PEtype != 0x20b)
{
// 4-byte layout: base_of_data is present and the image base is a dword.
AddNZOffset(sHandle, "base_of_data", 0x30, imageBase, PEoffset);
AddStrucMember(sHandle, "base_of_image", 0x34, FF_DWRD, -1, 4);
}
else
{
// 8-byte layout: no base_of_data; the image base is a qword at 0x30.
AddStrucMember(sHandle, "base_of_image", 0x30, FF_QWRD, -1, 8);
}
AddStrucMember(sHandle, "image_alignment", 0x38, FF_DWRD, -1, 4);
AddStrucMember(sHandle, "file_alignment", 0x3c, FF_DWRD, -1, 4);
AddStrucMember(sHandle, "OS_version_major", 0x40, FF_WORD, -1, 2);
AddStrucMember(sHandle, "OS_version_minor", 0x42, FF_WORD, -1, 2);
AddStrucMember(sHandle, "User_version_major", 0x44, FF_WORD, -1, 2);
AddStrucMember(sHandle, "User_version_minor", 0x46, FF_WORD, -1, 2);
AddStrucMember(sHandle, "SubSys_version_major",0x48, FF_WORD, -1, 2);
AddStrucMember(sHandle, "SubSys_version_minor",0x4a, FF_WORD, -1, 2);
AddStrucMember(sHandle, "Reserved2", 0x4c, FF_DWRD, -1, 4);
AddStrucMember(sHandle, "size_of_image", 0x50, FF_DWRD, -1, 4);
AddStrucMember(sHandle, "size_of_header", 0x54, FF_DWRD, -1, 4);
AddStrucMember(sHandle, "file_CRC", 0x58, FF_DWRD, -1, 4);
AddStrucMember(sHandle, "Sub_System", 0x5c, FF_WORD, -1, 2);
AddStrucMember(sHandle, "DLL_flags", 0x5e, FF_WORD, -1, 2);
// Stack/heap sizes are 4 bytes each in the 4-byte layout and 8 bytes each in
// the 8-byte layout; delta is the resulting shift (0 or 0x10) applied to
// every member that follows.
if(PEtype != 0x20b)
{
AddStrucMember(sHandle, "stack_reserve", 0x60, FF_DWRD, -1, 4);
AddStrucMember(sHandle, "stack_commit", 0x64, FF_DWRD, -1, 4);
AddStrucMember(sHandle, "heap_reserve", 0x68, FF_DWRD, -1, 4);
AddStrucMember(sHandle, "heap_commit", 0x6c, FF_DWRD, -1, 4);
delta = 0;
}
else
{
AddStrucMember(sHandle, "stack_reserve", 0x60, FF_QWRD, -1, 8);
AddStrucMember(sHandle, "stack_commit", 0x68, FF_QWRD, -1, 8);
AddStrucMember(sHandle, "heap_reserve", 0x70, FF_QWRD, -1, 8);
AddStrucMember(sHandle, "heap_commit", 0x78, FF_QWRD, -1, 8);
delta = 0x10;
}
AddStrucMember(sHandle, "loader_flags", 0x70 + delta, FF_DWRD, -1, 4);
AddStrucMember(sHandle, "interesting_pairs", 0x74 + delta, FF_DWRD, -1, 4);
// Number of (RVA, size) directory pairs, taken straight from the image.
// Each "if(!numInterested--)" below stops once that many pairs have been
// added. At most the 16 pairs listed here are ever added, whatever the
// stored count says, because the function simply runs out of statements.
// NOTE(review): the count is not compared with opt_header_size, so for a
// malformed header the members may describe bytes past the optional
// header - confirm whether callers check this.
numInterested = LEDword(imageBase + PEoffset + 0x74 + delta);
if(!numInterested--)
return 0;
AddNZOffset(sHandle, "export_table_RVA", 0x78 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "export_table_size", 0x7c + delta, FF_DWRD, -1, 4);
if(!numInterested--)
return 0;
AddNZOffset(sHandle, "import_table_RVA", 0x80 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "import_table_size", 0x84 + delta, FF_DWRD, -1, 4);
if(!numInterested--)
return 0;
AddNZOffset(sHandle, "resource_table_RVA", 0x88 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "resource_table_size", 0x8c + delta, FF_DWRD, -1, 4);
if(!numInterested--)
return 0;
AddNZOffset(sHandle, "exception_table_RVA", 0x90 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "exception_table_size", 0x94 + delta, FF_DWRD, -1, 4);
if(!numInterested--)
return 0;
// NOTE(review): in the PE format this directory entry stores a file offset
// rather than an RVA, so the offset typing may point at the wrong place -
// verify before following the reference.
AddNZOffset(sHandle, "security_table_RVA", 0x98 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "security_table_size", 0x9c + delta, FF_DWRD, -1, 4);
if(!numInterested--)
return 0;
AddNZOffset(sHandle, "reloc_table_RVA", 0xa0 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "reloc_table_size", 0xa4 + delta, FF_DWRD, -1, 4);
if(!numInterested--)
return 0;
AddNZOffset(sHandle, "debug_table_RVA", 0xa8 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "debug_table_size", 0xac + delta, FF_DWRD, -1, 4);
if(!numInterested--)
return 0;
AddNZOffset(sHandle, "image_desc_table_RVA", 0xb0 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "image_desc_table_size", 0xb4 + delta, FF_DWRD, -1, 4);
if(!numInterested--)
return 0;
AddNZOffset(sHandle, "machine_spec_table_RVA", 0xb8 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "machine_spec_table_size", 0xbc + delta, FF_DWRD, -1, 4);
if(!numInterested--)
return 0;
AddNZOffset(sHandle, "thread_local_storage_table_RVA", 0xc0 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "thread_local_storage_table_size", 0xc4 + delta, FF_DWRD, -1, 4);
if(!numInterested--)
return 0;
AddNZOffset(sHandle, "load_config_table_RVA", 0xc8 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "load_config_table_size", 0xcc + delta, FF_DWRD, -1, 4);
if(!numInterested--)
return 0;
AddNZOffset(sHandle, "bound_import_table_RVA", 0xd0 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "bound_import_table_size", 0xd4 + delta, FF_DWRD, -1, 4);
if(!numInterested--)
return 0;
AddNZOffset(sHandle, "IAT_table_RVA", 0xd8 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "IAT_table_size", 0xdc + delta, FF_DWRD, -1, 4);
if(!numInterested--)
return 0;
AddNZOffset(sHandle, "delay_import_desc_table_RVA", 0xe0 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "delay_import_desc_table_size", 0xe4 + delta, FF_DWRD, -1, 4);
if(!numInterested--)
return 0;
// NOTE(review): directory index 14 is the CLR (.NET) runtime header in the
// current PE specification; the "Reserved0" name predates that use.
AddNZOffset(sHandle, "Reserved0_table_RVA", 0xe8 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "Reserved0_table_size", 0xec + delta, FF_DWRD, -1, 4);
if(!numInterested--)
return 0;
AddNZOffset(sHandle, "Reserved1_table_RVA", 0xf0 + delta, imageBase, PEoffset);
AddStrucMember(sHandle, "Reserved1_table_size", 0xf4 + delta, FF_DWRD, -1, 4);
}
// Defines the IDA structure type used to annotate one PE section-table
// entry. The structure name is DLL_name + PE_SECTION_STRUCTURE_NAME and the
// members cover 0x00..0x27.
//
// imageBase - base address of the image; used as the offset base for the
//             "relative_virtual_address" member.
// DLL_name  - prefix for the structure name (assumed to be a string).
//
// Returns -1 if the structure can neither be created nor found by name,
// 0 if a structure of that name already exists (no members are added in
// that case). After a fresh creation the function ends without an explicit
// return statement.
static CreatePESStruct(imageBase, DLL_name)
{
    auto structName;
    auto structId;

    structName = DLL_name + PE_SECTION_STRUCTURE_NAME;

#ifdef IDA_IS_OLD
    structId = AddStruc(-1, structName);
#else
    structId = AddStrucEx(-1, structName, 0);
#endif

    if(structId == -1)
    {
        // Creation failed: an existing structure of the same name is accepted
        // as-is, anything else is reported.
        if(GetStrucIdByName(structName) != -1)
        {
            return 0;
        }
        WarningMessage("Unable to create the " + DLL_name + PE_SECTION_STRUCTURE_NAME + " structure!\n");
        return -1;
    }

    AddStrucMember(structId, "name",                        0x00, FF_ASCI, -1, 8);
    AddStrucMember(structId, "virtual_size",                0x08, FF_DWRD, -1, 4);

    // The section RVA is typed as an offset from imageBase, unconditionally
    // (even when the stored value is zero).
    AddStrucMember(structId, "relative_virtual_address",    0x0c, FF_DWRD | FF_0OFF, imageBase, 4);

    // File-relative fields stay plain dwords/words.
    AddStrucMember(structId, "size_in_file",                0x10, FF_DWRD, -1, 4);
    AddStrucMember(structId, "offset_in_file",              0x14, FF_DWRD, -1, 4);
    AddStrucMember(structId, "file_offset_to_relocs",       0x18, FF_DWRD, -1, 4);
    AddStrucMember(structId, "file_offset_to_line_numbers", 0x1c, FF_DWRD, -1, 4);
    AddStrucMember(structId, "number_of_relocs",            0x20, FF_WORD, -1, 2);
    AddStrucMember(structId, "number_of_line_numbers",      0x22, FF_WORD, -1, 2);
    AddStrucMember(structId, "flags",                       0x24, FF_DWRD, -1, 4);
}
/*
sec per day = sd = 24*60*60 = 86400 = 0x00015180
sec per normal year = sy = 365*sd = 31536000 = 0x01e13380
sec per leap year = sly = sy + sd = 31622400 = 0x01e28500
sec per normal 4 year cycle (with no leap year)
= s4y = 4*sy = 126144000 = 0x0784ce00
sec per normal 4 year cycle (with one leap year)
= s4ly = 4*sy + sd = 126230400 = 0x07861f80
sec per normal 100 year cycle (not including the leap years)
= s100y = 25*s4y = 3153600000 = 0xbbf81e00
sec per normal 100 year cycle (including the leap years)
= s100ly = 25*s4ly = 3155760000 = 0xbc191380
sec till 1972 = s1972 = 2*sy = 63072000 = 0x03c26700
sec till 2000 = s2000 = 2*sy + 7*s4ly = 946684800 = 0x386d4380
sec in 100 year cycle after 1999 (not including 1999)
= c100 = 25*s4ly = 3155760000 = 0xbc191380
sec till 2100 = s2100 = s2000 + 25*s4ly = 4102444800 = 0xf4865700
note: 2100 is not a leap year (centuries only on 400 year intervals).
*/
static ULDateToStr(TimeStamp)
{
auto year, month, day, hour, min;
auto leap;
auto RetString;
if((TimeStamp == 0xffffffff) || (TimeStamp == 0))
{
return "uninitialized";
}
// note: ida doesn't support unsigned values... there for...
year = 1970;
while(TimeStamp < 0)
{
year = year + 68; // ok, since 2000 is a leap year.
TimeStamp = TimeStamp - 2145916800; // 68 years (in seconds)
}
leap = TimeStamp/126230400; // div by 4 year cycle number (with leap year)
TimeStamp = TimeStamp - leap*126230400;
year = year + leap*4;
leap = 0;
if(TimeStamp >= 31536000)
{
year++;
TimeStamp = TimeStamp - 31536000;
if(TimeStamp >= 31536000)
{
year++;
TimeStamp = TimeStamp - 31536000;
if(year != 2100)
{
if(TimeStamp >= 31622400)
{
year++;
TimeStamp = TimeStamp - 31622400;
}
else
{
leap = 1;
}
}
else
{
if(TimeStamp >= 31536000)
{
year++;
TimeStamp = TimeStamp - 31536000;
if(TimeStamp >= 31536000)
{
// because this is not a leap year we might have one too many days.
year++;
TimeStamp = TimeStamp - 31536000;
}