pe_analy.cc

功能较全面的反汇编器：反汇编器ht-2.0.15.tar.gz

 */
Address *PEAnalyser::createAddress64(uint64 addr)
{
	return new AddressFlat64(addr);
}

Address *PEAnalyser::createAddress()
{
	switch (pe_shared->coffheader.machine) {
		case COFF_MACHINE_I386:
		case COFF_MACHINE_I486:
		case COFF_MACHINE_I586:
			if (pe_shared->opt_magic == COFF_OPTMAGIC_PE64) {
				return new AddressFlat64();
			} else {
				return new AddressX86Flat32();
			}
	}
	if (pe_shared->opt_magic == COFF_OPTMAGIC_PE64) {
		return new AddressFlat64();
	}
	return new AddressFlat32();
}

/*
 *
 */
Assembler *PEAnalyser::createAssembler()
{
	Assembler *a = NULL;
	switch (pe_shared->coffheader.machine) {
	case COFF_MACHINE_I386:
	case COFF_MACHINE_I486:
	case COFF_MACHINE_I586:
		a = new x86asm(X86_OPSIZE32, X86_ADDRSIZE32);
		a->init();
		return a;
	case COFF_MACHINE_AMD64:
		a = new x86_64asm();
		a->init();
		return a;
	}
	return a;
}

/*
 *
 */
FileOfs PEAnalyser::addressToFileofs(Address *Addr)
{
/*     char tbuf[1024];
	Addr->stringify(tbuf, 1024, 0);
	printf("ADDR=%s", tbuf);*/
	if (validAddress(Addr, scinitialized)) {
//     	printf(" v1\n");
		FileOfs ofs;
		RVA r;
		if (!convertAddressToRVA(Addr, &r)) return INVALID_FILE_OFS;
		if (!pe_rva_to_ofs(&pe_shared->sections, r, &ofs)) return INVALID_FILE_OFS;
		return ofs;
	} else {
//     	printf(" IV1\n");
		return INVALID_FILE_OFS;
	}
}

/*
 *
 */
const char *PEAnalyser::getSegmentNameByAddress(Address *Addr)
{
	static char sectionname[9];
	pe_section_headers *sections=&pe_shared->sections;
	int i;
	RVA r;
//	Addr-=pe_shared->pe32.header_nt.image_base;
	if (!convertAddressToRVA(Addr, &r)) return NULL;
	pe_rva_to_section(sections, r, &i);
	COFF_SECTION_HEADER *s=sections->sections+i;
	if (!pe_rva_is_valid(sections, r)) return NULL;
	memcpy(sectionname, s->name, 8);
	sectionname[8] = 0;
	return sectionname;
}

/*
 *
 */
String &PEAnalyser::getName(String &s)
{
	return file->getDesc(s);
}

/*
 *
 */
const char *PEAnalyser::getType()
{
	return "PE/Analyser";
}

/*
 *
 */
void PEAnalyser::initCodeAnalyser()
{
	Analyser::initCodeAnalyser();
}

static char *string_func(uint32 ofs, void *context)
{
	char str[1024];
	static char str2[1024];
	ht_pe_shared_data *pe = (ht_pe_shared_data*)context;
	if (ofs < pe->il->string_pool_size) {
		uint32 length;
		uint32 o = ILunpackDword(length, (byte*)&pe->il->string_pool[ofs], 10);
		wide_char_to_multi_byte(str, (byte*)&pe->il->string_pool[ofs+o], length/2+1);
		escape_special_str(str2, sizeof str2, str, "\"");
		return str2;
	} else {
		return NULL;
	}
}

static char *token_func(uint32 token, void *context)
{
	static char tokenstr[1024];
//	ht_pe_shared_data *pe = (ht_pe_shared_data*)context;
	switch (token & IL_META_TOKEN_MASK) {
	case IL_META_TOKEN_TYPE_REF:
	case IL_META_TOKEN_TYPE_DEF: {
		sprintf(tokenstr, "typedef");
		break;
	}
	case IL_META_TOKEN_FIELD_DEF: {
		sprintf(tokenstr, "fielddef");
		break;
	}
	case IL_META_TOKEN_METHOD_DEF: {
		sprintf(tokenstr, "methoddef");
		break;
	}
	case IL_META_TOKEN_MEMBER_REF: {
		sprintf(tokenstr, "memberref");
		break;
	}
	case IL_META_TOKEN_TYPE_SPEC: {
		sprintf(tokenstr, "typespec");
		break;
	}
	default:
		return NULL;
	}
	return tokenstr;
}

/*
 *
 */
void PEAnalyser::initUnasm()
{
	bool pe64 = false;
	if (pe_shared->opt_magic == COFF_OPTMAGIC_PE64) {
		pe64 = true;
	}
	DPRINTF("pe_analy: ");
	if (pe_shared->il) {
		analy_disasm = new AnalyILDisassembler();
		((AnalyILDisassembler *)analy_disasm)->init(this, string_func, token_func, pe_shared);
	} else {
		switch (pe_shared->coffheader.machine) {
		case COFF_MACHINE_I386:	// Intel 386
		case COFF_MACHINE_I486:	// Intel 486
		case COFF_MACHINE_I586:	// Intel 586
			if (pe64) {
				errorbox("x86 cant be used in PE64 format.");
			} else {
				DPRINTF("initing analy_x86_disassembler\n");
				analy_disasm = new AnalyX86Disassembler();
				((AnalyX86Disassembler *)analy_disasm)->init(this, 0);
			}
			break;
		case COFF_MACHINE_AMD64:
			if (!pe64) {
				errorbox("x86_64 cant be used in PE32 format.");
			} else {
				analy_disasm = new AnalyX86Disassembler();
				((AnalyX86Disassembler *)analy_disasm)->init(this, ANALYX86DISASSEMBLER_FLAGS_AMD64);
			}
			break;
		case COFF_MACHINE_R3000:	// MIPS little-endian, 0x160 big-endian
			DPRINTF("no apropriate disassembler for MIPS\n");
			warnbox("No disassembler for MIPS!");
			break;
		case COFF_MACHINE_R4000:	// MIPS little-endian
			DPRINTF("no apropriate disassembler for MIPS\n");
			warnbox("No disassembler for MIPS!");
			break;
		case COFF_MACHINE_R10000:	// MIPS little-endian
			DPRINTF("no apropriate disassembler for MIPS\n");
			warnbox("No disassembler for MIPS!");
			break;
		case COFF_MACHINE_ALPHA:	// Alpha_AXP
			DPRINTF("initing alpha_axp_disassembler\n");
			analy_disasm = new AnalyAlphaDisassembler();
			((AnalyAlphaDisassembler *)analy_disasm)->init(this);
			break;
		case COFF_MACHINE_POWERPC_LE:	// IBM PowerPC Little-Endian
			DPRINTF("no apropriate disassembler for POWER PC\n");
			warnbox("No disassembler for little endian POWER PC!");
			break;
		case COFF_MACHINE_POWERPC_BE:
		case COFF_MACHINE_POWERPC64_BE:
			analy_disasm = new AnalyPPCDisassembler();
			((AnalyPPCDisassembler*)analy_disasm)->init(this, pe64 ? ANALY_PPC_64 : ANALY_PPC_32);
			break;
		case COFF_MACHINE_IA64:
			if (!pe64) {
				errorbox("Intel IA64 cant be used in PE32 format.");
			} else {
				analy_disasm = new AnalyIA64Disassembler();
				((AnalyIA64Disassembler*)analy_disasm)->init(this);
			}
			break;
		case COFF_MACHINE_ARM: // ARM
		case COFF_MACHINE_THUMB: // Thumb
			DPRINTF("initing arm_disassembler\n");
			analy_disasm = new AnalyArmDisassembler();
			((AnalyArmDisassembler *)analy_disasm)->init(this);
                        break;
		case COFF_MACHINE_UNKNOWN:
		default:
			DPRINTF("no apropriate disassembler for machine %04x\n", pe_shared->coffheader.machine);
			warnbox("No disassembler for unknown machine type %04x!", pe_shared->coffheader.machine);
		}
	}
}

/*
 *
 */
void PEAnalyser::log(const char *msg)
{
	/*
	 *	log() creates to much traffic so dont log
	 *   perhaps we reactivate this later
	 *
	 */
/*	LOG(msg);*/
}

/*
 *
 */
Address *PEAnalyser::nextValid(Address *Addr)
{
	return (Address *)validarea->findNext(Addr);
}

/*
 *
 */
void PEAnalyser::store(ObjectStream &st) const
{
	PUT_OBJECT(st, validarea);
	Analyser::store(st);
}

/*
 *
 */
int	PEAnalyser::queryConfig(int mode)
{
	switch (mode) {
	case Q_DO_ANALYSIS:
	case Q_ENGAGE_CODE_ANALYSER:
	case Q_ENGAGE_DATA_ANALYSER:
		return true;
	default:
		return 0;
	}
}

/*
 *
 */
Address *PEAnalyser::fileofsToAddress(FileOfs fileofs)
{
	RVA r;
	if (pe_ofs_to_rva(&pe_shared->sections, fileofs, &r)) {
		if (pe_shared->opt_magic == COFF_OPTMAGIC_PE32) {
			return createAddress32(r + pe_shared->pe32.header_nt.image_base);
		} else {
			return createAddress64(r + pe_shared->pe64.header_nt.image_base);
		}
	} else {
		return new InvalidAddress();
	}
}

/*
 *
 */
bool PEAnalyser::validAddress(Address *Addr, tsectype action)
{
	pe_section_headers *sections=&pe_shared->sections;
	int sec;
	RVA r;
	if (!convertAddressToRVA(Addr, &r)) return false;
	if (!pe_rva_to_section(sections, r, &sec)) return false;
	COFF_SECTION_HEADER *s=sections->sections+sec;
	switch (action) {
	case scvalid:
		return true;
	case scread:
		return s->characteristics & COFF_SCN_MEM_READ;
	case scwrite:
		return s->characteristics & COFF_SCN_MEM_WRITE;
	case screadwrite:
		return s->characteristics & COFF_SCN_MEM_WRITE;
	case sccode:
		// FIXME: EXECUTE vs. CNT_CODE ?
		if (!pe_rva_is_physical(sections, r)) return false;
		return (s->characteristics & (COFF_SCN_MEM_EXECUTE | COFF_SCN_CNT_CODE));
	case scinitialized:
		if (!pe_rva_is_physical(sections, r)) return false;
		return true;
		// !(s->characteristics & COFF_SCN_CNT_UNINITIALIZED_DATA);
	}
	return false;
}