/*
 *  Copyright (C) 2007-2008 Sourcefire, Inc.
 *
 *  Authors: Alberto Wu, Tomasz Kojm
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2 as
 *  published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 *  MA 02110-1301, USA.
 */

#ifndef __PE_H
#define __PE_H

#include "clamav.h"
#include "execs.h"
#include "others.h"
#include "cltypes.h"
#include "fmap.h"
#include "bcfeatures.h"
/** @file */
/** Header for this PE file
  \group_pe
  The PE signature followed by the COFF file header, laid out exactly as it
  appears on disk (24 bytes). Member order and widths mirror the file format
  and must not be changed. Every field is read straight from the scanned
  file and is therefore under the control of whoever produced the file;
  counts and sizes (NumberOfSections, SizeOfOptionalHeader) have to be
  range-checked before they drive a read or a loop. */
struct pe_image_file_hdr {
    uint32_t Magic;  /**< PE magic header: PE\\0\\0 */
    uint16_t Machine;/**< CPU this executable runs on, see libclamav/pe.c for possible values */
    uint16_t NumberOfSections;/**< Number of sections in this executable; bounds every walk of the section table, so it must be validated against the mapped file size before use */
    uint32_t TimeDateStamp;   /**< Unreliable: freely settable by the producer, not a trustworthy build time */
    uint32_t PointerToSymbolTable;	    /**< debug: file offset of the COFF symbol table, not validated here */
    uint32_t NumberOfSymbols;		    /**< debug: entry count of the COFF symbol table */
    uint16_t SizeOfOptionalHeader;	    /**< == 224 (the size of pe_image_optional_hdr32); the file may claim any value, so it must be checked before the optional header is read */
    uint16_t Characteristics;           /**< COFF image attribute flags (executable vs. DLL, etc.) */
};

/** PE data directory header
  \group_pe
  One entry of the optional header's DataDirectory table: an RVA/size pair
  describing where a table (exports, imports, resources, ...) lives in the
  loaded image. Both values are file-supplied; the RVA is not a file offset
  and presumably has to be translated via cli_rawaddr() (confirm in
  libclamav/pe.c), and Size must be checked against what is actually mapped
  before anything is read through it. */
struct pe_image_data_dir {
    uint32_t VirtualAddress; /**< RVA of the table, relative to ImageBase */
    uint32_t Size;           /**< size of the table in bytes, as claimed by the file */
};

/** 32-bit PE optional header
  \group_pe
  Layout of the PE32 optional header as it appears in the file. Field order
  and widths match the on-disk format, so members must not be reordered or
  resized. The struct is 224 bytes (96-byte fixed part plus 16 data
  directories of 8 bytes), the value pe_image_file_hdr::SizeOfOptionalHeader
  is expected to carry. Every field is file-supplied: alignments and sizes
  must be range-checked before they are used in arithmetic or allocation. */
struct pe_image_optional_hdr32 {
    uint16_t Magic;                             /**< optional-header magic; distinguishes this PE32 layout from PE32+ (see libclamav/pe.c for accepted values) */
    uint8_t  MajorLinkerVersion;		    /**< unreliable */
    uint8_t  MinorLinkerVersion;		    /**< unreliable */
    uint32_t SizeOfCode;			    /**< unreliable */
    uint32_t SizeOfInitializedData;		    /**< unreliable */
    uint32_t SizeOfUninitializedData;		    /**< unreliable */
    uint32_t AddressOfEntryPoint;               /**< RVA of the entry point, not a file offset; may point outside any section in crafted files */
    uint32_t BaseOfCode;                        /**< RVA of the start of the code section */
    uint32_t BaseOfData;                        /**< RVA of the start of the data section; PE32 only, absent from pe_image_optional_hdr64 */
    uint32_t ImageBase;				    /**< multiple of 64 KB */
    uint32_t SectionAlignment;			    /**< usually 32 or 4096; file-supplied, so a zero or non-power-of-two value must be rejected before it is used as a divisor or rounding unit */
    uint32_t FileAlignment;			    /**< usually 32 or 512; same caveat as SectionAlignment */
    uint16_t MajorOperatingSystemVersion;	    /**< not used */
    uint16_t MinorOperatingSystemVersion;	    /**< not used */
    uint16_t MajorImageVersion;			    /**< unreliable */
    uint16_t MinorImageVersion;			    /**< unreliable */
    uint16_t MajorSubsystemVersion;             /**< minimum subsystem version the image requires */
    uint16_t MinorSubsystemVersion;
    uint32_t Win32VersionValue;			    /**< reserved (zero) in the PE/COFF spec; meaning unknown to the original authors */
    uint32_t SizeOfImage;                       /**< claimed size of the loaded image including headers; unvalidated here */
    uint32_t SizeOfHeaders;                     /**< claimed combined size of all headers, rounded to FileAlignment; unvalidated here */
    uint32_t CheckSum;				    /**< NT drivers only */
    uint16_t Subsystem;                         /**< subsystem required to run the image (GUI, console, native, ...) */
    uint16_t DllCharacteristics;                /**< image-level flag bits (DLL characteristics) */
    uint32_t SizeOfStackReserve;
    uint32_t SizeOfStackCommit;
    uint32_t SizeOfHeapReserve;
    uint32_t SizeOfHeapCommit;
    uint32_t LoaderFlags;			    /**< reserved (zero) in the PE/COFF spec; meaning unknown to the original authors */
    uint32_t NumberOfRvaAndSizes;		    /**< unreliable: the file may claim more than the 16 entries this struct holds, so never index DataDirectory by it without clamping */
    struct pe_image_data_dir DataDirectory[16]; /**< export, import, resource, ... directories; fixed at 16 entries regardless of NumberOfRvaAndSizes */
};

/** PE 64-bit optional header
  \group_pe
  Layout of the PE32+ optional header as it appears in the file. It differs
  from pe_image_optional_hdr32 in three places only: there is no BaseOfData,
  and ImageBase and the four stack/heap sizes are 64-bit. The struct is
  240 bytes (112-byte fixed part plus 16 data directories of 8 bytes) and
  contains no implicit padding. Field order and widths must not be changed.
  All values are file-supplied and untrusted. */
struct pe_image_optional_hdr64 {
    uint16_t Magic;                             /**< optional-header magic; distinguishes this PE32+ layout from PE32 (see libclamav/pe.c for accepted values) */
    uint8_t  MajorLinkerVersion;		    /**< unreliable */
    uint8_t  MinorLinkerVersion;		    /**< unreliable */
    uint32_t SizeOfCode;			    /**< unreliable */
    uint32_t SizeOfInitializedData;		    /**< unreliable */
    uint32_t SizeOfUninitializedData;		    /**< unreliable */
    uint32_t AddressOfEntryPoint;               /**< RVA of the entry point, not a file offset; may point outside any section in crafted files */
    uint32_t BaseOfCode;                        /**< RVA of the start of the code section */
    uint64_t ImageBase;				    /**< multiple of 64 KB; 64-bit here, unlike the PE32 header */
    uint32_t SectionAlignment;			    /**< usually 32 or 4096; file-supplied, so a zero or non-power-of-two value must be rejected before it is used as a divisor or rounding unit */
    uint32_t FileAlignment;			    /**< usually 32 or 512; same caveat as SectionAlignment */
    uint16_t MajorOperatingSystemVersion;	    /**< not used */
    uint16_t MinorOperatingSystemVersion;	    /**< not used */
    uint16_t MajorImageVersion;			    /**< unreliable */
    uint16_t MinorImageVersion;			    /**< unreliable */
    uint16_t MajorSubsystemVersion;             /**< minimum subsystem version the image requires */
    uint16_t MinorSubsystemVersion;
    uint32_t Win32VersionValue;			    /**< reserved (zero) in the PE/COFF spec; meaning unknown to the original authors */
    uint32_t SizeOfImage;                       /**< claimed size of the loaded image including headers; unvalidated here */
    uint32_t SizeOfHeaders;                     /**< claimed combined size of all headers, rounded to FileAlignment; unvalidated here */
    uint32_t CheckSum;				    /**< NT drivers only */
    uint16_t Subsystem;                         /**< subsystem required to run the image (GUI, console, native, ...) */
    uint16_t DllCharacteristics;                /**< image-level flag bits (DLL characteristics) */
    uint64_t SizeOfStackReserve;                /**< 64-bit here, unlike the PE32 header */
    uint64_t SizeOfStackCommit;
    uint64_t SizeOfHeapReserve;
    uint64_t SizeOfHeapCommit;
    uint32_t LoaderFlags;			    /**< reserved (zero) in the PE/COFF spec; meaning unknown to the original authors */
    uint32_t NumberOfRvaAndSizes;		    /**< unreliable: the file may claim more than the 16 entries this struct holds, so never index DataDirectory by it without clamping */
    struct pe_image_data_dir DataDirectory[16]; /**< export, import, resource, ... directories; fixed at 16 entries regardless of NumberOfRvaAndSizes */
};

/** PE section header
  \group_pe
  One 40-byte entry of the section table that follows the optional header;
  there are pe_image_file_hdr::NumberOfSections of them. Layout mirrors the
  on-disk format and must not be changed. All offsets and sizes are
  file-supplied: PointerToRawData + SizeOfRawData can exceed the file length
  or wrap a 32-bit sum, so both must be validated against the mapped size
  before the section's bytes are touched. */
struct pe_image_section_hdr {
    uint8_t Name[8];			    /**< may not end with NULL: never hand it to strlen/strcmp/"%s"; copy into a 9-byte zero-terminated buffer first */
    /*
    union {
	uint32_t PhysicalAddress;
	uint32_t VirtualSize;
    } AddrSize;
    */
    uint32_t VirtualSize;               /**< size of the section once loaded; may legitimately differ from SizeOfRawData (larger for BSS-style data, smaller when the raw data is padded) */
    uint32_t VirtualAddress;            /**< RVA at which the section is mapped; not a file offset */
    uint32_t SizeOfRawData;		    /**< multiple of FileAlignment; claimed size of the section's bytes in the file */
    uint32_t PointerToRawData;		    /**< offset to the section's data; unchecked file offset */
    uint32_t PointerToRelocations;	    /**< object files only */
    uint32_t PointerToLinenumbers;	    /**< object files only */
    uint16_t NumberOfRelocations;	    /**< object files only */
    uint16_t NumberOfLinenumbers;	    /**< object files only */
    uint32_t Characteristics;           /**< section flag bits (code/data, readable/writable/executable, ...) */
};

<![CDATA[]]>/** Data for the bytecode PE hook
  \group_pe
  Snapshot of the parsed PE headers handed to the bytecode PE hook. Both
  optional-header variants are carried; presumably only the one matching the
  file's Magic is meaningful (confirm in libclamav/pe.c). The two dummy
  members are explicit padding that keeps opt64 (which contains uint64_t
  members) 8-byte aligned without relying on compiler-inserted padding, so
  the layout is the same on every ABI; do not remove or reorder members. The
  header copies inside are still the untrusted values from the file. */
struct cli_pe_hook_data {
  uint32_t offset;   /**< file offset of the PE headers; NOTE(review): inferred from the name, confirm against the caller */
  uint32_t ep; /**< EntryPoint as file offset */
  uint16_t nsections;/**< Number of sections */
  uint16_t dummy; /* align: pads nsections to a 4-byte boundary before file_hdr */
  struct pe_image_file_hdr file_hdr;/**< Header for this PE file */
  struct pe_image_optional_hdr32 opt32; /**< 32-bit PE optional header */
  uint32_t dummy2; /* align: brings opt64 to an 8-byte boundary */
  struct pe_image_optional_hdr64 opt64;/**< 64-bit PE optional header */
  struct pe_image_data_dir dirs[16]; /**< PE data directory header */
  uint32_t e_lfanew;/**< address of new exe header */
  uint32_t overlays;/**< number of overlays */
  int32_t overlays_sz;/**< size of overlays */
  uint32_t hdr_size;/**< internally needed by rawaddr */
};

/** Scan the PE file attached to @p ctx.
 *  Parses the headers declared above from untrusted file content; the
 *  return value is presumably a CL_* status from clamav.h (confirm in
 *  libclamav/pe.c). */
int cli_scanpe(cli_ctx *ctx);

/* Flag bits for the @p flags argument of cli_checkfp_pe(); combine with |.
 * The pairing of STATS with @p hashes and AUTHENTICODE with @p authsha1 is
 * inferred from the names; verify in libclamav/pe.c. */
#define CL_CHECKFP_PE_FLAG_NONE             0x00000000
#define CL_CHECKFP_PE_FLAG_STATS            0x00000001
#define CL_CHECKFP_PE_FLAG_AUTHENTICODE     0x00000002

/** Parse the PE headers from @p map into @p peinfo.
 *  @param map    memory map of the file being scanned (untrusted content).
 *  @param peinfo receives the parsed executable info; ownership of any
 *                memory it allocates is not documented here. */
int cli_peheader(fmap_t *map, struct cli_exe_info *peinfo);
/** False-positive check for a PE file (hash / Authenticode based, judging by
 *  the parameters; confirm in libclamav/pe.c).
 *  @param ctx      scan context.
 *  @param authsha1 output buffer for the Authenticode SHA-1 digest; size not
 *                  expressed in the prototype, so the caller must match the
 *                  definition.
 *  @param hashes   per-section statistics/hashes, used with
 *                  CL_CHECKFP_PE_FLAG_STATS.
 *  @param flags    bitwise OR of CL_CHECKFP_PE_FLAG_* values. */
int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uint32_t flags);

/* Parameters are unnamed in these two prototypes; their meaning is only
 * recoverable from the definitions in libclamav/pe.c. cli_rawaddr is, going
 * by its name and by cli_pe_hook_data::hdr_size ("needed by rawaddr"),
 * presumably the RVA-to-file-offset translation, taking the section table
 * and its entry count so the result can be bounded; any RVA fed to it comes
 * from the file and must be treated as hostile. findres presumably walks the
 * resource directory and invokes the callback per entry; its void* argument
 * is passed through to the callback. */
uint32_t cli_rawaddr(uint32_t, const struct cli_exe_section *, uint16_t, unsigned int *, size_t, uint32_t);
void findres(uint32_t, uint32_t, uint32_t, fmap_t *map, struct cli_exe_section *, uint16_t, uint32_t, int (*)(void *, uint32_t, uint32_t, uint32_t, uint32_t), void *);

#endif