diff --git a/parser-library/nt-headers.h b/parser-library/nt-headers.h
index ce9faf5..cc81cb8 100644
--- a/parser-library/nt-headers.h
+++ b/parser-library/nt-headers.h
@@ -2,11 +2,13 @@
 #define _NT_HEADERS
 #include
-//need an offsetof macro
+#define _offset(t, f) ((boost::uint32_t)(ptrdiff_t)&(((t*)0)->f))
 //need to pack these structure definitions
 //some constant definitions
+const boost::uint16_t MZ_MAGIC = 0x5A4D;
+const boost::uint16_t NUM_DIR_ENTRIES = 16;
 struct dos_header {
 boost::uint16_t e_magic;
@@ -40,4 +42,49 @@ struct file_header {
 boost::uint16_t Characteristics;
 };
+struct data_directory {
+ boost::uint32_t VirtualAddress;
+ boost::uint32_t Size;
+};
+
+struct optional_header_32 {
+ boost::uint16_t Magic;
+ boost::uint8_t MajorLinkerVersion;
+ boost::uint8_t MinorLinkerVersion;
+ boost::uint32_t SizeOfCode;
+ boost::uint32_t SizeOfInitializedData;
+ boost::uint32_t SizeOfUninitializedData;
+ boost::uint32_t AddressOfEntryPoint;
+ boost::uint32_t BaseOfCode;
+ boost::uint32_t BaseOfData;
+ boost::uint32_t ImageBase;
+ boost::uint32_t SectionAlignment;
+ boost::uint32_t FileAlignment;
+ boost::uint16_t MajorOperatingSystemVersion;
+ boost::uint16_t MinorOperatingSystemVersion;
+ boost::uint16_t MajorImageVersion;
+ boost::uint16_t MinorImageVersion;
+ boost::uint16_t MajorSubsystemVersion;
+ boost::uint16_t MinorSubsystemVersion;
+ boost::uint32_t Win32VersionValue;
+ boost::uint32_t SizeOfImage;
+ boost::uint32_t SizeOfHeaders;
+ boost::uint32_t CheckSum;
+ boost::uint16_t Subsystem;
+ boost::uint16_t DllCharacteristics;
+ boost::uint32_t SizeOfStackReserve;
+ boost::uint32_t SizeOfStackCommit;
+ boost::uint32_t SizeOfHeapReserve;
+ boost::uint32_t SizeOfHeapCommit;
+ boost::uint32_t LoaderFlags;
+ boost::uint32_t NumberOfRvaAndSizes;
+ data_directory DataDirectory[NUM_DIR_ENTRIES];
+};
+
+struct nt_header_32 {
+ boost::uint32_t Signature;
+ file_header FileHeader;
+ optional_header_32 OptionalHeader;
+};
+
 #endif
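Review bot: The `_offset` macro that replaces the removed `//need an offsetof macro` comment forms `&(((t*)0)->f)`, a null-pointer dereference that is undefined behaviour and that several compilers warn on or refuse to constant-fold; the standard `offsetof` from `<cstddef>` yields the same value without it. Suggested replacement: `#define _offset(t, f) ((boost::uint32_t)offsetof(t, f))` plus `#include <cstddef>` (the `#include` line in this hunk lost its target in extraction, so I cannot tell whether it already covers this). `MZ_MAGIC = 0x5A4D` is "MZ" read as a little-endian 16-bit value, which is worth stating next to the constant, e.g. `//"MZ" as a little-endian uint16`, since any big-endian host reading the bytes differently will miscompare. The `//need to pack these structure definitions` note stays in place while no packing pragma is added; see the note on the next hunk for a way to make it checkable.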
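Review bot: `optional_header_32` declares a fixed `DataDirectory[NUM_DIR_ENTRIES]` array alongside `NumberOfRvaAndSizes`, so any reader that copies the whole struct out of a file must first confirm that the optional-header size recorded in `file_header` (its other fields are above this hunk) and `NumberOfRvaAndSizes` cover the bytes it reads, and must treat entries beyond `NumberOfRvaAndSizes` or beyond 16 as absent; otherwise a malformed file drives reads past the header. Only the PE32 layout is declared, and nothing validates the `Magic` field; a constant beside `MZ_MAGIC` such as `const boost::uint16_t NT_OPTIONAL_32_MAGIC = 0x10B;` would let the parser reject PE32+ images (magic 0x20B, a different layout) instead of misreading them as PE32. Every field here is naturally aligned so the struct is 224 bytes without packing, but that is exactly the kind of silent assumption the `//need to pack` comment warns about; `BOOST_STATIC_ASSERT(sizeof(optional_header_32) == 224);` (boost is already in use) would pin it down.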
diff --git a/parser-library/parse.cpp b/parser-library/parse.cpp
index 6efbe14..9cbd109 100644
--- a/parser-library/parse.cpp
+++ b/parser-library/parse.cpp
@@ -26,10 +26,37 @@ list
getSections(bounded_buffer *file) {
 return sections;
 }
-pe_header getHeader(bounded_buffer *file) {
+bool readNtHeader(bounded_buffer *b, nt_header_32 &header) {
+
+ return false;
+}
+
+bool getHeader(bounded_buffer *file) {
 pe_header p;
- return p;
+ //start by reading MZ
+ ::uint16_t tmp = 0;
+ ::uint32_t curOffset = 0;
+ readWord(file, curOffset, tmp);
+ if(tmp != MZ_MAGIC) {
+ return false;
+ }
+
+ //read the offset to the NT headers
+ ::uint32_t offset;
+ curOffset = _offset(dos_header, e_lfanew)+curOffset;
+ if(readDword(file, curOffset, offset) == false) {
+ return false;
+ }
+ curOffset += offset;
+
+ //now, we can read out the fields of the NT headers
+ nt_header_32 nthdr;
+ if(readNtHeader(splitBuffer(file, curOffset, file->bufLen), nthdr) == false) {
+ return false;
+ }
+
+ return true;
 }
 parsed_pe *ParsePEFromFile(const char *filePath) {
@@ -59,7 +86,11 @@ parsed_pe *ParsePEFromFile(const char *filePath) {
 //now, we need to do some actual PE parsing and file carving.
 //get header information
- p->peHeader = getHeader(p->fileBuffer);
+ if(getHeader(p->fileBuffer) == false) {
+ deleteBuffer(p->fileBuffer);
+ delete p;
+ return NULL;
+ }
 //get the raw data of each section
 p->internal->secs = getSections(p->fileBuffer);
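Review bot: In `getHeader`, `offset` is the file's own `e_lfanew` and is added to `curOffset` with no check against `file->bufLen`, so a crafted header can point the `splitBuffer(file, curOffset, file->bufLen)` call past the end of the buffer (and a value near 0xFFFFFFFF wraps the 32-bit addition); whether that is caught depends on `splitBuffer`, which is not visible here. Rejecting it before `curOffset += offset;` is one line, `if(offset > file->bufLen - curOffset) { return false; }`, which is safe provided `readDword` succeeding implies `curOffset` lies within the buffer (assumed, since `readDword`'s bounds checking is not shown). The return value of `readWord` on the MZ read is discarded, so the magic check only works because `tmp` is pre-zeroed; `if(readWord(file, curOffset, tmp) == false || tmp != MZ_MAGIC)` makes that explicit and matches the `readDword` check below it. Note also that `readNtHeader` is stubbed to `return false`, so as committed every `getHeader` call fails, and `pe_header p;` is now an unused local.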
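Review bot: The new failure path in `ParsePEFromFile` frees `p->fileBuffer` and `p` but not `p->internal`, which the following `p->internal->secs` dereference suggests is already allocated above this hunk, so every rejected file leaks it; if it is created with `new`, add `delete p->internal;` before `delete p;`, or share one cleanup path with the function's other early returns if it has any. The removed line stored `getHeader`'s result in `p->peHeader`; the replacement never writes that field, so callers that read it get whatever the earlier initialization (outside the hunk) left there, which deserves a `//TODO: populate p->peHeader once readNtHeader is implemented` until that lands. The enclosing function begins and ends outside this hunk.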