Name Description Size
authenticode.rs 12160
certificate_table.rs 6901
characteristic.rs type characteristic = | IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LINE_NUMS_STRIPPED | IMAGE_FILE_LOCAL_SYMS_STRIPPED | IMAGE_FILE_AGGRESSIVE_WS_TRIM | IMAGE_FILE_LARGE_ADDRESS_AWARE | RESERVED | IMAGE_FILE_BYTES_REVERSED_LO | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DEBUG_STRIPPED | IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP | IMAGE_FILE_NET_RUN_FROM_SWAP | IMAGE_FILE_SYSTEM | IMAGE_FILE_DLL | IMAGE_FILE_UP_SYSTEM_ONLY | IMAGE_FILE_BYTES_REVERSED_HI | UNKNOWN of int let get_characteristic = function | 0x0001 -> IMAGE_FILE_RELOCS_STRIPPED | 0x0002 -> IMAGE_FILE_EXECUTABLE_IMAGE | 0x0004 -> IMAGE_FILE_LINE_NUMS_STRIPPED | 0x0008 -> IMAGE_FILE_LOCAL_SYMS_STRIPPED | 0x0010 -> IMAGE_FILE_AGGRESSIVE_WS_TRIM | 0x0020 -> IMAGE_FILE_LARGE_ADDRESS_AWARE | 0x0040 -> RESERVED | 0x0080 -> IMAGE_FILE_BYTES_REVERSED_LO | 0x0100 -> IMAGE_FILE_32BIT_MACHINE | 0x0200 -> IMAGE_FILE_DEBUG_STRIPPED | 0x0400 -> IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP | 0x0800 -> IMAGE_FILE_NET_RUN_FROM_SWAP | 0x1000 -> IMAGE_FILE_SYSTEM | 0x2000 -> IMAGE_FILE_DLL | 0x4000 -> IMAGE_FILE_UP_SYSTEM_ONLY | 0x8000 -> IMAGE_FILE_BYTES_REVERSED_HI | x -> UNKNOWN x let characteristic_to_string = function | IMAGE_FILE_RELOCS_STRIPPED -> "IMAGE_FILE_RELOCS_STRIPPED" | IMAGE_FILE_EXECUTABLE_IMAGE -> "IMAGE_FILE_EXECUTABLE_IMAGE" | IMAGE_FILE_LINE_NUMS_STRIPPED -> "IMAGE_FILE_LINE_NUMS_STRIPPED" | IMAGE_FILE_LOCAL_SYMS_STRIPPED -> "IMAGE_FILE_LOCAL_SYMS_STRIPPED" | IMAGE_FILE_AGGRESSIVE_WS_TRIM -> "IMAGE_FILE_AGGRESSIVE_WS_TRIM" | IMAGE_FILE_LARGE_ADDRESS_AWARE -> "IMAGE_FILE_LARGE_ADDRESS_AWARE" | RESERVED -> "RESERVED" | IMAGE_FILE_BYTES_REVERSED_LO -> "IMAGE_FILE_BYTES_REVERSED_LO" | IMAGE_FILE_32BIT_MACHINE -> "IMAGE_FILE_32BIT_MACHINE" | IMAGE_FILE_DEBUG_STRIPPED -> "IMAGE_FILE_DEBUG_STRIPPED" | IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP -> "IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP" | IMAGE_FILE_NET_RUN_FROM_SWAP -> "IMAGE_FILE_NET_RUN_FROM_SWAP" | IMAGE_FILE_SYSTEM -> "IMAGE_FILE_SYSTEM" | 
IMAGE_FILE_DLL -> "IMAGE_FILE_DLL" | IMAGE_FILE_UP_SYSTEM_ONLY -> "IMAGE_FILE_UP_SYSTEM_ONLY" | IMAGE_FILE_BYTES_REVERSED_HI -> "IMAGE_FILE_BYTES_REVERSED_HI" | UNKNOWN x -> Printf.sprintf "UNKNOWN_CHARACTERISTIC 0x%x" x let is_dll characteristics = let characteristic = characteristic_to_int IMAGE_FILE_DLL in characteristics land characteristic = characteristic let has characteristic characteristics = let characteristic = characteristic_to_int characteristic in characteristics land characteristic = characteristic (* TODO: this is a mad hack *) let show_type characteristics = if (has IMAGE_FILE_DLL characteristics) then "DLL" else if (has IMAGE_FILE_EXECUTABLE_IMAGE characteristics) then "EXE" else "MANY" (* print all *) 3946
data_directories.rs 5087
debug.rs 6186
exception.rs Exception handling and stack unwinding for x64. Exception information is exposed via the [`ExceptionData`] structure. If present in a PE file, it contains a list of [`RuntimeFunction`] entries that can be used to get [`UnwindInfo`] for a particular code location. Unwind information contains a list of unwind codes which specify the operations that are necessary to restore registers (including the stack pointer RSP) when unwinding out of a function. Depending on where the instruction pointer lies, there are three strategies to unwind: 1. If the RIP is within an epilog, then control is leaving the function, there can be no exception handler associated with this exception for this function, and the effects of the epilog must be continued to compute the context of the caller function. To determine if the RIP is within an epilog, the code stream from RIP on is examined. If that code stream can be matched to the trailing portion of a legitimate epilog, then it's in an epilog, and the remaining portion of the epilog is simulated, with the context record updated as each instruction is processed. After this, step 1 is repeated. 2. If the RIP lies within the prolog, then control has not entered the function, there can be no exception handler associated with this exception for this function, and the effects of the prolog must be undone to compute the context of the caller function. The RIP is within the prolog if the distance from the function start to the RIP is less than or equal to the prolog size encoded in the unwind info. The effects of the prolog are unwound by scanning forward through the unwind codes array for the first entry with an offset less than or equal to the offset of the RIP from the function start, then undoing the effect of all remaining items in the unwind code array. Step 1 is then repeated. 3. If the RIP is not within a prolog or epilog and the function has an exception handler, then the language-specific handler is called. 
The handler scans its data and calls filter functions as appropriate. The language-specific handler can return that the exception was handled or that the search is to be continued. It can also initiate an unwind directly. For more information, see [x64 exception handling]. [`ExceptionData`]: struct.ExceptionData.html [`RuntimeFunction`]: struct.RuntimeFunction.html [`UnwindInfo`]: struct.UnwindInfo.html [x64 exception handling]: https://docs.microsoft.com/en-us/cpp/build/exception-handling-x64?view=vs-2017 40112
export.rs 21943
header.rs 18757
import.rs 14164
mod.rs A PE32 and PE32+ parser 29610
optional_header.rs 15447
options.rs 804
relocation.rs 5204
section_table.rs 12271
symbol.rs 20481
utils.rs 6242