//------------------------------------------------------------------------
// Read the PE header found at file offset _peoff and validate it.
// In: li=input to read from, _peoff=file offset of the header (stored in peoff),
//     silent=forwarded unchanged to pe64_to_pe()
// Returns: true if enough bytes were read, the signature is one of the
//          accepted ones and pe64_to_pe() succeeded; the imagebase is set
//          from the converted header only in that case.
inline bool pe_loader_t::read_header(linput_t *li, off_t _peoff, bool silent)
{
    peoff = _peoff;
    qlseek(li, peoff);
    // Zero the buffer before reading: after a short read the unread tail
    // is zeros rather than leftovers from a previous header.
    memset(&pe64, 0, sizeof(pe64));
    // Repeats the seek above to the same position.
    qlseek(li, peoff);
    size_t nread = qlread(li, &pe64, sizeof(pe64));

    // The minimum acceptable length depends on the header flavour; the magic
    // is taken from the bytes just read (zero if the read did not reach it).
    size_t required;
    if ( pe64.magic == MAGIC_P32_PLUS )
        required = qoffsetof(peheader64_t, subsys);
    else
        required = qoffsetof(peheader_t, subsys);

    // Lower bound: the read must extend past the offset of 'subsys'.
    // Upper bound: rejects any count larger than the buffer, which also
    // covers an error value wrapped into size_t (presumably qlread returns a
    // negative value on failure - confirm against its declaration).
    // NOTE(review): fields beyond the bytes actually read stay zero, so a
    // truncated file can still pass the length check.
    const bool length_ok = nread > required && nread <= sizeof(pe64);
    const bool known_sig = pe64.signature == PEEXE_ID
                        || pe64.signature == BPEEXE_ID
                        || pe64.signature == PLEXE_ID;

    // pe64_to_pe() is called only when the cheap checks have passed.
    if ( !length_ok || !known_sig || !pe64_to_pe(pe, pe64, silent) )
        return false;

    //initialize imagebase for loading
    set_imagebase((ea_t)pe.imagebase());
    return true;
}
//--------------------------------------------------------------------------
// Get PE header
// In: ea=DLL imagebase, nh=buffer to keep the answer (dereferenced without a
//     null check)
// Returns: offset to the headers, BADADDR means failure
// Notes:
//   - The previous comment described a 'child' flag (true: ea is an address
//     in the child process, false: an address in the debugger itself). This
//     signature has no such parameter; which address space _read_memory()
//     uses is not visible here.
//   - Every value parsed here comes from memory at 'ea', so the header offset
//     and header fields are whatever that memory holds. The only validation
//     is that each read returns the full length, that pe64_to_pe() accepts
//     the header and that the signature equals PEEXE_ID.
//   - Under __X64__ this function may also lower debapp_attrs.addrsize.
ea_t win32_debmod_t::get_pe_header(ea_t ea, peheader_t *nh)
{
  uint32 first_dword;
  if ( _read_memory(ea, &first_dword, sizeof(first_dword)) != sizeof(first_dword) )
    return BADADDR;

  // With an 'MZ' stub in front, the header offset is fetched from
  // ea+PE_PTROFF; otherwise the header is expected directly at ea (offset 0).
  uint32 hdr_off = 0;
  if ( ushort(first_dword) == MC2('M','Z')
    && _read_memory(ea+PE_PTROFF, &hdr_off, sizeof(hdr_off)) != sizeof(hdr_off) )
  {
    return BADADDR;
  }

  // hdr_off is used as read from memory, with no range check of its own;
  // an unreadable ea+hdr_off is caught by the length comparison below.
  peheader64_t raw;
  if ( _read_memory(ea+hdr_off, &raw, sizeof(raw)) != sizeof(raw) )
    return BADADDR;

  // Third argument is the 'silent' flag (see pe_loader_t::read_header); the
  // meaning of the fourth is not visible here - TODO confirm.
  if ( !pe64_to_pe(*nh, raw, true, true) || nh->signature != PEEXE_ID )
    return BADADDR;

#ifdef __X64__
  // Side effect: an 8-byte address size is reduced to 4 when the header
  // is not PE+.
  if ( debapp_attrs.addrsize == 8 && !raw.is_pe_plus() )
    debapp_attrs.addrsize = 4;
#endif
  return hdr_off;
}