uint64_t yr_get_entry_point_address(
const uint8_t* buffer,
size_t buffer_length,
uint64_t base_address)
{
PIMAGE_NT_HEADERS32 pe_header;
elf32_header_t* elf_header32;
elf64_header_t* elf_header64;
pe_header = yr_get_pe_header(buffer, buffer_length);
// If file is PE but not a DLL.
if (pe_header != NULL &&
!(pe_header->FileHeader.Characteristics & IMAGE_FILE_DLL))
return base_address + pe_header->OptionalHeader.AddressOfEntryPoint;
// If file is executable ELF, not shared library.
switch(yr_get_elf_type(buffer, buffer_length))
{
case ELF_CLASS_32:
elf_header32 = (elf32_header_t*) buffer;
if (elf_header32->type == ELF_ET_EXEC)
return elf_header32->entry;
break;
case ELF_CLASS_64:
elf_header64 = (elf64_header_t*) buffer;
if (elf_header64->type == ELF_ET_EXEC)
return elf_header64->entry;
break;
}
return UNDEFINED;
}
uint64_t yr_get_entry_point_offset(
const uint8_t* buffer,
size_t buffer_length)
{
PIMAGE_NT_HEADERS32 pe_header;
elf32_header_t* elf_header32;
elf64_header_t* elf_header64;
pe_header = yr_get_pe_header(buffer, buffer_length);
if (pe_header != NULL)
{
return yr_pe_rva_to_offset(
pe_header,
yr_le32toh(pe_header->OptionalHeader.AddressOfEntryPoint),
buffer_length - ((uint8_t*) pe_header - buffer));
}
switch(yr_get_elf_type(buffer, buffer_length))
{
case ELF_CLASS_32:
elf_header32 = (elf32_header_t*) buffer;
return yr_elf_rva_to_offset_32(
elf_header32,
yr_le32toh(elf_header32->entry),
buffer_length);
case ELF_CLASS_64:
elf_header64 = (elf64_header_t*) buffer;
return yr_elf_rva_to_offset_64(
elf_header64,
yr_le64toh(elf_header64->entry),
buffer_length);
}
return UNDEFINED;
}
int yr_file_is_pe(
uint8_t* buffer,
size_t buffer_length)
{
return (yr_get_pe_header(buffer, buffer_length) != NULL);
}
