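/**
 * Returns the entry point of an executable image as a virtual address.
 *
 * The buffer is tried as a PE first and as an ELF second. Its content is
 * whatever is being scanned, so every header field read here is untrusted.
 *
 * @param buffer         Start of the image.
 * @param buffer_length  Number of readable bytes at buffer.
 * @param base_address   Added to the PE AddressOfEntryPoint. It is not
 *                       applied to the ELF entry value.
 *
 * @return base_address + AddressOfEntryPoint for a PE that does not have
 *         IMAGE_FILE_DLL set, the header's entry field for an ELF whose
 *         type is ELF_ET_EXEC, and UNDEFINED in every other case.
 */
uint64_t yr_get_entry_point_address(
    const uint8_t* buffer,
    size_t buffer_length,
    uint64_t base_address)
{
  PIMAGE_NT_HEADERS32 pe_header;

  elf32_header_t* elf_header32;
  elf64_header_t* elf_header64;

  // NOTE(review): header fields are used in host byte order in this
  // function, while yr_get_entry_point_offset converts them with
  // yr_le32toh / yr_le64toh. Confirm the difference is intended.

  // Presumably returns NULL unless the NT headers lie inside the buffer;
  // that validation is not visible here, verify in yr_get_pe_header.
  pe_header = yr_get_pe_header(buffer, buffer_length);

  // If file is PE but not a DLL.
  if (pe_header != NULL &&
      !(pe_header->FileHeader.Characteristics & IMAGE_FILE_DLL))
    return base_address + pe_header->OptionalHeader.AddressOfEntryPoint;

  // If file is executable ELF, not shared library.
  switch (yr_get_elf_type(buffer, buffer_length))
  {
    case ELF_CLASS_32:
      // Bound the header read locally instead of depending on whatever
      // length check yr_get_elf_type performs: a truncated file must not
      // lead to a read past the end of the buffer.
      if (buffer_length < sizeof(elf32_header_t))
        break;

      elf_header32 = (elf32_header_t*) buffer;

      if (elf_header32->type == ELF_ET_EXEC)
        return elf_header32->entry;

      break;

    case ELF_CLASS_64:
      if (buffer_length < sizeof(elf64_header_t))
        break;

      elf_header64 = (elf64_header_t*) buffer;

      if (elf_header64->type == ELF_ET_EXEC)
        return elf_header64->entry;

      break;

    default:
      break;
  }

  return UNDEFINED;
}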
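/**
 * Returns the entry point of an executable file as an offset into buffer.
 *
 * The buffer is tried as a PE first and as an ELF second. Its content is
 * whatever is being scanned, so every header field read here is untrusted.
 * The entry point RVA is converted from little-endian and handed to the
 * matching rva-to-offset helper, whose result is returned unchanged.
 *
 * @param buffer         Start of the file data.
 * @param buffer_length  Number of readable bytes at buffer.
 *
 * @return The value produced by yr_pe_rva_to_offset,
 *         yr_elf_rva_to_offset_32 or yr_elf_rva_to_offset_64, or UNDEFINED
 *         when the buffer is neither a PE nor a 32/64-bit ELF, or is too
 *         short to hold the ELF header.
 */
uint64_t yr_get_entry_point_offset(
    const uint8_t* buffer,
    size_t buffer_length)
{
  PIMAGE_NT_HEADERS32 pe_header;

  elf32_header_t* elf_header32;
  elf64_header_t* elf_header64;

  // Presumably returns NULL unless the NT headers lie inside the buffer;
  // that validation is not visible here, verify in yr_get_pe_header.
  pe_header = yr_get_pe_header(buffer, buffer_length);

  if (pe_header != NULL)
  {
    // The helper is given only the bytes from the PE header to the end of
    // the buffer. This assumes pe_header points inside buffer, otherwise
    // the subtraction would wrap.
    return yr_pe_rva_to_offset(
        pe_header,
        yr_le32toh(pe_header->OptionalHeader.AddressOfEntryPoint),
        buffer_length - ((const uint8_t*) pe_header - buffer));
  }

  switch (yr_get_elf_type(buffer, buffer_length))
  {
    case ELF_CLASS_32:
      // Bound the header read locally instead of depending on whatever
      // length check yr_get_elf_type performs: a truncated file must not
      // lead to a read past the end of the buffer.
      if (buffer_length < sizeof(elf32_header_t))
        break;

      elf_header32 = (elf32_header_t*) buffer;

      return yr_elf_rva_to_offset_32(
          elf_header32,
          yr_le32toh(elf_header32->entry),
          buffer_length);

    case ELF_CLASS_64:
      if (buffer_length < sizeof(elf64_header_t))
        break;

      elf_header64 = (elf64_header_t*) buffer;

      return yr_elf_rva_to_offset_64(
          elf_header64,
          yr_le64toh(elf_header64->entry),
          buffer_length);

    default:
      break;
  }

  return UNDEFINED;
}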
/**
 * Tells whether yr_get_pe_header finds a PE header in the buffer.
 *
 * @param buffer         Start of the file data.
 * @param buffer_length  Number of readable bytes at buffer.
 *
 * @return 1 when yr_get_pe_header returns a non-NULL header, 0 otherwise.
 */
int yr_file_is_pe(
    uint8_t* buffer,
    size_t buffer_length)
{
  // All validation is delegated to yr_get_pe_header; a NULL result means
  // the buffer was not accepted as a PE.
  if (yr_get_pe_header(buffer, buffer_length) == NULL)
    return 0;

  return 1;
}