/// @brief Dump the parts of a PE file that this tool understands, in a fixed
///        order, and then report the warnings gathered along the way.
/// @param process  Process the file is associated with; forwarded unchanged to
///                 every Dump* helper.
/// @param pe_file  PE file to dump. Queried here only for bitness and size.
/// @param path     Path of the file, handed to HandleWarnings for reporting.
void DumpPeFile(hadesmem::Process const& process,
                hadesmem::PeFile const& pe_file,
                std::wstring const& path)
{
  std::wostream& output = GetOutputStreamW();

  // Warnings are tracked per file, so reset the tracker before writing anything.
  ClearWarnForCurrentFile();

  WriteNewline(output);
  std::wstring const bitness_line =
    pe_file.Is64() ? L"64-Bit File: Yes" : L"64-Bit File: No";
  WriteNormal(output, bitness_line, 1);

  // 100 MB. Large files are only flagged, not treated as unsupported, so that
  // they can be picked out for performance testing.
  std::uint32_t const kLargeFileThreshold = 100U * (1U << 20);
  if (pe_file.GetSize() > kLargeFileThreshold)
  {
    WriteNewline(output);
    WriteNormal(output, L"WARNING! File is over 100MB.", 0);
    // WarnForCurrentFile(WarningType::kUnsupported);
  }

  // The sequence below is part of the output format; keep it fixed.
  DumpHeaders(process, pe_file);
  DumpSections(process, pe_file);
  DumpOverlay(process, pe_file);
  DumpTls(process, pe_file);
  DumpExports(process, pe_file);

  // DumpImports sets this flag and DumpBoundImports consumes it, so the two
  // calls must stay adjacent and in this order.
  bool saw_new_bound_imports = false;
  DumpImports(process, pe_file, saw_new_bound_imports);
  DumpBoundImports(process, pe_file, saw_new_bound_imports);

  DumpRelocations(process, pe_file);

  // String dumping is opt-in and is skipped entirely in quiet mode.
  bool const dump_strings = g_strings && !g_quiet;
  if (dump_strings)
  {
    DumpStrings(process, pe_file);
  }

  HandleWarnings(path);
}
/// @brief Dump the parts of a PE file that this tool understands, in a fixed
///        order, and then report the warnings gathered along the way.
/// @param process  Process the file is associated with; forwarded unchanged to
///                 every Dump* helper.
/// @param pe_file  PE file to dump. Queried here only for its size.
/// @param path     Path of the file, handed to HandleWarnings for reporting.
void DumpPeFile(hadesmem::Process const& process,
                hadesmem::PeFile const& pe_file,
                std::wstring const& path)
{
  // All output in this variant goes straight to the console.
  std::wostream& output = std::wcout;

  // Warnings are tracked per file, so reset the tracker before writing anything.
  ClearWarnForCurrentFile();

  // 100 MB. Files above this are flagged and recorded as "unsupported" even
  // though they are still fully dumped.
  std::uint32_t const kLargeFileThreshold = 100U * (1U << 20);
  if (pe_file.GetSize() > kLargeFileThreshold)
  {
    WriteNewline(output);
    WriteNormal(output, L"WARNING! File is over 100MB.", 0);
    WarnForCurrentFile(WarningType::kUnsupported);
  }

  // The sequence below is part of the output format; keep it fixed.
  DumpHeaders(process, pe_file);
  DumpSections(process, pe_file);
  DumpTls(process, pe_file);
  DumpExports(process, pe_file);

  // DumpImports sets this flag and DumpBoundImports consumes it, so the two
  // calls must stay adjacent and in this order.
  bool saw_new_bound_imports = false;
  DumpImports(process, pe_file, saw_new_bound_imports);
  DumpBoundImports(process, pe_file, saw_new_bound_imports);

  DumpRelocations(process, pe_file);
  DumpStrings(process, pe_file);

  HandleWarnings(path);
}
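/// @brief Validate the DOS and NT headers of a mapped PE file, then dump the
///        parts selected by the g_fHeaders / g_fExports / g_fImports switches.
/// @param hFileView  Base address of the mapped file; the DOS header is
///                   expected at offset 0.
/// @param pf64bit    Written by DumpFileHeader, which only runs when
///                   g_fHeaders is set (unchanged from the original behaviour).
/// @return TRUE when the headers were accepted and the requested dumps ran,
///         FALSE (after printing a message) on a missing or unsupported header.
BOOL BeginFileScan(HANDLE hFileView, BOOL *pf64bit)
{
    PIMAGE_DOS_HEADER pDOSHeader = (PIMAGE_DOS_HEADER)hFileView;
    PIMAGE_NT_HEADERS pNTHeaders = NULL;

#ifdef _DEBUG
    // %p prints the whole pointer; casting it to DWORD truncates on 64-bit builds.
    wprintf_s(L"Filebase/DOSHeader: %p\n", (void*)pDOSHeader);
#endif

    // verify "MZ" in the DOS header
    if (pDOSHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        wprintf_s(L"Valid DOS stub not found. Aborting...\n");
        return FALSE;
    }

    // e_lfanew is a signed offset read straight from the file. A negative
    // value would place the NT headers before the start of the mapping.
    // The upper bound cannot be checked here because this signature does not
    // carry the size of the view -- TODO(review): pass the mapping size and
    // reject any e_lfanew that leaves no room for IMAGE_NT_HEADERS.
    if (pDOSHeader->e_lfanew < 0)
    {
        wprintf_s(L"Invalid e_lfanew in DOS header. Aborting...\n");
        return FALSE;
    }

    pNTHeaders = (PIMAGE_NT_HEADERS)((BYTE*)pDOSHeader + pDOSHeader->e_lfanew);

    // The two checks below previously ran only under g_fHeaders, so with
    // header dumping switched off the export/import dumpers walked an
    // unverified header. They now guard every later use of pNTHeaders.
    // verify "PE00" at offset given by e_lfanew in IMAGE_DOS_HEADER
    if (pNTHeaders->Signature != IMAGE_NT_SIGNATURE)
    {
        wprintf_s(L"Valid PE signature not found. Aborting...\n");
        return FALSE;
    }

    // PIMAGE_NT_HEADERS is the PE32 layout; the data directory sits at a
    // different offset in a PE32+ optional header, so anything else would be
    // misread by the export/import dumpers below.
    if (pNTHeaders->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    {
        wprintf_s(L"Unsupported IMAGE_OPTIONAL_HEADER magic: %d\n", pNTHeaders->OptionalHeader.Magic);
        return FALSE;
    }

    // Publish the NT headers in the global info struct only once validated,
    // so a rejected file never leaves a dangling pointer behind.
    g_binFileInfo.pNTHeaders = pNTHeaders;

    if (g_fHeaders)
    {
        wprintf_s(L"\n* NT Headers *\n");
        wprintf_s(L"Valid DOS stub found\n");

        // Compute the offset as a pointer difference; casting each pointer to
        // DWORD before subtracting truncates on 64-bit builds.
        wprintf_s(L"Valid PE signature found at FilePtr:0x%08x\n",
            (DWORD)((BYTE*)pNTHeaders - (BYTE*)hFileView));

        if (!DumpFileHeader(pNTHeaders, pf64bit))
            return FALSE;

        // optional header: IMAGE_OPTIONAL_HEADER
        wprintf_s(L"\n* IMAGE_OPTIONAL_HEADER *\n");

        wprintf_s(L"Size of code            : 0x%x\n", pNTHeaders->OptionalHeader.SizeOfCode);
        wprintf_s(L"Size of idata           : 0x%x\n", pNTHeaders->OptionalHeader.SizeOfInitializedData);
        wprintf_s(L"Size of udata           : 0x%x\n", pNTHeaders->OptionalHeader.SizeOfUninitializedData);
        wprintf_s(L"Preferred Image Base    : 0x%x\n", pNTHeaders->OptionalHeader.ImageBase);
        wprintf_s(L"Entry Point             : 0x%x\n", pNTHeaders->OptionalHeader.AddressOfEntryPoint);
        wprintf_s(L"Base of code            : 0x%x\n", pNTHeaders->OptionalHeader.BaseOfCode);
        wprintf_s(L"Base of data            : 0x%x\n", pNTHeaders->OptionalHeader.BaseOfData);
        wprintf_s(L"Size of headers         : 0x%08x\n", pNTHeaders->OptionalHeader.SizeOfHeaders);
        wprintf_s(L"Size of image           : 0x%x\n", pNTHeaders->OptionalHeader.SizeOfImage);
        wprintf_s(L"File alignment          : 0x%08x\n", pNTHeaders->OptionalHeader.FileAlignment);
        wprintf_s(L"Section alignment       : 0x%08x\n", pNTHeaders->OptionalHeader.SectionAlignment);

        // The subsystem is only meaningful for executables.
        if (g_dwInputFileType == DASM_FTYPE_EXE)
        {
            wprintf_s(L"Subsystem required      : ");
            switch (pNTHeaders->OptionalHeader.Subsystem)
            {
            case IMAGE_SUBSYSTEM_NATIVE:
                wprintf_s(L"Native. No subsystem required.\n");
                break;

            case IMAGE_SUBSYSTEM_WINDOWS_CUI:
                wprintf_s(L"Windows CommandLine\n");
                break;

            case IMAGE_SUBSYSTEM_WINDOWS_GUI:
                wprintf_s(L"Windows GUI\n");
                break;

            default:
                wprintf_s(L"Unknown\n");
            }// switch(subsystem)
        }

        DumpDataDirectory(pNTHeaders);
    }// if(g_fHeaders)

    // Both dumpers take the mapping base as a DWORD; that is their interface,
    // so the casts stay, but they truncate on 64-bit builds -- TODO(review):
    // widen those parameters to a pointer or ULONG_PTR.
    if (g_fExports)
        DumpExports((DWORD)pDOSHeader, pNTHeaders,
            &(pNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]));

    if (g_fImports)
        Util_DumpIMAGE_IMPORT_DESCRIPTORS(pNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress,
            pNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size, pNTHeaders, (DWORD)hFileView);

    return TRUE;

}// BeginFileScan()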