internal ElfProgramHeader(Reader reader, bool is64bit, ulong headerPositon, long loadBias, bool isVirtual = false)
{
if (is64bit)
{
var header = reader.Read <ElfProgramHeader64>(headerPositon);
_attributes = (ElfProgramHeaderAttributes)header.Flags;
Type = header.Type;
VirtualAddress = header.VirtualAddress;
VirtualSize = header.VirtualSize;
FileOffset = header.FileOffset;
FileSize = header.FileSize;
}
else
{
var header = reader.Read <ElfProgramHeader32>(headerPositon);
_attributes = (ElfProgramHeaderAttributes)header.Flags;
Type = header.Type;
VirtualAddress = header.VirtualAddress;
VirtualSize = header.VirtualSize;
FileOffset = header.FileOffset;
FileSize = header.FileSize;
}
if (isVirtual)
{
ulong offset = (loadBias < 0) ? (ulong)((long)VirtualAddress + loadBias) : VirtualAddress + (ulong)loadBias;
AddressSpace = new RelativeAddressSpace(reader.DataSource, "ProgramHeader", offset, VirtualSize);
}
else
{
ulong offset = (loadBias < 0) ? (ulong)((long)FileOffset + loadBias) : FileOffset + (ulong)loadBias;
AddressSpace = new RelativeAddressSpace(reader.DataSource, "ProgramHeader", offset, FileSize);
}
}
private KeyGenerator CreateGenerator(ELFLoadedImage loadedImage)
{
try
{
if (loadedImage.Image.IsValid())
{
return(new ELFFileKeyGenerator(Tracer, loadedImage.Image, loadedImage.Path));
}
// TODO - mikem 7/1/17 - need to figure out a better way to determine the file vs loaded layout
bool layout = loadedImage.Path.StartsWith("/");
var reader = new RelativeAddressSpace(_core.DataSource, loadedImage.LoadAddress, _core.DataSource.Length);
var peFile = new PEFile(reader, layout);
if (peFile.IsValid())
{
return(new PEFileKeyGenerator(Tracer, peFile, loadedImage.Path));
}
// Check if this is a macho module in a ELF 5.0.x MacOS dump
var machOFile = new MachOFile(reader, 0, true);
if (machOFile.IsValid())
{
return(new MachOFileKeyGenerator(Tracer, machOFile, loadedImage.Path));
}
Tracer.Warning("Unknown ELF core image {0:X16} {1}", loadedImage.LoadAddress, loadedImage.Path);
}
catch (InvalidVirtualAddressException ex)
{
Tracer.Error("{0}: {1:X16} {2}", ex.Message, loadedImage.LoadAddress, loadedImage.Path);
}
return(null);
}
public ElfProgramHeader(Reader reader, bool is64bit, long headerPositon, long fileOffset, bool isVirtual = false)
{
if (is64bit)
{
var header = reader.Read <ElfProgramHeader64>(headerPositon);
_attributes = (ElfProgramHeaderAttributes)header.Flags;
Type = header.Type;
VirtualAddress = unchecked ((long)header.VirtualAddress);
VirtualSize = unchecked ((long)header.VirtualSize);
FileOffset = unchecked ((long)header.FileOffset);
FileSize = unchecked ((long)header.FileSize);
}
else
{
var header = reader.Read <ElfProgramHeader32>(headerPositon);
_attributes = (ElfProgramHeaderAttributes)header.Flags;
Type = header.Type;
VirtualAddress = header.VirtualAddress;
VirtualSize = header.VirtualSize;
FileOffset = header.FileOffset;
FileSize = header.FileSize;
}
if (isVirtual && Type == ElfProgramHeaderType.Load)
{
AddressSpace = new RelativeAddressSpace(reader.DataSource, "ProgramHeader", VirtualAddress, VirtualSize);
}
else
{
AddressSpace = new RelativeAddressSpace(reader.DataSource, "ProgramHeader", fileOffset + FileOffset, FileSize);
}
}
internal void VerifyCoreDump()
{
foreach (string inputFile in GetInputFiles())
{
Console.WriteLine($"{inputFile}");
using Stream inputStream = File.Open(inputFile, FileMode.Open, FileAccess.Read, FileShare.Read);
var dataSource = new StreamAddressSpace(inputStream);
var core = new ELFCoreFile(dataSource);
if (Tracer.Enabled)
{
foreach (ELFProgramSegment segment in core.Segments)
{
Tracer.Information("{0:X16}-{1:X16} {2:X8} {3:X8} {4}",
segment.Header.VirtualAddress.Value,
segment.Header.VirtualAddress + segment.Header.VirtualSize,
segment.Header.FileOffset.Value,
(ulong)segment.Header.FileSize,
segment.Header.Type);
}
}
foreach (ELFLoadedImage image in core.LoadedImages)
{
Console.WriteLine("{0:X16} {1}", image.LoadAddress, image.Path);
Exception elfException = null;
Exception machoException = null;
Exception peException = null;
try
{
ELFFile elfFile = image.Image;
if (elfFile.IsValid())
{
try
{
byte[] buildid = elfFile.BuildID;
}
catch (Exception ex)
{
Console.WriteLine(" ELF file invalid build id - {0}", ex.Message);
}
foreach (ELFProgramSegment segment in elfFile.Segments)
{
Tracer.Verbose(" {0:X16}-{1:X16} file off {2:X8} file size {3:X8} {4}",
segment.Header.VirtualAddress.Value,
segment.Header.VirtualAddress + segment.Header.VirtualSize,
segment.Header.FileOffset.Value,
(ulong)segment.Header.FileSize,
segment.Header.Type);
if (segment.Header.Type == ELFProgramHeaderType.Note ||
segment.Header.Type == ELFProgramHeaderType.Dynamic ||
segment.Header.Type == ELFProgramHeaderType.GnuEHFrame)
{
try
{
byte[] data = segment.Contents.Read(0, (uint)segment.Header.VirtualSize);
}
catch (Exception ex)
{
Console.WriteLine(" ELF file segment {0} virt addr {1:X16} virt size {2:X8} INVALID - {3}",
segment.Header.Type, segment.Header.VirtualAddress, segment.Header.VirtualSize, ex.Message);
}
}
}
// The ELF module was valid try next module
continue;
}
}
catch (Exception ex)
{
elfException = ex;
}
IAddressSpace addressSpace = new RelativeAddressSpace(core.DataSource, image.LoadAddress, core.DataSource.Length);
try
{
var machoFile = new MachOFile(addressSpace);
if (machoFile.IsValid())
{
try
{
byte[] uuid = machoFile.Uuid;
}
catch (Exception ex)
{
Console.WriteLine(" MachO file invalid uuid - {0}", ex.Message);
}
foreach (MachSegment segment in machoFile.Segments)
{
Tracer.Verbose(" {0:X16}-{1:X16} offset {2:X16} size {3:X16} {4} {5}",
(ulong)segment.LoadCommand.VMAddress,
segment.LoadCommand.VMAddress + segment.LoadCommand.VMSize,
(ulong)segment.LoadCommand.FileOffset,
(ulong)segment.LoadCommand.FileSize,
segment.LoadCommand.Command,
segment.LoadCommand.SegName);
foreach (MachSection section in segment.Sections)
{
Tracer.Verbose(" addr {0:X16} size {1:X16} offset {2:X8} {3}",
(ulong)section.Address,
(ulong)section.Size,
section.Offset,
section.SectionName);
}
}
// The MachO module was valid try next module
continue;
}
}
catch (Exception ex)
{
machoException = ex;
}
try
{
var peFile = new PEFile(addressSpace, true);
if (peFile.IsValid())
{
// The PE module was valid try next module
continue;
}
}
catch (Exception ex)
{
peException = ex;
}
Console.WriteLine("{0:X16} invalid image - {1}", image.LoadAddress, image.Path);
if (elfException != null)
{
Tracer.Verbose("ELF {0}", elfException.Message);
}
if (machoException != null)
{
Tracer.Verbose("MachO {0}", machoException.Message);
}
if (peException != null)
{
Tracer.Verbose("PE {0}", peException.Message);
}
}
ulong segmentsTotal = core.Segments.Max(s => s.Header.FileOffset + s.Header.FileSize);
if (segmentsTotal > dataSource.Length)
{
Console.WriteLine($"ERROR: Core file not complete: file size 0x{dataSource.Length:X8} segments total 0x{segmentsTotal:X8}");
}
}
}
