/// <summary>
/// Deserializes one 64-bit ELF program header from <paramref name="rdr"/>.
/// </summary>
/// <param name="rdr">Reader positioned at the first field of the header; it is advanced by every read below.</param>
/// <returns>A new <see cref="Elf64_PHdr"/> holding the values exactly as read.</returns>
/// <remarks>
/// Two 32-bit values are read first, followed by six 64-bit values.
/// No field is validated in this method: the type cast, offsets and sizes are whatever the image contains.
/// NOTE(review): callers that use p_offset, p_filesz or p_pmemsz to slice or allocate should range-check
/// them against the real image size first, since the image may be malformed or hostile.
/// </remarks>
public static Elf64_PHdr Load(ImageReader rdr)
{
    var phdr = new Elf64_PHdr();

    // The statement order is the on-disk field order; do not reorder.
    phdr.p_type = (ProgramHeaderType)rdr.ReadUInt32();
    phdr.p_flags = rdr.ReadUInt32();
    phdr.p_offset = rdr.ReadUInt64();
    phdr.p_vaddr = rdr.ReadUInt64();
    phdr.p_paddr = rdr.ReadUInt64();
    phdr.p_filesz = rdr.ReadUInt64();
    phdr.p_pmemsz = rdr.ReadUInt64();
    phdr.p_align = rdr.ReadUInt64();

    return phdr;
}
/// <summary>
/// Deserializes one 64-bit ELF section header from <paramref name="rdr"/>.
/// </summary>
/// <param name="rdr">Reader positioned at the first field of the header; it is advanced by every read below.</param>
/// <returns>A new <see cref="Elf64_SHdr"/> holding the values exactly as read.</returns>
/// <remarks>
/// No field is validated in this method.
/// NOTE(review): sh_offset, sh_size, sh_entsize, sh_link and sh_name come straight from the image;
/// consumers should bounds-check them before using them as offsets, lengths, divisors or table indices.
/// </remarks>
public static Elf64_SHdr Load(ImageReader rdr)
{
    // Initializer members are evaluated top to bottom, which is the on-disk field order.
    var shdr = new Elf64_SHdr
    {
        sh_name = rdr.ReadUInt32(),
        sh_type = (SectionHeaderType)rdr.ReadUInt32(),
        sh_flags = rdr.ReadUInt64(),
        sh_addr = rdr.ReadUInt64(),         // Address
        sh_offset = rdr.ReadUInt64(),
        sh_size = rdr.ReadUInt64(),
        sh_link = rdr.ReadUInt32(),
        sh_info = rdr.ReadUInt32(),
        sh_addralign = rdr.ReadUInt64(),
        sh_entsize = rdr.ReadUInt64(),
    };
    return shdr;
}
public ushort e_shstrndx;       // section name string table index

/// <summary>
/// Deserializes the fields of a 32-bit ELF file header, from e_type through e_shstrndx,
/// from <paramref name="rdr"/>.
/// </summary>
/// <param name="rdr">
/// Reader positioned at e_type; it is advanced by every read below.
/// NOTE(review): no identification bytes are read here, so presumably the caller has already
/// consumed them; confirm against the call site.
/// </param>
/// <returns>A new <see cref="Elf32_EHdr"/> holding the values exactly as read.</returns>
/// <remarks>
/// No field is validated in this method.
/// NOTE(review): e_phoff, e_shoff, the entry sizes and counts, and e_shstrndx are taken from the image
/// as-is; code that walks the header tables should check them against the image bounds first.
/// </remarks>
public static Elf32_EHdr Load(ImageReader rdr)
{
    var ehdr = new Elf32_EHdr();

    // The statement order is the on-disk field order; do not reorder.
    ehdr.e_type = rdr.ReadUInt16();
    ehdr.e_machine = rdr.ReadUInt16();
    ehdr.e_version = rdr.ReadUInt32();
    ehdr.e_entry = rdr.ReadUInt32();
    ehdr.e_phoff = rdr.ReadUInt32();
    ehdr.e_shoff = rdr.ReadUInt32();
    ehdr.e_flags = rdr.ReadUInt32();
    ehdr.e_ehsize = rdr.ReadUInt16();
    ehdr.e_phentsize = rdr.ReadUInt16();
    ehdr.e_phnum = rdr.ReadUInt16();
    ehdr.e_shentsize = rdr.ReadUInt16();
    ehdr.e_shnum = rdr.ReadUInt16();
    ehdr.e_shstrndx = rdr.ReadUInt16();

    return ehdr;
}
/// <summary>
/// Tests whether the instructions at <paramref name="rdr"/> match the eight-instruction PowerPC
/// stub spelled out in the inline comments, and if they do, moves the reader to the computed
/// function descriptor and reads one 32-bit value from it.
/// </summary>
/// <param name="rdr">
/// Reader positioned at the candidate stub. It is passed to the disassembler and its
/// <c>Offset</c> is reassigned at the end, so the caller's reader position is not preserved.
/// </param>
/// <param name="host">Not referenced by this implementation.</param>
/// <returns>
/// <c>null</c> on every path: on a mismatch, and also after a full match, where the value read
/// from the descriptor is discarded.
/// </returns>
/// <remarks>
/// NOTE(review): the descriptor address is built from immediates found in the image and the
/// resulting reader offset is not range-checked in this method before the final read. What a read
/// past the end of the image does depends on the reader; confirm it fails safely on malformed input.
/// </remarks>
public override ProcedureBase GetTrampolineDestination(ImageReader rdr, IRewriterHost host)
{
    var disassembler = new PowerPcDisassembler(
        (PowerPcArchitecture64)Architecture,
        rdr,
        PrimitiveType.Word64);
    PowerPcInstruction insn;

    // addi r12,r0,0000
    insn = disassembler.DisassembleInstruction();
    if (insn.Opcode != Opcode.addi)
    {
        return null;
    }

    // oris r12,r12,0006 -- the immediate supplies the upper 16 bits of the descriptor address.
    insn = disassembler.DisassembleInstruction();
    if (insn.Opcode != Opcode.oris)
    {
        return null;
    }
    var upperHalf = (ImmediateOperand)insn.op3;
    uint descriptorAddr = upperHalf.Value.ToUInt32() << 16;

    // lwz r12,nnnn(r12) -- the displacement is added to the address built so far.
    insn = disassembler.DisassembleInstruction();
    if (insn.Opcode != Opcode.lwz)
    {
        return null;
    }
    var descriptorLoad = (MemoryOperand)insn.op2;
    int displacement = descriptorLoad.Offset.ToInt32();
    descriptorAddr = (uint)(descriptorAddr + displacement);

    // std r2,40(r1)
    insn = disassembler.DisassembleInstruction();
    if (insn.Opcode != Opcode.std)
    {
        return null;
    }

    // lwz r0,0(r12)
    // Have a pointer to a trampoline
    insn = disassembler.DisassembleInstruction();
    if (insn.Opcode != Opcode.lwz)
    {
        return null;
    }

    // lwz r2,4(r12)
    insn = disassembler.DisassembleInstruction();
    if (insn.Opcode != Opcode.lwz)
    {
        return null;
    }

    // mtctr r0
    insn = disassembler.DisassembleInstruction();
    if (insn.Opcode != Opcode.mtctr)
    {
        return null;
    }

    // bcctr 14,00
    insn = disassembler.DisassembleInstruction();
    if (insn.Opcode != Opcode.bcctr)
    {
        return null;
    }

    // Read the function pointer from the function descriptor.
    // The reader is moved by the signed distance between the descriptor address and the
    // reader's current address; that distance is computed from unvalidated image contents.
    int distance = (int)descriptorAddr - (int)rdr.Address.ToUInt32();
    rdr.Offset = (ulong)(((long)rdr.Offset) + distance);
    var functionPointer = rdr.ReadUInt32();     // read but not used; the method reports no destination
    return null;
}
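/// <summary>
/// Reads a pointer field of <paramref name="size"/> bytes from <paramref name="rdr"/>, then
/// deserializes a new instance of <paramref name="pointerType"/> from the offset stored in that field.
/// </summary>
/// <param name="pointerType">Type to instantiate with <see cref="Activator.CreateInstance(Type)"/> and fill in.</param>
/// <param name="size">Width of the pointer field in bytes; only 1, 2 and 4 are supported.</param>
/// <param name="rdr">
/// Reader positioned at the pointer field. It is advanced past the field; the pointed-to structure
/// is read through a clone, so the caller's position is otherwise left alone.
/// </param>
/// <param name="ctx">Not referenced by this implementation.</param>
/// <returns>The populated instance of <paramref name="pointerType"/>.</returns>
/// <exception cref="InvalidOperationException"><paramref name="size"/> is not 1, 2 or 4.</exception>
/// <remarks>
/// NOTE(review): the target offset comes from the image and is assigned to the cloned reader without
/// a range check here; how an out-of-range offset behaves depends on the reader and on StructureReader.
/// NOTE(review): if the pointed-to structure itself contains pointer fields, a crafted image could
/// presumably form a cycle; confirm that StructureReader bounds its recursion depth.
/// </remarks>
public static object ReadPointer(Type pointerType, int size, ImageReader rdr, ReaderContext ctx)
{
    Debug.Print("Reading pointer at offset {0}, size {1}", rdr.Offset, size);

    uint newOffset;
    switch (size)
    {
    case 1:
        newOffset = rdr.ReadByte();
        break;
    case 2:
        newOffset = rdr.ReadUInt16();
        break;
    case 4:
        newOffset = rdr.ReadUInt32();
        break;
    default:
        // The old message ("must be > 0") was misleading for positive but unsupported
        // widths such as 3 or 8; report the offending value and the accepted ones instead.
        throw new InvalidOperationException(
            string.Format("Unsupported pointer field size {0}; supported sizes are 1, 2 and 4.", size));
    }
    Debug.Print("Structure of type {0} must start at offset {1:X}", pointerType.Name, newOffset);

    // Follow the pointer on a clone so the caller's reader stays just past the pointer field.
    ImageReader target = rdr.Clone();
    target.Offset = newOffset;

    var dst = Activator.CreateInstance(pointerType);
    var sr = new StructureReader(dst);
    sr.Read(target);
    return dst;
}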