Exemplo n.º 1
        /// <summary>
        /// Find Codeview pointer in the last 256 bytes of the EXE
        /// </summary>
        /// <param name="rawImage">The raw image.</param>
        /// <returns>
        /// A tuple of (signature, start of CodeView data/dlfaBase, start of subsection directory)
        /// </returns>
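        public static (string, int, int) FindCodeView(byte[] rawImage)
        {
            // The trailer near EOF and the header it points back to share one layout:
            // a 4-byte ASCII signature followed by a little-endian 32-bit value.
            const int cbRecord = 8;

            var fp     = new LeImageReader(rawImage);
            var szfile = rawImage.Length;

            // Try each candidate trailer position in the last 256 bytes, nearest EOF first.
            for (var ofs = cbRecord; ofs <= 256 && ofs < szfile; ++ofs)
            {
                fp.Offset = szfile - ofs;
                var  sig      = Encoding.ASCII.GetString(fp.ReadBytes(4));
                long dlfaBase = fp.ReadLeUInt32();

                // Ordinal comparison: a culture-sensitive StartsWith can skip ignorable
                // characters such as NUL, so arbitrary file bytes could pass as "NB0".
                if (!sig.StartsWith("NB0", System.StringComparison.Ordinal))
                {
                    continue;
                }

                // The trailer stores the distance back from the reader position just
                // past the trailer to the start of the debug data.
                dlfaBase = fp.Offset - dlfaBase;

                // The distance is read from the file and is untrusted: the whole 8-byte
                // header must lie inside the image before it is read. (The previous
                // check allowed dlfaBase == szfile, which places the read past the end.)
                if (dlfaBase < 0 || dlfaBase > szfile - cbRecord)
                {
                    continue;
                }

                // Confirm the candidate by checking the signature at the debug data start.
                fp.Offset = dlfaBase;
                var nsig         = Encoding.ASCII.GetString(fp.ReadBytes(4));
                var lfoSubsecDir = fp.ReadLeUInt32();
                if (!nsig.StartsWith("NB0", System.StringComparison.Ordinal))
                {
                    continue;
                }

                // The directory offset is also file-controlled. Compute it in 64 bits and
                // reject it when it falls outside the image, so the int cast below can
                // neither wrap nor hand the caller an offset beyond the buffer.
                long lfaSubsecDir = lfoSubsecDir + dlfaBase;
                if (lfaSubsecDir > szfile)
                {
                    continue;
                }
                return (sig, (int)dlfaBase, (int)lfaSubsecDir);
            }

            // No CodeView trailer found; callers must check for the null signature.
            return (null, 0, 0);
        }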
Exemplo n.º 2
        private List <ImageSectionDescriptor> LoadImageSectionDescriptors(ushort rvaIsds)
        {
            // Reads image section descriptors sequentially, starting at offset rvaIsds
            // of RawImage, until a descriptor with a Size of zero is found.
            //
            // NOTE(review): the loop has no other exit. Size, the name length byte and
            // every other field come straight from the image, so a file without a zero
            // terminator is only stopped by whatever the reader does at end of data --
            // confirm that LeImageReader fails cleanly there instead of relying on it.
            var result = new List <ImageSectionDescriptor>();
            var reader = new LeImageReader(RawImage, rvaIsds);

            // Column legend for the per-descriptor debug lines written below.
            Debug.WriteLine("Isd: Size Pges Start    Flags    Rva      GsId     Name");

            while (true)
            {
                var isd = new ImageSectionDescriptor();
                isd.Size = reader.ReadLeUInt16();
                if (isd.Size == 0)
                {
                    // A zero size marks the end of the descriptor list.
                    break;
                }

                // Fields present in every descriptor.
                isd.NumPages   = reader.ReadLeUInt16();
                isd.StartVPage = reader.ReadLeUInt32();
                isd.Flags      = reader.ReadLeUInt32();

                // Descriptors larger than 0x0C bytes also carry a file offset.
                if (isd.Size > 0x0C)
                {
                    isd.RvaFile = reader.ReadLeUInt32();
                }

                // Descriptors larger than 0x10 bytes additionally carry a global section
                // identifier and a length-prefixed ASCII name. 0x10 > 0x0C, so this only
                // runs after the file offset above has been read.
                if (isd.Size > 0x010)
                {
                    isd.GlobalSectionIdent = reader.ReadLeUInt32();
                    var nameLength = reader.ReadByte();
                    var nameBytes  = reader.ReadBytes(nameLength);
                    isd.SectionName = Encoding.ASCII.GetString(nameBytes);
                }

                result.Add(isd);
                Debug.WriteLine("{0}", isd);
            }

            return result;
        }
Exemplo n.º 3
        private Header LoadHeader(LeImageReader rdr)
        {
            // Reads the fixed-size image header from the reader's current position.
            // The fields are consumed strictly in the order listed; the offsets in the
            // comments are relative to the position of rdr on entry and follow from the
            // width of each read (0x2C bytes in total).
            //
            // NOTE(review): nothing is validated here. The Rva* fields are offsets taken
            // from the file, so code that later seeks to them has to bounds-check them
            // against the image length itself.
            return new Header
            {
                HdrSize = rdr.ReadLeUInt16(),                // 0x00
                RvaTaa = rdr.ReadLeUInt16(),                 // 0x02
                RvaSymbols = rdr.ReadLeUInt16(),             // 0x04
                RvaIdent = rdr.ReadLeUInt16(),               // 0x06
                RvaPatchData = rdr.ReadLeUInt16(),           // 0x08
                Spare0A = rdr.ReadLeUInt16(),                // 0x0A
                IdMajor = rdr.ReadLeUInt16(),                // 0x0C
                IdMinor = rdr.ReadLeUInt16(),                // 0x0E

                HeaderBlocks = rdr.ReadByte(),               // 0x10
                ImageType = rdr.ReadByte(),                  // 0x11
                Spare12 = rdr.ReadLeUInt16(),                // 0x12

                RequestedPrivilegeMask = rdr.ReadLeUInt64(), // 0x14
                IoChannels = rdr.ReadLeUInt16(),             // 0x1C
                IoSegPages = rdr.ReadLeUInt16(),             // 0x1E
                ImageFlags = rdr.ReadLeUInt32(),             // 0x20
                GlobalSectionID = rdr.ReadLeUInt32(),        // 0x24
                SystemVersionNumber = rdr.ReadLeUInt32(),    // 0x28
            };
        }
Exemplo n.º 4
        public void ReadCommonExeFields()
        {
            // Populates the e_* fields from the first 0x40 bytes of RawImage, reading
            // little-endian values in file order starting at offset 0.
            //
            // NOTE(review): no length check is made before reading, and e_lfanew is a
            // file-supplied offset. Whoever follows it must verify that it points inside
            // the image; behaviour on a shorter image depends on the reader -- confirm.
            ImageReader rdr = new LeImageReader(RawImage, 0);

            // 0x00 - 0x1B: fourteen consecutive 16-bit fields.
            e_magic = rdr.ReadLeUInt16();
            e_cbLastPage = rdr.ReadLeUInt16();
            e_cpImage = rdr.ReadLeUInt16();
            this.e_cRelocations = rdr.ReadLeUInt16();
            e_cparHeader = rdr.ReadLeUInt16();
            e_minalloc = rdr.ReadLeUInt16();
            e_maxalloc = rdr.ReadLeUInt16();
            e_ss = rdr.ReadLeUInt16();
            e_sp = rdr.ReadLeUInt16();
            e_csum = rdr.ReadLeUInt16();
            e_ip = rdr.ReadLeUInt16();
            e_cs = rdr.ReadLeUInt16();
            e_lfaRelocations = rdr.ReadLeUInt16();
            e_ovno = rdr.ReadLeUInt16();

            // 0x1C - 0x23: four 16-bit words.
            e_res = new ushort[4];
            for (var word = 0; word < 4; word++)
            {
                e_res[word] = rdr.ReadLeUInt16();
            }

            // 0x24 - 0x27
            e_oemid = rdr.ReadLeUInt16();
            e_oeminfo = rdr.ReadLeUInt16();

            // 0x28 - 0x3B: ten 16-bit words.
            e_res2 = new ushort[10];
            for (var word = 0; word < 10; word++)
            {
                e_res2[word] = rdr.ReadLeUInt16();
            }

            // 0x3C: 32-bit value, the last field read.
            e_lfanew = rdr.ReadLeUInt32();
        }
Exemplo n.º 5
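        public void ApplyRelocations(uint rvaReloc, uint size, uint baseOfImage, RelocationDictionary relocations)
        {
            // Walks the fixup blocks stored in RawImage between rvaReloc and
            // rvaReloc + size and hands every entry to ApplyRelocation. Each block starts
            // with an 8-byte header: a 32-bit page value and a 32-bit block size that
            // includes the header itself. The walk stops at the first header whose page
            // or size is zero, or whose size is malformed.
            //
            // Everything read here comes from the image and is untrusted.
            // NOTE(review): rvaReloc and size are not checked against the image length
            // in this method -- confirm that the caller does so.
            const int cbBlockHeader = 8;

            ImageReader rdr = new LeImageReader(RawImage, rvaReloc);

            // 64-bit sum: rvaReloc + size can wrap in 32 bits, which would make the
            // stop offset smaller than the start offset.
            long rvaStop = (long)rvaReloc + size;

            // Only start a block when its whole header lies inside the table.
            while ((long)rdr.Offset + cbBlockHeader <= rvaStop)
            {
                // Read fixup block header.
                uint page    = rdr.ReadLeUInt32();
                int  cbBlock = rdr.ReadLeInt32();
                if (page == 0 || cbBlock == 0)
                {
                    break;
                }

                // A block can never be smaller than its own header. A negative or
                // undersized cbBlock previously produced, after the uint cast, an end
                // offset that could lie far beyond the table.
                if (cbBlock < cbBlockHeader)
                {
                    break;
                }

                // Computed in 64 bits and clamped so that one oversized block cannot
                // make entries be read from data that follows the relocation table.
                long offBlockEnd = (long)rdr.Offset + cbBlock - cbBlockHeader;
                if (offBlockEnd > rvaStop)
                {
                    offBlockEnd = rvaStop;
                }

                while (rdr.Offset < offBlockEnd)
                {
                    ApplyRelocation(baseOfImage, page, rdr, relocations);
                }
            }
        }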
Exemplo n.º 6
        /*  DCCLIBS.DAT is a data file sorted on function name containing names and
            return types of functions found in include files, and the names and types
            of arguments. Only functions in this list will be considered library
            functions; others (like LXMUL@) are helper files, and need to be analysed
            by dcc, rather than considered as known functions. When a prototype is
            found (in searchPList()), the parameter info is written to the proc struct.
        */
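        void readProtoFile(IServiceProvider services)
        {
            // Loads the library prototype data file into numFunc/pFunc (function
            // records) and numArg/pArg (argument types). Layout as read below:
            //   uint32 signature "dccp"
            //   uint16 "FN", uint16 count, then per function: SYMLEN name bytes,
            //          uint16 return type, uint16 argument count, uint16 index of the
            //          first argument, one byte vararg flag
            //   uint16 "PM", uint16 count, then per argument: uint16 type
            // On any format error a warning is reported and loading stops.
            var diagSvc = services.RequireService<IDiagnosticsService>();
            var cfgSvc = services.RequireService<IConfigurationService>();
            var szProFName = cfgSvc.GetInstallationRelativePath("msdos", DCCLIBS); /* Full name of the prototype data file */
            var fsSvc = services.RequireService<IFileSystemService>();

            // The condition was inverted: it warned and returned when the file was
            // present, and went on to read it when it was missing.
            if (!fsSvc.FileExists(szProFName))
            {
                diagSvc.Warn(string.Format("Cannot open library prototype data file {0}.", szProFName));
                return;
            }
            var bytes = fsSvc.ReadAllBytes(szProFName);
            var fProto = new LeImageReader(bytes);

            uint fileSig = fProto.ReadLeUInt32();
            if (fileSig != 0x70636364)      // "dccp"
            {
                diagSvc.Warn(string.Format("{0} is not a dcc prototype file.", szProFName));
                return;
            }

            ushort sectionID = fProto.ReadLeUInt16();
            if (sectionID != 0x4E46)        // "FN"
            {
                Debug.Print("FN (Function) subsection expected in {0}", szProFName);
                diagSvc.Warn(string.Format("{0} is not a dcc prototype file.", szProFName));
                return;
            }
            numFunc = fProto.ReadLeUInt16();    /* Num of entries to allocate */

            /* Allocate exactly correct # entries */
            pFunc = new PH_FUNC_STRUCT[numFunc];

            for (int i = 0; i < numFunc; i++)
            {
                // NOTE(review): the name bytes are read but not stored anywhere in this
                // method -- confirm whether the name is meant to be kept.
                var symbuf = fProto.ReadBytes(SYMLEN);
                if (symbuf.Length != SYMLEN)
                {
                    // Short read. numFunc still holds the count declared by the file,
                    // so the remaining pFunc entries keep their default values.
                    break;
                }
                pFunc[i].typ = (hlType)fProto.ReadLeUInt16();
                pFunc[i].numArg = fProto.ReadLeUInt16();
                // NOTE(review): firstArg and numArg are file-supplied and are not
                // checked against the size of pArg; whoever indexes pArg with them
                // needs a range check.
                pFunc[i].firstArg = fProto.ReadLeUInt16();
                int c = fProto.ReadByte();
                pFunc[i].bVararg = (c != 0); //fread(&pFunc[i].bVararg, 1, 1, fProto);
            }

            sectionID = fProto.ReadLeUInt16();
            if (sectionID != 0x4D50)    // "PM"
            {
                Debug.Print("PM (Parameter) subsection expected in {0}", szProFName);
                // Report the failure the same way as the FN check above instead of
                // returning silently with no argument table loaded.
                diagSvc.Warn(string.Format("{0} is not a dcc prototype file.", szProFName));
                return;
            }

            numArg = fProto.ReadLeUInt16();     /* Num of entries to allocate */

            /* Allocate exactly correct # entries */
            pArg = new hlType[numArg];

            for (int i = 0; i < numArg; i++)
            {
                //      fread(&pArg[i], 1, SYMLEN, fProto);     /* No names to read as yet */
                pArg[i] = (hlType)fProto.ReadLeUInt16();
            }
        }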