From 2f41f6e2335b88fbb8fe3adeeafed143a9ce8316 Mon Sep 17 00:00:00 2001
From: ThisALV
Date: Sun, 24 Jan 2021 14:31:51 +0100
Subject: [PATCH] Improved PE patterns for both x86 and x64 files. (#9)

* Improved PE patterns for both x86 and x64 files. Added sections table and data directories. Support for 64bits binaries. Separated files for 32bits and 64bits binaries.
* Deleted old PE pattern.
* Single file used for both PE32 and PE32+. Change FORMAT preprocessor constant to switch mode.
* Improved sections table localization. Using recently added nextAfter() builtin-function to locate sections table.
* Automatic detection for 64bits executables. Automatically detect if PE32+ format is enabled by checking machine value.
* Updated README.md for single PE hexpat file.
* Use String for sections name.
* Remove silly usage of define preprocessor.
---
 patterns/pe.hexpat | 71 ++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 68 insertions(+), 3 deletions(-)

diff --git a/patterns/pe.hexpat b/patterns/pe.hexpat
index e8d91eb..9b32125 100644
--- a/patterns/pe.hexpat
+++ b/patterns/pe.hexpat
@@ -47,7 +47,12 @@ bitfield Characteristics {
 bytesReversedHi : 1;
 };

-struct OptionalHeader {
+struct DataDirectory {
+ u32 virtualAddress;
+ u32 size;
+};
+
+struct OptionalHeader32 {
 u16 magic;
 u8 majorLinkerVersion;
 u8 minorLinkerVersion;
@@ -78,6 +83,40 @@ struct OptionalHeader {
 u32 sizeOfHeapCommit;
 u32 loaderFlags;
 u32 numberOfRvaAndSizes;
+ DataDirectory directories[numberOfRvaAndSizes];
+};
+
+struct OptionalHeader64 {
+ u16 magic;
+ u8 majorLinkerVersion;
+ u8 minorLinkerVersion;
+ u32 sizeOfCode;
+ u32 sizeOfInitializedData;
+ u32 sizeOfUninitializedData;
+ u32 addressOfEntryPoint;
+ u32 baseOfCode;
+ u64 imageBase;
+ u32 sectionAlignment;
+ u32 fileAlignment;
+ u16 majorOperatingSystemVersion;
+ u16 minorOperatingSystemVersion;
+ u16 majorImageVersion;
+ u16 minorImageVersion;
+ u16 majorSubsystemVersion;
+ u16 minorSubSystemVersion;
+ u32 win32VersionValue;
+ u32 sizeOfImage;
+ u32 sizeOfHeaders;
+ u32 checksum;
+ u16 subsystem;
+ u16 dllCharacteristics;
+ u64 sizeOfStackReserve;
+ u64 sizeOfStackCommit;
+ u64 sizeOfHeapReserve;
+ u64 sizeOfHeapCommit;
+ u32 loaderFlags;
+ u32 numberOfRvaAndSizes;
+ DataDirectory directories[numberOfRvaAndSizes];
 };

 struct COFFHeader {
@@ -89,7 +128,12 @@ struct COFFHeader {
 u32 numberOfSymbolTable;
 u16 sizeOfOptionalHeader;
 Characteristics characteristics;
- OptionalHeader optionalHeader;
+
+ if (machine == MachineType::AMD64) {
+ OptionalHeader64 optionalHeader;
+ } else {
+ OptionalHeader32 optionalHeader;
+ }
 };

 struct DOSHeader {
@@ -104,9 +148,30 @@ struct DOSStub {
 u8 data[11];
 };

+union SectionMisc {
+ u32 physicalAddress;
+ u32 virtualSize;
+};
+
+struct Section {
+ char name[8];
+ SectionMisc misc;
+ u32 virtualAddress;
+ u32 sizeOfRawData;
+ u32 ptrRawData;
+ u32 ptrRelocations;
+ u32 ptrLineNumbers;
+ u16 numberOfRelactions;
+ u16 numberOfLineNumbers;
+ u32 characteristics;
+};
+
 struct PEHeader {
 DOSHeader dosHeader;
 DOSStub dosStub;
 };

-PEHeader peHeader @ 0x00;
\ No newline at end of file
+PEHeader peHeader @ 0x00;
+
+Section sectionsTable[peHeader.dosHeader.coffHeaderPointer.numberOfSections]
+@ nextAfter("peHeader.dosHeader.coffHeaderPointer");
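Review bot: The `DataDirectory directories[numberOfRvaAndSizes];` array added to OptionalHeader32 at the top of this hunk, and repeated at the end of the new OptionalHeader64, is sized directly by a u32 read from the file, so a malformed header can request a huge array and an oversized count also pushes every field parsed after the optional header (including the section table) to the wrong offset. The PE format defines 16 directory entries and the loader ignores anything beyond that, so a count above 16 is a reliable malformation signal rather than a layout to honour. At minimum the two lines deserve a comment such as `// untrusted count: the format defines at most 16 entries, larger values indicate a malformed header`, and if the pattern language allows it the count should be checked against 16 and against the enclosing COFFHeader's sizeOfOptionalHeader before the array is declared. OptionalHeader32's remaining fields lie above this hunk.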
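Review bot: The `if (machine == MachineType::AMD64)` branch in the COFFHeader hunk chooses the 64-bit optional header layout from the machine type, but PE32 versus PE32+ is signalled by the optional header's own magic field (0x10b for PE32, 0x20b for PE32+), which both new structs already declare as `u16 magic`. Keying on the machine type routes every other 64-bit machine (ARM64 images are PE32+ too, if MachineType carries that value) through OptionalHeader32, and a file with an AMD64 machine value but a PE32 magic is silently parsed with the wrong field widths instead of being flagged. If the language can read the magic ahead of declaring the struct, dispatch on it; otherwise a comment like `// PE32+ is defined by optionalHeader.magic == 0x20b, not by machine; only AMD64 is recognised here` makes the limitation visible. The `machine` field this compares against is declared above the hunk, outside what is shown.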
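Review bot: In the last hunk, `Section sectionsTable[...] @ nextAfter("peHeader.dosHeader.coffHeaderPointer");` places the section table immediately after the parsed COFF header, but the format locates it at sizeOfOptionalHeader bytes past the fixed COFF fields, so the two only agree when the parsed optional header has exactly that length (they diverge whenever numberOfRvaAndSizes or the 32/64 choice disagrees with sizeOfOptionalHeader, which is precisely the situation in crafted files). Computing the address from sizeOfOptionalHeader, if the language exposes the COFF header's address, would follow the format rather than the parse; otherwise a comment stating the assumption, `// assumes the parsed optional header length equals sizeOfOptionalHeader`, should sit on this line. The count `numberOfSections` is likewise an untrusted u16 and the loader rejects images with more than 96 sections, which is a cheap bound to note or check. Separately, `u16 numberOfRelactions;` in the new Section struct is a typo for `u16 numberOfRelocations;`.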