imports/ImHex-Patterns
1
0
Fork 0
mirror of https://github.com/WerWolv/ImHex-Patterns.git synced 2026-03-27 23:37:04 -05:00
Code Issues Packages Projects Releases Wiki Activity

Improved PE patterns for both x86 and x64 files. (#9)

Browse Source 
* Improved PE patterns for both x86 and x64 files.

Added sections table and data directories.
Support for 64bits binaries.
Separated files for 32bits and 64bits binaries.

* Deleted old PE pattern.

* Single file used for both PE32 and PE32+.

Change FORMAT preprocessor constant to switch mode.

* Improved sections table localization.

Using recently added nextAfter() builtin-function to locate sections
table.

* Automatic detection for 64bits executables.

Automatically detect if PE32+ format is enabled by checking machine
value.

* Updated README.md for single PE hexpat file.

* Use String for sections name.

* Remove silly usage of define preprocessor.
This commit is contained in:
ThisALV
2021-01-24 14:31:51 +01:00
committed by GitHub
parent bec4233ff6
commit 2f41f6e233
1 changed files with 68 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
patterns/pe.hexpat
View File

@@ -47,7 +47,12 @@ bitfield Characteristics {
bytesReversedHi : 1; bytesReversedHi : 1;
}; };
struct OptionalHeader { struct DataDirectory {
u32 virtualAddress;
u32 size;
};
struct OptionalHeader32 {
u16 magic; u16 magic;
u8 majorLinkerVersion; u8 majorLinkerVersion;
u8 minorLinkerVersion; u8 minorLinkerVersion;
@@ -78,6 +83,40 @@ struct OptionalHeader {
u32 sizeOfHeapCommit; u32 sizeOfHeapCommit;
u32 loaderFlags; u32 loaderFlags;
u32 numberOfRvaAndSizes; u32 numberOfRvaAndSizes;
DataDirectory directories[numberOfRvaAndSizes];
};
struct OptionalHeader64 {
u16 magic;
u8 majorLinkerVersion;
u8 minorLinkerVersion;
u32 sizeOfCode;
u32 sizeOfInitializedData;
u32 sizeOfUninitializedData;
u32 addressOfEntryPoint;
u32 baseOfCode;
u64 imageBase;
u32 sectionAlignment;
u32 fileAlignment;
u16 majorOperatingSystemVersion;
u16 minorOperatingSystemVersion;
u16 majorImageVersion;
u16 minorImageVersion;
u16 majorSubsystemVersion;
u16 minorSubSystemVersion;
u32 win32VersionValue;
u32 sizeOfImage;
u32 sizeOfHeaders;
u32 checksum;
u16 subsystem;
u16 dllCharacteristics;
u64 sizeOfStackReserve;
u64 sizeOfStackCommit;
u64 sizeOfHeapReserve;
u64 sizeOfHeapCommit;
u32 loaderFlags;
u32 numberOfRvaAndSizes;
DataDirectory directories[numberOfRvaAndSizes];
}; };
struct COFFHeader { struct COFFHeader {
@@ -89,7 +128,12 @@ struct COFFHeader {
u32 numberOfSymbolTable; u32 numberOfSymbolTable;
u16 sizeOfOptionalHeader; u16 sizeOfOptionalHeader;
Characteristics characteristics; Characteristics characteristics;
OptionalHeader optionalHeader;
if (machine == MachineType::AMD64) {
OptionalHeader64 optionalHeader;
} else {
OptionalHeader32 optionalHeader;
}
}; };
struct DOSHeader { struct DOSHeader {
@@ -104,9 +148,30 @@ struct DOSStub {
u8 data[11]; u8 data[11];
}; };
union SectionMisc {
u32 physicalAddress;
u32 virtualSize;
};
struct Section {
char name[8];
SectionMisc misc;
u32 virtualAddress;
u32 sizeOfRawData;
u32 ptrRawData;
u32 ptrRelocations;
u32 ptrLineNumbers;
u16 numberOfRelactions;
u16 numberOfLineNumbers;
u32 characteristics;
};
struct PEHeader { struct PEHeader {
DOSHeader dosHeader; DOSHeader dosHeader;
DOSStub dosStub; DOSStub dosStub;
}; };
PEHeader peHeader @ 0x00; PEHeader peHeader @ 0x00;
Section sectionsTable[peHeader.dosHeader.coffHeaderPointer.numberOfSections]
@ nextAfter("peHeader.dosHeader.coffHeaderPointer");