Coverage Report

Created: 2025-08-26 06:32

/src/yara/libyara/modules/elf/elf.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
3
4
Redistribution and use in source and binary forms, with or without modification,
5
are permitted provided that the following conditions are met:
6
7
1. Redistributions of source code must retain the above copyright notice, this
8
list of conditions and the following disclaimer.
9
10
2. Redistributions in binary form must reproduce the above copyright notice,
11
this list of conditions and the following disclaimer in the documentation and/or
12
other materials provided with the distribution.
13
14
3. Neither the name of the copyright holder nor the names of its contributors
15
may be used to endorse or promote products derived from this software without
16
specific prior written permission.
17
18
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
*/
29
30
#include <limits.h>
31
#include <stdlib.h>
32
#include <string.h>
33
#include <tlshc/tlsh.h>
34
#include <yara/elf.h>
35
#include <yara/elf_utils.h>
36
#include <yara/endian.h>
37
#include <yara/mem.h>
38
#include <yara/modules.h>
39
#include <yara/simple_str.h>
40
#include <yara/utils.h>
41
#include "../crypto.h"
42
#include "../exception.h"
43
44
#define MODULE_NAME elf
45
46
49.8k
#define CLASS_DATA(c, d) ((c << 8) | d)
47
48
static int sort_strcmp(const void* a, const void* b)
49
0
{
50
0
  return strcmp(*(const char**) a, *(const char**) b);
51
0
}
52
53
define_function(telfhash)
54
0
{
55
0
  YR_OBJECT* obj = yr_module();
56
0
  ELF* elf = (ELF*) obj->data;
57
0
  if (elf == NULL)
58
0
    return_string(YR_UNDEFINED);
59
60
0
  if (elf->telfhash)
61
0
    return_string(elf->telfhash);
62
63
  /* We prefer dynsym if possible */
64
0
  ELF_SYMBOL_LIST* list = elf->dynsym ? elf->dynsym : elf->symtab;
65
0
  if (!list)
66
0
    return_string(YR_UNDEFINED);
67
68
  /* exclusions are based on the original implementation
69
     https://github.com/trendmicro/telfhash/blob/master/telfhash/telfhash.py */
70
0
  char* exclude_strings[] = {
71
0
      "__libc_start_main",
72
0
      "main",
73
0
      "abort",
74
0
      "cachectl",
75
0
      "cacheflush",
76
0
      "puts",
77
0
      "atol",
78
0
      "malloc_trim"};
79
80
0
  SIMPLE_STR* sstr = NULL;
81
0
  Tlsh* tlsh = NULL;
82
83
0
  int symbol_count = 0;
84
0
  char** clean_names = yr_calloc(list->count, sizeof(*clean_names));
85
86
0
  if (clean_names == NULL && list->count > 0)
87
0
    return_string(YR_UNDEFINED);
88
89
0
  for (ELF_SYMBOL* i = list->symbols; i != NULL; i = i->next)
90
0
  {
91
0
    char* name = i->name;
92
93
0
    if (!name)
94
0
      continue;
95
96
    /* Use only global code symbols */
97
0
    if (i->bind != ELF_STB_GLOBAL || i->type != ELF_STT_FUNC ||
98
0
        i->visibility != ELF_STV_DEFAULT)
99
0
      continue;
100
101
    /* ignore:
102
        x86-64 specific functions
103
        string functions (str.* and mem.*), gcc changes them depending on arch
104
        symbols starting with . or _ */
105
0
    bool is_bad_prefix = name[0] == '.' || name[0] == '_';
106
0
    size_t namelen = strlen(name);
107
0
    bool is_x86_64 = namelen >= 2 && strncmp(name + namelen - 2, "64", 2) == 0;
108
0
    bool is_mem_or_str = strncmp(name, "str", 3) == 0 ||
109
0
                         strncmp(name, "mem", 3) == 0;
110
111
0
    if (is_bad_prefix || is_x86_64 || is_mem_or_str)
112
0
      continue;
113
114
    /* Exclude any symbols that match the excluded ones */
115
0
    bool is_excluded = false;
116
0
    for (int i = 0; i < sizeof(exclude_strings) / sizeof(*exclude_strings); i++)
117
0
    {
118
0
      if (strcmp(name, exclude_strings[i]) == 0)
119
0
      {
120
0
        is_excluded = true;
121
0
        break;
122
0
      }
123
0
    }
124
125
0
    if (is_excluded)
126
0
      continue;
127
128
0
    clean_names[symbol_count] = yr_malloc(strlen(name) + 1);
129
130
0
    if (!clean_names[symbol_count])
131
0
      goto cleanup;
132
133
    /* Convert it to lowercase */
134
0
    int j;
135
0
    for (j = 0; name[j]; j++) clean_names[symbol_count][j] = tolower(name[j]);
136
137
0
    clean_names[symbol_count][j] = '\0';
138
139
0
    symbol_count++;
140
0
  }
141
142
0
  if (!symbol_count)
143
0
    goto cleanup;
144
145
  /* Now we have all the valid symbols, sort them, concat them */
146
0
  qsort(clean_names, symbol_count, sizeof(*clean_names), &sort_strcmp);
147
148
0
  sstr = sstr_newf("%s", clean_names[0]);
149
0
  if (!sstr)
150
0
    goto cleanup;
151
152
  /* We've already written first symbol, start at 1 */
153
0
  for (int i = 1; i < symbol_count; ++i)
154
0
  {
155
0
    if (!sstr_appendf(sstr, ",%s", clean_names[i]))
156
0
      goto cleanup;
157
0
  }
158
159
0
  tlsh = tlsh_new();
160
0
  if (!tlsh)
161
0
    goto cleanup;
162
163
0
  tlsh_final(tlsh, (const unsigned char*) sstr->str, sstr->len, 0);
164
165
0
  const char* telfhash = tlsh_get_hash(tlsh, true);
166
0
  elf->telfhash = yr_strdup(telfhash);  // cache it
167
0
  if (!elf->telfhash)
168
0
    goto cleanup;
169
170
0
  for (int i = 0; i < symbol_count; ++i) yr_free(clean_names[i]);
171
0
  yr_free(clean_names);
172
0
  sstr_free(sstr);
173
0
  tlsh_free(tlsh);
174
175
0
  return_string(elf->telfhash);
176
177
0
cleanup:
178
0
  for (int i = 0; i < symbol_count; ++i) yr_free(clean_names[i]);
179
0
  yr_free(clean_names);
180
0
  sstr_free(sstr);
181
0
  tlsh_free(tlsh);
182
183
0
  return_string(YR_UNDEFINED);
184
0
}
185
186
#if defined(HAVE_LIBCRYPTO) || defined(HAVE_WINCRYPT_H) || \
187
    defined(HAVE_COMMONCRYPTO_COMMONCRYPTO_H)
188
189
define_function(import_md5)
190
{
191
  YR_OBJECT* obj = yr_module();
192
  ELF* elf = (ELF*) obj->data;
193
  if (elf == NULL)
194
    return_string(YR_UNDEFINED);
195
196
  if (elf->import_hash)
197
    return_string(elf->import_hash);
198
199
  ELF_SYMBOL_LIST* list = elf->dynsym ? elf->dynsym : elf->symtab;
200
  if (!list)
201
    return_string(YR_UNDEFINED);
202
203
  SIMPLE_STR* sstr = NULL;
204
205
  int symbol_count = 0;
206
  char** clean_names = yr_malloc(list->count * sizeof(*clean_names));
207
  if (!clean_names)
208
    return_string(YR_UNDEFINED);
209
210
  for (ELF_SYMBOL* i = list->symbols; i != NULL; i = i->next)
211
  {
212
    char* name = i->name;
213
214
    if (!name)
215
      continue;
216
217
    if (i->shndx != ELF_SHN_UNDEF)
218
      continue;
219
220
    // skip empty names
221
    if (strlen(i->name) == 0)
222
      continue;
223
224
    clean_names[symbol_count] = yr_malloc(strlen(name) + 1);
225
    if (!clean_names[symbol_count])
226
      goto cleanup;
227
228
    /* Convert it to lowercase */
229
    int j;
230
    for (j = 0; name[j]; j++) clean_names[symbol_count][j] = tolower(name[j]);
231
232
    clean_names[symbol_count][j] = '\0';
233
234
    symbol_count++;
235
  }
236
237
  if (!symbol_count)
238
    goto cleanup;
239
240
  /* Now we have all the valid symbols, sort them, concat them */
241
  qsort(clean_names, symbol_count, sizeof(*clean_names), &sort_strcmp);
242
243
  sstr = sstr_newf("%s", clean_names[0]);
244
  if (!sstr)
245
    goto cleanup;
246
247
  /* We've already written first symbol, start at 1 */
248
  for (int i = 1; i < symbol_count; ++i)
249
  {
250
    if (!sstr_appendf(sstr, ",%s", clean_names[i]))
251
      goto cleanup;
252
  }
253
254
  unsigned char hash[YR_MD5_LEN];
255
256
  yr_md5_ctx ctx;
257
  yr_md5_init(&ctx);
258
  yr_md5_update(&ctx, sstr->str, sstr->len);
259
  yr_md5_final(hash, &ctx);
260
261
  elf->import_hash = yr_malloc(YR_MD5_LEN * 2 + 1);
262
  if (!elf->import_hash)
263
    goto cleanup;
264
265
  for (int i = 0; i < YR_MD5_LEN; ++i)
266
    sprintf(elf->import_hash + (i * 2), "%02x", hash[i]);
267
268
  for (int i = 0; i < symbol_count; ++i) yr_free(clean_names[i]);
269
  yr_free(clean_names);
270
  sstr_free(sstr);
271
272
  return_string(elf->import_hash);
273
274
cleanup:
275
  for (int i = 0; i < symbol_count; ++i) yr_free(clean_names[i]);
276
  yr_free(clean_names);
277
  sstr_free(sstr);
278
279
  return_string(YR_UNDEFINED);
280
}
281
282
#endif  // defined(HAVE_LIBCRYPTO) || defined(HAVE_WINCRYPT_H)
283
284
int get_elf_class_data(const uint8_t* buffer, size_t buffer_length)
285
7.41k
{
286
7.41k
  elf_ident_t* elf_ident;
287
288
7.41k
  if (buffer_length < sizeof(elf_ident_t))
289
17
    return 0;
290
291
7.39k
  elf_ident = (elf_ident_t*) buffer;
292
293
7.39k
  if (yr_le32toh(elf_ident->magic) == ELF_MAGIC)
294
7.14k
  {
295
7.14k
    return CLASS_DATA(elf_ident->_class, elf_ident->data);
296
7.14k
  }
297
246
  else
298
246
  {
299
246
    return 0;
300
246
  }
301
7.39k
}
302
303
static bool is_valid_ptr(
304
    const void* base,
305
    size_t size,
306
    const void* ptr,
307
    uint64_t ptr_size)  // ptr_size can be 64bit even in 32bit systems.
308
2.33M
{
309
2.33M
  return ptr >= base && ptr_size <= size &&
310
2.33M
         ((char*) ptr) + ptr_size <= ((char*) base) + size;
311
2.33M
}
312
313
#define IS_VALID_PTR(base, size, ptr) \
314
2.34M
  is_valid_ptr(base, size, ptr, sizeof(*ptr))
315
316
//
317
// Returns a string table entry for the index or NULL if the entry is out
318
// of bounds. A non-null return value will be a null-terminated C string.
319
//
320
static const char* str_table_entry(
321
    const char* str_table_base,
322
    const char* str_table_limit,
323
    int index)
324
278k
{
325
278k
  size_t len;
326
278k
  const char* str_entry;
327
328
278k
  if (str_table_base >= str_table_limit)
329
2.56k
    return NULL;
330
331
  // The first entry in the string table must be a null character, if not the
332
  // string table is probably corrupted.
333
275k
  if (*str_table_base != '\0')
334
77.7k
    return NULL;
335
336
197k
  if (index < 0)
337
25.8k
    return NULL;
338
339
171k
  str_entry = str_table_base + index;
340
341
171k
  if (str_entry >= str_table_limit)
342
48.7k
    return NULL;
343
344
123k
  len = strnlen(str_entry, str_table_limit - str_entry);
345
346
  // Entry is clamped by extent of string table, not null-terminated.
347
123k
  if (str_entry + len == str_table_limit)
348
2.90k
    return NULL;
349
350
120k
  return str_entry;
351
123k
}
352
353
#define ELF_SIZE_OF_SECTION_TABLE(bits, bo, h) \
354
8.34k
  (sizeof(elf##bits##_section_header_t) * yr_##bo##16toh(h->sh_entry_count))
355
356
#define ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, h) \
357
2.30k
  (sizeof(elf##bits##_program_header_t) * yr_##bo##16toh(h->ph_entry_count))
358
359
#define ELF_RVA_TO_OFFSET(bits, bo)                                                \
360
  uint64_t elf_rva_to_offset_##bits##_##bo(                                        \
361
      elf##bits##_header_t* elf_header, uint64_t rva, size_t elf_size)             \
362
6.16k
  {                                                                                \
363
6.16k
    if (yr_##bo##16toh(elf_header->type) == ELF_ET_EXEC)                           \
364
6.16k
    {                                                                              \
365
1.45k
      int i;                                                                       \
366
1.45k
                                                                                   \
367
1.45k
      elf##bits##_program_header_t* program;                                       \
368
1.45k
                                                                                   \
369
1.45k
      /* check that ph_offset doesn't wrap when added to SIZE_OF_PROGRAM_TABLE     \
370
1.45k
       */                                                                          \
371
1.45k
                                                                                   \
372
1.45k
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->ph_offset) <                  \
373
1.45k
          ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header))                         \
374
1.45k
      {                                                                            \
375
5
        return YR_UNDEFINED;                                                       \
376
5
      }                                                                            \
377
1.45k
                                                                                   \
378
1.45k
      if (yr_##bo##bits##toh(elf_header->ph_offset) == 0 ||                        \
379
1.44k
          yr_##bo##bits##toh(elf_header->ph_offset) > elf_size ||                  \
380
1.44k
          yr_##bo##bits##toh(elf_header->ph_offset) +                              \
381
858
                  ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header) >                \
382
858
              elf_size ||                                                          \
383
1.44k
          yr_##bo##16toh(elf_header->ph_entry_count) == 0)                         \
384
1.44k
      {                                                                            \
385
733
        return YR_UNDEFINED;                                                       \
386
733
      }                                                                            \
387
1.44k
                                                                                   \
388
1.44k
      program = (elf##bits##_program_header_t*)                                  \
389
712
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->ph_offset)); \
390
712
                                                                                   \
391
13.2k
      for (i = 0; i < yr_##bo##16toh(elf_header->ph_entry_count); i++)             \
392
12.8k
      {                                                                            \
393
12.8k
        if (rva >= yr_##bo##bits##toh(program->virt_addr) &&                       \
394
12.8k
            rva < yr_##bo##bits##toh(program->virt_addr) +                         \
395
11.1k
                      yr_##bo##bits##toh(program->mem_size))                       \
396
12.8k
        {                                                                          \
397
279
          return yr_##bo##bits##toh(program->offset) +                             \
398
279
                 (rva - yr_##bo##bits##toh(program->virt_addr));                   \
399
279
        }                                                                          \
400
12.8k
                                                                                   \
401
12.8k
        program++;                                                                 \
402
12.5k
      }                                                                            \
403
712
    }                                                                              \
404
6.16k
    else                                                                           \
405
6.16k
    {                                                                              \
406
4.71k
      int i;                                                                       \
407
4.71k
                                                                                   \
408
4.71k
      elf##bits##_section_header_t* section;                                       \
409
4.71k
                                                                                   \
410
4.71k
      /* check that sh_offset doesn't wrap when added to SIZE_OF_SECTION_TABLE     \
411
4.71k
       */                                                                          \
412
4.71k
                                                                                   \
413
4.71k
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->sh_offset) <                  \
414
4.71k
          ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header))                         \
415
4.71k
      {                                                                            \
416
15
        return YR_UNDEFINED;                                                       \
417
15
      }                                                                            \
418
4.71k
                                                                                   \
419
4.71k
      if (yr_##bo##bits##toh(elf_header->sh_offset) == 0 ||                        \
420
4.69k
          yr_##bo##bits##toh(elf_header->sh_offset) > elf_size ||                  \
421
4.69k
          yr_##bo##bits##toh(elf_header->sh_offset) +                              \
422
3.63k
                  ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header) >                \
423
3.63k
              elf_size ||                                                          \
424
4.69k
          yr_##bo##16toh(elf_header->sh_entry_count) == 0)                         \
425
4.69k
      {                                                                            \
426
1.25k
        return YR_UNDEFINED;                                                       \
427
1.25k
      }                                                                            \
428
4.69k
                                                                                   \
429
4.69k
      section = (elf##bits##_section_header_t*)                                  \
430
3.44k
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->sh_offset)); \
431
3.44k
                                                                                   \
432
42.6k
      for (i = 0; i < yr_##bo##16toh(elf_header->sh_entry_count); i++)             \
433
40.5k
      {                                                                            \
434
40.5k
        if (yr_##bo##32toh(section->type) != ELF_SHT_NULL &&                       \
435
40.5k
            yr_##bo##32toh(section->type) != ELF_SHT_NOBITS &&                     \
436
40.5k
            rva >= yr_##bo##bits##toh(section->addr) &&                            \
437
40.5k
            rva < yr_##bo##bits##toh(section->addr) +                              \
438
24.8k
                      yr_##bo##bits##toh(section->size))                           \
439
40.5k
        {                                                                          \
440
1.35k
          return yr_##bo##bits##toh(section->offset) +                             \
441
1.35k
                 (rva - yr_##bo##bits##toh(section->addr));                        \
442
1.35k
        }                                                                          \
443
40.5k
                                                                                   \
444
40.5k
        section++;                                                                 \
445
39.2k
      }                                                                            \
446
3.44k
    }                                                                              \
447
6.16k
    return YR_UNDEFINED;                                                           \
448
6.16k
  }
elf_rva_to_offset_32_le
Line
Count
Source
362
1.21k
  {                                                                                \
363
1.21k
    if (yr_##bo##16toh(elf_header->type) == ELF_ET_EXEC)                           \
364
1.21k
    {                                                                              \
365
323
      int i;                                                                       \
366
323
                                                                                   \
367
323
      elf##bits##_program_header_t* program;                                       \
368
323
                                                                                   \
369
323
      /* check that ph_offset doesn't wrap when added to SIZE_OF_PROGRAM_TABLE     \
370
323
       */                                                                          \
371
323
                                                                                   \
372
323
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->ph_offset) <                  \
373
323
          ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header))                         \
374
323
      {                                                                            \
375
0
        return YR_UNDEFINED;                                                       \
376
0
      }                                                                            \
377
323
                                                                                   \
378
323
      if (yr_##bo##bits##toh(elf_header->ph_offset) == 0 ||                        \
379
323
          yr_##bo##bits##toh(elf_header->ph_offset) > elf_size ||                  \
380
323
          yr_##bo##bits##toh(elf_header->ph_offset) +                              \
381
228
                  ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header) >                \
382
228
              elf_size ||                                                          \
383
323
          yr_##bo##16toh(elf_header->ph_entry_count) == 0)                         \
384
323
      {                                                                            \
385
139
        return YR_UNDEFINED;                                                       \
386
139
      }                                                                            \
387
323
                                                                                   \
388
323
      program = (elf##bits##_program_header_t*)                                  \
389
184
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->ph_offset)); \
390
184
                                                                                   \
391
5.75k
      for (i = 0; i < yr_##bo##16toh(elf_header->ph_entry_count); i++)             \
392
5.65k
      {                                                                            \
393
5.65k
        if (rva >= yr_##bo##bits##toh(program->virt_addr) &&                       \
394
5.65k
            rva < yr_##bo##bits##toh(program->virt_addr) +                         \
395
5.26k
                      yr_##bo##bits##toh(program->mem_size))                       \
396
5.65k
        {                                                                          \
397
88
          return yr_##bo##bits##toh(program->offset) +                             \
398
88
                 (rva - yr_##bo##bits##toh(program->virt_addr));                   \
399
88
        }                                                                          \
400
5.65k
                                                                                   \
401
5.65k
        program++;                                                                 \
402
5.56k
      }                                                                            \
403
184
    }                                                                              \
404
1.21k
    else                                                                           \
405
1.21k
    {                                                                              \
406
887
      int i;                                                                       \
407
887
                                                                                   \
408
887
      elf##bits##_section_header_t* section;                                       \
409
887
                                                                                   \
410
887
      /* check that sh_offset doesn't wrap when added to SIZE_OF_SECTION_TABLE     \
411
887
       */                                                                          \
412
887
                                                                                   \
413
887
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->sh_offset) <                  \
414
887
          ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header))                         \
415
887
      {                                                                            \
416
0
        return YR_UNDEFINED;                                                       \
417
0
      }                                                                            \
418
887
                                                                                   \
419
887
      if (yr_##bo##bits##toh(elf_header->sh_offset) == 0 ||                        \
420
887
          yr_##bo##bits##toh(elf_header->sh_offset) > elf_size ||                  \
421
887
          yr_##bo##bits##toh(elf_header->sh_offset) +                              \
422
691
                  ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header) >                \
423
691
              elf_size ||                                                          \
424
887
          yr_##bo##16toh(elf_header->sh_entry_count) == 0)                         \
425
887
      {                                                                            \
426
247
        return YR_UNDEFINED;                                                       \
427
247
      }                                                                            \
428
887
                                                                                   \
429
887
      section = (elf##bits##_section_header_t*)                                  \
430
640
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->sh_offset)); \
431
640
                                                                                   \
432
8.11k
      for (i = 0; i < yr_##bo##16toh(elf_header->sh_entry_count); i++)             \
433
7.69k
      {                                                                            \
434
7.69k
        if (yr_##bo##32toh(section->type) != ELF_SHT_NULL &&                       \
435
7.69k
            yr_##bo##32toh(section->type) != ELF_SHT_NOBITS &&                     \
436
7.69k
            rva >= yr_##bo##bits##toh(section->addr) &&                            \
437
7.69k
            rva < yr_##bo##bits##toh(section->addr) +                              \
438
3.75k
                      yr_##bo##bits##toh(section->size))                           \
439
7.69k
        {                                                                          \
440
227
          return yr_##bo##bits##toh(section->offset) +                             \
441
227
                 (rva - yr_##bo##bits##toh(section->addr));                        \
442
227
        }                                                                          \
443
7.69k
                                                                                   \
444
7.69k
        section++;                                                                 \
445
7.47k
      }                                                                            \
446
640
    }                                                                              \
447
1.21k
    return YR_UNDEFINED;                                                           \
448
1.21k
  }
elf_rva_to_offset_64_le
Line
Count
Source
362
1.81k
  {                                                                                \
363
1.81k
    if (yr_##bo##16toh(elf_header->type) == ELF_ET_EXEC)                           \
364
1.81k
    {                                                                              \
365
434
      int i;                                                                       \
366
434
                                                                                   \
367
434
      elf##bits##_program_header_t* program;                                       \
368
434
                                                                                   \
369
434
      /* check that ph_offset doesn't wrap when added to SIZE_OF_PROGRAM_TABLE     \
370
434
       */                                                                          \
371
434
                                                                                   \
372
434
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->ph_offset) <                  \
373
434
          ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header))                         \
374
434
      {                                                                            \
375
1
        return YR_UNDEFINED;                                                       \
376
1
      }                                                                            \
377
434
                                                                                   \
378
434
      if (yr_##bo##bits##toh(elf_header->ph_offset) == 0 ||                        \
379
433
          yr_##bo##bits##toh(elf_header->ph_offset) > elf_size ||                  \
380
433
          yr_##bo##bits##toh(elf_header->ph_offset) +                              \
381
234
                  ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header) >                \
382
234
              elf_size ||                                                          \
383
433
          yr_##bo##16toh(elf_header->ph_entry_count) == 0)                         \
384
433
      {                                                                            \
385
228
        return YR_UNDEFINED;                                                       \
386
228
      }                                                                            \
387
433
                                                                                   \
388
433
      program = (elf##bits##_program_header_t*)                                  \
389
205
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->ph_offset)); \
390
205
                                                                                   \
391
2.64k
      for (i = 0; i < yr_##bo##16toh(elf_header->ph_entry_count); i++)             \
392
2.51k
      {                                                                            \
393
2.51k
        if (rva >= yr_##bo##bits##toh(program->virt_addr) &&                       \
394
2.51k
            rva < yr_##bo##bits##toh(program->virt_addr) +                         \
395
2.09k
                      yr_##bo##bits##toh(program->mem_size))                       \
396
2.51k
        {                                                                          \
397
73
          return yr_##bo##bits##toh(program->offset) +                             \
398
73
                 (rva - yr_##bo##bits##toh(program->virt_addr));                   \
399
73
        }                                                                          \
400
2.51k
                                                                                   \
401
2.51k
        program++;                                                                 \
402
2.44k
      }                                                                            \
403
205
    }                                                                              \
404
1.81k
    else                                                                           \
405
1.81k
    {                                                                              \
406
1.37k
      int i;                                                                       \
407
1.37k
                                                                                   \
408
1.37k
      elf##bits##_section_header_t* section;                                       \
409
1.37k
                                                                                   \
410
1.37k
      /* check that sh_offset doesn't wrap when added to SIZE_OF_SECTION_TABLE     \
411
1.37k
       */                                                                          \
412
1.37k
                                                                                   \
413
1.37k
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->sh_offset) <                  \
414
1.37k
          ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header))                         \
415
1.37k
      {                                                                            \
416
11
        return YR_UNDEFINED;                                                       \
417
11
      }                                                                            \
418
1.37k
                                                                                   \
419
1.37k
      if (yr_##bo##bits##toh(elf_header->sh_offset) == 0 ||                        \
420
1.36k
          yr_##bo##bits##toh(elf_header->sh_offset) > elf_size ||                  \
421
1.36k
          yr_##bo##bits##toh(elf_header->sh_offset) +                              \
422
1.02k
                  ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header) >                \
423
1.02k
              elf_size ||                                                          \
424
1.36k
          yr_##bo##16toh(elf_header->sh_entry_count) == 0)                         \
425
1.36k
      {                                                                            \
426
383
        return YR_UNDEFINED;                                                       \
427
383
      }                                                                            \
428
1.36k
                                                                                   \
429
1.36k
      section = (elf##bits##_section_header_t*)                                  \
430
983
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->sh_offset)); \
431
983
                                                                                   \
432
10.4k
      for (i = 0; i < yr_##bo##16toh(elf_header->sh_entry_count); i++)             \
433
9.99k
      {                                                                            \
434
9.99k
        if (yr_##bo##32toh(section->type) != ELF_SHT_NULL &&                       \
435
9.99k
            yr_##bo##32toh(section->type) != ELF_SHT_NOBITS &&                     \
436
9.99k
            rva >= yr_##bo##bits##toh(section->addr) &&                            \
437
9.99k
            rva < yr_##bo##bits##toh(section->addr) +                              \
438
7.02k
                      yr_##bo##bits##toh(section->size))                           \
439
9.99k
        {                                                                          \
440
566
          return yr_##bo##bits##toh(section->offset) +                             \
441
566
                 (rva - yr_##bo##bits##toh(section->addr));                        \
442
566
        }                                                                          \
443
9.99k
                                                                                   \
444
9.99k
        section++;                                                                 \
445
9.42k
      }                                                                            \
446
983
    }                                                                              \
447
1.81k
    return YR_UNDEFINED;                                                           \
448
1.81k
  }
elf_rva_to_offset_32_be
Line
Count
Source
362
1.27k
  {                                                                                \
363
1.27k
    if (yr_##bo##16toh(elf_header->type) == ELF_ET_EXEC)                           \
364
1.27k
    {                                                                              \
365
289
      int i;                                                                       \
366
289
                                                                                   \
367
289
      elf##bits##_program_header_t* program;                                       \
368
289
                                                                                   \
369
289
      /* check that ph_offset doesn't wrap when added to SIZE_OF_PROGRAM_TABLE     \
370
289
       */                                                                          \
371
289
                                                                                   \
372
289
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->ph_offset) <                  \
373
289
          ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header))                         \
374
289
      {                                                                            \
375
0
        return YR_UNDEFINED;                                                       \
376
0
      }                                                                            \
377
289
                                                                                   \
378
289
      if (yr_##bo##bits##toh(elf_header->ph_offset) == 0 ||                        \
379
289
          yr_##bo##bits##toh(elf_header->ph_offset) > elf_size ||                  \
380
289
          yr_##bo##bits##toh(elf_header->ph_offset) +                              \
381
192
                  ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header) >                \
382
192
              elf_size ||                                                          \
383
289
          yr_##bo##16toh(elf_header->ph_entry_count) == 0)                         \
384
289
      {                                                                            \
385
135
        return YR_UNDEFINED;                                                       \
386
135
      }                                                                            \
387
289
                                                                                   \
388
289
      program = (elf##bits##_program_header_t*)                                  \
389
154
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->ph_offset)); \
390
154
                                                                                   \
391
968
      for (i = 0; i < yr_##bo##16toh(elf_header->ph_entry_count); i++)             \
392
873
      {                                                                            \
393
873
        if (rva >= yr_##bo##bits##toh(program->virt_addr) &&                       \
394
873
            rva < yr_##bo##bits##toh(program->virt_addr) +                         \
395
558
                      yr_##bo##bits##toh(program->mem_size))                       \
396
873
        {                                                                          \
397
59
          return yr_##bo##bits##toh(program->offset) +                             \
398
59
                 (rva - yr_##bo##bits##toh(program->virt_addr));                   \
399
59
        }                                                                          \
400
873
                                                                                   \
401
873
        program++;                                                                 \
402
814
      }                                                                            \
403
154
    }                                                                              \
404
1.27k
    else                                                                           \
405
1.27k
    {                                                                              \
406
983
      int i;                                                                       \
407
983
                                                                                   \
408
983
      elf##bits##_section_header_t* section;                                       \
409
983
                                                                                   \
410
983
      /* check that sh_offset doesn't wrap when added to SIZE_OF_SECTION_TABLE     \
411
983
       */                                                                          \
412
983
                                                                                   \
413
983
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->sh_offset) <                  \
414
983
          ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header))                         \
415
983
      {                                                                            \
416
0
        return YR_UNDEFINED;                                                       \
417
0
      }                                                                            \
418
983
                                                                                   \
419
983
      if (yr_##bo##bits##toh(elf_header->sh_offset) == 0 ||                        \
420
983
          yr_##bo##bits##toh(elf_header->sh_offset) > elf_size ||                  \
421
983
          yr_##bo##bits##toh(elf_header->sh_offset) +                              \
422
803
                  ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header) >                \
423
803
              elf_size ||                                                          \
424
983
          yr_##bo##16toh(elf_header->sh_entry_count) == 0)                         \
425
983
      {                                                                            \
426
229
        return YR_UNDEFINED;                                                       \
427
229
      }                                                                            \
428
983
                                                                                   \
429
983
      section = (elf##bits##_section_header_t*)                                  \
430
754
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->sh_offset)); \
431
754
                                                                                   \
432
14.1k
      for (i = 0; i < yr_##bo##16toh(elf_header->sh_entry_count); i++)             \
433
13.5k
      {                                                                            \
434
13.5k
        if (yr_##bo##32toh(section->type) != ELF_SHT_NULL &&                       \
435
13.5k
            yr_##bo##32toh(section->type) != ELF_SHT_NOBITS &&                     \
436
13.5k
            rva >= yr_##bo##bits##toh(section->addr) &&                            \
437
13.5k
            rva < yr_##bo##bits##toh(section->addr) +                              \
438
8.56k
                      yr_##bo##bits##toh(section->size))                           \
439
13.5k
        {                                                                          \
440
191
          return yr_##bo##bits##toh(section->offset) +                             \
441
191
                 (rva - yr_##bo##bits##toh(section->addr));                        \
442
191
        }                                                                          \
443
13.5k
                                                                                   \
444
13.5k
        section++;                                                                 \
445
13.3k
      }                                                                            \
446
754
    }                                                                              \
447
1.27k
    return YR_UNDEFINED;                                                           \
448
1.27k
  }
elf_rva_to_offset_64_be
Line
Count
Source
362
1.87k
  {                                                                                \
363
1.87k
    if (yr_##bo##16toh(elf_header->type) == ELF_ET_EXEC)                           \
364
1.87k
    {                                                                              \
365
404
      int i;                                                                       \
366
404
                                                                                   \
367
404
      elf##bits##_program_header_t* program;                                       \
368
404
                                                                                   \
369
404
      /* check that ph_offset doesn't wrap when added to SIZE_OF_PROGRAM_TABLE     \
370
404
       */                                                                          \
371
404
                                                                                   \
372
404
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->ph_offset) <                  \
373
404
          ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header))                         \
374
404
      {                                                                            \
375
4
        return YR_UNDEFINED;                                                       \
376
4
      }                                                                            \
377
404
                                                                                   \
378
404
      if (yr_##bo##bits##toh(elf_header->ph_offset) == 0 ||                        \
379
400
          yr_##bo##bits##toh(elf_header->ph_offset) > elf_size ||                  \
380
400
          yr_##bo##bits##toh(elf_header->ph_offset) +                              \
381
204
                  ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header) >                \
382
204
              elf_size ||                                                          \
383
400
          yr_##bo##16toh(elf_header->ph_entry_count) == 0)                         \
384
400
      {                                                                            \
385
231
        return YR_UNDEFINED;                                                       \
386
231
      }                                                                            \
387
400
                                                                                   \
388
400
      program = (elf##bits##_program_header_t*)                                  \
389
169
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->ph_offset)); \
390
169
                                                                                   \
391
3.88k
      for (i = 0; i < yr_##bo##16toh(elf_header->ph_entry_count); i++)             \
392
3.77k
      {                                                                            \
393
3.77k
        if (rva >= yr_##bo##bits##toh(program->virt_addr) &&                       \
394
3.77k
            rva < yr_##bo##bits##toh(program->virt_addr) +                         \
395
3.19k
                      yr_##bo##bits##toh(program->mem_size))                       \
396
3.77k
        {                                                                          \
397
59
          return yr_##bo##bits##toh(program->offset) +                             \
398
59
                 (rva - yr_##bo##bits##toh(program->virt_addr));                   \
399
59
        }                                                                          \
400
3.77k
                                                                                   \
401
3.77k
        program++;                                                                 \
402
3.71k
      }                                                                            \
403
169
    }                                                                              \
404
1.87k
    else                                                                           \
405
1.87k
    {                                                                              \
406
1.46k
      int i;                                                                       \
407
1.46k
                                                                                   \
408
1.46k
      elf##bits##_section_header_t* section;                                       \
409
1.46k
                                                                                   \
410
1.46k
      /* check that sh_offset doesn't wrap when added to SIZE_OF_SECTION_TABLE     \
411
1.46k
       */                                                                          \
412
1.46k
                                                                                   \
413
1.46k
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->sh_offset) <                  \
414
1.46k
          ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header))                         \
415
1.46k
      {                                                                            \
416
4
        return YR_UNDEFINED;                                                       \
417
4
      }                                                                            \
418
1.46k
                                                                                   \
419
1.46k
      if (yr_##bo##bits##toh(elf_header->sh_offset) == 0 ||                        \
420
1.46k
          yr_##bo##bits##toh(elf_header->sh_offset) > elf_size ||                  \
421
1.46k
          yr_##bo##bits##toh(elf_header->sh_offset) +                              \
422
1.11k
                  ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header) >                \
423
1.11k
              elf_size ||                                                          \
424
1.46k
          yr_##bo##16toh(elf_header->sh_entry_count) == 0)                         \
425
1.46k
      {                                                                            \
426
396
        return YR_UNDEFINED;                                                       \
427
396
      }                                                                            \
428
1.46k
                                                                                   \
429
1.46k
      section = (elf##bits##_section_header_t*)                                  \
430
1.06k
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->sh_offset)); \
431
1.06k
                                                                                   \
432
10.0k
      for (i = 0; i < yr_##bo##16toh(elf_header->sh_entry_count); i++)             \
433
9.30k
      {                                                                            \
434
9.30k
        if (yr_##bo##32toh(section->type) != ELF_SHT_NULL &&                       \
435
9.30k
            yr_##bo##32toh(section->type) != ELF_SHT_NOBITS &&                     \
436
9.30k
            rva >= yr_##bo##bits##toh(section->addr) &&                            \
437
9.30k
            rva < yr_##bo##bits##toh(section->addr) +                              \
438
5.52k
                      yr_##bo##bits##toh(section->size))                           \
439
9.30k
        {                                                                          \
440
371
          return yr_##bo##bits##toh(section->offset) +                             \
441
371
                 (rva - yr_##bo##bits##toh(section->addr));                        \
442
371
        }                                                                          \
443
9.30k
                                                                                   \
444
9.30k
        section++;                                                                 \
445
8.93k
      }                                                                            \
446
1.06k
    }                                                                              \
447
1.87k
    return YR_UNDEFINED;                                                           \
448
1.87k
  }
449
450
#define PARSE_ELF_HEADER(bits, bo)                                                        \
451
  int parse_elf_header_##bits##_##bo(                                                     \
452
      ELF* elf_data,                                                                      \
453
      elf##bits##_header_t* elf,                                                          \
454
      uint64_t base_address,                                                              \
455
      size_t elf_size,                                                                    \
456
      int flags,                                                                          \
457
      YR_OBJECT* elf_obj)                                                                 \
458
6.37k
  {                                                                                       \
459
6.37k
    unsigned int i, j, m;                                                                 \
460
6.37k
    const char* elf_raw = (const char*) elf;                                              \
461
6.37k
    uint16_t str_table_index = yr_##bo##16toh(elf->sh_str_table_index);                   \
462
6.37k
                                                                                          \
463
6.37k
    const char* sym_table = NULL;                                                         \
464
6.37k
    const char* sym_str_table = NULL;                                                     \
465
6.37k
    const char* dyn_sym_table = NULL;                                                     \
466
6.37k
    const char* dyn_sym_str_table = NULL;                                                 \
467
6.37k
                                                                                          \
468
6.37k
    uint##bits##_t sym_table_size = 0;                                                    \
469
6.37k
    uint##bits##_t sym_str_table_size = 0;                                                \
470
6.37k
    uint##bits##_t dyn_sym_table_size = 0;                                                \
471
6.37k
    uint##bits##_t dyn_sym_str_table_size = 0;                                            \
472
6.37k
                                                                                          \
473
6.37k
    elf_data->symtab = elf_data->dynsym = NULL;                                           \
474
6.37k
                                                                                          \
475
6.37k
    elf##bits##_section_header_t* section_table;                                          \
476
6.37k
    elf##bits##_section_header_t* section;                                                \
477
6.37k
    elf##bits##_program_header_t* segment;                                                \
478
6.37k
                                                                                          \
479
6.37k
    yr_set_integer(yr_##bo##16toh(elf->type), elf_obj, "type");                           \
480
6.37k
    yr_set_integer(yr_##bo##16toh(elf->machine), elf_obj, "machine");                     \
481
6.37k
    yr_set_integer(yr_##bo##bits##toh(elf->sh_offset), elf_obj, "sh_offset");             \
482
6.37k
    yr_set_integer(                                                                       \
483
6.37k
        yr_##bo##16toh(elf->sh_entry_size), elf_obj, "sh_entry_size");                    \
484
6.37k
    yr_set_integer(                                                                       \
485
6.37k
        yr_##bo##16toh(elf->sh_entry_count), elf_obj, "number_of_sections");              \
486
6.37k
    yr_set_integer(yr_##bo##bits##toh(elf->ph_offset), elf_obj, "ph_offset");             \
487
6.37k
    yr_set_integer(                                                                       \
488
6.37k
        yr_##bo##16toh(elf->ph_entry_size), elf_obj, "ph_entry_size");                    \
489
6.37k
    yr_set_integer(                                                                       \
490
6.37k
        yr_##bo##16toh(elf->ph_entry_count), elf_obj, "number_of_segments");              \
491
6.37k
                                                                                          \
492
6.37k
    if (yr_##bo##bits##toh(elf->entry) != 0)                                              \
493
6.37k
    {                                                                                     \
494
6.16k
      yr_set_integer(                                                                     \
495
6.16k
          flags& SCAN_FLAGS_PROCESS_MEMORY                                                \
496
6.16k
              ? base_address + yr_##bo##bits##toh(elf->entry)                             \
497
6.16k
              : elf_rva_to_offset_##bits##_##bo(                                          \
498
6.16k
                    elf, yr_##bo##bits##toh(elf->entry), elf_size),                       \
499
6.16k
          elf_obj,                                                                        \
500
6.16k
          "entry_point");                                                                 \
501
6.16k
    }                                                                                     \
502
6.37k
                                                                                          \
503
6.37k
    if (yr_##bo##16toh(elf->sh_entry_count) < ELF_SHN_LORESERVE &&                        \
504
6.37k
        str_table_index < yr_##bo##16toh(elf->sh_entry_count) &&                          \
505
6.37k
        yr_##bo##bits##toh(elf->sh_offset) < elf_size &&                                  \
506
6.37k
        yr_##bo##bits##toh(elf->sh_offset) +                                              \
507
3.85k
                yr_##bo##16toh(elf->sh_entry_count) *                                     \
508
3.85k
                    sizeof(elf##bits##_section_header_t) <=                               \
509
3.85k
            elf_size)                                                                     \
510
6.37k
    {                                                                                     \
511
3.65k
      const char* str_table = NULL;                                                       \
512
3.65k
                                                                                          \
513
3.65k
      section_table =                                                                     \
514
3.65k
          (elf##bits##_section_header_t*) (elf_raw + yr_##bo##bits##toh(elf->sh_offset)); \
515
3.65k
                                                                                          \
516
3.65k
      if (yr_##bo##bits##toh(section_table[str_table_index].offset) <                     \
517
3.65k
          elf_size)                                                                       \
518
3.65k
      {                                                                                   \
519
1.78k
        str_table = elf_raw +                                                             \
520
1.78k
                    yr_##bo##bits##toh(section_table[str_table_index].offset);            \
521
1.78k
      }                                                                                   \
522
3.65k
                                                                                          \
523
3.65k
      section = section_table;                                                            \
524
3.65k
                                                                                          \
525
466k
      for (i = 0; i < yr_##bo##16toh(elf->sh_entry_count); i++, section++)                \
526
462k
      {                                                                                   \
527
462k
        yr_set_integer(                                                                   \
528
462k
            yr_##bo##32toh(section->type), elf_obj, "sections[%i].type", i);              \
529
462k
        yr_set_integer(                                                                   \
530
462k
            yr_##bo##bits##toh(section->flags),                                           \
531
462k
            elf_obj,                                                                      \
532
462k
            "sections[%i].flags",                                                         \
533
462k
            i);                                                                           \
534
462k
        yr_set_integer(                                                                   \
535
462k
            yr_##bo##bits##toh(section->addr),                                            \
536
462k
            elf_obj,                                                                      \
537
462k
            "sections[%i].address",                                                       \
538
462k
            i);                                                                           \
539
462k
        yr_set_integer(                                                                   \
540
462k
            yr_##bo##bits##toh(section->size),                                            \
541
462k
            elf_obj,                                                                      \
542
462k
            "sections[%i].size",                                                          \
543
462k
            i);                                                                           \
544
462k
        yr_set_integer(                                                                   \
545
462k
            yr_##bo##bits##toh(section->offset),                                          \
546
462k
            elf_obj,                                                                      \
547
462k
            "sections[%i].offset",                                                        \
548
462k
            i);                                                                           \
549
462k
                                                                                          \
550
462k
        if (yr_##bo##32toh(section->name) < elf_size && str_table > elf_raw)              \
551
462k
        {                                                                                 \
552
122k
          const char* section_name = str_table_entry(                                     \
553
122k
              str_table, elf_raw + elf_size, yr_##bo##32toh(section->name));              \
554
122k
                                                                                          \
555
122k
          if (section_name)                                                               \
556
122k
            yr_set_string(section_name, elf_obj, "sections[%i].name", i);                 \
557
122k
        }                                                                                 \
558
462k
                                                                                          \
559
462k
        if (yr_##bo##32toh(section->type) == ELF_SHT_SYMTAB &&                            \
560
462k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
561
462k
        {                                                                                 \
562
10.0k
          elf##bits##_section_header_t* string_section = section_table +                  \
563
10.0k
                                                         yr_##bo##32toh(                  \
564
10.0k
                                                             section->link);              \
565
10.0k
                                                                                          \
566
10.0k
          if (IS_VALID_PTR(elf, elf_size, string_section) &&                              \
567
10.0k
              yr_##bo##32toh(string_section->type) == ELF_SHT_STRTAB)                     \
568
10.0k
          {                                                                               \
569
5.69k
            sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                    \
570
5.69k
            sym_str_table = elf_raw +                                                     \
571
5.69k
                            yr_##bo##bits##toh(string_section->offset);                   \
572
5.69k
            sym_table_size = yr_##bo##bits##toh(section->size);                           \
573
5.69k
            sym_str_table_size = yr_##bo##bits##toh(string_section->size);                \
574
5.69k
          }                                                                               \
575
10.0k
        }                                                                                 \
576
462k
                                                                                          \
577
462k
        if (yr_##bo##32toh(section->type) == ELF_SHT_DYNSYM &&                            \
578
462k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
579
462k
        {                                                                                 \
580
4.33k
          elf##bits##_section_header_t* dynstr_section = section_table +                  \
581
4.33k
                                                         yr_##bo##32toh(                  \
582
4.33k
                                                             section->link);              \
583
4.33k
                                                                                          \
584
4.33k
          if (IS_VALID_PTR(elf, elf_size, dynstr_section) &&                              \
585
4.33k
              yr_##bo##32toh(dynstr_section->type) == ELF_SHT_STRTAB)                     \
586
4.33k
          {                                                                               \
587
2.03k
            dyn_sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                \
588
2.03k
            dyn_sym_str_table = elf_raw +                                                 \
589
2.03k
                                yr_##bo##bits##toh(dynstr_section->offset);               \
590
2.03k
            dyn_sym_table_size = yr_##bo##bits##toh(section->size);                       \
591
2.03k
            dyn_sym_str_table_size = yr_##bo##bits##toh(dynstr_section->size);            \
592
2.03k
          }                                                                               \
593
4.33k
        }                                                                                 \
594
462k
      }                                                                                   \
595
3.65k
                                                                                          \
596
3.65k
      if (is_valid_ptr(elf, elf_size, sym_str_table, sym_str_table_size) &&               \
597
3.65k
          is_valid_ptr(elf, elf_size, sym_table, sym_table_size))                         \
598
3.65k
      {                                                                                   \
599
532
        elf##bits##_sym_t* sym = (elf##bits##_sym_t*) sym_table;                          \
600
532
        elf_data->symtab = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
601
532
            sizeof(ELF_SYMBOL_LIST));                                                     \
602
532
                                                                                          \
603
532
        if (elf_data->symtab == NULL)                                                     \
604
532
          return ERROR_INSUFFICIENT_MEMORY;                                               \
605
532
                                                                                          \
606
532
        ELF_SYMBOL** symbol = &(elf_data->symtab->symbols);                               \
607
532
        *symbol = NULL;                                                                   \
608
532
                                                                                          \
609
83.0k
        for (j = 0; j < sym_table_size / sizeof(elf##bits##_sym_t);                       \
610
82.5k
             j++, sym++)                                                                  \
611
82.5k
        {                                                                                 \
612
82.5k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
613
82.5k
          if (*symbol == NULL)                                                            \
614
82.5k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
615
82.5k
                                                                                          \
616
82.5k
          (*symbol)->name = NULL;                                                         \
617
82.5k
          (*symbol)->next = NULL;                                                         \
618
82.5k
                                                                                          \
619
82.5k
          const char* sym_name = str_table_entry(                                         \
620
82.5k
              sym_str_table,                                                              \
621
82.5k
              sym_str_table + sym_str_table_size,                                         \
622
82.5k
              yr_##bo##32toh(sym->name));                                                 \
623
82.5k
                                                                                          \
624
82.5k
          if (sym_name)                                                                   \
625
82.5k
          {                                                                               \
626
17.9k
            yr_set_string(sym_name, elf_obj, "symtab[%i].name", j);                       \
627
17.9k
            (*symbol)->name = (char*) yr_malloc(strlen(sym_name) + 1);                    \
628
17.9k
            if ((*symbol)->name == NULL)                                                  \
629
17.9k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
630
17.9k
                                                                                          \
631
17.9k
            strcpy((*symbol)->name, sym_name);                                            \
632
17.9k
          }                                                                               \
633
82.5k
                                                                                          \
634
82.5k
          int bind = sym->info >> 4;                                                      \
635
82.5k
          (*symbol)->bind = bind;                                                         \
636
82.5k
          yr_set_integer(bind, elf_obj, "symtab[%i].bind", j);                            \
637
82.5k
                                                                                          \
638
82.5k
          int type = sym->info & 0xf;                                                     \
639
82.5k
          (*symbol)->type = type;                                                         \
640
82.5k
          yr_set_integer(type, elf_obj, "symtab[%i].type", j);                            \
641
82.5k
                                                                                          \
642
82.5k
          int shndx = yr_##bo##16toh(sym->shndx);                                         \
643
82.5k
          (*symbol)->shndx = shndx;                                                       \
644
82.5k
          yr_set_integer(shndx, elf_obj, "symtab[%i].shndx", j);                          \
645
82.5k
                                                                                          \
646
82.5k
          int value = yr_##bo##bits##toh(sym->value);                                     \
647
82.5k
          (*symbol)->value = value;                                                       \
648
82.5k
          yr_set_integer(                                                                 \
649
82.5k
              yr_##bo##bits##toh(sym->value), elf_obj, "symtab[%i].value", j);            \
650
82.5k
                                                                                          \
651
82.5k
          int size = yr_##bo##bits##toh(sym->size);                                       \
652
82.5k
          (*symbol)->size = size;                                                         \
653
82.5k
          yr_set_integer(                                                                 \
654
82.5k
              yr_##bo##bits##toh(sym->size), elf_obj, "symtab[%i].size", j);              \
655
82.5k
                                                                                          \
656
82.5k
          (*symbol)->visibility = sym->other & 0x3;                                       \
657
82.5k
                                                                                          \
658
82.5k
          symbol = &((*symbol)->next);                                                    \
659
82.5k
        }                                                                                 \
660
532
                                                                                          \
661
532
        elf_data->symtab->count = j;                                                      \
662
532
        yr_set_integer(j, elf_obj, "symtab_entries");                                     \
663
532
      }                                                                                   \
664
3.65k
                                                                                          \
665
3.65k
      if (is_valid_ptr(                                                                   \
666
3.65k
              elf, elf_size, dyn_sym_str_table, dyn_sym_str_table_size) &&                \
667
3.65k
          is_valid_ptr(elf, elf_size, dyn_sym_table, dyn_sym_table_size))                 \
668
3.65k
      {                                                                                   \
669
492
        elf##bits##_sym_t* dynsym = (elf##bits##_sym_t*) dyn_sym_table;                   \
670
492
                                                                                          \
671
492
        elf_data->dynsym = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
672
492
            sizeof(ELF_SYMBOL_LIST));                                                     \
673
492
                                                                                          \
674
492
        if (elf_data->dynsym == NULL)                                                     \
675
492
          return ERROR_INSUFFICIENT_MEMORY;                                               \
676
492
                                                                                          \
677
492
        ELF_SYMBOL** symbol = &(elf_data->dynsym->symbols);                               \
678
492
        *symbol = NULL;                                                                   \
679
492
                                                                                          \
680
73.3k
        for (m = 0; m < dyn_sym_table_size / sizeof(elf##bits##_sym_t);                   \
681
72.8k
             m++, dynsym++)                                                               \
682
72.8k
        {                                                                                 \
683
72.8k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
684
72.8k
          if (*symbol == NULL)                                                            \
685
72.8k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
686
72.8k
                                                                                          \
687
72.8k
          (*symbol)->name = NULL;                                                         \
688
72.8k
          (*symbol)->next = NULL;                                                         \
689
72.8k
                                                                                          \
690
72.8k
          const char* dynsym_name = str_table_entry(                                      \
691
72.8k
              dyn_sym_str_table,                                                          \
692
72.8k
              dyn_sym_str_table + dyn_sym_str_table_size,                                 \
693
72.8k
              yr_##bo##32toh(dynsym->name));                                              \
694
72.8k
                                                                                          \
695
72.8k
          if (dynsym_name)                                                                \
696
72.8k
          {                                                                               \
697
19.9k
            yr_set_string(dynsym_name, elf_obj, "dynsym[%i].name", m);                    \
698
19.9k
            (*symbol)->name = (char*) yr_malloc(strlen(dynsym_name) + 1);                 \
699
19.9k
            if ((*symbol)->name == NULL)                                                  \
700
19.9k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
701
19.9k
                                                                                          \
702
19.9k
            strcpy((*symbol)->name, dynsym_name);                                         \
703
19.9k
          }                                                                               \
704
72.8k
                                                                                          \
705
72.8k
          int bind = dynsym->info >> 4;                                                   \
706
72.8k
          (*symbol)->bind = bind;                                                         \
707
72.8k
          yr_set_integer(dynsym->info >> 4, elf_obj, "dynsym[%i].bind", m);               \
708
72.8k
                                                                                          \
709
72.8k
          int type = dynsym->info & 0xf;                                                  \
710
72.8k
          (*symbol)->type = type;                                                         \
711
72.8k
          yr_set_integer(dynsym->info & 0xf, elf_obj, "dynsym[%i].type", m);              \
712
72.8k
                                                                                          \
713
72.8k
          int shndx = yr_##bo##16toh(dynsym->shndx);                                      \
714
72.8k
          (*symbol)->shndx = shndx;                                                       \
715
72.8k
          yr_set_integer(                                                                 \
716
72.8k
              yr_##bo##16toh(dynsym->shndx), elf_obj, "dynsym[%i].shndx", m);             \
717
72.8k
                                                                                          \
718
72.8k
          int value = yr_##bo##bits##toh(dynsym->value);                                  \
719
72.8k
          (*symbol)->value = value;                                                       \
720
72.8k
          yr_set_integer(                                                                 \
721
72.8k
              yr_##bo##bits##toh(dynsym->value),                                          \
722
72.8k
              elf_obj,                                                                    \
723
72.8k
              "dynsym[%i].value",                                                         \
724
72.8k
              m);                                                                         \
725
72.8k
                                                                                          \
726
72.8k
          int size = yr_##bo##bits##toh(dynsym->size);                                    \
727
72.8k
          (*symbol)->size = size;                                                         \
728
72.8k
          yr_set_integer(                                                                 \
729
72.8k
              yr_##bo##bits##toh(dynsym->size),                                           \
730
72.8k
              elf_obj,                                                                    \
731
72.8k
              "dynsym[%i].size",                                                          \
732
72.8k
              m);                                                                         \
733
72.8k
                                                                                          \
734
72.8k
          (*symbol)->visibility = dynsym->other & 0x3;                                    \
735
72.8k
                                                                                          \
736
72.8k
          symbol = &((*symbol)->next);                                                    \
737
72.8k
        }                                                                                 \
738
492
                                                                                          \
739
492
        elf_data->dynsym->count = m;                                                      \
740
492
        yr_set_integer(m, elf_obj, "dynsym_entries");                                     \
741
492
      }                                                                                   \
742
3.65k
    }                                                                                     \
743
6.37k
                                                                                          \
744
6.37k
    if (yr_##bo##16toh(elf->ph_entry_count) > 0 &&                                        \
745
6.37k
        yr_##bo##16toh(elf->ph_entry_count) < ELF_PN_XNUM &&                              \
746
6.37k
        yr_##bo##bits##toh(elf->ph_offset) < elf_size &&                                  \
747
6.37k
        yr_##bo##bits##toh(elf->ph_offset) +                                              \
748
2.26k
                yr_##bo##16toh(elf->ph_entry_count) *                                     \
749
2.26k
                    sizeof(elf##bits##_program_header_t) <=                               \
750
2.26k
            elf_size)                                                                     \
751
6.37k
    {                                                                                     \
752
1.40k
      segment =                                                                           \
753
1.40k
          (elf##bits##_program_header_t*) (elf_raw + yr_##bo##bits##toh(elf->ph_offset)); \
754
1.40k
                                                                                          \
755
379k
      for (i = 0; i < yr_##bo##16toh(elf->ph_entry_count); i++, segment++)                \
756
378k
      {                                                                                   \
757
378k
        yr_set_integer(                                                                   \
758
378k
            yr_##bo##32toh(segment->type), elf_obj, "segments[%i].type", i);              \
759
378k
        yr_set_integer(                                                                   \
760
378k
            yr_##bo##32toh(segment->flags), elf_obj, "segments[%i].flags", i);            \
761
378k
        yr_set_integer(                                                                   \
762
378k
            yr_##bo##bits##toh(segment->offset),                                          \
763
378k
            elf_obj,                                                                      \
764
378k
            "segments[%i].offset",                                                        \
765
378k
            i);                                                                           \
766
378k
        yr_set_integer(                                                                   \
767
378k
            yr_##bo##bits##toh(segment->virt_addr),                                       \
768
378k
            elf_obj,                                                                      \
769
378k
            "segments[%i].virtual_address",                                               \
770
378k
            i);                                                                           \
771
378k
        yr_set_integer(                                                                   \
772
378k
            yr_##bo##bits##toh(segment->phys_addr),                                       \
773
378k
            elf_obj,                                                                      \
774
378k
            "segments[%i].physical_address",                                              \
775
378k
            i);                                                                           \
776
378k
        yr_set_integer(                                                                   \
777
378k
            yr_##bo##bits##toh(segment->file_size),                                       \
778
378k
            elf_obj,                                                                      \
779
378k
            "segments[%i].file_size",                                                     \
780
378k
            i);                                                                           \
781
378k
        yr_set_integer(                                                                   \
782
378k
            yr_##bo##bits##toh(segment->mem_size),                                        \
783
378k
            elf_obj,                                                                      \
784
378k
            "segments[%i].memory_size",                                                   \
785
378k
            i);                                                                           \
786
378k
        yr_set_integer(                                                                   \
787
378k
            yr_##bo##bits##toh(segment->alignment),                                       \
788
378k
            elf_obj,                                                                      \
789
378k
            "segments[%i].alignment",                                                     \
790
378k
            i);                                                                           \
791
378k
                                                                                          \
792
378k
        if (yr_##bo##32toh(segment->type) == ELF_PT_DYNAMIC)                              \
793
378k
        {                                                                                 \
794
10.2k
          j = 0;                                                                          \
795
10.2k
          if (yr_##bo##bits##toh(segment->offset) < elf_size)                             \
796
10.2k
          {                                                                               \
797
5.23k
            elf##bits##_dyn_t* dyn =                                                      \
798
5.23k
                (elf##bits##_dyn_t*) (elf_raw + yr_##bo##bits##toh(segment->offset));     \
799
5.23k
                                                                                          \
800
2.31M
            for (j = 0; IS_VALID_PTR(elf, elf_size, dyn); dyn++, j++)                     \
801
2.31M
            {                                                                             \
802
2.31M
              yr_set_integer(                                                             \
803
2.31M
                  yr_##bo##bits##toh(dyn->tag), elf_obj, "dynamic[%i].type", j);          \
804
2.31M
              yr_set_integer(                                                             \
805
2.31M
                  yr_##bo##bits##toh(dyn->val), elf_obj, "dynamic[%i].val", j);           \
806
2.31M
                                                                                          \
807
2.31M
              if (dyn->tag == ELF_DT_NULL)                                                \
808
2.31M
              {                                                                           \
809
3.90k
                j++;                                                                      \
810
3.90k
                break;                                                                    \
811
3.90k
              }                                                                           \
812
2.31M
            }                                                                             \
813
5.23k
          }                                                                               \
814
10.2k
          yr_set_integer(j, elf_obj, "dynamic_section_entries");                          \
815
10.2k
        }                                                                                 \
816
378k
      }                                                                                   \
817
1.40k
    }                                                                                     \
818
6.37k
    return ERROR_SUCCESS;                                                                 \
819
6.37k
  }
parse_elf_header_32_le
Line
Count
Source
458
1.27k
  {                                                                                       \
459
1.27k
    unsigned int i, j, m;                                                                 \
460
1.27k
    const char* elf_raw = (const char*) elf;                                              \
461
1.27k
    uint16_t str_table_index = yr_##bo##16toh(elf->sh_str_table_index);                   \
462
1.27k
                                                                                          \
463
1.27k
    const char* sym_table = NULL;                                                         \
464
1.27k
    const char* sym_str_table = NULL;                                                     \
465
1.27k
    const char* dyn_sym_table = NULL;                                                     \
466
1.27k
    const char* dyn_sym_str_table = NULL;                                                 \
467
1.27k
                                                                                          \
468
1.27k
    uint##bits##_t sym_table_size = 0;                                                    \
469
1.27k
    uint##bits##_t sym_str_table_size = 0;                                                \
470
1.27k
    uint##bits##_t dyn_sym_table_size = 0;                                                \
471
1.27k
    uint##bits##_t dyn_sym_str_table_size = 0;                                            \
472
1.27k
                                                                                          \
473
1.27k
    elf_data->symtab = elf_data->dynsym = NULL;                                           \
474
1.27k
                                                                                          \
475
1.27k
    elf##bits##_section_header_t* section_table;                                          \
476
1.27k
    elf##bits##_section_header_t* section;                                                \
477
1.27k
    elf##bits##_program_header_t* segment;                                                \
478
1.27k
                                                                                          \
479
1.27k
    yr_set_integer(yr_##bo##16toh(elf->type), elf_obj, "type");                           \
480
1.27k
    yr_set_integer(yr_##bo##16toh(elf->machine), elf_obj, "machine");                     \
481
1.27k
    yr_set_integer(yr_##bo##bits##toh(elf->sh_offset), elf_obj, "sh_offset");             \
482
1.27k
    yr_set_integer(                                                                       \
483
1.27k
        yr_##bo##16toh(elf->sh_entry_size), elf_obj, "sh_entry_size");                    \
484
1.27k
    yr_set_integer(                                                                       \
485
1.27k
        yr_##bo##16toh(elf->sh_entry_count), elf_obj, "number_of_sections");              \
486
1.27k
    yr_set_integer(yr_##bo##bits##toh(elf->ph_offset), elf_obj, "ph_offset");             \
487
1.27k
    yr_set_integer(                                                                       \
488
1.27k
        yr_##bo##16toh(elf->ph_entry_size), elf_obj, "ph_entry_size");                    \
489
1.27k
    yr_set_integer(                                                                       \
490
1.27k
        yr_##bo##16toh(elf->ph_entry_count), elf_obj, "number_of_segments");              \
491
1.27k
                                                                                          \
492
1.27k
    if (yr_##bo##bits##toh(elf->entry) != 0)                                              \
493
1.27k
    {                                                                                     \
494
1.21k
      yr_set_integer(                                                                     \
495
1.21k
          flags& SCAN_FLAGS_PROCESS_MEMORY                                                \
496
1.21k
              ? base_address + yr_##bo##bits##toh(elf->entry)                             \
497
1.21k
              : elf_rva_to_offset_##bits##_##bo(                                          \
498
1.21k
                    elf, yr_##bo##bits##toh(elf->entry), elf_size),                       \
499
1.21k
          elf_obj,                                                                        \
500
1.21k
          "entry_point");                                                                 \
501
1.21k
    }                                                                                     \
502
1.27k
                                                                                          \
503
1.27k
    if (yr_##bo##16toh(elf->sh_entry_count) < ELF_SHN_LORESERVE &&                        \
504
1.27k
        str_table_index < yr_##bo##16toh(elf->sh_entry_count) &&                          \
505
1.27k
        yr_##bo##bits##toh(elf->sh_offset) < elf_size &&                                  \
506
1.27k
        yr_##bo##bits##toh(elf->sh_offset) +                                              \
507
812
                yr_##bo##16toh(elf->sh_entry_count) *                                     \
508
812
                    sizeof(elf##bits##_section_header_t) <=                               \
509
812
            elf_size)                                                                     \
510
1.27k
    {                                                                                     \
511
753
      const char* str_table = NULL;                                                       \
512
753
                                                                                          \
513
753
      section_table =                                                                     \
514
753
          (elf##bits##_section_header_t*) (elf_raw + yr_##bo##bits##toh(elf->sh_offset)); \
515
753
                                                                                          \
516
753
      if (yr_##bo##bits##toh(section_table[str_table_index].offset) <                     \
517
753
          elf_size)                                                                       \
518
753
      {                                                                                   \
519
476
        str_table = elf_raw +                                                             \
520
476
                    yr_##bo##bits##toh(section_table[str_table_index].offset);            \
521
476
      }                                                                                   \
522
753
                                                                                          \
523
753
      section = section_table;                                                            \
524
753
                                                                                          \
525
92.3k
      for (i = 0; i < yr_##bo##16toh(elf->sh_entry_count); i++, section++)                \
526
91.6k
      {                                                                                   \
527
91.6k
        yr_set_integer(                                                                   \
528
91.6k
            yr_##bo##32toh(section->type), elf_obj, "sections[%i].type", i);              \
529
91.6k
        yr_set_integer(                                                                   \
530
91.6k
            yr_##bo##bits##toh(section->flags),                                           \
531
91.6k
            elf_obj,                                                                      \
532
91.6k
            "sections[%i].flags",                                                         \
533
91.6k
            i);                                                                           \
534
91.6k
        yr_set_integer(                                                                   \
535
91.6k
            yr_##bo##bits##toh(section->addr),                                            \
536
91.6k
            elf_obj,                                                                      \
537
91.6k
            "sections[%i].address",                                                       \
538
91.6k
            i);                                                                           \
539
91.6k
        yr_set_integer(                                                                   \
540
91.6k
            yr_##bo##bits##toh(section->size),                                            \
541
91.6k
            elf_obj,                                                                      \
542
91.6k
            "sections[%i].size",                                                          \
543
91.6k
            i);                                                                           \
544
91.6k
        yr_set_integer(                                                                   \
545
91.6k
            yr_##bo##bits##toh(section->offset),                                          \
546
91.6k
            elf_obj,                                                                      \
547
91.6k
            "sections[%i].offset",                                                        \
548
91.6k
            i);                                                                           \
549
91.6k
                                                                                          \
550
91.6k
        if (yr_##bo##32toh(section->name) < elf_size && str_table > elf_raw)              \
551
91.6k
        {                                                                                 \
552
27.7k
          const char* section_name = str_table_entry(                                     \
553
27.7k
              str_table, elf_raw + elf_size, yr_##bo##32toh(section->name));              \
554
27.7k
                                                                                          \
555
27.7k
          if (section_name)                                                               \
556
27.7k
            yr_set_string(section_name, elf_obj, "sections[%i].name", i);                 \
557
27.7k
        }                                                                                 \
558
91.6k
                                                                                          \
559
91.6k
        if (yr_##bo##32toh(section->type) == ELF_SHT_SYMTAB &&                            \
560
91.6k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
561
91.6k
        {                                                                                 \
562
2.00k
          elf##bits##_section_header_t* string_section = section_table +                  \
563
2.00k
                                                         yr_##bo##32toh(                  \
564
2.00k
                                                             section->link);              \
565
2.00k
                                                                                          \
566
2.00k
          if (IS_VALID_PTR(elf, elf_size, string_section) &&                              \
567
2.00k
              yr_##bo##32toh(string_section->type) == ELF_SHT_STRTAB)                     \
568
2.00k
          {                                                                               \
569
1.08k
            sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                    \
570
1.08k
            sym_str_table = elf_raw +                                                     \
571
1.08k
                            yr_##bo##bits##toh(string_section->offset);                   \
572
1.08k
            sym_table_size = yr_##bo##bits##toh(section->size);                           \
573
1.08k
            sym_str_table_size = yr_##bo##bits##toh(string_section->size);                \
574
1.08k
          }                                                                               \
575
2.00k
        }                                                                                 \
576
91.6k
                                                                                          \
577
91.6k
        if (yr_##bo##32toh(section->type) == ELF_SHT_DYNSYM &&                            \
578
91.6k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
579
91.6k
        {                                                                                 \
580
843
          elf##bits##_section_header_t* dynstr_section = section_table +                  \
581
843
                                                         yr_##bo##32toh(                  \
582
843
                                                             section->link);              \
583
843
                                                                                          \
584
843
          if (IS_VALID_PTR(elf, elf_size, dynstr_section) &&                              \
585
843
              yr_##bo##32toh(dynstr_section->type) == ELF_SHT_STRTAB)                     \
586
843
          {                                                                               \
587
437
            dyn_sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                \
588
437
            dyn_sym_str_table = elf_raw +                                                 \
589
437
                                yr_##bo##bits##toh(dynstr_section->offset);               \
590
437
            dyn_sym_table_size = yr_##bo##bits##toh(section->size);                       \
591
437
            dyn_sym_str_table_size = yr_##bo##bits##toh(dynstr_section->size);            \
592
437
          }                                                                               \
593
843
        }                                                                                 \
594
91.6k
      }                                                                                   \
595
753
                                                                                          \
596
753
      if (is_valid_ptr(elf, elf_size, sym_str_table, sym_str_table_size) &&               \
597
753
          is_valid_ptr(elf, elf_size, sym_table, sym_table_size))                         \
598
753
      {                                                                                   \
599
166
        elf##bits##_sym_t* sym = (elf##bits##_sym_t*) sym_table;                          \
600
166
        elf_data->symtab = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
601
166
            sizeof(ELF_SYMBOL_LIST));                                                     \
602
166
                                                                                          \
603
166
        if (elf_data->symtab == NULL)                                                     \
604
166
          return ERROR_INSUFFICIENT_MEMORY;                                               \
605
166
                                                                                          \
606
166
        ELF_SYMBOL** symbol = &(elf_data->symtab->symbols);                               \
607
166
        *symbol = NULL;                                                                   \
608
166
                                                                                          \
609
25.7k
        for (j = 0; j < sym_table_size / sizeof(elf##bits##_sym_t);                       \
610
25.6k
             j++, sym++)                                                                  \
611
25.6k
        {                                                                                 \
612
25.6k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
613
25.6k
          if (*symbol == NULL)                                                            \
614
25.6k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
615
25.6k
                                                                                          \
616
25.6k
          (*symbol)->name = NULL;                                                         \
617
25.6k
          (*symbol)->next = NULL;                                                         \
618
25.6k
                                                                                          \
619
25.6k
          const char* sym_name = str_table_entry(                                         \
620
25.6k
              sym_str_table,                                                              \
621
25.6k
              sym_str_table + sym_str_table_size,                                         \
622
25.6k
              yr_##bo##32toh(sym->name));                                                 \
623
25.6k
                                                                                          \
624
25.6k
          if (sym_name)                                                                   \
625
25.6k
          {                                                                               \
626
1.77k
            yr_set_string(sym_name, elf_obj, "symtab[%i].name", j);                       \
627
1.77k
            (*symbol)->name = (char*) yr_malloc(strlen(sym_name) + 1);                    \
628
1.77k
            if ((*symbol)->name == NULL)                                                  \
629
1.77k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
630
1.77k
                                                                                          \
631
1.77k
            strcpy((*symbol)->name, sym_name);                                            \
632
1.77k
          }                                                                               \
633
25.6k
                                                                                          \
634
25.6k
          int bind = sym->info >> 4;                                                      \
635
25.6k
          (*symbol)->bind = bind;                                                         \
636
25.6k
          yr_set_integer(bind, elf_obj, "symtab[%i].bind", j);                            \
637
25.6k
                                                                                          \
638
25.6k
          int type = sym->info & 0xf;                                                     \
639
25.6k
          (*symbol)->type = type;                                                         \
640
25.6k
          yr_set_integer(type, elf_obj, "symtab[%i].type", j);                            \
641
25.6k
                                                                                          \
642
25.6k
          int shndx = yr_##bo##16toh(sym->shndx);                                         \
643
25.6k
          (*symbol)->shndx = shndx;                                                       \
644
25.6k
          yr_set_integer(shndx, elf_obj, "symtab[%i].shndx", j);                          \
645
25.6k
                                                                                          \
646
25.6k
          int value = yr_##bo##bits##toh(sym->value);                                     \
647
25.6k
          (*symbol)->value = value;                                                       \
648
25.6k
          yr_set_integer(                                                                 \
649
25.6k
              yr_##bo##bits##toh(sym->value), elf_obj, "symtab[%i].value", j);            \
650
25.6k
                                                                                          \
651
25.6k
          int size = yr_##bo##bits##toh(sym->size);                                       \
652
25.6k
          (*symbol)->size = size;                                                         \
653
25.6k
          yr_set_integer(                                                                 \
654
25.6k
              yr_##bo##bits##toh(sym->size), elf_obj, "symtab[%i].size", j);              \
655
25.6k
                                                                                          \
656
25.6k
          (*symbol)->visibility = sym->other & 0x3;                                       \
657
25.6k
                                                                                          \
658
25.6k
          symbol = &((*symbol)->next);                                                    \
659
25.6k
        }                                                                                 \
660
166
                                                                                          \
661
166
        elf_data->symtab->count = j;                                                      \
662
166
        yr_set_integer(j, elf_obj, "symtab_entries");                                     \
663
166
      }                                                                                   \
664
753
                                                                                          \
665
753
      if (is_valid_ptr(                                                                   \
666
753
              elf, elf_size, dyn_sym_str_table, dyn_sym_str_table_size) &&                \
667
753
          is_valid_ptr(elf, elf_size, dyn_sym_table, dyn_sym_table_size))                 \
668
753
      {                                                                                   \
669
156
        elf##bits##_sym_t* dynsym = (elf##bits##_sym_t*) dyn_sym_table;                   \
670
156
                                                                                          \
671
156
        elf_data->dynsym = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
672
156
            sizeof(ELF_SYMBOL_LIST));                                                     \
673
156
                                                                                          \
674
156
        if (elf_data->dynsym == NULL)                                                     \
675
156
          return ERROR_INSUFFICIENT_MEMORY;                                               \
676
156
                                                                                          \
677
156
        ELF_SYMBOL** symbol = &(elf_data->dynsym->symbols);                               \
678
156
        *symbol = NULL;                                                                   \
679
156
                                                                                          \
680
13.2k
        for (m = 0; m < dyn_sym_table_size / sizeof(elf##bits##_sym_t);                   \
681
13.1k
             m++, dynsym++)                                                               \
682
13.1k
        {                                                                                 \
683
13.1k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
684
13.1k
          if (*symbol == NULL)                                                            \
685
13.1k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
686
13.1k
                                                                                          \
687
13.1k
          (*symbol)->name = NULL;                                                         \
688
13.1k
          (*symbol)->next = NULL;                                                         \
689
13.1k
                                                                                          \
690
13.1k
          const char* dynsym_name = str_table_entry(                                      \
691
13.1k
              dyn_sym_str_table,                                                          \
692
13.1k
              dyn_sym_str_table + dyn_sym_str_table_size,                                 \
693
13.1k
              yr_##bo##32toh(dynsym->name));                                              \
694
13.1k
                                                                                          \
695
13.1k
          if (dynsym_name)                                                                \
696
13.1k
          {                                                                               \
697
995
            yr_set_string(dynsym_name, elf_obj, "dynsym[%i].name", m);                    \
698
995
            (*symbol)->name = (char*) yr_malloc(strlen(dynsym_name) + 1);                 \
699
995
            if ((*symbol)->name == NULL)                                                  \
700
995
              return ERROR_INSUFFICIENT_MEMORY;                                           \
701
995
                                                                                          \
702
995
            strcpy((*symbol)->name, dynsym_name);                                         \
703
995
          }                                                                               \
704
13.1k
                                                                                          \
705
13.1k
          int bind = dynsym->info >> 4;                                                   \
706
13.1k
          (*symbol)->bind = bind;                                                         \
707
13.1k
          yr_set_integer(dynsym->info >> 4, elf_obj, "dynsym[%i].bind", m);               \
708
13.1k
                                                                                          \
709
13.1k
          int type = dynsym->info & 0xf;                                                  \
710
13.1k
          (*symbol)->type = type;                                                         \
711
13.1k
          yr_set_integer(dynsym->info & 0xf, elf_obj, "dynsym[%i].type", m);              \
712
13.1k
                                                                                          \
713
13.1k
          int shndx = yr_##bo##16toh(dynsym->shndx);                                      \
714
13.1k
          (*symbol)->shndx = shndx;                                                       \
715
13.1k
          yr_set_integer(                                                                 \
716
13.1k
              yr_##bo##16toh(dynsym->shndx), elf_obj, "dynsym[%i].shndx", m);             \
717
13.1k
                                                                                          \
718
13.1k
          int value = yr_##bo##bits##toh(dynsym->value);                                  \
719
13.1k
          (*symbol)->value = value;                                                       \
720
13.1k
          yr_set_integer(                                                                 \
721
13.1k
              yr_##bo##bits##toh(dynsym->value),                                          \
722
13.1k
              elf_obj,                                                                    \
723
13.1k
              "dynsym[%i].value",                                                         \
724
13.1k
              m);                                                                         \
725
13.1k
                                                                                          \
726
13.1k
          int size = yr_##bo##bits##toh(dynsym->size);                                    \
727
13.1k
          (*symbol)->size = size;                                                         \
728
13.1k
          yr_set_integer(                                                                 \
729
13.1k
              yr_##bo##bits##toh(dynsym->size),                                           \
730
13.1k
              elf_obj,                                                                    \
731
13.1k
              "dynsym[%i].size",                                                          \
732
13.1k
              m);                                                                         \
733
13.1k
                                                                                          \
734
13.1k
          (*symbol)->visibility = dynsym->other & 0x3;                                    \
735
13.1k
                                                                                          \
736
13.1k
          symbol = &((*symbol)->next);                                                    \
737
13.1k
        }                                                                                 \
738
156
                                                                                          \
739
156
        elf_data->dynsym->count = m;                                                      \
740
156
        yr_set_integer(m, elf_obj, "dynsym_entries");                                     \
741
156
      }                                                                                   \
742
753
    }                                                                                     \
743
1.27k
                                                                                          \
744
1.27k
    if (yr_##bo##16toh(elf->ph_entry_count) > 0 &&                                        \
745
1.27k
        yr_##bo##16toh(elf->ph_entry_count) < ELF_PN_XNUM &&                              \
746
1.27k
        yr_##bo##bits##toh(elf->ph_offset) < elf_size &&                                  \
747
1.27k
        yr_##bo##bits##toh(elf->ph_offset) +                                              \
748
705
                yr_##bo##16toh(elf->ph_entry_count) *                                     \
749
705
                    sizeof(elf##bits##_program_header_t) <=                               \
750
705
            elf_size)                                                                     \
751
1.27k
    {                                                                                     \
752
429
      segment =                                                                           \
753
429
          (elf##bits##_program_header_t*) (elf_raw + yr_##bo##bits##toh(elf->ph_offset)); \
754
429
                                                                                          \
755
184k
      for (i = 0; i < yr_##bo##16toh(elf->ph_entry_count); i++, segment++)                \
756
183k
      {                                                                                   \
757
183k
        yr_set_integer(                                                                   \
758
183k
            yr_##bo##32toh(segment->type), elf_obj, "segments[%i].type", i);              \
759
183k
        yr_set_integer(                                                                   \
760
183k
            yr_##bo##32toh(segment->flags), elf_obj, "segments[%i].flags", i);            \
761
183k
        yr_set_integer(                                                                   \
762
183k
            yr_##bo##bits##toh(segment->offset),                                          \
763
183k
            elf_obj,                                                                      \
764
183k
            "segments[%i].offset",                                                        \
765
183k
            i);                                                                           \
766
183k
        yr_set_integer(                                                                   \
767
183k
            yr_##bo##bits##toh(segment->virt_addr),                                       \
768
183k
            elf_obj,                                                                      \
769
183k
            "segments[%i].virtual_address",                                               \
770
183k
            i);                                                                           \
771
183k
        yr_set_integer(                                                                   \
772
183k
            yr_##bo##bits##toh(segment->phys_addr),                                       \
773
183k
            elf_obj,                                                                      \
774
183k
            "segments[%i].physical_address",                                              \
775
183k
            i);                                                                           \
776
183k
        yr_set_integer(                                                                   \
777
183k
            yr_##bo##bits##toh(segment->file_size),                                       \
778
183k
            elf_obj,                                                                      \
779
183k
            "segments[%i].file_size",                                                     \
780
183k
            i);                                                                           \
781
183k
        yr_set_integer(                                                                   \
782
183k
            yr_##bo##bits##toh(segment->mem_size),                                        \
783
183k
            elf_obj,                                                                      \
784
183k
            "segments[%i].memory_size",                                                   \
785
183k
            i);                                                                           \
786
183k
        yr_set_integer(                                                                   \
787
183k
            yr_##bo##bits##toh(segment->alignment),                                       \
788
183k
            elf_obj,                                                                      \
789
183k
            "segments[%i].alignment",                                                     \
790
183k
            i);                                                                           \
791
183k
                                                                                          \
792
183k
        if (yr_##bo##32toh(segment->type) == ELF_PT_DYNAMIC)                              \
793
183k
        {                                                                                 \
794
3.23k
          j = 0;                                                                          \
795
3.23k
          if (yr_##bo##bits##toh(segment->offset) < elf_size)                             \
796
3.23k
          {                                                                               \
797
2.52k
            elf##bits##_dyn_t* dyn =                                                      \
798
2.52k
                (elf##bits##_dyn_t*) (elf_raw + yr_##bo##bits##toh(segment->offset));     \
799
2.52k
                                                                                          \
800
1.77M
            for (j = 0; IS_VALID_PTR(elf, elf_size, dyn); dyn++, j++)                     \
801
1.77M
            {                                                                             \
802
1.77M
              yr_set_integer(                                                             \
803
1.77M
                  yr_##bo##bits##toh(dyn->tag), elf_obj, "dynamic[%i].type", j);          \
804
1.77M
              yr_set_integer(                                                             \
805
1.77M
                  yr_##bo##bits##toh(dyn->val), elf_obj, "dynamic[%i].val", j);           \
806
1.77M
                                                                                          \
807
1.77M
              if (dyn->tag == ELF_DT_NULL)                                                \
808
1.77M
              {                                                                           \
809
1.77k
                j++;                                                                      \
810
1.77k
                break;                                                                    \
811
1.77k
              }                                                                           \
812
1.77M
            }                                                                             \
813
2.52k
          }                                                                               \
814
3.23k
          yr_set_integer(j, elf_obj, "dynamic_section_entries");                          \
815
3.23k
        }                                                                                 \
816
183k
      }                                                                                   \
817
429
    }                                                                                     \
818
1.27k
    return ERROR_SUCCESS;                                                                 \
819
1.27k
  }
parse_elf_header_64_le
Line
Count
Source
458
1.83k
  {                                                                                       \
459
1.83k
    unsigned int i, j, m;                                                                 \
460
1.83k
    const char* elf_raw = (const char*) elf;                                              \
461
1.83k
    uint16_t str_table_index = yr_##bo##16toh(elf->sh_str_table_index);                   \
462
1.83k
                                                                                          \
463
1.83k
    const char* sym_table = NULL;                                                         \
464
1.83k
    const char* sym_str_table = NULL;                                                     \
465
1.83k
    const char* dyn_sym_table = NULL;                                                     \
466
1.83k
    const char* dyn_sym_str_table = NULL;                                                 \
467
1.83k
                                                                                          \
468
1.83k
    uint##bits##_t sym_table_size = 0;                                                    \
469
1.83k
    uint##bits##_t sym_str_table_size = 0;                                                \
470
1.83k
    uint##bits##_t dyn_sym_table_size = 0;                                                \
471
1.83k
    uint##bits##_t dyn_sym_str_table_size = 0;                                            \
472
1.83k
                                                                                          \
473
1.83k
    elf_data->symtab = elf_data->dynsym = NULL;                                           \
474
1.83k
                                                                                          \
475
1.83k
    elf##bits##_section_header_t* section_table;                                          \
476
1.83k
    elf##bits##_section_header_t* section;                                                \
477
1.83k
    elf##bits##_program_header_t* segment;                                                \
478
1.83k
                                                                                          \
479
1.83k
    yr_set_integer(yr_##bo##16toh(elf->type), elf_obj, "type");                           \
480
1.83k
    yr_set_integer(yr_##bo##16toh(elf->machine), elf_obj, "machine");                     \
481
1.83k
    yr_set_integer(yr_##bo##bits##toh(elf->sh_offset), elf_obj, "sh_offset");             \
482
1.83k
    yr_set_integer(                                                                       \
483
1.83k
        yr_##bo##16toh(elf->sh_entry_size), elf_obj, "sh_entry_size");                    \
484
1.83k
    yr_set_integer(                                                                       \
485
1.83k
        yr_##bo##16toh(elf->sh_entry_count), elf_obj, "number_of_sections");              \
486
1.83k
    yr_set_integer(yr_##bo##bits##toh(elf->ph_offset), elf_obj, "ph_offset");             \
487
1.83k
    yr_set_integer(                                                                       \
488
1.83k
        yr_##bo##16toh(elf->ph_entry_size), elf_obj, "ph_entry_size");                    \
489
1.83k
    yr_set_integer(                                                                       \
490
1.83k
        yr_##bo##16toh(elf->ph_entry_count), elf_obj, "number_of_segments");              \
491
1.83k
                                                                                          \
492
1.83k
    if (yr_##bo##bits##toh(elf->entry) != 0)                                              \
493
1.83k
    {                                                                                     \
494
1.81k
      yr_set_integer(                                                                     \
495
1.81k
          flags& SCAN_FLAGS_PROCESS_MEMORY                                                \
496
1.81k
              ? base_address + yr_##bo##bits##toh(elf->entry)                             \
497
1.81k
              : elf_rva_to_offset_##bits##_##bo(                                          \
498
1.81k
                    elf, yr_##bo##bits##toh(elf->entry), elf_size),                       \
499
1.81k
          elf_obj,                                                                        \
500
1.81k
          "entry_point");                                                                 \
501
1.81k
    }                                                                                     \
502
1.83k
                                                                                          \
503
1.83k
    if (yr_##bo##16toh(elf->sh_entry_count) < ELF_SHN_LORESERVE &&                        \
504
1.83k
        str_table_index < yr_##bo##16toh(elf->sh_entry_count) &&                          \
505
1.83k
        yr_##bo##bits##toh(elf->sh_offset) < elf_size &&                                  \
506
1.83k
        yr_##bo##bits##toh(elf->sh_offset) +                                              \
507
994
                yr_##bo##16toh(elf->sh_entry_count) *                                     \
508
994
                    sizeof(elf##bits##_section_header_t) <=                               \
509
994
            elf_size)                                                                     \
510
1.83k
    {                                                                                     \
511
965
      const char* str_table = NULL;                                                       \
512
965
                                                                                          \
513
965
      section_table =                                                                     \
514
965
          (elf##bits##_section_header_t*) (elf_raw + yr_##bo##bits##toh(elf->sh_offset)); \
515
965
                                                                                          \
516
965
      if (yr_##bo##bits##toh(section_table[str_table_index].offset) <                     \
517
965
          elf_size)                                                                       \
518
965
      {                                                                                   \
519
466
        str_table = elf_raw +                                                             \
520
466
                    yr_##bo##bits##toh(section_table[str_table_index].offset);            \
521
466
      }                                                                                   \
522
965
                                                                                          \
523
965
      section = section_table;                                                            \
524
965
                                                                                          \
525
54.8k
      for (i = 0; i < yr_##bo##16toh(elf->sh_entry_count); i++, section++)                \
526
53.9k
      {                                                                                   \
527
53.9k
        yr_set_integer(                                                                   \
528
53.9k
            yr_##bo##32toh(section->type), elf_obj, "sections[%i].type", i);              \
529
53.9k
        yr_set_integer(                                                                   \
530
53.9k
            yr_##bo##bits##toh(section->flags),                                           \
531
53.9k
            elf_obj,                                                                      \
532
53.9k
            "sections[%i].flags",                                                         \
533
53.9k
            i);                                                                           \
534
53.9k
        yr_set_integer(                                                                   \
535
53.9k
            yr_##bo##bits##toh(section->addr),                                            \
536
53.9k
            elf_obj,                                                                      \
537
53.9k
            "sections[%i].address",                                                       \
538
53.9k
            i);                                                                           \
539
53.9k
        yr_set_integer(                                                                   \
540
53.9k
            yr_##bo##bits##toh(section->size),                                            \
541
53.9k
            elf_obj,                                                                      \
542
53.9k
            "sections[%i].size",                                                          \
543
53.9k
            i);                                                                           \
544
53.9k
        yr_set_integer(                                                                   \
545
53.9k
            yr_##bo##bits##toh(section->offset),                                          \
546
53.9k
            elf_obj,                                                                      \
547
53.9k
            "sections[%i].offset",                                                        \
548
53.9k
            i);                                                                           \
549
53.9k
                                                                                          \
550
53.9k
        if (yr_##bo##32toh(section->name) < elf_size && str_table > elf_raw)              \
551
53.9k
        {                                                                                 \
552
11.0k
          const char* section_name = str_table_entry(                                     \
553
11.0k
              str_table, elf_raw + elf_size, yr_##bo##32toh(section->name));              \
554
11.0k
                                                                                          \
555
11.0k
          if (section_name)                                                               \
556
11.0k
            yr_set_string(section_name, elf_obj, "sections[%i].name", i);                 \
557
11.0k
        }                                                                                 \
558
53.9k
                                                                                          \
559
53.9k
        if (yr_##bo##32toh(section->type) == ELF_SHT_SYMTAB &&                            \
560
53.9k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
561
53.9k
        {                                                                                 \
562
1.42k
          elf##bits##_section_header_t* string_section = section_table +                  \
563
1.42k
                                                         yr_##bo##32toh(                  \
564
1.42k
                                                             section->link);              \
565
1.42k
                                                                                          \
566
1.42k
          if (IS_VALID_PTR(elf, elf_size, string_section) &&                              \
567
1.42k
              yr_##bo##32toh(string_section->type) == ELF_SHT_STRTAB)                     \
568
1.42k
          {                                                                               \
569
882
            sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                    \
570
882
            sym_str_table = elf_raw +                                                     \
571
882
                            yr_##bo##bits##toh(string_section->offset);                   \
572
882
            sym_table_size = yr_##bo##bits##toh(section->size);                           \
573
882
            sym_str_table_size = yr_##bo##bits##toh(string_section->size);                \
574
882
          }                                                                               \
575
1.42k
        }                                                                                 \
576
53.9k
                                                                                          \
577
53.9k
        if (yr_##bo##32toh(section->type) == ELF_SHT_DYNSYM &&                            \
578
53.9k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
579
53.9k
        {                                                                                 \
580
840
          elf##bits##_section_header_t* dynstr_section = section_table +                  \
581
840
                                                         yr_##bo##32toh(                  \
582
840
                                                             section->link);              \
583
840
                                                                                          \
584
840
          if (IS_VALID_PTR(elf, elf_size, dynstr_section) &&                              \
585
840
              yr_##bo##32toh(dynstr_section->type) == ELF_SHT_STRTAB)                     \
586
840
          {                                                                               \
587
498
            dyn_sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                \
588
498
            dyn_sym_str_table = elf_raw +                                                 \
589
498
                                yr_##bo##bits##toh(dynstr_section->offset);               \
590
498
            dyn_sym_table_size = yr_##bo##bits##toh(section->size);                       \
591
498
            dyn_sym_str_table_size = yr_##bo##bits##toh(dynstr_section->size);            \
592
498
          }                                                                               \
593
840
        }                                                                                 \
594
53.9k
      }                                                                                   \
595
965
                                                                                          \
596
965
      if (is_valid_ptr(elf, elf_size, sym_str_table, sym_str_table_size) &&               \
597
965
          is_valid_ptr(elf, elf_size, sym_table, sym_table_size))                         \
598
965
      {                                                                                   \
599
110
        elf##bits##_sym_t* sym = (elf##bits##_sym_t*) sym_table;                          \
600
110
        elf_data->symtab = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
601
110
            sizeof(ELF_SYMBOL_LIST));                                                     \
602
110
                                                                                          \
603
110
        if (elf_data->symtab == NULL)                                                     \
604
110
          return ERROR_INSUFFICIENT_MEMORY;                                               \
605
110
                                                                                          \
606
110
        ELF_SYMBOL** symbol = &(elf_data->symtab->symbols);                               \
607
110
        *symbol = NULL;                                                                   \
608
110
                                                                                          \
609
19.7k
        for (j = 0; j < sym_table_size / sizeof(elf##bits##_sym_t);                       \
610
19.6k
             j++, sym++)                                                                  \
611
19.6k
        {                                                                                 \
612
19.6k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
613
19.6k
          if (*symbol == NULL)                                                            \
614
19.6k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
615
19.6k
                                                                                          \
616
19.6k
          (*symbol)->name = NULL;                                                         \
617
19.6k
          (*symbol)->next = NULL;                                                         \
618
19.6k
                                                                                          \
619
19.6k
          const char* sym_name = str_table_entry(                                         \
620
19.6k
              sym_str_table,                                                              \
621
19.6k
              sym_str_table + sym_str_table_size,                                         \
622
19.6k
              yr_##bo##32toh(sym->name));                                                 \
623
19.6k
                                                                                          \
624
19.6k
          if (sym_name)                                                                   \
625
19.6k
          {                                                                               \
626
3.69k
            yr_set_string(sym_name, elf_obj, "symtab[%i].name", j);                       \
627
3.69k
            (*symbol)->name = (char*) yr_malloc(strlen(sym_name) + 1);                    \
628
3.69k
            if ((*symbol)->name == NULL)                                                  \
629
3.69k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
630
3.69k
                                                                                          \
631
3.69k
            strcpy((*symbol)->name, sym_name);                                            \
632
3.69k
          }                                                                               \
633
19.6k
                                                                                          \
634
19.6k
          int bind = sym->info >> 4;                                                      \
635
19.6k
          (*symbol)->bind = bind;                                                         \
636
19.6k
          yr_set_integer(bind, elf_obj, "symtab[%i].bind", j);                            \
637
19.6k
                                                                                          \
638
19.6k
          int type = sym->info & 0xf;                                                     \
639
19.6k
          (*symbol)->type = type;                                                         \
640
19.6k
          yr_set_integer(type, elf_obj, "symtab[%i].type", j);                            \
641
19.6k
                                                                                          \
642
19.6k
          int shndx = yr_##bo##16toh(sym->shndx);                                         \
643
19.6k
          (*symbol)->shndx = shndx;                                                       \
644
19.6k
          yr_set_integer(shndx, elf_obj, "symtab[%i].shndx", j);                          \
645
19.6k
                                                                                          \
646
19.6k
          int value = yr_##bo##bits##toh(sym->value);                                     \
647
19.6k
          (*symbol)->value = value;                                                       \
648
19.6k
          yr_set_integer(                                                                 \
649
19.6k
              yr_##bo##bits##toh(sym->value), elf_obj, "symtab[%i].value", j);            \
650
19.6k
                                                                                          \
651
19.6k
          int size = yr_##bo##bits##toh(sym->size);                                       \
652
19.6k
          (*symbol)->size = size;                                                         \
653
19.6k
          yr_set_integer(                                                                 \
654
19.6k
              yr_##bo##bits##toh(sym->size), elf_obj, "symtab[%i].size", j);              \
655
19.6k
                                                                                          \
656
19.6k
          (*symbol)->visibility = sym->other & 0x3;                                       \
657
19.6k
                                                                                          \
658
19.6k
          symbol = &((*symbol)->next);                                                    \
659
19.6k
        }                                                                                 \
660
110
                                                                                          \
661
110
        elf_data->symtab->count = j;                                                      \
662
110
        yr_set_integer(j, elf_obj, "symtab_entries");                                     \
663
110
      }                                                                                   \
664
965
                                                                                          \
665
965
      if (is_valid_ptr(                                                                   \
666
965
              elf, elf_size, dyn_sym_str_table, dyn_sym_str_table_size) &&                \
667
965
          is_valid_ptr(elf, elf_size, dyn_sym_table, dyn_sym_table_size))                 \
668
965
      {                                                                                   \
669
112
        elf##bits##_sym_t* dynsym = (elf##bits##_sym_t*) dyn_sym_table;                   \
670
112
                                                                                          \
671
112
        elf_data->dynsym = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
672
112
            sizeof(ELF_SYMBOL_LIST));                                                     \
673
112
                                                                                          \
674
112
        if (elf_data->dynsym == NULL)                                                     \
675
112
          return ERROR_INSUFFICIENT_MEMORY;                                               \
676
112
                                                                                          \
677
112
        ELF_SYMBOL** symbol = &(elf_data->dynsym->symbols);                               \
678
112
        *symbol = NULL;                                                                   \
679
112
                                                                                          \
680
22.0k
        for (m = 0; m < dyn_sym_table_size / sizeof(elf##bits##_sym_t);                   \
681
21.8k
             m++, dynsym++)                                                               \
682
21.8k
        {                                                                                 \
683
21.8k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
684
21.8k
          if (*symbol == NULL)                                                            \
685
21.8k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
686
21.8k
                                                                                          \
687
21.8k
          (*symbol)->name = NULL;                                                         \
688
21.8k
          (*symbol)->next = NULL;                                                         \
689
21.8k
                                                                                          \
690
21.8k
          const char* dynsym_name = str_table_entry(                                      \
691
21.8k
              dyn_sym_str_table,                                                          \
692
21.8k
              dyn_sym_str_table + dyn_sym_str_table_size,                                 \
693
21.8k
              yr_##bo##32toh(dynsym->name));                                              \
694
21.8k
                                                                                          \
695
21.8k
          if (dynsym_name)                                                                \
696
21.8k
          {                                                                               \
697
7.80k
            yr_set_string(dynsym_name, elf_obj, "dynsym[%i].name", m);                    \
698
7.80k
            (*symbol)->name = (char*) yr_malloc(strlen(dynsym_name) + 1);                 \
699
7.80k
            if ((*symbol)->name == NULL)                                                  \
700
7.80k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
701
7.80k
                                                                                          \
702
7.80k
            strcpy((*symbol)->name, dynsym_name);                                         \
703
7.80k
          }                                                                               \
704
21.8k
                                                                                          \
705
21.8k
          int bind = dynsym->info >> 4;                                                   \
706
21.8k
          (*symbol)->bind = bind;                                                         \
707
21.8k
          yr_set_integer(dynsym->info >> 4, elf_obj, "dynsym[%i].bind", m);               \
708
21.8k
                                                                                          \
709
21.8k
          int type = dynsym->info & 0xf;                                                  \
710
21.8k
          (*symbol)->type = type;                                                         \
711
21.8k
          yr_set_integer(dynsym->info & 0xf, elf_obj, "dynsym[%i].type", m);              \
712
21.8k
                                                                                          \
713
21.8k
          int shndx = yr_##bo##16toh(dynsym->shndx);                                      \
714
21.8k
          (*symbol)->shndx = shndx;                                                       \
715
21.8k
          yr_set_integer(                                                                 \
716
21.8k
              yr_##bo##16toh(dynsym->shndx), elf_obj, "dynsym[%i].shndx", m);             \
717
21.8k
                                                                                          \
718
21.8k
          int value = yr_##bo##bits##toh(dynsym->value);                                  \
719
21.8k
          (*symbol)->value = value;                                                       \
720
21.8k
          yr_set_integer(                                                                 \
721
21.8k
              yr_##bo##bits##toh(dynsym->value),                                          \
722
21.8k
              elf_obj,                                                                    \
723
21.8k
              "dynsym[%i].value",                                                         \
724
21.8k
              m);                                                                         \
725
21.8k
                                                                                          \
726
21.8k
          int size = yr_##bo##bits##toh(dynsym->size);                                    \
727
21.8k
          (*symbol)->size = size;                                                         \
728
21.8k
          yr_set_integer(                                                                 \
729
21.8k
              yr_##bo##bits##toh(dynsym->size),                                           \
730
21.8k
              elf_obj,                                                                    \
731
21.8k
              "dynsym[%i].size",                                                          \
732
21.8k
              m);                                                                         \
733
21.8k
                                                                                          \
734
21.8k
          (*symbol)->visibility = dynsym->other & 0x3;                                    \
735
21.8k
                                                                                          \
736
21.8k
          symbol = &((*symbol)->next);                                                    \
737
21.8k
        }                                                                                 \
738
112
                                                                                          \
739
112
        elf_data->dynsym->count = m;                                                      \
740
112
        yr_set_integer(m, elf_obj, "dynsym_entries");                                     \
741
112
      }                                                                                   \
742
965
    }                                                                                     \
743
1.83k
                                                                                          \
744
1.83k
    if (yr_##bo##16toh(elf->ph_entry_count) > 0 &&                                        \
745
1.83k
        yr_##bo##16toh(elf->ph_entry_count) < ELF_PN_XNUM &&                              \
746
1.83k
        yr_##bo##bits##toh(elf->ph_offset) < elf_size &&                                  \
747
1.83k
        yr_##bo##bits##toh(elf->ph_offset) +                                              \
748
667
                yr_##bo##16toh(elf->ph_entry_count) *                                     \
749
667
                    sizeof(elf##bits##_program_header_t) <=                               \
750
667
            elf_size)                                                                     \
751
1.83k
    {                                                                                     \
752
371
      segment =                                                                           \
753
371
          (elf##bits##_program_header_t*) (elf_raw + yr_##bo##bits##toh(elf->ph_offset)); \
754
371
                                                                                          \
755
35.9k
      for (i = 0; i < yr_##bo##16toh(elf->ph_entry_count); i++, segment++)                \
756
35.5k
      {                                                                                   \
757
35.5k
        yr_set_integer(                                                                   \
758
35.5k
            yr_##bo##32toh(segment->type), elf_obj, "segments[%i].type", i);              \
759
35.5k
        yr_set_integer(                                                                   \
760
35.5k
            yr_##bo##32toh(segment->flags), elf_obj, "segments[%i].flags", i);            \
761
35.5k
        yr_set_integer(                                                                   \
762
35.5k
            yr_##bo##bits##toh(segment->offset),                                          \
763
35.5k
            elf_obj,                                                                      \
764
35.5k
            "segments[%i].offset",                                                        \
765
35.5k
            i);                                                                           \
766
35.5k
        yr_set_integer(                                                                   \
767
35.5k
            yr_##bo##bits##toh(segment->virt_addr),                                       \
768
35.5k
            elf_obj,                                                                      \
769
35.5k
            "segments[%i].virtual_address",                                               \
770
35.5k
            i);                                                                           \
771
35.5k
        yr_set_integer(                                                                   \
772
35.5k
            yr_##bo##bits##toh(segment->phys_addr),                                       \
773
35.5k
            elf_obj,                                                                      \
774
35.5k
            "segments[%i].physical_address",                                              \
775
35.5k
            i);                                                                           \
776
35.5k
        yr_set_integer(                                                                   \
777
35.5k
            yr_##bo##bits##toh(segment->file_size),                                       \
778
35.5k
            elf_obj,                                                                      \
779
35.5k
            "segments[%i].file_size",                                                     \
780
35.5k
            i);                                                                           \
781
35.5k
        yr_set_integer(                                                                   \
782
35.5k
            yr_##bo##bits##toh(segment->mem_size),                                        \
783
35.5k
            elf_obj,                                                                      \
784
35.5k
            "segments[%i].memory_size",                                                   \
785
35.5k
            i);                                                                           \
786
35.5k
        yr_set_integer(                                                                   \
787
35.5k
            yr_##bo##bits##toh(segment->alignment),                                       \
788
35.5k
            elf_obj,                                                                      \
789
35.5k
            "segments[%i].alignment",                                                     \
790
35.5k
            i);                                                                           \
791
35.5k
                                                                                          \
792
35.5k
        if (yr_##bo##32toh(segment->type) == ELF_PT_DYNAMIC)                              \
793
35.5k
        {                                                                                 \
794
1.66k
          j = 0;                                                                          \
795
1.66k
          if (yr_##bo##bits##toh(segment->offset) < elf_size)                             \
796
1.66k
          {                                                                               \
797
895
            elf##bits##_dyn_t* dyn =                                                      \
798
895
                (elf##bits##_dyn_t*) (elf_raw + yr_##bo##bits##toh(segment->offset));     \
799
895
                                                                                          \
800
194k
            for (j = 0; IS_VALID_PTR(elf, elf_size, dyn); dyn++, j++)                     \
801
194k
            {                                                                             \
802
194k
              yr_set_integer(                                                             \
803
194k
                  yr_##bo##bits##toh(dyn->tag), elf_obj, "dynamic[%i].type", j);          \
804
194k
              yr_set_integer(                                                             \
805
194k
                  yr_##bo##bits##toh(dyn->val), elf_obj, "dynamic[%i].val", j);           \
806
194k
                                                                                          \
807
194k
              if (dyn->tag == ELF_DT_NULL)                                                \
808
194k
              {                                                                           \
809
675
                j++;                                                                      \
810
675
                break;                                                                    \
811
675
              }                                                                           \
812
194k
            }                                                                             \
813
895
          }                                                                               \
814
1.66k
          yr_set_integer(j, elf_obj, "dynamic_section_entries");                          \
815
1.66k
        }                                                                                 \
816
35.5k
      }                                                                                   \
817
371
    }                                                                                     \
818
1.83k
    return ERROR_SUCCESS;                                                                 \
819
1.83k
  }
parse_elf_header_32_be
Line
Count
Source
458
1.31k
  {                                                                                       \
459
1.31k
    unsigned int i, j, m;                                                                 \
460
1.31k
    const char* elf_raw = (const char*) elf;                                              \
461
1.31k
    uint16_t str_table_index = yr_##bo##16toh(elf->sh_str_table_index);                   \
462
1.31k
                                                                                          \
463
1.31k
    const char* sym_table = NULL;                                                         \
464
1.31k
    const char* sym_str_table = NULL;                                                     \
465
1.31k
    const char* dyn_sym_table = NULL;                                                     \
466
1.31k
    const char* dyn_sym_str_table = NULL;                                                 \
467
1.31k
                                                                                          \
468
1.31k
    uint##bits##_t sym_table_size = 0;                                                    \
469
1.31k
    uint##bits##_t sym_str_table_size = 0;                                                \
470
1.31k
    uint##bits##_t dyn_sym_table_size = 0;                                                \
471
1.31k
    uint##bits##_t dyn_sym_str_table_size = 0;                                            \
472
1.31k
                                                                                          \
473
1.31k
    elf_data->symtab = elf_data->dynsym = NULL;                                           \
474
1.31k
                                                                                          \
475
1.31k
    elf##bits##_section_header_t* section_table;                                          \
476
1.31k
    elf##bits##_section_header_t* section;                                                \
477
1.31k
    elf##bits##_program_header_t* segment;                                                \
478
1.31k
                                                                                          \
479
1.31k
    yr_set_integer(yr_##bo##16toh(elf->type), elf_obj, "type");                           \
480
1.31k
    yr_set_integer(yr_##bo##16toh(elf->machine), elf_obj, "machine");                     \
481
1.31k
    yr_set_integer(yr_##bo##bits##toh(elf->sh_offset), elf_obj, "sh_offset");             \
482
1.31k
    yr_set_integer(                                                                       \
483
1.31k
        yr_##bo##16toh(elf->sh_entry_size), elf_obj, "sh_entry_size");                    \
484
1.31k
    yr_set_integer(                                                                       \
485
1.31k
        yr_##bo##16toh(elf->sh_entry_count), elf_obj, "number_of_sections");              \
486
1.31k
    yr_set_integer(yr_##bo##bits##toh(elf->ph_offset), elf_obj, "ph_offset");             \
487
1.31k
    yr_set_integer(                                                                       \
488
1.31k
        yr_##bo##16toh(elf->ph_entry_size), elf_obj, "ph_entry_size");                    \
489
1.31k
    yr_set_integer(                                                                       \
490
1.31k
        yr_##bo##16toh(elf->ph_entry_count), elf_obj, "number_of_segments");              \
491
1.31k
                                                                                          \
492
1.31k
    if (yr_##bo##bits##toh(elf->entry) != 0)                                              \
493
1.31k
    {                                                                                     \
494
1.27k
      yr_set_integer(                                                                     \
495
1.27k
          flags& SCAN_FLAGS_PROCESS_MEMORY                                                \
496
1.27k
              ? base_address + yr_##bo##bits##toh(elf->entry)                             \
497
1.27k
              : elf_rva_to_offset_##bits##_##bo(                                          \
498
1.27k
                    elf, yr_##bo##bits##toh(elf->entry), elf_size),                       \
499
1.27k
          elf_obj,                                                                        \
500
1.27k
          "entry_point");                                                                 \
501
1.27k
    }                                                                                     \
502
1.31k
                                                                                          \
503
1.31k
    if (yr_##bo##16toh(elf->sh_entry_count) < ELF_SHN_LORESERVE &&                        \
504
1.31k
        str_table_index < yr_##bo##16toh(elf->sh_entry_count) &&                          \
505
1.31k
        yr_##bo##bits##toh(elf->sh_offset) < elf_size &&                                  \
506
1.31k
        yr_##bo##bits##toh(elf->sh_offset) +                                              \
507
882
                yr_##bo##16toh(elf->sh_entry_count) *                                     \
508
882
                    sizeof(elf##bits##_section_header_t) <=                               \
509
882
            elf_size)                                                                     \
510
1.31k
    {                                                                                     \
511
813
      const char* str_table = NULL;                                                       \
512
813
                                                                                          \
513
813
      section_table =                                                                     \
514
813
          (elf##bits##_section_header_t*) (elf_raw + yr_##bo##bits##toh(elf->sh_offset)); \
515
813
                                                                                          \
516
813
      if (yr_##bo##bits##toh(section_table[str_table_index].offset) <                     \
517
813
          elf_size)                                                                       \
518
813
      {                                                                                   \
519
444
        str_table = elf_raw +                                                             \
520
444
                    yr_##bo##bits##toh(section_table[str_table_index].offset);            \
521
444
      }                                                                                   \
522
813
                                                                                          \
523
813
      section = section_table;                                                            \
524
813
                                                                                          \
525
153k
      for (i = 0; i < yr_##bo##16toh(elf->sh_entry_count); i++, section++)                \
526
152k
      {                                                                                   \
527
152k
        yr_set_integer(                                                                   \
528
152k
            yr_##bo##32toh(section->type), elf_obj, "sections[%i].type", i);              \
529
152k
        yr_set_integer(                                                                   \
530
152k
            yr_##bo##bits##toh(section->flags),                                           \
531
152k
            elf_obj,                                                                      \
532
152k
            "sections[%i].flags",                                                         \
533
152k
            i);                                                                           \
534
152k
        yr_set_integer(                                                                   \
535
152k
            yr_##bo##bits##toh(section->addr),                                            \
536
152k
            elf_obj,                                                                      \
537
152k
            "sections[%i].address",                                                       \
538
152k
            i);                                                                           \
539
152k
        yr_set_integer(                                                                   \
540
152k
            yr_##bo##bits##toh(section->size),                                            \
541
152k
            elf_obj,                                                                      \
542
152k
            "sections[%i].size",                                                          \
543
152k
            i);                                                                           \
544
152k
        yr_set_integer(                                                                   \
545
152k
            yr_##bo##bits##toh(section->offset),                                          \
546
152k
            elf_obj,                                                                      \
547
152k
            "sections[%i].offset",                                                        \
548
152k
            i);                                                                           \
549
152k
                                                                                          \
550
152k
        if (yr_##bo##32toh(section->name) < elf_size && str_table > elf_raw)              \
551
152k
        {                                                                                 \
552
47.7k
          const char* section_name = str_table_entry(                                     \
553
47.7k
              str_table, elf_raw + elf_size, yr_##bo##32toh(section->name));              \
554
47.7k
                                                                                          \
555
47.7k
          if (section_name)                                                               \
556
47.7k
            yr_set_string(section_name, elf_obj, "sections[%i].name", i);                 \
557
47.7k
        }                                                                                 \
558
152k
                                                                                          \
559
152k
        if (yr_##bo##32toh(section->type) == ELF_SHT_SYMTAB &&                            \
560
152k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
561
152k
        {                                                                                 \
562
2.57k
          elf##bits##_section_header_t* string_section = section_table +                  \
563
2.57k
                                                         yr_##bo##32toh(                  \
564
2.57k
                                                             section->link);              \
565
2.57k
                                                                                          \
566
2.57k
          if (IS_VALID_PTR(elf, elf_size, string_section) &&                              \
567
2.57k
              yr_##bo##32toh(string_section->type) == ELF_SHT_STRTAB)                     \
568
2.57k
          {                                                                               \
569
1.13k
            sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                    \
570
1.13k
            sym_str_table = elf_raw +                                                     \
571
1.13k
                            yr_##bo##bits##toh(string_section->offset);                   \
572
1.13k
            sym_table_size = yr_##bo##bits##toh(section->size);                           \
573
1.13k
            sym_str_table_size = yr_##bo##bits##toh(string_section->size);                \
574
1.13k
          }                                                                               \
575
2.57k
        }                                                                                 \
576
152k
                                                                                          \
577
152k
        if (yr_##bo##32toh(section->type) == ELF_SHT_DYNSYM &&                            \
578
152k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
579
152k
        {                                                                                 \
580
1.38k
          elf##bits##_section_header_t* dynstr_section = section_table +                  \
581
1.38k
                                                         yr_##bo##32toh(                  \
582
1.38k
                                                             section->link);              \
583
1.38k
                                                                                          \
584
1.38k
          if (IS_VALID_PTR(elf, elf_size, dynstr_section) &&                              \
585
1.38k
              yr_##bo##32toh(dynstr_section->type) == ELF_SHT_STRTAB)                     \
586
1.38k
          {                                                                               \
587
482
            dyn_sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                \
588
482
            dyn_sym_str_table = elf_raw +                                                 \
589
482
                                yr_##bo##bits##toh(dynstr_section->offset);               \
590
482
            dyn_sym_table_size = yr_##bo##bits##toh(section->size);                       \
591
482
            dyn_sym_str_table_size = yr_##bo##bits##toh(dynstr_section->size);            \
592
482
          }                                                                               \
593
1.38k
        }                                                                                 \
594
152k
      }                                                                                   \
595
813
                                                                                          \
596
813
      if (is_valid_ptr(elf, elf_size, sym_str_table, sym_str_table_size) &&               \
597
813
          is_valid_ptr(elf, elf_size, sym_table, sym_table_size))                         \
598
813
      {                                                                                   \
599
134
        elf##bits##_sym_t* sym = (elf##bits##_sym_t*) sym_table;                          \
600
134
        elf_data->symtab = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
601
134
            sizeof(ELF_SYMBOL_LIST));                                                     \
602
134
                                                                                          \
603
134
        if (elf_data->symtab == NULL)                                                     \
604
134
          return ERROR_INSUFFICIENT_MEMORY;                                               \
605
134
                                                                                          \
606
134
        ELF_SYMBOL** symbol = &(elf_data->symtab->symbols);                               \
607
134
        *symbol = NULL;                                                                   \
608
134
                                                                                          \
609
25.8k
        for (j = 0; j < sym_table_size / sizeof(elf##bits##_sym_t);                       \
610
25.6k
             j++, sym++)                                                                  \
611
25.6k
        {                                                                                 \
612
25.6k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
613
25.6k
          if (*symbol == NULL)                                                            \
614
25.6k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
615
25.6k
                                                                                          \
616
25.6k
          (*symbol)->name = NULL;                                                         \
617
25.6k
          (*symbol)->next = NULL;                                                         \
618
25.6k
                                                                                          \
619
25.6k
          const char* sym_name = str_table_entry(                                         \
620
25.6k
              sym_str_table,                                                              \
621
25.6k
              sym_str_table + sym_str_table_size,                                         \
622
25.6k
              yr_##bo##32toh(sym->name));                                                 \
623
25.6k
                                                                                          \
624
25.6k
          if (sym_name)                                                                   \
625
25.6k
          {                                                                               \
626
7.97k
            yr_set_string(sym_name, elf_obj, "symtab[%i].name", j);                       \
627
7.97k
            (*symbol)->name = (char*) yr_malloc(strlen(sym_name) + 1);                    \
628
7.97k
            if ((*symbol)->name == NULL)                                                  \
629
7.97k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
630
7.97k
                                                                                          \
631
7.97k
            strcpy((*symbol)->name, sym_name);                                            \
632
7.97k
          }                                                                               \
633
25.6k
                                                                                          \
634
25.6k
          int bind = sym->info >> 4;                                                      \
635
25.6k
          (*symbol)->bind = bind;                                                         \
636
25.6k
          yr_set_integer(bind, elf_obj, "symtab[%i].bind", j);                            \
637
25.6k
                                                                                          \
638
25.6k
          int type = sym->info & 0xf;                                                     \
639
25.6k
          (*symbol)->type = type;                                                         \
640
25.6k
          yr_set_integer(type, elf_obj, "symtab[%i].type", j);                            \
641
25.6k
                                                                                          \
642
25.6k
          int shndx = yr_##bo##16toh(sym->shndx);                                         \
643
25.6k
          (*symbol)->shndx = shndx;                                                       \
644
25.6k
          yr_set_integer(shndx, elf_obj, "symtab[%i].shndx", j);                          \
645
25.6k
                                                                                          \
646
25.6k
          int value = yr_##bo##bits##toh(sym->value);                                     \
647
25.6k
          (*symbol)->value = value;                                                       \
648
25.6k
          yr_set_integer(                                                                 \
649
25.6k
              yr_##bo##bits##toh(sym->value), elf_obj, "symtab[%i].value", j);            \
650
25.6k
                                                                                          \
651
25.6k
          int size = yr_##bo##bits##toh(sym->size);                                       \
652
25.6k
          (*symbol)->size = size;                                                         \
653
25.6k
          yr_set_integer(                                                                 \
654
25.6k
              yr_##bo##bits##toh(sym->size), elf_obj, "symtab[%i].size", j);              \
655
25.6k
                                                                                          \
656
25.6k
          (*symbol)->visibility = sym->other & 0x3;                                       \
657
25.6k
                                                                                          \
658
25.6k
          symbol = &((*symbol)->next);                                                    \
659
25.6k
        }                                                                                 \
660
134
                                                                                          \
661
134
        elf_data->symtab->count = j;                                                      \
662
134
        yr_set_integer(j, elf_obj, "symtab_entries");                                     \
663
134
      }                                                                                   \
664
813
                                                                                          \
665
813
      if (is_valid_ptr(                                                                   \
666
813
              elf, elf_size, dyn_sym_str_table, dyn_sym_str_table_size) &&                \
667
813
          is_valid_ptr(elf, elf_size, dyn_sym_table, dyn_sym_table_size))                 \
668
813
      {                                                                                   \
669
126
        elf##bits##_sym_t* dynsym = (elf##bits##_sym_t*) dyn_sym_table;                   \
670
126
                                                                                          \
671
126
        elf_data->dynsym = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
672
126
            sizeof(ELF_SYMBOL_LIST));                                                     \
673
126
                                                                                          \
674
126
        if (elf_data->dynsym == NULL)                                                     \
675
126
          return ERROR_INSUFFICIENT_MEMORY;                                               \
676
126
                                                                                          \
677
126
        ELF_SYMBOL** symbol = &(elf_data->dynsym->symbols);                               \
678
126
        *symbol = NULL;                                                                   \
679
126
                                                                                          \
680
34.6k
        for (m = 0; m < dyn_sym_table_size / sizeof(elf##bits##_sym_t);                   \
681
34.4k
             m++, dynsym++)                                                               \
682
34.4k
        {                                                                                 \
683
34.4k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
684
34.4k
          if (*symbol == NULL)                                                            \
685
34.4k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
686
34.4k
                                                                                          \
687
34.4k
          (*symbol)->name = NULL;                                                         \
688
34.4k
          (*symbol)->next = NULL;                                                         \
689
34.4k
                                                                                          \
690
34.4k
          const char* dynsym_name = str_table_entry(                                      \
691
34.4k
              dyn_sym_str_table,                                                          \
692
34.4k
              dyn_sym_str_table + dyn_sym_str_table_size,                                 \
693
34.4k
              yr_##bo##32toh(dynsym->name));                                              \
694
34.4k
                                                                                          \
695
34.4k
          if (dynsym_name)                                                                \
696
34.4k
          {                                                                               \
697
10.2k
            yr_set_string(dynsym_name, elf_obj, "dynsym[%i].name", m);                    \
698
10.2k
            (*symbol)->name = (char*) yr_malloc(strlen(dynsym_name) + 1);                 \
699
10.2k
            if ((*symbol)->name == NULL)                                                  \
700
10.2k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
701
10.2k
                                                                                          \
702
10.2k
            strcpy((*symbol)->name, dynsym_name);                                         \
703
10.2k
          }                                                                               \
704
34.4k
                                                                                          \
705
34.4k
          int bind = dynsym->info >> 4;                                                   \
706
34.4k
          (*symbol)->bind = bind;                                                         \
707
34.4k
          yr_set_integer(dynsym->info >> 4, elf_obj, "dynsym[%i].bind", m);               \
708
34.4k
                                                                                          \
709
34.4k
          int type = dynsym->info & 0xf;                                                  \
710
34.4k
          (*symbol)->type = type;                                                         \
711
34.4k
          yr_set_integer(dynsym->info & 0xf, elf_obj, "dynsym[%i].type", m);              \
712
34.4k
                                                                                          \
713
34.4k
          int shndx = yr_##bo##16toh(dynsym->shndx);                                      \
714
34.4k
          (*symbol)->shndx = shndx;                                                       \
715
34.4k
          yr_set_integer(                                                                 \
716
34.4k
              yr_##bo##16toh(dynsym->shndx), elf_obj, "dynsym[%i].shndx", m);             \
717
34.4k
                                                                                          \
718
34.4k
          int value = yr_##bo##bits##toh(dynsym->value);                                  \
719
34.4k
          (*symbol)->value = value;                                                       \
720
34.4k
          yr_set_integer(                                                                 \
721
34.4k
              yr_##bo##bits##toh(dynsym->value),                                          \
722
34.4k
              elf_obj,                                                                    \
723
34.4k
              "dynsym[%i].value",                                                         \
724
34.4k
              m);                                                                         \
725
34.4k
                                                                                          \
726
34.4k
          int size = yr_##bo##bits##toh(dynsym->size);                                    \
727
34.4k
          (*symbol)->size = size;                                                         \
728
34.4k
          yr_set_integer(                                                                 \
729
34.4k
              yr_##bo##bits##toh(dynsym->size),                                           \
730
34.4k
              elf_obj,                                                                    \
731
34.4k
              "dynsym[%i].size",                                                          \
732
34.4k
              m);                                                                         \
733
34.4k
                                                                                          \
734
34.4k
          (*symbol)->visibility = dynsym->other & 0x3;                                    \
735
34.4k
                                                                                          \
736
34.4k
          symbol = &((*symbol)->next);                                                    \
737
34.4k
        }                                                                                 \
738
126
                                                                                          \
739
126
        elf_data->dynsym->count = m;                                                      \
740
126
        yr_set_integer(m, elf_obj, "dynsym_entries");                                     \
741
126
      }                                                                                   \
742
813
    }                                                                                     \
743
1.31k
                                                                                          \
744
1.31k
    if (yr_##bo##16toh(elf->ph_entry_count) > 0 &&                                        \
745
1.31k
        yr_##bo##16toh(elf->ph_entry_count) < ELF_PN_XNUM &&                              \
746
1.31k
        yr_##bo##bits##toh(elf->ph_offset) < elf_size &&                                  \
747
1.31k
        yr_##bo##bits##toh(elf->ph_offset) +                                              \
748
369
                yr_##bo##16toh(elf->ph_entry_count) *                                     \
749
369
                    sizeof(elf##bits##_program_header_t) <=                               \
750
369
            elf_size)                                                                     \
751
1.31k
    {                                                                                     \
752
269
      segment =                                                                           \
753
269
          (elf##bits##_program_header_t*) (elf_raw + yr_##bo##bits##toh(elf->ph_offset)); \
754
269
                                                                                          \
755
51.5k
      for (i = 0; i < yr_##bo##16toh(elf->ph_entry_count); i++, segment++)                \
756
51.2k
      {                                                                                   \
757
51.2k
        yr_set_integer(                                                                   \
758
51.2k
            yr_##bo##32toh(segment->type), elf_obj, "segments[%i].type", i);              \
759
51.2k
        yr_set_integer(                                                                   \
760
51.2k
            yr_##bo##32toh(segment->flags), elf_obj, "segments[%i].flags", i);            \
761
51.2k
        yr_set_integer(                                                                   \
762
51.2k
            yr_##bo##bits##toh(segment->offset),                                          \
763
51.2k
            elf_obj,                                                                      \
764
51.2k
            "segments[%i].offset",                                                        \
765
51.2k
            i);                                                                           \
766
51.2k
        yr_set_integer(                                                                   \
767
51.2k
            yr_##bo##bits##toh(segment->virt_addr),                                       \
768
51.2k
            elf_obj,                                                                      \
769
51.2k
            "segments[%i].virtual_address",                                               \
770
51.2k
            i);                                                                           \
771
51.2k
        yr_set_integer(                                                                   \
772
51.2k
            yr_##bo##bits##toh(segment->phys_addr),                                       \
773
51.2k
            elf_obj,                                                                      \
774
51.2k
            "segments[%i].physical_address",                                              \
775
51.2k
            i);                                                                           \
776
51.2k
        yr_set_integer(                                                                   \
777
51.2k
            yr_##bo##bits##toh(segment->file_size),                                       \
778
51.2k
            elf_obj,                                                                      \
779
51.2k
            "segments[%i].file_size",                                                     \
780
51.2k
            i);                                                                           \
781
51.2k
        yr_set_integer(                                                                   \
782
51.2k
            yr_##bo##bits##toh(segment->mem_size),                                        \
783
51.2k
            elf_obj,                                                                      \
784
51.2k
            "segments[%i].memory_size",                                                   \
785
51.2k
            i);                                                                           \
786
51.2k
        yr_set_integer(                                                                   \
787
51.2k
            yr_##bo##bits##toh(segment->alignment),                                       \
788
51.2k
            elf_obj,                                                                      \
789
51.2k
            "segments[%i].alignment",                                                     \
790
51.2k
            i);                                                                           \
791
51.2k
                                                                                          \
792
51.2k
        if (yr_##bo##32toh(segment->type) == ELF_PT_DYNAMIC)                              \
793
51.2k
        {                                                                                 \
794
1.99k
          j = 0;                                                                          \
795
1.99k
          if (yr_##bo##bits##toh(segment->offset) < elf_size)                             \
796
1.99k
          {                                                                               \
797
1.34k
            elf##bits##_dyn_t* dyn =                                                      \
798
1.34k
                (elf##bits##_dyn_t*) (elf_raw + yr_##bo##bits##toh(segment->offset));     \
799
1.34k
                                                                                          \
800
254k
            for (j = 0; IS_VALID_PTR(elf, elf_size, dyn); dyn++, j++)                     \
801
254k
            {                                                                             \
802
254k
              yr_set_integer(                                                             \
803
254k
                  yr_##bo##bits##toh(dyn->tag), elf_obj, "dynamic[%i].type", j);          \
804
254k
              yr_set_integer(                                                             \
805
254k
                  yr_##bo##bits##toh(dyn->val), elf_obj, "dynamic[%i].val", j);           \
806
254k
                                                                                          \
807
254k
              if (dyn->tag == ELF_DT_NULL)                                                \
808
254k
              {                                                                           \
809
1.07k
                j++;                                                                      \
810
1.07k
                break;                                                                    \
811
1.07k
              }                                                                           \
812
254k
            }                                                                             \
813
1.34k
          }                                                                               \
814
1.99k
          yr_set_integer(j, elf_obj, "dynamic_section_entries");                          \
815
1.99k
        }                                                                                 \
816
51.2k
      }                                                                                   \
817
269
    }                                                                                     \
818
1.31k
    return ERROR_SUCCESS;                                                                 \
819
1.31k
  }
parse_elf_header_64_be
Line
Count
Source
458
1.94k
  {                                                                                       \
459
1.94k
    unsigned int i, j, m;                                                                 \
460
1.94k
    const char* elf_raw = (const char*) elf;                                              \
461
1.94k
    uint16_t str_table_index = yr_##bo##16toh(elf->sh_str_table_index);                   \
462
1.94k
                                                                                          \
463
1.94k
    const char* sym_table = NULL;                                                         \
464
1.94k
    const char* sym_str_table = NULL;                                                     \
465
1.94k
    const char* dyn_sym_table = NULL;                                                     \
466
1.94k
    const char* dyn_sym_str_table = NULL;                                                 \
467
1.94k
                                                                                          \
468
1.94k
    uint##bits##_t sym_table_size = 0;                                                    \
469
1.94k
    uint##bits##_t sym_str_table_size = 0;                                                \
470
1.94k
    uint##bits##_t dyn_sym_table_size = 0;                                                \
471
1.94k
    uint##bits##_t dyn_sym_str_table_size = 0;                                            \
472
1.94k
                                                                                          \
473
1.94k
    elf_data->symtab = elf_data->dynsym = NULL;                                           \
474
1.94k
                                                                                          \
475
1.94k
    elf##bits##_section_header_t* section_table;                                          \
476
1.94k
    elf##bits##_section_header_t* section;                                                \
477
1.94k
    elf##bits##_program_header_t* segment;                                                \
478
1.94k
                                                                                          \
479
1.94k
    yr_set_integer(yr_##bo##16toh(elf->type), elf_obj, "type");                           \
480
1.94k
    yr_set_integer(yr_##bo##16toh(elf->machine), elf_obj, "machine");                     \
481
1.94k
    yr_set_integer(yr_##bo##bits##toh(elf->sh_offset), elf_obj, "sh_offset");             \
482
1.94k
    yr_set_integer(                                                                       \
483
1.94k
        yr_##bo##16toh(elf->sh_entry_size), elf_obj, "sh_entry_size");                    \
484
1.94k
    yr_set_integer(                                                                       \
485
1.94k
        yr_##bo##16toh(elf->sh_entry_count), elf_obj, "number_of_sections");              \
486
1.94k
    yr_set_integer(yr_##bo##bits##toh(elf->ph_offset), elf_obj, "ph_offset");             \
487
1.94k
    yr_set_integer(                                                                       \
488
1.94k
        yr_##bo##16toh(elf->ph_entry_size), elf_obj, "ph_entry_size");                    \
489
1.94k
    yr_set_integer(                                                                       \
490
1.94k
        yr_##bo##16toh(elf->ph_entry_count), elf_obj, "number_of_segments");              \
491
1.94k
                                                                                          \
492
1.94k
    if (yr_##bo##bits##toh(elf->entry) != 0)                                              \
493
1.94k
    {                                                                                     \
494
1.87k
      yr_set_integer(                                                                     \
495
1.87k
          flags& SCAN_FLAGS_PROCESS_MEMORY                                                \
496
1.87k
              ? base_address + yr_##bo##bits##toh(elf->entry)                             \
497
1.87k
              : elf_rva_to_offset_##bits##_##bo(                                          \
498
1.87k
                    elf, yr_##bo##bits##toh(elf->entry), elf_size),                       \
499
1.87k
          elf_obj,                                                                        \
500
1.87k
          "entry_point");                                                                 \
501
1.87k
    }                                                                                     \
502
1.94k
                                                                                          \
503
1.94k
    if (yr_##bo##16toh(elf->sh_entry_count) < ELF_SHN_LORESERVE &&                        \
504
1.94k
        str_table_index < yr_##bo##16toh(elf->sh_entry_count) &&                          \
505
1.94k
        yr_##bo##bits##toh(elf->sh_offset) < elf_size &&                                  \
506
1.94k
        yr_##bo##bits##toh(elf->sh_offset) +                                              \
507
1.16k
                yr_##bo##16toh(elf->sh_entry_count) *                                     \
508
1.16k
                    sizeof(elf##bits##_section_header_t) <=                               \
509
1.16k
            elf_size)                                                                     \
510
1.94k
    {                                                                                     \
511
1.12k
      const char* str_table = NULL;                                                       \
512
1.12k
                                                                                          \
513
1.12k
      section_table =                                                                     \
514
1.12k
          (elf##bits##_section_header_t*) (elf_raw + yr_##bo##bits##toh(elf->sh_offset)); \
515
1.12k
                                                                                          \
516
1.12k
      if (yr_##bo##bits##toh(section_table[str_table_index].offset) <                     \
517
1.12k
          elf_size)                                                                       \
518
1.12k
      {                                                                                   \
519
396
        str_table = elf_raw +                                                             \
520
396
                    yr_##bo##bits##toh(section_table[str_table_index].offset);            \
521
396
      }                                                                                   \
522
1.12k
                                                                                          \
523
1.12k
      section = section_table;                                                            \
524
1.12k
                                                                                          \
525
165k
      for (i = 0; i < yr_##bo##16toh(elf->sh_entry_count); i++, section++)                \
526
164k
      {                                                                                   \
527
164k
        yr_set_integer(                                                                   \
528
164k
            yr_##bo##32toh(section->type), elf_obj, "sections[%i].type", i);              \
529
164k
        yr_set_integer(                                                                   \
530
164k
            yr_##bo##bits##toh(section->flags),                                           \
531
164k
            elf_obj,                                                                      \
532
164k
            "sections[%i].flags",                                                         \
533
164k
            i);                                                                           \
534
164k
        yr_set_integer(                                                                   \
535
164k
            yr_##bo##bits##toh(section->addr),                                            \
536
164k
            elf_obj,                                                                      \
537
164k
            "sections[%i].address",                                                       \
538
164k
            i);                                                                           \
539
164k
        yr_set_integer(                                                                   \
540
164k
            yr_##bo##bits##toh(section->size),                                            \
541
164k
            elf_obj,                                                                      \
542
164k
            "sections[%i].size",                                                          \
543
164k
            i);                                                                           \
544
164k
        yr_set_integer(                                                                   \
545
164k
            yr_##bo##bits##toh(section->offset),                                          \
546
164k
            elf_obj,                                                                      \
547
164k
            "sections[%i].offset",                                                        \
548
164k
            i);                                                                           \
549
164k
                                                                                          \
550
164k
        if (yr_##bo##32toh(section->name) < elf_size && str_table > elf_raw)              \
551
164k
        {                                                                                 \
552
35.9k
          const char* section_name = str_table_entry(                                     \
553
35.9k
              str_table, elf_raw + elf_size, yr_##bo##32toh(section->name));              \
554
35.9k
                                                                                          \
555
35.9k
          if (section_name)                                                               \
556
35.9k
            yr_set_string(section_name, elf_obj, "sections[%i].name", i);                 \
557
35.9k
        }                                                                                 \
558
164k
                                                                                          \
559
164k
        if (yr_##bo##32toh(section->type) == ELF_SHT_SYMTAB &&                            \
560
164k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
561
164k
        {                                                                                 \
562
4.08k
          elf##bits##_section_header_t* string_section = section_table +                  \
563
4.08k
                                                         yr_##bo##32toh(                  \
564
4.08k
                                                             section->link);              \
565
4.08k
                                                                                          \
566
4.08k
          if (IS_VALID_PTR(elf, elf_size, string_section) &&                              \
567
4.08k
              yr_##bo##32toh(string_section->type) == ELF_SHT_STRTAB)                     \
568
4.08k
          {                                                                               \
569
2.58k
            sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                    \
570
2.58k
            sym_str_table = elf_raw +                                                     \
571
2.58k
                            yr_##bo##bits##toh(string_section->offset);                   \
572
2.58k
            sym_table_size = yr_##bo##bits##toh(section->size);                           \
573
2.58k
            sym_str_table_size = yr_##bo##bits##toh(string_section->size);                \
574
2.58k
          }                                                                               \
575
4.08k
        }                                                                                 \
576
164k
                                                                                          \
577
164k
        if (yr_##bo##32toh(section->type) == ELF_SHT_DYNSYM &&                            \
578
164k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
579
164k
        {                                                                                 \
580
1.26k
          elf##bits##_section_header_t* dynstr_section = section_table +                  \
581
1.26k
                                                         yr_##bo##32toh(                  \
582
1.26k
                                                             section->link);              \
583
1.26k
                                                                                          \
584
1.26k
          if (IS_VALID_PTR(elf, elf_size, dynstr_section) &&                              \
585
1.26k
              yr_##bo##32toh(dynstr_section->type) == ELF_SHT_STRTAB)                     \
586
1.26k
          {                                                                               \
587
619
            dyn_sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                \
588
619
            dyn_sym_str_table = elf_raw +                                                 \
589
619
                                yr_##bo##bits##toh(dynstr_section->offset);               \
590
619
            dyn_sym_table_size = yr_##bo##bits##toh(section->size);                       \
591
619
            dyn_sym_str_table_size = yr_##bo##bits##toh(dynstr_section->size);            \
592
619
          }                                                                               \
593
1.26k
        }                                                                                 \
594
164k
      }                                                                                   \
595
1.12k
                                                                                          \
596
1.12k
      if (is_valid_ptr(elf, elf_size, sym_str_table, sym_str_table_size) &&               \
597
1.12k
          is_valid_ptr(elf, elf_size, sym_table, sym_table_size))                         \
598
1.12k
      {                                                                                   \
599
122
        elf##bits##_sym_t* sym = (elf##bits##_sym_t*) sym_table;                          \
600
122
        elf_data->symtab = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
601
122
            sizeof(ELF_SYMBOL_LIST));                                                     \
602
122
                                                                                          \
603
122
        if (elf_data->symtab == NULL)                                                     \
604
122
          return ERROR_INSUFFICIENT_MEMORY;                                               \
605
122
                                                                                          \
606
122
        ELF_SYMBOL** symbol = &(elf_data->symtab->symbols);                               \
607
122
        *symbol = NULL;                                                                   \
608
122
                                                                                          \
609
11.7k
        for (j = 0; j < sym_table_size / sizeof(elf##bits##_sym_t);                       \
610
11.6k
             j++, sym++)                                                                  \
611
11.6k
        {                                                                                 \
612
11.6k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
613
11.6k
          if (*symbol == NULL)                                                            \
614
11.6k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
615
11.6k
                                                                                          \
616
11.6k
          (*symbol)->name = NULL;                                                         \
617
11.6k
          (*symbol)->next = NULL;                                                         \
618
11.6k
                                                                                          \
619
11.6k
          const char* sym_name = str_table_entry(                                         \
620
11.6k
              sym_str_table,                                                              \
621
11.6k
              sym_str_table + sym_str_table_size,                                         \
622
11.6k
              yr_##bo##32toh(sym->name));                                                 \
623
11.6k
                                                                                          \
624
11.6k
          if (sym_name)                                                                   \
625
11.6k
          {                                                                               \
626
4.46k
            yr_set_string(sym_name, elf_obj, "symtab[%i].name", j);                       \
627
4.46k
            (*symbol)->name = (char*) yr_malloc(strlen(sym_name) + 1);                    \
628
4.46k
            if ((*symbol)->name == NULL)                                                  \
629
4.46k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
630
4.46k
                                                                                          \
631
4.46k
            strcpy((*symbol)->name, sym_name);                                            \
632
4.46k
          }                                                                               \
633
11.6k
                                                                                          \
634
11.6k
          int bind = sym->info >> 4;                                                      \
635
11.6k
          (*symbol)->bind = bind;                                                         \
636
11.6k
          yr_set_integer(bind, elf_obj, "symtab[%i].bind", j);                            \
637
11.6k
                                                                                          \
638
11.6k
          int type = sym->info & 0xf;                                                     \
639
11.6k
          (*symbol)->type = type;                                                         \
640
11.6k
          yr_set_integer(type, elf_obj, "symtab[%i].type", j);                            \
641
11.6k
                                                                                          \
642
11.6k
          int shndx = yr_##bo##16toh(sym->shndx);                                         \
643
11.6k
          (*symbol)->shndx = shndx;                                                       \
644
11.6k
          yr_set_integer(shndx, elf_obj, "symtab[%i].shndx", j);                          \
645
11.6k
                                                                                          \
646
11.6k
          int value = yr_##bo##bits##toh(sym->value);                                     \
647
11.6k
          (*symbol)->value = value;                                                       \
648
11.6k
          yr_set_integer(                                                                 \
649
11.6k
              yr_##bo##bits##toh(sym->value), elf_obj, "symtab[%i].value", j);            \
650
11.6k
                                                                                          \
651
11.6k
          int size = yr_##bo##bits##toh(sym->size);                                       \
652
11.6k
          (*symbol)->size = size;                                                         \
653
11.6k
          yr_set_integer(                                                                 \
654
11.6k
              yr_##bo##bits##toh(sym->size), elf_obj, "symtab[%i].size", j);              \
655
11.6k
                                                                                          \
656
11.6k
          (*symbol)->visibility = sym->other & 0x3;                                       \
657
11.6k
                                                                                          \
658
11.6k
          symbol = &((*symbol)->next);                                                    \
659
11.6k
        }                                                                                 \
660
122
                                                                                          \
661
122
        elf_data->symtab->count = j;                                                      \
662
122
        yr_set_integer(j, elf_obj, "symtab_entries");                                     \
663
122
      }                                                                                   \
664
1.12k
                                                                                          \
665
1.12k
      if (is_valid_ptr(                                                                   \
666
1.12k
              elf, elf_size, dyn_sym_str_table, dyn_sym_str_table_size) &&                \
667
1.12k
          is_valid_ptr(elf, elf_size, dyn_sym_table, dyn_sym_table_size))                 \
668
1.12k
      {                                                                                   \
669
98
        elf##bits##_sym_t* dynsym = (elf##bits##_sym_t*) dyn_sym_table;                   \
670
98
                                                                                          \
671
98
        elf_data->dynsym = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
672
98
            sizeof(ELF_SYMBOL_LIST));                                                     \
673
98
                                                                                          \
674
98
        if (elf_data->dynsym == NULL)                                                     \
675
98
          return ERROR_INSUFFICIENT_MEMORY;                                               \
676
98
                                                                                          \
677
98
        ELF_SYMBOL** symbol = &(elf_data->dynsym->symbols);                               \
678
98
        *symbol = NULL;                                                                   \
679
98
                                                                                          \
680
3.49k
        for (m = 0; m < dyn_sym_table_size / sizeof(elf##bits##_sym_t);                   \
681
3.39k
             m++, dynsym++)                                                               \
682
3.39k
        {                                                                                 \
683
3.39k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
684
3.39k
          if (*symbol == NULL)                                                            \
685
3.39k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
686
3.39k
                                                                                          \
687
3.39k
          (*symbol)->name = NULL;                                                         \
688
3.39k
          (*symbol)->next = NULL;                                                         \
689
3.39k
                                                                                          \
690
3.39k
          const char* dynsym_name = str_table_entry(                                      \
691
3.39k
              dyn_sym_str_table,                                                          \
692
3.39k
              dyn_sym_str_table + dyn_sym_str_table_size,                                 \
693
3.39k
              yr_##bo##32toh(dynsym->name));                                              \
694
3.39k
                                                                                          \
695
3.39k
          if (dynsym_name)                                                                \
696
3.39k
          {                                                                               \
697
849
            yr_set_string(dynsym_name, elf_obj, "dynsym[%i].name", m);                    \
698
849
            (*symbol)->name = (char*) yr_malloc(strlen(dynsym_name) + 1);                 \
699
849
            if ((*symbol)->name == NULL)                                                  \
700
849
              return ERROR_INSUFFICIENT_MEMORY;                                           \
701
849
                                                                                          \
702
849
            strcpy((*symbol)->name, dynsym_name);                                         \
703
849
          }                                                                               \
704
3.39k
                                                                                          \
705
3.39k
          int bind = dynsym->info >> 4;                                                   \
706
3.39k
          (*symbol)->bind = bind;                                                         \
707
3.39k
          yr_set_integer(dynsym->info >> 4, elf_obj, "dynsym[%i].bind", m);               \
708
3.39k
                                                                                          \
709
3.39k
          int type = dynsym->info & 0xf;                                                  \
710
3.39k
          (*symbol)->type = type;                                                         \
711
3.39k
          yr_set_integer(dynsym->info & 0xf, elf_obj, "dynsym[%i].type", m);              \
712
3.39k
                                                                                          \
713
3.39k
          int shndx = yr_##bo##16toh(dynsym->shndx);                                      \
714
3.39k
          (*symbol)->shndx = shndx;                                                       \
715
3.39k
          yr_set_integer(                                                                 \
716
3.39k
              yr_##bo##16toh(dynsym->shndx), elf_obj, "dynsym[%i].shndx", m);             \
717
3.39k
                                                                                          \
718
3.39k
          int value = yr_##bo##bits##toh(dynsym->value);                                  \
719
3.39k
          (*symbol)->value = value;                                                       \
720
3.39k
          yr_set_integer(                                                                 \
721
3.39k
              yr_##bo##bits##toh(dynsym->value),                                          \
722
3.39k
              elf_obj,                                                                    \
723
3.39k
              "dynsym[%i].value",                                                         \
724
3.39k
              m);                                                                         \
725
3.39k
                                                                                          \
726
3.39k
          int size = yr_##bo##bits##toh(dynsym->size);                                    \
727
3.39k
          (*symbol)->size = size;                                                         \
728
3.39k
          yr_set_integer(                                                                 \
729
3.39k
              yr_##bo##bits##toh(dynsym->size),                                           \
730
3.39k
              elf_obj,                                                                    \
731
3.39k
              "dynsym[%i].size",                                                          \
732
3.39k
              m);                                                                         \
733
3.39k
                                                                                          \
734
3.39k
          (*symbol)->visibility = dynsym->other & 0x3;                                    \
735
3.39k
                                                                                          \
736
3.39k
          symbol = &((*symbol)->next);                                                    \
737
3.39k
        }                                                                                 \
738
98
                                                                                          \
739
98
        elf_data->dynsym->count = m;                                                      \
740
98
        yr_set_integer(m, elf_obj, "dynsym_entries");                                     \
741
98
      }                                                                                   \
742
1.12k
    }                                                                                     \
743
1.94k
                                                                                          \
744
1.94k
    if (yr_##bo##16toh(elf->ph_entry_count) > 0 &&                                        \
745
1.94k
        yr_##bo##16toh(elf->ph_entry_count) < ELF_PN_XNUM &&                              \
746
1.94k
        yr_##bo##bits##toh(elf->ph_offset) < elf_size &&                                  \
747
1.94k
        yr_##bo##bits##toh(elf->ph_offset) +                                              \
748
524
                yr_##bo##16toh(elf->ph_entry_count) *                                     \
749
524
                    sizeof(elf##bits##_program_header_t) <=                               \
750
524
            elf_size)                                                                     \
751
1.94k
    {                                                                                     \
752
339
      segment =                                                                           \
753
339
          (elf##bits##_program_header_t*) (elf_raw + yr_##bo##bits##toh(elf->ph_offset)); \
754
339
                                                                                          \
755
108k
      for (i = 0; i < yr_##bo##16toh(elf->ph_entry_count); i++, segment++)                \
756
107k
      {                                                                                   \
757
107k
        yr_set_integer(                                                                   \
758
107k
            yr_##bo##32toh(segment->type), elf_obj, "segments[%i].type", i);              \
759
107k
        yr_set_integer(                                                                   \
760
107k
            yr_##bo##32toh(segment->flags), elf_obj, "segments[%i].flags", i);            \
761
107k
        yr_set_integer(                                                                   \
762
107k
            yr_##bo##bits##toh(segment->offset),                                          \
763
107k
            elf_obj,                                                                      \
764
107k
            "segments[%i].offset",                                                        \
765
107k
            i);                                                                           \
766
107k
        yr_set_integer(                                                                   \
767
107k
            yr_##bo##bits##toh(segment->virt_addr),                                       \
768
107k
            elf_obj,                                                                      \
769
107k
            "segments[%i].virtual_address",                                               \
770
107k
            i);                                                                           \
771
107k
        yr_set_integer(                                                                   \
772
107k
            yr_##bo##bits##toh(segment->phys_addr),                                       \
773
107k
            elf_obj,                                                                      \
774
107k
            "segments[%i].physical_address",                                              \
775
107k
            i);                                                                           \
776
107k
        yr_set_integer(                                                                   \
777
107k
            yr_##bo##bits##toh(segment->file_size),                                       \
778
107k
            elf_obj,                                                                      \
779
107k
            "segments[%i].file_size",                                                     \
780
107k
            i);                                                                           \
781
107k
        yr_set_integer(                                                                   \
782
107k
            yr_##bo##bits##toh(segment->mem_size),                                        \
783
107k
            elf_obj,                                                                      \
784
107k
            "segments[%i].memory_size",                                                   \
785
107k
            i);                                                                           \
786
107k
        yr_set_integer(                                                                   \
787
107k
            yr_##bo##bits##toh(segment->alignment),                                       \
788
107k
            elf_obj,                                                                      \
789
107k
            "segments[%i].alignment",                                                     \
790
107k
            i);                                                                           \
791
107k
                                                                                          \
792
107k
        if (yr_##bo##32toh(segment->type) == ELF_PT_DYNAMIC)                              \
793
107k
        {                                                                                 \
794
3.36k
          j = 0;                                                                          \
795
3.36k
          if (yr_##bo##bits##toh(segment->offset) < elf_size)                             \
796
3.36k
          {                                                                               \
797
468
            elf##bits##_dyn_t* dyn =                                                      \
798
468
                (elf##bits##_dyn_t*) (elf_raw + yr_##bo##bits##toh(segment->offset));     \
799
468
                                                                                          \
800
83.8k
            for (j = 0; IS_VALID_PTR(elf, elf_size, dyn); dyn++, j++)                     \
801
83.7k
            {                                                                             \
802
83.7k
              yr_set_integer(                                                             \
803
83.7k
                  yr_##bo##bits##toh(dyn->tag), elf_obj, "dynamic[%i].type", j);          \
804
83.7k
              yr_set_integer(                                                             \
805
83.7k
                  yr_##bo##bits##toh(dyn->val), elf_obj, "dynamic[%i].val", j);           \
806
83.7k
                                                                                          \
807
83.7k
              if (dyn->tag == ELF_DT_NULL)                                                \
808
83.7k
              {                                                                           \
809
375
                j++;                                                                      \
810
375
                break;                                                                    \
811
375
              }                                                                           \
812
83.7k
            }                                                                             \
813
468
          }                                                                               \
814
3.36k
          yr_set_integer(j, elf_obj, "dynamic_section_entries");                          \
815
3.36k
        }                                                                                 \
816
107k
      }                                                                                   \
817
339
    }                                                                                     \
818
1.94k
    return ERROR_SUCCESS;                                                                 \
819
1.94k
  }
820
821
ELF_RVA_TO_OFFSET(32, le);
822
ELF_RVA_TO_OFFSET(64, le);
823
ELF_RVA_TO_OFFSET(32, be);
824
ELF_RVA_TO_OFFSET(64, be);
825
826
PARSE_ELF_HEADER(32, le);
827
PARSE_ELF_HEADER(64, le);
828
PARSE_ELF_HEADER(32, be);
829
PARSE_ELF_HEADER(64, be);
830
831
7.41k
begin_declarations
832
7.41k
  declare_integer("ET_NONE");
833
7.41k
  declare_integer("ET_REL");
834
7.41k
  declare_integer("ET_EXEC");
835
7.41k
  declare_integer("ET_DYN");
836
7.41k
  declare_integer("ET_CORE");
837
838
7.41k
  declare_integer("EM_NONE");
839
7.41k
  declare_integer("EM_M32");
840
7.41k
  declare_integer("EM_SPARC");
841
7.41k
  declare_integer("EM_386");
842
7.41k
  declare_integer("EM_68K");
843
7.41k
  declare_integer("EM_88K");
844
7.41k
  declare_integer("EM_860");
845
7.41k
  declare_integer("EM_MIPS");
846
7.41k
  declare_integer("EM_MIPS_RS3_LE");
847
7.41k
  declare_integer("EM_PPC");
848
7.41k
  declare_integer("EM_PPC64");
849
7.41k
  declare_integer("EM_ARM");
850
7.41k
  declare_integer("EM_X86_64");
851
7.41k
  declare_integer("EM_AARCH64");
852
853
7.41k
  declare_integer("SHT_NULL");
854
7.41k
  declare_integer("SHT_PROGBITS");
855
7.41k
  declare_integer("SHT_SYMTAB");
856
7.41k
  declare_integer("SHT_STRTAB");
857
7.41k
  declare_integer("SHT_RELA");
858
7.41k
  declare_integer("SHT_HASH");
859
7.41k
  declare_integer("SHT_DYNAMIC");
860
7.41k
  declare_integer("SHT_NOTE");
861
7.41k
  declare_integer("SHT_NOBITS");
862
7.41k
  declare_integer("SHT_REL");
863
7.41k
  declare_integer("SHT_SHLIB");
864
7.41k
  declare_integer("SHT_DYNSYM");
865
866
7.41k
  declare_integer("SHF_WRITE");
867
7.41k
  declare_integer("SHF_ALLOC");
868
7.41k
  declare_integer("SHF_EXECINSTR");
869
870
7.41k
  declare_integer("type");
871
7.41k
  declare_integer("machine");
872
7.41k
  declare_integer("entry_point");
873
874
7.41k
  declare_integer("number_of_sections");
875
7.41k
  declare_integer("sh_offset");
876
7.41k
  declare_integer("sh_entry_size");
877
878
7.41k
  declare_integer("number_of_segments");
879
7.41k
  declare_integer("ph_offset");
880
7.41k
  declare_integer("ph_entry_size");
881
882
22.2k
  begin_struct_array("sections")
883
7.41k
    declare_integer("type");
884
7.41k
    declare_integer("flags");
885
7.41k
    declare_integer("address");
886
7.41k
    declare_string("name");
887
7.41k
    declare_integer("size");
888
7.41k
    declare_integer("offset");
889
14.8k
  end_struct_array("sections")
890
891
7.41k
  declare_integer("PT_NULL");
892
7.41k
  declare_integer("PT_LOAD");
893
7.41k
  declare_integer("PT_DYNAMIC");
894
7.41k
  declare_integer("PT_INTERP");
895
7.41k
  declare_integer("PT_NOTE");
896
7.41k
  declare_integer("PT_SHLIB");
897
7.41k
  declare_integer("PT_PHDR");
898
7.41k
  declare_integer("PT_TLS");
899
7.41k
  declare_integer("PT_GNU_EH_FRAME");
900
7.41k
  declare_integer("PT_GNU_STACK");
901
902
7.41k
  declare_integer("DT_NULL");
903
7.41k
  declare_integer("DT_NEEDED");
904
7.41k
  declare_integer("DT_PLTRELSZ");
905
7.41k
  declare_integer("DT_PLTGOT");
906
7.41k
  declare_integer("DT_HASH");
907
7.41k
  declare_integer("DT_STRTAB");
908
7.41k
  declare_integer("DT_SYMTAB");
909
7.41k
  declare_integer("DT_RELA");
910
7.41k
  declare_integer("DT_RELASZ");
911
7.41k
  declare_integer("DT_RELAENT");
912
7.41k
  declare_integer("DT_STRSZ");
913
7.41k
  declare_integer("DT_SYMENT");
914
7.41k
  declare_integer("DT_INIT");
915
7.41k
  declare_integer("DT_FINI");
916
7.41k
  declare_integer("DT_SONAME");
917
7.41k
  declare_integer("DT_RPATH");
918
7.41k
  declare_integer("DT_SYMBOLIC");
919
7.41k
  declare_integer("DT_REL");
920
7.41k
  declare_integer("DT_RELSZ");
921
7.41k
  declare_integer("DT_RELENT");
922
7.41k
  declare_integer("DT_PLTREL");
923
7.41k
  declare_integer("DT_DEBUG");
924
7.41k
  declare_integer("DT_TEXTREL");
925
7.41k
  declare_integer("DT_JMPREL");
926
7.41k
  declare_integer("DT_BIND_NOW");
927
7.41k
  declare_integer("DT_INIT_ARRAY");
928
7.41k
  declare_integer("DT_FINI_ARRAY");
929
7.41k
  declare_integer("DT_INIT_ARRAYSZ");
930
7.41k
  declare_integer("DT_FINI_ARRAYSZ");
931
7.41k
  declare_integer("DT_RUNPATH");
932
7.41k
  declare_integer("DT_FLAGS");
933
7.41k
  declare_integer("DT_ENCODING");
934
935
7.41k
  declare_integer("STT_NOTYPE");
936
7.41k
  declare_integer("STT_OBJECT");
937
7.41k
  declare_integer("STT_FUNC");
938
7.41k
  declare_integer("STT_SECTION");
939
7.41k
  declare_integer("STT_FILE");
940
7.41k
  declare_integer("STT_COMMON");
941
7.41k
  declare_integer("STT_TLS");
942
943
7.41k
  declare_integer("STB_LOCAL");
944
7.41k
  declare_integer("STB_GLOBAL");
945
7.41k
  declare_integer("STB_WEAK");
946
947
7.41k
  declare_integer("PF_X");
948
7.41k
  declare_integer("PF_W");
949
7.41k
  declare_integer("PF_R");
950
951
22.2k
  begin_struct_array("segments")
952
7.41k
    declare_integer("type");
953
7.41k
    declare_integer("flags");
954
7.41k
    declare_integer("offset");
955
7.41k
    declare_integer("virtual_address");
956
7.41k
    declare_integer("physical_address");
957
7.41k
    declare_integer("file_size");
958
7.41k
    declare_integer("memory_size");
959
7.41k
    declare_integer("alignment");
960
14.8k
  end_struct_array("segments")
961
962
7.41k
  declare_integer("dynamic_section_entries");
963
22.2k
  begin_struct_array("dynamic")
964
7.41k
    declare_integer("type");
965
7.41k
    declare_integer("val");
966
14.8k
  end_struct_array("dynamic")
967
968
7.41k
  declare_integer("symtab_entries");
969
22.2k
  begin_struct_array("symtab")
970
7.41k
    declare_string("name");
971
7.41k
    declare_integer("value");
972
7.41k
    declare_integer("size");
973
7.41k
    declare_integer("type");
974
7.41k
    declare_integer("bind");
975
7.41k
    declare_integer("shndx");
976
14.8k
  end_struct_array("symtab")
977
978
7.41k
  declare_integer("dynsym_entries");
979
22.2k
  begin_struct_array("dynsym")
980
7.41k
    declare_string("name");
981
7.41k
    declare_integer("value");
982
7.41k
    declare_integer("size");
983
7.41k
    declare_integer("type");
984
7.41k
    declare_integer("bind");
985
7.41k
    declare_integer("shndx");
986
14.8k
  end_struct_array("dynsym")
987
988
7.41k
  declare_function("telfhash", "", "s", telfhash);
989
990
#if defined(HAVE_LIBCRYPTO) || defined(HAVE_WINCRYPT_H) || \
991
    defined(HAVE_COMMONCRYPTO_COMMONCRYPTO_H)
992
  declare_function("import_md5", "", "s", import_md5);
993
#endif  // defined(HAVE_LIBCRYPTO) || defined(HAVE_WINCRYPT_H)
994
995
7.41k
end_declarations
996
997
int module_initialize(YR_MODULE* module)
998
2
{
999
2
  return ERROR_SUCCESS;
1000
2
}
1001
1002
int module_finalize(YR_MODULE* module)
1003
0
{
1004
0
  return ERROR_SUCCESS;
1005
0
}
1006
1007
int module_load(
1008
    YR_SCAN_CONTEXT* context,
1009
    YR_OBJECT* module_object,
1010
    void* module_data,
1011
    size_t module_data_size)
1012
7.41k
{
1013
7.41k
  YR_MEMORY_BLOCK* block;
1014
7.41k
  YR_MEMORY_BLOCK_ITERATOR* iterator = context->iterator;
1015
1016
7.41k
  elf32_header_t* elf_header32;
1017
7.41k
  elf64_header_t* elf_header64;
1018
1019
7.41k
  yr_set_integer(ELF_ET_NONE, module_object, "ET_NONE");
1020
7.41k
  yr_set_integer(ELF_ET_REL, module_object, "ET_REL");
1021
7.41k
  yr_set_integer(ELF_ET_EXEC, module_object, "ET_EXEC");
1022
7.41k
  yr_set_integer(ELF_ET_DYN, module_object, "ET_DYN");
1023
7.41k
  yr_set_integer(ELF_ET_CORE, module_object, "ET_CORE");
1024
1025
7.41k
  yr_set_integer(ELF_EM_NONE, module_object, "EM_NONE");
1026
7.41k
  yr_set_integer(ELF_EM_M32, module_object, "EM_M32");
1027
7.41k
  yr_set_integer(ELF_EM_SPARC, module_object, "EM_SPARC");
1028
7.41k
  yr_set_integer(ELF_EM_386, module_object, "EM_386");
1029
7.41k
  yr_set_integer(ELF_EM_68K, module_object, "EM_68K");
1030
7.41k
  yr_set_integer(ELF_EM_88K, module_object, "EM_88K");
1031
7.41k
  yr_set_integer(ELF_EM_860, module_object, "EM_860");
1032
7.41k
  yr_set_integer(ELF_EM_MIPS, module_object, "EM_MIPS");
1033
7.41k
  yr_set_integer(ELF_EM_MIPS_RS3_LE, module_object, "EM_MIPS_RS3_LE");
1034
7.41k
  yr_set_integer(ELF_EM_PPC, module_object, "EM_PPC");
1035
7.41k
  yr_set_integer(ELF_EM_PPC64, module_object, "EM_PPC64");
1036
7.41k
  yr_set_integer(ELF_EM_ARM, module_object, "EM_ARM");
1037
7.41k
  yr_set_integer(ELF_EM_X86_64, module_object, "EM_X86_64");
1038
7.41k
  yr_set_integer(ELF_EM_AARCH64, module_object, "EM_AARCH64");
1039
1040
7.41k
  yr_set_integer(ELF_SHT_NULL, module_object, "SHT_NULL");
1041
7.41k
  yr_set_integer(ELF_SHT_PROGBITS, module_object, "SHT_PROGBITS");
1042
7.41k
  yr_set_integer(ELF_SHT_SYMTAB, module_object, "SHT_SYMTAB");
1043
7.41k
  yr_set_integer(ELF_SHT_STRTAB, module_object, "SHT_STRTAB");
1044
7.41k
  yr_set_integer(ELF_SHT_RELA, module_object, "SHT_RELA");
1045
7.41k
  yr_set_integer(ELF_SHT_HASH, module_object, "SHT_HASH");
1046
7.41k
  yr_set_integer(ELF_SHT_DYNAMIC, module_object, "SHT_DYNAMIC");
1047
7.41k
  yr_set_integer(ELF_SHT_NOTE, module_object, "SHT_NOTE");
1048
7.41k
  yr_set_integer(ELF_SHT_NOBITS, module_object, "SHT_NOBITS");
1049
7.41k
  yr_set_integer(ELF_SHT_REL, module_object, "SHT_REL");
1050
7.41k
  yr_set_integer(ELF_SHT_SHLIB, module_object, "SHT_SHLIB");
1051
7.41k
  yr_set_integer(ELF_SHT_DYNSYM, module_object, "SHT_DYNSYM");
1052
1053
7.41k
  yr_set_integer(ELF_SHF_WRITE, module_object, "SHF_WRITE");
1054
7.41k
  yr_set_integer(ELF_SHF_ALLOC, module_object, "SHF_ALLOC");
1055
7.41k
  yr_set_integer(ELF_SHF_EXECINSTR, module_object, "SHF_EXECINSTR");
1056
1057
7.41k
  yr_set_integer(ELF_PT_NULL, module_object, "PT_NULL");
1058
7.41k
  yr_set_integer(ELF_PT_LOAD, module_object, "PT_LOAD");
1059
7.41k
  yr_set_integer(ELF_PT_DYNAMIC, module_object, "PT_DYNAMIC");
1060
7.41k
  yr_set_integer(ELF_PT_INTERP, module_object, "PT_INTERP");
1061
7.41k
  yr_set_integer(ELF_PT_NOTE, module_object, "PT_NOTE");
1062
7.41k
  yr_set_integer(ELF_PT_SHLIB, module_object, "PT_SHLIB");
1063
7.41k
  yr_set_integer(ELF_PT_PHDR, module_object, "PT_PHDR");
1064
7.41k
  yr_set_integer(ELF_PT_TLS, module_object, "PT_TLS");
1065
7.41k
  yr_set_integer(ELF_PT_GNU_EH_FRAME, module_object, "PT_GNU_EH_FRAME");
1066
7.41k
  yr_set_integer(ELF_PT_GNU_STACK, module_object, "PT_GNU_STACK");
1067
1068
7.41k
  yr_set_integer(ELF_DT_NULL, module_object, "DT_NULL");
1069
7.41k
  yr_set_integer(ELF_DT_NEEDED, module_object, "DT_NEEDED");
1070
7.41k
  yr_set_integer(ELF_DT_PLTRELSZ, module_object, "DT_PLTRELSZ");
1071
7.41k
  yr_set_integer(ELF_DT_PLTGOT, module_object, "DT_PLTGOT");
1072
7.41k
  yr_set_integer(ELF_DT_HASH, module_object, "DT_HASH");
1073
7.41k
  yr_set_integer(ELF_DT_STRTAB, module_object, "DT_STRTAB");
1074
7.41k
  yr_set_integer(ELF_DT_SYMTAB, module_object, "DT_SYMTAB");
1075
7.41k
  yr_set_integer(ELF_DT_RELA, module_object, "DT_RELA");
1076
7.41k
  yr_set_integer(ELF_DT_RELASZ, module_object, "DT_RELASZ");
1077
7.41k
  yr_set_integer(ELF_DT_RELAENT, module_object, "DT_RELAENT");
1078
7.41k
  yr_set_integer(ELF_DT_STRSZ, module_object, "DT_STRSZ");
1079
7.41k
  yr_set_integer(ELF_DT_SYMENT, module_object, "DT_SYMENT");
1080
7.41k
  yr_set_integer(ELF_DT_INIT, module_object, "DT_INIT");
1081
7.41k
  yr_set_integer(ELF_DT_FINI, module_object, "DT_FINI");
1082
7.41k
  yr_set_integer(ELF_DT_SONAME, module_object, "DT_SONAME");
1083
7.41k
  yr_set_integer(ELF_DT_RPATH, module_object, "DT_RPATH");
1084
7.41k
  yr_set_integer(ELF_DT_SYMBOLIC, module_object, "DT_SYMBOLIC");
1085
7.41k
  yr_set_integer(ELF_DT_REL, module_object, "DT_REL");
1086
7.41k
  yr_set_integer(ELF_DT_RELSZ, module_object, "DT_RELSZ");
1087
7.41k
  yr_set_integer(ELF_DT_RELENT, module_object, "DT_RELENT");
1088
7.41k
  yr_set_integer(ELF_DT_PLTREL, module_object, "DT_PLTREL");
1089
7.41k
  yr_set_integer(ELF_DT_DEBUG, module_object, "DT_DEBUG");
1090
7.41k
  yr_set_integer(ELF_DT_TEXTREL, module_object, "DT_TEXTREL");
1091
7.41k
  yr_set_integer(ELF_DT_JMPREL, module_object, "DT_JMPREL");
1092
7.41k
  yr_set_integer(ELF_DT_BIND_NOW, module_object, "DT_BIND_NOW");
1093
7.41k
  yr_set_integer(ELF_DT_INIT_ARRAY, module_object, "DT_INIT_ARRAY");
1094
7.41k
  yr_set_integer(ELF_DT_FINI_ARRAY, module_object, "DT_FINI_ARRAY");
1095
7.41k
  yr_set_integer(ELF_DT_INIT_ARRAYSZ, module_object, "DT_INIT_ARRAYSZ");
1096
7.41k
  yr_set_integer(ELF_DT_FINI_ARRAYSZ, module_object, "DT_FINI_ARRAYSZ");
1097
7.41k
  yr_set_integer(ELF_DT_RUNPATH, module_object, "DT_RUNPATH");
1098
7.41k
  yr_set_integer(ELF_DT_FLAGS, module_object, "DT_FLAGS");
1099
7.41k
  yr_set_integer(ELF_DT_ENCODING, module_object, "DT_ENCODING");
1100
1101
7.41k
  yr_set_integer(ELF_STT_NOTYPE, module_object, "STT_NOTYPE");
1102
7.41k
  yr_set_integer(ELF_STT_OBJECT, module_object, "STT_OBJECT");
1103
7.41k
  yr_set_integer(ELF_STT_FUNC, module_object, "STT_FUNC");
1104
7.41k
  yr_set_integer(ELF_STT_SECTION, module_object, "STT_SECTION");
1105
7.41k
  yr_set_integer(ELF_STT_FILE, module_object, "STT_FILE");
1106
7.41k
  yr_set_integer(ELF_STT_COMMON, module_object, "STT_COMMON");
1107
7.41k
  yr_set_integer(ELF_STT_TLS, module_object, "STT_TLS");
1108
1109
7.41k
  yr_set_integer(ELF_STB_LOCAL, module_object, "STB_LOCAL");
1110
7.41k
  yr_set_integer(ELF_STB_GLOBAL, module_object, "STB_GLOBAL");
1111
7.41k
  yr_set_integer(ELF_STB_WEAK, module_object, "STB_WEAK");
1112
1113
7.41k
  yr_set_integer(ELF_PF_X, module_object, "PF_X");
1114
7.41k
  yr_set_integer(ELF_PF_W, module_object, "PF_W");
1115
7.41k
  yr_set_integer(ELF_PF_R, module_object, "PF_R");
1116
1117
7.41k
  uint64_t parse_result = ERROR_SUCCESS;
1118
1119
7.41k
  foreach_memory_block(iterator, block)
1120
7.41k
  {
1121
7.41k
    const uint8_t* block_data = yr_fetch_block_data(block);
1122
1123
7.41k
    if (block_data == NULL)
1124
0
      continue;
1125
1126
7.41k
    ELF* elf = (ELF*) yr_calloc(1, sizeof(ELF));
1127
7.41k
    if (elf == NULL)
1128
0
      return ERROR_INSUFFICIENT_MEMORY;
1129
1130
7.41k
    module_object->data = elf;
1131
7.41k
    int class_data = get_elf_class_data(block_data, block->size);
1132
1133
7.41k
    if (class_data == CLASS_DATA(ELF_CLASS_32, ELF_DATA_2LSB) &&
1134
7.41k
        block->size > sizeof(elf32_header_t))
1135
1.27k
    {
1136
1.27k
      elf_header32 = (elf32_header_t*) block_data;
1137
1138
1.27k
      if (!(context->flags & SCAN_FLAGS_PROCESS_MEMORY) ||
1139
1.27k
          yr_le16toh(elf_header32->type) == ELF_ET_EXEC)
1140
1.27k
      {
1141
1.27k
        parse_result = parse_elf_header_32_le(
1142
1.27k
            elf,
1143
1.27k
            elf_header32,
1144
1.27k
            block->base,
1145
1.27k
            block->size,
1146
1.27k
            context->flags,
1147
1.27k
            module_object);
1148
1.27k
        break;
1149
1.27k
      }
1150
6.13k
    } else if (
1151
6.13k
        class_data == CLASS_DATA(ELF_CLASS_32, ELF_DATA_2MSB) &&
1152
6.13k
        block->size > sizeof(elf32_header_t))
1153
1.31k
    {
1154
1.31k
      elf_header32 = (elf32_header_t*) block_data;
1155
1156
1.31k
      if (!(context->flags & SCAN_FLAGS_PROCESS_MEMORY) ||
1157
1.31k
          yr_be16toh(elf_header32->type) == ELF_ET_EXEC)
1158
1.31k
      {
1159
1.31k
        parse_result = parse_elf_header_32_be(
1160
1.31k
            elf,
1161
1.31k
            elf_header32,
1162
1.31k
            block->base,
1163
1.31k
            block->size,
1164
1.31k
            context->flags,
1165
1.31k
            module_object);
1166
1.31k
        break;
1167
1.31k
      }
1168
4.82k
    } else if (
1169
4.82k
        class_data == CLASS_DATA(ELF_CLASS_64, ELF_DATA_2LSB) &&
1170
4.82k
        block->size > sizeof(elf64_header_t))
1171
1.83k
    {
1172
1.83k
      elf_header64 = (elf64_header_t*) block_data;
1173
1174
1.83k
      if (!(context->flags & SCAN_FLAGS_PROCESS_MEMORY) ||
1175
1.83k
          yr_le16toh(elf_header64->type) == ELF_ET_EXEC)
1176
1.83k
      {
1177
1.83k
        parse_result = parse_elf_header_64_le(
1178
1.83k
            elf,
1179
1.83k
            elf_header64,
1180
1.83k
            block->base,
1181
1.83k
            block->size,
1182
1.83k
            context->flags,
1183
1.83k
            module_object);
1184
1.83k
        break;
1185
1.83k
      }
1186
2.98k
    } else if (
1187
2.98k
        class_data == CLASS_DATA(ELF_CLASS_64, ELF_DATA_2MSB) &&
1188
2.98k
        block->size > sizeof(elf64_header_t))
1189
1.94k
    {
1190
1.94k
      elf_header64 = (elf64_header_t*) block_data;
1191
1192
1.94k
      if (!(context->flags & SCAN_FLAGS_PROCESS_MEMORY) ||
1193
1.94k
          yr_be16toh(elf_header64->type) == ELF_ET_EXEC)
1194
1.94k
      {
1195
1.94k
        parse_result = parse_elf_header_64_be(
1196
1.94k
            elf,
1197
1.94k
            elf_header64,
1198
1.94k
            block->base,
1199
1.94k
            block->size,
1200
1.94k
            context->flags,
1201
1.94k
            module_object);
1202
1.94k
        break;
1203
1.94k
      }
1204
1.94k
    }
1205
7.41k
  }
1206
1207
7.41k
  return parse_result;
1208
7.41k
}
1209
1210
int module_unload(YR_OBJECT* module_object)
1211
7.41k
{
1212
7.41k
  ELF* elf = (ELF*) module_object->data;
1213
7.41k
  if (elf == NULL)
1214
0
    return ERROR_SUCCESS;
1215
1216
7.41k
  if (elf->symtab != NULL)
1217
532
  {
1218
532
    ELF_SYMBOL *act = NULL, *next = NULL;
1219
83.0k
    for (act = elf->symtab->symbols; act != NULL; act = next)
1220
82.5k
    {
1221
82.5k
      next = act->next;
1222
82.5k
      if (act->name != NULL)
1223
17.9k
        yr_free(act->name);
1224
82.5k
      yr_free(act);
1225
82.5k
    }
1226
532
    yr_free(elf->symtab);
1227
532
  }
1228
1229
7.41k
  if (elf->dynsym != NULL)
1230
492
  {
1231
492
    ELF_SYMBOL *act = NULL, *next = NULL;
1232
73.3k
    for (act = elf->dynsym->symbols; act != NULL; act = next)
1233
72.8k
    {
1234
72.8k
      next = act->next;
1235
72.8k
      if (act->name != NULL)
1236
19.9k
        yr_free(act->name);
1237
72.8k
      yr_free(act);
1238
72.8k
    }
1239
492
    yr_free(elf->dynsym);
1240
492
  }
1241
1242
7.41k
  yr_free(elf->telfhash);
1243
7.41k
  yr_free(elf->import_hash);
1244
7.41k
  yr_free(elf);
1245
1246
7.41k
  module_object->data = NULL;
1247
1248
7.41k
  return ERROR_SUCCESS;
1249
7.41k
}