Coverage Report

Created: 2025-04-11 06:09

/src/yara/libyara/modules/elf/elf.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
Copyright (c) 2014. The YARA Authors. All Rights Reserved.
3
4
Redistribution and use in source and binary forms, with or without modification,
5
are permitted provided that the following conditions are met:
6
7
1. Redistributions of source code must retain the above copyright notice, this
8
list of conditions and the following disclaimer.
9
10
2. Redistributions in binary form must reproduce the above copyright notice,
11
this list of conditions and the following disclaimer in the documentation and/or
12
other materials provided with the distribution.
13
14
3. Neither the name of the copyright holder nor the names of its contributors
15
may be used to endorse or promote products derived from this software without
16
specific prior written permission.
17
18
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
*/
29
30
#include <limits.h>
31
#include <stdlib.h>
32
#include <string.h>
33
#include <tlshc/tlsh.h>
34
#include <yara/elf.h>
35
#include <yara/elf_utils.h>
36
#include <yara/endian.h>
37
#include <yara/mem.h>
38
#include <yara/modules.h>
39
#include <yara/simple_str.h>
40
#include <yara/utils.h>
41
#include "../crypto.h"
42
#include "../exception.h"
43
44
#define MODULE_NAME elf
45
46
49.0k
#define CLASS_DATA(c, d) ((c << 8) | d)
47
48
static int sort_strcmp(const void* a, const void* b)
49
0
{
50
0
  return strcmp(*(const char**) a, *(const char**) b);
51
0
}
52
53
define_function(telfhash)
54
0
{
55
0
  YR_OBJECT* obj = yr_module();
56
0
  ELF* elf = (ELF*) obj->data;
57
0
  if (elf == NULL)
58
0
    return_string(YR_UNDEFINED);
59
60
0
  if (elf->telfhash)
61
0
    return_string(elf->telfhash);
62
63
  /* We prefer dynsym if possible */
64
0
  ELF_SYMBOL_LIST* list = elf->dynsym ? elf->dynsym : elf->symtab;
65
0
  if (!list)
66
0
    return_string(YR_UNDEFINED);
67
68
  /* exclusions are based on the original implementation
69
     https://github.com/trendmicro/telfhash/blob/master/telfhash/telfhash.py */
70
0
  char* exclude_strings[] = {
71
0
      "__libc_start_main",
72
0
      "main",
73
0
      "abort",
74
0
      "cachectl",
75
0
      "cacheflush",
76
0
      "puts",
77
0
      "atol",
78
0
      "malloc_trim"};
79
80
0
  SIMPLE_STR* sstr = NULL;
81
0
  Tlsh* tlsh = NULL;
82
83
0
  int symbol_count = 0;
84
0
  char** clean_names = yr_calloc(list->count, sizeof(*clean_names));
85
86
0
  if (clean_names == NULL && list->count > 0)
87
0
    return_string(YR_UNDEFINED);
88
89
0
  for (ELF_SYMBOL* i = list->symbols; i != NULL; i = i->next)
90
0
  {
91
0
    char* name = i->name;
92
93
0
    if (!name)
94
0
      continue;
95
96
    /* Use only global code symbols */
97
0
    if (i->bind != ELF_STB_GLOBAL || i->type != ELF_STT_FUNC ||
98
0
        i->visibility != ELF_STV_DEFAULT)
99
0
      continue;
100
101
    /* ignore:
102
        x86-64 specific functions
103
        string functions (str.* and mem.*), gcc changes them depending on arch
104
        symbols starting with . or _ */
105
0
    bool is_bad_prefix = name[0] == '.' || name[0] == '_';
106
0
    size_t namelen = strlen(name);
107
0
    bool is_x86_64 = namelen >= 2 && strncmp(name + namelen - 2, "64", 2) == 0;
108
0
    bool is_mem_or_str = strncmp(name, "str", 3) == 0 ||
109
0
                         strncmp(name, "mem", 3) == 0;
110
111
0
    if (is_bad_prefix || is_x86_64 || is_mem_or_str)
112
0
      continue;
113
114
    /* Exclude any symbols that match the excluded ones */
115
0
    bool is_excluded = false;
116
0
    for (int i = 0; i < sizeof(exclude_strings) / sizeof(*exclude_strings); i++)
117
0
    {
118
0
      if (strcmp(name, exclude_strings[i]) == 0)
119
0
      {
120
0
        is_excluded = true;
121
0
        break;
122
0
      }
123
0
    }
124
125
0
    if (is_excluded)
126
0
      continue;
127
128
0
    clean_names[symbol_count] = yr_malloc(strlen(name) + 1);
129
130
0
    if (!clean_names[symbol_count])
131
0
      goto cleanup;
132
133
    /* Convert it to lowercase */
134
0
    int j;
135
0
    for (j = 0; name[j]; j++) clean_names[symbol_count][j] = tolower(name[j]);
136
137
0
    clean_names[symbol_count][j] = '\0';
138
139
0
    symbol_count++;
140
0
  }
141
142
0
  if (!symbol_count)
143
0
    goto cleanup;
144
145
  /* Now we have all the valid symbols, sort them, concat them */
146
0
  qsort(clean_names, symbol_count, sizeof(*clean_names), &sort_strcmp);
147
148
0
  sstr = sstr_newf("%s", clean_names[0]);
149
0
  if (!sstr)
150
0
    goto cleanup;
151
152
  /* We've already written first symbol, start at 1 */
153
0
  for (int i = 1; i < symbol_count; ++i)
154
0
  {
155
0
    if (!sstr_appendf(sstr, ",%s", clean_names[i]))
156
0
      goto cleanup;
157
0
  }
158
159
0
  tlsh = tlsh_new();
160
0
  if (!tlsh)
161
0
    goto cleanup;
162
163
0
  tlsh_final(tlsh, (const unsigned char*) sstr->str, sstr->len, 0);
164
165
0
  const char* telfhash = tlsh_get_hash(tlsh, true);
166
0
  elf->telfhash = yr_strdup(telfhash);  // cache it
167
0
  if (!elf->telfhash)
168
0
    goto cleanup;
169
170
0
  for (int i = 0; i < symbol_count; ++i) yr_free(clean_names[i]);
171
0
  yr_free(clean_names);
172
0
  sstr_free(sstr);
173
0
  tlsh_free(tlsh);
174
175
0
  return_string(elf->telfhash);
176
177
0
cleanup:
178
0
  for (int i = 0; i < symbol_count; ++i) yr_free(clean_names[i]);
179
0
  yr_free(clean_names);
180
0
  sstr_free(sstr);
181
0
  tlsh_free(tlsh);
182
183
0
  return_string(YR_UNDEFINED);
184
0
}
185
186
#if defined(HAVE_LIBCRYPTO) || defined(HAVE_WINCRYPT_H) || \
187
    defined(HAVE_COMMONCRYPTO_COMMONCRYPTO_H)
188
189
define_function(import_md5)
190
{
191
  YR_OBJECT* obj = yr_module();
192
  ELF* elf = (ELF*) obj->data;
193
  if (elf == NULL)
194
    return_string(YR_UNDEFINED);
195
196
  if (elf->import_hash)
197
    return_string(elf->import_hash);
198
199
  ELF_SYMBOL_LIST* list = elf->dynsym ? elf->dynsym : elf->symtab;
200
  if (!list)
201
    return_string(YR_UNDEFINED);
202
203
  SIMPLE_STR* sstr = NULL;
204
205
  int symbol_count = 0;
206
  char** clean_names = yr_malloc(list->count * sizeof(*clean_names));
207
  if (!clean_names)
208
    return_string(YR_UNDEFINED);
209
210
  for (ELF_SYMBOL* i = list->symbols; i != NULL; i = i->next)
211
  {
212
    char* name = i->name;
213
214
    if (!name)
215
      continue;
216
217
    if (i->shndx != ELF_SHN_UNDEF)
218
      continue;
219
220
    // skip empty names
221
    if (strlen(i->name) == 0)
222
      continue;
223
224
    clean_names[symbol_count] = yr_malloc(strlen(name) + 1);
225
    if (!clean_names[symbol_count])
226
      goto cleanup;
227
228
    /* Convert it to lowercase */
229
    int j;
230
    for (j = 0; name[j]; j++) clean_names[symbol_count][j] = tolower(name[j]);
231
232
    clean_names[symbol_count][j] = '\0';
233
234
    symbol_count++;
235
  }
236
237
  if (!symbol_count)
238
    goto cleanup;
239
240
  /* Now we have all the valid symbols, sort them, concat them */
241
  qsort(clean_names, symbol_count, sizeof(*clean_names), &sort_strcmp);
242
243
  sstr = sstr_newf("%s", clean_names[0]);
244
  if (!sstr)
245
    goto cleanup;
246
247
  /* We've already written first symbol, start at 1 */
248
  for (int i = 1; i < symbol_count; ++i)
249
  {
250
    if (!sstr_appendf(sstr, ",%s", clean_names[i]))
251
      goto cleanup;
252
  }
253
254
  unsigned char hash[YR_MD5_LEN];
255
256
  yr_md5_ctx ctx;
257
  yr_md5_init(&ctx);
258
  yr_md5_update(&ctx, sstr->str, sstr->len);
259
  yr_md5_final(hash, &ctx);
260
261
  elf->import_hash = yr_malloc(YR_MD5_LEN * 2 + 1);
262
  if (!elf->import_hash)
263
    goto cleanup;
264
265
  for (int i = 0; i < YR_MD5_LEN; ++i)
266
    sprintf(elf->import_hash + (i * 2), "%02x", hash[i]);
267
268
  for (int i = 0; i < symbol_count; ++i) yr_free(clean_names[i]);
269
  yr_free(clean_names);
270
  sstr_free(sstr);
271
272
  return_string(elf->import_hash);
273
274
cleanup:
275
  for (int i = 0; i < symbol_count; ++i) yr_free(clean_names[i]);
276
  yr_free(clean_names);
277
  sstr_free(sstr);
278
279
  return_string(YR_UNDEFINED);
280
}
281
282
#endif  // defined(HAVE_LIBCRYPTO) || defined(HAVE_WINCRYPT_H)
283
284
int get_elf_class_data(const uint8_t* buffer, size_t buffer_length)
285
7.31k
{
286
7.31k
  elf_ident_t* elf_ident;
287
288
7.31k
  if (buffer_length < sizeof(elf_ident_t))
289
17
    return 0;
290
291
7.29k
  elf_ident = (elf_ident_t*) buffer;
292
293
7.29k
  if (yr_le32toh(elf_ident->magic) == ELF_MAGIC)
294
7.12k
  {
295
7.12k
    return CLASS_DATA(elf_ident->_class, elf_ident->data);
296
7.12k
  }
297
165
  else
298
165
  {
299
165
    return 0;
300
165
  }
301
7.29k
}
302
303
static bool is_valid_ptr(
304
    const void* base,
305
    size_t size,
306
    const void* ptr,
307
    uint64_t ptr_size)  // ptr_size can be 64bit even in 32bit systems.
308
3.48M
{
309
3.48M
  return ptr >= base && ptr_size <= size &&
310
3.48M
         ((char*) ptr) + ptr_size <= ((char*) base) + size;
311
3.48M
}
312
313
#define IS_VALID_PTR(base, size, ptr) \
314
3.49M
  is_valid_ptr(base, size, ptr, sizeof(*ptr))
315
316
//
317
// Returns a string table entry for the index or NULL if the entry is out
318
// of bounds. A non-null return value will be a null-terminated C string.
319
//
320
static const char* str_table_entry(
321
    const char* str_table_base,
322
    const char* str_table_limit,
323
    int index)
324
230k
{
325
230k
  size_t len;
326
230k
  const char* str_entry;
327
328
230k
  if (str_table_base >= str_table_limit)
329
2.73k
    return NULL;
330
331
  // The first entry in the string table must be a null character, if not the
332
  // string table is probably corrupted.
333
227k
  if (*str_table_base != '\0')
334
52.1k
    return NULL;
335
336
175k
  if (index < 0)
337
20.8k
    return NULL;
338
339
154k
  str_entry = str_table_base + index;
340
341
154k
  if (str_entry >= str_table_limit)
342
35.1k
    return NULL;
343
344
119k
  len = strnlen(str_entry, str_table_limit - str_entry);
345
346
  // Entry is clamped by extent of string table, not null-terminated.
347
119k
  if (str_entry + len == str_table_limit)
348
2.79k
    return NULL;
349
350
116k
  return str_entry;
351
119k
}
352
353
#define ELF_SIZE_OF_SECTION_TABLE(bits, bo, h) \
354
8.23k
  (sizeof(elf##bits##_section_header_t) * yr_##bo##16toh(h->sh_entry_count))
355
356
#define ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, h) \
357
2.24k
  (sizeof(elf##bits##_program_header_t) * yr_##bo##16toh(h->ph_entry_count))
358
359
#define ELF_RVA_TO_OFFSET(bits, bo)                                                \
360
  uint64_t elf_rva_to_offset_##bits##_##bo(                                        \
361
      elf##bits##_header_t* elf_header, uint64_t rva, size_t elf_size)             \
362
6.06k
  {                                                                                \
363
6.06k
    if (yr_##bo##16toh(elf_header->type) == ELF_ET_EXEC)                           \
364
6.06k
    {                                                                              \
365
1.42k
      int i;                                                                       \
366
1.42k
                                                                                   \
367
1.42k
      elf##bits##_program_header_t* program;                                       \
368
1.42k
                                                                                   \
369
1.42k
      /* check that ph_offset doesn't wrap when added to SIZE_OF_PROGRAM_TABLE     \
370
1.42k
       */                                                                          \
371
1.42k
                                                                                   \
372
1.42k
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->ph_offset) <                  \
373
1.42k
          ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header))                         \
374
1.42k
      {                                                                            \
375
8
        return YR_UNDEFINED;                                                       \
376
8
      }                                                                            \
377
1.42k
                                                                                   \
378
1.42k
      if (yr_##bo##bits##toh(elf_header->ph_offset) == 0 ||                        \
379
1.41k
          yr_##bo##bits##toh(elf_header->ph_offset) > elf_size ||                  \
380
1.41k
          yr_##bo##bits##toh(elf_header->ph_offset) +                              \
381
825
                  ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header) >                \
382
825
              elf_size ||                                                          \
383
1.41k
          yr_##bo##16toh(elf_header->ph_entry_count) == 0)                         \
384
1.41k
      {                                                                            \
385
721
        return YR_UNDEFINED;                                                       \
386
721
      }                                                                            \
387
1.41k
                                                                                   \
388
1.41k
      program = (elf##bits##_program_header_t*)                                  \
389
692
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->ph_offset)); \
390
692
                                                                                   \
391
17.6k
      for (i = 0; i < yr_##bo##16toh(elf_header->ph_entry_count); i++)             \
392
17.2k
      {                                                                            \
393
17.2k
        if (rva >= yr_##bo##bits##toh(program->virt_addr) &&                       \
394
17.2k
            rva < yr_##bo##bits##toh(program->virt_addr) +                         \
395
15.2k
                      yr_##bo##bits##toh(program->mem_size))                       \
396
17.2k
        {                                                                          \
397
271
          return yr_##bo##bits##toh(program->offset) +                             \
398
271
                 (rva - yr_##bo##bits##toh(program->virt_addr));                   \
399
271
        }                                                                          \
400
17.2k
                                                                                   \
401
17.2k
        program++;                                                                 \
402
16.9k
      }                                                                            \
403
692
    }                                                                              \
404
6.06k
    else                                                                           \
405
6.06k
    {                                                                              \
406
4.64k
      int i;                                                                       \
407
4.64k
                                                                                   \
408
4.64k
      elf##bits##_section_header_t* section;                                       \
409
4.64k
                                                                                   \
410
4.64k
      /* check that sh_offset doesn't wrap when added to SIZE_OF_SECTION_TABLE     \
411
4.64k
       */                                                                          \
412
4.64k
                                                                                   \
413
4.64k
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->sh_offset) <                  \
414
4.64k
          ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header))                         \
415
4.64k
      {                                                                            \
416
11
        return YR_UNDEFINED;                                                       \
417
11
      }                                                                            \
418
4.64k
                                                                                   \
419
4.64k
      if (yr_##bo##bits##toh(elf_header->sh_offset) == 0 ||                        \
420
4.63k
          yr_##bo##bits##toh(elf_header->sh_offset) > elf_size ||                  \
421
4.63k
          yr_##bo##bits##toh(elf_header->sh_offset) +                              \
422
3.59k
                  ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header) >                \
423
3.59k
              elf_size ||                                                          \
424
4.63k
          yr_##bo##16toh(elf_header->sh_entry_count) == 0)                         \
425
4.63k
      {                                                                            \
426
1.24k
        return YR_UNDEFINED;                                                       \
427
1.24k
      }                                                                            \
428
4.63k
                                                                                   \
429
4.63k
      section = (elf##bits##_section_header_t*)                                  \
430
3.39k
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->sh_offset)); \
431
3.39k
                                                                                   \
432
66.2k
      for (i = 0; i < yr_##bo##16toh(elf_header->sh_entry_count); i++)             \
433
64.1k
      {                                                                            \
434
64.1k
        if (yr_##bo##32toh(section->type) != ELF_SHT_NULL &&                       \
435
64.1k
            yr_##bo##32toh(section->type) != ELF_SHT_NOBITS &&                     \
436
64.1k
            rva >= yr_##bo##bits##toh(section->addr) &&                            \
437
64.1k
            rva < yr_##bo##bits##toh(section->addr) +                              \
438
38.5k
                      yr_##bo##bits##toh(section->size))                           \
439
64.1k
        {                                                                          \
440
1.26k
          return yr_##bo##bits##toh(section->offset) +                             \
441
1.26k
                 (rva - yr_##bo##bits##toh(section->addr));                        \
442
1.26k
        }                                                                          \
443
64.1k
                                                                                   \
444
64.1k
        section++;                                                                 \
445
62.9k
      }                                                                            \
446
3.39k
    }                                                                              \
447
6.06k
    return YR_UNDEFINED;                                                           \
448
6.06k
  }
elf_rva_to_offset_32_le
Line
Count
Source
362
1.20k
  {                                                                                \
363
1.20k
    if (yr_##bo##16toh(elf_header->type) == ELF_ET_EXEC)                           \
364
1.20k
    {                                                                              \
365
326
      int i;                                                                       \
366
326
                                                                                   \
367
326
      elf##bits##_program_header_t* program;                                       \
368
326
                                                                                   \
369
326
      /* check that ph_offset doesn't wrap when added to SIZE_OF_PROGRAM_TABLE     \
370
326
       */                                                                          \
371
326
                                                                                   \
372
326
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->ph_offset) <                  \
373
326
          ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header))                         \
374
326
      {                                                                            \
375
0
        return YR_UNDEFINED;                                                       \
376
0
      }                                                                            \
377
326
                                                                                   \
378
326
      if (yr_##bo##bits##toh(elf_header->ph_offset) == 0 ||                        \
379
326
          yr_##bo##bits##toh(elf_header->ph_offset) > elf_size ||                  \
380
326
          yr_##bo##bits##toh(elf_header->ph_offset) +                              \
381
232
                  ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header) >                \
382
232
              elf_size ||                                                          \
383
326
          yr_##bo##16toh(elf_header->ph_entry_count) == 0)                         \
384
326
      {                                                                            \
385
137
        return YR_UNDEFINED;                                                       \
386
137
      }                                                                            \
387
326
                                                                                   \
388
326
      program = (elf##bits##_program_header_t*)                                  \
389
189
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->ph_offset)); \
390
189
                                                                                   \
391
3.96k
      for (i = 0; i < yr_##bo##16toh(elf_header->ph_entry_count); i++)             \
392
3.86k
      {                                                                            \
393
3.86k
        if (rva >= yr_##bo##bits##toh(program->virt_addr) &&                       \
394
3.86k
            rva < yr_##bo##bits##toh(program->virt_addr) +                         \
395
3.34k
                      yr_##bo##bits##toh(program->mem_size))                       \
396
3.86k
        {                                                                          \
397
88
          return yr_##bo##bits##toh(program->offset) +                             \
398
88
                 (rva - yr_##bo##bits##toh(program->virt_addr));                   \
399
88
        }                                                                          \
400
3.86k
                                                                                   \
401
3.86k
        program++;                                                                 \
402
3.77k
      }                                                                            \
403
189
    }                                                                              \
404
1.20k
    else                                                                           \
405
1.20k
    {                                                                              \
406
882
      int i;                                                                       \
407
882
                                                                                   \
408
882
      elf##bits##_section_header_t* section;                                       \
409
882
                                                                                   \
410
882
      /* check that sh_offset doesn't wrap when added to SIZE_OF_SECTION_TABLE     \
411
882
       */                                                                          \
412
882
                                                                                   \
413
882
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->sh_offset) <                  \
414
882
          ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header))                         \
415
882
      {                                                                            \
416
0
        return YR_UNDEFINED;                                                       \
417
0
      }                                                                            \
418
882
                                                                                   \
419
882
      if (yr_##bo##bits##toh(elf_header->sh_offset) == 0 ||                        \
420
882
          yr_##bo##bits##toh(elf_header->sh_offset) > elf_size ||                  \
421
882
          yr_##bo##bits##toh(elf_header->sh_offset) +                              \
422
706
                  ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header) >                \
423
706
              elf_size ||                                                          \
424
882
          yr_##bo##16toh(elf_header->sh_entry_count) == 0)                         \
425
882
      {                                                                            \
426
234
        return YR_UNDEFINED;                                                       \
427
234
      }                                                                            \
428
882
                                                                                   \
429
882
      section = (elf##bits##_section_header_t*)                                  \
430
648
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->sh_offset)); \
431
648
                                                                                   \
432
12.3k
      for (i = 0; i < yr_##bo##16toh(elf_header->sh_entry_count); i++)             \
433
11.9k
      {                                                                            \
434
11.9k
        if (yr_##bo##32toh(section->type) != ELF_SHT_NULL &&                       \
435
11.9k
            yr_##bo##32toh(section->type) != ELF_SHT_NOBITS &&                     \
436
11.9k
            rva >= yr_##bo##bits##toh(section->addr) &&                            \
437
11.9k
            rva < yr_##bo##bits##toh(section->addr) +                              \
438
6.38k
                      yr_##bo##bits##toh(section->size))                           \
439
11.9k
        {                                                                          \
440
196
          return yr_##bo##bits##toh(section->offset) +                             \
441
196
                 (rva - yr_##bo##bits##toh(section->addr));                        \
442
196
        }                                                                          \
443
11.9k
                                                                                   \
444
11.9k
        section++;                                                                 \
445
11.7k
      }                                                                            \
446
648
    }                                                                              \
447
1.20k
    return YR_UNDEFINED;                                                           \
448
1.20k
  }
elf_rva_to_offset_64_le
Line
Count
Source
362
1.70k
  {                                                                                \
363
1.70k
    if (yr_##bo##16toh(elf_header->type) == ELF_ET_EXEC)                           \
364
1.70k
    {                                                                              \
365
424
      int i;                                                                       \
366
424
                                                                                   \
367
424
      elf##bits##_program_header_t* program;                                       \
368
424
                                                                                   \
369
424
      /* check that ph_offset doesn't wrap when added to SIZE_OF_PROGRAM_TABLE     \
370
424
       */                                                                          \
371
424
                                                                                   \
372
424
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->ph_offset) <                  \
373
424
          ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header))                         \
374
424
      {                                                                            \
375
6
        return YR_UNDEFINED;                                                       \
376
6
      }                                                                            \
377
424
                                                                                   \
378
424
      if (yr_##bo##bits##toh(elf_header->ph_offset) == 0 ||                        \
379
418
          yr_##bo##bits##toh(elf_header->ph_offset) > elf_size ||                  \
380
418
          yr_##bo##bits##toh(elf_header->ph_offset) +                              \
381
225
                  ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header) >                \
382
225
              elf_size ||                                                          \
383
418
          yr_##bo##16toh(elf_header->ph_entry_count) == 0)                         \
384
418
      {                                                                            \
385
213
        return YR_UNDEFINED;                                                       \
386
213
      }                                                                            \
387
418
                                                                                   \
388
418
      program = (elf##bits##_program_header_t*)                                  \
389
205
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->ph_offset)); \
390
205
                                                                                   \
391
4.56k
      for (i = 0; i < yr_##bo##16toh(elf_header->ph_entry_count); i++)             \
392
4.42k
      {                                                                            \
393
4.42k
        if (rva >= yr_##bo##bits##toh(program->virt_addr) &&                       \
394
4.42k
            rva < yr_##bo##bits##toh(program->virt_addr) +                         \
395
3.99k
                      yr_##bo##bits##toh(program->mem_size))                       \
396
4.42k
        {                                                                          \
397
66
          return yr_##bo##bits##toh(program->offset) +                             \
398
66
                 (rva - yr_##bo##bits##toh(program->virt_addr));                   \
399
66
        }                                                                          \
400
4.42k
                                                                                   \
401
4.42k
        program++;                                                                 \
402
4.36k
      }                                                                            \
403
205
    }                                                                              \
404
1.70k
    else                                                                           \
405
1.70k
    {                                                                              \
406
1.28k
      int i;                                                                       \
407
1.28k
                                                                                   \
408
1.28k
      elf##bits##_section_header_t* section;                                       \
409
1.28k
                                                                                   \
410
1.28k
      /* check that sh_offset doesn't wrap when added to SIZE_OF_SECTION_TABLE     \
411
1.28k
       */                                                                          \
412
1.28k
                                                                                   \
413
1.28k
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->sh_offset) <                  \
414
1.28k
          ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header))                         \
415
1.28k
      {                                                                            \
416
6
        return YR_UNDEFINED;                                                       \
417
6
      }                                                                            \
418
1.28k
                                                                                   \
419
1.28k
      if (yr_##bo##bits##toh(elf_header->sh_offset) == 0 ||                        \
420
1.27k
          yr_##bo##bits##toh(elf_header->sh_offset) > elf_size ||                  \
421
1.27k
          yr_##bo##bits##toh(elf_header->sh_offset) +                              \
422
947
                  ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header) >                \
423
947
              elf_size ||                                                          \
424
1.27k
          yr_##bo##16toh(elf_header->sh_entry_count) == 0)                         \
425
1.27k
      {                                                                            \
426
376
        return YR_UNDEFINED;                                                       \
427
376
      }                                                                            \
428
1.27k
                                                                                   \
429
1.27k
      section = (elf##bits##_section_header_t*)                                  \
430
901
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->sh_offset)); \
431
901
                                                                                   \
432
10.8k
      for (i = 0; i < yr_##bo##16toh(elf_header->sh_entry_count); i++)             \
433
10.3k
      {                                                                            \
434
10.3k
        if (yr_##bo##32toh(section->type) != ELF_SHT_NULL &&                       \
435
10.3k
            yr_##bo##32toh(section->type) != ELF_SHT_NOBITS &&                     \
436
10.3k
            rva >= yr_##bo##bits##toh(section->addr) &&                            \
437
10.3k
            rva < yr_##bo##bits##toh(section->addr) +                              \
438
7.11k
                      yr_##bo##bits##toh(section->size))                           \
439
10.3k
        {                                                                          \
440
482
          return yr_##bo##bits##toh(section->offset) +                             \
441
482
                 (rva - yr_##bo##bits##toh(section->addr));                        \
442
482
        }                                                                          \
443
10.3k
                                                                                   \
444
10.3k
        section++;                                                                 \
445
9.91k
      }                                                                            \
446
901
    }                                                                              \
447
1.70k
    return YR_UNDEFINED;                                                           \
448
1.70k
  }
elf_rva_to_offset_32_be
Line
Count
Source
362
1.26k
  {                                                                                \
363
1.26k
    if (yr_##bo##16toh(elf_header->type) == ELF_ET_EXEC)                           \
364
1.26k
    {                                                                              \
365
273
      int i;                                                                       \
366
273
                                                                                   \
367
273
      elf##bits##_program_header_t* program;                                       \
368
273
                                                                                   \
369
273
      /* check that ph_offset doesn't wrap when added to SIZE_OF_PROGRAM_TABLE     \
370
273
       */                                                                          \
371
273
                                                                                   \
372
273
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->ph_offset) <                  \
373
273
          ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header))                         \
374
273
      {                                                                            \
375
0
        return YR_UNDEFINED;                                                       \
376
0
      }                                                                            \
377
273
                                                                                   \
378
273
      if (yr_##bo##bits##toh(elf_header->ph_offset) == 0 ||                        \
379
273
          yr_##bo##bits##toh(elf_header->ph_offset) > elf_size ||                  \
380
273
          yr_##bo##bits##toh(elf_header->ph_offset) +                              \
381
184
                  ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header) >                \
382
184
              elf_size ||                                                          \
383
273
          yr_##bo##16toh(elf_header->ph_entry_count) == 0)                         \
384
273
      {                                                                            \
385
122
        return YR_UNDEFINED;                                                       \
386
122
      }                                                                            \
387
273
                                                                                   \
388
273
      program = (elf##bits##_program_header_t*)                                  \
389
151
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->ph_offset)); \
390
151
                                                                                   \
391
984
      for (i = 0; i < yr_##bo##16toh(elf_header->ph_entry_count); i++)             \
392
888
      {                                                                            \
393
888
        if (rva >= yr_##bo##bits##toh(program->virt_addr) &&                       \
394
888
            rva < yr_##bo##bits##toh(program->virt_addr) +                         \
395
413
                      yr_##bo##bits##toh(program->mem_size))                       \
396
888
        {                                                                          \
397
55
          return yr_##bo##bits##toh(program->offset) +                             \
398
55
                 (rva - yr_##bo##bits##toh(program->virt_addr));                   \
399
55
        }                                                                          \
400
888
                                                                                   \
401
888
        program++;                                                                 \
402
833
      }                                                                            \
403
151
    }                                                                              \
404
1.26k
    else                                                                           \
405
1.26k
    {                                                                              \
406
988
      int i;                                                                       \
407
988
                                                                                   \
408
988
      elf##bits##_section_header_t* section;                                       \
409
988
                                                                                   \
410
988
      /* check that sh_offset doesn't wrap when added to SIZE_OF_SECTION_TABLE     \
411
988
       */                                                                          \
412
988
                                                                                   \
413
988
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->sh_offset) <                  \
414
988
          ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header))                         \
415
988
      {                                                                            \
416
0
        return YR_UNDEFINED;                                                       \
417
0
      }                                                                            \
418
988
                                                                                   \
419
988
      if (yr_##bo##bits##toh(elf_header->sh_offset) == 0 ||                        \
420
988
          yr_##bo##bits##toh(elf_header->sh_offset) > elf_size ||                  \
421
988
          yr_##bo##bits##toh(elf_header->sh_offset) +                              \
422
808
                  ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header) >                \
423
808
              elf_size ||                                                          \
424
988
          yr_##bo##16toh(elf_header->sh_entry_count) == 0)                         \
425
988
      {                                                                            \
426
229
        return YR_UNDEFINED;                                                       \
427
229
      }                                                                            \
428
988
                                                                                   \
429
988
      section = (elf##bits##_section_header_t*)                                  \
430
759
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->sh_offset)); \
431
759
                                                                                   \
432
33.0k
      for (i = 0; i < yr_##bo##16toh(elf_header->sh_entry_count); i++)             \
433
32.4k
      {                                                                            \
434
32.4k
        if (yr_##bo##32toh(section->type) != ELF_SHT_NULL &&                       \
435
32.4k
            yr_##bo##32toh(section->type) != ELF_SHT_NOBITS &&                     \
436
32.4k
            rva >= yr_##bo##bits##toh(section->addr) &&                            \
437
32.4k
            rva < yr_##bo##bits##toh(section->addr) +                              \
438
19.2k
                      yr_##bo##bits##toh(section->size))                           \
439
32.4k
        {                                                                          \
440
189
          return yr_##bo##bits##toh(section->offset) +                             \
441
189
                 (rva - yr_##bo##bits##toh(section->addr));                        \
442
189
        }                                                                          \
443
32.4k
                                                                                   \
444
32.4k
        section++;                                                                 \
445
32.2k
      }                                                                            \
446
759
    }                                                                              \
447
1.26k
    return YR_UNDEFINED;                                                           \
448
1.26k
  }
elf_rva_to_offset_64_be
Line
Count
Source
362
1.89k
  {                                                                                \
363
1.89k
    if (yr_##bo##16toh(elf_header->type) == ELF_ET_EXEC)                           \
364
1.89k
    {                                                                              \
365
398
      int i;                                                                       \
366
398
                                                                                   \
367
398
      elf##bits##_program_header_t* program;                                       \
368
398
                                                                                   \
369
398
      /* check that ph_offset doesn't wrap when added to SIZE_OF_PROGRAM_TABLE     \
370
398
       */                                                                          \
371
398
                                                                                   \
372
398
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->ph_offset) <                  \
373
398
          ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header))                         \
374
398
      {                                                                            \
375
2
        return YR_UNDEFINED;                                                       \
376
2
      }                                                                            \
377
398
                                                                                   \
378
398
      if (yr_##bo##bits##toh(elf_header->ph_offset) == 0 ||                        \
379
396
          yr_##bo##bits##toh(elf_header->ph_offset) > elf_size ||                  \
380
396
          yr_##bo##bits##toh(elf_header->ph_offset) +                              \
381
184
                  ELF_SIZE_OF_PROGRAM_TABLE(bits, bo, elf_header) >                \
382
184
              elf_size ||                                                          \
383
396
          yr_##bo##16toh(elf_header->ph_entry_count) == 0)                         \
384
396
      {                                                                            \
385
249
        return YR_UNDEFINED;                                                       \
386
249
      }                                                                            \
387
396
                                                                                   \
388
396
      program = (elf##bits##_program_header_t*)                                  \
389
147
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->ph_offset)); \
390
147
                                                                                   \
391
8.13k
      for (i = 0; i < yr_##bo##16toh(elf_header->ph_entry_count); i++)             \
392
8.04k
      {                                                                            \
393
8.04k
        if (rva >= yr_##bo##bits##toh(program->virt_addr) &&                       \
394
8.04k
            rva < yr_##bo##bits##toh(program->virt_addr) +                         \
395
7.48k
                      yr_##bo##bits##toh(program->mem_size))                       \
396
8.04k
        {                                                                          \
397
62
          return yr_##bo##bits##toh(program->offset) +                             \
398
62
                 (rva - yr_##bo##bits##toh(program->virt_addr));                   \
399
62
        }                                                                          \
400
8.04k
                                                                                   \
401
8.04k
        program++;                                                                 \
402
7.98k
      }                                                                            \
403
147
    }                                                                              \
404
1.89k
    else                                                                           \
405
1.89k
    {                                                                              \
406
1.49k
      int i;                                                                       \
407
1.49k
                                                                                   \
408
1.49k
      elf##bits##_section_header_t* section;                                       \
409
1.49k
                                                                                   \
410
1.49k
      /* check that sh_offset doesn't wrap when added to SIZE_OF_SECTION_TABLE     \
411
1.49k
       */                                                                          \
412
1.49k
                                                                                   \
413
1.49k
      if (ULONG_MAX - yr_##bo##bits##toh(elf_header->sh_offset) <                  \
414
1.49k
          ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header))                         \
415
1.49k
      {                                                                            \
416
5
        return YR_UNDEFINED;                                                       \
417
5
      }                                                                            \
418
1.49k
                                                                                   \
419
1.49k
      if (yr_##bo##bits##toh(elf_header->sh_offset) == 0 ||                        \
420
1.48k
          yr_##bo##bits##toh(elf_header->sh_offset) > elf_size ||                  \
421
1.48k
          yr_##bo##bits##toh(elf_header->sh_offset) +                              \
422
1.13k
                  ELF_SIZE_OF_SECTION_TABLE(bits, bo, elf_header) >                \
423
1.13k
              elf_size ||                                                          \
424
1.48k
          yr_##bo##16toh(elf_header->sh_entry_count) == 0)                         \
425
1.48k
      {                                                                            \
426
406
        return YR_UNDEFINED;                                                       \
427
406
      }                                                                            \
428
1.48k
                                                                                   \
429
1.48k
      section = (elf##bits##_section_header_t*)                                  \
430
1.08k
        ((uint8_t*) elf_header + yr_##bo##bits##toh(elf_header->sh_offset)); \
431
1.08k
                                                                                   \
432
10.0k
      for (i = 0; i < yr_##bo##16toh(elf_header->sh_entry_count); i++)             \
433
9.35k
      {                                                                            \
434
9.35k
        if (yr_##bo##32toh(section->type) != ELF_SHT_NULL &&                       \
435
9.35k
            yr_##bo##32toh(section->type) != ELF_SHT_NOBITS &&                     \
436
9.35k
            rva >= yr_##bo##bits##toh(section->addr) &&                            \
437
9.35k
            rva < yr_##bo##bits##toh(section->addr) +                              \
438
5.82k
                      yr_##bo##bits##toh(section->size))                           \
439
9.35k
        {                                                                          \
440
402
          return yr_##bo##bits##toh(section->offset) +                             \
441
402
                 (rva - yr_##bo##bits##toh(section->addr));                        \
442
402
        }                                                                          \
443
9.35k
                                                                                   \
444
9.35k
        section++;                                                                 \
445
8.95k
      }                                                                            \
446
1.08k
    }                                                                              \
447
1.89k
    return YR_UNDEFINED;                                                           \
448
1.89k
  }
449
450
#define PARSE_ELF_HEADER(bits, bo)                                                        \
451
  int parse_elf_header_##bits##_##bo(                                                     \
452
      ELF* elf_data,                                                                      \
453
      elf##bits##_header_t* elf,                                                          \
454
      uint64_t base_address,                                                              \
455
      size_t elf_size,                                                                    \
456
      int flags,                                                                          \
457
      YR_OBJECT* elf_obj)                                                                 \
458
6.28k
  {                                                                                       \
459
6.28k
    unsigned int i, j, m;                                                                 \
460
6.28k
    const char* elf_raw = (const char*) elf;                                              \
461
6.28k
    uint16_t str_table_index = yr_##bo##16toh(elf->sh_str_table_index);                   \
462
6.28k
                                                                                          \
463
6.28k
    const char* sym_table = NULL;                                                         \
464
6.28k
    const char* sym_str_table = NULL;                                                     \
465
6.28k
    const char* dyn_sym_table = NULL;                                                     \
466
6.28k
    const char* dyn_sym_str_table = NULL;                                                 \
467
6.28k
                                                                                          \
468
6.28k
    uint##bits##_t sym_table_size = 0;                                                    \
469
6.28k
    uint##bits##_t sym_str_table_size = 0;                                                \
470
6.28k
    uint##bits##_t dyn_sym_table_size = 0;                                                \
471
6.28k
    uint##bits##_t dyn_sym_str_table_size = 0;                                            \
472
6.28k
                                                                                          \
473
6.28k
    elf_data->symtab = elf_data->dynsym = NULL;                                           \
474
6.28k
                                                                                          \
475
6.28k
    elf##bits##_section_header_t* section_table;                                          \
476
6.28k
    elf##bits##_section_header_t* section;                                                \
477
6.28k
    elf##bits##_program_header_t* segment;                                                \
478
6.28k
                                                                                          \
479
6.28k
    yr_set_integer(yr_##bo##16toh(elf->type), elf_obj, "type");                           \
480
6.28k
    yr_set_integer(yr_##bo##16toh(elf->machine), elf_obj, "machine");                     \
481
6.28k
    yr_set_integer(yr_##bo##bits##toh(elf->sh_offset), elf_obj, "sh_offset");             \
482
6.28k
    yr_set_integer(                                                                       \
483
6.28k
        yr_##bo##16toh(elf->sh_entry_size), elf_obj, "sh_entry_size");                    \
484
6.28k
    yr_set_integer(                                                                       \
485
6.28k
        yr_##bo##16toh(elf->sh_entry_count), elf_obj, "number_of_sections");              \
486
6.28k
    yr_set_integer(yr_##bo##bits##toh(elf->ph_offset), elf_obj, "ph_offset");             \
487
6.28k
    yr_set_integer(                                                                       \
488
6.28k
        yr_##bo##16toh(elf->ph_entry_size), elf_obj, "ph_entry_size");                    \
489
6.28k
    yr_set_integer(                                                                       \
490
6.28k
        yr_##bo##16toh(elf->ph_entry_count), elf_obj, "number_of_segments");              \
491
6.28k
                                                                                          \
492
6.28k
    if (yr_##bo##bits##toh(elf->entry) != 0)                                              \
493
6.28k
    {                                                                                     \
494
6.06k
      yr_set_integer(                                                                     \
495
6.06k
          flags& SCAN_FLAGS_PROCESS_MEMORY                                                \
496
6.06k
              ? base_address + yr_##bo##bits##toh(elf->entry)                             \
497
6.06k
              : elf_rva_to_offset_##bits##_##bo(                                          \
498
6.06k
                    elf, yr_##bo##bits##toh(elf->entry), elf_size),                       \
499
6.06k
          elf_obj,                                                                        \
500
6.06k
          "entry_point");                                                                 \
501
6.06k
    }                                                                                     \
502
6.28k
                                                                                          \
503
6.28k
    if (yr_##bo##16toh(elf->sh_entry_count) < ELF_SHN_LORESERVE &&                        \
504
6.28k
        str_table_index < yr_##bo##16toh(elf->sh_entry_count) &&                          \
505
6.28k
        yr_##bo##bits##toh(elf->sh_offset) < elf_size &&                                  \
506
6.28k
        yr_##bo##bits##toh(elf->sh_offset) +                                              \
507
3.82k
                yr_##bo##16toh(elf->sh_entry_count) *                                     \
508
3.82k
                    sizeof(elf##bits##_section_header_t) <=                               \
509
3.82k
            elf_size)                                                                     \
510
6.28k
    {                                                                                     \
511
3.64k
      const char* str_table = NULL;                                                       \
512
3.64k
                                                                                          \
513
3.64k
      section_table =                                                                     \
514
3.64k
          (elf##bits##_section_header_t*) (elf_raw + yr_##bo##bits##toh(elf->sh_offset)); \
515
3.64k
                                                                                          \
516
3.64k
      if (yr_##bo##bits##toh(section_table[str_table_index].offset) <                     \
517
3.64k
          elf_size)                                                                       \
518
3.64k
      {                                                                                   \
519
1.73k
        str_table = elf_raw +                                                             \
520
1.73k
                    yr_##bo##bits##toh(section_table[str_table_index].offset);            \
521
1.73k
      }                                                                                   \
522
3.64k
                                                                                          \
523
3.64k
      section = section_table;                                                            \
524
3.64k
                                                                                          \
525
470k
      for (i = 0; i < yr_##bo##16toh(elf->sh_entry_count); i++, section++)                \
526
466k
      {                                                                                   \
527
466k
        yr_set_integer(                                                                   \
528
466k
            yr_##bo##32toh(section->type), elf_obj, "sections[%i].type", i);              \
529
466k
        yr_set_integer(                                                                   \
530
466k
            yr_##bo##bits##toh(section->flags),                                           \
531
466k
            elf_obj,                                                                      \
532
466k
            "sections[%i].flags",                                                         \
533
466k
            i);                                                                           \
534
466k
        yr_set_integer(                                                                   \
535
466k
            yr_##bo##bits##toh(section->addr),                                            \
536
466k
            elf_obj,                                                                      \
537
466k
            "sections[%i].address",                                                       \
538
466k
            i);                                                                           \
539
466k
        yr_set_integer(                                                                   \
540
466k
            yr_##bo##bits##toh(section->size),                                            \
541
466k
            elf_obj,                                                                      \
542
466k
            "sections[%i].size",                                                          \
543
466k
            i);                                                                           \
544
466k
        yr_set_integer(                                                                   \
545
466k
            yr_##bo##bits##toh(section->offset),                                          \
546
466k
            elf_obj,                                                                      \
547
466k
            "sections[%i].offset",                                                        \
548
466k
            i);                                                                           \
549
466k
                                                                                          \
550
466k
        if (yr_##bo##32toh(section->name) < elf_size && str_table > elf_raw)              \
551
466k
        {                                                                                 \
552
111k
          const char* section_name = str_table_entry(                                     \
553
111k
              str_table, elf_raw + elf_size, yr_##bo##32toh(section->name));              \
554
111k
                                                                                          \
555
111k
          if (section_name)                                                               \
556
111k
            yr_set_string(section_name, elf_obj, "sections[%i].name", i);                 \
557
111k
        }                                                                                 \
558
466k
                                                                                          \
559
466k
        if (yr_##bo##32toh(section->type) == ELF_SHT_SYMTAB &&                            \
560
466k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
561
466k
        {                                                                                 \
562
9.71k
          elf##bits##_section_header_t* string_section = section_table +                  \
563
9.71k
                                                         yr_##bo##32toh(                  \
564
9.71k
                                                             section->link);              \
565
9.71k
                                                                                          \
566
9.71k
          if (IS_VALID_PTR(elf, elf_size, string_section) &&                              \
567
9.71k
              yr_##bo##32toh(string_section->type) == ELF_SHT_STRTAB)                     \
568
9.71k
          {                                                                               \
569
5.70k
            sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                    \
570
5.70k
            sym_str_table = elf_raw +                                                     \
571
5.70k
                            yr_##bo##bits##toh(string_section->offset);                   \
572
5.70k
            sym_table_size = yr_##bo##bits##toh(section->size);                           \
573
5.70k
            sym_str_table_size = yr_##bo##bits##toh(string_section->size);                \
574
5.70k
          }                                                                               \
575
9.71k
        }                                                                                 \
576
466k
                                                                                          \
577
466k
        if (yr_##bo##32toh(section->type) == ELF_SHT_DYNSYM &&                            \
578
466k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
579
466k
        {                                                                                 \
580
4.49k
          elf##bits##_section_header_t* dynstr_section = section_table +                  \
581
4.49k
                                                         yr_##bo##32toh(                  \
582
4.49k
                                                             section->link);              \
583
4.49k
                                                                                          \
584
4.49k
          if (IS_VALID_PTR(elf, elf_size, dynstr_section) &&                              \
585
4.49k
              yr_##bo##32toh(dynstr_section->type) == ELF_SHT_STRTAB)                     \
586
4.49k
          {                                                                               \
587
1.94k
            dyn_sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                \
588
1.94k
            dyn_sym_str_table = elf_raw +                                                 \
589
1.94k
                                yr_##bo##bits##toh(dynstr_section->offset);               \
590
1.94k
            dyn_sym_table_size = yr_##bo##bits##toh(section->size);                       \
591
1.94k
            dyn_sym_str_table_size = yr_##bo##bits##toh(dynstr_section->size);            \
592
1.94k
          }                                                                               \
593
4.49k
        }                                                                                 \
594
466k
      }                                                                                   \
595
3.64k
                                                                                          \
596
3.64k
      if (is_valid_ptr(elf, elf_size, sym_str_table, sym_str_table_size) &&               \
597
3.64k
          is_valid_ptr(elf, elf_size, sym_table, sym_table_size))                         \
598
3.64k
      {                                                                                   \
599
503
        elf##bits##_sym_t* sym = (elf##bits##_sym_t*) sym_table;                          \
600
503
        elf_data->symtab = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
601
503
            sizeof(ELF_SYMBOL_LIST));                                                     \
602
503
                                                                                          \
603
503
        if (elf_data->symtab == NULL)                                                     \
604
503
          return ERROR_INSUFFICIENT_MEMORY;                                               \
605
503
                                                                                          \
606
503
        ELF_SYMBOL** symbol = &(elf_data->symtab->symbols);                               \
607
503
        *symbol = NULL;                                                                   \
608
503
                                                                                          \
609
65.2k
        for (j = 0; j < sym_table_size / sizeof(elf##bits##_sym_t);                       \
610
64.7k
             j++, sym++)                                                                  \
611
64.7k
        {                                                                                 \
612
64.7k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
613
64.7k
          if (*symbol == NULL)                                                            \
614
64.7k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
615
64.7k
                                                                                          \
616
64.7k
          (*symbol)->name = NULL;                                                         \
617
64.7k
          (*symbol)->next = NULL;                                                         \
618
64.7k
                                                                                          \
619
64.7k
          const char* sym_name = str_table_entry(                                         \
620
64.7k
              sym_str_table,                                                              \
621
64.7k
              sym_str_table + sym_str_table_size,                                         \
622
64.7k
              yr_##bo##32toh(sym->name));                                                 \
623
64.7k
                                                                                          \
624
64.7k
          if (sym_name)                                                                   \
625
64.7k
          {                                                                               \
626
12.9k
            yr_set_string(sym_name, elf_obj, "symtab[%i].name", j);                       \
627
12.9k
            (*symbol)->name = (char*) yr_malloc(strlen(sym_name) + 1);                    \
628
12.9k
            if ((*symbol)->name == NULL)                                                  \
629
12.9k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
630
12.9k
                                                                                          \
631
12.9k
            strcpy((*symbol)->name, sym_name);                                            \
632
12.9k
          }                                                                               \
633
64.7k
                                                                                          \
634
64.7k
          int bind = sym->info >> 4;                                                      \
635
64.7k
          (*symbol)->bind = bind;                                                         \
636
64.7k
          yr_set_integer(bind, elf_obj, "symtab[%i].bind", j);                            \
637
64.7k
                                                                                          \
638
64.7k
          int type = sym->info & 0xf;                                                     \
639
64.7k
          (*symbol)->type = type;                                                         \
640
64.7k
          yr_set_integer(type, elf_obj, "symtab[%i].type", j);                            \
641
64.7k
                                                                                          \
642
64.7k
          int shndx = yr_##bo##16toh(sym->shndx);                                         \
643
64.7k
          (*symbol)->shndx = shndx;                                                       \
644
64.7k
          yr_set_integer(shndx, elf_obj, "symtab[%i].shndx", j);                          \
645
64.7k
                                                                                          \
646
64.7k
          int value = yr_##bo##bits##toh(sym->value);                                     \
647
64.7k
          (*symbol)->value = value;                                                       \
648
64.7k
          yr_set_integer(                                                                 \
649
64.7k
              yr_##bo##bits##toh(sym->value), elf_obj, "symtab[%i].value", j);            \
650
64.7k
                                                                                          \
651
64.7k
          int size = yr_##bo##bits##toh(sym->size);                                       \
652
64.7k
          (*symbol)->size = size;                                                         \
653
64.7k
          yr_set_integer(                                                                 \
654
64.7k
              yr_##bo##bits##toh(sym->size), elf_obj, "symtab[%i].size", j);              \
655
64.7k
                                                                                          \
656
64.7k
          (*symbol)->visibility = sym->other & 0x3;                                       \
657
64.7k
                                                                                          \
658
64.7k
          symbol = &((*symbol)->next);                                                    \
659
64.7k
        }                                                                                 \
660
503
                                                                                          \
661
503
        elf_data->symtab->count = j;                                                      \
662
503
        yr_set_integer(j, elf_obj, "symtab_entries");                                     \
663
503
      }                                                                                   \
664
3.64k
                                                                                          \
665
3.64k
      if (is_valid_ptr(                                                                   \
666
3.64k
              elf, elf_size, dyn_sym_str_table, dyn_sym_str_table_size) &&                \
667
3.64k
          is_valid_ptr(elf, elf_size, dyn_sym_table, dyn_sym_table_size))                 \
668
3.64k
      {                                                                                   \
669
527
        elf##bits##_sym_t* dynsym = (elf##bits##_sym_t*) dyn_sym_table;                   \
670
527
                                                                                          \
671
527
        elf_data->dynsym = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
672
527
            sizeof(ELF_SYMBOL_LIST));                                                     \
673
527
                                                                                          \
674
527
        if (elf_data->dynsym == NULL)                                                     \
675
527
          return ERROR_INSUFFICIENT_MEMORY;                                               \
676
527
                                                                                          \
677
527
        ELF_SYMBOL** symbol = &(elf_data->dynsym->symbols);                               \
678
527
        *symbol = NULL;                                                                   \
679
527
                                                                                          \
680
54.4k
        for (m = 0; m < dyn_sym_table_size / sizeof(elf##bits##_sym_t);                   \
681
53.9k
             m++, dynsym++)                                                               \
682
53.9k
        {                                                                                 \
683
53.9k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
684
53.9k
          if (*symbol == NULL)                                                            \
685
53.9k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
686
53.9k
                                                                                          \
687
53.9k
          (*symbol)->name = NULL;                                                         \
688
53.9k
          (*symbol)->next = NULL;                                                         \
689
53.9k
                                                                                          \
690
53.9k
          const char* dynsym_name = str_table_entry(                                      \
691
53.9k
              dyn_sym_str_table,                                                          \
692
53.9k
              dyn_sym_str_table + dyn_sym_str_table_size,                                 \
693
53.9k
              yr_##bo##32toh(dynsym->name));                                              \
694
53.9k
                                                                                          \
695
53.9k
          if (dynsym_name)                                                                \
696
53.9k
          {                                                                               \
697
16.9k
            yr_set_string(dynsym_name, elf_obj, "dynsym[%i].name", m);                    \
698
16.9k
            (*symbol)->name = (char*) yr_malloc(strlen(dynsym_name) + 1);                 \
699
16.9k
            if ((*symbol)->name == NULL)                                                  \
700
16.9k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
701
16.9k
                                                                                          \
702
16.9k
            strcpy((*symbol)->name, dynsym_name);                                         \
703
16.9k
          }                                                                               \
704
53.9k
                                                                                          \
705
53.9k
          int bind = dynsym->info >> 4;                                                   \
706
53.9k
          (*symbol)->bind = bind;                                                         \
707
53.9k
          yr_set_integer(dynsym->info >> 4, elf_obj, "dynsym[%i].bind", m);               \
708
53.9k
                                                                                          \
709
53.9k
          int type = dynsym->info & 0xf;                                                  \
710
53.9k
          (*symbol)->type = type;                                                         \
711
53.9k
          yr_set_integer(dynsym->info & 0xf, elf_obj, "dynsym[%i].type", m);              \
712
53.9k
                                                                                          \
713
53.9k
          int shndx = yr_##bo##16toh(dynsym->shndx);                                      \
714
53.9k
          (*symbol)->shndx = shndx;                                                       \
715
53.9k
          yr_set_integer(                                                                 \
716
53.9k
              yr_##bo##16toh(dynsym->shndx), elf_obj, "dynsym[%i].shndx", m);             \
717
53.9k
                                                                                          \
718
53.9k
          int value = yr_##bo##bits##toh(dynsym->value);                                  \
719
53.9k
          (*symbol)->value = value;                                                       \
720
53.9k
          yr_set_integer(                                                                 \
721
53.9k
              yr_##bo##bits##toh(dynsym->value),                                          \
722
53.9k
              elf_obj,                                                                    \
723
53.9k
              "dynsym[%i].value",                                                         \
724
53.9k
              m);                                                                         \
725
53.9k
                                                                                          \
726
53.9k
          int size = yr_##bo##bits##toh(dynsym->size);                                    \
727
53.9k
          (*symbol)->size = size;                                                         \
728
53.9k
          yr_set_integer(                                                                 \
729
53.9k
              yr_##bo##bits##toh(dynsym->size),                                           \
730
53.9k
              elf_obj,                                                                    \
731
53.9k
              "dynsym[%i].size",                                                          \
732
53.9k
              m);                                                                         \
733
53.9k
                                                                                          \
734
53.9k
          (*symbol)->visibility = dynsym->other & 0x3;                                    \
735
53.9k
                                                                                          \
736
53.9k
          symbol = &((*symbol)->next);                                                    \
737
53.9k
        }                                                                                 \
738
527
                                                                                          \
739
527
        elf_data->dynsym->count = m;                                                      \
740
527
        yr_set_integer(m, elf_obj, "dynsym_entries");                                     \
741
527
      }                                                                                   \
742
3.64k
    }                                                                                     \
743
6.28k
                                                                                          \
744
6.28k
    if (yr_##bo##16toh(elf->ph_entry_count) > 0 &&                                        \
745
6.28k
        yr_##bo##16toh(elf->ph_entry_count) < ELF_PN_XNUM &&                              \
746
6.28k
        yr_##bo##bits##toh(elf->ph_offset) < elf_size &&                                  \
747
6.28k
        yr_##bo##bits##toh(elf->ph_offset) +                                              \
748
2.20k
                yr_##bo##16toh(elf->ph_entry_count) *                                     \
749
2.20k
                    sizeof(elf##bits##_program_header_t) <=                               \
750
2.20k
            elf_size)                                                                     \
751
6.28k
    {                                                                                     \
752
1.36k
      segment =                                                                           \
753
1.36k
          (elf##bits##_program_header_t*) (elf_raw + yr_##bo##bits##toh(elf->ph_offset)); \
754
1.36k
                                                                                          \
755
456k
      for (i = 0; i < yr_##bo##16toh(elf->ph_entry_count); i++, segment++)                \
756
455k
      {                                                                                   \
757
455k
        yr_set_integer(                                                                   \
758
455k
            yr_##bo##32toh(segment->type), elf_obj, "segments[%i].type", i);              \
759
455k
        yr_set_integer(                                                                   \
760
455k
            yr_##bo##32toh(segment->flags), elf_obj, "segments[%i].flags", i);            \
761
455k
        yr_set_integer(                                                                   \
762
455k
            yr_##bo##bits##toh(segment->offset),                                          \
763
455k
            elf_obj,                                                                      \
764
455k
            "segments[%i].offset",                                                        \
765
455k
            i);                                                                           \
766
455k
        yr_set_integer(                                                                   \
767
455k
            yr_##bo##bits##toh(segment->virt_addr),                                       \
768
455k
            elf_obj,                                                                      \
769
455k
            "segments[%i].virtual_address",                                               \
770
455k
            i);                                                                           \
771
455k
        yr_set_integer(                                                                   \
772
455k
            yr_##bo##bits##toh(segment->phys_addr),                                       \
773
455k
            elf_obj,                                                                      \
774
455k
            "segments[%i].physical_address",                                              \
775
455k
            i);                                                                           \
776
455k
        yr_set_integer(                                                                   \
777
455k
            yr_##bo##bits##toh(segment->file_size),                                       \
778
455k
            elf_obj,                                                                      \
779
455k
            "segments[%i].file_size",                                                     \
780
455k
            i);                                                                           \
781
455k
        yr_set_integer(                                                                   \
782
455k
            yr_##bo##bits##toh(segment->mem_size),                                        \
783
455k
            elf_obj,                                                                      \
784
455k
            "segments[%i].memory_size",                                                   \
785
455k
            i);                                                                           \
786
455k
        yr_set_integer(                                                                   \
787
455k
            yr_##bo##bits##toh(segment->alignment),                                       \
788
455k
            elf_obj,                                                                      \
789
455k
            "segments[%i].alignment",                                                     \
790
455k
            i);                                                                           \
791
455k
                                                                                          \
792
455k
        if (yr_##bo##32toh(segment->type) == ELF_PT_DYNAMIC)                              \
793
455k
        {                                                                                 \
794
11.0k
          j = 0;                                                                          \
795
11.0k
          if (yr_##bo##bits##toh(segment->offset) < elf_size)                             \
796
11.0k
          {                                                                               \
797
5.26k
            elf##bits##_dyn_t* dyn =                                                      \
798
5.26k
                (elf##bits##_dyn_t*) (elf_raw + yr_##bo##bits##toh(segment->offset));     \
799
5.26k
                                                                                          \
800
3.46M
            for (j = 0; IS_VALID_PTR(elf, elf_size, dyn); dyn++, j++)                     \
801
3.46M
            {                                                                             \
802
3.46M
              yr_set_integer(                                                             \
803
3.46M
                  yr_##bo##bits##toh(dyn->tag), elf_obj, "dynamic[%i].type", j);          \
804
3.46M
              yr_set_integer(                                                             \
805
3.46M
                  yr_##bo##bits##toh(dyn->val), elf_obj, "dynamic[%i].val", j);           \
806
3.46M
                                                                                          \
807
3.46M
              if (dyn->tag == ELF_DT_NULL)                                                \
808
3.46M
              {                                                                           \
809
3.58k
                j++;                                                                      \
810
3.58k
                break;                                                                    \
811
3.58k
              }                                                                           \
812
3.46M
            }                                                                             \
813
5.26k
          }                                                                               \
814
11.0k
          yr_set_integer(j, elf_obj, "dynamic_section_entries");                          \
815
11.0k
        }                                                                                 \
816
455k
      }                                                                                   \
817
1.36k
    }                                                                                     \
818
6.28k
    return ERROR_SUCCESS;                                                                 \
819
6.28k
  }
parse_elf_header_32_le
Line
Count
Source
458
1.29k
  {                                                                                       \
459
1.29k
    unsigned int i, j, m;                                                                 \
460
1.29k
    const char* elf_raw = (const char*) elf;                                              \
461
1.29k
    uint16_t str_table_index = yr_##bo##16toh(elf->sh_str_table_index);                   \
462
1.29k
                                                                                          \
463
1.29k
    const char* sym_table = NULL;                                                         \
464
1.29k
    const char* sym_str_table = NULL;                                                     \
465
1.29k
    const char* dyn_sym_table = NULL;                                                     \
466
1.29k
    const char* dyn_sym_str_table = NULL;                                                 \
467
1.29k
                                                                                          \
468
1.29k
    uint##bits##_t sym_table_size = 0;                                                    \
469
1.29k
    uint##bits##_t sym_str_table_size = 0;                                                \
470
1.29k
    uint##bits##_t dyn_sym_table_size = 0;                                                \
471
1.29k
    uint##bits##_t dyn_sym_str_table_size = 0;                                            \
472
1.29k
                                                                                          \
473
1.29k
    elf_data->symtab = elf_data->dynsym = NULL;                                           \
474
1.29k
                                                                                          \
475
1.29k
    elf##bits##_section_header_t* section_table;                                          \
476
1.29k
    elf##bits##_section_header_t* section;                                                \
477
1.29k
    elf##bits##_program_header_t* segment;                                                \
478
1.29k
                                                                                          \
479
1.29k
    yr_set_integer(yr_##bo##16toh(elf->type), elf_obj, "type");                           \
480
1.29k
    yr_set_integer(yr_##bo##16toh(elf->machine), elf_obj, "machine");                     \
481
1.29k
    yr_set_integer(yr_##bo##bits##toh(elf->sh_offset), elf_obj, "sh_offset");             \
482
1.29k
    yr_set_integer(                                                                       \
483
1.29k
        yr_##bo##16toh(elf->sh_entry_size), elf_obj, "sh_entry_size");                    \
484
1.29k
    yr_set_integer(                                                                       \
485
1.29k
        yr_##bo##16toh(elf->sh_entry_count), elf_obj, "number_of_sections");              \
486
1.29k
    yr_set_integer(yr_##bo##bits##toh(elf->ph_offset), elf_obj, "ph_offset");             \
487
1.29k
    yr_set_integer(                                                                       \
488
1.29k
        yr_##bo##16toh(elf->ph_entry_size), elf_obj, "ph_entry_size");                    \
489
1.29k
    yr_set_integer(                                                                       \
490
1.29k
        yr_##bo##16toh(elf->ph_entry_count), elf_obj, "number_of_segments");              \
491
1.29k
                                                                                          \
492
1.29k
    if (yr_##bo##bits##toh(elf->entry) != 0)                                              \
493
1.29k
    {                                                                                     \
494
1.20k
      yr_set_integer(                                                                     \
495
1.20k
          flags& SCAN_FLAGS_PROCESS_MEMORY                                                \
496
1.20k
              ? base_address + yr_##bo##bits##toh(elf->entry)                             \
497
1.20k
              : elf_rva_to_offset_##bits##_##bo(                                          \
498
1.20k
                    elf, yr_##bo##bits##toh(elf->entry), elf_size),                       \
499
1.20k
          elf_obj,                                                                        \
500
1.20k
          "entry_point");                                                                 \
501
1.20k
    }                                                                                     \
502
1.29k
                                                                                          \
503
1.29k
    if (yr_##bo##16toh(elf->sh_entry_count) < ELF_SHN_LORESERVE &&                        \
504
1.29k
        str_table_index < yr_##bo##16toh(elf->sh_entry_count) &&                          \
505
1.29k
        yr_##bo##bits##toh(elf->sh_offset) < elf_size &&                                  \
506
1.29k
        yr_##bo##bits##toh(elf->sh_offset) +                                              \
507
834
                yr_##bo##16toh(elf->sh_entry_count) *                                     \
508
834
                    sizeof(elf##bits##_section_header_t) <=                               \
509
834
            elf_size)                                                                     \
510
1.29k
    {                                                                                     \
511
771
      const char* str_table = NULL;                                                       \
512
771
                                                                                          \
513
771
      section_table =                                                                     \
514
771
          (elf##bits##_section_header_t*) (elf_raw + yr_##bo##bits##toh(elf->sh_offset)); \
515
771
                                                                                          \
516
771
      if (yr_##bo##bits##toh(section_table[str_table_index].offset) <                     \
517
771
          elf_size)                                                                       \
518
771
      {                                                                                   \
519
469
        str_table = elf_raw +                                                             \
520
469
                    yr_##bo##bits##toh(section_table[str_table_index].offset);            \
521
469
      }                                                                                   \
522
771
                                                                                          \
523
771
      section = section_table;                                                            \
524
771
                                                                                          \
525
80.7k
      for (i = 0; i < yr_##bo##16toh(elf->sh_entry_count); i++, section++)                \
526
79.9k
      {                                                                                   \
527
79.9k
        yr_set_integer(                                                                   \
528
79.9k
            yr_##bo##32toh(section->type), elf_obj, "sections[%i].type", i);              \
529
79.9k
        yr_set_integer(                                                                   \
530
79.9k
            yr_##bo##bits##toh(section->flags),                                           \
531
79.9k
            elf_obj,                                                                      \
532
79.9k
            "sections[%i].flags",                                                         \
533
79.9k
            i);                                                                           \
534
79.9k
        yr_set_integer(                                                                   \
535
79.9k
            yr_##bo##bits##toh(section->addr),                                            \
536
79.9k
            elf_obj,                                                                      \
537
79.9k
            "sections[%i].address",                                                       \
538
79.9k
            i);                                                                           \
539
79.9k
        yr_set_integer(                                                                   \
540
79.9k
            yr_##bo##bits##toh(section->size),                                            \
541
79.9k
            elf_obj,                                                                      \
542
79.9k
            "sections[%i].size",                                                          \
543
79.9k
            i);                                                                           \
544
79.9k
        yr_set_integer(                                                                   \
545
79.9k
            yr_##bo##bits##toh(section->offset),                                          \
546
79.9k
            elf_obj,                                                                      \
547
79.9k
            "sections[%i].offset",                                                        \
548
79.9k
            i);                                                                           \
549
79.9k
                                                                                          \
550
79.9k
        if (yr_##bo##32toh(section->name) < elf_size && str_table > elf_raw)              \
551
79.9k
        {                                                                                 \
552
10.3k
          const char* section_name = str_table_entry(                                     \
553
10.3k
              str_table, elf_raw + elf_size, yr_##bo##32toh(section->name));              \
554
10.3k
                                                                                          \
555
10.3k
          if (section_name)                                                               \
556
10.3k
            yr_set_string(section_name, elf_obj, "sections[%i].name", i);                 \
557
10.3k
        }                                                                                 \
558
79.9k
                                                                                          \
559
79.9k
        if (yr_##bo##32toh(section->type) == ELF_SHT_SYMTAB &&                            \
560
79.9k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
561
79.9k
        {                                                                                 \
562
1.65k
          elf##bits##_section_header_t* string_section = section_table +                  \
563
1.65k
                                                         yr_##bo##32toh(                  \
564
1.65k
                                                             section->link);              \
565
1.65k
                                                                                          \
566
1.65k
          if (IS_VALID_PTR(elf, elf_size, string_section) &&                              \
567
1.65k
              yr_##bo##32toh(string_section->type) == ELF_SHT_STRTAB)                     \
568
1.65k
          {                                                                               \
569
845
            sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                    \
570
845
            sym_str_table = elf_raw +                                                     \
571
845
                            yr_##bo##bits##toh(string_section->offset);                   \
572
845
            sym_table_size = yr_##bo##bits##toh(section->size);                           \
573
845
            sym_str_table_size = yr_##bo##bits##toh(string_section->size);                \
574
845
          }                                                                               \
575
1.65k
        }                                                                                 \
576
79.9k
                                                                                          \
577
79.9k
        if (yr_##bo##32toh(section->type) == ELF_SHT_DYNSYM &&                            \
578
79.9k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
579
79.9k
        {                                                                                 \
580
876
          elf##bits##_section_header_t* dynstr_section = section_table +                  \
581
876
                                                         yr_##bo##32toh(                  \
582
876
                                                             section->link);              \
583
876
                                                                                          \
584
876
          if (IS_VALID_PTR(elf, elf_size, dynstr_section) &&                              \
585
876
              yr_##bo##32toh(dynstr_section->type) == ELF_SHT_STRTAB)                     \
586
876
          {                                                                               \
587
471
            dyn_sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                \
588
471
            dyn_sym_str_table = elf_raw +                                                 \
589
471
                                yr_##bo##bits##toh(dynstr_section->offset);               \
590
471
            dyn_sym_table_size = yr_##bo##bits##toh(section->size);                       \
591
471
            dyn_sym_str_table_size = yr_##bo##bits##toh(dynstr_section->size);            \
592
471
          }                                                                               \
593
876
        }                                                                                 \
594
79.9k
      }                                                                                   \
595
771
                                                                                          \
596
771
      if (is_valid_ptr(elf, elf_size, sym_str_table, sym_str_table_size) &&               \
597
771
          is_valid_ptr(elf, elf_size, sym_table, sym_table_size))                         \
598
771
      {                                                                                   \
599
156
        elf##bits##_sym_t* sym = (elf##bits##_sym_t*) sym_table;                          \
600
156
        elf_data->symtab = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
601
156
            sizeof(ELF_SYMBOL_LIST));                                                     \
602
156
                                                                                          \
603
156
        if (elf_data->symtab == NULL)                                                     \
604
156
          return ERROR_INSUFFICIENT_MEMORY;                                               \
605
156
                                                                                          \
606
156
        ELF_SYMBOL** symbol = &(elf_data->symtab->symbols);                               \
607
156
        *symbol = NULL;                                                                   \
608
156
                                                                                          \
609
30.8k
        for (j = 0; j < sym_table_size / sizeof(elf##bits##_sym_t);                       \
610
30.6k
             j++, sym++)                                                                  \
611
30.6k
        {                                                                                 \
612
30.6k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
613
30.6k
          if (*symbol == NULL)                                                            \
614
30.6k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
615
30.6k
                                                                                          \
616
30.6k
          (*symbol)->name = NULL;                                                         \
617
30.6k
          (*symbol)->next = NULL;                                                         \
618
30.6k
                                                                                          \
619
30.6k
          const char* sym_name = str_table_entry(                                         \
620
30.6k
              sym_str_table,                                                              \
621
30.6k
              sym_str_table + sym_str_table_size,                                         \
622
30.6k
              yr_##bo##32toh(sym->name));                                                 \
623
30.6k
                                                                                          \
624
30.6k
          if (sym_name)                                                                   \
625
30.6k
          {                                                                               \
626
1.39k
            yr_set_string(sym_name, elf_obj, "symtab[%i].name", j);                       \
627
1.39k
            (*symbol)->name = (char*) yr_malloc(strlen(sym_name) + 1);                    \
628
1.39k
            if ((*symbol)->name == NULL)                                                  \
629
1.39k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
630
1.39k
                                                                                          \
631
1.39k
            strcpy((*symbol)->name, sym_name);                                            \
632
1.39k
          }                                                                               \
633
30.6k
                                                                                          \
634
30.6k
          int bind = sym->info >> 4;                                                      \
635
30.6k
          (*symbol)->bind = bind;                                                         \
636
30.6k
          yr_set_integer(bind, elf_obj, "symtab[%i].bind", j);                            \
637
30.6k
                                                                                          \
638
30.6k
          int type = sym->info & 0xf;                                                     \
639
30.6k
          (*symbol)->type = type;                                                         \
640
30.6k
          yr_set_integer(type, elf_obj, "symtab[%i].type", j);                            \
641
30.6k
                                                                                          \
642
30.6k
          int shndx = yr_##bo##16toh(sym->shndx);                                         \
643
30.6k
          (*symbol)->shndx = shndx;                                                       \
644
30.6k
          yr_set_integer(shndx, elf_obj, "symtab[%i].shndx", j);                          \
645
30.6k
                                                                                          \
646
30.6k
          int value = yr_##bo##bits##toh(sym->value);                                     \
647
30.6k
          (*symbol)->value = value;                                                       \
648
30.6k
          yr_set_integer(                                                                 \
649
30.6k
              yr_##bo##bits##toh(sym->value), elf_obj, "symtab[%i].value", j);            \
650
30.6k
                                                                                          \
651
30.6k
          int size = yr_##bo##bits##toh(sym->size);                                       \
652
30.6k
          (*symbol)->size = size;                                                         \
653
30.6k
          yr_set_integer(                                                                 \
654
30.6k
              yr_##bo##bits##toh(sym->size), elf_obj, "symtab[%i].size", j);              \
655
30.6k
                                                                                          \
656
30.6k
          (*symbol)->visibility = sym->other & 0x3;                                       \
657
30.6k
                                                                                          \
658
30.6k
          symbol = &((*symbol)->next);                                                    \
659
30.6k
        }                                                                                 \
660
156
                                                                                          \
661
156
        elf_data->symtab->count = j;                                                      \
662
156
        yr_set_integer(j, elf_obj, "symtab_entries");                                     \
663
156
      }                                                                                   \
664
771
                                                                                          \
665
771
      if (is_valid_ptr(                                                                   \
666
771
              elf, elf_size, dyn_sym_str_table, dyn_sym_str_table_size) &&                \
667
771
          is_valid_ptr(elf, elf_size, dyn_sym_table, dyn_sym_table_size))                 \
668
771
      {                                                                                   \
669
165
        elf##bits##_sym_t* dynsym = (elf##bits##_sym_t*) dyn_sym_table;                   \
670
165
                                                                                          \
671
165
        elf_data->dynsym = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
672
165
            sizeof(ELF_SYMBOL_LIST));                                                     \
673
165
                                                                                          \
674
165
        if (elf_data->dynsym == NULL)                                                     \
675
165
          return ERROR_INSUFFICIENT_MEMORY;                                               \
676
165
                                                                                          \
677
165
        ELF_SYMBOL** symbol = &(elf_data->dynsym->symbols);                               \
678
165
        *symbol = NULL;                                                                   \
679
165
                                                                                          \
680
4.86k
        for (m = 0; m < dyn_sym_table_size / sizeof(elf##bits##_sym_t);                   \
681
4.69k
             m++, dynsym++)                                                               \
682
4.69k
        {                                                                                 \
683
4.69k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
684
4.69k
          if (*symbol == NULL)                                                            \
685
4.69k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
686
4.69k
                                                                                          \
687
4.69k
          (*symbol)->name = NULL;                                                         \
688
4.69k
          (*symbol)->next = NULL;                                                         \
689
4.69k
                                                                                          \
690
4.69k
          const char* dynsym_name = str_table_entry(                                      \
691
4.69k
              dyn_sym_str_table,                                                          \
692
4.69k
              dyn_sym_str_table + dyn_sym_str_table_size,                                 \
693
4.69k
              yr_##bo##32toh(dynsym->name));                                              \
694
4.69k
                                                                                          \
695
4.69k
          if (dynsym_name)                                                                \
696
4.69k
          {                                                                               \
697
639
            yr_set_string(dynsym_name, elf_obj, "dynsym[%i].name", m);                    \
698
639
            (*symbol)->name = (char*) yr_malloc(strlen(dynsym_name) + 1);                 \
699
639
            if ((*symbol)->name == NULL)                                                  \
700
639
              return ERROR_INSUFFICIENT_MEMORY;                                           \
701
639
                                                                                          \
702
639
            strcpy((*symbol)->name, dynsym_name);                                         \
703
639
          }                                                                               \
704
4.69k
                                                                                          \
705
4.69k
          int bind = dynsym->info >> 4;                                                   \
706
4.69k
          (*symbol)->bind = bind;                                                         \
707
4.69k
          yr_set_integer(dynsym->info >> 4, elf_obj, "dynsym[%i].bind", m);               \
708
4.69k
                                                                                          \
709
4.69k
          int type = dynsym->info & 0xf;                                                  \
710
4.69k
          (*symbol)->type = type;                                                         \
711
4.69k
          yr_set_integer(dynsym->info & 0xf, elf_obj, "dynsym[%i].type", m);              \
712
4.69k
                                                                                          \
713
4.69k
          int shndx = yr_##bo##16toh(dynsym->shndx);                                      \
714
4.69k
          (*symbol)->shndx = shndx;                                                       \
715
4.69k
          yr_set_integer(                                                                 \
716
4.69k
              yr_##bo##16toh(dynsym->shndx), elf_obj, "dynsym[%i].shndx", m);             \
717
4.69k
                                                                                          \
718
4.69k
          int value = yr_##bo##bits##toh(dynsym->value);                                  \
719
4.69k
          (*symbol)->value = value;                                                       \
720
4.69k
          yr_set_integer(                                                                 \
721
4.69k
              yr_##bo##bits##toh(dynsym->value),                                          \
722
4.69k
              elf_obj,                                                                    \
723
4.69k
              "dynsym[%i].value",                                                         \
724
4.69k
              m);                                                                         \
725
4.69k
                                                                                          \
726
4.69k
          int size = yr_##bo##bits##toh(dynsym->size);                                    \
727
4.69k
          (*symbol)->size = size;                                                         \
728
4.69k
          yr_set_integer(                                                                 \
729
4.69k
              yr_##bo##bits##toh(dynsym->size),                                           \
730
4.69k
              elf_obj,                                                                    \
731
4.69k
              "dynsym[%i].size",                                                          \
732
4.69k
              m);                                                                         \
733
4.69k
                                                                                          \
734
4.69k
          (*symbol)->visibility = dynsym->other & 0x3;                                    \
735
4.69k
                                                                                          \
736
4.69k
          symbol = &((*symbol)->next);                                                    \
737
4.69k
        }                                                                                 \
738
165
                                                                                          \
739
165
        elf_data->dynsym->count = m;                                                      \
740
165
        yr_set_integer(m, elf_obj, "dynsym_entries");                                     \
741
165
      }                                                                                   \
742
771
    }                                                                                     \
743
1.29k
                                                                                          \
744
1.29k
    if (yr_##bo##16toh(elf->ph_entry_count) > 0 &&                                        \
745
1.29k
        yr_##bo##16toh(elf->ph_entry_count) < ELF_PN_XNUM &&                              \
746
1.29k
        yr_##bo##bits##toh(elf->ph_offset) < elf_size &&                                  \
747
1.29k
        yr_##bo##bits##toh(elf->ph_offset) +                                              \
748
686
                yr_##bo##16toh(elf->ph_entry_count) *                                     \
749
686
                    sizeof(elf##bits##_program_header_t) <=                               \
750
686
            elf_size)                                                                     \
751
1.29k
    {                                                                                     \
752
399
      segment =                                                                           \
753
399
          (elf##bits##_program_header_t*) (elf_raw + yr_##bo##bits##toh(elf->ph_offset)); \
754
399
                                                                                          \
755
229k
      for (i = 0; i < yr_##bo##16toh(elf->ph_entry_count); i++, segment++)                \
756
228k
      {                                                                                   \
757
228k
        yr_set_integer(                                                                   \
758
228k
            yr_##bo##32toh(segment->type), elf_obj, "segments[%i].type", i);              \
759
228k
        yr_set_integer(                                                                   \
760
228k
            yr_##bo##32toh(segment->flags), elf_obj, "segments[%i].flags", i);            \
761
228k
        yr_set_integer(                                                                   \
762
228k
            yr_##bo##bits##toh(segment->offset),                                          \
763
228k
            elf_obj,                                                                      \
764
228k
            "segments[%i].offset",                                                        \
765
228k
            i);                                                                           \
766
228k
        yr_set_integer(                                                                   \
767
228k
            yr_##bo##bits##toh(segment->virt_addr),                                       \
768
228k
            elf_obj,                                                                      \
769
228k
            "segments[%i].virtual_address",                                               \
770
228k
            i);                                                                           \
771
228k
        yr_set_integer(                                                                   \
772
228k
            yr_##bo##bits##toh(segment->phys_addr),                                       \
773
228k
            elf_obj,                                                                      \
774
228k
            "segments[%i].physical_address",                                              \
775
228k
            i);                                                                           \
776
228k
        yr_set_integer(                                                                   \
777
228k
            yr_##bo##bits##toh(segment->file_size),                                       \
778
228k
            elf_obj,                                                                      \
779
228k
            "segments[%i].file_size",                                                     \
780
228k
            i);                                                                           \
781
228k
        yr_set_integer(                                                                   \
782
228k
            yr_##bo##bits##toh(segment->mem_size),                                        \
783
228k
            elf_obj,                                                                      \
784
228k
            "segments[%i].memory_size",                                                   \
785
228k
            i);                                                                           \
786
228k
        yr_set_integer(                                                                   \
787
228k
            yr_##bo##bits##toh(segment->alignment),                                       \
788
228k
            elf_obj,                                                                      \
789
228k
            "segments[%i].alignment",                                                     \
790
228k
            i);                                                                           \
791
228k
                                                                                          \
792
228k
        if (yr_##bo##32toh(segment->type) == ELF_PT_DYNAMIC)                              \
793
228k
        {                                                                                 \
794
2.72k
          j = 0;                                                                          \
795
2.72k
          if (yr_##bo##bits##toh(segment->offset) < elf_size)                             \
796
2.72k
          {                                                                               \
797
2.09k
            elf##bits##_dyn_t* dyn =                                                      \
798
2.09k
                (elf##bits##_dyn_t*) (elf_raw + yr_##bo##bits##toh(segment->offset));     \
799
2.09k
                                                                                          \
800
2.24M
            for (j = 0; IS_VALID_PTR(elf, elf_size, dyn); dyn++, j++)                     \
801
2.23M
            {                                                                             \
802
2.23M
              yr_set_integer(                                                             \
803
2.23M
                  yr_##bo##bits##toh(dyn->tag), elf_obj, "dynamic[%i].type", j);          \
804
2.23M
              yr_set_integer(                                                             \
805
2.23M
                  yr_##bo##bits##toh(dyn->val), elf_obj, "dynamic[%i].val", j);           \
806
2.23M
                                                                                          \
807
2.23M
              if (dyn->tag == ELF_DT_NULL)                                                \
808
2.23M
              {                                                                           \
809
1.30k
                j++;                                                                      \
810
1.30k
                break;                                                                    \
811
1.30k
              }                                                                           \
812
2.23M
            }                                                                             \
813
2.09k
          }                                                                               \
814
2.72k
          yr_set_integer(j, elf_obj, "dynamic_section_entries");                          \
815
2.72k
        }                                                                                 \
816
228k
      }                                                                                   \
817
399
    }                                                                                     \
818
1.29k
    return ERROR_SUCCESS;                                                                 \
819
1.29k
  }
parse_elf_header_64_le
Line
Count
Source
458
1.71k
  {                                                                                       \
459
1.71k
    unsigned int i, j, m;                                                                 \
460
1.71k
    const char* elf_raw = (const char*) elf;                                              \
461
1.71k
    uint16_t str_table_index = yr_##bo##16toh(elf->sh_str_table_index);                   \
462
1.71k
                                                                                          \
463
1.71k
    const char* sym_table = NULL;                                                         \
464
1.71k
    const char* sym_str_table = NULL;                                                     \
465
1.71k
    const char* dyn_sym_table = NULL;                                                     \
466
1.71k
    const char* dyn_sym_str_table = NULL;                                                 \
467
1.71k
                                                                                          \
468
1.71k
    uint##bits##_t sym_table_size = 0;                                                    \
469
1.71k
    uint##bits##_t sym_str_table_size = 0;                                                \
470
1.71k
    uint##bits##_t dyn_sym_table_size = 0;                                                \
471
1.71k
    uint##bits##_t dyn_sym_str_table_size = 0;                                            \
472
1.71k
                                                                                          \
473
1.71k
    elf_data->symtab = elf_data->dynsym = NULL;                                           \
474
1.71k
                                                                                          \
475
1.71k
    elf##bits##_section_header_t* section_table;                                          \
476
1.71k
    elf##bits##_section_header_t* section;                                                \
477
1.71k
    elf##bits##_program_header_t* segment;                                                \
478
1.71k
                                                                                          \
479
1.71k
    yr_set_integer(yr_##bo##16toh(elf->type), elf_obj, "type");                           \
480
1.71k
    yr_set_integer(yr_##bo##16toh(elf->machine), elf_obj, "machine");                     \
481
1.71k
    yr_set_integer(yr_##bo##bits##toh(elf->sh_offset), elf_obj, "sh_offset");             \
482
1.71k
    yr_set_integer(                                                                       \
483
1.71k
        yr_##bo##16toh(elf->sh_entry_size), elf_obj, "sh_entry_size");                    \
484
1.71k
    yr_set_integer(                                                                       \
485
1.71k
        yr_##bo##16toh(elf->sh_entry_count), elf_obj, "number_of_sections");              \
486
1.71k
    yr_set_integer(yr_##bo##bits##toh(elf->ph_offset), elf_obj, "ph_offset");             \
487
1.71k
    yr_set_integer(                                                                       \
488
1.71k
        yr_##bo##16toh(elf->ph_entry_size), elf_obj, "ph_entry_size");                    \
489
1.71k
    yr_set_integer(                                                                       \
490
1.71k
        yr_##bo##16toh(elf->ph_entry_count), elf_obj, "number_of_segments");              \
491
1.71k
                                                                                          \
492
1.71k
    if (yr_##bo##bits##toh(elf->entry) != 0)                                              \
493
1.71k
    {                                                                                     \
494
1.70k
      yr_set_integer(                                                                     \
495
1.70k
          flags& SCAN_FLAGS_PROCESS_MEMORY                                                \
496
1.70k
              ? base_address + yr_##bo##bits##toh(elf->entry)                             \
497
1.70k
              : elf_rva_to_offset_##bits##_##bo(                                          \
498
1.70k
                    elf, yr_##bo##bits##toh(elf->entry), elf_size),                       \
499
1.70k
          elf_obj,                                                                        \
500
1.70k
          "entry_point");                                                                 \
501
1.70k
    }                                                                                     \
502
1.71k
                                                                                          \
503
1.71k
    if (yr_##bo##16toh(elf->sh_entry_count) < ELF_SHN_LORESERVE &&                        \
504
1.71k
        str_table_index < yr_##bo##16toh(elf->sh_entry_count) &&                          \
505
1.71k
        yr_##bo##bits##toh(elf->sh_offset) < elf_size &&                                  \
506
1.71k
        yr_##bo##bits##toh(elf->sh_offset) +                                              \
507
951
                yr_##bo##16toh(elf->sh_entry_count) *                                     \
508
951
                    sizeof(elf##bits##_section_header_t) <=                               \
509
951
            elf_size)                                                                     \
510
1.71k
    {                                                                                     \
511
923
      const char* str_table = NULL;                                                       \
512
923
                                                                                          \
513
923
      section_table =                                                                     \
514
923
          (elf##bits##_section_header_t*) (elf_raw + yr_##bo##bits##toh(elf->sh_offset)); \
515
923
                                                                                          \
516
923
      if (yr_##bo##bits##toh(section_table[str_table_index].offset) <                     \
517
923
          elf_size)                                                                       \
518
923
      {                                                                                   \
519
407
        str_table = elf_raw +                                                             \
520
407
                    yr_##bo##bits##toh(section_table[str_table_index].offset);            \
521
407
      }                                                                                   \
522
923
                                                                                          \
523
923
      section = section_table;                                                            \
524
923
                                                                                          \
525
59.5k
      for (i = 0; i < yr_##bo##16toh(elf->sh_entry_count); i++, section++)                \
526
58.6k
      {                                                                                   \
527
58.6k
        yr_set_integer(                                                                   \
528
58.6k
            yr_##bo##32toh(section->type), elf_obj, "sections[%i].type", i);              \
529
58.6k
        yr_set_integer(                                                                   \
530
58.6k
            yr_##bo##bits##toh(section->flags),                                           \
531
58.6k
            elf_obj,                                                                      \
532
58.6k
            "sections[%i].flags",                                                         \
533
58.6k
            i);                                                                           \
534
58.6k
        yr_set_integer(                                                                   \
535
58.6k
            yr_##bo##bits##toh(section->addr),                                            \
536
58.6k
            elf_obj,                                                                      \
537
58.6k
            "sections[%i].address",                                                       \
538
58.6k
            i);                                                                           \
539
58.6k
        yr_set_integer(                                                                   \
540
58.6k
            yr_##bo##bits##toh(section->size),                                            \
541
58.6k
            elf_obj,                                                                      \
542
58.6k
            "sections[%i].size",                                                          \
543
58.6k
            i);                                                                           \
544
58.6k
        yr_set_integer(                                                                   \
545
58.6k
            yr_##bo##bits##toh(section->offset),                                          \
546
58.6k
            elf_obj,                                                                      \
547
58.6k
            "sections[%i].offset",                                                        \
548
58.6k
            i);                                                                           \
549
58.6k
                                                                                          \
550
58.6k
        if (yr_##bo##32toh(section->name) < elf_size && str_table > elf_raw)              \
551
58.6k
        {                                                                                 \
552
15.8k
          const char* section_name = str_table_entry(                                     \
553
15.8k
              str_table, elf_raw + elf_size, yr_##bo##32toh(section->name));              \
554
15.8k
                                                                                          \
555
15.8k
          if (section_name)                                                               \
556
15.8k
            yr_set_string(section_name, elf_obj, "sections[%i].name", i);                 \
557
15.8k
        }                                                                                 \
558
58.6k
                                                                                          \
559
58.6k
        if (yr_##bo##32toh(section->type) == ELF_SHT_SYMTAB &&                            \
560
58.6k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
561
58.6k
        {                                                                                 \
562
1.37k
          elf##bits##_section_header_t* string_section = section_table +                  \
563
1.37k
                                                         yr_##bo##32toh(                  \
564
1.37k
                                                             section->link);              \
565
1.37k
                                                                                          \
566
1.37k
          if (IS_VALID_PTR(elf, elf_size, string_section) &&                              \
567
1.37k
              yr_##bo##32toh(string_section->type) == ELF_SHT_STRTAB)                     \
568
1.37k
          {                                                                               \
569
982
            sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                    \
570
982
            sym_str_table = elf_raw +                                                     \
571
982
                            yr_##bo##bits##toh(string_section->offset);                   \
572
982
            sym_table_size = yr_##bo##bits##toh(section->size);                           \
573
982
            sym_str_table_size = yr_##bo##bits##toh(string_section->size);                \
574
982
          }                                                                               \
575
1.37k
        }                                                                                 \
576
58.6k
                                                                                          \
577
58.6k
        if (yr_##bo##32toh(section->type) == ELF_SHT_DYNSYM &&                            \
578
58.6k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
579
58.6k
        {                                                                                 \
580
812
          elf##bits##_section_header_t* dynstr_section = section_table +                  \
581
812
                                                         yr_##bo##32toh(                  \
582
812
                                                             section->link);              \
583
812
                                                                                          \
584
812
          if (IS_VALID_PTR(elf, elf_size, dynstr_section) &&                              \
585
812
              yr_##bo##32toh(dynstr_section->type) == ELF_SHT_STRTAB)                     \
586
812
          {                                                                               \
587
439
            dyn_sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                \
588
439
            dyn_sym_str_table = elf_raw +                                                 \
589
439
                                yr_##bo##bits##toh(dynstr_section->offset);               \
590
439
            dyn_sym_table_size = yr_##bo##bits##toh(section->size);                       \
591
439
            dyn_sym_str_table_size = yr_##bo##bits##toh(dynstr_section->size);            \
592
439
          }                                                                               \
593
812
        }                                                                                 \
594
58.6k
      }                                                                                   \
595
923
                                                                                          \
596
923
      if (is_valid_ptr(elf, elf_size, sym_str_table, sym_str_table_size) &&               \
597
923
          is_valid_ptr(elf, elf_size, sym_table, sym_table_size))                         \
598
923
      {                                                                                   \
599
113
        elf##bits##_sym_t* sym = (elf##bits##_sym_t*) sym_table;                          \
600
113
        elf_data->symtab = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
601
113
            sizeof(ELF_SYMBOL_LIST));                                                     \
602
113
                                                                                          \
603
113
        if (elf_data->symtab == NULL)                                                     \
604
113
          return ERROR_INSUFFICIENT_MEMORY;                                               \
605
113
                                                                                          \
606
113
        ELF_SYMBOL** symbol = &(elf_data->symtab->symbols);                               \
607
113
        *symbol = NULL;                                                                   \
608
113
                                                                                          \
609
14.7k
        for (j = 0; j < sym_table_size / sizeof(elf##bits##_sym_t);                       \
610
14.6k
             j++, sym++)                                                                  \
611
14.6k
        {                                                                                 \
612
14.6k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
613
14.6k
          if (*symbol == NULL)                                                            \
614
14.6k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
615
14.6k
                                                                                          \
616
14.6k
          (*symbol)->name = NULL;                                                         \
617
14.6k
          (*symbol)->next = NULL;                                                         \
618
14.6k
                                                                                          \
619
14.6k
          const char* sym_name = str_table_entry(                                         \
620
14.6k
              sym_str_table,                                                              \
621
14.6k
              sym_str_table + sym_str_table_size,                                         \
622
14.6k
              yr_##bo##32toh(sym->name));                                                 \
623
14.6k
                                                                                          \
624
14.6k
          if (sym_name)                                                                   \
625
14.6k
          {                                                                               \
626
4.08k
            yr_set_string(sym_name, elf_obj, "symtab[%i].name", j);                       \
627
4.08k
            (*symbol)->name = (char*) yr_malloc(strlen(sym_name) + 1);                    \
628
4.08k
            if ((*symbol)->name == NULL)                                                  \
629
4.08k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
630
4.08k
                                                                                          \
631
4.08k
            strcpy((*symbol)->name, sym_name);                                            \
632
4.08k
          }                                                                               \
633
14.6k
                                                                                          \
634
14.6k
          int bind = sym->info >> 4;                                                      \
635
14.6k
          (*symbol)->bind = bind;                                                         \
636
14.6k
          yr_set_integer(bind, elf_obj, "symtab[%i].bind", j);                            \
637
14.6k
                                                                                          \
638
14.6k
          int type = sym->info & 0xf;                                                     \
639
14.6k
          (*symbol)->type = type;                                                         \
640
14.6k
          yr_set_integer(type, elf_obj, "symtab[%i].type", j);                            \
641
14.6k
                                                                                          \
642
14.6k
          int shndx = yr_##bo##16toh(sym->shndx);                                         \
643
14.6k
          (*symbol)->shndx = shndx;                                                       \
644
14.6k
          yr_set_integer(shndx, elf_obj, "symtab[%i].shndx", j);                          \
645
14.6k
                                                                                          \
646
14.6k
          int value = yr_##bo##bits##toh(sym->value);                                     \
647
14.6k
          (*symbol)->value = value;                                                       \
648
14.6k
          yr_set_integer(                                                                 \
649
14.6k
              yr_##bo##bits##toh(sym->value), elf_obj, "symtab[%i].value", j);            \
650
14.6k
                                                                                          \
651
14.6k
          int size = yr_##bo##bits##toh(sym->size);                                       \
652
14.6k
          (*symbol)->size = size;                                                         \
653
14.6k
          yr_set_integer(                                                                 \
654
14.6k
              yr_##bo##bits##toh(sym->size), elf_obj, "symtab[%i].size", j);              \
655
14.6k
                                                                                          \
656
14.6k
          (*symbol)->visibility = sym->other & 0x3;                                       \
657
14.6k
                                                                                          \
658
14.6k
          symbol = &((*symbol)->next);                                                    \
659
14.6k
        }                                                                                 \
660
113
                                                                                          \
661
113
        elf_data->symtab->count = j;                                                      \
662
113
        yr_set_integer(j, elf_obj, "symtab_entries");                                     \
663
113
      }                                                                                   \
664
923
                                                                                          \
665
923
      if (is_valid_ptr(                                                                   \
666
923
              elf, elf_size, dyn_sym_str_table, dyn_sym_str_table_size) &&                \
667
923
          is_valid_ptr(elf, elf_size, dyn_sym_table, dyn_sym_table_size))                 \
668
923
      {                                                                                   \
669
122
        elf##bits##_sym_t* dynsym = (elf##bits##_sym_t*) dyn_sym_table;                   \
670
122
                                                                                          \
671
122
        elf_data->dynsym = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
672
122
            sizeof(ELF_SYMBOL_LIST));                                                     \
673
122
                                                                                          \
674
122
        if (elf_data->dynsym == NULL)                                                     \
675
122
          return ERROR_INSUFFICIENT_MEMORY;                                               \
676
122
                                                                                          \
677
122
        ELF_SYMBOL** symbol = &(elf_data->dynsym->symbols);                               \
678
122
        *symbol = NULL;                                                                   \
679
122
                                                                                          \
680
15.2k
        for (m = 0; m < dyn_sym_table_size / sizeof(elf##bits##_sym_t);                   \
681
15.1k
             m++, dynsym++)                                                               \
682
15.1k
        {                                                                                 \
683
15.1k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
684
15.1k
          if (*symbol == NULL)                                                            \
685
15.1k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
686
15.1k
                                                                                          \
687
15.1k
          (*symbol)->name = NULL;                                                         \
688
15.1k
          (*symbol)->next = NULL;                                                         \
689
15.1k
                                                                                          \
690
15.1k
          const char* dynsym_name = str_table_entry(                                      \
691
15.1k
              dyn_sym_str_table,                                                          \
692
15.1k
              dyn_sym_str_table + dyn_sym_str_table_size,                                 \
693
15.1k
              yr_##bo##32toh(dynsym->name));                                              \
694
15.1k
                                                                                          \
695
15.1k
          if (dynsym_name)                                                                \
696
15.1k
          {                                                                               \
697
3.68k
            yr_set_string(dynsym_name, elf_obj, "dynsym[%i].name", m);                    \
698
3.68k
            (*symbol)->name = (char*) yr_malloc(strlen(dynsym_name) + 1);                 \
699
3.68k
            if ((*symbol)->name == NULL)                                                  \
700
3.68k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
701
3.68k
                                                                                          \
702
3.68k
            strcpy((*symbol)->name, dynsym_name);                                         \
703
3.68k
          }                                                                               \
704
15.1k
                                                                                          \
705
15.1k
          int bind = dynsym->info >> 4;                                                   \
706
15.1k
          (*symbol)->bind = bind;                                                         \
707
15.1k
          yr_set_integer(dynsym->info >> 4, elf_obj, "dynsym[%i].bind", m);               \
708
15.1k
                                                                                          \
709
15.1k
          int type = dynsym->info & 0xf;                                                  \
710
15.1k
          (*symbol)->type = type;                                                         \
711
15.1k
          yr_set_integer(dynsym->info & 0xf, elf_obj, "dynsym[%i].type", m);              \
712
15.1k
                                                                                          \
713
15.1k
          int shndx = yr_##bo##16toh(dynsym->shndx);                                      \
714
15.1k
          (*symbol)->shndx = shndx;                                                       \
715
15.1k
          yr_set_integer(                                                                 \
716
15.1k
              yr_##bo##16toh(dynsym->shndx), elf_obj, "dynsym[%i].shndx", m);             \
717
15.1k
                                                                                          \
718
15.1k
          int value = yr_##bo##bits##toh(dynsym->value);                                  \
719
15.1k
          (*symbol)->value = value;                                                       \
720
15.1k
          yr_set_integer(                                                                 \
721
15.1k
              yr_##bo##bits##toh(dynsym->value),                                          \
722
15.1k
              elf_obj,                                                                    \
723
15.1k
              "dynsym[%i].value",                                                         \
724
15.1k
              m);                                                                         \
725
15.1k
                                                                                          \
726
15.1k
          int size = yr_##bo##bits##toh(dynsym->size);                                    \
727
15.1k
          (*symbol)->size = size;                                                         \
728
15.1k
          yr_set_integer(                                                                 \
729
15.1k
              yr_##bo##bits##toh(dynsym->size),                                           \
730
15.1k
              elf_obj,                                                                    \
731
15.1k
              "dynsym[%i].size",                                                          \
732
15.1k
              m);                                                                         \
733
15.1k
                                                                                          \
734
15.1k
          (*symbol)->visibility = dynsym->other & 0x3;                                    \
735
15.1k
                                                                                          \
736
15.1k
          symbol = &((*symbol)->next);                                                    \
737
15.1k
        }                                                                                 \
738
122
                                                                                          \
739
122
        elf_data->dynsym->count = m;                                                      \
740
122
        yr_set_integer(m, elf_obj, "dynsym_entries");                                     \
741
122
      }                                                                                   \
742
923
    }                                                                                     \
743
1.71k
                                                                                          \
744
1.71k
    if (yr_##bo##16toh(elf->ph_entry_count) > 0 &&                                        \
745
1.71k
        yr_##bo##16toh(elf->ph_entry_count) < ELF_PN_XNUM &&                              \
746
1.71k
        yr_##bo##bits##toh(elf->ph_offset) < elf_size &&                                  \
747
1.71k
        yr_##bo##bits##toh(elf->ph_offset) +                                              \
748
611
                yr_##bo##16toh(elf->ph_entry_count) *                                     \
749
611
                    sizeof(elf##bits##_program_header_t) <=                               \
750
611
            elf_size)                                                                     \
751
1.71k
    {                                                                                     \
752
374
      segment =                                                                           \
753
374
          (elf##bits##_program_header_t*) (elf_raw + yr_##bo##bits##toh(elf->ph_offset)); \
754
374
                                                                                          \
755
53.0k
      for (i = 0; i < yr_##bo##16toh(elf->ph_entry_count); i++, segment++)                \
756
52.6k
      {                                                                                   \
757
52.6k
        yr_set_integer(                                                                   \
758
52.6k
            yr_##bo##32toh(segment->type), elf_obj, "segments[%i].type", i);              \
759
52.6k
        yr_set_integer(                                                                   \
760
52.6k
            yr_##bo##32toh(segment->flags), elf_obj, "segments[%i].flags", i);            \
761
52.6k
        yr_set_integer(                                                                   \
762
52.6k
            yr_##bo##bits##toh(segment->offset),                                          \
763
52.6k
            elf_obj,                                                                      \
764
52.6k
            "segments[%i].offset",                                                        \
765
52.6k
            i);                                                                           \
766
52.6k
        yr_set_integer(                                                                   \
767
52.6k
            yr_##bo##bits##toh(segment->virt_addr),                                       \
768
52.6k
            elf_obj,                                                                      \
769
52.6k
            "segments[%i].virtual_address",                                               \
770
52.6k
            i);                                                                           \
771
52.6k
        yr_set_integer(                                                                   \
772
52.6k
            yr_##bo##bits##toh(segment->phys_addr),                                       \
773
52.6k
            elf_obj,                                                                      \
774
52.6k
            "segments[%i].physical_address",                                              \
775
52.6k
            i);                                                                           \
776
52.6k
        yr_set_integer(                                                                   \
777
52.6k
            yr_##bo##bits##toh(segment->file_size),                                       \
778
52.6k
            elf_obj,                                                                      \
779
52.6k
            "segments[%i].file_size",                                                     \
780
52.6k
            i);                                                                           \
781
52.6k
        yr_set_integer(                                                                   \
782
52.6k
            yr_##bo##bits##toh(segment->mem_size),                                        \
783
52.6k
            elf_obj,                                                                      \
784
52.6k
            "segments[%i].memory_size",                                                   \
785
52.6k
            i);                                                                           \
786
52.6k
        yr_set_integer(                                                                   \
787
52.6k
            yr_##bo##bits##toh(segment->alignment),                                       \
788
52.6k
            elf_obj,                                                                      \
789
52.6k
            "segments[%i].alignment",                                                     \
790
52.6k
            i);                                                                           \
791
52.6k
                                                                                          \
792
52.6k
        if (yr_##bo##32toh(segment->type) == ELF_PT_DYNAMIC)                              \
793
52.6k
        {                                                                                 \
794
2.03k
          j = 0;                                                                          \
795
2.03k
          if (yr_##bo##bits##toh(segment->offset) < elf_size)                             \
796
2.03k
          {                                                                               \
797
1.09k
            elf##bits##_dyn_t* dyn =                                                      \
798
1.09k
                (elf##bits##_dyn_t*) (elf_raw + yr_##bo##bits##toh(segment->offset));     \
799
1.09k
                                                                                          \
800
428k
            for (j = 0; IS_VALID_PTR(elf, elf_size, dyn); dyn++, j++)                     \
801
428k
            {                                                                             \
802
428k
              yr_set_integer(                                                             \
803
428k
                  yr_##bo##bits##toh(dyn->tag), elf_obj, "dynamic[%i].type", j);          \
804
428k
              yr_set_integer(                                                             \
805
428k
                  yr_##bo##bits##toh(dyn->val), elf_obj, "dynamic[%i].val", j);           \
806
428k
                                                                                          \
807
428k
              if (dyn->tag == ELF_DT_NULL)                                                \
808
428k
              {                                                                           \
809
858
                j++;                                                                      \
810
858
                break;                                                                    \
811
858
              }                                                                           \
812
428k
            }                                                                             \
813
1.09k
          }                                                                               \
814
2.03k
          yr_set_integer(j, elf_obj, "dynamic_section_entries");                          \
815
2.03k
        }                                                                                 \
816
52.6k
      }                                                                                   \
817
374
    }                                                                                     \
818
1.71k
    return ERROR_SUCCESS;                                                                 \
819
1.71k
  }
parse_elf_header_32_be
Line
Count
Source
458
1.33k
  {                                                                                       \
459
1.33k
    unsigned int i, j, m;                                                                 \
460
1.33k
    const char* elf_raw = (const char*) elf;                                              \
461
1.33k
    uint16_t str_table_index = yr_##bo##16toh(elf->sh_str_table_index);                   \
462
1.33k
                                                                                          \
463
1.33k
    const char* sym_table = NULL;                                                         \
464
1.33k
    const char* sym_str_table = NULL;                                                     \
465
1.33k
    const char* dyn_sym_table = NULL;                                                     \
466
1.33k
    const char* dyn_sym_str_table = NULL;                                                 \
467
1.33k
                                                                                          \
468
1.33k
    uint##bits##_t sym_table_size = 0;                                                    \
469
1.33k
    uint##bits##_t sym_str_table_size = 0;                                                \
470
1.33k
    uint##bits##_t dyn_sym_table_size = 0;                                                \
471
1.33k
    uint##bits##_t dyn_sym_str_table_size = 0;                                            \
472
1.33k
                                                                                          \
473
1.33k
    elf_data->symtab = elf_data->dynsym = NULL;                                           \
474
1.33k
                                                                                          \
475
1.33k
    elf##bits##_section_header_t* section_table;                                          \
476
1.33k
    elf##bits##_section_header_t* section;                                                \
477
1.33k
    elf##bits##_program_header_t* segment;                                                \
478
1.33k
                                                                                          \
479
1.33k
    yr_set_integer(yr_##bo##16toh(elf->type), elf_obj, "type");                           \
480
1.33k
    yr_set_integer(yr_##bo##16toh(elf->machine), elf_obj, "machine");                     \
481
1.33k
    yr_set_integer(yr_##bo##bits##toh(elf->sh_offset), elf_obj, "sh_offset");             \
482
1.33k
    yr_set_integer(                                                                       \
483
1.33k
        yr_##bo##16toh(elf->sh_entry_size), elf_obj, "sh_entry_size");                    \
484
1.33k
    yr_set_integer(                                                                       \
485
1.33k
        yr_##bo##16toh(elf->sh_entry_count), elf_obj, "number_of_sections");              \
486
1.33k
    yr_set_integer(yr_##bo##bits##toh(elf->ph_offset), elf_obj, "ph_offset");             \
487
1.33k
    yr_set_integer(                                                                       \
488
1.33k
        yr_##bo##16toh(elf->ph_entry_size), elf_obj, "ph_entry_size");                    \
489
1.33k
    yr_set_integer(                                                                       \
490
1.33k
        yr_##bo##16toh(elf->ph_entry_count), elf_obj, "number_of_segments");              \
491
1.33k
                                                                                          \
492
1.33k
    if (yr_##bo##bits##toh(elf->entry) != 0)                                              \
493
1.33k
    {                                                                                     \
494
1.26k
      yr_set_integer(                                                                     \
495
1.26k
          flags& SCAN_FLAGS_PROCESS_MEMORY                                                \
496
1.26k
              ? base_address + yr_##bo##bits##toh(elf->entry)                             \
497
1.26k
              : elf_rva_to_offset_##bits##_##bo(                                          \
498
1.26k
                    elf, yr_##bo##bits##toh(elf->entry), elf_size),                       \
499
1.26k
          elf_obj,                                                                        \
500
1.26k
          "entry_point");                                                                 \
501
1.26k
    }                                                                                     \
502
1.33k
                                                                                          \
503
1.33k
    if (yr_##bo##16toh(elf->sh_entry_count) < ELF_SHN_LORESERVE &&                        \
504
1.33k
        str_table_index < yr_##bo##16toh(elf->sh_entry_count) &&                          \
505
1.33k
        yr_##bo##bits##toh(elf->sh_offset) < elf_size &&                                  \
506
1.33k
        yr_##bo##bits##toh(elf->sh_offset) +                                              \
507
876
                yr_##bo##16toh(elf->sh_entry_count) *                                     \
508
876
                    sizeof(elf##bits##_section_header_t) <=                               \
509
876
            elf_size)                                                                     \
510
1.33k
    {                                                                                     \
511
824
      const char* str_table = NULL;                                                       \
512
824
                                                                                          \
513
824
      section_table =                                                                     \
514
824
          (elf##bits##_section_header_t*) (elf_raw + yr_##bo##bits##toh(elf->sh_offset)); \
515
824
                                                                                          \
516
824
      if (yr_##bo##bits##toh(section_table[str_table_index].offset) <                     \
517
824
          elf_size)                                                                       \
518
824
      {                                                                                   \
519
427
        str_table = elf_raw +                                                             \
520
427
                    yr_##bo##bits##toh(section_table[str_table_index].offset);            \
521
427
      }                                                                                   \
522
824
                                                                                          \
523
824
      section = section_table;                                                            \
524
824
                                                                                          \
525
215k
      for (i = 0; i < yr_##bo##16toh(elf->sh_entry_count); i++, section++)                \
526
215k
      {                                                                                   \
527
215k
        yr_set_integer(                                                                   \
528
215k
            yr_##bo##32toh(section->type), elf_obj, "sections[%i].type", i);              \
529
215k
        yr_set_integer(                                                                   \
530
215k
            yr_##bo##bits##toh(section->flags),                                           \
531
215k
            elf_obj,                                                                      \
532
215k
            "sections[%i].flags",                                                         \
533
215k
            i);                                                                           \
534
215k
        yr_set_integer(                                                                   \
535
215k
            yr_##bo##bits##toh(section->addr),                                            \
536
215k
            elf_obj,                                                                      \
537
215k
            "sections[%i].address",                                                       \
538
215k
            i);                                                                           \
539
215k
        yr_set_integer(                                                                   \
540
215k
            yr_##bo##bits##toh(section->size),                                            \
541
215k
            elf_obj,                                                                      \
542
215k
            "sections[%i].size",                                                          \
543
215k
            i);                                                                           \
544
215k
        yr_set_integer(                                                                   \
545
215k
            yr_##bo##bits##toh(section->offset),                                          \
546
215k
            elf_obj,                                                                      \
547
215k
            "sections[%i].offset",                                                        \
548
215k
            i);                                                                           \
549
215k
                                                                                          \
550
215k
        if (yr_##bo##32toh(section->name) < elf_size && str_table > elf_raw)              \
551
215k
        {                                                                                 \
552
62.0k
          const char* section_name = str_table_entry(                                     \
553
62.0k
              str_table, elf_raw + elf_size, yr_##bo##32toh(section->name));              \
554
62.0k
                                                                                          \
555
62.0k
          if (section_name)                                                               \
556
62.0k
            yr_set_string(section_name, elf_obj, "sections[%i].name", i);                 \
557
62.0k
        }                                                                                 \
558
215k
                                                                                          \
559
215k
        if (yr_##bo##32toh(section->type) == ELF_SHT_SYMTAB &&                            \
560
215k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
561
215k
        {                                                                                 \
562
3.43k
          elf##bits##_section_header_t* string_section = section_table +                  \
563
3.43k
                                                         yr_##bo##32toh(                  \
564
3.43k
                                                             section->link);              \
565
3.43k
                                                                                          \
566
3.43k
          if (IS_VALID_PTR(elf, elf_size, string_section) &&                              \
567
3.43k
              yr_##bo##32toh(string_section->type) == ELF_SHT_STRTAB)                     \
568
3.43k
          {                                                                               \
569
1.58k
            sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                    \
570
1.58k
            sym_str_table = elf_raw +                                                     \
571
1.58k
                            yr_##bo##bits##toh(string_section->offset);                   \
572
1.58k
            sym_table_size = yr_##bo##bits##toh(section->size);                           \
573
1.58k
            sym_str_table_size = yr_##bo##bits##toh(string_section->size);                \
574
1.58k
          }                                                                               \
575
3.43k
        }                                                                                 \
576
215k
                                                                                          \
577
215k
        if (yr_##bo##32toh(section->type) == ELF_SHT_DYNSYM &&                            \
578
215k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
579
215k
        {                                                                                 \
580
1.63k
          elf##bits##_section_header_t* dynstr_section = section_table +                  \
581
1.63k
                                                         yr_##bo##32toh(                  \
582
1.63k
                                                             section->link);              \
583
1.63k
                                                                                          \
584
1.63k
          if (IS_VALID_PTR(elf, elf_size, dynstr_section) &&                              \
585
1.63k
              yr_##bo##32toh(dynstr_section->type) == ELF_SHT_STRTAB)                     \
586
1.63k
          {                                                                               \
587
450
            dyn_sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                \
588
450
            dyn_sym_str_table = elf_raw +                                                 \
589
450
                                yr_##bo##bits##toh(dynstr_section->offset);               \
590
450
            dyn_sym_table_size = yr_##bo##bits##toh(section->size);                       \
591
450
            dyn_sym_str_table_size = yr_##bo##bits##toh(dynstr_section->size);            \
592
450
          }                                                                               \
593
1.63k
        }                                                                                 \
594
215k
      }                                                                                   \
595
824
                                                                                          \
596
824
      if (is_valid_ptr(elf, elf_size, sym_str_table, sym_str_table_size) &&               \
597
824
          is_valid_ptr(elf, elf_size, sym_table, sym_table_size))                         \
598
824
      {                                                                                   \
599
112
        elf##bits##_sym_t* sym = (elf##bits##_sym_t*) sym_table;                          \
600
112
        elf_data->symtab = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
601
112
            sizeof(ELF_SYMBOL_LIST));                                                     \
602
112
                                                                                          \
603
112
        if (elf_data->symtab == NULL)                                                     \
604
112
          return ERROR_INSUFFICIENT_MEMORY;                                               \
605
112
                                                                                          \
606
112
        ELF_SYMBOL** symbol = &(elf_data->symtab->symbols);                               \
607
112
        *symbol = NULL;                                                                   \
608
112
                                                                                          \
609
10.4k
        for (j = 0; j < sym_table_size / sizeof(elf##bits##_sym_t);                       \
610
10.3k
             j++, sym++)                                                                  \
611
10.3k
        {                                                                                 \
612
10.3k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
613
10.3k
          if (*symbol == NULL)                                                            \
614
10.3k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
615
10.3k
                                                                                          \
616
10.3k
          (*symbol)->name = NULL;                                                         \
617
10.3k
          (*symbol)->next = NULL;                                                         \
618
10.3k
                                                                                          \
619
10.3k
          const char* sym_name = str_table_entry(                                         \
620
10.3k
              sym_str_table,                                                              \
621
10.3k
              sym_str_table + sym_str_table_size,                                         \
622
10.3k
              yr_##bo##32toh(sym->name));                                                 \
623
10.3k
                                                                                          \
624
10.3k
          if (sym_name)                                                                   \
625
10.3k
          {                                                                               \
626
4.18k
            yr_set_string(sym_name, elf_obj, "symtab[%i].name", j);                       \
627
4.18k
            (*symbol)->name = (char*) yr_malloc(strlen(sym_name) + 1);                    \
628
4.18k
            if ((*symbol)->name == NULL)                                                  \
629
4.18k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
630
4.18k
                                                                                          \
631
4.18k
            strcpy((*symbol)->name, sym_name);                                            \
632
4.18k
          }                                                                               \
633
10.3k
                                                                                          \
634
10.3k
          int bind = sym->info >> 4;                                                      \
635
10.3k
          (*symbol)->bind = bind;                                                         \
636
10.3k
          yr_set_integer(bind, elf_obj, "symtab[%i].bind", j);                            \
637
10.3k
                                                                                          \
638
10.3k
          int type = sym->info & 0xf;                                                     \
639
10.3k
          (*symbol)->type = type;                                                         \
640
10.3k
          yr_set_integer(type, elf_obj, "symtab[%i].type", j);                            \
641
10.3k
                                                                                          \
642
10.3k
          int shndx = yr_##bo##16toh(sym->shndx);                                         \
643
10.3k
          (*symbol)->shndx = shndx;                                                       \
644
10.3k
          yr_set_integer(shndx, elf_obj, "symtab[%i].shndx", j);                          \
645
10.3k
                                                                                          \
646
10.3k
          int value = yr_##bo##bits##toh(sym->value);                                     \
647
10.3k
          (*symbol)->value = value;                                                       \
648
10.3k
          yr_set_integer(                                                                 \
649
10.3k
              yr_##bo##bits##toh(sym->value), elf_obj, "symtab[%i].value", j);            \
650
10.3k
                                                                                          \
651
10.3k
          int size = yr_##bo##bits##toh(sym->size);                                       \
652
10.3k
          (*symbol)->size = size;                                                         \
653
10.3k
          yr_set_integer(                                                                 \
654
10.3k
              yr_##bo##bits##toh(sym->size), elf_obj, "symtab[%i].size", j);              \
655
10.3k
                                                                                          \
656
10.3k
          (*symbol)->visibility = sym->other & 0x3;                                       \
657
10.3k
                                                                                          \
658
10.3k
          symbol = &((*symbol)->next);                                                    \
659
10.3k
        }                                                                                 \
660
112
                                                                                          \
661
112
        elf_data->symtab->count = j;                                                      \
662
112
        yr_set_integer(j, elf_obj, "symtab_entries");                                     \
663
112
      }                                                                                   \
664
824
                                                                                          \
665
824
      if (is_valid_ptr(                                                                   \
666
824
              elf, elf_size, dyn_sym_str_table, dyn_sym_str_table_size) &&                \
667
824
          is_valid_ptr(elf, elf_size, dyn_sym_table, dyn_sym_table_size))                 \
668
824
      {                                                                                   \
669
125
        elf##bits##_sym_t* dynsym = (elf##bits##_sym_t*) dyn_sym_table;                   \
670
125
                                                                                          \
671
125
        elf_data->dynsym = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
672
125
            sizeof(ELF_SYMBOL_LIST));                                                     \
673
125
                                                                                          \
674
125
        if (elf_data->dynsym == NULL)                                                     \
675
125
          return ERROR_INSUFFICIENT_MEMORY;                                               \
676
125
                                                                                          \
677
125
        ELF_SYMBOL** symbol = &(elf_data->dynsym->symbols);                               \
678
125
        *symbol = NULL;                                                                   \
679
125
                                                                                          \
680
26.5k
        for (m = 0; m < dyn_sym_table_size / sizeof(elf##bits##_sym_t);                   \
681
26.4k
             m++, dynsym++)                                                               \
682
26.4k
        {                                                                                 \
683
26.4k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
684
26.4k
          if (*symbol == NULL)                                                            \
685
26.4k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
686
26.4k
                                                                                          \
687
26.4k
          (*symbol)->name = NULL;                                                         \
688
26.4k
          (*symbol)->next = NULL;                                                         \
689
26.4k
                                                                                          \
690
26.4k
          const char* dynsym_name = str_table_entry(                                      \
691
26.4k
              dyn_sym_str_table,                                                          \
692
26.4k
              dyn_sym_str_table + dyn_sym_str_table_size,                                 \
693
26.4k
              yr_##bo##32toh(dynsym->name));                                              \
694
26.4k
                                                                                          \
695
26.4k
          if (dynsym_name)                                                                \
696
26.4k
          {                                                                               \
697
10.9k
            yr_set_string(dynsym_name, elf_obj, "dynsym[%i].name", m);                    \
698
10.9k
            (*symbol)->name = (char*) yr_malloc(strlen(dynsym_name) + 1);                 \
699
10.9k
            if ((*symbol)->name == NULL)                                                  \
700
10.9k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
701
10.9k
                                                                                          \
702
10.9k
            strcpy((*symbol)->name, dynsym_name);                                         \
703
10.9k
          }                                                                               \
704
26.4k
                                                                                          \
705
26.4k
          int bind = dynsym->info >> 4;                                                   \
706
26.4k
          (*symbol)->bind = bind;                                                         \
707
26.4k
          yr_set_integer(dynsym->info >> 4, elf_obj, "dynsym[%i].bind", m);               \
708
26.4k
                                                                                          \
709
26.4k
          int type = dynsym->info & 0xf;                                                  \
710
26.4k
          (*symbol)->type = type;                                                         \
711
26.4k
          yr_set_integer(dynsym->info & 0xf, elf_obj, "dynsym[%i].type", m);              \
712
26.4k
                                                                                          \
713
26.4k
          int shndx = yr_##bo##16toh(dynsym->shndx);                                      \
714
26.4k
          (*symbol)->shndx = shndx;                                                       \
715
26.4k
          yr_set_integer(                                                                 \
716
26.4k
              yr_##bo##16toh(dynsym->shndx), elf_obj, "dynsym[%i].shndx", m);             \
717
26.4k
                                                                                          \
718
26.4k
          int value = yr_##bo##bits##toh(dynsym->value);                                  \
719
26.4k
          (*symbol)->value = value;                                                       \
720
26.4k
          yr_set_integer(                                                                 \
721
26.4k
              yr_##bo##bits##toh(dynsym->value),                                          \
722
26.4k
              elf_obj,                                                                    \
723
26.4k
              "dynsym[%i].value",                                                         \
724
26.4k
              m);                                                                         \
725
26.4k
                                                                                          \
726
26.4k
          int size = yr_##bo##bits##toh(dynsym->size);                                    \
727
26.4k
          (*symbol)->size = size;                                                         \
728
26.4k
          yr_set_integer(                                                                 \
729
26.4k
              yr_##bo##bits##toh(dynsym->size),                                           \
730
26.4k
              elf_obj,                                                                    \
731
26.4k
              "dynsym[%i].size",                                                          \
732
26.4k
              m);                                                                         \
733
26.4k
                                                                                          \
734
26.4k
          (*symbol)->visibility = dynsym->other & 0x3;                                    \
735
26.4k
                                                                                          \
736
26.4k
          symbol = &((*symbol)->next);                                                    \
737
26.4k
        }                                                                                 \
738
125
                                                                                          \
739
125
        elf_data->dynsym->count = m;                                                      \
740
125
        yr_set_integer(m, elf_obj, "dynsym_entries");                                     \
741
125
      }                                                                                   \
742
824
    }                                                                                     \
743
1.33k
                                                                                          \
744
1.33k
    if (yr_##bo##16toh(elf->ph_entry_count) > 0 &&                                        \
745
1.33k
        yr_##bo##16toh(elf->ph_entry_count) < ELF_PN_XNUM &&                              \
746
1.33k
        yr_##bo##bits##toh(elf->ph_offset) < elf_size &&                                  \
747
1.33k
        yr_##bo##bits##toh(elf->ph_offset) +                                              \
748
363
                yr_##bo##16toh(elf->ph_entry_count) *                                     \
749
363
                    sizeof(elf##bits##_program_header_t) <=                               \
750
363
            elf_size)                                                                     \
751
1.33k
    {                                                                                     \
752
278
      segment =                                                                           \
753
278
          (elf##bits##_program_header_t*) (elf_raw + yr_##bo##bits##toh(elf->ph_offset)); \
754
278
                                                                                          \
755
38.9k
      for (i = 0; i < yr_##bo##16toh(elf->ph_entry_count); i++, segment++)                \
756
38.7k
      {                                                                                   \
757
38.7k
        yr_set_integer(                                                                   \
758
38.7k
            yr_##bo##32toh(segment->type), elf_obj, "segments[%i].type", i);              \
759
38.7k
        yr_set_integer(                                                                   \
760
38.7k
            yr_##bo##32toh(segment->flags), elf_obj, "segments[%i].flags", i);            \
761
38.7k
        yr_set_integer(                                                                   \
762
38.7k
            yr_##bo##bits##toh(segment->offset),                                          \
763
38.7k
            elf_obj,                                                                      \
764
38.7k
            "segments[%i].offset",                                                        \
765
38.7k
            i);                                                                           \
766
38.7k
        yr_set_integer(                                                                   \
767
38.7k
            yr_##bo##bits##toh(segment->virt_addr),                                       \
768
38.7k
            elf_obj,                                                                      \
769
38.7k
            "segments[%i].virtual_address",                                               \
770
38.7k
            i);                                                                           \
771
38.7k
        yr_set_integer(                                                                   \
772
38.7k
            yr_##bo##bits##toh(segment->phys_addr),                                       \
773
38.7k
            elf_obj,                                                                      \
774
38.7k
            "segments[%i].physical_address",                                              \
775
38.7k
            i);                                                                           \
776
38.7k
        yr_set_integer(                                                                   \
777
38.7k
            yr_##bo##bits##toh(segment->file_size),                                       \
778
38.7k
            elf_obj,                                                                      \
779
38.7k
            "segments[%i].file_size",                                                     \
780
38.7k
            i);                                                                           \
781
38.7k
        yr_set_integer(                                                                   \
782
38.7k
            yr_##bo##bits##toh(segment->mem_size),                                        \
783
38.7k
            elf_obj,                                                                      \
784
38.7k
            "segments[%i].memory_size",                                                   \
785
38.7k
            i);                                                                           \
786
38.7k
        yr_set_integer(                                                                   \
787
38.7k
            yr_##bo##bits##toh(segment->alignment),                                       \
788
38.7k
            elf_obj,                                                                      \
789
38.7k
            "segments[%i].alignment",                                                     \
790
38.7k
            i);                                                                           \
791
38.7k
                                                                                          \
792
38.7k
        if (yr_##bo##32toh(segment->type) == ELF_PT_DYNAMIC)                              \
793
38.7k
        {                                                                                 \
794
2.09k
          j = 0;                                                                          \
795
2.09k
          if (yr_##bo##bits##toh(segment->offset) < elf_size)                             \
796
2.09k
          {                                                                               \
797
1.43k
            elf##bits##_dyn_t* dyn =                                                      \
798
1.43k
                (elf##bits##_dyn_t*) (elf_raw + yr_##bo##bits##toh(segment->offset));     \
799
1.43k
                                                                                          \
800
677k
            for (j = 0; IS_VALID_PTR(elf, elf_size, dyn); dyn++, j++)                     \
801
676k
            {                                                                             \
802
676k
              yr_set_integer(                                                             \
803
676k
                  yr_##bo##bits##toh(dyn->tag), elf_obj, "dynamic[%i].type", j);          \
804
676k
              yr_set_integer(                                                             \
805
676k
                  yr_##bo##bits##toh(dyn->val), elf_obj, "dynamic[%i].val", j);           \
806
676k
                                                                                          \
807
676k
              if (dyn->tag == ELF_DT_NULL)                                                \
808
676k
              {                                                                           \
809
890
                j++;                                                                      \
810
890
                break;                                                                    \
811
890
              }                                                                           \
812
676k
            }                                                                             \
813
1.43k
          }                                                                               \
814
2.09k
          yr_set_integer(j, elf_obj, "dynamic_section_entries");                          \
815
2.09k
        }                                                                                 \
816
38.7k
      }                                                                                   \
817
278
    }                                                                                     \
818
1.33k
    return ERROR_SUCCESS;                                                                 \
819
1.33k
  }
parse_elf_header_64_be
Line
Count
Source
458
1.93k
  {                                                                                       \
459
1.93k
    unsigned int i, j, m;                                                                 \
460
1.93k
    const char* elf_raw = (const char*) elf;                                              \
461
1.93k
    uint16_t str_table_index = yr_##bo##16toh(elf->sh_str_table_index);                   \
462
1.93k
                                                                                          \
463
1.93k
    const char* sym_table = NULL;                                                         \
464
1.93k
    const char* sym_str_table = NULL;                                                     \
465
1.93k
    const char* dyn_sym_table = NULL;                                                     \
466
1.93k
    const char* dyn_sym_str_table = NULL;                                                 \
467
1.93k
                                                                                          \
468
1.93k
    uint##bits##_t sym_table_size = 0;                                                    \
469
1.93k
    uint##bits##_t sym_str_table_size = 0;                                                \
470
1.93k
    uint##bits##_t dyn_sym_table_size = 0;                                                \
471
1.93k
    uint##bits##_t dyn_sym_str_table_size = 0;                                            \
472
1.93k
                                                                                          \
473
1.93k
    elf_data->symtab = elf_data->dynsym = NULL;                                           \
474
1.93k
                                                                                          \
475
1.93k
    elf##bits##_section_header_t* section_table;                                          \
476
1.93k
    elf##bits##_section_header_t* section;                                                \
477
1.93k
    elf##bits##_program_header_t* segment;                                                \
478
1.93k
                                                                                          \
479
1.93k
    yr_set_integer(yr_##bo##16toh(elf->type), elf_obj, "type");                           \
480
1.93k
    yr_set_integer(yr_##bo##16toh(elf->machine), elf_obj, "machine");                     \
481
1.93k
    yr_set_integer(yr_##bo##bits##toh(elf->sh_offset), elf_obj, "sh_offset");             \
482
1.93k
    yr_set_integer(                                                                       \
483
1.93k
        yr_##bo##16toh(elf->sh_entry_size), elf_obj, "sh_entry_size");                    \
484
1.93k
    yr_set_integer(                                                                       \
485
1.93k
        yr_##bo##16toh(elf->sh_entry_count), elf_obj, "number_of_sections");              \
486
1.93k
    yr_set_integer(yr_##bo##bits##toh(elf->ph_offset), elf_obj, "ph_offset");             \
487
1.93k
    yr_set_integer(                                                                       \
488
1.93k
        yr_##bo##16toh(elf->ph_entry_size), elf_obj, "ph_entry_size");                    \
489
1.93k
    yr_set_integer(                                                                       \
490
1.93k
        yr_##bo##16toh(elf->ph_entry_count), elf_obj, "number_of_segments");              \
491
1.93k
                                                                                          \
492
1.93k
    if (yr_##bo##bits##toh(elf->entry) != 0)                                              \
493
1.93k
    {                                                                                     \
494
1.89k
      yr_set_integer(                                                                     \
495
1.89k
          flags& SCAN_FLAGS_PROCESS_MEMORY                                                \
496
1.89k
              ? base_address + yr_##bo##bits##toh(elf->entry)                             \
497
1.89k
              : elf_rva_to_offset_##bits##_##bo(                                          \
498
1.89k
                    elf, yr_##bo##bits##toh(elf->entry), elf_size),                       \
499
1.89k
          elf_obj,                                                                        \
500
1.89k
          "entry_point");                                                                 \
501
1.89k
    }                                                                                     \
502
1.93k
                                                                                          \
503
1.93k
    if (yr_##bo##16toh(elf->sh_entry_count) < ELF_SHN_LORESERVE &&                        \
504
1.93k
        str_table_index < yr_##bo##16toh(elf->sh_entry_count) &&                          \
505
1.93k
        yr_##bo##bits##toh(elf->sh_offset) < elf_size &&                                  \
506
1.93k
        yr_##bo##bits##toh(elf->sh_offset) +                                              \
507
1.16k
                yr_##bo##16toh(elf->sh_entry_count) *                                     \
508
1.16k
                    sizeof(elf##bits##_section_header_t) <=                               \
509
1.16k
            elf_size)                                                                     \
510
1.93k
    {                                                                                     \
511
1.12k
      const char* str_table = NULL;                                                       \
512
1.12k
                                                                                          \
513
1.12k
      section_table =                                                                     \
514
1.12k
          (elf##bits##_section_header_t*) (elf_raw + yr_##bo##bits##toh(elf->sh_offset)); \
515
1.12k
                                                                                          \
516
1.12k
      if (yr_##bo##bits##toh(section_table[str_table_index].offset) <                     \
517
1.12k
          elf_size)                                                                       \
518
1.12k
      {                                                                                   \
519
428
        str_table = elf_raw +                                                             \
520
428
                    yr_##bo##bits##toh(section_table[str_table_index].offset);            \
521
428
      }                                                                                   \
522
1.12k
                                                                                          \
523
1.12k
      section = section_table;                                                            \
524
1.12k
                                                                                          \
525
114k
      for (i = 0; i < yr_##bo##16toh(elf->sh_entry_count); i++, section++)                \
526
113k
      {                                                                                   \
527
113k
        yr_set_integer(                                                                   \
528
113k
            yr_##bo##32toh(section->type), elf_obj, "sections[%i].type", i);              \
529
113k
        yr_set_integer(                                                                   \
530
113k
            yr_##bo##bits##toh(section->flags),                                           \
531
113k
            elf_obj,                                                                      \
532
113k
            "sections[%i].flags",                                                         \
533
113k
            i);                                                                           \
534
113k
        yr_set_integer(                                                                   \
535
113k
            yr_##bo##bits##toh(section->addr),                                            \
536
113k
            elf_obj,                                                                      \
537
113k
            "sections[%i].address",                                                       \
538
113k
            i);                                                                           \
539
113k
        yr_set_integer(                                                                   \
540
113k
            yr_##bo##bits##toh(section->size),                                            \
541
113k
            elf_obj,                                                                      \
542
113k
            "sections[%i].size",                                                          \
543
113k
            i);                                                                           \
544
113k
        yr_set_integer(                                                                   \
545
113k
            yr_##bo##bits##toh(section->offset),                                          \
546
113k
            elf_obj,                                                                      \
547
113k
            "sections[%i].offset",                                                        \
548
113k
            i);                                                                           \
549
113k
                                                                                          \
550
113k
        if (yr_##bo##32toh(section->name) < elf_size && str_table > elf_raw)              \
551
113k
        {                                                                                 \
552
23.4k
          const char* section_name = str_table_entry(                                     \
553
23.4k
              str_table, elf_raw + elf_size, yr_##bo##32toh(section->name));              \
554
23.4k
                                                                                          \
555
23.4k
          if (section_name)                                                               \
556
23.4k
            yr_set_string(section_name, elf_obj, "sections[%i].name", i);                 \
557
23.4k
        }                                                                                 \
558
113k
                                                                                          \
559
113k
        if (yr_##bo##32toh(section->type) == ELF_SHT_SYMTAB &&                            \
560
113k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
561
113k
        {                                                                                 \
562
3.24k
          elf##bits##_section_header_t* string_section = section_table +                  \
563
3.24k
                                                         yr_##bo##32toh(                  \
564
3.24k
                                                             section->link);              \
565
3.24k
                                                                                          \
566
3.24k
          if (IS_VALID_PTR(elf, elf_size, string_section) &&                              \
567
3.24k
              yr_##bo##32toh(string_section->type) == ELF_SHT_STRTAB)                     \
568
3.24k
          {                                                                               \
569
2.29k
            sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                    \
570
2.29k
            sym_str_table = elf_raw +                                                     \
571
2.29k
                            yr_##bo##bits##toh(string_section->offset);                   \
572
2.29k
            sym_table_size = yr_##bo##bits##toh(section->size);                           \
573
2.29k
            sym_str_table_size = yr_##bo##bits##toh(string_section->size);                \
574
2.29k
          }                                                                               \
575
3.24k
        }                                                                                 \
576
113k
                                                                                          \
577
113k
        if (yr_##bo##32toh(section->type) == ELF_SHT_DYNSYM &&                            \
578
113k
            yr_##bo##32toh(section->link) < elf->sh_entry_count)                          \
579
113k
        {                                                                                 \
580
1.17k
          elf##bits##_section_header_t* dynstr_section = section_table +                  \
581
1.17k
                                                         yr_##bo##32toh(                  \
582
1.17k
                                                             section->link);              \
583
1.17k
                                                                                          \
584
1.17k
          if (IS_VALID_PTR(elf, elf_size, dynstr_section) &&                              \
585
1.17k
              yr_##bo##32toh(dynstr_section->type) == ELF_SHT_STRTAB)                     \
586
1.17k
          {                                                                               \
587
587
            dyn_sym_table = elf_raw + yr_##bo##bits##toh(section->offset);                \
588
587
            dyn_sym_str_table = elf_raw +                                                 \
589
587
                                yr_##bo##bits##toh(dynstr_section->offset);               \
590
587
            dyn_sym_table_size = yr_##bo##bits##toh(section->size);                       \
591
587
            dyn_sym_str_table_size = yr_##bo##bits##toh(dynstr_section->size);            \
592
587
          }                                                                               \
593
1.17k
        }                                                                                 \
594
113k
      }                                                                                   \
595
1.12k
                                                                                          \
596
1.12k
      if (is_valid_ptr(elf, elf_size, sym_str_table, sym_str_table_size) &&               \
597
1.12k
          is_valid_ptr(elf, elf_size, sym_table, sym_table_size))                         \
598
1.12k
      {                                                                                   \
599
122
        elf##bits##_sym_t* sym = (elf##bits##_sym_t*) sym_table;                          \
600
122
        elf_data->symtab = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
601
122
            sizeof(ELF_SYMBOL_LIST));                                                     \
602
122
                                                                                          \
603
122
        if (elf_data->symtab == NULL)                                                     \
604
122
          return ERROR_INSUFFICIENT_MEMORY;                                               \
605
122
                                                                                          \
606
122
        ELF_SYMBOL** symbol = &(elf_data->symtab->symbols);                               \
607
122
        *symbol = NULL;                                                                   \
608
122
                                                                                          \
609
9.27k
        for (j = 0; j < sym_table_size / sizeof(elf##bits##_sym_t);                       \
610
9.15k
             j++, sym++)                                                                  \
611
9.15k
        {                                                                                 \
612
9.15k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
613
9.15k
          if (*symbol == NULL)                                                            \
614
9.15k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
615
9.15k
                                                                                          \
616
9.15k
          (*symbol)->name = NULL;                                                         \
617
9.15k
          (*symbol)->next = NULL;                                                         \
618
9.15k
                                                                                          \
619
9.15k
          const char* sym_name = str_table_entry(                                         \
620
9.15k
              sym_str_table,                                                              \
621
9.15k
              sym_str_table + sym_str_table_size,                                         \
622
9.15k
              yr_##bo##32toh(sym->name));                                                 \
623
9.15k
                                                                                          \
624
9.15k
          if (sym_name)                                                                   \
625
9.15k
          {                                                                               \
626
3.26k
            yr_set_string(sym_name, elf_obj, "symtab[%i].name", j);                       \
627
3.26k
            (*symbol)->name = (char*) yr_malloc(strlen(sym_name) + 1);                    \
628
3.26k
            if ((*symbol)->name == NULL)                                                  \
629
3.26k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
630
3.26k
                                                                                          \
631
3.26k
            strcpy((*symbol)->name, sym_name);                                            \
632
3.26k
          }                                                                               \
633
9.15k
                                                                                          \
634
9.15k
          int bind = sym->info >> 4;                                                      \
635
9.15k
          (*symbol)->bind = bind;                                                         \
636
9.15k
          yr_set_integer(bind, elf_obj, "symtab[%i].bind", j);                            \
637
9.15k
                                                                                          \
638
9.15k
          int type = sym->info & 0xf;                                                     \
639
9.15k
          (*symbol)->type = type;                                                         \
640
9.15k
          yr_set_integer(type, elf_obj, "symtab[%i].type", j);                            \
641
9.15k
                                                                                          \
642
9.15k
          int shndx = yr_##bo##16toh(sym->shndx);                                         \
643
9.15k
          (*symbol)->shndx = shndx;                                                       \
644
9.15k
          yr_set_integer(shndx, elf_obj, "symtab[%i].shndx", j);                          \
645
9.15k
                                                                                          \
646
9.15k
          int value = yr_##bo##bits##toh(sym->value);                                     \
647
9.15k
          (*symbol)->value = value;                                                       \
648
9.15k
          yr_set_integer(                                                                 \
649
9.15k
              yr_##bo##bits##toh(sym->value), elf_obj, "symtab[%i].value", j);            \
650
9.15k
                                                                                          \
651
9.15k
          int size = yr_##bo##bits##toh(sym->size);                                       \
652
9.15k
          (*symbol)->size = size;                                                         \
653
9.15k
          yr_set_integer(                                                                 \
654
9.15k
              yr_##bo##bits##toh(sym->size), elf_obj, "symtab[%i].size", j);              \
655
9.15k
                                                                                          \
656
9.15k
          (*symbol)->visibility = sym->other & 0x3;                                       \
657
9.15k
                                                                                          \
658
9.15k
          symbol = &((*symbol)->next);                                                    \
659
9.15k
        }                                                                                 \
660
122
                                                                                          \
661
122
        elf_data->symtab->count = j;                                                      \
662
122
        yr_set_integer(j, elf_obj, "symtab_entries");                                     \
663
122
      }                                                                                   \
664
1.12k
                                                                                          \
665
1.12k
      if (is_valid_ptr(                                                                   \
666
1.12k
              elf, elf_size, dyn_sym_str_table, dyn_sym_str_table_size) &&                \
667
1.12k
          is_valid_ptr(elf, elf_size, dyn_sym_table, dyn_sym_table_size))                 \
668
1.12k
      {                                                                                   \
669
115
        elf##bits##_sym_t* dynsym = (elf##bits##_sym_t*) dyn_sym_table;                   \
670
115
                                                                                          \
671
115
        elf_data->dynsym = (ELF_SYMBOL_LIST*) yr_malloc(                                  \
672
115
            sizeof(ELF_SYMBOL_LIST));                                                     \
673
115
                                                                                          \
674
115
        if (elf_data->dynsym == NULL)                                                     \
675
115
          return ERROR_INSUFFICIENT_MEMORY;                                               \
676
115
                                                                                          \
677
115
        ELF_SYMBOL** symbol = &(elf_data->dynsym->symbols);                               \
678
115
        *symbol = NULL;                                                                   \
679
115
                                                                                          \
680
7.71k
        for (m = 0; m < dyn_sym_table_size / sizeof(elf##bits##_sym_t);                   \
681
7.60k
             m++, dynsym++)                                                               \
682
7.60k
        {                                                                                 \
683
7.60k
          *symbol = (ELF_SYMBOL*) yr_malloc(sizeof(ELF_SYMBOL));                          \
684
7.60k
          if (*symbol == NULL)                                                            \
685
7.60k
            return ERROR_INSUFFICIENT_MEMORY;                                             \
686
7.60k
                                                                                          \
687
7.60k
          (*symbol)->name = NULL;                                                         \
688
7.60k
          (*symbol)->next = NULL;                                                         \
689
7.60k
                                                                                          \
690
7.60k
          const char* dynsym_name = str_table_entry(                                      \
691
7.60k
              dyn_sym_str_table,                                                          \
692
7.60k
              dyn_sym_str_table + dyn_sym_str_table_size,                                 \
693
7.60k
              yr_##bo##32toh(dynsym->name));                                              \
694
7.60k
                                                                                          \
695
7.60k
          if (dynsym_name)                                                                \
696
7.60k
          {                                                                               \
697
1.70k
            yr_set_string(dynsym_name, elf_obj, "dynsym[%i].name", m);                    \
698
1.70k
            (*symbol)->name = (char*) yr_malloc(strlen(dynsym_name) + 1);                 \
699
1.70k
            if ((*symbol)->name == NULL)                                                  \
700
1.70k
              return ERROR_INSUFFICIENT_MEMORY;                                           \
701
1.70k
                                                                                          \
702
1.70k
            strcpy((*symbol)->name, dynsym_name);                                         \
703
1.70k
          }                                                                               \
704
7.60k
                                                                                          \
705
7.60k
          int bind = dynsym->info >> 4;                                                   \
706
7.60k
          (*symbol)->bind = bind;                                                         \
707
7.60k
          yr_set_integer(dynsym->info >> 4, elf_obj, "dynsym[%i].bind", m);               \
708
7.60k
                                                                                          \
709
7.60k
          int type = dynsym->info & 0xf;                                                  \
710
7.60k
          (*symbol)->type = type;                                                         \
711
7.60k
          yr_set_integer(dynsym->info & 0xf, elf_obj, "dynsym[%i].type", m);              \
712
7.60k
                                                                                          \
713
7.60k
          int shndx = yr_##bo##16toh(dynsym->shndx);                                      \
714
7.60k
          (*symbol)->shndx = shndx;                                                       \
715
7.60k
          yr_set_integer(                                                                 \
716
7.60k
              yr_##bo##16toh(dynsym->shndx), elf_obj, "dynsym[%i].shndx", m);             \
717
7.60k
                                                                                          \
718
7.60k
          int value = yr_##bo##bits##toh(dynsym->value);                                  \
719
7.60k
          (*symbol)->value = value;                                                       \
720
7.60k
          yr_set_integer(                                                                 \
721
7.60k
              yr_##bo##bits##toh(dynsym->value),                                          \
722
7.60k
              elf_obj,                                                                    \
723
7.60k
              "dynsym[%i].value",                                                         \
724
7.60k
              m);                                                                         \
725
7.60k
                                                                                          \
726
7.60k
          int size = yr_##bo##bits##toh(dynsym->size);                                    \
727
7.60k
          (*symbol)->size = size;                                                         \
728
7.60k
          yr_set_integer(                                                                 \
729
7.60k
              yr_##bo##bits##toh(dynsym->size),                                           \
730
7.60k
              elf_obj,                                                                    \
731
7.60k
              "dynsym[%i].size",                                                          \
732
7.60k
              m);                                                                         \
733
7.60k
                                                                                          \
734
7.60k
          (*symbol)->visibility = dynsym->other & 0x3;                                    \
735
7.60k
                                                                                          \
736
7.60k
          symbol = &((*symbol)->next);                                                    \
737
7.60k
        }                                                                                 \
738
115
                                                                                          \
739
115
        elf_data->dynsym->count = m;                                                      \
740
115
        yr_set_integer(m, elf_obj, "dynsym_entries");                                     \
741
115
      }                                                                                   \
742
1.12k
    }                                                                                     \
743
1.93k
                                                                                          \
744
1.93k
    if (yr_##bo##16toh(elf->ph_entry_count) > 0 &&                                        \
745
1.93k
        yr_##bo##16toh(elf->ph_entry_count) < ELF_PN_XNUM &&                              \
746
1.93k
        yr_##bo##bits##toh(elf->ph_offset) < elf_size &&                                  \
747
1.93k
        yr_##bo##bits##toh(elf->ph_offset) +                                              \
748
541
                yr_##bo##16toh(elf->ph_entry_count) *                                     \
749
541
                    sizeof(elf##bits##_program_header_t) <=                               \
750
541
            elf_size)                                                                     \
751
1.93k
    {                                                                                     \
752
318
      segment =                                                                           \
753
318
          (elf##bits##_program_header_t*) (elf_raw + yr_##bo##bits##toh(elf->ph_offset)); \
754
318
                                                                                          \
755
135k
      for (i = 0; i < yr_##bo##16toh(elf->ph_entry_count); i++, segment++)                \
756
134k
      {                                                                                   \
757
134k
        yr_set_integer(                                                                   \
758
134k
            yr_##bo##32toh(segment->type), elf_obj, "segments[%i].type", i);              \
759
134k
        yr_set_integer(                                                                   \
760
134k
            yr_##bo##32toh(segment->flags), elf_obj, "segments[%i].flags", i);            \
761
134k
        yr_set_integer(                                                                   \
762
134k
            yr_##bo##bits##toh(segment->offset),                                          \
763
134k
            elf_obj,                                                                      \
764
134k
            "segments[%i].offset",                                                        \
765
134k
            i);                                                                           \
766
134k
        yr_set_integer(                                                                   \
767
134k
            yr_##bo##bits##toh(segment->virt_addr),                                       \
768
134k
            elf_obj,                                                                      \
769
134k
            "segments[%i].virtual_address",                                               \
770
134k
            i);                                                                           \
771
134k
        yr_set_integer(                                                                   \
772
134k
            yr_##bo##bits##toh(segment->phys_addr),                                       \
773
134k
            elf_obj,                                                                      \
774
134k
            "segments[%i].physical_address",                                              \
775
134k
            i);                                                                           \
776
134k
        yr_set_integer(                                                                   \
777
134k
            yr_##bo##bits##toh(segment->file_size),                                       \
778
134k
            elf_obj,                                                                      \
779
134k
            "segments[%i].file_size",                                                     \
780
134k
            i);                                                                           \
781
134k
        yr_set_integer(                                                                   \
782
134k
            yr_##bo##bits##toh(segment->mem_size),                                        \
783
134k
            elf_obj,                                                                      \
784
134k
            "segments[%i].memory_size",                                                   \
785
134k
            i);                                                                           \
786
134k
        yr_set_integer(                                                                   \
787
134k
            yr_##bo##bits##toh(segment->alignment),                                       \
788
134k
            elf_obj,                                                                      \
789
134k
            "segments[%i].alignment",                                                     \
790
134k
            i);                                                                           \
791
134k
                                                                                          \
792
134k
        if (yr_##bo##32toh(segment->type) == ELF_PT_DYNAMIC)                              \
793
134k
        {                                                                                 \
794
4.18k
          j = 0;                                                                          \
795
4.18k
          if (yr_##bo##bits##toh(segment->offset) < elf_size)                             \
796
4.18k
          {                                                                               \
797
634
            elf##bits##_dyn_t* dyn =                                                      \
798
634
                (elf##bits##_dyn_t*) (elf_raw + yr_##bo##bits##toh(segment->offset));     \
799
634
                                                                                          \
800
117k
            for (j = 0; IS_VALID_PTR(elf, elf_size, dyn); dyn++, j++)                     \
801
117k
            {                                                                             \
802
117k
              yr_set_integer(                                                             \
803
117k
                  yr_##bo##bits##toh(dyn->tag), elf_obj, "dynamic[%i].type", j);          \
804
117k
              yr_set_integer(                                                             \
805
117k
                  yr_##bo##bits##toh(dyn->val), elf_obj, "dynamic[%i].val", j);           \
806
117k
                                                                                          \
807
117k
              if (dyn->tag == ELF_DT_NULL)                                                \
808
117k
              {                                                                           \
809
540
                j++;                                                                      \
810
540
                break;                                                                    \
811
540
              }                                                                           \
812
117k
            }                                                                             \
813
634
          }                                                                               \
814
4.18k
          yr_set_integer(j, elf_obj, "dynamic_section_entries");                          \
815
4.18k
        }                                                                                 \
816
134k
      }                                                                                   \
817
318
    }                                                                                     \
818
1.93k
    return ERROR_SUCCESS;                                                                 \
819
1.93k
  }
820
821
ELF_RVA_TO_OFFSET(32, le);
822
ELF_RVA_TO_OFFSET(64, le);
823
ELF_RVA_TO_OFFSET(32, be);
824
ELF_RVA_TO_OFFSET(64, be);
825
826
PARSE_ELF_HEADER(32, le);
827
PARSE_ELF_HEADER(64, le);
828
PARSE_ELF_HEADER(32, be);
829
PARSE_ELF_HEADER(64, be);
830
831
7.32k
begin_declarations
832
7.32k
  declare_integer("ET_NONE");
833
7.32k
  declare_integer("ET_REL");
834
7.32k
  declare_integer("ET_EXEC");
835
7.32k
  declare_integer("ET_DYN");
836
7.32k
  declare_integer("ET_CORE");
837
838
7.32k
  declare_integer("EM_NONE");
839
7.32k
  declare_integer("EM_M32");
840
7.32k
  declare_integer("EM_SPARC");
841
7.32k
  declare_integer("EM_386");
842
7.32k
  declare_integer("EM_68K");
843
7.32k
  declare_integer("EM_88K");
844
7.32k
  declare_integer("EM_860");
845
7.32k
  declare_integer("EM_MIPS");
846
7.32k
  declare_integer("EM_MIPS_RS3_LE");
847
7.32k
  declare_integer("EM_PPC");
848
7.32k
  declare_integer("EM_PPC64");
849
7.32k
  declare_integer("EM_ARM");
850
7.32k
  declare_integer("EM_X86_64");
851
7.32k
  declare_integer("EM_AARCH64");
852
853
7.32k
  declare_integer("SHT_NULL");
854
7.32k
  declare_integer("SHT_PROGBITS");
855
7.32k
  declare_integer("SHT_SYMTAB");
856
7.32k
  declare_integer("SHT_STRTAB");
857
7.32k
  declare_integer("SHT_RELA");
858
7.32k
  declare_integer("SHT_HASH");
859
7.32k
  declare_integer("SHT_DYNAMIC");
860
7.32k
  declare_integer("SHT_NOTE");
861
7.32k
  declare_integer("SHT_NOBITS");
862
7.32k
  declare_integer("SHT_REL");
863
7.32k
  declare_integer("SHT_SHLIB");
864
7.32k
  declare_integer("SHT_DYNSYM");
865
866
7.32k
  declare_integer("SHF_WRITE");
867
7.32k
  declare_integer("SHF_ALLOC");
868
7.32k
  declare_integer("SHF_EXECINSTR");
869
870
7.32k
  declare_integer("type");
871
7.32k
  declare_integer("machine");
872
7.32k
  declare_integer("entry_point");
873
874
7.32k
  declare_integer("number_of_sections");
875
7.32k
  declare_integer("sh_offset");
876
7.32k
  declare_integer("sh_entry_size");
877
878
7.32k
  declare_integer("number_of_segments");
879
7.32k
  declare_integer("ph_offset");
880
7.32k
  declare_integer("ph_entry_size");
881
882
21.9k
  begin_struct_array("sections")
883
7.32k
    declare_integer("type");
884
7.32k
    declare_integer("flags");
885
7.32k
    declare_integer("address");
886
7.32k
    declare_string("name");
887
7.32k
    declare_integer("size");
888
7.32k
    declare_integer("offset");
889
14.6k
  end_struct_array("sections")
890
891
7.32k
  declare_integer("PT_NULL");
892
7.32k
  declare_integer("PT_LOAD");
893
7.32k
  declare_integer("PT_DYNAMIC");
894
7.32k
  declare_integer("PT_INTERP");
895
7.32k
  declare_integer("PT_NOTE");
896
7.32k
  declare_integer("PT_SHLIB");
897
7.32k
  declare_integer("PT_PHDR");
898
7.32k
  declare_integer("PT_TLS");
899
7.32k
  declare_integer("PT_GNU_EH_FRAME");
900
7.32k
  declare_integer("PT_GNU_STACK");
901
902
7.32k
  declare_integer("DT_NULL");
903
7.32k
  declare_integer("DT_NEEDED");
904
7.32k
  declare_integer("DT_PLTRELSZ");
905
7.32k
  declare_integer("DT_PLTGOT");
906
7.32k
  declare_integer("DT_HASH");
907
7.32k
  declare_integer("DT_STRTAB");
908
7.32k
  declare_integer("DT_SYMTAB");
909
7.32k
  declare_integer("DT_RELA");
910
7.32k
  declare_integer("DT_RELASZ");
911
7.32k
  declare_integer("DT_RELAENT");
912
7.32k
  declare_integer("DT_STRSZ");
913
7.32k
  declare_integer("DT_SYMENT");
914
7.32k
  declare_integer("DT_INIT");
915
7.32k
  declare_integer("DT_FINI");
916
7.32k
  declare_integer("DT_SONAME");
917
7.32k
  declare_integer("DT_RPATH");
918
7.32k
  declare_integer("DT_SYMBOLIC");
919
7.32k
  declare_integer("DT_REL");
920
7.32k
  declare_integer("DT_RELSZ");
921
7.32k
  declare_integer("DT_RELENT");
922
7.32k
  declare_integer("DT_PLTREL");
923
7.32k
  declare_integer("DT_DEBUG");
924
7.32k
  declare_integer("DT_TEXTREL");
925
7.32k
  declare_integer("DT_JMPREL");
926
7.32k
  declare_integer("DT_BIND_NOW");
927
7.32k
  declare_integer("DT_INIT_ARRAY");
928
7.32k
  declare_integer("DT_FINI_ARRAY");
929
7.32k
  declare_integer("DT_INIT_ARRAYSZ");
930
7.32k
  declare_integer("DT_FINI_ARRAYSZ");
931
7.32k
  declare_integer("DT_RUNPATH");
932
7.32k
  declare_integer("DT_FLAGS");
933
7.32k
  declare_integer("DT_ENCODING");
934
935
7.32k
  declare_integer("STT_NOTYPE");
936
7.32k
  declare_integer("STT_OBJECT");
937
7.32k
  declare_integer("STT_FUNC");
938
7.32k
  declare_integer("STT_SECTION");
939
7.32k
  declare_integer("STT_FILE");
940
7.32k
  declare_integer("STT_COMMON");
941
7.32k
  declare_integer("STT_TLS");
942
943
7.32k
  declare_integer("STB_LOCAL");
944
7.32k
  declare_integer("STB_GLOBAL");
945
7.32k
  declare_integer("STB_WEAK");
946
947
7.32k
  declare_integer("PF_X");
948
7.32k
  declare_integer("PF_W");
949
7.32k
  declare_integer("PF_R");
950
951
21.9k
  begin_struct_array("segments")
952
7.32k
    declare_integer("type");
953
7.32k
    declare_integer("flags");
954
7.32k
    declare_integer("offset");
955
7.32k
    declare_integer("virtual_address");
956
7.32k
    declare_integer("physical_address");
957
7.32k
    declare_integer("file_size");
958
7.32k
    declare_integer("memory_size");
959
7.32k
    declare_integer("alignment");
960
14.6k
  end_struct_array("segments")
961
962
7.32k
  declare_integer("dynamic_section_entries");
963
21.9k
  begin_struct_array("dynamic")
964
7.32k
    declare_integer("type");
965
7.32k
    declare_integer("val");
966
14.6k
  end_struct_array("dynamic")
967
968
7.32k
  declare_integer("symtab_entries");
969
21.9k
  begin_struct_array("symtab")
970
7.32k
    declare_string("name");
971
7.32k
    declare_integer("value");
972
7.32k
    declare_integer("size");
973
7.32k
    declare_integer("type");
974
7.32k
    declare_integer("bind");
975
7.32k
    declare_integer("shndx");
976
14.6k
  end_struct_array("symtab")
977
978
7.32k
  declare_integer("dynsym_entries");
979
21.9k
  begin_struct_array("dynsym")
980
7.32k
    declare_string("name");
981
7.32k
    declare_integer("value");
982
7.32k
    declare_integer("size");
983
7.32k
    declare_integer("type");
984
7.32k
    declare_integer("bind");
985
7.32k
    declare_integer("shndx");
986
14.6k
  end_struct_array("dynsym")
987
988
7.32k
  declare_function("telfhash", "", "s", telfhash);
989
990
#if defined(HAVE_LIBCRYPTO) || defined(HAVE_WINCRYPT_H) || \
991
    defined(HAVE_COMMONCRYPTO_COMMONCRYPTO_H)
992
  declare_function("import_md5", "", "s", import_md5);
993
#endif  // defined(HAVE_LIBCRYPTO) || defined(HAVE_WINCRYPT_H)
994
995
7.32k
end_declarations
996
997
int module_initialize(YR_MODULE* module)
998
11
{
999
11
  return ERROR_SUCCESS;
1000
11
}
1001
1002
int module_finalize(YR_MODULE* module)
1003
0
{
1004
0
  return ERROR_SUCCESS;
1005
0
}
1006
1007
int module_load(
1008
    YR_SCAN_CONTEXT* context,
1009
    YR_OBJECT* module_object,
1010
    void* module_data,
1011
    size_t module_data_size)
1012
7.31k
{
1013
7.31k
  YR_MEMORY_BLOCK* block;
1014
7.31k
  YR_MEMORY_BLOCK_ITERATOR* iterator = context->iterator;
1015
1016
7.31k
  elf32_header_t* elf_header32;
1017
7.31k
  elf64_header_t* elf_header64;
1018
1019
7.31k
  yr_set_integer(ELF_ET_NONE, module_object, "ET_NONE");
1020
7.31k
  yr_set_integer(ELF_ET_REL, module_object, "ET_REL");
1021
7.31k
  yr_set_integer(ELF_ET_EXEC, module_object, "ET_EXEC");
1022
7.31k
  yr_set_integer(ELF_ET_DYN, module_object, "ET_DYN");
1023
7.31k
  yr_set_integer(ELF_ET_CORE, module_object, "ET_CORE");
1024
1025
7.31k
  yr_set_integer(ELF_EM_NONE, module_object, "EM_NONE");
1026
7.31k
  yr_set_integer(ELF_EM_M32, module_object, "EM_M32");
1027
7.31k
  yr_set_integer(ELF_EM_SPARC, module_object, "EM_SPARC");
1028
7.31k
  yr_set_integer(ELF_EM_386, module_object, "EM_386");
1029
7.31k
  yr_set_integer(ELF_EM_68K, module_object, "EM_68K");
1030
7.31k
  yr_set_integer(ELF_EM_88K, module_object, "EM_88K");
1031
7.31k
  yr_set_integer(ELF_EM_860, module_object, "EM_860");
1032
7.31k
  yr_set_integer(ELF_EM_MIPS, module_object, "EM_MIPS");
1033
7.31k
  yr_set_integer(ELF_EM_MIPS_RS3_LE, module_object, "EM_MIPS_RS3_LE");
1034
7.31k
  yr_set_integer(ELF_EM_PPC, module_object, "EM_PPC");
1035
7.31k
  yr_set_integer(ELF_EM_PPC64, module_object, "EM_PPC64");
1036
7.31k
  yr_set_integer(ELF_EM_ARM, module_object, "EM_ARM");
1037
7.31k
  yr_set_integer(ELF_EM_X86_64, module_object, "EM_X86_64");
1038
7.31k
  yr_set_integer(ELF_EM_AARCH64, module_object, "EM_AARCH64");
1039
1040
7.31k
  yr_set_integer(ELF_SHT_NULL, module_object, "SHT_NULL");
1041
7.31k
  yr_set_integer(ELF_SHT_PROGBITS, module_object, "SHT_PROGBITS");
1042
7.31k
  yr_set_integer(ELF_SHT_SYMTAB, module_object, "SHT_SYMTAB");
1043
7.31k
  yr_set_integer(ELF_SHT_STRTAB, module_object, "SHT_STRTAB");
1044
7.31k
  yr_set_integer(ELF_SHT_RELA, module_object, "SHT_RELA");
1045
7.31k
  yr_set_integer(ELF_SHT_HASH, module_object, "SHT_HASH");
1046
7.31k
  yr_set_integer(ELF_SHT_DYNAMIC, module_object, "SHT_DYNAMIC");
1047
7.31k
  yr_set_integer(ELF_SHT_NOTE, module_object, "SHT_NOTE");
1048
7.31k
  yr_set_integer(ELF_SHT_NOBITS, module_object, "SHT_NOBITS");
1049
7.31k
  yr_set_integer(ELF_SHT_REL, module_object, "SHT_REL");
1050
7.31k
  yr_set_integer(ELF_SHT_SHLIB, module_object, "SHT_SHLIB");
1051
7.31k
  yr_set_integer(ELF_SHT_DYNSYM, module_object, "SHT_DYNSYM");
1052
1053
7.31k
  yr_set_integer(ELF_SHF_WRITE, module_object, "SHF_WRITE");
1054
7.31k
  yr_set_integer(ELF_SHF_ALLOC, module_object, "SHF_ALLOC");
1055
7.31k
  yr_set_integer(ELF_SHF_EXECINSTR, module_object, "SHF_EXECINSTR");
1056
1057
7.31k
  yr_set_integer(ELF_PT_NULL, module_object, "PT_NULL");
1058
7.31k
  yr_set_integer(ELF_PT_LOAD, module_object, "PT_LOAD");
1059
7.31k
  yr_set_integer(ELF_PT_DYNAMIC, module_object, "PT_DYNAMIC");
1060
7.31k
  yr_set_integer(ELF_PT_INTERP, module_object, "PT_INTERP");
1061
7.31k
  yr_set_integer(ELF_PT_NOTE, module_object, "PT_NOTE");
1062
7.31k
  yr_set_integer(ELF_PT_SHLIB, module_object, "PT_SHLIB");
1063
7.31k
  yr_set_integer(ELF_PT_PHDR, module_object, "PT_PHDR");
1064
7.31k
  yr_set_integer(ELF_PT_TLS, module_object, "PT_TLS");
1065
7.31k
  yr_set_integer(ELF_PT_GNU_EH_FRAME, module_object, "PT_GNU_EH_FRAME");
1066
7.31k
  yr_set_integer(ELF_PT_GNU_STACK, module_object, "PT_GNU_STACK");
1067
1068
7.31k
  yr_set_integer(ELF_DT_NULL, module_object, "DT_NULL");
1069
7.31k
  yr_set_integer(ELF_DT_NEEDED, module_object, "DT_NEEDED");
1070
7.31k
  yr_set_integer(ELF_DT_PLTRELSZ, module_object, "DT_PLTRELSZ");
1071
7.31k
  yr_set_integer(ELF_DT_PLTGOT, module_object, "DT_PLTGOT");
1072
7.31k
  yr_set_integer(ELF_DT_HASH, module_object, "DT_HASH");
1073
7.31k
  yr_set_integer(ELF_DT_STRTAB, module_object, "DT_STRTAB");
1074
7.31k
  yr_set_integer(ELF_DT_SYMTAB, module_object, "DT_SYMTAB");
1075
7.31k
  yr_set_integer(ELF_DT_RELA, module_object, "DT_RELA");
1076
7.31k
  yr_set_integer(ELF_DT_RELASZ, module_object, "DT_RELASZ");
1077
7.31k
  yr_set_integer(ELF_DT_RELAENT, module_object, "DT_RELAENT");
1078
7.31k
  yr_set_integer(ELF_DT_STRSZ, module_object, "DT_STRSZ");
1079
7.31k
  yr_set_integer(ELF_DT_SYMENT, module_object, "DT_SYMENT");
1080
7.31k
  yr_set_integer(ELF_DT_INIT, module_object, "DT_INIT");
1081
7.31k
  yr_set_integer(ELF_DT_FINI, module_object, "DT_FINI");
1082
7.31k
  yr_set_integer(ELF_DT_SONAME, module_object, "DT_SONAME");
1083
7.31k
  yr_set_integer(ELF_DT_RPATH, module_object, "DT_RPATH");
1084
7.31k
  yr_set_integer(ELF_DT_SYMBOLIC, module_object, "DT_SYMBOLIC");
1085
7.31k
  yr_set_integer(ELF_DT_REL, module_object, "DT_REL");
1086
7.31k
  yr_set_integer(ELF_DT_RELSZ, module_object, "DT_RELSZ");
1087
7.31k
  yr_set_integer(ELF_DT_RELENT, module_object, "DT_RELENT");
1088
7.31k
  yr_set_integer(ELF_DT_PLTREL, module_object, "DT_PLTREL");
1089
7.31k
  yr_set_integer(ELF_DT_DEBUG, module_object, "DT_DEBUG");
1090
7.31k
  yr_set_integer(ELF_DT_TEXTREL, module_object, "DT_TEXTREL");
1091
7.31k
  yr_set_integer(ELF_DT_JMPREL, module_object, "DT_JMPREL");
1092
7.31k
  yr_set_integer(ELF_DT_BIND_NOW, module_object, "DT_BIND_NOW");
1093
7.31k
  yr_set_integer(ELF_DT_INIT_ARRAY, module_object, "DT_INIT_ARRAY");
1094
7.31k
  yr_set_integer(ELF_DT_FINI_ARRAY, module_object, "DT_FINI_ARRAY");
1095
7.31k
  yr_set_integer(ELF_DT_INIT_ARRAYSZ, module_object, "DT_INIT_ARRAYSZ");
1096
7.31k
  yr_set_integer(ELF_DT_FINI_ARRAYSZ, module_object, "DT_FINI_ARRAYSZ");
1097
7.31k
  yr_set_integer(ELF_DT_RUNPATH, module_object, "DT_RUNPATH");
1098
7.31k
  yr_set_integer(ELF_DT_FLAGS, module_object, "DT_FLAGS");
1099
7.31k
  yr_set_integer(ELF_DT_ENCODING, module_object, "DT_ENCODING");
1100
1101
7.31k
  yr_set_integer(ELF_STT_NOTYPE, module_object, "STT_NOTYPE");
1102
7.31k
  yr_set_integer(ELF_STT_OBJECT, module_object, "STT_OBJECT");
1103
7.31k
  yr_set_integer(ELF_STT_FUNC, module_object, "STT_FUNC");
1104
7.31k
  yr_set_integer(ELF_STT_SECTION, module_object, "STT_SECTION");
1105
7.31k
  yr_set_integer(ELF_STT_FILE, module_object, "STT_FILE");
1106
7.31k
  yr_set_integer(ELF_STT_COMMON, module_object, "STT_COMMON");
1107
7.31k
  yr_set_integer(ELF_STT_TLS, module_object, "STT_TLS");
1108
1109
7.31k
  yr_set_integer(ELF_STB_LOCAL, module_object, "STB_LOCAL");
1110
7.31k
  yr_set_integer(ELF_STB_GLOBAL, module_object, "STB_GLOBAL");
1111
7.31k
  yr_set_integer(ELF_STB_WEAK, module_object, "STB_WEAK");
1112
1113
7.31k
  yr_set_integer(ELF_PF_X, module_object, "PF_X");
1114
7.31k
  yr_set_integer(ELF_PF_W, module_object, "PF_W");
1115
7.31k
  yr_set_integer(ELF_PF_R, module_object, "PF_R");
1116
1117
7.31k
  uint64_t parse_result = ERROR_SUCCESS;
1118
1119
7.31k
  foreach_memory_block(iterator, block)
1120
7.31k
  {
1121
7.31k
    const uint8_t* block_data = yr_fetch_block_data(block);
1122
1123
7.31k
    if (block_data == NULL)
1124
0
      continue;
1125
1126
7.31k
    ELF* elf = (ELF*) yr_calloc(1, sizeof(ELF));
1127
7.31k
    if (elf == NULL)
1128
0
      return ERROR_INSUFFICIENT_MEMORY;
1129
1130
7.31k
    module_object->data = elf;
1131
7.31k
    int class_data = get_elf_class_data(block_data, block->size);
1132
1133
7.31k
    if (class_data == CLASS_DATA(ELF_CLASS_32, ELF_DATA_2LSB) &&
1134
7.31k
        block->size > sizeof(elf32_header_t))
1135
1.29k
    {
1136
1.29k
      elf_header32 = (elf32_header_t*) block_data;
1137
1138
1.29k
      if (!(context->flags & SCAN_FLAGS_PROCESS_MEMORY) ||
1139
1.29k
          yr_le16toh(elf_header32->type) == ELF_ET_EXEC)
1140
1.29k
      {
1141
1.29k
        parse_result = parse_elf_header_32_le(
1142
1.29k
            elf,
1143
1.29k
            elf_header32,
1144
1.29k
            block->base,
1145
1.29k
            block->size,
1146
1.29k
            context->flags,
1147
1.29k
            module_object);
1148
1.29k
        break;
1149
1.29k
      }
1150
6.01k
    } else if (
1151
6.01k
        class_data == CLASS_DATA(ELF_CLASS_32, ELF_DATA_2MSB) &&
1152
6.01k
        block->size > sizeof(elf32_header_t))
1153
1.33k
    {
1154
1.33k
      elf_header32 = (elf32_header_t*) block_data;
1155
1156
1.33k
      if (!(context->flags & SCAN_FLAGS_PROCESS_MEMORY) ||
1157
1.33k
          yr_be16toh(elf_header32->type) == ELF_ET_EXEC)
1158
1.33k
      {
1159
1.33k
        parse_result = parse_elf_header_32_be(
1160
1.33k
            elf,
1161
1.33k
            elf_header32,
1162
1.33k
            block->base,
1163
1.33k
            block->size,
1164
1.33k
            context->flags,
1165
1.33k
            module_object);
1166
1.33k
        break;
1167
1.33k
      }
1168
4.68k
    } else if (
1169
4.68k
        class_data == CLASS_DATA(ELF_CLASS_64, ELF_DATA_2LSB) &&
1170
4.68k
        block->size > sizeof(elf64_header_t))
1171
1.71k
    {
1172
1.71k
      elf_header64 = (elf64_header_t*) block_data;
1173
1174
1.71k
      if (!(context->flags & SCAN_FLAGS_PROCESS_MEMORY) ||
1175
1.71k
          yr_le16toh(elf_header64->type) == ELF_ET_EXEC)
1176
1.71k
      {
1177
1.71k
        parse_result = parse_elf_header_64_le(
1178
1.71k
            elf,
1179
1.71k
            elf_header64,
1180
1.71k
            block->base,
1181
1.71k
            block->size,
1182
1.71k
            context->flags,
1183
1.71k
            module_object);
1184
1.71k
        break;
1185
1.71k
      }
1186
2.96k
    } else if (
1187
2.96k
        class_data == CLASS_DATA(ELF_CLASS_64, ELF_DATA_2MSB) &&
1188
2.96k
        block->size > sizeof(elf64_header_t))
1189
1.93k
    {
1190
1.93k
      elf_header64 = (elf64_header_t*) block_data;
1191
1192
1.93k
      if (!(context->flags & SCAN_FLAGS_PROCESS_MEMORY) ||
1193
1.93k
          yr_be16toh(elf_header64->type) == ELF_ET_EXEC)
1194
1.93k
      {
1195
1.93k
        parse_result = parse_elf_header_64_be(
1196
1.93k
            elf,
1197
1.93k
            elf_header64,
1198
1.93k
            block->base,
1199
1.93k
            block->size,
1200
1.93k
            context->flags,
1201
1.93k
            module_object);
1202
1.93k
        break;
1203
1.93k
      }
1204
1.93k
    }
1205
7.31k
  }
1206
1207
7.31k
  return parse_result;
1208
7.31k
}
1209
1210
int module_unload(YR_OBJECT* module_object)
1211
7.31k
{
1212
7.31k
  ELF* elf = (ELF*) module_object->data;
1213
7.31k
  if (elf == NULL)
1214
0
    return ERROR_SUCCESS;
1215
1216
7.31k
  if (elf->symtab != NULL)
1217
503
  {
1218
503
    ELF_SYMBOL *act = NULL, *next = NULL;
1219
65.2k
    for (act = elf->symtab->symbols; act != NULL; act = next)
1220
64.7k
    {
1221
64.7k
      next = act->next;
1222
64.7k
      if (act->name != NULL)
1223
12.9k
        yr_free(act->name);
1224
64.7k
      yr_free(act);
1225
64.7k
    }
1226
503
    yr_free(elf->symtab);
1227
503
  }
1228
1229
7.31k
  if (elf->dynsym != NULL)
1230
527
  {
1231
527
    ELF_SYMBOL *act = NULL, *next = NULL;
1232
54.4k
    for (act = elf->dynsym->symbols; act != NULL; act = next)
1233
53.9k
    {
1234
53.9k
      next = act->next;
1235
53.9k
      if (act->name != NULL)
1236
16.9k
        yr_free(act->name);
1237
53.9k
      yr_free(act);
1238
53.9k
    }
1239
527
    yr_free(elf->dynsym);
1240
527
  }
1241
1242
7.31k
  yr_free(elf->telfhash);
1243
7.31k
  yr_free(elf->import_hash);
1244
7.31k
  yr_free(elf);
1245
1246
7.31k
  module_object->data = NULL;
1247
1248
7.31k
  return ERROR_SUCCESS;
1249
7.31k
}