1 // copyright (c) 2017-2021 hors<horsicq@gmail.com> 2 // 3 // Permission is hereby granted, free of charge, to any person obtaining a copy 4 // of this software and associated documentation files (the "Software"), to deal 5 // in the Software without restriction, including without limitation the rights 6 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 // copies of the Software, and to permit persons to whom the Software is 8 // furnished to do so, subject to the following conditions: 9 10 // The above copyright notice and this permission notice shall be included in all 11 // copies or substantial portions of the Software. 12 13 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 // SOFTWARE. 20 // 21 #ifndef XBINARY_H 22 #define XBINARY_H 23 24 #include <QIODevice> 25 #include <QUuid> 26 #include <QFile> 27 #include <QFileInfo> 28 #include <QDir> 29 #include <QtEndian> 30 #include <QMap> 31 #include <QSet> 32 #include <QBuffer> 33 #include <QTemporaryFile> 34 #include <QCryptographicHash> 35 #include <QCoreApplication> 36 #include <QTextStream> 37 #include <QDateTime> 38 #include <QElapsedTimer> 39 #include <QMutex> 40 #include <QTextCodec> 41 #include <math.h> 42 #if (QT_VERSION_MAJOR<5) // TODO Check 43 #include <QRegExp> 44 #else 45 #include <QRegularExpression> 46 #include <QRegularExpressionMatch> 47 #endif 48 #ifdef QT_DEBUG 49 #include <QDebug> 50 #endif 51 #if (QT_VERSION_MAJOR>=5)&&(QT_VERSION_MINOR>=10) 52 #include <QRandomGenerator> 53 #elif (QT_VERSION_MAJOR>=6) // TODO Check 54 #include <QRandomGenerator> 55 #endif 56 #include "xmsdos_def.h" 57 #include "xne_def.h" 58 #include "xle_def.h" 59 #include "xpe_def.h" 60 #include "xelf_def.h" 61 #include "xmach_def.h" 62 #include "subdevice.h" 63 64 // TODO Check 64 65 // TODO mb Functions 66 #define S_ALIGN_DOWN(value,align) ((value)&~(align-1)) 67 #define S_ALIGN_UP(value,align) (((value)&(align-1))?S_ALIGN_DOWN(value,align)+align:value) 68 #define S_LOWORD(value) ((quint16)((quint32)(value)&0xFFFF)) 69 #define S_HIWORD(value) ((quint16)((quint32)(value)>>16)) 70 71 #ifdef Q_OS_MAC 72 #include <CoreFoundation/CoreFoundation.h> // Check 73 #endif 74 75 class XBinary : public QObject 76 { 77 Q_OBJECT 78 79 static const double D_ENTROPY_THRESHOLD; // 6.5 80 81 public: 82 struct DATASET 83 { 84 qint64 nOffset; 85 qint64 nAddress; 86 qint64 nSize; 87 QString sName; 88 quint32 nType; 89 // Optional 90 qint64 nStringTableOffset; 91 qint64 nStringTableSize; 92 }; 93 94 struct BYTE_COUNTS 95 { 96 qint64 nSize; 97 qint64 nCount[256]; // TODO const 98 }; 99 100 struct OS_ANSISTRING 101 { 102 qint64 nOffset; 103 qint64 nSize; 104 QString sAnsiString; 105 }; 106 107 struct OFFSETSIZE 108 { 109 qint64 nOffset; 110 qint64 nSize; 111 }; 112 113 struct ADDRESSSIZE 114 { 115 qint64 nAddress; 116 qint64 nSize; 117 }; 118 119 enum ADDRESS_SEGMENT 120 { 121 ADDRESS_SEGMENT_UNKNOWN=-1, 122 ADDRESS_SEGMENT_FLAT=0, 123 ADDRESS_SEGMENT_CODE, 124 // ADDRESS_SEGMENT_DATA 125 }; 126 127 enum MMT 128 { 129 MMT_UNKNOWN=0, 130 MMT_HEADER, 131 MMT_LOADSEGMENT, // Section in PE; LoadProgram in ELF; Segments in MACH 132 MMT_NOLOADABLE, // For ELF 133 MMT_FILESEGMENT, 134 MMT_OVERLAY 135 }; 136 137 struct _MEMORY_RECORD 138 { 139 qint64 nOffset; 140 qint64 nAddress; 141 ADDRESS_SEGMENT segment; 142 qint64 nSize; 143 MMT type; 144 qint32 nLoadSection; 145 QString sName; 146 qint32 nIndex; 147 bool bIsVirtual; 148 }; 149 150 enum FT 151 { 152 FT_UNKNOWN=0, 153 FT_BINARY, 154 FT_BINARY16, 155 FT_BINARY32, 156 FT_BINARY64, 157 FT_COM, 158 FT_MSDOS, 159 FT_NE, 160 FT_LE, 161 FT_LX, 162 FT_PE, 163 FT_PE32, 164 FT_PE64, 165 FT_ELF, 166 FT_ELF32, 167 FT_ELF64, 168 FT_MACHO, 169 FT_MACHO32, 170 FT_MACHO64, 171 // Extra 172 FT_ZIP, 173 FT_CAB, 174 FT_RAR, 175 FT_7Z, 176 FT_MACHOFAT, 177 FT_PNG, 178 FT_JPEG, 179 FT_GIF, 180 FT_TIFF, 181 FT_DEX, 182 FT_ANDROIDASRC, 183 FT_ANDROIDXML, 184 FT_APK, 185 FT_JAR, 186 FT_IPA, 187 FT_TEXT, 188 FT_PLAINTEXT, 189 FT_UTF8, 190 FT_UNICODE, 191 FT_UNICODE_LE, 192 FT_UNICODE_BE, 193 FT_DOCUMENT, 194 FT_IMAGE, 195 FT_ARCHIVE 196 // TODO more 197 }; 198 199 enum MODE 200 { 201 MODE_UNKNOWN=0, 202 MODE_DATA, 203 MODE_8, 204 MODE_16, 205 MODE_16SEG, 206 MODE_32, 207 MODE_64 208 // TODO more 209 // mb bits 210 }; 211 212 enum DMFAMILY 213 { 214 DMFAMILY_UNKNOWN, 215 DMFAMILY_X86, 216 DMFAMILY_ARM, 217 DMFAMILY_ARM64, 218 DMFAMILY_MIPS, 219 DMFAMILY_PPC, 220 DMFAMILY_SPARC, 221 DMFAMILY_SYSZ, 222 DMFAMILY_XCORE, 223 DMFAMILY_M68K, 224 DMFAMILY_M68OK, 225 DMFAMILY_RISCV, 226 DMFAMILY_EVM 227 }; 228 229 enum DM 230 { 231 DM_UNKNOWN=0, 232 DM_X86_16, 233 DM_X86_32, 234 DM_X86_64, 235 DM_ARM_LE, 236 DM_ARM_BE, 237 DM_ARM64_LE, 238 DM_ARM64_BE, 239 DM_CORTEXM, 240 DM_THUMB_LE, 241 DM_THUMB_BE, 242 DM_MIPS_LE, 243 DM_MIPS_BE, 244 DM_MIPS64_LE, 245 DM_MIPS64_BE, 246 DM_PPC_LE, 247 DM_PPC_BE, 248 DM_PPC64_LE, 249 DM_PPC64_BE, 250 DM_SPARC, 251 DM_S390X, 252 DM_XCORE, 253 DM_M68K, 254 DM_M68K40, 255 DM_TMS320C64X, 256 DM_M6800, 257 DM_M6801, 258 DM_M6805, 259 DM_M6808, 260 DM_M6809, 261 DM_M6811, 262 DM_CPU12, 263 DM_HD6301, 264 DM_HD6309, 265 DM_HCS08, 266 DM_EVM, 267 DM_RISKV32, 268 DM_RISKV64, 269 DM_RISKVC 270 // DM_MOS65XX TODO Check! 271 // TODO Check more 272 }; 273 274 struct _MEMORY_MAP 275 { 276 qint64 nModuleAddress; 277 qint64 nImageSize; 278 qint64 nRawSize; 279 FT fileType; 280 MODE mode; 281 bool bIsBigEndian; 282 QString sArch; 283 QString sType; 284 QList<_MEMORY_RECORD> listRecords; 285 }; 286 287 enum SYMBOL_TYPE 288 { 289 SYMBOL_TYPE_UNKNOWN, 290 SYMBOL_TYPE_EXPORT =0x00000001, 291 SYMBOL_TYPE_IMPORT =0x00000002, 292 SYMBOL_TYPE_LABEL =0x00000004, // DATA 293 SYMBOL_TYPE_ANSISTRING =0x00000008, 294 SYMBOL_TYPE_UNICODESTRING =0x00000010, 295 SYMBOL_TYPE_ALL =0xFFFFFFFF 296 }; 297 298 struct SYMBOL_RECORD 299 { 300 qint64 nAddress; 301 qint64 nSize; 302 qint64 nModuleAddress; 303 SYMBOL_TYPE symbolType; 304 qint32 nOrdinal; // For Windows; 305 QString sName; 306 QString sFunction; 307 }; 308 309 enum HASH 310 { 311 HASH_MD4=0, 312 HASH_MD5, 313 HASH_SHA1, 314 #ifndef QT_CRYPTOGRAPHICHASH_ONLY_SHA1 315 HASH_SHA224, 316 HASH_SHA256, 317 HASH_SHA384, 318 HASH_SHA512, 319 // TODO Check more 320 // TODO Check Qt versions! 321 // HASH_KECCAK_224, 322 // HASH_KECCAK_256, 323 // HASH_KECCAK_384, 324 // HASH_KECCAK_512 325 #endif 326 }; 327 328 enum TYPE 329 { 330 TYPE_UNKNOWN=0, 331 // TODO more 332 }; 333 334 enum MS_RECORD_TYPE 335 { 336 MS_RECORD_TYPE_UNKNOWN=0, 337 MS_RECORD_TYPE_ANSI, 338 MS_RECORD_TYPE_UTF8, 339 MS_RECORD_TYPE_UNICODE, 340 MS_RECORD_TYPE_SIGNATURE 341 }; 342 343 struct MS_RECORD 344 { 345 qint64 nOffset; 346 qint64 nSize; 347 MS_RECORD_TYPE recordType; 348 QString sString; 349 QString sInfo; 350 }; 351 352 struct OPCODE 353 { 354 qint64 nAddress; 355 qint64 nSize; 356 QString sName; 357 }; 358 359 struct MEMORY_REPLACE // For debuggers&breakpoints 360 { 361 qint64 nAddress; 362 qint64 nOffset; 363 qint64 nSize; 364 QByteArray baOriginal; 365 }; 366 367 private: 368 enum ST 369 { 370 ST_COMPAREBYTES=0, 371 ST_FINDBYTES, 372 ST_RELOFFSETFIX, 373 ST_RELOFFSET, 374 ST_ADDRESS 375 }; 376 377 struct SIGNATURE_RECORD 378 { 379 qint64 nBaseAddress; 380 ST st; 381 QByteArray baData; 382 quint32 nSizeOfAddr; 383 qint64 nFindDelta; 384 }; 385 386 public: 387 explicit XBinary(QIODevice *pDevice=nullptr,bool bIsImage=false,qint64 nModuleAddress=-1); // mb TODO parent for signals/slot 388 void setDevice(QIODevice *pDevice); 389 void setReadWriteMutex(QMutex *pReadWriteMutex); 390 qint64 safeReadData(QIODevice *pDevice,qint64 nPos,char *pData,qint64 nMaxLen); 391 qint64 safeWriteData(QIODevice *pDevice,qint64 nPos,const char *pData,qint64 nLen); 392 qint64 getSize(); 393 static qint64 getSize(QIODevice *pDevice); 394 static qint64 getSize(QString sFileName); 395 396 void setMode(MODE mode); 397 virtual MODE getMode(); 398 399 void setType(int nType); 400 virtual int getType(); 401 virtual QString typeIdToString(int nType); 402 QString getTypeAsString(); 403 404 void setFileType(FT fileType); 405 virtual FT getFileType(); 406 407 static QString modeIdToString(MODE mode); 408 static QString endiannessToString(bool bIsBigEndian); 409 410 void setArch(QString sArch); 411 virtual QString getArch(); 412 413 virtual bool isSigned(); 414 virtual OFFSETSIZE getSignOS(); 415 416 void setEndianness(bool bIsBigEndian); 417 418 static bool isPacked(double dEntropy); 419 420 static quint8 random8(); 421 static quint16 random16(); 422 static quint32 random32(); 423 static quint64 random64(); 424 static quint64 random(quint64 nLimit); 425 426 static QString fileTypeIdToString(FT fileType); 427 428 static QString convertFileName(QString sFileName); 429 static QString convertPathName(QString sPathName); 430 431 OS_ANSISTRING getOsAnsiString(qint64 nOffset,qint64 nSize); 432 433 struct FFOPTIONS 434 { 435 QList<QString> *pListFileNames; 436 bool bSubdirectories; 437 bool *pbIsStop; 438 qint32 *pnNumberOfFiles; 439 // TODO filter 440 }; 441 442 static void findFiles(QString sDirectoryName,FFOPTIONS *pFFOption,qint32 nLevel=0); 443 static void findFiles(QString sDirectoryName,QList<QString> *pListFileNames); 444 445 static QString regExp(QString sRegExp,QString sString,int nIndex); 446 static bool isRegExpPresent(QString sRegExp,QString sString); 447 qint64 read_array(qint64 nOffset,char *pBuffer,qint64 nMaxSize); 448 QByteArray read_array(qint64 nOffset,qint64 nSize); 449 qint64 write_array(qint64 nOffset,char *pBuffer,qint64 nMaxSize); 450 451 static QByteArray read_array(QIODevice *pDevice,qint64 nOffset,qint64 nSize); 452 static qint64 read_array(QIODevice *pDevice,qint64 nOffset,char *pBuffer,qint64 nSize); 453 454 quint8 read_uint8(qint64 nOffset); 455 qint8 read_int8(qint64 nOffset); 456 quint16 read_uint16(qint64 nOffset,bool bIsBigEndian=false); 457 qint16 read_int16(qint64 nOffset,bool bIsBigEndian=false); 458 quint32 read_uint32(qint64 nOffset,bool bIsBigEndian=false); 459 qint32 read_int32(qint64 nOffset,bool bIsBigEndian=false); 460 quint64 read_uint64(qint64 nOffset,bool bIsBigEndian=false); 461 qint64 read_int64(qint64 nOffset,bool bIsBigEndian=false); 462 float read_float(qint64 nOffset,bool bIsBigEndian=false); // TODO Check 463 double read_double(qint64 nOffset,bool bIsBigEndian=false); // TODO Check 464 465 quint32 read_uint24(qint64 nOffset,bool bIsBigEndian=false); // Uses UPX in header 466 467 qint64 write_ansiString(qint64 nOffset,QString sString); 468 void write_ansiStringFix(qint64 nOffset,qint64 nSize,QString sString); 469 // TODO write unicodestring 470 471 QString read_ansiString(qint64 nOffset,qint64 nMaxSize=256); 472 QString read_unicodeString(qint64 nOffset,qint64 nMaxSize=256,bool bIsBigEndian=false); 473 QString read_utf8String(qint64 nOffset,qint64 nMaxSize=256); 474 QString _read_utf8String(qint64 nOffset,qint64 nMaxSize=256); 475 QString _read_utf8String(char *pData,qint64 nMaxSize); 476 QString _read_utf8String(qint64 nOffset,char *pData,qint32 nDataSize,qint32 nDataOffset); 477 478 void write_uint8(qint64 nOffset,quint8 nValue); 479 void write_int8(qint64 nOffset,qint8 nValue); 480 void write_uint16(qint64 nOffset,quint16 nValue,bool bIsBigEndian=false); 481 void write_int16(qint64 nOffset,qint16 nValue,bool bIsBigEndian=false); 482 void write_uint32(qint64 nOffset,quint32 nValue,bool bIsBigEndian=false); 483 void write_int32(qint64 nOffset,qint32 nValue,bool bIsBigEndian=false); 484 void write_uint64(qint64 nOffset,quint64 nValue,bool bIsBigEndian=false); 485 void write_int64(qint64 nOffset,qint64 nValue,bool bIsBigEndian=false); 486 void write_float(qint64 nOffset,float fValue,bool bIsBigEndian=false); // TODO Check 487 void write_double(qint64 nOffset,double dValue,bool bIsBigEndian=false); // TODO Check 488 489 QString read_UUID(qint64 nOffset); 490 void write_UUID(qint64 nOffset,QString sValue); 491 492 static quint8 _read_uint8(char *pData); 493 static qint8 _read_int8(char *pData); 494 static quint16 _read_uint16(char *pData,bool bIsBigEndian=false); 495 static qint16 _read_int16(char *pData,bool bIsBigEndian=false); 496 static quint32 _read_uint32(char *pData,bool bIsBigEndian=false); 497 static qint32 _read_int32(char *pData,bool bIsBigEndian=false); 498 static quint64 _read_uint64(char *pData,bool bIsBigEndian=false); 499 static qint64 _read_int64(char *pData,bool bIsBigEndian=false); 500 static QString _read_ansiString(char *pData,int nMaxSize=50); 501 static QByteArray _read_byteArray(char *pData,int nSize); 502 static float _read_float(char *pData,bool bIsBigEndian=false); // TODO Check 503 static double _read_double(char *pData,bool bIsBigEndian=false); // TODO Check 504 505 static quint64 _read_value(MODE mode,char *pData,bool bIsBigEndian=false); 506 507 static void _write_uint8(char *pData,quint8 nValue); 508 static void _write_int8(char *pData,qint8 nValue); 509 static void _write_uint16(char *pData,quint16 nValue,bool bIsBigEndian=false); 510 static void _write_int16(char *pData,qint16 nValue,bool bIsBigEndian=false); 511 static void _write_uint32(char *pData,quint32 nValue,bool bIsBigEndian=false); 512 static void _write_int32(char *pData,qint32 nValue,bool bIsBigEndian=false); 513 static void _write_uint64(char *pData,quint64 nValue,bool bIsBigEndian=false); 514 static void _write_int64(char *pData,qint64 nValue,bool bIsBigEndian=false); 515 static void _write_float(char *pData,float fValue,bool bIsBigEndian=false); // TODO Check 516 static void _write_double(char *pData,double dValue,bool bIsBigEndian=false); // TODO Check 517 518 static void _write_value(MODE mode,char *pData,quint64 nValue,bool bIsBigEndian=false); 519 520 qint64 find_array(qint64 nOffset,qint64 nSize,const char *pArray,qint64 nArraySize); 521 qint64 find_byteArray(qint64 nOffset,qint64 nSize,QByteArray baData); 522 qint64 find_uint8(qint64 nOffset,qint64 nSize,quint8 nValue); 523 qint64 find_int8(qint64 nOffset,qint64 nSize,qint8 nValue); 524 qint64 find_uint16(qint64 nOffset,qint64 nSize,quint16 nValue,bool bIsBigEndian=false); 525 qint64 find_int16(qint64 nOffset,qint64 nSize,qint16 nValue,bool bIsBigEndian=false); 526 qint64 find_uint32(qint64 nOffset,qint64 nSize,quint32 nValue,bool bIsBigEndian=false); 527 qint64 find_int32(qint64 nOffset,qint64 nSize,qint32 nValue,bool bIsBigEndian=false); 528 qint64 find_uint64(qint64 nOffset,qint64 nSize,quint64 nValue,bool bIsBigEndian=false); 529 qint64 find_int64(qint64 nOffset,qint64 nSize,qint64 nValue,bool bIsBigEndian=false); 530 qint64 find_float(qint64 nOffset,qint64 nSize,float fValue,bool bIsBigEndian=false); 531 qint64 find_double(qint64 nOffset,qint64 nSize,double dValue,bool bIsBigEndian=false); 532 533 static void endian_float(float *pValue,bool bIsBigEndian); 534 static void endian_double(double *pValue,bool bIsBigEndian); 535 536 qint64 find_ansiString(qint64 nOffset,qint64 nSize,QString sString); 537 qint64 find_unicodeString(qint64 nOffset,qint64 nSize,QString sString); // mb TODO endian 538 qint64 find_signature(qint64 nOffset,qint64 nSize,QString sSignature,qint64 *pnResultSize=0); 539 qint64 find_signature(_MEMORY_MAP *pMemoryMap,qint64 nOffset,qint64 nSize,QString sSignature,qint64 *pnResultSize=0); 540 qint64 find_ansiStringI(qint64 nOffset,qint64 nSize,QString sString); 541 qint64 find_unicodeStringI(qint64 nOffset,qint64 nSize,QString sString); 542 543 struct STRINGSEARCH_OPTIONS 544 { 545 qint32 nLimit; 546 qint64 nMinLenght; 547 qint64 nMaxLenght; 548 bool bAnsi; 549 bool bUTF8; 550 bool bUnicode; 551 bool bCStrings; 552 QString sExpFilter; 553 QString sANSICodec; 554 }; 555 556 QList<MS_RECORD> multiSearch_allStrings(qint64 nOffset,qint64 nSize,STRINGSEARCH_OPTIONS ssOptions); 557 QList<MS_RECORD> multiSearch_signature(qint64 nOffset,qint64 nSize,qint32 nLimit,QString sSignature,QString sInfo=""); 558 QList<MS_RECORD> multiSearch_signature(_MEMORY_MAP *pMemoryMap,qint64 nOffset,qint64 nSize,qint32 nLimit,QString sSignature,QString sInfo=""); 559 560 QByteArray getUnicodeString(QString sString); 561 562 bool isSignaturePresent(_MEMORY_MAP *pMemoryMap,qint64 nOffset,qint64 nSize,QString sSignature); 563 564 static bool createFile(QString sFileName,qint64 nFileSize=0); 565 static bool isFileExists(QString sFileName); 566 static bool removeFile(QString sFileName); 567 static bool copyFile(QString sSrcFileName,QString sDestFileName); 568 static bool moveFile(QString sSrcFileName,QString sDestFileName); 569 static bool moveFileToDirectory(QString sSrcFileName,QString sDestDirectory); 570 static QString convertFileNameSymbols(QString sFileName); 571 static QString getBaseFileName(QString sFileName); 572 static bool createDirectory(QString sDirectoryName); 573 static bool isDirectoryExists(QString sDirectoryName); 574 static bool removeDirectory(QString sDirectoryName); 575 static bool isDirectoryEmpty(QString sDirectoryName); 576 577 static QByteArray readFile(QString sFileName); 578 579 static void _copyMemory(char *pDest,char *pSource,qint64 nSize); 580 static void _zeroMemory(char *pDest,qint64 nSize); 581 static bool _isMemoryZeroFilled(char *pDest,qint64 nSize); 582 static bool copyDeviceMemory(QIODevice *pSourceDevice,qint64 nSourceOffset,QIODevice *pDestDevice,qint64 nDestOffset,qint64 nSize,quint32 nBufferSize=0x1000); 583 bool copyMemory(qint64 nSourceOffset,qint64 nDestOffset,qint64 nSize,quint32 nBufferSize=1,bool bReverse=false); 584 bool zeroFill(qint64 nOffset,qint64 nSize); 585 static bool compareMemory(char *pMemory1,const char *pMemory2,qint64 nSize); 586 // For strings compare 587 static bool compareMemoryByteI(quint8 *pMemory,const quint8 *pMemoryU,const quint8 *pMemoryL,qint64 nSize); // Ansi 588 static bool compareMemoryWordI(quint16 *pMemory,const quint16 *pMemoryU,const quint16 *pMemoryL,qint64 nSize); // Unicode 589 590 bool isOffsetValid(qint64 nOffset); 591 bool isAddressValid(qint64 nAddress); 592 bool isRelAddressValid(qint64 nRelAddress); 593 bool isAddressPhysical(qint64 nAddress); 594 595 qint64 offsetToAddress(qint64 nOffset); 596 qint64 addressToOffset(qint64 nAddress); 597 qint64 offsetToRelAddress(qint64 nOffset); 598 qint64 relAddressToOffset(qint64 nRelAddress); 599 600 static bool isOffsetValid(_MEMORY_MAP *pMemoryMap,qint64 nOffset); 601 static bool isOffsetAndSizeValid(_MEMORY_MAP *pMemoryMap,OFFSETSIZE *pOffsetSize); 602 bool isOffsetAndSizeValid(qint64 nOffset,qint64 nSize); 603 static bool isOffsetAndSizeValid(_MEMORY_MAP *pMemoryMap,qint64 nOffset,qint64 nSize); 604 605 static bool isAddressValid(_MEMORY_MAP *pMemoryMap,qint64 nAddress); 606 static bool isRelAddressValid(_MEMORY_MAP *pMemoryMap,qint64 nRelAddress); 607 608 static bool isAddressPhysical(_MEMORY_MAP *pMemoryMap,qint64 nAddress); 609 610 static qint64 offsetToAddress(_MEMORY_MAP *pMemoryMap,qint64 nOffset); 611 static qint64 addressToOffset(_MEMORY_MAP *pMemoryMap,qint64 nAddress); 612 static qint64 offsetToRelAddress(_MEMORY_MAP *pMemoryMap,qint64 nOffset); 613 static qint64 relAddressToOffset(_MEMORY_MAP *pMemoryMap,qint64 nRelAddress); 614 static qint64 relAddressToAddress(_MEMORY_MAP *pMemoryMap,qint64 nRelAddress); 615 static qint64 addressToRelAddress(_MEMORY_MAP *pMemoryMap,qint64 nAddress); 616 617 static _MEMORY_RECORD getMemoryRecordByOffset(_MEMORY_MAP *pMemoryMap,qint64 nOffset); 618 static _MEMORY_RECORD getMemoryRecordByAddress(_MEMORY_MAP *pMemoryMap,qint64 nAddress); 619 static _MEMORY_RECORD getMemoryRecordByRelAddress(_MEMORY_MAP *pMemoryMap,qint64 nRelAddress); 620 621 static qint32 addressToLoadSection(_MEMORY_MAP *pMemoryMap,qint64 nAddress); 622 623 static bool isSolidAddressRange(_MEMORY_MAP *pMemoryMap,qint64 nAddress,qint64 nSize); 624 625 QString getMemoryRecordInfoByOffset(qint64 nOffset); 626 QString getMemoryRecordInfoByAddress(qint64 nAddress); 627 QString getMemoryRecordInfoByRelAddress(qint64 nRelAddress); 628 629 static QString getMemoryRecordInfoByOffset(_MEMORY_MAP *pMemoryMap,qint64 nOffset); 630 static QString getMemoryRecordInfoByAddress(_MEMORY_MAP *pMemoryMap,qint64 nAddress); 631 static QString getMemoryRecordInfoByRelAddress(_MEMORY_MAP *pMemoryMap,qint64 nRelAddress); 632 633 static QString getMemoryRecordInfo(_MEMORY_RECORD *pMemoryRecord); 634 635 virtual _MEMORY_MAP getMemoryMap(); 636 637 static qint32 getNumberOfPhysicalRecords(_MEMORY_MAP *pMemoryMap); 638 639 virtual qint64 getBaseAddress(); 640 virtual void setBaseAddress(qint64 nBaseAddress); 641 642 virtual qint64 getImageSize(); 643 644 qint64 _getEntryPointOffset(); 645 virtual qint64 getEntryPointOffset(_MEMORY_MAP *pMemoryMap); 646 647 virtual void setEntryPointOffset(qint64 nEntryPointOffset); 648 qint64 getEntryPointAddress(); 649 qint64 getEntryPointAddress(_MEMORY_MAP *pMemoryMap); 650 651 static qint64 getLowestAddress(_MEMORY_MAP *pMemoryMap); 652 static qint64 getTotalVirtualSize(_MEMORY_MAP *pMemoryMap); 653 static qint64 positionToVirtualAddress(_MEMORY_MAP *pMemoryMap,qint64 nPosition); 654 655 void setModuleAddress(qint64 nValue); 656 657 qint64 getModuleAddress(); 658 659 bool isImage(); 660 void setIsImage(bool bValue); 661 662 static qint64 getPhysSize(char *pBuffer,qint64 nSize); // TODO Check! 663 static bool isEmptyData(char *pBuffer,qint64 nSize); 664 bool compareSignature(QString sSignature,qint64 nOffset=0); 665 bool compareSignature(_MEMORY_MAP *pMemoryMap,QString sSignature,qint64 nOffset=0); 666 static bool _compareByteArrayWithSignature(QByteArray baData,QString sSignature); 667 static QString _createSignature(QString sSignature1,QString sSignature2); 668 669 bool compareSignatureOnAddress(QString sSignature,qint64 nAddress); 670 bool compareSignatureOnAddress(_MEMORY_MAP *pMemoryMap,QString sSignature,qint64 nAddress); 671 672 bool compareEntryPoint(QString sSignature,qint64 nOffset=0); 673 bool compareEntryPoint(_MEMORY_MAP *pMemoryMap,QString sSignature,qint64 nOffset=0); 674 675 bool moveMemory(qint64 nSourceOffset,qint64 nDestOffset,qint64 nSize); 676 677 static bool dumpToFile(QString sFileName,const char *pData,qint64 nDataSize); 678 bool dumpToFile(QString sFileName,qint64 nDataOffset,qint64 nDataSize); 679 680 QSet<FT> getFileTypes(bool bExtra=false); 681 static QSet<FT> getFileTypes(QIODevice *pDevice,bool bExtra=false); // mb TODO isImage 682 static QSet<FT> getFileTypes(QString sFileName,bool bExtra=false); 683 static QSet<FT> getFileTypes(QByteArray *pbaData,bool bExtra=false); 684 685 static FT getPrefFileType(QIODevice *pDevice,bool bExtra=false); 686 687 static QList<FT> _getFileTypeListFromSet(QSet<FT> stFileTypes); 688 689 static QString valueToHex(quint8 nValue); 690 static QString valueToHex(qint8 nValue); 691 static QString valueToHex(quint16 nValue,bool bIsBigEndian=false); 692 static QString valueToHex(qint16 nValue,bool bIsBigEndian=false); 693 static QString valueToHex(quint32 nValue,bool bIsBigEndian=false); 694 static QString valueToHex(qint32 nValue,bool bIsBigEndian=false); 695 static QString valueToHex(quint64 nValue,bool bIsBigEndian=false); 696 static QString valueToHex(qint64 nValue,bool bIsBigEndian=false); 697 static QString valueToHex(float fValue,bool bIsBigEndian=false); 698 static QString valueToHex(double dValue,bool bIsBigEndian=false); 699 static QString valueToHex(MODE mode,quint64 nValue,bool bIsBigEndian=false); 700 static QString valueToHexEx(quint64 nValue,bool bIsBigEndian=false); 701 702 static bool checkString_uint8(QString sValue); 703 static bool checkString_int8(QString sValue); 704 static bool checkString_uint16(QString sValue); 705 static bool checkString_int16(QString sValue); 706 static bool checkString_uint32(QString sValue); 707 static bool checkString_int32(QString sValue); 708 static bool checkString_uint64(QString sValue); 709 static bool checkString_int64(QString sValue); 710 static bool checkString_float(QString sValue); 711 static bool checkString_double(QString sValue); 712 713 static QString boolToString(bool bValue); 714 static QString getSpaces(qint32 nNumberOfSpaces); 715 716 static QString getUnpackedFileName(QIODevice *pDevice); 717 static QString getUnpackedFileName(QString sFileName); 718 static QString getDumpFileName(QIODevice *pDevice); 719 static QString getDumpFileName(QString sFileName); 720 static QString getBackupFileName(QIODevice *pDevice); 721 static QString getBackupFileName(QString sFileName); 722 static QString getResultFileName(QIODevice *pDevice,QString sAppendix); 723 static QString getResultFileName(QString sFileName,QString sAppendix); 724 static QString getDeviceFileName(QIODevice *pDevice); 725 static QString getDeviceFilePath(QIODevice *pDevice); 726 static QString getDeviceDirectory(QIODevice *pDevice); 727 static QString getDeviceFileBaseName(QIODevice *pDevice); 728 static QString getDeviceFileCompleteSuffix(QIODevice *pDevice); 729 static QString getDeviceFileSuffix(QIODevice *pDevice); 730 731 static bool isBackupPresent(QIODevice *pDevice); 732 static bool saveBackup(QIODevice *pDevice); 733 734 static QString getCurrentBackupDate(); 735 736 static QList<qint64> getFixupList(QIODevice *pDevice1,QIODevice *pDevice2,qint64 nDelta); 737 738 static QString getHash(HASH hash,QString sFileName); 739 static QString getHash(HASH hash,QIODevice *pDevice); 740 QString getHash(HASH hash,qint64 nOffset=0,qint64 nSize=-1); 741 QString getHash(HASH hash,QList<OFFSETSIZE> *pListOS); 742 743 static QSet<HASH> getHashMethods(); 744 static QList<HASH> getHashMethodsAsList(); 745 static QString hashIdToString(HASH hash); 746 747 static bool isFileHashValid(HASH hash,QString sFileName,QString sHash); 748 749 static quint32 getAdler32(QString sFileName); 750 static quint32 getAdler32(QIODevice *pDevice); 751 quint32 getAdler32(qint64 nOffset=0,qint64 nSize=-1); 752 753 static quint32 _getCRC32(QString sFileName); 754 static quint32 _getCRC32(QIODevice *pDevice); 755 quint32 _getCRC32(qint64 nOffset=0,qint64 nSize=-1); 756 757 static double getEntropy(QString sFileName); 758 static double getEntropy(QIODevice *pDevice); 759 double getEntropy(qint64 nOffset=0,qint64 nSize=-1); 760 761 BYTE_COUNTS getByteCounts(qint64 nOffset=0,qint64 nSize=-1); 762 763 void _xor(quint8 nXorValue,qint64 nOffset=0,qint64 nSize=-1); 764 765 // static quint32 _ror32(quint32 nValue,quint32 nShift); 766 // static quint32 _rol32(quint32 nValue,quint32 nShift); 767 static quint32 getStringCustomCRC32(QString sString); 768 769 QIODevice *getDevice(); 770 771 virtual bool isValid(); 772 static bool isValid(QIODevice *pDevice,bool bIsImage=false,qint64 nModuleAddress=-1); 773 static MODE getMode(QIODevice *pDevice,bool bIsImage=false,qint64 nModuleAddress=-1); 774 775 virtual bool isBigEndian(); 776 bool is16(); 777 bool is32(); 778 bool is64(); 779 780 bool isBigEndian(_MEMORY_MAP *pMemoryMap); 781 bool is16(_MEMORY_MAP *pMemoryMap); 782 bool is32(_MEMORY_MAP *pMemoryMap); 783 bool is64(_MEMORY_MAP *pMemoryMap); 784 785 void setVersion(QString sVersion); 786 virtual QString getVersion(); 787 virtual bool isEncrypted(); 788 789 QString getSignature(qint64 nOffset,qint64 nSize); 790 791 OFFSETSIZE convertOffsetAndSize(qint64 nOffset,qint64 nSize); 792 static OFFSETSIZE convertOffsetAndSize(QIODevice *pDevice,qint64 nOffset,qint64 nSize); 793 794 static bool compareSignatureStrings(QString sBaseSignature,QString sOptSignature); 795 static QString stringToHex(QString sString); 796 static QString hexToString(QString sHex); 797 static QString floatToString(float fValue,int nPrec=2); 798 static QString doubleToString(double dValue,int nPrec=2); 799 800 static quint8 hexToUint8(QString sHex); 801 static qint8 hexToInt8(QString sHex); 802 static quint16 hexToUint16(QString sHex,bool bIsBigEndian=false); 803 static qint16 hexToInt16(QString sHex,bool bIsBigEndian=false); 804 static quint32 hexToUint32(QString sHex,bool bIsBigEndian=false); 805 static qint32 hexToInt32(QString sHex,bool bIsBigEndian=false); 806 static quint64 hexToUint64(QString sHex,bool bIsBigEndian=false); 807 static qint64 hexToInt64(QString sHex,bool bIsBigEndian=false); 808 809 static QString invertHexByteString(QString sHex); 810 811 static void _swapBytes(char *pSource,int nSize); 812 static quint16 swapBytes(quint16 nValue); 813 static quint32 swapBytes(quint32 nValue); 814 static quint64 swapBytes(quint64 nValue); 815 816 bool isPlainTextType(); 817 bool isPlainTextType(QByteArray *pbaData); 818 bool isUTF8TextType(); 819 bool isUTF8TextType(QByteArray *pbaData); 820 821 static bool isPlainTextType(QIODevice *pDevice); 822 823 enum UNICODE_TYPE 824 { 825 UNICODE_TYPE_NONE=0, 826 UNICODE_TYPE_LE, 827 UNICODE_TYPE_BE 828 }; 829 830 UNICODE_TYPE getUnicodeType(); 831 UNICODE_TYPE getUnicodeType(QByteArray *pbaData); 832 833 static bool tryToOpen(QIODevice *pDevice); 834 835 bool checkOffsetSize(OFFSETSIZE os); 836 837 static QString get_uint32_version(quint32 nValue); 838 static bool isResizeEnable(QIODevice *pDevice); 839 static bool resize(QIODevice *pDevice,qint64 nSize); 840 841 struct PACKED_INT 842 { 843 bool bIsValid; 844 quint64 nValue; 845 quint32 nByteSize; 846 }; 847 848 PACKED_INT read_uleb128(qint64 nOffset,qint64 nSize); 849 PACKED_INT _read_uleb128(char *pData,qint64 nSize); 850 851 PACKED_INT read_acn1_integer(qint64 nOffset,qint64 nSize); 852 853 struct PACKED 854 { 855 quint64 nValue; 856 quint32 nByteSize; 857 }; 858 859 PACKED get_packedNumber(qint64 nOffset); 860 861 static QList<QString> getListFromFile(QString sFileName); 862 863 qint64 getOverlaySize(); 864 qint64 getOverlaySize(_MEMORY_MAP *pMemoryMap); 865 qint64 getOverlayOffset(); 866 qint64 getOverlayOffset(_MEMORY_MAP *pMemoryMap); 867 bool isOverlayPresent(); 868 bool isOverlayPresent(_MEMORY_MAP *pMemoryMap); 869 870 bool compareOverlay(QString sSignature,qint64 nOffset); 871 bool compareOverlay(_MEMORY_MAP *pMemoryMap,QString sSignature,qint64 nOffset); 872 873 bool addOverlay(char *pData,qint64 nDataSize); 874 bool removeOverlay(); 875 876 bool isSignatureInLoadSegmentPresent(qint32 nLoadSegment,QString sSignature); 877 bool isSignatureInLoadSegmentPresent(_MEMORY_MAP *pMemoryMap,qint32 nLoadSegment,QString sSignature); 878 879 static QString getStringCollision(QList<QString> *pListStrings,QString sString1,QString sString2); 880 881 static bool writeToFile(QString sFileName,QByteArray baData); 882 static bool writeToFile(QString sFileName,QIODevice *pDevice); 883 884 static bool appendToFile(QString sFileName,QString sString); 885 static bool clearFile(QString sFileName); 886 887 static qint32 getStringNumberFromList(QList<QString> *pListStrings,QString sString,bool *pbIsStop=nullptr); 888 static qint32 getStringNumberFromListExp(QList<QString> *pListStrings,QString sString,bool *pbIsStop=nullptr); 889 static bool isStringInListPresent(QList<QString> *pListStrings,QString sString,bool *pbIsStop=nullptr); 890 static bool isStringInListPresentExp(QList<QString> *pListStrings,QString sString,bool *pbIsStop=nullptr); 891 static QString getStringByIndex(QList<QString> *pListStrings,int nIndex,qint32 nNumberOfStrings=-1); 892 893 static bool isStringUnicode(QString sString,qint32 nMaxCheckSize=-1); 894 895 static quint32 elfHash(const quint8 *pData); 896 897 static QString getVersionString(QString sString); 898 static qint64 getVersionIntValue(QString sString); 899 static bool checkStringNumber(QString sString,quint32 nMin,quint32 nMax); 900 901 enum DT_TYPE 902 { 903 DT_TYPE_UNKNOWN=0, 904 DT_TYPE_POSIX 905 // TODO more 906 }; 907 908 static QString valueToTimeString(quint64 nValue,DT_TYPE type); 909 910 static bool isX86asm(QString sArch); 911 static QString disasmIdToString(DM disasmMode); 912 static DM getDisasmMode(_MEMORY_MAP *pMemoryMap); 913 static DMFAMILY getDisasmFamily(DM disasmMode); 914 915 static bool checkFileType(XBinary::FT fileTypeMain,XBinary::FT fileTypeOptional); 916 917 static void filterFileTypes(QSet<XBinary::FT> *pStFileTypes); 918 static void filterFileTypes(QSet<XBinary::FT> *pStFileTypes,XBinary::FT fileType); 919 920 static bool isFileTypePresent(QSet<XBinary::FT> *pStFileTypes,QSet<XBinary::FT> *pStAvailableFileTypes); 921 922 struct PROCENT 923 { 924 qint64 nCurrentValue; 925 qint64 nMaxValue; 926 qint32 nCurrentProcent; 927 qint32 nMaxProcent; 928 bool bTimer; 929 QElapsedTimer timer; 930 }; 931 932 static PROCENT procentInit(qint64 nMaxValue,bool bTimer=false); 933 static bool procentSetCurrentValue(PROCENT *pProcent,qint64 nCurrentValue); 934 935 static qint64 getTotalOSSize(QList<OFFSETSIZE> *pListOS); 936 937 static MODE getWidthModeFromSize(quint64 nSize); // TODO rename 938 static MODE getWidthModeFromMemoryMap(_MEMORY_MAP *pMemoryMap); 939 940 static MODE getWidthModeFromByteSize(quint32 nByteSize); 941 942 static bool isAnsiSymbol(quint8 cCode,bool bExtra=false); 943 static bool isUTF8Symbol(quint8 cCode,qint32 *pnWidth); 944 static bool isUnicodeSymbol(quint16 nCode,bool bExtra=false); 945 QString getStringFromIndex(qint64 nOffset,qint64 nSize,int nIndex); 946 947 static QList<QString> getAllFilesFromDirectory(QString sDirectory,QString sExtension); 948 949 enum OPCODE_STATUS 950 { 951 OPCODE_STATUS_SUCCESS=0, 952 OPCODE_STATUS_END 953 }; 954 955 QList<OPCODE> getOpcodes(qint64 nOffset,qint64 nStartAddress,qint64 nSize,quint32 nType); 956 virtual qint64 readOpcodes(quint32 nType,char *pData,qint64 nStartAddress,qint64 nSize,QList<OPCODE> *pListOpcodes,OPCODE_STATUS *pOpcodeStatus); 957 958 bool _read_opcode_uleb128(OPCODE *pOpcode,char **ppData,qint64 *pnSize,qint64 *pnAddress,qint64 *pnResult,QString sPrefix); 959 bool _read_opcode_ansiString(OPCODE *pOpcode,char **ppData,qint64 *pnSize,qint64 *pnAddress,qint64 *pnResult,QString sPrefix); 960 961 QList<quint32> get_uint32_list(qint64 nOffset,qint32 nNumberOfRecords,bool bIsBigEndian=false); 962 QList<quint64> get_uint64_list(qint64 nOffset,qint32 nNumberOfRecords,bool bIsBigEndian=false); 963 964 static bool _isOffsetsCrossed(qint64 nOffset1,qint64 nSize1,qint64 nOffset2,qint64 nSize2); 965 static bool _isReplaced(qint64 nOffset,qint64 nSize,QList<MEMORY_REPLACE> *pListMemoryReplace); 966 static bool _replaceMemory(qint64 nDataOffset,char *pData,qint64 nDataSize,QList<MEMORY_REPLACE> *pListMemoryReplace); 967 968 virtual QList<SYMBOL_RECORD> getSymbolRecords(XBinary::_MEMORY_MAP *pMemoryMap,SYMBOL_TYPE symbolType=SYMBOL_TYPE_ALL); 969 static SYMBOL_RECORD findSymbolByAddress(QList<SYMBOL_RECORD> *pListSymbolRecords,qint64 nAddress); 970 static SYMBOL_RECORD findSymbolByName(QList<SYMBOL_RECORD> *pListSymbolRecords,QString sName); 971 static SYMBOL_RECORD findSymbolByOrdinal(QList<SYMBOL_RECORD> *pListSymbolRecords,qint32 nOrdinal); 972 973 static QString generateUUID(); 974 975 static QString appendText(QString sResult,QString sString,QString sSeparate); 976 977 public slots: 978 void setSearchProcessEnable(bool bState); 979 void setDumpProcessEnable(bool bState); 980 void setEntropyProcessEnable(bool bState); 981 void setHashProcessEnable(bool bState); 982 void setProcessSignalsEnable(bool bState); 983 984 private: 985 static const int READWRITE_BUFFER_SIZE=0x1000; 986 static QString convertSignature(QString sSignature); 987 static QString qcharToHex(QChar cSymbol); 988 989 QList<SIGNATURE_RECORD> getSignatureRecords(QString sSignature); 990 bool _compareSignature(_MEMORY_MAP *pMemoryMap,QList<SIGNATURE_RECORD> *pListSignatureRecords,qint64 nOffset); 991 992 int _getSignatureRelOffsetFix(QList<SIGNATURE_RECORD> *pListSignatureRecords,QString sSignature,int nStartIndex); 993 int _getSignatureDelta(QList<SIGNATURE_RECORD> *pListSignatureRecords,QString sSignature,int nStartIndex); 994 int _getSignatureRelOffset(QList<SIGNATURE_RECORD> *pListSignatureRecords,QString sSignature,int nStartIndex); 995 int _getSignatureAddress(QList<SIGNATURE_RECORD> *pListSignatureRecords,QString sSignature,int nStartIndex); 996 int _getSignatureBytes(QList<SIGNATURE_RECORD> *pListSignatureRecords,QString sSignature,int nStartIndex); 997 998 void _searchProgressMinimumChanged(qint32 nMaximum); 999 void _searchProgressMaximumChanged(qint32 nMaximum); 1000 void _searchProgressValueChanged(qint32 nValue); 1001 void _dumpProgressMinimumChanged(qint32 nMaximum); 1002 void _dumpProgressMaximumChanged(qint32 nMaximum); 1003 void _dumpProgressValueChanged(qint32 nValue); 1004 void _entropyProgressMinimumChanged(qint32 nMaximum); 1005 void _entropyProgressMaximumChanged(qint32 nMaximum); 1006 void _entropyProgressValueChanged(qint32 nValue); 1007 void _hashProgressMinimumChanged(qint32 nMaximum); 1008 void _hashProgressMaximumChanged(qint32 nMaximum); 1009 void _hashProgressValueChanged(qint32 nValue); 1010 1011 protected: 1012 bool _isOffsetValid(qint64 nOffset); 1013 void _errorMessage(QString sErrorMessage); 1014 void _infoMessage(QString sInfoMessage); 1015 qint64 _calculateRawSize(); 1016 qint64 _calculateRawSize(_MEMORY_MAP *pMemoryMap); 1017 1018 signals: 1019 void errorMessage(QString sErrorMessage); 1020 void infoMessage(QString sInfoMessage); 1021 void searchProgressMinimumChanged(qint32 nMaximum); 1022 void searchProgressMaximumChanged(qint32 nMaximum); 1023 void searchProgressValueChanged(qint32 nValue); 1024 void dumpProgressMinimumChanged(qint32 nMaximum); 1025 void dumpProgressMaximumChanged(qint32 nMaximum); 1026 void dumpProgressValueChanged(qint32 nValue); 1027 void entropyProgressMinimumChanged(qint32 nMaximum); 1028 void entropyProgressMaximumChanged(qint32 nMaximum); 1029 void entropyProgressValueChanged(qint32 nValue); 1030 void hashProgressMinimumChanged(qint32 nMaximum); 1031 void hashProgressMaximumChanged(qint32 nMaximum); 1032 void hashProgressValueChanged(qint32 nValue); 1033 1034 private: 1035 QIODevice *g_pDevice; 1036 QMutex *g_pReadWriteMutex; 1037 bool g_bIsImage; 1038 qint64 g_nBaseAddress; 1039 qint64 g_nEntryPointOffset; 1040 qint64 g_nModuleAddress; 1041 bool g_bIsBigEndian; // TODO enum 1042 bool g_bIsSearchStop; 1043 bool g_bIsDumpStop; 1044 bool g_bIsEntropyStop; 1045 bool g_bIsHashStop; 1046 bool g_bIsProcessSignalsDisable; 1047 QString g_sArch; 1048 MODE g_mode; 1049 QString g_sVersion; 1050 int g_nType; 1051 FT g_fileType; 1052 bool g_bLog; 1053 qint64 g_nSize; 1054 }; 1055 1056 #endif // XBINARY_H 1057