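#ifndef _DEX_H
#define _DEX_H

#include <stdlib.h>
#include <yara/integers.h>
#include <yara/types.h>

// Magic values for the DEX format versions recognised by this header.
// Each literal spells 8 significant bytes ("dex\n", three version digits and
// an explicit NUL); the compiler appends one more terminating NUL, so compare
// only the first 8 bytes, which is the size of dex_header_t.magic.
#define DEX_FILE_MAGIC_035 "dex\n035\x00"
#define DEX_FILE_MAGIC_036 "dex\n036\x00"
#define DEX_FILE_MAGIC_037 "dex\n037\x00"
#define DEX_FILE_MAGIC_038 "dex\n038\x00"
#define DEX_FILE_MAGIC_039 "dex\n039\x00"

// Every structure up to the matching pack(pop) is laid out without padding.
#pragma pack(push, 1)

// Fixed-size file header. Every *_size / *_offset value is read from the
// file being scanned and is therefore untrusted: validate it against
// DEX.data_size (see fits_in_dex) before it is used to index the buffer.
typedef struct
{
  uint8_t magic[8];
  uint32_t checksum;
  uint8_t signature[20];
  uint32_t file_size;
  uint32_t header_size;
  uint32_t endian_tag;
  uint32_t link_size;
  uint32_t link_offset;
  uint32_t map_offset;
  uint32_t string_ids_size;
  uint32_t string_ids_offset;
  uint32_t type_ids_size;
  uint32_t type_ids_offset;
  uint32_t proto_ids_size;
  uint32_t proto_ids_offset;
  uint32_t field_ids_size;
  uint32_t field_ids_offset;
  uint32_t method_ids_size;
  uint32_t method_ids_offset;
  uint32_t class_defs_size;
  uint32_t class_defs_offset;
  uint32_t data_size;
  uint32_t data_offset;
} dex_header_t;

// One entry of the string identifiers list: an offset to the string's data.
typedef struct
{
  uint32_t string_data_offset;
} string_id_item_t;

// NOTE(review): the DEX format stores utf16_size as ULEB128, so this struct
// presumably holds the decoded value rather than overlaying file bytes;
// confirm against the parser.
typedef struct
{
  uint32_t utf16_size;
} string_data_item_t;

// One entry of the type identifiers list.
typedef struct
{
  uint32_t descriptor_idx;
} type_id_item_t;

// One entry of the method prototype identifiers list.
typedef struct
{
  uint32_t shorty_idx;
  uint32_t return_type_idx;
  uint32_t parameters_offset;
} proto_id_item_t;

// One entry of the field identifiers list.
typedef struct
{
  uint16_t class_idx;
  uint16_t type_idx;
  uint32_t name_idx;
} field_id_item_t;

// One entry of the method identifiers list.
typedef struct
{
  uint16_t class_idx;
  uint16_t proto_idx;
  uint32_t name_idx;
} method_id_item_t;

// One entry of the class definitions list (the header counts these in
// class_defs_size). The *_offset members are file offsets and need the same
// bounds validation as the header offsets.
typedef struct
{
  uint32_t class_idx;
  uint32_t access_flags;
  uint32_t super_class_idx;
  uint32_t interfaces_offset;
  uint32_t source_file_idx;
  uint32_t annotations_offset;
  uint32_t class_data_offset;
  uint32_t static_values_offset;
} class_id_item_t;

// NOTE(review): class_data_item, encoded_field and encoded_method are
// ULEB128-encoded in the DEX format, so the three structs below presumably
// hold decoded values rather than overlaying file bytes; confirm against the
// parser. The counts come from the file and must be bounded before they
// drive a loop.
typedef struct
{
  uint32_t static_fields_size;
  uint32_t instance_fields_size;
  uint32_t direct_methods_size;
  uint32_t virtual_methods_size;
} class_data_item_t;

typedef struct
{
  uint32_t field_idx_diff;
  uint32_t access_flags;
} encoded_field_t;

typedef struct
{
  uint32_t method_idx_diff;
  uint32_t access_flags;
  uint32_t code_off;
} encoded_method_t;

// Fixed-size leading part of a method's code item.
typedef struct
{
  uint16_t registers_size;
  uint16_t ins_size;
  uint16_t outs_size;
  uint16_t tries_size;
  uint32_t debug_info_off;
  uint32_t insns_size;
} code_item_t;

// One entry of the map list located through dex_header_t.map_offset.
typedef struct
{
  uint16_t type;
  uint16_t unused;
  uint32_t size;
  uint32_t offset;
} map_item_t;

// Parsing context for one DEX buffer.
typedef struct _DEX
{
  const uint8_t* data;   // start of the buffer being parsed
  size_t data_size;      // number of readable bytes at data
  dex_header_t* header;  // presumably points into data; confirm at the caller
  YR_OBJECT* object;     // YARA object associated with this parse
} DEX;

// Evaluates to non-zero when the `size` bytes starting at `pointer` lie
// entirely inside [dex->data, dex->data + dex->data_size).
//
// `size` is tested against data_size first, so the subtraction in the last
// clause never produces an address below dex->data. Every argument is
// parenthesized: without that, an expression such as `a + b` passed as
// `size` expands to `... - a + b` in the upper bound and widens the accepted
// range instead of narrowing it.
//
// Caveats:
//  - each argument is evaluated more than once, so pass side-effect-free
//    expressions only;
//  - this validates an already-formed pointer. When `pointer` is built as
//    data + <offset read from the file>, the addition itself can overflow
//    for large offsets, so compare the offset with data_size first.
#define fits_in_dex(dex, pointer, size)               \
  ((size_t) (size) <= (dex)->data_size &&             \
   (const uint8_t*) (pointer) >= (dex)->data &&       \
   (const uint8_t*) (pointer) <=                      \
       (dex)->data + (dex)->data_size - (size_t) (size))

// Convenience form of fits_in_dex for one whole structure of `struct_type`.
#define struct_fits_in_dex(dex, pointer, struct_type) \
  fits_in_dex(dex, pointer, sizeof(struct_type))

#pragma pack(pop)

#endif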