Unify the PE header types created by the PE view and that from the Platform types #5892
Description
A recurring situation during Windows malware analysis is that the code parse the PE for certain purposes. To deal with the code, often times we would like to apply appropriate types to the variables, e.g., setting the type of the variable that holds the PE header or the NT header. However, there are two cases where this workflow is not as smooth as we wish it to be:
-
The user navigates to the start of the PE view and see what the type is and then apply it. In binja, we put a COFF header followed by a PE64_Optional_Header (or PE32_Optional_Header). We did this for good -- some object files may not have the PE64_Optional_Header. However, the problem is if the user sets the variable type to
COFF_Header, then he would not be able to resolve offsets to the optional header, e.g., the export directory
-
The user is aware of the situation described in 1), and he knows there is a
IMAGE_NT_HEADERS64from the type library that we can use. Setting the variable toIMAGE_NT_HEADERS64will produce better output, however, a few things can be improved, e.g., theIMAGE_NT_HEADERS64has the data directory asIMAGE_DATA_DIRECTORY DataDirectory[0x10], which is NOT as descruptive as what we do inPE64_Optional_Header, which we define 16 separate members each with their name. Besides, various enums are just defined as WORD or DWORD, which is also not the best. See the below screenshot for an illustration on what I am talking about:
As such, I think a possible route is to combine the two types and have the PE view directly use the type from the type library instead of defining its own. Alternatively, if this is not viable, then maybe we can at least change the IMAGE_NT_HEADERS64 type in the type library to make it look closer to the COFF_Header+IMAGE_NT_HEADERS64, but have them sit in one larger structure, so that the code can resolve references to offsets into IMAGE_NT_HEADERS64 properly