/* Copyright (c) 2019-2024 hors<horsicq@gmail.com>
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef BINARY_SCRIPT_H
#define BINARY_SCRIPT_H
#include "xformats.h"
#include "xcapstone.h"
// Accessor object over one XBinary (and one FILEPART of it): a QObject whose public slots offer
// reads, searches, address conversion, checksums and format queries. The "js shows as char"
// remarks and the File.* mapping in the comments further down indicate that the slots are called
// from a JavaScript engine.
// NOTE(review): nearly every slot takes a caller-supplied signed qint64 offset and/or size. When the
// inspected file or the calling script is untrusted, negative values, offsets past getSize() and
// offset+size overflow all have to be handled in the implementation, which is not visible in this
// header -- confirm each path is bounded (the private _fixOffsetAndSize helper looks intended for this).
class Binary_Script : public QObject {
Q_OBJECT
public:
// Scan-mode flags; each field is reported by the matching is...() slot name below
// (isDeepScan, isHeuristicScan, isAggressiveScan, isVerbose, isProfiling).
struct OPTIONS {
bool bIsDeepScan;
bool bIsHeuristicScan;
bool bIsAggressiveScan;
bool bIsVerbose;
bool bIsProfiling;
};
// All four arguments are raw pointers/values; the private section keeps raw pointers of the same
// types (g_pBinary, g_pOptions, g_pPdStruct).
// NOTE(review): ownership and required lifetime of pBinary, pOptions and pPdStruct are not stated
// here -- presumably they must outlive this object; confirm against the callers.
explicit Binary_Script(XBinary *pBinary, XBinary::FILEPART filePart, OPTIONS *pOptions, XBinary::PDSTRUCT *pPdStruct);
~Binary_Script();
public slots:
// --- Size, signature comparison and fixed-width reads at a file offset ---
qint64 getSize();
bool compare(const QString &sSignature, qint64 nOffset = 0);
bool compareEP(const QString &sSignature, qint64 nOffset = 0);
quint8 readByte(qint64 nOffset);
qint16 readSByte(qint64 nOffset); // qint16 not qint8 js shows as char
quint16 readWord(qint64 nOffset);
qint16 readSWord(qint64 nOffset);
quint32 readDword(qint64 nOffset);
qint32 readSDword(qint64 nOffset);
quint64 readQword(qint64 nOffset);
qint64 readSQword(qint64 nOffset);
// nMaxSize defaults to 50, which caps the returned string unless the caller raises it.
QString getString(qint64 nOffset, qint64 nMaxSize = 50);
// --- Searches over [nOffset, nOffset + nSize); all return a qint64 ---
// NOTE(review): the "not found" return value is not visible in this header; confirm it in the
// implementation before testing results against 0 or -1.
qint64 findSignature(qint64 nOffset, qint64 nSize, const QString &sSignature);
qint64 findString(qint64 nOffset, qint64 nSize, const QString &sString);
qint64 findByte(qint64 nOffset, qint64 nSize, quint8 nValue);
qint64 findWord(qint64 nOffset, qint64 nSize, quint16 nValue);
qint64 findDword(qint64 nOffset, qint64 nSize, quint32 nValue);
// --- Entry point and overlay ---
qint64 getEntryPointOffset();
qint64 getOverlayOffset();
qint64 getOverlaySize();
qint64 getAddressOfEntryPoint();
bool isOverlayPresent();
bool compareOverlay(const QString &sSignature, qint64 nOffset = 0);
bool isSignaturePresent(qint64 nOffset, qint64 nSize, const QString &sSignature);
quint32 swapBytes(quint32 nValue);
// The only virtual slot in the class, so subclasses can override it.
virtual QString getGeneralOptions();
// --- Address <-> file-offset conversion ---
// NOTE(review): the result for an address that maps to no file offset is not visible here; callers
// that feed the result back into a read should check it first.
qint64 RVAToOffset(qint64 nRVA);
qint64 VAToOffset(qint64 nVA);
qint64 OffsetToVA(qint64 nOffset);
qint64 OffsetToRVA(qint64 nOffset);
// --- File-name parts ---
QString getFileDirectory();
QString getFileBaseName();
QString getFileCompleteSuffix();
QString getFileSuffix();
// --- Region signature, entropy and checksums over [nOffset, nOffset + nSize) ---
QString getSignature(qint64 nOffset, qint64 nSize);
double calculateEntropy(qint64 nOffset, qint64 nSize);
QString calculateMD5(qint64 nOffset, qint64 nSize);
quint32 calculateCRC32(qint64 nOffset, qint64 nSize);
quint16 crc16(qint64 nOffset, qint64 nSize, quint16 nInit = 0);
quint32 crc32(qint64 nOffset, qint64 nSize, quint32 nInit = 0);
quint32 adler32(qint64 nOffset, qint64 nSize);
bool isSignatureInSectionPresent(quint32 nNumber, const QString &sSignature);
qint64 getImageBase(); // Check mb quint64
QString upperCase(const QString &sString);
QString lowerCase(const QString &sString);
// --- Text classification ---
bool isPlainText();
bool isUTF8Text();
bool isUnicodeText();
bool isText();
QString getHeaderString();
// --- Disassembly helpers; the class holds a capstone handle (csh g_disasmHandle) ---
qint32 getDisasmLength(qint64 nAddress);
QString getDisasmString(qint64 nAddress);
qint64 getDisasmNextAddress(qint64 nAddress);
bool is16();
bool is32();
bool is64();
// --- Scan-mode queries, named after the OPTIONS fields ---
bool isDeepScan();
bool isHeuristicScan();
bool isAggressiveScan();
bool isVerbose();
bool isProfiling();
// --- Typed reads; bIsBigEndian defaults to false on every multi-byte variant ---
quint8 read_uint8(qint64 nOffset);
qint16 read_int8(qint64 nOffset); // qint16 not qint8 / qint8 qjs shows as char
quint16 read_uint16(qint64 nOffset, bool bIsBigEndian = false);
qint16 read_int16(qint64 nOffset, bool bIsBigEndian = false);
quint32 read_uint32(qint64 nOffset, bool bIsBigEndian = false);
qint32 read_int32(qint64 nOffset, bool bIsBigEndian = false);
quint64 read_uint64(qint64 nOffset, bool bIsBigEndian = false);
qint64 read_int64(qint64 nOffset, bool bIsBigEndian = false);
// String reads: nMaxSize defaults to 50 and nMaxByteSize to 256. read_ucsdString takes no bound.
// NOTE(review): read_ucsdString has no size parameter -- presumably the length comes from the data
// itself; confirm the implementation limits it to the file size.
QString read_ansiString(qint64 nOffset, qint64 nMaxSize = 50);
QString read_unicodeString(qint64 nOffset, qint64 nMaxSize = 50);
QString read_utf8String(qint64 nOffset, qint64 nMaxSize = 50);
QString read_ucsdString(qint64 nOffset);
QString read_codePageString(qint64 nOffset, qint64 nMaxByteSize = 256, const QString &sCodePage = "System");
QString bytesCountToString(quint64 nValue);
qint64 find_ansiString(qint64 nOffset, qint64 nSize, const QString &sString);
qint64 find_unicodeString(qint64 nOffset, qint64 nSize, const QString &sString);
qint64 find_utf8String(qint64 nOffset, qint64 nSize, const QString &sString);
QString read_UUID_bytes(qint64 nOffset);
QString read_UUID(qint64 nOffset, bool bIsBigEndian = false);
float read_float(qint64 nOffset, bool bIsBigEndian = false);
double read_double(qint64 nOffset, bool bIsBigEndian = false);
float read_float16(qint64 nOffset, bool bIsBigEndian = false);
float read_float32(qint64 nOffset, bool bIsBigEndian = false);
double read_float64(qint64 nOffset, bool bIsBigEndian = false);
quint32 read_uint24(qint64 nOffset, bool bIsBigEndian = false);
qint32 read_int24(qint64 nOffset, bool bIsBigEndian = false);
quint8 read_bcd_uint8(qint64 nOffset);
quint16 read_bcd_uint16(qint64 nOffset, bool bIsBigEndian = false);
// NOTE(review): the next two are declared to return quint16 although their names say uint32 and
// uint64; a decoded value above 65535 would be truncated. Check against the definitions -- the
// return types look copied from read_bcd_uint16.
quint16 read_bcd_uint32(qint64 nOffset, bool bIsBigEndian = false);
quint16 read_bcd_uint64(qint64 nOffset, bool bIsBigEndian = false);
// --- JPEG queries ---
bool isJpeg();
QString getJpegComment();
QString getJpegDqtMD5();
bool isJpegChunkPresent(qint32 nID);
bool isJpegExifPresent();
QString getJpegExifCameraName();
// --- Operating-system and file-format descriptions ---
QString getOperationSystemName();
QString getOperationSystemVersion();
QString getOperationSystemOptions();
QString getFileFormatName();
QString getFileFormatVersion();
QString getFileFormatOptions();
bool isSigned();
QString cleanString(const QString &sString);
// --- Profiling: startTiming returns a handle that endTiming takes back ---
qint64 startTiming();
qint64 endTiming(qint64 nHandle, const QString &sInfo);
// --- Compressed-stream detection over [nOffset, nOffset + nSize) ---
qint64 detectZLIB(qint64 nOffset, qint64 nSize);
qint64 detectGZIP(qint64 nOffset, qint64 nSize);
qint64 detectZIP(qint64 nOffset, qint64 nSize);
bool isOverlay();
bool isResource();
bool isDebugData();
// aliases: short names with the same parameter lists as the read_*/find*/getSize/compare slots above
quint8 U8(qint64 nOffset);
qint16 I8(qint64 nOffset); // qint16 not qint8 / qint8 qjs shows as char
quint16 U16(qint64 nOffset, bool bIsBigEndian = false);
qint16 I16(qint64 nOffset, bool bIsBigEndian = false);
quint32 U24(qint64 nOffset, bool bIsBigEndian = false);
qint32 I24(qint64 nOffset, bool bIsBigEndian = false);
quint32 U32(qint64 nOffset, bool bIsBigEndian = false);
qint32 I32(qint64 nOffset, bool bIsBigEndian = false);
quint64 U64(qint64 nOffset, bool bIsBigEndian = false);
qint64 I64(qint64 nOffset, bool bIsBigEndian = false);
float F16(qint64 nOffset, bool bIsBigEndian = false);
float F32(qint64 nOffset, bool bIsBigEndian = false);
double F64(qint64 nOffset, bool bIsBigEndian = false);
QString SA(qint64 nOffset, qint64 nMaxSize = 50);
QString SU16(qint64 nOffset, qint64 nMaxSize = 50);
QString SU8(qint64 nOffset, qint64 nMaxSize = 50);
QString UCSD(qint64 nOffset);
QString SC(qint64 nOffset, qint64 nMaxByteSize = 256, const QString &sCodePage = "System");
qint64 Sz();
qint64 fSig(qint64 nOffset, qint64 nSize, const QString &sSignature);
qint64 fStr(qint64 nOffset, qint64 nSize, const QString &sString);
bool c(const QString &sSignature, qint64 nOffset = 0);
// Script-side view of the aliases (kept as a reference, not compiled).
// NOTE(review): the argument counts shown for UCSD, SU8 and SU16 below are one higher than the C++
// declarations above (UCSD takes 1 argument, SU8/SU16 take 2) -- confirm which side is current.
// function X.U8(a) { return File.read_uint8(a) }
// function X.I8(a) { return File.read_int8(a) }
// function X.U16(a,b) { return File.read_uint16(a,b) }
// function X.I16(a,b) { return File.read_int16(a,b) }
// function X.F16(a,b) { return File.read_float16(a,b) }
// function X.U24(a,b) { return File.read_uint24(a,b) }
// function X.I24(a,b) { return File.read_int24(a,b) }
// function X.U32(a,b) { return File.read_uint32(a,b) }
// function X.I32(a,b) { return File.read_int32(a,b) }
// function X.F32(a,b) { return File.read_float32(a,b) }
// function X.U64(a,b) { return File.read_uint64(a,b) }
// function X.I64(a,b) { return File.read_int64(a,b) }
// function X.F64(a,b) { return File.read_float64(a,b) }
// function X.SA(a,b) { return File.read_ansiString(a,b) }
// function X.SC(a,b,c) { return File.read_codePageString(a,b,c) }
// function X.UCSD(a,b) { return File.read_ucsdString(a,b) }
// function X.SU8(a,b,c) { return File.read_utf8String(a,b,c) }
// function X.SU16(a,b,c) { return File.read_unicodeString(a,b,c) }
// function X.Sz() { return File.getSize() }
// function X.fSig(a,b,c) { return File.findSignature(a,b,c) }
// function X.fStr(a,b,c) { return File.findString(a,b,c) }
// function X.c(a,b) { return File.compare(a,b) }
private:
// Takes the offset and size by pointer, so it can rewrite both in place.
// NOTE(review): presumably clamps the range to the file; which slots call it is not visible here.
void _fixOffsetAndSize(qint64 *pnOffset, qint64 *pnSize);
// Profiling helpers built on QElapsedTimer; _startProfiling returns a raw pointer.
// NOTE(review): who deletes the returned timer is not visible in this header -- confirm it is
// released in _finishProfiling or the destructor.
QElapsedTimer *_startProfiling();
void _finishProfiling(QElapsedTimer *pElapsedTimer, const QString &sInfo);
protected:
// Accessors for subclasses; they hand out raw pointers to internal or borrowed state.
XBinary::_MEMORY_MAP *getMemoryMap();
XADDR getBaseAddress();
XBinary::PDSTRUCT *getPdStruct();
QList<XArchive::RECORD> *getArchiveRecords();
signals:
// Message channels by severity.
void errorMessage(const QString &sErrorMessage);
void warningMessage(const QString &sWarningMessage);
void infoMessage(const QString &sInfoMessage);
private:
// Raw pointers of the same types as the constructor parameters (see the lifetime note there).
XBinary *g_pBinary;
XBinary::FILEPART g_filePart;
OPTIONS *g_pOptions;
XBinary::PDSTRUCT *g_pPdStruct;
XBinary::_MEMORY_MAP g_memoryMap;
XADDR g_nBaseAddress;
csh g_disasmHandle;
// Values with matching getter slots above (getSize, getEntryPointOffset, getOverlayOffset, ...);
// presumably cached once rather than recomputed per call -- confirm in the implementation.
qint64 g_nSize;
qint64 g_nEntryPointOffset;
qint64 g_nEntryPointAddress;
qint64 g_nOverlayOffset;
qint64 g_nOverlaySize;
// NOTE(review): named like a flag and paired with `bool isOverlayPresent()`, but declared qint64;
// looks like a copy of the neighbouring qint64 fields -- bool is probably what was meant.
qint64 g_bIsOverlayPresent;
// Signature strings for header, entry point and overlay, each with its size.
QString g_sHeaderSignature;
qint32 g_nHeaderSignatureSize;
QString g_sEntryPointSignature;
qint32 g_nEntryPointSignatureSize;
QString g_sOverlaySignature;
qint32 g_nOverlaySignatureSize;
bool g_bIsPlainText;
bool g_bIsUTF8Text;
bool g_bIsUnicodeText;
QString g_sHeaderString;
QString g_sFileDirectory;
QString g_sFileBaseName;
QString g_sFileCompleteSuffix;
QString g_sFileSuffix;
XBinary::OSINFO g_osInfo;
XBinary::FILEFORMATINFO g_fileFormatInfo;
// JPEG
bool g_bIsJpeg;
// NOTE(review): raw XJpeg pointer; allocation and release are not visible in this header.
XJpeg *g_pJpeg;
QList<XJpeg::CHUNK> g_listJpegChunks;
XBinary::OFFSETSIZE g_osJpegExif;
QList<XTiff::CHUNK> g_listJpegExifChunks;
QString g_sJpegExifCameraName;
bool g_bIsBigEndian;
bool g_bIsSigned;
// Timers keyed by a quint32; startTiming/endTiming above exchange a qint64 handle.
// NOTE(review): the map stores raw QElapsedTimer pointers -- confirm that entries left behind by a
// startTiming without a matching endTiming are freed, and how a qint64 handle maps to the quint32 key.
QMap<quint32, QElapsedTimer *> g_mapProfiling;
};
#endif // BINARY_SCRIPT_H