diff options
| author | Fabrice Desclaux <fabrice.desclaux@cea.fr> | 2016-06-18 22:45:15 +0200 |
|---|---|---|
| committer | Fabrice Desclaux <fabrice.desclaux@cea.fr> | 2016-06-23 10:59:43 +0200 |
| commit | ccd8aebb855029cfadafcc50870445d3ee6e20b9 (patch) | |
| tree | 16425a84a1d0e5bc676597f193dd7fd424555e05 | |
| parent | 8134c3b0c08889a7cf3d8c991bd6bc305b950b7d (diff) | |
| download | miasm-ccd8aebb855029cfadafcc50870445d3ee6e20b9.tar.gz miasm-ccd8aebb855029cfadafcc50870445d3ee6e20b9.zip | |
Os_dep: add win 32 structs
| -rw-r--r-- | miasm2/os_dep/win_32_structs.py | 198 |
1 files changed, 198 insertions, 0 deletions
diff --git a/miasm2/os_dep/win_32_structs.py b/miasm2/os_dep/win_32_structs.py new file mode 100644 index 00000000..993fc79c --- /dev/null +++ b/miasm2/os_dep/win_32_structs.py @@ -0,0 +1,198 @@ +from miasm2.core.types import MemStruct, Num, Ptr, Str, \ + Array, RawStruct, Union, \ + BitField, Self, Void, Bits, \ + set_allocator, MemUnion, Struct + + +class UnicodeString(MemStruct): + fields = [ + ("length", Num("H")), + ("maxlength", Num("H")), + ("data", Ptr("<I", Str("utf16"))), + ] + + +class ListEntry(MemStruct): + fields = [ + ("flink", Ptr("<I", Void())), + ("blink", Ptr("<I", Void())), + ] + + +class LdrDataEntry(MemStruct): + + """ + +0x000 InLoadOrderLinks : _LIST_ENTRY + +0x008 InMemoryOrderLinks : _LIST_ENTRY + +0x010 InInitializationOrderLinks : _LIST_ENTRY + +0x018 DllBase : Ptr32 Void + +0x01c EntryPoint : Ptr32 Void + +0x020 SizeOfImage : Uint4B + +0x024 FullDllName : _UNICODE_STRING + +0x02c BaseDllName : _UNICODE_STRING + +0x034 Flags : Uint4B + +0x038 LoadCount : Uint2B + +0x03a TlsIndex : Uint2B + +0x03c HashLinks : _LIST_ENTRY + +0x03c SectionPointer : Ptr32 Void + +0x040 CheckSum : Uint4B + +0x044 TimeDateStamp : Uint4B + +0x044 LoadedImports : Ptr32 Void + +0x048 EntryPointActivationContext : Ptr32 Void + +0x04c PatchInformation : Ptr32 Void + """ + + fields = [ + ("InLoadOrderLinks", ListEntry), + ("InMemoryOrderLinks", ListEntry), + ("InInitializationOrderLinks", ListEntry), + ("DllBase", Ptr("<I", Void())), + ("EntryPoint", Ptr("<I", Void())), + ("SizeOfImage", Num("<I")), + ("FullDllName", UnicodeString), + ("BaseDllName", UnicodeString), + ("Flags", Array(Num("B"), 4)), + ("LoadCount", Num("H")), + ("TlsIndex", Num("H")), + ("union1", Union([ + ("HashLinks", Ptr("<I", Void())), + ("SectionPointer", Ptr("<I", Void())), + ])), + ("CheckSum", Num("<I")), + ("union2", Union([ + ("TimeDateStamp", Num("<I")), + ("LoadedImports", Ptr("<I", Void())), + ])), + ("EntryPointActivationContext", Ptr("<I", Void())), + ("PatchInformation", Ptr("<I", Void())), + + ] + + +class PEB_LDR_DATA(MemStruct): + + """ + +0x000 Length : Uint4B + +0x004 Initialized : UChar + +0x008 SsHandle : Ptr32 Void + +0x00c InLoadOrderModuleList : _LIST_ENTRY + +0x014 InMemoryOrderModuleList : _LIST_ENTRY + +0x01C InInitializationOrderModuleList : _LIST_ENTRY + """ + + fields = [ + ("Length", Num("<I")), + ("Initialized", Num("<I")), + ("SsHandle", Ptr("<I", Void())), + ("InLoadOrderModuleList", ListEntry), + ("InMemoryOrderModuleList", ListEntry), + ("InInitializationOrderModuleList", ListEntry) + ] + + +class PEB(MemStruct): + + """ + +0x000 InheritedAddressSpace : UChar + +0x001 ReadImageFileExecOptions : UChar + +0x002 BeingDebugged : UChar + +0x003 SpareBool : UChar + +0x004 Mutant : Ptr32 Void + +0x008 ImageBaseAddress : Ptr32 Void + +0x00c Ldr : Ptr32 _PEB_LDR_DATA + +0x010 processparameter + """ + + fields = [ + ("InheritedAddressSpace", Num("B")), + ("ReadImageFileExecOptions", Num("B")), + ("BeingDebugged", Num("B")), + ("SpareBool", Num("B")), + ("Mutant", Ptr("<I", Void())), + ("ImageBaseAddress", Num("<I")), + ("Ldr", Ptr("<I", PEB_LDR_DATA)), + ] + + +class NT_TIB(MemStruct): + + """ + +00 struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList + +04 void *StackBase + +08 void *StackLimit + +0c void *SubSystemTib + +10 void *FiberData + +10 uint32 Version + +14 void *ArbitraryUserPointer + +18 struct _NT_TIB *Self + """ + + fields = [ + ("ExceptionList", Ptr("<I", Void())), + ("StackBase", Ptr("<I", Void())), + ("StackLimit", Ptr("<I", Void())), + ("SubSystemTib", Ptr("<I", Void())), + (None, Union([ + ("FiberData", Ptr("<I", Void())), + ("Version", Num("<I")) + ])), + ("ArbitraryUserPointer", Ptr("<I", Void())), + ("Self", Ptr("<I", Self())), + ] + + +class TEB(MemStruct): + + """ + +0x000 NtTib : _NT_TIB + +0x01c EnvironmentPointer : Ptr32 Void + +0x020 ClientId : _CLIENT_ID + +0x028 ActiveRpcHandle : Ptr32 Void + +0x02c ThreadLocalStoragePointer : Ptr32 Void + +0x030 ProcessEnvironmentBlock : Ptr32 _PEB + +0x034 LastErrorValue : Uint4B + ... + """ + + fields = [ + ("NtTib", NT_TIB), + ("EnvironmentPointer", Ptr("<I", Void())), + ("ClientId", Array(Num("B"), 0x8)), + ("ActiveRpcHandle", Ptr("<I", Void())), + ("ThreadLocalStoragePointer", Ptr("<I", Void())), + ("ProcessEnvironmentBlock", Ptr("<I", PEB)), + ("LastErrorValue", Num("<I")), + ] + + +class ContextException(MemStruct): + fields = [ + ("ContectFlags", Num("<I")), + ("dr0", Num("<I")), + ("dr1", Num("<I")), + ("dr2", Num("<I")), + ("dr3", Num("<I")), + ("dr4", Num("<I")), + ("dr5", Num("<I")), + + ("Float", Array(Num("B"), 112)), + + ("gs", Num("<I")), + ("fs", Num("<I")), + ("es", Num("<I")), + ("ds", Num("<I")), + + ("edi", Num("<I")), + ("esi", Num("<I")), + ("ebx", Num("<I")), + ("edx", Num("<I")), + ("ecx", Num("<I")), + ("eax", Num("<I")), + ("ebp", Num("<I")), + ("eip", Num("<I")), + + ("cs", Num("<I")), + ("eflags", Num("<I")), + ("esp", Num("<I")), + ("ss", Num("<I")), + ] |