1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
base / win / pe_image_reader.cc [blame]
// Copyright 2014 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifdef UNSAFE_BUFFERS_BUILD
// TODO(crbug.com/40284755): Remove this and spanify to fix the errors.
#pragma allow_unsafe_buffers
#endif
#include "base/win/pe_image_reader.h"
#include <memory>
#include "base/check_op.h"
#include "base/memory/raw_ptr.h"
#include "base/numerics/safe_math.h"
#include "base/win/wintrust_shim.h"
namespace base {
namespace win {
// A class template of traits pertaining to IMAGE_OPTIONAL_HEADER{32,64}.
template <class HEADER_TYPE>
struct OptionalHeaderTraits {};
template <>
struct OptionalHeaderTraits<IMAGE_OPTIONAL_HEADER32> {
static const PeImageReader::WordSize word_size = PeImageReader::WORD_SIZE_32;
};
template <>
struct OptionalHeaderTraits<IMAGE_OPTIONAL_HEADER64> {
static const PeImageReader::WordSize word_size = PeImageReader::WORD_SIZE_64;
};
// A template for type-specific optional header implementations. This, in
// conjunction with the OptionalHeader interface, effectively erases the
// underlying structure type from the point of view of the PeImageReader.
template <class OPTIONAL_HEADER_TYPE>
class PeImageReader::OptionalHeaderImpl : public PeImageReader::OptionalHeader {
public:
using TraitsType = OptionalHeaderTraits<OPTIONAL_HEADER_TYPE>;
explicit OptionalHeaderImpl(const uint8_t* optional_header_start)
: optional_header_(reinterpret_cast<const OPTIONAL_HEADER_TYPE*>(
optional_header_start)) {}
OptionalHeaderImpl(const OptionalHeaderImpl&) = delete;
OptionalHeaderImpl& operator=(const OptionalHeaderImpl&) = delete;
WordSize GetWordSize() override { return TraitsType::word_size; }
size_t GetDataDirectoryOffset() override {
return offsetof(OPTIONAL_HEADER_TYPE, DataDirectory);
}
DWORD GetDataDirectorySize() override {
return optional_header_->NumberOfRvaAndSizes;
}
const IMAGE_DATA_DIRECTORY* GetDataDirectoryEntries() override {
return &optional_header_->DataDirectory[0];
}
DWORD GetSizeOfImage() override { return optional_header_->SizeOfImage; }
private:
raw_ptr<const OPTIONAL_HEADER_TYPE> optional_header_;
};
PeImageReader::PeImageReader() = default;
PeImageReader::~PeImageReader() {
Clear();
}
bool PeImageReader::Initialize(span<const uint8_t> image_data) {
image_data_ = image_data;
if (!ValidateDosHeader() || !ValidatePeSignature() ||
!ValidateCoffFileHeader() || !ValidateOptionalHeader() ||
!ValidateSectionHeaders()) {
Clear();
return false;
}
return true;
}
PeImageReader::WordSize PeImageReader::GetWordSize() {
return optional_header_->GetWordSize();
}
const IMAGE_DOS_HEADER* PeImageReader::GetDosHeader() {
DCHECK_NE((validation_state_ & VALID_DOS_HEADER), 0U);
return reinterpret_cast<const IMAGE_DOS_HEADER*>(image_data_.data());
}
const IMAGE_FILE_HEADER* PeImageReader::GetCoffFileHeader() {
DCHECK_NE((validation_state_ & VALID_COFF_FILE_HEADER), 0U);
return reinterpret_cast<const IMAGE_FILE_HEADER*>(
image_data_
.subspan(checked_cast<size_t>(GetDosHeader()->e_lfanew) +
sizeof(DWORD))
.data());
}
span<const uint8_t> PeImageReader::GetOptionalHeaderData() {
return span(GetOptionalHeaderStart(), GetOptionalHeaderSize());
}
size_t PeImageReader::GetNumberOfSections() {
return GetCoffFileHeader()->NumberOfSections;
}
const IMAGE_SECTION_HEADER* PeImageReader::GetSectionHeaderAt(size_t index) {
DCHECK_NE((validation_state_ & VALID_SECTION_HEADERS), 0U);
DCHECK_LT(index, GetNumberOfSections());
return reinterpret_cast<const IMAGE_SECTION_HEADER*>(
GetOptionalHeaderStart() + GetOptionalHeaderSize() +
(sizeof(IMAGE_SECTION_HEADER) * index));
}
span<const uint8_t> PeImageReader::GetExportSection() {
span<const uint8_t> data = GetImageData(IMAGE_DIRECTORY_ENTRY_EXPORT);
// The export section data must be big enough for the export directory.
if (data.size() < sizeof(IMAGE_EXPORT_DIRECTORY)) {
return span<const uint8_t>();
}
return data;
}
size_t PeImageReader::GetNumberOfDebugEntries() {
return GetImageData(IMAGE_DIRECTORY_ENTRY_DEBUG).size() /
sizeof(IMAGE_DEBUG_DIRECTORY);
}
const IMAGE_DEBUG_DIRECTORY* PeImageReader::GetDebugEntry(
size_t index,
span<const uint8_t>& raw_data) {
DCHECK_LT(index, GetNumberOfDebugEntries());
// Get the debug directory.
span<const uint8_t> debug_directory_data =
GetImageData(IMAGE_DIRECTORY_ENTRY_DEBUG);
if (debug_directory_data.empty()) {
return nullptr;
}
const IMAGE_DEBUG_DIRECTORY& entry =
reinterpret_cast<const IMAGE_DEBUG_DIRECTORY&>(
debug_directory_data[index * sizeof(IMAGE_DEBUG_DIRECTORY)]);
const uint8_t* debug_data = nullptr;
if (GetStructureAt(entry.PointerToRawData, entry.SizeOfData, &debug_data)) {
raw_data = span(debug_data, entry.SizeOfData);
}
return &entry;
}
bool PeImageReader::EnumCertificates(EnumCertificatesCallback callback,
void* context) {
span<const uint8_t> data = GetImageData(IMAGE_DIRECTORY_ENTRY_SECURITY);
const size_t kWinCertificateSize = offsetof(WIN_CERTIFICATE, bCertificate);
while (!data.empty()) {
const WIN_CERTIFICATE* win_certificate =
reinterpret_cast<const WIN_CERTIFICATE*>(data.data());
if (kWinCertificateSize > data.size() ||
kWinCertificateSize > win_certificate->dwLength ||
win_certificate->dwLength > data.size()) {
return false;
}
if (!(*callback)(
win_certificate->wRevision, win_certificate->wCertificateType,
base::span(&win_certificate->bCertificate[0],
win_certificate->dwLength - kWinCertificateSize),
context)) {
return false;
}
size_t padded_length = (win_certificate->dwLength + 7) & ~0x7u;
if (padded_length > data.size()) {
return false;
}
data = data.subspan(padded_length);
}
return true;
}
DWORD PeImageReader::GetSizeOfImage() {
return optional_header_->GetSizeOfImage();
}
void PeImageReader::Clear() {
image_data_ = raw_span<const uint8_t>();
validation_state_ = 0;
optional_header_.reset();
}
bool PeImageReader::ValidateDosHeader() {
const IMAGE_DOS_HEADER* dos_header = nullptr;
if (!GetStructureAt(0, &dos_header) ||
dos_header->e_magic != IMAGE_DOS_SIGNATURE || dos_header->e_lfanew < 0) {
return false;
}
validation_state_ |= VALID_DOS_HEADER;
return true;
}
bool PeImageReader::ValidatePeSignature() {
const DWORD* signature = nullptr;
if (!GetStructureAt(static_cast<size_t>(GetDosHeader()->e_lfanew),
&signature) ||
*signature != IMAGE_NT_SIGNATURE) {
return false;
}
validation_state_ |= VALID_PE_SIGNATURE;
return true;
}
bool PeImageReader::ValidateCoffFileHeader() {
DCHECK_NE((validation_state_ & VALID_PE_SIGNATURE), 0U);
const IMAGE_FILE_HEADER* file_header = nullptr;
if (!GetStructureAt(static_cast<size_t>(GetDosHeader()->e_lfanew) +
offsetof(IMAGE_NT_HEADERS32, FileHeader),
&file_header)) {
return false;
}
validation_state_ |= VALID_COFF_FILE_HEADER;
return true;
}
bool PeImageReader::ValidateOptionalHeader() {
const IMAGE_FILE_HEADER* file_header = GetCoffFileHeader();
const size_t optional_header_offset =
static_cast<size_t>(GetDosHeader()->e_lfanew) +
offsetof(IMAGE_NT_HEADERS32, OptionalHeader);
const size_t optional_header_size = file_header->SizeOfOptionalHeader;
const WORD* optional_header_magic = nullptr;
if (optional_header_size < sizeof(*optional_header_magic) ||
!GetStructureAt(optional_header_offset, &optional_header_magic)) {
return false;
}
std::unique_ptr<OptionalHeader> optional_header;
if (*optional_header_magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
optional_header =
std::make_unique<OptionalHeaderImpl<IMAGE_OPTIONAL_HEADER32>>(
image_data_.subspan(optional_header_offset).data());
} else if (*optional_header_magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
optional_header =
std::make_unique<OptionalHeaderImpl<IMAGE_OPTIONAL_HEADER64>>(
image_data_.subspan(optional_header_offset).data());
} else {
return false;
}
// Does all of the claimed optional header fit in the image?
if (optional_header_size > image_data_.size() - optional_header_offset) {
return false;
}
// Is the claimed optional header big enough for everything but the dir?
if (optional_header->GetDataDirectoryOffset() > optional_header_size)
return false;
// Is there enough room for all of the claimed directory entries?
if (optional_header->GetDataDirectorySize() >
((optional_header_size - optional_header->GetDataDirectoryOffset()) /
sizeof(IMAGE_DATA_DIRECTORY))) {
return false;
}
optional_header_.swap(optional_header);
validation_state_ |= VALID_OPTIONAL_HEADER;
return true;
}
bool PeImageReader::ValidateSectionHeaders() {
const uint8_t* first_section_header =
GetOptionalHeaderStart() + GetOptionalHeaderSize();
const size_t number_of_sections = GetNumberOfSections();
// Do all section headers fit in the image?
if (!GetStructureAt(
static_cast<size_t>(first_section_header - image_data_.data()),
number_of_sections * sizeof(IMAGE_SECTION_HEADER),
&first_section_header)) {
return false;
}
validation_state_ |= VALID_SECTION_HEADERS;
return true;
}
const uint8_t* PeImageReader::GetOptionalHeaderStart() {
DCHECK_NE((validation_state_ & VALID_OPTIONAL_HEADER), 0U);
return image_data_
.subspan(checked_cast<size_t>(GetDosHeader()->e_lfanew) +
offsetof(IMAGE_NT_HEADERS32, OptionalHeader))
.data();
}
size_t PeImageReader::GetOptionalHeaderSize() {
return GetCoffFileHeader()->SizeOfOptionalHeader;
}
const IMAGE_DATA_DIRECTORY* PeImageReader::GetDataDirectoryEntryAt(
size_t index) {
DCHECK_NE((validation_state_ & VALID_OPTIONAL_HEADER), 0U);
if (index >= optional_header_->GetDataDirectorySize())
return nullptr;
return &optional_header_->GetDataDirectoryEntries()[index];
}
const IMAGE_SECTION_HEADER* PeImageReader::FindSectionFromRva(
uint32_t relative_address) {
const size_t number_of_sections = GetNumberOfSections();
for (size_t i = 0; i < number_of_sections; ++i) {
const IMAGE_SECTION_HEADER* section_header = GetSectionHeaderAt(i);
// Is the raw data present in the image? If no, optimistically keep looking.
const uint8_t* section_data = nullptr;
if (!GetStructureAt(section_header->PointerToRawData,
section_header->SizeOfRawData, §ion_data)) {
continue;
}
// Does the RVA lie on or after this section's start when mapped? If no,
// bail.
if (section_header->VirtualAddress > relative_address)
break;
// Does the RVA lie within the section when mapped? If no, keep looking.
size_t address_offset = relative_address - section_header->VirtualAddress;
if (address_offset > section_header->Misc.VirtualSize)
continue;
// We have a winner.
return section_header;
}
return nullptr;
}
span<const uint8_t> PeImageReader::GetImageData(size_t index) {
// Get the requested directory entry.
const IMAGE_DATA_DIRECTORY* entry = GetDataDirectoryEntryAt(index);
if (!entry)
return span<const uint8_t>();
// The entry for the certificate table is special in that its address is a
// file pointer rather than an RVA.
if (index == IMAGE_DIRECTORY_ENTRY_SECURITY) {
// Does the data fit within the file.
if (entry->VirtualAddress > image_data_.size() ||
image_data_.size() - entry->VirtualAddress < entry->Size) {
return span<const uint8_t>();
}
return image_data_.subspan(entry->VirtualAddress, entry->Size);
}
// Find the section containing the data.
const IMAGE_SECTION_HEADER* header =
FindSectionFromRva(entry->VirtualAddress);
if (!header)
return span<const uint8_t>();
// Does the data fit within the section when mapped?
size_t data_offset = entry->VirtualAddress - header->VirtualAddress;
if (entry->Size > (header->Misc.VirtualSize - data_offset))
return span<const uint8_t>();
// Is the data entirely present on disk (if not it's zeroed out when loaded)?
if (data_offset >= header->SizeOfRawData ||
header->SizeOfRawData - data_offset < entry->Size) {
return span<const uint8_t>();
}
return image_data_.subspan(header->PointerToRawData + data_offset,
entry->Size);
}
} // namespace win
} // namespace base