subr_pe.c revision 123821
1/* 2 * Copyright (c) 2003 3 * Bill Paul <wpaul@windriver.com>. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by Bill Paul. 16 * 4. Neither the name of the author nor the names of any co-contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR THE VOICES IN HIS HEAD 24 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 30 * THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33#include <sys/cdefs.h> 34__FBSDID("$FreeBSD: head/sys/compat/ndis/subr_pe.c 123821 2003-12-24 21:21:18Z wpaul $"); 35 36/* 37 * This file contains routines for relocating and dynamically linking 38 * executable object code files in the Windows(r) PE (Portable Executable) 39 * format. In Windows, anything with a .EXE, .DLL or .SYS extention is 40 * considered an executable, and all such files have some structures in 41 * common. The PE format was apparently based largely on COFF but has 42 * mutated significantly over time. We are mainly concerned with .SYS files, 43 * so this module implements only enough routines to be able to parse the 44 * headers and sections of a .SYS object file and perform the necessary 45 * relocations and jump table patching to allow us to call into it 46 * (and to have it call back to us). Note that while this module 47 * can handle fixups for imported symbols, it knows nothing about 48 * exporting them. 49 */ 50 51#include <sys/param.h> 52#include <sys/types.h> 53#include <sys/errno.h> 54#ifdef _KERNEL 55#include <sys/systm.h> 56#else 57#include <stdio.h> 58#include <stdlib.h> 59#include <unistd.h> 60#include <string.h> 61#endif 62 63#include <compat/ndis/pe_var.h> 64 65static u_int32_t pe_functbl_match(image_patch_table *, char *); 66 67/* 68 * Check for an MS-DOS executable header. All Windows binaries 69 * have a small MS-DOS executable prepended to them to print out 70 * the "This program requires Windows" message. Even .SYS files 71 * have this header, in spite of the fact that you're can't actually 72 * run them directly. 73 */ 74 75int 76pe_get_dos_header(imgbase, hdr) 77 vm_offset_t imgbase; 78 image_dos_header *hdr; 79{ 80 uint16_t signature; 81 82 if (imgbase == 0 || hdr == NULL) 83 return (EINVAL); 84 85 signature = *(uint16_t *)imgbase; 86 if (signature != IMAGE_DOS_SIGNATURE) 87 return (ENOEXEC); 88 89 bcopy ((char *)imgbase, (char *)hdr, sizeof(image_dos_header)); 90 91 return(0); 92} 93 94/* 95 * Verify that this image has a Windows NT PE signature. 96 */ 97 98int 99pe_is_nt_image(imgbase) 100 vm_offset_t imgbase; 101{ 102 uint32_t signature; 103 image_dos_header *dos_hdr; 104 105 if (imgbase == 0) 106 return (EINVAL); 107 108 signature = *(uint16_t *)imgbase; 109 if (signature == IMAGE_DOS_SIGNATURE) { 110 dos_hdr = (image_dos_header *)imgbase; 111 signature = *(uint32_t *)(imgbase + dos_hdr->idh_lfanew); 112 if (signature == IMAGE_NT_SIGNATURE) 113 return(0); 114 } 115 116 return(ENOEXEC); 117} 118 119/* 120 * Return a copy of the optional header. This contains the 121 * executable entry point and the directory listing which we 122 * need to find the relocations and imports later. 123 */ 124 125int 126pe_get_optional_header(imgbase, hdr) 127 vm_offset_t imgbase; 128 image_optional_header *hdr; 129{ 130 image_dos_header *dos_hdr; 131 image_nt_header *nt_hdr; 132 133 if (imgbase == 0 || hdr == NULL) 134 return(EINVAL); 135 136 if (pe_is_nt_image(imgbase)) 137 return (EINVAL); 138 139 dos_hdr = (image_dos_header *)(imgbase); 140 nt_hdr = (image_nt_header *)(imgbase + dos_hdr->idh_lfanew); 141 142 bcopy ((char *)&nt_hdr->inh_optionalhdr, (char *)hdr, 143 sizeof(image_optional_header)); 144 145 return(0); 146} 147 148/* 149 * Return a copy of the file header. Contains the number of 150 * sections in this image. 151 */ 152 153int 154pe_get_file_header(imgbase, hdr) 155 vm_offset_t imgbase; 156 image_file_header *hdr; 157{ 158 image_dos_header *dos_hdr; 159 image_nt_header *nt_hdr; 160 161 if (imgbase == 0 || hdr == NULL) 162 return(EINVAL); 163 164 if (pe_is_nt_image(imgbase)) 165 return (EINVAL); 166 167 dos_hdr = (image_dos_header *)imgbase; 168 nt_hdr = (image_nt_header *)(imgbase + dos_hdr->idh_lfanew); 169 170 bcopy ((char *)&nt_hdr->inh_filehdr, (char *)hdr, 171 sizeof(image_file_header)); 172 173 return(0); 174} 175 176/* 177 * Return the header of the first section in this image (usually 178 * .text). 179 */ 180 181int 182pe_get_section_header(imgbase, hdr) 183 vm_offset_t imgbase; 184 image_section_header *hdr; 185{ 186 image_dos_header *dos_hdr; 187 image_nt_header *nt_hdr; 188 image_section_header *sect_hdr; 189 190 if (imgbase == 0 || hdr == NULL) 191 return(EINVAL); 192 193 if (pe_is_nt_image(imgbase)) 194 return (EINVAL); 195 196 dos_hdr = (image_dos_header *)imgbase; 197 nt_hdr = (image_nt_header *)(imgbase + dos_hdr->idh_lfanew); 198 sect_hdr = (image_section_header *)((vm_offset_t)nt_hdr + 199 sizeof(image_nt_header)); 200 201 bcopy ((char *)sect_hdr, (char *)hdr, sizeof(image_section_header)); 202 203 return(0); 204} 205 206/* 207 * Return the number of sections in this executable, or 0 on error. 208 */ 209 210int 211pe_numsections(imgbase) 212 vm_offset_t imgbase; 213{ 214 image_file_header file_hdr; 215 216 if (pe_get_file_header(imgbase, &file_hdr)) 217 return(0); 218 219 return (file_hdr.ifh_numsections); 220} 221 222/* 223 * Return the base address that this image was linked for. 224 * This helps us calculate relocation addresses later. 225 */ 226 227vm_offset_t 228pe_imagebase(imgbase) 229 vm_offset_t imgbase; 230{ 231 image_optional_header optional_hdr; 232 233 if (pe_get_optional_header(imgbase, &optional_hdr)) 234 return(0); 235 236 return (optional_hdr.ioh_imagebase); 237} 238 239/* 240 * Return the offset of a given directory structure within the 241 * image. Directories reside within sections. 242 */ 243 244vm_offset_t 245pe_directory_offset(imgbase, diridx) 246 vm_offset_t imgbase; 247 uint32_t diridx; 248{ 249 image_optional_header opt_hdr; 250 vm_offset_t dir; 251 252 if (pe_get_optional_header(imgbase, &opt_hdr)) 253 return(0); 254 255 if (diridx >= opt_hdr.ioh_rva_size_cnt) 256 return(0); 257 258 dir = opt_hdr.ioh_datadir[diridx].idd_vaddr; 259 260 return(pe_translate_addr(imgbase, dir)); 261} 262 263vm_offset_t 264pe_translate_addr(imgbase, rva) 265 vm_offset_t imgbase; 266 uint32_t rva; 267{ 268 image_optional_header opt_hdr; 269 image_section_header *sect_hdr; 270 image_dos_header *dos_hdr; 271 image_nt_header *nt_hdr; 272 int i = 0, sections, fixedlen; 273 274 if (pe_get_optional_header(imgbase, &opt_hdr)) 275 return(0); 276 277 sections = pe_numsections(imgbase); 278 279 dos_hdr = (image_dos_header *)imgbase; 280 nt_hdr = (image_nt_header *)(imgbase + dos_hdr->idh_lfanew); 281 sect_hdr = (image_section_header *)((vm_offset_t)nt_hdr + 282 sizeof(image_nt_header)); 283 284 /* 285 * The test here is to see if the RVA falls somewhere 286 * inside the section, based on the section's start RVA 287 * and its length. However it seems sometimes the 288 * virtual length isn't enough to cover the entire 289 * area of the section. We fudge by taking into account 290 * the section alignment and rounding the section length 291 * up to a page boundary. 292 */ 293 while (i++ < sections) { 294 fixedlen = sect_hdr->ish_misc.ish_vsize; 295 fixedlen += ((opt_hdr.ioh_sectalign - 1) - 296 sect_hdr->ish_misc.ish_vsize) & 297 (opt_hdr.ioh_sectalign - 1); 298 if (sect_hdr->ish_vaddr <= (u_int32_t)rva && 299 (sect_hdr->ish_vaddr + fixedlen) > 300 (u_int32_t)rva) 301 break; 302 sect_hdr++; 303 } 304 305 if (i > sections) 306 return(0); 307 308 return((vm_offset_t)(imgbase + rva - sect_hdr->ish_vaddr + 309 sect_hdr->ish_rawdataaddr)); 310} 311 312/* 313 * Get the section header for a particular section. Note that 314 * section names can be anything, but there are some standard 315 * ones (.text, .data, .rdata, .reloc). 316 */ 317 318int 319pe_get_section(imgbase, hdr, name) 320 vm_offset_t imgbase; 321 image_section_header *hdr; 322 const char *name; 323{ 324 image_dos_header *dos_hdr; 325 image_nt_header *nt_hdr; 326 image_section_header *sect_hdr; 327 328 int i, sections; 329 330 if (imgbase == 0 || hdr == NULL) 331 return(EINVAL); 332 333 if (pe_is_nt_image(imgbase)) 334 return (EINVAL); 335 336 sections = pe_numsections(imgbase); 337 338 dos_hdr = (image_dos_header *)imgbase; 339 nt_hdr = (image_nt_header *)(imgbase + dos_hdr->idh_lfanew); 340 sect_hdr = (image_section_header *)((vm_offset_t)nt_hdr + 341 sizeof(image_nt_header)); 342 343 for (i = 0; i < sections; i++) { 344 if (!strcmp ((char *)§_hdr->ish_name, name)) { 345 bcopy((char *)sect_hdr, (char *)hdr, 346 sizeof(image_section_header)); 347 return(0); 348 } else 349 sect_hdr++; 350 } 351 352 return (ENOEXEC); 353} 354 355/* 356 * Apply the base relocations to this image. The relocation table 357 * resides within the .reloc section. Relocations are specified in 358 * blocks which refer to a particular page. We apply the relocations 359 * one page block at a time. 360 */ 361 362int 363pe_relocate(imgbase) 364 vm_offset_t imgbase; 365{ 366 image_section_header sect; 367 image_base_reloc *relhdr; 368 uint16_t rel, *sloc; 369 uint32_t base, delta, *lloc; 370 int i, count; 371 vm_offset_t txt; 372 373 base = pe_imagebase(imgbase); 374 pe_get_section(imgbase, §, ".text"); 375 txt = pe_translate_addr(imgbase, sect.ish_vaddr); 376 delta = (uint32_t)(txt) - base - sect.ish_vaddr; 377 378 pe_get_section(imgbase, §, ".reloc"); 379 380 relhdr = (image_base_reloc *)(imgbase + sect.ish_rawdataaddr); 381 382 do { 383 count = (relhdr->ibr_blocksize - 384 (sizeof(uint32_t) * 2)) / sizeof(uint16_t); 385 for (i = 0; i < count; i++) { 386 rel = relhdr->ibr_rel[i]; 387 switch (IMR_RELTYPE(rel)) { 388 case IMAGE_REL_BASED_ABSOLUTE: 389 break; 390 case IMAGE_REL_BASED_HIGHLOW: 391 lloc = (uint32_t *)pe_translate_addr(imgbase, 392 relhdr->ibr_vaddr + IMR_RELOFFSET(rel)); 393 *lloc = pe_translate_addr(imgbase, 394 (*lloc - base)); 395 break; 396 case IMAGE_REL_BASED_HIGH: 397 sloc = (uint16_t *)pe_translate_addr(imgbase, 398 relhdr->ibr_vaddr + IMR_RELOFFSET(rel)); 399 *sloc += (delta & 0xFFFF0000) >> 16; 400 break; 401 case IMAGE_REL_BASED_LOW: 402 sloc = (uint16_t *)pe_translate_addr(imgbase, 403 relhdr->ibr_vaddr + IMR_RELOFFSET(rel)); 404 *sloc += (delta & 0xFFFF); 405 break; 406 default: 407 printf ("[%d]reloc type: %d\n",i, 408 IMR_RELTYPE(rel)); 409 break; 410 } 411 } 412 relhdr = (image_base_reloc *)((vm_offset_t)relhdr + 413 relhdr->ibr_blocksize); 414 } while (relhdr->ibr_blocksize); 415 416 return(0); 417} 418 419/* 420 * Return the import descriptor for a particular module. An image 421 * may be linked against several modules, typically HAL.dll, ntoskrnl.exe 422 * and NDIS.SYS. For each module, there is a list of imported function 423 * names and their addresses. 424 */ 425 426int 427pe_get_import_descriptor(imgbase, desc, module) 428 vm_offset_t imgbase; 429 image_import_descriptor *desc; 430 char *module; 431{ 432 vm_offset_t offset; 433 image_import_descriptor *imp_desc; 434 char *modname; 435 436 if (imgbase == 0 || module == NULL || desc == NULL) 437 return(EINVAL); 438 439 offset = pe_directory_offset(imgbase, IMAGE_DIRECTORY_ENTRY_IMPORT); 440 if (offset == 0) 441 return (ENOENT); 442 443 imp_desc = (void *)offset; 444 445 while (imp_desc->iid_nameaddr) { 446 modname = (char *)pe_translate_addr(imgbase, 447 imp_desc->iid_nameaddr); 448 if (!strncmp(module, modname, strlen(module))) { 449 bcopy((char *)imp_desc, (char *)desc, 450 sizeof(image_import_descriptor)); 451 return(0); 452 } 453 imp_desc++; 454 } 455 456 return (ENOENT); 457} 458 459/* 460 * Find the function that matches a particular name. This doesn't 461 * need to be particularly speedy since it's only run when loading 462 * a module for the first time. 463 */ 464 465static vm_offset_t 466pe_functbl_match(functbl, name) 467 image_patch_table *functbl; 468 char *name; 469{ 470 image_patch_table *p; 471 472 if (functbl == NULL || name == NULL) 473 return(0); 474 475 p = functbl; 476 477 while (p->ipt_name != NULL) { 478 if (!strcmp(p->ipt_name, name)) 479 return((uint32_t)p->ipt_func); 480 p++; 481 } 482 printf ("no match for %s\n", name); 483 return((vm_offset_t)p->ipt_func); 484} 485 486/* 487 * Patch the imported function addresses for a given module. 488 * The caller must specify the module name and provide a table 489 * of function pointers that will be patched into the jump table. 490 * Note that there are actually two copies of the jump table: one 491 * copy is left alone. In a .SYS file, the jump tables are usually 492 * merged into the INIT segment. 493 * 494 * Note: Windows uses the _stdcall calling convention. This means 495 * that the callback functions provided in the function table must 496 * be declared using __attribute__((__stdcall__)), otherwise the 497 * Windows code will likely screw up the %esp register and cause 498 * us to jump to an invalid address when it returns. 499 */ 500 501int 502pe_patch_imports(imgbase, module, functbl) 503 vm_offset_t imgbase; 504 char *module; 505 image_patch_table *functbl; 506{ 507 image_import_descriptor imp_desc; 508 char *fname; 509 vm_offset_t *nptr, *fptr; 510 vm_offset_t func; 511 512 if (imgbase == 0 || module == NULL || functbl == NULL) 513 return(EINVAL); 514 515 if (pe_get_import_descriptor(imgbase, &imp_desc, module)) 516 return(ENOEXEC); 517 518 nptr = (vm_offset_t *)pe_translate_addr(imgbase, 519 imp_desc.iid_import_name_table_addr); 520 fptr = (vm_offset_t *)pe_translate_addr(imgbase, 521 imp_desc.iid_import_address_table_addr); 522 523 while (nptr != NULL && pe_translate_addr(imgbase, *nptr) != NULL) { 524 fname = (char *)pe_translate_addr(imgbase, (*nptr) + 2); 525 func = pe_functbl_match(functbl, fname); 526 if (func) 527 *fptr = func; 528#ifdef notdef 529 if (*fptr == 0) 530 return(ENOENT); 531#endif 532 nptr++; 533 fptr++; 534 } 535 536 return(0); 537} 538