/*
* Copyright (C) 2013-2024 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
* Copyright (C) 2007-2013 Sourcefire, Inc.
*
* Authors: Tomasz Kojm
*
* Acknowledgements: The header structures were based upon "ELF: Executable
* and Linkable Format, Portable Formats Specification,
* Version 1.1".
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA.
*/
#ifndef __ELF_H
#define __ELF_H
#include "clamav.h"
#include "execs.h"
#include "others.h"
#include "fmap.h"
/* ELF File Headers */
/*
 * 32-bit ELF file header, declared field-for-field in on-disk order.
 *
 * NOTE(review): when this is populated from a file under scan, every value is
 * attacker-controlled. Table offsets (e_phoff, e_shoff), per-entry sizes
 * (e_phentsize, e_shentsize) and entry counts (e_phnum, e_shnum) should be
 * range-checked against the real file size, with overflow-safe arithmetic,
 * before they are used to locate or walk the program/section header tables.
 */
struct elf_file_hdr32 {
    uint8_t e_ident[16];  /* identification bytes at the start of the file */
    uint16_t e_type;      /* object file type */
    uint16_t e_machine;   /* target architecture */
    uint32_t e_version;   /* object file version */
    /* From here on, field offsets differ from struct elf_file_hdr64. */
    uint32_t e_entry;     /* entry point virtual address */
    uint32_t e_phoff;     /* file offset of the program header table */
    uint32_t e_shoff;     /* file offset of the section header table */
    uint32_t e_flags;     /* processor-specific flags */
    uint16_t e_ehsize;    /* size of this header in bytes */
    uint16_t e_phentsize; /* size of one program header table entry */
    uint16_t e_phnum;     /* number of program header table entries */
    uint16_t e_shentsize; /* size of one section header table entry */
    uint16_t e_shnum;     /* number of section header table entries */
    uint16_t e_shstrndx;  /* section header index of the section name string table */
};
/*
 * 64-bit ELF file header, declared field-for-field in on-disk order.
 *
 * The first four members match the 32-bit header; e_entry, e_phoff and
 * e_shoff widen to 64 bits, which shifts every later offset.
 *
 * NOTE(review): when this is populated from a file under scan, every value is
 * attacker-controlled. 64-bit offsets combined with sizes and counts can wrap,
 * so bounds checks against the file size need overflow-safe arithmetic.
 */
struct elf_file_hdr64 {
    uint8_t e_ident[16];  /* identification bytes at the start of the file */
    uint16_t e_type;      /* object file type */
    uint16_t e_machine;   /* target architecture */
    uint32_t e_version;   /* object file version */
    /* From here on, field offsets differ from struct elf_file_hdr32. */
    uint64_t e_entry;     /* entry point virtual address */
    uint64_t e_phoff;     /* file offset of the program header table */
    uint64_t e_shoff;     /* file offset of the section header table */
    uint32_t e_flags;     /* processor-specific flags */
    uint16_t e_ehsize;    /* size of this header in bytes */
    uint16_t e_phentsize; /* size of one program header table entry */
    uint16_t e_phnum;     /* number of program header table entries */
    uint16_t e_shentsize; /* size of one section header table entry */
    uint16_t e_shnum;     /* number of section header table entries */
    uint16_t e_shstrndx;  /* section header index of the section name string table */
};
/* ELF File Header Helpers */
/* Byte difference between the 64-bit and 32-bit file headers: e_entry, e_phoff
 * and e_shoff are each 4 bytes wider in the 64-bit layout (3 * 4 = 12). */
#define ELF_HDR_SIZEDIFF 12
/* This part is the same on both headers */
/*
 * 32-bit file header followed by ELF_HDR_SIZEDIFF bytes of padding, so that
 * this wrapper spans as many bytes as the 64-bit header does.
 *
 * NOTE(review): pad[] holds whatever bytes follow a 32-bit header in the
 * input; it is filler, not header data, and should not be interpreted.
 */
struct elf_file_hdr32plus {
    struct elf_file_hdr32 hdr;     /* the actual 32-bit header */
    uint8_t pad[ELF_HDR_SIZEDIFF]; /* filler up to the 64-bit header size */
};
/*
 * One buffer viewed as either file header variant. The 32-bit member is the
 * padded wrapper, so both views cover the same number of bytes.
 *
 * NOTE(review): presumably the caller picks the member from the class byte in
 * e_ident, which sits at the same offset in both views -- confirm in the
 * parser. Reading the wrong view misinterprets every field after e_version.
 */
union elf_file_hdr {
    struct elf_file_hdr32plus hdr32; /* 32-bit view (header + padding) */
    struct elf_file_hdr64 hdr64;     /* 64-bit view */
};
/* ELF Program Headers */
/*
 * 32-bit ELF program (segment) header, in on-disk field order.
 *
 * NOTE(review): p_offset and p_filesz come from the input file. Check that
 * p_offset + p_filesz neither wraps nor exceeds the file size before reading
 * segment data, and do not assume p_filesz <= p_memsz.
 */
struct elf_program_hdr32 {
    uint32_t p_type;   /* segment type */
    uint32_t p_offset; /* file offset of the segment's first byte */
    uint32_t p_vaddr;  /* virtual address of the segment in memory */
    uint32_t p_paddr;  /* physical address, where relevant */
    uint32_t p_filesz; /* bytes the segment occupies in the file */
    uint32_t p_memsz;  /* bytes the segment occupies in memory */
    uint32_t p_flags;  /* segment permission flags */
    uint32_t p_align;  /* alignment of the segment */
};
/*
 * 64-bit ELF program (segment) header, in on-disk field order.
 *
 * Unlike the 32-bit layout, p_flags directly follows p_type here, so the two
 * structs cannot be read through a shared field order.
 *
 * NOTE(review): p_offset and p_filesz come from the input file. Check that
 * p_offset + p_filesz neither wraps nor exceeds the file size before reading
 * segment data.
 */
struct elf_program_hdr64 {
    uint32_t p_type;   /* segment type */
    uint32_t p_flags;  /* segment permission flags */
    uint64_t p_offset; /* file offset of the segment's first byte */
    uint64_t p_vaddr;  /* virtual address of the segment in memory */
    uint64_t p_paddr;  /* physical address, where relevant */
    uint64_t p_filesz; /* bytes the segment occupies in the file */
    uint64_t p_memsz;  /* bytes the segment occupies in memory */
    uint64_t p_align;  /* alignment of the segment */
};
/* ELF Section Headers */
/*
 * Section header flag bits (sh_flags) that this code cares about.
 * A section carrying both WRITE and EXECINSTR is unusual and worth a second
 * look when reviewing the flags that get logged.
 */
#define ELF_SHF_WRITE     (1 << 0) /* section is writable at run time */
#define ELF_SHF_ALLOC     (1 << 1) /* section occupies memory at run time */
#define ELF_SHF_EXECINSTR (1 << 2) /* section holds executable instructions */

/* Other sh_flags bits exist; the mask keeps only the ones that are logged. */
#define ELF_SHF_MASK (ELF_SHF_WRITE | ELF_SHF_ALLOC | ELF_SHF_EXECINSTR)
/*
 * 32-bit ELF section header, in on-disk field order.
 *
 * NOTE(review): all values come from the input file. sh_name is an index into
 * the section name string table and must be bounded by that table's size;
 * sh_offset + sh_size must be checked for wrap-around and against the file
 * size before section contents are read.
 */
struct elf_section_hdr32 {
    uint32_t sh_name;      /* index into the section name string table */
    uint32_t sh_type;      /* section type */
    uint32_t sh_flags;     /* flag bits, see ELF_SHF_* */
    uint32_t sh_addr;      /* virtual address of the section in memory */
    uint32_t sh_offset;    /* file offset of the section's first byte */
    uint32_t sh_size;      /* section size in bytes */
    uint32_t sh_link;      /* section header table index link */
    uint32_t sh_info;      /* extra information, meaning depends on sh_type */
    uint32_t sh_addralign; /* address alignment constraint */
    uint32_t sh_entsize;   /* entry size for sections holding fixed-size entries */
};
/*
 * 64-bit ELF section header, in on-disk field order.
 *
 * Same member order as the 32-bit layout; sh_flags, sh_addr, sh_offset,
 * sh_size, sh_addralign and sh_entsize widen to 64 bits.
 *
 * NOTE(review): all values come from the input file. sh_name must be bounded
 * by the string table size, and sh_offset + sh_size must be checked for
 * 64-bit wrap-around and against the file size before contents are read.
 */
struct elf_section_hdr64 {
    uint32_t sh_name;      /* index into the section name string table */
    uint32_t sh_type;      /* section type */
    uint64_t sh_flags;     /* flag bits, see ELF_SHF_* */
    uint64_t sh_addr;      /* virtual address of the section in memory */
    uint64_t sh_offset;    /* file offset of the section's first byte */
    uint64_t sh_size;      /* section size in bytes */
    uint32_t sh_link;      /* section header table index link */
    uint32_t sh_info;      /* extra information, meaning depends on sh_type */
    uint64_t sh_addralign; /* address alignment constraint */
    uint64_t sh_entsize;   /* entry size for sections holding fixed-size entries */
};
/* Exposed functions */
/*
 * ELF scan entry point: takes the scan context and returns a cl_error_t
 * status. The implementation is not part of this header.
 * NOTE(review): presumably reads the ELF headers of the file referenced by
 * ctx; that input is untrusted, so header-derived offsets and counts need
 * validation in the implementation -- confirm there.
 */
cl_error_t cli_scanelf(cli_ctx *ctx);
PE, ELF, Mach-O: code cleanup
The header parsing / executable metadata collecting functions for the
PE, ELF, and Mach-O file types were using `int` for the return type.
Mostly they were returning 0 for success and -1, -2, -3, or -4 for
failure. But in some cases they were returning cl_error_t enum values
for failure. Regardless, the function using them was treating 0 as
success and non-zero as failure, which it stored as -1 ... every time.
This commit switches them all to use cl_error_t. I am continuing to
store the final result as 0 / -1 in the `peinfo` struct, but outside of
that everything has been made consistent.
While I was working on that, I got a tad side tracked. I noticed that
the target type isn't an enum, or even a set of #defines. So I made an
enum and then changed the code that uses target types to use the enum.
I also removed the `target` parameter from a number of functions that
don't actually use it at all. Some recursion was masking the fact that
it was an unused parameter which is why there was no warning about it.
/*
 * Takes the scan context and a caller-provided struct cli_exe_info, and
 * returns a cl_error_t status.
 * NOTE(review): presumably parses the ELF headers and fills *elfinfo with the
 * collected executable metadata; what elfinfo holds on a failure return is
 * not visible here -- confirm before relying on it.
 */
cl_error_t cli_elfheader(cli_ctx *ctx, struct cli_exe_info *elfinfo);
/*
 * Takes the scan context and returns a cl_error_t status.
 * NOTE(review): by its name this is an unpacking entry point for ELF input;
 * its behaviour is not visible in this header -- confirm in the
 * implementation.
 */
cl_error_t cli_unpackelf(cli_ctx *ctx);
#endif