forked from saferwall/pe
-
Notifications
You must be signed in to change notification settings - Fork 0
/
version.go
380 lines (346 loc) · 13.4 KB
/
version.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
// Copyright 2018 Saferwall. All rights reserved.
// Use of this source code is governed by Apache v2 license
// license that can be found in the LICENSE file.
package pe
import (
"bytes"
"encoding/binary"
"fmt"
)
const (
// VersionResourceType identifies the version resource type in the resource directory
VersionResourceType = 16
// VsVersionInfoString is the UTF16-encoded string that identifies the VS_VERSION_INFO block
VsVersionInfoString = "VS_VERSION_INFO"
// VsFileInfoSignature is the file info signature
VsFileInfoSignature uint32 = 0xFEEF04BD
// StringFileInfoString is the UTF16-encoded string that identifies the StringFileInfo block
StringFileInfoString = "StringFileInfo"
// VarFileInfoString is the UTF16-encoded string that identifies the VarFileInfoString block
VarFileInfoString = "VarFileInfo"
// VsVersionInfoStringLength specifies the length of the VS_VERSION_INFO structure
VsVersionInfoStringLength uint32 = 6
// StringFileInfoLength specifies length of the StringFileInfo structure
StringFileInfoLength uint32 = 6
// StringTableLength specifies the length of the StringTable structure
StringTableLength uint32 = 6
// StringLength specifies the length of the String structure
StringLength uint32 = 6
// LangIDLength specifies the length of the language identifier string.
// It is represented as 8-digit hexadecimal number stored as a Unicode string.
LangIDLength uint32 = 8*2 + 1
)
// VsVersionInfo represents the organization of data in
// a file-version resource. It is the root structure that
// contains all other file-version information structures.
type VsVersionInfo struct {
// Length is the length, in bytes, of the VS_VERSIONINFO structure.
// This length does not include any padding that aligns any
// subsequent version resource data on a 32-bit boundary.
Length uint16 `json:"length"`
// ValueLength is the length, in bytes, of arbitrary data associated
// with the VS_VERSIONINFO structure.
// This value is zero if there is no any data associated with the
// current version structure.
ValueLength uint16 `json:"value_length"`
// Type represents as many zero words as necessary to align the StringFileInfo
// and VarFileInfo structures on a 32-bit boundary. These bytes are not included
// in ValueLength.
Type uint16 `json:"type"`
}
func (pe *File) parseVersionInfo(e ResourceDirectoryEntry) (*VsVersionInfo, error) {
offset := pe.GetOffsetFromRva(e.Data.Struct.OffsetToData)
b, err := pe.ReadBytesAtOffset(offset, e.Data.Struct.Size)
if err != nil {
return nil, err
}
var v VsVersionInfo
if err := binary.Read(bytes.NewBuffer(b), binary.LittleEndian, &v); err != nil {
return nil, err
}
b, err = pe.ReadBytesAtOffset(offset+VsVersionInfoStringLength, uint32(v.ValueLength))
if err != nil {
return nil, err
}
vsVersionString, err := DecodeUTF16String(b)
if err != nil {
return nil, err
}
if vsVersionString != VsVersionInfoString {
return nil, fmt.Errorf("invalid VS_VERSION_INFO block. %s", vsVersionString)
}
return &v, nil
}
// VsFixedFileInfo contains version information for a file.
// This information is language and code page independent.
type VsFixedFileInfo struct {
// Signature contains the value 0xFEEF04BD. This is used
// with the `key` member of the VS_VERSIONINFO structure
// when searching a file for the VS_FIXEDFILEINFO structure.
Signature uint32 `json:"signature"`
// StructVer is the binary version number of this structure.
// The high-order word of this member contains the major version
// number, and the low-order word contains the minor version number.
StructVer uint32 `json:"struct_ver"`
// FileVersionMS denotes the most significant 32 bits of the file's
// binary version number.
FileVersionMS uint32 `json:"file_version_ms"`
// FileVersionLS denotes the least significant 32 bits of the file's
// binary version number.
FileVersionLS uint32 `json:"file_version_ls"`
// ProductVersionMS represents the most significant 32 bits of the
// binary version number of the product with which this file was distributed.
ProductVersionMS uint32 `json:"product_version_ms"`
// ProductVersionLS represents the most significant 32 bits of the
// binary version number of the product with which this file was distributed.
ProductVersionLS uint32 `json:"product_version_ls"`
// FileFlagMask contains a bitmask that specifies the valid bits in FileFlags.
// A bit is valid only if it was defined when the file was created.
FileFlagMask uint32 `json:"file_flag_mask"`
// FileFlags contains a bitmask that specifies the Boolean attributes of the file.
// For example, the file contains debugging information or is compiled with debugging
// features enabled if FileFlags is equal to 0x00000001L (VS_FF_DEBUG).
FileFlags uint32 `json:"file_flags"`
// FileOS represents the operating system for which this file was designed.
FileOS uint32 `json:"file_os"`
// FileType describes the general type of file.
FileType uint32 `json:"file_type"`
// FileSubtype specifies the function of the file. The possible values depend on the value of FileType.
FileSubtype uint32 `json:"file_subtype"`
// FileDateMS are the most significant 32 bits of the file's 64-bit binary creation date and time stamp.
FileDateMS uint32 `json:"file_date_ms"`
// FileDateLS are the least significant 32 bits of the file's 64-bit binary creation date and time stamp.
FileDateLS uint32 `json:"file_date_ls"`
}
// Size returns the size of this structure in bytes.
func (f *VsFixedFileInfo) Size() uint32 { return uint32(binary.Size(f)) }
func (f *VsFixedFileInfo) GetStringFileInfoOffset(e ResourceDirectoryEntry) uint32 {
return alignDword(VsVersionInfoStringLength+uint32(2*len(VsVersionInfoString)+1)+f.Size(), e.Data.Struct.OffsetToData)
}
func (f *VsFixedFileInfo) GetOffset(e ResourceDirectoryEntry, pe *File) uint32 {
offset := pe.GetOffsetFromRva(e.Data.Struct.OffsetToData) + VsVersionInfoStringLength
offset += uint32(2*len(VsVersionInfoString)) + 1
return alignDword(offset, e.Data.Struct.OffsetToData)
}
func (pe *File) parseFixedFileInfo(e ResourceDirectoryEntry) (*VsFixedFileInfo, error) {
var f VsFixedFileInfo
offset := f.GetOffset(e, pe)
b, err := pe.ReadBytesAtOffset(offset, f.Size())
if err != nil {
return nil, err
}
if err := binary.Read(bytes.NewBuffer(b), binary.LittleEndian, &f); err != nil {
return nil, err
}
if f.Signature != VsFileInfoSignature {
return nil, fmt.Errorf("invalid file info signature %d", f.Signature)
}
return &f, nil
}
// StringFileInfo represents the organization of data in a
// file-version resource. It contains version information
// that can be displayed for a particular language and code page.
type StringFileInfo struct {
Length uint16
ValueLength uint16
Type uint16
}
func (s *StringFileInfo) GetStringTableOffset(offset uint32) uint32 {
return offset + StringFileInfoLength + uint32(2*len(StringFileInfoString)) + 1
}
func (s *StringFileInfo) GetOffset(rva uint32, e ResourceDirectoryEntry, pe *File) uint32 {
offset := pe.GetOffsetFromRva(e.Data.Struct.OffsetToData) + rva
return alignDword(offset, e.Data.Struct.OffsetToData)
}
func (pe *File) parseStringFileInfo(rva uint32, e ResourceDirectoryEntry) (*StringFileInfo, string, error) {
var s StringFileInfo
offset := s.GetOffset(rva, e, pe)
b, err := pe.ReadBytesAtOffset(offset, StringFileInfoLength)
if err != nil {
return nil, "", err
}
if err := binary.Read(bytes.NewBuffer(b), binary.LittleEndian, &s); err != nil {
return nil, "", err
}
b, err = pe.ReadBytesAtOffset(offset+StringFileInfoLength, uint32(len(StringFileInfoString)*2)+1)
if err != nil {
return nil, "", err
}
str, err := DecodeUTF16String(b)
return &s, str, err
}
// StringTable represents the organization of data in a
// file-version resource. It contains language and code
// page formatting information for the version strings
type StringTable struct {
Length uint16
ValueLength uint16
Type uint16
}
func (s *StringTable) GetStringOffset(offset uint32, e ResourceDirectoryEntry) uint32 {
return alignDword(offset+StringTableLength+LangIDLength, e.Data.Struct.OffsetToData)
}
func (s *StringTable) GetOffset(rva uint32, e ResourceDirectoryEntry, pe *File) uint32 {
offset := pe.GetOffsetFromRva(e.Data.Struct.OffsetToData) + rva
return alignDword(offset, e.Data.Struct.OffsetToData)
}
func (pe *File) parseStringTable(rva uint32, e ResourceDirectoryEntry) (*StringTable, error) {
var s StringTable
offset := s.GetOffset(rva, e, pe)
b, err := pe.ReadBytesAtOffset(offset, StringTableLength)
if err != nil {
return nil, err
}
if err := binary.Read(bytes.NewBuffer(b), binary.LittleEndian, &s); err != nil {
return nil, err
}
// Read the 8-digit hexadecimal number stored as a Unicode string.
// The four most significant digits represent the language identifier.
// The four least significant digits represent the code page for which
// the data is formatted.
b, err = pe.ReadBytesAtOffset(offset+StringTableLength, (8*2)+1)
if err != nil {
return nil, err
}
langID, err := DecodeUTF16String(b)
if err != nil {
return nil, err
}
if len(langID) != int(LangIDLength/2) {
return nil, fmt.Errorf("invalid language identifier length. Expected: %d, Got: %d",
LangIDLength/2,
len(langID))
}
return &s, nil
}
// String Represents the organization of data in a
// file-version resource. It contains a string that
// describes a specific aspect of a file, for example,
// a file's version, its copyright notices, or its trademarks.
type String struct {
Length uint16
ValueLength uint16
Type uint16
}
func (s *String) GetOffset(rva uint32, e ResourceDirectoryEntry, pe *File) uint32 {
offset := pe.GetOffsetFromRva(e.Data.Struct.OffsetToData) + rva
return alignDword(offset, e.Data.Struct.OffsetToData)
}
// variant of GetOffset which also returns the number of bytes which were added
// to achieve 32-bit alignment. The padding value needs to be added to the
// string length to figure out the offset of the next string
func (s *String) getOffsetAndPadding(rva uint32, e ResourceDirectoryEntry, pe *File) (uint32, uint16) {
unalignedOffset := pe.GetOffsetFromRva(e.Data.Struct.OffsetToData) + rva
alignedOffset := alignDword(unalignedOffset, e.Data.Struct.OffsetToData)
return alignedOffset, uint16(alignedOffset - unalignedOffset)
}
func (pe *File) parseString(rva uint32, e ResourceDirectoryEntry) (string, string, uint16, error) {
var s String
offset, padding := s.getOffsetAndPadding(rva, e, pe)
b, err := pe.ReadBytesAtOffset(offset, StringLength)
if err != nil {
return "", "", 0, err
}
if err := binary.Read(bytes.NewBuffer(b), binary.LittleEndian, &s); err != nil {
return "", "", 0, err
}
const maxKeySize = 100
b, err = pe.ReadBytesAtOffset(offset+StringLength, maxKeySize)
if err != nil {
return "", "", 0, err
}
key, err := DecodeUTF16String(b)
if err != nil {
return "", "", 0, err
}
valueOffset := alignDword(uint32(2*(len(key)+1))+offset+StringLength, e.Data.Struct.OffsetToData)
b, err = pe.ReadBytesAtOffset(valueOffset, uint32(s.Length))
if err != nil {
return "", "", 0, err
}
value, err := DecodeUTF16String(b)
if err != nil {
return "", "", 0, err
}
// The caller of this function uses the string length as an offset to find
// the next string in the file. We need add the alignment padding here
// since the caller is unaware of the byte alignment, and will add the
// string length to the unaligned offset to get the address of the next
// string.
totalLength := s.Length + padding
return key, value, totalLength, nil
}
// ParseVersionResources parses file version strings from the version resource
// directory. This directory contains several structures starting with VS_VERSION_INFO
// with references to children StringFileInfo structures. In addition, StringFileInfo
// contains the StringTable structure with String entries describing the name and value
// of each file version strings.
func (pe *File) ParseVersionResources() (map[string]string, error) {
vers := make(map[string]string)
if pe.opts.OmitResourceDirectory {
return vers, nil
}
for _, e := range pe.Resources.Entries {
if e.ID != VersionResourceType {
continue
}
directory := e.Directory.Entries[0].Directory
for _, e := range directory.Entries {
ver, err := pe.parseVersionInfo(e)
if err != nil {
return vers, err
}
ff, err := pe.parseFixedFileInfo(e)
if err != nil {
return vers, err
}
offset := ff.GetStringFileInfoOffset(e)
for {
f, n, err := pe.parseStringFileInfo(offset, e)
if err != nil || f.Length == 0 {
break
}
switch n {
case StringFileInfoString:
tableOffset := f.GetStringTableOffset(offset)
for {
table, err := pe.parseStringTable(tableOffset, e)
if err != nil {
break
}
stringOffset := table.GetStringOffset(tableOffset, e)
for stringOffset < tableOffset+uint32(table.Length) {
k, v, l, err := pe.parseString(stringOffset, e)
if err != nil {
break
}
vers[k] = v
if l == 0 {
stringOffset = tableOffset + uint32(table.Length)
} else {
stringOffset = stringOffset + uint32(l)
}
}
// handle potential infinite loops
if uint32(table.Length)+tableOffset > tableOffset {
break
}
if tableOffset > uint32(f.Length) {
break
}
}
case VarFileInfoString:
break
default:
break
}
offset += uint32(f.Length)
// StringFileInfo/VarFileinfo structs consumed?
if offset >= uint32(ver.Length) {
break
}
}
}
}
return vers, nil
}