1
/*-
2
 * Copyright (c) 2015 Kai Wang
3
 * All rights reserved.
4
 *
5
 * Redistribution and use in source and binary forms, with or without
6
 * modification, are permitted provided that the following conditions
7
 * are met:
8
 * 1. Redistributions of source code must retain the above copyright
9
 *    notice, this list of conditions and the following disclaimer.
10
 * 2. Redistributions in binary form must reproduce the above copyright
11
 *    notice, this list of conditions and the following disclaimer in the
12
 *    documentation and/or other materials provided with the distribution.
13
 *
14
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24
 * SUCH DAMAGE.
25
 */
26

27
#include <assert.h>
28
#include <errno.h>
29
#include <stdlib.h>
30
#include <string.h>
31

32
#include "_libpe.h"
33

34
ELFTC_VCSID("$Id: libpe_rich.c 3312 2016-01-10 09:23:51Z kaiwang27 $");
35

36
static char *
37
memfind(char *s, const char *find, size_t slen, size_t flen)
38
{
39
	int i;
40

41
	if (slen == 0 || flen == 0 || flen > slen)
42
		return (NULL);
43

44
	for (i = 0; (size_t) i <= slen - flen; i++) {
45
		if (s[i] != find[0])
46
			continue;
47
		if (flen == 1)
48
			return (&s[i]);
49
		if (memcmp(&s[i + 1], &find[1], flen - 1) == 0)
50
			return (&s[i]);
51
	}
52

53
	return (NULL);
54
}
55

56
int
57
libpe_parse_rich_header(PE *pe)
58
{
59
	PE_RichHdr *rh;
60
	char *p, *r, *s;
61
	uint32_t x;
62
	int found, i;
63

64
	assert(pe->pe_stub != NULL && pe->pe_stub_ex > 0);
65

66
	/* Search for the "Rich" keyword to locate the Rich header. */
67
	s = pe->pe_stub + sizeof(PE_DosHdr);
68
	r = memfind(s, PE_RICH_TEXT, pe->pe_stub_ex, 4);
69
	if (r == NULL || r + 8 > s + pe->pe_stub_ex) {
70
		errno = ENOENT;
71
		return (-1);
72
	}
73

74
	if ((rh = calloc(1, sizeof(*rh))) == NULL) {
75
		errno = ENOMEM;
76
		return (-1);
77
	}
78

79
	rh->rh_xor = le32dec(r + 4); /* Retrieve the "XOR mask" */
80

81
	/*
82
	 * Search for the hidden keyword "DanS" by XOR the dwords before
83
	 * the "Rich" keyword with the XOR mask.
84
	 */
85
	found = 0;
86
	for (p = r - 4; p >= s; p -= 4) {
87
		x = le32dec(p) ^ rh->rh_xor;
88
		if (x == PE_RICH_HIDDEN) {
89
			found = 1;
90
			break;
91
		}
92
	}
93
	if (!found) {
94
		free(rh);
95
		errno = ENOENT;
96
		return (-1);
97
	}
98

99
	/*
100
	 * Found the "DanS" keyword, which is the start of the Rich header.
101
	 * The next step is to skip the first 16 bytes (DanS, XOR mask,
102
	 * XOR mask, XOR mask) and read the (compid,cnt) tuples.
103
	 */
104
	pe->pe_rh_start = p;
105
	p += 16;
106
	rh->rh_total = (r - p) / 8;
107
	if ((rh->rh_compid = malloc(rh->rh_total * sizeof(*rh->rh_compid))) ==
108
	    NULL) {
109
		free(rh);
110
		errno = ENOMEM;
111
		return (-1);
112
	}
113
	if ((rh->rh_cnt = malloc(rh->rh_total * sizeof(*rh->rh_cnt))) ==
114
	    NULL) {
115
		free(rh->rh_compid);
116
		free(rh);
117
		errno = ENOMEM;
118
		return (-1);
119
	}
120
	for (i = 0; (uint32_t) i < rh->rh_total; i++, p += 8) {
121
		rh->rh_compid[i] = le32dec(p) ^ rh->rh_xor;
122
		rh->rh_cnt[i] = le32dec(p + 4) ^ rh->rh_xor;
123
	}
124

125
	pe->pe_rh = rh;
126

127
	return (0);
128
}
129

130