exeheader.cul

( $Id: exeheader.cul,v 1.5 2005/03/18 16:00:58 albert Exp $ )
( Copyright{2004}: Albert van der Horst, HCC FIG Holland by GNU Public License)

\ Consult file for ciasdis. (See man 5 cul).
\ In behalf of analysing Windows exe files.

REQUIRE  do                     \ Interpreted control structures

28 CONSTANT COFFSECTION_SIZE        \ Size of a section header.

0 -ORG-         \ Preliminary, to find out.
0 TARGET>HOST 2 "MZ" $= 0 = "Fatal, not an ex header!" ?ABORT
3C L@ ( coffHeaderStart) 34 + L@  DUP CONSTANT IMAGE_BASE

DUP -ORG-
DUP LABEL exHeaderStart
DUP LABEL exSignature        2 +
DUP LABEL exExtrabytes       2 +
DUP LABEL exPages            2 +
DUP LABEL exRelocItems       2 +
DUP LABEL exHeaderSize       2 +
DUP LABEL exMinAlloc         2 +
DUP LABEL exMaxAlloc         2 +
DUP LABEL exInitSS           2 +
DUP LABEL exInitSp           2 +
DUP LABEL exCheckSum         2 +
DUP LABEL exInitIP           2 +
DUP LABEL exInitCS           2 +
DUP LABEL exRelocTable       2 +
DUP LABEL exOverlay          2 +
    LABEL exHeaderEnd

exHeaderStart exHeaderEnd -dw: exHeader

exHeaderStart   exInitIP W@ +  exHeaderSize W@ 10 * +   LABEL exEntry
exHeaderEnd DUP 40 + -dl: exHeaderPreversity

exHeaderStart 3C + L@   exHeaderStart + LABEL coffHeaderStart

coffHeaderStart TARGET>HOST 2 "PE" $= 0 = "Fatal, not a windows header!" ?ABORT

\ Coff File Header.
14C EQU IMAGE_FILE_MACHINE_I386
10B EQU PE32    \ Magic number for windows (non)-Portable Execution format.
coffHeaderStart   4 +
DUP LABEL fhMachine                     2 +
DUP LABEL fhNumberOfSections            2 +
DUP LABEL fhTimeDateStamp               4 +
DUP LABEL fhPointerToSymbolTable        4 +
DUP LABEL fhNumberOfSymbols             4 +
DUP LABEL fhSizeOfOptionalHeader        2 +
DUP LABEL fhCharacteristics             2 +
DUP LABEL coffOptionalHeaderStart
DUP LABEL fhMagic                       2 +
DUP LABEL fhMajorLinkerVersion          1 +
DUP LABEL fhMinorLinkerVersion          1 +
DUP LABEL fhSizeOfCode                  4 +
DUP LABEL fhSizeOfInitializedData       4 +
DUP LABEL fhSizeOfUninitializedData     4 +
DUP LABEL fhAddressOfEntryPoint         4 +
DUP LABEL fhBaseOfCode                  4 +
DUP LABEL coffHeaderEnd

fhNumberOfSections      W@ CONSTANT NUMBER_OF_COFFSECTIONS

fhMachine W@ IMAGE_FILE_MACHINE_I386 <>
    "Fatal, this is an Intel 86..Pentium disassembler only!" ?ABORT
fhCharacteristics W@ 2000 AND "Fatal, cannot handle dll's, yet!" ?ABORT
fhMagic W@ 10B <> "Fatal, cannot handle 64 bits address spaces, yet!" ?ABORT

\ MS names these thingies "optional file header" though there is nothing
\ optional about it.
DUP LABEL ofhBaseOfData                    4 +
DUP LABEL ofhImageBase                     4 +
DUP LABEL ofhSectionAlignment              4 +
DUP LABEL ofhFileAlignment                 4 +
DUP LABEL ofhMajorOperatingSystemVersion   2 +
DUP LABEL ofhMinorOperatingSystemVersion   2 +
DUP LABEL ofhMajorImageVersion             2 +
DUP LABEL ofhMinorImageVersion             2 +
DUP LABEL ofhMajorSubsystemVersion         2 +
DUP LABEL ofhMinorSubsystemVersion         2 +
DUP LABEL ofhReserved                      4 +
DUP LABEL ofhSizeOfImage                   4 +
DUP LABEL ofhSizeOfHeaders                 4 +
DUP LABEL ofhCheckSum                      4 +
DUP LABEL ofhSubsystem                     2 +
DUP LABEL ofhDLL_Characteristics           2 +
DUP LABEL ofhSizeOfStackReserve            4 +
DUP LABEL ofhSizeOfStackCommit             4 +
DUP LABEL ofhSizeOfHeapReserve             4 +
DUP LABEL ofhSizeOfHeapCommit              4 +
DUP LABEL ofhLoaderFlags                   4 +
DUP LABEL ofhNumberOfRvaAndSizes           4 +
DUP LABEL coffOptionalHeaderEnd
DUP LABEL RvaAndSizes     ofhNumberOfRvaAndSizes W@ 8 * +
DUP LABEL RvaAndSizesEnd
DUP LABEL Sections              NUMBER_OF_COFFSECTIONS COFFSECTION_SIZE * +
DUP LABEL SectionsEnd
DROP

ofhSubsystem W@ 2 <> "Fatal, can only handle windows GUI applications, as yet." ?ABORT


fhSizeOfOptionalHeader  W@ CONSTANT OPTIONAL_HEADER_SIZE

exEntry 0E +   LABEL NoDosMode$
exEntry         NoDosMode$      -dc16-
NoDosMode$      exEntry 40 +    -d$-

coffHeaderStart         fhMachine               -d$-
fhMachine               fhTimeDateStamp         -dw-
fhTimeDateStamp         fhSizeOfOptionalHeader  -dl-
fhSizeOfOptionalHeader  fhMajorLinkerVersion    -dw-
fhMajorLinkerVersion    fhSizeOfCode            -db-
fhSizeOfCode            ofhMajorOperatingSystemVersion     -dl-
ofhMajorOperatingSystemVersion ofhReserved                 -dw-
ofhReserved             ofhSubsystem                       -dl-
ofhSubsystem            ofhSizeOfStackReserve              -dw-
ofhSizeOfStackReserve   coffOptionalHeaderEnd              -dl-

\ The following thingies have names, but those we don't need.
RvaAndSizes             RvaAndSizesEnd                  -dl-

\ For the TADDRESS of a sectionheader N, give it a label.
: ADD-COFFSECTION-HEADER
    "_Section" PAD $!   0 <# #S #> PAD $+!   PAD $@   LABELED
;

\ For the TADDRESS of a sectionheader, add the label of that section.
\ Fetch its name from the section header.
: ADD-COFFSECTION
    DUP 8 + L@   OVER TARGET>HOST 8 0 $S 2SWAP 2DROP   LABELED
;

\ Add all sections.
\ In the loop the section header address is incremented to the next one.
Sections  NUMBER_OF_COFFSECTIONS 0 do
    DUP I ADD-COFFSECTION-HEADER
    DUP ADD-COFFSECTION
    DUP 8 +   DUP >R -d$- R>
    DUP COFFSECTION_SIZE 8 - +    DUP >R -dl- R>
loop
DROP

\ Crawl the exe header. In rare case it is ill-advised
\ to do it automatically.
\ : EXE-CRAWL   coffHeaderStart CRAWL ;
\ EXE-CRAWL