objfile

package
v0.0.0-...-9dfbc21 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Oct 5, 2023 License: MIT Imports: 32 Imported by: 0

Documentation

Overview

Copyright (C) 2022 Mandiant, Inc. All Rights Reserved.

Package objfile implements portable access to OS-specific executable files.

Index

Constants

This section is empty.

Variables

// ARM32_sig is the yara-style byte pattern for the 32-bit ARM instruction
// sequence that loads firstmoduledata (LDR / B / LDR / CMP / BEQ in the worked
// example that accompanies it). "??" bytes are wildcards.
// A pattern hit only says the bytes look right; the address decoded from it
// still has to be validated against the file before it is trusted.
// NOTE(review): the leading 0 is consumed by signatureModuleDataInitARM32,
// which is not shown here — presumably the offset of the LDR within the match; confirm.
var ARM32_sig = signatureModuleDataInitARM32{0, `{ ?? ?? 9F E5 ?? ?? ?? EA ?? ?? ?? E5 ?? ?? ?? E3 ?? ?? ?? 0A }`}

0x0006AA00 80 12 9F E5 LDR R1, =firstmoduleData // 0xE59F1280 -> 0b11 100101100111110001001010000000 -> size = 11,
0x0006AA04 00 00 00 EA B loc_6AA0C
0x0006AA08 18 11 91 E5 LDR R1, [R1,#0x118]
0x0006AA0C 00 00 51 E3 CMP R1, #0
0x0006AA10 69 00 00 0A BEQ loc_6ABBC

// ARM64_sig is the yara-style byte pattern for the AArch64 sequence that forms
// the firstmoduledata address (ADRP + ADD, then B / LDR / CBZ in the worked
// example that accompanies it). "??" bytes are wildcards and "(a | b)" groups
// are alternatives for one byte.
// The LDR is matched with its `41 F9` bytes fixed, which is how the struct
// field offset ends up baked into the signature; a binary with a different
// offset would not match.
// NOTE(review): 0 and 4 are presumably the byte offsets of the ADRP and ADD
// within the match — confirm against signatureModuleDataInitARM64.
var ARM64_sig = signatureModuleDataInitARM64{0, 4, `{ ?? ?? ?? (90 | b0 | f0 | d0) ?? ?? ?? 91 ?? ?? ?? (14 | 17) ?? ?? 41 F9 ?? ?? ?? B4 }`}

0x000000000005C1E8 41 14 00 F0 ADRP X1, #unk_2E7000 // 0xF0001441 -> 0b1 11 10000 0000000000010100010 00001 -> op=1, immlo=0b11, immhi=0b0000000000010100010
........................................................................ // X1 = ((0b0000000000010100010 11 << 12) + 0x5C1E8) = 0b1011100111000111101000 = 0b1011100111000111101000 & 0xFFFFFFFFFFFFF000 = 0x2E7000
0x000000000005C1EC 21 80 3D 91 ADD X1, X1, #firstmoduleData@PAGEOFF // 0x913d8021 -> 0b100 100010 0 111101100000 00001 00001 -> sh = 0, imm12 = 0b111101100000, Rn = 00001, Rb = 00001
....................................................................... // X1 = 0x2E7000 + 0b111101100000 (0xF60) = 0x2E7F60
0x000000000005C1F0 02 00 00 14 B loc_5C1F8 0x14 00 00 02
0x000000000005C1F4 21 18 41 F9 LDR X1, [X1,#0x230]
0x000000000005C1F8 21 0D 00 B4 CBZ X1, loc_5C39C 0xb4000d21

This signature encodes the 0x230 struct field offset; it might need more masking if we see misses (TODO).

// PPC_BE_sig is the yara-style byte pattern for the big-endian PowerPC
// sequence that forms the moduledata address (lis + addi, then b / ld / cmpd /
// beq in the worked example that accompanies it). "?" is a wildcard nibble.
// The ld is matched with a fixed `02` byte, so part of the struct field offset
// is baked into this signature.
// NOTE(review): 2 and 6 are presumably the byte offsets of the lis and addi
// 16-bit immediates within the match — confirm against signatureModuleDataInitPPC.
var PPC_BE_sig = signatureModuleDataInitPPC{2, 6, `{ 3? 80 00 ?? 3? ?? ?? ?? 48 ?? ?? ?? E? ?? 02 ?? 7C ?? ?? ?? 41 82 ?? ?? }`}

0x0000000000061a74: 3C 80 00 2C lis r4, 0x2c // moduledata
0x0000000000061a78: 38 84 80 00 addi r4, r4, 0x8000 // moduledata ((0x2c << 16) - 0x8000)
0x0000000000061a7c: 48 00 00 08 b 0x61a84
0x0000000000061a80: E8 84 02 30 ld r4, 0x230(r4)
0x0000000000061a84: 7C 24 00 00 cmpd r4, r0
0x0000000000061a88: 41 82 01 A8 beq 0x61c30

Functions

func FindRegex

func FindRegex(data []byte, regexInfo *RegexAndNeedle) []int

Types

type CachedFile

// CachedFile contains the content of a file split into lines.
type CachedFile struct {
	FileName string   // name of the file the lines were read from
	Lines    [][]byte // one entry per line of the file
}

CachedFile contains the content of a file split into lines.

type ChanDir

// ChanDir is a bit set describing the direction of a channel type.
type ChanDir uint

// The two direction bits; SendRecv is both bits set (value 3).
const (
	RecvOnly ChanDir               = 1 << iota // <-chan
	SendOnly                                   // chan<-
	SendRecv = RecvOnly | SendOnly             // chan
)

func (ChanDir) String

func (d ChanDir) String() string

type Disasm

type Disasm struct {
	// contains filtered or unexported fields
}

Disasm is a disassembler for a given File.

func (*Disasm) Decode

func (d *Disasm) Decode(start, end uint64, relocs []Reloc, gnuAsm bool, f func(pc, size uint64, file string, line int, text string))

Decode disassembles the text segment range [start, end), calling f for each instruction.

func (*Disasm) Print

func (d *Disasm) Print(w io.Writer, filter *regexp.Regexp, start, end uint64, printCode bool, gnuAsm bool)

Print prints a disassembly of the file to w. If filter is non-nil, the disassembly only includes functions with names matching filter. If printCode is true, the disassembly includes corresponding source lines. The disassembly only includes functions that overlap the range [start, end).

type Entry

type Entry struct {
	// contains filtered or unexported fields
}

func (*Entry) DWARF

func (e *Entry) DWARF() (*dwarf.Data, error)

DWARF returns DWARF debug data for the file, if any. This is for cmd/pprof to locate cgo functions.

func (*Entry) Disasm

func (e *Entry) Disasm() (*Disasm, error)

Disasm returns a disassembler for the file f.

func (*Entry) GOARCH

func (e *Entry) GOARCH() string

func (*Entry) LoadAddress

func (e *Entry) LoadAddress() (uint64, error)

LoadAddress returns the expected load address of the file. This differs from the actual load address for a position-independent executable.

func (*Entry) ModuleDataTable

func (e *Entry) ModuleDataTable(pclntabVA uint64, runtimeVersion string, version string, is64bit bool, littleendian bool) (secStart uint64, moduleData *ModuleData, err error)

func (*Entry) Name

func (e *Entry) Name() string

func (*Entry) PCLineTable

func (e *Entry) PCLineTable(versionOverride string, knownPclntabVA uint64, knownGoTextBase uint64) ([]PclntabCandidate, error)

previously: func (e *Entry) PCLineTable() (Liner, error)

func (e *Entry) ParseITabLinks(runtimeVersion string, moduleData *ModuleData, is64bit bool, littleendian bool) (types []Type, err error)

func (*Entry) ParseType

func (e *Entry) ParseType(runtimeVersion string, moduleData *ModuleData, typeAddress uint64, is64bit bool, littleendian bool) (_type []Type, err error)
func (e *Entry) ParseTypeLinks(runtimeVersion string, moduleData *ModuleData, is64bit bool, littleendian bool) (types []Type, err error)

func (*Entry) ParseType_impl

func (e *Entry) ParseType_impl(runtimeVersion string, moduleData *ModuleData, typeAddress uint64, is64bit bool, littleendian bool, parsedTypesIn *orderedmap.OrderedMap) (*orderedmap.OrderedMap, error)

func (*Entry) ReadPointerSizeMem

func (e *Entry) ReadPointerSizeMem(addr uint64, is64bit bool, littleendian bool) (result uint64, err error)

func (*Entry) Symbols

func (e *Entry) Symbols() ([]Sym, error)

func (*Entry) Text

func (e *Entry) Text() (uint64, []byte, error)

type File

type File struct {
	// contains filtered or unexported fields
}

A File is an opened executable file.

func Open

func Open(name string) (*File, error)

Open opens the named file. The caller must call f.Close when the file is no longer needed.

func (*File) Close

func (f *File) Close() error

func (*File) DWARF

func (f *File) DWARF() (*dwarf.Data, error)

func (*File) Disasm

func (f *File) Disasm() (*Disasm, error)

func (*File) Entries

func (f *File) Entries() []*Entry

func (*File) GOARCH

func (f *File) GOARCH() string

func (*File) LoadAddress

func (f *File) LoadAddress() (uint64, error)

func (*File) ModuleDataTable

func (f *File) ModuleDataTable(pclntabVA uint64, runtimeVersion string, version string, is64bit bool, littleendian bool) (secStart uint64, moduleData *ModuleData, err error)

func (*File) PCLineTable

func (f *File) PCLineTable(versionOverride string, knownPclntabVA uint64, knownGoTextBase uint64) ([]PclntabCandidate, error)

previously: func (f *File) PCLineTable() (Liner, error)

func (f *File) ParseITabLinks(runtimeVersion string, moduleData *ModuleData, is64bit bool, littleendian bool) (types []Type, err error)

func (*File) ParseType

func (f *File) ParseType(runtimeVersion string, moduleData *ModuleData, typeAddress uint64, is64bit bool, littleendian bool) (types []Type, err error)
func (f *File) ParseTypeLinks(runtimeVersion string, moduleData *ModuleData, is64bit bool, littleendian bool) (types []Type, err error)

func (*File) Symbols

func (f *File) Symbols() ([]Sym, error)

func (*File) Text

func (f *File) Text() (uint64, []byte, error)

type FileCache

type FileCache struct {
	// contains filtered or unexported fields
}

FileCache is a simple LRU cache of file contents.

func NewFileCache

func NewFileCache(maxLen int) *FileCache

NewFileCache returns a FileCache which can contain up to maxLen cached file contents.

func (*FileCache) Line

func (fc *FileCache) Line(filename string, line int) ([]byte, error)

Line returns the source code line for the given file and line number. If the file is not already cached, reads it, inserts it into the cache, and removes the least recently used file if necessary. If the file is in cache, it is moved to the front of the list.

type FuncTab118

// FuncTab118 is one function table entry in 'ftab' using two 32-bit offsets
// instead of pointer-sized values. Both offsets come straight from the
// analysed file and should be range-checked before they are added to a base.
// NOTE(review): "118" presumably means the Go 1.18+ layout — confirm.
type FuncTab118 struct {
	Entryoffset uint32 // relative to runtime.text, ie. VA
	Funcoffset  uint32 // relative to ftab table start
}

type FuncTab12_116_32

// FuncTab12_116_32 is one function table entry in 'ftab' with 32-bit
// pointer-sized fields. Both values come straight from the analysed file and
// should be range-checked before use.
// NOTE(review): "12_116" presumably covers the 1.2 through 1.16 layouts — confirm.
type FuncTab12_116_32 struct {
	Entryoffset pvoid32 // relative to runtime.text, ie. VA
	Funcoffset  pvoid32 // relative to ftab table start
}

type FuncTab12_116_64

// FuncTab12_116_64 is one function table entry in 'ftab' with 64-bit
// pointer-sized fields. Both values come straight from the analysed file and
// should be range-checked before use.
// NOTE(review): "12_116" presumably covers the 1.2 through 1.16 layouts — confirm.
type FuncTab12_116_64 struct {
	Entryoffset pvoid64 // relative to runtime.text, ie. VA
	Funcoffset  pvoid64 // relative to ftab table start
}

a function table entry in 'ftab'

type GoBitVector32

// GoBitVector32 is the 32-bit in-file form of a bit vector: a bit count plus
// the address of the bytes that hold the bits.
// Bitnum is signed and read from the file, so a hostile binary can supply a
// negative or oversized count; validate it before sizing any read from it.
type GoBitVector32 struct {
	Bitnum   int32   // number of bits — presumably; confirm against the reader
	Bytedata pvoid32 // address of the bit bytes inside the analysed binary
}

type GoSlice32

// GoSlice32 is the 32-bit in-file form of a Go slice header.
// Data is an address inside the analysed binary, not a live Go pointer, so
// the elements must be fetched with a separate read. Len and Capacity are
// whatever the file says: bound them against the containing section before
// allocating for, or reading, Len elements.
type GoSlice32 struct {
	Data     pvoid32  // address of the backing array in the analysed binary
	Len      size_t32 // element count as stored in the file (untrusted)
	Capacity size_t32 // capacity as stored in the file (untrusted)
}

type GoSlice64

// GoSlice64 is the 64-bit in-file form of a Go slice header.
// Data is an address inside the analysed binary, not a live Go pointer, so
// the elements must be fetched with a separate read. Len and Capacity are
// whatever the file says: bound them against the containing section before
// allocating for, or reading, Len elements.
type GoSlice64 struct {
	Data     pvoid64 // address of the backing array in the analysed binary
	Len      uint64  // element count as stored in the file (untrusted)
	Capacity uint64  // capacity as stored in the file (untrusted)
}

All types following this are the binary representation of internal objects. These are 'flat', i.e. one pointer level deep. Accessing pointers and the like requires a memory read to retrieve the backing data. https://github.com/golang/go/blob/23adc139bf1c0c099dd075da076f5a1f3ac700d4/src/reflect/value.go#L2599

type GoString32

// GoString32 is the 32-bit in-file form of a Go string header.
// Data is an address inside the analysed binary and Len is the byte length
// stored next to it; neither is validated by this type, so check that
// [Data, Data+Len) lies inside a mapped section before reading the bytes.
type GoString32 struct {
	Data pvoid32  // address of the string bytes in the analysed binary
	Len  size_t32 // byte length as stored in the file (untrusted)
}

type IMethod

// IMethod is the in-file record for one interface method. Both fields are
// offsets (nameOff / typeOff) rather than pointers.
// NOTE(review): the base they are relative to is not shown here — presumably
// the module's Types address; confirm, and range-check the resolved address.
type IMethod struct {
	Name nameOff // offset of the method name
	Typ  typeOff // offset of the method's type
}

type Kind

// Kind identifies the category of a parsed type. The constants below follow
// the same order as the standard library's reflect.Kind.
// Per the inline note, the value is obtained by masking the stored byte with
// 0x1f; a byte read from a file can still yield a masked value above
// UnsafePointer, so callers should treat out-of-range values as invalid.
type Kind uint8 // mask & 0x1f

// Kind values, starting at Invalid = 0 and increasing by one per line.
const (
	Invalid Kind = iota
	Bool
	Int
	Int8
	Int16
	Int32
	Int64
	Uint
	Uint8
	Uint16
	Uint32
	Uint64
	Uintptr
	Float32
	Float64
	Complex64
	Complex128
	Array
	Chan
	Func
	Interface
	Map
	Pointer
	Slice
	String
	Struct
	UnsafePointer
)

func (Kind) String

func (k Kind) String() string

type Liner

// Liner maps a program counter back to source position and function data.
type Liner interface {
	// Given a pc, returns the corresponding file, line, and function data.
	// If unknown, returns "",0,nil.
	PCToLine(uint64) (string, int, *gosym.Func)
}

type ModuleData

// ModuleData is the version-independent summary of a moduledata record: it
// keeps only the fields the parser needs so that callers get one type no
// matter which versioned layout was decoded.
// All addresses and slice headers here were copied from the analysed binary;
// they are candidates, not validated facts, until checked against the file's
// sections.
type ModuleData struct {
	VA        uint64    // NOTE(review): presumably the virtual address of the moduledata record itself — confirm
	TextVA    uint64    // adjusted (ex: CGO) .text base that pclntab offsets are relative to
	Types     uint64    // points to type information
	ETypes    uint64    // points to end of type information
	Typelinks GoSlice64 // points to metadata about offsets into types for structures and other types
	ITablinks GoSlice64 // points to metadata about offsets into types for interfaces

	// Some versions of go with 1.2 moduledata use a slice instead of the types + offset typelinks list
	LegacyTypes GoSlice64
}

This is a general structure that just holds the fields I care about. This lets us return a single type, even though moduledata changes between Go versions.

type ModuleData116_32

// ModuleData116_32 is the flat 32-bit image of a moduledata record as stored
// in the analysed binary; treat field order and widths as part of the format.
// Every pvoid32 and every slice/string header is a value read from the file
// and needs a range check before it is followed.
// NOTE(review): "116" presumably selects the Go 1.16 layout — confirm.
type ModuleData116_32 struct {
	PcHeader     pvoid32
	Funcnametab  GoSlice32
	Cutab        GoSlice32
	Filetab      GoSlice32
	Pctab        GoSlice32
	Pclntable    GoSlice32
	Ftab         GoSlice32
	Findfunctab  pvoid32
	Minpc        pvoid32
	Maxpc        pvoid32
	Text         pvoid32
	Etext        pvoid32
	Noptrdata    pvoid32
	Enoptrdata   pvoid32
	Data         pvoid32
	Edata        pvoid32
	Bss          pvoid32
	Ebss         pvoid32
	Noptrbss     pvoid32
	Enoptrbss    pvoid32
	End          pvoid32
	Gcdata       pvoid32
	Gcbss        pvoid32
	Types        pvoid32
	Etypes       pvoid32
	Textsectmap  GoSlice32
	Typelinks    GoSlice32
	Itablinks    GoSlice32
	Ptab         GoSlice32
	Pluginpath   GoString32
	Pkghashes    GoSlice32
	Modulename   GoString32
	Modulehashes GoSlice32
	Hasmain      bool
	Gcdatamask   GoBitVector32
	Gcbssmask    GoBitVector32
	Typemap      pvoid32
	Badload      bool
	Next         pvoid32
}

type ModuleData116_64

// ModuleData116_64 is the flat 64-bit image of a moduledata record as stored
// in the analysed binary; treat field order and widths as part of the format.
// Every pvoid64 and every slice/string header is a value read from the file
// and needs a range check before it is followed.
// NOTE(review): "116" presumably selects the Go 1.16 layout — confirm.
type ModuleData116_64 struct {
	PcHeader     pvoid64
	Funcnametab  GoSlice64
	Cutab        GoSlice64
	Filetab      GoSlice64
	Pctab        GoSlice64
	Pclntable    GoSlice64
	Ftab         GoSlice64
	Findfunctab  pvoid64
	Minpc        pvoid64
	Maxpc        pvoid64
	Text         pvoid64
	Etext        pvoid64
	Noptrdata    pvoid64
	Enoptrdata   pvoid64
	Data         pvoid64
	Edata        pvoid64
	Bss          pvoid64
	Ebss         pvoid64
	Noptrbss     pvoid64
	Enoptrbss    pvoid64
	End          pvoid64
	Gcdata       pvoid64
	Gcbss        pvoid64
	Types        pvoid64
	Etypes       pvoid64
	Textsectmap  GoSlice64
	Typelinks    GoSlice64
	Itablinks    GoSlice64
	Ptab         GoSlice64
	Pluginpath   GoString64
	Pkghashes    GoSlice64
	Modulename   GoString64
	Modulehashes GoSlice64
	Hasmain      bool
	Gcdatamask   GoBitVector64
	Gcbssmask    GoBitVector64
	Typemap      pvoid64
	Badload      bool
	Next         pvoid64
}

type ModuleData118_32

// ModuleData118_32 is the flat 32-bit image of a moduledata record as stored
// in the analysed binary. Compared with ModuleData116_32 it inserts Rodata and
// Gofunc after Etypes, which shifts every later field; decoding with the wrong
// layout therefore yields plausible-looking but wrong addresses.
// All values are read from the file and need range checks before use.
// NOTE(review): "118" presumably selects the Go 1.18 layout — confirm.
type ModuleData118_32 struct {
	PcHeader     pvoid32
	Funcnametab  GoSlice32
	Cutab        GoSlice32
	Filetab      GoSlice32
	Pctab        GoSlice32
	Pclntable    GoSlice32
	Ftab         GoSlice32
	Findfunctab  pvoid32
	Minpc        pvoid32
	Maxpc        pvoid32
	Text         pvoid32
	Etext        pvoid32
	Noptrdata    pvoid32
	Enoptrdata   pvoid32
	Data         pvoid32
	Edata        pvoid32
	Bss          pvoid32
	Ebss         pvoid32
	Noptrbss     pvoid32
	Enoptrbss    pvoid32
	End          pvoid32
	Gcdata       pvoid32
	Gcbss        pvoid32
	Types        pvoid32
	Etypes       pvoid32
	Rodata       pvoid32
	Gofunc       pvoid32
	Textsectmap  GoSlice32
	Typelinks    GoSlice32
	Itablinks    GoSlice32
	Ptab         GoSlice32
	Pluginpath   GoString32
	Pkghashes    GoSlice32
	Modulename   GoString32
	Modulehashes GoSlice32
	Hasmain      bool
	Gcdatamask   GoBitVector32
	Gcbssmask    GoBitVector32
	Typemap      pvoid32
	Badload      bool
	Next         pvoid32
}

type ModuleData118_64

// ModuleData118_64 is the flat 64-bit image of a moduledata record as stored
// in the analysed binary. Compared with ModuleData116_64 it inserts Rodata and
// Gofunc after Etypes, which shifts every later field; decoding with the wrong
// layout therefore yields plausible-looking but wrong addresses.
// All values are read from the file and need range checks before use.
// NOTE(review): "118" presumably selects the Go 1.18 layout — confirm.
type ModuleData118_64 struct {
	PcHeader     pvoid64
	Funcnametab  GoSlice64
	Cutab        GoSlice64
	Filetab      GoSlice64
	Pctab        GoSlice64
	Pclntable    GoSlice64
	Ftab         GoSlice64
	Findfunctab  pvoid64
	Minpc        pvoid64
	Maxpc        pvoid64
	Text         pvoid64
	Etext        pvoid64
	Noptrdata    pvoid64
	Enoptrdata   pvoid64
	Data         pvoid64
	Edata        pvoid64
	Bss          pvoid64
	Ebss         pvoid64
	Noptrbss     pvoid64
	Enoptrbss    pvoid64
	End          pvoid64
	Gcdata       pvoid64
	Gcbss        pvoid64
	Types        pvoid64
	Etypes       pvoid64
	Rodata       pvoid64
	Gofunc       pvoid64
	Textsectmap  GoSlice64
	Typelinks    GoSlice64
	Itablinks    GoSlice64
	Ptab         GoSlice64
	Pluginpath   GoString64
	Pkghashes    GoSlice64
	Modulename   GoString64
	Modulehashes GoSlice64
	Hasmain      bool
	Gcdatamask   GoBitVector64
	Gcbssmask    GoBitVector64
	Typemap      pvoid64
	Badload      bool
	Next         pvoid64
}

type ModuleData120_32

// ModuleData120_32 is the flat 32-bit image of a moduledata record as stored
// in the analysed binary. Compared with ModuleData118_32 it inserts Covctrs
// and Ecovctrs after Enoptrbss, which shifts every later field; decoding with
// the wrong layout therefore yields plausible-looking but wrong addresses.
// All values are read from the file and need range checks before use.
// NOTE(review): "120" presumably selects the Go 1.20 layout — confirm.
type ModuleData120_32 struct {
	PcHeader     pvoid32
	Funcnametab  GoSlice32
	Cutab        GoSlice32
	Filetab      GoSlice32
	Pctab        GoSlice32
	Pclntable    GoSlice32
	Ftab         GoSlice32
	Findfunctab  pvoid32
	Minpc        pvoid32
	Maxpc        pvoid32
	Text         pvoid32
	Etext        pvoid32
	Noptrdata    pvoid32
	Enoptrdata   pvoid32
	Data         pvoid32
	Edata        pvoid32
	Bss          pvoid32
	Ebss         pvoid32
	Noptrbss     pvoid32
	Enoptrbss    pvoid32
	Covctrs      pvoid32
	Ecovctrs     pvoid32
	End          pvoid32
	Gcdata       pvoid32
	Gcbss        pvoid32
	Types        pvoid32
	Etypes       pvoid32
	Rodata       pvoid32
	Gofunc       pvoid32
	Textsectmap  GoSlice32
	Typelinks    GoSlice32
	Itablinks    GoSlice32
	Ptab         GoSlice32
	Pluginpath   GoString32
	Pkghashes    GoSlice32
	Modulename   GoString32
	Modulehashes GoSlice32
	Hasmain      bool
	Gcdatamask   GoBitVector32
	Gcbssmask    GoBitVector32
	Typemap      pvoid32
	Badload      bool
	Next         pvoid32
}

type ModuleData120_64

// ModuleData120_64 is the flat 64-bit image of a moduledata record as stored
// in the analysed binary. Compared with ModuleData118_64 it inserts Covctrs
// and Ecovctrs after Enoptrbss, which shifts every later field; decoding with
// the wrong layout therefore yields plausible-looking but wrong addresses.
// All values are read from the file and need range checks before use.
// NOTE(review): "120" presumably selects the Go 1.20 layout — confirm.
type ModuleData120_64 struct {
	PcHeader     pvoid64
	Funcnametab  GoSlice64
	Cutab        GoSlice64
	Filetab      GoSlice64
	Pctab        GoSlice64
	Pclntable    GoSlice64
	Ftab         GoSlice64
	Findfunctab  pvoid64
	Minpc        pvoid64
	Maxpc        pvoid64
	Text         pvoid64
	Etext        pvoid64
	Noptrdata    pvoid64
	Enoptrdata   pvoid64
	Data         pvoid64
	Edata        pvoid64
	Bss          pvoid64
	Ebss         pvoid64
	Noptrbss     pvoid64
	Enoptrbss    pvoid64
	Covctrs      pvoid64
	Ecovctrs     pvoid64
	End          pvoid64
	Gcdata       pvoid64
	Gcbss        pvoid64
	Types        pvoid64
	Etypes       pvoid64
	Rodata       pvoid64
	Gofunc       pvoid64
	Textsectmap  GoSlice64
	Typelinks    GoSlice64
	Itablinks    GoSlice64
	Ptab         GoSlice64
	Pluginpath   GoString64
	Pkghashes    GoSlice64
	Modulename   GoString64
	Modulehashes GoSlice64
	Hasmain      bool
	Gcdatamask   GoBitVector64
	Gcbssmask    GoBitVector64
	Typemap      pvoid64
	Badload      bool
	Next         pvoid64
}

type ModuleData12_32

// ModuleData12_32 is the flat 32-bit image of a "1.2"-style moduledata record
// as stored in the analysed binary. Unlike the ModuleData116 layouts it has no
// PcHeader, Funcnametab, Cutab or Pctab and starts directly at Pclntable.
// The file table field is spelled FileTab here but Filetab in the other
// layouts in this package.
// All values are read from the file and need range checks before use.
// NOTE(review): which runtime versions this covers is not stated here — confirm.
type ModuleData12_32 struct {
	Pclntable    GoSlice32
	Ftab         GoSlice32
	FileTab      GoSlice32
	Findfunctab  pvoid32
	Minpc        pvoid32
	Maxpc        pvoid32
	Text         pvoid32
	Etext        pvoid32
	Noptrdata    pvoid32
	Enoptrdata   pvoid32
	Data         pvoid32
	Edata        pvoid32
	Bss          pvoid32
	Ebss         pvoid32
	Noptrbss     pvoid32
	Enoptrbss    pvoid32
	End          pvoid32
	Gcdata       pvoid32
	Gcbss        pvoid32
	Types        pvoid32
	Etypes       pvoid32
	Textsectmap  GoSlice32
	Typelinks    GoSlice32
	Itablinks    GoSlice32
	Ptab         GoSlice32
	Pluginpath   GoString32
	Pkghashes    GoSlice32
	Modulename   GoString32
	Modulehashes GoSlice32
	Hasmain      bool
	Gcdatamask   GoBitVector32
	Gcbssmask    GoBitVector32
	Typemap      pvoid32
	Badload      bool
	Next         pvoid32
}

type ModuleData12_64

// ModuleData12_64 is the flat 64-bit image of a "1.2"-style moduledata record
// as stored in the analysed binary. Unlike the ModuleData116 layouts it has no
// PcHeader, Funcnametab, Cutab or Pctab and starts directly at Pclntable.
// The file table field is spelled FileTab here but Filetab in the other
// layouts in this package.
// All values are read from the file and need range checks before use.
// NOTE(review): which runtime versions this covers is not stated here — confirm.
type ModuleData12_64 struct {
	Pclntable    GoSlice64
	Ftab         GoSlice64
	FileTab      GoSlice64
	Findfunctab  pvoid64
	Minpc        pvoid64
	Maxpc        pvoid64
	Text         pvoid64
	Etext        pvoid64
	Noptrdata    pvoid64
	Enoptrdata   pvoid64
	Data         pvoid64
	Edata        pvoid64
	Bss          pvoid64
	Ebss         pvoid64
	Noptrbss     pvoid64
	Enoptrbss    pvoid64
	End          pvoid64
	Gcdata       pvoid64
	Gcbss        pvoid64
	Types        pvoid64
	Etypes       pvoid64
	Textsectmap  GoSlice64
	Typelinks    GoSlice64
	Itablinks    GoSlice64
	Ptab         GoSlice64
	Pluginpath   GoString64
	Pkghashes    GoSlice64
	Modulename   GoString64
	Modulehashes GoSlice64
	Hasmain      bool
	Gcdatamask   GoBitVector64
	Gcbssmask    GoBitVector64
	Typemap      pvoid64
	Badload      bool
	Next         pvoid64
}

type ModuleData12_r15_r16_32

// ModuleData12_r15_r16_32 is the flat 32-bit image of a moduledata record as
// stored in the analysed binary. It is the shortest layout in this package:
// there is no Types/Etypes pair and no Itablinks, only Typelinks.
// All values are read from the file and need range checks before use.
// NOTE(review): by analogy with the 64-bit sibling's note ("1.2, runtime
// 1.5-1.6"), this is presumably the 32-bit form of the same layout — confirm.
type ModuleData12_r15_r16_32 struct {
	Pclntable   GoSlice32
	Ftab        GoSlice32
	Filetab     GoSlice32
	Findfunctab pvoid32
	Minpc       pvoid32
	Maxpc       pvoid32

	Text       pvoid32
	Etext      pvoid32
	Noptrdata  pvoid32
	Enoptrdata pvoid32
	Data       pvoid32
	Edata      pvoid32
	Bss        pvoid32
	Ebss       pvoid32
	Noptrbss   pvoid32
	Enoptrbss  pvoid32
	End        pvoid32
	Gcdata     pvoid32
	Gcbss      pvoid32

	Typelinks GoSlice32

	Modulename   GoString32
	Modulehashes GoSlice32
	Gcdatamask   GoBitVector32
	Gcbssmask    GoBitVector32

	Next pvoid32
}

type ModuleData12_r15_r16_64

// ModuleData12_r15_r16_64 is the flat 64-bit image of a moduledata record for
// "1.2, runtime 1.5-1.6" binaries, as stored in the analysed binary. It is the
// shortest layout in this package: there is no Types/Etypes pair and no
// Itablinks, only Typelinks.
// All values are read from the file and need range checks before use.
type ModuleData12_r15_r16_64 struct {
	Pclntable   GoSlice64
	Ftab        GoSlice64
	Filetab     GoSlice64
	Findfunctab pvoid64
	Minpc       pvoid64
	Maxpc       pvoid64

	Text       pvoid64
	Etext      pvoid64
	Noptrdata  pvoid64
	Enoptrdata pvoid64
	Data       pvoid64
	Edata      pvoid64
	Bss        pvoid64
	Ebss       pvoid64
	Noptrbss   pvoid64
	Enoptrbss  pvoid64
	End        pvoid64
	Gcdata     pvoid64
	Gcbss      pvoid64

	Typelinks GoSlice64

	Modulename   GoString64
	Modulehashes GoSlice64
	Gcdatamask   GoBitVector64
	Gcbssmask    GoBitVector64

	Next pvoid64
}

1.2, runtime 1.5-1.6, 64bit

type ModuleData12_r17_32

// ModuleData12_r17_32 is the flat 32-bit image of a moduledata record as
// stored in the analysed binary. Compared with ModuleData12_r15_r16_32 it adds
// Types/Etypes, Itablinks and Typemap, so later fields sit at different
// offsets.
// All values are read from the file and need range checks before use.
// NOTE(review): "r17" presumably means runtime 1.7 — confirm.
type ModuleData12_r17_32 struct {
	Pclntable   GoSlice32
	Ftab        GoSlice32
	Filetab     GoSlice32
	Findfunctab pvoid32
	Minpc       pvoid32
	Maxpc       pvoid32

	Text       pvoid32
	Etext      pvoid32
	Noptrdata  pvoid32
	Enoptrdata pvoid32
	Data       pvoid32
	Edata      pvoid32
	Bss        pvoid32
	Ebss       pvoid32
	Noptrbss   pvoid32
	Enoptrbss  pvoid32
	End        pvoid32
	Gcdata     pvoid32
	Gcbss      pvoid32
	Types      pvoid32
	Etypes     pvoid32

	Typelinks GoSlice32
	Itablinks GoSlice32

	Modulename   GoString32
	Modulehashes GoSlice32

	Gcdatamask GoBitVector32
	Gcbssmask  GoBitVector32

	Typemap pvoid32
	Next    pvoid32
}

type ModuleData12_r17_64

// ModuleData12_r17_64 is the flat 64-bit image of a moduledata record as
// stored in the analysed binary. Compared with ModuleData12_r15_r16_64 it adds
// Types/Etypes, Itablinks and Typemap, so later fields sit at different
// offsets.
// All values are read from the file and need range checks before use.
// NOTE(review): "r17" presumably means runtime 1.7 — confirm.
type ModuleData12_r17_64 struct {
	Pclntable   GoSlice64
	Ftab        GoSlice64
	Filetab     GoSlice64
	Findfunctab pvoid64
	Minpc       pvoid64
	Maxpc       pvoid64

	Text       pvoid64
	Etext      pvoid64
	Noptrdata  pvoid64
	Enoptrdata pvoid64
	Data       pvoid64
	Edata      pvoid64
	Bss        pvoid64
	Ebss       pvoid64
	Noptrbss   pvoid64
	Enoptrbss  pvoid64
	End        pvoid64
	Gcdata     pvoid64
	Gcbss      pvoid64
	Types      pvoid64
	Etypes     pvoid64

	Typelinks GoSlice64
	Itablinks GoSlice64

	Modulename   GoString64
	Modulehashes GoSlice64

	Gcdatamask GoBitVector64
	Gcbssmask  GoBitVector64

	Typemap pvoid64
	Next    pvoid64
}

type ModuleDataCandidate

// ModuleDataCandidate is a possible moduledata location found by a search.
// It is a candidate only: the bytes have not been proven to be a real
// moduledata record and should be validated before any field is followed.
type ModuleDataCandidate struct {
	SecStart     uint64 // NOTE(review): presumably the start address of the section that holds the candidate — confirm
	ModuledataVA uint64 // virtual address of the candidate record
	Moduledata   []byte // raw bytes of the candidate — extent not shown here; confirm
}

type PclntabCandidate

// PclntabCandidate is a possible pclntab location found by a search, together
// with whatever was parsed from it. It remains a candidate until its hints are
// confirmed against the moduledata that is located afterwards.
type PclntabCandidate struct {
	SecStart                uint64
	PclntabVA               uint64
	StompMagicCandidateMeta *StompMagicCandidate // some search modes might optimistically try to find moduledata or guess endianness, these hints must match the found moduleData VA later to be considered good candidate
	Pclntab                 []byte
	Symtab                  []byte // optional
	ParsedPclntab           *gosym.Table
}

type RegexAndNeedle

type RegexAndNeedle struct {
	// contains filtered or unexported fields
}

func RegexpPatternFromYaraPattern

func RegexpPatternFromYaraPattern(pattern string) (*RegexAndNeedle, error)

translate from a yara-style pattern, like:

{ 48 8D 0? ?? ?? ?? ?? EB ?? 48 8? 8? ?? 02 00 00 66 0F 1F 44 00 00 }

to a regular expression string compatible with the binaryregexp module, like:

\x48\x8D[\x00-\x0F]....\xEB.\x48[\x80-\x8F][\x80-\x8F].\x02\x00\x00\x66\x0F\x1F\x44\x00\x00

Although this requires more code, we provide this functionality because these patterns are *much* more readable than raw regular expressions; we strongly value people being able to understand GoReSym's algorithm.

type Reloc

// Reloc describes one relocation: the byte range it applies to and a helper
// that renders it as text.
type Reloc struct {
	Addr     uint64 // Address of first byte that reloc applies to.
	Size     uint64 // Number of bytes
	Stringer RelocStringer
}

type RelocStringer

// RelocStringer renders a relocation as text for a given instruction offset.
type RelocStringer interface {
	// insnOffset is the offset of the instruction containing the relocation
	// from the start of the symbol containing the relocation.
	String(insnOffset uint64) string
}

type Rtype114_115_116_117_118_32

// Rtype114_115_116_117_118_32 is the flat 32-bit image of a runtime type
// descriptor as stored in the analysed binary. Unlike the
// Rtype17_18_19_110_111_112_113 layouts it has an Equal pointer where those
// have Alg. Str and PtrToThis are offsets, not pointers.
// All values are read from the file; resolve offsets and pointers only after
// range-checking them.
// NOTE(review): the name presumably lists the Go versions covered
// (1.14-1.18) — confirm.
type Rtype114_115_116_117_118_32 struct {
	Size       size_t32
	Ptrdata    size_t32 // number of bytes in the type that can contain pointers
	Hash       uint32   // hash of type; avoids computation in hash tables
	Tflag      tflag    // extra type information flags
	Align      uint8    // alignment of variable with this type
	FieldAlign uint8    // alignment of struct field with this type
	Kind       Kind
	Equal      pvoid32
	Gcdata     pvoid32 // garbage collection data
	Str        nameOff // string form
	PtrToThis  typeOff // type for pointer to this type, may be zero
}

type Rtype114_115_116_117_118_64

// Rtype114_115_116_117_118_64 is the flat 64-bit image of a runtime type
// descriptor as stored in the analysed binary. Unlike the
// Rtype17_18_19_110_111_112_113 layouts it has an Equal pointer where those
// have Alg. Str and PtrToThis are offsets, not pointers.
// All values are read from the file; resolve offsets and pointers only after
// range-checking them.
// NOTE(review): the name presumably lists the Go versions covered
// (1.14-1.18) — confirm.
type Rtype114_115_116_117_118_64 struct {
	Size       size_t64
	Ptrdata    size_t64 // number of bytes in the type that can contain pointers
	Hash       uint32   // hash of type; avoids computation in hash tables
	Tflag      tflag    // extra type information flags
	Align      uint8    // alignment of variable with this type
	FieldAlign uint8    // alignment of struct field with this type
	Kind       Kind
	Equal      pvoid64
	Gcdata     pvoid64 // garbage collection data
	Str        nameOff // string form
	PtrToThis  typeOff // type for pointer to this type, may be zero
}

type Rtype15_32

// Rtype15_32 is the flat 32-bit image of a runtime type descriptor as stored
// in the analysed binary. In this layout Str, UncommonType and PtrToThis are
// full pointers, and there is a trailing Zero pointer that Rtype16_32 lacks.
// All values are read from the file; follow the pointers only after
// range-checking them.
// NOTE(review): "15" presumably means Go 1.5 — confirm. The byte after Hash is
// named Unused here although its comment speaks of flags — confirm which holds.
type Rtype15_32 struct {
	Size         size_t32
	Ptrdata      size_t32 // number of bytes in the type that can contain pointers
	Hash         uint32   // hash of type; avoids computation in hash tables
	Unused       uint8    // extra type information flags
	Align        uint8    // alignment of variable with this type
	FieldAlign   uint8    // alignment of struct field with this type
	Kind         Kind     // enumeration for C
	Alg          pvoid32  // algorithm table
	Gcdata       pvoid32  // garbage collection data
	Str          pvoid32  // string form
	UncommonType pvoid32
	PtrToThis    pvoid32 // type for pointer to this type, may be zero
	Zero         pvoid32
}

type Rtype15_64

// Rtype15_64 is the flat 64-bit image of a runtime type descriptor as stored
// in the analysed binary. In this layout Str, UncommonType and PtrToThis are
// full pointers, and there is a trailing Zero pointer that Rtype16_64 lacks.
// All values are read from the file; follow the pointers only after
// range-checking them.
// NOTE(review): "15" presumably means Go 1.5 — confirm. The byte after Hash is
// named Unused here although its comment speaks of flags — confirm which holds.
type Rtype15_64 struct {
	Size         size_t64
	Ptrdata      size_t64 // number of bytes in the type that can contain pointers
	Hash         uint32   // hash of type; avoids computation in hash tables
	Unused       uint8    // extra type information flags
	Align        uint8    // alignment of variable with this type
	FieldAlign   uint8    // alignment of struct field with this type
	Kind         Kind     // enumeration for C
	Alg          pvoid64  // algorithm table
	Gcdata       pvoid64  // garbage collection data
	Str          pvoid64  // string form
	UncommonType pvoid64
	PtrToThis    pvoid64 // type for pointer to this type, may be zero
	Zero         pvoid64
}

type Rtype16_32

// Rtype16_32 is the flat 32-bit image of a runtime type descriptor as stored
// in the analysed binary. It matches Rtype15_32 field for field except that
// the trailing Zero pointer is gone.
// All values are read from the file; follow the pointers only after
// range-checking them.
// NOTE(review): "16" presumably means Go 1.6 — confirm. The byte after Hash is
// named Unused here although its comment speaks of flags — confirm which holds.
type Rtype16_32 struct {
	Size         size_t32
	Ptrdata      size_t32 // number of bytes in the type that can contain pointers
	Hash         uint32   // hash of type; avoids computation in hash tables
	Unused       uint8    // extra type information flags
	Align        uint8    // alignment of variable with this type
	FieldAlign   uint8    // alignment of struct field with this type
	Kind         Kind     // enumeration for C
	Alg          pvoid32  // algorithm table
	Gcdata       pvoid32  // garbage collection data
	Str          pvoid32  // string form
	UncommonType pvoid32
	PtrToThis    pvoid32 // type for pointer to this type, may be zero
}

type Rtype16_64

// Rtype16_64 is the flat 64-bit image of a runtime type descriptor as stored
// in the analysed binary. It matches Rtype15_64 field for field except that
// the trailing Zero pointer is gone.
// All values are read from the file; follow the pointers only after
// range-checking them.
// NOTE(review): "16" presumably means Go 1.6 — confirm. The byte after Hash is
// named Unused here although its comment speaks of flags — confirm which holds.
type Rtype16_64 struct {
	Size         size_t64
	Ptrdata      size_t64 // number of bytes in the type that can contain pointers
	Hash         uint32   // hash of type; avoids computation in hash tables
	Unused       uint8    // extra type information flags
	Align        uint8    // alignment of variable with this type
	FieldAlign   uint8    // alignment of struct field with this type
	Kind         Kind     // enumeration for C
	Alg          pvoid64  // algorithm table
	Gcdata       pvoid64  // garbage collection data
	Str          pvoid64  // string form
	UncommonType pvoid64
	PtrToThis    pvoid64 // type for pointer to this type, may be zero
}

type Rtype17_18_19_110_111_112_113_32

// Rtype17_18_19_110_111_112_113_32 is the flat 32-bit image of a runtime type
// descriptor as stored in the analysed binary. Compared with Rtype16_32, Str
// and PtrToThis are offsets (nameOff / typeOff) instead of pointers, the byte
// after Hash is Tflag, and there is no UncommonType pointer.
// All values are read from the file; resolve offsets and pointers only after
// range-checking them.
// NOTE(review): the name presumably lists the Go versions covered
// (1.7-1.13) — confirm.
type Rtype17_18_19_110_111_112_113_32 struct {
	Size       size_t32
	Ptrdata    size_t32 // number of bytes in the type that can contain pointers
	Hash       uint32   // hash of type; avoids computation in hash tables
	Tflag      tflag    // extra type information flags
	Align      uint8    // alignment of variable with this type
	FieldAlign uint8    // alignment of struct field with this type
	Kind       Kind     // enumeration for C
	Alg        pvoid32  // algorithm table
	Gcdata     pvoid32  // garbage collection data
	Str        nameOff  // string form
	PtrToThis  typeOff  // type for pointer to this type, may be zero
}

type Rtype17_18_19_110_111_112_113_64

// Rtype17_18_19_110_111_112_113_64 is the flat 64-bit image of a runtime type
// descriptor as stored in the analysed binary. Compared with Rtype16_64, Str
// and PtrToThis are offsets (nameOff / typeOff) instead of pointers, the byte
// after Hash is Tflag, and there is no UncommonType pointer.
// All values are read from the file; resolve offsets and pointers only after
// range-checking them.
// NOTE(review): the name presumably lists the Go versions covered
// (1.7-1.13) — confirm.
type Rtype17_18_19_110_111_112_113_64 struct {
	Size       size_t64
	Ptrdata    size_t64 // number of bytes in the type that can contain pointers
	Hash       uint32   // hash of type; avoids computation in hash tables
	Tflag      tflag    // extra type information flags
	Align      uint8    // alignment of variable with this type
	FieldAlign uint8    // alignment of struct field with this type
	Kind       Kind     // enumeration for C
	Alg        pvoid64  // algorithm table
	Gcdata     pvoid64  // garbage collection data
	Str        nameOff  // string form
	PtrToThis  typeOff  // type for pointer to this type, may be zero
}

type SignatureMatch

type SignatureMatch struct {
	// contains filtered or unexported fields
}

type StompMagicCandidate

// StompMagicCandidate carries the hints a pclntab search produced when it had
// to guess: where the pclntab is, where moduledata is suspected to be, and the
// assumed byte order. These are guesses; PclntabCandidate's field comment
// notes they must match the moduledata VA found later before the candidate is
// considered good.
type StompMagicCandidate struct {
	PclntabVa             uint64 // virtual address of the pclntab candidate
	SuspectedModuleDataVa uint64 // guessed moduledata address, to be confirmed later
	LittleEndian          bool   // guessed byte order
}

type Sym

// A Sym is a symbol defined in an executable file.
type Sym struct {
	Name   string  // symbol name
	Addr   uint64  // virtual address of symbol
	Size   int64   // size in bytes
	Code   rune    // nm code (T for text, D for data, and so on)
	Type   string  // XXX?
	Relocs []Reloc // in increasing Addr order
}

A Sym is a symbol defined in an executable file.

type Textsect_32

// Textsect_32 is the flat 32-bit image of one text section mapping entry as
// stored in the analysed binary. The three addresses are read from the file
// and should be sanity-checked (for example End not below Vaddr) before they
// are used to translate addresses.
type Textsect_32 struct {
	Vaddr    pvoid32 // prelinked section vaddr
	End      pvoid32 // vaddr + section length
	Baseaddr pvoid32 // relocated section address
}

type Textsect_64

// Textsect_64 is the flat 64-bit image of one text section mapping entry as
// stored in the analysed binary. The three addresses are read from the file
// and should be sanity-checked (for example End not below Vaddr) before they
// are used to translate addresses.
type Textsect_64 struct {
	Vaddr    pvoid64 // prelinked section vaddr
	End      pvoid64 // vaddr + section length
	Baseaddr pvoid64 // relocated section address
}

type Type

// Type is the version-independent summary of a parsed runtime type: it keeps
// only the fields the tool reports so that callers get one type no matter
// which Rtype layout was decoded.
// The string fields are derived from data in the analysed binary; treat them
// as untrusted text when printing or embedding them in other output.
type Type struct {
	VA             uint64
	Str            string
	CStr           string
	Kind           string
	Reconstructed  string `json:",omitempty"` // for some types we can reconstruct the original definition back to Go code
	CReconstructed string `json:",omitempty"` // for some types we can reconstruct the original definition back to C code
	// contains filtered or unexported fields
}

This is a general structure that just holds the fields I care about. This lets us return a single type, even though rtypes change between Go versions.
