-
Notifications
You must be signed in to change notification settings - Fork 957
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implemented computation of export hashes #321
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code doesn't look bad but spaces need to be replaced with tabs and few return by values can be replaced with return by const reference.
This PR is however incomplete. It is missing some files, for example I don't see any changes in src/fileformat/types/export_table
but there should be since header is changed. Presentation to JSON is also missing.
@@ -116,6 +116,7 @@ class FileFormat : public retdec::utils::ByteValueStorage, private retdec::utils | |||
void loadStrings(StringType type, std::size_t charSize); | |||
void loadStrings(StringType type, std::size_t charSize, const SecSeg* secSeg); | |||
void loadImpHash(); | |||
void loadExpHash(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use tabs for indentation.
@@ -42,6 +42,7 @@ class Export | |||
|
|||
/// @name Other methods | |||
/// @{ | |||
virtual bool isUsedForImphash() const; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use tabs for indentation. Also, this method shouldn't be here.
public: | ||
ExportTable(); | ||
~ExportTable(); | ||
|
||
/// @name Getters | ||
/// @{ | ||
std::size_t getNumberOfExports() const; | ||
std::string getExphashCrc32() const; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should probably return const std::string&
.
loadImports(); | ||
loadExports(); | ||
|
||
if(stateIsValid) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use tabs for indentation.
@@ -733,6 +734,8 @@ void PeFormat::loadExports() | |||
exportTable->addExport(newExport); | |||
} | |||
|
|||
loadExpHash(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use tabs for indentation.
@@ -26,7 +26,7 @@ namespace fileinfo { | |||
FileDetector::FileDetector(std::string pathToInputFile, FileInformation &finfo, retdec::cpdetect::DetectParams &searchPar, retdec::fileformat::LoadFlags loadFlags) : | |||
fileInfo(finfo), cpParams(searchPar), fileConfig(nullptr), fileParser(nullptr), loaded(false), loadFlags(loadFlags) | |||
{ | |||
fileInfo.setPathToFile(pathToInputFile); | |||
fileInfo.setPathToFile(pathToInputFile); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use tabs for indentation.
@@ -37,8 +37,8 @@ const unsigned long long PE_16_FLAGS_SIZE = 16; | |||
PeDetector::PeDetector(std::string pathToInputFile, FileInformation &finfo, retdec::cpdetect::DetectParams &searchPar, retdec::fileformat::LoadFlags loadFlags) : | |||
FileDetector(pathToInputFile, finfo, searchPar, loadFlags) | |||
{ | |||
fileParser = peParser = std::make_shared<PeWrapper>(fileInfo.getPathToFile(), loadFlags); | |||
loaded = peParser->isInValidState(); | |||
fileParser = peParser = std::make_shared<PeWrapper>(fileInfo.getPathToFile(), loadFlags); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use tabs for indentation.
@@ -179,6 +179,9 @@ class FileInformation | |||
/// @name Getters of @a exportTable | |||
/// @{ | |||
std::size_t getNumberOfStoredExports() const; | |||
std::string getExphashCrc32() const; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use tabs for indentation.
info.push_back(numToStr(fileinfo.getNumberOfStoredExports())); | ||
|
||
return info.size(); | ||
desc.push_back("CRC32 : "); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use tabs for indentation.
info.push_back(numToStr(fileinfo.getNumberOfStoredExports())); | ||
|
||
return info.size(); | ||
desc.push_back("crc32"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use tabs for indentation.
A few notes from me:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added my review notes and I also have two general notes to add:
- What about other file formats like ELF or Mach-O? I believe this kind of hash would come handy for us even for formats other than PE.
- Whenever we detect nonprintable characters in export name we replace its name with generic name
exported_function_<address>
(at least on PE and Mach-O). This can potentially cause problems and generate same hash for two completely different files with export tables corrupted in the same way. I'll need to analyze this before I give you final decision. I'll get back to you soon.
@@ -21,14 +21,20 @@ class ExportTable | |||
{ | |||
private: | |||
using exportsIterator = std::vector<Export>::const_iterator; | |||
std::vector<Export> exports; ///< stored exports | |||
std::vector<Export> exports; ///< stored exports |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We use tabs only to indent code. If you want to add comments at the end of the line, align it with spaces please.
info.push_back(numToStr(fileinfo.getNumberOfStoredExports())); | ||
info.push_back(fileinfo.getImphashCrc32()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be exphash, not imphash. Same for all three of them.
#121
expHashes are calculated after the table gets sorted alphabetically. ordinals are not converted to names rather to form of "ord<ord_num>"