malwaredb_types/exec/pef/

mod.rs

// SPDX-License-Identifier: Apache-2.0

use crate::exec::{Architecture, ExecutableFile, OperatingSystem, Section, Sections};
use crate::utils::{
    bytes_offset_match, i32_from_offset, string_from_offset, u16_from_offset, u32_from_offset,
    EntropyCalc,
};
use crate::{Ordering, SpecimenFile};

use std::fmt::{Display, Formatter};
use std::mem::size_of;

use anyhow::{bail, Result};
use chrono::{DateTime, NaiveDateTime, TimeDelta, Utc};
use tracing::instrument;

// Documentation:
// https://web.archive.org/web/20020219190852/http://developer.apple.com/techpubs/mac/runtimehtml/RTArch-91.html#HEADING=91-0

const MAGIC: [u8; 8] = [0x4a, 0x6f, 0x79, 0x21, 0x70, 0x65, 0x66, 0x66]; // Joy!peff
const PWPC: [u8; 4] = [0x70, 0x77, 0x70, 0x63];
const M68K: [u8; 4] = [0x6d, 0x36, 0x38, 0x6b];

const HEADER_SIZE: usize = 40;
const SECTION_HEADER_SIZE: usize = 28;

/// The struct for [Preferred Executables](https://en.wikipedia.org/wiki/Preferred_Executable_Format).
///
/// This was the binary format for "Classic" Mac OS, and Be OS on Power PC. Some data is only
/// on the "resource fork", which is not available on modern systems, so we can't the entire file. :(
#[derive(Clone, Debug, PartialEq)]
pub struct Pef<'a> {
    /// Instruction set architecture for this binary
    pub arch: Option<Architecture>,

    /// Byte ordering for this binary
    pub ordering: Ordering,

    /// Operating System for this binary, likely Classic Mac OS
    pub os: OperatingSystem,

    /// Sections of this binary
    pub sections: Option<Sections<'a>>,

    /// Seconds since 1 January 1904
    pub timestamp: u32,

    /// The array containing the raw bytes used to parse this program
    pub contents: &'a [u8],
}

/// PEF section header
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
pub struct SectionHeader {
    /// Location in the file for the section name, or -1 if the section is unnamed
    pub name_offset: Option<usize>,

    /// Linker's preferred memory address for loading the binary
    pub default_address: u32,

    /// Total section size in memory at run-time
    pub total_size: u32,

    /// Size of the executable code, or data to be initialized at run-time after decompression
    pub unpacked_size: u32,

    /// Size of the section
    pub packed_size: u32,

    /// Location in the file where the section begins
    pub container_offset: u32,

    /// Attributes of the section
    pub section_kind: u8,

    /// Indicates how data might be shared at run-time
    pub share_kind: u8,

    /// Alignment of bytes in memory
    pub alignment: u8,

    /// Reserved, should be zero
    pub reserved: u8,
}

impl AsRef<[u8; size_of::<Self>()]> for SectionHeader {
    #[allow(clippy::transmute_ptr_to_ptr)]
    fn as_ref(&self) -> &[u8; size_of::<Self>()] {
        unsafe { std::mem::transmute::<_, &[u8; size_of::<Self>()]>(self) }
    }
}

impl SectionHeader {
    /// Section header from a sequence of bytes
    #[must_use]
    pub fn from(contents: &[u8]) -> Self {
        Self {
            name_offset: {
                let val = i32_from_offset(contents, 0, Ordering::BigEndian).unwrap_or_default();
                if val > 0 {
                    #[allow(clippy::cast_sign_loss)]
                    Some(val as usize)
                } else {
                    None
                }
            },
            default_address: u32_from_offset(contents, 4, Ordering::BigEndian).unwrap_or_default(),
            total_size: u32_from_offset(contents, 8, Ordering::BigEndian).unwrap_or_default(),
            unpacked_size: u32_from_offset(contents, 12, Ordering::BigEndian).unwrap_or_default(),
            packed_size: u32_from_offset(contents, 16, Ordering::BigEndian).unwrap_or_default(),
            container_offset: u32_from_offset(contents, 20, Ordering::BigEndian)
                .unwrap_or_default(),
            section_kind: contents[24],
            share_kind: contents[25],
            alignment: contents[26],
            reserved: contents[27],
        }
    }
}

impl<'a> Pef<'a> {
    /// Parsed PEF from a sequence of bytes
    ///
    /// # Errors
    ///
    /// Returns an error if parsing fails.
    #[instrument(name = "PEF parser", skip(contents))]
    pub fn from(contents: &'a [u8]) -> Result<Self> {
        if !bytes_offset_match(contents, 0, &MAGIC) {
            bail!("Not a PEF file");
        }

        let arch = {
            if bytes_offset_match(contents, 8, &PWPC) {
                Some(Architecture::PowerPC)
            } else if bytes_offset_match(contents, 8, &M68K) {
                Some(Architecture::M68k)
            } else {
                None
            }
        };

        let section_count = u16_from_offset(contents, 32, Ordering::BigEndian).unwrap_or_default();
        let inst_section_count =
            u16_from_offset(contents, 34, Ordering::BigEndian).unwrap_or_default();

        let mut sections = Sections::default();
        for section_index in 0..(section_count + inst_section_count) as usize {
            // There seems to be an issue after "section_count" number of sections where
            // the sizes or needed offset value changes, and the incoming values don't
            // match what one would expect when looking at the binary with a hex editor.
            let offset_this_section = HEADER_SIZE + section_index * SECTION_HEADER_SIZE;
            if offset_this_section > contents.len() {
                break;
            }
            let this_section = SectionHeader::from(
                &contents[offset_this_section..offset_this_section + HEADER_SIZE],
            );

            let section_name = {
                let default = format!("Unnamed section {section_index}");
                if let Some(offset) = this_section.name_offset {
                    string_from_offset(contents, offset).unwrap_or(default)
                } else {
                    default
                }
            };

            sections.push(Section {
                name: section_name,
                is_executable: this_section.section_kind == 0 || this_section.section_kind == 8,
                size: this_section.packed_size as usize,
                offset: this_section.container_offset as usize,
                virtual_size: 0,
                virtual_address: 0,
                data: None,
                entropy: 0.0,
            });
        }

        Ok(Self {
            arch,
            ordering: Ordering::BigEndian,
            os: OperatingSystem::MacOS_Classic,
            sections: Some(sections),
            timestamp: u32_from_offset(contents, 16, Ordering::BigEndian).unwrap_or_default(),
            contents,
        })
    }

    /// Compiled timestamp as UTC
    ///
    /// # Panics
    ///
    /// This code won't panic despite some `.unwrap()` calls.
    #[must_use]
    pub fn compiled_date(&self) -> DateTime<Utc> {
        let janone1940 = DateTime::from_naive_utc_and_offset(
            NaiveDateTime::parse_from_str("1904-01-01 00:00:00", "%Y-%m-%d %H:%M:%S").unwrap(),
            Utc,
        );
        janone1940 + TimeDelta::try_seconds(i64::from(self.timestamp)).unwrap()
    }
}

impl ExecutableFile for Pef<'_> {
    fn architecture(&self) -> Option<Architecture> {
        self.arch
    }

    fn pointer_size(&self) -> usize {
        32
    }

    fn operating_system(&self) -> OperatingSystem {
        self.os
    }

    fn compiled_timestamp(&self) -> Option<DateTime<Utc>> {
        Some(self.compiled_date())
    }

    #[allow(clippy::cast_possible_truncation)]
    fn num_sections(&self) -> u32 {
        self.sections.as_ref().unwrap_or(&Sections::default()).len() as u32
    }

    fn sections(&self) -> Option<&Sections<'_>> {
        self.sections.as_ref()
    }

    fn import_hash(&self) -> Option<String> {
        None
    }

    fn fuzzy_imports(&self) -> Option<String> {
        None
    }
}

impl SpecimenFile for Pef<'_> {
    const MAGIC: &'static [&'static [u8]] = &[&MAGIC];

    fn type_name(&self) -> &'static str {
        "PEF"
    }
}

impl Display for Pef<'_> {
    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
        writeln!(f, "PEF file:")?;
        writeln!(f, "\tOS: {}", self.os)?;
        if let Some(arch) = self.arch {
            writeln!(f, "\tArchitecture: {arch}")?;
        }
        writeln!(f, "\tOrdering: {}", self.ordering)?;
        if let Some(sections) = &self.sections {
            writeln!(f, "\t{} sections:", sections.len())?;
            for section in sections {
                writeln!(f, "\t\t{section}")?;
            }
        }
        writeln!(
            f,
            "\tCompiled: {:?}",
            self.compiled_date().format("%Y-%m-%d %H:%M:%S").to_string()
        )?;
        writeln!(f, "\tSize: {}", self.contents.len())?;
        writeln!(f, "\tEntropy: {:.4}", self.contents.entropy())
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use rstest::rstest;

    #[test]
    fn beos() {
        const BYTES: &[u8] = include_bytes!("../../../testdata/pef/BeApp");

        let pef = Pef::from(BYTES).unwrap();
        eprintln!("BeOS:\n{pef}");
        assert_eq!(pef.arch, Some(Architecture::PowerPC));
    }

    #[rstest]
    #[case(include_bytes!("../../../testdata/pef/MacOS_1"))]
    #[case(include_bytes!("../../../testdata/pef/MacOS_2"))]
    fn macos(#[case] bytes: &[u8]) {
        let pef = Pef::from(bytes).unwrap();
        eprintln!("Mac OS:\n{pef}");
        assert_eq!(pef.arch, Some(Architecture::PowerPC));
    }
}