mentebinaria / readpe

The PE file analysis toolkit
GNU General Public License v2.0

Update list of known machine types #186

Closed pali closed 1 year ago

pali commented 1 year ago

Several machine type constants are missing from the libpe/readpe code.

For example, an MPPC binary compiled by MSVC40's MPPC CL.EXE compiler is not recognized by readpe:

    Machine:                         0x601 Unknown machine type

Here is a simple change that adds the known machine types from the SDK's winnt.h file, plus MPPC:

diff --git a/lib/libpe/include/libpe/hdr_coff.h b/lib/libpe/include/libpe/hdr_coff.h
index ff361ad6e265..ff47dd16f005 100644
--- a/lib/libpe/include/libpe/hdr_coff.h
+++ b/lib/libpe/include/libpe/hdr_coff.h
@@ -30,25 +30,38 @@ extern "C" {

 typedef enum {
    IMAGE_FILE_MACHINE_UNKNOWN      = 0x0,
+   IMAGE_FILE_MACHINE_ALPHA        = 0x184,
+   IMAGE_FILE_MACHINE_ALPHA64      = 0x284,
    IMAGE_FILE_MACHINE_AM33         = 0x1d3,
    IMAGE_FILE_MACHINE_AMD64        = 0x8664,
    IMAGE_FILE_MACHINE_ARM          = 0x1c0,
    IMAGE_FILE_MACHINE_ARMV7        = 0x1c4,
+   IMAGE_FILE_MACHINE_ARM64        = 0xaa64,
    IMAGE_FILE_MACHINE_CEE          = 0xc0ee,
+   IMAGE_FILE_MACHINE_CEF          = 0xcef,
    IMAGE_FILE_MACHINE_EBC          = 0xebc,
    IMAGE_FILE_MACHINE_I386         = 0x14c,
+   IMAGE_FILE_MACHINE_I860         = 0x14d,
    IMAGE_FILE_MACHINE_IA64         = 0x200,
    IMAGE_FILE_MACHINE_M32R         = 0x9041,
+   IMAGE_FILE_MACHINE_M68K         = 0x268,
    IMAGE_FILE_MACHINE_MIPS16       = 0x266,
    IMAGE_FILE_MACHINE_MIPSFPU      = 0x366,
    IMAGE_FILE_MACHINE_MIPSFPU16    = 0x466,
+   IMAGE_FILE_MACHINE_MPPC_601     = 0x601,
+   IMAGE_FILE_MACHINE_PARISC       = 0x290,
    IMAGE_FILE_MACHINE_POWERPC      = 0x1f0,
    IMAGE_FILE_MACHINE_POWERPCFP    = 0x1f1,
+   IMAGE_FILE_MACHINE_R3000        = 0x162,
+   IMAGE_FILE_MACHINE_R3000_BE     = 0x160,
    IMAGE_FILE_MACHINE_R4000        = 0x166,
+   IMAGE_FILE_MACHINE_R10000       = 0x168,
    IMAGE_FILE_MACHINE_SH3          = 0x1a2,
    IMAGE_FILE_MACHINE_SH3DSP       = 0x1a3,
+   IMAGE_FILE_MACHINE_SH3E         = 0x1a4,
    IMAGE_FILE_MACHINE_SH4          = 0x1a6,
    IMAGE_FILE_MACHINE_SH5          = 0x1a8,
+   IMAGE_FILE_MACHINE_TRICORE      = 0x520,
    IMAGE_FILE_MACHINE_THUMB        = 0x1c2,
    IMAGE_FILE_MACHINE_WCEMIPSV2    = 0x169
 } MachineType;
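Review bot: The enum still stops short of the machine values defined in the current PE specification and winnt.h, so images built for those targets would keep the `Unknown machine type` label shown in the description, which is unhelpful when the tool is used to triage unfamiliar samples. Missing entries include `IMAGE_FILE_MACHINE_RISCV64 = 0x5064,`, `IMAGE_FILE_MACHINE_LOONGARCH64 = 0x6264,` and `IMAGE_FILE_MACHINE_ARM64EC = 0xa641,` (likewise RISCV32 0x5032, RISCV128 0x5128, LOONGARCH32 0x6232 and ARM64X 0xa64e), each of which would need a matching `LIBPE_ENTRY` line in the pe.c hunk. Separately, `IMAGE_FILE_MACHINE_MPPC_601` is, by the description's own account, not taken from winnt.h, so a short comment on that line such as `/* not in winnt.h; value seen in MSVC 4.0 MPPC output */` would record where 0x601 comes from.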
diff --git a/lib/libpe/pe.c b/lib/libpe/pe.c
index a0f057b3af46..298a109cf716 100644
--- a/lib/libpe/pe.c
+++ b/lib/libpe/pe.c
@@ -448,25 +448,38 @@ const char *pe_machine_type_name(MachineType type) {

    static const MachineEntry names[] = {
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_UNKNOWN),
+       LIBPE_ENTRY(IMAGE_FILE_MACHINE_ALPHA),
+       LIBPE_ENTRY(IMAGE_FILE_MACHINE_ALPHA64),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_AM33),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_AMD64),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_ARM),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_ARMV7),
+       LIBPE_ENTRY(IMAGE_FILE_MACHINE_ARM64),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_CEE),
+       LIBPE_ENTRY(IMAGE_FILE_MACHINE_CEF),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_EBC),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_I386),
+       LIBPE_ENTRY(IMAGE_FILE_MACHINE_I860),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_IA64),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_M32R),
+       LIBPE_ENTRY(IMAGE_FILE_MACHINE_M68K),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_MIPS16),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_MIPSFPU),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_MIPSFPU16),
+       LIBPE_ENTRY(IMAGE_FILE_MACHINE_MPPC_601),
+       LIBPE_ENTRY(IMAGE_FILE_MACHINE_PARISC),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_POWERPC),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_POWERPCFP),
+       LIBPE_ENTRY(IMAGE_FILE_MACHINE_R3000),
+       LIBPE_ENTRY(IMAGE_FILE_MACHINE_R3000_BE),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_R4000),
+       LIBPE_ENTRY(IMAGE_FILE_MACHINE_R10000),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_SH3),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_SH3DSP),
+       LIBPE_ENTRY(IMAGE_FILE_MACHINE_SH3E),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_SH4),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_SH5),
+       LIBPE_ENTRY(IMAGE_FILE_MACHINE_TRICORE),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_THUMB),
        LIBPE_ENTRY(IMAGE_FILE_MACHINE_WCEMIPSV2)
    };
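Review bot: The `names` table repeats the `MachineType` list from hdr_coff.h by hand and nothing visible ties the two together, so an enumerator added to the header alone would compile cleanly and presumably end up reported as an unknown type. A comment above the array such as `/* One LIBPE_ENTRY per MachineType enumerator in hdr_coff.h; keep both lists in step. */` would make that dependency visible to the next contributor. The lookup and its fallback sit in the part of `pe_machine_type_name` that lies outside the hunk, so the fallback behaviour is inferred rather than seen.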
pali commented 1 year ago

The constant for M68K is still missing:

    Machine:                         0x268 Unknown machine type
pali commented 1 year ago

I updated the list to also include M68K, PARISC, I860 (present in NT 3.1 SDK), and renamed MPPC to MPPC_601, as this is the name already in use; see: https://github.com/search?q=IMAGE_FILE_MACHINE_PARISC&type=code https://github.com/search?q=IMAGE_FILE_MACHINE_MPPC_601&type=code

GoGoOtaku commented 1 year ago

Thank you