Documentation ¶
Overview ¶
Copyright (C) 2022 Mandiant, Inc. All Rights Reserved.
Package objfile implements portable access to OS-specific executable files.
Index ¶
- Variables
- func FindRegex(data []byte, regexInfo *RegexAndNeedle) []int
- type CachedFile
- type ChanDir
- type Disasm
- type Entry
- func (e *Entry) DWARF() (*dwarf.Data, error)
- func (e *Entry) Disasm() (*Disasm, error)
- func (e *Entry) GOARCH() string
- func (e *Entry) LoadAddress() (uint64, error)
- func (e *Entry) ModuleDataTable(pclntabVA uint64, runtimeVersion string, version string, is64bit bool, ...) (secStart uint64, moduleData *ModuleData, err error)
- func (e *Entry) Name() string
- func (e *Entry) PCLineTable(versionOverride string, knownPclntabVA uint64, knownGoTextBase uint64) ([]PclntabCandidate, error)
- func (e *Entry) ParseITabLinks(runtimeVersion string, moduleData *ModuleData, is64bit bool, littleendian bool) (types []Type, err error)
- func (e *Entry) ParseType(runtimeVersion string, moduleData *ModuleData, typeAddress uint64, ...) (_type []Type, err error)
- func (e *Entry) ParseTypeLinks(runtimeVersion string, moduleData *ModuleData, is64bit bool, littleendian bool) (types []Type, err error)
- func (e *Entry) ParseType_impl(runtimeVersion string, moduleData *ModuleData, typeAddress uint64, ...) (*orderedmap.OrderedMap, error)
- func (e *Entry) ReadPointerSizeMem(addr uint64, is64bit bool, littleendian bool) (result uint64, err error)
- func (e *Entry) Symbols() ([]Sym, error)
- func (e *Entry) Text() (uint64, []byte, error)
- type File
- func (f *File) Close() error
- func (f *File) DWARF() (*dwarf.Data, error)
- func (f *File) Disasm() (*Disasm, error)
- func (f *File) Entries() []*Entry
- func (f *File) GOARCH() string
- func (f *File) LoadAddress() (uint64, error)
- func (f *File) ModuleDataTable(pclntabVA uint64, runtimeVersion string, version string, is64bit bool, ...) (secStart uint64, moduleData *ModuleData, err error)
- func (f *File) PCLineTable(versionOverride string, knownPclntabVA uint64, knownGoTextBase uint64) ([]PclntabCandidate, error)
- func (f *File) ParseITabLinks(runtimeVersion string, moduleData *ModuleData, is64bit bool, littleendian bool) (types []Type, err error)
- func (f *File) ParseType(runtimeVersion string, moduleData *ModuleData, typeAddress uint64, ...) (types []Type, err error)
- func (f *File) ParseTypeLinks(runtimeVersion string, moduleData *ModuleData, is64bit bool, littleendian bool) (types []Type, err error)
- func (f *File) Symbols() ([]Sym, error)
- func (f *File) Text() (uint64, []byte, error)
- type FileCache
- type FuncTab118
- type FuncTab12_116_32
- type FuncTab12_116_64
- type GoBitVector32
- type GoBitVector64
- type GoSlice32
- type GoSlice64
- type GoString32
- type GoString64
- type IMethod
- type Kind
- type Liner
- type ModuleData
- type ModuleData116_32
- type ModuleData116_64
- type ModuleData118_32
- type ModuleData118_64
- type ModuleData120_32
- type ModuleData120_64
- type ModuleData12_32
- type ModuleData12_64
- type ModuleData12_r15_r16_32
- type ModuleData12_r15_r16_64
- type ModuleData12_r17_32
- type ModuleData12_r17_64
- type ModuleDataCandidate
- type PclntabCandidate
- type RegexAndNeedle
- type Reloc
- type RelocStringer
- type Rtype114_115_116_117_118_32
- type Rtype114_115_116_117_118_64
- type Rtype15_32
- type Rtype15_64
- type Rtype16_32
- type Rtype16_64
- type Rtype17_18_19_110_111_112_113_32
- type Rtype17_18_19_110_111_112_113_64
- type SignatureMatch
- type StompMagicCandidate
- type Sym
- type Textsect_32
- type Textsect_64
- type Type
Constants ¶
This section is empty.
Variables ¶
var ARM32_sig = signatureModuleDataInitARM32{0, `{ ?? ?? 9F E5 ?? ?? ?? EA ?? ?? ?? E5 ?? ?? ?? E3 ?? ?? ?? 0A }`}
0x0006AA00 80 12 9F E5 LDR R1, =firstmoduleData // 0xE59F1280 -> 0b11 100101100111110001001010000000 -> size = 11, 0x0006AA04 00 00 00 EA B loc_6AA0C 0x0006AA08 18 11 91 E5 LDR R1, [R1,#0x118] 0x0006AA0C 00 00 51 E3 CMP R1, #0 0x0006AA10 69 00 00 0A BEQ loc_6ABBC
var ARM64_sig = signatureModuleDataInitARM64{0, 4, `{ ?? ?? ?? (90 | b0 | f0 | d0) ?? ?? ?? 91 ?? ?? ?? (14 | 17) ?? ?? 41 F9 ?? ?? ?? B4 }`}
0x000000000005C1E8 41 14 00 F0 ADRP X1, #unk_2E7000 // 0xF0001441 -> 0b1 11 10000 0000000000010100010 00001 -> op=1, immlo=0b11, immhi=0b0000000000010100010 ........................................................................ // X1 = ((0b0000000000010100010 11 << 12) + 0x5C1E8) = 0b1011100111000111101000 = 0b1011100111000111101000 & 0xFFFFFFFFFFFFF000 = 0x2E7000 0x000000000005C1EC 21 80 3D 91 ADD X1, X1, #firstmoduleData@PAGEOFF // 0x913d8021 -> 0b100 100010 0 111101100000 00001 00001 -> sh = 0, imm12 = 0b111101100000, Rn = 00001, Rb = 00001 ....................................................................... // X1 = 0x2E7000 + 0b111101100000 (0xF60) = 0x2E7F60 0x000000000005C1F0 02 00 00 14 B loc_5C1F8 0x14 00 00 02 0x000000000005C1F4 21 18 41 F9 LDR X1, [X1,#0x230] 0x000000000005C1F8 21 0D 00 B4 CBZ X1, loc_5C39C 0xb4000d21 THIS SIG ENCODES the 0x230 struct field offset - might need to mask that more if we see misses - TODO
var PPC_BE_sig = signatureModuleDataInitPPC{2, 6, `{ 3? 80 00 ?? 3? ?? ?? ?? 48 ?? ?? ?? E? ?? 02 ?? 7C ?? ?? ?? 41 82 ?? ?? }`}
0x0000000000061a74: 3C 80 00 2C lis r4, 0x2c // moduledata 0x0000000000061a78: 38 84 80 00 addi r4, r4, 0x8000 // moduledata ((0x2c << 16) - 0x8000) 0x0000000000061a7c: 48 00 00 08 b 0x61a84 0x0000000000061a80: E8 84 02 30 ld r4, 0x230(r4) 0x0000000000061a84: 7C 24 00 00 cmpd r4, r0 0x0000000000061a88: 41 82 01 A8 beq 0x61c30
Functions ¶
func FindRegex ¶
func FindRegex(data []byte, regexInfo *RegexAndNeedle) []int
Types ¶
type CachedFile ¶
CachedFile contains the content of a file split into lines.
type Disasm ¶
type Disasm struct {
// contains filtered or unexported fields
}
Disasm is a disassembler for a given File.
func (*Disasm) Decode ¶
func (d *Disasm) Decode(start, end uint64, relocs []Reloc, gnuAsm bool, f func(pc, size uint64, file string, line int, text string))
Decode disassembles the text segment range [start, end), calling f for each instruction.
func (*Disasm) Print ¶
func (d *Disasm) Print(w io.Writer, filter *regexp.Regexp, start, end uint64, printCode bool, gnuAsm bool)
Print prints a disassembly of the file to w. If filter is non-nil, the disassembly only includes functions with names matching filter. If printCode is true, the disassembly includs corresponding source lines. The disassembly only includes functions that overlap the range [start, end).
type Entry ¶
type Entry struct {
// contains filtered or unexported fields
}
func (*Entry) DWARF ¶
DWARF returns DWARF debug data for the file, if any. This is for cmd/pprof to locate cgo functions.
func (*Entry) LoadAddress ¶
LoadAddress returns the expected load address of the file. This differs from the actual load address for a position-independent executable.
func (*Entry) ModuleDataTable ¶
func (*Entry) PCLineTable ¶
func (e *Entry) PCLineTable(versionOverride string, knownPclntabVA uint64, knownGoTextBase uint64) ([]PclntabCandidate, error)
previously: func (e *Entry) PCLineTable() (Liner, error)
func (*Entry) ParseITabLinks ¶
func (*Entry) ParseTypeLinks ¶
func (*Entry) ParseType_impl ¶
func (e *Entry) ParseType_impl(runtimeVersion string, moduleData *ModuleData, typeAddress uint64, is64bit bool, littleendian bool, parsedTypesIn *orderedmap.OrderedMap) (*orderedmap.OrderedMap, error)
func (*Entry) ReadPointerSizeMem ¶
type File ¶
type File struct {
// contains filtered or unexported fields
}
A File is an opened executable file.
func Open ¶
Open opens the named file. The caller must call f.Close when the file is no longer needed.
func (*File) LoadAddress ¶
func (*File) ModuleDataTable ¶
func (*File) PCLineTable ¶
func (f *File) PCLineTable(versionOverride string, knownPclntabVA uint64, knownGoTextBase uint64) ([]PclntabCandidate, error)
previously : func (f *File) PCLineTable() (Liner, error) {
func (*File) ParseITabLinks ¶
func (*File) ParseTypeLinks ¶
type FileCache ¶
type FileCache struct {
// contains filtered or unexported fields
}
FileCache is a simple LRU cache of file contents.
func NewFileCache ¶
NewFileCache returns a FileCache which can contain up to maxLen cached file contents.
type FuncTab118 ¶
type FuncTab12_116_32 ¶
type FuncTab12_116_32 struct { Entryoffset pvoid32 // relative to runtime.text, ie. VA Funcoffset pvoid32 // relative to ftab table start }
type FuncTab12_116_64 ¶
type FuncTab12_116_64 struct { Entryoffset pvoid64 // relative to runtime.text, ie. VA Funcoffset pvoid64 // relative to ftab table start }
a function table entry in 'ftab'
type GoBitVector32 ¶
type GoBitVector32 struct { Bitnum int32 Bytedata pvoid32 }
type GoBitVector64 ¶
type GoBitVector64 struct { Bitnum int32 Bytedata pvoid64 }
https://github.com/golang/go/blob/dbd3cf884986c88f5b3350709c0f51fa02330805/src/runtime/stack.go#L583
type GoSlice64 ¶
All types following this are the binary representation of internal objects. These are 'flat', i.e. one pointer level deep. Access to pointers and such require a memory read to retrieve the backing data. https://github.com/golang/go/blob/23adc139bf1c0c099dd075da076f5a1f3ac700d4/src/reflect/value.go#L2599
type GoString32 ¶
type GoString32 struct { Data pvoid32 Len size_t32 }
type GoString64 ¶
type GoString64 struct { Data pvoid64 Len size_t64 }
type ModuleData ¶
type ModuleData struct { VA uint64 TextVA uint64 // adjusted (ex: CGO) .text base that pclntab offsets are relative to Types uint64 // points to type information ETypes uint64 // points to end of type information Typelinks GoSlice64 // points to metadata about offsets into types for structures and other types ITablinks GoSlice64 // points to metadata about offsets into types for interfaces // Some versions of go with 1.2 moduledata use a slice instead of the types + offset typelinks list LegacyTypes GoSlice64 }
This is a general structure that just holds the fields I care about this lets us return a single type, even though moduledata changes between go version
type ModuleData116_32 ¶
type ModuleData116_32 struct { PcHeader pvoid32 Funcnametab GoSlice32 Cutab GoSlice32 Filetab GoSlice32 Pctab GoSlice32 Pclntable GoSlice32 Ftab GoSlice32 Findfunctab pvoid32 Minpc pvoid32 Maxpc pvoid32 Text pvoid32 Etext pvoid32 Noptrdata pvoid32 Enoptrdata pvoid32 Data pvoid32 Edata pvoid32 Bss pvoid32 Ebss pvoid32 Noptrbss pvoid32 Enoptrbss pvoid32 End pvoid32 Gcdata pvoid32 Gcbss pvoid32 Types pvoid32 Etypes pvoid32 Textsectmap GoSlice32 Typelinks GoSlice32 Itablinks GoSlice32 Ptab GoSlice32 Pluginpath GoString32 Pkghashes GoSlice32 Modulename GoString32 Modulehashes GoSlice32 Hasmain bool Gcdatamask GoBitVector32 Gcbssmask GoBitVector32 Typemap pvoid32 Badload bool Next pvoid32 }
type ModuleData116_64 ¶
type ModuleData116_64 struct { PcHeader pvoid64 Funcnametab GoSlice64 Cutab GoSlice64 Filetab GoSlice64 Pctab GoSlice64 Pclntable GoSlice64 Ftab GoSlice64 Findfunctab pvoid64 Minpc pvoid64 Maxpc pvoid64 Text pvoid64 Etext pvoid64 Noptrdata pvoid64 Enoptrdata pvoid64 Data pvoid64 Edata pvoid64 Bss pvoid64 Ebss pvoid64 Noptrbss pvoid64 Enoptrbss pvoid64 End pvoid64 Gcdata pvoid64 Gcbss pvoid64 Types pvoid64 Etypes pvoid64 Textsectmap GoSlice64 Typelinks GoSlice64 Itablinks GoSlice64 Ptab GoSlice64 Pluginpath GoString64 Pkghashes GoSlice64 Modulename GoString64 Modulehashes GoSlice64 Hasmain bool Gcdatamask GoBitVector64 Gcbssmask GoBitVector64 Typemap pvoid64 Badload bool Next pvoid64 }
type ModuleData118_32 ¶
type ModuleData118_32 struct { PcHeader pvoid32 Funcnametab GoSlice32 Cutab GoSlice32 Filetab GoSlice32 Pctab GoSlice32 Pclntable GoSlice32 Ftab GoSlice32 Findfunctab pvoid32 Minpc pvoid32 Maxpc pvoid32 Text pvoid32 Etext pvoid32 Noptrdata pvoid32 Enoptrdata pvoid32 Data pvoid32 Edata pvoid32 Bss pvoid32 Ebss pvoid32 Noptrbss pvoid32 Enoptrbss pvoid32 End pvoid32 Gcdata pvoid32 Gcbss pvoid32 Types pvoid32 Etypes pvoid32 Rodata pvoid32 Gofunc pvoid32 Textsectmap GoSlice32 Typelinks GoSlice32 Itablinks GoSlice32 Ptab GoSlice32 Pluginpath GoString32 Pkghashes GoSlice32 Modulename GoString32 Modulehashes GoSlice32 Hasmain bool Gcdatamask GoBitVector32 Gcbssmask GoBitVector32 Typemap pvoid32 Badload bool Next pvoid32 }
type ModuleData118_64 ¶
type ModuleData118_64 struct { PcHeader pvoid64 Funcnametab GoSlice64 Cutab GoSlice64 Filetab GoSlice64 Pctab GoSlice64 Pclntable GoSlice64 Ftab GoSlice64 Findfunctab pvoid64 Minpc pvoid64 Maxpc pvoid64 Text pvoid64 Etext pvoid64 Noptrdata pvoid64 Enoptrdata pvoid64 Data pvoid64 Edata pvoid64 Bss pvoid64 Ebss pvoid64 Noptrbss pvoid64 Enoptrbss pvoid64 End pvoid64 Gcdata pvoid64 Gcbss pvoid64 Types pvoid64 Etypes pvoid64 Rodata pvoid64 Gofunc pvoid64 Textsectmap GoSlice64 Typelinks GoSlice64 Itablinks GoSlice64 Ptab GoSlice64 Pluginpath GoString64 Pkghashes GoSlice64 Modulename GoString64 Modulehashes GoSlice64 Hasmain bool Gcdatamask GoBitVector64 Gcbssmask GoBitVector64 Typemap pvoid64 Badload bool Next pvoid64 }
type ModuleData120_32 ¶
type ModuleData120_32 struct { PcHeader pvoid32 Funcnametab GoSlice32 Cutab GoSlice32 Filetab GoSlice32 Pctab GoSlice32 Pclntable GoSlice32 Ftab GoSlice32 Findfunctab pvoid32 Minpc pvoid32 Maxpc pvoid32 Text pvoid32 Etext pvoid32 Noptrdata pvoid32 Enoptrdata pvoid32 Data pvoid32 Edata pvoid32 Bss pvoid32 Ebss pvoid32 Noptrbss pvoid32 Enoptrbss pvoid32 Covctrs pvoid32 Ecovctrs pvoid32 End pvoid32 Gcdata pvoid32 Gcbss pvoid32 Types pvoid32 Etypes pvoid32 Rodata pvoid32 Gofunc pvoid32 Textsectmap GoSlice32 Typelinks GoSlice32 Itablinks GoSlice32 Ptab GoSlice32 Pluginpath GoString32 Pkghashes GoSlice32 Modulename GoString32 Modulehashes GoSlice32 Hasmain bool Gcdatamask GoBitVector32 Gcbssmask GoBitVector32 Typemap pvoid32 Badload bool Next pvoid32 }
type ModuleData120_64 ¶
type ModuleData120_64 struct { PcHeader pvoid64 Funcnametab GoSlice64 Cutab GoSlice64 Filetab GoSlice64 Pctab GoSlice64 Pclntable GoSlice64 Ftab GoSlice64 Findfunctab pvoid64 Minpc pvoid64 Maxpc pvoid64 Text pvoid64 Etext pvoid64 Noptrdata pvoid64 Enoptrdata pvoid64 Data pvoid64 Edata pvoid64 Bss pvoid64 Ebss pvoid64 Noptrbss pvoid64 Enoptrbss pvoid64 Covctrs pvoid64 Ecovctrs pvoid64 End pvoid64 Gcdata pvoid64 Gcbss pvoid64 Types pvoid64 Etypes pvoid64 Rodata pvoid64 Gofunc pvoid64 Textsectmap GoSlice64 Typelinks GoSlice64 Itablinks GoSlice64 Ptab GoSlice64 Pluginpath GoString64 Pkghashes GoSlice64 Modulename GoString64 Modulehashes GoSlice64 Hasmain bool Gcdatamask GoBitVector64 Gcbssmask GoBitVector64 Typemap pvoid64 Badload bool Next pvoid64 }
type ModuleData12_32 ¶
type ModuleData12_32 struct { Pclntable GoSlice32 Ftab GoSlice32 FileTab GoSlice32 Findfunctab pvoid32 Minpc pvoid32 Maxpc pvoid32 Text pvoid32 Etext pvoid32 Noptrdata pvoid32 Enoptrdata pvoid32 Data pvoid32 Edata pvoid32 Bss pvoid32 Ebss pvoid32 Noptrbss pvoid32 Enoptrbss pvoid32 End pvoid32 Gcdata pvoid32 Gcbss pvoid32 Types pvoid32 Etypes pvoid32 Textsectmap GoSlice32 Typelinks GoSlice32 Itablinks GoSlice32 Ptab GoSlice32 Pluginpath GoString32 Pkghashes GoSlice32 Modulename GoString32 Modulehashes GoSlice32 Hasmain bool Gcdatamask GoBitVector32 Gcbssmask GoBitVector32 Typemap pvoid32 Badload bool Next pvoid32 }
type ModuleData12_64 ¶
type ModuleData12_64 struct { Pclntable GoSlice64 Ftab GoSlice64 FileTab GoSlice64 Findfunctab pvoid64 Minpc pvoid64 Maxpc pvoid64 Text pvoid64 Etext pvoid64 Noptrdata pvoid64 Enoptrdata pvoid64 Data pvoid64 Edata pvoid64 Bss pvoid64 Ebss pvoid64 Noptrbss pvoid64 Enoptrbss pvoid64 End pvoid64 Gcdata pvoid64 Gcbss pvoid64 Types pvoid64 Etypes pvoid64 Textsectmap GoSlice64 Typelinks GoSlice64 Itablinks GoSlice64 Ptab GoSlice64 Pluginpath GoString64 Pkghashes GoSlice64 Modulename GoString64 Modulehashes GoSlice64 Hasmain bool Gcdatamask GoBitVector64 Gcbssmask GoBitVector64 Typemap pvoid64 Badload bool Next pvoid64 }
type ModuleData12_r15_r16_32 ¶
type ModuleData12_r15_r16_32 struct { Pclntable GoSlice32 Ftab GoSlice32 Filetab GoSlice32 Findfunctab pvoid32 Minpc pvoid32 Maxpc pvoid32 Text pvoid32 Etext pvoid32 Noptrdata pvoid32 Enoptrdata pvoid32 Data pvoid32 Edata pvoid32 Bss pvoid32 Ebss pvoid32 Noptrbss pvoid32 Enoptrbss pvoid32 End pvoid32 Gcdata pvoid32 Gcbss pvoid32 Typelinks GoSlice32 Modulename GoString32 Modulehashes GoSlice32 Gcdatamask GoBitVector32 Gcbssmask GoBitVector32 Next pvoid32 }
type ModuleData12_r15_r16_64 ¶
type ModuleData12_r15_r16_64 struct { Pclntable GoSlice64 Ftab GoSlice64 Filetab GoSlice64 Findfunctab pvoid64 Minpc pvoid64 Maxpc pvoid64 Text pvoid64 Etext pvoid64 Noptrdata pvoid64 Enoptrdata pvoid64 Data pvoid64 Edata pvoid64 Bss pvoid64 Ebss pvoid64 Noptrbss pvoid64 Enoptrbss pvoid64 End pvoid64 Gcdata pvoid64 Gcbss pvoid64 Typelinks GoSlice64 Modulename GoString64 Modulehashes GoSlice64 Gcdatamask GoBitVector64 Gcbssmask GoBitVector64 Next pvoid64 }
1.2, runtime 1.5-1.6, 64bit
type ModuleData12_r17_32 ¶
type ModuleData12_r17_32 struct { Pclntable GoSlice32 Ftab GoSlice32 Filetab GoSlice32 Findfunctab pvoid32 Minpc pvoid32 Maxpc pvoid32 Text pvoid32 Etext pvoid32 Noptrdata pvoid32 Enoptrdata pvoid32 Data pvoid32 Edata pvoid32 Bss pvoid32 Ebss pvoid32 Noptrbss pvoid32 Enoptrbss pvoid32 End pvoid32 Gcdata pvoid32 Gcbss pvoid32 Types pvoid32 Etypes pvoid32 Typelinks GoSlice32 Itablinks GoSlice32 Modulename GoString32 Modulehashes GoSlice32 Gcdatamask GoBitVector32 Gcbssmask GoBitVector32 Typemap pvoid32 Next pvoid32 }
type ModuleData12_r17_64 ¶
type ModuleData12_r17_64 struct { Pclntable GoSlice64 Ftab GoSlice64 Filetab GoSlice64 Findfunctab pvoid64 Minpc pvoid64 Maxpc pvoid64 Text pvoid64 Etext pvoid64 Noptrdata pvoid64 Enoptrdata pvoid64 Data pvoid64 Edata pvoid64 Bss pvoid64 Ebss pvoid64 Noptrbss pvoid64 Enoptrbss pvoid64 End pvoid64 Gcdata pvoid64 Gcbss pvoid64 Types pvoid64 Etypes pvoid64 Typelinks GoSlice64 Itablinks GoSlice64 Modulename GoString64 Modulehashes GoSlice64 Gcdatamask GoBitVector64 Gcbssmask GoBitVector64 Typemap pvoid64 Next pvoid64 }
type ModuleDataCandidate ¶
type PclntabCandidate ¶
type PclntabCandidate struct { SecStart uint64 PclntabVA uint64 StompMagicCandidateMeta *StompMagicCandidate // some search modes might optimistically try to find moduledata or guess endianess, these hints must match the found moduleData VA later to be considered good candidate Pclntab []byte Symtab []byte // optional ParsedPclntab *gosym.Table }
type RegexAndNeedle ¶
type RegexAndNeedle struct {
// contains filtered or unexported fields
}
func RegexpPatternFromYaraPattern ¶
func RegexpPatternFromYaraPattern(pattern string) (*RegexAndNeedle, error)
translate from a yara-style pattern, like:
{ 48 8D 0? ?? ?? ?? ?? EB ?? 48 8? 8? ?? 02 00 00 66 0F 1F 44 00 00 }
to a regular expression string compatible with the binaryregexp module, like:
\x48\x8D[\x00-\x0F]....\xEB.\x48[\x80-\x8F][\x80-\x8F].\x02\x00\x00\x66\x0F\x1F\x44\x00\x00
although this requires more code, we provide this functionality because these patterns are *much* more readable than raw regular expressions, we strongly value people being able to understand GoReSym's algorithm.
type Reloc ¶
type Reloc struct { Addr uint64 // Address of first byte that reloc applies to. Size uint64 // Number of bytes Stringer RelocStringer }
type RelocStringer ¶
type Rtype114_115_116_117_118_32 ¶
type Rtype114_115_116_117_118_32 struct { Size size_t32 Ptrdata size_t32 // number of bytes in the type that can contain pointers Hash uint32 // hash of type; avoids computation in hash tables Tflag tflag // extra type information flags Align uint8 // alignment of variable with this type FieldAlign uint8 // alignment of struct field with this type Kind Kind Equal pvoid32 Gcdata pvoid32 // garbage collection data Str nameOff // string form PtrToThis typeOff // type for pointer to this type, may be zero }
type Rtype114_115_116_117_118_64 ¶
type Rtype114_115_116_117_118_64 struct { Size size_t64 Ptrdata size_t64 // number of bytes in the type that can contain pointers Hash uint32 // hash of type; avoids computation in hash tables Tflag tflag // extra type information flags Align uint8 // alignment of variable with this type FieldAlign uint8 // alignment of struct field with this type Kind Kind Equal pvoid64 Gcdata pvoid64 // garbage collection data Str nameOff // string form PtrToThis typeOff // type for pointer to this type, may be zero }
type Rtype15_32 ¶
type Rtype15_32 struct { Size size_t32 Ptrdata size_t32 // number of bytes in the type that can contain pointers Hash uint32 // hash of type; avoids computation in hash tables Unused uint8 // extra type information flags Align uint8 // alignment of variable with this type FieldAlign uint8 // alignment of struct field with this type Kind Kind // enumeration for C Alg pvoid32 // algorithm table Gcdata pvoid32 // garbage collection data Str pvoid32 // string form UncommonType pvoid32 PtrToThis pvoid32 // type for pointer to this type, may be zero Zero pvoid32 }
type Rtype15_64 ¶
type Rtype15_64 struct { Size size_t64 Ptrdata size_t64 // number of bytes in the type that can contain pointers Hash uint32 // hash of type; avoids computation in hash tables Unused uint8 // extra type information flags Align uint8 // alignment of variable with this type FieldAlign uint8 // alignment of struct field with this type Kind Kind // enumeration for C Alg pvoid64 // algorithm table Gcdata pvoid64 // garbage collection data Str pvoid64 // string form UncommonType pvoid64 PtrToThis pvoid64 // type for pointer to this type, may be zero Zero pvoid64 }
type Rtype16_32 ¶
type Rtype16_32 struct { Size size_t32 Ptrdata size_t32 // number of bytes in the type that can contain pointers Hash uint32 // hash of type; avoids computation in hash tables Unused uint8 // extra type information flags Align uint8 // alignment of variable with this type FieldAlign uint8 // alignment of struct field with this type Kind Kind // enumeration for C Alg pvoid32 // algorithm table Gcdata pvoid32 // garbage collection data Str pvoid32 // string form UncommonType pvoid32 PtrToThis pvoid32 // type for pointer to this type, may be zero }
type Rtype16_64 ¶
type Rtype16_64 struct { Size size_t64 Ptrdata size_t64 // number of bytes in the type that can contain pointers Hash uint32 // hash of type; avoids computation in hash tables Unused uint8 // extra type information flags Align uint8 // alignment of variable with this type FieldAlign uint8 // alignment of struct field with this type Kind Kind // enumeration for C Alg pvoid64 // algorithm table Gcdata pvoid64 // garbage collection data Str pvoid64 // string form UncommonType pvoid64 PtrToThis pvoid64 // type for pointer to this type, may be zero }
type Rtype17_18_19_110_111_112_113_32 ¶
type Rtype17_18_19_110_111_112_113_32 struct { Size size_t32 Ptrdata size_t32 // number of bytes in the type that can contain pointers Hash uint32 // hash of type; avoids computation in hash tables Tflag tflag // extra type information flags Align uint8 // alignment of variable with this type FieldAlign uint8 // alignment of struct field with this type Kind Kind // enumeration for C Alg pvoid32 // algorithm table Gcdata pvoid32 // garbage collection data Str nameOff // string form PtrToThis typeOff // type for pointer to this type, may be zero }
type Rtype17_18_19_110_111_112_113_64 ¶
type Rtype17_18_19_110_111_112_113_64 struct { Size size_t64 Ptrdata size_t64 // number of bytes in the type that can contain pointers Hash uint32 // hash of type; avoids computation in hash tables Tflag tflag // extra type information flags Align uint8 // alignment of variable with this type FieldAlign uint8 // alignment of struct field with this type Kind Kind // enumeration for C Alg pvoid64 // algorithm table Gcdata pvoid64 // garbage collection data Str nameOff // string form PtrToThis typeOff // type for pointer to this type, may be zero }
type SignatureMatch ¶
type SignatureMatch struct {
// contains filtered or unexported fields
}
type StompMagicCandidate ¶
type Sym ¶
type Sym struct { Name string // symbol name Addr uint64 // virtual address of symbol Size int64 // size in bytes Code rune // nm code (T for text, D for data, and so on) Type string // XXX? Relocs []Reloc // in increasing Addr order }
A Sym is a symbol defined in an executable file.
type Textsect_32 ¶
type Textsect_32 struct { Vaddr pvoid32 // prelinked section vaddr End pvoid32 // vaddr + section length Baseaddr pvoid32 // relocated section address }
type Textsect_64 ¶
type Textsect_64 struct { Vaddr pvoid64 // prelinked section vaddr End pvoid64 // vaddr + section length Baseaddr pvoid64 // relocated section address }
type Type ¶
type Type struct { VA uint64 Str string CStr string Kind string Reconstructed string `json:",omitempty"` // for Some types we can reconstruct the original definition back to Go code CReconstructed string `json:",omitempty"` // for Some types we can reconstruct the original definition back to C code // contains filtered or unexported fields }
This is a general structure that just holds the fields I care about this lets us return a single type, even though rtypes change between go version