class Metasm::AutoExe
special class that decodes a PE, ELF, MachO or UnivBinary file from its signature
XXX UnivBinary is not a real ExeFormat, just a container..
Public Class Methods
execlass_from_signature(raw)
match the actual exe class from the raw file inspection using the registered signature list; calls unknown_signature if nothing matches
# File metasm/exe_format/autoexe.rb, line 23
def self.execlass_from_signature(raw)
  m = @signatures.find { |sig, exe|
    case sig
    when String; raw[0, sig.length] == sig
    when Proc; sig[raw]
    end
  }
  e = m ? m[1] : unknown_signature(raw)
  case e
  when String; Metasm.const_get(e)
  when Proc; e.call
  else e
  end
end
init_signatures(sig=[])
# File metasm/exe_format/autoexe.rb, line 43
def self.init_signatures(sig=[])
  @signatures = sig
end
load(str, *a, &b)
actually calls autoexe_load for the detected filetype from execlass_from_signature
# File metasm/exe_format/autoexe.rb, line 15
def self.load(str, *a, &b)
  s = str
  s = str.data if s.kind_of? EncodedData
  execlass_from_signature(s).autoexe_load(str, *a, &b)
end
orshellcode(cpu=nil, &b)
replacement for AutoExe where load defaults to a Shellcode of the specified CPU
# File metasm/exe_format/autoexe.rb, line 65
def self.orshellcode(cpu=nil, &b)
  # here we create an anonymous subclass of AutoExe whose #unknown_sig is patched to return a Shellcode instead of raise()ing
  c = ::Class.new(self)
  # yeeehaa
  class << c ; self ; end.send(:define_method, :unknown_signature) { |raw|
    Shellcode.withcpu(cpu || b[raw])
  }
  c.init_signatures @signatures
  c
end
register_signature(sig, exe=nil, &b)
register a new binary file signature
# File metasm/exe_format/autoexe.rb, line 39
def self.register_signature(sig, exe=nil, &b)
  (@signatures ||= []) << [sig, exe || b]
end
unknown_signature(raw)
this function is called when no signature matches
# File metasm/exe_format/autoexe.rb, line 48
def self.unknown_signature(raw)
  raise UnknownSignature, "unrecognized executable file format #{raw[0, 4].unpack('H*').first.inspect}"
end
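Added example (not Metasm code and not part of the original documentation): a stand-alone Ruby model of the dispatch rules documented above. Because the first registered match wins, a specific Proc signature has to be registered before a generic String prefix it overlaps with, and a Proc has to bounds-check truncated input. SigDispatch, PE_SIG, build_dispatch, sample_pe and the signature set are assumptions made for illustration; the optional block on classify stands in for the orshellcode fallback.

```ruby
# Stand-alone model of the documented dispatch rules; does not require Metasm.
class SigDispatch
  class UnknownSignature < StandardError; end

  def initialize
    @signatures = []
  end

  # sig is a String (byte-prefix match) or a Proc (predicate on the raw bytes).
  def register(sig, label)
    @signatures << [sig.is_a?(String) ? sig.b : sig, label]
    self
  end

  # First registered match wins, so registration order is part of the policy.
  def classify(raw)
    raw = raw.to_s.b
    m = @signatures.find { |sig, _| sig.is_a?(String) ? raw.start_with?(sig) : sig.call(raw) }
    return m[1] if m
    return yield(raw) if block_given? # fallback, as orshellcode does for unknown input
    raise UnknownSignature, "unrecognized format #{raw[0, 4].unpack1('H*').inspect}"
  end
end

# Assumed predicate: "MZ" header whose e_lfanew (offset 0x3c) points at "PE\0\0".
# Bounds are checked so truncated or lying headers return false instead of raising.
PE_SIG = lambda do |raw|
  next false unless raw.start_with?('MZ') && raw.bytesize >= 0x40
  off = raw[0x3c, 4].unpack1('V')
  off + 4 <= raw.bytesize && raw[off, 4] == "PE\0\0".b
end

# Build a dispatcher with the assumed signatures registered in the given order.
def build_dispatch(order)
  table = { pe: [PE_SIG, :PE], mz: ['MZ', :MZ], elf: ["\x7fELF", :ELF] }
  order.each_with_object(SigDispatch.new) { |k, d| d.register(*table[k]) }
end

# Constructed sample: 0x40-byte MZ stub with e_lfanew = 0x40, then "PE\0\0".
def sample_pe
  hdr = 'MZ'.b.ljust(0x3c, "\0") + [0x40].pack('V')
  hdr + "PE\0\0".b
end

if __FILE__ == $PROGRAM_NAME
  p build_dispatch(%i[pe mz elf]).classify(sample_pe) # specific Proc registered first
  p build_dispatch(%i[mz pe elf]).classify(sample_pe) # generic "MZ" prefix shadows it
end
```

Run the two orderings side by side when auditing a signature list: any String prefix registered ahead of a more specific Proc silently takes over that format.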