idaloader: parse pdata manually before calling eh_parse

emoose · emoose · commit 03ecc35f16d0 · 2024-10-09T12:46:28.000+01:00
results in funcs being marked much sooner, and more funcs identified
diff --git a/idaloader.cpp b/idaloader.cpp
@@ -173,34 +173,100 @@ void pe_add_sections(XEXFile& file)
   }
 }
 
-void pe_setup_netnode(XEXFile& file)
+void pe_parse_pdata(XEXFile& file)
 {
-  netnode penode;
-  penode.create(PE_NODE);
+  // Hybrid pdata parser:
+  // - our code will first read from pdata and create functions based on it
+  // - then defer to eh_parse which will create .pdata dwords & set up exception handlers
+  // From testing this results in more functions getting created, and allows autoanalysis to parse functions much earlier
 
-  const uint8_t* pe_data = file.pe_data();
-  IMAGE_DOS_HEADER* dos_header = (IMAGE_DOS_HEADER*)pe_data;
+  bool has_pdata = false;
 
-  // Set PE header node data
-  // Make a copy of PE header and update with correct values first, since IDA/eh_parse reads some info from this
-  IMAGE_NT_HEADERS nt_header = *(IMAGE_NT_HEADERS*)(pe_data + dos_header->AddressOfNewExeHeader);
-  nt_header.OptionalHeader.ImageBase = file.base_address();
+  // Try reading & marking functions from .pdata section
+  for (const auto& section : file.sections())
+  {
+    // New buffer for section name so we can null-terminate it
+    char name[9];
+    std::copy_n(section.Name, 8, name);
+    name[8] = '\0';
+    if (strcmp(name, ".pdata"))
+      continue;
 
-  penode.set(&nt_header, sizeof(IMAGE_NT_HEADERS));
+    has_pdata = true;
 
-  // Update imagebase
-  penode.altset(PE_ALT_IMAGEBASE, file.base_address());
+    uint32 sec_addr = section.VirtualAddress;
+    uint32 sec_size = section.VirtualSize;
+    if (file.header().Magic == MAGIC_XEX3F || file.header().Magic == MAGIC_XEX0)
+    {
+      sec_addr = section.PointerToRawData;
+      sec_size = section.SizeOfRawData; // TODO: verify this?
+    }
+    ea_t seg_addr = (ea_t)file.base_address() + (ea_t)section.VirtualAddress;
+    // Size could be beyond file bounds, if so fix the size to what we can fit
+    if (sec_addr + sec_size > file.image_size())
+      sec_size = file.image_size() - sec_addr;
 
-  bool has_pdata = false;
-  for (const auto& section : file.sections())
-  {
-    if (!strncmp(section.Name, ".pdata", 6)) {
-      has_pdata = true;
-      break;
+    struct RUNTIME_FUNCTION_INFO // bitfield portion of RUNTIME_FUNCTION
+    {
+      uint32_t PrologLength : 8;
+      uint32_t FunctionLength : 22;
+      uint32_t FunctionType : 2;
+      inline xex::RuntimeFunctionType RuntimeFunctionType() {
+        return (xex::RuntimeFunctionType)FunctionType;
+      }
+    };
+
+    // Read function addrs from .pdata into vector so we can get a count before asking IDA to create functions for them
+    std::unordered_map<uint32_t, RUNTIME_FUNCTION_INFO> funcs;
+    int offset = 0;
+    while (offset < sec_size)
+    {
+      auto* fn_ptr = reinterpret_cast<const xe::be<uint32_t>*>(file.pe_data() + sec_addr + offset);
+      uint32_t fn_ea = fn_ptr[0];
+      if (fn_ea)
+      {
+        uint32_t fn_info_raw = fn_ptr[1]; // endian-swap the field for us
+        RUNTIME_FUNCTION_INFO fn_info = *(RUNTIME_FUNCTION_INFO*)&fn_info_raw; // and then convert to RUNTIME_FUNCTION_INFO
+        funcs.insert({ fn_ea, fn_info });
+      }
+      offset += 8;
+    }
+
+    msg("Parsing .pdata and creating %d functions...\n", int(funcs.size()));
+
+    // display messagebox prompt to user so they can cancel if needed
+    show_wait_box("Marking functions from .pdata... (0/%d)", int(funcs.size()));
+    size_t num = 0;
+    for (auto& kvp : funcs)
+    {
+      if (kvp.second.FunctionLength && !get_fchunk(kvp.first))
+      {
+        if (create_insn(kvp.first))
+        {
+          show_auto(kvp.first);
+          // Don't create function for savevmx/restvmx, we handle it in label_regsaveloads
+          auto fn_type = kvp.second.RuntimeFunctionType();
+          if (fn_type != xex::RuntimeFunctionType::SaveMillicode && fn_type != xex::RuntimeFunctionType::RestoreMillicode)
+          {
+            func_t fn(kvp.first, kvp.first + (kvp.second.FunctionLength * 4));
+            add_func_ex(&fn);
+          }
+        }
+      }
+      if (user_cancelled())
+        break;
+      // update every few funcs
+      if (++num % 50 == 0)
+      {
+        replace_wait_box("Marking functions from .pdata... (%d/%d)", int(num), int(funcs.size()));
+      }
     }
+
+    hide_wait_box();
+    break;
   }
 
-  // Ask eh_parse to parse .pdata for us
+  // Ask eh_parse to parse .pdata, for it to mark xrefs & EH
   // Load it here early so user won't need to wait for autoanalysis to complete
   if (has_pdata)
   {
@@ -211,7 +277,30 @@ void pe_setup_netnode(XEXFile& file)
       run_plugin(plugin, 0);
     }
   }
+}
+
+void pe_setup_netnode(XEXFile& file)
+{
+  netnode penode;
+  penode.create(PE_NODE);
+
+  const uint8_t* pe_data = file.pe_data();
+  IMAGE_DOS_HEADER* dos_header = (IMAGE_DOS_HEADER*)pe_data;
+
+  // Set PE header node data
+  // Make a copy of PE header and update with correct values first, since IDA/eh_parse reads some info from this
+  IMAGE_NT_HEADERS nt_header = *(IMAGE_NT_HEADERS*)(pe_data + dos_header->AddressOfNewExeHeader);
+  nt_header.OptionalHeader.ImageBase = file.base_address();
+
+  penode.set(&nt_header, sizeof(IMAGE_NT_HEADERS));
+
+  // Update imagebase
+  penode.altset(PE_ALT_IMAGEBASE, file.base_address());
+
+  // Parse pdata if it exists
+  pe_parse_pdata(file);
 
+  // Update IDA with any codeview data
   size_t cv_length = 0;
   auto* cv_data = file.codeview_data(0, &cv_length);
   if (cv_data)
