idaloader: prompt to load PDB, pass codeview PDB info over to IDA

"pdb incorrect or invalid" message should be fixed if you're using matching PDB

Author: emoose

idaloader.cpp

@@ -12,6 +12,7 @@
 #include "xex_headerids.hpp"
 #include <typeinf.hpp>
 #include <bytes.hpp>
+#include <filesystem>
 
 netnode ignore_micro;
 
@@ -48,7 +49,7 @@ void label_regsaveloads(ea_t start, ea_t end)
     savef_pattern,
     loadf_pattern
   };
-  char* pattern_labels[] = {
+  const char* pattern_labels[] = {
     "__savegprlr_%d",
     "__restgprlr_%d",
     "__savefpr_%d",
@@ -158,7 +159,7 @@ void pe_add_sections(XEXFile& file)
     bool has_code = (section.Characteristics & IMAGE_SCN_CNT_CODE);
     bool has_data = (section.Characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA) || (section.Characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA);
 
-    char* seg_class = has_code ? "CODE" : "DATA";
+    const char* seg_class = has_code ? "CODE" : "DATA";
     ea_t seg_addr = (ea_t)file.base_address() + (ea_t)section.VirtualAddress;
 
     segment_t segm;
@@ -224,8 +225,9 @@ void pe_add_sections(XEXFile& file)
       offset += 8;
     }
 
-    // display messagebox prompt to user, since pdata labelling can take a little while
+    msg("Parsing .pdata and creating %lld functions...\n", funcs.size());
 
+    // display messagebox prompt to user, since pdata labelling can take a little while
     // ida printf formatter tends to crash, too bad, use sprintf to rewrite just the number portion
     char msg_text[256] = "Marking functions from .pdata... (";
     int num_pos = strlen(msg_text);
@@ -244,7 +246,7 @@ void pe_add_sections(XEXFile& file)
         break;
 
       // update every few funcs
-      if (++num % 10 == 0)
+      if (++num % 50 == 0)
       {
         sprintf_s(msg_text_write, 256 - num_pos, "%lld/%lld)", num, funcs.size());
         replace_wait_box(msg_text);
@@ -255,6 +257,56 @@ void pe_add_sections(XEXFile& file)
   }
 }
 
+#define PE_NODE "$ PE header" // netnode name for PE header
+// value()        -> peheader_t
+// altval(segnum) -> s->start_ea
+#define PE_ALT_DBG_FPOS   nodeidx_t(-1)  // altval() -> translated fpos of debuginfo
+#define PE_ALT_IMAGEBASE  nodeidx_t(-2)  // altval() -> loading address (usually pe.imagebase)
+#define PE_ALT_PEHDR_OFF  nodeidx_t(-3)  // altval() -> offset of PE header
+#define PE_ALT_NEFLAGS    nodeidx_t(-4)  // altval() -> neflags
+#define PE_ALT_TDS_LOADED nodeidx_t(-5)  // altval() -> tds already loaded(1) or invalid(-1)
+#define PE_ALT_PSXDLL     nodeidx_t(-6)  // altval() -> if POSIX(x86) imports from PSXDLL netnode
+#define PE_ALT_OVRVA      nodeidx_t(-7)  // altval() -> overlay rva (if present)
+#define PE_ALT_OVRSZ      nodeidx_t(-8)  // altval() -> overlay size (if present)
+#define PE_SUPSTR_PDBNM   nodeidx_t(-9)  // supstr() -> pdb file name
+                              // supval(segnum) -> pesection_t
+                              // blob(0, PE_NODE_RELOC)  -> relocation info
+                              // blob(0, RSDS_TAG)  -> rsds_t structure
+                              // blob(0, NB10_TAG)  -> cv_info_pdb20_t structure
+#define PE_ALT_NTAPI      nodeidx_t(-10) // altval() -> uses Native API
+#define PE_EMBED_PDB_OFF  nodeidx_t(-11) // altval() -> offset of embedded PDB file
+#define PE_NODE_RELOC 'r'
+#define RSDS_TAG 's'
+#define NB10_TAG 'n'
+#define UTDS_TAG 't'
+
+void pe_setup_netnode(XEXFile& file)
+{
+  netnode penode;
+  penode.create(PE_NODE);
+
+  penode.altset(PE_ALT_IMAGEBASE, file.base_address());
+
+  size_t cv_length = 0;
+  auto* cv_data = file.codeview_data(0, &cv_length);
+  if (cv_data)
+  {
+    // Set PDB filename to whatever cv_data[0] says
+    // (only use filename instead of full path, else it may fail to load it)
+    char* pdb_path_ptr = (char*)(cv_data + sizeof(CV_INFO_PDB70));
+    std::filesystem::path pdb_path = pdb_path_ptr;
+    penode.supset(PE_SUPSTR_PDBNM, pdb_path.filename().string().c_str());
+
+    // Copy cv_data into RSDS tag
+    penode.setblob(cv_data, cv_length, 0, RSDS_TAG);
+
+    // Prompt for PDB load
+    msg("Prompting for PDB load...\n(full X360 type loading may require pdb.cfg PDB_PROVIDER = PDB_PROVIDER_MSDIA !)\n");
+    auto* plugin = find_plugin("pdb", 1LL);
+    run_plugin(plugin, 1LL);
+  }
+}
+
 bool load_application(linput_t* li)
 {
   qlseek(li, 0);
@@ -264,6 +316,7 @@ bool load_application(linput_t* li)
   if (!file.load(li))
     return false;
 
+  inf_set_filetype(f_PE);
   inf_set_baseaddr(file.base_address() >> 4);
   set_imagebase(file.base_address());
 
@@ -431,6 +484,8 @@ bool load_application(linput_t* li)
     }
   }
 
+  pe_setup_netnode(file);
+
   return true;
 }
 

idaxex.vcxproj

@@ -77,6 +77,7 @@
     <ClCompile>
       <AdditionalIncludeDirectories>..\..\include;3rdparty/excrypt;3rdparty/mspack%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PreprocessorDefinitions>__NT__;IDALDR;__EA64__;_WINDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <LanguageStandard>stdcpp20</LanguageStandard>
     </ClCompile>
     <Link>
       <AdditionalOptions>/EXPORT:LDSC %(AdditionalOptions)</AdditionalOptions>
@@ -98,6 +99,7 @@
     <ClCompile>
       <AdditionalIncludeDirectories>..\..\include;3rdparty/excrypt;3rdparty/mspack%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PreprocessorDefinitions>__NT__;IDALDR;__EA64__;_WINDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <LanguageStandard>stdcpp20</LanguageStandard>
     </ClCompile>
     <Link>
       <AdditionalOptions>/EXPORT:LDSC %(AdditionalOptions)</AdditionalOptions>

pe_structs.hpp

@@ -162,3 +162,26 @@ typedef struct _IMAGE_EXPORT_DIRECTORY
   uint32_t AddressOfNames;
   uint32_t AddressOfNameOrdinals;
 } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
+
+typedef struct _IMAGE_DEBUG_DIRECTORY {
+  uint32_t Characteristics;
+  uint32_t TimeDateStamp;
+  uint16_t MajorVersion;
+  uint16_t MinorVersion;
+  uint32_t Type;
+  uint32_t SizeOfData;
+  uint32_t AddressOfRawData;
+  uint32_t PointerToRawData;
+} IMAGE_DEBUG_DIRECTORY, * PIMAGE_DEBUG_DIRECTORY;
+static_assert(sizeof(IMAGE_DEBUG_DIRECTORY) == 0x1C, "IMAGE_DEBUG_DIRECTORY");
+
+#define CV_INFO_RSDS_SIGNATURE 0x53445352
+struct CV_INFO_PDB70
+{
+  uint32_t CvSignature;
+  uint8_t Signature[0x10];
+  uint32_t Age;
+  // followed by filename
+  //BYTE PdbFileName[];
+};
+static_assert(sizeof(CV_INFO_PDB70) == 0x18, "CV_INFO_PDB70");

xex.cpp

@@ -1154,6 +1154,54 @@ bool XEXFile::pe_load(const uint8_t* data)
       pe_load_exports(data);
   }
 
+  // Read in debug directory if exists (and valid)
+  auto& debug_directory = nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG];
+  if (debug_directory.Size)
+  {
+    int num_directories = debug_directory.Size / sizeof(IMAGE_DEBUG_DIRECTORY);
+
+    if (pe_data_.size() > debug_directory.VirtualAddress)
+    {
+      IMAGE_DEBUG_DIRECTORY* dir_ptr = (IMAGE_DEBUG_DIRECTORY*)(data + debug_directory.VirtualAddress);
+      for (int i = 0; i < num_directories; i++)
+      {
+        auto dir = *dir_ptr;
+        dir_ptr++;
+
+        debug_directories_.push_back(dir);
+
+        if (dir.Type != 2 /* CODEVIEW */ || dir.SizeOfData == 0)
+          continue;
+
+        // Both AddressOfRawData & PointerToRawData usually seem to point to same offset, but not sure if that's always the case
+        // Check if either of them point to valid CV_INFO
+        CV_INFO_PDB70* cv_ptr = nullptr;
+        for(auto& addr : { dir.AddressOfRawData, dir.PointerToRawData })
+        {
+          if (addr > 0 && pe_data_.size() > (addr + dir.SizeOfData))
+          {
+            auto* test_ptr = (CV_INFO_PDB70*)(data + addr);
+            if (test_ptr->CvSignature == CV_INFO_RSDS_SIGNATURE)
+            {
+              cv_ptr = test_ptr;
+              break;
+            }
+          }
+        }
+
+        // Bail out if neither are valid
+        if (!cv_ptr)
+          continue;
+
+        std::vector<uint8_t> data;
+        data.resize(dir.SizeOfData);
+        std::copy_n((uint8_t*)cv_ptr, dir.SizeOfData, data.data());
+
+        codeview_data_.push_back(data);
+      }
+    }
+  }
+
   return true;
 }
 

xex.hpp

@@ -100,6 +100,8 @@ class XEXFile
 
   // Sections from PE headers (includes XEX sections above)
   std::vector<IMAGE_SECTION_HEADER> sections_;
+  std::vector<IMAGE_DEBUG_DIRECTORY> debug_directories_;
+  std::vector<std::vector<uint8_t>> codeview_data_;
 
   int load_error_ = 0;
 
@@ -208,6 +210,16 @@ class XEXFile
   const xex_opt::XexVitalStats* vital_stats() { return vital_stats_; }
   const xex_opt::XexFileDataDescriptor* data_descriptor() { return data_descriptor_; }
 
+  const uint8_t* codeview_data(int idx, size_t* size = nullptr) {
+    if (codeview_data_.size() > idx)
+    {
+      if (size)
+        *size = codeview_data_[idx].size();
+      return codeview_data_[idx].data();
+    }
+    return nullptr;
+  }
+
   uint32_t min_kernel_version() {
     switch (xex_header_.Magic) {
       case MAGIC_XEX0:  return 1332;