Add signature-based RTR directory locator

Author: Washi1337

README.md

@@ -57,15 +57,21 @@ Install the plugin using `File > Install Extensions` menu in the main project wi
 Steps:
 
 - Make sure you have the plugin installed (see [Building](#building) and [Installing](#installing)).
-- Make sure that you have the ReadyToRun directory annotated in your binary with the `__ReadyToRunHeader` label.
+- Open a .NET NativeAOT binary in the code browser.
+- Optionally, if symbols are stripped, locate and markup the ReadyToRun header with the name `__ReadyToRunHeader` (see below).
 - Run the Native AOT Analyzer (Either as a One-Shot Analysis or part of Auto-Analysis).
 - Open the Native AOT Metadata Browser from the Windows Menu.
 
 
-### How to Find the ReadyToRun Directory?
+## Locating the ReadyToRun Directory
 
 The ReadyToRun data directory is the root of all .NET Native AOT metadata.
-Currently, the plugin does not support automatically locating this, however, the directory is referenced in a call to `S_P_CoreLib_Internal_Runtime_CompilerHelpers_StartupCodeHelpers__InitializeModules` in `wmain`.
+As the directory is not a normal PE data directory specified in its header, the plugin tries to heuristically find it in the following manner:
+- First, it will prefer using symbols `__ReadyToRunHeader` or the symbol pair `__modules_a` and `__modules_z` which mark a list of directories.
+- If no valid headers are found at these symbol names, it will heuristically scan all non-executable memory blocks for a known pattern (i.e., the `RTR\0` signature and a few expected fields in its header).
+
+If you find that this process does not work for you (e.g., no matches or too many matches), the RTR directory list (i.e., `__modules_a`) is also referenced in the startup code of any NativeAOT binary.
+Specifically it is referenced as **the second argument** in a call to `S_P_CoreLib_Internal_Runtime_CompilerHelpers_StartupCodeHelpers__InitializeModules` in `wmain`.
 
 You can find this call by e.g., compiling a simple Hello World application using Native AOT with symbols, and using Ghidra's Version Tracking Tool to compare functions.
 
@@ -91,8 +97,14 @@ Any editor supporting Gradle should work, including Eclipse, IntelliJ and Visual
 
 For quickly reinstalling the plugin as well as starting ghidra, use a command like the following (change file paths accordingly):
 
+Linux (Bash):
 ```sh
-$ gradle && unzip -o dist/ghidra_11.3.1_PUBLIC_XXXXXXXX_ghidra-nativeaot.zip -d ~/.config/ghidra/ghidra_11.3.1_PUBLIC/Extensions/ && ghidra
+$ gradle && unzip -o dist/*.zip -d ~/.config/ghidra/ghidra_X.X_PUBLIC/Extensions/ && ghidra
+```
+
+Windows (Powershell):
+```pwsh
+gradle; Expand-Archive .\dist\*.zip -DestinationPath $env:APPDATA\ghidra\ghidra_X.X_PUBLIC\Extensions -Force; Z:\Path\To\Ghidra\ghidraRun.bat
 ```
 
 ## License

src/main/java/nativeaot/NativeAotAnalyzer.java

@@ -38,17 +38,18 @@
 import nativeaot.rehydration.MetadataRehydrator;
 import nativeaot.rehydration.MetadataRehydratorNet80;
 import nativeaot.rehydration.PointerScanResult;
-import nativeaot.rtr.ReadyToRunDirectory;
-import nativeaot.rtr.ReadyToRunLocator;
-import nativeaot.rtr.ReadyToRunSection;
-import nativeaot.rtr.SymbolReadyToRunLocator;
+import nativeaot.rtr.*;
 
 /**
  * Provide class-level documentation that describes what this analyzer does.
  */
 public class NativeAotAnalyzer extends AbstractAnalyzer {
 
     public static final String MARKUP_REHYDRATION_CODE = "Markup rehydration code";
+    private static final ReadyToRunLocator[] READY_TO_RUN_LOCATORS = new ReadyToRunLocator[] {
+        new SymbolReadyToRunLocator(),
+        new SignatureReadyToRunLocator(),
+    };
 
     private boolean _markupRehydrationCode = false;
 
@@ -93,14 +94,9 @@ public void optionsChanged(Options options, Program program) {
     }
 
     @Override
-    public boolean added(Program program, AddressSetView set, TaskMonitor monitor, MessageLog log)
-            throws CancelledException {
-
-        // TODO: make configurable which locator is used..
-        ReadyToRunLocator locator = new SymbolReadyToRunLocator();
-
-        var moduleHeaders = locator.locateModules(program, monitor, log);
-
+    public boolean added(Program program, AddressSetView set, TaskMonitor monitor, MessageLog log) throws CancelledException {
+        // Locate modules.
+        var moduleHeaders = locateModules(program, monitor, log);
         if (moduleHeaders.length == 0) {
             log.appendMsg(Constants.TAG, String.format(
                 "Symbols `%s` or `%s` and `%s` not found.",
@@ -129,16 +125,26 @@ public boolean added(Program program, AddressSetView set, TaskMonitor monitor, M
         return true;
     }
 
+    private Address[] locateModules(Program program, TaskMonitor monitor, MessageLog log) throws CancelledException {
+        for (var locator : READY_TO_RUN_LOCATORS) {
+            var moduleHeaders = locator.locateModules(program, monitor, log);
+            if (moduleHeaders.length > 0) {
+                return moduleHeaders;
+            }
+        }
+
+        return new Address[0];
+    }
+
     private void processModule(Program program, Address moduleHeader, TaskMonitor monitor, MessageLog log) throws Exception {
         ReadyToRunDirectory directory;
         try {
             directory = readRtrDirectory(program, moduleHeader);
         } catch (Exception ex) {
-            throw new Exception("Failed to read rtr directory.", ex);
+            throw new Exception("Failed to read RTR directory at %s.".formatted(moduleHeader), ex);
         }
 
-        // NOTE: Method table managers should be changed if the file format changes per rtr version.
-        var manager = new MethodTableManagerNet80(program);
+        var manager = createMethodTableManagerForDirectory(program, directory);
 
         // Restore first from DB to allow for the analyzer to be run multiple times.
         manager.restoreFromDB();
@@ -208,6 +214,11 @@ private ReadyToRunDirectory readRtrDirectory(Program program, Address moduleHead
         return directory;
     }
 
+    private static MethodTableManagerNet80 createMethodTableManagerForDirectory(Program program, ReadyToRunDirectory directory) {
+        // NOTE: Method table managers should be changed if the file format changes per RTR version.
+        return new MethodTableManagerNet80(program);
+    }
+
     private PointerScanResult rehydrateData(Program program, ReadyToRunSection rehydratedData, MetadataRehydrator rehydrator, TaskMonitor monitor, MessageLog log) throws Exception {
         var symbolTable = program.getSymbolTable();
 
@@ -241,10 +252,7 @@ private PointerScanResult scanForPointers(Program program, Address moduleHeader,
         }
 
         // We use the block containing the module header as the scanning range
-        var scanningRange = new AddressRangeImpl(
-            moduleBlock.getStart(), 
-            moduleBlock.getEnd()
-        );
+        var scanningRange = moduleBlock.getAddressRange();
 
         monitor.setMessage(Constants.TAG + ": Scanning for pointers...");
         monitor.setMaximum(moduleBlock.getSize());

src/main/java/nativeaot/rtr/ReadyToRunDirectory.java

@@ -13,8 +13,8 @@
 import ghidra.util.exception.DuplicateNameException;
 import nativeaot.Constants;
 
-
 public class ReadyToRunDirectory implements StructConverter {
+    private static final byte EXPECTED_NUMBER_OF_SECTIONS_UPPER_BOUND = 0x50;
 
     private final short _majorVersion;
     private final short _minorVersion;
@@ -33,8 +33,8 @@ public ReadyToRunDirectory(BinaryReader reader) throws IOException {
         byte entrySize = reader.readNextByte();
         byte entryType = reader.readNextByte();
 
-        if (sectionCount > 100) {
-            throw new IOException("Unexpected number of sections $d".formatted(sectionCount));
+        if (sectionCount > EXPECTED_NUMBER_OF_SECTIONS_UPPER_BOUND) {
+            throw new IOException("Unexpected number of sections %d".formatted(sectionCount));
         }
 
         _sections = new ReadyToRunSection[sectionCount];

src/main/java/nativeaot/rtr/ReadyToRunLocator.java

@@ -4,8 +4,9 @@
 import ghidra.app.util.importer.MessageLog;
 import ghidra.program.model.address.Address;
 import ghidra.program.model.listing.Program;
+import ghidra.util.exception.CancelledException;
 import ghidra.util.task.TaskMonitor;
 
 public interface ReadyToRunLocator {
-    Address[] locateModules(Program program, TaskMonitor monitor, MessageLog log);
+    Address[] locateModules(Program program, TaskMonitor monitor, MessageLog log) throws CancelledException;
 }

src/main/java/nativeaot/rtr/SignatureReadyToRunLocator.java

@@ -0,0 +1,79 @@
+package nativeaot.rtr;
+
+import ghidra.app.util.importer.MessageLog;
+import ghidra.program.model.address.Address;
+import ghidra.program.model.listing.Program;
+import ghidra.program.model.mem.Memory;
+import ghidra.program.model.mem.MemoryAccessException;
+import ghidra.util.exception.CancelledException;
+import ghidra.util.task.TaskMonitor;
+import nativeaot.Constants;
+
+import java.util.ArrayList;
+
+public class SignatureReadyToRunLocator implements ReadyToRunLocator {
+    private static final byte EXPECTED_ENTRY_SIZE = 0x18;
+    private static final byte EXPECTED_ENTRY_TYPE = 0x01;
+    private static final byte EXPECTED_NUMBER_OF_SECTIONS_UPPER_BOUND = 0x50;
+
+    @Override
+    public Address[] locateModules(Program program, TaskMonitor monitor, MessageLog log) throws CancelledException {
+        var result = new ArrayList<Address>();
+        var memory = program.getMemory();
+
+        monitor.setMessage(Constants.TAG + ": Scanning for RTR signatures...");
+        monitor.setMaximum(memory.getSize());
+        monitor.setIndeterminate(false);
+        monitor.setProgress(0);
+
+        for (var block : memory.getBlocks()) {
+            // We assume the modules are stored in an initialized data section.
+            if (!block.isRead() || !block.isInitialized() || block.isExecute()) {
+                continue;
+            }
+
+            var current = block.getStart();
+            var end = block.getEnd();
+
+            // Align start to 8 bytes
+            long offset = current.getOffset();
+            if (offset % 8 != 0) {
+                current = current.add(8 - (offset % 8));
+            }
+
+            try{
+                while (current.compareTo(end) <= 0) {
+                    monitor.checkCancelled();
+                    monitor.setProgress(current.getOffset() - block.getStart().getOffset());
+
+                    if (isLikelyValidRtrHeader(memory, current)) {
+                        result.add(current);
+                    }
+
+                    current = current.add(8);
+                }
+            } catch (MemoryAccessException e) {
+                continue;
+            }
+        }
+
+        return  result.toArray(new Address[0]);
+    }
+
+    private static boolean isLikelyValidRtrHeader(Memory memory, Address address) throws MemoryAccessException {
+        // Expected pattern:
+        // dOff     Type      Expected Value          Description
+        // +0x00    ddw       00525452h               Signature
+        // +0x04    dw        ??                      MajorVersion
+        // +0x06    dw        ??                      MinorVersion
+        // +0x08    ddw       ??                      Flags
+        // +0x0c    dw        < 50h                   NumberOfSections
+        // +0x0e    db        18h                     EntrySize
+        // +0x0f    db        1h                      EntryType
+
+        return memory.getInt(address) == Constants.READY_TO_RUN_SIGNATURE
+                && memory.getByte(address.add(0x0C)) < EXPECTED_NUMBER_OF_SECTIONS_UPPER_BOUND
+                && memory.getByte(address.add(0x0E)) == EXPECTED_ENTRY_SIZE
+                && memory.getByte(address.add(0x0F)) == EXPECTED_ENTRY_TYPE;
+    }
+}

src/main/java/nativeaot/rtr/SymbolReadyToRunLocator.java

@@ -8,13 +8,14 @@
 import ghidra.program.model.address.Address;
 import ghidra.program.model.listing.Program;
 import ghidra.program.model.mem.MemoryAccessException;
+import ghidra.util.exception.CancelledException;
 import ghidra.util.task.TaskMonitor;
 import nativeaot.Constants;
 
 public class SymbolReadyToRunLocator implements ReadyToRunLocator {
 
     @Override
-    public Address[] locateModules(Program program, TaskMonitor monitor, MessageLog log) {
+    public Address[] locateModules(Program program, TaskMonitor monitor, MessageLog log) throws CancelledException {
         var memory = program.getMemory();
         try {
             var candidates = findCandidates(program, monitor);