libPeConv
A library to load, manipulate, dump PE files.
imports_loader.cpp
Go to the documentation of this file.
1#include "peconv/imports_loader.h"
2
3#include <iostream>
4
5using namespace peconv;
6
7class FillImportThunks : public ImportThunksCallback
8{
9public:
10 FillImportThunks(BYTE* _modulePtr, size_t _moduleSize, t_function_resolver* func_resolver)
11 : ImportThunksCallback(_modulePtr, _moduleSize), funcResolver(func_resolver)
12 {
13 }
14
15 virtual bool processThunks(LPSTR lib_name, ULONG_PTR origFirstThunkPtr, ULONG_PTR firstThunkPtr)
16 {
17 if (this->is64b) {
18#ifdef _WIN64 // loader is 64 bit, allow to load imports for 64-bit payload:
19 IMAGE_THUNK_DATA64* desc = reinterpret_cast<IMAGE_THUNK_DATA64*>(origFirstThunkPtr);
20 ULONGLONG* call_via = reinterpret_cast<ULONGLONG*>(firstThunkPtr);
21 return processThunks_tpl<ULONGLONG, IMAGE_THUNK_DATA64>(lib_name, desc, call_via, IMAGE_ORDINAL_FLAG64);
22#else
23 std::cerr << "[!] Cannot fill imports into 64 bit PE via 32 bit loader!\n";
24 return false;
25#endif
26 }
27 else {
28#ifndef _WIN64 // loader is 32 bit, allow to load imports for 32-bit payload:
29 IMAGE_THUNK_DATA32* desc = reinterpret_cast<IMAGE_THUNK_DATA32*>(origFirstThunkPtr);
30 DWORD* call_via = reinterpret_cast<DWORD*>(firstThunkPtr);
31 return processThunks_tpl<DWORD, IMAGE_THUNK_DATA32>(lib_name, desc, call_via, IMAGE_ORDINAL_FLAG32);
32#else
33 std::cerr << "[!] Cannot fill imports into 32 bit PE via 64 bit loader!\n";
34 return false;
35#endif
36 }
37 }
38
39protected:
40 template <typename T_FIELD, typename T_IMAGE_THUNK_DATA>
41 bool processThunks_tpl(LPSTR lib_name, T_IMAGE_THUNK_DATA* desc, T_FIELD* call_via, T_FIELD ordinal_flag)
42 {
43 if (!this->funcResolver) {
44 return false;
45 }
46
47 bool is_by_ord = (desc->u1.Ordinal & ordinal_flag) != 0;
48
49 FARPROC hProc = nullptr;
50 if (is_by_ord) {
51 T_FIELD raw_ordinal = desc->u1.Ordinal & (~ordinal_flag);
52#ifdef _DEBUG
53 std::cout << "raw ordinal: " << std::hex << raw_ordinal << std::endl;
54#endif
55 hProc = funcResolver->resolve_func(lib_name, MAKEINTRESOURCEA(raw_ordinal));
56
57 }
58 else {
59 PIMAGE_IMPORT_BY_NAME by_name = (PIMAGE_IMPORT_BY_NAME)((ULONGLONG)modulePtr + desc->u1.AddressOfData);
60 LPSTR func_name = reinterpret_cast<LPSTR>(by_name->Name);
61#ifdef _DEBUG
62 std::cout << "name: " << func_name << std::endl;
63#endif
64 hProc = this->funcResolver->resolve_func(lib_name, func_name);
65 }
66 if (!hProc) {
67#ifdef _DEBUG
68 std::cerr << "Could not resolve the function!" << std::endl;
69#endif
70 return false;
71 }
72 (*call_via) = reinterpret_cast<T_FIELD>(hProc);
73 return true;
74 }
75
76 //fields:
77 t_function_resolver* funcResolver;
78};
79
80
81template <typename T_FIELD, typename T_IMAGE_THUNK_DATA>
82bool process_imp_functions_tpl(BYTE* modulePtr, size_t module_size, LPSTR lib_name, DWORD call_via, DWORD thunk_addr, IN ImportThunksCallback *callback)
83{
84 bool is_ok = true;
85
86 T_FIELD *thunks = (T_FIELD*)((ULONGLONG)modulePtr + thunk_addr);
87 T_FIELD *callers = (T_FIELD*)((ULONGLONG)modulePtr + call_via);
88
89 for (size_t index = 0; true; index++) {
90 if (!validate_ptr(modulePtr, module_size, &callers[index], sizeof(T_FIELD))) {
91 break;
92 }
93 if (!validate_ptr(modulePtr, module_size, &thunks[index], sizeof(T_FIELD))) {
94 break;
95 }
96 if (callers[index] == 0) {
97 //nothing to fill, probably the last record
98 return true;
99 }
100 LPVOID thunk_ptr = &thunks[index];
101 T_IMAGE_THUNK_DATA* desc = reinterpret_cast<T_IMAGE_THUNK_DATA*>(thunk_ptr);
102 if (!validate_ptr(modulePtr, module_size, desc, sizeof(T_IMAGE_THUNK_DATA))) {
103 break;
104 }
105 if (desc->u1.Function == NULL) {
106 break;
107 }
108 T_FIELD ordinal_flag = (sizeof(T_FIELD) == sizeof(ULONGLONG)) ? IMAGE_ORDINAL_FLAG64 : IMAGE_ORDINAL_FLAG32;
109 bool is_by_ord = (desc->u1.Ordinal & ordinal_flag) != 0;
110 if (!is_by_ord) {
111 PIMAGE_IMPORT_BY_NAME by_name = (PIMAGE_IMPORT_BY_NAME)((ULONGLONG)modulePtr + desc->u1.AddressOfData);
112 if (!validate_ptr(modulePtr, module_size, by_name, sizeof(IMAGE_IMPORT_BY_NAME))) {
113 break;
114 }
115 }
116 //when the callback is called, all the pointers should be already verified
117 if (!callback->processThunks(lib_name, (ULONG_PTR)&thunks[index], (ULONG_PTR)&callers[index])) {
118 is_ok = false;
119 }
120 }
121 return is_ok;
122}
123
124//Walk through the table of imported DLLs (starting from the given descriptor) and execute the callback each time when the new record was found
125bool process_dlls(BYTE* modulePtr, size_t module_size, IMAGE_IMPORT_DESCRIPTOR *first_desc, IN ImportThunksCallback *callback)
126{
127 bool isAllFilled = true;
128#ifdef _DEBUG
129 std::cout << "---IMP---" << std::endl;
130#endif
131 const bool is64 = is64bit((BYTE*)modulePtr);
132 IMAGE_IMPORT_DESCRIPTOR* lib_desc = nullptr;
133
134 for (size_t i = 0; true; i++) {
135 lib_desc = &first_desc[i];
136 if (!validate_ptr(modulePtr, module_size, lib_desc, sizeof(IMAGE_IMPORT_DESCRIPTOR))) {
137 break;
138 }
139 if (lib_desc->OriginalFirstThunk == NULL && lib_desc->FirstThunk == NULL) {
140 break;
141 }
142 LPSTR lib_name = (LPSTR)((ULONGLONG)modulePtr + lib_desc->Name);
143 if (!peconv::is_valid_import_name(modulePtr, module_size, lib_name)) {
144 //invalid name
145 return false;
146 }
147 DWORD call_via = lib_desc->FirstThunk;
148 DWORD thunk_addr = lib_desc->OriginalFirstThunk;
149 if (thunk_addr == NULL) {
150 thunk_addr = lib_desc->FirstThunk;
151 }
152#ifdef _DEBUG
153 std::cout << "Imported Lib: " << std::hex << lib_desc->FirstThunk << " : " << std::hex << lib_desc->OriginalFirstThunk << " : " << lib_desc->Name << std::endl;
154#endif
155 size_t all_solved = false;
156 if (is64) {
157 all_solved = process_imp_functions_tpl<ULONGLONG, IMAGE_THUNK_DATA64>(modulePtr, module_size, lib_name, call_via, thunk_addr, callback);
158 }
159 else {
160 all_solved = process_imp_functions_tpl<DWORD, IMAGE_THUNK_DATA32>(modulePtr, module_size, lib_name, call_via, thunk_addr, callback);
161 }
162 if (!all_solved) {
163 isAllFilled = false;
164 }
165 }
166#ifdef _DEBUG
167 printf("---------\n");
168#endif
169 return isAllFilled;
170}
171
172bool peconv::process_import_table(IN BYTE* modulePtr, IN SIZE_T moduleSize, IN ImportThunksCallback *callback)
173{
174 if (moduleSize == 0) { //if not given, try to fetch
175 moduleSize = peconv::get_image_size((const BYTE*)modulePtr);
176 }
177 if (moduleSize == 0) return false;
178
179 IMAGE_DATA_DIRECTORY *importsDir = get_directory_entry((BYTE*)modulePtr, IMAGE_DIRECTORY_ENTRY_IMPORT);
180 if (!importsDir) {
181 return true; //no import table
182 }
183 const DWORD impAddr = importsDir->VirtualAddress;
184 IMAGE_IMPORT_DESCRIPTOR *first_desc = (IMAGE_IMPORT_DESCRIPTOR*)(impAddr + (ULONG_PTR)modulePtr);
185 if (!peconv::validate_ptr(modulePtr, moduleSize, first_desc, sizeof(IMAGE_IMPORT_DESCRIPTOR))) {
186 return false;
187 }
188 return process_dlls(modulePtr, moduleSize, first_desc, callback);
189}
190
191bool peconv::load_imports(BYTE* modulePtr, t_function_resolver* func_resolver)
192{
193 size_t moduleSize = peconv::get_image_size((const BYTE*)modulePtr);
194 if (moduleSize == 0) return false;
195
196 bool is64 = is64bit((BYTE*)modulePtr);
197 bool is_loader64 = false;
198#ifdef _WIN64
199 is_loader64 = true;
200#endif
201 if (is64 != is_loader64) {
202 std::cerr << "[ERROR] Loader/Payload bitness mismatch.\n";
203 return false;
204 }
205
206 default_func_resolver default_res;
207 if (!func_resolver) {
208 func_resolver = (t_function_resolver*)&default_res;
209 }
210
211 FillImportThunks callback(modulePtr, moduleSize, func_resolver);
212 return peconv::process_import_table(modulePtr, moduleSize, &callback);
213}
214
215// A valid name must contain printable characters. Empty name is also acceptable (may have been erased)
216bool peconv::is_valid_import_name(const PBYTE modulePtr, const size_t moduleSize, LPSTR lib_name)
217{
218 while (true) {
219 if (!peconv::validate_ptr(modulePtr, moduleSize, lib_name, sizeof(char))) {
220 return false;
221 }
222 char next_char = *lib_name;
223 if (next_char == '\0') break;
224
225 if (next_char <= 0x20 || next_char >= 0x7E) {
226 return false;
227 }
228 lib_name++;
229 }
230 return true;
231}
232
233bool peconv::has_valid_import_table(const PBYTE modulePtr, size_t moduleSize)
234{
235 IMAGE_DATA_DIRECTORY *importsDir = get_directory_entry((BYTE*)modulePtr, IMAGE_DIRECTORY_ENTRY_IMPORT);
236 if (importsDir == NULL) return false;
237
238 const DWORD impAddr = importsDir->VirtualAddress;
239
240 IMAGE_IMPORT_DESCRIPTOR* lib_desc = NULL;
241 DWORD parsedSize = 0;
242 size_t valid_records = 0;
243
244 while (true) { //size of the import table doesn't matter
245 lib_desc = (IMAGE_IMPORT_DESCRIPTOR*)(impAddr + parsedSize + (ULONG_PTR)modulePtr);
246 if (!peconv::validate_ptr(modulePtr, moduleSize, lib_desc, sizeof(IMAGE_IMPORT_DESCRIPTOR))) {
247 return false;
248 }
249 parsedSize += sizeof(IMAGE_IMPORT_DESCRIPTOR);
250
251 if (lib_desc->OriginalFirstThunk == NULL && lib_desc->FirstThunk == NULL) {
252 break;
253 }
254 LPSTR lib_name = (LPSTR)((ULONGLONG)modulePtr + lib_desc->Name);
255 if (!is_valid_import_name(modulePtr, moduleSize, lib_name)) return false;
256
257 DWORD call_via = lib_desc->FirstThunk;
258 DWORD thunk_addr = lib_desc->OriginalFirstThunk;
259 if (thunk_addr == NULL) thunk_addr = lib_desc->FirstThunk;
260
261 DWORD *thunks = (DWORD*)((ULONGLONG)modulePtr + thunk_addr);
262 if (!peconv::validate_ptr(modulePtr, moduleSize, thunks, sizeof(DWORD))) return false;
263
264 DWORD *callers = (DWORD*)((ULONGLONG)modulePtr + call_via);
265 if (!peconv::validate_ptr(modulePtr, moduleSize, callers, sizeof(DWORD))) return false;
266
267 valid_records++;
268 }
269
270 return (valid_records > 0);
271}
FillImportThunks::FillImportThunks
FillImportThunks(BYTE *_modulePtr, size_t _moduleSize, t_function_resolver *func_resolver)
Definition: imports_loader.cpp:10
FillImportThunks::processThunks_tpl
bool processThunks_tpl(LPSTR lib_name, T_IMAGE_THUNK_DATA *desc, T_FIELD *call_via, T_FIELD ordinal_flag)
Definition: imports_loader.cpp:41
FillImportThunks::processThunks
virtual bool processThunks(LPSTR lib_name, ULONG_PTR origFirstThunkPtr, ULONG_PTR firstThunkPtr)
Definition: imports_loader.cpp:15
FillImportThunks::funcResolver
t_function_resolver * funcResolver
Definition: imports_loader.cpp:77
peconv::default_func_resolver
Definition: function_resolver.h:28
peconv::t_function_resolver
Definition: function_resolver.h:14
peconv::t_function_resolver::resolve_func
virtual FARPROC resolve_func(LPSTR lib_name, LPSTR func_name)=0
process_dlls
bool process_dlls(BYTE *modulePtr, size_t module_size, IMAGE_IMPORT_DESCRIPTOR *first_desc, IN ImportThunksCallback *callback)
Definition: imports_loader.cpp:125
process_imp_functions_tpl
bool process_imp_functions_tpl(BYTE *modulePtr, size_t module_size, LPSTR lib_name, DWORD call_via, DWORD thunk_addr, IN ImportThunksCallback *callback)
Definition: imports_loader.cpp:82
imports_loader.h
Parsing and filling the Import Table.
peconv::validate_ptr
bool validate_ptr(IN const void *buffer_bgn, IN SIZE_T buffer_size, IN const void *field_bgn, IN SIZE_T field_size)
Definition: buffer_util.cpp:9
peconv::has_valid_import_table
bool has_valid_import_table(const PBYTE modulePtr, size_t moduleSize)
Definition: imports_loader.cpp:233
peconv::process_import_table
bool process_import_table(IN BYTE *modulePtr, IN SIZE_T moduleSize, IN ImportThunksCallback *callback)
Definition: imports_loader.cpp:172
peconv::get_image_size
DWORD get_image_size(IN const BYTE *payload)
Definition: pe_hdrs_helper.cpp:77
peconv::is64bit
bool is64bit(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:121
peconv::is_valid_import_name
bool is_valid_import_name(const PBYTE modulePtr, const size_t moduleSize, LPSTR lib_name)
Definition: imports_loader.cpp:216
peconv::get_directory_entry
IMAGE_DATA_DIRECTORY * get_directory_entry(IN const BYTE *pe_buffer, IN DWORD dir_id, IN bool allow_empty=false)
Definition: pe_hdrs_helper.cpp:130
peconv::load_imports
bool load_imports(BYTE *modulePtr, t_function_resolver *func_resolver=nullptr)
Definition: imports_loader.cpp:191
Generated by doxygen 1.9.2