libPeConv
A library to load, manipulate, dump PE files.
pe_dumper.cpp
Go to the documentation of this file.
1#include "peconv/pe_dumper.h"
2
3#include "peconv/pe_hdrs_helper.h"
4#include "peconv/pe_virtual_to_raw.h"
5#include "peconv/fix_imports.h"
6#include "peconv/file_util.h"
7#include "peconv/pe_mode_detector.h"
8#include "fix_dot_net_ep.h"
9
10#include <iostream>
11
12using namespace peconv;
13
14t_pe_dump_mode peconv::detect_dump_mode(IN const BYTE* buffer, IN size_t mod_size)
15{
16 const t_pe_dump_mode default_mode = peconv::PE_DUMP_UNMAP;
17 if (peconv::is_pe_raw(buffer, mod_size)) {
18 return peconv::PE_DUMP_VIRTUAL;
19 }
20 if (peconv::is_pe_expanded(buffer, mod_size)) {
21 return peconv::PE_DUMP_REALIGN;
22 }
23 return default_mode;
24}
25
26bool peconv::dump_pe(IN const char *out_path,
27 IN OUT BYTE *buffer, IN size_t mod_size,
28 IN const ULONGLONG start_addr,
29 IN OUT t_pe_dump_mode &dump_mode,
30 IN OPTIONAL const peconv::ExportsMapper* exportsMap
31)
32{
33 // if the exportsMap is supplied, attempt to recover the (destroyed) import table:
34 if (exportsMap != nullptr) {
35 if (!peconv::fix_imports(buffer, mod_size, *exportsMap, NULL)) {
36 std::cerr << "[-] Unable to fix imports!" << std::endl;
37 }
38 }
39 if (dump_mode == PE_DUMP_AUTO || dump_mode >= PE_DUMP_MODES_COUNT) {
40 dump_mode = detect_dump_mode(buffer, mod_size);
41 }
42
43 BYTE* dump_data = buffer;
44 size_t dump_size = mod_size;
45 size_t out_size = 0;
46 BYTE* unmapped_module = nullptr;
47
48 if (dump_mode == peconv::PE_DUMP_UNMAP || dump_mode == peconv::PE_DUMP_REALIGN) {
49 //if the image base in headers is invalid, set the current base and prevent from relocating PE:
50 if (peconv::get_image_base(buffer) == 0) {
51 peconv::update_image_base(buffer, (ULONGLONG)start_addr);
52 }
53 if (is_dot_net(buffer, mod_size)) {
54 fix_dot_net_ep(buffer, mod_size);
55 }
56 if (dump_mode == peconv::PE_DUMP_UNMAP) {
57 unmapped_module = pe_virtual_to_raw(buffer, mod_size, (ULONGLONG)start_addr, out_size, false);
58 }
59 else if (dump_mode == peconv::PE_DUMP_REALIGN) {
60 unmapped_module = peconv::pe_realign_raw_to_virtual(buffer, mod_size, (ULONGLONG)start_addr, out_size);
61 }
62 // unmap the PE file (convert from the Virtual Format into Raw Format)
63 if (unmapped_module) {
64 dump_data = unmapped_module;
65 dump_size = out_size;
66 }
67 }
68 // save the read module into a file
69 const bool is_dumped = dump_to_file(out_path, dump_data, dump_size);
70
71 peconv::free_pe_buffer(unmapped_module, mod_size);
72 return is_dumped;
73}
file_util.h
Functions related to operations on files. Wrappers for read/write.
is_dot_net
bool is_dot_net(BYTE *pe_buffer, size_t pe_buffer_size)
Definition: fix_dot_net_ep.cpp:133
fix_dot_net_ep
bool fix_dot_net_ep(BYTE *pe_buffer, size_t pe_buffer_size)
Definition: fix_dot_net_ep.cpp:99
fix_dot_net_ep.h
fix_imports.h
Functions and classes responsible for fixing Import Table. A definition of ImportedDllCoverage class.
peconv::is_pe_raw
bool is_pe_raw(IN const BYTE *pe_buffer, IN size_t pe_size)
Definition: pe_mode_detector.cpp:149
peconv::update_image_base
bool update_image_base(IN OUT BYTE *payload, IN ULONGLONG destImageBase)
Definition: pe_hdrs_helper.cpp:226
peconv::fix_imports
bool fix_imports(IN OUT PVOID modulePtr, IN size_t moduleSize, IN const peconv::ExportsMapper &exportsMap, OUT OPTIONAL peconv::ImpsNotCovered *notCovered)
Definition: fix_imports.cpp:216
peconv::dump_pe
bool dump_pe(IN const char *outputFilePath, IN OUT BYTE *buffer, IN size_t buffer_size, IN const ULONGLONG module_base, IN OUT t_pe_dump_mode &dump_mode, IN OPTIONAL const peconv::ExportsMapper *exportsMap=nullptr)
Definition: pe_dumper.cpp:26
peconv::get_image_base
ULONGLONG get_image_base(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:152
peconv::pe_virtual_to_raw
BYTE * pe_virtual_to_raw(IN BYTE *payload, IN size_t in_size, IN ULONGLONG loadBase, OUT size_t &outputSize, IN OPTIONAL bool rebuffer=true)
Definition: pe_virtual_to_raw.cpp:107
peconv::t_pe_dump_mode
t_pe_dump_mode
Definition: pe_dumper.h:16
peconv::PE_DUMP_REALIGN
@ PE_DUMP_REALIGN
Definition: pe_dumper.h:20
peconv::PE_DUMP_MODES_COUNT
@ PE_DUMP_MODES_COUNT
Definition: pe_dumper.h:21
peconv::PE_DUMP_UNMAP
@ PE_DUMP_UNMAP
Definition: pe_dumper.h:19
peconv::PE_DUMP_AUTO
@ PE_DUMP_AUTO
Definition: pe_dumper.h:17
peconv::PE_DUMP_VIRTUAL
@ PE_DUMP_VIRTUAL
Definition: pe_dumper.h:18
peconv::free_pe_buffer
bool free_pe_buffer(ALIGNED_BUF buffer, size_t buffer_size=0)
Definition: buffer_util.cpp:84
peconv::dump_to_file
bool dump_to_file(IN const char *path, IN PBYTE dump_data, IN size_t dump_size)
Definition: file_util.cpp:101
peconv::detect_dump_mode
t_pe_dump_mode detect_dump_mode(IN const BYTE *buffer, IN size_t buffer_size)
Definition: pe_dumper.cpp:14
peconv::is_pe_expanded
bool is_pe_expanded(IN const BYTE *pe_buffer, IN size_t pe_size)
Definition: pe_mode_detector.cpp:169
peconv::pe_realign_raw_to_virtual
BYTE * pe_realign_raw_to_virtual(IN const BYTE *payload, IN size_t in_size, IN ULONGLONG loadBase, OUT size_t &outputSize)
Definition: pe_virtual_to_raw.cpp:161
pe_dumper.h
Dumping PE from the memory buffer into a file.
pe_hdrs_helper.h
Wrappers over various fields in the PE header. Read, write, parse PE headers.
pe_mode_detector.h
Detecting in which mode is the PE in the supplied buffer (i.e. raw, virtual). Analyzes PE features ty...
pe_virtual_to_raw.h
Converting PE from virtual to raw format.
Generated by doxygen 1.9.2