libPeConv
A library to load, manipulate, dump PE files.
pe_hdrs_helper.cpp
Go to the documentation of this file.
1#include "peconv/pe_hdrs_helper.h"
2#include "peconv/util.h"
3
4using namespace peconv;
5
6#ifdef _DEBUG
7#include <iostream>
8#endif
9
10BYTE* peconv::get_nt_hdrs(IN const BYTE *pe_buffer, IN OPTIONAL size_t buffer_size)
11{
12 if (!pe_buffer) return nullptr;
13
14 IMAGE_DOS_HEADER *idh = (IMAGE_DOS_HEADER*)pe_buffer;
15 if (buffer_size != 0) {
16 if (!peconv::validate_ptr((LPVOID)pe_buffer, buffer_size, (LPVOID)idh, sizeof(IMAGE_DOS_HEADER))) {
17 return nullptr;
18 }
19 }
20 else {
21 if (peconv::is_bad_read_ptr(idh, sizeof(IMAGE_DOS_HEADER))) {
22 return nullptr;
23 }
24 }
25 if (idh->e_magic != IMAGE_DOS_SIGNATURE) {
26 return nullptr;
27 }
28 const LONG kMaxOffset = 1024;
29 LONG pe_offset = idh->e_lfanew;
30
31 if (pe_offset > kMaxOffset) return nullptr;
32
33 IMAGE_NT_HEADERS32 *inh = (IMAGE_NT_HEADERS32 *)(pe_buffer + pe_offset);
34 if (buffer_size != 0) {
35 if (!peconv::validate_ptr((LPVOID)pe_buffer, buffer_size, (LPVOID)inh, sizeof(IMAGE_NT_HEADERS32))) {
36 return nullptr;
37 }
38 }
39 else {
40 if (peconv::is_bad_read_ptr(inh, sizeof(IMAGE_NT_HEADERS32))) {
41 return nullptr;
42 }
43 }
44
45 if (inh->Signature != IMAGE_NT_SIGNATURE) {
46 return nullptr;
47 }
48 return (BYTE*)inh;
49}
50
51IMAGE_NT_HEADERS32* peconv::get_nt_hdrs32(IN const BYTE *payload)
52{
53 if (!payload) return nullptr;
54
55 BYTE *ptr = get_nt_hdrs(payload);
56 if (!ptr) return nullptr;
57
58 if (!is64bit(payload)) {
59 return (IMAGE_NT_HEADERS32*)ptr;
60 }
61 return nullptr;
62}
63
64IMAGE_NT_HEADERS64* peconv::get_nt_hdrs64(IN const BYTE *payload)
65{
66 if (payload == nullptr) return nullptr;
67
68 BYTE *ptr = get_nt_hdrs(payload);
69 if (!ptr) return nullptr;
70
71 if (is64bit(payload)) {
72 return (IMAGE_NT_HEADERS64*)ptr;
73 }
74 return nullptr;
75}
76
77DWORD peconv::get_image_size(IN const BYTE *payload)
78{
79 if (!get_nt_hdrs(payload)) {
80 return 0;
81 }
82 DWORD image_size = 0;
83 if (is64bit(payload)) {
84 IMAGE_NT_HEADERS64* nt64 = get_nt_hdrs64(payload);
85 image_size = nt64->OptionalHeader.SizeOfImage;
86 } else {
87 IMAGE_NT_HEADERS32* nt32 = get_nt_hdrs32(payload);
88 image_size = nt32->OptionalHeader.SizeOfImage;
89 }
90 return image_size;
91}
92
93bool peconv::update_image_size(IN OUT BYTE* payload, IN DWORD image_size)
94{
95 if (!get_nt_hdrs(payload)) {
96 return false;
97 }
98 if (is64bit(payload)) {
99 IMAGE_NT_HEADERS64* nt64 = get_nt_hdrs64(payload);
100 nt64->OptionalHeader.SizeOfImage = image_size;
101 }
102 else {
103 IMAGE_NT_HEADERS32* nt32 = get_nt_hdrs32(payload);
104 nt32->OptionalHeader.SizeOfImage = image_size;
105 }
106 return true;
107}
108
109WORD peconv::get_nt_hdr_architecture(IN const BYTE *pe_buffer)
110{
111 void *ptr = get_nt_hdrs(pe_buffer);
112 if (!ptr) return 0;
113
114 IMAGE_NT_HEADERS32 *inh = static_cast<IMAGE_NT_HEADERS32*>(ptr);
115 if (peconv::is_bad_read_ptr(inh, sizeof(IMAGE_NT_HEADERS32))) {
116 return 0;
117 }
118 return inh->OptionalHeader.Magic;
119}
120
121bool peconv::is64bit(IN const BYTE *pe_buffer)
122{
123 WORD arch = get_nt_hdr_architecture(pe_buffer);
124 if (arch == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
125 return true;
126 }
127 return false;
128}
129
130IMAGE_DATA_DIRECTORY* peconv::get_directory_entry(IN const BYTE *pe_buffer, IN DWORD dir_id, IN bool allow_empty)
131{
132 if (dir_id >= IMAGE_NUMBEROF_DIRECTORY_ENTRIES) return nullptr;
133
134 BYTE* nt_headers = get_nt_hdrs((BYTE*)pe_buffer);
135 if (!nt_headers) return nullptr;
136
137 IMAGE_DATA_DIRECTORY* peDir = nullptr;
138 if (is64bit(pe_buffer)) {
139 IMAGE_NT_HEADERS64* nt_headers64 = (IMAGE_NT_HEADERS64*)nt_headers;
140 peDir = &(nt_headers64->OptionalHeader.DataDirectory[dir_id]);
141 }
142 else {
143 IMAGE_NT_HEADERS32* nt_headers64 = (IMAGE_NT_HEADERS32*)nt_headers;
144 peDir = &(nt_headers64->OptionalHeader.DataDirectory[dir_id]);
145 }
146 if (!allow_empty && peDir->VirtualAddress == NULL) {
147 return nullptr;
148 }
149 return peDir;
150}
151
152ULONGLONG peconv::get_image_base(IN const BYTE *pe_buffer)
153{
154 bool is64b = is64bit(pe_buffer);
155 //update image base in the written content:
156 BYTE* payload_nt_hdr = get_nt_hdrs(pe_buffer);
157 if (!payload_nt_hdr) {
158 return 0;
159 }
160 ULONGLONG img_base = 0;
161 if (is64b) {
162 IMAGE_NT_HEADERS64* payload_nt_hdr64 = (IMAGE_NT_HEADERS64*)payload_nt_hdr;
163 img_base = payload_nt_hdr64->OptionalHeader.ImageBase;
164 } else {
165 IMAGE_NT_HEADERS32* payload_nt_hdr32 = (IMAGE_NT_HEADERS32*)payload_nt_hdr;
166 img_base = static_cast<ULONGLONG>(payload_nt_hdr32->OptionalHeader.ImageBase);
167 }
168 return img_base;
169}
170
171DWORD peconv::get_entry_point_rva(IN const BYTE *pe_buffer)
172{
173 //update image base in the written content:
174 BYTE* payload_nt_hdr = get_nt_hdrs(pe_buffer);
175 if (!payload_nt_hdr) {
176 return 0;
177 }
178 const bool is64b = is64bit(pe_buffer);
179 DWORD value = 0;
180 if (is64b) {
181 IMAGE_NT_HEADERS64* payload_nt_hdr64 = (IMAGE_NT_HEADERS64*)payload_nt_hdr;
182 value = payload_nt_hdr64->OptionalHeader.AddressOfEntryPoint;
183 } else {
184 IMAGE_NT_HEADERS32* payload_nt_hdr32 = (IMAGE_NT_HEADERS32*)payload_nt_hdr;
185 value = payload_nt_hdr32->OptionalHeader.AddressOfEntryPoint;
186 }
187 return value;
188}
189
190bool peconv::update_entry_point_rva(IN OUT BYTE *pe_buffer, IN DWORD value)
191{
192 bool is64b = is64bit(pe_buffer);
193 //update image base in the written content:
194 BYTE* payload_nt_hdr = get_nt_hdrs(pe_buffer);
195 if (!payload_nt_hdr) {
196 return false;
197 }
198 if (is64b) {
199 IMAGE_NT_HEADERS64* payload_nt_hdr64 = (IMAGE_NT_HEADERS64*)payload_nt_hdr;
200 payload_nt_hdr64->OptionalHeader.AddressOfEntryPoint = value;
201 } else {
202 IMAGE_NT_HEADERS32* payload_nt_hdr32 = (IMAGE_NT_HEADERS32*)payload_nt_hdr;
203 payload_nt_hdr32->OptionalHeader.AddressOfEntryPoint = value;
204 }
205 return true;
206}
207
208DWORD peconv::get_hdrs_size(IN const BYTE *pe_buffer)
209{
210 bool is64b = is64bit(pe_buffer);
211 BYTE* payload_nt_hdr = get_nt_hdrs(pe_buffer);
212 if (!payload_nt_hdr) {
213 return 0;
214 }
215 DWORD hdrs_size = 0;
216 if (is64b) {
217 IMAGE_NT_HEADERS64* payload_nt_hdr64 = (IMAGE_NT_HEADERS64*)payload_nt_hdr;
218 hdrs_size = payload_nt_hdr64->OptionalHeader.SizeOfHeaders;
219 } else {
220 IMAGE_NT_HEADERS32* payload_nt_hdr32 = (IMAGE_NT_HEADERS32*)payload_nt_hdr;
221 hdrs_size = payload_nt_hdr32->OptionalHeader.SizeOfHeaders;
222 }
223 return hdrs_size;
224}
225
226bool peconv::update_image_base(IN OUT BYTE* payload, IN ULONGLONG destImageBase)
227{
228 bool is64b = is64bit(payload);
229 BYTE* payload_nt_hdr = get_nt_hdrs(payload);
230 if (!payload_nt_hdr) {
231 return false;
232 }
233 if (is64b) {
234 IMAGE_NT_HEADERS64* payload_nt_hdr64 = (IMAGE_NT_HEADERS64*)payload_nt_hdr;
235 payload_nt_hdr64->OptionalHeader.ImageBase = (ULONGLONG)destImageBase;
236 }
237 else {
238 IMAGE_NT_HEADERS32* payload_nt_hdr32 = (IMAGE_NT_HEADERS32*)payload_nt_hdr;
239 payload_nt_hdr32->OptionalHeader.ImageBase = (DWORD)destImageBase;
240 }
241 return true;
242}
243
244template <typename IMAGE_NT_HEADERS_T>
245inline const IMAGE_FILE_HEADER* fetch_file_hdr(IN const BYTE* payload, IN const size_t buffer_size, IN const IMAGE_NT_HEADERS_T *payload_nt_hdr)
246{
247 if (!payload || !payload_nt_hdr) return nullptr;
248
249 const IMAGE_FILE_HEADER *fileHdr = &(payload_nt_hdr->FileHeader);
250
251 if (!validate_ptr((const LPVOID)payload, buffer_size, (const LPVOID)fileHdr, sizeof(IMAGE_FILE_HEADER))) {
252 return nullptr;
253 }
254 return fileHdr;
255}
256
257const IMAGE_FILE_HEADER* peconv::get_file_hdr(IN const BYTE* payload, IN const size_t buffer_size)
258{
259 if (!payload) return nullptr;
260
261 BYTE* payload_nt_hdr = get_nt_hdrs(payload, buffer_size);
262 if (!payload_nt_hdr) {
263 return nullptr;
264 }
265 if (is64bit(payload)) {
266 return fetch_file_hdr(payload, buffer_size, (IMAGE_NT_HEADERS64*)payload_nt_hdr);
267 }
268 return fetch_file_hdr(payload, buffer_size, (IMAGE_NT_HEADERS32*)payload_nt_hdr);
269}
270
271template <typename IMAGE_NT_HEADERS_T>
272inline const LPVOID fetch_opt_hdr(IN const BYTE* payload, IN const size_t buffer_size, IN const IMAGE_NT_HEADERS_T *payload_nt_hdr)
273{
274 if (!payload) return nullptr;
275
276 const IMAGE_FILE_HEADER *fileHdr = fetch_file_hdr<IMAGE_NT_HEADERS_T>(payload, buffer_size, payload_nt_hdr);
277 if (!fileHdr) {
278 return nullptr;
279 }
280 const LPVOID opt_hdr = (const LPVOID) &(payload_nt_hdr->OptionalHeader);
281 const size_t opt_size = fileHdr->SizeOfOptionalHeader;
282 if (!validate_ptr((const LPVOID)payload, buffer_size, opt_hdr, opt_size)) {
283 return nullptr;
284 }
285 return opt_hdr;
286}
287
288LPVOID peconv::get_optional_hdr(IN const BYTE* payload, IN const size_t buffer_size)
289{
290 if (!payload) return nullptr;
291
292 BYTE* payload_nt_hdr = get_nt_hdrs(payload, buffer_size);
293 const IMAGE_FILE_HEADER* fileHdr = get_file_hdr(payload, buffer_size);
294 if (!payload_nt_hdr || !fileHdr) {
295 return nullptr;
296 }
297 if (is64bit(payload)) {
298 return fetch_opt_hdr<IMAGE_NT_HEADERS64>(payload,buffer_size, (IMAGE_NT_HEADERS64*)payload_nt_hdr);
299 }
300 return fetch_opt_hdr<IMAGE_NT_HEADERS32>(payload, buffer_size, (IMAGE_NT_HEADERS32*)payload_nt_hdr);
301}
302
303template <typename IMAGE_NT_HEADERS_T>
304inline LPVOID fetch_section_hdrs_ptr(IN const BYTE* payload, IN const size_t buffer_size, IN const IMAGE_NT_HEADERS_T *payload_nt_hdr)
305{
306 const IMAGE_FILE_HEADER *fileHdr = fetch_file_hdr<IMAGE_NT_HEADERS_T>(payload, buffer_size, payload_nt_hdr);
307 if (!fileHdr) {
308 return nullptr;
309 }
310 const size_t opt_size = fileHdr->SizeOfOptionalHeader;
311 BYTE* opt_hdr = (BYTE*)fetch_opt_hdr(payload, buffer_size, payload_nt_hdr);
312 if (!validate_ptr((const LPVOID)payload, buffer_size, opt_hdr, opt_size)) {
313 return nullptr;
314 }
315 //sections headers starts right after the end of the optional header
316 return (LPVOID)(opt_hdr + opt_size);
317}
318
319size_t peconv::get_sections_count(IN const BYTE* payload, IN const size_t buffer_size)
320{
321 const IMAGE_FILE_HEADER* fileHdr = get_file_hdr(payload, buffer_size);
322 if (!fileHdr) {
323 return 0;
324 }
325 return fileHdr->NumberOfSections;
326}
327
328bool peconv::is_valid_sections_hdr_offset(IN const BYTE* buffer, IN const size_t buffer_size)
329{
330 size_t sec_count = peconv::get_sections_count(buffer, buffer_size);
331 if (sec_count == 0) {
332 //no sections found - a valid PE should have at least one section
333 return false;
334 }
335 PIMAGE_SECTION_HEADER last_hdr = get_section_hdr(buffer, buffer_size, sec_count - 1);
336 if (!last_hdr) {
337 //could not fetch the last section
338 return false;
339 }
340 return true;
341}
342
343PIMAGE_SECTION_HEADER peconv::get_section_hdr(IN const BYTE* payload, IN const size_t buffer_size, IN size_t section_num)
344{
345 if (!payload) return nullptr;
346
347 const size_t sections_count = peconv::get_sections_count(payload, buffer_size);
348 if (section_num >= sections_count) {
349 return nullptr;
350 }
351
352 LPVOID nt_hdrs = peconv::get_nt_hdrs(payload, buffer_size);
353 if (!nt_hdrs) return nullptr; //this should never happened, because the get_sections_count did not fail
354
355 LPVOID secptr = nullptr;
356 //get the beginning of sections headers:
357 if (is64bit(payload)) {
358 secptr = fetch_section_hdrs_ptr<IMAGE_NT_HEADERS64>(payload, buffer_size, (IMAGE_NT_HEADERS64*)nt_hdrs);
359 }
360 else {
361 secptr = fetch_section_hdrs_ptr<IMAGE_NT_HEADERS32>(payload, buffer_size, (IMAGE_NT_HEADERS32*)nt_hdrs);
362 }
363 //get the section header of given number:
364 PIMAGE_SECTION_HEADER next_sec = (PIMAGE_SECTION_HEADER)(
365 (ULONGLONG)secptr + (IMAGE_SIZEOF_SECTION_HEADER * section_num)
366 );
367 //validate pointer:
368 if (!validate_ptr((const LPVOID) payload, buffer_size, (const LPVOID) next_sec, sizeof(IMAGE_SECTION_HEADER))) {
369 return nullptr;
370 }
371 return next_sec;
372}
373
374WORD peconv::get_file_characteristics(IN const BYTE* payload)
375{
376 if (!payload) return 0;
377
378 bool is64b = is64bit(payload);
379 BYTE* payload_nt_hdr = get_nt_hdrs(payload);
380 if (!payload_nt_hdr) {
381 return 0;
382 }
383 IMAGE_FILE_HEADER *fileHdr = nullptr;
384 if (is64b) {
385 IMAGE_NT_HEADERS64* payload_nt_hdr64 = (IMAGE_NT_HEADERS64*)payload_nt_hdr;
386 fileHdr = &(payload_nt_hdr64->FileHeader);
387 }
388 else {
389 IMAGE_NT_HEADERS32* payload_nt_hdr32 = (IMAGE_NT_HEADERS32*)payload_nt_hdr;
390 fileHdr = &(payload_nt_hdr32->FileHeader);
391 }
392 return fileHdr->Characteristics;
393}
394
395bool peconv::is_module_dll(IN const BYTE* payload)
396{
397 if (!payload) return false;
398 WORD charact = get_file_characteristics(payload);
399 return ((charact & IMAGE_FILE_DLL) != 0);
400}
401
402WORD peconv::get_dll_characteristics(IN const BYTE* payload)
403{
404 if (!payload) return 0;
405
406 bool is64b = is64bit(payload);
407 BYTE* payload_nt_hdr = get_nt_hdrs(payload);
408 if (!payload_nt_hdr) {
409 return 0;
410 }
411 WORD charact = 0;
412 if (is64b) {
413 IMAGE_NT_HEADERS64* payload_nt_hdr64 = (IMAGE_NT_HEADERS64*)payload_nt_hdr;
414 charact = payload_nt_hdr64->OptionalHeader.DllCharacteristics;
415 }
416 else {
417 IMAGE_NT_HEADERS32* payload_nt_hdr32 = (IMAGE_NT_HEADERS32*)payload_nt_hdr;
418 charact = payload_nt_hdr32->OptionalHeader.DllCharacteristics;
419 }
420 return charact;
421}
422
423bool peconv::set_subsystem(IN OUT BYTE* payload, IN WORD subsystem)
424{
425 if (!payload) return false;
426
427 bool is64b = is64bit(payload);
428 BYTE* payload_nt_hdr = get_nt_hdrs(payload);
429 if (!payload_nt_hdr) {
430 return false;
431 }
432 if (is64b) {
433 IMAGE_NT_HEADERS64* payload_nt_hdr64 = (IMAGE_NT_HEADERS64*)payload_nt_hdr;
434 payload_nt_hdr64->OptionalHeader.Subsystem = subsystem;
435 } else {
436 IMAGE_NT_HEADERS32* payload_nt_hdr32 = (IMAGE_NT_HEADERS32*)payload_nt_hdr;
437 payload_nt_hdr32->OptionalHeader.Subsystem = subsystem;
438 }
439 return true;
440}
441
442WORD peconv::get_subsystem(IN const BYTE* payload)
443{
444 if (!payload) return 0;
445
446 BYTE* payload_nt_hdr = get_nt_hdrs(payload);
447 if (payload_nt_hdr == NULL) {
448 return 0;
449 }
450 const bool is64b = is64bit(payload);
451 if (is64b) {
452 IMAGE_NT_HEADERS64* payload_nt_hdr64 = (IMAGE_NT_HEADERS64*)payload_nt_hdr;
453 return payload_nt_hdr64->OptionalHeader.Subsystem;
454 } else {
455 IMAGE_NT_HEADERS32* payload_nt_hdr32 = (IMAGE_NT_HEADERS32*)payload_nt_hdr;
456 return payload_nt_hdr32->OptionalHeader.Subsystem;
457 }
458}
459
460bool peconv::has_relocations(IN const BYTE *pe_buffer)
461{
462 IMAGE_DATA_DIRECTORY* relocDir = get_directory_entry(pe_buffer, IMAGE_DIRECTORY_ENTRY_BASERELOC);
463 if (!relocDir) {
464 return false;
465 }
466 return true;
467}
468
469IMAGE_EXPORT_DIRECTORY* peconv::get_export_directory(IN HMODULE modulePtr)
470{
471 return get_type_directory<IMAGE_EXPORT_DIRECTORY>(modulePtr, IMAGE_DIRECTORY_ENTRY_EXPORT);
472}
473
474
475IMAGE_COR20_HEADER * peconv::get_dotnet_hdr(IN const BYTE* module, IN size_t const module_size, IN const IMAGE_DATA_DIRECTORY * dotNetDir)
476{
477 DWORD rva = dotNetDir->VirtualAddress;
478 DWORD hdr_size = dotNetDir->Size;
479 if (!peconv::validate_ptr(module, module_size, module + rva, hdr_size)) {
480 return nullptr;
481 }
482 IMAGE_COR20_HEADER *dnet_hdr = (IMAGE_COR20_HEADER*)(module + rva);
483 if (!peconv::validate_ptr(module, module_size, module + dnet_hdr->MetaData.VirtualAddress, dnet_hdr->MetaData.Size)) {
484 return nullptr;
485 }
486 DWORD* signature_ptr = (DWORD*)(module + dnet_hdr->MetaData.VirtualAddress);
487 const DWORD dotNetSign = 0x424A5342;
488 if (*signature_ptr != dotNetSign) {
489 //invalid header
490 return nullptr;
491 }
492 return dnet_hdr;
493}
494
495template <typename IMAGE_NT_HEADERS_T>
496DWORD* _get_sec_alignment_ptr(const BYTE* modulePtr, bool is_raw)
497{
498 IMAGE_NT_HEADERS_T* hdrs = reinterpret_cast<IMAGE_NT_HEADERS_T*>(peconv::get_nt_hdrs(modulePtr));
499 if (!hdrs) return nullptr;
500 if (is_raw) {
501 return &hdrs->OptionalHeader.FileAlignment;
502 }
503 return &hdrs->OptionalHeader.SectionAlignment;
504}
505
506DWORD peconv::get_sec_alignment(IN const BYTE* modulePtr, IN bool is_raw)
507{
508 DWORD* alignment = 0;
509 if (peconv::is64bit(modulePtr)) {
510 alignment = _get_sec_alignment_ptr<IMAGE_NT_HEADERS64>(modulePtr, is_raw);
511 } else {
512 alignment = _get_sec_alignment_ptr<IMAGE_NT_HEADERS32>(modulePtr, is_raw);
513 }
514 if (!alignment) return 0;
515 return *alignment;
516}
517
518bool peconv::set_sec_alignment(IN OUT BYTE* modulePtr, IN bool is_raw, IN DWORD new_alignment)
519{
520 DWORD* alignment = 0;
521 if (peconv::is64bit(modulePtr)) {
522 alignment = _get_sec_alignment_ptr<IMAGE_NT_HEADERS64>(modulePtr, is_raw);
523 }
524 else {
525 alignment = _get_sec_alignment_ptr<IMAGE_NT_HEADERS32>(modulePtr, is_raw);
526 }
527 if (!alignment) return false;
528
529 *alignment = new_alignment;
530 return true;
531}
532
533DWORD peconv::get_virtual_sec_size(IN const BYTE* pe_hdr, IN const PIMAGE_SECTION_HEADER sec_hdr, IN bool rounded)
534{
535 if (!pe_hdr || !sec_hdr) {
536 return 0;
537 }
538 if (!rounded) {
539 return sec_hdr->Misc.VirtualSize;;
540 }
541 //TODO: calculate real size, round up to Virtual Alignment
542 DWORD alignment = peconv::get_sec_alignment((const PBYTE)pe_hdr, false);
543 DWORD vsize = sec_hdr->Misc.VirtualSize;
544
545 DWORD units = vsize / alignment;
546 if ((vsize % alignment) > 0) units++;
547
548 vsize = units * alignment;
549
550 DWORD image_size = peconv::get_image_size(pe_hdr);
551 //if it is bigger than the image size, use the size from the headers
552 if ((sec_hdr->VirtualAddress + vsize) > image_size) {
553 vsize = sec_hdr->Misc.VirtualSize;
554 }
555 return vsize;
556}
557
558PIMAGE_SECTION_HEADER peconv::get_last_section(IN const PBYTE pe_buffer, IN size_t pe_size, IN bool is_raw)
559{
560 SIZE_T module_end = peconv::get_hdrs_size(pe_buffer);
561 const size_t sections_count = peconv::get_sections_count(pe_buffer, pe_size);
562 if (sections_count == 0) {
563 return nullptr;
564 }
565 PIMAGE_SECTION_HEADER last_sec = nullptr;
566 //walk through sections
567 for (size_t i = 0; i < sections_count; i++) {
568 PIMAGE_SECTION_HEADER sec = peconv::get_section_hdr(pe_buffer, pe_size, i);
569 if (!sec) break;
570
571 size_t new_end = is_raw ? (sec->PointerToRawData + sec->SizeOfRawData) : (sec->VirtualAddress + sec->Misc.VirtualSize);
572 if (new_end > module_end) {
573 module_end = new_end;
574 last_sec = sec;
575 }
576 }
577 return last_sec;
578}
579
580DWORD peconv::calc_pe_size(IN const PBYTE pe_buffer, IN size_t pe_size, IN bool is_raw)
581{
582 DWORD module_end = peconv::get_hdrs_size(pe_buffer);
583 const size_t sections_count = peconv::get_sections_count(pe_buffer, pe_size);
584 if (sections_count == 0) {
585 return module_end;
586 }
587 //walk through sections
588 for (size_t i = 0; i < sections_count; i++) {
589 PIMAGE_SECTION_HEADER sec = peconv::get_section_hdr(pe_buffer, pe_size, i);
590 if (!sec) break;
591
592 DWORD new_end = is_raw ? (sec->PointerToRawData + sec->SizeOfRawData) : (sec->VirtualAddress + sec->Misc.VirtualSize);
593 if (new_end > module_end) module_end = new_end;
594 }
595 return module_end;
596}
597
598bool peconv::is_valid_sectons_alignment(IN const BYTE* payload, IN const SIZE_T payload_size, IN bool is_raw)
599{
600 if (payload == NULL) return false;
601
602 const DWORD my_align = peconv::get_sec_alignment(payload, is_raw);
603 if (my_align == 0) {
604#ifdef _DEBUG
605 std::cout << "Section alignment cannot be 0\n";
606#endif
607 return false;
608 }
609 const size_t sections_count = peconv::get_sections_count(payload, payload_size);
610 if (sections_count == 0) {
611 //no sections
612 return false;
613 }
614 for (size_t i = 0; i < sections_count; i++) {
615 PIMAGE_SECTION_HEADER next_sec = peconv::get_section_hdr(payload, payload_size, i);
616 if (!next_sec) return false; //the number of the sections in header is out of scope
617
618 const DWORD next_sec_addr = is_raw ? (next_sec->PointerToRawData) : (next_sec->VirtualAddress);
619
620 SIZE_T sec_size = is_raw ? next_sec->SizeOfRawData : next_sec->Misc.VirtualSize;
621 if (sec_size == 0) continue;
622 if (next_sec->Misc.VirtualSize == 0) {
623 continue; // if the VirtualSize == 0 the section will not be mapped anyways
624 }
625 if (next_sec_addr == 0) {
626 //if cannot be 0 if the size is not 0
627 return false;
628 }
629
630 //check only if raw_align is non-zero
631 if (my_align && next_sec_addr % my_align != 0) {
632#ifdef _DEBUG
633 std::cout << "Section is misaligned\n";
634#endif
635 return false; //misaligned
636 }
637 }
638 return true;
639}
peconv::update_entry_point_rva
bool update_entry_point_rva(IN OUT BYTE *pe_buffer, IN DWORD ep)
Definition: pe_hdrs_helper.cpp:190
peconv::set_sec_alignment
bool set_sec_alignment(IN OUT BYTE *pe_buffer, IN bool is_raw, IN DWORD new_alignment)
Definition: pe_hdrs_helper.cpp:518
peconv::validate_ptr
bool validate_ptr(IN const void *buffer_bgn, IN SIZE_T buffer_size, IN const void *field_bgn, IN SIZE_T field_size)
Definition: buffer_util.cpp:9
peconv::has_relocations
bool has_relocations(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:460
peconv::get_entry_point_rva
DWORD get_entry_point_rva(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:171
peconv::get_nt_hdr_architecture
WORD get_nt_hdr_architecture(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:109
peconv::set_subsystem
bool set_subsystem(IN OUT BYTE *payload, IN WORD subsystem)
Definition: pe_hdrs_helper.cpp:423
peconv::get_virtual_sec_size
DWORD get_virtual_sec_size(IN const BYTE *pe_hdr, IN const PIMAGE_SECTION_HEADER sec_hdr, IN bool rounded)
Definition: pe_hdrs_helper.cpp:533
peconv::get_file_hdr
const IMAGE_FILE_HEADER * get_file_hdr(IN const BYTE *payload, IN const size_t buffer_size)
Definition: pe_hdrs_helper.cpp:257
peconv::update_image_base
bool update_image_base(IN OUT BYTE *payload, IN ULONGLONG destImageBase)
Definition: pe_hdrs_helper.cpp:226
peconv::is_valid_sections_hdr_offset
bool is_valid_sections_hdr_offset(IN const BYTE *buffer, IN const size_t buffer_size)
Definition: pe_hdrs_helper.cpp:328
peconv::get_image_base
ULONGLONG get_image_base(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:152
peconv::get_file_characteristics
WORD get_file_characteristics(IN const BYTE *payload)
Definition: pe_hdrs_helper.cpp:374
peconv::get_section_hdr
PIMAGE_SECTION_HEADER get_section_hdr(IN const BYTE *pe_buffer, IN const size_t buffer_size, IN size_t section_num)
Definition: pe_hdrs_helper.cpp:343
peconv::get_nt_hdrs64
IMAGE_NT_HEADERS64 * get_nt_hdrs64(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:64
peconv::get_dotnet_hdr
IMAGE_COR20_HEADER * get_dotnet_hdr(IN const BYTE *pe_buffer, IN size_t const buffer_size, IN const IMAGE_DATA_DIRECTORY *dotNetDir)
Definition: pe_hdrs_helper.cpp:475
peconv::get_image_size
DWORD get_image_size(IN const BYTE *payload)
Definition: pe_hdrs_helper.cpp:77
peconv::get_sec_alignment
DWORD get_sec_alignment(IN const BYTE *modulePtr, IN bool is_raw)
Definition: pe_hdrs_helper.cpp:506
peconv::is64bit
bool is64bit(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:121
peconv::is_bad_read_ptr
bool is_bad_read_ptr(LPCVOID areaStart, SIZE_T areaSize)
Definition: util.cpp:150
peconv::get_sections_count
size_t get_sections_count(IN const BYTE *buffer, IN const size_t buffer_size)
Definition: pe_hdrs_helper.cpp:319
peconv::get_nt_hdrs32
IMAGE_NT_HEADERS32 * get_nt_hdrs32(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:51
peconv::update_image_size
bool update_image_size(IN OUT BYTE *payload, IN DWORD new_img_size)
Definition: pe_hdrs_helper.cpp:93
peconv::get_hdrs_size
DWORD get_hdrs_size(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:208
peconv::get_directory_entry
IMAGE_DATA_DIRECTORY * get_directory_entry(IN const BYTE *pe_buffer, IN DWORD dir_id, IN bool allow_empty=false)
Definition: pe_hdrs_helper.cpp:130
peconv::get_last_section
PIMAGE_SECTION_HEADER get_last_section(IN const PBYTE pe_buffer, IN size_t pe_size, IN bool is_raw)
Definition: pe_hdrs_helper.cpp:558
peconv::get_dll_characteristics
WORD get_dll_characteristics(IN const BYTE *payload)
Definition: pe_hdrs_helper.cpp:402
peconv::get_export_directory
IMAGE_EXPORT_DIRECTORY * get_export_directory(IN HMODULE modulePtr)
Definition: pe_hdrs_helper.cpp:469
peconv::is_valid_sectons_alignment
bool is_valid_sectons_alignment(IN const BYTE *buffer, IN const SIZE_T buffer_size, IN bool is_raw)
Definition: pe_hdrs_helper.cpp:598
peconv::get_nt_hdrs
BYTE * get_nt_hdrs(IN const BYTE *pe_buffer, IN OPTIONAL size_t buffer_size=0)
Definition: pe_hdrs_helper.cpp:10
peconv::calc_pe_size
DWORD calc_pe_size(IN const PBYTE pe_buffer, IN size_t pe_size, IN bool is_raw)
Definition: pe_hdrs_helper.cpp:580
peconv::is_module_dll
bool is_module_dll(IN const BYTE *payload)
Definition: pe_hdrs_helper.cpp:395
peconv::get_subsystem
WORD get_subsystem(IN const BYTE *payload)
Definition: pe_hdrs_helper.cpp:442
peconv::get_optional_hdr
LPVOID get_optional_hdr(IN const BYTE *payload, IN const size_t buffer_size)
Definition: pe_hdrs_helper.cpp:288
fetch_file_hdr
const IMAGE_FILE_HEADER * fetch_file_hdr(IN const BYTE *payload, IN const size_t buffer_size, IN const IMAGE_NT_HEADERS_T *payload_nt_hdr)
Definition: pe_hdrs_helper.cpp:245
fetch_section_hdrs_ptr
LPVOID fetch_section_hdrs_ptr(IN const BYTE *payload, IN const size_t buffer_size, IN const IMAGE_NT_HEADERS_T *payload_nt_hdr)
Definition: pe_hdrs_helper.cpp:304
_get_sec_alignment_ptr
DWORD * _get_sec_alignment_ptr(const BYTE *modulePtr, bool is_raw)
Definition: pe_hdrs_helper.cpp:496
fetch_opt_hdr
const LPVOID fetch_opt_hdr(IN const BYTE *payload, IN const size_t buffer_size, IN const IMAGE_NT_HEADERS_T *payload_nt_hdr)
Definition: pe_hdrs_helper.cpp:272
pe_hdrs_helper.h
Wrappers over various fields in the PE header. Read, write, parse PE headers.
util.h
Miscellaneous utility functions.
Generated by doxygen 1.9.2