libpeconv/pe__loader_8cpp_source.html

#include "peconv/pe_loader.h"


#include "peconv/relocate.h"

#include "peconv/imports_loader.h"

#include "peconv/buffer_util.h"

#include "peconv/function_resolver.h"

#include "peconv/exports_lookup.h"


#include <iostream>


using namespace peconv;


namespace peconv {

    BYTE* load_no_sec_pe(BYTE* dllRawData, size_t r_size, OUT size_t &v_size, bool executable)

    {

        ULONGLONG desired_base = 0;

        size_t out_size = (r_size < PAGE_SIZE) ? PAGE_SIZE : r_size;

        if (executable) {

            desired_base = get_image_base(dllRawData);

            out_size = peconv::get_image_size(dllRawData);

        }

        DWORD protect = (executable) ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;

        BYTE* mappedPE = peconv::alloc_pe_buffer(out_size, protect, desired_base);

        if (!mappedPE) {

            return NULL;

        }

        memcpy(mappedPE, dllRawData, r_size);

        v_size = out_size;

        return mappedPE;

    }

};


BYTE* peconv::load_pe_module(BYTE* dllRawData, size_t r_size, OUT size_t &v_size, bool executable, bool relocate)

{

    if (!peconv::get_nt_hdrs(dllRawData, r_size)) {

        return NULL;

    }

    if (peconv::get_sections_count(dllRawData, r_size) == 0) {

        return load_no_sec_pe(dllRawData, r_size, v_size, executable);

    }

    // by default, allow to load the PE at any base:

    ULONGLONG desired_base = NULL;

    // if relocating is required, but the PE has no relocation table...

    if (relocate && !has_relocations(dllRawData)) {

        // ...enforce loading the PE image at its default base (so that it will need no relocations)

        desired_base = get_image_base(dllRawData);

    }

    // load a virtual image of the PE file at the desired_base address (random if desired_base is NULL):

    BYTE *mappedDLL = pe_raw_to_virtual(dllRawData, r_size, v_size, executable, desired_base);

    if (mappedDLL) {

        //if the image was loaded at its default base, relocate_module will return always true (because relocating is already done)

        if (relocate && !relocate_module(mappedDLL, v_size, (ULONGLONG)mappedDLL)) {

            // relocating was required, but it failed - thus, the full PE image is useless

            printf("Could not relocate the module!");

            free_pe_buffer(mappedDLL, v_size);

            mappedDLL = NULL;

        }

    } else {

        printf("Could not allocate memory at the desired base!\n");

    }

    return mappedDLL;

}


BYTE* peconv::load_pe_module(const char *filename, OUT size_t &v_size, bool executable, bool relocate)

{

    size_t r_size = 0;

    BYTE *dllRawData = load_file(filename, r_size);

    if (!dllRawData) {

#ifdef _DEBUG

        std::cerr << "Cannot load the file: " << filename << std::endl;

#endif

        return NULL;

    }

    BYTE* mappedPE = load_pe_module(dllRawData, r_size, v_size, executable, relocate);

    free_pe_buffer(dllRawData);

    return mappedPE;

}


BYTE* peconv::load_pe_executable(BYTE* dllRawData, size_t r_size, OUT size_t &v_size, t_function_resolver* import_resolver)

{

    BYTE* loaded_pe = load_pe_module(dllRawData, r_size, v_size, true, true);

    if (!loaded_pe) {

        printf("[-] Loading failed!\n");

        return NULL;

    }

#if _DEBUG

    printf("Loaded at: %p\n", loaded_pe);

#endif

    if (has_valid_import_table(loaded_pe, v_size)) {

        if (!load_imports(loaded_pe, import_resolver)) {

            printf("[-] Loading imports failed!");

            free_pe_buffer(loaded_pe, v_size);

            return NULL;

        }

    }

    else {

        printf("[-] PE doesn't have a valid Import Table!\n");

    }

    return loaded_pe;

}


BYTE* peconv::load_pe_executable(const char *my_path, OUT size_t &v_size, t_function_resolver* import_resolver)

{

#if _DEBUG

    printf("Module: %s\n", my_path);

#endif

    BYTE* loaded_pe = load_pe_module(my_path, v_size, true, true);

    if (!loaded_pe) {

         printf("Loading failed!\n");

        return NULL;

    }

#if _DEBUG

    printf("Loaded at: %p\n", loaded_pe);

#endif

    if (!load_imports(loaded_pe, import_resolver)) {

        printf("[-] Loading imports failed!");

        free_pe_buffer(loaded_pe, v_size);

        return NULL;

    }

    return loaded_pe;

}

buffer_util.h
Definitions of the used buffer types. Functions for their allocation and deallocation.

peconv::t_function_resolver
Definition: function_resolver.h:14

exports_lookup.h
Searching specific functions in PE's Exports Table.

function_resolver.h
Definitions of basic Imports Resolver classes. They can be used for filling imports when the PE is lo...

imports_loader.h
Parsing and filling the Import Table.

peconv
Definition: buffer_util.h:10

peconv::has_relocations
bool has_relocations(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:460

peconv::has_valid_import_table
bool has_valid_import_table(const PBYTE modulePtr, size_t moduleSize)
Definition: imports_loader.cpp:233

peconv::load_no_sec_pe
BYTE * load_no_sec_pe(BYTE *dllRawData, size_t r_size, OUT size_t &v_size, bool executable)
Definition: pe_loader.cpp:14

peconv::get_image_base
ULONGLONG get_image_base(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:152

peconv::load_pe_executable
BYTE * load_pe_executable(BYTE *dllRawData, size_t r_size, OUT size_t &v_size, t_function_resolver *import_resolver=NULL)
Definition: pe_loader.cpp:79

peconv::load_pe_module
BYTE * load_pe_module(BYTE *dllRawData, size_t r_size, OUT size_t &v_size, bool executable, bool relocate)
Definition: pe_loader.cpp:33

peconv::get_image_size
DWORD get_image_size(IN const BYTE *payload)
Definition: pe_hdrs_helper.cpp:77

peconv::free_pe_buffer
bool free_pe_buffer(ALIGNED_BUF buffer, size_t buffer_size=0)
Definition: buffer_util.cpp:84

peconv::alloc_pe_buffer
ALIGNED_BUF alloc_pe_buffer(size_t buffer_size, DWORD protect, ULONGLONG desired_base=NULL)
Definition: buffer_util.cpp:78

peconv::load_file
peconv::ALIGNED_BUF load_file(IN const char *filename, OUT size_t &r_size)
Definition: file_util.cpp:11

peconv::pe_raw_to_virtual
BYTE * pe_raw_to_virtual(IN const BYTE *rawPeBuffer, IN size_t rawPeSize, OUT size_t &outputSize, IN OPTIONAL bool executable=true, IN OPTIONAL ULONGLONG desired_base=0)
Definition: pe_raw_to_virtual.cpp:98

peconv::get_sections_count
size_t get_sections_count(IN const BYTE *buffer, IN const size_t buffer_size)
Definition: pe_hdrs_helper.cpp:319

peconv::relocate_module
bool relocate_module(IN BYTE *modulePtr, IN SIZE_T moduleSize, IN ULONGLONG newBase, IN ULONGLONG oldBase=0)
Definition: relocate.cpp:162

peconv::get_nt_hdrs
BYTE * get_nt_hdrs(IN const BYTE *pe_buffer, IN OPTIONAL size_t buffer_size=0)
Definition: pe_hdrs_helper.cpp:10

peconv::load_imports
bool load_imports(BYTE *modulePtr, t_function_resolver *func_resolver=nullptr)
Definition: imports_loader.cpp:191

PAGE_SIZE
#define PAGE_SIZE
Definition: pe_hdrs_helper.h:12

pe_loader.h
Loading PE from a file with the help of the custom loader.

relocate.h
Operating on PE file's relocations table.