13 if (!payload || !destAddress)
return false;
15 BYTE* payload_nt_hdr =
get_nt_hdrs(payload, payload_size);
16 if (payload_nt_hdr == NULL) {
17 std::cerr <<
"Invalid payload: " << std::hex << (ULONGLONG) payload << std::endl;
21 const bool is64b =
is64bit(payload);
23 IMAGE_FILE_HEADER *fileHdr = NULL;
27 IMAGE_NT_HEADERS64* payload_nt_hdr64 = (IMAGE_NT_HEADERS64*) payload_nt_hdr;
28 fileHdr = &(payload_nt_hdr64->FileHeader);
29 hdrsSize = payload_nt_hdr64->OptionalHeader.SizeOfHeaders;
30 secptr = (LPVOID)((ULONGLONG)&(payload_nt_hdr64->OptionalHeader) + fileHdr->SizeOfOptionalHeader);
32 IMAGE_NT_HEADERS32* payload_nt_hdr32 = (IMAGE_NT_HEADERS32*) payload_nt_hdr;
33 fileHdr = &(payload_nt_hdr32->FileHeader);
34 hdrsSize = payload_nt_hdr32->OptionalHeader.SizeOfHeaders;
35 secptr = (LPVOID)((ULONGLONG)&(payload_nt_hdr32->OptionalHeader) + fileHdr->SizeOfOptionalHeader);
40 std::cout <<
"Coping sections:" << std::endl;
43 SIZE_T raw_end = hdrsSize;
44 for (WORD i = 0; i < fileHdr->NumberOfSections; i++) {
45 PIMAGE_SECTION_HEADER next_sec = (PIMAGE_SECTION_HEADER)((ULONGLONG)secptr + (IMAGE_SIZEOF_SECTION_HEADER * i));
46 if (!
validate_ptr(payload, payload_size, next_sec, IMAGE_SIZEOF_SECTION_HEADER)) {
50 LPVOID section_mapped = (BYTE*) payload + next_sec->VirtualAddress;
51 LPVOID section_raw_ptr = destAddress + next_sec->PointerToRawData;
52 SIZE_T sec_size = next_sec->SizeOfRawData;
54 size_t new_end = sec_size + next_sec->PointerToRawData;
55 if (new_end > raw_end) raw_end = new_end;
57 if ((next_sec->VirtualAddress + sec_size) > payload_size) {
58 std::cerr <<
"[!] Virtual section size is out ouf bounds: " << std::hex << sec_size << std::endl;
59 sec_size = (payload_size > next_sec->VirtualAddress) ? SIZE_T(payload_size - next_sec->VirtualAddress) : 0;
60 std::cerr <<
"[!] Truncated to maximal size: " << std::hex << sec_size <<
", buffer size: " << payload_size << std::endl;
62 if (next_sec->VirtualAddress > payload_size && sec_size != 0) {
63 std::cerr <<
"[-] VirtualAddress of section is out ouf bounds: " << std::hex << next_sec->VirtualAddress << std::endl;
66 if (next_sec->PointerToRawData + sec_size > payload_size) {
67 std::cerr <<
"[-] Raw section size is out ouf bounds: " << std::hex << sec_size << std::endl;
71 std::cout <<
"[+] " << next_sec->Name <<
" to: " << std::hex << section_raw_ptr << std::endl;
75 std::cerr <<
"[-] Section " << i <<
": out ouf bounds, skipping... " << std::endl;
80 std::cerr <<
"[-] Section " << i <<
": out ouf bounds, skipping... " << std::endl;
83 memcpy(section_raw_ptr, section_mapped, sec_size);
84 if (first_raw == 0 || (next_sec->PointerToRawData < first_raw)) {
85 first_raw = next_sec->PointerToRawData;
88 if (raw_end > payload_size) raw_end = payload_size;
89 if (raw_size_ptr != NULL) {
90 (*raw_size_ptr) = raw_end;
97 std::cout <<
"hdrsSize not filled, using calculated size: " << std::hex << hdrsSize <<
"\n";
100 if (!
validate_ptr(payload, payload_size, payload, hdrsSize)) {
103 memcpy(destAddress, payload, hdrsSize);
110 IN ULONGLONG loadBase,
111 OUT
size_t &out_size,
112 IN OPTIONAL
bool rebuffer
116 if (out_buf == NULL)
return NULL;
118 BYTE* in_buf = payload;
121 if (in_buf == NULL) {
125 memcpy(in_buf, payload, in_size);
134 std::cerr <<
"[-] Failed relocating the module!" << std::endl;
138 std::cerr <<
"[!] WARNING: The module could not be relocated, so the ImageBase has been changed instead!" << std::endl;
148 if (rebuffer && in_buf != NULL) {
162 IN
const BYTE* payload,
164 IN ULONGLONG loadBase,
174 memcpy(out_buf, payload, in_size);
182 std::cerr <<
"[-] Failed relocating the module!" << std::endl;
186 std::cerr <<
"[!] WARNING: The module could not be relocated, so the ImageBase has been changed instead!" << std::endl;
198 for (
size_t i = 0; i < sections_count; i++) {
203 sec->SizeOfRawData = sec->Misc.VirtualSize;
204 sec->PointerToRawData = sec->VirtualAddress;
bool set_sec_alignment(IN OUT BYTE *pe_buffer, IN bool is_raw, IN DWORD new_alignment)
bool validate_ptr(IN const void *buffer_bgn, IN SIZE_T buffer_size, IN const void *field_bgn, IN SIZE_T field_size)
DWORD get_virtual_sec_size(IN const BYTE *pe_hdr, IN const PIMAGE_SECTION_HEADER sec_hdr, IN bool rounded)
bool update_image_base(IN OUT BYTE *payload, IN ULONGLONG destImageBase)
ULONGLONG get_image_base(IN const BYTE *pe_buffer)
PIMAGE_SECTION_HEADER get_section_hdr(IN const BYTE *pe_buffer, IN const size_t buffer_size, IN size_t section_num)
BYTE * pe_virtual_to_raw(IN BYTE *payload, IN size_t in_size, IN ULONGLONG loadBase, OUT size_t &outputSize, IN OPTIONAL bool rebuffer=true)
bool free_pe_buffer(ALIGNED_BUF buffer, size_t buffer_size=0)
ALIGNED_BUF alloc_pe_buffer(size_t buffer_size, DWORD protect, ULONGLONG desired_base=NULL)
DWORD get_sec_alignment(IN const BYTE *modulePtr, IN bool is_raw)
bool is64bit(IN const BYTE *pe_buffer)
size_t get_sections_count(IN const BYTE *buffer, IN const size_t buffer_size)
bool relocate_module(IN BYTE *modulePtr, IN SIZE_T moduleSize, IN ULONGLONG newBase, IN ULONGLONG oldBase=0)
BYTE * pe_realign_raw_to_virtual(IN const BYTE *payload, IN size_t in_size, IN ULONGLONG loadBase, OUT size_t &outputSize)
BYTE * get_nt_hdrs(IN const BYTE *pe_buffer, IN OPTIONAL size_t buffer_size=0)
Wrappers over various fields in the PE header. Read, write, parse PE headers.
bool sections_virtual_to_raw(BYTE *payload, SIZE_T payload_size, OUT BYTE *destAddress, OUT SIZE_T *raw_size_ptr)
Converting PE from virtual to raw format.
Operating on PE file's relocations table.
Miscellaneous utility functions.
