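/*
 * generic_packer - heuristic for MEW and similar packers.
 *
 * MEW and some other packers leave the entry point in a section marked
 * only as readable (no executable and/or writable flag); the Windows
 * loader still executes the binary.  A section that carries all three of
 * the EXECUTE, READ and WRITE memory flags is treated as not packed.
 *
 * pe: parsed PE file.
 * ep: entry point RVA.
 *
 * Returns true when the entry point section looks packed; false when the
 * section cannot be resolved, starts with ".text", or has all three flags.
 */
bool generic_packer(PE_FILE *pe, QWORD ep)
{
	/* IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE */
	static const unsigned int mem_flags[] =
		{0x20000000U, 0x40000000U, 0x80000000U};

	IMAGE_SECTION_HEADER *sec = pe_rva2section(pe, ep);
	if (!sec)
		return false;

	/* MEW never leaves the EP in .text (prefix compare on the 8-byte Name). */
	if (memcmp(sec->Name, ".text", 5) == 0)
		return false;

	/* Count how many of the three memory flags the section carries. */
	unsigned int flags_set = 0;
	for (size_t j = 0; j < sizeof mem_flags / sizeof mem_flags[0]; j++) {
		if (sec->Characteristics & mem_flags[j])
			flags_set++;
	}

	/* Fewer than all three flags is the MEW-style layout. */
	return flags_set < 3;
}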
/*
 * MEW Packer and others basically store the entry point in a section
 * marked only as readable (without executable and/or writable flags);
 * the Windows loader still executes the binary.
 *
 * Returns true when the entry point section carries fewer than all three
 * of the EXECUTE/READ/WRITE characteristics; false when the section cannot
 * be resolved or its name starts with ".text".
 */
static bool generic_packer(pe_ctx_t *ctx, uint64_t entrypoint)
{
	const SectionCharacteristics mem_flags[] = {
		IMAGE_SCN_MEM_EXECUTE,
		IMAGE_SCN_MEM_READ,
		IMAGE_SCN_MEM_WRITE
	};

	IMAGE_SECTION_HEADER *ep_section = pe_rva2section(ctx, entrypoint);
	if (ep_section == NULL)
		return false;

	// MEW never leaves the EP in .text
	if (memcmp(ep_section->Name, ".text", 5) == 0)
		return false;

	// Count the memory flags present on the section; all three present
	// means this is not the MEW-style layout.
	unsigned short present = 0;
	size_t i = LIBPE_SIZEOF_ARRAY(mem_flags);
	while (i-- > 0) {
		if (ep_section->Characteristics & mem_flags[i])
			present++;
	}

	return present < 3;
}
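/*
 * Return the section holding the entry point when that section is not
 * flagged as containing code, i.e. a "fake" entry point; NULL when the
 * headers cannot be loaded, no section holds the RVA, or the section is
 * a regular code section.
 *
 * pe: parsed PE file; the optional header and section table are loaded
 *     on demand if not already present.
 * ep: pointer to the entry point RVA; only read.
 */
static IMAGE_SECTION_HEADER *pe_check_fake_entrypoint(PE_FILE *pe, DWORD *ep)
{
	/* Same value as winnt.h IMAGE_SCN_CNT_CODE. */
	enum { SECTION_CNT_CODE = 0x00000020 };

	if (!pe->optional_ptr)
		pe_get_optional(pe);

	if (!pe->num_sections || !pe->sections_ptr)
		pe_get_sections(pe);

	/* Re-check both fields: the table must be present as well as counted. */
	if (!pe->num_sections || !pe->sections_ptr)
		return NULL;

	IMAGE_SECTION_HEADER *epsec = pe_rva2section(pe, *ep);
	if (!epsec)
		return NULL;

	/* A code-flagged section is a normal entry point, not a fake one. */
	if (epsec->Characteristics & SECTION_CNT_CODE)
		return NULL;

	return epsec;
}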