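/*
 * Translate a virtual address inside a PE image into an address within the
 * mapped file view.
 *
 * Walks the section table, finds the first section whose raw data covers
 * vaddr, converts the address to a file offset (offset inside the section plus
 * PointerToRawData) and passes that offset to rva_to_va().
 *
 * mapview   - base of the mapped view, handed through to rva_to_va()
 * sections  - section header table (may be NULL, in which case 0 is returned)
 * num_sects - number of entries in sections
 * vaddr     - virtual address to translate
 *
 * Returns the value produced by rva_to_va(), or 0 when no section covers
 * vaddr or the covering section's header is inconsistent.
 *
 * VirtualAddress, SizeOfRawData and PointerToRawData are read straight from
 * the section headers. If the image is not trusted, all three are
 * attacker-controlled, so the arithmetic below is written so that it cannot
 * wrap.
 *
 * NOTE(review): this function does not receive the size of the mapped view,
 * so it cannot check that the resulting file offset lies inside it. Callers
 * must validate the returned address before dereferencing it.
 */
static unsigned long DLLINTERNAL_NOVIS va_to_mapaddr(void * mapview, IMAGE_SECTION_HEADER * sections, int num_sects, unsigned long vaddr)
{
	if(!sections)
		return(0);

	for(int i = 0; i < num_sects; i++) {
		const IMAGE_SECTION_HEADER * sect = &sections[i];
		unsigned long delta;
		unsigned long fileoff;

		if(vaddr < sect->VirtualAddress)
			continue;

		// Compare the offset inside the section instead of computing
		// VirtualAddress + SizeOfRawData, which can wrap around.
		delta = vaddr - sect->VirtualAddress;
		if(delta >= sect->SizeOfRawData)
			continue;

		// A PointerToRawData close to the type's maximum would wrap the
		// file offset to a small value and silently map the address to
		// unrelated data; treat such a header as "not mapped".
		fileoff = delta + sect->PointerToRawData;
		if(fileoff < delta)
			return(0);

		return(rva_to_va(mapview, fileoff));
	}

	return(0);
}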
// Checks module signatures and return ntheaders pointer for valid module static IMAGE_NT_HEADERS * DLLINTERNAL_NOVIS get_ntheaders(void * mapview) { union { unsigned long mem; IMAGE_DOS_HEADER * dos; IMAGE_NT_HEADERS * pe; } mem; //Check if valid dos header mem.mem = (unsigned long)mapview; if(IsBadReadPtr(mem.dos, sizeof(*mem.dos)) || mem.dos->e_magic != IMAGE_DOS_SIGNATURE) return(0); //Get and check pe header mem.mem = rva_to_va(mapview, mem.dos->e_lfanew); if(IsBadReadPtr(mem.pe, sizeof(*mem.pe)) || mem.pe->Signature != IMAGE_NT_SIGNATURE) return(0); return(mem.pe); }
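/*
 * Flag the instructions at a module's entry points as not relocatable.
 *
 * Two kinds of entry point are handled:
 *   - every export whose address type is EXPORT_ADDRESS_TYPE_RVA;
 *   - the original entry point (AddressOfEntryPoint + ImageBase).
 * For each, the disassembly list is searched for the first node whose
 * MemoryAddress matches, and that node's IsNotRelocatable is set to TRUE.
 * An address with no matching node is silently skipped.
 *
 * pefile - parsed PE file; must not be NULL
 * da     - head of the disassembly list (a NULL list is a no-op)
 *
 * NOTE(review): exports[] is indexed up to NumberOfFunctions, a count read
 * from the export directory. Presumably the parser sized exports[] from that
 * same field; confirm, because for an untrusted file a mismatch would be an
 * out-of-bounds read.
 */
static void mark_entry_points(pefile_t *pefile, disassembly_t *da)
{
    disassembly_t *dptr;
    DWORD dwOEP;

    assert(pefile);
    /* assert() is compiled out under NDEBUG, so keep a runtime guard too. */
    if (pefile == NULL)
        return;

    if (pefile->exports != NULL)
    {
        /* Unsigned counter: NumberOfFunctions is an unsigned count, and a
         * signed int would overflow if the count exceeded INT_MAX. */
        DWORD i;

        for (i = 0; i < pefile->exports->image_export_directory.NumberOfFunctions; i++)
        {
            if (pefile->exports->exports[i].export_address_type != EXPORT_ADDRESS_TYPE_RVA)
                continue;

            /* find the instruction that matches and flag it. */
            for (dptr = da; dptr != NULL; dptr = dptr->next)
            {
                if (dptr->MemoryAddress == rva_to_va(pefile, pefile->exports->exports[i].rva.rva))
                {
                    dptr->IsNotRelocatable = TRUE;
                    break;
                }
            }
        }
    }

    /* NOTE(review): the sum is stored in a DWORD; confirm that wrap-around or
     * truncation (e.g. a 64-bit ImageBase) cannot occur for supported images. */
    dwOEP = pefile->image_nt_headers.OptionalHeader.AddressOfEntryPoint
          + pefile->image_nt_headers.OptionalHeader.ImageBase;

    for (dptr = da; dptr != NULL; dptr = dptr->next)
    {
        if (dptr->MemoryAddress == dwOEP)
        {
            dptr->IsNotRelocatable = TRUE;
            break;
        }
    }
}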