Exemplo n.º 1
0
void GetLinkedModulesInfo(TCHAR *moduleName, CMString &buffer)
{
	HANDLE hDllFile = CreateFile(moduleName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hDllFile == INVALID_HANDLE_VALUE)
		return;

	HANDLE hDllMapping = CreateFileMapping(hDllFile, NULL, PAGE_READONLY, 0, 0, NULL);
	if (hDllMapping == INVALID_HANDLE_VALUE) {
		CloseHandle(hDllFile);
		return;
	}

	LPVOID dllAddr = MapViewOfFile(hDllMapping, FILE_MAP_READ, 0, 0, 0);

	static const TCHAR format[] = TEXT("    Plugin statically linked to missing module: %S\r\n");

	__try {
		PIMAGE_NT_HEADERS nthdrs = ImageNtHeader(dllAddr);

		ULONG tableSize;
		PIMAGE_IMPORT_DESCRIPTOR importData = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(dllAddr, FALSE,
			IMAGE_DIRECTORY_ENTRY_IMPORT, &tableSize);
		if (importData) {
			while (importData->Name) {
				char* moduleName = (char*)ImageRvaToVa(nthdrs, dllAddr, importData->Name, NULL);
				if (!SearchPathA(NULL, moduleName, NULL, NULL, 0, NULL))
					buffer.AppendFormat(format, moduleName);

				importData++; //go to next record
			}
		}

		bool found = false;
		PIMAGE_EXPORT_DIRECTORY exportData = (PIMAGE_EXPORT_DIRECTORY)ImageDirectoryEntryToData(dllAddr, FALSE,
			IMAGE_DIRECTORY_ENTRY_EXPORT, &tableSize);
		if (exportData) {
			ULONG* funcAddr = (ULONG*)ImageRvaToVa(nthdrs, dllAddr, exportData->AddressOfNames, NULL);
			for (unsigned i = 0; i < exportData->NumberOfNames && !found; ++i) {
				char* funcName = (char*)ImageRvaToVa(nthdrs, dllAddr, funcAddr[i], NULL);
				found = mir_strcmp(funcName, "MirandaPluginInfoEx") == 0 || mir_strcmp(funcName, "MirandaPluginInfo") == 0;
				if (mir_strcmp(funcName, "DatabasePluginInfo") == 0) {
					buffer.Append(TEXT("    This dll is a Miranda database plugin, another database is active right now\r\n"));
					found = true;
				}
			}
		}
		if (!found)
			buffer.Append(TEXT("    This dll is not a Miranda plugin and should be removed from plugins directory\r\n"));
	}
	__except (EXCEPTION_EXECUTE_HANDLER) {}

	UnmapViewOfFile(dllAddr);
	CloseHandle(hDllMapping);
	CloseHandle(hDllFile);
}
Exemplo n.º 2
0
struct PE_get_imports_info* PE_get_imports (LOADED_IMAGE *im)
{
	struct PE_get_imports_info* rt=DMALLOC(struct PE_get_imports_info, 1, "struct PE_get_imports_info");
	bool PE32_plus=PE_is_PE32(im);
	rt->start_RVA=PE_get_import_descriptor_RVA(im, PE32_plus);
	IMAGE_IMPORT_DESCRIPTOR* import_dir=PE_get_import_descriptor(im, PE32_plus);

	if (import_dir==NULL)
	{
		free(rt);
		return NULL; // No imports
	};

	rt->import_descriptors_t=PE_count_import_descriptors (im);
	rt->dlls=DMALLOC(struct PE_get_imports_DLL_info, rt->import_descriptors_t, 
			"struct PE_get_imports_DLL_info");

	int j;
	IMAGE_IMPORT_DESCRIPTOR *i;
	for (i=import_dir, j=0; i->OriginalFirstThunk; i++, j++)
	{
		address* OriginalFirstThunk_a=(address*)ImageRvaToVa (im->FileHeader, im->MappedAddress, i->OriginalFirstThunk, NULL);
		char* name=(char*)ImageRvaToVa (im->FileHeader, im->MappedAddress, i->Name, NULL);
		struct PE_get_imports_DLL_info* DLL=rt->dlls+j;
		DLL->DLL_name=DSTRDUP(name,"char*");
		DLL->FirstThunk=i->FirstThunk;
		DLL->allocate_thunks=false;

		DLL->symbols_t=NULL_terminated_array_of_pointers_size((void**)OriginalFirstThunk_a);
		DLL->symbols=DMALLOC(char*, DLL->symbols_t, "char*");
		DLL->hints=DMALLOC(wyde, DLL->symbols_t, "wyde");
		
		for (address *s=OriginalFirstThunk_a, si=0; *s; s++, si++)
		{
			if (IS_SET(*s, REG_MSB))
			{
				DLL->hints[si]=(*s)&0xFFFF;
				DLL->symbols[si]=NULL;
			}
			else
			{
				byte *tmp=(byte*)ImageRvaToVa(im->FileHeader, im->MappedAddress, *s, NULL);
				DLL->hints[si]=*(wyde*)tmp;
				DLL->symbols[si]=DSTRDUP ((char*)(tmp+2), "symbol name");
			};
		};
	};

	return rt;
};
Exemplo n.º 3
0
static void* assembly_rva_to_va(ASSEMBLY *assembly, ULONG rva)
{
    if (assembly->is_mapped_file)
        return ImageRvaToVa(assembly->nthdr, assembly->data, rva, NULL);
    else
        return assembly->data + rva;
}
Exemplo n.º 4
0
static HRESULT parse_metadata_header(ASSEMBLY *assembly, DWORD *hdrsz)
{
    METADATAHDR *metadatahdr;
    BYTE *ptr, *dest;
    DWORD size, ofs;
    ULONG rva;

    rva = assembly->corhdr->MetaData.VirtualAddress;
    ptr = ImageRvaToVa(assembly->nthdr, assembly->data, rva, NULL);
    if (!ptr)
        return E_FAIL;

    metadatahdr = (METADATAHDR *)ptr;

    assembly->metadatahdr = HeapAlloc(GetProcessHeap(), 0, sizeof(METADATAHDR));
    if (!assembly->metadatahdr)
        return E_OUTOFMEMORY;

    size = FIELD_OFFSET(METADATAHDR, Version);
    memcpy(assembly->metadatahdr, metadatahdr, size);

    assembly->metadatahdr->Version = (LPSTR)&metadatahdr->Version;

    ofs = FIELD_OFFSET(METADATAHDR, Flags);
    ptr += FIELD_OFFSET(METADATAHDR, Version) + metadatahdr->VersionLength + 1;
    dest = (BYTE *)assembly->metadatahdr + ofs;
    memcpy(dest, ptr, sizeof(METADATAHDR) - ofs);

    *hdrsz = sizeof(METADATAHDR) - sizeof(LPSTR) + metadatahdr->VersionLength + 1;

    return S_OK;
}
Exemplo n.º 5
0
// translate actual loaded pointer to to pointer within the loaded image
const unsigned char * KImageModule::Address2ImagePointer(unsigned addr)
{
	assert(m_imagebase_loaded);

	return (const unsigned char *) 
		ImageRvaToVa(m_image.FileHeader, (void *) m_imagebase_loaded, 
		                addr - m_image.FileHeader->OptionalHeader.ImageBase, NULL);
}
Exemplo n.º 6
0
// translate symbol va address symbva to RVA symbva - mappedBase
// translate RVA to pointer within the loaded image
const unsigned char * KImageModule::GetImagePointer(unsigned symbva)
{
	assert(m_imagebase_loaded);

	return (const unsigned char *) 
		ImageRvaToVa(m_image.FileHeader, (void *) m_imagebase_loaded, 
		                symbva - m_imagebase_default, NULL);
}
Exemplo n.º 7
0
static bool
search_syms_cb(const char *name, size_t modoffs, void *data)
{
    search_data_t *sd = (search_data_t *) data;
    byte *addr = ImageRvaToVa(sd->img->FileHeader, sd->img->MappedAddress,
                              (ULONG) modoffs, NULL);
    verbose_print("Found symbol \"%s\" at offs "PIFX" => "PFX"\n", name, modoffs, addr);
    process_syscall_wrapper(sd->dcontext, addr, name, "pdb");
    return true; /* keep iterating */
}
Exemplo n.º 8
0
int
main(int argc, char *argv[])
{
	util_suppress_errmsg();
	if (argc < 2) {
		fprintf(stderr, "usage: %s dllname\n", argv[0]);
		exit(1);
	}

	const char *dllname = argv[1];

	LOADED_IMAGE img;
	if (MapAndLoad(dllname, NULL, &img, 1, 1) == FALSE) {
		fprintf(stderr, "cannot load DLL image\n");
		exit(2);
	}

	IMAGE_EXPORT_DIRECTORY *dir;
	ULONG dirsize;
	dir = (IMAGE_EXPORT_DIRECTORY *)ImageDirectoryEntryToData(
			img.MappedAddress, 0 /* mapped as image */,
			IMAGE_DIRECTORY_ENTRY_EXPORT, &dirsize);
	if (dir == NULL) {
		fprintf(stderr, "cannot read image directory\n");
		UnMapAndLoad(&img);
		exit(3);
	}

	DWORD *rva;
	rva = (DWORD *)ImageRvaToVa(img.FileHeader, img.MappedAddress,
			dir->AddressOfNames, NULL);

	for (DWORD i = 0; i < dir->NumberOfNames; i++) {
		char *name = (char *)ImageRvaToVa(img.FileHeader,
				img.MappedAddress, rva[i], NULL);
		printf("%s\n", name);
	}

	UnMapAndLoad(&img);
	return 0;
}
Exemplo n.º 9
0
DWORD pe_getImportOriFuncAddressByOrdinal(PVOID lpBase,LPSTR lpDllName,DWORD dwOrdinal)
{
	//获得dos头部
	PIMAGE_DOS_HEADER pImage_dos_header=(PIMAGE_DOS_HEADER)lpBase;
	//获得nt头部
	PIMAGE_NT_HEADERS pImage_nt_header = (PIMAGE_NT_HEADERS)((ULONG)lpBase + pImage_dos_header->e_lfanew);
	//获得导入表
	PIMAGE_IMPORT_DESCRIPTOR pImage_import_descriptor = (PIMAGE_IMPORT_DESCRIPTOR)ImageRvaToVa(pImage_nt_header,lpBase,pImage_nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress,NULL);

	//遍历导入表
	while(pImage_import_descriptor->Characteristics != 0)
	{
		if (!stricmp((LPSTR)ImageRvaToVa(pImage_nt_header,lpBase,pImage_import_descriptor->Name,NULL),lpDllName))
		{
			//
			return *(PDWORD)ImageRvaToVa(pImage_nt_header,lpBase,pImage_import_descriptor->FirstThunk + dwOrdinal*4,NULL);
		}
		
		pImage_import_descriptor++;
	};
}
Exemplo n.º 10
0
DWORD pe_getExportOriFuncAddressByOrdinal(PVOID lpBase,DWORD dwOrdinal)
{
	//
	PIMAGE_DOS_HEADER pImage_dos_header = (PIMAGE_DOS_HEADER)lpBase;

	//
	PIMAGE_NT_HEADERS pImage_nt_header = (PIMAGE_NT_HEADERS)((PBYTE)lpBase + pImage_dos_header->e_lfanew);

	//
	PIMAGE_EXPORT_DIRECTORY pImage_export_directory = (PIMAGE_EXPORT_DIRECTORY)ImageRvaToVa(pImage_nt_header,lpBase,pImage_nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress,NULL);

	if (!pImage_export_directory)
	{
		return -1;
	}

	//
	DWORD dwOriFuncAddr = *(PDWORD)ImageRvaToVa(pImage_nt_header,lpBase,pImage_export_directory->AddressOfFunctions + dwOrdinal * 4,NULL);

	//
	return dwOriFuncAddr;
}
Exemplo n.º 11
0
void initializeFSM() {
	LOADED_IMAGE image;
	PSTR imageFilename;
	//imageFilename = argv[1];
	//imageFilename = "test_short_instruction.exe";
	//imageFilename = "test_prefix.exe";
	//imageFilename = "prefix_4_opcode_1.exe";
	imageFilename = "prefix_2_opcode_1_modRM_SIB_imm.exe";
	//imageFilename = "opcode_1_modRM_SIB_imm.exe";
	
	if (!MapAndLoad(imageFilename, NULL, &image, FALSE, TRUE)) {
		PRINT_ERROR("MapAndLoad", __FILE__, __LINE__);
		return;
	}
	g_va = ImageRvaToVa(image.FileHeader, image.MappedAddress,
						  image.FileHeader->OptionalHeader.BaseOfCode, NULL);
}
Exemplo n.º 12
0
static HRESULT parse_clr_metadata(ASSEMBLY *assembly)
{
    METADATASTREAMHDR *streamhdr;
    ULONG rva, i, ofs;
    LPSTR stream;
    HRESULT hr;
    DWORD hdrsz;
    BYTE *ptr;

    hr = parse_metadata_header(assembly, &hdrsz);
    if (FAILED(hr))
        return hr;

    rva = assembly->corhdr->MetaData.VirtualAddress;
    ptr = ImageRvaToVa(assembly->nthdr, assembly->data, rva + hdrsz, NULL);
    if (!ptr)
        return E_FAIL;

    for (i = 0; i < assembly->metadatahdr->Streams; i++)
    {
        streamhdr = (METADATASTREAMHDR *)ptr;
        ofs = rva_to_offset(assembly->nthdr, rva + streamhdr->Offset);

        ptr += sizeof(METADATASTREAMHDR);
        stream = (LPSTR)ptr;

        if (!lstrcmpA(stream, "#~"))
        {
            hr = parse_clr_tables(assembly, ofs);
            if (FAILED(hr))
                return hr;
        }
        else if (!lstrcmpA(stream, "#Strings") || !lstrcmpA(stream, "Strings"))
            assembly->strings = assembly_data_offset(assembly, ofs);
        else if (!lstrcmpA(stream, "#Blob") || !lstrcmpA(stream, "Blob"))
            assembly->blobs = assembly_data_offset(assembly, ofs);

        ptr += lstrlenA(stream) + 1;
        ptr = (BYTE *)(((UINT_PTR)ptr + 3) & ~3); /* align on DWORD boundary */
    }

    return S_OK;
}
Exemplo n.º 13
0
static HRESULT parse_pe_header(ASSEMBLY *assembly)
{
    IMAGE_DATA_DIRECTORY *datadirs;

    assembly->nthdr = ImageNtHeader(assembly->data);
    if (!assembly->nthdr)
        return E_FAIL;

    if (assembly->nthdr->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    {
        IMAGE_OPTIONAL_HEADER64 *opthdr =
                (IMAGE_OPTIONAL_HEADER64 *)&assembly->nthdr->OptionalHeader;
        datadirs = opthdr->DataDirectory;
    }
    else
    {
        IMAGE_OPTIONAL_HEADER32 *opthdr =
                (IMAGE_OPTIONAL_HEADER32 *)&assembly->nthdr->OptionalHeader;
        datadirs = opthdr->DataDirectory;
    }

    if (!datadirs)
        return E_FAIL;

    if (!datadirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress ||
        !datadirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size)
    {
        return E_FAIL;
    }

    assembly->corhdr = ImageRvaToVa(assembly->nthdr, assembly->data,
        datadirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress, NULL);
    if (!assembly->corhdr)
        return E_FAIL;

    return S_OK;
}
Exemplo n.º 14
0
//导入表感染
void pe_infect_eat(LPTSTR lpFilePath,LPSTR lpDllName,LPSTR lpFuncName,ppe_retn_msg p_msg)
{
	//打开文件
	HANDLE hFile = CreateFile(lpFilePath,
		GENERIC_WRITE | GENERIC_READ,
		0,
		NULL,
		OPEN_EXISTING,
		FILE_ATTRIBUTE_NORMAL,
		NULL);

	//打开文件失败
	if(hFile == INVALID_HANDLE_VALUE)
	{
		p_msg->isSuccessed = false;
		swprintf(p_msg->tsMsg,L"can't create file! error code : %d",GetLastError());
		//
		return;
	}

	//获得文件大小
	DWORD dwFileSize = GetFileSize(hFile , 0 );

	//映射文件
	HANDLE hMap = CreateFileMapping(hFile ,
		0 ,
		PAGE_READWRITE ,
		0 ,
		dwFileSize ,
		0);

	//文件映射内存失败
	if(hMap == INVALID_HANDLE_VALUE)
	{
		CloseHandle(hFile);

		p_msg->isSuccessed = false;
		swprintf(p_msg->tsMsg,L"can't create file mapping! error code : %d",GetLastError());
		//
		return ;
	}

	//获得映射基址
	PBYTE lpBase = (PBYTE)MapViewOfFile(hMap , FILE_MAP_READ | FILE_MAP_WRITE , 0 , 0 , dwFileSize);

	//文件映射内存失败
	if(lpBase == NULL)
	{
		CloseHandle(hFile);
		CloseHandle(hMap);
		UnmapViewOfFile(lpBase);

		p_msg->isSuccessed = false;
		swprintf(p_msg->tsMsg,L"can't map view of file! error code : %d",GetLastError());
		//
		return ;
	}

	//dos
	PIMAGE_DOS_HEADER pImage_dos_header = (PIMAGE_DOS_HEADER)lpBase;

	//nt
	PIMAGE_NT_HEADERS pImage_nt_header = (PIMAGE_NT_HEADERS)((DWORD)lpBase + pImage_dos_header->e_lfanew);

	//
	PIMAGE_OPTIONAL_HEADER32 pImage_optional_header = (PIMAGE_OPTIONAL_HEADER32)(lpBase + pImage_dos_header->e_lfanew + 4 + sizeof(IMAGE_FILE_HEADER));

	//sec
	PIMAGE_SECTION_HEADER pImage_section_header = IMAGE_FIRST_SECTION(pImage_nt_header);

	//.text section PointerToRawData
	DWORD dwSectionOffset = pe_getTextSecOffset(pImage_section_header, pImage_nt_header->FileHeader.NumberOfSections);

	//
	if(dwSectionOffset == 0)
	{
		CloseHandle(hFile);
		CloseHandle(hMap);
		UnmapViewOfFile(lpBase);

		p_msg->isSuccessed = false;
		swprintf(p_msg->tsMsg,L"can't find .text section!");
		//
		return ;
	}

	/*
	PointerToRawData 为节区在PE文件中的偏移
	SizeOfRawData >= VirtualSize 
	VirtualSize      是节在内存中的长度 
	SizeOfRawData    则是VirtualSize经文件对齐后的尺寸。 
	比如: 你的.text的代码段长是0x110但是文件对齐尺寸是0x400,那.text的SizeOfRawData   就是0x400,而virtualSize就是0x110
	*/

	//import
	PIMAGE_IMPORT_DESCRIPTOR pImage_import_descriptor = (PIMAGE_IMPORT_DESCRIPTOR)ImageRvaToVa(pImage_nt_header,lpBase,pImage_nt_header->OptionalHeader.DataDirectory[1].VirtualAddress,NULL);
	
	//
	int importTableCount = 0;

	//获得导入表的数目
	while(pImage_import_descriptor[importTableCount].Characteristics != 0)
	{
		importTableCount ++;
	}

	//已有导入表数据的大小
	DWORD dwBufferSize = sizeof(IMAGE_IMPORT_DESCRIPTOR) * importTableCount;

	//获得第一个块的va
	PBYTE pSectionEnd = lpBase + pImage_section_header->PointerToRawData + pImage_section_header->SizeOfRawData - 1;

	//空闲空间大小
	UINT pPadSize = 0;

	//获得空闲空间大小
	while(*pSectionEnd == 0)
	{
		pPadSize ++;
		pSectionEnd --;
	}
	
	//
	PBYTE pSectionStart = pSectionEnd; 

	if (pPadSize < dwBufferSize + sizeof(IMAGE_IMPORT_DESCRIPTOR))
	{
		CloseHandle(hFile);
		CloseHandle(hMap);
		UnmapViewOfFile(lpBase);

		p_msg->isSuccessed = false;
		swprintf(p_msg->tsMsg,L"not enough space in .text section!");
		//
		return ;
	}

	//复制原始的引入表到.text空闲空间里面
	memcpy(pSectionStart,pImage_import_descriptor,dwBufferSize);

	//清空原始的引入表
	memset(pImage_import_descriptor,0,dwBufferSize);

	//定义一个新的引入表
	PIMAGE_IMPORT_DESCRIPTOR pImage_import_descriptor_new = PIMAGE_IMPORT_DESCRIPTOR(pSectionStart + dwBufferSize);

	//新的dll name
	strcpy((PCHAR)pImage_import_descriptor,lpDllName);
	PIMAGE_IMPORT_BY_NAME  pImage_import_by_name = (PIMAGE_IMPORT_BY_NAME)((PCHAR)(pImage_import_descriptor + 1)) + 5;

	//image_thunk_data
	DWORD dwThunkData = (DWORD)ImageVaToRva(pImage_nt_header,lpBase,(ULONG)pImage_import_by_name);

	memcpy((PCHAR)(pImage_import_descriptor + 1), &dwThunkData, 4);

	pImage_import_by_name->Hint = 0;
	//复制函数名
	strcpy((PCHAR)pImage_import_by_name->Name,lpFuncName);

	pImage_import_descriptor_new->Name = (DWORD)ImageVaToRva(pImage_nt_header,lpBase,(ULONG)pImage_import_descriptor);
	pImage_import_descriptor_new->FirstThunk = (DWORD)ImageVaToRva(pImage_nt_header,lpBase,(ULONG)(pImage_import_descriptor + 1));
	pImage_import_descriptor_new->OriginalFirstThunk = (DWORD)ImageVaToRva(pImage_nt_header,lpBase,(ULONG)(pImage_import_descriptor + 1));
	pImage_import_descriptor_new->ForwarderChain = 0;
	pImage_import_descriptor_new->TimeDateStamp = 0;

	pImage_optional_header->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = (DWORD)ImageVaToRva(pImage_nt_header,lpBase,(ULONG)(pSectionStart));
	pImage_optional_header->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size +=sizeof(IMAGE_IMPORT_DESCRIPTOR);

	CloseHandle(hFile);
	CloseHandle(hMap);
	UnmapViewOfFile(lpBase);

	p_msg->isSuccessed = true;

	//
	return ;
}
Exemplo n.º 15
0
/***********************************************************************
 *		BindImageEx (IMAGEHLP.@)
 *
 * Compute the virtual address of each function imported by a PE image
 *
 * PARAMS
 *
 *   Flags         [in] Bind options
 *   ImageName     [in] File name of the image to be bound
 *   DllPath       [in] Root of the fallback search path in case the ImageName file cannot be opened
 *   SymbolPath    [in] Symbol file root search path
 *   StatusRoutine [in] Pointer to a status routine which will be called during the binding process
 *
 * RETURNS
 *   Success: TRUE
 *   Failure: FALSE
 *
 * NOTES
 *  Binding is not implemented yet, so far this function only enumerates
 *  all imported dlls/functions and returns TRUE.
 */
BOOL WINAPI BindImageEx(
  DWORD Flags, PCSTR ImageName, PCSTR DllPath, PCSTR SymbolPath,
  PIMAGEHLP_STATUS_ROUTINE StatusRoutine)
{
    LOADED_IMAGE loaded_image;
    const IMAGE_IMPORT_DESCRIPTOR *import_desc;
    ULONG size;

    FIXME("(%d, %s, %s, %s, %p): semi-stub\n",
        Flags, debugstr_a(ImageName), debugstr_a(DllPath),
        debugstr_a(SymbolPath), StatusRoutine
    );

    if (!(MapAndLoad(ImageName, DllPath, &loaded_image, TRUE, TRUE))) return FALSE;

    if (!(import_desc = RtlImageDirectoryEntryToData((HMODULE)loaded_image.MappedAddress, FALSE,
                                                     IMAGE_DIRECTORY_ENTRY_IMPORT, &size)))
    {
        UnMapAndLoad(&loaded_image);
        return TRUE; /* No imported modules means nothing to bind, so we're done. */
    }

    /* FIXME: Does native imagehlp support both 32-bit and 64-bit PE executables? */
#ifdef _WIN64
    if (loaded_image.FileHeader->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC)
#else
    if (loaded_image.FileHeader->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
#endif
    {
        FIXME("Wrong architecture in PE header, unable to enumerate imports\n");
        UnMapAndLoad(&loaded_image);
        return TRUE;
    }

    for (; import_desc->Name && import_desc->FirstThunk; ++import_desc)
    {
        IMAGE_THUNK_DATA *thunk;
        char dll_fullname[MAX_PATH];
        const char *dll_name;

        if (!(dll_name = ImageRvaToVa(loaded_image.FileHeader, loaded_image.MappedAddress,
                                      import_desc->Name, 0)))
        {
            UnMapAndLoad(&loaded_image);
            SetLastError(ERROR_INVALID_ACCESS); /* FIXME */
            return FALSE;
        }

        if (StatusRoutine)
            StatusRoutine(BindImportModule, ImageName, dll_name, 0, 0);

        if (!SearchPathA(DllPath, dll_name, 0, sizeof(dll_fullname), dll_fullname, 0))
        {
            UnMapAndLoad(&loaded_image);
            SetLastError(ERROR_FILE_NOT_FOUND);
            return FALSE;
        }

        if (!(thunk = ImageRvaToVa(loaded_image.FileHeader, loaded_image.MappedAddress,
                                   import_desc->OriginalFirstThunk ? import_desc->OriginalFirstThunk :
                                   import_desc->FirstThunk, 0)))
        {
            ERR("Can't grab thunk data of %s, going to next imported DLL\n", dll_name);
            continue;
        }

        for (; thunk->u1.Ordinal; ++thunk)
        {
            /* Ignoring ordinal imports for now */
            if(!IMAGE_SNAP_BY_ORDINAL(thunk->u1.Ordinal))
            {
                IMAGE_IMPORT_BY_NAME *iibn;

                if (!(iibn = ImageRvaToVa(loaded_image.FileHeader, loaded_image.MappedAddress,
                                          thunk->u1.AddressOfData, 0)))
                {
                    ERR("Can't grab import by name info, skipping to next ordinal\n");
                    continue;
                }

                if (StatusRoutine)
                    StatusRoutine(BindImportProcedure, ImageName, dll_fullname, 0, (ULONG_PTR)iibn->Name);
            }
        }
    }

    UnMapAndLoad(&loaded_image);
    return TRUE;
}
Exemplo n.º 16
0
void * CPEFile::VaToPtr(DWORD dwVA)
{
    PIMAGE_NT_HEADERS32 pNth = GetNtHeader();
    DWORD dwRVA = dwVA-GetNtOptionalHeader()->ImageBase;
    return ImageRvaToVa(pNth,m_pFile->ImageBase,dwRVA,NULL);
}
Exemplo n.º 17
0
//查找导出表目录
bool pe_findExportDir(LPTSTR lpFilePath){
	//打开文件
	HANDLE hFile = CreateFile(lpFilePath,
		GENERIC_WRITE | GENERIC_READ,
		0,
		NULL,
		OPEN_EXISTING,
		FILE_ATTRIBUTE_NORMAL,
		NULL);

	//打开文件失败
	if(hFile == INVALID_HANDLE_VALUE)
	{
		//
		return false;
	}

	//获得文件大小
	DWORD dwFileSize = GetFileSize(hFile , 0 );

	//映射文件
	HANDLE hMap = CreateFileMapping(hFile ,
		0 ,
		PAGE_READWRITE ,
		0 ,
		dwFileSize ,
		0);

	//文件映射内存失败
	if(hMap == INVALID_HANDLE_VALUE)
	{
		CloseHandle(hFile);

		//
		return false;
	}

	//获得映射基址
	LPBYTE lpBase = (LPBYTE)MapViewOfFile(hMap , FILE_MAP_READ | FILE_MAP_WRITE , 0 , 0 , dwFileSize);

	//文件映射内存失败
	if(lpBase == NULL)
	{
		CloseHandle(hFile);
		CloseHandle(hMap);
		UnmapViewOfFile(lpBase);

		//
		return false;
	}

	//获得dos头部
	PIMAGE_DOS_HEADER pImage_dos_header=(PIMAGE_DOS_HEADER)lpBase;
	//获得nt头部
	PIMAGE_NT_HEADERS pImage_nt_header = (PIMAGE_NT_HEADERS)((ULONG)lpBase + pImage_dos_header->e_lfanew);
	//获得导出表
	PIMAGE_EXPORT_DIRECTORY pImage_export_directory = (PIMAGE_EXPORT_DIRECTORY)ImageRvaToVa(pImage_nt_header,lpBase,pImage_nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress,NULL);

	//
	if(!pImage_export_directory)
	{
		CloseHandle(hFile);
		CloseHandle(hMap);
		UnmapViewOfFile(lpBase);

		return false;
	}

	CloseHandle(hFile);
	CloseHandle(hMap);
	UnmapViewOfFile(lpBase);

	return true;
}
Exemplo n.º 18
0
static void
process_exports(void *dcontext, char *dllname, LOADED_IMAGE *img)
{
    IMAGE_EXPORT_DIRECTORY *dir;
    IMAGE_SECTION_HEADER *sec;
    DWORD *name, *code;
    WORD *ordinal;
    const char *string;
    ULONG size;
    uint i;
    byte *addr, *start_exports, *end_exports;

    verbose_print("Processing exports of \"%s\"\n", dllname);
    dir = (IMAGE_EXPORT_DIRECTORY *)
        ImageDirectoryEntryToData(img->MappedAddress, FALSE,
                                  IMAGE_DIRECTORY_ENTRY_EXPORT, &size);
    verbose_print("mapped at "PFX" (preferred "PFX"), exports 0x%08x, size 0x%x\n",
                  img->MappedAddress, get_preferred_base(img), dir, size);
    start_exports = (byte *) dir;
    end_exports = start_exports + size;
    verbose_print("name=%s, ord base=0x%08x, names=%d 0x%08x\n",
                  (char *) ImageRvaToVa(img->FileHeader, img->MappedAddress,
                                        dir->Name, NULL),
                  dir->Base, dir->NumberOfNames, dir->AddressOfNames);

    /* don't limit functions to lie in .text --
     * for ntdll, some exported routines have their code after .text, inside
     * ECODE section!
     */
    sec = img->Sections;
    for (i = 0; i < img->NumberOfSections; i++) {
        verbose_print("Section %d %s: 0x%x + 0x%x == 0x%08x through 0x%08x\n",
                      i, sec->Name, sec->VirtualAddress, sec->SizeOfRawData,
                      ImageRvaToVa(img->FileHeader, img->MappedAddress,
                                   sec->VirtualAddress, NULL),
                      (ptr_uint_t) ImageRvaToVa(img->FileHeader, img->MappedAddress,
                                                sec->VirtualAddress, NULL) +
                      sec->SizeOfRawData);
        sec++;
    }

    name = (DWORD *) ImageRvaToVa(img->FileHeader, img->MappedAddress,
                                  dir->AddressOfNames, NULL);
    code = (DWORD *) ImageRvaToVa(img->FileHeader, img->MappedAddress,
                                  dir->AddressOfFunctions, NULL);
    ordinal = (WORD *) ImageRvaToVa(img->FileHeader, img->MappedAddress,
                                    dir->AddressOfNameOrdinals, NULL);
    verbose_print("names: from 0x%08x to 0x%08x\n",
                  ImageRvaToVa(img->FileHeader, img->MappedAddress, name[0], NULL),
                  ImageRvaToVa(img->FileHeader, img->MappedAddress,
                               name[dir->NumberOfNames-1], NULL));

    for (i = 0; i < dir->NumberOfNames; i++) {
        string = (char *) ImageRvaToVa(img->FileHeader, img->MappedAddress, name[i], NULL);
        /* ordinal is biased (dir->Base), but don't add base when using as index */
        assert(dir->NumberOfFunctions > ordinal[i]);
        /* I don't understand why have to do RVA to VA here, when dumpbin /exports
         * seems to give the same offsets but by simply adding them to base we
         * get the appropriate code location -- but that doesn't work here...
         */
        addr = ImageRvaToVa(img->FileHeader, img->MappedAddress,
                            code[ordinal[i]], NULL);
        verbose_print("name=%s 0x%08x, ord=%d, code=0x%x -> 0x%08x\n",
                      string, string, ordinal[i], code[ordinal[i]], addr);
        if (list_exports) {
            print("ord %3d offs 0x%08x %s\n", ordinal[i],
                  addr - img->MappedAddress, string);
        }
        if (list_Ki && string[0] == 'K' && string[1] == 'i') {
            print("\n==================================================\n");
            print("%s\n\n", string);
            check_Ki(string);
            print("\ndisassembly:\n");
            decode_function(dcontext, addr);
            print(  "==================================================\n");
        }
        /* forwarded export points inside exports section */
        if (addr >= start_exports && addr < end_exports) {
            if (list_forwards || verbose) {
                /* I've had issues w/ forwards before, so avoid printing crap */
                if (addr[0] > 0 && addr[0] < 127)
                    print("%s is forwarded to %.128s\n", string, addr);
                else
                    print("ERROR identifying forwarded entry for %s\n", string);
            }
        } else if (list_syscalls) {
            process_syscall_wrapper(dcontext, addr, string, "export", img);
        }
    }
}
Exemplo n.º 19
0
static void
process_symbols(void *dcontext, char *dllname, LOADED_IMAGE *img)
{
    /* We have to specify the module via "modname!symname".
     * We must use the same modname as in full_path.
     */
    char fullpath[MAX_PATH];
# define MAX_SYM_WITH_MOD_LEN 256
    char sym_with_mod[MAX_SYM_WITH_MOD_LEN];
    int len;
    drsym_error_t symres;
    char *fname = NULL, *c;
    search_data_t sd;

    if (drsym_init(NULL) != DRSYM_SUCCESS) {
        print("WARNING: unable to initialize symbol engine\n");
        return;
    }

    if (dllname == NULL)
        return;
    fname = dllname;
    for (c = dllname; *c != '\0'; c++) {
        if (*c == '/' || *c == '\\')
            fname = c + 1;
    }
    assert(fname != NULL && "unable to get fname for module");
    if (fname == NULL)
        return;
    /* now get rid of extension */
    for (; c > fname && *c != '.'; c--)
        ; /* nothing */

    assert(c > fname && "file has no extension");
    assert(c - fname < BUFFER_SIZE_ELEMENTS(sym_with_mod) && "sizes way off");
    len = dr_snprintf(sym_with_mod, BUFFER_SIZE_ELEMENTS(sym_with_mod), "%.*s!%s",
                      c - fname, fname, SYM_PATTERN);
    assert(len > 0 && "error printing modname!symname");
    NULL_TERMINATE_BUFFER(sym_with_mod);

    len = GetFullPathName(dllname, BUFFER_SIZE_ELEMENTS(fullpath), fullpath, NULL);
    assert(len > 0);
    NULL_TERMINATE_BUFFER(dllname);

    if (list_usercalls) {
        int i;
        for (i = 0; i < NUM_USERCALL; i++) {
            size_t offs;
            symres = drsym_lookup_symbol(fullpath, usercall_names[i], &offs, 0);
            if (symres == DRSYM_SUCCESS) {
                usercall_addr[i] = ImageRvaToVa(img->FileHeader, img->MappedAddress,
                                                (ULONG)offs, NULL);
                verbose_print("%s = %d +0x%x == "PFX"\n", usercall_names[i], symres,
                              offs, usercall_addr[i]);
            } else {
                dr_printf("Error locating usercall %s: aborting\n", usercall_names[i]);
                return;
            }
        }
    }

    sd.dcontext = dcontext;
    sd.img = img;
    sd.modpath = fullpath;
    verbose_print("Searching \"%s\" for \"%s\"\n", fullpath, sym_with_mod);
    symres = drsym_search_symbols(fullpath, sym_with_mod, true, search_syms_cb, &sd);
    if (symres != DRSYM_SUCCESS)
        print("Error %d searching \"%s\" for \"%s\"\n", symres, fullpath, sym_with_mod);
    drsym_exit();
}
Exemplo n.º 20
0
//查找目标程序有无目标模块
void pe_findDllModule(LPTSTR lpFilePath,LPSTR lpDllName,ppe_retn_msg p_msg)
{
	//打开文件
	HANDLE hFile = CreateFile(lpFilePath,
		GENERIC_WRITE | GENERIC_READ,
		0,
		NULL,
		OPEN_EXISTING,
		FILE_ATTRIBUTE_NORMAL,
		NULL);

	//打开文件失败
	if(hFile == INVALID_HANDLE_VALUE)
	{
		p_msg->isSuccessed = false;
		swprintf(p_msg->tsMsg,L"can't create file! error code : %d",GetLastError());
		//
		return;
	}

	//获得文件大小
	DWORD dwFileSize = GetFileSize(hFile , 0 );

	//映射文件
	HANDLE hMap = CreateFileMapping(hFile ,
		0 ,
		PAGE_READWRITE ,
		0 ,
		dwFileSize ,
		0);

	//文件映射内存失败
	if(hMap == INVALID_HANDLE_VALUE)
	{
		CloseHandle(hFile);

		p_msg->isSuccessed = false;
		swprintf(p_msg->tsMsg,L"can't create file mapping! error code : %d",GetLastError());
		//
		return ;
	}

	//获得映射基址
	LPBYTE lpBase = (LPBYTE)MapViewOfFile(hMap , FILE_MAP_READ | FILE_MAP_WRITE , 0 , 0 , dwFileSize);

	//文件映射内存失败
	if(lpBase == NULL)
	{
		CloseHandle(hFile);
		CloseHandle(hMap);
		UnmapViewOfFile(lpBase);

		p_msg->isSuccessed = false;
		swprintf(p_msg->tsMsg,L"can't map view of file! error code : %d",GetLastError());
		//
		return ;
	}

	//获得dos头部
	PIMAGE_DOS_HEADER pImage_dos_header=(PIMAGE_DOS_HEADER)lpBase;
	//获得nt头部
	PIMAGE_NT_HEADERS pImage_nt_header = (PIMAGE_NT_HEADERS)((ULONG)lpBase + pImage_dos_header->e_lfanew);
	//获得导入表
	PIMAGE_IMPORT_DESCRIPTOR pImage_import_descriptor = (PIMAGE_IMPORT_DESCRIPTOR)ImageRvaToVa(pImage_nt_header,lpBase,pImage_nt_header->OptionalHeader.DataDirectory[1].VirtualAddress,NULL);
	
	//遍历导入表
	while(pImage_import_descriptor->Name != NULL)
	{
		if (pImage_import_descriptor->OriginalFirstThunk == 0 && pImage_import_descriptor->FirstThunk == 0) 
		{
			break;
		}

		//如果找到目标模块的话
		if(!strcmpi((LPSTR)ImageRvaToVa(pImage_nt_header,lpBase,pImage_import_descriptor->Name,NULL),lpDllName))
		{
			CloseHandle(hFile);
			CloseHandle(hMap);
			UnmapViewOfFile(lpBase);

			p_msg->isSuccessed = true;
			return;
		}

		//
		pImage_import_descriptor ++;
	}

	CloseHandle(hFile);
	CloseHandle(hMap);
	UnmapViewOfFile(lpBase);

	//看来是没有找到
	p_msg->isSuccessed = false;
	swprintf(p_msg->tsMsg,L"no error!");
}
Exemplo n.º 21
0
void * CPEFile::RvaToPtr(DWORD dwRVA)
{
    PIMAGE_NT_HEADERS32 pNth = GetNtHeader();
    return ImageRvaToVa(pNth,m_pFile->ImageBase,dwRVA,NULL);
}
Exemplo n.º 22
0
VOID ShowPE64Info(char *filename)
{
	PIMAGE_NT_HEADERS64 pinths64;
	PIMAGE_DOS_HEADER pdih;
	char *filedata;
	filedata=LoadFile(filename);
	pdih=(PIMAGE_DOS_HEADER)filedata;
	pinths64=(PIMAGE_NT_HEADERS64)(filedata+pdih->e_lfanew);
	if(pinths64->Signature!=0x00004550)
	{
		printf("无效的PE文件!\n");
		return ;
	}
	if(pinths64->OptionalHeader.Magic!=0x20b)
	{
		printf("不是PE32+格式的文件!\n");
		return ;
	}
	printf("\n");
	printf("入口点:          %llx\n",pinths64->OptionalHeader.AddressOfEntryPoint);
	printf("镜像基址:        %llx\n",pinths64->OptionalHeader.ImageBase);
	printf("镜像大小:        %llx\n",pinths64->OptionalHeader.SizeOfImage);
	printf("代码基址:        %llx\n",pinths64->OptionalHeader.BaseOfCode);
	printf("块对齐:          %llx\n",pinths64->OptionalHeader.SectionAlignment);
	printf("文件块对齐:      %llx\n",pinths64->OptionalHeader.FileAlignment);
	printf("子系统:          %llx\n",pinths64->OptionalHeader.Subsystem);
	printf("区段数目:        %llx\n",pinths64->FileHeader.NumberOfSections);
	printf("时间日期标志:    %llx\n",pinths64->FileHeader.TimeDateStamp);
	printf("首部大小:        %llx\n",pinths64->OptionalHeader.SizeOfHeaders);
	printf("特征值:          %llx\n",pinths64->FileHeader.Characteristics);
	printf("校验和:          %llx\n",pinths64->OptionalHeader.CheckSum);
	printf("可选头部大小:    %llx\n",pinths64->FileHeader.SizeOfOptionalHeader);
	printf("RVA 数及大小:    %llx\n",pinths64->OptionalHeader.NumberOfRvaAndSizes);
	getchar();
	printf("\n");
	printf("输出表:\n");
	printf("Ordinal\tRVA\t\tName\n");
	PIMAGE_EXPORT_DIRECTORY pied;
	if(pinths64,pdih,pinths64->OptionalHeader.DataDirectory[0].VirtualAddress==0) goto imp;
	pied=(PIMAGE_EXPORT_DIRECTORY)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,pinths64->OptionalHeader.DataDirectory[0].VirtualAddress,NULL);
	DWORD i = 0;
	DWORD NumberOfNames = pied->NumberOfNames;
	ULONGLONG **ppdwNames = (ULONGLONG **)pied->AddressOfNames;
	ppdwNames = (PULONGLONG*)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,(ULONG)ppdwNames,NULL);
	ULONGLONG **ppdwAddr  = (ULONGLONG **)pied->AddressOfFunctions;
    ppdwAddr = (PULONGLONG*)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,(DWORD)ppdwAddr,NULL);
	ULONGLONG *ppdwOrdin=(ULONGLONG*)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,(DWORD)pied->AddressOfNameOrdinals,NULL);
	char* szFun=(PSTR)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,(ULONG)*ppdwNames,NULL);
	for(i=0; i<NumberOfNames; i++)
	{
		printf("%0.4x\t%0.8x\t%s\n",i+1,*ppdwAddr,szFun);
		szFun=szFun + strlen(szFun)+1;
		ppdwAddr++;
		if(i%200==0 && i/200>=1)
		{
			printf("{Press [ENTER] to continue...}");
			getchar();
		}
	}
imp:
	printf("\n\n输入表:\n");
	printf("\tHint\tThunkRVA\tName\n");
	PIMAGE_IMPORT_DESCRIPTOR piid;
	PIMAGE_THUNK_DATA _pThunk=NULL;
	DWORD dwThunk=NULL;
	USHORT Hint;
	if(pinths64->OptionalHeader.DataDirectory[1].VirtualAddress==0) return;
	piid=(PIMAGE_IMPORT_DESCRIPTOR)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,pinths64->OptionalHeader.DataDirectory[1].VirtualAddress,NULL);
	for(;piid->Name!=NULL;)
	{
		char *szName=(PSTR)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64, pdih, (ULONG)piid->Name, 0);
		printf("%s\n",szName);
		if(piid->OriginalFirstThunk!=0)
		{
			dwThunk=piid->OriginalFirstThunk;
			_pThunk=(PIMAGE_THUNK_DATA)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,(ULONG)piid->OriginalFirstThunk,NULL);
		}
		else
		{
			dwThunk=piid->FirstThunk;
			_pThunk=(PIMAGE_THUNK_DATA)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,(ULONG)piid->FirstThunk,NULL);
		}
		for(;_pThunk->u1.AddressOfData!=NULL;)
		{
			char *szFun=(PSTR)ImageRvaToVa((PIMAGE_NT_HEADERS)pinths64,pdih,(ULONG)(((PIMAGE_IMPORT_BY_NAME)_pThunk->u1.AddressOfData)->Name), 0);
			if(szFun!=NULL)
				memcpy(&Hint,szFun-2,2);
			else
				Hint=-1;
			printf("\t%0.4x\t%0.8x\t%s\n",Hint,dwThunk,szFun);
			dwThunk+=8;
			_pThunk++;
		}
		piid++;
		printf("{Press [ENTER] to continue...}");
		getchar();
	}
}