//Get relocation list of pe file, supports one-word sized relocations only
//If list_absolute_entries = true, IMAGE_REL_BASED_ABSOLUTE will be listed
const relocation_table_list get_relocations(const pe_base& pe, bool list_absolute_entries)
{
    relocation_table_list ret;

    //If image does not have relocations
    if(!pe.has_reloc())
        return ret;

    //Check the length in bytes of the section containing relocation directory
    if(pe.section_data_length_from_rva(pe.get_directory_rva(image_directory_entry_basereloc),
                                       pe.get_directory_rva(image_directory_entry_basereloc), section_data_virtual, true)
            < sizeof(image_base_relocation))
        throw pe_exception("Incorrect relocation directory", pe_exception::incorrect_relocation_directory);

    unsigned long current_pos = pe.get_directory_rva(image_directory_entry_basereloc);
    //First IMAGE_BASE_RELOCATION table
    image_base_relocation reloc_table = pe.section_data_from_rva<image_base_relocation>(current_pos, section_data_virtual, true);

    if(reloc_table.SizeOfBlock % 2)
        throw pe_exception("Incorrect relocation directory", pe_exception::incorrect_relocation_directory);

    unsigned long reloc_size = pe.get_directory_size(image_directory_entry_basereloc);
    unsigned long read_size = 0;

    //reloc_table.VirtualAddress is not checked (not so important)
    while(reloc_table.SizeOfBlock && read_size < reloc_size)
    {
        //Create relocation table
        relocation_table table;
        //Save RVA
        table.set_rva(reloc_table.VirtualAddress);

        if(!pe_utils::is_sum_safe(current_pos, reloc_table.SizeOfBlock))
            throw pe_exception("Incorrect relocation directory", pe_exception::incorrect_relocation_directory);

        //List all relocations
        for(unsigned long i = sizeof(image_base_relocation); i < reloc_table.SizeOfBlock; i += sizeof(uint16_t))
        {
            relocation_entry entry(pe.section_data_from_rva<uint16_t>(current_pos + i, section_data_virtual, true));
            if(list_absolute_entries || entry.get_type() != image_rel_based_absolute)
                table.add_relocation(entry);
        }

        //Save table
        ret.push_back(table);

        //Go to next relocation block
        if(!pe_utils::is_sum_safe(current_pos, reloc_table.SizeOfBlock))
            throw pe_exception("Incorrect relocation directory", pe_exception::incorrect_relocation_directory);

        current_pos += reloc_table.SizeOfBlock;
        read_size += reloc_table.SizeOfBlock;
        if (read_size >= reloc_size)
            break;

        reloc_table = pe.section_data_from_rva<image_base_relocation>(current_pos, section_data_virtual, true);
    }

    return ret;
}
Exemplo n.º 2
0
//Returns basic .NET information
//If image is not native, throws an exception
const basic_dotnet_info get_basic_dotnet_info(const pe_base& pe)
{
	//If there's no debug directory, return empty list
	if(!pe.is_dotnet())
		throw pe_exception("Image does not have managed code", pe_exception::image_does_not_have_managed_code);

	//Return basic .NET information
	return basic_dotnet_info(pe.section_data_from_rva<image_cor20_header>(pe.get_directory_rva(image_directory_entry_com_descriptor), section_data_virtual, true));
}
Exemplo n.º 3
0
//Returns exception directory data (exists on PE+ only)
//Unwind opcodes are not listed, because their format and list are subject to change
const exception_entry_list get_exception_directory_data(const pe_base& pe)
{
	exception_entry_list ret;

	//If image doesn't have exception directory, return empty list
	if(!pe.has_exception_directory())
		return ret;

	//Check the length in bytes of the section containing exception directory
	if(pe.section_data_length_from_rva(pe.get_directory_rva(image_directory_entry_exception), pe.get_directory_rva(image_directory_entry_exception), section_data_virtual, true)
		< sizeof(image_runtime_function_entry))
		throw pe_exception("Incorrect exception directory", pe_exception::incorrect_exception_directory);

	unsigned long current_pos = pe.get_directory_rva(image_directory_entry_exception);

	//Check if structures are DWORD-aligned
	if(current_pos % sizeof(uint32_t))
		throw pe_exception("Incorrect exception directory", pe_exception::incorrect_exception_directory);

	//First IMAGE_RUNTIME_FUNCTION_ENTRY table
	image_runtime_function_entry exception_table = pe.section_data_from_rva<image_runtime_function_entry>(current_pos, section_data_virtual, true);

	//todo: virtual addresses BeginAddress and EndAddress are not checked to be inside image
	while(exception_table.BeginAddress)
	{
		//Check addresses
		if(exception_table.BeginAddress > exception_table.EndAddress)
			throw pe_exception("Incorrect exception directory", pe_exception::incorrect_exception_directory);

		//Get unwind information
		unwind_info info = pe.section_data_from_rva<unwind_info>(exception_table.UnwindInfoAddress, section_data_virtual, true);

		//Create exception entry and save it
		ret.push_back(exception_entry(exception_table, info));

		//Go to next exception entry
		current_pos += sizeof(image_runtime_function_entry);
		exception_table = pe.section_data_from_rva<image_runtime_function_entry>(current_pos, section_data_virtual, true);
	}

	return ret;
}
//Returns resources from PE file
const resource_directory get_resources(const pe_base& pe)
{
    resource_directory ret;

    if(!pe.has_resources())
        return ret;

    //Get resource directory RVA
    uint32_t res_rva = pe.get_directory_rva(image_directory_entry_resource);
    
    //Store already processed directories to avoid resource loops
    std::set<uint32_t> processed;
    
    //Process all directories (recursion)
    ret = process_resource_directory(pe, res_rva, 0, processed);

    return ret;
}
Exemplo n.º 5
0
const bound_import_module_list get_bound_import_module_list(const pe_base& pe)
{
    //Returned bound import modules list
    bound_import_module_list ret;

    //If image has no bound imports
    if(!pe.has_bound_import())
        return ret;

    uint32_t bound_import_data_len =
        pe.section_data_length_from_rva(pe.get_directory_rva(image_directory_entry_bound_import), pe.get_directory_rva(image_directory_entry_bound_import), section_data_raw, true);

    if(bound_import_data_len < pe.get_directory_size(image_directory_entry_bound_import))
        throw pe_exception("Incorrect bound import directory", pe_exception::incorrect_bound_import_directory);

    const char* bound_import_data = pe.section_data_from_rva(pe.get_directory_rva(image_directory_entry_bound_import), section_data_raw, true);

    //Check read in "read_pe" function raw bound import data size
    if(bound_import_data_len < sizeof(image_bound_import_descriptor))
        throw pe_exception("Incorrect bound import directory", pe_exception::incorrect_bound_import_directory);

    //current bound_import_data_ in-string position
    unsigned long current_pos = 0;
    //first bound import descriptor
    //so, we're working with raw data here, no section helpers available
    const image_bound_import_descriptor* descriptor = reinterpret_cast<const image_bound_import_descriptor*>(&bound_import_data[current_pos]);

    //Enumerate until zero
    while(descriptor->OffsetModuleName)
    {
        //Check module name offset
        if(descriptor->OffsetModuleName >= bound_import_data_len)
            throw pe_exception("Incorrect bound import directory", pe_exception::incorrect_bound_import_directory);

        //Check module name for null-termination
        if(!pe_utils::is_null_terminated(&bound_import_data[descriptor->OffsetModuleName], bound_import_data_len - descriptor->OffsetModuleName))
            throw pe_exception("Incorrect bound import directory", pe_exception::incorrect_bound_import_directory);

        //Create bound import descriptor structure
        bound_import elem(&bound_import_data[descriptor->OffsetModuleName], descriptor->TimeDateStamp);

        //Check DWORDs
        if(descriptor->NumberOfModuleForwarderRefs >= pe_utils::max_dword / sizeof(image_bound_forwarder_ref)
                || !pe_utils::is_sum_safe(current_pos, 2 /* this descriptor and the next one */ * sizeof(image_bound_import_descriptor) + descriptor->NumberOfModuleForwarderRefs * sizeof(image_bound_forwarder_ref)))
            throw pe_exception("Incorrect bound import directory", pe_exception::incorrect_bound_import_directory);

        //Move after current descriptor
        current_pos += sizeof(image_bound_import_descriptor);

        //Enumerate referenced bound import descriptors
        for(unsigned long i = 0; i != descriptor->NumberOfModuleForwarderRefs; ++i)
        {
            //They're just after parent descriptor
            //Check size of structure
            if(current_pos + sizeof(image_bound_forwarder_ref) > bound_import_data_len)
                throw pe_exception("Incorrect bound import directory", pe_exception::incorrect_bound_import_directory);

            //Get IMAGE_BOUND_FORWARDER_REF pointer
            const image_bound_forwarder_ref* ref_descriptor = reinterpret_cast<const image_bound_forwarder_ref*>(&bound_import_data[current_pos]);

            //Check referenced module name
            if(ref_descriptor->OffsetModuleName >= bound_import_data_len)
                throw pe_exception("Incorrect bound import directory", pe_exception::incorrect_bound_import_directory);

            //And its null-termination
            if(!pe_utils::is_null_terminated(&bound_import_data[ref_descriptor->OffsetModuleName], bound_import_data_len - ref_descriptor->OffsetModuleName))
                throw pe_exception("Incorrect bound import directory", pe_exception::incorrect_bound_import_directory);

            //Add referenced module to current bound import structure
            elem.add_module_ref(bound_import_ref(&bound_import_data[ref_descriptor->OffsetModuleName], ref_descriptor->TimeDateStamp));

            //Move after referenced bound import descriptor
            current_pos += sizeof(image_bound_forwarder_ref);
        }

        //Check structure size
        if(current_pos + sizeof(image_bound_import_descriptor) > bound_import_data_len)
            throw pe_exception("Incorrect bound import directory", pe_exception::incorrect_bound_import_directory);

        //Move to next bound import descriptor
        descriptor = reinterpret_cast<const image_bound_import_descriptor*>(&bound_import_data[current_pos]);

        //Save created descriptor structure and references
        ret.push_back(elem);
    }

    //Return result
    return ret;
}
Exemplo n.º 6
0
const image_config_info get_image_config_base(const pe_base& pe)
{
	//Check if image has config directory
	if(!pe.has_config())
		throw pe_exception("Image does not have load config directory", pe_exception::directory_does_not_exist);

	//Get load config structure
	typename PEClassType::ConfigStruct config_info = pe.section_data_from_rva<typename PEClassType::ConfigStruct>(pe.get_directory_rva(image_directory_entry_load_config), section_data_virtual);

	//Check size of config directory
	if(config_info.Size != sizeof(config_info))
		throw pe_exception("Incorrect (or old) load config directory", pe_exception::incorrect_config_directory);

	//Fill return structure
	image_config_info ret(config_info);

	//Check possible overflow
	if(config_info.SEHandlerCount >= pe_utils::max_dword / sizeof(uint32_t)
		|| config_info.SEHandlerTable >= static_cast<typename PEClassType::BaseSize>(-1) - config_info.SEHandlerCount * sizeof(uint32_t))
		throw pe_exception("Incorrect load config directory", pe_exception::incorrect_config_directory);

	//Read sorted SE handler RVA list (if any)
	for(typename PEClassType::BaseSize i = 0; i != config_info.SEHandlerCount; ++i)
		ret.add_se_handler_rva(pe.section_data_from_va<uint32_t>(static_cast<typename PEClassType::BaseSize>(config_info.SEHandlerTable + i * sizeof(uint32_t))));

	if(config_info.LockPrefixTable)
	{
		//Read Lock Prefix VA list (if any)
		unsigned long current = 0;
		while(true)
		{
			typename PEClassType::BaseSize lock_prefix_va = pe.section_data_from_va<typename PEClassType::BaseSize>(static_cast<typename PEClassType::BaseSize>(config_info.LockPrefixTable + current * sizeof(typename PEClassType::BaseSize)));
			if(!lock_prefix_va)
				break;

			ret.add_lock_prefix_rva(pe.va_to_rva(lock_prefix_va));

			++current;
		}
	}

	return ret;
}
Exemplo n.º 7
0
//Returns array of exported functions and information about export (if info != 0)
const exported_functions_list get_exported_functions(const pe_base& pe, export_info* info)
{
	//Returned exported functions info array
	std::vector<exported_function> ret;

	if(pe.has_exports())
	{
		//Check the length in bytes of the section containing export directory
		if(pe.section_data_length_from_rva(pe.get_directory_rva(image_directory_entry_export),
			pe.get_directory_rva(image_directory_entry_export), section_data_virtual, true)
			< sizeof(image_export_directory))
			throw pe_exception("Incorrect export directory", pe_exception::incorrect_export_directory);

		image_export_directory exports = pe.section_data_from_rva<image_export_directory>(pe.get_directory_rva(image_directory_entry_export), section_data_virtual, true);

		unsigned long max_name_length;

		if(info)
		{
			//Save some export info data
			info->set_characteristics(exports.Characteristics);
			info->set_major_version(exports.MajorVersion);
			info->set_minor_version(exports.MinorVersion);

			//Get byte count that we have for dll name
			if((max_name_length = pe.section_data_length_from_rva(exports.Name, exports.Name, section_data_virtual, true)) < 2)
				throw pe_exception("Incorrect export directory", pe_exception::incorrect_export_directory);

			//Get dll name pointer
			const char* dll_name = pe.section_data_from_rva(exports.Name, section_data_virtual, true);

			//Check for null-termination
			if(!pe_utils::is_null_terminated(dll_name, max_name_length))
				throw pe_exception("Incorrect export directory", pe_exception::incorrect_export_directory);

			//Save the rest of export information data
			info->set_name(dll_name);
			info->set_number_of_functions(exports.NumberOfFunctions);
			info->set_number_of_names(exports.NumberOfNames);
			info->set_ordinal_base(exports.Base);
			info->set_rva_of_functions(exports.AddressOfFunctions);
			info->set_rva_of_names(exports.AddressOfNames);
			info->set_rva_of_name_ordinals(exports.AddressOfNameOrdinals);
			info->set_timestamp(exports.TimeDateStamp);
		}

		if(!exports.NumberOfFunctions)
			return ret;

		//Check IMAGE_EXPORT_DIRECTORY fields
		if(exports.NumberOfNames > exports.NumberOfFunctions)
			throw pe_exception("Incorrect export directory", pe_exception::incorrect_export_directory);

		//Check some export directory fields
		if((!exports.AddressOfNameOrdinals && exports.AddressOfNames) ||
			(exports.AddressOfNameOrdinals && !exports.AddressOfNames) ||
			!exports.AddressOfFunctions
			|| exports.NumberOfFunctions >= pe_utils::max_dword / sizeof(uint32_t)
			|| exports.NumberOfNames > pe_utils::max_dword / sizeof(uint32_t)
			|| !pe_utils::is_sum_safe(exports.AddressOfFunctions, exports.NumberOfFunctions * sizeof(uint32_t))
			|| !pe_utils::is_sum_safe(exports.AddressOfNames, exports.NumberOfNames * sizeof(uint32_t))
			|| !pe_utils::is_sum_safe(exports.AddressOfNameOrdinals, exports.NumberOfFunctions * sizeof(uint32_t))
			|| !pe_utils::is_sum_safe(pe.get_directory_rva(image_directory_entry_export), pe.get_directory_size(image_directory_entry_export)))
			throw pe_exception("Incorrect export directory", pe_exception::incorrect_export_directory);

		//Check if it is enough bytes to hold AddressOfFunctions table
		if(pe.section_data_length_from_rva(exports.AddressOfFunctions, exports.AddressOfFunctions, section_data_virtual, true)
			< exports.NumberOfFunctions * sizeof(uint32_t))
			throw pe_exception("Incorrect export directory", pe_exception::incorrect_export_directory);

		if(exports.AddressOfNames)
		{
			//Check if it is enough bytes to hold name and ordinal tables
			if(pe.section_data_length_from_rva(exports.AddressOfNameOrdinals, exports.AddressOfNameOrdinals, section_data_virtual, true)
				< exports.NumberOfNames * sizeof(uint16_t))
				throw pe_exception("Incorrect export directory", pe_exception::incorrect_export_directory);

			if(pe.section_data_length_from_rva(exports.AddressOfNames, exports.AddressOfNames, section_data_virtual, true)
				< exports.NumberOfNames * sizeof(uint32_t))
				throw pe_exception("Incorrect export directory", pe_exception::incorrect_export_directory);
		}
		
		for(uint32_t ordinal = 0; ordinal < exports.NumberOfFunctions; ordinal++)
		{
			//Get function address
			//Sum and multiplication are safe (checked above)
			uint32_t rva = pe.section_data_from_rva<uint32_t>(exports.AddressOfFunctions + ordinal * sizeof(uint32_t), section_data_virtual, true);

			//If we have a skip
			if(!rva)
				continue;

			exported_function func;
			func.set_rva(rva);

			if(!pe_utils::is_sum_safe(exports.Base, ordinal) || exports.Base + ordinal > pe_utils::max_word)
				throw pe_exception("Incorrect export directory", pe_exception::incorrect_export_directory);

			func.set_ordinal(static_cast<uint16_t>(ordinal + exports.Base));

			//Scan for function name ordinal
			for(uint32_t i = 0; i < exports.NumberOfNames; i++)
			{
				uint16_t ordinal2 = pe.section_data_from_rva<uint16_t>(exports.AddressOfNameOrdinals + i * sizeof(uint16_t), section_data_virtual, true);

				//If function has name (and name ordinal)
				if(ordinal == ordinal2)
				{
					//Get function name
					//Sum and multiplication are safe (checked above)
					uint32_t function_name_rva = pe.section_data_from_rva<uint32_t>(exports.AddressOfNames + i * sizeof(uint32_t), section_data_virtual, true);

					//Get byte count that we have for function name
					if((max_name_length = pe.section_data_length_from_rva(function_name_rva, function_name_rva, section_data_virtual, true)) < 2)
						throw pe_exception("Incorrect export directory", pe_exception::incorrect_export_directory);

					//Get function name pointer
					const char* func_name = pe.section_data_from_rva(function_name_rva, section_data_virtual, true);

					//Check for null-termination
					if(!pe_utils::is_null_terminated(func_name, max_name_length))
						throw pe_exception("Incorrect export directory", pe_exception::incorrect_export_directory);

					//Save function info
					func.set_name(func_name);
					func.set_name_ordinal(ordinal2);

					//If the function is just a redirect, save its name
					if(rva >= pe.get_directory_rva(image_directory_entry_export) + sizeof(image_directory_entry_export) &&
						rva < pe.get_directory_rva(image_directory_entry_export) + pe.get_directory_size(image_directory_entry_export))
					{
						if((max_name_length = pe.section_data_length_from_rva(rva, rva, section_data_virtual, true)) < 2)
							throw pe_exception("Incorrect export directory", pe_exception::incorrect_export_directory);

						//Get forwarded function name pointer
						const char* forwarded_func_name = pe.section_data_from_rva(rva, section_data_virtual, true);

						//Check for null-termination
						if(!pe_utils::is_null_terminated(forwarded_func_name, max_name_length))
							throw pe_exception("Incorrect export directory", pe_exception::incorrect_export_directory);

						//Set the name of forwarded function
						func.set_forwarded_name(forwarded_func_name);
					}

					break;
				}
			}

			//Add function info to output array
			ret.push_back(func);
		}
	}

	return ret;
}
//Rebuild PE image and write it to "out" ostream
//If strip_dos_header is true, DOS headers partially will be used for PE headers
//If change_size_of_headers == true, SizeOfHeaders will be recalculated automatically
//If save_bound_import == true, existing bound import directory will be saved correctly (because some compilers and bind.exe put it to PE headers)
void rebuild_pe(pe_base& pe, std::ostream& out, bool strip_dos_header, bool change_size_of_headers, bool save_bound_import)
{
    if(out.bad())
        throw pe_exception("Stream is bad", pe_exception::stream_is_bad);

    if(save_bound_import && pe.has_bound_import())
    {
        if(pe.section_data_length_from_rva(pe.get_directory_rva(image_directory_entry_bound_import), pe.get_directory_rva(image_directory_entry_bound_import), section_data_raw, true)
            < pe.get_directory_size(image_directory_entry_bound_import))
            throw pe_exception("Incorrect bound import directory", pe_exception::incorrect_bound_import_directory);
    }

    //Change ostream state
    out.exceptions(std::ios::goodbit);
    out.clear();
    
    uint32_t original_bound_import_rva = pe.has_bound_import() ? pe.get_directory_rva(image_directory_entry_bound_import) : 0;
    if(original_bound_import_rva && original_bound_import_rva > pe.get_size_of_headers())
    {
        //No need to do anything with bound import directory
        //if it is placed inside of any section, not headers
        original_bound_import_rva = 0;
        save_bound_import = false;
    }

    {
        image_dos_header dos_header;

        //Rebuild PE image headers
        rebuild_pe(pe, dos_header, strip_dos_header, change_size_of_headers, save_bound_import);

        //Write DOS header
        out.write(reinterpret_cast<const char*>(&dos_header), strip_dos_header ? 8 * sizeof(uint16_t) : sizeof(image_dos_header));
    }

    //If we have stub overlay, write it too
    {
        const std::string& stub = pe.get_stub_overlay();
        if(stub.size())
        {
            out.write(stub.data(), stub.size());
            size_t aligned_size = pe_utils::align_up(stub.size(), sizeof(uint32_t));
            //Align PE header, which is right after rich overlay
            while(aligned_size > stub.size())
            {
                out.put('\0');
                --aligned_size;
            }
        }
    }
    
    //Write NT headers
    out.write(static_cast<const pe_base&>(pe).get_nt_headers_ptr(), pe.get_sizeof_nt_header()
        - sizeof(image_data_directory) * (image_numberof_directory_entries - pe.get_number_of_rvas_and_sizes()));

    //Write section headers
    const section_list& sections = pe.get_image_sections();
    for(section_list::const_iterator it = sections.begin(); it != sections.end(); ++it)
    {
        out.write(reinterpret_cast<const char*>(&(*it).get_raw_header()), sizeof(image_section_header));
    }

    //Write bound import data if requested
    if(save_bound_import && pe.has_bound_import())
    {
        out.write(pe.section_data_from_rva(original_bound_import_rva, section_data_raw, true),
            pe.get_directory_size(image_directory_entry_bound_import));
    }

    //Write section data finally
    for(section_list::const_iterator it = sections.begin(); it != sections.end(); ++it)
    {
        const section& s = *it;

        std::streamoff wpos = out.tellp();

        //Fill unused overlay data between sections with null bytes
        for(unsigned int i = 0; i < s.get_pointer_to_raw_data() - wpos; i++)
            out.put(0);

        //Write raw section data
        out.write(s.get_raw_data().data(), s.get_size_of_raw_data());
    }
}