libPeConv
A library to load, manipulate, dump PE files.
Loading...
Searching...
No Matches
libPeConv

Build status Codacy Badge Commit activity Last Commit

License Platform Badge

A library to load and manipulate PE files.

Objectives

The goal of libPEConv was to create a "swiss army knife" for custom loading of PE files. It gathers various helper functions that you can quickly integrate in your own loader. For example: remapping sections, applying relocations, loading imports, parsing resources.

Not only it allows for loading PE files, but also for customizing of some steps, i.e. IAT hooking (by providing custom IAT resolvers), and functions redirection. Yet, it is NOT focused on inline hooking and should not be confused with libraries such as MS Detours or MinHook.

LibPeConv can be used for creating PE binders, as it allows to load a PE directly from the resource, and integrate it as if it was a local code.

As well it can help you in dumping PEs from the memory, and rebuilding their IATs.

Basic example

The simplest usecase: use libPeConv to manually load and run an EXE of you choice.

#include <Windows.h>
#include <iostream>
#include <peconv.h> // include libPeConv header
int main(int argc, char *argv[])
{
if (argc < 2) {
std::cout << "Args: <path to the exe>" << std::endl;
return 0;
}
LPCSTR pe_path = argv[1];
// manually load the PE file using libPeConv:
size_t v_size = 0;
#ifdef LOAD_FROM_PATH
//if the PE is dropped on the disk, you can load it from the file:
BYTE* my_pe = peconv::load_pe_executable(pe_path, v_size);
#else
size_t bufsize = 0;
BYTE *buffer = peconv::load_file(pe_path, bufsize);
// if the file is NOT dropped on the disk, you can load it directly from a memory buffer:
BYTE* my_pe = peconv::load_pe_executable(buffer, bufsize, v_size);
#endif
if (!my_pe) {
return -1;
}
// if the loaded PE needs to access resources, you may need to connect it to the PEB:
// load delayed imports (if present):
const ULONGLONG load_base = (ULONGLONG)my_pe;
peconv::load_delayed_imports(my_pe, load_base);
// if needed, you can run TLS callbacks before the Entry Point:
peconv::run_tls_callbacks(my_pe, v_size);
//calculate the Entry Point of the manually loaded module
DWORD ep_rva = peconv::get_entry_point_rva(my_pe);
if (!ep_rva) {
return -2;
}
ULONG_PTR ep_va = ep_rva + (ULONG_PTR) my_pe;
//assuming that the payload is an EXE file (not DLL) this will be the simplest prototype of the main:
int (*new_main)() = (int(*)())ep_va;
//call the Entry Point of the manually loaded PE:
return new_main();
}
size_t run_tls_callbacks(IN PVOID modulePtr, IN size_t moduleSize=0, IN DWORD dwReason=DLL_PROCESS_ATTACH)
DWORD get_entry_point_rva(IN const BYTE *pe_buffer)
bool load_delayed_imports(BYTE *modulePtr, const ULONGLONG moduleBase, t_function_resolver *func_resolver=nullptr)
bool set_main_module_in_peb(HMODULE hModule)
peconv::UNALIGNED_BUF load_file(IN LPCTSTR filename, OUT size_t &r_size)
Definition file_util.cpp:11
BYTE * load_pe_executable(BYTE *payload_raw, size_t r_size, OUT size_t &v_size, t_function_resolver *import_resolver=nullptr, ULONGLONG desired_base=0)
Definition pe_loader.cpp:79
Master include file, including everything else.

See also: https://github.com/hasherezade/libpeconv_tpl/blob/master/project_template/main.cpp

Read more