// NOTE(review): this listing lost the function signature and several lines (returns, closing
// braces, the assignment of section_hdr). The "Last section's ..." message suggests this is the
// body of find_ending_cave; confirm against the full file.
// Looks for unused space between the end of the last section's raw data and the end of the buffer.
14 if (sec_count == 0)
return nullptr;
// Cannot wrap: sec_count == 0 was rejected above.
16 size_t last_sec = sec_count - 1;
18 if (section_hdr ==
nullptr)
return nullptr;
// The mask test passes when ANY bit of req_charact is set in Characteristics, not all of them.
// A caller passing a combined mask gets sections that satisfy only one of the requested flags.
19 if (!(section_hdr->Characteristics & req_charact))
return nullptr;
21 DWORD raw_size = section_hdr->SizeOfRawData;
// Space from the section's VirtualAddress to the end of the buffer.
// NOTE(review): the cast narrows moduleSize to DWORD and the subtraction is unsigned, so a header
// with VirtualAddress > moduleSize wraps to a large value. No visible line rejects that case before
// this point; the validate_ptr call below is the only bounds check shown here.
22 DWORD virtual_size = (DWORD)moduleSize - section_hdr->VirtualAddress;
// Raw data already fills (or exceeds) the remaining space: there is no room for a cave.
24 if (raw_size >= virtual_size) {
26 std::cout <<
"Last section's raw_size: " << std::hex << raw_size <<
" >= virtual_size: " << virtual_size << std::endl;
// Does not wrap provided the branch above exits the function (its exit line is not visible here).
30 DWORD cave_size = virtual_size - raw_size;
31 if (cave_size < minimal_size) {
33 std::cout <<
"Cave is too small" << std::endl;
// Candidate cave starts right after the section's raw data, addressed by VirtualAddress.
// Both offsets are read from the PE header, so the pointer is untrusted until validated.
37 PBYTE cave_ptr = modulePtr + section_hdr->VirtualAddress + section_hdr->SizeOfRawData;
// Presumably confirms that [cave_ptr, cave_ptr + minimal_size) lies inside the module buffer;
// validate_ptr's body is not part of this listing.
38 if (!
validate_ptr(modulePtr, moduleSize, cave_ptr, minimal_size)) {
40 std::cout <<
"Invalid cave pointer" << std::endl;
// Side effect: grows SizeOfRawData in the header inside the caller's buffer, so the claimed
// bytes are counted as part of the section from now on.
44 section_hdr->SizeOfRawData += minimal_size;
// NOTE(review): the function signature and several lines (returns/continues, closing braces, the
// assignment of section_hdr and alignment) are missing from this listing. The use of `alignment`
// suggests this is the body of find_alignment_cave; confirm against the full file.
// Looks for slack between a section's SizeOfRawData and the next multiple of the alignment.
// Rejecting zero here keeps the % and / below from dividing by zero.
51 if (alignment == 0)
return nullptr;
54 for (
size_t i = 0; i < sec_count; i++) {
56 if (section_hdr ==
nullptr)
continue;
// Passes when ANY bit of req_charact is set, not all of them (relevant for combined masks).
57 if (!(section_hdr->Characteristics & req_charact))
continue;
// A size that is already a multiple of the alignment leaves no slack to use.
59 DWORD rem = section_hdr->SizeOfRawData % alignment;
60 if (rem == 0)
continue;
// Round SizeOfRawData up to the next multiple of alignment.
// NOTE(review): div * alignment is DWORD arithmetic and can wrap when SizeOfRawData is close to
// the DWORD maximum; no visible line bounds SizeOfRawData before this.
62 DWORD div = (section_hdr->SizeOfRawData / alignment) + 1;
63 DWORD new_size = div * alignment;
64 DWORD cave_size = new_size - section_hdr->SizeOfRawData;
65 if (cave_size < minimal_size) {
67 std::cout <<
"Cave is too small" << std::endl;
// Uses the raw file offset (PointerToRawData), unlike the VirtualAddress-based offsets elsewhere
// in this file; presumably modulePtr is a raw (file-layout) buffer here. TODO confirm.
71 DWORD sec_start = section_hdr->PointerToRawData;
72 if (sec_start == 0)
continue;
// NOTE(review): this DWORD addition can wrap for crafted header values. A wrapped sec_end still
// yields an in-buffer pointer, so the validate_ptr check below would not detect it.
74 DWORD sec_end = sec_start + section_hdr->SizeOfRawData;
76 std::cout <<
"section: " << std::hex << sec_start <<
" : " << sec_end << std::endl;
// Candidate cave starts at the end of the section's raw data.
78 PBYTE cave_ptr = modulePtr + sec_end;
// Presumably confirms that [cave_ptr, cave_ptr + minimal_size) lies inside the module buffer;
// validate_ptr's body is not part of this listing.
79 if (!
validate_ptr(modulePtr, moduleSize, cave_ptr, minimal_size)) {
81 std::cout <<
"Invalid cave pointer" << std::endl;
// Side effect: grows SizeOfRawData in the header inside the caller's buffer.
85 section_hdr->SizeOfRawData += minimal_size;
// Printed after the loop, when no section produced a usable cave.
89 std::cout <<
"Cave not found" << std::endl;
// NOTE(review): the function signature and several lines (returns/continues, closing braces, the
// assignment of section_hdr, original lines 128-135) are missing from this listing. The is_padding
// call suggests this is the body of find_padding_cave; confirm against the full file.
// Looks for a run of padding bytes at the end of a section's raw data.
97 for (
size_t i = 0; i < sec_count; i++) {
99 if (section_hdr ==
nullptr)
continue;
// Passes when ANY bit of req_charact is set, not all of them (relevant for combined masks).
100 if (!(section_hdr->Characteristics & req_charact))
continue;
// Skipping smaller sections keeps SizeOfRawData - minimal_size below from wrapping.
102 if (section_hdr->SizeOfRawData < minimal_size)
continue;
105 DWORD sec_start = section_hdr->VirtualAddress;
106 if (sec_start == 0)
continue;
// NOTE(review): this DWORD addition can wrap for crafted header values. Within the visible
// lines sec_end is used only in the log output.
108 DWORD sec_end = sec_start + section_hdr->SizeOfRawData;
110 std::cout <<
"section: " << std::hex << sec_start <<
" : " << sec_end << std::endl;
// The candidate is the last minimal_size bytes of the section's raw data.
113 size_t cave_offset = section_hdr->SizeOfRawData - minimal_size;
114 PBYTE cave_ptr = modulePtr + sec_start + cave_offset;
// Presumably confirms that [cave_ptr, cave_ptr + minimal_size) lies inside the module buffer
// before those bytes are read; validate_ptr's body is not part of this listing.
115 if (!
validate_ptr(modulePtr, moduleSize, cave_ptr, minimal_size)) {
117 std::cout <<
"Invalid cave pointer" << std::endl;
// For executable sections the candidate is tested against 0xCC, the x86 INT3 opcode that
// compilers commonly emit as filler between functions. Presumably is_padding requires every byte
// to equal the given value; its body is not shown. How non-executable sections are handled is
// in lines missing from this listing.
126 if (section_hdr->Characteristics & IMAGE_SCN_MEM_EXECUTE) {
127 if (
is_padding(cave_ptr, minimal_size, 0xCC)) {
// Printed after the loop, when no section produced a usable cave.
136 std::cout <<
"Cave not found" << std::endl;
Functions related to finding caves in the loaded PE file.
PBYTE find_alignment_cave(BYTE *modulePtr, size_t moduleSize, const DWORD cave_size, const DWORD req_charact=IMAGE_SCN_MEM_READ)
bool validate_ptr(IN const void *buffer_bgn, IN size_t buffer_size, IN const void *field_bgn, IN size_t field_size)
PIMAGE_SECTION_HEADER get_section_hdr(IN const BYTE *pe_buffer, IN const size_t buffer_size, IN size_t section_num)
bool is_padding(const BYTE *cave_ptr, size_t cave_size, const BYTE padding_char)
PBYTE find_ending_cave(BYTE *module_ptr, size_t module_size, const DWORD cave_size, const DWORD cave_charact=IMAGE_SCN_MEM_READ)
DWORD get_sec_alignment(IN const BYTE *modulePtr, IN bool is_raw)
size_t get_sections_count(IN const BYTE *buffer, IN const size_t buffer_size)
PBYTE find_padding_cave(BYTE *modulePtr, size_t moduleSize, const size_t minimal_size, const DWORD req_charact=IMAGE_SCN_MEM_READ)
Wrappers over various fields in the PE header. Read, write, parse PE headers.
Miscellaneous utility functions.