// Looks for unused space (a "cave") behind the raw data of the LAST section:
// the bytes between VirtualAddress + SizeOfRawData and the end of the module buffer.
// Every failed check visible here returns nullptr.
// NOTE(review): this is an excerpt of a rendered listing. The leading numbers are the
// original file's line numbers, and gaps in them mean statements (e.g. the definitions of
// sec_count and section_hdr, closing braces, the final return) are not shown here.
// NOTE(review): `reserve` is not referenced in any visible line - confirm how it gates the
// header modification at the end of this excerpt.
8PBYTE
peconv::find_ending_cave(BYTE* modulePtr,
size_t moduleSize,
const DWORD minimal_size,
const DWORD req_charact,
bool reserve)
// Reject a null or empty buffer before any header access.
10 if (!modulePtr || !moduleSize)
return nullptr;
13 if (sec_count == 0)
return nullptr;
// sec_count != 0 was checked above, so this subtraction cannot wrap.
15 const size_t last_sec = sec_count - 1;
17 if (!section_hdr)
return nullptr;
// Passes when the section has AT LEAST ONE of the bits in req_charact (non-zero AND),
// not necessarily all of them.
// NOTE(review): if callers pass a combination of flags and expect all to be present,
// this would need `(Characteristics & req_charact) == req_charact` - confirm intent.
18 if (!(section_hdr->Characteristics & req_charact))
return nullptr;
20 const DWORD raw_size = section_hdr->SizeOfRawData;
// Space from the section's start to the end of the buffer, computed in size_t.
// NOTE(review): if VirtualAddress exceeds moduleSize (malformed header) this subtraction
// wraps. The MAXDWORD check below only rejects the wrapped value where size_t is wider
// than DWORD; whether get_section_hdr already rules this case out is not visible here.
21 const size_t vsize_full = moduleSize - section_hdr->VirtualAddress;
22 if (vsize_full > MAXDWORD)
return nullptr;
// Narrowing is safe: vsize_full <= MAXDWORD was established just above.
24 const DWORD virtual_size =
static_cast<DWORD
>(vsize_full);
// No room behind the raw data; the rest of this branch is not shown (presumably it bails out).
25 if (raw_size >= virtual_size) {
26 LOG_INFO(
"Last section's raw_size: 0x%lx >= virtual_size: 0x%lx", raw_size, virtual_size);
// Reached with raw_size < virtual_size only if the branch above returns - TODO confirm.
29 const DWORD cave_size = virtual_size - raw_size;
30 if (cave_size < minimal_size) {
// Candidate cave starts right after the section's raw data, addressed by VirtualAddress
// (i.e. the buffer is treated as being in virtual/mapped layout).
34 const PBYTE cave_ptr = modulePtr + section_hdr->VirtualAddress + section_hdr->SizeOfRawData;
// Checked for minimal_size bytes, not the full cave_size; presumably validate_ptr confirms
// the range lies inside [modulePtr, modulePtr + moduleSize) - its body is not shown here.
35 if (!
validate_ptr(modulePtr, moduleSize, cave_ptr, minimal_size)) {
// Writes to the section header inside the caller's buffer: the raw size grows by
// minimal_size so the cave counts as part of the section.
// NOTE(review): the condition guarding this line is not shown; presumably `reserve`.
40 section_hdr->SizeOfRawData += minimal_size;
// Fragment of a second cave finder: it scans every section for slack between the section's
// raw size and the next alignment boundary.
// NOTE(review): the signature and the definitions of alignment, sec_count, section_hdr and
// new_size are not shown in this excerpt. Presumably this is the body of
// find_alignment_cave - confirm against the full source.
// Leading numbers are the original file's line numbers; gaps mean omitted lines.
// A zero alignment would make the modulo below a division by zero.
48 if (alignment == 0)
return nullptr;
51 for (
size_t i = 0; i < sec_count; i++) {
53 if (section_hdr ==
nullptr)
continue;
// Non-zero AND: the section needs at least one of the bits in req_charact, not all of them.
54 if (!(section_hdr->Characteristics & req_charact))
continue;
// rem == 0 means the raw size already ends on an alignment boundary, so there is no slack.
56 DWORD rem = section_hdr->SizeOfRawData % alignment;
57 if (rem == 0)
continue;
// presumably new_size is SizeOfRawData rounded up to `alignment` - its definition is not shown.
60 DWORD cave_size = new_size - section_hdr->SizeOfRawData;
61 if (cave_size < minimal_size) {
// Offsets here come from PointerToRawData, i.e. the buffer is addressed by file (raw) offsets.
65 DWORD sec_start = section_hdr->PointerToRawData;
66 if (sec_start == 0)
continue;
// NOTE(review): DWORD + DWORD; with a malformed header the sum can wrap around 32 bits and
// yield a small offset that still lies inside the buffer, so the validate_ptr call below
// would not detect it. Computing the end in size_t (or checking for wrap) would close this.
68 DWORD sec_end = sec_start + section_hdr->SizeOfRawData;
69 LOG_INFO(
"Section: 0x%lx : 0x%lx", sec_start, sec_end);
// Candidate cave begins directly after the section's raw data.
70 PBYTE cave_ptr = modulePtr + sec_end;
// Checks minimal_size bytes at cave_ptr against the buffer (validate_ptr body not shown).
71 if (!
validate_ptr(modulePtr, moduleSize, cave_ptr, minimal_size)) {
// Writes to the section header in the caller's buffer, growing the raw size by minimal_size.
// NOTE(review): the guarding condition is not shown; presumably a `reserve` flag.
76 section_hdr->SizeOfRawData += minimal_size;
// Fragment of a third cave finder: for each section it treats the LAST minimal_size bytes of
// the section's raw data as a candidate cave and tests whether they are padding.
// NOTE(review): the signature, the definitions of sec_count and section_hdr, and everything
// after the 0xCC test are not shown in this excerpt. Presumably this is the body of
// find_padding_cave - confirm against the full source.
// Leading numbers are the original file's line numbers; gaps mean omitted lines.
87 for (
size_t i = 0; i < sec_count; i++) {
89 if (section_hdr ==
nullptr)
continue;
// Non-zero AND: the section needs at least one of the bits in req_charact, not all of them.
90 if (!(section_hdr->Characteristics & req_charact))
continue;
// Also guarantees that SizeOfRawData - minimal_size further down cannot underflow.
92 if (section_hdr->SizeOfRawData < minimal_size)
continue;
// Offsets here come from VirtualAddress, i.e. the buffer is addressed in virtual layout.
95 DWORD sec_start = section_hdr->VirtualAddress;
96 if (sec_start == 0)
continue;
// In the visible lines sec_end is only used for logging.
// NOTE(review): DWORD + DWORD can wrap for a malformed header; harmless if it stays log-only.
98 DWORD sec_end = sec_start + section_hdr->SizeOfRawData;
99 LOG_INFO(
"Section: 0x%lx : 0x%lx", sec_start, sec_end);
// Offset of the last minimal_size bytes inside the section's raw data.
101 size_t cave_offset = section_hdr->SizeOfRawData - minimal_size;
102 PBYTE cave_ptr = modulePtr + sec_start + cave_offset;
// Bounds check before the bytes are read by is_padding (validate_ptr body not shown).
103 if (!
validate_ptr(modulePtr, moduleSize, cave_ptr, minimal_size)) {
// For executable sections the candidate must consist of 0xCC bytes (the x86 INT3 opcode,
// commonly emitted by compilers as filler between functions). What is accepted for
// non-executable sections is not visible in this excerpt.
112 if (section_hdr->Characteristics & IMAGE_SCN_MEM_EXECUTE) {
113 if (
is_padding(cave_ptr, minimal_size, 0xCC)) {
Functions related to finding caves in the loaded PE file.
Compile-time configurable logging macros for peconv.
#define LOG_INFO(fmt,...)
PBYTE find_padding_cave(BYTE *module_ptr, size_t module_size, const size_t minimal_size, const DWORD req_charact=IMAGE_SCN_MEM_READ)
PBYTE find_ending_cave(BYTE *module_ptr, size_t module_size, const DWORD cave_size, const DWORD req_charact=IMAGE_SCN_MEM_READ, bool reserve=true)
bool validate_ptr(IN const void *buffer_bgn, IN size_t buffer_size, IN const void *field_bgn, IN size_t field_size)
PIMAGE_SECTION_HEADER get_section_hdr(IN const BYTE *pe_buffer, IN const size_t buffer_size, IN size_t section_num)
bool is_padding(const BYTE *cave_ptr, size_t cave_size, const BYTE padding_char)
DWORD get_sec_alignment(IN const BYTE *modulePtr, IN bool is_raw)
INT_TYPE round_up_to_unit(const INT_TYPE size, const INT_TYPE unit)
size_t get_sections_count(IN const BYTE *buffer, IN const size_t buffer_size)
PBYTE find_alignment_cave(BYTE *module_ptr, size_t module_size, const DWORD cave_size, const DWORD req_charact=IMAGE_SCN_MEM_READ, bool reserve=true)
Wrappers over various fields in the PE header. Read, write, parse PE headers.
Miscellaneous utility functions.