libpeconv/caves_8cpp_source.html

#include "peconv/caves.h"

#include "peconv/pe_hdrs_helper.h"

#include "peconv/util.h"


using namespace peconv;


#ifdef _DEBUG

#include <iostream>

#endif


PBYTE peconv::find_ending_cave(BYTE*modulePtr, size_t moduleSize, const DWORD minimal_size, const DWORD req_charact)

{

    size_t sec_count = peconv::get_sections_count(modulePtr, moduleSize);

    if (sec_count == 0) return nullptr;


    size_t last_sec = sec_count - 1;

    PIMAGE_SECTION_HEADER section_hdr = peconv::get_section_hdr(modulePtr, moduleSize, last_sec);

    if (section_hdr == nullptr) return nullptr;

    if (!(section_hdr->Characteristics & req_charact)) return nullptr;


    DWORD raw_size = section_hdr->SizeOfRawData;

    DWORD virtual_size = (DWORD)moduleSize - section_hdr->VirtualAddress;


    if (raw_size >= virtual_size) {

#ifdef _DEBUG

        std::cout << "Last section's raw_size: " << std::hex << raw_size << " >= virtual_size: " << virtual_size << std::endl;

#endif

        return nullptr;

    }

    DWORD cave_size = virtual_size - raw_size;

    if (cave_size < minimal_size) {

#ifdef _DEBUG

        std::cout << "Cave is too small" << std::endl;

#endif

        return nullptr;

    }

    PBYTE cave_ptr = modulePtr + section_hdr->VirtualAddress + section_hdr->SizeOfRawData;

    if (!validate_ptr(modulePtr, moduleSize, cave_ptr, minimal_size)) {

#ifdef _DEBUG

        std::cout << "Invalid cave pointer" << std::endl;

#endif

        return nullptr;

    }

    section_hdr->SizeOfRawData += minimal_size; //book this cave

    return cave_ptr;

}


PBYTE peconv::find_alignment_cave(BYTE* modulePtr, size_t moduleSize, const DWORD minimal_size, const DWORD req_charact)

{

    DWORD alignment = peconv::get_sec_alignment(modulePtr, true);

    if (alignment == 0) return nullptr;


    size_t sec_count = peconv::get_sections_count(modulePtr, moduleSize);

    for (size_t i = 0; i < sec_count; i++) {

        PIMAGE_SECTION_HEADER section_hdr = peconv::get_section_hdr(modulePtr, moduleSize, i);

        if (section_hdr == nullptr) continue;

        if (!(section_hdr->Characteristics & req_charact)) continue;


        DWORD rem = section_hdr->SizeOfRawData % alignment;

        if (rem == 0) continue;


        DWORD div = (section_hdr->SizeOfRawData / alignment) + 1;

        DWORD new_size = div * alignment;

        DWORD cave_size = new_size - section_hdr->SizeOfRawData;

        if (cave_size < minimal_size) {

#ifdef __DEBUG

            std::cout << "Cave is too small" << std::endl;

#endif

            continue;

        }

        DWORD sec_start = section_hdr->PointerToRawData;

        if (sec_start == 0) continue;


        DWORD sec_end = sec_start + section_hdr->SizeOfRawData;

#ifdef _DEBUG

        std::cout << "section: " << std::hex << sec_start << " : " << sec_end << std::endl;

#endif

        PBYTE cave_ptr = modulePtr + sec_end;

        if (!validate_ptr(modulePtr, moduleSize, cave_ptr, minimal_size)) {

#ifdef _DEBUG

            std::cout << "Invalid cave pointer" << std::endl;

#endif

            continue;

        }

        section_hdr->SizeOfRawData += minimal_size; //book this cave

        return cave_ptr;

    }

#ifdef _DEBUG

    std::cout << "Cave not found" << std::endl;

#endif

    return nullptr;

}


PBYTE peconv::find_padding_cave(BYTE* modulePtr, size_t moduleSize, const size_t minimal_size, const DWORD req_charact)

{

    size_t sec_count = peconv::get_sections_count(modulePtr, moduleSize);

    for (size_t i = 0; i < sec_count; i++) {

        PIMAGE_SECTION_HEADER section_hdr = peconv::get_section_hdr(modulePtr, moduleSize, i);

        if (section_hdr == nullptr) continue;

        if (!(section_hdr->Characteristics & req_charact)) continue;


        if (section_hdr->SizeOfRawData < minimal_size) continue;


        // we will be searching in the loaded, virtual image:

        DWORD sec_start = section_hdr->VirtualAddress;

        if (sec_start == 0) continue;


        DWORD sec_end = sec_start + section_hdr->SizeOfRawData;

#ifdef _DEBUG

        std::cout << "section: " << std::hex << sec_start << " : " << sec_end << std::endl;

#endif

        //offset from the end of the section:

        size_t cave_offset = section_hdr->SizeOfRawData - minimal_size;

        PBYTE cave_ptr = modulePtr + sec_start + cave_offset;

        if (!validate_ptr(modulePtr, moduleSize, cave_ptr, minimal_size)) {

#ifdef _DEBUG

            std::cout << "Invalid cave pointer" << std::endl;

#endif

            continue;

        }

        bool found = false;

        if (is_padding(cave_ptr, minimal_size, 0)) {

            found = true;

        }

        //if the section is code, check also code padding:

        if (section_hdr->Characteristics & IMAGE_SCN_MEM_EXECUTE) {

            if (is_padding(cave_ptr, minimal_size, 0xCC)) {

                found = true;

            }

        }

        if (found) {

            return cave_ptr;

        }

    }

#ifdef _DEBUG

    std::cout << "Cave not found" << std::endl;

#endif

    return nullptr;

}


caves.h
Functions related to finding caves in the loaded PE file.

peconv
Definition buffer_util.h:15

peconv::find_alignment_cave
PBYTE find_alignment_cave(BYTE *modulePtr, size_t moduleSize, const DWORD cave_size, const DWORD req_charact=IMAGE_SCN_MEM_READ)
Definition caves.cpp:48

peconv::validate_ptr
bool validate_ptr(IN const void *buffer_bgn, IN size_t buffer_size, IN const void *field_bgn, IN size_t field_size)
Definition buffer_util.cpp:9

peconv::get_section_hdr
PIMAGE_SECTION_HEADER get_section_hdr(IN const BYTE *pe_buffer, IN const size_t buffer_size, IN size_t section_num)
Definition pe_hdrs_helper.cpp:343

peconv::is_padding
bool is_padding(const BYTE *cave_ptr, size_t cave_size, const BYTE padding_char)
Definition util.cpp:100

peconv::find_ending_cave
PBYTE find_ending_cave(BYTE *module_ptr, size_t module_size, const DWORD cave_size, const DWORD cave_charact=IMAGE_SCN_MEM_READ)
Definition caves.cpp:11

peconv::get_sec_alignment
DWORD get_sec_alignment(IN const BYTE *modulePtr, IN bool is_raw)
Definition pe_hdrs_helper.cpp:519

peconv::get_sections_count
size_t get_sections_count(IN const BYTE *buffer, IN const size_t buffer_size)
Definition pe_hdrs_helper.cpp:319

peconv::find_padding_cave
PBYTE find_padding_cave(BYTE *modulePtr, size_t moduleSize, const size_t minimal_size, const DWORD req_charact=IMAGE_SCN_MEM_READ)
Definition caves.cpp:94

pe_hdrs_helper.h
Wrappers over various fields in the PE header. Read, write, parse PE headers.

util.h
Miscellaneous utility functions.