libpeconv/find__base_8cpp_source.html

#include <peconv/find_base.h>

#include <peconv/pe_hdrs_helper.h>

#include <peconv/relocate.h>

#include <set>

#include <map>


namespace {


    class CollectCodeRelocs : public peconv::RelocBlockCallback

    {

    public:

        CollectCodeRelocs(BYTE *pe_buffer, size_t buffer_size, IN bool _is64bit, OUT std::set<ULONGLONG> &_relocs)

            : RelocBlockCallback(_is64bit), relocs(_relocs),

            peBuffer(pe_buffer), bufferSize(buffer_size)

        {

            codeSec = getCodeSection(peBuffer, bufferSize);

        }


        virtual bool processRelocField(ULONG_PTR relocField)

        {

            if (!codeSec) return false;


            ULONGLONG reloc_addr = (relocField - (ULONGLONG)peBuffer);

            const ULONGLONG code_start = codeSec->VirtualAddress;

            const ULONGLONG code_end = code_start + codeSec->Misc.VirtualSize;

            const bool is_in_code = (reloc_addr >= code_start) && (reloc_addr < code_end);

            if (!is64bit && !is_in_code) {

                // in case of 32 bit PEs process only the relocations form the code section

                return true;

            }

            ULONGLONG rva = 0;

            if (is64bit) {

                ULONGLONG* relocateAddr = (ULONGLONG*)((ULONG_PTR)relocField);

                rva = (*relocateAddr);

                //std::cout << std::hex << (relocField - (ULONGLONG)peBuffer) << " : " << rva << std::endl;

            }

            else {

                DWORD* relocateAddr = (DWORD*)((ULONG_PTR)relocField);

                rva = ULONGLONG(*relocateAddr);

                //std::cout << std::hex << (relocField - (ULONGLONG)peBuffer) << " : " << rva << std::endl;

            }

            relocs.insert(rva);

            return true;

        }


        static PIMAGE_SECTION_HEADER getCodeSection(BYTE *peBuffer, size_t bufferSize)

        {

            size_t sec_count = peconv::get_sections_count(peBuffer, bufferSize);

            for (size_t i = 0; i < sec_count; i++) {

                PIMAGE_SECTION_HEADER hdr = peconv::get_section_hdr(peBuffer, bufferSize, i);

                if (!hdr) break;

                if (hdr->VirtualAddress == 0 || hdr->SizeOfRawData == 0) {

                    continue;

                }

                if (hdr->Characteristics & IMAGE_SCN_MEM_EXECUTE) {

                    return hdr;

                }

            }

            return nullptr;

        }


    protected:

        std::set<ULONGLONG> &relocs;

        PIMAGE_SECTION_HEADER codeSec;


        BYTE *peBuffer;

        size_t bufferSize;

    };

}


ULONGLONG peconv::find_base_candidate(IN BYTE* modulePtr, IN size_t moduleSize)

{

    if (moduleSize == 0) {

        moduleSize = peconv::get_image_size((const BYTE*)modulePtr);

    }

    if (moduleSize == 0) return 0;


    bool is64 = peconv::is64bit(modulePtr);

    std::set<ULONGLONG> relocs;

    CollectCodeRelocs callback(modulePtr, moduleSize, is64, relocs);

    if (!peconv::process_relocation_table(modulePtr, moduleSize, &callback)) {

        return 0;

    }

    if (relocs.size() == 0) {

        return 0;

    }


    PIMAGE_SECTION_HEADER hdr = CollectCodeRelocs::getCodeSection(modulePtr, moduleSize);

    if (!hdr) {

        return 0;

    }

    const ULONGLONG mask = ~ULONGLONG(0xFFFF);

    std::map<ULONGLONG, size_t>base_candidates;


    std::set<ULONGLONG>::iterator itr;


    for (itr = relocs.begin(); itr != relocs.end(); ++itr) {

        const ULONGLONG guessed_base = (*itr) & mask;

        std::map<ULONGLONG, size_t>::iterator found = base_candidates.find(guessed_base);

        if (found == base_candidates.end()) {

            base_candidates[guessed_base] = 0;

        }

        base_candidates[guessed_base]++;

    }

    ULONGLONG most_frequent = 0;

    size_t max_freq = 0;

    std::map<ULONGLONG, size_t>::iterator mapItr;

    for (mapItr = base_candidates.begin(); mapItr != base_candidates.end(); ++mapItr) {

        if (mapItr->second >= max_freq) {

            most_frequent = mapItr->first;

            max_freq = mapItr->second;

        }

    }

    for (itr = relocs.begin(); itr != relocs.end(); ++itr) {

        ULONGLONG first = *itr;

        ULONGLONG first_base = first & mask;

        if (first_base > most_frequent) {

            break;

        }

        ULONGLONG delta = most_frequent - first_base;

        if (delta < moduleSize) {

            return first_base;

        }

    }

    return 0;

}


peconv::RelocBlockCallback
Definition relocate.h:18

find_base.h
Functions related to finding a base to which the module was relocated.

peconv::find_base_candidate
ULONGLONG find_base_candidate(IN BYTE *module_ptr, IN size_t module_size)
Definition find_base.cpp:71

peconv::get_section_hdr
PIMAGE_SECTION_HEADER get_section_hdr(IN const BYTE *pe_buffer, IN const size_t buffer_size, IN size_t section_num)
Definition pe_hdrs_helper.cpp:339

peconv::get_image_size
DWORD get_image_size(IN const BYTE *payload)
Definition pe_hdrs_helper.cpp:75

peconv::process_relocation_table
bool process_relocation_table(IN PVOID modulePtr, IN SIZE_T moduleSize, IN RelocBlockCallback *callback)
Definition relocate.cpp:111

peconv::is64bit
bool is64bit(IN const BYTE *pe_buffer)
Definition pe_hdrs_helper.cpp:119

peconv::get_sections_count
size_t get_sections_count(IN const BYTE *buffer, IN const size_t buffer_size)
Definition pe_hdrs_helper.cpp:315

pe_hdrs_helper.h
Wrappers over various fields in the PE header. Read, write, parse PE headers.

relocate.h
Operating on PE file's relocations table.