libPeConv
A library to load, manipulate, dump PE files.
Loading...
Searching...
No Matches
fix_dot_net_ep.cpp
Go to the documentation of this file.
1#include "fix_dot_net_ep.h"
2#include <peconv.h>
3
4#include <string>
5#include <map>
6
7class ListImportNames : public peconv::ImportThunksCallback
8{
9public:
10 ListImportNames(BYTE* _modulePtr, size_t _moduleSize, std::map<std::string, DWORD> &name_to_addr)
11 : ImportThunksCallback(_modulePtr, _moduleSize), nameToAddr(name_to_addr)
12 {
13 }
14
15 virtual bool processThunks(LPSTR lib_name, ULONG_PTR origFirstThunkPtr, ULONG_PTR firstThunkPtr)
16 {
17 if (this->is64b) {
18 IMAGE_THUNK_DATA64* desc = reinterpret_cast<IMAGE_THUNK_DATA64*>(origFirstThunkPtr);
19 ULONGLONG* call_via = reinterpret_cast<ULONGLONG*>(firstThunkPtr);
20 return processThunks_tpl<ULONGLONG, IMAGE_THUNK_DATA64>(lib_name, desc, call_via, IMAGE_ORDINAL_FLAG64);
21 }
22 IMAGE_THUNK_DATA32* desc = reinterpret_cast<IMAGE_THUNK_DATA32*>(origFirstThunkPtr);
23 DWORD* call_via = reinterpret_cast<DWORD*>(firstThunkPtr);
24 return processThunks_tpl<DWORD, IMAGE_THUNK_DATA32>(lib_name, desc, call_via, IMAGE_ORDINAL_FLAG32);
25 }
26
27protected:
28 template <typename T_FIELD, typename T_IMAGE_THUNK_DATA>
29 bool processThunks_tpl(LPSTR lib_name, const T_IMAGE_THUNK_DATA* desc, const T_FIELD* call_via, const T_FIELD ordinal_flag)
30 {
31 const DWORD call_via_rva = static_cast<DWORD>((ULONG_PTR)call_via - (ULONG_PTR)this->modulePtr);
32 LOG_DEBUG("via RVA: 0x%lx", call_via_rva);
33 const bool is_by_ord = (desc->u1.Ordinal & ordinal_flag) != 0;
34 if (!is_by_ord) {
35 const PIMAGE_IMPORT_BY_NAME by_name = (PIMAGE_IMPORT_BY_NAME)((ULONGLONG)modulePtr + desc->u1.AddressOfData);
36 if (!peconv::validate_ptr(modulePtr, moduleSize, by_name, sizeof(IMAGE_IMPORT_BY_NAME))) {
37 LOG_ERROR("Invalid pointer to IMAGE_IMPORT_BY_NAME");
38 return false;
39 }
40 const LPSTR func_name = reinterpret_cast<LPSTR>(by_name->Name);
41 if (!peconv::is_valid_string(modulePtr, moduleSize, func_name)) {
42 LOG_ERROR("Invalid pointer to function name");
43 return false;
44 }
45 LOG_DEBUG("name: %s", func_name);
46 nameToAddr[func_name] = call_via_rva;
47 }
48 return true;
49 }
50
51 std::map<std::string, DWORD> &nameToAddr;
52};
53
54DWORD find_corexemain(BYTE *buf, size_t buf_size)
55{
56 std::map<std::string, DWORD> name_to_addr;
57 ListImportNames callback(buf, buf_size, name_to_addr);
58 if (!peconv::process_import_table(buf, buf_size, &callback)) return 0;
59
60 std::map<std::string, DWORD>::iterator found = name_to_addr.find("_CorExeMain");
61 if (found != name_to_addr.end()) return found->second;
62
63 found = name_to_addr.find("_CorDllMain");
64 if (found != name_to_addr.end()) return found->second;
65
66 return 0;
67}
68
69BYTE* search_jump(BYTE *buf, size_t buf_size, const DWORD cor_exe_main_thunk, const ULONGLONG img_base)
70{
71 // search the jump pattern, i.e.:
72 //JMP DWORD NEAR [0X402000] : FF 25 00204000
73 const size_t jmp_size = 2;
74 const BYTE jmp_pattern[jmp_size] = { 0xFF, 0x25 };
75
76 const size_t arg_size = sizeof(DWORD);
77 if ((jmp_size + arg_size) > buf_size) {
78 return nullptr;
79 }
80 const size_t end_offset = buf_size - (jmp_size + arg_size);
81
82 for (size_t i = end_offset; // search backwards
83 (i + 1) != 0; // this is unsigned comparison, so we cannot do: i >= 0
84 i--) // go back by one BYTE
85 {
86 if (buf[i] == jmp_pattern[0] && buf[i + 1] == jmp_pattern[1]) { // JMP
87 DWORD* addr = (DWORD*)(&buf[i + jmp_size]);
88 DWORD rva = static_cast<DWORD>((*addr) - img_base);
89 if (rva == cor_exe_main_thunk) {
90 LOG_DEBUG("Found call to _CorExeMain.");
91 return buf + i;
92 }
93 else {
94 LOG_WARNING("Mismatch: 0x%lx vs _CorExeMain: 0x%lx", rva, cor_exe_main_thunk);
95 }
96 }
97 }
98 return nullptr;
99}
100
101bool fix_dot_net_ep(BYTE *pe_buffer, size_t pe_buffer_size)
102{
103 if (!pe_buffer) return false;
104
105 if (peconv::is64bit(pe_buffer)) {
106 //64bit .NET files have EP=0
107 return peconv::update_entry_point_rva(pe_buffer, 0);
108 }
109
110 DWORD ep_rva = peconv::get_entry_point_rva(pe_buffer);
111 LOG_INFO(".NET payload may require Entry Point correction. Current EP: 0x%lx", (unsigned long)ep_rva);
112 PIMAGE_SECTION_HEADER sec_hdr = peconv::get_section_hdr(pe_buffer, pe_buffer_size, 0);
113 if (!sec_hdr) {
114 return false;
115 }
116 BYTE* sec_ptr = (BYTE*)((ULONG_PTR)pe_buffer + sec_hdr->VirtualAddress);
117 if (!peconv::validate_ptr(pe_buffer, pe_buffer_size, sec_ptr, sec_hdr->SizeOfRawData)) {
118 return false;
119 }
120 ULONGLONG img_base = peconv::get_image_base(pe_buffer);
121 DWORD cor_exe_main_thunk = find_corexemain(pe_buffer, pe_buffer_size);
122 if (!cor_exe_main_thunk) {
123 return false;
124 }
125 BYTE* jump_ptr = search_jump(sec_ptr, sec_hdr->SizeOfRawData, cor_exe_main_thunk, img_base);
126 if (!jump_ptr) {
127 return false;
128 }
129 size_t offset = (ULONG_PTR)jump_ptr - (ULONG_PTR)pe_buffer;
130 const bool is_updated = peconv::update_entry_point_rva(pe_buffer, static_cast<DWORD>(offset));
131 LOG_INFO("Found possible Entry Point: 0x%lx", (unsigned long)offset);
132 return is_updated;
133}
134
ListImportNames::processThunks
virtual bool processThunks(LPSTR lib_name, ULONG_PTR origFirstThunkPtr, ULONG_PTR firstThunkPtr)
Definition: fix_dot_net_ep.cpp:15
ListImportNames::processThunks_tpl
bool processThunks_tpl(LPSTR lib_name, const T_IMAGE_THUNK_DATA *desc, const T_FIELD *call_via, const T_FIELD ordinal_flag)
Definition: fix_dot_net_ep.cpp:29
ListImportNames::ListImportNames
ListImportNames(BYTE *_modulePtr, size_t _moduleSize, std::map< std::string, DWORD > &name_to_addr)
Definition: fix_dot_net_ep.cpp:10
ListImportNames::nameToAddr
std::map< std::string, DWORD > & nameToAddr
Definition: fix_dot_net_ep.cpp:51
peconv::ImportThunksCallback::ImportThunksCallback
ImportThunksCallback(BYTE *_modulePtr, size_t _moduleSize)
Definition: imports_loader.h:23
fix_dot_net_ep
bool fix_dot_net_ep(BYTE *pe_buffer, size_t pe_buffer_size)
Definition: fix_dot_net_ep.cpp:101
search_jump
BYTE * search_jump(BYTE *buf, size_t buf_size, const DWORD cor_exe_main_thunk, const ULONGLONG img_base)
Definition: fix_dot_net_ep.cpp:69
find_corexemain
DWORD find_corexemain(BYTE *buf, size_t buf_size)
Definition: fix_dot_net_ep.cpp:54
fix_dot_net_ep.h
LOG_DEBUG
#define LOG_DEBUG(fmt,...)
Definition: logger.h:80
LOG_INFO
#define LOG_INFO(fmt,...)
Definition: logger.h:74
LOG_ERROR
#define LOG_ERROR(fmt,...)
Definition: logger.h:60
LOG_WARNING
#define LOG_WARNING(fmt,...)
Definition: logger.h:68
peconv::update_entry_point_rva
bool update_entry_point_rva(IN OUT BYTE *pe_buffer, IN DWORD ep)
Definition: pe_hdrs_helper.cpp:185
peconv::get_entry_point_rva
DWORD get_entry_point_rva(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:167
peconv::is_valid_string
bool is_valid_string(LPVOID modulePtr, const size_t moduleSize, const CHAR_T *name_ptr, const size_t max_len=260)
Definition: util.h:61
peconv::get_image_base
ULONGLONG get_image_base(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:148
peconv::process_import_table
bool process_import_table(IN BYTE *modulePtr, IN SIZE_T moduleSize, IN ImportThunksCallback *callback)
Definition: imports_loader.cpp:274
peconv::validate_ptr
bool validate_ptr(IN const void *buffer_bgn, IN size_t buffer_size, IN const void *field_bgn, IN size_t field_size)
Definition: buffer_util.cpp:9
peconv::get_section_hdr
PIMAGE_SECTION_HEADER get_section_hdr(IN const BYTE *pe_buffer, IN const size_t buffer_size, IN size_t section_num)
Definition: pe_hdrs_helper.cpp:343
peconv::is64bit
bool is64bit(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:117
peconv.h
Master include for LibPEConv.
Generated on Tue Apr 14 2026 13:01:06 for libPeConv by doxygen 1.9.5