Classes | |
| struct | _BASE_RELOCATION_ENTRY |
| struct | _IMAGE_LOAD_CONFIG_CODE_INTEGRITY_W10 |
| struct | _IMAGE_LOAD_CONFIG_DIR32_W10 |
| struct | _IMAGE_LOAD_CONFIG_DIR32_W7 |
| struct | _IMAGE_LOAD_CONFIG_DIR32_W8 |
| struct | _IMAGE_LOAD_CONFIG_DIR64_W10 |
| struct | _IMAGE_LOAD_CONFIG_DIR64_W7 |
| struct | _IMAGE_LOAD_CONFIG_DIR64_W8 |
| class | CollectCodeRelocs |
| class | default_func_resolver |
| struct | DllInfo |
| class | export_based_resolver |
| class | ExportedFunc |
| class | ExportsMapper |
| class | hooking_func_resolver |
| class | ImportedDllCoverage |
| struct | ImportsCollection |
| class | ImportsUneraser |
| class | ImportThunksCallback |
| class | ImpsNotCovered |
| class | PatchBackup |
| class | RelocBlockCallback |
| class | t_function_resolver |
Enumerations | |
| enum | t_load_config_ver { LOAD_CONFIG_NONE = 0 , LOAD_CONFIG_W7_VER = 7 , LOAD_CONFIG_W8_VER = 8 , LOAD_CONFIG_W10_VER = 10 , LOAD_CONFIG_UNK_VER = -1 } |
| enum | t_pe_dump_mode { PE_DUMP_AUTO = 0 , PE_DUMP_VIRTUAL , PE_DUMP_UNMAP , PE_DUMP_REALIGN , PE_DUMP_MODES_COUNT } |
Variables | |
| const ULONGLONG | MAX_HEADER_SIZE = PAGE_SIZE |
| const LPSTR | RT_RCDATA_A = MAKEINTRESOURCEA(10) |
| HMODULE | g_kernel32Hndl = nullptr |
| HMODULE | g_ntdllHndl = nullptr |
Typedef Documentation
◆ ALIGNED_BUF
A buffer allocated in a virtual space of a process, aligned to the beginning of a memory page.
Definition at line 46 of file buffer_util.h.
◆ BASE_RELOCATION_ENTRY
◆ IMAGE_LOAD_CONFIG_CODE_INTEGRITY_W10
| typedef struct peconv::_IMAGE_LOAD_CONFIG_CODE_INTEGRITY_W10 peconv::IMAGE_LOAD_CONFIG_CODE_INTEGRITY_W10 |
IMAGE_LOAD_CONFIG_CODE_INTEGRITY: a structure used by IMAGE_LOAD_CONFIG_DIR - the Windows 10 version.
◆ IMAGE_LOAD_CONFIG_DIR32_W10
IMAGE_LOAD_CONFIG_DIR32: the Windows 10 version.
◆ IMAGE_LOAD_CONFIG_DIR32_W7
IMAGE_LOAD_CONFIG_DIR32: the Windows 7 version.
◆ IMAGE_LOAD_CONFIG_DIR32_W8
IMAGE_LOAD_CONFIG_DIR32: the Windows 8 version.
◆ IMAGE_LOAD_CONFIG_DIR64_W10
IMAGE_LOAD_CONFIG_DIR64: the Windows 10 version.
◆ IMAGE_LOAD_CONFIG_DIR64_W7
IMAGE_LOAD_CONFIG_DIR64: the Windows 7 version.
◆ IMAGE_LOAD_CONFIG_DIR64_W8
IMAGE_LOAD_CONFIG_DIR64: the Windows 8 version.
◆ t_on_res_entry_found
| typedef bool(* peconv::t_on_res_entry_found) (BYTE *modulePtr, IMAGE_RESOURCE_DIRECTORY_ENTRY *root_dir, IMAGE_RESOURCE_DATA_ENTRY *curr_entry) |
A callback that will be executed by the function parse_resources when the Resource Entry was found.
Definition at line 13 of file resource_parser.h.
◆ UNALIGNED_BUF
A buffer allocated on the heap of a process, not aligned to the beginning of a memory page.
Definition at line 41 of file buffer_util.h.
Enumeration Type Documentation
◆ t_load_config_ver
A version of Load Config Directory.
Definition at line 17 of file load_config_util.h.
◆ t_pe_dump_mode
A mode in which the PE fille be dumped.
Definition at line 16 of file pe_dumper.h.
Function Documentation
◆ _search_readable_size()
| SIZE_T peconv::_search_readable_size | ( | HANDLE | processHandle, |
| LPVOID | start_addr, | ||
| OUT BYTE * | buffer, | ||
| const size_t | buffer_size, | ||
| const SIZE_T | minimal_size ) |
Performs a binary search along with ReadProcessMemory, trying to find the biggest size of memory (within the buffer_size) that can be read. The search stops when the minimal_size was reached. The given minimal_size must be non-zero, and smaller than the buffer_size. If the size matching the constraints was found, it reads that many bytes to the buffer.
Definition at line 61 of file remote_pe_reader.cpp.
◆ alloc_aligned()
| peconv::ALIGNED_BUF peconv::alloc_aligned | ( | size_t | buffer_size, |
| DWORD | protect, | ||
| ULONGLONG | desired_base = NULL ) |
Allocates a buffer of a virtual memory (using VirtualAlloc). Can be used in the cases when the buffer have to be aligned to the beginning of a page.
Definition at line 56 of file buffer_util.cpp.
◆ alloc_pe_buffer()
| peconv::ALIGNED_BUF peconv::alloc_pe_buffer | ( | size_t | buffer_size, |
| DWORD | protect, | ||
| ULONGLONG | desired_base = NULL ) |
Allocates an aligned buffer for a PE file.
Definition at line 82 of file buffer_util.cpp.
◆ alloc_unaligned()
| peconv::UNALIGNED_BUF peconv::alloc_unaligned | ( | size_t | buf_size | ) |
Allocates a buffer on the heap. Can be used in the cases when the buffer does not have to start at the beginning of a page.
Definition at line 39 of file buffer_util.cpp.
◆ calc_pe_size()
Calculate full PE size (raw or virtual) using information from sections' headers. WARNING: it drops an overlay.
- Parameters
-
pe_buffer : a buffer containing a PE pe_size : the size of the given buffer is_raw : If true, the Raw alignment is used. If false, the Virtual alignment is used.
Definition at line 593 of file pe_hdrs_helper.cpp.
◆ collect_imports()
◆ collect_thunks()
| bool peconv::collect_thunks | ( | IN BYTE * | modulePtr, |
| IN SIZE_T | moduleSize, | ||
| OUT std::set< DWORD > & | thunk_rvas ) |
Collects all the Import Thunks RVAs (via which Imports are called)
Definition at line 370 of file imports_loader.cpp.
◆ detect_dump_mode()
Detect dump mode that is the most suitable for the given input.
- Parameters
-
buffer : the buffer containing the PE to be dumped. buffer_size : the size of the given buffer
Definition at line 14 of file pe_dumper.cpp.
◆ dump_pe()
| bool peconv::dump_pe | ( | IN LPCTSTR | outputFilePath, |
| IN OUT BYTE * | buffer, | ||
| IN size_t | buffer_size, | ||
| IN const ULONGLONG | module_base, | ||
| IN OUT t_pe_dump_mode & | dump_mode, | ||
| IN OPTIONAL const peconv::ExportsMapper * | exportsMap = nullptr ) |
Dumps PE from the fiven buffer into a file. It expects the module base and size to be given.
- Parameters
-
outputFilePath : name of the file where the dump should be saved buffer : the buffer containing the PE to be dumped. WARNING: the buffer may be preprocessed before dumping. buffer_size : the size of the given buffer module_base : the base to which the PE buffer was relocated dump_mode : specifies in which format the PE should be dumped. If the mode was set to PE_DUMP_AUTO, it autodetects mode and returns the detected one. exportsMap : optional. If exportsMap is supplied, it will try to recover destroyed import table of the PE, basing on the supplied map of exported functions.
Definition at line 26 of file pe_dumper.cpp.
◆ dump_remote_pe()
| bool peconv::dump_remote_pe | ( | IN LPCTSTR | outputFilePath, |
| IN const HANDLE | processHandle, | ||
| IN LPVOID | moduleBase, | ||
| IN OUT t_pe_dump_mode & | dump_mode, | ||
| IN OPTIONAL peconv::ExportsMapper * | exportsMap = nullptr ) |
Dumps PE from the remote process into a file. It expects the module base and size to be given.
- Parameters
-
outputFilePath : the path where the dump will be saved processHandle : the handle to the remote process moduleBase : the base address of the module that needs to be dumped dump_mode : specifies in which format the PE should be dumped. If the mode was set to PE_DUMP_AUTO, it autodetects mode and returns the detected one. exportsMap : optional. If exportsMap is supplied, it will try to recover destroyed import table of the PE, basing on the supplied map of exported functions.
Definition at line 388 of file remote_pe_reader.cpp.
◆ dump_to_file()
Writes a buffer of bytes into a file of given path.
- Parameters
-
path : the path to the output file dump_data : the buffer to be dumped dump_size : the size of data to be dumped (in bytes)
- Returns
- true if succeeded, false if failed
Definition at line 101 of file file_util.cpp.
◆ fetch_alloc_base()
Fetch the allocation base of the memory region with the supplied start address.
- Parameters
-
processHandle : handle of the process where the region of interest belongs start_addr : the address inside the region of interest
- Returns
- the allocation base address of the memory region, or 0 if not found
Definition at line 43 of file remote_pe_reader.cpp.
◆ fetch_callbacks_list()
◆ fetch_region_info()
| bool peconv::fetch_region_info | ( | HANDLE | processHandle, |
| LPVOID | start_addr, | ||
| MEMORY_BASIC_INFORMATION & | page_info ) |
◆ fetch_region_size()
Fetch size of the memory region starting from the given address.
Definition at line 33 of file remote_pe_reader.cpp.
◆ find_alignment_cave()
◆ find_base_candidate()
Try to find a base to which the PE file was relocated, basing on the filled relocations. WARNING: the found base is an estimate, and sometimes may not be fully accurate.
- Parameters
-
module_ptr : the module which's base is being searched module_size : the size of the given module
- Returns
- the base to which the module was relocated
Definition at line 70 of file find_base.cpp.
◆ find_ending_cave()
◆ find_extension_pos()
Find a position of possible file extension. If not found, gives string length.
Definition at line 150 of file file_util.cpp.
◆ find_padding_cave()
◆ fix_imports()
| bool peconv::fix_imports | ( | IN OUT PVOID | modulePtr, |
| IN size_t | moduleSize, | ||
| IN const peconv::ExportsMapper & | exportsMap, | ||
| OUT OPTIONAL peconv::ImpsNotCovered * | notCovered ) |
fix imports in the given module, using the given map of all available exports
Definition at line 216 of file fix_imports.cpp.
◆ format_dll_func()
| std::string peconv::format_dll_func | ( | const std::string & | str | ) |
Convert the function in a format: DLL_name.function_name into a normalized form (DLL name in lowercase).
Definition at line 95 of file exported_func.cpp.
◆ forwarder_name_len()
Check if the pointer redirects to a forwarder - if so, return the length, otherwise return 0.
Definition at line 36 of file exported_func.cpp.
◆ free_aligned()
| bool peconv::free_aligned | ( | peconv::ALIGNED_BUF | buffer, |
| size_t | buffer_size = 0 ) |
Frees buffer allocated by alloc_aligned.
Definition at line 64 of file buffer_util.cpp.
◆ free_file()
| void peconv::free_file | ( | IN peconv::UNALIGNED_BUF | buffer | ) |
Free the buffer allocated by load_file/read_from_file
Definition at line 127 of file file_util.cpp.
◆ free_pe_buffer()
| bool peconv::free_pe_buffer | ( | peconv::ALIGNED_BUF | buffer, |
| size_t | buffer_size = 0 ) |
Free the memory allocated with alloc_pe_buffer.
Definition at line 88 of file buffer_util.cpp.
◆ free_resource_data()
| void peconv::free_resource_data | ( | peconv::ALIGNED_BUF | buffer | ) |
Free the buffer with PE Resources, mapped by the function load_resource_data.
Definition at line 53 of file resource_util.cpp.
◆ free_unaligned()
| void peconv::free_unaligned | ( | peconv::UNALIGNED_BUF | section_buffer | ) |
Frees buffer allocated by alloc_unaligned.
Definition at line 47 of file buffer_util.cpp.
◆ get_current_module_handle()
| HMODULE peconv::get_current_module_handle | ( | ) |
a helper function to get the module handle of the current DLL
Definition at line 7 of file resource_util.cpp.
◆ get_delayed_imps()
| IMAGE_DELAYLOAD_DESCRIPTOR * peconv::get_delayed_imps | ( | IN const BYTE * | modulePtr, |
| IN const size_t | moduleSize, | ||
| OUT size_t & | dir_size ) |
Get the Delayload Imports directory. Returns the pointer to the first descriptor. The size of the directory is passed via variable dir_size.
Definition at line 6 of file delayed_imports_loader.cpp.
◆ get_directory_entry()
| IMAGE_DATA_DIRECTORY * peconv::get_directory_entry | ( | IN const BYTE * | pe_buffer, |
| IN DWORD | dir_id, | ||
| IN bool | allow_empty = false ) |
get Data Directory entry of the given number. If the entry is not filled and allow_empty is not set, it returns null pointer.
Definition at line 130 of file pe_hdrs_helper.cpp.
◆ get_directory_name()
Get the directory name from the given path. It assumes that a directory name always ends with a separator ("/" or "\")
Definition at line 141 of file file_util.cpp.
◆ get_dll_characteristics()
Fetch the DLL Characteristics from the Optional Header.
Definition at line 415 of file pe_hdrs_helper.cpp.
◆ get_dll_shortname()
| std::string peconv::get_dll_shortname | ( | const std::string & | str | ) |
get the DLL name without the extension
Definition at line 12 of file exported_func.cpp.
◆ get_dotnet_hdr()
| IMAGE_COR20_HEADER * peconv::get_dotnet_hdr | ( | IN const BYTE * | pe_buffer, |
| IN size_t const | buffer_size, | ||
| IN const IMAGE_DATA_DIRECTORY * | dotNetDir ) |
Fetch the pointer to the .NET header (if exist).
Definition at line 488 of file pe_hdrs_helper.cpp.
◆ get_entry_point_rva()
Get RVA of the Entry Point from the Optional Header.
Definition at line 171 of file pe_hdrs_helper.cpp.
◆ get_export_directory()
| IMAGE_EXPORT_DIRECTORY * peconv::get_export_directory | ( | IN HMODULE | modulePtr | ) |
Get pointer to the Export Directory.
Definition at line 482 of file pe_hdrs_helper.cpp.
◆ get_exported_func()
Gets the function address by the name. Uses Export Table lookup. WARNING: doesn't work for the forwarded functions.
Definition at line 100 of file exports_lookup.cpp.
◆ get_exported_names()
Gets list of all the functions from a given module that are exported by names.
Definition at line 78 of file exports_lookup.cpp.
◆ get_file_characteristics()
Fetch the PE Characteristics from the File Header.
Definition at line 374 of file pe_hdrs_helper.cpp.
◆ get_file_hdr()
| const IMAGE_FILE_HEADER * peconv::get_file_hdr | ( | IN const BYTE * | payload, |
| IN const size_t | buffer_size ) |
Fetches file header of the PE. Validates pointers against buffer size.
Definition at line 257 of file pe_hdrs_helper.cpp.
◆ get_file_name()
Get the file name from the given path.
Definition at line 132 of file file_util.cpp.
◆ get_func_name()
| std::string peconv::get_func_name | ( | const std::string & | str | ) |
Get the function name from the string in a format: DLL_name.function_name
Definition at line 64 of file exported_func.cpp.
◆ get_hdrs_size()
Fetch the size of headers (from Optional Header).
Definition at line 208 of file pe_hdrs_helper.cpp.
◆ get_image_base()
◆ get_image_size()
Fetch image size from headers.
Definition at line 77 of file pe_hdrs_helper.cpp.
◆ get_kernel32_hndl()
| HMODULE peconv::get_kernel32_hndl | ( | ) |
◆ get_last_section()
| PIMAGE_SECTION_HEADER peconv::get_last_section | ( | IN const PBYTE | pe_buffer, |
| IN size_t | pe_size, | ||
| IN bool | is_raw ) |
Get the last section (in a raw or virtual alignment)
- Parameters
-
pe_buffer : buffer with a PE pe_size : size of the given PE is_raw : If true, give the section with the highest Raw offset. If false, give the section with the highest Virtual offset.
Definition at line 571 of file pe_hdrs_helper.cpp.
◆ get_load_config_ptr()
Get a pointer to the Load Config Directory within the given PE.
- Parameters
-
buffer : a buffer containing the PE file in a Virtual format buf_size : size of the buffer
- Returns
- a pointer to the Load Config Directory, NULL if the given PE does not have this directory
Definition at line 4 of file load_config_util.cpp.
◆ get_load_config_version()
| peconv::t_load_config_ver peconv::get_load_config_version | ( | BYTE * | buffer, |
| size_t | buf_size, | ||
| BYTE * | ld_config_ptr ) |
Detect which version of Load Config Directory was used in the given PE.
- Parameters
-
buffer : a buffer containing the PE file in a Virtual format buf_size : size of the buffer ld_config_ptr : pointer to the Load Config Directory within the given PE
- Returns
- detected version of Load Config Directory
Definition at line 20 of file load_config_util.cpp.
◆ get_main_module_via_peb()
| HMODULE peconv::get_main_module_via_peb | ( | ) |
Gets the main module from the current PEB.
- Returns
- the main module connected to the current PEB.
Definition at line 178 of file peb_lookup.cpp.
◆ get_module_size_via_peb()
Gets size of the given module via PEB.
- Parameters
-
hModule : (optional) the base of the module which's size we want to retrieve. If not set, the main module of the current process is used.
- Returns
- the size of the given module.
Definition at line 136 of file peb_lookup.cpp.
◆ get_module_via_peb()
Gets handle to the given module via PEB. A low-level equivalent of GetModuleHandleW.
- Parameters
-
module_name : (optional) the name of the DLL loaded within the current process. If not set, the main module of the current process is used.
- Returns
- the handle of the DLL with given name, or, if the name was not given, the handle of the main module of the current process.
Definition at line 105 of file peb_lookup.cpp.
◆ get_nt_hdr_architecture()
Fetch architecture from the NT headers. Checks for bad pointers.
Definition at line 109 of file pe_hdrs_helper.cpp.
◆ get_nt_hdrs()
Fetch pointer to the NT headers of the PE file. Checks for bad pointers. If buffer_size is set, validates pointers against the buffer size.
Definition at line 10 of file pe_hdrs_helper.cpp.
◆ get_nt_hdrs32()
| IMAGE_NT_HEADERS32 * peconv::get_nt_hdrs32 | ( | IN const BYTE * | pe_buffer | ) |
Wrapper for get_nt_headers. Automatically detects if the PE is 32 bit - if not, returns null pointer.
Definition at line 51 of file pe_hdrs_helper.cpp.
◆ get_nt_hdrs64()
| IMAGE_NT_HEADERS64 * peconv::get_nt_hdrs64 | ( | IN const BYTE * | pe_buffer | ) |
Wrapper for get_nt_headers. Automatically detects if the PE is 64 bit - if not, returns null pointer.
Definition at line 64 of file pe_hdrs_helper.cpp.
◆ get_ntdll_hndl()
| HMODULE peconv::get_ntdll_hndl | ( | ) |
◆ get_optional_hdr()
Fetches optional header of the PE. Validates pointers against buffer size.
Definition at line 288 of file pe_hdrs_helper.cpp.
◆ get_process_id()
◆ get_remote_image_size()
Retrieve the Image Size saved in the header of the remote PE.
- Parameters
-
processHandle : process from where we are reading start_addr : a base address of the PE within the given process
Definition at line 379 of file remote_pe_reader.cpp.
◆ get_remote_pe_section()
| peconv::UNALIGNED_BUF peconv::get_remote_pe_section | ( | HANDLE | processHandle, |
| LPVOID | moduleBase, | ||
| const size_t | sectionNum, | ||
| OUT size_t & | sectionSize, | ||
| bool | roundup, | ||
| bool | force_access = false ) |
Reads a PE section with a given number (sectionNum) from the remote module within the given process. The buffer of appropriate size is automatically allocated. After use, it should be freed by the function free_unaligned. The size of the buffer is writen into sectionSize.
- Parameters
-
processHandle : the handle to the remote process moduleBase : the base address of the module sectionNum : number of the section to be read sectionSize : the size of the read section (output) roundup : if set, the section size is roundup to the alignment unit force_access : if this flag is set, in case if the region is inaccassible (PAGE_NOACCESS) it will try to force the the read by changing the permissions, and applying the old ones back after reading. WARNING: force_access should be used only on a suspended process, or a process relection, otherwise it may cause instability.
- Returns
- a buffer containing a copy of the section.
Definition at line 291 of file remote_pe_reader.cpp.
◆ get_sec_alignment()
Fetch section aligmenent from headers. Depending on the flag, it fetches either Raw Alignment or Virtual Alignment.
Definition at line 519 of file pe_hdrs_helper.cpp.
◆ get_section_hdr()
| PIMAGE_SECTION_HEADER peconv::get_section_hdr | ( | IN const BYTE * | pe_buffer, |
| IN const size_t | buffer_size, | ||
| IN size_t | section_num ) |
Gets pointer to the section header of the given number.
Definition at line 343 of file pe_hdrs_helper.cpp.
◆ get_sections_count()
Get number of sections from the File Header. It does not validate if this the actual number.
Definition at line 319 of file pe_hdrs_helper.cpp.
◆ get_subsystem()
Get the PE subsystem from the header.
Definition at line 455 of file pe_hdrs_helper.cpp.
◆ get_type_directory()
| IMAGE_TYPE_DIRECTORY * peconv::get_type_directory | ( | IN HMODULE | modulePtr, |
| IN DWORD | dir_id ) |
Get pointer to the Data Directory content of the given number. Automatically cast to the chosen type.
Definition at line 87 of file pe_hdrs_helper.h.
◆ get_virtual_sec_size()
| DWORD peconv::get_virtual_sec_size | ( | IN const BYTE * | pe_hdr, |
| IN const PIMAGE_SECTION_HEADER | sec_hdr, | ||
| IN bool | rounded ) |
Get size of virtual section from the headers (optionaly rounds it up to the Virtual Alignment)
Definition at line 546 of file pe_hdrs_helper.cpp.
◆ has_relocations()
Check if the PE has relocations Data Directory.
Definition at line 473 of file pe_hdrs_helper.cpp.
◆ has_valid_import_table()
Checks if the given PE has a valid import table.
Definition at line 330 of file imports_loader.cpp.
◆ has_valid_relocation_table()
Checks if the given PE has a valid relocations table.
- Parameters
-
modulePtr : a buffer containing the PE to be checked moduleSize : the size of the given PE buffer
Definition at line 185 of file relocate.cpp.
◆ is64bit()
Wrapper for get_nt_hdr_architecture. Returns true if the PE file is 64 bit.
Definition at line 121 of file pe_hdrs_helper.cpp.
◆ is_bad_read_ptr()
Verifies that the calling process has read access to the specified range of memory.
- Parameters
-
areaStart : A pointer to the first byte of the memory block areaSize : The size of the memory block, in bytes. If this parameter is zero, the return value is true (bad pointer).
Definition at line 150 of file util.cpp.
◆ is_dot_net()
Check if the module is a .NET executable
Definition at line 402 of file pe_hdrs_helper.cpp.
◆ is_mem_accessible()
Verifies if the calling process has a defined access to the specified continuous range of memory, defined by areaStart and areaSize. If the area includes pages that are not commited, or pages with access rights PAGE_GUARD | PAGE_NOACCESS, it is treated as inaccessible.
- Parameters
-
areaStart : A pointer to the first byte of the memory block areaSize : The size of the memory block, in bytes. If this parameter is zero, the return value is false. accessRights : The access rights to be checked
Definition at line 110 of file util.cpp.
◆ is_module_dll()
Check if the module is a DLL (basing on the Characteristcs in the header).
Definition at line 395 of file pe_hdrs_helper.cpp.
◆ is_ordinal_string()
Check if the given string is in a format typical for storing ordinals (#[ordinal])
Definition at line 82 of file exported_func.cpp.
◆ is_padding()
◆ is_pe_expanded()
checks if the PE has sections that were unpacked/expanded in the memory
Definition at line 163 of file pe_mode_detector.cpp.
◆ is_pe_raw()
check if the PE in the memory is in raw format
Definition at line 143 of file pe_mode_detector.cpp.
◆ is_pe_raw_eq_virtual()
check if Virtual section addresses are identical to Raw addresses (i.e. if the PE was realigned)
Definition at line 99 of file pe_mode_detector.cpp.
◆ is_pointer_in_ntdll()
◆ is_section_expanded()
| bool peconv::is_section_expanded | ( | IN const BYTE * | pe_buffer, |
| IN size_t | pe_size, | ||
| IN const PIMAGE_SECTION_HEADER | sec ) |
checks if the given section was unpacked in the memory
Definition at line 177 of file pe_mode_detector.cpp.
◆ is_valid_extension()
◆ is_valid_import_name()
| bool peconv::is_valid_import_name | ( | const PBYTE | modulePtr, |
| const size_t | moduleSize, | ||
| LPSTR | lib_name ) |
Checks if the given lib_name is a valid DLL name. A valid name must contain printable characters. Empty name is also acceptable (may have been erased).
Definition at line 313 of file imports_loader.cpp.
◆ is_valid_sections_hdr_offset()
Checks if the section headers are reachable. It does not validate sections alignment.
Definition at line 328 of file pe_hdrs_helper.cpp.
◆ is_valid_sectons_alignment()
| bool peconv::is_valid_sectons_alignment | ( | IN const BYTE * | buffer, |
| IN const SIZE_T | buffer_size, | ||
| IN bool | is_raw ) |
Walk through sections headers checking if the sections beginnings and sizes are fitting the alignment (Virtual or Raw)
- Parameters
-
buffer : a buffer containing a PE buffer_size : the size of the given buffer is_raw : If true, the Raw alignment is checked. If false, the Virtual alignment is checked.
Definition at line 611 of file pe_hdrs_helper.cpp.
◆ list_tls_callbacks()
| size_t peconv::list_tls_callbacks | ( | IN PVOID | modulePtr, |
| IN size_t | moduleSize, | ||
| OUT std::vector< ULONGLONG > & | tls_callbacks ) |
A function listing RVAs of all TLS callbacks that are present in the given module.
- Parameters
-
modulePtr : pointer to the buffer with the PE in a Virtual format, relocated to the load base moduleSize : size of the given module (if 0 given, the imageSize from the PE headers will be used) tls_callbacks : a vector of TLS callbacks addresses (as given in the TLS table)
- Returns
- number of TLS callbacks added to the list
Definition at line 52 of file tls_parser.cpp.
◆ load_delayed_imports()
| bool peconv::load_delayed_imports | ( | BYTE * | modulePtr, |
| const ULONGLONG | moduleBase, | ||
| t_function_resolver * | func_resolver = nullptr ) |
Fill the Delayload Imports in the given module.
- Parameters
-
modulePtr : the pointer to the module where the imports needs to be filled. moduleBase : the base to which the module was relocated, it may (or not) be the same as modulePtr func_resolver : the resolver that will be used for loading the imports
- Returns
- : true if resolving all succeeded, false otherwise
Definition at line 101 of file delayed_imports_loader.cpp.
◆ load_file()
| peconv::ALIGNED_BUF peconv::load_file | ( | IN LPCTSTR | filename, |
| OUT size_t & | r_size ) |
Maps a file with the given path and copies its raw content into the output buffer. If read_size is not zero, it reads maximum read_size of bytes. If read_size is zero, it reads the full file. The actual read size is returned back in read_size. Automatically allocates a buffer of the required size.
Definition at line 11 of file file_util.cpp.
◆ load_imports()
| bool peconv::load_imports | ( | BYTE * | modulePtr, |
| t_function_resolver * | func_resolver = nullptr ) |
Fills imports of the given PE with the help of the defined functions resolver.
- Parameters
-
modulePtr : a pointer to the loded PE (in virtual format) func_resolver : a resolver that will be used to fill the thunk of the import
- Returns
- : true if loading all functions succeeded, false otherwise
Definition at line 288 of file imports_loader.cpp.
◆ load_no_sec_pe()
◆ load_pe_executable() [1/2]
| BYTE * peconv::load_pe_executable | ( | BYTE * | payload_raw, |
| size_t | r_size, | ||
| OUT size_t & | v_size, | ||
| t_function_resolver * | import_resolver = NULL ) |
Loads full PE from the raw buffer in a way in which it can be directly executed: remaps to virual format, applies relocations, loads imports. Allows for supplying custom function resolver.
Definition at line 80 of file pe_loader.cpp.
◆ load_pe_executable() [2/2]
| BYTE * peconv::load_pe_executable | ( | LPCTSTR | filename, |
| OUT size_t & | v_size, | ||
| t_function_resolver * | import_resolver = NULL ) |
Loads full PE from file in a way in which it can be directly executed: remaps to virtual format, applies relocations, loads imports. Allows for supplying custom function resolver.
Definition at line 104 of file pe_loader.cpp.
◆ load_pe_module() [1/2]
| BYTE * peconv::load_pe_module | ( | BYTE * | payload_raw, |
| size_t | r_size, | ||
| OUT size_t & | v_size, | ||
| bool | executable, | ||
| bool | relocate ) |
Reads PE from the given buffer into memory and maps it into virtual format. (Automatic raw to virtual conversion). If the executable flag is true, the PE file is loaded into executable memory. If the relocate flag is true, applies relocations. Does not load imports. Automatically allocates buffer of the needed size (the size is returned in outputSize). The buffer can be freed by the function free_pe_buffer.
Definition at line 34 of file pe_loader.cpp.
◆ load_pe_module() [2/2]
| BYTE * peconv::load_pe_module | ( | LPCTSTR | filename, |
| OUT size_t & | v_size, | ||
| bool | executable, | ||
| bool | relocate ) |
Reads PE from the given file into memory and maps it into vitual format. (Automatic raw to virtual conversion). If the executable flag is true, the PE file is loaded into executable memory. If the relocate flag is true, applies relocations. Does not load imports. Automatically allocates buffer of the needed size (the size is returned in outputSize). The buffer can be freed by the function free_pe_buffer.
Definition at line 65 of file pe_loader.cpp.
◆ load_resource_data()
| peconv::ALIGNED_BUF peconv::load_resource_data | ( | OUT size_t & | out_size, |
| const int | res_id, | ||
| const LPSTR | res_type = RT_RCDATA_A, | ||
| HMODULE | hInstance = nullptr ) |
Maps a resource with the given id + type and copies its raw content into the output buffer. If out_size is not zero, it reads maximum out_size of bytes. If out_size is zero, it reads the full resource. The actual read size is returned back in out_size. Automatically allocates a buffer of the required size. If hInstance is NULL, it search the resource in the current module. Otherwise, it search in the given module.
Definition at line 17 of file resource_util.cpp.
◆ nt_protect()
◆ ordinal_string_to_val()
Get the ordinal value from the ordinal string (in a format #[ordinal])
Definition at line 88 of file exported_func.cpp.
◆ ordinal_to_string()
| std::string peconv::ordinal_to_string | ( | DWORD | func_ordinal | ) |
Convert ordinal value to the ordinal string (in a format #[ordinal])
Definition at line 74 of file exported_func.cpp.
◆ parse_resources()
| bool peconv::parse_resources | ( | BYTE * | modulePtr, |
| t_on_res_entry_found | on_entry ) |
A function walking through the Resource Tree of the given PE. On each Resource Entry found, the callback is executed.
- Parameters
-
modulePtr : pointer to the buffer with the PE in a Virtual format on_entry : a callback function executed on each Resource Entry
Definition at line 78 of file resource_parser.cpp.
◆ pe_raw_to_virtual()
| BYTE * peconv::pe_raw_to_virtual | ( | IN const BYTE * | rawPeBuffer, |
| IN size_t | rawPeSize, | ||
| OUT size_t & | outputSize, | ||
| IN OPTIONAL bool | executable = true, | ||
| IN OPTIONAL ULONGLONG | desired_base = 0 ) |
Converts a raw PE supplied in a buffer to a virtual format. If the executable flag is true (default), the PE file is loaded into executable memory. Does not apply relocations. Does not load imports. Automatically allocates buffer of the needed size (the size is returned in outputSize). The buffer can be freed by the function free_pe_module. If the desired_base is defined (0 by default), it enforces allocation at the particular base.
Definition at line 97 of file pe_raw_to_virtual.cpp.
◆ pe_realign_raw_to_virtual()
◆ pe_virtual_to_raw()
| BYTE * peconv::pe_virtual_to_raw | ( | IN BYTE * | payload, |
| IN size_t | in_size, | ||
| IN ULONGLONG | loadBase, | ||
| OUT size_t & | outputSize, | ||
| IN OPTIONAL bool | rebuffer = true ) |
Maps virtual image of PE to into raw. Automaticaly applies relocations. Automatically allocates buffer of the needed size (the size is returned in outputSize).
- Parameters
-
payload : the PE in the Virtual format that needs to be converted into the Raw format in_size : size of the input buffer (the PE in the Virtual format) loadBase : the base to which the given PE was relocated outputSize : the size of the output buffer (the PE in the Raw format) rebuffer : if set (default), the input buffer is rebuffered and the original buffer is not modified.
- Returns
- a buffer of the outputSize, containing the Raw PE. The buffer can be freed by the function free_pe_module.
Definition at line 119 of file pe_virtual_to_raw.cpp.
◆ process_import_table()
| bool peconv::process_import_table | ( | IN BYTE * | modulePtr, |
| IN SIZE_T | moduleSize, | ||
| IN ImportThunksCallback * | callback ) |
Process the given PE's import table and execute the callback each time when the new imported function was found
- Parameters
-
modulePtr : a pointer to the loded PE (in virtual format) moduleSize : a size of the supplied PE callback : a callback that will be executed to process each imported function
- Returns
- : true if processing succeeded, false otherwise
Definition at line 269 of file imports_loader.cpp.
◆ process_relocation_table()
◆ read_dll_name()
Read the DLL name from the Export Table.
Definition at line 181 of file exports_lookup.cpp.
◆ read_from_file()
Reads a raw content of the file with the given path. If read_size is not zero, it reads maximum read_size of bytes. If read_size is zero, it reads the full file. The actual read size is returned back in read_size. Automatically allocates a buffer of the required size.
Definition at line 65 of file file_util.cpp.
◆ read_remote_area()
| size_t peconv::read_remote_area | ( | HANDLE | processHandle, |
| LPVOID | start_addr, | ||
| OUT BYTE * | buffer, | ||
| const size_t | buffer_size, | ||
| const bool | force_access, | ||
| const SIZE_T | minimal_size = 0x100 ) |
Reads a full memory area within a given process, starting at the start_addr, till the buffer_size is exceeded. The memory area can consist of multiple regions with various access rights. In case if the region is inaccessible, if the flag force_access was set, it tries to force the access by temporarly changing the permissions. On read failure the region is skipped, and the read is moving to the next one, leaving in the output buffer an empty space of the region size. Requires a handle with privilege PROCESS_QUERY_INFORMATION. In order for force_access to work, PROCESS_VM_OPERATION is additionally required. step_size is passed to the underlying read_remote_memory.
- Parameters
-
processHandle : handle of the process where the memory of interest belongs start_addr : the address within the remote process to start reading from buffer : the buffer where the read data will be stored buffer_size : the size of the buffer force_access : if this flag is set, in case if the region is inaccassible (PAGE_NOACCESS) it will try to force the the read by changing the permissions, and applying the old ones back after reading. WARNING: force_access should be used only on a suspended process, or a process relection, otherwise it may cause instability. minimal_size : the minimal size that has to be read in order to consider the read successful (passed to read_remote_memory)
- Returns
- the number of bytes successfuly read
Definition at line 203 of file remote_pe_reader.cpp.
◆ read_remote_memory()
| size_t peconv::read_remote_memory | ( | HANDLE | processHandle, |
| LPVOID | start_addr, | ||
| OUT BYTE * | buffer, | ||
| const size_t | buffer_size, | ||
| const SIZE_T | minimal_size = 0x100 ) |
Wrapper over ReadProcessMemory. Requires a handle with privilege PROCESS_VM_READ. If reading of the full buffer_size was not possible, it will keep trying to read a smaller chunk, decreasing requested size on each attempt, till the minimal_size is reached (it is a workaround for errors such as FAULTY_HARDWARE_CORRUPTED_PAGE). Returns how many bytes were successfuly read.
- Parameters
-
processHandle : handle of the process where the memory of interest belongs start_addr : the address within the remote process to start reading from buffer : the buffer where the read data will be stored buffer_size : the size of the buffer, and the size that will be attempted to read minimal_size : the minimal size that has to be read in order to consider the read successful
- Returns
- the number of bytes successfuly read
Definition at line 106 of file remote_pe_reader.cpp.
◆ read_remote_pe()
| size_t peconv::read_remote_pe | ( | const HANDLE | processHandle, |
| LPVOID | moduleBase, | ||
| const size_t | moduleSize, | ||
| OUT BYTE * | buffer, | ||
| const size_t | bufferSize ) |
Reads PE file from the remote process into the supplied buffer. It expects the module base and size to be given.
Definition at line 325 of file remote_pe_reader.cpp.
◆ read_remote_pe_header()
| bool peconv::read_remote_pe_header | ( | HANDLE | processHandle, |
| LPVOID | moduleBase, | ||
| OUT BYTE * | buffer, | ||
| const size_t | bufferSize, | ||
| bool | force_access = false ) |
Reads a PE header of the remote module within the given process. Requires a valid output buffer to be supplied (buffer).
- Parameters
-
processHandle : handle of the process where the memory of interest belongs moduleBase : the base address of the module within the remote process buffer : the buffer where the read data will be stored buffer_size : the size of the buffer force_access : if this flag is set, in case if the region is inaccassible (PAGE_NOACCESS) it will try to force the the read by changing the permissions, and applying the old ones back after reading. WARNING: force_access should be used only on a suspended process, or a process relection, otherwise it may cause instability.
Definition at line 250 of file remote_pe_reader.cpp.
◆ read_remote_region()
| size_t peconv::read_remote_region | ( | HANDLE | processHandle, |
| LPVOID | start_addr, | ||
| OUT BYTE * | buffer, | ||
| const size_t | buffer_size, | ||
| const bool | force_access, | ||
| const SIZE_T | minimal_size = 0x100 ) |
Reads a single memory region (continuous, with the same access rights) within a given process, starting at the start_addr. In case if it is inaccessible, if the flag force_access was set, it tries to force the access by temporarly changing the permissions. Requires a handle with privilege PROCESS_QUERY_INFORMATION. In order for force_access to work, PROCESS_VM_OPERATION is additionally required. step_size is passed to the underlying read_remote_memory.
- Parameters
-
processHandle : handle of the process where the memory of interest belongs start_addr : the address within the remote process to start reading from buffer : the buffer where the read data will be stored buffer_size : the size of the buffer force_access : if this flag is set, in case if the region is inaccassible (PAGE_NOACCESS) it will try to force the the read by changing the permissions, and applying the old ones back after reading. WARNING: force_access should be used only on a suspended process, or a process relection, otherwise it may cause instability. minimal_size : the minimal size that has to be read in order to consider the read successful (passed to read_remote_memory)
- Returns
- the number of bytes successfuly read
Definition at line 150 of file remote_pe_reader.cpp.
◆ redirect_to_local()
| size_t peconv::redirect_to_local | ( | void * | ptr, |
| void * | new_function_ptr, | ||
| PatchBackup * | backup = nullptr ) |
Installs inline hook at the given ptr. Returns the number of bytes overwriten. Uses bitness of the current applications for the bitness of the intalled hook.
- Parameters
-
ptr : pointer to the function to be replaced new_function_ptr : pointer to the new function backup : (optional) backup that can be used to reverse the changes
- Returns
- size of the applied patch
Definition at line 177 of file hooks.cpp.
◆ redirect_to_local32()
| size_t peconv::redirect_to_local32 | ( | void * | ptr, |
| DWORD | new_offset, | ||
| PatchBackup * | backup = nullptr ) |
Installs inline hook at the given ptr. Returns the number of bytes overwriten. 32 bit version.
- Parameters
-
ptr : pointer to the function to be replaced new_offset : VA of the new function backup : (optional) backup that can be used to reverse the changes
- Returns
- size of the applied patch
Definition at line 142 of file hooks.cpp.
◆ redirect_to_local64()
| size_t peconv::redirect_to_local64 | ( | void * | ptr, |
| ULONGLONG | new_offset, | ||
| PatchBackup * | backup = nullptr ) |
Installs inline hook at the given ptr. Returns the number of bytes overwriten. 64 bit version.
- Parameters
-
ptr : pointer to the function to be replaced new_offset : VA of the new function backup : (optional) backup that can be used to reverse the changes
- Returns
- size of the applied patch
Definition at line 107 of file hooks.cpp.
◆ relocate_module()
| bool peconv::relocate_module | ( | IN BYTE * | modulePtr, |
| IN SIZE_T | moduleSize, | ||
| IN ULONGLONG | newBase, | ||
| IN ULONGLONG | oldBase = 0 ) |
Applies relocations on the PE in virtual format. Relocates it from the old base given to the new base given. If 0 was supplied as the old base, it assumes that the old base is the ImageBase given in the header.
- Parameters
-
modulePtr : a buffer containing the PE to be relocated moduleSize : the size of the given PE buffer newBase : a base to which the PE should be relocated oldBase : a base to which the PE is currently relocated (if not set, the imageBase from the header will be used)
Definition at line 158 of file relocate.cpp.
◆ remove_module_extension()
◆ replace_target()
◆ roundup_to_unit()
◆ run_tls_callbacks()
| size_t peconv::run_tls_callbacks | ( | IN PVOID | modulePtr, |
| IN size_t | moduleSize = 0, | ||
| IN DWORD | dwReason = DLL_PROCESS_ATTACH ) |
A function running all the TLS callbacks that are present in the given module, one by one.
- Parameters
-
modulePtr : pointer to the buffer with the PE in a Virtual format, relocated to the load base moduleSize : size of the given module (if 0 given, the imageSize from the PE headers will be used) dwReason : a parameter (dwReason) that will be passed to the callback function
- Returns
- number of TLS callbacks executed
Definition at line 84 of file tls_parser.cpp.
◆ set_main_module_in_peb()
Sets the given module as the main module in the current PEB.
- Parameters
-
hModule : the module to be connected to the current PEB.
- Returns
- true if succeeded, false if failed
Definition at line 167 of file peb_lookup.cpp.
◆ set_sec_alignment()
Change section aligmenent in headers. Depending on the flag, it sets either Raw Alignment or Virtual Alignment.
Definition at line 531 of file pe_hdrs_helper.cpp.
◆ set_subsystem()
Set the PE subsystem in the header.
Definition at line 436 of file pe_hdrs_helper.cpp.
◆ update_entry_point_rva()
Change the Entry Point RVA in the Optional Header to the given one.
Definition at line 190 of file pe_hdrs_helper.cpp.
◆ update_image_base()
Change the Image Base in Optional Header to the given one.
Definition at line 226 of file pe_hdrs_helper.cpp.
◆ update_image_size()
Change the Image Size in Optional Header to the given one.
Definition at line 93 of file pe_hdrs_helper.cpp.
◆ validate_ptr()
| bool peconv::validate_ptr | ( | IN const void * | buffer_bgn, |
| IN size_t | buffer_size, | ||
| IN const void * | field_bgn, | ||
| IN size_t | field_size ) |
Validates pointers, checks if the particular field is inside the given buffer. Sizes must be given in bytes.
- Parameters
-
buffer_bgn : the start address of the buffer buffer_size : the size of the buffer field_bgn : the start address of the field field_size : the size of the field
- Returns
- true if the field (defined by its start address: field_bgn, and size: field_size) is contained within the given buffer (defined by its start address: buffer_bgn, and size: buffer_size). false otherwise
Definition at line 9 of file buffer_util.cpp.
◆ virtual_addr_to_rva()
| bool peconv::virtual_addr_to_rva | ( | IN const ULONGLONG | imgBase, |
| IN const DWORD | imgSize, | ||
| IN ULONGLONG | virtualAddr, | ||
| OUT DWORD & | outRVA ) |
A helper function, normalizing virtual addresses. It automatically detects if the given virtual address is VA or RVA, and converts it into RVA
- Parameters
-
imgBase : the base address to which the module was relocated imgSize : the size of the image virtualAddr : the virtual address (RVA or VA) that we want to convert (within the module described by imgBase and imgSize) outRVA : the output of the conversion (RVA)
- Returns
- true if the conversion was successful, false otherwise
Definition at line 35 of file tls_parser.cpp.
Variable Documentation
◆ g_kernel32Hndl
◆ g_ntdllHndl
◆ MAX_HEADER_SIZE
Maximal size of the PE header.
Definition at line 19 of file pe_hdrs_helper.h.
◆ RT_RCDATA_A
| const LPSTR peconv::RT_RCDATA_A = MAKEINTRESOURCEA(10) |
Definition at line 13 of file resource_util.h.
