libpeconv/pe__dumper_8cpp_source.html

#include "peconv/pe_dumper.h"


#include "peconv/pe_hdrs_helper.h"

#include "peconv/pe_virtual_to_raw.h"

#include "peconv/fix_imports.h"

#include "peconv/file_util.h"

#include "peconv/pe_mode_detector.h"

#include "fix_dot_net_ep.h"


#include <iostream>


using namespace peconv;


t_pe_dump_mode peconv::detect_dump_mode(IN const BYTE* buffer, IN size_t mod_size)

{

    const t_pe_dump_mode default_mode = peconv::PE_DUMP_UNMAP;

    if (peconv::is_pe_raw(buffer, mod_size)) {

        return peconv::PE_DUMP_VIRTUAL;

    }

    if (peconv::is_pe_expanded(buffer, mod_size)) {

        return peconv::PE_DUMP_REALIGN;

    }

    return default_mode;

}


bool peconv::dump_pe(

    IN LPCTSTR out_path,

    IN OUT BYTE *buffer, IN size_t mod_size,

    IN const ULONGLONG start_addr,

    IN OUT t_pe_dump_mode &dump_mode,

    IN OPTIONAL const peconv::ExportsMapper* exportsMap

)

{

    // if the exportsMap is supplied, attempt to recover the (destroyed) import table:

    if (exportsMap != nullptr) {

        if (!peconv::fix_imports(buffer, mod_size, *exportsMap, NULL)) {

            std::cerr << "[-] Unable to fix imports!" << std::endl;

        }

    }

    if (dump_mode == PE_DUMP_AUTO || dump_mode >= PE_DUMP_MODES_COUNT) {

        dump_mode = detect_dump_mode(buffer, mod_size);

    }


    BYTE* dump_data = buffer;

    size_t dump_size = mod_size;

    size_t out_size = 0;

    BYTE* unmapped_module = nullptr;


    if (dump_mode == peconv::PE_DUMP_UNMAP || dump_mode == peconv::PE_DUMP_REALIGN) {

        //if the image base in headers is invalid, set the current base and prevent from relocating PE:

        if (peconv::get_image_base(buffer) == 0) {

            peconv::update_image_base(buffer, (ULONGLONG)start_addr);

        }

        if (is_dot_net(buffer, mod_size)) {

            fix_dot_net_ep(buffer, mod_size);

        }

        if (dump_mode == peconv::PE_DUMP_UNMAP) {

            unmapped_module = pe_virtual_to_raw(buffer, mod_size, (ULONGLONG)start_addr, out_size, false);

        }

        else if (dump_mode == peconv::PE_DUMP_REALIGN) {

            unmapped_module = peconv::pe_realign_raw_to_virtual(buffer, mod_size, (ULONGLONG)start_addr, out_size);

        }

        // unmap the PE file (convert from the Virtual Format into Raw Format)

        if (unmapped_module) {

            dump_data = unmapped_module;

            dump_size = out_size;

        }

    }

    // save the read module into a file

    const bool is_dumped = dump_to_file(out_path, dump_data, dump_size);


    peconv::free_pe_buffer(unmapped_module, mod_size);

    return is_dumped;

}


peconv::ExportsMapper
Definition exports_mapper.h:61

parse_delayed_desc
bool parse_delayed_desc(BYTE *modulePtr, const size_t moduleSize, const ULONGLONG img_base, LPSTR lib_name, const T_FIELD ordinal_flag, IMAGE_DELAYLOAD_DESCRIPTOR *desc, peconv::t_function_resolver *func_resolver)
Definition delayed_imports_loader.cpp:26

file_util.h
Functions related to operations on files. Wrappers for read/write.

fix_dot_net_ep
bool fix_dot_net_ep(BYTE *pe_buffer, size_t pe_buffer_size)
Definition fix_dot_net_ep.cpp:99

fix_dot_net_ep.h

fix_imports.h
Functions and classes responsible for fixing Import Table. A definition of ImportedDllCoverage class.

peconv
Definition buffer_util.h:15

peconv::dump_to_file
bool dump_to_file(IN LPCTSTR path, IN PBYTE dump_data, IN size_t dump_size)
Definition file_util.cpp:101

peconv::is_dot_net
bool is_dot_net(BYTE *pe_buffer, size_t pe_buffer_size)
Definition pe_hdrs_helper.cpp:402

peconv::is_pe_raw
bool is_pe_raw(IN const BYTE *pe_buffer, IN size_t pe_size)
Definition pe_mode_detector.cpp:143

peconv::update_image_base
bool update_image_base(IN OUT BYTE *payload, IN ULONGLONG destImageBase)
Definition pe_hdrs_helper.cpp:226

peconv::fix_imports
bool fix_imports(IN OUT PVOID modulePtr, IN size_t moduleSize, IN const peconv::ExportsMapper &exportsMap, OUT OPTIONAL peconv::ImpsNotCovered *notCovered)
Definition fix_imports.cpp:216

peconv::get_image_base
ULONGLONG get_image_base(IN const BYTE *pe_buffer)
Definition pe_hdrs_helper.cpp:152

peconv::pe_virtual_to_raw
BYTE * pe_virtual_to_raw(IN BYTE *payload, IN size_t in_size, IN ULONGLONG loadBase, OUT size_t &outputSize, IN OPTIONAL bool rebuffer=true)
Definition pe_virtual_to_raw.cpp:119

peconv::t_pe_dump_mode
t_pe_dump_mode
Definition pe_dumper.h:16

peconv::PE_DUMP_REALIGN
@ PE_DUMP_REALIGN
Definition pe_dumper.h:20

peconv::PE_DUMP_MODES_COUNT
@ PE_DUMP_MODES_COUNT
Definition pe_dumper.h:21

peconv::PE_DUMP_UNMAP
@ PE_DUMP_UNMAP
Definition pe_dumper.h:19

peconv::PE_DUMP_AUTO
@ PE_DUMP_AUTO
Definition pe_dumper.h:17

peconv::PE_DUMP_VIRTUAL
@ PE_DUMP_VIRTUAL
Definition pe_dumper.h:18

peconv::free_pe_buffer
bool free_pe_buffer(ALIGNED_BUF buffer, size_t buffer_size=0)
Definition buffer_util.cpp:88

peconv::detect_dump_mode
t_pe_dump_mode detect_dump_mode(IN const BYTE *buffer, IN size_t buffer_size)
Definition pe_dumper.cpp:14

peconv::is_pe_expanded
bool is_pe_expanded(IN const BYTE *pe_buffer, IN size_t pe_size)
Definition pe_mode_detector.cpp:163

peconv::dump_pe
bool dump_pe(IN LPCTSTR outputFilePath, IN OUT BYTE *buffer, IN size_t buffer_size, IN const ULONGLONG module_base, IN OUT t_pe_dump_mode &dump_mode, IN OPTIONAL const peconv::ExportsMapper *exportsMap=nullptr)
Definition pe_dumper.cpp:26

peconv::pe_realign_raw_to_virtual
BYTE * pe_realign_raw_to_virtual(IN const BYTE *payload, IN size_t in_size, IN ULONGLONG loadBase, OUT size_t &outputSize)
Definition pe_virtual_to_raw.cpp:173

pe_dumper.h
Dumping PE from the memory buffer into a file.

pe_hdrs_helper.h
Wrappers over various fields in the PE header. Read, write, parse PE headers.

pe_mode_detector.h
Detecting in which mode is the PE in the supplied buffer (i.e. raw, virtual). Analyzes PE features ty...

pe_virtual_to_raw.h
Converting PE from virtual to raw format.