libpeconv/pe__loader_8cpp_source.html

#include "peconv/pe_loader.h"


#include "peconv/relocate.h"

#include "peconv/imports_loader.h"

#include "peconv/buffer_util.h"

#include "peconv/function_resolver.h"

#include "peconv/exports_lookup.h"


#include <tchar.h>

#include <iostream>


using namespace peconv;


namespace peconv {


    BYTE* load_no_sec_pe(BYTE* dllRawData, size_t r_size, OUT size_t &v_size, bool executable)

    {

        ULONGLONG desired_base = 0;

        size_t out_size = (r_size < PAGE_SIZE) ? PAGE_SIZE : r_size;

        if (executable) {

            desired_base = get_image_base(dllRawData);

            out_size = peconv::get_image_size(dllRawData);

        }

        DWORD protect = (executable) ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;

        BYTE* mappedPE = peconv::alloc_pe_buffer(out_size, protect, desired_base);

        if (!mappedPE) {

            return NULL;

        }

        memcpy(mappedPE, dllRawData, r_size);

        v_size = out_size;

        return mappedPE;

    }


};


BYTE* peconv::load_pe_module(BYTE* dllRawData, size_t r_size, OUT size_t &v_size, bool executable, bool relocate)

{

    if (!peconv::get_nt_hdrs(dllRawData, r_size)) {

        return NULL;

    }

    if (peconv::get_sections_count(dllRawData, r_size) == 0) {

        return load_no_sec_pe(dllRawData, r_size, v_size, executable);

    }

    // by default, allow to load the PE at any base:

    ULONGLONG desired_base = NULL;

    // if relocating is required, but the PE has no relocation table...

    if (relocate && !has_relocations(dllRawData)) {

        // ...enforce loading the PE image at its default base (so that it will need no relocations)

        desired_base = get_image_base(dllRawData);

    }

    // load a virtual image of the PE file at the desired_base address (random if desired_base is NULL):

    BYTE *mappedDLL = pe_raw_to_virtual(dllRawData, r_size, v_size, executable, desired_base);

    if (mappedDLL) {

        //if the image was loaded at its default base, relocate_module will return always true (because relocating is already done)

        if (relocate && !relocate_module(mappedDLL, v_size, (ULONGLONG)mappedDLL)) {

            // relocating was required, but it failed - thus, the full PE image is useless

            std::cerr << "[!] Could not relocate the module!\n";

            free_pe_buffer(mappedDLL, v_size);

            mappedDLL = NULL;

        }

    } else {

        std::cerr << "[!] Could not allocate memory at the desired base!\n";

    }

    return mappedDLL;

}


BYTE* peconv::load_pe_module(LPCTSTR filename, OUT size_t &v_size, bool executable, bool relocate)

{

    size_t r_size = 0;

    BYTE *dllRawData = load_file(filename, r_size);

    if (!dllRawData) {

#ifdef _DEBUG

        std::cerr << "Cannot load the file: " << filename << std::endl;

#endif

        return NULL;

    }

    BYTE* mappedPE = load_pe_module(dllRawData, r_size, v_size, executable, relocate);

    free_file(dllRawData);

    return mappedPE;

}


BYTE* peconv::load_pe_executable(BYTE* dllRawData, size_t r_size, OUT size_t &v_size, t_function_resolver* import_resolver)

{

    BYTE* loaded_pe = load_pe_module(dllRawData, r_size, v_size, true, true);

    if (!loaded_pe) {

        std::cerr << "[-] Loading failed!\n";

        return NULL;

    }

#if _DEBUG

    printf("Loaded at: %p\n", loaded_pe);

#endif

    if (has_valid_import_table(loaded_pe, v_size)) {

        if (!load_imports(loaded_pe, import_resolver)) {

            printf("[-] Loading imports failed!");

            free_pe_buffer(loaded_pe, v_size);

            return NULL;

        }

    }

    else {

        printf("[-] PE doesn't have a valid Import Table!\n");

    }

    return loaded_pe;

}


BYTE* peconv::load_pe_executable(LPCTSTR my_path, OUT size_t &v_size, t_function_resolver* import_resolver)

{

#if _DEBUG

    _tprintf(TEXT("Module: %s\n"), my_path);

#endif

    BYTE* loaded_pe = load_pe_module(my_path, v_size, true, true);

    if (!loaded_pe) {

         printf("[-] Loading failed!\n");

        return NULL;

    }

#if _DEBUG

    printf("Loaded at: %p\n", loaded_pe);

#endif

    if (!load_imports(loaded_pe, import_resolver)) {

        printf("[-] Loading imports failed!");

        free_pe_buffer(loaded_pe, v_size);

        return NULL;

    }

    return loaded_pe;

}


buffer_util.h
Definitions of the used buffer types. Functions for their allocation and deallocation.

peconv::t_function_resolver
Definition function_resolver.h:14

parse_delayed_desc
bool parse_delayed_desc(BYTE *modulePtr, const size_t moduleSize, const ULONGLONG img_base, LPSTR lib_name, const T_FIELD ordinal_flag, IMAGE_DELAYLOAD_DESCRIPTOR *desc, peconv::t_function_resolver *func_resolver)
Definition delayed_imports_loader.cpp:26

exports_lookup.h
Searching specific functions in PE's Exports Table.

function_resolver.h
Definitions of basic Imports Resolver classes. They can be used for filling imports when the PE is lo...

imports_loader.h
Parsing and filling the Import Table.

peconv
Definition buffer_util.h:15

peconv::has_relocations
bool has_relocations(IN const BYTE *pe_buffer)
Definition pe_hdrs_helper.cpp:473

peconv::has_valid_import_table
bool has_valid_import_table(const PBYTE modulePtr, size_t moduleSize)
Definition imports_loader.cpp:330

peconv::load_pe_executable
BYTE * load_pe_executable(BYTE *payload_raw, size_t r_size, OUT size_t &v_size, t_function_resolver *import_resolver=NULL)
Definition pe_loader.cpp:80

peconv::load_file
peconv::UNALIGNED_BUF load_file(IN LPCTSTR filename, OUT size_t &r_size)
Definition file_util.cpp:11

peconv::load_no_sec_pe
BYTE * load_no_sec_pe(BYTE *dllRawData, size_t r_size, OUT size_t &v_size, bool executable)
Definition pe_loader.cpp:15

peconv::get_image_base
ULONGLONG get_image_base(IN const BYTE *pe_buffer)
Definition pe_hdrs_helper.cpp:152

peconv::load_pe_module
BYTE * load_pe_module(BYTE *payload_raw, size_t r_size, OUT size_t &v_size, bool executable, bool relocate)
Definition pe_loader.cpp:34

peconv::get_image_size
DWORD get_image_size(IN const BYTE *payload)
Definition pe_hdrs_helper.cpp:77

peconv::free_pe_buffer
bool free_pe_buffer(ALIGNED_BUF buffer, size_t buffer_size=0)
Definition buffer_util.cpp:88

peconv::alloc_pe_buffer
ALIGNED_BUF alloc_pe_buffer(size_t buffer_size, DWORD protect, ULONGLONG desired_base=NULL)
Definition buffer_util.cpp:82

peconv::pe_raw_to_virtual
BYTE * pe_raw_to_virtual(IN const BYTE *rawPeBuffer, IN size_t rawPeSize, OUT size_t &outputSize, IN OPTIONAL bool executable=true, IN OPTIONAL ULONGLONG desired_base=0)
Definition pe_raw_to_virtual.cpp:97

peconv::get_sections_count
size_t get_sections_count(IN const BYTE *buffer, IN const size_t buffer_size)
Definition pe_hdrs_helper.cpp:319

peconv::relocate_module
bool relocate_module(IN BYTE *modulePtr, IN SIZE_T moduleSize, IN ULONGLONG newBase, IN ULONGLONG oldBase=0)
Definition relocate.cpp:158

peconv::free_file
void free_file(IN peconv::UNALIGNED_BUF buffer)
Definition file_util.cpp:127

peconv::get_nt_hdrs
BYTE * get_nt_hdrs(IN const BYTE *pe_buffer, IN OPTIONAL size_t buffer_size=0)
Definition pe_hdrs_helper.cpp:10

peconv::load_imports
bool load_imports(BYTE *modulePtr, t_function_resolver *func_resolver=nullptr)
Definition imports_loader.cpp:288

PAGE_SIZE
#define PAGE_SIZE
Definition pe_hdrs_helper.h:12

pe_loader.h
Loading PE from a file with the help of the custom loader.

relocate.h
Operating on PE file's relocations table.