libpeconv/pe__loader_8cpp_source.html

#include "peconv/pe_loader.h"


#include "peconv/relocate.h"

#include "peconv/imports_loader.h"

#include "peconv/buffer_util.h"

#include "peconv/function_resolver.h"

#include "peconv/exports_lookup.h"


#include "peconv/logger.h"


using namespace peconv;


namespace {

    BYTE* load_no_sec_pe(BYTE* dllRawData, size_t r_size, OUT size_t &v_size, bool executable)

    {

        ULONG_PTR desired_base = 0;

        size_t out_size = (r_size < PAGE_SIZE) ? PAGE_SIZE : r_size;

        if (executable) {

            desired_base = get_image_base(dllRawData);

            out_size = peconv::get_image_size(dllRawData);

        }

        DWORD protect = (executable) ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;

        BYTE* mappedPE = peconv::alloc_pe_buffer(out_size, protect, reinterpret_cast<void*>(desired_base));

        if (!mappedPE) {

            return nullptr;

        }

        memcpy(mappedPE, dllRawData, r_size);

        v_size = out_size;

        return mappedPE;

    }

};


BYTE* peconv::load_pe_module(BYTE* dllRawData, size_t r_size, OUT size_t &v_size, bool executable, bool relocate, ULONG_PTR desired_base)

{

    if (!peconv::get_nt_hdrs(dllRawData, r_size)) {

        return nullptr;

    }

    if (peconv::get_sections_count(dllRawData, r_size) == 0) {

        return load_no_sec_pe(dllRawData, r_size, v_size, executable);

    }

    // by default, allow to load the PE at the supplied base

    // if relocating is required, but the PE has no relocation table...

    if (relocate && !has_relocations(dllRawData)) {

        // ...enforce loading the PE image at its default base (so that it will need no relocations)

        desired_base = get_image_base(dllRawData);

    }

    // load a virtual image of the PE file at the desired_base address (random if desired_base is NULL):

    BYTE *mappedDLL = pe_raw_to_virtual(dllRawData, r_size, v_size, executable, desired_base);

    if (mappedDLL) {

        //if the image was loaded at its default base, relocate_module will return always true (because relocating is already done)

        if (relocate && !relocate_module(mappedDLL, v_size, (ULONGLONG)mappedDLL)) {

            // relocating was required, but it failed - thus, the full PE image is useless

            LOG_ERROR("Could not relocate the module.");

            free_pe_buffer(mappedDLL, v_size);

            mappedDLL = nullptr;

        }

    } else {

        LOG_ERROR("Could not allocate memory at the desired base.");

    }

    return mappedDLL;

}


BYTE* peconv::load_pe_module(LPCTSTR filename, OUT size_t &v_size, bool executable, bool relocate, ULONG_PTR desired_base)

{

    size_t r_size = 0;

    BYTE *dllRawData = load_file(filename, r_size);

    if (!dllRawData) {

        LOG_ERROR("Cannot load the file.");

        return nullptr;

    }

    BYTE* mappedPE = load_pe_module(dllRawData, r_size, v_size, executable, relocate, desired_base);

    free_file(dllRawData);

    return mappedPE;

}


namespace

{

    bool validate_and_load_imports(BYTE* loaded_pe, const size_t v_size, t_function_resolver* import_resolver)

    {

        if (!has_valid_import_table(loaded_pe, v_size)) {

            LOG_WARNING("PE does not have a valid Import Table.");

            return true; // nothing to load, use as is

        }

        if (load_imports(loaded_pe, import_resolver)) {

            return true;

        }

        LOG_ERROR("Loading imports failed.");

        return false;

    }

};


BYTE* peconv::load_pe_executable(BYTE* dllRawData, size_t r_size, OUT size_t &v_size, t_function_resolver* import_resolver, ULONG_PTR desired_base)

{

    BYTE* loaded_pe = load_pe_module(dllRawData, r_size, v_size, true, true, desired_base);

    if (!loaded_pe) {

        LOG_ERROR("Loading failed.");

        return nullptr;

    }

    LOG_DEBUG("Loaded at: %p.", loaded_pe);

    if (!validate_and_load_imports(loaded_pe, v_size, import_resolver)) {

        free_pe_buffer(loaded_pe, v_size);

        return NULL;

    }

    return loaded_pe;

}


BYTE* peconv::load_pe_executable(LPCTSTR my_path, OUT size_t &v_size, t_function_resolver* import_resolver)

{

    BYTE* loaded_pe = load_pe_module(my_path, v_size, true, true);

    if (!loaded_pe) {

        LOG_ERROR("Loading failed.");

        return NULL;

    }

    LOG_DEBUG("Loaded at: %p.", loaded_pe);

    if (!validate_and_load_imports(loaded_pe, v_size, import_resolver)) {

        free_pe_buffer(loaded_pe, v_size);

        return NULL;

    }

    return loaded_pe;

}


buffer_util.h
Definitions of the used buffer types. Functions for their allocation and deallocation.

peconv::t_function_resolver
Definition function_resolver.h:16

exports_lookup.h
Searching specific functions in PE's Exports Table.

function_resolver.h
Definitions of basic Imports Resolver classes. They can be used for filling imports when the PE is lo...

imports_loader.h
Parsing and filling the Import Table.

logger.h

LOG_DEBUG
#define LOG_DEBUG(fmt,...)
Definition logger.h:56

LOG_ERROR
#define LOG_ERROR(fmt,...)
Definition logger.h:36

LOG_WARNING
#define LOG_WARNING(fmt,...)
Definition logger.h:44

peconv
Definition buffer_util.h:15

peconv::has_valid_import_table
bool has_valid_import_table(const PBYTE modulePtr, size_t moduleSize, size_t max_count=0)
Definition imports_loader.cpp:371

peconv::has_relocations
bool has_relocations(IN const BYTE *pe_buffer)
Definition pe_hdrs_helper.cpp:469

peconv::get_image_base
ULONGLONG get_image_base(IN const BYTE *pe_buffer)
Definition pe_hdrs_helper.cpp:150

peconv::alloc_pe_buffer
ALIGNED_BUF alloc_pe_buffer(size_t buffer_size, DWORD protect, void *desired_base=nullptr)
Definition buffer_util.cpp:78

peconv::load_file
peconv::UNALIGNED_BUF load_file(IN LPCTSTR filename, OUT size_t &r_size)
Definition file_util.cpp:9

peconv::get_image_size
DWORD get_image_size(IN const BYTE *payload)
Definition pe_hdrs_helper.cpp:75

peconv::free_pe_buffer
bool free_pe_buffer(ALIGNED_BUF buffer, size_t buffer_size=0)
Definition buffer_util.cpp:84

peconv::load_pe_module
BYTE * load_pe_module(BYTE *payload_raw, size_t r_size, OUT size_t &v_size, bool executable, bool relocate, ULONG_PTR desired_base=0)
Definition pe_loader.cpp:33

peconv::pe_raw_to_virtual
BYTE * pe_raw_to_virtual(IN const BYTE *rawPeBuffer, IN size_t rawPeSize, OUT size_t &outputSize, IN OPTIONAL bool executable=true, IN OPTIONAL ULONG_PTR desired_base=0)
Definition pe_raw_to_virtual.cpp:101

peconv::get_sections_count
size_t get_sections_count(IN const BYTE *buffer, IN const size_t buffer_size)
Definition pe_hdrs_helper.cpp:315

peconv::relocate_module
bool relocate_module(IN BYTE *modulePtr, IN SIZE_T moduleSize, IN ULONGLONG newBase, IN ULONGLONG oldBase=0)
Definition relocate.cpp:164

peconv::free_file
void free_file(IN peconv::UNALIGNED_BUF buffer)
Definition file_util.cpp:120

peconv::get_nt_hdrs
BYTE * get_nt_hdrs(IN const BYTE *pe_buffer, IN OPTIONAL size_t buffer_size=0)
Definition pe_hdrs_helper.cpp:8

peconv::load_pe_executable
BYTE * load_pe_executable(BYTE *payload_raw, size_t r_size, OUT size_t &v_size, t_function_resolver *import_resolver=nullptr, ULONG_PTR desired_base=0)
Definition pe_loader.cpp:92

peconv::load_imports
bool load_imports(BYTE *modulePtr, t_function_resolver *func_resolver=nullptr)
Definition imports_loader.cpp:276

PAGE_SIZE
#define PAGE_SIZE
Definition pe_hdrs_helper.h:12

pe_loader.h
Loading PE from a file with the help of the custom loader.

relocate.h
Operating on PE file's relocations table.