libpeconv/pe__mode__detector_8cpp_source.html

#include "peconv/pe_mode_detector.h"

#include "peconv/util.h"

#include "peconv/imports_loader.h"

#include "peconv/relocate.h"


#include "peconv/logger.h"


// Check if gaps between sections are typical for Virtual Alignment.

// Returns true if confirmed, false if not confirmed. False result can also mean that data was invalid/insufficient to decide.


bool is_virtual_padding(const BYTE* pe_buffer, size_t pe_size)

{

    const size_t r_align = peconv::get_sec_alignment((PBYTE)pe_buffer, true);


    size_t sections_count = peconv::get_sections_count(pe_buffer, pe_size);

    if (sections_count < 2) return false;


    bool is_valid_padding = false;

    for (size_t i = 1; i < sections_count; i += 2) {

        PIMAGE_SECTION_HEADER sec1 = peconv::get_section_hdr(pe_buffer, pe_size, i-1);

        PIMAGE_SECTION_HEADER sec2 = peconv::get_section_hdr(pe_buffer, pe_size, i);

        if (!sec1 || !sec2) continue; //skip if fetching any of the sections failed


        if (sec1->SizeOfRawData == 0) continue; //skip empty sections


        const DWORD sec1_end_offset = sec1->VirtualAddress + sec1->SizeOfRawData;

        if (sec2->VirtualAddress == sec1_end_offset) continue;


        if (sec2->VirtualAddress < sec1_end_offset) {

            //std::cout << "Invalid size of the section: " << std::hex << sec2->VirtualAddress << " vs "<< sec1_end_offset << std::endl;

            return false;

        }

        const size_t diff = sec2->VirtualAddress - sec1_end_offset;

        if (diff < r_align) continue; //to small to determine


        BYTE* sec1_end_ptr = (BYTE*)((ULONGLONG)pe_buffer + sec1_end_offset);

        if (!peconv::validate_ptr((const LPVOID)pe_buffer, pe_size, sec1_end_ptr, diff)) {

            //std::cout << "Invalid pointer to the section\n";

            return false;

        }

        if (peconv::is_padding(sec1_end_ptr, diff, 0)) {

            is_valid_padding = true;

        }

        else {

            return false;

        }

    }

    return is_valid_padding;

}


// Check if the gap between the end of headers and the first section is typical for Virtual Alignment.

// Returns true if confirmed, false if not confirmed. False result can also mean that data was invalid/insufficient to decide.


bool is_hdr_virtual_align(const BYTE* pe_buffer, size_t pe_size)

{

    const size_t v_align = peconv::get_sec_alignment((PBYTE)pe_buffer, false);

    if (peconv::get_hdrs_size(pe_buffer) >= v_align) {

        //undetermined for such case

        return false;

    }

    //walk through sections and check their sizes

    size_t sections_count = peconv::get_sections_count(pe_buffer, pe_size);

    if (sections_count == 0) return false;

    for (size_t i = 0; i < sections_count; i++) {

        PIMAGE_SECTION_HEADER sec = peconv::get_section_hdr(pe_buffer, pe_size, i);

        if (!sec || sec->PointerToRawData == 0 || sec->SizeOfRawData == 0) {

            continue; // check next

        }

        if (sec->PointerToRawData >= v_align) continue;


        size_t diff = v_align - sec->PointerToRawData;

        BYTE* sec_raw_ptr = (BYTE*)((ULONGLONG)pe_buffer + sec->PointerToRawData);

        if (!peconv::validate_ptr((const LPVOID)pe_buffer, pe_size, sec_raw_ptr, diff)) {

            return false;

        }

        if (peconv::is_padding(sec_raw_ptr, diff, 0)) {

            return true;

        }

    }

    return false;

}


bool is_sec_hdrs_erased(IN const BYTE* pe_buffer, IN size_t pe_size, bool is_raw)

{

    const size_t count = peconv::get_sections_count(pe_buffer, pe_size);

    for (size_t i = 0; i < count; i++) {

        const IMAGE_SECTION_HEADER* hdr = peconv::get_section_hdr(pe_buffer, pe_size, i);

        if (!hdr) continue;

        if (is_raw) {

            if (hdr->PointerToRawData != 0) return false;

        }

        else {

            if (hdr->VirtualAddress != 0) return false;

        }

    }

    return true;

}


bool peconv::is_pe_raw_eq_virtual(IN const BYTE* pe_buffer, IN size_t pe_size)

{

    const size_t count = peconv::get_sections_count(pe_buffer, pe_size);

    for (size_t i = 0; i < count; i++) {

        const IMAGE_SECTION_HEADER* hdr = peconv::get_section_hdr(pe_buffer, pe_size, i);

        if (!hdr) continue;


        if (hdr->VirtualAddress != hdr->PointerToRawData) {

            return false;

        }

    }

    return true;

}


bool is_pe_mapped(IN const BYTE* pe_buffer, IN size_t pe_size)

{

    size_t v_score = 0;

    if (peconv::has_valid_import_table((const PBYTE)pe_buffer, pe_size)) {

        LOG_INFO("Valid Import Table found.");

        v_score++;

    }

    if (peconv::has_valid_relocation_table((const PBYTE)pe_buffer, pe_size)) {

        LOG_INFO("Valid Relocations Table found.");

        v_score++;

    }

    if (is_hdr_virtual_align(pe_buffer, pe_size)) {

        LOG_INFO("Header virtual alignment OK.");

        v_score++;

    }

    LOG_INFO("TOTAL v_score: %zu.", v_score);

    if (v_score > 0) {

        return true;

    }

    return false;

}


bool peconv::is_pe_raw(IN const BYTE* pe_buffer, IN size_t pe_size)

{

    if (peconv::get_sections_count(pe_buffer, pe_size) == 0) {

        return true;

    }

    if (is_pe_mapped(pe_buffer, pe_size)) {

       // it has artefacts typical for a PE in a virtual alignment

        return false;

    }

    if (is_sec_hdrs_erased(pe_buffer, pe_size, true)) {

        LOG_INFO("Raw alignment is erased.");

        // the raw alignment of the sections is erased

        return false;

    }

    return true;

}


// checks if any sections has been expanded in the memory


bool peconv::is_pe_expanded(IN const BYTE* pe_buffer, IN size_t pe_size)

{

    //walk through sections and check their sizes

    size_t sections_count = peconv::get_sections_count(pe_buffer, pe_size);

    for (size_t i = 0; i < sections_count; i++) {

        PIMAGE_SECTION_HEADER sec = peconv::get_section_hdr(pe_buffer, pe_size, i);

        if (is_section_expanded(pe_buffer, pe_size, sec)) {

            return true;

        }

    }

    return false;

}


// checks if the section's content in memory is bigger than in the raw format


bool peconv::is_section_expanded(IN const BYTE* pe_buffer, IN size_t pe_size, IN const PIMAGE_SECTION_HEADER sec)

{

    if (!sec) return false;


    size_t sec_vsize = peconv::get_virtual_sec_size(pe_buffer, sec, true);

    size_t sec_rsize = sec->SizeOfRawData;


    if (sec_rsize >= sec_vsize) return false;

    size_t diff = sec_vsize - sec_rsize;


    BYTE* sec_raw_end_ptr = (BYTE*)((ULONGLONG)pe_buffer + sec->VirtualAddress + sec_rsize);

    if (!peconv::validate_ptr((const LPVOID)pe_buffer, pe_size, sec_raw_end_ptr, diff)) {

        return false;

    }

    if (!is_padding(sec_raw_end_ptr, diff, 0)) {

        //this is not padding: non-zero content detected

        return true;

    }

    return false;

}


imports_loader.h
Parsing and filling the Import Table.

logger.h

LOG_INFO
#define LOG_INFO(fmt,...)
Definition logger.h:50

peconv::has_valid_import_table
bool has_valid_import_table(const PBYTE modulePtr, size_t moduleSize, size_t max_count=0)
Definition imports_loader.cpp:371

peconv::is_section_expanded
bool is_section_expanded(IN const BYTE *pe_buffer, IN size_t pe_size, IN const PIMAGE_SECTION_HEADER sec)
Definition pe_mode_detector.cpp:165

peconv::get_virtual_sec_size
DWORD get_virtual_sec_size(IN const BYTE *pe_hdr, IN const PIMAGE_SECTION_HEADER sec_hdr, IN bool rounded)
Definition pe_hdrs_helper.cpp:542

peconv::is_pe_raw
bool is_pe_raw(IN const BYTE *pe_buffer, IN size_t pe_size)
Definition pe_mode_detector.cpp:133

peconv::validate_ptr
bool validate_ptr(IN const void *buffer_bgn, IN size_t buffer_size, IN const void *field_bgn, IN size_t field_size)
Definition buffer_util.cpp:9

peconv::get_section_hdr
PIMAGE_SECTION_HEADER get_section_hdr(IN const BYTE *pe_buffer, IN const size_t buffer_size, IN size_t section_num)
Definition pe_hdrs_helper.cpp:339

peconv::is_padding
bool is_padding(const BYTE *cave_ptr, size_t cave_size, const BYTE padding_char)
Definition util.cpp:106

peconv::get_sec_alignment
DWORD get_sec_alignment(IN const BYTE *modulePtr, IN bool is_raw)
Definition pe_hdrs_helper.cpp:515

peconv::is_pe_raw_eq_virtual
bool is_pe_raw_eq_virtual(IN const BYTE *pe_buffer, IN size_t pe_size)
Definition pe_mode_detector.cpp:97

peconv::get_sections_count
size_t get_sections_count(IN const BYTE *buffer, IN const size_t buffer_size)
Definition pe_hdrs_helper.cpp:315

peconv::is_pe_expanded
bool is_pe_expanded(IN const BYTE *pe_buffer, IN size_t pe_size)
Definition pe_mode_detector.cpp:151

peconv::get_hdrs_size
DWORD get_hdrs_size(IN const BYTE *pe_buffer)
Definition pe_hdrs_helper.cpp:204

peconv::has_valid_relocation_table
bool has_valid_relocation_table(IN const PBYTE modulePtr, IN const size_t moduleSize)
Definition relocate.cpp:185

is_hdr_virtual_align
bool is_hdr_virtual_align(const BYTE *pe_buffer, size_t pe_size)
Definition pe_mode_detector.cpp:52

is_virtual_padding
bool is_virtual_padding(const BYTE *pe_buffer, size_t pe_size)
Definition pe_mode_detector.cpp:10

is_sec_hdrs_erased
bool is_sec_hdrs_erased(IN const BYTE *pe_buffer, IN size_t pe_size, bool is_raw)
Definition pe_mode_detector.cpp:81

is_pe_mapped
bool is_pe_mapped(IN const BYTE *pe_buffer, IN size_t pe_size)
Definition pe_mode_detector.cpp:111

pe_mode_detector.h
Detecting in which mode is the PE in the supplied buffer (i.e. raw, virtual). Analyzes PE features ty...

relocate.h
Operating on PE file's relocations table.

util.h
Miscellaneous utility functions.