libpeconv/pe__raw__to__virtual_8cpp_source.html

#include "peconv/pe_raw_to_virtual.h"


#include "peconv/util.h"

#include "peconv/pe_hdrs_helper.h"


#include <iostream>


using namespace peconv;


// Map raw PE into virtual memory of local process:


bool sections_raw_to_virtual(IN const BYTE* payload, IN SIZE_T payloadSize, OUT BYTE* destBuffer, IN SIZE_T destBufferSize)

{

    if (!payload || !destBuffer) return false;


    BYTE* payload_nt_hdr = get_nt_hdrs(payload, payloadSize);

    if (payload_nt_hdr == NULL) {

        std::cerr << "Invalid payload: " << std::hex << (ULONGLONG) payload << std::endl;

        return false;

    }


    const bool is64b = is64bit(payload);


    IMAGE_FILE_HEADER *fileHdr = NULL;

    DWORD hdrsSize = 0;

    LPVOID secptr = NULL;

    if (is64b) {

        IMAGE_NT_HEADERS64* payload_nt_hdr64 = (IMAGE_NT_HEADERS64*)payload_nt_hdr;

        fileHdr = &(payload_nt_hdr64->FileHeader);

        hdrsSize = payload_nt_hdr64->OptionalHeader.SizeOfHeaders;

        secptr = (LPVOID)((ULONGLONG)&(payload_nt_hdr64->OptionalHeader) + fileHdr->SizeOfOptionalHeader);

    }

    else {

        IMAGE_NT_HEADERS32* payload_nt_hdr32 = (IMAGE_NT_HEADERS32*)payload_nt_hdr;

        fileHdr = &(payload_nt_hdr32->FileHeader);

        hdrsSize = payload_nt_hdr32->OptionalHeader.SizeOfHeaders;

        secptr = (LPVOID)((ULONGLONG)&(payload_nt_hdr32->OptionalHeader) + fileHdr->SizeOfOptionalHeader);

    }

    DWORD first_raw = 0;

    //copy all the sections, one by one:

    for (WORD i = 0; i < fileHdr->NumberOfSections; i++) {

        PIMAGE_SECTION_HEADER next_sec = (PIMAGE_SECTION_HEADER)((ULONGLONG)secptr + ((ULONGLONG)IMAGE_SIZEOF_SECTION_HEADER * i));

        if (!validate_ptr((const LPVOID)payload, payloadSize, next_sec, IMAGE_SIZEOF_SECTION_HEADER) // check if fits in the source size

            || !validate_ptr((const LPVOID)payload, destBufferSize, next_sec, IMAGE_SIZEOF_SECTION_HEADER)) // check if fits in the destination size

        {

            return false;

        }

        if (next_sec->PointerToRawData == 0 || next_sec->SizeOfRawData == 0) {

            continue; //skipping empty

        }

        LPVOID section_mapped = destBuffer + next_sec->VirtualAddress;

        LPVOID section_raw_ptr = (BYTE*)payload +  next_sec->PointerToRawData;

        size_t sec_size = next_sec->SizeOfRawData;


        if ((next_sec->VirtualAddress + sec_size) > destBufferSize) {

            std::cerr << "[!] Virtual section size is out ouf bounds: " << std::hex << sec_size << std::endl;

            sec_size = (destBufferSize > next_sec->VirtualAddress) ? SIZE_T(destBufferSize - next_sec->VirtualAddress) : 0;

            std::cerr << "[!] Truncated to maximal size: " << std::hex << sec_size << ", buffer size:" << destBufferSize << std::endl;

        }

        if (next_sec->VirtualAddress >= destBufferSize && sec_size != 0) {

            std::cerr << "[-] VirtualAddress of section is out ouf bounds: " << std::hex << next_sec->VirtualAddress << std::endl;

            return false;

        }

        if (next_sec->PointerToRawData + sec_size > destBufferSize) {

            std::cerr << "[-] Raw section size is out ouf bounds: " << std::hex << sec_size << std::endl;

            return false;

        }

        // validate source:

        if (!validate_ptr((const LPVOID)payload, payloadSize, section_raw_ptr, sec_size)) {

            std::cerr << "[-] Section " << i << ":  out ouf bounds, skipping... " << std::endl;

            continue;

        }

        // validate destination:

        if (!peconv::validate_ptr(destBuffer, destBufferSize, section_mapped, sec_size)) {

            std::cerr << "[-] Section " << i << ":  out ouf bounds, skipping... " << std::endl;

            continue;

        }

        memcpy(section_mapped, section_raw_ptr, sec_size);

        if (first_raw == 0 || (next_sec->PointerToRawData < first_raw)) {

            first_raw = next_sec->PointerToRawData;

        }

    }


    //copy payload's headers:

    if (hdrsSize == 0) {

        hdrsSize= first_raw;

#ifdef _DEBUG

        std::cout << "hdrsSize not filled, using calculated size: " << std::hex << hdrsSize << "\n";

#endif

    }

    if (!validate_ptr((const LPVOID)payload, destBufferSize, (const LPVOID)payload, hdrsSize)) {

        return false;

    }

    memcpy(destBuffer, payload, hdrsSize);

    return true;

}


BYTE* peconv::pe_raw_to_virtual(

    IN const BYTE* payload,

    IN size_t in_size,

    OUT size_t &out_size,

    IN OPTIONAL bool executable,

    IN OPTIONAL ULONGLONG desired_base

)

{

    //check payload:

    BYTE* nt_hdr = get_nt_hdrs(payload);

    if (nt_hdr == NULL) {

        std::cerr << "Invalid payload: " << std::hex << (ULONGLONG) payload << std::endl;

        return nullptr;

    }

    DWORD payloadImageSize = 0;


    bool is64 = is64bit(payload);

    if (is64) {

        IMAGE_NT_HEADERS64* payload_nt_hdr = (IMAGE_NT_HEADERS64*)nt_hdr;

        payloadImageSize = payload_nt_hdr->OptionalHeader.SizeOfImage;

    }

    else {

        IMAGE_NT_HEADERS32* payload_nt_hdr = (IMAGE_NT_HEADERS32*)nt_hdr;

        payloadImageSize = payload_nt_hdr->OptionalHeader.SizeOfImage;

    }


    DWORD protect = executable ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;


    //first we will prepare the payload image in the local memory, so that it will be easier to edit it, apply relocations etc.

    //when it will be ready, we will copy it into the space reserved in the target process

    BYTE* localCopyAddress = alloc_pe_buffer(payloadImageSize, protect, desired_base);

    if (localCopyAddress == NULL) {

        std::cerr << "Could not allocate memory in the current process" << std::endl;

        return NULL;

    }

    //printf("Allocated local memory: %p size: %x\n", localCopyAddress, payloadImageSize);

    if (!sections_raw_to_virtual(payload, in_size, (BYTE*)localCopyAddress, payloadImageSize)) {

        std::cerr <<  "Could not copy PE file" << std::endl;

        return NULL;

    }

    out_size = payloadImageSize;

    return localCopyAddress;

}


parse_delayed_desc
bool parse_delayed_desc(BYTE *modulePtr, const size_t moduleSize, const ULONGLONG img_base, LPSTR lib_name, const T_FIELD ordinal_flag, IMAGE_DELAYLOAD_DESCRIPTOR *desc, peconv::t_function_resolver *func_resolver)
Definition delayed_imports_loader.cpp:26

peconv
Definition buffer_util.h:15

peconv::validate_ptr
bool validate_ptr(IN const void *buffer_bgn, IN size_t buffer_size, IN const void *field_bgn, IN size_t field_size)
Definition buffer_util.cpp:9

peconv::alloc_pe_buffer
ALIGNED_BUF alloc_pe_buffer(size_t buffer_size, DWORD protect, ULONGLONG desired_base=NULL)
Definition buffer_util.cpp:82

peconv::pe_raw_to_virtual
BYTE * pe_raw_to_virtual(IN const BYTE *rawPeBuffer, IN size_t rawPeSize, OUT size_t &outputSize, IN OPTIONAL bool executable=true, IN OPTIONAL ULONGLONG desired_base=0)
Definition pe_raw_to_virtual.cpp:97

peconv::is64bit
bool is64bit(IN const BYTE *pe_buffer)
Definition pe_hdrs_helper.cpp:121

peconv::get_nt_hdrs
BYTE * get_nt_hdrs(IN const BYTE *pe_buffer, IN OPTIONAL size_t buffer_size=0)
Definition pe_hdrs_helper.cpp:10

pe_hdrs_helper.h
Wrappers over various fields in the PE header. Read, write, parse PE headers.

sections_raw_to_virtual
bool sections_raw_to_virtual(IN const BYTE *payload, IN SIZE_T payloadSize, OUT BYTE *destBuffer, IN SIZE_T destBufferSize)
Definition pe_raw_to_virtual.cpp:11

pe_raw_to_virtual.h
Converting PE from raw to virtual format.

util.h
Miscellaneous utility functions.