libPeConv
A library to load, manipulate, dump PE files.
Loading...
Searching...
No Matches
pe_raw_to_virtual.cpp
Go to the documentation of this file.
1#include "peconv/pe_raw_to_virtual.h"
2
3#include "peconv/util.h"
4#include "peconv/pe_hdrs_helper.h"
5
6#include "peconv/logger.h"
7
8using namespace peconv;
9
10// Map raw PE into virtual memory of local process:
11bool sections_raw_to_virtual(IN const BYTE* payload, IN SIZE_T payloadSize, OUT BYTE* destBuffer, IN SIZE_T destBufferSize)
12{
13 if (!payload || !destBuffer) return false;
14
15 BYTE* payload_nt_hdr = get_nt_hdrs(payload, payloadSize);
16 if (!payload_nt_hdr) {
17 LOG_ERROR("Invalid PE at 0x%llx.", (unsigned long long)payload);
18 return false;
19 }
20
21 const bool is64b = is64bit(payload);
22
23 IMAGE_FILE_HEADER *fileHdr = nullptr;
24 DWORD hdrsSize = 0;
25 void* secptr = nullptr;
26 if (is64b) {
27 IMAGE_NT_HEADERS64* payload_nt_hdr64 = (IMAGE_NT_HEADERS64*)payload_nt_hdr;
28 fileHdr = &(payload_nt_hdr64->FileHeader);
29 hdrsSize = payload_nt_hdr64->OptionalHeader.SizeOfHeaders;
30 secptr = (void*)((ULONG_PTR)&(payload_nt_hdr64->OptionalHeader) + fileHdr->SizeOfOptionalHeader);
31 }
32 else {
33 IMAGE_NT_HEADERS32* payload_nt_hdr32 = (IMAGE_NT_HEADERS32*)payload_nt_hdr;
34 fileHdr = &(payload_nt_hdr32->FileHeader);
35 hdrsSize = payload_nt_hdr32->OptionalHeader.SizeOfHeaders;
36 secptr = (void*)((ULONG_PTR)&(payload_nt_hdr32->OptionalHeader) + fileHdr->SizeOfOptionalHeader);
37 }
38 DWORD first_raw = 0;
39 //copy all the sections, one by one:
40 for (WORD i = 0; i < fileHdr->NumberOfSections; i++) {
41 PIMAGE_SECTION_HEADER next_sec = (PIMAGE_SECTION_HEADER)((ULONG_PTR)secptr + ((ULONG_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));
42 if (!validate_ptr(static_cast<const void*>(payload), payloadSize, next_sec, IMAGE_SIZEOF_SECTION_HEADER)) { // check if fits in the source size
43 return false;
44 }
45 const BYTE* next_sec_dest = destBuffer + (reinterpret_cast<const BYTE*>(next_sec) - payload);
46 if (!validate_ptr(static_cast<const void*>(destBuffer), destBufferSize, next_sec_dest, IMAGE_SIZEOF_SECTION_HEADER)) { // check if fits in the destination size
47 return false;
48 }
49 if (next_sec->PointerToRawData == 0 || next_sec->SizeOfRawData == 0) {
50 continue; //skipping empty
51 }
52 void* section_mapped = destBuffer + next_sec->VirtualAddress;
53 void* section_raw_ptr = (BYTE*)payload + next_sec->PointerToRawData;
54 size_t sec_size = next_sec->SizeOfRawData;
55
56 if ((next_sec->VirtualAddress + sec_size) > destBufferSize) {
57 sec_size = (destBufferSize > next_sec->VirtualAddress) ? SIZE_T(destBufferSize - next_sec->VirtualAddress) : 0;
58 LOG_WARNING("Section %u: virtual size exceeds buffer, truncating to 0x%zx (buffer: 0x%zx).", i, sec_size, destBufferSize);
59 }
60 if (next_sec->VirtualAddress >= destBufferSize && sec_size != 0) {
61 LOG_ERROR("Section %u: VirtualAddress 0x%lx is out of bounds.", i, next_sec->VirtualAddress);
62 return false;
63 }
64 if (next_sec->PointerToRawData + sec_size > destBufferSize) {
65 LOG_ERROR("Section %u: raw data exceeds buffer (size: 0x%zx).", i, sec_size);
66 return false;
67 }
68
69 // validate source:
70 if (!validate_ptr(static_cast<const void*>(payload), payloadSize, section_raw_ptr, sec_size)) {
71 if (next_sec->PointerToRawData > payloadSize) {
72 LOG_WARNING("Section %u: PointerToRawData out of bounds, skipping.", i);
73 continue;
74 }
75 // trim section
76 sec_size = payloadSize - (next_sec->PointerToRawData);
77 }
78 // validate destination:
79 if (!peconv::validate_ptr(destBuffer, destBufferSize, section_mapped, sec_size)) {
80 LOG_WARNING("Section %u: destination out of bounds, skipping.", i);
81 continue;
82 }
83 ::memcpy(section_mapped, section_raw_ptr, sec_size);
84 if (first_raw == 0 || (next_sec->PointerToRawData < first_raw)) {
85 first_raw = next_sec->PointerToRawData;
86 }
87 }
88
89 //copy payload's headers:
90 if (hdrsSize == 0 || hdrsSize > payloadSize) {
91 hdrsSize = first_raw;
92 if (hdrsSize == 0) hdrsSize = PAGE_SIZE;
93 if (hdrsSize > payloadSize) hdrsSize = payloadSize;
94 LOG_INFO("SizeOfHeaders invalid, using a fallback value: 0x%lx.", hdrsSize);
95 }
96 if (hdrsSize > destBufferSize) {
97 return false;
98 }
99 ::memcpy(destBuffer, payload, hdrsSize);
100 return true;
101}
102
103BYTE* peconv::pe_raw_to_virtual(
104 IN const BYTE* payload,
105 IN size_t in_size,
106 OUT size_t &out_size,
107 IN OPTIONAL bool executable,
108 IN OPTIONAL ULONG_PTR desired_base
109)
110{
111 //check payload:
112 BYTE* nt_hdr = get_nt_hdrs(payload);
113 if (!nt_hdr) {
114 LOG_ERROR("Invalid PE at 0x%llx.", (unsigned long long)(ULONG_PTR)payload);
115 return nullptr;
116 }
117 DWORD payloadImageSize = 0;
118
119 const bool is64 = is64bit(payload);
120 if (is64) {
121 IMAGE_NT_HEADERS64* payload_nt_hdr = (IMAGE_NT_HEADERS64*)nt_hdr;
122 payloadImageSize = payload_nt_hdr->OptionalHeader.SizeOfImage;
123 }
124 else {
125 IMAGE_NT_HEADERS32* payload_nt_hdr = (IMAGE_NT_HEADERS32*)nt_hdr;
126 payloadImageSize = payload_nt_hdr->OptionalHeader.SizeOfImage;
127 }
128 payloadImageSize = peconv::round_up_to_unit(payloadImageSize, (DWORD)PAGE_SIZE);
129
130 DWORD protect = executable ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;
131 //first we will prepare the payload image in the local memory, so that it will be easier to edit it, apply relocations etc.
132 //when it will be ready, we will copy it into the space reserved in the target process
133 BYTE* localCopyAddress = alloc_pe_buffer(payloadImageSize, protect, reinterpret_cast<void*>(desired_base));
134 if (!localCopyAddress) {
135 LOG_ERROR("Could not allocate memory in the current process.");
136 return nullptr;
137 }
138 LOG_DEBUG("Allocated local memory: %p size: %x", localCopyAddress, payloadImageSize);
139 if (!sections_raw_to_virtual(payload, in_size, localCopyAddress, payloadImageSize)) {
140 LOG_ERROR("Could not copy PE file into virtual buffer.");
141 peconv::free_pe_buffer(localCopyAddress);
142 return nullptr;
143 }
144 out_size = payloadImageSize;
145 return localCopyAddress;
146}
logger.h
Compile-time configurable logging macros for peconv.
LOG_DEBUG
#define LOG_DEBUG(fmt,...)
Definition: logger.h:80
LOG_INFO
#define LOG_INFO(fmt,...)
Definition: logger.h:74
LOG_ERROR
#define LOG_ERROR(fmt,...)
Definition: logger.h:60
LOG_WARNING
#define LOG_WARNING(fmt,...)
Definition: logger.h:68
peconv::alloc_pe_buffer
ALIGNED_BUF alloc_pe_buffer(size_t buffer_size, DWORD protect, void *desired_base=nullptr)
Definition: buffer_util.cpp:78
peconv::validate_ptr
bool validate_ptr(IN const void *buffer_bgn, IN size_t buffer_size, IN const void *field_bgn, IN size_t field_size)
Definition: buffer_util.cpp:9
peconv::free_pe_buffer
bool free_pe_buffer(ALIGNED_BUF buffer, size_t buffer_size=0)
Definition: buffer_util.cpp:84
peconv::round_up_to_unit
INT_TYPE round_up_to_unit(const INT_TYPE size, const INT_TYPE unit)
Definition: util.h:43
peconv::is64bit
bool is64bit(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:117
peconv::pe_raw_to_virtual
BYTE * pe_raw_to_virtual(IN const BYTE *rawPeBuffer, IN size_t rawPeSize, OUT size_t &outputSize, IN OPTIONAL bool executable=true, IN OPTIONAL ULONG_PTR desired_base=0)
Definition: pe_raw_to_virtual.cpp:103
peconv::get_nt_hdrs
BYTE * get_nt_hdrs(IN const BYTE *pe_buffer, IN OPTIONAL size_t buffer_size=0, IN OPTIONAL const LONG max_pe_offset=MAX_HEADER_SIZE)
Definition: pe_hdrs_helper.cpp:8
pe_hdrs_helper.h
Wrappers over various fields in the PE header. Read, write, parse PE headers.
PAGE_SIZE
#define PAGE_SIZE
Definition: pe_hdrs_helper.h:12
sections_raw_to_virtual
bool sections_raw_to_virtual(IN const BYTE *payload, IN SIZE_T payloadSize, OUT BYTE *destBuffer, IN SIZE_T destBufferSize)
Definition: pe_raw_to_virtual.cpp:11
pe_raw_to_virtual.h
Converting PE from raw to virtual format.
util.h
Miscellaneous utility functions.
Generated on Tue Apr 14 2026 13:01:06 for libPeConv by doxygen 1.9.5