libPeConv
A library to load, manipulate, dump PE files.
Loading...
Searching...
No Matches
pe_virtual_to_raw.cpp
Go to the documentation of this file.
1#include "peconv/pe_virtual_to_raw.h"
2
3#include "peconv/util.h"
4#include "peconv/pe_hdrs_helper.h"
5#include "peconv/relocate.h"
6
7#include "peconv/logger.h"
8
9using namespace peconv;
10
11bool sections_virtual_to_raw(BYTE* payload, SIZE_T payload_size, OUT BYTE* destAddress, OUT SIZE_T *raw_size_ptr)
12{
13 if (!payload || !destAddress) return false;
14
15 BYTE* payload_nt_hdr = get_nt_hdrs(payload, payload_size);
16 if (payload_nt_hdr == NULL) {
17 LOG_ERROR("Invalid PE at 0x%llx.", (unsigned long long)payload);
18 return false;
19 }
20
21 const bool is64b = is64bit(payload);
22
23 IMAGE_FILE_HEADER *fileHdr = NULL;
24 DWORD hdrsSize = 0;
25 LPVOID secptr = NULL;
26 if (is64b) {
27 IMAGE_NT_HEADERS64* payload_nt_hdr64 = (IMAGE_NT_HEADERS64*) payload_nt_hdr;
28 fileHdr = &(payload_nt_hdr64->FileHeader);
29 hdrsSize = payload_nt_hdr64->OptionalHeader.SizeOfHeaders;
30 secptr = (LPVOID)((ULONGLONG)&(payload_nt_hdr64->OptionalHeader) + fileHdr->SizeOfOptionalHeader);
31 } else {
32 IMAGE_NT_HEADERS32* payload_nt_hdr32 = (IMAGE_NT_HEADERS32*) payload_nt_hdr;
33 fileHdr = &(payload_nt_hdr32->FileHeader);
34 hdrsSize = payload_nt_hdr32->OptionalHeader.SizeOfHeaders;
35 secptr = (LPVOID)((ULONGLONG)&(payload_nt_hdr32->OptionalHeader) + fileHdr->SizeOfOptionalHeader);
36 }
37
38 //copy all the sections, one by one:
39 LOG_DEBUG("Copying sections.");
40 DWORD first_raw = 0;
41 SIZE_T raw_end = hdrsSize;
42 for (WORD i = 0; i < fileHdr->NumberOfSections; i++) {
43 PIMAGE_SECTION_HEADER next_sec = (PIMAGE_SECTION_HEADER)((ULONGLONG)secptr + (IMAGE_SIZEOF_SECTION_HEADER * i));
44 if (!validate_ptr(payload, payload_size, next_sec, IMAGE_SIZEOF_SECTION_HEADER)) {
45 return false;
46 }
47
48 LPVOID section_mapped = (BYTE*) payload + next_sec->VirtualAddress;
49 LPVOID section_raw_ptr = destAddress + next_sec->PointerToRawData;
50 SIZE_T sec_size = next_sec->SizeOfRawData;
51
52 size_t new_end = sec_size + next_sec->PointerToRawData;
53 if (new_end > raw_end) raw_end = new_end;
54
55 if ((next_sec->VirtualAddress + sec_size) > payload_size) {
56 sec_size = (payload_size > next_sec->VirtualAddress) ? SIZE_T(payload_size - next_sec->VirtualAddress) : 0;
57 LOG_WARNING("Section %u: virtual size exceeds buffer, truncating to 0x%zx.", i, sec_size);
58 }
59 if (next_sec->VirtualAddress >= payload_size && sec_size != 0) {
60 LOG_ERROR("Section %u: VirtualAddress 0x%lx is out of bounds.", i, next_sec->VirtualAddress);
61 return false;
62 }
63 if (next_sec->PointerToRawData + sec_size > payload_size) {
64 LOG_ERROR("Section %u: raw data exceeds buffer (size: 0x%zx).", i, sec_size);
65 return false;
66 }
67 LOG_DEBUG("Section %u: copying to raw offset %p.", i, section_raw_ptr);
68 //validate source:
69 if (!peconv::validate_ptr(payload, payload_size, section_mapped, sec_size)) {
70 LOG_WARNING("Section %u: source out of bounds, skipping.", i);
71 continue;
72 }
73 //validate destination:
74 if (!peconv::validate_ptr(destAddress, payload_size, section_raw_ptr, sec_size)) {
75 LOG_WARNING("Section %u: destination out of bounds, skipping.", i);
76 continue;
77 }
78 memcpy(section_raw_ptr, section_mapped, sec_size);
79 if (first_raw == 0 || (next_sec->PointerToRawData < first_raw)) {
80 first_raw = next_sec->PointerToRawData;
81 }
82 }
83 if (raw_end > payload_size) raw_end = payload_size;
84 if (raw_size_ptr != NULL) {
85 (*raw_size_ptr) = raw_end;
86 }
87
88 //copy payload's headers:
89 if (hdrsSize == 0) {
90 hdrsSize = first_raw;
91 LOG_DEBUG("SizeOfHeaders not set, using first section raw offset as fallback: 0x%lx.", hdrsSize);
92 }
93 if (!validate_ptr(payload, payload_size, payload, hdrsSize)) {
94 return false;
95 }
96 memcpy(destAddress, payload, hdrsSize);
97 return true;
98}
99
100BYTE* peconv::pe_virtual_to_raw(
101 IN BYTE* payload,
102 IN size_t in_size,
103 IN ULONGLONG loadBase,
104 OUT size_t &out_size,
105 IN OPTIONAL bool rebuffer
106)
107{
108 BYTE* out_buf = (BYTE*)alloc_pe_buffer(in_size, PAGE_READWRITE);
109 if (out_buf == NULL) return NULL; //could not allocate output buffer
110
111 BYTE* in_buf = payload;
112 if (rebuffer) {
113 in_buf = (BYTE*) alloc_pe_buffer(in_size, PAGE_READWRITE);
114 if (in_buf == NULL) {
115 free_pe_buffer(out_buf, in_size);
116 return NULL;
117 }
118 memcpy(in_buf, payload, in_size);
119 }
120
121 ULONGLONG oldBase = get_image_base(in_buf);
122 bool isOk = true;
123 // from the loadBase go back to the original base
124 if (!relocate_module(in_buf, in_size, oldBase, loadBase)) {
125 //Failed relocating the module! Changing image base instead...
126 if (!update_image_base(in_buf, (ULONGLONG)loadBase)) {
127 LOG_ERROR("Failed relocating the module.");
128 isOk = false;
129 } else {
130 LOG_WARNING("The module could not be relocated, so the ImageBase has been changed instead.");
131 }
132 }
133 SIZE_T raw_size = 0;
134 if (isOk) {
135 if (!sections_virtual_to_raw(in_buf, in_size, out_buf, &raw_size)) {
136 isOk = false;
137 }
138 }
139 if (rebuffer && in_buf != NULL) {
140 free_pe_buffer(in_buf, in_size);
141 in_buf = NULL;
142 }
143 if (!isOk) {
144 free_pe_buffer(out_buf, in_size);
145 out_buf = NULL;
146 raw_size = 0;
147 }
148 out_size = raw_size;
149 return out_buf;
150}
151
152BYTE* peconv::pe_realign_raw_to_virtual(
153 IN const BYTE* payload,
154 IN size_t in_size,
155 IN ULONGLONG loadBase,
156 OUT size_t &out_size
157)
158{
159 out_size = in_size;
160 BYTE* out_buf = (BYTE*)alloc_pe_buffer(out_size, PAGE_READWRITE);
161 if (!out_buf) {
162 out_size = 0;
163 return nullptr;
164 }
165 memcpy(out_buf, payload, in_size);
166
167 ULONGLONG oldBase = get_image_base(out_buf);
168 bool isOk = true;
169 // from the loadBase go back to the original base
170 if (!relocate_module(out_buf, out_size, oldBase, loadBase)) {
171 //Failed relocating the module! Changing image base instead...
172 if (!update_image_base(out_buf, (ULONGLONG)loadBase)) {
173 LOG_ERROR("Failed relocating the module.");
174 isOk = false;
175 } else {
176 LOG_WARNING("The module could not be relocated, so the ImageBase has been changed instead.");
177 }
178 }
179 //---
180 //set raw alignment the same as virtual
181 DWORD v_alignment = peconv::get_sec_alignment((const PBYTE)payload, false);
182 if (!peconv::set_sec_alignment(out_buf, true, v_alignment)) {
183 isOk = false;
184 }
185 //set Raw pointers and sizes of the sections same as Virtual
186 size_t sections_count = peconv::get_sections_count(out_buf, out_size);
187 for (size_t i = 0; i < sections_count; i++) {
188 PIMAGE_SECTION_HEADER sec = peconv::get_section_hdr(out_buf, out_size, i);
189 if (!sec) break;
190
191 sec->Misc.VirtualSize = peconv::get_virtual_sec_size(out_buf, sec, true);
192 sec->SizeOfRawData = sec->Misc.VirtualSize;
193 sec->PointerToRawData = sec->VirtualAddress;
194 }
196 if (!isOk) {
197 free_pe_buffer(out_buf);
198 out_buf = nullptr;
199 out_size = 0;
200 }
201 return out_buf;
202}
logger.h
Compile-time configurable logging macros for peconv.
LOG_DEBUG
#define LOG_DEBUG(fmt,...)
Definition: logger.h:80
LOG_ERROR
#define LOG_ERROR(fmt,...)
Definition: logger.h:60
LOG_WARNING
#define LOG_WARNING(fmt,...)
Definition: logger.h:68
peconv::set_sec_alignment
bool set_sec_alignment(IN OUT BYTE *pe_buffer, IN const bool is_raw, IN const DWORD new_alignment)
Definition: pe_hdrs_helper.cpp:534
peconv::get_virtual_sec_size
DWORD get_virtual_sec_size(IN const BYTE *pe_hdr, IN const PIMAGE_SECTION_HEADER sec_hdr, IN bool rounded)
Definition: pe_hdrs_helper.cpp:549
peconv::update_image_base
bool update_image_base(IN OUT BYTE *payload, IN ULONGLONG destImageBase)
Definition: pe_hdrs_helper.cpp:220
peconv::get_image_base
ULONGLONG get_image_base(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:148
peconv::alloc_pe_buffer
ALIGNED_BUF alloc_pe_buffer(size_t buffer_size, DWORD protect, void *desired_base=nullptr)
Definition: buffer_util.cpp:78
peconv::validate_ptr
bool validate_ptr(IN const void *buffer_bgn, IN size_t buffer_size, IN const void *field_bgn, IN size_t field_size)
Definition: buffer_util.cpp:9
peconv::get_section_hdr
PIMAGE_SECTION_HEADER get_section_hdr(IN const BYTE *pe_buffer, IN const size_t buffer_size, IN size_t section_num)
Definition: pe_hdrs_helper.cpp:343
peconv::pe_virtual_to_raw
BYTE * pe_virtual_to_raw(IN BYTE *payload, IN size_t in_size, IN ULONGLONG loadBase, OUT size_t &outputSize, IN OPTIONAL bool rebuffer=true)
Definition: pe_virtual_to_raw.cpp:100
peconv::free_pe_buffer
bool free_pe_buffer(ALIGNED_BUF buffer, size_t buffer_size=0)
Definition: buffer_util.cpp:84
peconv::get_sec_alignment
DWORD get_sec_alignment(IN const BYTE *modulePtr, IN bool is_raw)
Definition: pe_hdrs_helper.cpp:522
peconv::is64bit
bool is64bit(IN const BYTE *pe_buffer)
Definition: pe_hdrs_helper.cpp:117
peconv::get_sections_count
size_t get_sections_count(IN const BYTE *buffer, IN const size_t buffer_size)
Definition: pe_hdrs_helper.cpp:319
peconv::get_nt_hdrs
BYTE * get_nt_hdrs(IN const BYTE *pe_buffer, IN OPTIONAL size_t buffer_size=0, IN OPTIONAL const LONG max_pe_offset=MAX_HEADER_SIZE)
Definition: pe_hdrs_helper.cpp:8
peconv::relocate_module
bool relocate_module(IN PBYTE modulePtr, IN SIZE_T moduleSize, IN ULONGLONG newBase, IN ULONGLONG oldBase=0)
Definition: relocate.cpp:172
peconv::pe_realign_raw_to_virtual
BYTE * pe_realign_raw_to_virtual(IN const BYTE *payload, IN size_t in_size, IN ULONGLONG loadBase, OUT size_t &outputSize)
Definition: pe_virtual_to_raw.cpp:152
pe_hdrs_helper.h
Wrappers over various fields in the PE header. Read, write, parse PE headers.
sections_virtual_to_raw
bool sections_virtual_to_raw(BYTE *payload, SIZE_T payload_size, OUT BYTE *destAddress, OUT SIZE_T *raw_size_ptr)
Definition: pe_virtual_to_raw.cpp:11
pe_virtual_to_raw.h
Converting PE from virtual to raw format.
relocate.h
Operating on PE file's relocations table.
util.h
Miscellaneous utility functions.
Generated on Tue Apr 14 2026 13:01:06 for libPeConv by doxygen 1.9.5