libpeconv/relocate_8cpp_source.html

#include "peconv/relocate.h"


#include "peconv/pe_hdrs_helper.h"

#include <stdio.h>

#include "peconv/logger.h"


using namespace peconv;


#define RELOC_32BIT_FIELD 3

#define RELOC_64BIT_FIELD 0xA


class ApplyRelocCallback : public RelocBlockCallback

{

public:


    ApplyRelocCallback(bool _is64bit, ULONGLONG _oldBase, ULONGLONG _newBase)

        : RelocBlockCallback(_is64bit), oldBase(_oldBase), newBase(_newBase)

    {

    }


    virtual bool processRelocField(ULONG_PTR relocField)

    {

        if (is64bit) {

            ULONGLONG* relocateAddr = (ULONGLONG*)((ULONG_PTR)relocField);

            ULONGLONG rva = (*relocateAddr) - oldBase;

            (*relocateAddr) = rva + newBase;

        }

        else {

            DWORD* relocateAddr = (DWORD*)((ULONG_PTR)relocField);

            ULONGLONG rva = ULONGLONG(*relocateAddr) - oldBase;

            (*relocateAddr) = static_cast<DWORD>(rva + newBase);

        }

        return true;

    }


protected:

    ULONGLONG oldBase;

    ULONGLONG newBase;

};


bool is_empty_reloc_block(BASE_RELOCATION_ENTRY *block, SIZE_T entriesNum, DWORD page, PVOID modulePtr, SIZE_T moduleSize)

{

    if (entriesNum == 0) {

        return true; // nothing to process

    }

    BASE_RELOCATION_ENTRY* entry = block;

    for (SIZE_T i = 0; i < entriesNum; i++) {

        if (!validate_ptr(modulePtr, moduleSize, entry, sizeof(BASE_RELOCATION_ENTRY))) {

            return false;

        }

        DWORD type = entry->Type;

        if (type != 0) {

            //non empty block found

            return false;

        }

        entry = (BASE_RELOCATION_ENTRY*)((ULONG_PTR)entry + sizeof(WORD));

    }

    return true;

}


namespace {

    bool validate_reloc_field(PVOID modulePtr, SIZE_T moduleSize, bool is64bit, const DWORD reloc_field)

    {

        const size_t field_width = is64bit ? sizeof(ULONGLONG) : sizeof(DWORD);

        const ULONG_PTR reloc_ptr = (ULONG_PTR)modulePtr + reloc_field;

        return peconv::validate_ptr(modulePtr, moduleSize, (LPVOID)reloc_ptr, field_width);

    }

};


bool process_reloc_block(BASE_RELOCATION_ENTRY *block, SIZE_T entriesNum, DWORD page, PVOID modulePtr, SIZE_T moduleSize, bool is64bit, RelocBlockCallback *callback)

{

    if (entriesNum == 0) {

        return true; // nothing to process

    }

    BASE_RELOCATION_ENTRY* entry = block;

    SIZE_T i = 0;

    for (i = 0; i < entriesNum; i++) {

        if (!validate_ptr(modulePtr, moduleSize, entry, sizeof(BASE_RELOCATION_ENTRY))) {

            break;

        }

        DWORD offset = entry->Offset;

        DWORD type = entry->Type;

        if (type == 0) {

            entry = (BASE_RELOCATION_ENTRY*)((ULONG_PTR)entry + sizeof(WORD));

            continue;  // skip padding

        }

        if (type != RELOC_32BIT_FIELD && type != RELOC_64BIT_FIELD) {

            if (callback) { //print debug messages only if the callback function was set

                LOG_ERROR("Not supported relocation format at %d: %d.", (int)i, (int)type);

            }

            return false;

        }

        const DWORD reloc_field = page + offset;

        if (!validate_reloc_field(modulePtr, moduleSize, is64bit, reloc_field)) {

            if (callback) { //print debug messages only if the callback function was set

                LOG_ERROR("Malformed reloc field: 0x%lx.", reloc_field);

            }

            return false;

        }

        if (callback) {

            bool isOk = callback->processRelocField(((ULONG_PTR)modulePtr + reloc_field));

            if (!isOk) {

                LOG_ERROR("Failed processing reloc field at: 0x%lx.", reloc_field);

                return false;

            }

        }

        entry = (BASE_RELOCATION_ENTRY*)((ULONG_PTR)entry + sizeof(WORD));

    }

    return (i != 0);

}


bool peconv::process_relocation_table(IN PVOID modulePtr, IN SIZE_T moduleSize, IN RelocBlockCallback *callback)

{

    IMAGE_DATA_DIRECTORY* relocDir = peconv::get_directory_entry((const BYTE*)modulePtr, IMAGE_DIRECTORY_ENTRY_BASERELOC);

    if (relocDir == NULL) {

        LOG_DEBUG("No relocation table found.");

        return false;

    }

    if (!validate_ptr(modulePtr, moduleSize, relocDir, sizeof(IMAGE_DATA_DIRECTORY))) {

        LOG_ERROR("Invalid relocDir pointer.");

        return false;

    }

    DWORD maxSize = relocDir->Size;

    DWORD relocAddr = relocDir->VirtualAddress;

    bool is64b = is64bit((BYTE*)modulePtr);


    IMAGE_BASE_RELOCATION* reloc = NULL;


    DWORD parsedSize = 0;

    while (parsedSize < maxSize) {

        reloc = (IMAGE_BASE_RELOCATION*)(relocAddr + parsedSize + (ULONG_PTR)modulePtr);

        if (!validate_ptr(modulePtr, moduleSize, reloc, sizeof(IMAGE_BASE_RELOCATION))) {

            LOG_ERROR("Invalid address of relocations.");

            return false;

        }

        if (reloc->SizeOfBlock < (2 * sizeof(DWORD))) {

            LOG_ERROR("Malformed relocation block: SizeOfBlock too small.");

            return false;

        }

        const size_t entriesNum = (reloc->SizeOfBlock - 2 * sizeof(DWORD)) / sizeof(WORD);

        const DWORD page = reloc->VirtualAddress;


        BASE_RELOCATION_ENTRY* block = (BASE_RELOCATION_ENTRY*)((ULONG_PTR)reloc + sizeof(DWORD) + sizeof(DWORD));

        if (!validate_ptr(modulePtr, moduleSize, block, sizeof(BASE_RELOCATION_ENTRY))) {

            LOG_ERROR("Invalid address of relocations block.");

            return false;

        }

        if (!is_empty_reloc_block(block, entriesNum, page, modulePtr, moduleSize)) {

            if (!process_reloc_block(block, entriesNum, page, modulePtr, moduleSize, is64b, callback)) {

                // the block was malformed

                return false;

            }

        }

        parsedSize += reloc->SizeOfBlock;

    }

    return true;

}


bool apply_relocations(PVOID modulePtr, SIZE_T moduleSize, ULONGLONG newBase, ULONGLONG oldBase)

{

    const bool is64b = is64bit((BYTE*)modulePtr);

    ApplyRelocCallback callback(is64b, oldBase, newBase);

    return process_relocation_table(modulePtr, moduleSize, &callback);

}


bool peconv::relocate_module(IN BYTE* modulePtr, IN SIZE_T moduleSize, IN ULONGLONG newBase, IN ULONGLONG oldBase)

{

    if (modulePtr == NULL) {

        return false;

    }

    if (oldBase == 0) {

        oldBase = get_image_base(modulePtr);

    }

    LOG_DEBUG("New Base: 0x%llx Old Base: 0x%llx.", (unsigned long long)newBase, (unsigned long long)oldBase);

    if (newBase == oldBase) {

        LOG_DEBUG("Nothing to relocate: oldBase equals newBase.");

        return true; //nothing to relocate

    }

    if (apply_relocations(modulePtr, moduleSize, newBase, oldBase)) {

        return true;

    }

    LOG_ERROR("Could not relocate the module.");

    return false;

}


bool peconv::has_valid_relocation_table(IN const PBYTE modulePtr, IN const size_t moduleSize)

{

    return process_relocation_table(modulePtr, moduleSize, nullptr);

}


ApplyRelocCallback
Definition relocate.cpp:13

ApplyRelocCallback::processRelocField
virtual bool processRelocField(ULONG_PTR relocField)
Definition relocate.cpp:20

ApplyRelocCallback::ApplyRelocCallback
ApplyRelocCallback(bool _is64bit, ULONGLONG _oldBase, ULONGLONG _newBase)
Definition relocate.cpp:15

ApplyRelocCallback::oldBase
ULONGLONG oldBase
Definition relocate.cpp:36

ApplyRelocCallback::newBase
ULONGLONG newBase
Definition relocate.cpp:37

peconv::RelocBlockCallback
Definition relocate.h:18

peconv::RelocBlockCallback::RelocBlockCallback
RelocBlockCallback(bool _is64bit)
Definition relocate.h:20

peconv::RelocBlockCallback::is64bit
bool is64bit
Definition relocate.h:28

peconv::RelocBlockCallback::processRelocField
virtual bool processRelocField(ULONG_PTR relocField)=0

logger.h

LOG_DEBUG
#define LOG_DEBUG(fmt,...)
Definition logger.h:56

LOG_ERROR
#define LOG_ERROR(fmt,...)
Definition logger.h:36

peconv
Definition buffer_util.h:15

peconv::get_image_base
ULONGLONG get_image_base(IN const BYTE *pe_buffer)
Definition pe_hdrs_helper.cpp:150

peconv::validate_ptr
bool validate_ptr(IN const void *buffer_bgn, IN size_t buffer_size, IN const void *field_bgn, IN size_t field_size)
Definition buffer_util.cpp:9

peconv::process_relocation_table
bool process_relocation_table(IN PVOID modulePtr, IN SIZE_T moduleSize, IN RelocBlockCallback *callback)
Definition relocate.cpp:111

peconv::is64bit
bool is64bit(IN const BYTE *pe_buffer)
Definition pe_hdrs_helper.cpp:119

peconv::relocate_module
bool relocate_module(IN BYTE *modulePtr, IN SIZE_T moduleSize, IN ULONGLONG newBase, IN ULONGLONG oldBase=0)
Definition relocate.cpp:165

peconv::BASE_RELOCATION_ENTRY
struct peconv::_BASE_RELOCATION_ENTRY BASE_RELOCATION_ENTRY

peconv::get_directory_entry
IMAGE_DATA_DIRECTORY * get_directory_entry(IN const BYTE *pe_buffer, IN DWORD dir_id, IN bool allow_empty=false)
Definition pe_hdrs_helper.cpp:128

peconv::has_valid_relocation_table
bool has_valid_relocation_table(IN const PBYTE modulePtr, IN const size_t moduleSize)
Definition relocate.cpp:185

pe_hdrs_helper.h
Wrappers over various fields in the PE header. Read, write, parse PE headers.

process_reloc_block
bool process_reloc_block(BASE_RELOCATION_ENTRY *block, SIZE_T entriesNum, DWORD page, PVOID modulePtr, SIZE_T moduleSize, bool is64bit, RelocBlockCallback *callback)
Definition relocate.cpp:69

RELOC_64BIT_FIELD
#define RELOC_64BIT_FIELD
Definition relocate.cpp:10

apply_relocations
bool apply_relocations(PVOID modulePtr, SIZE_T moduleSize, ULONGLONG newBase, ULONGLONG oldBase)
Definition relocate.cpp:158

is_empty_reloc_block
bool is_empty_reloc_block(BASE_RELOCATION_ENTRY *block, SIZE_T entriesNum, DWORD page, PVOID modulePtr, SIZE_T moduleSize)
Definition relocate.cpp:40

RELOC_32BIT_FIELD
#define RELOC_32BIT_FIELD
Definition relocate.cpp:9

relocate.h
Operating on PE file's relocations table.

peconv::_BASE_RELOCATION_ENTRY::Offset
WORD Offset
Definition relocate.h:13

peconv::_BASE_RELOCATION_ENTRY::Type
WORD Type
Definition relocate.h:14