libPeConv
A library to load, manipulate, dump PE files.
Loading...
Searching...
No Matches
remote_pe_reader.cpp
Go to the documentation of this file.
1#include "peconv/remote_pe_reader.h"
2
3#include <iostream>
4
5#include "peconv/util.h"
6#include "peconv/fix_imports.h"
7
8using namespace peconv;
9
10bool peconv::fetch_region_info(HANDLE processHandle, LPVOID moduleBase, MEMORY_BASIC_INFORMATION &page_info)
11{
12 memset(&page_info, 0, sizeof(MEMORY_BASIC_INFORMATION));
13 SIZE_T out = VirtualQueryEx(processHandle, moduleBase, &page_info, sizeof(page_info));
14 if (out != sizeof(page_info)) {
15 return false;
16 }
17 return true;
18}
19
20size_t _fetch_region_size(MEMORY_BASIC_INFORMATION &page_info, LPVOID moduleBase)
21{
22 if (page_info.Type == 0) {
23 return false; //invalid type, skip it
24 }
25 if ((BYTE*)page_info.BaseAddress > moduleBase) {
26 return 0; //should never happen
27 }
28 const size_t offset = (ULONG_PTR)moduleBase - (ULONG_PTR)page_info.BaseAddress;
29 const size_t area_size = page_info.RegionSize - offset;
30 return area_size;
31}
32
33size_t peconv::fetch_region_size(HANDLE processHandle, LPVOID moduleBase)
34{
35 MEMORY_BASIC_INFORMATION page_info = { 0 };
36 if (!peconv::fetch_region_info(processHandle, moduleBase, page_info)) {
37 return 0;
38 }
39 const size_t area_size = _fetch_region_size(page_info, moduleBase);
40 return area_size;
41}
42
43ULONGLONG peconv::fetch_alloc_base(HANDLE processHandle, LPVOID moduleBase)
44{
45 MEMORY_BASIC_INFORMATION page_info = { 0 };
46 if (!peconv::fetch_region_info(processHandle, moduleBase, page_info)) {
47 return 0;
48 }
49 if (page_info.Type == 0) {
50 return 0; //invalid type, skip it
51 }
52 return (ULONGLONG) page_info.AllocationBase;
53}
54
55namespace peconv {
61 SIZE_T _search_readable_size(HANDLE processHandle, LPVOID start_addr, OUT BYTE* buffer, const size_t buffer_size, const SIZE_T minimal_size)
62 {
63 if (!buffer || buffer_size == 0) {
64 return 0;
65 }
66 if ((buffer_size < minimal_size) || minimal_size == 0) {
67 return 0;
68 }
69 SIZE_T last_failed_size = buffer_size;
70 SIZE_T last_success_size = 0;
71
72 SIZE_T test_read_size = 0;
73 if (!ReadProcessMemory(processHandle, start_addr, buffer, minimal_size, &test_read_size)) {
74 //cannot read even the minimal size, quit trying
75 return test_read_size;
76 }
77 last_success_size = minimal_size;
78
79 SIZE_T read_size = 0;
80 SIZE_T to_read_size = buffer_size/2;
81
82 while (to_read_size > minimal_size && to_read_size < buffer_size)
83 {
84 read_size = 0;
85 if (ReadProcessMemory(processHandle, start_addr, buffer, to_read_size, &read_size)) {
86 last_success_size = to_read_size;
87 }
88 else {
89 last_failed_size = to_read_size;
90 }
91 const size_t delta = (last_failed_size - last_success_size) / 2;
92 if (delta == 0) break;
93 to_read_size = last_success_size + delta;
94 }
95 if (last_success_size) {
96 read_size = 0;
97 memset(buffer, 0, buffer_size);
98 if (ReadProcessMemory(processHandle, start_addr, buffer, last_success_size, &read_size)) {
99 return read_size;
100 }
101 }
102 return 0;
103 }
104};
105
106size_t peconv::read_remote_memory(HANDLE processHandle, LPVOID start_addr, OUT BYTE* buffer, const size_t buffer_size, const SIZE_T minimal_size)
107{
108 if (!buffer || buffer_size == 0) {
109 return 0;
110 }
111 memset(buffer, 0, buffer_size);
112
113 SIZE_T read_size = 0;
114 DWORD last_error = ERROR_SUCCESS;
115
116 while (buffer_size > 0)
117 {
118 if (ReadProcessMemory(processHandle, start_addr, buffer, buffer_size, &read_size)) {
119 break;
120 }
121 last_error = GetLastError();
122 if (last_error != ERROR_SUCCESS) {
123 if (read_size == 0 && (last_error != ERROR_PARTIAL_COPY)) {
124 break; // break
125 }
126 }
127 if (last_error == ERROR_PARTIAL_COPY) {
128 read_size = peconv::_search_readable_size(processHandle, start_addr, buffer, buffer_size, minimal_size);
129#ifdef _DEBUG
130 std::cout << "peconv::search_readable_size res: " << std::hex << read_size << std::endl;
131#endif
132 }
133 break;
134 }
135
136#ifdef _DEBUG
137 if (read_size == 0) {
138 std::cerr << "[WARNING] Cannot read memory. Last Error : " << last_error << std::endl;
139 }
140 else if (read_size < buffer_size) {
141 std::cerr << "[WARNING] Read size: " << std::hex << read_size
142 << " is smaller than the requested size: " << std::hex << buffer_size
143 << ". Last Error: " << last_error << std::endl;
144
145 }
146#endif
147 return static_cast<size_t>(read_size);
148}
149
150size_t peconv::read_remote_region(HANDLE processHandle, LPVOID start_addr, OUT BYTE* buffer, const size_t buffer_size, const bool force_access, const SIZE_T minimal_size)
151{
152 if (!buffer || buffer_size == 0) {
153 return 0;
154 }
155 MEMORY_BASIC_INFORMATION page_info = { 0 };
156 if (!peconv::fetch_region_info(processHandle, start_addr, page_info)) {
157 return 0;
158 }
159 if ((page_info.State & MEM_COMMIT) == 0) {
160 return 0;
161 }
162 size_t region_size = _fetch_region_size(page_info, start_addr);
163 if (region_size == 0) {
164 return 0;
165 }
166
167 const size_t size_to_read = (region_size > buffer_size) ? buffer_size : region_size;
168
169 const bool is_accessible = (page_info.Protect & PAGE_NOACCESS) == 0;
170 BOOL access_changed = FALSE;
171 DWORD oldProtect = 0;
172
173 // check the access right and eventually try to change it
174 if (force_access && !is_accessible) {
175 access_changed = VirtualProtectEx(processHandle, start_addr, region_size, PAGE_READONLY, &oldProtect);
176#ifdef _DEBUG
177 if (!access_changed) {
178 DWORD err = GetLastError();
179 if (err != ERROR_ACCESS_DENIED) {
180 std::cerr << "[!] " << std::hex << start_addr << " : " << region_size << " inaccessible area, changing page access failed: " << std::dec << err << "\n";
181 }
182 }
183#endif
184 }
185
186 size_t size_read = 0;
187 if (is_accessible || access_changed) {
188 size_read = peconv::read_remote_memory(processHandle, start_addr, buffer, size_to_read, minimal_size);
189 if ((size_read == 0) && (page_info.Protect & PAGE_GUARD)) {
190#ifdef _DEBUG
191 std::cout << "Warning: guarded page, trying to read again..." << std::endl;
192#endif
193 size_read = peconv::read_remote_memory(processHandle, start_addr, buffer, size_to_read, minimal_size);
194 }
195 }
196 // if the access rights were changed, change it back:
197 if (access_changed) {
198 VirtualProtectEx(processHandle, start_addr, region_size, oldProtect, &oldProtect);
199 }
200 return size_read;
201}
202
203size_t peconv::read_remote_area(HANDLE processHandle, LPVOID start_addr, OUT BYTE* buffer, const size_t buffer_size, const bool force_access, const SIZE_T minimal_size)
204{
205 if (!buffer || !start_addr || buffer_size == 0) {
206 return 0;
207 }
208 memset(buffer, 0, buffer_size);
209
210 size_t real_read = 0; // how many bytes has been realy read (not counting the skipped areas)
211 size_t last_valid = 0; // the last chunk that was really read (don't count the last skipped ones)
212
213 size_t buf_index = 0;
214 for (buf_index = 0; buf_index < buffer_size; ) {
215 LPVOID remote_chunk = LPVOID((ULONG_PTR)start_addr + buf_index);
216
217 MEMORY_BASIC_INFORMATION page_info = { 0 };
218 if (!peconv::fetch_region_info(processHandle, remote_chunk, page_info)) {
219 break;
220 }
221 const size_t region_size = _fetch_region_size(page_info, remote_chunk);
222 if (region_size == 0) {
223 break;
224 }
225
226 // read the memory:
227 const size_t read_chunk = read_remote_region(
228 processHandle,
229 remote_chunk,
230 (BYTE*)((ULONG_PTR)buffer + buf_index),
231 buffer_size - buf_index,
232 force_access,
233 minimal_size
234 );
235 if (read_chunk == 0) {
236 //skip the region that could not be read, and proceed to the next:
237 buf_index += region_size;
238 continue;
239 }
240 buf_index += read_chunk;
241 real_read += read_chunk; // total sum of the read content
242 last_valid = buf_index; // the last chunk that was really read
243 }
244 if (real_read == 0) {
245 return 0;
246 }
247 return last_valid;
248}
249
250bool peconv::read_remote_pe_header(HANDLE processHandle, LPVOID start_addr, OUT BYTE* buffer, const size_t buffer_size, bool force_access)
251{
252 if (buffer == nullptr) {
253 return false;
254 }
255 SIZE_T read_size = read_remote_area(processHandle, start_addr, buffer, buffer_size, force_access);
256 if (read_size == 0) {
257 return false;
258 }
259 BYTE *nt_ptr = get_nt_hdrs(buffer, buffer_size);
260 if (nt_ptr == nullptr) {
261 return false;
262 }
263 const size_t nt_offset = nt_ptr - buffer;
264 const size_t nt_size = peconv::is64bit(buffer) ? sizeof(IMAGE_NT_HEADERS64) : sizeof(IMAGE_NT_HEADERS32);
265 const size_t min_size = nt_offset + nt_size;
266
267 if (read_size < min_size) {
268 std::cerr << "[-] [" << std::dec << get_process_id(processHandle)
269 << " ][" << std::hex << (ULONGLONG) start_addr
270 << "] Read size: " << std::hex << read_size
271 << " is smaller that the minimal size:" << get_hdrs_size(buffer)
272 << std::endl;
273 return false;
274 }
275 //reading succeeded and the header passed the checks:
276 return true;
277}
278
279namespace peconv {
280 inline size_t roundup_to_unit(size_t size, size_t unit)
281 {
282 if (unit == 0) {
283 return size;
284 }
285 size_t parts = size / unit;
286 if (size % unit) parts++;
287 return parts * unit;
288 }
289};
290
291peconv::UNALIGNED_BUF peconv::get_remote_pe_section(HANDLE processHandle, LPVOID start_addr, const size_t section_num, OUT size_t &section_size, bool roundup, bool force_access)
292{
293 BYTE header_buffer[MAX_HEADER_SIZE] = { 0 };
294
295 if (!read_remote_pe_header(processHandle, start_addr, header_buffer, MAX_HEADER_SIZE)) {
296 return NULL;
297 }
298 PIMAGE_SECTION_HEADER section_hdr = get_section_hdr(header_buffer, MAX_HEADER_SIZE, section_num);
299 if (section_hdr == NULL || section_hdr->Misc.VirtualSize == 0) {
300 return NULL;
301 }
302 size_t buffer_size = section_hdr->Misc.VirtualSize;
303 if (roundup) {
304 DWORD va = peconv::get_sec_alignment(header_buffer, false);
305 if (va == 0) va = PAGE_SIZE;
306 buffer_size = roundup_to_unit(section_hdr->Misc.VirtualSize, va);
307 }
308 UNALIGNED_BUF module_code = peconv::alloc_unaligned(buffer_size);
309 if (module_code == NULL) {
310 return NULL;
311 }
312 size_t read_size = peconv::read_remote_memory(processHandle, LPVOID((ULONG_PTR)start_addr + section_hdr->VirtualAddress), module_code, buffer_size);
313 if (read_size == 0) {
314 // this function is slower, so use it only if the normal read has failed:
315 read_size = read_remote_area(processHandle, LPVOID((ULONG_PTR)start_addr + section_hdr->VirtualAddress), module_code, buffer_size, force_access);
316 }
317 if (read_size == 0) {
318 peconv::free_unaligned(module_code);
319 return NULL;
320 }
321 section_size = buffer_size;
322 return module_code;
323}
324
325size_t peconv::read_remote_pe(const HANDLE processHandle, LPVOID start_addr, const size_t mod_size, OUT BYTE* buffer, const size_t bufferSize)
326{
327 if (buffer == nullptr) {
328 std::cerr << "[-] Invalid output buffer: NULL pointer" << std::endl;
329 return 0;
330 }
331 if (bufferSize < mod_size || bufferSize < MAX_HEADER_SIZE ) {
332 std::cerr << "[-] Invalid output buffer: too small size!" << std::endl;
333 return 0;
334 }
335 // read PE section by section
336 PBYTE hdr_buffer = buffer;
337 //try to read headers:
338 if (!read_remote_pe_header(processHandle, start_addr, hdr_buffer, MAX_HEADER_SIZE)) {
339 std::cerr << "[-] Failed to read the module header" << std::endl;
340 return 0;
341 }
342 if (!is_valid_sections_hdr_offset(hdr_buffer, MAX_HEADER_SIZE)) {
343 std::cerr << "[-] Sections headers are invalid or atypically aligned" << std::endl;
344 return 0;
345 }
346 size_t sections_count = get_sections_count(hdr_buffer, MAX_HEADER_SIZE);
347#ifdef _DEBUG
348 std::cout << "Sections: " << sections_count << std::endl;
349#endif
350 size_t read_size = MAX_HEADER_SIZE;
351
352 for (size_t i = 0; i < sections_count; i++) {
353 PIMAGE_SECTION_HEADER hdr = get_section_hdr(hdr_buffer, MAX_HEADER_SIZE, i);
354 if (!hdr) {
355 std::cerr << "[-] Failed to read the header of section: " << i << std::endl;
356 break;
357 }
358 const DWORD sec_va = hdr->VirtualAddress;
359 const DWORD sec_vsize = get_virtual_sec_size(hdr_buffer, hdr, true);
360 if (sec_va + sec_vsize > bufferSize) {
361 std::cerr << "[-] No more space in the buffer!" << std::endl;
362 break;
363 }
364 if (sec_vsize > 0 && !read_remote_memory(processHandle, LPVOID((ULONG_PTR)start_addr + sec_va), buffer + sec_va, sec_vsize)) {
365#ifdef _DEBUG
366 std::cerr << "[-] [" << std::hex << start_addr << "] Failed to read the module section " << i <<" : at: " << std::hex << (ULONG_PTR)start_addr + sec_va << std::endl;
367#endif
368 }
369 // update the end of the read area:
370 size_t new_end = sec_va + sec_vsize;
371 if (new_end > read_size) read_size = new_end;
372 }
373#ifdef _DEBUG
374 std::cout << "Total read size: " << read_size << std::endl;
375#endif
376 return read_size;
377}
378
379DWORD peconv::get_remote_image_size(IN const HANDLE processHandle, IN LPVOID start_addr)
380{
381 BYTE hdr_buffer[MAX_HEADER_SIZE] = { 0 };
382 if (!read_remote_pe_header(processHandle, start_addr, hdr_buffer, MAX_HEADER_SIZE)) {
383 return 0;
384 }
385 return peconv::get_image_size(hdr_buffer);
386}
387
388bool peconv::dump_remote_pe(
389 IN LPCTSTR out_path,
390 IN const HANDLE processHandle,
391 IN LPVOID start_addr,
392 IN OUT t_pe_dump_mode &dump_mode,
393 IN OPTIONAL peconv::ExportsMapper* exportsMap)
394{
395 DWORD mod_size = get_remote_image_size(processHandle, start_addr);
396#ifdef _DEBUG
397 std::cout << "Module Size: " << mod_size << std::endl;
398#endif
399 if (mod_size == 0) {
400 return false;
401 }
402 BYTE* buffer = peconv::alloc_pe_buffer(mod_size, PAGE_READWRITE);
403 if (buffer == nullptr) {
404 std::cerr << "[-] Failed allocating buffer. Error: " << GetLastError() << std::endl;
405 return false;
406 }
407 //read the module that it mapped in the remote process:
408 const size_t read_size = read_remote_pe(processHandle, start_addr, mod_size, buffer, mod_size);
409 if (read_size == 0) {
410 std::cerr << "[-] Failed reading module. Error: " << GetLastError() << std::endl;
411 peconv::free_pe_buffer(buffer, mod_size);
412 buffer = nullptr;
413 return false;
414 }
415
416 const bool is_dumped = peconv::dump_pe(out_path,
417 buffer, mod_size,
418 reinterpret_cast<ULONGLONG>(start_addr),
419 dump_mode, exportsMap);
420
421 peconv::free_pe_buffer(buffer, mod_size);
422 buffer = nullptr;
423 return is_dumped;
424}
425
fix_imports.h
Functions and classes responsible for fixing Import Table. A definition of ImportedDllCoverage class.
peconv::get_process_id
DWORD get_process_id(HANDLE hProcess)
Definition util.cpp:76
peconv::get_remote_pe_section
peconv::UNALIGNED_BUF get_remote_pe_section(HANDLE processHandle, LPVOID moduleBase, const size_t sectionNum, OUT size_t &sectionSize, bool roundup, bool force_access=false)
Definition remote_pe_reader.cpp:291
peconv::get_virtual_sec_size
DWORD get_virtual_sec_size(IN const BYTE *pe_hdr, IN const PIMAGE_SECTION_HEADER sec_hdr, IN bool rounded)
Definition pe_hdrs_helper.cpp:546
peconv::dump_remote_pe
bool dump_remote_pe(IN LPCTSTR outputFilePath, IN const HANDLE processHandle, IN LPVOID moduleBase, IN OUT t_pe_dump_mode &dump_mode, IN OPTIONAL peconv::ExportsMapper *exportsMap=nullptr)
Definition remote_pe_reader.cpp:388
peconv::is_valid_sections_hdr_offset
bool is_valid_sections_hdr_offset(IN const BYTE *buffer, IN const size_t buffer_size)
Definition pe_hdrs_helper.cpp:328
peconv::alloc_unaligned
UNALIGNED_BUF alloc_unaligned(size_t buf_size)
Definition buffer_util.cpp:39
peconv::read_remote_region
size_t read_remote_region(HANDLE processHandle, LPVOID start_addr, OUT BYTE *buffer, const size_t buffer_size, const bool force_access, const SIZE_T minimal_size=0x100)
Definition remote_pe_reader.cpp:150
peconv::get_section_hdr
PIMAGE_SECTION_HEADER get_section_hdr(IN const BYTE *pe_buffer, IN const size_t buffer_size, IN size_t section_num)
Definition pe_hdrs_helper.cpp:343
peconv::read_remote_memory
size_t read_remote_memory(HANDLE processHandle, LPVOID start_addr, OUT BYTE *buffer, const size_t buffer_size, const SIZE_T minimal_size=0x100)
Definition remote_pe_reader.cpp:106
peconv::fetch_region_info
bool fetch_region_info(HANDLE processHandle, LPVOID start_addr, MEMORY_BASIC_INFORMATION &page_info)
Definition remote_pe_reader.cpp:10
peconv::get_image_size
DWORD get_image_size(IN const BYTE *payload)
Definition pe_hdrs_helper.cpp:77
peconv::t_pe_dump_mode
t_pe_dump_mode
Definition pe_dumper.h:16
peconv::read_remote_area
size_t read_remote_area(HANDLE processHandle, LPVOID start_addr, OUT BYTE *buffer, const size_t buffer_size, const bool force_access, const SIZE_T minimal_size=0x100)
Definition remote_pe_reader.cpp:203
peconv::free_pe_buffer
bool free_pe_buffer(ALIGNED_BUF buffer, size_t buffer_size=0)
Definition buffer_util.cpp:88
peconv::alloc_pe_buffer
ALIGNED_BUF alloc_pe_buffer(size_t buffer_size, DWORD protect, ULONGLONG desired_base=NULL)
Definition buffer_util.cpp:82
peconv::roundup_to_unit
size_t roundup_to_unit(size_t size, size_t unit)
Definition remote_pe_reader.cpp:280
peconv::get_sec_alignment
DWORD get_sec_alignment(IN const BYTE *modulePtr, IN bool is_raw)
Definition pe_hdrs_helper.cpp:519
peconv::is64bit
bool is64bit(IN const BYTE *pe_buffer)
Definition pe_hdrs_helper.cpp:121
peconv::get_sections_count
size_t get_sections_count(IN const BYTE *buffer, IN const size_t buffer_size)
Definition pe_hdrs_helper.cpp:319
peconv::_search_readable_size
SIZE_T _search_readable_size(HANDLE processHandle, LPVOID start_addr, OUT BYTE *buffer, const size_t buffer_size, const SIZE_T minimal_size)
Definition remote_pe_reader.cpp:61
peconv::MAX_HEADER_SIZE
const ULONGLONG MAX_HEADER_SIZE
Definition pe_hdrs_helper.h:19
peconv::read_remote_pe_header
bool read_remote_pe_header(HANDLE processHandle, LPVOID moduleBase, OUT BYTE *buffer, const size_t bufferSize, bool force_access=false)
Definition remote_pe_reader.cpp:250
peconv::dump_pe
bool dump_pe(IN LPCTSTR outputFilePath, IN OUT BYTE *buffer, IN size_t buffer_size, IN const ULONGLONG module_base, IN OUT t_pe_dump_mode &dump_mode, IN OPTIONAL const peconv::ExportsMapper *exportsMap=nullptr)
Definition pe_dumper.cpp:25
peconv::get_hdrs_size
DWORD get_hdrs_size(IN const BYTE *pe_buffer)
Definition pe_hdrs_helper.cpp:208
peconv::UNALIGNED_BUF
PBYTE UNALIGNED_BUF
Definition buffer_util.h:41
peconv::get_nt_hdrs
BYTE * get_nt_hdrs(IN const BYTE *pe_buffer, IN OPTIONAL size_t buffer_size=0)
Definition pe_hdrs_helper.cpp:10
peconv::read_remote_pe
size_t read_remote_pe(const HANDLE processHandle, LPVOID moduleBase, const size_t moduleSize, OUT BYTE *buffer, const size_t bufferSize)
Definition remote_pe_reader.cpp:325
peconv::fetch_region_size
size_t fetch_region_size(HANDLE processHandle, LPVOID start_addr)
Definition remote_pe_reader.cpp:33
peconv::fetch_alloc_base
ULONGLONG fetch_alloc_base(HANDLE processHandle, LPVOID start_addr)
Definition remote_pe_reader.cpp:43
peconv::free_unaligned
void free_unaligned(UNALIGNED_BUF section_buffer)
Definition buffer_util.cpp:47
peconv::get_remote_image_size
DWORD get_remote_image_size(IN const HANDLE processHandle, IN LPVOID start_addr)
Definition remote_pe_reader.cpp:379
PAGE_SIZE
#define PAGE_SIZE
Definition pe_hdrs_helper.h:12
_fetch_region_size
size_t _fetch_region_size(MEMORY_BASIC_INFORMATION &page_info, LPVOID moduleBase)
Definition remote_pe_reader.cpp:20
remote_pe_reader.h
Reading from a PE module that is loaded within a remote process.
util.h
Miscellaneous utility functions.
Generated on Sat Nov 2 2024 22:08:24 for libPeConv by doxygen 1.12.0