libpeconv/resource__parser_8cpp_source.html

#include "peconv/resource_parser.h"

#include "peconv/pe_hdrs_helper.h"


#include "peconv/logger.h"


namespace {


    bool parse_resource_dir(BYTE* modulePtr, const size_t moduleSize,

        IMAGE_RESOURCE_DIRECTORY_ENTRY* root_dir,

        const IMAGE_RESOURCE_DIRECTORY* upper_dir,

        IMAGE_RESOURCE_DIRECTORY* curr_dir,

        peconv::t_on_res_entry_found on_entry,

        size_t depth = 0);


    bool parse_resource_entry(BYTE* modulePtr, const size_t moduleSize,

        IMAGE_RESOURCE_DIRECTORY_ENTRY* root_dir,

        const IMAGE_RESOURCE_DIRECTORY* upper_dir,

        IMAGE_RESOURCE_DIRECTORY_ENTRY* entry,

        peconv::t_on_res_entry_found on_entry,

        size_t depth)

    {

        if (!entry->DataIsDirectory) {

            LOG_DEBUG("Entry is NOT a directory.");

            DWORD offset = entry->OffsetToData;

            LOG_DEBUG("Offset: %lu.", offset);

            IMAGE_RESOURCE_DATA_ENTRY* data_entry = (IMAGE_RESOURCE_DATA_ENTRY*)(offset + (ULONGLONG)upper_dir);

            if (!peconv::validate_ptr(modulePtr, moduleSize, data_entry, sizeof(IMAGE_RESOURCE_DATA_ENTRY))) {

                return false;

            }

            LOG_DEBUG("Data Offset: %lu : %lu.", data_entry->OffsetToData, data_entry->Size);

            BYTE* data_ptr = (BYTE*)((ULONGLONG)modulePtr + data_entry->OffsetToData);

            if (!peconv::validate_ptr(modulePtr, moduleSize, data_ptr, data_entry->Size)) {

                return false;

            }

            on_entry(modulePtr, root_dir, data_entry);

            return true;

        }

        LOG_DEBUG("Entry is a directory.");

        //else: it is a next level directory

        DWORD offset = entry->OffsetToDirectory;

        LOG_DEBUG("Offset: 0x%x.", offset);

        IMAGE_RESOURCE_DIRECTORY* next_dir = (IMAGE_RESOURCE_DIRECTORY*)(offset + (ULONGLONG)upper_dir);

        if (!peconv::validate_ptr(modulePtr, moduleSize, next_dir, sizeof(IMAGE_RESOURCE_DIRECTORY))) {

            return false;

        }

        return parse_resource_dir(modulePtr, moduleSize, root_dir, upper_dir, next_dir, on_entry, depth);

    }


    bool parse_resource_dir(BYTE* modulePtr, const size_t moduleSize,

        IMAGE_RESOURCE_DIRECTORY_ENTRY* root_dir,

        const IMAGE_RESOURCE_DIRECTORY* upper_dir,

        IMAGE_RESOURCE_DIRECTORY* curr_dir,

        peconv::t_on_res_entry_found on_entry,

        size_t depth)

    {

        if (depth > 8) {

            LOG_ERROR("Maximum depth exceeded: %lld", (unsigned long long)depth);

            return false;

        }

        size_t total_entries = curr_dir->NumberOfIdEntries + curr_dir->NumberOfNamedEntries;

        IMAGE_RESOURCE_DIRECTORY_ENTRY* first_entry = (IMAGE_RESOURCE_DIRECTORY_ENTRY*)((ULONGLONG)&curr_dir->NumberOfIdEntries + sizeof(WORD));

        for (size_t i = 0; i < total_entries; i++) {

            IMAGE_RESOURCE_DIRECTORY_ENTRY* entry = &first_entry[i];

            if (!peconv::validate_ptr(modulePtr, moduleSize, entry, sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY))) {

                LOG_ERROR("Invalid resource entry pointer");

                return false;

            }

            LOG_DEBUG("Entry: 0x%zx ; Id: %u ; dataOffset: %lu.", i, entry->Id, entry->OffsetToData);

            if (!root_dir) {

                root_dir = entry;

            }

            parse_resource_entry(modulePtr, moduleSize, root_dir, upper_dir, entry, on_entry, depth + 1);

        }

        return true;

    }

};


bool peconv::parse_resources(BYTE* modulePtr, t_on_res_entry_found on_entry)

{

    const size_t module_size = peconv::get_image_size(modulePtr);

    IMAGE_DATA_DIRECTORY *dir = peconv::get_directory_entry(modulePtr, IMAGE_DIRECTORY_ENTRY_RESOURCE);

    if (!dir || dir->VirtualAddress == 0 || dir->Size == 0) {

        return false;

    }

    IMAGE_RESOURCE_DIRECTORY *res_dir = (IMAGE_RESOURCE_DIRECTORY*)(dir->VirtualAddress + (ULONGLONG)modulePtr);

    if (!peconv::validate_ptr(modulePtr, module_size, res_dir, sizeof(IMAGE_RESOURCE_DIRECTORY))) {

        return false;

    }

    return parse_resource_dir(modulePtr, module_size, nullptr, res_dir, res_dir, on_entry);

}


logger.h

LOG_DEBUG
#define LOG_DEBUG(fmt,...)
Definition logger.h:56

LOG_ERROR
#define LOG_ERROR(fmt,...)
Definition logger.h:36

peconv::parse_resources
bool parse_resources(BYTE *modulePtr, t_on_res_entry_found on_entry)
Definition resource_parser.cpp:78

peconv::t_on_res_entry_found
bool(* t_on_res_entry_found)(BYTE *modulePtr, IMAGE_RESOURCE_DIRECTORY_ENTRY *root_dir, IMAGE_RESOURCE_DATA_ENTRY *curr_entry)
Definition resource_parser.h:13

peconv::validate_ptr
bool validate_ptr(IN const void *buffer_bgn, IN size_t buffer_size, IN const void *field_bgn, IN size_t field_size)
Definition buffer_util.cpp:9

peconv::get_image_size
DWORD get_image_size(IN const BYTE *payload)
Definition pe_hdrs_helper.cpp:75

peconv::get_directory_entry
IMAGE_DATA_DIRECTORY * get_directory_entry(IN const BYTE *pe_buffer, IN DWORD dir_id, IN bool allow_empty=false)
Definition pe_hdrs_helper.cpp:128

pe_hdrs_helper.h
Wrappers over various fields in the PE header. Read, write, parse PE headers.

resource_parser.h
Parsing PE's resource directory.