libpeconv/util_8cpp_source.html

#include "peconv/util.h"


#define USE_OLD_BADPTR


namespace peconv {


    HMODULE g_kernel32Hndl = nullptr;

    HMODULE g_ntdllHndl = nullptr;


    bool fetch_or_load_dll(IN const char *mod_name, IN OUT HMODULE &mod)

    {

        if (!mod) {

            mod = GetModuleHandleA(mod_name);

            if (!mod) {

                mod = LoadLibraryA(mod_name);

            }

        }

        return mod ? true : false;

    }


    HMODULE get_kernel32_hndl()

    {

        fetch_or_load_dll("kernel32.dll", g_kernel32Hndl);

        return g_kernel32Hndl;

    }


    HMODULE get_ntdll_hndl()

    {

        fetch_or_load_dll("ntdll.dll", g_ntdllHndl);

        return g_ntdllHndl;

    }


};


DWORD ntdll_get_process_id(HANDLE hProcess)

{

#if !defined PROCESSINFOCLASS

    typedef LONG PROCESSINFOCLASS;

#endif


    NTSTATUS(WINAPI *_ZwQueryInformationProcess)(

        IN       HANDLE ProcessHandle,

        IN       PROCESSINFOCLASS ProcessInformationClass,

        OUT      PVOID ProcessInformation,

        IN       ULONG ProcessInformationLength,

        OUT  PULONG ReturnLength

    ) = NULL;


    HINSTANCE hNtDll = peconv::get_ntdll_hndl();

    if (!hNtDll) {

        return 0;

    }


    FARPROC procPtr = GetProcAddress(hNtDll, "ZwQueryInformationProcess");

    if (!procPtr) {

        return 0;

    }


    _ZwQueryInformationProcess = (NTSTATUS(WINAPI *)(

        HANDLE,

        PROCESSINFOCLASS,

        PVOID,

        ULONG,

        PULONG)

     ) procPtr;


    typedef struct _PROCESS_BASIC_INFORMATION {

        PVOID Reserved1;

        PVOID PebBaseAddress;

        PVOID Reserved2[2];

        ULONG_PTR UniqueProcessId;

        PVOID Reserved3;

    } PROCESS_BASIC_INFORMATION;


    PROCESS_BASIC_INFORMATION pbi = { 0 };

    if (_ZwQueryInformationProcess(hProcess, 0, &pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL) == S_OK) {

        const DWORD pid = static_cast<DWORD>(pbi.UniqueProcessId);

        return pid;

    }

    return 0;

}


DWORD peconv::get_process_id(HANDLE hProcess)

{

    static DWORD(WINAPI *_GetProcessId)(IN HANDLE Process) = nullptr;


    DWORD processID = 0;

    if (!_GetProcessId) {

        HMODULE kernelLib = peconv::get_kernel32_hndl();

        if (kernelLib) {

            FARPROC procPtr = GetProcAddress(kernelLib, "GetProcessId");

            if (procPtr) {

                _GetProcessId = (DWORD(WINAPI *) (IN HANDLE))procPtr;

            }

        }

    }

    if (_GetProcessId) {

        processID = _GetProcessId(hProcess);

    }

    if (processID == 0) {

        //could not retrieve Pid using GetProcessId, try using NTDLL:

        processID = ntdll_get_process_id(hProcess);

    }

    return processID;

}


bool peconv::is_padding(const BYTE *cave_ptr, size_t cave_size, const BYTE padding)

{

    for (size_t i = 0; i < cave_size; i++) {

        if (cave_ptr[i] != padding) {

            return false;

        }

    }

    return true;

}


bool peconv::is_mem_accessible(LPCVOID areaStart, SIZE_T areaSize, DWORD dwAccessRights)

{

    if (!areaSize) return false; // zero-sized areas are not allowed


    const DWORD dwForbiddenArea = PAGE_GUARD | PAGE_NOACCESS;


    MEMORY_BASIC_INFORMATION mbi = { 0 };

    const size_t mbiSize = sizeof(MEMORY_BASIC_INFORMATION);


    SIZE_T sizeToCheck = areaSize;

    LPCVOID areaPtr = areaStart;


    while (sizeToCheck > 0) {

        //reset area

        memset(&mbi, 0, mbiSize);


        // query the next area

        if (VirtualQuery(areaPtr, &mbi, mbiSize) != mbiSize) {

            return false; // could not query the area, assume it is bad

        }

        // check the privileges

        bool isOk = (mbi.State & MEM_COMMIT) // memory allocated and

            && !(mbi.Protect & dwForbiddenArea) // access to page allowed and

            && (mbi.Protect & dwAccessRights); // the required rights

        if (!isOk) {

            return false; //invalid access

        }

        SIZE_T offset = (ULONG_PTR)areaPtr - (ULONG_PTR)mbi.BaseAddress;

        SIZE_T queriedSize = mbi.RegionSize - offset;

        if (queriedSize >= sizeToCheck) {

            return true; // it is fine

        }

        // move to the next region

        sizeToCheck -= queriedSize;

        areaPtr = LPCVOID((ULONG_PTR)areaPtr + queriedSize);

    }

    // by default assume it is inaccessible

    return false;

}


bool peconv::is_bad_read_ptr(LPCVOID areaStart, SIZE_T areaSize)

{

#ifdef USE_OLD_BADPTR // classic IsBadReadPtr is much faster than the version using VirtualQuery

    return (IsBadReadPtr(areaStart, areaSize)) ? true : false;

#else

    const DWORD dwReadRights = PAGE_READONLY | PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;

    bool isAccessible = peconv::is_mem_accessible(areaStart, areaSize, dwReadRights);

    if (isAccessible) {

        // the area has read access rights: not a bad read pointer

        return false;

    }

    return true;

#endif

}


peconv
Definition buffer_util.h:15

peconv::get_process_id
DWORD get_process_id(HANDLE hProcess)
Definition util.cpp:82

peconv::is_mem_accessible
bool is_mem_accessible(LPCVOID areaStart, SIZE_T areaSize, DWORD accessRights)
Definition util.cpp:116

peconv::fetch_or_load_dll
bool fetch_or_load_dll(IN const char *mod_name, IN OUT HMODULE &mod)
Definition util.cpp:10

peconv::g_ntdllHndl
HMODULE g_ntdllHndl
Definition util.cpp:8

peconv::is_padding
bool is_padding(const BYTE *cave_ptr, size_t cave_size, const BYTE padding_char)
Definition util.cpp:106

peconv::get_kernel32_hndl
HMODULE get_kernel32_hndl()
Definition util.cpp:21

peconv::is_bad_read_ptr
bool is_bad_read_ptr(LPCVOID areaStart, SIZE_T areaSize)
Definition util.cpp:156

peconv::g_kernel32Hndl
HMODULE g_kernel32Hndl
Definition util.cpp:7

peconv::get_ntdll_hndl
HMODULE get_ntdll_hndl()
Definition util.cpp:27

ntdll_get_process_id
DWORD ntdll_get_process_id(HANDLE hProcess)
Definition util.cpp:34

util.h
Miscellaneous utility functions.