├── portable_executable ├── portable_executable │ ├── data_directory.cpp │ ├── section_header.cpp │ ├── file_header.hpp │ ├── dos_header.cpp │ ├── file.hpp │ ├── nt_headers.hpp │ ├── nt_headers.cpp │ ├── dos_header.hpp │ ├── export_directory.cpp │ ├── data_directory.hpp │ ├── optional_header.hpp │ ├── file.cpp │ ├── debug_directory.hpp │ ├── exception_directory.cpp │ ├── section_header.hpp │ ├── relocations_directory.cpp │ ├── export_directory.hpp │ ├── imports_directory.cpp │ ├── imports_directory.hpp │ ├── relocations_directory.hpp │ ├── image.cpp │ ├── exception_directory.hpp │ └── image.hpp ├── main.cpp ├── portable_executable.vcxproj.filters └── portable_executable.vcxproj ├── portable_executable.sln ├── README.md └── .gitignore /portable_executable/portable_executable/data_directory.cpp: -------------------------------------------------------------------------------- 1 | #include "data_directory.hpp" 2 | 3 | bool portable_executable::data_directory_t::present() const 4 | { 5 | return this->size != 0; 6 | } 7 | -------------------------------------------------------------------------------- /portable_executable/portable_executable/section_header.cpp: -------------------------------------------------------------------------------- 1 | #include "section_header.hpp" 2 | 3 | std::string portable_executable::section_header_t::to_str() const 4 | { 5 | return { this->name, this->name + sizeof(this->name) }; 6 | } 7 | -------------------------------------------------------------------------------- /portable_executable/portable_executable/file_header.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | namespace portable_executable 6 | { 7 | struct file_header_t 8 | { 9 | std::uint16_t machine; 10 | std::uint16_t number_of_sections; 11 | std::uint32_t time_date_stamp; 12 | std::uint32_t pointer_to_symbol_table; 13 | std::uint32_t number_of_symbols; 14 | std::uint16_t sizeof_optional_header; 15 | std::uint16_t characteristics; 16 | }; 17 | } 18 | -------------------------------------------------------------------------------- /portable_executable/portable_executable/dos_header.cpp: -------------------------------------------------------------------------------- 1 | #include "dos_header.hpp" 2 | 3 | bool portable_executable::dos_header_t::valid() const 4 | { 5 | return this->e_magic == dos_magic; 6 | } 7 | 8 | portable_executable::nt_headers_t* portable_executable::dos_header_t::nt_headers() 9 | { 10 | return reinterpret_cast(reinterpret_cast(this) + this->e_lfanew); 11 | } 12 | 13 | const portable_executable::nt_headers_t* portable_executable::dos_header_t::nt_headers() const 14 | { 15 | return reinterpret_cast(reinterpret_cast(this) + this->e_lfanew); 16 | } -------------------------------------------------------------------------------- /portable_executable/portable_executable/file.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | namespace portable_executable 9 | { 10 | class image_t; 11 | 12 | class file_t 13 | { 14 | std::filesystem::path m_file_path; 15 | 16 | std::vector m_buffer; 17 | 18 | public: 19 | explicit file_t(std::string_view file_path); 20 | 21 | explicit file_t(std::wstring_view file_path); 22 | 23 | explicit file_t(std::filesystem::path file_path); 24 | 25 | bool load(); 26 | 27 | image_t* image(); 28 | 29 | [[nodiscard]] const image_t* image() const; 30 | }; 31 | } -------------------------------------------------------------------------------- /portable_executable/portable_executable/nt_headers.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #include "file_header.hpp" 6 | #include "optional_header.hpp" 7 | 8 | #include "section_header.hpp" 9 | 10 | namespace portable_executable 11 | { 12 | static constexpr std::uint32_t nt_magic = 0x00004550; 13 | 14 | struct nt_headers_t 15 | { 16 | std::uint32_t signature; 17 | file_header_t file_header; 18 | optional_header_t optional_header; 19 | 20 | [[nodiscard]] bool valid() const; 21 | 22 | section_header_t* section_headers(); 23 | 24 | [[nodiscard]] const section_header_t* section_headers() const; 25 | 26 | [[nodiscard]] std::uint16_t num_sections() const; 27 | }; 28 | } -------------------------------------------------------------------------------- /portable_executable/portable_executable/nt_headers.cpp: -------------------------------------------------------------------------------- 1 | #include "nt_headers.hpp" 2 | 3 | bool portable_executable::nt_headers_t::valid() const 4 | { 5 | return this->signature == nt_magic; 6 | } 7 | 8 | portable_executable::section_header_t* portable_executable::nt_headers_t::section_headers() 9 | { 10 | return reinterpret_cast(reinterpret_cast(&this->optional_header) + this->file_header.sizeof_optional_header); 11 | } 12 | 13 | const portable_executable::section_header_t* portable_executable::nt_headers_t::section_headers() const 14 | { 15 | return reinterpret_cast(reinterpret_cast(&this->optional_header) + this->file_header.sizeof_optional_header); 16 | } 17 | 18 | std::uint16_t portable_executable::nt_headers_t::num_sections() const 19 | { 20 | return this->file_header.number_of_sections; 21 | } -------------------------------------------------------------------------------- /portable_executable.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.12.35527.113 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "portable_executable", "portable_executable\portable_executable.vcxproj", "{7D3BDA32-9943-45CB-B075-9BA7327E0E85}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {7D3BDA32-9943-45CB-B075-9BA7327E0E85}.Debug|x64.ActiveCfg = Debug|x64 15 | {7D3BDA32-9943-45CB-B075-9BA7327E0E85}.Debug|x64.Build.0 = Debug|x64 16 | {7D3BDA32-9943-45CB-B075-9BA7327E0E85}.Release|x64.ActiveCfg = Release|x64 17 | {7D3BDA32-9943-45CB-B075-9BA7327E0E85}.Release|x64.Build.0 = Release|x64 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | EndGlobal 23 | -------------------------------------------------------------------------------- /portable_executable/portable_executable/dos_header.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #include "nt_headers.hpp" 6 | 7 | namespace portable_executable 8 | { 9 | static constexpr std::uint16_t dos_magic = 0x5A4D; 10 | 11 | struct dos_header_t 12 | { 13 | std::uint16_t e_magic; 14 | std::uint16_t e_cblp; 15 | std::uint16_t e_cp; 16 | std::uint16_t e_crlc; 17 | std::uint16_t e_cparhdr; 18 | std::uint16_t e_minalloc; 19 | std::uint16_t e_maxalloc; 20 | std::uint16_t e_ss; 21 | std::uint16_t e_sp; 22 | std::uint16_t e_csum; 23 | std::uint16_t e_ip; 24 | std::uint16_t e_cs; 25 | std::uint16_t e_lfarlc; 26 | std::uint16_t e_ovno; 27 | std::uint16_t e_res[4]; 28 | std::uint16_t e_oemid; 29 | std::uint16_t e_oeminfo; 30 | std::uint16_t e_res2[10]; 31 | std::uint32_t e_lfanew; 32 | 33 | [[nodiscard]] bool valid() const; 34 | 35 | nt_headers_t* nt_headers(); 36 | 37 | [[nodiscard]] const nt_headers_t* nt_headers() const; 38 | }; 39 | } -------------------------------------------------------------------------------- /portable_executable/portable_executable/export_directory.cpp: -------------------------------------------------------------------------------- 1 | #include "export_directory.hpp" 2 | 3 | portable_executable::exports_iterator_t::exports_iterator_t(const std::uint8_t* module, const std::uint32_t* names, const std::uint32_t* functions, const std::uint16_t* ordinals, std::uint32_t index) : 4 | m_module(module), m_names(names), m_functions(functions), m_ordinals(ordinals), m_index(index) 5 | { 6 | 7 | } 8 | 9 | portable_executable::exports_iterator_t::value_type portable_executable::exports_iterator_t::operator*() const 10 | { 11 | const std::uint32_t name_offset = this->m_names[this->m_index]; 12 | 13 | const std::uint16_t ordinal_offset = this->m_ordinals[this->m_index]; 14 | 15 | const std::uint32_t functions_offset = this->m_functions[ordinal_offset]; 16 | 17 | return 18 | { 19 | reinterpret_cast(this->m_module + name_offset), 20 | const_cast(this->m_module + functions_offset) 21 | }; 22 | } 23 | 24 | portable_executable::exports_iterator_t& portable_executable::exports_iterator_t::operator++() 25 | { 26 | ++this->m_index; 27 | 28 | return *this; 29 | } 30 | 31 | bool portable_executable::exports_iterator_t::operator==(const exports_iterator_t& other) const 32 | { 33 | return this->m_index == other.m_index; 34 | } 35 | 36 | bool portable_executable::exports_iterator_t::operator!=(const exports_iterator_t& other) const 37 | { 38 | return this->m_index != other.m_index; 39 | } 40 | -------------------------------------------------------------------------------- /portable_executable/portable_executable/data_directory.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | namespace portable_executable 7 | { 8 | static constexpr std::size_t max_data_directories = 16; 9 | 10 | struct data_directory_t 11 | { 12 | std::uint32_t virtual_address; 13 | std::uint32_t size; 14 | 15 | [[nodiscard]] bool present() const; 16 | }; 17 | 18 | struct data_directories_t 19 | { 20 | union 21 | { 22 | struct 23 | { 24 | data_directory_t export_directory; 25 | data_directory_t import_directory; 26 | data_directory_t resource_directory; 27 | data_directory_t exception_directory; 28 | data_directory_t security_directory; 29 | data_directory_t basereloc_directory; 30 | data_directory_t debug_directory; 31 | data_directory_t architecture_directory; 32 | data_directory_t globalptr_directory; 33 | data_directory_t tls_directory; 34 | data_directory_t load_config_directory; 35 | data_directory_t bound_import_directory; 36 | data_directory_t iat_directory; 37 | data_directory_t delay_import_directory; 38 | data_directory_t com_descriptor_directory; 39 | data_directory_t _reserved0; 40 | }; 41 | 42 | data_directory_t entries[max_data_directories]; 43 | }; 44 | }; 45 | } -------------------------------------------------------------------------------- /portable_executable/portable_executable/optional_header.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #include "data_directory.hpp" 6 | 7 | namespace portable_executable 8 | { 9 | struct optional_header_t 10 | { 11 | std::uint16_t magic; 12 | std::uint8_t major_linker_version; 13 | std::uint8_t minor_linker_version; 14 | std::uint32_t size_of_code; 15 | std::uint32_t size_of_initialized_data; 16 | std::uint32_t size_of_uninitialized_data; 17 | std::uint32_t address_of_entry_point; 18 | std::uint32_t base_of_code; 19 | std::uint64_t image_base; 20 | std::uint32_t section_alignment; 21 | std::uint32_t file_alignment; 22 | std::uint16_t major_operating_system_version; 23 | std::uint16_t minor_operating_system_version; 24 | std::uint16_t major_image_version; 25 | std::uint16_t minor_image_version; 26 | std::uint16_t major_subsystem_version; 27 | std::uint16_t minor_subsystem_version; 28 | std::uint32_t win32_version_value; 29 | std::uint32_t size_of_image; 30 | std::uint32_t size_of_headers; 31 | std::uint32_t check_sum; 32 | std::uint16_t subsystem; 33 | std::uint16_t dll_characteristics; 34 | std::uint64_t size_of_stack_reserve; 35 | std::uint64_t size_of_stack_commit; 36 | std::uint64_t size_of_heap_reserve; 37 | std::uint64_t size_of_heap_commit; 38 | std::uint32_t loader_flags; 39 | std::uint32_t number_of_rva_and_sizes; 40 | data_directories_t data_directories; 41 | }; 42 | } -------------------------------------------------------------------------------- /portable_executable/portable_executable/file.cpp: -------------------------------------------------------------------------------- 1 | #include "file.hpp" 2 | #include "image.hpp" 3 | 4 | #include 5 | 6 | portable_executable::file_t::file_t(const std::string_view file_path) : m_file_path(file_path) 7 | { 8 | } 9 | 10 | portable_executable::file_t::file_t(const std::wstring_view file_path) : m_file_path(file_path) 11 | { 12 | } 13 | 14 | portable_executable::file_t::file_t(std::filesystem::path file_path) : m_file_path(std::move(file_path)) 15 | { 16 | } 17 | 18 | bool portable_executable::file_t::load() 19 | { 20 | std::ifstream file_stream(this->m_file_path, std::ios::binary); 21 | 22 | if (!file_stream.is_open()) 23 | { 24 | return false; 25 | } 26 | 27 | file_stream.seekg(0, std::ios::end); 28 | 29 | const std::streampos file_size = file_stream.tellg(); 30 | 31 | file_stream.seekg(0, std::ios::beg); 32 | 33 | std::vector raw_buffer(file_size); 34 | file_stream.read(reinterpret_cast(raw_buffer.data()), static_cast(raw_buffer.size())); 35 | 36 | const auto raw_image = reinterpret_cast(raw_buffer.data()); 37 | 38 | if (!raw_image->dos_header()->valid() || !raw_image->nt_headers()->valid()) 39 | { 40 | return false; 41 | } 42 | 43 | this->m_buffer.resize(raw_image->nt_headers()->optional_header.size_of_image, 0); 44 | 45 | std::memcpy(this->m_buffer.data(), raw_buffer.data(), 0x1000); 46 | 47 | for (const auto& section : raw_image->sections()) 48 | { 49 | std::memcpy(this->m_buffer.data() + section.virtual_address, raw_buffer.data() + section.pointer_to_raw_data, section.size_of_raw_data); 50 | } 51 | 52 | return true; 53 | } 54 | 55 | portable_executable::image_t* portable_executable::file_t::image() 56 | { 57 | return reinterpret_cast(this->m_buffer.data()); 58 | } 59 | 60 | const portable_executable::image_t* portable_executable::file_t::image() const 61 | { 62 | return reinterpret_cast(this->m_buffer.data()); 63 | } 64 | -------------------------------------------------------------------------------- /portable_executable/portable_executable/debug_directory.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | namespace portable_executable 7 | { 8 | enum class debug_directory_type_t : std::uint32_t 9 | { 10 | unknown, 11 | coff, 12 | codeview, 13 | fpo, 14 | misc, 15 | exception, 16 | fixup, 17 | omap_to_src, 18 | omap_from_src, 19 | borland, 20 | _reserved0, 21 | clsid, 22 | vc_feature, 23 | pogo, 24 | iltcg, 25 | mpx, 26 | repro, 27 | _undefined1, 28 | _reserved1, 29 | _undefined2, 30 | ex_dll_characteristics 31 | }; 32 | 33 | struct debug_directory_t 34 | { 35 | std::uint32_t characteristics; 36 | std::uint32_t time_date_stamp; 37 | std::uint16_t major_version; 38 | std::uint16_t minor_version; 39 | debug_directory_type_t type; 40 | std::uint32_t size_of_data; 41 | std::uint32_t virtual_address; 42 | std::uint32_t pointer_to_raw_data; 43 | }; 44 | 45 | template 46 | class debug_info_iterator_t 47 | { 48 | private: 49 | using pointer_type = std::conditional_t, const std::uint8_t*, std::uint8_t*>; 50 | 51 | T* m_debug_info = nullptr; 52 | T* m_end_debug_info = nullptr; 53 | 54 | public: 55 | debug_info_iterator_t() = default; 56 | 57 | debug_info_iterator_t(const pointer_type module, const std::uint32_t debug_directory_rva, const std::uint32_t entry_count) : 58 | m_debug_info(reinterpret_cast(module + debug_directory_rva)), 59 | m_end_debug_info(m_debug_info + entry_count) 60 | { 61 | 62 | } 63 | 64 | [[nodiscard]] T* begin() const 65 | { 66 | return m_debug_info; 67 | } 68 | 69 | [[nodiscard]] T* end() const 70 | { 71 | return m_end_debug_info; 72 | } 73 | }; 74 | } -------------------------------------------------------------------------------- /portable_executable/portable_executable/exception_directory.cpp: -------------------------------------------------------------------------------- 1 | #include "exception_directory.hpp" 2 | 3 | portable_executable::unwind_code_iterator_t portable_executable::unwind_info_t::begin() const 4 | { 5 | return unwind_code_iterator_t{ codes }; 6 | } 7 | 8 | portable_executable::unwind_code_iterator_t portable_executable::unwind_info_t::end() const 9 | { 10 | return unwind_code_iterator_t{ codes + unwind_code_count }; 11 | } 12 | 13 | portable_executable::unwind_code_iterator_t::value_type portable_executable::unwind_code_iterator_t::operator*() const 14 | { 15 | return *m_current_code; 16 | } 17 | 18 | portable_executable::unwind_code_iterator_t& portable_executable::unwind_code_iterator_t::operator++() 19 | { 20 | ++m_current_code; 21 | 22 | return *this; 23 | } 24 | 25 | bool portable_executable::unwind_code_iterator_t::operator==(const unwind_code_iterator_t& other) const 26 | { 27 | return m_current_code == other.m_current_code; 28 | } 29 | 30 | bool portable_executable::unwind_code_iterator_t::operator!=(const unwind_code_iterator_t& other) const 31 | { 32 | return m_current_code != other.m_current_code; 33 | } 34 | 35 | portable_executable::runtime_functions_iterator_t::value_type portable_executable::runtime_functions_iterator_t::operator*() const 36 | { 37 | const auto function_begin = const_cast(m_module + m_current_function->begin_address); 38 | const auto function_end = const_cast(m_module + m_current_function->end_address); 39 | const auto unwind_info = reinterpret_cast(const_cast(m_module + m_current_function->unwind_info_rva)); 40 | 41 | return value_type{ function_begin, function_end, unwind_info }; 42 | } 43 | 44 | portable_executable::runtime_functions_iterator_t& portable_executable::runtime_functions_iterator_t::operator++() 45 | { 46 | ++m_current_function; 47 | 48 | return *this; 49 | } 50 | 51 | bool portable_executable::runtime_functions_iterator_t::operator==(const runtime_functions_iterator_t& other) const 52 | { 53 | return m_current_function == other.m_current_function; 54 | } 55 | 56 | bool portable_executable::runtime_functions_iterator_t::operator!=(const runtime_functions_iterator_t& other) const 57 | { 58 | return m_current_function != other.m_current_function; 59 | } 60 | -------------------------------------------------------------------------------- /portable_executable/portable_executable/section_header.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | namespace portable_executable 8 | { 9 | static constexpr std::size_t section_name_size_limit = 8; 10 | 11 | union section_characteristics_t 12 | { 13 | struct 14 | { 15 | std::uint32_t _pad0 : 5; 16 | std::uint32_t cnt_code : 1; 17 | std::uint32_t cnt_init_data : 1; 18 | std::uint32_t cnt_uninit_data : 1; 19 | std::uint32_t _pad1 : 1; 20 | std::uint32_t lnk_info : 1; 21 | std::uint32_t _pad2 : 1; 22 | std::uint32_t lnk_remove : 1; 23 | std::uint32_t lnk_comdat : 1; 24 | std::uint32_t _pad3 : 1; 25 | std::uint32_t no_defer_spec_exc : 1; 26 | std::uint32_t mem_far : 1; 27 | std::uint32_t _pad4 : 1; 28 | std::uint32_t mem_purgeable : 1; 29 | std::uint32_t mem_locked : 1; 30 | std::uint32_t mem_preload : 1; 31 | std::uint32_t alignment : 4; 32 | std::uint32_t lnk_nreloc_ovfl : 1; 33 | std::uint32_t mem_discardable : 1; 34 | std::uint32_t mem_not_cached : 1; 35 | std::uint32_t mem_not_paged : 1; 36 | std::uint32_t mem_shared : 1; 37 | std::uint32_t mem_execute : 1; 38 | std::uint32_t mem_read : 1; 39 | std::uint32_t mem_write : 1; 40 | }; 41 | 42 | std::uint32_t flags; 43 | }; 44 | 45 | struct section_header_t 46 | { 47 | char name[section_name_size_limit]; 48 | std::uint32_t virtual_size; 49 | std::uint32_t virtual_address; 50 | std::uint32_t size_of_raw_data; 51 | std::uint32_t pointer_to_raw_data; 52 | std::uint32_t pointer_to_relocations; 53 | std::uint32_t pointer_to_linenumbers; 54 | std::uint16_t number_of_relocations; 55 | std::uint16_t number_of_linenumbers; 56 | section_characteristics_t characteristics; 57 | 58 | [[nodiscard]] std::string to_str() const; 59 | }; 60 | 61 | template 62 | class section_iterator_t 63 | { 64 | private: 65 | T* m_base = nullptr; 66 | 67 | std::uint16_t m_num_sections = 0; 68 | 69 | public: 70 | section_iterator_t(T* base, const std::uint16_t num_sections) : m_base(base), m_num_sections(num_sections) 71 | { 72 | 73 | } 74 | 75 | T* begin() const 76 | { 77 | return this->m_base; 78 | } 79 | 80 | T* end() const 81 | { 82 | return this->m_base + this->m_num_sections; 83 | } 84 | }; 85 | } -------------------------------------------------------------------------------- /portable_executable/portable_executable/relocations_directory.cpp: -------------------------------------------------------------------------------- 1 | #include "relocations_directory.hpp" 2 | 3 | void portable_executable::relocations_iterator_t::load_block(const raw_relocation_block_descriptor_t* raw_relocation_block_descriptor) 4 | { 5 | this->m_current_raw_relocation_block_descriptor = raw_relocation_block_descriptor; 6 | 7 | if (this->m_current_raw_relocation_block_descriptor && this->m_current_raw_relocation_block_descriptor->virtual_address) 8 | { 9 | const std::uint64_t real_block_size = this->m_current_raw_relocation_block_descriptor->size_of_block - sizeof(raw_relocation_block_descriptor_t); 10 | 11 | this->m_current_relocation_block.max_entry_index = static_cast(real_block_size / sizeof(relocation_entry_descriptor_t)); 12 | this->m_current_relocation_block.current_entry_index = 1; 13 | 14 | this->m_current_descriptor = reinterpret_cast(this->m_current_raw_relocation_block_descriptor + 1); 15 | } 16 | else 17 | this->m_current_descriptor = nullptr; 18 | } 19 | 20 | portable_executable::relocations_iterator_t::relocations_iterator_t(const raw_relocation_block_descriptor_t* raw_relocation_block_descriptor) 21 | { 22 | if (raw_relocation_block_descriptor) 23 | { 24 | this->load_block(raw_relocation_block_descriptor); 25 | } 26 | } 27 | 28 | portable_executable::relocations_iterator_t::value_type portable_executable::relocations_iterator_t::operator*() const 29 | { 30 | return { *this->m_current_descriptor, this->m_current_raw_relocation_block_descriptor->virtual_address }; 31 | } 32 | 33 | portable_executable::relocations_iterator_t& portable_executable::relocations_iterator_t::operator++() 34 | { 35 | if (this->m_current_descriptor && this->m_current_relocation_block.current_entry_index < this->m_current_relocation_block.max_entry_index) 36 | { 37 | ++this->m_current_descriptor; 38 | 39 | this->m_current_relocation_block.current_entry_index++; 40 | } 41 | else if (this->m_current_raw_relocation_block_descriptor && this->m_current_raw_relocation_block_descriptor->virtual_address) 42 | { 43 | this->load_block(reinterpret_cast(reinterpret_cast(this->m_current_raw_relocation_block_descriptor) + this->m_current_raw_relocation_block_descriptor->size_of_block)); 44 | } 45 | else 46 | { 47 | this->m_current_descriptor = nullptr; 48 | } 49 | 50 | return *this; 51 | } 52 | 53 | bool portable_executable::relocations_iterator_t::operator==(const relocations_iterator_t& other) 54 | { 55 | return this->m_current_descriptor == other.m_current_descriptor; 56 | } 57 | 58 | bool portable_executable::relocations_iterator_t::operator!=(const relocations_iterator_t& other) 59 | { 60 | return this->m_current_descriptor != other.m_current_descriptor; 61 | } 62 | -------------------------------------------------------------------------------- /portable_executable/portable_executable/export_directory.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | namespace portable_executable 7 | { 8 | struct export_entry_t 9 | { 10 | std::string name; 11 | std::uint8_t* address; 12 | }; 13 | 14 | class exports_iterator_t 15 | { 16 | const std::uint8_t* m_module = nullptr; 17 | const std::uint32_t* m_names = nullptr; 18 | const std::uint32_t* m_functions = nullptr; 19 | const std::uint16_t* m_ordinals = nullptr; 20 | std::uint32_t m_index = 0; 21 | 22 | public: 23 | exports_iterator_t(const std::uint8_t* module, const std::uint32_t* names, const std::uint32_t* functions, const std::uint16_t* ordinals, std::uint32_t index); 24 | 25 | using iterator_category = std::forward_iterator_tag; 26 | using difference_type = std::ptrdiff_t; 27 | using value_type = export_entry_t; 28 | using pointer = value_type*; 29 | using reference = value_type&; 30 | 31 | value_type operator*() const; 32 | 33 | exports_iterator_t& operator++(); 34 | 35 | bool operator==(const exports_iterator_t& other) const; 36 | 37 | bool operator!=(const exports_iterator_t& other) const; 38 | }; 39 | 40 | template 41 | class exports_range_t 42 | { 43 | private: 44 | using pointer_type = std::conditional_t, const std::uint8_t*, std::uint8_t*>; 45 | using uint32_pointer = std::conditional_t, const std::uint32_t*, std::uint32_t*>; 46 | using uint16_pointer = std::conditional_t, const std::uint16_t*, std::uint16_t*>; 47 | 48 | pointer_type m_module = nullptr; 49 | uint32_pointer m_names = nullptr; 50 | uint32_pointer m_functions = nullptr; 51 | uint16_pointer m_ordinals = nullptr; 52 | 53 | std::uint32_t m_num_exports = 0; 54 | 55 | public: 56 | exports_range_t() = default; 57 | 58 | exports_range_t(pointer_type module, uint32_pointer names, uint32_pointer functions, uint16_pointer ordinals, const std::uint32_t num_exports) : 59 | m_module(module), m_names(names), m_functions(functions), m_ordinals(ordinals), m_num_exports(num_exports) 60 | { 61 | 62 | } 63 | 64 | T begin() const 65 | { 66 | return { this->m_module, this->m_names, this->m_functions, this->m_ordinals, 0 }; 67 | } 68 | 69 | T end() const 70 | { 71 | return { this->m_module, this->m_names, this->m_functions, this->m_ordinals, this->m_num_exports }; 72 | } 73 | }; 74 | 75 | struct export_directory_t 76 | { 77 | std::uint32_t characteristics; 78 | std::uint32_t time_date_stamp; 79 | std::uint16_t major_version; 80 | std::uint16_t minor_version; 81 | std::uint32_t name; 82 | std::uint32_t base; 83 | std::uint32_t number_of_functions; 84 | std::uint32_t number_of_names; 85 | std::uint32_t address_of_functions; 86 | std::uint32_t address_of_names; 87 | std::uint32_t address_of_name_ordinals; 88 | }; 89 | } -------------------------------------------------------------------------------- /portable_executable/portable_executable/imports_directory.cpp: -------------------------------------------------------------------------------- 1 | #include "imports_directory.hpp" 2 | 3 | portable_executable::imports_iterator_t::imports_iterator_t(const std::uint8_t* module, const import_descriptor_t* descriptor) : 4 | m_module(module), m_current_descriptor(descriptor) 5 | { 6 | if (this->m_current_descriptor && this->m_current_descriptor->first_thunk) 7 | { 8 | this->m_current_thunk = reinterpret_cast(this->m_module + m_current_descriptor->first_thunk); 9 | this->m_original_thunk = reinterpret_cast(this->m_module + m_current_descriptor->misc.original_first_thunk); 10 | } 11 | } 12 | 13 | portable_executable::imports_iterator_t::value_type portable_executable::imports_iterator_t::operator*() const 14 | { 15 | std::string import_name; 16 | 17 | if (this->m_original_thunk->is_ordinal) 18 | { 19 | import_name = reinterpret_cast(this->m_module + this->m_original_thunk->ordinal); 20 | } 21 | else 22 | { 23 | const auto import_by_name = reinterpret_cast(this->m_module + this->m_original_thunk->address); 24 | 25 | import_name = import_by_name->name; 26 | } 27 | 28 | const std::string module_name(reinterpret_cast(this->m_module + this->m_current_descriptor->name)); 29 | 30 | auto* import_addr_ref = const_cast(&this->m_current_thunk->function); 31 | auto& import_addr = *reinterpret_cast(import_addr_ref); 32 | 33 | return { module_name, import_name, import_addr }; 34 | } 35 | 36 | portable_executable::imports_iterator_t& portable_executable::imports_iterator_t::operator++() 37 | { 38 | if (this->m_current_thunk && this->m_current_thunk->address) 39 | { 40 | ++this->m_current_thunk; 41 | ++this->m_original_thunk; 42 | 43 | if (!this->m_current_thunk->address) 44 | { 45 | ++this->m_current_descriptor; 46 | 47 | while (this->m_current_descriptor && this->m_current_descriptor->first_thunk) 48 | { 49 | this->m_current_thunk = reinterpret_cast(this->m_module + this->m_current_descriptor->first_thunk); 50 | this->m_original_thunk = reinterpret_cast(this->m_module + this->m_current_descriptor->misc.original_first_thunk); 51 | 52 | if (this->m_current_thunk->address) 53 | { 54 | break; 55 | } 56 | 57 | ++this->m_current_descriptor; 58 | } 59 | 60 | if (!this->m_current_descriptor || !this->m_current_descriptor->first_thunk) 61 | { 62 | this->m_current_descriptor = nullptr; 63 | this->m_current_thunk = nullptr; 64 | } 65 | } 66 | } 67 | 68 | return *this; 69 | } 70 | 71 | bool portable_executable::imports_iterator_t::operator==(const imports_iterator_t& other) const 72 | { 73 | return this->m_current_descriptor == other.m_current_descriptor && this->m_current_thunk == other.m_current_thunk; 74 | } 75 | 76 | bool portable_executable::imports_iterator_t::operator!=(const imports_iterator_t& other) const 77 | { 78 | return this->m_current_descriptor != other.m_current_descriptor || this->m_current_thunk != other.m_current_thunk; 79 | } 80 | -------------------------------------------------------------------------------- /portable_executable/portable_executable/imports_directory.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | namespace portable_executable 8 | { 9 | struct import_descriptor_t 10 | { 11 | union 12 | { 13 | std::uint32_t characteristics; 14 | std::uint32_t original_first_thunk; 15 | } misc; 16 | 17 | std::uint32_t time_date_stamp; 18 | std::uint32_t forwarder_chain; 19 | std::uint32_t name; 20 | std::uint32_t first_thunk; 21 | }; 22 | 23 | struct thunk_data_t 24 | { 25 | union 26 | { 27 | std::uint64_t forwarder_string; 28 | std::uint64_t function; 29 | std::uint64_t address; 30 | 31 | struct // NOLINT(clang-diagnostic-nested-anon-types) 32 | { 33 | std::uint64_t ordinal : 16; 34 | std::uint64_t reserved0 : 47; 35 | std::uint64_t is_ordinal : 1; 36 | }; 37 | }; 38 | }; 39 | 40 | struct import_by_name_t 41 | { 42 | std::uint16_t hint; 43 | char name[1]; 44 | }; 45 | 46 | struct import_entry_t 47 | { 48 | std::string module_name; 49 | std::string import_name; 50 | std::uint8_t*& address; 51 | }; 52 | 53 | class imports_iterator_t 54 | { 55 | const std::uint8_t* m_module = nullptr; 56 | 57 | const import_descriptor_t* m_current_descriptor = nullptr; 58 | const thunk_data_t* m_current_thunk = nullptr; 59 | const thunk_data_t* m_original_thunk = nullptr; 60 | 61 | public: 62 | imports_iterator_t(const std::uint8_t* module, const import_descriptor_t* descriptor); 63 | 64 | using iterator_category = std::forward_iterator_tag; 65 | using difference_type = std::ptrdiff_t; 66 | using value_type = import_entry_t; 67 | using pointer = value_type*; 68 | using reference = value_type&; 69 | 70 | value_type operator*() const; 71 | 72 | imports_iterator_t& operator++(); 73 | 74 | bool operator==(const imports_iterator_t& other) const; 75 | 76 | bool operator!=(const imports_iterator_t& other) const; 77 | }; 78 | 79 | template 80 | class imports_range_t 81 | { 82 | private: 83 | using pointer_type = std::conditional_t, const std::uint8_t*, std::uint8_t*>; 84 | using import_descriptor_type = std::conditional_t, const import_descriptor_t*, import_descriptor_t*>; 85 | 86 | pointer_type m_module = nullptr; 87 | 88 | import_descriptor_type m_import_descriptor = nullptr; 89 | 90 | public: 91 | imports_range_t() = default; 92 | 93 | imports_range_t(pointer_type module, std::uint32_t imports_rva) : 94 | m_module(module), m_import_descriptor(reinterpret_cast(module + imports_rva)) 95 | { 96 | 97 | } 98 | 99 | T begin() const 100 | { 101 | return { this->m_module, this->m_import_descriptor }; 102 | } 103 | 104 | T end() const 105 | { 106 | return { this->m_module, nullptr }; 107 | } 108 | }; 109 | } -------------------------------------------------------------------------------- /portable_executable/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include "portable_executable/image.hpp" 5 | #include "portable_executable/file.hpp" 6 | 7 | static void run_image_tests(const portable_executable::image_t* image) 8 | { 9 | std::printf("iterating sections...\n"); 10 | 11 | for (const auto& section : image->sections()) 12 | { 13 | std::printf("section name: %s -> va: 0x%x size: 0x%x\n", section.to_str().c_str(), section.virtual_address, section.virtual_size); 14 | } 15 | 16 | std::printf("iterating exports...\n"); 17 | 18 | for (const auto& [name, address] : image->exports()) 19 | { 20 | std::printf("%s -> 0x%p\n", name.c_str(), address); 21 | } 22 | 23 | std::printf("iterating imports...\n"); 24 | 25 | for (const auto& [module_name, import_name, address] : image->imports()) 26 | { 27 | std::printf("%s!%s -> 0x%p\n", module_name.c_str(), import_name.c_str(), address); 28 | } 29 | 30 | std::printf("iterating relocations...\n"); 31 | 32 | for (const auto [relocation_block, relocation_block_va] : image->relocations()) 33 | { 34 | std::printf("offset: 0x%x -> type: 0x%x\n", relocation_block.offset, relocation_block.type); 35 | } 36 | 37 | std::printf("iterating debug information...\n"); 38 | 39 | for (const auto debug_info : image->debug_info()) 40 | { 41 | std::printf("va: 0x%x -> type: 0x%x\n", debug_info.virtual_address, static_cast(debug_info.type)); 42 | } 43 | 44 | std::printf("iterating exceptions...\n"); 45 | 46 | for (const auto runtime_function : image->runtime_functions()) 47 | { 48 | const auto virtual_address = static_cast(runtime_function.function_begin - image->as()); 49 | 50 | std::printf("va: 0x%x -> unwind code count: 0x%x\n", virtual_address, runtime_function.unwind_info->unwind_code_count); 51 | 52 | for (const auto unwind_opcode : *runtime_function.unwind_info) 53 | { 54 | std::printf("(unwind code) offset: 0x%x, info: 0x%x\n", unwind_opcode.offset, unwind_opcode.info); 55 | } 56 | } 57 | } 58 | 59 | std::int32_t main() 60 | { 61 | // parse in-memory portable executable 62 | HMODULE user32 = LoadLibrary(L"user32"); 63 | 64 | if (!user32) 65 | { 66 | std::printf("failed to load user32\n"); 67 | 68 | return EXIT_FAILURE; 69 | } 70 | 71 | auto in_memory_image = reinterpret_cast(user32); 72 | 73 | run_image_tests(in_memory_image); 74 | 75 | FreeLibrary(user32); 76 | 77 | std::string_view ntoskrnl_path_view = "C:\\Windows\\System32\\ntoskrnl.exe"; 78 | 79 | // load a portable executable from filesystem 80 | portable_executable::file_t ntoskrnl(ntoskrnl_path_view); 81 | 82 | // avoid exceptions in constructor to support contexts without exception support 83 | if (!ntoskrnl.load()) 84 | { 85 | std::printf("failed to load ntoskrnl from filesystem\n"); 86 | 87 | return EXIT_FAILURE; 88 | } 89 | 90 | const auto ntoskrnl_image = ntoskrnl.image(); 91 | 92 | run_image_tests(ntoskrnl_image); 93 | 94 | // signature made for ntoskrnl version 22h2 95 | std::uint8_t* hvi_is_any_hypervisor_present = ntoskrnl_image->signature_scan("40 53 48 83 EC ? 48 8B 05 ? ? ? ? 48 33 C4 48 89 44 24 ? 33 C9 41 B9"); 96 | 97 | std::printf("ntoskrnl!HviIsAnyHypervisorPresent -> 0x%p\n", hvi_is_any_hypervisor_present); 98 | 99 | return EXIT_SUCCESS; 100 | } -------------------------------------------------------------------------------- /portable_executable/portable_executable/relocations_directory.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | namespace portable_executable 8 | { 9 | enum class relocation_type_t : std::uint16_t 10 | { 11 | absolute, 12 | high, 13 | low, 14 | high_low, 15 | high_adj, 16 | machine_specific_5, 17 | reserved, 18 | machine_specific_7, 19 | machine_specific_8, 20 | machine_specific_9, 21 | dir64, 22 | null 23 | }; 24 | 25 | struct relocation_entry_descriptor_t 26 | { 27 | std::uint16_t offset : 12; 28 | relocation_type_t type : 4; 29 | }; 30 | 31 | struct raw_relocation_block_descriptor_t 32 | { 33 | std::uint32_t virtual_address; 34 | std::uint32_t size_of_block; 35 | }; 36 | 37 | struct relocation_block_t 38 | { 39 | std::uint32_t current_entry_index; 40 | std::uint32_t max_entry_index; 41 | }; 42 | 43 | struct relocation_entry_t 44 | { 45 | relocation_entry_descriptor_t descriptor; 46 | std::uint32_t virtual_address; 47 | }; 48 | 49 | class relocations_iterator_t 50 | { 51 | private: 52 | const raw_relocation_block_descriptor_t* m_current_raw_relocation_block_descriptor = nullptr; 53 | relocation_block_t m_current_relocation_block = { }; 54 | 55 | const relocation_entry_descriptor_t* m_current_descriptor = nullptr; 56 | 57 | void load_block(const raw_relocation_block_descriptor_t* raw_relocation_block_descriptor); 58 | 59 | public: 60 | relocations_iterator_t() = default; 61 | 62 | // ReSharper disable once CppNonExplicitConvertingConstructor 63 | relocations_iterator_t(const raw_relocation_block_descriptor_t* raw_relocation_block_descriptor); 64 | 65 | using iterator_category = std::forward_iterator_tag; 66 | using difference_type = std::ptrdiff_t; 67 | using value_type = relocation_entry_t; 68 | using pointer = value_type*; 69 | using reference = value_type&; 70 | 71 | value_type operator*() const; 72 | 73 | relocations_iterator_t& operator++(); 74 | 75 | bool operator==(const relocations_iterator_t& other); 76 | 77 | bool operator!=(const relocations_iterator_t& other); 78 | }; 79 | 80 | template 81 | class relocations_range_t 82 | { 83 | private: 84 | using pointer_type = std::conditional_t, const std::uint8_t*, std::uint8_t*>; 85 | using relocation_descriptor_type = std::conditional_t, const raw_relocation_block_descriptor_t*, raw_relocation_block_descriptor_t*>; 86 | 87 | pointer_type m_module = nullptr; 88 | 89 | const raw_relocation_block_descriptor_t* m_raw_relocation_block_descriptor = nullptr; 90 | 91 | public: 92 | relocations_range_t() = default; 93 | 94 | relocations_range_t(pointer_type module, std::uint32_t relocations_rva) : 95 | m_module(module), m_raw_relocation_block_descriptor(reinterpret_cast(module + relocations_rva)) 96 | { 97 | 98 | } 99 | 100 | T begin() const 101 | { 102 | return { this->m_raw_relocation_block_descriptor }; 103 | } 104 | 105 | // ReSharper disable once CppMemberFunctionMayBeStatic 106 | T end() 107 | { 108 | return { nullptr }; 109 | } 110 | }; 111 | } -------------------------------------------------------------------------------- /portable_executable/portable_executable.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | Source Files 38 | 39 | 40 | Source Files 41 | 42 | 43 | Source Files 44 | 45 | 46 | Source Files 47 | 48 | 49 | Source Files 50 | 51 | 52 | 53 | 54 | Header Files 55 | 56 | 57 | Header Files 58 | 59 | 60 | Header Files 61 | 62 | 63 | Header Files 64 | 65 | 66 | Header Files 67 | 68 | 69 | Header Files 70 | 71 | 72 | Header Files 73 | 74 | 75 | Header Files 76 | 77 | 78 | Header Files 79 | 80 | 81 | Header Files 82 | 83 | 84 | Header Files 85 | 86 | 87 | Header Files 88 | 89 | 90 | Header Files 91 | 92 | 93 | -------------------------------------------------------------------------------- /portable_executable/portable_executable/image.cpp: -------------------------------------------------------------------------------- 1 | #include "image.hpp" 2 | 3 | #include 4 | 5 | portable_executable::dos_header_t* portable_executable::image_t::dos_header() 6 | { 7 | return &this->m_dos_header; 8 | } 9 | 10 | const portable_executable::dos_header_t* portable_executable::image_t::dos_header() const 11 | { 12 | return &this->m_dos_header; 13 | } 14 | 15 | portable_executable::nt_headers_t* portable_executable::image_t::nt_headers() 16 | { 17 | return this->dos_header()->nt_headers(); 18 | } 19 | 20 | const portable_executable::nt_headers_t* portable_executable::image_t::nt_headers() const 21 | { 22 | return this->dos_header()->nt_headers(); 23 | } 24 | 25 | portable_executable::section_header_t* portable_executable::image_t::find_section(const std::string_view name) 26 | { 27 | for (auto& section : this->sections()) 28 | { 29 | if (section.to_str() == name) 30 | { 31 | return §ion; 32 | } 33 | } 34 | 35 | return nullptr; 36 | } 37 | 38 | const portable_executable::section_header_t* portable_executable::image_t::find_section(const std::string_view name) const 39 | { 40 | for (const auto& section : this->sections()) 41 | { 42 | if (section.to_str() == name) 43 | { 44 | return §ion; 45 | } 46 | } 47 | 48 | return nullptr; 49 | } 50 | 51 | std::uint8_t* portable_executable::image_t::find_export(const std::string_view name) const 52 | { 53 | for (const auto& [export_name, export_address] : this->exports()) 54 | { 55 | if (export_name == name) 56 | { 57 | return export_address; 58 | } 59 | } 60 | 61 | return nullptr; 62 | } 63 | 64 | std::uint8_t* portable_executable::image_t::signature_scan(const std::string_view signature) const 65 | { 66 | auto pattern_to_bytes = [](const std::string_view pattern) -> std::vector 67 | { 68 | std::vector bytes; 69 | 70 | const char* start = pattern.data(); 71 | const char* end = start + pattern.size(); 72 | 73 | for (auto current = const_cast(start); current < end; current++) 74 | { 75 | if (*current == '?') 76 | { 77 | current++; 78 | 79 | if (*current == '?') 80 | { 81 | current++; 82 | } 83 | 84 | bytes.push_back(-1); 85 | } 86 | else 87 | { 88 | bytes.push_back(static_cast(std::strtoul(current, ¤t, 16))); 89 | } 90 | } 91 | 92 | return bytes; 93 | }; 94 | 95 | const std::vector pattern_bytes = pattern_to_bytes(signature); 96 | const std::size_t pattern_bytes_size = pattern_bytes.size(); 97 | 98 | for (const auto& section : this->sections()) 99 | { 100 | const std::uint8_t* section_start = this->as() + section.virtual_address; 101 | const std::uint8_t* section_end = section_start + section.virtual_size; 102 | 103 | for (const std::uint8_t* byte = section_start; byte < (section_end - pattern_bytes_size); byte++) 104 | { 105 | bool found = true; 106 | 107 | for (std::size_t j = 0; j < pattern_bytes_size; j++) 108 | { 109 | if (pattern_bytes[j] != -1 && pattern_bytes[j] != byte[j]) 110 | { 111 | found = false; 112 | break; 113 | } 114 | } 115 | 116 | if (found) 117 | { 118 | return const_cast(byte); 119 | } 120 | } 121 | } 122 | 123 | return nullptr; 124 | } 125 | 126 | std::uint8_t* portable_executable::image_t::signature_scan(const std::uint8_t* pattern, const std::size_t pattern_size) const 127 | { 128 | for (const auto& section : this->sections()) 129 | { 130 | const std::uint8_t* section_start = this->as() + section.virtual_address; 131 | const std::uint8_t* section_end = section_start + section.virtual_size; 132 | 133 | for (const std::uint8_t* byte = section_start; byte < (section_end - pattern_size); byte++) 134 | { 135 | bool found = true; 136 | 137 | for (std::size_t j = 0; j < pattern_size; j++) 138 | { 139 | if (pattern[j] != 0x00 && pattern[j] != byte[j]) 140 | { 141 | found = false; 142 | break; 143 | } 144 | } 145 | 146 | if (found) 147 | { 148 | return const_cast(byte); 149 | } 150 | } 151 | } 152 | 153 | return nullptr; 154 | } -------------------------------------------------------------------------------- /portable_executable/portable_executable/exception_directory.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | namespace portable_executable 7 | { 8 | class unwind_code_iterator_t; 9 | 10 | struct unwind_code_t 11 | { 12 | std::uint8_t offset; 13 | std::uint8_t code : 4; 14 | std::uint8_t info : 4; 15 | }; 16 | 17 | struct unwind_info_t 18 | { 19 | std::uint8_t version : 3; 20 | std::uint8_t flags : 5; 21 | std::uint8_t size_of_prolog; 22 | std::uint8_t unwind_code_count; 23 | std::uint8_t frame_register : 4; 24 | std::uint8_t frame_offset : 4; 25 | unwind_code_t codes[1]; 26 | 27 | [[nodiscard]] unwind_code_iterator_t begin() const; 28 | [[nodiscard]] unwind_code_iterator_t end() const; 29 | }; 30 | 31 | struct runtime_function_t 32 | { 33 | std::uint32_t begin_address; 34 | std::uint32_t end_address; 35 | std::uint32_t unwind_info_rva; 36 | }; 37 | 38 | struct runtime_function_descriptor_t 39 | { 40 | std::uint8_t* function_begin; 41 | std::uint8_t* function_end; 42 | 43 | unwind_info_t* unwind_info; 44 | }; 45 | 46 | class unwind_code_iterator_t 47 | { 48 | const unwind_code_t* m_current_code = nullptr; 49 | 50 | public: 51 | unwind_code_iterator_t() = default; 52 | 53 | unwind_code_iterator_t(const unwind_code_t* unwind_code) : 54 | m_current_code(unwind_code) 55 | { 56 | 57 | } 58 | 59 | using iterator_category = std::forward_iterator_tag; 60 | using difference_type = std::ptrdiff_t; 61 | using value_type = unwind_code_t; 62 | using pointer = value_type*; 63 | using reference = value_type&; 64 | 65 | value_type operator*() const; 66 | 67 | unwind_code_iterator_t& operator++(); 68 | 69 | bool operator==(const unwind_code_iterator_t& other) const; 70 | bool operator!=(const unwind_code_iterator_t& other) const; 71 | }; 72 | 73 | class runtime_functions_iterator_t 74 | { 75 | const std::uint8_t* m_module = nullptr; 76 | const runtime_function_t* m_current_function = nullptr; 77 | 78 | public: 79 | runtime_functions_iterator_t() = default; 80 | 81 | runtime_functions_iterator_t(const std::uint8_t* const module, const runtime_function_t* runtime_function) : 82 | m_module(module), 83 | m_current_function(runtime_function) 84 | { 85 | 86 | } 87 | 88 | using iterator_category = std::forward_iterator_tag; 89 | using difference_type = std::ptrdiff_t; 90 | using value_type = runtime_function_descriptor_t; 91 | using pointer = value_type*; 92 | using reference = value_type&; 93 | 94 | value_type operator*() const; 95 | 96 | runtime_functions_iterator_t& operator++(); 97 | 98 | bool operator==(const runtime_functions_iterator_t& other) const; 99 | bool operator!=(const runtime_functions_iterator_t& other) const; 100 | }; 101 | 102 | template 103 | class runtime_functions_range_t 104 | { 105 | private: 106 | using pointer_type = std::conditional_t, const std::uint8_t*, std::uint8_t*>; 107 | using runtime_function_type = std::conditional_t, const runtime_function_t*, runtime_function_t*>; 108 | 109 | pointer_type m_module = nullptr; 110 | 111 | runtime_function_type m_runtime_functions = nullptr; 112 | runtime_function_type m_end_runtime_functions = nullptr; 113 | 114 | public: 115 | runtime_functions_range_t() = default; 116 | 117 | runtime_functions_range_t(const pointer_type module, const std::uint32_t exception_directory_rva, const std::uint32_t exception_directory_size) : 118 | m_module(module), 119 | m_runtime_functions(reinterpret_cast(module + exception_directory_rva)), 120 | m_end_runtime_functions(reinterpret_cast(module + exception_directory_rva + exception_directory_size)) 121 | { 122 | 123 | } 124 | 125 | [[nodiscard]] T begin() const 126 | { 127 | return { m_module, m_runtime_functions }; 128 | } 129 | 130 | [[nodiscard]] T end() const 131 | { 132 | return { m_module, m_end_runtime_functions }; 133 | } 134 | }; 135 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Modern C++ wrapper around the Microsoft Portable Executable file format 2 | 3 | Note: For the "no_crt" version please checkout [this](https://github.com/papstuc/nocrt_portable_executable) link. 4 | 5 | This is a W.I.P. library to interact with Microsoft PE files (.exe, .dll, .sys) in a modern C++ way. 6 | 7 | Code to traverse tables (IAT, EAT, Relocs, etc...) is being abstracted by iterators to provide developers with a clean abstracted interface to base their work on. 8 | 9 | ## Examples 10 | 11 | More samples can be found in the main.cpp file. 12 | 13 | ### Obtaining an image instance 14 | The library currently only works with already mapped PE files, which means that sections have to be mapped to their virtual addresses. 15 | 16 | The library however provides a way to map PE files on disk to memory using RAII. 17 | 18 | ```cpp 19 | // obtain image from a already mapped pe 20 | HMODULE user32 = LoadLibrary(L"user32"); 21 | auto in_memory_image = reinterpret_cast(user32); 22 | 23 | // obtain image from filesystem and load it into memory 24 | portable_executable::file_t ntoskrnl("C:\\Windows\\System32\\ntoskrnl.exe"); 25 | 26 | if (!ntoskrnl.load()) 27 | { 28 | // handle error cases 29 | } 30 | 31 | const portable_executable::image_t* from_fs_image = ntoskrnl.image(); 32 | ``` 33 | 34 | ### Iterating sections 35 | The section iterator provides the caller with a raw view of a section header. 36 | 37 | ```cpp 38 | for (const auto& section : image->sections()) 39 | { 40 | std::printf("section name: %s -> va: 0x%x size: 0x%x\n", 41 | section.to_str().c_str(), 42 | section.virtual_address, 43 | section.virtual_size); 44 | } 45 | ``` 46 | ### Iterating imports 47 | The imports iterator abstracts away boilerplate code and returns the module name, function name and address of the respective import. 48 | 49 | ```cpp 50 | for (const auto& [module_name, import_name, address] : image->imports()) 51 | { 52 | std::printf("%s!%s -> 0x%p\n", module_name.c_str(), import_name.c_str(), address); 53 | } 54 | ``` 55 | 56 | ### Iterating relocations 57 | The relocations iterator provides the caller with a raw view of the offset of the relocation and its type. 58 | 59 | ```cpp 60 | for (const auto& relocation : image->relocations()) 61 | { 62 | std::printf("offset: %x -> type: %x\n", relocation.offset, relocation.type); 63 | } 64 | ``` 65 | 66 | ### Iterating debug information 67 | The debug information iterator provides the caller with a raw view of the debug information. 68 | 69 | ```cpp 70 | for (const auto debug_info : image->debug_info()) 71 | { 72 | std::printf("va: 0x%x -> type: 0x%x\n", debug_info.virtual_address, static_cast(debug_info.type)); 73 | } 74 | ``` 75 | 76 | ### Iterating exceptions/runtime functions 77 | The runtime functions iterator abstracts away boilerplate code and returns the pointer to the function begin, function end, and the unwind info. 78 | 79 | The unwind code iterator provides the caller with a raw view of the unwind code. This is accessed via the unwind_info_t structure. 80 | 81 | ```cpp 82 | for (const auto runtime_function : image->runtime_functions()) 83 | { 84 | const auto virtual_address = static_cast(runtime_function.function_begin - image->as()); 85 | 86 | std::printf("va: 0x%x -> unwind code count: 0x%x\n", virtual_address, runtime_function.unwind_info->unwind_code_count); 87 | 88 | for (const auto unwind_opcode : *runtime_function.unwind_info) 89 | { 90 | std::printf("(unwind code) offset: 0x%x, info: 0x%x\n", unwind_opcode.offset, unwind_opcode.info); 91 | } 92 | } 93 | ``` 94 | 95 | ### Signature scanning 96 | 97 | This library supports both IDA and Byte signature scanning. 98 | 99 | ```cpp 100 | // signature made for ntoskrnl version 22h2 101 | std::uint8_t* hvi_is_any_hypervisor_present = ntoskrnl->signature_scan("40 53 48 83 EC ? 48 8B 05 ? ? ? ? 48 33 C4 48 89 44 24 ? 33 C9 41 B9"); 102 | 103 | if (!hvi_is_any_hypervisor_present) 104 | { 105 | // handle error cases 106 | } 107 | 108 | std::printf("ntoskrnl!HviIsAnyHypervisorPresent -> 0x%p\n", hvi_is_any_hypervisor_present); 109 | ``` 110 | 111 | ## Credits 112 | - [noahware](https://github.com/noahware) for the relocations parsing, debug information parsing, and exceptions parsing 113 | - [can1357](https://github.com/can1357) for section_characteristics_t, thunk_data_t, data_directory_t and data_directories_t definitions from his [linux-pe](https://github.com/can1357/linux-pe) library 114 | - [john](https://github.com/vmp38) for forcing me into releasing a version without any CRT linkage -------------------------------------------------------------------------------- /portable_executable/portable_executable.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | x64 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | 17.0 15 | Win32Proj 16 | {7d3bda32-9943-45cb-b075-9ba7327e0e85} 17 | portableexecutable 18 | 10.0 19 | 20 | 21 | 22 | Application 23 | true 24 | v143 25 | Unicode 26 | 27 | 28 | Application 29 | false 30 | v143 31 | true 32 | Unicode 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | $(SolutionDir)build\ 48 | $(OutDir)intermediate\ 49 | 50 | 51 | $(SolutionDir)build\ 52 | $(OutDir)intermediate\ 53 | 54 | 55 | 56 | Level3 57 | true 58 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 59 | true 60 | stdcpp20 61 | stdc17 62 | true 63 | 64 | 65 | Console 66 | true 67 | 68 | 69 | 70 | 71 | Level3 72 | true 73 | true 74 | true 75 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 76 | true 77 | stdcpp20 78 | stdc17 79 | true 80 | 81 | 82 | Console 83 | true 84 | true 85 | true 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Created by https://www.toptal.com/developers/gitignore/api/c,visualstudio 2 | # Edit at https://www.toptal.com/developers/gitignore?templates=c,visualstudio 3 | 4 | ### C ### 5 | # Prerequisites 6 | *.d 7 | 8 | # Object files 9 | *.o 10 | *.ko 11 | *.obj 12 | *.elf 13 | 14 | # Linker output 15 | *.ilk 16 | *.map 17 | *.exp 18 | 19 | # Precompiled Headers 20 | *.gch 21 | *.pch 22 | 23 | # Libraries 24 | *.lib 25 | *.a 26 | *.la 27 | *.lo 28 | 29 | # Shared objects (inc. Windows DLLs) 30 | *.dll 31 | *.so 32 | *.so.* 33 | *.dylib 34 | 35 | # Executables 36 | *.exe 37 | *.out 38 | *.app 39 | *.i*86 40 | *.x86_64 41 | *.hex 42 | 43 | # Debug files 44 | *.dSYM/ 45 | *.su 46 | *.idb 47 | *.pdb 48 | 49 | # Kernel Module Compile Results 50 | *.mod* 51 | *.cmd 52 | .tmp_versions/ 53 | modules.order 54 | Module.symvers 55 | Mkfile.old 56 | dkms.conf 57 | 58 | ### VisualStudio ### 59 | ## Ignore Visual Studio temporary files, build results, and 60 | ## files generated by popular Visual Studio add-ons. 61 | ## 62 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore 63 | 64 | # User-specific files 65 | *.rsuser 66 | *.suo 67 | *.user 68 | *.userosscache 69 | *.sln.docstates 70 | 71 | # User-specific files (MonoDevelop/Xamarin Studio) 72 | *.userprefs 73 | 74 | # Mono auto generated files 75 | mono_crash.* 76 | 77 | # Build results 78 | [Dd]ebug/ 79 | [Dd]ebugPublic/ 80 | [Rr]elease/ 81 | [Rr]eleases/ 82 | x64/ 83 | x86/ 84 | build/ 85 | intermediate/ 86 | hypervisor_intermediate/ 87 | controller_intermediate/ 88 | [Ww][Ii][Nn]32/ 89 | [Aa][Rr][Mm]/ 90 | [Aa][Rr][Mm]64/ 91 | bld/ 92 | [Bb]in/ 93 | [Oo]bj/ 94 | [Ll]og/ 95 | [Ll]ogs/ 96 | 97 | # Visual Studio 2015/2017 cache/options directory 98 | .vs/ 99 | # Uncomment if you have tasks that create the project's static files in wwwroot 100 | #wwwroot/ 101 | 102 | # Visual Studio 2017 auto generated files 103 | Generated\ Files/ 104 | 105 | # MSTest test Results 106 | [Tt]est[Rr]esult*/ 107 | [Bb]uild[Ll]og.* 108 | 109 | # NUnit 110 | *.VisualState.xml 111 | TestResult.xml 112 | nunit-*.xml 113 | 114 | # Build Results of an ATL Project 115 | [Dd]ebugPS/ 116 | [Rr]eleasePS/ 117 | dlldata.c 118 | 119 | # Benchmark Results 120 | BenchmarkDotNet.Artifacts/ 121 | 122 | # .NET Core 123 | project.lock.json 124 | project.fragment.lock.json 125 | artifacts/ 126 | 127 | # ASP.NET Scaffolding 128 | ScaffoldingReadMe.txt 129 | 130 | # StyleCop 131 | StyleCopReport.xml 132 | 133 | # Files built by Visual Studio 134 | *_i.c 135 | *_p.c 136 | *_h.h 137 | *.meta 138 | *.iobj 139 | *.ipdb 140 | *.pgc 141 | *.pgd 142 | *.rsp 143 | *.sbr 144 | *.tlb 145 | *.tli 146 | *.tlh 147 | *.tmp 148 | *.tmp_proj 149 | *_wpftmp.csproj 150 | *.log 151 | *.tlog 152 | *.vspscc 153 | *.vssscc 154 | .builds 155 | *.pidb 156 | *.svclog 157 | *.scc 158 | 159 | # Chutzpah Test files 160 | _Chutzpah* 161 | 162 | # Visual C++ cache files 163 | ipch/ 164 | *.aps 165 | *.ncb 166 | *.opendb 167 | *.opensdf 168 | *.sdf 169 | *.cachefile 170 | *.VC.db 171 | *.VC.VC.opendb 172 | 173 | # Visual Studio profiler 174 | *.psess 175 | *.vsp 176 | *.vspx 177 | *.sap 178 | 179 | # Visual Studio Trace Files 180 | *.e2e 181 | 182 | # TFS 2012 Local Workspace 183 | $tf/ 184 | 185 | # Guidance Automation Toolkit 186 | *.gpState 187 | 188 | # ReSharper is a .NET coding add-in 189 | _ReSharper*/ 190 | *.[Rr]e[Ss]harper 191 | *.DotSettings.user 192 | 193 | # TeamCity is a build add-in 194 | _TeamCity* 195 | 196 | # DotCover is a Code Coverage Tool 197 | *.dotCover 198 | 199 | # AxoCover is a Code Coverage Tool 200 | .axoCover/* 201 | !.axoCover/settings.json 202 | 203 | # Coverlet is a free, cross platform Code Coverage Tool 204 | coverage*.json 205 | coverage*.xml 206 | coverage*.info 207 | 208 | # Visual Studio code coverage results 209 | *.coverage 210 | *.coveragexml 211 | 212 | # NCrunch 213 | _NCrunch_* 214 | .*crunch*.local.xml 215 | nCrunchTemp_* 216 | 217 | # MightyMoose 218 | *.mm.* 219 | AutoTest.Net/ 220 | 221 | # Web workbench (sass) 222 | .sass-cache/ 223 | 224 | # Installshield output folder 225 | [Ee]xpress/ 226 | 227 | # DocProject is a documentation generator add-in 228 | DocProject/buildhelp/ 229 | DocProject/Help/*.HxT 230 | DocProject/Help/*.HxC 231 | DocProject/Help/*.hhc 232 | DocProject/Help/*.hhk 233 | DocProject/Help/*.hhp 234 | DocProject/Help/Html2 235 | DocProject/Help/html 236 | 237 | # Click-Once directory 238 | publish/ 239 | 240 | # Publish Web Output 241 | *.[Pp]ublish.xml 242 | *.azurePubxml 243 | # Note: Comment the next line if you want to checkin your web deploy settings, 244 | # but database connection strings (with potential passwords) will be unencrypted 245 | *.pubxml 246 | *.publishproj 247 | 248 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 249 | # checkin your Azure Web App publish settings, but sensitive information contained 250 | # in these scripts will be unencrypted 251 | PublishScripts/ 252 | 253 | # NuGet Packages 254 | *.nupkg 255 | # NuGet Symbol Packages 256 | *.snupkg 257 | # The packages folder can be ignored because of Package Restore 258 | **/[Pp]ackages/* 259 | # except build/, which is used as an MSBuild target. 260 | !**/[Pp]ackages/build/ 261 | # Uncomment if necessary however generally it will be regenerated when needed 262 | #!**/[Pp]ackages/repositories.config 263 | # NuGet v3's project.json files produces more ignorable files 264 | *.nuget.props 265 | *.nuget.targets 266 | 267 | # Microsoft Azure Build Output 268 | csx/ 269 | *.build.csdef 270 | 271 | # Microsoft Azure Emulator 272 | ecf/ 273 | rcf/ 274 | 275 | # Windows Store app package directories and files 276 | AppPackages/ 277 | BundleArtifacts/ 278 | Package.StoreAssociation.xml 279 | _pkginfo.txt 280 | *.appx 281 | *.appxbundle 282 | *.appxupload 283 | 284 | # Visual Studio cache files 285 | # files ending in .cache can be ignored 286 | *.[Cc]ache 287 | # but keep track of directories ending in .cache 288 | !?*.[Cc]ache/ 289 | 290 | # Others 291 | ClientBin/ 292 | ~$* 293 | *~ 294 | *.dbmdl 295 | *.dbproj.schemaview 296 | *.jfm 297 | *.pfx 298 | *.publishsettings 299 | orleans.codegen.cs 300 | 301 | # Including strong name files can present a security risk 302 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 303 | #*.snk 304 | 305 | # Since there are multiple workflows, uncomment next line to ignore bower_components 306 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 307 | #bower_components/ 308 | 309 | # RIA/Silverlight projects 310 | Generated_Code/ 311 | 312 | # Backup & report files from converting an old project file 313 | # to a newer Visual Studio version. Backup files are not needed, 314 | # because we have git ;-) 315 | _UpgradeReport_Files/ 316 | Backup*/ 317 | UpgradeLog*.XML 318 | UpgradeLog*.htm 319 | ServiceFabricBackup/ 320 | *.rptproj.bak 321 | 322 | # SQL Server files 323 | *.mdf 324 | *.ldf 325 | *.ndf 326 | 327 | # Business Intelligence projects 328 | *.rdl.data 329 | *.bim.layout 330 | *.bim_*.settings 331 | *.rptproj.rsuser 332 | *- [Bb]ackup.rdl 333 | *- [Bb]ackup ([0-9]).rdl 334 | *- [Bb]ackup ([0-9][0-9]).rdl 335 | 336 | # Microsoft Fakes 337 | FakesAssemblies/ 338 | 339 | # GhostDoc plugin setting file 340 | *.GhostDoc.xml 341 | 342 | # Node.js Tools for Visual Studio 343 | .ntvs_analysis.dat 344 | node_modules/ 345 | 346 | # Visual Studio 6 build log 347 | *.plg 348 | 349 | # Visual Studio 6 workspace options file 350 | *.opt 351 | 352 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 353 | *.vbw 354 | 355 | # Visual Studio 6 auto-generated project file (contains which files were open etc.) 356 | *.vbp 357 | 358 | # Visual Studio 6 workspace and project file (working project files containing files to include in project) 359 | *.dsw 360 | *.dsp 361 | 362 | # Visual Studio 6 technical files 363 | 364 | # Visual Studio LightSwitch build output 365 | **/*.HTMLClient/GeneratedArtifacts 366 | **/*.DesktopClient/GeneratedArtifacts 367 | **/*.DesktopClient/ModelManifest.xml 368 | **/*.Server/GeneratedArtifacts 369 | **/*.Server/ModelManifest.xml 370 | _Pvt_Extensions 371 | 372 | # Paket dependency manager 373 | .paket/paket.exe 374 | paket-files/ 375 | 376 | # FAKE - F# Make 377 | .fake/ 378 | 379 | # CodeRush personal settings 380 | .cr/personal 381 | 382 | # Python Tools for Visual Studio (PTVS) 383 | __pycache__/ 384 | *.pyc 385 | 386 | # Cake - Uncomment if you are using it 387 | # tools/** 388 | # !tools/packages.config 389 | 390 | # Tabs Studio 391 | *.tss 392 | 393 | # Telerik's JustMock configuration file 394 | *.jmconfig 395 | 396 | # BizTalk build output 397 | *.btp.cs 398 | *.btm.cs 399 | *.odx.cs 400 | *.xsd.cs 401 | 402 | # OpenCover UI analysis results 403 | OpenCover/ 404 | 405 | # Azure Stream Analytics local run output 406 | ASALocalRun/ 407 | 408 | # MSBuild Binary and Structured Log 409 | *.binlog 410 | 411 | # NVidia Nsight GPU debugger configuration file 412 | *.nvuser 413 | 414 | # MFractors (Xamarin productivity tool) working folder 415 | .mfractor/ 416 | 417 | # Local History for Visual Studio 418 | .localhistory/ 419 | 420 | # Visual Studio History (VSHistory) files 421 | .vshistory/ 422 | 423 | # BeatPulse healthcheck temp database 424 | healthchecksdb 425 | 426 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 427 | MigrationBackup/ 428 | 429 | # Ionide (cross platform F# VS Code tools) working folder 430 | .ionide/ 431 | 432 | # Fody - auto-generated XML schema 433 | FodyWeavers.xsd 434 | 435 | # VS Code files for those working on multiple tools 436 | .vscode/* 437 | !.vscode/settings.json 438 | !.vscode/tasks.json 439 | !.vscode/launch.json 440 | !.vscode/extensions.json 441 | *.code-workspace 442 | 443 | # Local History for Visual Studio Code 444 | .history/ 445 | 446 | # Windows Installer files from build outputs 447 | *.cab 448 | *.msi 449 | *.msix 450 | *.msm 451 | *.msp 452 | 453 | # JetBrains Rider 454 | *.sln.iml 455 | 456 | ### VisualStudio Patch ### 457 | # Additional files built by Visual Studio 458 | 459 | # End of https://www.toptal.com/developers/gitignore/api/c,visualstudio 460 | 461 | # Created by https://www.toptal.com/developers/gitignore/api/vcpkg 462 | # Edit at https://www.toptal.com/developers/gitignore?templates=vcpkg 463 | 464 | ### vcpkg ### 465 | # Vcpkg 466 | 467 | vcpkg-manifest-install.log 468 | 469 | ## Manifest Mode 470 | vcpkg_installed/ 471 | 472 | # End of https://www.toptal.com/developers/gitignore/api/vcpkg 473 | 474 | -------------------------------------------------------------------------------- /portable_executable/portable_executable/image.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "dos_header.hpp" 4 | #include "nt_headers.hpp" 5 | 6 | #include "section_header.hpp" 7 | #include "export_directory.hpp" 8 | #include "imports_directory.hpp" 9 | #include "relocations_directory.hpp" 10 | #include "debug_directory.hpp" 11 | #include "exception_directory.hpp" 12 | 13 | #include 14 | 15 | namespace portable_executable 16 | { 17 | class image_t 18 | { 19 | dos_header_t m_dos_header = { }; 20 | 21 | public: 22 | template 23 | [[nodiscard]] T as() const 24 | { 25 | return reinterpret_cast(this); 26 | } 27 | 28 | dos_header_t* dos_header(); 29 | 30 | [[nodiscard]] const dos_header_t* dos_header() const; 31 | 32 | nt_headers_t* nt_headers(); 33 | 34 | [[nodiscard]] const nt_headers_t* nt_headers() const; 35 | 36 | section_iterator_t sections() 37 | { 38 | return { this->nt_headers()->section_headers(), this->nt_headers()->num_sections() }; 39 | } 40 | 41 | [[nodiscard]] section_iterator_t sections() const 42 | { 43 | return { this->nt_headers()->section_headers(), this->nt_headers()->num_sections() }; 44 | } 45 | 46 | template 47 | t calculate_alignment(t address, t alignment) 48 | { 49 | const t remainder = address % alignment; 50 | 51 | if (!remainder) 52 | { 53 | return address; 54 | } 55 | 56 | return address + (alignment - remainder); 57 | } 58 | 59 | std::vector add_section(std::string_view name, std::uint32_t size, std::uint32_t characteristics, bool is_image_decompressed = false) 60 | { 61 | if (8 < name.size()) 62 | { 63 | return { }; 64 | } 65 | 66 | const portable_executable::nt_headers_t* nt_headers = this->nt_headers(); 67 | 68 | const portable_executable::section_header_t* section_header = this->nt_headers()->section_headers(); 69 | 70 | const portable_executable::section_header_t* last_section_header = §ion_header[nt_headers->num_sections() - 1]; 71 | 72 | portable_executable::section_header_t* new_section_header = reinterpret_cast(reinterpret_cast(&last_section_header->characteristics) + 4); 73 | 74 | memcpy(new_section_header, name.data(), name.size()); 75 | 76 | new_section_header->virtual_address = calculate_alignment(last_section_header->virtual_address + last_section_header->virtual_size, nt_headers->optional_header.section_alignment); 77 | new_section_header->virtual_size = calculate_alignment(size + 5, nt_headers->optional_header.section_alignment); 78 | new_section_header->pointer_to_raw_data = is_image_decompressed ? new_section_header->virtual_address : calculate_alignment(last_section_header->pointer_to_raw_data + last_section_header->size_of_raw_data, nt_headers->optional_header.file_alignment); 79 | new_section_header->size_of_raw_data = is_image_decompressed ? new_section_header->virtual_size : calculate_alignment(size + 5, nt_headers->optional_header.file_alignment); 80 | new_section_header->characteristics = { .flags = characteristics }; 81 | 82 | new_section_header->pointer_to_linenumbers = 0; 83 | new_section_header->pointer_to_relocations = 0; 84 | new_section_header->number_of_linenumbers = 0; 85 | new_section_header->number_of_relocations = 0; 86 | 87 | std::vector binary_snapshot = { this->as(), this->as() + nt_headers->optional_header.size_of_image }; 88 | 89 | image_t* new_image = reinterpret_cast(binary_snapshot.data()); 90 | 91 | for (portable_executable::section_header_t& section : new_image->sections()) 92 | { 93 | section.pointer_to_raw_data = section.virtual_address; 94 | } 95 | 96 | new_image->nt_headers()->optional_header.size_of_image = calculate_alignment(new_image->nt_headers()->optional_header.size_of_image + size + 5 + static_cast(sizeof(portable_executable::section_header_t)), nt_headers->optional_header.section_alignment); 97 | new_image->nt_headers()->optional_header.size_of_headers = calculate_alignment(new_image->nt_headers()->optional_header.size_of_headers + static_cast(sizeof(portable_executable::section_header_t)), nt_headers->optional_header.file_alignment); 98 | new_image->nt_headers()->file_header.number_of_sections++; 99 | 100 | binary_snapshot.resize(new_image->nt_headers()->optional_header.size_of_image); 101 | 102 | return binary_snapshot; 103 | } 104 | 105 | exports_range_t exports() 106 | { 107 | const data_directory_t data_directory = this->nt_headers()->optional_header.data_directories.export_directory; 108 | 109 | if (!data_directory.present()) 110 | { 111 | return { }; 112 | } 113 | 114 | auto module = reinterpret_cast(this); 115 | 116 | const auto export_directory = reinterpret_cast(module + data_directory.virtual_address); 117 | 118 | auto names = reinterpret_cast(module + export_directory->address_of_names); 119 | auto functions = reinterpret_cast(module + export_directory->address_of_functions); 120 | auto ordinals = reinterpret_cast(module + export_directory->address_of_name_ordinals); 121 | 122 | return { module, names, functions, ordinals, export_directory->number_of_names }; 123 | } 124 | 125 | [[nodiscard]] exports_range_t exports() const 126 | { 127 | const data_directory_t data_directory = this->nt_headers()->optional_header.data_directories.export_directory; 128 | 129 | if (!data_directory.present()) 130 | { 131 | return { }; 132 | } 133 | 134 | auto module = reinterpret_cast(this); 135 | 136 | const auto export_directory = reinterpret_cast(module + data_directory.virtual_address); 137 | 138 | auto names = reinterpret_cast(module + export_directory->address_of_names); 139 | auto functions = reinterpret_cast(module + export_directory->address_of_functions); 140 | auto ordinals = reinterpret_cast(module + export_directory->address_of_name_ordinals); 141 | 142 | return { module, names, functions, ordinals, export_directory->number_of_names }; 143 | } 144 | 145 | imports_range_t imports() 146 | { 147 | data_directory_t data_directory = this->nt_headers()->optional_header.data_directories.import_directory; 148 | 149 | if (!data_directory.present()) 150 | { 151 | return { }; 152 | } 153 | 154 | auto module = reinterpret_cast(this); 155 | 156 | return { module, data_directory.virtual_address }; 157 | } 158 | 159 | [[nodiscard]] imports_range_t imports() const 160 | { 161 | data_directory_t data_directory = this->nt_headers()->optional_header.data_directories.import_directory; 162 | 163 | if (!data_directory.present()) 164 | { 165 | return { }; 166 | } 167 | 168 | auto module = reinterpret_cast(this); 169 | 170 | return { module, data_directory.virtual_address }; 171 | } 172 | 173 | relocations_range_t relocations() 174 | { 175 | data_directory_t data_directory = this->nt_headers()->optional_header.data_directories.basereloc_directory; 176 | 177 | if (!data_directory.present()) 178 | { 179 | return { }; 180 | } 181 | 182 | auto module = reinterpret_cast(this); 183 | 184 | return { module, data_directory.virtual_address }; 185 | } 186 | 187 | [[nodiscard]] relocations_range_t relocations() const 188 | { 189 | data_directory_t data_directory = this->nt_headers()->optional_header.data_directories.basereloc_directory; 190 | 191 | if (!data_directory.present()) 192 | { 193 | return { }; 194 | } 195 | 196 | auto module = reinterpret_cast(this); 197 | 198 | return { module, data_directory.virtual_address }; 199 | } 200 | 201 | [[nodiscard]] debug_info_iterator_t debug_info() 202 | { 203 | data_directory_t data_directory = this->nt_headers()->optional_header.data_directories.debug_directory; 204 | 205 | if (!data_directory.present()) 206 | { 207 | return { }; 208 | } 209 | 210 | auto module = reinterpret_cast(this); 211 | 212 | const std::uint32_t entries = data_directory.size / sizeof(debug_directory_t); 213 | 214 | return { module, data_directory.virtual_address, entries }; 215 | } 216 | 217 | [[nodiscard]] debug_info_iterator_t debug_info() const 218 | { 219 | data_directory_t data_directory = this->nt_headers()->optional_header.data_directories.debug_directory; 220 | 221 | if (!data_directory.present()) 222 | { 223 | return { }; 224 | } 225 | 226 | auto module = reinterpret_cast(this); 227 | 228 | const std::uint32_t entries = data_directory.size / sizeof(debug_directory_t); 229 | 230 | return { module, data_directory.virtual_address, entries }; 231 | } 232 | 233 | [[nodiscard]] runtime_functions_range_t runtime_functions() 234 | { 235 | data_directory_t data_directory = this->nt_headers()->optional_header.data_directories.exception_directory; 236 | 237 | if (!data_directory.present()) 238 | { 239 | return { }; 240 | } 241 | 242 | auto module = reinterpret_cast(this); 243 | 244 | return { module, data_directory.virtual_address, data_directory.size }; 245 | } 246 | 247 | [[nodiscard]] runtime_functions_range_t runtime_functions() const 248 | { 249 | data_directory_t data_directory = this->nt_headers()->optional_header.data_directories.exception_directory; 250 | 251 | if (!data_directory.present()) 252 | { 253 | return { }; 254 | } 255 | 256 | auto module = reinterpret_cast(this); 257 | 258 | return { module, data_directory.virtual_address, data_directory.size }; 259 | } 260 | 261 | section_header_t* find_section(std::string_view name); 262 | 263 | [[nodiscard]] const section_header_t* find_section(std::string_view name) const; 264 | 265 | [[nodiscard]] std::uint8_t* find_export(std::string_view name) const; 266 | 267 | // IDA signatures 268 | [[nodiscard]] std::uint8_t* signature_scan(std::string_view signature) const; 269 | 270 | // byte signatures 271 | [[nodiscard]] std::uint8_t* signature_scan(const std::uint8_t* pattern, std::size_t pattern_size) const; 272 | }; 273 | } 274 | --------------------------------------------------------------------------------