-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathModules.cpp
229 lines (195 loc) · 7.44 KB
/
Modules.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
// TTD module support
#include "StdAfx.h"
#include "Modules.h"
// Given an RVA, look up the section header that encloses it and return a pointer to its IMAGE_SECTION_HEADER
template <class T> PIMAGE_SECTION_HEADER GetEnclosingSectionHeader(UINT32 rva, T* ntHeader)
{
PIMAGE_SECTION_HEADER secHead = IMAGE_FIRST_SECTION(ntHeader);
for (UINT32 i = 0; i < ntHeader->FileHeader.NumberOfSections; i++, secHead++)
{
UINT32 size = secHead->Misc.VirtualSize;
if (!size)
size = secHead->SizeOfRawData;
// Is the RVA within this section?
if ((rva >= secHead->VirtualAddress) && (rva < (secHead->VirtualAddress + size)))
return secHead;
}
return NULL;
}
template <class T> LPVOID GetPtrFromRVA(UINT32 rva, T* ntHeader, PVOID imageBase)
{
if (PIMAGE_SECTION_HEADER secHead = GetEnclosingSectionHeader(rva, ntHeader))
return((PVOID) (((UINT_PTR) imageBase) + rva));
else
return NULL;
}
// Parse module exports from in-memory PE header
static void ParseExports(PBYTE base, __inout Module &module)
{
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER) base;
if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
{
msg(" * Module \"%S\" in memory has bad DOS header signature *\n", module.file);
return;
}
PIMAGE_NT_HEADERS32 ntHeaderAny = (PIMAGE_NT_HEADERS32) (base + dosHeader->e_lfanew);
if (ntHeaderAny->Signature != LOWORD(IMAGE_NT_SIGNATURE))
{
msg(" * Module \"%S\" in memory has bad NT header signature *\n", module.file);
return;
}
if (ntHeaderAny->FileHeader.SizeOfOptionalHeader == 0)
return;
// x86
if (ntHeaderAny->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)
{
module.flags.is32bit = TRUE;
PIMAGE_NT_HEADERS32 ntHeader32 = ntHeaderAny;
// TODO: Allow the TTD image base, or use the default/assumed one?
//UINT64 VirtaulBase = 0x10000000;
// Note: To get the actual, not assumed default, static base address, would have to read it from the original module off disk
// since the loaded one's PE header is modified post load.
UINT64 VirtaulBase = (UINT64) ntHeader32->OptionalHeader.ImageBase;
DWORD exportsRva = ntHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
PIMAGE_EXPORT_DIRECTORY exportDir = (PIMAGE_EXPORT_DIRECTORY) GetPtrFromRVA(exportsRva, ntHeader32, base);
if (exportDir)
{
PUINT functions = (PUINT) GetPtrFromRVA(exportDir->AddressOfFunctions, ntHeader32, base);
PWORD ordinals = (PWORD) GetPtrFromRVA(exportDir->AddressOfNameOrdinals, ntHeader32, base);
PUINT names = (PUINT) GetPtrFromRVA(exportDir->AddressOfNames, ntHeader32, base);
UINT32 functionCount = exportDir->NumberOfFunctions;
UINT32 nameCount = exportDir->NumberOfNames;
for (UINT32 i = 0; i < functionCount; i++)
{
UINT32 entryPointRVA = functions[i];
if (!entryPointRVA)
continue;
for (UINT32 j = 0; j < nameCount; j++)
{
if (ordinals[j] == i)
{
LPSTR name = (LPSTR) GetPtrFromRVA(names[j], ntHeader32, base);
module.exports[VirtaulBase + entryPointRVA] = name;
break;
}
}
}
}
}
else
// AMD64
if (ntHeaderAny->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
{
PIMAGE_NT_HEADERS64 ntHeader64 = (PIMAGE_NT_HEADERS64) ntHeaderAny;
//UINT64 VirtaulBase = 0x180000000;
UINT64 VirtaulBase = ntHeader64->OptionalHeader.ImageBase;
DWORD exportsRva = ntHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
PIMAGE_EXPORT_DIRECTORY exportDir = (PIMAGE_EXPORT_DIRECTORY) GetPtrFromRVA(exportsRva, ntHeader64, base);
if (exportDir)
{
PUINT functions = (PUINT) GetPtrFromRVA(exportDir->AddressOfFunctions, ntHeader64, base);
PWORD ordinals = (PWORD) GetPtrFromRVA(exportDir->AddressOfNameOrdinals, ntHeader64, base);
PUINT names = (PUINT) GetPtrFromRVA(exportDir->AddressOfNames, ntHeader64, base);
UINT32 functionCount = exportDir->NumberOfFunctions;
UINT32 nameCount = exportDir->NumberOfNames;
for (UINT32 i = 0; i < functionCount; i++)
{
UINT32 entryPointRVA = functions[i];
if (!entryPointRVA)
continue;
for (UINT32 j = 0; j < nameCount; j++)
{
if (ordinals[j] == i)
{
LPSTR name = (LPSTR) GetPtrFromRVA(names[j], ntHeader64, base);
module.exports[VirtaulBase + entryPointRVA] = name;
break;
}
}
}
}
}
else
msg(" * Module \"%S\" in memory has unsupported machine type: 0x%X *\n", module.file, ntHeaderAny->FileHeader.Machine);
}
// Get PE IAT section extents if it exists
static void GetIatInfo(PBYTE base, __inout Module &module)
{
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER) base;
if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
return;
PIMAGE_NT_HEADERS32 ntHeaderAny = (PIMAGE_NT_HEADERS32) (base + dosHeader->e_lfanew);
if (ntHeaderAny->Signature != LOWORD(IMAGE_NT_SIGNATURE))
return;
if (ntHeaderAny->FileHeader.SizeOfOptionalHeader == 0)
return;
// x86
if (ntHeaderAny->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)
{
PIMAGE_NT_HEADERS32 ntHeader32 = ntHeaderAny;
if (ntHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size)
{
DWORD importsRva = ntHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress;
module.iatStart = (module.start + importsRva);
module.iatEnd = (module.iatStart + ntHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size);
}
}
else
// AMD64
if (ntHeaderAny->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
{
PIMAGE_NT_HEADERS64 ntHeader64 = (PIMAGE_NT_HEADERS64) ntHeaderAny;
if (ntHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size)
{
DWORD importsRva = ntHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress;
module.iatStart = (module.start + importsRva);
module.iatEnd = (module.iatStart + ntHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size);
}
}
}
// Determine bitness and gather module exports
// Returns TRUE on success
BOOL ProcessModule(__in TTD::Replay::Cursor *ICursorView, __inout Module &module)
{
BOOL result = FALSE;
TTD::TBufferView modBuff = { NULL, 0};
__try
{
// Move to where this module is loaded into memory
ICursorView->SetPosition(module.load);
// Get the module's memory
size_t moduleSize = (module.end - module.start);
modBuff.buffer = new(std::nothrow) BYTE[moduleSize];
if (!modBuff.buffer)
{
msg(" ** Failed to allocate module \"%S\" buffer of 0x%llX size, export parsing skipped **\n", module.file, moduleSize);
goto exit;
}
modBuff.size = moduleSize;
TTD::Replay::MemoryBuffer memBuff = ICursorView->QueryMemoryBuffer(module.start, &modBuff, TTD::Replay::DefaultMemoryPolicy);
if (memBuff.size < moduleSize)
{
msg(" * Got only 0x%llX of 0x%llX bytes for module \"%S\", export parsing skipped *\n", memBuff.size, moduleSize, module.file);
goto exit;
}
// Parse exports from PE export header
ParseExports((PBYTE) modBuff.buffer, module);
// Extra data for target module
if (module.flags.isTarget)
{
// Save the image for later dissembly
module.image = (PBYTE) modBuff.buffer;
// Save sections info for resolving direct pointer calls
GetIatInfo((PBYTE) modBuff.buffer, module);
}
result = TRUE;
}
C_EXCEPT();
exit:;
if (modBuff.buffer && !module.flags.isTarget)
{
delete modBuff.buffer;
modBuff.buffer = NULL;
}
return result;
}