1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
|
// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// This file was adapted from GreenBorder's Code.
// To understand what this class is about (for other than well known functions
// as GetProcAddress), a good starting point is "An In-Depth Look into the
// Win32 Portable Executable File Format" by Matt Pietrek:
// http://msdn.microsoft.com/msdnmag/issues/02/02/PE/default.aspx
#ifndef SANDBOX_SRC_PE_IMAGE_H__
#define SANDBOX_SRC_PE_IMAGE_H__
#include <windows.h>
#include <DelayIMP.h>
namespace sandbox {
// This class is a wrapper for the Portable Executable File Format (PE).
// It's main purpose is to provide an easy way to work with imports and exports
// from a file, mapped in memory as image.
class PEImage {
public:
// Callback to enumerate sections.
// cookie is the value passed to the enumerate method.
// Returns true to continue the enumeration.
typedef bool (*EnumSectionsFunction)(const PEImage &image,
PIMAGE_SECTION_HEADER header,
PVOID section_start, DWORD section_size,
PVOID cookie);
// Callback to enumerate exports.
// function is the actual address of the symbol. If forward is not null, it
// contains the dll and symbol to forward this export to. cookie is the value
// passed to the enumerate method.
// Returns true to continue the enumeration.
typedef bool (*EnumExportsFunction)(const PEImage &image, DWORD ordinal,
DWORD hint, LPCSTR name, PVOID function,
LPCSTR forward, PVOID cookie);
// Callback to enumerate import blocks.
// name_table and iat point to the imports name table and address table for
// this block. cookie is the value passed to the enumerate method.
// Returns true to continue the enumeration.
typedef bool (*EnumImportChunksFunction)(const PEImage &image, LPCSTR module,
PIMAGE_THUNK_DATA name_table,
PIMAGE_THUNK_DATA iat, PVOID cookie);
// Callback to enumerate imports.
// module is the dll that exports this symbol. cookie is the value passed to
// the enumerate method.
// Returns true to continue the enumeration.
typedef bool (*EnumImportsFunction)(const PEImage &image, LPCSTR module,
DWORD ordinal, LPCSTR name, DWORD hint,
PIMAGE_THUNK_DATA iat, PVOID cookie);
// Callback to enumerate dalayed import blocks.
// module is the dll that exports this block of symbols. cookie is the value
// passed to the enumerate method.
// Returns true to continue the enumeration.
typedef bool (*EnumDelayImportChunksFunction)(const PEImage &image,
PImgDelayDescr delay_descriptor,
LPCSTR module,
PIMAGE_THUNK_DATA name_table,
PIMAGE_THUNK_DATA iat,
PIMAGE_THUNK_DATA bound_iat,
PIMAGE_THUNK_DATA unload_iat,
PVOID cookie);
// Callback to enumerate relocations.
// cookie is the value passed to the enumerate method.
// Returns true to continue the enumeration.
typedef bool (*EnumRelocsFunction)(const PEImage &image, WORD type,
PVOID address, PVOID cookie);
explicit PEImage(HMODULE module) : module_(module) {}
explicit PEImage(const void* module) {
module_ = reinterpret_cast<HMODULE>(const_cast<void*>(module));
}
// Gets the HMODULE for this object.
HMODULE module() const;
// Sets this object's HMODULE.
void set_module(HMODULE module);
// Checks if this symbol is actually an ordinal.
static bool IsOrdinal(LPCSTR name);
// Converts a named symbol to the corresponding ordinal.
static WORD ToOrdinal(LPCSTR name);
// Returns the DOS_HEADER for this PE.
PIMAGE_DOS_HEADER GetDosHeader() const;
// Returns the NT_HEADER for this PE.
PIMAGE_NT_HEADERS GetNTHeaders() const;
// Returns number of sections of this PE.
WORD GetNumSections() const;
// Returns the header for a given section.
// returns NULL if there is no such section.
PIMAGE_SECTION_HEADER GetSectionHeader(UINT section) const;
// Returns the size of a given directory entry.
DWORD GetImageDirectoryEntrySize(UINT directory) const;
// Returns the address of a given directory entry.
PVOID GetImageDirectoryEntryAddr(UINT directory) const;
// Returns the section header for a given address.
// Use: s = image.GetImageSectionFromAddr(a);
// Post: 's' is the section header of the section that contains 'a'
// or NULL if there is no such section.
PIMAGE_SECTION_HEADER GetImageSectionFromAddr(PVOID address) const;
// Returns the section header for a given section.
PIMAGE_SECTION_HEADER GetImageSectionHeaderByName(LPCSTR section_name) const;
// Returns the first block of imports.
PIMAGE_IMPORT_DESCRIPTOR GetFirstImportChunk() const;
// Returns the exports directory.
PIMAGE_EXPORT_DIRECTORY GetExportDirectory() const;
// Returns a given export entry.
// Use: e = image.GetExportEntry(f);
// Pre: 'f' is either a zero terminated string or ordinal
// Post: 'e' is a pointer to the export directory entry
// that contains 'f's export RVA, or NULL if 'f'
// is not exported from this image
PDWORD GetExportEntry(LPCSTR name) const;
// Returns the address for a given exported symbol.
// Use: p = image.GetProcAddress(f);
// Pre: 'f' is either a zero terminated string or ordinal.
// Post: if 'f' is a non-forwarded export from image, 'p' is
// the exported function. If 'f' is a forwarded export
// then p is the special value 0xFFFFFFFF. In this case
// RVAToAddr(*GetExportEntry) can be used to resolve
// the string that describes the forward.
FARPROC GetProcAddress(LPCSTR function_name) const;
// Retrieves the ordinal for a given exported symbol.
// Returns true if the symbol was found.
bool GetProcOrdinal(LPCSTR function_name, WORD *ordinal) const;
// Enumerates PE sections.
// cookie is a generic cookie to pass to the callback.
// Returns true on success.
bool EnumSections(EnumSectionsFunction callback, PVOID cookie) const;
// Enumerates PE exports.
// cookie is a generic cookie to pass to the callback.
// Returns true on success.
bool EnumExports(EnumExportsFunction callback, PVOID cookie) const;
// Enumerates PE imports.
// cookie is a generic cookie to pass to the callback.
// Returns true on success.
bool EnumAllImports(EnumImportsFunction callback, PVOID cookie) const;
// Enumerates PE import blocks.
// cookie is a generic cookie to pass to the callback.
// Returns true on success.
bool EnumImportChunks(EnumImportChunksFunction callback, PVOID cookie) const;
// Enumerates the imports from a single PE import block.
// cookie is a generic cookie to pass to the callback.
// Returns true on success.
bool EnumOneImportChunk(EnumImportsFunction callback, LPCSTR module_name,
PIMAGE_THUNK_DATA name_table, PIMAGE_THUNK_DATA iat,
PVOID cookie) const;
// Enumerates PE delay imports.
// cookie is a generic cookie to pass to the callback.
// Returns true on success.
bool EnumAllDelayImports(EnumImportsFunction callback, PVOID cookie) const;
// Enumerates PE delay import blocks.
// cookie is a generic cookie to pass to the callback.
// Returns true on success.
bool EnumDelayImportChunks(EnumDelayImportChunksFunction callback,
PVOID cookie) const;
// Enumerates imports from a single PE delay import block.
// cookie is a generic cookie to pass to the callback.
// Returns true on success.
bool EnumOneDelayImportChunk(EnumImportsFunction callback,
PImgDelayDescr delay_descriptor,
LPCSTR module_name,
PIMAGE_THUNK_DATA name_table,
PIMAGE_THUNK_DATA iat,
PIMAGE_THUNK_DATA bound_iat,
PIMAGE_THUNK_DATA unload_iat,
PVOID cookie) const;
// Enumerates PE relocation entries.
// cookie is a generic cookie to pass to the callback.
// Returns true on success.
bool EnumRelocs(EnumRelocsFunction callback, PVOID cookie) const;
// Verifies the magic values on the PE file.
// Returns true if all values are correct.
bool VerifyMagic() const;
// Converts an rva value to the appropriate address.
virtual PVOID RVAToAddr(DWORD rva) const;
// Converts an rva value to an offset on disk.
// Returns true on success.
bool ImageRVAToOnDiskOffset(DWORD rva, DWORD *on_disk_offset) const;
// Converts an address to an offset on disk.
// Returns true on success.
bool ImageAddrToOnDiskOffset(LPVOID address, DWORD *on_disk_offset) const;
private:
HMODULE module_;
};
// This class is an extension to the PEImage class that allows working with PE
// files mapped as data instead of as image file.
class PEImageAsData : public PEImage {
public:
explicit PEImageAsData(HMODULE hModule) : PEImage(hModule) {}
virtual PVOID RVAToAddr(DWORD rva) const;
};
inline bool PEImage::IsOrdinal(LPCSTR name) {
#pragma warning(push)
#pragma warning(disable: 4311)
// This cast generates a warning because it is 32 bit specific.
return reinterpret_cast<DWORD>(name) <= 0xFFFF;
#pragma warning(pop)
}
inline WORD PEImage::ToOrdinal(LPCSTR name) {
return reinterpret_cast<WORD>(name);
}
inline HMODULE PEImage::module() const {
return module_;
}
inline PIMAGE_IMPORT_DESCRIPTOR PEImage::GetFirstImportChunk() const {
return reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
GetImageDirectoryEntryAddr(IMAGE_DIRECTORY_ENTRY_IMPORT));
}
inline PIMAGE_EXPORT_DIRECTORY PEImage::GetExportDirectory() const {
return reinterpret_cast<PIMAGE_EXPORT_DIRECTORY>(
GetImageDirectoryEntryAddr(IMAGE_DIRECTORY_ENTRY_EXPORT));
}
} // namespace sandbox
#endif // SANDBOX_SRC_PE_IMAGE_H__
|