#include "stdafx.h"

#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <fstream>
#include <vector>
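namespace Map {

// Finds the section whose virtual range [VirtualAddress, VirtualAddress + VirtualSize)
// contains `rva`, or NULL when no section does (the header area and gaps between
// sections are not covered).
PIMAGE_SECTION_HEADER TranslateRawSection(PIMAGE_NT_HEADERS nt, DWORD rva) {
    auto section = IMAGE_FIRST_SECTION(nt);
    for (WORD index = 0; index < nt->FileHeader.NumberOfSections; ++index, ++section) {
        // Subtract-then-compare cannot wrap, unlike `VirtualAddress + VirtualSize` on a crafted header.
        if (rva >= section->VirtualAddress && rva - section->VirtualAddress < section->Misc.VirtualSize) {
            return section;
        }
    }
    return NULL;
}

// Converts an RVA into a pointer inside the raw (file-layout) image at `base`.
// Returns NULL when no section covers the RVA. The result is NOT length-checked: an
// RVA inside a section's virtual extent but past its SizeOfRawData still yields a
// pointer, so code that reads a fixed-size structure should use the checked helpers.
PVOID TranslateRaw(PBYTE base, PIMAGE_NT_HEADERS nt, DWORD rva) {
    auto section = TranslateRawSection(nt, rva);
    if (!section) {
        return NULL;
    }
    return base + section->PointerToRawData + (rva - section->VirtualAddress);
}

namespace {

// True when [offset, offset + length) lies inside a buffer of `total` bytes; written
// so that neither operand can overflow.
bool FitsWithin(std::size_t offset, std::size_t length, std::size_t total) {
    return offset <= total && length <= total - offset;
}

// TranslateRaw plus a length check: the `length` bytes at `rva` must lie inside the
// section's raw file data (SizeOfRawData), not merely its virtual extent.
// Returns NULL otherwise.
PVOID TranslateRawChecked(PBYTE base, PIMAGE_NT_HEADERS nt, DWORD rva, std::size_t length) {
    auto section = TranslateRawSection(nt, rva);
    if (!section) {
        return NULL;
    }
    const std::size_t delta = rva - section->VirtualAddress;
    if (!FitsWithin(delta, length, section->SizeOfRawData)) {
        return NULL;
    }
    return base + section->PointerToRawData + delta;
}

// Resolves `rva` to a NUL-terminated string fully contained in its section's raw data.
// Returns NULL when the RVA is unmapped or no terminator exists before the section ends,
// so callers never walk a string off the end of the buffer.
PCHAR TranslateRawString(PBYTE base, PIMAGE_NT_HEADERS nt, DWORD rva) {
    auto section = TranslateRawSection(nt, rva);
    if (!section) {
        return NULL;
    }
    const std::size_t delta = rva - section->VirtualAddress;
    if (delta >= section->SizeOfRawData) {
        return NULL;
    }
    auto text = reinterpret_cast<PCHAR>(base + section->PointerToRawData + delta);
    const std::size_t available = section->SizeOfRawData - delta;
    return std::memchr(text, '\0', available) ? text : NULL;
}

// SizeOfImage of a module already loaded into this process (`imageBase` is its HMODULE,
// i.e. the address of its DOS header).
std::size_t LocalImageSize(PBYTE imageBase) {
    auto dos = reinterpret_cast<PIMAGE_DOS_HEADER>(imageBase);
    auto nt = reinterpret_cast<PIMAGE_NT_HEADERS>(imageBase + dos->e_lfanew);
    return nt->OptionalHeader.SizeOfImage;
}

// Validates the DOS/NT headers and the section table of the raw image at `base`.
// `size` is the byte length of the buffer; 0 means "unknown", in which case only the
// signature and header-consistency checks run and truncation cannot be detected.
// Returns the NT headers or NULL (after reporting the reason via errorf).
PIMAGE_NT_HEADERS ValidateHeaders(PBYTE base, std::size_t size) {
    const std::size_t limit = size ? size : SIZE_MAX;
    if (!FitsWithin(0, sizeof(IMAGE_DOS_HEADER), limit)) {
        errorf("DOS header is truncated\n");
        return NULL;
    }
    auto dos = reinterpret_cast<PIMAGE_DOS_HEADER>(base);
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
        errorf("DOS signature is invalid\n");
        return NULL;
    }
    // e_lfanew is signed; a negative or oversized value would place the NT headers outside the buffer.
    if (dos->e_lfanew < 0 || !FitsWithin(static_cast<std::size_t>(dos->e_lfanew), sizeof(IMAGE_NT_HEADERS), limit)) {
        errorf("e_lfanew (%lx) lies outside the image\n", static_cast<unsigned long>(dos->e_lfanew));
        return NULL;
    }
    auto nt = reinterpret_cast<PIMAGE_NT_HEADERS>(base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) {
        errorf("NT signature is invalid\n");
        return NULL;
    }
    // The section table starts after SizeOfOptionalHeader bytes, which the file controls.
    const std::size_t tableOffset = reinterpret_cast<PBYTE>(IMAGE_FIRST_SECTION(nt)) - base;
    const std::size_t tableBytes = static_cast<std::size_t>(nt->FileHeader.NumberOfSections) * sizeof(IMAGE_SECTION_HEADER);
    if (!FitsWithin(tableOffset, tableBytes, limit)) {
        errorf("section table is truncated\n");
        return NULL;
    }
    if (nt->OptionalHeader.AddressOfEntryPoint >= nt->OptionalHeader.SizeOfImage) {
        errorf("entry point (%lx) lies outside SizeOfImage\n", static_cast<unsigned long>(nt->OptionalHeader.AddressOfEntryPoint));
        return NULL;
    }
    auto section = IMAGE_FIRST_SECTION(nt);
    for (WORD index = 0; index < nt->FileHeader.NumberOfSections; ++index, ++section) {
        // Section names are 8 bytes and not necessarily NUL-terminated, hence %.8s.
        if (section->SizeOfRawData && !FitsWithin(section->PointerToRawData, section->SizeOfRawData, limit)) {
            errorf("section %.8s raw data lies outside the file\n", section->Name);
            return NULL;
        }
    }
    return nt;
}

} // namespace

// Fills the payload's first-thunk (IAT) entries with absolute addresses valid in the
// target process. Each imported DLL is loaded into this process with LoadLibraryA, the
// export is resolved locally, and its offset from the local base is rebased onto the
// target's copy of the same DLL (reported by process.Module). Handles both by-name and
// by-ordinal imports. Returns FALSE on a malformed import table, a DLL the target has
// not loaded, an unknown export, or an export that resolves outside the local module
// (a forwarder), since rebasing such an address would write a bogus pointer.
// Assumes the payload's bitness matches this build (IMAGE_THUNK_DATA is build-dependent).
BOOLEAN ResolveImports(utils::Process &process, PBYTE base, PIMAGE_NT_HEADERS nt) {
    const auto &importDir = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (!importDir.VirtualAddress) {
        return TRUE; // nothing to import
    }
    for (DWORD descriptorRva = importDir.VirtualAddress; ; descriptorRva += sizeof(IMAGE_IMPORT_DESCRIPTOR)) {
        auto descriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
            TranslateRawChecked(base, nt, descriptorRva, sizeof(IMAGE_IMPORT_DESCRIPTOR)));
        if (!descriptor) {
            errorf("import descriptor at %lx lies outside the image\n", static_cast<unsigned long>(descriptorRva));
            return FALSE;
        }
        if (!descriptor->FirstThunk) {
            break; // all-zero terminator
        }
        auto moduleName = TranslateRawString(base, nt, descriptor->Name);
        if (!moduleName) {
            errorf("import descriptor at %lx has an invalid module name\n", static_cast<unsigned long>(descriptorRva));
            return FALSE;
        }
        // NOTE(review): the DLL name comes from the payload and is loaded into *this*
        // process through the default search order; only map payloads you trust.
        auto module = LoadLibraryA(moduleName);
        if (!module) {
            errorf("module not loaded: %s\n", moduleName);
            return FALSE;
        }
        PBYTE processModuleBase = NULL;
        DWORD processModuleSize = 0;
        if (process.Module(StrToWStr(moduleName), &processModuleBase, &processModuleSize) != ERROR_SUCCESS) {
            errorf("Process currently does not have %s loaded\n", moduleName);
            return FALSE;
        }
        const auto localBase = reinterpret_cast<PBYTE>(module);
        const std::size_t localSize = LocalImageSize(localBase);
        for (DWORD thunkRva = descriptor->FirstThunk; ; thunkRva += sizeof(IMAGE_THUNK_DATA)) {
            auto thunk = reinterpret_cast<PIMAGE_THUNK_DATA>(
                TranslateRawChecked(base, nt, thunkRva, sizeof(IMAGE_THUNK_DATA)));
            if (!thunk) {
                errorf("%s: thunk at %lx lies outside the image\n", moduleName, static_cast<unsigned long>(thunkRva));
                return FALSE;
            }
            if (!thunk->u1.AddressOfData) {
                break; // zero terminator
            }
            PBYTE exportAddress = NULL;
            if (IMAGE_SNAP_BY_ORDINAL(thunk->u1.Ordinal)) {
                // High bit set: the low 16 bits are an export ordinal, not an RVA.
                const auto ordinal = IMAGE_ORDINAL(thunk->u1.Ordinal);
                exportAddress = reinterpret_cast<PBYTE>(GetProcAddress(module, MAKEINTRESOURCEA(ordinal)));
                if (!exportAddress) {
                    errorf("%s!#%lu not found\n", moduleName, static_cast<unsigned long>(ordinal));
                    return FALSE;
                }
            } else {
                // AddressOfData is an RVA to IMAGE_IMPORT_BY_NAME { WORD Hint; CHAR Name[]; }.
                const auto nameRva = static_cast<DWORD>(thunk->u1.AddressOfData);
                if (nameRva != thunk->u1.AddressOfData) {
                    errorf("%s: import name RVA does not fit in 32 bits\n", moduleName);
                    return FALSE;
                }
                auto importName = TranslateRawString(base, nt, static_cast<DWORD>(nameRva + offsetof(IMAGE_IMPORT_BY_NAME, Name)));
                if (!importName) {
                    errorf("%s: import name at %lx is invalid\n", moduleName, static_cast<unsigned long>(nameRva));
                    return FALSE;
                }
                exportAddress = reinterpret_cast<PBYTE>(GetProcAddress(module, importName));
                if (!exportAddress) {
                    errorf("%s!%s not found\n", moduleName, importName);
                    return FALSE;
                }
            }
            // A forwarded export resolves into another DLL; its offset from this module's
            // base is meaningless in the target's copy, so refuse rather than write garbage.
            const auto exportOffset = exportAddress - localBase;
            if (exportOffset < 0 || static_cast<std::size_t>(exportOffset) >= localSize) {
                errorf("%s: export resolves outside the module (forwarded?) and cannot be rebased\n", moduleName);
                return FALSE;
            }
            thunk->u1.Function = reinterpret_cast<UINT_PTR>(processModuleBase + exportOffset);
        }
    }
    return TRUE;
}

// Applies IMAGE_REL_BASED_DIR64 relocations to the raw image so absolute pointers refer
// to `mapped` (the target address) instead of the preferred ImageBase. Other relocation
// types are ignored, as before; IMAGE_REL_BASED_ABSOLUTE is padding, anything else would
// leave a pointer unrelocated. Each block header, block body and 8-byte target is
// checked against the section's raw data before it is touched, and a block with
// SizeOfBlock smaller than its header (which previously looped forever) or running past
// the directory is rejected. Returns FALSE on a malformed relocation directory.
BOOLEAN ResolveRelocations(PBYTE base, PIMAGE_NT_HEADERS nt, PBYTE mapped) {
    const auto &relocDir = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
    if (!relocDir.VirtualAddress || !relocDir.Size) {
        return TRUE; // image has no relocations
    }
    const std::uint64_t delta =
        static_cast<std::uint64_t>(reinterpret_cast<std::uintptr_t>(mapped)) - nt->OptionalHeader.ImageBase;
    DWORD consumed = 0;
    DWORD blockRva = relocDir.VirtualAddress;
    while (consumed < relocDir.Size) {
        auto block = reinterpret_cast<PIMAGE_BASE_RELOCATION>(
            TranslateRawChecked(base, nt, blockRva, sizeof(IMAGE_BASE_RELOCATION)));
        if (!block) {
            errorf("relocation block at %lx lies outside the image\n", static_cast<unsigned long>(blockRva));
            return FALSE;
        }
        const DWORD blockSize = block->SizeOfBlock;
        if (blockSize < sizeof(IMAGE_BASE_RELOCATION) || blockSize > relocDir.Size - consumed) {
            errorf("relocation block at %lx has an invalid SizeOfBlock (%lx)\n",
                   static_cast<unsigned long>(blockRva), static_cast<unsigned long>(blockSize));
            return FALSE;
        }
        if (!TranslateRawChecked(base, nt, blockRva, blockSize)) {
            errorf("relocation block at %lx is truncated\n", static_cast<unsigned long>(blockRva));
            return FALSE;
        }
        auto entries = reinterpret_cast<PWORD>(reinterpret_cast<PBYTE>(block) + sizeof(IMAGE_BASE_RELOCATION));
        const std::size_t entryCount = (blockSize - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
        for (std::size_t index = 0; index < entryCount; ++index) {
            const WORD entry = entries[index];
            const WORD type = entry >> 12;
            const DWORD offset = entry & 0xFFF;
            if (type != IMAGE_REL_BASED_DIR64) {
                continue;
            }
            auto target = reinterpret_cast<std::uint64_t *>(
                TranslateRawChecked(base, nt, block->VirtualAddress + offset, sizeof(std::uint64_t)));
            if (!target) {
                errorf("relocation target %lx+%lx lies outside the image\n",
                       static_cast<unsigned long>(block->VirtualAddress), static_cast<unsigned long>(offset));
                return FALSE;
            }
            *target += delta;
        }
        consumed += blockSize;
        blockRva += blockSize;
    }
    return TRUE;
}

// Writes the leading header bytes into the target at `mapped`. The byte count is the
// NT header size (Signature + FileHeader + SizeOfOptionalHeader) but the source is
// `base`, i.e. the start of the DOS header, not `nt`.
// NOTE(review): that mismatch is preserved from the original; the caller has already
// zeroed both magics, so the copied bytes carry no "MZ"/"PE" marker either way.
BOOLEAN MapHeaders(utils::Process &process, PBYTE base, PIMAGE_NT_HEADERS nt, PBYTE mapped) {
    const std::size_t headerBytes = sizeof(nt->Signature) + sizeof(nt->FileHeader) + nt->FileHeader.SizeOfOptionalHeader;
    if (!FitsWithin(0, headerBytes, nt->OptionalHeader.SizeOfImage)) {
        errorf("header size (%lx) exceeds SizeOfImage\n", static_cast<unsigned long>(headerBytes));
        return FALSE;
    }
    return process.Write(mapped, base, headerBytes) == ERROR_SUCCESS;
}

// Copies every section's raw bytes (min of SizeOfRawData and VirtualSize) to
// `mapped + VirtualAddress` in the target. Sections with no data are skipped. A section
// whose destination would run past SizeOfImage (the amount ExtendModule reserved) is
// rejected instead of written. Returns FALSE on the first failed write.
BOOLEAN MapSections(utils::Process &process, PBYTE base, PIMAGE_NT_HEADERS nt, PBYTE mapped) {
    auto section = IMAGE_FIRST_SECTION(nt);
    for (WORD index = 0; index < nt->FileHeader.NumberOfSections; ++index, ++section) {
        const DWORD sectionSize = std::min<DWORD>(section->SizeOfRawData, section->Misc.VirtualSize);
        if (!sectionSize) {
            continue;
        }
        if (!FitsWithin(section->VirtualAddress, sectionSize, nt->OptionalHeader.SizeOfImage)) {
            errorf("section %.8s (%lx+%lx) lies outside SizeOfImage\n", section->Name,
                   static_cast<unsigned long>(section->VirtualAddress), static_cast<unsigned long>(sectionSize));
            return FALSE;
        }
        auto destination = mapped + section->VirtualAddress;
        // %.8s: Name is 8 bytes and need not be NUL-terminated.
        if (process.Write(destination, base + section->PointerToRawData, sectionSize) != ERROR_SUCCESS) {
            errorf("Mapping failed at section %.8s at %p (%x)\n", section->Name, destination, sectionSize);
            return FALSE;
        }
    }
    return TRUE;
}

// Grows `module` in the target by SizeOfImage bytes and returns the address of the new
// space (the old end of the module), or NULL if the module is absent or cannot be extended.
PBYTE ExtendModule(utils::Process &process, PIMAGE_NT_HEADERS nt, LPCWSTR module) {
    PBYTE moduleBase = NULL;
    DWORD moduleSize = 0;
    auto status = process.Module(module, &moduleBase, &moduleSize);
    if (status != ERROR_SUCCESS || !moduleBase) {
        errorf("Module %ws (%X) was not found\n", module, status);
        return NULL;
    }
    status = process.Extend(module, nt->OptionalHeader.SizeOfImage);
    if (status != ERROR_SUCCESS) {
        errorf("Module %ws does not having enough free memory (%X)\n", module, status);
        return NULL;
    }
    return moduleBase + moduleSize;
}

// Maps the raw PE image at `base` (`size` bytes; 0 = length unknown, truncation
// unchecked) into the target process as an extension of `module`. Steps: validate
// headers, clear the DOS/NT magics, extend the module, resolve imports and relocations
// in the local buffer, then write headers and sections. Returns the mapped entry point
// (`mapped + AddressOfEntryPoint`) or NULL on any failure.
// The buffer at `base` is modified in place (magics, IAT, relocated pointers).
PVOID ExtendMap(utils::Process &process, PBYTE base, std::size_t size, LPCWSTR module) {
    auto nt = ValidateHeaders(base, size);
    if (!nt) {
        return NULL;
    }
    // Cleared before anything is written so the target never holds an "MZ"/"PE" marker.
    nt->Signature = 0;
    reinterpret_cast<PIMAGE_DOS_HEADER>(base)->e_magic = 0;
    auto mapped = ExtendModule(process, nt, module);
    if (!mapped) {
        return NULL;
    }
    // NOTE(review): from here on the target module is already extended; no rollback is
    // visible in utils::Process, so a later failure leaves the extension in place.
    if (!ResolveImports(process, base, nt)) {
        return NULL;
    }
    if (!ResolveRelocations(base, nt, mapped)) {
        return NULL;
    }
    if (!MapHeaders(process, base, nt, mapped)) {
        errorf("failed to map headers\n");
        return NULL;
    }
    if (!MapSections(process, base, nt, mapped)) {
        return NULL;
    }
    return mapped + nt->OptionalHeader.AddressOfEntryPoint;
}

// Compatibility overload for callers that do not know the buffer length. Header
// consistency is still checked, but a truncated buffer cannot be detected; prefer the
// overload taking `size` when it is available.
PVOID ExtendMap(utils::Process &process, PBYTE base, LPCWSTR module) {
    return ExtendMap(process, base, 0, module);
}

// Reads the whole file at `filePath` and maps it with the size-aware overload, so every
// header and section offset is bounds-checked against the real file length. Returns the
// mapped entry point or NULL if the file cannot be opened, is empty, or cannot be read.
PVOID ExtendMap(utils::Process &process, LPCWSTR filePath, LPCWSTR module) {
    std::ifstream file(filePath, std::ios::ate | std::ios::binary);
    if (!file) {
        errorf("file: \"%ws\" failed to open\n", filePath);
        return NULL;
    }
    const std::streamoff length = file.tellg();
    if (length <= 0) {
        errorf("file: \"%ws\" is empty\n", filePath);
        return NULL;
    }
    std::vector<BYTE> buffer(static_cast<std::size_t>(length));
    file.seekg(0, std::ios::beg);
    if (!file.read(reinterpret_cast<PCHAR>(buffer.data()), length)) {
        errorf("file: \"%ws\" could not be read\n", filePath);
        return NULL;
    }
    return ExtendMap(process, buffer.data(), buffer.size(), module);
}

}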