Diffstat (limited to 'src/modules')
-rw-r--r--src/modules/pe_get_kernel32_module_handle.c86
1 files changed, 50 insertions, 36 deletions
diff --git a/src/modules/pe_get_kernel32_module_handle.c b/src/modules/pe_get_kernel32_module_handle.c
index 9cd0c18..2625e0f 100644
--- a/src/modules/pe_get_kernel32_module_handle.c
+++ b/src/modules/pe_get_kernel32_module_handle.c
@@ -17,48 +17,62 @@ static int pe_get_kernel32_handle_callback(
{
#define KERNEL32_UTF16_STRLEN 24
- int32_t kernel32_base_name_le[4];
- char * kernel32_base_name_ansi;
+ intptr_t * addr;
+ const wchar16_t * wch;
- intptr_t * addr;
- char * ch;
- size_t match;
+ /* not an item? */
+ if (reason != PE_CALLBACK_REASON_ITEM)
+ return 1;
+
+ /* wrong length? */
+ if (ldr_tbl_entry->base_dll_name.strlen != KERNEL32_UTF16_STRLEN)
+ return 1;
/* avoid scan-based false positives */
- kernel32_base_name_le[0] = 0x6E72656B; /* 'kern' */
- kernel32_base_name_le[1] = 0x32336C65; /* 'el32' */
- kernel32_base_name_le[2] = 0x6C6C642E; /* '.dll' */
- kernel32_base_name_le[3] = 0;
-
- kernel32_base_name_ansi = (char *)&kernel32_base_name_le;
-
- match = 0;
- addr = (intptr_t *)context;
-
- if (reason == PE_CALLBACK_REASON_ITEM)
- if (ldr_tbl_entry->base_dll_name.strlen == KERNEL32_UTF16_STRLEN) {
- ch = (char *)ldr_tbl_entry->base_dll_name.buffer;
- match = 0;
-
- while ((match < sizeof(kernel32_base_name_ansi))
- && ((*ch == kernel32_base_name_ansi[match])
- || (*ch == (kernel32_base_name_ansi[match] + 'A' - 'a')))
- && (*(ch + 1) == 0)) {
- ch+=sizeof(uint16_t);
- match++;
- }
- }
-
- if (match == sizeof(kernel32_base_name_ansi)) {
- *addr = (intptr_t)ldr_tbl_entry->dll_base;
- return 0;
- }
- else
+ wch = ldr_tbl_entry->base_dll_name.buffer;
+
+ if (pe_impl_utf16_char_to_lower(wch[4] != 'e'))
+ return 1;
+
+ else if (pe_impl_utf16_char_to_lower(wch[1] != 'e'))
+ return 1;
+
+ else if (pe_impl_utf16_char_to_lower(wch[3] != 'n'))
+ return 1;
+
+ else if (pe_impl_utf16_char_to_lower(wch[2] != 'r'))
+ return 1;
+
+ else if (pe_impl_utf16_char_to_lower(wch[5] != 'l'))
+ return 1;
+
+ else if (pe_impl_utf16_char_to_lower(wch[0] != 'k'))
+ return 1;
+
+ else if (pe_impl_utf16_char_to_lower(wch[7] != '2'))
+ return 1;
+
+ else if (pe_impl_utf16_char_to_lower(wch[6] != '3'))
+ return 1;
+
+ else if (pe_impl_utf16_char_to_lower(wch[11] != 'l'))
return 1;
-}
+ else if (pe_impl_utf16_char_to_lower(wch[10] != 'l'))
+ return 1;
+
+ else if (pe_impl_utf16_char_to_lower(wch[9] != 'd'))
+ return 1;
+
+ else if (pe_impl_utf16_char_to_lower(wch[8] != '.'))
+ return 1;
+
+ /* match */
+ addr = (intptr_t *)context;
+ *addr = (intptr_t)ldr_tbl_entry->dll_base;
+ return 0;
+}
-pe_api
void * pe_get_kernel32_module_handle(void)
{
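Review bot: Every comparison in the new if/else chain is mis-parenthesized: `pe_impl_utf16_char_to_lower(wch[4] != 'e')` lowercases the result of the comparison (0 or 1) rather than the character, so the match degenerates to a case-sensitive one and whether any branch passes at all depends on what the helper returns for 0 and 1; the intended form is `if (pe_impl_utf16_char_to_lower(wch[4]) != 'e')`, and the same fix applies to all twelve branches from `wch[4]` down to `wch[8]`. Loader table entries commonly carry the base name in upper case, so a case-sensitive compare would presumably make pe_get_kernel32_module_handle fail to find the module at all — worth confirming with an entry named "KERNEL32.DLL". The digit and '.' positions (`wch[6]`, `wch[7]`, `wch[8]`) have no case and can be compared directly without the helper. The callback's signature and parameter list lie above the hunk, so the element type of base_dll_name.buffer is assumed here to match wchar16_t.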