summaryrefslogtreecommitdiffhomepage
path: root/src/modules
diff options
context:
space:
mode:
Diffstat (limited to 'src/modules')
-rw-r--r--src/modules/pe_enum_modules.c102
-rw-r--r--src/modules/pe_get_kernel32_module_handle.c73
-rw-r--r--src/modules/pe_get_module_handle.c80
-rw-r--r--src/modules/pe_get_ntdll_module_handle.c27
4 files changed, 282 insertions, 0 deletions
diff --git a/src/modules/pe_enum_modules.c b/src/modules/pe_enum_modules.c
new file mode 100644
index 0000000..c36b076
--- /dev/null
+++ b/src/modules/pe_enum_modules.c
@@ -0,0 +1,102 @@
+/*****************************************************************************/
+/* pemagination: a (virtual) tour into portable bits and executable bytes */
+/* Copyright (C) 2013,2014,2015 Z. Gilboa */
+/* Released under GPLv2 and GPLv3; see COPYING.PEMAGINE. */
+/*****************************************************************************/
+
+#include <psxtypes/psxtypes.h>
+#include <pemagine/pe_consts.h>
+#include <pemagine/pe_structs.h>
+#include <pemagine/pemagine.h>
+#include "pe_impl.h"
+
+static int pe_enum_modules(
+ pe_enum_modules_callback * callback,
+ const uintptr_t in_order_member_offset,
+ void * context)
+{
+ int ret;
+ uintptr_t peb_tbl_addr;
+ struct pe_peb_ldr_data * peb_ldr_data;
+ struct pe_ldr_tbl_entry * ldr_tbl_entry;
+ struct pe_list_entry * plist_head;
+ struct pe_list_entry * plist_current;
+
+ peb_ldr_data = (struct pe_peb_ldr_data *)pe_get_peb_ldr_data_address();
+ plist_head = (struct pe_list_entry *)0;
+
+ if ((intptr_t)peb_ldr_data == 0) {
+ callback(
+ 0,
+ PE_CALLBACK_REASON_ERROR,
+ context);
+ return -1;
+ }
+
+ ret = callback(
+ 0,
+ PE_CALLBACK_REASON_INIT,
+ context);
+
+ if (ret <= 0)
+ return ret;
+
+ switch (in_order_member_offset) {
+ case IN_LOAD_ORDER_MODULE_LIST_OFFSET:
+ plist_head = peb_ldr_data->in_load_order_module_list.flink;
+ break;
+
+ case IN_MEMORY_ORDER_MODULE_LIST_OFFSET:
+ plist_head = peb_ldr_data->in_memory_order_module_list.flink;
+ break;
+
+ case IN_INITIALIZATION_ORDER_MODULE_LIST_OFFSET:
+ plist_head = peb_ldr_data->in_init_order_module_list.flink;
+ break;
+ }
+
+ plist_current = plist_head;
+
+ do
+ {
+ peb_tbl_addr = (uintptr_t)plist_current - in_order_member_offset;
+ ldr_tbl_entry = (struct pe_ldr_tbl_entry *)peb_tbl_addr;
+
+ ret = callback(
+ ldr_tbl_entry,
+ PE_CALLBACK_REASON_ITEM,
+ context);
+
+ if (ret <= 0)
+ return ret;
+ else
+ plist_current = plist_current->flink;
+
+ } while (plist_current != plist_head);
+
+ ret = callback(
+ ldr_tbl_entry,
+ PE_CALLBACK_REASON_DONE,
+ context);
+
+ return ret;
+}
+
+
+pe_api
+int pe_enum_modules_in_load_order(pe_enum_modules_callback * fn, void * ctx)
+{
+ return pe_enum_modules(fn,IN_LOAD_ORDER_MODULE_LIST_OFFSET,ctx);
+}
+
+pe_api
+int pe_enum_modules_in_memory_order(pe_enum_modules_callback * fn, void * ctx)
+{
+ return pe_enum_modules(fn,IN_MEMORY_ORDER_MODULE_LIST_OFFSET,ctx);
+}
+
+pe_api
+int pe_enum_modules_in_init_order(pe_enum_modules_callback * fn, void * ctx)
+{
+ return pe_enum_modules(fn,IN_INITIALIZATION_ORDER_MODULE_LIST_OFFSET,ctx);
+}
diff --git a/src/modules/pe_get_kernel32_module_handle.c b/src/modules/pe_get_kernel32_module_handle.c
new file mode 100644
index 0000000..9cd0c18
--- /dev/null
+++ b/src/modules/pe_get_kernel32_module_handle.c
@@ -0,0 +1,73 @@
+/*****************************************************************************/
+/* pemagination: a (virtual) tour into portable bits and executable bytes */
+/* Copyright (C) 2013,2014,2015 Z. Gilboa */
+/* Released under GPLv2 and GPLv3; see COPYING.PEMAGINE. */
+/*****************************************************************************/
+
+#include <psxtypes/psxtypes.h>
+#include <pemagine/pe_consts.h>
+#include <pemagine/pe_structs.h>
+#include <pemagine/pemagine.h>
+#include "pe_impl.h"
+
+static int pe_get_kernel32_handle_callback(
+ struct pe_ldr_tbl_entry * ldr_tbl_entry,
+ enum pe_callback_reason reason,
+ void * context)
+{
+ #define KERNEL32_UTF16_STRLEN 24
+
+ int32_t kernel32_base_name_le[4];
+ char * kernel32_base_name_ansi;
+
+ intptr_t * addr;
+ char * ch;
+ size_t match;
+
+ /* avoid scan-based false positives */
+ kernel32_base_name_le[0] = 0x6E72656B; /* 'kern' */
+ kernel32_base_name_le[1] = 0x32336C65; /* 'el32' */
+ kernel32_base_name_le[2] = 0x6C6C642E; /* '.dll' */
+ kernel32_base_name_le[3] = 0;
+
+ kernel32_base_name_ansi = (char *)&kernel32_base_name_le;
+
+ match = 0;
+ addr = (intptr_t *)context;
+
+ if (reason == PE_CALLBACK_REASON_ITEM)
+ if (ldr_tbl_entry->base_dll_name.strlen == KERNEL32_UTF16_STRLEN) {
+ ch = (char *)ldr_tbl_entry->base_dll_name.buffer;
+ match = 0;
+
+ while ((match < sizeof(kernel32_base_name_ansi))
+ && ((*ch == kernel32_base_name_ansi[match])
+ || (*ch == (kernel32_base_name_ansi[match] + 'A' - 'a')))
+ && (*(ch + 1) == 0)) {
+ ch+=sizeof(uint16_t);
+ match++;
+ }
+ }
+
+ if (match == sizeof(kernel32_base_name_ansi)) {
+ *addr = (intptr_t)ldr_tbl_entry->dll_base;
+ return 0;
+ }
+ else
+ return 1;
+}
+
+
+pe_api
+void * pe_get_kernel32_module_handle(void)
+{
+
+ intptr_t kernel32_base_addr = 0;
+ void * ptr_to_callback = &kernel32_base_addr;
+
+ pe_enum_modules_in_init_order(
+ &pe_get_kernel32_handle_callback,
+ ptr_to_callback);
+
+ return (void *)kernel32_base_addr;
+}
diff --git a/src/modules/pe_get_module_handle.c b/src/modules/pe_get_module_handle.c
new file mode 100644
index 0000000..7677ba0
--- /dev/null
+++ b/src/modules/pe_get_module_handle.c
@@ -0,0 +1,80 @@
+/*****************************************************************************/
+/* pemagination: a (virtual) tour into portable bits and executable bytes */
+/* Copyright (C) 2013,2014,2015 Z. Gilboa */
+/* Released under GPLv2 and GPLv3; see COPYING.PEMAGINE. */
+/*****************************************************************************/
+
+#include <psxtypes/psxtypes.h>
+#include <pemagine/pe_consts.h>
+#include <pemagine/pe_structs.h>
+#include <pemagine/pemagine.h>
+#include "pe_impl.h"
+
+pe_api
+void * pe_get_first_module_handle(void)
+{
+ struct pe_peb_ldr_data * peb_ldr_data;
+ struct pe_list_entry * peb_list_entry;
+ intptr_t peb_tbl_addr;
+ struct pe_ldr_tbl_entry * peb_ldr_tbl_entry;
+
+ peb_ldr_data = (struct pe_peb_ldr_data *)pe_get_peb_ldr_data_address();
+ peb_list_entry = (struct pe_list_entry *)peb_ldr_data->in_load_order_module_list.flink;
+ peb_tbl_addr = (intptr_t)peb_list_entry - IN_LOAD_ORDER_MODULE_LIST_OFFSET;
+ peb_ldr_tbl_entry = (struct pe_ldr_tbl_entry *)peb_tbl_addr;
+
+ return peb_ldr_tbl_entry->dll_base;
+}
+
+pe_api
+void * pe_get_module_handle(const wchar16_t * name)
+{
+ wchar16_t * src;
+ wchar16_t * dst;
+
+ size_t match;
+ size_t len;
+
+ struct pe_peb_ldr_data * peb_ldr_data;
+ struct pe_list_entry * plist_head;
+
+ struct pe_list_entry * plist_current;
+ struct pe_ldr_tbl_entry * ldr_tbl_entry = 0;
+
+ peb_ldr_data = (struct pe_peb_ldr_data *)pe_get_peb_ldr_data_address();
+ plist_head = (struct pe_list_entry *)peb_ldr_data->in_load_order_module_list.flink;
+ plist_current = plist_head;
+
+ len = pe_impl_strlen_utf16(name);
+
+ do {
+ ldr_tbl_entry = (struct pe_ldr_tbl_entry *)plist_current - IN_LOAD_ORDER_MODULE_LIST_OFFSET;
+
+ if (ldr_tbl_entry->base_dll_name.strlen == len)
+ dst = (wchar16_t *)ldr_tbl_entry->base_dll_name.buffer;
+ else if (ldr_tbl_entry->full_dll_name.strlen == len)
+ dst = (wchar16_t *)ldr_tbl_entry->full_dll_name.buffer;
+ else
+ dst = (wchar16_t *)0;
+
+ if ((intptr_t)(dst)) {
+ src = (wchar16_t *)name;
+ match = 0;
+
+ while ((match < len)
+ && ((pe_impl_utf16_char_to_lower(*src)) == (pe_impl_utf16_char_to_lower(*dst)))) {
+ src = (wchar16_t *)pe_va_from_rva(src,sizeof(wchar16_t));
+ dst = (wchar16_t *)pe_va_from_rva(dst,sizeof(wchar16_t));
+ match+=sizeof(wchar16_t);
+ }
+
+ if (match == len)
+ return ldr_tbl_entry->dll_base;
+ }
+
+ plist_current = plist_current->flink;
+ } while (plist_current != plist_head);
+
+ /* address not found */
+ return 0;
+}
diff --git a/src/modules/pe_get_ntdll_module_handle.c b/src/modules/pe_get_ntdll_module_handle.c
new file mode 100644
index 0000000..72f81ec
--- /dev/null
+++ b/src/modules/pe_get_ntdll_module_handle.c
@@ -0,0 +1,27 @@
+/*****************************************************************************/
+/* pemagination: a (virtual) tour into portable bits and executable bytes */
+/* Copyright (C) 2013,2014,2015 Z. Gilboa */
+/* Released under GPLv2 and GPLv3; see COPYING.PEMAGINE. */
+/*****************************************************************************/
+
+#include <psxtypes/psxtypes.h>
+#include <pemagine/pe_consts.h>
+#include <pemagine/pe_structs.h>
+#include <pemagine/pemagine.h>
+#include "pe_impl.h"
+
+pe_api
+void * pe_get_ntdll_module_handle(void)
+{
+ struct pe_peb_ldr_data * peb_ldr_data;
+ struct pe_list_entry * peb_list_entry;
+ intptr_t peb_tbl_addr;
+ struct pe_ldr_tbl_entry * peb_ldr_tbl_entry;
+
+ peb_ldr_data = (struct pe_peb_ldr_data *)pe_get_peb_ldr_data_address();
+ peb_list_entry = peb_ldr_data->in_init_order_module_list.flink;
+ peb_tbl_addr = (intptr_t)peb_list_entry - IN_INITIALIZATION_ORDER_MODULE_LIST_OFFSET;
+ peb_ldr_tbl_entry = (struct pe_ldr_tbl_entry *)peb_tbl_addr;
+
+ return peb_ldr_tbl_entry->dll_base;
+}