diff options
Diffstat (limited to 'src/modules')
-rw-r--r-- | src/modules/pe_enum_modules.c | 102 | ||||
-rw-r--r-- | src/modules/pe_get_kernel32_module_handle.c | 73 | ||||
-rw-r--r-- | src/modules/pe_get_module_handle.c | 80 | ||||
-rw-r--r-- | src/modules/pe_get_ntdll_module_handle.c | 27 |
4 files changed, 282 insertions, 0 deletions
diff --git a/src/modules/pe_enum_modules.c b/src/modules/pe_enum_modules.c new file mode 100644 index 0000000..c36b076 --- /dev/null +++ b/src/modules/pe_enum_modules.c @@ -0,0 +1,102 @@ +/*****************************************************************************/ +/* pemagination: a (virtual) tour into portable bits and executable bytes */ +/* Copyright (C) 2013,2014,2015 Z. Gilboa */ +/* Released under GPLv2 and GPLv3; see COPYING.PEMAGINE. */ +/*****************************************************************************/ + +#include <psxtypes/psxtypes.h> +#include <pemagine/pe_consts.h> +#include <pemagine/pe_structs.h> +#include <pemagine/pemagine.h> +#include "pe_impl.h" + +static int pe_enum_modules( + pe_enum_modules_callback * callback, + const uintptr_t in_order_member_offset, + void * context) +{ + int ret; + uintptr_t peb_tbl_addr; + struct pe_peb_ldr_data * peb_ldr_data; + struct pe_ldr_tbl_entry * ldr_tbl_entry; + struct pe_list_entry * plist_head; + struct pe_list_entry * plist_current; + + peb_ldr_data = (struct pe_peb_ldr_data *)pe_get_peb_ldr_data_address(); + plist_head = (struct pe_list_entry *)0; + + if ((intptr_t)peb_ldr_data == 0) { + callback( + 0, + PE_CALLBACK_REASON_ERROR, + context); + return -1; + } + + ret = callback( + 0, + PE_CALLBACK_REASON_INIT, + context); + + if (ret <= 0) + return ret; + + switch (in_order_member_offset) { + case IN_LOAD_ORDER_MODULE_LIST_OFFSET: + plist_head = peb_ldr_data->in_load_order_module_list.flink; + break; + + case IN_MEMORY_ORDER_MODULE_LIST_OFFSET: + plist_head = peb_ldr_data->in_memory_order_module_list.flink; + break; + + case IN_INITIALIZATION_ORDER_MODULE_LIST_OFFSET: + plist_head = peb_ldr_data->in_init_order_module_list.flink; + break; + } + + plist_current = plist_head; + + do + { + peb_tbl_addr = (uintptr_t)plist_current - in_order_member_offset; + ldr_tbl_entry = (struct pe_ldr_tbl_entry *)peb_tbl_addr; + + ret = callback( + ldr_tbl_entry, + PE_CALLBACK_REASON_ITEM, + context); + + if (ret <= 0) + return ret; + else + plist_current = plist_current->flink; + + } while (plist_current != plist_head); + + ret = callback( + ldr_tbl_entry, + PE_CALLBACK_REASON_DONE, + context); + + return ret; +} + + +pe_api +int pe_enum_modules_in_load_order(pe_enum_modules_callback * fn, void * ctx) +{ + return pe_enum_modules(fn,IN_LOAD_ORDER_MODULE_LIST_OFFSET,ctx); +} + +pe_api +int pe_enum_modules_in_memory_order(pe_enum_modules_callback * fn, void * ctx) +{ + return pe_enum_modules(fn,IN_MEMORY_ORDER_MODULE_LIST_OFFSET,ctx); +} + +pe_api +int pe_enum_modules_in_init_order(pe_enum_modules_callback * fn, void * ctx) +{ + return pe_enum_modules(fn,IN_INITIALIZATION_ORDER_MODULE_LIST_OFFSET,ctx); +} diff --git a/src/modules/pe_get_kernel32_module_handle.c b/src/modules/pe_get_kernel32_module_handle.c new file mode 100644 index 0000000..9cd0c18 --- /dev/null +++ b/src/modules/pe_get_kernel32_module_handle.c @@ -0,0 +1,73 @@ +/*****************************************************************************/ +/* pemagination: a (virtual) tour into portable bits and executable bytes */ +/* Copyright (C) 2013,2014,2015 Z. Gilboa */ +/* Released under GPLv2 and GPLv3; see COPYING.PEMAGINE. */ +/*****************************************************************************/ + +#include <psxtypes/psxtypes.h> +#include <pemagine/pe_consts.h> +#include <pemagine/pe_structs.h> +#include <pemagine/pemagine.h> +#include "pe_impl.h" + +static int pe_get_kernel32_handle_callback( + struct pe_ldr_tbl_entry * ldr_tbl_entry, + enum pe_callback_reason reason, + void * context) +{ + #define KERNEL32_UTF16_STRLEN 24 + + int32_t kernel32_base_name_le[4]; + char * kernel32_base_name_ansi; + + intptr_t * addr; + char * ch; + size_t match; + + /* avoid scan-based false positives */ + kernel32_base_name_le[0] = 0x6E72656B; /* 'kern' */ + kernel32_base_name_le[1] = 0x32336C65; /* 'el32' */ + kernel32_base_name_le[2] = 0x6C6C642E; /* '.dll' */ + kernel32_base_name_le[3] = 0; + + kernel32_base_name_ansi = (char *)&kernel32_base_name_le; + + match = 0; + addr = (intptr_t *)context; + + if (reason == PE_CALLBACK_REASON_ITEM) + if (ldr_tbl_entry->base_dll_name.strlen == KERNEL32_UTF16_STRLEN) { + ch = (char *)ldr_tbl_entry->base_dll_name.buffer; + match = 0; + + while ((match < sizeof(kernel32_base_name_ansi)) + && ((*ch == kernel32_base_name_ansi[match]) + || (*ch == (kernel32_base_name_ansi[match] + 'A' - 'a'))) + && (*(ch + 1) == 0)) { + ch+=sizeof(uint16_t); + match++; + } + } + + if (match == sizeof(kernel32_base_name_ansi)) { + *addr = (intptr_t)ldr_tbl_entry->dll_base; + return 0; + } + else + return 1; +} + + +pe_api +void * pe_get_kernel32_module_handle(void) +{ + + intptr_t kernel32_base_addr = 0; + void * ptr_to_callback = &kernel32_base_addr; + + pe_enum_modules_in_init_order( + &pe_get_kernel32_handle_callback, + ptr_to_callback); + + return (void *)kernel32_base_addr; +} diff --git a/src/modules/pe_get_module_handle.c b/src/modules/pe_get_module_handle.c new file mode 100644 index 0000000..7677ba0 --- /dev/null +++ b/src/modules/pe_get_module_handle.c @@ -0,0 +1,80 @@ +/*****************************************************************************/ +/* pemagination: a (virtual) tour into portable bits and executable bytes */ +/* Copyright (C) 2013,2014,2015 Z. Gilboa */ +/* Released under GPLv2 and GPLv3; see COPYING.PEMAGINE. */ +/*****************************************************************************/ + +#include <psxtypes/psxtypes.h> +#include <pemagine/pe_consts.h> +#include <pemagine/pe_structs.h> +#include <pemagine/pemagine.h> +#include "pe_impl.h" + +pe_api +void * pe_get_first_module_handle(void) +{ + struct pe_peb_ldr_data * peb_ldr_data; + struct pe_list_entry * peb_list_entry; + intptr_t peb_tbl_addr; + struct pe_ldr_tbl_entry * peb_ldr_tbl_entry; + + peb_ldr_data = (struct pe_peb_ldr_data *)pe_get_peb_ldr_data_address(); + peb_list_entry = (struct pe_list_entry *)peb_ldr_data->in_load_order_module_list.flink; + peb_tbl_addr = (intptr_t)peb_list_entry - IN_LOAD_ORDER_MODULE_LIST_OFFSET; + peb_ldr_tbl_entry = (struct pe_ldr_tbl_entry *)peb_tbl_addr; + + return peb_ldr_tbl_entry->dll_base; +} + +pe_api +void * pe_get_module_handle(const wchar16_t * name) +{ + wchar16_t * src; + wchar16_t * dst; + + size_t match; + size_t len; + + struct pe_peb_ldr_data * peb_ldr_data; + struct pe_list_entry * plist_head; + + struct pe_list_entry * plist_current; + struct pe_ldr_tbl_entry * ldr_tbl_entry = 0; + + peb_ldr_data = (struct pe_peb_ldr_data *)pe_get_peb_ldr_data_address(); + plist_head = (struct pe_list_entry *)peb_ldr_data->in_load_order_module_list.flink; + plist_current = plist_head; + + len = pe_impl_strlen_utf16(name); + + do { + ldr_tbl_entry = (struct pe_ldr_tbl_entry *)plist_current - IN_LOAD_ORDER_MODULE_LIST_OFFSET; + + if (ldr_tbl_entry->base_dll_name.strlen == len) + dst = (wchar16_t *)ldr_tbl_entry->base_dll_name.buffer; + else if (ldr_tbl_entry->full_dll_name.strlen == len) + dst = (wchar16_t *)ldr_tbl_entry->full_dll_name.buffer; + else + dst = (wchar16_t *)0; + + if ((intptr_t)(dst)) { + src = (wchar16_t *)name; + match = 0; + + while ((match < len) + && ((pe_impl_utf16_char_to_lower(*src)) == (pe_impl_utf16_char_to_lower(*dst)))) { + src = (wchar16_t *)pe_va_from_rva(src,sizeof(wchar16_t)); + dst = (wchar16_t *)pe_va_from_rva(dst,sizeof(wchar16_t)); + match+=sizeof(wchar16_t); + } + + if (match == len) + return ldr_tbl_entry->dll_base; + } + + plist_current = plist_current->flink; + } while (plist_current != plist_head); + + /* address not found */ + return 0; +} diff --git a/src/modules/pe_get_ntdll_module_handle.c b/src/modules/pe_get_ntdll_module_handle.c new file mode 100644 index 0000000..72f81ec --- /dev/null +++ b/src/modules/pe_get_ntdll_module_handle.c @@ -0,0 +1,27 @@ +/*****************************************************************************/ +/* pemagination: a (virtual) tour into portable bits and executable bytes */ +/* Copyright (C) 2013,2014,2015 Z. Gilboa */ +/* Released under GPLv2 and GPLv3; see COPYING.PEMAGINE. */ +/*****************************************************************************/ + +#include <psxtypes/psxtypes.h> +#include <pemagine/pe_consts.h> +#include <pemagine/pe_structs.h> +#include <pemagine/pemagine.h> +#include "pe_impl.h" + +pe_api +void * pe_get_ntdll_module_handle(void) +{ + struct pe_peb_ldr_data * peb_ldr_data; + struct pe_list_entry * peb_list_entry; + intptr_t peb_tbl_addr; + struct pe_ldr_tbl_entry * peb_ldr_tbl_entry; + + peb_ldr_data = (struct pe_peb_ldr_data *)pe_get_peb_ldr_data_address(); + peb_list_entry = peb_ldr_data->in_init_order_module_list.flink; + peb_tbl_addr = (intptr_t)peb_list_entry - IN_INITIALIZATION_ORDER_MODULE_LIST_OFFSET; + peb_ldr_tbl_entry = (struct pe_ldr_tbl_entry *)peb_tbl_addr; + + return peb_ldr_tbl_entry->dll_base; +} |