mirror-ac/driver/pe.c

#include "pe.h"

#include "lib/stdlib.h"

PNT_HEADER_64
PeGetNtHeaderSafe(_In_ PVOID Image)
{
    PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)Image;

    if (!MmIsAddressValid(Image))
        return NULL;

    if (dos->e_magic != IMAGE_DOS_SIGNATURE)
        return NULL;

    return RVA(PNT_HEADER_64, Image, dos->e_lfanew);
}

PNT_HEADER_64
PeGetNtHeader(_In_ PVOID Image)
{
    PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)Image;

    if (dos->e_magic != IMAGE_DOS_SIGNATURE)
        return NULL;

    return RVA(PNT_HEADER_64, Image, dos->e_lfanew);
}

PIMAGE_DATA_DIRECTORY
PeGetExportDataDirectory(_In_ PVOID Image)
{
    PNT_HEADER_64 nt = PeGetNtHeader(Image);

    if (IMAGE_DIRECTORY_ENTRY_EXPORT >= nt->OptionalHeader.NumberOfRvaAndSizes)
        return NULL;

    return (PIMAGE_DATA_DIRECTORY)&nt->OptionalHeader
        .DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
}

PIMAGE_DATA_DIRECTORY
PeGetExportDataDirectorySafe(_In_ PVOID Image)
{
    PNT_HEADER_64 nt = PeGetNtHeader(Image);

    if (!MmIsAddressValid(Image))
        return NULL;

    if (IMAGE_DIRECTORY_ENTRY_EXPORT >= nt->OptionalHeader.NumberOfRvaAndSizes)
        return NULL;

    return (PIMAGE_DATA_DIRECTORY)&nt->OptionalHeader
        .DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
}

PIMAGE_EXPORT_DIRECTORY
PeGetExportDirectory(
    _In_ PVOID Image, _In_ PIMAGE_DATA_DIRECTORY ExportDataDirectory)
{
    if (!ExportDataDirectory->VirtualAddress || !ExportDataDirectory->Size)
        return NULL;

    return RVA(
        PIMAGE_EXPORT_DIRECTORY,
        Image,
        ExportDataDirectory->VirtualAddress);
}

PIMAGE_EXPORT_DIRECTORY
PeGetExportDirectorySafe(
    _In_ PVOID Image, _In_ PIMAGE_DATA_DIRECTORY ExportDataDirectory)
{
    if (!MmIsAddressValid(Image))
        return NULL;

    if (!ExportDataDirectory->VirtualAddress || !ExportDataDirectory->Size)
        return NULL;

    return RVA(
        PIMAGE_EXPORT_DIRECTORY,
        Image,
        ExportDataDirectory->VirtualAddress);
}

UINT32
GetSectionCount(_In_ PNT_HEADER_64 Header)
{
    return Header->FileHeader.NumberOfSections;
}

UINT32
GetSectionCountSafe(_In_ PNT_HEADER_64 Header)
{
    if (!MmIsAddressValid(Header))
        return NULL;

    return Header->FileHeader.NumberOfSections;
}

PVOID
PeFindExportByName(_In_ PVOID Image, _In_ PCHAR Name)
{
    ANSI_STRING target = {0};
    PNT_HEADER_64 nt = NULL;
    PIMAGE_DATA_DIRECTORY data = NULL;
    PIMAGE_EXPORT_DIRECTORY export = NULL;

    RtlInitAnsiString(&target, Name);

    nt = PeGetNtHeader(Image);

    if (!nt)
        return NULL;

    data = PeGetExportDataDirectory(Image);

    if (!data)
        return NULL;

    export = PeGetExportDirectory(Image, data);

    if (!export)
        return NULL;

    PUINT32 functions = RVA(PUINT32, Image, export->AddressOfFunctions);
    PUINT32 names = RVA(PUINT32, Image, export->AddressOfNames);
    PUINT16 ordinals = RVA(PUINT16, Image, export->AddressOfNameOrdinals);

    for (UINT32 index = 0; index < export->NumberOfNames; index++) {
        PCHAR export = RVA(PCHAR, Image, names[index]);
        if (!IntCompareString(Name, export))
            return RVA(PVOID, Image, functions[ordinals[index]]);
    }

    return NULL;
}
integrate some new stuff [wip] (#9) 2024-05-04 17:43:01 +02:00			`#include "pe.h"`

internal c lib 2024-07-22 12:43:09 +02:00			`#include "lib/stdlib.h"`

internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`PNT_HEADER_64`
			`PeGetNtHeaderSafe(_In_ PVOID Image)`
			`{`
			`PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)Image;`

			`if (!MmIsAddressValid(Image))`
			`return NULL;`

			`if (dos->e_magic != IMAGE_DOS_SIGNATURE)`
			`return NULL;`

some code cleaning 2024-07-19 16:27:50 +02:00			`return RVA(PNT_HEADER_64, Image, dos->e_lfanew);`
internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`}`

integrate some new stuff [wip] (#9) 2024-05-04 17:43:01 +02:00			`PNT_HEADER_64`
			`PeGetNtHeader(_In_ PVOID Image)`
			`{`
			`PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)Image;`

			`if (dos->e_magic != IMAGE_DOS_SIGNATURE)`
			`return NULL;`

some code cleaning 2024-07-19 16:27:50 +02:00			`return RVA(PNT_HEADER_64, Image, dos->e_lfanew);`
integrate some new stuff [wip] (#9) 2024-05-04 17:43:01 +02:00			`}`

			`PIMAGE_DATA_DIRECTORY`
			`PeGetExportDataDirectory(_In_ PVOID Image)`
			`{`
			`PNT_HEADER_64 nt = PeGetNtHeader(Image);`

			`if (IMAGE_DIRECTORY_ENTRY_EXPORT >= nt->OptionalHeader.NumberOfRvaAndSizes)`
			`return NULL;`

			`return (PIMAGE_DATA_DIRECTORY)&nt->OptionalHeader`
			`.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];`
			`}`

internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`PIMAGE_DATA_DIRECTORY`
			`PeGetExportDataDirectorySafe(_In_ PVOID Image)`
			`{`
			`PNT_HEADER_64 nt = PeGetNtHeader(Image);`

			`if (!MmIsAddressValid(Image))`
			`return NULL;`

			`if (IMAGE_DIRECTORY_ENTRY_EXPORT >= nt->OptionalHeader.NumberOfRvaAndSizes)`
			`return NULL;`

			`return (PIMAGE_DATA_DIRECTORY)&nt->OptionalHeader`
			`.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];`
			`}`

integrate some new stuff [wip] (#9) 2024-05-04 17:43:01 +02:00			`PIMAGE_EXPORT_DIRECTORY`
format 2024-08-01 06:21:53 +02:00			`PeGetExportDirectory(`
			`_In_ PVOID Image, _In_ PIMAGE_DATA_DIRECTORY ExportDataDirectory)`
integrate some new stuff [wip] (#9) 2024-05-04 17:43:01 +02:00			`{`
			`if (!ExportDataDirectory->VirtualAddress \|\| !ExportDataDirectory->Size)`
			`return NULL;`

some code cleaning 2024-07-19 16:27:50 +02:00			`return RVA(`
format 2024-08-01 06:21:53 +02:00			`PIMAGE_EXPORT_DIRECTORY,`
			`Image,`
			`ExportDataDirectory->VirtualAddress);`
integrate some new stuff [wip] (#9) 2024-05-04 17:43:01 +02:00			`}`

internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`PIMAGE_EXPORT_DIRECTORY`
format 2024-08-01 06:21:53 +02:00			`PeGetExportDirectorySafe(`
			`_In_ PVOID Image, _In_ PIMAGE_DATA_DIRECTORY ExportDataDirectory)`
internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`{`
			`if (!MmIsAddressValid(Image))`
			`return NULL;`

			`if (!ExportDataDirectory->VirtualAddress \|\| !ExportDataDirectory->Size)`
			`return NULL;`

some code cleaning 2024-07-19 16:27:50 +02:00			`return RVA(`
format 2024-08-01 06:21:53 +02:00			`PIMAGE_EXPORT_DIRECTORY,`
			`Image,`
			`ExportDataDirectory->VirtualAddress);`
internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`}`

refactor some more 2024-05-05 15:20:35 +02:00			`UINT32`
			`GetSectionCount(_In_ PNT_HEADER_64 Header)`
			`{`
			`return Header->FileHeader.NumberOfSections;`
			`}`

internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`UINT32`
			`GetSectionCountSafe(_In_ PNT_HEADER_64 Header)`
			`{`
			`if (!MmIsAddressValid(Header))`
			`return NULL;`

			`return Header->FileHeader.NumberOfSections;`
			`}`

integrate some new stuff [wip] (#9) 2024-05-04 17:43:01 +02:00			`PVOID`
			`PeFindExportByName(_In_ PVOID Image, _In_ PCHAR Name)`
			`{`
format 2024-08-01 06:21:53 +02:00			`ANSI_STRING target = {0};`
			`PNT_HEADER_64 nt = NULL;`
			`PIMAGE_DATA_DIRECTORY data = NULL;`
integrate some new stuff [wip] (#9) 2024-05-04 17:43:01 +02:00			`PIMAGE_EXPORT_DIRECTORY export = NULL;`

			`RtlInitAnsiString(&target, Name);`

			`nt = PeGetNtHeader(Image);`

			`if (!nt)`
			`return NULL;`

			`data = PeGetExportDataDirectory(Image);`

			`if (!data)`
			`return NULL;`

			`export = PeGetExportDirectory(Image, data);`

			`if (!export)`
			`return NULL;`

format 2024-08-01 06:21:53 +02:00			`PUINT32 functions = RVA(PUINT32, Image, export->AddressOfFunctions);`
			`PUINT32 names = RVA(PUINT32, Image, export->AddressOfNames);`
			`PUINT16 ordinals = RVA(PUINT16, Image, export->AddressOfNameOrdinals);`
integrate some new stuff [wip] (#9) 2024-05-04 17:43:01 +02:00
			`for (UINT32 index = 0; index < export->NumberOfNames; index++) {`
some code cleaning 2024-07-19 16:27:50 +02:00			`PCHAR export = RVA(PCHAR, Image, names[index]);`
internal c lib 2024-07-22 12:43:09 +02:00			`if (!IntCompareString(Name, export))`
format 2024-08-01 06:21:53 +02:00			`return RVA(PVOID, Image, functions[ordinals[index]]);`
integrate some new stuff [wip] (#9) 2024-05-04 17:43:01 +02:00			`}`

			`return NULL;`
			`}`