#include "pe_hdrs_helper.h"
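/// Locate the NT headers inside a raw PE image buffer.
///
/// Validates the DOS header signature, that e_lfanew is a non-negative
/// offset no larger than kMaxOffset, and the NT signature at that offset.
/// (The name keeps the historical spelling "hrds" because it is part of the
/// public interface declared in pe_hdrs_helper.h.)
///
/// @param pe_buffer  Start of the raw PE image (may be NULL).
/// @return Pointer to the IMAGE_NT_HEADERS inside pe_buffer (the 32- or
///         64-bit layout is decided by the caller via OptionalHeader.Magic),
///         or NULL when the buffer is NULL or any signature/offset check fails.
///
/// NOTE(review): no buffer length is passed, so this function cannot verify
/// that the buffer actually spans the headers it dereferences. kMaxOffset only
/// keeps the NT header read close to the start of the buffer; the caller must
/// ensure at least kMaxOffset + sizeof(IMAGE_NT_HEADERS32) bytes are readable
/// before handing untrusted data to this function.
BYTE* get_nt_hrds(const BYTE *pe_buffer)
{
    if (pe_buffer == NULL) return NULL;

    const IMAGE_DOS_HEADER *idh = reinterpret_cast<const IMAGE_DOS_HEADER*>(pe_buffer);
    if (idh->e_magic != IMAGE_DOS_SIGNATURE) {
        return NULL;
    }

    // e_lfanew is a signed LONG. A negative value passed the old
    // upper-bound-only check and produced a pointer before the start of
    // the buffer, so reject it explicitly along with offsets beyond kMaxOffset.
    const LONG kMaxOffset = 1024;
    const LONG pe_offset = idh->e_lfanew;
    if (pe_offset < 0 || pe_offset > kMaxOffset) return NULL;

    const IMAGE_NT_HEADERS32 *inh = reinterpret_cast<const IMAGE_NT_HEADERS32*>(pe_buffer + pe_offset);
    if (inh->Signature != IMAGE_NT_SIGNATURE) {
        return NULL;
    }
    // The public interface returns a mutable pointer into a const buffer;
    // const_cast preserves that existing contract rather than widening it.
    return const_cast<BYTE*>(pe_buffer + pe_offset);
}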
/// Return FileHeader.Machine (the target machine type) of a PE image.
///
/// @param pe_buffer  Start of the raw PE image (may be NULL).
/// @return FileHeader.Machine, or 0 when get_nt_hrds cannot locate the
///         NT headers (0 is also IMAGE_FILE_MACHINE_UNKNOWN).
WORD get_pe_architecture(const BYTE *pe_buffer)
{
    const BYTE* nt_hdr = get_nt_hrds(pe_buffer);
    if (!nt_hdr) {
        return 0;
    }
    // Only FileHeader is read here, so the 32-bit header view is sufficient
    // for both PE32 and PE32+ images (this mirrors the existing code).
    const IMAGE_NT_HEADERS32* inh = reinterpret_cast<const IMAGE_NT_HEADERS32*>(nt_hdr);
    return inh->FileHeader.Machine;
}
/// Return OptionalHeader.Magic of a PE image, which identifies the
/// optional-header layout (e.g. IMAGE_NT_OPTIONAL_HDR64_MAGIC for PE32+).
///
/// @param pe_buffer  Start of the raw PE image (may be NULL).
/// @return OptionalHeader.Magic, or 0 when get_nt_hrds cannot locate the
///         NT headers.
WORD get_nt_hdr_architecture(IN const BYTE *pe_buffer)
{
    const BYTE* nt_hdr = get_nt_hrds(pe_buffer);
    if (nt_hdr == NULL) {
        return 0;
    }
    // Magic is the first field of OptionalHeader, so the 32-bit view reads
    // it correctly for either layout (this mirrors the existing code).
    const IMAGE_NT_HEADERS32* inh = reinterpret_cast<const IMAGE_NT_HEADERS32*>(nt_hdr);
    return inh->OptionalHeader.Magic;
}
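/// Read the entry point RVA (OptionalHeader.AddressOfEntryPoint) of a PE image.
///
/// @param pe_buffer  Start of the raw PE image (may be NULL).
/// @return The AddressOfEntryPoint RVA, or 0 when the NT headers cannot be
///         located. 0 is also a legal (if unusual) RVA, so callers that need
///         to distinguish the two should check get_nt_hrds themselves.
DWORD get_entry_point_rva(const BYTE *pe_buffer)
{
    BYTE* nt_hdr = get_nt_hrds(pe_buffer);
    if (nt_hdr == NULL) {
        return 0;
    }
    // The optional-header layout is defined by OptionalHeader.Magic, not by
    // FileHeader.Machine, so select the struct to read through the same way
    // pe_is64bit does (the previous code keyed on Machine). Per the PE
    // specification AddressOfEntryPoint sits at the same offset in both
    // layouts, so the value read is unchanged for well-formed images; the
    // earlier widening cast to ULONGLONG was a no-op and has been dropped.
    const bool is64 = (get_nt_hdr_architecture(pe_buffer) == IMAGE_NT_OPTIONAL_HDR64_MAGIC);
    if (is64) {
        const IMAGE_NT_HEADERS64* hdr64 = reinterpret_cast<const IMAGE_NT_HEADERS64*>(nt_hdr);
        return hdr64->OptionalHeader.AddressOfEntryPoint;
    }
    const IMAGE_NT_HEADERS32* hdr32 = reinterpret_cast<const IMAGE_NT_HEADERS32*>(nt_hdr);
    return hdr32->OptionalHeader.AddressOfEntryPoint;
}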
/// True when the image's optional header uses the PE32+ (64-bit) layout.
///
/// @param pe_buffer  Start of the raw PE image (may be NULL).
/// @return true only if OptionalHeader.Magic equals
///         IMAGE_NT_OPTIONAL_HDR64_MAGIC; false for PE32 images and for
///         buffers whose NT headers cannot be located.
bool pe_is64bit(IN const BYTE *pe_buffer)
{
    return get_nt_hdr_architecture(pe_buffer) == IMAGE_NT_OPTIONAL_HDR64_MAGIC;
}