[Tigzy]

Hello

I have a newbie question.
I had a doubt about something :D

Let's assume we have a binary "binary.exe", with some address A on the physical disk.
then, we load this in memory, let's say at memory offset B.

Is it true to say the exported function F which can be found at B+addr_F can also be found on the disk at A+addr_F ?
Sorry if it's obvious for you, but I needed to clarify this

[rkhunter]

For PE files there are alignment of it sections on disk (raw) and in memory (virtual). These values specified in the PE-header. So, when PE-file stored at disk there are raw offsets correct, else if it in memory - virtual. Look MS PE and COFF Specification or Windows SDK - IMAGE_NT_HEADERS structure.
You need to parse export table?

[Tigzy]

You need to parse export table?

No. To be honest, I wonder if I can restore inline hooks in ntoskrnl.exe by looking at its physical image on the disk for the concerned function.

[everdox]

hey,

rkhunter covered it well. Check here for good documentation on the PE format:

http://msdn.microsoft.com/en-us/windows ... e/gg463119

when an image is mapped with SEC_IMAGE that format is followed, so where the first section in memory would generally be at header+0x1000, it could be at something like 0x400 within the actual harddisk image.

Also what you mentioned about reading into the harddisk image to overwrite possible hooks I have seen done before, but for other purposes. For instance a piece of malware that would want to evade a breakpoint at the actual location of ntdll!NtWriteVirtualMemory, it could read out the function's syscall index then create it's own wrapper for the call.

[Tigzy]

Thanks, will check this out ;)

[Tigzy]

Hello

I just read the documentation and began to code a PE parser.
I got the RVA address of Export / Import tables and sections (.text, .rsrc and so on), but it shows address larger that the size of my file on the disk :shock:

These address are used to find the sections on the disk image or in the object image?

[rkhunter]

I got the RVA address of Export / Import tables and sections (.text, .rsrc and so on), but it shows address larger that the size of my file on the disk :shock:

Probably you're doing something wrong...Show your code.

These address are used to find the sections on the disk image or in the object image?

What is "object image"?

[Tigzy]

Here's my code :

Code: Select all

// peInfo.cpp : définit le point d'entrée pour l'application console.
//

#include <stdio.h>
#include <tchar.h>
#include <Windows.h>

bool parseFile(TCHAR* filePath);
bool getDosHeader(FILE* f, PIMAGE_DOS_HEADER pDosHeader);
bool getNtHeaders(FILE* f, PIMAGE_NT_HEADERS pNtHeaders, LONG offset);
bool getSections(FILE* f, PIMAGE_SECTION_HEADER pSectionHeaders, int nbSections, LONG offset);

int _tmain(int argc, _TCHAR* argv[])
{
	//parseFile(L"C:\\Documents and Settings\\Tigzy\\Mes documents\\Visual Studio 2010\\Projects\\testSimple\\Debug\\testSimple.exe");
	parseFile(L"C:\\Tools\\ThreatBlaster\\Hook\\Hook\\Debug\\Hook.dll");
	//parseFile(L"C:\\windows\\system32\\ntoskrnl.exe");
	system("PAUSE");
	return 0;
}

bool parseFile(TCHAR* filePath)
{
	FILE *f;	
	BYTE NameSection[IMAGE_SIZEOF_SHORT_NAME+1];
	IMAGE_DOS_HEADER DosHeader;
	IMAGE_NT_HEADERS NtHeaders;
	PIMAGE_SECTION_HEADER pSectionHeaders;

	f = _tfopen(filePath, L"r");
	if (f != NULL)
	{
		// Get dos header
		if (!getDosHeader(f, &DosHeader))
			return false;

		// Get PE header
		if (!getNtHeaders(f, &NtHeaders, DosHeader.e_lfanew))
			return false;

		// allocate space for sections
		pSectionHeaders = (PIMAGE_SECTION_HEADER) malloc(sizeof(IMAGE_SECTION_HEADER) * NtHeaders.FileHeader.NumberOfSections);
		getSections(f, pSectionHeaders, NtHeaders.FileHeader.NumberOfSections, DosHeader.e_lfanew + sizeof(IMAGE_NT_HEADERS));
		for (int i = 0; i < NtHeaders.FileHeader.NumberOfSections ; i++)
		{
			memset(NameSection, '\0', IMAGE_SIZEOF_SHORT_NAME+1);
			memcpy(NameSection, pSectionHeaders[i].Name, IMAGE_SIZEOF_SHORT_NAME);

			printf ("%s : 0x%x\n", NameSection, pSectionHeaders[i].VirtualAddress);
		}
		free (pSectionHeaders);

		// Import table
		printf ("Import table : 0x%x -- %d\n", NtHeaders.OptionalHeader.DataDirectory[1].VirtualAddress, NtHeaders.OptionalHeader.DataDirectory[1].Size);

		// Export table
		printf ("Export table : 0x%x -- %d\n", NtHeaders.OptionalHeader.DataDirectory[0].VirtualAddress, NtHeaders.OptionalHeader.DataDirectory[0].Size);

		fclose (f);
		return true;
	}

	return false;
}

bool getDosHeader(FILE* f, PIMAGE_DOS_HEADER pDosHeader)
{	
	// beginning
	fseek(f, 0, SEEK_SET);

	// read
	fread(pDosHeader, sizeof(BYTE), sizeof(IMAGE_DOS_HEADER), f);

	// Is valid header
	if (pDosHeader->e_magic == IMAGE_DOS_SIGNATURE)
		return true;
	else return false;
}

bool getNtHeaders(FILE* f, PIMAGE_NT_HEADERS pNtHeaders, LONG offset)
{	
	// at offset getted from dos header
	fseek(f, offset, SEEK_SET);

	// read
	fread(pNtHeaders, sizeof(BYTE), sizeof(IMAGE_NT_HEADERS), f);

	// Is valid header
	if (pNtHeaders->Signature == IMAGE_NT_SIGNATURE)
		return true;
	else return false;
}

bool getSections(FILE* f, PIMAGE_SECTION_HEADER pSectionHeaders, int nbSections, LONG offset)
{	
	// at offset
	fseek(f, offset, SEEK_SET);

	// read
	fread(pSectionHeaders, sizeof(BYTE), sizeof(IMAGE_SECTION_HEADER) * nbSections, f);

	return true;
}

What I got:
Last line of the file : 0x63010

Capture.PNG (118.92 KiB) Viewed 436 times

What is "object image"?

I mean Image in RAM

[r2nwcnydc]

RVAs are the addresses in memory relative to the beginning of the image. If you are parsing the file from disk, you have to look at the raw address, which is the offset from the start of the flie. Download CFF Explorer, or something similar, and compare your results to what it outputs.

[Tigzy]

Yes, that's my first idea..
raw address are not part of structures?