Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-11 01:41:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

added a PE_find_static_relative_reference function (not used yet)

Browse Source 
Function that can be used to find cross-references of a global variable
or a function
This commit is contained in:
Maxime Meignan
2022-08-22 17:22:46 +02:00
parent 1e8713cfb5
commit 4d2789b21b
3 changed files with 372 additions and 354 deletions
Download Patch File Download Diff File Expand all files Collapse all files
EDRSandblast/Includes/PEParser.h
+1 -1
View File
@@ -58,5 +58,5 @@ PVOID PE_functionAddr(PE* pe, LPCSTR functionName);
VOID PE_parseRelocations(PE* pe); VOID PE_parseRelocations(PE* pe);
VOID PE_rebasePE(PE* pe, LPVOID newBaseAddress); VOID PE_rebasePE(PE* pe, LPVOID newBaseAddress);
PVOID PE_search_pattern(PE* pe, PBYTE pattern, size_t patternSize); PVOID PE_search_pattern(PE* pe, PBYTE pattern, size_t patternSize);
PVOID PE_search_relative_reference(PE* pe, PVOID target, DWORD relativeReferenceSize); DWORD PE_find_static_relative_reference(PE* pe, DWORD targetRVA, DWORD relativeReferenceSize, DWORD fromRVA);
VOID PE_destroy(PE* pe); VOID PE_destroy(PE* pe);
EDRSandblast/Utils/PEParser.c
+43 -25
View File
@@ -356,60 +356,78 @@ PVOID PE_search_pattern(PE* pe, PBYTE pattern, size_t patternSize) {
return NULL; return NULL;
} }
PVOID PE_search_relative_reference(PE* pe, PVOID target, DWORD relativeReferenceSize) { /*
signed long long int maximum; * Look for an instruction that references address targetRVA relatively from its own address, starting the search at fromRVA.
signed long long int minimum; * Searches a 8, 16 or 32 bits relative displacement that points to targetRVA (on x86_84, 64-bits relative displacements do not exist)
* Returns the RVA of the reference (in the middle of the instruction)
*
* Example:
*
* PAGE:14084EA2B 45 33 FF xor r15d, r15d
* PAGE:14084EA2E 4C 8D 2D [6B DA 49 00] lea r13, PspCreateProcessNotifyRoutine ; array at address 140CEC4A0
* PAGE:14084EA35 4E 8D 24 FD 00 00 00 00 lea r12, ds:0[r15*8]
*
* At address 14084EA31 (14084EA2E+3), we find the DWORD 0x0049DA6B (see brackets), which is a displacement relative to the
* address of the next instruction (14084EA35). 0x0049DA6B + 0x14084EA35 being equal to 0x140CEC4A0, this is how the array
* PspCreateProcessNotifyRoutine is referenced by the lea instruction.
*/
DWORD PE_find_static_relative_reference(PE* pe, DWORD targetRVA, DWORD relativeReferenceSize, DWORD fromRVA) {
QWORD startRVA;
QWORD endRVA;
switch (relativeReferenceSize) switch (relativeReferenceSize)
{ {
case 1: case 1:
minimum = MININT8; startRVA = (QWORD)targetRVA - MAXINT8 - relativeReferenceSize;
maximum = MAXINT8; endRVA = (QWORD)targetRVA - MININT8 - relativeReferenceSize;
break; break;
case 2: case 2:
minimum = MININT16; startRVA = (QWORD)targetRVA - MAXINT16 - relativeReferenceSize;
maximum = MAXINT16; endRVA = (QWORD)targetRVA - MININT16 - relativeReferenceSize;
break; break;
case 4: case 4:
minimum = MININT32; startRVA = (QWORD)targetRVA - MAXINT32 - relativeReferenceSize;
maximum = MAXINT32; endRVA = (QWORD)targetRVA - MININT32 - relativeReferenceSize;
break; break;
default: default:
minimum = 0; return 0;
maximum = 0; }
break; if (startRVA > targetRVA) {
startRVA = 0;
}
if (startRVA < fromRVA) {
startRVA = fromRVA;
}
if (endRVA > MAXDWORD) {
endRVA = MAXDWORD;
} }
for (int i = 0; i < pe->ntHeader->FileHeader.NumberOfSections; i++) { for (int i = 0; i < pe->ntHeader->FileHeader.NumberOfSections; i++) {
DWORD sectionVA = pe->sectionHeaders[i].VirtualAddress; DWORD startRVA_inSection = pe->sectionHeaders[i].VirtualAddress;
DWORD sectionSize = pe->sectionHeaders[i].Misc.VirtualSize; startRVA_inSection = max(startRVA_inSection, (DWORD)startRVA);
DWORD targetRVA = PE_Addr_to_RVA(pe, target); DWORD endRVA_inSection = startRVA_inSection + pe->sectionHeaders[i].Misc.VirtualSize - relativeReferenceSize;
//TODO : implement optimization rva in range(targetRVA - maximum - relativeReferenceSize,targetRVA + minimum - relativeReferenceSize) inter range(sectionVA, sectionVA+sectionSize) endRVA_inSection = min(endRVA_inSection, (DWORD)endRVA);
for (DWORD rva = sectionVA; rva <= sectionVA + sectionSize - relativeReferenceSize; rva++) { for (DWORD rva = startRVA_inSection; rva <= endRVA_inSection; rva++) {
switch (relativeReferenceSize) { switch (relativeReferenceSize) {
case 1: case 1:
if (rva + relativeReferenceSize + *(INT8*)PE_RVA_to_Addr(pe, rva) == targetRVA) { if (rva + relativeReferenceSize + *(INT8*)PE_RVA_to_Addr(pe, rva) == targetRVA) {
return PE_RVA_to_Addr(pe, rva); return rva;
} }
break; break;
case 2: case 2:
if (rva + relativeReferenceSize + *(INT16*)PE_RVA_to_Addr(pe, rva) == targetRVA) { if (rva + relativeReferenceSize + *(INT16*)PE_RVA_to_Addr(pe, rva) == targetRVA) {
return PE_RVA_to_Addr(pe, rva); return rva;
} }
break; break;
case 4: case 4:
if (rva + relativeReferenceSize + *(INT32*)PE_RVA_to_Addr(pe, rva) == targetRVA) { if (rva + relativeReferenceSize + *(INT32*)PE_RVA_to_Addr(pe, rva) == targetRVA) {
return PE_RVA_to_Addr(pe, rva); return rva;
} }
break; break;
default:
minimum = 0;
maximum = 0;
break;
} }
} }
} }
return NULL; return 0;
} }
VOID PE_destroy(PE* pe) VOID PE_destroy(PE* pe)