Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-11 01:41:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

PE parser: added a feature to parse a PE directly from kernel memory

Browse Source 
Could be used in the future to resolve export instead of a
suspicious LoadLibrary("ntoskrnl.exe")
This commit is contained in:
Maxime Meignan
2023-11-03 16:13:13 +01:00
parent b7b17f8b51
commit bf749f54c7
2 changed files with 123 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files
EDRSandblast/Includes/PEParser.h
+8
View File
@@ -22,10 +22,17 @@ typedef struct PE_codeview_debug_info_t {
CHAR pdbName[1];
} PE_codeview_debug_info;
typedef VOID(*kernel_read_memory_func) (DWORD64 Address, PVOID Buffer, SIZE_T Size);
typedef struct PE_pointers {
BOOL isMemoryMapped;
BOOL isInAnotherAddressSpace;
HANDLE hProcess;
BOOL isInKernelLand;
kernel_read_memory_func kernel_read;
PVOID baseAddress;
//headers ptrs
IMAGE_DOS_HEADER* dosHeader;
@@ -49,6 +56,7 @@ typedef struct PE_pointers {
PE* PE_create(PVOID imageBase, BOOL isMemoryMapped);
PE* PE_create_from_another_address_space(HANDLE hProcess, PVOID imageBase);
PE* PE_create_from_kernel(PVOID imageBase, kernel_read_memory_func ReadPrimitive);
PVOID PE_RVA_to_Addr(PE* pe, DWORD rva);
DWORD PE_Addr_to_RVA(PE* pe, PVOID addr);
IMAGE_SECTION_HEADER* PE_sectionHeader_fromRVA(PE* pe, DWORD rva);