From 0dc4f0f11aa7db79280dbeaf5568d60b2b3368df Mon Sep 17 00:00:00 2001
From: Matt Nadareski
Date: Sat, 5 Nov 2022 22:34:33 -0700
Subject: [PATCH] Add PE load configuration directory; fix naming
---
 .../PortableExecutable/Enums.cs | 68 ++++
 .../PortableExecutable/Executable.cs | 3 +-
 .../LoadConfigurationDirectory.cs | 343 ++++++++++++++++++
 .../PortableExecutable/OptionalHeader.cs | 22 +-
 .../PortableExecutable/TLSDirectory.cs | 16 +-
 5 files changed, 430 insertions(+), 22 deletions(-)
 create mode 100644 BurnOutSharp.Models/PortableExecutable/LoadConfigurationDirectory.cs
diff --git a/BurnOutSharp.Models/PortableExecutable/Enums.cs b/BurnOutSharp.Models/PortableExecutable/Enums.cs
index 8cfc0652..9c09cbdd 100644
--- a/BurnOutSharp.Models/PortableExecutable/Enums.cs
+++ b/BurnOutSharp.Models/PortableExecutable/Enums.cs
@@ -449,6 +449,74 @@ namespace BurnOutSharp.Models.PortableExecutable
 IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT = 0x0001,
 }
+ [Flags]
+ public enum GuardFlags : uint
+ {
+ ///
+ /// Module performs control flow integrity checks using
+ system-supplied support.
+ ///
+ IMAGE_GUARD_CF_INSTRUMENTED = 0x00000100,
+
+ ///
+ /// Module performs control flow and write integrity checks.
+ ///
+ IMAGE_GUARD_CFW_INSTRUMENTED = 0x00000200,
+
+ ///
+ /// Module contains valid control flow target metadata.
+ ///
+ IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT = 0x00000400,
+
+ ///
+ /// Module does not make use of the /GS security cookie.
+ ///
+ IMAGE_GUARD_SECURITY_COOKIE_UNUSED = 0x00000800,
+
+ ///
+ /// Module supports read only delay load IAT.
+ ///
+ IMAGE_GUARD_PROTECT_DELAYLOAD_IAT = 0x00001000,
+
+ ///
+ /// Delayload import table in its own .didat section (with
+ nothing else in it) that can be freely reprotected.
+ ///
+ IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION = 0x00002000,
+
+ ///
+ /// Module contains suppressed export information. This also
+ infers that the address taken IAT table is also present
+ in the load config.
+ ///
+ IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT = 0x00004000,
+
+ ///
+ /// Module enables suppression of exports.
+ ///
+ IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION = 0x00008000,
+
+ ///
+ /// Module contains longjmp target information.
+ ///
+ IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT = 0x00010000,
+
+ ///
+ /// Mask for the subfield that contains the stride of Control
+ Flow Guard function table entries (that is, the additional
+ count of bytes per table entry).
+ ///
+ IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK = 0xF0000000,
+
+ ///
+ /// Additionally, the Windows SDK winnt.h header defines this
+ macro for the amount of bits to right-shift the GuardFlags
+ value to right-justify the Control Flow Guard function table
+ stride:
+ ///
+ IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT = 28,
+ }
+
 public enum ImportType : ushort
 {
 ///
diff --git a/BurnOutSharp.Models/PortableExecutable/Executable.cs b/BurnOutSharp.Models/PortableExecutable/Executable.cs
index b8d22d1d..a4797960 100644
--- a/BurnOutSharp.Models/PortableExecutable/Executable.cs
+++ b/BurnOutSharp.Models/PortableExecutable/Executable.cs
@@ -56,7 +56,7 @@ namespace BurnOutSharp.Models.PortableExecutable
 ///
 public DelayLoadDirectoryTableEntry[] DelayLoadDirectoryTable { get; set; }
- // TODO: Left off at "The Load Configuration Structure (Image Only)"
+ // TODO: Left off at "The .rsrc Section"
 // TODO: Implement and/or document the following non-modeled parts:
 // - Grouped Sections (Object Only)
@@ -81,6 +81,5 @@ namespace BurnOutSharp.Models.PortableExecutable
 // - Import Address Table
 // - The .pdata Section [Multiple formats per entry]
 // - TLS Callback Functions
- //
 }
 }
diff --git a/BurnOutSharp.Models/PortableExecutable/LoadConfigurationDirectory.cs b/BurnOutSharp.Models/PortableExecutable/LoadConfigurationDirectory.cs
new file mode 100644
index 00000000..44f5bfb1
--- /dev/null
+++ b/BurnOutSharp.Models/PortableExecutable/LoadConfigurationDirectory.cs
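Review bot: `IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT = 28` is a shift count, not a bit, yet it is declared as a member of a `[Flags]` enum next to the real bits, so `HasFlag` on it silently tests bits 0x1C and `ToString()` of any GuardFlags value with those low bits set prints the SHIFT name; `IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK` has the milder version of the same problem, being a four-bit field rather than a flag. These two matter to a parser because the function-table stride needed to walk GuardCFFunctionTable without misreading entries is `(uint)(flags & GuardFlags.IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> 28`, which is exactly what the current doc comment on SIZE_SHIFT trails off before saying (it ends in a dangling "stride:"). I would either move the shift out of the enum into a plain `const int` on a static holder, or keep it and finish the comment on both members along the lines of `/// Not a flag: a 4-bit field holding the extra bytes per function-table entry; stride = (flags & MASK) >> 28.` winnt.h also defines bits above IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT that this list omits (for example `IMAGE_GUARD_RF_INSTRUMENTED = 0x00020000` and `IMAGE_GUARD_EH_CONTINUATION_TABLE_PRESENT = 0x00400000`), so values from newer images will surface as raw numbers rather than names. The trailing context `public enum ImportType : ushort` continues outside the hunk.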
@@ -0,0 +1,343 @@ +namespace BurnOutSharp.Models.PortableExecutable +{ + /// + /// The data directory entry for a pre-reserved SEH load configuration + /// structure must specify a particular size of the load configuration + /// structure because the operating system loader always expects it to + /// be a certain value. In that regard, the size is really only a + /// version check. For compatibility with Windows XP and earlier versions + /// of Windows, the size must be 64 for x86 images. + /// + /// + public class LoadConfigurationDirectory + { + /// + /// Flags that indicate attributes of the file, currently unused. + /// + public uint Characteristics; + + /// + /// Date and time stamp value. The value is represented in the number of + /// seconds that have elapsed since midnight (00:00:00), January 1, 1970, + /// Universal Coordinated Time, according to the system clock. The time + /// stamp can be printed by using the C runtime (CRT) time function. + /// + public uint TimeDateStamp; + + /// + /// Major version number. + /// + public ushort MajorVersion; + + /// + /// Minor version number. + /// + public ushort MinorVersion; + + /// + /// The global loader flags to clear for this process as the loader starts + /// the process. + /// + public uint GlobalFlagsClear; + + /// + /// The global loader flags to set for this process as the loader starts + /// the process. + /// + public uint GlobalFlagsSet; + + /// + /// The default timeout value to use for this process's critical sections + /// that are abandoned. + /// + public uint CriticalSectionDefaultTimeout; + + #region DeCommitFreeBlockThreshold + + /// + /// Memory that must be freed before it is returned to the system, in bytes. + /// + public uint DeCommitFreeBlockThreshold_PE32; + + /// + /// Memory that must be freed before it is returned to the system, in bytes. 
+ /// + public ulong DeCommitFreeBlockThreshold_PE32Plus; + + #endregion + + #region DeCommitTotalFreeThreshold + + /// + /// Total amount of free memory, in bytes. + /// + public uint DeCommitTotalFreeThreshold_PE32; + + /// + /// Total amount of free memory, in bytes. + /// + public ulong DeCommitTotalFreeThreshold_PE32Plus; + + #endregion + + #region LockPrefixTable + + /// + /// [x86 only] The VA of a list of addresses where the LOCK prefix is used so + /// that they can be replaced with NOP on single processor machines. + /// + public uint LockPrefixTable_PE32; + + /// + /// [x86 only] The VA of a list of addresses where the LOCK prefix is used so + /// that they can be replaced with NOP on single processor machines. + /// + public ulong LockPrefixTable_PE32Plus; + + #endregion + + #region MaximumAllocationSize + + /// + /// Maximum allocation size, in bytes. + /// + public uint MaximumAllocationSize_PE32; + + /// + /// Maximum allocation size, in bytes. + /// + public ulong MaximumAllocationSize_PE32Plus; + + #endregion + + #region VirtualMemoryThreshold + + /// + /// Maximum virtual memory size, in bytes. + /// + public uint VirtualMemoryThreshold_PE32; + + /// + /// Maximum virtual memory size, in bytes. + /// + public ulong VirtualMemoryThreshold_PE32Plus; + + #endregion + + #region ProcessAffinityMask + + /// + /// Setting this field to a non-zero value is equivalent to calling + /// SetProcessAffinityMask with this value during process startup (.exe only) + /// + public uint ProcessAffinityMask_PE32; + + /// + /// Setting this field to a non-zero value is equivalent to calling + /// SetProcessAffinityMask with this value during process startup (.exe only) + /// + public ulong ProcessAffinityMask_PE32Plus; + + #endregion + + /// + /// Process heap flags that correspond to the first argument of the + /// HeapCreate function. These flags apply to the process heap that + /// is created during process startup. 
+ /// + public uint ProcessHeapFlags; + + /// + /// The service pack version identifier. + /// + public ushort CSDVersion; + + /// + /// Must be zero. + /// + public ushort Reserved; + + #region EditList + + /// + /// Reserved for use by the system. + /// + public uint EditList_PE32; + + /// + /// Reserved for use by the system. + /// + public ulong EditList_PE32Plus; + + #endregion + + #region SecurityCookie + + /// + /// A pointer to a cookie that is used by Visual C++ or GS implementation. + /// + public uint SecurityCookie_PE32; + + /// + /// A pointer to a cookie that is used by Visual C++ or GS implementation. + /// + public ulong SecurityCookie_PE32Plus; + + #endregion + + #region SEHandlerTable + + /// + /// [x86 only] The VA of the sorted table of RVAs of each valid, unique + /// SE handler in the image. + /// + public uint SEHandlerTable_PE32; + + /// + /// [x86 only] The VA of the sorted table of RVAs of each valid, unique + /// SE handler in the image. + /// + public ulong SEHandlerTable_PE32Plus; + + #endregion + + #region SEHandlerCount + + /// + /// [x86 only] The count of unique handlers in the table. + /// + public uint SEHandlerCount_PE32; + + /// + /// [x86 only] The count of unique handlers in the table. + /// + public ulong SEHandlerCount_PE32Plus; + + #endregion + + #region GuardCFCheckFunctionPointer + + /// + /// The VA where Control Flow Guard check-function pointer is stored. + /// + public uint GuardCFCheckFunctionPointer_PE32; + + /// + /// The VA where Control Flow Guard check-function pointer is stored. + /// + public ulong GuardCFCheckFunctionPointer_PE32Plus; + + #endregion + + #region GuardCFDispatchFunctionPointer + + /// + /// The VA where Control Flow Guard dispatch-function pointer is stored. + /// + public uint GuardCFDispatchFunctionPointer_PE32; + + /// + /// The VA where Control Flow Guard dispatch-function pointer is stored. 
+ /// + public ulong GuardCFDispatchFunctionPointer_PE32Plus; + + #endregion + + #region GuardCFFunctionTable + + /// + /// The VA of the sorted table of RVAs of each Control Flow Guard + /// function in the image. + /// + public uint GuardCFFunctionTable_PE32; + + /// + /// The VA of the sorted table of RVAs of each Control Flow Guard + /// function in the image. + /// + public ulong GuardCFFunctionTable_PE32Plus; + + #endregion + + #region GuardCFFunctionCount + + /// + /// The count of unique RVAs in the above table. + /// + public uint GuardCFFunctionCount_PE32; + + /// + /// The count of unique RVAs in the above table. + /// + public ulong GuardCFFunctionCount_PE32Plus; + + #endregion + + /// + /// Control Flow Guard related flags. + /// + public GuardFlags GuardFlags; + + /// + /// Code integrity information. + /// + /// 12 bytes + public byte[] CodeIntegrity; + + #region GuardAddressTakenIatEntryTable + + /// + /// The VA where Control Flow Guard address taken IAT table is stored. + /// + public uint GuardAddressTakenIatEntryTable_PE32; + + /// + /// The VA where Control Flow Guard address taken IAT table is stored. + /// + public ulong GuardAddressTakenIatEntryTable_PE32Plus; + + #endregion + + #region GuardAddressTakenIatEntryCount + + /// + /// The count of unique RVAs in the above table. + /// + public uint GuardAddressTakenIatEntryCount_PE32; + + /// + /// The count of unique RVAs in the above table. + /// + public ulong GuardAddressTakenIatEntryCount_PE32Plus; + + #endregion + + #region GuardLongJumpTargetTable + + /// + /// The VA where Control Flow Guard long jump target table is stored. + /// + public uint GuardLongJumpTargetTable_PE32; + + /// + /// The VA where Control Flow Guard long jump target table is stored. + /// + public ulong GuardLongJumpTargetTable_PE32Plus; + + #endregion + + #region GuardLongJumpTargetCount + + /// + /// The count of unique RVAs in the above table. 
+ ///
+ public uint GuardLongJumpTargetCount_PE32;
+
+ ///
+ /// The count of unique RVAs in the above table.
+ ///
+ public ulong GuardLongJumpTargetCount_PE32Plus;
+
+ #endregion
+ }
+}
diff --git a/BurnOutSharp.Models/PortableExecutable/OptionalHeader.cs b/BurnOutSharp.Models/PortableExecutable/OptionalHeader.cs
index a251fe5a..fdf4932a 100644
--- a/BurnOutSharp.Models/PortableExecutable/OptionalHeader.cs
+++ b/BurnOutSharp.Models/PortableExecutable/OptionalHeader.cs
@@ -103,8 +103,7 @@
 /// for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 2000,
 /// Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000.
 ///
- /// PE32
- public uint ImageBasePE32;
+ public uint ImageBase_PE32;
 ///
 /// The preferred address of the first byte of image when loaded into memory;
@@ -112,8 +111,7 @@
 /// for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 2000,
 /// Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000.
 ///
- /// PE32+
- public ulong ImageBasePE32Plus;
+ public ulong ImageBase_PE32Plus;
 #endregion
@@ -203,13 +201,13 @@
 /// The size of the stack to reserve. Only SizeOfStackCommit is committed; the rest
 /// is made available one page at a time until the reserve size is reached.
 ///
- public uint SizeOfStackReservePE32;
+ public uint SizeOfStackReserve_PE32;
 ///
 /// The size of the stack to reserve. Only SizeOfStackCommit is committed; the rest
 /// is made available one page at a time until the reserve size is reached.
 ///
- public ulong SizeOfStackReservePE32Plus;
+ public ulong SizeOfStackReserve_PE32Plus;
 #endregion
@@ -218,12 +216,12 @@
 ///
 /// The size of the stack to commit.
 ///
- public uint SizeOfStackCommitPE32;
+ public uint SizeOfStackCommit_PE32;
 ///
 /// The size of the stack to commit.
 ///
- public ulong SizeOfStackCommitPE32Plus;
+ public ulong SizeOfStackCommit_PE32Plus;
 #endregion
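Review bot: The class summary explains that the directory's size is effectively a version check, but nothing in the model records that size: the first dword is documented as `Characteristics` ("currently unused"), whereas winnt.h declares that same dword as `IMAGE_LOAD_CONFIG_DIRECTORY.Size`, and it is the only value that tells a reader which of the trailing fields (SecurityCookie onward, and in particular the GuardCF*, CodeIntegrity and GuardLongJump* members) actually exist in a given image. The summary's own 64-byte x86 case shows the structure can be far shorter than this class, so a parser that populates every field without consulting that dword would fill GuardCFFunctionTable and its count from bytes past the end of the directory and could then walk a bogus table. I would say this on the field, e.g. `/// In winnt.h this dword is IMAGE_LOAD_CONFIG_DIRECTORY.Size; fields beyond that many bytes are absent in the image and must be left unset.`, and add a remark on the class that each `_PE32`/`_PE32Plus` pair is an either/or selected by the optional-header magic (presumably, as the hunk does not show the reader). winnt.h also defines fields after GuardLongJumpTargetCount (DynamicValueRelocTable, the GuardRF* routines, GuardEHContinuationTable/Count), so the class should not be read as the complete structure. The class is fully contained in the hunk.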
@@ -234,14 +232,14 @@
 /// committed; the rest is made available one page at a time until the reserve
 /// size is reached.
 ///
- public uint SizeOfHeapReservePE32;
+ public uint SizeOfHeapReserve_PE32;
 ///
 /// The size of the local heap space to reserve. Only SizeOfHeapCommit is
 /// committed; the rest is made available one page at a time until the reserve
 /// size is reached.
 ///
- public ulong SizeOfHeapReservePE32Plus;
+ public ulong SizeOfHeapReserve_PE32Plus;
 #endregion
@@ -250,12 +248,12 @@
 ///
 /// The size of the local heap space to commit.
 ///
- public uint SizeOfHeapCommitPE32;
+ public uint SizeOfHeapCommit_PE32;
 ///
 /// The size of the local heap space to commit.
 ///
- public ulong SizeOfHeapCommitPE32Plus;
+ public ulong SizeOfHeapCommit_PE32Plus;
 #endregion
diff --git a/BurnOutSharp.Models/PortableExecutable/TLSDirectory.cs b/BurnOutSharp.Models/PortableExecutable/TLSDirectory.cs
index 354694f7..1e0883bc 100644
--- a/BurnOutSharp.Models/PortableExecutable/TLSDirectory.cs
+++ b/BurnOutSharp.Models/PortableExecutable/TLSDirectory.cs
@@ -12,7 +12,7 @@
 /// address is not an RVA; it is an address for which there should be a base
 /// relocation in the .reloc section.
 ///
- public uint RawDataStartVAPE32;
+ public uint RawDataStartVA_PE32;
 ///
 /// The starting address of the TLS template. The template is a block of data
@@ -21,7 +21,7 @@
 /// address is not an RVA; it is an address for which there should be a base
 /// relocation in the .reloc section.
 ///
- public ulong RawDataStartVAPE32Plus;
+ public ulong RawDataStartVA_PE32Plus;
 #endregion
@@ -31,13 +31,13 @@
 /// The address of the last byte of the TLS, except for the zero fill. As
 /// with the Raw Data Start VA field, this is a VA, not an RVA.
 ///
- public uint RawDataEndVAPE32;
+ public uint RawDataEndVA_PE32;
 ///
 /// The address of the last byte of the TLS, except for the zero fill. As
 /// with the Raw Data Start VA field, this is a VA, not an RVA.
 ///
- public ulong RawDataEndVAPE32Plus;
+ public ulong RawDataEndVA_PE32Plus;
 #endregion
@@ -48,14 +48,14 @@
 /// location is in an ordinary data section, so it can be given a symbolic
 /// name that is accessible to the program.
 ///
- public uint AddressOfIndexPE32;
+ public uint AddressOfIndex_PE32;
 ///
 /// The location to receive the TLS index, which the loader assigns. This
 /// location is in an ordinary data section, so it can be given a symbolic
 /// name that is accessible to the program.
 ///
- public ulong AddressOfIndexPE32Plus;
+ public ulong AddressOfIndex_PE32Plus;
 #endregion
@@ -66,14 +66,14 @@
 /// null-terminated, so if no callback function is supported, this field
 /// points to 4 bytes set to zero.
 ///
- public uint AddressOfCallbacksPE32;
+ public uint AddressOfCallbacks_PE32;
 ///
 /// The pointer to an array of TLS callback functions. The array is
 /// null-terminated, so if no callback function is supported, this field
 /// points to 4 bytes set to zero.
 ///
- public ulong AddressOfCallbacksPE32Plus;
+ public ulong AddressOfCallbacks_PE32Plus;
 #endregion