Add PE load configuration directory; fix naming

Matt Nadareski
2022-11-05 22:34:33 -07:00
parent a1d7e65ffb
commit 0dc4f0f11a
5 changed files with 430 additions and 22 deletions


@@ -449,6 +449,74 @@ namespace BurnOutSharp.Models.PortableExecutable
IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT = 0x0001,
}
[Flags]
public enum GuardFlags : uint
{
/// <summary>
/// Module performs control flow integrity checks using
/// system-supplied support.
/// </summary>
IMAGE_GUARD_CF_INSTRUMENTED = 0x00000100,
/// <summary>
/// Module performs control flow and write integrity checks.
/// </summary>
IMAGE_GUARD_CFW_INSTRUMENTED = 0x00000200,
/// <summary>
/// Module contains valid control flow target metadata.
/// </summary>
IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT = 0x00000400,
/// <summary>
/// Module does not make use of the /GS security cookie.
/// </summary>
IMAGE_GUARD_SECURITY_COOKIE_UNUSED = 0x00000800,
/// <summary>
/// Module supports read only delay load IAT.
/// </summary>
IMAGE_GUARD_PROTECT_DELAYLOAD_IAT = 0x00001000,
/// <summary>
/// Delayload import table in its own .didat section (with
/// nothing else in it) that can be freely reprotected.
/// </summary>
IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION = 0x00002000,
/// <summary>
/// Module contains suppressed export information. This also
/// infers that the address taken IAT table is also present
/// in the load config.
/// </summary>
IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT = 0x00004000,
/// <summary>
/// Module enables suppression of exports.
/// </summary>
IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION = 0x00008000,
/// <summary>
/// Module contains longjmp target information.
/// </summary>
IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT = 0x00010000,
/// <summary>
/// Mask for the subfield that contains the stride of Control
/// Flow Guard function table entries (that is, the additional
/// count of bytes per table entry).
/// </summary>
IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK = 0xF0000000,
/// <summary>
/// Additionally, the Windows SDK winnt.h header defines this
/// macro for the amount of bits to right-shift the GuardFlags
/// value to right-justify the Control Flow Guard function table
/// stride:
/// </summary>
IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT = 28,
}
public enum ImportType : ushort
{
/// <summary>
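Review bot: `IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT = 28` is a shift count rather than a bit flag, yet it is declared as a member of the `[Flags]` enum `GuardFlags`. Its value 0x1C overlaps bits 2-4, so a `HasFlag` check or `ToString()` on a value read from an untrusted image could report it as if it were a set mitigation flag. I would move it out of the enum, for example `public const int IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT = 28;` in a constants class, and keep only the mask in `GuardFlags`. Its summary also ends on a dangling colon ("stride:") copied from the reference text; something like `/// Number of bits to right-shift GuardFlags to right-justify the function table stride.` reads as a complete sentence.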


@@ -56,7 +56,7 @@ namespace BurnOutSharp.Models.PortableExecutable
/// </summary>
public DelayLoadDirectoryTableEntry[] DelayLoadDirectoryTable { get; set; }
// TODO: Left off at "The Load Configuration Structure (Image Only)"
// TODO: Left off at "The .rsrc Section"
// TODO: Implement and/or document the following non-modeled parts:
// - Grouped Sections (Object Only)
@@ -81,6 +81,5 @@ namespace BurnOutSharp.Models.PortableExecutable
// - Import Address Table
// - The .pdata Section [Multiple formats per entry]
// - TLS Callback Functions
//
}
}


@@ -0,0 +1,343 @@
namespace BurnOutSharp.Models.PortableExecutable
{
/// <summary>
/// The data directory entry for a pre-reserved SEH load configuration
/// structure must specify a particular size of the load configuration
/// structure because the operating system loader always expects it to
/// be a certain value. In that regard, the size is really only a
/// version check. For compatibility with Windows XP and earlier versions
/// of Windows, the size must be 64 for x86 images.
/// </summary>
/// <see href="https://learn.microsoft.com/en-us/windows/win32/debug/pe-format"/>
public class LoadConfigurationDirectory
{
/// <summary>
/// Flags that indicate attributes of the file, currently unused.
/// </summary>
public uint Characteristics;
/// <summary>
/// Date and time stamp value. The value is represented in the number of
/// seconds that have elapsed since midnight (00:00:00), January 1, 1970,
/// Universal Coordinated Time, according to the system clock. The time
/// stamp can be printed by using the C runtime (CRT) time function.
/// </summary>
public uint TimeDateStamp;
/// <summary>
/// Major version number.
/// </summary>
public ushort MajorVersion;
/// <summary>
/// Minor version number.
/// </summary>
public ushort MinorVersion;
/// <summary>
/// The global loader flags to clear for this process as the loader starts
/// the process.
/// </summary>
public uint GlobalFlagsClear;
/// <summary>
/// The global loader flags to set for this process as the loader starts
/// the process.
/// </summary>
public uint GlobalFlagsSet;
/// <summary>
/// The default timeout value to use for this process's critical sections
/// that are abandoned.
/// </summary>
public uint CriticalSectionDefaultTimeout;
#region DeCommitFreeBlockThreshold
/// <summary>
/// Memory that must be freed before it is returned to the system, in bytes.
/// </summary>
public uint DeCommitFreeBlockThreshold_PE32;
/// <summary>
/// Memory that must be freed before it is returned to the system, in bytes.
/// </summary>
public ulong DeCommitFreeBlockThreshold_PE32Plus;
#endregion
#region DeCommitTotalFreeThreshold
/// <summary>
/// Total amount of free memory, in bytes.
/// </summary>
public uint DeCommitTotalFreeThreshold_PE32;
/// <summary>
/// Total amount of free memory, in bytes.
/// </summary>
public ulong DeCommitTotalFreeThreshold_PE32Plus;
#endregion
#region LockPrefixTable
/// <summary>
/// [x86 only] The VA of a list of addresses where the LOCK prefix is used so
/// that they can be replaced with NOP on single processor machines.
/// </summary>
public uint LockPrefixTable_PE32;
/// <summary>
/// [x86 only] The VA of a list of addresses where the LOCK prefix is used so
/// that they can be replaced with NOP on single processor machines.
/// </summary>
public ulong LockPrefixTable_PE32Plus;
#endregion
#region MaximumAllocationSize
/// <summary>
/// Maximum allocation size, in bytes.
/// </summary>
public uint MaximumAllocationSize_PE32;
/// <summary>
/// Maximum allocation size, in bytes.
/// </summary>
public ulong MaximumAllocationSize_PE32Plus;
#endregion
#region VirtualMemoryThreshold
/// <summary>
/// Maximum virtual memory size, in bytes.
/// </summary>
public uint VirtualMemoryThreshold_PE32;
/// <summary>
/// Maximum virtual memory size, in bytes.
/// </summary>
public ulong VirtualMemoryThreshold_PE32Plus;
#endregion
#region ProcessAffinityMask
/// <summary>
/// Setting this field to a non-zero value is equivalent to calling
/// SetProcessAffinityMask with this value during process startup (.exe only)
/// </summary>
public uint ProcessAffinityMask_PE32;
/// <summary>
/// Setting this field to a non-zero value is equivalent to calling
/// SetProcessAffinityMask with this value during process startup (.exe only)
/// </summary>
public ulong ProcessAffinityMask_PE32Plus;
#endregion
/// <summary>
/// Process heap flags that correspond to the first argument of the
/// HeapCreate function. These flags apply to the process heap that
/// is created during process startup.
/// </summary>
public uint ProcessHeapFlags;
/// <summary>
/// The service pack version identifier.
/// </summary>
public ushort CSDVersion;
/// <summary>
/// Must be zero.
/// </summary>
public ushort Reserved;
#region EditList
/// <summary>
/// Reserved for use by the system.
/// </summary>
public uint EditList_PE32;
/// <summary>
/// Reserved for use by the system.
/// </summary>
public ulong EditList_PE32Plus;
#endregion
#region SecurityCookie
/// <summary>
/// A pointer to a cookie that is used by Visual C++ or GS implementation.
/// </summary>
public uint SecurityCookie_PE32;
/// <summary>
/// A pointer to a cookie that is used by Visual C++ or GS implementation.
/// </summary>
public ulong SecurityCookie_PE32Plus;
#endregion
#region SEHandlerTable
/// <summary>
/// [x86 only] The VA of the sorted table of RVAs of each valid, unique
/// SE handler in the image.
/// </summary>
public uint SEHandlerTable_PE32;
/// <summary>
/// [x86 only] The VA of the sorted table of RVAs of each valid, unique
/// SE handler in the image.
/// </summary>
public ulong SEHandlerTable_PE32Plus;
#endregion
#region SEHandlerCount
/// <summary>
/// [x86 only] The count of unique handlers in the table.
/// </summary>
public uint SEHandlerCount_PE32;
/// <summary>
/// [x86 only] The count of unique handlers in the table.
/// </summary>
public ulong SEHandlerCount_PE32Plus;
#endregion
#region GuardCFCheckFunctionPointer
/// <summary>
/// The VA where Control Flow Guard check-function pointer is stored.
/// </summary>
public uint GuardCFCheckFunctionPointer_PE32;
/// <summary>
/// The VA where Control Flow Guard check-function pointer is stored.
/// </summary>
public ulong GuardCFCheckFunctionPointer_PE32Plus;
#endregion
#region GuardCFDispatchFunctionPointer
/// <summary>
/// The VA where Control Flow Guard dispatch-function pointer is stored.
/// </summary>
public uint GuardCFDispatchFunctionPointer_PE32;
/// <summary>
/// The VA where Control Flow Guard dispatch-function pointer is stored.
/// </summary>
public ulong GuardCFDispatchFunctionPointer_PE32Plus;
#endregion
#region GuardCFFunctionTable
/// <summary>
/// The VA of the sorted table of RVAs of each Control Flow Guard
/// function in the image.
/// </summary>
public uint GuardCFFunctionTable_PE32;
/// <summary>
/// The VA of the sorted table of RVAs of each Control Flow Guard
/// function in the image.
/// </summary>
public ulong GuardCFFunctionTable_PE32Plus;
#endregion
#region GuardCFFunctionCount
/// <summary>
/// The count of unique RVAs in the above table.
/// </summary>
public uint GuardCFFunctionCount_PE32;
/// <summary>
/// The count of unique RVAs in the above table.
/// </summary>
public ulong GuardCFFunctionCount_PE32Plus;
#endregion
/// <summary>
/// Control Flow Guard related flags.
/// </summary>
public GuardFlags GuardFlags;
/// <summary>
/// Code integrity information.
/// </summary>
/// <remarks>12 bytes</remarks>
public byte[] CodeIntegrity;
#region GuardAddressTakenIatEntryTable
/// <summary>
/// The VA where Control Flow Guard address taken IAT table is stored.
/// </summary>
public uint GuardAddressTakenIatEntryTable_PE32;
/// <summary>
/// The VA where Control Flow Guard address taken IAT table is stored.
/// </summary>
public ulong GuardAddressTakenIatEntryTable_PE32Plus;
#endregion
#region GuardAddressTakenIatEntryCount
/// <summary>
/// The count of unique RVAs in the above table.
/// </summary>
public uint GuardAddressTakenIatEntryCount_PE32;
/// <summary>
/// The count of unique RVAs in the above table.
/// </summary>
public ulong GuardAddressTakenIatEntryCount_PE32Plus;
#endregion
#region GuardLongJumpTargetTable
/// <summary>
/// The VA where Control Flow Guard long jump target table is stored.
/// </summary>
public uint GuardLongJumpTargetTable_PE32;
/// <summary>
/// The VA where Control Flow Guard long jump target table is stored.
/// </summary>
public ulong GuardLongJumpTargetTable_PE32Plus;
#endregion
#region GuardLongJumpTargetCount
/// <summary>
/// The count of unique RVAs in the above table.
/// </summary>
public uint GuardLongJumpTargetCount_PE32;
/// <summary>
/// The count of unique RVAs in the above table.
/// </summary>
public ulong GuardLongJumpTargetCount_PE32Plus;
#endregion
}
}
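Review bot: `LoadConfigurationDirectory` models every field as always present, but the class summary itself says the structure size acts as a version check and is 64 bytes for older x86 images. That means the later fields (the Guard* entries and `CodeIntegrity`) may not exist in a given file. The parser is not part of this page, but any reader that fills this model should bound its reads by the declared size of the directory rather than reading the full layout from attacker-controlled data. It would help to say so on the class, e.g. `/// <remarks>The structure is variable-length; fields beyond the declared size are absent and are left at their defaults.</remarks>`, and to note that `CodeIntegrity` can be null in that case. The first field is documented here as `Characteristics`; if I recall correctly, winnt.h uses that DWORD as the structure's `Size`, which is worth confirming and mentioning in its summary.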


@@ -103,8 +103,7 @@
/// for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 2000,
/// Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000.
/// </summary>
/// <remarks>PE32</remarks>
public uint ImageBasePE32;
public uint ImageBase_PE32;
/// <summary>
/// The preferred address of the first byte of image when loaded into memory;
@@ -112,8 +111,7 @@
/// for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 2000,
/// Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000.
/// </summary>
/// <remarks>PE32+</remarks>
public ulong ImageBasePE32Plus;
public ulong ImageBase_PE32Plus;
#endregion
@@ -203,13 +201,13 @@
/// The size of the stack to reserve. Only SizeOfStackCommit is committed; the rest
/// is made available one page at a time until the reserve size is reached.
/// </summary>
public uint SizeOfStackReservePE32;
public uint SizeOfStackReserve_PE32;
/// <summary>
/// The size of the stack to reserve. Only SizeOfStackCommit is committed; the rest
/// is made available one page at a time until the reserve size is reached.
/// </summary>
public ulong SizeOfStackReservePE32Plus;
public ulong SizeOfStackReserve_PE32Plus;
#endregion
@@ -218,12 +216,12 @@
/// <summary>
/// The size of the stack to commit.
/// </summary>
public uint SizeOfStackCommitPE32;
public uint SizeOfStackCommit_PE32;
/// <summary>
/// The size of the stack to commit.
/// </summary>
public ulong SizeOfStackCommitPE32Plus;
public ulong SizeOfStackCommit_PE32Plus;
#endregion
@@ -234,14 +232,14 @@
/// committed; the rest is made available one page at a time until the reserve
/// size is reached.
/// </summary>
public uint SizeOfHeapReservePE32;
public uint SizeOfHeapReserve_PE32;
/// <summary>
/// The size of the local heap space to reserve. Only SizeOfHeapCommit is
/// committed; the rest is made available one page at a time until the reserve
/// size is reached.
/// </summary>
public ulong SizeOfHeapReservePE32Plus;
public ulong SizeOfHeapReserve_PE32Plus;
#endregion
@@ -250,12 +248,12 @@
/// <summary>
/// The size of the local heap space to commit.
/// </summary>
public uint SizeOfHeapCommitPE32;
public uint SizeOfHeapCommit_PE32;
/// <summary>
/// The size of the local heap space to commit.
/// </summary>
public ulong SizeOfHeapCommitPE32Plus;
public ulong SizeOfHeapCommit_PE32Plus;
#endregion


@@ -12,7 +12,7 @@
/// address is not an RVA; it is an address for which there should be a base
/// relocation in the .reloc section.
/// </summary>
public uint RawDataStartVAPE32;
public uint RawDataStartVA_PE32;
/// <summary>
/// The starting address of the TLS template. The template is a block of data
@@ -21,7 +21,7 @@
/// address is not an RVA; it is an address for which there should be a base
/// relocation in the .reloc section.
/// </summary>
public ulong RawDataStartVAPE32Plus;
public ulong RawDataStartVA_PE32Plus;
#endregion
@@ -31,13 +31,13 @@
/// The address of the last byte of the TLS, except for the zero fill. As
/// with the Raw Data Start VA field, this is a VA, not an RVA.
/// </summary>
public uint RawDataEndVAPE32;
public uint RawDataEndVA_PE32;
/// <summary>
/// The address of the last byte of the TLS, except for the zero fill. As
/// with the Raw Data Start VA field, this is a VA, not an RVA.
/// </summary>
public ulong RawDataEndVAPE32Plus;
public ulong RawDataEndVA_PE32Plus;
#endregion
@@ -48,14 +48,14 @@
/// location is in an ordinary data section, so it can be given a symbolic
/// name that is accessible to the program.
/// </summary>
public uint AddressOfIndexPE32;
public uint AddressOfIndex_PE32;
/// <summary>
/// The location to receive the TLS index, which the loader assigns. This
/// location is in an ordinary data section, so it can be given a symbolic
/// name that is accessible to the program.
/// </summary>
public ulong AddressOfIndexPE32Plus;
public ulong AddressOfIndex_PE32Plus;
#endregion
@@ -66,14 +66,14 @@
/// null-terminated, so if no callback function is supported, this field
/// points to 4 bytes set to zero.
/// </summary>
public uint AddressOfCallbacksPE32;
public uint AddressOfCallbacks_PE32;
/// <summary>
/// The pointer to an array of TLS callback functions. The array is
/// null-terminated, so if no callback function is supported, this field
/// points to 4 bytes set to zero.
/// </summary>
public ulong AddressOfCallbacksPE32Plus;
public ulong AddressOfCallbacks_PE32Plus;
#endregion