From 7bbed5985bfba601e7abe948fbaf74ca399eacc7 Mon Sep 17 00:00:00 2001 From: Matt Nadareski Date: Thu, 26 Aug 2021 16:05:38 -0700 Subject: [PATCH] A little EVORE cleanup --- BurnOutSharp/Tools/EVORE.cs | 80 +++++++++++++------------------------ 1 file changed, 27 insertions(+), 53 deletions(-) diff --git a/BurnOutSharp/Tools/EVORE.cs b/BurnOutSharp/Tools/EVORE.cs index 0b757a24..ebb8a905 100644 --- a/BurnOutSharp/Tools/EVORE.cs +++ b/BurnOutSharp/Tools/EVORE.cs @@ -21,7 +21,6 @@ using System.Collections.Generic; using System.Diagnostics; using System.IO; using System.Linq; -using System.Runtime.InteropServices; using BurnOutSharp.ExecutableType.Microsoft; using BurnOutSharp.ExecutableType.Microsoft.Sections; using BurnOutSharp.ExecutableType.Microsoft.Tables; @@ -30,6 +29,30 @@ namespace BurnOutSharp.Tools { internal static class EVORE { + /// + /// Convert a virtual address to a physical one + /// + /// Virtual address to convert + /// Array of sections to check against + /// Physical address, 0 on error + internal static uint ConvertVirtualAddress(uint virtualAddress, IMAGE_SECTION_HEADER[] sections) + { + // Loop through all of the sections + for (int i = 0; i < sections.Length; i++) + { + // If the section is invalid, just skip it + if (sections[i] == null) + continue; + + // Attempt to derive the physical address from the current section + var section = sections[i]; + if (virtualAddress >= section.VirtualAddress && virtualAddress <= section.VirtualAddress + section.VirtualSize) + return section.PointerToRawData + virtualAddress - section.VirtualAddress; + } + + return 0; + } + /// /// Checks if the file contents represent a PE executable /// @@ -42,11 +65,8 @@ namespace BurnOutSharp.Tools try { - IMAGE_DOS_HEADER idh = IMAGE_DOS_HEADER.Deserialize(fileContent, 0); - IMAGE_FILE_HEADER ifh = IMAGE_FILE_HEADER.Deserialize(fileContent, idh.NewExeHeaderAddr); - - // Check if file is dll - return ifh.Characteristics.HasFlag(ImageObjectCharacteristics.IMAGE_FILE_DLL); + PEExecutable pex = PEExecutable.Deserialize(fileContent, 0); + return pex.COFFFileHeader.Characteristics.HasFlag(ImageObjectCharacteristics.IMAGE_FILE_DLL); } catch { @@ -174,7 +194,7 @@ namespace BurnOutSharp.Tools /// /// Executable to attempt to run /// Process representing the running executable, null on error - public static Process StartSafe(string file) + internal static Process StartSafe(string file) { if (file == null || !File.Exists(file)) return null; @@ -202,51 +222,5 @@ namespace BurnOutSharp.Tools return null; } } - - /// - /// Read all section headers from a PE executable - /// - /// Byte array representing the executable - /// Pointer to the location in the array to read from - /// An array of section headers, null on error - internal static IMAGE_SECTION_HEADER[] ReadSections(byte[] fileContent) - { - if (fileContent == null) - return null; - - try - { - PEExecutable pex = PEExecutable.Deserialize(fileContent, 0); - return pex.SectionHeaders; - } - catch - { - return null; - } - } - - /// - /// Convert a virtual address to a physical one - /// - /// Virtual address to convert - /// Array of sections to check against - /// Physical address, 0 on error - internal static uint ConvertVirtualAddress(uint virtualAddress, IMAGE_SECTION_HEADER[] sections) - { - // Loop through all of the sections - for (int i = 0; i < sections.Length; i++) - { - // If the section is invalid, just skip it - if (sections[i] == null) - continue; - - // Attempt to derive the physical address from the current section - var section = sections[i]; - if (virtualAddress >= section.VirtualAddress && virtualAddress <= section.VirtualAddress + section.VirtualSize) - return section.PointerToRawData + virtualAddress - section.VirtualAddress; - } - - return 0; - } } }