From aabf3ee53f72735ea5c81fc44c7cf274fa043146 Mon Sep 17 00:00:00 2001 From: mrexodia Date: Sun, 10 Jan 2016 14:11:54 +0100 Subject: [PATCH] initial work on reading the section data --- GleeBug/GleeBug.h | 1 + GleeBug/Static.Pe.cpp | 46 +++++++++++++++++++++++++++++++++++++---- GleeBug/Static.Pe.h | 8 +++++-- GleeBug/Static.Region.h | 8 +++++++ MyDebugger/main.cpp | 8 +++++-- 5 files changed, 63 insertions(+), 8 deletions(-) diff --git a/GleeBug/GleeBug.h b/GleeBug/GleeBug.h index 17e4748..27d6969 100644 --- a/GleeBug/GleeBug.h +++ b/GleeBug/GleeBug.h @@ -9,6 +9,7 @@ #include #include #include +#include #include #include diff --git a/GleeBug/Static.Pe.cpp b/GleeBug/Static.Pe.cpp index c45691c..0739c90 100644 --- a/GleeBug/Static.Pe.cpp +++ b/GleeBug/Static.Pe.cpp @@ -21,9 +21,16 @@ namespace GleeBug mNtHeaders64.Clear(); mAfterOptionalData.Clear(); mSectionHeaders.Clear(); + mAfterSectionHeadersData.Clear(); mSections.clear(); } + const char* Pe::ErrorText(Error error) const + { + auto found = mErrorMap.find(error); + return found == mErrorMap.end() ? "" : found->second; + } + bool Pe::IsValidPe() const { return IsPe64() ? mNtHeaders64.Valid() : mNtHeaders32.Valid(); @@ -150,9 +157,11 @@ namespace GleeBug //read the section headers auto sectionCount = ifh->NumberOfSections; mSectionHeaders = readRegion(sectionCount); + if (!mSectionHeaders) + return ErrorSectionsRead; //parse the sections - auto sectionsError = parseSections(); + auto sectionsError = parseSections(sectionCount); if (sectionsError != ErrorOk) return sectionsError; @@ -160,10 +169,38 @@ namespace GleeBug return ErrorOk; } - Pe::Error Pe::parseSections() + Pe::Error Pe::parseSections(uint16 count) { - auto numberOfSections = mSectionHeaders.Count(); - //TODO: parse section data + if (count == 0) + return ErrorOk; + + auto sectionHeaders = GetSectionHeaders(); + struct SectionInfo + { + uint16 index; + PIMAGE_SECTION_HEADER header; + }; + + //sort sections on raw address to prevent read errors and have a contiguous buffer + std::vector sortedHeaders; + for (uint32 i = 0; i < count; i++) + sortedHeaders.push_back(SectionInfo{ i, sectionHeaders[i] }); + std::sort(sortedHeaders.begin(), sortedHeaders.end(), [](const SectionInfo & a, const SectionInfo & b) + { + return a.header->PointerToRawData < b.header->PointerToRawData; + }); + + //get after section headers data + auto firstRawAddress = sortedHeaders[0].header->PointerToRawData; + if (mOffset < firstRawAddress) + mAfterSectionHeadersData = readRegion(firstRawAddress - mOffset); + + //TODO: read the actual section data. + for (auto section : sortedHeaders) + { + + } + return ErrorOk; } @@ -198,5 +235,6 @@ namespace GleeBug mErrorMap.insert({ ErrorNtOptionalHeaderRead, "ErrorNtOptionalHeaderRead" }); mErrorMap.insert({ ErrorNtOptionalHeaderMagic, "ErrorNtOptionalHeaderMagic" }); mErrorMap.insert({ ErrorNtHeadersRegionSize, "ErrorNtHeadersRegionSize" }); + mErrorMap.insert({ ErrorSectionsRead, "ErrorSectionsRead" }); } }; \ No newline at end of file diff --git a/GleeBug/Static.Pe.h b/GleeBug/Static.Pe.h index 17c3d69..5153189 100644 --- a/GleeBug/Static.Pe.h +++ b/GleeBug/Static.Pe.h @@ -28,13 +28,15 @@ namespace GleeBug ErrorNtOptionalHeaderRead = 13, ErrorNtOptionalHeaderMagic = 14, ErrorNtHeadersRegionSize = 15, + ErrorSectionsRead = 16 }; explicit Pe(File & file); + void Clear(); + const char* ErrorText(Error error) const; bool IsValidPe() const; bool IsPe64() const; - void Clear(); Error Parse(bool allowOverlap = false); const Region & GetDosHeader() const { return mDosHeader; } @@ -44,10 +46,11 @@ namespace GleeBug const Region & GetNtHeaders64() const { return mNtHeaders64; } const Region & GetAfterOptionalData() const { return mAfterOptionalData; } const Region & GetSectionHeaders() const { return mSectionHeaders; } + const Region & GetAfterSectionHeadersData() const { return mAfterSectionHeadersData; } const std::vector
& GetSections() const { return mSections; } private: - Error parseSections(); + Error parseSections(uint16 count); uint32 readData(uint32 size); void setupErrorMap(); @@ -70,6 +73,7 @@ namespace GleeBug Region mNtHeaders64; Region mAfterOptionalData; Region mSectionHeaders; + Region mAfterSectionHeadersData; std::vector
mSections; }; }; diff --git a/GleeBug/Static.Region.h b/GleeBug/Static.Region.h index bca3b3b..f046fe9 100644 --- a/GleeBug/Static.Region.h +++ b/GleeBug/Static.Region.h @@ -117,6 +117,14 @@ namespace GleeBug return Data(); } + T* operator[](uint32 index) const + { + auto data = Data(); + if (!data || index >= mCount) + return nullptr; + return data + index; + } + protected: std::vector* mData; uint32 mOffset; diff --git a/MyDebugger/main.cpp b/MyDebugger/main.cpp index a32e97c..e34cfb5 100644 --- a/MyDebugger/main.cpp +++ b/MyDebugger/main.cpp @@ -105,9 +105,12 @@ static bool testPeFile(const wchar_t* szFileName, bool dumpData = true) printf(" RSize: %08X\n", cur->SizeOfRawData); printf(" RAddr: %08X\n", cur->PointerToRawData); } + + auto afterSectionHeadersData = pe.GetAfterSectionHeadersData(); + printRegion("After Section Headers Data", afterSectionHeadersData); } else - printf("Pe::Parse failed (%d)!\n", parseError); + printf("Pe::Parse failed (%s)!\n", pe.ErrorText(parseError)); } else puts("File::Read failed!"); @@ -138,7 +141,8 @@ static void testCorkami() int main() { - testCorkami(); + testPeFile(L"C:\\test64.exe"); + //testCorkami(); puts(""); system("pause"); return 0;