x64dbg
/
TitanEngine
mirror of https://github.com/x64dbg/TitanEngine
1
0
Fork 0
Code Releases Activity

Fix PE header size check for values of e_lfanew >= 0x10000

This commit is contained in:
Mattiwatti 2020-01-21 19:37:40 +01:00 committed by Duncan Ogilvie
parent 247f643cac
commit 8e79163e4d
1 changed files with 20 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
TitanEngine/Global.Engine.cpp
View File

@ -794,32 +794,34 @@ bool EngineValidateResource(HMODULE hModule, LPCTSTR lpszType, LPTSTR lpszName,
bool EngineValidateHeader(ULONG_PTR FileMapVA, HANDLE hFileProc, LPVOID ImageBase, PIMAGE_DOS_HEADER DOSHeader, bool IsFile) bool EngineValidateHeader(ULONG_PTR FileMapVA, HANDLE hFileProc, LPVOID ImageBase, PIMAGE_DOS_HEADER DOSHeader, bool IsFile)
{ {
MODULEINFO ModuleInfo; MODULEINFO ModuleInfo;
DWORD MemorySize = NULL; DWORD PESize, MaxPESize;
PIMAGE_NT_HEADERS PEHeader; PIMAGE_NT_HEADERS PEHeader;
IMAGE_NT_HEADERS RemotePEHeader; IMAGE_NT_HEADERS RemotePEHeader;
MEMORY_BASIC_INFORMATION MemoryInfo = {0};
ULONG_PTR NumberOfBytesRW = NULL; ULONG_PTR NumberOfBytesRW = NULL;
if(IsFile) if(IsFile)
{ {
if(hFileProc == NULL) if(hFileProc == NULL)
{ {
//VirtualQueryEx(GetCurrentProcess(), (LPVOID)FileMapVA, &MemoryInfo, sizeof(MEMORY_BASIC_INFORMATION)); PESize = 0;
//VirtualQueryEx(GetCurrentProcess(), MemoryInfo.AllocationBase, &MemoryInfo, sizeof(MEMORY_BASIC_INFORMATION)); MaxPESize = ULONG_MAX;
MemorySize = 0x10000; // (DWORD)((ULONG_PTR)MemoryInfo.AllocationBase + (ULONG_PTR)MemoryInfo.RegionSize - (ULONG_PTR)FileMapVA);
} }
else else
{ {
MemorySize = GetFileSize(hFileProc, NULL); PESize = GetFileSize(hFileProc, NULL);
MaxPESize = PESize;
} }
__try __try
{ {
if(DOSHeader->e_magic == 0x5A4D) if(DOSHeader->e_magic == IMAGE_DOS_SIGNATURE)
{ {
if(DOSHeader->e_lfanew + sizeof(IMAGE_DOS_HEADER) + sizeof(IMAGE_NT_HEADERS) < MemorySize) DWORD LfaNew = DOSHeader->e_lfanew;
if((PESize == 0 || (LfaNew < PESize && LfaNew + sizeof(IMAGE_NT_SIGNATURE) + sizeof(IMAGE_FILE_HEADER) < PESize)) &&
MaxPESize != 0 &&
LfaNew < (MaxPESize - sizeof(IMAGE_NT_SIGNATURE) - sizeof(IMAGE_FILE_HEADER)))
{ {
PEHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); PEHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)DOSHeader + LfaNew);
return (PEHeader->Signature == 0x4550); return PEHeader->Signature == IMAGE_NT_SIGNATURE;
} }
} }
} }
@ -831,16 +833,19 @@ bool EngineValidateHeader(ULONG_PTR FileMapVA, HANDLE hFileProc, LPVOID ImageBas
{ {
RtlZeroMemory(&ModuleInfo, sizeof MODULEINFO); RtlZeroMemory(&ModuleInfo, sizeof MODULEINFO);
GetModuleInformation(hFileProc, (HMODULE)ImageBase, &ModuleInfo, sizeof(MODULEINFO)); GetModuleInformation(hFileProc, (HMODULE)ImageBase, &ModuleInfo, sizeof(MODULEINFO));
PESize = ModuleInfo.SizeOfImage;
__try __try
{ {
if(DOSHeader->e_magic == 0x5A4D) if(DOSHeader->e_magic == IMAGE_DOS_SIGNATURE)
{ {
if(DOSHeader->e_lfanew + sizeof(IMAGE_DOS_HEADER) + sizeof(IMAGE_NT_HEADERS) < ModuleInfo.SizeOfImage) DWORD LfaNew = DOSHeader->e_lfanew;
if((LfaNew < PESize && LfaNew + sizeof(IMAGE_NT_SIGNATURE) + sizeof(IMAGE_FILE_HEADER) < PESize) &&
LfaNew < (PESize - sizeof(IMAGE_NT_SIGNATURE) - sizeof(IMAGE_FILE_HEADER)))
{ {
if(ReadProcessMemory(hFileProc, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader, sizeof(IMAGE_NT_HEADERS), &NumberOfBytesRW)) if(ReadProcessMemory(hFileProc, (LPVOID)((ULONG_PTR)ImageBase + LfaNew), &RemotePEHeader, sizeof(IMAGE_NT_HEADERS), &NumberOfBytesRW))
{ {
PEHeader = (PIMAGE_NT_HEADERS)(&RemotePEHeader); PEHeader = (PIMAGE_NT_HEADERS)&RemotePEHeader;
return (PEHeader->Signature == 0x4550); return PEHeader->Signature == IMAGE_NT_SIGNATURE;
} }
} }
} }