Bitdefender Hypervisor Memory Introspection
loader.c File Reference
#include "loader.h"
#include "drivers.h"
#include "winpe.h"


Functions

INTSTATUS IntLdrGetImageSizeAndEntryPoint (PBYTE RawPe, DWORD RawSize, DWORD *VirtualSize, DWORD *EntryPoint)
 Returns the entry point and the virtual size for the provided module.
 
static INTSTATUS IntLdrPreLoadImage (PBYTE RawImage, DWORD RawImageSize, PBYTE VirtualImage, DWORD VirtualImageSize, DWORD NumberOfSections, PIMAGE_SECTION_HEADER Sections)
 Pre-load the given raw PE image at the indicated virtual address.
 
static INTSTATUS IntLdrFixRelocations (PBYTE VirtualImage, DWORD VirtualImageSize, QWORD Delta, PIMAGE_DATA_DIRECTORY BaseRelocations)
 Parse the base relocations of the PE and apply them where needed.
 
static INTSTATUS IntLdrFixImports (PBYTE VirtualImage, DWORD VirtualImageSize, BOOLEAN Is64, PIMAGE_DATA_DIRECTORY ImportTable)
 Fix the imports of the provided PE image.
 
INTSTATUS IntLdrLoadPEImage (PBYTE RawPe, DWORD RawPeSize, QWORD GuestVirtualAddress, PBYTE LoadedPe, DWORD VirtualPeSize, DWORD Flags)
 Load the provided PE image at the provided guest virtual address, and return it in LoadedPe.
 

Function Documentation

◆ IntLdrFixImports()

static INTSTATUS IntLdrFixImports ( PBYTE VirtualImage,
                                    DWORD VirtualImageSize,
                                    BOOLEAN Is64,
                                    PIMAGE_DATA_DIRECTORY ImportTable
                                  )

Fix the imports of the provided PE image.

This function looks up, in guest memory, each module imported by the loaded PE image, locates each imported function, and fixes the IAT of the loaded image by storing the actual function pointer for every import. NOTE: the export directories of kernel modules are usually pageable, so this step may fail if the required export data is not present in physical memory at the time of the call.

Parameters
[in] VirtualImage      The pre-loaded memory image of the PE file.
[in] VirtualImageSize  The size of the memory image.
[in] Is64              True if the image is 64 bit.
[in] ImportTable       The imports data directory.
Return values
INT_STATUS_SUCCESS                 On success.
INT_STATUS_INVALID_PARAMETER       If an invalid parameter is supplied.
INT_STATUS_INVALID_OBJECT_TYPE     If the MZ/PE image is malformed in any way.
INT_STATUS_INSUFFICIENT_RESOURCES  If a memory allocation fails.

Definition at line 358 of file loader.c.

Referenced by IntLdrLoadPEImage().

◆ IntLdrFixRelocations()

static INTSTATUS IntLdrFixRelocations ( PBYTE VirtualImage,
                                        DWORD VirtualImageSize,
                                        QWORD Delta,
                                        PIMAGE_DATA_DIRECTORY BaseRelocations
                                      )

Parses the base relocation blocks of the pre-loaded PE image and adds Delta to each relocated address.

Parameters
[in] VirtualImage      The pre-loaded memory image of the PE file.
[in] VirtualImageSize  The size of the memory image.
[in] Delta             The delta value added to each relocated address (the actual load address minus the preferred ImageBase).
[in] BaseRelocations   The base relocations data directory.
Return values
INT_STATUS_SUCCESS              On success.
INT_STATUS_INVALID_PARAMETER    If an invalid parameter is supplied.
INT_STATUS_INVALID_OBJECT_TYPE  If the MZ/PE image is malformed in any way.

Definition at line 211 of file loader.c.

Referenced by IntLdrLoadPEImage().

◆ IntLdrGetImageSizeAndEntryPoint()

INTSTATUS IntLdrGetImageSizeAndEntryPoint ( PBYTE RawPe,
                                            DWORD RawSize,
                                            DWORD *VirtualSize,
                                            DWORD *EntryPoint
                                          )

Returns the entry point and the virtual size for the provided module.

This function returns the entry point and the virtual size (SizeOfImage) of the module. If a section named ENTRYP is present, the start of that section is used as the entry point instead of AddressOfEntryPoint from the optional header. The returned entry point is an RVA inside the module. NOTE: this function assumes that the PE at RawPe is fully read into memory.

Parameters
[in]  RawPe        The PE file contents.
[in]  RawSize      The PE raw size.
[out] VirtualSize  The virtual PE size (SizeOfImage).
[out] EntryPoint   An RVA to the PE entry point.
Return values
INT_STATUS_SUCCESS            On success.
INT_STATUS_INVALID_PARAMETER  If an invalid parameter is supplied.

Definition at line 11 of file loader.c.

Referenced by IntPtiInjectPtFilter(), IntVeInit(), IntWinAgentDeployWinDriver(), and IntWinAgentInject().

◆ IntLdrLoadPEImage()

INTSTATUS IntLdrLoadPEImage ( PBYTE  RawPe,
DWORD  RawPeSize,
QWORD  GuestVirtualAddress,
PBYTE  LoadedPe,
DWORD  VirtualPeSize,
DWORD  Flags 
)

Load the provided PE image at the provided guest virtual address, and return it in LoadedPe.

This function acts as a PE loader capable of loading a PE file from the Introcore memory address space into the guest memory address space. NOTE: for now only relocations and imports are processed (the basics needed to get the PE ready to run); forwarded exports, delay-load imports and bound imports are not handled.

Parameters
[in]  RawPe                A buffer that contains the raw PE image that must be "loaded" (disk image).
[in]  RawPeSize            Raw size of the PE to be loaded (disk size).
[in]  GuestVirtualAddress  Guest virtual address where the module will be loaded.
[out] LoadedPe             Will contain, upon exit, the fixed image.
[in]  VirtualPeSize        The size of the loaded image (SizeOfImage).
[in]  Flags                Indicates what fixups are required. Supported fixups are LDR_FLAG_FIX_RELOCATIONS and LDR_FLAG_FIX_IMPORTS.
Return values
INT_STATUS_SUCCESS              On success.
INT_STATUS_INVALID_PARAMETER    If an invalid parameter is supplied.
INT_STATUS_INVALID_OBJECT_TYPE  If the MZ/PE is malformed in any way.
INT_STATUS_NOT_SUPPORTED        If the PE does not match the guest OS architecture.

Definition at line 670 of file loader.c.

Referenced by IntPtiDeliverDriverForLoad(), IntVeDeliverDriverForLoad(), and IntWinAgentDeployWinDriver().

◆ IntLdrPreLoadImage()

static INTSTATUS IntLdrPreLoadImage ( PBYTE RawImage,
                                      DWORD RawImageSize,
                                      PBYTE VirtualImage,
                                      DWORD VirtualImageSize,
                                      DWORD NumberOfSections,
                                      PIMAGE_SECTION_HEADER Sections
                                    )

Pre-load the given raw PE image at the indicated virtual address.

This function pre-loads the image inside the new, virtual, final space. What it does is:

  • Initialize the entire virtual range with zeros;
  • Copy the headers (everything from the raw image, up until the first section) inside the loaded image;
  • Copy the sections from their raw location to their virtual location inside the loaded image, in the order in which they appear inside the section headers.

Basically, this function acts like the loader, in that it creates the image version of the PE file. It does not, however, apply relocations and it does not fix imports. Upon successful return, VirtualImage will contain the memory image of the provided PE file, as if it were loaded for execution.

Parameters
[in]  RawImage          The raw PE file contents (disk image).
[in]  RawImageSize      The raw PE file size (disk size).
[out] VirtualImage      A preallocated region of memory where the memory image of the PE will be stored.
[in]  VirtualImageSize  The size of the memory image (SizeOfImage).
[in]  NumberOfSections  The number of PE sections.
[in]  Sections          A pointer to the first PE section header.
Return values
INT_STATUS_SUCCESS              On success.
INT_STATUS_INVALID_PARAMETER    If an invalid parameter is supplied.
INT_STATUS_INVALID_OBJECT_TYPE  If the MZ/PE image is malformed in any way.

Definition at line 81 of file loader.c.

Referenced by IntLdrLoadPEImage().
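The raw-to-image path that IntLdrGetImageSizeAndEntryPoint, IntLdrPreLoadImage and IntLdrFixRelocations implement, as one runnable C example. This is an added illustration and not HVMI's loader.c: the ldr_* functions, the hand-written PE64 structure definitions and build_sample_pe() are this example's own, the sample PE is constructed in memory (a .text section holding an absolute pointer and its DIR64 relocation block, plus an ENTRYP section whose start overrides AddressOfEntryPoint), and imports are left out because fixing them needs the guest's export tables. Every offset the loader takes from the headers is bounds-checked against the buffer it came from before it drives a copy or a write, which is the part that matters when the raw PE is not trusted.

```c
#include <stdint.h>
#include <string.h>
/* Minimal PE64 layouts, assumed to mirror the Windows headers: only the fields used here are named. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } DOS_HDR;
typedef struct { uint32_t Signature; uint16_t Machine, NumberOfSections; uint8_t pad0[12]; uint16_t SizeOfOptionalHeader, pad1, Magic;
    uint8_t pad2[14]; uint32_t AddressOfEntryPoint, pad3; uint64_t ImageBase; uint32_t SectionAlignment, FileAlignment; uint8_t pad4[16];
    uint32_t SizeOfImage, SizeOfHeaders; uint8_t pad5[44]; uint32_t NumberOfRvaAndSizes; struct { uint32_t VirtualAddress, Size; } Dir[16]; } NT_HDRS64;
typedef struct { char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData; uint8_t rest[16]; } SECTION_HDR;
typedef struct { uint32_t VirtualAddress, SizeOfBlock; } BASE_RELOC;
#pragma pack(pop)

/* Locate the NT headers in a raw file or a mapped image (both begin with the DOS header), bounds-checking each
 * offset against `size` before it is dereferenced. Returns NULL for a malformed or truncated PE. */
static const NT_HDRS64 *pe_parse(const uint8_t *buf, uint32_t size)
{
    const DOS_HDR *dos = (const DOS_HDR *)buf;
    if (!buf || size < sizeof *dos || dos->e_magic != 0x5A4D) return NULL;
    uint64_t off = dos->e_lfanew;
    if (off + sizeof(NT_HDRS64) > size) return NULL;
    const NT_HDRS64 *nt = (const NT_HDRS64 *)(buf + off);
    if (nt->Signature != 0x4550 || nt->Magic != 0x20B || nt->SizeOfOptionalHeader != 240) return NULL;
    if (off + sizeof *nt + (uint64_t)nt->NumberOfSections * sizeof(SECTION_HDR) > size) return NULL;
    return nt;
}

/* As IntLdrGetImageSizeAndEntryPoint: SizeOfImage and the entry RVA; a section named ENTRYP overrides the header. */
int ldr_get_size_and_entry(const uint8_t *raw, uint32_t raw_size, uint32_t *size_of_image, uint32_t *entry_rva)
{
    const NT_HDRS64 *nt = pe_parse(raw, raw_size);
    if (!nt || !size_of_image || !entry_rva) return -1;
    *size_of_image = nt->SizeOfImage; *entry_rva = nt->AddressOfEntryPoint;
    for (const SECTION_HDR *s = (const SECTION_HDR *)(nt + 1), *e = s + nt->NumberOfSections; s < e; s++)
        if (!memcmp(s->Name, "ENTRYP\0\0", 8)) *entry_rva = s->VirtualAddress;  /* section table follows the headers */
    return 0;
}

/* As IntLdrPreLoadImage: zero the image, copy the headers, copy each section's raw bytes to its RVA in header
 * order. Both ranges are checked, so a section claiming raw data or an RVA past either buffer is rejected. */
int ldr_preload(const uint8_t *raw, uint32_t raw_size, uint8_t *img, uint32_t img_size)
{
    const NT_HDRS64 *nt = pe_parse(raw, raw_size);
    if (!nt || !img || nt->SizeOfImage > img_size || nt->SizeOfHeaders > raw_size || nt->SizeOfHeaders > img_size) return -1;
    memset(img, 0, img_size);
    memcpy(img, raw, nt->SizeOfHeaders);                               /* headers: everything before the first section */
    for (uint16_t i = 0; i < nt->NumberOfSections; i++) {
        const SECTION_HDR *s = (const SECTION_HDR *)(nt + 1) + i;
        uint32_t n = s->SizeOfRawData < s->VirtualSize ? s->SizeOfRawData : s->VirtualSize;   /* 0 for .bss-style */
        if ((uint64_t)s->PointerToRawData + n > raw_size || (uint64_t)s->VirtualAddress + n > img_size) return -1;
        memcpy(img + s->VirtualAddress, raw + s->PointerToRawData, n);
    }
    return 0;
}

/* As IntLdrFixRelocations: add `delta` (new base minus the header ImageBase) to every DIR64 target. Block sizes
 * and target RVAs are untrusted data read from the image, so each is validated before it steers a write. */
int ldr_fix_relocations(uint8_t *img, uint32_t img_size, uint64_t delta)
{
    const NT_HDRS64 *nt = pe_parse(img, img_size);
    if (!nt) return -1;
    if (delta == 0 || nt->NumberOfRvaAndSizes < 6 || nt->Dir[5].Size == 0) return 0;   /* Dir[5] = BASERELOC */
    uint64_t pos = nt->Dir[5].VirtualAddress, end = pos + nt->Dir[5].Size;
    if (end > img_size) return -1;
    while (pos + sizeof(BASE_RELOC) <= end) {
        const BASE_RELOC *blk = (const BASE_RELOC *)(img + pos);
        if (blk->SizeOfBlock < sizeof(BASE_RELOC) || pos + blk->SizeOfBlock > end) return -1;
        const uint16_t *ent = (const uint16_t *)(blk + 1);
        for (uint32_t i = 0; i < (blk->SizeOfBlock - sizeof(BASE_RELOC)) / 2; i++) {
            uint64_t v, rva = (uint64_t)blk->VirtualAddress + (ent[i] & 0xFFF);
            if ((ent[i] >> 12) == 0) continue;                          /* IMAGE_REL_BASED_ABSOLUTE: padding */
            if ((ent[i] >> 12) != 10 || rva + 8 > img_size) return -1;  /* only IMAGE_REL_BASED_DIR64 here */
            memcpy(&v, img + rva, 8); v += delta; memcpy(img + rva, &v, 8);
        }
        pos += blk->SizeOfBlock;
    }
    return 0;
}

/* Constructed sample PE64 (not a real driver): .text holds an absolute pointer plus the relocation block that
 * fixes it; ENTRYP holds a single `ret` so the entry-point override is visible. Returns the raw size, 0 if no room. */
uint32_t build_sample_pe(uint8_t *raw, uint32_t cap)
{
    if (cap < 0x600) return 0;
    memset(raw, 0, 0x600); ((DOS_HDR *)raw)->e_magic = 0x5A4D; ((DOS_HDR *)raw)->e_lfanew = 0x40;
    NT_HDRS64 *nt = (NT_HDRS64 *)(raw + 0x40);
    nt->Signature = 0x4550; nt->Machine = 0x8664; nt->NumberOfSections = 2; nt->SizeOfOptionalHeader = 240;
    nt->Magic = 0x20B; nt->ImageBase = 0x140000000ULL; nt->SectionAlignment = 0x1000; nt->FileAlignment = 0x200;
    nt->SizeOfImage = 0x3000; nt->SizeOfHeaders = 0x200; nt->AddressOfEntryPoint = 0x1000; nt->NumberOfRvaAndSizes = 16;
    nt->Dir[5].VirtualAddress = 0x1010; nt->Dir[5].Size = 12;             /* relocation block lives inside .text */
    SECTION_HDR *s = (SECTION_HDR *)(nt + 1); s[0].SizeOfRawData = s[1].SizeOfRawData = 0x200;
    memcpy(s[0].Name, ".text", 5);  s[0].VirtualAddress = 0x1000; s[0].PointerToRawData = 0x200; s[0].VirtualSize = 0x20;
    memcpy(s[1].Name, "ENTRYP", 6); s[1].VirtualAddress = 0x2000; s[1].PointerToRawData = 0x400; s[1].VirtualSize = 0x10;
    uint64_t ptr = nt->ImageBase + 0x1008; memcpy(raw + 0x200, &ptr, 8);   /* .text+0: absolute pointer, needs fixup */
    BASE_RELOC *blk = (BASE_RELOC *)(raw + 0x210); blk->VirtualAddress = 0x1000; blk->SizeOfBlock = 12;
    uint16_t ents[2] = { 10u << 12, 0 }; memcpy(blk + 1, ents, 4);         /* DIR64 at +0, then ABSOLUTE padding */
    raw[0x400] = 0xC3;                                                      /* ENTRYP+0: ret */
    return 0x600;
}
```

Call build_sample_pe(), ldr_get_size_and_entry(), ldr_preload() and ldr_fix_relocations() in that order, with delta computed as the target guest virtual address minus the header's ImageBase, the way IntLdrLoadPEImage chains the real steps. The entry RVA comes back as 0x2000 (ENTRYP) rather than the header's 0x1000, the pointer at RVA 0x1000 reads GuestVirtualAddress + 0x1008 after the fixup, a raw buffer shorter than the sections it describes is refused by the pre-load step, and a relocation entry whose target lands within 8 bytes of the end of the image is refused rather than written.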