#include "winpe.h"
#include "decoder.h"
#include "introcpu.h"
#include "guests.h"

Data Structures
struct	_OPTIONAL_HEADER_INFO
	Structure describing relevant fields extracted from the optional header. More...

Macros
#define	MAX_NUMBER_OF_EXPORT_NAMES 65535ul
	We won't consider a valid image if it has more than MAX_NUMBER_OF_EXPORT_NAMES names. More...

#define	MAX_UNWIND_INFO_TRIES 512
	The maximum number of iterations done while parsing unwind data. More...

#define	MAX_SIZE_OF_IMAGE (2 * ONE_GIGABYTE)

#define	MAX_UNWIND_CODES 50
	Maximum number of unwind codes to check. More...

Typedefs
typedef struct _OPTIONAL_HEADER_INFO	OPTIONAL_HEADER_INFO
	Structure describing relevant fields extracted from the optional header. More...

typedef struct _OPTIONAL_HEADER_INFO *	POPTIONAL_HEADER_INFO

Functions
static INTSTATUS	IntPeValidateOptionalHeader (void OptionalHeader, DWORD SizeOfOptionalHeader, OPTIONAL_HEADER_INFO Info)
	Validates and extracts info about the optional header. More...

INTSTATUS	IntPeValidateHeader (QWORD ImageBase, BYTE ImageBaseBuffer, DWORD ImageBaseBufferSize, INTRO_PE_INFO PeInfo, QWORD Cr3)
	Validates a PE header. More...

INTSTATUS	IntPeListSectionsHeaders (QWORD ImageBase, BYTE ImageBuffer, DWORD ImageBufferSize, DWORD FirstSectionOffset, DWORD *SectionCount)
	Will get the offset to the first section header and the number of sections from the given module. More...

INTSTATUS	IntPeGetDirectory (QWORD ImageBase, BYTE ImageBaseBuffer, DWORD DirectoryEntry, IMAGE_DATA_DIRECTORY Directory)
	Validate & return the indicated image data directory. More...

INTSTATUS	IntPeGetSectionHeaderByRva (QWORD ImageBase, BYTE ImageBaseBuffer, DWORD GuestRva, IMAGE_SECTION_HEADER SectionHeader)
	Given a relative virtual address, return the section header which describes the section the RVA lies in. More...

INTSTATUS	IntPeGetSectionHeaderByIndex (QWORD ImageBase, BYTE ImageBaseBuffer, DWORD Index, IMAGE_SECTION_HEADER SectionHeader)
	Return the section header located on position Index (0 based). More...

INTSTATUS	IntPeGetSectionHeadersByName (QWORD ImageBase, BYTE ImageBaseBuffer, PCHAR Name, DWORD NumberOfSectionHeadersAllocated, QWORD Cr3, IMAGE_SECTION_HEADER SectionHeaders, DWORD *NumberOfSectionHeadersFilled)
	Return all the section headers matching the indicated Name. More...

INTSTATUS	IntPeFindExportByRva (QWORD ImageBase, BYTE *ImageBaseBuffer, DWORD Rva)
	Check if a RVA lies inside an exported function. More...

INTSTATUS	IntPeFindExportByRvaInBuffer (QWORD ImageBase, BYTE *Buffer, DWORD BufferSize, DWORD Rva)
	Check if the indicated Rva belongs to an exported function. More...

INTSTATUS	IntPeGetExportNameByRva (QWORD ImageBase, BYTE ImageBaseBuffer, DWORD Rva, DWORD ExportNameSize, CHAR ExportName)
	Find the export name a Rva lies in. More...

INTSTATUS	IntPeGetExportNameByRvaInBuffer (QWORD ImageBase, BYTE Buffer, DWORD BufferSize, DWORD Rva, DWORD ExportNameSize, CHAR ExportName)
	Find the export name a Rva lies in. More...

INTSTATUS	IntPeFindExportByNameInBuffer (QWORD ImageBase, BYTE Buffer, DWORD BufferSize, const char Name, DWORD *ExportRva)
	Find the export name a Rva lies in. More...

INTSTATUS	IntPeFindKernelExport (const char Name, QWORD ExportGva)
	Find an export inside the NT kernel image. More...

INTSTATUS	IntPeFindExportByName (QWORD ImageBase, BYTE ImageBaseBuffer, CHAR Name, DWORD *ExportRva)
	Find the export name a Rva lies in. More...

INTSTATUS	IntPeFindExportByOrdinal (QWORD ImageBase, BYTE ImageBaseBuffer, DWORD Ordinal, DWORD ExportRva)
	Find an exported function using its ordinal. More...

INTSTATUS	IntPeGetRuntimeFunction (QWORD ImageBase, BYTE ImageBaseBuffer, DWORD Rva, RUNTIME_FUNCTION RuntimeFunction)
	Parses the exception directory and gets the runtime function corresponding to the Rva. More...

INTSTATUS	IntPeGetRuntimeFunctionInBuffer (QWORD ImageBase, BYTE Buffer, DWORD BufferSize, DWORD Rva, RUNTIME_FUNCTION RuntimeFunction)
	Parses the exception directory and gets the runtime function corresponding to the Rva. More...

INTSTATUS	IntPeParseUnwindData (QWORD ImageBase, BYTE ImageBaseBuffer, RUNTIME_FUNCTION RuntimeFunction, DWORD RipOffset, DWORD ReservedStack, DWORD BeginAddress, BOOLEAN InterruptFunction, BOOLEAN ExceptionFunction, BOOLEAN *HasFramePointer)
	Parse the unwind data for the indicated function and return the prologue size. More...

INTSTATUS	IntPeParseUnwindDataInBuffer (QWORD ImageBase, BYTE Buffer, DWORD BufferSize, RUNTIME_FUNCTION RuntimeFunction, DWORD RipOffset, DWORD ReservedStack, DWORD BeginAddress, BOOLEAN InterruptFunction, BOOLEAN ExceptionFunction, BOOLEAN *HasFramePointer)
	Parse the unwind data for the indicated function and return the prologue size. More...

INTSTATUS	IntPeFindFunctionByPatternInBuffer (BYTE Buffer, DWORD BufferSize, WIN_UNEXPORTED_FUNCTION_PATTERN Pattern, BOOLEAN IgnoreSectionHint, DWORD *Rva)
	Find a function using a pattern. More...

INTSTATUS	IntPeFindFunctionByPattern (QWORD ImageBase, WIN_UNEXPORTED_FUNCTION_PATTERN Pattern, BOOLEAN IgnoreSectionHint, DWORD Rva)
	Find a function using a pattern. More...

INTSTATUS	IntPeFindFunctionStart (QWORD ImageBase, BYTE ImageBaseBuffer, DWORD Rva, DWORD BeginAddress)
	Find the start address of a function, given a Rva pointing inside of it. More...

INTSTATUS	IntPeFindFunctionStartInBuffer (QWORD ImageBase, BYTE Buffer, DWORD BufferSize, DWORD Rva, DWORD BeginAddress)
	Find the start address of a function, given a Rva pointing inside of it. More...

Macro Definition Documentation

◆ MAX_NUMBER_OF_EXPORT_NAMES

#define MAX_NUMBER_OF_EXPORT_NAMES 65535ul

We won't consider a valid image if it has more than MAX_NUMBER_OF_EXPORT_NAMES names.

Definition at line 12 of file winpe.c.

Referenced by IntPeFindExportByRva(), IntPeFindExportByRvaInBuffer(), IntPeGetExportNameByRva(), and IntPeGetExportNameByRvaInBuffer().

◆ MAX_SIZE_OF_IMAGE

#define MAX_SIZE_OF_IMAGE (2 * ONE_GIGABYTE)

The maximum value for the SizeOfImage field from a MZPE header.

See https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#optional-header-image-only

Definition at line 20 of file winpe.c.

Referenced by IntPeValidateHeader().

◆ MAX_UNWIND_CODES

#define MAX_UNWIND_CODES 50

Maximum number of unwind codes to check.

Definition at line 23 of file winpe.c.

Referenced by IntPeParseUnwindData(), and IntPeParseUnwindDataInBuffer().

◆ MAX_UNWIND_INFO_TRIES

#define MAX_UNWIND_INFO_TRIES 512

The maximum number of iterations done while parsing unwind data.

Definition at line 15 of file winpe.c.

Referenced by IntPeParseUnwindData(), and IntPeParseUnwindDataInBuffer().

Typedef Documentation

◆ OPTIONAL_HEADER_INFO

typedef struct _OPTIONAL_HEADER_INFO OPTIONAL_HEADER_INFO

Structure describing relevant fields extracted from the optional header.

◆ POPTIONAL_HEADER_INFO

typedef struct _OPTIONAL_HEADER_INFO * POPTIONAL_HEADER_INFO

Function Documentation

◆ IntPeFindExportByName()

INTSTATUS IntPeFindExportByName	(	QWORD	ImageBase,
		BYTE *	ImageBaseBuffer,
		CHAR *	Name,
		DWORD *	ExportRva
	)

Find the export name a Rva lies in.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	ImageBaseBuffer	Buffer containing the MZ/PE image.
[in]	Name	Export name to be found.
[out]	ExportRva	Rva the indicated export is found at.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_NOT_FOUND	If no export containing the Rva is found.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.
INT_STATUS_INVALID_OBJECT_TYPE	If the MZ/PE file is malformed or corrupted in any way.
INT_STATUS_INSUFFICIENT_RESOURCES	If a memory alloc fails.

Definition at line 1783 of file winpe.c.

Referenced by IntLdrFixImports(), IntVeDeliverDriverForLoad(), and IntWinApiHook().

◆ IntPeFindExportByNameInBuffer()

INTSTATUS IntPeFindExportByNameInBuffer	(	QWORD	ImageBase,
		BYTE *	Buffer,
		DWORD	BufferSize,
		const char *	Name,
		DWORD *	ExportRva
	)

Find the export name a Rva lies in.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	Buffer	Buffer containing the MZ/PE image.
[in]	BufferSize	Size of the Buffer containing the MZ/PE image.
[in]	Name	Export name to be found.
[out]	ExportRva	Rva the indicated export is found at.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_NOT_FOUND	If no export containing the Rva is found.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.
INT_STATUS_INVALID_OBJECT_TYPE	If the MZ/PE file is malformed or corrupted in any way.

Definition at line 1586 of file winpe.c.

Referenced by IntPeFindKernelExport(), and IntWinHalFindPerformanceCounterInternal().

◆ IntPeFindExportByOrdinal()

INTSTATUS IntPeFindExportByOrdinal	(	QWORD	ImageBase,
		BYTE *	ImageBaseBuffer,
		DWORD	Ordinal,
		DWORD *	ExportRva
	)

Find an exported function using its ordinal.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	ImageBaseBuffer	Buffer containing the MZ/PE image.
[in]	Ordinal	Ordinal used to find the export.
[out]	ExportRva	Rva the indicated export is found at.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_NOT_FOUND	If no export containing the Rva is found.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.
INT_STATUS_INVALID_OBJECT_TYPE	If the MZ/PE file is malformed or corrupted in any way.

Definition at line 1961 of file winpe.c.

◆ IntPeFindExportByRva()

INTSTATUS IntPeFindExportByRva	(	QWORD	ImageBase,
		BYTE *	ImageBaseBuffer,
		DWORD	Rva
	)

Check if a RVA lies inside an exported function.

Will return success if the given RVA is inside an exported function. Does not return the name since that would be slow. For getting the name use the IntPeGetExportNameByRva.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	ImageBaseBuffer	Address where the ImageBase is already mapped in Introcore space, if present.
[in]	Rva	The Rva to be checked.

Return values

INT_STATUS_SUCCESS	If the indicated Rva lies within an export.
INT_STATUS_NOT_FOUND	if the RVA isn't inside an exported function
INT_STATUS_INVALID_OBJECT_TYPE	if the ImageBase isn't a valid PE/PE+ object

Definition at line 1103 of file winpe.c.

Referenced by IntExceptWinKernelGetOriginator().

◆ IntPeFindExportByRvaInBuffer()

INTSTATUS IntPeFindExportByRvaInBuffer	(	QWORD	ImageBase,
		BYTE *	Buffer,
		DWORD	BufferSize,
		DWORD	Rva
	)

Check if the indicated Rva belongs to an exported function.

Will return success if the given RVA is inside an exported function. Does not return the name since that would be slow. For getting the name use the IntPeGetExportNameByRva.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	Buffer	Buffer containing the module.
[in]	BufferSize	The size of the buffer containing the module.
[in]	Rva	The Rva to be found.

Return values

INT_STATUS_SUCCESS	If an export is found to contain the given Rva.
INT_STATUS_NOT_FOUND	if the RVA isn't inside an exported function
STATUS_INVALID_OBJECT_TYPE	if the ImageBase isn't a valid PE/PE+ object

Definition at line 1223 of file winpe.c.

Referenced by IntExceptWinKernelGetOriginator().

◆ IntPeFindFunctionByPattern()

INTSTATUS IntPeFindFunctionByPattern	(	QWORD	ImageBase,
		WIN_UNEXPORTED_FUNCTION_PATTERN *	Pattern,
		BOOLEAN	IgnoreSectionHint,
		DWORD *	Rva
	)

Find a function using a pattern.

Searches the indicated guest module for a function matching the provided pattern. This function uses IntPeValidateHeader to validate the MZPE headers before using them.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers) to be validated.
[in]	Pattern	The searched pattern.
[in]	IgnoreSectionHint	If true, the pattern section hint will be ignored.
[out]	Rva	The Rva the indicated pattern is found at.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_DATA_BUFFER_TOO_SMALL	If a section exceeds the size of the provided buffer.
INT_STATUS_NOT_FOUND	If not function matching that pattern is found.

Definition at line 3150 of file winpe.c.

Referenced by IntWinAgentFindPropperSyscall(), IntWinAgentFindSyscallLinkage(), and IntWinApiFindFunctionRva().

◆ IntPeFindFunctionByPatternInBuffer()

INTSTATUS IntPeFindFunctionByPatternInBuffer	(	BYTE *	Buffer,
		DWORD	BufferSize,
		WIN_UNEXPORTED_FUNCTION_PATTERN *	Pattern,
		BOOLEAN	IgnoreSectionHint,
		DWORD *	Rva
	)

Find a function using a pattern.

Searches the indicated buffer for a function matching the provided pattern.

Parameters

[in]	Buffer	The buffer to search.
[in]	BufferSize	The size of the Buffer to be searched.
[in]	Pattern	The searched pattern.
[in]	IgnoreSectionHint	If true, the pattern section hint will be ignored.
[out]	Rva	The Rva the indicated pattern is found at.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_DATA_BUFFER_TOO_SMALL	If a section exceeds the size of the provided buffer.
INT_STATUS_NOT_FOUND	If not function matching that pattern is found.

Definition at line 3044 of file winpe.c.

Referenced by IntWinAgentFindSyscallLinkage(), IntWinApiFindFunctionRva(), and IntWinInfHookGetEtwpDebuggerData().

◆ IntPeFindFunctionStart()

INTSTATUS IntPeFindFunctionStart	(	QWORD	ImageBase,
		BYTE *	ImageBaseBuffer,
		DWORD	Rva,
		DWORD *	BeginAddress
	)

Find the start address of a function, given a Rva pointing inside of it.

Given a Rva, parse code backwards until we find what looks like the start of the function. This function uses either the exception directory for 64 bit executables or the standard prologue for 32 bit executables to locate the beginning of the function.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers) to be validated.
[in]	ImageBaseBuffer	Address where the ImageBase is already mapped in Introcore space, if present.
[in]	Rva	The Rva we will search the function start for.
[out]	BeginAddress	The Rva of the identified function start.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.
INT_STATUS_NOT_SUPPORTED	If the Rva lies in a non-executable section.
INT_STATUS_NOT_FOUND	If the function start could not be identified.

Definition at line 3297 of file winpe.c.

Referenced by IntAlertEptFillFromVictimZone(), IntPeFindExportByRva(), and IntPeFindExportByRvaInBuffer().

◆ IntPeFindFunctionStartInBuffer()

INTSTATUS IntPeFindFunctionStartInBuffer	(	QWORD	ImageBase,
		BYTE *	Buffer,
		DWORD	BufferSize,
		DWORD	Rva,
		DWORD *	BeginAddress
	)

Find the start address of a function, given a Rva pointing inside of it.

Given a Rva, parse code backwards until we find what looks like the start of the function. This function uses either the exception directory for 64 bit executables or the standard prologue for 32 bit executables to locate the beginning of the function. For 64-bit MZPEs IntPeParseUnwindDataInBuffer should be used instead.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers) to be validated.
[in]	Buffer	The buffer containing the MZ/PE image.
[in]	BufferSize	The size of the Buffer containing the MZ/PE image.
[in]	Rva	The Rva we will search the function start for.
[out]	BeginAddress	The Rva of the identified function start.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.
INT_STATUS_NOT_SUPPORTED	If the Rva lies in a non-executable section.
INT_STATUS_NOT_FOUND	If the function start could not be identified.

Definition at line 3624 of file winpe.c.

Referenced by IntAlertEptFillFromVictimZone().

◆ IntPeFindKernelExport()

INTSTATUS IntPeFindKernelExport	(	const char *	Name,
		QWORD *	ExportGva
	)

Find an export inside the NT kernel image.

Parameters

[in]	Name	Export to be found.
[out]	ExportGva	Guest virtual address (NOT RVA!) of the identified export.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 1748 of file winpe.c.

Referenced by IntWinApiHook(), IntWinGuestIsIncreasedUserVa(), IntWinGuestResolveImports(), IntWinHalCreateHalData(), IntWinProcPrepareInstrument(), and IntWinThrPrepareApcHandler().

◆ IntPeGetDirectory()

INTSTATUS IntPeGetDirectory	(	QWORD	ImageBase,
		BYTE *	ImageBaseBuffer,
		DWORD	DirectoryEntry,
		IMAGE_DATA_DIRECTORY *	Directory
	)

Validate & return the indicated image data directory.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	ImageBaseBuffer	Address where the ImageBase is already mapped in Introcore space, if present.
[in]	DirectoryEntry	Data directory entry to be fetched.
[out]	Directory	Will contain, upon successful return, the requested data directory.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.
INT_STATUS_INVALID_OBJECT_TYPE	If the MZ/PE is malformed or corrupted in any way.
INT_STATUS_NOT_FOUND	If the indicated data directory is not present.

Definition at line 552 of file winpe.c.

Referenced by IntExceptWinGetVictimDriver(), IntLdrLoadPEImage(), IntPeFindExportByName(), IntPeFindExportByNameInBuffer(), IntPeFindExportByOrdinal(), IntPeFindExportByRva(), IntPeFindExportByRvaInBuffer(), IntPeGetExportNameByRva(), IntPeGetExportNameByRvaInBuffer(), IntPeGetRuntimeFunction(), IntPeGetRuntimeFunctionInBuffer(), IntWinDrvHeadersInMemory(), IntWinProtectReadNtEat(), and IntWinUmModCacheFillHeaders().

◆ IntPeGetExportNameByRva()

INTSTATUS IntPeGetExportNameByRva	(	QWORD	ImageBase,
		BYTE *	ImageBaseBuffer,
		DWORD	Rva,
		DWORD	ExportNameSize,
		CHAR *	ExportName
	)

Find the export name a Rva lies in.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	ImageBaseBuffer	Address where the ImageBase is already mapped in Introcore space, if present.
[in]	Rva	The Rva for which we wish to find the export name.
[in]	ExportNameSize	Maximum length of the ExportName buffer, which will contain the export name, including the NULL-terminator.
[out]	ExportName	Will contain upon successful return the name of the export Rva belongs to.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_NOT_FOUND	If no export containing the Rva is found.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.
INT_STATUS_INVALID_OBJECT_TYPE	If the MZ/PE file is malformed or corrupted in any way.

Definition at line 1312 of file winpe.c.

Referenced by IntAlertEptFillFromVictimZone().

◆ IntPeGetExportNameByRvaInBuffer()

INTSTATUS IntPeGetExportNameByRvaInBuffer	(	QWORD	ImageBase,
		BYTE *	Buffer,
		DWORD	BufferSize,
		DWORD	Rva,
		DWORD	ExportNameSize,
		CHAR *	ExportName
	)

Find the export name a Rva lies in.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	Buffer	Buffer containing the MZ/PE image.
[in]	BufferSize	Size of the Buffer containing the MZ/PE image.
[in]	Rva	The Rva for which we wish to find the export name.
[in]	ExportNameSize	Maximum length of the ExportName buffer, which will contain the export name.
[out]	ExportName	Will contain upon successful return the name of the export Rva belongs to.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_NOT_FOUND	If no export containing the Rva is found.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.
INT_STATUS_INVALID_OBJECT_TYPE	If the MZ/PE file is malformed or corrupted in any way.

Definition at line 1457 of file winpe.c.

Referenced by IntAlertEptFillFromVictimZone().

◆ IntPeGetRuntimeFunction()

INTSTATUS IntPeGetRuntimeFunction	(	QWORD	ImageBase,
		BYTE *	ImageBaseBuffer,
		DWORD	Rva,
		RUNTIME_FUNCTION *	RuntimeFunction
	)

Parses the exception directory and gets the runtime function corresponding to the Rva.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	ImageBaseBuffer	Buffer containing the MZ/PE image.
[in]	Rva	The Rva whose runtime function is to be found.
[out]	RuntimeFunction	The identified runtime function for the indicated Rva.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_OBJECT_TYPE	If the MZ/PE file is malformed or corrupted in any way.
INT_STATUS_NOT_SUPPORTED	If the indicated MZ/PE file is not 64 bit.
INT_STATUS_NOT_FOUND	If no function is found at that RVA

Definition at line 2062 of file winpe.c.

Referenced by IntPeFindFunctionStart(), and IntWinStackTraceGet64().

◆ IntPeGetRuntimeFunctionInBuffer()

INTSTATUS IntPeGetRuntimeFunctionInBuffer	(	QWORD	ImageBase,
		BYTE *	Buffer,
		DWORD	BufferSize,
		DWORD	Rva,
		RUNTIME_FUNCTION *	RuntimeFunction
	)

Parses the exception directory and gets the runtime function corresponding to the Rva.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	Buffer	Buffer containing the MZ/PE image.
[in]	BufferSize	The size of the Buffer containing the MZ/PE image.
[in]	Rva	The Rva whose runtime function is to be found.
[out]	RuntimeFunction	The identified runtime function for the indicated Rva.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.
INT_STATUS_INVALID_OBJECT_TYPE	If the MZ/PE file is malformed or corrupted in any way.
INT_STATUS_NOT_SUPPORTED	If the indicated MZ/PE file is not 64 bit.
INT_STATUS_NOT_FOUND	If no function is found at that RVA

Definition at line 2267 of file winpe.c.

Referenced by IntPeFindFunctionStartInBuffer(), and IntWinStackTraceGet64().

◆ IntPeGetSectionHeaderByIndex()

INTSTATUS IntPeGetSectionHeaderByIndex	(	QWORD	ImageBase,
		BYTE *	ImageBaseBuffer,
		DWORD	Index,
		IMAGE_SECTION_HEADER *	SectionHeader
	)

Return the section header located on position Index (0 based).

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	ImageBaseBuffer	Address where the ImageBase is already mapped in Introcore space, if present.
[in]	Index	Index of the section header to be returned (0 based).
[out]	SectionHeader	Will contain, upon successful return, the section header located at Index.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.
INT_STATUS_INVALID_OBJECT_TYPE	If the MZ/PE is malformed or corrupted in any way.
INT_STATUS_NOT_FOUND	If the section Index is not found.

Definition at line 838 of file winpe.c.

Referenced by IntPtiMonitorAllPtWriteCandidates().

◆ IntPeGetSectionHeaderByRva()

INTSTATUS IntPeGetSectionHeaderByRva	(	QWORD	ImageBase,
		BYTE *	ImageBaseBuffer,
		DWORD	GuestRva,
		IMAGE_SECTION_HEADER *	SectionHeader
	)

Given a relative virtual address, return the section header which describes the section the RVA lies in.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	ImageBaseBuffer	Address where the ImageBase is already mapped in Introcore space, if present.
[in]	GuestRva	The RVA to be found.
[out]	SectionHeader	Will contain, upon successful return, the section header describing the section that contains the indicated RVA.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.
INT_STATUS_INVALID_OBJECT_TYPE	If the MZ/PE is malformed or corrupted in any way.
INT_STATUS_NOT_FOUND	If a section containing the RVA is not found.

Definition at line 707 of file winpe.c.

Referenced by IntExceptGetVictimEpt(), IntExceptWinGetVictimDriver(), IntExceptWinKernelGetOriginator(), IntPeFindFunctionStart(), IntPeFindFunctionStartInBuffer(), IntPtiIsPtrInAgent(), IntWinDagentSendDoubleAgentAlert(), IntWinGuestValidateKernel(), IntWinModFillDriverInjectionData(), IntWinStackTraceGet64(), IntWinStackTraceGetUser32(), and IntWinStackTraceGetUser64().

◆ IntPeGetSectionHeadersByName()

INTSTATUS IntPeGetSectionHeadersByName	(	QWORD	ImageBase,
		BYTE *	ImageBaseBuffer,
		PCHAR	Name,
		DWORD	NumberOfSectionHeadersAllocated,
		QWORD	Cr3,
		IMAGE_SECTION_HEADER *	SectionHeaders,
		DWORD *	NumberOfSectionHeadersFilled
	)

Return all the section headers matching the indicated Name.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	ImageBaseBuffer	Address where the ImageBase is already mapped in Introcore space, if present.
[in]	Name	The name of the searched sections.
[in]	NumberOfSectionHeadersAllocated	Number of section headers allocated for the results.
[in]	Cr3	The Cr3 used for mapping the headers in case ImageBaseBuffer is not provided.
[out]	SectionHeaders	Buffer containing NumberOfSectionHeadersAllocated slots.
[out]	NumberOfSectionHeadersFilled	Number of slots filled in the SectionHeaders = number of sections found to have the indicated Name.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.
INT_STATUS_INVALID_OBJECT_TYPE	If the MZ/PE is malformed or corrupted in any way.
INT_STATUS_NOT_FOUND	If no section with the given name is found.

Definition at line 942 of file winpe.c.

Referenced by IntWinGuestFindDriversNamespace(), IntWinGuestFindDriversNamespaceNoBuffer(), IntWinGuestFindKernelObjectsInternal(), IntWinGuestValidateKernel(), IntWinHalFindHalHeapAndInterruptController(), and IntWinHalFindInterruptController().

◆ IntPeListSectionsHeaders()

INTSTATUS IntPeListSectionsHeaders	(	QWORD	ImageBase,
		BYTE *	ImageBuffer,
		DWORD	ImageBufferSize,
		DWORD *	FirstSectionOffset,
		DWORD *	SectionCount
	)

Will get the offset to the first section header and the number of sections from the given module.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	ImageBuffer	Address where the ImageBase is already mapped in Introcore space, if present.
[in]	ImageBufferSize	If ImageBaseBuffer is valid, this indicates its size.
[out]	FirstSectionOffset	Offset to the first section header.
[out]	SectionCount	Number of sections.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.
INT_STATUS_INVALID_OBJECT_TYPE	If the MZ/PE is malformed or corrupted in any way.

Definition at line 473 of file winpe.c.

Referenced by IntPtiHookPtDriver(), IntVeEnableDisableDriverAccessInProtectedView(), IntVeHookVeDriver(), IntWinDagentHandleSuspModHeaders(), and IntWinModHookModule().

◆ IntPeParseUnwindData()

INTSTATUS IntPeParseUnwindData	(	QWORD	ImageBase,
		BYTE *	ImageBaseBuffer,
		RUNTIME_FUNCTION *	RuntimeFunction,
		DWORD	RipOffset,
		DWORD *	ReservedStack,
		DWORD *	BeginAddress,
		BOOLEAN *	InterruptFunction,
		BOOLEAN *	ExceptionFunction,
		BOOLEAN *	HasFramePointer
	)

Parse the unwind data for the indicated function and return the prologue size.

Parses the UNWIND_INFO structure(s) of the RuntimeFunction and returns the total space occupied by the function prologue (it can be 0!).

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	ImageBaseBuffer	Buffer containing the MZ/PE image.
[in]	RuntimeFunction	The runtime function to be parsed.
[in]	RipOffset	The offset inside the function where the RIP is.
[out]	ReservedStack	Size reserved on the stack for that function.
[out]	BeginAddress	The actual beginning of the function (after parsing chained info).
[out]	InterruptFunction	True if it's an interrupt handler function.
[out]	ExceptionFunction	True if it's an exception handler function.
[out]	HasFramePointer	True if the function uses a frame pointer.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.

Definition at line 2395 of file winpe.c.

Referenced by IntPeFindFunctionStart(), and IntWinStackTraceGet64().

◆ IntPeParseUnwindDataInBuffer()

INTSTATUS IntPeParseUnwindDataInBuffer	(	QWORD	ImageBase,
		BYTE *	Buffer,
		DWORD	BufferSize,
		RUNTIME_FUNCTION *	RuntimeFunction,
		DWORD	RipOffset,
		DWORD *	ReservedStack,
		DWORD *	BeginAddress,
		BOOLEAN *	InterruptFunction,
		BOOLEAN *	ExceptionFunction,
		BOOLEAN *	HasFramePointer
	)

Parse the unwind data for the indicated function and return the prologue size.

Parses the UNWIND_INFO structure(s) of the RuntimeFunction and returns the total space occupied by the function prologue (it can be 0!).

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers).
[in]	Buffer	Buffer containing the MZ/PE image.
[in]	BufferSize	The size of the Buffer containing the MZ/PE image.
[in]	RuntimeFunction	The runtime function to be parsed.
[in]	RipOffset	The offset inside the function where the RIP is.
[out]	ReservedStack	Size reserved on the stack for that function.
[out]	BeginAddress	The actual beginning of the function (after parsing chained info).
[out]	InterruptFunction	True if it's an interrupt handler function.
[out]	ExceptionFunction	True if it's an exception handler function.
[out]	HasFramePointer	True if the function uses a frame pointer.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.

Definition at line 2726 of file winpe.c.

Referenced by IntPeFindFunctionStartInBuffer(), and IntWinStackTraceGet64().

◆ IntPeValidateHeader()

INTSTATUS IntPeValidateHeader	(	QWORD	ImageBase,
		BYTE *	ImageBaseBuffer,
		DWORD	ImageBaseBufferSize,
		INTRO_PE_INFO *	PeInfo,
		QWORD	Cr3
	)

Validates a PE header.

This function will perform several checks on the given PE header:

MZ and PE signatures;
Optional header size;
Sections (offset, size);
Entry point;
File & section alignment; If all the checks pass (the PE does not look malformed/corrupted), it will return the information in the PeInfo structure. In order to work, at least a page of memory (containing the MZ/PE) headers must be mapped. If the caller provides ImageBaseBuffer, it must make sure that at least one page is available.

Parameters

[in]	ImageBase	Guest virtual address of the beginning of the module (headers) to be validated.
[in]	ImageBaseBuffer	Address where the ImageBase is already mapped in Introcore space, if present.
[in]	ImageBaseBufferSize	If ImageBaseBuffer is valid, this indicates its size.
[out]	PeInfo	Will contain upon successful validation relevant PE information.
[in]	Cr3	Optional virtual address space the image lies in.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_NOT_SUPPORTED	If the base of the PE file is not aligned to 4K.
INT_STATUS_INVALID_OBJECT_TYPE	If the PE file is malformed or corrupted in any way.

Definition at line 131 of file winpe.c.

Referenced by IntLdrGetImageSizeAndEntryPoint(), IntLdrLoadPEImage(), IntModBlockHandleBlockModHeadersInMemory(), IntPeFindExportByNameInBuffer(), IntPeFindExportByRvaInBuffer(), IntPeFindFunctionByPattern(), IntPeFindFunctionByPatternInBuffer(), IntPeFindFunctionStart(), IntPeFindFunctionStartInBuffer(), IntPeGetDirectory(), IntPeGetExportNameByRvaInBuffer(), IntPeGetRuntimeFunction(), IntPeGetRuntimeFunctionInBuffer(), IntPeGetSectionHeaderByIndex(), IntPeGetSectionHeaderByRva(), IntPeGetSectionHeadersByName(), IntPeListSectionsHeaders(), IntSlackAllocWindows(), IntWinDagentCheckNativeSubsystem(), IntWinDepInjectProcess(), IntWinDrvHeadersInMemory(), IntWinDrvObjIsValidDriverObject(), IntWinGuestReadKernel(), IntWinHalReadHal(), IntWinModHookPoly(), and IntWinUmModCacheFillHeaders().

◆ IntPeValidateOptionalHeader()

static INTSTATUS IntPeValidateOptionalHeader	(	void *	OptionalHeader,
		DWORD	SizeOfOptionalHeader,
		OPTIONAL_HEADER_INFO *	Info
	)

static

Validates and extracts info about the optional header.

This function will parse the optional header and get relevant information, described in the OPTIONAL_HEADER_INFO structure. Note that the optional header is parsed with respect to the magic, even if the process is considered 64 bits, if we encounter a IMAGE_OPTIONAL_HEADER_PE32 signature, we'll consider the optional header, as well as the whole image, to be 32 bits.

Parameters

[in]	OptionalHeader	A pointer to the optional header field of the nt headers.
[in]	SizeOfOptionalHeader	The number of bytes in the optional header, as extracted from the file header.
[out]	Info	An OPTIONAL_HEADER_INFO structure containing the retrieved relevant information.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_OBJECT_TYPE	If the optional header is corrupted or has an invalid magic.

Definition at line 41 of file winpe.c.

Referenced by IntPeValidateHeader().

Data Structures

Macros

Typedefs

Functions

Macro Definition Documentation

◆ MAX_NUMBER_OF_EXPORT_NAMES

◆ MAX_SIZE_OF_IMAGE

◆ MAX_UNWIND_CODES

◆ MAX_UNWIND_INFO_TRIES

Typedef Documentation

◆ OPTIONAL_HEADER_INFO

◆ POPTIONAL_HEADER_INFO

Function Documentation

◆ IntPeFindExportByName()

◆ IntPeFindExportByNameInBuffer()

◆ IntPeFindExportByOrdinal()

◆ IntPeFindExportByRva()

◆ IntPeFindExportByRvaInBuffer()

◆ IntPeFindFunctionByPattern()

◆ IntPeFindFunctionByPatternInBuffer()

◆ IntPeFindFunctionStart()

◆ IntPeFindFunctionStartInBuffer()

◆ IntPeFindKernelExport()

◆ IntPeGetDirectory()

◆ IntPeGetExportNameByRva()

◆ IntPeGetExportNameByRvaInBuffer()

◆ IntPeGetRuntimeFunction()

◆ IntPeGetRuntimeFunctionInBuffer()

◆ IntPeGetSectionHeaderByIndex()

◆ IntPeGetSectionHeaderByRva()

◆ IntPeGetSectionHeadersByName()

◆ IntPeListSectionsHeaders()

◆ IntPeParseUnwindData()

◆ IntPeParseUnwindDataInBuffer()

◆ IntPeValidateHeader()

◆ IntPeValidateOptionalHeader()