|
|
dd89bb |
/********************************************************/
|
|
|
dd89bb |
/* ntapi: Native API core library */
|
|
|
4256e2 |
/* Copyright (C) 2013--2016 Z. Gilboa */
|
|
|
dd89bb |
/* Released under GPLv2 and GPLv3; see COPYING.NTAPI. */
|
|
|
dd89bb |
/********************************************************/
|
|
|
dd89bb |
|
|
|
dd89bb |
#include <psxtypes/psxtypes.h>
|
|
|
dd89bb |
#include <pemagine/pemagine.h>
|
|
|
dd89bb |
#include <ntapi/nt_section.h>
|
|
|
dd89bb |
#include <ntapi/nt_process.h>
|
|
|
dd89bb |
#include <ntapi/ntapi.h>
|
|
|
dd89bb |
#include "ntapi_impl.h"
|
|
|
dd89bb |
|
|
|
dd89bb |
static nt_sqos const sqos = {
|
|
|
dd89bb |
sizeof(sqos),
|
|
|
dd89bb |
NT_SECURITY_IMPERSONATION,
|
|
|
dd89bb |
NT_SECURITY_TRACKING_DYNAMIC,
|
|
|
dd89bb |
1};
|
|
|
dd89bb |
|
|
|
dd89bb |
static int32_t __tt_exec_unmap_image(nt_executable_image * image, void * base, int32_t status)
|
|
|
dd89bb |
{
|
|
|
dd89bb |
int32_t ret;
|
|
|
dd89bb |
|
|
|
dd89bb |
if (base)
|
|
|
dd89bb |
if ((ret = __ntapi->zw_unmap_view_of_section(
|
|
|
dd89bb |
NT_CURRENT_PROCESS_HANDLE,
|
|
|
dd89bb |
base)))
|
|
|
dd89bb |
return ret;
|
|
|
dd89bb |
|
|
|
dd89bb |
if (image->hsection)
|
|
|
dd89bb |
if ((ret = __ntapi->zw_close(image->hsection)))
|
|
|
dd89bb |
return ret;
|
|
|
dd89bb |
|
|
|
dd89bb |
return status;
|
|
|
dd89bb |
}
|
|
|
dd89bb |
|
|
|
dd89bb |
int32_t __stdcall __ntapi_tt_exec_unmap_image(nt_executable_image * image)
|
|
|
dd89bb |
{
|
|
|
dd89bb |
return __tt_exec_unmap_image(image,image->addr,0);
|
|
|
dd89bb |
}
|
|
|
dd89bb |
|
|
|
dd89bb |
|
|
|
dd89bb |
int32_t __stdcall __ntapi_tt_exec_map_image_as_data(nt_executable_image * image)
|
|
|
dd89bb |
{
|
|
|
dd89bb |
int32_t status;
|
|
|
dd89bb |
uint16_t * pi16;
|
|
|
dd89bb |
uint32_t * pi32;
|
|
|
dd89bb |
nt_sec_size sec_size;
|
|
|
dd89bb |
size_t view_size;
|
|
|
dd89bb |
void * base;
|
|
|
dd89bb |
void * hsection;
|
|
|
dd89bb |
|
|
|
283803 |
struct pe_raw_image_dos_hdr * dos;
|
|
|
283803 |
struct pe_raw_coff_file_hdr * coff;
|
|
|
283803 |
union pe_raw_opt_hdr * opt;
|
|
|
283803 |
struct pe_raw_sec_hdr * sec;
|
|
|
dd89bb |
|
|
|
dd89bb |
nt_oa oa = {sizeof(oa),
|
|
|
dd89bb |
0,0,0,0,(nt_sqos *)&sqos};
|
|
|
dd89bb |
|
|
|
dd89bb |
base = 0;
|
|
|
dd89bb |
sec_size.quad = 0;
|
|
|
dd89bb |
view_size = image->size;
|
|
|
dd89bb |
|
|
|
dd89bb |
if ((status = __ntapi->zw_create_section(
|
|
|
dd89bb |
&hsection,
|
|
|
dd89bb |
NT_SECTION_MAP_READ,
|
|
|
dd89bb |
&oa,
|
|
|
dd89bb |
&sec_size,
|
|
|
dd89bb |
NT_PAGE_READONLY,
|
|
|
dd89bb |
NT_SEC_RESERVE,image->hfile)))
|
|
|
dd89bb |
return status;
|
|
|
dd89bb |
|
|
|
dd89bb |
if ((status = __ntapi->zw_map_view_of_section(
|
|
|
dd89bb |
hsection,
|
|
|
dd89bb |
NT_CURRENT_PROCESS_HANDLE,
|
|
|
dd89bb |
&base,
|
|
|
dd89bb |
0,0,0,
|
|
|
dd89bb |
&view_size,
|
|
|
dd89bb |
NT_VIEW_UNMAP,0,
|
|
|
dd89bb |
NT_PAGE_READONLY)))
|
|
|
dd89bb |
return __tt_exec_unmap_image(
|
|
|
dd89bb |
image,base,status);
|
|
|
dd89bb |
|
|
|
dd89bb |
if (!(dos = pe_get_image_dos_hdr_addr(base)))
|
|
|
dd89bb |
return 0;
|
|
|
dd89bb |
|
|
|
dd89bb |
pi32 = (uint32_t *)dos->dos_lfanew;
|
|
|
dd89bb |
if ((*pi32 + sizeof(*coff)) > view_size)
|
|
|
dd89bb |
return __tt_exec_unmap_image(
|
|
|
dd89bb |
image,base,NT_STATUS_INVALID_IMAGE_FORMAT);
|
|
|
dd89bb |
|
|
|
dd89bb |
if (!(coff = pe_get_image_coff_hdr_addr(base)))
|
|
|
dd89bb |
return 0;
|
|
|
dd89bb |
|
|
|
dd89bb |
if (!(opt = pe_get_image_opt_hdr_addr(base)))
|
|
|
dd89bb |
return 0;
|
|
|
dd89bb |
|
|
|
dd89bb |
sec = pe_get_image_section_tbl_addr(base);
|
|
|
6fea25 |
pi16 = (uint16_t *)coff->cfh_num_of_sections;
|
|
|
dd89bb |
if (((size_t)sec-(size_t)base + *pi16 * sizeof(*sec)) > view_size)
|
|
|
dd89bb |
return __tt_exec_unmap_image(
|
|
|
dd89bb |
image,base,NT_STATUS_INVALID_IMAGE_FORMAT);
|
|
|
dd89bb |
|
|
|
dd89bb |
/* subsystem: same offset (pe32, pe32+) */
|
|
|
dd89bb |
pi16 = (uint16_t *)opt;
|
|
|
dd89bb |
image->magic = *pi16;
|
|
|
dd89bb |
|
|
|
6fea25 |
pi16 = (uint16_t *)opt->opt_hdr_32.coh_subsystem;
|
|
|
dd89bb |
image->subsystem = *pi16;
|
|
|
dd89bb |
|
|
|
6fea25 |
pi16 = (uint16_t *)coff->cfh_characteristics;
|
|
|
dd89bb |
image->characteristics = *pi16;
|
|
|
dd89bb |
|
|
|
dd89bb |
image->hsection = hsection;
|
|
|
dd89bb |
image->addr = base;
|
|
|
dd89bb |
image->size = view_size;
|
|
|
dd89bb |
|
|
|
dd89bb |
return status;
|
|
|
dd89bb |
}
|