1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
|
#include <string.h>
#include "pe_relocations.h"
#include "pe_properties_generic.h"
namespace pe_bliss
{
using namespace pe_win;
//RELOCATIONS
//Default constructor
relocation_entry::relocation_entry()
:rva_(0), type_(0)
{}
//Constructor from relocation item (WORD)
relocation_entry::relocation_entry(uint16_t relocation_value)
:rva_(relocation_value & ((1 << 12) - 1)), type_(relocation_value >> 12)
{}
//Constructor from relative rva and relocation type
relocation_entry::relocation_entry(uint16_t rrva, uint16_t type)
:rva_(rrva), type_(type)
{}
//Returns RVA of relocation
uint16_t relocation_entry::get_rva() const
{
return rva_;
}
//Returns type of relocation
uint16_t relocation_entry::get_type() const
{
return type_;
}
//Sets RVA of relocation
void relocation_entry::set_rva(uint16_t rva)
{
rva_ = rva;
}
//Sets type of relocation
void relocation_entry::set_type(uint16_t type)
{
type_ = type;
}
//Returns relocation item (rrva + type)
uint16_t relocation_entry::get_item() const
{
return rva_ | (type_ << 12);
}
//Sets relocation item (rrva + type)
void relocation_entry::set_item(uint16_t item)
{
rva_ = item & ((1 << 12) - 1);
type_ = item >> 12;
}
//Returns relocation list
const relocation_table::relocation_list& relocation_table::get_relocations() const
{
return relocations_;
}
//Adds relocation to table
void relocation_table::add_relocation(const relocation_entry& entry)
{
relocations_.push_back(entry);
}
//Default constructor
relocation_table::relocation_table()
:rva_(0)
{}
//Constructor from RVA of relocation table
relocation_table::relocation_table(uint32_t rva)
:rva_(rva)
{}
//Returns RVA of block
uint32_t relocation_table::get_rva() const
{
return rva_;
}
//Sets RVA of block
void relocation_table::set_rva(uint32_t rva)
{
rva_ = rva;
}
//Returns changeable relocation list
relocation_table::relocation_list& relocation_table::get_relocations()
{
return relocations_;
}
//Get relocation list of pe file, supports one-word sized relocations only
//If list_absolute_entries = true, IMAGE_REL_BASED_ABSOLUTE will be listed
const relocation_table_list get_relocations(const pe_base& pe, bool list_absolute_entries)
{
relocation_table_list ret;
//If image does not have relocations
if(!pe.has_reloc())
return ret;
//Check the length in bytes of the section containing relocation directory
if(pe.section_data_length_from_rva(pe.get_directory_rva(image_directory_entry_basereloc),
pe.get_directory_rva(image_directory_entry_basereloc), section_data_virtual, true)
< sizeof(image_base_relocation))
throw pe_exception("Incorrect relocation directory", pe_exception::incorrect_relocation_directory);
unsigned long current_pos = pe.get_directory_rva(image_directory_entry_basereloc);
//First IMAGE_BASE_RELOCATION table
image_base_relocation reloc_table = pe.section_data_from_rva<image_base_relocation>(current_pos, section_data_virtual, true);
if(reloc_table.SizeOfBlock % 2)
throw pe_exception("Incorrect relocation directory", pe_exception::incorrect_relocation_directory);
unsigned long reloc_size = pe.get_directory_size(image_directory_entry_basereloc);
unsigned long read_size = 0;
//reloc_table.VirtualAddress is not checked (not so important)
while(reloc_table.SizeOfBlock && read_size < reloc_size)
{
//Create relocation table
relocation_table table;
//Save RVA
table.set_rva(reloc_table.VirtualAddress);
if(!pe_utils::is_sum_safe(current_pos, reloc_table.SizeOfBlock))
throw pe_exception("Incorrect relocation directory", pe_exception::incorrect_relocation_directory);
//List all relocations
for(unsigned long i = sizeof(image_base_relocation); i < reloc_table.SizeOfBlock; i += sizeof(uint16_t))
{
relocation_entry entry(pe.section_data_from_rva<uint16_t>(current_pos + i, section_data_virtual, true));
if(list_absolute_entries || entry.get_type() != image_rel_based_absolute)
table.add_relocation(entry);
}
//Save table
ret.push_back(table);
//Go to next relocation block
if(!pe_utils::is_sum_safe(current_pos, reloc_table.SizeOfBlock))
throw pe_exception("Incorrect relocation directory", pe_exception::incorrect_relocation_directory);
current_pos += reloc_table.SizeOfBlock;
read_size += reloc_table.SizeOfBlock;
reloc_table = pe.section_data_from_rva<image_base_relocation>(current_pos, section_data_virtual, true);
}
return ret;
}
//Simple relocations rebuilder
//To keep PE file working, don't remove any of existing relocations in
//relocation_table_list returned by a call to get_relocations() function
//auto_strip_last_section - if true and relocations are placed in the last section, it will be automatically stripped
//offset_from_section_start - offset from the beginning of reloc_section, where relocations data will be situated
//If save_to_pe_header is true, PE header will be modified automatically
const image_directory rebuild_relocations(pe_base& pe, const relocation_table_list& relocs, section& reloc_section, uint32_t offset_from_section_start, bool save_to_pe_header, bool auto_strip_last_section)
{
//Check that reloc_section is attached to this PE image
if(!pe.section_attached(reloc_section))
throw pe_exception("Relocations section must be attached to PE file", pe_exception::section_is_not_attached);
uint32_t current_reloc_data_pos = pe_utils::align_up(offset_from_section_start, sizeof(uint32_t));
uint32_t needed_size = current_reloc_data_pos - offset_from_section_start; //Calculate needed size for relocation tables
uint32_t size_delta = needed_size;
uint32_t start_reloc_pos = current_reloc_data_pos;
//Enumerate relocation tables
for(relocation_table_list::const_iterator it = relocs.begin(); it != relocs.end(); ++it)
{
needed_size += static_cast<uint32_t>((*it).get_relocations().size() * sizeof(uint16_t) /* relocations */ + sizeof(image_base_relocation) /* table header */);
//End of each table will be DWORD-aligned
if((start_reloc_pos + needed_size - size_delta) % sizeof(uint32_t))
needed_size += sizeof(uint16_t); //Align it with IMAGE_REL_BASED_ABSOLUTE relocation
}
//Check if reloc_section is last one. If it's not, check if there's enough place for relocations data
if(&reloc_section != &*(pe.get_image_sections().end() - 1) &&
(reloc_section.empty() || pe_utils::align_up(reloc_section.get_size_of_raw_data(), pe.get_file_alignment()) < needed_size + current_reloc_data_pos))
throw pe_exception("Insufficient space for relocations directory", pe_exception::insufficient_space);
std::string& raw_data = reloc_section.get_raw_data();
//This will be done only if reloc_section is the last section of image or for section with unaligned raw length of data
if(raw_data.length() < needed_size + current_reloc_data_pos)
raw_data.resize(needed_size + current_reloc_data_pos); //Expand section raw data
//Enumerate relocation tables
for(relocation_table_list::const_iterator it = relocs.begin(); it != relocs.end(); ++it)
{
//Create relocation table header
image_base_relocation reloc;
reloc.VirtualAddress = (*it).get_rva();
const relocation_table::relocation_list& reloc_list = (*it).get_relocations();
reloc.SizeOfBlock = static_cast<uint32_t>(sizeof(image_base_relocation) + sizeof(uint16_t) * reloc_list.size());
if((reloc_list.size() * sizeof(uint16_t)) % sizeof(uint32_t)) //If we must align end of relocation table
reloc.SizeOfBlock += sizeof(uint16_t);
memcpy(&raw_data[current_reloc_data_pos], &reloc, sizeof(reloc));
current_reloc_data_pos += sizeof(reloc);
//Enumerate relocations in table
for(relocation_table::relocation_list::const_iterator r = reloc_list.begin(); r != reloc_list.end(); ++r)
{
//Save relocations
uint16_t reloc_value = (*r).get_item();
memcpy(&raw_data[current_reloc_data_pos], &reloc_value, sizeof(reloc_value));
current_reloc_data_pos += sizeof(reloc_value);
}
if(current_reloc_data_pos % sizeof(uint32_t)) //If end of table is not DWORD-aligned
{
memset(&raw_data[current_reloc_data_pos], 0, sizeof(uint16_t)); //Align it with IMAGE_REL_BASED_ABSOLUTE relocation
current_reloc_data_pos += sizeof(uint16_t);
}
}
image_directory ret(pe.rva_from_section_offset(reloc_section, start_reloc_pos), needed_size - size_delta);
//Adjust section raw and virtual sizes
pe.recalculate_section_sizes(reloc_section, auto_strip_last_section);
//If auto-rewrite of PE headers is required
if(save_to_pe_header)
{
pe.set_directory_rva(image_directory_entry_basereloc, ret.get_rva());
pe.set_directory_size(image_directory_entry_basereloc, ret.get_size());
pe.clear_characteristics_flags(image_file_relocs_stripped);
pe.set_dll_characteristics(pe.get_dll_characteristics() | image_dllcharacteristics_dynamic_base);
}
return ret;
}
//Recalculates image base with the help of relocation tables
void rebase_image(pe_base& pe, const relocation_table_list& tables, uint64_t new_base)
{
pe.get_pe_type() == pe_type_32
? rebase_image_base<pe_types_class_32>(pe, tables, new_base)
: rebase_image_base<pe_types_class_64>(pe, tables, new_base);
}
//RELOCATIONS
//Recalculates image base with the help of relocation tables
//Recalculates VAs of DWORDS/QWORDS in image according to relocations
//Notice: if you move some critical structures like TLS, image relocations will not fix new
//positions of TLS VAs. Instead, some bytes that now doesn't belong to TLS will be fixed.
//It is recommended to rebase image in the very beginning and move all structures afterwards.
template<typename PEClassType>
void rebase_image_base(pe_base& pe, const relocation_table_list& tables, uint64_t new_base)
{
//Get current image base value
typename PEClassType::BaseSize image_base;
pe.get_image_base(image_base);
//ImageBase difference
typename PEClassType::BaseSize base_rel = static_cast<typename PEClassType::BaseSize>(static_cast<int64_t>(new_base) - image_base);
//We need to fix addresses from relocation tables
//Enumerate relocation tables
for(relocation_table_list::const_iterator it = tables.begin(); it != tables.end(); ++it)
{
const relocation_table::relocation_list& relocs = (*it).get_relocations();
uint32_t base_rva = (*it).get_rva();
//Enumerate relocations
for(relocation_table::relocation_list::const_iterator rel = relocs.begin(); rel != relocs.end(); ++rel)
{
//Skip ABSOLUTE entries
if((*rel).get_type() == pe_win::image_rel_based_absolute)
continue;
//Recalculate value by RVA and rewrite it
uint32_t current_rva = base_rva + (*rel).get_rva();
typename PEClassType::BaseSize value = pe.section_data_from_rva<typename PEClassType::BaseSize>(current_rva, section_data_raw, true);
value += base_rel;
memcpy(pe.section_data_from_rva(current_rva, true), &value, sizeof(value));
}
}
//Finally, save new image base
pe.set_image_base_64(new_base);
}
}
|