Skip to content

Instantly share code, notes, and snippets.

@0xbadfca11

0xbadfca11/.adoc

Created September 24, 2020 13:10
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save 0xbadfca11/c28f3aefdb905f3523dab4cafbee3e7a to your computer and use it in GitHub Desktop.
Save 0xbadfca11/c28f3aefdb905f3523dab4cafbee3e7a to your computer and use it in GitHub Desktop.
Download ZIP
Don't use GetImageConfigInformation
Raw
.adoc

TL;DR Don’t use GetImageConfigInformation.

GetImageConfigInformation bug

GetImageConfigInformation is hard coded that the Image Config Directory is 64 bytes.
It will not work in most environments.
Don’t use GetImageConfigInformation. This API is waste.

GetImageConfigInformation Implementation

BOOL IMAGEAPI GetImageConfigInformation(
  PLOADED_IMAGE                LoadedImage,
  PIMAGE_LOAD_CONFIG_DIRECTORY ImageConfigInformation
)
{
  if (!LoadedImage || !ImageConfigInformation)
  {
    SetLastError(ERROR_INVALID_PARAMETER);
    return FALSE;
  }
  if (LoadedImage->FileHeader->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
  {
    SetLastError(ERROR_INVALID_PARAMETER);
    return FALSE;
  }
  ULONG LoadConfigDirectorySize;
  PIMAGE_LOAD_CONFIG_DIRECTORY LoadConfigDirectoryAddress
    = ImageDirectoryEntryToDataEx(
        LoadedImage->MappedAddress,
        FALSE,
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
        &LoadConfigDirectorySize,
        NULL
        );
  if (!LoadConfigDirectoryAddress)
  {
    SetLastError(ERROR_INVALID_DATA);
    return FALSE;
  }
  if (LoadConfigDirectorySize != 64)
  {
    SetLastError(ERROR_INVALID_DATA);
    return FALSE;
  }
  if (LoadConfigDirectoryAddress->Size > 0 && LoadConfigDirectoryAddress->Size < 64)
  {
    SetLastError(ERROR_INVALID_DATA);
    return FALSE;
  }
  memcpy(ImageConfigInformation, LoadConfigDirectoryAddress, 64);
  return TRUE;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment