Runtime PE Section Enumeration
#define WIN32_LEAN_AND_MEAN | |
#include <windows.h> | |
#include <winnt.h> | |
#include <intrin.h> | |
// Local stand-in for the native counted string used by the loader structures
// below (appears to mirror ntdll's UNICODE_STRING; the two USHORT fields are
// the in-use and allocated sizes of pBuffer — confirm against winternl.h).
typedef struct _UNICODE_STR
{
    USHORT Length;          // size currently in use
    USHORT MaximumLength;   // size of the allocation behind pBuffer
    PWSTR pBuffer;          // wide-character buffer; not assumed NUL-terminated
} UNICODE_STR, *PUNICODE_STR;
// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//__declspec( align(8) )
// One loaded-module record as kept by the loader. NOTE(review): this layout
// is a hand-copied, version-specific snapshot (undocumented structure); it is
// declared here but not dereferenced by PeSectionEnum below.
typedef struct _LDR_DATA_TABLE_ENTRY
{
    //LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID DllBase;          // module load address
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STR FullDllName;
    UNICODE_STR BaseDllName;
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    LIST_ENTRY HashTableEntry;
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// WinDbg> dt -v ntdll!_PEB_LDR_DATA
// Head of the loader's module lists, reached through _PEB.pLdr. Undocumented
// and version-specific; the size note on the struct line is the author's
// snapshot. Not dereferenced by PeSectionEnum below.
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
    DWORD dwLength;
    DWORD dwInitialized;
    LPVOID lpSsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    LPVOID lpEntryInProgress;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
// Singly-linked free-block node referenced by _PEB.pFreeList; declared only so
// the PEB layout below lines up. Not used by PeSectionEnum.
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
    struct _PEB_FREE_BLOCK * pNext;
    DWORD dwSize;
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
// struct _PEB is defined in Winternl.h but it is incomplete
// WinDbg> dt -v ntdll!_PEB
// Process Environment Block as seen from a 32-bit process (it is reached via
// fs:[0x30] in PeSectionEnum, which only exists on x86). The field list is a
// hand-copied snapshot of an undocumented structure, so offsets past the
// first few members should be treated as version-specific. PeSectionEnum
// reads only lpImageBaseAddress; the field offsets before it (four BYTEs and
// one LPVOID) are what actually matter for that read.
typedef struct __PEB // 65 elements, 0x210 bytes
{
    BYTE bInheritedAddressSpace;
    BYTE bReadImageFileExecOptions;
    BYTE bBeingDebugged;
    BYTE bSpareBool;
    LPVOID lpMutant;
    LPVOID lpImageBaseAddress;      // base of the running process's own PE image
    PPEB_LDR_DATA pLdr;             // loader module lists (see PEB_LDR_DATA)
    LPVOID lpProcessParameters;
    LPVOID lpSubSystemData;
    LPVOID lpProcessHeap;
    PRTL_CRITICAL_SECTION pFastPebLock;
    LPVOID lpFastPebLockRoutine;
    LPVOID lpFastPebUnlockRoutine;
    DWORD dwEnvironmentUpdateCount;
    LPVOID lpKernelCallbackTable;
    DWORD dwSystemReserved;
    DWORD dwAtlThunkSListPtr32;
    PPEB_FREE_BLOCK pFreeList;
    DWORD dwTlsExpansionCounter;
    LPVOID lpTlsBitmap;
    DWORD dwTlsBitmapBits[2];
    LPVOID lpReadOnlySharedMemoryBase;
    LPVOID lpReadOnlySharedMemoryHeap;
    LPVOID lpReadOnlyStaticServerData;
    LPVOID lpAnsiCodePageData;
    LPVOID lpOemCodePageData;
    LPVOID lpUnicodeCaseTableData;
    DWORD dwNumberOfProcessors;
    DWORD dwNtGlobalFlag;
    LARGE_INTEGER liCriticalSectionTimeout;
    DWORD dwHeapSegmentReserve;
    DWORD dwHeapSegmentCommit;
    DWORD dwHeapDeCommitTotalFreeThreshold;
    DWORD dwHeapDeCommitFreeBlockThreshold;
    DWORD dwNumberOfHeaps;
    DWORD dwMaximumNumberOfHeaps;
    LPVOID lpProcessHeaps;
    LPVOID lpGdiSharedHandleTable;
    LPVOID lpProcessStarterHelper;
    DWORD dwGdiDCAttributeList;
    LPVOID lpLoaderLock;
    DWORD dwOSMajorVersion;
    DWORD dwOSMinorVersion;
    WORD wOSBuildNumber;
    WORD wOSCSDVersion;
    DWORD dwOSPlatformId;
    DWORD dwImageSubsystem;
    DWORD dwImageSubsystemMajorVersion;
    DWORD dwImageSubsystemMinorVersion;
    DWORD dwImageProcessAffinityMask;
    DWORD dwGdiHandleBuffer[34];
    LPVOID lpPostProcessInitRoutine;
    LPVOID lpTlsExpansionBitmap;
    DWORD dwTlsExpansionBitmapBits[32];
    DWORD dwSessionId;
    ULARGE_INTEGER liAppCompatFlags;
    ULARGE_INTEGER liAppCompatFlagsUser;
    LPVOID lppShimData;
    LPVOID lpAppCompatInfo;
    UNICODE_STR usCSDVersion;
    LPVOID lpActivationContextData;
    LPVOID lpProcessAssemblyStorageMap;
    LPVOID lpSystemDefaultActivationContextData;
    LPVOID lpSystemAssemblyStorageMap;
    DWORD dwMinimumStackCommit;
} _PEB, * _PPEB;
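// Enumerate the section table of the running process's own in-memory PE image.
//
// The image base is taken from the PEB (fs:[0x30] -> lpImageBaseAddress), so
// this is x86-only. The headers being walked belong to the image the loader
// already mapped and validated for this process, so only the two signature
// checks are needed before trusting e_lfanew and NumberOfSections.
//
// Each section name is reported through DMSG (assumed printf-style, as in the
// original call). IMAGE_SECTION_HEADER.Name is IMAGE_SIZEOF_SHORT_NAME (8)
// bytes and is NOT NUL-terminated when all eight bytes are used, so it is
// printed with a bounded precision instead of a bare "%s" that would read
// past the field.
//
// Returns TRUE once every section has been visited, FALSE when the DOS or NT
// signature does not match (the original fell off the end of a BOOL function
// without a value and used bare `return;` in the failure paths).
BOOL PeSectionEnum(void)
{
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNtHeaders;
    PIMAGE_SECTION_HEADER pSectionHeader;
    ULONG_PTR imageBase;   // pointer-sized so the cast never truncates
    WORD numberOfSections;
    WORD i;

    imageBase = (ULONG_PTR) (((_PPEB) __readfsdword(0x30))->lpImageBaseAddress);
    pDosHeader = (PIMAGE_DOS_HEADER) imageBase;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        return FALSE;
    }

    pNtHeaders = (PIMAGE_NT_HEADERS)(imageBase + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
        return FALSE;
    }

    // Section headers immediately follow the optional header; NumberOfSections
    // is a WORD, so the loop counter matches its type.
    pSectionHeader = IMAGE_FIRST_SECTION(pNtHeaders);
    numberOfSections = pNtHeaders->FileHeader.NumberOfSections;
    for (i = 0; i < numberOfSections; i++) {
        // "%.8s" stops at IMAGE_SIZEOF_SHORT_NAME bytes even with no terminator.
        DMSG("Section Name: %.8s", pSectionHeader[i].Name);
        // This is an in-memory PE so offsets are represented by VirtualAddress
        // Section Data:
        //   Location: (imageBase + pSectionHeader[i].VirtualAddress)
        //   Size:     pSectionHeader[i].SizeOfRawData
    }

    return TRUE;
}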
If you don't want to define big structures to get only one dword, you can use this: