-
-
Save dr4k0nia/682cb6db231516b904c166226e5e5676 to your computer and use it in GitHub Desktop.
Map offsets to PE Header fields, written for my blog post about AntiDump
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| namespace OffsetMapper | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { | |
| // Offsets defined in the AntiDump based on these I assumed PE32 format | |
| int[] peheaderdwords = new int[] { 0x0, 0x8, 0xC, 0x10, 0x16, 0x1C, 0x20, 0x28, 0x2C, 0x34, 0x3C, 0x4C, 0x50, 0x54, 0x58, 0x60, 0x64, 0x68, 0x6C, 0x70, 0x74, 0x104, 0x108, 0x10C, 0x110, 0x114, 0x11C }; | |
| int[] peheaderwords = new int[] { 0x4, 0x16, 0x18, 0x40, 0x42, 0x44, 0x46, 0x48, 0x4A, 0x4C, 0x5C, 0x5E }; | |
| int[] peheaderbytes = new int[] { 0x1A, 0x1B }; | |
| // Resolve the offsets to the respective fields in the PE Header from 0x80 as base | |
| // 0x80 is the default value of e_lfanew which is called dwpeheader in the AntiDump Code | |
| // base_address is the beggining of the pe header so for this case its 0 | |
| // since 0x80 added to 0 is just 0x80 we can use it as our base | |
| MapOffsetsToFields(peheaderdwords, nameof(peheaderdwords)); | |
| MapOffsetsToFields(peheaderwords, nameof(peheaderwords)); | |
| MapOffsetsToFields(peheaderbytes, nameof(peheaderbytes)); | |
| // Added 0x20 to the list because its called first | |
| int[] sectiontabledwords = new int[] { 0x20, 0x8, 0xC, 0x10, 0x14, 0x18, 0x1C, 0x24 }; | |
| // Resolving section table offset x has been replaced with 0 | |
| // since it will be 0 for the first iteration | |
| MapOffsetsToField(0xFA + (0x28 * 0), sectiontabledwords, nameof(sectiontabledwords)); | |
| // When resolving these offsets only 0x20 will result in a valid field | |
| // the others seem to be off by 2 for example (0xFA + (0x28 * 0) + 0x8 = 0x182 | |
| // which is off by +2 from Virtual Size and off by -2 from Virtual Address | |
| // The same applies for all following values being off by either +2 or -2 | |
| // Maybe it is on purpose but I cant see any particular reason for this | |
| } | |
| private static void MapOffsetsToFields(int[] source, string name) | |
| { | |
| Console.WriteLine($"\nResolving {name}\n"); | |
| foreach (int i in source) | |
| { | |
| int offset = 0x80 + i; | |
| var result = IsValid(offset) ? (Fields)offset : (Fields)0xFF; | |
| Console.WriteLine($"0x{i:X} offset to {result} in the {GetLocation(offset)} => location: {offset:X8}"); | |
| } | |
| } | |
| private static void MapOffsetsToField(int chain, int[] source, string name) | |
| { | |
| Console.WriteLine($"\nResolving {name}\n"); | |
| foreach (int i in source) | |
| { | |
| int offset = 0x80 + chain + i; | |
| var result = IsValid(offset) ? (Fields)offset : (Fields)0xFF; | |
| Console.WriteLine($"0x{i:X} offset to {result} in the {GetLocation(offset)} => location: {offset:X8}"); | |
| } | |
| } | |
| private static bool IsValid(int offset) | |
| { | |
| return Enum.IsDefined(typeof(Fields), offset); | |
| } | |
| private static string GetLocation(int offset) | |
| { | |
| if (offset <= 0x96) | |
| return "File Header"; | |
| if (offset <= 0xF4) | |
| return "Optional Header"; | |
| return "Section Table"; | |
| } | |
| enum Fields | |
| { | |
| // File Header | |
| Signature = 0x80, | |
| Machine = 0x84, | |
| NumberOfSections = 0x86, | |
| TimeDateStap = 0x88, | |
| PointerToSymboleTable = 0x8C, | |
| NumberOfSymbols = 0x90, | |
| SizeOfOptionalHeader = 0x94, | |
| Characteristics = 0x96, | |
| // Optional Header | |
| Magic = 0x98, | |
| MajorLinkerVersion = 0x9A, | |
| MinorLinkerVersion = 0x9B, | |
| SizeOfCode = 0x9C, | |
| SizeOfInitializedData = 0xA0, | |
| SizeOfUInitializedData = 0xA4, | |
| AddressOfEntryPoint = 0xA8, | |
| BaseOfCode = 0xAC, | |
| ImageBase = 0xB4, | |
| SectionAlignment = 0xB8, | |
| FileAlignment = 0xBC, | |
| MajorOperatingSystemVersion = 0xC0, | |
| MinorOperatingSystemVersion = 0xC2, | |
| MajorImageVersion = 0xC4, | |
| MinorImageVersion = 0xC6, | |
| MajorSubsystemVersion = 0xC8, | |
| MinorSubsystemVersion = 0xCA, | |
| Win32VersionValue = 0xCC, | |
| SizeOfImage = 0xD0, | |
| SizeOfHeaders = 0xD4, | |
| CheckSum = 0xD8, | |
| Subsystem = 0xDC, | |
| DllCharacteristics = 0xDE, | |
| SizeOfStackReserve = 0xE0, | |
| SizeOfStackCommit = 0xE4, | |
| SizeOfHeapReserve = 0xE8, | |
| SizeOfHeapCommit = 0xEC, | |
| LoaderFlags = 0xF0, | |
| NumberOfRvaAndSizes = 0xF4, | |
| // First section header (assuming 32bit Optional Header) | |
| // 0x104, 0x108, 0x10C, 0x110, 0x114, 0x11C }; | |
| Section_Name = 0x178, | |
| Section_Virtual_Size = 0x180, | |
| Section_Virtual_Address = 0x184, | |
| Section_Raw_Size = 0x188, | |
| Section_Raw_Address = 0x18C, | |
| Section_Reloc_Address = 0x190, | |
| Section_Linenumbers = 0x194, | |
| Section_Relocations_Number = 0x198, | |
| Section_Linenumbers_Number = 0x19A, | |
| Section_Characteristics = 0x19C, | |
| Unknown = 0xFF | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Resolving peheaderdwords
0x0 offset to Signature in the File Header => location: 00000080
0x8 offset to TimeDateStap in the File Header => location: 00000088
0xC offset to PointerToSymboleTable in the File Header => location: 0000008C
0x10 offset to NumberOfSymbols in the File Header => location: 00000090
0x16 offset to Characteristics in the File Header => location: 00000096
0x1C offset to SizeOfCode in the Optional Header => location: 0000009C
0x20 offset to SizeOfInitializedData in the Optional Header => location: 000000A0
0x28 offset to AddressOfEntryPoint in the Optional Header => location: 000000A8
0x2C offset to BaseOfCode in the Optional Header => location: 000000AC
0x34 offset to ImageBase in the Optional Header => location: 000000B4
0x3C offset to FileAlignment in the Optional Header => location: 000000BC
0x4C offset to Win32VersionValue in the Optional Header => location: 000000CC
0x50 offset to SizeOfImage in the Optional Header => location: 000000D0
0x54 offset to SizeOfHeaders in the Optional Header => location: 000000D4
0x58 offset to CheckSum in the Optional Header => location: 000000D8
0x60 offset to SizeOfStackReserve in the Optional Header => location: 000000E0
0x64 offset to SizeOfStackCommit in the Optional Header => location: 000000E4
0x68 offset to SizeOfHeapReserve in the Optional Header => location: 000000E8
0x6C offset to SizeOfHeapCommit in the Optional Header => location: 000000EC
0x70 offset to LoaderFlags in the Optional Header => location: 000000F0
0x74 offset to NumberOfRvaAndSizes in the Optional Header => location: 000000F4
0x104 offset to Section_Virtual_Address in the Section Table => location: 00000184
0x108 offset to Section_Raw_Size in the Section Table => location: 00000188
0x10C offset to Section_Raw_Address in the Section Table => location: 0000018C
0x110 offset to Section_Reloc_Address in the Section Table => location: 00000190
0x114 offset to Section_Linenumbers in the Section Table => location: 00000194
0x11C offset to Section_Characteristics in the Section Table => location: 0000019C
Resolving peheaderwords
0x4 offset to Machine in the File Header => location: 00000084
0x16 offset to Characteristics in the File Header => location: 00000096
0x18 offset to Magic in the Optional Header => location: 00000098
0x40 offset to MajorOperatingSystemVersion in the Optional Header => location: 000000C0
0x42 offset to MinorOperatingSystemVersion in the Optional Header => location: 000000C2
0x44 offset to MajorImageVersion in the Optional Header => location: 000000C4
0x46 offset to MinorImageVersion in the Optional Header => location: 000000C6
0x48 offset to MajorSubsystemVersion in the Optional Header => location: 000000C8
0x4A offset to MinorSubsystemVersion in the Optional Header => location: 000000CA
0x4C offset to Win32VersionValue in the Optional Header => location: 000000CC
0x5C offset to Subsystem in the Optional Header => location: 000000DC
0x5E offset to DllCharacteristics in the Optional Header => location: 000000DE
Resolving peheaderbytes
0x1A offset to MajorLinkerVersion in the Optional Header => location: 0000009A
0x1B offset to MinorLinkerVersion in the Optional Header => location: 0000009B
Resolving sectiontabledwords
0x20 offset to Section_Linenumbers_Number in the Section Table => location: 0000019A
0x8 offset to Unknown in the Section Table => location: 00000182
0xC offset to Unknown in the Section Table => location: 00000186
0x10 offset to Unknown in the Section Table => location: 0000018A
0x14 offset to Unknown in the Section Table => location: 0000018E
0x18 offset to Unknown in the Section Table => location: 00000192
0x1C offset to Unknown in the Section Table => location: 00000196
0x24 offset to Unknown in the Section Table => location: 0000019E