Tool to determine whether a PE image imports `malloc` from the UCRT math API-set DLL (api-ms-win-crt-math-l1-1-0.dll). Two implementations follow: a C program built on the img.h PE parser, and a Python script using pefile. Both exit with status 1 when the import is found.
#include <stdio.h> | |
#include <strings.h> | |
#include "img.h" | |
#define GET_UINT(PEIMG, POS) fimg_get_uint_at((PEIMG)->pimg, (POS), (PEIMG)->is_bigendian) | |
#define GET_UQUAD(PEIMG, POS) fimg_get_uquad_at((PEIMG)->pimg, (POS), (PEIMG)->is_bigendian) | |
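/*
 * Map a relative virtual address to a file offset using the section table.
 *
 * Walks the 40-byte IMAGE_SECTION_HEADER entries starting at pe->section_list
 * and returns the PointerToRawData-based offset for the section whose
 * [VirtualAddress, VirtualAddress + VirtualSize) range contains rva.
 *
 * Returns 0 and stores the offset in *off on success, -1 if the RVA lies in
 * no section. Expects pe->section_list_sz to already hold the real table size
 * (see the genpeimg note in main).
 */
static int rva_to_fileoff (pe_image *pe, unsigned int rva, size_t *off)
{
	for (size_t i = pe->section_list; i < pe->section_list + pe->section_list_sz; i += 40)
	{
		unsigned int secsize = PEIMG_GET_UINT(pe, i+8);   /* VirtualSize */
		unsigned int secrva  = PEIMG_GET_UINT(pe, i+12);  /* VirtualAddress */
		/* rva - secrva cannot wrap once rva >= secrva, unlike secrva + secsize */
		if (rva >= secrva && rva - secrva < secsize)
		{
			*off = (size_t) PEIMG_GET_UINT(pe, i+20) + (rva - secrva); /* PointerToRawData */
			return 0;
		}
	}
	return -1;
}

/*
 * Report whether the PE image named by argv[1] imports "malloc" from
 * api-ms-win-crt-math-l1-1-0.dll.
 *
 * Every imported DLL name is printed to stdout; for the math API set, each
 * by-name import is printed as well.
 *
 * Exit status: 1 if the import is found, 0 if not, 2 on usage error, on a
 * file that cannot be loaded as a PE image, or on an import table that
 * references an RVA outside every section.
 *
 * NOTE(review): string reads (printf/strcasecmp on dllname/importname) are
 * bounded only by the section lookup, not by the size of the loaded image;
 * the img.h buffer's size field is not visible here, so a truncated file
 * could still be read past its end — confirm against peimg_load.
 */
int main(int argc, char **argv)
{
	pe_image *pe;
	int ret = 0;
	unsigned int rva, size;
	size_t importsectionoff;

	if (argc < 2 || !argv[1])
	{
		fprintf (stderr, "usage: %s <pe-image>\n", (argc > 0 && argv[0]) ? argv[0] : "checkmathmalloc");
		return 2;
	}

	pe = peimg_load (argv[1]);
	if (!pe)
	{
		fprintf (stderr, "File not found, or no PE-image\n");
		return 2;
	}
	/*peimg_show (pe, stderr);*/

	/* potential bug in genpeimg - section table entries are 40 bytes, not 36 */
	pe->section_list_sz = pe->pe_filehdr.numsecs * 40;

	/* NumberOfRvaAndSizes must cover index 1 (the import directory). */
	if (PEIMG_GET_UINT(pe, pe->optional_hdr_pos + (pe->is_64bit ? 108 : 92)) < 2)
		goto done;

	rva  = PEIMG_GET_UINT(pe, pe->optional_hdr_pos + (pe->is_64bit ? 120 : 104));
	size = PEIMG_GET_UINT(pe, pe->optional_hdr_pos + (pe->is_64bit ? 124 : 108));
	/* A zero RVA or size means the image has no import directory. */
	if (!rva || !size)
		goto done;

	if (rva_to_fileoff (pe, rva, &importsectionoff) < 0)
	{
		fprintf (stderr, "import directory RVA 0x%x is not inside any section\n", rva);
		ret = 2;
		goto done;
	}

	/* Walk the 20-byte IMAGE_IMPORT_DESCRIPTOR array up to the all-zero terminator. */
	for (size_t i = importsectionoff; i < importsectionoff + size; i += 20)
	{
		unsigned int iltrva    = GET_UINT(pe, i),
		             dtstamp   = GET_UINT(pe, i+4),
		             forwarder = GET_UINT(pe, i+8),
		             namerva   = GET_UINT(pe, i+12),
		             iatrva    = GET_UINT(pe, i+16);
		size_t nameoff, iltoff;

		if (!iltrva && !dtstamp && !forwarder && !namerva && !iatrva)
			break;

		/* Resolve every RVA through the section table; the name and lookup
		 * tables need not live in the same section as the descriptors. */
		if (rva_to_fileoff (pe, namerva, &nameoff) < 0)
		{
			fprintf (stderr, "import name RVA 0x%x is not inside any section\n", namerva);
			ret = 2;
			goto done;
		}
		const char *dllname = pe->pimg->data + nameoff;
		printf ("%s\n", dllname);

		if (strcasecmp (dllname, "api-ms-win-crt-math-l1-1-0.dll") != 0 || !iltrva)
			continue;

		if (rva_to_fileoff (pe, iltrva, &iltoff) < 0)
		{
			fprintf (stderr, "import lookup table RVA 0x%x is not inside any section\n", iltrva);
			ret = 2;
			goto done;
		}

		/* ILT entries are 8 bytes on PE32+, 4 on PE32; a zero entry ends the list. */
		size_t entsz = pe->is_64bit ? 8 : 4;
		for (size_t j = iltoff; ; j += entsz)
		{
			unsigned long long entry = pe->is_64bit ? GET_UQUAD(pe, j) : GET_UINT(pe, j);
			if (!entry)
				break;
			/* High bit set: import by ordinal, no name to compare. */
			if (entry & (1ULL << (pe->is_64bit ? 63 : 31)))
				continue;

			/* Low 31 bits: RVA of IMAGE_IMPORT_BY_NAME (2-byte hint, then the name). */
			size_t hintoff;
			unsigned int hintrva = (unsigned int) (entry & 0x7FFFFFFF);
			if (rva_to_fileoff (pe, hintrva, &hintoff) < 0)
			{
				fprintf (stderr, "hint/name RVA 0x%x is not inside any section\n", hintrva);
				ret = 2;
				goto done;
			}
			const char *importname = pe->pimg->data + hintoff + 2;
			printf (" - %s\n", importname);
			if (!strcasecmp (importname, "malloc"))
			{
				fprintf (stderr, "malloc imported from math dll!\n");
				ret = 1;
				goto done;
			}
		}
	}

done:
	peimg_free (pe);
	return ret;
}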
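#!/usr/bin/env python
"""Check whether a PE image imports malloc from the UCRT math API-set DLL.

Usage: checkmathmalloc.py <pe-image>

Exit status: 1 if api-ms-win-crt-math-l1-1-0.dll exports malloc into the
image, 0 if not, 2 on usage error or when the file is not a parseable PE
image. Only the import directory is parsed (fast_load), so the check does
not depend on the rest of the image being well-formed.
"""
from __future__ import print_function
import pefile
import sys

TARGET_DLL = b"api-ms-win-crt-math-l1-1-0.dll"
TARGET_IMPORT = b"malloc"

if len(sys.argv) < 2:
    print("usage: %s <pe-image>" % (sys.argv[0] if sys.argv else "checkmathmalloc.py"), file=sys.stderr)
    sys.exit(2)

# A parse failure must not exit with status 1, which callers read as
# "malloc is imported"; report it separately instead of letting the
# traceback propagate.
try:
    pe = pefile.PE(sys.argv[1], fast_load=True)
    pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']])
except pefile.PEFormatError as exc:
    print("File not found, or no PE-image: %s" % exc, file=sys.stderr)
    sys.exit(2)

# DIRECTORY_ENTRY_IMPORT is only set when the image has an import directory.
for entry in getattr(pe, 'DIRECTORY_ENTRY_IMPORT', []):
    # NOTE(review): pefile is assumed to give dll as bytes; guard None defensively.
    if (entry.dll or b"").lower() != TARGET_DLL:
        continue
    for imp in entry.imports:
        # imp.name is None for imports by ordinal; those never match.
        if imp.name == TARGET_IMPORT:
            print("malloc imported from math dll!", file=sys.stderr)
            sys.exit(1)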