@jeremyd2019
Last active August 15, 2021 05:48
tool to determine if an image imports malloc from math dll
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include "img.h"
/*
 * Raw accessors: read a 32-bit (GET_UINT) or 64-bit (GET_UQUAD) value at
 * position `off` of the loaded file image, passing along the image's
 * is_bigendian flag. Unlike PEIMG_GET_UINT from img.h, `off` is handed to
 * the fimg_* getter unchanged.
 */
#define GET_UINT(img, off) fimg_get_uint_at((img)->pimg, (off), (img)->is_bigendian)
#define GET_UQUAD(img, off) fimg_get_uquad_at((img)->pimg, (off), (img)->is_bigendian)
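enum {
    SECTION_ENTRY_SIZE = 40,   /* bytes per section table entry */
    IMPORT_DESC_SIZE = 20      /* bytes per import directory entry */
};

/*
 * Translate an RVA to a file offset by walking the section table.
 *
 * Returns 1 and stores the offset in *off when some section covers the RVA
 * and the resulting offset lies inside the loaded file; returns 0 otherwise.
 * Every value read here comes from the image being inspected, so nothing is
 * trusted until it has been compared against the file length.
 */
static int rva_to_offset(pe_image *pe, unsigned int rva, size_t *off)
{
    size_t table_end = pe->section_list + pe->section_list_sz;

    for (size_t i = pe->section_list; i < table_end; i += SECTION_ENTRY_SIZE) {
        unsigned int secsize = PEIMG_GET_UINT(pe, i + 8);
        unsigned int secrva = PEIMG_GET_UINT(pe, i + 12);

        /* subtract rather than add so a huge secsize cannot wrap around */
        if (rva >= secrva && rva - secrva < secsize) {
            unsigned int raw = PEIMG_GET_UINT(pe, i + 20);
            unsigned int delta = rva - secrva;

            if (raw >= pe->pimg->data_len || delta >= pe->pimg->data_len - raw)
                return 0;
            *off = (size_t)raw + delta;
            return 1;
        }
    }
    return 0;
}

/*
 * Return a pointer to the string starting at file offset `off`, or NULL when
 * the offset is outside the file or no NUL terminator exists before the end
 * of the file data.
 */
static const char *string_at(const pe_image *pe, size_t off)
{
    const char *s;

    if (off >= pe->pimg->data_len)
        return NULL;
    s = (const char *)pe->pimg->data + off;
    return memchr(s, '\0', pe->pimg->data_len - off) ? s : NULL;
}

/*
 * Report whether the image named by argv[1] imports malloc from
 * api-ms-win-crt-math-l1-1-0.dll.
 *
 * Exit status: 1 when such an import is found, 2 on a usage error,
 * 0 otherwise (including when the file cannot be loaded as a PE image).
 */
int main(int argc, char **argv)
{
    pe_image *pe;
    unsigned int rva, size;
    size_t dir_off, dir_end, thunk_size;
    int ret = 0;

    if (argc < 2) {
        fprintf(stderr, "usage: %s IMAGE\n", argc > 0 ? argv[0] : "prog");
        return 2;
    }

    pe = peimg_load(argv[1]);
    if (!pe) {
        fprintf(stderr, "File not found, or no PE-image\n");
        /* NOTE(review): status 0 here means "not checked", which a caller
         * cannot tell apart from "checked and clean". */
        return 0;
    }

    /* the import directory is data directory index 1, so at least 2 entries are needed */
    if (PEIMG_GET_UINT(pe, pe->optional_hdr_pos + (pe->is_64bit ? 108 : 92)) < 2)
        goto done;

    rva = PEIMG_GET_UINT(pe, pe->optional_hdr_pos + (pe->is_64bit ? 120 : 104));
    size = PEIMG_GET_UINT(pe, pe->optional_hdr_pos + (pe->is_64bit ? 124 : 108));
    if (!rva || !size)
        goto done;   /* no import directory */

    /* potential bug in genpeimg - section table entries are 40 bytes, not 36 */
    pe->section_list_sz = pe->pe_filehdr.numsecs * SECTION_ENTRY_SIZE;

    if (!rva_to_offset(pe, rva, &dir_off)) {
        fprintf(stderr, "import directory is not inside any section\n");
        goto done;
    }

    /* clamp the directory to the file so a bogus size cannot walk past the data */
    dir_end = pe->pimg->data_len;
    if (size < dir_end - dir_off)
        dir_end = dir_off + size;
    thunk_size = pe->is_64bit ? 8 : 4;

    for (size_t i = dir_off; dir_end - i >= IMPORT_DESC_SIZE; i += IMPORT_DESC_SIZE) {
        unsigned int iltrva = GET_UINT(pe, i),
                     dtstamp = GET_UINT(pe, i + 4),
                     forwarder = GET_UINT(pe, i + 8),
                     namerva = GET_UINT(pe, i + 12),
                     iatrva = GET_UINT(pe, i + 16);
        size_t off;
        const char *dllname;

        /* an all-zero descriptor terminates the directory */
        if (!iltrva && !dtstamp && !forwarder && !namerva && !iatrva)
            break;

        /* resolve each RVA through the section table: the name and the lookup
         * table are not guaranteed to share a section with the directory */
        dllname = rva_to_offset(pe, namerva, &off) ? string_at(pe, off) : NULL;
        if (!dllname) {
            fprintf(stderr, "import descriptor with a name outside the file, skipped\n");
            continue;
        }
        /* the name is taken from the image and printed verbatim */
        printf("%s\n", dllname);

        if (strcasecmp(dllname, "api-ms-win-crt-math-l1-1-0.dll") != 0 || !iltrva)
            continue;
        if (!rva_to_offset(pe, iltrva, &off))
            continue;

        for (size_t j = off; pe->pimg->data_len - j >= thunk_size; j += thunk_size) {
            unsigned long long entry = (pe->is_64bit ? GET_UQUAD(pe, j) : GET_UINT(pe, j));
            size_t name_off;
            const char *importname;

            if (!entry)
                break;      /* zero entry terminates the lookup table */
            if (entry & (1ULL << (pe->is_64bit ? 63 : 31)))
                continue;   /* import by ordinal: there is no name to compare */

            /* low 31 bits hold the hint/name RVA; +2 skips the 16-bit hint */
            if (!rva_to_offset(pe, (unsigned int)(entry & 0x7FFFFFFF), &name_off))
                continue;
            importname = string_at(pe, name_off + 2);
            if (!importname)
                continue;

            printf(" - %s\n", importname);
            if (!strcasecmp(importname, "malloc")) {
                fprintf(stderr, "malloc imported from math dll!\n");
                ret = 1;
                goto done;
            }
        }
    }

done:
    peimg_free(pe);
    return ret;
}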
#!/usr/bin/env python
from __future__ import print_function
import pefile
import sys
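# Exit status: 1 when the image imports malloc from
# api-ms-win-crt-math-l1-1-0.dll, 2 on a usage error, 0 otherwise.
if len(sys.argv) < 2:
    print("usage: %s IMAGE" % sys.argv[0], file=sys.stderr)
    sys.exit(2)

# NOTE(review): pefile.PE raises on a file it cannot parse; the uncaught
# traceback also ends the process with status 1, the same status used for a
# positive finding, so callers cannot tell the two apart.
pe = pefile.PE(sys.argv[1], fast_load=True)
# fast_load skips the data directories; parse only the import directory.
pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']])

# pefile sets DIRECTORY_ENTRY_IMPORT only when the image has an import table,
# so an image without imports must not raise AttributeError here.
for entry in getattr(pe, 'DIRECTORY_ENTRY_IMPORT', []):
    if entry.dll.lower() == b"api-ms-win-crt-math-l1-1-0.dll":
        for imp in entry.imports:
            # imp.name is None for imports by ordinal, which never match
            if imp.name == b"malloc":
                print("malloc imported from math dll!", file=sys.stderr)
                sys.exit(1)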