#include "windows.h" | |
#include "Imagehlp.h" | |
#include "Psapi.h" | |
#include "stdio.h" | |
// Per-module summary of exploit-mitigation properties, filled in by
// getModuleExploitationProperties() (which zeroes it before populating it).
struct EXPLOITATION_PROPERTIES
{
    DWORD dwImageBaseAddress;  // derived from OptionalHeader.ImageBase
    BYTE dwMajorLinkerVersion; // OptionalHeader.MajorLinkerVersion
    DWORD dwGSCookie;          // IMAGE_LOAD_CONFIG_DIRECTORY.SecurityCookie (0 when no load config)
    DWORD dwSEHCount;          // IMAGE_LOAD_CONFIG_DIRECTORY.SEHandlerCount (0 when no load config)
    DWORD dwAuthenticodeRva;   // VirtualAddress of the IMAGE_DIRECTORY_ENTRY_SECURITY entry
    BOOL bGS;                  // SecurityCookie is non-zero
    BOOL bASLR;                // DllCharacteristics has IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE
    BOOL bNoSEH;               // DllCharacteristics has IMAGE_DLLCHARACTERISTICS_NO_SEH
    BOOL bSafeSEH;             // SEHandlerCount is non-zero
    BOOL bNXCompat;            // DllCharacteristics has IMAGE_DLL_CHARACTERISTICS_NX_COMPAT
    BOOL bAuthenticode;        // security data directory has non-zero Size and VirtualAddress
};
// Populates *lpExploitProperties from the module image at lpModuleImage
// (dwLen bytes long). Returns TRUE when the PE headers could be parsed.
BOOL getModuleExploitationProperties(EXPLOITATION_PROPERTIES* lpExploitProperties, CHAR* lpModuleImage, SIZE_T dwLen);
// DllCharacteristics bits. Same values as the winnt.h IMAGE_DLLCHARACTERISTICS_*
// constants; note the extra underscore in these local names, so they do not
// collide with (or redefine) the SDK macros.
#define IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE 0x40
#define IMAGE_DLL_CHARACTERISTICS_NX_COMPAT 0x100
// Per-section callback for foreachSection(): receives the loaded image, a copy
// of the section header and the caller-supplied DWORD; return values are summed.
typedef DWORD (*PFNSECTIONOP) (LOADED_IMAGE, IMAGE_SECTION_HEADER, DWORD);
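// Returns the IMAGE_NT_HEADERS of the image at lpImage, or NULL when lpImage
// is NULL, the DOS or PE signature does not match, or e_lfanew is negative.
//
// No buffer length is available here, so e_lfanew is NOT checked against the
// size of the image. Callers that know the length must verify that
// e_lfanew + sizeof(IMAGE_NT_HEADERS) fits inside it before trusting the result.
PIMAGE_NT_HEADERS GetNtHeader(CHAR* lpImage)
{
    if (lpImage == NULL)
    {
        return NULL;
    }
    PIMAGE_DOS_HEADER lpDosHeader = (PIMAGE_DOS_HEADER) lpImage;
    if (lpDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        return NULL;
    }
    // e_lfanew is a LONG read from the image; a negative value would point
    // before the buffer, so treat it as malformed rather than dereferencing it.
    if (lpDosHeader->e_lfanew < 0)
    {
        return NULL;
    }
    PIMAGE_NT_HEADERS lpNtHeader = (PIMAGE_NT_HEADERS) (lpImage + lpDosHeader->e_lfanew);
    if (lpNtHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        return NULL;
    }
    return lpNtHeader;
}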
// Translates an RVA into a pointer inside the mapped image at lpImageBase.
// Plain pointer arithmetic: dwRva is not validated against the image length,
// so the caller must bounds-check it first.
CHAR* rvaToAbs(CHAR* lpImageBase, DWORD dwRva)
{
    CHAR* lpAbsolute = lpImageBase;
    lpAbsolute += dwRva;
    return lpAbsolute;
}
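// Returns a pointer to IMAGE_DATA_DIRECTORY entry ddIndex of the module at
// lpModuleImage, or NULL when the headers are invalid, ddIndex is outside the
// fixed IMAGE_NUMBEROF_DIRECTORY_ENTRIES table, or the image declares fewer
// than ddIndex + 1 entries in NumberOfRvaAndSizes.
CHAR* getDataDirectory(CHAR* lpModuleImage, DWORD ddIndex)
{
    if (ddIndex >= IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
    {
        return NULL;
    }
    PIMAGE_NT_HEADERS lpImageHeaders = GetNtHeader(lpModuleImage);
    if (lpImageHeaders == NULL)
    {
        return NULL;
    }
    // NumberOfRvaAndSizes is a count, so index N requires at least N + 1 entries;
    // entries beyond it are not part of the image and must not be trusted.
    if (ddIndex >= lpImageHeaders->OptionalHeader.NumberOfRvaAndSizes)
    {
        return NULL;
    }
    return (CHAR*) &(lpImageHeaders->OptionalHeader.DataDirectory[ddIndex]);
}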
// Invokes lpFun for every section header of lpImage whose Characteristics
// contain all bits of dwRequiredCharacteristics and whose SizeOfRawData is
// non-zero, passing dwParam through, and returns the sum of the callback
// results. Returns 0 when lpFun is NULL.
DWORD foreachSection(PFNSECTIONOP lpFun, LOADED_IMAGE lpImage, DWORD dwRequiredCharacteristics, DWORD dwParam)
{
    DWORD dwSum = 0;
    if (lpFun != NULL)
    {
        for (ULONG idx = 0; idx < lpImage.NumberOfSections; idx++)
        {
            PIMAGE_SECTION_HEADER lpHdr = &lpImage.Sections[idx];
            BOOL bMatches = ((lpHdr->Characteristics & dwRequiredCharacteristics) == dwRequiredCharacteristics);
            if (bMatches && (lpHdr->SizeOfRawData != 0))
            {
                dwSum += lpFun(lpImage, *lpHdr, dwParam);
            }
        }
    }
    return dwSum;
}
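// Returns TRUE when the DOS and NT headers of the image at lpModuleImage
// (dwLen bytes) lie entirely inside the buffer and carry valid signatures.
// Every offset here comes from the image itself, so it is checked before
// GetNtHeader() dereferences it.
static BOOL ntHeadersFitInImage(CHAR* lpModuleImage, SIZE_T dwLen)
{
    if (dwLen < sizeof(IMAGE_DOS_HEADER) || dwLen < sizeof(IMAGE_NT_HEADERS))
    {
        return FALSE;
    }
    PIMAGE_DOS_HEADER lpDosHeader = (PIMAGE_DOS_HEADER) lpModuleImage;
    if (lpDosHeader->e_magic != IMAGE_DOS_SIGNATURE || lpDosHeader->e_lfanew < 0)
    {
        return FALSE;
    }
    // Subtraction cannot underflow: dwLen >= sizeof(IMAGE_NT_HEADERS) above.
    return ((SIZE_T) lpDosHeader->e_lfanew <= dwLen - sizeof(IMAGE_NT_HEADERS)) ? TRUE : FALSE;
}

// Records the IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode) directory when the
// image declares one with non-zero Size and VirtualAddress. The value is
// stored as-is and never dereferenced: per the PE format this entry holds a
// raw file offset to the certificate table, not an RVA.
static void readAuthenticodeProperties(EXPLOITATION_PROPERTIES* lpExploitProperties, CHAR* lpModuleImage, PIMAGE_NT_HEADERS lpImageHeaders)
{
    // Entry N exists only when NumberOfRvaAndSizes > N (the old >= was off by one).
    if (lpImageHeaders->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_SECURITY)
    {
        return;
    }
    PIMAGE_DATA_DIRECTORY lpSecurity =
        (PIMAGE_DATA_DIRECTORY) getDataDirectory(lpModuleImage, IMAGE_DIRECTORY_ENTRY_SECURITY);
    if ((lpSecurity != NULL) && (lpSecurity->Size != 0) && (lpSecurity->VirtualAddress != 0))
    {
        lpExploitProperties->bAuthenticode = TRUE;
        lpExploitProperties->dwAuthenticodeRva = lpSecurity->VirtualAddress;
    }
}

// Reads SecurityCookie (GS) and SEHandlerCount (SafeSEH) from the load-config
// directory. Returns FALSE only when the image declares a load-config
// directory that does not fit inside the dwLen bytes of the buffer; when no
// directory is declared the fields stay 0 and TRUE is returned.
static BOOL readLoadConfigProperties(EXPLOITATION_PROPERTIES* lpExploitProperties, CHAR* lpModuleImage, SIZE_T dwLen, PIMAGE_NT_HEADERS lpImageHeaders)
{
    if (lpImageHeaders->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
    {
        return TRUE;
    }
    PIMAGE_DATA_DIRECTORY lpConfig =
        (PIMAGE_DATA_DIRECTORY) getDataDirectory(lpModuleImage, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG);
    if ((lpConfig == NULL) || (lpConfig->Size == 0))
    {
        return TRUE;
    }
    // The RVA is untrusted. The old check only compared it with dwLen, which
    // still let the structure extend past the end of the buffer. First make
    // sure the directory's own Size field is readable, then that the declared
    // structure lies within the buffer (written to avoid overflow).
    DWORD dwRva = lpConfig->VirtualAddress;
    if ((dwRva > dwLen) || (sizeof(DWORD) > dwLen - dwRva))
    {
        printf("Can't locate Load Config Directory\n");
        return FALSE;
    }
    PIMAGE_LOAD_CONFIG_DIRECTORY lpLoadConfigDir =
        (PIMAGE_LOAD_CONFIG_DIRECTORY) rvaToAbs(lpModuleImage, dwRva);
    DWORD cbDeclared = lpLoadConfigDir->Size;
    if (cbDeclared > dwLen - dwRva)
    {
        printf("Can't locate Load Config Directory\n");
        return FALSE;
    }
    // Only read fields the structure declares (older images have a shorter
    // load config and would otherwise yield garbage for the later fields).
    if (cbDeclared >= RTL_SIZEOF_THROUGH_FIELD(IMAGE_LOAD_CONFIG_DIRECTORY, SecurityCookie))
    {
        // GS: the cookie address is non-zero when the image was linked with a stack cookie.
        lpExploitProperties->bGS = (lpLoadConfigDir->SecurityCookie != 0) ? TRUE : FALSE;
        // Truncated to DWORD on 64-bit images; the output field is a DWORD.
        lpExploitProperties->dwGSCookie = (DWORD) lpLoadConfigDir->SecurityCookie;
    }
    if (cbDeclared >= RTL_SIZEOF_THROUGH_FIELD(IMAGE_LOAD_CONFIG_DIRECTORY, SEHandlerCount))
    {
        // SafeSEH: a registered handler table has a non-zero count.
        lpExploitProperties->bSafeSEH = (lpLoadConfigDir->SEHandlerCount != 0) ? TRUE : FALSE;
        lpExploitProperties->dwSEHCount = (DWORD) lpLoadConfigDir->SEHandlerCount;
    }
    return TRUE;
}

// Fills *lpExploitProperties from the module image at lpModuleImage (dwLen
// bytes). Returns TRUE when the headers were parsed; FALSE, with
// *lpExploitProperties zeroed, when a pointer is NULL, the headers are invalid
// or do not fit in dwLen, or a declared load-config directory lies outside
// the buffer. The image is treated as untrusted input: every offset read from
// it is checked against dwLen before being dereferenced.
//
// NOTE(review): PIMAGE_NT_HEADERS is the 32- or 64-bit layout of this build,
// so the analysed module is assumed to have the same bitness — confirm against
// OptionalHeader.Magic if mixed images are possible.
BOOL getModuleExploitationProperties(EXPLOITATION_PROPERTIES* lpExploitProperties, CHAR* lpModuleImage, SIZE_T dwLen)
{
    if (lpExploitProperties == NULL)
    {
        return FALSE;
    }
    memset(lpExploitProperties, 0, sizeof(EXPLOITATION_PROPERTIES));
    if ((lpModuleImage == NULL) || !ntHeadersFitInImage(lpModuleImage, dwLen))
    {
        return FALSE;
    }
    PIMAGE_NT_HEADERS lpImageHeaders = GetNtHeader(lpModuleImage);
    if ((lpImageHeaders == NULL) || (lpImageHeaders->FileHeader.SizeOfOptionalHeader == 0))
    {
        return FALSE;
    }
    // Base Address. TODO: Default case.
    // Stored unshifted: the previous `ImageBase << 8` discarded the top byte of
    // a 32-bit base (e.g. 0x10000000 became 0). Cast to DWORD because the
    // output field is a DWORD, which truncates 64-bit bases.
    lpExploitProperties->dwImageBaseAddress = (DWORD) lpImageHeaders->OptionalHeader.ImageBase;
    // Linker Version
    lpExploitProperties->dwMajorLinkerVersion = lpImageHeaders->OptionalHeader.MajorLinkerVersion;
    // ASLR, NX, NO_SEH come straight from DllCharacteristics
    WORD wDllCharacteristics = lpImageHeaders->OptionalHeader.DllCharacteristics;
    lpExploitProperties->bASLR = ((wDllCharacteristics & IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE) ? TRUE : FALSE);
    lpExploitProperties->bNXCompat = ((wDllCharacteristics & IMAGE_DLL_CHARACTERISTICS_NX_COMPAT) ? TRUE : FALSE);
    lpExploitProperties->bNoSEH = ((wDllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_SEH) ? TRUE : FALSE);
    readAuthenticodeProperties(lpExploitProperties, lpModuleImage, lpImageHeaders);
    return readLoadConfigProperties(lpExploitProperties, lpModuleImage, dwLen, lpImageHeaders);
}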