author | Toni Uhlig <matzeton@googlemail.com> | 2019-03-28 14:13:30 +0100 |
committer | Toni Uhlig <matzeton@googlemail.com> | 2019-03-28 14:13:30 +0100 |
commit | 487e95bfd9db3fb9e4410bf1adfbae5588ff7f0e (patch) | |
tree | 8fef60f82e0c859629c41165867a65f9d8851264 /PastDSEDriver/PE.h |
initial commit
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'PastDSEDriver/PE.h')
-rw-r--r-- | PastDSEDriver/PE.h | 293 |
1 files changed, 293 insertions, 0 deletions
diff --git a/PastDSEDriver/PE.h b/PastDSEDriver/PE.h
new file mode 100644
index 0000000..d7dec91
--- /dev/null
+++ b/PastDSEDriver/PE.h
@@ -0,0 +1,293 @@
+/******************************************************
+* FILENAME:
+* PE.h
+*
+* DESCRIPTION:
+* Driver utility functions.
+*
+* Copyright Toni Uhlig 2019. All rights reserved.
+*
+* AUTHOR:
+* DarthTon
+* Toni Uhlig START DATE : 27 Mar 19
+*/
+
+#pragma once
+
+#include <ntddk.h>
+
+
+#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
+#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
+
+#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
+#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
+
+#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
+#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
+#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
+#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
+#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
+#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
+#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
+#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
+#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
+#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
+#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
+#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
+#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
+#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
+#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
+
+#define IMAGE_REL_BASED_ABSOLUTE 0
+#define IMAGE_REL_BASED_HIGH 1
+#define IMAGE_REL_BASED_LOW 2
+#define IMAGE_REL_BASED_HIGHLOW 3
+#define IMAGE_REL_BASED_HIGHADJ 4
+#define IMAGE_REL_BASED_MIPS_JMPADDR 5
+#define IMAGE_REL_BASED_SECTION 6
+#define IMAGE_REL_BASED_REL32 7
+#define IMAGE_REL_BASED_MIPS_JMPADDR16 9
+#define IMAGE_REL_BASED_IA64_IMM64 9
+#define IMAGE_REL_BASED_DIR64 10
+
+#define IMAGE_SIZEOF_BASE_RELOCATION 8
+
+
+#define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // Relocation info stripped from file.
+#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved external references).
+#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line nunbers stripped from file.
+#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.
+#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Aggressively trim working set
+#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses
+#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.
+#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.
+#define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file
+#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file.
+#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file.
+#define IMAGE_FILE_SYSTEM 0x1000 // System File.
+#define IMAGE_FILE_DLL 0x2000 // File is a DLL.
+#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine
+#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.
+
+#define IMAGE_FILE_MACHINE_UNKNOWN 0
+#define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386.
+#define IMAGE_FILE_MACHINE_R3000 0x0162 // MIPS little-endian, 0x160 big-endian
+#define IMAGE_FILE_MACHINE_R4000 0x0166 // MIPS little-endian
+#define IMAGE_FILE_MACHINE_R10000 0x0168 // MIPS little-endian
+#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 // MIPS little-endian WCE v2
+#define IMAGE_FILE_MACHINE_ALPHA 0x0184 // Alpha_AXP
+#define IMAGE_FILE_MACHINE_SH3 0x01a2 // SH3 little-endian
+#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
+#define IMAGE_FILE_MACHINE_SH3E 0x01a4 // SH3E little-endian
+#define IMAGE_FILE_MACHINE_SH4 0x01a6 // SH4 little-endian
+#define IMAGE_FILE_MACHINE_SH5 0x01a8 // SH5
+#define IMAGE_FILE_MACHINE_ARM 0x01c0 // ARM Little-Endian
+#define IMAGE_FILE_MACHINE_THUMB 0x01c2 // ARM Thumb/Thumb-2 Little-Endian
+#define IMAGE_FILE_MACHINE_ARMNT 0x01c4 // ARM Thumb-2 Little-Endian
+#define IMAGE_FILE_MACHINE_AM33 0x01d3
+#define IMAGE_FILE_MACHINE_POWERPC 0x01F0 // IBM PowerPC Little-Endian
+#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
+#define IMAGE_FILE_MACHINE_IA64 0x0200 // Intel 64
+#define IMAGE_FILE_MACHINE_MIPS16 0x0266 // MIPS
+#define IMAGE_FILE_MACHINE_ALPHA64 0x0284 // ALPHA64
+#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366 // MIPS
+#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466 // MIPS
+#define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64
+#define IMAGE_FILE_MACHINE_TRICORE 0x0520 // Infineon
+#define IMAGE_FILE_MACHINE_CEF 0x0CEF
+#define IMAGE_FILE_MACHINE_EBC 0x0EBC // EFI Byte Code
+#define IMAGE_FILE_MACHINE_AMD64 0x8664 // AMD64 (K8)
+#define IMAGE_FILE_MACHINE_M32R 0x9041 // M32R little-endian
+#define IMAGE_FILE_MACHINE_CEE 0xC0EE
+
+#define IMAGE_ORDINAL_FLAG64 0x8000000000000000
+
+#define CFG_DIR_VAL_T(hdr, dir, val) ((PIMAGE_LOAD_CONFIG_DIRECTORY64)dir)->val
+#define THUNK_VAL_T(hdr, ptr, val) ((PIMAGE_THUNK_DATA64)ptr)->val
+
+typedef struct _IMAGE_DOS_HEADER
+{
+ USHORT e_magic;
+ USHORT e_cblp;
+ USHORT e_cp;
+ USHORT e_crlc;
+ USHORT e_cparhdr;
+ USHORT e_minalloc;
+ USHORT e_maxalloc;
+ USHORT e_ss;
+ USHORT e_sp;
+ USHORT e_csum;
+ USHORT e_ip;
+ USHORT e_cs;
+ USHORT e_lfarlc;
+ USHORT e_ovno;
+ USHORT e_res[4];
+ USHORT e_oemid;
+ USHORT e_oeminfo;
+ USHORT e_res2[10];
+ LONG e_lfanew;
+} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
+
+typedef struct _IMAGE_SECTION_HEADER
+{
+ UCHAR Name[8];
+ union
+ {
+ ULONG PhysicalAddress;
+ ULONG VirtualSize;
+ } Misc;
+ ULONG VirtualAddress;
+ ULONG SizeOfRawData;
+ ULONG PointerToRawData;
+ ULONG PointerToRelocations;
+ ULONG PointerToLinenumbers;
+ USHORT NumberOfRelocations;
+ USHORT NumberOfLinenumbers;
+ ULONG Characteristics;
+} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
+
+typedef struct _IMAGE_FILE_HEADER // Size=20
+{
+ USHORT Machine;
+ USHORT NumberOfSections;
+ ULONG TimeDateStamp;
+ ULONG PointerToSymbolTable;
+ ULONG NumberOfSymbols;
+ USHORT SizeOfOptionalHeader;
+ USHORT Characteristics;
+} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
+
+typedef struct _IMAGE_DATA_DIRECTORY
+{
+ ULONG VirtualAddress;
+ ULONG Size;
+} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
+
+typedef struct _IMAGE_OPTIONAL_HEADER64
+{
+ USHORT Magic;
+ UCHAR MajorLinkerVersion;
+ UCHAR MinorLinkerVersion;
+ ULONG SizeOfCode;
+ ULONG SizeOfInitializedData;
+ ULONG SizeOfUninitializedData;
+ ULONG AddressOfEntryPoint;
+ ULONG BaseOfCode;
+ ULONGLONG ImageBase;
+ ULONG SectionAlignment;
+ ULONG FileAlignment;
+ USHORT MajorOperatingSystemVersion;
+ USHORT MinorOperatingSystemVersion;
+ USHORT MajorImageVersion;
+ USHORT MinorImageVersion;
+ USHORT MajorSubsystemVersion;
+ USHORT MinorSubsystemVersion;
+ ULONG Win32VersionValue;
+ ULONG SizeOfImage;
+ ULONG SizeOfHeaders;
+ ULONG CheckSum;
+ USHORT Subsystem;
+ USHORT DllCharacteristics;
+ ULONGLONG SizeOfStackReserve;
+ ULONGLONG SizeOfStackCommit;
+ ULONGLONG SizeOfHeapReserve;
+ ULONGLONG SizeOfHeapCommit;
+ ULONG LoaderFlags;
+ ULONG NumberOfRvaAndSizes;
+ struct _IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
+} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
+
+typedef struct _IMAGE_NT_HEADERS64
+{
+ ULONG Signature;
+ struct _IMAGE_FILE_HEADER FileHeader;
+ struct _IMAGE_OPTIONAL_HEADER64 OptionalHeader;
+} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
+
+typedef struct _IMAGE_EXPORT_DIRECTORY {
+ ULONG Characteristics;
+ ULONG TimeDateStamp;
+ USHORT MajorVersion;
+ USHORT MinorVersion;
+ ULONG Name;
+ ULONG Base;
+ ULONG NumberOfFunctions;
+ ULONG NumberOfNames;
+ ULONG AddressOfFunctions; // RVA from base of image
+ ULONG AddressOfNames; // RVA from base of image
+ ULONG AddressOfNameOrdinals; // RVA from base of image
+} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
+
+typedef struct _IMAGE_BASE_RELOCATION {
+ ULONG VirtualAddress;
+ ULONG SizeOfBlock;
+} IMAGE_BASE_RELOCATION;
+typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION;
+
+typedef struct _IMAGE_IMPORT_BY_NAME {
+ USHORT Hint;
+ CHAR Name[1];
+} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
+
+
+// warning C4201: nonstandard extension used : nameless struct/union
+#pragma warning (disable : 4201)
+
+typedef struct _IMAGE_IMPORT_DESCRIPTOR
+{
+ union {
+ ULONG Characteristics; // 0 for terminating null import descriptor
+ ULONG OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
+ };
+ ULONG TimeDateStamp; // 0 if not bound,
+ // -1 if bound, and real date\time stamp
+ // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
+ // O.W. date/time stamp of DLL bound to (Old BIND)
+
+ ULONG ForwarderChain; // -1 if no forwarders
+ ULONG Name;
+ ULONG FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
+} IMAGE_IMPORT_DESCRIPTOR;
+typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;
+
+
+typedef struct _IMAGE_THUNK_DATA64
+{
+ union
+ {
+ ULONGLONG ForwarderString; // PBYTE
+ ULONGLONG Function; // PULONG
+ ULONGLONG Ordinal;
+ ULONGLONG AddressOfData; // PIMAGE_IMPORT_BY_NAME
+ } u1;
+} IMAGE_THUNK_DATA64;
+typedef IMAGE_THUNK_DATA64 * PIMAGE_THUNK_DATA64;
+
+typedef struct _IMAGE_LOAD_CONFIG_DIRECTORY64 {
+ ULONG Size;
+ ULONG TimeDateStamp;
+ USHORT MajorVersion;
+ USHORT MinorVersion;
+ ULONG GlobalFlagsClear;
+ ULONG GlobalFlagsSet;
+ ULONG CriticalSectionDefaultTimeout;
+ ULONGLONG DeCommitFreeBlockThreshold;
+ ULONGLONG DeCommitTotalFreeThreshold;
+ ULONGLONG LockPrefixTable; // VA
+ ULONGLONG MaximumAllocationSize;
+ ULONGLONG VirtualMemoryThreshold;
+ ULONGLONG ProcessAffinityMask;
+ ULONG ProcessHeapFlags;
+ USHORT CSDVersion;
+ USHORT Reserved1;
+ ULONGLONG EditList; // VA
+ ULONGLONG SecurityCookie; // VA
+ ULONGLONG SEHandlerTable; // VA
+ ULONGLONG SEHandlerCount;
+ ULONGLONG GuardCFCheckFunctionPointer; // VA
+ ULONGLONG Reserved2;
+ ULONGLONG GuardCFFunctionTable; // VA
+ ULONGLONG GuardCFFunctionCount;
+ ULONG GuardFlags;
+} IMAGE_LOAD_CONFIG_DIRECTORY64, *PIMAGE_LOAD_CONFIG_DIRECTORY64;
\ No newline at end of file |
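Review bot: `CFG_DIR_VAL_T` and `THUNK_VAL_T` cast their `dir`/`ptr` argument without parenthesising it, so an argument expression such as `base + rva` is cast before the addition and the resulting pointer is wrong; write them as `#define CFG_DIR_VAL_T(hdr, dir, val) (((PIMAGE_LOAD_CONFIG_DIRECTORY64)(dir))->val)` and `#define THUNK_VAL_T(hdr, ptr, val) (((PIMAGE_THUNK_DATA64)(ptr))->val)`, and the unused `hdr` parameter (presumably a leftover from a 32/64-bit selector) deserves either a comment or removal. `#pragma warning (disable : 4201)` is not bracketed by `#pragma warning(push)` / `#pragma warning(pop)`, so the suppression leaks into every translation unit that includes this `#pragma once` header. Because these fields are the bounds an image walker ends up trusting, a comment on `NumberOfRvaAndSizes` (`// check against IMAGE_NUMBEROF_DIRECTORY_ENTRIES before indexing DataDirectory`), on `IMAGE_BASE_RELOCATION.SizeOfBlock` (`// includes this 8-byte header; reject blocks smaller than IMAGE_SIZEOF_BASE_RELOCATION`) and on `IMAGE_IMPORT_BY_NAME.Name[1]` (`// variable-length, NUL-terminated; the declared size is not a bound`) would make those parsing contracts explicit for callers. The type and macro names mirror the WDK's ntimage.h, so if that header is ever pulled into the same translation unit the typedefs will collide; a guard or a project-specific prefix may be worth considering.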