path: root/source/tests/test_pe.c
#include "tests.h"

#include "utils.h"
#include "file.h"
#include "pe_infect.h"
#include "patch.h"
#include "xor_strings.h"


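/**
 * Self-test for the project's PE parsing and patching helpers.
 *
 * The test has three parts:
 *   1. Parse `filename` and require that the parser reports a valid image
 *      that is NOT flagged by bIsInfected(), that the usual sections
 *      (.text, .data, .rdata, .idata, .CRT) are found, and that the
 *      project-specific sections LDRSECTION / DLLSECTION are absent.
 *   2. Check the byte sequence written by patchRelJMP().
 *   3. If `loader_base.exe` exists in the same directory as `filename`,
 *      parse it and require that the parser DOES flag it (hasDLL, hasLdr,
 *      bIsInfected(), end marker, loader structure fields). These are the
 *      properties this code base itself uses to recognise a modified image.
 *
 * @param filename  Path to the PE file used for part 1. It is passed to
 *                  dirname(), which is allowed to modify its argument, so
 *                  the caller must not rely on the string being unchanged.
 * @return TRUE when the end of the test is reached; FALSE if the loader
 *         path cannot be built. The ERRETCP / ERRETCPDW macros are defined
 *         outside this file; presumably they report and return early on a
 *         failed condition (confirm in tests.h).
 *
 * NOTE(review): if ERRETCP returns early, `buf`, `hFile` and `loader_file`
 * are not released on that path. That cannot be fixed here without knowing
 * the macro's definition.
 */
BOOL test_pe(char* filename)
{
    HANDLE hFile;
    BYTE* buf;
    SIZE_T szBuf;
    struct ParsedPE ppe;

    /* Part 1: unmodified reference image. */
    memset(&ppe, '\0', sizeof(struct ParsedPE));
    ERRETCP( bOpenFile(filename, 0, &hFile) == TRUE );
    ERRETCP( bFileToBuf(hFile, &buf, &szBuf) == TRUE );
    ERRETCP( bParsePE(buf, szBuf, &ppe, FALSE) == TRUE );
    ERRETCP( ppe.valid == TRUE );
    ERRETCP( bIsInfected(&ppe) == FALSE );
    ERRETCP( pGetSegmentAdr(".text", TRUE, &ppe, NULL) != NULL );
    ERRETCP( pGetSegmentAdr(".data", TRUE, &ppe, NULL) != NULL );
    ERRETCP( pGetSegmentAdr(".rdata", TRUE, &ppe, NULL) != NULL );
    ERRETCP( pGetSegmentAdr(".idata", TRUE, &ppe, NULL) != NULL );
    ERRETCP( pGetSegmentAdr(".CRT", TRUE, &ppe, NULL) != NULL );
    /* The project-specific sections must not exist in a clean image. */
    ERRETCP( pGetSegmentAdr(LDRSECTION, TRUE, &ppe, NULL) == NULL );
    ERRETCP( pGetSegmentAdr(DLLSECTION, TRUE, &ppe, NULL) == NULL );
    /* Address conversion sanity checks; (DWORD)-1 is treated as failure. */
    ERRETCP( PtrToRva(&ppe, pGetSegmentAdr(".text", TRUE, &ppe, NULL)) != (DWORD)-1 );
    /* NOTE(review): comparing against ImageBase suggests PtrToRva yields an
     * absolute address rather than a base-relative one - confirm. */
    ERRETCP( PtrToRva(&ppe, pGetSegmentAdr(".text", TRUE, &ppe, NULL)) > (DWORD)ppe.hdrOptional->ImageBase );
    /* .text is expected to be placed before .data. */
    ERRETCP( OffsetToRva(&ppe, PtrToOffset(&ppe, pGetSegmentAdr(".text", TRUE, &ppe, NULL))) <
                 OffsetToRva(&ppe, PtrToOffset(&ppe, pGetSegmentAdr(".data", TRUE, &ppe, NULL))) );

    free(buf);
    CloseHandle(hFile);

    /* Part 2: 0xE9 followed by the 32-bit operand in little-endian order.
     * The bytes are raw data, not a C string, so compare with memcmp(). */
    BYTE jmp[5];
    static const BYTE expectedJmp[5] = { 0xE9, 0x11, 0x22, 0x33, 0x44 };
    patchRelJMP(jmp, 0x44332211);
    ERRETCP( memcmp(jmp, expectedJmp, sizeof jmp) == 0 );

    /* Part 3: optional check against loader_base.exe next to `filename`. */
    char* test_dir = dirname(filename);
    char* loader_file = NULL;
    /* asprintf() leaves the output pointer unspecified on failure, so the
     * result must be checked before the pointer is used or freed. */
    if (asprintf(&loader_file, "%s\\loader_base.exe", test_dir) < 0) {
        ERRPRINT_STDERR("Could not build loader path in: %s\n", test_dir);
        return FALSE;
    }
    if (bOpenFile(loader_file, 0, &hFile) == TRUE) {
        ERRETCP( bFileToBuf(hFile, &buf, &szBuf) == TRUE );
        ERRETCP( bParsePE(buf, szBuf, &ppe, FALSE) == TRUE );
        ERRETCP( ppe.valid == TRUE );
        ERRETCP( ppe.hasDLL == TRUE );
        ERRETCP( ppe.hasLdr == TRUE );
        ERRETCP( bIsInfected(&ppe) == TRUE );
        ERRETCP( ppe.ptrToDLL != NULL );
        ERRETCP( ppe.ptrToLdr != NULL );
        ERRETCP( bCheckEndMarker(&ppe) == TRUE );
        ERRETCP( ppe.loader86 != NULL );
        ERRETCP( ppe.loader86->ptrToDLL != 0 );
        ERRETCP( ppe.loader86->sizOfDLL != 0 );
        /* Both embedded strings must be NUL-terminated at their last element.
         * NOTE(review): the length is derived from strVirtualAlloc only and
         * reused for strIsBadReadPtr; this assumes both arrays have the
         * same size - confirm against the loader struct definition. */
        size_t ldrstrsiz = sizeof(ppe.loader86->strVirtualAlloc)/sizeof(ppe.loader86->strVirtualAlloc[0]);
        ERRETCP( ppe.loader86->strVirtualAlloc[ldrstrsiz-1] == '\0' );
        ERRETCP( ppe.loader86->strIsBadReadPtr[ldrstrsiz-1] == '\0' );
        DWORD dwImpLibs = dwCountNonSystemImportLibs(&ppe);
        ERRETCPDW( dwImpLibs == 0, dwImpLibs );

        /* Release the second buffer and handle; the original leaked both. */
        free(buf);
        CloseHandle(hFile);
    } else {
        ERRPRINT_STDERR("Could not OpenFile: %s\n", loader_file);
    }
    free(loader_file);
    return TRUE;
}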