virtualx-engine/tools/pe_bliss/pe_tls.cpp

376 lines
13 KiB
C++
Raw Normal View History

#include <string.h>
#include "pe_tls.h"
#include "pe_properties_generic.h"
namespace pe_bliss
{
using namespace pe_win;
//TLS
//Default constructor
tls_info::tls_info()
:start_rva_(0), end_rva_(0), index_rva_(0), callbacks_rva_(0),
size_of_zero_fill_(0), characteristics_(0)
{}
//Returns start RVA of TLS raw data
uint32_t tls_info::get_raw_data_start_rva() const
{
return start_rva_;
}
//Returns end RVA of TLS raw data
uint32_t tls_info::get_raw_data_end_rva() const
{
return end_rva_;
}
//Returns TLS index RVA
uint32_t tls_info::get_index_rva() const
{
return index_rva_;
}
//Returns TLS callbacks RVA
uint32_t tls_info::get_callbacks_rva() const
{
return callbacks_rva_;
}
//Returns size of zero fill
uint32_t tls_info::get_size_of_zero_fill() const
{
return size_of_zero_fill_;
}
//Returns characteristics
uint32_t tls_info::get_characteristics() const
{
return characteristics_;
}
//Returns raw TLS data
const std::string& tls_info::get_raw_data() const
{
return raw_data_;
}
//Returns TLS callbacks addresses
const tls_info::tls_callback_list& tls_info::get_tls_callbacks() const
{
return callbacks_;
}
//Returns TLS callbacks addresses
tls_info::tls_callback_list& tls_info::get_tls_callbacks()
{
return callbacks_;
}
//Adds TLS callback
void tls_info::add_tls_callback(uint32_t rva)
{
callbacks_.push_back(rva);
}
//Clears TLS callbacks list
void tls_info::clear_tls_callbacks()
{
callbacks_.clear();
}
//Recalculates end address of raw TLS data
void tls_info::recalc_raw_data_end_rva()
{
end_rva_ = static_cast<uint32_t>(start_rva_ + raw_data_.length());
}
//Sets start RVA of TLS raw data
void tls_info::set_raw_data_start_rva(uint32_t rva)
{
start_rva_ = rva;
}
//Sets end RVA of TLS raw data
void tls_info::set_raw_data_end_rva(uint32_t rva)
{
end_rva_ = rva;
}
//Sets TLS index RVA
void tls_info::set_index_rva(uint32_t rva)
{
index_rva_ = rva;
}
//Sets TLS callbacks RVA
void tls_info::set_callbacks_rva(uint32_t rva)
{
callbacks_rva_ = rva;
}
//Sets size of zero fill
void tls_info::set_size_of_zero_fill(uint32_t size)
{
size_of_zero_fill_ = size;
}
//Sets characteristics
void tls_info::set_characteristics(uint32_t characteristics)
{
characteristics_ = characteristics;
}
//Sets raw TLS data
void tls_info::set_raw_data(const std::string& data)
{
raw_data_ = data;
}
//If image does not have TLS, throws an exception
const tls_info get_tls_info(const pe_base& pe)
{
return pe.get_pe_type() == pe_type_32
? get_tls_info_base<pe_types_class_32>(pe)
: get_tls_info_base<pe_types_class_64>(pe);
}
//TLS Rebuilder
const image_directory rebuild_tls(pe_base& pe, const tls_info& info, section& tls_section, uint32_t offset_from_section_start, bool write_tls_callbacks, bool write_tls_data, tls_data_expand_type expand, bool save_to_pe_header, bool auto_strip_last_section)
{
return pe.get_pe_type() == pe_type_32
? rebuild_tls_base<pe_types_class_32>(pe, info, tls_section, offset_from_section_start, write_tls_callbacks, write_tls_data, expand, save_to_pe_header, auto_strip_last_section)
: rebuild_tls_base<pe_types_class_64>(pe, info, tls_section, offset_from_section_start, write_tls_callbacks, write_tls_data, expand, save_to_pe_header, auto_strip_last_section);
}
//Get TLS info
//If image does not have TLS, throws an exception
template<typename PEClassType>
const tls_info get_tls_info_base(const pe_base& pe)
{
tls_info ret;
//If there's no TLS directory, throw an exception
if(!pe.has_tls())
throw pe_exception("Image does not have TLS directory", pe_exception::directory_does_not_exist);
//Get TLS directory data
typename PEClassType::TLSStruct tls_directory_data = pe.section_data_from_rva<typename PEClassType::TLSStruct>(pe.get_directory_rva(image_directory_entry_tls), section_data_virtual, true);
//Check data addresses
if(tls_directory_data.EndAddressOfRawData == tls_directory_data.StartAddressOfRawData)
{
try
{
pe.va_to_rva(static_cast<typename PEClassType::BaseSize>(tls_directory_data.EndAddressOfRawData));
}
catch(const pe_exception&)
{
//Fix addressess on incorrect conversion
tls_directory_data.EndAddressOfRawData = tls_directory_data.StartAddressOfRawData = 0;
}
}
if(tls_directory_data.StartAddressOfRawData &&
pe.section_data_length_from_va(static_cast<typename PEClassType::BaseSize>(tls_directory_data.StartAddressOfRawData),
static_cast<typename PEClassType::BaseSize>(tls_directory_data.StartAddressOfRawData), section_data_virtual, true)
< (tls_directory_data.EndAddressOfRawData - tls_directory_data.StartAddressOfRawData))
throw pe_exception("Incorrect TLS directory", pe_exception::incorrect_tls_directory);
//Fill TLS info
//VAs are not checked
ret.set_raw_data_start_rva(tls_directory_data.StartAddressOfRawData ? pe.va_to_rva(static_cast<typename PEClassType::BaseSize>(tls_directory_data.StartAddressOfRawData)) : 0);
ret.set_raw_data_end_rva(tls_directory_data.EndAddressOfRawData ? pe.va_to_rva(static_cast<typename PEClassType::BaseSize>(tls_directory_data.EndAddressOfRawData)) : 0);
ret.set_index_rva(tls_directory_data.AddressOfIndex ? pe.va_to_rva(static_cast<typename PEClassType::BaseSize>(tls_directory_data.AddressOfIndex)) : 0);
ret.set_callbacks_rva(tls_directory_data.AddressOfCallBacks ? pe.va_to_rva(static_cast<typename PEClassType::BaseSize>(tls_directory_data.AddressOfCallBacks)) : 0);
ret.set_size_of_zero_fill(tls_directory_data.SizeOfZeroFill);
ret.set_characteristics(tls_directory_data.Characteristics);
if(tls_directory_data.StartAddressOfRawData && tls_directory_data.StartAddressOfRawData != tls_directory_data.EndAddressOfRawData)
{
//Read and save TLS RAW data
ret.set_raw_data(std::string(
pe.section_data_from_va(static_cast<typename PEClassType::BaseSize>(tls_directory_data.StartAddressOfRawData), section_data_virtual, true),
static_cast<uint32_t>(tls_directory_data.EndAddressOfRawData - tls_directory_data.StartAddressOfRawData)));
}
//If file has TLS callbacks
if(ret.get_callbacks_rva())
{
//Read callbacks VAs
uint32_t current_tls_callback = 0;
while(true)
{
//Read TLS callback VA
typename PEClassType::BaseSize va = pe.section_data_from_va<typename PEClassType::BaseSize>(static_cast<typename PEClassType::BaseSize>(tls_directory_data.AddressOfCallBacks + current_tls_callback), section_data_virtual, true);
if(va == 0)
break;
//Save it
ret.add_tls_callback(pe.va_to_rva(va, false));
//Move to next callback VA
current_tls_callback += sizeof(va);
}
}
return ret;
}
//Rebuilder of TLS structures
//If write_tls_callbacks = true, TLS callbacks VAs will be written to their place
//If write_tls_data = true, TLS data will be written to its place
//If you have chosen to rewrite raw data, only (EndAddressOfRawData - StartAddressOfRawData) bytes will be written, not the full length of string
//representing raw data content
//auto_strip_last_section - if true and TLS are placed in the last section, it will be automatically stripped
//Note/TODO: TLS Callbacks array is not DWORD-aligned (seems to work on WinXP - Win7)
template<typename PEClassType>
const image_directory rebuild_tls_base(pe_base& pe, const tls_info& info, section& tls_section, uint32_t offset_from_section_start, bool write_tls_callbacks, bool write_tls_data, tls_data_expand_type expand, bool save_to_pe_header, bool auto_strip_last_section)
{
//Check that tls_section is attached to this PE image
if(!pe.section_attached(tls_section))
throw pe_exception("TLS section must be attached to PE file", pe_exception::section_is_not_attached);
uint32_t tls_data_pos = pe_utils::align_up(offset_from_section_start, sizeof(typename PEClassType::BaseSize));
uint32_t needed_size = sizeof(typename PEClassType::TLSStruct); //Calculate needed size for TLS table
//Check if tls_section is last one. If it's not, check if there's enough place for TLS data
if(&tls_section != &*(pe.get_image_sections().end() - 1) &&
(tls_section.empty() || pe_utils::align_up(tls_section.get_size_of_raw_data(), pe.get_file_alignment()) < needed_size + tls_data_pos))
throw pe_exception("Insufficient space for TLS directory", pe_exception::insufficient_space);
//Check raw data positions
if(info.get_raw_data_end_rva() < info.get_raw_data_start_rva() || info.get_index_rva() == 0)
throw pe_exception("Incorrect TLS directory", pe_exception::incorrect_tls_directory);
std::string& raw_data = tls_section.get_raw_data();
//This will be done only if tls_section is the last section of image or for section with unaligned raw length of data
if(raw_data.length() < needed_size + tls_data_pos)
raw_data.resize(needed_size + tls_data_pos); //Expand section raw data
//Create and fill TLS structure
typename PEClassType::TLSStruct tls_struct = {0};
typename PEClassType::BaseSize va;
if(info.get_raw_data_start_rva())
{
pe.rva_to_va(info.get_raw_data_start_rva(), va);
tls_struct.StartAddressOfRawData = va;
tls_struct.SizeOfZeroFill = info.get_size_of_zero_fill();
}
if(info.get_raw_data_end_rva())
{
pe.rva_to_va(info.get_raw_data_end_rva(), va);
tls_struct.EndAddressOfRawData = va;
}
pe.rva_to_va(info.get_index_rva(), va);
tls_struct.AddressOfIndex = va;
if(info.get_callbacks_rva())
{
pe.rva_to_va(info.get_callbacks_rva(), va);
tls_struct.AddressOfCallBacks = va;
}
tls_struct.Characteristics = info.get_characteristics();
//Save TLS structure
memcpy(&raw_data[tls_data_pos], &tls_struct, sizeof(tls_struct));
//If we are asked to rewrite TLS raw data
if(write_tls_data && info.get_raw_data_start_rva() && info.get_raw_data_start_rva() != info.get_raw_data_end_rva())
{
try
{
//Check if we're going to write TLS raw data to an existing section (not to PE headers)
section& raw_data_section = pe.section_from_rva(info.get_raw_data_start_rva());
pe.expand_section(raw_data_section, info.get_raw_data_start_rva(), info.get_raw_data_end_rva() - info.get_raw_data_start_rva(), expand == tls_data_expand_raw ? pe_base::expand_section_raw : pe_base::expand_section_virtual);
}
catch(const pe_exception&)
{
//If no section is presented by StartAddressOfRawData, just go to next step
}
unsigned long write_raw_data_size = info.get_raw_data_end_rva() - info.get_raw_data_start_rva();
unsigned long available_raw_length = 0;
//Check if there's enough RAW space to write raw TLS data...
if((available_raw_length = pe.section_data_length_from_rva(info.get_raw_data_start_rva(), info.get_raw_data_start_rva(), section_data_raw, true))
< info.get_raw_data_end_rva() - info.get_raw_data_start_rva())
{
//Check if there's enough virtual space for it...
if(pe.section_data_length_from_rva(info.get_raw_data_start_rva(), info.get_raw_data_start_rva(), section_data_virtual, true)
< info.get_raw_data_end_rva() - info.get_raw_data_start_rva())
throw pe_exception("Insufficient space for TLS raw data", pe_exception::insufficient_space);
else
write_raw_data_size = available_raw_length; //We'll write just a part of full raw data
}
//Write raw TLS data, if any
if(write_raw_data_size != 0)
memcpy(pe.section_data_from_rva(info.get_raw_data_start_rva(), true), info.get_raw_data().data(), write_raw_data_size);
}
//If we are asked to rewrite TLS callbacks addresses
if(write_tls_callbacks && info.get_callbacks_rva())
{
unsigned long needed_callback_size = static_cast<unsigned long>((info.get_tls_callbacks().size() + 1 /* last null element */) * sizeof(typename PEClassType::BaseSize));
try
{
//Check if we're going to write TLS callbacks VAs to an existing section (not to PE headers)
section& raw_data_section = pe.section_from_rva(info.get_callbacks_rva());
pe.expand_section(raw_data_section, info.get_callbacks_rva(), needed_callback_size, pe_base::expand_section_raw);
}
catch(const pe_exception&)
{
//If no section is presented by RVA of callbacks, just go to next step
}
//Check if there's enough space to write callbacks TLS data...
if(pe.section_data_length_from_rva(info.get_callbacks_rva(), info.get_callbacks_rva(), section_data_raw, true)
< needed_callback_size - sizeof(typename PEClassType::BaseSize) /* last zero element can be virtual only */)
throw pe_exception("Insufficient space for TLS callbacks data", pe_exception::insufficient_space);
if(pe.section_data_length_from_rva(info.get_callbacks_rva(), info.get_callbacks_rva(), section_data_virtual, true)
< needed_callback_size /* check here full virtual data length available */)
throw pe_exception("Insufficient space for TLS callbacks data", pe_exception::insufficient_space);
std::vector<typename PEClassType::BaseSize> callbacks_virtual_addresses;
callbacks_virtual_addresses.reserve(info.get_tls_callbacks().size() + 1 /* last null element */);
//Convert TLS RVAs to VAs
for(tls_info::tls_callback_list::const_iterator it = info.get_tls_callbacks().begin(); it != info.get_tls_callbacks().end(); ++it)
{
typename PEClassType::BaseSize cb_va = 0;
pe.rva_to_va(*it, cb_va);
callbacks_virtual_addresses.push_back(cb_va);
}
//Ending null element
callbacks_virtual_addresses.push_back(0);
//Write callbacks TLS data
memcpy(pe.section_data_from_rva(info.get_callbacks_rva(), true), &callbacks_virtual_addresses[0], needed_callback_size);
}
//Adjust section raw and virtual sizes
pe.recalculate_section_sizes(tls_section, auto_strip_last_section);
image_directory ret(pe.rva_from_section_offset(tls_section, tls_data_pos), needed_size);
//If auto-rewrite of PE headers is required
if(save_to_pe_header)
{
pe.set_directory_rva(image_directory_entry_tls, ret.get_rva());
pe.set_directory_size(image_directory_entry_tls, ret.get_size());
}
return ret;
}
}