### Setup Exception Handling
Source: https://hasherezade.github.io/libpeconv/namespacepeconv.html

Sets up exception handling for a manually loaded PE module. Requires the module pointer and size.

```cpp
bool setup_exceptions(IN BYTE *modulePtr, IN size_t moduleSize)
```

--------------------------------

### Configure Logging Verbosity
Source: https://hasherezade.github.io/libpeconv/logger_8h.html

Examples of how to configure the compile-time logging verbosity using the LOG_VERBOSITY macro. The level is fixed at compile time, so changing it means rebuilding: LOG_LEVEL_ERROR limits output to failures, LOG_LEVEL_DEBUG traces every step of the load (useful when a payload fails to run).

```c
// Errors only (default):
#define LOG_VERBOSITY LOG_LEVEL_ERROR

// Full tracing:
#define LOG_VERBOSITY LOG_LEVEL_DEBUG
```

--------------------------------

### Namespace Members - _
Source: https://hasherezade.github.io/libpeconv/namespacemembers.html

List of members starting with '_'.

```APIDOC
## _list_tls_callbacks()
Lists the Thread Local Storage (TLS) callbacks of a module.

## _RTL_INVERTED_FUNCTION_TABLE
Layout of ntdll's inverted function table: the process-wide list of loaded modules and their exception tables that the exception dispatcher consults. setup_exceptions() registers a manually loaded module in it.

## _RTL_INVERTED_FUNCTION_TABLE_ENTRY
A single entry of the inverted function table, describing one module (image base, image size and exception directory).

## _search_readable_size()
Searches for a readable size within the PE file structure.
```

--------------------------------

### Entry Point Functions
Source: https://hasherezade.github.io/libpeconv/namespacepeconv.html

Functions to get and update the entry point RVA of a PE file. Both operate on the AddressOfEntryPoint field of the Optional Header, which sits at the same offset in PE32 and PE32+, so they work on raw files and mapped images alike. Note that 0 is also the legitimate value for an image without an entry point (for example a resource-only DLL), so a 0 result is not by itself proof of a corrupt header.

```APIDOC
## get_entry_point_rva
### Description
Retrieves the Relative Virtual Address (RVA) of the entry point of a PE file.
### Signature
DWORD get_entry_point_rva(IN const BYTE *pe_buffer)
### Parameters
- **pe_buffer** (const BYTE *) - Pointer to the PE file buffer.
### Returns
- Returns the RVA of the entry point.
```

```APIDOC
## update_entry_point_rva
### Description
Updates the entry point RVA of a PE file.
### Signature
bool update_entry_point_rva(IN OUT BYTE *pe_buffer, IN DWORD ep)
### Parameters
- **pe_buffer** (BYTE *) - Pointer to the PE file buffer.
- **ep** (DWORD) - The new entry point RVA.
### Returns
- Returns true if the entry point RVA was successfully updated, false otherwise.
```

--------------------------------

### Get Load Configuration Pointer
Source: https://hasherezade.github.io/libpeconv/namespacepeconv.html

Retrieves a pointer to the IMAGE_LOAD_CONFIG_DIRECTORY structure within a PE buffer (the directory that carries, among other things, the SafeSEH handler table and the CFG metadata).

```cpp
BYTE * get_load_config_ptr(BYTE *buffer, size_t buf_size)
```

--------------------------------

### Get Image Base
Source: https://hasherezade.github.io/libpeconv/pe__hdrs__helper_8h_source.html

Fetches the preferred base address of the PE image from its Optional Header (ImageBase is a 32-bit field in PE32 and a 64-bit field in PE32+; the return type is wide enough for both).

```cpp
ULONGLONG get_image_base(IN const BYTE *pe_buffer);
```

--------------------------------

### setup_exceptions
Source: https://hasherezade.github.io/libpeconv/namespacepeconv.html

Allows activation of the Exception table from a manually loaded module.

```APIDOC
## setup_exceptions()
### Description
Allows activation of the Exception table from the manually loaded module.
For 32-bit images the loaded image should be linked with the /SAFESEH option; otherwise the exception handler cannot pass the RtlIsValidHandler() check when an exception occurs, so the handler is never invoked and the exception stays unhandled.
### Parameters
* **_modulePtr_** (IN BYTE *) - Pointer to the module.
* **_moduleSize_** (IN size_t) - The size of the module.
```

--------------------------------

### Namespace Members - a
Source: https://hasherezade.github.io/libpeconv/namespacemembers.html

List of members starting with 'a'.

```APIDOC
## ALIGNED_BUF
Type of a buffer returned by alloc_aligned() / alloc_pe_buffer() (page-aligned memory).

## alloc_aligned()
Allocates page-aligned memory of the requested size, suitable for mapping a PE image.

## alloc_pe_buffer()
Allocates a buffer sized for a PE image.

## alloc_unaligned()
Allocates ordinary (unaligned) memory, e.g. for a raw file image that is only parsed, not executed.
```

--------------------------------

### Load and Execute PE File from Path
Source: https://hasherezade.github.io/libpeconv/index.html

This snippet demonstrates the basic usage of libPEConv to load and execute a PE file directly from its path on disk. It includes steps for loading the PE, setting it in the PEB, loading delayed imports, running TLS callbacks, and finally executing the PE's entry point. The entry point is called on the current thread with the prototype of a plain `main()`, so the payload must be an EXE; a DLL would have to be invoked with the DllMain prototype instead.

```cpp
#include <windows.h>
#include <iostream>

#include <peconv.h> // include libPeConv header

int main(int argc, char *argv[])
{
    if (argc < 2) {
        std::cout << "Args: <path to the exe>" << std::endl;
        return 0;
    }
    LPCSTR pe_path = argv[1];

    // manually load the PE file using libPeConv:
    size_t v_size = 0;
#ifdef LOAD_FROM_PATH
    // if the PE is dropped on the disk, you can load it from the file:
    BYTE* my_pe = peconv::load_pe_executable(pe_path, v_size);
#else
    size_t bufsize = 0;
    BYTE *buffer = peconv::load_file(pe_path, bufsize);
    // if the file is NOT dropped on the disk, you can load it directly from a memory buffer:
    BYTE* my_pe = peconv::load_pe_executable(buffer, bufsize, v_size);
    // the raw file buffer is copied into the mapped image, so it can be released now:
    peconv::free_file(buffer);
#endif
    if (!my_pe) {
        return -1;
    }

    // if the loaded PE needs to access resources, you may need to connect it to the PEB:
    peconv::set_main_module_in_peb((HMODULE)my_pe);

    // load delayed imports (if present):
    const ULONGLONG load_base = (ULONGLONG)my_pe;
    peconv::load_delayed_imports(my_pe, load_base);

    // if needed, you can run TLS callbacks before the Entry Point:
    peconv::run_tls_callbacks(my_pe, v_size);

    // calculate the Entry Point of the manually loaded module
    DWORD ep_rva = peconv::get_entry_point_rva(my_pe);
    if (!ep_rva) {
        return -2;
    }
    ULONG_PTR ep_va = ep_rva + (ULONG_PTR) my_pe;

    // assuming that the payload is an EXE file (not DLL) this will be the simplest prototype of the main:
    int (*new_main)() = (int(*)())ep_va;

    // call the Entry Point of the manually loaded PE:
    return new_main();
}
```

--------------------------------

### Find .NET Entry Point (_CorExeMain or _CorDllMain)
Source: https://hasherezade.github.io/libpeconv/fix__dot__net__ep_8cpp_source.html

This function searches the PE import table for the mscoree functions _CorExeMain (executables) and _CorDllMain (DLLs), which every .NET image imports as its native entry point. It returns the RVA recorded for the matching import, or 0 if neither is imported. Use this to locate the starting point of a .NET executable or DLL.
```cpp
#include <peconv.h>
#include <map>
#include <string>

// ListImportNames is a peconv::ImportThunksCallback subclass defined earlier in the
// same source file (not reproduced here); it fills the map with the name of every
// imported function and the RVA recorded for it.
DWORD find_corexemain(BYTE *buf, size_t buf_size)
{
    std::map<std::string, DWORD> name_to_addr;
    ListImportNames callback(buf, buf_size, name_to_addr);
    if (!peconv::process_import_table(buf, buf_size, &callback)) {
        return 0;
    }
    // an EXE imports _CorExeMain, a DLL imports _CorDllMain: check both
    std::map<std::string, DWORD>::iterator found = name_to_addr.find("_CorExeMain");
    if (found != name_to_addr.end()) {
        return found->second;
    }
    found = name_to_addr.find("_CorDllMain");
    if (found != name_to_addr.end()) {
        return found->second;
    }
    return 0;
}
```

--------------------------------

### Namespace Members - d
Source: https://hasherezade.github.io/libpeconv/namespacemembers.html

List of members starting with 'd'.

```APIDOC
## detect_dump_mode()
Detects which dump mode fits a PE buffer (whether it is laid out as a virtual image or as a raw file).

## dump_pe()
Dumps the PE image from memory.

## dump_remote_pe()
Dumps a PE image from a remote process to a file.

## dump_to_file()
Writes a buffer to the given file.
```

--------------------------------

### peconv::setup_exceptions
Source: https://hasherezade.github.io/libpeconv/exceptions__parser_8h_source.html

Sets up exception handling for a given PE module. Without this step the system's exception dispatcher does not know about a manually loaded module, so its exception tables are never consulted and any exception raised inside it goes unhandled.

```APIDOC
## peconv::setup_exceptions
### Description
Sets up exception handling for a given PE module by registering its exception table with the system dispatcher.
### Signature
bool setup_exceptions(IN BYTE* modulePtr, IN size_t moduleSize)
### Parameters
- **modulePtr** (BYTE*) - Required - A pointer to the base address of the PE module.
- **moduleSize** (size_t) - Required - The size of the PE module in bytes.
### Returns
- **bool** - Returns true if the exceptions were set up successfully, false otherwise.
```

--------------------------------

### Namespace Members - h
Source: https://hasherezade.github.io/libpeconv/namespacemembers.html

List of members starting with 'h'.

```APIDOC
## has_relocations()
Checks if the PE file has a relocation table (a non-empty base relocation directory).

## has_valid_import_table()
Checks if the PE file has a valid import table.

## has_valid_relocation_table()
Checks if the PE file has a valid relocation table.
```

--------------------------------

### read_dll_name, read_from_file, read_remote_area, read_remote_memory, read_remote_pe, read_remote_pe_header, read_remote_region, redirect_to_local, redirect_to_local32, redirect_to_local64, relocate_module, replace_target, round_up_to_unit, run_tls_callbacks
Source: https://hasherezade.github.io/libpeconv/namespacemembers_func.html

A set of functions for reading data from files and remote processes (DLL names, memory regions, PE headers), for installing hooks (redirect_to_local*, replace_target), and for relocating modules and running TLS callbacks.

```APIDOC
## Reading, Hooking and Relocation Functions (read*, redirect*, relocate*, run*)
### Description
This set of functions provides capabilities for reading data from both local files and remote processes, for redirecting calls to local code, and for relocating modules and executing TLS callbacks.
### Functions
- **read_dll_name()**: Reads the name of a DLL from the PE file.
- **read_from_file()**: Reads a file into a buffer.
- **read_remote_area()**: Reads a specified area from a remote process's memory.
- **read_remote_memory()**: Reads memory from a remote process.
- **read_remote_pe()**: Reads the entire PE image from a remote process.
- **read_remote_pe_header()**: Reads the PE header from a remote process.
- **read_remote_region()**: Reads a memory region from a remote process.
- **redirect_to_local()**: Overwrites the code at the given address with a jump to a local function (installs a hook), choosing the 32- or 64-bit stub.
- **redirect_to_local32()**: Installs a 32-bit jump stub to a local function.
- **redirect_to_local64()**: Installs a 64-bit jump stub to a local function.
- **relocate_module()**: Applies the module's base relocations so that it runs at its new base instead of the preferred one.
- **replace_target()**: Replaces the target address of a call/jump instruction.
- **round_up_to_unit()**: Rounds up a value to the nearest multiple of a unit (e.g. section or file alignment).
- **run_tls_callbacks()**: Executes the TLS callbacks of the PE module; call it before the Entry Point, as the system loader would.
```

--------------------------------

### Namespace Members - g
Source: https://hasherezade.github.io/libpeconv/namespacemembers.html

List of members starting with 'g'.

```APIDOC
## g_kernel32Hndl
Global handle for kernel32.dll.

## g_ntdllHndl
Global handle for ntdll.dll.

## get_current_module_handle()
Gets the handle of the current module.

## get_delayed_imps()
Retrieves the delayed import descriptors.

## get_directory_entry()
Gets a specific data directory entry from the PE header.

## get_directory_name()
Gets the name of a PE data directory entry.

## get_dll_characteristics()
Retrieves the DllCharacteristics field from the Optional Header.
## get_dll_shortname()
Gets the short name of a DLL (file name without path or extension), used to compare library names.

## get_dotnet_hdr()
Retrieves the .NET (CLR) header from the PE file, if present.

## get_entry_point_rva()
Gets the Relative Virtual Address (RVA) of the entry point.

## get_export_directory()
Retrieves the export directory from the PE header.

## get_exported_func()
Looks up an exported function by name in a module's export table (a GetProcAddress replacement that does not go through the loader).

## get_exported_names()
Retrieves the names of all exported functions.

## get_file_characteristics()
Gets the Characteristics field from the File Header.

## get_file_hdr()
Retrieves the File Header of the PE file.

## get_file_name()
Gets the file name part of a path.

## get_func_name()
Gets the name of a function.

## get_hdrs_size()
Returns the total size of the PE headers (SizeOfHeaders).

## get_image_base()
Retrieves the preferred image base address of the PE file.

## get_image_size()
Gets the total size of the PE image in memory (SizeOfImage).

## get_kernel32_hndl()
Gets the handle for kernel32.dll.

## get_last_section()
Gets the last section header of the PE file.

## get_load_config_ptr()
Gets a pointer to the load configuration directory.

## get_load_config_version()
Gets the version of the load configuration directory.

## get_main_module_via_peb()
Gets the main module handle via the Process Environment Block (PEB).

## get_module_size_via_peb()
Gets the size of a module via the Process Environment Block (PEB).

## get_module_via_peb()
Gets a module handle via the Process Environment Block (PEB), without calling the loader.

## get_nt_hdr_architecture()
Tells whether the NT headers are 32-bit (PE32) or 64-bit (PE32+), from the Optional Header magic.

## get_nt_hdrs()
Retrieves the NT headers of the PE file.

## get_nt_hdrs32()
Retrieves the NT headers of a 32-bit PE file.

## get_nt_hdrs64()
Retrieves the NT headers of a 64-bit PE file.

## get_ntdll_hndl()
Gets the handle for ntdll.dll.

## get_optional_hdr()
Retrieves the Optional Header of the PE file.

## get_process_id()
Gets the ID of a process.

## get_remote_image_size()
Gets the image size of a PE file in a remote process.

## get_remote_pe_section()
Gets a section from a PE file in a remote process.

## get_sec_alignment()
Gets the alignment value from the PE header (section alignment for the virtual layout, file alignment for the raw one).

## get_section_hdr()
Retrieves a section header by index.

## get_sections_count()
Gets the number of sections in the PE file.

## get_subsystem()
Gets the subsystem type from the PE Optional Header.

## get_type_directory()
Gets a data directory from the PE header cast to the requested structure type.

## get_virtual_sec_size()
Gets the virtual size of a section.
```

--------------------------------

### Load PE Executable from Raw Data with Imports
Source: https://hasherezade.github.io/libpeconv/pe__loader_8cpp_source.html

Loads a PE executable from raw data, validates and loads its imports, and returns the loaded PE. If loading or import loading fails, it frees the buffer and returns NULL. Note that a failed import resolution frees the whole image: the caller never gets a half-resolved module back.

```cpp
BYTE* peconv::load_pe_executable(BYTE* dllRawData, size_t r_size, OUT size_t &v_size, t_function_resolver* import_resolver, ULONG_PTR desired_base)
{
    // map the raw file into its virtual layout and apply relocations:
    BYTE* loaded_pe = load_pe_module(dllRawData, r_size, v_size, true, true, desired_base);
    if (!loaded_pe) {
        LOG_ERROR("Loading failed.");
        return nullptr;
    }
    LOG_DEBUG("Loaded at: %p.", loaded_pe);

    // resolve the imports (with the custom resolver, if one was given):
    if (!validate_and_load_imports(loaded_pe, v_size, import_resolver)) {
        free_pe_buffer(loaded_pe, v_size);
        return NULL;
    }
    return loaded_pe;
}
```

--------------------------------

### Namespace Members - f
Source: https://hasherezade.github.io/libpeconv/namespacemembers.html

List of members starting with 'f'.

```APIDOC
## fetch_alloc_base()
Fetches the allocation base of the memory region containing the given pointer.

## fetch_callbacks_list()
Fetches the list of TLS callbacks of a module.

## fetch_or_load_dll()
Returns the handle of an already loaded DLL, loading it first if necessary.

## fetch_region_info()
Fetches information about a memory region.

## fetch_region_size()
Fetches the size of a memory region.

## find_alignment_cave()
Finds an alignment cave (unused space created by section alignment) within the PE.

## find_base_candidate()
Finds a potential base address candidate for the PE file.

## find_ending_cave()
Finds a cave at the end of the PE.

## find_extension_pos()
Finds the position of the extension in a file name.

## find_padding_cave()
Finds a padding cave within the PE.

## fix_imports()
Fixes the import table of a dumped PE by resolving its thunk values back to function names.

## format_dll_func()
Formats a DLL.function name string.

## forwarder_name_len()
Calculates the length of a forwarder name in the export table.

## free_aligned()
Frees memory allocated with alloc_aligned().

## free_file()
Frees a buffer returned by load_file() / read_from_file().

## free_pe_buffer()
Frees a buffer allocated for a PE image.

## free_resource_data()
Frees resource data loaded from the PE file.

## free_unaligned()
Frees memory allocated with alloc_unaligned().
```

--------------------------------

### Load Config Definitions - C/C++
Source: https://hasherezade.github.io/libpeconv/load__config__util_8h.html

The headers included by load_config_util.h: the Windows types, the buffer utilities, and the load config definitions. This code is part of the libPeConv library.

```c
#include <windows.h>
#include "buffer_util.h"
#include "load_config_defs.h"
```

--------------------------------

### Namespace Members - c
Source: https://hasherezade.github.io/libpeconv/namespacemembers.html

List of members starting with 'c'.

```APIDOC
## calc_pe_size()
Calculates the total size of the PE from its headers and section table.

## collect_imports()
Collects import information from the PE file.

## collect_thunks()
Collects the import thunks of a module.
```

--------------------------------

### Namespace Members - b
Source: https://hasherezade.github.io/libpeconv/namespacemembers.html

List of members starting with 'b'.
```APIDOC
## BASE_RELOCATION_ENTRY
### Description
Represents an entry in the base relocation table.
```
--------------------------------
### Setup Exceptions Function
Source: https://hasherezade.github.io/libpeconv/exceptions__parser_8cpp_source.html

A wrapper function that sets up the exception table for a given module. If no size is provided it is read from the module's own headers; the function then calls RtlInsertInvertedFunctionTable. Returns true on success, false otherwise.

```cpp
bool peconv::setup_exceptions(IN BYTE* modulePtr, IN size_t moduleSize)
{
    if (moduleSize == 0) {
        // No size supplied: take SizeOfImage from the module's headers
        const DWORD img_size = get_image_size(reinterpret_cast<const BYTE*>(modulePtr));
        if (!img_size) {
            return false; // invalid image
        }
        moduleSize = img_size;
    }
    // Register the module in the loader's inverted function table so that the
    // exception dispatcher can locate the module's exception directory
    return NT_SUCCESS(peconv::RtlInsertInvertedFunctionTable(modulePtr, (ULONG)moduleSize)) ? true : false;
}
```
--------------------------------
### peconv::load_pe_executable (from file)
Source: https://hasherezade.github.io/libpeconv/namespacepeconv.html

Loads a PE executable from a file path. Similar to the buffer version, it prepares the PE for execution by remapping, relocating, and loading imports, with support for custom resolvers.

```APIDOC
## peconv::load_pe_executable (from file)
### Description
Loads a full PE executable directly from a specified file path. This function remaps the PE to its virtual format, applies relocations, and loads its imports, making it ready for execution. A custom function resolver can be provided.
### Parameters
- **_filename_** (LPCTSTR) - The path to the PE file.
- **_v_size_** (OUT size_t &) - Output parameter to store the virtual size of the loaded PE.
- **_import_resolver_** (t_function_resolver *) - Optional. A pointer to a custom function resolver.
Defaults to nullptr.
```
--------------------------------
### peconv::_BASE_RELOCATION_ENTRY::Type
Source: https://hasherezade.github.io/libpeconv/relocate_8cpp_source.html

The type of relocation, for example IMAGE_REL_BASED_HIGHLOW (32-bit field) or IMAGE_REL_BASED_DIR64 (64-bit field). It occupies the upper 4 bits of the 16-bit relocation entry; the lower 12 bits hold the offset of the target within the page.

```cpp
WORD Type : 4
```
--------------------------------
### Subsystem Functions
Source: https://hasherezade.github.io/libpeconv/namespacepeconv.html

Functions to get and set the subsystem of a PE file.

```APIDOC
## set_subsystem
### Description
Sets the subsystem value in the PE header.
### Signature
bool set_subsystem(IN OUT BYTE *payload, IN WORD subsystem)
### Parameters
- **payload** (BYTE *) - Pointer to the PE file buffer.
- **subsystem** (WORD) - The new subsystem value.
### Returns
- Returns true if the subsystem was successfully updated, false otherwise.
```

```APIDOC
## get_subsystem
### Description
Retrieves the subsystem value from the PE header.
### Signature
WORD get_subsystem(IN const BYTE *payload)
### Parameters
- **payload** (const BYTE *) - Pointer to the PE file buffer.
### Returns
- Returns the subsystem value.
```
--------------------------------
### Load PE Executable from File Path with Imports
Source: https://hasherezade.github.io/libpeconv/pe__loader_8cpp_source.html

Loads a PE executable from a file path, validates and loads its imports, and returns the loaded PE. If loading or import loading fails, it frees the buffer and returns NULL.
```cpp
BYTE* peconv::load_pe_executable(LPCTSTR my_path, OUT size_t &v_size, t_function_resolver* import_resolver)
{
    // Map the file into its virtual layout: executable = true, relocate = true
    BYTE* loaded_pe = load_pe_module(my_path, v_size, true, true);
    if (!loaded_pe) {
        LOG_ERROR("Loading failed.");
        return NULL;
    }
    LOG_DEBUG("Loaded at: %p.", loaded_pe);
    // Resolve imports (through the custom resolver if one was given); on failure
    // release the mapped image instead of handing back a half-initialized module
    if (!validate_and_load_imports(loaded_pe, v_size, import_resolver)) {
        free_pe_buffer(loaded_pe, v_size);
        return NULL;
    }
    return loaded_pe;
}
```
--------------------------------
### Header Size Functions
Source: https://hasherezade.github.io/libpeconv/namespacepeconv.html

Functions to get the size of PE headers.

```APIDOC
## get_hdrs_size
### Description
Calculates the total size of the PE headers.
### Signature
DWORD get_hdrs_size(IN const BYTE *pe_buffer)
### Parameters
- **pe_buffer** (const BYTE *) - Pointer to the PE file buffer.
### Returns
- Returns the size of the PE headers in bytes.
```
--------------------------------
### PatchBackup Constructor
Source: https://hasherezade.github.io/libpeconv/classpeconv_1_1_patch_backup.html

Initializes an empty PatchBackup object.

```APIDOC
## PatchBackup()
### Description
Creates an empty backup.
### Signature
`peconv::PatchBackup::PatchBackup()`
### Definition
`hooks.h`, line 26
```
--------------------------------
### Get Subsystem
Source: https://hasherezade.github.io/libpeconv/pe__hdrs__helper_8h_source.html

Retrieves the subsystem value from the PE Optional Header.

```APIDOC
## get_subsystem
### Description
Retrieves the subsystem value from the PE Optional Header.
### Parameters
- **payload** (const BYTE*) - A pointer to the beginning of the PE file buffer.
### Returns
- WORD: The value of the Subsystem field in the IMAGE_OPTIONAL_HEADER.
```
--------------------------------
### Redirect to Local Address (64-bit)
Source: https://hasherezade.github.io/libpeconv/hooks_8cpp_source.html

Creates a 64-bit hook (movabs + jmp) to redirect execution to a new function. It handles memory protection and instruction cache flushing.
Avoids patching NTDLL. Note that the 12-byte stub overwrites the start of the target function and does not preserve the displaced instructions for continued execution; the optional PatchBackup only allows the original bytes to be restored later.

```cpp
size_t peconv::redirect_to_local64(void *ptr, ULONGLONG new_offset, PatchBackup* backup)
{
    if (!ptr) return 0;

    // 12-byte trampoline; the imm64 placeholder is overwritten with new_offset below
    BYTE hook_64[] = {
        0x48, 0xB8, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xEE, 0xFF, // movabs rax, 0xFFEE998877665544
        0xFF, 0xE0                                                  // jmp rax
    };
    const size_t hook64_size = sizeof(hook_64);

    if (is_pointer_in_ntdll(ptr)) {
        LOG_WARNING("Patching NTDLL is not allowed because of possible stability issues.");
        return 0;
    }

    DWORD oldProtect = 0;
    if (!nt_protect((LPVOID)ptr, hook64_size,
        PAGE_EXECUTE_READWRITE, // this must be executable if we are hooking kernel32.dll, because we are using VirtualProtect from kernel32 at the same time
        &oldProtect))
    {
        return 0;
    }

    // Save the original bytes so that the hook can be removed later
    if (backup != nullptr) {
        backup->makeBackup((BYTE*)ptr, hook64_size);
    }

    ::memcpy(hook_64 + 2, &new_offset, sizeof(ULONGLONG)); // fill in the little-endian imm64
    ::memcpy(ptr, hook_64, hook64_size);

    if (!nt_protect((LPVOID)ptr, hook64_size, oldProtect, &oldProtect)) {
        LOG_WARNING("Failed to restore protection of region: %p", ptr);
    }
    // flush cache:
    FlushInstructionCache(GetCurrentProcess(), ptr, hook64_size);
    return hook64_size;
}
```
--------------------------------
### Get Headers Size
Source: https://hasherezade.github.io/libpeconv/pe__hdrs__helper_8h_source.html

Calculates the total size of the PE headers.

```APIDOC
## get_hdrs_size
### Description
Calculates the total size of the PE headers (DOS header, NT headers, section headers).
### Parameters
- **pe_buffer** (const BYTE*) - A pointer to the beginning of the PE file buffer.
### Returns
- DWORD: The total size of the PE headers.
```
--------------------------------
### Get DLL Characteristics
Source: https://hasherezade.github.io/libpeconv/pe__hdrs__helper_8h_source.html

Retrieves the DLL characteristics from the PE Optional Header.

```APIDOC
## get_dll_characteristics
### Description
Retrieves the DLL characteristics from the PE Optional Header.
### Parameters
- **payload** (const BYTE*) - A pointer to the beginning of the PE file buffer.
### Returns
- WORD: The value of the DllCharacteristics field in the IMAGE_OPTIONAL_HEADER.
```
--------------------------------
### Load PE Module from File
Source: https://hasherezade.github.io/libpeconv/pe__loader_8cpp_source.html

Loads a PE module from a specified file path. It first reads the file into raw data and then calls the appropriate PE loading function.

```cpp
BYTE* peconv::load_pe_module(LPCTSTR filename, OUT size_t &v_size, bool executable, bool relocate, ULONG_PTR desired_base)
{
    size_t r_size = 0;
    BYTE *dllRawData = load_file(filename, r_size);   // raw file image; r_size receives its size on disk
    if (!dllRawData) {
        LOG_ERROR("Cannot load the file.");
        return nullptr;
    }
    // Completion (the page shows only the file-reading step): per the description
    // above, the raw bytes go to the buffer-based load_pe_module overload and the
    // raw copy is released with free_file whatever the outcome.
    BYTE* mapped_pe = load_pe_module(dllRawData, r_size, v_size, executable, relocate, desired_base);
    free_file(dllRawData);
    return mapped_pe;
}
```
--------------------------------
### Get File Characteristics
Source: https://hasherezade.github.io/libpeconv/pe__hdrs__helper_8h_source.html

Retrieves the file characteristics from the PE file header.

```APIDOC
## get_file_characteristics
### Description
Retrieves the file characteristics from the PE file header.
### Parameters
- **payload** (const BYTE*) - A pointer to the beginning of the PE file buffer.
### Returns
- WORD: The value of the Characteristics field in the IMAGE_FILE_HEADER.
```
--------------------------------
### peconv::setup_exceptions
Source: https://hasherezade.github.io/libpeconv/exceptions__parser_8cpp_source.html

Sets up the inverted function table for exception handling within a module. This is crucial for proper exception dispatching, especially on newer Windows versions.

```APIDOC
## peconv::setup_exceptions
### Description
Registers a manually loaded module in the loader's inverted function table, the structure the exception dispatcher consults to find a module's exception directory. A module mapped without the Windows loader is absent from that table, so without this step exceptions raised in its code cannot be matched to its handlers. The function handles the different Windows version requirements for protecting the exception table.
### Function Signature
bool setup_exceptions(IN BYTE *modulePtr, IN size_t moduleSize)
### Parameters
- **modulePtr** (BYTE*) - Required - A pointer to the base address of the module.
- **moduleSize** (size_t) - Required - The size of the module in bytes. If 0, the function will attempt to determine the image size automatically.
### Return Value
- **bool** - Returns `true` if the exception table was successfully set up, `false` otherwise.
### Notes
- If `moduleSize` is provided as 0, the function calls `get_image_size` to determine the module's size.
- The function relies on internal, undocumented ntdll routines (`RtlProtectMrdata` and `RtlpInsertInvertedFunctionTable`) and adapts the protection level of the table to the Windows version; as with any code that depends on loader internals, a Windows build whose layout it does not know can make it fail.
```
--------------------------------
### fetch_or_load_dll
Source: https://hasherezade.github.io/libpeconv/namespacepeconv.html

Fetches a module handle if the DLL is already loaded, otherwise loads it.

```APIDOC
## fetch_or_load_dll
### Description
Attempts to get the module handle for a specified DLL. If the DLL is already loaded in the process, its handle is returned. Otherwise, the function attempts to load the DLL.
### Signature
`bool fetch_or_load_dll(IN const char *mod_name, IN OUT HMODULE &mod)`
### Parameters
* `mod_name` (const char*) - The name of the module (DLL) to fetch or load.
* `mod` (HMODULE&) - Output parameter that will receive the module handle.
### Returns
`bool` - True if the module handle was successfully obtained (either by fetching or loading), false otherwise.
```
--------------------------------
### Get Section Header
Source: https://hasherezade.github.io/libpeconv/pe__hdrs__helper_8h_source.html

Retrieves a pointer to a specific section header by its index.

```APIDOC
## get_section_hdr
### Description
Retrieves a pointer to a specific section header by its index.
### Parameters
- **pe_buffer** (const BYTE*) - A pointer to the beginning of the PE file buffer.
- **buffer_size** (size_t) - The size of the PE file buffer.
- **section_num** (size_t) - The index of the section header to retrieve (0-based).
### Returns
- PIMAGE_SECTION_HEADER: A pointer to the requested section header, or nullptr if not found or invalid.
```
--------------------------------
### Get Sections Count
Source: https://hasherezade.github.io/libpeconv/pe__hdrs__helper_8h_source.html

Counts the number of section headers in the PE file.

```APIDOC
## get_sections_count
### Description
Counts the number of section headers in the PE file.
### Parameters
- **buffer** (const BYTE*) - A pointer to the beginning of the PE file buffer.
- **buffer_size** (size_t) - The size of the PE file buffer.
### Returns
- size_t: The number of section headers.
```
--------------------------------
### Convert Raw PE to Virtual Memory
Source: https://hasherezade.github.io/libpeconv/pe__raw__to__virtual_8cpp_source.html

Allocates memory and copies the PE file's sections into it, preparing it for execution or further manipulation. Handles optional parameters for executable permissions and desired base address. Returns a pointer to the allocated virtual memory or nullptr on failure.

```cpp
BYTE* peconv::pe_raw_to_virtual(
    IN const BYTE* payload,
    IN size_t in_size,
    OUT size_t &out_size,
    IN OPTIONAL bool executable,
    IN OPTIONAL ULONG_PTR desired_base
)
{
    // ... (PE header parsing, memory allocation, section copying) ...
    out_size = payloadImageSize;
    return localCopyAddress;
}
```
--------------------------------
### nameToString
Source: https://hasherezade.github.io/libpeconv/classpeconv_1_1_exported_func.html

Gets a string representation of the exported function, including its name or ordinal.

```APIDOC
## nameToString()
### Description
Gets a short string representation of the exported function: only the function name, or the ordinal if the name is missing.
### Method
`std::string ExportedFunc::nameToString() const`
### Definition
Defined at line 250 of file exported_func.cpp.
```
--------------------------------
### Create Patch Backup
Source: https://hasherezade.github.io/libpeconv/hooks_8cpp_source.html

Creates a backup of the original bytes at a given memory location before patching. Allocates memory for the buffer and copies the source data. Requires `deleteBackup()` to be called to free allocated memory.

```cpp
bool PatchBackup::makeBackup(BYTE *patch_ptr, size_t patch_size)
{
    if (!patch_ptr) {
        return false;
    }
    deleteBackup();                      // discard any previous backup: one object holds one patch
    this->sourcePtr = patch_ptr;         // where the bytes came from (and where they are restored to)
    this->buffer = new BYTE[patch_size];
    this->bufferSize = patch_size;
    ::memcpy(buffer, patch_ptr, patch_size);
    return true;
}
```
--------------------------------
### get_virtual_sec_size
Source: https://hasherezade.github.io/libpeconv/namespacepeconv.html

Get the size of a virtual section from the headers (optionally rounds it up to the Virtual Alignment).

```APIDOC
## get_virtual_sec_size()
### Description
Get the size of a virtual section from the headers (optionally rounds it up to the Virtual Alignment).
### Signature
DWORD peconv::get_virtual_sec_size(IN const BYTE * _pe_hdr_, IN const PIMAGE_SECTION_HEADER _sec_hdr_, IN bool _rounded_)
### Definition
Located in file pe_hdrs_helper.cpp at line 549.
```
--------------------------------
### Include Headers for TLS Parsing
Source: https://hasherezade.github.io/libpeconv/tls__parser_8cpp.html

Includes the headers needed for PE file manipulation, TLS parsing, logging, and relocation handling.

```cpp
#include "peconv/tls_parser.h"
#include "peconv/pe_hdrs_helper.h"
#include "peconv/logger.h"
#include "peconv/relocate.h"
```
--------------------------------
### Get Image Size
Source: https://hasherezade.github.io/libpeconv/namespacepeconv.html

Retrieves the total image size of a PE payload from its header.
```cpp
DWORD get_image_size(IN const BYTE *payload);
```
--------------------------------
### ApplyRelocCallback Constructor
Source: https://hasherezade.github.io/libpeconv/relocate_8cpp_source.html

Initializes the ApplyRelocCallback with the bitness of the PE file and the old and new base addresses, from which the relocation delta is derived.

```cpp
ApplyRelocCallback(bool _is64bit, ULONGLONG _oldBase, ULONGLONG _newBase)
```
--------------------------------
### Get Export Directory
Source: https://hasherezade.github.io/libpeconv/pe__hdrs__helper_8h_source.html

Retrieves a pointer to the Export Directory structure of a PE module.

```APIDOC
## get_export_directory
### Description
Retrieves a pointer to the Export Directory structure.
### Parameters
- **modulePtr** (HMODULE) - A handle to the loaded PE module (or a pointer to the PE buffer).
### Returns
- IMAGE_EXPORT_DIRECTORY*: A pointer to the Export Directory structure, or nullptr if not found.
```
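The header getters documented above (get_image_size, get_entry_point_rva, get_subsystem, get_hdrs_size, get_sections_count, get_section_hdr) all reduce to reading fixed offsets in the DOS, NT and section headers, and the security-relevant detail is that every read must be checked against the buffer length, since a truncated or hostile image is exactly what a loader like this is fed. The following is an added example written for this page, not libPeConv's own code: it redefines the few Windows types and constants it needs with `<cstdint>` so it compiles on any host, names its functions after the libPeConv ones (`pe_demo::` namespace, a `PeView` buffer-plus-size struct that stands in for the `pe_buffer, buffer_size` pairs above; both are this example's own), and parses a constructed PE32 header rather than a real file.

```cpp
// Added example, not libPeConv code: bounds-checked reader for the PE header
// fields the page's getters expose. Windows types/layouts are redefined here;
// the input is a constructed PE32 header (headers only), not a real file.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

namespace pe_demo {

using BYTE = uint8_t;

constexpr uint16_t IMAGE_DOS_SIGNATURE = 0x5A4D;          // "MZ"
constexpr uint32_t IMAGE_NT_SIGNATURE  = 0x00004550;      // "PE\0\0"
constexpr uint16_t IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B;
constexpr size_t E_LFANEW = 0x3C;                         // IMAGE_DOS_HEADER::e_lfanew
constexpr size_t FILE_HDR_OFF = 4;                        // IMAGE_FILE_HEADER follows the PE signature
constexpr size_t OPT_HDR_OFF  = 4 + 20;                   // IMAGE_OPTIONAL_HEADER follows the 20-byte file header
constexpr size_t SECTION_HDR_SIZE = 40;                   // sizeof(IMAGE_SECTION_HEADER)

struct PeView { const BYTE* buf; size_t size; };          // buffer and its length, never a bare pointer

// Little-endian reads that fail instead of reading past the buffer.
static bool rd16(const PeView& pe, size_t off, uint16_t& v) {
    if (off > pe.size || pe.size - off < 2) return false;
    v = (uint16_t)(pe.buf[off] | (pe.buf[off + 1] << 8));
    return true;
}
static bool rd32(const PeView& pe, size_t off, uint32_t& v) {
    if (off > pe.size || pe.size - off < 4) return false;
    v = 0;
    for (int i = 3; i >= 0; --i) v = (v << 8) | pe.buf[off + i];
    return true;
}

// Offset of IMAGE_NT_HEADERS, or 0 when the MZ/PE signatures or e_lfanew are invalid.
size_t nt_hdr_off(const PeView& pe) {
    uint16_t mz = 0; uint32_t lfanew = 0, sig = 0;
    if (!rd16(pe, 0, mz) || mz != IMAGE_DOS_SIGNATURE) return 0;
    if (!rd32(pe, E_LFANEW, lfanew)) return 0;
    if (!rd32(pe, lfanew, sig) || sig != IMAGE_NT_SIGNATURE) return 0;
    return lfanew;
}

// Optional-header fields whose offsets are identical in PE32 and PE32+
// (Magic, AddressOfEntryPoint, SizeOfImage, SizeOfHeaders, Subsystem).
static uint32_t opt32(const PeView& pe, size_t field) {
    size_t nt = nt_hdr_off(pe); uint32_t v = 0;
    return (nt && rd32(pe, nt + OPT_HDR_OFF + field, v)) ? v : 0;
}
static uint16_t opt16(const PeView& pe, size_t field) {
    size_t nt = nt_hdr_off(pe); uint16_t v = 0;
    return (nt && rd16(pe, nt + OPT_HDR_OFF + field, v)) ? v : 0;
}

bool     is64bit(const PeView& pe)             { return opt16(pe, 0) == IMAGE_NT_OPTIONAL_HDR64_MAGIC; }
uint32_t get_entry_point_rva(const PeView& pe) { return opt32(pe, 16); }  // AddressOfEntryPoint
uint32_t get_image_size(const PeView& pe)      { return opt32(pe, 56); }  // SizeOfImage
uint32_t get_hdrs_size(const PeView& pe)       { return opt32(pe, 60); }  // SizeOfHeaders
uint16_t get_subsystem(const PeView& pe)       { return opt16(pe, 68); }  // Subsystem

size_t get_sections_count(const PeView& pe) {
    size_t nt = nt_hdr_off(pe); uint16_t n = 0;
    return (nt && rd16(pe, nt + FILE_HDR_OFF + 2, n)) ? n : 0;       // IMAGE_FILE_HEADER::NumberOfSections
}

// Section header #idx, or nullptr when idx is out of range or the header itself
// would lie beyond the buffer (the reason the page's get_section_hdr takes buffer_size).
const BYTE* get_section_hdr(const PeView& pe, size_t idx) {
    size_t nt = nt_hdr_off(pe); uint16_t opt_size = 0;
    if (!nt || idx >= get_sections_count(pe)) return nullptr;
    if (!rd16(pe, nt + FILE_HDR_OFF + 16, opt_size)) return nullptr;  // SizeOfOptionalHeader
    size_t off = nt + OPT_HDR_OFF + opt_size + idx * SECTION_HDR_SIZE;
    if (off > pe.size || pe.size - off < SECTION_HDR_SIZE) return nullptr;
    return pe.buf + off;
}

// IMAGE_SECTION_HEADER::Name is 8 bytes and not necessarily NUL-terminated.
std::string section_name(const BYTE* sec_hdr) {
    size_t n = 0;
    while (n < 8 && sec_hdr[n]) ++n;
    return std::string(reinterpret_cast<const char*>(sec_hdr), n);
}

// Constructed sample: DOS header, PE32 NT headers and two section headers (392 bytes).
std::vector<BYTE> build_sample_pe32() {
    std::vector<BYTE> img(0x40 + OPT_HDR_OFF + 0xE0 + 2 * SECTION_HDR_SIZE, 0);
    auto put16 = [&](size_t off, uint16_t v) { img[off] = (BYTE)(v & 0xFF); img[off + 1] = (BYTE)(v >> 8); };
    auto put32 = [&](size_t off, uint32_t v) { for (int i = 0; i < 4; ++i) img[off + i] = (BYTE)((v >> (8 * i)) & 0xFF); };
    put16(0x00, IMAGE_DOS_SIGNATURE); put32(E_LFANEW, 0x40);
    put32(0x40, IMAGE_NT_SIGNATURE);
    put16(0x44, 0x014C); put16(0x46, 2); put16(0x54, 0xE0);            // Machine i386, 2 sections, SizeOfOptionalHeader
    const size_t opt = 0x40 + OPT_HDR_OFF;
    put16(opt + 0, 0x10B); put32(opt + 16, 0x1000);                    // PE32 magic, entry point RVA
    put32(opt + 56, 0x3000); put32(opt + 60, 0x200); put16(opt + 68, 3); // SizeOfImage, SizeOfHeaders, CUI subsystem
    const size_t sec = opt + 0xE0;
    std::memcpy(&img[sec], ".text", 5);      put32(sec + 12, 0x1000);  // VirtualAddress
    std::memcpy(&img[sec + 40], ".data", 5); put32(sec + 40 + 12, 0x2000);
    return img;
}

} // namespace pe_demo

int main() {
    std::vector<pe_demo::BYTE> img = pe_demo::build_sample_pe32();
    pe_demo::PeView pe{img.data(), img.size()};
    std::printf("SizeOfImage=0x%x EP=0x%x subsystem=%u sections=%zu\n",
                pe_demo::get_image_size(pe), pe_demo::get_entry_point_rva(pe),
                pe_demo::get_subsystem(pe), pe_demo::get_sections_count(pe));
    for (size_t i = 0; i < pe_demo::get_sections_count(pe); ++i)
        std::printf("  %s\n", pe_demo::section_name(pe_demo::get_section_hdr(pe, i)).c_str());
    return 0;
}
```

Every getter returns 0 or nullptr on a malformed or truncated buffer rather than reading outside it; cutting one byte off the sample makes the second section header unreachable while the count field still says two, which is the case a loader must handle without trusting NumberOfSections.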
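The `_BASE_RELOCATION_ENTRY::Type` field above and the `ApplyRelocCallback(is64bit, oldBase, newBase)` constructor describe the two halves of relocation processing: unpacking each 16-bit entry into a 4-bit type and a 12-bit page offset, then adding `newBase - oldBase` to every HIGHLOW (32-bit) or DIR64 (64-bit) field. The following is an added example written for this page, not libPeConv's relocation code: it walks a base relocation directory over an in-memory image, rejects unknown types and any target that would fall outside the image (a .reloc table from an untrusted file is an attacker-chosen list of write addresses), and treats DIR64 inside a PE32 image as malformed, which is this example's own policy. Types, constants, the `reloc_demo::` helpers and the sample data are all constructed here.

```cpp
// Added example, not libPeConv code: platform-independent base relocation walker.
// Shows the Type:4 / Offset:12 split of BASE_RELOCATION_ENTRY and the rebase by
// newBase - oldBase, with every target bounds-checked before it is written.
#include <cstdint>
#include <cstring>
#include <vector>

namespace reloc_demo {

using BYTE = uint8_t; using WORD = uint16_t; using DWORD = uint32_t; using ULONGLONG = uint64_t;

constexpr WORD IMAGE_REL_BASED_ABSOLUTE = 0;   // padding entry, skipped
constexpr WORD IMAGE_REL_BASED_HIGHLOW  = 3;   // 32-bit absolute address
constexpr WORD IMAGE_REL_BASED_DIR64    = 10;  // 64-bit absolute address (PE32+)
constexpr size_t RELOC_BLOCK_HDR = 8;          // IMAGE_BASE_RELOCATION: VirtualAddress + SizeOfBlock

struct RelocEntry { WORD Offset; WORD Type; };             // unpacked entry: Offset is the low 12 bits, Type the high 4
RelocEntry unpack(WORD raw) { return { (WORD)(raw & 0x0FFF), (WORD)(raw >> 12) }; }

// Unaligned little-endian accessors (little-endian host assumed, as the PE format is).
uint32_t rd32(const BYTE* p) { uint32_t v; std::memcpy(&v, p, 4); return v; }
uint64_t rd64(const BYTE* p) { uint64_t v; std::memcpy(&v, p, 8); return v; }
void wr32(BYTE* p, uint32_t v) { std::memcpy(p, &v, 4); }
void wr64(BYTE* p, uint64_t v) { std::memcpy(p, &v, 8); }

// Walks every IMAGE_BASE_RELOCATION block in reloc_dir and rebases image in place.
// Returns the number of entries patched, or -1 if a block header is truncated or
// inconsistent, a type is unsupported, DIR64 appears in a PE32 image, or a target
// lies outside the image. On -1, entries before the bad one may already be patched.
long apply_relocations(std::vector<BYTE>& image, const std::vector<BYTE>& reloc_dir,
                       bool is64bit, ULONGLONG oldBase, ULONGLONG newBase)
{
    const ULONGLONG delta = newBase - oldBase;        // unsigned wrap-around gives the right result when newBase < oldBase
    long applied = 0;
    size_t pos = 0;
    while (pos < reloc_dir.size()) {
        if (reloc_dir.size() - pos < RELOC_BLOCK_HDR) return -1;
        const DWORD page_rva   = rd32(&reloc_dir[pos]);
        const DWORD block_size = rd32(&reloc_dir[pos + 4]);
        if (block_size < RELOC_BLOCK_HDR || block_size > reloc_dir.size() - pos) return -1;
        const size_t n_entries = (block_size - RELOC_BLOCK_HDR) / sizeof(WORD);
        for (size_t i = 0; i < n_entries; ++i) {
            WORD raw; std::memcpy(&raw, &reloc_dir[pos + RELOC_BLOCK_HDR + i * 2], 2);
            const RelocEntry e = unpack(raw);
            if (e.Type == IMAGE_REL_BASED_ABSOLUTE) continue;                   // alignment padding
            if (e.Type != IMAGE_REL_BASED_HIGHLOW && e.Type != IMAGE_REL_BASED_DIR64) return -1;
            if (e.Type == IMAGE_REL_BASED_DIR64 && !is64bit) return -1;         // example policy: DIR64 only in PE32+
            const size_t width  = (e.Type == IMAGE_REL_BASED_DIR64) ? 8 : 4;
            const size_t target = (size_t)page_rva + e.Offset;
            if (target > image.size() || image.size() - target < width) return -1;   // attacker-chosen RVA: check first
            if (width == 8) wr64(&image[target], rd64(&image[target]) + delta);
            else            wr32(&image[target], (uint32_t)(rd32(&image[target]) + delta));
            ++applied;
        }
        pos += block_size;
    }
    return applied;
}

// Constructed sample: a 0x1100-byte image whose page at RVA 0x1000 holds two 32-bit
// and one 64-bit absolute pointers into the image, plus the matching relocation block
// (HIGHLOW at +0x10 and +0x20, DIR64 at +0x18, one ABSOLUTE entry as 4-byte padding).
struct Sample { std::vector<BYTE> image; std::vector<BYTE> relocs; };

Sample build_sample(ULONGLONG oldBase) {
    Sample s;
    s.image.assign(0x1100, 0);
    wr32(&s.image[0x1010], (uint32_t)(oldBase + 0x1234));
    wr64(&s.image[0x1018], oldBase + 0x5678);
    wr32(&s.image[0x1020], (uint32_t)(oldBase + 0x0800));
    const WORD entries[] = {
        (WORD)((IMAGE_REL_BASED_HIGHLOW  << 12) | 0x010),
        (WORD)((IMAGE_REL_BASED_DIR64    << 12) | 0x018),
        (WORD)((IMAGE_REL_BASED_HIGHLOW  << 12) | 0x020),
        (WORD)((IMAGE_REL_BASED_ABSOLUTE << 12) | 0x000),
    };
    const DWORD block_size = (DWORD)(RELOC_BLOCK_HDR + sizeof entries);   // 16 bytes
    s.relocs.assign(block_size, 0);
    wr32(&s.relocs[0], 0x1000);                                          // page RVA
    wr32(&s.relocs[4], block_size);
    std::memcpy(&s.relocs[RELOC_BLOCK_HDR], entries, sizeof entries);
    return s;
}

} // namespace reloc_demo

int main() {
    reloc_demo::Sample s = reloc_demo::build_sample(0x140000000ULL);
    return reloc_demo::apply_relocations(s.image, s.relocs, true, 0x140000000ULL, 0x150000000ULL) == 3 ? 0 : 1;
}
```

Rebasing the sample from 0x140000000 to 0x150000000 patches three fields and skips the padding entry; moving the block's page RVA so that a target lands on the image boundary makes the walker return -1 before any byte is written, and a PE32 image carrying a DIR64 entry is refused.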