Phishing & BotNets
Re: PE Headers Oct 20 2005 03:28PM
Harlan Carvey (keydet89 yahoo com)
Jon,

> > Based on what you've said, given the information
> from
> > the .data section above, the calculation of
> > "sh.PointerToRawData - sh.VirtualAddress" is a
> > negative number.
>
> Negative corrections are expected.
[snip]
> If using negative values in file pointer
> calculations makes you uncomfortable,

Not at all...it was simply an observation.

> I do a linear search through all section headers
> until I find the
> section containing the virtual address of the import
> section directory.
>
> Here is example C code that I have written on a
> Win2k machine using the
> header file windows.h with WIN32_LEAN_AND_MEAN
> undefined. I left out
> most of the error-handling code for conciseness:
>
> /* I assume that you read this structure
> successfully. */
> IMAGE_NT_HEADERS nth;

Okay, I can successfully read all of the data you're
referring to...as I said in my original post, I'm
doing this in binary mode, bypassing the MS API all
together. However, I have the structure definitions
from MS, so this isn't difficult.

> /* Get the import section directory. */
> IMAGE_DATA_DIRECTORY *idd =
>
>
&nth.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
>

I guess maybe I'm getting a little too wrapped around
the axle with regards to terminology...and that's my
fault, for being too new to PE headers (only started
down this road in June). When you say "import
section", I can see from the code that you're
referring to the import data directory.

So, according to the MS documentation, the structure
for the data directory is two DWORD values; the
virtual address, and the size. In the case of the
Import data directory for netstat.exe (on XP SP2), the
values are:

ImportTable 0x4FE8 0xDC

> /* Get the section containing the import directory.
> */
> IMAGE_SECTION_HEADER ish;
> int i;
> for (i = 0; i < nth.FileHeader.NumberOfSections;
> ++i)
> {
> fread((void*)&ish, sizeof(IMAGE_SECTION_HEADER),
> 1, PE_file);
> if (idd->VirtualAddress >= ish.VirtualAddress &&
> idd->VirtualAddress < ish.VirtualAddress +
> ish.SizeOfRawData)
> break;
> }
> if (i == nth.FileHeader.NumberOfSections)
> die_section_not_found();

Okay...I understand your code, and can see how you go
about performing the calculation.

Thanks. You've been much more helpful than "read
article x"...and I greatly appreciate your assistance.

Harlan

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus