[WIP] CFG property page for Peview #101
Conversation
That's how MS calls it. (see RtlpGuardAllowSuppressedCall or RtlGuardCheckLongJumpTarget in ntdll)
Very cool, thanks! I'll merge the code when you think it's ready.
The symbol provider was loaded with (ImageBase, SizeOfCode), not (ImageBase, SizeOfImage).
Those helpers can parse and return the CFG configuration and entries in a mapped PE.
The code for symbol provider loading is partly ripped from mainwnd.c. It could be a good idea to provide a PhLoadDbgHelpFromCommonLocations (like Windows Kits) in symprv.
Ok, I've cleaned up my code and fixed several bugs I've spotted, so it's good to go on my part. The last commit in this PR also adds the CFG configuration items in the load config property page. L.
I've fixed most issues and memory leaks, there's just one issue remaining with how symbol loading is done that I will fix up later... Can you please double check my changes and make sure I haven't accidentally broken something with CFG parsing? 😄 You can review the changes here: Here are some notes from those changes:
You can review project guidelines on the link below. I'm very flexible when it comes to the guidelines so don't worry about them too much 😄 Also, the PhGetMappedImageCfgEntry function - the Reserved field of the structure used by GuardFunctionTable seems to have some undocumented flags that are currently being used? :)
I've pulled your modifications and I've spotted a regression at the line in mapimg.c:1233: Since it's a one-liner fix, I will let you do it on your end (it will be easier than creating a whole PR for it). Regarding the code style fixes, I've nothing to correct. I probably should have read the HACKING.md file before submitting this PR ... And to answer your last question, I haven't noticed other use of the Reserved field yet in any binaries I've analyzed. Same for the
Thanks, I fixed the regression 👍 I've also added window resize support to peview in PR #102 and I'm just waiting on a review from @wj32 before I can merge the code - it'll make using peview a lot more user friendly 😃 The reserved field is definitely being used on my system (Win10 x64, build 14393)... For example the following DLLs are showing values stored in the 'Reserved' field: Seems to be used by nearly all DLLs other than ntdll, kernelbase and kernel32?
Resize support for peview has been merged 👍 Binaries such as Visual Studio have values stored in the GuardAddressTakenIatEntryTable and GuardLongJumpTable fields?
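For readers following the exchange about the GuardCFFunctionTable and its 'Reserved' field: each table entry is a 4-byte RVA followed by a number of extra bytes given by the top nibble of GuardFlags (IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK), and the current Windows SDK winnt.h names the bits in that extra byte IMAGE_GUARD_FLAG_FID_SUPPRESSED (0x1) and IMAGE_GUARD_FLAG_EXPORT_SUPPRESSED (0x2), which is what the thread observed as undocumented flags. The following is an added example written for this page, not Process Hacker's or peview's code. It assumes the caller has already located IMAGE_LOAD_CONFIG_DIRECTORY in the mapped image and turned the GuardCFFunctionTable VA into a buffer pointer (that part is not shown); the table bytes and GuardFlags value are constructed for the example. The function names CfgEntryStride, ParseCfgFunctionTable and DemoParse are mine.

```c
/* Added example (not Process Hacker code): walk a PE's GuardCFFunctionTable.
 * Assumes the caller already found IMAGE_LOAD_CONFIG_DIRECTORY, mapped the
 * GuardCFFunctionTable VA to a buffer, and has GuardFlags and
 * GuardCFFunctionCount in hand; only the entry parsing is shown here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values copied from the Windows SDK winnt.h so this builds on any platform. */
#define IMAGE_GUARD_CF_INSTRUMENTED              0x00000100u
#define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT    0x00000400u
#define IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK  0xF0000000u
#define IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT 28
#define IMAGE_GUARD_FLAG_FID_SUPPRESSED          0x01u  /* entry is a suppressed call target */
#define IMAGE_GUARD_FLAG_EXPORT_SUPPRESSED       0x02u  /* entry is export suppressed */

typedef struct {
    uint32_t rva;    /* RVA of the valid indirect-call target */
    uint8_t  extra;  /* first extra byte of the entry (peview's "Reserved"), 0 if none */
} CFG_ENTRY;

/* Entry stride: 4-byte RVA plus the extra-byte count in the top nibble of GuardFlags. */
size_t CfgEntryStride(uint32_t guardFlags)
{
    return 4 + ((guardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK)
                >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT);
}

/* Parses guardCount entries from the raw table bytes into out.
 * Returns the number parsed, or 0 when no table is present, out is too small,
 * or the declared count would read past tableSize (GuardCFFunctionCount comes
 * from the file, so a malformed or hostile PE can lie about it). */
size_t ParseCfgFunctionTable(const uint8_t *table, size_t tableSize, uint32_t guardFlags,
                             uint64_t guardCount, CFG_ENTRY *out, size_t outCap)
{
    size_t stride = CfgEntryStride(guardFlags);

    if (!(guardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT) || table == NULL)
        return 0;
    if (guardCount > outCap || guardCount > tableSize / stride)
        return 0;

    for (size_t i = 0; i < (size_t)guardCount; i++) {
        const uint8_t *e = table + i * stride;
        /* Byte-wise little-endian read: no alignment or host-endianness assumptions. */
        out[i].rva = (uint32_t)e[0] | ((uint32_t)e[1] << 8) |
                     ((uint32_t)e[2] << 16) | ((uint32_t)e[3] << 24);
        out[i].extra = stride > 4 ? e[4] : 0;
    }
    return (size_t)guardCount;
}

/* Constructed sample: GuardFlags declaring 1 extra byte per entry, and three
 * 5-byte entries. These bytes are made up for the example, not from a real DLL. */
const uint32_t SAMPLE_GUARD_FLAGS = IMAGE_GUARD_CF_INSTRUMENTED |
                                    IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT |
                                    (1u << IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT);
const uint8_t SAMPLE_TABLE[] = {
    0x00, 0x10, 0x00, 0x00, 0x00,  /* RVA 0x1000, no flags */
    0x10, 0x20, 0x00, 0x00, 0x01,  /* RVA 0x2010, FID suppressed */
    0x20, 0x30, 0x00, 0x00, 0x02,  /* RVA 0x3020, export suppressed */
};

/* Runs the parser over the sample; returns the entry count so callers can check it. */
size_t DemoParse(CFG_ENTRY *out, size_t outCap)
{
    return ParseCfgFunctionTable(SAMPLE_TABLE, sizeof SAMPLE_TABLE, SAMPLE_GUARD_FLAGS,
                                 sizeof SAMPLE_TABLE / CfgEntryStride(SAMPLE_GUARD_FLAGS),
                                 out, outCap);
}

int main(void)
{
    CFG_ENTRY entries[8];
    size_t n = DemoParse(entries, 8);

    printf("stride %zu bytes, %zu entries\n", CfgEntryStride(SAMPLE_GUARD_FLAGS), n);
    for (size_t i = 0; i < n; i++) {
        printf("  0x%08x  extra=0x%02x%s%s\n", entries[i].rva, entries[i].extra,
               (entries[i].extra & IMAGE_GUARD_FLAG_FID_SUPPRESSED) ? " [FID suppressed]" : "",
               (entries[i].extra & IMAGE_GUARD_FLAG_EXPORT_SUPPRESSED) ? " [export suppressed]" : "");
    }
    return 0;
}
```

Two points a practitioner should carry over into a real parser: the stride must be computed from GuardFlags before touching the table (a fixed 4-byte stride silently mis-parses every image that uses the extra byte, which the thread reports is most system DLLs), and both GuardCFFunctionCount and the table VA are attacker-controlled file data, so they need to be bounds-checked against the mapped image rather than trusted.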
Hmm, I've taken a look at it and the values seemed fishy to me. There is definitely a bug here. The Since Here's the diff: loadconfig.diff.txt
Thanks, I've merged the changes in commit f0517b3 Btw, the nightly builds now include the peview changes:
Okay great. If that's not too much to ask, is it possible to export some functions from mapimg in the For my use case I would need the following functions exported:
L. |
Done
Hi,
I've worked for some time now on a plugin analyzing CFG and its whitelist mechanism. In the process, I've tweaked peview in order to show me the list of functions authorized as indirect call targets in a given PE: It clearly replicates the __guard_fids_table name entry in IDA: The code probably has some bugs left in it, but if you guys are interested in merging this feature into the main tree, I will gladly iron out the remaining kinks.
L.