peview: Check binaries for valid CFG data (patch by lucasg), Fix inco…

…rrect type names

phlib/include/mapimg.h

@@ -436,8 +436,8 @@ PHLIBAPI
 NTSTATUS
 NTAPI
 PhGetMappedImageCfg(
-    _In_ PPH_MAPPED_IMAGE MappedImage,
-    _Out_ PPH_MAPPED_IMAGE_CFG CfgConfig
+    _Out_ PPH_MAPPED_IMAGE_CFG CfgConfig,
+    _In_ PPH_MAPPED_IMAGE MappedImage
     );
 
 PHLIBAPI

phlib/mapimg.c

@@ -1219,8 +1219,8 @@ ULONG PhCheckSumMappedImage(
 }
 
 NTSTATUS PhGetMappedImageCfg(
-    _In_ PPH_MAPPED_IMAGE MappedImage,
-    _Out_ PPH_MAPPED_IMAGE_CFG CfgConfig
+    _Out_ PPH_MAPPED_IMAGE_CFG CfgConfig,
+    _In_ PPH_MAPPED_IMAGE MappedImage
     )
 {
     NTSTATUS status;
@@ -1229,6 +1229,10 @@ NTSTATUS PhGetMappedImageCfg(
     if (!NT_SUCCESS(status = PhGetMappedImageLoadConfig64(MappedImage, &config64)))
         return status;
 
+    // Not every load configuration defines CFG characteristics
+    if (config64->Size < (ULONG)FIELD_OFFSET(IMAGE_LOAD_CONFIG_DIRECTORY64, GuardAddressTakenIatEntryTable))
+        return STATUS_INVALID_VIEW_SIZE;
+
     CfgConfig->MappedImage = MappedImage;
     CfgConfig->EntrySize = sizeof(FIELD_OFFSET(IMAGE_CFG_ENTRY, Rva)) +
         (ULONG)((config64->GuardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT);
@@ -1241,8 +1245,8 @@ NTSTATUS PhGetMappedImageCfg(
     CfgConfig->EnableExportSuppression = !!(config64->GuardFlags & IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION);
     CfgConfig->HasExportSuppressionInfos = !!(config64->GuardFlags & IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT);
     CfgConfig->CfgLongJumpTablePresent = !!(config64->GuardFlags & IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT);
-    CfgConfig->NumberOfGuardFunctionEntries = config64->GuardCFFunctionCount;
 
+    CfgConfig->NumberOfGuardFunctionEntries = config64->GuardCFFunctionCount;
     CfgConfig->GuardFunctionTable = PhMappedImageRvaToVa(
         MappedImage,
         (ULONG)(config64->GuardCFFunctionTable - MappedImage->NtHeaders->OptionalHeader.ImageBase),
@@ -1256,7 +1260,7 @@ NTSTATUS PhGetMappedImageCfg(
             PhpMappedImageProbe(
                 MappedImage,
                 CfgConfig->GuardFunctionTable,
-                CfgConfig->EntrySize * (ULONG)CfgConfig->NumberOfGuardFunctionEntries
+                (SIZE_T)(CfgConfig->EntrySize * CfgConfig->NumberOfGuardFunctionEntries)
                 );
         }
         __except (EXCEPTION_EXECUTE_HANDLER)
@@ -1279,7 +1283,7 @@ NTSTATUS PhGetMappedImageCfg(
             PhpMappedImageProbe(
                 MappedImage,
                 CfgConfig->GuardAdressIatTable,
-                CfgConfig->EntrySize * (ULONG)CfgConfig->NumberOfGuardAdressIatEntries
+                (SIZE_T)(CfgConfig->EntrySize * CfgConfig->NumberOfGuardAdressIatEntries)
                 );
         }
         __except (EXCEPTION_EXECUTE_HANDLER)
@@ -1302,7 +1306,7 @@ NTSTATUS PhGetMappedImageCfg(
             PhpMappedImageProbe(
                 MappedImage,
                 CfgConfig->GuardLongJumpTable,
-                CfgConfig->EntrySize * (ULONG)CfgConfig->NumberOfGuardLongJumpEntries
+                (SIZE_T)(CfgConfig->EntrySize * CfgConfig->NumberOfGuardLongJumpEntries)
                 );
         }
         __except (EXCEPTION_EXECUTE_HANDLER)

tools/peview/peprp.c

@@ -942,7 +942,7 @@ INT_PTR CALLBACK PvpPeLoadConfigDlgProc(
                 PhSetListViewSubItem(lvHandle, lvItemIndex, 1, Value); \
             }
 
-            #define ADD_VALUES(Config) \
+            #define ADD_VALUES(Type, Config) \
             { \
                 LARGE_INTEGER time; \
                 SYSTEMTIME systemTime; \
@@ -968,29 +968,33 @@ INT_PTR CALLBACK PvpPeLoadConfigDlgProc(
                 ADD_VALUE(L"SEH handler table", PhaFormatString(L"0x%Ix", (Config)->SEHandlerTable)->Buffer); \
                 ADD_VALUE(L"SEH handler count", PhaFormatUInt64((Config)->SEHandlerCount, TRUE)->Buffer); \
                 ADD_VALUE(L"SEH handler count", PhaFormatUInt64((Config)->SEHandlerCount, TRUE)->Buffer); \
-                ADD_VALUE(L"CFG GuardFlags", PhaFormatString(L"0x%Ix", (Config)->GuardFlags)->Buffer); \
-                ADD_VALUE(L"CFG Check Function pointer", PhaFormatString(L"0x%Ix", (Config)->GuardCFCheckFunctionPointer)->Buffer); \
-                ADD_VALUE(L"CFG Check Dispatch pointer", PhaFormatString(L"0x%Ix", (Config)->GuardCFDispatchFunctionPointer)->Buffer); \
-                ADD_VALUE(L"CFG Function table", PhaFormatString(L"0x%Ix", (Config)->GuardCFFunctionTable)->Buffer); \
-                ADD_VALUE(L"CFG Function table entry count", PhaFormatUInt64((Config)->GuardCFFunctionCount, TRUE)->Buffer); \
-                ADD_VALUE(L"CFG IatEntry table", PhaFormatString(L"0x%Ix", (Config)->GuardAddressTakenIatEntryTable)->Buffer); \
-                ADD_VALUE(L"CFG IatEntry table entry count", PhaFormatUInt64((Config)->GuardAddressTakenIatEntryCount, TRUE)->Buffer); \
-                ADD_VALUE(L"CFG LongJump table", PhaFormatString(L"0x%Ix", (Config)->GuardLongJumpTargetTable)->Buffer); \
-                ADD_VALUE(L"CFG LongJump table entry count", PhaFormatUInt64((Config)->GuardLongJumpTargetCount, TRUE)->Buffer); \
+                \
+                if ((Config)->Size >= (ULONG)FIELD_OFFSET(Type, GuardAddressTakenIatEntryTable)) \
+                { \
+                    ADD_VALUE(L"CFG GuardFlags", PhaFormatString(L"0x%Ix", (Config)->GuardFlags)->Buffer); \
+                    ADD_VALUE(L"CFG Check Function pointer", PhaFormatString(L"0x%Ix", (Config)->GuardCFCheckFunctionPointer)->Buffer); \
+                    ADD_VALUE(L"CFG Check Dispatch pointer", PhaFormatString(L"0x%Ix", (Config)->GuardCFDispatchFunctionPointer)->Buffer); \
+                    ADD_VALUE(L"CFG Function table", PhaFormatString(L"0x%Ix", (Config)->GuardCFFunctionTable)->Buffer); \
+                    ADD_VALUE(L"CFG Function table entry count", PhaFormatUInt64((Config)->GuardCFFunctionCount, TRUE)->Buffer); \
+                    ADD_VALUE(L"CFG IatEntry table", PhaFormatString(L"0x%Ix", (Config)->GuardAddressTakenIatEntryTable)->Buffer); \
+                    ADD_VALUE(L"CFG IatEntry table entry count", PhaFormatUInt64((Config)->GuardAddressTakenIatEntryCount, TRUE)->Buffer); \
+                    ADD_VALUE(L"CFG LongJump table", PhaFormatString(L"0x%Ix", (Config)->GuardLongJumpTargetTable)->Buffer); \
+                    ADD_VALUE(L"CFG LongJump table entry count", PhaFormatUInt64((Config)->GuardLongJumpTargetCount, TRUE)->Buffer); \
+                } \
             }
 
             if (PvMappedImage.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
             {
                 if (NT_SUCCESS(PhGetMappedImageLoadConfig32(&PvMappedImage, &config32)))
                 {
-                    ADD_VALUES(config32);
+                    ADD_VALUES(IMAGE_LOAD_CONFIG_DIRECTORY32, config32);
                 }
             }
             else
             {
                 if (NT_SUCCESS(PhGetMappedImageLoadConfig64(&PvMappedImage, &config64)))
                 {
-                    ADD_VALUES(config64);
+                    ADD_VALUES(IMAGE_LOAD_CONFIG_DIRECTORY64, config64);
                 }
             }
 
@@ -1152,7 +1156,7 @@ INT_PTR CALLBACK PvpPeCgfDlgProc(
             }
 
             // Retrieve Cfg Table entry and characteristics
-            if (NT_SUCCESS(PhGetMappedImageCfg(&PvMappedImage, &cfgConfig)))
+            if (NT_SUCCESS(PhGetMappedImageCfg(&cfgConfig, &PvMappedImage)))
             {
                 for (ULONGLONG i = 0; i < cfgConfig.NumberOfGuardFunctionEntries; i++)
                 {

tools/peview/prpsh.c

@@ -23,11 +23,9 @@
 // NOTE: Copied from processhacker2\ProcessHacker\procprp.c
 
 #include <peview.h>
-#include <uxtheme.h>
 
-PPH_OBJECT_TYPE PhpPropContextType;
-PPH_OBJECT_TYPE PhpPropPageContextType;
-PH_STRINGREF PhpLoadingText = PH_STRINGREF_INIT(L"Loading...");
+PPH_OBJECT_TYPE PvpPropContextType;
+PPH_OBJECT_TYPE PvpPropPageContextType;
 static RECT MinimumSize = { -1, -1, -1, -1 };
 
 VOID NTAPI PvpPropContextDeleteProcedure(
@@ -65,8 +63,8 @@ BOOLEAN PvPropInitialization(
     VOID
     )
 {
-    PhpPropContextType = PhCreateObjectType(L"PvPropContext", 0, PvpPropContextDeleteProcedure);
-    PhpPropPageContextType = PhCreateObjectType(L"PvPropPageContext", 0, PvpPropPageContextDeleteProcedure);
+    PvpPropContextType = PhCreateObjectType(L"PvPropContext", 0, PvpPropContextDeleteProcedure);
+    PvpPropPageContextType = PhCreateObjectType(L"PvPropPageContext", 0, PvpPropPageContextDeleteProcedure);
 
     return TRUE;
 }
@@ -78,7 +76,7 @@ PPV_PROPCONTEXT PvCreatePropContext(
     PPV_PROPCONTEXT propContext;
     PROPSHEETHEADER propSheetHeader;
 
-    propContext = PhCreateObject(sizeof(PV_PROPCONTEXT), PhpPropContextType);
+    propContext = PhCreateObject(sizeof(PV_PROPCONTEXT), PvpPropContextType);
     memset(propContext, 0, sizeof(PV_PROPCONTEXT));
 
     propContext->Title = Caption;
@@ -326,7 +324,7 @@ PPV_PROPPAGECONTEXT PvCreatePropPageContextEx(
 {
     PPV_PROPPAGECONTEXT propPageContext;
 
-    propPageContext = PhCreateObject(sizeof(PV_PROPPAGECONTEXT), PhpPropPageContextType);
+    propPageContext = PhCreateObject(sizeof(PV_PROPPAGECONTEXT), PvpPropPageContextType);
     memset(propPageContext, 0, sizeof(PV_PROPPAGECONTEXT));
 
     propPageContext->PropSheetPage.dwSize = sizeof(PROPSHEETPAGE);