diff --git a/libpeconv/include/peconv/util.h b/libpeconv/include/peconv/util.h index 822601a7f..9ee7d87da 100644 --- a/libpeconv/include/peconv/util.h +++ b/libpeconv/include/peconv/util.h @@ -8,6 +8,17 @@ #include "file_util.h" #include "resource_util.h" +#ifdef _MSC_VER +#define PECONV_FORCEINLINE __forceinline +#define PECONV_TRY_EXCEPT_BLOCK_START __try { +#define PECONV_TRY_EXCEPT_BLOCK_END __except (EXCEPTION_EXECUTE_HANDLER) { +#else +#define PECONV_FORCEINLINE __attribute__((always_inline)) inline +#define PECONV_TRY_EXCEPT_BLOCK_START try { +#define PECONV_TRY_EXCEPT_BLOCK_END catch (...) { +#endif + + namespace peconv { /** Checks if the given buffer is fully filled with the specified character. @@ -15,7 +26,7 @@ namespace peconv { \param cave_size : size of the buffer to be checked \param padding_char : the required character */ - bool is_padding(const BYTE *cave_ptr, size_t cave_size, const BYTE padding_char); + bool is_padding(const BYTE* cave_ptr, size_t cave_size, const BYTE padding_char); /** Wrapper for GetProcessId - for a backward compatibility with old versions of Windows @@ -37,5 +48,4 @@ namespace peconv { \param areaSize : The size of the memory block, in bytes. If this parameter is zero, the return value is true (bad pointer). */ bool is_bad_read_ptr(LPCVOID areaStart, SIZE_T areaSize); -}; - +}; \ No newline at end of file diff --git a/libpeconv/src/exceptions_parser.cpp b/libpeconv/src/exceptions_parser.cpp index e537e91df..29f44a0d3 100644 --- a/libpeconv/src/exceptions_parser.cpp +++ b/libpeconv/src/exceptions_parser.cpp @@ -1,12 +1,17 @@ #include "peconv/exceptions_parser.h" #include "peconv/pe_hdrs_helper.h" +#include "peconv/util.h" #include "ntddk.h" #ifdef _DEBUG #include #endif +#ifndef min +#define min(a,b) (((a) < (b)) ? (a) : (b)) +#endif + namespace details { #define RTL_VERIFY_FLAGS_MAJOR_VERSION 0 #define RTL_VERIFY_FLAGS_MINOR_VERSION 1 
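Review bot: `PECONV_TRY_EXCEPT_BLOCK_END` expands to `catch (...) {` on non-MSVC compilers, but a C++ `catch (...)` does not handle access violations the way the `__except (EXCEPTION_EXECUTE_HANDLER)` it replaces does, so on GCC/Clang/MinGW builds a bad read inside the guarded memory scan in exceptions_parser.cpp terminates the process instead of landing in the handler. The header should state this next to the non-MSVC branch, e.g. `// Non-MSVC: plain C++ try/catch. Hardware faults (access violations) are NOT caught here; validate pointers (is_bad_read_ptr) before reading.` Both macros also hide an opening brace, so the matching `}` at the use site has no visible opener; a short comment on each macro saying that it opens a block would help readers and clang-format alike.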
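Review bot: The `min(a,b)` macro added near the top of exceptions_parser.cpp evaluates the selected argument twice, and as a function-like macro named `min` it rewrites any later `std::min(...)` call in this translation unit, which then fails to compile. Unless the intent is to mirror the Windows-header `min` on toolchains that lack it, replacing the call sites with `(std::min)(a, b)` and dropping the `#define` is the safer route; if the macro has to stay, add `#undef min` at the end of the file so it does not outlive this file in a unity build. The call sites that use `min` are outside the visible hunks, so I cannot confirm how many there are.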
@@ -157,7 +162,7 @@ namespace details { _In_ ULONG BuildNumber ) { NtVersion version{}; - RtlSecureZeroMemory(&version, sizeof NtVersion); + RtlSecureZeroMemory(&version, sizeof(NtVersion)); RtlCurrentVersion(&version); if (version.MajorVersion == MajorVersion) { if (version.MinorVersion == MinorVersion) return version.BuildNumber >= BuildNumber; @@ -173,7 +178,7 @@ namespace details { _In_ BYTE Flags ) { NtVersion version{}; - RtlSecureZeroMemory(&version, sizeof NtVersion); + RtlSecureZeroMemory(&version, sizeof(NtVersion)); RtlCurrentVersion(&version); if (version.MajorVersion == MajorVersion && ((Flags & RTL_VERIFY_FLAGS_MINOR_VERSION) ? version.MinorVersion == MinorVersion : true) && @@ -211,7 +216,7 @@ namespace details { } #endif - static __forceinline bool IsModuleUnloaded(PLDR_DATA_TABLE_ENTRY entry) { + static PECONV_FORCEINLINE bool IsModuleUnloaded(PLDR_DATA_TABLE_ENTRY entry) { if (RtlIsWindowsVersionOrGreater(6, 2, 0)) { // Windows 8+ return PLDR_DATA_TABLE_ENTRY_WIN8(entry)->DdagNode->State == LdrModulesUnloaded; } @@ -227,11 +232,17 @@ namespace details { NTSTATUS status = STATUS_SUCCESS; +#ifdef _MSC_VER +#define RtlFindMemoryBlockFromModuleSection__leave __leave +#else +#define RtlFindMemoryBlockFromModuleSection__leave return status +#endif + #ifdef _DEBUG std::cout << "Searching in section " << SectionName << " in module " << ModuleHandle << std::endl; #endif - __try { + PECONV_TRY_EXCEPT_BLOCK_START // // checks if no search pattern and length are provided @@ -241,7 +252,7 @@ namespace details { SearchContext->Result = nullptr; SearchContext->MemoryBlockSize = 0; status = STATUS_INVALID_PARAMETER; - __leave; + RtlFindMemoryBlockFromModuleSection__leave; } if (SearchContext->Result) { 
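Review bot: `RtlFindMemoryBlockFromModuleSection__leave` expands to `__leave` on MSVC but to `return status` elsewhere, and the two are not equivalent: `__leave` only exits the `__try` block and then runs whatever follows the handler, whereas `return status` leaves the function immediately, so any code after the `PECONV_TRY_EXCEPT_BLOCK_END` handler (the rest of the function is outside this hunk) is skipped on the non-MSVC path. If nothing but `return status;` follows the handler, say so where the macro is defined, e.g. `// non-MSVC: nothing runs after the handler, so an early return matches __leave`. The macro is also defined inside the function body and never undefined, so it leaks into the rest of the translation unit; add `#undef RtlFindMemoryBlockFromModuleSection__leave` after the function. The same substitution appears in the @@ -241, @@ -273 and @@ -289 hunks.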
@@ -273,12 +284,12 @@ namespace details { SearchContext->Result = nullptr; SearchContext->MemoryBlockSize = 0; status = STATUS_NOT_FOUND; - __leave; + RtlFindMemoryBlockFromModuleSection__leave; } } else { status = STATUS_INVALID_PARAMETER_1; - __leave; + RtlFindMemoryBlockFromModuleSection__leave; } } @@ -289,7 +300,7 @@ namespace details { LPBYTE end = SearchContext->Result + SearchContext->MemoryBlockSize - SearchContext->PatternSize; while (SearchContext->Result <= end) { if (RtlCompareMemory(SearchContext->SearchPattern, SearchContext->Result, SearchContext->PatternSize) == SearchContext->PatternSize) { - __leave; + RtlFindMemoryBlockFromModuleSection__leave; } ++SearchContext->Result; @@ -304,7 +315,7 @@ namespace details { SearchContext->MemoryBlockSize = 0; status = STATUS_NOT_FOUND; } - __except (EXCEPTION_EXECUTE_HANDLER) { + PECONV_TRY_EXCEPT_BLOCK_END status = GetExceptionCode(); } @@ -356,7 +367,7 @@ namespace details { SEARCH_CONTEXT SearchContext{}; SearchContext.SearchPattern = reinterpret_cast(&entry); SearchContext.PatternSize = sizeof(entry); - RtlSecureZeroMemory(&entry, sizeof entry); + RtlSecureZeroMemory(&entry, sizeof(entry)); // Windows 8 if (RtlVerifyVersion(6, 2, 0, RTL_VERIFY_FLAGS_MAJOR_VERSION | RTL_VERIFY_FLAGS_MINOR_VERSION)) { @@ -421,7 +432,7 @@ namespace details { auto NtdllHeaders = reinterpret_cast(RtlImageNtHeader(hNtdll)); PIMAGE_NT_HEADERS ModuleHeaders = nullptr; _RTL_INVERTED_FUNCTION_TABLE_ENTRY_WIN7_32 entry{}; - RtlSecureZeroMemory(&entry, sizeof entry); + RtlSecureZeroMemory(&entry, sizeof(entry)); LPCSTR lpSectionName = ".data"; SEARCH_CONTEXT SearchContext{ }; @@ -611,4 +622,4 @@ bool peconv::setup_exceptions(IN BYTE* modulePtr, IN size_t moduleSize) moduleSize = img_size; } return NT_SUCCESS(details::RtlInsertInvertedFunctionTable(modulePtr, moduleSize)); -} +} \ No newline at end of file
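Review bot: In the @@ -304 hunk the handler body `status = GetExceptionCode();` now sits under `PECONV_TRY_EXCEPT_BLOCK_END`, which on non-MSVC expands to `catch (...) {`; `GetExceptionCode()` is an SEH intrinsic that is only valid inside an `__except` handler, so this line will not build, or will not yield an NTSTATUS, on exactly the toolchains the macro was introduced for. The non-MSVC branch needs its own failure code, e.g. keep `status = GetExceptionCode();` under `#ifdef _MSC_VER` and put `status = STATUS_UNHANDLED_EXCEPTION;` in the `#else` branch. Note that the C++ `catch (...)` will not be reached for an access violation in the scan loop on GCC/Clang anyway, so the caller-side pointer validation that precedes the scan is the only protection on those builds. The enclosing function starts and ends outside this hunk.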