PE dump bugs fixed.

BeneficialCode · BeneficialCode · commit 6f35e5b52ea5 · 2025-02-05T16:18:26.000+08:00
diff --git a/PEParser/PEParser.cpp b/PEParser/PEParser.cpp
@@ -9,19 +9,35 @@
 #pragma comment(lib,"imagehlp")
 
 
-PEParser::PEParser(const wchar_t* path) :_path(path) {
-	_hFile = ::CreateFile(path, GENERIC_READ,
-		FILE_SHARE_READ, nullptr, OPEN_EXISTING, 0, nullptr);
-	if (_hFile == INVALID_HANDLE_VALUE)
-		return;
-	::GetFileSizeEx(_hFile, &_fileSize);
-	_hMemMap = ::CreateFileMapping(_hFile, nullptr, PAGE_READONLY, 0, 0, nullptr);
-	if (!_hMemMap)
-		return;
-
-	_address = (PBYTE)::MapViewOfFile(_hMemMap, FILE_MAP_READ, 0, 0, 0);
-	if (!_address)
-		return;
+PEParser::PEParser(const wchar_t* path,bool isScylla) :_path(path) {
+	if (isScylla) {
+		_hFile = ::CreateFile(path, GENERIC_READ|GENERIC_WRITE,
+			FILE_SHARE_READ| FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, 0, nullptr);
+		if (_hFile == INVALID_HANDLE_VALUE)
+			return;
+		::GetFileSizeEx(_hFile, &_fileSize);
+		_hMemMap = ::CreateFileMapping(_hFile, nullptr, PAGE_READWRITE, 0, 0, nullptr);
+		if (!_hMemMap)
+			return;
+
+		_address = (PBYTE)::MapViewOfFile(_hMemMap, FILE_MAP_READ|FILE_MAP_WRITE, 0, 0, 0);
+		if (!_address)
+			return;
+	}
+	else {
+		_hFile = ::CreateFile(path, GENERIC_READ,
+			FILE_SHARE_READ, nullptr, OPEN_EXISTING, 0, nullptr);
+		if (_hFile == INVALID_HANDLE_VALUE)
+			return;
+		::GetFileSizeEx(_hFile, &_fileSize);
+		_hMemMap = ::CreateFileMapping(_hFile, nullptr, PAGE_READONLY, 0, 0, nullptr);
+		if (!_hMemMap)
+			return;
+
+		_address = (PBYTE)::MapViewOfFile(_hMemMap, FILE_MAP_READ, 0, 0, 0);
+		if (!_address)
+			return;
+	}
 
 	CheckValidity();
 	if (IsValid()) {
@@ -665,16 +681,22 @@ void PEParser::AlignAllSectionHeaders() {
 	DWORD fileAlignment = GetFileAlignment();
 	DWORD newFileSize = 0;
 	
+
+	std::sort(_PESections.begin(), _PESections.end(), [](const PEFileSection& d1, const PEFileSection& d2) {
+		return d1._sectionHeader.PointerToRawData < d2._sectionHeader.PointerToRawData;
+	});
+
 	newFileSize = _dosHeader->e_lfanew + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER) +
-		_ntHeader->FileHeader.SizeOfOptionalHeader * sizeof(IMAGE_SECTION_HEADER);
+		_ntHeader->FileHeader.SizeOfOptionalHeader + GetSectionCount() * sizeof(IMAGE_SECTION_HEADER);
 
 	for (int i = 0; i < GetSectionCount(); ++i) {
-		sections[i].VirtualAddress = AlignValue(sections[i].VirtualAddress, sectionAlignment);
-		sections[i].Misc.VirtualSize = AlignValue(sections[i].Misc.VirtualSize, sectionAlignment);
+		_PESections[i]._sectionHeader.VirtualAddress = AlignValue(sections[i].VirtualAddress, sectionAlignment);
+		_PESections[i]._sectionHeader.Misc.VirtualSize = AlignValue(sections[i].Misc.VirtualSize, sectionAlignment);
 
-		sections[i].PointerToRawData = AlignValue(newFileSize, fileAlignment);
+		_PESections[i]._sectionHeader.PointerToRawData = AlignValue(newFileSize, fileAlignment);
+		_PESections[i]._sectionHeader.SizeOfRawData = AlignValue(_PESections[i]._dataSize, fileAlignment);
 		
-		newFileSize = sections[i].PointerToRawData + sections[i].SizeOfRawData;
+		newFileSize = _PESections[i]._sectionHeader.PointerToRawData + _PESections[i]._sectionHeader.SizeOfRawData;
 	}
 
 	std::sort(_PESections.begin(), _PESections.end(), [](const PEFileSection& d1, const PEFileSection& d2) {
@@ -717,6 +739,8 @@ void PEParser::FixPEHeader() {
 		_opt64->NumberOfRvaAndSizes = IMAGE_NUMBEROF_DIRECTORY_ENTRIES;
 		_fileHeader->SizeOfOptionalHeader = sizeof(IMAGE_OPTIONAL_HEADER64);
 
+		_opt64->SizeOfImage = GetSectionHeaderBasedSizeOfImage();
+
 		if (_moduleBase) {
 			_opt64->ImageBase = _moduleBase;
 		}
@@ -847,6 +871,7 @@ void PEParser::GetPESections() {
 
 	for (WORD i = 0; i < count; i++) {
 		_PESections[i]._normalSize = _sections[i].Misc.VirtualSize;
+		_PESections[i]._dataSize = _sections[i].Misc.VirtualSize;
 		offset = _sections[i].VirtualAddress;
 		GetPESectionData(offset, _PESections[i]);
 	}
@@ -938,8 +963,7 @@ bool PEParser::SavePEFileToDisk(const WCHAR* pNewFile) {
 		writeSize = sizeof(IMAGE_SECTION_HEADER);
 		auto sections = GetSections();
 		for (WORD i = 0; i < GetSectionCount(); i++) {
-			auto section = sections[i];
-			if (!WriteMemoryToFile(_hFile, fileOffset, writeSize, &section)) {
+			if (!WriteMemoryToFile(_hFile, fileOffset, writeSize, &_PESections[i]._sectionHeader)) {
 				ret = false;
 				break;
 			}
@@ -948,12 +972,11 @@ bool PEParser::SavePEFileToDisk(const WCHAR* pNewFile) {
 
 
 		for (WORD i = 0; i < GetSectionCount(); i++) {
-			auto section = sections[i];
-			if (!section.PointerToRawData)
+			if (!_PESections[i]._sectionHeader.PointerToRawData)
 				continue;
 
-			if (section.PointerToRawData > fileOffset) {
-				writeSize = section.PointerToRawData - fileOffset;
+			if (_PESections[i]._sectionHeader.PointerToRawData > fileOffset) {
+				writeSize = _PESections[i]._sectionHeader.PointerToRawData - fileOffset;
 
 				if (!WriteZeroMemoryToFile(_hFile, fileOffset, writeSize)) {
 					ret = false;
@@ -962,15 +985,24 @@ bool PEParser::SavePEFileToDisk(const WCHAR* pNewFile) {
 				fileOffset += writeSize;
 			}
 
-			writeSize = section.SizeOfRawData;
+			writeSize = _PESections[i]._sectionHeader.SizeOfRawData;
 
 			if (writeSize) {
-				BYTE* pData = GetFileAddress(section.PointerToRawData);
-				if (!WriteMemoryToFile(_hFile, section.PointerToRawData, writeSize, pData)) {
+				if (!WriteMemoryToFile(_hFile, _PESections[i]._sectionHeader.PointerToRawData, 
+					writeSize, _PESections[i]._pData)) {
 					ret = false;
 					break;
 				}
 				fileOffset += writeSize;
+
+				if (_PESections[i]._dataSize < _PESections[i]._sectionHeader.SizeOfRawData) {
+					writeSize = _PESections[i]._sectionHeader.SizeOfRawData - _PESections[i]._dataSize;
+					if (!WriteZeroMemoryToFile(_hFile, fileOffset, writeSize)) {
+						ret = false;
+						break;
+					}
+					fileOffset += writeSize;
+				}
 			}
 		}
 
diff --git a/PEParser/PEParser.h b/PEParser/PEParser.h
@@ -166,7 +166,7 @@ struct RelocInfo {
 
 class PEParser {
 public:
-	explicit PEParser(const wchar_t* path);
+	explicit PEParser(const wchar_t* path,bool isScylla = false);
 	~PEParser();
 	PEParser(void* base);
 
diff --git a/WinArk/ImportRebuilder.h b/WinArk/ImportRebuilder.h
@@ -8,7 +8,7 @@
 
 class ImportRebuilder: public PEParser{
 public:
-	ImportRebuilder(const WCHAR* file): PEParser(file) {
+	ImportRebuilder(const WCHAR* file): PEParser(file,true) {
 	}
 	bool RebuildImportTable(const WCHAR* newFilePath, std::map<DWORD_PTR, ImportModuleThunk>& moduleThunkMap);
 	void EnableOFTSupport();
diff --git a/WinArk/ProcessAccessHelper.cpp b/WinArk/ProcessAccessHelper.cpp
@@ -362,8 +362,12 @@ bool ProcessAccessHelper::GetProcessModules(HANDLE hProcess, std::vector<ModuleI
 
 	for (auto& info : infos) {
 		std::wstring path = info.get()->Path;
+		std::wstring name = info.get()->Name;
 		if (path.empty())
 			continue;
+		if (_wcsicmp(L"kernelbase.dll", name.c_str()) == 0)
+			continue;
+		
 
 		module._modBaseAddr = (DWORD_PTR)info.get()->Base;
 		module._modBaseSize = info.get()->ModuleSize;
diff --git a/WinArk/ScyllaDlg.cpp b/WinArk/ScyllaDlg.cpp
@@ -4,6 +4,7 @@
 #include "Architecture.h"
 #include "IATSearcher.h"
 #include <PEParser.h>
+#include "ImportRebuilder.h"
 
 
 CScyllaDlg::CScyllaDlg(const WinSys::ProcessManager& pm, ProcessInfoEx& px)
@@ -347,13 +348,15 @@ bool CScyllaDlg::GetCurrentDefaultDumpFilename(WCHAR* pBuffer, size_t bufSize) {
 		wcscpy_s(fullPath, m_px.GetExecutablePath().c_str());
 	}
 
-	WCHAR* pSlash = wcsrchr(fullPath, L'\\');
-	if (pSlash) {
-		pSlash++;
+	WCHAR* pTemp = wcsrchr(fullPath, L'\\');
+	if (pTemp) {
+		pTemp++;
+
+		wcscpy_s(pBuffer, bufSize, pTemp);
 
-		wcscpy_s(pBuffer, bufSize, pSlash);
-		if (pSlash) {
-			*pSlash = 0;
+		pTemp = wcsrchr(pBuffer, L'.');
+		if (pTemp) {
+			*pTemp = 0;
 			if (ProcessAccessHelper::_pSelectedModule) {
 				wcscat_s(pBuffer, bufSize, L"_dump.dll");
 			}
@@ -396,4 +399,171 @@ bool CScyllaDlg::ShowFileDialog(WCHAR* pSelectedFile, bool save, const WCHAR* pD
 		return 0 != GetSaveFileName(&ofn);
 	else
 		return 0 != GetOpenFileName(&ofn);
+}
+
+void CScyllaDlg::OnFixDump(UINT uNotifyCode, int nID, CWindow wndCtl) {
+	FixDumpHandler();
+}
+
+void CScyllaDlg::FixDumpHandler() {
+	if (_treeImports.GetCount() < 2) {
+		return;
+	}
+
+	WCHAR newFilePath[MAX_PATH] = { 0 };
+	WCHAR selectedFilePath[MAX_PATH] = { 0 };
+	const WCHAR* pFileFilter = nullptr;
+	DWORD_PTR modBase = 0;
+	DWORD_PTR entryPoint = _oepAddress.GetValue();
+
+	if (ProcessAccessHelper::_pSelectedModule) {
+		modBase = ProcessAccessHelper::_pSelectedModule->_modBaseAddr;
+		pFileFilter = s_FilterDll;
+	}
+	else {
+		modBase = ProcessAccessHelper::_targetImageBase;
+		pFileFilter = s_FilterExe;
+	}
+
+	GetCurrentModulePath(_text, _countof(_text));
+	if (ShowFileDialog(selectedFilePath, false, nullptr, pFileFilter, nullptr, _text)) {
+		wcscpy_s(newFilePath, selectedFilePath);
+
+		const WCHAR* pExtension = nullptr;
+		WCHAR* pDot = wcsrchr(newFilePath, L'.');
+		if (pDot) {
+			*pDot = L'\0';
+			pExtension = selectedFilePath + (pDot - newFilePath);
+		}
+
+		wcscat_s(newFilePath, L"_SCY");
+
+		if (pExtension) {
+			wcscat_s(newFilePath, pExtension);
+		}
+
+		ImportRebuilder rebuilder(selectedFilePath);
+
+		rebuilder.RebuildImportTable(newFilePath, _importsHandling.m_ModuleMap);
+	}
+}
+
+void CScyllaDlg::OnPERebuild(UINT uNotifyCode, int nID, CWindow wndCtl) {
+	PERebuildHandler();
+}
+
+void CScyllaDlg::PERebuildHandler() {
+	DWORD newSize = 0;
+	WCHAR selectedFilePath[MAX_PATH] = { 0 };
+
+	GetCurrentModulePath(_text, _countof(_text));
+	if (ShowFileDialog(selectedFilePath, false, nullptr, s_FilterExeDll, nullptr, _text)) {
+		DWORD fileSize = ProcessAccessHelper::GetFileSize(selectedFilePath);
+		
+		PEParser parser(selectedFilePath, true);
+
+		if (!parser.IsValid()) {
+			return;
+		}
+
+		parser.GetPESections();
+		parser.SetDefaultFileAligment();
+		parser.AlignAllSectionHeaders();
+		parser.FixPEHeader();
+		parser.SavePEFileToDisk(selectedFilePath);
+	}
+}
+
+CTreeItem CScyllaDlg::FindTreeItem(CPoint pt, bool screenCoordinates) {
+	if (screenCoordinates) {
+		_treeImports.ScreenToClient(&pt);
+	}
+	UINT flags;
+	CTreeItem over = _treeImports.HitTest(pt, &flags);
+	if (over) {
+		if (!(flags & TVHT_ONITEM))
+		{
+			over.m_hTreeItem = NULL;
+		}
+	}
+	return over;
+}
+
+LRESULT CScyllaDlg::OnTreeImportsDoubleClick(const NMHDR* pnmh) {
+	if (_treeImports.GetCount() < 1)
+		return 0;
+
+	CTreeItem over = FindTreeItem(CPoint(GetMessagePos()), true);
+	if (over && _importsHandling.IsImport(over)) {
+		// todo: Pick API Handler
+
+	}
+
+	return 0;
+}
+
+LRESULT CScyllaDlg::OnTreeImportsKeyDown(const NMHDR* pnmh) {
+	const NMTVKEYDOWN* tkd = (NMTVKEYDOWN*)pnmh;
+	switch (tkd->wVKey)
+	{
+		case VK_RETURN:
+		{
+			CTreeItem selected = _treeImports.GetFocusItem();
+			if (!selected.IsNull() && _importsHandling.IsImport(selected))
+			{
+				// to do: Pick API handler
+			}
+		}
+		return 1;
+		case VK_DELETE:
+			DeleteSelectedImportsHandler();
+			return 1;
+	}
+
+	SetMsgHandled(FALSE);
+	return 0;
+}
+
+void CScyllaDlg::DeleteSelectedImportsHandler() {
+	CTreeItem selected = _treeImports.GetFirstSelectedItem();
+	while (!selected.IsNull())
+	{
+		if (_importsHandling.IsModule(selected))
+		{
+			_importsHandling.CutModule(selected);
+		}
+		else
+		{
+			_importsHandling.CutImport(selected);
+		}
+		selected = _treeImports.GetNextSelectedItem(selected);
+	}
+	UpdateStatusBar();
+}
+
+void CScyllaDlg::OnInvalidImports(UINT uNotifyCode, int nID, CWindow wndCtl) {
+	ShowInvalidImportsHandler();
+}
+
+void CScyllaDlg::OnSuspectImports(UINT uNotifyCode, int nID, CWindow wndCtl) {
+	ShowSuspectImportsHandler();
+}
+
+void CScyllaDlg::OnClearImports(UINT uNotifyCode, int nID, CWindow wndCtl) {
+	ClearImportsHandler();
+}
+
+void CScyllaDlg::ShowInvalidImportsHandler() {
+	_importsHandling.SelectImports(true, false);
+	GotoDlgCtrl(_treeImports);
+}
+
+void CScyllaDlg::ShowSuspectImportsHandler() {
+	_importsHandling.SelectImports(false, true);
+	GotoDlgCtrl(_treeImports);
+}
+
+void CScyllaDlg::ClearImportsHandler() {
+	_importsHandling.ClearAllImports();
+	UpdateStatusBar();
 }
diff --git a/WinArk/ScyllaDlg.h b/WinArk/ScyllaDlg.h
diff --git a/WinArk/WinArk.rc b/WinArk/WinArk.rc

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`
`9`	`9`	`class ImportRebuilder: public PEParser{`
`10`	`10`	`public:`
`11`		`- ImportRebuilder(const WCHAR* file): PEParser(file) {`
	`11`	`+ ImportRebuilder(const WCHAR* file): PEParser(file,true) {`
`12`	`12`	`}`
`13`	`13`	`bool RebuildImportTable(const WCHAR* newFilePath, std::map<DWORD_PTR, ImportModuleThunk>& moduleThunkMap);`
`14`	`14`	`void EnableOFTSupport();`