fixup the HexEdit bug.

Author: BeneficialCode

PEParser/PEParser.cpp

@@ -30,6 +30,7 @@ PEParser::PEParser(const wchar_t* path) :_path(path) {
 
 PEParser::PEParser(void* base) {
 	_address = reinterpret_cast<PUCHAR>(base);
+	_moduleBase = (DWORD_PTR)base;
 	CheckValidity();
 }
 
@@ -82,6 +83,10 @@ int PEParser::GetSectionCount() const {
 	return _fileHeader->NumberOfSections;
 }
 
+void PEParser::SetSectionCount(WORD count) {
+	_fileHeader->NumberOfSections = count;
+}
+
 const IMAGE_SECTION_HEADER* PEParser::GetSectionHeader(ULONG section) const {
 	if (!IsValid() || section >= _fileHeader->NumberOfSections)
 		return nullptr;
@@ -107,6 +112,23 @@ const IMAGE_DOS_HEADER& PEParser::GetDosHeader() const {
 	return *_dosHeader;
 }
 
+BYTE* PEParser::GetDosStub() {
+	BYTE* pDosStub = nullptr;
+
+	if (_dosHeader->e_lfanew > sizeof(IMAGE_DOS_HEADER)) {
+		pDosStub = (BYTE*)((DWORD_PTR)_dosHeader + sizeof(IMAGE_DOS_HEADER));
+	}
+	else if (_dosHeader->e_lfanew < sizeof(IMAGE_DOS_HEADER)) {
+		_dosHeader->e_lfanew = sizeof(IMAGE_DOS_HEADER);
+	}
+
+	return pDosStub;
+}
+
+IMAGE_NT_HEADERS64* PEParser::GetNtHeader() {
+	return _ntHeader;
+}
+
 void* PEParser::GetBaseAddress() const {
 	return _address;
 }
@@ -262,6 +284,10 @@ void* PEParser::GetAddress(unsigned rva) const {
 	return ::ImageRvaToVa(::ImageNtHeader(_address), _address, rva, nullptr);
 }
 
+BYTE* PEParser::GetFileAddress(DWORD offset) {
+	return _address + offset;
+}
+
 SubsystemType PEParser::GetSubsystemType() const {
 	if (IsPe64())
 		return static_cast<SubsystemType>(GetOptionalHeader64().Subsystem);
@@ -307,6 +333,19 @@ unsigned PEParser::RvaToFileOffset(unsigned rva) const {
 	return rva;
 }
 
+DWORD_PTR PEParser::FileOffsetToRva(DWORD_PTR offset) {
+	auto sections = _sections;
+	for (int i = 0; i < GetSectionCount(); ++i) {
+		if ((sections[i].PointerToRawData <= offset) && 
+			((sections[i].PointerToRawData + sections[i].SizeOfRawData) > offset))
+		{
+			return ((offset - sections[i].PointerToRawData) + sections[i].VirtualAddress);
+		}
+	}
+
+	return 0;
+}
+
 DWORD_PTR PEParser::RVAToRelativeOffset(DWORD_PTR rva) const {
 	auto sections = _sections;
 	for (int i = 0; i < GetSectionCount(); ++i) {
@@ -327,6 +366,19 @@ int PEParser::RVAToSectionIndex(DWORD_PTR rva) const {
 	return -1;
 }
 
+DWORD PEParser::GetSectionHeaderBasedSizeOfImage() {
+	DWORD lastVirtualOffset = 0, lastVirtualSize = 0;
+
+	for (WORD i = 0; i < GetSectionCount(); i++) {
+		if ((_sections[i].VirtualAddress + _sections[i].Misc.VirtualSize) > (lastVirtualOffset + lastVirtualSize)) {
+			lastVirtualOffset = _sections[i].VirtualAddress;
+			lastVirtualSize = _sections[i].Misc.VirtualSize;
+		}
+	}
+
+	return lastVirtualSize + lastVirtualOffset;
+}
+
 bool PEParser::GetImportAddressTable() const {
 	auto dir = GetDataDirectory(IMAGE_DIRECTORY_ENTRY_IAT);
 	if (dir->Size == 0)
@@ -546,4 +598,136 @@ void PEParser::AlignAllSectionHeaders() {
 
 		newFileSize = sections[i].PointerToRawData + sections[i].SizeOfRawData;
 	}
+}
+
+void PEParser::FixPEHeader() {
+	DWORD size = _dosHeader->e_lfanew + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER);
+
+	if (!IsPe64()) {
+		_opt32->DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = 0;
+		_opt32->DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;
+
+		for (DWORD i = _opt32->NumberOfRvaAndSizes; i < IMAGE_NUMBEROF_DIRECTORY_ENTRIES; i++) {
+			_opt32->DataDirectory[i].Size = 0;
+			_opt32->DataDirectory[i].VirtualAddress = 0;
+		}
+		_opt32->NumberOfRvaAndSizes = IMAGE_NUMBEROF_DIRECTORY_ENTRIES;
+		_fileHeader->SizeOfOptionalHeader = sizeof(IMAGE_OPTIONAL_HEADER32);
+
+		_opt32->SizeOfImage = GetSectionHeaderBasedSizeOfImage();
+
+		if (_moduleBase) {
+			_opt32->ImageBase = _moduleBase;;
+		}
+
+		_opt32->SizeOfHeaders = AlignValue(size + _ntHeader->FileHeader.SizeOfOptionalHeader
+			+ GetSectionCount() * sizeof(IMAGE_SECTION_HEADER), _opt32->FileAlignment);
+	}
+	else {
+		_opt64->DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = 0;
+		_opt64->DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;
+
+		for (DWORD i = _opt64->NumberOfRvaAndSizes; i < IMAGE_NUMBEROF_DIRECTORY_ENTRIES; i++) {
+			_opt64->DataDirectory[i].Size = 0;
+			_opt64->DataDirectory[i].VirtualAddress = 0;
+		}
+
+		_opt64->NumberOfRvaAndSizes = IMAGE_NUMBEROF_DIRECTORY_ENTRIES;
+		_fileHeader->SizeOfOptionalHeader = sizeof(IMAGE_OPTIONAL_HEADER64);
+
+		if (_moduleBase) {
+			_opt64->ImageBase = _moduleBase;
+		}
+
+		_opt64->SizeOfHeaders = AlignValue(size + _fileHeader->SizeOfOptionalHeader +
+			+GetSectionCount() * sizeof(IMAGE_SECTION_HEADER), _opt64->FileAlignment);
+	}
+
+	RemoveIATDirectory();
+}
+
+void PEParser::RemoveIATDirectory() {
+	DWORD searchAddress = 0;
+
+	if (!IsPe64()) {
+		searchAddress = _opt32->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress;
+		_opt32->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress = 0;
+		_opt32->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size = 0;
+	}
+	else {
+		searchAddress = _opt64->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress;
+		_opt64->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress = 0;
+		_opt64->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size = 0;
+	}
+
+	if (searchAddress) {
+		for (WORD i = 0; i < GetSectionCount(); i++) {
+			if (_sections[i].VirtualAddress <= searchAddress &&
+				(_sections[i].VirtualAddress + _sections[i].Misc.VirtualSize) > searchAddress) {
+				_sections[i].Characteristics |= IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE;
+			}
+		}
+	}
+}
+
+DWORD PEParser::GetSectionHeaderBasedFileSize() {
+	DWORD lastRawOffset = 0, lastRawSize = 0;
+
+	for (WORD i = 0; i < GetSectionCount(); i++) {
+		auto section = _sections[i];
+		if ((section.PointerToRawData + section.SizeOfRawData) > (lastRawOffset + lastRawSize))
+		{
+			lastRawOffset = section.PointerToRawData;
+			lastRawSize = section.SizeOfRawData;
+		}
+	}
+
+	return lastRawSize + lastRawOffset;
+}
+
+bool PEParser::AddNewLastSection(const char* pSectionName, DWORD sectionSize, BYTE* pSectionData) {
+	size_t len = strlen(pSectionName);
+	DWORD fileAlignment = 0, sectionAlignment = 0;
+	PEFileSection peFileSection;
+
+	if (len > IMAGE_SIZEOF_SHORT_NAME) {
+		return false;
+	}
+
+	if (!IsPe64()) {
+		fileAlignment = _opt32->FileAlignment;
+		sectionAlignment = _opt32->SectionAlignment;
+	}
+	else {
+		fileAlignment = _opt64->FileAlignment;
+		sectionAlignment = _opt64->SectionAlignment;
+	}
+
+	memcpy_s(peFileSection._sectionHeader.Name, IMAGE_SIZEOF_SHORT_NAME, pSectionName, len);
+
+	peFileSection._sectionHeader.SizeOfRawData = sectionSize;
+	peFileSection._sectionHeader.Misc.VirtualSize = AlignValue(sectionSize, sectionAlignment);
+
+	peFileSection._sectionHeader.PointerToRawData = AlignValue(GetSectionHeaderBasedFileSize(), fileAlignment);
+	peFileSection._sectionHeader.VirtualAddress = AlignValue(GetSectionHeaderBasedSizeOfImage(), sectionAlignment);
+
+	peFileSection._sectionHeader.Characteristics = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ 
+		| IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA;
+	
+	peFileSection._normalSize = peFileSection._sectionHeader.SizeOfRawData;
+	peFileSection._dataSize = peFileSection._sectionHeader.SizeOfRawData;
+
+	if (pSectionData == nullptr) {
+		peFileSection._pData = new BYTE[peFileSection._sectionHeader.SizeOfRawData];
+		ZeroMemory(peFileSection._pData, peFileSection._sectionHeader.SizeOfRawData);
+	}
+	else {
+		peFileSection._pData = pSectionData;
+	}
+
+	_PESections.push_back(peFileSection);
+
+	SetSectionCount(GetSectionCount() + 1);
+
+	return true;
 }

PEParser/PEParser.h

@@ -146,6 +146,18 @@ struct ResourceInfo {
 	bool IsId{ false };
 };
 
+class PEFileSection {
+public:
+	IMAGE_SECTION_HEADER _sectionHeader;
+	BYTE* _pData = nullptr;
+	DWORD _dataSize = 0;
+	DWORD _normalSize = 0;
+
+	PEFileSection() {
+		ZeroMemory(&_sectionHeader, sizeof(IMAGE_SECTION_HEADER));
+	}
+};
+
 struct RelocInfo {
 	uint64_t address;
 	uint16_t* item;
@@ -166,7 +178,10 @@ class PEParser {
 	bool HasImports() const;
 	bool IsSystemFile() const;
 
+	void FixPEHeader();
+
 	int GetSectionCount() const;
+	void SetSectionCount(WORD count);
 	const IMAGE_SECTION_HEADER* GetSectionHeader(ULONG section) const;
 	const IMAGE_DATA_DIRECTORY* GetDataDirectory(int index) const;
 	const IMAGE_DOS_HEADER& GetDosHeader() const;
@@ -176,6 +191,11 @@ class PEParser {
 
 	ULONGLONG GetImageBase() const;
 
+	void RemoveIATDirectory();
+
+	DWORD GetSectionHeaderBasedFileSize();
+	DWORD GetSectionHeaderBasedSizeOfImage();
+
 	DWORD GetImageSize() const;
 	DWORD GetHeadersSize() const;
 	DWORD GetAddressOfEntryPoint() const;
@@ -200,6 +220,8 @@ class PEParser {
 
 	void* GetMemAddress(unsigned rva) const;
 
+	BYTE* GetFileAddress(DWORD offset);
+
 	SubsystemType GetSubsystemType() const;
 
 	IMAGE_OPTIONAL_HEADER64& GetOptionalHeader64() const {
@@ -228,15 +250,24 @@ class PEParser {
 	DWORD_PTR RVAToRelativeOffset(DWORD_PTR rva) const;
 	int RVAToSectionIndex(DWORD_PTR rva) const;
 	IMAGE_SECTION_HEADER* GetSections();
+	DWORD_PTR FileOffsetToRva(DWORD_PTR offset);
 
 	LARGE_INTEGER GetFileSize() const;
 
 	std::vector<RelocInfo> GetRelocs(void* imageBase);
 	static void RelocateImageByDelta(std::vector<RelocInfo>& relocs, const uint64_t delta);
 
+	BYTE* GetDosStub();
+
+	IMAGE_NT_HEADERS64* GetNtHeader();
+
+	std::vector<PEFileSection> _PESections;
+
 protected:
 	static const DWORD _fileAlignmentConstant = 0x200;
 
+	bool AddNewLastSection(const char* pSectionName, DWORD sectionSize, BYTE* pSectionData);
+
 private:
 	bool IsObjectPe64() const;
 	void CheckValidity();
@@ -245,12 +276,13 @@ class PEParser {
 	//CString GetResourceName(void* data) const;
 
 	PBYTE _address{ nullptr };
+	DWORD_PTR _moduleBase = 0;
 	LARGE_INTEGER _fileSize{ 0 };
 	HMODULE _module{ nullptr };
 	HANDLE _hMemMap{ nullptr };
 	HANDLE _hFile{ INVALID_HANDLE_VALUE };
 	IMAGE_DOS_HEADER* _dosHeader = nullptr;
-	IMAGE_NT_HEADERS64* _ntHeader=nullptr;
+	IMAGE_NT_HEADERS64* _ntHeader = nullptr;
 	IMAGE_FILE_HEADER* _fileHeader = nullptr;
 	IMAGE_SECTION_HEADER* _sections = nullptr;
 	IMAGE_OPTIONAL_HEADER32* _opt32{ nullptr };

WinArk/DPCTimerTable.cpp

@@ -10,9 +10,14 @@ LRESULT CDpcTimerTable::OnCreate(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL&
 	return 0;
 }
 
+LRESULT CDpcTimerTable::OnEraseBackground(UINT, WPARAM wParam, LPARAM, BOOL&) {
+	return 1;
+}
+
 LRESULT CDpcTimerTable::OnDestroy(UINT uMsg, WPARAM wParam, LPARAM lparam, BOOL& /*bHandled*/) {
 	return 0;
 }
+
 LRESULT CDpcTimerTable::OnPaint(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL& /*bHandled*/) {
 	PaintTable(m_hWnd);
 	return 0;
@@ -47,15 +52,19 @@ LRESULT CDpcTimerTable::OnMouseWheel(UINT uMsg, WPARAM wParam, LPARAM lParam, BO
 	int zDelta = GET_WHEEL_DELTA_WPARAM(wParam);
 	return Tablefunction(m_hWnd, WM_VSCROLL, zDelta >= 0 ? 0 : 1, wParam);
 }
+
 LRESULT CDpcTimerTable::OnMouseMove(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL& /*bHandled*/) {
 	return Tablefunction(m_hWnd, uMsg, wParam, lParam);
 }
+
 LRESULT CDpcTimerTable::OnLBtnDown(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL& /*bHandled*/) {
 	return Tablefunction(m_hWnd, uMsg, wParam, lParam);
 }
+
 LRESULT CDpcTimerTable::OnLBtnUp(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL& /*bHandled*/) {
 	return Tablefunction(m_hWnd, uMsg, wParam, lParam);
 }
+
 LRESULT CDpcTimerTable::OnRBtnDown(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL& /*bHandled*/) {
 	CMenu menu;
 	CMenuHandle hSubMenu;
@@ -73,6 +82,7 @@ LRESULT CDpcTimerTable::OnRBtnDown(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL
 
 	return 0;
 }
+
 LRESULT CDpcTimerTable::OnUserSts(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL& /*bHandled*/) {
 	return Tablefunction(m_hWnd, uMsg, wParam, lParam);
 }
@@ -129,7 +139,7 @@ int CDpcTimerTable::ParseTableEntry(CString& s, char& mask, int& select, std::sh
 			break;
 
 		case Column::DueTime:
-			s.Format(L"0x%x", info->DueTime);
+			s.Format(L"0x%x", info->DueTime.QuadPart);
 			break;
 	}
 	return s.GetLength();
@@ -142,7 +152,6 @@ void CDpcTimerTable::Refresh() {
 	ULONG size = SymbolHelper::GetKernelStructSize("_KTIMER_TABLE_ENTRY");
 	KernelTimerData data;
 	if (size != 0) {
-		
 		ULONG entryCount = memberSize / size;
 		data.entriesOffset = SymbolHelper::GetKernelStructMemberOffset("_KTIMER_TABLE", "TimerEntries");
 		data.maxEntryCount = entryCount;

WinArk/DPCTimerTable.h

@@ -21,6 +21,7 @@ class CDpcTimerTable :
 		MESSAGE_HANDLER(WM_USER_VABS, OnUserVabs)
 		MESSAGE_HANDLER(WM_USER_VREL, OnUserVrel)
 		MESSAGE_HANDLER(WM_USER_CHGS, OnUserChgs)
+		MESSAGE_HANDLER(WM_ERASEBKGND, OnEraseBackground)
 		MESSAGE_HANDLER(WM_MOUSEWHEEL, OnMouseWheel)
 		MESSAGE_HANDLER(WM_MOUSEMOVE, OnMouseMove)
 		MESSAGE_HANDLER(WM_LBUTTONDOWN, OnLBtnDown)
@@ -56,6 +57,7 @@ class CDpcTimerTable :
 	LRESULT OnKeyDown(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL& /*bHandled*/);
 	LRESULT OnSysKeyDown(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL& /*bHandled*/);
 	LRESULT OnGetDlgCode(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lParam*/, BOOL& /*bHandled*/);
+	LRESULT OnEraseBackground(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lParam*/, BOOL& /*bHandled*/);
 
 	LRESULT OnRefresh(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/);