|
3 | 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework |
4 | 4 | # |
5 | 5 |
|
6 | | -import os, pefile, pickle, traceback |
| 6 | +import os, pefile, pickle, secrets, traceback |
7 | 7 | from typing import Any, MutableMapping, Optional, Mapping, Sequence |
8 | 8 |
|
9 | 9 | from qiling import Qiling |
@@ -608,6 +608,21 @@ def load(self): |
608 | 608 | self.pe.parse_data_directories() |
609 | 609 | data = bytearray(self.pe.get_memory_mapped_image()) |
610 | 610 | self.ql.mem.write(self.pe_image_address, bytes(data)) |
| 611 | + |
| 612 | + if self.is_driver: |
| 613 | + # setup IMAGE_LOAD_CONFIG_DIRECTORY |
| 614 | + if self.pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG']].VirtualAddress != 0: |
| 615 | + SecurityCookie_rva = self.pe.DIRECTORY_ENTRY_LOAD_CONFIG.struct.SecurityCookie - self.pe.OPTIONAL_HEADER.ImageBase |
| 616 | + SecurityCookie_value = default_security_cookie_value = self.ql.mem.read(self.pe_image_address+SecurityCookie_rva, self.ql.pointersize) |
| 617 | + while SecurityCookie_value == default_security_cookie_value: |
| 618 | + SecurityCookie_value = secrets.token_bytes(self.ql.pointersize) |
| 619 | + # rol rcx, 10h (rcx: cookie) |
| 620 | + # test cx, 0FFFFh |
| 621 | + SecurityCookie_value_array = bytearray(SecurityCookie_value) |
| 622 | + # Sanity question: We are always little endian, right? |
| 623 | + SecurityCookie_value_array[-2:] = b'\x00\x00' |
| 624 | + SecurityCookie_value = bytes(SecurityCookie_value_array) |
| 625 | + self.ql.mem.write(self.pe_image_address+SecurityCookie_rva, SecurityCookie_value) |
611 | 626 |
|
612 | 627 | # Add main PE to ldr_data_table |
613 | 628 | mod_name = os.path.basename(self.path) |
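Review bot: The `!= default` guard in the new `while` loop compares the raw random bytes, but the value actually written is produced afterwards when the top two bytes are zeroed, so the check never sees the final cookie; and a zero `SecurityCookie` field (load config present, image built without a GS cookie) gives a negative RVA that is then read from and written to. Generating the already-masked value inside the loop and skipping the block when the field is zero fixes both, and `hasattr(self.pe, 'DIRECTORY_ENTRY_LOAD_CONFIG')` is a cheaper guard than the data-directory lookup since pefile sets that attribute only when the directory parsed. The `rol rcx, 10h` / `test cx, 0FFFFh` sequence is the x64 `__security_init_cookie` check; I can't confirm from this hunk that the 32-bit CRT expects the same high-word-zero layout, so the 4-byte case deserves a comment or an explicit condition. `load` begins outside the hunk.
```python
if self.is_driver and hasattr(self.pe, 'DIRECTORY_ENTRY_LOAD_CONFIG'):
    cookie_va = self.pe.DIRECTORY_ENTRY_LOAD_CONFIG.struct.SecurityCookie
    if cookie_va:
        SecurityCookie_rva = cookie_va - self.pe.OPTIONAL_HEADER.ImageBase
        default_security_cookie_value = self.ql.mem.read(self.pe_image_address + SecurityCookie_rva, self.ql.pointersize)
        SecurityCookie_value = default_security_cookie_value
        while SecurityCookie_value == default_security_cookie_value:
            # high 16 bits cleared (little-endian tail) so the x64 CRT init
            # sees a non-default, already-initialized cookie and skips itself
            SecurityCookie_value = secrets.token_bytes(self.ql.pointersize - 2) + b'\x00\x00'
        self.ql.mem.write(self.pe_image_address + SecurityCookie_rva, SecurityCookie_value)
```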
|