本文整理汇总了C++中RtlImageNtHeader函数的典型用法代码示例。如果您正苦于以下问题:C++ RtlImageNtHeader函数的具体用法?C++ RtlImageNtHeader怎么用?C++ RtlImageNtHeader使用的例子?那么, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了RtlImageNtHeader函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: FreeLibrary
/*
* @implemented
*/
BOOL WINAPI FreeLibrary(HINSTANCE hLibModule)
{
NTSTATUS Status;
PIMAGE_NT_HEADERS NtHeaders;
if (LDR_IS_DATAFILE(hLibModule))
{
// FIXME: This SEH should go inside RtlImageNtHeader instead
_SEH2_TRY
{
/* This is a LOAD_LIBRARY_AS_DATAFILE module, check if it's a valid one */
NtHeaders = RtlImageNtHeader((PVOID)((ULONG_PTR)hLibModule & ~1));
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
NtHeaders = NULL;
} _SEH2_END
if (NtHeaders)
{
/* Unmap view */
Status = NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)((ULONG_PTR)hLibModule & ~1));
/* Unload alternate resource module */
LdrUnloadAlternateResourceModule(hLibModule);
}
else
Status = STATUS_INVALID_IMAGE_FORMAT;
}
else
{
示例2: GetModuleExportDirectoryAddr
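//returns a pointer to the absolute linear address of the export directory
//of the given module in memory using undocumented api
//
//ModuleBaseAddr is treated as the base of an image whose RVAs can be added
//directly to the base. Returns NULL when RtlImageNtHeader does not find NT
//headers, when the image declares no export directory, or when the export
//directory entry does not fit inside the range the headers declare
//(SizeOfImage).
PIMAGE_EXPORT_DIRECTORY GetModuleExportDirectoryAddr(PVOID ModuleBaseAddr)
{
    PIMAGE_NT_HEADERS pHeader = NULL;
    PIMAGE_DATA_DIRECTORY pDataDirectory = NULL;

    //returns a pointer to the linear address of the IMAGE_NT_HEADERS
    //structure in memory of the given module using undocumented API
    pHeader = RtlImageNtHeader(ModuleBaseAddr);
    if (pHeader == NULL)
        return NULL;

    //only the first NumberOfRvaAndSizes entries of DataDirectory are
    //meaningful; do not read the export slot if the header says it is absent
    if (pHeader->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT)
        return NULL;

    //the data directory is at a given offset from the optional_header
    pDataDirectory = pHeader->OptionalHeader.DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT;

    //an RVA of zero means "no exports"; a size smaller than the directory
    //structure cannot describe a usable export directory
    if (pDataDirectory->VirtualAddress == 0 ||
        pDataDirectory->Size < sizeof(IMAGE_EXPORT_DIRECTORY))
        return NULL;

    //both fields come straight from the image and may be malformed, so make
    //sure [VirtualAddress, VirtualAddress + Size) stays inside SizeOfImage
    //before turning the RVA into a pointer. The subtraction form cannot wrap.
    if (pDataDirectory->VirtualAddress >= pHeader->OptionalHeader.SizeOfImage ||
        pDataDirectory->Size > pHeader->OptionalHeader.SizeOfImage - pDataDirectory->VirtualAddress)
        return NULL;

    return (PIMAGE_EXPORT_DIRECTORY)((PBYTE)ModuleBaseAddr + pDataDirectory->VirtualAddress);
}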
示例3: init_driver
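/* call the driver init entry point
 *
 * Locates the entry point of the loaded driver image, fills in the global
 * driver_obj / driver_extension pair and calls the entry point with them.
 *
 * Returns the status produced by the driver's init routine, STATUS_SUCCESS
 * when the image has no entry point, or STATUS_INVALID_IMAGE_FORMAT when no
 * NT headers can be found at 'module'.
 */
static NTSTATUS init_driver( HMODULE module, UNICODE_STRING *keyname )
{
    unsigned int i;
    NTSTATUS status;
    const IMAGE_NT_HEADERS *nt = RtlImageNtHeader( module );

    /* RtlImageNtHeader can return NULL; fail cleanly instead of dereferencing it */
    if (!nt) return STATUS_INVALID_IMAGE_FORMAT;
    if (!nt->OptionalHeader.AddressOfEntryPoint) return STATUS_SUCCESS;

    driver_obj.Size            = sizeof(driver_obj);
    driver_obj.DriverSection   = find_ldr_module( module );
    /* NOTE(review): the entry point RVA is taken from the header as-is and is not
     * compared with SizeOfImage here; presumably the loader validated the image
     * before this point - confirm against the caller */
    driver_obj.DriverInit      = (PDRIVER_INITIALIZE)((char *)module + nt->OptionalHeader.AddressOfEntryPoint);
    driver_obj.DriverExtension = &driver_extension;

    driver_extension.DriverObject   = &driver_obj;
    driver_extension.ServiceKeyName = *keyname;

    if (WINE_TRACE_ON(relay))
        WINE_DPRINTF( "%04x:Call driver init %p (obj=%p,str=%s)\n", GetCurrentThreadId(),
                      driver_obj.DriverInit, &driver_obj, wine_dbgstr_w(keyname->Buffer) );

    status = driver_obj.DriverInit( &driver_obj, keyname );

    if (WINE_TRACE_ON(relay))
        WINE_DPRINTF( "%04x:Ret  driver init %p (obj=%p,str=%s) retval=%08x\n", GetCurrentThreadId(),
                      driver_obj.DriverInit, &driver_obj, wine_dbgstr_w(keyname->Buffer), status );

    /* dump the dispatch table the driver registered, for debugging */
    WINE_TRACE( "init done for %s obj %p\n", wine_dbgstr_w(driver_name), &driver_obj );
    WINE_TRACE( "- DriverInit = %p\n", driver_obj.DriverInit );
    WINE_TRACE( "- DriverStartIo = %p\n", driver_obj.DriverStartIo );
    WINE_TRACE( "- DriverUnload = %p\n", driver_obj.DriverUnload );
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        WINE_TRACE( "- MajorFunction[%d] = %p\n", i, driver_obj.MajorFunction[i] );

    return status;
}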
示例4: GetImageCodeBase
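ULONG
GetImageCodeBase(
    IN PVOID ImageBase
    )
/*++
Routine Description:
    This routine determines the base of the code for this image.
Arguments:
    ImageBase -- Supplies the base of the data mapped image in memory
Return Value:
    Base of the code in this image (OptionalHeader.BaseOfCode), or 0 when
    no NT headers are found at ImageBase.
Notes:
    BaseOfCode is returned exactly as stored in the header. It is not
    checked against the image size or the section table, so a caller
    that uses it as an offset into untrusted input must range-check it.
--*/
{
    PIMAGE_NT_HEADERS NtHeaders;

    //
    // RtlImageNtHeader can return NULL; do not dereference it blindly
    //
    NtHeaders = RtlImageNtHeader(ImageBase);
    if (NtHeaders == NULL) {
        return 0;
    }

    return NtHeaders->OptionalHeader.BaseOfCode;
}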
示例5: UtiSetFileDllFlag
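/*
 * UtiSetFileDllFlag
 *
 * Maps the file at lpPath read/write, sets IMAGE_FILE_DLL in the PE file
 * header and stores a freshly computed checksum in the optional header.
 *
 * Returns TRUE only when the headers were found, the checksum was
 * recomputed and the view was flushed; FALSE otherwise. When the checksum
 * step fails the flag change has already been written to the view, so the
 * file is left with a checksum that no longer matches its contents.
 */
BOOL UtiSetFileDllFlag(LPCSTR lpPath)
{
    BOOL bRet = FALSE;
    DWORD dwSize;
    PVOID pMap;
    PIMAGE_NT_HEADERS pNtHeader;
    DWORD HeaderSum, CheckSum;

    pMap = UtiMapFile(lpPath, GENERIC_WRITE|GENERIC_READ, FILE_FLAG_WRITE_THROUGH, PAGE_READWRITE, FILE_MAP_WRITE|FILE_MAP_READ, &dwSize);
    if (!pMap)
        return FALSE;

    /* NOTE(review): RtlImageNtHeader is not given dwSize, so it cannot bound its
     * header reads to the mapped length - confirm how truncated files are handled */
    pNtHeader = (PIMAGE_NT_HEADERS)RtlImageNtHeader(pMap);
    if (pNtHeader)
    {
        pNtHeader->FileHeader.Characteristics |= IMAGE_FILE_DLL;

        /* CheckSumMappedFile returns a header pointer, not a BOOL: test it against
         * NULL instead of casting, which would truncate the pointer on 64-bit */
        if (CheckSumMappedFile(pMap, dwSize, &HeaderSum, &CheckSum) != NULL)
        {
            pNtHeader->OptionalHeader.CheckSum = CheckSum;
            bRet = TRUE;
        }
    }

    /* a failed flush means the edit may not have reached the file */
    if (!FlushViewOfFile(pMap, dwSize))
        bRet = FALSE;
    UnmapViewOfFile(pMap);

    return bRet;
}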
示例6: access_resource
/*
 * access_resource
 *
 * Resolves a resource data entry of module 'hmod' to a pointer and a size.
 * (The '#endif' below closes a conditional whose '#if' part is not shown here.)
 *
 * hmod  - module handle; is_data_file_module() decides whether it is a
 *         data-file mapping, in which case the low bit is masked off and the
 *         offset is translated with RtlImageRvaToVa
 * entry - resource data entry to resolve
 * ptr   - optional, receives the address of the resource data
 * size  - optional, receives entry->Size
 *
 * Returns STATUS_SUCCESS, STATUS_RESOURCE_DATA_NOT_FOUND when the image has
 * no resource directory, or the exception code when the guarded region faults.
 *
 * entry->OffsetToData and entry->Size are used as stored in the image; they
 * are not compared with the resource directory size here, and the result of
 * RtlImageRvaToVa is stored without a NULL test, so callers must be prepared
 * for a *ptr that does not point at 'size' readable bytes.
 */
static inline NTSTATUS access_resource( HMODULE hmod, const IMAGE_RESOURCE_DATA_ENTRY *entry,
                                        void **ptr, ULONG *size )
#endif
{
    NTSTATUS status;

    __TRY
    {
        ULONG dirsize;

        if (RtlImageDirectoryEntryToData( hmod, TRUE, IMAGE_DIRECTORY_ENTRY_RESOURCE, &dirsize ))
        {
            if (ptr)
            {
                if (!is_data_file_module(hmod))
                {
                    /* regular image: the offset is relative to the module base */
                    *ptr = (char *)hmod + entry->OffsetToData;
                }
                else
                {
                    /* data-file mapping: strip the tag bit, then translate the RVA */
                    HMODULE mod = (HMODULE)((ULONG_PTR)hmod & ~1);
                    *ptr = RtlImageRvaToVa( RtlImageNtHeader(mod), mod, entry->OffsetToData, NULL );
                }
            }
            if (size) *size = entry->Size;
            status = STATUS_SUCCESS;
        }
        else
        {
            status = STATUS_RESOURCE_DATA_NOT_FOUND;
        }
    }
    __EXCEPT_PAGE_FAULT
    {
        return GetExceptionCode();
    }
    __ENDTRY;
    return status;
}
示例7: LdrpAccessResource
/*
 * LdrpAccessResource
 *
 * Resolves a resource data entry of the image at 'BaseAddress' to a pointer
 * and a size. (The '#endif' below closes a conditional whose '#if' part is
 * not shown here.)
 *
 * BaseAddress - image base; is_data_file_module() decides whether it is a
 *               data-file mapping, in which case the low bit is masked off
 *               and the offset is translated with RtlImageRvaToVa
 * entry       - resource data entry to resolve
 * ptr         - optional, receives the address of the resource data
 * size        - optional, receives entry->Size
 *
 * Returns STATUS_SUCCESS, STATUS_RESOURCE_DATA_NOT_FOUND when the image has
 * no resource directory, or the exception code when the SEH filter accepts
 * an exception raised inside the guarded region.
 *
 * entry->OffsetToData and entry->Size are used as stored in the image; they
 * are not compared with the resource directory size here, and the result of
 * RtlImageRvaToVa is stored without a NULL test.
 */
static NTSTATUS LdrpAccessResource( PVOID BaseAddress, IMAGE_RESOURCE_DATA_ENTRY *entry,
                                    void **ptr, ULONG *size )
#endif
{
    NTSTATUS status = STATUS_SUCCESS;

    _SEH2_TRY
    {
        ULONG dirsize;

        if (RtlImageDirectoryEntryToData( BaseAddress, TRUE, IMAGE_DIRECTORY_ENTRY_RESOURCE, &dirsize ))
        {
            if (ptr)
            {
                if (!is_data_file_module(BaseAddress))
                {
                    /* regular image: the offset is relative to the image base */
                    *ptr = (char *)BaseAddress + entry->OffsetToData;
                }
                else
                {
                    /* data-file mapping: strip the tag bit, then translate the RVA */
                    PVOID mod = (PVOID)((ULONG_PTR)BaseAddress & ~1);
                    *ptr = RtlImageRvaToVa( RtlImageNtHeader(mod), mod, entry->OffsetToData, NULL );
                }
            }
            if (size) *size = entry->Size;
        }
        else
        {
            status = STATUS_RESOURCE_DATA_NOT_FOUND;
        }
    }
    _SEH2_EXCEPT(page_fault(_SEH2_GetExceptionCode()))
    {
        status = _SEH2_GetExceptionCode();
    }
    _SEH2_END;
    return status;
}
示例8: SfcVerifyFile
/*
* SfcVerifyFile
*
* Purpose:
*
* Verify file to be legit ZeroAccess signed binary.
*
* The 128-byte signature is read from RCDATA resource id 1. The signature
* bytes and the header checksum are zeroed in place, the whole buffer is fed
* to MD5Update, both fields are restored, and the digest is checked against
* the signature with hKey.
*
* Returns the result of CryptVerifySignatureW, or FALSE when the headers,
* the resource, the hash object or the hash value could not be obtained.
*
* Notes:
*   - Image is modified temporarily, so the buffer must be writable and must
*     not be read by anyone else while this runs.
*   - ctx is only passed to MD5Update/MD5Final here; presumably the caller
*     initialises it - confirm.
*   - No check is visible here that the resource pointer plus 128 bytes lies
*     inside Image[0..ImageSize); that is left to SfLdrQueryResourceDataEx.
*
*/
BOOL SfcVerifyFile(
    _In_ HCRYPTPROV hProv,
    _In_ HCRYPTKEY hKey,
    _In_ MD5_CTX *ctx,
    _In_ PBYTE Image,
    _In_ DWORD ImageSize
    )
{
    HCRYPTHASH          hHash = 0;
    ULONG               SavedCheckSum, cbSignature = 0;
    BYTE                Signature[128];
    PBYTE               pEmbeddedSignature;
    PIMAGE_NT_HEADERS32 NtHeaders;
    BOOL                bVerified = FALSE;
    LDR_RESOURCE_INFO   ResourceId;

    NtHeaders = (PIMAGE_NT_HEADERS32)RtlImageNtHeader(Image);
    if (NtHeaders == NULL)
        return FALSE;

    ResourceId.Type = (ULONG_PTR)RT_RCDATA; //type
    ResourceId.Name = 1;                    //id
    ResourceId.Lang = 0;                    //lang

    pEmbeddedSignature = SfLdrQueryResourceDataEx(Image, &ResourceId, &cbSignature);
    if ((pEmbeddedSignature == NULL) || (cbSignature != 128))
        return FALSE;

    if (!CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash))
        return FALSE;

    // take the signature and checksum out of the image so they are not hashed
    SavedCheckSum = NtHeaders->OptionalHeader.CheckSum;
    memcpy(Signature, pEmbeddedSignature, sizeof(Signature));
    memset(pEmbeddedSignature, 0, sizeof(Signature));
    NtHeaders->OptionalHeader.CheckSum = 0;

    MD5Update(ctx, Image, ImageSize);

    // put both fields back before anything else can fail
    NtHeaders->OptionalHeader.CheckSum = SavedCheckSum;
    memcpy(pEmbeddedSignature, Signature, sizeof(Signature));

    MD5Final(ctx);

    // hand the externally computed digest to CryptoAPI, then verify
    if (CryptSetHashParam(hHash, HP_HASHVAL, (const BYTE *)&ctx->digest, 0))
        bVerified = CryptVerifySignatureW(hHash, (const BYTE *)&Signature, sizeof(Signature), hKey, 0, 0);

    CryptDestroyHash(hHash);
    return bVerified;
}
示例9: RvaToSeekAddress
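PVOID
RvaToSeekAddress(
    IN PVOID Rva,
    IN PVOID ImageBase
    )
/*++
Routine Description:
    This routine converts a relative virtual address to a seek address
Arguments:
    Rva -- Supplies the relative virtual address
    ImageBase -- Supplies the base of the image
Return Value:
    Returns the seek address of the specified Rva, or NULL when no NT
    headers are found at ImageBase or no section contains the Rva.
Notes:
    NumberOfSections and SizeOfOptionalHeader are taken from the image
    as stored. The section table walk is not bounded by the size of
    the mapping, which this routine is not given.
--*/
{
    ULONG i;
    ULONG NumberOfSections;
    PIMAGE_NT_HEADERS NtHeaders;
    PIMAGE_SECTION_HEADER ImageSection;
    ULONG_PTR RvaValue;
    ULONG_PTR OffsetInSection;

    //
    // Locate the NT headers; fail instead of dereferencing NULL
    //
    NtHeaders = RtlImageNtHeader(ImageBase);
    if (NtHeaders == NULL) {
        return NULL;
    }

    //
    // Form address of section headers. Byte-pointer arithmetic is used
    // so the address is not truncated to 32 bits.
    //
    NumberOfSections = NtHeaders->FileHeader.NumberOfSections;
    ImageSection = (PIMAGE_SECTION_HEADER)((PUCHAR)NtHeaders +
                       sizeof(ULONG) +
                       sizeof(IMAGE_FILE_HEADER) +
                       NtHeaders->FileHeader.SizeOfOptionalHeader);

    //
    // Find the section containing this rva. The containment test is
    // written as a subtraction so VirtualAddress + SizeOfRawData cannot
    // wrap around.
    //
    RvaValue = (ULONG_PTR)Rva;
    for (i = 0; i < NumberOfSections; i++, ImageSection++) {
        if (RvaValue < ImageSection->VirtualAddress) {
            continue;
        }
        OffsetInSection = RvaValue - ImageSection->VirtualAddress;
        if (OffsetInSection < ImageSection->SizeOfRawData) {
            return (PVOID)(OffsetInSection + ImageSection->PointerToRawData);
        }
    }

    return NULL;
}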
示例10: pe_load_native_module
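/******************************************************************
 *		pe_load_native_module
 *
 * Creates a module entry for a PE image, reading base, size, timestamp and
 * checksum from the file's NT headers.
 *
 * pcs   - process the module belongs to
 * name  - module name; required when hFile is NULL (the file is then located
 *         through the process search path)
 * hFile - handle of the image file, or NULL to look it up by name
 * base  - load address, or 0 to use OptionalHeader.ImageBase
 * size  - image size, or 0 to use OptionalHeader.SizeOfImage
 *
 * Returns the new module, or NULL when the file cannot be found or mapped,
 * has no NT headers, or module_new fails. A file handle opened here is
 * closed before returning; a handle passed in by the caller is left open.
 */
struct module* pe_load_native_module(struct process* pcs, const WCHAR* name,
                                     HANDLE hFile, DWORD base, DWORD size)
{
    struct module*      module = NULL;
    BOOL                opened = FALSE;
    HANDLE              hMap;
    WCHAR               loaded_name[MAX_PATH];

    loaded_name[0] = '\0';
    if (!hFile)
    {
        assert(name);

        if ((hFile = FindExecutableImageExW(name, pcs->search_path, loaded_name, NULL, NULL)) == NULL)
            return NULL;
        opened = TRUE;
    }
    /* name comes from the caller and may be longer than the fixed buffer:
     * copy with a bound (truncating) instead of an unbounded string copy */
    else if (name) lstrcpynW(loaded_name, name, sizeof(loaded_name) / sizeof(loaded_name[0]));
    else if (dbghelp_options & SYMOPT_DEFERRED_LOADS)
        FIXME("Trouble ahead (no module name passed in deferred mode)\n");

    if ((hMap = CreateFileMappingW(hFile, NULL, PAGE_READONLY, 0, 0, NULL)) != NULL)
    {
        void*   mapping;

        if ((mapping = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0)) != NULL)
        {
            /* NOTE(review): the file size is not passed to RtlImageNtHeader, so
             * header reads are not bounded by the mapping here - confirm how a
             * truncated file is handled */
            IMAGE_NT_HEADERS*   nth = RtlImageNtHeader(mapping);

            if (nth)
            {
                /* header values are only defaults for what the caller left at 0 */
                if (!base) base = nth->OptionalHeader.ImageBase;
                if (!size) size = nth->OptionalHeader.SizeOfImage;

                module = module_new(pcs, loaded_name, DMT_PE, FALSE, base, size,
                                    nth->FileHeader.TimeDateStamp,
                                    nth->OptionalHeader.CheckSum);
                if (module)
                {
                    if (dbghelp_options & SYMOPT_DEFERRED_LOADS)
                        module->module.SymType = SymDeferred;
                    else
                        pe_load_debug_info(pcs, module);
                }
                else
                    ERR("could not load the module '%s'\n", debugstr_w(loaded_name));
            }
            UnmapViewOfFile(mapping);
        }
        CloseHandle(hMap);
    }
    if (opened) CloseHandle(hFile);

    return module;
}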
示例11: RtlImageNtHeader
// Returns the number of bytes between the end of the section table and the
// raw data of the first section header, or 0 when pvPEBase has no NT headers.
//
// NOTE(review): the pointer-to-DWORD casts keep only the low 32 bits of each
// address, and the subtraction is unsigned, so a first section whose
// PointerToRawData is smaller than the end of the section table yields a very
// large value rather than 0. Callers that size a write from this result need
// their own bound.
DWORD Crypter::freeSpaceInHeader(PVOID pvPEBase){
    PIMAGE_NT_HEADERS ntHeaders = RtlImageNtHeader(pvPEBase);
    if (!ntHeaders)
        return 0;

    PIMAGE_SECTION_HEADER sectionTable = IMAGE_FIRST_SECTION(ntHeaders);

    // offset of the section table from the start of the buffer
    DWORD sectionTableOffset = (DWORD)sectionTable - (DWORD)pvPEBase;
    // bytes taken by all section headers
    DWORD sectionTableSize = ntHeaders->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER;

    return sectionTable->PointerToRawData - sectionTableOffset - sectionTableSize;
}
示例12: GetStaticInformation
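/*
 * GetStaticInformation
 *
 * Fills the globals describing the running image: g_pvImageBase and
 * g_dwImageSize from the allocation that contains this function, g_bAdmin
 * and g_bUAC from CheckAdmin() / CheckUAC().
 *
 * When VirtualQuery fails, g_pvImageBase is NULL and g_dwImageSize is 0.
 * When the allocation base carries no NT headers, g_dwImageSize is 0.
 */
VOID GetStaticInformation()
{
    MEMORY_BASIC_INFORMATION pMemInfo;
    PIMAGE_NT_HEADERS pNtHeaders;

    g_pvImageBase = NULL;
    g_dwImageSize = 0;

    /* VirtualQuery returns 0 on failure and leaves pMemInfo unset */
    if (VirtualQuery(GetStaticInformation, &pMemInfo, sizeof(pMemInfo)) != 0)
    {
        g_pvImageBase = pMemInfo.AllocationBase;

        /* RtlImageNtHeader can return NULL; do not dereference it blindly */
        pNtHeaders = RtlImageNtHeader(pMemInfo.AllocationBase);
        if (pNtHeaders != NULL)
            g_dwImageSize = pNtHeaders->OptionalHeader.SizeOfImage;
    }

    g_bAdmin = CheckAdmin();
    g_bUAC = CheckUAC();
}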
示例13: pe_map_full
/*
 * pe_map_full
 *
 * Returns a view of the whole PE file behind 'fmap', creating it on first
 * use, and bumps the use count of that view.
 *
 * fmap - file map whose u.pe.hMap is the file mapping handle
 * nth  - optional, receives the result of RtlImageNtHeader on the view;
 *        this can be NULL even when the mapping itself succeeded
 *
 * Returns the view address, or IMAGE_NO_MAP when the file cannot be mapped
 * (the use count is left untouched in that case).
 */
static void* pe_map_full(struct image_file_map* fmap, IMAGE_NT_HEADERS** nth)
{
    void* view = fmap->u.pe.full_map;

    if (view == NULL)
    {
        /* first user: map the entire file read-only and cache the view */
        view = MapViewOfFile(fmap->u.pe.hMap, FILE_MAP_READ, 0, 0, 0);
        fmap->u.pe.full_map = view;
    }
    if (view == NULL)
        return IMAGE_NO_MAP;

    if (nth != NULL)
        *nth = RtlImageNtHeader(view);
    fmap->u.pe.full_count++;
    return view;
}
示例14: SfcZAVerifyFile
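//move to zacrypto.c
//@@implemented in harusame
//
// Checks the 128-byte signature stored in resource id 3 of Image: the
// signature bytes and the header checksum are zeroed in place, the whole
// buffer is fed to MD5Update, both fields are restored, and the digest is
// checked against the signature with hKey.
//
// The routine returns VOID, so the verification result is not reported to
// the caller. Image is modified temporarily and must be writable. ctx is only
// passed to MD5Update/MD5Final here; presumably the caller initialises it -
// confirm.
VOID SfcZAVerifyFile(
    HCRYPTPROV hProv,
    HCRYPTKEY hKey,
    MD5_CTX *ctx,
    PBYTE Image,
    DWORD ImageSize
    )
{
    HCRYPTHASH          lh_hash = 0;
    ULONG               CRC, SignSize = 0;
    BYTE                e_sign[128];
    PBYTE               p_resource_sign;
    PIMAGE_NT_HEADERS32 phdr;

    phdr = (PIMAGE_NT_HEADERS32)RtlImageNtHeader(Image);
    if (phdr == NULL)
        return;

    p_resource_sign = SfuQueryResourceData(3, Image, &SignSize);
    if (p_resource_sign == NULL)
        return;

    if (SignSize != 128)
        return;

    if (!CryptCreateHash(hProv, CALG_MD5, 0, 0, &lh_hash))
        return;

    // take the signature and checksum out of the image so they are not hashed
    CRC = phdr->OptionalHeader.CheckSum;
    memcpy(e_sign, p_resource_sign, sizeof(e_sign));
    memset(p_resource_sign, 0, sizeof(e_sign));
    phdr->OptionalHeader.CheckSum = 0;

    MD5Update(ctx, Image, ImageSize);

    // put both fields back before anything else can fail
    phdr->OptionalHeader.CheckSum = CRC;
    memcpy(p_resource_sign, e_sign, sizeof(e_sign));

    MD5Final(ctx);

    if (CryptSetHashParam(lh_hash, HP_HASHVAL, (const BYTE *)&ctx->digest, 0)) {
        CryptVerifySignatureW(lh_hash, (const BYTE *)&e_sign, sizeof(e_sign), hKey, 0, 0);
    }

    // release the hash object on every path, including after verification
    CryptDestroyHash(lh_hash);
}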
示例15: CheckSumMappedFile
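/***********************************************************************
 *		CheckSumMappedFile (IMAGEHLP.@)
 *
 * Computes the checksum of a mapped image file and reports it together
 * with the checksum stored in the image's optional header.
 *
 * BaseAddress - start of the mapped file
 * FileLength  - length of the file in bytes
 * HeaderSum   - receives OptionalHeader.CheckSum as stored in the file
 * CheckSum    - receives the computed checksum
 *
 * Returns the NT headers of the image, or NULL when no NT headers are
 * found at BaseAddress; HeaderSum and CheckSum are not written then.
 */
PIMAGE_NT_HEADERS WINAPI CheckSumMappedFile(
  LPVOID BaseAddress, DWORD FileLength,
  LPDWORD HeaderSum, LPDWORD CheckSum)
{
  PIMAGE_NT_HEADERS Header;
  DWORD CalcSum;
  DWORD HdrSum;

  FIXME("(%p, %ld, %p, %p): stub\n",
    BaseAddress, FileLength, HeaderSum, CheckSum
  );

  /* RtlImageNtHeader can return NULL; do not dereference it blindly.
   * NOTE(review): FileLength is not passed to it, so its header reads are
   * not bounded by the mapping here - confirm how short files are handled */
  Header = RtlImageNtHeader(BaseAddress);
  if (!Header)
    return NULL;

  /* sum the file as 16-bit words, rounding an odd length up */
  CalcSum = (DWORD)CalcCheckSum(0,
    BaseAddress,
    (FileLength + 1) / sizeof(WORD));

  HdrSum = Header->OptionalHeader.CheckSum;

  /* Subtract image checksum from calculated checksum. */
  /* fix low word of checksum */
  if (LOWORD(CalcSum) >= LOWORD(HdrSum))
  {
    CalcSum -= LOWORD(HdrSum);
  }
  else
  {
    CalcSum = ((LOWORD(CalcSum) - LOWORD(HdrSum)) & 0xFFFF) - 1;
  }

  /* fix high word of checksum */
  if (LOWORD(CalcSum) >= HIWORD(HdrSum))
  {
    CalcSum -= HIWORD(HdrSum);
  }
  else
  {
    CalcSum = ((LOWORD(CalcSum) - HIWORD(HdrSum)) & 0xFFFF) - 1;
  }

  /* add file length */
  CalcSum += FileLength;

  *CheckSum = CalcSum;
  *HeaderSum = Header->OptionalHeader.CheckSum;

  return Header;
}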