protected override void ProcessImage(PortableExecutableInfo info)
{
PEDataDirectory corHeader = info.PEHeader.GetDataDirectory(DataDirectory.CorHeader);
WriteVerbose("Processing " + info.Path);
WriteObject(corHeader.VirtualAddress != 0 && corHeader.Size != 0);
}
private void PatchWindowsXP2003SetupBootLoader(string setupldrPath)
{
var bytes = File.ReadAllBytes(setupldrPath);
var dosSignature = BitConverter.GetBytes(DOSHeader.DOSSignature);
// setupldr.bin and ntldr are regular executables that are preceded by a special loader
// we use the MZ DOS signature to determine where the executable start.
// Note that we must update the executable checksum, because the loader will verify that the executable checksum is correct
var executableOffset = IndexOfSequence(ref bytes, dosSignature);
if (executableOffset == -1)
{
Console.WriteLine("Error: setupldr.bin is corrupted.");
Program.Exit();
}
var loader = new byte[executableOffset];
Array.Copy(bytes, loader, executableOffset);
var executableLength = bytes.Length - executableOffset;
var executable = new byte[executableLength];
Array.Copy(bytes, executableOffset, executable, 0, executableLength);
var peInfo = new PortableExecutableInfo(executable);
// update executable byte array
var oldSequence = Encoding.ASCII.GetBytes("ntkrnlmp.exe");
var newSequence = Encoding.ASCII.GetBytes("ntoskrnl.exe");
// the kernel filename appears in the first PE section
var section = peInfo.Sections[0];
ReplaceInBytes(ref section, oldSequence, newSequence);
peInfo.Sections[0] = section;
var peStream = new MemoryStream();
PortableExecutableInfo.WritePortableExecutable(peInfo, peStream);
executable = peStream.ToArray();
// finished updating executable byte array
FileSystemUtils.ClearReadOnlyAttribute(setupldrPath);
var stream = new FileStream(setupldrPath, FileMode.Create, FileAccess.ReadWrite);
var writer = new BinaryWriter(stream);
writer.Write(loader);
writer.Write(executable);
writer.Close();
}
// Windows File Protection may restore a newer unsigned driver file to an older in-box signed driver file (sfc.exe is executed at the end of GUI-mode setup).
// The list of files that is being protected is stored in sfcfiles.sys, and we can prevent a file from being protected by making sure it's not in that list.
public static void DisableInBoxDeviceDriverFile(string setupDirectory, string fileName)
{
fileName = fileName.ToLower(); // sfcfiles.dll stores all file names in lowercase
string path = setupDirectory + "sfcfiles.dl_";
byte[] packed = File.ReadAllBytes(path);
byte[] unpacked = HiveINIFile.Unpack(packed, "sfcfiles.dll");
PortableExecutableInfo peInfo = new PortableExecutableInfo(unpacked);
string oldValue = @"%systemroot%\system32\drivers\" + fileName;
string newValue = @"%systemroot%\system32\drivers\" + fileName.Substring(0, fileName.Length - 1) + "0"; // e.g. e1000325.sys => e1000325.sy0
byte[] oldSequence = Encoding.Unicode.GetBytes(oldValue);
byte[] newSequence = Encoding.Unicode.GetBytes(newValue);
bool replaced = false;
for (int index = 0; index < peInfo.Sections.Count; index++)// XP uses the .text section while Windows 2000 uses the .data section
{
byte[] section = peInfo.Sections[index];
bool replacedInSection = KernelAndHalIntegrator.ReplaceInBytes(ref section, oldSequence, newSequence);
if (replacedInSection)
{
peInfo.Sections[index] = section;
replaced = true;
}
}
if (replaced)
{
Console.WriteLine();
Console.WriteLine("'{0}' has been removed from Windows File Protection file list.", fileName);
MemoryStream peStream = new MemoryStream();
PortableExecutableInfo.WritePortableExecutable(peInfo, peStream);
unpacked = peStream.ToArray();
packed = HiveINIFile.Pack(unpacked, "sfcfiles.dll");
FileSystemUtils.ClearReadOnlyAttribute(path);
File.WriteAllBytes(path, packed);
}
}
protected override void ProcessPath(PscxPathInfo pscxPath)
{
PortableExecutableInfo info = null;
string filePath = pscxPath.ProviderPath;
try
{
info = new PortableExecutableInfo(filePath);
}
catch (PipelineStoppedException)
{
throw;
}
catch (Exception exc)
{
WriteError(new ErrorRecord(exc, "InvalidPEImage", ErrorCategory.InvalidData, filePath));
}
if (info != null)
{
ProcessImage(info);
}
}
protected abstract void ProcessImage(PortableExecutableInfo info);
protected override void ProcessImage(PortableExecutableInfo info)
{
WriteObject(info.PEHeader);
}
