protected override void ProcessImage(PortableExecutableInfo info) { PEDataDirectory corHeader = info.PEHeader.GetDataDirectory(DataDirectory.CorHeader); WriteVerbose("Processing " + info.Path); WriteObject(corHeader.VirtualAddress != 0 && corHeader.Size != 0); }
private void PatchWindowsXP2003SetupBootLoader(string setupldrPath) { var bytes = File.ReadAllBytes(setupldrPath); var dosSignature = BitConverter.GetBytes(DOSHeader.DOSSignature); // setupldr.bin and ntldr are regular executables that are preceded by a special loader // we use the MZ DOS signature to determine where the executable start. // Note that we must update the executable checksum, because the loader will verify that the executable checksum is correct var executableOffset = IndexOfSequence(ref bytes, dosSignature); if (executableOffset == -1) { Console.WriteLine("Error: setupldr.bin is corrupted."); Program.Exit(); } var loader = new byte[executableOffset]; Array.Copy(bytes, loader, executableOffset); var executableLength = bytes.Length - executableOffset; var executable = new byte[executableLength]; Array.Copy(bytes, executableOffset, executable, 0, executableLength); var peInfo = new PortableExecutableInfo(executable); // update executable byte array var oldSequence = Encoding.ASCII.GetBytes("ntkrnlmp.exe"); var newSequence = Encoding.ASCII.GetBytes("ntoskrnl.exe"); // the kernel filename appears in the first PE section var section = peInfo.Sections[0]; ReplaceInBytes(ref section, oldSequence, newSequence); peInfo.Sections[0] = section; var peStream = new MemoryStream(); PortableExecutableInfo.WritePortableExecutable(peInfo, peStream); executable = peStream.ToArray(); // finished updating executable byte array FileSystemUtils.ClearReadOnlyAttribute(setupldrPath); var stream = new FileStream(setupldrPath, FileMode.Create, FileAccess.ReadWrite); var writer = new BinaryWriter(stream); writer.Write(loader); writer.Write(executable); writer.Close(); }
// Windows File Protection may restore a newer unsigned driver file to an older in-box signed driver file (sfc.exe is executed at the end of GUI-mode setup). // The list of files that is being protected is stored in sfcfiles.sys, and we can prevent a file from being protected by making sure it's not in that list. public static void DisableInBoxDeviceDriverFile(string setupDirectory, string fileName) { fileName = fileName.ToLower(); // sfcfiles.dll stores all file names in lowercase string path = setupDirectory + "sfcfiles.dl_"; byte[] packed = File.ReadAllBytes(path); byte[] unpacked = HiveINIFile.Unpack(packed, "sfcfiles.dll"); PortableExecutableInfo peInfo = new PortableExecutableInfo(unpacked); string oldValue = @"%systemroot%\system32\drivers\" + fileName; string newValue = @"%systemroot%\system32\drivers\" + fileName.Substring(0, fileName.Length - 1) + "0"; // e.g. e1000325.sys => e1000325.sy0 byte[] oldSequence = Encoding.Unicode.GetBytes(oldValue); byte[] newSequence = Encoding.Unicode.GetBytes(newValue); bool replaced = false; for (int index = 0; index < peInfo.Sections.Count; index++)// XP uses the .text section while Windows 2000 uses the .data section { byte[] section = peInfo.Sections[index]; bool replacedInSection = KernelAndHalIntegrator.ReplaceInBytes(ref section, oldSequence, newSequence); if (replacedInSection) { peInfo.Sections[index] = section; replaced = true; } } if (replaced) { Console.WriteLine(); Console.WriteLine("'{0}' has been removed from Windows File Protection file list.", fileName); MemoryStream peStream = new MemoryStream(); PortableExecutableInfo.WritePortableExecutable(peInfo, peStream); unpacked = peStream.ToArray(); packed = HiveINIFile.Pack(unpacked, "sfcfiles.dll"); FileSystemUtils.ClearReadOnlyAttribute(path); File.WriteAllBytes(path, packed); } }
protected override void ProcessPath(PscxPathInfo pscxPath) { PortableExecutableInfo info = null; string filePath = pscxPath.ProviderPath; try { info = new PortableExecutableInfo(filePath); } catch (PipelineStoppedException) { throw; } catch (Exception exc) { WriteError(new ErrorRecord(exc, "InvalidPEImage", ErrorCategory.InvalidData, filePath)); } if (info != null) { ProcessImage(info); } }
protected abstract void ProcessImage(PortableExecutableInfo info);
protected override void ProcessImage(PortableExecutableInfo info) { WriteObject(info.PEHeader); }