-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathRWXDLLScanner.cpp
145 lines (124 loc) · 4.08 KB
/
RWXDLLScanner.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
#include <windows.h>
#include <cstdint>
#include <iostream>
#include <fstream>
#include <sstream>
#include <string>
#include <vector>
#define MINIMAL_SECTION_SIZE 0x64000
bool readFile(const std::string& filename, std::vector<uint8_t>& fileData) {
std::ifstream file(filename, std::ios::binary);
if (!file) {
return false;
}
file.seekg(0, std::ios::end);
std::streampos fileSize = file.tellg();
file.seekg(0, std::ios::beg);
fileData.resize(fileSize);
file.read((char*)fileData.data(), fileSize);
file.close();
return true;
}
int main() {
std::vector<uint8_t> dlls = {};
if (!readFile("dlls.txt", dlls)) {
std::cerr << "Error opening dlls.txt file!" << std::endl;
} else {
std::istringstream iss({ dlls.begin(), dlls.end() });
std::string dll = {};
while (std::getline(iss, dll)) {
if (dll.ends_with('\r')) {
dll.pop_back();
}
HANDLE file = CreateFileA(dll.c_str(), GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (file == INVALID_HANDLE_VALUE) {
// std::cerr << "Error opening " << dll << " file!" << std::endl;
continue;
}
HANDLE mapping = CreateFileMappingA(file, NULL, PAGE_READONLY, 0, 0, NULL);
if (mapping == NULL) {
// std::cerr << "Failed to create file mapping object for " << dll << " file!" << std::endl;
CloseHandle(file);
continue;
}
PVOID view = MapViewOfFile(mapping, FILE_MAP_READ, 0, 0, 0);
if (view == NULL) {
// std::cerr << "Failed to map view of file for " << dll << " file!" << std::endl;
CloseHandle(mapping);
CloseHandle(file);
continue;
}
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)view;
if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
// std::cerr << "Invalid DOS header in " << dll << " file!" << std::endl;
UnmapViewOfFile(view);
CloseHandle(mapping);
CloseHandle(file);
continue;
}
PIMAGE_NT_HEADERS32 ntHeaders = (PIMAGE_NT_HEADERS32)((PBYTE)view + dosHeader->e_lfanew);
if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) {
// std::cerr << "Invalid NT header in " << dll << " file!" << std::endl;
UnmapViewOfFile(view);
CloseHandle(mapping);
CloseHandle(file);
continue;
}
bool isRWX = false;
auto isSignedRWX = [&] <typename T> (T ntHeaders) {
DWORD securityDirAddr = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress,
securityDirSize = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size;
if (securityDirAddr == 0 || securityDirSize == 0) {
UnmapViewOfFile(view);
CloseHandle(mapping);
CloseHandle(file);
return false;
}
PIMAGE_SECTION_HEADER sectionHeader = (PIMAGE_SECTION_HEADER)((PBYTE)ntHeaders + sizeof(*ntHeaders));
for (int i = 0; i < ntHeaders->FileHeader.NumberOfSections; ++i, ++sectionHeader) {
if (sectionHeader->Misc.VirtualSize >= MINIMAL_SECTION_SIZE &&
sectionHeader->Characteristics & IMAGE_SCN_MEM_READ &&
sectionHeader->Characteristics & IMAGE_SCN_MEM_WRITE &&
sectionHeader->Characteristics & IMAGE_SCN_MEM_EXECUTE) {
isRWX = true;
std::string sectionName = { sectionHeader->Name, sectionHeader->Name + 8 };
std::cout << "section" << i << ": \"" << sectionName.c_str() << "\"" << std::endl;
}
}
return true;
};
bool isX32;
switch (ntHeaders->OptionalHeader.Magic) {
case IMAGE_NT_OPTIONAL_HDR32_MAGIC:
if (!isSignedRWX(ntHeaders)) {
continue;
}
isX32 = true;
break;
case IMAGE_NT_OPTIONAL_HDR64_MAGIC:
if (!isSignedRWX((PIMAGE_NT_HEADERS64)ntHeaders)) {
continue;
}
isX32 = false;
break;
default:
// std::cerr << "Invalid optional header magic in " << dll << " file!" << std::endl;
UnmapViewOfFile(view);
CloseHandle(mapping);
CloseHandle(file);
continue;
}
UnmapViewOfFile(view);
CloseHandle(mapping);
CloseHandle(file);
if (!isRWX) {
continue;
}
std::cout << (isX32 ? "32-bit" : "64-bit") << " dll: \"" << dll << "\"" << std::endl << std::endl;
}
}
std::cout << "Press Ctrl+C to exit" << std::endl;
for (;;) {
Sleep(10);
}
}