четверг, 2 марта 2017 г.

ida plugin for RFG fixups processing

I commited today code for Ida Pro plugin for RFG fixups processing - for both version 1 & 2

It seems that by default during automatic loading of pe files Ida don`t load .reloc section (where usually located RFG fixups). In such case I ask if you want to add new segment:
Sure it works only if original input file (you can extract it with get_input_file_path function) is still available. Also I used dirty hack - I am too lazy to parse PE file by hand, and it seems that node "$ PE header" keeps all sections (even not loaded in base !) in supvals


Update: it seems that buggy ida sdk don`t contains doCode function and auto_mark_range actually does not take into account end argument, so body of prologs looks ugly

среда, 1 марта 2017 г.


it seems that around since w10 build 15007 format of rfg relocs was changed and field IMAGE_DYNAMIC_RELOCATION_TABLE.Version now has value 2. So lets install platform SDK for 15003 and see what was changed

First remarkable thing is that IMAGE_LOAD_CONFIG_DIRECTORY now has two additional fields:
    WORD       DynamicValueRelocTableSection;
    WORD       Reserved2;
    // since w10 build 15003 ?
    ULONGLONG  GuardRFVerifyStackPointerFunctionPointer; // VA
    DWORD      HotPatchTableOffset;

so sizeof(IMAGE_LOAD_CONFIG_DIRECTORY64) is now 0xf4