I committed today the code for an IDA Pro plugin for RFG fixups processing, for both versions 1 & 2.
It seems that by default, during automatic loading of PE files, IDA doesn't load the .reloc section (where RFG fixups are usually located). In such a case I ask whether you want to add a new segment:
Sure, it works only if the original input file (you can extract its path with the get_input_file_path function) is still available. Also I used a dirty hack: I am too lazy to parse the PE file by hand, and it seems that the node "$ PE header" keeps all sections (even those not loaded into the database!) in supvals.
enjoy
Update: it seems that the buggy IDA SDK doesn't contain the doCode function, and auto_mark_range actually does not take the end argument into account, so the body of the prologs looks ugly.
Thursday, March 2, 2017
Wednesday, March 1, 2017
IMAGE_DYNAMIC_RELOCATION_TABLE.Version 2
It seems that since around W10 build 15007 the format of RFG relocs was changed, and the field IMAGE_DYNAMIC_RELOCATION_TABLE.Version now has the value 2. So let's install the platform SDK for 15003 and see what was changed.
The first remarkable thing is that IMAGE_LOAD_CONFIG_DIRECTORY now has two additional fields:
WORD DynamicValueRelocTableSection;
WORD Reserved2;
// since w10 build 15003 ?
ULONGLONG GuardRFVerifyStackPointerFunctionPointer; // VA
DWORD HotPatchTableOffset;
} IMAGE_LOAD_CONFIG_DIRECTORY64, *PIMAGE_LOAD_CONFIG_DIRECTORY64;
so sizeof(IMAGE_LOAD_CONFIG_DIRECTORY64) is now 0xf4
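As an added example (my own code, not the plugin's and not from the original post), here is a small Python parser that does the two things the posts above touch on: it walks the section table of the on-disk PE image by hand to find .reloc (the part IDA skips when it does not map the section), and then reads the IMAGE_DYNAMIC_RELOCATION_TABLE header stored there and dispatches on Version, accepting both the version 1 and the version 2 layouts. The entry headers (IMAGE_DYNAMIC_RELOCATION64 for v1, IMAGE_DYNAMIC_RELOCATION64_V2 for v2) and the pack(1) layout are taken from winnt.h; the sample image is constructed inline and is not a real binary. One assumption to note: in the sample the table sits at offset 0 of .reloc, whereas in a real image the offset comes from the DynamicValueRelocTableOffset field of IMAGE_LOAD_CONFIG_DIRECTORY (relative to the section selected by DynamicValueRelocTableSection), so pass that value as `table_offset`.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)
# IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
FILE_HEADER_FMT = "<HHIIIHH"
# Symbol values used by RFG dynamic relocations (winnt.h).
IMAGE_DYNAMIC_RELOCATION_GUARD_RF_PROLOGUE = 1
IMAGE_DYNAMIC_RELOCATION_GUARD_RF_EPILOGUE = 2


def find_section(data, name):
    """Return (VirtualAddress, SizeOfRawData, PointerToRawData) of the section
    called `name` (e.g. b".reloc") in the on-disk image, or None if absent."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    _machine, num_sections, _ts, _psym, _nsym, size_opt, _chars = \
        struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)
    # Section table follows the PE signature, file header and optional header.
    table = e_lfanew + 4 + struct.calcsize(FILE_HEADER_FMT) + size_opt
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER_FMT, data, table + i * SECTION_HEADER_SIZE)
        sname, _vsize, va, raw_size, raw_ptr = fields[:5]
        if sname.rstrip(b"\0") == name:
            return va, raw_size, raw_ptr
    return None


def read_dynamic_reloc_table(data, table_offset):
    """Parse IMAGE_DYNAMIC_RELOCATION_TABLE {DWORD Version; DWORD Size;} at
    `table_offset` inside .reloc and return (version, [entry headers]).
    v1 entries: IMAGE_DYNAMIC_RELOCATION64 {ULONGLONG Symbol; DWORD BaseRelocSize;}
    (12 bytes, pack(1)) followed by BaseRelocSize bytes of base-relocation blocks.
    v2 entries: IMAGE_DYNAMIC_RELOCATION64_V2 {DWORD HeaderSize; DWORD FixupInfoSize;
    ULONGLONG Symbol; DWORD SymbolGroup; DWORD Flags;} followed by FixupInfoSize bytes."""
    sec = find_section(data, b".reloc")
    if sec is None:
        raise ValueError(".reloc section not present in the on-disk image")
    _va, raw_size, raw_ptr = sec
    reloc = data[raw_ptr:raw_ptr + raw_size]
    version, size = struct.unpack_from("<II", reloc, table_offset)
    pos = table_offset + 8
    end = pos + size
    if end > len(reloc):
        raise ValueError("dynamic reloc table Size exceeds the .reloc section")
    entries = []
    while pos < end:
        if version == 1:
            symbol, base_reloc_size = struct.unpack_from("<QI", reloc, pos)
            entries.append({"symbol": symbol, "size": base_reloc_size})
            pos += 12 + base_reloc_size
        elif version == 2:
            hdr_size, fixup_size, symbol, group, flags = struct.unpack_from("<IIQII", reloc, pos)
            if hdr_size < 24:
                raise ValueError("v2 HeaderSize smaller than the fixed header")
            entries.append({"symbol": symbol, "size": fixup_size, "group": group, "flags": flags})
            pos += hdr_size + fixup_size  # HeaderSize allows for the variable-length header
        else:
            raise ValueError("unknown IMAGE_DYNAMIC_RELOCATION_TABLE.Version %d" % version)
    if pos != end:
        raise ValueError("entry sizes do not add up to the table Size")
    return version, entries


def build_sample_image(version=2):
    """Constructed toy PE32+ image (not a real binary): DOS stub, PE signature,
    file header, zeroed 240-byte optional header, .text and .reloc sections.
    The .reloc raw data starts with a dynamic relocation table of `version`."""
    if version == 1:
        block = struct.pack("<II", 0x1000, 8)  # empty IMAGE_BASE_RELOCATION block
        body = struct.pack("<QI", IMAGE_DYNAMIC_RELOCATION_GUARD_RF_PROLOGUE, len(block)) + block
    else:
        body = (struct.pack("<IIQII", 24, 4, IMAGE_DYNAMIC_RELOCATION_GUARD_RF_PROLOGUE, 0, 0) + b"\0" * 4
                + struct.pack("<IIQII", 24, 8, IMAGE_DYNAMIC_RELOCATION_GUARD_RF_EPILOGUE, 0, 0) + b"\0" * 8)
    table = struct.pack("<II", version, len(body)) + body
    reloc_raw = table + b"\0" * (0x200 - len(table))
    text_raw = b"\xc3" * 0x200
    e_lfanew, text_ptr, reloc_ptr = 0x80, 0x400, 0x600
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    coff = struct.pack(FILE_HEADER_FMT, 0x8664, 2, 0, 0, 0, 240, 0x22)
    sec_text = struct.pack(SECTION_HEADER_FMT, b".text", 0x200, 0x1000, 0x200, text_ptr, 0, 0, 0, 0, 0x60000020)
    sec_reloc = struct.pack(SECTION_HEADER_FMT, b".reloc", 0x200, 0x2000, 0x200, reloc_ptr, 0, 0, 0, 0, 0x42000040)
    image = dos + b"PE\0\0" + coff + b"\0" * 240 + sec_text + sec_reloc
    image += b"\0" * (text_ptr - len(image)) + text_raw
    image += b"\0" * (reloc_ptr - len(image)) + reloc_raw
    return image


if __name__ == "__main__":
    img = build_sample_image()
    print(".reloc at", find_section(img, b".reloc"))
    print(read_dynamic_reloc_table(img, 0))
```

For a real file you would pass the bytes of the input path returned by get_input_file_path plus the offset from the load config directory; the Size check against the section length is what keeps a truncated or hand-edited table from walking past .reloc.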