93 def vm_load_pe(vm, fdata, align_s=True, load_hdr=True, **kargs):
94 """Load a PE in memory (@vm) from a data buffer @fdata
96 @fdata: data buffer to parse
97 @align_s: (optional) If False, keep gaps between section
98 @load_hdr: (optional) If False, do not load the NThdr in memory
99 Return the corresponding PE instance.
101 Extra arguments are passed to PE instanciation.
102 If all sections are aligned, they will be mapped on several different pages
103 Otherwise, a big page is created, containing all sections
106 pe = pe_init.PE(fdata, **kargs)
110 for section
in pe.SHList:
111 if section.addr & 0xFFF:
119 hdr_len = max(0x200, pe.NThdr.sizeofheaders)
121 min_len = min(pe.SHList[0].addr, 0x1000)
124 pe_hdr = pe.content[:hdr_len] + max(
125 0, (min_len - hdr_len)) *
"\x00"
126 vm.add_memory_page(pe.NThdr.ImageBase, PAGE_READ | PAGE_WRITE,
132 for i, section
in enumerate(pe.SHList[:-1]):
133 new_size = pe.SHList[i + 1].addr - section.addr
134 section.size = new_size
135 section.rawsize = new_size
136 section.data = strpatchwork.StrPatchwork(
137 section.data[:new_size])
138 section.offset = section.addr
141 last_section = pe.SHList[-1]
142 last_section.size = (last_section.size + 0xfff) & 0xfffff000
145 for section
in pe.SHList:
146 data = str(section.data)
147 data +=
"\x00" * (section.size - len(data))
148 vm.add_memory_page(pe.rva2virt(section.addr),
149 PAGE_READ | PAGE_WRITE, data)
154 log.warning(
'PE is not aligned, creating big section')
155 min_addr = 0
if load_hdr
else None
159 for i, section
in enumerate(pe.SHList):
160 if i < len(pe.SHList) - 1:
162 section.size = pe.SHList[i + 1].addr - section.addr
163 section.rawsize = section.size
164 section.offset = section.addr
167 if min_addr
is None or section.addr < min_addr:
168 min_addr = section.addr
169 max_section_len = max(section.size, len(section.data))
170 if max_addr
is None or section.addr + max_section_len > max_addr:
171 max_addr = section.addr + max_section_len
173 min_addr = pe.rva2virt(min_addr)
174 max_addr = pe.rva2virt(max_addr)
175 log.debug(
'Min: 0x%x, Max: 0x%x, Size: 0x%x', min_addr, max_addr,
176 (max_addr - min_addr))
179 vm.add_memory_page(min_addr,
180 PAGE_READ | PAGE_WRITE,
181 (max_addr - min_addr) *
"\x00")
184 for section
in pe.SHList:
185 log.debug(
'Map 0x%x bytes to 0x%x', len(section.data),
186 pe.rva2virt(section.addr))
187 vm.set_mem(pe.rva2virt(section.addr), str(section.data))