# To use this plugin:
# * Copy this plugin file to your Relyze Plugins folder (e.g. C:\Users\<username>\Documents\Relyze\Plugins\)
# * Either restart Relyze.exe or right click in the Plugins view and select 'Reload all Plugins'
# * Open the file you want to analyze and tick this plugin in the loader options
require 'relyze/core'
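# Relyze analysis plugin for PE files. After structure analysis it inspects
# the section header of the section that contains the entry point and, where
# the header's Characteristics do not match how the section is used, patches
# them and restarts the analysis.
class Plugin < Relyze::Plugin::Analysis

  # PE section header Characteristics bits tested and set by this plugin.
  IMAGE_SCN_CNT_CODE               = 0x00000020
  IMAGE_SCN_CNT_INITIALIZED_DATA   = 0x00000040
  IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
  IMAGE_SCN_MEM_EXECUTE            = 0x20000000

  # Registers the plugin metadata with Relyze. The plugin is restricted to
  # PE inputs through the :require entry.
  def initialize
    super( {
      :guid                    => '{2316E98E-03C5-4783-9066-DE80F8626912}',
      :name                    => 'Patch non executeable entry point section',
      # The text inside %q{} is kept flush-left: leading whitespace would
      # become part of the description string.
      :description             => %q{
Patch the Characteristics of a PE section which contains the entry point
if that section is not already marked as executable.
},
      :authors                 => [ 'Relyze Software Limited' ],
      :license                 => 'Relyze Plugin License',
      :require                 => {
        :type => [ :pe ]
      },
      :min_application_version => '1.2.0'
    } )
  end

  # Looks up the section holding the entry point and rewrites its
  # Characteristics field when #patched_characteristics yields a different
  # value, then restarts the analysis so the new flags take effect.
  #
  # NOTE(review): cm.write_buffer presumably changes the model Relyze is
  # analysing rather than the file on disk - confirm before relying on it.
  def post_structure_analyze
    cm.synchronize_read do
      entry_point = cm.structure['NT Header']['Optional Header']['EntryPoint'].value

      # The header values come from the file under analysis and may be
      # malformed, e.g. an entry point that lies in no section. Skip the
      # patch instead of calling a method on nil.
      # NOTE(review): assumes both lookups return nil on a miss - confirm
      # against the Relyze API.
      segment = cm.segment( entry_point )
      next if segment.nil?

      entry_section = cm.structure['Section Header'][ segment.name ]
      next if entry_section.nil?

      current = entry_section['Characteristics'].value
      patched = patched_characteristics(
        current,
        entry_section['SizeOfRawData'].value,
        entry_section['VirtualSize'].value
      )

      # Nothing to write and no reason to restart when the flags already match.
      next if patched == current

      cm.synchronize_write do
        cm.write_buffer(
          entry_section['Characteristics'].offset,
          [ patched ].pack('V') # 32-bit little-endian, as the field is written
        )
        self.restart_analysis
      end
    end
  end

  private

  # Computes the Characteristics value the entry point section should carry.
  #
  # @param characteristics [Integer] current Characteristics bit field
  # @param sizeofrawdata [Integer] the section's SizeOfRawData
  # @param virtualsize [Integer] the section's VirtualSize
  # @return [Integer] the input with any missing flags added; equal to the
  #   input when nothing needs patching
  def patched_characteristics( characteristics, sizeofrawdata, virtualsize )
    patched = characteristics

    # MEM_EXECUTE is added only when neither CNT_CODE nor MEM_EXECUTE is set.
    # NOTE(review): a section with CNT_CODE but without MEM_EXECUTE is left
    # as it is - confirm that is the intended reading of "marked as executable".
    if (patched & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)) == 0
      patched |= IMAGE_SCN_MEM_EXECUTE
    end

    # Raw bytes present in the file: flag the section as initialized data.
    patched |= IMAGE_SCN_CNT_INITIALIZED_DATA if sizeofrawdata > 0

    # Virtual size larger than the raw data: flag the section as also
    # holding uninitialized data.
    patched |= IMAGE_SCN_CNT_UNINITIALIZED_DATA if virtualsize > sizeofrawdata

    patched
  end
end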