PE_SectionHeaderByType.asm
;==============================================================================
;
; PE Library
;
; Copyright (c) 2019 by fearless
;
; http://github.com/mrfearless
;
;==============================================================================
.686
.MMX
.XMM
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib
include PE.inc
.CODE
PE_ALIGN
;------------------------------------------------------------------------------
; PE_SectionHeaderByType - Find the first section whose name corresponds to
; the well-known section type given in dwSectionType (SEC_BSS .. SEC_XDATA).
;
; In:      hPE           - PE handle, passed on to PE_HeaderSections and
;                          PE_SectionHeaderCount
;          dwSectionType - one of the SEC_* constants, must be <= SEC_LAST
; Returns: eax = pointer to the matching IMAGE_SECTION_HEADER, or NULL when
;          hPE is NULL, dwSectionType > SEC_LAST, PE_HeaderSections returns 0,
;          or no section matches.
; Uses:    eax, ebx (ebx is preserved via USES)
;
; Matching rules, as implemented:
;  - Only the FIRST FOUR bytes of the 8-byte section name are compared, so
;    this is a prefix match: a request for SEC_TEXT matches any name that
;    starts with ".tex", SEC_DEBUG any name starting with ".deb", and so on.
;  - The first matching header in table order is returned; later sections
;    with the same prefix are never seen.
;  - A section whose name starts with a zero byte is skipped.
;
; NOTE(review): section names are free-form data taken from the file being
; parsed. A hit here says what the section is *called*, not what it holds;
; callers analysing untrusted images should confirm the role through the
; header's Characteristics or the data directories rather than by name.
; NOTE(review): the loop walks PE_SectionHeaderCount entries without checking
; them against the size of the mapped file. Presumably the library validates
; the headers when the PE is opened - confirm before relying on this with
; truncated or malformed input.
;------------------------------------------------------------------------------
PE_SectionHeaderByType PROC USES EBX hPE:DWORD, dwSectionType:DWORD
    LOCAL nSectionCount:DWORD           ; number of section headers to scan
    LOCAL nIndex:DWORD                  ; index of the header ebx points at
    LOCAL dwWantedTag:DWORD             ; first 4 name bytes we look for

    ; Reject a NULL handle or an out-of-range type before touching the image.
    .IF hPE == NULL || dwSectionType > SEC_LAST
        jmp     SectionNotFound
    .ENDIF

    Invoke PE_HeaderSections, hPE       ; eax = first IMAGE_SECTION_HEADER
    .IF eax == 0
        jmp     SectionNotFound
    .ENDIF
    mov     ebx, eax                    ; ebx = header currently examined

    Invoke PE_SectionHeaderCount, hPE
    mov     nSectionCount, eax

    ; Translate the requested type into the dword formed by the first four
    ; characters of its conventional name. The literals are spelled backwards
    ; so they compare equal to the little-endian dword read from the header.
    mov     eax, dwSectionType
    .IF eax == SEC_BSS
        mov     dwWantedTag, 'ssb.'     ; .bss
    .ELSEIF eax == SEC_CORMETA
        mov     dwWantedTag, 'roc.'     ; .cormeta
    .ELSEIF eax == SEC_DATA
        mov     dwWantedTag, 'tad.'     ; .data
    .ELSEIF eax == SEC_DEBUG
        mov     dwWantedTag, 'bed.'     ; .debug
    .ELSEIF eax == SEC_DRECTVE
        mov     dwWantedTag, 'erd.'     ; .drectve
    .ELSEIF eax == SEC_EDATA
        mov     dwWantedTag, 'ade.'     ; .edata
    .ELSEIF eax == SEC_IDATA
        mov     dwWantedTag, 'adi.'     ; .idata
    .ELSEIF eax == SEC_IDLSYM
        mov     dwWantedTag, 'ldi.'     ; .idlsym
    .ELSEIF eax == SEC_PDATA
        mov     dwWantedTag, 'adp.'     ; .pdata
    .ELSEIF eax == SEC_RDATA
        mov     dwWantedTag, 'adr.'     ; .rdata
    .ELSEIF eax == SEC_RELOC
        mov     dwWantedTag, 'ler.'     ; .reloc
    .ELSEIF eax == SEC_RSRC
        mov     dwWantedTag, 'rsr.'     ; .rsrc
    .ELSEIF eax == SEC_SBSS
        mov     dwWantedTag, 'sbs.'     ; .sbss
    .ELSEIF eax == SEC_SDATA
        mov     dwWantedTag, 'ads.'     ; .sdata
    .ELSEIF eax == SEC_SRDATA
        mov     dwWantedTag, 'drs.'     ; .srdata
    .ELSEIF eax == SEC_SXDATA
        mov     dwWantedTag, 'dxs.'     ; .sxdata
    .ELSEIF eax == SEC_TEXT
        mov     dwWantedTag, 'xet.'     ; .text
    .ELSEIF eax == SEC_TLS
        mov     dwWantedTag, 'slt.'     ; .tls
    .ELSEIF eax == SEC_VSDATA
        mov     dwWantedTag, 'dsv.'     ; .vsdata
    .ELSEIF eax == SEC_XDATA
        mov     dwWantedTag, 'adx.'     ; .xdata
    .ELSE
        ; Type is in range but has no name mapping. Zero can never match
        ; below, because names with a zero first byte are skipped and any
        ; other name yields a non-zero dword.
        mov     dwWantedTag, 0
    .ENDIF

    ; Walk the section table; eax carries the index into the loop test.
    mov     nIndex, 0
    xor     eax, eax
    .WHILE eax < nSectionCount
        .IF [ebx].IMAGE_SECTION_HEADER.Name1 != 0
            mov     eax, DWORD PTR [ebx].IMAGE_SECTION_HEADER.Name1
            .IF eax == dwWantedTag
                mov     eax, ebx        ; return the matching header
                ret
            .ENDIF
        .ENDIF
        add     ebx, SIZEOF IMAGE_SECTION_HEADER
        inc     nIndex
        mov     eax, nIndex             ; reload: eax was reused for the tag
    .ENDW

SectionNotFound:
    xor     eax, eax                    ; NULL = no such section
    ret
PE_SectionHeaderByType ENDP
PE_LIBEND