def fix_image_base(self, raw_data: bytes, nt_header: interfaces.objects.ObjectInterface) -> bytes:
    """Patch the ImageBase field of a carved PE with its in-memory base address.

    _OPTIONAL_HEADER.ImageBase is an unsigned long for 32-bit PE's and an
    unsigned long long for 64-bit PE's. Its bytes inside raw_data are
    replaced with self.vol.offset, the address the PE was carved from.

    Args:
        raw_data: a bytes object of the PE's data
        nt_header: <_IMAGE_NT_HEADERS> or <_IMAGE_NT_HEADERS64> instance

    Returns:
        <bytes> patched with the correct address, or raw_data unchanged
        (after logging a warning) when the address cannot be packed into
        the ImageBase field.
    """
    image_base = nt_header.OptionalHeader.ImageBase
    load_address = self.vol.offset

    # Position and width of the ImageBase member relative to the start of raw_data.
    field_start = image_base.vol.offset - load_address
    field_size = self._context.symbol_space.get_type(image_base.vol.type_name).size
    field_end = field_start + field_size

    try:
        packed_base = objects.convert_value_to_data(load_address, int, image_base.vol.data_format)
    except OverflowError:
        # The load address does not fit the field's data format; keep the
        # original bytes so the caller still gets a usable file.
        message = ("Volatility was unable to fix the image base for the PE file at base address {:#x}. "
                   "This will cause issues with many static analysis tools if you do not inform the "
                   "tool of the in-memory load address.")
        vollog.warning(message.format(load_address))
        return raw_data

    # NOTE(review): field_start comes from header offsets and is not checked
    # against len(raw_data). If it fell outside the buffer, the slices below
    # would splice at the wrong position instead of failing. Confirm callers
    # guarantee the optional header lies inside raw_data.
    return raw_data[:field_start] + packed_base + raw_data[field_end:]
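def fix_image_base(self, raw_data: bytes, nt_header: interfaces.objects.ObjectInterface) -> bytes:
    """Fix the _OPTIONAL_HEADER.ImageBase value (which is either an unsigned
    long for 32-bit PE's or unsigned long long for 64-bit PE's) to match the
    address where the PE file was carved out of memory.

    If the carve address cannot be represented in the ImageBase field,
    convert_value_to_data raises OverflowError. That case is handled here so
    that one unpatchable header does not abort the whole extraction: a
    warning is logged and the data is returned unpatched.

    Args:
        raw_data: a bytes object of the PE's data
        nt_header: <_IMAGE_NT_HEADERS> or <_IMAGE_NT_HEADERS64> instance

    Returns:
        <bytes> patched with the correct address, or raw_data unchanged when
        the address does not fit the ImageBase field.
    """
    # Imported locally so this method does not rely on a module-level logger.
    import logging

    image_base = nt_header.OptionalHeader.ImageBase

    # Offset and width of the ImageBase member relative to the start of raw_data.
    image_base_offset = image_base.vol.offset - self.vol.offset
    member_size = self._context.symbol_space.get_type(image_base.vol.type_name).size

    try:
        newval = objects.convert_value_to_data(self.vol.offset, int, image_base.vol.data_format)
    except OverflowError:
        logging.getLogger(__name__).warning(
            "Volatility was unable to fix the image base for the PE file at base address {:#x}. "
            "This will cause issues with many static analysis tools if you do not inform the "
            "tool of the in-memory load address.".format(self.vol.offset))
        return raw_data

    # NOTE(review): image_base_offset is not checked against len(raw_data).
    # Confirm callers guarantee the optional header lies inside raw_data,
    # otherwise the splice lands at the wrong position without any error.
    return raw_data[:image_base_offset] + newval + raw_data[image_base_offset + member_size:]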
def replace_header_field(self, sect: interfaces.objects.ObjectInterface, header: bytes,
                         item: interfaces.objects.ObjectInterface, value: int) -> bytes:
    """Overwrite one member of an _IMAGE_SECTION_HEADER inside its raw bytes.

    Args:
        sect: the section instance
        header: raw data for the section
        item: the member of the section to replace
        value: new value for the member

    Returns:
        A copy of header in which the bytes of item are replaced by value,
        packed with the member's own data format.
    """
    field_size = self._context.symbol_space.get_type(item.vol.type_name).size

    # The member's position inside header is its distance from the section start.
    field_start = item.vol.offset - sect.vol.offset
    field_end = field_start + field_size

    packed_value = objects.convert_value_to_data(value, int, item.vol.data_format)

    # NOTE(review): no check that field_start..field_end lies within header.
    # Confirm callers pass the full section header bytes.
    return header[:field_start] + packed_value + header[field_end:]
def get_key(self) -> str:
    """Return the printable characters of the Key value as a string.

    Key is packed with DataFormatInfo(4, "little", False) and every byte
    strictly between 32 and 127 is turned into its character. All other
    bytes, including the space character (32), are dropped, so the result
    can be shorter than 4 characters and distinct Key values can map to the
    same string.
    """
    tag_format = objects.DataFormatInfo(4, "little", False)
    packed_key = objects.convert_value_to_data(self.Key, int, tag_format)

    # Keep only visible ASCII so the tag is safe to print and compare.
    return "".join(chr(byte) for byte in packed_key if 32 < byte < 127)