Parse 32bit PE in 64bit driver

Hello everyone.
I am writing a driver and in part I need to parse a PE file.
The problem I have is that in my LOAD_IMAGE_NOTIFY_ROUTINE, when an image from wow64 is opened, I cannot parse it properly. Does anyone have a solution?

```c
MyAddr.Kernel32dll = (PVOID)ImageInfo->ImageBase;
Hashqa.GlobalAlloc = (fnGlobalAlloc)GetProcedureAddressByHash((PVOID)MyAddr.Kernel32dll, _GlobalAlloc_ADDRESS);

PVOID GetProcedureAddressByHash(PVOID ModuleBase, ULONG Data)
{
    PIMAGE_DOS_HEADER ImageDosHeader = (PIMAGE_DOS_HEADER)ModuleBase; //e_lfanew address is wrong.
    if (ImageDosHeader->e_magic == IMAGE_DOS_SIGNATURE)
    {
        PIMAGE_NT_HEADERS32 ImageNtHeaders = (PIMAGE_NT_HEADERS32)RtlOffsetToPointer(ModuleBase, ImageDosHeader->e_lfanew);
        if (ImageNtHeaders->Signature == IMAGE_NT_SIGNATURE)
        {
            // Data is the function hash, so it cannot double as the data directory index:
            // the export table is IMAGE_DIRECTORY_ENTRY_EXPORT, and the entry count is checked before indexing.
            if (IMAGE_DIRECTORY_ENTRY_EXPORT < ImageNtHeaders->OptionalHeader.NumberOfRvaAndSizes &&
                ImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
            {
                PIMAGE_EXPORT_DIRECTORY ImageExport = (PIMAGE_EXPORT_DIRECTORY)RtlOffsetToPointer(ModuleBase, ImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
                if (ImageExport)
                {
                    PULONG AddressOfNames = (PULONG)RtlOffsetToPointer(ModuleBase, ImageExport->AddressOfNames);
                    for (ULONG n = 0; n < ImageExport->NumberOfNames; ++n)
                    {
                        LPSTR Func = (LPSTR)RtlOffsetToPointer(ModuleBase, AddressOfNames[n]);
                        XXXXXX // hash comparison against Data, elided in the post
                    }
                }
            }
        }
    }
    return NULL;
}
```

What is the problem? What do you see? And, by the way, if you put three back ticks ( ` ) before and after your code, the site will automatically format it correctly.

Not trying to discourage you from experimenting with parsing PE headers from code running in the kernel, but in all seriousness, parsing file formats in general from code running with high privileges is never a good idea. You should always do this from a non-privileged process. I know this is not the answer you are looking for, but since @Tim_Roberts asked the important question, I will wait for your initial reply to that.

> Not trying to discourage you from experimenting with parsing PE headers from code running in the kernel

No?

I am.

Bad idea. What are you trying to accomplish by doing this?

Peter

@kyREcon said:

> but in all seriousness, parsing file formats in general from code running with high privileges is never a good idea.

:slight_smile:

I think my problem is not in parsing PE. In my OnImageLoad routine, when I run a 32-bit program, I receive a 32-bit ImageBase, which gets into trouble when it enters the parsing stage and does not find it.

Is there a way to get this address in 64 bits?

Why doesn’t it find it? The addressing is the same. If a 32-bit process loads a DLL with an image base of 00400000, it will be located at 00000000_00400000. There is no difference.

Now, I HOPE your code takes into account the fact that a 32-bit PE header has a different layout from a 64-bit PE header. The fields are in different positions.
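As an added illustration of that last point (example code, not from the thread or from any poster), here is a header walk that picks the field offsets from OptionalHeader.Magic instead of hard-coding one header struct, run against a constructed in-memory image of each flavour; the offsets are the PE32/PE32+ optional-header layouts and the struct and function names are this example's own, so it builds without winnt.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Unaligned little-endian field readers (memcpy keeps this portable). */
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
/* Optional-header offsets that move between PE32 (Magic 0x10B) and PE32+ (Magic 0x20B). */
typedef struct { size_t nrva, datadir; } opt_layout_t;
static const opt_layout_t PE32_LAYOUT = { 92, 96 }, PE32PLUS_LAYOUT = { 108, 112 };

/* RVA of the export directory (data directory entry 0), or 0 if (img, size) is not a PE,
 * has no export entry, or any header would be read past size. The layout is selected from
 * OptionalHeader.Magic, not from the bitness of the code doing the parsing. */
uint32_t export_dir_rva(const uint8_t *img, size_t size) {
    if (size < 64 || rd16(img) != 0x5A4D) return 0;                  /* "MZ" */
    uint32_t e_lfanew = rd32(img + 60);
    if (e_lfanew > size - 24) return 0;                                /* Signature + FileHeader */
    const uint8_t *nt = img + e_lfanew, *opt = nt + 24;
    if (rd32(nt) != 0x00004550) return 0;                              /* "PE\0\0" */
    uint16_t opt_size = rd16(nt + 20);                                 /* SizeOfOptionalHeader */
    if (opt_size < 2 || (size_t)(opt - img) + opt_size > size) return 0;
    uint16_t magic = rd16(opt);
    const opt_layout_t *lay = magic == 0x10B ? &PE32_LAYOUT : magic == 0x20B ? &PE32PLUS_LAYOUT : NULL;
    if (!lay || opt_size < lay->datadir + 8) return 0;
    if (rd32(opt + lay->nrva) < 1) return 0;                           /* check the count BEFORE indexing */
    return rd32(opt + lay->datadir);
}

/* What a parser that hard-codes the PE32 layout reads from the export slot of any image. */
uint32_t export_slot_assuming_pe32(const uint8_t *img) {
    return rd32(img + rd32(img + 60) + 24 + PE32_LAYOUT.datadir);
}

/* Constructed test image (not a real binary): DOS header, PE signature, optional header of the
 * requested flavour with the export RVA set; for PE32+ SizeOfHeapCommit (offset 96) gets a marker. */
size_t build_image(uint8_t *buf, size_t cap, int pe64, uint32_t export_rva) {
    uint32_t lfanew = 0x80, nrva = 16, marker = 0xDEADBEEF;
    uint16_t opt_size = pe64 ? 240 : 224, magic = pe64 ? 0x20B : 0x10B;
    const opt_layout_t *lay = pe64 ? &PE32PLUS_LAYOUT : &PE32_LAYOUT;
    if (cap < lfanew + 24 + opt_size) return 0;
    memset(buf, 0, cap);
    buf[0] = 'M'; buf[1] = 'Z'; memcpy(buf + 60, &lfanew, 4);
    uint8_t *nt = buf + lfanew, *opt = nt + 24;
    memcpy(nt, "PE\0\0", 4); memcpy(nt + 20, &opt_size, 2); memcpy(opt, &magic, 2);
    if (pe64) memcpy(opt + 96, &marker, 4);
    memcpy(opt + lay->nrva, &nrva, 4); memcpy(opt + lay->datadir, &export_rva, 4);
    return lfanew + 24 + opt_size;
}
```

On the PE32+ image the fixed-layout read lands on SizeOfHeapCommit rather than the export directory, which is exactly the kind of wrong pointer a caller then dereferences.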