A library to load and manipulate PE files.
The goal of libPEConv was to create a "swiss army knife" for custom loading of PE files. It gathers various helper functions that you can quickly integrate in your own loader. For example: remapping sections, applying relocations, loading imports, parsing resources.
Not only it allows for loading PE files, but also for customizing of some steps, i.e. IAT hooking (by providing custom IAT resolvers), and functions redirection. Yet, it is NOT focused on inline hooking and should not be confused with libraries such as MS Detours or MinHook.
LibPeConv can be used for creating PE binders, as it allows to load a PE directly from the resource, and integrate it as if it was a local code.
As well it can help you in dumping PEs from the memory, and rebuilding their IATs.
The simplest usecase: use libPeConv to manually load and run an EXE of you choice.
#include<Windows.h>#include<iostream>#include<peconv.h>// include libPeConv headerintmain(intargc,char*argv[]){if (argc<2) {std::cout <<"Args: <path to the exe>" <<std::endl;return0; }LPCSTRpe_path=argv[1];// manually load the PE file using libPeConv:size_tv_size=0;#ifdefLOAD_FROM_PATH//if the PE is dropped on the disk, you can load it from the file:BYTE*my_pe=peconv::load_pe_executable(pe_path,v_size);#elsesize_tbufsize=0;BYTE*buffer=peconv::load_file(pe_path,bufsize);// if the file is NOT dropped on the disk, you can load it directly from a memory buffer:BYTE*my_pe=peconv::load_pe_executable(buffer,bufsize,v_size);#endifif (!my_pe) {return-1; }// if the loaded PE needs to access resources, you may need to connect it to the PEB:peconv::set_main_module_in_peb((HMODULE)my_pe);//calculate the Entry Point of the manually loaded moduleDWORDep_rva=peconv::get_entry_point_rva(my_pe);if (!ep_rva) {return-2; }ULONG_PTRep_va=ep_rva+ (ULONG_PTR)my_pe;//assuming that the payload is an EXE file (not DLL) this will be the simplest prototype of the main:int (*new_main)()= (int(*)())ep_va;//call the Entry Point of the manually loaded PE:returnnew_main();}