Posted to tcl by apn at Sat Sep 06 16:04:23 GMT 2014view pretty
/* * If we are opening a Windows PE executable with an attached metakit * then we must check for the presence of an Authenticode certificate * and reduce the length of our mapped region accordingly */ static DWORD AuthenticodeOffset(LPBYTE pData, DWORD cbData) { if (pData[0] == 'M' && pData[1] == 'Z') /* IMAGE_DOS_SIGNATURE */ { LPBYTE pNT = pData + *(LONG *)(pData + 0x3c); /* e_lfanew */ if (pNT[0] == 'P' && pNT[1] == 'E' && pNT[2] == 0 && pNT[3] == 0) { /* IMAGE_NT_SIGNATURE */ DWORD dwCheckSum = 0, dwDirectories = 0; LPBYTE pOpt = pNT + 0x18; /* OptionalHeader */ LPDWORD pCertDir = NULL; if (pOpt[0] == 0x0b && pOpt[1] == 0x01) { /* IMAGE_NT_OPTIONAL_HDR_MAGIC */ dwCheckSum = *(DWORD *)(pOpt + 0x40); /* Checksum */ dwDirectories = *(DWORD *)(pOpt + 0x5c); /* NumberOfRvaAndSizes */ if (dwDirectories > 4) { /* DataDirectory[] */ pCertDir = (DWORD *)(pOpt + 0x60 + (4 * 8)); } } else { dwCheckSum = *(DWORD *)(pOpt + 0x40); /* Checksum */ dwDirectories = *(DWORD *)(pOpt + 0x6c); /* NumberOfRvaAndSizes */ if (dwDirectories > 4) { /* DataDirectory[] */ pCertDir = (DWORD *)(pOpt + 0x70 + (4 * 8)); } } if (pCertDir && pCertDir[1] > 0) { int n = 0; cbData = pCertDir[0]; /* need to eliminate any zero padding - up to 8 bytes */ while (pData[cbData - 16] != 0x80 && pData[cbData-1] == 0 && n < 16) { --cbData, ++n; } } } } return cbData; } #endif /* WIN32 */