├── .gitignore
├── .gitmodules
├── CHANGELOG.txt
├── LICENSE.txt
├── Makefile
├── README.md
├── bin
├── inject.c
├── is32bit.c
└── monitor.c
├── data
├── base-sigs.json
├── capstone-config.mk
├── dereference.conf
├── flags-header.jinja2
├── flags-source.jinja2
├── hook-header.jinja2
├── hook-info-header.jinja2
├── hook-source.jinja2
├── is-success.conf
└── types.conf
├── docs
├── Makefile
├── compilation.rst
├── components.rst
├── conf.py
├── hooks.rst
├── index.rst
├── make.bat
└── requirements.rst
├── flags
├── crypto.rst
├── file.rst
├── generic.rst
├── ioctl.rst
├── misc.rst
├── network.rst
├── process.rst
├── registry.rst
├── system.rst
└── ui.rst
├── inc
├── assembly.h
├── config.h
├── diffing.h
├── hashtable.h
├── hooking.h
├── ignore.h
├── log.h
├── memory.h
├── misc.h
├── misc2.h
├── monitor.h
├── native.h
├── ntapi.h
├── pipe.h
├── sleep.h
├── symbol.h
├── unhook.h
└── utf8.h
├── make-debug.sh
├── sigs
├── cert.rst
├── crypto.rst
├── exception.rst
├── file.rst
├── file_native.rst
├── iexplore.rst
├── misc.rst
├── netapi.rst
├── network.rst
├── ole.rst
├── process.rst
├── process_native.rst
├── registry.rst
├── registry_native.rst
├── resource.rst
├── services.rst
├── sleep.rst
├── socket.rst
├── srvcli.rst
├── sync.rst
├── system.rst
├── thread.rst
├── thread_native.rst
├── ui.rst
└── wmi.rst
├── src
├── assembly.c
├── bson
│ ├── LICENSE
│ ├── bson.c
│ ├── bson.h
│ ├── encoding.c
│ ├── encoding.h
│ └── numbers.c
├── config.c
├── diffing.c
├── disguise.c
├── hashtable.c
├── hooking.c
├── iexplore.c
├── ignore.c
├── log.c
├── memory.c
├── misc.c
├── native.c
├── pipe.c
├── sha1
│ ├── license.txt
│ ├── sha1.c
│ └── sha1.h
├── sleep.c
├── symbol.c
├── unhook.c
├── utf8.c
└── wmi.c
├── test
├── test-adapter.c
├── test-array.c
├── test-breakpipe.c
├── test-changedir.c
├── test-controlservice.c
├── test-createproc.c
├── test-datatypes.c
├── test-inject-shellcode.c
├── test-logdll.c
├── test-misc.c
├── test-moninmem.c
├── test-native.c
├── test-obtainuseragentstring.c
├── test-readav.c
├── test-resumethread.c
├── test-unibuf.c
├── test-unicode-fname-.c
├── test-unistr.c
├── test-utf8.c
└── unittest.py
└── utils
├── Makefile
├── helloworld.c
└── process.py
/.gitignore:
--------------------------------------------------------------------------------
1 | .gitignore
2 | docs/_build/
3 | objects/
4 | *.exe
5 | *.dll
6 |
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "src/capstone"]
2 | path = src/capstone
3 | url = https://github.com/aquynh/capstone
4 | branch = next
5 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
1 | CC32 = i686-w64-mingw32-gcc -m32
2 | CC64 = x86_64-w64-mingw32-gcc -m64
3 | AR = ar
4 | CFLAGS = -Wall -Wextra -std=c99 -static -Wno-missing-field-initializers \
5 | -I inc/ -I objects/code/ -I src/bson/ -I src/sha1/ -mwindows
6 | LDFLAGS = -lshlwapi
7 | MAKEFLAGS = -j8
8 |
9 | SIGS = $(wildcard sigs/*.rst)
10 | FLAGS = $(wildcard flags/*.rst)
11 | JINJA2 = $(wildcard data/*.jinja2)
12 |
13 | # Dependencies for the auto-generated hook files.
14 | HOOKREQ = utils/process.py $(wildcard data/*.json) $(wildcard data/*.conf)
15 |
16 | # HOOKSRC only contains one element as the related auto-generated files are
17 | # automatically created as well (if not emitting them it'll re-generate *all*
18 | # the to-be-auto-generated files multiple times).
19 | HOOKSRC = objects/code/hooks.c
20 | HOOKOBJ32 = objects/x86/code/hooks.o
21 | HOOKOBJ64 = objects/x64/code/hooks.o
22 | FLAGSRC = objects/code/flags.c
23 | FLAGOBJ32 = objects/x86/code/flags.o
24 | FLAGOBJ64 = objects/x64/code/flags.o
25 |
26 | SRC = $(wildcard src/*.c)
27 | SRCOBJ32 = $(SRC:%.c=objects/x86/%.o)
28 | SRCOBJ64 = $(SRC:%.c=objects/x64/%.o)
29 | HEADER = $(wildcard inc/*.h)
30 |
31 | BSON = $(wildcard src/bson/*.c)
32 | BSONOBJ32 = $(BSON:%.c=objects/x86/%.o)
33 | BSONOBJ64 = $(BSON:%.c=objects/x64/%.o)
34 |
35 | SHA1 = src/sha1/sha1.c
36 | SHA1OBJ32 = objects/x86/src/sha1/sha1.o
37 | SHA1OBJ64 = objects/x64/src/sha1/sha1.o
38 |
39 | LIBCAPSTONE32 = src/capstone/capstone-x86.lib
40 | LIBCAPSTONE64 = src/capstone/capstone-x64.lib
41 |
42 | ifdef DEBUG
43 | CFLAGS += -DDEBUG=1 -O0 -ggdb
44 | RELMODE = debug
45 | else
46 | CFLAGS += -DDEBUG=0 -O0 -s
47 | RELMODE = release
48 | endif
49 |
50 | all: dirs bin/inject-x86.exe bin/inject-x64.exe bin/is32bit.exe \
51 | bin/monitor-x86.dll bin/monitor-x64.dll
52 |
53 | dirs: | objects/
54 |
55 | objects/:
56 | mkdir -p objects/code/
57 | mkdir -p objects/x86/code/ objects/x64/code/
58 | mkdir -p objects/x86/src/bson/ objects/x64/src/bson/
59 | mkdir -p objects/x86/src/sha1/ objects/x64/src/sha1/
60 |
61 | $(HOOKSRC): $(SIGS) $(FLAGS) $(JINJA2) $(HOOKREQ)
62 | python2 utils/process.py $(RELMODE) --apis=$(APIS)
63 |
64 | $(FLAGSRC): $(HOOKSRC)
65 |
66 | src/capstone/config.mk:
67 | git submodule update --init
68 | cp data/capstone-config.mk src/capstone/config.mk
69 |
70 | $(LIBCAPSTONE32): src/capstone/config.mk
71 | cd src/capstone/ && \
72 | CAPSTONE_ARCHS="x86" BUILDDIR=../../objects/x86/capstone/ ./make.sh cross-win32 && \
73 | cp ../../objects/x86/capstone/capstone.lib capstone-x86.lib
74 |
75 | $(LIBCAPSTONE64): src/capstone/config.mk
76 | cd src/capstone/ && \
77 | CAPSTONE_ARCHS="x86" BUILDDIR=../../objects/x64/capstone/ ./make.sh cross-win64 && \
78 | cp ../../objects/x64/capstone/capstone.lib capstone-x64.lib
79 |
80 | objects/x86/%.o: %.c $(HEADER) Makefile
81 | $(CC32) -c -o $@ $< $(CFLAGS)
82 |
83 | objects/x86/%.o: objects/x86/%.c $(HEADER) $(HOOKSRC) Makefile
84 | $(CC32) -c -o $@ $< $(CFLAGS)
85 |
86 | objects/x64/%.o: %.c $(HEADER) Makefile
87 | $(CC64) -c -o $@ $< $(CFLAGS)
88 |
89 | objects/x64/%.o: objects/x64/%.c $(HEADER) $(HOOKSRC) Makefile
90 | $(CC64) -c -o $@ $< $(CFLAGS)
91 |
92 | $(HOOKOBJ32): $(HOOKSRC) $(HEADER) Makefile
93 | $(CC32) -c -o $@ $< $(CFLAGS)
94 |
95 | $(HOOKOBJ64): $(HOOKSRC) $(HEADER) Makefile
96 | $(CC64) -c -o $@ $< $(CFLAGS)
97 |
98 | $(FLAGOBJ32): $(FLAGSRC) $(HEADER) Makefile
99 | $(CC32) -c -o $@ $< $(CFLAGS)
100 |
101 | $(FLAGOBJ64): $(FLAGSRC) $(HEADER) Makefile
102 | $(CC64) -c -o $@ $< $(CFLAGS)
103 |
104 | bin/monitor-x86.dll: bin/monitor.c $(SRCOBJ32) $(HOOKOBJ32) $(FLAGOBJ32) \
105 | $(BSONOBJ32) $(LIBCAPSTONE32) $(SHA1OBJ32)
106 | $(CC32) -shared -o $@ $^ $(CFLAGS) $(LDFLAGS) -Wunused-variable
107 |
108 | bin/monitor-x64.dll: bin/monitor.c $(SRCOBJ64) $(HOOKOBJ64) $(FLAGOBJ64) \
109 | $(BSONOBJ64) $(LIBCAPSTONE64) $(SHA1OBJ64)
110 | $(CC64) -shared -o $@ $^ $(CFLAGS) $(LDFLAGS) -Wunused-variable
111 |
112 | bin/inject-x86.exe: bin/inject.c src/assembly.c
113 | $(CC32) -o $@ $^ $(CFLAGS) $(LDFLAGS) -I inc
114 |
115 | bin/inject-x64.exe: bin/inject.c src/assembly.c
116 | $(CC64) -o $@ $^ $(CFLAGS) $(LDFLAGS) -I inc
117 |
118 | bin/is32bit.exe: bin/is32bit.c
119 | $(CC32) -o $@ $^ $(CFLAGS)
120 |
121 | clean:
122 | rm -rf objects/ $(DLL32) $(DLL64)
123 |
124 | clean-capstone:
125 | rm -rf $(LIBCAPSTONE32) $(LIBCAPSTONE64)
126 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | monitor
2 | =======
3 |
4 | The new Cuckoo Monitor. [Click here for documentation][docs].
5 | If at first it doesn't compile, just try a second time!
6 |
7 | [docs]: http://cuckoo-monitor.readthedocs.org/en/latest/
8 |
9 |
10 | # Cuckoo Monitor - Address Caller Identification
11 | This repository is a clone of the new [Cuckoo Sandbox Monitor DLL](https://github.com/cuckoosandbox/monitor)
12 | It is based on [Mr Polino version from the first Monitoring DLL](https://github.com/JinBlack/cuckoomon/commits/mem_pointer)
13 | ## How it works
14 |
15 | Basically by editing Jinja2 files (files that generate automatically code for API hooking) we add functions that helps us determining the calling address.
16 | Using the python script provided by Cuckoo Monitor, we add a new parameter for all logged API that is used to store the calling address.
17 |
--------------------------------------------------------------------------------
/bin/is32bit.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #include
20 | #include
21 | #include
22 | #include
23 |
24 | static BOOL (WINAPI *pIsWow64Process)(HANDLE hProcess, PBOOL Wow64Process);
25 |
26 | void error(const char *fmt, ...)
27 | {
28 | char buf[2048]; va_list args;
29 |
30 | va_start(args, fmt);
31 | vsnprintf(buf, sizeof(buf), fmt, args);
32 | MessageBox(NULL, buf, "is32bit error", 0);
33 | va_end(args);
34 |
35 | exit(1);
36 | }
37 |
38 | uint32_t pid_from_process_name(const wchar_t *process_name)
39 | {
40 | PROCESSENTRY32W row; HANDLE snapshot_handle;
41 |
42 | snapshot_handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
43 | if(snapshot_handle == INVALID_HANDLE_VALUE) {
44 | error("[-] Error obtaining snapshot handle: %ld\n", GetLastError());
45 | }
46 |
47 | row.dwSize = sizeof(row);
48 | if(Process32FirstW(snapshot_handle, &row) == FALSE) {
49 | error("[-] Error enumerating the first process: %ld\n",
50 | GetLastError());
51 | }
52 |
53 | do {
54 | if(wcsicmp(row.szExeFile, process_name) == 0) {
55 | CloseHandle(snapshot_handle);
56 | return row.th32ProcessID;
57 | }
58 | } while (Process32NextW(snapshot_handle, &row) != FALSE);
59 |
60 | CloseHandle(snapshot_handle);
61 |
62 | error("[-] Error finding process by name: %S\n", process_name);
63 | return 0;
64 | }
65 |
66 | HANDLE open_process(uint32_t pid)
67 | {
68 | HANDLE process_handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
69 | if(process_handle == NULL) {
70 | error("[-] Error getting access to process: %ld!\n", GetLastError());
71 | }
72 |
73 | return process_handle;
74 | }
75 |
76 | static int determine_process_identifier(uint32_t pid)
77 | {
78 | HANDLE process_handle = open_process(pid);
79 | BOOL wow64_process; SYSTEM_INFO si;
80 |
81 | GetNativeSystemInfo(&si);
82 |
83 | // If the IsWow64Process function doesn't exist then this is an older
84 | // 32-bit Windows version.
85 | if(pIsWow64Process == NULL) {
86 | printf("32");
87 | }
88 | // If it fails then we emit an error.
89 | else if(pIsWow64Process(process_handle, &wow64_process) == FALSE) {
90 | error("Error obtaining wow64 process status\n");
91 | }
92 |
93 | // This is a 32-bit machine.
94 | if(si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_INTEL) {
95 | printf("32");
96 | return 0;
97 | }
98 |
99 | // TODO It is also possible to run 32-bit Windows on a 64-bit machine.
100 | if(si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64) {
101 | error("Invalid processor architecture\n");
102 | }
103 |
104 | printf(wow64_process == FALSE ? "64" : "32");
105 | return 0;
106 | }
107 |
108 | static int determine_pe_file(const wchar_t *filepath)
109 | {
110 | FILE *fp = _wfopen(filepath, L"rb");
111 | if(fp == NULL) {
112 | error("Error opening filepath\n");
113 | }
114 |
115 | static uint8_t buf[0x2000];
116 |
117 | fread(buf, 1, sizeof(buf), fp);
118 | fclose(fp);
119 |
120 | IMAGE_DOS_HEADER *image_dos_header = (IMAGE_DOS_HEADER *) buf;
121 | if(image_dos_header->e_magic != IMAGE_DOS_SIGNATURE) {
122 | error("Invalid DOS file\n");
123 | return 1;
124 | }
125 |
126 | IMAGE_NT_HEADERS *image_nt_headers =
127 | (IMAGE_NT_HEADERS *)(buf + image_dos_header->e_lfanew);
128 | if(image_nt_headers->Signature != IMAGE_NT_SIGNATURE) {
129 | error("Invalid PE file\n");
130 | }
131 |
132 | switch (image_nt_headers->FileHeader.Machine) {
133 | case IMAGE_FILE_MACHINE_I386:
134 | printf("32");
135 | return 0;
136 |
137 | case IMAGE_FILE_MACHINE_AMD64:
138 | printf("64");
139 | return 0;
140 |
141 | default:
142 | error("Invalid PE file: not a 32-bit or 64-bit\n");
143 | }
144 | return 0;
145 | }
146 |
147 | int main()
148 | {
149 | LPWSTR *argv; int argc;
150 |
151 | argv = CommandLineToArgvW(GetCommandLineW(), &argc);
152 | if(argv == NULL) {
153 | error("Error parsing commandline options!\n");
154 | }
155 |
156 | if(argc != 3) {
157 | error(
158 | "Usage: %S \n"
159 | "Options:\n"
160 | " -p --pid \n"
161 | " -n --process-name \n"
162 | " -f --file \n"
163 | "\n"
164 | "Examples:\n"
165 | "%S -p 1234\n"
166 | "%S -n lsass.exe\n"
167 | "%S -f %S\n",
168 | argv[0], argv[0], argv[0], argv[0], argv[0]
169 | );
170 | }
171 |
172 | *(FARPROC *) &pIsWow64Process =
173 | GetProcAddress(GetModuleHandle("kernel32"), "IsWow64Process");
174 |
175 | if(wcscmp(argv[1], L"-p") == 0 || wcscmp(argv[1], L"--pid") == 0) {
176 | uint32_t pid = wcstoul(argv[2], NULL, 10);
177 | return determine_process_identifier(pid);
178 | }
179 |
180 | if(wcscmp(argv[1], L"-n") == 0 ||
181 | wcscmp(argv[1], L"--process-name") == 0) {
182 | uint32_t pid = pid_from_process_name(argv[2]);
183 | return determine_process_identifier(pid);
184 | }
185 |
186 | if(wcscmp(argv[1], L"-f") == 0 || wcscmp(argv[1], L"--file") == 0) {
187 | return determine_pe_file(argv[2]);
188 | }
189 |
190 | error("Invalid action specified..\n");
191 | return 1;
192 | }
193 |
--------------------------------------------------------------------------------
/bin/monitor.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #include
20 | #include
21 | #include "config.h"
22 | #include "diffing.h"
23 | #include "hooking.h"
24 | #include "ignore.h"
25 | #include "log.h"
26 | #include "memory.h"
27 | #include "misc.h"
28 | #include "monitor.h"
29 | #include "native.h"
30 | #include "pipe.h"
31 | #include "sleep.h"
32 | #include "symbol.h"
33 | #include "unhook.h"
34 |
35 | void monitor_init(HMODULE module_handle)
36 | {
37 | // Sends crashes to the process rather than showing error popup boxes etc.
38 | SetErrorMode(SEM_FAILCRITICALERRORS | SEM_NOALIGNMENTFAULTEXCEPT |
39 | SEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX);
40 |
41 | config_t cfg;
42 | config_read(&cfg);
43 |
44 | // Required to be initialized before any logging starts.
45 | mem_init();
46 |
47 | // Initialize capstone without our custom allocator as it is
48 | // not available yet.
49 | hook_init(module_handle);
50 |
51 | pipe_init(cfg.pipe_name, cfg.pipe_pid);
52 | native_init();
53 |
54 | // Re-initialize capstone with our custom allocator which is now
55 | // accessible after native_init().
56 | hook_init2();
57 |
58 | misc_init(module_handle, cfg.shutdown_mutex);
59 | misc_set_hook_library(&monitor_hook, &monitor_unhook);
60 | diffing_init(cfg.hashes_path, cfg.diffing_enable);
61 |
62 | log_init(cfg.logpipe, cfg.track);
63 | ignore_init();
64 |
65 | sleep_init(cfg.first_process, cfg.force_sleep_skip, cfg.startup_time);
66 |
67 | // Disable the unhook detection for now. TODO Re-enable.
68 | // unhook_init_detection(cfg.first_process);
69 |
70 | hide_module_from_peb(module_handle);
71 |
72 | if(cfg.disguise != 0) {
73 | // Set the processor count to two.
74 | set_processor_count(2);
75 |
76 | // Pretend like we have two extra gigabytes of memory.
77 | add_virtual_memory(2 * 1024 * 1024 * 1024ull);
78 | }
79 |
80 | symbol_init(module_handle);
81 |
82 | // Should be the last as some of the other initialization routines extract
83 | // the image size, EAT pointers, etc while the PE header is still intact.
84 | destroy_pe_header(module_handle);
85 |
86 | misc_set_monitor_options(cfg.track, cfg.mode);
87 | }
88 |
89 | void monitor_hook(const char *library, void *module_handle)
90 | {
91 | // Initialize data about each hook.
92 | for (hook_t *h = sig_hooks(); h->funcname != NULL; h++) {
93 | // If a specific library has been specified then we skip all other
94 | // libraries. This feature is used in the special hook for LdrLoadDll.
95 | if(library != NULL && stricmp(h->library, library) != 0) {
96 | continue;
97 | }
98 |
99 | // We only hook this function if the monitor mode is "hook everything"
100 | // or if the monitor mode matches the mode of this hook.
101 | if(g_monitor_mode != HOOK_MODE_ALL &&
102 | (g_monitor_mode & h->mode) == 0) {
103 | continue;
104 | }
105 |
106 | // Return value 1 indicates to retry the hook. This is important for
107 | // delay-loaded function forwarders as the delay-loaded DLL may
108 | // already have been loaded. In that case we want to hook the function
109 | // forwarder right away. (Note that the library member of the hook
110 | // object is updated in the case of retrying).
111 | while (hook(h, module_handle) == 1);
112 | }
113 | }
114 |
115 | void monitor_unhook(const char *library, void *module_handle)
116 | {
117 | (void) library;
118 |
119 | for (hook_t *h = sig_hooks(); h->funcname != NULL; h++) {
120 | // This module was unloaded.
121 | if(h->module_handle == module_handle) {
122 | h->is_hooked = 0;
123 | h->addr = NULL;
124 | }
125 |
126 | // This is a hooked function which doesn't belong to a particular DLL.
127 | // Therefore the module handle is a nullptr and we simply check
128 | // whether the address of the original function is still in-memory.
129 | if(h->module_handle == NULL && range_is_readable(h->addr, 16) == 0) {
130 | h->is_hooked = 0;
131 | h->addr = NULL;
132 | }
133 | }
134 | }
135 |
136 | BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
137 | {
138 | (void) hModule; (void) lpReserved;
139 |
140 | if(dwReason == DLL_PROCESS_ATTACH && is_ignored_process() == 0) {
141 | monitor_init(hModule);
142 | monitor_hook(NULL, NULL);
143 | pipe("LOADED:%d,%d", get_current_process_id(), g_monitor_track);
144 | }
145 |
146 | return TRUE;
147 | }
148 |
--------------------------------------------------------------------------------
/data/base-sigs.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "apiname": "__process__",
4 | "parameters": [
5 | {"argtype": "ULONG", "argname": "time_low"},
6 | {"argtype": "ULONG", "argname": "time_high"},
7 | {"argtype": "ULONG", "argname": "pid"},
8 | {"argtype": "ULONG", "argname": "ppid"},
9 | {"argtype": "LPWSTR", "argname": "module_path"},
10 | {"argtype": "LPWSTR", "argname": "command_line"},
11 | {"argtype": "int", "argname": "is_64bit"},
12 | {"argtype": "int", "argname": "track"}
13 | ],
14 | "signature": {
15 | "category": "__notification__"
16 | }
17 | },
18 | {
19 | "apiname": "__anomaly__",
20 | "parameters": [
21 | {"argtype": "ULONG", "argname": "tid"},
22 | {"argtype": "LPCSTR", "argname": "subcategory"},
23 | {"argtype": "LPCSTR", "argname": "function_name"},
24 | {"argtype": "LPCSTR", "argname": "message"}
25 | ],
26 | "signature": {
27 | "category": "__notification__"
28 | }
29 | },
30 | {
31 | "apiname": "__exception__",
32 | "parameters": [
33 | {"argtype": "bson *", "argname": "exception"},
34 | {"argtype": "bson *", "argname": "registers"},
35 | {"argtype": "bson *", "argname": "stacktrace"}
36 | ],
37 | "signature": {
38 | "category": "__notification__"
39 | }
40 | },
41 | {
42 | "apiname": "__missing__",
43 | "parameters": [
44 | {"argtype": "LPCSTR", "argname": "function_name"}
45 | ],
46 | "signature": {
47 | "category": "__notification__"
48 | }
49 | }
50 | ]
51 |
--------------------------------------------------------------------------------
/data/capstone-config.mk:
--------------------------------------------------------------------------------
1 | # This file contains all customized compile options for Capstone.
2 | # Modify it before building step. Consult docs/README for details.
3 |
4 | ################################################################################
5 | # Specify which archs you want to compile in. By default, we build all archs.
6 |
7 | CAPSTONE_ARCHS ?= x86
8 |
9 |
10 | ################################################################################
11 | # Comment out the line below ('CAPSTONE_USE_SYS_DYN_MEM = yes'), or change it to
12 | # 'CAPSTONE_USE_SYS_DYN_MEM = no' if do NOT use malloc/calloc/realloc/free/
13 | # vsnprintf() provided by system for internal dynamic memory management.
14 | #
15 | # NOTE: in that case, specify your own malloc/calloc/realloc/free/vsnprintf()
16 | # functions in your program via API cs_option(), using CS_OPT_MEM option type.
17 |
18 | CAPSTONE_USE_SYS_DYN_MEM ?= yes
19 |
20 |
21 | ################################################################################
22 | # Change 'CAPSTONE_DIET = no' to 'CAPSTONE_DIET = yes' to make the library
23 | # more compact: use less memory & smaller in binary size.
24 | # This setup will remove the @mnemonic & @op_str data, plus semantic information
25 | # such as @regs_read/write & @group. The amount of binary size reduced is
26 | # up to 50% in some individual archs.
27 | #
28 | # NOTE: we still keep all those related fileds @mnemonic, @op_str, @regs_read,
29 | # @regs_write, @groups, etc in fields in cs_insn structure regardless, but they
30 | # will not be updated (i.e empty), thus become irrelevant.
31 |
32 | CAPSTONE_DIET ?= no
33 |
34 |
35 | ################################################################################
36 | # Change 'CAPSTONE_X86_REDUCE = no' to 'CAPSTONE_X86_REDUCE = yes' to remove
37 | # non-critical instruction sets of X86, making the binary size smaller by ~60%.
38 | # This is desired in special cases, such as OS kernel, where these kind of
39 | # instructions are not used.
40 | #
41 | # The list of instruction sets to be removed includes:
42 | # - Floating Point Unit (FPU)
43 | # - MultiMedia eXtension (MMX)
44 | # - Streaming SIMD Extensions (SSE)
45 | # - 3DNow
46 | # - Advanced Vector Extensions (AVX)
47 | # - Fused Multiply Add Operations (FMA)
48 | # - eXtended Operations (XOP)
49 | # - Transactional Synchronization Extensions (TSX)
50 | #
51 | # Due to this removal, the related instructions are nolonger supported.
52 | #
53 | # By default, Capstone is compiled with 'CAPSTONE_X86_REDUCE = no',
54 | # thus supports complete X86 instructions.
55 |
56 | CAPSTONE_X86_REDUCE ?= yes
57 |
58 |
59 | ################################################################################
60 | # Change 'CAPSTONE_STATIC = yes' to 'CAPSTONE_STATIC = no' to avoid building
61 | # a static library.
62 |
63 | CAPSTONE_STATIC ?= yes
64 |
65 |
66 | ################################################################################
67 | # Change 'CAPSTONE_SHARED = yes' to 'CAPSTONE_SHARED = no' to avoid building
68 | # a shared library.
69 |
70 | CAPSTONE_SHARED ?= no
71 |
--------------------------------------------------------------------------------
/data/dereference.conf:
--------------------------------------------------------------------------------
1 | LPDWORD = DWORD
2 | PULONG = ULONG
3 | LPPROCESS_INFORMATION = PROCESS_INFORMATION
4 | PLARGE_INTEGER = LARGE_INTEGER
5 | DATA_BLOB * = DATA_BLOB
6 | ULONG * = ULONG
7 | SIZE_T * = SIZE_T
8 | PCLIENT_ID = CLIENT_ID
9 | SHELLEXECUTEINFOW * = SHELLEXECUTEINFOW
10 | PIO_STATUS_BLOCK = IO_STATUS_BLOCK
11 | LPWSTR * = LPWSTR
12 | PSIZE_T = SIZE_T
13 | DWORD * = DWORD
14 |
--------------------------------------------------------------------------------
/data/flags-header.jinja2:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_FLAGS_H
20 | #define MONITOR_FLAGS_H
21 |
22 | #include
23 | #include
24 |
25 | typedef enum _flag_t {
26 | FLAG_NONE,
27 | {%- for name in flags: %}
28 | FLAG_{{ name }},
29 | {%- endfor %}
30 | FLAGCNT,
31 | } flag_t;
32 |
33 | #endif
34 |
--------------------------------------------------------------------------------
/data/flags-source.jinja2:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #include
20 | #include
21 | #include
22 | #include
23 | #include
24 | #include
25 | #include "flags.h"
26 | #include "log.h"
27 | #include "ntapi.h"
28 |
29 | {% for flag in flags.values(): %}
30 | static const flag_repr_t _{{ flag.name }}_value[] = {
31 | {%- for row in flag.value %}
32 | {{ "{" }}{{ row }}, "{{ row }}"{{ "}" }},
33 | {%- endfor %}
34 | {0, NULL},
35 | };
36 |
37 | static const flag_repr_t _{{ flag.name }}_bitmask[] = {
38 | {%- for row in flag.enum %}
39 | {{ "{" }}{{ row }}, "{{ row }}"{{ "}" }},
40 | {%- endfor %}
41 | {0, NULL},
42 | };
43 | {% endfor %}
44 |
45 | const flag_repr_t *g_flags[FLAGCNT][2] = {
46 | {NULL, NULL},
47 | {%- for name in flags: %}
48 | {{ "{" }}_{{ name }}_value, _{{ name }}_bitmask{{ "}" }},
49 | {%- endfor %}
50 | };
51 |
52 | const flag_repr_t *flag_value(uint32_t flagidx)
53 | {
54 | return g_flags[flagidx][0];
55 | }
56 |
57 | const flag_repr_t *flag_bitmask(uint32_t flagidx)
58 | {
59 | return g_flags[flagidx][1];
60 | }
61 |
--------------------------------------------------------------------------------
/data/hook-header.jinja2:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_HOOKS_H
20 | #define MONITOR_HOOKS_H
21 |
22 | #include
23 | #include
24 | #include
25 | #include
26 | #include
27 | #include
28 | #include
29 | #include
30 | #include
31 | #include
32 | #include "hook-info.h"
33 | #include "ntapi.h"
34 |
35 |
36 |
37 |
38 | #ifdef __i386__
39 | static __inline__ PEB *get_PEB()
40 | {
41 | void *PPEB;
42 | __asm__ __volatile__("movl %%fs:0x30, %0;":"=r"(PPEB));
43 | return PPEB;
44 | }
45 |
46 |
47 | static __inline__ int * FixCall(int * Ptr)
48 | {
49 | // Call seems to begin either by FF or E8
50 | int i = 2;
51 | // Call is at least 2 bytes. (Up to 6 bytes from what i have seen in x86)
52 | // It starts with one of the following : 0xFF ; 0xE8 ; 0x9A
53 | Ptr = ((int)Ptr) -2;
54 | while (i <=6)
55 | {
56 | if ((*Ptr&0xff) == 0xFF)
57 | {
58 | break;
59 | }
60 | else if((*Ptr&0xff) == 0xE8)
61 | {
62 | break;
63 | }
64 | else if((*Ptr&0xff) == 0x9A)
65 | {
66 | break;
67 | }
68 | else
69 | {
70 | Ptr = ((int)Ptr) -1;
71 | i++;
72 | }
73 | }
74 | return (int *)Ptr;
75 | }
76 |
77 |
78 | #endif
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 | #ifdef __amd64__
87 | static __inline__ PEB *get_PEB()
88 | {
89 | void *PPEB;
90 | //__asm__ __volatile__("mov %%gs:0x30, %0;":"=r"(PPEB));
91 |
92 |
93 | __asm__ __volatile__("mov %%gs:0x30, %%rax;"
94 | "mov 0x60(%%rax), %%rax;"
95 | "mov %%rax, %0":"=r"(PPEB)
96 |
97 |
98 | );
99 |
100 | return PPEB;
101 | }
102 |
103 |
104 | static __inline__ int * FixCall(int * Ptr)
105 | {
106 | // Call seems to begin either by FF or E8
107 | int i = 2;
108 | // Call is at least 2 bytes. (Up to 6 bytes from what i have seen in x86)
109 | // It starts with one of the following : 0xFF ; 0xE8 ; 0x9A
110 | Ptr = ((int)Ptr) -2;
111 | while (i <=6)
112 | {
113 | if ((*Ptr&0xff) == 0xFF)
114 | {
115 | break;
116 | }
117 | else if((*Ptr&0xff) == 0xE8)
118 | {
119 | break;
120 | }
121 | else if((*Ptr&0xff) == 0x9A)
122 | {
123 | break;
124 | }
125 | else
126 | {
127 | Ptr = ((int)Ptr) -1;
128 | i++;
129 | }
130 | }
131 | return (int *)Ptr;
132 | }
133 |
134 |
135 |
136 | #endif
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 | static __inline__ unsigned int IsInTextRange(int * Addr)
149 | {
150 | PPEB PEB = get_PEB();
151 |
152 | PLDR_MODULE Module = (PLDR_MODULE) PEB->LoaderData->InLoadOrderModuleList.Flink;
153 | if ((void*)Addr - Module->BaseAddress < Module->SizeOfImage){
154 | return 1;
155 | }
156 | return 0;
157 | }
158 |
159 | static __inline__ uint8_t check_caller_address_in_module(int *caller){
160 | PPEB peb = get_PEB();
161 | PLDR_MODULE stop;
162 | //Assupmtion: the first loaded module is the code base.
163 | PLDR_MODULE module = (PLDR_MODULE) peb->LoaderData->InLoadOrderModuleList.Flink;
164 | stop = (PLDR_MODULE) peb->LoaderData->InLoadOrderModuleList.Blink;
165 | do{
166 | module = (PLDR_MODULE) module->InLoadOrderModuleList.Flink;
167 | if ((void*)caller-module->BaseAddress < module->SizeOfImage){
168 | return 1;
169 | }
170 | }while(module != stop);
171 | return 0;
172 | }
173 |
174 | static __inline__ int * GetCallerAddress() __attribute__((always_inline));
175 | static __inline__ int * GetCallerAddress()
176 | {
177 | int *Caller = NULL;
178 | int i =1;
179 |
180 | Caller = (void *)__builtin_return_address(0); // Get return address minus 5 so we get the address where the function is called.
181 |
182 | // TODO : Fix depends on architecture
183 | //__asm__ __volatile__("movl 4(%%ebp),%0;"
184 | // : "=r" (Caller));
185 | if (IsInTextRange(Caller)) // If address is in .text section range, then we just return it.
186 | {
187 | return FixCall(Caller);
188 | }
189 |
190 | while(check_caller_address_in_module(Caller) && i <= 10){
191 | switch(i){
192 | case 1:
193 | Caller = __builtin_return_address(1) ;
194 | break;
195 | case 2:
196 | Caller = __builtin_return_address(2) ;
197 | break;
198 | case 3:
199 | Caller = __builtin_return_address(3) ;
200 | break;
201 | case 4:
202 | Caller = __builtin_return_address(4) ;
203 | break;
204 | case 5:
205 | Caller = __builtin_return_address(5) ;
206 | break;
207 | case 6:
208 | Caller = __builtin_return_address(6) ;
209 | break;
210 | case 7:
211 | Caller = __builtin_return_address(7) ;
212 | break;
213 | case 8:
214 | Caller = __builtin_return_address(8) ;
215 | break;
216 | case 9:
217 | Caller = __builtin_return_address(9) ;
218 | break;
219 | case 10:
220 | Caller = __builtin_return_address(10) ;
221 | break;
222 | default:
223 | return FixCall(Caller);
224 | }
225 | ++i;
226 | }
227 |
228 | if (check_caller_address_in_module(Caller))
229 | {
230 | return NULL;
231 | }
232 | if (!IsInTextRange(Caller))
233 | {
234 | return NULL;
235 | }
236 | return FixCall(Caller);
237 | }
238 |
239 |
240 |
241 |
242 | {%- for hook in sigs if hook.is_hook and not hook.ignore: %}
243 |
244 | {%- endfor %}
245 |
246 | #endif
247 |
--------------------------------------------------------------------------------
/data/hook-info-header.jinja2:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_HOOK_INFO_H
20 | #define MONITOR_HOOK_INFO_H
21 |
22 | #include "flags.h"
23 |
24 | #define MONITOR_FIRSTHOOKIDX {{ first_hook }}
25 | #define MONITOR_HOOKCNT {{ sigs|rejectattr('ignore')|list|length }}
26 |
27 | typedef enum _signature_index_t {
28 | {%- for hook in sigs if not hook.ignore: %}
29 | SIG_{{ hook.signature.library }}_{{ hook.apiname }},
30 | {%- endfor %}
31 | } signature_index_t;
32 |
33 | #endif
34 |
--------------------------------------------------------------------------------
/data/is-success.conf:
--------------------------------------------------------------------------------
1 | BOOL = ret != FALSE
2 | HANDLE = ret != NULL && ret != INVALID_HANDLE_VALUE
3 | NTSTATUS = NT_SUCCESS(ret) != FALSE
4 | HRESULT = ret == S_OK
5 | HHOOK = ret != NULL
6 | HINTERNET = ret != NULL
7 | DNS_STATUS = ret == DNS_RCODE_NOERROR
8 | SC_HANDLE = ret != NULL
9 | void = 1
10 | HWND = ret != NULL
11 | SOCKET = ret != INVALID_SOCKET
12 | HRSRC = ret != NULL
13 | HGLOBAL = ret != NULL
14 | PCCERT_CONTEXT = ret != NULL
15 | HCERTSTORE = ret != NULL
16 | NET_API_STATUS = ret == NERR_Success
17 | SECURITY_STATUS = ret == SEC_E_OK
18 |
--------------------------------------------------------------------------------
/data/types.conf:
--------------------------------------------------------------------------------
1 | HANDLE = p
2 | PHANDLE = P
3 | HANDLE * = P
4 | POBJECT_ATTRIBUTES = x
5 | PLARGE_INTEGER = Q
6 | PULARGE_INTEGER = Q
7 | ULONG = i
8 | LPCSTR = s
9 | LPCTSTR = s
10 | LPWSTR = u
11 | LPCWSTR = u
12 | HCRYPTKEY = p
13 | HCRYPTHASH = p
14 | BOOL = i
15 | DWORD = i
16 | int = i
17 | int * = I
18 | FILE_INFORMATION_CLASS = i
19 | SIZE_T = i
20 | ACCESS_MASK = x
21 | PANSI_STRING = o
22 | PVOID * = P
23 | HOOKPROC = p
24 | HINSTANCE = p
25 | HHOOK = p
26 | HMODULE = p
27 | WORD = i
28 | PWCHAR = u
29 | UINT = i
30 | PCWSTR = u
31 | PCSTR = s
32 | HINTERNET = p
33 | PWSTR = u
34 | INTERNET_PORT = i
35 | LPCVOID = p
36 | PVOID = p
37 | NTSTATUS = x
38 | PSIZE_T = L
39 | PULONG = I
40 | ULONG * = I
41 | LPVOID = p
42 | char * = s
43 | const char * = s
44 | SC_HANDLE = p
45 | HWND = p
46 | KEY_INFORMATION_CLASS = i
47 | KEY_VALUE_INFORMATION_CLASS = i
48 | HKEY = p
49 | REGSAM = x
50 | PHKEY = P
51 | LPDWORD = I
52 | LPTSTR = s
53 | u_long * = I
54 | SOCKET = i
55 | long = i
56 | BOOLEAN = i
57 | LPTHREAD_START_ROUTINE = p
58 | LONG = i
59 | FILE_INFO_BY_HANDLE_CLASS = i
60 | HRSRC = p
61 | EXTENDED_NAME_FORMAT = i
62 | PIO_STATUS_BLOCK = p
63 | REFCLSID = c
64 | HCRYPTPROV = p
65 | ALG_ID = x
66 | HCRYPTHASH * = P
67 | HCRYPTKEY * = P
68 | REFIID = c
69 | HMENU = p
70 | HCRYPTPROV * = P
71 | bson * = z
72 | USHORT = i
73 | HCERTSTORE = p
74 | LPSTR = s
75 | GET_FILEEX_INFO_LEVELS = i
76 | INTERNET_STATUS_CALLBACK = p
77 | const wchar_t * = u
78 | void ** = p
79 | uint32_t = i
80 | TASKDIALOG_COMMON_BUTTON_FLAGS = i
81 | void * = p
82 | const BSTR = t
83 | SECURITY_STATUS = i
84 | PCtxtHandle = p
85 | SYSTEM_INFORMATION_CLASS = i
86 | SHUTDOWN_ACTION = i
87 | uintptr_t = l
88 |
--------------------------------------------------------------------------------
/docs/compilation.rst:
--------------------------------------------------------------------------------
1 | Compilation
2 | ===========
3 |
4 | To compile the Monitor on a machine that has been :ref:`configured to feature
5 | all requirements ` all one has to do is run ``make``. The
6 | various :ref:`components` will be automatically processed and stitched
7 | together.
8 |
--------------------------------------------------------------------------------
/docs/index.rst:
--------------------------------------------------------------------------------
1 | .. monitor documentation master file, created by
2 | sphinx-quickstart on Tue Jul 22 13:59:34 2014.
3 | You can adapt this file completely to your liking, but it should at least
4 | contain the root `toctree` directive.
5 |
6 | ==========================================
7 | Welcome to Cuckoo Monitor's documentation!
8 | ==========================================
9 |
10 | The **Cuckoo Monitor** is the *new* user-mode monitor for `Cuckoo Sandbox
11 | `_. It has been rewritten from scratch with clean
12 | and easily extendable code in mind.
13 |
14 | This document is meant as a guide to start customizing the monitor to your
15 | own needs.
16 |
17 | Contents:
18 |
19 | .. toctree::
20 | :maxdepth: 2
21 |
22 | requirements
23 | compilation
24 | components
25 | hooks
26 | debug
27 |
28 |
29 | Indices and tables
30 | ==================
31 |
32 | * :ref:`genindex`
33 | * :ref:`modindex`
34 | * :ref:`search`
35 |
36 |
--------------------------------------------------------------------------------
/docs/requirements.rst:
--------------------------------------------------------------------------------
1 | .. _requirements:
2 |
3 | Requirements
4 | ============
5 |
6 | Building the Cuckoo Monitor is easiest on a Ubuntu machine. It should also
7 | be possible on other operating systems, but this has not been tested.
8 |
9 | Required packages
10 | =================
11 |
12 | To quickly get started the following commands will help setup all
13 | requirements.
14 |
15 | .. code-block:: bash
16 |
17 | sudo apt-get install mingw-w64 python-pip nasm
18 | sudo pip install sphinx docutils
19 |
--------------------------------------------------------------------------------
/flags/crypto.rst:
--------------------------------------------------------------------------------
1 | ALG_ID
2 | ======
3 |
4 | Value::
5 |
6 | CALG_MD2
7 | CALG_MD5
8 | CALG_SHA1
9 | CALG_MAC
10 | CALG_HMAC
11 | CALG_SSL3_SHAMD5
12 | CALG_RSA_SIGN
13 | CALG_RSA_KEYX
14 | CALG_RC2
15 | CALG_RC4
16 | CALG_DES
17 | CALG_3DES
18 | CALG_3DES_112
19 |
--------------------------------------------------------------------------------
/flags/generic.rst:
--------------------------------------------------------------------------------
1 | ACCESS_MASK
2 | ===========
3 |
4 | Enum::
5 |
6 | STANDARD_RIGHTS_ALL
7 | STANDARD_RIGHTS_REQUIRED
8 | DELETE
9 | READ_CONTROL
10 | WRITE_DAC
11 | WRITE_OWNER
12 | SYNCHRONIZE
13 | SPECIFIC_RIGHTS_ALL
14 | ACCESS_SYSTEM_SECURITY
15 | MAXIMUM_ALLOWED
16 | GENERIC_READ
17 | GENERIC_WRITE
18 | GENERIC_EXECUTE
19 | GENERIC_ALL
20 |
21 |
22 | PRIORITY_CLASS
23 | ==============
24 |
25 | Enum::
26 |
27 | ABOVE_NORMAL_PRIORITY_CLASS
28 | BELOW_NORMAL_PRIORITY_CLASS
29 | HIGH_PRIORITY_CLASS
30 | IDLE_PRIORITY_CLASS
31 | NORMAL_PRIORITY_CLASS
32 | REALTIME_PRIORITY_CLASS
33 |
--------------------------------------------------------------------------------
/flags/ioctl.rst:
--------------------------------------------------------------------------------
1 | IOCTL_CODES
2 | ===========
3 |
4 | Value::
5 |
6 | IOCTL_STORAGE_CHECK_VERIFY
7 | IOCTL_STORAGE_CHECK_VERIFY2
8 | IOCTL_STORAGE_MEDIA_REMOVAL
9 | IOCTL_STORAGE_EJECT_MEDIA
10 | IOCTL_STORAGE_LOAD_MEDIA
11 | IOCTL_STORAGE_LOAD_MEDIA2
12 | IOCTL_STORAGE_RESERVE
13 | IOCTL_STORAGE_RELEASE
14 | IOCTL_STORAGE_FIND_NEW_DEVICES
15 | IOCTL_STORAGE_EJECTION_CONTROL
16 | IOCTL_STORAGE_MCN_CONTROL
17 | IOCTL_STORAGE_GET_MEDIA_TYPES
18 | IOCTL_STORAGE_GET_MEDIA_TYPES_EX
19 | IOCTL_STORAGE_GET_MEDIA_SERIAL_NUMBER
20 | IOCTL_STORAGE_GET_HOTPLUG_INFO
21 | IOCTL_STORAGE_SET_HOTPLUG_INFO
22 | IOCTL_STORAGE_RESET_BUS
23 | IOCTL_STORAGE_RESET_DEVICE
24 | IOCTL_STORAGE_BREAK_RESERVATION
25 | IOCTL_STORAGE_GET_DEVICE_NUMBER
26 | IOCTL_STORAGE_PREDICT_FAILURE
27 | IOCTL_STORAGE_READ_CAPACITY
28 | IOCTL_DISK_GET_DRIVE_GEOMETRY
29 | IOCTL_DISK_GET_PARTITION_INFO
30 | IOCTL_DISK_SET_PARTITION_INFO
31 | IOCTL_DISK_GET_DRIVE_LAYOUT
32 | IOCTL_DISK_SET_DRIVE_LAYOUT
33 | IOCTL_DISK_VERIFY
34 | IOCTL_DISK_FORMAT_TRACKS
35 | IOCTL_DISK_REASSIGN_BLOCKS
36 | IOCTL_DISK_PERFORMANCE
37 | IOCTL_DISK_IS_WRITABLE
38 | IOCTL_DISK_LOGGING
39 | IOCTL_DISK_FORMAT_TRACKS_EX
40 | IOCTL_DISK_HISTOGRAM_STRUCTURE
41 | IOCTL_DISK_HISTOGRAM_DATA
42 | IOCTL_DISK_HISTOGRAM_RESET
43 | IOCTL_DISK_REQUEST_STRUCTURE
44 | IOCTL_DISK_REQUEST_DATA
45 | IOCTL_DISK_PERFORMANCE_OFF
46 | IOCTL_DISK_CONTROLLER_NUMBER
47 | IOCTL_DISK_GET_PARTITION_INFO_EX
48 | IOCTL_DISK_SET_PARTITION_INFO_EX
49 | IOCTL_DISK_GET_DRIVE_LAYOUT_EX
50 | IOCTL_DISK_SET_DRIVE_LAYOUT_EX
51 | IOCTL_DISK_CREATE_DISK
52 | IOCTL_DISK_GET_LENGTH_INFO
53 | IOCTL_DISK_GET_DRIVE_GEOMETRY_EX
54 | IOCTL_DISK_REASSIGN_BLOCKS_EX
55 | IOCTL_DISK_UPDATE_DRIVE_SIZE
56 | IOCTL_DISK_GROW_PARTITION
57 | IOCTL_DISK_GET_CACHE_INFORMATION
58 | IOCTL_DISK_SET_CACHE_INFORMATION
59 | IOCTL_DISK_DELETE_DRIVE_LAYOUT
60 | IOCTL_DISK_UPDATE_PROPERTIES
61 | IOCTL_DISK_RESET_SNAPSHOT_INFO
62 | IOCTL_DISK_FORMAT_DRIVE
63 | IOCTL_DISK_SENSE_DEVICE
64 | IOCTL_DISK_CHECK_VERIFY
65 | IOCTL_DISK_MEDIA_REMOVAL
66 | IOCTL_DISK_EJECT_MEDIA
67 | IOCTL_DISK_LOAD_MEDIA
68 | IOCTL_DISK_RESERVE
69 | IOCTL_DISK_RELEASE
70 | IOCTL_DISK_FIND_NEW_DEVICES
71 | IOCTL_DISK_GET_MEDIA_TYPES
72 |
73 | DeviceIoControl_dwIoControlCode
74 | ===============================
75 |
76 | Inherits::
77 |
78 | IOCTL_CODES
79 |
80 |
81 | NtDeviceIoControlFile_IoControlCode
82 | ===================================
83 |
84 | Inherits::
85 |
86 | IOCTL_CODES
87 |
--------------------------------------------------------------------------------
/flags/misc.rst:
--------------------------------------------------------------------------------
1 | GetSystemMetrics_nIndex
2 | =======================
3 |
4 | Value::
5 |
6 | SM_CXSCREEN
7 | SM_CYSCREEN
8 | SM_CXVSCROLL
9 | SM_CYHSCROLL
10 | SM_CYCAPTION
11 | SM_CXBORDER
12 | SM_CYBORDER
13 | SM_CXDLGFRAME
14 | SM_CYDLGFRAME
15 | SM_CYVTHUMB
16 | SM_CXHTHUMB
17 | SM_CXICON
18 | SM_CYICON
19 | SM_CXCURSOR
20 | SM_CYCURSOR
21 | SM_CYMENU
22 | SM_CXFULLSCREEN
23 | SM_CYFULLSCREEN
24 | SM_CYKANJIWINDOW
25 | SM_MOUSEPRESENT
26 | SM_CYVSCROLL
27 | SM_CXHSCROLL
28 | SM_DEBUG
29 | SM_SWAPBUTTON
30 | SM_RESERVED1
31 | SM_RESERVED2
32 | SM_RESERVED3
33 | SM_RESERVED4
34 | SM_CXMIN
35 | SM_CYMIN
36 | SM_CXSIZE
37 | SM_CYSIZE
38 | SM_CXFRAME
39 | SM_CYFRAME
40 | SM_CXMINTRACK
41 | SM_CYMINTRACK
42 | SM_CXDOUBLECLK
43 | SM_CYDOUBLECLK
44 | SM_CXICONSPACING
45 | SM_CYICONSPACING
46 | SM_MENUDROPALIGNMENT
47 | SM_PENWINDOWS
48 | SM_DBCSENABLED
49 | SM_CMOUSEBUTTONS
50 | SM_SECURE
51 | SM_CXEDGE
52 | SM_CYEDGE
53 | SM_CXMINSPACING
54 | SM_CYMINSPACING
55 | SM_CXSMICON
56 | SM_CYSMICON
57 | SM_CYSMCAPTION
58 | SM_CXSMSIZE
59 | SM_CYSMSIZE
60 | SM_CXMENUSIZE
61 | SM_CYMENUSIZE
62 | SM_ARRANGE
63 | SM_CXMINIMIZED
64 | SM_CYMINIMIZED
65 | SM_CXMAXTRACK
66 | SM_CYMAXTRACK
67 | SM_CXMAXIMIZED
68 | SM_CYMAXIMIZED
69 | SM_NETWORK
70 | SM_CLEANBOOT
71 | SM_CXDRAG
72 | SM_CYDRAG
73 | SM_SHOWSOUNDS
74 | SM_CXMENUCHECK
75 | SM_CYMENUCHECK
76 | SM_SLOWMACHINE
77 | SM_MIDEASTENABLED
78 | SM_MOUSEWHEELPRESENT
79 | SM_XVIRTUALSCREEN
80 | SM_YVIRTUALSCREEN
81 | SM_CXVIRTUALSCREEN
82 | SM_CYVIRTUALSCREEN
83 | SM_CMONITORS
84 | SM_SAMEDISPLAYFORMAT
85 | SM_IMMENABLED
86 | SM_CXFOCUSBORDER
87 | SM_CYFOCUSBORDER
88 | SM_TABLETPC
89 | SM_MEDIACENTER
90 | SM_STARTER
91 | SM_SERVERR2
92 | SM_REMOTESESSION
93 | SM_SHUTTINGDOWN
94 | SM_REMOTECONTROL
95 | SM_CARETBLINKINGENABLED
96 |
97 |
98 | TaskDialog_dwCommonButtons
99 | ==========================
100 |
101 | Enum::
102 |
103 | TDCBF_OK_BUTTON
104 | TDCBF_YES_BUTTON
105 | TDCBF_NO_BUTTON
106 | TDCBF_CANCEL_BUTTON
107 | TDCBF_RETRY_BUTTON
108 | TDCBF_CLOSE_BUTTON
109 |
110 |
111 | RegisterHotKey_fsModifiers
112 | ==========================
113 |
114 | Enum::
115 |
116 | MOD_ALT
117 | MOD_CONTROL
118 | MOD_NOREPEAT
119 | MOD_SHIFT
120 | MOD_WIN
121 |
--------------------------------------------------------------------------------
/flags/network.rst:
--------------------------------------------------------------------------------
1 | InternetQueryOptions
2 | ====================
3 |
4 | Value::
5 |
6 | INTERNET_OPTION_CALLBACK
7 | INTERNET_OPTION_CONNECT_TIMEOUT
8 | INTERNET_OPTION_CONNECT_RETRIES
9 | INTERNET_OPTION_CONNECT_BACKOFF
10 | INTERNET_OPTION_SEND_TIMEOUT
11 | INTERNET_OPTION_CONTROL_SEND_TIMEOUT
12 | INTERNET_OPTION_RECEIVE_TIMEOUT
13 | INTERNET_OPTION_CONTROL_RECEIVE_TIMEOUT
14 | INTERNET_OPTION_DATA_SEND_TIMEOUT
15 | INTERNET_OPTION_DATA_RECEIVE_TIMEOUT
16 | INTERNET_OPTION_HANDLE_TYPE
17 | INTERNET_OPTION_LISTEN_TIMEOUT
18 | INTERNET_OPTION_READ_BUFFER_SIZE
19 | INTERNET_OPTION_WRITE_BUFFER_SIZE
20 | INTERNET_OPTION_ASYNC_ID
21 | INTERNET_OPTION_ASYNC_PRIORITY
22 | INTERNET_OPTION_PARENT_HANDLE
23 | INTERNET_OPTION_KEEP_CONNECTION
24 | INTERNET_OPTION_REQUEST_FLAGS
25 | INTERNET_OPTION_EXTENDED_ERROR
26 | INTERNET_OPTION_OFFLINE_MODE
27 | INTERNET_OPTION_CACHE_STREAM_HANDLE
28 | INTERNET_OPTION_USERNAME
29 | INTERNET_OPTION_PASSWORD
30 | INTERNET_OPTION_ASYNC
31 | INTERNET_OPTION_SECURITY_FLAGS
32 | INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT
33 | INTERNET_OPTION_DATAFILE_NAME
34 | INTERNET_OPTION_URL
35 | INTERNET_OPTION_SECURITY_CERTIFICATE
36 | INTERNET_OPTION_SECURITY_KEY_BITNESS
37 | INTERNET_OPTION_REFRESH
38 | INTERNET_OPTION_PROXY
39 | INTERNET_OPTION_SETTINGS_CHANGED
40 | INTERNET_OPTION_VERSION
41 | INTERNET_OPTION_USER_AGENT
42 | INTERNET_OPTION_END_BROWSER_SESSION
43 | INTERNET_OPTION_PROXY_USERNAME
44 | INTERNET_OPTION_PROXY_PASSWORD
45 | INTERNET_OPTION_CONTEXT_VALUE
46 | INTERNET_OPTION_CONNECT_LIMIT
47 | INTERNET_OPTION_SECURITY_SELECT_CLIENT_CERT
48 | INTERNET_OPTION_POLICY
49 | INTERNET_OPTION_DISCONNECTED_TIMEOUT
50 | INTERNET_OPTION_CONNECTED_STATE
51 | INTERNET_OPTION_IDLE_STATE
52 | INTERNET_OPTION_OFFLINE_SEMANTICS
53 | INTERNET_OPTION_SECONDARY_CACHE_KEY
54 | INTERNET_OPTION_CALLBACK_FILTER
55 | INTERNET_OPTION_CONNECT_TIME
56 | INTERNET_OPTION_SEND_THROUGHPUT
57 | INTERNET_OPTION_RECEIVE_THROUGHPUT
58 | INTERNET_OPTION_REQUEST_PRIORITY
59 | INTERNET_OPTION_HTTP_VERSION
60 | INTERNET_OPTION_RESET_URLCACHE_SESSION
61 | INTERNET_OPTION_ERROR_MASK
62 | INTERNET_OPTION_FROM_CACHE_TIMEOUT
63 | INTERNET_OPTION_BYPASS_EDITED_ENTRY
64 | INTERNET_OPTION_DIAGNOSTIC_SOCKET_INFO
65 | INTERNET_OPTION_CODEPAGE
66 | INTERNET_OPTION_CACHE_TIMESTAMPS
67 | INTERNET_OPTION_DISABLE_AUTODIAL
68 | INTERNET_OPTION_MAX_CONNS_PER_SERVER
69 | INTERNET_OPTION_MAX_CONNS_PER_1_0_SERVER
70 | INTERNET_OPTION_PER_CONNECTION_OPTION
71 | INTERNET_OPTION_DIGEST_AUTH_UNLOAD
72 | INTERNET_OPTION_IGNORE_OFFLINE
73 | INTERNET_OPTION_IDENTITY
74 | INTERNET_OPTION_REMOVE_IDENTITY
75 | INTERNET_OPTION_ALTER_IDENTITY
76 | INTERNET_OPTION_SUPPRESS_BEHAVIOR
77 | INTERNET_OPTION_AUTODIAL_MODE
78 | INTERNET_OPTION_AUTODIAL_CONNECTION
79 | INTERNET_OPTION_CLIENT_CERT_CONTEXT
80 | INTERNET_OPTION_AUTH_FLAGS
81 | INTERNET_OPTION_COOKIES_3RD_PARTY
82 | INTERNET_OPTION_DISABLE_PASSPORT_AUTH
83 | INTERNET_OPTION_SEND_UTF8_SERVERNAME_TO_PROXY
84 | INTERNET_OPTION_EXEMPT_CONNECTION_LIMIT
85 | INTERNET_OPTION_ENABLE_PASSPORT_AUTH
86 | INTERNET_OPTION_HIBERNATE_INACTIVE_WORKER_THREADS
87 | INTERNET_OPTION_ACTIVATE_WORKER_THREADS
88 | INTERNET_OPTION_RESTORE_WORKER_THREAD_DEFAULTS
89 | INTERNET_OPTION_SOCKET_SEND_BUFFER_LENGTH
90 | INTERNET_OPTION_PROXY_SETTINGS_CHANGED
91 | INTERNET_OPTION_DATAFILE_EXT
92 |
93 |
94 | InternetQueryOptionA_dwOption
95 | =============================
96 |
97 | Inherits::
98 |
99 | InternetQueryOptions
100 |
101 |
102 | InternetSetOptionA_dwOption
103 | ===========================
104 |
105 | Inherits::
106 |
107 | InternetQueryOptions
108 |
109 |
110 | ioctlsocket_cmd
111 | ===============
112 |
113 | Value::
114 |
115 | FIONREAD
116 | FIONBIO
117 | FIOASYNC
118 | SIOCSHIWAT
119 | SIOCGHIWAT
120 | SIOCSLOWAT
121 | SIOCGLOWAT
122 | SIOCATMARK
123 |
--------------------------------------------------------------------------------
/flags/process.rst:
--------------------------------------------------------------------------------
1 | CreateProcessInternalW_creation_flags
2 | =====================================
3 |
4 | Inherits::
5 |
6 | PRIORITY_CLASS
7 |
8 | Enum::
9 |
10 | CREATE_BREAKAWAY_FROM_JOB
11 | CREATE_DEFAULT_ERROR_MODE
12 | CREATE_NEW_CONSOLE
13 | CREATE_NEW_PROCESS_GROUP
14 | CREATE_NO_WINDOW
15 | CREATE_PROTECTED_PROCESS
16 | CREATE_PRESERVE_CODE_AUTHZ_LEVEL
17 | CREATE_SEPARATE_WOW_VDM
18 | CREATE_SHARED_WOW_VDM
19 | CREATE_SUSPENDED
20 | CREATE_UNICODE_ENVIRONMENT
21 | DEBUG_ONLY_THIS_PROCESS
22 | DEBUG_PROCESS
23 | DETACHED_PROCESS
24 | EXTENDED_STARTUPINFO_PRESENT
25 | INHERIT_PARENT_AFFINITY
26 |
27 |
28 | MemoryProtectionFlags
29 | =====================
30 |
31 | Enum::
32 |
33 | PAGE_EXECUTE
34 | PAGE_EXECUTE_READ
35 | PAGE_EXECUTE_READWRITE
36 | PAGE_EXECUTE_WRITECOPY
37 | PAGE_NOACCESS
38 | PAGE_READONLY
39 | PAGE_READWRITE
40 | PAGE_WRITECOPY
41 | PAGE_GUARD
42 | PAGE_NOCACHE
43 | PAGE_WRITECOMBINE
44 |
45 |
46 | VirtualProtectEx_flNewProtect
47 | =============================
48 |
49 | Inherits::
50 |
51 | MemoryProtectionFlags
52 |
53 |
54 | NtProtectVirtualMemory_NewAccessProtection
55 | ==========================================
56 |
57 | Inherits::
58 |
59 | MemoryProtectionFlags
60 |
61 |
62 | NtAllocateVirtualMemory_Protect
63 | ===============================
64 |
65 | Inherits::
66 |
67 | MemoryProtectionFlags
68 |
69 |
70 | NtMapViewOfSection_Win32Protect
71 | ===============================
72 |
73 | Inherits::
74 |
75 | MemoryProtectionFlags
76 |
77 |
78 | AllocationType
79 | ==============
80 |
81 | Enum::
82 |
83 | MEM_COMMIT
84 | MEM_RESERVE
85 | MEM_RESET
86 | MEM_LARGE_PAGES
87 | MEM_PHYSICAL
88 | MEM_TOP_DOWN
89 | MEM_WRITE_WATCH
90 |
91 |
92 | NtAllocateVirtualMemory_AllocationType
93 | ======================================
94 |
95 | Inherits::
96 |
97 | AllocationType
98 |
99 |
100 | NtMapViewOfSection_AllocationType
101 | =================================
102 |
103 | Inherits::
104 |
105 | AllocationType
106 |
--------------------------------------------------------------------------------
/flags/registry.rst:
--------------------------------------------------------------------------------
1 | KEY_INFORMATION_CLASS
2 | =====================
3 |
4 | Value::
5 |
6 | KeyBasicInformation
7 | KeyNodeInformation
8 | KeyFullInformation
9 | KeyNameInformation
10 | KeyCachedInformation
11 | KeyFlagsInformation
12 | KeyVirtualizationInformation
13 | KeyHandleTagsInformation
14 |
15 |
16 | KEY_VALUE_INFORMATION_CLASS
17 | ===========================
18 |
19 | Value::
20 |
21 | KeyValueBasicInformation
22 | KeyValueFullInformation
23 | KeyValuePartialInformation
24 | KeyValueFullInformationAlign64
25 | KeyValuePartialInformationAlign64
26 | MaxKeyValueInfoClass
27 |
28 |
29 | REGISTRY_VALUE_TYPE
30 | ===================
31 |
32 | Value::
33 |
34 | REG_NONE
35 | REG_SZ
36 | REG_EXPAND_SZ
37 | REG_BINARY
38 | REG_DWORD
39 | REG_DWORD_BIG_ENDIAN
40 | REG_LINK
41 | REG_MULTI_SZ
42 | REG_RESOURCE_LIST
43 | REG_FULL_RESOURCE_DESCRIPTOR
44 | REG_RESOURCE_REQUIREMENTS_LIST
45 | REG_QWORD
46 |
47 |
48 | RegEnumValueA_lpType
49 | ====================
50 |
51 | Inherits::
52 |
53 | REGISTRY_VALUE_TYPE
54 |
55 |
56 | RegEnumValueW_lpType
57 | ====================
58 |
59 | Inherits::
60 |
61 | REGISTRY_VALUE_TYPE
62 |
63 |
64 | RegSetValueExA_dwType
65 | =====================
66 |
67 | Inherits::
68 |
69 | REGISTRY_VALUE_TYPE
70 |
71 |
72 | RegSetValueExW_dwType
73 | =====================
74 |
75 | Inherits::
76 |
77 | REGISTRY_VALUE_TYPE
78 |
79 |
80 | RegQueryValueExA_lpType
81 | =======================
82 |
83 | Inherits::
84 |
85 | REGISTRY_VALUE_TYPE
86 |
87 |
88 | RegQueryValueExW_lpType
89 | =======================
90 |
91 | Inherits::
92 |
93 | REGISTRY_VALUE_TYPE
94 |
95 |
96 | NtEnumerateValueKey_reg_type
97 | ============================
98 |
99 | Inherits::
100 |
101 | REGISTRY_VALUE_TYPE
102 |
103 |
104 | NtSetValueKey_Type
105 | ==================
106 |
107 | Inherits::
108 |
109 | REGISTRY_VALUE_TYPE
110 |
111 |
112 | NtQueryValueKey_reg_type
113 | ========================
114 |
115 | Inherits::
116 |
117 | REGISTRY_VALUE_TYPE
118 |
--------------------------------------------------------------------------------
/flags/ui.rst:
--------------------------------------------------------------------------------
1 | ExtendedWindowStyles
2 | ====================
3 |
4 | Value::
5 |
6 | WS_EX_OVERLAPPEDWINDOW
7 | WS_EX_PALETTEWINDOW
8 |
9 | Enum::
10 |
11 | WS_EX_DLGMODALFRAME
12 | WS_EX_NOPARENTNOTIFY
13 | WS_EX_TOPMOST
14 | WS_EX_ACCEPTFILES
15 | WS_EX_TRANSPARENT
16 | WS_EX_MDICHILD
17 | WS_EX_TOOLWINDOW
18 | WS_EX_WINDOWEDGE
19 | WS_EX_CLIENTEDGE
20 | WS_EX_CONTEXTHELP
21 | WS_EX_RIGHT
22 | WS_EX_LEFT
23 | WS_EX_RTLREADING
24 | WS_EX_LTRREADING
25 | WS_EX_LEFTSCROLLBAR
26 | WS_EX_RIGHTSCROLLBAR
27 | WS_EX_CONTROLPARENT
28 | WS_EX_STATICEDGE
29 | WS_EX_APPWINDOW
30 | WS_EX_LAYERED
31 | WS_EX_NOINHERITLAYOUT
32 | WS_EX_LAYOUTRTL
33 | WS_EX_COMPOSITED
34 | WS_EX_NOACTIVATE
35 |
36 |
37 | CreateWindowExA_dwExStyle
38 | =========================
39 |
40 | Inherits::
41 |
42 | ExtendedWindowStyles
43 |
44 |
45 | CreateWindowExW_dwExStyle
46 | =========================
47 |
48 | Inherits::
49 |
50 | ExtendedWindowStyles
51 |
52 |
53 | WindowStyles
54 | ============
55 |
56 | Value::
57 |
58 | WS_OVERLAPPEDWINDOW
59 | WS_POPUPWINDOW
60 |
61 | Enum::
62 |
63 | WS_OVERLAPPED
64 | WS_POPUP
65 | WS_CHILD
66 | WS_MINIMIZE
67 | WS_VISIBLE
68 | WS_DISABLED
69 | WS_CLIPSIBLINGS
70 | WS_CLIPCHILDREN
71 | WS_MAXIMIZE
72 | WS_CAPTION
73 | WS_BORDER
74 | WS_DLGFRAME
75 | WS_VSCROLL
76 | WS_HSCROLL
77 | WS_SYSMENU
78 | WS_THICKFRAME
79 | WS_GROUP
80 | WS_TABSTOP
81 | WS_MINIMIZEBOX
82 | WS_MAXIMIZEBOX
83 |
84 |
85 | CreateWindowExA_dwStyle
86 | =======================
87 |
88 | Inherits::
89 |
90 | WindowStyles
91 |
92 |
93 | CreateWindowExW_dwStyle
94 | =======================
95 |
96 | Inherits::
97 |
98 | WindowStyles
99 |
--------------------------------------------------------------------------------
/inc/assembly.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_ASSEMBLY_H
20 | #define MONITOR_ASSEMBLY_H
21 |
22 | #include
23 |
24 | #if __x86_64__
25 |
26 | #define ASM_MOVE_REGIMM_SIZE (ASM_PUSH_SIZE+2)
27 | #define ASM_PUSH_SIZE 13
28 | #define ASM_JREGZ 5
29 | #define ASM_JUMP_SIZE 14
30 |
31 | typedef enum _register_t {
32 | R_RAX, R_RCX, R_RDX, R_RBX, R_RSP, R_RBP, R_RSI, R_RDI,
33 | R_R8, R_R9, R_R10, R_R11, R_R12, R_R13, R_R14, R_R15,
34 | } register_t;
35 |
36 | #else
37 |
38 | #define ASM_MOVE_REGIMM_SIZE 5
39 | #define ASM_PUSH_SIZE 5
40 | #define ASM_JREGZ 4
41 | #define ASM_JUMP_SIZE 6
42 |
43 | typedef enum _register_t {
44 | R_EAX, R_ECX, R_EDX, R_EBX, R_ESP, R_EBP, R_ESI, R_EDI,
45 | } register_t;
46 |
47 | #endif
48 |
49 | #define ASM_ADD_REGIMM_SIZE 7
50 | #define ASM_CALL_SIZE (ASM_MOVE_REGIMM_SIZE+2)
51 | #define ASM_RETURN_SIZE 3
52 |
53 | #if DEBUG && !__x86_64__
54 | #define ASM_JUMP_32BIT_SIZE 6
55 | #else
56 | #define ASM_JUMP_32BIT_SIZE 5
57 | #endif
58 |
59 | int asm_move_regimm(uint8_t *stub, register_t reg, uintptr_t value);
60 | int asm_push(uint8_t *stub, uintptr_t value);
61 | int asm_jregz(uint8_t *stub, register_t reg, int8_t offset);
62 | int asm_jump_32bit(uint8_t *stub, const void *addr);
63 | int asm_add_regimm(uint8_t *stub, register_t reg, uint32_t value);
64 | int asm_jump(uint8_t *stub, const void *addr);
65 | int asm_call(uint8_t *stub, const void *addr);
66 | int asm_return(uint8_t *stub, uint16_t value);
67 |
68 | static inline int asm_move_regimmv(uint8_t *stub,
69 | register_t reg, const void *value)
70 | {
71 | return asm_move_regimm(stub, reg, (uintptr_t) value);
72 | }
73 |
74 | static inline int asm_pushv(uint8_t *stub, const void *value)
75 | {
76 | return asm_push(stub, (uintptr_t) value);
77 | }
78 |
79 | uint8_t *asm_get_rel_jump_target(uint8_t *addr);
80 | uint8_t *asm_get_rel_call_target(uint8_t *addr);
81 | uint8_t *asm_get_call_target(uint8_t *addr);
82 |
83 | int asm_is_call_function(uint8_t *addr,
84 | const wchar_t *library, const char *funcname);
85 | int asm_is_abs_call(uint8_t *addr);
86 |
87 | #endif
88 |
--------------------------------------------------------------------------------
/inc/config.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_CONFIG_H
20 | #define MONITOR_CONFIG_H
21 |
22 | #include
23 | #include
24 |
25 | typedef struct _config_t {
26 | // Pipe name to communicate with Cuckoo.
27 | char pipe_name[MAX_PATH];
28 |
29 | // Log pipe name to write bson logs to.
30 | char logpipe[MAX_PATH];
31 |
32 | // If this mutex exists then the Virtual Machine is shutting down.
33 | char shutdown_mutex[MAX_PATH];
34 |
35 | // Whether this is the first process.
36 | int first_process;
37 |
38 | // Randomized amount of milliseconds since startup.
39 | uint32_t startup_time;
40 | uint32_t force_sleep_skip;
41 |
42 | // Path to non-interesting hashes.
43 | char hashes_path[MAX_PATH];
44 |
45 | // Enable diffing logging - this is disabled by default.
46 | int diffing_enable;
47 |
48 | // Whether this pid should be monitored for in the analyzer.
49 | int track;
50 |
51 | // Monitoring mode.
52 | int mode;
53 |
54 | // Disguise the VM in an attempt to fool samples into thinking it's a
55 | // real machine?
56 | int disguise;
57 |
58 | // If we should prepend each pipe message with our pid (requires the
59 | // latest version on the Analyzer side).
60 | int pipe_pid;
61 | } config_t;
62 |
63 | void config_read(config_t *cfg);
64 |
65 | #endif
66 |
--------------------------------------------------------------------------------
/inc/diffing.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_DIFFING_H
20 | #define MONITOR_DIFFING_H
21 |
22 | #include
23 |
24 | //
25 | // Diffing API
26 | //
27 | // The following Format Specifiers are available:
28 | // s -> (char *) -> zero-terminated ascii string
29 | // S -> (int, char *) -> ascii string with length
30 | // u -> (wchar_t *) -> zero-terminated unicode string
31 | // U -> (int, wchar_t *) -> unicode string with length
32 | // i -> (int) -> 32-bit integer
33 | // I -> (int *) -> pointer to a 32-bit integer
34 | // l -> (int) -> 32-bit integer
35 | // L -> (int *) -> pointer to a 32-bit integer
36 | // p -> (void *) -> pointer
37 | // P -> (void **) -> pointer to a pointer
38 | // b -> (int, void *) -> buffer with length
39 | // h -> (HANDLE) -> object handle to be checked against ignored object list
40 | //
41 |
42 | void diffing_init(const char *path, int enable);
43 | uint64_t call_hash(const char *fmt, ...);
44 | int is_interesting_hash(uint64_t hash);
45 |
46 | #endif
47 |
--------------------------------------------------------------------------------
/inc/hashtable.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_HASHTABLE_H
20 | #define MONITOR_HASHTABLE_H
21 |
22 | #include
23 |
24 | typedef struct _ht_entry_t {
25 | uint64_t hash;
26 | uint32_t length;
27 | uint8_t data[0];
28 | } ht_entry_t;
29 |
30 | typedef struct _ht_t {
31 | ht_entry_t *table;
32 | uint32_t data_length;
33 | uint32_t size_index;
34 | uint64_t size;
35 | uint64_t rehash;
36 | uint64_t max_entries;
37 | uint64_t entries;
38 | uint64_t deleted_entries;
39 | } ht_t;
40 |
41 | void ht_init(ht_t *ht, uint32_t data_length);
42 | void ht_free(ht_t *ht);
43 | int ht_next_key(const ht_t *ht, uint32_t *index, uint64_t *hash);
44 | void *ht_lookup(const ht_t *ht, uint64_t hash, uint32_t *length);
45 | int ht_contains(const ht_t *ht, uint64_t hash);
46 | int ht_insert(ht_t *ht, uint64_t hash, void *data);
47 | int ht_insert2(ht_t *ht, uint64_t hash, void *data, uint32_t length);
48 | void ht_remove(ht_t *ht, uint64_t hash);
49 |
50 | uint64_t hash_str(const void *s);
51 | uint64_t hash_mem(const void *s, uint32_t length);
52 |
53 | #endif
54 |
--------------------------------------------------------------------------------
/inc/hooking.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_HOOKING_H
20 | #define MONITOR_HOOKING_H
21 |
22 | #include
23 | #include
24 | #include "monitor.h"
25 |
26 | #define RETADDRCNT 64
27 |
28 | #define HOOK_PRUNE_RESOLVERR 1
29 |
30 | #define HOOK_MODE_ALL 0
31 | #define HOOK_MODE_DUMPTLS 1
32 | #define HOOK_MODE_IEXPLORE 2
33 | #define HOOK_MODE_EXPLOIT 4
34 |
35 | typedef struct _hook_t {
36 | // Library and function name.
37 | const char *library;
38 | const char *funcname;
39 |
40 | // Hook handler.
41 | FARPROC handler;
42 |
43 | // Callback to the original function.
44 | FARPROC *orig;
45 |
46 | // Is this a "special" hook?
47 | int special;
48 |
49 | // Various flags on limiting the amount of non-critical errors shown
50 | // related to API hooks.
51 | int report;
52 |
53 | // Mode indicating in which monitor modes this hook should be enabled.
54 | int mode;
55 |
56 | // Special address resolve callback for this function hook. It is called
57 | // in order to resolve the address of the function to be hooked.
58 | uint8_t *(*addrcb)(struct _hook_t *h,
59 | uint8_t *module_address, uint32_t module_size);
60 |
61 | // Special initialization callback for this function hook. It is called
62 | // right after the hooking has successfully taken place.
63 | void (*initcb)(struct _hook_t *h);
64 |
65 | // Address of the module.
66 | void *module_handle;
67 |
68 | // Address of the hooked function.
69 | uint8_t *addr;
70 |
71 | // Amount of bytes to skip before placing the hook. I.e., hook
72 | // at addr+skip instead of addr.
73 | uint32_t skip;
74 |
75 | // Total size used to create our stub off.
76 | int32_t stub_used;
77 |
78 | // Is this function already hooked?
79 | uint32_t is_hooked;
80 |
81 | // Stub for calling the original function.
82 | uint8_t *func_stub;
83 | } hook_t;
84 |
85 | // Hook initialization part one and two. One should be called before having
86 | // initialized the native functionality for memory allocation, two afterwards.
87 | int hook_init(HMODULE module_handle);
88 | int hook_init2();
89 |
90 | int lde(const void *addr);
91 |
92 | int hook_in_monitor();
93 |
94 | int hook(hook_t *h, void *module_handle);
95 | int hook_missing_hooks(HMODULE module_handle);
96 |
97 | #define DISASM_BUFSIZ 128
98 |
99 | int disasm(const void *addr, char *str);
100 |
101 | hook_t *sig_hooks();
102 | uint32_t sig_hook_count();
103 |
104 | void hook_initcb_LdrLoadDll(hook_t *h);
105 |
106 | uint8_t *hook_addrcb_RtlDispatchException(hook_t *h,
107 | uint8_t *module_address, uint32_t module_size);
108 | uint8_t *hook_addrcb_COleScript_Compile(hook_t *h,
109 | uint8_t *module_address, uint32_t module_size);
110 | uint8_t *hook_addrcb_CDocument_write(hook_t *h,
111 | uint8_t *module_address, uint32_t module_size);
112 | uint8_t *hook_addrcb_CHyperlink_SetUrlComponent(hook_t *h,
113 | uint8_t *module_address, uint32_t module_size);
114 | uint8_t *hook_addrcb_CIFrameElement_CreateElement(hook_t *h,
115 | uint8_t *module_address, uint32_t module_size);
116 | uint8_t *hook_addrcb_CWindow_AddTimeoutCode(
117 | hook_t *h, uint8_t *module_address, uint32_t module_size);
118 | uint8_t *hook_addrcb_CScriptElement_put_src(
119 | hook_t *h, uint8_t *module_address, uint32_t module_size);
120 | uint8_t *hook_addrcb_CElement_put_innerHTML(
121 | hook_t *h, uint8_t *module_address, uint32_t module_size);
122 | uint8_t *hook_addrcb_PRF(
123 | hook_t *h, uint8_t *module_address, uint32_t module_size);
124 | uint8_t *hook_addrcb_Ssl3GenerateKeyMaterial(
125 | hook_t *h, uint8_t *module_address, uint32_t module_size);
126 | uint8_t *hook_addrcb_CImgElement_put_src(
127 | hook_t *h, uint8_t *module_address, uint32_t module_size);
128 | uint8_t *hook_addrcb_ActiveXObjectFncObj_Construct(
129 | hook_t *h, uint8_t *module_address, uint32_t module_size);
130 | uint8_t *hook_addrcb_IWbemServices_ExecQuery(
131 | hook_t *h, uint8_t *module_address, uint32_t module_size);
132 | uint8_t *hook_addrcb_IWbemServices_ExecQueryAsync(hook_t *h,
133 | uint8_t *module_address, uint32_t module_size);
134 |
135 | typedef void VAR;
136 |
137 | VAR *iexplore_var_getvalue(VAR *value, void *session);
138 |
139 | void ole_enable_hooks(REFCLSID refclsid);
140 |
141 | #endif
142 |
--------------------------------------------------------------------------------
/inc/ignore.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_IGNORE_H
20 | #define MONITOR_IGNORE_H
21 |
22 | #include
23 | #include "ntapi.h"
24 |
25 | void ignore_init();
26 |
27 | int is_ignored_filepath(const wchar_t *fname);
28 | int is_ignored_process();
29 |
30 | void ignored_object_add(HANDLE object_handle);
31 | void ignored_object_remove(HANDLE object_handle);
32 | int is_ignored_object_handle(HANDLE object_handle);
33 |
34 | int monitor_mode_should_propagate(const wchar_t *cmdline, uint32_t *mode);
35 |
36 | #endif
37 |
--------------------------------------------------------------------------------
/inc/log.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_LOG_H
20 | #define MONITOR_LOG_H
21 |
22 | #include
23 | #include
24 | #include "bson.h"
25 | #include "native.h"
26 |
27 | void log_init(const char *pipe_name, int track);
28 |
29 | void log_api(uint32_t index, int is_success, uintptr_t return_value,
30 | uint64_t hash, last_error_t *lasterr, ...);
31 |
32 | void log_intptr(bson *b, const char *idx, intptr_t value);
33 | void log_string(bson *b, const char *idx, const char *str, int length);
34 | void log_wstring(bson *b, const char *idx, const wchar_t *str, int length);
35 |
36 | void log_anomaly(const char *subcategory,
37 | const char *funcname, const char *msg);
38 |
39 | void log_exception(CONTEXT *ctx, EXCEPTION_RECORD *rec,
40 | uintptr_t *return_addresses, uint32_t count);
41 |
42 | void log_new_process();
43 | void WINAPI log_missing_hook(const char *funcname);
44 |
45 | void log_debug(const char *fmt, ...);
46 |
47 | // Remove log_debug() in release mode altogether.
48 | #if DEBUG == 0
49 | #define log_debug(fmt, ...) (void)0
50 | #endif
51 |
52 | // Following are function imports and declarations that are generated as part
53 | // of the automated code generation. However, as we don't want to recompile
54 | // everything every time this code is re-generated, we wrap its data in
55 | // functions which we reference here.
56 |
57 | typedef struct _flag_repr_t {
58 | uint32_t value;
59 | const char *repr;
60 | } flag_repr_t;
61 |
62 | const char *sig_flag_name(uint32_t sigidx, uint32_t flagidx);
63 | uint32_t sig_flag_value(uint32_t sigidx, uint32_t flagidx);
64 | const char *sig_apiname(uint32_t sigidx);
65 | const char *sig_category(uint32_t sigidx);
66 | const char *sig_paramtypes(uint32_t sigidx);
67 | const char *sig_param_name(uint32_t sigidx, uint32_t argidx);
68 | uint32_t sig_count();
69 | const flag_repr_t *flag_value(uint32_t flagidx);
70 | const flag_repr_t *flag_bitmask(uint32_t flagidx);
71 |
72 | uint32_t sig_index_process();
73 | uint32_t sig_index_anomaly();
74 | uint32_t sig_index_exception();
75 | uint32_t sig_index_missing();
76 |
77 | #endif
78 |
--------------------------------------------------------------------------------
/inc/memory.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_MEMORY_H
20 | #define MONITOR_MEMORY_H
21 |
22 | #include
23 | #include
24 |
25 | typedef struct _array_t {
26 | uint32_t length;
27 | void **elements;
28 | CRITICAL_SECTION cs;
29 | } array_t;
30 |
31 | typedef struct _slab_t {
32 | array_t array;
33 | uint32_t size;
34 | uint32_t count;
35 |
36 | uint32_t offset;
37 | uint32_t length;
38 | uint32_t memprot;
39 | } slab_t;
40 |
41 | uintptr_t roundup2(uintptr_t value);
42 | uintptr_t mem_suggested_size(uintptr_t size);
43 |
44 | void mem_init();
45 | void *mem_alloc(uint32_t length);
46 | void *mem_realloc(void *ptr, uint32_t length);
47 | void mem_free(void *ptr);
48 |
49 | void array_init(array_t *array);
50 | int array_set(array_t *array, uintptr_t index, void *value);
51 | void *array_get(array_t *array, uintptr_t index);
52 | int array_unset(array_t *array, uintptr_t index);
53 |
54 | static inline int array_seti(array_t *array, uintptr_t index, uintptr_t value)
55 | {
56 | return array_set(array, index, (void *) value);
57 | }
58 |
59 | static inline uintptr_t array_geti(array_t *array, uintptr_t index)
60 | {
61 | return (uintptr_t) array_get(array, index);
62 | }
63 |
64 | void slab_init(slab_t *slab, uint32_t size, uint32_t count,
65 | uint32_t memory_protection);
66 | void *slab_getmem(slab_t *slab);
67 | uint32_t slab_size(const slab_t *slab);
68 |
69 | #endif
70 |
--------------------------------------------------------------------------------
/inc/misc2.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_MISC2_H
20 | #define MONITOR_MISC2_H
21 |
22 | #include
23 | #include
24 | #include
25 |
26 | void wsabuf_get_buffer(uint32_t buffer_count, const WSABUF *buffers,
27 | uint8_t **ptr, uintptr_t *length);
28 |
29 | void secbuf_get_buffer(uint32_t buffer_count, SecBuffer *buffers,
30 | uint8_t **ptr, uintptr_t *length);
31 |
32 | #endif
33 |
--------------------------------------------------------------------------------
/inc/monitor.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_MONITOR_H
20 | #define MONITOR_MONITOR_H
21 |
22 | #include
23 | #include
24 |
25 | void monitor_init(HMODULE module_handle);
26 | void monitor_hook(const char *library, void *module_handle);
27 | void monitor_unhook(const char *library, void *module_handle);
28 |
29 | extern uint32_t g_monitor_mode;
30 |
31 | #endif
32 |
--------------------------------------------------------------------------------
/inc/native.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_NATIVE_H
20 | #define MONITOR_NATIVE_H
21 |
22 | #include
23 | #include
24 | #include "ntapi.h"
25 |
26 | typedef struct _last_error_t {
27 | uint32_t nt_status;
28 | uint32_t lasterror;
29 | } last_error_t;
30 |
31 | #if __x86_64__
32 | #define MEMORY_BASIC_INFORMATION_CROSS MEMORY_BASIC_INFORMATION64
33 | #else
34 | #define MEMORY_BASIC_INFORMATION_CROSS MEMORY_BASIC_INFORMATION
35 | #endif
36 |
37 | int native_init();
38 |
39 | int virtual_query_ex(HANDLE process_handle, const void *addr,
40 | MEMORY_BASIC_INFORMATION_CROSS *mbi);
41 |
42 | int virtual_query(const void *addr, MEMORY_BASIC_INFORMATION_CROSS *mbi);
43 |
44 | void *virtual_alloc_ex(HANDLE process_handle, void *addr,
45 | uintptr_t size, uint32_t allocation_type, uint32_t protection);
46 |
47 | void *virtual_alloc(void *addr, uintptr_t size,
48 | uint32_t allocation_type, uint32_t protection);
49 |
50 | void *virtual_alloc_rw(void *addr, uintptr_t size);
51 |
52 | int virtual_free_ex(HANDLE process_handle, const void *addr, uintptr_t size,
53 | uint32_t free_type);
54 |
55 | int virtual_free(const void *addr, uintptr_t size, uint32_t free_type);
56 |
57 | NTSTATUS virtual_protect_ex(HANDLE process_handle, const void *addr,
58 | uintptr_t size, uint32_t protection);
59 |
60 | NTSTATUS virtual_protect(const void *addr, uintptr_t size,
61 | uint32_t protection);
62 |
63 | uint32_t query_information_process(HANDLE process_handle,
64 | uint32_t information_class, void *buf, uint32_t length);
65 |
66 | uint32_t query_information_thread(HANDLE process_handle,
67 | uint32_t information_class, void *buf, uint32_t length);
68 |
69 | NTSTATUS virtual_read_ex(HANDLE process_handle, void *addr,
70 | void *buffer, uintptr_t *size);
71 | NTSTATUS virtual_read(void *addr, void *buffer, uintptr_t *size);
72 |
73 | uint32_t query_object(HANDLE handle, uint32_t information_class,
74 | void *buf, uint32_t length);
75 |
76 | uint32_t query_key(HANDLE key_handle, uint32_t information_class,
77 | void *buf, uint32_t length);
78 |
79 | int duplicate_handle(HANDLE source_process_handle, HANDLE source_handle,
80 | HANDLE target_process_handle, HANDLE *target_handle,
81 | uint32_t desired_access, int inherit_handle, uint32_t options);
82 |
83 | NTSTATUS write_file(HANDLE file_handle, const void *buffer, uint32_t length,
84 | uint32_t *bytes_written);
85 |
86 | NTSTATUS transact_named_pipe(HANDLE pipe_handle,
87 | const void *inbuf, uintptr_t inbufsz, void *outbuf, uintptr_t outbufsz,
88 | uintptr_t *written);
89 |
90 | NTSTATUS set_named_pipe_handle_mode(HANDLE pipe_handle, uint32_t mode);
91 |
92 | int close_handle(HANDLE object_handle);
93 |
94 | void sleep(uint32_t milliseconds);
95 | uint32_t get_tick_count();
96 |
97 | void register_dll_notification(LDR_DLL_NOTIFICATION_FUNCTION fn, void *param);
98 |
99 | void get_last_error(last_error_t *error);
100 | void set_last_error(last_error_t *error);
101 |
102 | HANDLE get_current_process();
103 | uint32_t get_current_process_id();
104 | HANDLE get_current_thread();
105 | uint32_t get_current_thread_id();
106 |
107 | #endif
108 |
--------------------------------------------------------------------------------
/inc/pipe.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_PIPE_H
20 | #define MONITOR_PIPE_H
21 |
22 | //
23 | // Pipe API
24 | //
25 | // The following Format Specifiers are available:
26 | // z -> (char *) -> zero-terminated ascii string
27 | // Z -> (wchar_t *) -> zero-terminated unicode string
28 | // s -> (int, char *) -> ascii string with length
29 | // S -> (int, wchar_t *) -> unicode string with length
30 | // o -> (UNICODE_STRING *) -> unicode string
31 | // O -> (OBJECT_ATTRIBUTES *) -> wrapper around unicode string
32 | // d -> (int) -> integer
33 | // x -> (int) -> hexadecimal integer
34 | // X -> (uint64_t) -> 64-bit hexadecimal integer
35 | //
36 |
37 | #include
38 |
39 | void pipe_init(const char *pipe_name, int pipe_pid);
40 |
41 | int pipe(const char *fmt, ...);
42 | int32_t pipe2(void *out, uint32_t outlen, const char *fmt, ...);
43 |
44 | #define PIPE_MAX_TIMEOUT 10000
45 |
46 | #if DEBUG
47 | #define dpipe(fmt, ...) pipe(fmt, ##__VA_ARGS__)
48 | #else
49 | #define dpipe(fmt, ...) (void)0
50 | #endif
51 |
52 | #endif
53 |
--------------------------------------------------------------------------------
/inc/sleep.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_SLEEP_H
20 | #define MONITOR_SLEEP_H
21 |
22 | #include
23 | #include
24 |
25 | void sleep_init(int first_process, uint32_t force_skip,
26 | uint32_t startup_time);
27 |
28 | int sleep_skip(LARGE_INTEGER *delay);
29 |
30 | void sleep_skip_disable();
31 |
32 | void sleep_apply_filetime(FILETIME *ft);
33 | void sleep_apply_systemtime(SYSTEMTIME *st);
34 | uint64_t sleep_skipped();
35 |
36 | #endif
37 |
--------------------------------------------------------------------------------
/inc/symbol.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_SYMBOL_H
20 | #define MONITOR_SYMBOL_H
21 |
22 | #include
23 | #include
24 |
25 | #if __x86_64__
26 | #define IMAGE_NT_HEADERS_CROSS IMAGE_NT_HEADERS64
27 | #else
28 | #define IMAGE_NT_HEADERS_CROSS IMAGE_NT_HEADERS
29 | #endif
30 |
31 | typedef void (*symbol_callback_t)(const char *funcname,
32 | uintptr_t address, void *context);
33 |
34 | void symbol_init(HMODULE monitor_address);
35 | uint32_t module_image_size(const uint8_t *addr);
36 |
37 | int symbol_enumerate_module(HMODULE module_handle,
38 | symbol_callback_t callback, void *context);
39 |
40 | int symbol(const uint8_t *addr, char *sym, uint32_t length);
41 |
42 | #endif
43 |
--------------------------------------------------------------------------------
/inc/unhook.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_UNHOOK_H
20 | #define MONITOR_UNHOOK_H
21 |
22 | #include
23 |
24 | void unhook_detect_add_region(const char *funcname, const uint8_t *addr,
25 | const uint8_t *orig, const uint8_t *our, uint32_t length);
26 | void unhook_detect_remove_dead_regions();
27 |
28 | int unhook_init_detection(int first_process);
29 | void unhook_detect_disable();
30 | void unhook_detect_enable();
31 |
32 | #endif
33 |
--------------------------------------------------------------------------------
/inc/utf8.h:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #ifndef MONITOR_UTF8_H
20 | #define MONITOR_UTF8_H
21 |
22 | #include
23 | #include
24 |
25 | int utf8_encode(uint32_t x, uint8_t *out);
26 | int utf8_length(uint32_t x);
27 |
28 | int utf8_bytecnt_ascii(const char *s, int len);
29 | int utf8_bytecnt_unicode(const wchar_t *s, int len);
30 |
31 | char *utf8_string(const char *s, int len);
32 | char *utf8_wstring(const wchar_t *s, int len);
33 |
34 | #endif
35 |
--------------------------------------------------------------------------------
/make-debug.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | # Don't forget to "make clean" if this is the first time you run
4 | # make with the DEBUG flag set. Otherwise source code that depends
5 | # on the DEBUG flag might already have been compiled.
6 | DEBUG=1 make
7 |
--------------------------------------------------------------------------------
/sigs/cert.rst:
--------------------------------------------------------------------------------
1 | Signature::
2 |
3 | * Calling convention: WINAPI
4 | * Category: certificate
5 |
6 |
7 | CertOpenStore
8 | =============
9 |
10 | Signature::
11 |
12 | * Library: crypt32
13 | * Return value: HCERTSTORE
14 |
15 | Parameters::
16 |
17 | * LPCSTR lpszStoreProvider
18 | ** DWORD dwMsgAndCertEncodingType encoding_type
19 | * HCRYPTPROV hCryptProv
20 | ** DWORD dwFlags flags
21 | * const void *pvPara
22 |
23 | Pre::
24 |
25 | char number[10], *store_provider;
26 |
27 | int_or_strA(&store_provider, lpszStoreProvider, number);
28 |
29 | Logging::
30 |
31 | s store_provider store_provider
32 |
33 |
34 | CertOpenSystemStoreA
35 | ====================
36 |
37 | Signature::
38 |
39 | * Library: crypt32
40 | * Return value: HCERTSTORE
41 |
42 | Parameters::
43 |
44 | * HCRYPTPROV hProv
45 | ** LPCTSTR szSubsystemProtocol store_name
46 |
47 |
48 | CertOpenSystemStoreW
49 | ====================
50 |
51 | Signature::
52 |
53 | * Library: crypt32
54 | * Return value: HCERTSTORE
55 |
56 | Parameters::
57 |
58 | * HCRYPTPROV hProv
59 | ** LPCWSTR szSubsystemProtocol store_name
60 |
61 |
62 | CertControlStore
63 | ================
64 |
65 | Signature::
66 |
67 | * Library: crypt32
68 | * Return value: BOOL
69 |
70 | Parameters::
71 |
72 | ** HCERTSTORE hCertStore cert_store
73 | ** DWORD dwFlags flags
74 | ** DWORD dwCtrlType control_type
75 | * const void *pvCtrlPara
76 |
77 |
78 | CertCreateCertificateContext
79 | ============================
80 |
81 | Signature::
82 |
83 | * Library: crypt32
84 | * Return value: PCCERT_CONTEXT
85 |
86 | Parameters::
87 |
88 | ** DWORD dwCertEncodingType encoding
89 | * const BYTE *pbCertEncoded
90 | * DWORD cbCertEncoded
91 |
92 | Logging::
93 |
94 | b certificate cbCertEncoded, pbCertEncoded
95 |
--------------------------------------------------------------------------------
/sigs/exception.rst:
--------------------------------------------------------------------------------
1 | Signature::
2 |
3 | * Calling convention: WINAPI
4 | * Category: exception
5 |
6 |
7 | SetUnhandledExceptionFilter
8 | ===========================
9 |
10 | Signature::
11 |
12 | * Is success: ret != NULL
13 | * Library: kernel32
14 | * Return value: LPTOP_LEVEL_EXCEPTION_FILTER
15 |
16 | Parameters::
17 |
18 | * LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelExceptionFilter
19 |
20 | Interesting::
21 |
22 | p lpTopLevelExceptionFilter
23 |
24 |
25 | RtlAddVectoredExceptionHandler
26 | ==============================
27 |
28 | Signature::
29 |
30 | * Is success: 1
31 | * Library: ntdll
32 | * Return value: PVOID
33 |
34 | Parameters::
35 |
36 | ** ULONG FirstHandler
37 | * PVECTORED_EXCEPTION_HANDLER VectoredHandler
38 |
39 | Interesting::
40 |
41 | p VectoredHandler
42 | i FirstHandler
43 |
44 |
45 | RtlAddVectoredContinueHandler
46 | =============================
47 |
48 | Signature::
49 |
50 | * Is success: 1
51 | * Library: ntdll
52 | * Prune: resolve
53 | * Return value: PVOID
54 |
55 | Parameters::
56 |
57 | ** ULONG FirstHandler
58 | * PVECTORED_EXCEPTION_HANDLER VectoredHandler
59 |
60 | Interesting::
61 |
62 | p VectoredHandler
63 |
64 |
65 | RtlRemoveVectoredExceptionHandler
66 | =================================
67 |
68 | Signature::
69 |
70 | * Is success: 1
71 | * Library: ntdll
72 | * Prune: resolve
73 | * Return value: ULONG
74 |
75 | Parameters::
76 |
77 | * PVOID VectoredHandlerHandle
78 |
79 | Interesting::
80 |
81 | p VectoredHandlerHandle
82 |
83 |
84 | RtlRemoveVectoredContinueHandler
85 | ================================
86 |
87 | Signature::
88 |
89 | * Is success: 1
90 | * Library: ntdll
91 | * Prune: resolve
92 | * Return value: ULONG
93 |
94 | Parameters::
95 |
96 | * PVOID VectoredHandlerHandle
97 |
98 | Interesting::
99 |
100 | p VectoredHandlerHandle
101 |
102 |
103 | RtlDispatchException
104 | ====================
105 |
106 | Signature::
107 |
108 | * Callback: addr
109 | * Is success: 1
110 | * Library: ntdll
111 | * Logging: no
112 | * Return value: void *
113 | * Special: true
114 |
115 | Parameters::
116 |
117 | * EXCEPTION_RECORD *ExceptionRecord
118 | * CONTEXT *Context
119 |
120 | Pre::
121 |
122 | uint32_t exception_code = 0;
123 | if(ExceptionRecord != NULL) {
124 | exception_code = ExceptionRecord->ExceptionCode;
125 | }
126 |
127 | // Ignore exceptions that are caused by calling OutputDebugString().
128 | if(is_exception_code_whitelisted(exception_code) == 0) {
129 | uintptr_t addrs[RETADDRCNT]; uint32_t count = 0;
130 | count = stacktrace(Context, addrs, RETADDRCNT);
131 | log_exception(Context, ExceptionRecord, addrs, count);
132 | }
133 |
134 |
135 | _RtlRaiseException
136 | ==================
137 |
138 | Signature::
139 |
140 | * Is success: 1
141 | * Library: ntdll
142 | * Logging: no
143 | * Return value: void *
144 | * Special: true
145 |
146 | Parameters::
147 |
148 | * EXCEPTION_RECORD *ExceptionRecord
149 |
150 | Pre::
151 |
152 | // uintptr_t addrs[RETADDRCNT]; uint32_t count = 0;
153 | // count = stacktrace(NULL, addrs, RETADDRCNT);
154 | // log_exception(NULL, ExceptionRecord, addrs, count);
155 |
156 | log_exception(NULL, ExceptionRecord, NULL, 0);
157 |
158 |
159 | _NtRaiseException
160 | =================
161 |
162 | Signature::
163 |
164 | * Is success: 1
165 | * Library: ntdll
166 | * Logging: no
167 | * Return value: NTSTATUS
168 | * Special: true
169 |
170 | Parameters::
171 |
172 | * EXCEPTION_RECORD *ExceptionRecord
173 | * CONTEXT *Context
174 | * BOOLEAN HandleException
175 |
176 | Pre::
177 |
178 | // uintptr_t addrs[RETADDRCNT]; uint32_t count = 0;
179 | // count = stacktrace(NULL, addrs, RETADDRCNT);
180 | // log_exception(Context, ExceptionRecord, addrs, count);
181 |
182 | log_exception(Context, ExceptionRecord, NULL, 0);
183 |
--------------------------------------------------------------------------------
/sigs/iexplore.rst:
--------------------------------------------------------------------------------
1 | Signature::
2 |
3 | * Callback: addr
4 | * Calling convention: WINAPI
5 | * Category: iexplore
6 | * Logging: always
7 | * Mode: iexplore
8 | * Special: true
9 |
10 |
11 | COleScript_Compile
12 | ==================
13 |
14 | Signature::
15 |
16 | * Is success: ret >= 0
17 | * Library: jscript
18 | * Return value: int
19 |
20 | Parameters::
21 |
22 | * void *this
23 | * void *script_body
24 | ** const wchar_t *script
25 | * uintptr_t unk1
26 | * uintptr_t unk2
27 | * uintptr_t unk3
28 | ** const wchar_t *type
29 | * void *exception
30 |
31 |
32 | CDocument_write
33 | ===============
34 |
35 | Signature::
36 |
37 | * Is success: 1
38 | * Library: mshtml
39 | * Return value: int
40 |
41 | Parameters::
42 |
43 | * void *cdocument
44 | * SAFEARRAY *arr
45 |
46 | Middle::
47 |
48 | bson b; char index[8];
49 | bson_init_size(&b, mem_suggested_size(4096));
50 | bson_append_start_array(&b, "lines");
51 |
52 | VARIANT *elements = (VARIANT *) arr->pvData;
53 | for (uint32_t idx = 0, jdx = 0; idx < arr->rgsabound[0].cElements;
54 | idx++, elements++) {
55 | if(elements->vt == VT_BSTR && elements->bstrVal != NULL) {
56 | our_snprintf(index, sizeof(index), "%d", jdx++);
57 | log_wstring(&b, index, elements->bstrVal,
58 | sys_string_length(elements->bstrVal));
59 | }
60 | }
61 |
62 | bson_append_finish_array(&b);
63 | bson_finish(&b);
64 |
65 | Logging::
66 |
67 | z lines &b
68 |
69 | Post::
70 |
71 | bson_destroy(&b);
72 |
73 |
74 | CHyperlink_SetUrlComponent
75 | ==========================
76 |
77 | Signature::
78 |
79 | * Is success: 1
80 | * Library: mshtml
81 | * Return value: int
82 |
83 | Parameters::
84 |
85 | * void *chyperlink
86 | ** const wchar_t *component
87 | ** int index
88 |
89 |
90 | CIFrameElement_CreateElement
91 | ============================
92 |
93 | Signature::
94 |
95 | * Library: mshtml
96 | * Return value: HRESULT
97 |
98 | Parameters::
99 |
100 | * void *chtmtag
101 | * void *cdoc
102 | * void **celement
103 |
104 | Middle::
105 |
106 | bson b;
107 | bson_init_size(&b, mem_suggested_size(1024));
108 | bson_append_start_object(&b, "attributes");
109 |
110 | chtmtag_attrs(chtmtag, &b);
111 |
112 | bson_append_finish_object(&b);
113 | bson_finish(&b);
114 |
115 | Logging::
116 |
117 | z attributes &b
118 |
119 | Post::
120 |
121 | bson_destroy(&b);
122 |
123 |
124 | CWindow_AddTimeoutCode
125 | ======================
126 |
127 | Signature::
128 |
129 | * Library: mshtml
130 | * Return value: HRESULT
131 |
132 | Parameters::
133 |
134 | * void *cwindow
135 | * VARIANT *data
136 | ** const wchar_t *argument
137 | ** int milliseconds
138 | * int repeat
139 | * void *unk2
140 |
141 | Pre::
142 |
143 | wchar_t *code = NULL;
144 | if(data != NULL && data->vt == VT_BSTR) {
145 | code = data->bstrVal;
146 | }
147 |
148 | VARIANT v; v.vt = VT_EMPTY;
149 | if(data != NULL && data->vt == VT_DISPATCH) {
150 | if(SUCCEEDED(variant_change_type(&v, data, 0, VT_BSTR)) != FALSE) {
151 | code = v.bstrVal;
152 | }
153 | }
154 |
155 | Logging::
156 |
157 | u code code
158 | i repeat repeat != 0
159 |
160 | Post::
161 |
162 | if(v.vt != VT_EMPTY) {
163 | variant_clear(&v);
164 | }
165 |
166 |
167 | CScriptElement_put_src
168 | ======================
169 |
170 | Signature::
171 |
172 | * Library: mshtml
173 | * Return value: HRESULT
174 |
175 | Parameters::
176 |
177 | * void *cscriptelement
178 | ** const wchar_t *url
179 |
180 |
181 | CElement_put_innerHTML
182 | ======================
183 |
184 | Signature::
185 |
186 | * Library: mshtml
187 | * Return value: HRESULT
188 |
189 | Parameters::
190 |
191 | * void *celement
192 | ** const wchar_t *html
193 |
194 |
195 | CImgElement_put_src
196 | ===================
197 |
198 | Signature::
199 |
200 | * Library: mshtml
201 | * Return value: HRESULT
202 |
203 | Parameters::
204 |
205 | * void *celement
206 | ** const wchar_t *src
207 |
208 |
209 | ActiveXObjectFncObj_Construct
210 | =============================
211 |
212 | Signature::
213 |
214 | * Library: jscript
215 | * Return value: HRESULT
216 |
217 | Parameters::
218 |
219 | * void *this
220 | * VAR *unk1
221 | * int unk2
222 | * VAR *args
223 |
224 | Pre::
225 |
226 | wchar_t *objname = NULL; void *session = ((void **) this)[3];
227 |
228 | VAR *value = iexplore_var_getvalue(args, session);
229 | if(value != NULL) {
230 | objname = *((wchar_t **) value + 1);
231 | }
232 |
233 | Logging::
234 |
235 | u objname objname
236 |
--------------------------------------------------------------------------------
/sigs/netapi.rst:
--------------------------------------------------------------------------------
1 | Signature::
2 |
3 | * Calling convention: WINAPI
4 | * Category: netapi
5 | * Library: netapi32
6 |
7 |
8 | NetGetJoinInformation
9 | =====================
10 |
11 | Signature::
12 |
13 | * Return value: NET_API_STATUS
14 |
15 | Parameters::
16 |
17 | ** LPCWSTR lpServer server
18 | * LPWSTR *lpNameBuffer
19 | * PNETSETUP_JOIN_STATUS BufferType
20 |
21 | Ensure::
22 |
23 | lpNameBuffer
24 |
25 | Logging::
26 |
27 | u name *lpNameBuffer
28 |
29 |
30 | NetUserGetInfo
31 | ==============
32 |
33 | Signature::
34 |
35 | * Is success: ret == 0
36 | * Return value: int
37 |
38 | Parameters::
39 |
40 | ** LPCWSTR servername server_name
41 | ** LPCWSTR username username
42 | ** DWORD level level
43 | * LPBYTE *bufptr
44 |
45 |
46 | NetUserGetLocalGroups
47 | =====================
48 |
49 | Signature::
50 |
51 | * Return value: NET_API_STATUS
52 |
53 | Parameters::
54 |
55 | ** LPCWSTR servername servername
56 | ** LPCWSTR username username
57 | ** DWORD level level
58 | ** DWORD flags flags
59 | * LPBYTE *bufptr
60 | * DWORD prefmaxlen
61 | * LPDWORD entriesread
62 | * LPDWORD totalentries
63 |
64 |
65 | NetShareEnum
66 | ============
67 |
68 | Signature::
69 |
70 | * Return value: NET_API_STATUS
71 |
72 | Parameters::
73 |
74 | ** LPWSTR servername servername
75 | ** DWORD level level
76 | * LPBYTE *bufptr
77 | * DWORD prefmaxlen
78 | * LPDWORD entriesread
79 | * LPDWORD totalentries
80 | * LPDWORD resume_handle
81 |
--------------------------------------------------------------------------------
/sigs/ole.rst:
--------------------------------------------------------------------------------
1 | Signature::
2 |
3 | * Calling convention: WINAPI
4 | * Category: ole
5 | * Library: ole32
6 | * Mode: iexplore
7 | * Return value: HRESULT
8 |
9 |
10 | CoCreateInstance
11 | ================
12 |
13 | Parameters::
14 |
15 | ** REFCLSID rclsid clsid
16 | * LPUNKNOWN pUnkOuter
17 | ** DWORD dwClsContext class_context
18 | ** REFIID riid iid
19 | * LPVOID *ppv
20 |
21 | Interesting::
22 |
23 | b sizeof(CLSID), rclsid
24 | i class_context
25 | b sizeof(IID), riid
26 |
27 | Post::
28 |
29 | ole_enable_hooks(rclsid);
30 |
31 |
32 | OleInitialize
33 | =============
34 |
35 | Parameters::
36 |
37 | * LPVOID pvReserved
38 |
39 |
40 | CoInitializeEx
41 | ==============
42 |
43 | Parameters::
44 |
45 | * LPVOID pvReserved
46 | ** DWORD dwCoInit options
47 |
48 |
49 | CoUninitialize
50 | ==============
51 |
52 |
53 | CoInitializeSecurity
54 | ====================
55 |
56 | Parameters::
57 |
58 | * PSECURITY_DESCRIPTOR pSecDesc
59 | * LONG cAuthSvc
60 | * SOLE_AUTHENTICATION_SERVICE *asAuthSvc
61 | * void *pReserved1
62 | * DWORD dwAuthnLevel
63 | * DWORD dwImpLevel
64 | * void *pAuthList
65 | * DWORD dwCapabilities
66 | * void *pReserved3
67 |
68 |
69 | CoCreateInstanceEx
70 | ==================
71 |
72 | Parameters::
73 |
74 | ** REFCLSID rclsid clsid
75 | * IUnknown *punkOuter
76 | ** DWORD dwClsCtx class_context
77 | * COSERVERINFO *pServerInfo
78 | * DWORD dwCount
79 | * MULTI_QI *pResults
80 |
81 | Pre::
82 |
83 | bson b; char index[8], clsid[64];
84 | bson_init(&b);
85 |
86 | bson_append_start_array(&b, "iid");
87 |
88 | MULTI_QI *multi_qi = pResults;
89 | for (uint32_t idx = 0; idx < dwCount; idx++, multi_qi++) {
90 | our_snprintf(index, sizeof(index), "%d", idx++);
91 | clsid_to_string(multi_qi->pIID, clsid);
92 | log_string(&b, index, clsid, strlen(clsid));
93 | }
94 |
95 | bson_append_finish_array(&b);
96 | bson_finish(&b);
97 |
98 | Logging::
99 |
100 | z iid &b
101 |
102 | Post::
103 |
104 | ole_enable_hooks(rclsid);
105 | bson_destroy(&b);
106 |
107 |
108 | CoGetClassObject
109 | ================
110 |
111 | Parameters::
112 |
113 | ** REFCLSID rclsid clsid
114 | ** DWORD dwClsContext class_context
115 | * COSERVERINFO *pServerInfo
116 | ** REFIID riid iid
117 | * LPVOID *ppv
118 |
119 | Post::
120 |
121 | ole_enable_hooks(rclsid);
122 |
--------------------------------------------------------------------------------
/sigs/process.rst:
--------------------------------------------------------------------------------
1 | Signature::
2 |
3 | * Calling convention: WINAPI
4 | * Category: process
5 |
6 |
7 | CreateProcessInternalW
8 | ======================
9 |
10 | Signature::
11 |
12 | * Library: kernel32
13 | * Mode: iexplore
14 | * Return value: BOOL
15 | * Special: true
16 |
17 | Parameters::
18 |
19 | * LPVOID lpUnknown1
20 | * LPWSTR lpApplicationName
21 | ** LPWSTR lpCommandLine command_line
22 | * LPSECURITY_ATTRIBUTES lpProcessAttributes
23 | * LPSECURITY_ATTRIBUTES lpThreadAttributes
24 | ** BOOL bInheritHandles inherit_handles
25 | * DWORD dwCreationFlags
26 | * LPVOID lpEnvironment
27 | ** LPWSTR lpCurrentDirectory current_directory
28 | * LPSTARTUPINFO lpStartupInfo
29 | * LPPROCESS_INFORMATION lpProcessInformation
30 | * LPVOID lpUnknown2
31 |
32 | Flags::
33 |
34 | creation_flags creation_flags
35 |
36 | Ensure::
37 |
38 | lpProcessInformation
39 |
40 | Pre::
41 |
42 | // Ensure the CREATE_SUSPENDED flag is set when calling
43 | // the original function.
44 | DWORD creation_flags = dwCreationFlags;
45 | dwCreationFlags |= CREATE_SUSPENDED;
46 |
47 | wchar_t *filepath = get_unicode_buffer();
48 | path_get_full_pathW(lpApplicationName, filepath);
49 |
50 | Interesting::
51 |
52 | u filepath
53 | u command_line
54 | i inherit_handles
55 | i creation_flags
56 | u current_directory
57 |
58 | Logging::
59 |
60 | u filepath filepath
61 | u filepath_r lpApplicationName
62 | i creation_flags creation_flags
63 | i process_identifier lpProcessInformation->dwProcessId
64 | i thread_identifier lpProcessInformation->dwThreadId
65 | p process_handle lpProcessInformation->hProcess
66 | p thread_handle lpProcessInformation->hThread
67 |
68 | Post::
69 |
70 | if(ret != FALSE) {
71 | uint32_t mode = HOOK_MODE_ALL;
72 |
73 | const wchar_t *command_line = lpCommandLine;
74 | if(command_line == NULL) {
75 | command_line = lpApplicationName;
76 | }
77 |
78 | // Let's ask nicely whether we want to propagate execution into this
79 | // new process and if so, in what monitoring mode.
80 | if(monitor_mode_should_propagate(command_line, &mode) == 0) {
81 | pipe("PROCESS2:%d,%d,%d",
82 | lpProcessInformation->dwProcessId,
83 | lpProcessInformation->dwThreadId,
84 | mode);
85 | }
86 |
87 | // If the CREATE_SUSPENDED flag was not set then we have to resume
88 | // the main thread ourselves.
89 | if((creation_flags & CREATE_SUSPENDED) == 0) {
90 | ResumeThread(lpProcessInformation->hThread);
91 | }
92 |
93 | sleep_skip_disable();
94 | }
95 |
96 | free_unicode_buffer(filepath);
97 |
98 |
99 | ShellExecuteExW
100 | ===============
101 |
102 | Signature::
103 |
104 | * Library: shell32
105 | * Return value: BOOL
106 |
107 | Parameters::
108 |
109 | * SHELLEXECUTEINFOW *pExecInfo
110 |
111 | Ensure::
112 |
113 | pExecInfo
114 |
115 | Pre::
116 |
117 | wchar_t *filepath = get_unicode_buffer();
118 | if(pExecInfo->lpFile != NULL) {
119 | // In case it's a relative path we'll just stick to it.
120 | wcsncpy(filepath, pExecInfo->lpFile, MAX_PATH_W);
121 |
122 | // If this is not a relative path then we resolve the full path.
123 | if(lstrlenW(pExecInfo->lpFile) > 2 && pExecInfo->lpFile[1] == ':' &&
124 | pExecInfo->lpFile[2] == '\\') {
125 | path_get_full_pathW(pExecInfo->lpFile, filepath);
126 | }
127 | }
128 |
129 | Interesting::
130 |
131 | u filepath
132 | i pExecInfo->fMask
133 | u pExecInfo->lpVerb
134 | u pExecInfo->lpFile
135 | u pExecInfo->lpParameters
136 | u pExecInfo->lpDirectory
137 | i pExecInfo->nShow
138 | u pExecInfo->lpClass
139 | i pExecInfo->dwHotKey
140 |
141 | Logging::
142 |
143 | u filepath filepath
144 | u filepath_r pExecInfo->lpFile
145 | u parameters pExecInfo->lpParameters
146 | i show_type pExecInfo->nShow
147 |
148 | Post::
149 |
150 | free_unicode_buffer(filepath);
151 |
152 |
153 | ReadProcessMemory
154 | =================
155 |
156 | Signature::
157 |
158 | * Library: kernel32
159 | * Return value: BOOL
160 |
161 | Parameters::
162 |
163 | ** HANDLE hProcess process_handle
164 | ** LPCVOID lpBaseAddress base_address
165 | * LPVOID lpBuffer
166 | * SIZE_T nSize
167 | * SIZE_T *lpNumberOfBytesRead
168 |
169 | Ensure::
170 |
171 | lpNumberOfBytesRead
172 |
173 | Logging::
174 |
175 | B buffer lpNumberOfBytesRead, lpBuffer
176 |
177 |
178 | WriteProcessMemory
179 | ==================
180 |
181 | Signature::
182 |
183 | * Library: kernel32
184 | * Return value: BOOL
185 |
186 | Parameters::
187 |
188 | ** HANDLE hProcess process_handle
189 | ** LPVOID lpBaseAddress base_address
190 | * LPCVOID lpBuffer
191 | * SIZE_T nSize
192 | * SIZE_T *lpNumberOfBytesWritten
193 |
194 | Ensure::
195 |
196 | lpNumberOfBytesWritten
197 |
198 | Logging::
199 |
200 | !B buffer lpNumberOfBytesWritten, lpBuffer
201 |
202 |
203 | system
204 | ======
205 |
206 | Signature::
207 |
208 | * Is success: ret == 0
209 | * Library: msvcrt
210 | * Return value: int
211 |
212 | Parameters::
213 |
214 | ** const char *command
215 |
216 | Interesting::
217 |
218 | s command
219 |
220 |
221 | CreateToolhelp32Snapshot
222 | ========================
223 |
224 | Signature::
225 |
226 | * Library: kernel32
227 | * Return value: HANDLE
228 |
229 | Parameters::
230 |
231 | ** DWORD dwFlags flags
232 | ** DWORD th32ProcessID process_identifier
233 |
234 | Interesting::
235 |
236 | i flags
237 | i process_identifier
238 |
239 |
240 | Process32FirstW
241 | ===============
242 |
243 | Signature::
244 |
245 | * Library: kernel32
246 | * Return value: BOOL
247 |
248 | Parameters::
249 |
250 | ** HANDLE hSnapshot snapshot_handle
251 | * LPPROCESSENTRY32W lppe
252 |
253 | Logging::
254 |
255 | u process_name lppe->szExeFile
256 | i process_identifier lppe->th32ProcessID
257 |
258 |
259 | Process32NextW
260 | ==============
261 |
262 | Signature::
263 |
264 | * Library: kernel32
265 | * Return value: BOOL
266 |
267 | Parameters::
268 |
269 | ** HANDLE hSnapshot snapshot_handle
270 | * LPPROCESSENTRY32W lppe
271 |
272 | Logging::
273 |
274 | u process_name lppe->szExeFile
275 | i process_identifier lppe->th32ProcessID
276 |
277 |
278 | Module32FirstW
279 | ==============
280 |
281 | Signature::
282 |
283 | * Library: kernel32
284 | * Return value: BOOL
285 |
286 | Parameters::
287 |
288 | ** HANDLE hSnapshot snapshot_handle
289 | * LPMODULEENTRY32W lpme
290 |
291 |
292 | Module32NextW
293 | =============
294 |
295 | Signature::
296 |
297 | * Library: kernel32
298 | * Return value: BOOL
299 |
300 | Parameters::
301 |
302 | ** HANDLE hSnapshot snapshot_handle
303 | * LPMODULEENTRY32W lpme
304 |
--------------------------------------------------------------------------------
/sigs/resource.rst:
--------------------------------------------------------------------------------
1 | Signature::
2 |
3 | * Calling convention: WINAPI
4 | * Category: resource
5 | * Library: kernel32
6 |
7 |
8 | FindResourceA
9 | =============
10 |
11 | Signature::
12 |
13 | * Return value: HRSRC
14 |
15 | Parameters::
16 |
17 | ** HMODULE hModule module_handle
18 | * LPCSTR lpName
19 | * LPCSTR lpType
20 |
21 | Pre::
22 |
23 | char value[10], value2[10], *name, *type;
24 |
25 | int_or_strA(&name, lpName, value);
26 | int_or_strA(&type, lpType, value2);
27 |
28 | Logging::
29 |
30 | s name name
31 | s type type
32 |
33 |
34 | FindResourceW
35 | =============
36 |
37 | Signature::
38 |
39 | * Return value: HRSRC
40 |
41 | Parameters::
42 |
43 | ** HMODULE hModule module_handle
44 | * LPWSTR lpName
45 | * LPWSTR lpType
46 |
47 | Pre::
48 |
49 | wchar_t value[10], value2[10], *name, *type;
50 |
51 | int_or_strW(&name, lpName, value);
52 | int_or_strW(&type, lpType, value2);
53 |
54 | Logging::
55 |
56 | u name name
57 | u type type
58 |
59 |
60 | FindResourceExA
61 | ===============
62 |
63 | Signature::
64 |
65 | * Return value: HRSRC
66 |
67 | Parameters::
68 |
69 | ** HMODULE hModule module_handle
70 | * LPCSTR lpName
71 | * LPCSTR lpType
72 | ** WORD wLanguage language_identifier
73 |
74 | Pre::
75 |
76 | char value[10], value2[10], *name, *type;
77 |
78 | int_or_strA(&name, lpName, value);
79 | int_or_strA(&type, lpType, value2);
80 |
81 | Logging::
82 |
83 | s name name
84 | s type type
85 |
86 |
87 | FindResourceExW
88 | ===============
89 |
90 | Signature::
91 |
92 | * Return value: HRSRC
93 |
94 | Parameters::
95 |
96 | ** HMODULE hModule module_handle
97 | * LPWSTR lpName
98 | * LPWSTR lpType
99 | ** WORD wLanguage language_identifier
100 |
101 | Pre::
102 |
103 | wchar_t value[10], value2[10], *name, *type;
104 |
105 | int_or_strW(&name, lpName, value);
106 | int_or_strW(&type, lpType, value2);
107 |
108 | Logging::
109 |
110 | u name name
111 | u type type
112 |
113 |
114 | LoadResource
115 | ============
116 |
117 | Signature::
118 |
119 | * Return value: HGLOBAL
120 |
121 | Parameters::
122 |
123 | ** HMODULE hModule module_handle
124 | ** HRSRC hResInfo resource_handle
125 |
126 | Logging::
127 |
128 | p pointer ret
129 |
130 |
131 | SizeofResource
132 | ==============
133 |
134 | Signature::
135 |
136 | * Is success: 1
137 | * Return value: DWORD
138 |
139 | Parameters::
140 |
141 | ** HMODULE hModule module_handle
142 | ** HRSRC hResInfo resource_handle
143 |
144 | Logging::
145 |
146 | i resource_size ret
147 |
--------------------------------------------------------------------------------
/sigs/sleep.rst:
--------------------------------------------------------------------------------
1 | Signature::
2 |
3 | * Calling convention: WINAPI
4 | * Category: synchronisation
5 |
6 |
7 | NtDelayExecution
8 | ================
9 |
10 | Signature::
11 |
12 | * Library: ntdll
13 | * Return value: NTSTATUS
14 |
15 | Parameters::
16 |
17 | * BOOLEAN Alertable
18 | * PLARGE_INTEGER DelayInterval
19 |
20 | Ensure::
21 |
22 | DelayInterval
23 |
24 | Pre::
25 |
26 | int64_t milliseconds = -DelayInterval->QuadPart / 10000;
27 | int skipped = sleep_skip(DelayInterval);
28 |
29 | Logging::
30 |
31 | q milliseconds milliseconds
32 | i skipped skipped
33 |
34 |
35 | GetLocalTime
36 | ============
37 |
38 | Signature::
39 |
40 | * Library: kernel32
41 | * Logging: no
42 | * Return value: void
43 |
44 | Parameters::
45 |
46 | * LPSYSTEMTIME lpSystemTime
47 |
48 | Post::
49 |
50 | sleep_apply_systemtime(lpSystemTime);
51 |
52 |
53 | GetSystemTime
54 | =============
55 |
56 | Signature::
57 |
58 | * Library: kernel32
59 | * Logging: no
60 | * Return value: void
61 |
62 | Parameters::
63 |
64 | * LPSYSTEMTIME lpSystemTime
65 |
66 | Post::
67 |
68 | sleep_apply_systemtime(lpSystemTime);
69 |
70 |
71 | GetTickCount
72 | ============
73 |
74 | Signature::
75 |
76 | * Is success: 1
77 | * Library: kernel32
78 | * Logging: no
79 | * Return value: DWORD
80 |
81 | Post::
82 |
83 | ret += sleep_skipped() / 10000;
84 |
85 |
86 | GetSystemTimeAsFileTime
87 | =======================
88 |
89 | Signature::
90 |
91 | * Is success: 1
92 | * Library: kernel32
93 | * Return value: void
94 |
95 | Parameters::
96 |
97 | * LPFILETIME lpSystemTimeAsFileTime
98 |
99 | Post::
100 |
101 | sleep_apply_filetime(lpSystemTimeAsFileTime);
102 |
103 |
104 | NtQuerySystemTime
105 | =================
106 |
107 | Signature::
108 |
109 | * Library: ntdll
110 | * Logging: no
111 | * Return value: NTSTATUS
112 |
113 | Parameters::
114 |
115 | * PLARGE_INTEGER SystemTime
116 |
117 | Post::
118 |
119 | if(NT_SUCCESS(ret) != FALSE) {
120 | SystemTime->QuadPart += sleep_skipped();
121 | }
122 |
123 |
124 | timeGetTime
125 | ===========
126 |
127 | Signature::
128 |
129 | * Is success: 1
130 | * Library: winmm
131 | * Return value: DWORD
132 |
133 | Post::
134 |
135 | ret += sleep_skipped() / 10000;
136 |
--------------------------------------------------------------------------------
/sigs/srvcli.rst:
--------------------------------------------------------------------------------
1 | Signature::
2 |
3 | * Calling convention: WINAPI
4 | * Category: netapi
5 | * Library: srvcli
6 |
7 |
8 | NetShareEnum
9 | ============
10 |
11 | Signature::
12 |
13 | * Return value: NET_API_STATUS
14 |
15 | Parameters::
16 |
17 | ** LPWSTR servername servername
18 | ** DWORD level level
19 | * LPBYTE *bufptr
20 | * DWORD prefmaxlen
21 | * LPDWORD entriesread
22 | * LPDWORD totalentries
23 | * LPDWORD resume_handle
24 |
--------------------------------------------------------------------------------
/sigs/sync.rst:
--------------------------------------------------------------------------------
1 | Signature::
2 |
3 | * Calling convention: WINAPI
4 | * Category: synchronisation
5 |
6 |
7 | NtCreateMutant
8 | ==============
9 |
10 | Signature::
11 |
12 | * Library: ntdll
13 | * Return value: NTSTATUS
14 |
15 | Parameters::
16 |
17 | ** PHANDLE MutantHandle mutant_handle
18 | ** ACCESS_MASK DesiredAccess desired_access
19 | * POBJECT_ATTRIBUTES ObjectAttributes
20 | ** BOOLEAN InitialOwner initial_owner
21 |
22 | Flags::
23 |
24 | desired_access
25 |
26 | Pre::
27 |
28 | wchar_t *mutant_name = NULL;
29 | if(ObjectAttributes != NULL) {
30 | mutant_name = extract_unicode_string(ObjectAttributes->ObjectName);
31 | }
32 |
33 | Logging::
34 |
35 | u mutant_name mutant_name
36 |
37 | Post::
38 |
39 | if(mutant_name != NULL) {
40 | free_unicode_buffer(mutant_name);
41 | }
42 |
43 |
44 | NtOpenMutant
45 | ============
46 |
47 | Signature::
48 |
49 | * Library: ntdll
50 | * Return value: NTSTATUS
51 |
52 | Parameters::
53 |
54 | ** PHANDLE MutantHandle mutant_handle
55 | ** ACCESS_MASK DesiredAccess desired_access
56 | * POBJECT_ATTRIBUTES ObjectAttributes
57 |
58 | Flags::
59 |
60 | desired_access
61 |
62 | Pre::
63 |
64 | wchar_t *mutant_name = NULL;
65 | if(ObjectAttributes != NULL) {
66 | mutant_name = extract_unicode_string(ObjectAttributes->ObjectName);
67 | }
68 |
69 | Logging::
70 |
71 | u mutant_name mutant_name
72 |
73 | Post::
74 |
75 | if(mutant_name != NULL) {
76 | free_unicode_buffer(mutant_name);
77 | }
78 |
--------------------------------------------------------------------------------
/sigs/thread.rst:
--------------------------------------------------------------------------------
1 | Signature::
2 |
3 | * Calling convention: WINAPI
4 | * Category: process
5 | * Library: kernel32
6 |
7 |
8 | CreateThread
9 | ============
10 |
11 | Signature::
12 |
13 | * Return value: HANDLE
14 |
15 | Parameters::
16 |
17 | * LPSECURITY_ATTRIBUTES lpThreadAttributes
18 | ** SIZE_T dwStackSize stack_size
19 | ** LPTHREAD_START_ROUTINE lpStartAddress function_address
20 | ** LPVOID lpParameter parameter
21 | ** DWORD dwCreationFlags flags
22 | ** LPDWORD lpThreadId thread_identifier
23 |
24 | Ensure::
25 |
26 | lpThreadId
27 |
28 | Post::
29 |
30 | if(ret != NULL) {
31 | sleep_skip_disable();
32 | }
33 |
34 |
35 | CreateRemoteThread
36 | ==================
37 |
38 | Signature::
39 |
40 | * Return value: HANDLE
41 |
42 | Parameters::
43 |
44 | ** HANDLE hProcess process_handle
45 | * LPSECURITY_ATTRIBUTES lpThreadAttributes
46 | ** SIZE_T dwStackSize stack_size
47 | ** LPTHREAD_START_ROUTINE lpStartAddress function_address
48 | ** LPVOID lpParameter parameter
49 | ** DWORD dwCreationFlags flags
50 | ** LPDWORD lpThreadId thread_identifier
51 |
52 | Pre::
53 |
54 | pipe("PROCESS:%d", pid_from_process_handle(hProcess));
55 |
56 | Post::
57 |
58 | if(ret != NULL) {
59 | sleep_skip_disable();
60 | }
61 |
62 |
63 | CreateRemoteThreadEx
64 | ====================
65 |
66 | Signature::
67 |
68 | * Prune: resolve
69 | * Return value: HANDLE
70 |
71 | Parameters::
72 |
73 | ** HANDLE hProcess process_handle
74 | * LPSECURITY_ATTRIBUTES lpThreadAttributes
75 | ** SIZE_T dwStackSize stack_size
76 | ** LPTHREAD_START_ROUTINE lpStartAddress function_address
77 | ** LPVOID lpParameter parameter
78 | ** DWORD dwCreationFlags flags
79 | * LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList
80 | ** LPDWORD lpThreadId thread_identifier
81 |
82 |
83 | Thread32First
84 | =============
85 |
86 | Signature::
87 |
88 | * Return value: BOOL
89 |
90 | Parameters::
91 |
92 | ** HANDLE hSnapshot snapshot_handle
93 | * LPTHREADENTRY32 lpte
94 |
95 |
96 | Thread32Next
97 | ============
98 |
99 | Signature::
100 |
101 | * Return value: BOOL
102 |
103 | Parameters::
104 |
105 | ** HANDLE hSnapshot snapshot_handle
106 | * LPTHREADENTRY32 lpte
107 |
--------------------------------------------------------------------------------
/sigs/ui.rst:
--------------------------------------------------------------------------------
1 | Signature::
2 |
3 | * Calling convention: WINAPI
4 | * Category: ui
5 | * Library: user32
6 |
7 |
8 | FindWindowA
9 | ===========
10 |
11 | Signature::
12 |
13 | * Return value: HWND
14 |
15 | Parameters::
16 |
17 | * LPCSTR lpClassName
18 | ** LPCTSTR lpWindowName window_name
19 |
20 | Pre::
21 |
22 | char value[10], *class_name;
23 |
24 | int_or_strA(&class_name, lpClassName, value);
25 |
26 | Interesting::
27 |
28 | s class_name
29 | s window_name
30 |
31 | Logging::
32 |
33 | s class_name class_name
34 |
35 |
36 | FindWindowW
37 | ===========
38 |
39 | Signature::
40 |
41 | * Return value: HWND
42 |
43 | Parameters::
44 |
45 | * LPWSTR lpClassName
46 | ** LPWSTR lpWindowName window_name
47 |
48 | Pre::
49 |
50 | wchar_t value[10], *class_name;
51 |
52 | int_or_strW(&class_name, lpClassName, value);
53 |
54 | Interesting::
55 |
56 | u class_name
57 | u window_name
58 |
59 | Logging::
60 |
61 | u class_name class_name
62 |
63 |
64 | FindWindowExA
65 | =============
66 |
67 | Signature::
68 |
69 | * Return value: HWND
70 |
71 | Parameters::
72 |
73 | ** HWND hwndParent parent_hwnd
74 | ** HWND hwndChildAfter child_after_hwnd
75 | * LPCTSTR lpszClass
76 | ** LPCTSTR lpszWindow window_name
77 |
78 | Pre::
79 |
80 | char value[10], *class_name;
81 |
82 | int_or_strA(&class_name, lpszClass, value);
83 |
84 | Interesting::
85 |
86 | s class_name
87 | s window_name
88 |
89 | Logging::
90 |
91 | s class_name class_name
92 |
93 |
94 | FindWindowExW
95 | =============
96 |
97 | Signature::
98 |
99 | * Return value: HWND
100 |
101 | Parameters::
102 |
103 | ** HWND hwndParent parent_hwnd
104 | ** HWND hwndChildAfter child_after_hwnd
105 | * LPWSTR lpszClass
106 | ** LPWSTR lpszWindow window_name
107 |
108 | Pre::
109 |
110 | wchar_t value[10], *class_name;
111 |
112 | int_or_strW(&class_name, lpszClass, value);
113 |
114 | Interesting::
115 |
116 | u class_name
117 | u window_name
118 |
119 | Logging::
120 |
121 | u class_name class_name
122 |
123 |
124 | GetForegroundWindow
125 | ===================
126 |
127 | Signature::
128 |
129 | * Return value: HWND
130 |
131 |
132 | MessageBoxTimeoutA
133 | ==================
134 |
135 | Signature::
136 |
137 | * Is success: ret != 0
138 | * Return value: int
139 |
140 | Parameters::
141 |
142 | ** HWND hWnd window_handle
143 | ** LPCTSTR lpText text
144 | ** LPCTSTR lpCaption caption
145 | ** UINT uType flags
146 | ** WORD wLanguageId language_identifier
147 | * INT Unknown
148 |
149 | Interesting::
150 |
151 | s text
152 | s caption
153 | i flags
154 | i language_identifier
155 |
156 |
157 | MessageBoxTimeoutW
158 | ==================
159 |
160 | Signature::
161 |
162 | * Is success: ret != 0
163 | * Return value: int
164 |
165 | Parameters::
166 |
167 | ** HWND hWnd window_handle
168 | ** LPWSTR lpText text
169 | ** LPWSTR lpCaption caption
170 | ** UINT uType flags
171 | ** WORD wLanguageId language_identifier
172 | * INT Unknown
173 |
174 | Interesting::
175 |
176 | u text
177 | u caption
178 | i flags
179 | i language_identifier
180 |
181 |
182 | DrawTextExA
183 | ===========
184 |
185 | Signature::
186 |
187 | * Is success: ret != 0
188 | * Return value: int
189 |
190 | Parameters::
191 |
192 | * HDC hdc
193 | * LPSTR lpchText
194 | * int cchText
195 | * LPRECT lprc
196 | * UINT dwDTFormat
197 | * LPDRAWTEXTPARAMS lpDTParams
198 |
199 | Middle::
200 |
201 | if(cchText == -1) {
202 | cchText = strlen(lpchText);
203 | }
204 |
205 | Logging::
206 |
207 | S string cchText, lpchText
208 |
209 |
210 | DrawTextExW
211 | ===========
212 |
213 | Signature::
214 |
215 | * Is success: ret != 0
216 | * Return value: int
217 |
218 | Parameters::
219 |
220 | * HDC hdc
221 | * LPWSTR lpchText
222 | * int cchText
223 | * LPRECT lprc
224 | * UINT dwDTFormat
225 | * LPDRAWTEXTPARAMS lpDTParams
226 |
227 | Middle::
228 |
229 | if(cchText == -1) {
230 | cchText = lstrlenW(lpchText);
231 | }
232 |
233 | Logging::
234 |
235 | U string cchText, lpchText
236 |
237 |
238 | LoadStringA
239 | ===========
240 |
241 | Signature::
242 |
243 | * Is success: ret != 0
244 | * Return value: int
245 |
246 | Parameters::
247 |
248 | ** HINSTANCE hInstance module_handle
249 | ** UINT uID id
250 | * LPSTR lpBuffer
251 | * int nBufferMax
252 |
253 | Middle::
254 |
255 | const char *buf = lpBuffer;
256 | if(nBufferMax == 0 && lpBuffer != NULL) {
257 | buf = *(const char **) lpBuffer;
258 | }
259 |
260 | Logging::
261 |
262 | s string buf
263 |
264 |
265 | LoadStringW
266 | ===========
267 |
268 | Signature::
269 |
270 | * Is success: ret != 0
271 | * Return value: int
272 |
273 | Parameters::
274 |
275 | ** HINSTANCE hInstance module_handle
276 | ** UINT uID id
277 | * LPWSTR lpBuffer
278 | * int nBufferMax
279 |
280 | Middle::
281 |
282 | const wchar_t *buf = lpBuffer;
283 | if(nBufferMax == 0 && lpBuffer != NULL) {
284 | buf = *(const wchar_t **) lpBuffer;
285 | }
286 |
287 | Logging::
288 |
289 | u string buf
290 |
291 |
292 | _CreateWindowExA
293 | ================
294 |
295 | Signature::
296 |
297 | * Return value: HWND
298 |
299 | Parameters::
300 |
301 | ** DWORD dwExStyle extended_style
302 | ** LPCTSTR lpClassName class_name
303 | ** LPCTSTR lpWindowName window_name
304 | ** DWORD dwStyle style
305 | ** int x
306 | ** int y
307 | ** int nWidth width
308 | ** int nHeight height
309 | ** HWND hWndParent parent_handle
310 | ** HMENU hMenu menu_handle
311 | ** HINSTANCE hInstance instance_handle
312 | * LPVOID lpParam
313 |
314 | Flags::
315 |
316 | extended_style
317 | style
318 |
319 |
320 | _CreateWindowExW
321 | ================
322 |
323 | Signature::
324 |
325 | * Return value: HWND
326 |
327 | Parameters::
328 |
329 | ** DWORD dwExStyle extended_style
330 | ** LPWSTR lpClassName class_name
331 | ** LPWSTR lpWindowName window_name
332 | ** DWORD dwStyle style
333 | ** int x
334 | ** int y
335 | ** int nWidth width
336 | ** int nHeight height
337 | ** HWND hWndParent parent_handle
338 | ** HMENU hMenu menu_handle
339 | ** HINSTANCE hInstance instance_handle
340 | * LPVOID lpParam
341 |
342 | Flags::
343 |
344 | extended_style
345 | style
346 |
347 |
348 | _DialogBoxIndirectParamA
349 | ========================
350 |
351 | Parameters::
352 |
353 | * HINSTANCE hInstance
354 | * LPCDLGTEMPLATE hDialogTemplate
355 | * HWND hWndParent
356 | * DLGPROC lpDialogFunc
357 | * LPARAM dwInitParam
358 |
359 |
360 | _DialogBoxIndirectParamW
361 | ========================
362 |
363 | Parameters::
364 |
365 | * HINSTANCE hInstance
366 | * LPCDLGTEMPLATE hDialogTemplate
367 | * HWND hWndParent
368 | * DLGPROC lpDialogFunc
369 | * LPARAM dwInitParam
370 |
--------------------------------------------------------------------------------
/sigs/wmi.rst:
--------------------------------------------------------------------------------
1 | Signature::
2 |
3 | * Callback: addr
4 | * Calling convention: WINAPI
5 | * Category: misc
6 | * Library: __wmi__
7 | * Mode: iexplore
8 | * Prune: resolve
9 | * Return value: HRESULT
10 |
11 |
12 | IWbemServices_ExecQuery
13 | =======================
14 |
15 | Parameters::
16 |
17 | * IWbemServices *This
18 | ** const BSTR strQueryLanguage query_language
19 | ** const BSTR strQuery query
20 | ** ULONG lFlags flags
21 | * IWbemContext *pCtx
22 | * IEnumWbemClassObject **ppEnum
23 |
24 |
25 | IWbemServices_ExecQueryAsync
26 | ============================
27 |
28 | Parameters::
29 |
30 | * IWbemServices *This
31 | ** const BSTR strQueryLanguage query_language
32 | ** const BSTR strQuery query
33 | ** long lFlags flags
34 | * IWbemContext *pCtx
35 | * IWbemObjectSink *pResponseHandler
36 |
--------------------------------------------------------------------------------
/src/assembly.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #include
20 | #include
21 | #include "assembly.h"
22 | #include "misc.h"
23 | #include "native.h"
24 |
25 | #if __x86_64__
26 |
27 | int asm_move_regimm(uint8_t *stub, register_t reg, uintptr_t value)
28 | {
29 | uint8_t *base = stub;
30 |
31 | stub += asm_push(stub, value);
32 |
33 | if(reg >= R_R8) {
34 | *stub++ = 0x41;
35 | *stub++ = 0x58 + (reg - R_R8);
36 | }
37 | else {
38 | *stub++ = 0x58 + reg;
39 | *stub++ = 0x90;
40 | }
41 |
42 | return stub - base;
43 | }
44 |
45 | int asm_push(uint8_t *stub, uintptr_t value)
46 | {
47 | // Push the lower 32-bits of the value onto the stack. The 32-bit
48 | // value will be zero-extended to 64-bits.
49 | stub[0] = 0x68;
50 | *(uint32_t *)(stub + 1) = (uint32_t) value;
51 |
52 | // Move higher 32-bits of the value into the stack.
53 | // mov dword [rsp+4], 32-bit
54 | stub[5] = 0xc7;
55 | stub[6] = 0x44;
56 | stub[7] = 0x24;
57 | stub[8] = 0x04;
58 | *(uint32_t *)(stub + 9) = (uint32_t)(value >> 32);
59 | return 13;
60 | }
61 |
62 | int asm_jregz(uint8_t *stub, register_t reg, int8_t offset)
63 | {
64 | if(reg < R_R8) {
65 | *stub++ = 0x48;
66 | }
67 | else {
68 | *stub++ = 0x4d;
69 | reg -= R_R8;
70 | }
71 | *stub++ = 0x85;
72 | *stub++ = 0xc0 + reg + reg * 8;
73 | *stub++ = 0x74;
74 | *stub++ = offset;
75 | return 5;
76 | }
77 |
78 | #else
79 |
80 | int asm_move_regimm(uint8_t *stub, register_t reg, uintptr_t value)
81 | {
82 | *stub = 0xb8 + reg;
83 | *(uintptr_t *)(stub + 1) = value;
84 | return 5;
85 | }
86 |
87 | int asm_push(uint8_t *stub, uintptr_t value)
88 | {
89 | // Push the value onto the stack.
90 | stub[0] = 0x68;
91 | *(uintptr_t *)(stub + 1) = value;
92 | return 5;
93 | }
94 |
95 | int asm_jregz(uint8_t *stub, register_t reg, int8_t offset)
96 | {
97 | *stub++ = 0x85;
98 | *stub++ = 0xc0 + reg + reg * 8;
99 | *stub++ = 0x74;
100 | *stub++ = offset;
101 | return 4;
102 | }
103 |
104 | #endif
105 |
106 | int asm_add_regimm(uint8_t *stub, register_t reg, uint32_t value)
107 | {
108 | #if __x86_64__
109 | if(reg >= R_R8) {
110 | stub[0] = 0x49;
111 | reg -= R_R8;
112 | }
113 | else {
114 | stub[0] = 0x90;
115 | }
116 | #else
117 | stub[0] = 0x90;
118 | #endif
119 |
120 | stub[1] = 0x81;
121 | stub[2] = 0xc0 + reg;
122 | *(uint32_t *)(stub + 3) = value;
123 | return 7;
124 | }
125 |
126 | int asm_jump_32bit(uint8_t *stub, const void *addr)
127 | {
128 | #if DEBUG && !__x86_64__
129 | stub[0] = 0x68;
130 | stub[5] = 0xc3;
131 | *(uint32_t *)(stub + 1) = (uint32_t) (uintptr_t) addr;
132 | return 6;
133 | #else
134 | stub[0] = 0xe9;
135 | *(uint32_t *)(stub + 1) = (uint8_t *) addr - stub - 5;
136 | return 5;
137 | #endif
138 | }
139 |
140 | int asm_jump(uint8_t *stub, const void *addr)
141 | {
142 | uint8_t *base = stub;
143 |
144 | // Push the address on the stack.
145 | stub += asm_pushv(stub, addr);
146 |
147 | // Pop the address into the instruction pointer.
148 | *stub++ = 0xc3;
149 |
150 | return stub - base;
151 | }
152 |
153 | int asm_call(uint8_t *stub, const void *addr)
154 | {
155 | uint8_t *base = stub;
156 |
157 | #if __x86_64__
158 | stub += asm_move_regimmv(stub, R_RAX, addr);
159 | #else
160 | stub += asm_move_regimmv(stub, R_EAX, addr);
161 | #endif
162 |
163 | *stub++ = 0xff;
164 | *stub++ = 0xd0;
165 |
166 | return stub - base;
167 | }
168 |
169 | int asm_return(uint8_t *stub, uint16_t value)
170 | {
171 | uint8_t *base = stub;
172 |
173 | *stub++ = 0xc2;
174 | *stub++ = value & 0xff;
175 | *stub++ = value >> 8;
176 |
177 | return stub - base;
178 | }
179 |
180 | uint8_t *asm_get_rel_jump_target(uint8_t *addr)
181 | {
182 | if(*addr == 0xeb) {
183 | return addr + *(int8_t *)(addr + 1) + 2;
184 | }
185 | if(*addr == 0xe9) {
186 | return addr + *(int32_t *)(addr + 1) + 5;
187 | }
188 | return NULL;
189 | }
190 |
191 | uint8_t *asm_get_rel_call_target(uint8_t *addr)
192 | {
193 | if(*addr == 0xe8) {
194 | return addr + *(int32_t *)(addr + 1) + 5;
195 | }
196 | return NULL;
197 | }
198 |
199 | uint8_t *asm_get_call_target(uint8_t *addr)
200 | {
201 | uint8_t *ret = asm_get_rel_call_target(addr);
202 | if(ret == NULL && *addr == 0xff && addr[1] == 0x15) {
203 | #if __x86_64__
204 | addr += *(int32_t *)(addr + 2) + 6;
205 | ret = *(uint8_t **) addr;
206 | #else
207 | ret = **(uint8_t ***)(addr + 2);
208 | #endif
209 | }
210 | return ret;
211 | }
212 |
213 | int asm_is_abs_call(uint8_t *addr)
214 | {
215 | if(*addr != 0xff || addr[1] != 0x15) {
216 | return 0;
217 | }
218 | return 1;
219 | }
220 |
221 | int asm_is_call_function(uint8_t *addr,
222 | const wchar_t *library, const char *funcname)
223 | {
224 | if(*addr != 0xff || addr[1] != 0x15) {
225 | return 0;
226 | }
227 |
228 | #if __x86_64__
229 | addr += *(int32_t *)(addr + 2) + 6;
230 | #else
231 | addr = *(uint8_t **)(addr + 2);
232 | #endif
233 |
234 | // TODO We should perhaps use range_is_readable() here, but then inject.c
235 | // will require every other dependency in the project, resulting in
236 | // 500kb inject-{x86,x64}.exe files, which is kind of bloated.
237 | addr = *(uint8_t **) addr;
238 |
239 | HMODULE module_handle = GetModuleHandleW(library);
240 | if(module_handle == NULL) {
241 | return 0;
242 | }
243 |
244 | FARPROC fp = GetProcAddress(module_handle, funcname);
245 | return (uint8_t *) fp == addr;
246 | }
247 |
--------------------------------------------------------------------------------
/src/bson/encoding.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2009-2012 10gen, Inc.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | /*
18 | * Portions Copyright 2001 Unicode, Inc.
19 | *
20 | * Disclaimer
21 | *
22 | * This source code is provided as is by Unicode, Inc. No claims are
23 | * made as to fitness for any particular purpose. No warranties of any
24 | * kind are expressed or implied. The recipient agrees to determine
25 | * applicability of information provided. If this file has been
26 | * purchased on magnetic or optical media from Unicode, Inc., the
27 | * sole remedy for any claim will be exchange of defective media
28 | * within 90 days of receipt.
29 | *
30 | * Limitations on Rights to Redistribute This Code
31 | *
32 | * Unicode, Inc. hereby grants the right to freely use the information
33 | * supplied in this file in the creation of products supporting the
34 | * Unicode Standard, and to make copies of this file in any form
35 | * for internal or external distribution as long as this notice
36 | * remains attached.
37 | */
38 |
39 |
40 | #include "bson.h"
41 | #include "encoding.h"
42 |
43 | /*
44 | * Index into the table below with the first byte of a UTF-8 sequence to
45 | * get the number of trailing bytes that are supposed to follow it.
46 | */
47 | static const char trailingBytesForUTF8[256] = {
48 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
49 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
50 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
51 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
52 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
53 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
54 | 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
55 | 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2, 3,3,3,3,3,3,3,3,4,4,4,4,5,5,5,5
56 | };
57 |
58 | /* --------------------------------------------------------------------- */
59 |
60 | /*
61 | * Utility routine to tell whether a sequence of bytes is legal UTF-8.
62 | * This must be called with the length pre-determined by the first byte.
63 | * The length can be set by:
64 | * length = trailingBytesForUTF8[*source]+1;
65 | * and the sequence is illegal right away if there aren't that many bytes
66 | * available.
67 | * If presented with a length > 4, this returns 0. The Unicode
68 | * definition of UTF-8 goes up to 4-byte sequences.
69 | */
70 | static int isLegalUTF8( const unsigned char *source, int length ) {
71 | unsigned char a;
72 | const unsigned char *srcptr = source + length;
73 | switch ( length ) {
74 | default:
75 | return 0;
76 | /* Everything else falls through when "true"... */
77 | case 4:
78 | if ( ( a = ( *--srcptr ) ) < 0x80 || a > 0xBF ) return 0;
79 | case 3:
80 | if ( ( a = ( *--srcptr ) ) < 0x80 || a > 0xBF ) return 0;
81 | case 2:
82 | if ( ( a = ( *--srcptr ) ) > 0xBF ) return 0;
83 | switch ( *source ) {
84 | /* no fall-through in this inner switch */
85 | case 0xE0:
86 | if ( a < 0xA0 ) return 0;
87 | break;
88 | case 0xF0:
89 | if ( a < 0x90 ) return 0;
90 | break;
91 | case 0xF4:
92 | if ( a > 0x8F ) return 0;
93 | break;
94 | default:
95 | if ( a < 0x80 ) return 0;
96 | }
97 | case 1:
98 | if ( *source >= 0x80 && *source < 0xC2 ) return 0;
99 | if ( *source > 0xF4 ) return 0;
100 | }
101 | return 1;
102 | }
103 |
104 | /* If the name is part of a db ref ($ref, $db, or $id), then return true. */
105 | static int bson_string_is_db_ref( const unsigned char *string, const size_t length ) {
106 | int result = 0;
107 |
108 | if( length >= 4 ) {
109 | if( string[1] == 'r' && string[2] == 'e' && string[3] == 'f' )
110 | result = 1;
111 | }
112 | else if( length >= 3 ) {
113 | if( string[1] == 'i' && string[2] == 'd' )
114 | result = 1;
115 | else if( string[1] == 'd' && string[2] == 'b' )
116 | result = 1;
117 | }
118 |
119 | return result;
120 | }
121 |
122 | static int bson_validate_string( bson *b, const unsigned char *string,
123 | const size_t length, const char check_utf8, const char check_dot,
124 | const char check_dollar ) {
125 |
126 | size_t position = 0;
127 | int sequence_length = 1;
128 |
129 | if( check_dollar && string[0] == '$' ) {
130 | if( !bson_string_is_db_ref( string, length ) )
131 | b->err |= BSON_FIELD_INIT_DOLLAR;
132 | }
133 |
134 | while ( position < length ) {
135 | if ( check_dot && *( string + position ) == '.' ) {
136 | b->err |= BSON_FIELD_HAS_DOT;
137 | }
138 |
139 | if ( check_utf8 ) {
140 | sequence_length = trailingBytesForUTF8[*( string + position )] + 1;
141 | if ( ( position + sequence_length ) > length ) {
142 | b->err |= BSON_NOT_UTF8;
143 | return BSON_ERROR;
144 | }
145 | if ( !isLegalUTF8( string + position, sequence_length ) ) {
146 | b->err |= BSON_NOT_UTF8;
147 | return BSON_ERROR;
148 | }
149 | }
150 | position += sequence_length;
151 | }
152 |
153 | return BSON_OK;
154 | }
155 |
156 |
157 | int bson_check_string( bson *b, const char *string,
158 | const size_t length ) {
159 |
160 | return bson_validate_string( b, ( const unsigned char * )string, length, 1, 0, 0 );
161 | }
162 |
163 | int bson_check_field_name( bson *b, const char *string,
164 | const size_t length ) {
165 |
166 | return bson_validate_string( b, ( const unsigned char * )string, length, 1, 1, 1 );
167 | }
168 |
--------------------------------------------------------------------------------
/src/bson/encoding.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2009-2012 10gen, Inc.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | #ifndef BSON_ENCODING_H_
18 | #define BSON_ENCODING_H_
19 |
20 | MONGO_EXTERN_C_START
21 |
22 | /**
23 | * Check that a field name is valid UTF8, does not start with a '$',
24 | * and contains no '.' characters. Set bson bit field appropriately.
25 | * Note that we don't need to check for '\0' because we're using
26 | * strlen(3), which stops at '\0'.
27 | *
28 | * @param b The bson object to which field name will be appended.
29 | * @param string The field name as char*.
30 | * @param length The length of the field name.
31 | *
32 | * @return BSON_OK if valid UTF8 and BSON_ERROR if not. All BSON strings must be
33 | * valid UTF8. This function will also check whether the string
34 | * contains '.' or starts with '$', since the validity of this depends on context.
35 | * Set the value of b->err appropriately.
36 | */
37 | int bson_check_field_name( bson *b, const char *string,
38 | const size_t length );
39 |
40 | /**
41 | * Check that a string is valid UTF8. Sets the buffer bit field appropriately.
42 | *
43 | * @param b The bson object to which string will be appended.
44 | * @param string The string to check.
45 | * @param length The length of the string.
46 | *
47 | * @return BSON_OK if valid UTF-8; otherwise, BSON_ERROR.
48 | * Sets b->err on error.
49 | */
50 | bson_bool_t bson_check_string( bson *b, const char *string,
51 | const size_t length );
52 |
53 | MONGO_EXTERN_C_END
54 | #endif
55 |
--------------------------------------------------------------------------------
/src/config.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #include
20 | #include
21 | #include "config.h"
22 | #include "hooking.h"
23 | #include "ntapi.h"
24 |
25 | static uint32_t _parse_mode(const char *mode)
26 | {
27 | uint32_t ret = HOOK_MODE_ALL;
28 | while (*mode != 0) {
29 | if(*mode == ' ' || *mode == ',') {
30 | mode++;
31 | continue;
32 | }
33 |
34 | if(*mode >= '0' && *mode <= '9') {
35 | ret = strtoul(mode, NULL, 10);
36 | break;
37 | }
38 |
39 | if(strnicmp(mode, "dumptls", 7) == 0) {
40 | ret |= HOOK_MODE_DUMPTLS;
41 | mode += 7;
42 | continue;
43 | }
44 |
45 | if(strnicmp(mode, "iexplore", 8) == 0) {
46 | ret |= HOOK_MODE_IEXPLORE;
47 | mode += 8;
48 | continue;
49 | }
50 |
51 | if(strnicmp(mode, "exploit", 7) == 0) {
52 | ret |= HOOK_MODE_EXPLOIT;
53 | mode += 7;
54 | continue;
55 | }
56 |
57 | // Report.. find a more proper way? At this point the pipe has not
58 | // yet been initialized, so.
59 | MessageBox(NULL, "Invalid Monitor Mode", mode, 0);
60 | }
61 | return ret;
62 | }
63 |
64 | void config_read(config_t *cfg)
65 | {
66 | char buf[512], config_fname[MAX_PATH];
67 | sprintf(config_fname, "C:\\cuckoo_%lu.ini", GetCurrentProcessId());
68 |
69 | memset(cfg, 0, sizeof(config_t));
70 |
71 | FILE *fp = fopen(config_fname, "rb");
72 | if(fp == NULL) {
73 | MessageBox(NULL, "Error fetching configuration file! This is a "
74 | "serious error. If encountered, please notify the Cuckoo "
75 | "Developers as this error prevents analysis.", "Cuckoo Error", 0);
76 | return;
77 | }
78 |
79 | while (fgets(buf, sizeof(buf), fp) != NULL) {
80 | // Cut off the newline.
81 | char *p = strchr(buf, '\r');
82 | if(p != NULL) *p = 0;
83 |
84 | p = strchr(buf, '\n');
85 | if(p != NULL) *p = 0;
86 |
87 | // Split key=value.
88 | p = strchr(buf, '=');
89 | if(p == NULL) continue;
90 |
91 | *p = 0;
92 |
93 | const char *key = buf, *value = p + 1;
94 |
95 | if(strcmp(key, "pipe") == 0) {
96 | strcpy(cfg->pipe_name, value);
97 | }
98 | else if(strcmp(key, "logpipe") == 0) {
99 | strcpy(cfg->logpipe, value);
100 | }
101 | else if(strcmp(key, "shutdown-mutex") == 0) {
102 | strcpy(cfg->shutdown_mutex, value);
103 | }
104 | else if(strcmp(key, "first-process") == 0) {
105 | cfg->first_process = value[0] == '1';
106 | }
107 | else if(strcmp(key, "startup-time") == 0) {
108 | cfg->startup_time = strtoul(value, NULL, 10);
109 | }
110 | else if(strcmp(key, "force-sleepskip") == 0) {
111 | cfg->force_sleep_skip = value[0] == '1';
112 | }
113 | else if(strcmp(key, "hashes-path") == 0) {
114 | strcpy(cfg->hashes_path, value);
115 | }
116 | else if(strcmp(key, "diffing-enable") == 0) {
117 | cfg->diffing_enable = value[0] == '1';
118 | }
119 | else if(strcmp(key, "track") == 0) {
120 | cfg->track = value[0] == '1';
121 | }
122 | else if(strcmp(key, "mode") == 0) {
123 | cfg->mode = _parse_mode(value);
124 | }
125 | else if(strcmp(key, "disguise") == 0) {
126 | cfg->disguise = value[0] == '1';
127 | }
128 | else if(strcmp(key, "pipe-pid") == 0) {
129 | cfg->pipe_pid = value[0] == '1';
130 | }
131 | }
132 | fclose(fp);
133 | DeleteFile(config_fname);
134 | }
135 |
--------------------------------------------------------------------------------
/src/disguise.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #include
20 | #include
21 | #include "ntapi.h"
22 |
23 | uint32_t g_extra_virtual_memory;
24 |
25 | void set_processor_count(uint32_t processor_count)
26 | {
27 | get_peb()->NumberOfProcessors = processor_count;
28 | }
29 |
30 | void add_virtual_memory(uint64_t length)
31 | {
32 | g_extra_virtual_memory = length;
33 | }
34 |
--------------------------------------------------------------------------------
/src/ignore.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #include
20 | #include
21 | #include "hooking.h"
22 | #include "memory.h"
23 | #include "monitor.h"
24 | #include "misc.h"
25 | #include "ntapi.h"
26 | #include "pipe.h"
27 |
28 | #define IGNORE_MATCH(s) \
29 | if(wcsicmp(fname, s) == 0) return 1
30 |
31 | #define IGNORE_START(s) \
32 | if(wcsnicmp(fname, s, sizeof(s)/sizeof(wchar_t)-1) == 0) return 1
33 |
34 | static array_t g_ignored_handles;
35 |
36 | void ignore_init()
37 | {
38 | array_init(&g_ignored_handles);
39 | }
40 |
41 | int is_ignored_filepath(const wchar_t *fname)
42 | {
43 | IGNORE_MATCH(L"\\\\?\\MountPointManager");
44 | IGNORE_MATCH(L"\\\\?\\Nsi");
45 |
46 | IGNORE_START(L"\\\\?\\PIPE\\");
47 | IGNORE_START(L"\\\\?\\IDE#");
48 | IGNORE_START(L"\\\\?\\STORAGE#");
49 | IGNORE_START(L"\\\\?\\root#");
50 | IGNORE_START(L"\\BaseNamedObjects\\");
51 | IGNORE_START(L"\\Callback\\");
52 | IGNORE_START(L"\\Device\\");
53 | IGNORE_START(L"\\Drivers\\");
54 | IGNORE_START(L"\\FileSystem\\");
55 | IGNORE_START(L"\\KnownDlls\\");
56 | IGNORE_START(L"\\Nls\\");
57 | IGNORE_START(L"\\ObjectTypes\\");
58 | IGNORE_START(L"\\RPC Controls\\");
59 | IGNORE_START(L"\\Security\\");
60 | IGNORE_START(L"\\Window\\");
61 | IGNORE_START(L"\\Sessions\\");
62 | return 0;
63 | }
64 |
65 | static const wchar_t *g_ignored_processpaths[] = {
66 | L"C:\\WINDOWS\\system32\\dwwin.exe",
67 | L"C:\\WINDOWS\\system32\\dumprep.exe",
68 | L"C:\\WINDOWS\\system32\\drwtsn32.exe",
69 | NULL,
70 | };
71 |
72 | int is_ignored_process()
73 | {
74 | wchar_t process_path[MAX_PATH];
75 | GetModuleFileNameW(NULL, process_path, MAX_PATH);
76 | GetLongPathNameW(process_path, process_path, MAX_PATH);
77 |
78 | for (uint32_t idx = 0; g_ignored_processpaths[idx] != NULL; idx++) {
79 | if(!wcsicmp(g_ignored_processpaths[idx], process_path)) {
80 | return 1;
81 | }
82 | }
83 | return 0;
84 | }
85 |
86 | void ignored_object_add(HANDLE object_handle)
87 | {
88 | uintptr_t index = (uintptr_t) object_handle / 4;
89 |
90 | // The value doesn't matter - it just has to be non-null.
91 | if(array_set(&g_ignored_handles, index, &ignored_object_add) < 0) {
92 | pipe("CRITICAL:Error adding ignored object handle!");
93 | }
94 | }
95 |
96 | void ignored_object_remove(HANDLE object_handle)
97 | {
98 | uintptr_t index = (uintptr_t) object_handle / 4;
99 |
100 | array_unset(&g_ignored_handles, index);
101 | }
102 |
103 | int is_ignored_object_handle(HANDLE object_handle)
104 | {
105 | uintptr_t index = (uintptr_t) object_handle / 4;
106 |
107 | return array_get(&g_ignored_handles, index) != NULL;
108 | }
109 |
110 | // Determines whether a created process should be injected. And if injected,
111 | // what its monitoring mode should be.
112 | int monitor_mode_should_propagate(const wchar_t *cmdline, uint32_t *mode)
113 | {
114 | // Monitor everything. This is the default.
115 | if(cmdline == NULL || g_monitor_mode == HOOK_MODE_ALL) {
116 | return 0;
117 | }
118 |
119 | uint32_t length = lstrlenW(cmdline) * sizeof(wchar_t);
120 |
121 | // Assuming the following is a legitimate process in iexplore monitoring
122 | // mode; "iexplore.exe SCODEF:1234 CREDAT:5678".
123 | if((g_monitor_mode & HOOK_MODE_IEXPLORE) == HOOK_MODE_IEXPLORE &&
124 | our_memmemW(cmdline, length, L"iexplore.exe", NULL) != NULL &&
125 | our_memmemW(cmdline, length, L"SCODEF:", NULL) != NULL &&
126 | our_memmemW(cmdline, length, L"CREDAT:", NULL) != NULL) {
127 | *mode |= g_monitor_mode & (HOOK_MODE_IEXPLORE|HOOK_MODE_EXPLOIT);
128 | pipe("DEBUG:Following legitimate iexplore process: %Z!", cmdline);
129 | return 0;
130 | }
131 |
132 | // Ignoring the following process in iexplore monitoring;
133 | // "ie4uinit.exe -ShowQLIcon".
134 | if((g_monitor_mode & HOOK_MODE_IEXPLORE) == HOOK_MODE_IEXPLORE &&
135 | our_memmemW(cmdline, length, L"ie4uinit.exe", NULL) != NULL &&
136 | our_memmemW(cmdline, length, L"-ShowQLIcon", NULL) != NULL) {
137 | pipe("DEBUG:Ignoring process %Z!", cmdline);
138 | return -1;
139 | }
140 |
141 | pipe("CRITICAL:Encountered an unknown process while in "
142 | "monitoring mode: %Z!", cmdline);
143 | return 0;
144 | }
145 |
--------------------------------------------------------------------------------
/src/memory.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #include
20 | #include
21 | #include
22 | #include "memory.h"
23 | #include "native.h"
24 | #include "pipe.h"
25 |
26 | static SYSTEM_INFO g_si;
27 |
28 | uintptr_t roundup2(uintptr_t value)
29 | {
30 | value--;
31 | value |= value >> 1;
32 | value |= value >> 2;
33 | value |= value >> 4;
34 | value |= value >> 8;
35 | value |= value >> 16;
36 | #if __x86_64__
37 | value |= value >> 32;
38 | #endif
39 | return ++value;
40 | }
41 |
42 | uintptr_t mem_suggested_size(uintptr_t size)
43 | {
44 | size = roundup2(size);
45 |
46 | // Go for at least one page.
47 | if(size < g_si.dwPageSize) {
48 | size = g_si.dwPageSize;
49 | }
50 |
51 | return size - sizeof(uintptr_t);
52 | }
53 |
54 | void mem_init()
55 | {
56 | GetSystemInfo(&g_si);
57 | }
58 |
59 | void *mem_alloc(uint32_t length)
60 | {
61 | void *ptr = virtual_alloc(NULL, length + sizeof(uintptr_t),
62 | MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
63 | if(ptr == NULL) {
64 | return NULL;
65 | }
66 |
67 | memset(ptr, 0, length + sizeof(uintptr_t));
68 |
69 | *(uintptr_t *) ptr = length;
70 | return (uintptr_t *) ptr + 1;
71 | }
72 |
73 | void *mem_realloc(void *ptr, uint32_t length)
74 | {
75 | void *newptr = mem_alloc(length);
76 | if(newptr == NULL) {
77 | return NULL;
78 | }
79 |
80 | if(ptr != NULL) {
81 | uintptr_t oldlength = *((uintptr_t *) ptr - 1);
82 | memcpy(newptr, ptr, min(length, oldlength));
83 | mem_free(ptr);
84 | }
85 | return newptr;
86 | }
87 |
88 | void mem_free(void *ptr)
89 | {
90 | if(ptr != NULL) {
91 | uintptr_t oldlength = *((uintptr_t *) ptr - 1);
92 | virtual_free((uintptr_t *) ptr - 1,
93 | oldlength + sizeof(uintptr_t), MEM_RELEASE);
94 | }
95 | }
96 |
97 | void array_init(array_t *array)
98 | {
99 | array->length = 0;
100 | array->elements = NULL;
101 | InitializeCriticalSection(&array->cs);
102 | }
103 |
104 | static uintptr_t _suggested_array_length(uintptr_t length)
105 | {
106 | return mem_suggested_size(length * sizeof(void *)) / sizeof(void *);
107 | }
108 |
109 | static int _array_ensure(array_t *array, uint32_t index)
110 | {
111 | if(array->elements == NULL || index >= array->length) {
112 | uintptr_t newlength = _suggested_array_length(index + 1);
113 |
114 | array->elements = (void **)
115 | mem_realloc(array->elements, newlength * sizeof(void *));
116 | if(array->elements == NULL) {
117 | return -1;
118 | }
119 |
120 | array->length = newlength;
121 | }
122 | return 0;
123 | }
124 |
125 | int array_set(array_t *array, uintptr_t index, void *value)
126 | {
127 | EnterCriticalSection(&array->cs);
128 |
129 | if(_array_ensure(array, index) < 0) {
130 | LeaveCriticalSection(&array->cs);
131 | return -1;
132 | }
133 |
134 | array->elements[index] = value;
135 |
136 | LeaveCriticalSection(&array->cs);
137 | return 0;
138 | }
139 |
140 | void *array_get(array_t *array, uintptr_t index)
141 | {
142 | EnterCriticalSection(&array->cs);
143 |
144 | void *ret = NULL;
145 | if(index < array->length) {
146 | ret = array->elements[index];
147 | }
148 |
149 | LeaveCriticalSection(&array->cs);
150 | return ret;
151 | }
152 |
153 | int array_unset(array_t *array, uintptr_t index)
154 | {
155 | EnterCriticalSection(&array->cs);
156 |
157 | int ret = -1;
158 | if(index < array->length) {
159 | array->elements[index] = NULL;
160 | ret = 0;
161 | }
162 |
163 | LeaveCriticalSection(&array->cs);
164 | return ret;
165 | }
166 |
167 | static int _slab_ensure(slab_t *slab)
168 | {
169 | if(slab->offset == slab->length) {
170 | uint8_t *mem = virtual_alloc(NULL, slab->size * slab->count,
171 | MEM_COMMIT | MEM_RESERVE, slab->memprot);
172 | if(mem == NULL) {
173 | pipe("CRITICAL:Error allocating memory for slab!");
174 | return -1;
175 | }
176 |
177 | array_set(&slab->array, slab->offset / slab->count, mem);
178 |
179 | slab->length += slab->count;
180 | }
181 | return 0;
182 | }
183 |
184 | void slab_init(slab_t *slab, uint32_t size, uint32_t count,
185 | uint32_t memory_protection)
186 | {
187 | array_init(&slab->array);
188 | slab->size = size;
189 | slab->count = count;
190 | slab->offset = 0;
191 | slab->length = 0;
192 | slab->memprot = memory_protection;
193 | }
194 |
195 | void *slab_getmem(slab_t *slab)
196 | {
197 | if(_slab_ensure(slab) == 0) {
198 | uint8_t *mem = array_get(&slab->array, slab->offset / slab->count);
199 | uint8_t *ret = mem + slab->size * (slab->offset % slab->count);
200 | slab->offset++;
201 | return ret;
202 | }
203 | return NULL;
204 | }
205 |
206 | uint32_t slab_size(const slab_t *slab)
207 | {
208 | return slab->size;
209 | }
210 |
--------------------------------------------------------------------------------
/src/sha1/license.txt:
--------------------------------------------------------------------------------
1 | Copyright (C) 1998, 2009
2 | Paul E. Jones
3 |
4 | Freeware Public License (FPL)
5 |
6 | This software is licensed as "freeware." Permission to distribute
7 | this software in source and binary forms, including incorporation
8 | into other products, is hereby granted without a fee. THIS SOFTWARE
9 | IS PROVIDED 'AS IS' AND WITHOUT ANY EXPRESSED OR IMPLIED WARRANTIES,
10 | INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
11 | AND FITNESS FOR A PARTICULAR PURPOSE. THE AUTHOR SHALL NOT BE HELD
12 | LIABLE FOR ANY DAMAGES RESULTING FROM THE USE OF THIS SOFTWARE, EITHER
13 | DIRECTLY OR INDIRECTLY, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA
14 | OR DATA BEING RENDERED INACCURATE.
15 |
--------------------------------------------------------------------------------
/src/sha1/sha1.h:
--------------------------------------------------------------------------------
1 | /*
2 | * sha1.h
3 | *
4 | * Copyright (C) 1998, 2009
5 | * Paul E. Jones
6 | * All Rights Reserved
7 | *
8 | *****************************************************************************
9 | * $Id: sha1.h 12 2009-06-22 19:34:25Z paulej $
10 | *****************************************************************************
11 | *
12 | * Description:
13 | * This class implements the Secure Hashing Standard as defined
14 | * in FIPS PUB 180-1 published April 17, 1995.
15 | *
16 | * Many of the variable names in the SHA1Context, especially the
17 | * single character names, were used because those were the names
18 | * used in the publication.
19 | *
20 | * Please read the file sha1.c for more information.
21 | *
22 | */
23 |
24 | #ifndef _SHA1_H_
25 | #define _SHA1_H_
26 |
27 | /*
28 | * This structure will hold context information for the hashing
29 | * operation
30 | */
31 | typedef struct SHA1Context
32 | {
33 | unsigned Message_Digest[5]; /* Message Digest (output) */
34 |
35 | unsigned Length_Low; /* Message length in bits */
36 | unsigned Length_High; /* Message length in bits */
37 |
38 | unsigned char Message_Block[64]; /* 512-bit message blocks */
39 | int Message_Block_Index; /* Index into message block array */
40 |
41 | int Computed; /* Is the digest computed? */
42 | int Corrupted; /* Is the message digest corruped? */
43 | } SHA1Context;
44 |
45 | /*
46 | * Function Prototypes
47 | */
48 | void SHA1Reset(SHA1Context *);
49 | int SHA1Result(SHA1Context *);
50 | void SHA1Input( SHA1Context *,
51 | const unsigned char *,
52 | unsigned);
53 |
54 | #endif
55 |
--------------------------------------------------------------------------------
/src/sleep.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #include
20 | #include
21 | #include
22 | #include "sleep.h"
23 |
24 | static uint32_t g_sleep_skip_active;
25 | static uint32_t g_sleep_max_skip;
26 | static uint32_t g_sleep_force_skip;
27 |
28 | static LARGE_INTEGER g_time_skipped;
29 | static LARGE_INTEGER g_time_start;
30 |
31 | void sleep_init(int first_process, uint32_t force_skip, uint32_t startup_time)
32 | {
33 | FILETIME ft;
34 | GetSystemTimeAsFileTime(&ft);
35 | g_time_start.HighPart = ft.dwHighDateTime;
36 | g_time_start.LowPart = ft.dwLowDateTime;
37 |
38 | g_sleep_skip_active = 1;
39 |
40 | // TODO Make this configurable.
41 | g_sleep_max_skip = 5000;
42 |
43 | g_sleep_force_skip = force_skip;
44 |
45 | g_time_skipped.QuadPart = (uint64_t) startup_time * 10000;
46 |
47 | if(first_process == 0) {
48 | sleep_skip_disable();
49 | }
50 | }
51 |
52 | int sleep_skip(LARGE_INTEGER *delay)
53 | {
54 | FILETIME ft; LARGE_INTEGER li;
55 |
56 | if(g_sleep_skip_active != 0) {
57 | GetSystemTimeAsFileTime(&ft);
58 | li.HighPart = ft.dwHighDateTime;
59 | li.LowPart = ft.dwLowDateTime;
60 |
61 | // Check whether we're within the maximum limit of skipping.
62 | if(li.QuadPart < g_time_start.QuadPart + g_sleep_max_skip * 10000) {
63 | g_time_skipped.QuadPart += -delay->QuadPart;
64 |
65 | // Replace the time by a tenth of a millisecond.
66 | delay->QuadPart = -1000;
67 | return 1;
68 | }
69 |
70 | // TODO Should this depend on 'force-skip' or not?
71 | sleep_skip_disable();
72 | }
73 |
74 | return 0;
75 | }
76 |
77 | void sleep_skip_disable()
78 | {
79 | if(g_sleep_force_skip == 0) {
80 | g_sleep_skip_active = 0;
81 | }
82 | }
83 |
84 | void sleep_apply_filetime(FILETIME *ft)
85 | {
86 | LARGE_INTEGER li;
87 |
88 | li.HighPart = ft->dwHighDateTime;
89 | li.LowPart = ft->dwLowDateTime;
90 | li.QuadPart += g_time_skipped.QuadPart;
91 | ft->dwHighDateTime = li.HighPart;
92 | ft->dwLowDateTime = li.LowPart;
93 | }
94 |
95 | void sleep_apply_systemtime(SYSTEMTIME *st)
96 | {
97 | FILETIME ft;
98 |
99 | SystemTimeToFileTime(st, &ft);
100 | sleep_apply_filetime(&ft);
101 | FileTimeToSystemTime(&ft, st);
102 | }
103 |
104 | uint64_t sleep_skipped()
105 | {
106 | return g_time_skipped.QuadPart;
107 | }
108 |
--------------------------------------------------------------------------------
/src/utf8.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #include
20 | #include
21 | #include "memory.h"
22 | #include "utf8.h"
23 |
24 | int utf8_encode(uint32_t c, uint8_t *out)
25 | {
26 | if(c < 0x80) {
27 | *out = c & 0x7f;
28 | return 1;
29 | }
30 | if(c < 0x800) {
31 | out[0] = 0xc0 + ((c >> 6) & 0x1f);
32 | out[1] = 0x80 + ((c >> 0) & 0x3f);
33 | return 2;
34 | }
35 | if(c < 0x10000) {
36 | out[0] = 0xe0 + ((c >> 12) & 0x0f);
37 | out[1] = 0x80 + ((c >> 6) & 0x3f);
38 | out[2] = 0x80 + (c & 0x3f);
39 | return 3;
40 | }
41 | if(c < 0x200000) {
42 | out[0] = 0xf0 + ((c >> 18) & 0x07);
43 | out[1] = 0x80 + ((c >> 12) & 0x3f);
44 | out[2] = 0x80 + ((c >> 6) & 0x3f);
45 | out[3] = 0x80 + ((c >> 0) & 0x3f);
46 | return 4;
47 | }
48 |
49 | // The following two we won't be needing for UTF-16 encoding,
50 | // but while we're at it anyway..
51 | if(c < 0x4000000) {
52 | out[0] = 0xf8 + ((c >> 24) & 0x03);
53 | out[1] = 0x80 + ((c >> 18) & 0x3f);
54 | out[2] = 0x80 + ((c >> 12) & 0x3f);
55 | out[3] = 0x80 + ((c >> 6) & 0x3f);
56 | out[4] = 0x80 + ((c >> 0) & 0x3f);
57 | return 5;
58 | }
59 | if(c < 0x80000000) {
60 | out[0] = 0xfc + ((c >> 30) & 0x01);
61 | out[1] = 0x80 + ((c >> 24) & 0x3f);
62 | out[2] = 0x80 + ((c >> 18) & 0x3f);
63 | out[3] = 0x80 + ((c >> 12) & 0x3f);
64 | out[4] = 0x80 + ((c >> 6) & 0x3f);
65 | out[5] = 0x80 + ((c >> 0) & 0x3f);
66 | return 6;
67 | }
68 | return -1;
69 | }
70 |
71 | int utf8_length(uint32_t c)
72 | {
73 | uint8_t buf[6];
74 | return utf8_encode(c, buf);
75 | }
76 |
77 | int utf8_bytecnt_ascii(const char *s, int len)
78 | {
79 | int ret = 0;
80 | while (len-- != 0) {
81 | ret += utf8_length((uint8_t) *s++);
82 | }
83 | return ret;
84 | }
85 |
86 | int utf8_bytecnt_unicode(const wchar_t *s, int len)
87 | {
88 | int ret = 0;
89 | while (len-- != 0) {
90 | // Handle Supplementary Planes.
91 | if((uint16_t) *s >= 0xd800 && (uint16_t) *s < 0xdc00) {
92 | // No remaining space? Prevent possibly reading out of bounds.
93 | if(len == 0) {
94 | break;
95 | }
96 |
97 | uint32_t ch = ((uint32_t)(uint16_t) *s - 0xd800) << 10;
98 |
99 | // We'll just ignore invalid low surrogates..
100 | if((uint16_t) s[1] >= 0xdc00 && (uint16_t) s[1] < 0xe000) {
101 | ch += (uint16_t) s[1] - 0xdc00;
102 | }
103 |
104 | ret += utf8_length(ch);
105 | s += 2, len--;
106 | }
107 | else {
108 | ret += utf8_length((uint16_t) *s++);
109 | }
110 | }
111 | return ret;
112 | }
113 |
114 | char *utf8_string(const char *s, int len)
115 | {
116 | int encoded_length = utf8_bytecnt_ascii(s, len);
117 | char *utf8string = (char *) mem_alloc(encoded_length+5);
118 | *((int *) utf8string) = encoded_length;
119 | int pos = 4;
120 |
121 | while (len-- != 0) {
122 | pos += utf8_encode((uint8_t) *s++, (uint8_t *) &utf8string[pos]);
123 | }
124 | utf8string[pos] = 0;
125 | return utf8string;
126 | }
127 |
128 | char *utf8_wstring(const wchar_t *s, int len)
129 | {
130 | int encoded_length = utf8_bytecnt_unicode(s, len);
131 | char *utf8string = (char *) mem_alloc(encoded_length+5);
132 | *((int *) utf8string) = encoded_length;
133 | int pos = 4;
134 |
135 | while (len-- != 0) {
136 | // Handle Supplementary Planes.
137 | if((uint16_t) *s >= 0xd800 && (uint16_t) *s < 0xdc00) {
138 | // No remaining space? Prevent possibly reading out of bounds.
139 | if(len == 0) {
140 | break;
141 | }
142 |
143 | uint32_t ch = ((uint32_t)(uint16_t) *s - 0xd800) << 10;
144 |
145 | // We'll just ignore invalid low surrogates..
146 | if((uint16_t) s[1] >= 0xdc00 && (uint16_t) s[1] < 0xe000) {
147 | ch += (uint16_t) s[1] - 0xdc00;
148 | }
149 |
150 | pos += utf8_encode(ch, (uint8_t *) &utf8string[pos]);
151 | s += 2, len--;
152 | }
153 | else {
154 | pos += utf8_encode((uint16_t) *s++, (uint8_t *) &utf8string[pos]);
155 | }
156 | }
157 | utf8string[pos] = 0;
158 | return utf8string;
159 | }
160 |
--------------------------------------------------------------------------------
/src/wmi.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #include
20 | #include "hooking.h"
21 | #include "misc.h"
22 | #include "pipe.h"
23 |
24 | static CLSID our_CLSID_WbemAdministrativeLocator = {
25 | 0xcb8555cc, 0x9128, 0x11d1, {0xad,0x9b, 0x00,0xc0,0x4f,0xd8,0xfd,0xff},
26 | };
27 |
28 | static CLSID our_CLSID_WbemLocator = {
29 | 0x4590f811, 0x1d3a, 0x11d0, {0x89,0x1f, 0x00,0xaa,0x00,0x4b,0x2e,0x24},
30 | };
31 |
32 | static CLSID our_IID_IUnknown = {
33 | 0x00000000, 0x0000, 0x0000, {0xc0,0x00, 0x00,0x00,0x00,0x00,0x00,0x46},
34 | };
35 |
36 | static HRESULT (WINAPI *pCoCreateInstance)(REFCLSID rclsid,
37 | LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID *ppv);
38 |
39 | int init_co_create_instance()
40 | {
41 | if(pCoCreateInstance != NULL) {
42 | return 0;
43 | }
44 |
45 | HANDLE module_handle = GetModuleHandle("ole32");
46 | if(module_handle == NULL) {
47 | return -1;
48 | }
49 |
50 | *(FARPROC *) &pCoCreateInstance =
51 | GetProcAddress(module_handle, "CoCreateInstance");
52 | return 0;
53 | }
54 |
55 | uint8_t *hook_addrcb_IWbemServices_ExecQuery(hook_t *h,
56 | uint8_t *module_address, uint32_t module_size)
57 | {
58 | (void) module_address; (void) module_size;
59 |
60 | h->is_hooked = 1;
61 |
62 | if(init_co_create_instance() < 0) {
63 | return NULL;
64 | }
65 |
66 | IWbemLocator *wbem_locator = NULL;
67 | HRESULT res = pCoCreateInstance(&our_CLSID_WbemLocator, NULL,
68 | CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER, &our_IID_IUnknown,
69 | (void **) &wbem_locator);
70 | if(res == CO_E_NOTINITIALIZED) {
71 | h->is_hooked = 0;
72 | return NULL;
73 | }
74 | if(SUCCEEDED(res) == FALSE) {
75 | pipe("WARNING:IWbemServices::ExecQuery error creating "
76 | "instance error=0x%x [aborting hook]", res);
77 | h->is_hooked = 0;
78 | return NULL;
79 | }
80 |
81 | IWbemServices *wbem_services = NULL;
82 | if(SUCCEEDED(wbem_locator->lpVtbl->ConnectServer(wbem_locator,
83 | L"root\\CIMV2", NULL, NULL, NULL, 0, NULL, NULL,
84 | &wbem_services)) == FALSE) {
85 | pipe("WARNING:IWbemServices::ExecQuery error connecting to fetch "
86 | "IWbemServices instance [aborting hook]");
87 | wbem_locator->lpVtbl->Release(wbem_locator);
88 | h->is_hooked = 0;
89 | return NULL;
90 | }
91 |
92 | uint8_t *ret = (uint8_t *) wbem_services->lpVtbl->ExecQuery;
93 | wbem_locator->lpVtbl->Release(wbem_locator);
94 | wbem_services->lpVtbl->Release(wbem_services);
95 | return ret;
96 | }
97 |
98 | uint8_t *hook_addrcb_IWbemServices_ExecQueryAsync(hook_t *h,
99 | uint8_t *module_address, uint32_t module_size)
100 | {
101 | (void) module_address; (void) module_size;
102 |
103 | h->is_hooked = 1;
104 |
105 | if(init_co_create_instance() < 0) {
106 | return NULL;
107 | }
108 |
109 | IWbemLocator *wbem_locator = NULL;
110 | HRESULT res = pCoCreateInstance(&our_CLSID_WbemLocator, NULL,
111 | CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER, &our_IID_IUnknown,
112 | (void **) &wbem_locator);
113 | if(res == CO_E_NOTINITIALIZED) {
114 | h->is_hooked = 0;
115 | return NULL;
116 | }
117 | if(SUCCEEDED(res) == FALSE) {
118 | pipe("WARNING:IWbemServices::ExecQueryAsync error creating "
119 | "instance error=0x%x [aborting hook]", res);
120 | h->is_hooked = 0;
121 | return NULL;
122 | }
123 |
124 | IWbemServices *wbem_services = NULL;
125 | if(SUCCEEDED(wbem_locator->lpVtbl->ConnectServer(wbem_locator,
126 | L"root\\CIMV2", NULL, NULL, NULL, 0, NULL, NULL,
127 | &wbem_services)) == FALSE) {
128 | pipe("WARNING:IWbemServices::ExecQueryAsync error connecting to "
129 | "fetch IWbemServices instance [aborting hook]");
130 | wbem_locator->lpVtbl->Release(wbem_locator);
131 | h->is_hooked = 0;
132 | return NULL;
133 | }
134 |
135 | uint8_t *ret = (uint8_t *) wbem_services->lpVtbl->ExecQueryAsync;
136 | wbem_locator->lpVtbl->Release(wbem_locator);
137 | wbem_services->lpVtbl->Release(wbem_services);
138 | return ret;
139 | }
140 |
141 | void ole_enable_hooks(REFCLSID clsid)
142 | {
143 | if(memcmp(clsid, &our_CLSID_WbemLocator, sizeof(CLSID)) == 0) {
144 | hook_library("__wmi__", NULL);
145 | }
146 |
147 | if(memcmp(clsid, &our_CLSID_WbemAdministrativeLocator,
148 | sizeof(CLSID)) == 0) {
149 | hook_library("__wmi__", NULL);
150 | }
151 | }
152 |
--------------------------------------------------------------------------------
/test/test-adapter.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | // Shows the GetAdaptersInfo() entry in the logs. Before the changes to being
20 | // able to hook recursively loaded DLLs, calls to GetAdaptersInfo() and
21 | // similar would not show up, rendering their hooks useless.
22 | // That is, when calling LoadLibrary/LdrLoadDll on test-adapter.dll, the
23 | // imported dll iphlpapi.dll will not be loaded through LoadLibrary/LdrLoadDll
24 | // but instead through an internal method, and thus we would not be updated
25 | // about it being loaded, and thus we would not be able to place hooks on it.
26 |
27 | /// EXTENSION= dll
28 | /// CFLAGS= -shared -static
29 | /// LDFLAGS += -liphlpapi
30 | /// OBJECTS=
31 |
32 | #include
33 | #include
34 |
35 | BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
36 | {
37 | (void) hModule; (void) dwReason; (void) lpReserved;
38 |
39 | GetAdaptersInfo(NULL, NULL);
40 | return TRUE;
41 | }
42 |
--------------------------------------------------------------------------------
/test/test-array.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | // This program tests some functionality of our array implementation.
20 |
21 | /// OPTIONS= free=yes,pipe=cuckoo
22 |
23 | #include
24 | #include
25 | #include
26 | #include "hooking.h"
27 | #include "memory.h"
28 | #include "native.h"
29 | #include "pipe.h"
30 |
31 | #define assert(expr) \
32 | if((expr) == 0) { \
33 | pipe("CRITICAL:Test didn't pass: %z", #expr); \
34 | } \
35 | else { \
36 | pipe("INFO:Test passed: %z", #expr); \
37 | }
38 |
39 | int main()
40 | {
41 | pipe_init("\\\\.\\PIPE\\cuckoo");
42 |
43 | hook_init(GetModuleHandle(NULL));
44 | mem_init();
45 | assert(native_init() == 0);
46 |
47 | array_t arr;
48 | array_init(&arr);
49 |
50 | assert(array_set(&arr, 0, "hoi0") == 0);
51 | assert(array_set(&arr, 1, "hoi1") == 0);
52 | assert(array_set(&arr, 2, "hoi2") == 0);
53 | assert(array_set(&arr, 3, "hoi3") == 0);
54 |
55 | assert(strcmp(array_get(&arr, 2), "hoi2") == 0);
56 | assert(strcmp(array_get(&arr, 3), "hoi3") == 0);
57 | assert(array_get(&arr, 0x4000) == NULL);
58 |
59 | assert(array_unset(&arr, 2) == 0);
60 | assert(array_unset(&arr, 0x4001) == -1);
61 | assert(array_get(&arr, 2) == NULL);
62 | assert(strcmp(array_get(&arr, 1), "hoi1") == 0);
63 | assert(array_unset(&arr, 2) == 0);
64 | }
65 |
--------------------------------------------------------------------------------
/test/test-breakpipe.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | // This program demonstrates the case where malware closes all open handles
20 | // therefore also closing our log pipe handle. We handle this by reopening
21 | // the pipe handle. The logs for this analysis should show both MessageBoxA()
22 | // calls or otherwise something is going wrong.
23 |
24 | #include
25 | #include
26 | #include
27 |
28 | int main()
29 | {
30 | MessageBox(NULL, "Hello World", "Before", 0);
31 |
32 | // Just kill off all open handles in this process. Chances are this will
33 | // break other stuff as well, but at the very least the pipe log handle
34 | // will be closed as well.
35 | for (uintptr_t idx = 0; idx < 10000; idx += 4) {
36 | CloseHandle((HANDLE) idx);
37 | }
38 |
39 | MessageBox(NULL, "Hello World", "After", 0);
40 | return 0;
41 | }
42 |
--------------------------------------------------------------------------------
/test/test-controlservice.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #include
20 | #include
21 | #include "pipe.h"
22 |
23 | int main()
24 | {
25 | ControlService(NULL, 0, NULL);
26 | }
27 |
--------------------------------------------------------------------------------
/test/test-createproc.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #include
20 | #include
21 | #include
22 | #include "pipe.h"
23 |
24 | // Tests very basic process following logic.
25 |
26 | /// OPTIONS= pipe=cuckoo
27 |
28 | #define assert(expr) \
29 | if((expr) == 0) { \
30 | pipe("CRITICAL:Test didn't pass: %z", #expr); \
31 | } \
32 | else { \
33 | pipe("INFO:Test passed: %z", #expr); \
34 | }
35 |
36 | void inject(const char *filepath)
37 | {
38 | char cmdline[MAX_PATH+MAX_PATH];
39 | STARTUPINFO si; PROCESS_INFORMATION pi;
40 |
41 | sprintf(cmdline, "\"%s\" \"World\"", filepath);
42 | memset(&si, 0, sizeof(si)); si.cb = sizeof(si);
43 |
44 | assert(CreateProcess(filepath, cmdline, NULL, NULL, FALSE, 0, NULL, NULL,
45 | &si, &pi) != FALSE);
46 | }
47 |
48 | void msgbox(const char *arg)
49 | {
50 | MessageBox(NULL, arg, "Hello", 0);
51 | }
52 |
53 | int main(int argc, char *argv[])
54 | {
55 | pipe_init("\\\\.\\PIPE\\cuckoo");
56 |
57 | if(argc == 1) {
58 | inject(argv[0]);
59 | }
60 | else {
61 | msgbox(argv[1]);
62 | }
63 | return 0;
64 | }
65 |
--------------------------------------------------------------------------------
/test/test-datatypes.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | // Due to integer size issues in 64-bit DLLs we're going to check bitsize of
20 | // various data types so to help us decide which logging data type to use.
21 |
22 | /// OPTIONS= pipe=cuckoo,free=yes
23 |
24 | #include
25 | #include
26 | #include
27 | #include "pipe.h"
28 |
29 | #define assert(expr) \
30 | if((expr) == 0) { \
31 | pipe("CRITICAL:Test didn't pass: %z", #expr); \
32 | } \
33 | else { \
34 | pipe("INFO:Test passed: %z", #expr); \
35 | }
36 |
37 | #if __x86_64__
38 | #define PTR_SIZE 8
39 | #else
40 | #define PTR_SIZE 4
41 | #endif
42 |
43 | int main()
44 | {
45 | pipe_init("\\\\.\\PIPE\\cuckoo");
46 |
47 | assert(sizeof(int) == 4);
48 | assert(sizeof(long) == 4);
49 | assert(sizeof(LONG) == 4);
50 | assert(sizeof(u_long) == 4);
51 | assert(sizeof(ULONG) == 4);
52 | assert(sizeof(BOOL) == 4);
53 | assert(sizeof(BOOLEAN) == 1);
54 | assert(sizeof(DWORD) == 4);
55 | assert(sizeof(UINT) == 4);
56 |
57 | assert(sizeof(LARGE_INTEGER) == 8);
58 |
59 | assert(sizeof(uintptr_t) == PTR_SIZE);
60 | assert(sizeof(ULONG_PTR) == PTR_SIZE);
61 | assert(sizeof(DWORD_PTR) == PTR_SIZE);
62 | assert(sizeof(SIZE_T) == PTR_SIZE);
63 | assert(sizeof(HANDLE) == PTR_SIZE);
64 | }
65 |
--------------------------------------------------------------------------------
/test/test-inject-shellcode.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | /// MODES=winxp win7x64
20 |
21 | #include
22 | #include
23 | #include
24 | #include
25 |
26 | static uint8_t shellcode[] = {
27 | #if __x86_64__
28 | 0x6a, 0x00, // push 0
29 | 0xff, 0x35, 128-8, 0x00, 0x00, 0x00, // push address
30 | 0xff, 0x35, 256-14, 0x00, 0x00, 0x00, // push address2
31 | 0x6a, 0x00, // push 0
32 | 0x48, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, // mov rax, addr
33 | 0xff, 0xd0, // call rax
34 | 0xc3, // retn
35 | #else
36 | 0x6a, 0x00, // push 0
37 | 0x68, 0x00, 0x00, 0x00, 0x00, // push address
38 | 0x68, 0x00, 0x00, 0x00, 0x00, // push address2
39 | 0x6a, 0x00, // push 0
40 | 0xb8, 0x00, 0x00, 0x00, 0x00, // mov eax, addr
41 | 0xff, 0xd0, // call eax
42 | 0xc2, 0x04, 0x00, // retn 4
43 | #endif
44 | };
45 |
46 | uint32_t pid_from_process_name(const char *process_name)
47 | {
48 | PROCESSENTRY32 row; HANDLE snapshot_handle;
49 |
50 | snapshot_handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
51 | if(snapshot_handle == INVALID_HANDLE_VALUE) {
52 | fprintf(stderr, "[-] Error obtaining snapshot handle: %ld\n",
53 | GetLastError());
54 | exit(1);
55 | }
56 |
57 | row.dwSize = sizeof(row);
58 | if(Process32First(snapshot_handle, &row) == FALSE) {
59 | fprintf(stderr, "[-] Error enumerating the first process: %ld\n",
60 | GetLastError());
61 | exit(1);
62 | }
63 |
64 | do {
65 | if(stricmp(row.szExeFile, process_name) == 0) {
66 | CloseHandle(snapshot_handle);
67 | return row.th32ProcessID;
68 | }
69 | } while (Process32Next(snapshot_handle, &row) != FALSE);
70 |
71 | CloseHandle(snapshot_handle);
72 |
73 | fprintf(stderr, "[-] Error finding process by name: %s\n", process_name);
74 | exit(1);
75 | }
76 |
77 | int main()
78 | {
79 | uint32_t pid = pid_from_process_name("explorer.exe");
80 | HANDLE process_handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
81 | uint8_t *addr = (uint8_t *) VirtualAllocEx(process_handle, NULL, 0x1000,
82 | MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
83 |
84 | uintptr_t messagebox_addr = (uintptr_t)
85 | GetProcAddress(LoadLibrary("user32.dll"), "MessageBoxA");
86 |
87 | static uint8_t buf[0x1000]; SIZE_T bytes_written;
88 |
89 | memcpy(buf, shellcode, sizeof(shellcode));
90 |
91 | #if __x86_64__
92 | *(uintptr_t *) &buf[18] = messagebox_addr;
93 | #else
94 | *(uint32_t *) &buf[3] = (uint32_t) addr + 128;
95 | *(uint32_t *) &buf[8] = (uint32_t) addr + 256;
96 | *(uint32_t *) &buf[15] = messagebox_addr;
97 | #endif
98 |
99 | strcpy((char *) buf + 128, "World");
100 | strcpy((char *) buf + 256, "Hello");
101 |
102 | WriteProcessMemory(process_handle, addr, buf, sizeof(buf),
103 | &bytes_written);
104 |
105 | HANDLE thread_handle = CreateRemoteThread(process_handle, NULL, 0,
106 | (LPTHREAD_START_ROUTINE) addr, NULL, 0, NULL);
107 |
108 | CloseHandle(thread_handle);
109 | CloseHandle(process_handle);
110 | return 0;
111 | }
112 |
--------------------------------------------------------------------------------
/test/test-logdll.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | // Tests whether function calls within DllMain are logged as these happen
20 | // while inside the LdrLoadDll hook. Since a recent commit they are,
21 | // naturally. Same goes for the exported function, although those were already
22 | // logged successfully.
23 | // The report should show two calls to MessageBoxInternalA.
24 |
25 | /// CFLAGS += -shared
26 | /// OPTIONS += function=exported_function
27 | /// EXTENSION = dll
28 | /// OBJECTS =
29 |
30 | #include
31 | #include
32 | #include
33 | #include
34 | #include
35 |
36 | __declspec(dllexport) void exported_function()
37 | {
38 | MessageBox(NULL, "Exported Function", "Hello World", 0);
39 | }
40 |
41 | BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
42 | {
43 | (void) hModule; (void) dwReason; (void) lpReserved;
44 |
45 | if(dwReason == DLL_PROCESS_ATTACH) {
46 | MessageBox(NULL, "DllMain", "Hello World", 0);
47 | }
48 | return TRUE;
49 | }
50 |
--------------------------------------------------------------------------------
/test/test-misc.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | /// OPTIONS= free=yes,pipe=cuckoo
20 |
21 | #include
22 | #include
23 | #include
24 | #include "config.h"
25 | #include "hooking.h"
26 | #include "misc.h"
27 | #include "native.h"
28 | #include "pipe.h"
29 |
30 | #define assert(expr) \
31 | if((expr) == 0) { \
32 | pipe("CRITICAL:Test didn't pass: %z", #expr); \
33 | } \
34 | else { \
35 | pipe("INFO:Test passed: %z", #expr); \
36 | }
37 |
38 | int main()
39 | {
40 | static char buf[0x1000]; static wchar_t bufW[0x1000];
41 |
42 | WSADATA wsa;
43 | WSAStartup(MAKEWORD(2, 2), &wsa);
44 | pipe_init("\\\\.\\PIPE\\cuckoo");
45 |
46 | hook_init(GetModuleHandle(NULL));
47 | assert(native_init() == 0);
48 | misc_init(GetModuleHandle(NULL), "hoi");
49 |
50 | assert(ultostr(42, buf, 10) == 2 && strcmp(buf, "42") == 0);
51 | assert(ultostr(1337, buf, 10) == 4 && strcmp(buf, "1337") == 0);
52 | assert(ultostr(-20, buf, 10) == 3 && strcmp(buf, "-20") == 0);
53 | assert(ultostr(-42, buf, 10) == 3 && strcmp(buf, "-42") == 0);
54 | assert(ultostr(0x1337, buf, 16) == 4 && strcmp(buf, "1337") == 0);
55 |
56 | #if __x86_64__
57 | assert(ultostr(0xffffffffffffffff, buf, 16) == 16 && strcmp(buf, "ffffffffffffffff") == 0);
58 | #else
59 | assert(ultostr(0xffffffff, buf, 16) == 8 && strcmp(buf, "ffffffff") == 0);
60 | #endif
61 |
62 | assert(our_snprintf(buf, 3, "hoi") == 2 && strcmp(buf, "ho") == 0);
63 | assert(our_snprintf(buf, 4, "hoi") == 3 && strcmp(buf, "hoi") == 0);
64 | assert(our_snprintf(buf, 4, "hello") == 3 && strcmp(buf, "hel") == 0);
65 | assert(our_snprintf(buf, 64, "%s %s", "a", "b") == 3 && memcmp(buf, "a b", 3) == 0);
66 | assert(our_snprintf(buf, 64, "%s %s ccc", "a", "bb") == 8 && memcmp(buf, "a bb ccc", 8) == 0);
67 | assert(our_snprintf(buf, 64, "%p", 0x4141) == 6 && memcmp(buf, "0x4141", 6) == 0);
68 | assert(our_snprintf(buf, 64, "%p %p", 0x4141, 0x4242) == 13 && memcmp(buf, "0x4141 0x4242", 13) == 0);
69 | assert(our_snprintf(buf, 64, "%d %d", 9001, -42) == 8 && strcmp(buf, "9001 -42") == 0);
70 | assert(our_snprintf(buf, 64, "%p", 0xffffffff) == 10 && strcmp(buf, "0xffffffff") == 0);
71 |
72 | assert((wcsncpyA(bufW, "hello", 4), wcscmp(bufW, L"hel") == 0));
73 | assert((wcsncpyA(bufW, "hello", 5), wcscmp(bufW, L"hell") == 0));
74 | assert((wcsncpyA(bufW, "hello", 6), wcscmp(bufW, L"hello") == 0));
75 | assert((wcsncpyA(bufW, "hello", 64), wcscmp(bufW, L"hello") == 0));
76 |
77 | UNICODE_STRING unistr2, unistr = {
78 | .Length = 10, .MaximumLength = 10, .Buffer = L"HELLO",
79 | };
80 |
81 | assert(copy_unicode_string(&unistr, &unistr2, bufW, sizeof(bufW)) == 0 && wcsncmp(bufW, unistr.Buffer, unistr.Length) == 0 && wcscmp(bufW, L"HELLO") == 0);
82 | assert(wcscmp(extract_unicode_string(&unistr), L"HELLO") == 0);
83 |
84 | struct sockaddr_in addr; const char *ip; int port;
85 | addr.sin_family = AF_INET;
86 | addr.sin_addr.s_addr = inet_addr("127.0.0.1");
87 | addr.sin_port = htons(80);
88 | assert((get_ip_port((struct sockaddr *) &addr, &ip, &port), strcmp(ip, "127.0.0.1") == 0 && port == 80));
89 |
90 | assert(our_htons(1337) == htons(1337));
91 | assert(our_htons(0x4141) == htons(0x4141));
92 | assert(our_htonl(0x11223344) == htonl(0x11223344));
93 | assert(our_htonl(0x22446688) == 0x88664422);
94 |
95 | assert(strcmp(our_inet_ntoa(addr.sin_addr), "127.0.0.1") == 0);
96 | addr.sin_addr.s_addr = inet_addr("1.2.3.4");
97 | assert(strcmp(inet_ntoa(addr.sin_addr), our_inet_ntoa(addr.sin_addr)) == 0);
98 | return 0;
99 | }
100 |
--------------------------------------------------------------------------------
/test/test-moninmem.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | // This program tests whether the monitor is easily detectable in-memory by
20 | // trying to get a handle to it. Normally the monitor should unlink itself
21 | // from the PEB rendering this particular approach useless.
22 |
23 | /// OPTIONS= pipe=cuckoo
24 |
25 | #include
26 | #include "hooking.h"
27 | #include "native.h"
28 | #include "pipe.h"
29 |
30 | #define assert(expr) \
31 | if((expr) == 0) { \
32 | pipe("CRITICAL:Test didn't pass: %z", #expr); \
33 | } \
34 | else { \
35 | pipe("INFO:Test passed: %z", #expr); \
36 | }
37 |
38 | int main()
39 | {
40 | pipe_init("\\\\.\\PIPE\\cuckoo");
41 |
42 | assert(GetModuleHandle("monitor-x86.dll") == NULL);
43 | assert(GetModuleHandle("monitor-x64.dll") == NULL);
44 | return 0;
45 | }
46 |
--------------------------------------------------------------------------------
/test/test-native.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | /// OPTIONS= free=yes,pipe=cuckoo
20 |
21 | #include
22 | #include
23 | #include "config.h"
24 | #include "hooking.h"
25 | #include "misc.h"
26 | #include "native.h"
27 | #include "pipe.h"
28 |
29 | #define assert(expr) \
30 | if((expr) == 0) { \
31 | pipe("CRITICAL:Test didn't pass: %z", #expr); \
32 | } \
33 | else { \
34 | pipe("INFO:Test passed: %z", #expr); \
35 | }
36 |
37 | int main()
38 | {
39 | pipe_init("\\\\.\\PIPE\\cuckoo");
40 |
41 | hook_init(GetModuleHandle(NULL));
42 | assert(native_init() == 0);
43 |
44 | assert(GetCurrentProcessId() == get_current_process_id());
45 | assert(GetCurrentThreadId() == get_current_thread_id());
46 |
47 | assert(pid_from_process_handle(get_current_process()) == get_current_process_id());
48 | assert(pid_from_thread_handle(get_current_thread()) == get_current_process_id());
49 | assert(tid_from_thread_handle(get_current_thread()) == get_current_thread_id());
50 |
51 | last_error_t err;
52 | assert((SetLastError(42), get_last_error(&err), err.lasterror == 42));
53 | assert((SetLastError(0), set_last_error(&err), GetLastError() == 42));
54 | return 0;
55 | }
56 |
--------------------------------------------------------------------------------
/test/test-obtainuseragentstring.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | /// OPTIONS= free=yes,pipe=cuckoo
20 |
21 | #include
22 | #include
23 | #include "pipe.h"
24 |
25 | #define assert(expr) \
26 | if((expr) == 0) { \
27 | pipe("CRITICAL:Test didn't pass: %z", #expr); \
28 | } \
29 | else { \
30 | pipe("INFO:Test passed: %z", #expr); \
31 | }
32 |
33 | int main()
34 | {
35 | pipe_init("\\\\.\\PIPE\\cuckoo");
36 |
37 | FARPROC pObtainUserAgentString =
38 | GetProcAddress(LoadLibrary("urlmon"), "ObtainUserAgentString");
39 |
40 | char buf[512]; DWORD size = sizeof(buf);
41 | assert(pObtainUserAgentString(0, buf, &size) == NOERROR);
42 | assert(strncmp(buf, "Mozilla", 7) == 0);
43 | }
44 |
--------------------------------------------------------------------------------
/test/test-readav.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | // This program demonstrates the logging of invalid and incomplete pointers.
20 |
21 | #include
22 | #include
23 |
24 | int main()
25 | {
26 | char *ptr =
27 | VirtualAlloc(NULL, 0x1000, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
28 |
29 | memcpy(ptr+0x1000-11, "hello world", 11);
30 |
31 | HANDLE file_handle = CreateFile("readav.txt", GENERIC_WRITE,
32 | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
33 |
34 | DWORD bytes_written;
35 | WriteFile(file_handle, ptr+0x1000-11, 11, &bytes_written, NULL);
36 | WriteFile(file_handle, ptr+0x1000-11, 12, &bytes_written, NULL);
37 | WriteFile(file_handle, (const void *) 1, 20, &bytes_written, NULL);
38 | }
39 |
--------------------------------------------------------------------------------
/test/test-resumethread.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #include
20 | #include
21 | #include
22 | #include "pipe.h"
23 |
24 | // Tests very basic process following logic.
25 |
26 | /// OPTIONS= pipe=cuckoo
27 |
28 | #define assert(expr) \
29 | if((expr) == 0) { \
30 | pipe("CRITICAL:Test didn't pass: %z", #expr); \
31 | } \
32 | else { \
33 | pipe("INFO:Test passed: %z", #expr); \
34 | }
35 |
36 | void inject(const char *filepath)
37 | {
38 | char cmdline[MAX_PATH+MAX_PATH];
39 | STARTUPINFO si; PROCESS_INFORMATION pi;
40 |
41 | sprintf(cmdline, "\"%s\" \"World\"", filepath);
42 | memset(&si, 0, sizeof(si)); si.cb = sizeof(si);
43 |
44 | assert(CreateProcess(filepath, cmdline, NULL, NULL, FALSE,
45 | CREATE_SUSPENDED, NULL, NULL, &si, &pi) != FALSE);
46 |
47 | Sleep(1000);
48 |
49 | assert(ResumeThread(pi.hThread) != (DWORD) -1);
50 | }
51 |
52 | void msgbox(const char *arg)
53 | {
54 | MessageBox(NULL, arg, "Hello", 0);
55 | }
56 |
57 | int main(int argc, char *argv[])
58 | {
59 | pipe_init("\\\\.\\PIPE\\cuckoo");
60 |
61 | if(argc == 1) {
62 | inject(argv[0]);
63 | }
64 | else {
65 | msgbox(argv[1]);
66 | }
67 | return 0;
68 | }
69 |
--------------------------------------------------------------------------------
/test/test-unibuf.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | // Tests the unicode buffer functionality.
20 |
21 | /// OPTIONS= free=yes,pipe=cuckoo
22 |
23 | #include
24 | #include
25 | #include "hooking.h"
26 | #include "memory.h"
27 | #include "misc.h"
28 | #include "native.h"
29 | #include "pipe.h"
30 |
31 | #define assert(expr) \
32 | if((expr) == 0) { \
33 | pipe("CRITICAL:Test didn't pass: %z", #expr); \
34 | } \
35 | else { \
36 | pipe("INFO:Test passed: %z", #expr); \
37 | }
38 |
39 | int main()
40 | {
41 | pipe_init("\\\\.\\PIPE\\cuckoo");
42 |
43 | hook_init(GetModuleHandle(NULL));
44 | assert(native_init() == 0);
45 | misc_init(GetModuleHandle(NULL), "hoi");
46 |
47 | wchar_t *a, *b, *c, *d;
48 |
49 | assert((a = get_unicode_buffer()) != NULL);
50 | assert((b = get_unicode_buffer()) != NULL);
51 | assert((c = get_unicode_buffer()) != NULL);
52 |
53 | memset(b, 0x01, 32);
54 | free_unicode_buffer(b);
55 |
56 | // The first utf16 character is zeroed.
57 | assert((b = get_unicode_buffer()) != NULL && memcmp(b, "\x00\x00\x01\x01\x01\x01", 6) == 0);
58 |
59 | assert((d = get_unicode_buffer()) != NULL);
60 |
61 | // The first available pointer is always used when possible.
62 | free_unicode_buffer(a); free_unicode_buffer(c);
63 | assert(get_unicode_buffer() == a && get_unicode_buffer() == c);
64 |
65 | uint32_t bufcount = 0x1000/sizeof(void *) + 4;
66 |
67 | // Allocate X pointers and then free them. The last N pointers will
68 | // not be managed by the custom memory manager. TODO Could improve these
69 | // checks to show that memory is actually being allocated & deallocated.
70 | static wchar_t *ptrs[0x1000];
71 | for (uint32_t idx = 0; idx < bufcount; idx++) {
72 | ptrs[idx] = get_unicode_buffer();
73 | }
74 |
75 | for (uint32_t idx = 0; idx < bufcount; idx++) {
76 | free_unicode_buffer(ptrs[idx]);
77 | }
78 |
79 | return 0;
80 | }
81 |
--------------------------------------------------------------------------------
/test/test-unicode-fname-.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | // This program tests unicode filename support for the initial process.
20 | // See also: https://github.com/cuckoobox/cuckoo/issues/502
21 |
22 | /// OPTIONS= free=yes,pipe=cuckoo
23 |
24 | #include
25 | #include
26 | #include
27 | #include "pipe.h"
28 |
29 | #define assert(expr) \
30 | if((expr) == 0) { \
31 | pipe("CRITICAL:Test didn't pass: %z", #expr); \
32 | } \
33 | else { \
34 | pipe("INFO:Test passed: %z", #expr); \
35 | }
36 |
37 | int main()
38 | {
39 | pipe_init("\\\\.\\PIPE\\cuckoo");
40 |
41 | wchar_t filename[MAX_PATH]; const wchar_t *ptr;
42 | GetModuleFileNameW(NULL, filename, MAX_PATH);
43 |
44 | ptr = wcsrchr(filename, '\\');
45 | if(ptr == NULL) {
46 | ptr = filename;
47 | }
48 | else {
49 | ptr++;
50 | }
51 |
52 | #if __x86_64__
53 | assert(wcscmp(ptr, L"test-unicode-fname-\u202e-x64.exe") == 0);
54 | #else
55 | assert(wcscmp(ptr, L"test-unicode-fname-\u202e-x86.exe") == 0);
56 | #endif
57 |
58 | pipe("DEBUG:Filename -> %Z", ptr);
59 | }
60 |
--------------------------------------------------------------------------------
/test/test-unistr.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | // This program tests a fixed bug in the way that ascii and unicode strings
20 | // are handled under Windows. Namely, when we use pipe() inside a hook, it
21 | // will connect to a pipe server. To do this, a filename is required. Earlier
22 | // we would pass an ascii string to CallNamedPipe(). However, due to the
23 | // per-thread unicode string that Windows uses in order to convert from ascii
24 | // to unicode, the existing unicode string would be overwritten to convert our
25 | // pipe server filename to unicode. For hook handlers that would be given such
26 | // a unicode string, and where we would use pipe(), the unicode string would
27 | // thus be overwritten, resulting in incorrect logic.
28 | //
29 | // This program basically tests this behavior. The file a.txt is created and
30 | // should thus be deletable. However, if the unicode string a.txt is
31 | // overwritten with our pipe filename, then we won't be able to delete it, as
32 | // you can't delete a pipe name, and thus the DeleteFile() function will fail.
33 | //
34 | // Note that this test will return success if a DeleteFileA hook is present,
35 | // rather than just a DeleteFileW hook.
36 | //
37 | // This bug has been fixed by using a unicode string filename together with
38 | // CallNamedPipeW().
39 |
40 | /// OPTIONS= pipe=cuckoo
41 |
42 | #include
43 | #include
44 | #include "pipe.h"
45 |
46 | #define assert(expr) \
47 | if((expr) == 0) { \
48 | pipe("CRITICAL:Test didn't pass: %z", #expr); \
49 | } \
50 | else { \
51 | pipe("INFO:Test passed: %z", #expr); \
52 | }
53 |
54 | int main()
55 | {
56 | pipe_init("\\\\.\\PIPE\\cuckoo");
57 |
58 | fclose(fopen("a.txt", "wb"));
59 | assert(DeleteFile("a.txt") == TRUE);
60 | }
61 |
--------------------------------------------------------------------------------
/test/test-utf8.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | /// OPTIONS= free=yes,pipe=cuckoo
20 |
21 | #include
22 | #include
23 | #include
24 | #include "hooking.h"
25 | #include "memory.h"
26 | #include "native.h"
27 | #include "pipe.h"
28 | #include "utf8.h"
29 |
30 | #define assert(expr) \
31 | if((expr) == 0) { \
32 | pipe("CRITICAL:Test didn't pass: %z", #expr); \
33 | } \
34 | else { \
35 | pipe("INFO:Test passed: %z", #expr); \
36 | }
37 |
38 | int main()
39 | {
40 | pipe_init("\\\\.\\PIPE\\cuckoo");
41 |
42 | hook_init(GetModuleHandle(NULL));
43 | mem_init();
44 | assert(native_init() == 0);
45 |
46 | uint8_t buf[16]; uint16_t val[2];
47 |
48 | assert(utf8_encode(0x00000001, buf) == 1 && memcmp(buf, "\x01", 1) == 0);
49 | assert(utf8_encode(0x0000007f, buf) == 1 && memcmp(buf, "\x7f", 1) == 0);
50 | assert(utf8_encode(0x00000080, buf) == 2 && memcmp(buf, "\xc2\x80", 2) == 0);
51 | assert(utf8_encode(0x000007ff, buf) == 2 && memcmp(buf, "\xdf\xbf", 2) == 0);
52 | assert(utf8_encode(0x00000800, buf) == 3 && memcmp(buf, "\xe0\xa0\x80", 3) == 0);
53 | assert(utf8_encode(0x0000ffff, buf) == 3 && memcmp(buf, "\xef\xbf\xbf", 3) == 0);
54 | assert(utf8_encode(0x00010000, buf) == 4 && memcmp(buf, "\xf0\x90\x80\x80", 4) == 0);
55 | assert(utf8_encode(0x001fffff, buf) == 4 && memcmp(buf, "\xf7\xbf\xbf\xbf", 4) == 0);
56 | assert(utf8_encode(0x00200000, buf) == 5 && memcmp(buf, "\xf8\x88\x80\x80\x80", 5) == 0);
57 | assert(utf8_encode(0x03ffffff, buf) == 5 && memcmp(buf, "\xfb\xbf\xbf\xbf\xbf", 5) == 0);
58 | assert(utf8_encode(0x04000000, buf) == 6 && memcmp(buf, "\xfc\x84\x80\x80\x80\x80", 6) == 0);
59 | assert(utf8_encode(0x7fffffff, buf) == 6 && memcmp(buf, "\xfd\xbf\xbf\xbf\xbf\xbf", 6) == 0);
60 |
61 | // It's kind of a hassle to get utf8_wstring() to work here, so we'll just
62 | // do similar work with the byte count, which calculates the required
63 | // amount of bytes for a sequence. The following sequences represent the
64 | // various utf8 boundaries, i.e., their maximum values before needing an
65 | // extra byte etc.
66 | assert(utf8_bytecnt_unicode((val[0] = 0xd800, val[1] = 0xdc00, val), 2) == 1);
67 | assert(utf8_bytecnt_unicode((val[0] = 0xd801, val[1] = 0xdc00, val), 2) == 2);
68 | assert(utf8_bytecnt_unicode((val[0] = 0xd802, val[1] = 0xdc00, val), 2) == 3);
69 | assert(utf8_bytecnt_unicode((val[0] = 0xd840, val[1] = 0xdc00, val), 2) == 4);
70 |
71 | // We used to have some issues with signed chars and the MSB being set as
72 | // we wouldn't cast these as unsigned characters. This would result in
73 | // utf8_length(0xffffff81) returning -1, rather than utf8_length(0x81)
74 | // returning 2. Similarly to incorrect return values of utf8_length() we'd
75 | // also experience out-of-bounds writes as our buffer would be indexed by
76 | // -1, resulting in undefined behavior.
77 | assert(utf8_bytecnt_ascii("\x81", 1) == 2);
78 | assert(utf8_bytecnt_unicode(L"\u8081", 1) == 3);
79 | assert(memcmp(utf8_string("\x81", 1), "\x02\x00\x00\x00\xc2\x81", 6) == 0);
80 | assert(memcmp(utf8_wstring(L"\u8081", 1), "\x03\x00\x00\x00\xe8\x82\x81", 7) == 0);
81 | }
82 |
--------------------------------------------------------------------------------
/test/unittest.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | """
3 | Cuckoo Sandbox - Automated Malware Analysis
4 | Copyright (C) 2010-2015 Cuckoo Foundation
5 |
6 | This program is free software: you can redistribute it and/or modify
7 | it under the terms of the GNU General Public License as published by
8 | the Free Software Foundation, either version 3 of the License, or
9 | (at your option) any later version.
10 |
11 | This program is distributed in the hope that it will be useful,
12 | but WITHOUT ANY WARRANTY; without even the implied warranty of
13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | GNU General Public License for more details.
15 |
16 | You should have received a copy of the GNU General Public License
17 | along with this program. If not, see .
18 | """
19 |
20 | import copy
21 | import os
22 | import shlex
23 | import sys
24 |
25 | MODES = [
26 | 'winxp',
27 | 'win7',
28 | 'win7x64',
29 | ]
30 |
31 | MULTIPLE = {
32 | 'CC': False,
33 | 'CFLAGS': True,
34 | 'INC': True,
35 | 'OBJECTS': True,
36 | 'OPTIONS': True,
37 | 'MODES': True,
38 | 'EXTENSION': False,
39 | }
40 |
41 | DEFAULTS = {
42 | 'CC86': 'i686-w64-mingw32-gcc',
43 | 'CC64': 'x86_64-w64-mingw32-gcc',
44 | 'CFLAGS': ['-std=c99', '-Wall', '-Werror', '-s'],
45 | 'INC': ['-I', '../inc', '-I', '../objects/code', '-I', '../src/bson'],
46 | 'OBJECTS': """pipe.o misc.o native.o memory.o utf8.o symbol.o ignore.o
47 | hooking.o unhook.o assembly.o log.o diffing.o sleep.o wmi.o
48 | flags.o hooks.o config.o network.o iexplore.o sha1/sha1.o
49 | bson/bson.o bson/numbers.o bson/encoding.o disguise.o
50 | ../src/capstone/capstone-%(arch)s.lib""".split(),
51 | 'LDFLAGS': ['-lws2_32', '-lshlwapi', '-lole32'],
52 | 'OPTIONS': [],
53 | 'MODES': ['winxp', 'win7', 'win7x64'],
54 | 'EXTENSION': 'exe',
55 | }
56 |
57 | ALL = []
58 |
59 | class Dict(dict):
60 | def __init__(self, value):
61 | dict.__init__(self, copy.deepcopy(value))
62 |
63 | def __getattr__(self, name):
64 | return dict.__getitem__(self, name)
65 |
66 | def compile_file(fname, arch):
67 | kw = Dict(DEFAULTS)
68 | for line in open(fname, 'rb'):
69 | if not line.startswith('///'):
70 | continue
71 |
72 | key, value = line[3:].split('=', 1)
73 | if key.strip().endswith('+'):
74 | kw[key.rstrip('+').strip()] += shlex.split(value)
75 | elif MULTIPLE[key.strip()]:
76 | kw[key.strip()] = shlex.split(value)
77 | else:
78 | kw[key.strip()] = value.strip()
79 |
80 | for idx, value in enumerate(kw.OBJECTS):
81 | kw.OBJECTS[idx] = value = value % dict(arch=arch)
82 | if os.path.exists(value):
83 | continue
84 |
85 | path = os.path.join('..', 'objects', arch, 'src', value)
86 | if os.path.exists(path):
87 | kw.OBJECTS[idx] = path
88 | continue
89 |
90 | path = os.path.join('..', 'objects', arch, 'code', value)
91 | if os.path.exists(path):
92 | kw.OBJECTS[idx] = path
93 | continue
94 |
95 | output_exe = fname.replace('.c', '-%s.%s' % (arch, kw.EXTENSION))
96 |
97 | compiler = kw.CC86 if arch == 'x86' else kw.CC64
98 | files = ' '.join(kw.OBJECTS)
99 | args = ' '.join(kw.CFLAGS + kw.LDFLAGS + kw.INC)
100 | ALL.append(output_exe)
101 | return [
102 | '%s: %s %s' % (output_exe, fname, files),
103 | '\t%s -o %s %s %s %s' % (compiler, output_exe, fname, files, args),
104 | '',
105 | ]
106 |
107 | if __name__ == '__main__':
108 | curdir = os.path.abspath(os.path.dirname(__file__))
109 |
110 | lines = []
111 | for fname in os.listdir(curdir):
112 | if not fname.startswith('test-') or not fname.endswith('.c'):
113 | continue
114 |
115 | lines += compile_file(fname, 'x86')
116 | lines += compile_file(fname, 'x64')
117 |
118 | with open(os.path.join(curdir, 'Makefile'), 'wb') as f:
119 | f.write('all: %s\n' % ' '.join(ALL))
120 | f.write('clean:\n\trm -f %s\n\n' % ' '.join(ALL))
121 | f.write('\n'.join(lines))
122 |
--------------------------------------------------------------------------------
/utils/Makefile:
--------------------------------------------------------------------------------
1 | CC32 = i686-w64-mingw32-gcc -m32
2 | CC64 = x86_64-w64-mingw32-gcc -m64
3 | CFLAGS = -Wall -Wextra -O2 -std=c99 -static -s -mwindows
4 | LDFLAGS = -lshlwapi
5 |
6 | UTILSRC = $(wildcard *.c)
7 | UTILEXE = helloworld-x86.dll helloworld-x64.dll
8 |
9 | default: $(UTILEXE)
10 |
11 | helloworld-x86.dll: helloworld.c
12 | $(CC32) -o $@ $^ $(CFLAGS) $(LDFLAGS) -shared
13 |
14 | helloworld-x64.dll: helloworld.c
15 | $(CC64) -o $@ $^ $(CFLAGS) $(LDFLAGS) -shared
16 |
17 | clean:
18 | rm -f $(UTILEXE)
19 |
--------------------------------------------------------------------------------
/utils/helloworld.c:
--------------------------------------------------------------------------------
1 | /*
2 | Cuckoo Sandbox - Automated Malware Analysis.
3 | Copyright (C) 2010-2015 Cuckoo Foundation.
4 |
5 | This program is free software: you can redistribute it and/or modify
6 | it under the terms of the GNU General Public License as published by
7 | the Free Software Foundation, either version 3 of the License, or
8 | (at your option) any later version.
9 |
10 | This program is distributed in the hope that it will be useful,
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | GNU General Public License for more details.
14 |
15 | You should have received a copy of the GNU General Public License
16 | along with this program. If not, see .
17 | */
18 |
19 | #include
20 | #include
21 |
22 | BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
23 | {
24 | (void) hModule; (void) lpReserved;
25 |
26 | if(dwReason == DLL_PROCESS_ATTACH) {
27 | MessageBox(NULL, "World", "Hello", 0);
28 | }
29 | return TRUE;
30 | }
31 |
--------------------------------------------------------------------------------