├── WinDNA
    ├── include
    │   ├── triton_tainter.h
    │   ├── addresses.h
    │   ├── pch.h
    │   └── internal_structures.h
    ├── src
    │   ├── pch.cpp
    │   ├── addresses.cpp
    │   ├── internal_structures.cpp
    │   ├── dllmain.cpp
    │   └── triton_tainter.cpp
    ├── WinDNA.vcxproj.user
    ├── WinDNA.vcxproj.filters
    └── WinDNA.vcxproj
├── .gitignore
└── WinDNA.sln


/WinDNA/include/triton_tainter.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | namespace Tainter
4 | {
5 | 	// Taints the instruction which is currently being executed by the vCpu.
6 | 	void HandleTaintInstruction(Internals::VirtualCpu* vCpu);
7 | }


--------------------------------------------------------------------------------
/WinDNA/src/pch.cpp:
--------------------------------------------------------------------------------
1 | // pch.cpp: source file corresponding to the pre-compiled header
2 | 
3 | #include "pch.h"
4 | 
5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed.
6 | 


--------------------------------------------------------------------------------
/WinDNA/WinDNA.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup>
4 |     <ShowAllFiles>false</ShowAllFiles>
5 |   </PropertyGroup>
6 | </Project>


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Prerequisites
 2 | *.d
 3 | 
 4 | # Compiled Object files
 5 | *.slo
 6 | *.lo
 7 | *.o
 8 | *.obj
 9 | 
10 | # Precompiled Headers
11 | *.gch
12 | *.pch
13 | 
14 | # Compiled Dynamic libraries
15 | *.so
16 | *.dylib
17 | *.dll
18 | 
19 | # Fortran module files
20 | *.mod
21 | *.smod
22 | 
23 | # Compiled Static libraries
24 | *.lai
25 | *.la
26 | *.a
27 | *.lib
28 | 
29 | # Executables
30 | *.exe
31 | *.out
32 | *.app
33 | 
34 | .vs
35 | 
36 | # visual studio specifics
37 | x64/
38 | Debug/


--------------------------------------------------------------------------------
/WinDNA/src/addresses.cpp:
--------------------------------------------------------------------------------
 1 | #include "pch.h"
 2 | 
 3 | namespace Addresses
 4 | {
 5 | 	void Initialize()
 6 | 	{
 7 | 		// Locate modules
 8 | 		Modules::g_replay = (u64)GetModuleHandleA("TTDReplay.dll");
 9 | 		Modules::g_replay_cpu = (u64)GetModuleHandleA("TTDReplayCPU.dll");
10 | 
11 | 		// Locate functions. TODO: Pattern scan.
12 | 		Functions::g_register_instrumentation_callbacks = Modules::g_replay_cpu + 0x1540;
13 | 		Functions::g_read_cached_data_internal = Modules::g_replay_cpu + 0x4AD0;
14 | 	}
15 | }


--------------------------------------------------------------------------------
/WinDNA/src/internal_structures.cpp:
--------------------------------------------------------------------------------
 1 | #include "pch.h"
 2 | #include "internal_structures.h"
 3 | 
 4 | namespace Internals
 5 | {
 6 | 	bool VirtualCpuHelper::ReadVirtualCpuMemory(VirtualCpu* vCpu, u64 addr, void* pDst, u64 dataSize)
 7 | 	{
 8 | 		if (VirtualCpuHelper::readCachedDataInternal == nullptr)
 9 | 			VirtualCpuHelper::readCachedDataInternal = (f_ReadCachedDataInternal)Addresses::Functions::g_read_cached_data_internal;
10 | 
11 | 		return VirtualCpuHelper::readCachedDataInternal(vCpu, addr, pDst, dataSize);
12 | 	}
13 | }


--------------------------------------------------------------------------------
/WinDNA/include/addresses.h:
--------------------------------------------------------------------------------
 1 | // WinDbg related addresses which are resolved at runtime
 2 | namespace Addresses
 3 | {
 4 | 	void Initialize();
 5 | 
 6 | 	namespace Modules
 7 | 	{
 8 | 		// Base address of TTDReplay.dll.
 9 | 		inline u64 g_replay;
10 | 
11 | 		// Base address of TTDReplayCPU.dll
12 | 		inline u64 g_replay_cpu;
13 | 	}
14 | 
15 | 	namespace Functions
16 | 	{
17 | 		inline u64 g_register_instrumentation_callbacks;
18 | 
19 | 		// Address of VirtualCpu::ReadCachedDataInternal.
20 | 		inline u64 g_read_cached_data_internal;
21 | 	}
22 | }


--------------------------------------------------------------------------------
/WinDNA/include/pch.h:
--------------------------------------------------------------------------------
 1 | // pch.h: This is a precompiled header file.
 2 | // Files listed below are compiled only once, improving build performance for future builds.
 3 | // This also affects IntelliSense performance, including code completion and many code browsing features.
 4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds.
 5 | #ifndef PCH_H
 6 | #define PCH_H
 7 | 
 8 | // Windows Header Files
 9 | #include <windows.h>
10 | #include <stdio.h>
11 | #include <d3d9types.h>
12 | #include <d3d11.h>
13 | #include <sstream>
14 | #include <fstream>
15 | #include <dinput.h>
16 | #include <tchar.h>
17 | #include <vector>
18 | #include <string>
19 | #include <DXGI.h>
20 | #include <mutex>
21 | #include <algorithm>
22 | #include <math.h>
23 | #include <functional>
24 | #include <intrin.h>
25 | #include <iostream>
26 | #include <map>
27 | #include <iterator>
28 | 
29 | using u64 = unsigned long long;
30 | #include "addresses.h"
31 | 
32 | #endif //PCH_H
33 | 


--------------------------------------------------------------------------------
/WinDNA.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.31105.61
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "WinDNA", "WinDNA\WinDNA.vcxproj", "{351E43AB-B29E-4EEE-848C-821394C69C55}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{351E43AB-B29E-4EEE-848C-821394C69C55}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{351E43AB-B29E-4EEE-848C-821394C69C55}.Debug|x64.Build.0 = Debug|x64
18 | 		{351E43AB-B29E-4EEE-848C-821394C69C55}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{351E43AB-B29E-4EEE-848C-821394C69C55}.Debug|x86.Build.0 = Debug|Win32
20 | 		{351E43AB-B29E-4EEE-848C-821394C69C55}.Release|x64.ActiveCfg = Release|x64
21 | 		{351E43AB-B29E-4EEE-848C-821394C69C55}.Release|x64.Build.0 = Release|x64
22 | 		{351E43AB-B29E-4EEE-848C-821394C69C55}.Release|x86.ActiveCfg = Release|Win32
23 | 		{351E43AB-B29E-4EEE-848C-821394C69C55}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {FDB64CE9-7468-44D7-A53E-3D3F6AD8C421}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/WinDNA/WinDNA.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Resource Files">
 5 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
 6 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="src">
 9 |       <UniqueIdentifier>{bdb2f494-dcf4-4d69-8101-5dc57b22ecc0}</UniqueIdentifier>
10 |     </Filter>
11 |     <Filter Include="include">
12 |       <UniqueIdentifier>{0c4de131-032a-47db-8ade-1eb1350143c5}</UniqueIdentifier>
13 |     </Filter>
14 |   </ItemGroup>
15 |   <ItemGroup>
16 |     <ClInclude Include="include\addresses.h">
17 |       <Filter>include</Filter>
18 |     </ClInclude>
19 |     <ClInclude Include="include\internal_structures.h">
20 |       <Filter>include</Filter>
21 |     </ClInclude>
22 |     <ClInclude Include="include\pch.h">
23 |       <Filter>include</Filter>
24 |     </ClInclude>
25 |     <ClInclude Include="include\triton_tainter.h">
26 |       <Filter>include</Filter>
27 |     </ClInclude>
28 |   </ItemGroup>
29 |   <ItemGroup>
30 |     <ClCompile Include="src\addresses.cpp">
31 |       <Filter>src</Filter>
32 |     </ClCompile>
33 |     <ClCompile Include="src\dllmain.cpp">
34 |       <Filter>src</Filter>
35 |     </ClCompile>
36 |     <ClCompile Include="src\internal_structures.cpp">
37 |       <Filter>src</Filter>
38 |     </ClCompile>
39 |     <ClCompile Include="src\pch.cpp">
40 |       <Filter>src</Filter>
41 |     </ClCompile>
42 |     <ClCompile Include="src\triton_tainter.cpp">
43 |       <Filter>src</Filter>
44 |     </ClCompile>
45 |   </ItemGroup>
46 | </Project>


--------------------------------------------------------------------------------
/WinDNA/src/dllmain.cpp:
--------------------------------------------------------------------------------
  1 | // dllmain.cpp : Defines the entry point for the DLL application.
  2 | #include "pch.h"
  3 | #include <detours/detours.h>
  4 | #include "internal_structures.h"
  5 | #include <inttypes.h>
  6 | #include <triton_tainter.h>
  7 | #include <capstone/capstone.h>
  8 | 
  9 | // capstone handle
 10 | csh handle;
 11 | 
 12 | int globalCount = 0;
 13 | void __fastcall InstrCallbackCallRets(Internals::VirtualCpu* vCpu, u64 flowDstAddr)
 14 | {
 15 |    return;
 16 |    u64 rip;
 17 |    vCpu->GetRegister(Internals::RegisterId::RIP, &rip, 8);
 18 | 
 19 |    unsigned int pageSize = 0x1000 - ((((DWORD)rip)) & 0xFFF);
 20 |    if (pageSize > 15)
 21 |        pageSize = 15;
 22 | 
 23 |    auto isReadingMem = vCpu->bIsReadingMem;
 24 |    Internals::VirtualCpu* tempCpu = vCpu;
 25 |    vCpu->bIsReadingMem = true;
 26 |    if (isReadingMem)
 27 |        tempCpu = 0;
 28 | 
 29 |    if (tempCpu != nullptr)
 30 |        tempCpu->bIsReadingMem = false;
 31 | 
 32 |    cs_insn* insn;
 33 |    uint8_t disassemblyBuffer[32];
 34 |    auto count = cs_disasm(handle, disassemblyBuffer, 15, rip, 1, &insn);
 35 | }
 36 | 
 37 | void __fastcall InstrCallbackPreWriteMemory(Internals::VirtualCpu* vCpu, u64 address, u64 dataSize)
 38 | {
 39 | 
 40 | }
 41 | 
 42 | void __fastcall InstrCallbackPostWriteMemory(Internals::VirtualCpu* vCpu, u64 address, void* pBuffer, u64 dataSize)
 43 | {
 44 | }
 45 | 
 46 | void __fastcall InstrCallbackReadMemory(Internals::VirtualCpu* vCpu, u64 address, void* pBuffer, u64 dataSize)
 47 | {
 48 | }
 49 | 
 50 | void RegisterInstrumentationCallbacks()
 51 | {
 52 |     // Grab the function for registering callbacks.
 53 |     auto func = (Internals::f_RegisterCallbacks)Addresses::Functions::g_register_instrumentation_callbacks;
 54 | 
 55 |     // Register callbacks
 56 |     Internals::InstrumentationCallbacks callbacks;
 57 |     callbacks.callbackCallRets = (Internals::f_InstrCallbackCallRets*)InstrCallbackCallRets;
 58 |     callbacks.callbackPreWriteMemory = (Internals::f_InstrCallbackPreWriteMemory*)InstrCallbackPreWriteMemory;
 59 |     callbacks.callbackPostWriteMemory = (Internals::f_InstrCallbackPostWriteMemory*)InstrCallbackPostWriteMemory;
 60 |     callbacks.callbackReadMemory = (Internals::f_InstrCallbackReadMemory*)(InstrCallbackReadMemory);
 61 |     func(&callbacks);
 62 | }
 63 | 
 64 | typedef void* (__fastcall* fDispatcherLoop)(Internals::VirtualCpu* vCpu, u64 a2);
 65 | 
 66 | fDispatcherLoop dispatcherLoop;
 67 | 
 68 | void* __fastcall h_DispatcherLoop(Internals::VirtualCpu* vCpu, u64 a2)
 69 | {
 70 |     Tainter::HandleTaintInstruction(vCpu);
 71 |     return dispatcherLoop(vCpu, a2);
 72 | }
 73 | 
 74 | void Initialize()
 75 | {
 76 |     // Initialize logging.
 77 |     AllocConsole();
 78 |     FILE* fp;
 79 |     freopen_s(&fp, "CONOUT$", "w", stdout);
 80 |     printf("WinDNA loaded.");
 81 | 
 82 |     // Retrieve various internal addresses.
 83 |     Addresses::Initialize();
 84 | 
 85 |     dispatcherLoop = (fDispatcherLoop)(Addresses::Modules::g_replay_cpu + 0x9AA00);
 86 |     DetourTransactionBegin();
 87 |     DetourUpdateThread(GetCurrentThread());
 88 |     DetourAttach(&(PVOID&)dispatcherLoop, h_DispatcherLoop);
 89 |     DetourTransactionCommit();
 90 | 
 91 |     // Execute boilerplate code for registering callbacks.
 92 |     RegisterInstrumentationCallbacks();
 93 | }
 94 | 
 95 | BOOL APIENTRY DllMain( HMODULE hModule,
 96 |                        DWORD  ul_reason_for_call,
 97 |                        LPVOID lpReserved
 98 |                      )
 99 | {
100 |     switch (ul_reason_for_call)
101 |     {
102 |     case DLL_PROCESS_ATTACH:
103 |     case DLL_THREAD_ATTACH:
104 |         Initialize();
105 |         break;
106 |     case DLL_THREAD_DETACH:
107 |     case DLL_PROCESS_DETACH:
108 |         break;
109 |     }
110 |     return TRUE;
111 | }
112 | 
113 | 


--------------------------------------------------------------------------------
/WinDNA/src/triton_tainter.cpp:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include <pch.h>
  3 | #include <triton/api.hpp>
  4 | #include <triton/x86Specifications.hpp>
  5 | #include <capstone/capstone.h>
  6 | #include <internal_structures.h>
  7 | #include <triton_tainter.h>
  8 | 
  9 | namespace Tainter
 10 | {
 11 | 	// Context for swapping between threads.
 12 | 	class ThreadContext
 13 | 	{
 14 | 	public:
 15 | 		// Thread ID.
 16 | 		u64 tid;
 17 | 
 18 | 		// Concrete registers.
 19 | 		std::unordered_map<triton::arch::register_e, triton::uint512>* concreteRegisters;
 20 | 
 21 | 		// Symbolic registers
 22 | 		std::unordered_map<triton::arch::register_e, triton::engines::symbolic::SharedSymbolicExpression>* symbolicRegisters;
 23 | 
 24 | 		ThreadContext(u64 tid)
 25 | 		{
 26 | 			this->tid = tid;
 27 | 			concreteRegisters = new std::unordered_map<triton::arch::register_e, triton::uint512>();
 28 | 			symbolicRegisters = new std::unordered_map<triton::arch::register_e, triton::engines::symbolic::SharedSymbolicExpression>();
 29 | 		}
 30 | 
 31 | 		void Save(triton::API* api)
 32 | 		{
 33 | 			// Save concrete register values
 34 | 			for (auto reg : api->getParentRegisters())
 35 | 			{
 36 | 				concreteRegisters->insert({ reg->getId(), api->getConcreteRegisterValue(*reg) });
 37 | 			}
 38 | 
 39 | 			// Save symbolic registers
 40 | 			*symbolicRegisters = api->getSymbolicRegisters();
 41 | 		}
 42 | 
 43 | 		void Restore(triton::API* api)
 44 | 		{
 45 | 			// Restore concrete registers
 46 | 			for (auto&& pair : *concreteRegisters)
 47 | 			{
 48 | 				api->setConcreteRegisterValue(api->getRegister(pair.first), pair.second);
 49 | 			}
 50 | 
 51 | 			// Restore symbolic registers
 52 | 			for (auto&& pair : *symbolicRegisters)
 53 | 			{
 54 | 				api->assignSymbolicExpressionToRegister(pair.second, api->getRegister(pair.first));
 55 | 			}
 56 | 		}
 57 | 	};
 58 | 
 59 | 	triton::API* api;
 60 | 
 61 | 	std::map<u64, ThreadContext*> contextMap = *new std::map<u64, ThreadContext*>();
 62 | 
 63 | 	u64 currentTid;
 64 | 
 65 | 	bool isTainting = false;
 66 | 
 67 | 	std::mutex taintMutex;
 68 | 
 69 | 	csh handle;
 70 | 
 71 | 	int taintCount = 0;
 72 | 
 73 | 	void LoadThreadContext(Internals::VirtualCpu* vCpu);
 74 | 
 75 | 	void InitializeTaint(Internals::VirtualCpu* vCpu);
 76 | 
 77 | 	void TaintCurrentExecutingInstruction(Internals::VirtualCpu* vCpu);
 78 | 	
 79 | 	void TaintInstruction(Internals::VirtualCpu* vCpu)
 80 | 	{
 81 | 		// Initialize the taint if needed
 82 | 		if (!isTainting)
 83 | 			InitializeTaint(vCpu);
 84 | 
 85 | 		taintMutex.lock();
 86 | 		LoadThreadContext(vCpu);
 87 | 		TaintCurrentExecutingInstruction(vCpu);
 88 | 		taintMutex.unlock();
 89 | 	}
 90 | 
 91 | 	void InitializeTaint(Internals::VirtualCpu* vCpu)
 92 | 	{
 93 | 		api = new triton::API();
 94 | 		api->setArchitecture(triton::arch::architecture_e::ARCH_X86_64);
 95 | 
 96 | 		isTainting = true;
 97 | 		LoadThreadContext(vCpu);
 98 | 		api->enableTaintEngine(true);
 99 | 		api->setMode(triton::modes::TAINT_THROUGH_POINTERS, true);
100 | 		api->setMode(triton::modes::ONLY_ON_TAINTED, true);
101 | 		api->setMode(triton::modes::ONLY_ON_TAINTED, true);
102 | 
103 | 		// Initialize capstone
104 | 		if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK)
105 | 		{
106 | 			printf("failed to load capstone. \n");
107 | 			return;
108 | 		}
109 | 	}
110 | 
111 | 	void LoadThreadContext(Internals::VirtualCpu* vCpu)
112 | 	{
113 | 		// Grab the TEB and use it as a thread ID.
114 | 		auto cpuThreadId = vCpu->GetTeb();
115 | 
116 | 		// Return if the provided vCpu's thread context is already loaded.
117 | 		if (cpuThreadId == currentTid)
118 | 			return;
119 | 
120 | 		// Save the old context, in preparation of loading a new context
121 | 		if (contextMap.find(currentTid) != contextMap.end())
122 | 		{
123 | 			contextMap[currentTid]->Save(api);
124 | 		}
125 | 
126 | 		// Set the new current thread ID.
127 | 		currentTid = cpuThreadId;
128 | 
129 | 		// Create a context for the current thread if one doesn't exist
130 | 		if (contextMap.find(cpuThreadId) == contextMap.end())
131 | 		{
132 | 			//printf("creating new context");
133 | 			ThreadContext* ctx = new ThreadContext(cpuThreadId);
134 | 			ctx->Save(api);
135 | 			contextMap.insert({ cpuThreadId, ctx });
136 | 		}
137 | 
138 | 		// Load the new thread context into triton.
139 | 		auto context = contextMap[cpuThreadId];
140 | 		context->Restore(api);
141 | 	}
142 | 
143 | 	void TaintCurrentExecutingInstruction(Internals::VirtualCpu* vCpu)
144 | 	{
145 | 		// Retrieve PC
146 | 		auto rip = vCpu->GetPC();
147 | 
148 | 		// Compute the size of memory to read
149 | 		unsigned int pageSize = 0x1000 - ((((DWORD)rip)) & 0xFFF);
150 | 		if (pageSize > 15)
151 | 			pageSize = 15;
152 | 
153 | 		// Prepare to read memory
154 | 		auto isReadingMem = vCpu->bIsReadingMem;
155 | 		Internals::VirtualCpu* tempCpu = vCpu;
156 | 		vCpu->bIsReadingMem = true;
157 | 		if (isReadingMem)
158 | 			tempCpu = 0;
159 | 
160 | 		// Read virtual CPU memory.
161 | 		uint8_t disassemblyBuffer[32];
162 | 		bool hasRead = Internals::VirtualCpuHelper::ReadVirtualCpuMemory(vCpu, rip & (u64)0xFFFFFFFFFFFF, &disassemblyBuffer, pageSize);
163 | 		if (tempCpu != nullptr)
164 | 			tempCpu->bIsReadingMem = false;
165 | 
166 | 		// Return if the read failed for some reason.
167 | 		if (!hasRead)
168 | 		{
169 | 			printf("failed to read memory.");
170 | 			return;
171 | 		}
172 | 
173 | 		// Compute the length of the instruction
174 | 		cs_insn* insn;
175 | 		auto count = cs_disasm(handle, disassemblyBuffer, 15, rip, 1, &insn);
176 | 		
177 | 		// Feed the instruction to triton
178 | 		triton::arch::Instruction instruction;
179 | 		instruction.setOpcode(disassemblyBuffer, insn->size);
180 | 		instruction.setAddress(rip);
181 | 		bool success = api->processing(instruction);
182 | 
183 | 		if (!success)
184 | 		{
185 | 			std::cout << "failed to process insn" << std::endl;
186 | 			return;
187 | 		}
188 | 		
189 | 		// Log the instruction if it is tainted
190 | 		if (instruction.isTainted())
191 | 		{
192 | 			taintCount++;
193 | 			printf("instruction tainted: 0x%" PRIx64 ":\t%s\t\t%s\n", insn[0].address, insn[0].mnemonic,
194 | 				insn[0].op_str);
195 | 		}
196 | 
197 | 		else 
198 | 		{
199 | 			printf("Failed to taint instruction: 0x%" PRIx64 ":\t%s\t\t%s\n", insn[0].address, insn[0].mnemonic,
200 | 				insn[0].op_str);
201 | 		}
202 | 	}
203 | }


--------------------------------------------------------------------------------
/WinDNA/include/internal_structures.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | // Reverse engineered WinDBG internal structures.
  4 | namespace Internals
  5 | {
  6 | 	class Disx86
  7 | 	{
  8 | 	public:
  9 | 		char pad_0008[616]; //0x0008
 10 | 
 11 | 		virtual void Function0();
 12 | 		virtual void Function1();
 13 | 		virtual void Function2();
 14 | 		virtual void Function3();
 15 | 		virtual void Function4();
 16 | 		virtual void Function5();
 17 | 		virtual void Function6();
 18 | 		virtual void Function7();
 19 | 		virtual void Function8();
 20 | 		virtual void Function9();
 21 | 	}; //Size: 0x0270
 22 | 
 23 | 	enum class RegisterId : uint8_t
 24 | 	{
 25 | 		NONE = 0,
 26 | 		REG1 = 1,
 27 | 		REG2 = 2,
 28 | 		REG3 = 3,
 29 | 		REG4 = 4,
 30 | 		REG5 = 5,
 31 | 		RAX = 6,
 32 | 		RCX = 7,
 33 | 		RDX = 8,
 34 | 		RBX = 9,
 35 | 		RSP = 10,
 36 | 		RBP = 11,
 37 | 		RSI = 12,
 38 | 		RDI = 13,
 39 | 		R8 = 14,
 40 | 		R9 = 15,
 41 | 		R10 = 16,
 42 | 		R11 = 17,
 43 | 		R12 = 18,
 44 | 		R13 = 19,
 45 | 		R14 = 20,
 46 | 		R15 = 21,
 47 | 		RIP = 22,
 48 | 		RFLAGS = 23
 49 | 	};
 50 | 
 51 | 
 52 | 	class VirtualCpu
 53 | 	{
 54 | 	public:
 55 | 		void* clientTls; //0x0008
 56 | 		char pad_0010[48]; //0x0010
 57 | 		uint64_t qword1; //0x0040
 58 | 		void* oPreWriteMem; //0x0048
 59 | 		void* oPostWriteMem; //0x0050
 60 | 		void* oReadMem; //0x0058
 61 | 		void* oTranslation; //0x0060
 62 | 		void* oMemoryEvict; //0x0068
 63 | 		void* callbackPreWriteMem; //0x0070
 64 | 		void* callbackPostWriteMem; //0x0078
 65 | 		void* callbackReadMem; //0x0080
 66 | 		void* callbackTranslation; //0x0088
 67 | 		void* callbackMemoryEvict; //0x0090
 68 | 		int8_t bFastMemoryPathDisabled; //0x0098
 69 | 		char pad_0099[7]; //0x0099
 70 | 		uint64_t qword2; //0x00A0
 71 | 		int32_t insnCount1; //0x00A8
 72 | 		char pad_00AC[4]; //0x00AC
 73 | 		int32_t insnCount2; //0x00B0
 74 | 		char pad_00B4[4]; //0x00B4
 75 | 		int64_t insnCountFactor; //0x00B8
 76 | 		int32_t insnCountLimit; //0x00C0
 77 | 		int32_t computedLimit; //0x00C4
 78 | 		int32_t computedLimit2; //0x00C8
 79 | 		uint8_t bIsReadingMem; //0x00CC
 80 | 		uint8_t bIsExecutingCallback; //0x00CD
 81 | 		char pad_00CE[2]; //0x00CE
 82 | 		void* callbackReplayMemoryFetch; //0x00D0
 83 | 		void* callbackReplayTimestamp; //0x00D8
 84 | 		char pad_00E0[32]; //0x00E0
 85 | 		char registersData[13][8]; //0x0100
 86 | 		uint64_t pc; //0x0168
 87 | 		uint64_t teb; //0x0170
 88 | 		char registersDataExtended[385][8]; //0x0178
 89 | 		class Disx86 disx86; //0x0D80
 90 | 		char pad_0FF0[17064]; //0x0FF0
 91 | 		void* jitHashFunction; //0x5298
 92 | 		void* jitHashTableMatch; //0x52A0
 93 | 		char pad_52A8[24]; //0x52A8
 94 | 		void* stlB; //0x52C0
 95 | 		char pad_52C8[760]; //0x52C8
 96 | 
 97 | 
 98 | 
 99 | 		virtual void SetClientTls(u64 tls);
100 | 		virtual u64* GetRegistersData(u64* outputDst);
101 | 		virtual u64 GetVirtualProcessorState(int unkInt, u64* outputState);
102 | 		virtual u64 SetVirtualProcessorState(int stateCode, u64* vState);
103 | 		virtual void GetRegister(RegisterId regId, u64* pDst, size_t regSize);
104 | 		virtual void SetRegister(RegisterId regId, u64* pSrc, size_t regSize);
105 | 		virtual u64 GetPC();
106 | 		virtual u64 GetTeb();
107 | 		virtual void SetPC(u64 pc);
108 | 		virtual void SetTeb(u64 teb);
109 | 		virtual u64 GetRegistersHash(char unkBool);
110 | 		virtual u64 GetInstructionCount();
111 | 		virtual u64 ResetInstructionCount();
112 | 		virtual u64 SetInstructionCountLimit(unsigned int limit);
113 | 
114 | 		// Cache related functions have not been reversed or documented. Do not use.
115 | 		virtual void EmptyDataCache();
116 | 		virtual void QueryDataCacheLineSize();
117 | 		virtual void AlignAddrToDataCacheLineSize();
118 | 		virtual void RemoveLineFromDataCache();
119 | 		virtual void RemoveRangeFromCodeCache();
120 | 		virtual void ReadLineFromDataCache();
121 | 		virtual void WriteGuestMemory();
122 | 		virtual void CreateOrUpdateCacheLine();
123 | 		virtual void FindFirstValidDataLine();
124 | 		virtual void FindNextValidDataLine();
125 | 		virtual void SetMemoryTag();
126 | 
127 | 		virtual u64 RegisterInstrumentationCallbacks(u64* callbackStructure);
128 | 		virtual u64 SyncGuestMachineState();
129 | 
130 | 		// More undocumented functions.
131 | 		virtual void DisableFastMemoryPath();
132 | 		virtual void EnableFastMemoryPath();
133 | 		virtual void Delete();
134 | 		virtual void RegisterReplayCallbacks();
135 | 		virtual void FlushCaches();
136 | 		virtual void StopExecution();
137 | 		virtual void Execute();
138 | 		virtual void Destructor();
139 | 	}; //Size: 0x0850
140 | 
141 | 	// Callback for flow transfer operations. This callback applies to *all* control flow transfer operations.
142 | 	typedef void* (__fastcall* f_InstrCallbackFlowTransfer)(VirtualCpu* vCpu, u64 flowDstAddr);
143 | 
144 | 	// Callback for calls and returns
145 | 	typedef void* (__fastcall* f_InstrCallbackCallRets)(VirtualCpu* vCpu, u64 flowDstAddr);
146 | 
147 | 	// Note: This callback is never executed.
148 | 	typedef void* (__fastcall* f_InstrCallbackTranslation)();
149 | 
150 | 	// Callback prior to memory writes. It may also be some type of memory overwrite callback, or a memory reference callback. I am pretty confident that this is really just a callback that executes before memory write.
151 | 	typedef void(__fastcall* f_InstrCallbackPreWriteMemory)(VirtualCpu* vCpu, u64 address, u64 dataSize);
152 | 
153 | 	// Callback after memory writes
154 | 	typedef void(__fastcall* f_InstrCallbackPostWriteMemory)(VirtualCpu* vCpu, u64 address, void* pBuffer, u64 dataSize);
155 | 
156 | 	// Callback for memory read operations.
157 | 	typedef void(__fastcall* f_InstrCallbackReadMemory)(VirtualCpu* vCpu, u64 address, void* pBuffer, u64 dataSize);
158 | 
159 | 	// Unknown callback, never executed.
160 | 	typedef void* (__fastcall* f_InstrCallback6)();
161 | 
162 | 	// Callback for atomic operations(e.g lock, xcgh)
163 | 	typedef void* (__fastcall* f_InstrCallbackAtomic)(VirtualCpu* vCpu, void* a2);
164 | 
165 | 	// This callback is presumably executed when the code cache is full, but we have no use for it(I've also never encountered a scenario where it gets executed).
166 | 	typedef void* (__fastcall* f_InstrCallbackCodeCacheFull)();
167 | 
168 | 	// Callback for indirect jump operations(e.g jmp rax). It does not apply to indirect calls or other types of indirect control flow.
169 | 	typedef void* (__fastcall* f_InstrCallbackIndirectJump)(VirtualCpu* vCpu, u64 flowDstAddr);
170 | 
171 | 	// Internal function for reading virual cpu memory.
172 | 	typedef bool(__fastcall* f_ReadCachedDataInternal)(VirtualCpu* vCpu, u64 addr, void* pDst, u64 dataSize);
173 | 
174 | 	class InstrumentationCallbacks
175 | 	{
176 | 	public:
177 | 		f_InstrCallbackFlowTransfer* callbackFlowTransfer = nullptr;
178 | 		f_InstrCallbackCallRets* callbackCallRets = nullptr;
179 | 		f_InstrCallbackTranslation* callbackTranslation = nullptr;
180 | 		f_InstrCallbackPreWriteMemory* callbackPreWriteMemory = nullptr;
181 | 		f_InstrCallbackPostWriteMemory* callbackPostWriteMemory = nullptr;
182 | 		f_InstrCallbackReadMemory* callbackReadMemory = nullptr;
183 | 		f_InstrCallback6* callback6 = nullptr;
184 | 		f_InstrCallbackAtomic* callbackAtomicOperation = nullptr;
185 | 		f_InstrCallbackCodeCacheFull* callbackCodeCacheFull = nullptr;
186 | 		f_InstrCallbackIndirectJump* callbackIndirectJump = nullptr;
187 | 	};
188 | 
189 | 	typedef void(__fastcall* f_RegisterCallbacks)(InstrumentationCallbacks* callbacks);
190 | 
191 | 	class VirtualCpuHelper
192 | 	{
193 | 	private:
194 | 		inline static f_ReadCachedDataInternal readCachedDataInternal;
195 | 	public:
196 | 		static bool ReadVirtualCpuMemory(VirtualCpu* vCpu, u64 addr, void* pDst, u64 dataSize);
197 | 	};
198 | }


--------------------------------------------------------------------------------
/WinDNA/WinDNA.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{351e43ab-b29e-4eee-848c-821394c69c55}</ProjectGuid>
 25 |     <RootNamespace>WinDNA</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 77 |     <LinkIncremental>false</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 80 |     <LinkIncremental>true</LinkIncremental>
 81 |     <IncludePath>C:\Users\colton\source\repos\vcpkg\installed\x64-windows-static\include;C:\Users\colton\source\repos\vcpkg\installed\x64-windows\include;C:\Users\colton\source\repos\Triton\Dependencies\z3-4.8.9-x64-win\include;C:\Users\colton\source\repos\Triton\Dependencies\boost_1_73_0;C:\Users\colton\source\repos\Triton\src\libtriton\includes;include;$(IncludePath)</IncludePath>
 82 |     <LibraryPath>C:\Users\colton\Downloads\triton_binaries;C:\Users\colton\source\repos\vcpkg\installed\x64-windows-static\lib;C:\Users\colton\source\repos\vcpkg\installed\x64-windows\lib;$(LibraryPath)</LibraryPath>
 83 |   </PropertyGroup>
 84 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 85 |     <LinkIncremental>false</LinkIncremental>
 86 |     <IncludePath>include;C:\Users\colton\source\repos\Triton\src\libtriton\includes;C:\Users\colton\source\repos\Triton\Dependencies\boost_1_73_0;C:\Users\colton\source\repos\Triton\Dependencies\z3-4.8.9-x64-win\include;C:\Users\colton\source\repos\vcpkg\installed\x64-windows\include;C:\Users\colton\source\repos\vcpkg\installed\x64-windows-static\include;$(IncludePath)</IncludePath>
 87 |     <LibraryPath>C:\Users\colton\source\repos\vcpkg\installed\x64-windows\lib;C:\Users\colton\source\repos\vcpkg\installed\x64-windows-static\lib;C:\Users\colton\Downloads\triton_binaries;$(LibraryPath)</LibraryPath>
 88 |   </PropertyGroup>
 89 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 90 |     <ClCompile>
 91 |       <WarningLevel>Level3</WarningLevel>
 92 |       <SDLCheck>true</SDLCheck>
 93 |       <PreprocessorDefinitions>WIN32;_DEBUG;WINDNA_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 94 |       <ConformanceMode>true</ConformanceMode>
 95 |       <PrecompiledHeader>Use</PrecompiledHeader>
 96 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
 97 |     </ClCompile>
 98 |     <Link>
 99 |       <SubSystem>Windows</SubSystem>
100 |       <GenerateDebugInformation>true</GenerateDebugInformation>
101 |       <EnableUAC>false</EnableUAC>
102 |     </Link>
103 |   </ItemDefinitionGroup>
104 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
105 |     <ClCompile>
106 |       <WarningLevel>Level3</WarningLevel>
107 |       <FunctionLevelLinking>true</FunctionLevelLinking>
108 |       <IntrinsicFunctions>true</IntrinsicFunctions>
109 |       <SDLCheck>true</SDLCheck>
110 |       <PreprocessorDefinitions>WIN32;NDEBUG;WINDNA_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
111 |       <ConformanceMode>true</ConformanceMode>
112 |       <PrecompiledHeader>Use</PrecompiledHeader>
113 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
114 |     </ClCompile>
115 |     <Link>
116 |       <SubSystem>Windows</SubSystem>
117 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
118 |       <OptimizeReferences>true</OptimizeReferences>
119 |       <GenerateDebugInformation>true</GenerateDebugInformation>
120 |       <EnableUAC>false</EnableUAC>
121 |     </Link>
122 |   </ItemDefinitionGroup>
123 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
124 |     <ClCompile>
125 |       <WarningLevel>Level3</WarningLevel>
126 |       <SDLCheck>true</SDLCheck>
127 |       <PreprocessorDefinitions>_DEBUG;WINDNA_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
128 |       <ConformanceMode>true</ConformanceMode>
129 |       <PrecompiledHeader>Use</PrecompiledHeader>
130 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
131 |       <LanguageStandard>stdcpp17</LanguageStandard>
132 |     </ClCompile>
133 |     <Link>
134 |       <SubSystem>Windows</SubSystem>
135 |       <GenerateDebugInformation>true</GenerateDebugInformation>
136 |       <EnableUAC>false</EnableUAC>
137 |       <AdditionalDependencies>detours.lib;capstone.lib;%(AdditionalDependencies)</AdditionalDependencies>
138 |     </Link>
139 |   </ItemDefinitionGroup>
140 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
141 |     <ClCompile>
142 |       <WarningLevel>Level3</WarningLevel>
143 |       <FunctionLevelLinking>true</FunctionLevelLinking>
144 |       <IntrinsicFunctions>true</IntrinsicFunctions>
145 |       <SDLCheck>true</SDLCheck>
146 |       <PreprocessorDefinitions>NDEBUG;WINDNA_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
147 |       <ConformanceMode>true</ConformanceMode>
148 |       <PrecompiledHeader>Use</PrecompiledHeader>
149 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
150 |       <LanguageStandard>stdcpp17</LanguageStandard>
151 |     </ClCompile>
152 |     <Link>
153 |       <SubSystem>Windows</SubSystem>
154 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
155 |       <OptimizeReferences>true</OptimizeReferences>
156 |       <GenerateDebugInformation>true</GenerateDebugInformation>
157 |       <EnableUAC>false</EnableUAC>
158 |       <AdditionalDependencies>triton.lib;detours.lib;capstone.lib;%(AdditionalDependencies)</AdditionalDependencies>
159 |     </Link>
160 |   </ItemDefinitionGroup>
161 |   <ItemGroup>
162 |     <ClInclude Include="include\addresses.h" />
163 |     <ClInclude Include="include\internal_structures.h" />
164 |     <ClInclude Include="include\pch.h" />
165 |     <ClInclude Include="include\triton_tainter.h" />
166 |   </ItemGroup>
167 |   <ItemGroup>
168 |     <ClCompile Include="src\addresses.cpp" />
169 |     <ClCompile Include="src\dllmain.cpp" />
170 |     <ClCompile Include="src\internal_structures.cpp" />
171 |     <ClCompile Include="src\pch.cpp">
172 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
173 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
174 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
175 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
176 |     </ClCompile>
177 |     <ClCompile Include="src\triton_tainter.cpp" />
178 |   </ItemGroup>
179 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
180 |   <ImportGroup Label="ExtensionTargets">
181 |   </ImportGroup>
182 | </Project>


--------------------------------------------------------------------------------