├── ExtDepLibs ├── Au3Info.exe ├── autoit │ ├── __init__.py │ ├── __init__.pyc │ ├── autoit.py │ ├── autoit.pyc │ ├── control.py │ ├── control.pyc │ ├── lib │ │ ├── AutoItX3.dll │ │ └── AutoItX3_x64.dll │ ├── process.py │ ├── process.pyc │ ├── win.py │ └── win.pyc ├── domato │ ├── CONTRIBUTING.md │ ├── LICENSE │ ├── README.md │ ├── attributevalues.txt │ ├── common.txt │ ├── css.txt │ ├── cssproperties.txt │ ├── generator.py │ ├── grammar.py │ ├── grammar.pyc │ ├── html.txt │ ├── js.txt │ ├── jshelpers.txt │ ├── svg.txt │ ├── svgattrvalues.txt │ ├── tagattributes.txt │ └── template.html └── winappdbg │ ├── __init__.py │ ├── __init__.pyc │ ├── breakpoint.py │ ├── breakpoint.pyc │ ├── crash.py │ ├── crash.pyc │ ├── debug.py │ ├── debug.pyc │ ├── disasm.py │ ├── disasm.pyc │ ├── event.py │ ├── event.pyc │ ├── interactive.py │ ├── interactive.pyc │ ├── module.py │ ├── module.pyc │ ├── plugins │ ├── README │ ├── __init__.py │ ├── do_example.py │ ├── do_exchain.py │ ├── do_exploitable.py │ └── do_symfix.py │ ├── process.py │ ├── process.pyc │ ├── registry.py │ ├── registry.pyc │ ├── search.py │ ├── search.pyc │ ├── sql.py │ ├── sql.pyc │ ├── system.py │ ├── system.pyc │ ├── textio.py │ ├── textio.pyc │ ├── thread.py │ ├── thread.pyc │ ├── util.py │ ├── util.pyc │ ├── win32 │ ├── __init__.py │ ├── __init__.pyc │ ├── advapi32.py │ ├── advapi32.pyc │ ├── context_amd64.py │ ├── context_amd64.pyc │ ├── context_i386.py │ ├── context_i386.pyc │ ├── dbghelp.py │ ├── dbghelp.pyc │ ├── defines.py │ ├── defines.pyc │ ├── gdi32.py │ ├── gdi32.pyc │ ├── kernel32.py │ ├── kernel32.pyc │ ├── ntdll.py │ ├── ntdll.pyc │ ├── peb_teb.py │ ├── peb_teb.pyc │ ├── psapi.py │ ├── psapi.pyc │ ├── shell32.py │ ├── shell32.pyc │ ├── shlwapi.py │ ├── shlwapi.pyc │ ├── user32.py │ ├── user32.pyc │ ├── version.py │ ├── version.pyc │ ├── wtsapi32.py │ └── wtsapi32.pyc │ ├── window.py │ └── window.pyc ├── PopUpKiller.py ├── README.md ├── fuzzHTML.py ├── fuzzPics.py ├── includepicture.docx ├── 
includetext.docx └── popuphandler.PNG /ExtDepLibs/Au3Info.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/Au3Info.exe -------------------------------------------------------------------------------- /ExtDepLibs/autoit/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | __author__ = 'Jace Xu' 4 | __version__ = "0.3" 5 | 6 | from .autoit import options, properties, commands 7 | from .autoit import AutoItError 8 | 9 | from .autoit import error 10 | from .autoit import auto_it_set_option 11 | from .autoit import clip_get 12 | from .autoit import clip_put 13 | from .autoit import is_admin 14 | from .autoit import drive_map_add 15 | from .autoit import drive_map_del 16 | from .autoit import drive_map_get 17 | from .autoit import mouse_click 18 | from .autoit import mouse_click_drag 19 | from .autoit import mouse_down 20 | from .autoit import mouse_get_cursor 21 | from .autoit import mouse_get_pos 22 | from .autoit import mouse_move 23 | from .autoit import mouse_up 24 | from .autoit import mouse_wheel 25 | from .autoit import opt 26 | from .autoit import pixel_checksum 27 | from .autoit import pixel_get_color 28 | from .autoit import pixel_search 29 | from .autoit import send 30 | from .autoit import tooltip 31 | 32 | from .process import run 33 | from .process import run_wait 34 | from .process import process_close 35 | from .process import process_exists 36 | from .process import process_set_priority 37 | from .process import process_wait 38 | from .process import process_wait_close 39 | from .process import run_as 40 | from .process import run_as_wait 41 | from .process import shutdown 42 | 43 | from .win import win_activate 44 | from .win import win_activate_by_handle 45 | from .win import win_active 46 | from .win import 
win_active_by_handle 47 | from .win import win_close 48 | from .win import win_close_by_handle 49 | from .win import win_exists 50 | from .win import win_exists_by_handle 51 | from .win import win_get_caret_pos 52 | from .win import win_get_class_list 53 | from .win import win_get_class_list_by_handle 54 | from .win import win_get_client_size 55 | from .win import win_get_client_size_by_handle 56 | from .win import win_get_handle 57 | from .win import win_get_handle_as_text 58 | from .win import win_get_pos 59 | from .win import win_get_pos_by_handle 60 | from .win import win_get_process 61 | from .win import win_get_process_by_handle 62 | from .win import win_get_state 63 | from .win import win_get_state_by_handle 64 | from .win import win_get_text 65 | from .win import win_get_text_by_handle 66 | from .win import win_get_title 67 | from .win import win_get_title_by_handle 68 | from .win import win_kill 69 | from .win import win_kill_by_handle 70 | from .win import win_menu_select_item 71 | from .win import win_menu_select_item_by_handle 72 | from .win import win_minimize_all 73 | from .win import win_minimize_all_undo 74 | from .win import win_move 75 | from .win import win_move_by_handle 76 | from .win import win_set_on_top 77 | from .win import win_set_on_top_by_handle 78 | from .win import win_set_state 79 | from .win import win_set_state_by_handle 80 | from .win import win_set_title 81 | from .win import win_set_title_by_handle 82 | from .win import win_set_trans 83 | from .win import win_set_trans_by_handle 84 | from .win import win_wait 85 | from .win import win_wait_by_handle 86 | from .win import win_wait_active 87 | from .win import win_wait_active_by_handle 88 | from .win import win_wait_close 89 | from .win import win_wait_close_by_handle 90 | from .win import win_wait_not_active 91 | from .win import win_wait_not_active_by_handle 92 | 93 | from .control import control_click 94 | from .control import control_click_by_handle 95 | from .control import 
control_command 96 | from .control import control_command_by_handle 97 | from .control import control_list_view 98 | from .control import control_list_view_by_handle 99 | from .control import control_disable 100 | from .control import control_disable_by_handle 101 | from .control import control_enable 102 | from .control import control_enable_by_handle 103 | from .control import control_focus 104 | from .control import control_focus_by_handle 105 | from .control import control_get_focus 106 | from .control import control_get_focus_by_handle 107 | from .control import control_get_handle 108 | from .control import control_get_handle_as_text 109 | from .control import control_get_pos 110 | from .control import control_get_pos_by_handle 111 | from .control import control_get_text 112 | from .control import control_get_text_by_handle 113 | from .control import control_hide 114 | from .control import control_hide_by_handle 115 | from .control import control_move 116 | from .control import control_move_by_handle 117 | from .control import control_send 118 | from .control import control_send_by_handle 119 | from .control import control_set_text 120 | from .control import control_set_text_by_handle 121 | from .control import control_show 122 | from .control import control_show_by_handle 123 | from .control import control_tree_view 124 | from .control import control_tree_view_by_handle 125 | from .control import statusbar_get_text 126 | from .control import statusbar_get_text_by_handle -------------------------------------------------------------------------------- /ExtDepLibs/autoit/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/autoit/__init__.pyc -------------------------------------------------------------------------------- /ExtDepLibs/autoit/autoit.py: 
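# -*- coding: utf-8 -*-

__author__ = 'Jace Xu'

import ctypes
import os
import platform
from ctypes.wintypes import *
from functools import wraps

# Pick the AutoItX build that matches the *interpreter's* bitness: a 64-bit
# Python cannot load a 32-bit DLL and vice versa.
dll = "AutoItX3.dll"
bit, _ = platform.architecture()

if bit == "64bit":
    # if 64bit version of python, load AutoItX3_x64.dll
    dll = "AutoItX3_x64.dll"

dll_path = os.path.join(os.path.dirname(__file__), "lib", dll)

if not os.path.exists(dll_path):
    raise IOError("Cannot load AutoItX from path: %s" % dll_path)

# NOTE(review): the DLL is loaded by absolute path, so AutoItX itself is not
# resolved through the DLL search order, but nothing here verifies the
# vendored binary (no hash or signature check): whoever can write to lib/
# runs native code in every process that imports this package.
# ctypes.windll only exists on Windows; importing this module elsewhere
# raises AttributeError.
AUTO_IT = ctypes.windll.LoadLibrary(dll_path)


class AutoItError(Exception):
    """Raised by the ``api.check`` wrappers when an AutoItX call fails."""
    pass


def error():
    """Return AutoItX's last error code (``AU3_error``); 0 means no error."""
    return AUTO_IT.AU3_error()


class AutoItAPI(object):
    """Builds the ``check`` decorator that turns AutoItX status into exceptions."""

    def __init__(self):
        # Not read anywhere in this class; kept as part of the instance API.
        self.msg = {}

    @staticmethod
    def _has_error():
        # NOTE(review): only code 1 counts as an error here. Some AutoItX
        # calls set other codes (drive_map_add in this file handles 1-6), and
        # those slip through this check. Left unchanged to keep behaviour.
        return error() == 1

    @staticmethod
    def _has_unexpected_ret(ret, unexpected):
        return ret in unexpected

    @staticmethod
    def _decode_mark(mark):
        """Split ``mark`` into ``(check_error, check_ret)`` booleans.

        ``mark`` is read as 2 + 1: 0 = no checks, 1 = error(), 2 = return
        value, 3 = both. This reproduces the original subtract-largest-first
        decoding (values above 3 enable both checks), without the builtin
        ``reduce`` the original relied on, which Python 3 no longer provides.
        """
        remaining = mark
        check_ret = remaining >= 2
        if check_ret:
            remaining -= 2
        check_err = remaining >= 1
        return check_err, check_ret

    def check(self, mark=0, err_msg="", **kwds):
        """Decorator factory validating the outcome of a wrapped AutoItX call.

        :param mark:
            0 - do not need check return value or error()
            1 - check error()
            2 - check return value
        :param err_msg: message of the ``AutoItError`` raised on failure
        :param unexpected_ret: (keyword) tuple of return values that mean
            failure when mark includes 2; defaults to ``(0,)``
        :return: decorator; the wrapped function returns the raw C result
        :raises AutoItError: from the wrapper, on failure
        """
        unexpected_ret = kwds.get("unexpected_ret", (0,))
        # Decoded once per decoration rather than on every call.
        check_err, check_ret = self._decode_mark(mark)

        def _check(fn):
            @wraps(fn)
            def wrapper(*args, **kwargs):
                ret = fn(*args, **kwargs)

                # error() is consulted before the return value, as before.
                if check_err and self._has_error():
                    raise AutoItError(err_msg)

                if check_ret and self._has_unexpected_ret(ret, unexpected_ret):
                    raise AutoItError(err_msg)

                return ret
            return wrapper
        return _check


api = AutoItAPI()

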
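@api.check()
def auto_it_set_option(option, param):
    """
    Changes the operation of various AutoIt functions/parameters
    :param option: The option to change
    :param param: The parameter (varies by option). Must be a plain int:
        it is wrapped in ``INT`` here, so callers must not pre-wrap it.
    :return: the previous value as returned by AU3_AutoItSetOption
    """
    pre_value = AUTO_IT.AU3_AutoItSetOption(LPCWSTR(option), INT(param))
    return pre_value


class Properties(object):
    """
    Below is a list of all the properties available in AutoItX.
    The SW_* values mirror the Win32 ShowWindow command constants.
    """
    SW_HIDE = 0
    SW_MAXIMIZE = 3
    SW_MINIMIZE = 6
    SW_RESTORE = 9
    SW_SHOW = 5
    SW_SHOWDEFAULT = 10
    SW_SHOWMAXIMIZED = 3
    SW_SHOWMINIMIZED = 2
    SW_SHOWMINNOACTIVE = 7
    SW_SHOWNA = 8
    SW_SHOWNOACTIVATE = 4
    SW_SHOWNORMAL = 1


class _AutoItOption(object):
    """Data descriptor backing one ``_Options`` attribute.

    Reading returns the locally cached value. Assigning first pushes the
    value to AutoItX through ``auto_it_set_option`` and only then updates
    the cache, so a failing call leaves the cached value untouched.
    """

    def __init__(self, option, attr):
        self.option = option  # AutoItX option name, e.g. "MouseCoordMode"
        self.attr = attr      # instance attribute holding the cached value

    def __get__(self, obj, objtype=None):
        if obj is None:
            return self
        return getattr(obj, self.attr)

    def __set__(self, obj, value):
        # Pass the raw value: auto_it_set_option wraps it in INT itself. The
        # original send_attach_mode setter pre-wrapped it as INT(value), which
        # made auto_it_set_option evaluate INT(INT(...)) and raise TypeError.
        auto_it_set_option(self.option, value)
        setattr(obj, self.attr, value)


class _Options(object):
    """Mirror of the AutoItX settings reachable via AutoItSetOption.

    Instance attributes hold the last value written through this object;
    they start at the values below and are never read back from the DLL,
    so they only reflect changes made through this wrapper.
    """

    def __init__(self):
        self._caret_coord_mode = 1
        self._mouse_click_delay = 10
        self._mouse_click_down_delay = 10
        self._mouse_click_drag_delay = 250
        self._mouse_coord_mode = 1
        self._pixel_coord_mode = 1
        self._send_attach_mode = 0
        self._send_capslock_mode = 1
        self._send_key_delay = 5
        self._send_key_down_delay = 10
        self._win_detect_hidden_text = 0
        self._win_search_children = 0
        self._win_text_match_mode = 1
        self._win_title_match_mode = 1
        self._win_wait_delay = 250

    # One descriptor per option; the second argument is the cache attribute
    # initialised above.
    caret_coord_mode = _AutoItOption("CaretCoordMode", "_caret_coord_mode")
    mouse_click_delay = _AutoItOption("MouseClickDelay", "_mouse_click_delay")
    mouse_click_down_delay = _AutoItOption(
        "MouseClickDownDelay", "_mouse_click_down_delay")
    mouse_click_drag_delay = _AutoItOption(
        "MouseClickDragDelay", "_mouse_click_drag_delay")
    mouse_coord_mode = _AutoItOption("MouseCoordMode", "_mouse_coord_mode")
    pixel_coord_mode = _AutoItOption("PixelCoordMode", "_pixel_coord_mode")
    send_attach_mode = _AutoItOption("SendAttachMode", "_send_attach_mode")
    send_capslock_mode = _AutoItOption(
        "SendCapslockMode", "_send_capslock_mode")
    send_key_delay = _AutoItOption("SendKeyDelay", "_send_key_delay")
    send_key_down_delay = _AutoItOption(
        "SendKeyDownDelay", "_send_key_down_delay")
    win_detect_hidden_text = _AutoItOption(
        "WinDetectHiddenText", "_win_detect_hidden_text")
    win_search_children = _AutoItOption(
        "WinSearchChildren", "_win_search_children")
    win_text_match_mode = _AutoItOption(
        "WinTextMatchMode", "_win_text_match_mode")
    win_title_match_mode = _AutoItOption(
        "WinTitleMatchMode", "_win_title_match_mode")
    win_wait_delay = _AutoItOption("WinWaitDelay", "_win_wait_delay")


class Commands(object):
    """Command strings meant for the ``command`` argument of the control_*
    helpers; exposed at module level as ``commands``."""

    is_visible = "IsVisible"
    is_enabled = "IsEnabled"
    show_drop_down = "ShowDropDown"
    hide_drop_down = "HideDropDown"
    add_string = "AddString"
    del_string = "DelString"
    find_string = "FindString"
    set_current_selection = "SetCurrentSelection"
    is_checked = "IsChecked"
    check = "Check"
    un_check = "UnCheck"
    get_current_line = "GetCurrentLine"
    get_current_col = "GetCurrentCol"
    get_current_selection = "GetCurrentSelection"
    get_line_count = "GetLineCount"
    get_line = "GetLine"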
= "GetLine" 292 | get_selected = "GetSelected" 293 | edit_paste = "EditPaste" 294 | current_tab = "CurrentTab" 295 | tab_right = "TabRight" 296 | tab_left = "TabLeft" 297 | de_select = "DeSelect" 298 | find_item = "FindItem" 299 | get_item_count = "GetItemCount" 300 | get_selected_count = "GetSelectedCount" 301 | get_sub_item_count = "GetSubItemCount" 302 | get_text = "GetText" 303 | is_selected = "IsSelected" 304 | select = "Select" 305 | select_all = "SelectAll" 306 | select_clear = "SelectClear" 307 | select_invert = "SelectInvert" 308 | view_change = "View" 309 | collapse = "Collapse" 310 | exists = "Exists" 311 | expand = "Expand" 312 | uncheck = "Uncheck" 313 | 314 | options = _Options() 315 | properties = Properties 316 | commands = Commands 317 | INTDEFAULT = -2147483647 318 | 319 | 320 | @api.check(1, err_msg="clipboard is empty or contains a non-text entry") 321 | def clip_get(buf_size=256): 322 | """ 323 | 324 | :param buf_size: 325 | :return: 326 | """ 327 | 328 | clip = ctypes.create_unicode_buffer(buf_size) 329 | AUTO_IT.AU3_ClipGet(clip, INT(buf_size)) 330 | return clip.value.rstrip() 331 | 332 | 333 | @api.check(2, err_msg="Write text to clipboard failed") 334 | def clip_put(value): 335 | """ 336 | 337 | :param value: 338 | :return: 339 | """ 340 | ret = AUTO_IT.AU3_ClipPut(LPCWSTR(value)) 341 | return ret 342 | 343 | 344 | def is_admin(): 345 | """ 346 | 347 | :return: 348 | """ 349 | ret = AUTO_IT.AU3_IsAdmin() 350 | return ret 351 | 352 | 353 | def drive_map_add(device, share, flag=0, user="", pwd="", buf_size=256): 354 | """ 355 | 356 | :param device: 357 | :param share: 358 | :param flag: 0 = default 359 | 1 = Persistant mapping 360 | 8 = Show authentication dialog if required 361 | :param user: 362 | :param pwd: 363 | :param buf_size: 364 | :return: 365 | """ 366 | result = ctypes.create_unicode_buffer(buf_size) 367 | 368 | err_code = { 369 | 1: "Undefined / Other error", 370 | 2: "Access to the remote share was denied", 371 | 3: "The device 
is already assigned", 372 | 4: "Invalid device name", 373 | 5: "Invalid remote share", 374 | 6: "Invalid password" 375 | } 376 | AUTO_IT.AU3_DriveMapAdd( 377 | LPCWSTR(device), LPCWSTR(share), INT(flag), LPCWSTR(user), 378 | LPCWSTR(pwd), result, INT(buf_size)) 379 | 380 | if error(): 381 | raise AutoItError(err_code.get(error(), None)) 382 | return result.value.rstrip() 383 | 384 | 385 | @api.check(2, err_msg="the disconnection was unsuccessful") 386 | def drive_map_del(device): 387 | """ 388 | 389 | :param device: 390 | :return: 391 | """ 392 | ret = AUTO_IT.AU3_DriveMapDel(LPCWSTR(device)) 393 | return ret 394 | 395 | 396 | @api.check(1, err_msg="get the details of a mapped drive failed") 397 | def drive_map_get(device, buf_size=256): 398 | """ 399 | 400 | :param device: 401 | :param buf_size: 402 | :return: 403 | """ 404 | mapping = ctypes.create_unicode_buffer(buf_size) 405 | AUTO_IT.AU3_DriveMapGet(LPCWSTR(device), mapping, INT(buf_size)) 406 | return mapping.value.rstrip() 407 | 408 | 409 | def mouse_click(button="left", x=INTDEFAULT, y=INTDEFAULT, clicks=1, speed=-1): 410 | """ 411 | 412 | :param button: 413 | :param x: 414 | :param y: 415 | :param clicks: 416 | :param speed: 417 | :return: 418 | """ 419 | ret = AUTO_IT.AU3_MouseClick( 420 | LPCWSTR(button), INT(x), INT(y), INT(clicks), INT(speed) 421 | ) 422 | return ret 423 | 424 | 425 | def mouse_click_drag(x1, y1, x2, y2, button="left", speed=-1): 426 | """ 427 | 428 | :param x1: 429 | :param y1: 430 | :param x2: 431 | :param y2: 432 | :param button: 433 | :param speed: 434 | :return: 435 | """ 436 | 437 | ret = AUTO_IT.AU3_MouseClickDrag( 438 | LPCWSTR(button), INT(x1), INT(y1), INT(x2), INT(y2), INT(speed) 439 | ) 440 | return ret 441 | 442 | 443 | def mouse_down(button="left"): 444 | """ 445 | 446 | :param button: 447 | :return: 448 | """ 449 | AUTO_IT.AU3_MouseDown(LPCWSTR(button)) 450 | 451 | 452 | def mouse_get_cursor(): 453 | """ 454 | 455 | :return: 456 | """ 457 | ret = 
    return AUTO_IT.AU3_MouseGetCursor()


def mouse_get_pos():
    """
    Current mouse position.
    :return: ``(x, y)`` tuple filled in by AutoItX
    """
    pos = POINT()
    AUTO_IT.AU3_MouseGetPos(ctypes.byref(pos))
    return pos.x, pos.y


def mouse_move(x, y, speed=-1):
    """
    Move the mouse cursor.
    :param x:
    :param y:
    :param speed: passed straight through to AutoItX
    :return: raw AutoItX return value (not validated)
    """
    return AUTO_IT.AU3_MouseMove(INT(x), INT(y), INT(speed))


def mouse_up(button="left"):
    """
    Release a button previously pressed with ``mouse_down``.
    :param button: button name, "left" by default
    :return: None
    """
    AUTO_IT.AU3_MouseUp(LPCWSTR(button))


@api.check(1, err_msg="the direction is not recognized")
def mouse_wheel(direction, clicks=-1):
    """
    Scroll the mouse wheel.
    :param direction: "up" or "down"
    :param clicks: passed straight through to AutoItX
    :return: None
    :raises AutoItError: when AutoItX rejects the direction
    """
    AUTO_IT.AU3_MouseWheel(LPCWSTR(direction), INT(clicks))


def opt(option, value):
    """
    Shorthand for ``auto_it_set_option``.
    :param option: option name
    :param value: new value
    :return: whatever ``auto_it_set_option`` returns
    """
    return auto_it_set_option(option, value)


def pixel_checksum(left, top, right, bottom, step=1):
    """
    Checksum of the pixels inside a screen rectangle.
    :param left:
    :param top:
    :param right:
    :param bottom:
    :param step: sampling step passed to AutoItX
    :return: raw checksum value from AutoItX
    """
    region = RECT(left, top, right, bottom)
    return AUTO_IT.AU3_PixelChecksum(ctypes.byref(region), INT(step))


@api.check(2, unexpected_ret=(-1,), err_msg="invalid coordinates")
def pixel_get_color(x, y):
    """
    Colour of a single screen pixel.
    :param x:
    :param y:
    :return: colour value from AutoItX; -1 is turned into AutoItError
    """
    return AUTO_IT.AU3_PixelGetColor(INT(x), INT(y))


@api.check(1, err_msg="color is not found")
def pixel_search(left, top, right, bottom, col, var=1, step=1):
    """
    Search a screen rectangle for a colour.
    :param left:
    :param top:
    :param right:
    :param bottom:
    :param col: colour to look for
    :param var: tolerance passed to AutoItX
    :param step: sampling step passed to AutoItX
    :return: ``(x, y)`` of the match
    :raises AutoItError: when AutoItX reports no match
    """
    p = POINT()
    rect = RECT(left, top, right, bottom)
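    rect = RECT(left, top, right, bottom)

    AUTO_IT.AU3_PixelSearch(
        ctypes.byref(rect), INT(col), INT(var), INT(step), ctypes.byref(p)
    )
    return p.x, p.y


def send(send_text, mode=0):
    """
    Sends simulated keystrokes to the active window.
    :param send_text: text / key sequence to type
    :param mode: Changes how "keys" is processed:
        flag = 0 (default), Text contains special characters like + and ! to
        indicate SHIFT and ALT key presses.
        flag = 1, keys are sent raw.
    :return: None (the AutoItX result is not checked)
    """
    # NOTE(review): input goes to whichever window is active when this runs,
    # so a focus change mid-run redirects it elsewhere. With mode=0, "+", "!"
    # and "{...}" sequences in send_text are interpreted as modifiers / key
    # names; use mode=1 when send_text is derived from data you do not
    # control (fuzz cases, document contents) so it is typed literally.
    AUTO_IT.AU3_Send(LPCWSTR(send_text), INT(mode))


def tooltip(tip, x=INTDEFAULT, y=INTDEFAULT):
    """
    Show a tooltip.
    :param tip: tooltip text
    :param x: screen x, INTDEFAULT means "not specified"
    :param y: screen y, INTDEFAULT means "not specified"
    :return: None
    """
    AUTO_IT.AU3_ToolTip(LPCWSTR(tip), INT(x), INT(y))

--------------------------------------------------------------------------------
/ExtDepLibs/autoit/autoit.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/autoit/autoit.pyc
--------------------------------------------------------------------------------
/ExtDepLibs/autoit/control.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-

__author__ = 'Jace Xu'

# Explicit relative imports: the package __init__ already uses
# ``from .autoit import ...``, and the implicit ``from autoit import ...``
# form is not resolved relative to the package on Python 3.
from .autoit import INTDEFAULT, AUTO_IT
from .autoit import api
from ctypes.wintypes import *
import ctypes


@api.check(2, "send click message failed")
def control_click(title, control, **kwargs):
    """
    Click a control inside a window identified by title (and optional text).
    :param title: window title
    :param text: (keyword) window text to match, default ""
    :param control: control identifier
    :param button: (keyword) mouse button, default "left"
    :param clicks: (keyword) number of clicks, default 1
    :param x: (keyword) click x inside the control, default INTDEFAULT
    :param y: (keyword) click y inside the control, default INTDEFAULT
    :return: raw AutoItX status; 0 is turned into AutoItError by api.check
    """
    text = kwargs.get("text", "")
    button = kwargs.get("button", "left")
    clicks = kwargs.get("clicks", 1)
    x = kwargs.get("x", INTDEFAULT)
    y = kwargs.get("y", INTDEFAULT)

    ret = AUTO_IT.AU3_ControlClick(LPCWSTR(title), LPCWSTR(text),
                                   LPCWSTR(control), LPCWSTR(button),
                                   INT(clicks), INT(x), INT(y))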
AUTO_IT.AU3_ControlClick(LPCWSTR(title), LPCWSTR(text), 31 | LPCWSTR(control), LPCWSTR(button), 32 | INT(clicks), INT(x), INT(y)) 33 | return ret 34 | 35 | 36 | @api.check(2, "send click message failed") 37 | def control_click_by_handle(hwnd, h_ctrl, **kwargs): 38 | """ 39 | 40 | :param handle: 41 | :param kwargs: 42 | :return: 43 | """ 44 | button = kwargs.get("button", "left") 45 | clicks = kwargs.get("clicks", 1) 46 | x = kwargs.get("x", INTDEFAULT) 47 | y = kwargs.get("y", INTDEFAULT) 48 | 49 | ret = AUTO_IT.AU3_ControlClickByHandle(HWND(hwnd), HWND(h_ctrl), 50 | LPCWSTR(button), INT(clicks), 51 | INT(x), INT(y)) 52 | return ret 53 | 54 | 55 | @api.check(1, "no window match the criteria") 56 | def control_command(title, control, command, buf_size=256, **kwargs): 57 | """ 58 | 59 | :param title: 60 | :param control: 61 | :param command: 62 | :param extra: 63 | :param buf_size: 64 | :return: 65 | """ 66 | text = kwargs.get("text", "") 67 | extra = kwargs.get("extra", "") 68 | result = ctypes.create_unicode_buffer(buf_size) 69 | AUTO_IT.AU3_ControlCommand(LPCWSTR(title), LPCWSTR(text), LPCWSTR(control), 70 | LPCWSTR(command), LPCWSTR(extra), 71 | result, INT(buf_size)) 72 | 73 | return result.value.rstrip() 74 | 75 | 76 | @api.check(1, "no window match the criteria") 77 | def control_command_by_handle(hwnd, h_ctrl, command, buf_size=256, **kwargs): 78 | """ 79 | 80 | :param hwnd: 81 | :param h_ctrl: 82 | :param command: 83 | :param kwargs: 84 | :return: 85 | """ 86 | extra = kwargs.get("extra", "") 87 | result = ctypes.create_unicode_buffer(buf_size) 88 | 89 | AUTO_IT.AU3_ControlCommandByHandle( 90 | HWND(hwnd), HWND(h_ctrl), LPCWSTR(command), LPCWSTR(extra), result, 91 | INT(buf_size)) 92 | return result.value.rstrip() 93 | 94 | 95 | @api.check(1, "Window/Control could not be found") 96 | def control_list_view(title, control, command, **kwargs): 97 | """ 98 | 99 | :param title: 100 | :param control: 101 | :param command: 102 | :param args: 103 | :param kwargs: 
104 | :return: 105 | """ 106 | text = kwargs.get("text", "") 107 | buf_size = kwargs.get("buf_size", 256) 108 | result = ctypes.create_unicode_buffer(buf_size) 109 | extra1 = kwargs.get("extras1", "") 110 | extra2 = kwargs.get("extras2", "") 111 | 112 | AUTO_IT.AU3_ControlListView( 113 | LPCWSTR(title), LPCWSTR(text), LPCWSTR(control), LPCWSTR(command), 114 | LPCWSTR(extra1), LPCWSTR(extra2), result, INT(buf_size) 115 | ) 116 | return result.value.rstrip() 117 | 118 | 119 | @api.check(1, "Window/Control could not be found") 120 | def control_list_view_by_handle(hwnd, h_ctrl, command, **kwargs): 121 | """ 122 | 123 | :param hwnd: 124 | :param h_ctrl: 125 | :param command: 126 | :param kwargs: 127 | :return: 128 | """ 129 | extra1 = kwargs.get("extra1", "") 130 | extra2 = kwargs.get("extra2", "") 131 | buf_size = kwargs.get("buf_size", 256) 132 | result = ctypes.create_unicode_buffer(buf_size) 133 | 134 | AUTO_IT.AU3_ControlListViewByHandle( 135 | HWND(hwnd), HWND(h_ctrl), LPCWSTR(command), 136 | LPCWSTR(extra1), LPCWSTR(extra2), result, INT(buf_size) 137 | ) 138 | return result.value.rstrip() 139 | 140 | 141 | @api.check(2, "Window/Control could not be found") 142 | def control_disable(title, control, **kwargs): 143 | """ 144 | 145 | :param title: 146 | :param control: 147 | :param kwargs: 148 | :return: 149 | """ 150 | text = kwargs.get("text", "") 151 | 152 | ret = AUTO_IT.AU3_ControlDisable(LPCWSTR(title), LPCWSTR(text), 153 | LPCWSTR(control)) 154 | return ret 155 | 156 | 157 | @api.check(2, "Window/Control could not be found") 158 | def control_disable_by_handle(hwnd, h_ctrl): 159 | """ 160 | 161 | :param hwnd: 162 | :param h_ctrl: 163 | :return: 164 | """ 165 | ret = AUTO_IT.AU3_ControlDisableByHandle(HWND(hwnd), HWND(h_ctrl)) 166 | return ret 167 | 168 | 169 | @api.check(2, "Window/Control could not be found") 170 | def control_enable(title, control, **kwargs): 171 | """ 172 | 173 | :param title: 174 | :param control: 175 | :param kwargs: 176 | :return: 177 | 
""" 178 | text = kwargs.get("text", "") 179 | 180 | ret = AUTO_IT.AU3_ControlEnable(LPCWSTR(title), LPCWSTR(text), 181 | LPCWSTR(control)) 182 | return ret 183 | 184 | 185 | @api.check(2, "Window/Control could not be found") 186 | def control_enable_by_handle(hwnd, h_ctrl): 187 | """ 188 | 189 | :param hwnd: 190 | :param h_ctrl: 191 | :return: 192 | """ 193 | ret = AUTO_IT.AU3_ControlEnableByHandle(HWND(hwnd), HWND(h_ctrl)) 194 | return ret 195 | 196 | 197 | @api.check(2, "Window/Control could not be found") 198 | def control_focus(title, control, **kwargs): 199 | """ 200 | 201 | :param title: 202 | :param control: 203 | :param kwargs: 204 | :return: 205 | """ 206 | text = kwargs.get("text", "") 207 | 208 | ret = AUTO_IT.AU3_ControlFocus( 209 | LPCWSTR(title), LPCWSTR(text), LPCWSTR(control)) 210 | return ret 211 | 212 | 213 | @api.check(2, "Window/Control could not be found") 214 | def control_focus_by_handle(hwnd, h_ctrl): 215 | """ 216 | 217 | :param hwnd: 218 | :param h_ctrl: 219 | :return: 220 | """ 221 | ret = AUTO_IT.AU3_ControlFocusByHandle(HWND(hwnd), HWND(h_ctrl)) 222 | return ret 223 | 224 | 225 | @api.check(1, "Window/Control could not be found") 226 | def control_get_focus(title, **kwargs): 227 | """ 228 | 229 | :param title: 230 | :param kwargs: 231 | :return: 232 | """ 233 | buf_size = kwargs.get("buf_size", 256) 234 | text = kwargs.get("text", "") 235 | ctrl_with_focus = ctypes.create_unicode_buffer(buf_size) 236 | 237 | AUTO_IT.AU3_ControlGetFocus( 238 | LPCWSTR(title), LPCWSTR(text), ctrl_with_focus, INT(buf_size)) 239 | return ctrl_with_focus.value.rstrip() 240 | 241 | 242 | @api.check(1, "Window/Control could not be found") 243 | def control_get_focus_by_handle(hwnd, buf_size=256): 244 | """ 245 | 246 | :param hwnd: 247 | :param buf_size: 248 | :return: 249 | """ 250 | ctrl_with_focus = ctypes.create_unicode_buffer(buf_size) 251 | 252 | AUTO_IT.AU3_ControlGetFocusByHandle(HWND(hwnd), ctrl_with_focus, 253 | INT(buf_size)) 254 | return 
ctrl_with_focus.value.rstrip() 255 | 256 | 257 | @api.check(1, "Window/Control could not be found") 258 | def control_get_handle(hwnd, control): 259 | """ 260 | 261 | :param hwnd: 262 | :param control: 263 | :return: 264 | """ 265 | ret = AUTO_IT.AU3_ControlGetHandle(HWND(hwnd), LPCWSTR(control)) 266 | return ret 267 | 268 | 269 | @api.check(1, "Window/Control could not be found") 270 | def control_get_handle_as_text(title, control, **kwargs): 271 | """ 272 | 273 | :param title: 274 | :param control: 275 | :param kwargs: 276 | :return: 277 | """ 278 | text = kwargs.get("text", "") 279 | buf_size = kwargs.get("buf_size", 32) 280 | ret_text = ctypes.create_unicode_buffer(buf_size) 281 | 282 | AUTO_IT.AU3_ControlGetHandleAsText( 283 | LPCWSTR(title), LPCWSTR(text), LPCWSTR(control), 284 | ret_text, INT(buf_size) 285 | ) 286 | return ret_text.value.rstrip() 287 | 288 | 289 | @api.check(1, "Window/Control could not be found") 290 | def control_get_pos(title, control, text=""): 291 | """ 292 | 293 | :param title: 294 | :param control: 295 | :param text: 296 | :return: 297 | """ 298 | rect = RECT() 299 | 300 | AUTO_IT.AU3_ControlGetPos( 301 | LPCWSTR(title), LPCWSTR(text), LPCWSTR(control), 302 | ctypes.byref(rect) 303 | ) 304 | return rect.left, rect.top, rect.right, rect.bottom 305 | 306 | 307 | @api.check(1, "Window/Control could not be found") 308 | def control_get_pos_by_handle(hwnd, h_ctrl): 309 | """ 310 | 311 | :param hwnd: 312 | :param h_ctrl: 313 | :return: 314 | """ 315 | rect = RECT() 316 | 317 | AUTO_IT.AU3_ControlGetPosByHandle(HWND(hwnd), HWND(h_ctrl), 318 | ctypes.byref(rect)) 319 | return rect.left, rect.top, rect.right, rect.bottom 320 | 321 | 322 | @api.check(1, "Window/Control could not be found") 323 | def control_get_text(title, control, **kwargs): 324 | """ 325 | 326 | :param title: 327 | :param control: 328 | :param kwargs: 329 | :return: 330 | """ 331 | text = kwargs.get("text", "") 332 | buf_size = kwargs.get("buf_size", 256) 333 | ctrl_text = 
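ctypes.create_unicode_buffer(buf_size)

    AUTO_IT.AU3_ControlGetText(
        LPCWSTR(title), LPCWSTR(text), LPCWSTR(control),
        ctrl_text, INT(buf_size)
    )

    return ctrl_text.value.rstrip()


@api.check(1, "Window/Control could not be found")
def control_get_text_by_handle(hwnd, h_ctrl, **kwargs):
    """
    Read the text of a control addressed by window handle and control handle.

    NOTE(review): ``api.check`` is defined in autoit.py, which is not shown
    here; it is assumed to raise ``AutoItError`` with the given message when
    the DLL signals failure. The same applies to every decorated function in
    this module.

    :param hwnd: handle of the window that owns the control
    :param h_ctrl: handle of the control
    :param kwargs: ``buf_size`` -- capacity in characters of the receive
        buffer (default 256). The buffer and its length are both handed to
        the DLL, so longer text is expected to be cut short rather than
        overflow the buffer.
    :return: the control's text with trailing whitespace removed
    """
    buf_size = kwargs.get("buf_size", 256)
    ctrl_text = ctypes.create_unicode_buffer(buf_size)

    AUTO_IT.AU3_ControlGetTextByHandle(
        HWND(hwnd), HWND(h_ctrl), ctrl_text, INT(buf_size)
    )

    return ctrl_text.value.rstrip()


@api.check(2, "Window/Control could not be found")
def control_hide(title, control, **kwargs):
    """
    Hide a control located by window title and control identifier.

    :param title: title of the owning window
    :param control: AutoIt control identifier
    :param kwargs: ``text`` -- additional window text used to disambiguate
        the window (default "")
    :return: the DLL's return value
    """
    text = kwargs.get("text", "")

    ret = AUTO_IT.AU3_ControlHide(
        LPCWSTR(title), LPCWSTR(text), LPCWSTR(control))
    return ret


@api.check(2, "Window/Control could not be found")
def control_hide_by_handle(hwnd, h_ctrl):
    """
    Hide a control addressed by window handle and control handle.

    :param hwnd: handle of the window that owns the control
    :param h_ctrl: handle of the control
    :return: the DLL's return value
    """
    ret = AUTO_IT.AU3_ControlHideByHandle(HWND(hwnd), HWND(h_ctrl))
    return ret


@api.check(2, "Window/Control could not be found")
def control_move(title, control, x, y, width=-1, height=-1, **kwargs):
    """
    Move (and optionally resize) a control located by window title.

    :param title: title of the owning window
    :param control: AutoIt control identifier
    :param x: new left position of the control
    :param y: new top position of the control
    :param width: new width; -1 presumably keeps the current width
        (AutoIt convention) -- verify against the AutoItX documentation
    :param height: new height; -1 presumably keeps the current height
    :param kwargs: ``text`` -- additional window text (default "")
    :return: the DLL's return value
    """
    text = kwargs.get("text", "")

    ret = AUTO_IT.AU3_ControlMove(
        LPCWSTR(title), LPCWSTR(text), LPCWSTR(control),
        INT(x), INT(y), INT(width), INT(height)
    )
    return ret


@api.check(2, "Window/Control could not be found")
def control_move_by_handle(hwnd, h_ctrl, x, y, width=-1, height=-1):
    """
    Move (and optionally resize) a control addressed by handles.

    :param hwnd: handle of the window that owns the control
    :param h_ctrl: handle of the control
    :param x: new left position of the control
    :param y: new top position of the control
    :param width: new width; -1 presumably keeps the current width
    :param height: new height; -1 presumably keeps the current height
    :return: the DLL's return value
    """
    ret = AUTO_IT.AU3_ControlMoveByHandle(
        HWND(hwnd), HWND(h_ctrl), INT(x), INT(y), INT(width), INT(height)
    )
    return ret


@api.check(2, "Window/Control could not be found")
def control_send(title, control, send_text, mode=0, **kwargs):
    """
    Send keystrokes to a control located by window title.

    The text is delivered as keyboard input, so with ``mode`` 0 a
    ``send_text`` assembled from untrusted data could be interpreted as
    key combinations; use ``mode`` 1 when the content must be typed
    literally.

    :param title: title of the owning window
    :param control: AutoIt control identifier
    :param send_text: keys to send
    :param mode:
        flag = 0 (default), Text contains special characters like + to indicate
        SHIFT and {LEFT} to indicate left arrow.
        flag = 1, keys are sent raw.
    :param kwargs: ``text`` -- additional window text (default "")
    :return: the DLL's return value
    """
    text = kwargs.get("text", "")

    ret = AUTO_IT.AU3_ControlSend(
        LPCWSTR(title), LPCWSTR(text), LPCWSTR(control),
        LPCWSTR(send_text), INT(mode)
    )
    return ret


@api.check(2, "Window/Control could not be found")
def control_send_by_handle(hwnd, h_ctrl, send_text, mode=0):
    """
    Send keystrokes to a control addressed by handles.

    :param hwnd: handle of the window that owns the control
    :param h_ctrl: handle of the control
    :param send_text: keys to send
    :param mode: 0 = interpret special sequences (e.g. ``+``, ``{LEFT}``),
        1 = send the text raw; see ``control_send``
    :return: the DLL's return value
    """

    ret = AUTO_IT.AU3_ControlSendByHandle(
        HWND(hwnd), HWND(h_ctrl), LPCWSTR(send_text), INT(mode)
    )
    return ret


@api.check(2, "Window/Control could not be found")
def control_set_text(title, control, control_text, **kwargs):
    """
    Replace the text of a control located by window title.

    :param title: title of the owning window
    :param control: AutoIt control identifier
    :param control_text: the new text of the control
    :param kwargs: ``text`` -- additional window text (default "")
    :return: the DLL's return value
    """
    text = kwargs.get("text", "")

    ret = AUTO_IT.AU3_ControlSetText(
        LPCWSTR(title), LPCWSTR(text), LPCWSTR(control), LPCWSTR(control_text)
    )
    return ret


@api.check(2, "Window/Control could not be found")
def control_set_text_by_handle(hwnd, h_ctrl, control_text):
    """
    Replace the text of a control addressed by handles.

    :param hwnd: handle of the window that owns the control
    :param h_ctrl: handle of the control
    :param control_text: the new text of the control
    :return: the DLL's return value
    """
    ret = AUTO_IT.AU3_ControlSetTextByHandle(
        HWND(hwnd), HWND(h_ctrl), LPCWSTR(control_text)
    )
    return ret


@api.check(2, "Window/Control could not be found")
def control_show(title, control, **kwargs):
    """
    Show a (hidden) control located by window title.

    :param title: title of the owning window
    :param control: AutoIt control identifier
    :param kwargs: ``text`` -- additional window text (default "")
    :return: the DLL's return value
    """
    text = kwargs.get("text", "")

    ret = AUTO_IT.AU3_ControlShow(
        LPCWSTR(title), LPCWSTR(text), LPCWSTR(control))
    return ret


@api.check(2, "Window/Control could not be found")
def control_show_by_handle(hwnd, h_ctrl):
    """
    Show a (hidden) control addressed by handles.

    :param hwnd: handle of the window that owns the control
    :param h_ctrl: handle of the control
    :return: the DLL's return value
    """
    ret = AUTO_IT.AU3_ControlShowByHandle(HWND(hwnd), HWND(h_ctrl))
    return ret


@api.check(1, "Window/Control could not be found")
def control_tree_view(title, control, command, **kwargs):
    """
    Run a TreeView command against a control located by window title.

    :param title: title of the owning window
    :param control: AutoIt control identifier
    :param command: TreeView command string understood by AutoIt
    :param kwargs:
        ``text`` -- additional window text (default "");
        ``extra1`` / ``extra2`` -- the command's arguments (default "");
        the legacy spellings ``extras1`` / ``extras2`` are still honoured;
        ``buf_size`` -- capacity in characters of the result buffer
        (default 256)
    :return: the command's result text with trailing whitespace removed
    """
    text = kwargs.get("text", "")
    buf_size = kwargs.get("buf_size", 256)
    result = ctypes.create_unicode_buffer(buf_size)
    # The by-handle twin reads "extra1"/"extra2" while this function used to
    # read only "extras1"/"extras2", so a caller using the same names for both
    # had its arguments silently dropped here. Accept both spellings, preferring
    # the names shared with control_tree_view_by_handle.
    extra1 = kwargs.get("extra1", kwargs.get("extras1", ""))
    extra2 = kwargs.get("extra2", kwargs.get("extras2", ""))

    AUTO_IT.AU3_ControlTreeView(
        LPCWSTR(title), LPCWSTR(text), LPCWSTR(control), LPCWSTR(command),
        LPCWSTR(extra1), LPCWSTR(extra2), result, INT(buf_size)
    )

    return result.value.rstrip()


@api.check(1, "Window/Control could not be found")
def control_tree_view_by_handle(hwnd, h_ctrl, command, **kwargs):
    """
    Run a TreeView command against a control addressed by handles.

    :param hwnd: handle of the window that owns the control
    :param h_ctrl: handle of the control
    :param command: TreeView command string understood by AutoIt
    :param kwargs:
        ``extra1`` / ``extra2`` -- the command's arguments (default "");
        ``buf_size`` -- capacity in characters of the result buffer
        (default 256)
    :return: the command's result text with trailing whitespace removed
    """
    extra1 = kwargs.get("extra1", "")
    extra2 = kwargs.get("extra2", "")
    buf_size = kwargs.get("buf_size", 256)
    result = ctypes.create_unicode_buffer(buf_size)

    AUTO_IT.AU3_ControlTreeViewByHandle(
        HWND(hwnd), HWND(h_ctrl), LPCWSTR(command),
        LPCWSTR(extra1), LPCWSTR(extra2), result, INT(buf_size)
    )
    return result.value.rstrip()


@api.check(1, "Window/Control could not be found")
def statusbar_get_text(title, text="", part=1, buf_size=256):
    """
    Read one part of the status bar of a window located by title.

    :param title: title of the window
    :param text: additional window text used to disambiguate the window
    :param part: The "part" number of the status bar to read - the default
        is 1. 1 is the first possible part and usually the one that contains
        the useful messages like "Ready" "Loading...", etc.
    :param buf_size: capacity in characters of the receive buffer; the
        length is passed to the DLL alongside the buffer
    :return: the status bar text with trailing whitespace removed
    """
    sb_text = ctypes.create_unicode_buffer(buf_size)

    AUTO_IT.AU3_StatusbarGetText(
        LPCWSTR(title), LPCWSTR(text), INT(part), sb_text, INT(buf_size)
    )

    return sb_text.value.rstrip()


@api.check(1, "Window/Control could not be found")
def statusbar_get_text_by_handle(hwnd, part=1, buf_size=256):
    """
    Read one part of the status bar of a window addressed by handle.

    :param hwnd: handle of the window
    :param part: 1-based status bar part to read; see ``statusbar_get_text``
    :param buf_size: capacity in characters of the receive buffer; the
        length is passed to the DLL alongside the buffer
    :return: the status bar text with trailing whitespace removed
    """
    statusbar_text = ctypes.create_unicode_buffer(buf_size)

    AUTO_IT.AU3_StatusbarGetTextByHandle(
        HWND(hwnd), INT(part), statusbar_text, INT(buf_size)
    )

    return statusbar_text.value.rstrip()
--------------------------------------------------------------------------------
/ExtDepLibs/autoit/control.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/autoit/control.pyc
--------------------------------------------------------------------------------
/ExtDepLibs/autoit/lib/AutoItX3.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/autoit/lib/AutoItX3.dll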
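--------------------------------------------------------------------------------
/ExtDepLibs/autoit/lib/AutoItX3_x64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/autoit/lib/AutoItX3_x64.dll
--------------------------------------------------------------------------------
/ExtDepLibs/autoit/process.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-

__author__ = 'Jace Xu'

from autoit import AUTO_IT
from autoit import api, error
from autoit import Properties
from autoit import AutoItError
from ctypes.wintypes import *


@api.check(1, "run program failed")
def run(filename, work_dir="", show_flag=Properties.SW_SHOWNORMAL):
    """
    Start an external program through AutoIt's Run and return immediately.

    NOTE(review): ``api.check`` is defined in autoit.py (not shown here); it
    is assumed to raise ``AutoItError`` with the given message when the DLL
    reports failure. This applies to every decorated function in this module.

    :param filename: program to start. It is handed to the DLL verbatim, so
        it should come from trusted configuration, never from untrusted input.
    :param work_dir: working directory of the new process ("" = default)
    :param show_flag: one of the ``Properties.SW_*`` window-state flags
    :return: the DLL's return value (presumably the new process id -- verify
        against the AutoItX documentation)
    """
    ret = AUTO_IT.AU3_Run(LPCWSTR(filename), LPCWSTR(work_dir),
                          INT(show_flag))
    return ret


@api.check(1, "run program failed")
def run_wait(filename, work_dir="", show_flag=Properties.SW_SHOWNORMAL):
    """
    Start an external program and block until it exits.

    :param filename: program to start; see ``run`` for the trust caveat
    :param work_dir: working directory of the new process ("" = default)
    :param show_flag: one of the ``Properties.SW_*`` window-state flags
    :return: the DLL's return value (presumably the program's exit code --
        verify against the AutoItX documentation)
    """
    ret = AUTO_IT.AU3_RunWait(LPCWSTR(filename), LPCWSTR(work_dir),
                              INT(show_flag))
    return ret


def process_close(process):
    """
    Terminates a named process.

    :param process: the name or PID of the process to terminate
    :return: the DLL's return value; unlike the decorated functions, no
        ``AutoItError`` is raised on failure
    """
    ret = AUTO_IT.AU3_ProcessClose(LPCWSTR(process))
    return ret


def process_exists(process):
    """
    Check whether a process exists.

    :param process: the name or PID of the process to look for
    :return: the DLL's return value (presumably 0 when absent, otherwise the
        PID -- verify against the AutoItX documentation)
    """
    ret = AUTO_IT.AU3_ProcessExists(LPCWSTR(process))
    return ret


def process_set_priority(process, priority):
    """
    Changes the priority of a process
    :param process: The name or PID of the process to check.
    :param priority: A flag which determines what priority to set
        0 - Idle/Low
        1 - Below Normal (Not supported on Windows 95/98/ME)
        2 - Normal
        3 - Above Normal (Not supported on Windows 95/98/ME)
        4 - High
        5 - Realtime (Use with caution, may make the system unstable)
    :return: the DLL's return value; 0 is returned unchanged when the DLL
        failed with an error code other than 1 or 2
    :raises AutoItError: when the DLL returns 0 and reports error 1 (set
        failed) or error 2 (unsupported priority class)
    """
    ret = AUTO_IT.AU3_ProcessSetPriority(LPCWSTR(process), INT(priority))
    if ret == 0:
        # Read AutoIt's error state once instead of once per comparison.
        err = error()
        if err == 1:
            raise AutoItError("set priority failed")
        if err == 2:
            raise AutoItError("unsupported priority class be used")
    return ret


@api.check(2, "the process wait timed out")
def process_wait(process, timeout=0):
    """
    Pauses script execution until a given process exists.
    :param process: the name or PID of the process to wait for
    :param timeout: seconds to wait; 0 presumably means wait forever
        (AutoIt convention) -- verify
    :return: the DLL's return value
    """
    ret = AUTO_IT.AU3_ProcessWait(LPCWSTR(process), INT(timeout))
    return ret


@api.check(2, "the process wait close timed out")
def process_wait_close(process, timeout=0):
    """
    Pauses script execution until a given process does not exist.
    :param process: the name or PID of the process to wait for
    :param timeout: seconds to wait; 0 presumably means wait forever
        (AutoIt convention) -- verify
    :return: the DLL's return value
    """
    ret = AUTO_IT.AU3_ProcessWaitClose(LPCWSTR(process), INT(timeout))
    return ret


@api.check(1, "run an external program failed")
def run_as(user, domain, password, filename, logon_flag=1, work_dir="",
           show_flag=Properties.SW_SHOWNORMAL):
    """
    Runs an external program.

    ``password`` is passed to the DLL in clear text; obtain it from a secret
    store at call time and keep it out of source control and logs.

    :param user: username The user name to use.
    :param domain: The domain name to use.
    :param password: The password to use.
    :param logon_flag: 0 = do not load the user profile, 1 = (default) load
        the user profile, 2 = use for net credentials only
    :param filename: The name of the executable (EXE, BAT, COM, or PIF) to run.
    :param work_dir: The working directory.
    :param show_flag: The "show" flag of the executed program:
        SW_HIDE = Hidden window
        SW_MINIMIZE = Minimized window
        SW_MAXIMIZE = Maximized window
    :return: the DLL's return value
    """
    ret = AUTO_IT.AU3_RunAs(
        LPCWSTR(user), LPCWSTR(domain), LPCWSTR(password), INT(logon_flag),
        LPCWSTR(filename), LPCWSTR(work_dir), INT(show_flag)
    )
    return ret


@api.check(1, "run an external program failed")
def run_as_wait(user, domain, password, filename, logon_flag=1, work_dir="",
                show_flag=Properties.SW_SHOWNORMAL):
    """
    Runs an external program and blocks until it exits.

    ``password`` is passed to the DLL in clear text; see ``run_as``.

    :param user: username The user name to use.
    :param domain: The domain name to use.
    :param password: The password to use.
    :param logon_flag: 0 = do not load the user profile, 1 = (default) load
        the user profile, 2 = use for net credentials only
    :param filename: The name of the executable (EXE, BAT, COM, or PIF) to run.
    :param work_dir: The working directory.
    :param show_flag: The "show" flag of the executed program:
        SW_HIDE = Hidden window
        SW_MINIMIZE = Minimized window
        SW_MAXIMIZE = Maximized window
    :return: the DLL's return value
    """
    ret = AUTO_IT.AU3_RunAsWait(
        LPCWSTR(user), LPCWSTR(domain), LPCWSTR(password), INT(logon_flag),
        LPCWSTR(filename), LPCWSTR(work_dir), INT(show_flag)
    )
    return ret


@api.check(2, "set shutdown failed")
def shutdown(code):
    """
    Log off, shut down or reboot the machine.

    :param code: The shutdown code is a combination of the following values:
        0 = Logoff
        1 = Shutdown
        2 = Reboot
        4 = Force
        8 = Power down
    :return: the DLL's return value
    """
    ret = AUTO_IT.AU3_Shutdown(INT(code))
    return ret
--------------------------------------------------------------------------------
/ExtDepLibs/autoit/process.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/autoit/process.pyc
--------------------------------------------------------------------------------
/ExtDepLibs/autoit/win.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/autoit/win.pyc
--------------------------------------------------------------------------------
/ExtDepLibs/domato/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# How to contribute

We'd love to accept your patches and contributions to this project. There are
just a few small guidelines you need to follow.

## Contributor License Agreement

Contributions to any Google project must be accompanied by a Contributor License
Agreement.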
This is necessary because you own the copyright to your changes, even 10 | after your contribution becomes part of this project. So this agreement simply 11 | gives us permission to use and redistribute your contributions as part of the 12 | project. Head over to to see your current 13 | agreements on file or to sign a new one. 14 | 15 | You generally only need to submit a CLA once, so if you've already submitted one 16 | (even if it was for a different project), you probably don't need to do it 17 | again. 18 | 19 | ## Code reviews 20 | 21 | All submissions, including submissions by project members, require review. We 22 | use GitHub pull requests for this purpose. Consult [GitHub Help] for more 23 | information on using pull requests. 24 | 25 | [GitHub Help]: https://help.github.com/articles/about-pull-requests/ 26 | -------------------------------------------------------------------------------- /ExtDepLibs/domato/LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 
23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. 
For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. 
If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. 
You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. 
(Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /ExtDepLibs/domato/README.md: -------------------------------------------------------------------------------- 1 | # Domato 2 | #### A DOM fuzzer 3 | 4 | Written and maintained by Ivan Fratric, 5 | 6 | Copyright 2017 Google Inc. All Rights Reserved. 7 | 8 | Licensed under the Apache License, Version 2.0 (the "License"); 9 | you may not use this file except in compliance with the License. 10 | You may obtain a copy of the License at 11 | 12 | http://www.apache.org/licenses/LICENSE-2.0 13 | 14 | Unless required by applicable law or agreed to in writing, software 15 | distributed under the License is distributed on an "AS IS" BASIS, 16 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 17 | See the License for the specific language governing permissions and 18 | limitations under the License. 
19 | 20 | #### Usage 21 | 22 | To generate a single .html sample run: 23 | 24 | `python generator.py ` 25 | 26 | To generate multiple samples with a single call run: 27 | 28 | `python generator.py --output_dir --no_of_files ` 29 | 30 | The generated samples will be placed in the specified directory and will be named as fuzz-<number>.html, e.g. fuzz-1.html, fuzz-2.html etc. Generating multiple samples is faster because the input grammar files need to be loaded and parsed only once. 31 | 32 | #### Code organization 33 | 34 | generator.py contains the main script. It uses grammar.py as a library and contains additional helper code for DOM fuzzing. 35 | 36 | grammar.py contains the generation engine that is mostly application-agnostic and can thus be used in other (i.e. non-DOM) generation-based fuzzers. As it can be used as a library, its usage is described in a separate section below. 37 | 38 | .txt files contain grammar definitions. There are 3 main files, html.txt, css.txt and js.txt which contain HTML, CSS and JavaScript grammars, respectively. These root grammar files may include content from other files. 39 | 40 | #### Using the generation engine and writing grammars 41 | 42 | To use the generation engine with a custom grammar, you can use the following python code: 43 | 44 | ``` 45 | from grammar import Grammar 46 | 47 | my_grammar = Grammar() 48 | my_grammar.parse_from_file('input_file.txt') 49 | result_string = my_grammar.generate_symbol('symbol_name') 50 | 51 | ``` 52 | 53 | The following sections describe the syntax of the grammar files. 54 | 55 | ##### Basic syntax 56 | 57 | Domato is based on an engine that, given a context-free grammar in a simple format specified below, generates samples from that grammar. 58 | 59 | A grammar is described as a set of rules in the following basic format: 60 | 61 | ` = a mix of constants and s` 62 | 63 | Each grammar rule contains a left side and the right side separated by the equal character. 
The left side contains a symbol, while the right side contains the details on how that symbol may be expanded. When expanding a symbol, all symbols on the right-hand side are expanded recursively while everything that is not a symbol is simply copied to the output. Note that a single rule can't span over multiple lines of the input file. 64 | 65 | Consider the following simplified example of a part of the CSS grammar: 66 | 67 | ``` 68 | = { } 69 | = a 70 | = b 71 | = width:100% 72 | ``` 73 | 74 | If we instruct the grammar engine to parse that grammar and generate 'cssrule', we may end up with either: 75 | 76 | `a { width:100% }` 77 | 78 | or 79 | 80 | `b { width:100% }` 81 | 82 | Note there are two rules for the 'selector' symbol. In such cases, when the generator is asked to generate a 'selector', it will select the rule to use at random. It is also possible to specify the probability of the rule using the 'p' attribute, for example: 83 | 84 | ``` 85 | = a 86 | = b 87 | ``` 88 | 89 | In this case, the string 'a' would be output more often than 'b'. 90 | 91 | There are other attributes that can be applied to symbols in addition to the probability. Those are listed in a separate section. 92 | 93 | Consider another example for generating html samples: 94 | 95 | ``` 96 | = html/html 97 | = head.../head 98 | = body.../body 99 | ``` 100 | 101 | Note that since the '<' and '>' have a special meaning in the grammar syntax, so here we are using `` and `` instead. These symbols are built in and don't need to be defined by the user. A list of all built-in symbols is provided in a separate section. 102 | 103 | ##### Generating programming language code 104 | 105 | To generate programming language code, a similar syntax can be used, but there are a couple of differences. Each line of the programming language grammar is going to correspond to the line of the output. 
Because of that, the grammar syntax is going to be more free-form to allow expressing constructs in various programming languages. Secondly, when a line is generated, in addition to outputting the line, one or more variables may be created and those variables may be reused when generating other lines. Again, let's take a look of the simplified example: 106 | 107 | ``` 108 | !varformat fuzzvar%05d 109 | !lineguard try { } catch(e) {} 110 | 111 | !begin lines 112 | = document.getElementById(""); 113 | .doSomething(); 114 | !end lines 115 | ``` 116 | 117 | If we instruct the engine to generate 5 lines, we may end up with something like: 118 | 119 | ``` 120 | try { var00001 = document.getElementById("hw"); } catch(e) {} 121 | try { var00001.doSomething(); } catch(e) {} 122 | try { var00002 = document.getElementById("feezcqbndf"); } catch(e) {} 123 | try { var00002.doSomething(); } catch(e) {} 124 | try { var00001.doSomething(); } catch(e) {} 125 | ``` 126 | 127 | Note that 128 | 129 | - programming language lines are enclosed in '!begin lines' and '!end lines' statement. This gives the grammar parser the necessary information that the lines inbetween are programming language lines and are thus parsed differently. 130 | - We used `` instead of ``. This instructs the generator to create a new variable of type 'element' instead of generating the 'element' symbol. 131 | - `` is one of the built-in symbols so no need to define it. 132 | - [optional] You can use !varformat statement to define the format of variables you want to use. 133 | - [optional] You can use !lineguard statement to define additional code that gets inserted around every line in order to catch exceptions or perform other tasks. This is so you wouldn't need to write it for every line separately. 
134 | - In addition to '!begin lines' and '!end lines' you can also use '!begin helperlines' and '!end helperlines' to define lines of code that will only ever be used if required when generating other lines (for example, helper lines might generate variables needed by the 'main' code, but you don't ever want those helper lines to end up in the output when they are not needed). 135 | 136 | ##### Comments 137 | 138 | Everything after the first '#' character on the line is considered a comment, so for example: 139 | 140 | ``` 141 | #This is a comment 142 | ``` 143 | 144 | 145 | ##### Preventing infinite recursions 146 | 147 | The grammar syntax has a way of telling the fuzzer which rules are nonrecursive and can be safe to use even if the maximum level of recursion has been reached. This is done with the ‘nonrecursive’ attributes. An example is given below. 148 | 149 | ``` 150 | !max_recursion 10 151 | = 152 | = foo 153 | = bar 154 | ``` 155 | 156 | Firstly, an optional ‘!max_recursion’ statement defines the maximum recursion depth level (50 by default). Notice that the second production rule for ‘foobar’ is marked as non-recursive. If ever the maximum recursion level is reached the generator will force using the non-recursive rule for ‘foobar’ symbol, thus preventing infinite recursion. 157 | 158 | ##### Including and importing other grammar files 159 | 160 | In Domato, including and importing grammars are two different concepts. 161 | 162 | Including is simpler. You can use: 163 | 164 | ``` 165 | !include other.txt 166 | ``` 167 | 168 | to include rules from other.txt into the currently parsed grammar. 
169 | 170 | Importing works a bit differently: 171 | 172 | ``` 173 | !import other.txt 174 | ``` 175 | 176 | tells the parser to create a new Grammar() object that can then be referenced from the current grammar by using the special `` symbol, for example like this: 177 | 178 | ``` 179 | = 180 | ``` 181 | 182 | You can think about importing and including in terms of namespaces: !include will put the included grammar into a single namespace, while !import will create a new namespace which can then be accessed using the `` symbol and the namespace specified via the 'from' attribute. 183 | 184 | ##### Including Python code 185 | 186 | Sometimes you might want to call custom Python code in your grammar. For example, let’s say you want to use the engine to generate an HTTP response and you want the body length to match the 'Size' header. Since this is not possible with normal grammar rules, you can include custom Python code to accomplish it like this: 187 | 188 | ``` 189 | !begin function savesize 190 | context['size'] = ret_val 191 | !end function 192 | 193 | !begin function createbody 194 | n = int(context['size']) 195 | ret_val = 'a' * n 196 | !end function 197 | 198 | =
199 |
= Size: 200 | = 201 | ``` 202 | 203 | The Python functions are defined between ‘!begin function ’ and ‘!end function’ commands. These functions run as ordinary Python code with the privileges of the generator process, so a grammar file that contains them should be treated as code and only loaded from a trusted source. The functions can be called in two ways: using the ‘beforeoutput’ attribute and using the symbol. 204 | 205 | By specifying the ‘beforeoutput’ attribute in some symbol, the corresponding function will be called when this symbol is expanded, just before the result of the expansion is output to the sample. The expansion result will be passed to the function in the ret_val variable. The function is then free to modify ret_val, store it for later use or perform any other operations. 206 | 207 | When using the special `` symbol, the function (specified in a ‘function’ attribute) will be called when the symbol is encountered during language generation. Any value stored by the function in ret_val will be considered the result of the expansion (ret_val gets included in the sample). 208 | 209 | Your Python code has access to the following variables: 210 | 211 | - `context` - a dictionary that is passed through the whole sample generation. You can use it to store values (such as storing the size in the example above) and retrieve them in the rules that fire subsequently. 212 | - `attributes` - a dictionary corresponding to the symbol currently being processed. You can use it to pass parameters to your functions. For example, if you used something like to call your function, attributes\[‘foo’\] will be set to ‘bar’. 213 | - `ret_val` - The value that will be output as a result of the function call. It is initialized to an empty value when using the symbol to call a function; otherwise it will be initialized to the value generated by the symbol. 
214 | 215 | ##### Built-in symbols 216 | 217 | The following symbols have a special meaning and should not be redefined by users: 218 | 219 | - `` - ‘<’ character 220 | - `` - ‘>’ character 221 | - `` - ‘#’ character 222 | - `` - CR character 223 | - `` - LF character 224 | - `` - space character 225 | - `` - tab character 226 | - `` - ‘!’ character 227 | - `` - can be used to generate an arbitrary ascii character using ‘code’ attribute. For example `` corresponds to ‘a’. Generates random character if not specified. Supports ‘min’ and ‘max’ attribute. 228 | - `` - generates a random hex digit. 229 | - ``, ``, ``, ``, ``, ``, ``, ``, `` - can be used to generate random integers. Supports ‘min’ and ‘max’ attribute that can be used to limit the range of integers that will be generated. Supports the ‘b’ and ‘be’ attribute which makes the output binary in little/big endian format instead of text output. 230 | - ``, `` - generates a random floating-point number. Supports ‘min’ and ‘max’ attribute (0 and 1 if not specified). Supports ‘b’ attribute which makes the output binary. 231 | - `` - generates a random string. Supports ‘min’ and ‘max’ attributes which control the minimum and maximum charcode generated as well as ‘minlength’ and ‘maxlength’ attributes that control the length of the string. 232 | - `` - same as `` except HTML metacharacters will be escaped, making it safe to embed the string as part of HTML text or attribute values. 233 | - `` - outputs the given number (via ‘count’ attribute) lines of code. See the section on generating programming language code for example. 234 | - `` - imports a symbol from another grammar, see the section on including external grammars for details. 235 | - `` - calls a user-defined function corresponding to the function attribute. See the section on including Python code in the grammar for more info. 
236 | 237 | ##### Symbol attributes 238 | 239 | The following attributes are supported: 240 | 241 | - root - marks a symbol as the root symbol of the grammar. The only supported value is ‘true’. When GenerateSymbol() is called, if no argument is specified, the root symbol will be generated. 242 | - nonrecursive - gives the generator a hint that this rule doesn’t contain recursion loops and is used to prevent infinite recursions. The only supported value is ‘true’. 243 | - new - used when generating programming languages to denote that a new variable is created here rather than expanding the symbol as usual. The only supported value is ‘true’. 244 | - from, symbol - used when importing symbols from other grammars, see ‘Including external grammars’ section. 245 | - count - used in lines symbol to specify the number of lines to be created. 246 | - id - used to mark that several symbols should share the same value. For example in the rule `‘doSomething(, )’` both ints would end up having the same value. Only the first instance is actually expanded, the second is just copied from the first. 247 | - min, max - used in generation of numeric types to specify the minimum and maximum value. Also used to limit the set of characters generated in strings. 248 | - b, be - used in numeric types to specify binary little-endian (‘b’) or big-endian (‘be’) output. 249 | - code - used in char symbol to specify the exact character to output by its code. 250 | - minlength, maxlength - used when generating strings to specify the minimum and maximum length. 251 | - up - used in hex symbol to specify uppercase output (lowercase is the default). 252 | - function - used in the `` symbol, see ‘Including Python code’ section for more info. 253 | - beforeoutput - used to call user-specified functions, see ‘Including Python’. 
254 | 255 | #### Bug Showcase 256 | 257 | Some of the bugs that have been found with Domato: 258 | 259 | - Apple Safari: CVE-2017-2369, CVE-2017-2373, CVE-2017-2362, CVE-2017-2454, CVE-2017-2455, CVE-2017-2459, CVE-2017-2460, CVE-2017-2466, CVE-2017-2471, CVE-2017-2476, CVE-2017-7039, CVE-2017-7040, CVE-2017-7041, CVE-2017-7042, CVE-2017-7043, CVE-2017-7046, CVE-2017-7048, CVE-2017-7049 260 | - Google Chrome: Issues 666246 and 671328 261 | - Microsoft Internet Explorer 11: CVE-2017-0037, CVE-2017-0059, CVE-2017-0202, CVE-2017-8594 262 | - Microsoft Edge: CVE-2017-0037, CVE-2017-8496, CVE-2017-8652, CVE-2017-8644 263 | - Mozilla Firefox: CVE-2017-5404, CVE-2017-5447, CVE-2017-5465 264 | 265 | #### Disclaimer 266 | 267 | This is not an official Google product. 268 | 269 | -------------------------------------------------------------------------------- /ExtDepLibs/domato/common.txt: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Google Inc. All Rights Reserved. 2 | # Licensed under the Apache License, Version 2.0 (the "License"); 3 | # you may not use this file except in compliance with the License. 4 | # You may obtain a copy of the License at 5 | # 6 | # http://www.apache.org/licenses/LICENSE-2.0 7 | # 8 | # Unless required by applicable law or agreed to in writing, software 9 | # distributed under the License is distributed on an "AS IS" BASIS, 10 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11 | # See the License for the specific language governing permissions and 12 | # limitations under the License. 
13 | 14 | 15 | = 16 | 17 | = 32768 18 | = 65535 19 | = 65536 20 | = 1073741824 21 | = 536870912 22 | = 268435456 23 | = 4294967295 24 | = 2147483648 25 | = 2147483647 26 | = -2147483648 27 | = -1073741824 28 | = -32769 29 | 30 | = 0 31 | = 0 32 | = 0 33 | = 1 34 | = 1 35 | = -1 36 | = 37 | = 38 | = 39 | 40 | = true 41 | = false 42 | 43 | = 44 | 45 | = htmlvar0000 46 | = svgvar0000 47 | = class 48 | 49 | = red 50 | = green 51 | = white 52 | = black 53 | = # 54 | = rgb(,,) 55 | 56 | = a 57 | = abbr 58 | = acronym 59 | = address 60 | = applet 61 | = area 62 | = article 63 | = aside 64 | = audio 65 | = b 66 | = base 67 | = basefont 68 | = bdi 69 | = bdo 70 | = bgsound 71 | = big 72 | = blink 73 | = blockquote 74 | = body 75 | = br 76 | = button 77 | = canvas 78 | = caption 79 | = center 80 | = cite 81 | = code 82 | = col 83 | = colgroup 84 | = command 85 | = content 86 | = data 87 | = datalist 88 | = dd 89 | = del 90 | = details 91 | = dfn 92 | = dialog 93 | = dir 94 | = div 95 | = dl 96 | = dt 97 | = element 98 | = em 99 | = embed 100 | = fieldset 101 | = figcaption 102 | = figure 103 | = font 104 | = footer 105 | = form 106 | = frame 107 | = frameset 108 | = h1 109 | = h2 110 | = h3 111 | = h4 112 | = h5 113 | = h6 114 | = head 115 | = header 116 | = hgroup 117 | = hr 118 | = html 119 | = i 120 | = iframe 121 | = image 122 | = img 123 | = input 124 | = ins 125 | = isindex 126 | = kbd 127 | = keygen 128 | = label 129 | = layer 130 | = legend 131 | = li 132 | = link 133 | = listing 134 | = main 135 | = map 136 | = mark 137 | = marquee 138 | = menu 139 | = menuitem 140 | = meta 141 | = meter 142 | = multicol 143 | = nav 144 | = nobr 145 | = noembed 146 | = noframes 147 | = nolayer 148 | = noscript 149 | = object 150 | = ol 151 | = optgroup 152 | = option 153 | = output 154 | = p 155 | = param 156 | = picture 157 | = plaintext 158 | = pre 159 | = progress 160 | = q 161 | = rp 162 | = rt 163 | = rtc 164 | = ruby 165 | = s 166 | = samp 167 | = script 168 | = section 169 | 
= select 170 | = shadow 171 | = small 172 | = source 173 | = spacer 174 | = span 175 | = strike 176 | = strong 177 | = style 178 | = sub 179 | = summary 180 | = sup 181 | = table 182 | = tbody 183 | = td 184 | = template 185 | = textarea 186 | = tfoot 187 | = th 188 | = thead 189 | = time 190 | = title 191 | = tr 192 | = track 193 | = tt 194 | = u 195 | = ul 196 | = var 197 | = video 198 | = wbr 199 | = xmp 200 | 201 | = a 202 | = altGlyph 203 | = altGlyphDef 204 | = altGlyphItem 205 | = animate 206 | = animateColor 207 | = animateMotion 208 | = animateTransform 209 | = circle 210 | = clipPath 211 | = cursor 212 | = defs 213 | = desc 214 | = ellipse 215 | = feBlend 216 | = feColorMatrix 217 | = feComponentTransfer 218 | = feComposite 219 | = feConvolveMatrix 220 | = feDiffuseLighting 221 | = feDisplacementMap 222 | = feDistantLight 223 | = feDropShadow 224 | = feFlood 225 | = feFuncA 226 | = feFuncB 227 | = feFuncG 228 | = feFuncR 229 | = feGaussianBlur 230 | = feImage 231 | = feMerge 232 | = feMergeNode 233 | = feMorphology 234 | = feOffset 235 | = fePointLight 236 | = feSpecularLighting 237 | = feSpotLight 238 | = feTile 239 | = feTurbulence 240 | = filter 241 | = font 242 | = font_face 243 | = font_face_format 244 | = font_face_name 245 | = font_face_src 246 | = font_face_uri 247 | = foreignObject 248 | = g 249 | = glyph 250 | = glyphRef 251 | = hkern 252 | = image 253 | = line 254 | = linearGradient 255 | = marker 256 | = mask 257 | = metadata 258 | = missing_glyph 259 | = mpath 260 | = path 261 | = pattern 262 | = polygon 263 | = polyline 264 | = radialGradient 265 | = rect 266 | = script 267 | = set 268 | = stop 269 | = style 270 | = svg 271 | = switch 272 | = symbol 273 | = text 274 | = textPath 275 | = title 276 | = tref 277 | = tspan 278 | = use 279 | = view 280 | = vkern 281 | 282 | = x 283 | =  284 | 285 | = x 286 | = data:video/mp4;base64,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 287 | 288 | = x 289 | = 
data:audio/mp3;base64,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 290 | 291 | 292 | -------------------------------------------------------------------------------- /ExtDepLibs/domato/grammar.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/domato/grammar.pyc -------------------------------------------------------------------------------- /ExtDepLibs/domato/template.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 9 | 71 | 72 | 73 | 74 | 75 | 76 | -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/__init__.py: -------------------------------------------------------------------------------- 1 | #!/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | # Copyright (c) 2009-2016, Mario Vilas 5 | # All rights reserved. 6 | # 7 | # Redistribution and use in source and binary forms, with or without 8 | # modification, are permitted provided that the following conditions are met: 9 | # 10 | # * Redistributions of source code must retain the above copyright notice, 11 | # this list of conditions and the following disclaimer. 12 | # * Redistributions in binary form must reproduce the above copyright 13 | # notice,this list of conditions and the following disclaimer in the 14 | # documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the copyright holder nor the names of its 16 | # contributors may be used to endorse or promote products derived from 17 | # this software without specific prior written permission. 
18 | # 19 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 20 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 | # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 23 | # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 | # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 | # POSSIBILITY OF SUCH DAMAGE. 30 | 31 | """ 32 | Windows application debugging engine for Python. 33 | 34 | by Mario Vilas (mvilas at gmail.com) 35 | 36 | Project: U{https://github.com/MarioVilas/winappdbg/} 37 | 38 | Web: U{http://winappdbg.readthedocs.io/en/latest/} 39 | 40 | Blog: U{http://breakingcode.wordpress.com} 41 | 42 | @group Debugging: 43 | Debug, EventHandler, EventSift, DebugLog 44 | 45 | @group Instrumentation: 46 | System, Process, Thread, Module, Window, Registry 47 | 48 | @group Disassemblers: 49 | Disassembler, 50 | BeaEngine, DistormEngine, PyDasmEngine 51 | 52 | @group Crash reporting: 53 | Crash, CrashDump, CrashDAO, CrashDictionary 54 | 55 | @group Memory search: 56 | Search, 57 | Pattern, 58 | BytePattern, 59 | TextPattern, 60 | RegExpPattern, 61 | HexPattern 62 | 63 | @group Debug events: 64 | Event, 65 | NoEvent, 66 | CreateProcessEvent, 67 | CreateThreadEvent, 68 | ExitProcessEvent, 69 | ExitThreadEvent, 70 | LoadDLLEvent, 71 | UnloadDLLEvent, 72 | OutputDebugStringEvent, 73 | RIPEvent, 74 | ExceptionEvent 75 | 76 | @group Win32 API wrappers: 77 | win32, Handle, ProcessHandle, ThreadHandle, FileHandle 78 | 79 | @group Helpers: 80 | HexInput, 
HexOutput, HexDump, Color, Table, Logger, 81 | PathOperations, 82 | MemoryAddresses, 83 | CustomAddressIterator, 84 | DataAddressIterator, 85 | ImageAddressIterator, 86 | MappedAddressIterator, 87 | ExecutableAddressIterator, 88 | ReadableAddressIterator, 89 | WriteableAddressIterator, 90 | ExecutableAndWriteableAddressIterator, 91 | DebugRegister, 92 | Regenerator 93 | 94 | @group Warnings: 95 | MixedBitsWarning, BreakpointWarning, BreakpointCallbackWarning, 96 | EventCallbackWarning, DebugSymbolsWarning, CrashWarning 97 | 98 | @group Deprecated classes: 99 | CrashContainer, CrashTable, CrashTableMSSQL, 100 | VolatileCrashContainer, DummyCrashContainer 101 | 102 | @type version_number: float 103 | @var version_number: This WinAppDbg major and minor version, 104 | as a floating point number. Use this for compatibility checking. 105 | 106 | @type version: str 107 | @var version: This WinAppDbg release version, 108 | as a printable string. Use this to show to the user. 109 | 110 | @undocumented: plugins 111 | """ 112 | 113 | # List of all public symbols 114 | __all__ = [ 115 | # Library version 116 | 'version', 117 | 'version_number', 118 | 119 | # from breakpoint import * 120 | ## 'Breakpoint', 121 | ## 'CodeBreakpoint', 122 | ## 'PageBreakpoint', 123 | ## 'HardwareBreakpoint', 124 | ## 'Hook', 125 | ## 'ApiHook', 126 | ## 'BufferWatch', 127 | 'BreakpointWarning', 128 | 'BreakpointCallbackWarning', 129 | 130 | # from crash import * 131 | 'Crash', 132 | 'CrashWarning', 133 | 'CrashDictionary', 134 | 'CrashContainer', 135 | 'CrashTable', 136 | 'CrashTableMSSQL', 137 | 'VolatileCrashContainer', 138 | 'DummyCrashContainer', 139 | 140 | # from debug import * 141 | 'Debug', 142 | 'MixedBitsWarning', 143 | 144 | # from disasm import * 145 | 'Disassembler', 146 | 'BeaEngine', 147 | 'DistormEngine', 148 | 'PyDasmEngine', 149 | 150 | # from event import * 151 | 'EventHandler', 152 | 'EventSift', 153 | ## 'EventFactory', 154 | ## 'EventDispatcher', 155 | 
'EventCallbackWarning', 156 | 'Event', 157 | ## 'NoEvent', 158 | 'CreateProcessEvent', 159 | 'CreateThreadEvent', 160 | 'ExitProcessEvent', 161 | 'ExitThreadEvent', 162 | 'LoadDLLEvent', 163 | 'UnloadDLLEvent', 164 | 'OutputDebugStringEvent', 165 | 'RIPEvent', 166 | 'ExceptionEvent', 167 | 168 | # from interactive import * 169 | ## 'ConsoleDebugger', 170 | 171 | # from module import * 172 | 'Module', 173 | 'DebugSymbolsWarning', 174 | 175 | # from process import * 176 | 'Process', 177 | 178 | # from system import * 179 | 'System', 180 | 181 | # from search import * 182 | 'Search', 183 | 'Pattern', 184 | 'BytePattern', 185 | 'TextPattern', 186 | 'RegExpPattern', 187 | 'HexPattern', 188 | 189 | # from registry import * 190 | 'Registry', 191 | 192 | # from textio import * 193 | 'HexDump', 194 | 'HexInput', 195 | 'HexOutput', 196 | 'Color', 197 | 'Table', 198 | 'CrashDump', 199 | 'DebugLog', 200 | 'Logger', 201 | 202 | # from thread import * 203 | 'Thread', 204 | 205 | # from util import * 206 | 'PathOperations', 207 | 'MemoryAddresses', 208 | 'CustomAddressIterator', 209 | 'DataAddressIterator', 210 | 'ImageAddressIterator', 211 | 'MappedAddressIterator', 212 | 'ExecutableAddressIterator', 213 | 'ReadableAddressIterator', 214 | 'WriteableAddressIterator', 215 | 'ExecutableAndWriteableAddressIterator', 216 | 'DebugRegister', 217 | 218 | # from window import * 219 | 'Window', 220 | 221 | # import win32 222 | 'win32', 223 | 224 | # from win32 import Handle, ProcessHandle, ThreadHandle, FileHandle 225 | 'Handle', 226 | 'ProcessHandle', 227 | 'ThreadHandle', 228 | 'FileHandle', 229 | ] 230 | 231 | # Import all public symbols 232 | from breakpoint import * 233 | from crash import * 234 | from debug import * 235 | from disasm import * 236 | from event import * 237 | from interactive import * 238 | from module import * 239 | from process import * 240 | from registry import * 241 | from system import * 242 | from search import * 243 | from textio import * 244 | from thread 
import * 245 | from util import * 246 | from window import * 247 | 248 | import win32 249 | from win32 import Handle, ProcessHandle, ThreadHandle, FileHandle 250 | 251 | try: 252 | # We need to ignore all warnings from this module because SQLAlchemy 253 | # became really picky in its latest versions regarding what we send it. 254 | import warnings 255 | with warnings.catch_warnings(): 256 | warnings.simplefilter("ignore") 257 | from sql import * 258 | __all__.append('CrashDAO') 259 | except ImportError: 260 | import warnings 261 | warnings.warn("No SQL database support present (missing dependencies?)", 262 | ImportWarning) 263 | 264 | # Library version 265 | version_number = 1.6 266 | version = "Version %s" % version_number 267 | -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/__init__.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/breakpoint.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/breakpoint.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/crash.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/crash.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/debug.pyc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/debug.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/disasm.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/disasm.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/event.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/event.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/interactive.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/interactive.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/module.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/module.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/plugins/README: -------------------------------------------------------------------------------- 1 | Here go the plugins for the interactive debugger. 
-------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/plugins/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | # Copyright (c) 2009-2016, Mario Vilas 5 | # All rights reserved. 6 | # 7 | # Redistribution and use in source and binary forms, with or without 8 | # modification, are permitted provided that the following conditions are met: 9 | # 10 | # * Redistributions of source code must retain the above copyright notice, 11 | # this list of conditions and the following disclaimer. 12 | # * Redistributions in binary form must reproduce the above copyright 13 | # notice,this list of conditions and the following disclaimer in the 14 | # documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the copyright holder nor the names of its 16 | # contributors may be used to endorse or promote products derived from 17 | # this software without specific prior written permission. 18 | # 19 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 20 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 | # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 23 | # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 | # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 | # POSSIBILITY OF SUCH DAMAGE. 30 | 31 | """ 32 | Plugins folder for the WinAppDbg interactive debugger. 
33 | """ 34 | -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/plugins/do_example.py: -------------------------------------------------------------------------------- 1 | #!/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | # Command line debugger using WinAppDbg 5 | # Example command 6 | # Copyright (c) 2009-2016, Mario Vilas 7 | # All rights reserved. 8 | # 9 | # Redistribution and use in source and binary forms, with or without 10 | # modification, are permitted provided that the following conditions are met: 11 | # 12 | # * Redistributions of source code must retain the above copyright notice, 13 | # this list of conditions and the following disclaimer. 14 | # * Redistributions in binary form must reproduce the above copyright 15 | # notice,this list of conditions and the following disclaimer in the 16 | # documentation and/or other materials provided with the distribution. 17 | # * Neither the name of the copyright holder nor the names of its 18 | # contributors may be used to endorse or promote products derived from 19 | # this software without specific prior written permission. 20 | # 21 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 | # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 25 | # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 26 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 27 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 28 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 29 | # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 30 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 | # POSSIBILITY OF SUCH DAMAGE. 
32 | 33 | def do(self, arg): 34 | ".example - This is an example plugin for the command line debugger" 35 | print "This is an example command." 36 | print "%s.do(%r, %r):" % (__name__, self, arg) 37 | print " last event", self.lastEvent 38 | print " prefix", self.cmdprefix 39 | print " arguments", self.split_tokens(arg) 40 | -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/plugins/do_exchain.py: -------------------------------------------------------------------------------- 1 | #!/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | # Command line debugger using WinAppDbg 5 | # Show exception handlers list 6 | # Copyright (c) 2009-2016, Mario Vilas 7 | # All rights reserved. 8 | # 9 | # Redistribution and use in source and binary forms, with or without 10 | # modification, are permitted provided that the following conditions are met: 11 | # 12 | # * Redistributions of source code must retain the above copyright notice, 13 | # this list of conditions and the following disclaimer. 14 | # * Redistributions in binary form must reproduce the above copyright 15 | # notice,this list of conditions and the following disclaimer in the 16 | # documentation and/or other materials provided with the distribution. 17 | # * Neither the name of the copyright holder nor the names of its 18 | # contributors may be used to endorse or promote products derived from 19 | # this software without specific prior written permission. 20 | # 21 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 | # ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 25 | # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 26 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 27 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 28 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 29 | # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 30 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 | # POSSIBILITY OF SUCH DAMAGE. 32 | 33 | from winappdbg import HexDump, Table 34 | 35 | def do(self, arg): 36 | ".exchain - Show the SEH chain" 37 | thread = self.get_thread_from_prefix() 38 | print "Exception handlers for thread %d" % thread.get_tid() 39 | print 40 | table = Table() 41 | table.addRow("Block", "Function") 42 | bits = thread.get_bits() 43 | for (seh, seh_func) in thread.get_seh_chain(): 44 | if seh is not None: 45 | seh = HexDump.address(seh, bits) 46 | if seh_func is not None: 47 | seh_func = HexDump.address(seh_func, bits) 48 | table.addRow(seh, seh_func) 49 | print table.getOutput() 50 | -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/plugins/do_exploitable.py: -------------------------------------------------------------------------------- 1 | #!/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | # Command line debugger using WinAppDbg 5 | # Determine the approximate exploitability rating 6 | # Copyright (c) 2009-2016, Mario Vilas 7 | # All rights reserved. 8 | # 9 | # Redistribution and use in source and binary forms, with or without 10 | # modification, are permitted provided that the following conditions are met: 11 | # 12 | # * Redistributions of source code must retain the above copyright notice, 13 | # this list of conditions and the following disclaimer. 
14 | # * Redistributions in binary form must reproduce the above copyright 15 | # notice,this list of conditions and the following disclaimer in the 16 | # documentation and/or other materials provided with the distribution. 17 | # * Neither the name of the copyright holder nor the names of its 18 | # contributors may be used to endorse or promote products derived from 19 | # this software without specific prior written permission. 20 | # 21 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 | # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 25 | # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 26 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 27 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 28 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 29 | # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 30 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 | # POSSIBILITY OF SUCH DAMAGE. 

def do(self, arg):
    ".exploitable - Determine the approximate exploitability rating"
    # The one-line docstring above is the command's help text; keep it as is.
    # The rating is computed from the debugger's last event by Crash; as the
    # help text says it is approximate, so treat it as a triage hint.

    from winappdbg import Crash

    event = self.debug.lastEvent
    crash = Crash(event)
    crash.fetch_extra_data(event)

    status, rule, description = crash.isExploitable()

    separator = "-" * 79
    report = (
        separator,
        "Exploitability: %s" % status,
        "Matched rule: %s" % rule,
        "Description: %s" % description,
        separator,
    )
    for line in report:
        print line

#------------------------------------------------------------------------------
# /ExtDepLibs/winappdbg/plugins/do_symfix.py:
#------------------------------------------------------------------------------
#!/bin/env python
# -*- coding: utf-8 -*-

# Command line debugger using WinAppDbg
# Fix the symbol store path
# Copyright (c) 2009-2016, Mario Vilas
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
#     * Redistributions of source code must retain the above copyright notice,
#       this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above copyright
#       notice,this list of conditions and the following disclaimer in the
#       documentation and/or other materials provided with the distribution.
#     * Neither the name of the copyright holder nor the names of its
#       contributors may be used to endorse or promote products derived from
#       this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.
# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

def do(self, arg):
    ".symfix - Set the default Microsoft Symbol Store settings if missing"
    # The one-line docstring above is the command's help text; keep it as is.
    # force=False: consistent with "if missing" above, an existing symbol
    # store setting is left alone.
    # NOTE(review): remote=True is handed straight to winappdbg.system;
    # presumably it allows symbols to be fetched from the remote store, i.e.
    # network egress from the debugger host -- confirm in system.py before
    # relying on this in an isolated analysis environment.
    symbol_store_options = dict(remote=True, force=False)
    self.debug.system.fix_symbol_store_path(**symbol_store_options)

#------------------------------------------------------------------------------
# /ExtDepLibs/winappdbg/process.pyc:
# https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/process.pyc
#------------------------------------------------------------------------------
# /ExtDepLibs/winappdbg/registry.pyc:
# https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/registry.pyc
#------------------------------------------------------------------------------
# /ExtDepLibs/winappdbg/search.pyc:
# https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/search.pyc
#------------------------------------------------------------------------------
# /ExtDepLibs/winappdbg/sql.pyc:
#------------------------------------------------------------------------------
https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/sql.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/system.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/system.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/textio.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/textio.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/thread.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/thread.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/util.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/util.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/win32/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | # Copyright (c) 2009-2016, Mario Vilas 5 | # All rights reserved. 
6 | # 7 | # Redistribution and use in source and binary forms, with or without 8 | # modification, are permitted provided that the following conditions are met: 9 | # 10 | # * Redistributions of source code must retain the above copyright notice, 11 | # this list of conditions and the following disclaimer. 12 | # * Redistributions in binary form must reproduce the above copyright 13 | # notice,this list of conditions and the following disclaimer in the 14 | # documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the copyright holder nor the names of its 16 | # contributors may be used to endorse or promote products derived from 17 | # this software without specific prior written permission. 18 | # 19 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 20 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 | # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 23 | # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 | # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 | # POSSIBILITY OF SUCH DAMAGE. 30 | 31 | """ 32 | Debugging API wrappers in ctypes. 33 | """ 34 | 35 | #----------------------------------------------------------------------------- 36 | # Monkey patch for Cygwin, which does not load some features correctly since 37 | # it believes to be running on Linux. 38 | 39 | # Detect whether we need to patch or not. 
# The patch below is applied only when ctypes has no WINFUNCTYPE, which is the
# case described in the module comment above (Cygwin believing it runs on
# Linux). On a regular Windows build the import succeeds and nothing here runs.
try:
    from ctypes import WINFUNCTYPE
except ImportError:
    import ctypes

    # Fix FormatError.
    ##from _ctypes import FormatError
    ##ctypes.FormatError = FormatError

    # Fix FUNCFLAG_STDCALL.
    # Cygwin's ctypes does not define the stdcall flag, so every alias is set
    # to 0 (no extra flags). NOTE(review): whether that matches the calling
    # convention of the target DLLs is for the Cygwin build to confirm.
    ctypes.FUNCFLAG_STDCALL = FUNCFLAG_STDCALL = _FUNCFLAG_STDCALL = 0

    # Fix WINFUNCTYPE.
    # Re-implementation of ctypes.WINFUNCTYPE: builds (and caches, keyed on
    # restype/argtypes/flags) a _CFuncPtr subclass for a prototype.
    ctypes._win_functype_cache = {}
    def WINFUNCTYPE(restype, *argtypes, **kw):
        flags = _FUNCFLAG_STDCALL
        if kw.pop("use_errno", False):
            flags |= ctypes._FUNCFLAG_USE_ERRNO
        if kw.pop("use_last_error", False):
            flags |= ctypes._FUNCFLAG_USE_LASTERROR
        # Anything left in kw is an unknown keyword: reject it rather than
        # silently ignore it.
        if kw:
            raise ValueError("unexpected keyword argument(s) %s" % kw.keys())
        try:
            return ctypes._win_functype_cache[(restype, argtypes, flags)]
        except KeyError:
            class WinFunctionType(ctypes._CFuncPtr):
                _argtypes_ = argtypes
                _restype_ = restype
                _flags_ = flags
            ctypes._win_functype_cache[(restype, argtypes, flags)] = WinFunctionType
            return WinFunctionType
    if WINFUNCTYPE.__doc__:
        WINFUNCTYPE.__doc__ = ctypes.CFUNCTYPE.__doc__.replace(
            "CFUNCTYPE", "WINFUNCTYPE")
    ctypes.WINFUNCTYPE = WINFUNCTYPE

    # Fix _reset_cache.
    # Chain onto the original so our prototype cache is cleared together
    # with the ones ctypes already maintains.
    _original_reset_cache = ctypes._reset_cache
    def _reset_cache():
        ctypes._win_functype_cache.clear()
        _original_reset_cache()
    ctypes._reset_cache = _reset_cache

    # Fix the string conversion mode.
    # "ignore" means characters that cannot be converted with the mbcs codec
    # are dropped silently instead of raising.
    if hasattr(ctypes, "set_conversion_mode"):
        ctypes.set_conversion_mode("mbcs", "ignore")

    # Fix WinDLL.
    class WinDLL(ctypes.CDLL):
        """This class represents a dll exporting functions using the
        Windows stdcall calling convention.
        """
        _func_flags_ = _FUNCFLAG_STDCALL
    ctypes.WinDLL = WinDLL

    # Fix HRESULT.
    # A plain signed long; the HRESULT return-value check is left disabled.
    from _ctypes import _SimpleCData
    class HRESULT(_SimpleCData):
        _type_ = "l"
        ##_check_retval_ = _check_HRESULT
    ctypes.HRESULT = HRESULT

    # Fix OleDLL.
    class OleDLL(ctypes.CDLL):
        """This class represents a dll exporting functions using the
        Windows stdcall calling convention, and returning HRESULT.
        HRESULT error values are automatically raised as WindowsError
        exceptions.
        """
        _func_flags_ = _FUNCFLAG_STDCALL
        _func_restype_ = HRESULT
    ctypes.OleDLL = OleDLL

    # Fix windll, oledll and GetLastError.
    # These loaders resolve kernel32 at import time; if the DLL cannot be
    # loaded the whole package import fails here.
    ctypes.windll = ctypes.LibraryLoader(WinDLL)
    ctypes.oledll = ctypes.LibraryLoader(OleDLL)
    ctypes.GetLastError = ctypes.windll.kernel32.GetLastError

    # Fix get_last_error and set_last_error.
    ctypes.get_last_error = ctypes.windll.kernel32.GetLastError
    ctypes.set_last_error = ctypes.windll.kernel32.SetLastError

    # Fix FormatError.
    # Returns the system message text for a Win32 error code, or a generic
    # "Error code 0x..." string when the lookup fails for any reason.
    # GuessStringType, DWORD, LPVOID, LPSTR, LPWSTR and windll are not defined
    # at this point: they are looked up at call time and come into this
    # namespace from the "from defines import *" further down in this file.
    def FormatError(code):
        code = int(long(code))
        try:
            if GuessStringType.t_default == GuessStringType.t_ansi:
                FormatMessage = windll.kernel32.FormatMessageA
                FormatMessage.argtypes = [DWORD, LPVOID, DWORD, DWORD, LPSTR, DWORD]
                FormatMessage.restype = DWORD
                lpBuffer = ctypes.create_string_buffer(1024)
            else:
                FormatMessage = windll.kernel32.FormatMessageW
                FormatMessage.argtypes = [DWORD, LPVOID, DWORD, DWORD, LPWSTR, DWORD]
                FormatMessage.restype = DWORD
                lpBuffer = ctypes.create_unicode_buffer(1024)
            ##FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000
            ##FORMAT_MESSAGE_IGNORE_INSERTS = 0x00000200
            # 0x1200 is the OR of the two flags commented out above: take the
            # text from the system message table and leave any insert
            # sequences in it unexpanded, so no argument array is supplied.
            # NOTE(review): the argtypes above declare six parameters while
            # FormatMessage also takes a trailing Arguments pointer; it is
            # unused with IGNORE_INSERTS, and any failure of the call is
            # absorbed by the except below -- verify on a Cygwin build.
            success = FormatMessage(0x1200, None, code, 0, lpBuffer, 1024)
            if success:
                return lpBuffer.value
        except Exception:
            # Best effort: a broken lookup must not turn an error report
            # into a second exception. The fallback text keeps the code.
            pass
        if GuessStringType.t_default == GuessStringType.t_ansi:
            return "Error code 0x%.8X" % code
        return u"Error code 0x%.8X" % code
    ctypes.FormatError = FormatError

    # Fix WinError.
    # Builds a WindowsError from a code (default: the last Win32 error) and a
    # description (default: the FormatError text for that code).
    def WinError(code=None, descr=None):
        if code is None:
            code = ctypes.GetLastError()
        if descr is None:
            descr = ctypes.FormatError(code).strip()
        return WindowsError(code, descr)
    ctypes.WinError = WinError

    # Fix DllGetClassObject.
    # COM in-process server entry point: forwarded to comtypes when it can be
    # imported, otherwise CLASS_E_CLASSNOTAVAILABLE is returned.
    def DllGetClassObject(rclsid, riid, ppv):
        try:
            ccom = __import__(
                "comtypes.server.inprocserver", globals(), locals(), ['*'])
        except ImportError:
            return -2147221231 # CLASS_E_CLASSNOTAVAILABLE
        else:
            return ccom.DllGetClassObject(rclsid, riid, ppv)
    ctypes.DllGetClassObject = DllGetClassObject

    # Fix DllCanUnloadNow.
    # Same forwarding as above; without comtypes the answer is S_OK.
    def DllCanUnloadNow():
        try:
            ccom = __import__(
                "comtypes.server.inprocserver", globals(), locals(), ['*'])
        except ImportError:
            return 0 # S_OK
        return ccom.DllCanUnloadNow()
    ctypes.DllCanUnloadNow = DllCanUnloadNow

#-----------------------------------------------------------------------------

# Import all submodules into this namespace.
# Required for compatibility with older versions of WinAppDbg.
# These are implicit relative imports (Python 2 only).
import defines
import kernel32
import user32
import advapi32
import wtsapi32
import shell32
import shlwapi
import psapi
import dbghelp
import ntdll

# Import all symbols from submodules into this namespace.
# Required for compatibility with older versions of WinAppDbg.
# Each submodule computes its own __all__, so only its public names land here.
from defines import *
from kernel32 import *
from user32 import *
from advapi32 import *
from wtsapi32 import *
from shell32 import *
from shlwapi import *
from psapi import *
from dbghelp import *
from ntdll import *
# This calculates the list of exported symbols: the union of every
# submodule's _all set, minus the underscore-prefixed (private) names.
_all = set().union(
    defines._all,
    kernel32._all,
    user32._all,
    advapi32._all,
    wtsapi32._all,
    shell32._all,
    shlwapi._all,
    psapi._all,
    dbghelp._all,
    ntdll._all,
)
__all__ = sorted([_x for _x in _all if not _x.startswith('_')])

#------------------------------------------------------------------------------
# /ExtDepLibs/winappdbg/win32/__init__.pyc:
# https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/__init__.pyc
#------------------------------------------------------------------------------
# /ExtDepLibs/winappdbg/win32/advapi32.pyc:
# https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/advapi32.pyc
#------------------------------------------------------------------------------
# /ExtDepLibs/winappdbg/win32/context_amd64.pyc:
# https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/context_amd64.pyc
#------------------------------------------------------------------------------
# /ExtDepLibs/winappdbg/win32/context_i386.pyc:
# https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/context_i386.pyc
#------------------------------------------------------------------------------
# /ExtDepLibs/winappdbg/win32/dbghelp.pyc:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/dbghelp.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/win32/defines.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/defines.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/win32/gdi32.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/gdi32.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/win32/kernel32.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/kernel32.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/win32/ntdll.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/ntdll.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/win32/peb_teb.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/peb_teb.pyc 
-------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/win32/psapi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | # Copyright (c) 2009-2016, Mario Vilas 5 | # All rights reserved. 6 | # 7 | # Redistribution and use in source and binary forms, with or without 8 | # modification, are permitted provided that the following conditions are met: 9 | # 10 | # * Redistributions of source code must retain the above copyright notice, 11 | # this list of conditions and the following disclaimer. 12 | # * Redistributions in binary form must reproduce the above copyright 13 | # notice,this list of conditions and the following disclaimer in the 14 | # documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the copyright holder nor the names of its 16 | # contributors may be used to endorse or promote products derived from 17 | # this software without specific prior written permission. 18 | # 19 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 20 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 | # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 23 | # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 | # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 | # POSSIBILITY OF SUCH DAMAGE. 30 | 31 | """ 32 | Wrapper for psapi.dll in ctypes. 
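"""

from defines import *

#==============================================================================
# This is used later on to calculate the list of exported symbols.
_all = None
_all = set(vars().keys())
#==============================================================================

#--- PSAPI structures and constants -------------------------------------------

# Filter flags accepted by EnumProcessModulesEx.
LIST_MODULES_DEFAULT = 0x00
LIST_MODULES_32BIT   = 0x01
LIST_MODULES_64BIT   = 0x02
LIST_MODULES_ALL     = 0x03

# typedef struct _MODULEINFO {
#   LPVOID lpBaseOfDll;
#   DWORD  SizeOfImage;
#   LPVOID EntryPoint;
# } MODULEINFO, *LPMODULEINFO;
class MODULEINFO(Structure):
    """
    Module information as filled in by L{GetModuleInformation}.

    Both pointer fields are addresses in the target process, not in this
    one, so they must not be dereferenced locally.
    """
    _fields_ = [
        ("lpBaseOfDll",  LPVOID),   # remote pointer
        ("SizeOfImage",  DWORD),
        ("EntryPoint",   LPVOID),   # remote pointer
    ]
LPMODULEINFO = POINTER(MODULEINFO)

#--- Private helpers ----------------------------------------------------------
# Underscore-prefixed names are dropped from __all__ at the bottom of this
# module, so none of these are exported.

def _ansi_buffer(nSize):
    "Allocate a zero-filled ANSI buffer of nSize characters."
    return ctypes.create_string_buffer("", nSize)

def _unicode_buffer(nSize):
    "Allocate a zero-filled Unicode buffer of nSize characters."
    return ctypes.create_unicode_buffer(u"", nSize)

def _get_name(function, make_buffer, args):
    """
    Call a psapi name-retrieval function, growing the buffer until the
    result fits. Shared by every Get*Name wrapper in this module.

    @type  function: ctypes function
    @param function: Wrapped psapi function. Its last two parameters must be
        the output buffer and its size in characters, and it must return the
        number of characters copied (zero on failure).

    @type  make_buffer: callable
    @param make_buffer: L{_ansi_buffer} or L{_unicode_buffer}.

    @type  args: tuple
    @param args: Arguments placed before the buffer and its size.

    @rtype:  str or unicode
    @return: Contents of the buffer.

    @raise WindowsError: The function returned zero.
    """
    nSize = MAX_PATH
    while 1:
        lpBuffer = make_buffer(nSize)
        nCopied  = function(*(tuple(args) + (lpBuffer, nSize)))
        if nCopied == 0:
            raise ctypes.WinError()
        # A result that reaches the last character of the buffer may have
        # been truncated, so retry with a larger buffer.
        if nCopied < (nSize - 1):
            break
        nSize = nSize + MAX_PATH
    return lpBuffer.value

#--- psapi.dll ----------------------------------------------------------------

# BOOL WINAPI EnumDeviceDrivers(
#   __out  LPVOID *lpImageBase,
#   __in   DWORD cb,
#   __out  LPDWORD lpcbNeeded
# );
def EnumDeviceDrivers():
    """
    Enumerate the load addresses of the device drivers in the system.

    @rtype:  list( int )
    @return: Load address of each driver.

    On failure the RaiseIfZero errcheck (imported from defines) raises
    instead of returning.
    """
    _EnumDeviceDrivers = windll.psapi.EnumDeviceDrivers
    _EnumDeviceDrivers.argtypes = [LPVOID, DWORD, LPDWORD]
    _EnumDeviceDrivers.restype  = bool
    _EnumDeviceDrivers.errcheck = RaiseIfZero

    size       = 0x1000
    lpcbNeeded = DWORD(size)
    unit       = sizeof(LPVOID)
    while 1:
        lpImageBase = (LPVOID * (size // unit))()
        # lpcbNeeded doubles as the buffer size going in and the required
        # size coming out, so it already holds the next size on a retry.
        _EnumDeviceDrivers(byref(lpImageBase), lpcbNeeded, byref(lpcbNeeded))
        needed = lpcbNeeded.value
        if needed <= size:
            break
        size = needed
    return [ lpImageBase[index] for index in xrange(0, (needed // unit)) ]

# BOOL WINAPI EnumProcesses(
#   __out  DWORD *pProcessIds,
#   __in   DWORD cb,
#   __out  DWORD *pBytesReturned
# );
def EnumProcesses():
    """
    Enumerate the identifiers of every process in the system.

    @rtype:  list( int )
    @return: Process identifiers, in the order psapi.dll reported them.

    On failure the RaiseIfZero errcheck (imported from defines) raises
    instead of returning.
    """
    _EnumProcesses = windll.psapi.EnumProcesses
    _EnumProcesses.argtypes = [LPVOID, DWORD, LPDWORD]
    _EnumProcesses.restype  = bool
    _EnumProcesses.errcheck = RaiseIfZero

    size            = 0x1000
    cbBytesReturned = DWORD()
    unit            = sizeof(DWORD)
    while 1:
        ProcessIds = (DWORD * (size // unit))()
        cbBytesReturned.value = size
        _EnumProcesses(byref(ProcessIds), cbBytesReturned, byref(cbBytesReturned))
        returned = cbBytesReturned.value
        # EnumProcesses reports no "needed" size: a buffer that came back
        # completely full may have been truncated, so grow it and retry.
        if returned < size:
            break
        size = size + 0x1000
    # Only the first (returned // unit) slots were written by the call. The
    # remainder of the array is zero padding, and must not be reported as
    # process IDs (the elements are ints, so a None check never fires).
    return list(ProcessIds[:(returned // unit)])

# BOOL WINAPI EnumProcessModules(
#   __in   HANDLE hProcess,
#   __out  HMODULE *lphModule,
#   __in   DWORD cb,
#   __out  LPDWORD lpcbNeeded
# );
def EnumProcessModules(hProcess):
    """
    Enumerate the modules loaded in a process.

    @type  hProcess: HANDLE
    @param hProcess: Handle to the target process.

    @rtype:  list( int )
    @return: Module handles (base addresses in the target process).

    On failure the RaiseIfZero errcheck (imported from defines) raises
    instead of returning.
    """
    _EnumProcessModules = windll.psapi.EnumProcessModules
    _EnumProcessModules.argtypes = [HANDLE, LPVOID, DWORD, LPDWORD]
    _EnumProcessModules.restype  = bool
    _EnumProcessModules.errcheck = RaiseIfZero

    size       = 0x1000
    lpcbNeeded = DWORD(size)
    unit       = sizeof(HMODULE)
    while 1:
        lphModule = (HMODULE * (size // unit))()
        _EnumProcessModules(hProcess, byref(lphModule), lpcbNeeded, byref(lpcbNeeded))
        needed = lpcbNeeded.value
        if needed <= size:
            break
        size = needed
    return [ lphModule[index] for index in xrange(0, int(needed // unit)) ]

# BOOL WINAPI EnumProcessModulesEx(
#   __in   HANDLE hProcess,
#   __out  HMODULE *lphModule,
#   __in   DWORD cb,
#   __out  LPDWORD lpcbNeeded,
#   __in   DWORD dwFilterFlag
# );
def EnumProcessModulesEx(hProcess, dwFilterFlag = LIST_MODULES_DEFAULT):
    """
    Enumerate the modules loaded in a process, filtered by bitness.

    @type  hProcess: HANDLE
    @param hProcess: Handle to the target process.

    @type  dwFilterFlag: int
    @param dwFilterFlag: One of the LIST_MODULES_* constants.

    @rtype:  list( int )
    @return: Module handles (base addresses in the target process).

    On failure the RaiseIfZero errcheck (imported from defines) raises
    instead of returning.
    """
    _EnumProcessModulesEx = windll.psapi.EnumProcessModulesEx
    _EnumProcessModulesEx.argtypes = [HANDLE, LPVOID, DWORD, LPDWORD, DWORD]
    _EnumProcessModulesEx.restype  = bool
    _EnumProcessModulesEx.errcheck = RaiseIfZero

    size       = 0x1000
    lpcbNeeded = DWORD(size)
    unit       = sizeof(HMODULE)
    while 1:
        lphModule = (HMODULE * (size // unit))()
        _EnumProcessModulesEx(hProcess, byref(lphModule), lpcbNeeded, byref(lpcbNeeded), dwFilterFlag)
        needed = lpcbNeeded.value
        if needed <= size:
            break
        size = needed
    return [ lphModule[index] for index in xrange(0, (needed // unit)) ]

# DWORD WINAPI GetDeviceDriverBaseName(
#   __in   LPVOID ImageBase,
#   __out  LPTSTR lpBaseName,
#   __in   DWORD nSize
# );
def GetDeviceDriverBaseNameA(ImageBase):
    """
    Base name of a device driver (ANSI).

    @type  ImageBase: int
    @param ImageBase: Driver load address, as returned by L{EnumDeviceDrivers}.

    @rtype:  str
    @return: Base name of the driver.

    @raise WindowsError: The call failed.
    """
    _GetDeviceDriverBaseNameA = windll.psapi.GetDeviceDriverBaseNameA
    _GetDeviceDriverBaseNameA.argtypes = [LPVOID, LPSTR, DWORD]
    _GetDeviceDriverBaseNameA.restype  = DWORD
    return _get_name(_GetDeviceDriverBaseNameA, _ansi_buffer, (ImageBase,))

def GetDeviceDriverBaseNameW(ImageBase):
    """
    Base name of a device driver (Unicode). See L{GetDeviceDriverBaseNameA}.

    @rtype:  unicode
    @return: Base name of the driver.

    @raise WindowsError: The call failed.
    """
    _GetDeviceDriverBaseNameW = windll.psapi.GetDeviceDriverBaseNameW
    _GetDeviceDriverBaseNameW.argtypes = [LPVOID, LPWSTR, DWORD]
    _GetDeviceDriverBaseNameW.restype  = DWORD
    return _get_name(_GetDeviceDriverBaseNameW, _unicode_buffer, (ImageBase,))

GetDeviceDriverBaseName = GuessStringType(GetDeviceDriverBaseNameA, GetDeviceDriverBaseNameW)

# DWORD WINAPI GetDeviceDriverFileName(
#   __in   LPVOID ImageBase,
#   __out  LPTSTR lpFilename,
#   __in   DWORD nSize
# );
def GetDeviceDriverFileNameA(ImageBase):
    """
    File name of a device driver (ANSI).

    @type  ImageBase: int
    @param ImageBase: Driver load address, as returned by L{EnumDeviceDrivers}.

    @rtype:  str
    @return: File name of the driver.

    @raise WindowsError: The call failed.
    """
    _GetDeviceDriverFileNameA = windll.psapi.GetDeviceDriverFileNameA
    _GetDeviceDriverFileNameA.argtypes = [LPVOID, LPSTR, DWORD]
    _GetDeviceDriverFileNameA.restype  = DWORD
    # The configured local is used for the call, like every other wrapper
    # here, rather than looking the function up again on ctypes.windll.
    return _get_name(_GetDeviceDriverFileNameA, _ansi_buffer, (ImageBase,))

def GetDeviceDriverFileNameW(ImageBase):
    """
    File name of a device driver (Unicode). See L{GetDeviceDriverFileNameA}.

    @rtype:  unicode
    @return: File name of the driver.

    @raise WindowsError: The call failed.
    """
    _GetDeviceDriverFileNameW = windll.psapi.GetDeviceDriverFileNameW
    _GetDeviceDriverFileNameW.argtypes = [LPVOID, LPWSTR, DWORD]
    _GetDeviceDriverFileNameW.restype  = DWORD
    return _get_name(_GetDeviceDriverFileNameW, _unicode_buffer, (ImageBase,))

GetDeviceDriverFileName = GuessStringType(GetDeviceDriverFileNameA, GetDeviceDriverFileNameW)

# DWORD WINAPI GetMappedFileName(
#   __in   HANDLE hProcess,
#   __in   LPVOID lpv,
#   __out  LPTSTR lpFilename,
#   __in   DWORD nSize
# );
def GetMappedFileNameA(hProcess, lpv):
    """
    Name of the file mapped at an address of a process (ANSI).

    @type  hProcess: HANDLE
    @param hProcess: Handle to the target process.

    @type  lpv: int
    @param lpv: Address in the target process.

    @rtype:  str
    @return: Name of the mapped file.

    @raise WindowsError: The call failed.
    """
    _GetMappedFileNameA = ctypes.windll.psapi.GetMappedFileNameA
    _GetMappedFileNameA.argtypes = [HANDLE, LPVOID, LPSTR, DWORD]
    _GetMappedFileNameA.restype  = DWORD
    return _get_name(_GetMappedFileNameA, _ansi_buffer, (hProcess, lpv))

def GetMappedFileNameW(hProcess, lpv):
    """
    Name of the file mapped at an address of a process (Unicode).
    See L{GetMappedFileNameA}.

    @rtype:  unicode
    @return: Name of the mapped file.

    @raise WindowsError: The call failed.
    """
    _GetMappedFileNameW = ctypes.windll.psapi.GetMappedFileNameW
    _GetMappedFileNameW.argtypes = [HANDLE, LPVOID, LPWSTR, DWORD]
    _GetMappedFileNameW.restype  = DWORD
    return _get_name(_GetMappedFileNameW, _unicode_buffer, (hProcess, lpv))

GetMappedFileName = GuessStringType(GetMappedFileNameA, GetMappedFileNameW)

# DWORD WINAPI GetModuleFileNameEx(
#   __in      HANDLE hProcess,
#   __in_opt  HMODULE hModule,
#   __out     LPTSTR lpFilename,
#   __in      DWORD nSize
# );
def GetModuleFileNameExA(hProcess, hModule = None):
    """
    Full path of a module loaded in a process (ANSI).

    @type  hProcess: HANDLE
    @param hProcess: Handle to the target process.

    @type  hModule: HMODULE
    @param hModule: Module handle, or None (passed through as a NULL handle).

    @rtype:  str
    @return: Path of the module file.

    @raise WindowsError: The call failed.
    """
    _GetModuleFileNameExA = ctypes.windll.psapi.GetModuleFileNameExA
    _GetModuleFileNameExA.argtypes = [HANDLE, HMODULE, LPSTR, DWORD]
    _GetModuleFileNameExA.restype  = DWORD
    return _get_name(_GetModuleFileNameExA, _ansi_buffer, (hProcess, hModule))

def GetModuleFileNameExW(hProcess, hModule = None):
    """
    Full path of a module loaded in a process (Unicode).
    See L{GetModuleFileNameExA}.

    @rtype:  unicode
    @return: Path of the module file.

    @raise WindowsError: The call failed.
    """
    _GetModuleFileNameExW = ctypes.windll.psapi.GetModuleFileNameExW
    _GetModuleFileNameExW.argtypes = [HANDLE, HMODULE, LPWSTR, DWORD]
    _GetModuleFileNameExW.restype  = DWORD
    return _get_name(_GetModuleFileNameExW, _unicode_buffer, (hProcess, hModule))

GetModuleFileNameEx = GuessStringType(GetModuleFileNameExA, GetModuleFileNameExW)

# BOOL WINAPI GetModuleInformation(
#   __in   HANDLE hProcess,
#   __in   HMODULE hModule,
#   __out  LPMODULEINFO lpmodinfo,
#   __in   DWORD cb
# );
def GetModuleInformation(hProcess, hModule, lpmodinfo = None):
    """
    Fill in a L{MODULEINFO} structure for a module loaded in a process.

    @type  hProcess: HANDLE
    @param hProcess: Handle to the target process.

    @type  hModule: HMODULE
    @param hModule: Module handle.

    @type  lpmodinfo: L{MODULEINFO}
    @param lpmodinfo: Structure to fill in; a fresh one is created when None.

    @rtype:  L{MODULEINFO}
    @return: The filled-in structure (the one passed in, if any).

    On failure the RaiseIfZero errcheck (imported from defines) raises
    instead of returning.
    """
    _GetModuleInformation = windll.psapi.GetModuleInformation
    _GetModuleInformation.argtypes = [HANDLE, HMODULE, LPMODULEINFO, DWORD]
    _GetModuleInformation.restype  = bool
    _GetModuleInformation.errcheck = RaiseIfZero

    if lpmodinfo is None:
        lpmodinfo = MODULEINFO()
    _GetModuleInformation(hProcess, hModule, byref(lpmodinfo), sizeof(lpmodinfo))
    return lpmodinfo

# DWORD WINAPI GetProcessImageFileName(
#   __in   HANDLE hProcess,
#   __out  LPTSTR lpImageFileName,
#   __in   DWORD nSize
# );
def GetProcessImageFileNameA(hProcess):
    """
    Image file name of a process (ANSI).

    @type  hProcess: HANDLE
    @param hProcess: Handle to the target process.

    @rtype:  str
    @return: Image file name.

    @raise WindowsError: The call failed.
    """
    _GetProcessImageFileNameA = windll.psapi.GetProcessImageFileNameA
    _GetProcessImageFileNameA.argtypes = [HANDLE, LPSTR, DWORD]
    _GetProcessImageFileNameA.restype  = DWORD
    return _get_name(_GetProcessImageFileNameA, _ansi_buffer, (hProcess,))

def GetProcessImageFileNameW(hProcess):
    """
    Image file name of a process (Unicode). See L{GetProcessImageFileNameA}.

    @rtype:  unicode
    @return: Image file name.

    @raise WindowsError: The call failed.
    """
    _GetProcessImageFileNameW = windll.psapi.GetProcessImageFileNameW
    _GetProcessImageFileNameW.argtypes = [HANDLE, LPWSTR, DWORD]
    _GetProcessImageFileNameW.restype  = DWORD
    return _get_name(_GetProcessImageFileNameW, _unicode_buffer, (hProcess,))

GetProcessImageFileName = GuessStringType(GetProcessImageFileNameA, GetProcessImageFileNameW)

#==============================================================================
# This calculates the list of exported symbols.
_all = set(vars().keys()).difference(_all)
__all__ = [_x for _x in _all if not _x.startswith('_')]
__all__.sort()
#==============================================================================

#------------------------------------------------------------------------------
# /ExtDepLibs/winappdbg/win32/psapi.pyc:
# https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/psapi.pyc
#------------------------------------------------------------------------------
# /ExtDepLibs/winappdbg/win32/shell32.py:
#------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-

# Copyright (c) 2009-2016, Mario Vilas
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
#     * Redistributions of source code must retain the above copyright notice,
#       this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above copyright
#       notice,this list of conditions and the following disclaimer in the
#       documentation and/or other materials provided with the distribution.
#     * Neither the name of the copyright holder nor the names of its
#       contributors may be used to endorse or promote products derived from
#       this software without specific prior written permission.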
18 | # 19 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 20 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 | # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 23 | # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 | # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 | # POSSIBILITY OF SUCH DAMAGE. 30 | 31 | """ 32 | Wrapper for shell32.dll in ctypes. 33 | """ 34 | 35 | # TODO 36 | # * Add a class wrapper to SHELLEXECUTEINFO 37 | # * More logic into ShellExecuteEx 38 | 39 | from defines import * 40 | from kernel32 import LocalFree 41 | 42 | #============================================================================== 43 | # This is used later on to calculate the list of exported symbols. 
_all = None
_all = set(vars().keys())
#==============================================================================

#--- Constants ----------------------------------------------------------------

# SEE_MASK_* flag bits. Judging by the name they belong in the fMask member
# of the SHELLEXECUTEINFO structure defined further down and are combined
# with "|".
# NOTE(review): SEE_MASK_FLAG_NO_UI and SEE_MASK_NOZONECHECKS read as "skip
# the shell's UI / zone checks"; confirm their exact effect in the Win32
# docs before setting them when the file being opened is of untrusted
# origin (e.g. a fuzz input).
SEE_MASK_DEFAULT = 0x00000000
SEE_MASK_CLASSNAME = 0x00000001
SEE_MASK_CLASSKEY = 0x00000003
SEE_MASK_IDLIST = 0x00000004
SEE_MASK_INVOKEIDLIST = 0x0000000C
SEE_MASK_ICON = 0x00000010
SEE_MASK_HOTKEY = 0x00000020
SEE_MASK_NOCLOSEPROCESS = 0x00000040
SEE_MASK_CONNECTNETDRV = 0x00000080
SEE_MASK_NOASYNC = 0x00000100
SEE_MASK_DOENVSUBST = 0x00000200
SEE_MASK_FLAG_NO_UI = 0x00000400
SEE_MASK_UNICODE = 0x00004000
SEE_MASK_NO_CONSOLE = 0x00008000
SEE_MASK_ASYNCOK = 0x00100000
SEE_MASK_HMONITOR = 0x00200000
SEE_MASK_NOZONECHECKS = 0x00800000
SEE_MASK_WAITFORINPUTIDLE = 0x02000000
SEE_MASK_FLAG_LOG_USAGE = 0x04000000

# SE_ERR_* status codes. The ShellExecute* and FindExecutable* wrappers
# below treat any status that is not greater than 32 as a failure and raise
# it as a WindowsError number; these are the values that can show up there.
# (The list is not in numeric order.)
SE_ERR_FNF = 2
SE_ERR_PNF = 3
SE_ERR_ACCESSDENIED = 5
SE_ERR_OOM = 8
SE_ERR_DLLNOTFOUND = 32
SE_ERR_SHARE = 26
SE_ERR_ASSOCINCOMPLETE = 27
SE_ERR_DDETIMEOUT = 28
SE_ERR_DDEFAIL = 29
SE_ERR_DDEBUSY = 30
SE_ERR_NOASSOC = 31

# dwFlags values for SHGetFolderPath* (SHGFP_TYPE_CURRENT is their default).
SHGFP_TYPE_CURRENT = 0
SHGFP_TYPE_DEFAULT = 1

# CSIDL_* special-folder identifiers; presumably the nFolder argument of
# SHGetFolderPath*. CSIDL_MYDOCUMENTS is an alias of CSIDL_PERSONAL.
CSIDL_DESKTOP = 0x0000
CSIDL_INTERNET = 0x0001
CSIDL_PROGRAMS = 0x0002
CSIDL_CONTROLS = 0x0003
CSIDL_PRINTERS = 0x0004
CSIDL_PERSONAL = 0x0005
CSIDL_FAVORITES = 0x0006
CSIDL_STARTUP = 0x0007
CSIDL_RECENT = 0x0008
CSIDL_SENDTO = 0x0009
CSIDL_BITBUCKET = 0x000a
CSIDL_STARTMENU = 0x000b
CSIDL_MYDOCUMENTS = CSIDL_PERSONAL
CSIDL_MYMUSIC = 0x000d
CSIDL_MYVIDEO = 0x000e
CSIDL_DESKTOPDIRECTORY = 0x0010
CSIDL_DRIVES = 0x0011
CSIDL_NETWORK = 0x0012
CSIDL_NETHOOD = 0x0013
CSIDL_FONTS = 0x0014
CSIDL_TEMPLATES = 0x0015
CSIDL_COMMON_STARTMENU = 0x0016
CSIDL_COMMON_PROGRAMS = 0x0017
CSIDL_COMMON_STARTUP = 0x0018
CSIDL_COMMON_DESKTOPDIRECTORY = 0x0019
CSIDL_APPDATA = 0x001a
CSIDL_PRINTHOOD = 0x001b
CSIDL_LOCAL_APPDATA = 0x001c
CSIDL_ALTSTARTUP = 0x001d
CSIDL_COMMON_ALTSTARTUP = 0x001e
CSIDL_COMMON_FAVORITES = 0x001f
CSIDL_INTERNET_CACHE = 0x0020
CSIDL_COOKIES = 0x0021
CSIDL_HISTORY = 0x0022
CSIDL_COMMON_APPDATA = 0x0023
CSIDL_WINDOWS = 0x0024
CSIDL_SYSTEM = 0x0025
CSIDL_PROGRAM_FILES = 0x0026
CSIDL_MYPICTURES = 0x0027
CSIDL_PROFILE = 0x0028
CSIDL_SYSTEMX86 = 0x0029
CSIDL_PROGRAM_FILESX86 = 0x002a
CSIDL_PROGRAM_FILES_COMMON = 0x002b
CSIDL_PROGRAM_FILES_COMMONX86 = 0x002c
CSIDL_COMMON_TEMPLATES = 0x002d
CSIDL_COMMON_DOCUMENTS = 0x002e
CSIDL_COMMON_ADMINTOOLS = 0x002f
CSIDL_ADMINTOOLS = 0x0030
CSIDL_CONNECTIONS = 0x0031
CSIDL_COMMON_MUSIC = 0x0035
CSIDL_COMMON_PICTURES = 0x0036
CSIDL_COMMON_VIDEO = 0x0037
CSIDL_RESOURCES = 0x0038
CSIDL_RESOURCES_LOCALIZED = 0x0039
CSIDL_COMMON_OEM_LINKS = 0x003a
CSIDL_CDBURN_AREA = 0x003b
CSIDL_COMPUTERSNEARME = 0x003d
CSIDL_PROFILES = 0x003e

# An nFolder value splits into two bytes: the low byte is the folder id
# (all CSIDL_* ids above fit in it), the high byte carries CSIDL_FLAG_* bits.
CSIDL_FOLDER_MASK = 0x00ff

# CSIDL_FLAG_* modifier bits, OR'ed into the high byte of nFolder.
# NOTE(review): by name CSIDL_FLAG_CREATE creates the folder and
# CSIDL_FLAG_DONT_VERIFY skips the existence check; confirm the exact
# semantics in the Win32 docs before relying on either.
CSIDL_FLAG_PER_USER_INIT = 0x0800
CSIDL_FLAG_NO_ALIAS = 0x1000
CSIDL_FLAG_DONT_VERIFY = 0x4000
CSIDL_FLAG_CREATE = 0x8000

CSIDL_FLAG_MASK = 0xff00

#--- Structures ---------------------------------------------------------------

# C declaration of SHELLEXECUTEINFO, kept for reference; the ctypes class
# follows it.
# typedef struct _SHELLEXECUTEINFO {
#   DWORD cbSize;
#   ULONG fMask;
#   HWND hwnd;
#   LPCTSTR lpVerb;
#   LPCTSTR lpFile;
#   LPCTSTR lpParameters;
#   LPCTSTR lpDirectory;
#   int nShow;
#   HINSTANCE hInstApp;
#   LPVOID lpIDList;
#   LPCTSTR lpClass;
#   HKEY hkeyClass;
#   DWORD dwHotKey;
#   union {
#     HANDLE hIcon;
#     HANDLE hMonitor;
#   } DUMMYUNIONNAME;
#   HANDLE
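# hProcess;
# } SHELLEXECUTEINFO, *LPSHELLEXECUTEINFO;

class SHELLEXECUTEINFO(Structure):
    """
    ctypes image of the SHELLEXECUTEINFO structure, ANSI flavour (the string
    members are LPSTR); passed by reference to ShellExecuteExA.

    The C struct keeps hIcon and hMonitor in a union. Only hIcon is a real
    member here; hMonitor is a property that aliases it, so the binary
    layout matches the union without a nested ctypes Union.
    """
    _fields_ = [
        ("cbSize",       DWORD),
        ("fMask",        ULONG),
        ("hwnd",         HWND),
        ("lpVerb",       LPSTR),
        ("lpFile",       LPSTR),
        ("lpParameters", LPSTR),
        ("lpDirectory",  LPSTR),
        ("nShow",        ctypes.c_int),
        ("hInstApp",     HINSTANCE),
        ("lpIDList",     LPVOID),
        ("lpClass",      LPSTR),
        ("hkeyClass",    HKEY),
        ("dwHotKey",     DWORD),
        ("hIcon",        HANDLE),    # shares storage with hMonitor
        ("hProcess",     HANDLE),
    ]

    def __get_hMonitor(self):
        return self.hIcon
    def __set_hMonitor(self, hMonitor):
        self.hIcon = hMonitor
    hMonitor = property(__get_hMonitor, __set_hMonitor)

LPSHELLEXECUTEINFO = POINTER(SHELLEXECUTEINFO)

# ANSI / Unicode spellings of the structure. ShellExecuteEx() dispatches on
# SHELLEXECUTEINFOA / SHELLEXECUTEINFOW and the ShellExecuteExA/W prototypes
# use LPSHELLEXECUTEINFOA / LPSHELLEXECUTEINFOW, yet only the unsuffixed
# names were ever defined, so every ShellExecuteEx* call raised NameError.
# The ANSI names alias the struct above; the Unicode one mirrors it with
# LPWSTR members, like the other A/W structure pairs in this package.
SHELLEXECUTEINFOA   = SHELLEXECUTEINFO
LPSHELLEXECUTEINFOA = LPSHELLEXECUTEINFO

class SHELLEXECUTEINFOW(Structure):
    """
    Unicode flavour of SHELLEXECUTEINFO (string members are LPWSTR); passed
    by reference to ShellExecuteExW. Same hIcon/hMonitor union handling as
    the ANSI structure.
    """
    _fields_ = [
        ("cbSize",       DWORD),
        ("fMask",        ULONG),
        ("hwnd",         HWND),
        ("lpVerb",       LPWSTR),
        ("lpFile",       LPWSTR),
        ("lpParameters", LPWSTR),
        ("lpDirectory",  LPWSTR),
        ("nShow",        ctypes.c_int),
        ("hInstApp",     HINSTANCE),
        ("lpIDList",     LPVOID),
        ("lpClass",      LPWSTR),
        ("hkeyClass",    HKEY),
        ("dwHotKey",     DWORD),
        ("hIcon",        HANDLE),    # shares storage with hMonitor
        ("hProcess",     HANDLE),
    ]

    def __get_hMonitor(self):
        return self.hIcon
    def __set_hMonitor(self, hMonitor):
        self.hIcon = hMonitor
    hMonitor = property(__get_hMonitor, __set_hMonitor)

LPSHELLEXECUTEINFOW = POINTER(SHELLEXECUTEINFOW)

#--- shell32.dll --------------------------------------------------------------

def _check_hinstance_result(result):
    """
    Normalise and validate the HINSTANCE-typed status returned by the
    ShellExecute* and FindExecutable* prototypes.

    Those APIs overload HINSTANCE as an integer status: a value greater than
    32 means success, anything else is one of the SE_ERR_* codes above.
    Depending on how HINSTANCE is declared, ctypes may hand the value back
    as an int, as None (NULL) or as a pointer object, so it is first routed
    through c_void_p, which ctypes.cast() accepts for all three.

    The previous code did ctypes.cast(result, c_int), which ctypes rejects
    with TypeError because c_int is not a pointer type, so ShellExecuteA/W
    raised on every call (after the API had already run).

    @rtype:  int
    @return: The status value, always greater than 32.

    @raise WindowsError: The status is NULL or not greater than 32. For
        NULL the error number comes from GetLastError(); otherwise the
        SE_ERR_* code is used as the error number, as before.
    """
    value = ctypes.cast(result, ctypes.c_void_p).value
    if value is None or value <= 32:
        raise ctypes.WinError(value)
    return value

# LPWSTR *CommandLineToArgvW(
#   LPCWSTR lpCmdLine,
#   int *pNumArgs
# );
def CommandLineToArgvW(lpCmdLine):
    """
    Split a command line into its argument list, Unicode version.

    @type  lpCmdLine: unicode
    @param lpCmdLine: Command line to split. An empty or false value is
        passed as NULL, which makes the API split the command line of the
        current process instead.

    @rtype:  list(unicode)
    @return: The arguments, in order.

    @raise WindowsError: The call failed or produced no arguments.
    """
    _CommandLineToArgvW = windll.shell32.CommandLineToArgvW
    _CommandLineToArgvW.argtypes = [LPVOID, POINTER(ctypes.c_int)]
    _CommandLineToArgvW.restype = LPVOID

    if not lpCmdLine:
        lpCmdLine = None
    argc = ctypes.c_int(0)
    # Call through the prototype configured above. The previous code called
    # ctypes.windll.shell32.CommandLineToArgvW directly, which only picks up
    # the argtypes/restype set here when it resolves to the same cached
    # function object.
    vptr = _CommandLineToArgvW(lpCmdLine, byref(argc))
    if vptr == NULL:
        raise ctypes.WinError()
    try:
        argc = argc.value
        if argc <= 0:
            raise ctypes.WinError()
        argv = ctypes.cast(vptr, ctypes.POINTER(LPWSTR * argc))
        argv = [argv.contents[i] for i in range(argc)]
    finally:
        # The argument block is allocated by the API; release it on both
        # the success and the error path.
        LocalFree(vptr)
    return argv

def CommandLineToArgvA(lpCmdLine):
    """
    Split a command line into its argument list, ANSI version.

    Implemented on top of CommandLineToArgvW: an ANSI input is widened, the
    Unicode version is called and every argument is narrowed back.

    @type  lpCmdLine: str
    @param lpCmdLine: Command line to split (unicode is passed through
        unchanged).

    @rtype:  list(str)
    @return: The arguments, in order.

    @raise WindowsError: The call failed or produced no arguments.
    """
    t_ansi = GuessStringType.t_ansi
    t_unicode = GuessStringType.t_unicode
    if isinstance(lpCmdLine, t_ansi):
        cmdline = t_unicode(lpCmdLine)
    else:
        cmdline = lpCmdLine
    return [t_ansi(x) for x in CommandLineToArgvW(cmdline)]

CommandLineToArgv = GuessStringType(CommandLineToArgvA, CommandLineToArgvW)

# HINSTANCE ShellExecute(
#   HWND hwnd,
#   LPCTSTR lpOperation,
#   LPCTSTR lpFile,
#   LPCTSTR lpParameters,
#   LPCTSTR lpDirectory,
#   INT nShowCmd
# );
def ShellExecuteA(hwnd = None, lpOperation = None, lpFile = None, lpParameters = None, lpDirectory = None, nShowCmd = None):
    """
    Thin wrapper for ShellExecuteA.

    Every argument is handed to the API as given (a None or false nShowCmd
    becomes 0); nothing is quoted or escaped here, so lpFile and
    lpParameters should not be assembled from untrusted input by the caller.

    @type  hwnd: int
    @param hwnd: Owner window handle, or None.
    @type  lpOperation: str
    @param lpOperation: Verb string, or None.
    @type  lpFile: str
    @param lpFile: File or object to act on.
    @type  lpParameters: str
    @param lpParameters: Parameter string, or None.
    @type  lpDirectory: str
    @param lpDirectory: Working directory, or None.
    @type  nShowCmd: int
    @param nShowCmd: Show command; None or 0 is passed as 0.

    @raise WindowsError: The API reported a status not greater than 32.
    """
    _ShellExecuteA = windll.shell32.ShellExecuteA
    _ShellExecuteA.argtypes = [HWND, LPSTR, LPSTR, LPSTR, LPSTR, INT]
    _ShellExecuteA.restype = HINSTANCE

    if not nShowCmd:
        nShowCmd = 0
    result = _ShellExecuteA(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd)
    _check_hinstance_result(result)

def ShellExecuteW(hwnd = None, lpOperation = None, lpFile = None, lpParameters = None, lpDirectory = None, nShowCmd = None):
    """
    Thin wrapper for ShellExecuteW. Same contract as ShellExecuteA with
    unicode strings.

    @raise WindowsError: The API reported a status not greater than 32.
    """
    _ShellExecuteW = windll.shell32.ShellExecuteW
    _ShellExecuteW.argtypes = [HWND, LPWSTR, LPWSTR, LPWSTR, LPWSTR, INT]
    _ShellExecuteW.restype = HINSTANCE

    if not nShowCmd:
        nShowCmd = 0
    result = _ShellExecuteW(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd)
    _check_hinstance_result(result)

ShellExecute = GuessStringType(ShellExecuteA, ShellExecuteW)

# BOOL ShellExecuteEx(
#   __inout LPSHELLEXECUTEINFO lpExecInfo
# );
def ShellExecuteEx(lpExecInfo):
    """
    Dispatch to ShellExecuteExA or ShellExecuteExW according to the type of
    the structure passed in.

    @type  lpExecInfo: SHELLEXECUTEINFOA or SHELLEXECUTEINFOW
    @param lpExecInfo: Filled-in structure; updated in place by the API.

    @raise TypeError: lpExecInfo is neither structure type.
    @raise WindowsError: The API returned FALSE.
    """
    if isinstance(lpExecInfo, SHELLEXECUTEINFOA):
        ShellExecuteExA(lpExecInfo)
    elif isinstance(lpExecInfo, SHELLEXECUTEINFOW):
        ShellExecuteExW(lpExecInfo)
    else:
        raise TypeError("Expected SHELLEXECUTEINFOA or SHELLEXECUTEINFOW, got %s instead" % type(lpExecInfo))

def ShellExecuteExA(lpExecInfo):
    """
    ANSI ShellExecuteEx.

    cbSize is the structure-size member; when the caller left it at 0 it is
    filled in with the size of the structure, otherwise it is passed as is.

    @type  lpExecInfo: SHELLEXECUTEINFOA
    @param lpExecInfo: Structure to pass; updated in place by the API.

    @raise WindowsError: The API returned FALSE (via RaiseIfZero).
    """
    _ShellExecuteExA = windll.shell32.ShellExecuteExA
    _ShellExecuteExA.argtypes = [LPSHELLEXECUTEINFOA]
    _ShellExecuteExA.restype = BOOL
    _ShellExecuteExA.errcheck = RaiseIfZero

    if not lpExecInfo.cbSize:
        lpExecInfo.cbSize = ctypes.sizeof(lpExecInfo)
    _ShellExecuteExA(byref(lpExecInfo))

def ShellExecuteExW(lpExecInfo):
    """
    Unicode ShellExecuteEx. Same contract as ShellExecuteExA.

    @type  lpExecInfo: SHELLEXECUTEINFOW
    @param lpExecInfo: Structure to pass; updated in place by the API.

    @raise WindowsError: The API returned FALSE (via RaiseIfZero).
    """
    _ShellExecuteExW = windll.shell32.ShellExecuteExW
    _ShellExecuteExW.argtypes = [LPSHELLEXECUTEINFOW]
    _ShellExecuteExW.restype = BOOL
    _ShellExecuteExW.errcheck = RaiseIfZero

    if not lpExecInfo.cbSize:
        lpExecInfo.cbSize = ctypes.sizeof(lpExecInfo)
    _ShellExecuteExW(byref(lpExecInfo))

# HINSTANCE FindExecutable(
#   __in LPCTSTR lpFile,
#   __in_opt LPCTSTR lpDirectory,
#   __out LPTSTR lpResult
# );
def FindExecutableA(lpFile, lpDirectory = None):
    """
    Thin wrapper for FindExecutableA.

    @type  lpFile: str
    @param lpFile: File to look up.
    @type  lpDirectory: str
    @param lpDirectory: Optional default directory, or None.

    @rtype:  str
    @return: Whatever the API wrote into a MAX_PATH byte result buffer.

    @raise WindowsError: The API reported a status not greater than 32.
    """
    _FindExecutableA = windll.shell32.FindExecutableA
    _FindExecutableA.argtypes = [LPSTR, LPSTR, LPSTR]
    _FindExecutableA.restype = HINSTANCE

    lpResult = ctypes.create_string_buffer(MAX_PATH)
    result = _FindExecutableA(lpFile, lpDirectory, lpResult)
    _check_hinstance_result(result)
    return lpResult.value

def FindExecutableW(lpFile, lpDirectory = None):
    """
    Thin wrapper for FindExecutableW. Same contract as FindExecutableA with
    unicode strings and a MAX_PATH character result buffer.

    @rtype:  unicode
    @return: Whatever the API wrote into the result buffer.

    @raise WindowsError: The API reported a status not greater than 32.
    """
    _FindExecutableW = windll.shell32.FindExecutableW
    _FindExecutableW.argtypes = [LPWSTR, LPWSTR, LPWSTR]
    _FindExecutableW.restype = HINSTANCE

    lpResult = ctypes.create_unicode_buffer(MAX_PATH)
    result = _FindExecutableW(lpFile, lpDirectory, lpResult)
    _check_hinstance_result(result)
    return lpResult.value

FindExecutable = GuessStringType(FindExecutableA, FindExecutableW)

# HRESULT SHGetFolderPath(
#   __in HWND hwndOwner,
#   __in int nFolder,
#   __in HANDLE hToken,
#   __in DWORD dwFlags,
#   __out LPTSTR pszPath
# );
def SHGetFolderPathA(nFolder, hToken = None, dwFlags = SHGFP_TYPE_CURRENT):
    """
    Thin wrapper for SHGetFolderPathA.

    hwndOwner is always passed as NULL and the result buffer holds
    MAX_PATH + 1 bytes.

    @type  nFolder: int
    @param nFolder: Folder identifier (a CSIDL_* value, optionally OR'ed
        with CSIDL_FLAG_* bits).
    @type  hToken: int
    @param hToken: Token handle, or None to pass NULL.
    @type  dwFlags: int
    @param dwFlags: SHGFP_TYPE_CURRENT (default) or SHGFP_TYPE_DEFAULT.

    @rtype:  str
    @return: The folder path.

    @raise WindowsError: The HRESULT was not S_OK (via RaiseIfNotZero).
    """
    _SHGetFolderPathA = windll.shell32.SHGetFolderPathA # shfolder.dll in older win versions
    _SHGetFolderPathA.argtypes = [HWND, ctypes.c_int, HANDLE, DWORD, LPSTR]
    _SHGetFolderPathA.restype = HRESULT
    _SHGetFolderPathA.errcheck = RaiseIfNotZero # S_OK == 0

    pszPath = ctypes.create_string_buffer(MAX_PATH + 1)
    _SHGetFolderPathA(None, nFolder, hToken, dwFlags, pszPath)
    return pszPath.value

def SHGetFolderPathW(nFolder, hToken = None, dwFlags = SHGFP_TYPE_CURRENT):
    """
    Thin wrapper for SHGetFolderPathW. Same contract as SHGetFolderPathA
    with a MAX_PATH + 1 character result buffer.

    @rtype:  unicode
    @return: The folder path.

    @raise WindowsError: The HRESULT was not S_OK (via RaiseIfNotZero).
    """
    _SHGetFolderPathW = windll.shell32.SHGetFolderPathW # shfolder.dll in older win versions
    _SHGetFolderPathW.argtypes = [HWND, ctypes.c_int, HANDLE, DWORD, LPWSTR]
    _SHGetFolderPathW.restype = HRESULT
    _SHGetFolderPathW.errcheck = RaiseIfNotZero # S_OK == 0

    pszPath = ctypes.create_unicode_buffer(MAX_PATH + 1)
    _SHGetFolderPathW(None, nFolder, hToken, dwFlags, pszPath)
    return pszPath.value

SHGetFolderPath = DefaultStringType(SHGetFolderPathA, SHGetFolderPathW)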
| 366 | # BOOL IsUserAnAdmin(void); 367 | def IsUserAnAdmin(): 368 | # Supposedly, IsUserAnAdmin() is deprecated in Vista. 369 | # But I tried it on Windows 7 and it works just fine. 370 | _IsUserAnAdmin = windll.shell32.IsUserAnAdmin 371 | _IsUserAnAdmin.argtypes = [] 372 | _IsUserAnAdmin.restype = bool 373 | return _IsUserAnAdmin() 374 | 375 | #============================================================================== 376 | # This calculates the list of exported symbols. 377 | _all = set(vars().keys()).difference(_all) 378 | __all__ = [_x for _x in _all if not _x.startswith('_')] 379 | __all__.sort() 380 | #============================================================================== 381 | -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/win32/shell32.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/shell32.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/win32/shlwapi.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/shlwapi.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/win32/user32.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/user32.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/win32/version.pyc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/version.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/win32/wtsapi32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | # Copyright (c) 2009-2016, Mario Vilas 5 | # All rights reserved. 6 | # 7 | # Redistribution and use in source and binary forms, with or without 8 | # modification, are permitted provided that the following conditions are met: 9 | # 10 | # * Redistributions of source code must retain the above copyright notice, 11 | # this list of conditions and the following disclaimer. 12 | # * Redistributions in binary form must reproduce the above copyright 13 | # notice,this list of conditions and the following disclaimer in the 14 | # documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the copyright holder nor the names of its 16 | # contributors may be used to endorse or promote products derived from 17 | # this software without specific prior written permission. 18 | # 19 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 20 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 | # ARE DISCLAIMED. 
# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

"""
Wrapper for wtsapi32.dll in ctypes.

Only a subset of the Terminal Services API is covered: process enumeration
and termination, the WTS_INFO_CLASS / WTS_CONNECTSTATE_CLASS enums, and the
two session-id helpers that are exported from kernel32.dll. Several
structures and WTSQuerySessionInformation are still marked XXX TODO.
"""

from defines import *
from advapi32 import *   # presumably where PSID (used below) comes from

#==============================================================================
# This is used later on to calculate the list of exported symbols.
_all = None
_all = set(vars().keys())
#==============================================================================

#--- Constants ----------------------------------------------------------------

# WTS_CURRENT_SERVER_HANDLE is the default hServer of the
# WTSEnumerateProcesses* wrappers further down.
WTS_CURRENT_SERVER_HANDLE = 0
WTS_CURRENT_SESSION = 1

#--- WTS_PROCESS_INFO structure -----------------------------------------------

# typedef struct _WTS_PROCESS_INFO {
#   DWORD SessionId;
#   DWORD ProcessId;
#   LPTSTR pProcessName;
#   PSID pUserSid;
# } WTS_PROCESS_INFO, *PWTS_PROCESS_INFO;

# ANSI and Unicode images of WTS_PROCESS_INFO; they differ only in the
# pProcessName string type. The pointer types are what the
# WTSEnumerateProcessesA/W prototypes receive and hand back.
# NOTE(review): the buffer those calls return is API-allocated and is
# presumably meant to be released with WTSFreeMemory -- confirm.
class WTS_PROCESS_INFOA(Structure):
    _fields_ = [
        ("SessionId",    DWORD),
        ("ProcessId",    DWORD),
        ("pProcessName", LPSTR),
        ("pUserSid",     PSID),
    ]
PWTS_PROCESS_INFOA = POINTER(WTS_PROCESS_INFOA)

class WTS_PROCESS_INFOW(Structure):
    _fields_ = [
        ("SessionId",    DWORD),
        ("ProcessId",    DWORD),
        ("pProcessName", LPWSTR),
        ("pUserSid",     PSID),
    ]
PWTS_PROCESS_INFOW = POINTER(WTS_PROCESS_INFOW)

#--- WTSQuerySessionInformation enums and structures --------------------------

# typedef enum _WTS_INFO_CLASS {
#   WTSInitialProgram = 0,
#   WTSApplicationName = 1,
#   WTSWorkingDirectory = 2,
#   WTSOEMId = 3,
#   WTSSessionId = 4,
#   WTSUserName = 5,
#   WTSWinStationName = 6,
#   WTSDomainName = 7,
#   WTSConnectState = 8,
#   WTSClientBuildNumber = 9,
#   WTSClientName = 10,
#   WTSClientDirectory = 11,
#   WTSClientProductId = 12,
#   WTSClientHardwareId = 13,
#   WTSClientAddress = 14,
#   WTSClientDisplay = 15,
#   WTSClientProtocolType = 16,
#   WTSIdleTime = 17,
#   WTSLogonTime = 18,
#   WTSIncomingBytes = 19,
#   WTSOutgoingBytes = 20,
#   WTSIncomingFrames = 21,
#   WTSOutgoingFrames = 22,
#   WTSClientInfo = 23,
#   WTSSessionInfo = 24,
#   WTSSessionInfoEx = 25,
#   WTSConfigInfo = 26,
#   WTSValidationInfo = 27,
#   WTSSessionAddressV4 = 28,
#   WTSIsRemoteSession = 29
# } WTS_INFO_CLASS;

# Members of the WTS_INFO_CLASS enum, i.e. the WTSInfoClass argument of
# WTSQuerySessionInformation (see its prototype comment further down; the
# wrapper itself is still a TODO).
WTSInitialProgram = 0
WTSApplicationName = 1
WTSWorkingDirectory = 2
WTSOEMId = 3
WTSSessionId = 4
WTSUserName = 5
WTSWinStationName = 6
WTSDomainName = 7
WTSConnectState = 8
WTSClientBuildNumber = 9
WTSClientName = 10
WTSClientDirectory = 11
WTSClientProductId = 12
WTSClientHardwareId = 13
WTSClientAddress = 14
WTSClientDisplay = 15
WTSClientProtocolType = 16
WTSIdleTime = 17
WTSLogonTime = 18
WTSIncomingBytes = 19
WTSOutgoingBytes = 20
WTSIncomingFrames = 21
WTSOutgoingFrames = 22
WTSClientInfo = 23
WTSSessionInfo = 24
WTSSessionInfoEx = 25
WTSConfigInfo = 26
WTSValidationInfo = 27
WTSSessionAddressV4 = 28
WTSIsRemoteSession = 29

# The enum is marshalled as a plain C int.
WTS_INFO_CLASS = ctypes.c_int

# typedef enum _WTS_CONNECTSTATE_CLASS {
#   WTSActive,
#   WTSConnected,
#   WTSConnectQuery,
#   WTSShadow,
#   WTSDisconnected,
#   WTSIdle,
#   WTSListen,
#   WTSReset,
#   WTSDown,
#   WTSInit
# } WTS_CONNECTSTATE_CLASS;

# Members of the WTS_CONNECTSTATE_CLASS enum (the State member of the
# WTSINFO structure declared below), numbered in declaration order.
WTSActive = 0
WTSConnected = 1
WTSConnectQuery = 2
WTSShadow = 3
WTSDisconnected = 4
WTSIdle = 5
WTSListen = 6
WTSReset = 7
WTSDown = 8
WTSInit = 9

# The enum is marshalled as a plain C int.
WTS_CONNECTSTATE_CLASS = ctypes.c_int

# typedef struct _WTS_CLIENT_DISPLAY {
#   DWORD HorizontalResolution;
#   DWORD VerticalResolution;
#   DWORD ColorDepth;
# } WTS_CLIENT_DISPLAY, *PWTS_CLIENT_DISPLAY;
class WTS_CLIENT_DISPLAY(Structure):
    """
    ctypes image of WTS_CLIENT_DISPLAY: three DWORDs, no padding concerns.
    """
    _fields_ = [
        ("HorizontalResolution", DWORD),
        ("VerticalResolution",   DWORD),
        ("ColorDepth",           DWORD),
    ]
PWTS_CLIENT_DISPLAY = POINTER(WTS_CLIENT_DISPLAY)

# typedef struct _WTS_CLIENT_ADDRESS {
#   DWORD AddressFamily;
#   BYTE Address[20];
# } WTS_CLIENT_ADDRESS, *PWTS_CLIENT_ADDRESS;

# XXX TODO

# typedef struct _WTSCLIENT {
#   WCHAR ClientName[CLIENTNAME_LENGTH + 1];
#   WCHAR Domain[DOMAIN_LENGTH + 1 ];
#   WCHAR UserName[USERNAME_LENGTH + 1];
#   WCHAR WorkDirectory[MAX_PATH + 1];
#   WCHAR InitialProgram[MAX_PATH + 1];
#   BYTE EncryptionLevel;
#   ULONG ClientAddressFamily;
#   USHORT ClientAddress[CLIENTADDRESS_LENGTH + 1];
#   USHORT HRes;
#   USHORT VRes;
#   USHORT ColorDepth;
#   WCHAR ClientDirectory[MAX_PATH + 1];
#   ULONG ClientBuildNumber;
#   ULONG ClientHardwareId;
#   USHORT ClientProductId;
#   USHORT OutBufCountHost;
#   USHORT OutBufCountClient;
#   USHORT OutBufLength;
#   WCHAR DeviceId[MAX_PATH + 1];
# } WTSCLIENT, *PWTSCLIENT;

# XXX TODO

# typedef struct _WTSINFO {
#   WTS_CONNECTSTATE_CLASS State;
#   DWORD SessionId;
#   DWORD IncomingBytes;
#   DWORD OutgoingBytes;
#   DWORD IncomingCompressedBytes;
#   DWORD OutgoingCompressedBytes;
221 | # WCHAR WinStationName; 222 | # WCHAR Domain; 223 | # WCHAR UserName; 224 | # LARGE_INTEGER ConnectTime; 225 | # LARGE_INTEGER DisconnectTime; 226 | # LARGE_INTEGER LastInputTime; 227 | # LARGE_INTEGER LogonTime; 228 | # LARGE_INTEGER CurrentTime; 229 | # } WTSINFO, *PWTSINFO; 230 | 231 | # XXX TODO 232 | 233 | # typedef struct _WTSINFOEX { 234 | # DWORD Level; 235 | # WTSINFOEX_LEVEL Data; 236 | # } WTSINFOEX, *PWTSINFOEX; 237 | 238 | # XXX TODO 239 | 240 | #--- wtsapi32.dll ------------------------------------------------------------- 241 | 242 | # void WTSFreeMemory( 243 | # __in PVOID pMemory 244 | # ); 245 | def WTSFreeMemory(pMemory): 246 | _WTSFreeMemory = windll.wtsapi32.WTSFreeMemory 247 | _WTSFreeMemory.argtypes = [PVOID] 248 | _WTSFreeMemory.restype = None 249 | _WTSFreeMemory(pMemory) 250 | 251 | # BOOL WTSEnumerateProcesses( 252 | # __in HANDLE hServer, 253 | # __in DWORD Reserved, 254 | # __in DWORD Version, 255 | # __out PWTS_PROCESS_INFO *ppProcessInfo, 256 | # __out DWORD *pCount 257 | # ); 258 | def WTSEnumerateProcessesA(hServer = WTS_CURRENT_SERVER_HANDLE): 259 | _WTSEnumerateProcessesA = windll.wtsapi32.WTSEnumerateProcessesA 260 | _WTSEnumerateProcessesA.argtypes = [HANDLE, DWORD, DWORD, POINTER(PWTS_PROCESS_INFOA), PDWORD] 261 | _WTSEnumerateProcessesA.restype = bool 262 | _WTSEnumerateProcessesA.errcheck = RaiseIfZero 263 | 264 | pProcessInfo = PWTS_PROCESS_INFOA() 265 | Count = DWORD(0) 266 | _WTSEnumerateProcessesA(hServer, 0, 1, byref(pProcessInfo), byref(Count)) 267 | return pProcessInfo, Count.value 268 | 269 | def WTSEnumerateProcessesW(hServer = WTS_CURRENT_SERVER_HANDLE): 270 | _WTSEnumerateProcessesW = windll.wtsapi32.WTSEnumerateProcessesW 271 | _WTSEnumerateProcessesW.argtypes = [HANDLE, DWORD, DWORD, POINTER(PWTS_PROCESS_INFOW), PDWORD] 272 | _WTSEnumerateProcessesW.restype = bool 273 | _WTSEnumerateProcessesW.errcheck = RaiseIfZero 274 | 275 | pProcessInfo = PWTS_PROCESS_INFOW() 276 | Count = DWORD(0) 277 | 
_WTSEnumerateProcessesW(hServer, 0, 1, byref(pProcessInfo), byref(Count)) 278 | return pProcessInfo, Count.value 279 | 280 | WTSEnumerateProcesses = DefaultStringType(WTSEnumerateProcessesA, WTSEnumerateProcessesW) 281 | 282 | # BOOL WTSTerminateProcess( 283 | # __in HANDLE hServer, 284 | # __in DWORD ProcessId, 285 | # __in DWORD ExitCode 286 | # ); 287 | def WTSTerminateProcess(hServer, ProcessId, ExitCode): 288 | _WTSTerminateProcess = windll.wtsapi32.WTSTerminateProcess 289 | _WTSTerminateProcess.argtypes = [HANDLE, DWORD, DWORD] 290 | _WTSTerminateProcess.restype = bool 291 | _WTSTerminateProcess.errcheck = RaiseIfZero 292 | _WTSTerminateProcess(hServer, ProcessId, ExitCode) 293 | 294 | # BOOL WTSQuerySessionInformation( 295 | # __in HANDLE hServer, 296 | # __in DWORD SessionId, 297 | # __in WTS_INFO_CLASS WTSInfoClass, 298 | # __out LPTSTR *ppBuffer, 299 | # __out DWORD *pBytesReturned 300 | # ); 301 | 302 | # XXX TODO 303 | 304 | #--- kernel32.dll ------------------------------------------------------------- 305 | 306 | # I've no idea why these functions are in kernel32.dll instead of wtsapi32.dll 307 | 308 | # BOOL ProcessIdToSessionId( 309 | # __in DWORD dwProcessId, 310 | # __out DWORD *pSessionId 311 | # ); 312 | def ProcessIdToSessionId(dwProcessId): 313 | _ProcessIdToSessionId = windll.kernel32.ProcessIdToSessionId 314 | _ProcessIdToSessionId.argtypes = [DWORD, PDWORD] 315 | _ProcessIdToSessionId.restype = bool 316 | _ProcessIdToSessionId.errcheck = RaiseIfZero 317 | 318 | dwSessionId = DWORD(0) 319 | _ProcessIdToSessionId(dwProcessId, byref(dwSessionId)) 320 | return dwSessionId.value 321 | 322 | # DWORD WTSGetActiveConsoleSessionId(void); 323 | def WTSGetActiveConsoleSessionId(): 324 | _WTSGetActiveConsoleSessionId = windll.kernel32.WTSGetActiveConsoleSessionId 325 | _WTSGetActiveConsoleSessionId.argtypes = [] 326 | _WTSGetActiveConsoleSessionId.restype = DWORD 327 | _WTSGetActiveConsoleSessionId.errcheck = RaiseIfZero 328 | return 
_WTSGetActiveConsoleSessionId() 329 | 330 | #============================================================================== 331 | # This calculates the list of exported symbols. 332 | _all = set(vars().keys()).difference(_all) 333 | __all__ = [_x for _x in _all if not _x.startswith('_')] 334 | __all__.sort() 335 | #============================================================================== 336 | -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/win32/wtsapi32.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/win32/wtsapi32.pyc -------------------------------------------------------------------------------- /ExtDepLibs/winappdbg/window.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/ExtDepLibs/winappdbg/window.pyc -------------------------------------------------------------------------------- /PopUpKiller.py: -------------------------------------------------------------------------------- 1 | ''' 2 | 3 | Copyright 2017 Debasish Mandal 4 | 5 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 8 | 9 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 10 | 11 | 3. 
Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 12 | 13 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 14 | 15 | ''' 16 | 17 | 18 | import sys 19 | try: 20 | sys.path.append('ExtDepLibs') 21 | import autoit 22 | except: 23 | print('[Error] pyautoit is not installed. Which is required to run this fuzzer (Error POPUp Killer). Install pyautoit First https://pypi.python.org/pypi/PyAutoIt/0.3') 24 | exit() 25 | from datetime import datetime 26 | class PopUpKiller: 27 | def __init__(self): 28 | None 29 | def POPUpKillerThread(self): 30 | print '[+] '+ datetime.now().strftime("%Y:%m:%d::%H:%M:%S") +' POP Up killer Thread started..' 
31 | while True: 32 | try: 33 | # MS Word 34 | if '' == autoit.win_get_text('Microsoft Word'): 35 | autoit.control_click("[Class:NUIDialog]", "Button2") 36 | if "Word found unreadable" in autoit.win_get_text('Microsoft Word'): 37 | autoit.control_click("[Class:#32770]", "Button1") 38 | if "This document contains fields that may refer to" in autoit.win_get_text('Microsoft Word'): 39 | autoit.control_click("[Class:#32770]", "Button1") 40 | if "You cannot close Microsoft Word because" in autoit.win_get_text('Microsoft Word'): 41 | autoit.control_click("[Class:#32770]", "Button1") 42 | if "caused a serious error the last time it was opened" in autoit.win_get_text('Microsoft Word'): 43 | autoit.control_click("[Class:#32770]", "Button1") 44 | if "Word failed to start correctly last time" in autoit.win_get_text('Microsoft Word'): 45 | autoit.control_click("[Class:#32770]", "Button2") 46 | if "This file was created in a pre-release version" in autoit.win_get_text('Microsoft Word'): 47 | autoit.control_click("[Class:#32770]", "Button1") 48 | if "The program used to create this object is" in autoit.win_get_text('Microsoft Word'): 49 | autoit.control_click("[Class:#32770]", "Button1") 50 | if "Word experienced an error trying to open the file" in autoit.win_get_text('Microsoft Word'): 51 | autoit.control_click("[Class:#32770]", "Button1") 52 | if "experienced an error trying to open the file" in autoit.win_get_text('Microsoft Word'): 53 | autoit.control_click("[Class:#32770]", "Button1") 54 | if "Word was unable to read this document" in autoit.win_get_text('Microsoft Word'): 55 | autoit.control_click("[Class:#32770]", "Button1") 56 | if "The last time you" in autoit.win_get_text('Microsoft Word'): 57 | autoit.control_click("[Class:#32770]", "Button1") 58 | if "" in autoit.win_get_text('Microsoft Word'): 59 | autoit.control_click("[Class:#32770]", "Button2") 60 | if "Safe mode could help you" in autoit.win_get_text('Microsoft Word'): 61 | 
autoit.control_click("[Class:#32770]", "Button2") 62 | if "You may continue opening it or perform" in autoit.win_get_text('Microsoft Word'): 63 | autoit.control_click("[Class:#32770]", "Button2") # Button2 Recover Data or Button1 Open 64 | 65 | # MS Excel 66 | if "Word found unreadable" in autoit.win_get_text('Microsoft Excel'): 67 | autoit.control_click("[Class:#32770]", "Button1") 68 | if "You cannot close Microsoft Word because" in autoit.win_get_text('Microsoft Excel'): 69 | autoit.control_click("[Class:#32770]", "Button1") 70 | if "caused a serious error the last time it was opened" in autoit.win_get_text('Microsoft Excel'): 71 | autoit.control_click("[Class:#32770]", "Button1") 72 | if "Word failed to start correctly last time" in autoit.win_get_text('Microsoft Excel'): 73 | autoit.control_click("[Class:#32770]", "Button2") 74 | if "This file was created in a pre-release version" in autoit.win_get_text('Microsoft Excel'): 75 | autoit.control_click("[Class:#32770]", "Button1") 76 | if "The program used to create this object is" in autoit.win_get_text('Microsoft Excel'): 77 | autoit.control_click("[Class:#32770]", "Button1") 78 | if "because the file format or file extension is not valid" in autoit.win_get_text('Microsoft Excel'): 79 | autoit.control_click("[Class:#32770]", "Button1") 80 | if "The file you are trying to open" in autoit.win_get_text('Microsoft Excel'): 81 | autoit.control_click("[Class:#32770]", "Button1") 82 | if "The file may be corrupted" in autoit.win_get_text('Microsoft Excel'): 83 | autoit.control_click("[Class:#32770]", "Button2") 84 | if "The last time you" in autoit.win_get_text('Microsoft Excel'): 85 | autoit.control_click("[Class:#32770]", "Button1") 86 | if "We found" in autoit.win_get_text('Microsoft Excel'): 87 | autoit.control_click("[Class:#32770]", "Button1") 88 | 89 | #PPT 90 | if "The last time you" in autoit.win_get_text('Microsoft PowerPoint'): 91 | autoit.control_click("[Class:#32770]", "Button1") 92 | if "PowerPoint found 
a problem with content" in autoit.win_get_text('Microsoft PowerPoint'): 93 | autoit.control_click("[Class:#32770]", "Button1") 94 | if "read some content" in autoit.win_get_text('Microsoft PowerPoint'): 95 | autoit.control_click("[Class:#32770]", "Button1") 96 | if "Sorry" in autoit.win_get_text('Microsoft PowerPoint'): 97 | autoit.control_click("[Class:#32770]", "Button1") 98 | if "PowerPoint" in autoit.win_get_text('Microsoft PowerPoint'): 99 | autoit.control_click("[Class:#32770]", "Button1") 100 | if "is not supported" in autoit.win_get_text('SmartArt Graphics'): 101 | autoit.control_click("[Class:#32770]", "Button2") 102 | if "Safe mode" in autoit.win_get_text('Microsoft PowerPoint'): 103 | autoit.control_click("[Class:#32770]", "Button2") # Button2 Recover Data or Button1 Open 104 | 105 | 106 | 107 | # XPS Viewer 108 | if "Close" in autoit.win_get_text('XPS Viewer'): 109 | autoit.control_click("[Class:#32770]", "Button1") 110 | if "XPS" in autoit.win_get_text('XPS Viewer'): 111 | autoit.control_click("[Class:#32770]", "Button1") 112 | autoit.win_close('[CLASS:bosa_sdm_msword]') 113 | except: 114 | pass 115 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Word Quick Fuzzer v 1.0 2 | ======================= 3 | 4 | $$\ $$\ $$$$$$$$\ 5 | $$$\ $$$ | $$ _____| 6 | $$$$\ $$$$ | $$$$$$\ $$ | 7 | $$\$$\$$ $$ |$$ __$$\ $$$$$\ 8 | $$ \$$$ $$ |$$ / $$ |$$ __| 9 | $$ |\$ /$$ |$$ | $$ |$$ | 10 | $$ | \_/ $$ |\$$$$$$$ |$$ | 11 | \__| \__| \____$$ |\__| 12 | $$ | 13 | $$ | 14 | \__| 15 | 16 | 17 | Word Quick Fuzzer is a [Microsoft Quick Fields list](https://support.office.com/en-us/article/list-of-field-codes-in-word-1ad6d91a-55a7-4a8d-b535-cf7888659a51) fuzzer aiming for Word Quick Fields, written in Python. 
18 | 19 | 20 | Motivation 21 | ========================================= 22 | There has not yet been a fuzzer aimed specifically at Word Quick Fields. While this is somewhat of a niche, these fields pose a real risk, as the DDE attacks and similar field-based abuses have shown. 23 | 24 | Dependencies 25 | ================== 26 | MqF is written and tested on Python 2.7. It uses the following third-party libraries: 27 | 28 | 1. [winappdbg](https://github.com/MarioVilas/winappdbg) 29 | 30 | 31 | 2. [pyautoit](https://pypi.python.org/pypi/PyAutoIt/0.3) 32 | 33 | 3. [Domato](https://github.com/google/domato) 34 | 35 | Since we feed random yet valid data into the target application during fuzzing, the target application reacts in many different ways. During fuzzing it may report errors through various pop-up windows. To keep the fuzzing process going, the fuzzer must handle these pop-up error windows; MqF uses PyAutoIt to dismiss them. PyAutoIt is a Python binding for AutoItX3.dll. Note that the pop-up handler matches on window text and then blindly clicks a button in any dialog of class #32770, so it belongs on a dedicated fuzzing VM, not on a workstation where other dialogs may appear. 36 | 37 | 38 | 39 | Adding More POPUP / Error Window Handlers 40 | =============================================== 41 | 42 | The default PopUpKiller.py file shipped with Word Quick Fuzzer contains handlers for the most frequently occurring pop-up / error windows of MS Word, MS Excel and PowerPoint. Using the AutoIt Window Info tool (https://www.autoitscript.com/site/autoit/downloads/) you can add more POPUP / error window handlers to 'PopUpKiller.py'. 
43 | 44 | ![Example popup](https://github.com/VotiroLabs/Word-Quick-Fuzzer/blob/master/popuphandler.PNG) 45 | So, to handle the error pop-up window shown in the screenshot, the following lines need to be added to PopUpKiller.py: 46 | 47 | ```python 48 | if "PowerPoint found a problem with content" in autoit.win_get_text('Microsoft PowerPoint'): 49 | autoit.control_click("[Class:#32770]", "Button1") 50 | 51 | ``` 52 | 53 | How it works 54 | ============= 55 | MqF launches Word with this document and then keeps updating its Quick field through the COM Update method. 56 | - The reason I chose this method is that Word only has to be loaded once, saving a lot of process time. 57 | - The main thing to realize is that, unlike fuzzers that launch and close the program for each input, in MqF Word remains open and the document remains unchanged - the only thing that changes is the symbolic link, which points to a new input each time. 58 | - The provided files contain an auto-updating Quick field pointing to a symbolic link in the same directory. 59 | - For best performance, disable "Safe mode" and "Protected View". At the very least, make sure the document is "trusted" so it does not open in "Protected View" - this can be achieved by opening it once and "Enabling Content", or by editing its Zone.Identifier stream. Protected View is a security boundary that exists precisely to contain malformed documents like the ones this fuzzer generates: only disable it inside an isolated, disposable VM, never on a machine that opens real documents. 60 | 61 | If a crashing input is found, it is copied for further analysis and Word is relaunched to continue fuzzing. 62 | When all input files have been tested, we move on to the crash analysis phase, where Word is launched once per crashing file, reproducing the crash and recording what happened. 63 | It is at this stage that the "auto-updating" link becomes important - the PopUp module is configured to click "yes" on the auto-update prompt, effectively updating the link and causing Word to load the crashing input file. 
All the required libraries are distributed with this fuzzer in the 'ExtDepLibs/' folder (vendored copies of winappdbg, pyautoit and domato, plus prebuilt AutoItX3 DLLs and Au3Info.exe). Verify these vendored binaries and packages against their upstream releases before running them with elevated rights. 70 | 71 | Symbolic-link creation on Windows requires the "Create symbolic links" user right (SeCreateSymbolicLinkPrivilege). The simplest option is to run the fuzzer from an elevated (administrator) prompt, but keep in mind that the Word instance it launches - the process that parses the fuzzed inputs - then runs elevated too. Preferably grant that user right to a dedicated, non-admin fuzzing account (secpol.msc -> User Rights Assignment) and run everything inside an isolated VM. 72 | 73 | ~~~~ 74 | python fuzzHTML.py 75 | 76 | 77 | $$\ $$\ $$$$$$$$\ 78 | $$$\ $$$ | $$ _____| 79 | $$$$\ $$$$ | $$$$$$\ $$ | 80 | $$\$$\$$ $$ |$$ __$$\ $$$$$\ 81 | $$ \$$$ $$ |$$ / $$ |$$ __| 82 | $$ |\$ /$$ |$$ | $$ |$$ | 83 | $$ | \_/ $$ |\$$$$$$$ |$$ | 84 | \__| \__| \____$$ |\__| 85 | $$ | 86 | $$ | 87 | \__| 88 | 89 | MSWORD Quick Fields Fuzzing Framework. 90 | Author : Amit Dori (twitter.com/_AmitDori_) 91 | 92 | usage: HTMLfuzzer [-h] [-w WORD_FILE] [-r REF_FILE] [-n NUMBER_OF_FILES] 93 | [-i INPUTS_DIR] [-o OUTPUT_DIR] [-v] [-d] 94 | {analyze,fuzz} 95 | 96 | ~~~~ 97 | 98 | Basically, there are 2 modes of operation: analyze OR fuzz. This is the only required argument to the program. 99 | 100 | The rest are predefined (but can be user supplied as well): 101 | - -w WORD_FILE: which Word file to use, could be any format that Word can parse. 102 | - -r REF_FILE: what will be the name of the symbolic link file. 103 | - -n NUMBER_OF_FILES: number of HTML files to be generated by DOMATO. 104 | - -i INPUTS_DIR: directory to save generated HTML files. 105 | - -o OUTPUT_DIR: directory to save crashing HTML files for further analysis. 106 | - -v: verbose mode (logger on DEBUG). 107 | - -d: delete inputs at exit. 108 | 109 | ___________________________________________________________________________________ 110 | 111 | ~~~~ 112 | python fuzzPics.py 113 | 114 | 115 | $$\ $$\ $$$$$$$$\ 116 | $$$\ $$$ | $$ _____| 117 | $$$$\ $$$$ | $$$$$$\ $$ | 118 | $$\$$\$$ $$ |$$ __$$\ $$$$$\ 119 | $$ \$$$ $$ |$$ / $$ |$$ __| 120 | $$ |\$ /$$ |$$ | $$ |$$ | 121 | $$ | \_/ $$ |\$$$$$$$ |$$ | 122 | \__| \__| \____$$ |\__| 123 | $$ | 124 | $$ | 125 | \__| 126 | 127 | MSWORD Quick Fields Fuzzing Framework. 
128 | Author : Amit Dori (twitter.com/_AmitDori_) 129 | 130 | usage: ImageFuzzer [-h] [-w WORD_FILE] [-r REF_FILE] [-i INPUTS_DIR] 131 | [-o OUTPUT_DIR] [-v] [-d] 132 | {analyze,fuzz} inputs_dir 133 | ~~~~ 134 | 135 | Basically, there are 2 modes of operation: analyze OR fuzz. 136 | In addition, an inputs folder needs to be given - test this with [AFL generated images](http://lcamtuf.coredump.cx/afl/demo/). 137 | 138 | The rest are predefined (but can be user supplied as well): 139 | - -w WORD_FILE: which Word file to use, could be any format that Word can parse. 140 | - -r REF_FILE: what will be the name of the symbolic link file. 141 | - -o OUTPUT_DIR: directory to save crashing image files for further analysis. 142 | - -v: verbose mode (logger on DEBUG). 143 | - -d: delete inputs at exit. 144 | 145 | 146 | Since MqF supports custom user files, you need to take care of the following: 147 | 1. Create a document in Word, insert a Quick field of type INCLUDETEXT/INCLUDEPICTURE and point it to a non-existent html/image file path. 148 | - This non-existent file path should be provided to MqF in the "-r" argument, as it will become the generated symbolic link. 149 | 2. Open the document with an archive unpacker and edit "word\document.xml": look for the field-begin tag and add w:dirty="true" -> it should look like this: `<w:fldChar w:fldCharType="begin" w:dirty="true"/>` 150 | 3. Exit the text editor and make sure the edits are saved back into the document. Now you can supply its path to MqF in the "-w" argument. 151 | 152 | 153 | A Few More Points about Word Quick Fuzzer: 154 | ====================================== 155 | 1. Fuzzing Efficiency: 156 | To maximize fuzzing efficiency, Word is loaded once and the refresh is done through COM and symbolic links. Once it crashes, Word is relaunched and the process continues. 157 | 158 | 2. Hybrid approach: 159 | At the moment, the fuzzer is hybrid in the sense that it first generates all inputs and then feeds them into Word, keeping track of crashing inputs. 
Only when all inputs have finished, it moves forward to analyze each crash. 160 | It operates in this way as I was having some issues utilizing a debugger alongside COM control, so we got COM control (at the input testing stage) -> debugger control (at the crash analysis stage). 161 | 162 | 163 | TODO 164 | ======= 165 | 1. TODO: timeout mechanizm for the COM Update? 166 | 2. ISSUE: A race condition occurs sometimes between COM and the debugger, causing the "Update" to do nothing. It's somehow related to Word loosing focus. 167 | 3. TODO: create a "not-responding" guarding thread. 168 | 4. TODO: Add workers for HTML/Image generation and feeding the queue. continous fuzzing. 169 | 5. TODO: Add injection of refFile to supplied wordFile. 170 | 6. TODO: Improve HTML generation [incorporate in fuzzer process or continue in seperate process with different configuration]. 171 | 172 | 173 | 174 | Author 175 | ============= 176 | [Amit Dori](https://twitter.com/_AmitDori_), Security Researcher at Votiro. 
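177 | 178 | 179 | Inspiration for this tool 180 | ========================= 181 | - Based on [OpenXMolar]( https://github.com/debasishm89/OpenXMolar) by [Debasish Mandal](https://twitter.com/debasishm89) 182 | - [Domato](https://github.com/google/domato) by [Ivan Fratric](ifratric@google.com) -------------------------------------------------------------------------------- /fuzzHTML.py: --------------------------------------------------------------------------------
import os
import sys
import subprocess
import logging
import Queue
import signal
import thread
import threading
import argparse
import shutil
import atexit
from datetime import datetime
from time import sleep


sys.path.insert(0, './ExtDepLibs')
#from domato import generator
#Import win32com.client and winappdbg
from PopUpKiller import PopUpKiller


def setupLogger():
    """Return the shared 'logger' logger, configured at INFO (DEBUG with -v)."""
    logging.basicConfig()
    logger = logging.getLogger('logger')
    logger.setLevel(logging.INFO)
    return logger


# Create the logger before the import guards: it used to be assigned only in
# __main__, so a missing dependency raised NameError instead of the hint below.
logger = setupLogger()

try:
    import win32com.client, win32com
except Exception:
    logger.error('win32com.client could not be imported. Try installing it using `pip install pypiwin32`', exc_info=True)
    sys.exit(1)

try:
    from winappdbg import Crash, win32, Debug
except Exception:
    logger.error('winappdbg could not be imported. Try installing it using `pip install winappdbg`', exc_info=True)
    sys.exit(1)

try:
    import autoit
except Exception:
    print('[Error] pyautoit is not installed. Which is required to run this fuzzer (Error POPUp Killer). Install pyautoit First https://pypi.python.org/pypi/PyAutoIt/0.3')
    sys.exit(1)


threads = []
IMAGE_NAME = "WINWORD.EXE"
OFFICE_VERSION = "16"

# PROGRAMFILES(X86) exists only on 64-bit Windows; the 32-bit Office build is
# the documented target, so WINWORD.EXE is looked up under the x86 tree there.
if 'PROGRAMFILES(X86)' in os.environ:
    PROG_NAME = "C:\\Program Files (x86)\\Microsoft Office\\root\\Office{0}\\{1}".format(OFFICE_VERSION, IMAGE_NAME)
else:
    PROG_NAME = "C:\\Program Files\\Microsoft Office\\root\\Office{0}\\{1}".format(OFFICE_VERSION, IMAGE_NAME)

#PROG_ARGUMENTS = "/q"
crash_dir = os.getcwd() + "\\HTML_crashes\\"
inputs_dir = os.getcwd() + "\\HTML_inputs\\"
wordFile = os.getcwd() + "\\includetext.docx"
refFile = os.getcwd() + "\\1.html"
number_of_files = 1000
delete_inputs = False
APP_RUN_TIME = 30   # seconds a replayed crash may run in analyzeCrashes
DEBUGGER = 'winappdbg'
exec_count = 0

# CreateSymbolicLinkW flags (winbase.h).
SYMBOLIC_LINK_FLAG_DIRECTORY = 0x1
# Windows 10 1703+ with Developer Mode enabled accepts this flag from a
# non-elevated process; older builds fail with ERROR_INVALID_PARAMETER and the
# call is retried without it (the same fallback CPython's os.symlink uses).
SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE = 0x2
ERROR_INVALID_PARAMETER = 87


#Start fuzzing by creating a symlink, update etc. Needs administrator rights,
#SeCreateSymbolicLinkPrivilege, or Developer Mode (see the flag above).
def symlink(source, link_name):
    """Point the symbolic link `link_name` at `source` with CreateSymbolicLinkW.

    Returns 1 when `source` is a directory (callers skip those entries) and 0
    otherwise.  Exits the process when the link cannot be created, because
    every later Fields.Update() would otherwise silently re-read the previous
    input.
    """
    if os.name != "nt":
        return 0
    import ctypes
    kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
    csl = kernel32.CreateSymbolicLinkW
    csl.argtypes = (ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32)
    csl.restype = ctypes.c_ubyte
    flags = SYMBOLIC_LINK_FLAG_DIRECTORY if os.path.isdir(source) else 0
    target = source.replace('/', '\\')
    created = csl(link_name, target, flags | SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE)
    if not created and ctypes.get_last_error() == ERROR_INVALID_PARAMETER:
        created = csl(link_name, target, flags)
    if not created:
        logger.error('Could not create a symbolic link. please ensure Python has permissions to make symbolic links OR run the fuzzer with an administrator privileges (%s)', ctypes.WinError(ctypes.get_last_error()))
        sys.exit(1)
    return flags


def DeleteOfficeHistorty():
    """Delete Word's safe-mode and MRU registry entries so the next start is clean.

    Not called anywhere at the moment.  The original assigned the command
    string twice and only ran the second one; both keys are deleted now.
    """
    logger.debug('[+] Deleting Safe Mode Prompt Office History')
    keys = [
        ('HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\{0}.0\\Word\\Resiliency\\StartupItems'.format(OFFICE_VERSION), []),
        ('HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\{0}.0\\Word\\File MRU'.format(OFFICE_VERSION), ['/v', 'Item 1']),
    ]
    for key, extra in keys:
        # argument list, no shell: the key names contain spaces
        subprocess.call(['REG', 'DELETE', key] + extra + ['/f'])


def ForceKillOffice():
    '''
    In case debugger is unable to kill the half dead office process, we will try to kill it forcefully.
    Best effort: failures are logged at DEBUG and otherwise ignored.
    '''
    try:
        logger.debug('[+] %s Forcefully Killing Office Application', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"))
        with open(os.devnull, 'w') as devnull:
            subprocess.call(['taskkill', '/F', '/IM', IMAGE_NAME], stdout=devnull, stderr=devnull)
    except Exception:
        logger.debug('[-] taskkill failed', exc_info=True)


def AccessViolationHandlerWINAPPDBG(event):
    '''
    winappdbg event callback.  On a last-chance exception it stores the
    crashing input plus a full crash report under crash_dir/<exe>/<pc>/ and
    kills the debuggee so the fuzz loop can relaunch Word.
    '''
    global curr_input
    if event.get_event_code() != win32.EXCEPTION_DEBUG_EVENT or not event.is_last_chance():
        return
    crash = Crash(event)
    crash.fetch_extra_data(event)
    details = crash.fullReport(bShowNotes=True)
    # 32-bit Office is the documented target (Eip); fall back to Rip so a
    # 64-bit debuggee does not KeyError inside the exception handler.
    regs = crash.registers
    violation_addr = hex(regs['Eip'] if 'Eip' in regs else regs['Rip'])
    exe_name = os.path.basename(event.get_process().get_filename())
    # domato names inputs "fuzz-<n>.html"; keep the "<n>.html" part as before,
    # but do not raise IndexError on an input without a dash in its name.
    base = os.path.basename(curr_input)
    short = base.split('-', 1)[1] if '-' in base else base
    crashfilename = 'crash__' + short + '.' + curr_input.split('.')[-1]
    out_dir = os.path.join(crash_dir + exe_name, violation_addr)
    if not os.path.isdir(out_dir):
        os.makedirs(out_dir)
    shutil.copyfile(curr_input, os.path.join(out_dir, short))
    logger.info('[+] %s BOOM!! APP Crashed : Crash file Copied to %s', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"), os.path.join(exe_name, violation_addr, crashfilename))
    with open(os.path.join(out_dir, crashfilename + '.txt'), 'w') as syn:
        syn.write(details)
    logger.debug('[+] %s Killing half dead process', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"))
    try:
        event.get_process().kill()
    except Exception:
        ForceKillOffice()


def StillRunningWINAPPDBG(proc):
    '''
    Run as a thread from analyzeCrashes: kills `proc` after APP_RUN_TIME
    seconds so a replay that hangs does not block the analysis loop.
    '''
    sleep(APP_RUN_TIME)
    try:
        proc.kill()
    except Exception:
        ForceKillOffice()


def generateHTMLInputs(numOfInputs, queue, fuzzer_dir=None):
    '''
    Generate numOfInputs HTML files with the DOMATO generator into fuzzer_dir
    (default: the current inputs_dir) and put every file path on `queue`.
    An existing directory is reused as-is; nothing new is generated then.
    Runs synchronously despite the "Thread" wording in the log line.
    '''
    if fuzzer_dir is None:
        fuzzer_dir = inputs_dir   # resolved at call time so -i is honoured
    logger.debug('[+] %s HTML Thread started..', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"))
    if os.path.exists(fuzzer_dir):
        logger.debug('[+] %s %s exists, adding files to queue', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"), fuzzer_dir)
    else:
        logger.debug('[+] Creating ./{0} directory'.format(fuzzer_dir))
        os.mkdir(fuzzer_dir)
        # sys.executable instead of a bare "python": the generator must run
        # under the same interpreter the fuzzer was started with.
        subprocess.call([sys.executable, "./ExtDepLibs/domato/generator.py", "--output_dir", fuzzer_dir, "--no_of_files", str(numOfInputs)])
    for item in os.listdir(fuzzer_dir):
        queue.put(os.path.join(fuzzer_dir, item))


def pretty_print(count, char):
    """Progress marker: one `char` per input, with a counter prefix every 50."""
    if count == 1:
        sys.stdout.write('0: {0} '.format(char))
    elif count % 50 == 0:
        sys.stdout.write('\n{0}: {1} '.format(count, char))
    else:
        sys.stdout.write(char + ' ')
    sys.stdout.flush()


def wordGuard():
    '''Watches for Word hangs caused by Fields.Update(): polls tasklist every
    7 seconds for a "not responding" WINWORD.EXE.  Currently not started (the
    start_new_thread call in launchWord is commented out).'''

    while True:
        r = subprocess.check_output('tasklist /FI "IMAGENAME eq {0}" /FI "STATUS eq not responding"'.format(IMAGE_NAME))
        lines = [line.split() for line in 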
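r.splitlines()]
        # Only a row that names the image is a hang; the header, the "====="
        # rule and the "INFO: No tasks ..." notice from tasklist never match.
        for line in lines:
            if line and line[0].upper() == IMAGE_NAME:
                logger.debug('[!] %s is not responding, killing it', IMAGE_NAME)
                ForceKillOffice()
                break

        sleep(7)

def launchWord(queue):
    """Drive one Word session over the queued inputs.

    Word is started once under winappdbg and once more as a COM server; each
    input is then exposed through the `refFile` symlink and pulled in with
    Selection.Fields.Update().  Returns after the queue has been empty ten
    times in a row, or right after a crash/hang (fail_count == -1) so the
    caller can relaunch Word.
    """
    global exec_count, curr_input, event

    fail_count = 0
    logger.debug('[+] %s Word Thread started..', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"))
    word = win32com.client.DispatchEx("word.Application")
    logger.debug('[+] %s Using debugger : %s', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"), DEBUGGER)
    #wordGuard_tid = thread.start_new_thread(wordGuard, ())
    #cmd = [PROG_NAME, PROG_ARGUMENTS, wordFile]
    cmd = [PROG_NAME, wordFile]
    #logger.debug('[+] %s Executing : %s', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"), cmd)
    debug = Debug(AccessViolationHandlerWINAPPDBG, bKillOnExit=True)
    proc = debug.execv(cmd)
    # NOTE(review): loop() blocks until the debuggee exits; presumably the
    # freshly started WINWORD hands the document to the COM instance and
    # exits quickly -- confirm, the README mentions COM/debugger races.
    debug.loop()

    while 0 <= fail_count < 10:
        try:
            filename = queue.get(False)
        except Queue.Empty:
            fail_count += 1
            continue
        curr_input = '{0}'.format(filename)
        exec_count += 1
        try:
            logger.debug('[+] Generating symlink to {0}'.format(curr_input))
            if symlink(curr_input, refFile) == 1:  # directories are skipped
                continue

            try:
                logger.debug('[+] Updating Word via COM')
                if word.Selection.Fields.Update() == 0:  # 0: all fields updated
                    pretty_print(exec_count, '.')
            except Exception as e:
                # Best effort: a failure while recording a crash must not take
                # down the whole fuzz loop.
                try:
                    # pywintypes.com_error carries the Win32 message in its
                    # args; an RPC failure means the Word process is gone.
                    if 'The remote procedure call failed.' in str(e):
                        logger.debug('[!] We have a crash!')
                        pretty_print(exec_count, '!')
                        if not os.path.exists(crash_dir):
                            os.mkdir(crash_dir)
                        # shutil instead of `cp` through os.system: a stock
                        # Windows shell has no `cp`, and the input path is no
                        # longer interpolated into a command line.
                        shutil.copy(curr_input, crash_dir)
                        fail_count = -1
                    else:
                        logger.debug('[?] We have a hang?')
                        pretty_print(exec_count, '?')
                        ForceKillOffice()
                        fail_count = -1
                        sleep(2)
                except Exception:
                    logger.debug('[-] could not record crash/hang for {0}'.format(curr_input), exc_info=True)
        finally:
            logger.debug('[+] Removing symlink from {0}'.format(curr_input))
            queue.task_done()
            try:
                os.remove(refFile)
                sleep(0.1)
            except OSError:
                pass
    try:
        word.Quit()
        ForceKillOffice()
    except Exception:
        pass

def analyzeCrashes():
    """Replay every file in crash_dir under the debugger, one Word per file.

    Each replay is bounded by StillRunningWINAPPDBG (APP_RUN_TIME seconds);
    the PopUpKiller thread clicks through the auto-update prompt so Word
    follows the symlink to the crashing input.
    """
    global threads, curr_input

    if not os.path.exists(crash_dir):
        logger.info('[!] %s There are no crashing inputs to analyze!', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"))
        return

    if len(threads) == 0:
        popup = PopUpKiller()
        popup_tid = thread.start_new_thread(popup.POPUpKillerThread, ())
        threads.append(popup_tid)

    for name in os.listdir(crash_dir):
        try:
            curr_input = '{0}\\{1}'.format(crash_dir, name)
            logger.debug('[+] Generating symlink to {0}'.format(curr_input))
            if symlink(curr_input, refFile) == 1:  # per-exe report dirs, skip
                continue
            #cmd = [PROG_NAME, PROG_ARGUMENTS, wordFile]
            cmd = [PROG_NAME, wordFile]
            logger.debug('[+] %s Executing : %s', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"), cmd)
            debug = Debug(AccessViolationHandlerWINAPPDBG, bKillOnExit=True)
            proc = debug.execv(cmd)
            wordGuard_tid = thread.start_new_thread(StillRunningWINAPPDBG, (proc,))
            threads.append(wordGuard_tid)
            debug.loop()
        except Exception:
            logger.debug('[-] replay of {0} failed'.format(curr_input), exc_info=True)
        finally:
            try:
                logger.debug('[+] Removing symlink from {0}'.format(curr_input))
                os.remove(refFile)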
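# (tail of analyzeCrashes: the symlink may already be gone)
            except OSError:
                pass

def startFuzzing():
    """Generate inputs, push them all through launchWord, then analyze crashes."""
    global threads, curr_input
    q = Queue.Queue()

    logger.info('[+] %s Starting!', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"))
    # Runs synchronously despite the name: the queue is full when it returns.
    html_tid = generateHTMLInputs(number_of_files, q, fuzzer_dir=inputs_dir)
    popup = PopUpKiller()
    popup_tid = thread.start_new_thread(popup.POPUpKillerThread, ())
    threads.append(popup_tid)

    # launchWord returns after every crash/hang; keep relaunching Word until
    # the queue is drained.
    while not q.empty():
        #ForceKillOffice()
        #DeleteOfficeHistorty()
        launchWord(q)
    if not os.path.exists(crash_dir):
        sys.exit(0)

    analyzeCrashes()

@atexit.register
def cleanup(signum=None, frame=None):
    """Kill Word, drop the generated inputs (-d) and the symlink.

    Registered with atexit and as the SIGINT/SIGTERM handler.  Only the signal
    path exits explicitly: an atexit handler must not call exit() itself, or
    it ends up running twice.
    """
    try:
        ForceKillOffice()
    except Exception:
        pass
    if delete_inputs and os.path.exists(inputs_dir):
        shutil.rmtree(inputs_dir, False)
    # lexists: after -d removed the inputs the link dangles and exists() is
    # False, which used to leave the stale symlink behind.
    if os.path.lexists(refFile):
        os.remove(refFile)
    if signum is not None:
        sys.exit(0)



if __name__ == "__main__":
    banner = '''

    $$\ $$\ $$$$$$$$\ 
    $$$\ $$$ | $$ _____| 
    $$$$\ $$$$ | $$$$$$\ $$ | 
    $$\$$\$$ $$ |$$ __$$\ $$$$$\ 
    $$ \$$$ $$ |$$ / $$ |$$ __| 
    $$ |\$ /$$ |$$ | $$ |$$ | 
    $$ | \_/ $$ |\$$$$$$$ |$$ | 
    \__| \__| \____$$ |\__| 
    $$ | 
    $$ | 
    \__| 

    MSWORD Quick Fields Fuzzing Framework. 
    Author : Amit Dori (twitter.com/_AmitDori_)
    '''


    signal.signal(signal.SIGINT, cleanup)
    signal.signal(signal.SIGTERM, cleanup)

    print(banner)
    logger = setupLogger()
    parser = argparse.ArgumentParser(prog='HTMLfuzzer', description="Fuzzing Word INCLUDETEXT Field HTML capabilities")
    parser.add_argument("operation", choices=['analyze', 'fuzz'], help="Operation mode: analyze or fuzz")
    parser.add_argument("-w", "--word-file", help="Name of Word File to use")
    parser.add_argument("-r", "--ref-file", help="Name of Symbolic link file to use")
    parser.add_argument("-n", "--number-of-files", help="Number of HTML files to generate", type=int)
    parser.add_argument("-i", "--inputs-dir", help="Directory to save generate HTML files into")
    parser.add_argument("-o", "--output-dir", help="Directory to save crashing HTML files")
    parser.add_argument("-v", "--verbose", help="More info", action="store_true")
    parser.add_argument("-d", "--delete-arguments", help="Delete generated HTML files when done", action="store_true")
    args = parser.parse_args()

    if args.word_file: wordFile = args.word_file
    if args.ref_file: refFile = args.ref_file
    if args.number_of_files: number_of_files = args.number_of_files
    if args.inputs_dir: inputs_dir = args.inputs_dir
    if args.output_dir: crash_dir = args.output_dir
    if args.verbose: logger.setLevel(logging.DEBUG)
    if args.delete_arguments: delete_inputs = True

    if args.operation == "fuzz":
        # a stale link from an aborted run would point at the wrong input
        if os.path.lexists(refFile): os.remove(refFile)
        startFuzzing()
    elif args.operation == "analyze":
        analyzeCrashes()
    cleanup()

-------------------------------------------------------------------------------- /fuzzPics.py: --------------------------------------------------------------------------------
import os
import sys
import subprocess
import logging
import Queue
import signal
import thread
import threading
import argparse
import shutil
import atexit
from datetime import datetime
from time import sleep

sys.path.insert(0, './ExtDepLibs')
#from domato import generator
#Import win32com.client and winappdbg
from PopUpKiller import PopUpKiller


def setupLogger():
    """Return the shared 'logger' logger, configured at INFO (DEBUG with -v)."""
    logging.basicConfig()
    logger = logging.getLogger('logger')
    logger.setLevel(logging.INFO)
    return logger


# Create the logger before the import guards: it used to be assigned only in
# __main__, so a missing dependency raised NameError instead of the hint below.
logger = setupLogger()

try:
    import win32com.client, win32com
except Exception:
    logger.error('win32com.client could not be imported. Try installing it using `pip install pypiwin32`', exc_info=True)
    sys.exit(1)

try:
    from winappdbg import Crash, win32, Debug
except Exception:
    logger.error('winappdbg could not be imported. Try installing it using `pip install winappdbg`', exc_info=True)
    sys.exit(1)

try:
    import autoit
except Exception:
    print('[Error] pyautoit is not installed. Which is required to run this fuzzer (Error POPUp Killer). Install pyautoit First https://pypi.python.org/pypi/PyAutoIt/0.3')
    sys.exit(1)


threads = []
IMAGE_NAME = "WINWORD.EXE"
OFFICE_VERSION = "16"

# PROGRAMFILES(X86) exists only on 64-bit Windows; the 32-bit Office build is
# the documented target, so WINWORD.EXE is looked up under the x86 tree there.
if 'PROGRAMFILES(X86)' in os.environ:
    PROG_NAME = "C:\\Program Files (x86)\\Microsoft Office\\root\\Office{0}\\{1}".format(OFFICE_VERSION, IMAGE_NAME)
else:
    PROG_NAME = "C:\\Program Files\\Microsoft Office\\root\\Office{0}\\{1}".format(OFFICE_VERSION, IMAGE_NAME)

#PROG_ARGUMENTS = "/q"
crash_dir = os.getcwd() + "\\IMAGES_crashes\\"
# NOTE(review): no default inputs_dir here -- it is only set from the
# positional argument in __main__ (outside this excerpt); startFuzzing
# relies on that.
wordFile = os.getcwd() + "\\includepicture.docx"
refFile = os.getcwd() + "\\1.jpg"
number_of_files = 1000
delete_inputs = False
APP_RUN_TIME = 30   # seconds a replayed crash may run in analyzeCrashes
DEBUGGER = 'winappdbg'
exec_count = 0

#Start fuzzing by creating a symlink, update etc. 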
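# Needs administrator rights, SeCreateSymbolicLinkPrivilege, or Developer Mode.

# CreateSymbolicLinkW flags (winbase.h).
SYMBOLIC_LINK_FLAG_DIRECTORY = 0x1
# Windows 10 1703+ with Developer Mode enabled accepts this flag from a
# non-elevated process; older builds fail with ERROR_INVALID_PARAMETER and the
# call is retried without it (the same fallback CPython's os.symlink uses).
SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE = 0x2
ERROR_INVALID_PARAMETER = 87


def symlink(source, link_name):
    """Point the symbolic link `link_name` at `source` with CreateSymbolicLinkW.

    Returns 1 when `source` is a directory and 0 otherwise (the HTML fuzzer
    uses this to skip directories; callers here may ignore it).  Exits the
    process when the link cannot be created, because every later
    Fields.Update() would otherwise silently re-read the previous input.
    """
    if os.name != "nt":
        return 0
    import ctypes
    kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
    csl = kernel32.CreateSymbolicLinkW
    csl.argtypes = (ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32)
    csl.restype = ctypes.c_ubyte
    flags = SYMBOLIC_LINK_FLAG_DIRECTORY if os.path.isdir(source) else 0
    target = source.replace('/', '\\')
    created = csl(link_name, target, flags | SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE)
    if not created and ctypes.get_last_error() == ERROR_INVALID_PARAMETER:
        created = csl(link_name, target, flags)
    if not created:
        logger.error('Could not create a symbolic link. please ensure Python has permissions to make symbolic links OR run the fuzzer with an administrator privileges (%s)', ctypes.WinError(ctypes.get_last_error()))
        sys.exit(1)
    return flags


def DeleteOfficeHistorty():
    """Delete Word's safe-mode and MRU registry entries so the next start is clean.

    Not called anywhere at the moment.  The original assigned the command
    string twice and only ran the second one; both keys are deleted now.
    """
    logger.debug('[+] Deleting Safe Mode Prompt Office History')
    keys = [
        ('HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\{0}.0\\Word\\Resiliency\\StartupItems'.format(OFFICE_VERSION), []),
        ('HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\{0}.0\\Word\\File MRU'.format(OFFICE_VERSION), ['/v', 'Item 1']),
    ]
    for key, extra in keys:
        # argument list, no shell: the key names contain spaces
        subprocess.call(['REG', 'DELETE', key] + extra + ['/f'])


def ForceKillOffice():
    '''
    In case debugger is unable to kill the half dead office process, we will try to kill it forcefully.
    Best effort: failures are logged at DEBUG and otherwise ignored.
    '''
    try:
        logger.debug('[+] %s Forcefully Killing Office Application', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"))
        with open(os.devnull, 'w') as devnull:
            subprocess.call(['taskkill', '/F', '/IM', IMAGE_NAME], stdout=devnull, stderr=devnull)
    except Exception:
        logger.debug('[-] taskkill failed', exc_info=True)


def AccessViolationHandlerWINAPPDBG(event):
    '''
    winappdbg event callback.  On a last-chance exception it stores the
    crashing input plus a full crash report under crash_dir/<exe>/<pc>/ and
    kills the debuggee so the fuzz loop can relaunch Word.
    '''
    global curr_input
    if event.get_event_code() != win32.EXCEPTION_DEBUG_EVENT or not event.is_last_chance():
        return
    crash = Crash(event)
    crash.fetch_extra_data(event)
    details = crash.fullReport(bShowNotes=True)
    # 32-bit Office is the documented target (Eip); fall back to Rip so a
    # 64-bit debuggee does not KeyError inside the exception handler.
    regs = crash.registers
    violation_addr = hex(regs['Eip'] if 'Eip' in regs else regs['Rip'])
    exe_name = os.path.basename(event.get_process().get_filename())
    # "fuzz-<n>.<ext>" inputs keep "<n>.<ext>" as before; any other name keeps
    # its full basename instead of raising IndexError inside the handler.
    base = os.path.basename(curr_input)
    short = base.split('fuzz-', 1)[1] if 'fuzz-' in base else base
    crashfilename = 'crash__' + short + '.' + curr_input.split('.')[-1]
    out_dir = os.path.join(crash_dir + exe_name, violation_addr)
    if not os.path.isdir(out_dir):
        os.makedirs(out_dir)
    shutil.copyfile(curr_input, os.path.join(out_dir, short))
    logger.info('[+] %s BOOM!! APP Crashed : Crash file Copied to %s', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"), os.path.join(exe_name, violation_addr, crashfilename))
    with open(os.path.join(out_dir, crashfilename + '.txt'), 'w') as syn:
        syn.write(details)
    logger.debug('[+] %s Killing half dead process', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"))
    try:
        event.get_process().kill()
    except Exception:
        ForceKillOffice()


def StillRunningWINAPPDBG(proc):
    '''
    Run as a thread from analyzeCrashes: kills `proc` after APP_RUN_TIME
    seconds so a replay that hangs does not block the analysis loop.
    '''
    sleep(APP_RUN_TIME)
    try:
        proc.kill()
    except Exception:
        ForceKillOffice()


def pretty_print(count, char):
    """Progress marker: one `char` per input, with a counter prefix every 50."""
    if count == 1:
        sys.stdout.write('0: {0} '.format(char))
    elif count % 50 == 0:
        sys.stdout.write('\n{0}: {1} '.format(count, char))
    else:
        sys.stdout.write(char + ' ')
    sys.stdout.flush()


def wordGuard():
    '''Watches for Word hangs caused by Fields.Update(): polls tasklist every
    7 seconds and kills WINWORD.EXE when it is reported "not responding".
    Currently not started (the start_new_thread call in launchWord is
    commented out).'''

    while True:
        r = subprocess.check_output('tasklist /FI "IMAGENAME eq {0}" /FI "STATUS eq not responding"'.format(IMAGE_NAME))
        # Use the filtered listing (it was computed and then ignored, and the
        # unfiltered tasklist output killed Word on its very first row).  The
        # header, the "=====" rule and the "INFO: No tasks ..." notice never
        # name the image.
        for line in (row.split() for row in r.splitlines()):
            if line and line[0].upper() == IMAGE_NAME:
                logger.debug('[!] %s is not responding, killing it', IMAGE_NAME)
                ForceKillOffice()
                break

        sleep(7)


def launchWord(queue):
    """Drive one Word session over the queued image inputs.

    Word is started once under winappdbg and once more as a COM server; each
    input is then exposed through the `refFile` symlink and pulled in with
    Selection.Fields.Update().  Returns after the queue has been empty ten
    times in a row, or right after a crash/hang (fail_count == -1) so the
    caller can relaunch Word.
    """
    global exec_count, curr_input, event

    fail_count = 0
    logger.debug('[+] %s Word Thread started..', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"))
    word = win32com.client.DispatchEx("word.Application")
    logger.debug('[+] %s Using debugger : %s', datetime.now().strftime("%Y:%m:%d::%H:%M:%S"), DEBUGGER)
    #wordGuard_tid = thread.start_new_thread(wordGuard, ())
    #cmd = [PROG_NAME, PROG_ARGUMENTS, wordFile]
    cmd = [PROG_NAME, wordFile]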
#logger.debug('[+]',datetime.now().strftime("%Y:%m:%d::%H:%M:%S"),'Executing : ',cmd) 178 | debug = Debug(AccessViolationHandlerWINAPPDBG, bKillOnExit = True ) 179 | proc = debug.execv(cmd) 180 | debug.loop() 181 | 182 | while (fail_count < 10 and fail_count >= 0): 183 | try: 184 | filename = queue.get(False) 185 | curr_input = '{0}'.format(filename) 186 | exec_count += 1 187 | logger.debug('[+] Generating symlink to {0}'.format(curr_input)) 188 | symlink(curr_input, refFile)#make symbolic link 189 | 190 | try: 191 | logger.debug('[+] Updating Word via COM') 192 | 193 | if (word.Selection.Fields.Update() == 0): #update document fields 194 | pretty_print(exec_count,'.') 195 | 196 | except Exception as e: 197 | if e is None or not isinstance(e, tuple): 198 | pass 199 | try: 200 | if 'The remote procedure call failed.' in e: 201 | logger.debug('[!] We have a crash!') 202 | pretty_print(exec_count,'!') 203 | if not os.path.exists(crash_dir): 204 | os.mkdir(crash_dir) 205 | os.system("cp {0} {1}/{2} > NUL".format(curr_input, crash_dir, curr_input.split('\\')[1])) 206 | fail_count = -1 207 | else: 208 | logger.debug('[?] We have a hang?') 209 | pretty_print(exec_count,'?') 210 | ForceKillOffice() 211 | fail_count = -1 212 | except: 213 | pass 214 | finally: 215 | logger.debug('[+] Removing symlink from {0}'.format(curr_input)) 216 | queue.task_done() 217 | try: 218 | os.remove(refFile) 219 | except: 220 | pass 221 | except Queue.Empty: 222 | fail_count += 1 223 | continue 224 | try: 225 | word.Quit() 226 | ForceKillOffice() 227 | 228 | except: 229 | pass 230 | 231 | def analyzeCrashes(): 232 | global threads, curr_input 233 | 234 | if not os.path.exists(crash_dir): 235 | logger.info('[!] 
'+ datetime.now().strftime("%Y:%m:%d::%H:%M:%S") +' There are no crashing inputs to analyze!') 236 | return 237 | 238 | if len(threads) == 0: 239 | popup = PopUpKiller() 240 | popup_tid = thread.start_new_thread(popup.POPUpKillerThread, ()) 241 | threads.append(popup_tid) 242 | 243 | 244 | 245 | for file in os.listdir(crash_dir): 246 | try: 247 | if file == "": 248 | continue 249 | curr_input = '{0}\\{1}'.format(crash_dir, file) 250 | logger.debug('[+] Generating symlink to {0}'.format(curr_input)) 251 | symlink(curr_input, refFile)#make symbolic link 252 | #cmd = [PROG_NAME, PROG_ARGUMENTS, wordFile] 253 | cmd = [PROG_NAME, wordFile] 254 | debug = Debug(AccessViolationHandlerWINAPPDBG, bKillOnExit = True ) 255 | logger.debug('[+]',datetime.now().strftime("%Y:%m:%d::%H:%M:%S"),'Executing : ',cmd) 256 | proc = debug.execv(cmd) 257 | wordGuard_tid = thread.start_new_thread(StillRunningWINAPPDBG, (proc,)) 258 | threads.append(wordGuard_tid) 259 | debug.loop() 260 | except: 261 | pass 262 | finally: 263 | try: 264 | logger.debug('[+] Removing symlink from {0}'.format(curr_input)) 265 | os.remove(refFile) 266 | except: 267 | pass 268 | 269 | def startFuzzing(): 270 | 271 | global threads, curr_input 272 | q = Queue.Queue() 273 | 274 | logger.info('[+] '+ datetime.now().strftime("%Y:%m:%d::%H:%M:%S") +' Starting!') 275 | popup = PopUpKiller() 276 | popup_tid = thread.start_new_thread(popup.POPUpKillerThread, ()) 277 | threads.append(popup_tid) 278 | 279 | logger.debug('[+] '+ datetime.now().strftime("%Y:%m:%d::%H:%M:%S") + ' Adding image inputs to queue..') 280 | for item in os.listdir(inputs_dir): q.put('{0}\\{1}'.format(inputs_dir,item)) 281 | while not q.empty(): 282 | #ForceKillOffice() 283 | #DeleteOfficeHistorty() 284 | launchWord(q) 285 | if not os.path.exists(crash_dir): 286 | exit() 287 | 288 | analyzeCrashes() 289 | 290 | @atexit.register 291 | def cleanup(signum = None, frame = None): 292 | 293 | ForceKillOffice() 294 | if (delete_inputs and 
os.path.exists(inputs_dir)): shutil.rmtree(inputs_dir,False) 295 | if os.path.exists(refFile): os.remove(refFile) 296 | exit() 297 | 298 | if __name__ == "__main__": 299 | banner = ''' 300 | 301 | $$\ $$\ $$$$$$$$\ 302 | $$$\ $$$ | $$ _____| 303 | $$$$\ $$$$ | $$$$$$\ $$ | 304 | $$\$$\$$ $$ |$$ __$$\ $$$$$\ 305 | $$ \$$$ $$ |$$ / $$ |$$ __| 306 | $$ |\$ /$$ |$$ | $$ |$$ | 307 | $$ | \_/ $$ |\$$$$$$$ |$$ | 308 | \__| \__| \____$$ |\__| 309 | $$ | 310 | $$ | 311 | \__| 312 | 313 | MSWORD Quick Fields Fuzzing Framework. 314 | Author : Amit Dori (twitter.com/_AmitDori_) 315 | ''' 316 | 317 | 318 | signal.signal(signal.SIGINT, cleanup) 319 | signal.signal(signal.SIGTERM, cleanup) 320 | 321 | print banner 322 | logger = setupLogger() 323 | parser = argparse.ArgumentParser(prog='ImageFuzzer', description="Fuzzing Word INCLUDEPICTURE Field image capabilities") 324 | parser.add_argument("operation", choices=['analyze','fuzz'], help="Operation mode: analyze or fuzz") 325 | parser.add_argument("inputs_dir", nargs="?", default="", help="Directory of input images") 326 | parser.add_argument("-w", "--word-file", help="Name of Word File to use") 327 | parser.add_argument("-r", "--ref-file", help="Name of Symbolic link file to use") 328 | parser.add_argument("-i","--inputs-dir", help="Directory of input images") 329 | parser.add_argument("-o","--output-dir", help="Directory to save crashing image files") 330 | parser.add_argument("-v","--verbose", help="More info", action="store_true") 331 | parser.add_argument("-d","--delete-arguments",help="Delete input image files when done", action="store_true") 332 | args = parser.parse_args() 333 | 334 | if args.word_file: wordFile = args.word_file 335 | if args.ref_file: refFile = args.ref_file 336 | if args.output_dir: crash_dir = args.output_dir 337 | if args.verbose: logger.setLevel(logging.DEBUG) 338 | if args.delete_arguments: delete_inputs = True 339 | 340 | if os.path.exists(args.inputs_dir): inputs_dir = args.inputs_dir 341 | else: 
342 | logger.error('[!] '+ datetime.now().strftime("%Y:%m:%d::%H:%M:%S") + ' Inputs directory does not exist') 343 | exit() 344 | if args.operation == "fuzz": 345 | if os.path.exists(refFile): os.remove(refFile) 346 | startFuzzing() 347 | elif args.operation == "analyze": 348 | analyzeCrashes() 349 | cleanup() 350 | -------------------------------------------------------------------------------- /includepicture.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/includepicture.docx -------------------------------------------------------------------------------- /includetext.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/includetext.docx -------------------------------------------------------------------------------- /popuphandler.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VotiroLabs/Word-Quick-Fuzzer/fc4dfd29aba2a8f7ec392b8e26e4be6e29597bd8/popuphandler.PNG --------------------------------------------------------------------------------