├── .gitignore ├── AutoDebug.cpp ├── AutoDebug.h ├── CloneFunction.cpp ├── CloneFunction.h ├── LoadExe_example.cpp ├── Lock.cpp ├── Lock.h ├── PeLoader.cpp ├── PeLoader.h ├── ReadMe.txt ├── Thread.cpp ├── Thread.h ├── ThreadMgr.cpp ├── ThreadMgr.h ├── Utils.cpp ├── Utils.h ├── Win32ApiWrapper.cpp ├── Win32ApiWrapper.h ├── XDbgController.cpp ├── XDbgController.h ├── XDbgProxy.cpp ├── XDbgProxy.h ├── common.cpp ├── common.h ├── creatwth.cpp ├── debugee.cpp ├── debugee.vcxproj ├── detours.cpp ├── detours.h ├── detver.h ├── disasm.cpp ├── image.cpp ├── launcher.cpp ├── launcher.vcxproj ├── modules.cpp ├── note.txt ├── pluginsdk ├── DeviceNameResolver │ ├── DeviceNameResolver.h │ ├── DeviceNameResolver_x64.a │ ├── DeviceNameResolver_x64.lib │ ├── DeviceNameResolver_x86.a │ └── DeviceNameResolver_x86.lib ├── TitanEngine │ ├── TitanEngine.h │ ├── TitanEngine_x64.a │ ├── TitanEngine_x64.lib │ ├── TitanEngine_x86.a │ └── TitanEngine_x86.lib ├── XEDParse │ ├── XEDParse.h │ ├── XEDParse_x64.a │ ├── XEDParse_x64.lib │ ├── XEDParse_x86.a │ └── XEDParse_x86.lib ├── _dbgfunctions.h ├── _plugin_types.h ├── _plugins.h ├── _scriptapi.h ├── _scriptapi_assembler.h ├── _scriptapi_bookmark.h ├── _scriptapi_comment.h ├── _scriptapi_debug.h ├── _scriptapi_flag.h ├── _scriptapi_function.h ├── _scriptapi_gui.h ├── _scriptapi_label.h ├── _scriptapi_memory.h ├── _scriptapi_misc.h ├── _scriptapi_module.h ├── _scriptapi_pattern.h ├── _scriptapi_register.h ├── _scriptapi_stack.h ├── _scriptapi_symbol.h ├── bridgelist.h ├── bridgemain.h ├── dbghelp │ ├── dbghelp.h │ ├── dbghelp_x64.a │ ├── dbghelp_x64.lib │ ├── dbghelp_x86.a │ └── dbghelp_x86.lib ├── jansson │ ├── jansson.h │ ├── jansson_config.h │ ├── jansson_x64.a │ ├── jansson_x64.lib │ ├── jansson_x64dbg.h │ ├── jansson_x86.a │ └── jansson_x86.lib ├── libx32bridge.a ├── libx32dbg.a ├── libx64bridge.a ├── libx64dbg.a ├── lz4 │ ├── lz4.h │ ├── lz4_x64.a │ ├── lz4_x64.lib │ ├── lz4_x86.a │ ├── lz4_x86.lib │ ├── lz4file.h │ └── lz4hc.h ├── x32bridge.lib ├── x32dbg.lib ├── x64bridge.lib ├── x64dbg.lib └── yara │ ├── yara.h │ ├── yara │ ├── ahocorasick.h │ ├── arena.h │ ├── atoms.h │ ├── compiler.h │ ├── elf.h │ ├── error.h │ ├── exec.h │ ├── exefiles.h │ ├── filemap.h │ ├── globals.h │ ├── hash.h │ ├── hex_lexer.h │ ├── lexer.h │ ├── libyara.h │ ├── limits.h │ ├── mem.h │ ├── modules.h │ ├── object.h │ ├── parser.h │ ├── pe.h │ ├── proc.h │ ├── re.h │ ├── re_lexer.h │ ├── rules.h │ ├── scan.h │ ├── sizedstr.h │ ├── stream.h │ ├── strutils.h │ ├── types.h │ └── utils.h │ ├── yara_x64.a │ ├── yara_x64.lib │ ├── yara_x86.a │ └── yara_x86.lib ├── uimports.cpp ├── x32dbg.exe.ini ├── xdbg.cpp ├── xdbg.sln ├── xdbg.vcxproj ├── xdbgcore.cpp ├── xdbgcore.def └── xdbgcore.vcxproj /.gitignore: -------------------------------------------------------------------------------- 1 | # Ignored directories 2 | bin/*/ 3 | obj/ 4 | ipch/ 5 | Win32/ 6 | x64/ 7 | release/ 8 | build/ 9 | gui_build/ 10 | debug/ 11 | *XE Results*/ 12 | doxygen*/ 13 | doc/ 14 | COV/ 15 | minidump/ 16 | 17 | # Global filetypes to ignore 18 | *.depend 19 | *.layout 20 | *.patch 21 | *.cscope_file_list 22 | *.bmarks 23 | *.chw 24 | *.cbTemp 25 | *.ini 26 | *.opensdf 27 | *.sdf 28 | *.suo 29 | *.autosave 30 | *.~vsd 31 | *.dll 32 | *.exe 33 | *.pro.user.* 34 | *.orig 35 | cov-int* 36 | *.pdb 37 | ui_* 38 | *.aps 39 | *.pro.user 40 | *.vcxproj.user 41 | .DS_Store 42 | *.ipgset 43 | 44 | # Project to ignore 45 | help/x64*dbg.chm 46 | help/output/ 47 | bin/x64*dbg.chm 48 | bin/win32.* 49 | 50 | # Debugger files to ignore 51 | CppCheckResults.xml 52 | src/dbg/ODbgScript.chm 53 | src/dbg/ODbgScript.chw 54 | 55 | # GUI files 56 | src/gui/build 57 | src/gui/Makefile* 58 | tools/ 59 | RCa* 60 | RDa* 61 | RDb* 62 | src/build-*/ 63 | 64 | # Exceptions 65 | !/hooks/AStyleWhore.exe 66 | !/hooks/AStyle.dll 67 | !/bin/x64dbg_shell_remove.reg 68 | !*.lib 69 | pin.log 70 | tags 71 | -------------------------------------------------------------------------------- /AutoDebug.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "AutoDebug.h" 3 | #include "XDbgController.h" 4 | 5 | IgnoreException::IgnoreException() 6 | { 7 | char iniName[MAX_PATH]; 8 | GetModuleFileName(NULL, iniName, sizeof(iniName) - 1); 9 | strcat_s(iniName, ".ini"); 10 | char ignoreExceptions[1024]; 11 | GetPrivateProfileString("xdbg", "ignored_exceptions", "", ignoreExceptions, 12 | sizeof(ignoreExceptions) - 1, iniName); 13 | 14 | char* entry = strtok(ignoreExceptions, ","); 15 | while (entry) { 16 | ULONG_PTR start; 17 | ULONG_PTR end; 18 | if (sscanf(entry, "%X-%X", &start, &end) == 2) { 19 | std::pair range; 20 | range.first = start; 21 | range.second = end; 22 | _exceptions.push_back(range); 23 | } 24 | 25 | entry = strtok(0, ","); 26 | } 27 | } 28 | 29 | bool IgnoreException::peekDebugEvent(LPDEBUG_EVENT event, DWORD* continueStatus) 30 | { 31 | if (event->dwDebugEventCode == EXCEPTION_DEBUG_EVENT) { 32 | std::vector >::iterator it; 33 | for (it = _exceptions.begin(); it != _exceptions.end(); it ++) { 34 | if (it->first == 0 && (ULONG_PTR )event->u.Exception.ExceptionRecord.ExceptionAddress == it->second) { 35 | *continueStatus = DBG_EXCEPTION_NOT_HANDLED; 36 | return false; 37 | } 38 | 39 | if (it->second == 0) { 40 | DWORD code = 0; 41 | SIZE_T len; 42 | ::ReadProcessMemory(XDbgController::instance().getProcessHandle(), 43 | event->u.Exception.ExceptionRecord.ExceptionAddress, &code, 44 | sizeof(code), &len); 45 | if (code == it->first) { 46 | *continueStatus = DBG_EXCEPTION_NOT_HANDLED; 47 | return false; 48 | } 49 | } 50 | 51 | if (event->u.Exception.ExceptionRecord.ExceptionCode >= it->first && 52 | event->u.Exception.ExceptionRecord.ExceptionCode <= it->second) { 53 | *continueStatus = DBG_EXCEPTION_NOT_HANDLED; 54 | return false; 55 | } 56 | } 57 | } 58 | 59 | return true; 60 | } 61 | -------------------------------------------------------------------------------- /AutoDebug.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include "XDbgController.h" 4 | #include 5 | 6 | class IgnoreException : public AutoDebug { 7 | public: 8 | IgnoreException(); 9 | virtual bool peekDebugEvent(LPDEBUG_EVENT event, DWORD* continueStatus); 10 | 11 | std::vector > _exceptions; 12 | }; 13 | -------------------------------------------------------------------------------- /CloneFunction.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "CloneFunction.h" 3 | #include 4 | 5 | PVOID CloneFunctions(const CloneFuncDef defs[], size_t count, size_t* funcsSize) 6 | { 7 | size_t memSize = 0; 8 | for (size_t i = 0; i < count; i++) { 9 | memSize += defs[i].funcSize; 10 | } 11 | 12 | PVOID base = VirtualAlloc(NULL, memSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 13 | 14 | if (base == NULL) 15 | return false; 16 | char* pos = (char *)base; 17 | for (size_t i = 0; i < count; i++) { 18 | HMODULE hMod = LoadLibrary(defs[i].modName); 19 | if (hMod == NULL) { 20 | VirtualFree(base, 0, MEM_RELEASE); 21 | assert(false); 22 | return NULL; 23 | } 24 | 25 | PVOID funcAddr = pos; 26 | if (!CloneFunction(hMod, defs[i].funcName, funcAddr, defs[i].funcSize)) { 27 | VirtualFree(base, 0, MEM_RELEASE); 28 | assert(false); 29 | return NULL; 30 | } 31 | 32 | *defs[i].funcAddr = funcAddr; 33 | pos += defs[i].funcSize; 34 | } 35 | 36 | if (funcsSize) 37 | *funcsSize = memSize; 38 | return base; 39 | } 40 | 41 | bool CloneFunction(HMODULE hMod, const char* funcName, void* funcAddr, size_t size) 42 | { 43 | FARPROC fn = GetProcAddress(hMod, funcName); 44 | if (fn == NULL) { 45 | assert(false); 46 | return false; 47 | } 48 | 49 | memcpy(funcAddr, fn, size); 50 | return true; 51 | } 52 | -------------------------------------------------------------------------------- /CloneFunction.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | struct CloneFuncDef { 4 | const char* modName; 5 | const char* funcName; 6 | void** funcAddr; 7 | size_t funcSize; 8 | }; 9 | 10 | bool CloneFunction(HMODULE hMod, const char* funcName, void* funcAddr, size_t size); 11 | PVOID CloneFunctions(const CloneFuncDef defs[], size_t count, size_t* funcsSize); 12 | -------------------------------------------------------------------------------- /Lock.cpp: -------------------------------------------------------------------------------- 1 | #include "Lock.h" 2 | 3 | Mutex::Mutex() 4 | { 5 | InitializeCriticalSection(&_cs); 6 | } 7 | 8 | Mutex::~Mutex() 9 | { 10 | DeleteCriticalSection(&_cs); 11 | } 12 | 13 | void Mutex::lock() 14 | { 15 | EnterCriticalSection(&_cs); 16 | } 17 | 18 | bool Mutex::trylock() 19 | { 20 | return TryEnterCriticalSection(&_cs) == TRUE; 21 | } 22 | 23 | void Mutex::unlock() 24 | { 25 | LeaveCriticalSection(&_cs); 26 | } 27 | 28 | ////////////////////////////////////////////////////////////////////////// 29 | 30 | Semaphore::Semaphore(long initVal, long maxVal) 31 | { 32 | _sema = CreateSemaphore(NULL, initVal, maxVal, NULL); 33 | 34 | if (_sema == NULL) { 35 | 36 | throw __FUNCTION__": CreateSemaphore failed"; 37 | } 38 | } 39 | 40 | Semaphore::~Semaphore() 41 | { 42 | if (_sema) 43 | CloseHandle(_sema); 44 | } 45 | 46 | void Semaphore::lock() 47 | { 48 | WaitForSingleObject(_sema, INFINITE); 49 | } 50 | 51 | void Semaphore::unlock() 52 | { 53 | LONG count; 54 | ::ReleaseSemaphore(_sema, 1, &count); 55 | } 56 | 57 | ////////////////////////////////////////////////////////////////////////// 58 | // unit testing 59 | #ifdef _UNIT_TEST 60 | 61 | static void test() 62 | { 63 | Mutex lock1, lock2; 64 | MutexGuard guard(&lock1); 65 | MMutexGuard guard2(2, &lock1, &lock2); 66 | } 67 | 68 | #endif 69 | -------------------------------------------------------------------------------- /Lock.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | class Mutex { 7 | public: 8 | Mutex(); 9 | ~Mutex(); 10 | 11 | void lock(); 12 | bool trylock(); 13 | void unlock(); 14 | 15 | protected: 16 | CRITICAL_SECTION _cs; 17 | }; 18 | 19 | class Semaphore { 20 | public: 21 | Semaphore(long initVal, long maxVal); 22 | ~Semaphore(); 23 | 24 | void lock(); 25 | void unlock(); 26 | 27 | protected: 28 | HANDLE _sema; 29 | }; 30 | 31 | class Nonlock { 32 | public: 33 | void lock() { } 34 | void unlock() { } 35 | }; 36 | 37 | template 38 | class LockGuard { 39 | public: 40 | LockGuard (LOCK_TYPE* lock): _lock(lock) 41 | { 42 | lock->lock(); 43 | } 44 | 45 | ~LockGuard () 46 | { 47 | _lock->unlock(); 48 | } 49 | 50 | protected: 51 | LOCK_TYPE* _lock; 52 | }; 53 | 54 | template 55 | class MultiLockGuard { 56 | public: 57 | MultiLockGuard (size_t n, ...) 58 | { 59 | va_list valist; 60 | va_start(valist, n); 61 | for (size_t i = 0; i < n; i ++) { 62 | LOCK_TYPE* lock = va_arg(valist, LOCK_TYPE* ); 63 | _locks.insert(lock); 64 | } 65 | 66 | LockSet::iterator it; 67 | for (it = _locks.begin(); it != _locks.end(); it ++) { 68 | (*it)->lock(); 69 | } 70 | } 71 | 72 | ~MultiLockGuard () 73 | { 74 | LockSet::iterator it; 75 | for (it = _locks.begin(); it != _locks.end(); it ++) { 76 | (*it)->unlock(); 77 | } 78 | } 79 | 80 | protected: 81 | typedef std::set LockSet; 82 | LockSet _locks; 83 | }; 84 | 85 | typedef LockGuard MutexGuard; 86 | typedef MultiLockGuard MMutexGuard; 87 | 88 | typedef LockGuard SemaGuard; 89 | -------------------------------------------------------------------------------- /PeLoader.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "PeLoader.h" 4 | #include "Utils.h" 5 | #include 6 | 7 | PeLoader::PeLoader() 8 | { 9 | } 10 | 11 | 12 | PeLoader::~PeLoader() 13 | { 14 | } 15 | 16 | PVOID PeLoader::load(HANDLE hProc, LPCTSTR fileName, PVOID base) 17 | { 18 | HANDLE hFile = CreateFile(fileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); 19 | if (hFile == INVALID_HANDLE_VALUE) 20 | return NULL; 21 | HANDLE hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL); 22 | CloseHandle(hFile); 23 | if (hMap == NULL) { 24 | return NULL; 25 | } 26 | 27 | _hProc = hProc; 28 | 29 | PVOID fileCache = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0); 30 | CloseHandle(hMap); 31 | PIMAGE_DOS_HEADER dosHdr = (PIMAGE_DOS_HEADER )fileCache; 32 | PIMAGE_NT_HEADERS ntHdrs = (PIMAGE_NT_HEADERS )MakePtr(fileCache, dosHdr->e_lfanew); 33 | base = VirtualAllocEx(hProc, base, ntHdrs->OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, 34 | PAGE_READWRITE); 35 | loadImage(fileCache, base); 36 | 37 | PIMAGE_DOS_HEADER imgDosHdr = (PIMAGE_DOS_HEADER)base; 38 | PIMAGE_NT_HEADERS imgNtHdrs = (PIMAGE_NT_HEADERS)MakePtr(base, dosHdr->e_lfanew); 39 | 40 | if (!loadImport(fileCache, base, ntHdrs, imgNtHdrs)) { 41 | assert(false); 42 | return false; 43 | } 44 | 45 | if (!loadRelocation(fileCache, base, ntHdrs, imgNtHdrs)) { 46 | assert(false); 47 | return false; 48 | } 49 | 50 | UnmapViewOfFile(fileCache); 51 | 52 | return base; 53 | } 54 | 55 | 56 | bool PeLoader::loadImage(PVOID cachedBase, PVOID imgBase) 57 | { 58 | SIZE_T len; 59 | PIMAGE_DOS_HEADER dosHdrSrc = (PIMAGE_DOS_HEADER)cachedBase; 60 | PIMAGE_DOS_HEADER dosHdrDest = (PIMAGE_DOS_HEADER)imgBase; 61 | WriteProcessMemory(_hProc, dosHdrDest, dosHdrSrc, sizeof(*dosHdrSrc), &len); 62 | PIMAGE_NT_HEADERS ntHdrsSrc = (PIMAGE_NT_HEADERS)MakePtr(cachedBase, dosHdrSrc->e_lfanew); 63 | PIMAGE_NT_HEADERS ntHdrsDest = (PIMAGE_NT_HEADERS)MakePtr(imgBase, dosHdrSrc->e_lfanew); 64 | WriteProcessMemory(_hProc, ntHdrsDest, ntHdrsSrc, sizeof(*ntHdrsSrc), &len); 65 | WORD secNum = ntHdrsSrc->FileHeader.NumberOfSections; 66 | WriteProcessMemory(_hProc, ntHdrsDest + 1, ntHdrsSrc + 1, sizeof(IMAGE_SECTION_HEADER) * secNum, &len); 67 | 68 | PIMAGE_SECTION_HEADER secHdrSrc = PIMAGE_SECTION_HEADER(ntHdrsSrc + 1); 69 | PIMAGE_SECTION_HEADER secHdrDest = PIMAGE_SECTION_HEADER(ntHdrsDest + 1); 70 | for (WORD i = 0; i < secNum; i ++) { 71 | PVOID secAddrSrc = (PVOID)MakePtr(cachedBase, secHdrSrc[i].VirtualAddress); 72 | PVOID secAddrDest = (PVOID)MakePtr(imgBase, secHdrSrc[i].VirtualAddress); 73 | WriteProcessMemory(_hProc, secAddrDest, secAddrSrc, secHdrSrc[i].Misc.VirtualSize, &len); 74 | } 75 | 76 | return true; 77 | } 78 | 79 | HMODULE PeLoader::loadDll(HANDLE hProc, LPCTSTR dllPath) 80 | { 81 | assert(hProc == GetCurrentProcess()); 82 | return LoadLibrary(dllPath); 83 | } 84 | 85 | bool PeLoader::loadImport(PVOID cachedBase, PVOID imgBase, PIMAGE_NT_HEADERS cachedNtHdrs, 86 | PIMAGE_NT_HEADERS ntHdrs) 87 | { 88 | PIMAGE_IMPORT_DESCRIPTOR impDesc = (PIMAGE_IMPORT_DESCRIPTOR )cachedNtHdrs->OptionalHeader. 89 | DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress; 90 | while (impDesc->Name) { 91 | 92 | LPCSTR name = (LPCSTR )MakePtr(cachedBase, impDesc->Name); 93 | impDesc ++; 94 | } 95 | 96 | return false; 97 | } 98 | 99 | bool PeLoader::loadRelocation(PVOID cachedBase, PVOID imgBase, PIMAGE_NT_HEADERS cachedNtHdrs, 100 | PIMAGE_NT_HEADERS ntHdrs) 101 | { 102 | return false; 103 | } 104 | -------------------------------------------------------------------------------- /PeLoader.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | class PeLoader 3 | { 4 | public: 5 | PeLoader(); 6 | ~PeLoader(); 7 | 8 | PVOID load(HANDLE hProc, LPCTSTR fileName, PVOID base); 9 | 10 | protected: 11 | bool loadImage(PVOID cachedBase, PVOID imgBase); 12 | bool loadImport(PVOID cachedBase, PVOID imgBase, PIMAGE_NT_HEADERS cachedNtHdrs, PIMAGE_NT_HEADERS imgNtHdrs); 13 | bool loadRelocation(PVOID cachedBase, PVOID imgBase, PIMAGE_NT_HEADERS cachedNtHdrs, PIMAGE_NT_HEADERS imgNtHdrs); 14 | HMODULE loadDll(HANDLE hProc, LPCTSTR dllPath); 15 | 16 | protected: 17 | HANDLE _hProc; 18 | PVOID _base; 19 | }; 20 | -------------------------------------------------------------------------------- /ReadMe.txt: -------------------------------------------------------------------------------- 1 | Open-source user-mode Anti-Anti-Debug plugin for x64dbg & cheatengine 2 | 3 | 1 put xgdbcore.dll to plugin folder 4 | 2 put x64dbg.exe.ini or x32dbg.exe.ini to program folder 5 | 3 enalabe xdbg by plugin memu. 6 | -------------------------------------------------------------------------------- /Thread.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "Thread.h" 3 | #include "Utils.h" 4 | 5 | Thread::Thread(void) 6 | { 7 | _threadHandle = NULL; 8 | _threadId = 0; 9 | } 10 | 11 | Thread::~Thread(void) 12 | { 13 | if (_threadHandle != NULL) { 14 | 15 | stop(); 16 | // CloseHandle(_threadHandle); 17 | _threadHandle = NULL; 18 | _threadId = 0; 19 | } 20 | } 21 | 22 | bool Thread::start(size_t stackSize /* = 0 */) 23 | { 24 | if (!this->init()) 25 | return false; 26 | 27 | _threadHandle = ::CreateThread(NULL, stackSize, threadProc, this, 0, &_threadId); 28 | if (_threadHandle == NULL) 29 | return false; 30 | 31 | return true; 32 | } 33 | 34 | void Thread::stop(int exitCode) 35 | { 36 | ::TerminateThread(_threadHandle, (DWORD )exitCode); 37 | CloseHandle(_threadHandle); 38 | _threadHandle = NULL; 39 | _threadId = 0; 40 | } 41 | 42 | static DWORD exceptionFilter(EXCEPTION_POINTERS* excepInfo) 43 | { 44 | MyTrace("%s:%d - exception code: %d, exception address: %p", 45 | __FILE__, __LINE__, excepInfo->ExceptionRecord->ExceptionCode, 46 | excepInfo->ExceptionRecord->ExceptionAddress); 47 | 48 | // assert(false); 49 | 50 | return EXCEPTION_EXECUTE_HANDLER; 51 | } 52 | 53 | DWORD __stdcall Thread::threadProc(void* param) 54 | { 55 | 56 | // #define PAGE_SIZE 4096 57 | 58 | // BYTE guardPages[PAGE_SIZE * 2 + 1]; 59 | // DWORD oldProt; 60 | // VirtualProtect(&guardPages[PAGE_SIZE + 1], 1, PAGE_READONLY, &oldProt); 61 | 62 | Thread* thisPtr = (Thread* )param; 63 | DWORD result; 64 | 65 | // __try { 66 | 67 | result = (DWORD )thisPtr->run(); 68 | 69 | // } __except(exceptionFilter(GetExceptionInformation())) { 70 | 71 | // } 72 | 73 | thisPtr->final(result); 74 | return result; 75 | } 76 | 77 | void Thread::wait() 78 | { 79 | WaitForSingleObject(_threadHandle, INFINITE); 80 | } 81 | -------------------------------------------------------------------------------- /Thread.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | class Thread 4 | { 5 | public: 6 | Thread(void); 7 | virtual ~Thread(void); 8 | 9 | virtual bool init() 10 | { 11 | return true; 12 | } 13 | 14 | virtual long run() = 0; 15 | 16 | virtual void final(int result) 17 | { 18 | 19 | } 20 | 21 | bool start(size_t stackSize = 0); 22 | void stop(int exitCode = 0); 23 | 24 | void wait(); 25 | 26 | int getId() const 27 | { 28 | return _threadId; 29 | } 30 | 31 | protected: 32 | static DWORD __stdcall threadProc(void* param); 33 | 34 | protected: 35 | DWORD _threadId; 36 | HANDLE _threadHandle; 37 | }; 38 | -------------------------------------------------------------------------------- /ThreadMgr.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "ThreadMgr.h" 3 | #include 4 | #include "Utils.h" 5 | 6 | ThreadMgr::ThreadMgr() 7 | { 8 | } 9 | 10 | 11 | ThreadMgr::~ThreadMgr() 12 | { 13 | } 14 | 15 | bool ThreadMgr::addAllThreads(DWORD excluded) 16 | { 17 | MutexGuard guard(&_lock); 18 | 19 | HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); 20 | if (hSnapshot != INVALID_HANDLE_VALUE) { 21 | THREADENTRY32 te; 22 | te.dwSize = sizeof(te); 23 | if (Thread32First(hSnapshot, &te)) { 24 | do { 25 | if (te.th32OwnerProcessID == GetCurrentProcessId()) { 26 | 27 | if (te.th32ThreadID == excluded) 28 | continue; 29 | addThread(te.th32ThreadID); 30 | } 31 | 32 | te.dwSize = sizeof(te); 33 | } while (Thread32Next(hSnapshot, &te)); 34 | } 35 | 36 | CloseHandle(hSnapshot); 37 | } 38 | 39 | return true; 40 | } 41 | 42 | void ThreadMgr::clearThreads() 43 | { 44 | MutexGuard guard(&_lock); 45 | std::map::iterator it; 46 | for (it = _threads.begin(); it != _threads.end(); it++) { 47 | CloseHandle(it->second); 48 | } 49 | 50 | _threads.clear(); 51 | } 52 | 53 | HANDLE ThreadMgr::addThread(DWORD tid) 54 | { 55 | HANDLE hThread = openThread(THREAD_ALL_ACCESS, FALSE, tid); 56 | if (hThread == NULL) { 57 | MyTrace("%s(): openThread() failed. errno: %x", __FUNCTION__, GetLastError()); 58 | assert(false); 59 | hThread = (HANDLE)-1; 60 | } 61 | 62 | MutexGuard guard(&_lock); 63 | _threads[tid] = hThread; 64 | return hThread; 65 | } 66 | 67 | bool ThreadMgr::delThread(DWORD tid) 68 | { 69 | MutexGuard guard(&_lock); 70 | std::map::iterator it = _threads.find(tid); 71 | if (it == _threads.end()) { 72 | return false; 73 | } 74 | if (it->second && it->second != (HANDLE)-1) 75 | CloseHandle(it->second); 76 | _threads.erase(it); 77 | return true; 78 | } 79 | 80 | void ThreadMgr::suspendAll(DWORD excluded) 81 | { 82 | MutexGuard guard(&_lock); 83 | std::map::iterator it; 84 | for (it = _threads.begin(); it != _threads.end(); it++) { 85 | if (it->first == excluded) 86 | continue; 87 | suspendThread(it->second); 88 | } 89 | } 90 | 91 | void ThreadMgr::resumeAll(DWORD excluded) 92 | { 93 | MutexGuard guard(&_lock); 94 | std::map::iterator it; 95 | for (it = _threads.begin(); it != _threads.end(); it++) { 96 | if (it->first == excluded) 97 | continue; 98 | resumeThread(it->second); 99 | } 100 | } 101 | 102 | HANDLE ThreadMgr::threadIdToHandle(DWORD tid) 103 | { 104 | MutexGuard guard(&_lock); 105 | std::map::iterator it; 106 | it = _threads.find(tid); 107 | if (it == _threads.end()) 108 | return NULL; 109 | return it->second; 110 | } 111 | 112 | DWORD ThreadMgr::threadHandleToId(HANDLE handle) 113 | { 114 | MutexGuard guard(&_lock); 115 | std::map::iterator it; 116 | for (it = _threads.begin(); it != _threads.end(); it++) { 117 | if (it->second == handle) 118 | return it->first; 119 | } 120 | 121 | return 0; 122 | } 123 | -------------------------------------------------------------------------------- /ThreadMgr.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include "Lock.h" 5 | class ThreadMgr { 6 | public: 7 | ThreadMgr(); 8 | ~ThreadMgr(); 9 | 10 | bool addAllThreads(DWORD excluded); 11 | void clearThreads(); 12 | HANDLE addThread(DWORD tid); 13 | bool delThread(DWORD tid); 14 | void suspendAll(DWORD excluded); 15 | void resumeAll(DWORD excluded); 16 | HANDLE threadIdToHandle(DWORD tid); 17 | DWORD threadHandleToId(HANDLE handle); 18 | 19 | DWORD getFirstThread() const 20 | { 21 | if (_threads.size() == 0) { 22 | assert(false); 23 | return 0; 24 | } 25 | 26 | _cursor = _threads.begin(); 27 | return _cursor->first; 28 | } 29 | 30 | DWORD getNextThread() const 31 | { 32 | if (++ _cursor == _threads.end()) 33 | return 0; 34 | return _cursor->first; 35 | } 36 | 37 | protected: 38 | virtual HANDLE openThread(DWORD dwDesiredAccess, BOOL bInheritHandle, 39 | DWORD dwThreadId) 40 | { 41 | return ::OpenThread(dwDesiredAccess, bInheritHandle, dwThreadId); 42 | } 43 | 44 | virtual DWORD suspendThread(HANDLE hThead) 45 | { 46 | return ::SuspendThread(hThead); 47 | } 48 | 49 | virtual DWORD resumeThread(HANDLE hThead) 50 | { 51 | return ::ResumeThread(hThead); 52 | } 53 | 54 | protected: 55 | std::map _threads; 56 | Mutex _lock; 57 | mutable std::map::const_iterator _cursor; 58 | }; 59 | 60 | -------------------------------------------------------------------------------- /Utils.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/Utils.h -------------------------------------------------------------------------------- /Win32ApiWrapper.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "Win32ApiWrapper.h" 4 | #include "CloneFunction.h" 5 | #include 6 | 7 | #define STATUS_END_OF_FILE ((NTSTATUS)0xC0000011L) 8 | 9 | NTSTATUS 10 | (NTAPI 11 | * NtReadFile)(IN HANDLE FileHandle, 12 | IN HANDLE Event OPTIONAL, 13 | IN PVOID ApcRoutine OPTIONAL, 14 | IN PVOID ApcContext OPTIONAL, 15 | OUT PVOID IoStatusBlock, 16 | OUT PVOID Buffer, 17 | IN ULONG Length, 18 | IN PLARGE_INTEGER ByteOffset OPTIONAL, 19 | IN PULONG Key OPTIONAL) = NULL; 20 | 21 | NTSTATUS 22 | (NTAPI 23 | * NtWriteFile)(IN HANDLE FileHandle, 24 | IN HANDLE Event OPTIONAL, 25 | IN PVOID ApcRoutine OPTIONAL, 26 | IN PVOID ApcContext OPTIONAL, 27 | OUT PVOID IoStatusBlock, 28 | IN PVOID Buffer, 29 | IN ULONG Length, 30 | IN PLARGE_INTEGER ByteOffset OPTIONAL, 31 | IN PULONG Key OPTIONAL) = NULL; 32 | 33 | NTSTATUS (NTAPI * NtSuspendThread)(IN HANDLE ThreadHandle, OUT PULONG PreviousSuspendCount OPTIONAL) = NULL; 34 | NTSTATUS(NTAPI * NtResumeThread)(IN HANDLE ThreadHandle, OUT PULONG SuspendCount OPTIONAL) = NULL; 35 | 36 | NTSTATUS 37 | (NTAPI 38 | *NtWaitForSingleObject)(IN HANDLE ObjectHandle, 39 | IN BOOLEAN Alertable, 40 | IN PLARGE_INTEGER TimeOut OPTIONAL) = NULL; 41 | 42 | 43 | /* NTSTATUS 44 | (NTAPI 45 | *NtOpenThread)(OUT PHANDLE ThreadHandle, 46 | IN ACCESS_MASK DesiredAccess, 47 | IN POBJECT_ATTRIBUTES ObjectAttributes, 48 | IN PCLIENT_ID ClientId OPTIONAL) = NULL; */ 49 | 50 | NTSTATUS 51 | (NTAPI 52 | *NtClose)(IN HANDLE Handle) = NULL; 53 | 54 | CloneFuncDef nativeApiDefs[] = { 55 | { "ntdll.dll", "NtReadFile", (void**)&NtReadFile, MAX_FUNCTION_SIZE }, 56 | { "ntdll.dll", "NtWriteFile", (void**)&NtWriteFile, MAX_FUNCTION_SIZE }, 57 | { "ntdll.dll", "NtSuspendThread", (void**)&NtSuspendThread, MAX_FUNCTION_SIZE }, 58 | { "ntdll.dll", "NtResumeThread", (void**)&NtResumeThread, MAX_FUNCTION_SIZE }, 59 | { "ntdll.dll", "NtWaitForSingleObject", (void**)&NtWaitForSingleObject, MAX_FUNCTION_SIZE }, 60 | // { "ntdll.dll", "NtOpenThread", (void**)&NtOpenThread }, 61 | { "ntdll.dll", "NtClose", (void**)&NtClose, MAX_FUNCTION_SIZE }, 62 | }; 63 | 64 | static PVOID funcsBase = NULL; 65 | static size_t funcsSize; 66 | BOOL InitWin32ApiWrapper() 67 | { 68 | funcsBase = CloneFunctions(nativeApiDefs, sizeof(nativeApiDefs) / sizeof(nativeApiDefs[0]), &funcsSize); 69 | return funcsBase != NULL; 70 | } 71 | 72 | void UninitWin32ApiWrapper() 73 | { 74 | if (funcsBase) { 75 | VirtualFree(funcsBase, 0, MEM_RELEASE); 76 | funcsBase = NULL; 77 | } 78 | } 79 | 80 | typedef struct _IO_STATUS_BLOCK { 81 | union { 82 | NTSTATUS Status; 83 | PVOID Pointer; 84 | } DUMMYUNIONNAME; 85 | 86 | ULONG_PTR Information; 87 | } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; 88 | 89 | BOOL WINAPI XDbgReadFile(IN HANDLE hFile, IN LPVOID lpBuffer, IN DWORD nNumberOfBytesToRead, 90 | OUT LPDWORD lpNumberOfBytesRead OPTIONAL, IN LPOVERLAPPED lpOverlapped OPTIONAL) 91 | { 92 | assert(lpOverlapped == NULL); 93 | 94 | IO_STATUS_BLOCK Iosb; 95 | 96 | NTSTATUS Status = NtReadFile(hFile, 97 | NULL, 98 | NULL, 99 | NULL, 100 | &Iosb, 101 | lpBuffer, 102 | nNumberOfBytesToRead, 103 | NULL, 104 | NULL); 105 | 106 | /* Wait in case operation is pending */ 107 | if (Status == STATUS_PENDING) 108 | { 109 | Status = NtWaitForSingleObject(hFile, FALSE, NULL); 110 | if (Status == 0) Status = Iosb.Status; 111 | } 112 | 113 | if (Status == STATUS_END_OF_FILE) 114 | { 115 | /* 116 | * lpNumberOfBytesRead must not be NULL here, in fact Win doesn't 117 | * check that case either and crashes (only after the operation 118 | * completed). 119 | */ 120 | *lpNumberOfBytesRead = 0; 121 | return TRUE; 122 | } 123 | 124 | if (Status == 0) 125 | { 126 | /* 127 | * lpNumberOfBytesRead must not be NULL here, in fact Win doesn't 128 | * check that case either and crashes (only after the operation 129 | * completed). 130 | */ 131 | *lpNumberOfBytesRead = (DWORD )Iosb.Information; 132 | } 133 | else 134 | { 135 | return FALSE; 136 | } 137 | 138 | return TRUE; 139 | } 140 | 141 | BOOL WINAPI XDbgWriteFile(IN HANDLE hFile, IN LPCVOID lpBuffer, IN DWORD nNumberOfBytesToWrite OPTIONAL, 142 | OUT LPDWORD lpNumberOfBytesWritten OPTIONAL, IN LPOVERLAPPED lpOverlapped OPTIONAL) 143 | { 144 | assert(lpOverlapped == NULL); 145 | 146 | IO_STATUS_BLOCK Iosb; 147 | 148 | NTSTATUS Status = NtWriteFile(hFile, 149 | NULL, 150 | NULL, 151 | NULL, 152 | &Iosb, 153 | (PVOID)lpBuffer, 154 | nNumberOfBytesToWrite, 155 | NULL, 156 | NULL); 157 | 158 | /* Wait in case operation is pending */ 159 | if (Status == STATUS_PENDING) 160 | { 161 | Status = NtWaitForSingleObject(hFile, FALSE, NULL); 162 | if (Status == 0) Status = Iosb.Status; 163 | } 164 | 165 | if (Status == 0) 166 | { 167 | /* 168 | * lpNumberOfBytesWritten must not be NULL here, in fact Win doesn't 169 | * check that case either and crashes (only after the operation 170 | * completed). 171 | */ 172 | *lpNumberOfBytesWritten = (DWORD )Iosb.Information; 173 | } 174 | else 175 | { 176 | return FALSE; 177 | } 178 | 179 | return TRUE; 180 | } 181 | 182 | DWORD WINAPI XDbgGetCurrentProcessId() 183 | { 184 | PVOID* teb = (PVOID* )NtCurrentTeb(); 185 | return * LPDWORD(teb + 8); 186 | } 187 | 188 | DWORD WINAPI XDbgGetCurrentThreadId() 189 | { 190 | PVOID* teb = (PVOID*)NtCurrentTeb(); 191 | return *LPDWORD(teb + 9); 192 | } 193 | 194 | DWORD WINAPI XDbgSuspendThread(IN HANDLE hThread) 195 | { 196 | DWORD PreviousSuspendCount; 197 | NTSTATUS status = NtSuspendThread(hThread, &PreviousSuspendCount); 198 | if (status) { 199 | return -1; 200 | } 201 | 202 | return PreviousSuspendCount; 203 | } 204 | 205 | DWORD WINAPI XDbgResumeThread(IN HANDLE hThread) 206 | { 207 | DWORD SuspendCount; 208 | NTSTATUS status = NtResumeThread(hThread, &SuspendCount); 209 | if (status) { 210 | return -1; 211 | } 212 | 213 | return SuspendCount; 214 | } 215 | 216 | HANDLE WINAPI XDbgGetCurrentProcess() 217 | { 218 | return (HANDLE )-1; 219 | } 220 | 221 | HANDLE WINAPI XDbgGetCurrentThread() 222 | { 223 | return (HANDLE)-2; 224 | } 225 | 226 | BOOL WINAPI XDbgCloseHandle(HANDLE hObj) 227 | { 228 | return NtClose(hObj) == 0; 229 | } 230 | -------------------------------------------------------------------------------- /Win32ApiWrapper.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define MAX_FUNCTION_SIZE 64 4 | 5 | BOOL InitWin32ApiWrapper(); 6 | void UninitWin32ApiWrapper(); 7 | 8 | BOOL WINAPI XDbgReadFile(IN HANDLE hFile, IN LPVOID lpBuffer, IN DWORD nNumberOfBytesToRead, 9 | OUT LPDWORD lpNumberOfBytesRead OPTIONAL, IN LPOVERLAPPED lpOverlapped OPTIONAL); 10 | 11 | BOOL WINAPI XDbgWriteFile(IN HANDLE hFile, IN LPCVOID lpBuffer, IN DWORD nNumberOfBytesToWrite OPTIONAL, 12 | OUT LPDWORD lpNumberOfBytesWritten OPTIONAL, IN LPOVERLAPPED lpOverlapped OPTIONAL); 13 | 14 | DWORD WINAPI XDbgGetCurrentProcessId(); 15 | DWORD WINAPI XDbgGetCurrentThreadId(); 16 | 17 | DWORD WINAPI XDbgSuspendThread(IN HANDLE hThread); 18 | DWORD WINAPI XDbgResumeThread(IN HANDLE hThread); 19 | HANDLE WINAPI XDbgGetCurrentProcess(); 20 | HANDLE WINAPI XDbgGetCurrentThread(); 21 | BOOL WINAPI XDbgCloseHandle(HANDLE hObj); -------------------------------------------------------------------------------- /XDbgController.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/XDbgController.cpp -------------------------------------------------------------------------------- /XDbgController.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "common.h" 4 | #include "ThreadMgr.h" 5 | 6 | class XDbgController // : public ThreadMgr 7 | { 8 | public: 9 | static XDbgController& instance() 10 | { 11 | static XDbgController inst; 12 | return inst; 13 | } 14 | 15 | bool initialize(HMODULE hInst, bool hookDbgApi); 16 | bool attach(DWORD pid, BOOL createProcess, DWORD tid = 0); 17 | bool stop(DWORD pid); 18 | bool waitEvent(LPDEBUG_EVENT lpDebugEvent, DWORD dwMilliseconds = INFINITE); 19 | bool continueEvent(DWORD dwProcessId, DWORD dwThreadId, DWORD dwContinueStatus); 20 | bool continueAttachEvent(DWORD dwProcessId, DWORD dwThreadId, DWORD dwContinueStatus, 21 | const DbgAttachArgs& args); 22 | 23 | bool connectRemoteApi(DWORD pid); 24 | void disconnectRemoteApi(); 25 | HANDLE getProcessHandle() const 26 | { 27 | return _hProcess; 28 | } 29 | 30 | bool setThreadContext(HANDLE hThread, const CONTEXT* ctx); 31 | bool getThreadContext(HANDLE hThread, CONTEXT* ctx); 32 | 33 | void* allocMemroy(size_t size, DWORD allocType, DWORD protect); 34 | bool freeMemory(LPVOID lpAddress, size_t dwSize, DWORD dwFreeType); 35 | bool setMemoryProtection(LPVOID lpAddress, size_t dwSize, DWORD flNewProtect, PDWORD lpflOldProtect); 36 | size_t queryMemory(LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, size_t dwLength); 37 | bool readMemory(LPCVOID lpBaseAddress, PVOID lpBuffer, size_t nSize, size_t * lpNumberOfBytesRead); 38 | bool writeMemory(LPVOID lpBaseAddress, LPCVOID lpBuffer, size_t nSize, size_t * lpNumberOfBytesWritten); 39 | DWORD suspendThread(HANDLE hThread); 40 | DWORD resumeThread(HANDLE hThread); 41 | DWORD getModuleFileName(HMODULE hMod, wchar_t* fileName, DWORD len); 42 | bool debugBreak(); 43 | HANDLE createRemoteThread(LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, 44 | LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, 45 | LPDWORD lpThreadId); 46 | 47 | DWORD getEventCode() const 48 | { 49 | return _event.event.dwDebugEventCode; 50 | } 51 | 52 | DWORD getEventProcessId() const 53 | { 54 | return _event.event.dwProcessId; 55 | } 56 | 57 | DWORD getEventThreadId() const 58 | { 59 | return _event.event.dwThreadId; 60 | } 61 | 62 | DWORD getExceptCode() const 63 | { 64 | if (_event.event.dwDebugEventCode == EXCEPTION_DEBUG_EVENT) { 65 | return _event.event.u.Exception.ExceptionRecord.ExceptionCode; 66 | } 67 | 68 | return 0; 69 | } 70 | 71 | ULONG getExceptAddress() const 72 | { 73 | if (_event.event.dwDebugEventCode == EXCEPTION_DEBUG_EVENT) { 74 | return (ULONG )_event.event.u.Exception.ExceptionRecord.ExceptionAddress; 75 | } 76 | 77 | return 0; 78 | } 79 | 80 | HMODULE getModuleHandle() const 81 | { 82 | return _hInst; 83 | } 84 | 85 | DWORD getContextFlags() const 86 | { 87 | return _ContextFlags; 88 | } 89 | 90 | DWORD getProcessId() const 91 | { 92 | return _pid; 93 | } 94 | 95 | static BOOL injectDll(DWORD pid, HMODULE hInst); 96 | 97 | bool isDebugging() const 98 | { 99 | return _hPipe != INVALID_HANDLE_VALUE; 100 | } 101 | 102 | bool isRemoteApi() const 103 | { 104 | return _hApiPipe != INVALID_HANDLE_VALUE; 105 | } 106 | 107 | protected: 108 | void resetDbgEvent() 109 | { 110 | memset(&_event, 0, sizeof(_event)); 111 | _ContextFlags = 0; 112 | } 113 | 114 | bool hookDbgApi(); 115 | 116 | HANDLE connectPipe(const std::string& name); 117 | bool connectInferior(DWORD pid); 118 | void disconnectInferior(); 119 | 120 | BOOL sendApiCall(const ApiCallPacket& outPkt); 121 | BOOL sendApiCall(const ApiCallPacket& outPkt, ApiReturnPakcet& inPkt); 122 | BOOL recvApiReturn(ApiReturnPakcet& inPkt); 123 | 124 | bool _setThreadContext(DWORD threadId, HANDLE hThread, const CONTEXT* ctx); 125 | bool _getThreadContext(DWORD threadId, HANDLE hThread, CONTEXT* ctx); 126 | 127 | private: 128 | XDbgController(void); 129 | ~XDbgController(void); 130 | 131 | protected: 132 | HANDLE _hPipe; 133 | volatile DWORD _pid; 134 | OVERLAPPED _overlap; 135 | bool _pending; 136 | HANDLE _hProcess; 137 | DebugEventPacket _event; 138 | HMODULE _hInst; 139 | DWORD _ContextFlags; 140 | HANDLE _hApiPipe; 141 | Mutex _apiMutex; // ensuring remote-API is atomic 142 | }; 143 | 144 | class AutoDebug 145 | { 146 | public: 147 | virtual bool peekDebugEvent(LPDEBUG_EVENT event, DWORD* continueStatus) = 0; 148 | }; 149 | 150 | void registerAutoDebugHandler(AutoDebug* handler); 151 | -------------------------------------------------------------------------------- /XDbgProxy.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/XDbgProxy.h -------------------------------------------------------------------------------- /common.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "common.h" 3 | 4 | -------------------------------------------------------------------------------- /common.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | static inline std::string makePipeName(DWORD pid) 5 | { 6 | char buf[256]; 7 | sprintf_s(buf, "\\\\.\\pipe\\__XDBG__%u__", pid); 8 | return buf; 9 | } 10 | 11 | static inline std::string makeApiPipeName(DWORD pid) 12 | { 13 | char buf[256]; 14 | sprintf_s(buf, "\\\\.\\pipe\\__XDBGAPI__%u__", pid); 15 | return buf; 16 | } 17 | 18 | #define EVENT_MESSAGE_SIZE sizeof(DebugEventPacket) 19 | #define CONTINUE_MESSAGE_SIZE sizeof(DebugAckPacket) 20 | 21 | struct DebugEventPacket { 22 | struct { 23 | DEBUG_EVENT event; 24 | union { 25 | CONTEXT ctx; 26 | // ANOTHER MEMBER; 27 | }; 28 | }; 29 | }; 30 | 31 | struct DbgAttachArgs { 32 | UINT32 ignore_dbgstr; 33 | UINT32 inject_method; 34 | BOOL createProcess; 35 | UINT32 simu_attach_bp; 36 | }; 37 | 38 | struct DebugAckPacket { 39 | struct { 40 | DWORD dwProcessId; 41 | DWORD dwThreadId; 42 | DWORD dwContinueStatus; 43 | union { 44 | struct { 45 | CONTEXT ctx; 46 | DWORD ContextFlags; 47 | }; 48 | 49 | // ANOTHER MEMBER; 50 | DbgAttachArgs args; 51 | }; 52 | }; 53 | }; 54 | 55 | #define SINGLE_STEP_FLAG 0x100 56 | #define DBG_PRINTEXCEPTION_WIDE_C (0x4001000AL) 57 | 58 | #define ATTACHED_EVENT (RIP_EVENT + 1) 59 | #define LAST_EVENT ATTACHED_EVENT 60 | 61 | ////////////////////////////////////////////////////////////////////////// 62 | // Remote API 63 | #define MAX_MEMORY_BLOCK (1024) 64 | 65 | #define ID_ReadProcessMemory (0x00000001) 66 | #define ID_WriteProcessMemory (0x00000002) 67 | #define ID_SuspendThread (0x00000004) 68 | #define ID_ResumeThread (0x00000008) 69 | #define ID_VirtualQueryEx (0x00000010) 70 | #define ID_GetThreadContext (0x00000020) 71 | #define ID_SetThreadContext (0x00000040) 72 | #define ID_VirtualProtectEx (0x00000080) 73 | #define ID_VirtualAllocEx (0x00000100) 74 | #define ID_VirtualFreeEx (0x00000200) 75 | #define ID_GetModuleFileNameExW (0x00000400) 76 | #define ID_NtQueryInformationProcess (0x00000800) 77 | #define ID_CreateRemoteThread (0x00001000) 78 | #define ID_DuplicateHandle (0x00002000) 79 | #define ID_OpenProcess (0x00004000) 80 | 81 | #define CALL_MESSAGE_SIZE sizeof(ApiCallPacket) 82 | #define RETURN_MESSAGE_SIZE sizeof(ApiReturnPakcet) 83 | 84 | struct ApiCallPacket { 85 | 86 | DWORD apiId; 87 | 88 | union { 89 | struct { 90 | PVOID addr; 91 | SIZE_T size; 92 | } ReadProcessMemory; 93 | 94 | struct { 95 | PVOID addr; 96 | UCHAR buffer[MAX_MEMORY_BLOCK]; 97 | SIZE_T size; 98 | } WriteProcessMemory; 99 | 100 | struct { 101 | DWORD threadId; 102 | } SuspendThread; 103 | 104 | struct { 105 | DWORD threadId; 106 | } ResumeThread; 107 | 108 | struct { 109 | PVOID addr; 110 | } VirtualQueryEx; 111 | 112 | struct { 113 | DWORD threadId; 114 | DWORD contextFlags; 115 | } GetThreadContext; 116 | 117 | struct { 118 | DWORD threadId; 119 | CONTEXT ctx; 120 | } SetThreadContext; 121 | 122 | struct { 123 | PVOID addr; 124 | SIZE_T size; 125 | DWORD prot; 126 | } VirtualProtectEx; 127 | 128 | struct { 129 | PVOID addr; 130 | SIZE_T size; 131 | DWORD type; 132 | DWORD prot; 133 | } VirtualAllocEx; 134 | 135 | struct { 136 | PVOID addr; 137 | SIZE_T size; 138 | DWORD type; 139 | } VirtualFreeEx; 140 | 141 | struct { 142 | HMODULE hMod; 143 | } _GetModuleFileNameExW; 144 | 145 | struct { 146 | LPSECURITY_ATTRIBUTES lpThreadAttributes; 147 | SIZE_T dwStackSize; 148 | LPTHREAD_START_ROUTINE lpStartAddress; 149 | LPVOID lpParameter; 150 | DWORD dwCreationFlags; 151 | } CreateRemoteThread; 152 | }; 153 | }; 154 | 155 | struct ApiReturnPakcet { 156 | 157 | DWORD lastError; 158 | union { 159 | struct { 160 | BOOL result; 161 | UCHAR buffer[MAX_MEMORY_BLOCK]; 162 | SIZE_T size; 163 | } ReadProcessMemory; 164 | 165 | struct { 166 | BOOL result; 167 | SIZE_T writtenSize; 168 | } WriteProcessMemory; 169 | 170 | struct { 171 | DWORD result; 172 | } SuspendThread; 173 | 174 | struct { 175 | DWORD result; 176 | } ResumeThread; 177 | 178 | struct { 179 | SIZE_T result; 180 | MEMORY_BASIC_INFORMATION memInfo; 181 | } VirtualQueryEx; 182 | 183 | struct { 184 | BOOL result; 185 | CONTEXT ctx; 186 | } GetThreadContext; 187 | 188 | struct { 189 | BOOL result; 190 | } SetThreadContext; 191 | 192 | struct { 193 | BOOL result; 194 | DWORD oldProt; 195 | } VirtualProtectEx; 196 | 197 | struct { 198 | PVOID result; 199 | } VirtualAllocEx; 200 | 201 | struct { 202 | BOOL result; 203 | } VirtualFreeEx; 204 | 205 | struct { 206 | wchar_t fileName[MAX_PATH]; 207 | DWORD result; 208 | } _GetModuleFileNameExW; 209 | 210 | struct { 211 | HANDLE result; 212 | DWORD threadId; 213 | } CreateRemoteThread; 214 | }; 215 | }; 216 | 217 | ////////////////////////////////////////////////////////////////////////// 218 | -------------------------------------------------------------------------------- /debugee.cpp: -------------------------------------------------------------------------------- 1 | // debugee.cpp : Defines the entry point for the console application. 2 | // 3 | #include 4 | #include 5 | #include "XDbgProxy.h" 6 | 7 | int _tmain(int argc, _TCHAR* argv[]) 8 | { 9 | LoadLibrary("xdbgcore.dll"); 10 | /* XDbgProxy::instance().DllMain(GetModuleHandle(NULL), DLL_PROCESS_ATTACH, NULL); 11 | 12 | if (!XDbgProxy::instance().initialize()) { 13 | return -1; 14 | } */ 15 | 16 | // Sleep(10000); 17 | //__try { 18 | int* p = NULL; 19 | *p = 10; 20 | DebugBreak(); 21 | return 0; 22 | Sleep(10000); 23 | //} __except (EXCEPTION_EXECUTE_HANDLER) { 24 | printf("aaaa\n"); 25 | //} 26 | // OutputDebugString("test"); 27 | __try { 28 | //int* p = NULL; 29 | //*p = 10; 30 | OutputDebugString("test\n"); 31 | } __except(EXCEPTION_EXECUTE_HANDLER) { 32 | 33 | } 34 | 35 | return 0; 36 | } 37 | 38 | -------------------------------------------------------------------------------- /debugee.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {201B4863-DC85-4848-B019-8039ECC0863F} 15 | Win32Proj 16 | debugee 17 | 18 | 19 | 20 | Application 21 | true 22 | v120 23 | MultiByte 24 | 25 | 26 | Application 27 | false 28 | true 29 | MultiByte 30 | v120 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | true 44 | false 45 | 46 | 47 | false 48 | 49 | 50 | 51 | 52 | 53 | Level3 54 | Disabled 55 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 56 | 57 | 58 | Console 59 | true 60 | 61 | 62 | 63 | 64 | Level3 65 | 66 | 67 | MaxSpeed 68 | true 69 | true 70 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 71 | 72 | 73 | Console 74 | true 75 | true 76 | true 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | NotUsing 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | -------------------------------------------------------------------------------- /detver.h: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Common version parameters. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0 Build_302. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #define VER_FILEFLAGSMASK 0x3fL 11 | #define VER_FILEFLAGS 0x0L 12 | #define VER_FILEOS 0x00040004L 13 | #define VER_FILETYPE 0x00000002L 14 | #define VER_FILESUBTYPE 0x00000000L 15 | -------------------------------------------------------------------------------- /launcher.cpp: -------------------------------------------------------------------------------- 1 | // launcher.cpp : Defines the entry point for the console application. 2 | // 3 | #include 4 | #include 5 | #include "detours.h" 6 | #include 7 | 8 | 9 | void EnableDebugPrivilege() 10 | { 11 | 12 | HANDLE Token; 13 | TOKEN_PRIVILEGES tp; 14 | if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &Token)) 15 | { 16 | LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); 17 | tp.PrivilegeCount = 1; 18 | tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 19 | AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL); 20 | } 21 | } 22 | 23 | bool LoadRemoteDll(DWORD pid, const char* dllPath) 24 | { 25 | HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); 26 | 27 | if (hProc == NULL) 28 | return false; 29 | 30 | PVOID p = VirtualAllocEx(hProc, NULL, strlen(dllPath) + 1, MEM_COMMIT, PAGE_READWRITE); 31 | DWORD l; 32 | BOOL r = WriteProcessMemory(hProc, p, dllPath, strlen(dllPath) + 1, &l); 33 | 34 | if (!r) { 35 | 36 | VirtualFreeEx(hProc, p, strlen(dllPath) + 1, MEM_RELEASE); 37 | return false; 38 | } 39 | 40 | HANDLE hThread = CreateRemoteThread(hProc, NULL, 0, 41 | (LPTHREAD_START_ROUTINE )GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA"), 42 | p, 0, &l); 43 | 44 | VirtualFreeEx(hProc, p, strlen(dllPath) + 1, MEM_RELEASE); 45 | 46 | if (hThread == NULL) { 47 | 48 | return false; 49 | } 50 | 51 | WaitForSingleObject(hThread, INFINITE); 52 | GetExitCodeThread(hThread, &l); 53 | CloseHandle(hThread); 54 | return l != 0; 55 | } 56 | 57 | int _tmain(int argc, _TCHAR* argv[]) 58 | { 59 | // EnableDebugPrivilege(); 60 | // LoadRemoteDll(5804, "xdbgcore.dll"); 61 | STARTUPINFO si; 62 | memset(&si, 0, sizeof(si)); 63 | si.cb = sizeof(si); 64 | 65 | PROCESS_INFORMATION pi; 66 | 67 | if (!DetourCreateProcessWithDll(NULL, argv[1], NULL, NULL, FALSE, 0, NULL, NULL, 68 | &si, &pi, "xdbgcore.dll", NULL)) { 69 | 70 | printf("failed!\n"); 71 | } 72 | 73 | return 0; 74 | } 75 | 76 | -------------------------------------------------------------------------------- /launcher.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {1B84D79B-83FF-479E-B3CE-A113613A0FD6} 15 | Win32Proj 16 | launcher 17 | 18 | 19 | 20 | Application 21 | true 22 | v120 23 | NotSet 24 | 25 | 26 | Application 27 | false 28 | v120 29 | true 30 | Unicode 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | true 44 | 45 | 46 | false 47 | 48 | 49 | 50 | NotUsing 51 | Level3 52 | Disabled 53 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 54 | 55 | 56 | Console 57 | true 58 | 59 | 60 | 61 | 62 | Level3 63 | 64 | 65 | MaxSpeed 66 | true 67 | true 68 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 69 | 70 | 71 | Console 72 | true 73 | true 74 | true 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | -------------------------------------------------------------------------------- /note.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/note.txt -------------------------------------------------------------------------------- /pluginsdk/DeviceNameResolver/DeviceNameResolver.h: -------------------------------------------------------------------------------- 1 | #ifndef _DEVICENAMERESOLVER_H 2 | #define _DEVICENAMERESOLVER_H 3 | 4 | #include 5 | 6 | #ifdef __cplusplus 7 | extern "C" 8 | { 9 | #endif 10 | 11 | __declspec(dllexport) bool DevicePathToPathW(const wchar_t* szDevicePath, wchar_t* szPath, size_t nSize); 12 | __declspec(dllexport) bool DevicePathToPathA(const char* szDevicePath, char* szPath, size_t nSize); 13 | __declspec(dllexport) bool DevicePathFromFileHandleW(HANDLE hFile, wchar_t* szDevicePath, size_t nSize); 14 | __declspec(dllexport) bool DevicePathFromFileHandleA(HANDLE hFile, char* szDevicePath, size_t nSize); 15 | __declspec(dllexport) bool PathFromFileHandleW(HANDLE hFile, wchar_t* szPath, size_t nSize); 16 | __declspec(dllexport) bool PathFromFileHandleA(HANDLE hFile, char* szPath, size_t nSize); 17 | 18 | #ifdef __cplusplus 19 | } 20 | #endif 21 | 22 | #endif // _DEVICENAMERESOLVER_H 23 | -------------------------------------------------------------------------------- /pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.a -------------------------------------------------------------------------------- /pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.lib -------------------------------------------------------------------------------- /pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.a -------------------------------------------------------------------------------- /pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.lib -------------------------------------------------------------------------------- /pluginsdk/TitanEngine/TitanEngine_x64.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/TitanEngine/TitanEngine_x64.a -------------------------------------------------------------------------------- /pluginsdk/TitanEngine/TitanEngine_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/TitanEngine/TitanEngine_x64.lib -------------------------------------------------------------------------------- /pluginsdk/TitanEngine/TitanEngine_x86.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/TitanEngine/TitanEngine_x86.a -------------------------------------------------------------------------------- /pluginsdk/TitanEngine/TitanEngine_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/TitanEngine/TitanEngine_x86.lib -------------------------------------------------------------------------------- /pluginsdk/XEDParse/XEDParse.h: -------------------------------------------------------------------------------- 1 | #ifndef _XEDPARSE_H 2 | #define _XEDPARSE_H 3 | 4 | #include 5 | 6 | //XEDParse defines 7 | #ifdef XEDPARSE_BUILD 8 | #define XEDPARSE_EXPORT __declspec(dllexport) 9 | #else 10 | #define XEDPARSE_EXPORT __declspec(dllimport) 11 | #endif //XEDPARSE_BUILD 12 | 13 | #define XEDPARSE_CALL //calling convention 14 | 15 | #define XEDPARSE_MAXBUFSIZE 256 16 | #define XEDPARSE_MAXASMSIZE 16 17 | 18 | //typedefs 19 | typedef bool (XEDPARSE_CALL* CBXEDPARSE_UNKNOWN)(const char* text, ULONGLONG* value); 20 | 21 | //XEDParse enums 22 | enum XEDPARSE_STATUS 23 | { 24 | XEDPARSE_ERROR = 0, 25 | XEDPARSE_OK = 1 26 | }; 27 | 28 | //XEDParse structs 29 | #pragma pack(push,8) 30 | struct XEDPARSE 31 | { 32 | bool x64; // use 64-bit instructions 33 | ULONGLONG cip; //instruction pointer (for relative addressing) 34 | unsigned int dest_size; //destination size (returned by XEDParse) 35 | CBXEDPARSE_UNKNOWN cbUnknown; //unknown operand callback 36 | unsigned char dest[XEDPARSE_MAXASMSIZE]; //destination buffer 37 | char instr[XEDPARSE_MAXBUFSIZE]; //instruction text 38 | char error[XEDPARSE_MAXBUFSIZE]; //error text (in case of an error) 39 | }; 40 | #pragma pack(pop) 41 | 42 | #ifdef __cplusplus 43 | extern "C" 44 | { 45 | #endif 46 | 47 | XEDPARSE_EXPORT XEDPARSE_STATUS XEDPARSE_CALL XEDParseAssemble(XEDPARSE* XEDParse); 48 | 49 | #ifdef __cplusplus 50 | } 51 | #endif 52 | 53 | #endif // _XEDPARSE_H 54 | -------------------------------------------------------------------------------- /pluginsdk/XEDParse/XEDParse_x64.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/XEDParse/XEDParse_x64.a -------------------------------------------------------------------------------- /pluginsdk/XEDParse/XEDParse_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/XEDParse/XEDParse_x64.lib -------------------------------------------------------------------------------- /pluginsdk/XEDParse/XEDParse_x86.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/XEDParse/XEDParse_x86.a -------------------------------------------------------------------------------- /pluginsdk/XEDParse/XEDParse_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/XEDParse/XEDParse_x86.lib -------------------------------------------------------------------------------- /pluginsdk/_dbgfunctions.h: -------------------------------------------------------------------------------- 1 | #ifndef _DBGFUNCTIONS_H 2 | #define _DBGFUNCTIONS_H 3 | 4 | #ifndef __cplusplus 5 | #include 6 | #endif 7 | 8 | typedef struct 9 | { 10 | char mod[MAX_MODULE_SIZE]; 11 | duint addr; 12 | unsigned char oldbyte; 13 | unsigned char newbyte; 14 | } DBGPATCHINFO; 15 | 16 | typedef struct 17 | { 18 | duint addr; 19 | duint from; 20 | duint to; 21 | char comment[MAX_COMMENT_SIZE]; 22 | } DBGCALLSTACKENTRY; 23 | 24 | typedef struct 25 | { 26 | int total; 27 | DBGCALLSTACKENTRY* entries; 28 | } DBGCALLSTACK; 29 | 30 | typedef struct 31 | { 32 | DWORD dwProcessId; 33 | char szExeFile[MAX_PATH]; 34 | } DBGPROCESSINFO; 35 | 36 | typedef bool (*ASSEMBLEATEX)(duint addr, const char* instruction, char* error, bool fillnop); 37 | typedef bool (*SECTIONFROMADDR)(duint addr, char* section); 38 | typedef bool (*MODNAMEFROMADDR)(duint addr, char* modname, bool extension); 39 | typedef duint(*MODBASEFROMADDR)(duint addr); 40 | typedef duint(*MODBASEFROMNAME)(const char* modname); 41 | typedef duint(*MODSIZEFROMADDR)(duint addr); 42 | typedef bool (*ASSEMBLE)(duint addr, unsigned char* dest, int* size, const char* instruction, char* error); 43 | typedef bool (*PATCHGET)(duint addr); 44 | typedef bool (*PATCHINRANGE)(duint start, duint end); 45 | typedef bool (*MEMPATCH)(duint va, const unsigned char* src, duint size); 46 | typedef void (*PATCHRESTORERANGE)(duint start, duint end); 47 | typedef bool (*PATCHENUM)(DBGPATCHINFO* patchlist, size_t* cbsize); 48 | typedef bool (*PATCHRESTORE)(duint addr); 49 | typedef int (*PATCHFILE)(DBGPATCHINFO* patchlist, int count, const char* szFileName, char* error); 50 | typedef int (*MODPATHFROMADDR)(duint addr, char* path, int size); 51 | typedef int (*MODPATHFROMNAME)(const char* modname, char* path, int size); 52 | typedef bool (*DISASMFAST)(const unsigned char* data, duint addr, BASIC_INSTRUCTION_INFO* basicinfo); 53 | typedef void (*MEMUPDATEMAP)(); 54 | typedef void (*GETCALLSTACK)(DBGCALLSTACK* callstack); 55 | typedef void (*SYMBOLDOWNLOADALLSYMBOLS)(const char* szSymbolStore); 56 | typedef bool (*GETJIT)(char* jit, bool x64); 57 | typedef bool (*GETJITAUTO)(bool* jitauto); 58 | typedef bool (*GETDEFJIT)(char* defjit); 59 | typedef bool (*GETPROCESSLIST)(DBGPROCESSINFO** entries, int* count); 60 | typedef bool (*GETPAGERIGHTS)(duint addr, char* rights); 61 | typedef bool (*SETPAGERIGHTS)(duint addr, const char* rights); 62 | typedef bool (*PAGERIGHTSTOSTRING)(DWORD protect, char* rights); 63 | typedef bool (*ISPROCESSELEVATED)(); 64 | typedef bool (*GETCMDLINE)(char* cmdline, size_t* cbsize); 65 | typedef bool (*SETCMDLINE)(const char* cmdline); 66 | typedef duint(*FILEOFFSETTOVA)(const char* modname, duint offset); 67 | typedef duint(*VATOFILEOFFSET)(duint va); 68 | typedef duint(*GETADDRFROMLINE)(const char* szSourceFile, int line); 69 | typedef bool (*GETSOURCEFROMADDR)(duint addr, char* szSourceFile, int* line); 70 | typedef bool (*VALFROMSTRING)(const char* string, duint* value); 71 | typedef bool(*PATCHGETEX)(duint addr, DBGPATCHINFO* info); 72 | 73 | typedef struct DBGFUNCTIONS_ 74 | { 75 | ASSEMBLEATEX AssembleAtEx; 76 | SECTIONFROMADDR SectionFromAddr; 77 | MODNAMEFROMADDR ModNameFromAddr; 78 | MODBASEFROMADDR ModBaseFromAddr; 79 | MODBASEFROMNAME ModBaseFromName; 80 | MODSIZEFROMADDR ModSizeFromAddr; 81 | ASSEMBLE Assemble; 82 | PATCHGET PatchGet; 83 | PATCHINRANGE PatchInRange; 84 | MEMPATCH MemPatch; 85 | PATCHRESTORERANGE PatchRestoreRange; 86 | PATCHENUM PatchEnum; 87 | PATCHRESTORE PatchRestore; 88 | PATCHFILE PatchFile; 89 | MODPATHFROMADDR ModPathFromAddr; 90 | MODPATHFROMNAME ModPathFromName; 91 | DISASMFAST DisasmFast; 92 | MEMUPDATEMAP MemUpdateMap; 93 | GETCALLSTACK GetCallStack; 94 | SYMBOLDOWNLOADALLSYMBOLS SymbolDownloadAllSymbols; 95 | GETJITAUTO GetJitAuto; 96 | GETJIT GetJit; 97 | GETDEFJIT GetDefJit; 98 | GETPROCESSLIST GetProcessList; 99 | GETPAGERIGHTS GetPageRights; 100 | SETPAGERIGHTS SetPageRights; 101 | PAGERIGHTSTOSTRING PageRightsToString; 102 | ISPROCESSELEVATED IsProcessElevated; 103 | GETCMDLINE GetCmdline; 104 | SETCMDLINE SetCmdline; 105 | FILEOFFSETTOVA FileOffsetToVa; 106 | VATOFILEOFFSET VaToFileOffset; 107 | GETADDRFROMLINE GetAddrFromLine; 108 | GETSOURCEFROMADDR GetSourceFromAddr; 109 | VALFROMSTRING ValFromString; 110 | PATCHGETEX PatchGetEx; 111 | } DBGFUNCTIONS; 112 | 113 | #ifdef BUILD_DBG 114 | 115 | const DBGFUNCTIONS* dbgfunctionsget(); 116 | void dbgfunctionsinit(); 117 | 118 | #endif //BUILD_DBG 119 | 120 | #endif //_DBGFUNCTIONS_H 121 | -------------------------------------------------------------------------------- /pluginsdk/_plugin_types.h: -------------------------------------------------------------------------------- 1 | #ifndef _PLUGIN_DATA_H 2 | #define _PLUGIN_DATA_H 3 | 4 | #ifdef BUILD_DBG 5 | 6 | #include "_global.h" 7 | 8 | #else 9 | 10 | #ifdef __GNUC__ 11 | #include "dbghelp\dbghelp.h" 12 | #else 13 | #include 14 | #endif // __GNUC__ 15 | 16 | #ifndef deflen 17 | #define deflen 1024 18 | #endif // deflen 19 | 20 | #include "bridgemain.h" 21 | #include "_dbgfunctions.h" 22 | 23 | #endif // BUILD_DBG 24 | 25 | #endif // _PLUGIN_DATA_H 26 | -------------------------------------------------------------------------------- /pluginsdk/_plugins.h: -------------------------------------------------------------------------------- 1 | #ifndef _PLUGINS_H 2 | #define _PLUGINS_H 3 | 4 | #ifndef __cplusplus 5 | #include 6 | #endif 7 | 8 | #ifndef PLUG_IMPEXP 9 | #ifdef BUILD_DBG 10 | #define PLUG_IMPEXP __declspec(dllexport) 11 | #else 12 | #define PLUG_IMPEXP __declspec(dllimport) 13 | #endif //BUILD_DBG 14 | #endif //PLUG_IMPEXP 15 | 16 | #include "_plugin_types.h" 17 | 18 | //default structure alignments forced 19 | #ifdef _WIN64 20 | #pragma pack(push, 16) 21 | #else //x86 22 | #pragma pack(push, 8) 23 | #endif //_WIN64 24 | 25 | //defines 26 | #define PLUG_SDKVERSION 1 27 | 28 | //structures 29 | typedef struct 30 | { 31 | //provided by the debugger 32 | int pluginHandle; 33 | //provided by the pluginit function 34 | int sdkVersion; 35 | int pluginVersion; 36 | char pluginName[256]; 37 | } PLUG_INITSTRUCT; 38 | 39 | typedef struct 40 | { 41 | //provided by the debugger 42 | HWND hwndDlg; //gui window handle 43 | int hMenu; //plugin menu handle 44 | int hMenuDisasm; //plugin disasm menu handle 45 | int hMenuDump; //plugin dump menu handle 46 | int hMenuStack; //plugin stack menu handle 47 | } PLUG_SETUPSTRUCT; 48 | 49 | typedef struct 50 | { 51 | void* data; //user data 52 | } PLUG_SCRIPTSTRUCT; 53 | 54 | //callback structures 55 | typedef struct 56 | { 57 | const char* szFileName; 58 | } PLUG_CB_INITDEBUG; 59 | 60 | typedef struct 61 | { 62 | void* reserved; 63 | } PLUG_CB_STOPDEBUG; 64 | 65 | typedef struct 66 | { 67 | CREATE_PROCESS_DEBUG_INFO* CreateProcessInfo; 68 | IMAGEHLP_MODULE64* modInfo; 69 | const char* DebugFileName; 70 | PROCESS_INFORMATION* fdProcessInfo; 71 | } PLUG_CB_CREATEPROCESS; 72 | 73 | typedef struct 74 | { 75 | EXIT_PROCESS_DEBUG_INFO* ExitProcess; 76 | } PLUG_CB_EXITPROCESS; 77 | 78 | typedef struct 79 | { 80 | CREATE_THREAD_DEBUG_INFO* CreateThread; 81 | DWORD dwThreadId; 82 | } PLUG_CB_CREATETHREAD; 83 | 84 | typedef struct 85 | { 86 | EXIT_THREAD_DEBUG_INFO* ExitThread; 87 | DWORD dwThreadId; 88 | } PLUG_CB_EXITTHREAD; 89 | 90 | typedef struct 91 | { 92 | void* reserved; 93 | } PLUG_CB_SYSTEMBREAKPOINT; 94 | 95 | typedef struct 96 | { 97 | LOAD_DLL_DEBUG_INFO* LoadDll; 98 | IMAGEHLP_MODULE64* modInfo; 99 | const char* modname; 100 | } PLUG_CB_LOADDLL; 101 | 102 | typedef struct 103 | { 104 | UNLOAD_DLL_DEBUG_INFO* UnloadDll; 105 | } PLUG_CB_UNLOADDLL; 106 | 107 | typedef struct 108 | { 109 | OUTPUT_DEBUG_STRING_INFO* DebugString; 110 | } PLUG_CB_OUTPUTDEBUGSTRING; 111 | 112 | typedef struct 113 | { 114 | EXCEPTION_DEBUG_INFO* Exception; 115 | } PLUG_CB_EXCEPTION; 116 | 117 | typedef struct 118 | { 119 | BRIDGEBP* breakpoint; 120 | } PLUG_CB_BREAKPOINT; 121 | 122 | typedef struct 123 | { 124 | void* reserved; 125 | } PLUG_CB_PAUSEDEBUG; 126 | 127 | typedef struct 128 | { 129 | void* reserved; 130 | } PLUG_CB_RESUMEDEBUG; 131 | 132 | typedef struct 133 | { 134 | void* reserved; 135 | } PLUG_CB_STEPPED; 136 | 137 | typedef struct 138 | { 139 | DWORD dwProcessId; 140 | } PLUG_CB_ATTACH; 141 | 142 | typedef struct 143 | { 144 | PROCESS_INFORMATION* fdProcessInfo; 145 | } PLUG_CB_DETACH; 146 | 147 | typedef struct 148 | { 149 | DEBUG_EVENT* DebugEvent; 150 | } PLUG_CB_DEBUGEVENT; 151 | 152 | typedef struct 153 | { 154 | int hEntry; 155 | } PLUG_CB_MENUENTRY; 156 | 157 | typedef struct 158 | { 159 | MSG* message; 160 | long* result; 161 | bool retval; 162 | } PLUG_CB_WINEVENT; 163 | 164 | typedef struct 165 | { 166 | MSG* message; 167 | bool retval; 168 | } PLUG_CB_WINEVENTGLOBAL; 169 | 170 | //enums 171 | typedef enum 172 | { 173 | CB_INITDEBUG, //PLUG_CB_INITDEBUG 174 | CB_STOPDEBUG, //PLUG_CB_STOPDEBUG 175 | CB_CREATEPROCESS, //PLUG_CB_CREATEPROCESS 176 | CB_EXITPROCESS, //PLUG_CB_EXITPROCESS 177 | CB_CREATETHREAD, //PLUG_CB_CREATETHREAD 178 | CB_EXITTHREAD, //PLUG_CB_EXITTHREAD 179 | CB_SYSTEMBREAKPOINT, //PLUG_CB_SYSTEMBREAKPOINT 180 | CB_LOADDLL, //PLUG_CB_LOADDLL 181 | CB_UNLOADDLL, //PLUG_CB_UNLOADDLL 182 | CB_OUTPUTDEBUGSTRING, //PLUG_CB_OUTPUTDEBUGSTRING 183 | CB_EXCEPTION, //PLUG_CB_EXCEPTION 184 | CB_BREAKPOINT, //PLUG_CB_BREAKPOINT 185 | CB_PAUSEDEBUG, //PLUG_CB_PAUSEDEBUG 186 | CB_RESUMEDEBUG, //PLUG_CB_RESUMEDEBUG 187 | CB_STEPPED, //PLUG_CB_STEPPED 188 | CB_ATTACH, //PLUG_CB_ATTACHED (before attaching, after CB_INITDEBUG) 189 | CB_DETACH, //PLUG_CB_DETACH (before detaching, before CB_STOPDEBUG) 190 | CB_DEBUGEVENT, //PLUG_CB_DEBUGEVENT (called on any debug event) 191 | CB_MENUENTRY, //PLUG_CB_MENUENTRY 192 | CB_WINEVENT, //PLUG_CB_WINEVENT 193 | CB_WINEVENTGLOBAL //PLUG_CB_WINEVENTGLOBAL 194 | } CBTYPE; 195 | 196 | //typedefs 197 | typedef void (*CBPLUGIN)(CBTYPE cbType, void* callbackInfo); 198 | typedef bool (*CBPLUGINCOMMAND)(int, char**); 199 | typedef void (*CBPLUGINSCRIPT)(); 200 | 201 | //exports 202 | #ifdef __cplusplus 203 | extern "C" 204 | { 205 | #endif 206 | 207 | PLUG_IMPEXP void _plugin_registercallback(int pluginHandle, CBTYPE cbType, CBPLUGIN cbPlugin); 208 | PLUG_IMPEXP bool _plugin_unregistercallback(int pluginHandle, CBTYPE cbType); 209 | PLUG_IMPEXP bool _plugin_registercommand(int pluginHandle, const char* command, CBPLUGINCOMMAND cbCommand, bool debugonly); 210 | PLUG_IMPEXP bool _plugin_unregistercommand(int pluginHandle, const char* command); 211 | PLUG_IMPEXP void _plugin_logprintf(const char* format, ...); 212 | PLUG_IMPEXP void _plugin_logputs(const char* text); 213 | PLUG_IMPEXP void _plugin_debugpause(); 214 | PLUG_IMPEXP void _plugin_debugskipexceptions(bool skip); 215 | PLUG_IMPEXP int _plugin_menuadd(int hMenu, const char* title); 216 | PLUG_IMPEXP bool _plugin_menuaddentry(int hMenu, int hEntry, const char* title); 217 | PLUG_IMPEXP bool _plugin_menuaddseparator(int hMenu); 218 | PLUG_IMPEXP bool _plugin_menuclear(int hMenu); 219 | PLUG_IMPEXP void _plugin_menuseticon(int hMenu, const ICONDATA* icon); 220 | PLUG_IMPEXP void _plugin_menuentryseticon(int pluginHandle, int hEntry, const ICONDATA* icon); 221 | PLUG_IMPEXP void _plugin_startscript(CBPLUGINSCRIPT cbScript); 222 | PLUG_IMPEXP bool _plugin_waituntilpaused(); 223 | 224 | #ifdef __cplusplus 225 | } 226 | #endif 227 | 228 | #pragma pack(pop) 229 | 230 | #endif // _PLUGINS_H 231 | -------------------------------------------------------------------------------- /pluginsdk/_scriptapi.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPT_API_H 2 | #define _SCRIPT_API_H 3 | 4 | #include "_plugins.h" 5 | 6 | #define SCRIPT_EXPORT PLUG_IMPEXP 7 | 8 | #endif //_SCRIPT_API_H -------------------------------------------------------------------------------- /pluginsdk/_scriptapi_assembler.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_ASSEMBLER_H 2 | #define _SCRIPTAPI_ASSEMBLER_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Assembler 9 | { 10 | SCRIPT_EXPORT bool Assemble(duint addr, unsigned char* dest, int* size, const char* instruction); //dest[16] 11 | SCRIPT_EXPORT bool AssembleEx(duint addr, unsigned char* dest, int* size, const char* instruction, char* error); //dest[16], error[MAX_ERROR_SIZE] 12 | SCRIPT_EXPORT bool AssembleMem(duint addr, const char* instruction); 13 | SCRIPT_EXPORT bool AssembleMemEx(duint addr, const char* instruction, int* size, char* error, bool fillnop); //error[MAX_ERROR_SIZE] 14 | }; //Assembler 15 | }; //Script 16 | 17 | #endif //_SCRIPTAPI_ASSEMBLER_H -------------------------------------------------------------------------------- /pluginsdk/_scriptapi_bookmark.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_BOOKMARK_H 2 | #define _SCRIPTAPI_BOOKMARK_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Bookmark 9 | { 10 | struct BookmarkInfo 11 | { 12 | char mod[MAX_MODULE_SIZE]; 13 | duint rva; 14 | bool manual; 15 | }; 16 | 17 | SCRIPT_EXPORT bool Set(duint addr, bool manual = false); 18 | SCRIPT_EXPORT bool Set(const BookmarkInfo* info); 19 | SCRIPT_EXPORT bool Get(duint addr); 20 | SCRIPT_EXPORT bool GetInfo(duint addr, BookmarkInfo* info); 21 | SCRIPT_EXPORT bool Delete(duint addr); 22 | SCRIPT_EXPORT void DeleteRange(duint start, duint end); 23 | SCRIPT_EXPORT void Clear(); 24 | SCRIPT_EXPORT bool GetList(ListOf(BookmarkInfo) list); //caller has the responsibility to free the list 25 | }; //Bookmark 26 | }; //Script 27 | 28 | #endif //_SCRIPTAPI_BOOKMARK_H -------------------------------------------------------------------------------- /pluginsdk/_scriptapi_comment.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_COMMENT_H 2 | #define _SCRIPTAPI_COMMENT_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Comment 9 | { 10 | struct CommentInfo 11 | { 12 | char mod[MAX_MODULE_SIZE]; 13 | duint rva; 14 | char text[MAX_LABEL_SIZE]; 15 | bool manual; 16 | }; 17 | 18 | SCRIPT_EXPORT bool Set(duint addr, const char* text, bool manual = false); 19 | SCRIPT_EXPORT bool Set(const CommentInfo* info); 20 | SCRIPT_EXPORT bool Get(duint addr, char* text); //text[MAX_COMMENT_SIZE] 21 | SCRIPT_EXPORT bool GetInfo(duint addr, CommentInfo* info); 22 | SCRIPT_EXPORT bool Delete(duint addr); 23 | SCRIPT_EXPORT void DeleteRange(duint start, duint end); 24 | SCRIPT_EXPORT void Clear(); 25 | SCRIPT_EXPORT bool GetList(ListOf(CommentInfo) list); //caller has the responsibility to free the list 26 | }; //Comment 27 | }; //Script 28 | 29 | #endif //_SCRIPTAPI_COMMENT_H -------------------------------------------------------------------------------- /pluginsdk/_scriptapi_debug.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_DEBUG_H 2 | #define _SCRIPTAPI_DEBUG_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Debug 9 | { 10 | enum HardwareType 11 | { 12 | HardwareAccess, 13 | HardwareWrite, 14 | HardwareExecute 15 | }; 16 | 17 | SCRIPT_EXPORT void Wait(); 18 | SCRIPT_EXPORT void Run(); 19 | SCRIPT_EXPORT void Pause(); 20 | SCRIPT_EXPORT void Stop(); 21 | SCRIPT_EXPORT void StepIn(); 22 | SCRIPT_EXPORT void StepOver(); 23 | SCRIPT_EXPORT void StepOut(); 24 | SCRIPT_EXPORT bool SetBreakpoint(duint address); 25 | SCRIPT_EXPORT bool DeleteBreakpoint(duint address); 26 | SCRIPT_EXPORT bool SetHardwareBreakpoint(duint address, HardwareType type = HardwareExecute); 27 | SCRIPT_EXPORT bool DeleteHardwareBreakpoint(duint address); 28 | }; //Debug 29 | }; //Script 30 | 31 | #endif //_SCRIPTAPI_DEBUG_H -------------------------------------------------------------------------------- /pluginsdk/_scriptapi_flag.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_FLAG_H 2 | #define _SCRIPTAPI_FLAG_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Flag 9 | { 10 | enum FlagEnum 11 | { 12 | ZF, 13 | OF, 14 | CF, 15 | PF, 16 | SF, 17 | TF, 18 | AF, 19 | DF, 20 | IF 21 | }; 22 | 23 | SCRIPT_EXPORT bool Get(FlagEnum flag); 24 | SCRIPT_EXPORT bool Set(FlagEnum flag, bool value); 25 | 26 | SCRIPT_EXPORT bool GetZF(); 27 | SCRIPT_EXPORT bool SetZF(bool value); 28 | SCRIPT_EXPORT bool GetOF(); 29 | SCRIPT_EXPORT bool SetOF(bool value); 30 | SCRIPT_EXPORT bool GetCF(); 31 | SCRIPT_EXPORT bool SetCF(bool value); 32 | SCRIPT_EXPORT bool GetPF(); 33 | SCRIPT_EXPORT bool SetPF(bool value); 34 | SCRIPT_EXPORT bool GetSF(); 35 | SCRIPT_EXPORT bool SetSF(bool value); 36 | SCRIPT_EXPORT bool GetTF(); 37 | SCRIPT_EXPORT bool SetTF(bool value); 38 | SCRIPT_EXPORT bool GetAF(); 39 | SCRIPT_EXPORT bool SetAF(bool value); 40 | SCRIPT_EXPORT bool GetDF(); 41 | SCRIPT_EXPORT bool SetDF(bool value); 42 | SCRIPT_EXPORT bool GetIF(); 43 | SCRIPT_EXPORT bool SetIF(bool value); 44 | }; 45 | }; 46 | 47 | #endif //_SCRIPTAPI_FLAG_H -------------------------------------------------------------------------------- /pluginsdk/_scriptapi_function.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_FUNCTION_H 2 | #define _SCRIPTAPI_FUNCTION_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Function 9 | { 10 | struct FunctionInfo 11 | { 12 | char mod[MAX_MODULE_SIZE]; 13 | duint rvaStart; 14 | duint rvaEnd; 15 | bool manual; 16 | duint instructioncount; 17 | }; 18 | 19 | SCRIPT_EXPORT bool Add(duint start, duint end, bool manual, duint instructionCount = 0); 20 | SCRIPT_EXPORT bool Add(const FunctionInfo* info); 21 | SCRIPT_EXPORT bool Get(duint addr, duint* start = nullptr, duint* end = nullptr, duint* instructionCount = nullptr); 22 | SCRIPT_EXPORT bool GetInfo(duint addr, FunctionInfo* info); 23 | SCRIPT_EXPORT bool Overlaps(duint start, duint end); 24 | SCRIPT_EXPORT bool Delete(duint address); 25 | SCRIPT_EXPORT void DeleteRange(duint start, duint end); 26 | SCRIPT_EXPORT void Clear(); 27 | SCRIPT_EXPORT bool GetList(ListOf(FunctionInfo) list); //caller has the responsibility to free the list 28 | }; //Function 29 | }; //Script 30 | 31 | #endif //_SCRIPTAPI_FUNCTION_H -------------------------------------------------------------------------------- /pluginsdk/_scriptapi_gui.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_GUI_H 2 | #define _SCRIPTAPI_GUI_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Gui 9 | { 10 | namespace Disassembly 11 | { 12 | SCRIPT_EXPORT bool SelectionGet(duint* start, duint* end); 13 | SCRIPT_EXPORT bool SelectionSet(duint start, duint end); 14 | SCRIPT_EXPORT duint SelectionGetStart(); 15 | SCRIPT_EXPORT duint SelectionGetEnd(); 16 | }; //Disassembly 17 | 18 | namespace Dump 19 | { 20 | SCRIPT_EXPORT bool SelectionGet(duint* start, duint* end); 21 | SCRIPT_EXPORT bool SelectionSet(duint start, duint end); 22 | SCRIPT_EXPORT duint SelectionGetStart(); 23 | SCRIPT_EXPORT duint SelectionGetEnd(); 24 | }; //Dump 25 | 26 | namespace Stack 27 | { 28 | SCRIPT_EXPORT bool SelectionGet(duint* start, duint* end); 29 | SCRIPT_EXPORT bool SelectionSet(duint start, duint end); 30 | SCRIPT_EXPORT duint SelectionGetStart(); 31 | SCRIPT_EXPORT duint SelectionGetEnd(); 32 | }; //Stack 33 | }; //Gui 34 | 35 | namespace Gui 36 | { 37 | enum Window 38 | { 39 | DisassemblyWindow, 40 | DumpWindow, 41 | StackWindow 42 | }; 43 | 44 | SCRIPT_EXPORT bool SelectionGet(Window window, duint* start, duint* end); 45 | SCRIPT_EXPORT bool SelectionSet(Window window, duint start, duint end); 46 | SCRIPT_EXPORT duint SelectionGetStart(Window window); 47 | SCRIPT_EXPORT duint SelectionGetEnd(Window window); 48 | SCRIPT_EXPORT void Message(const char* message); 49 | SCRIPT_EXPORT bool MessageYesNo(const char* message); 50 | SCRIPT_EXPORT bool InputLine(const char* title, char* text); //text[GUI_MAX_LINE_SIZE] 51 | SCRIPT_EXPORT bool InputValue(const char* title, duint* value); 52 | SCRIPT_EXPORT void Refresh(); 53 | SCRIPT_EXPORT void AddQWidgetTab(void* qWidget); 54 | SCRIPT_EXPORT void ShowQWidgetTab(void* qWidget); 55 | SCRIPT_EXPORT void CloseQWidgetTab(void* qWidget); 56 | 57 | }; //Gui 58 | }; //Script 59 | 60 | #endif //_SCRIPTAPI_GUI_H -------------------------------------------------------------------------------- /pluginsdk/_scriptapi_label.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_LABEL_H 2 | #define _SCRIPTAPI_LABEL_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Label 9 | { 10 | struct LabelInfo 11 | { 12 | char mod[MAX_MODULE_SIZE]; 13 | duint rva; 14 | char text[MAX_LABEL_SIZE]; 15 | bool manual; 16 | }; 17 | 18 | SCRIPT_EXPORT bool Set(duint addr, const char* text, bool manual = false); 19 | SCRIPT_EXPORT bool Set(const LabelInfo* info); 20 | SCRIPT_EXPORT bool FromString(const char* label, duint* addr); 21 | SCRIPT_EXPORT bool Get(duint addr, char* text); //text[MAX_LABEL_SIZE] 22 | SCRIPT_EXPORT bool GetInfo(duint addr, LabelInfo* info); 23 | SCRIPT_EXPORT bool Delete(duint addr); 24 | SCRIPT_EXPORT void DeleteRange(duint start, duint end); 25 | SCRIPT_EXPORT void Clear(); 26 | SCRIPT_EXPORT bool GetList(ListOf(LabelInfo) list); //caller has the responsibility to free the list 27 | }; //Label 28 | }; //Script 29 | 30 | #endif //_SCRIPTAPI_LABEL_H -------------------------------------------------------------------------------- /pluginsdk/_scriptapi_memory.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_MEMORY_H 2 | #define _SCRIPTAPI_MEMORY_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Memory 9 | { 10 | SCRIPT_EXPORT bool Read(duint addr, void* data, duint size, duint* sizeRead); 11 | SCRIPT_EXPORT bool Write(duint addr, const void* data, duint size, duint* sizeWritten); 12 | SCRIPT_EXPORT bool IsValidPtr(duint addr); 13 | SCRIPT_EXPORT duint RemoteAlloc(duint addr, duint size); 14 | SCRIPT_EXPORT bool RemoteFree(duint addr); 15 | 16 | SCRIPT_EXPORT unsigned char ReadByte(duint addr); 17 | SCRIPT_EXPORT bool WriteByte(duint addr, unsigned char data); 18 | SCRIPT_EXPORT unsigned short ReadWord(duint addr); 19 | SCRIPT_EXPORT bool WriteWord(duint addr, unsigned short data); 20 | SCRIPT_EXPORT unsigned int ReadDword(duint addr); 21 | SCRIPT_EXPORT bool WriteDword(duint addr, unsigned int data); 22 | SCRIPT_EXPORT unsigned long long ReadQword(duint addr); 23 | SCRIPT_EXPORT bool WriteQword(duint addr, unsigned long long data); 24 | SCRIPT_EXPORT duint ReadPtr(duint addr); 25 | SCRIPT_EXPORT bool WritePtr(duint addr, duint data); 26 | }; //Memory 27 | }; //Script 28 | 29 | #endif //_SCRIPTAPI_MEMORY_H -------------------------------------------------------------------------------- /pluginsdk/_scriptapi_misc.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_MISC_H 2 | #define _SCRIPTAPI_MISC_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Misc 9 | { 10 | SCRIPT_EXPORT bool ParseExpression(const char* expression, duint* value); 11 | SCRIPT_EXPORT duint RemoteGetProcAddress(const char* module, const char* api); 12 | SCRIPT_EXPORT duint ResolveLabel(const char* label); 13 | SCRIPT_EXPORT void* Alloc(duint size); 14 | SCRIPT_EXPORT void Free(void* ptr); 15 | }; //Misc 16 | }; //Script 17 | 18 | #endif //_SCRIPTAPI_MISC_H -------------------------------------------------------------------------------- /pluginsdk/_scriptapi_module.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_MODULE_H 2 | #define _SCRIPTAPI_MODULE_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Module 9 | { 10 | struct ModuleInfo 11 | { 12 | duint base; 13 | duint size; 14 | duint entry; 15 | int sectionCount; 16 | char name[MAX_MODULE_SIZE]; 17 | char path[MAX_PATH]; 18 | }; 19 | 20 | struct ModuleSectionInfo 21 | { 22 | duint addr; 23 | duint size; 24 | char name[MAX_SECTION_SIZE * 5]; 25 | }; 26 | 27 | SCRIPT_EXPORT bool InfoFromAddr(duint addr, ModuleInfo* info); 28 | SCRIPT_EXPORT bool InfoFromName(const char* name, ModuleInfo* info); 29 | SCRIPT_EXPORT duint BaseFromAddr(duint addr); 30 | SCRIPT_EXPORT duint BaseFromName(const char* name); 31 | SCRIPT_EXPORT duint SizeFromAddr(duint addr); 32 | SCRIPT_EXPORT duint SizeFromName(const char* name); 33 | SCRIPT_EXPORT bool NameFromAddr(duint addr, char* name); //name[MAX_MODULE_SIZE] 34 | SCRIPT_EXPORT bool PathFromAddr(duint addr, char* path); //path[MAX_PATH] 35 | SCRIPT_EXPORT bool PathFromName(const char* name, char* path); //path[MAX_PATH] 36 | SCRIPT_EXPORT duint EntryFromAddr(duint addr); 37 | SCRIPT_EXPORT duint EntryFromName(const char* name); 38 | SCRIPT_EXPORT int SectionCountFromAddr(duint addr); 39 | SCRIPT_EXPORT int SectionCountFromName(const char* name); 40 | SCRIPT_EXPORT bool SectionFromAddr(duint addr, int number, ModuleSectionInfo* section); 41 | SCRIPT_EXPORT bool SectionFromName(const char* name, int number, ModuleSectionInfo* section); 42 | SCRIPT_EXPORT bool SectionListFromAddr(duint addr, ListOf(ModuleSectionInfo) list); 43 | SCRIPT_EXPORT bool SectionListFromName(const char* name, ListOf(ModuleSectionInfo) list); 44 | SCRIPT_EXPORT bool GetMainModuleInfo(ModuleInfo* info); 45 | SCRIPT_EXPORT duint GetMainModuleBase(); 46 | SCRIPT_EXPORT duint GetMainModuleSize(); 47 | SCRIPT_EXPORT duint GetMainModuleEntry(); 48 | SCRIPT_EXPORT int GetMainModuleSectionCount(); 49 | SCRIPT_EXPORT bool GetMainModuleName(char* name); //name[MAX_MODULE_SIZE] 50 | SCRIPT_EXPORT bool GetMainModulePath(char* path); //path[MAX_PATH] 51 | SCRIPT_EXPORT bool GetMainModuleSectionList(ListOf(ModuleSectionInfo) list); //caller has the responsibility to free the list 52 | SCRIPT_EXPORT bool GetList(ListOf(ModuleInfo) list); //caller has the responsibility to free the list 53 | }; //Module 54 | }; //Script 55 | 56 | #endif //_SCRIPTAPI_MODULE_H -------------------------------------------------------------------------------- /pluginsdk/_scriptapi_pattern.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_PATTERN_H 2 | #define _SCRIPTAPI_PATTERN_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Pattern 9 | { 10 | SCRIPT_EXPORT duint Find(unsigned char* data, duint datasize, const char* pattern); 11 | SCRIPT_EXPORT duint FindMem(duint start, duint size, const char* pattern); 12 | SCRIPT_EXPORT void Write(unsigned char* data, duint datasize, const char* pattern); 13 | SCRIPT_EXPORT void WriteMem(duint start, duint size, const char* pattern); 14 | SCRIPT_EXPORT bool SearchAndReplace(unsigned char* data, duint datasize, const char* searchpattern, const char* replacepattern); 15 | SCRIPT_EXPORT bool SearchAndReplaceMem(duint start, duint size, const char* searchpattern, const char* replacepattern); 16 | }; 17 | }; 18 | 19 | #endif //_SCRIPTAPI_FIND_H -------------------------------------------------------------------------------- /pluginsdk/_scriptapi_register.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_REGISTER_H 2 | #define _SCRIPTAPI_REGISTER_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Register 9 | { 10 | enum RegisterEnum 11 | { 12 | DR0, 13 | DR1, 14 | DR2, 15 | DR3, 16 | DR6, 17 | DR7, 18 | 19 | EAX, 20 | AX, 21 | AH, 22 | AL, 23 | EBX, 24 | BX, 25 | BH, 26 | BL, 27 | ECX, 28 | CX, 29 | CH, 30 | CL, 31 | EDX, 32 | DX, 33 | DH, 34 | DL, 35 | EDI, 36 | DI, 37 | ESI, 38 | SI, 39 | EBP, 40 | BP, 41 | ESP, 42 | SP, 43 | EIP, 44 | 45 | #ifdef _WIN64 46 | RAX, 47 | RBX, 48 | RCX, 49 | RDX, 50 | RSI, 51 | SIL, 52 | RDI, 53 | DIL, 54 | RBP, 55 | BPL, 56 | RSP, 57 | SPL, 58 | RIP, 59 | R8, 60 | R8D, 61 | R8W, 62 | R8B, 63 | R9, 64 | R9D, 65 | R9W, 66 | R9B, 67 | R10, 68 | R10D, 69 | R10W, 70 | R10B, 71 | R11, 72 | R11D, 73 | R11W, 74 | R11B, 75 | R12, 76 | R12D, 77 | R12W, 78 | R12B, 79 | R13, 80 | R13D, 81 | R13W, 82 | R13B, 83 | R14, 84 | R14D, 85 | R14W, 86 | R14B, 87 | R15, 88 | R15D, 89 | R15W, 90 | R15B, 91 | #endif //_WIN64 92 | 93 | CIP, 94 | CSP, 95 | }; //RegisterEnum 96 | 97 | SCRIPT_EXPORT duint Get(RegisterEnum reg); 98 | SCRIPT_EXPORT bool Set(RegisterEnum reg, duint value); 99 | SCRIPT_EXPORT int Size(); //gets architecture register size in bytes 100 | 101 | SCRIPT_EXPORT duint GetDR0(); 102 | SCRIPT_EXPORT bool SetDR0(duint value); 103 | SCRIPT_EXPORT duint GetDR1(); 104 | SCRIPT_EXPORT bool SetDR1(duint value); 105 | SCRIPT_EXPORT duint GetDR2(); 106 | SCRIPT_EXPORT bool SetDR2(duint value); 107 | SCRIPT_EXPORT duint GetDR3(); 108 | SCRIPT_EXPORT bool SetDR3(duint value); 109 | SCRIPT_EXPORT duint GetDR6(); 110 | SCRIPT_EXPORT bool SetDR6(duint value); 111 | SCRIPT_EXPORT duint GetDR7(); 112 | SCRIPT_EXPORT bool SetDR7(duint value); 113 | 114 | SCRIPT_EXPORT unsigned int GetEAX(); 115 | SCRIPT_EXPORT bool SetEAX(unsigned int value); 116 | SCRIPT_EXPORT unsigned short GetAX(); 117 | SCRIPT_EXPORT bool SetAX(unsigned short value); 118 | SCRIPT_EXPORT unsigned char GetAH(); 119 | SCRIPT_EXPORT bool SetAH(unsigned char value); 120 | SCRIPT_EXPORT unsigned char GetAL(); 121 | SCRIPT_EXPORT bool SetAL(unsigned char value); 122 | SCRIPT_EXPORT unsigned int GetEBX(); 123 | SCRIPT_EXPORT bool SetEBX(unsigned int value); 124 | SCRIPT_EXPORT unsigned short GetBX(); 125 | SCRIPT_EXPORT bool SetBX(unsigned short value); 126 | SCRIPT_EXPORT unsigned char GetBH(); 127 | SCRIPT_EXPORT bool SetBH(unsigned char value); 128 | SCRIPT_EXPORT unsigned char GetBL(); 129 | SCRIPT_EXPORT bool SetBL(unsigned char value); 130 | SCRIPT_EXPORT unsigned int GetECX(); 131 | SCRIPT_EXPORT bool SetECX(unsigned int value); 132 | SCRIPT_EXPORT unsigned short GetCX(); 133 | SCRIPT_EXPORT bool SetCX(unsigned short value); 134 | SCRIPT_EXPORT unsigned char GetCH(); 135 | SCRIPT_EXPORT bool SetCH(unsigned char value); 136 | SCRIPT_EXPORT unsigned char GetCL(); 137 | SCRIPT_EXPORT bool SetCL(unsigned char value); 138 | SCRIPT_EXPORT unsigned int GetEDX(); 139 | SCRIPT_EXPORT bool SetEDX(unsigned int value); 140 | SCRIPT_EXPORT unsigned short GetDX(); 141 | SCRIPT_EXPORT bool SetDX(unsigned short value); 142 | SCRIPT_EXPORT unsigned char GetDH(); 143 | SCRIPT_EXPORT bool SetDH(unsigned char value); 144 | SCRIPT_EXPORT unsigned char GetDL(); 145 | SCRIPT_EXPORT bool SetDL(unsigned char value); 146 | SCRIPT_EXPORT unsigned int GetEDI(); 147 | SCRIPT_EXPORT bool SetEDI(unsigned int value); 148 | SCRIPT_EXPORT unsigned short GetDI(); 149 | SCRIPT_EXPORT bool SetDI(unsigned short value); 150 | SCRIPT_EXPORT unsigned int GetESI(); 151 | SCRIPT_EXPORT bool SetESI(unsigned int value); 152 | SCRIPT_EXPORT unsigned short GetSI(); 153 | SCRIPT_EXPORT bool SetSI(unsigned short value); 154 | SCRIPT_EXPORT unsigned int GetEBP(); 155 | SCRIPT_EXPORT bool SetEBP(unsigned int value); 156 | SCRIPT_EXPORT unsigned short GetBP(); 157 | SCRIPT_EXPORT bool SetBP(unsigned short value); 158 | SCRIPT_EXPORT unsigned int GetESP(); 159 | SCRIPT_EXPORT bool SetESP(unsigned int value); 160 | SCRIPT_EXPORT unsigned short GetSP(); 161 | SCRIPT_EXPORT bool SetSP(unsigned short value); 162 | SCRIPT_EXPORT unsigned int GetEIP(); 163 | SCRIPT_EXPORT bool SetEIP(unsigned int value); 164 | 165 | #ifdef _WIN64 166 | SCRIPT_EXPORT unsigned long long GetRAX(); 167 | SCRIPT_EXPORT bool SetRAX(unsigned long long value); 168 | SCRIPT_EXPORT unsigned long long GetRBX(); 169 | SCRIPT_EXPORT bool SetRBX(unsigned long long value); 170 | SCRIPT_EXPORT unsigned long long GetRCX(); 171 | SCRIPT_EXPORT bool SetRCX(unsigned long long value); 172 | SCRIPT_EXPORT unsigned long long GetRDX(); 173 | SCRIPT_EXPORT bool SetRDX(unsigned long long value); 174 | SCRIPT_EXPORT unsigned long long GetRSI(); 175 | SCRIPT_EXPORT bool SetRSI(unsigned long long value); 176 | SCRIPT_EXPORT unsigned char GetSIL(); 177 | SCRIPT_EXPORT bool SetSIL(unsigned char value); 178 | SCRIPT_EXPORT unsigned long long GetRDI(); 179 | SCRIPT_EXPORT bool SetRDI(unsigned long long value); 180 | SCRIPT_EXPORT unsigned char GetDIL(); 181 | SCRIPT_EXPORT bool SetDIL(unsigned char value); 182 | SCRIPT_EXPORT unsigned long long GetRBP(); 183 | SCRIPT_EXPORT bool SetRBP(unsigned long long value); 184 | SCRIPT_EXPORT unsigned char GetBPL(); 185 | SCRIPT_EXPORT bool SetBPL(unsigned char value); 186 | SCRIPT_EXPORT unsigned long long GetRSP(); 187 | SCRIPT_EXPORT bool SetRSP(unsigned long long value); 188 | SCRIPT_EXPORT unsigned char GetSPL(); 189 | SCRIPT_EXPORT bool SetSPL(unsigned char value); 190 | SCRIPT_EXPORT unsigned long long GetRIP(); 191 | SCRIPT_EXPORT bool SetRIP(unsigned long long value); 192 | SCRIPT_EXPORT unsigned long long GetR8(); 193 | SCRIPT_EXPORT bool SetR8(unsigned long long value); 194 | SCRIPT_EXPORT unsigned int GetR8D(); 195 | SCRIPT_EXPORT bool SetR8D(unsigned int value); 196 | SCRIPT_EXPORT unsigned short GetR8W(); 197 | SCRIPT_EXPORT bool SetR8W(unsigned short value); 198 | SCRIPT_EXPORT unsigned char GetR8B(); 199 | SCRIPT_EXPORT bool SetR8B(unsigned char value); 200 | SCRIPT_EXPORT unsigned long long GetR9(); 201 | SCRIPT_EXPORT bool SetR9(unsigned long long value); 202 | SCRIPT_EXPORT unsigned int GetR9D(); 203 | SCRIPT_EXPORT bool SetR9D(unsigned int value); 204 | SCRIPT_EXPORT unsigned short GetR9W(); 205 | SCRIPT_EXPORT bool SetR9W(unsigned short value); 206 | SCRIPT_EXPORT unsigned char GetR9B(); 207 | SCRIPT_EXPORT bool SetR9B(unsigned char value); 208 | SCRIPT_EXPORT unsigned long long GetR10(); 209 | SCRIPT_EXPORT bool SetR10(unsigned long long value); 210 | SCRIPT_EXPORT unsigned int GetR10D(); 211 | SCRIPT_EXPORT bool SetR10D(unsigned int value); 212 | SCRIPT_EXPORT unsigned short GetR10W(); 213 | SCRIPT_EXPORT bool SetR10W(unsigned short value); 214 | SCRIPT_EXPORT unsigned char GetR10B(); 215 | SCRIPT_EXPORT bool SetR10B(unsigned char value); 216 | SCRIPT_EXPORT unsigned long long GetR11(); 217 | SCRIPT_EXPORT bool SetR11(unsigned long long value); 218 | SCRIPT_EXPORT unsigned int GetR11D(); 219 | SCRIPT_EXPORT bool SetR11D(unsigned int value); 220 | SCRIPT_EXPORT unsigned short GetR11W(); 221 | SCRIPT_EXPORT bool SetR11W(unsigned short value); 222 | SCRIPT_EXPORT unsigned char GetR11B(); 223 | SCRIPT_EXPORT bool SetR11B(unsigned char value); 224 | SCRIPT_EXPORT unsigned long long GetR12(); 225 | SCRIPT_EXPORT bool SetR12(unsigned long long value); 226 | SCRIPT_EXPORT unsigned int GetR12D(); 227 | SCRIPT_EXPORT bool SetR12D(unsigned int value); 228 | SCRIPT_EXPORT unsigned short GetR12W(); 229 | SCRIPT_EXPORT bool SetR12W(unsigned short value); 230 | SCRIPT_EXPORT unsigned char GetR12B(); 231 | SCRIPT_EXPORT bool SetR12B(unsigned char value); 232 | SCRIPT_EXPORT unsigned long long GetR13(); 233 | SCRIPT_EXPORT bool SetR13(unsigned long long value); 234 | SCRIPT_EXPORT unsigned int GetR13D(); 235 | SCRIPT_EXPORT bool SetR13D(unsigned int value); 236 | SCRIPT_EXPORT unsigned short GetR13W(); 237 | SCRIPT_EXPORT bool SetR13W(unsigned short value); 238 | SCRIPT_EXPORT unsigned char GetR13B(); 239 | SCRIPT_EXPORT bool SetR13B(unsigned char value); 240 | SCRIPT_EXPORT unsigned long long GetR14(); 241 | SCRIPT_EXPORT bool SetR14(unsigned long long value); 242 | SCRIPT_EXPORT unsigned int GetR14D(); 243 | SCRIPT_EXPORT bool SetR14D(unsigned int value); 244 | SCRIPT_EXPORT unsigned short GetR14W(); 245 | SCRIPT_EXPORT bool SetR14W(unsigned short value); 246 | SCRIPT_EXPORT unsigned char GetR14B(); 247 | SCRIPT_EXPORT bool SetR14B(unsigned char value); 248 | SCRIPT_EXPORT unsigned long long GetR15(); 249 | SCRIPT_EXPORT bool SetR15(unsigned long long value); 250 | SCRIPT_EXPORT unsigned int GetR15D(); 251 | SCRIPT_EXPORT bool SetR15D(unsigned int value); 252 | SCRIPT_EXPORT unsigned short GetR15W(); 253 | SCRIPT_EXPORT bool SetR15W(unsigned short value); 254 | SCRIPT_EXPORT unsigned char GetR15B(); 255 | SCRIPT_EXPORT bool SetR15B(unsigned char value); 256 | #endif //_WIN64 257 | 258 | SCRIPT_EXPORT duint GetCIP(); 259 | SCRIPT_EXPORT bool SetCIP(duint value); 260 | SCRIPT_EXPORT duint GetCSP(); 261 | SCRIPT_EXPORT bool SetCSP(duint value); 262 | }; //Register 263 | }; //Script 264 | 265 | #endif //_SCRIPTAPI_REGISTER_H -------------------------------------------------------------------------------- /pluginsdk/_scriptapi_stack.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_STACK_H 2 | #define _SCRIPTAPI_STACK_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Stack 9 | { 10 | SCRIPT_EXPORT duint Pop(); 11 | SCRIPT_EXPORT duint Push(duint value); //returns the previous top, equal to Peek(1) 12 | SCRIPT_EXPORT duint Peek(int offset = 0); //offset is in multiples of Register::Size(), for easy x32/x64 portability 13 | }; //Stack 14 | }; //Script 15 | 16 | #endif //_SCRIPTAPI_STACK_H -------------------------------------------------------------------------------- /pluginsdk/_scriptapi_symbol.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_SYMBOL_H 2 | #define _SCRIPTAPI_SYMBOL_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Symbol 9 | { 10 | enum SymbolType 11 | { 12 | Function, 13 | Import, 14 | Export 15 | }; 16 | 17 | struct SymbolInfo 18 | { 19 | char mod[MAX_MODULE_SIZE]; 20 | duint rva; 21 | char name[MAX_LABEL_SIZE]; 22 | bool manual; 23 | SymbolType type; 24 | }; 25 | 26 | SCRIPT_EXPORT bool GetList(ListOf(SymbolInfo) list); //caller has the responsibility to free the list 27 | }; //Symbol 28 | }; //Script 29 | 30 | #endif //_SCRIPTAPI_SYMBOL_H -------------------------------------------------------------------------------- /pluginsdk/bridgelist.h: -------------------------------------------------------------------------------- 1 | #ifndef _LIST_H 2 | #define _LIST_H 3 | 4 | typedef struct 5 | { 6 | int count; //Number of element in the list. 7 | size_t size; //Size of list in bytes (used for type checking). 8 | void* data; //Pointer to the list contents. Must be deleted by the caller using BridgeFree (or BridgeList::Free). 9 | } ListInfo; 10 | 11 | #define ListOf(Type) ListInfo* 12 | 13 | #ifdef __cplusplus 14 | 15 | #include 16 | 17 | /** 18 | \brief A list object. This object is NOT thread safe. 19 | \tparam Type BridgeList contents type. 20 | */ 21 | template 22 | class BridgeList 23 | { 24 | public: 25 | /** 26 | \brief BridgeList constructor. 27 | \param _freeData (Optional) the free function. 28 | */ 29 | explicit BridgeList() 30 | { 31 | memset(&_listInfo, 0, sizeof(_listInfo)); 32 | } 33 | 34 | /** 35 | \brief BridgeList destructor. 36 | */ 37 | ~BridgeList() 38 | { 39 | Cleanup(); 40 | } 41 | 42 | /** 43 | \brief Gets the list data. 44 | \return Returns ListInfo->data. Can be null if the list was never initialized. Will be destroyed once this object goes out of scope! 45 | */ 46 | Type* Data() const 47 | { 48 | return reinterpret_cast(_listInfo.data); 49 | } 50 | 51 | /** 52 | \brief Gets the number of elements in the list. This will crash the program if the data is not consistent with the specified template argument. 53 | \return The number of elements in the list. 54 | */ 55 | int Count() const 56 | { 57 | if(_listInfo.size != _listInfo.count * sizeof(Type)) //make sure the user is using the correct type. 58 | __debugbreak(); 59 | return _listInfo.count; 60 | } 61 | 62 | /** 63 | \brief Cleans up the list, freeing the list data when it is not null. 64 | */ 65 | void Cleanup() 66 | { 67 | if(_listInfo.data) 68 | { 69 | BridgeFree(_listInfo.data); 70 | _listInfo.data = nullptr; 71 | } 72 | } 73 | 74 | /** 75 | \brief Reference operator (cleans up the previous list) 76 | \return Pointer to the ListInfo. 77 | */ 78 | ListInfo* operator&() 79 | { 80 | Cleanup(); 81 | return &_listInfo; 82 | } 83 | 84 | /** 85 | \brief Array indexer operator. This will crash if you try to access out-of-bounds. 86 | \param index Zero-based index of the item you want to get. 87 | \return Reference to a value at that index. 88 | */ 89 | Type & operator[](size_t index) const 90 | { 91 | if(index >= size_t(Count())) //make sure the out-of-bounds access is caught as soon as possible. 92 | __debugbreak(); 93 | return Data()[index]; 94 | } 95 | 96 | /** 97 | \brief Copies data to a ListInfo structure.. 98 | \param [out] listInfo If non-null, information describing the list. 99 | \param listData Data to copy in the ListInfo structure. 100 | \return true if it succeeds, false if it fails. 101 | */ 102 | static bool CopyData(ListInfo* listInfo, const std::vector & listData) 103 | { 104 | if(!listInfo) 105 | return false; 106 | listInfo->count = int(listData.size()); 107 | listInfo->size = listInfo->count * sizeof(Type); 108 | if(listInfo->count) 109 | { 110 | listInfo->data = BridgeAlloc(listInfo->size); 111 | Type* curItem = reinterpret_cast(listInfo->data); 112 | for(const auto & item : listData) 113 | { 114 | *curItem = item; 115 | ++curItem; 116 | } 117 | } 118 | else 119 | listInfo->data = nullptr; 120 | return true; 121 | } 122 | 123 | private: 124 | ListInfo _listInfo; 125 | }; 126 | 127 | #endif //__cplusplus 128 | 129 | #endif //_LIST_H -------------------------------------------------------------------------------- /pluginsdk/dbghelp/dbghelp_x64.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/dbghelp/dbghelp_x64.a -------------------------------------------------------------------------------- /pluginsdk/dbghelp/dbghelp_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/dbghelp/dbghelp_x64.lib -------------------------------------------------------------------------------- /pluginsdk/dbghelp/dbghelp_x86.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/dbghelp/dbghelp_x86.a -------------------------------------------------------------------------------- /pluginsdk/dbghelp/dbghelp_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/dbghelp/dbghelp_x86.lib -------------------------------------------------------------------------------- /pluginsdk/jansson/jansson_config.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2010-2014 Petri Lehtinen 3 | * 4 | * Jansson is free software; you can redistribute it and/or modify 5 | * it under the terms of the MIT license. See LICENSE for details. 6 | * 7 | * 8 | * This file specifies a part of the site-specific configuration for 9 | * Jansson, namely those things that affect the public API in 10 | * jansson.h. 11 | * 12 | * The CMake system will generate the jansson_config.h file and 13 | * copy it to the build and install directories. 14 | */ 15 | 16 | #ifndef JANSSON_CONFIG_H 17 | #define JANSSON_CONFIG_H 18 | 19 | /* Define this so that we can disable scattered automake configuration in source files */ 20 | #ifndef JANSSON_USING_CMAKE 21 | #define JANSSON_USING_CMAKE 22 | #endif 23 | 24 | /* Note: when using cmake, JSON_INTEGER_IS_LONG_LONG is not defined nor used, 25 | * as we will also check for __int64 etc types. 26 | * (the definition was used in the automake system) */ 27 | 28 | /* Bring in the cmake-detected defines */ 29 | #define HAVE_STDINT_H 1 30 | /* #undef HAVE_INTTYPES_H */ 31 | /* #undef HAVE_SYS_TYPES_H */ 32 | 33 | /* Include our standard type header for the integer typedef */ 34 | 35 | #if defined(HAVE_STDINT_H) 36 | # include 37 | #elif defined(HAVE_INTTYPES_H) 38 | # include 39 | #elif defined(HAVE_SYS_TYPES_H) 40 | # include 41 | #endif 42 | 43 | 44 | /* If your compiler supports the inline keyword in C, JSON_INLINE is 45 | defined to `inline', otherwise empty. In C++, the inline is always 46 | supported. */ 47 | #ifdef __cplusplus 48 | #define JSON_INLINE inline 49 | #else 50 | #define JSON_INLINE __inline 51 | #endif 52 | 53 | 54 | #define json_int_t long long 55 | #define json_strtoint _strtoi64 56 | #define JSON_INTEGER_FORMAT "I64d" 57 | 58 | 59 | /* If locale.h and localeconv() are available, define to 1, otherwise to 0. */ 60 | #define JSON_HAVE_LOCALECONV 1 61 | 62 | 63 | 64 | #endif 65 | -------------------------------------------------------------------------------- /pluginsdk/jansson/jansson_x64.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/jansson/jansson_x64.a -------------------------------------------------------------------------------- /pluginsdk/jansson/jansson_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/jansson/jansson_x64.lib -------------------------------------------------------------------------------- /pluginsdk/jansson/jansson_x64dbg.h: -------------------------------------------------------------------------------- 1 | typedef json_t* JSON; 2 | 3 | static JSON_INLINE 4 | json_t* json_hex(unsigned json_int_t value) 5 | { 6 | char hexvalue[20]; 7 | #ifdef _WIN64 8 | sprintf(hexvalue, "0x%llX", value); 9 | #else //x64 10 | sprintf(hexvalue, "0x%X", value); 11 | #endif //_WIN64 12 | return json_string(hexvalue); 13 | } 14 | 15 | static JSON_INLINE 16 | unsigned json_int_t json_hex_value(const json_t* hex) 17 | { 18 | unsigned json_int_t ret; 19 | const char* hexvalue; 20 | hexvalue = json_string_value(hex); 21 | if(!hexvalue) 22 | return 0; 23 | #ifdef _WIN64 24 | sscanf(hexvalue, "0x%llX", &ret); 25 | #else //x64 26 | sscanf(hexvalue, "0x%X", &ret); 27 | #endif //_WIN64 28 | return ret; 29 | } -------------------------------------------------------------------------------- /pluginsdk/jansson/jansson_x86.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/jansson/jansson_x86.a -------------------------------------------------------------------------------- /pluginsdk/jansson/jansson_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/jansson/jansson_x86.lib -------------------------------------------------------------------------------- /pluginsdk/libx32bridge.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/libx32bridge.a -------------------------------------------------------------------------------- /pluginsdk/libx32dbg.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/libx32dbg.a -------------------------------------------------------------------------------- /pluginsdk/libx64bridge.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/libx64bridge.a -------------------------------------------------------------------------------- /pluginsdk/libx64dbg.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/libx64dbg.a -------------------------------------------------------------------------------- /pluginsdk/lz4/lz4_x64.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/lz4/lz4_x64.a -------------------------------------------------------------------------------- /pluginsdk/lz4/lz4_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/lz4/lz4_x64.lib -------------------------------------------------------------------------------- /pluginsdk/lz4/lz4_x86.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/lz4/lz4_x86.a -------------------------------------------------------------------------------- /pluginsdk/lz4/lz4_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/lz4/lz4_x86.lib -------------------------------------------------------------------------------- /pluginsdk/lz4/lz4file.h: -------------------------------------------------------------------------------- 1 | #ifndef _LZ4FILE_H 2 | #define _LZ4FILE_H 3 | 4 | typedef enum _LZ4_STATUS 5 | { 6 | LZ4_SUCCESS, 7 | LZ4_FAILED_OPEN_INPUT, 8 | LZ4_FAILED_OPEN_OUTPUT, 9 | LZ4_NOT_ENOUGH_MEMORY, 10 | LZ4_INVALID_ARCHIVE, 11 | LZ4_CORRUPTED_ARCHIVE 12 | } LZ4_STATUS; 13 | 14 | #if defined (__cplusplus) 15 | extern "C" 16 | { 17 | #endif 18 | 19 | __declspec(dllimport) LZ4_STATUS LZ4_compress_file(const char* input_filename, const char* output_filename); 20 | __declspec(dllimport) LZ4_STATUS LZ4_compress_fileW(const wchar_t* input_filename, const wchar_t* output_filename); 21 | __declspec(dllimport) LZ4_STATUS LZ4_decompress_file(const char* input_filename, const char* output_filename); 22 | __declspec(dllimport) LZ4_STATUS LZ4_decompress_fileW(const wchar_t* input_filename, const wchar_t* output_filename); 23 | 24 | #if defined (__cplusplus) 25 | } 26 | #endif 27 | 28 | #endif //_LZ4FILE_H -------------------------------------------------------------------------------- /pluginsdk/lz4/lz4hc.h: -------------------------------------------------------------------------------- 1 | /* 2 | LZ4 HC - High Compression Mode of LZ4 3 | Header File 4 | Copyright (C) 2011-2014, Yann Collet. 5 | BSD 2-Clause License (http://www.opensource.org/licenses/bsd-license.php) 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are 9 | met: 10 | 11 | * Redistributions of source code must retain the above copyright 12 | notice, this list of conditions and the following disclaimer. 13 | * Redistributions in binary form must reproduce the above 14 | copyright notice, this list of conditions and the following disclaimer 15 | in the documentation and/or other materials provided with the 16 | distribution. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 21 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 22 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 23 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 24 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 25 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 26 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 27 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 | 30 | You can contact the author at : 31 | - LZ4 homepage : http://fastcompression.blogspot.com/p/lz4.html 32 | - LZ4 source repository : http://code.google.com/p/lz4/ 33 | */ 34 | #ifndef _LZ4HC_H 35 | #define _LZ4HC_H 36 | 37 | #if defined (__cplusplus) 38 | extern "C" 39 | { 40 | #endif 41 | 42 | 43 | __declspec(dllimport) int LZ4_compressHC(const char* source, char* dest, int inputSize); 44 | /* 45 | LZ4_compressHC : 46 | return : the number of bytes in compressed buffer dest 47 | or 0 if compression fails. 48 | note : destination buffer must be already allocated. 49 | To avoid any problem, size it to handle worst cases situations (input data not compressible) 50 | Worst case size evaluation is provided by function LZ4_compressBound() (see "lz4.h") 51 | */ 52 | 53 | __declspec(dllimport) int LZ4_compressHC_limitedOutput(const char* source, char* dest, int inputSize, int maxOutputSize); 54 | /* 55 | LZ4_compress_limitedOutput() : 56 | Compress 'inputSize' bytes from 'source' into an output buffer 'dest' of maximum size 'maxOutputSize'. 57 | If it cannot achieve it, compression will stop, and result of the function will be zero. 58 | This function never writes outside of provided output buffer. 59 | 60 | inputSize : Max supported value is 1 GB 61 | maxOutputSize : is maximum allowed size into the destination buffer (which must be already allocated) 62 | return : the number of output bytes written in buffer 'dest' 63 | or 0 if compression fails. 64 | */ 65 | 66 | 67 | __declspec(dllimport) int LZ4_compressHC2(const char* source, char* dest, int inputSize, int compressionLevel); 68 | __declspec(dllimport) int LZ4_compressHC2_limitedOutput(const char* source, char* dest, int inputSize, int maxOutputSize, int compressionLevel); 69 | /* 70 | Same functions as above, but with programmable 'compressionLevel'. 71 | Recommended values are between 4 and 9, although any value between 0 and 16 will work. 72 | 'compressionLevel'==0 means use default 'compressionLevel' value. 73 | Values above 16 behave the same as 16. 74 | Equivalent variants exist for all other compression functions below. 75 | */ 76 | 77 | /* Note : 78 | Decompression functions are provided within LZ4 source code (see "lz4.h") (BSD license) 79 | */ 80 | 81 | 82 | /************************************** 83 | Using an external allocation 84 | **************************************/ 85 | __declspec(dllimport) int LZ4_sizeofStateHC(void); 86 | __declspec(dllimport) int LZ4_compressHC_withStateHC(void* state, const char* source, char* dest, int inputSize); 87 | __declspec(dllimport) int LZ4_compressHC_limitedOutput_withStateHC(void* state, const char* source, char* dest, int inputSize, int maxOutputSize); 88 | 89 | __declspec(dllimport) int LZ4_compressHC2_withStateHC(void* state, const char* source, char* dest, int inputSize, int compressionLevel); 90 | __declspec(dllimport) int LZ4_compressHC2_limitedOutput_withStateHC(void* state, const char* source, char* dest, int inputSize, int maxOutputSize, int compressionLevel); 91 | 92 | /* 93 | These functions are provided should you prefer to allocate memory for compression tables with your own allocation methods. 94 | To know how much memory must be allocated for the compression tables, use : 95 | int LZ4_sizeofStateHC(); 96 | 97 | Note that tables must be aligned for pointer (32 or 64 bits), otherwise compression will fail (return code 0). 98 | 99 | The allocated memory can be provided to the compressions functions using 'void* state' parameter. 100 | LZ4_compress_withStateHC() and LZ4_compress_limitedOutput_withStateHC() are equivalent to previously described functions. 101 | They just use the externally allocated memory area instead of allocating their own (on stack, or on heap). 102 | */ 103 | 104 | 105 | /************************************** 106 | Streaming Functions 107 | **************************************/ 108 | __declspec(dllimport) void* LZ4_createHC(const char* inputBuffer); 109 | __declspec(dllimport) int LZ4_compressHC_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize); 110 | __declspec(dllimport) int LZ4_compressHC_limitedOutput_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize, int maxOutputSize); 111 | __declspec(dllimport) char* LZ4_slideInputBufferHC(void* LZ4HC_Data); 112 | __declspec(dllimport) int LZ4_freeHC(void* LZ4HC_Data); 113 | 114 | __declspec(dllimport) int LZ4_compressHC2_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize, int compressionLevel); 115 | __declspec(dllimport) int LZ4_compressHC2_limitedOutput_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize, int maxOutputSize, int compressionLevel); 116 | 117 | /* 118 | These functions allow the compression of dependent blocks, where each block benefits from prior 64 KB within preceding blocks. 119 | In order to achieve this, it is necessary to start creating the LZ4HC Data Structure, thanks to the function : 120 | 121 | void* LZ4_createHC (const char* inputBuffer); 122 | The result of the function is the (void*) pointer on the LZ4HC Data Structure. 123 | This pointer will be needed in all other functions. 124 | If the pointer returned is NULL, then the allocation has failed, and compression must be aborted. 125 | The only parameter 'const char* inputBuffer' must, obviously, point at the beginning of input buffer. 126 | The input buffer must be already allocated, and size at least 192KB. 127 | 'inputBuffer' will also be the 'const char* source' of the first block. 128 | 129 | All blocks are expected to lay next to each other within the input buffer, starting from 'inputBuffer'. 130 | To compress each block, use either LZ4_compressHC_continue() or LZ4_compressHC_limitedOutput_continue(). 131 | Their behavior are identical to LZ4_compressHC() or LZ4_compressHC_limitedOutput(), 132 | but require the LZ4HC Data Structure as their first argument, and check that each block starts right after the previous one. 133 | If next block does not begin immediately after the previous one, the compression will fail (return 0). 134 | 135 | When it's no longer possible to lay the next block after the previous one (not enough space left into input buffer), a call to : 136 | char* LZ4_slideInputBufferHC(void* LZ4HC_Data); 137 | must be performed. It will typically copy the latest 64KB of input at the beginning of input buffer. 138 | Note that, for this function to work properly, minimum size of an input buffer must be 192KB. 139 | ==> The memory position where the next input data block must start is provided as the result of the function. 140 | 141 | Compression can then resume, using LZ4_compressHC_continue() or LZ4_compressHC_limitedOutput_continue(), as usual. 142 | 143 | When compression is completed, a call to LZ4_freeHC() will release the memory used by the LZ4HC Data Structure. 144 | */ 145 | 146 | __declspec(dllimport) int LZ4_sizeofStreamStateHC(void); 147 | __declspec(dllimport) int LZ4_resetStreamStateHC(void* state, const char* inputBuffer); 148 | 149 | /* 150 | These functions achieve the same result as : 151 | void* LZ4_createHC (const char* inputBuffer); 152 | 153 | They are provided here to allow the user program to allocate memory using its own routines. 154 | 155 | To know how much space must be allocated, use LZ4_sizeofStreamStateHC(); 156 | Note also that space must be aligned for pointers (32 or 64 bits). 157 | 158 | Once space is allocated, you must initialize it using : LZ4_resetStreamStateHC(void* state, const char* inputBuffer); 159 | void* state is a pointer to the space allocated. 160 | It must be aligned for pointers (32 or 64 bits), and be large enough. 161 | The parameter 'const char* inputBuffer' must, obviously, point at the beginning of input buffer. 162 | The input buffer must be already allocated, and size at least 192KB. 163 | 'inputBuffer' will also be the 'const char* source' of the first block. 164 | 165 | The same space can be re-used multiple times, just by initializing it each time with LZ4_resetStreamState(). 166 | return value of LZ4_resetStreamStateHC() must be 0 is OK. 167 | Any other value means there was an error (typically, state is not aligned for pointers (32 or 64 bits)). 168 | */ 169 | 170 | 171 | #if defined (__cplusplus) 172 | } 173 | #endif 174 | 175 | #endif //_LZ4HC_H 176 | -------------------------------------------------------------------------------- /pluginsdk/x32bridge.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/x32bridge.lib -------------------------------------------------------------------------------- /pluginsdk/x32dbg.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/x32dbg.lib -------------------------------------------------------------------------------- /pluginsdk/x64bridge.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/x64bridge.lib -------------------------------------------------------------------------------- /pluginsdk/x64dbg.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/x64dbg.lib -------------------------------------------------------------------------------- /pluginsdk/yara/yara.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2013. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_YARA_H 18 | #define YR_YARA_H 19 | 20 | #include "yara/utils.h" 21 | #include "yara/filemap.h" 22 | #include "yara/compiler.h" 23 | #include "yara/modules.h" 24 | #include "yara/object.h" 25 | #include "yara/libyara.h" 26 | #include "yara/error.h" 27 | #include "yara/stream.h" 28 | #include "yara/hash.h" 29 | 30 | #endif 31 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/ahocorasick.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef _AHOCORASICK_H 18 | #define _AHOCORASICK_H 19 | 20 | #include "limits.h" 21 | #include "atoms.h" 22 | #include "types.h" 23 | 24 | 25 | int yr_ac_create_automaton( 26 | YR_ARENA* arena, 27 | YR_AC_AUTOMATON** automaton); 28 | 29 | 30 | int yr_ac_add_string( 31 | YR_ARENA* arena, 32 | YR_AC_AUTOMATON* automaton, 33 | YR_STRING* string, 34 | YR_ATOM_LIST_ITEM* atom); 35 | 36 | 37 | YR_AC_STATE* yr_ac_next_state( 38 | YR_AC_STATE* state, 39 | uint8_t input); 40 | 41 | 42 | int yr_ac_create_failure_links( 43 | YR_ARENA* arena, 44 | YR_AC_AUTOMATON* automaton); 45 | 46 | 47 | void yr_ac_print_automaton( 48 | YR_AC_AUTOMATON* automaton); 49 | 50 | #endif 51 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/arena.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_ARENA_H 18 | #define YR_ARENA_H 19 | 20 | #include 21 | #include 22 | 23 | #include "stream.h" 24 | 25 | #define ARENA_FLAGS_FIXED_SIZE 1 26 | #define ARENA_FLAGS_COALESCED 2 27 | #define ARENA_FILE_VERSION 10 28 | 29 | #define EOL ((size_t) -1) 30 | 31 | 32 | typedef struct _YR_RELOC 33 | { 34 | uint32_t offset; 35 | struct _YR_RELOC* next; 36 | 37 | } YR_RELOC; 38 | 39 | 40 | typedef struct _YR_ARENA_PAGE 41 | { 42 | 43 | uint8_t* new_address; 44 | uint8_t* address; 45 | 46 | size_t size; 47 | size_t used; 48 | 49 | YR_RELOC* reloc_list_head; 50 | YR_RELOC* reloc_list_tail; 51 | 52 | struct _YR_ARENA_PAGE* next; 53 | struct _YR_ARENA_PAGE* prev; 54 | 55 | } YR_ARENA_PAGE; 56 | 57 | 58 | typedef struct _YR_ARENA 59 | { 60 | int flags; 61 | 62 | YR_ARENA_PAGE* page_list_head; 63 | YR_ARENA_PAGE* current_page; 64 | 65 | } YR_ARENA; 66 | 67 | 68 | int yr_arena_create( 69 | size_t initial_size, 70 | int flags, 71 | YR_ARENA** arena); 72 | 73 | 74 | void yr_arena_destroy( 75 | YR_ARENA* arena); 76 | 77 | 78 | void* yr_arena_base_address( 79 | YR_ARENA* arena); 80 | 81 | 82 | void* yr_arena_next_address( 83 | YR_ARENA* arena, 84 | void* address, 85 | size_t offset); 86 | 87 | 88 | int yr_arena_coalesce( 89 | YR_ARENA* arena); 90 | 91 | 92 | int yr_arena_reserve_memory( 93 | YR_ARENA* arena, 94 | size_t size); 95 | 96 | 97 | int yr_arena_allocate_memory( 98 | YR_ARENA* arena, 99 | size_t size, 100 | void** allocated_memory); 101 | 102 | 103 | int yr_arena_allocate_struct( 104 | YR_ARENA* arena, 105 | size_t size, 106 | void** allocated_memory, 107 | ...); 108 | 109 | 110 | int yr_arena_make_relocatable( 111 | YR_ARENA* arena, 112 | void* base, 113 | ...); 114 | 115 | 116 | int yr_arena_write_data( 117 | YR_ARENA* arena, 118 | void* data, 119 | size_t size, 120 | void** written_data); 121 | 122 | 123 | int yr_arena_write_string( 124 | YR_ARENA* arena, 125 | const char* string, 126 | char** written_string); 127 | 128 | 129 | int yr_arena_append( 130 | YR_ARENA* target_arena, 131 | YR_ARENA* source_arena); 132 | 133 | 134 | int yr_arena_load_stream( 135 | YR_STREAM* stream, 136 | YR_ARENA** arena); 137 | 138 | 139 | int yr_arena_save_stream( 140 | YR_ARENA* arena, 141 | YR_STREAM* stream); 142 | 143 | 144 | int yr_arena_duplicate( 145 | YR_ARENA* arena, 146 | YR_ARENA** duplicated); 147 | 148 | 149 | void yr_arena_print( 150 | YR_ARENA* arena); 151 | 152 | #endif 153 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/atoms.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_ATOMS_H 18 | #define YR_ATOMS_H 19 | 20 | #include "limits.h" 21 | #include "re.h" 22 | 23 | #define ATOM_TREE_LEAF 1 24 | #define ATOM_TREE_AND 2 25 | #define ATOM_TREE_OR 3 26 | 27 | 28 | typedef struct _ATOM_TREE_NODE 29 | { 30 | uint8_t type; 31 | uint8_t atom_length; 32 | uint8_t atom[MAX_ATOM_LENGTH]; 33 | 34 | uint8_t* forward_code; 35 | uint8_t* backward_code; 36 | 37 | RE_NODE* recent_nodes[MAX_ATOM_LENGTH]; 38 | 39 | struct _ATOM_TREE_NODE* children_head; 40 | struct _ATOM_TREE_NODE* children_tail; 41 | struct _ATOM_TREE_NODE* next_sibling; 42 | 43 | } ATOM_TREE_NODE; 44 | 45 | 46 | typedef struct _ATOM_TREE 47 | { 48 | ATOM_TREE_NODE* current_leaf; 49 | ATOM_TREE_NODE* root_node; 50 | 51 | } ATOM_TREE; 52 | 53 | 54 | typedef struct _YR_ATOM_LIST_ITEM 55 | { 56 | uint8_t atom_length; 57 | uint8_t atom[MAX_ATOM_LENGTH]; 58 | 59 | uint16_t backtrack; 60 | 61 | uint8_t* forward_code; 62 | uint8_t* backward_code; 63 | 64 | struct _YR_ATOM_LIST_ITEM* next; 65 | 66 | } YR_ATOM_LIST_ITEM; 67 | 68 | 69 | int yr_atoms_extract_from_re( 70 | RE* re, 71 | int flags, 72 | YR_ATOM_LIST_ITEM** atoms); 73 | 74 | 75 | int yr_atoms_extract_from_string( 76 | uint8_t* string, 77 | int string_length, 78 | int flags, 79 | YR_ATOM_LIST_ITEM** atoms); 80 | 81 | 82 | int yr_atoms_min_quality( 83 | YR_ATOM_LIST_ITEM* atom_list); 84 | 85 | 86 | void yr_atoms_list_destroy( 87 | YR_ATOM_LIST_ITEM* list_head); 88 | 89 | #endif 90 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/compiler.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_COMPILER_H 18 | #define YR_COMPILER_H 19 | 20 | #include 21 | #include 22 | 23 | #include "ahocorasick.h" 24 | #include "arena.h" 25 | #include "hash.h" 26 | #include "utils.h" 27 | 28 | 29 | #define YARA_ERROR_LEVEL_ERROR 0 30 | #define YARA_ERROR_LEVEL_WARNING 1 31 | 32 | 33 | typedef void (*YR_COMPILER_CALLBACK_FUNC)( 34 | int error_level, 35 | const char* file_name, 36 | int line_number, 37 | const char* message, 38 | void* user_data); 39 | 40 | 41 | typedef struct _YR_FIXUP 42 | { 43 | int64_t* address; 44 | struct _YR_FIXUP* next; 45 | 46 | } YR_FIXUP; 47 | 48 | 49 | typedef struct _YR_COMPILER 50 | { 51 | int errors; 52 | int error_line; 53 | int last_error; 54 | int last_error_line; 55 | int last_result; 56 | 57 | jmp_buf error_recovery; 58 | 59 | YR_ARENA* sz_arena; 60 | YR_ARENA* rules_arena; 61 | YR_ARENA* strings_arena; 62 | YR_ARENA* code_arena; 63 | YR_ARENA* re_code_arena; 64 | YR_ARENA* automaton_arena; 65 | YR_ARENA* compiled_rules_arena; 66 | YR_ARENA* externals_arena; 67 | YR_ARENA* namespaces_arena; 68 | YR_ARENA* metas_arena; 69 | 70 | YR_AC_AUTOMATON* automaton; 71 | YR_HASH_TABLE* rules_table; 72 | YR_HASH_TABLE* objects_table; 73 | YR_NAMESPACE* current_namespace; 74 | YR_RULE* current_rule; 75 | 76 | YR_FIXUP* fixup_stack_head; 77 | 78 | int namespaces_count; 79 | 80 | uint8_t* loop_address[MAX_LOOP_NESTING]; 81 | char* loop_identifier[MAX_LOOP_NESTING]; 82 | int loop_depth; 83 | int loop_for_of_mem_offset; 84 | 85 | int allow_includes; 86 | 87 | char* file_name_stack[MAX_INCLUDE_DEPTH]; 88 | int file_name_stack_ptr; 89 | 90 | FILE* file_stack[MAX_INCLUDE_DEPTH]; 91 | int file_stack_ptr; 92 | 93 | char last_error_extra_info[MAX_COMPILER_ERROR_EXTRA_INFO]; 94 | 95 | char lex_buf[LEX_BUF_SIZE]; 96 | char* lex_buf_ptr; 97 | unsigned short lex_buf_len; 98 | 99 | char include_base_dir[MAX_PATH]; 100 | void* user_data; 101 | 102 | YR_COMPILER_CALLBACK_FUNC callback; 103 | 104 | } YR_COMPILER; 105 | 106 | 107 | #define yr_compiler_set_error_extra_info(compiler, info) \ 108 | strlcpy( \ 109 | compiler->last_error_extra_info, \ 110 | info, \ 111 | sizeof(compiler->last_error_extra_info)); \ 112 | 113 | 114 | #define yr_compiler_set_error_extra_info_fmt(compiler, fmt, ...) \ 115 | snprintf( \ 116 | compiler->last_error_extra_info, \ 117 | sizeof(compiler->last_error_extra_info), \ 118 | fmt, __VA_ARGS__); 119 | 120 | 121 | int _yr_compiler_push_file( 122 | YR_COMPILER* compiler, 123 | FILE* fh); 124 | 125 | 126 | FILE* _yr_compiler_pop_file( 127 | YR_COMPILER* compiler); 128 | 129 | 130 | int _yr_compiler_push_file_name( 131 | YR_COMPILER* compiler, 132 | const char* file_name); 133 | 134 | 135 | void _yr_compiler_pop_file_name( 136 | YR_COMPILER* compiler); 137 | 138 | 139 | YR_API int yr_compiler_create( 140 | YR_COMPILER** compiler); 141 | 142 | 143 | YR_API void yr_compiler_destroy( 144 | YR_COMPILER* compiler); 145 | 146 | 147 | YR_API void yr_compiler_set_callback( 148 | YR_COMPILER* compiler, 149 | YR_COMPILER_CALLBACK_FUNC callback, 150 | void* user_data); 151 | 152 | 153 | YR_API int yr_compiler_add_file( 154 | YR_COMPILER* compiler, 155 | FILE* rules_file, 156 | const char* namespace_, 157 | const char* file_name); 158 | 159 | 160 | YR_API int yr_compiler_add_string( 161 | YR_COMPILER* compiler, 162 | const char* rules_string, 163 | const char* namespace_); 164 | 165 | 166 | YR_API char* yr_compiler_get_error_message( 167 | YR_COMPILER* compiler, 168 | char* buffer, 169 | int buffer_size); 170 | 171 | 172 | YR_API char* yr_compiler_get_current_file_name( 173 | YR_COMPILER* context); 174 | 175 | 176 | YR_API int yr_compiler_define_integer_variable( 177 | YR_COMPILER* compiler, 178 | const char* identifier, 179 | int64_t value); 180 | 181 | 182 | YR_API int yr_compiler_define_boolean_variable( 183 | YR_COMPILER* compiler, 184 | const char* identifier, 185 | int value); 186 | 187 | 188 | YR_API int yr_compiler_define_float_variable( 189 | YR_COMPILER* compiler, 190 | const char* identifier, 191 | double value); 192 | 193 | 194 | YR_API int yr_compiler_define_string_variable( 195 | YR_COMPILER* compiler, 196 | const char* identifier, 197 | const char* value); 198 | 199 | 200 | YR_API int yr_compiler_get_rules( 201 | YR_COMPILER* compiler, 202 | YR_RULES** rules); 203 | 204 | 205 | #endif 206 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/elf.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef _ELF_H 18 | #define _ELF_H 19 | 20 | #include 21 | 22 | 23 | // 32-bit ELF base types 24 | 25 | typedef uint32_t elf32_addr_t; 26 | typedef uint16_t elf32_half_t; 27 | typedef uint32_t elf32_off_t; 28 | typedef uint32_t elf32_word_t; 29 | 30 | // 64-bit ELF base types 31 | 32 | typedef uint64_t elf64_addr_t; 33 | typedef uint16_t elf64_half_t; 34 | typedef uint64_t elf64_off_t; 35 | typedef uint32_t elf64_word_t; 36 | typedef uint64_t elf64_xword_t; 37 | 38 | #define ELF_MAGIC 0x464C457F 39 | 40 | #define ELF_ET_NONE 0x0000 // no type 41 | #define ELF_ET_REL 0x0001 // relocatable 42 | #define ELF_ET_EXEC 0x0002 // executeable 43 | #define ELF_ET_DYN 0x0003 // Shared-Object-File 44 | #define ELF_ET_CORE 0x0004 // Corefile 45 | #define ELF_ET_LOPROC 0xFF00 // Processor-specific 46 | #define ELF_ET_HIPROC 0x00FF // Processor-specific 47 | 48 | #define ELF_EM_NONE 0x0000 // no type 49 | #define ELF_EM_M32 0x0001 // AT&T WE 32100 50 | #define ELF_EM_SPARC 0x0002 // SPARC 51 | #define ELF_EM_386 0x0003 // Intel 80386 52 | #define ELF_EM_68K 0x0004 // Motorola 68000 53 | #define ELF_EM_88K 0x0005 // Motorola 88000 54 | #define ELF_EM_860 0x0007 // Intel 80860 55 | #define ELF_EM_MIPS 0x0008 // MIPS I Architecture 56 | #define ELF_EM_MIPS_RS3_LE 0x000A // MIPS RS3000 Little-endian 57 | #define ELF_EM_PPC 0x0014 // PowerPC 58 | #define ELF_EM_PPC64 0x0015 // 64-bit PowerPC 59 | #define ELF_EM_ARM 0x0028 // ARM 60 | #define ELF_EM_X86_64 0x003E // AMD/Intel x86_64 61 | #define ELF_EM_AARCH64 0x00B7 // 64-bit ARM 62 | 63 | #define ELF_CLASS_NONE 0x0000 64 | #define ELF_CLASS_32 0x0001 // 32bit file 65 | #define ELF_CLASS_64 0x0002 // 64bit file 66 | 67 | #define ELF_DATA_NONE 0x0000 68 | #define ELF_DATA_2LSB 0x0001 69 | #define ELF_DATA_2MSB 0x002 70 | 71 | 72 | #define ELF_SHT_NULL 0 // Section header table entry unused 73 | #define ELF_SHT_PROGBITS 1 // Program data 74 | #define ELF_SHT_SYMTAB 2 // Symbol table 75 | #define ELF_SHT_STRTAB 3 // String table 76 | #define ELF_SHT_RELA 4 // Relocation entries with addends 77 | #define ELF_SHT_HASH 5 // Symbol hash table 78 | #define ELF_SHT_DYNAMIC 6 // Dynamic linking information 79 | #define ELF_SHT_NOTE 7 // Notes 80 | #define ELF_SHT_NOBITS 8 // Program space with no data (bss) 81 | #define ELF_SHT_REL 9 // Relocation entries, no addends 82 | #define ELF_SHT_SHLIB 10 // Reserved 83 | #define ELF_SHT_DYNSYM 11 // Dynamic linker symbol table 84 | #define ELF_SHT_NUM 12 // Number of defined types 85 | 86 | #define ELF_SHF_WRITE 0x1 // Section is writable 87 | #define ELF_SHF_ALLOC 0x2 // Section is present during execution 88 | #define ELF_SHF_EXECINSTR 0x4 // Section contains executable instructions 89 | 90 | #define ELF_SHN_LORESERVE 0xFF00 91 | 92 | #define ELF_PT_NULL 0 // The array element is unused 93 | #define ELF_PT_LOAD 1 // Loadable segment 94 | #define ELF_PT_DYNAMIC 2 // Segment contains dynamic linking info 95 | #define ELF_PT_INTERP 3 // Contains interpreter pathname 96 | #define ELF_PT_NOTE 4 // Location & size of auxiliary info 97 | #define ELF_PT_SHLIB 5 // Reserved, unspecified semantics 98 | #define ELF_PT_PHDR 6 // Location and size of program header table 99 | #define ELF_PT_TLS 7 // Thread-Local Storage 100 | #define ELF_PT_GNU_EH_FRAME 0x6474e550 101 | #define ELF_PT_GNU_STACK 0x6474e551 102 | 103 | #define ELF_PF_X 0x1 // Segment is executable 104 | #define ELF_PF_W 0x2 // Segment is writable 105 | #define ELF_PF_R 0x4 // Segment is readable 106 | 107 | #define ELF_PN_XNUM 0xffff 108 | 109 | #pragma pack(push,1) 110 | 111 | typedef struct 112 | { 113 | uint32_t magic; 114 | uint8_t _class; 115 | uint8_t data; 116 | uint8_t version; 117 | uint8_t pad[8]; 118 | uint8_t nident; 119 | 120 | } elf_ident_t; 121 | 122 | 123 | typedef struct 124 | { 125 | elf_ident_t ident; 126 | elf32_half_t type; 127 | elf32_half_t machine; 128 | elf32_word_t version; 129 | elf32_addr_t entry; 130 | elf32_off_t ph_offset; 131 | elf32_off_t sh_offset; 132 | elf32_word_t flags; 133 | elf32_half_t header_size; 134 | elf32_half_t ph_entry_size; 135 | elf32_half_t ph_entry_count; 136 | elf32_half_t sh_entry_size; 137 | elf32_half_t sh_entry_count; 138 | elf32_half_t sh_str_table_index; 139 | 140 | } elf32_header_t; 141 | 142 | 143 | typedef struct 144 | { 145 | elf_ident_t ident; 146 | elf64_half_t type; 147 | elf64_half_t machine; 148 | elf64_word_t version; 149 | elf64_addr_t entry; 150 | elf64_off_t ph_offset; 151 | elf64_off_t sh_offset; 152 | elf64_word_t flags; 153 | elf64_half_t header_size; 154 | elf64_half_t ph_entry_size; 155 | elf64_half_t ph_entry_count; 156 | elf64_half_t sh_entry_size; 157 | elf64_half_t sh_entry_count; 158 | elf64_half_t sh_str_table_index; 159 | 160 | } elf64_header_t; 161 | 162 | 163 | typedef struct 164 | { 165 | elf32_word_t type; 166 | elf32_off_t offset; 167 | elf32_addr_t virt_addr; 168 | elf32_addr_t phys_addr; 169 | elf32_word_t file_size; 170 | elf32_word_t mem_size; 171 | elf32_word_t flags; 172 | elf32_word_t alignment; 173 | 174 | } elf32_program_header_t; 175 | 176 | 177 | typedef struct 178 | { 179 | elf64_word_t type; 180 | elf64_word_t flags; 181 | elf64_off_t offset; 182 | elf64_addr_t virt_addr; 183 | elf64_addr_t phys_addr; 184 | elf64_xword_t file_size; 185 | elf64_xword_t mem_size; 186 | elf64_xword_t alignment; 187 | 188 | } elf64_program_header_t; 189 | 190 | 191 | typedef struct 192 | { 193 | elf32_word_t name; 194 | elf32_word_t type; 195 | elf32_word_t flags; 196 | elf32_addr_t addr; 197 | elf32_off_t offset; 198 | elf32_word_t size; 199 | elf32_word_t link; 200 | elf32_word_t info; 201 | elf32_word_t align; 202 | elf32_word_t entry_size; 203 | 204 | } elf32_section_header_t; 205 | 206 | 207 | typedef struct 208 | { 209 | elf64_word_t name; 210 | elf64_word_t type; 211 | elf64_xword_t flags; 212 | elf64_addr_t addr; 213 | elf64_off_t offset; 214 | elf64_xword_t size; 215 | elf64_word_t link; 216 | elf64_word_t info; 217 | elf64_xword_t align; 218 | elf64_xword_t entry_size; 219 | 220 | } elf64_section_header_t; 221 | 222 | 223 | #pragma pack(pop) 224 | 225 | #endif -------------------------------------------------------------------------------- /pluginsdk/yara/yara/error.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_ERROR_H 18 | #define YR_ERROR_H 19 | 20 | #include 21 | 22 | #ifdef _WIN32 23 | #include 24 | #endif 25 | 26 | #ifndef ERROR_SUCCESS 27 | #define ERROR_SUCCESS 0 28 | #endif 29 | 30 | #define ERROR_INSUFICIENT_MEMORY 1 31 | #define ERROR_COULD_NOT_ATTACH_TO_PROCESS 2 32 | #define ERROR_COULD_NOT_OPEN_FILE 3 33 | #define ERROR_COULD_NOT_MAP_FILE 4 34 | #define ERROR_INVALID_FILE 6 35 | #define ERROR_CORRUPT_FILE 7 36 | #define ERROR_UNSUPPORTED_FILE_VERSION 8 37 | #define ERROR_INVALID_REGULAR_EXPRESSION 9 38 | #define ERROR_INVALID_HEX_STRING 10 39 | #define ERROR_SYNTAX_ERROR 11 40 | #define ERROR_LOOP_NESTING_LIMIT_EXCEEDED 12 41 | #define ERROR_DUPLICATED_LOOP_IDENTIFIER 13 42 | #define ERROR_DUPLICATED_IDENTIFIER 14 43 | #define ERROR_DUPLICATED_TAG_IDENTIFIER 15 44 | #define ERROR_DUPLICATED_META_IDENTIFIER 16 45 | #define ERROR_DUPLICATED_STRING_IDENTIFIER 17 46 | #define ERROR_UNREFERENCED_STRING 18 47 | #define ERROR_UNDEFINED_STRING 19 48 | #define ERROR_UNDEFINED_IDENTIFIER 20 49 | #define ERROR_MISPLACED_ANONYMOUS_STRING 21 50 | #define ERROR_INCLUDES_CIRCULAR_REFERENCE 22 51 | #define ERROR_INCLUDE_DEPTH_EXCEEDED 23 52 | #define ERROR_WRONG_TYPE 24 53 | #define ERROR_EXEC_STACK_OVERFLOW 25 54 | #define ERROR_SCAN_TIMEOUT 26 55 | #define ERROR_TOO_MANY_SCAN_THREADS 27 56 | #define ERROR_CALLBACK_ERROR 28 57 | #define ERROR_INVALID_ARGUMENT 29 58 | #define ERROR_TOO_MANY_MATCHES 30 59 | #define ERROR_INTERNAL_FATAL_ERROR 31 60 | #define ERROR_NESTED_FOR_OF_LOOP 32 61 | #define ERROR_INVALID_FIELD_NAME 33 62 | #define ERROR_UNKNOWN_MODULE 34 63 | #define ERROR_NOT_A_STRUCTURE 35 64 | #define ERROR_NOT_INDEXABLE 36 65 | #define ERROR_NOT_A_FUNCTION 37 66 | #define ERROR_INVALID_FORMAT 38 67 | #define ERROR_TOO_MANY_ARGUMENTS 39 68 | #define ERROR_WRONG_ARGUMENTS 40 69 | #define ERROR_WRONG_RETURN_TYPE 41 70 | #define ERROR_DUPLICATED_STRUCTURE_MEMBER 42 71 | #define ERROR_EMPTY_STRING 43 72 | #define ERROR_DIVISION_BY_ZERO 44 73 | #define ERROR_REGULAR_EXPRESSION_TOO_LARGE 45 74 | 75 | 76 | #define FAIL_ON_ERROR(x) { \ 77 | int result = (x); \ 78 | if (result != ERROR_SUCCESS) \ 79 | return result; \ 80 | } 81 | 82 | #define FAIL_ON_ERROR_WITH_CLEANUP(x, cleanup) { \ 83 | int result = (x); \ 84 | if (result != ERROR_SUCCESS) { \ 85 | cleanup; \ 86 | return result; \ 87 | } \ 88 | } 89 | 90 | #define FAIL_ON_COMPILER_ERROR(x) { \ 91 | compiler->last_result = (x); \ 92 | if (compiler->last_result != ERROR_SUCCESS) \ 93 | return compiler->last_result; \ 94 | } 95 | 96 | 97 | #ifdef NDEBUG 98 | #define assertf(expr, msg, ...) ((void)0) 99 | #else 100 | #define assertf(expr, msg, ...) \ 101 | if(!(expr)) { \ 102 | fprintf(stderr, "%s:%d: " msg "\n", __FILE__, __LINE__, ##__VA_ARGS__); \ 103 | abort(); \ 104 | } 105 | #endif 106 | 107 | #endif 108 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/exec.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013-2014. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_EXEC_H 18 | #define YR_EXEC_H 19 | 20 | #include "hash.h" 21 | #include "scan.h" 22 | #include "types.h" 23 | #include "rules.h" 24 | 25 | 26 | #define UNDEFINED 0xFFFABADAFABADAFFLL 27 | #define IS_UNDEFINED(x) ((size_t)(x) == (size_t) UNDEFINED) 28 | 29 | #define OP_ERROR 0 30 | #define OP_HALT 255 31 | 32 | #define OP_AND 1 33 | #define OP_OR 2 34 | #define OP_NOT 3 35 | #define OP_BITWISE_NOT 4 36 | #define OP_BITWISE_AND 5 37 | #define OP_BITWISE_OR 6 38 | #define OP_BITWISE_XOR 7 39 | #define OP_SHL 8 40 | #define OP_SHR 9 41 | #define OP_MOD 10 42 | #define OP_INT_TO_DBL 11 43 | #define OP_STR_TO_BOOL 12 44 | #define OP_PUSH 13 45 | #define OP_POP 14 46 | #define OP_CALL 15 47 | #define OP_OBJ_LOAD 16 48 | #define OP_OBJ_VALUE 17 49 | #define OP_OBJ_FIELD 18 50 | #define OP_INDEX_ARRAY 19 51 | #define OP_COUNT 20 52 | #define OP_LENGTH 21 53 | #define OP_FOUND 22 54 | #define OP_FOUND_AT 23 55 | #define OP_FOUND_IN 24 56 | #define OP_OFFSET 25 57 | #define OP_OF 26 58 | #define OP_PUSH_RULE 27 59 | #define OP_INIT_RULE 28 60 | #define OP_MATCH_RULE 29 61 | #define OP_INCR_M 30 62 | #define OP_CLEAR_M 31 63 | #define OP_ADD_M 32 64 | #define OP_POP_M 33 65 | #define OP_PUSH_M 34 66 | #define OP_SWAPUNDEF 35 67 | #define OP_JNUNDEF 36 68 | #define OP_JLE 37 69 | #define OP_FILESIZE 38 70 | #define OP_ENTRYPOINT 39 71 | #define OP_CONTAINS 40 72 | #define OP_MATCHES 41 73 | #define OP_IMPORT 42 74 | #define OP_LOOKUP_DICT 43 75 | #define OP_JFALSE 44 76 | #define OP_JTRUE 45 77 | 78 | 79 | #define _OP_EQ 0 80 | #define _OP_NEQ 1 81 | #define _OP_LT 2 82 | #define _OP_GT 3 83 | #define _OP_LE 4 84 | #define _OP_GE 5 85 | #define _OP_ADD 6 86 | #define _OP_SUB 7 87 | #define _OP_MUL 8 88 | #define _OP_DIV 9 89 | #define _OP_MINUS 10 90 | 91 | 92 | #define OP_INT_BEGIN 100 93 | #define OP_INT_EQ (OP_INT_BEGIN + _OP_EQ) 94 | #define OP_INT_NEQ (OP_INT_BEGIN + _OP_NEQ) 95 | #define OP_INT_LT (OP_INT_BEGIN + _OP_LT) 96 | #define OP_INT_GT (OP_INT_BEGIN + _OP_GT) 97 | #define OP_INT_LE (OP_INT_BEGIN + _OP_LE) 98 | #define OP_INT_GE (OP_INT_BEGIN + _OP_GE) 99 | #define OP_INT_ADD (OP_INT_BEGIN + _OP_ADD) 100 | #define OP_INT_SUB (OP_INT_BEGIN + _OP_SUB) 101 | #define OP_INT_MUL (OP_INT_BEGIN + _OP_MUL) 102 | #define OP_INT_DIV (OP_INT_BEGIN + _OP_DIV) 103 | #define OP_INT_MINUS (OP_INT_BEGIN + _OP_MINUS) 104 | #define OP_INT_END OP_INT_MINUS 105 | 106 | #define OP_DBL_BEGIN 120 107 | #define OP_DBL_EQ (OP_DBL_BEGIN + _OP_EQ) 108 | #define OP_DBL_NEQ (OP_DBL_BEGIN + _OP_NEQ) 109 | #define OP_DBL_LT (OP_DBL_BEGIN + _OP_LT) 110 | #define OP_DBL_GT (OP_DBL_BEGIN + _OP_GT) 111 | #define OP_DBL_LE (OP_DBL_BEGIN + _OP_LE) 112 | #define OP_DBL_GE (OP_DBL_BEGIN + _OP_GE) 113 | #define OP_DBL_ADD (OP_DBL_BEGIN + _OP_ADD) 114 | #define OP_DBL_SUB (OP_DBL_BEGIN + _OP_SUB) 115 | #define OP_DBL_MUL (OP_DBL_BEGIN + _OP_MUL) 116 | #define OP_DBL_DIV (OP_DBL_BEGIN + _OP_DIV) 117 | #define OP_DBL_MINUS (OP_DBL_BEGIN + _OP_MINUS) 118 | #define OP_DBL_END OP_DBL_MINUS 119 | 120 | #define OP_STR_BEGIN 140 121 | #define OP_STR_EQ (OP_STR_BEGIN + _OP_EQ) 122 | #define OP_STR_NEQ (OP_STR_BEGIN + _OP_NEQ) 123 | #define OP_STR_LT (OP_STR_BEGIN + _OP_LT) 124 | #define OP_STR_GT (OP_STR_BEGIN + _OP_GT) 125 | #define OP_STR_LE (OP_STR_BEGIN + _OP_LE) 126 | #define OP_STR_GE (OP_STR_BEGIN + _OP_GE) 127 | #define OP_STR_END OP_STR_GE 128 | 129 | #define IS_INT_OP(x) ((x) >= OP_INT_BEGIN && (x) <= OP_INT_END) 130 | #define IS_DBL_OP(x) ((x) >= OP_DBL_BEGIN && (x) <= OP_DBL_END) 131 | #define IS_STR_OP(x) ((x) >= OP_STR_BEGIN && (x) <= OP_STR_END) 132 | 133 | #define OP_READ_INT 240 134 | #define OP_INT8 (OP_READ_INT + 0) 135 | #define OP_INT16 (OP_READ_INT + 1) 136 | #define OP_INT32 (OP_READ_INT + 2) 137 | #define OP_UINT8 (OP_READ_INT + 3) 138 | #define OP_UINT16 (OP_READ_INT + 4) 139 | #define OP_UINT32 (OP_READ_INT + 5) 140 | #define OP_INT8BE (OP_READ_INT + 6) 141 | #define OP_INT16BE (OP_READ_INT + 7) 142 | #define OP_INT32BE (OP_READ_INT + 8) 143 | #define OP_UINT8BE (OP_READ_INT + 9) 144 | #define OP_UINT16BE (OP_READ_INT + 10) 145 | #define OP_UINT32BE (OP_READ_INT + 11) 146 | 147 | 148 | #define OPERATION(operator, op1, op2) \ 149 | (IS_UNDEFINED(op1) || IS_UNDEFINED(op2)) ? (UNDEFINED) : (op1 operator op2) 150 | 151 | 152 | #define COMPARISON(operator, op1, op2) \ 153 | (IS_UNDEFINED(op1) || IS_UNDEFINED(op2)) ? (0) : (op1 operator op2) 154 | 155 | 156 | int yr_execute_code( 157 | YR_RULES* rules, 158 | YR_SCAN_CONTEXT* context, 159 | int timeout, 160 | time_t start_time); 161 | 162 | #endif 163 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/exefiles.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_EXEFILES_H 18 | #define YR_EXEFILES_H 19 | 20 | uint64_t yr_get_entry_point_offset( 21 | uint8_t* buffer, 22 | size_t buffer_length); 23 | 24 | 25 | uint64_t yr_get_entry_point_address( 26 | uint8_t* buffer, 27 | size_t buffer_length, 28 | size_t base_address); 29 | 30 | #endif 31 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/filemap.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_FILEMAP_H 18 | #define YR_FILEMAP_H 19 | 20 | #ifdef _MSC_VER 21 | #define off_t int64_t 22 | #else 23 | #include 24 | #endif 25 | 26 | #ifdef _WIN32 27 | #include 28 | #define YR_FILE_DESCRIPTOR HANDLE 29 | #else 30 | #define YR_FILE_DESCRIPTOR int 31 | #endif 32 | 33 | #include 34 | #include 35 | 36 | #include "utils.h" 37 | 38 | 39 | typedef struct _YR_MAPPED_FILE 40 | { 41 | YR_FILE_DESCRIPTOR file; 42 | size_t size; 43 | uint8_t* data; 44 | #ifdef _WIN32 45 | HANDLE mapping; 46 | #endif 47 | 48 | } YR_MAPPED_FILE; 49 | 50 | 51 | YR_API int yr_filemap_map( 52 | const char* file_path, 53 | YR_MAPPED_FILE* pmapped_file); 54 | 55 | 56 | YR_API int yr_filemap_map_fd( 57 | YR_FILE_DESCRIPTOR file, 58 | off_t offset, 59 | size_t size, 60 | YR_MAPPED_FILE* pmapped_file); 61 | 62 | 63 | YR_API int yr_filemap_map_ex( 64 | const char* file_path, 65 | off_t offset, 66 | size_t size, 67 | YR_MAPPED_FILE* pmapped_file); 68 | 69 | 70 | YR_API void yr_filemap_unmap( 71 | YR_MAPPED_FILE* pmapped_file); 72 | 73 | #endif 74 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/globals.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_GLOBALS_H 18 | #define YR_GLOBALS_H 19 | 20 | extern char lowercase[256]; 21 | extern char altercase[256]; 22 | 23 | #endif 24 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/hash.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_HASH_H 18 | #define YR_HASH_H 19 | 20 | #include "utils.h" 21 | 22 | typedef struct _YR_HASH_TABLE_ENTRY 23 | { 24 | char* key; 25 | char* ns; 26 | void* value; 27 | 28 | struct _YR_HASH_TABLE_ENTRY* next; 29 | 30 | } YR_HASH_TABLE_ENTRY; 31 | 32 | 33 | typedef struct _YR_HASH_TABLE 34 | { 35 | int size; 36 | 37 | YR_HASH_TABLE_ENTRY* buckets[1]; 38 | 39 | } YR_HASH_TABLE; 40 | 41 | 42 | typedef int (*YR_HASH_TABLE_FREE_VALUE_FUNC)(void* value); 43 | 44 | 45 | YR_API int yr_hash_table_create( 46 | int size, 47 | YR_HASH_TABLE** table); 48 | 49 | 50 | YR_API void yr_hash_table_destroy( 51 | YR_HASH_TABLE* table, 52 | YR_HASH_TABLE_FREE_VALUE_FUNC free_value); 53 | 54 | 55 | YR_API void* yr_hash_table_lookup( 56 | YR_HASH_TABLE* table, 57 | const char* key, 58 | const char* ns); 59 | 60 | 61 | YR_API int yr_hash_table_add( 62 | YR_HASH_TABLE* table, 63 | const char* key, 64 | const char* ns, 65 | void* value); 66 | 67 | #endif 68 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/hex_lexer.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. Victor M. Alvarez [plusvic@gmail.com]. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #include "re.h" 18 | 19 | #undef yyparse 20 | #undef yylex 21 | #undef yyerror 22 | #undef yyfatal 23 | #undef yychar 24 | #undef yydebug 25 | #undef yynerrs 26 | #undef yyget_extra 27 | #undef yyget_lineno 28 | 29 | #undef YY_FATAL_ERROR 30 | #undef YY_DECL 31 | #undef LEX_ENV 32 | 33 | #define yyparse hex_yyparse 34 | #define yylex hex_yylex 35 | #define yyerror hex_yyerror 36 | #define yyfatal hex_yyfatal 37 | #define yychar hex_yychar 38 | #define yydebug hex_yydebug 39 | #define yynerrs hex_yynerrs 40 | #define yyget_extra hex_yyget_extra 41 | #define yyget_lineno hex_yyget_lineno 42 | 43 | 44 | #ifndef YY_TYPEDEF_YY_SCANNER_T 45 | #define YY_TYPEDEF_YY_SCANNER_T 46 | typedef void* yyscan_t; 47 | #endif 48 | 49 | #define YY_EXTRA_TYPE RE* 50 | #define YY_USE_CONST 51 | 52 | 53 | typedef struct _HEX_LEX_ENVIRONMENT 54 | { 55 | int token_count; 56 | int inside_or; 57 | int last_error_code; 58 | char last_error_message[256]; 59 | 60 | } HEX_LEX_ENVIRONMENT; 61 | 62 | 63 | #define YY_FATAL_ERROR(msg) hex_yyfatal(yyscanner, msg) 64 | 65 | #define LEX_ENV ((HEX_LEX_ENVIRONMENT*) lex_env) 66 | 67 | #include 68 | 69 | #define YY_DECL int hex_yylex \ 70 | (YYSTYPE * yylval_param , yyscan_t yyscanner, HEX_LEX_ENVIRONMENT* lex_env) 71 | 72 | 73 | YY_EXTRA_TYPE yyget_extra( 74 | yyscan_t yyscanner); 75 | 76 | int yylex( 77 | YYSTYPE* yylval_param, 78 | yyscan_t yyscanner, 79 | HEX_LEX_ENVIRONMENT* lex_env); 80 | 81 | int yyparse( 82 | void* yyscanner, 83 | HEX_LEX_ENVIRONMENT* lex_env); 84 | 85 | void yyerror( 86 | yyscan_t yyscanner, 87 | HEX_LEX_ENVIRONMENT* lex_env, 88 | const char* error_message); 89 | 90 | void yyfatal( 91 | yyscan_t yyscanner, 92 | const char* error_message); 93 | 94 | int yr_parse_hex_string( 95 | const char* hex_string, 96 | int flags, 97 | RE** re, 98 | RE_ERROR* error); 99 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/lexer.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. Victor M. Alvarez [plusvic@gmail.com]. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #include "compiler.h" 18 | 19 | 20 | #undef yyparse 21 | #undef yylex 22 | #undef yyerror 23 | #undef yyfatal 24 | #undef yychar 25 | #undef yydebug 26 | #undef yynerrs 27 | #undef yyget_extra 28 | #undef yyget_lineno 29 | 30 | #undef YY_DECL 31 | #undef YY_FATAL_ERROR 32 | #undef YY_EXTRA_TYPE 33 | 34 | #define yyparse yara_yyparse 35 | #define yylex yara_yylex 36 | #define yyerror yara_yyerror 37 | #define yyfatal yara_yyfatal 38 | #define yywarning yara_yywarning 39 | #define yychar yara_yychar 40 | #define yydebug yara_yydebug 41 | #define yynerrs yara_yynerrs 42 | #define yyget_extra yara_yyget_extra 43 | #define yyget_lineno yara_yyget_lineno 44 | 45 | 46 | #ifndef YY_TYPEDEF_YY_SCANNER_T 47 | #define YY_TYPEDEF_YY_SCANNER_T 48 | typedef void* yyscan_t; 49 | #endif 50 | 51 | #ifndef YY_TYPEDEF_EXPRESSION_T 52 | #define YY_TYPEDEF_EXPRESSION_T 53 | 54 | 55 | // Expression type constants are powers of two because they are used as flags. 56 | // For example: 57 | // CHECK_TYPE(whatever, EXPRESSION_TYPE_INTEGER | EXPRESSION_TYPE_FLOAT) 58 | // The expression above is used to ensure that the type of "whatever" is either 59 | // integer or float. 60 | 61 | #define EXPRESSION_TYPE_BOOLEAN 1 62 | #define EXPRESSION_TYPE_INTEGER 2 63 | #define EXPRESSION_TYPE_STRING 4 64 | #define EXPRESSION_TYPE_REGEXP 8 65 | #define EXPRESSION_TYPE_OBJECT 16 66 | #define EXPRESSION_TYPE_FLOAT 32 67 | 68 | typedef struct _EXPRESSION 69 | { 70 | int type; 71 | 72 | union 73 | { 74 | int64_t integer; 75 | YR_OBJECT* object; 76 | } value; 77 | 78 | const char* identifier; 79 | 80 | } EXPRESSION; 81 | 82 | union YYSTYPE; 83 | 84 | #endif 85 | 86 | 87 | #define YY_DECL int yylex( \ 88 | union YYSTYPE* yylval_param, yyscan_t yyscanner, YR_COMPILER* compiler) 89 | 90 | 91 | #define YY_FATAL_ERROR(msg) yara_yyfatal(yyscanner, msg) 92 | 93 | 94 | #define YY_EXTRA_TYPE YR_COMPILER* 95 | #define YY_USE_CONST 96 | 97 | 98 | int yyget_lineno(yyscan_t yyscanner); 99 | 100 | int yylex( 101 | union YYSTYPE* yylval_param, 102 | yyscan_t yyscanner, 103 | YR_COMPILER* compiler); 104 | 105 | int yyparse( 106 | void* yyscanner, 107 | YR_COMPILER* compiler); 108 | 109 | void yyerror( 110 | yyscan_t yyscanner, 111 | YR_COMPILER* compiler, 112 | const char* error_message); 113 | 114 | void yywarning( 115 | yyscan_t yyscanner, 116 | const char* warning_message); 117 | 118 | void yyfatal( 119 | yyscan_t yyscanner, 120 | const char* error_message); 121 | 122 | YY_EXTRA_TYPE yyget_extra( 123 | yyscan_t yyscanner); 124 | 125 | int yr_lex_parse_rules_string( 126 | const char* rules_string, 127 | YR_COMPILER* compiler); 128 | 129 | int yr_lex_parse_rules_file( 130 | FILE* rules_file, 131 | YR_COMPILER* compiler); 132 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/libyara.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_LIBYARA_H 18 | #define YR_LIBYARA_H 19 | 20 | #include "utils.h" 21 | 22 | #define YR_MAJOR_VERSION 3 23 | #define YR_MINOR_VERSION 4 24 | #define YR_MICRO_VERSION 0 25 | 26 | // Version as a string 27 | #define YR_VERSION "3.4.0" 28 | 29 | // Version as a single 4-byte hex number, e.g. 0x030401 == 3.4.1. 30 | #define YR_VERSION_HEX ((YR_MAJOR_VERSION << 16) | \ 31 | (YR_MINOR_VERSION << 8) | \ 32 | (YR_MICRO_VERSION << 0)) 33 | 34 | 35 | YR_API int yr_initialize(void); 36 | 37 | 38 | YR_API int yr_finalize(void); 39 | 40 | 41 | YR_API void yr_finalize_thread(void); 42 | 43 | 44 | YR_API int yr_get_tidx(void); 45 | 46 | 47 | YR_API void yr_set_tidx(int); 48 | 49 | #endif 50 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/limits.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_LIMITS_H 18 | #define YR_LIMITS_H 19 | 20 | #ifdef _WIN32 21 | #include 22 | #endif 23 | 24 | 25 | // MAX_THREADS is the number of threads that can use a YR_RULES 26 | // object simultaneosly. This value is limited by the number of 27 | // bits in tidx_mask. 28 | 29 | #define MAX_THREADS 32 30 | 31 | 32 | #ifndef MAX_PATH 33 | #define MAX_PATH 1024 34 | #endif 35 | 36 | #define MAX_COMPILER_ERROR_EXTRA_INFO 256 37 | #define MAX_ATOM_LENGTH 4 38 | #define MAX_LOOP_NESTING 4 39 | #define MAX_ARENA_PAGES 32 40 | #define MAX_INCLUDE_DEPTH 16 41 | #define MAX_STRING_MATCHES 1000000 42 | #define MAX_FUNCTION_ARGS 128 43 | #define MAX_FAST_HEX_RE_STACK 300 44 | #define MAX_OVERLOADED_FUNCTIONS 10 45 | #define MAX_HEX_STRING_TOKENS 10000 46 | 47 | #define LOOP_LOCAL_VARS 4 48 | #define STRING_CHAINING_THRESHOLD 200 49 | #define LEX_BUF_SIZE 8192 50 | 51 | 52 | #endif 53 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/mem.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_MEM_H 18 | #define YR_MEM_H 19 | 20 | #include 21 | 22 | #include "config.h" 23 | 24 | #ifdef DMALLOC 25 | 26 | #define yr_malloc malloc 27 | #define yr_calloc calloc 28 | #define yr_realloc realloc 29 | #define yr_free free 30 | #define yr_strdup strdup 31 | #define yr_strndup strndup 32 | 33 | #include 34 | 35 | #else 36 | 37 | void* yr_calloc( 38 | size_t count, 39 | size_t size); 40 | 41 | void* yr_malloc( 42 | size_t size); 43 | 44 | void* yr_realloc( 45 | void* ptr, 46 | size_t size); 47 | 48 | void yr_free( 49 | void* ptr); 50 | 51 | char* yr_strdup( 52 | const char* str); 53 | 54 | char* yr_strndup( 55 | const char* str, size_t n); 56 | 57 | #endif 58 | 59 | int yr_heap_alloc(); 60 | 61 | int yr_heap_free(); 62 | 63 | #endif 64 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/object.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_OBJECT_H 18 | #define YR_OBJECT_H 19 | 20 | #ifdef _MSC_VER 21 | #include 22 | #define isnan _isnan 23 | //#define INFINITY (DBL_MAX + DBL_MAX) 24 | //#define NAN (INFINITY-INFINITY) 25 | #endif 26 | 27 | #include "types.h" 28 | 29 | 30 | #define OBJECT_CREATE 1 31 | 32 | #define OBJECT_TYPE_INTEGER 1 33 | #define OBJECT_TYPE_STRING 2 34 | #define OBJECT_TYPE_STRUCTURE 3 35 | #define OBJECT_TYPE_ARRAY 4 36 | #define OBJECT_TYPE_FUNCTION 5 37 | #define OBJECT_TYPE_REGEXP 6 38 | #define OBJECT_TYPE_DICTIONARY 7 39 | #define OBJECT_TYPE_FLOAT 8 40 | 41 | 42 | int yr_object_create( 43 | int8_t type, 44 | const char* identifier, 45 | YR_OBJECT* parent, 46 | YR_OBJECT** object); 47 | 48 | 49 | int yr_object_function_create( 50 | const char* identifier, 51 | const char* arguments_fmt, 52 | const char* return_fmt, 53 | YR_MODULE_FUNC func, 54 | YR_OBJECT* parent, 55 | YR_OBJECT** function); 56 | 57 | 58 | int yr_object_from_external_variable( 59 | YR_EXTERNAL_VARIABLE* external, 60 | YR_OBJECT** object); 61 | 62 | 63 | void yr_object_destroy( 64 | YR_OBJECT* object); 65 | 66 | 67 | YR_OBJECT* yr_object_lookup_field( 68 | YR_OBJECT* object, 69 | const char* field_name); 70 | 71 | 72 | YR_OBJECT* yr_object_lookup( 73 | YR_OBJECT* root, 74 | int flags, 75 | const char* pattern, 76 | ...); 77 | 78 | 79 | int yr_object_has_undefined_value( 80 | YR_OBJECT* object, 81 | const char* field, 82 | ...); 83 | 84 | int64_t yr_object_get_integer( 85 | YR_OBJECT* object, 86 | const char* field, 87 | ...); 88 | 89 | 90 | SIZED_STRING* yr_object_get_string( 91 | YR_OBJECT* object, 92 | const char* field, 93 | ...); 94 | 95 | 96 | int yr_object_set_integer( 97 | int64_t value, 98 | YR_OBJECT* object, 99 | const char* field, 100 | ...); 101 | 102 | 103 | int yr_object_set_float( 104 | double value, 105 | YR_OBJECT* object, 106 | const char* field, 107 | ...); 108 | 109 | 110 | int yr_object_set_string( 111 | const char* value, 112 | size_t len, 113 | YR_OBJECT* object, 114 | const char* field, 115 | ...); 116 | 117 | 118 | YR_OBJECT* yr_object_array_get_item( 119 | YR_OBJECT* object, 120 | int flags, 121 | int index); 122 | 123 | 124 | int yr_object_array_set_item( 125 | YR_OBJECT* object, 126 | YR_OBJECT* item, 127 | int index); 128 | 129 | 130 | YR_OBJECT* yr_object_dict_get_item( 131 | YR_OBJECT* object, 132 | int flags, 133 | const char* key); 134 | 135 | 136 | int yr_object_dict_set_item( 137 | YR_OBJECT* object, 138 | YR_OBJECT* item, 139 | const char* key); 140 | 141 | 142 | int yr_object_structure_set_member( 143 | YR_OBJECT* object, 144 | YR_OBJECT* member); 145 | 146 | 147 | YR_OBJECT* yr_object_get_root( 148 | YR_OBJECT* object); 149 | 150 | 151 | void yr_object_print_data( 152 | YR_OBJECT* object, 153 | int indent, 154 | int print_identifier); 155 | 156 | 157 | #endif 158 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/parser.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_PARSER_H 18 | #define YR_PARSER_H 19 | 20 | 21 | #include "lexer.h" 22 | 23 | 24 | int yr_parser_emit( 25 | yyscan_t yyscanner, 26 | uint8_t instruction, 27 | uint8_t** instruction_address); 28 | 29 | 30 | int yr_parser_emit_with_arg( 31 | yyscan_t yyscanner, 32 | uint8_t instruction, 33 | int64_t argument, 34 | uint8_t** instruction_address, 35 | int64_t** argument_address); 36 | 37 | 38 | int yr_parser_emit_with_arg_double( 39 | yyscan_t yyscanner, 40 | uint8_t instruction, 41 | double argument, 42 | uint8_t** instruction_address, 43 | double** argument_address); 44 | 45 | 46 | int yr_parser_emit_with_arg_reloc( 47 | yyscan_t yyscanner, 48 | uint8_t instruction, 49 | int64_t argument, 50 | uint8_t** instruction_address, 51 | int64_t** argument_address); 52 | 53 | 54 | int yr_parser_check_types( 55 | YR_COMPILER* compiler, 56 | YR_OBJECT_FUNCTION* function, 57 | const char* actual_args_fmt); 58 | 59 | 60 | YR_STRING* yr_parser_lookup_string( 61 | yyscan_t yyscanner, 62 | const char* identifier); 63 | 64 | 65 | int yr_parser_lookup_loop_variable( 66 | yyscan_t yyscanner, 67 | const char* identifier); 68 | 69 | 70 | YR_RULE* yr_parser_reduce_rule_declaration_phase_1( 71 | yyscan_t yyscanner, 72 | int32_t flags, 73 | const char* identifier, 74 | char* tags, 75 | YR_STRING* strings, 76 | YR_META* metas); 77 | 78 | 79 | int yr_parser_reduce_rule_declaration_phase_2( 80 | yyscan_t yyscanner, 81 | YR_RULE* rule); 82 | 83 | 84 | YR_STRING* yr_parser_reduce_string_declaration( 85 | yyscan_t yyscanner, 86 | int32_t flags, 87 | const char* identifier, 88 | SIZED_STRING* str); 89 | 90 | 91 | YR_META* yr_parser_reduce_meta_declaration( 92 | yyscan_t yyscanner, 93 | int32_t type, 94 | const char* identifier, 95 | const char* string, 96 | int64_t integer); 97 | 98 | 99 | int yr_parser_reduce_string_identifier( 100 | yyscan_t yyscanner, 101 | const char* identifier, 102 | uint8_t instruction, 103 | uint64_t at_offset); 104 | 105 | 106 | int yr_parser_emit_pushes_for_strings( 107 | yyscan_t yyscanner, 108 | const char* identifier); 109 | 110 | 111 | int yr_parser_reduce_external( 112 | yyscan_t yyscanner, 113 | const char* identifier, 114 | uint8_t intruction); 115 | 116 | 117 | int yr_parser_reduce_import( 118 | yyscan_t yyscanner, 119 | SIZED_STRING* module_name); 120 | 121 | 122 | int yr_parser_reduce_operation( 123 | yyscan_t yyscanner, 124 | const char* operation, 125 | EXPRESSION left_operand, 126 | EXPRESSION right_operand); 127 | 128 | #endif 129 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/proc.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_PROC_H 18 | #define YR_PROC_H 19 | 20 | #include "types.h" 21 | 22 | int yr_process_get_memory( 23 | int pid, 24 | YR_MEMORY_BLOCK** first_block); 25 | 26 | #endif 27 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/re.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_RE_H 18 | #define YR_RE_H 19 | 20 | #include 21 | 22 | #include "arena.h" 23 | #include "sizedstr.h" 24 | 25 | #define RE_NODE_LITERAL 1 26 | #define RE_NODE_MASKED_LITERAL 2 27 | #define RE_NODE_ANY 3 28 | #define RE_NODE_CONCAT 4 29 | #define RE_NODE_ALT 5 30 | #define RE_NODE_RANGE 6 31 | #define RE_NODE_STAR 7 32 | #define RE_NODE_PLUS 8 33 | #define RE_NODE_CLASS 9 34 | #define RE_NODE_WORD_CHAR 10 35 | #define RE_NODE_NON_WORD_CHAR 11 36 | #define RE_NODE_SPACE 12 37 | #define RE_NODE_NON_SPACE 13 38 | #define RE_NODE_DIGIT 14 39 | #define RE_NODE_NON_DIGIT 15 40 | #define RE_NODE_EMPTY 16 41 | #define RE_NODE_ANCHOR_START 17 42 | #define RE_NODE_ANCHOR_END 18 43 | #define RE_NODE_WORD_BOUNDARY 19 44 | #define RE_NODE_NON_WORD_BOUNDARY 20 45 | 46 | 47 | #define RE_OPCODE_ANY 0xA0 48 | #define RE_OPCODE_ANY_EXCEPT_NEW_LINE 0xA1 49 | #define RE_OPCODE_LITERAL 0xA2 50 | #define RE_OPCODE_LITERAL_NO_CASE 0xA3 51 | #define RE_OPCODE_MASKED_LITERAL 0xA4 52 | #define RE_OPCODE_CLASS 0xA5 53 | #define RE_OPCODE_CLASS_NO_CASE 0xA6 54 | #define RE_OPCODE_WORD_CHAR 0xA7 55 | #define RE_OPCODE_NON_WORD_CHAR 0xA8 56 | #define RE_OPCODE_SPACE 0xA9 57 | #define RE_OPCODE_NON_SPACE 0xAA 58 | #define RE_OPCODE_DIGIT 0xAB 59 | #define RE_OPCODE_NON_DIGIT 0xAC 60 | #define RE_OPCODE_MATCH 0xAD 61 | 62 | #define RE_OPCODE_MATCH_AT_END 0xB0 63 | #define RE_OPCODE_MATCH_AT_START 0xB1 64 | #define RE_OPCODE_WORD_BOUNDARY 0xB2 65 | #define RE_OPCODE_NON_WORD_BOUNDARY 0xB3 66 | 67 | #define RE_OPCODE_SPLIT_A 0xC0 68 | #define RE_OPCODE_SPLIT_B 0xC1 69 | #define RE_OPCODE_PUSH 0xC2 70 | #define RE_OPCODE_POP 0xC3 71 | #define RE_OPCODE_JNZ 0xC4 72 | #define RE_OPCODE_JUMP 0xC5 73 | 74 | 75 | #define RE_FLAGS_FAST_HEX_REGEXP 0x02 76 | #define RE_FLAGS_BACKWARDS 0x04 77 | #define RE_FLAGS_EXHAUSTIVE 0x08 78 | #define RE_FLAGS_WIDE 0x10 79 | #define RE_FLAGS_NO_CASE 0x20 80 | #define RE_FLAGS_SCAN 0x40 81 | #define RE_FLAGS_DOT_ALL 0x80 82 | #define RE_FLAGS_NOT_AT_START 0x100 83 | #define RE_FLAGS_GREEDY 0x400 84 | #define RE_FLAGS_UNGREEDY 0x800 85 | 86 | 87 | typedef struct RE RE; 88 | typedef struct RE_NODE RE_NODE; 89 | typedef struct RE_ERROR RE_ERROR; 90 | 91 | typedef uint8_t* RE_CODE; 92 | 93 | #define CHAR_IN_CLASS(chr, cls) \ 94 | ((cls)[(chr) / 8] & 1 << ((chr) % 8)) 95 | 96 | 97 | #define IS_WORD_CHAR(chr) \ 98 | (isalnum(chr) || (chr) == '_') 99 | 100 | 101 | struct RE_NODE 102 | { 103 | int type; 104 | 105 | union 106 | { 107 | int value; 108 | int count; 109 | int start; 110 | }; 111 | 112 | union 113 | { 114 | int mask; 115 | int end; 116 | }; 117 | 118 | int greedy; 119 | 120 | uint8_t* class_vector; 121 | 122 | RE_NODE* left; 123 | RE_NODE* right; 124 | 125 | RE_CODE forward_code; 126 | RE_CODE backward_code; 127 | }; 128 | 129 | 130 | struct RE 131 | { 132 | 133 | uint32_t flags; 134 | RE_NODE* root_node; 135 | YR_ARENA* code_arena; 136 | RE_CODE code; 137 | }; 138 | 139 | 140 | struct RE_ERROR 141 | { 142 | 143 | char message[512]; 144 | 145 | }; 146 | 147 | 148 | typedef int RE_MATCH_CALLBACK_FUNC( 149 | uint8_t* match, 150 | int match_length, 151 | int flags, 152 | void* args); 153 | 154 | 155 | int yr_re_create( 156 | RE** re); 157 | 158 | 159 | int yr_re_parse( 160 | const char* re_string, 161 | int flags, 162 | RE** re, 163 | RE_ERROR* error); 164 | 165 | 166 | int yr_re_parse_hex( 167 | const char* hex_string, 168 | int flags, 169 | RE** re, 170 | RE_ERROR* error); 171 | 172 | 173 | int yr_re_compile( 174 | const char* re_string, 175 | int flags, 176 | YR_ARENA* code_arena, 177 | RE** re, 178 | RE_ERROR* error); 179 | 180 | 181 | void yr_re_destroy( 182 | RE* re); 183 | 184 | 185 | void yr_re_print( 186 | RE* re); 187 | 188 | 189 | RE_NODE* yr_re_node_create( 190 | int type, 191 | RE_NODE* left, 192 | RE_NODE* right); 193 | 194 | 195 | void yr_re_node_destroy( 196 | RE_NODE* node); 197 | 198 | 199 | SIZED_STRING* yr_re_extract_literal( 200 | RE* re); 201 | 202 | 203 | int yr_re_contains_dot_star( 204 | RE* re); 205 | 206 | 207 | int yr_re_split_at_chaining_point( 208 | RE* re, 209 | RE** result_re, 210 | RE** remainder_re, 211 | int32_t* min_gap, 212 | int32_t* max_gap); 213 | 214 | 215 | int yr_re_emit_code( 216 | RE* re, 217 | YR_ARENA* arena); 218 | 219 | 220 | int yr_re_exec( 221 | RE_CODE re_code, 222 | uint8_t* input, 223 | size_t input_size, 224 | int flags, 225 | RE_MATCH_CALLBACK_FUNC callback, 226 | void* callback_args); 227 | 228 | 229 | int yr_re_match( 230 | RE_CODE re_code, 231 | const char* target); 232 | 233 | 234 | int yr_re_initialize(void); 235 | 236 | 237 | int yr_re_finalize(void); 238 | 239 | 240 | int yr_re_finalize_thread(void); 241 | 242 | #endif 243 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/re_lexer.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #undef yyparse 18 | #undef yylex 19 | #undef yyerror 20 | #undef yyfatal 21 | #undef yychar 22 | #undef yydebug 23 | #undef yynerrs 24 | #undef yyget_extra 25 | #undef yyget_lineno 26 | 27 | #undef YY_FATAL_ERROR 28 | #undef YY_DECL 29 | #undef LEX_ENV 30 | 31 | 32 | #define yyparse re_yyparse 33 | #define yylex re_yylex 34 | #define yyerror re_yyerror 35 | #define yyfatal re_yyfatal 36 | #define yychar re_yychar 37 | #define yydebug re_yydebug 38 | #define yynerrs re_yynerrs 39 | #define yyget_extra re_yyget_extra 40 | #define yyget_lineno re_yyget_lineno 41 | 42 | 43 | #ifndef YY_TYPEDEF_YY_SCANNER_T 44 | #define YY_TYPEDEF_YY_SCANNER_T 45 | typedef void* yyscan_t; 46 | #endif 47 | 48 | #define YY_EXTRA_TYPE RE* 49 | #define YY_USE_CONST 50 | 51 | 52 | typedef struct _RE_LEX_ENVIRONMENT 53 | { 54 | int negated_class; 55 | uint8_t class_vector[32]; 56 | int last_error_code; 57 | char last_error_message[256]; 58 | 59 | } RE_LEX_ENVIRONMENT; 60 | 61 | 62 | #define LEX_ENV ((RE_LEX_ENVIRONMENT*) lex_env) 63 | 64 | #define YY_FATAL_ERROR(msg) re_yyfatal(yyscanner, msg) 65 | 66 | #include 67 | 68 | #define YY_DECL int re_yylex \ 69 | (YYSTYPE * yylval_param , yyscan_t yyscanner, RE_LEX_ENVIRONMENT* lex_env) 70 | 71 | 72 | YY_EXTRA_TYPE yyget_extra( 73 | yyscan_t yyscanner); 74 | 75 | int yylex( 76 | YYSTYPE* yylval_param, 77 | yyscan_t yyscanner, 78 | RE_LEX_ENVIRONMENT* lex_env); 79 | 80 | int yyparse( 81 | void* yyscanner, 82 | RE_LEX_ENVIRONMENT* lex_env); 83 | 84 | void yyerror( 85 | yyscan_t yyscanner, 86 | RE_LEX_ENVIRONMENT* lex_env, 87 | const char* error_message); 88 | 89 | void yyfatal( 90 | yyscan_t yyscanner, 91 | const char* error_message); 92 | 93 | int yr_parse_re_string( 94 | const char* re_string, 95 | int flags, 96 | RE** re, 97 | RE_ERROR* error); 98 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/rules.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_RULES_H 18 | #define YR_RULES_H 19 | 20 | #include "types.h" 21 | #include "utils.h" 22 | #include "filemap.h" 23 | 24 | 25 | #define CALLBACK_MSG_RULE_MATCHING 1 26 | #define CALLBACK_MSG_RULE_NOT_MATCHING 2 27 | #define CALLBACK_MSG_SCAN_FINISHED 3 28 | #define CALLBACK_MSG_IMPORT_MODULE 4 29 | 30 | #define CALLBACK_CONTINUE 0 31 | #define CALLBACK_ABORT 1 32 | #define CALLBACK_ERROR 2 33 | 34 | 35 | #define yr_rule_tags_foreach(rule, tag_name) \ 36 | for (tag_name = rule->tags; \ 37 | tag_name != NULL && *tag_name != '\0'; \ 38 | tag_name += strlen(tag_name) + 1) 39 | 40 | 41 | #define yr_rule_metas_foreach(rule, meta) \ 42 | for (meta = rule->metas; !META_IS_NULL(meta); meta++) 43 | 44 | 45 | #define yr_rule_strings_foreach(rule, string) \ 46 | for (string = rule->strings; !STRING_IS_NULL(string); string++) 47 | 48 | 49 | #define yr_string_matches_foreach(string, match) \ 50 | for (match = STRING_MATCHES(string).head; match != NULL; match = match->next) 51 | 52 | 53 | #define yr_rules_foreach(rules, rule) \ 54 | for (rule = rules->rules_list_head; !RULE_IS_NULL(rule); rule++) 55 | 56 | 57 | 58 | YR_API int yr_rules_scan_mem( 59 | YR_RULES* rules, 60 | uint8_t* buffer, 61 | size_t buffer_size, 62 | int flags, 63 | YR_CALLBACK_FUNC callback, 64 | void* user_data, 65 | int timeout); 66 | 67 | 68 | YR_API int yr_rules_scan_file( 69 | YR_RULES* rules, 70 | const char* filename, 71 | int flags, 72 | YR_CALLBACK_FUNC callback, 73 | void* user_data, 74 | int timeout); 75 | 76 | 77 | YR_API int yr_rules_scan_fd( 78 | YR_RULES* rules, 79 | YR_FILE_DESCRIPTOR fd, 80 | int flags, 81 | YR_CALLBACK_FUNC callback, 82 | void* user_data, 83 | int timeout); 84 | 85 | 86 | YR_API int yr_rules_scan_proc( 87 | YR_RULES* rules, 88 | int pid, 89 | int flags, 90 | YR_CALLBACK_FUNC callback, 91 | void* user_data, 92 | int timeout); 93 | 94 | 95 | YR_API int yr_rules_save( 96 | YR_RULES* rules, 97 | const char* filename); 98 | 99 | 100 | YR_API int yr_rules_save_stream( 101 | YR_RULES* rules, 102 | YR_STREAM* stream); 103 | 104 | 105 | YR_API int yr_rules_load( 106 | const char* filename, 107 | YR_RULES** rules); 108 | 109 | 110 | YR_API int yr_rules_load_stream( 111 | YR_STREAM* stream, 112 | YR_RULES** rules); 113 | 114 | 115 | YR_API int yr_rules_destroy( 116 | YR_RULES* rules); 117 | 118 | 119 | YR_API int yr_rules_define_integer_variable( 120 | YR_RULES* rules, 121 | const char* identifier, 122 | int64_t value); 123 | 124 | 125 | YR_API int yr_rules_define_boolean_variable( 126 | YR_RULES* rules, 127 | const char* identifier, 128 | int value); 129 | 130 | 131 | YR_API int yr_rules_define_float_variable( 132 | YR_RULES* rules, 133 | const char* identifier, 134 | double value); 135 | 136 | 137 | YR_API int yr_rules_define_string_variable( 138 | YR_RULES* rules, 139 | const char* identifier, 140 | const char* value); 141 | 142 | 143 | YR_API void yr_rules_print_profiling_info( 144 | YR_RULES* rules); 145 | 146 | #endif 147 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/scan.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_SCAN_H 18 | #define YR_SCAN_H 19 | 20 | #include "types.h" 21 | 22 | // Bitmasks for flags. 23 | #define SCAN_FLAGS_FAST_MODE 1 24 | #define SCAN_FLAGS_PROCESS_MEMORY 2 25 | #define SCAN_FLAGS_SHOW_MODULE_DATA 4 26 | 27 | 28 | int yr_scan_verify_match( 29 | YR_SCAN_CONTEXT* context, 30 | YR_AC_MATCH* ac_match, 31 | uint8_t* data, 32 | size_t data_size, 33 | size_t data_base, 34 | size_t offset); 35 | 36 | #endif 37 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/sizedstr.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef _SIZEDSTR_H 18 | #define _SIZEDSTR_H 19 | 20 | #include 21 | 22 | // 23 | // This struct is used to support strings containing null chars. The length of 24 | // the string is stored along the string data. However the string data is also 25 | // terminated with a null char. 26 | // 27 | 28 | #define SIZED_STRING_FLAGS_NO_CASE 1 29 | #define SIZED_STRING_FLAGS_DOT_ALL 2 30 | 31 | typedef struct _SIZED_STRING 32 | { 33 | size_t length; 34 | int flags; 35 | char c_string[1]; 36 | 37 | } SIZED_STRING; 38 | 39 | 40 | int sized_string_cmp( 41 | SIZED_STRING* s1, 42 | SIZED_STRING* s2); 43 | 44 | #endif 45 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/stream.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2015. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_STREAM_H 18 | #define YR_STREAM_H 19 | 20 | #include 21 | 22 | typedef size_t (*YR_STREAM_READ_FUNC)( 23 | void* ptr, 24 | size_t size, 25 | size_t count, 26 | void* user_data); 27 | 28 | 29 | typedef size_t (*YR_STREAM_WRITE_FUNC)( 30 | const void* ptr, 31 | size_t size, 32 | size_t count, 33 | void* user_data); 34 | 35 | 36 | typedef struct _YR_STREAM 37 | { 38 | void* user_data; 39 | 40 | YR_STREAM_READ_FUNC read; 41 | YR_STREAM_WRITE_FUNC write; 42 | 43 | } YR_STREAM; 44 | 45 | 46 | size_t yr_stream_read( 47 | void* ptr, 48 | size_t size, 49 | size_t count, 50 | YR_STREAM* stream); 51 | 52 | 53 | size_t yr_stream_write( 54 | const void* ptr, 55 | size_t size, 56 | size_t count, 57 | YR_STREAM* stream); 58 | 59 | #endif 60 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/strutils.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | #ifndef YR_STRUTILS_H 18 | #define YR_STRUTILS_H 19 | 20 | #include 21 | #include 22 | #include 23 | 24 | #include "config.h" 25 | 26 | #ifdef _WIN32 27 | #define snprintf _snprintf 28 | #define strcasecmp _stricmp 29 | #define strncasecmp _strnicmp 30 | #endif 31 | 32 | 33 | uint64_t xtoi( 34 | const char* hexstr); 35 | 36 | 37 | #if !HAVE_STRLCPY && !defined(strlcpy) 38 | size_t strlcpy( 39 | char* dst, 40 | const char* src, 41 | size_t size); 42 | #endif 43 | 44 | 45 | #if !HAVE_STRLCAT && !defined(strlcat) 46 | size_t strlcat( 47 | char* dst, 48 | const char* src, 49 | size_t size); 50 | #endif 51 | 52 | 53 | #if !HAVE_MEMMEM && !defined(memmem) 54 | void* memmem( 55 | const void* haystack, 56 | size_t haystack_size, 57 | const void* needle, 58 | size_t needle_size); 59 | #endif 60 | 61 | 62 | int strnlen_w( 63 | const char* w_str); 64 | 65 | 66 | int strcmp_w( 67 | const char* w_str, 68 | const char* str); 69 | 70 | 71 | size_t strlcpy_w( 72 | char* dst, 73 | const char* w_src, 74 | size_t n); 75 | 76 | #endif 77 | 78 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara/utils.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | 18 | #ifndef YR_UTILS_H 19 | #define YR_UTILS_H 20 | 21 | #ifndef TRUE 22 | #define TRUE 1 23 | #endif 24 | 25 | #ifndef FALSE 26 | #define FALSE 0 27 | #endif 28 | 29 | #ifndef NULL 30 | #define NULL 0 31 | #endif 32 | 33 | #ifdef __cplusplus 34 | #define EXTERNC extern "C" 35 | #else 36 | #define EXTERNC 37 | #endif 38 | 39 | #if defined(__GNUC__) 40 | #define YR_API EXTERNC __attribute__((visibility("default"))) 41 | #elif defined(_MSC_VER) 42 | #define YR_API EXTERNC __declspec(dllexport) 43 | #else 44 | #deinfe YR_API EXTERNC 45 | #endif 46 | 47 | #define yr_min(x, y) ((x < y) ? (x) : (y)) 48 | #define yr_max(x, y) ((x > y) ? (x) : (y)) 49 | 50 | #define PTR_TO_INT64(x) ((int64_t) (size_t) x) 51 | 52 | 53 | #ifdef NDEBUG 54 | 55 | #define assertf(expr, msg, ...) ((void)0) 56 | 57 | #else 58 | 59 | #include 60 | 61 | #define assertf(expr, msg, ...) \ 62 | if(!(expr)) { \ 63 | fprintf(stderr, "%s:%d: " msg "\n", __FILE__, __LINE__, ##__VA_ARGS__); \ 64 | abort(); \ 65 | } 66 | 67 | #endif 68 | 69 | #endif 70 | -------------------------------------------------------------------------------- /pluginsdk/yara/yara_x64.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/yara/yara_x64.a -------------------------------------------------------------------------------- /pluginsdk/yara/yara_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/yara/yara_x64.lib -------------------------------------------------------------------------------- /pluginsdk/yara/yara_x86.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/yara/yara_x86.a -------------------------------------------------------------------------------- /pluginsdk/yara/yara_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/pluginsdk/yara/yara_x86.lib -------------------------------------------------------------------------------- /x32dbg.exe.ini: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/x32dbg.exe.ini -------------------------------------------------------------------------------- /xdbg.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brock7/xdbg/55eed44a23f5af47dace771365f6cc9109009170/xdbg.cpp -------------------------------------------------------------------------------- /xdbg.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2013 4 | VisualStudioVersion = 12.0.40629.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "xdbgcore", "xdbgcore.vcxproj", "{05AF2FAB-FDFC-429D-942B-1D633BF29E40}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Win32 = Debug|Win32 11 | Release|Win32 = Release|Win32 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {05AF2FAB-FDFC-429D-942B-1D633BF29E40}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {05AF2FAB-FDFC-429D-942B-1D633BF29E40}.Debug|Win32.Build.0 = Debug|Win32 16 | {05AF2FAB-FDFC-429D-942B-1D633BF29E40}.Release|Win32.ActiveCfg = Release|Win32 17 | {05AF2FAB-FDFC-429D-942B-1D633BF29E40}.Release|Win32.Build.0 = Release|Win32 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | EndGlobal 23 | -------------------------------------------------------------------------------- /xdbg.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {EA45863F-ECB5-449A-BE0E-B51187B98695} 15 | Win32Proj 16 | xdbg 17 | 18 | 19 | 20 | Application 21 | true 22 | v120 23 | 24 | 25 | Application 26 | false 27 | true 28 | Unicode 29 | v120 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | true 43 | false 44 | 45 | 46 | false 47 | 48 | 49 | 50 | 51 | 52 | Level3 53 | Disabled 54 | DETOURS_32BIT;DETOURS_X86;WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 55 | 56 | 57 | Console 58 | true 59 | 60 | 61 | 62 | 63 | Level3 64 | 65 | 66 | MaxSpeed 67 | true 68 | true 69 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 70 | 71 | 72 | Console 73 | true 74 | true 75 | true 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | -------------------------------------------------------------------------------- /xdbgcore.cpp: -------------------------------------------------------------------------------- 1 | // xdbgcore.cpp : Defines the exported functions for the DLL application. 2 | // 3 | 4 | #include 5 | #include "XDbgProxy.h" 6 | #include 7 | #include "detours.h" 8 | #include "XDbgController.h" 9 | #include "common.h" 10 | #include "AutoDebug.h" 11 | #include "pluginsdk/_plugins.h" 12 | #include "Utils.h" 13 | #include 14 | 15 | #define XDBG_VER (1) 16 | 17 | HMODULE hInstance; 18 | UINT exec_mode = 0; 19 | UINT debug_if = 0; 20 | UINT api_hook_mask = ID_ReadProcessMemory | ID_WriteProcessMemory | ID_SuspendThread | ID_ResumeThread; 21 | UINT inject_method = 0; 22 | UINT ignore_dbgstr = 0; 23 | UINT simu_attach_bp = 1; 24 | // XDbgController* dbgctl = NULL; 25 | 26 | ////////////////////////////////////////////////////////////////////////// 27 | void (* plugin_registercallback)(int pluginHandle, CBTYPE cbType, CBPLUGIN cbPlugin) = NULL; 28 | int (* plugin_menuaddentry)(int hMenu, int entry, const char* title) = NULL; 29 | bool (* plugin_menuclear)(int hMenu); 30 | void (* plugin_logprintf)(const char* format, ...); 31 | 32 | bool preparePlugin(); 33 | void ResiserListViewClass(); 34 | void initMode2(); 35 | 36 | ////////////////////////////////////////////////////////////////////////// 37 | 38 | static void loadConfig() 39 | { 40 | char iniName[MAX_PATH]; 41 | GetModuleFileName(NULL, iniName, sizeof(iniName) - 1); 42 | strcat_s(iniName, ".ini"); 43 | exec_mode = GetPrivateProfileInt("xdbg", "mode", exec_mode, iniName); 44 | debug_if = GetPrivateProfileInt("xdbg", "debug_if", debug_if, iniName); 45 | api_hook_mask = GetPrivateProfileInt("xdbg", "api_hook_mask", api_hook_mask, iniName); 46 | inject_method = GetPrivateProfileInt("xdbg", "inject_method", inject_method, iniName); 47 | ignore_dbgstr = GetPrivateProfileInt("xdbg", "ignore_dbgstr", ignore_dbgstr, iniName); 48 | simu_attach_bp = GetPrivateProfileInt("xdbg", "simu_attach_bp", simu_attach_bp, iniName); 49 | } 50 | 51 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID lpReserved) 52 | { 53 | if (reason == DLL_PROCESS_ATTACH) { 54 | hInstance = hModule; 55 | loadConfig(); 56 | // ModifyExe(); 57 | 58 | // KEEP IT 59 | char dllPath[MAX_PATH + 1]; 60 | GetModuleFileName(hModule, dllPath, sizeof(dllPath) - 1); 61 | dllPath[sizeof(dllPath) - 1] = 0; 62 | LoadLibrary(dllPath); 63 | 64 | if (exec_mode == 1 || preparePlugin()) { 65 | 66 | exec_mode = 1; 67 | preparePlugin(); 68 | 69 | MyTrace("xdbgcore initializing. mode: 1"); 70 | if (!XDbgController::instance().initialize(hModule, true)) { 71 | // log error 72 | assert(false); 73 | } 74 | 75 | registerAutoDebugHandler(new IgnoreException()); 76 | 77 | } else if (exec_mode == 0) { // proxy mode 78 | 79 | MyTrace("xdbgcore initializing. mode: 0"); 80 | if (!XDbgProxy::instance().initialize()) { 81 | // log error 82 | assert(false); 83 | return FALSE; 84 | } 85 | 86 | // XDbgProxy::instance().waitForAttach(); 87 | } else if (exec_mode == 2) { 88 | initMode2(); 89 | } else { 90 | assert(false); 91 | return FALSE; 92 | } 93 | } 94 | 95 | if (exec_mode == 0) { 96 | 97 | return XDbgProxy::instance().DllMain(hModule, reason, lpReserved); 98 | } 99 | 100 | return TRUE; 101 | } 102 | 103 | ////////////////////////////////////////////////////////////////////////// 104 | 105 | #define MENU_ID_ENABLE 1 106 | #define MENU_ID_DISABLE 2 107 | #define MENU_ID_ABOUT 3 108 | #define MENU_ID_STATE 4 109 | 110 | bool preparePlugin() 111 | { 112 | #ifdef _M_X64 113 | #define X64DBG_DLL "x64dbg.dll" 114 | #else 115 | #define X64DBG_DLL "x32dbg.dll" 116 | #endif 117 | 118 | plugin_registercallback = (void ( *)(int pluginHandle, CBTYPE cbType, CBPLUGIN cbPlugin)) 119 | GetProcAddress(GetModuleHandle(X64DBG_DLL), "_plugin_registercallback"); 120 | 121 | plugin_menuaddentry = (int (* )(int hMenu, int entry, const char* title)) 122 | GetProcAddress(GetModuleHandle(X64DBG_DLL), "_plugin_menuaddentry"); 123 | 124 | plugin_menuclear = (bool (*)(int hMenu)) 125 | GetProcAddress(GetModuleHandle(X64DBG_DLL), "_plugin_menuclear"); 126 | 127 | plugin_logprintf = ( void(*)(const char* format, ...)) 128 | GetProcAddress(GetModuleHandle(X64DBG_DLL), "_plugin_logprintf"); 129 | 130 | return (plugin_registercallback && plugin_registercallback && plugin_menuclear && plugin_logprintf); 131 | } 132 | 133 | void menuHandler(CBTYPE Type, PLUG_CB_MENUENTRY *Info); 134 | void createProcessHandler(CBTYPE type, PLUG_CB_CREATEPROCESS* info); 135 | void attachHandler(CBTYPE type, PLUG_CB_ATTACH* info); 136 | 137 | bool pluginit(PLUG_INITSTRUCT* initStruct) 138 | { 139 | initStruct->pluginVersion = XDBG_VER; 140 | strcpy(initStruct->pluginName, "XDbg"); 141 | initStruct->sdkVersion = PLUG_SDKVERSION; 142 | 143 | assert(plugin_registercallback); 144 | plugin_registercallback(initStruct->pluginHandle, CB_MENUENTRY, (CBPLUGIN)menuHandler); 145 | plugin_registercallback(initStruct->pluginHandle, CB_CREATEPROCESS, (CBPLUGIN)createProcessHandler); 146 | plugin_registercallback(initStruct->pluginHandle, CB_ATTACH, (CBPLUGIN)attachHandler); 147 | return true; 148 | } 149 | 150 | HWND hWnd; 151 | void plugsetup(PLUG_SETUPSTRUCT* setupStruct) 152 | { 153 | hWnd = setupStruct->hwndDlg; 154 | 155 | assert(plugin_menuaddentry); 156 | plugin_menuaddentry(setupStruct->hMenu, MENU_ID_ENABLE, "Enable XDbg"); 157 | plugin_menuaddentry(setupStruct->hMenu, MENU_ID_DISABLE, "Disable XDbg"); 158 | plugin_menuaddentry(setupStruct->hMenu, MENU_ID_STATE, "Current state"); 159 | plugin_menuaddentry(setupStruct->hMenu, MENU_ID_ABOUT, "About XDbg"); 160 | } 161 | 162 | bool plugstop() 163 | { 164 | return true; 165 | } 166 | 167 | void menuHandler(CBTYPE Type, PLUG_CB_MENUENTRY *info) 168 | { 169 | switch (info->hEntry) { 170 | case MENU_ID_ENABLE: 171 | debug_if = 0; 172 | plugin_logprintf("XDbg enabled\n"); 173 | break; 174 | case MENU_ID_DISABLE: 175 | debug_if = 1; 176 | plugin_logprintf("XDbg disabled\n"); 177 | break; 178 | case MENU_ID_STATE: 179 | plugin_logprintf("XDbg state: %s\n", debug_if == 0 ? "Enabled" : "Disabled" ); 180 | break; 181 | case MENU_ID_ABOUT: 182 | MessageBox(hWnd, "XDbg v0.1\nAuthor: Brock\nEmail: xiaowave@gmail.com", "XDbg", MB_OK | MB_ICONINFORMATION); 183 | break; 184 | } 185 | } 186 | 187 | void createProcessHandler(CBTYPE type, PLUG_CB_CREATEPROCESS* info) 188 | { 189 | if (debug_if == 0) 190 | plugin_logprintf("Current debug engine is XDbg\n"); 191 | } 192 | 193 | void attachHandler(CBTYPE type, PLUG_CB_ATTACH* info) 194 | { 195 | if (debug_if == 0) 196 | plugin_logprintf("Current debug engine is XDbg\n"); 197 | } 198 | 199 | ////////////////////////////////////////////////////////////////////////// 200 | // mode 2 201 | 202 | #define LISTVIEW_CLASS L"SysListView32" 203 | #define MY_LISTVIEW_CLASS L"XDBGLV" 204 | 205 | void ResiserListViewClass() 206 | { 207 | WNDCLASSW wndCls; 208 | if (!GetClassInfoW(NULL, LISTVIEW_CLASS, &wndCls)) { 209 | assert(false); 210 | } 211 | 212 | wndCls.lpszClassName = MY_LISTVIEW_CLASS; 213 | if (RegisterClassW(&wndCls) == 0) { 214 | assert(false); 215 | } 216 | } 217 | 218 | HWND(__stdcall * Real_CreateWindowExW)(DWORD a0, 219 | LPCWSTR a1, 220 | LPCWSTR a2, 221 | DWORD a3, 222 | int a4, 223 | int a5, 224 | int a6, 225 | int a7, 226 | HWND a8, 227 | HMENU a9, 228 | HINSTANCE a10, 229 | LPVOID a11) 230 | = CreateWindowExW; 231 | 232 | HWND __stdcall Mine_CreateWindowExW(DWORD a0, 233 | LPCWSTR lpClassName, 234 | LPCWSTR a2, 235 | DWORD a3, 236 | int a4, 237 | int a5, 238 | int a6, 239 | int a7, 240 | HWND a8, 241 | HMENU a9, 242 | HINSTANCE a10, 243 | LPVOID a11) 244 | { 245 | // MyTrace("%s() classname: %S", __FUNCTION__, lpClassName); 246 | if (LOWORD(lpClassName) != ULONG_PTR(lpClassName) && 247 | lstrcmpW(lpClassName, LISTVIEW_CLASS) == 0) { 248 | 249 | lpClassName = MY_LISTVIEW_CLASS; 250 | // MyTrace("%s() new classname: %S", __FUNCTION__, lpClassName); 251 | } 252 | 253 | return Real_CreateWindowExW(a0, lpClassName, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11); 254 | } 255 | 256 | HRSRC(__stdcall * Real_FindResourceExW)(HMODULE a0, 257 | LPCWSTR a1, 258 | LPCWSTR a2, 259 | WORD a3) 260 | = FindResourceExW; 261 | 262 | HRSRC(__stdcall * Real_FindResourceExA)(HMODULE a0, 263 | LPCSTR a1, 264 | LPCSTR a2, 265 | WORD a3) 266 | = FindResourceExA; 267 | 268 | HRSRC __stdcall Mine_FindResourceExA(HMODULE a0, 269 | LPCSTR a1, 270 | LPCSTR a2, 271 | WORD a3) 272 | { 273 | return Real_FindResourceExA(a0, a1, a2, a3); 274 | } 275 | 276 | HRSRC __stdcall Mine_FindResourceExW(HMODULE a0, 277 | LPCWSTR a1, 278 | LPCWSTR a2, 279 | WORD a3) 280 | { 281 | return Real_FindResourceExW(a0, a1, a2, a3); 282 | } 283 | 284 | static PVOID mallocRecSec(PVOID base, SIZE_T size) 285 | { 286 | return VirtualAlloc((PVOID)0x20000000, size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 287 | } 288 | 289 | PVOID memblockCache = NULL; 290 | PVOID memBase = NULL; 291 | 292 | void restoreMemory(PVOID base, ULONG_PTR offset, SIZE_T len) 293 | { 294 | memcpy((PVOID)MakePtr(base, offset), (PVOID)MakePtr(memblockCache, offset), len); 295 | } 296 | 297 | 298 | std::vector > records; 299 | void prebeSign(PVOID base, SIZE_T len) 300 | { 301 | if (len < 16) 302 | return; 303 | 304 | // MyTrace("memBase: %p, base: %p, size_t: %u", memBase, base, len); 305 | PVOID addr = base; 306 | SIZE_T part = len / 2; 307 | memset(addr, 0, part); 308 | char msg[256]; 309 | sprintf(msg, "memBase: %p, base: %p, part: %u. is detected?", memBase, base, part); 310 | if (MessageBox(NULL, msg, msg, MB_YESNO) == IDNO) { 311 | // records.push_back(std::pair((ULONG_PTR)addr, (ULONG_PTR)part)); 312 | MyTrace("FOUND! memBase: %p, base: %p, size_t: %u", memBase, addr, part); 313 | restoreMemory(memBase, (ULONG_PTR)addr - (ULONG_PTR)memBase, part); 314 | prebeSign(addr, part); 315 | return; 316 | } 317 | 318 | // restoreMemory(memBase, (ULONG_PTR )addr - (ULONG_PTR )memBase, part); 319 | 320 | PVOID addr2 = (PVOID )MakePtr(base, part); 321 | SIZE_T part2 = len - part; 322 | memset(addr2, 0, part2); 323 | sprintf(msg, "memBase: %p, base: %p, part: %u. is detected?", memBase, addr2, part2); 324 | if (MessageBox(NULL, msg, msg, MB_YESNO) == IDNO) { 325 | // records.push_back(std::pair((ULONG_PTR)addr2, (ULONG_PTR)part2)); 326 | MyTrace("FOUND! memBase: %p, base: %p, size_t: %u", memBase, addr2, part2); 327 | restoreMemory(memBase, (ULONG_PTR)addr2 - (ULONG_PTR)memBase, part2); 328 | prebeSign(addr2, part2); 329 | } 330 | 331 | restoreMemory(base, (ULONG_PTR)base - (ULONG_PTR)memBase, len); 332 | } 333 | 334 | BOOL ModifyExe() 335 | { 336 | return TRUE; 337 | } 338 | 339 | void initMode2() 340 | { 341 | ModifyExe(); 342 | // inject_method = 1; // WIN HOOK 343 | //api_hook_mask = ID_ReadProcessMemory | ID_WriteProcessMemory | ID_SuspendThread | ID_ResumeThread | 344 | // ID_GetThreadContext | ID_SetThreadContext | ID_VirtualQueryEx | ID_VirtualProtectEx | ID_GetModuleFileNameExW; 345 | MyTrace("xdbgcore initializing. mode: 2"); 346 | if (!XDbgController::instance().initialize(hInstance, true)) { 347 | // log error 348 | assert(false); 349 | } 350 | 351 | ResiserListViewClass(); 352 | DetourTransactionBegin(); 353 | DetourAttach(&(PVOID&)Real_CreateWindowExW, &(PVOID&)Mine_CreateWindowExW); 354 | DetourTransactionCommit(); 355 | } 356 | 357 | BOOL WINAPI CE_OpenProcess(DWORD pid) 358 | { 359 | MyTrace("%s()", __FUNCTION__); 360 | XDbgController& dbgctl = XDbgController::instance(); 361 | if (!dbgctl.injectDll(pid, dbgctl.getModuleHandle())) { 362 | MyTrace("%s(): injectDll() failed.", __FUNCTION__); 363 | } 364 | 365 | dbgctl.disconnectRemoteApi(); 366 | int i; 367 | for (i = 30; i > 0; i--) { 368 | if (dbgctl.connectRemoteApi(pid)) 369 | break; 370 | 371 | Sleep(100); 372 | } 373 | 374 | if (i == 0) { 375 | assert(false); 376 | // log error 377 | return FALSE; 378 | } 379 | 380 | return TRUE; 381 | } 382 | -------------------------------------------------------------------------------- /xdbgcore.def: -------------------------------------------------------------------------------- 1 | LIBRARY "xdbgcore" 2 | 3 | EXPORTS 4 | pluginit 5 | plugsetup 6 | CE_OpenProcess -------------------------------------------------------------------------------- /xdbgcore.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {05AF2FAB-FDFC-429D-942B-1D633BF29E40} 23 | Win32Proj 24 | xdbgcore 25 | 26 | 27 | 28 | DynamicLibrary 29 | true 30 | v120 31 | 32 | 33 | DynamicLibrary 34 | true 35 | v120 36 | 37 | 38 | DynamicLibrary 39 | false 40 | true 41 | NotSet 42 | v120 43 | 44 | 45 | DynamicLibrary 46 | false 47 | true 48 | NotSet 49 | v120 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | true 69 | false 70 | 71 | 72 | true 73 | false 74 | 75 | 76 | false 77 | 78 | 79 | false 80 | 81 | 82 | 83 | NotUsing 84 | Level3 85 | Disabled 86 | _CRT_SECURE_NO_WARNINGS;DETOURS_X86;DETOURS_32BIT;WIN32;_DEBUG;_WINDOWS;_USRDLL;XDBGCORE_EXPORTS;%(PreprocessorDefinitions) 87 | 88 | 89 | Windows 90 | true 91 | xdbgcore.def 92 | Psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 93 | $(OutDir)$(TargetName).dp32 94 | 95 | 96 | copy $(TargetDir)$(TargetName).dp32 ..\x64dbg\bin\x32\plugins 97 | 98 | 99 | 100 | 101 | NotUsing 102 | Level3 103 | Disabled 104 | _CRT_SECURE_NO_WARNINGS;DETOURS_X64;DETOURS_64BIT;WIN32;_DEBUG;_WINDOWS;_USRDLL;XDBGCORE_EXPORTS;%(PreprocessorDefinitions) 105 | 106 | 107 | Windows 108 | true 109 | xdbgcore.def 110 | Psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 111 | $(OutDir)$(TargetName).dp64 112 | 113 | 114 | copy $(TargetDir)$(TargetName).dp64 ..\x64dbg\bin\x64\plugins 115 | 116 | 117 | 118 | 119 | Level3 120 | NotUsing 121 | MaxSpeed 122 | true 123 | true 124 | _CRT_SECURE_NO_WARNINGS;DETOURS_X86;DETOURS_32BIT;WIN32;NDEBUG;_WINDOWS;_USRDLL;XDBGCORE_EXPORTS;%(PreprocessorDefinitions) 125 | 126 | 127 | Windows 128 | true 129 | true 130 | true 131 | xdbgcore.def 132 | pluginsdk/x32dbg.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 133 | $(OutDir)$(TargetName).dp32 134 | 135 | 136 | copy $(TargetDir)$(TargetName).dp32 ..\x64dbg\bin\x32\plugins 137 | 138 | 139 | 140 | 141 | Level3 142 | NotUsing 143 | MaxSpeed 144 | true 145 | true 146 | _CRT_SECURE_NO_WARNINGS;DETOURS_X64;DETOURS_64BIT;WIN32;NDEBUG;_WINDOWS;_USRDLL;XDBGCORE_EXPORTS;%(PreprocessorDefinitions) 147 | 148 | 149 | Windows 150 | true 151 | true 152 | true 153 | $(OutDir)$(TargetName).dp64 154 | xdbgcore.def 155 | 156 | 157 | copy $(TargetDir)$(TargetName).dp64 ..\x64dbg\bin\x64\plugins 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | NotUsing 182 | NotUsing 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | --------------------------------------------------------------------------------