├── .gitattributes ├── .gitignore ├── APIInfo ├── deviare32_populated.sqlite ├── msdn_populated.xml ├── parse_db.py └── populate_db.py ├── CodaPinTracer.json ├── CodaPinTracer.sln ├── Code ├── Config.cpp ├── Config.h ├── Debug.h ├── DllPrototypes │ ├── ASycFilt.cpp │ ├── AclUI.cpp │ ├── ActiveDS.cpp │ ├── AdvAPI32.cpp │ ├── AuthZ.cpp │ ├── Cabinet.cpp │ ├── CertPolEng.cpp │ ├── ClusApi.cpp │ ├── ComCtl32.cpp │ ├── ComDlg32.cpp │ ├── ComSvcs.cpp │ ├── Crypt32.cpp │ ├── CryptNet.cpp │ ├── DSProp.cpp │ ├── DSUIExt.cpp │ ├── DbgEng.cpp │ ├── DbgHelp.cpp │ ├── DhcpCSvc.cpp │ ├── DnsAPI.cpp │ ├── ElsCore.cpp │ ├── FaultRep.cpp │ ├── GPEdit.cpp │ ├── Gdi32.cpp │ ├── GdiPlus.cpp │ ├── HLink.cpp │ ├── IPHlpApi.cpp │ ├── Icm32.cpp │ ├── Icmui.cpp │ ├── ImageHlp.cpp │ ├── Imm32.cpp │ ├── Iprop.cpp │ ├── Kernel32.cpp │ ├── KernelBase.cpp │ ├── LoadPerf.cpp │ ├── Lz32.cpp │ ├── MAPI32.cpp │ ├── MSAcm32.cpp │ ├── MSImg32.cpp │ ├── MSRating.cpp │ ├── MSTask.cpp │ ├── Mf.cpp │ ├── Mfplat.cpp │ ├── MgmtAPI.cpp │ ├── Misc.cpp │ ├── Mpr.cpp │ ├── Mprapi.cpp │ ├── MsWSock.cpp │ ├── Mscms.cpp │ ├── Msi.cpp │ ├── NetAPI32.cpp │ ├── NtDsAPI.cpp │ ├── Ole32.cpp │ ├── OleAcc.cpp │ ├── OleAut32.cpp │ ├── OleDlg.cpp │ ├── OlePro32.cpp │ ├── OpenGL32.cpp │ ├── Pdh.cpp │ ├── RASAPI32.cpp │ ├── RASDlg.cpp │ ├── ResUtils.cpp │ ├── RichEd20.cpp │ ├── RpcRT4.cpp │ ├── Rpcns4.cpp │ ├── Rtm.cpp │ ├── Rtutils.cpp │ ├── SCardDlg.cpp │ ├── Secur32.cpp │ ├── SensAPI.cpp │ ├── SetupAPI.cpp │ ├── Sfc.cpp │ ├── ShFolder.cpp │ ├── ShLwApi.cpp │ ├── SnmpAPI.cpp │ ├── SrClient.cpp │ ├── Sti.cpp │ ├── Tapi32.cpp │ ├── Traffic.cpp │ ├── UIAutomationCore.cpp │ ├── USP10.cpp │ ├── Url.cpp │ ├── Urlmon.cpp │ ├── User32.cpp │ ├── UserEnv.cpp │ ├── Uxtheme.cpp │ ├── VdmDbg.cpp │ ├── Version.cpp │ ├── WER.cpp │ ├── WS2_32.cpp │ ├── WSnmp32.cpp │ ├── WSock32.cpp │ ├── WebServices.cpp │ ├── WinBio.cpp │ ├── WinFax.cpp │ ├── WinInet.cpp │ ├── WinMM.cpp │ ├── WinSCard.cpp │ ├── WinTrust.cpp │ ├── Wldap32.cpp │ ├── Wow32.cpp │ ├── WtsApi32.cpp │ ├── advpack.cpp │ ├── avifil32.cpp │ ├── avrt.cpp │ ├── bcrypt.cpp │ ├── clfsw32.cpp │ ├── corrEngine.cpp │ ├── credui.cpp │ ├── cryptui.cpp │ ├── cryptxml.cpp │ ├── cscapi.cpp │ ├── d3d10.cpp │ ├── d3d10_1.cpp │ ├── d3d11.cpp │ ├── d3d9.cpp │ ├── davclnt.cpp │ ├── dciman32.cpp │ ├── dhcpcsvc6.cpp │ ├── dhcpsapi.cpp │ ├── dinput8.cpp │ ├── dpx.cpp │ ├── drt.cpp │ ├── drtprov.cpp │ ├── drttransport.cpp │ ├── dsound.cpp │ ├── dwmapi.cpp │ ├── dxgi.cpp │ ├── dxva2.cpp │ ├── eappcfg.cpp │ ├── eappprxy.cpp │ ├── encapi.cpp │ ├── esent.cpp │ ├── evr.cpp │ ├── fontsub.cpp │ ├── fwpuclnt.cpp │ ├── fxsutility.cpp │ ├── imgutil.cpp │ ├── infocardapi.cpp │ ├── ksuser.cpp │ ├── ktmw32.cpp │ ├── locationapi.cpp │ ├── magnification.cpp │ ├── mfplay.cpp │ ├── mfreadwrite.cpp │ ├── mscoree.cpp │ ├── msctfmonitor.cpp │ ├── msdelta.cpp │ ├── msdmo.cpp │ ├── msdrm.cpp │ ├── msvfw32.cpp │ ├── msxml6.cpp │ ├── ncrypt.cpp │ ├── ndfapi.cpp │ ├── ndproxystub.cpp │ ├── newdev.cpp │ ├── normaliz.cpp │ ├── ntdll.cpp │ ├── powrprof.cpp │ ├── prntvpt.cpp │ ├── propsys.cpp │ ├── quartz.cpp │ ├── qutil.cpp │ ├── qwave.cpp │ ├── rstrtmgr.cpp │ ├── sas.cpp │ ├── sensorsapi.cpp │ ├── shdocvw.cpp │ ├── shell32.cpp │ ├── sisbkup.cpp │ ├── slc.cpp │ ├── slcext.cpp │ ├── slwga.cpp │ ├── structuredquery.cpp │ ├── t2embed.cpp │ ├── taskschd.cpp │ ├── tbs.cpp │ ├── tdh.cpp │ ├── txfw32.cpp │ ├── virtdisk.cpp │ ├── vssapi.cpp │ ├── wecapi.cpp │ ├── wevtapi.cpp │ ├── windowscodecs.cpp │ ├── winhttp.cpp │ ├── winsatapi.cpp │ ├── wlanapi.cpp │ ├── wlanui.cpp │ ├── wmdrmsdk.cpp │ ├── wmiutils.cpp │ ├── wmvcore.cpp │ ├── wscapi.cpp │ ├── wsdapi.cpp │ ├── xmllite.cpp │ ├── xoleHlp.cpp │ └── xpsprint.cpp ├── Drltrace_libcalls.cpp ├── Drltrace_libcalls.h ├── DumpHandler.cpp ├── DumpHandler.h ├── EntropyHeuristic.cpp ├── EntropyHeuristic.h ├── ExceptionHandler.cpp ├── ExceptionHandler.h ├── FakeReadHandler.cpp ├── FakeReadHandler.h ├── FakeWriteHandler.cpp ├── FakeWriteHandler.h ├── GdbDebugger.cpp ├── GdbDebugger.h ├── HeapModule.cpp ├── HeapModule.h ├── Helper.cpp ├── Helper.h ├── Heuristics.cpp ├── Heuristics.h ├── HookSyscalls.cpp ├── HookSyscalls.h ├── InitFunctionCall.cpp ├── InitFunctionCall.h ├── JumpOuterSectionHeuristic.cpp ├── JumpOuterSectionHeuristic.h ├── LibraryHandler.cpp ├── LibraryHandler.h ├── Logging.cpp ├── Logging.h ├── LongJumpHeuristic.cpp ├── LongJumpHeuristic.h ├── MyPinTool.sln ├── MyPinTool.vcxproj ├── MyPinTool.vcxproj.filters ├── OepFinder.cpp ├── OepFinder.h ├── PINdemonium.rc ├── PINshield.cpp ├── PINshield.h ├── PatternMatchModule.cpp ├── PatternMatchModule.h ├── Pin-config.props ├── PolymorphicCodeHandlerModule.cpp ├── PolymorphicCodeHandlerModule.h ├── ProcInfo.cpp ├── ProcInfo.h ├── ProcessInjectionModule.cpp ├── ProcessInjectionModule.h ├── PushadPopadHeuristic.cpp ├── PushadPopadHeuristic.h ├── Pyrebox_libcalls.cpp ├── Pyrebox_libcalls.h ├── Pyrebox_named_consts.cpp ├── Report.cpp ├── Report.h ├── ReportDump.cpp ├── ReportDump.h ├── ReportEntropy.cpp ├── ReportEntropy.h ├── ReportGeneralInformation.cpp ├── ReportGeneralInformation.h ├── ReportImportedFunction.cpp ├── ReportImportedFunction.h ├── ReportJumpOuterSection.cpp ├── ReportJumpOuterSection.h ├── ReportLongJump.cpp ├── ReportLongJump.h ├── ReportMainModule.cpp ├── ReportMainModule.h ├── ReportObject.cpp ├── ReportObject.h ├── ReportYaraRules.cpp ├── ReportYaraRules.h ├── ScyllaWrapper.cpp ├── ScyllaWrapper.h ├── ServerTCP.cpp ├── ServerTCP.h ├── TimeTracker.h ├── TracerContextChangeManager.cpp ├── TracerContextChangeManager.h ├── TracerLibCalls.cpp ├── TracerLibCalls.h ├── TracerSysCalls.cpp ├── TracerSysCalls.h ├── TracerTdataManager.cpp ├── TracerTdataManager.h ├── TracerWriteFile.cpp ├── TracerWriteFile.h ├── WriteInterval.cpp ├── WriteInterval.h ├── WxorXHandler.cpp ├── WxorXHandler.h ├── YaraHeuristic.cpp ├── YaraHeuristic.h ├── drstrace_named_consts.cpp ├── drstrace_named_consts.h ├── drsyscall.cpp ├── drsyscall.h ├── json.h ├── jsoncpp.cpp ├── libdft │ ├── array.hpp │ ├── branch_pred.h │ ├── config.h │ ├── dbg.h │ ├── libdft_api.cpp │ ├── libdft_api.h │ ├── libdft_core.cpp │ ├── libdft_core.h │ ├── tag_traits.cpp │ ├── tag_traits.h │ ├── tagmap.cpp │ ├── tagmap.h │ └── tagmap_custom.h ├── main.cpp ├── makefile ├── makefile.rules ├── md5.cpp ├── md5.h ├── porting.h ├── resource.h ├── tls.h └── types.h ├── ExpInfo ├── GenerateExpRanges.py ├── ReadFuncts.py └── exports │ └── kernel32.json ├── LICENSE ├── Locals.props └── README.md /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /APIInfo/deviare32_populated.sqlite: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fengjixuchui/CodaPinTracer/1aa7b1670cf5d9dc8a6de412f2b006e3f91ceea3/APIInfo/deviare32_populated.sqlite -------------------------------------------------------------------------------- /APIInfo/msdn_populated.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fengjixuchui/CodaPinTracer/1aa7b1670cf5d9dc8a6de412f2b006e3f91ceea3/APIInfo/msdn_populated.xml -------------------------------------------------------------------------------- /CodaPinTracer.json: -------------------------------------------------------------------------------- 1 | { 2 | "results_path": "C:\\pin35\\Results", 3 | "timestamped_folder" : true, 4 | "main_log_name" : "main.rbp", 5 | "thread_log_name" : "thread.rbp", 6 | "report_filename": "report.json", 7 | "filtered_writes": "", 8 | "yara_exe_path": "", 9 | "yara_rules_path": "", 10 | "scylla_dumper_path": "", 11 | "scylla_plugins_path": "", 12 | "scylla_wrapper_path": "" 13 | } 14 | -------------------------------------------------------------------------------- /CodaPinTracer.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.25420.1 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{4814523D-1988-4131-A72B-32C7881F3A32}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CodaPinTracer", "Code\MyPinTool.vcxproj", "{639EF517-FCFC-408E-9500-71F0DC0458DB}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|Win32 = Debug|Win32 13 | Debug|x64 = Debug|x64 14 | Debug-Lib|Win32 = Debug-Lib|Win32 15 | Debug-Lib|x64 = Debug-Lib|x64 16 | Release|Win32 = Release|Win32 17 | Release|x64 = Release|x64 18 | Release-Lib|Win32 = Release-Lib|Win32 19 | Release-Lib|x64 = Release-Lib|x64 20 | EndGlobalSection 21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 22 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.ActiveCfg = Debug|Win32 23 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.Build.0 = Debug|Win32 24 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.ActiveCfg = Release|Win32 25 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.Build.0 = Release|Win32 26 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug-Lib|Win32.ActiveCfg = Release|x64 27 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug-Lib|x64.ActiveCfg = Release|x64 28 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug-Lib|x64.Build.0 = Release|x64 29 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|Win32.ActiveCfg = Release|Win32 30 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.ActiveCfg = Debug|Win32 31 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.Build.0 = Debug|Win32 32 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release-Lib|Win32.ActiveCfg = Release|x64 33 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release-Lib|x64.ActiveCfg = Release|x64 34 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release-Lib|x64.Build.0 = Release|x64 35 | EndGlobalSection 36 | GlobalSection(SolutionProperties) = preSolution 37 | HideSolutionNode = FALSE 38 | EndGlobalSection 39 | GlobalSection(ExtensibilityGlobals) = postSolution 40 | SolutionGuid = {E492018D-DFDB-4968-97A1-6BC02CEF7740} 41 | EndGlobalSection 42 | EndGlobal 43 | -------------------------------------------------------------------------------- /Code/Debug.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "Logging.h" -------------------------------------------------------------------------------- /Code/DllPrototypes/ASycFilt.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t ASycFilt_info[] = { 4 | { "DllCanUnloadNow",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | }; 10 | 11 | int ASycFiltarraySize = (sizeof(ASycFilt_info) / sizeof(ASycFilt_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/AclUI.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t AclUI_info[] = { 4 | { "EditSecurity",2, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "hwndOwner", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 8 | {1, "psi", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "ISecurityInformation", 32, IN }, 9 | } 10 | }, 11 | { "EditSecurityAdvanced",3, 12 | { 13 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 14 | {0, "hwndOwner", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 15 | {1, "psi", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "ISecurityInformation", 32, IN }, 16 | {2, "uSIPage", NKT_DBOBJCLASS_Enumeration, "_SI_PAGE_TYPE", 32, IN }, 17 | } 18 | }, 19 | { "CreateSecurityPage",1, 20 | { 21 | {-1, "Return value", NKT_DBOBJCLASS_Typedef, 0, 0, INOUT }, 22 | {0, "psi", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "ISecurityInformation", 32, IN }, 23 | } 24 | }, 25 | }; 26 | 27 | int AclUIarraySize = (sizeof(AclUI_info) / sizeof(AclUI_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/CertPolEng.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t CertPolEng_info[] = { 4 | { "PstGetTrustAnchors",4, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "pTargetName", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_UNICODE_STRING", 64, IN }, 8 | {1, "cCriteria", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 9 | {2, "rgpCriteria", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_CERT_SELECT_CRITERIA", 96, IN }, 10 | {3, "ppTrustedIssuers", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "_SecPkgContext_IssuerListInfoEx", 64, IN }, 11 | } 12 | }, 13 | { "PstValidate",6, 14 | { 15 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 16 | {0, "pTargetName", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_UNICODE_STRING", 64, IN }, 17 | {1, "bIsClient", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 18 | {2, "pRequestedIssuancePolicy", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_CERT_USAGE_MATCH", 96, IN }, 19 | {3, "phAdditionalCertStore", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 20 | {4, "pCert", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_CERT_CONTEXT", 160, IN }, 21 | {5, "pProvGUID", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_GUID", 128, IN }, 22 | } 23 | }, 24 | { "PstGetCertificates",6, 25 | { 26 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 27 | {0, "pTargetName", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_UNICODE_STRING", 64, IN }, 28 | {1, "cCriteria", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 29 | {2, "rgpCriteria", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_CERT_SELECT_CRITERIA", 96, IN }, 30 | {3, "bIsClient", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 31 | {4, "pdwCertChainContextCount", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 32 | {5, "ppCertChainContexts", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer | NKT_DBOBJCLASS_Pointer | NKT_DBOBJCLASS_Pointer, "_CERT_CHAIN_CONTEXT", 448, IN }, 33 | } 34 | }, 35 | { "PstMapCertificate",3, 36 | { 37 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 38 | {0, "pCert", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_CERT_CONTEXT", 160, IN }, 39 | {1, "pTokenInformationType", NKT_DBOBJCLASS_Enumeration | NKT_DBOBJCLASS_Pointer, "_LSA_TOKEN_INFORMATION_TYPE", 32, IN }, 40 | {2, "ppTokenInformation", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 41 | } 42 | }, 43 | { "PstGetUserNameForCertificate",2, 44 | { 45 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 46 | {0, "pCertContext", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_CERT_CONTEXT", 160, IN }, 47 | {1, "UserName", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_UNICODE_STRING", 64, IN }, 48 | } 49 | }, 50 | { "PstAcquirePrivateKey",1, 51 | { 52 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 53 | {0, "pCert", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_CERT_CONTEXT", 160, IN }, 54 | } 55 | }, 56 | }; 57 | 58 | int CertPolEngarraySize = (sizeof(CertPolEng_info) / sizeof(CertPolEng_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/ComSvcs.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t ComSvcs_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "DllGetClassObject",3, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 13 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 14 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 15 | } 16 | }, 17 | { "DllCanUnloadNow",0, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 20 | } 21 | }, 22 | { "DllUnregisterServer",0, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 25 | } 26 | }, 27 | }; 28 | 29 | int ComSvcsarraySize = (sizeof(ComSvcs_info) / sizeof(ComSvcs_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/DSProp.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t DSProp_info[] = { 4 | { "ADsPropSetHwnd",2, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "hNotifyObj", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 8 | {1, "hPage", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 9 | } 10 | }, 11 | { "DllRegisterServer",0, 12 | { 13 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 14 | } 15 | }, 16 | { "ADsPropSendErrorMessage",2, 17 | { 18 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 19 | {0, "hNotifyObj", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 20 | {1, "pError", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_ADSPROPERROR", 192, INOUT }, 21 | } 22 | }, 23 | { "ADsPropCheckIfWritable",2, 24 | { 25 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 26 | {0, "pwzAttr", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 27 | {1, "pWritableAttrs", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_ads_attr_info", 160, IN }, 28 | } 29 | }, 30 | { "ADsPropCreateNotifyObj",3, 31 | { 32 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 33 | {0, "pAppThdDataObj", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IDataObject", 32, IN }, 34 | {1, "pwzADsObjName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 35 | {2, "phNotifyObj", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, INOUT }, 36 | } 37 | }, 38 | { "ADsPropShowErrorDialog",2, 39 | { 40 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 41 | {0, "hNotifyObj", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 42 | {1, "hPage", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 43 | } 44 | }, 45 | { "ADsPropGetInitInfo",2, 46 | { 47 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 48 | {0, "hNotifyObj", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 49 | {1, "pInitParams", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_ADSPROPINITPARAMS", 192, INOUT }, 50 | } 51 | }, 52 | { "DllGetClassObject",3, 53 | { 54 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 55 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 56 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 57 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 58 | } 59 | }, 60 | { "ADsPropSetHwndWithTitle",3, 61 | { 62 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 63 | {0, "hNotifyObj", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 64 | {1, "hPage", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 65 | {2, "ptzTitle", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 66 | } 67 | }, 68 | { "DllCanUnloadNow",0, 69 | { 70 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 71 | } 72 | }, 73 | { "DllUnregisterServer",0, 74 | { 75 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 76 | } 77 | }, 78 | }; 79 | 80 | int DSProparraySize = (sizeof(DSProp_info) / sizeof(DSProp_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/DSUIExt.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t DSUIExt_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "DsGetFriendlyClassName",3, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "pszObjectClass", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 13 | {1, "pszBuffer", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 14 | {2, "cchBuffer", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 15 | } 16 | }, 17 | { "DsGetIcon",4, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 20 | {0, "dwFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 21 | {1, "pszObjectClass", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 22 | {2, "cxImage", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 23 | {3, "cyImage", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 24 | } 25 | }, 26 | { "DllGetClassObject",3, 27 | { 28 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 29 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 30 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 31 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 32 | } 33 | }, 34 | { "DllInstall",2, 35 | { 36 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 37 | {0, "bInstall", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 38 | {1, "pszCmdLine", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 39 | } 40 | }, 41 | { "DllCanUnloadNow",0, 42 | { 43 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 44 | } 45 | }, 46 | { "DsBrowseForContainerA",1, 47 | { 48 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 49 | {0, "pInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "DSBROWSEINFOA", 480, IN }, 50 | } 51 | }, 52 | { "DsBrowseForContainerW",1, 53 | { 54 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 55 | {0, "pInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "DSBROWSEINFOW", 480, IN }, 56 | } 57 | }, 58 | { "DllUnregisterServer",0, 59 | { 60 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 61 | } 62 | }, 63 | }; 64 | 65 | int DSUIExtarraySize = (sizeof(DSUIExt_info) / sizeof(DSUIExt_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/DbgEng.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t DbgEng_info[] = { 4 | { "DebugConnect",3, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "RemoteOptions", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 8 | {1, "InterfaceId", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 9 | {2, "Interface", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 10 | } 11 | }, 12 | { "DebugCreate",2, 13 | { 14 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 15 | {0, "InterfaceId", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 16 | {1, "Interface", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 17 | } 18 | }, 19 | { "DebugConnectWide",3, 20 | { 21 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 22 | {0, "RemoteOptions", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 23 | {1, "InterfaceId", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 24 | {2, "Interface", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 25 | } 26 | }, 27 | }; 28 | 29 | int DbgEngarraySize = (sizeof(DbgEng_info) / sizeof(DbgEng_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/ElsCore.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t ElsCore_info[] = { 4 | { "MappingDoAction",3, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "pBag", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_MAPPING_PROPERTY_BAG", 256, INOUT }, 8 | {1, "dwRangeIndex", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 9 | {2, "pszActionId", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 10 | } 11 | }, 12 | { "MappingGetServices",3, 13 | { 14 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 15 | {0, "pOptions", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_MAPPING_ENUM_OPTIONS", 320, IN }, 16 | {1, "prgServices", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "_MAPPING_SERVICE_INFO", 832, INOUT }, 17 | {2, "pdwServicesCount", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, INOUT }, 18 | } 19 | }, 20 | { "MappingRecognizeText",6, 21 | { 22 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 23 | {0, "pServiceInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_MAPPING_SERVICE_INFO", 832, IN }, 24 | {1, "pszText", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 25 | {2, "dwLength", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 26 | {3, "dwIndex", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 27 | {4, "pOptions", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_MAPPING_OPTIONS", 512, IN }, 28 | {5, "pbag", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_MAPPING_PROPERTY_BAG", 256, INOUT }, 29 | } 30 | }, 31 | { "MappingFreeServices",1, 32 | { 33 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 34 | {0, "pServiceInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_MAPPING_SERVICE_INFO", 832, IN }, 35 | } 36 | }, 37 | { "MappingFreePropertyBag",1, 38 | { 39 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 40 | {0, "pBag", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_MAPPING_PROPERTY_BAG", 256, IN }, 41 | } 42 | }, 43 | }; 44 | 45 | int ElsCorearraySize = (sizeof(ElsCore_info) / sizeof(ElsCore_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/FaultRep.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t FaultRep_info[] = { 4 | { "AddERExcludedApplicationA",1, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "szApplication", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 8 | } 9 | }, 10 | { "AddERExcludedApplicationW",1, 11 | { 12 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 13 | {0, "wszApplication", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 14 | } 15 | }, 16 | { "ReportFault",2, 17 | { 18 | {-1, "Return value", NKT_DBOBJCLASS_Enumeration, "tagEFaultRepRetVal", 32, INOUT }, 19 | {0, "pep", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_EXCEPTION_POINTERS", 64, IN }, 20 | {1, "dwOpt", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 21 | } 22 | }, 23 | { "WerReportHang",2, 24 | { 25 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 26 | {0, "hwndHungApp", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 27 | {1, "pwzHungApplicationName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 28 | } 29 | }, 30 | { "DllGetClassObject",3, 31 | { 32 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 33 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 34 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 35 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 36 | } 37 | }, 38 | { "DllCanUnloadNow",0, 39 | { 40 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 41 | } 42 | }, 43 | }; 44 | 45 | int FaultReparraySize = (sizeof(FaultRep_info) / sizeof(FaultRep_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/GPEdit.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t GPEdit_info[] = { 4 | { "BrowseForGPO",1, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "lpBrowseInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tag_GPOBROWSEINFO", 352, INOUT }, 8 | } 9 | }, 10 | { "DeleteGPOLink",2, 11 | { 12 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 13 | {0, "lpGPO", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 14 | {1, "lpContainer", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 15 | } 16 | }, 17 | { "DeleteAllGPOLinks",1, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 20 | {0, "lpContainer", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 21 | } 22 | }, 23 | { "DllGetClassObject",3, 24 | { 25 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 26 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 27 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 28 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 29 | } 30 | }, 31 | { "ImportRSoPData",2, 32 | { 33 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 34 | {0, "lpNameSpace", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 35 | {1, "lpFileName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 36 | } 37 | }, 38 | { "DllCanUnloadNow",0, 39 | { 40 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 41 | } 42 | }, 43 | { "CreateGPOLink",3, 44 | { 45 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 46 | {0, "lpGPO", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 47 | {1, "lpContainer", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 48 | {2, "fHighPriority", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 49 | } 50 | }, 51 | { "ExportRSoPData",2, 52 | { 53 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 54 | {0, "lpNameSpace", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 55 | {1, "lpFileName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 56 | } 57 | }, 58 | }; 59 | 60 | int GPEditarraySize = (sizeof(GPEdit_info) / sizeof(GPEdit_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/Icmui.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t Icmui_info[] = { 4 | { "SetupColorMatchingA",1, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "pcms", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_tagCOLORMATCHSETUPA", 608, IN }, 8 | } 9 | }, 10 | { "SetupColorMatchingW",1, 11 | { 12 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 13 | {0, "pcms", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_tagCOLORMATCHSETUPW", 608, IN }, 14 | } 15 | }, 16 | }; 17 | 18 | int IcmuiarraySize = (sizeof(Icmui_info) / sizeof(Icmui_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/Iprop.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t Iprop_info[] = { 4 | { "FreePropVariantArray",2, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "cVariants", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 8 | {1, "rgvars", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagPROPVARIANT", 128, IN }, 9 | } 10 | }, 11 | { "StgOpenPropStg",5, 12 | { 13 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 14 | {0, "pUnk", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IUnknown", 32, IN }, 15 | {1, "fmtid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 16 | {2, "grfFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 17 | {3, "dwReserved", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 18 | {4, "ppPropStg", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IPropertyStorage", 32, IN }, 19 | } 20 | }, 21 | { "FmtIdToPropStgName",2, 22 | { 23 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 24 | {0, "pfmtid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_GUID", 128, IN }, 25 | {1, "oszName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 26 | } 27 | }, 28 | { "PropVariantClear",1, 29 | { 30 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 31 | {0, "pvar", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagPROPVARIANT", 128, IN }, 32 | } 33 | }, 34 | { "PropStgNameToFmtId",2, 35 | { 36 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 37 | {0, "oszName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 38 | {1, "pfmtid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_GUID", 128, IN }, 39 | } 40 | }, 41 | { "PropVariantCopy",2, 42 | { 43 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 44 | {0, "pvarDest", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagPROPVARIANT", 128, IN }, 45 | {1, "pvarSrc", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagPROPVARIANT", 128, IN }, 46 | } 47 | }, 48 | { "StgCreatePropSetStg",3, 49 | { 50 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 51 | {0, "pStorage", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IStorage", 32, IN }, 52 | {1, "dwReserved", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 53 | {2, "ppPropSetStg", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IPropertySetStorage", 32, IN }, 54 | } 55 | }, 56 | { "StgCreatePropStg",6, 57 | { 58 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 59 | {0, "pUnk", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IUnknown", 32, IN }, 60 | {1, "fmtid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 61 | {2, "pclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_GUID", 128, IN }, 62 | {3, "grfFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 63 | {4, "dwReserved", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 64 | {5, "ppPropStg", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IPropertyStorage", 32, IN }, 65 | } 66 | }, 67 | }; 68 | 69 | int IproparraySize = (sizeof(Iprop_info) / sizeof(Iprop_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/Lz32.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t Lz32_info[] = { 4 | { "LZStart",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "LZInit",1, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "hfSource", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 13 | } 14 | }, 15 | { "GetExpandedNameA",2, 16 | { 17 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 18 | {0, "lpszSource", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 19 | {1, "lpszBuffer", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, INOUT }, 20 | } 21 | }, 22 | { "GetExpandedNameW",2, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 25 | {0, "lpszSource", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 26 | {1, "lpszBuffer", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, INOUT }, 27 | } 28 | }, 29 | { "LZDone",0, 30 | { 31 | {-1, "Return value", NKT_DBFUNDTYPE_Void, 0, 0, INOUT }, 32 | } 33 | }, 34 | { "LZRead",3, 35 | { 36 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 37 | {0, "hFile", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 38 | {1, "lpBuffer", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, INOUT }, 39 | {2, "cbRead", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 40 | } 41 | }, 42 | { "LZOpenFileW",3, 43 | { 44 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 45 | {0, "lpFileName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 46 | {1, "lpReOpenBuf", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_OFSTRUCT", 1088, INOUT }, 47 | {2, "wStyle", NKT_DBFUNDTYPE_UnsignedWord, 0, 2, IN }, 48 | } 49 | }, 50 | { "LZClose",1, 51 | { 52 | {-1, "Return value", NKT_DBFUNDTYPE_Void, 0, 0, INOUT }, 53 | {0, "hFile", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 54 | } 55 | }, 56 | { "LZCopy",2, 57 | { 58 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 59 | {0, "hfSource", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 60 | {1, "hfDest", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 61 | } 62 | }, 63 | { "LZSeek",3, 64 | { 65 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 66 | {0, "hFile", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 67 | {1, "lOffset", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 68 | {2, "iOrigin", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 69 | } 70 | }, 71 | { "CopyLZFile",2, 72 | { 73 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 74 | {0, "hfSource", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 75 | {1, "hfDest", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 76 | } 77 | }, 78 | { "LZOpenFileA",3, 79 | { 80 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 81 | {0, "lpFileName", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 82 | {1, "lpReOpenBuf", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_OFSTRUCT", 1088, INOUT }, 83 | {2, "wStyle", NKT_DBFUNDTYPE_UnsignedWord, 0, 2, IN }, 84 | } 85 | }, 86 | }; 87 | 88 | int Lz32arraySize = (sizeof(Lz32_info) / sizeof(Lz32_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/MSImg32.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t MSImg32_info[] = { 4 | { "GradientFill",6, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "hdc", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 8 | {1, "pVertex", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_TRIVERTEX", 128, IN }, 9 | {2, "nVertex", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 10 | {3, "pMesh", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 11 | {4, "nMesh", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 12 | {5, "ulMode", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 13 | } 14 | }, 15 | { "AlphaBlend",11, 16 | { 17 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 18 | {0, "hdcDest", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 19 | {1, "xoriginDest", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 20 | {2, "yoriginDest", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 21 | {3, "wDest", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 22 | {4, "hDest", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 23 | {5, "hdcSrc", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 24 | {6, "xoriginSrc", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 25 | {7, "yoriginSrc", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 26 | {8, "wSrc", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 27 | {9, "hSrc", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 28 | {10, "ftn", NKT_DBOBJCLASS_Struct, "_BLENDFUNCTION", 32, IN }, 29 | } 30 | }, 31 | { "TransparentBlt",11, 32 | { 33 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 34 | {0, "hdcDest", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 35 | {1, "xoriginDest", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 36 | {2, "yoriginDest", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 37 | {3, "wDest", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 38 | {4, "hDest", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 39 | {5, "hdcSrc", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 40 | {6, "xoriginSrc", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 41 | {7, "yoriginSrc", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 42 | {8, "wSrc", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 43 | {9, "hSrc", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 44 | {10, "crTransparent", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 45 | } 46 | }, 47 | }; 48 | 49 | int MSImg32arraySize = (sizeof(MSImg32_info) / sizeof(MSImg32_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/MSTask.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t MSTask_info[] = { 4 | { "DllGetClassObject",3, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 8 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 9 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 10 | } 11 | }, 12 | { "SetNetScheduleAccountInformation",3, 13 | { 14 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 15 | {0, "pwszServerName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 16 | {1, "pwszAccount", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 17 | {2, "pwszPassword", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 18 | } 19 | }, 20 | { "GetNetScheduleAccountInformation",3, 21 | { 22 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 23 | {0, "pwszServerName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 24 | {1, "ccAccount", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 25 | {2, "wszAccount", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, INOUT }, 26 | } 27 | }, 28 | { "DllCanUnloadNow",0, 29 | { 30 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 31 | } 32 | }, 33 | }; 34 | 35 | int MSTaskarraySize = (sizeof(MSTask_info) / sizeof(MSTask_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/RASDlg.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t RASDlg_info[] = { 4 | { "RasDialDlgA",4, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "lpszPhonebook", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 8 | {1, "lpszEntry", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 9 | {2, "lpszPhoneNumber", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 10 | {3, "lpInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagRASDIALDLG", 288, IN }, 11 | } 12 | }, 13 | { "RasDialDlgW",4, 14 | { 15 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 16 | {0, "lpszPhonebook", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 17 | {1, "lpszEntry", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 18 | {2, "lpszPhoneNumber", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 19 | {3, "lpInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagRASDIALDLG", 288, IN }, 20 | } 21 | }, 22 | { "RasPhonebookDlgA",3, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 25 | {0, "lpszPhonebook", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 26 | {1, "lpszEntry", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 27 | {2, "lpInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagRASPBDLGA", 320, INOUT }, 28 | } 29 | }, 30 | { "RasPhonebookDlgW",3, 31 | { 32 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 33 | {0, "lpszPhonebook", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 34 | {1, "lpszEntry", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 35 | {2, "lpInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagRASPBDLGW", 320, INOUT }, 36 | } 37 | }, 38 | { "DllGetClassObject",3, 39 | { 40 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 41 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 42 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 43 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 44 | } 45 | }, 46 | { "RasEntryDlgA",3, 47 | { 48 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 49 | {0, "lpszPhonebook", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 50 | {1, "lpszEntry", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 51 | {2, "lpInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagRASENTRYDLGA", 2336, IN }, 52 | } 53 | }, 54 | { "RasEntryDlgW",3, 55 | { 56 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 57 | {0, "lpszPhonebook", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 58 | {1, "lpszEntry", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 59 | {2, "lpInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagRASENTRYDLGW", 4384, IN }, 60 | } 61 | }, 62 | { "DllCanUnloadNow",0, 63 | { 64 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 65 | } 66 | }, 67 | }; 68 | 69 | int RASDlgarraySize = (sizeof(RASDlg_info) / sizeof(RASDlg_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/RichEd20.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t RichEd20_info[] = { 4 | { "CreateTextServices",3, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "punkOuter", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IUnknown", 32, IN }, 8 | {1, "pITextHost", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "ITextHost", 64, IN }, 9 | {2, "ppUnk", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IUnknown", 32, IN }, 10 | } 11 | }, 12 | }; 13 | 14 | int RichEd20arraySize = (sizeof(RichEd20_info) / sizeof(RichEd20_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/SCardDlg.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t SCardDlg_info[] = { 4 | { "SCardDlgExtendedError",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "SCardUIDlgSelectCardW",1, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, 0, NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "OPENCARDNAME_EXW", 576, IN }, 13 | } 14 | }, 15 | { "GetOpenCardNameA",1, 16 | { 17 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 18 | {0, 0, NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "OPENCARDNAMEA", 736, IN }, 19 | } 20 | }, 21 | { "GetOpenCardNameW",1, 22 | { 23 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 24 | {0, 0, NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "OPENCARDNAMEW", 736, IN }, 25 | } 26 | }, 27 | { "SCardUIDlgSelectCardA",1, 28 | { 29 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 30 | {0, 0, NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "OPENCARDNAME_EXA", 576, IN }, 31 | } 32 | }, 33 | }; 34 | 35 | int SCardDlgarraySize = (sizeof(SCardDlg_info) / sizeof(SCardDlg_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/SensAPI.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t SensAPI_info[] = { 4 | { "IsDestinationReachableW",2, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "lpszDestination", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 8 | {1, "lpQOCInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagQOCINFO", 128, IN }, 9 | } 10 | }, 11 | { "IsDestinationReachableA",2, 12 | { 13 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 14 | {0, "lpszDestination", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 15 | {1, "lpQOCInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagQOCINFO", 128, IN }, 16 | } 17 | }, 18 | { "IsNetworkAlive",1, 19 | { 20 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 21 | {0, "lpdwFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, INOUT }, 22 | } 23 | }, 24 | }; 25 | 26 | int SensAPIarraySize = (sizeof(SensAPI_info) / sizeof(SensAPI_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/Sfc.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t Sfc_info[] = { 4 | { "SfpVerifyFile",3, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "pszFileName", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 8 | {1, "pszError", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 9 | {2, "dwErrSize", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 10 | } 11 | }, 12 | { "SfcIsFileProtected",2, 13 | { 14 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 15 | {0, "RpcHandle", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 16 | {1, "ProtFileName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 17 | } 18 | }, 19 | { "SRSetRestorePointA",2, 20 | { 21 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 22 | {0, "pRestorePtSpec", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_RESTOREPTINFOA", 640, IN }, 23 | {1, "pSMgrStatus", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_SMGRSTATUS", 96, INOUT }, 24 | } 25 | }, 26 | { "SRSetRestorePointW",2, 27 | { 28 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 29 | {0, "pRestorePtSpec", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_RESTOREPTINFOW", 4224, IN }, 30 | {1, "pSMgrStatus", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_SMGRSTATUS", 96, INOUT }, 31 | } 32 | }, 33 | { "SfcGetNextProtectedFile",2, 34 | { 35 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 36 | {0, "RpcHandle", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 37 | {1, "ProtFileData", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_PROTECTED_FILE_DATA", 4192, INOUT }, 38 | } 39 | }, 40 | { "SfcIsKeyProtected",3, 41 | { 42 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 43 | {0, "KeyHandle", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 44 | {1, "SubKeyName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 45 | {2, "KeySam", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 46 | } 47 | }, 48 | }; 49 | 50 | int SfcarraySize = (sizeof(Sfc_info) / sizeof(Sfc_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/ShFolder.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t ShFolder_info[] = { 4 | { "SHGetFolderPathA",5, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "hwnd", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 8 | {1, "csidl", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 9 | {2, "hToken", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 10 | {3, "dwFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 11 | {4, "pszPath", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 12 | } 13 | }, 14 | { "SHGetFolderPathW",5, 15 | { 16 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 17 | {0, "hwnd", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 18 | {1, "csidl", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 19 | {2, "hToken", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 20 | {3, "dwFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 21 | {4, "pszPath", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 22 | } 23 | }, 24 | }; 25 | 26 | int ShFolderarraySize = (sizeof(ShFolder_info) / sizeof(ShFolder_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/SrClient.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t SrClient_info[] = { 4 | { "SRRemoveRestorePoint",1, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 7 | {0, "dwRPNum", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 8 | } 9 | }, 10 | { "SRSetRestorePointA",2, 11 | { 12 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 13 | {0, "pRestorePtSpec", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_RESTOREPTINFOA", 640, IN }, 14 | {1, "pSMgrStatus", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_SMGRSTATUS", 96, INOUT }, 15 | } 16 | }, 17 | { "SRSetRestorePointW",2, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 20 | {0, "pRestorePtSpec", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_RESTOREPTINFOW", 4224, IN }, 21 | {1, "pSMgrStatus", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_SMGRSTATUS", 96, INOUT }, 22 | } 23 | }, 24 | { "SRSetRestorePointInternal",3, 25 | { 26 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 27 | {0, "pRestorePtSpec", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_RESTOREPTINFOW", 4224, IN }, 28 | {1, "pSMgrStatus", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_SMGRSTATUS", 96, IN }, 29 | {2, "fForceSurrogate", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 30 | } 31 | }, 32 | }; 33 | 34 | int SrClientarraySize = (sizeof(SrClient_info) / sizeof(SrClient_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/Sti.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t Sti_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "StiCreateInstanceW",4, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "hinst", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 13 | {1, "dwVer", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 14 | {2, "ppSti", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IStillImageW", 32, INOUT }, 15 | {3, "punkOuter", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IUnknown", 32, IN }, 16 | } 17 | }, 18 | { "DllGetClassObject",3, 19 | { 20 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 21 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 22 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 23 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 24 | } 25 | }, 26 | { "DllCanUnloadNow",0, 27 | { 28 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 29 | } 30 | }, 31 | { "DllUnregisterServer",0, 32 | { 33 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 34 | } 35 | }, 36 | }; 37 | 38 | int StiarraySize = (sizeof(Sti_info) / sizeof(Sti_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/Url.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t Url_info[] = { 4 | { "URLAssociationDialogA",6, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "hwndParent", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 8 | {1, "dwInFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 9 | {2, "pcszFile", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 10 | {3, "pcszURL", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 11 | {4, "pszAppBuf", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 12 | {5, "ucAppBufLen", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 13 | } 14 | }, 15 | { "URLAssociationDialogW",6, 16 | { 17 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 18 | {0, "hwndParent", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 19 | {1, "dwInFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 20 | {2, "pcszFile", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 21 | {3, "pcszURL", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 22 | {4, "pszAppBuf", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 23 | {5, "ucAppBufLen", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 24 | } 25 | }, 26 | { "InetIsOffline",1, 27 | { 28 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 29 | {0, "dwFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 30 | } 31 | }, 32 | { "TranslateURLA",3, 33 | { 34 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 35 | {0, "pcszURL", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 36 | {1, "dwInFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 37 | {2, "ppszTranslatedURL", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_PointerPointer, 0, 1, IN }, 38 | } 39 | }, 40 | { "TranslateURLW",3, 41 | { 42 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 43 | {0, "pcszURL", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 44 | {1, "dwInFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 45 | {2, "ppszTranslatedURL", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_PointerPointer, 0, 2, IN }, 46 | } 47 | }, 48 | { "MIMEAssociationDialogA",6, 49 | { 50 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 51 | {0, "hwndParent", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 52 | {1, "dwInFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 53 | {2, "pcszFile", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 54 | {3, "pcszMIMEContentType", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 55 | {4, "pszAppBuf", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 56 | {5, "ucAppBufLen", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 57 | } 58 | }, 59 | { "MIMEAssociationDialogW",6, 60 | { 61 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 62 | {0, "hwndParent", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 63 | {1, "dwInFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 64 | {2, "pcszFile", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 65 | {3, "pcszMIMEContentType", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 66 | {4, "pszAppBuf", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 67 | {5, "ucAppBufLen", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 68 | } 69 | }, 70 | }; 71 | 72 | int UrlarraySize = (sizeof(Url_info) / sizeof(Url_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/corrEngine.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t corrEngine_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "DllGetClassObject",3, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 13 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 14 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 15 | } 16 | }, 17 | { "DllCanUnloadNow",0, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 20 | } 21 | }, 22 | { "DllUnregisterServer",0, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 25 | } 26 | }, 27 | }; 28 | 29 | int corrEnginearraySize = (sizeof(corrEngine_info) / sizeof(corrEngine_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/cscapi.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t cscapi_info[] = { 4 | { "OfflineFilesQueryStatus",2, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 7 | {0, "pbActive", NKT_DBFUNDTYPE_SignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, INOUT }, 8 | {1, "pbEnabled", NKT_DBFUNDTYPE_SignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, INOUT }, 9 | } 10 | }, 11 | { "OfflineFilesEnable",2, 12 | { 13 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 14 | {0, "bEnable", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 15 | {1, "pbRebootRequired", NKT_DBFUNDTYPE_SignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, INOUT }, 16 | } 17 | }, 18 | }; 19 | 20 | int cscapiarraySize = (sizeof(cscapi_info) / sizeof(cscapi_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/d3d11.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t d3d11_info[] = { 4 | { "D3D11CreateDeviceAndSwapChain",12, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "pAdapter", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IDXGIAdapter", 32, IN }, 8 | {1, "DriverType", NKT_DBOBJCLASS_Enumeration, "D3D_DRIVER_TYPE", 32, IN }, 9 | {2, "Software", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 10 | {3, "Flags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 11 | {4, "pFeatureLevels", NKT_DBOBJCLASS_Enumeration | NKT_DBOBJCLASS_Pointer, "D3D_FEATURE_LEVEL", 32, IN }, 12 | {5, "FeatureLevels", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 13 | {6, "SDKVersion", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 14 | {7, "pSwapChainDesc", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "DXGI_SWAP_CHAIN_DESC", 480, IN }, 15 | {8, "ppSwapChain", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IDXGISwapChain", 32, IN }, 16 | {9, "ppDevice", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "ID3D11Device", 32, IN }, 17 | {10, "pFeatureLevel", NKT_DBOBJCLASS_Enumeration | NKT_DBOBJCLASS_Pointer, "D3D_FEATURE_LEVEL", 32, IN }, 18 | {11, "ppImmediateContext", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "ID3D11DeviceContext", 32, IN }, 19 | } 20 | }, 21 | { "D3D11CreateDevice",10, 22 | { 23 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 24 | {0, "pAdapter", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IDXGIAdapter", 32, IN }, 25 | {1, "DriverType", NKT_DBOBJCLASS_Enumeration, "D3D_DRIVER_TYPE", 32, IN }, 26 | {2, "Software", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 27 | {3, "Flags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 28 | {4, "pFeatureLevels", NKT_DBOBJCLASS_Enumeration | NKT_DBOBJCLASS_Pointer, "D3D_FEATURE_LEVEL", 32, IN }, 29 | {5, "FeatureLevels", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 30 | {6, "SDKVersion", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 31 | {7, "ppDevice", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "ID3D11Device", 32, IN }, 32 | {8, "pFeatureLevel", NKT_DBOBJCLASS_Enumeration | NKT_DBOBJCLASS_Pointer, "D3D_FEATURE_LEVEL", 32, IN }, 33 | {9, "ppImmediateContext", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "ID3D11DeviceContext", 32, IN }, 34 | } 35 | }, 36 | }; 37 | 38 | int d3d11arraySize = (sizeof(d3d11_info) / sizeof(d3d11_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/d3d9.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t d3d9_info[] = { 4 | { "D3DPERF_EndEvent",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "D3DPERF_SetOptions",1, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_Void, 0, 0, INOUT }, 12 | {0, "dwOptions", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 13 | } 14 | }, 15 | { "Direct3DCreate9",1, 16 | { 17 | {-1, "Return value", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IDirect3D9", 32, INOUT }, 18 | {0, "SDKVersion", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 19 | } 20 | }, 21 | { "D3DPERF_SetMarker",2, 22 | { 23 | {-1, "Return value", NKT_DBFUNDTYPE_Void, 0, 0, INOUT }, 24 | {0, "col", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 25 | {1, "wszName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 26 | } 27 | }, 28 | { "D3DPERF_GetStatus",0, 29 | { 30 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 31 | } 32 | }, 33 | { "D3DPERF_SetRegion",2, 34 | { 35 | {-1, "Return value", NKT_DBFUNDTYPE_Void, 0, 0, INOUT }, 36 | {0, "col", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 37 | {1, "wszName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 38 | } 39 | }, 40 | { "D3DPERF_BeginEvent",2, 41 | { 42 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 43 | {0, "col", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 44 | {1, "wszName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 45 | } 46 | }, 47 | { "D3DPERF_QueryRepeatFrame",0, 48 | { 49 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 50 | } 51 | }, 52 | { "Direct3DCreate9Ex",2, 53 | { 54 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 55 | {0, "SDKVersion", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 56 | {1, 0, NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IDirect3D9Ex", 32, IN }, 57 | } 58 | }, 59 | }; 60 | 61 | int d3d9arraySize = (sizeof(d3d9_info) / sizeof(d3d9_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/dhcpcsvc6.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t dhcpcsvc6_info[] = { 4 | { "Dhcpv6RequestPrefix",4, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 7 | {0, "adapterName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 8 | {1, "pclassId", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_DHCPV6CAPI_CLASSID", 96, IN }, 9 | {2, "prefixleaseInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_DHCPV6PrefixLeaseInformation", 512, INOUT }, 10 | {3, "pdwTimeToWait", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, INOUT }, 11 | } 12 | }, 13 | { "Dhcpv6RequestParams",7, 14 | { 15 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 16 | {0, "forceNewInform", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 17 | {1, "reserved", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 18 | {2, "adapterName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 19 | {3, "classId", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_DHCPV6CAPI_CLASSID", 96, IN }, 20 | {4, "recdParams", NKT_DBOBJCLASS_Struct, "_DHCPV6CAPI_PARAMS_ARRAY", 64, IN }, 21 | {5, "buffer", NKT_DBFUNDTYPE_UnsignedByte | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 22 | {6, "pSize", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 23 | } 24 | }, 25 | { "Dhcpv6ReleasePrefix",3, 26 | { 27 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 28 | {0, "adapterName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 29 | {1, "classId", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_DHCPV6CAPI_CLASSID", 96, IN }, 30 | {2, "leaseInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_DHCPV6PrefixLeaseInformation", 512, IN }, 31 | } 32 | }, 33 | { "Dhcpv6RenewPrefix",5, 34 | { 35 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 36 | {0, "adapterName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 37 | {1, "pclassId", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_DHCPV6CAPI_CLASSID", 96, IN }, 38 | {2, "prefixleaseInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_DHCPV6PrefixLeaseInformation", 512, INOUT }, 39 | {3, "pdwTimeToWait", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, INOUT }, 40 | {4, "bValidatePrefix", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 41 | } 42 | }, 43 | }; 44 | 45 | int dhcpcsvc6arraySize = (sizeof(dhcpcsvc6_info) / sizeof(dhcpcsvc6_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/dinput8.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t dinput8_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "DirectInput8Create",5, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "hinst", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 13 | {1, "dwVersion", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 14 | {2, "riidltf", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 15 | {3, "ppvOut", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 16 | {4, "punkOuter", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IUnknown", 32, IN }, 17 | } 18 | }, 19 | { "DllGetClassObject",3, 20 | { 21 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 22 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 23 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 24 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 25 | } 26 | }, 27 | { "DllCanUnloadNow",0, 28 | { 29 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 30 | } 31 | }, 32 | { "DllUnregisterServer",0, 33 | { 34 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 35 | } 36 | }, 37 | }; 38 | 39 | int dinput8arraySize = (sizeof(dinput8_info) / sizeof(dinput8_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/dpx.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t dpx_info[] = { 4 | { "DpxFreeMemory",1, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_Void, 0, 0, INOUT }, 7 | {0, "Allocation", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 8 | } 9 | }, 10 | { "DpxNewJob",2, 11 | { 12 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 13 | {0, "TargetPath", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 14 | {1, "ppJob", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IDpxJob", 32, IN }, 15 | } 16 | }, 17 | { "DpxRestoreJob",2, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 20 | {0, "TargetPath", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 21 | {1, "ppJob", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IDpxJob", 32, IN }, 22 | } 23 | }, 24 | }; 25 | 26 | int dpxarraySize = (sizeof(dpx_info) / sizeof(dpx_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/drtprov.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t drtprov_info[] = { 4 | { "DrtCreateDerivedKey",2, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "pLocalCert", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_CERT_CONTEXT", 160, IN }, 8 | {1, "pKey", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "drt_data_tag", 64, IN }, 9 | } 10 | }, 11 | { "DrtDeletePnrpBootstrapResolver",1, 12 | { 13 | {-1, "Return value", NKT_DBFUNDTYPE_Void, 0, 0, INOUT }, 14 | {0, "pResolver", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "drt_bootstrap_provider_tag", 256, IN }, 15 | } 16 | }, 17 | { "DrtDeleteDnsBootstrapResolver",1, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_Void, 0, 0, INOUT }, 20 | {0, "pResolver", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "drt_bootstrap_provider_tag", 256, IN }, 21 | } 22 | }, 23 | { "DrtDeleteDerivedKeySecurityProvider",1, 24 | { 25 | {-1, "Return value", NKT_DBFUNDTYPE_Void, 0, 0, INOUT }, 26 | {0, "pSecurityProvider", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "drt_security_provider_tag", 448, IN }, 27 | } 28 | }, 29 | { "DrtCreateDnsBootstrapResolver",3, 30 | { 31 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 32 | {0, "port", NKT_DBFUNDTYPE_UnsignedWord, 0, 2, IN }, 33 | {1, "pwszAddress", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 34 | {2, "ppModule", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "drt_bootstrap_provider_tag", 256, IN }, 35 | } 36 | }, 37 | { "DrtCreateDerivedKeySecurityProvider",3, 38 | { 39 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 40 | {0, "pRootCert", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_CERT_CONTEXT", 160, IN }, 41 | {1, "pLocalCert", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_CERT_CONTEXT", 160, IN }, 42 | {2, "ppSecurityProvider", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "drt_security_provider_tag", 448, IN }, 43 | } 44 | }, 45 | { "DrtDeleteNullSecurityProvider",1, 46 | { 47 | {-1, "Return value", NKT_DBFUNDTYPE_Void, 0, 0, INOUT }, 48 | {0, "pSecurityProvider", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "drt_security_provider_tag", 448, IN }, 49 | } 50 | }, 51 | { "DrtCreateNullSecurityProvider",1, 52 | { 53 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 54 | {0, "ppSecurityProvider", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "drt_security_provider_tag", 448, IN }, 55 | } 56 | }, 57 | { "DrtCreatePnrpBootstrapResolver",5, 58 | { 59 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 60 | {0, "fPublish", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 61 | {1, "pwzPeerName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 62 | {2, "pwzCloudName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 63 | {3, "pwzPublishingIdentity", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 64 | {4, "ppResolver", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "drt_bootstrap_provider_tag", 256, IN }, 65 | } 66 | }, 67 | }; 68 | 69 | int drtprovarraySize = (sizeof(drtprov_info) / sizeof(drtprov_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/drttransport.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t drttransport_info[] = { 4 | { "DrtDeleteIpv6UdpTransport",1, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "hTransport", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 8 | } 9 | }, 10 | { "DrtCreateIpv6UdpTransport",5, 11 | { 12 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 13 | {0, "scope", NKT_DBOBJCLASS_Enumeration, "drt_scope_tag", 32, IN }, 14 | {1, "dwScopeId", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 15 | {2, "dwLocalityThreshold", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 16 | {3, "pwPort", NKT_DBFUNDTYPE_UnsignedWord | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 17 | {4, "phTransport", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 18 | } 19 | }, 20 | }; 21 | 22 | int drttransportarraySize = (sizeof(drttransport_info) / sizeof(drttransport_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/dxgi.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t dxgi_info[] = { 4 | { "CreateDXGIFactory1",2, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 8 | {1, "ppFactory", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 9 | } 10 | }, 11 | { "CreateDXGIFactory",2, 12 | { 13 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 14 | {0, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 15 | {1, "ppFactory", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 16 | } 17 | }, 18 | }; 19 | 20 | int dxgiarraySize = (sizeof(dxgi_info) / sizeof(dxgi_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/encapi.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t encapi_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "DllGetClassObject",3, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 13 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 14 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 15 | } 16 | }, 17 | { "DllCanUnloadNow",0, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 20 | } 21 | }, 22 | { "DllUnregisterServer",0, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 25 | } 26 | }, 27 | }; 28 | 29 | int encapiarraySize = (sizeof(encapi_info) / sizeof(encapi_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/fontsub.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t fontsub_info[] = { 4 | { "CreateFontPackage",17, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 7 | {0, "puchSrcBuffer", NKT_DBFUNDTYPE_UnsignedByte | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 8 | {1, "ulSrcBufferSize", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 9 | {2, "ppuchFontPackageBuffer", NKT_DBFUNDTYPE_UnsignedByte | NKT_DBOBJCLASS_PointerPointer, 0, 1, IN }, 10 | {3, "pulFontPackageBufferSize", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, INOUT }, 11 | {4, "pulBytesWritten", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, INOUT }, 12 | {5, "usFlag", NKT_DBFUNDTYPE_UnsignedWord, 0, 2, IN }, 13 | {6, "usTTCIndex", NKT_DBFUNDTYPE_UnsignedWord, 0, 2, IN }, 14 | {7, "usSubsetFormat", NKT_DBFUNDTYPE_UnsignedWord, 0, 2, IN }, 15 | {8, "usSubsetLanguage", NKT_DBFUNDTYPE_UnsignedWord, 0, 2, IN }, 16 | {9, "usSubsetPlatform", NKT_DBFUNDTYPE_UnsignedWord, 0, 2, IN }, 17 | {10, "usSubsetEncoding", NKT_DBFUNDTYPE_UnsignedWord, 0, 2, IN }, 18 | {11, "pusSubsetKeepList", NKT_DBFUNDTYPE_UnsignedWord | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 19 | {12, "usSubsetListCount", NKT_DBFUNDTYPE_UnsignedWord, 0, 2, IN }, 20 | {13, "lpfnAllocate", NKT_DBOBJCLASS_Typedef, 0, 0, IN }, 21 | {14, "lpfnReAllocate", NKT_DBOBJCLASS_Typedef, 0, 0, IN }, 22 | {15, "lpfnFree", NKT_DBOBJCLASS_Typedef, 0, 0, IN }, 23 | {16, "lpvReserved", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 24 | } 25 | }, 26 | { "MergeFontPackage",12, 27 | { 28 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 29 | {0, "puchMergeFontBuffer", NKT_DBFUNDTYPE_UnsignedByte | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 30 | {1, "ulMergeFontBufferSize", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 31 | {2, "puchFontPackageBuffer", NKT_DBFUNDTYPE_UnsignedByte | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 32 | {3, "ulFontPackageBufferSize", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 33 | {4, "ppuchDestBuffer", NKT_DBFUNDTYPE_UnsignedByte | NKT_DBOBJCLASS_PointerPointer, 0, 1, INOUT }, 34 | {5, "pulDestBufferSize", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, INOUT }, 35 | {6, "pulBytesWritten", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, INOUT }, 36 | {7, "usMode", NKT_DBFUNDTYPE_UnsignedWord, 0, 2, IN }, 37 | {8, "lpfnAllocate", NKT_DBOBJCLASS_Typedef, 0, 0, IN }, 38 | {9, "lpfnReAllocate", NKT_DBOBJCLASS_Typedef, 0, 0, IN }, 39 | {10, "lpfnFree", NKT_DBOBJCLASS_Typedef, 0, 0, IN }, 40 | {11, "lpvReserved", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 41 | } 42 | }, 43 | }; 44 | 45 | int fontsubarraySize = (sizeof(fontsub_info) / sizeof(fontsub_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/fxsutility.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t fxsutility_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "CanSendToFaxRecipient",0, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | } 13 | }, 14 | { "DllGetClassObject",3, 15 | { 16 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 17 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 18 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 19 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 20 | } 21 | }, 22 | { "SendToFaxRecipient",2, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 25 | {0, "sndMode", NKT_DBOBJCLASS_Enumeration, "SendToMode", 32, IN }, 26 | {1, "lpFileName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 27 | } 28 | }, 29 | { "DllCanUnloadNow",0, 30 | { 31 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 32 | } 33 | }, 34 | { "DllUnregisterServer",0, 35 | { 36 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 37 | } 38 | }, 39 | }; 40 | 41 | int fxsutilityarraySize = (sizeof(fxsutility_info) / sizeof(fxsutility_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/ksuser.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t ksuser_info[] = { 4 | { "KsCreateAllocator",3, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 7 | {0, "ConnectionHandle", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 8 | {1, "AllocatorFraming", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "KSALLOCATOR_FRAMING", 192, IN }, 9 | {2, "AllocatorHandle", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 10 | } 11 | }, 12 | { "KsCreatePin",4, 13 | { 14 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 15 | {0, "FilterHandle", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 16 | {1, "Connect", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "KSPIN_CONNECT", 512, IN }, 17 | {2, "DesiredAccess", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 18 | {3, "ConnectionHandle", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 19 | } 20 | }, 21 | { "KsCreateClock",3, 22 | { 23 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 24 | {0, "ConnectionHandle", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 25 | {1, "ClockCreate", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "KSCLOCK_CREATE", 32, IN }, 26 | {2, "ClockHandle", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 27 | } 28 | }, 29 | { "KsCreateTopologyNode",4, 30 | { 31 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 32 | {0, "ParentHandle", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 33 | {1, "NodeCreate", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "KSNODE_CREATE", 64, IN }, 34 | {2, "DesiredAccess", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 35 | {3, "NodeHandle", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 36 | } 37 | }, 38 | }; 39 | 40 | int ksuserarraySize = (sizeof(ksuser_info) / sizeof(ksuser_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/locationapi.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t locationapi_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "DllGetClassObject",3, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 13 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 14 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 15 | } 16 | }, 17 | { "DllCanUnloadNow",0, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 20 | } 21 | }, 22 | { "DllUnregisterServer",0, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 25 | } 26 | }, 27 | }; 28 | 29 | int locationapiarraySize = (sizeof(locationapi_info) / sizeof(locationapi_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/magnification.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t magnification_info[] = { 4 | { "MagSetWindowSource",2, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "hwnd", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 8 | {1, "rect", NKT_DBOBJCLASS_Struct, "tagRECT", 128, IN }, 9 | } 10 | }, 11 | { "MagInitialize",0, 12 | { 13 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 14 | } 15 | }, 16 | { "MagSetImageScalingCallback",2, 17 | { 18 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 19 | {0, "hwnd", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 20 | {1, "callback", NKT_DBOBJCLASS_Typedef, 0, 0, IN }, 21 | } 22 | }, 23 | { "MagSetWindowTransform",2, 24 | { 25 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 26 | {0, "hwnd", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 27 | {1, "pTransform", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagMAGTRANSFORM", 288, IN }, 28 | } 29 | }, 30 | { "MagGetImageScalingCallback",1, 31 | { 32 | {-1, "Return value", NKT_DBOBJCLASS_Typedef, 0, 0, INOUT }, 33 | {0, "hwnd", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 34 | } 35 | }, 36 | { "MagGetWindowSource",2, 37 | { 38 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 39 | {0, "hwnd", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 40 | {1, "pRect", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagRECT", 128, IN }, 41 | } 42 | }, 43 | { "MagUninitialize",0, 44 | { 45 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 46 | } 47 | }, 48 | { "MagGetWindowFilterList",4, 49 | { 50 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 51 | {0, "hwnd", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 52 | {1, "pdwFilterMode", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 53 | {2, "count", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 54 | {3, "pHWND", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 55 | } 56 | }, 57 | { "MagGetColorEffect",2, 58 | { 59 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 60 | {0, "hwnd", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 61 | {1, "pEffect", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagMAGCOLOREFFECT", 800, IN }, 62 | } 63 | }, 64 | { "MagSetColorEffect",2, 65 | { 66 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 67 | {0, "hwnd", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 68 | {1, "pEffect", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagMAGCOLOREFFECT", 800, IN }, 69 | } 70 | }, 71 | { "MagGetWindowTransform",2, 72 | { 73 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 74 | {0, "hwnd", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 75 | {1, "pTransform", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tagMAGTRANSFORM", 288, IN }, 76 | } 77 | }, 78 | { "MagSetWindowFilterList",4, 79 | { 80 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 81 | {0, "hwnd", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 82 | {1, "dwFilterMode", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 83 | {2, "count", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 84 | {3, "pHWND", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 85 | } 86 | }, 87 | }; 88 | 89 | int magnificationarraySize = (sizeof(magnification_info) / sizeof(magnification_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/mfplay.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t mfplay_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "MFPCreateMediaPlayer",6, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "pwszURL", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 13 | {1, "fStartPlayback", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 14 | {2, "creationOptions", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 15 | {3, "pCallback", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMFPMediaPlayerCallback", 32, IN }, 16 | {4, "hWnd", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 17 | {5, "ppMediaPlayer", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IMFPMediaPlayer", 32, INOUT }, 18 | } 19 | }, 20 | { "DllGetClassObject",3, 21 | { 22 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 23 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 24 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 25 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 26 | } 27 | }, 28 | { "DllCanUnloadNow",0, 29 | { 30 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 31 | } 32 | }, 33 | { "DllUnregisterServer",0, 34 | { 35 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 36 | } 37 | }, 38 | }; 39 | 40 | int mfplayarraySize = (sizeof(mfplay_info) / sizeof(mfplay_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/mfreadwrite.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t mfreadwrite_info[] = { 4 | { "MFCreateSinkWriterFromMediaSink",3, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "pMediaSink", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMFMediaSink", 32, IN }, 8 | {1, "pAttributes", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMFAttributes", 32, IN }, 9 | {2, "ppSinkWriter", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IMFSinkWriter", 32, INOUT }, 10 | } 11 | }, 12 | { "MFCreateSourceReaderFromMediaSource",3, 13 | { 14 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 15 | {0, "pMediaSource", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMFMediaSource", 32, IN }, 16 | {1, "pAttributes", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMFAttributes", 32, IN }, 17 | {2, "ppSourceReader", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IMFSourceReader", 32, INOUT }, 18 | } 19 | }, 20 | { "DllGetClassObject",3, 21 | { 22 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 23 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 24 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 25 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 26 | } 27 | }, 28 | { "MFCreateSourceReaderFromByteStream",3, 29 | { 30 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 31 | {0, "pByteStream", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMFByteStream", 32, IN }, 32 | {1, "pAttributes", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMFAttributes", 32, IN }, 33 | {2, "ppSourceReader", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IMFSourceReader", 32, INOUT }, 34 | } 35 | }, 36 | { "MFCreateSourceReaderFromURL",3, 37 | { 38 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 39 | {0, "pwszURL", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 40 | {1, "pAttributes", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMFAttributes", 32, IN }, 41 | {2, "ppSourceReader", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IMFSourceReader", 32, INOUT }, 42 | } 43 | }, 44 | { "MFCreateSinkWriterFromURL",4, 45 | { 46 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 47 | {0, "pwszOutputURL", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 48 | {1, "pByteStream", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMFByteStream", 32, IN }, 49 | {2, "pAttributes", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMFAttributes", 32, IN }, 50 | {3, "ppSinkWriter", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IMFSinkWriter", 32, INOUT }, 51 | } 52 | }, 53 | { "DllCanUnloadNow",0, 54 | { 55 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 56 | } 57 | }, 58 | }; 59 | 60 | int mfreadwritearraySize = (sizeof(mfreadwrite_info) / sizeof(mfreadwrite_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/msctfmonitor.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t msctfmonitor_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "InitLocalMsCtfMonitor",1, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "dwFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 13 | } 14 | }, 15 | { "DoMsCtfMonitor",2, 16 | { 17 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 18 | {0, "dwFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 19 | {1, "hEventForServiceStop", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 20 | } 21 | }, 22 | { "UninitLocalMsCtfMonitor",0, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 25 | } 26 | }, 27 | { "DllGetClassObject",3, 28 | { 29 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 30 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 31 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 32 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 33 | } 34 | }, 35 | { "DllCanUnloadNow",0, 36 | { 37 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 38 | } 39 | }, 40 | { "DllUnregisterServer",0, 41 | { 42 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 43 | } 44 | }, 45 | }; 46 | 47 | int msctfmonitorarraySize = (sizeof(msctfmonitor_info) / sizeof(msctfmonitor_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/msxml6.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t msxml6_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "DllGetClassObject",3, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 13 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 14 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 15 | } 16 | }, 17 | { "DllCanUnloadNow",0, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 20 | } 21 | }, 22 | { "DllUnregisterServer",0, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 25 | } 26 | }, 27 | }; 28 | 29 | int msxml6arraySize = (sizeof(msxml6_info) / sizeof(msxml6_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/ndproxystub.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t ndproxystub_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "DllGetClassObject",3, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 13 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 14 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 15 | } 16 | }, 17 | { "DllCanUnloadNow",0, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 20 | } 21 | }, 22 | { "DllUnregisterServer",0, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 25 | } 26 | }, 27 | }; 28 | 29 | int ndproxystubarraySize = (sizeof(ndproxystub_info) / sizeof(ndproxystub_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/normaliz.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t normaliz_info[] = { 4 | { "NormalizeString",5, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "NormForm", NKT_DBOBJCLASS_Enumeration, "_NORM_FORM", 32, IN }, 8 | {1, "lpSrcString", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 9 | {2, "cwSrcLength", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 10 | {3, "lpDstString", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, INOUT }, 11 | {4, "cwDstLength", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 12 | } 13 | }, 14 | { "IsNormalizedString",3, 15 | { 16 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 17 | {0, "NormForm", NKT_DBOBJCLASS_Enumeration, "_NORM_FORM", 32, IN }, 18 | {1, "lpString", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 19 | {2, "cwLength", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 20 | } 21 | }, 22 | { "IdnToNameprepUnicode",5, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 25 | {0, "dwFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 26 | {1, "lpUnicodeCharStr", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 27 | {2, "cchUnicodeChar", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 28 | {3, "lpNameprepCharStr", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, INOUT }, 29 | {4, "cchNameprepChar", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 30 | } 31 | }, 32 | { "IdnToAscii",5, 33 | { 34 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 35 | {0, "dwFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 36 | {1, "lpUnicodeCharStr", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 37 | {2, "cchUnicodeChar", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 38 | {3, "lpASCIICharStr", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, INOUT }, 39 | {4, "cchASCIIChar", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 40 | } 41 | }, 42 | { "IdnToUnicode",5, 43 | { 44 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 45 | {0, "dwFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 46 | {1, "lpASCIICharStr", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 47 | {2, "cchASCIIChar", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 48 | {3, "lpUnicodeCharStr", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, INOUT }, 49 | {4, "cchUnicodeChar", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 50 | } 51 | }, 52 | }; 53 | 54 | int normalizarraySize = (sizeof(normaliz_info) / sizeof(normaliz_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/quartz.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t quartz_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "AMGetErrorTextA",3, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 12 | {0, "hr", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 13 | {1, "pbuffer", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 14 | {2, "MaxLen", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 15 | } 16 | }, 17 | { "AMGetErrorTextW",3, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 20 | {0, "hr", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 21 | {1, "pbuffer", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 22 | {2, "MaxLen", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 23 | } 24 | }, 25 | { "DllGetClassObject",3, 26 | { 27 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 28 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 29 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 30 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 31 | } 32 | }, 33 | { "DllCanUnloadNow",0, 34 | { 35 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 36 | } 37 | }, 38 | { "DllUnregisterServer",0, 39 | { 40 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 41 | } 42 | }, 43 | }; 44 | 45 | int quartzarraySize = (sizeof(quartz_info) / sizeof(quartz_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/sas.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t sas_info[] = { 4 | { "SendSAS",1, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_Void, 0, 0, INOUT }, 7 | {0, "AsUser", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 8 | } 9 | }, 10 | }; 11 | 12 | int sasarraySize = (sizeof(sas_info) / sizeof(sas_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/sensorsapi.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t sensorsapi_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "DllGetClassObject",3, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 13 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 14 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 15 | } 16 | }, 17 | { "DllCanUnloadNow",0, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 20 | } 21 | }, 22 | { "DllUnregisterServer",0, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 25 | } 26 | }, 27 | }; 28 | 29 | int sensorsapiarraySize = (sizeof(sensorsapi_info) / sizeof(sensorsapi_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/shdocvw.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t shdocvw_info[] = { 4 | { "ImportPrivacySettings",3, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "pszFilename", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 8 | {1, "pfParsePrivacyPreferences", NKT_DBFUNDTYPE_SignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 9 | {2, "pfParsePerSiteRules", NKT_DBFUNDTYPE_SignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 10 | } 11 | }, 12 | { "DllGetClassObject",3, 13 | { 14 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 15 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 16 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 17 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 18 | } 19 | }, 20 | { "SoftwareUpdateMessageBox",4, 21 | { 22 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 23 | {0, "hWnd", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 24 | {1, "pszDistUnit", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 25 | {2, "dwFlags", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 26 | {3, "psdi", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_tagSOFTDISTINFO", 416, IN }, 27 | } 28 | }, 29 | { "DoPrivacyDlg",4, 30 | { 31 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 32 | {0, "hwndOwner", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 33 | {1, "pszUrl", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 34 | {2, "pPrivacyEnum", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IEnumPrivacyRecords", 32, IN }, 35 | {3, "fReportAllSites", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 36 | } 37 | }, 38 | { "DllCanUnloadNow",0, 39 | { 40 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 41 | } 42 | }, 43 | }; 44 | 45 | int shdocvwarraySize = (sizeof(shdocvw_info) / sizeof(shdocvw_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/slcext.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t slcext_info[] = { 4 | { "SLActivateProduct",7, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "hSLC", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 8 | {1, "pProductSkuId", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_GUID", 128, IN }, 9 | {2, "cbAppSpecificData", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 10 | {3, "pvAppSpecificData", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 11 | {4, "pActivationInfo", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_tagSL_ACTIVATION_INFO_HEADER", 64, IN }, 12 | {5, "pwszProxyServer", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 13 | {6, "wProxyPort", NKT_DBFUNDTYPE_UnsignedWord, 0, 2, IN }, 14 | } 15 | }, 16 | { "SLAcquireGenuineTicket",5, 17 | { 18 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 19 | {0, "ppTicketBlob", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, INOUT }, 20 | {1, "pcbTicketBlob", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, INOUT }, 21 | {2, "pwszTemplateId", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 22 | {3, "pwszServerUrl", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 23 | {4, "pwszClientToken", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 24 | } 25 | }, 26 | { "SLGetServerStatus",5, 27 | { 28 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 29 | {0, "pwszServerURL", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 30 | {1, "pwszAcquisitionType", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 31 | {2, "pwszProxyServer", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 32 | {3, "wProxyPort", NKT_DBFUNDTYPE_UnsignedWord, 0, 2, IN }, 33 | {4, "phrStatus", NKT_DBFUNDTYPE_SignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 34 | } 35 | }, 36 | { "SLGetReferralInformation",5, 37 | { 38 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 39 | {0, "hSLC", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 40 | {1, "eReferralType", NKT_DBOBJCLASS_Enumeration, "SLREFERRALTYPE", 32, IN }, 41 | {2, "pSkuOrAppId", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_GUID", 128, IN }, 42 | {3, "pwszValueName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 43 | {4, "ppwszValue", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_PointerPointer, 0, 2, IN }, 44 | } 45 | }, 46 | }; 47 | 48 | int slcextarraySize = (sizeof(slcext_info) / sizeof(slcext_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/slwga.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t slwga_info[] = { 4 | { "SLIsGenuineLocal",3, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "pAppId", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_GUID", 128, IN }, 8 | {1, "pGenuineState", NKT_DBOBJCLASS_Enumeration | NKT_DBOBJCLASS_Pointer, "_SL_GENUINE_STATE", 32, INOUT }, 9 | {2, "pUIOptions", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_tagSL_NONGENUINE_UI_OPTIONS", 96, INOUT }, 10 | } 11 | }, 12 | }; 13 | 14 | int slwgaarraySize = (sizeof(slwga_info) / sizeof(slwga_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/structuredquery.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t structuredquery_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "DllGetClassObject",3, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 13 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 14 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 15 | } 16 | }, 17 | { "DllCanUnloadNow",0, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 20 | } 21 | }, 22 | { "DllUnregisterServer",0, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 25 | } 26 | }, 27 | }; 28 | 29 | int structuredqueryarraySize = (sizeof(structuredquery_info) / sizeof(structuredquery_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/taskschd.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t taskschd_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "DllGetClassObject",3, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 13 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 14 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 15 | } 16 | }, 17 | { "DllCanUnloadNow",0, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 20 | } 21 | }, 22 | { "DllUnregisterServer",0, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 25 | } 26 | }, 27 | }; 28 | 29 | int taskschdarraySize = (sizeof(taskschd_info) / sizeof(taskschd_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/tbs.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t tbs_info[] = { 4 | { "Tbsip_Cancel_Commands",1, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 7 | {0, "hContext", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 8 | } 9 | }, 10 | { "Tbsip_Submit_Command",7, 11 | { 12 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 13 | {0, "hContext", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 14 | {1, "Locality", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 15 | {2, "Priority", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 16 | {3, "pabCommand", NKT_DBFUNDTYPE_UnsignedByte | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 17 | {4, "cbCommand", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 18 | {5, "pabResult", NKT_DBFUNDTYPE_UnsignedByte | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 19 | {6, "pcbResult", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 20 | } 21 | }, 22 | { "Tbsip_Context_Close",1, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 25 | {0, "hContext", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 26 | } 27 | }, 28 | { "Tbsi_Get_TCG_Log",3, 29 | { 30 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 31 | {0, "hContext", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 32 | {1, "pOutputBuf", NKT_DBFUNDTYPE_UnsignedByte | NKT_DBOBJCLASS_Pointer, 0, 1, INOUT }, 33 | {2, "pOutputBufLen", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, INOUT }, 34 | } 35 | }, 36 | { "Tbsi_Physical_Presence_Command",5, 37 | { 38 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 39 | {0, "hContext", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 40 | {1, "pabInput", NKT_DBFUNDTYPE_UnsignedByte | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 41 | {2, "cbInput", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 42 | {3, "pabOutput", NKT_DBFUNDTYPE_UnsignedByte | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 43 | {4, "pcbOutput", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 44 | } 45 | }, 46 | { "Tbsi_Context_Create",2, 47 | { 48 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 49 | {0, "pContextParams", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "tdTBS_CONTEXT_PARAMS", 32, IN }, 50 | {1, "phContext", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, INOUT }, 51 | } 52 | }, 53 | }; 54 | 55 | int tbsarraySize = (sizeof(tbs_info) / sizeof(tbs_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/vssapi.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t vssapi_info[] = { 4 | { "DllGetClassObject",3, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 8 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 9 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 10 | } 11 | }, 12 | { "DllCanUnloadNow",0, 13 | { 14 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 15 | } 16 | }, 17 | }; 18 | 19 | int vssapiarraySize = (sizeof(vssapi_info) / sizeof(vssapi_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/winhttp.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t winhttp_info[] = { 4 | { "DllGetClassObject",3, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 8 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 9 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 10 | } 11 | }, 12 | { "DllCanUnloadNow",0, 13 | { 14 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 15 | } 16 | }, 17 | }; 18 | 19 | int winhttparraySize = (sizeof(winhttp_info) / sizeof(winhttp_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/winsatapi.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t winsatapi_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "DllGetClassObject",3, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 13 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 14 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 15 | } 16 | }, 17 | { "DllCanUnloadNow",0, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 20 | } 21 | }, 22 | { "DllUnregisterServer",0, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 25 | } 26 | }, 27 | }; 28 | 29 | int winsatapiarraySize = (sizeof(winsatapi_info) / sizeof(winsatapi_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/wlanui.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t wlanui_info[] = { 4 | { "WlanUIEditProfile",7, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 7 | {0, "dwClientVersion", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 8 | {1, "wstrProfileName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 9 | {2, "pInterfaceGuid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "_GUID", 128, IN }, 10 | {3, "hWnd", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 11 | {4, "wlStartPage", NKT_DBOBJCLASS_Enumeration, "_WL_DISPLAY_PAGES", 32, IN }, 12 | {5, "pReserved", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 13 | {6, "pWlanReasonCode", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, INOUT }, 14 | } 15 | }, 16 | { "DllGetClassObject",3, 17 | { 18 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 19 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 20 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 21 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 22 | } 23 | }, 24 | }; 25 | 26 | int wlanuiarraySize = (sizeof(wlanui_info) / sizeof(wlanui_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/wmdrmsdk.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t wmdrmsdk_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "WMDRMCreateProvider",1, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "ppDRMProvider", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IWMDRMProvider", 32, IN }, 13 | } 14 | }, 15 | { "DllGetClassObject",3, 16 | { 17 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 18 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 19 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 20 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 21 | } 22 | }, 23 | { "WMDRMShutdown",0, 24 | { 25 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 26 | } 27 | }, 28 | { "WMDRMStartup",0, 29 | { 30 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 31 | } 32 | }, 33 | { "DllCanUnloadNow",0, 34 | { 35 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 36 | } 37 | }, 38 | { "DllUnregisterServer",0, 39 | { 40 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 41 | } 42 | }, 43 | }; 44 | 45 | int wmdrmsdkarraySize = (sizeof(wmdrmsdk_info) / sizeof(wmdrmsdk_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/wmiutils.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t wmiutils_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "DllGetClassObject",3, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "rclsid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 13 | {1, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 14 | {2, "ppv", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 15 | } 16 | }, 17 | { "DllCanUnloadNow",0, 18 | { 19 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 20 | } 21 | }, 22 | { "DllUnregisterServer",0, 23 | { 24 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 25 | } 26 | }, 27 | }; 28 | 29 | int wmiutilsarraySize = (sizeof(wmiutils_info) / sizeof(wmiutils_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/wmvcore.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t wmvcore_info[] = { 4 | { "DllRegisterServer",0, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | } 8 | }, 9 | { "WMCreateBackupRestorer",2, 10 | { 11 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 12 | {0, "pCallback", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IUnknown", 32, IN }, 13 | {1, "ppBackup", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IWMLicenseBackup", 32, IN }, 14 | } 15 | }, 16 | { "WMCreateReader",3, 17 | { 18 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 19 | {0, "pUnkCert", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IUnknown", 32, IN }, 20 | {1, "dwRights", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 21 | {2, "ppReader", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IWMReader", 32, IN }, 22 | } 23 | }, 24 | { "WMCreateWriterPushSink",1, 25 | { 26 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 27 | {0, "ppSink", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IWMWriterPushSink", 32, IN }, 28 | } 29 | }, 30 | { "WMIsContentProtected",2, 31 | { 32 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 33 | {0, "pwszFileName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 34 | {1, "pfIsProtected", NKT_DBFUNDTYPE_SignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 35 | } 36 | }, 37 | { "WMCreateWriter",2, 38 | { 39 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 40 | {0, "pUnkCert", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IUnknown", 32, IN }, 41 | {1, "ppWriter", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IWMWriter", 32, IN }, 42 | } 43 | }, 44 | { "WMCreateEditor",1, 45 | { 46 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 47 | {0, "ppEditor", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IWMMetadataEditor", 32, IN }, 48 | } 49 | }, 50 | { "WMCreateIndexer",1, 51 | { 52 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 53 | {0, "ppIndexer", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IWMIndexer", 32, IN }, 54 | } 55 | }, 56 | { "WMCreateWriterFileSink",1, 57 | { 58 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 59 | {0, "ppSink", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IWMWriterFileSink", 32, IN }, 60 | } 61 | }, 62 | { "WMCreateProfileManager",1, 63 | { 64 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 65 | {0, "ppProfileManager", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IWMProfileManager", 32, IN }, 66 | } 67 | }, 68 | { "WMCreateWriterNetworkSink",1, 69 | { 70 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 71 | {0, "ppSink", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IWMWriterNetworkSink", 32, IN }, 72 | } 73 | }, 74 | { "WMCreateSyncReader",3, 75 | { 76 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 77 | {0, "pUnkCert", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IUnknown", 32, IN }, 78 | {1, "dwRights", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 79 | {2, "ppSyncReader", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IWMSyncReader", 32, IN }, 80 | } 81 | }, 82 | }; 83 | 84 | int wmvcorearraySize = (sizeof(wmvcore_info) / sizeof(wmvcore_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/wscapi.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t wscapi_info[] = { 4 | { "WscUnRegisterChanges",1, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "hRegistrationHandle", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 8 | } 9 | }, 10 | { "WscRegisterForChanges",4, 11 | { 12 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 13 | {0, "Reserved", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 14 | {1, "phCallbackRegistration", NKT_DBFUNDTYPE_UnsignedDoubleWord | NKT_DBOBJCLASS_Pointer, 0, 4, IN }, 15 | {2, "lpCallbackAddress", NKT_DBOBJCLASS_Typedef, 0, 0, IN }, 16 | {3, "pContext", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 17 | } 18 | }, 19 | { "WscGetSecurityProviderHealth",2, 20 | { 21 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 22 | {0, "Providers", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 23 | {1, "pHealth", NKT_DBOBJCLASS_Enumeration | NKT_DBOBJCLASS_Pointer, "_WSC_SECURITY_PROVIDER_HEALTH", 32, IN }, 24 | } 25 | }, 26 | }; 27 | 28 | int wscapiarraySize = (sizeof(wscapi_info) / sizeof(wscapi_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/xmllite.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t xmllite_info[] = { 4 | { "CreateXmlWriterOutputWithEncodingName",4, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "pOutputStream", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IUnknown", 32, IN }, 8 | {1, "pMalloc", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMalloc", 32, IN }, 9 | {2, "pwszEncodingName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 10 | {3, "ppOutput", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IUnknown", 32, IN }, 11 | } 12 | }, 13 | { "CreateXmlReader",3, 14 | { 15 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 16 | {0, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 17 | {1, "ppvObject", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 18 | {2, "pMalloc", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMalloc", 32, IN }, 19 | } 20 | }, 21 | { "CreateXmlReaderInputWithEncodingCodePage",6, 22 | { 23 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 24 | {0, "pInputStream", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IUnknown", 32, IN }, 25 | {1, "pMalloc", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMalloc", 32, IN }, 26 | {2, "nEncodingCodePage", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 27 | {3, "fEncodingHint", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 28 | {4, "pwszBaseUri", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 29 | {5, "ppInput", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IUnknown", 32, IN }, 30 | } 31 | }, 32 | { "CreateXmlWriterOutputWithEncodingCodePage",4, 33 | { 34 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 35 | {0, "pOutputStream", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IUnknown", 32, IN }, 36 | {1, "pMalloc", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMalloc", 32, IN }, 37 | {2, "nEncodingCodePage", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 38 | {3, "ppOutput", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IUnknown", 32, IN }, 39 | } 40 | }, 41 | { "CreateXmlReaderInputWithEncodingName",6, 42 | { 43 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 44 | {0, "pInputStream", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IUnknown", 32, IN }, 45 | {1, "pMalloc", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMalloc", 32, IN }, 46 | {2, "pwszEncodingName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 47 | {3, "fEncodingHint", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, IN }, 48 | {4, "pwszBaseUri", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 49 | {5, "ppInput", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IUnknown", 32, IN }, 50 | } 51 | }, 52 | { "CreateXmlWriter",3, 53 | { 54 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 55 | {0, "riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 56 | {1, "ppvObject", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 57 | {2, "pMalloc", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Pointer, "IMalloc", 32, IN }, 58 | } 59 | }, 60 | }; 61 | 62 | int xmllitearraySize = (sizeof(xmllite_info) / sizeof(xmllite_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/xoleHlp.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t xoleHlp_info[] = { 4 | { "DtcGetTransactionManagerExA",6, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "i_pszHost", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 8 | {1, "i_pszTmName", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 9 | {2, "i_riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 10 | {3, "i_grfOptions", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 11 | {4, "i_pvConfigParams", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 12 | {5, "o_ppvObject", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 13 | } 14 | }, 15 | { "DtcGetTransactionManagerExW",6, 16 | { 17 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 18 | {0, "i_pwszHost", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 19 | {1, "i_pwszTmName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 20 | {2, "i_riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 21 | {3, "i_grfOptions", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 22 | {4, "i_pvConfigParams", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 23 | {5, "o_ppvObject", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 24 | } 25 | }, 26 | { "GetDtcLocaleResourceHandle",0, 27 | { 28 | {-1, "Return value", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, INOUT }, 29 | } 30 | }, 31 | { "DtcGetTransactionManagerC",7, 32 | { 33 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 34 | {0, "i_pszHost", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 35 | {1, "i_pszTmName", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 36 | {2, "i_riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 37 | {3, "i_dwReserved1", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 38 | {4, "i_wcbReserved2", NKT_DBFUNDTYPE_UnsignedWord, 0, 2, IN }, 39 | {5, "i_pvReserved2", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 40 | {6, "o_ppvObject", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 41 | } 42 | }, 43 | { "DtcGetTransactionManager",7, 44 | { 45 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 46 | {0, "i_pszHost", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 47 | {1, "i_pszTmName", NKT_DBFUNDTYPE_AnsiChar | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 48 | {2, "i_riid", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_Reference, "_GUID", 128, IN }, 49 | {3, "i_dwReserved1", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 50 | {4, "i_wcbReserved2", NKT_DBFUNDTYPE_UnsignedWord, 0, 2, IN }, 51 | {5, "i_pvReserved2", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_Pointer, 0, 0, IN }, 52 | {6, "o_ppvObject", NKT_DBFUNDTYPE_Void | NKT_DBOBJCLASS_PointerPointer, 0, 0, IN }, 53 | } 54 | }, 55 | }; 56 | 57 | int xoleHlparraySize = (sizeof(xoleHlp_info) / sizeof(xoleHlp_info[0])); -------------------------------------------------------------------------------- /Code/DllPrototypes/xpsprint.cpp: -------------------------------------------------------------------------------- 1 | #include "../Pyrebox_libcalls.h" 2 | 3 | libcall_info_t xpsprint_info[] = { 4 | { "StartXpsPrintJob",10, 5 | { 6 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 7 | {0, "printerName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 8 | {1, "jobName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 9 | {2, "outputFileName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 10 | {3, "progressEvent", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 11 | {4, "completionEvent", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 12 | {5, "printablePagesOn", NKT_DBFUNDTYPE_UnsignedByte | NKT_DBOBJCLASS_Pointer, 0, 1, IN }, 13 | {6, "printablePagesOnCount", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 14 | {7, "xpsPrintJob", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IXpsPrintJob", 32, IN }, 15 | {8, "documentStream", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IXpsPrintJobStream", 32, IN }, 16 | {9, "printTicketStream", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IXpsPrintJobStream", 32, IN }, 17 | } 18 | }, 19 | { "StartXpsPrintJob1",7, 20 | { 21 | {-1, "Return value", NKT_DBFUNDTYPE_SignedDoubleWord, 0, 4, INOUT }, 22 | {0, "printerName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 23 | {1, "jobName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 24 | {2, "outputFileName", NKT_DBFUNDTYPE_WideChar | NKT_DBOBJCLASS_Pointer, 0, 2, IN }, 25 | {3, "progressEvent", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 26 | {4, "completionEvent", NKT_DBFUNDTYPE_UnsignedDoubleWord, 0, 4, IN }, 27 | {5, "xpsPrintJob", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IXpsPrintJob", 32, IN }, 28 | {6, "printContentReceiver", NKT_DBOBJCLASS_Struct | NKT_DBOBJCLASS_PointerPointer, "IXpsOMPackageTarget", 32, IN }, 29 | } 30 | }, 31 | }; 32 | 33 | int xpsprintarraySize = (sizeof(xpsprint_info) / sizeof(xpsprint_info[0])); -------------------------------------------------------------------------------- /Code/Drltrace_libcalls.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include "tls.h" 5 | 6 | class Drltrace_libcalls { 7 | 8 | public: 9 | static void parse_config(); 10 | static bool findRtn(const char* rtn_name, hash_map>::iterator &it); 11 | 12 | static void print_arg_drltrace(drsys_arg_t *arg, bluepill_tls* tdata, uint api_count); 13 | static void print_args_known_drltrace(bluepill_tls* tdata, ADDRINT* args, apicall_t *exeApi, std::vector args_info); 14 | 15 | static void clearMapOfArgs(); 16 | 17 | }; -------------------------------------------------------------------------------- /Code/DumpHandler.cpp: -------------------------------------------------------------------------------- 1 | #include "DumpHandler.h" 2 | 3 | 4 | 5 | DumpHandler::DumpHandler(void) 6 | { 7 | } 8 | 9 | 10 | DumpHandler::~DumpHandler(void) 11 | { 12 | } 13 | 14 | 15 | BOOL DumpHandler::existFile (string name) { 16 | if (FILE *file = fopen(name.c_str(), "r")) { 17 | fclose(file); 18 | return true; 19 | } else { 20 | return false; 21 | } 22 | } 23 | 24 | /** 25 | Lauch external tool ScyllaDumper to dump the process with PID pid 26 | scylla: string containing the path to the scyllaDumper executable 27 | pid: pid of the process to dump (Current PID if you want to use the Pin Instrumented Binary) 28 | curEip: current eip 29 | outputFile: path to the dump file 30 | **/ 31 | BOOL DumpHandler::launchScyllaDumpAndFix(string scylla,int pid, int curEip,string outputFile){ 32 | 33 | 34 | MYINFO("CURR EIP %x",curEip); 35 | //Creating the string containing the arguments to pass to the ScyllaTest.exe 36 | std::stringstream scyllaArgsStream; 37 | scyllaArgsStream << scylla << " "; 38 | scyllaArgsStream << pid << " "; 39 | scyllaArgsStream << std::hex << curEip << " "; 40 | scyllaArgsStream << outputFile << " "; 41 | string scyllaArgs = scyllaArgsStream.str(); 42 | 43 | //sprintf(scyllaArgs,"%s %d %x %s",scylla,pid,curEip,outputFile); //argv[0] is the name of the program 44 | MYINFO("Scylla cmd %s %s",scylla.c_str(),scyllaArgs.c_str()); 45 | 46 | //Running external Scyllatest.exe executable 47 | W::STARTUPINFO si ={0}; 48 | W::PROCESS_INFORMATION pi ={0}; 49 | 50 | si.cb=sizeof(si); 51 | 52 | if(!W::CreateProcess(scylla.c_str(),(char *)scyllaArgs.c_str(),NULL,NULL,FALSE,0,NULL,NULL,&si,&pi)){ 53 | MYERRORE("(INITFUNCTIONCALL)Can't launch Scylla"); 54 | return false; 55 | } 56 | W::WaitForSingleObject(pi.hProcess,INFINITE); 57 | W::CloseHandle(pi.hProcess); 58 | W::CloseHandle(pi.hThread); 59 | 60 | if(!existFile(outputFile)){ 61 | MYERRORE("Scylla Can't dump the process"); 62 | return false; 63 | } 64 | MYINFO("Scylla Finished"); 65 | return true; 66 | } -------------------------------------------------------------------------------- /Code/DumpHandler.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include "ProcInfo.h" 4 | #include 5 | namespace W{ 6 | #include "windows.h" 7 | #include 8 | #include 9 | } 10 | 11 | class DumpHandler 12 | { 13 | public: 14 | DumpHandler(void); 15 | ~DumpHandler(void); 16 | static BOOL launchScyllaDumpAndFix(string scylla,int pid, int curEip,string dumpFileName); 17 | static BOOL launchScyllaAddSection(string scylla, string dumped_file ); 18 | private: 19 | static BOOL existFile (string name); 20 | 21 | }; 22 | 23 | -------------------------------------------------------------------------------- /Code/EntropyHeuristic.cpp: -------------------------------------------------------------------------------- 1 | #include "EntropyHeuristic.h" 2 | 3 | #define ENTROPY_THRESHOLD 0.2f 4 | 5 | int EntropyHeuristic::run(){ 6 | ProcInfo *proc_info = ProcInfo::getInstance(); 7 | float entropy_value = proc_info->GetEntropy(); 8 | float initial_entropy = proc_info->getInitialEntropy(); 9 | float difference = std::abs(entropy_value - initial_entropy)/initial_entropy; 10 | 11 | LOG_INFO("INITIAL ENTROPY IS %f" , initial_entropy); 12 | LOG_INFO("CURRENT ENTROPY IS %f" , entropy_value); 13 | LOG_INFO("ENTROPY DIFFERERNCE IS %f" , difference); 14 | 15 | bool result = (difference > ENTROPY_THRESHOLD); 16 | 17 | /* TODO: as of now Pin would need an ad-hoc internal exception handler */ 18 | //try{ 19 | ReportDump& report_dump = Report::getInstance()->getCurrentDump(); 20 | ReportObject* entropy_heur = new ReportEntropy(result,entropy_value,difference); 21 | report_dump.addHeuristic(entropy_heur); 22 | //}catch (const std::out_of_range&){ 23 | // LOG_ERROR("Problem creating ReportEntropy report"); 24 | //} 25 | 26 | if (result){ 27 | return OepFinder::FOUND_OEP; 28 | } 29 | else return OepFinder::HEURISTIC_FAIL; 30 | } 31 | 32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /Code/EntropyHeuristic.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "Heuristics.h" 3 | #include "ReportEntropy.h" 4 | 5 | 6 | class EntropyHeuristic 7 | { 8 | public: 9 | int run(); 10 | }; 11 | -------------------------------------------------------------------------------- /Code/ExceptionHandler.cpp: -------------------------------------------------------------------------------- 1 | #include "ExceptionHandler.h" 2 | 3 | ExceptionHandler::ExceptionHandler() { 4 | 5 | this->pending = FALSE; 6 | 7 | } 8 | 9 | 10 | //singleton 11 | ExceptionHandler* ExceptionHandler::instance = nullptr; 12 | 13 | ExceptionHandler* ExceptionHandler::getInstance() { 14 | 15 | if (instance == nullptr) 16 | instance = new ExceptionHandler(); 17 | 18 | return instance; 19 | 20 | } 21 | 22 | void ExceptionHandler::setExceptionToExecute(W::UINT32 exceptionCode) { 23 | 24 | this->pending = TRUE; 25 | this->code = exceptionCode; 26 | 27 | } 28 | 29 | bool ExceptionHandler::isPendingException() { 30 | 31 | return this->pending; 32 | 33 | } 34 | 35 | void ExceptionHandler::raisePendingException(CONTEXT *ctx, THREADID tid, ADDRINT accessAddr) { 36 | 37 | EXCEPTION_INFO exc; 38 | // we are interested only in a Windows environment 39 | PIN_InitWindowsExceptionInfo(&exc, this->code, accessAddr); 40 | PIN_SetContextReg(ctx, REG_INST_PTR, PIN_GetContextReg(ctx, REG_INST_PTR) + 0x1); // add 0x1 to get the right address 41 | this->pending = FALSE; 42 | PIN_RaiseException(ctx, tid, &exc); 43 | 44 | } 45 | 46 | void ExceptionHandler::executeExceptionIns(CONTEXT *ctx, THREADID tid, ADDRINT accessAddr) { 47 | 48 | ExceptionHandler *eh = ExceptionHandler::getInstance(); 49 | eh->raisePendingException(ctx, tid, accessAddr); 50 | 51 | } 52 | 53 | void ExceptionHandler::setCode(W::UINT32 exceptionCode) { 54 | 55 | this->code = exceptionCode; 56 | 57 | } -------------------------------------------------------------------------------- /Code/ExceptionHandler.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "pin.H" 4 | #include 5 | 6 | namespace W { 7 | #include "windows.h" 8 | } 9 | 10 | class ExceptionHandler { 11 | 12 | public: 13 | static ExceptionHandler* getInstance(); 14 | static void executeExceptionIns(CONTEXT *ctx, THREADID tid, ADDRINT accessAddr); 15 | void setExceptionToExecute(W::UINT32 exceptionCode); 16 | void raisePendingException(CONTEXT *ctx, THREADID tid, ADDRINT accessAddr); 17 | bool isPendingException(); 18 | void setCode(W::UINT32 exceptionCode); 19 | 20 | ADDRINT lastAddress; 21 | W::UINT32 code; 22 | bool pending; 23 | THREADID tid; 24 | CONTEXT *ctx; 25 | 26 | private: 27 | ExceptionHandler(); 28 | 29 | static ExceptionHandler* instance; 30 | 31 | }; 32 | -------------------------------------------------------------------------------- /Code/FakeReadHandler.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include "pin.H" 4 | #include "ProcInfo.h" 5 | #include "FilterHandler.h" 6 | 7 | #define TICK_MULTIPLIER_OFFSET 0x4 8 | #define TICK_MULTIPLIER_SIZE 0x3 9 | #define LOW_PART_INTERRUPT_TIME_OFFSET 0x8 10 | #define HIGH_1_INTERRUPT_TIME_OFFSET 0xc 11 | #define HIGH_2_INTERRUPT_TIME_OFFSET 0x10 12 | #define LOW_PART_SYSTEM_TIME_OFFSET 0x14 13 | #define HIGH_1_SYSTEM_TIME_OFFSET 0x18 14 | #define HIGH_2_SYSTEM_TIME_OFFSET 0x1c 15 | 16 | //string containing the current faked memory NB need to static because it need to survive and been accessible in the HandleRead callback inside PINshield 17 | static string curFakeMemory; 18 | //ntdll map associate the name of the function to hook with the patch value 19 | //<"KiUserApcDispatcher","\x8b.."> 20 | static std::map ntdllHooksNamesPatch; 21 | //ntdll map populated at runtime resoving the name of the Function with its address 22 | //<0x77dff2ac,"\x8b.."> 23 | static std::map ntdllHooksAddrPatch; 24 | 25 | typedef struct _MODULEINFO { 26 | W::LPVOID lpBaseOfDll; 27 | W::DWORD SizeOfImage; 28 | W::LPVOID EntryPoint; 29 | } MODULEINFO, *LPMODULEINFO; 30 | 31 | typedef W::DWORD (WINAPI *MyEnumProcessModules)(W::HANDLE hProcess, W::HMODULE *lphModule, W::DWORD cb, W::LPDWORD lpcbNeeded); 32 | typedef W::DWORD (WINAPI *MyGetModuleInformation)(W::HANDLE hProcess, W::HMODULE HModule, LPMODULEINFO module_info, W::DWORD cb); 33 | 34 | /*function that returns the ADDRINT for the fake memory content for the given curAddr address 35 | curAddr: current address that is queried 36 | startAddr: start address of the FakeMemoryItem that contains the curAddr (used to take care of offsets inside the FakeMemoryItem range) 37 | return: the address of the faked memory 38 | */ 39 | typedef ADDRINT (*fakeMemoryFunction)(ADDRINT curAddr, ADDRINT startAddr); 40 | 41 | typedef struct FakeMemoryItem{ 42 | ADDRINT StartAddress; 43 | ADDRINT EndAddress; 44 | fakeMemoryFunction func; 45 | } FakeMemoryItem; 46 | 47 | 48 | class FakeReadHandler 49 | { 50 | private: 51 | //list of memory addresses that need to be faked 52 | std::vector fakeMemory; 53 | ProcInfo *pInfo; 54 | // fakeMemoryFunction to handle ntdll inspection 55 | static ADDRINT ntdllFuncPatch(ADDRINT curReadAddr, ADDRINT ntdllFuncAddr); 56 | static ADDRINT TickMultiplierPatch(ADDRINT curReadAddr, ADDRINT addr); 57 | static ADDRINT InterruptTimePatch(ADDRINT curReadAddr, ADDRINT addr); 58 | static ADDRINT SystemTimePatch(ADDRINT curReadAddr, ADDRINT addr); 59 | //attributes for the load library psapi 60 | MyEnumProcessModules enumProcessModules; 61 | MyGetModuleInformation getModuleInformation; 62 | W::HINSTANCE hPsapi; 63 | 64 | public: 65 | FakeReadHandler(); 66 | VOID initFakeMemory(); 67 | static BOOL isAddrInWhiteList(ADDRINT address); 68 | BOOL checkInCurrentDlls(ADDRINT address_to_check); // DCD code using it is commented 69 | ADDRINT getFakeMemory(ADDRINT address, ADDRINT eip); 70 | }; -------------------------------------------------------------------------------- /Code/FakeWriteHandler.cpp: -------------------------------------------------------------------------------- 1 | #include "FakeWriteHandler.h" 2 | 3 | 4 | FakeWriteHandler::FakeWriteHandler(void) 5 | { 6 | pInfo = ProcInfo::getInstance(); 7 | } 8 | 9 | //hijack the write operation 10 | ADDRINT FakeWriteHandler::getFakeWriteAddress(ADDRINT cur_addr){ 11 | if(pInfo->isInsideProtectedSection(cur_addr)){ 12 | LOG_INFO("Suspicious Write at %08x",cur_addr); 13 | fakeWriteAddress = (ADDRINT)malloc(MAX_WRITE_SIZE*sizeof(char)); 14 | return fakeWriteAddress; 15 | } 16 | return cur_addr; 17 | } -------------------------------------------------------------------------------- /Code/FakeWriteHandler.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ProcInfo.h" 3 | 4 | #define MAX_WRITE_SIZE 16 5 | static ADDRINT fakeWriteAddress; 6 | 7 | class FakeWriteHandler 8 | { 9 | public: 10 | FakeWriteHandler(void); 11 | ADDRINT getFakeWriteAddress(ADDRINT cur_addr); 12 | 13 | private: 14 | ProcInfo *pInfo; 15 | }; 16 | 17 | -------------------------------------------------------------------------------- /Code/GdbDebugger.cpp: -------------------------------------------------------------------------------- 1 | #include "GdbDebugger.h" 2 | 3 | #include "pin.H" 4 | #include 5 | #include 6 | 7 | #define BUFSIZE 10000 8 | 9 | #define GDB_PATH "C:\\MinGW\\bin\\gdb.exe" 10 | 11 | GdbDebugger* GdbDebugger::instance = 0; 12 | 13 | //singleton 14 | GdbDebugger* GdbDebugger::getInstance() 15 | { 16 | if (instance == 0) 17 | instance = new GdbDebugger(); 18 | return instance; 19 | } 20 | 21 | GdbDebugger::GdbDebugger(void) 22 | { 23 | OS_RETURN_CODE ret = OS_Pipe(OS_PIPE_CREATE_FLAGS_READ_SIDE_INHERITABLE, 24 | &g_hChildStd_IN_Rd, &g_hChildStd_IN_Wr); 25 | if (ret.generic_err != OS_RETURN_CODE_NO_ERROR) 26 | ErrorExit("OS_Pipe", ret.os_specific_err); 27 | CreateChildProcess(); 28 | ReadFromPipe(); 29 | } 30 | 31 | 32 | GdbDebugger::~GdbDebugger(void) 33 | { 34 | } 35 | 36 | // ----------------------------- SETTER ----------------------------- // 37 | 38 | void GdbDebugger::connectRemote(int port) 39 | { 40 | std::stringstream cmd; 41 | cmd << "target remote :" << port; 42 | this->executeCmd((char *)cmd.str().c_str()); 43 | } 44 | 45 | 46 | // ----------------------------- UTILS ----------------------------- // 47 | 48 | 49 | void GdbDebugger::CreateChildProcess() 50 | // Create a child process that uses the previously created pipes for STDIN and STDOUT. 51 | { 52 | OS_RETURN_CODE ret; 53 | 54 | char szCmdLine[] = GDB_PATH; 55 | NATIVE_FD stdFiles[3]; 56 | OS_FindStdFiles(stdFiles); 57 | stdFiles[0] = g_hChildStd_IN_Rd; 58 | 59 | NATIVE_PID curPid; 60 | USIZE envBlockSize; 61 | char** envBlock; 62 | OS_GetPid(&curPid); 63 | OS_GetEnvironmentBlock(curPid, &envBlock, &envBlockSize); 64 | // TODO how can we specify CREATE_NEW_CONSOLE for Pin? 65 | ret = OS_CreateProcess(szCmdLine, stdFiles, NULL, envBlock, &waitProc); 66 | if (ret.generic_err != OS_RETURN_CODE_NO_ERROR) 67 | ErrorExit("OS_CreateProcess", ret.os_specific_err); 68 | } 69 | 70 | // Read from a file and write its contents to the pipe for the child's STDIN. 71 | // Stop when there is no more data. 72 | void GdbDebugger::WriteToPipe(char* cmd) { 73 | USIZE size = strlen(cmd); 74 | OS_RETURN_CODE ret = OS_WriteFD(g_hChildStd_IN_Wr, cmd, &size); 75 | if (ret.generic_err != OS_RETURN_CODE_NO_ERROR) 76 | ErrorExit("OS_WriteFD", ret.os_specific_err); 77 | } 78 | 79 | 80 | // Read output from the child process's pipe for STDOUT 81 | // and write to the parent process's pipe for STDOUT. 82 | // Stop when there is no more data. 83 | void GdbDebugger::ReadFromPipe(void){ 84 | char chBuf[BUFSIZE]; 85 | USIZE size = sizeof(chBuf); 86 | OS_RETURN_CODE ret = OS_ReadFD(g_hChildStd_OUT_Rd, &size, chBuf); 87 | if (ret.generic_err != OS_RETURN_CODE_NO_ERROR) 88 | ErrorExit("OS_ReadFD", ret.os_specific_err); 89 | /* TODO: code for writing to hParentStdOut is missing */ 90 | } 91 | 92 | void GdbDebugger::ErrorExit(char* error, int code) { 93 | std::cerr << error << std::endl; 94 | PIN_ExitProcess(code); 95 | } 96 | 97 | void GdbDebugger::executeCmd(char* cmd){ 98 | this->WriteToPipe(cmd); 99 | this->ReadFromPipe(); 100 | } -------------------------------------------------------------------------------- /Code/GdbDebugger.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.h" 3 | /*namespace W{ 4 | #define _WIN32_LEAN_AND_MEAN_ 5 | #include "windows.h" 6 | } 7 | */ 8 | 9 | class GdbDebugger 10 | 11 | { 12 | public: 13 | static GdbDebugger* getInstance(); 14 | void executeCmd(char* cmd); 15 | void connectRemote(int port); 16 | 17 | private: 18 | static GdbDebugger* instance; 19 | OS_PROCESS_WAITABLE_PROCESS waitProc; 20 | NATIVE_FD g_hChildStd_IN_Rd; 21 | NATIVE_FD g_hChildStd_IN_Wr; 22 | NATIVE_FD g_hChildStd_OUT_Rd; 23 | NATIVE_FD g_hChildStd_OUT_Wr; 24 | int remote_port; 25 | GdbDebugger(void); 26 | ~GdbDebugger(void); 27 | void CreateChildProcess(); 28 | void ReadFromPipe(void); 29 | void WriteToPipe(char* cmd); 30 | void ErrorExit(char* error, int code); 31 | }; 32 | 33 | -------------------------------------------------------------------------------- /Code/HeapModule.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include "Helper.h" 4 | #include 5 | #include "ProcInfo.h" 6 | #include "ScyllaWrapperInterface.h" 7 | #include "OepFinder.h" 8 | 9 | namespace W{ 10 | #include "windows.h" 11 | } 12 | 13 | class HeapModule 14 | { 15 | public: 16 | //singleton instance 17 | static HeapModule* getInstance(); 18 | UINT32 checkHeapWxorX(WriteInterval* item, ADDRINT curEip, int dumpAndFixResult); 19 | VOID saveHeapZones(std::vector &hzs, std::map &hzs_dumped); 20 | 21 | private: 22 | HeapModule(void); 23 | static HeapModule *instance; 24 | std::string dumpHZ(HeapZone hz, char * data, std::string hz_md5); 25 | std::string linkHZ(std::string heap_bin_path); 26 | void logHZ(std::string heap_link_name, HeapZone hz, std::string hz_md5); 27 | 28 | }; 29 | -------------------------------------------------------------------------------- /Code/Helper.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include 4 | #include 5 | 6 | namespace W { 7 | #include "windows.h" 8 | } 9 | 10 | //CHAR 11 | #define PATH_BUFSIZE 512 12 | #define GET_TO_UPPER(c, buf, bufSize) do { \ 13 | size_t i; \ 14 | for (i = 0; i < bufSize; i++) { \ 15 | (buf)[i] = toupper((c)[i]); \ 16 | if ((c)[i] == '\0') break; \ 17 | } \ 18 | } while (0) 19 | 20 | //T_CHAR 21 | #define GET_LPCSTR_TO_UPPER(c, buf, bufSize) do { \ 22 | size_t i; \ 23 | for (i = 0; i < bufSize; i++) { \ 24 | (buf)[i] = toupper((c)[2*i]); \ 25 | if ((c)[2*i] == '\0') break; \ 26 | } \ 27 | } while (0) 28 | 29 | class Helper 30 | { 31 | public: 32 | Helper(void); 33 | static BOOL existFile (string name); 34 | static std::vector split(const std::string &s, char delim); 35 | static std::string replaceString(std::string str, const std::string &from, const std::string &to); 36 | static bool writeBufferToFile(unsigned char *buffer, UINT32 dwBytesToWrite, std::string path); 37 | 38 | // Suppli 39 | static wchar_t locase_w(wchar_t c); 40 | static int _strcmpi_w(const wchar_t *s1, const wchar_t *s2); 41 | static void toValue(char* value, void* buffer); 42 | static size_t _strlen_a(const char *s); 43 | static std::string getCurDateAndTime(); 44 | }; 45 | 46 | -------------------------------------------------------------------------------- /Code/Heuristics.cpp: -------------------------------------------------------------------------------- 1 | #include "Heuristics.h" 2 | 3 | int Heuristics::longJmpHeuristic(INS ins, ADDRINT prev_ip){ 4 | LongJumpHeuristic heu = LongJumpHeuristic(); 5 | return heu.run(ins, prev_ip); 6 | } 7 | 8 | int Heuristics::entropyHeuristic(){ 9 | EntropyHeuristic heu = EntropyHeuristic(); 10 | return heu.run(); 11 | } 12 | 13 | int Heuristics::jmpOuterSectionHeuristic(INS ins, ADDRINT prev_ip){ 14 | JumpOuterSection heu = JumpOuterSection(); 15 | return heu.run(ins, prev_ip); 16 | } 17 | 18 | int Heuristics::pushadPopadHeuristic(){ 19 | PushadPopadheuristic heu = PushadPopadheuristic(); 20 | return heu.run(); 21 | } 22 | 23 | int Heuristics::yaraHeuristic(vector dumps_to_analyse){ 24 | YaraHeuristic heu = YaraHeuristic(); 25 | return heu.run(dumps_to_analyse); 26 | 27 | } -------------------------------------------------------------------------------- /Code/Heuristics.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include "Debug.h" 4 | #include "Config.h" 5 | #include "OepFinder.h" 6 | #include "LongJumpHeuristic.h" 7 | #include "EntropyHeuristic.h" 8 | #include "JumpOuterSectionHeuristic.h" 9 | #include "WxorXHandler.h" 10 | #include "PushadPopadHeuristic.h" 11 | #include "YaraHeuristic.h" 12 | 13 | 14 | //static class where you have to define all the methods that o some kind of heuristic 15 | class Heuristics 16 | { 17 | public: 18 | static int longJmpHeuristic(INS ins, ADDRINT prev_ip); 19 | static int entropyHeuristic(); 20 | static int jmpOuterSectionHeuristic(INS ins, ADDRINT prev_ip); 21 | static int pushadPopadHeuristic(); 22 | static int yaraHeuristic(std::vector dumps_to_analyse); 23 | 24 | }; 25 | 26 | 27 | -------------------------------------------------------------------------------- /Code/InitFunctionCall.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include "WxorXHandler.h" 4 | namespace W{ 5 | #include "windows.h" 6 | #include 7 | #include 8 | } 9 | 10 | 11 | 12 | 13 | typedef int (*def_ScyllaIatSearch)(ADDRINT dwProcessId, ADDRINT * iatStart, UINT32 * iatSize, ADDRINT searchStart, BOOL advancedSearch); 14 | typedef int (*def_ScyllaIatFixAutoA)(ADDRINT iatAddr, UINT32 iatSize, UINT32 dwProcessId, const char * dumpFile, const char * iatFixFile); 15 | typedef BOOL (*def_ScyllaDumpProcessA)(ADDRINT pid, const char * fileToDump, ADDRINT imagebase, ADDRINT entrypoint, const char * fileResult); 16 | 17 | 18 | 19 | 20 | class InitFunctionCall 21 | { 22 | public: 23 | InitFunctionCall(void); 24 | ~InitFunctionCall(void); 25 | UINT32 run(ADDRINT curEip); 26 | private: 27 | def_ScyllaIatSearch ScyllaIatSearch; 28 | def_ScyllaIatFixAutoA ScyllaIatFixAutoA; 29 | def_ScyllaDumpProcessA ScyllaDumpProcessA; 30 | W::HMODULE hScylla; 31 | BOOL GetFilePathFromPID(UINT32 dwProcessId, char **filename); 32 | ADDRINT GetExeModuleBase(UINT32 dwProcessId); 33 | UINT32 getFileSize(FILE * fp); 34 | void DumpProcess(ADDRINT oep, char *outputFile); 35 | 36 | }; 37 | 38 | -------------------------------------------------------------------------------- /Code/JumpOuterSectionHeuristic.cpp: -------------------------------------------------------------------------------- 1 | #include "JumpOuterSectionHeuristic.h" 2 | #include "ReportJumpOuterSection.h" 3 | 4 | int JumpOuterSection::run(INS ins, ADDRINT prev_ip){ 5 | bool result= false; 6 | if (prev_ip > 0) { 7 | ProcInfo *proc_info = ProcInfo::getInstance(); 8 | //get the current IP 9 | ADDRINT ip = INS_Address(ins); 10 | //get the name of the current section and teh previos section 11 | string sec_current = proc_info->getSectionNameByIp(ip); 12 | string sec_prev = proc_info->getSectionNameByIp(prev_ip); 13 | //if they are different then i have detected a jmp outer section 14 | if (sec_current.compare(sec_prev) && !sec_current.empty() && !sec_prev.empty()){ 15 | result = true; 16 | LOG_WARNING("[JMP OUTER SECTION DETECTED!!] FROM : %s TO : %s", sec_current.c_str(), sec_prev.c_str()); 17 | } 18 | /* TODO: as of now Pin would need an ad-hoc internal exception handler */ 19 | //try{ 20 | ReportDump& report_dump = Report::getInstance()->getCurrentDump(); 21 | ReportObject* long_jmp_heur = new ReportJumpOuterSection(result, sec_prev,sec_current); 22 | report_dump.addHeuristic(long_jmp_heur); 23 | //} 24 | //catch (const std::out_of_range& ){ 25 | // LOG_ERROR("Problem creating ReportJumpOuterSection report"); 26 | //} 27 | } 28 | if(result == true){ 29 | return OepFinder::FOUND_OEP; 30 | }else{ 31 | return OepFinder::HEURISTIC_FAIL; 32 | } 33 | 34 | 35 | } -------------------------------------------------------------------------------- /Code/JumpOuterSectionHeuristic.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "Heuristics.h" 3 | 4 | class JumpOuterSection 5 | 6 | { 7 | public: 8 | int JumpOuterSection::run(INS ins, ADDRINT prev_ip); 9 | }; 10 | 11 | -------------------------------------------------------------------------------- /Code/LibraryHandler.cpp: -------------------------------------------------------------------------------- 1 | #include "LibraryHandler.h" 2 | 3 | 4 | LibraryHandler::LibraryHandler(void) 5 | { 6 | } 7 | 8 | 9 | LibraryHandler::~LibraryHandler(void) 10 | { 11 | } 12 | 13 | //Mock instruction 14 | BOOL LibraryHandler::filterLib(ADDRINT eip){ 15 | if(eip>0x00420000){ 16 | return TRUE; 17 | } 18 | return FALSE; 19 | } 20 | -------------------------------------------------------------------------------- /Code/LibraryHandler.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "pin.h" 4 | #include "Debug.h" 5 | 6 | 7 | /* 8 | This struct will track the library loaded 9 | at program startup 10 | */ 11 | struct LibraryItem{ 12 | ADDRINT StartAddress; 13 | ADDRINT EndAddress; 14 | }; 15 | 16 | class LibraryHandler 17 | { 18 | public: 19 | LibraryHandler(void); 20 | ~LibraryHandler(void); 21 | BOOL filterLib(ADDRINT eip); 22 | private: 23 | std::vector LibrarySet; 24 | 25 | }; 26 | 27 | -------------------------------------------------------------------------------- /Code/Logging.cpp: -------------------------------------------------------------------------------- 1 | #include "Logging.h" 2 | #include "porting.h" 3 | 4 | FILE* Logging::mainLog; 5 | 6 | std::string Logging::strPinPID; 7 | std::string Logging::mainLogName; 8 | std::string Logging::threadLogName; 9 | std::string Logging::logDir; 10 | 11 | void Logging::initLogging(std::string &logDir, std::string mainLogName, std::string threadLogName) { 12 | Logging::mainLogName = mainLogName; 13 | Logging::threadLogName = threadLogName; 14 | Logging::logDir = logDir; 15 | Logging::strPinPID = to_string(W::GetCurrentProcessId()); 16 | 17 | // create main log 18 | std::string mainLogPath = logDir + "//" + mainLogName + "." + strPinPID; 19 | 20 | Logging::mainLog = fopen(mainLogPath.c_str(), "a"); 21 | if (!Logging::mainLog) { 22 | std::cerr << "Cannot open main log file " << mainLogPath 23 | << " - logging will be disabled!" << std::endl; 24 | return; 25 | // TODO shall we quit Pin instead? 26 | } 27 | 28 | #if FORCE_LOG_FLUSH 29 | if (setvbuf(Logging::mainLog, (char *)NULL, _IONBF, 0)) { 30 | std::cerr << "Cannot disable buffering for main log" << std::endl; 31 | PIN_ExitProcess(1); 32 | } 33 | #endif 34 | } 35 | 36 | void Logging::initThreadLog(THREADID tid, bluepill_tls* tdata) { 37 | std::string threadLogPath = Logging::logDir + "//" + Logging::threadLogName 38 | + "." + strPinPID + "." + to_string(tid); 39 | 40 | tdata->threadLogFile = fopen(threadLogPath.c_str(), "a"); 41 | if (!tdata->threadLogFile) { 42 | std::cerr << "Cannot open thread log file " << threadLogPath 43 | << " - logging will be disabled!" << std::endl; 44 | return; 45 | // TODO shall we quit Pin instead? 46 | } 47 | 48 | #if FORCE_LOG_FLUSH 49 | if (setvbuf(tdata->threadLogFile, (char *)NULL, _IONBF, 0)) { 50 | std::cerr << "Cannot disable buffering for thread log" << std::endl; 51 | PIN_ExitProcess(1); 52 | } 53 | #endif 54 | } 55 | 56 | void Logging::shutdownLogging() { 57 | fclose(Logging::mainLog); 58 | } 59 | 60 | void Logging::shutdownThreadLogging(bluepill_tls * tdata) { 61 | fclose(tdata->threadLogFile); 62 | } 63 | 64 | void Logging::logMain(const char* fmt, ...) { 65 | if (!Logging::mainLog) return; // TODO shall we quit Pin instead? 66 | va_list args; 67 | va_start(args, fmt); 68 | vfprintf(Logging::mainLog, fmt, args); 69 | va_end(args); 70 | } 71 | 72 | void Logging::logThread(const char* fmt, ...) { 73 | THREADID tid = PIN_ThreadId(); 74 | if (tid == INVALID_THREADID) { 75 | cerr << "ERROR: logging an evasion in an internal thread?" << std::endl; 76 | return; // TODO shall we quit Pin instead? 77 | } 78 | bluepill_tls *tdata = static_cast(PIN_GetThreadData(tls_key, tid)); 79 | 80 | ASSERT(tdata->threadLogFile != NULL, "No log descriptor for thread"); // TODO disable 81 | va_list args; 82 | va_start(args, fmt); 83 | vfprintf(tdata->threadLogFile, fmt, args); 84 | va_end(args); 85 | } 86 | 87 | void Logging::logThreadTLS(bluepill_tls* tdata, const char* fmt, ...) { 88 | ASSERT(tdata->threadLogFile != NULL, "No log descriptor for thread"); // TODO disable 89 | va_list args; 90 | va_start(args, fmt); 91 | vfprintf(tdata->threadLogFile, fmt, args); 92 | va_end(args); 93 | } 94 | -------------------------------------------------------------------------------- /Code/Logging.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include "pin.H" 4 | #include "tls.h" 5 | 6 | #define INFO_BUILD 1 7 | #define WARN_BUILD 1 8 | #define ERROR_BUILD 1 9 | #define LOG_BUILD 1 10 | 11 | #define __FILENAME__ (strrchr(__FILE__, '/') ? strrchr(__FILE__, '/') + 1 : __FILE__) 12 | 13 | #define LOG_WARNING(fmt, ...) \ 14 | do { \ 15 | if (!WARN_BUILD) break; \ 16 | Logging::logMain("[WARNING](%s) "fmt"\n", __FILENAME__, __VA_ARGS__); \ 17 | } while (0) 18 | 19 | #define LOG_ERROR(fmt, ...) \ 20 | do { \ 21 | if (!ERROR_BUILD) break; \ 22 | Logging::logMain("[ERROR](%s) "fmt"\n", __FILENAME__, __VA_ARGS__); \ 23 | } while (0) 24 | 25 | #define LOG_INFO(fmt, ...) \ 26 | do { \ 27 | if (!INFO_BUILD) break; \ 28 | Logging::logMain("[INFO](%s) "fmt"\n", __FILENAME__, __VA_ARGS__); \ 29 | } while (0) 30 | 31 | #define LOG_PRINT(fmt, ...) \ 32 | do { \ 33 | if (!LOG_BUILD) break; \ 34 | Logging::logMain("(%s) "fmt"\n", __FILENAME__, __VA_ARGS__); \ 35 | } while (0) 36 | 37 | #define LOG_EVASION(fmt, ...) \ 38 | do { \ 39 | if (!LOG_BUILD) break; \ 40 | Logging::logThread(fmt"\n", __VA_ARGS__); \ 41 | } while (0) 42 | 43 | class Logging { 44 | public: 45 | static FILE* mainLog; 46 | static void initLogging(std::string &logDir, std::string mainLogName, std::string threadLogName); 47 | static void initThreadLog(THREADID tid, bluepill_tls* tdata); 48 | 49 | static void shutdownLogging(); 50 | static void shutdownThreadLogging(bluepill_tls* tdata); 51 | 52 | static void logMain(const char* fmt, ...); 53 | static void logThread(const char* fmt, ...); 54 | static void logThreadTLS(bluepill_tls* tdata, const char* fmt, ...); 55 | 56 | private: 57 | static std::string strPinPID; 58 | static std::string mainLogName; 59 | static std::string threadLogName; 60 | static std::string logDir; 61 | }; 62 | 63 | -------------------------------------------------------------------------------- /Code/LongJumpHeuristic.cpp: -------------------------------------------------------------------------------- 1 | #include "LongJumpHeuristic.h" 2 | #include "porting.h" 3 | 4 | //specify the range of the jump when it is considered a long jump or not 5 | #define JMP_THRESHOLD 0x200 6 | 7 | int LongJumpHeuristic::run(INS ins, ADDRINT prev_ip){ 8 | bool result = false; 9 | //filter out the improper values 10 | if (prev_ip > 0) { 11 | // get the current IP 12 | ADDRINT ip = INS_Address(ins); 13 | 14 | // difference between prev_ip and current ip (the target of the jmp instruction) 15 | ADDRINT diff = ABS_ADDR_DIFF(prev_ip, ip); 16 | 17 | // compare diff against JMP_THRESHOLD 18 | if (diff > JMP_THRESHOLD) { 19 | result = true; 20 | LOG_WARNING("[LONG JMP DETECTED!!] FROM : %08x TO : %08x", prev_ip, ip); 21 | } 22 | 23 | //add heuristic result to report 24 | LOG_INFO("Adding Long Jump Heuristic to report"); 25 | /* TODO: as of now Pin would need an ad-hoc internal exception handler */ 26 | //try{ 27 | ReportDump& report_dump = Report::getInstance()->getCurrentDump(); 28 | ReportObject* long_jmp_heur = new ReportLongJump(result,prev_ip, diff); 29 | report_dump.addHeuristic(long_jmp_heur); 30 | //}catch (const std::out_of_range&){ 31 | // LOG_ERROR("Problem creating ReportLongJump report"); 32 | //} 33 | } 34 | 35 | if (result) { 36 | return OepFinder::FOUND_OEP; 37 | } else { 38 | return OepFinder::HEURISTIC_FAIL; 39 | } 40 | 41 | } 42 | -------------------------------------------------------------------------------- /Code/LongJumpHeuristic.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "Heuristics.h" 3 | #include "Report.h" 4 | #include "ReportLongJump.h" 5 | 6 | 7 | class LongJumpHeuristic 8 | { 9 | public: 10 | int run(INS ins, ADDRINT prev_ip); 11 | }; 12 | -------------------------------------------------------------------------------- /Code/MyPinTool.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MyPinTool", "MyPinTool.vcxproj", "{639EF517-FCFC-408E-9500-71F0DC0458DB}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Debug|x64 = Debug|x64 10 | Release|Win32 = Release|Win32 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.Build.0 = Debug|Win32 16 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.ActiveCfg = Debug|x64 17 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.Build.0 = Debug|x64 18 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|Win32.ActiveCfg = Release|Win32 19 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|Win32.Build.0 = Release|Win32 20 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.ActiveCfg = Release|x64 21 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.Build.0 = Release|x64 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /Code/OepFinder.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "pin.H" 4 | #include "WxorXHandler.h" 5 | #include "Debug.h" 6 | #include "Heuristics.h" 7 | #include "FilterHandler.h" 8 | #include "ProcInfo.h" 9 | #include "Config.h" 10 | #include "Report.h" 11 | #include "md5.h" 12 | #include "Helper.h" 13 | namespace W { 14 | #include "windows.h" 15 | } 16 | #include "GdbDebugger.h" 17 | #include "ScyllaWrapperInterface.h" 18 | #include "TimeTracker.h" 19 | #include "HeapModule.h" 20 | 21 | //return value for isCurrentInOEP function 22 | 23 | 24 | class OepFinder 25 | { 26 | 27 | public: 28 | OepFinder(void); 29 | int isCurrentInOEP(INS ins); 30 | 31 | enum OepFinderCode { 32 | SKIPPED_DUMP = -4, 33 | INS_FILTERED = -3, 34 | HEURISTIC_FAIL = -2, 35 | NOT_WXORX_INST = -1, 36 | FOUND_OEP = 0 37 | }; 38 | 39 | private: 40 | //check if the current instruction is a pushad or a popad 41 | //if so then set the proper flags in ProcInfo 42 | void handlePopadAndPushad(INS ins); 43 | VOID skipCurrentDump(WriteInterval* item, ADDRINT currJMPLength, Config* config); 44 | BOOL analysis(WriteInterval* item, INS ins, ADDRINT prev_ip, ADDRINT curEip , int dumpAndFixResult); 45 | void intraWriteSetJMPAnalysis(ADDRINT curEip, ADDRINT prev_ip, INS ins, WriteInterval *item); 46 | WxorXHandler *wxorxHandler; 47 | Report *report; 48 | UINT32 dumpAndFixIAT(ADDRINT curEip, W::DWORD pid, Config* config); 49 | VOID dumpAndCollectHeap(WriteInterval* item, ADDRINT curEip, int dumpAndFixResult); 50 | }; 51 | 52 | -------------------------------------------------------------------------------- /Code/PINdemonium.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fengjixuchui/CodaPinTracer/1aa7b1670cf5d9dc8a6de412f2b006e3f91ceea3/Code/PINdemonium.rc -------------------------------------------------------------------------------- /Code/PINshield.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "Pin.h" 3 | #include "Debug.h" 4 | //#include "Log.h" 5 | #include "FilterHandler.h" 6 | #include "PatternMatchModule.h" 7 | #include "FakeReadHandler.h" 8 | #include "FakeWriteHandler.h" 9 | 10 | namespace W { 11 | #include "windows.h" 12 | } 13 | 14 | class PINshield { 15 | public: 16 | PINshield() {}; 17 | void addInstrumentation(INS ins); 18 | 19 | private: 20 | PatternMatchModule evasionPatcher; 21 | FakeReadHandler fakeReadH; 22 | FakeWriteHandler fakeWriteH; 23 | bool isFakeReadInitialized; 24 | //void ScanForMappedFiles(); 25 | static REG GetScratchReg(UINT32 index); 26 | static ADDRINT handleRead(ADDRINT eip, ADDRINT read_addr, void *fakeReadH); 27 | static ADDRINT handleWrite(ADDRINT eip, ADDRINT write_addr, void *fakeWriteH); 28 | }; 29 | 30 | -------------------------------------------------------------------------------- /Code/PatternMatchModule.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include "pin.H" 6 | 7 | namespace W{ 8 | #include "windows.h" 9 | } 10 | 11 | class PatternMatchModule 12 | { 13 | public: 14 | PatternMatchModule(); 15 | bool patchDispatcher(INS ins, ADDRINT curEip); 16 | 17 | private: 18 | //std::map patchesMap; 19 | std::map indexMap; 20 | AFUNPTR curPatchPointer; 21 | int index; 22 | 23 | enum { 24 | INT2_INDEX, 25 | FSAVE_INDEX, 26 | RDTSC_INDEX, 27 | CPUID_INDEX, 28 | INT2D_INDEX 29 | } PATCH_INDEX; 30 | }; 31 | 32 | -------------------------------------------------------------------------------- /Code/Pin-config.props: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | C:\Pin 6 | C:\WinDDK\7600.16385.1\ 7 | 8 | 9 | <_PropertySheetDisplayName>Local paths 10 | 11 | 12 | 13 | 14 | $(PinFolder) 15 | 16 | 17 | $(WinDDK) 18 | 19 | 20 | -------------------------------------------------------------------------------- /Code/PolymorphicCodeHandlerModule.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | 4 | /** 5 | * This class provides a patch for PIN in order to avoid crashes during the instrumentation of polymorphic code 6 | * 7 | * these crashes happen due to the fact that PIN compiles a wrong trace (the one not modified by the code itself) instead of the correct one the one that has been overwritten by the program itself): 8 | * 1. PIN compile the trace and place it in the code caache 9 | * 2. jump to the code cahce and start executing the trace 10 | * 3. an instruction of the trace modify some of the instructions present in the current trace 11 | * 4. PIN continue the execution of the current trace 12 | * 5. CRASH!!! 13 | * 14 | * This is wrong because the trace has been modified and PIN instead will execute the old instructions which don't have any sense and can cause crashes 15 | * (executon of a priviled instruction like "out") 16 | * 17 | * Our patch works like this: 18 | * 1. PIN compile the trace and place it in the code caache 19 | * 2. jump to the code cahce and start executing the trace 20 | * 3. in the analysis routine check, if the current instruction is a write, if the target address is inside the current trace and mark this address 21 | * 4. in the analysis routine, if the current instructin has the eip marked, then break the trace and force PIN to build a new one starting from the current eip 22 | * 5. continue the execution fropm the new trace 23 | */ 24 | class PolymorphicCodeHandlerModule 25 | { 26 | public: 27 | PolymorphicCodeHandlerModule(); 28 | VOID inspectTrace(TRACE trace); 29 | // --- getter and setter --- // 30 | ADDRINT getTraceHead(); 31 | ADDRINT getTraceTail(); 32 | ADDRINT getFirstWrittenAddressInMesmory(); 33 | VOID setFirstWrittenAddressInMesmory(ADDRINT first_written_address_in_trace); 34 | 35 | private: 36 | ADDRINT trace_head; 37 | ADDRINT trace_tail; 38 | ADDRINT first_written_address_in_trace; 39 | }; 40 | 41 | -------------------------------------------------------------------------------- /Code/ProcessInjectionModule.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include "WxorXHandler.h" 4 | #include "Report.h" 5 | #include "Heuristics.h" 6 | #include "Helper.h" 7 | namespace W{ 8 | #include "windows.h" 9 | } 10 | class ProcessInjectionModule 11 | { 12 | public: 13 | 14 | 15 | //singleton instance 16 | static ProcessInjectionModule* getInstance(); 17 | 18 | VOID AddInjectedWrite(ADDRINT start, UINT32 size, W::DWORD ); 19 | VOID CheckInjectedExecution(W::DWORD pid ); 20 | VOID setInsideCreateProcess(); // used by hook for CreateProcess 21 | // 22 | 23 | private: 24 | VOID HandleInjectedMemory(std::vector& currentWriteSet,W::DWORD pid); 25 | string DumpRemoteWriteInterval(WriteInterval* item,W::DWORD pid); 26 | VOID WriteBufferToFile(unsigned char *buffer,UINT32 size, string path); 27 | VOID ExecuteHeuristics(string path_to_analyse); 28 | string getNameFromPid(W::DWORD pid); 29 | BOOL isInsideCreateProcess(); 30 | WxorXHandler *wxorxHandler; 31 | Config *config; 32 | Report *report; 33 | static ProcessInjectionModule *instance; 34 | BOOL insideCreateProcess; 35 | int remoteWriteInsideCreateProcess; 36 | ProcessInjectionModule(void); 37 | }; 38 | 39 | -------------------------------------------------------------------------------- /Code/PushadPopadHeuristic.cpp: -------------------------------------------------------------------------------- 1 | #include "PushadPopadHeuristic.h" 2 | 3 | int PushadPopadheuristic::run(){ 4 | //filter out the improper values 5 | ProcInfo *proc_info = ProcInfo::getInstance(); 6 | //if both the flag are valid our heuristic is valid 7 | if (proc_info->getPopadFlag() && proc_info->getPushadFlag()) { 8 | LOG_WARNING("[PUSHAD POPAD DETECTED !!]"); 9 | return OepFinder::FOUND_OEP; 10 | } 11 | return OepFinder::HEURISTIC_FAIL; 12 | } 13 | -------------------------------------------------------------------------------- /Code/PushadPopadHeuristic.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "Heuristics.h" 3 | 4 | 5 | class PushadPopadheuristic 6 | { 7 | public: 8 | int run(); 9 | }; 10 | -------------------------------------------------------------------------------- /Code/Report.cpp: -------------------------------------------------------------------------------- 1 | #include "Report.h" 2 | #include "Config.h" 3 | #include "ReportGeneralInformation.h" 4 | #include 5 | 6 | // singleton 7 | Report* Report::instance = nullptr; 8 | 9 | Report* Report::getInstance() 10 | { 11 | if (instance == 0) 12 | instance = new Report(); 13 | return instance; 14 | } 15 | 16 | Report::Report(void) 17 | { 18 | initialized = false; 19 | } 20 | 21 | void Report::initializeReport(string process_name, ADDRINT startAddr , ADDRINT endAddr, float initial_entropy){ 22 | //already initialized report (avoid problems when called multiple times) 23 | if (initialized) return; 24 | 25 | report_path = Config::getInstance()->getReportPath(); 26 | 27 | //create the general information object and populate it 28 | info = new ReportGeneralInformation(process_name, startAddr, endAddr, initial_entropy); 29 | //create the external structure of the json 30 | Json::Value info_json = info->toJson(); 31 | report["information"] = info_json; 32 | report["dumps"] = Json::Value(Json::arrayValue); 33 | writeJsonToReport(report); 34 | initialized = true; 35 | 36 | } 37 | 38 | // Create the DumpReport with initial information about the dump 39 | void Report::createReportDump(ADDRINT eip,ADDRINT start_addr, ADDRINT end_addr, int dump_number, bool intra_writeset,int pid){ 40 | ReportDump cur_dump = ReportDump(eip,start_addr,end_addr,dump_number,intra_writeset,pid); 41 | dumps.push_back(cur_dump); 42 | 43 | } 44 | 45 | //return the current dump object 46 | ReportDump& Report::getCurrentDump(){ 47 | return dumps.at(dumps.size()-1); 48 | } 49 | 50 | /* 51 | Close the report for the current Dump and write the results on file 52 | */ 53 | void Report::closeReportDump(){ 54 | ReportDump& cur_dump = getCurrentDump(); 55 | //get current dump and add it to the json structure 56 | 57 | Json::Value cur_dump_json = cur_dump.toJson(); 58 | report["dumps"].append(cur_dump_json); //add it to the json structure 59 | writeJsonToReport(report); //write it to file 60 | 61 | } 62 | 63 | void Report::closeReport(){ 64 | delete info; 65 | } 66 | 67 | 68 | //------------- Helpers ---------------- 69 | //create a new file where writes the current report 70 | void Report::writeJsonToReport(Json::Value report ){ 71 | ofstream report_file; 72 | report_file.open(report_path.c_str(),std::ofstream::out); 73 | Json::FastWriter fastWriter; 74 | report_file << fastWriter.write(report); 75 | report_file.flush(); 76 | report_file.close(); 77 | } -------------------------------------------------------------------------------- /Code/Report.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include "ReportDump.h" 4 | #include "json.h" 5 | 6 | class Report 7 | { 8 | private: 9 | Report(void); 10 | static Report *instance; 11 | bool initialized; // keep track if the report has already been initialized 12 | std::string report_path; // path of the report file 13 | ReportObject *info; // Object containing general info abount the current analysed executable 14 | std::vector dumps; 15 | Json::Value report; // json object representing current report 16 | void writeJsonToReport(Json::Value report); 17 | 18 | 19 | public: 20 | static Report* getInstance(); 21 | void initializeReport(std::string process_name, ADDRINT startAddr, ADDRINT endAddr, float initial_entropy); 22 | void createReportDump(ADDRINT eip,ADDRINT start_addr, ADDRINT end_addr, int dump_number, bool intra_writeset, int pid); 23 | ReportDump& getCurrentDump(); 24 | void closeReportDump(); 25 | void closeReport(); 26 | }; 27 | 28 | -------------------------------------------------------------------------------- /Code/ReportDump.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportDump.h" 2 | #include "ReportLongJump.h" 3 | 4 | ReportDump::ReportDump(){} 5 | 6 | ReportDump::ReportDump(ADDRINT eip,ADDRINT start_addr, ADDRINT end_addr, int dump_number, bool intra_writeset,int pid){ 7 | this->eip = eip; 8 | this->start_address = start_addr; 9 | this->end_address = end_addr; 10 | this->intra_writeset = intra_writeset; 11 | this->number = dump_number; 12 | this->reconstructed_imports = 0; 13 | this->pid = pid; 14 | } 15 | 16 | 17 | Json::Value ReportDump::toJson(){ 18 | //LOG_INFO("Generating current dump report"); 19 | root["eip"] = eip; 20 | root["start_address"] = start_address; 21 | root["end_address"] = end_address; 22 | root["intra_writeset"] = intra_writeset; 23 | root["number"] = number; 24 | root["reconstructed_imports"] = reconstructed_imports; 25 | root["pid"] = pid; 26 | root["heuristics"] = Json::Value(Json::arrayValue); 27 | root["imports"] = Json::Value(Json::arrayValue); 28 | 29 | 30 | 31 | //iterate over the heuristics andf append their json content in the "heuristics field" array of the current dump 32 | for(auto heur = this->heuristics.begin(); heur != this->heuristics.end(); ++heur){ 33 | ReportObject * cur_heur = *heur; 34 | Json::Value heur_json = cur_heur->toJson(); //generate the json of the heuristic 35 | root["heuristics"].append(heur_json); //append the heuristic json to the current dump json 36 | delete cur_heur; // free the heuristic object 37 | } 38 | 39 | //iterate over the imports and append their json content in the "import field" array of the current dump 40 | for(auto import = this->imported_functions.begin(); import != this->imported_functions.end(); ++import){ 41 | ReportObject * current_import = *import; 42 | Json::Value heur_json = current_import->toJson(); //generate the json of the import 43 | root["imports"].append(heur_json); //append the import json to the current dump json 44 | delete current_import; // free the import object 45 | } 46 | 47 | return root; 48 | 49 | } 50 | //add the heuristic object to the current dump report 51 | void ReportDump::addHeuristic(ReportObject* heur){ 52 | heuristics.push_back(heur); 53 | } 54 | 55 | void ReportDump::setImportedFunctions(vector imports){ 56 | this->imported_functions = imports; 57 | } 58 | 59 | void ReportDump::setNumberOfImports(int imports_number){ 60 | this->reconstructed_imports = imports_number; 61 | } 62 | 63 | 64 | -------------------------------------------------------------------------------- /Code/ReportDump.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include "ReportObject.h" 4 | #include "Debug.h" 5 | //#include "Log.h" 6 | 7 | class ReportDump : public ReportObject 8 | { 9 | public: 10 | ReportDump(); 11 | ReportDump(ADDRINT eip,ADDRINT start_addr, ADDRINT end_addr, int dump_number, bool intra_writeset,int pid); 12 | Json::Value ReportDump::toJson(); 13 | void addHeuristic(ReportObject*); 14 | void setImportedFunctions(vector); 15 | void setNumberOfImports( int imports_number); 16 | 17 | private: 18 | int number; 19 | bool intra_writeset; 20 | ADDRINT eip; 21 | ADDRINT start_address; 22 | ADDRINT end_address; 23 | int pid; 24 | int reconstructed_imports; 25 | int total_imports; 26 | vector imported_functions; 27 | /* 28 | In order to create a new heuristic Report you need: 29 | 1. Create a class (like ReportLongJump) which contains the information needed as attributes 30 | 2. Make this class inherit from the abstract class ReportObject the method toJson and implement it 31 | 3. Invoke the method ReportDump::addHeuristic(ReportObject* heur) when the new heuristic object has been created 32 | Example: 33 | ReportDump& report_dump = Report::getInstance()->getCurrentDump(); 34 | ReportObject* long_jmp_heur = new ReportLongJump(result,prev_ip, diff); 35 | report_dump.addHeuristic(long_jmp_heur); 36 | */ 37 | vector heuristics; 38 | 39 | 40 | 41 | 42 | }; 43 | 44 | -------------------------------------------------------------------------------- /Code/ReportEntropy.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportEntropy.h" 2 | 3 | 4 | ReportEntropy::ReportEntropy(void) 5 | { 6 | } 7 | 8 | 9 | 10 | ReportEntropy::ReportEntropy(bool result, float cur_entropy, float difference_entropy){ 11 | this->name = "EntropyHeuristic"; 12 | this->result = result; 13 | this->current_entropy = cur_entropy; 14 | this->difference_entropy = difference_entropy; 15 | } 16 | 17 | 18 | Json::Value ReportEntropy::toJson(){ 19 | root["name"] = this->name; 20 | root["result"] = this->result; 21 | root["current_entropy"] = this->current_entropy; 22 | root["difference_entropy_percentage"] = this->difference_entropy; 23 | return root; 24 | } -------------------------------------------------------------------------------- /Code/ReportEntropy.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include "ReportObject.h" 4 | 5 | class ReportEntropy : public ReportObject 6 | { 7 | 8 | private: 9 | string name; 10 | bool result; 11 | float current_entropy; 12 | float difference_entropy; 13 | 14 | public: 15 | ReportEntropy(void); 16 | ReportEntropy( bool result, float cur_entropy, float difference_entropy); 17 | Json::Value toJson(); 18 | }; 19 | 20 | -------------------------------------------------------------------------------- /Code/ReportGeneralInformation.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportGeneralInformation.h" 2 | #include "ReportMainModule.h" 3 | 4 | ReportGeneralInformation::ReportGeneralInformation(){ 5 | } 6 | ReportGeneralInformation::ReportGeneralInformation(string name, ADDRINT startAddr, ADDRINT endAddr, float initial_entropy) 7 | { 8 | this->name = name; 9 | this->entropy = initial_entropy; 10 | this->main_module = new ReportMainModule(startAddr, endAddr); 11 | 12 | } 13 | 14 | 15 | Json::Value ReportGeneralInformation::toJson(){ 16 | root["name"] = this->name; 17 | root["entropy"] =this->entropy; 18 | root["main_module"] = this->main_module->toJson(); 19 | return root; 20 | 21 | } -------------------------------------------------------------------------------- /Code/ReportGeneralInformation.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ReportObject.h" 3 | #include "json.h" 4 | 5 | 6 | class ReportGeneralInformation : public ReportObject 7 | { 8 | 9 | private: 10 | string name; 11 | float entropy; 12 | ReportObject *main_module; 13 | 14 | public: 15 | ReportGeneralInformation(); 16 | ReportGeneralInformation(string name, ADDRINT startAddr, ADDRINT endAddr, float initial_entropy); 17 | Json::Value ReportGeneralInformation::toJson(); 18 | 19 | }; 20 | 21 | -------------------------------------------------------------------------------- /Code/ReportImportedFunction.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportImportedFunction.h" 2 | 3 | 4 | ReportImportedFunction::ReportImportedFunction(string module, string function) 5 | { 6 | this->module_name = module; 7 | this->function_name = function; 8 | 9 | } 10 | 11 | 12 | Json::Value ReportImportedFunction::toJson(){ 13 | root["mod"] = this->module_name; 14 | root["func"] = this->function_name; 15 | return root; 16 | } -------------------------------------------------------------------------------- /Code/ReportImportedFunction.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ReportObject.h" 3 | class ReportImportedFunction : public ReportObject 4 | { 5 | private: 6 | string module_name; 7 | string function_name; 8 | public: 9 | ReportImportedFunction(string module, string function); 10 | Json::Value toJson(); 11 | 12 | }; 13 | 14 | -------------------------------------------------------------------------------- /Code/ReportJumpOuterSection.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportJumpOuterSection.h" 2 | 3 | 4 | ReportJumpOuterSection::ReportJumpOuterSection(void) 5 | { 6 | } 7 | 8 | ReportJumpOuterSection::ReportJumpOuterSection( bool res, string prev_sec, string cur_sec){ 9 | this->name = "JumpOuterSectionHeuristic"; 10 | this->result = res; 11 | this->prev_section = prev_sec; 12 | this->cur_section = cur_sec; 13 | } 14 | 15 | 16 | Json::Value ReportJumpOuterSection::toJson(){ 17 | root["name"] = this->name; 18 | root["result"] = this->result; 19 | root["prev_section"] = this->prev_section; 20 | root["current_section"] = this->cur_section; 21 | return root; 22 | } 23 | 24 | 25 | -------------------------------------------------------------------------------- /Code/ReportJumpOuterSection.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ReportObject.h" 3 | 4 | class ReportJumpOuterSection : public ReportObject 5 | { 6 | private: 7 | string name; 8 | bool result; 9 | string prev_section; 10 | string cur_section; 11 | public: 12 | ReportJumpOuterSection(void); 13 | ReportJumpOuterSection(bool res, string prev_sec, string cur_sec); 14 | Json::Value toJson(); 15 | }; 16 | 17 | -------------------------------------------------------------------------------- /Code/ReportLongJump.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportLongJump.h" 2 | 3 | 4 | ReportLongJump::ReportLongJump(void) 5 | { 6 | } 7 | 8 | ReportLongJump::ReportLongJump(bool res,ADDRINT prev_ip, ADDRINT len){ 9 | this->name = "LongJumpHeuristic"; 10 | this->result = res; 11 | this->prev_ip = prev_ip; 12 | this->length = len; 13 | 14 | } 15 | 16 | 17 | Json::Value ReportLongJump::toJson(){ 18 | root["name"] = name; 19 | root["result"] = result; 20 | root["prev_ip"] = prev_ip; 21 | root["length"] = length; 22 | return root; 23 | } -------------------------------------------------------------------------------- /Code/ReportLongJump.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ReportObject.h" 3 | 4 | class ReportLongJump : public ReportObject 5 | { 6 | 7 | private: 8 | string name; 9 | bool result; 10 | ADDRINT prev_ip; 11 | ADDRINT length; 12 | public: 13 | ReportLongJump(void); 14 | ReportLongJump(bool res, ADDRINT prev_ip, ADDRINT len); 15 | Json::Value toJson(); 16 | 17 | }; 18 | 19 | -------------------------------------------------------------------------------- /Code/ReportMainModule.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportMainModule.h" 2 | 3 | ReportMainModule::ReportMainModule(ADDRINT startAddr, ADDRINT endAddr) 4 | { 5 | this->startAddr = startAddr; 6 | this->endAddr = endAddr; 7 | } 8 | 9 | 10 | Json::Value ReportMainModule::toJson(){ 11 | root["start_address"] = this->startAddr; 12 | root["end_address"] = this->endAddr; 13 | return root; 14 | } -------------------------------------------------------------------------------- /Code/ReportMainModule.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ReportObject.h" 3 | #include "json.h" 4 | 5 | 6 | class ReportMainModule : public ReportObject 7 | { 8 | 9 | private: 10 | ADDRINT startAddr; 11 | ADDRINT endAddr; 12 | 13 | public: 14 | ReportMainModule(); 15 | ReportMainModule(ADDRINT startAddr, ADDRINT endAddr); 16 | Json::Value ReportMainModule::toJson(); 17 | 18 | }; 19 | 20 | -------------------------------------------------------------------------------- /Code/ReportObject.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportObject.h" 2 | 3 | 4 | ReportObject::ReportObject(void) 5 | { 6 | } 7 | 8 | 9 | -------------------------------------------------------------------------------- /Code/ReportObject.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include "json.h" 4 | 5 | 6 | class ReportObject 7 | { 8 | protected: 9 | Json::Value root; 10 | public: 11 | ReportObject(void); 12 | virtual Json::Value toJson(void) = 0; 13 | }; 14 | 15 | -------------------------------------------------------------------------------- /Code/ReportYaraRules.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportYaraRules.h" 2 | #include 3 | 4 | 5 | ReportYaraRules::ReportYaraRules(void) 6 | { 7 | } 8 | 9 | ReportYaraRules::ReportYaraRules(bool result, vector matched_rules){ 10 | this->name = "YaraRulesHeuristic"; 11 | this->result = result; 12 | this->matched_rules = matched_rules; 13 | } 14 | 15 | Json::Value ReportYaraRules::toJson(){ 16 | root["name"] = name; 17 | root["result"] = result; 18 | root["matched_rules"] = Json::Value(Json::arrayValue); 19 | for(auto rule = matched_rules.begin(); rule != matched_rules.end(); ++rule){ 20 | root["matched_rules"].append(*rule); 21 | } 22 | 23 | return root; 24 | } 25 | -------------------------------------------------------------------------------- /Code/ReportYaraRules.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ReportObject.h" 3 | #include "Debug.h" 4 | //#include "Log.h" 5 | 6 | class ReportYaraRules : public ReportObject 7 | { 8 | private: 9 | string name; 10 | bool result; 11 | vector matched_rules; 12 | public: 13 | ReportYaraRules(void); 14 | ReportYaraRules(bool result,vector matched_rule); 15 | Json::Value toJson(); 16 | 17 | }; 18 | 19 | -------------------------------------------------------------------------------- /Code/ScyllaWrapper.cpp: -------------------------------------------------------------------------------- 1 | #include "ScyllaWrapper.h" 2 | 3 | ScyllaWrapper* ScyllaWrapper::instance = 0; 4 | 5 | //singleton 6 | ScyllaWrapper* ScyllaWrapper::getInstance() 7 | { 8 | if (instance == 0) 9 | instance = new ScyllaWrapper(); 10 | return instance; 11 | } 12 | 13 | ScyllaWrapper::ScyllaWrapper(void) 14 | { 15 | //init 16 | this->myFunc = 0; 17 | this->hScyllaWrapper = 0; 18 | //load library 19 | this->hScyllaWrapper = W::LoadLibraryW(L"C:\\pin\\PinUnpackerDependencies\\Scylla\\ScyllaWrapper.dll"); 20 | //get proc address 21 | if (this->hScyllaWrapper) 22 | { 23 | this->myFunc = (def_myFunc)W::GetProcAddress((W::HMODULE)this->hScyllaWrapper, "myFunc"); 24 | if(this->myFunc == NULL){ 25 | printf("myFunc is NULL!!!"); 26 | } 27 | this->ScyllaWrapAddSection = (def_ScyllaWrapAddSection)W::GetProcAddress((W::HMODULE)this->hScyllaWrapper, "ScyllaWrapAddSection"); 28 | if(this->ScyllaWrapAddSection == NULL){ 29 | printf("ScyllaWrapAddSection is NULL!!!"); 30 | } 31 | } 32 | } 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /Code/ScyllaWrapper.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "pin.H" 4 | 5 | namespace W { 6 | #include 7 | }; 8 | 9 | 10 | 11 | typedef void (WINAPI * def_myFunc)(); 12 | typedef void (WINAPI * def_ScyllaWrapAddSection)(const W::WCHAR * dump_path , const W::CHAR * sectionName, W::DWORD sectionSize, UINT32 offset , W::BYTE * sectionData); 13 | 14 | class ScyllaWrapper 15 | { 16 | 17 | public: 18 | static ScyllaWrapper* getInstance(); 19 | def_myFunc myFunc; 20 | def_ScyllaWrapAddSection ScyllaWrapAddSection; 21 | 22 | private: 23 | ScyllaWrapper::ScyllaWrapper(); 24 | static ScyllaWrapper* instance; 25 | void * hScyllaWrapper; 26 | 27 | }; 28 | 29 | -------------------------------------------------------------------------------- /Code/ServerTCP.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include "ProcInfo.h" 4 | //#include "HiddenElements.h" 5 | //#include "TaintAnalysis.h" 6 | #include 7 | 8 | 9 | namespace W { 10 | #define WIN32_LEAN_AND_MEAN 11 | #include 12 | #include 13 | #include 14 | } 15 | 16 | #define fd_set W::fd_set 17 | 18 | #ifdef _WIN32 19 | static int (WSAAPI *p_WSAStartup)(W::WORD, W::WSADATA *); 20 | static int (WSAAPI *p_WSAGetLastError)(void); 21 | static W::SOCKET(WSAAPI *p_socket)(int af, int type, int protocol); 22 | static int (WSAAPI *p_bind)(W::SOCKET, const struct W::sockaddr *, int); 23 | static int (WSAAPI *p_setsockopt)(W::SOCKET, int, int, const char *optval, int optlen); 24 | static int (WSAAPI *p_listen)(W::SOCKET s, int backlog); 25 | static W::SOCKET (WSAAPI *p_accept)(W::SOCKET, struct W::sockaddr *, int *); 26 | static int (WSAAPI *p_recv)(W::SOCKET s, char *buf, int len, int flags); 27 | static int (WSAAPI *p_send)(W::SOCKET s, const char *buf, int len, int flags); 28 | static int (WSAAPI *p_select)(int, fd_set *, fd_set *, fd_set *, const struct W::timeval *); 29 | static int (WSAAPI *p_closesocket)(W::SOCKET s); 30 | static W::ULONG (WSAAPI *p_ntohl)(_In_ W::ULONG netlong); 31 | static W::ULONG (WSAAPI *p_htonl)(_In_ W::ULONG hostlong); 32 | static W::USHORT (WSAAPI *p_htons)(u_short hostshort); 33 | // __WSAFDIsSet is used implicitely by FD_ISSET, redefine it 34 | #define __WSAFDIsSet p__WSAFDIsSet 35 | static int (WSAAPI *p__WSAFDIsSet)(W::SOCKET fd, fd_set *); 36 | static int (WSAAPI *p_getaddrinfo)( 37 | _In_opt_ W::PCSTR pNodeName, 38 | _In_opt_ W::PCSTR pServiceName, 39 | _In_opt_ const W::ADDRINFOA *pHints, 40 | _Out_ W::PADDRINFOA *ppResult 41 | ); 42 | static int (WSAAPI *p_WSACleanup)(void); 43 | static void (WSAAPI *p_freeaddrinfo)( 44 | _In_ struct W::addrinfo *ai 45 | ); 46 | #endif 47 | 48 | 49 | VOID pThreadFuncPin(VOID *arg); 50 | VOID ReceiveSocket(W::SOCKET ClientSocket); 51 | 52 | VOID send_bytes(W::SOCKET socket, W::LPSTR buffer, ssize_t n); 53 | VOID get_bytes(W::SOCKET socket, W::LPSTR buffer, ssize_t n); 54 | VOID setGroupByString(char** list, int count); -------------------------------------------------------------------------------- /Code/TimeTracker.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | 5 | extern int divisor; -------------------------------------------------------------------------------- /Code/TracerContextChangeManager.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include "ProcInfo.h" //Needed for memory range 4 | #include "HookSyscalls.h" //Needed for CLIENT_ID 5 | #include "tls.h" 6 | 7 | namespace W { 8 | #include "windows.h" 9 | #include "Winternl.h" 10 | } 11 | 12 | //Callback Handling Structures 13 | 14 | typedef struct _PEB 15 | { 16 | W::BOOLEAN InheritedAddressSpace; 17 | W::BOOLEAN ReadImageFileExecOptions; 18 | W::BOOLEAN BeingDebugged; 19 | union 20 | { 21 | W::BOOLEAN BitField; 22 | struct 23 | { 24 | W::BOOLEAN ImageUsesLargePages : 1; 25 | W::BOOLEAN IsProtectedProcess : 1; 26 | W::BOOLEAN IsLegacyProcess : 1; 27 | W::BOOLEAN IsImageDynamicallyRelocated : 1; 28 | W::BOOLEAN SkipPatchingUser32Forwarders : 1; 29 | W::BOOLEAN SpareBits : 3; 30 | }; 31 | }; 32 | W::HANDLE Mutant; 33 | 34 | W::PVOID ImageBaseAddress; 35 | W::PVOID Ldr; 36 | W::PVOID ProcessParameters; 37 | W::PVOID SubSystemData; 38 | W::PVOID ProcessHeap; 39 | W::PRTL_CRITICAL_SECTION FastPebLock; 40 | W::PVOID AtlThunkSListPtr; 41 | W::PVOID IFEOKey; 42 | union 43 | { 44 | W::ULONG CrossProcessFlags; 45 | struct 46 | { 47 | W::ULONG ProcessInJob : 1; 48 | W::ULONG ProcessInitializing : 1; 49 | W::ULONG ProcessUsingVEH : 1; 50 | W::ULONG ProcessUsingVCH : 1; 51 | W::ULONG ProcessUsingFTH : 1; 52 | W::ULONG ReservedBits0 : 27; 53 | }; 54 | W::ULONG EnvironmentUpdateCount; 55 | }; 56 | union 57 | { 58 | W::PVOID KernelCallbackTable; 59 | W::PVOID UserSharedInfoPtr; 60 | }; 61 | } *PPEB; 62 | 63 | typedef struct _TEB 64 | { 65 | W::NT_TIB NtTib; 66 | W::PVOID EnvironmentPointer; 67 | CLIENT_ID ClientId; 68 | W::PVOID ActiveRpcHandle; 69 | W::PVOID ThreadLocalStoragePointer; 70 | PPEB ProcessEnvironmentBlock; 71 | W::ULONG LastErrorValue; 72 | W::ULONG CountOfOwnedCriticalSections; 73 | W::PVOID CsrClientThread; 74 | W::PVOID Win32ThreadInfo; 75 | }TEB, *PTEB; 76 | 77 | 78 | class TracerContextChangeManager { 79 | public: 80 | static void tracerOnContextChange(THREADID tid, CONTEXT_CHANGE_REASON reason, const CONTEXT *orig_ctx, CONTEXT *signal_ctx, int32_t info, void*); 81 | 82 | }; -------------------------------------------------------------------------------- /Code/TracerTdataManager.cpp: -------------------------------------------------------------------------------- 1 | #include "TracerTdataManager.h" 2 | 3 | //Init tracer tdata 4 | void TracerTdataManager::initTracerTdata(THREADID tid,bluepill_tls* tdata) { 5 | 6 | //--Init counter--// 7 | tdata->call_number = 0; 8 | 9 | //--Init shadow stack--// 10 | tdata->shadowStack = new vector; 11 | 12 | //--Init syscall struct--// 13 | tdata->syscallEntry = NULL; 14 | 15 | //--Allocate and init buffer--// 16 | tdata->buffer = (buf_info_t*)malloc(sizeof(buf_info_t)); 17 | memset((tdata->buffer)->buf, 0, sizeof(char)*OUTBUF_SIZE); 18 | (tdata->buffer)->sofar = 0; 19 | 20 | //--Initialize output file--// 21 | tdata->OutFile = NULL; 22 | 23 | //--Initialize function pointer to function where file is opened--// 24 | tdata->file_write = &open_file; 25 | 26 | //--Initialize thread id--// 27 | tdata->threadid = tid; 28 | 29 | } 30 | 31 | //Dealloc tracer tdata 32 | void TracerTdataManager::deallocTracerTdata(THREADID tid, bluepill_tls* tdata) { 33 | 34 | //--Dealloc shadow stack--// 35 | //-> Free each element of shadow stack 36 | //-> Empty shadow stack vector 37 | //-> Delete shadowStack 38 | for (std::vector::iterator it = ((*(tdata->shadowStack)).begin()); it != ((*(tdata->shadowStack)).end()); ++it) 39 | { 40 | free(it->apiInfo); 41 | } 42 | vector().swap(*(tdata->shadowStack)); //Force memory deallocation (Altough not rly necessary) 43 | delete(tdata->shadowStack); 44 | 45 | //--Dealloc syscall entry--// 46 | if (tdata->syscallEntry != NULL) { 47 | free(tdata->syscallEntry); 48 | } 49 | 50 | //--Close File--// 51 | //-> Flush leftovers in buffer 52 | //-> Close file 53 | (tdata->file_write)(tid, tdata->buffer, tdata->OutFile, "#eof\n"); 54 | buf_flush(tdata->buffer, tdata->OutFile); //-> Write to file whats left in buffer 55 | fclose(tdata->OutFile); 56 | 57 | //--Dealloc Buffer--// 58 | free(tdata->buffer); 59 | } -------------------------------------------------------------------------------- /Code/TracerTdataManager.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include "tls.h" 4 | 5 | class TracerTdataManager { 6 | public: 7 | static void initTracerTdata(THREADID tid, bluepill_tls* tdata); 8 | static void deallocTracerTdata(THREADID tid, bluepill_tls* tdata); 9 | }; -------------------------------------------------------------------------------- /Code/TracerWriteFile.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | //Utility header 3 | #include "pin.H" 4 | 5 | /* 6 | //Memory Range struct 7 | typedef struct _MemoRange { 8 | ADDRINT StartAddress; 9 | ADDRINT EndAddress; 10 | } MemoRange;*/ 11 | //Main Image range 12 | //extern MemoRange mainImg; 13 | //User32.dll range 14 | //extern MemoRange user32Img; 15 | 16 | #define OUTBUF_SIZE 8192 //Buffer size 17 | //Buffer struct 18 | typedef struct _buf_info_t { 19 | char buf[OUTBUF_SIZE]; 20 | size_t sofar; 21 | } buf_info_t; 22 | 23 | //Function for buffer writing 24 | void buf_write(THREADID threadid, buf_info_t* buffer, FILE* OutFile, const char* format, ...); 25 | //Function for flushing 26 | void buf_flush(buf_info_t* buffer, FILE* OutFile); 27 | //Function invoked to carry out the first write to a buffer of a thread 28 | void buf_write_begin(buf_info_t* buffer, FILE* OutFile, const char* format, va_list argptr); 29 | //Function for opening file during instrumentation 30 | void open_file(THREADID threadid, buf_info_t* buffer, FILE* OutFile, const char* format, ...); -------------------------------------------------------------------------------- /Code/WriteInterval.cpp: -------------------------------------------------------------------------------- 1 | #include "WriteInterval.h" 2 | 3 | #define OVERLAP(x1, y1, x2, y2) ( ((x1) <= (y2)) && ((x2) <= (y1)) ) 4 | 5 | // create a WriteInterval for the address interval of the current write 6 | WriteInterval::WriteInterval(ADDRINT addr_begin, ADDRINT addr_end, BOOL heap_flag) { 7 | this->addr_begin = addr_begin; 8 | this->addr_end = addr_end; 9 | this->broken_flag = 0; 10 | this->cur_number_jmp = 0; 11 | this->heap_flag = heap_flag; 12 | this->detectedFunctions = 0; 13 | } 14 | 15 | //----------------------- GETTER / SETTER ----------------------- 16 | 17 | ADDRINT WriteInterval::getAddrBegin(){ 18 | return this->addr_begin; 19 | } 20 | 21 | ADDRINT WriteInterval::getAddrEnd(){ 22 | return this->addr_end; 23 | } 24 | 25 | BOOL WriteInterval::getBrokenFlag(){ 26 | return this->broken_flag; 27 | } 28 | 29 | ADDRINT WriteInterval::getThreshold(){ 30 | return (this->addr_end - this->addr_begin)/20; 31 | } 32 | 33 | UINT32 WriteInterval::getCurrNumberJMP(){ 34 | return this->cur_number_jmp; 35 | } 36 | 37 | BOOL WriteInterval::getHeapFlag(){ 38 | return this->heap_flag; 39 | } 40 | 41 | UINT32 WriteInterval::getDetectedFunctions(){ 42 | return this->detectedFunctions; 43 | } 44 | 45 | 46 | void WriteInterval::setBrokenFlag(BOOL flag){ 47 | this->broken_flag = flag; 48 | } 49 | 50 | void WriteInterval::incrementCurrNumberJMP(){ 51 | this->cur_number_jmp = this->cur_number_jmp +1 ; 52 | } 53 | 54 | void WriteInterval::setDetectedFunctions(UINT32 numberOfFunctions){ 55 | this->detectedFunctions = numberOfFunctions; 56 | } 57 | 58 | 59 | //----------------------- PUBLIC METHODS ----------------------- 60 | 61 | //check if the value of the given address is between addr_begin and addr_end 62 | BOOL WriteInterval::checkUpdate(ADDRINT start_addr, ADDRINT end_addr){ 63 | //if the address interval ISN'T before or after the current interval then we have to udate the instance 64 | 65 | /* TODO: the original check seems naive, unless addr_begin > addr_end 66 | * return !( (start_addr < this->addr_begin && end_addr < this->addr_begin) || 67 | * (start_addr > this->addr_end && end_addr > this->addr_end) ); */ 68 | //return !(end_addr < this->addr_begin || start_addr > this->addr_end); 69 | //return (start_addr <= this->addr_end) && (this->addr_begin <= end_addr) 70 | return OVERLAP(start_addr, end_addr, this->addr_begin, this->addr_end); 71 | } 72 | 73 | //update the current obj 74 | VOID WriteInterval::update(ADDRINT start_addr, ADDRINT end_addr, BOOL heap_flag){ 75 | this->heap_flag = heap_flag; 76 | // if the new write overlaps the WriteInteval at the end we update the end_addr 77 | if ( (start_addr >= this->addr_begin) && (start_addr <= this->addr_end) && (end_addr > this->addr_end) ){ 78 | this->addr_end = end_addr; 79 | } 80 | // if the new write overlaps the WriteInteval at the begin we update the addr_begin 81 | else if ( (start_addr < this->addr_begin) && (end_addr >= this->addr_begin) && (end_addr <= this->addr_end) ){ 82 | this->addr_begin = start_addr; 83 | } 84 | //if the new write contains the Write interval we update both endpoints 85 | else if ( (start_addr < this->addr_begin) && (end_addr > this->addr_begin) ){ 86 | this->addr_begin = start_addr; 87 | this->addr_end = end_addr; 88 | } 89 | } 90 | 91 | //check if the ip reside inside the WriteInterval 92 | BOOL WriteInterval::checkInside(ADDRINT ip){ 93 | return (ip >= this->addr_begin && ip <= this->addr_end); 94 | } -------------------------------------------------------------------------------- /Code/WriteInterval.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | 4 | class WriteInterval 5 | { 6 | 7 | public: 8 | //create a new WriteInterval 9 | WriteInterval(ADDRINT addr_begin, ADDRINT addr_end, BOOL heap_flag); 10 | //check if we have to expand our interval 11 | BOOL checkUpdate(ADDRINT start_addr, ADDRINT end_addr); 12 | //check if a given address is inside our interval 13 | BOOL checkInside(ADDRINT ip); 14 | //update our inteval with the new bounds 15 | VOID update(ADDRINT start_addr, ADDRINT end_addr, BOOL heap_flag); 16 | //getter 17 | ADDRINT getAddrBegin(); 18 | ADDRINT getAddrEnd(); 19 | BOOL getBrokenFlag(); 20 | ADDRINT getThreshold(); 21 | UINT32 getCurrNumberJMP(); 22 | BOOL getHeapFlag(); 23 | UINT32 getDetectedFunctions(); 24 | //setter 25 | void setBrokenFlag(BOOL flag); 26 | void incrementCurrNumberJMP(); 27 | void setDetectedFunctions(UINT32 numberOfFunctions); 28 | 29 | private: 30 | ADDRINT addr_begin; 31 | ADDRINT addr_end; 32 | BOOL broken_flag; 33 | UINT32 cur_number_jmp; 34 | BOOL heap_flag; 35 | UINT32 detectedFunctions; 36 | }; 37 | 38 | -------------------------------------------------------------------------------- /Code/WxorXHandler.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "WriteInterval.h" 4 | #include "pin.H" 5 | #include "Debug.h" 6 | #include "Config.h" 7 | #include "ProcInfo.h" 8 | 9 | class WxorXHandler 10 | { 11 | public: 12 | typedef std::vector WriteSet; 13 | //singleton instance 14 | static WxorXHandler* getInstance(); 15 | 16 | //manage the write set that contains the WriteInterval written by the program 17 | VOID writeSetManager(ADDRINT start_addr, UINT32 size); 18 | 19 | //check if the WxorX law is broken 20 | WriteInterval* getWxorXinterval(ADDRINT ip); 21 | 22 | //manage the write set that contains the WriteInterval written by the program and injected in another process 23 | VOID writeSetManager(ADDRINT startAddr, UINT32 size, W::DWORD pid); 24 | 25 | //check if the W xor X law is broken inside injected process 26 | WriteSet& getWxorXintervalInjected(W::DWORD pid); 27 | 28 | VOID clearWriteSet(W::DWORD pid); 29 | VOID displayWriteSet(W::DWORD pid); 30 | VOID incrementCurrJMPNumber(int writeItemIndex); 31 | 32 | private: 33 | WxorXHandler(); 34 | static WxorXHandler* instance; 35 | 36 | map WriteSetContainer; 37 | W::DWORD pid; 38 | 39 | VOID _writeSetManager(ADDRINT startAddr, UINT32 size, WriteSet ¤tWriteSet); 40 | }; 41 | 42 | -------------------------------------------------------------------------------- /Code/YaraHeuristic.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "Heuristics.h" 3 | #include "ReportYaraRules.h" 4 | #include "Helper.h" 5 | namespace W{ 6 | #include "windows.h" 7 | } 8 | 9 | //size of the buffer used for communitating with the yara process 10 | #define PIPE_BUFSIZE 4096 11 | 12 | class YaraHeuristic 13 | { 14 | public: 15 | int run(std::vector paths_to_analyse); 16 | 17 | private: 18 | W::HANDLE g_hChildStd_OUT_Rd; 19 | W::HANDLE g_hChildStd_OUT_Wr; 20 | std::string ReadFromPipe(W::PROCESS_INFORMATION piProcInfo); 21 | BOOL launchYara(std::string yara_path, 22 | std::string yara_rules_path, 23 | std::string yara_input_path, 24 | std::string yara_output, 25 | W::PROCESS_INFORMATION *piResults); 26 | //UINT32 getFileSize(FILE *fp); 27 | std::vector parseYaraOutput(std::string output); 28 | std::vector analyseYara(std::string dump_to_analyse); 29 | 30 | }; 31 | -------------------------------------------------------------------------------- /Code/drstrace_named_consts.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | /* ********************************************************** 3 | * Copyright (c) 2014 Google, Inc. All rights reserved. 4 | * **********************************************************/ 5 | 6 | /* Dr. Memory: the memory debugger 7 | * 8 | * This library is free software; you can redistribute it and/or 9 | * modify it under the terms of the GNU Lesser General Public 10 | * License as published by the Free Software Foundation; 11 | * version 2.1 of the License, and no later version. 12 | 13 | * This library is distributed in the hope that it will be useful, 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 16 | * Library General Public License for more details. 17 | 18 | * You should have received a copy of the GNU Lesser General Public 19 | * License along with this library; if not, write to the Free Software 20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 21 | */ 22 | 23 | #include 24 | #include 25 | #include 26 | 27 | /* We hardcode each named constant using separate structures for 28 | * each group of constants. We generate each structure name by using 29 | * first constant name in the group of constants. 30 | */ 31 | typedef struct const_values_t { 32 | int value; /* value of the named constant */ 33 | const char *const_name; /* name of the named constant */ 34 | } const_values_t; 35 | 36 | extern const_values_t *const_struct_array[]; 37 | size_t get_const_arrays_num(void); -------------------------------------------------------------------------------- /Code/libdft/branch_pred.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright (c) 2010, 2011, 2012, 2013, Columbia University 3 | * All rights reserved. 4 | * 5 | * This software was developed by Vasileios P. Kemerlis 6 | * at Columbia University, New York, NY, USA, in June 2010. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 11 | * * Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * * Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * * Neither the name of Columbia University nor the 17 | * names of its contributors may be used to endorse or promote products 18 | * derived from this software without specific prior written permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 24 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 | * POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #ifndef LIBDFT_BRANCH_PRED_H 34 | #define LIBDFT_BRANCH_PRED_H 35 | 36 | /* compiler directives for branch prediction */ 37 | //#define likely(x) __builtin_expect((x), 1) 38 | //#define unlikely(x) __builtin_expect((x), 0) 39 | 40 | // DCD not really effective on MSVC - shall we use (x) and !(x) instead? 41 | #define likely(x) ((x) ? 1 : 0) 42 | #define unlikely(x) ((!(x)) ? 0 : 1) 43 | 44 | #endif /* LIBDFT_BRANCH_PRED_H */ 45 | -------------------------------------------------------------------------------- /Code/libdft/config.h: -------------------------------------------------------------------------------- 1 | #ifndef LIBDFT_CONFIG_H 2 | #define LIBDFT_CONFIG_H 3 | 4 | // Enable custom taint tags unless default tags are explicitly requested. 5 | #if defined(LIBDFT_DEFAULT_TAG_TYPE) 6 | #undef LIBDFT_TAG_TYPE 7 | #undef USE_CUSTOM_TAG 8 | #elif !defined(LIBDFT_TAG_TYPE) 9 | //#define LIBDFT_TAG_TYPE libdft_tag_set_uint32 10 | #define LIBDFT_TAG_TYPE libdft_tag_uint8 // DCD 11 | #endif 12 | 13 | #ifdef LIBDFT_TAG_TYPE 14 | #define USE_CUSTOM_TAG 15 | #include "tag_traits.h" 16 | 17 | // Currently available tag types: 18 | // libdft_tag_uint8 19 | // libdft_tag_set_uint32 20 | // libdft_tag_set_fdoff 21 | // libdft_tag_bitset 22 | typedef LIBDFT_TAG_TYPE tag_t; 23 | #endif 24 | 25 | #endif /* LIBDFT_CONFIG_H */ 26 | 27 | -------------------------------------------------------------------------------- /Code/libdft/dbg.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Zed's Awesome Debug Macros 3 | * http://c.learncodethehardway.org/book/ex20.html 4 | */ 5 | #ifndef LIBDFT_DBG_H 6 | #define LIBDFT_DBG_H 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #ifdef NDEBUG 14 | #define debug(M, ...) 15 | #else 16 | #define debug(M, ...) std::fprintf(stderr, "DEBUG %s:%d: " M "\n", __FILE__, __LINE__, ##__VA_ARGS__) 17 | #endif 18 | 19 | #define clean_errno() (errno == 0 ? "None" : strerror(errno)) 20 | 21 | #define log_err(M, ...) std::fprintf(stderr, "[ERROR] (%s:%d: errno: %s) " M "\n", __FILE__, __LINE__, clean_errno(), ##__VA_ARGS__) 22 | 23 | #define log_warn(M, ...) std::fprintf(stderr, "[WARN] (%s:%d: errno: %s) " M "\n", __FILE__, __LINE__, clean_errno(), ##__VA_ARGS__) 24 | 25 | #define log_info(M, ...) std::fprintf(stderr, "[INFO] (%s:%d) " M "\n", __FILE__, __LINE__, ##__VA_ARGS__) 26 | 27 | #define check(A, M, ...) if(!(A)) { log_err(M, ##__VA_ARGS__); errno=0; goto error; } 28 | 29 | #define sentinel(M, ...) { log_err(M, ##__VA_ARGS__); errno=0; goto error; } 30 | 31 | #define check_mem(A) check((A), "Out of memory.") 32 | 33 | #define check_debug(A, M, ...) if(!(A)) { debug(M, ##__VA_ARGS__); errno=0; goto error; } 34 | 35 | #endif 36 | -------------------------------------------------------------------------------- /Code/libdft/libdft_core.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * Copyright (c) 2010, 2011, 2012, 2013, Columbia University 3 | * All rights reserved. 4 | * 5 | * This software was developed by Vasileios P. Kemerlis 6 | * at Columbia University, New York, NY, USA, in June 2010. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 11 | * * Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * * Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * * Neither the name of Columbia University nor the 17 | * names of its contributors may be used to endorse or promote products 18 | * derived from this software without specific prior written permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 24 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 | * POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #ifndef LIBDFT_CORE_H 34 | #define LIBDFT_CORE_H 35 | 36 | #include "pin.H" // DCD 37 | 38 | #define VCPU_MASK32 0x0F /* 32-bit VCPU mask */ 39 | #define VCPU_MASK16 0x03 /* 16-bit VCPU mask */ 40 | #define VCPU_MASK8 0x01 /* 8-bit VCPU mask */ 41 | #define MEM_LONG_LEN 32 /* long size (32-bit) */ 42 | #define MEM_WORD_LEN 16 /* word size (16-bit) */ 43 | #define MEM_BYTE_LEN 8 /* byte size (8-bit) */ 44 | #define BIT2BYTE(len) ((len) >> 3) /* scale change; macro */ 45 | 46 | /* extract the EFLAGS.DF bit by applying the corresponding mask */ 47 | #define EFLAGS_DF(eflags) ((eflags & 0x0400)) 48 | 49 | enum { 50 | /* #define */ OP_0 = 0, /* 0th (1st) operand index */ 51 | /* #define */ OP_1 = 1, /* 1st (2nd) operand index */ 52 | /* #define */ OP_2 = 2, /* 2nd (3rd) operand index */ 53 | /* #define */ OP_3 = 3, /* 3rd (4th) operand index */ 54 | /* #define */ OP_4 = 4 /* 4rd (5th) operand index */ 55 | }; 56 | 57 | 58 | /* core API */ 59 | void ins_inspect(INS); 60 | 61 | #endif /* LIBDFT_CORE_H */ 62 | -------------------------------------------------------------------------------- /Code/libdft/tagmap_custom.h: -------------------------------------------------------------------------------- 1 | #ifndef LIBDFT_TAGMAP_CUSTOM_H 2 | #define LIBDFT_TAGMAP_CUSTOM_H 3 | #include "array.hpp" 4 | 5 | const unsigned long DIR_PAGE_BITS = 12; 6 | const unsigned long DIR_PAGE_SZ = 1 << DIR_PAGE_BITS; 7 | const unsigned long DIR_PAGE_MASK = DIR_PAGE_SZ - 1; 8 | const unsigned long DIR_TABLE_BITS = 10; 9 | const unsigned long DIR_TABLE_SZ = 1 << DIR_TABLE_BITS; 10 | const unsigned long DIR_TABLE_MASK = DIR_TABLE_SZ - 1; 11 | const unsigned long DIR_BITS = 10; 12 | const unsigned long DIR_SZ = 1 << DIR_BITS; 13 | const unsigned long DIR_MASK = DIR_SZ - 1; 14 | 15 | inline unsigned long virt2table(unsigned long addr) { 16 | return (addr >> (DIR_PAGE_BITS + DIR_TABLE_BITS)) & DIR_MASK; 17 | } 18 | 19 | inline unsigned long virt2page(unsigned long addr) { 20 | return (addr >> DIR_PAGE_BITS) & DIR_TABLE_MASK; 21 | } 22 | 23 | inline unsigned long virt2offset(unsigned long addr) { 24 | return addr & DIR_PAGE_MASK; 25 | } 26 | 27 | typedef cpp11::array tag_page_t; 28 | typedef cpp11::array tag_table_t; 29 | typedef cpp11::array tag_dir_t; 30 | 31 | extern int tagmap_all_tainted; 32 | extern void libdft_die(); 33 | 34 | inline tag_t const * tag_dir_getb_as_ptr(tag_dir_t const & dir, ADDRINT addr) { 35 | if(dir[virt2table(addr)]) { 36 | tag_table_t * table = dir[virt2table(addr)]; 37 | if ((*table)[virt2page(addr)]) { 38 | tag_page_t * page = (*table)[virt2page(addr)]; 39 | if (page != NULL) 40 | return &(*page)[virt2offset(addr)]; 41 | } 42 | } 43 | return &tag_traits::cleared_val; 44 | } 45 | 46 | inline tag_t tag_dir_getb(tag_dir_t const & dir, ADDRINT addr) { 47 | return *tag_dir_getb_as_ptr(dir, addr); 48 | } 49 | 50 | 51 | inline void tag_dir_setb(tag_dir_t & dir, ADDRINT addr, tag_t const & tag) 52 | { 53 | //LOG("Setting tag "+hexstr(addr)+"\n"); 54 | if(dir[virt2table(addr)] == NULL) 55 | { 56 | //LOG("No tag table for "+hexstr(addr)+" allocating new table\n"); 57 | tag_table_t * new_table = new tag_table_t(); // DCD (nothrow) 58 | if (new_table == NULL) 59 | { 60 | LOG("Failed to allocate tag table!\n"); 61 | libdft_die(); 62 | } 63 | dir[virt2table(addr)] = new_table; 64 | } 65 | 66 | tag_table_t * table = dir[virt2table(addr)]; 67 | if ((*table)[virt2page(addr)] == NULL) 68 | { 69 | //LOG("No tag page for "+hexstr(addr)+" allocating new page\n"); 70 | tag_page_t * new_page = new tag_page_t(); // DCD (nothrow) 71 | if (new_page == NULL) 72 | { 73 | LOG("Failed to allocate tag page!\n"); 74 | libdft_die(); 75 | } 76 | cpp::fill(new_page->begin(), new_page->end(), tag_traits::cleared_val); 77 | (*table)[virt2page(addr)] = new_page; 78 | } 79 | 80 | tag_page_t * page = (*table)[virt2page(addr)]; 81 | //LOG("Writing tag for "+hexstr(addr)+"\n"); 82 | (*page)[virt2offset(addr)] = tag; 83 | } 84 | #endif 85 | -------------------------------------------------------------------------------- /Code/makefile: -------------------------------------------------------------------------------- 1 | ############################################################## 2 | # 3 | # DO NOT EDIT THIS FILE! 4 | # 5 | ############################################################## 6 | 7 | # If the tool is built out of the kit, PIN_ROOT must be specified in the make invocation and point to the kit root. 8 | ifdef PIN_ROOT 9 | CONFIG_ROOT := $(PIN_ROOT)/source/tools/Config 10 | else 11 | CONFIG_ROOT := ../Config 12 | endif 13 | include $(CONFIG_ROOT)/makefile.config 14 | include makefile.rules 15 | include $(TOOLS_ROOT)/Config/makefile.default.rules 16 | 17 | ############################################################## 18 | # 19 | # DO NOT EDIT THIS FILE! 20 | # 21 | ############################################################## 22 | -------------------------------------------------------------------------------- /Code/makefile.rules: -------------------------------------------------------------------------------- 1 | ############################################################## 2 | # 3 | # This file includes all the test targets as well as all the 4 | # non-default build rules and test recipes. 5 | # 6 | ############################################################## 7 | 8 | 9 | ############################################################## 10 | # 11 | # Test targets 12 | # 13 | ############################################################## 14 | 15 | ###### Place all generic definitions here ###### 16 | 17 | # This defines tests which run tools of the same name. This is simply for convenience to avoid 18 | # defining the test name twice (once in TOOL_ROOTS and again in TEST_ROOTS). 19 | # Tests defined here should not be defined in TOOL_ROOTS and TEST_ROOTS. 20 | TEST_TOOL_ROOTS := MyPinTool 21 | 22 | # This defines the tests to be run that were not already defined in TEST_TOOL_ROOTS. 23 | TEST_ROOTS := 24 | 25 | # This defines a list of tests that should run in the "short" sanity. Tests in this list must also 26 | # appear either in the TEST_TOOL_ROOTS or the TEST_ROOTS list. 27 | # If the entire directory should be tested in sanity, assign TEST_TOOL_ROOTS and TEST_ROOTS to the 28 | # SANITY_SUBSET variable in the tests section below (see example in makefile.rules.tmpl). 29 | SANITY_SUBSET := 30 | 31 | # This defines the tools which will be run during the the tests, and were not already defined in 32 | # TEST_TOOL_ROOTS. 33 | TOOL_ROOTS := 34 | 35 | # This defines the static analysis tools which will be run during the the tests. They should not 36 | # be defined in TEST_TOOL_ROOTS. If a test with the same name exists, it should be defined in 37 | # TEST_ROOTS. 38 | # Note: Static analysis tools are in fact executables linked with the Pin Static Analysis Library. 39 | # This library provides a subset of the Pin APIs which allows the tool to perform static analysis 40 | # of an application or dll. Pin itself is not used when this tool runs. 41 | SA_TOOL_ROOTS := 42 | 43 | # This defines all the applications that will be run during the tests. 44 | APP_ROOTS := 45 | 46 | # This defines any additional object files that need to be compiled. 47 | OBJECT_ROOTS := 48 | 49 | # This defines any additional dlls (shared objects), other than the pintools, that need to be compiled. 50 | DLL_ROOTS := 51 | 52 | # This defines any static libraries (archives), that need to be built. 53 | LIB_ROOTS := 54 | 55 | 56 | ############################################################## 57 | # 58 | # Test recipes 59 | # 60 | ############################################################## 61 | 62 | # This section contains recipes for tests other than the default. 63 | # See makefile.default.rules for the default test rules. 64 | # All tests in this section should adhere to the naming convention: .test 65 | 66 | 67 | ############################################################## 68 | # 69 | # Build rules 70 | # 71 | ############################################################## 72 | 73 | # This section contains the build rules for all binaries that have special build rules. 74 | # See makefile.default.rules for the default build rules. 75 | -------------------------------------------------------------------------------- /Code/md5.h: -------------------------------------------------------------------------------- 1 | /* MD5 2 | converted to C++ class by Frank Thilo (thilo@unix-ag.org) 3 | for bzflag (http://www.bzflag.org) 4 | 5 | based on: 6 | 7 | md5.h and md5.c 8 | reference implementation of RFC 1321 9 | 10 | Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All 11 | rights reserved. 12 | 13 | License to copy and use this software is granted provided that it 14 | is identified as the "RSA Data Security, Inc. MD5 Message-Digest 15 | Algorithm" in all material mentioning or referencing this software 16 | or this function. 17 | 18 | License is also granted to make and use derivative works provided 19 | that such works are identified as "derived from the RSA Data 20 | Security, Inc. MD5 Message-Digest Algorithm" in all material 21 | mentioning or referencing the derived work. 22 | 23 | RSA Data Security, Inc. makes no representations concerning either 24 | the merchantability of this software or the suitability of this 25 | software for any particular purpose. It is provided "as is" 26 | without express or implied warranty of any kind. 27 | 28 | These notices must be retained in any copies of any part of this 29 | documentation and/or software. 30 | 31 | */ 32 | 33 | #ifndef BZF_MD5_H 34 | #define BZF_MD5_H 35 | 36 | #include 37 | #include 38 | 39 | 40 | // a small class for calculating MD5 hashes of strings or byte arrays 41 | // it is not meant to be fast or secure 42 | // 43 | // usage: 1) feed it blocks of uchars with update() 44 | // 2) finalize() 45 | // 3) get hexdigest() string 46 | // or 47 | // MD5(std::string).hexdigest() 48 | // 49 | // assumes that char is 8 bit and int is 32 bit 50 | class MD5 51 | { 52 | public: 53 | typedef UINT32 size_type; // must be 32bit 54 | 55 | MD5(); 56 | MD5(const std::string& text); 57 | void update(const unsigned char *buf, size_type length); 58 | void update(const char *buf, size_type length); 59 | MD5& finalize(); 60 | std::string hexdigest() const; 61 | friend std::ostream& operator<<(std::ostream&, MD5 md5); 62 | 63 | private: 64 | void init(); 65 | typedef unsigned char uint1; // 8bit 66 | typedef unsigned int uint4; // 32bit 67 | enum {blocksize = 64}; // VC6 won't eat a const static int here 68 | 69 | void transform(const uint1 block[blocksize]); 70 | static void decode(uint4 output[], const uint1 input[], size_type len); 71 | static void encode(uint1 output[], const uint4 input[], size_type len); 72 | 73 | bool finalized; 74 | uint1 buffer[blocksize]; // bytes that didn't fit in last 64 byte chunk 75 | uint4 count[2]; // 64bit counter for number of bits (lo, hi) 76 | uint4 state[4]; // digest so far 77 | uint1 digest[16]; // the result 78 | 79 | // low level logic operations 80 | static inline uint4 F(uint4 x, uint4 y, uint4 z); 81 | static inline uint4 G(uint4 x, uint4 y, uint4 z); 82 | static inline uint4 H(uint4 x, uint4 y, uint4 z); 83 | static inline uint4 I(uint4 x, uint4 y, uint4 z); 84 | static inline uint4 rotate_left(uint4 x, int n); 85 | static inline void FF(uint4 &a, uint4 b, uint4 c, uint4 d, uint4 x, uint4 s, uint4 ac); 86 | static inline void GG(uint4 &a, uint4 b, uint4 c, uint4 d, uint4 x, uint4 s, uint4 ac); 87 | static inline void HH(uint4 &a, uint4 b, uint4 c, uint4 d, uint4 x, uint4 s, uint4 ac); 88 | static inline void II(uint4 &a, uint4 b, uint4 c, uint4 d, uint4 x, uint4 s, uint4 ac); 89 | }; 90 | 91 | std::string md5(const std::string str); 92 | 93 | #endif -------------------------------------------------------------------------------- /Code/porting.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include "Config.h" 6 | 7 | #ifdef __LP64__ 8 | #define S_ADDR_DIFF(start, end) (UINT32)((end)-(start)) 9 | #else 10 | #define S_ADDR_DIFF(start, end) ((end)-(start)) 11 | #endif 12 | 13 | #define ABS_ADDR_DIFF(addr1, addr2) (addr1 > addr2) ? (addr1)-(addr2) : (addr2)-(addr1); 14 | 15 | template 16 | V& map_at(std::map &map, K &k) { 17 | // TODO handle case map.find(k) == map.end() 18 | return map[k]; 19 | } 20 | 21 | template // thanks https://stackoverflow.com/a/947663 22 | std::string to_string(const T& t) 23 | { 24 | std::stringstream ss; 25 | ss << t; 26 | return ss.str(); 27 | } -------------------------------------------------------------------------------- /Code/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by PINdemonium.rc 4 | 5 | // Valori predefiniti successivi per i nuovi oggetti 6 | // 7 | #ifdef APSTUDIO_INVOKED 8 | #ifndef APSTUDIO_READONLY_SYMBOLS 9 | #define _APS_NEXT_RESOURCE_VALUE 101 10 | #define _APS_NEXT_COMMAND_VALUE 40001 11 | #define _APS_NEXT_CONTROL_VALUE 1001 12 | #define _APS_NEXT_SYMED_VALUE 101 13 | #endif 14 | #endif 15 | -------------------------------------------------------------------------------- /Code/tls.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include "TracerWriteFile.h" 4 | #include "TracerLibCalls.h" 5 | #include "TracerSysCalls.h" 6 | #include 7 | 8 | // TLS to be used in place of scCallbackArray[] from main.cpp 9 | #define USE_TLS_FOR_SYSCALLS 0 10 | 11 | extern TLS_KEY tls_key; // we put it in main.cpp 12 | 13 | //Padding for thread entry to avoid false sharing problem 14 | //-> 4 because size of function pointer is 4 15 | #if !USE_TLS_FOR_SYSCALLS 16 | #define PAD_SIZE 64-sizeof(vector*)-sizeof(buf_info_t*)-sizeof(syscall_tracer*)-2*sizeof(FILE*)-sizeof(uint)-4-sizeof(THREADID) 17 | #endif 18 | 19 | typedef struct { 20 | #if USE_TLS_FOR_SYSCALLS 21 | syscall_t sc; 22 | #endif 23 | 24 | //Tracer-related fields 25 | vector* shadowStack; // Shadow stack 26 | buf_info_t* buffer; // Buffer for writing to file 27 | syscall_tracer* syscallEntry; // Pointer to syscall entry for printing syscall info after execution 28 | uint call_number; // Counter used to differentiate calls during post-processing 29 | FILE* OutFile; // Output File 30 | void(*file_write)(THREADID, buf_info_t*, FILE*, const char*, ...); // Pointer to function for opening file/writing to file 31 | THREADID threadid; // Threadid 32 | 33 | FILE* threadLogFile; 34 | 35 | #if !USE_TLS_FOR_SYSCALLS 36 | //Padding 37 | UINT8 pad[PAD_SIZE]; 38 | #endif 39 | 40 | } bluepill_tls; -------------------------------------------------------------------------------- /Code/types.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | enum { 4 | /* [Arancino] - note that 2-5 were commented out */ 5 | VIRTUALFREE_INDEX = 0, 6 | CREATEPROCESS_INDEX, 7 | VIRTUALALLOC_INDEX, 8 | RTLALLOCATEHEAP_INDEX, 9 | ISDEBUGGERPRESENT_INDEX, 10 | RTLREALLOCATEHEAP_INDEX, 11 | /*SUPPLI*/ 12 | SLEEP_INDEX, 13 | REGQUERYVALUE_INDEX, 14 | REGOPENKEY_INDEX, 15 | GETFILEATTRIBUTES_INDEX, 16 | GETADAPTER_INDEX, 17 | CREATEFILE_INDEX, 18 | FINDWINDOW_INDEX, 19 | WGETNET_INDEX, 20 | NEXTPROC_INDEX, 21 | EXECQUERY_INDEX, 22 | GETTICKCOUNT_INDEX, 23 | SETTIMER_INDEX, 24 | WAITOBJ_INDEX, 25 | ICMPFILE_INDEX, 26 | ICMPECHO_INDEX, 27 | ZWQUERY_INDEX, 28 | SYSALLOC_INDEX, 29 | GETDISKSPACE_INDEX, 30 | GETFIRSTFILE_INDEX, 31 | TIMEASFILE_INDEX, 32 | POPEN_INDEX, 33 | LOADLIB_INDEX, 34 | VPROTECT_INDEX, 35 | DEVICEBASE_INDEX, 36 | WINNAME_INDEX, 37 | GETMODULE_INDEX, 38 | GETMODULEX_INDEX, 39 | LDRHND_INDEX, 40 | ENUMDIS_INDEX, 41 | SETUPDEV_INDEX, 42 | CLOSEH_INDEX, 43 | GETCUR_INDEX, 44 | //SCARD_INDEX, 45 | /********* index for registry report ***********/ 46 | REGOPEN_INDEX = 60, 47 | REGSET_INDEX, 48 | REGCLOSE_INDEX, 49 | REGCREATE_INDEX, 50 | /********* index for special logging hooks ***********/ 51 | NTDELAYEXEC_INDEX = 70, 52 | NTQUERYPERF_INDEX, 53 | /************* index for debug **************/ 54 | CMPSTR_INDEX = 100, 55 | RTLSTR_INDEX, 56 | WCSSTR_INDEX, 57 | WCSCMP_INDEX, 58 | STRSTR_INDEX, 59 | STRCMP_INDEX 60 | }; 61 | 62 | #define MAX_HOOK_FUNCTIONS_INDEX 128 // TODO 63 | -------------------------------------------------------------------------------- /ExpInfo/GenerateExpRanges.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | import sys 3 | 4 | # Dependencies: 5 | # - pefile 6 | # - IDA Pro 6.8 7 | # 8 | 9 | DLL_list = [ 10 | "kernel32.dll", 11 | "kernelbase.dll", 12 | ''' 13 | "user32.dll", 14 | "advapi32.dll", 15 | "bcrypt.dll", 16 | "crypt32.dll", 17 | "cryptbase.dll", 18 | "gdi32.dll", 19 | "ntdll.dll", 20 | "shell32.dll", 21 | ''' 22 | ] 23 | 24 | # Check Arguments to look for number of bits 25 | if (len(sys.argv) != 2): 26 | print("Usage is: python GenerateExpRanges.py <32/64>") 27 | exit() 28 | 29 | if(sys.argv[1]!="32" and sys.argv[1]!="64"): 30 | print("Usage is: python GenerateExpRanges.py <32/64>") 31 | exit() 32 | 33 | # Retrieve Number of bits 34 | bits = int(sys.argv[1]) 35 | 36 | if(bits == 32): 37 | Dlldir = "Program Files" 38 | ida = "idaw.exe" 39 | ext = ".idb" 40 | else: 41 | Dlldir = "Program Files (x86)" 42 | ida = "idaw64.exe" 43 | ext = ".i64" 44 | 45 | for DLL in DLL_list: 46 | # No difference between 32 and 64 bits as IDA, by default, loads the 32 bit version of a DLL even when running 47 | # in a 64 bit OS, as it's a 32 bit process. 48 | # TODO: Test in 64-bit OS 49 | 50 | subprocess.call(["C:\\"+Dlldir+"\\IDA 6.8\\"+ida, "-B", "-A", "C:\\Windows\\System32\\"+DLL, "-c", "-o"+DLL], shell=True) 51 | subprocess.call(["C:\\"+Dlldir+"\\IDA 6.8\\"+ida, "-A", "-SReadFuncts.py C:\\Windows\\System32\\"+DLL, (DLL.split(".")[0])+ext], shell=True) 52 | 53 | ''' 54 | else: 55 | # Copy Dll from System32, otherwise IDA loads the 32 bit version 56 | #subprocess.call(["xcopy", "/Y", "C:\\Windows\\System32\\"+DLL], shell=True) 57 | subprocess.call(["C:\\"+Dlldir+"\\IDA 6.8\\"+ida, "-B", "-A", DLL, "-c", "-o"+DLL], shell=True) 58 | subprocess.call(["C:\\"+Dlldir+"\\IDA 6.8\\"+ida, "-A", "-SReadFuncts.py "+DLL, (DLL.split(".")[0])+ext], shell=True) 59 | ''' -------------------------------------------------------------------------------- /Locals.props: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | C:\Pin35 6 | C:\WinDDK\7600.16385.1\ 7 | 8 | 9 | <_PropertySheetDisplayName>Locals 10 | 11 | 12 | 13 | 14 | $(PinFolder) 15 | 16 | 17 | $(WinDDK) 18 | 19 | 20 | --------------------------------------------------------------------------------