├── README.md ├── agafi-rop.png ├── agafi.png └── src ├── agafi-rop.cpp ├── agafi.cpp ├── disassembler.c ├── fsnap.c ├── gisnap ├── dumpinfo │ ├── dumpinfo.py │ └── readme.txt ├── ollydbg_plugin │ ├── readme.txt │ └── src │ │ ├── MemorySnapshot.cpp │ │ ├── MemorySnapshot.h │ │ ├── gisnap.cpp │ │ ├── gisnap.sln │ │ ├── gisnap.v11.suo │ │ ├── gisnap.vcproj │ │ ├── gisnap.vcxproj │ │ ├── ollydbg.lib │ │ ├── plugin.h │ │ └── snapshotformat.h ├── standalone │ └── src │ │ ├── LogWindow.cpp │ │ ├── LogWindow.h │ │ ├── MemorySnapshot.cpp │ │ ├── MemorySnapshot.h │ │ ├── ProcessList.cpp │ │ ├── ProcessList.h │ │ ├── gisnap.cpp │ │ ├── gisnap.h │ │ ├── gisnap.rc │ │ ├── resource.h │ │ ├── resource1.h │ │ ├── snapshotformat.h │ │ ├── stand-alone.rc │ │ ├── stand-alone.sln │ │ ├── stand-alone.suo │ │ ├── stand-alone.v11.suo │ │ ├── stand-alone.vcxproj │ │ ├── stand-alone.vcxproj.filters │ │ ├── stand-alone.vcxproj.user │ │ ├── stdafx.cpp │ │ └── stdafx.h └── windbg_ext │ ├── readme.txt │ └── src │ ├── dllmain.cpp │ ├── gisnap.cpp │ ├── gisnap.h │ ├── snapshotformat.h │ ├── stdafx.cpp │ ├── stdafx.h │ ├── targetver.h │ ├── windbg_ext.cpp │ ├── windbg_ext.def │ ├── windbg_ext.opensdf │ ├── windbg_ext.sln │ ├── windbg_ext.v11.suo │ ├── windbg_ext.vcxproj │ ├── windbg_ext.vcxproj.filters │ └── windbg_ext.vcxproj.user ├── list.cpp ├── make.bat └── qemu.c /README.md: -------------------------------------------------------------------------------- 1 | ##What is Agafi/ROP? 2 | 3 | Agafi/ROP is a Win32 command line tool chain useful to find gadgets and build ROP-Chains used by x86 binary exploits. 4 | 5 | ##What is Agafi? 6 | 7 | Agafi (Advanced Gadget Finder) is a x86 gadget-finder tool useful to find gadgets in programs, modules and running processes. 8 | 9 | The ROP search engine is based on 4 points: 10 | 1. Search by objective 11 | 2. An "executable/module/process/misc" snapshot 12 | 3. x86 code emulation (QEMU support) 13 | 4. Black box gadget analysis 14 | 15 | Implementing the ideas mentioned above, Agafi is able to find very complex gadgets in short time. 16 | 17 | Agafi in action ... 18 | 19 | ![Agafi in action ...](https://github.com/CoreSecurity/Agafi/blob/master/agafi.png) 20 | 21 | ##What is Agafi-rop? 22 | 23 | Agafi-ROP is a x86 ROP-Chainer tool oriented to build ROP chains for win32 programs, modules and running processes. 24 | 25 | Using Agafi as gadget-finder + Agafi-ROP as good and fast ROP-Chainer engine, this tool is able to build ROP-Chains to bypass DEP in binary exploits. 26 | 27 | Agafi-ROP re-building a ROP-Chain with "invalid chars" to "hxds.dll" v2.5.50727.198 ... 28 | 29 | ![Agafi in action ...](https://github.com/CoreSecurity/Agafi/blob/master/agafi-rop.png) 30 | 31 | ##Where can Agafi find gadgets? 32 | 33 | Mainly Win32 binary files although other x86 architectures are also supported as RAW snapshots. 34 | 35 | 36 | ##What APi uses Agafi-ROP to build ROP-Chains to bypass DEP? 37 | 38 | For now, only "kernel32.VirtualProtect" function is used. 39 | 40 | 41 | ##In which Windows versions does Agafi/ROP work? 42 | 43 | Starting from Windows XP SP2 up to the latest Windows version. 44 | 45 | 46 | ##Is it necessary to install Agafi/ROP to use? 47 | 48 | No instalation needed. 49 | 50 | 51 | ##Dependencies 52 | 53 | The only external dependency is the x86 disassembly lib (Distorm v3). 54 | Please, download this from (https://code.google.com/p/distorm/downloads/detail?name=distorm3-3-dlls.zip) and copy the 32 bit "distorm3.dll" library at the same Agafi path. 55 | 56 | 57 | ##Licensing 58 | 59 | Agafi/ROP is released under version 3 of the GNU General Public License. 60 | 61 | 62 | ##Contact 63 | 64 | If you have some suggestion or some bug to report, please contact to the authors. 65 | 66 | Agafi/Agafi-ROP (neconomou@coresecurity.com) 67 | Gisnap modules (djuarez@coresecurity.com) 68 | -------------------------------------------------------------------------------- /agafi-rop.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/helpsystems/Agafi/8007d3deaa01a23c03a9e904a3836719a412264e/agafi-rop.png -------------------------------------------------------------------------------- /agafi.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/helpsystems/Agafi/8007d3deaa01a23c03a9e904a3836719a412264e/agafi.png -------------------------------------------------------------------------------- /src/disassembler.c: -------------------------------------------------------------------------------- 1 | //////////////////////////////////////////////////////////////////////////////// 2 | 3 | /* disassembler,c ( DISTORM wrapper ) */ 4 | 5 | //////////////////////////////////////////////////////////////////////////////// 6 | 7 | /* Codigo usado por Distorm */ 8 | 9 | /* Para usar en VC */ 10 | #define uint64_t unsigned __int64 11 | 12 | /* Static size of strings. Do not change this value. Keep Python wrapper in sync. */ 13 | #define MAX_TEXT_SIZE (48) 14 | 15 | typedef struct 16 | { 17 | unsigned int length; 18 | unsigned char p [MAX_TEXT_SIZE]; /* p is a null terminated string. */ 19 | } _WString; 20 | 21 | /* 22 | * Old decoded instruction structure in text format. 23 | * Used only for backward compatibility with diStorm64. 24 | * This structure holds all information the disassembler generates per instruction. 25 | */ 26 | 27 | typedef struct 28 | { 29 | _WString mnemonic; /* Mnemonic of decoded instruction, prefixed if required by REP, LOCK etc. */ 30 | _WString operands; /* Operands of the decoded instruction, up to 3 operands, comma-seperated. */ 31 | _WString instructionHex; /* Hex dump - little endian, including prefixes. */ 32 | unsigned int size; /* Size of decoded instruction. */ 33 | // _OffsetType offset; /* Start offset of the decoded instruction. */ 34 | unsigned int offset; /* Start offset of the decoded instruction. */ 35 | } _DecodedInst; 36 | 37 | /* Decodes modes of the disassembler, 16 bits or 32 bits or 64 bits for AMD64, x86-64. */ 38 | typedef enum { Decode16Bits = 0, Decode32Bits = 1, Decode64Bits = 2 } _DecodeType; 39 | 40 | /* Return code of the decoding function. */ 41 | typedef enum { DECRES_NONE, DECRES_SUCCESS, DECRES_MEMORYERR, DECRES_INPUTERR, DECRES_FILTERED } _DecodeResult; 42 | 43 | /* Nombre de la DLL */ 44 | char *disasm_lib = "distorm3.dll"; 45 | 46 | //////////////////////////////////////////////////////////////////////////////// 47 | 48 | char *disassembly ( void *address , unsigned char *bytecodes , unsigned int *instruction_size ) 49 | { 50 | static int ( *distorm_decode32 ) ( void * , unsigned char * , unsigned int , unsigned int , void * , unsigned int , unsigned int * ) = NULL; 51 | static int ( *distorm_decode64 ) ( uint64_t , unsigned char * , unsigned int , unsigned int , void * , unsigned int , unsigned int * ) = NULL; 52 | static char instruction [ 256 ]; 53 | static HMODULE lib; 54 | char *p; 55 | _DecodedInst decodedInstructions [ 256 ]; 56 | unsigned int counter; 57 | int ret; 58 | 59 | /* Si es la primera vez */ 60 | if ( ( distorm_decode32 == NULL ) && ( distorm_decode64 == NULL ) ) 61 | { 62 | /* Resuelvo la direccion de la lib */ 63 | lib = LoadLibrary ( disasm_lib ); 64 | // printf ( "lib = %x\n" , lib ); 65 | 66 | /* Resuelvo la direccion de la funcion */ 67 | distorm_decode32 = ( int ( * ) ( void * , unsigned char * , unsigned int , unsigned int , void * , unsigned int , unsigned int * ) ) GetProcAddress ( lib , "distorm_decode32" ); 68 | distorm_decode64 = ( int ( * ) ( uint64_t , unsigned char * , unsigned int , unsigned int , void * , unsigned int , unsigned int * ) ) GetProcAddress ( lib , "distorm_decode64" ); 69 | // printf ( "%x\n" , distorm_decode32 ); 70 | } 71 | 72 | // asm int 3 73 | 74 | /* Si tengo la DLL que exporta la funcion de 32 bits */ 75 | if ( distorm_decode32 != NULL ) 76 | { 77 | /* Desensamblo la instruccion */ 78 | ret = distorm_decode32 ( address , bytecodes , 16 , Decode32Bits , &decodedInstructions , 16 , &counter ); 79 | } 80 | /* Si tengo la DLL que exporta la funcion de 64 bits */ 81 | else 82 | { 83 | /* Desensamblo la instruccion */ 84 | ret = distorm_decode64 ( ( uint64_t ) address , bytecodes , 16 , Decode32Bits , &decodedInstructions , 16 , &counter ); 85 | } 86 | 87 | // printf ( "ret = %i\n" , ret ); 88 | // printf ( "counter = %i\n" , counter ); 89 | // printf ( "size = %i\n" , decodedInstructions[0].size ); 90 | // printf ( "%s %s\n" , decodedInstructions[0].mnemonic.p , decodedInstructions[0].operands.p ); 91 | 92 | /* Si pude traducir la instruccion */ 93 | if ( decodedInstructions[0].size > 0 ) 94 | { 95 | /* Si la instruccion NO tiene operandos */ 96 | if ( decodedInstructions[0].operands.p [0] == '\x00' ) 97 | { 98 | /* Armo la instruccion a retornar */ 99 | strcpy ( ( char * ) instruction , ( char * ) decodedInstructions[0].mnemonic.p ); 100 | } 101 | /* Si la instruccion tiene operandos */ 102 | else 103 | { 104 | /* Armo la instruccion a retornar */ 105 | sprintf ( instruction , "%s %s" , decodedInstructions[0].mnemonic.p , decodedInstructions[0].operands.p ); 106 | 107 | /* Busco si la instruccion tiene un ", " */ 108 | p = strstr ( instruction , ", " ); 109 | 110 | /* Si encontre ese ESPACIO DEMAS */ 111 | if ( p != NULL ) 112 | { 113 | /* Suprimo el espacio */ 114 | strcpy ( p + 1 , p + 2 ); 115 | } 116 | } 117 | 118 | /* Apunto a la instruccion */ 119 | p = instruction; 120 | 121 | /* Convierto el string a MINUSCULAS */ 122 | while ( *p != 0 ) 123 | { 124 | /* Convierto el caracter a minuscula */ 125 | *p = tolower ( *p ); 126 | 127 | /* Avanzo en el string */ 128 | p ++; 129 | } 130 | } 131 | else 132 | { 133 | /* No pude traducir la instruccion */ 134 | strcpy ( instruction , "???" ); 135 | } 136 | 137 | /* Bytes usados por la instruccion */ 138 | *instruction_size = decodedInstructions[0].size; 139 | 140 | return ( instruction ); 141 | } 142 | 143 | //////////////////////////////////////////////////////////////////////////////// 144 | -------------------------------------------------------------------------------- /src/fsnap.c: -------------------------------------------------------------------------------- 1 | //////////////////////////////////////////////////////////////////////////////// 2 | 3 | /* fsnap.c ( Snapshoter ) */ 4 | 5 | // Compilation line 6 | // cl.exe fsnap.c /link -SUBSYSTEM:CONSOLE -DYNAMICBASE:NO -BASE:0x08000000 -FIXED 7 | 8 | //////////////////////////////////////////////////////////////////////////////// 9 | 10 | #include 11 | #include 12 | 13 | //////////////////////////////////////////////////////////////////////////////// 14 | 15 | #pragma pack(1) 16 | 17 | #ifdef _MSC_VER 18 | #define snprintf _snprintf 19 | #endif 20 | 21 | //////////////////////////////////////////////////////////////////////////////// 22 | 23 | #define uint64_t unsigned __int64 24 | 25 | #define READABLE 1 26 | #define WRITABLE 2 27 | #define EXECUTABLE 4 28 | 29 | #define FALSE 0 30 | #define TRUE 1 31 | 32 | #define DONT_RESOLVE_DLL_REFERENCE 0x01 33 | #define FILE_MAP_EXECUTE 0x20 34 | 35 | //////////////////////////////////////////////////////////////////////////////// 36 | 37 | typedef struct 38 | { 39 | unsigned int sig; // signature: "snap" or 0x70616E73 in little endian 40 | unsigned int version; // if version == 1: use DUMPBLOCKV10 / version == 2 uses DUMPBLOCKV20 and so on. 41 | unsigned int flags; // 42 | unsigned int blockcount; 43 | } SNAPSHOT_HEADER; 44 | 45 | typedef struct 46 | { 47 | uint64_t BaseAddress; 48 | uint64_t RegionSize; 49 | unsigned int Protect; // see memory protection constants 50 | } DUMPBLOCKV10; 51 | 52 | typedef struct 53 | { 54 | uint64_t BaseAddress; 55 | uint64_t RegionSize; 56 | unsigned int Protect; // see memory protection constants 57 | char name [256]; 58 | } DUMPBLOCKV20; 59 | 60 | //////////////////////////////////////////////////////////////////////////////// 61 | 62 | unsigned int get_file_len ( FILE *f ) 63 | { 64 | unsigned int filelen; 65 | 66 | /* Me posiciono al final del file */ 67 | fseek ( f , 0 , SEEK_END ); 68 | 69 | /* Obtengo la longitud del file */ 70 | filelen = ftell ( f ); 71 | 72 | /* Me vuelvo a posicionar al principio del file */ 73 | fseek ( f , 0 , SEEK_SET ); 74 | 75 | return ( filelen ); 76 | } 77 | 78 | //////////////////////////////////////////////////////////////////////////////// 79 | 80 | int is_filename_ok ( char *filename ) 81 | { 82 | FILE *f; 83 | int ret = FALSE; 84 | 85 | /* Abro el file */ 86 | f = fopen ( filename , "rb" ); 87 | 88 | /* Si el file pudo ser ABIERTO */ 89 | if ( f != NULL ) 90 | { 91 | /* Cierro el file */ 92 | fclose ( f ); 93 | 94 | /* Retorno OK */ 95 | ret = TRUE; 96 | } 97 | 98 | return ( ret ); 99 | } 100 | 101 | //////////////////////////////////////////////////////////////////////////////// 102 | 103 | void get_module_name ( char *fullname , char *name ) 104 | { 105 | char *s; 106 | 107 | /* Busco la ULTIMA BARRA */ 108 | s = strrchr ( fullname , '\\' ); 109 | 110 | /* Si pudo encontrarla */ 111 | if ( s != NULL ) 112 | { 113 | /* Avanzo al SIGUIENTE CARACTER */ 114 | s ++; 115 | } 116 | /* Si NO pudo encontrarla */ 117 | else 118 | { 119 | /* Uso el FULLNAME directamente */ 120 | s = fullname; 121 | } 122 | 123 | /* Retorno el NOMBRE del MODULO */ 124 | strncpy ( name , s , 255 ); 125 | } 126 | 127 | //////////////////////////////////////////////////////////////////////////////// 128 | 129 | int is_windows_module ( char *filename ) 130 | { 131 | char data [ 2 ]; 132 | int ret = FALSE; 133 | FILE *f; 134 | 135 | /* Abro el file */ 136 | f = fopen ( filename , "rb" ); 137 | 138 | /* Si el file pudo ser ABIERTO */ 139 | if ( f != NULL ) 140 | { 141 | /* Leo los primeros 2 bytes */ 142 | fread ( data , 1 , 2 , f ); 143 | 144 | /* Si es un "MZ" */ 145 | if ( memcmp ( data , "MZ" , 2 ) == 0 ) 146 | { 147 | /* Retorno OK */ 148 | ret = TRUE; 149 | } 150 | 151 | /* Cierro el file */ 152 | fclose ( f ); 153 | } 154 | 155 | return ( ret ); 156 | } 157 | 158 | //////////////////////////////////////////////////////////////////////////////// 159 | 160 | void *get_module_base ( char *filename ) 161 | { 162 | IMAGE_NT_HEADERS pe; 163 | unsigned int pe_offset; 164 | void *base = NULL; 165 | FILE *f; 166 | 167 | /* Si el modulo VALID */ 168 | if ( is_windows_module ( filename ) == TRUE ) 169 | { 170 | /* Abro el file */ 171 | f = fopen ( filename , "rb" ); 172 | 173 | /* Me posiciono al PRINCIPIO del PE */ 174 | fseek ( f , 0x3c , SEEK_SET ); 175 | 176 | /* Obtengo el puntero al PE */ 177 | fread ( &pe_offset , 1 , sizeof ( pe_offset ) , f ); 178 | 179 | /* Me posiciono al PRINCIPIO del HEADER del PE */ 180 | fseek ( f , pe_offset , SEEK_SET ); 181 | 182 | /* Obtengo el HEADER del PE */ 183 | fread ( &pe , 1 , sizeof ( IMAGE_NT_HEADERS ) , f ); 184 | 185 | /* Obtengo la BASE del modulo */ 186 | base = ( void * ) pe.OptionalHeader.ImageBase; 187 | // printf ( "BASE en %x\n" , base ); 188 | 189 | /* Cierro el file */ 190 | fclose ( f ); 191 | } 192 | 193 | return ( base ); 194 | } 195 | 196 | //////////////////////////////////////////////////////////////////////////////// 197 | 198 | int is_loadable_module ( char *filename , int force_base , void **base_address ) 199 | { 200 | HANDLE fmapping; 201 | HANDLE module; 202 | void *real_module_base; 203 | void *my_base_address; 204 | int ret = FALSE; 205 | 206 | /* Abro el file */ 207 | module = CreateFile ( filename , GENERIC_READ | GENERIC_EXECUTE , FILE_SHARE_READ , NULL , OPEN_EXISTING , NULL , NULL ); 208 | // printf ( "module = %x\n" , module ); 209 | 210 | /* Si el file pudo ser ABIERTO */ 211 | if ( module != NULL ) 212 | { 213 | /* Intento cargar el modulo */ 214 | fmapping = CreateFileMapping ( module , NULL , PAGE_EXECUTE_READ | SEC_IMAGE , NULL , NULL , "mapped" ); 215 | // printf ( "fmapping = %x\n" , fmapping ); 216 | 217 | /* Si el modulo pudo ser cargado */ 218 | if ( fmapping != NULL ) 219 | { 220 | /* Si Tengo que CARGARLO en la BASE */ 221 | if ( force_base == TRUE ) 222 | { 223 | /* Obtengo la BASE del MODULO */ 224 | real_module_base = get_module_base ( filename ); 225 | } 226 | /* Si NO IMPORTA donde lo carga */ 227 | else 228 | { 229 | /* Dejo que el OS lo cargue donde puede */ 230 | real_module_base = NULL; 231 | } 232 | 233 | /* Intento cargar el modulo */ 234 | my_base_address = MapViewOfFileEx ( fmapping , FILE_MAP_EXECUTE , 0 , 0 , 0 , real_module_base ); 235 | // printf ( "ERROR: %i\n" , GetLastError () ); 236 | // printf ( "my_base_address = %x\n" , my_base_address ); 237 | 238 | /* Si el modulo pudo ser cargado */ 239 | if ( my_base_address != NULL ) 240 | { 241 | /* Retorno la BASE del MODULO */ 242 | *base_address = my_base_address; 243 | 244 | /* Retorno OK */ 245 | ret = TRUE; 246 | } 247 | } 248 | /* Si el FILE NO PUDO ser MAPEADO */ 249 | else 250 | { 251 | /* Si NO IMPORTA donde SE CARGA */ 252 | if ( force_base == FALSE ) 253 | { 254 | /* Si es un modulo VALIDO */ 255 | if ( is_windows_module ( filename ) == TRUE ) 256 | { 257 | /* Cargo el modulo DONDE PUEDO ( solo valido para OSs arcaicos ) */ 258 | module = LoadLibraryEx ( filename , NULL , DONT_RESOLVE_DLL_REFERENCE ); 259 | 260 | /* Si el MODULO pudo ser CARGADO */ 261 | if ( module != NULL ) 262 | { 263 | /* Retorno la BASE del MODULO */ 264 | *base_address = ( void * ) module; 265 | 266 | /* Retorno OK */ 267 | ret = TRUE; 268 | } 269 | } 270 | } 271 | } 272 | } 273 | 274 | return ( ret ); 275 | } 276 | 277 | //////////////////////////////////////////////////////////////////////////////// 278 | 279 | unsigned int get_module_size ( void *base_address ) 280 | { 281 | unsigned int module_size = 0; 282 | 283 | /* Recorro la memoria del modulo saltando de a 4kb */ 284 | while ( IsBadReadPtr ( ( void * ) ( ( unsigned int ) base_address + module_size ) , 1 ) == FALSE ) 285 | { 286 | /* Avanzo a la proxima pagina */ 287 | module_size += 0x1000; 288 | } 289 | 290 | return ( module_size ); 291 | } 292 | 293 | //////////////////////////////////////////////////////////////////////////////// 294 | 295 | unsigned int get_sections_number ( unsigned int module_base , unsigned int module_limit ) 296 | { 297 | MEMORY_BASIC_INFORMATION informacion; 298 | unsigned int sections = 0; 299 | unsigned int pos = 0; 300 | 301 | /* Mientras este dentro del modulo */ 302 | while ( module_base + pos < module_limit ) 303 | { 304 | /* Levanto la siguiente seccion */ 305 | VirtualQueryEx ( GetCurrentProcess () , ( void * ) ( module_base + pos ) , &informacion , sizeof ( MEMORY_BASIC_INFORMATION ) ); 306 | 307 | /* Avanzo a la siguiente seccion de memoria */ 308 | module_base = module_base + informacion.RegionSize; 309 | 310 | /* Incremento la cantidad de secciones */ 311 | sections ++; 312 | } 313 | 314 | return ( sections ); 315 | } 316 | 317 | //////////////////////////////////////////////////////////////////////////////// 318 | 319 | void dump_sections ( FILE *f , char *module_name , unsigned int module_base , unsigned int module_limit ) 320 | { 321 | MEMORY_BASIC_INFORMATION informacion; 322 | DUMPBLOCKV20 block; 323 | unsigned int pos = 0; 324 | int protection; 325 | 326 | /* Mientras este dentro del modulo */ 327 | while ( module_base + pos < module_limit ) 328 | { 329 | /* Levanto la siguiente seccion */ 330 | VirtualQueryEx ( GetCurrentProcess () , ( void * ) ( module_base + pos ) , &informacion , sizeof ( MEMORY_BASIC_INFORMATION ) ); 331 | 332 | /* Por default pongo que la seccion es LEIBLE y ESCRIBIBLE */ 333 | protection = READABLE | WRITABLE; 334 | 335 | /* Si la seccion es EJECUTABLE */ 336 | if ( ( informacion.Protect == PAGE_EXECUTE ) || ( informacion.Protect == PAGE_EXECUTE_READ ) || ( informacion.Protect == PAGE_EXECUTE_READWRITE ) || ( informacion.Protect == PAGE_EXECUTE_WRITECOPY ) ) 337 | { 338 | /* Agrego el permiso de EJECUCION */ 339 | protection = protection | EXECUTABLE; 340 | 341 | // printf ( "ejecucion en %x - %x\n" , module_base + pos , module_base + pos + informacion.RegionSize ); 342 | } 343 | 344 | /* Seteo OTRA SECCION del SNAPSHOT */ 345 | block.BaseAddress = module_base + pos; 346 | block.RegionSize = informacion.RegionSize; 347 | block.Protect = protection; 348 | strncpy ( block.name , module_name , sizeof ( block.name ) - 1 ); 349 | fwrite ( &block , sizeof ( block ) , 1 , f ); 350 | 351 | /* Dumpeo la data */ 352 | fwrite ( ( void * ) block.BaseAddress , block.RegionSize , 1 , f ); 353 | 354 | /* Avanzo a la siguiente seccion de memoria */ 355 | pos += informacion.RegionSize; 356 | } 357 | } 358 | 359 | //////////////////////////////////////////////////////////////////////////////// 360 | 361 | void create_snapshot ( char *file_to_dump , void *module_base , char *snapshot ) 362 | { 363 | SNAPSHOT_HEADER header; 364 | unsigned int sections; 365 | unsigned int filelen; 366 | char module_name [ 256 ]; 367 | FILE *f; 368 | 369 | /* Creo el OUTPUT FILE */ 370 | f = fopen ( snapshot , "wb" ); 371 | 372 | /* Si el file NO pudo ser creado */ 373 | if ( f == NULL ) 374 | { 375 | printf ( "Error: Invalid output_file\n" ); 376 | exit ( 0 ); 377 | } 378 | 379 | /* Obtengo el SIZE del MODULO en MEMORIA */ 380 | filelen = get_module_size ( ( void * ) module_base ); 381 | // printf ( "filelen = %x\n" , filelen ); 382 | 383 | /* Obtengo el numero de secciones del file */ 384 | sections = get_sections_number ( ( unsigned int ) module_base , ( unsigned int ) module_base + filelen ); 385 | printf ( "sections_number = %i\n" , sections ); 386 | 387 | /* Seteo el header del file */ 388 | header.sig = 0x70616E73; 389 | header.version = 2; 390 | header.flags = 0x00000000; 391 | header.blockcount = sections; 392 | fwrite ( &header , sizeof ( header ) , 1 , f ); 393 | 394 | /* Obtengo el nombre LIMPIO del modulo */ 395 | get_module_name ( file_to_dump , module_name ); 396 | // printf ( "name: %s con size = %i\n" , module_name , strlen ( module_name ) ); 397 | 398 | /* Dumpeo TODAS las secciones en el file */ 399 | dump_sections ( f , module_name , ( unsigned int ) module_base , ( unsigned int ) module_base + filelen ); 400 | 401 | /* Mensaje al usuario */ 402 | printf ( "[x] Setting image base at: %.8x\n" , module_base ); 403 | 404 | /* Cierro el file */ 405 | fclose ( f ); 406 | } 407 | 408 | //////////////////////////////////////////////////////////////////////////////// 409 | 410 | int get_valid_loading ( char *module , char *snapshot ) 411 | { 412 | char cmdline [ 1024 ]; 413 | unsigned int cont; 414 | int ret = FALSE; 415 | int res; 416 | 417 | /* Armo la linea a EJECUTAR */ 418 | snprintf ( cmdline , sizeof ( cmdline ) , "fsnap %s %s -force_base" , module , snapshot ); 419 | 420 | /* Hago 10 intentos */ 421 | for ( cont = 0 ; cont < 10 ; cont ++ ) 422 | { 423 | /* Cargo el MODULO en OTRO PROCESO */ 424 | res = system ( cmdline ); 425 | 426 | /* Si el SNAPSHOT pudo ser TOMADO de la BASE REAL del MODULO */ 427 | if ( res == 1 ) 428 | { 429 | /* Retorno OK */ 430 | ret = TRUE; 431 | 432 | /* Dejo de PROBAR */ 433 | break; 434 | } 435 | } 436 | 437 | return ( ret ); 438 | } 439 | 440 | //////////////////////////////////////////////////////////////////////////////// 441 | 442 | int main ( int argc , char *argv [] ) 443 | { 444 | SNAPSHOT_HEADER header; 445 | DUMPBLOCKV10 block; 446 | unsigned int filelen = 0; 447 | unsigned int sections; 448 | void *module_base = 0x10000000; 449 | void *data; 450 | FILE *f1; 451 | FILE *f2; 452 | 453 | /* Chequeo los paramentros */ 454 | if ( ( argc != 3 ) && ( argc != 4 ) ) 455 | { 456 | printf ( "\nfsnap v1.1\n" ); 457 | printf ( "Created by Nicolas A. Economou\n" ); 458 | printf ( "Core Security Technologies, Buenos Aires, Argentina (2015)\n" ); 459 | printf ( "\nUse: fsnap input_file output_file [-force_base]\n" ); 460 | return ( 0 ); 461 | } 462 | 463 | /* Si quiero que CARGUE el MODULO en la BASE ORIGINAL */ 464 | if ( argc == 4 ) 465 | { 466 | /* Si NO es el comando CORRECTO */ 467 | if ( strcmp ( argv [ 3 ] , "-force_base" ) != 0 ) 468 | { 469 | printf ( "\nUse: fsnap input_file output_file [-force_base]\n" ); 470 | return ( 0 ); 471 | } 472 | } 473 | 474 | /* Si el FILE existe */ 475 | if ( is_filename_ok ( argv [ 1 ] ) == TRUE ) 476 | { 477 | /* Si es la PRIMERA CORRIDA */ 478 | if ( argc == 3 ) 479 | { 480 | /* Si pude cargar el MODULO en MEMORIA */ 481 | if ( is_loadable_module ( argv [ 1 ] , FALSE , &module_base ) == TRUE ) 482 | { 483 | /* Si la BASE es DISTINTA de donde ESTA CARGADO */ 484 | if ( get_module_base ( argv [ 1 ] ) != ( void * ) module_base ) 485 | { 486 | /* Si PUDE CARGAR el MODULO en la BASE */ 487 | if ( get_valid_loading ( argv [ 1 ] , argv [ 2 ] ) == TRUE ) 488 | { 489 | /* Salgo OK */ 490 | return ( 1 ); 491 | } 492 | } 493 | 494 | /* Creo un SNAPSHOT del MODULO */ 495 | create_snapshot ( argv [ 1 ] , module_base , argv [ 2 ] ); 496 | } 497 | /* Si el file NO ES LOADABLE ( puede ser un file de otro OS, un shellcode, etc ) */ 498 | else 499 | { 500 | /* Creo el OUTPUT FILE */ 501 | f2 = fopen ( argv [ 2 ] , "wb" ); 502 | 503 | /* Si el file NO pudo ser creado */ 504 | if ( f2 == NULL ) 505 | { 506 | printf ( "Error: Invalid output_file\n" ); 507 | return ( 0 ); 508 | } 509 | 510 | /* Abro el file */ 511 | f1 = fopen ( argv [ 1 ] , "rb" ); 512 | 513 | /* Obtengo el size del file */ 514 | filelen = get_file_len ( f1 ); 515 | 516 | /* Seteo el header del file */ 517 | header.sig = 0x70616E73; 518 | header.version = 1; 519 | header.flags = 0x80000000; // Fake memory dump 520 | header.blockcount = 1; 521 | fwrite ( &header , sizeof ( header ) , 1 , f2 ); 522 | 523 | /* Seteo la UNICA SECCION del SNAPSHOT */ 524 | block.BaseAddress = 0x10000000; 525 | block.RegionSize = filelen; 526 | block.Protect = READABLE | WRITABLE | EXECUTABLE; 527 | fwrite ( &block , sizeof ( block ) , 1 , f2 ); 528 | 529 | /* Dumpeo la data */ 530 | data = malloc ( filelen ); 531 | fread ( data , filelen , 1 , f1 ); 532 | fwrite ( data , filelen , 1 , f2 ); 533 | 534 | /* Mensaje al usuario */ 535 | printf ( "[x] Setting ARBITRARY image base at: %.8x\n" , block.BaseAddress ); 536 | 537 | /* Cierro el file */ 538 | fclose ( f1 ); 539 | 540 | /* Cierro el file */ 541 | fclose ( f2 ); 542 | } 543 | } 544 | /* Si es una CORRIDA AUXILIAR (para intentar MAPEAR en la BASE) */ 545 | else 546 | { 547 | /* Si pude cargar el MODULO en MEMORIA */ 548 | if ( is_loadable_module ( argv [ 1 ] , TRUE , &module_base ) == TRUE ) 549 | { 550 | /* Creo un SNAPSHOT del MODULO */ 551 | create_snapshot ( argv [ 1 ] , module_base , argv [ 2 ] ); 552 | 553 | /* Retorno OK */ 554 | return ( 1 ); 555 | } 556 | /* Si NO se PUDO MAPEAR en la BASE */ 557 | else 558 | { 559 | /* Salgo con ERROR */ 560 | return ( 0 ); 561 | } 562 | } 563 | } 564 | /* Si hubo algun ERROR */ 565 | else 566 | { 567 | printf ( "Error: Invalid input_file\n" ); 568 | return ( 0 ); 569 | } 570 | 571 | return ( 1 ); 572 | } 573 | 574 | //////////////////////////////////////////////////////////////////////////////// 575 | -------------------------------------------------------------------------------- /src/gisnap/dumpinfo/dumpinfo.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | import struct 4 | 5 | M_READ = 0x01 6 | M_WRITE = 0x02 7 | M_EXEC = 0x04 8 | 9 | M_ASLR = 0x08 10 | M_DEP = 0x10 11 | 12 | 13 | #OS flags 14 | OS_WINDOWS = 0x0100 15 | OS_LINUX = 0x0200 16 | OS_MACOS = 0x0400 17 | OS_ANDROID = 0x0800 18 | OS_IOS = 0x1000 19 | 20 | # Arch. flags 21 | ARCH_X86 = 0x10000 22 | ARCH_X64 = 0x20000 23 | ARCH_ARM = 0x40000 24 | ARCH_PPC = 0x80000 25 | 26 | class Reader: 27 | def ReadH(self): 28 | val = struct.unpack(" 3 | #include "plugin.h" 4 | #include "memorysnapshot.h" 5 | 6 | 7 | MemorySnapshot::MemorySnapshot() 8 | { 9 | hprocess = 0; 10 | } 11 | 12 | MemorySnapshot::~MemorySnapshot() 13 | { 14 | hprocess = 0; 15 | } 16 | 17 | uint32_t MemorySnapshot::__getArch() 18 | { 19 | SYSTEM_INFO sysinfo = {0}; 20 | uint32_t res = 0; 21 | 22 | GetSystemInfo(&sysinfo); 23 | 24 | switch(sysinfo.wProcessorArchitecture) { 25 | case PROCESSOR_ARCHITECTURE_AMD64: 26 | res = ARCH_X64; 27 | break; 28 | 29 | case PROCESSOR_ARCHITECTURE_INTEL: 30 | res = ARCH_X86; 31 | break; 32 | 33 | case PROCESSOR_ARCHITECTURE_ARM: 34 | res = ARCH_ARM; 35 | break; 36 | 37 | } 38 | return res; 39 | } 40 | 41 | 42 | void MemorySnapshot::__getName(MEM_BLOCK *tmpblock, char *name) 43 | { 44 | t_module *module = Findmodule(tmpblock->BaseAddress); 45 | if(!module) { 46 | memset(name, 0, 255); 47 | return; 48 | } 49 | 50 | wchar_t fullpath[1024]; 51 | memset(fullpath, 0, sizeof(fullpath)); 52 | 53 | LPWSTR filepart; 54 | if(module) { 55 | if(lstrlen(module->path)) { 56 | GetFullPathName(module->path, 1024, fullpath, &filepart); 57 | wcstombs(name, filepart, 255); 58 | } 59 | } 60 | } 61 | 62 | // sets memory region flags corresponding to ASLR and/or DEP dllCharacteristics 63 | void MemorySnapshot::__setASLRDEP(MEM_BLOCK *tmpblock) 64 | { 65 | 66 | t_module *module = Findmodule(tmpblock->BaseAddress); 67 | if(!module) 68 | return; 69 | 70 | DWORD modbase = module->base; 71 | 72 | IMAGE_DOS_HEADER hdr_mz; 73 | 74 | ReadProcessMemory(hprocess, (LPCVOID)(modbase), &hdr_mz, sizeof(IMAGE_DOS_HEADER), NULL); 75 | if(hdr_mz.e_magic == IMAGE_DOS_SIGNATURE) { 76 | IMAGE_NT_HEADERS hdr_nt; 77 | ReadProcessMemory(hprocess, (LPCVOID)(modbase+hdr_mz.e_lfanew), &hdr_nt, sizeof(IMAGE_NT_HEADERS), NULL); 78 | if(hdr_nt.Signature == IMAGE_NT_SIGNATURE) { 79 | IMAGE_FILE_HEADER hdr_file; 80 | memcpy(&hdr_file, &hdr_nt.FileHeader, sizeof(IMAGE_FILE_HEADER)); 81 | 82 | IMAGE_OPTIONAL_HEADER hdr_optional; 83 | memcpy(&hdr_optional, &hdr_nt.OptionalHeader, sizeof(IMAGE_OPTIONAL_HEADER)); 84 | if((hdr_optional.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) || (hdr_optional.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)) { 85 | if(hdr_optional.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) { 86 | tmpblock->Protect |= M_ASLR; 87 | } 88 | 89 | if(hdr_optional.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) { 90 | tmpblock->Protect |= M_DEP; 91 | } 92 | } 93 | } 94 | } 95 | } 96 | 97 | uint32_t MemorySnapshot::__translateProtFlags(uint32_t prot) 98 | { 99 | uint32_t flags=0; 100 | switch(prot & 0xFF) 101 | { 102 | case PAGE_EXECUTE: 103 | flags = M_EXEC; 104 | break; 105 | case PAGE_EXECUTE_READ: 106 | flags = M_EXEC | M_READ; 107 | break; 108 | case PAGE_EXECUTE_READWRITE: 109 | flags = M_EXEC | M_READ | M_WRITE; 110 | break; 111 | case PAGE_EXECUTE_WRITECOPY: 112 | flags = M_EXEC | M_READ | M_WRITE; 113 | break; 114 | case PAGE_READONLY: 115 | flags = M_READ; 116 | break; 117 | case PAGE_READWRITE: 118 | flags = M_READ | M_WRITE; 119 | break; 120 | case PAGE_WRITECOPY: 121 | flags = M_WRITE; 122 | break; 123 | } 124 | return flags; 125 | } 126 | 127 | bool MemorySnapshot::Dump(HANDLE hprocess, char *filename) 128 | { 129 | // open process 130 | // hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); 131 | MemorySnapshot::hprocess = hprocess; 132 | BOOL bIs64 = (__getArch() == ARCH_X64) ; 133 | 134 | // fill a vector with valid memory blocks 135 | MEM_BLOCK tmpblock = {0}; 136 | memset(&tmpblock.name, 0, 256); 137 | MEMORY_BASIC_INFORMATION info = {0}; 138 | uint64_t addr=0; 139 | while(VirtualQueryEx((HANDLE)hprocess, (LPVOID)addr, &info, sizeof(info))) { 140 | if((info.State == MEM_COMMIT) || (info.Type == MEM_MAPPED) || (info.Type == MEM_IMAGE)) { 141 | if(bIs64) { 142 | tmpblock.BaseAddress = (uint64_t)info.BaseAddress; 143 | tmpblock.RegionSize = info.RegionSize; 144 | } else { 145 | tmpblock.BaseAddress = (DWORD)info.BaseAddress; //cast takes care of idiotic sign extension on pointers 146 | tmpblock.RegionSize = (DWORD)info.RegionSize; 147 | } 148 | tmpblock.Protect = __translateProtFlags(info.Protect); 149 | __getName(&tmpblock, (char *)&tmpblock.name); 150 | 151 | // if region is part of an executable image we set ASLR and DEP flags accordingly 152 | if(info.Type == MEM_IMAGE) { 153 | __setASLRDEP(&tmpblock); 154 | } 155 | 156 | memblocks.push_back(tmpblock); 157 | } 158 | addr += info.RegionSize; 159 | } 160 | 161 | // write 162 | // create dumpfile 163 | FILE *dumpfile = fopen(filename, "wb" ); 164 | if(!dumpfile) { 165 | return false; 166 | } 167 | 168 | SNAPSHOTFILE snphdr = {0}; 169 | snphdr.sig = 0x70616E73; 170 | snphdr.version = 0x00000002; 171 | snphdr.flags = __getArch() | OS_WINDOWS; 172 | 173 | snphdr.blockcount = (uint32_t)memblocks.size(); 174 | 175 | // write header SNAPSHOTFILE 176 | fwrite ( &snphdr, sizeof(SNAPSHOTFILE) , 1 , dumpfile); 177 | 178 | unsigned int blkcnt=0; 179 | 180 | // SetProgressBar(0); 181 | 182 | for (std::vector::iterator block = memblocks.begin(); block != memblocks.end(); ++block, ++blkcnt) 183 | { 184 | 185 | MEM_BLOCK tmpblock = {0}; 186 | 187 | tmpblock.RegionSize = block->RegionSize; 188 | tmpblock.BaseAddress = block->BaseAddress; 189 | tmpblock.Protect = block->Protect; 190 | strncpy((char *)&tmpblock.name, (char *)&block->name, 255); 191 | 192 | // write MEM_BLOCK 193 | fwrite ( &tmpblock, sizeof(MEM_BLOCK) , 1 , dumpfile); 194 | // write data 195 | uint8_t *buffer = new uint8_t [(unsigned int)block->RegionSize]; 196 | Readmemory(buffer, block->BaseAddress, block->RegionSize, MM_SILENT); 197 | // ReadProcessMemory(hprocess, (LPCVOID)block->BaseAddress, buffer, (ULONG)block->RegionSize, NULL); 198 | fwrite ( buffer , (size_t)block->RegionSize, 1 , dumpfile); 199 | delete buffer; 200 | // SetProgressBar(blkcnt*100/snphdr.blockcount); 201 | } 202 | fclose(dumpfile); 203 | CloseHandle(hprocess); 204 | // SetProgressBar(100); 205 | 206 | return true; 207 | } -------------------------------------------------------------------------------- /src/gisnap/ollydbg_plugin/src/MemorySnapshot.h: -------------------------------------------------------------------------------- 1 | #ifndef MEMSNAP_H 2 | #define MEMSNAP_H 3 | 4 | 5 | #include "snapshotformat.h" 6 | #include 7 | #include 8 | 9 | 10 | #define MEM_BLOCK DUMPBLOCKV20 11 | 12 | class MemorySnapshot 13 | { 14 | public: 15 | MemorySnapshot(); 16 | ~MemorySnapshot(); 17 | bool MemorySnapshot::Dump(HANDLE hprocess, char *filename); 18 | void MemorySnapshot::__setASLRDEP(MEM_BLOCK *tmpblock); 19 | 20 | private: 21 | uint32_t MemorySnapshot::__getArch(); 22 | uint32_t MemorySnapshot::__translateProtFlags(uint32_t prot); 23 | void MemorySnapshot::__getName(MEM_BLOCK *tmpblock, char *name); 24 | 25 | HANDLE hprocess; 26 | std::vector memblocks; 27 | 28 | }; 29 | #endif -------------------------------------------------------------------------------- /src/gisnap/ollydbg_plugin/src/gisnap.cpp: -------------------------------------------------------------------------------- 1 | #define _CRT_SECURE_NO_DEPRECATE 2 | 3 | #include 4 | #include "MemorySnapshot.h" 5 | #include 6 | #include 7 | //#include // Only if you call ODBG2_Pluginmainloop 8 | 9 | #include "plugin.h" 10 | 11 | #define PLUGINNAME L"gisnap" // Unique plugin name 12 | #define VERSION L"2.00.01" // Plugin version 13 | 14 | HINSTANCE hdllinst; // Instance of plugin DLL 15 | 16 | 17 | void DumpProcess(HANDLE hprocess) 18 | { 19 | MemorySnapshot *gMemSnap = new MemorySnapshot; 20 | 21 | WCHAR filename[1024]; 22 | char filenameA[1024]; 23 | OPENFILENAME ofln; 24 | memset(&filename, 0, sizeof(filename)); 25 | memset(&ofln, 0, sizeof(OPENFILENAME)); 26 | ofln.lStructSize = sizeof(OPENFILENAME); 27 | ofln.hwndOwner = hwollymain; 28 | ofln.lpstrFile = filename; 29 | ofln.nMaxFile = sizeof(filename); 30 | ofln.lpstrFilter = L"Snapshot\0*.snap\0All\0*.*\0"; 31 | ofln.nFilterIndex = 1; 32 | ofln.lpstrFileTitle = NULL; 33 | ofln.nMaxFileTitle = 0; 34 | ofln.lpstrInitialDir = NULL; 35 | ofln.lpstrDefExt = L".snap"; 36 | ofln.Flags = OFN_PATHMUSTEXIST | OFN_OVERWRITEPROMPT; 37 | 38 | GetSaveFileName(&ofln); 39 | CommDlgExtendedError(); 40 | wcstombs(filenameA, filename, 1024); 41 | gMemSnap->Dump(hprocess, filenameA); 42 | delete gMemSnap; 43 | 44 | MessageBox(hwollymain, L"Snapshot dump finished.", L"Done!", MB_OK); 45 | } 46 | 47 | // main menu click 48 | static int MtakeSnapshot(t_table *pt,wchar_t *name,ulong index,int mode) { 49 | int ret; 50 | 51 | switch(mode) { 52 | case MENU_VERIFY: 53 | ret=MENU_NORMAL; 54 | break; 55 | case MENU_EXECUTE: 56 | ret=MENU_NOREDRAW; 57 | if(run.status == STAT_IDLE) { 58 | MessageBox(hwollymain, L"NO TARGET ATTACHED", L"ERROR", MB_OK); 59 | } else { 60 | DumpProcess(process); 61 | } 62 | break; 63 | default: 64 | ret=MENU_ABSENT; 65 | break; 66 | } 67 | return ret; 68 | }; 69 | 70 | // Plugin menu that will appear in the main OllyDbg menu. 71 | static t_menu mainmenu[] = { 72 | { L"|gisnap", L"take memory snapshot", K_NONE, MtakeSnapshot, NULL, 0 }, 73 | { NULL, NULL, K_NONE, NULL, NULL, 0 } 74 | }; 75 | 76 | // Adds items either to main OllyDbg menu (type=PWM_MAIN) or to popup menu in 77 | extc t_menu * __cdecl ODBG2_Pluginmenu(wchar_t *type) { 78 | if (wcscmp(type,PWM_MAIN)==0) 79 | // Main menu. 80 | return mainmenu; 81 | return NULL; // No menu 82 | }; 83 | 84 | BOOL WINAPI DllEntryPoint(HINSTANCE hi,DWORD reason,LPVOID reserved) { 85 | if (reason==DLL_PROCESS_ATTACH) 86 | hdllinst=hi; // Mark plugin instance 87 | return 1; // Report success 88 | }; 89 | 90 | // ODBG2_Pluginquery() is a "must" for valid OllyDbg plugin. 91 | extc int __cdecl ODBG2_Pluginquery(int ollydbgversion,ulong *features, wchar_t pluginname[SHORTNAME],wchar_t pluginversion[SHORTNAME]) { 92 | if (ollydbgversion<201) 93 | return 0; 94 | // Report name and version to OllyDbg. 95 | wcscpy(pluginname,PLUGINNAME); // Name of plugin 96 | wcscpy(pluginversion,VERSION); // Version of plugin 97 | return PLUGIN_VERSION; // Expected API version 98 | }; 99 | 100 | extc int __cdecl ODBG2_Plugininit(void) { 101 | return 0; 102 | }; 103 | 104 | // Function is called when user opens new or restarts current application. 105 | // Plugin should reset internal variables and data structures to the initial 106 | // state. 107 | extc void __cdecl ODBG2_Pluginreset(void) { 108 | 109 | }; 110 | 111 | extc int __cdecl ODBG2_Pluginclose(void) { 112 | return 0; 113 | }; 114 | 115 | extc void __cdecl ODBG2_Plugindestroy(void) { 116 | 117 | }; 118 | 119 | 120 | -------------------------------------------------------------------------------- /src/gisnap/ollydbg_plugin/src/gisnap.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2012 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gisnap", "gisnap.vcxproj", "{FE3AC8DD-4BFC-4445-8D1D-C37502DE48C7}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {FE3AC8DD-4BFC-4445-8D1D-C37502DE48C7}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {FE3AC8DD-4BFC-4445-8D1D-C37502DE48C7}.Debug|Win32.Build.0 = Debug|Win32 14 | {FE3AC8DD-4BFC-4445-8D1D-C37502DE48C7}.Release|Win32.ActiveCfg = Release|Win32 15 | {FE3AC8DD-4BFC-4445-8D1D-C37502DE48C7}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /src/gisnap/ollydbg_plugin/src/gisnap.v11.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/helpsystems/Agafi/8007d3deaa01a23c03a9e904a3836719a412264e/src/gisnap/ollydbg_plugin/src/gisnap.v11.suo -------------------------------------------------------------------------------- /src/gisnap/ollydbg_plugin/src/gisnap.vcproj: -------------------------------------------------------------------------------- 1 |  2 | 9 | 10 | 13 | 14 | 15 | 16 | 17 | 24 | 27 | 30 | 33 | 36 | 39 | 54 | 57 | 60 | 63 | 72 | 75 | 78 | 81 | 84 | 87 | 90 | 93 | 96 | 97 | 104 | 107 | 110 | 113 | 116 | 119 | 130 | 133 | 136 | 139 | 149 | 152 | 155 | 158 | 161 | 164 | 167 | 170 | 173 | 174 | 175 | 176 | 177 | 178 | 183 | 186 | 187 | 188 | 193 | 194 | 199 | 202 | 203 | 204 | 207 | 208 | 209 | 210 | 211 | 212 | -------------------------------------------------------------------------------- /src/gisnap/ollydbg_plugin/src/gisnap.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {FE3AC8DD-4BFC-4445-8D1D-C37502DE48C7} 15 | Win32Proj 16 | 17 | 18 | 19 | DynamicLibrary 20 | v110_xp 21 | Unicode 22 | 23 | 24 | DynamicLibrary 25 | v110 26 | Unicode 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | <_ProjectFileVersion>11.0.61030.0 40 | 41 | 42 | Debug\ 43 | Debug\ 44 | false 45 | 46 | 47 | Release\ 48 | Release\ 49 | false 50 | 51 | 52 | 53 | Disabled 54 | _CRT_SECURE_NO_WARNINGS;WIN32;_DEBUG;_WINDOWS;_USRDLL;GISNAP_EXPORTS;%(PreprocessorDefinitions) 55 | true 56 | EnableFastChecks 57 | MultiThreaded 58 | 1Byte 59 | /J 60 | 61 | Level3 62 | EditAndContinue 63 | CompileAsCpp 64 | 65 | 66 | user32.lib 67 | %(AdditionalOptions) 68 | C:\Programs\Microsoft SDK\Lib;%(AdditionalLibraryDirectories) 69 | true 70 | Windows 71 | MachineX86 72 | dbghelp.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 73 | 74 | 75 | 76 | 77 | _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;_USRDLL;GISNAP_EXPORTS;%(PreprocessorDefinitions) 78 | MultiThreaded 79 | 1Byte 80 | /J 81 | 82 | Level3 83 | ProgramDatabase 84 | 85 | 86 | user32.lib 87 | %(AdditionalOptions) 88 | true 89 | Windows 90 | true 91 | true 92 | MachineX86 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | CompileAsCpp 103 | MultiThreadedDebug 104 | 105 | 106 | CompileAsCpp 107 | MultiThreadedDebug 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | -------------------------------------------------------------------------------- /src/gisnap/ollydbg_plugin/src/ollydbg.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/helpsystems/Agafi/8007d3deaa01a23c03a9e904a3836719a412264e/src/gisnap/ollydbg_plugin/src/ollydbg.lib -------------------------------------------------------------------------------- /src/gisnap/ollydbg_plugin/src/snapshotformat.h: -------------------------------------------------------------------------------- 1 | // standard structures for writting/reading Gadget Inspector snapshots 2 | 3 | #ifndef __SNAPSHOTFORMAT 4 | #define __SNAPSHOTFORMAT 5 | 6 | #include 7 | 8 | // Memory protection flags 9 | #define M_READ 0x01 10 | #define M_WRITE 0x02 11 | #define M_EXEC 0x04 12 | 13 | #define M_ASLR 0x08 // ASLR is enabled 14 | #define M_DEP 0x10 // DEP is enabled 15 | 16 | // OS flags 17 | #define OS_WINDOWS 0x0100 18 | #define OS_LINUX 0x0200 19 | #define OS_MACOS 0x0400 20 | #define OS_ANDROID 0x0800 21 | #define OS_IOS 0x1000 22 | 23 | // Arch. flags 24 | #define ARCH_X86 0x10000 25 | #define ARCH_X64 0x20000 26 | #define ARCH_ARM 0x40000 27 | #define ARCH_PPC 0x80000 28 | 29 | #pragma pack(push) 30 | #pragma pack(1) 31 | typedef struct _SNAPSHOTFILE 32 | { 33 | uint32_t sig; // signature: "snap" or 0x70616E73 in little endian 34 | uint32_t version; // if version == 1: use DUMPBLOCKV10 / version == 2 uses DUMPBLOCKV20 and so on. 35 | uint32_t flags; // 36 | uint32_t blockcount; 37 | } SNAPSHOTFILE, *PSNAPSHOTFILE; 38 | 39 | typedef struct _dumpblockV10 40 | { 41 | uint64_t BaseAddress; 42 | uint64_t RegionSize; 43 | uint32_t Protect; // see memory protection constants 44 | } DUMPBLOCKV10, *PDUMPBLOCKV10; 45 | 46 | typedef struct _dumpblockV20 47 | { 48 | uint64_t BaseAddress; 49 | uint64_t RegionSize; 50 | uint32_t Protect; // see memory protection constants 51 | uint8_t name[256]; 52 | } DUMPBLOCKV20, *PDUMPBLOCKV20; 53 | 54 | #pragma pack(pop) 55 | #endif // __SNAPSHOTFORMAT -------------------------------------------------------------------------------- /src/gisnap/standalone/src/LogWindow.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "logwindow.h" 3 | #include 4 | 5 | LogWindow::LogWindow(HWND hwndDlg, HINSTANCE hInstance) 6 | { 7 | _parent = hwndDlg; 8 | _hinstance = hInstance; 9 | _currentline = 0; 10 | _hwnd = GetDlgItem(hwndDlg, IDC_LOGLIST); 11 | } 12 | 13 | LogWindow::~LogWindow() 14 | { 15 | CloseWindow(_hwnd); 16 | } 17 | 18 | void LogWindow::Clear() 19 | { 20 | SendDlgItemMessage(_parent, IDC_LOGLIST, LB_RESETCONTENT, (WPARAM)0, (LPARAM)0); 21 | } 22 | 23 | void LogWindow::LogPrint(char *formatstring, ...) 24 | { 25 | va_list args; 26 | va_start(args, formatstring); 27 | 28 | char msg[1024]; 29 | 30 | memset(msg, 0, sizeof(msg)); 31 | 32 | _vsnprintf(msg, sizeof(msg)-2, formatstring, args); 33 | SendMessage(_hwnd, LB_INSERTSTRING, _currentline, (LPARAM)msg); 34 | SendMessage(_hwnd, LB_SETTOPINDEX, _currentline, (LPARAM)0); 35 | _currentline++; 36 | lstrcat(msg, "\n"); 37 | FILE *logfile = fopen("roptool.log", "a+"); 38 | fputs(msg, logfile); 39 | fclose(logfile); 40 | SendMessage(_hwnd, WM_PAINT, 0, 0); 41 | } 42 | -------------------------------------------------------------------------------- /src/gisnap/standalone/src/LogWindow.h: -------------------------------------------------------------------------------- 1 | #ifndef LOGWINDOW_H 2 | #define LOGWINDOW_H 3 | 4 | class LogWindow 5 | { 6 | public: 7 | LogWindow(HWND parent, HINSTANCE hInstance); 8 | ~LogWindow(); 9 | void LogPrint(char *formatstring, ...); 10 | void Clear(void); 11 | HWND _hwnd; 12 | private: 13 | HINSTANCE _hinstance; 14 | 15 | HWND _parent; 16 | DWORD _currentline; 17 | }; 18 | 19 | 20 | #endif -------------------------------------------------------------------------------- /src/gisnap/standalone/src/MemorySnapshot.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include 3 | #include 4 | #include "memorysnapshot.h" 5 | 6 | #include 7 | 8 | extern int SetProgressBar(unsigned int progress); 9 | 10 | MemorySnapshot::MemorySnapshot() 11 | { 12 | hprocess = 0; 13 | } 14 | 15 | MemorySnapshot::~MemorySnapshot() 16 | { 17 | hprocess = 0; 18 | } 19 | 20 | uint32_t MemorySnapshot::__getArch() 21 | { 22 | SYSTEM_INFO sysinfo = {0}; 23 | uint32_t res = 0; 24 | 25 | GetSystemInfo(&sysinfo); 26 | 27 | switch(sysinfo.wProcessorArchitecture) { 28 | case PROCESSOR_ARCHITECTURE_AMD64: 29 | res = ARCH_X64; 30 | break; 31 | 32 | case PROCESSOR_ARCHITECTURE_INTEL: 33 | res = ARCH_X86; 34 | break; 35 | 36 | case PROCESSOR_ARCHITECTURE_ARM: 37 | res = ARCH_ARM; 38 | break; 39 | 40 | } 41 | return res; 42 | } 43 | 44 | 45 | void MemorySnapshot::__getBlockInfo(MEM_BLOCK *tmpblock, char *name) 46 | { 47 | *name = 0; 48 | HANDLE h_snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, hpid); 49 | if(h_snapshot == INVALID_HANDLE_VALUE) 50 | return; 51 | MODULEENTRY32 __modentry; 52 | __modentry.dwSize = sizeof(MODULEENTRY32); 53 | 54 | SetLastError(0); 55 | if(Module32First(h_snapshot, &__modentry) == FALSE) 56 | return; 57 | do { 58 | if((tmpblock->BaseAddress >= (uint64_t)__modentry.modBaseAddr) && (tmpblock->BaseAddress < (uint64_t)(__modentry.modBaseAddr+__modentry.modBaseSize))) { 59 | lstrcpyn(name, __modentry.szModule, 1024); 60 | __setASLRDEP(tmpblock, (uint64_t)__modentry.modBaseAddr); 61 | break; 62 | } 63 | 64 | if(GetLastError() == ERROR_NO_MORE_FILES) 65 | break; 66 | __modulelist.push_back(__modentry); 67 | } while(Module32Next(h_snapshot, &__modentry)); 68 | CloseHandle(h_snapshot); 69 | } 70 | 71 | // sets memory region flags corresponding to ASLR and/or DEP dllCharacteristics 72 | void MemorySnapshot::__setASLRDEP(MEM_BLOCK *tmpblock, uint64_t dllbase) 73 | { 74 | ULONG modidx = 0; 75 | ULONG64 modbase = dllbase; 76 | 77 | IMAGE_DOS_HEADER hdr_mz; 78 | ReadProcessMemory(hprocess, (LPCVOID)modbase, &hdr_mz, sizeof(IMAGE_DOS_HEADER), NULL); 79 | if(hdr_mz.e_magic == IMAGE_DOS_SIGNATURE) { 80 | IMAGE_NT_HEADERS hdr_nt; 81 | ReadProcessMemory(hprocess, (LPCVOID)(modbase+hdr_mz.e_lfanew), &hdr_nt, sizeof(IMAGE_NT_HEADERS), NULL); 82 | if(hdr_nt.Signature == IMAGE_NT_SIGNATURE) { 83 | IMAGE_FILE_HEADER hdr_file; 84 | memcpy(&hdr_file, &hdr_nt.FileHeader, sizeof(IMAGE_FILE_HEADER)); 85 | 86 | IMAGE_OPTIONAL_HEADER hdr_optional; 87 | memcpy(&hdr_optional, &hdr_nt.OptionalHeader, sizeof(IMAGE_OPTIONAL_HEADER)); 88 | if((hdr_optional.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) || (hdr_optional.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)) { 89 | if(hdr_optional.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) { 90 | tmpblock->Protect |= M_ASLR; 91 | } 92 | 93 | if(hdr_optional.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) { 94 | tmpblock->Protect |= M_DEP; 95 | } 96 | } 97 | } 98 | } 99 | } 100 | 101 | // try to guess process arch 102 | bool MemorySnapshot::__isProcessSameArch() 103 | { 104 | BOOL res = FALSE; 105 | #ifndef _WIN64 // 32bit process fails to create snapshot of 64bit process 106 | HANDLE h_snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, hpid); 107 | if(h_snapshot != INVALID_HANDLE_VALUE) { 108 | res = TRUE; 109 | } 110 | CloseHandle(h_snapshot); 111 | #else 112 | IsWow64Process(hprocess, &res); 113 | res = !res; 114 | #endif 115 | return (bool)res; 116 | } 117 | 118 | 119 | uint32_t MemorySnapshot::__translateProtFlags(uint32_t prot) 120 | { 121 | uint32_t flags=0; 122 | switch(prot & 0xFF) 123 | { 124 | case PAGE_EXECUTE: 125 | flags = M_EXEC; 126 | break; 127 | case PAGE_EXECUTE_READ: 128 | flags = M_EXEC | M_READ; 129 | break; 130 | case PAGE_EXECUTE_READWRITE: 131 | flags = M_EXEC | M_READ | M_WRITE; 132 | break; 133 | case PAGE_EXECUTE_WRITECOPY: 134 | flags = M_EXEC | M_READ | M_WRITE; 135 | break; 136 | case PAGE_READONLY: 137 | flags = M_READ; 138 | break; 139 | case PAGE_READWRITE: 140 | flags = M_READ | M_WRITE; 141 | break; 142 | case PAGE_WRITECOPY: 143 | flags = M_WRITE; 144 | break; 145 | } 146 | return flags; 147 | } 148 | 149 | bool MemorySnapshot::Dump(DWORD pid, char *filename) 150 | { 151 | bool res = false; // return value 152 | 153 | hpid = pid; 154 | 155 | // open process 156 | hprocess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ , FALSE, hpid); 157 | if(hprocess == 0) 158 | return res; 159 | 160 | BOOL bIs64 = (__getArch() == ARCH_X64); 161 | 162 | if(!__isProcessSameArch()) 163 | return res; // we got passed an x64 pid on a 32bit gisnap or vice versa 164 | 165 | // fill a vector with valid memory blocks 166 | MEM_BLOCK tmpblock = {0}; 167 | memset(&tmpblock.name, 0, 256); 168 | MEMORY_BASIC_INFORMATION info = {0}; 169 | uint64_t addr=0; 170 | while(VirtualQueryEx((HANDLE)hprocess, (LPVOID)addr, &info, sizeof(info))) { 171 | if((info.State == MEM_COMMIT) || (info.Type == MEM_MAPPED) || (info.Type == MEM_IMAGE)) { 172 | if(bIs64) { 173 | tmpblock.BaseAddress = (uint64_t)info.BaseAddress; 174 | tmpblock.RegionSize = info.RegionSize; 175 | } else { 176 | tmpblock.BaseAddress = (DWORD)info.BaseAddress; //cast takes care of idiotic sign extension on pointers 177 | tmpblock.RegionSize = (DWORD)info.RegionSize; 178 | } 179 | if(info.Protect) { 180 | tmpblock.Protect = __translateProtFlags(info.Protect); 181 | } else { 182 | tmpblock.Protect = __translateProtFlags(info.AllocationProtect); 183 | } 184 | __getBlockInfo(&tmpblock, (char *)&tmpblock.name); 185 | memblocks.push_back(tmpblock); 186 | } 187 | addr += info.RegionSize+1; 188 | } 189 | 190 | // write 191 | // create dumpfile 192 | FILE *dumpfile = fopen(filename, "wb" ); 193 | if(!dumpfile) { 194 | return res; 195 | } 196 | 197 | SNAPSHOTFILE snphdr = {0}; 198 | snphdr.sig = 0x70616E73; 199 | snphdr.version = 0x00000002; 200 | snphdr.flags = __getArch() | OS_WINDOWS; 201 | 202 | snphdr.blockcount = (uint32_t)memblocks.size(); 203 | if(snphdr.blockcount > 0) 204 | res = true; 205 | 206 | // write header SNAPSHOTFILE 207 | fwrite ( &snphdr, sizeof(SNAPSHOTFILE) , 1 , dumpfile); 208 | 209 | unsigned int blkcnt=0; 210 | 211 | SetProgressBar(0); 212 | 213 | for (std::vector::iterator block = memblocks.begin(); block != memblocks.end(); ++block, ++blkcnt) 214 | { 215 | 216 | MEM_BLOCK tmpblock = {0}; 217 | 218 | tmpblock.RegionSize = block->RegionSize; 219 | tmpblock.BaseAddress = block->BaseAddress; 220 | tmpblock.Protect = block->Protect; 221 | strncpy((char *)&tmpblock.name, (char *)&block->name, 255); 222 | 223 | // write MEM_BLOCK 224 | fwrite ( &tmpblock, sizeof(MEM_BLOCK) , 1 , dumpfile); 225 | // write data 226 | uint8_t *buffer = new uint8_t [(unsigned int)block->RegionSize]; 227 | ReadProcessMemory(hprocess, (LPCVOID)block->BaseAddress, buffer, (ULONG)block->RegionSize, NULL); 228 | fwrite ( buffer , (size_t)block->RegionSize, 1 , dumpfile); 229 | delete buffer; 230 | SetProgressBar(blkcnt*100/snphdr.blockcount); 231 | } 232 | fclose(dumpfile); 233 | CloseHandle(hprocess); 234 | SetProgressBar(100); 235 | 236 | return res; 237 | } -------------------------------------------------------------------------------- /src/gisnap/standalone/src/MemorySnapshot.h: -------------------------------------------------------------------------------- 1 | #ifndef MEMSNAP_H 2 | #define MEMSNAP_H 3 | 4 | #include 5 | 6 | #include 7 | #include "snapshotformat.h" 8 | #include 9 | #include 10 | 11 | 12 | #define MEM_BLOCK DUMPBLOCKV20 13 | 14 | class MemorySnapshot 15 | { 16 | public: 17 | MemorySnapshot(); 18 | ~MemorySnapshot(); 19 | bool MemorySnapshot::Dump(DWORD pid, char *filename); 20 | 21 | private: 22 | void MemorySnapshot::__getBlockInfo(MEM_BLOCK *tmpblock, char *name); 23 | void MemorySnapshot::__setASLRDEP(MEM_BLOCK *tmpblock, uint64_t dllbase); 24 | 25 | uint32_t MemorySnapshot::__getArch(); 26 | bool MemorySnapshot::__isProcessSameArch(); 27 | uint32_t MemorySnapshot::__translateProtFlags(uint32_t prot); 28 | 29 | HANDLE hprocess; 30 | DWORD hpid; 31 | 32 | std::vector memblocks; 33 | std::vector __modulelist; 34 | 35 | }; 36 | #endif -------------------------------------------------------------------------------- /src/gisnap/standalone/src/ProcessList.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "psapi.h" 3 | #include "processlist.h" 4 | #include 5 | #include 6 | 7 | //extern Debugger *gDebugger; 8 | //extern LogWindow *gLog; 9 | 10 | extern LPWSTR *szArglist; 11 | extern int nArgs; 12 | 13 | 14 | #define WM_SETUPWINDOW (WM_USER + 1) 15 | 16 | //------------------------------------------------------------------------------------------------------ 17 | ProcessList::ProcessList(HWND hwndDlg, HINSTANCE hInstance) 18 | //------------------------------------------------------------------------------------------------------ 19 | { 20 | _parent = hwndDlg; 21 | _hinstance = hInstance; 22 | _currentline = 0; 23 | _hwnd = GetDlgItem(hwndDlg, IDC_PROCLIST); 24 | } 25 | 26 | //------------------------------------------------------------------------------------------------------ 27 | void ProcessList::SetSelectionFromPid(DWORD pid) 28 | //------------------------------------------------------------------------------------------------------ 29 | { 30 | unsigned int line=0; 31 | 32 | while(line < sizeof(aListNames)) { 33 | SendMessage(_hwnd, LB_SETCURSEL, (WPARAM)line, (LPARAM)0); 34 | LRESULT res = SendMessage(_hwnd, LB_GETCURSEL, (WPARAM)0, (LPARAM)0); 35 | if(aListNames[res].pid == pid) { 36 | break; 37 | } 38 | line++; 39 | } 40 | } 41 | 42 | //------------------------------------------------------------------------------------------------------ 43 | ProcessList::~ProcessList() 44 | //------------------------------------------------------------------------------------------------------ 45 | { 46 | } 47 | 48 | void ProcessList::EnableDisable(BOOL val) 49 | { 50 | HWND btn1 = GetDlgItem(_parent, IDC_DUMP); 51 | HWND btn2 = GetDlgItem(_parent, IDC_REFRESH); 52 | EnableWindow(_hwnd, val); 53 | EnableWindow(btn1, val); 54 | EnableWindow(btn2, val); 55 | SendDlgItemMessage(_parent, IDC_PROCLIST, WM_PAINT, 0, 0); 56 | } 57 | 58 | //------------------------------------------------------------------------------------------------------ 59 | DWORD ProcessList::GetSelectedPid() 60 | //------------------------------------------------------------------------------------------------------ 61 | { 62 | LRESULT res = SendMessage(_hwnd, LB_GETCURSEL, (WPARAM)0, (LPARAM)0); 63 | if(res == -1) 64 | return (DWORD)res; 65 | return aListNames[res].pid; 66 | } 67 | 68 | //------------------------------------------------------------------------------------------------------ 69 | void ProcessList::ListEmpty() 70 | //------------------------------------------------------------------------------------------------------ 71 | { 72 | SendMessage(_hwnd, LB_RESETCONTENT, (WPARAM)0, (LPARAM)0); 73 | SendMessage(_hwnd, WM_PAINT, 0, 0); 74 | _currentline=0; 75 | } 76 | 77 | void ProcessList::FillList() 78 | { 79 | ListEmpty(); 80 | 81 | HANDLE h_snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); 82 | if(h_snapshot == INVALID_HANDLE_VALUE) 83 | return; 84 | 85 | DWORD index=0; 86 | PROCESSENTRY32 _tmpProcEntry32; 87 | _tmpProcEntry32.dwSize = sizeof(PROCESSENTRY32); 88 | 89 | HANDLE _tmphProcess = INVALID_HANDLE_VALUE; 90 | BOOL is64b = FALSE; 91 | 92 | if(Process32First(h_snapshot, &_tmpProcEntry32)) { 93 | do { 94 | _tmphProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, _tmpProcEntry32.th32ProcessID); 95 | if(_tmphProcess == 0) 96 | continue; 97 | #ifndef _WIN64 98 | // only list 32bit processes 99 | SYSTEM_INFO sysinfo; 100 | GetNativeSystemInfo(&sysinfo); 101 | if(sysinfo.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64) { 102 | IsWow64Process(_tmphProcess, &is64b); 103 | if(!is64b) { 104 | continue; 105 | } 106 | } 107 | #else 108 | // only list 64bit processes 109 | SYSTEM_INFO sysinfo; 110 | GetNativeSystemInfo(&sysinfo); 111 | if(sysinfo.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64) { 112 | IsWow64Process(_tmphProcess, &is64b); 113 | if(is64b) { 114 | continue; 115 | } 116 | } 117 | #endif 118 | 119 | aListNames[index].pid = _tmpProcEntry32.th32ProcessID; 120 | strncpy(aListNames[index].name, _tmpProcEntry32.szExeFile, 1024); 121 | ListPrint("[%05d] - %s", aListNames[index].pid, aListNames[index].name); 122 | index++; 123 | CloseHandle(_tmphProcess); 124 | } while(Process32Next(h_snapshot, &_tmpProcEntry32)); 125 | } 126 | CloseHandle(h_snapshot); 127 | } 128 | 129 | //------------------------------------------------------------------------------------------------------ 130 | void ProcessList::ListPrint(char *formatstring, ...) 131 | //------------------------------------------------------------------------------------------------------ 132 | { 133 | va_list args; 134 | va_start(args, formatstring); 135 | 136 | char msg[1024]; 137 | 138 | memset(msg, 0, sizeof(msg)); 139 | 140 | _vsnprintf(msg, sizeof(msg), formatstring, args); 141 | SendMessage(_hwnd, LB_INSERTSTRING, _currentline, (LPARAM)msg); 142 | 143 | _currentline++; 144 | } 145 | 146 | -------------------------------------------------------------------------------- /src/gisnap/standalone/src/ProcessList.h: -------------------------------------------------------------------------------- 1 | #ifndef PROCLIST_H 2 | #define PROCLIST_H 3 | 4 | 5 | typedef struct _processListEntry { 6 | DWORD pid; 7 | char name[1024]; 8 | } processListEntry; 9 | 10 | class ProcessList 11 | { 12 | public: 13 | ProcessList(HWND hwndDlg, HINSTANCE hInstance); 14 | ~ProcessList(); 15 | DWORD ProcessList::GetSelectedPid(); 16 | void ProcessList::SetSelectionFromPid(DWORD pid); 17 | void ListPrint(char *formatstring, ...); 18 | void ListEmpty(); 19 | void EnableDisable(BOOL val); 20 | static INT_PTR CALLBACK StaticDialogProcedure(HWND pDialog, UINT msg, WPARAM wParam, LPARAM lParam); 21 | INT_PTR CALLBACK DlgProc(HWND hwndDlg, UINT message, WPARAM wParam, LPARAM lParam); 22 | void FillList(); 23 | private: 24 | HWND _hwnd; 25 | HWND _parent; 26 | DWORD _currentline; 27 | DWORD _done; 28 | HINSTANCE _hinstance; 29 | processListEntry aListNames[1024]; 30 | }; 31 | 32 | 33 | #endif -------------------------------------------------------------------------------- /src/gisnap/standalone/src/gisnap.cpp: -------------------------------------------------------------------------------- 1 | // ropstandalone.cpp : Defines the entry point for the application. 2 | // 3 | 4 | #include "stdafx.h" 5 | 6 | #include "gisnap.h" 7 | #include 8 | #include 9 | #include 10 | 11 | #include 12 | 13 | #define MAX_LOADSTRING 100 14 | 15 | ProcessList *gProcList; 16 | MemorySnapshot *gMemSnap; 17 | 18 | // Global Variables: 19 | HINSTANCE hInst; // current instance 20 | TCHAR szTitle[MAX_LOADSTRING]; // The title bar text 21 | TCHAR szWindowClass[MAX_LOADSTRING]; // the main window class name 22 | 23 | HWND gHWND; 24 | BOOL _done = FALSE; 25 | 26 | LPWSTR *szArglist=0; 27 | int nArgs=0; 28 | 29 | BOOL InitInstance(HINSTANCE hInstance, int nCmdShow); 30 | BOOL SetProcessPrivilege(); 31 | 32 | INT_PTR CALLBACK MainDlgProc(HWND hwndDlg, UINT message, WPARAM wParam, LPARAM lParam); 33 | 34 | int APIENTRY _tWinMain(HINSTANCE hInstance, 35 | HINSTANCE hPrevInstance, 36 | LPTSTR lpCmdLine, 37 | int nCmdShow) 38 | { 39 | UNREFERENCED_PARAMETER(hPrevInstance); 40 | UNREFERENCED_PARAMETER(lpCmdLine); 41 | 42 | // TODO: Place code here. 43 | MSG msg; 44 | HACCEL hAccelTable; 45 | 46 | // Initialize global strings 47 | LoadString(hInstance, IDS_APP_TITLE, szTitle, MAX_LOADSTRING); 48 | LoadString(hInstance, IDC_GISNAP, szWindowClass, MAX_LOADSTRING); 49 | 50 | // Perform application initialization: 51 | if (!InitInstance (hInstance, nCmdShow)) 52 | { 53 | return FALSE; 54 | } 55 | 56 | hAccelTable = LoadAccelerators(hInstance, MAKEINTRESOURCE(IDC_GISNAP)); 57 | 58 | BOOL bRet; 59 | 60 | while( (bRet = GetMessage( &msg, gHWND, 0, 0 )) != 0) 61 | { 62 | if(_done) { 63 | break; 64 | } 65 | if (bRet == -1) { 66 | break; 67 | } else { 68 | TranslateMessage(&msg); 69 | DispatchMessage(&msg); 70 | } 71 | } 72 | return (int) msg.wParam; 73 | } 74 | 75 | 76 | BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege) 77 | { 78 | TOKEN_PRIVILEGES pTokenPrivileges = {0}; 79 | TOKEN_PRIVILEGES oldTokenPrivileges = {0}; 80 | DWORD cbSize=0; 81 | LUID luid; 82 | 83 | if( !LookupPrivilegeValue( NULL, lpszPrivilege, &luid ) ) { 84 | return FALSE; 85 | } 86 | pTokenPrivileges.PrivilegeCount = 1; 87 | pTokenPrivileges.Privileges[ 0 ].Luid = luid; 88 | if(bEnablePrivilege) { 89 | pTokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 90 | } else { 91 | pTokenPrivileges.Privileges[0].Attributes = 0; 92 | } 93 | if(!AdjustTokenPrivileges(hToken, FALSE, &pTokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) { 94 | return FALSE; 95 | } 96 | if(GetLastError()== ERROR_NOT_ALL_ASSIGNED) { 97 | return FALSE; 98 | } 99 | return TRUE; 100 | } 101 | 102 | BOOL SetProcessPrivilege() 103 | { 104 | HANDLE pToken = NULL; 105 | OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &pToken); 106 | return SetPrivilege(pToken, SE_DEBUG_NAME, TRUE); 107 | } 108 | 109 | 110 | BOOL InitInstance(HINSTANCE hInstance, int nCmdShow) 111 | { 112 | 113 | SetProcessPrivilege(); 114 | 115 | hInst = hInstance; // Store instance handle in our global variable 116 | INITCOMMONCONTROLSEX InitCtrlEx; 117 | 118 | InitCtrlEx.dwSize = sizeof(INITCOMMONCONTROLSEX); 119 | InitCtrlEx.dwICC = ICC_PROGRESS_CLASS; 120 | InitCommonControlsEx(&InitCtrlEx); 121 | 122 | gHWND = CreateDialogParam(hInstance, MAKEINTRESOURCE(IDD_MAIN), NULL, MainDlgProc, LPARAM(0)); 123 | return TRUE; 124 | } 125 | 126 | int SetProgressBar(unsigned int progress) 127 | { 128 | HWND progressbar = GetDlgItem(gHWND, IDC_PROGRESS); 129 | if(!progressbar) 130 | return 0; 131 | SendDlgItemMessage(gHWND, IDC_PROGRESS, PBM_SETRANGE32, 0, 100); 132 | SendDlgItemMessage(gHWND, IDC_PROGRESS, PBM_GETPOS, 0, 0); 133 | UINT old = (UINT)SendDlgItemMessage(gHWND, IDC_PROGRESS, PBM_GETPOS, 0, 0); 134 | if(progress < old) { 135 | SendDlgItemMessage(gHWND, IDC_PROGRESS, PBM_SETPOS, progress, 0); 136 | SendMessage(progressbar, WM_PAINT, 0, 0); 137 | Sleep(5); 138 | } else { 139 | while(progress > old) { 140 | SendDlgItemMessage(gHWND, IDC_PROGRESS, PBM_SETPOS, old+1, 0); 141 | SendDlgItemMessage(gHWND, IDC_PROGRESS, WM_PAINT, 0, 0); 142 | old = (UINT)SendDlgItemMessage(gHWND, IDC_PROGRESS, PBM_GETPOS, 0, 0); 143 | Sleep(3); 144 | } 145 | } 146 | 147 | return progress; 148 | } 149 | 150 | bool DumpProcess(DWORD pid) 151 | { 152 | gMemSnap = new MemorySnapshot; 153 | char filename[1024]; 154 | OPENFILENAME ofln; 155 | 156 | memset(&filename, 0, sizeof(filename)); 157 | memset(&ofln, 0, sizeof(OPENFILENAME)); 158 | ofln.lStructSize = sizeof(OPENFILENAME); 159 | ofln.hwndOwner = gHWND; 160 | ofln.lpstrFile = filename; 161 | ofln.nMaxFile = sizeof(filename); 162 | ofln.lpstrFilter = "snap\0*.snap\0All\0*.*\0"; 163 | ofln.nFilterIndex = 1; 164 | ofln.lpstrFileTitle = NULL; 165 | ofln.nMaxFileTitle = 0; 166 | ofln.lpstrInitialDir = NULL; 167 | ofln.lpstrDefExt = ".snap"; 168 | ofln.Flags = OFN_PATHMUSTEXIST | OFN_OVERWRITEPROMPT; 169 | GetSaveFileName(&ofln); 170 | CommDlgExtendedError(); 171 | return gMemSnap->Dump(pid, filename); 172 | } 173 | 174 | INT_PTR CALLBACK MainDlgProc(HWND hwndDlg, UINT message, WPARAM wParam, LPARAM lParam) 175 | { 176 | int lbItem=0; 177 | HWND hwndList=0; 178 | DWORD pid=0xFFFFFFFF; 179 | 180 | HDC dc = 0; 181 | PAINTSTRUCT ps; 182 | gHWND = hwndDlg; 183 | 184 | char szpid[1024] = {0}; 185 | 186 | switch (message) 187 | { 188 | case WM_INITDIALOG: 189 | // reset progress bar 190 | SetProgressBar(0); 191 | gProcList = new ProcessList(hwndDlg, hInst); 192 | gProcList->FillList(); 193 | szArglist = CommandLineToArgvW(GetCommandLineW(), &nArgs); 194 | if(nArgs > 1) { 195 | wsprintf(szpid, "%S", szArglist[1]); 196 | gProcList->SetSelectionFromPid(atoi(szpid)); 197 | if(nArgs >2 ) { 198 | MemorySnapshot *gMemSnap = new MemorySnapshot; 199 | char filename[MAX_PATH]; 200 | wsprintf(filename, "%S", szArglist[2]); 201 | bool res = gMemSnap->Dump(atoi(szpid), filename); 202 | SendMessage(hwndDlg, WM_CLOSE, IDC_DUMP, (LPARAM)res); 203 | } else { 204 | DumpProcess(atoi(szpid)); 205 | } 206 | } 207 | return TRUE; 208 | 209 | case WM_PAINT: 210 | { 211 | BeginPaint(gHWND, &ps); 212 | RECT rc; 213 | GetClientRect(gHWND, &rc); 214 | EndPaint(gHWND, &ps); 215 | } 216 | break; 217 | 218 | case WM_CLOSE: 219 | delete gProcList; 220 | gProcList = 0; 221 | EndDialog(gHWND, 0); 222 | ExitProcess((UINT)lParam); 223 | break; 224 | 225 | case WM_COMMAND: 226 | switch(LOWORD(wParam)) 227 | { 228 | case IDC_DUMP: 229 | pid = gProcList->GetSelectedPid(); 230 | gProcList->EnableDisable(FALSE); 231 | DumpProcess(pid); 232 | gProcList->EnableDisable(TRUE); 233 | break; 234 | 235 | case IDC_REFRESH: 236 | gProcList->FillList(); 237 | break; 238 | 239 | case IDC_EXIT: 240 | SendMessage(gHWND, WM_CLOSE, 0, 0); 241 | break; 242 | 243 | 244 | case IDC_PROCLIST: 245 | if(pid == 0xFFFFFFFF) { 246 | if(gProcList) { 247 | pid = gProcList->GetSelectedPid(); 248 | } 249 | if(pid == 0xFFFFFFFF) 250 | EnableWindow(GetDlgItem(gHWND, IDC_DUMP), TRUE); 251 | } 252 | switch (HIWORD(wParam)) 253 | { 254 | case LBN_DBLCLK: 255 | SendMessage(gHWND, WM_COMMAND, IDC_DUMP, 0); 256 | break; 257 | default: 258 | break; 259 | } 260 | 261 | default: 262 | break; 263 | } 264 | default: 265 | break; 266 | 267 | } 268 | // UpdateWindow(gHWND); 269 | return (INT_PTR)FALSE; 270 | } -------------------------------------------------------------------------------- /src/gisnap/standalone/src/gisnap.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | -------------------------------------------------------------------------------- /src/gisnap/standalone/src/gisnap.rc: -------------------------------------------------------------------------------- 1 | #include "resource.h" 2 | 3 | 109 MENU 4 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US 5 | { 6 | POPUP "&File" 7 | { 8 | MENUITEM "E&xit", 105 9 | } 10 | POPUP "&Help" 11 | { 12 | MENUITEM "&About ...", 104 13 | } 14 | } 15 | 16 | 103 DIALOG 22, 17, 230, 75 17 | STYLE DS_MODALFRAME | WS_CAPTION | WS_SYSMENU 18 | CAPTION "About" 19 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US 20 | FONT 8, "System" 21 | { 22 | CONTROL 107, 2, STATIC, SS_ICON | WS_CHILD | WS_VISIBLE, 14, 9, 16, 16 23 | CONTROL "ropstandalone Version 1.0", -1, STATIC, SS_LEFT | SS_NOPREFIX | WS_CHILD | WS_VISIBLE | WS_GROUP, 49, 10, 119, 8 24 | CONTROL "Copyright (C) 2011", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 49, 20, 119, 8 25 | CONTROL "OK", 1, BUTTON, BS_DEFPUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_GROUP | WS_TABSTOP, 195, 6, 30, 11 26 | } 27 | 28 | 129 DIALOGEX 0, 0, 327, 264 29 | STYLE DS_FIXEDSYS | DS_MODALFRAME | WS_POPUP | WS_CAPTION 30 | CAPTION "Process List" 31 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US 32 | FONT 8, "MS Shell Dlg", FW_NORMAL, FALSE, 1 33 | { 34 | CONTROL "OK", 1, BUTTON, BS_DEFPUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 7, 243, 50, 14 35 | CONTROL "Exit", 2, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 270, 243, 50, 14 36 | CONTROL "", 1000, LISTBOX, LBS_STANDARD | LBS_NOINTEGRALHEIGHT | WS_CHILD | WS_VISIBLE | WS_HSCROLL | WS_TABSTOP, 7, 7, 313, 231 37 | } 38 | 39 | 40 | STRINGTABLE 41 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US 42 | { 43 | 103, "gisnap" 44 | 109, "GISNAP" 45 | } 46 | 47 | 48 | 109 ACCELERATORS 49 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US 50 | { 51 | "?", 104, ALT 52 | "/", 104, ALT 53 | } 54 | 55 | 107 ICON "Icon_1.ico" 56 | 57 | 108 ICON "Icon_2.ico" 58 | 59 | -------------------------------------------------------------------------------- /src/gisnap/standalone/src/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by ropstandalone.rc 4 | // 5 | #define IDD_ROPSTANDALONE_DIALOG 102 6 | #define IDS_APP_TITLE 103 7 | #define IDM_ABOUT 104 8 | #define IDM_EXIT 105 9 | #define IDI_ROPSTANDALONE 107 10 | #define IDI_SMALL 108 11 | #define IDC_ROPSTANDALONE 109 12 | #define IDC_MAINMENU 109 13 | #define IDR_MAINFRAME 128 14 | #define IDD_MAIN 130 15 | #define IDB_LOGO 131 16 | #define IDC_PROCLIST 1000 17 | #define IDC_LOGLIST 1002 18 | #define IDC_PROGRESS 1003 19 | #define IDC_MODULELIST 1004 20 | #define IDC_REFRESH 1007 21 | #define IDC_ATTACH 1008 22 | #define IDC_SAFESEH 1009 23 | #define IDC_DYNAMICBASE 1010 24 | #define IDC_RELOCATIONS 1011 25 | #define IDC_ASCII 1012 26 | #define IDC_BREAKPOINTADDR 1013 27 | #define IDC_RBREAKPOINT 1014 28 | #define IDC_UNICODE 1015 29 | #define IDC_RADIO3 1016 30 | #define IDC_NOZERO 1016 31 | #define IDC_NONE 1017 32 | #define IDC_REXCEPTION 1018 33 | #define IDC_EXCEPTIONNAMES 1019 34 | #define IDC_COMBOBOXEX1 1020 35 | #define IDC_COMBOBOXEX2 1021 36 | #define ID_FILE_OPEN 32771 37 | #define ID_EDIT_SETTINGS 32772 38 | #define IDM_FILE_OPEN 32773 39 | #define IDC_STATIC -1 40 | 41 | // Next default values for new objects 42 | // 43 | #ifdef APSTUDIO_INVOKED 44 | #ifndef APSTUDIO_READONLY_SYMBOLS 45 | #define _APS_NO_MFC 1 46 | #define _APS_NEXT_RESOURCE_VALUE 133 47 | #define _APS_NEXT_COMMAND_VALUE 32774 48 | #define _APS_NEXT_CONTROL_VALUE 1022 49 | #define _APS_NEXT_SYMED_VALUE 110 50 | #endif 51 | #endif 52 | -------------------------------------------------------------------------------- /src/gisnap/standalone/src/resource1.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/helpsystems/Agafi/8007d3deaa01a23c03a9e904a3836719a412264e/src/gisnap/standalone/src/resource1.h -------------------------------------------------------------------------------- /src/gisnap/standalone/src/snapshotformat.h: -------------------------------------------------------------------------------- 1 | // standard structures for writting/reading Gadget Inspector snapshots 2 | 3 | #ifndef __SNAPSHOTFORMAT 4 | #define __SNAPSHOTFORMAT 5 | 6 | #include 7 | 8 | // Memory protection flags 9 | #define M_READ 0x01 10 | #define M_WRITE 0x02 11 | #define M_EXEC 0x04 12 | 13 | #define M_ASLR 0x08 // ASLR is enabled 14 | #define M_DEP 0x10 // DEP is enabled 15 | 16 | // OS flags 17 | #define OS_WINDOWS 0x0100 18 | #define OS_LINUX 0x0200 19 | #define OS_MACOS 0x0400 20 | #define OS_ANDROID 0x0800 21 | #define OS_IOS 0x1000 22 | 23 | // Arch. flags 24 | #define ARCH_X86 0x10000 25 | #define ARCH_X64 0x20000 26 | #define ARCH_ARM 0x40000 27 | #define ARCH_PPC 0x80000 28 | 29 | #pragma pack(push) 30 | #pragma pack(1) 31 | typedef struct _SNAPSHOTFILE 32 | { 33 | uint32_t sig; // signature: "snap" or 0x70616E73 in little endian 34 | uint32_t version; // if version == 1: use DUMPBLOCKV10 / version == 2 uses DUMPBLOCKV20 and so on. 35 | uint32_t flags; // 36 | uint32_t blockcount; 37 | } SNAPSHOTFILE, *PSNAPSHOTFILE; 38 | 39 | typedef struct _dumpblockV10 40 | { 41 | uint64_t BaseAddress; 42 | uint64_t RegionSize; 43 | uint32_t Protect; // see memory protection constants 44 | } DUMPBLOCKV10, *PDUMPBLOCKV10; 45 | 46 | typedef struct _dumpblockV20 47 | { 48 | uint64_t BaseAddress; 49 | uint64_t RegionSize; 50 | uint32_t Protect; // see memory protection constants 51 | uint8_t name[256]; 52 | } DUMPBLOCKV20, *PDUMPBLOCKV20; 53 | 54 | #pragma pack(pop) 55 | #endif // __SNAPSHOTFORMAT -------------------------------------------------------------------------------- /src/gisnap/standalone/src/stand-alone.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/helpsystems/Agafi/8007d3deaa01a23c03a9e904a3836719a412264e/src/gisnap/standalone/src/stand-alone.rc -------------------------------------------------------------------------------- /src/gisnap/standalone/src/stand-alone.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2012 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "stand-alone", "stand-alone.vcxproj", "{3B0FC55A-CAC6-49DF-B1AE-C6924F98BCBF}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Debug|x64 = Debug|x64 10 | Release|Win32 = Release|Win32 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {3B0FC55A-CAC6-49DF-B1AE-C6924F98BCBF}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {3B0FC55A-CAC6-49DF-B1AE-C6924F98BCBF}.Debug|Win32.Build.0 = Debug|Win32 16 | {3B0FC55A-CAC6-49DF-B1AE-C6924F98BCBF}.Debug|x64.ActiveCfg = Debug|x64 17 | {3B0FC55A-CAC6-49DF-B1AE-C6924F98BCBF}.Debug|x64.Build.0 = Debug|x64 18 | {3B0FC55A-CAC6-49DF-B1AE-C6924F98BCBF}.Release|Win32.ActiveCfg = Release|Win32 19 | {3B0FC55A-CAC6-49DF-B1AE-C6924F98BCBF}.Release|Win32.Build.0 = Release|Win32 20 | {3B0FC55A-CAC6-49DF-B1AE-C6924F98BCBF}.Release|x64.ActiveCfg = Release|x64 21 | {3B0FC55A-CAC6-49DF-B1AE-C6924F98BCBF}.Release|x64.Build.0 = Release|x64 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /src/gisnap/standalone/src/stand-alone.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/helpsystems/Agafi/8007d3deaa01a23c03a9e904a3836719a412264e/src/gisnap/standalone/src/stand-alone.suo -------------------------------------------------------------------------------- /src/gisnap/standalone/src/stand-alone.v11.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/helpsystems/Agafi/8007d3deaa01a23c03a9e904a3836719a412264e/src/gisnap/standalone/src/stand-alone.v11.suo -------------------------------------------------------------------------------- /src/gisnap/standalone/src/stand-alone.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {3B0FC55A-CAC6-49DF-B1AE-C6924F98BCBF} 23 | Win32Proj 24 | standalone 25 | 26 | 27 | 28 | Application 29 | true 30 | v110_xp 31 | MultiByte 32 | 33 | 34 | Application 35 | true 36 | v110_xp 37 | MultiByte 38 | 39 | 40 | Application 41 | false 42 | v110_xp 43 | true 44 | MultiByte 45 | 46 | 47 | Application 48 | false 49 | v110_xp 50 | true 51 | MultiByte 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | true 71 | 72 | 73 | true 74 | 75 | 76 | false 77 | 78 | 79 | false 80 | 81 | 82 | 83 | 84 | 85 | Level3 86 | Disabled 87 | _CRT_SECURE_NO_WARNINGS;WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) 88 | 89 | 90 | Windows 91 | true 92 | dbghelp.lib;comctl32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 93 | 94 | 95 | 96 | 97 | 98 | 99 | Level3 100 | Disabled 101 | _CRT_SECURE_NO_WARNINGS;WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) 102 | 103 | 104 | Windows 105 | true 106 | dbghelp.lib;comctl32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 107 | 108 | 109 | 110 | 111 | Level3 112 | 113 | 114 | MaxSpeed 115 | true 116 | true 117 | _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) 118 | MultiThreaded 119 | 120 | 121 | Windows 122 | true 123 | true 124 | true 125 | dbghelp.lib;comctl32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 126 | 127 | 128 | 129 | 130 | Level3 131 | 132 | 133 | MaxSpeed 134 | true 135 | true 136 | _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) 137 | MultiThreaded 138 | 139 | 140 | Windows 141 | true 142 | true 143 | true 144 | dbghelp.lib;comctl32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | -------------------------------------------------------------------------------- /src/gisnap/standalone/src/stand-alone.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | 32 | 33 | Header Files 34 | 35 | 36 | Header Files 37 | 38 | 39 | Header Files 40 | 41 | 42 | Header Files 43 | 44 | 45 | Header Files 46 | 47 | 48 | Header Files 49 | 50 | 51 | 52 | 53 | Resource Files 54 | 55 | 56 | -------------------------------------------------------------------------------- /src/gisnap/standalone/src/stand-alone.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 1604 "c:\pnx\gadget-inspector\gisnap\gisnap_dumpinfo\2.dmp" 5 | WindowsLocalDebugger 6 | 7 | 8 | 9 | 10 | WindowsLocalDebugger 11 | 12 | -------------------------------------------------------------------------------- /src/gisnap/standalone/src/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // ropstandalone.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /src/gisnap/standalone/src/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | // Modify the following defines if you have to target a platform prior to the ones specified below. 9 | // Refer to MSDN for the latest info on corresponding values for different platforms. 10 | #ifndef WINVER // Allow use of features specific to Windows XP or later. 11 | #define WINVER 0x0501 // Change this to the appropriate value to target other versions of Windows. 12 | #endif 13 | 14 | #ifndef _WIN32_WINNT // Allow use of features specific to Windows XP or later. 15 | #define _WIN32_WINNT 0x0501 // Change this to the appropriate value to target other versions of Windows. 16 | #endif 17 | 18 | #ifndef _WIN32_WINDOWS // Allow use of features specific to Windows 98 or later. 19 | #define _WIN32_WINDOWS 0x0410 // Change this to the appropriate value to target Windows Me or later. 20 | #endif 21 | 22 | #ifndef _WIN32_IE // Allow use of features specific to IE 6.0 or later. 23 | #define _WIN32_IE 0x0600 // Change this to the appropriate value to target other versions of IE. 24 | #endif 25 | 26 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 27 | // Windows Header Files: 28 | #include 29 | 30 | // C RunTime Header Files 31 | #include 32 | #include 33 | #include 34 | #include 35 | 36 | extern void LogLine(char *formatstring, ...); 37 | 38 | #pragma comment(lib, "psapi.lib") 39 | 40 | #include "processlist.h" 41 | #include "memorysnapshot.h" 42 | #include "resource1.h" 43 | 44 | 45 | // TODO: reference additional headers your program requires here 46 | -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/readme.txt: -------------------------------------------------------------------------------- 1 | copy appropiate (x86 or x64) dll to %ProgramFiles%\Debugging Tools for Windows\winext 2 | 3 | Windbg/ntsd snapshot dumper extension 4 | 5 | 6 | .load gisnap 7 | 8 | !help 9 | !gisnap 10 | filename = name of the file to store snapshot. 11 | 12 | -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/src/dllmain.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/helpsystems/Agafi/8007d3deaa01a23c03a9e904a3836719a412264e/src/gisnap/windbg_ext/src/dllmain.cpp -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/src/gisnap.cpp: -------------------------------------------------------------------------------- 1 | #include "gisnap.h" 2 | 3 | GiSnapDump::GiSnapDump() 4 | { 5 | g_Client = NULL; 6 | HRESULT res = DebugCreate(__uuidof(IDebugClient), (void**)&g_Client); 7 | if(S_OK != res) { 8 | dprintf("ERROR: Cannot talk to dbgeng.dll\n"); 9 | return; 10 | } 11 | 12 | g_Client->QueryInterface(__uuidof(IDebugControl), (void**)&g_Control); 13 | g_Client->QueryInterface(__uuidof(IDebugSymbols), (void**)&g_Symbols); 14 | g_Client->QueryInterface(__uuidof(IDebugSymbols2), (void**)&g_Symbols2); 15 | 16 | g_Client->QueryInterface(__uuidof(IDebugDataSpaces2), (void**)&g_DataSpaces2); 17 | g_Client->QueryInterface(__uuidof(IDebugDataSpaces3), (void**)&g_DataSpaces3); 18 | g_Client->QueryInterface(__uuidof(IDebugDataSpaces4), (void**)&g_DataSpaces4); 19 | 20 | g_Client->QueryInterface(__uuidof(IDebugSystemObjects), (void**)&g_SystemObjects); 21 | 22 | // connect dbgeng.dll to the running debugger session 23 | g_Client->ConnectSession(DEBUG_CONNECT_SESSION_NO_VERSION | DEBUG_CONNECT_SESSION_NO_ANNOUNCE, NULL); 24 | if(S_OK != res) { 25 | dprintf("ERROR: Cannot conntect dbgeng to current debugger session\n"); 26 | return; 27 | } 28 | 29 | ULONG myclass = 0; 30 | ULONG qual = 0; 31 | 32 | g_Control->GetDebuggeeType(&myclass, &qual); 33 | 34 | if(myclass == DEBUG_CLASS_UNINITIALIZED) { 35 | dprintf("ERROR: attach to your target first!\n\n"); 36 | } 37 | } 38 | 39 | 40 | void GiSnapDump::__getStrForNativeProt(uint32_t prot, char *dest) 41 | { 42 | switch(prot & 0xFF) 43 | { 44 | case PAGE_EXECUTE: 45 | strcpy(dest, "EXECUTE"); 46 | break; 47 | case PAGE_EXECUTE_READ: 48 | strcpy(dest, "EXECUTE_READ"); 49 | break; 50 | case PAGE_EXECUTE_READWRITE: 51 | strcpy(dest, "EXECUTE_READWRITE"); 52 | break; 53 | case PAGE_EXECUTE_WRITECOPY: 54 | strcpy(dest, "EXECUTE_WRITECOPY"); 55 | break; 56 | case PAGE_NOACCESS: 57 | strcpy(dest, "NOACCESS"); 58 | break; 59 | case PAGE_READONLY: 60 | strcpy(dest, "READONLY"); 61 | break; 62 | case PAGE_READWRITE: 63 | strcpy(dest, "READWRITE"); 64 | break; 65 | case PAGE_WRITECOPY: 66 | strcpy(dest, "WRITECOPY"); 67 | break; 68 | default: 69 | strcpy(dest, "UNKNOWN"); 70 | break; 71 | } 72 | 73 | if(prot & PAGE_GUARD) 74 | strcat(dest, "|GUARD"); 75 | if(prot & PAGE_NOCACHE) 76 | strcat(dest, "|NOCACHE"); 77 | if(prot & PAGE_GUARD) 78 | strcat(dest, "|WRITECOMBINE"); 79 | } 80 | 81 | void GiSnapDump::__getStrForProt(uint32_t prot, char *dest) 82 | { 83 | if(prot & M_READ) { 84 | strcat(dest, "R"); 85 | } else { 86 | strcat(dest, "-"); 87 | } 88 | 89 | if(prot & M_WRITE) { 90 | strcat(dest, "W"); 91 | } else { 92 | strcat(dest, "-"); 93 | } 94 | 95 | if(prot & M_EXEC) { 96 | strcat(dest, "X"); 97 | } else { 98 | strcat(dest, "-"); 99 | } 100 | 101 | if(prot & M_ASLR) { 102 | strcat(dest, " ASLR"); 103 | } 104 | 105 | if(prot & M_DEP) { 106 | strcat(dest, " DEP"); 107 | } 108 | } 109 | 110 | uint32_t GiSnapDump::__translateProtFlags(uint32_t prot) 111 | { 112 | uint32_t flags=0; 113 | switch(prot & 0xFF) 114 | { 115 | case PAGE_EXECUTE: 116 | flags = M_EXEC; 117 | break; 118 | case PAGE_EXECUTE_READ: 119 | flags = M_EXEC | M_READ; 120 | break; 121 | case PAGE_EXECUTE_READWRITE: 122 | flags = M_EXEC | M_READ | M_WRITE; 123 | break; 124 | case PAGE_EXECUTE_WRITECOPY: 125 | flags = M_EXEC | M_READ | M_WRITE; 126 | break; 127 | case PAGE_READONLY: 128 | flags = M_READ; 129 | break; 130 | case PAGE_READWRITE: 131 | flags = M_READ | M_WRITE; 132 | break; 133 | case PAGE_WRITECOPY: 134 | flags = M_WRITE; 135 | break; 136 | } 137 | return flags; 138 | } 139 | 140 | void GiSnapDump::__getStrForStat(uint32_t stat, char *dest) 141 | { 142 | switch(stat) 143 | { 144 | case MEM_COMMIT: 145 | strcpy(dest, "COMMIT"); 146 | break; 147 | case MEM_RESERVE: 148 | strcpy(dest, "RESERVE"); 149 | break; 150 | case MEM_FREE: 151 | strcpy(dest, "FREE"); 152 | break; 153 | case MEM_PRIVATE: 154 | strcpy(dest, "PRIVATE"); 155 | break; 156 | case MEM_MAPPED: 157 | strcpy(dest, "MAPPED"); 158 | break; 159 | case MEM_IMAGE: 160 | strcpy(dest, "IMAGE"); 161 | break; 162 | } 163 | } 164 | 165 | uint32_t GiSnapDump::__getArch() 166 | { 167 | ULONG processor_type=0; 168 | g_Control->GetExecutingProcessorType(&processor_type); 169 | 170 | uint32_t res = 0; 171 | switch(processor_type) { 172 | case IMAGE_FILE_MACHINE_I386: 173 | res = ARCH_X86; 174 | break; 175 | case IMAGE_FILE_MACHINE_ARM: 176 | res = ARCH_ARM; 177 | break; 178 | case IMAGE_FILE_MACHINE_AMD64: 179 | res = ARCH_X64; 180 | break; 181 | default: 182 | res = 0; 183 | break; 184 | } 185 | return res; 186 | } 187 | 188 | // gets symbol name for a memory address 189 | void GiSnapDump::__getMemRegionName(uint64_t base, char *name) 190 | { 191 | char symname[1024] = {0}; 192 | uint8_t namesize=255; 193 | 194 | HRESULT status = g_Symbols->GetNameByOffset(base, symname, sizeof(symname), NULL, NULL); 195 | if(status == E_FAIL) { 196 | memset(&symname, 0, 1); 197 | } 198 | 199 | char *bang = strstr(symname, "!"); 200 | if(bang) { 201 | if(bang-symname < namesize) 202 | namesize = (uint8_t)(bang-symname); 203 | } 204 | 205 | strncpy(name, symname, namesize); 206 | } 207 | 208 | // print information about a memory block to the debugger console 209 | void GiSnapDump::__printBlockInfo(MEM_BLOCK *tmpblock) 210 | { 211 | char name[1024] = {0}; 212 | // __getMemRegionName(tmpblock->BaseAddress, name); 213 | // strcpy((char *)&tmpblock->name, name); 214 | 215 | char prot[1024] = {0}; 216 | __getStrForProt(tmpblock->Protect, prot); 217 | 218 | dprintf("% 10s base:%08I64x size:%08I64x, prot:%s\n", tmpblock->name, tmpblock->BaseAddress, tmpblock->RegionSize, prot); 219 | } 220 | /* 221 | // sets memory region flags corresponding to ASLR and/or DEP dllCharacteristics 222 | void GiSnapDump::__setASLRDEP(MEM_BLOCK *tmpblock) 223 | { 224 | ULONG modidx = 0; 225 | ULONG64 modbase = 0; 226 | 227 | HRESULT res = g_Symbols->GetModuleByOffset(tmpblock->BaseAddress, 0, &modidx, &modbase); 228 | 229 | IMAGE_DOS_HEADER hdr_mz; 230 | ReadMemory((ULONG_PTR)modbase, &hdr_mz, sizeof(IMAGE_DOS_HEADER), NULL); 231 | if(hdr_mz.e_magic == IMAGE_DOS_SIGNATURE) { 232 | IMAGE_NT_HEADERS hdr_nt; 233 | ReadMemory((ULONG_PTR)(modbase+hdr_mz.e_lfanew), &hdr_nt, sizeof(IMAGE_NT_HEADERS), NULL); 234 | if(hdr_nt.Signature == IMAGE_NT_SIGNATURE) { 235 | IMAGE_FILE_HEADER hdr_file; 236 | memcpy(&hdr_file, &hdr_nt.FileHeader, sizeof(IMAGE_FILE_HEADER)); 237 | 238 | IMAGE_OPTIONAL_HEADER hdr_optional; 239 | memcpy(&hdr_optional, &hdr_nt.OptionalHeader, sizeof(IMAGE_OPTIONAL_HEADER)); 240 | if((hdr_optional.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) || (hdr_optional.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)) { 241 | if(hdr_optional.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) { 242 | tmpblock->Protect |= M_ASLR; 243 | } 244 | 245 | if(hdr_optional.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) { 246 | tmpblock->Protect |= M_DEP; 247 | } 248 | } 249 | } 250 | } 251 | } 252 | */ 253 | 254 | void GiSnapDump::__getBlockInfo(MEM_BLOCK *tmpblock, char * name) 255 | { 256 | *name = 0; 257 | ULONG64 hprocess = 0; 258 | g_SystemObjects->GetCurrentProcessHandle(&hprocess); 259 | 260 | HANDLE h_snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetProcessId((HANDLE)hprocess)); 261 | 262 | if(h_snapshot == INVALID_HANDLE_VALUE) 263 | return; 264 | MODULEENTRY32 __modentry; 265 | __modentry.dwSize = sizeof(MODULEENTRY32); 266 | 267 | SetLastError(0); 268 | if(Module32First(h_snapshot, &__modentry) == FALSE) 269 | return; 270 | do { 271 | if((tmpblock->BaseAddress >= (uint64_t)__modentry.modBaseAddr) && (tmpblock->BaseAddress < (uint64_t)(__modentry.modBaseAddr+__modentry.modBaseSize))) { 272 | // lstrcpyn(name, __modentry.szModule, 1024); 273 | wsprintfA(name, "%S", __modentry.szModule); 274 | __setASLRDEP(tmpblock, (uint64_t)__modentry.modBaseAddr); 275 | break; 276 | } 277 | 278 | if(GetLastError() == ERROR_NO_MORE_FILES) 279 | break; 280 | __modulelist.push_back(__modentry); 281 | } while(Module32Next(h_snapshot, &__modentry)); 282 | CloseHandle(h_snapshot); 283 | } 284 | 285 | 286 | void GiSnapDump::TakeSnapshot(char *filename) 287 | { 288 | ULONG64 hprocess = 0; 289 | g_SystemObjects->GetCurrentProcessHandle(&hprocess); 290 | 291 | BOOL bIs64 = (__getArch() == ARCH_X64) ; 292 | 293 | // fill a vector with valid memory blocks 294 | MEM_BLOCK tmpblock = {0}; 295 | memset(&tmpblock.name, 0, 256); 296 | MEMORY_BASIC_INFORMATION info = {0}; 297 | uint64_t addr=0; 298 | while(VirtualQueryEx((HANDLE)hprocess, (LPVOID)addr, &info, sizeof(info))) { 299 | if((info.State == MEM_COMMIT) || (info.Type == MEM_MAPPED) || (info.Type == MEM_IMAGE)) { 300 | if(bIs64) { 301 | tmpblock.BaseAddress = (uint64_t)info.BaseAddress; 302 | tmpblock.RegionSize = info.RegionSize; 303 | } else { 304 | tmpblock.BaseAddress = (DWORD)info.BaseAddress; //cast takes care of idiotic sign extension on pointers 305 | tmpblock.RegionSize = (DWORD)info.RegionSize; 306 | } 307 | if(info.Protect) { 308 | tmpblock.Protect = __translateProtFlags(info.Protect); 309 | } else { 310 | tmpblock.Protect = __translateProtFlags(info.AllocationProtect); 311 | } 312 | __getBlockInfo(&tmpblock, (char *)&tmpblock.name); 313 | __printBlockInfo(&tmpblock); 314 | memblocks.push_back(tmpblock); 315 | } 316 | addr += info.RegionSize+1; 317 | } 318 | 319 | // write 320 | // create dumpfile 321 | FILE *dumpfile = fopen(filename, "wb" ); 322 | if(!dumpfile) { 323 | return; 324 | } 325 | 326 | SNAPSHOTFILE snphdr = {0}; 327 | snphdr.sig = 0x70616E73; 328 | snphdr.version = 0x00000002; 329 | snphdr.flags = __getArch() | OS_WINDOWS; 330 | 331 | snphdr.blockcount = (uint32_t)memblocks.size(); 332 | 333 | // write header SNAPSHOTFILE 334 | fwrite ( &snphdr, sizeof(SNAPSHOTFILE) , 1 , dumpfile); 335 | 336 | unsigned int blkcnt=0; 337 | 338 | // SetProgressBar(0); 339 | 340 | for (std::vector::iterator block = memblocks.begin(); block != memblocks.end(); ++block, ++blkcnt) 341 | { 342 | 343 | MEM_BLOCK tmpblock = {0}; 344 | 345 | tmpblock.RegionSize = block->RegionSize; 346 | tmpblock.BaseAddress = block->BaseAddress; 347 | tmpblock.Protect = block->Protect; 348 | strncpy((char *)&tmpblock.name, (char *)&block->name, 255); 349 | 350 | // write MEM_BLOCK 351 | fwrite ( &tmpblock, sizeof(MEM_BLOCK) , 1 , dumpfile); 352 | // write data 353 | uint8_t *buffer = new uint8_t [(unsigned int)block->RegionSize]; 354 | ReadProcessMemory((HANDLE)hprocess, (LPCVOID)block->BaseAddress, buffer, (ULONG)block->RegionSize, NULL); 355 | fwrite ( buffer , (size_t)block->RegionSize, 1 , dumpfile); 356 | delete buffer; 357 | // SetProgressBar(blkcnt*100/snphdr.blockcount); 358 | } 359 | fclose(dumpfile); 360 | dprintf("done!\n"); 361 | // CloseHandle(hprocess); 362 | // SetProgressBar(100); 363 | } 364 | 365 | // sets memory region flags corresponding to ASLR and/or DEP dllCharacteristics 366 | void GiSnapDump::__setASLRDEP(MEM_BLOCK *tmpblock, uint64_t dllbase) 367 | { 368 | ULONG modidx = 0; 369 | ULONG64 modbase = dllbase; 370 | 371 | ULONG64 hprocess = 0; 372 | g_SystemObjects->GetCurrentProcessHandle(&hprocess); 373 | 374 | IMAGE_DOS_HEADER hdr_mz; 375 | ReadProcessMemory((HANDLE)hprocess, (LPCVOID)modbase, &hdr_mz, sizeof(IMAGE_DOS_HEADER), NULL); 376 | if(hdr_mz.e_magic == IMAGE_DOS_SIGNATURE) { 377 | IMAGE_NT_HEADERS hdr_nt; 378 | ReadProcessMemory((HANDLE)hprocess, (LPCVOID)(modbase+hdr_mz.e_lfanew), &hdr_nt, sizeof(IMAGE_NT_HEADERS), NULL); 379 | if(hdr_nt.Signature == IMAGE_NT_SIGNATURE) { 380 | IMAGE_FILE_HEADER hdr_file; 381 | memcpy(&hdr_file, &hdr_nt.FileHeader, sizeof(IMAGE_FILE_HEADER)); 382 | 383 | IMAGE_OPTIONAL_HEADER hdr_optional; 384 | memcpy(&hdr_optional, &hdr_nt.OptionalHeader, sizeof(IMAGE_OPTIONAL_HEADER)); 385 | if((hdr_optional.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) || (hdr_optional.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)) { 386 | if(hdr_optional.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) { 387 | tmpblock->Protect |= M_ASLR; 388 | } 389 | 390 | if(hdr_optional.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) { 391 | tmpblock->Protect |= M_DEP; 392 | } 393 | } 394 | } 395 | } 396 | } 397 | 398 | /* 399 | 400 | void GiSnapDump::TakeSnapshot(char *filename) 401 | { 402 | ULONG64 hprocess = 0; 403 | g_SystemObjects->GetCurrentProcessHandle(&hprocess); 404 | 405 | //check x64 406 | BOOL bIs64 = (__getArch() == ARCH_X64); 407 | 408 | MEMORY_BASIC_INFORMATION info = {0}; 409 | 410 | // fill a vector with valid memory blocks 411 | MEM_BLOCK tmpblock = {0}; 412 | 413 | uint64_t addr=0; 414 | while(VirtualQueryEx((HANDLE)hprocess, (LPVOID)addr, &info, sizeof(info))) { 415 | if((info.State == MEM_COMMIT) && ((info.Type == MEM_MAPPED) || (info.Type == MEM_IMAGE))) { 416 | if(bIs64) { 417 | tmpblock.BaseAddress = (uint64_t)info.BaseAddress; 418 | tmpblock.RegionSize = info.RegionSize; 419 | } else { 420 | tmpblock.BaseAddress = (DWORD)info.BaseAddress; //cast takes care of idiotic sign extension on pointers 421 | tmpblock.RegionSize = (DWORD)info.RegionSize; 422 | } 423 | tmpblock.Protect = __translateProtFlags(info.Protect); 424 | 425 | char name[1024] = {0}; 426 | __getMemRegionName(tmpblock.BaseAddress, name); 427 | strncpy((char *)tmpblock.name, name, sizeof(tmpblock.name)); 428 | 429 | // if region is part of an executable image we set ASLR and DEP flags accordingly 430 | if(info.Type == MEM_IMAGE) { 431 | __setASLRDEP(&tmpblock); 432 | } 433 | 434 | // print block info on the console 435 | __printBlockInfo(&tmpblock); 436 | // save for later 437 | memblocks.push_back(tmpblock); 438 | } 439 | addr += info.RegionSize; 440 | } 441 | 442 | // create dumpfile 443 | FILE *dumpfile = fopen(filename, "wb" ); 444 | if(!dumpfile) { 445 | dprintf("ERROR: cannot write %s\r\n", filename); 446 | return; 447 | } 448 | 449 | dprintf("Writting %s...", filename); 450 | SNAPSHOTFILE snphdr = {0}; 451 | snphdr.sig = 0x70616E73; 452 | snphdr.version = 0x00000002; 453 | 454 | snphdr.flags = __getArch() | OS_WINDOWS; 455 | snphdr.blockcount = (uint32_t)memblocks.size(); 456 | 457 | // write header SNAPSHOTFILE 458 | fwrite ( &snphdr, sizeof(SNAPSHOTFILE) , 1 , dumpfile); 459 | 460 | for (std::vector::iterator block = memblocks.begin(); block != memblocks.end(); ++block) 461 | { 462 | 463 | MEM_BLOCK tmpblock = {0}; 464 | 465 | tmpblock.RegionSize = block->RegionSize; 466 | tmpblock.BaseAddress = block->BaseAddress; 467 | strncpy((char *)&tmpblock.name, (char *)block->name, sizeof(tmpblock.name)); 468 | tmpblock.Protect = block->Protect; 469 | 470 | // write MEM_BLOCK 471 | fwrite ( &tmpblock, sizeof(MEM_BLOCK) , 1 , dumpfile); 472 | // write data 473 | uint8_t *buffer = new uint8_t [(unsigned int)block->RegionSize]; 474 | ReadMemory((ULONG)block->BaseAddress, buffer, (ULONG)block->RegionSize, NULL); 475 | fwrite ( buffer , (size_t)block->RegionSize, 1 , dumpfile); 476 | delete buffer; 477 | } 478 | fclose(dumpfile); 479 | dprintf("done!\n"); 480 | } 481 | */ 482 | GiSnapDump::~GiSnapDump() 483 | { 484 | if (g_Client != NULL) 485 | { 486 | g_Client->EndSession(DEBUG_END_PASSIVE); 487 | g_Client->Release(); 488 | g_Client = NULL; 489 | 490 | g_Control->Release(); 491 | g_Symbols->Release(); 492 | g_Symbols2->Release(); 493 | g_DataSpaces2->Release(); 494 | g_DataSpaces3->Release(); 495 | g_DataSpaces4->Release(); 496 | g_SystemObjects->Release(); 497 | 498 | } 499 | 500 | g_Control = NULL; 501 | g_Symbols = NULL; 502 | g_Symbols2 = NULL; 503 | g_DataSpaces2 = NULL; 504 | g_DataSpaces3 = NULL; 505 | g_SystemObjects = NULL; 506 | } 507 | -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/src/gisnap.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #ifdef __WIN64 4 | #define KDEXT_64BIT 5 | #endif 6 | #include 7 | 8 | #include 9 | #include 10 | #include 11 | 12 | #include 13 | 14 | #include 15 | #include 16 | 17 | #include "snapshotformat.h" 18 | 19 | #ifndef __GISNAP__ 20 | #define __GISNAP__ 21 | 22 | //#define MEM_BLOCK DUMPBLOCKV10 23 | #define MEM_BLOCK DUMPBLOCKV20 24 | 25 | class GiSnapDump 26 | { 27 | private: 28 | IDebugClient* g_Client; 29 | 30 | IDebugControl* g_Control; 31 | IDebugSymbols* g_Symbols; 32 | IDebugSymbols2* g_Symbols2; 33 | 34 | IDebugDataSpaces2* g_DataSpaces2; 35 | IDebugDataSpaces3* g_DataSpaces3; 36 | IDebugDataSpaces4* g_DataSpaces4; 37 | 38 | IDebugSystemObjects *g_SystemObjects; 39 | 40 | std::vector memblocks; 41 | std::vector __modulelist; 42 | 43 | void GiSnapDump::__getStrForProt(uint32_t prot, char* dest); 44 | void GiSnapDump::__getStrForNativeProt(uint32_t prot, char *dest); 45 | 46 | void GiSnapDump::__getStrForStat(uint32_t stat, char* dest); 47 | 48 | uint32_t GiSnapDump::__translateProtFlags(uint32_t prot); 49 | void GiSnapDump::__setASLRDEP(MEM_BLOCK *tmpblock, uint64_t dllbase); 50 | 51 | void GiSnapDump::__getBlockInfo(MEM_BLOCK *tmpblock, char * name); 52 | 53 | uint32_t GiSnapDump::__getArch(); 54 | uint32_t GiSnapDump::__getOS(); 55 | 56 | void GiSnapDump::__getMemRegionName(uint64_t, char *symname); 57 | void GiSnapDump::__printBlockInfo(MEM_BLOCK *); 58 | 59 | public: 60 | GiSnapDump::GiSnapDump(); 61 | GiSnapDump::~GiSnapDump(); 62 | void GiSnapDump::TakeSnapshot(char *filename); 63 | }; 64 | 65 | 66 | #endif 67 | -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/src/snapshotformat.h: -------------------------------------------------------------------------------- 1 | // standard structures for writting/reading Gadget Inspector snapshots 2 | 3 | #ifndef __SNAPSHOTFORMAT 4 | #define __SNAPSHOTFORMAT 5 | 6 | #include 7 | 8 | // Memory protection flags 9 | #define M_READ 0x01 10 | #define M_WRITE 0x02 11 | #define M_EXEC 0x04 12 | 13 | #define M_ASLR 0x08 // ASLR is enabled 14 | #define M_DEP 0x10 // DEP is enabled 15 | 16 | // OS flags 17 | #define OS_WINDOWS 0x0100 18 | #define OS_LINUX 0x0200 19 | #define OS_MACOS 0x0400 20 | #define OS_ANDROID 0x0800 21 | #define OS_IOS 0x1000 22 | 23 | // Arch. flags 24 | #define ARCH_X86 0x10000 25 | #define ARCH_X64 0x20000 26 | #define ARCH_ARM 0x40000 27 | #define ARCH_PPC 0x80000 28 | 29 | #pragma pack(push) 30 | #pragma pack(1) 31 | typedef struct _SNAPSHOTFILE 32 | { 33 | uint32_t sig; // signature: "snap" or 0x70616E73 in little endian 34 | uint32_t version; // if version == 1: use DUMPBLOCKV10 / version == 2 uses DUMPBLOCKV20 and so on. 35 | uint32_t flags; // 36 | uint32_t blockcount; 37 | } SNAPSHOTFILE, *PSNAPSHOTFILE; 38 | 39 | typedef struct _dumpblockV10 40 | { 41 | uint64_t BaseAddress; 42 | uint64_t RegionSize; 43 | uint32_t Protect; // see memory protection constants 44 | } DUMPBLOCKV10, *PDUMPBLOCKV10; 45 | 46 | typedef struct _dumpblockV20 47 | { 48 | uint64_t BaseAddress; 49 | uint64_t RegionSize; 50 | uint32_t Protect; // see memory protection constants 51 | uint8_t name[256]; 52 | } DUMPBLOCKV20, *PDUMPBLOCKV20; 53 | 54 | #pragma pack(pop) 55 | #endif // __SNAPSHOTFORMAT -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/src/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // windbg_ext.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/src/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | // Windows Header Files: 12 | #include 13 | 14 | 15 | 16 | // TODO: reference additional headers your program requires here 17 | -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/src/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/src/windbg_ext.cpp: -------------------------------------------------------------------------------- 1 | // SnapshotDumper windbg/ntsd extension. 2 | 3 | #include 4 | #include 5 | 6 | #ifdef __WIN64 7 | #define KDEXT_64BIT 8 | #endif 9 | #include 10 | 11 | #include "gisnap.h" 12 | 13 | // Global Variable Needed For Functions 14 | WINDBG_EXTENSION_APIS ExtensionApis = {0}; 15 | 16 | // Global Variable Needed For Versioning 17 | EXT_API_VERSION g_ExtApiVersion = {1 , 1 , EXT_API_VERSION_NUMBER , 0}; 18 | 19 | // dllmain 20 | BOOL APIENTRY DllMain( HMODULE hModule, 21 | DWORD ul_reason_for_call, 22 | LPVOID lpReserved 23 | ) 24 | { 25 | switch (ul_reason_for_call) 26 | { 27 | case DLL_PROCESS_ATTACH: 28 | case DLL_THREAD_ATTACH: 29 | case DLL_THREAD_DETACH: 30 | case DLL_PROCESS_DETACH: 31 | break; 32 | } 33 | return TRUE; 34 | } 35 | 36 | // ExtensionApiVersion 37 | LPEXT_API_VERSION WDBGAPI ExtensionApiVersion (void) 38 | { 39 | return &g_ExtApiVersion; 40 | } 41 | 42 | // WinDbgExtensionDllInit 43 | VOID WDBGAPI WinDbgExtensionDllInit (PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion) 44 | { 45 | ExtensionApis = *lpExtensionApis; 46 | } 47 | 48 | // !help 49 | DECLARE_API (help) 50 | { 51 | dprintf("Gadget Inspector - SnapshotDumper\n\n"); 52 | dprintf("!gisnap \n"); 53 | } 54 | 55 | // !gisnap 56 | DECLARE_API (gisnap) 57 | { 58 | 59 | if (!args || !*args) { 60 | dprintf("Usage: \n\t!gisnap \n"); 61 | return; 62 | } 63 | 64 | GiSnapDump *gsnp = new GiSnapDump; 65 | gsnp->TakeSnapshot((char *)args); 66 | delete gsnp; 67 | } 68 | -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/src/windbg_ext.def: -------------------------------------------------------------------------------- 1 | LIBRARY "windbg_ext.DLL" 2 | 3 | EXPORTS 4 | WinDbgExtensionDllInit 5 | ExtensionApiVersion 6 | gisnap 7 | help -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/src/windbg_ext.opensdf: -------------------------------------------------------------------------------- 1 | panoramixDATURA-I7 -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/src/windbg_ext.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2012 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "windbg_ext", "windbg_ext.vcxproj", "{5F2AC2EC-E314-49CC-91EB-B240D1AE8833}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Debug|x64 = Debug|x64 10 | Release|Win32 = Release|Win32 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {5F2AC2EC-E314-49CC-91EB-B240D1AE8833}.Debug|Win32.ActiveCfg = Release|Win32 15 | {5F2AC2EC-E314-49CC-91EB-B240D1AE8833}.Debug|Win32.Build.0 = Release|Win32 16 | {5F2AC2EC-E314-49CC-91EB-B240D1AE8833}.Debug|x64.ActiveCfg = Release|x64 17 | {5F2AC2EC-E314-49CC-91EB-B240D1AE8833}.Debug|x64.Build.0 = Release|x64 18 | {5F2AC2EC-E314-49CC-91EB-B240D1AE8833}.Release|Win32.ActiveCfg = Release|Win32 19 | {5F2AC2EC-E314-49CC-91EB-B240D1AE8833}.Release|Win32.Build.0 = Release|Win32 20 | {5F2AC2EC-E314-49CC-91EB-B240D1AE8833}.Release|x64.ActiveCfg = Release|x64 21 | {5F2AC2EC-E314-49CC-91EB-B240D1AE8833}.Release|x64.Build.0 = Release|x64 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/src/windbg_ext.v11.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/helpsystems/Agafi/8007d3deaa01a23c03a9e904a3836719a412264e/src/gisnap/windbg_ext/src/windbg_ext.v11.suo -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/src/windbg_ext.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {5F2AC2EC-E314-49CC-91EB-B240D1AE8833} 23 | Win32Proj 24 | windbg_ext 25 | 26 | 27 | 28 | DynamicLibrary 29 | true 30 | v110 31 | Unicode 32 | 33 | 34 | DynamicLibrary 35 | true 36 | v110 37 | Unicode 38 | 39 | 40 | DynamicLibrary 41 | false 42 | v110 43 | true 44 | Unicode 45 | 46 | 47 | DynamicLibrary 48 | false 49 | v110 50 | true 51 | Unicode 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | true 71 | 72 | 73 | true 74 | 75 | 76 | false 77 | 78 | 79 | false 80 | 81 | 82 | 83 | Use 84 | Level3 85 | Disabled 86 | WIN32;_DEBUG;_WINDOWS;_USRDLL;WINDBG_EXT_EXPORTS;%(PreprocessorDefinitions) 87 | true 88 | 89 | 90 | Windows 91 | true 92 | windbg_ext.def 93 | 94 | 95 | 96 | 97 | Use 98 | Level3 99 | Disabled 100 | WIN32;_DEBUG;_WINDOWS;_USRDLL;WINDBG_EXT_EXPORTS;%(PreprocessorDefinitions) 101 | true 102 | 103 | 104 | Windows 105 | true 106 | windbg_ext.def 107 | 108 | 109 | 110 | 111 | Level3 112 | NotUsing 113 | MaxSpeed 114 | true 115 | true 116 | _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;_USRDLL;WINDBG_EXT_EXPORTS;%(PreprocessorDefinitions) 117 | true 118 | MultiThreaded 119 | 120 | 121 | Windows 122 | true 123 | true 124 | true 125 | windbg_ext.def 126 | dbgeng.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 127 | 128 | 129 | 130 | 131 | Level3 132 | NotUsing 133 | MaxSpeed 134 | true 135 | true 136 | _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;_USRDLL;WINDBG_EXT_EXPORTS;%(PreprocessorDefinitions) 137 | true 138 | MultiThreaded 139 | 140 | 141 | Windows 142 | true 143 | true 144 | true 145 | windbg_ext.def 146 | dbgeng.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/src/windbg_ext.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | 37 | 38 | Source Files 39 | 40 | 41 | 42 | 43 | 44 | -------------------------------------------------------------------------------- /src/gisnap/windbg_ext/src/windbg_ext.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /src/list.cpp: -------------------------------------------------------------------------------- 1 | /****************************************************************************/ 2 | /****************************************************************************/ 3 | 4 | /* list.cpp */ 5 | 6 | /****************************************************************************/ 7 | /****************************************************************************/ 8 | 9 | /* Prototipos */ 10 | 11 | class List 12 | { 13 | private: 14 | unsigned int len; 15 | void **elementos; 16 | 17 | private: 18 | int Get_Element_By_Secuential_Search ( void * , unsigned int * ); 19 | int Get_Element_By_Binary_Search ( void * , unsigned int * ); 20 | 21 | public: 22 | int ordenada; 23 | 24 | List (); 25 | ~List (); 26 | unsigned int Len (); 27 | unsigned int Len ( unsigned int ); 28 | unsigned int Add ( void * ); 29 | void Append ( List & ); 30 | void Append ( List * ); 31 | void *Get ( unsigned int ); 32 | int GetPos ( void * , unsigned int * ); 33 | int Set ( unsigned int , void * ); 34 | int Find ( void * ); 35 | int Delete ( unsigned int ); 36 | int DeleteElement ( void * ); 37 | int Clear ( void ); 38 | void Sort ( void ); 39 | void SortCouple ( List & ); 40 | void SortCouple ( List * ); 41 | void SortTuple ( List & , List & ); 42 | int Swap ( unsigned int , unsigned int ); 43 | 44 | /* Metodos para hacer PERSISTENCIA */ 45 | int Save ( FILE * ); 46 | int Load ( FILE * ); 47 | }; 48 | 49 | /****************************************************************************/ 50 | /****************************************************************************/ 51 | 52 | /* Prototipos de funciones */ 53 | 54 | int get_element_by_secuential_search ( void * , unsigned int * ); 55 | int get_element_by_binary_search ( void * , unsigned int * ); 56 | 57 | /****************************************************************************/ 58 | /****************************************************************************/ 59 | 60 | /* Defines */ 61 | 62 | #define FALSE 0 63 | #define TRUE 1 64 | 65 | /* Para mantener la compatibilidad */ 66 | #ifdef _IDA_HPP 67 | #define fread(a,b,c,d) qfread(d,a,b) 68 | #define fwrite(a,b,c,d) qfwrite(d,a,b) 69 | #define malloc(a) my_malloc(a) 70 | #define realloc(a,b) my_realloc(a,b) 71 | #define free(a) my_free(a) 72 | #endif 73 | 74 | /****************************************************************************/ 75 | /****************************************************************************/ 76 | 77 | /* Funciones */ 78 | 79 | List::List () 80 | { 81 | /* Seteo el flag que indica que la lista esta ordenada */ 82 | this -> ordenada = TRUE; 83 | 84 | /* Seteo la longitud de la lista */ 85 | this -> len = 0; 86 | 87 | /* Inicializo la lista */ 88 | this -> elementos = NULL; 89 | } 90 | 91 | /****************************************************************************/ 92 | 93 | List::~List () 94 | { 95 | /* Libero la lista */ 96 | free ( this -> elementos ); 97 | } 98 | 99 | /****************************************************************************/ 100 | 101 | unsigned int List::Len ( void ) 102 | { 103 | /* Retorno la longitud de la lista */ 104 | return ( this -> len ); 105 | } 106 | 107 | /****************************************************************************/ 108 | 109 | unsigned int List::Len ( unsigned int new_len ) 110 | { 111 | unsigned int len = this -> len; 112 | void *new_list; 113 | unsigned int cont; 114 | 115 | /* Seteo el nuevo size */ 116 | new_list = realloc ( this -> elementos , new_len * sizeof ( void * ) ); 117 | 118 | /* Si el nuevo len pudo ser seteado */ 119 | if ( new_list != NULL ) 120 | { 121 | /* Seteo la nueva lista */ 122 | this -> elementos = ( void ** ) new_list; 123 | 124 | /* Seteo el nuevo size */ 125 | this -> len = new_len; 126 | 127 | /* Si la lista fue agrandada */ 128 | if ( len < new_len ) 129 | { 130 | /* PADEO la nueva parte con CEROS */ 131 | for ( cont = len ; cont < new_len ; cont ++ ) 132 | { 133 | /* Seteo la posicion con el valor NULL */ 134 | this -> Set ( cont , NULL ); 135 | } 136 | } 137 | } 138 | 139 | return ( len ); 140 | } 141 | 142 | /****************************************************************************/ 143 | 144 | unsigned int List::Add ( void *elemento ) 145 | { 146 | void *new_list; 147 | unsigned int ultima_pos; 148 | 149 | /* Agrando la lista */ 150 | new_list = realloc ( this -> elementos , ( sizeof ( void * ) ) * ( this -> len + 1 ) ); 151 | 152 | /* Si pude agrandar la lista */ 153 | if ( new_list != NULL ) 154 | { 155 | /* Seteo la nueva lista */ 156 | this -> elementos = ( void ** ) new_list; 157 | 158 | /* Agrego el nuevo elemento */ 159 | this -> elementos [ this -> len ] = elemento; 160 | 161 | /* Agrando la longitud de la lista */ 162 | this -> len ++; 163 | 164 | /* Retorno la posicion donde se agrego el elemento */ 165 | ultima_pos = this -> len - 1; 166 | 167 | /* Si hay mas de 1 elemento en la lista */ 168 | if ( this -> len > 1 ) 169 | { 170 | /* Si el elemento agregado es menor al ultimo elemento */ 171 | if ( this -> elementos [ this -> len - 2 ] > elemento ) 172 | { 173 | /* Pierdo el orden en la lista */ 174 | this -> ordenada = FALSE; 175 | } 176 | } 177 | } 178 | 179 | return ( ultima_pos ); 180 | } 181 | 182 | /****************************************************************************/ 183 | 184 | void List::Append ( List &second_list ) 185 | { 186 | unsigned int pos; 187 | int ret = TRUE; 188 | 189 | /* Recorro toda la lista */ 190 | for ( pos = 0 ; pos < second_list.Len () ; pos ++ ) 191 | { 192 | /* Agrego el elemento a la lista */ 193 | this -> Add ( second_list.Get ( pos ) ); 194 | } 195 | } 196 | 197 | /****************************************************************************/ 198 | 199 | void List::Append ( List *second_list ) 200 | { 201 | unsigned int pos; 202 | int ret = TRUE; 203 | 204 | /* Recorro toda la lista */ 205 | for ( pos = 0 ; pos < second_list -> Len () ; pos ++ ) 206 | { 207 | /* Agrego el elemento a la lista */ 208 | this -> Add ( second_list -> Get ( pos ) ); 209 | } 210 | } 211 | 212 | /****************************************************************************/ 213 | 214 | void *List::Get ( unsigned int pos ) 215 | { 216 | void *elemento = NULL; 217 | 218 | /* Si el elemento esta dentro de la lista */ 219 | if ( pos < this -> len ) 220 | { 221 | /* Retorno el elemento que hay en esa posicion */ 222 | elemento = this -> elementos [ pos ]; 223 | } 224 | 225 | return ( elemento ); 226 | } 227 | 228 | /****************************************************************************/ 229 | 230 | int List::GetPos ( void *elemento , unsigned int *posicion ) 231 | { 232 | int ret; 233 | 234 | /* Si la lista se conserva ordenada y tiene mas de 2 elementos */ 235 | if ( ( this -> ordenada == TRUE ) && ( this -> Len () > 2 ) ) 236 | { 237 | /* Busco el elemento en la lista en forma binaria */ 238 | ret = this -> Get_Element_By_Binary_Search ( elemento , posicion ); 239 | } 240 | else 241 | { 242 | /* Busco el elemento en la lista en forma secuencial */ 243 | ret = this -> Get_Element_By_Secuential_Search ( elemento , posicion ); 244 | } 245 | 246 | return ( ret ); 247 | } 248 | 249 | /****************************************************************************/ 250 | 251 | int List::Set ( unsigned int posicion , void *elemento ) 252 | { 253 | int ret = TRUE; 254 | 255 | /* Si la posicion NO sobrepasa el rango de elementos */ 256 | if ( posicion < this -> Len () ) 257 | { 258 | /* Piso el elemento existente */ 259 | this -> elementos [ posicion ] = elemento; 260 | 261 | /* Apago el orden en la lista ( arreglar en algun momento ) */ 262 | this -> ordenada = FALSE; 263 | } 264 | 265 | return ( ret ); 266 | } 267 | 268 | /****************************************************************************/ 269 | 270 | int List::Find ( void *elemento ) 271 | { 272 | unsigned int pos; 273 | int ret; 274 | 275 | /* Si la lista se conserva ordenada y tiene mas de 2 elementos */ 276 | if ( ( this -> ordenada == TRUE ) && ( this -> Len () > 2 ) ) 277 | { 278 | /* Busco el elemento en la lista en forma binaria */ 279 | ret = this -> Get_Element_By_Binary_Search ( elemento , &pos ); 280 | } 281 | else 282 | { 283 | /* Busco el elemento en la lista en forma secuencial */ 284 | ret = this -> Get_Element_By_Secuential_Search ( elemento , &pos ); 285 | } 286 | 287 | return ( ret ); 288 | } 289 | 290 | /****************************************************************************/ 291 | 292 | int List::Delete ( unsigned int pos ) 293 | { 294 | unsigned int cont; 295 | int ret = FALSE; 296 | 297 | /* Si el elemento esta dentro de la lista */ 298 | if ( pos < this -> len ) 299 | { 300 | /* Compacto la lista */ 301 | for ( cont = ( pos + 1 ) ; cont < this -> len ; cont ++ ) 302 | { 303 | /* Muevo el valor del actual al anterior */ 304 | this -> elementos [ cont - 1 ] = this -> elementos [ cont ]; 305 | } 306 | 307 | /* Achico la lista */ 308 | this -> elementos = ( void ** ) realloc ( this -> elementos , ( sizeof ( void * ) ) * ( this -> len - 1 ) ); 309 | 310 | /* Seteo la nueva longitud de la lista */ 311 | this -> len --; 312 | 313 | /* Retorno OK */ 314 | ret = TRUE; 315 | } 316 | 317 | return ( ret ); 318 | } 319 | 320 | /****************************************************************************/ 321 | 322 | int List::DeleteElement ( void *elemento ) 323 | { 324 | unsigned int pos; 325 | int ret = FALSE; 326 | 327 | /* Si el elemento existe */ 328 | if ( this -> GetPos ( elemento , &pos ) == TRUE ) 329 | { 330 | /* Elimino el elemento de la lista */ 331 | this -> Delete ( pos ); 332 | 333 | /* Retorno OK */ 334 | ret = TRUE; 335 | } 336 | 337 | return ( ret ); 338 | } 339 | 340 | /****************************************************************************/ 341 | 342 | int List::Clear ( void ) 343 | { 344 | int ret = TRUE; 345 | 346 | /* Reinicializo el flag de lista ordenada */ 347 | this -> ordenada = TRUE; 348 | 349 | /* Seteo la longitud de la lista */ 350 | this -> len = 0; 351 | 352 | /* Libero la lista */ 353 | free ( this -> elementos ); 354 | 355 | /* Inicializo la lista */ 356 | this -> elementos = NULL; 357 | 358 | return ( ret ); 359 | } 360 | 361 | /****************************************************************************/ 362 | 363 | void List::Sort ( void ) 364 | { 365 | unsigned int cont1; 366 | unsigned int cont2; 367 | void *elemento_temporal; 368 | 369 | /* Si la lista esta ordenada */ 370 | if ( this -> ordenada == TRUE ) 371 | { 372 | /* Salgo sin hacer nada */ 373 | return; 374 | } 375 | 376 | /* Si NO hay elementos para ordenar */ 377 | if ( this -> Len () < 2 ) 378 | { 379 | /* Salgo sin hacer nada */ 380 | return; 381 | } 382 | 383 | /* Recorro todos los elementos */ 384 | for ( cont1 = 0 ; cont1 < this -> Len () - 1 ; cont1 ++ ) 385 | { 386 | /* Recorro todos los elementos */ 387 | for ( cont2 = cont1 + 1 ; cont2 < this -> Len () ; cont2 ++ ) 388 | { 389 | /* Si elemento1 es mayor que elemento2 */ 390 | if ( this -> elementos [ cont1 ] > this -> elementos [ cont2 ] ) 391 | { 392 | /* Intercambio los elementos */ 393 | elemento_temporal = this -> elementos [ cont1 ]; 394 | this -> elementos [ cont1 ] = this -> elementos [ cont2 ]; 395 | this -> elementos [ cont2 ] = elemento_temporal; 396 | } 397 | } 398 | } 399 | 400 | /* Marco la lista como ordenada */ 401 | this -> ordenada = TRUE; 402 | } 403 | 404 | /****************************************************************************/ 405 | 406 | void List::SortCouple ( List &linked_list ) 407 | { 408 | unsigned int cont1; 409 | unsigned int cont2; 410 | 411 | /* Si NO hay elementos para ordenar */ 412 | if ( this -> Len () < 2 ) 413 | { 414 | /* Salgo sin hacer nada */ 415 | return; 416 | } 417 | 418 | /* Recorro todos los elementos */ 419 | for ( cont1 = 0 ; cont1 < this -> Len () - 1 ; cont1 ++ ) 420 | { 421 | /* Recorro todos los elementos */ 422 | for ( cont2 = cont1 + 1 ; cont2 < this -> Len () ; cont2 ++ ) 423 | { 424 | /* Si elemento1 es mayor que elemento2 */ 425 | if ( this -> elementos [ cont1 ] > this -> elementos [ cont2 ] ) 426 | { 427 | /* Intercambio los elementos en la lista */ 428 | this -> Swap ( cont1 , cont2 ); 429 | 430 | /* Intercambio los elementos en la lista original LINKEADA */ 431 | linked_list.Swap ( cont1 , cont2 ); 432 | } 433 | } 434 | } 435 | 436 | /* Marco la lista como ordenada */ 437 | this -> ordenada = TRUE; 438 | } 439 | 440 | /****************************************************************************/ 441 | 442 | void List::SortCouple ( List *linked_list ) 443 | { 444 | unsigned int cont1; 445 | unsigned int cont2; 446 | 447 | /* Si NO hay elementos para ordenar */ 448 | if ( this -> Len () < 2 ) 449 | { 450 | /* Salgo sin hacer nada */ 451 | return; 452 | } 453 | 454 | /* Recorro todos los elementos */ 455 | for ( cont1 = 0 ; cont1 < this -> Len () - 1 ; cont1 ++ ) 456 | { 457 | /* Recorro todos los elementos */ 458 | for ( cont2 = cont1 + 1 ; cont2 < this -> Len () ; cont2 ++ ) 459 | { 460 | /* Si elemento1 es mayor que elemento2 */ 461 | if ( this -> elementos [ cont1 ] > this -> elementos [ cont2 ] ) 462 | { 463 | /* Intercambio los elementos en la lista */ 464 | this -> Swap ( cont1 , cont2 ); 465 | 466 | /* Intercambio los elementos en la lista original LINKEADA */ 467 | linked_list -> Swap ( cont1 , cont2 ); 468 | } 469 | } 470 | } 471 | 472 | /* Marco la lista como ordenada */ 473 | this -> ordenada = TRUE; 474 | } 475 | 476 | /****************************************************************************/ 477 | 478 | void List::SortTuple ( List &list1 , List &list2 ) 479 | { 480 | unsigned int cont1; 481 | unsigned int cont2; 482 | 483 | /* Si NO hay elementos para ordenar */ 484 | if ( this -> Len () < 2 ) 485 | { 486 | /* Salgo sin hacer nada */ 487 | return; 488 | } 489 | 490 | /* Recorro todos los elementos */ 491 | for ( cont1 = 0 ; cont1 < this -> Len () - 1 ; cont1 ++ ) 492 | { 493 | /* Recorro todos los elementos */ 494 | for ( cont2 = cont1 + 1 ; cont2 < this -> Len () ; cont2 ++ ) 495 | { 496 | /* Si elemento1 es mayor que elemento2 */ 497 | if ( this -> elementos [ cont1 ] > this -> elementos [ cont2 ] ) 498 | { 499 | /* Intercambio los elementos en la lista maestra */ 500 | this -> Swap ( cont1 , cont2 ); 501 | 502 | /* Intercambio los elementos de las listas */ 503 | list1.Swap ( cont1 , cont2 ); 504 | list2.Swap ( cont1 , cont2 ); 505 | } 506 | } 507 | } 508 | 509 | /* Marco la lista como ordenada */ 510 | this -> ordenada = TRUE; 511 | } 512 | 513 | /****************************************************************************/ 514 | 515 | int List::Swap ( unsigned int pos1 , unsigned int pos2 ) 516 | { 517 | void *elemento1; 518 | void *elemento2; 519 | int ret = FALSE; 520 | 521 | /* Si los rangos NO estan fuera de la cantidad de elementos */ 522 | if ( ( pos1 < this -> Len () ) && ( pos2 < this -> Len () ) ) 523 | { 524 | /* Obtengo el primer elemento */ 525 | elemento1 = this -> Get ( pos1 ); 526 | 527 | /* Obtengo el segundo elemento */ 528 | elemento2 = this -> Get ( pos2 ); 529 | 530 | /* Seteo el lugar del primer elemento con el segundo */ 531 | this -> Set ( pos1 , elemento2 ); 532 | 533 | /* Seteo el lugar del segundo elemento con el primero */ 534 | this -> Set ( pos2 , elemento1 ); 535 | 536 | /* Retorno OK */ 537 | ret = TRUE; 538 | } 539 | 540 | return ( ret ); 541 | } 542 | 543 | /****************************************************************************/ 544 | 545 | int List::Get_Element_By_Secuential_Search ( void *elemento , unsigned int *pos ) 546 | { 547 | unsigned int cont; 548 | unsigned int len; 549 | int ret = FALSE; 550 | 551 | /* Averiguo la longitud de la lista */ 552 | len = this -> Len (); 553 | 554 | /* Busco el elemento en la lista */ 555 | for ( cont = 0 ; cont < len ; cont ++ ) 556 | { 557 | /* Si es el elemento que estoy buscando */ 558 | if ( this -> Get ( cont ) == elemento ) 559 | { 560 | /* Retorno la posicion del elemento */ 561 | *pos = cont; 562 | 563 | /* Retorno OK */ 564 | ret = TRUE; 565 | 566 | /* Corto la busqueda */ 567 | break; 568 | } 569 | } 570 | 571 | return ( ret ); 572 | } 573 | 574 | /****************************************************************************/ 575 | 576 | int List::Get_Element_By_Binary_Search ( void *elemento , unsigned int *pos ) 577 | { 578 | unsigned int valor_actual; 579 | int cota_minima; 580 | int cota_maxima; 581 | int pos_actual; 582 | int ret = FALSE; 583 | 584 | /* Seteo la posicion minima */ 585 | cota_minima = 0; 586 | 587 | /* Seteo la posicion maxima */ 588 | cota_maxima = this -> Len () - 1; 589 | 590 | /* Mientras no se junten la minima con la maxima */ 591 | while ( cota_minima <= cota_maxima ) 592 | { 593 | /* Me posiciono en la mitad de las 2 cotas */ 594 | pos_actual = ( cota_minima + cota_maxima ) / 2; 595 | 596 | /* Leo el valor correspondiente a la posicion */ 597 | valor_actual = ( unsigned int ) this -> elementos [ pos_actual ]; 598 | 599 | /* Si es el valor que estaba buscando */ 600 | if ( valor_actual == ( unsigned int ) elemento ) 601 | { 602 | /* Retorno la posicion */ 603 | *pos = pos_actual; 604 | 605 | /* Retorno OK */ 606 | ret = TRUE; 607 | 608 | /* Corto la busqueda */ 609 | break; 610 | } 611 | 612 | /* Si el valor actual es mas chico que el valor que estoy buscando */ 613 | if ( valor_actual < ( unsigned int ) elemento ) 614 | { 615 | /* Muevo la cota minima una posicion mas que la actual */ 616 | cota_minima = pos_actual + 1; 617 | } 618 | /* Si el valor actual es mas grande que el valor que estoy buscando */ 619 | else 620 | { 621 | cota_maxima = pos_actual - 1; 622 | } 623 | } 624 | 625 | return ( ret ); 626 | } 627 | 628 | /****************************************************************************/ 629 | 630 | int List::Save ( FILE *f ) 631 | { 632 | int ret = TRUE; 633 | 634 | /* Guardo las propiedades del objeto */ 635 | fwrite ( this , sizeof ( List ) , 1 , f ); 636 | 637 | /* Guardo la lista de todos los elementos */ 638 | fwrite ( this -> elementos , this -> len * sizeof ( void * ) , 1 , f ); 639 | 640 | return ( ret ); 641 | } 642 | 643 | /****************************************************************************/ 644 | 645 | int List::Load ( FILE *f ) 646 | { 647 | int ret = TRUE; 648 | 649 | /* Reseteo la lista */ 650 | this -> Clear (); 651 | 652 | /* Levanto las propiedades del objeto */ 653 | fread ( this , sizeof ( List ) , 1 , f ); 654 | 655 | /* Alloco espacio para todas las propiedades */ 656 | this -> elementos = ( void ** ) malloc ( this -> len * sizeof ( void * ) ); 657 | 658 | /* Levanto toda la lista de elementos */ 659 | fread ( this -> elementos , this -> len * sizeof ( void * ) , 1 , f ); 660 | 661 | return ( ret ); 662 | } 663 | 664 | /****************************************************************************/ 665 | /****************************************************************************/ 666 | 667 | #undef malloc 668 | #undef realloc 669 | #undef free 670 | 671 | /****************************************************************************/ 672 | /****************************************************************************/ 673 | 674 | -------------------------------------------------------------------------------- /src/make.bat: -------------------------------------------------------------------------------- 1 | 2 | @rem Console makefile for Microsoft Visual Studio C++ 3 | @rem Note: 4 | @rem If you don't have the "Microsoft Visual Studio" path, 5 | @rem Please, execute the "vcvarsall.bat" command in "C:\Program Files\Microsoft Visual Studio XX.X\VC" 6 | 7 | @rem To compile Gisnap use "Microsoft Visual Studio 2012" 8 | cl.exe fsnap.c /link -SUBSYSTEM:CONSOLE -DYNAMICBASE:NO -BASE:0x08000000 -FIXED 9 | cl.exe agafi.cpp /link -SUBSYSTEM:CONSOLE 10 | cl agafi-rop.cpp /link -SUBSYSTEM:CONSOLE 11 | -------------------------------------------------------------------------------- /src/qemu.c: -------------------------------------------------------------------------------- 1 | //////////////////////////////////////////////////////////////////////////////// 2 | 3 | /* qemu,c ( QEMU wrapper ) */ 4 | 5 | //////////////////////////////////////////////////////////////////////////////// 6 | 7 | /* Estructuras */ 8 | 9 | typedef struct 10 | { 11 | unsigned int padding; 12 | unsigned int base; 13 | unsigned int limit; 14 | unsigned int flags; 15 | } QEMU_SEGMENT; 16 | 17 | typedef struct 18 | { 19 | unsigned int eax; 20 | unsigned int ecx; 21 | unsigned int edx; 22 | unsigned int ebx; 23 | unsigned int esp; 24 | unsigned int ebp; 25 | unsigned int esi; 26 | unsigned int edi; 27 | unsigned int eip; 28 | unsigned int eflags; 29 | unsigned int cc_src; 30 | unsigned int cc_dst; 31 | unsigned int cc_op; 32 | unsigned int df; 33 | unsigned int hflags; 34 | unsigned int hflags2; 35 | QEMU_SEGMENT segments [ 6 ]; // ES,CS,SS,DS,FS,GS 36 | QEMU_SEGMENT ldt; 37 | QEMU_SEGMENT tr; 38 | QEMU_SEGMENT gdt; /* only base and limit are used */ 39 | QEMU_SEGMENT idt; /* only base and limit are used */ 40 | unsigned int cr[5]; /* NOTE: cr1 is unused */ 41 | unsigned int padding [0x214/sizeof (unsigned int)]; 42 | unsigned int operation_code; 43 | unsigned int operation_address; 44 | } QEMU_CONTEXT; 45 | 46 | //////////////////////////////////////////////////////////////////////////////// 47 | 48 | /* Variables globales */ 49 | 50 | HMODULE hqemu = NULL; 51 | char *qemu_module = "pyqemulib.dll"; 52 | 53 | //////////////////////////////////////////////////////////////////////////////// 54 | 55 | /* Funciones */ 56 | 57 | QEMU_CONTEXT *init_vm ( void ) 58 | { 59 | static QEMU_CONTEXT * ( *qemu_init_vm ) ( void ) = NULL; 60 | QEMU_CONTEXT *context; 61 | 62 | /* Si es la primera vez */ 63 | if ( qemu_init_vm == NULL ) 64 | { 65 | /* Resuelvo el simbolo de la funcion */ 66 | qemu_init_vm = ( QEMU_CONTEXT * ( * ) ( void ) ) GetProcAddress ( hqemu , "init_vm" ); 67 | } 68 | 69 | /* Instancio la VM */ 70 | context = qemu_init_vm (); 71 | 72 | return ( context ); 73 | } 74 | 75 | //////////////////////////////////////////////////////////////////////////////// 76 | 77 | void *allocate_memory ( void *address , unsigned int size ) 78 | { 79 | static void * ( *qemu_allocate_memory ) ( void * , unsigned int ) = NULL; 80 | void *new_address; 81 | 82 | /* Si es la primera vez */ 83 | if ( qemu_allocate_memory == NULL ) 84 | { 85 | /* Resuelvo el simbolo de la funcion */ 86 | qemu_allocate_memory = ( void * ( * ) ( void * , unsigned int ) ) GetProcAddress ( hqemu , "allocate_memory" ); 87 | } 88 | 89 | /* Alloco memoria */ 90 | new_address = ( void * ( * ) ( void * , unsigned int ) ) qemu_allocate_memory ( address , size ); 91 | 92 | return ( new_address ); 93 | } 94 | 95 | //////////////////////////////////////////////////////////////////////////////// 96 | 97 | int read_memory ( void *address , void *data , unsigned int size ) 98 | { 99 | static int ( *qemu_cpu_physical_memory_rw ) ( void * , void * , unsigned int , int ) = NULL; 100 | int ret; 101 | int res; 102 | 103 | /* Si es la primera vez */ 104 | if ( qemu_cpu_physical_memory_rw == NULL ) 105 | { 106 | /* Resuelvo el simbolo de la funcion */ 107 | qemu_cpu_physical_memory_rw = ( int ( * ) ( void * , void * , unsigned int , int ) ) GetProcAddress ( hqemu , "cpu_physical_memory_rw" ); 108 | } 109 | 110 | /* Leo la memoria pedida ( read = 0 ) */ 111 | res = qemu_cpu_physical_memory_rw ( address , data , size , 0 ); 112 | // printf ( "READ = %i\n" , res ); 113 | 114 | /* Si pude leer la memoria */ 115 | if ( res != 0 ) 116 | { 117 | /* Retorno OK */ 118 | ret = TRUE; 119 | } 120 | /* Si hubo algun ERROR */ 121 | else 122 | { 123 | /* Salgo con ERROR */ 124 | ret = FALSE; 125 | } 126 | 127 | return ( ret ); 128 | } 129 | 130 | //////////////////////////////////////////////////////////////////////////////// 131 | 132 | void write_memory ( void *data , void *address , unsigned int size ) 133 | { 134 | static int ( *qemu_cpu_physical_memory_write_rom ) ( void * , void * , unsigned int ) = NULL; 135 | 136 | /* Si es la primera vez */ 137 | if ( qemu_cpu_physical_memory_write_rom == NULL ) 138 | { 139 | /* Resuelvo el simbolo de la funcion */ 140 | qemu_cpu_physical_memory_write_rom = ( int ( * ) ( void * , void * , unsigned int ) ) GetProcAddress ( hqemu , "cpu_physical_memory_write_rom" ); 141 | } 142 | 143 | /* Alloco memoria */ 144 | qemu_cpu_physical_memory_write_rom ( data , address , size ); 145 | } 146 | 147 | //////////////////////////////////////////////////////////////////////////////// 148 | 149 | int cpu_reset ( QEMU_CONTEXT *context ) 150 | { 151 | static int ( *qemu_cpu_reset ) ( QEMU_CONTEXT * ) = NULL; 152 | int ret; 153 | 154 | /* Si es la primera vez */ 155 | if ( qemu_cpu_reset == NULL ) 156 | { 157 | /* Resuelvo el simbolo de la funcion */ 158 | qemu_cpu_reset = ( int ( * ) ( QEMU_CONTEXT * ) ) GetProcAddress ( hqemu , "cpu_reset" ); 159 | } 160 | 161 | /* Alloco memoria */ 162 | ret = qemu_cpu_reset ( context ); 163 | 164 | return ( ret ); 165 | } 166 | 167 | //////////////////////////////////////////////////////////////////////////////// 168 | 169 | int do_cpu_init ( QEMU_CONTEXT *context ) 170 | { 171 | static int ( *qemu_do_cpu_init ) ( QEMU_CONTEXT * ) = NULL; 172 | int ret; 173 | 174 | /* Si es la primera vez */ 175 | if ( qemu_do_cpu_init == NULL ) 176 | { 177 | /* Resuelvo el simbolo de la funcion */ 178 | qemu_do_cpu_init = ( int ( * ) ( QEMU_CONTEXT * ) ) GetProcAddress ( hqemu , "do_cpu_init" ); 179 | } 180 | 181 | /* Alloco memoria */ 182 | ret = qemu_do_cpu_init ( context ); 183 | 184 | return ( ret ); 185 | } 186 | 187 | //////////////////////////////////////////////////////////////////////////////// 188 | 189 | int cpu_loop ( QEMU_CONTEXT *context ) 190 | { 191 | static int ( *qemu_cpu_loop ) ( QEMU_CONTEXT * ) = NULL; 192 | int ret; 193 | 194 | /* Si es la primera vez */ 195 | if ( qemu_cpu_loop == NULL ) 196 | { 197 | /* Resuelvo el simbolo de la funcion */ 198 | qemu_cpu_loop = ( int ( * ) ( QEMU_CONTEXT * ) ) GetProcAddress ( hqemu , "cpu_loop" ); 199 | } 200 | 201 | /* Alloco memoria */ 202 | ret = qemu_cpu_loop ( context ); 203 | 204 | return ( ret ); 205 | } 206 | 207 | //////////////////////////////////////////////////////////////////////////////// 208 | 209 | int cpu_x86_exec ( QEMU_CONTEXT *context ) 210 | { 211 | static int ( *qemu_cpu_x86_exec ) ( QEMU_CONTEXT * ) = NULL; 212 | int ret; 213 | 214 | /* Si es la primera vez */ 215 | if ( qemu_cpu_x86_exec == NULL ) 216 | { 217 | /* Resuelvo el simbolo de la funcion */ 218 | qemu_cpu_x86_exec = ( int ( * ) ( QEMU_CONTEXT * ) ) GetProcAddress ( hqemu , "cpu_x86_exec" ); 219 | } 220 | 221 | /* Alloco memoria */ 222 | ret = qemu_cpu_x86_exec ( context ); 223 | 224 | return ( ret ); 225 | } 226 | 227 | //////////////////////////////////////////////////////////////////////////////// 228 | --------------------------------------------------------------------------------