├── release_version.txt ├── screenshot.jpg ├── pe ├── images │ ├── peicon.png │ └── pemain.png ├── pluginsdk │ ├── x32dbg.lib │ ├── x64dbg.lib │ ├── lz4 │ │ ├── lz4_x64.a │ │ ├── lz4_x64.lib │ │ ├── lz4_x86.a │ │ ├── lz4_x86.lib │ │ ├── lz4file.h │ │ └── lz4hc.h │ ├── x32bridge.lib │ ├── x64bridge.lib │ ├── yara │ │ ├── yara_x64.lib │ │ ├── yara_x86.lib │ │ ├── yara │ │ │ ├── object.h │ │ │ ├── globals.h │ │ │ ├── proc.h │ │ │ ├── exefiles.h │ │ │ ├── scan.h │ │ │ ├── sizedstr.h │ │ │ ├── mem.h │ │ │ ├── stream.h │ │ │ ├── threading.h │ │ │ ├── integers.h │ │ │ ├── libyara.h │ │ │ ├── limits.h │ │ │ ├── utils.h │ │ │ ├── strutils.h │ │ │ ├── filemap.h │ │ │ ├── ahocorasick.h │ │ │ ├── atoms.h │ │ │ ├── hash.h │ │ │ ├── re_lexer.h │ │ │ ├── hex_lexer.h │ │ │ ├── parser.h │ │ │ ├── arena.h │ │ │ ├── lexer.h │ │ │ ├── rules.h │ │ │ ├── error.h │ │ │ ├── compiler.h │ │ │ ├── exec.h │ │ │ ├── re.h │ │ │ └── elf.h │ │ └── yara.h │ ├── dbghelp │ │ ├── dbghelp_x64.a │ │ ├── dbghelp_x86.a │ │ ├── dbghelp_x64.lib │ │ └── dbghelp_x86.lib │ ├── jansson │ │ ├── jansson_x64.a │ │ ├── jansson_x86.a │ │ ├── jansson_x64.lib │ │ ├── jansson_x86.lib │ │ ├── jansson_x64dbg.h │ │ └── jansson_config.h │ ├── XEDParse │ │ ├── XEDParse_x64.a │ │ ├── XEDParse_x64.lib │ │ ├── XEDParse_x86.a │ │ ├── XEDParse_x86.lib │ │ └── XEDParse.h │ ├── capstone │ │ ├── capstone_x64.lib │ │ ├── capstone_x86.lib │ │ ├── platform.h │ │ └── xcore.h │ ├── TitanEngine │ │ ├── TitanEngine_x64.a │ │ ├── TitanEngine_x86.a │ │ ├── TitanEngine_x64.lib │ │ └── TitanEngine_x86.lib │ ├── DeviceNameResolver │ │ ├── DeviceNameResolver_x64.a │ │ ├── DeviceNameResolver_x64.lib │ │ ├── DeviceNameResolver_x86.a │ │ ├── DeviceNameResolver_x86.lib │ │ └── DeviceNameResolver.h │ ├── _scriptapi.h │ ├── _scriptapi_stack.h │ ├── _plugin_types.h │ ├── _scriptapi_assembler.h │ ├── _scriptapi_symbol.h │ ├── _scriptapi_pattern.h │ ├── _scriptapi_bookmark.h │ ├── _scriptapi_comment.h │ ├── _scriptapi_debug.h │ ├── _scriptapi_label.h │ ├── _scriptapi_argument.h │ ├── _scriptapi_function.h │ ├── _scriptapi_flag.h │ ├── _scriptapi_memory.h │ ├── _scriptapi_gui.h │ ├── _scriptapi_misc.h │ ├── _scriptapi_module.h │ ├── bridgelist.h │ └── bridgegraph.h ├── resource.qrc ├── PluginMainWindow.cpp ├── QtPlugin.h ├── dialoginfo.cpp ├── dialoginfo.h ├── PluginMainWindow.ui ├── PluginTabWidget.h ├── PluginMainWindow.h ├── pluginmain.h ├── PluginTabWidget.cpp ├── QtPlugin.cpp ├── dialoginfo.ui ├── pluginmain.cpp └── pe.pro ├── clear.bat ├── release.bat ├── README.md ├── LICENSE └── .gitmodules /release_version.txt: -------------------------------------------------------------------------------- 1 | 0.06 -------------------------------------------------------------------------------- /screenshot.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/screenshot.jpg -------------------------------------------------------------------------------- /pe/images/peicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/images/peicon.png -------------------------------------------------------------------------------- /pe/images/pemain.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/images/pemain.png -------------------------------------------------------------------------------- /pe/pluginsdk/x32dbg.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/x32dbg.lib -------------------------------------------------------------------------------- /pe/pluginsdk/x64dbg.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/x64dbg.lib -------------------------------------------------------------------------------- /pe/pluginsdk/lz4/lz4_x64.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/lz4/lz4_x64.a -------------------------------------------------------------------------------- /pe/pluginsdk/lz4/lz4_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/lz4/lz4_x64.lib -------------------------------------------------------------------------------- /pe/pluginsdk/lz4/lz4_x86.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/lz4/lz4_x86.a -------------------------------------------------------------------------------- /pe/pluginsdk/lz4/lz4_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/lz4/lz4_x86.lib -------------------------------------------------------------------------------- /pe/pluginsdk/x32bridge.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/x32bridge.lib -------------------------------------------------------------------------------- /pe/pluginsdk/x64bridge.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/x64bridge.lib -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/yara/yara_x64.lib -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/yara/yara_x86.lib -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/object.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/yara/yara/object.h -------------------------------------------------------------------------------- /pe/pluginsdk/dbghelp/dbghelp_x64.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/dbghelp/dbghelp_x64.a -------------------------------------------------------------------------------- /pe/pluginsdk/dbghelp/dbghelp_x86.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/dbghelp/dbghelp_x86.a -------------------------------------------------------------------------------- /pe/pluginsdk/jansson/jansson_x64.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/jansson/jansson_x64.a -------------------------------------------------------------------------------- /pe/pluginsdk/jansson/jansson_x86.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/jansson/jansson_x86.a -------------------------------------------------------------------------------- /clear.bat: -------------------------------------------------------------------------------- 1 | rmdir /s /q tmp 2 | rmdir /s /q debug 3 | 4 | del Makefile 5 | del Makefile.Release 6 | del Makefile.Debug 7 | -------------------------------------------------------------------------------- /pe/pluginsdk/XEDParse/XEDParse_x64.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/XEDParse/XEDParse_x64.a -------------------------------------------------------------------------------- /pe/pluginsdk/XEDParse/XEDParse_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/XEDParse/XEDParse_x64.lib -------------------------------------------------------------------------------- /pe/pluginsdk/XEDParse/XEDParse_x86.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/XEDParse/XEDParse_x86.a -------------------------------------------------------------------------------- /pe/pluginsdk/XEDParse/XEDParse_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/XEDParse/XEDParse_x86.lib -------------------------------------------------------------------------------- /pe/pluginsdk/capstone/capstone_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/capstone/capstone_x64.lib -------------------------------------------------------------------------------- /pe/pluginsdk/capstone/capstone_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/capstone/capstone_x86.lib -------------------------------------------------------------------------------- /pe/pluginsdk/dbghelp/dbghelp_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/dbghelp/dbghelp_x64.lib -------------------------------------------------------------------------------- /pe/pluginsdk/dbghelp/dbghelp_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/dbghelp/dbghelp_x86.lib -------------------------------------------------------------------------------- /pe/pluginsdk/jansson/jansson_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/jansson/jansson_x64.lib -------------------------------------------------------------------------------- /pe/pluginsdk/jansson/jansson_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/jansson/jansson_x86.lib -------------------------------------------------------------------------------- /pe/pluginsdk/TitanEngine/TitanEngine_x64.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/TitanEngine/TitanEngine_x64.a -------------------------------------------------------------------------------- /pe/pluginsdk/TitanEngine/TitanEngine_x86.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/TitanEngine/TitanEngine_x86.a -------------------------------------------------------------------------------- /pe/pluginsdk/TitanEngine/TitanEngine_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/TitanEngine/TitanEngine_x64.lib -------------------------------------------------------------------------------- /pe/pluginsdk/TitanEngine/TitanEngine_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/TitanEngine/TitanEngine_x86.lib -------------------------------------------------------------------------------- /pe/pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.a -------------------------------------------------------------------------------- /pe/pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.lib -------------------------------------------------------------------------------- /pe/pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.a -------------------------------------------------------------------------------- /pe/pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/horsicq/pex64dbg/HEAD/pe/pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.lib -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPT_API_H 2 | #define _SCRIPT_API_H 3 | 4 | #include "_plugins.h" 5 | 6 | #define SCRIPT_EXPORT PLUG_IMPEXP 7 | 8 | #endif //_SCRIPT_API_H -------------------------------------------------------------------------------- /pe/resource.qrc: -------------------------------------------------------------------------------- 1 | 2 | 3 | images/peicon.png 4 | images/pemain.png 5 | 6 | 7 | -------------------------------------------------------------------------------- /release.bat: -------------------------------------------------------------------------------- 1 | mkdir release\x32\plugins 2 | mkdir release\x64\plugins 3 | copy bin\x32\peviewer.dll release\x32\plugins\peviewer.dp32 4 | copy bin\x64\peviewer.dll release\x64\plugins\peviewer.dp64 -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi_stack.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_STACK_H 2 | #define _SCRIPTAPI_STACK_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Stack 9 | { 10 | SCRIPT_EXPORT duint Pop(); 11 | SCRIPT_EXPORT duint Push(duint value); //returns the previous top, equal to Peek(1) 12 | SCRIPT_EXPORT duint Peek(int offset = 0); //offset is in multiples of Register::Size(), for easy x32/x64 portability 13 | }; //Stack 14 | }; //Script 15 | 16 | #endif //_SCRIPTAPI_STACK_H -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![GitHub tag (latest SemVer)](https://img.shields.io/github/tag/horsicq/pex64dbg.svg)](https://github.com/horsicq/pex64dbg/releases) 2 | [![GitHub All Releases](https://img.shields.io/github/downloads/horsicq/pex64dbg/total.svg)](https://github.com/horsicq/pex64dbg/releases) 3 | 4 | Plugin for x64dbg. 5 | 6 | ![alt text](https://github.com/horsicq/pex64dbg/blob/master/screenshot.jpg "Screenshot") 7 | 8 | More info: https://n10info.blogspot.com/2019/05/pe-viewer-plugin-for-x64dbg.html 9 | 10 | ## Special Thanks 11 | 12 | - [PELock Software Protection & Reverse Engineering](https://www.pelock.com) 13 | -------------------------------------------------------------------------------- /pe/pluginsdk/jansson/jansson_x64dbg.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "jansson.h" 4 | 5 | typedef json_t* JSON; 6 | 7 | static JSON_INLINE 8 | json_t* json_hex(unsigned json_int_t value) 9 | { 10 | char hexvalue[20]; 11 | sprintf_s(hexvalue, "0x%llX", value); 12 | return json_string(hexvalue); 13 | } 14 | 15 | static JSON_INLINE 16 | unsigned json_int_t json_hex_value(const json_t* hex) 17 | { 18 | unsigned json_int_t ret = 0; 19 | const char* hexvalue; 20 | hexvalue = json_string_value(hex); 21 | if(!hexvalue) 22 | return 0; 23 | sscanf_s(hexvalue, "0x%llX", &ret); 24 | return ret; 25 | } 26 | -------------------------------------------------------------------------------- /pe/pluginsdk/_plugin_types.h: -------------------------------------------------------------------------------- 1 | #ifndef _PLUGIN_DATA_H 2 | #define _PLUGIN_DATA_H 3 | 4 | #ifdef BUILD_DBG 5 | 6 | #include "_global.h" 7 | #include "jansson/jansson.h" 8 | #pragma warning(push) 9 | #pragma warning(disable:4091) 10 | #include 11 | #pragma warning(pop) 12 | 13 | #else 14 | 15 | #ifdef __GNUC__ 16 | #include "dbghelp/dbghelp.h" 17 | #else 18 | #pragma warning(push) 19 | #pragma warning(disable:4091) 20 | #include 21 | #pragma warning(pop) 22 | #endif // __GNUC__ 23 | 24 | #ifndef deflen 25 | #define deflen 1024 26 | #endif // deflen 27 | 28 | #include "bridgemain.h" 29 | #include "_dbgfunctions.h" 30 | #include "jansson/jansson.h" 31 | 32 | #endif // BUILD_DBG 33 | 34 | #endif // _PLUGIN_DATA_H 35 | -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi_assembler.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_ASSEMBLER_H 2 | #define _SCRIPTAPI_ASSEMBLER_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Assembler 9 | { 10 | SCRIPT_EXPORT bool Assemble(duint addr, unsigned char* dest, int* size, const char* instruction); //dest[16] 11 | SCRIPT_EXPORT bool AssembleEx(duint addr, unsigned char* dest, int* size, const char* instruction, char* error); //dest[16], error[MAX_ERROR_SIZE] 12 | SCRIPT_EXPORT bool AssembleMem(duint addr, const char* instruction); 13 | SCRIPT_EXPORT bool AssembleMemEx(duint addr, const char* instruction, int* size, char* error, bool fillnop); //error[MAX_ERROR_SIZE] 14 | }; //Assembler 15 | }; //Script 16 | 17 | #endif //_SCRIPTAPI_ASSEMBLER_H -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi_symbol.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_SYMBOL_H 2 | #define _SCRIPTAPI_SYMBOL_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Symbol 9 | { 10 | enum SymbolType 11 | { 12 | Function, //user-defined function 13 | Import, //IAT entry 14 | Export //export 15 | }; 16 | 17 | struct SymbolInfo 18 | { 19 | char mod[MAX_MODULE_SIZE]; 20 | duint rva; 21 | char name[MAX_LABEL_SIZE]; 22 | bool manual; 23 | SymbolType type; 24 | }; 25 | 26 | SCRIPT_EXPORT bool GetList(ListOf(SymbolInfo) list); //caller has the responsibility to free the list 27 | }; //Symbol 28 | }; //Script 29 | 30 | #endif //_SCRIPTAPI_SYMBOL_H -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi_pattern.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_PATTERN_H 2 | #define _SCRIPTAPI_PATTERN_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Pattern 9 | { 10 | SCRIPT_EXPORT duint Find(unsigned char* data, duint datasize, const char* pattern); 11 | SCRIPT_EXPORT duint FindMem(duint start, duint size, const char* pattern); 12 | SCRIPT_EXPORT void Write(unsigned char* data, duint datasize, const char* pattern); 13 | SCRIPT_EXPORT void WriteMem(duint start, duint size, const char* pattern); 14 | SCRIPT_EXPORT bool SearchAndReplace(unsigned char* data, duint datasize, const char* searchpattern, const char* replacepattern); 15 | SCRIPT_EXPORT bool SearchAndReplaceMem(duint start, duint size, const char* searchpattern, const char* replacepattern); 16 | }; 17 | }; 18 | 19 | #endif //_SCRIPTAPI_FIND_H -------------------------------------------------------------------------------- /pe/pluginsdk/lz4/lz4file.h: -------------------------------------------------------------------------------- 1 | #ifndef _LZ4FILE_H 2 | #define _LZ4FILE_H 3 | 4 | typedef enum _LZ4_STATUS 5 | { 6 | LZ4_SUCCESS, 7 | LZ4_FAILED_OPEN_INPUT, 8 | LZ4_FAILED_OPEN_OUTPUT, 9 | LZ4_NOT_ENOUGH_MEMORY, 10 | LZ4_INVALID_ARCHIVE, 11 | LZ4_CORRUPTED_ARCHIVE 12 | } LZ4_STATUS; 13 | 14 | #if defined (__cplusplus) 15 | extern "C" 16 | { 17 | #endif 18 | 19 | __declspec(dllimport) LZ4_STATUS LZ4_compress_file(const char* input_filename, const char* output_filename); 20 | __declspec(dllimport) LZ4_STATUS LZ4_compress_fileW(const wchar_t* input_filename, const wchar_t* output_filename); 21 | __declspec(dllimport) LZ4_STATUS LZ4_decompress_file(const char* input_filename, const char* output_filename); 22 | __declspec(dllimport) LZ4_STATUS LZ4_decompress_fileW(const wchar_t* input_filename, const wchar_t* output_filename); 23 | 24 | #if defined (__cplusplus) 25 | } 26 | #endif 27 | 28 | #endif //_LZ4FILE_H -------------------------------------------------------------------------------- /pe/pluginsdk/DeviceNameResolver/DeviceNameResolver.h: -------------------------------------------------------------------------------- 1 | #ifndef _DEVICENAMERESOLVER_H 2 | #define _DEVICENAMERESOLVER_H 3 | 4 | #include 5 | 6 | #ifdef __cplusplus 7 | extern "C" 8 | { 9 | #endif 10 | 11 | __declspec(dllexport) bool DevicePathToPathW(const wchar_t* szDevicePath, wchar_t* szPath, size_t nSizeInChars); 12 | __declspec(dllexport) bool DevicePathToPathA(const char* szDevicePath, char* szPath, size_t nSizeInChars); 13 | __declspec(dllexport) bool DevicePathFromFileHandleW(HANDLE hFile, wchar_t* szDevicePath, size_t nSizeInChars); 14 | __declspec(dllexport) bool DevicePathFromFileHandleA(HANDLE hFile, char* szDevicePath, size_t nSizeInChars); 15 | __declspec(dllexport) bool PathFromFileHandleW(HANDLE hFile, wchar_t* szPath, size_t nSizeInChars); 16 | __declspec(dllexport) bool PathFromFileHandleA(HANDLE hFile, char* szPath, size_t nSizeInChars); 17 | 18 | #ifdef __cplusplus 19 | } 20 | #endif 21 | 22 | #endif // _DEVICENAMERESOLVER_H 23 | -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi_bookmark.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_BOOKMARK_H 2 | #define _SCRIPTAPI_BOOKMARK_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Bookmark 9 | { 10 | struct BookmarkInfo 11 | { 12 | char mod[MAX_MODULE_SIZE]; 13 | duint rva; 14 | bool manual; 15 | }; 16 | 17 | SCRIPT_EXPORT bool Set(duint addr, bool manual = false); 18 | SCRIPT_EXPORT bool Set(const BookmarkInfo* info); 19 | SCRIPT_EXPORT bool Get(duint addr); 20 | SCRIPT_EXPORT bool GetInfo(duint addr, BookmarkInfo* info); 21 | SCRIPT_EXPORT bool Delete(duint addr); 22 | SCRIPT_EXPORT void DeleteRange(duint start, duint end); 23 | SCRIPT_EXPORT void Clear(); 24 | SCRIPT_EXPORT bool GetList(ListOf(BookmarkInfo) list); //caller has the responsibility to free the list 25 | }; //Bookmark 26 | }; //Script 27 | 28 | #endif //_SCRIPTAPI_BOOKMARK_H -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi_comment.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_COMMENT_H 2 | #define _SCRIPTAPI_COMMENT_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Comment 9 | { 10 | struct CommentInfo 11 | { 12 | char mod[MAX_MODULE_SIZE]; 13 | duint rva; 14 | char text[MAX_LABEL_SIZE]; 15 | bool manual; 16 | }; 17 | 18 | SCRIPT_EXPORT bool Set(duint addr, const char* text, bool manual = false); 19 | SCRIPT_EXPORT bool Set(const CommentInfo* info); 20 | SCRIPT_EXPORT bool Get(duint addr, char* text); //text[MAX_COMMENT_SIZE] 21 | SCRIPT_EXPORT bool GetInfo(duint addr, CommentInfo* info); 22 | SCRIPT_EXPORT bool Delete(duint addr); 23 | SCRIPT_EXPORT void DeleteRange(duint start, duint end); 24 | SCRIPT_EXPORT void Clear(); 25 | SCRIPT_EXPORT bool GetList(ListOf(CommentInfo) list); //caller has the responsibility to free the list 26 | }; //Comment 27 | }; //Script 28 | 29 | #endif //_SCRIPTAPI_COMMENT_H -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi_debug.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_DEBUG_H 2 | #define _SCRIPTAPI_DEBUG_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Debug 9 | { 10 | enum HardwareType 11 | { 12 | HardwareAccess, 13 | HardwareWrite, 14 | HardwareExecute 15 | }; 16 | 17 | SCRIPT_EXPORT void Wait(); 18 | SCRIPT_EXPORT void Run(); 19 | SCRIPT_EXPORT void Pause(); 20 | SCRIPT_EXPORT void Stop(); 21 | SCRIPT_EXPORT void StepIn(); 22 | SCRIPT_EXPORT void StepOver(); 23 | SCRIPT_EXPORT void StepOut(); 24 | SCRIPT_EXPORT bool SetBreakpoint(duint address); 25 | SCRIPT_EXPORT bool DeleteBreakpoint(duint address); 26 | SCRIPT_EXPORT bool DisableBreakpoint(duint address); 27 | SCRIPT_EXPORT bool SetHardwareBreakpoint(duint address, HardwareType type = HardwareExecute); 28 | SCRIPT_EXPORT bool DeleteHardwareBreakpoint(duint address); 29 | }; //Debug 30 | }; //Script 31 | 32 | #endif //_SCRIPTAPI_DEBUG_H -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi_label.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_LABEL_H 2 | #define _SCRIPTAPI_LABEL_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Label 9 | { 10 | struct LabelInfo 11 | { 12 | char mod[MAX_MODULE_SIZE]; 13 | duint rva; 14 | char text[MAX_LABEL_SIZE]; 15 | bool manual; 16 | }; 17 | 18 | SCRIPT_EXPORT bool Set(duint addr, const char* text, bool manual = false); 19 | SCRIPT_EXPORT bool Set(const LabelInfo* info); 20 | SCRIPT_EXPORT bool FromString(const char* label, duint* addr); 21 | SCRIPT_EXPORT bool Get(duint addr, char* text); //text[MAX_LABEL_SIZE] 22 | SCRIPT_EXPORT bool GetInfo(duint addr, LabelInfo* info); 23 | SCRIPT_EXPORT bool Delete(duint addr); 24 | SCRIPT_EXPORT void DeleteRange(duint start, duint end); 25 | SCRIPT_EXPORT void Clear(); 26 | SCRIPT_EXPORT bool GetList(ListOf(LabelInfo) list); //caller has the responsibility to free the list 27 | }; //Label 28 | }; //Script 29 | 30 | #endif //_SCRIPTAPI_LABEL_H -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017-2025 hors 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi_argument.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_ARGUMENT_H 2 | #define _SCRIPTAPI_ARGUMENT_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Argument 9 | { 10 | struct ArgumentInfo 11 | { 12 | char mod[MAX_MODULE_SIZE]; 13 | duint rvaStart; 14 | duint rvaEnd; 15 | bool manual; 16 | duint instructioncount; 17 | }; 18 | 19 | SCRIPT_EXPORT bool Add(duint start, duint end, bool manual, duint instructionCount = 0); 20 | SCRIPT_EXPORT bool Add(const ArgumentInfo* info); 21 | SCRIPT_EXPORT bool Get(duint addr, duint* start = nullptr, duint* end = nullptr, duint* instructionCount = nullptr); 22 | SCRIPT_EXPORT bool GetInfo(duint addr, ArgumentInfo* info); 23 | SCRIPT_EXPORT bool Overlaps(duint start, duint end); 24 | SCRIPT_EXPORT bool Delete(duint address); 25 | SCRIPT_EXPORT void DeleteRange(duint start, duint end, bool deleteManual = false); 26 | SCRIPT_EXPORT void Clear(); 27 | SCRIPT_EXPORT bool GetList(ListOf(ArgumentInfo) list); //caller has the responsibility to free the list 28 | }; //Argument 29 | }; //Script 30 | 31 | #endif //_SCRIPTAPI_ARGUMENT_H -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi_function.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_FUNCTION_H 2 | #define _SCRIPTAPI_FUNCTION_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Function 9 | { 10 | struct FunctionInfo 11 | { 12 | char mod[MAX_MODULE_SIZE]; 13 | duint rvaStart; 14 | duint rvaEnd; 15 | bool manual; 16 | duint instructioncount; 17 | }; 18 | 19 | SCRIPT_EXPORT bool Add(duint start, duint end, bool manual, duint instructionCount = 0); 20 | SCRIPT_EXPORT bool Add(const FunctionInfo* info); 21 | SCRIPT_EXPORT bool Get(duint addr, duint* start = nullptr, duint* end = nullptr, duint* instructionCount = nullptr); 22 | SCRIPT_EXPORT bool GetInfo(duint addr, FunctionInfo* info); 23 | SCRIPT_EXPORT bool Overlaps(duint start, duint end); 24 | SCRIPT_EXPORT bool Delete(duint address); 25 | SCRIPT_EXPORT void DeleteRange(duint start, duint end, bool deleteManual); 26 | SCRIPT_EXPORT void DeleteRange(duint start, duint end); 27 | SCRIPT_EXPORT void Clear(); 28 | SCRIPT_EXPORT bool GetList(ListOf(FunctionInfo) list); //caller has the responsibility to free the list 29 | }; //Function 30 | }; //Script 31 | 32 | #endif //_SCRIPTAPI_FUNCTION_H 33 | -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi_flag.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_FLAG_H 2 | #define _SCRIPTAPI_FLAG_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Flag 9 | { 10 | enum FlagEnum 11 | { 12 | ZF, 13 | OF, 14 | CF, 15 | PF, 16 | SF, 17 | TF, 18 | AF, 19 | DF, 20 | IF 21 | }; 22 | 23 | SCRIPT_EXPORT bool Get(FlagEnum flag); 24 | SCRIPT_EXPORT bool Set(FlagEnum flag, bool value); 25 | 26 | SCRIPT_EXPORT bool GetZF(); 27 | SCRIPT_EXPORT bool SetZF(bool value); 28 | SCRIPT_EXPORT bool GetOF(); 29 | SCRIPT_EXPORT bool SetOF(bool value); 30 | SCRIPT_EXPORT bool GetCF(); 31 | SCRIPT_EXPORT bool SetCF(bool value); 32 | SCRIPT_EXPORT bool GetPF(); 33 | SCRIPT_EXPORT bool SetPF(bool value); 34 | SCRIPT_EXPORT bool GetSF(); 35 | SCRIPT_EXPORT bool SetSF(bool value); 36 | SCRIPT_EXPORT bool GetTF(); 37 | SCRIPT_EXPORT bool SetTF(bool value); 38 | SCRIPT_EXPORT bool GetAF(); 39 | SCRIPT_EXPORT bool SetAF(bool value); 40 | SCRIPT_EXPORT bool GetDF(); 41 | SCRIPT_EXPORT bool SetDF(bool value); 42 | SCRIPT_EXPORT bool GetIF(); 43 | SCRIPT_EXPORT bool SetIF(bool value); 44 | }; 45 | }; 46 | 47 | #endif //_SCRIPTAPI_FLAG_H -------------------------------------------------------------------------------- /pe/pluginsdk/XEDParse/XEDParse.h: -------------------------------------------------------------------------------- 1 | #ifndef _XEDPARSE_H 2 | #define _XEDPARSE_H 3 | 4 | #include 5 | 6 | //XEDParse defines 7 | #ifdef XEDPARSE_BUILD 8 | #define XEDPARSE_EXPORT __declspec(dllexport) 9 | #else 10 | #define XEDPARSE_EXPORT __declspec(dllimport) 11 | #endif //XEDPARSE_BUILD 12 | 13 | #define XEDPARSE_CALL //calling convention 14 | 15 | #define XEDPARSE_MAXBUFSIZE 256 16 | #define XEDPARSE_MAXASMSIZE 16 17 | 18 | //typedefs 19 | typedef bool (XEDPARSE_CALL* CBXEDPARSE_UNKNOWN)(const char* text, ULONGLONG* value); 20 | 21 | //XEDParse enums 22 | enum XEDPARSE_STATUS 23 | { 24 | XEDPARSE_ERROR = 0, 25 | XEDPARSE_OK = 1 26 | }; 27 | 28 | //XEDParse structs 29 | #pragma pack(push,8) 30 | struct XEDPARSE 31 | { 32 | bool x64; // use 64-bit instructions 33 | ULONGLONG cip; //instruction pointer (for relative addressing) 34 | unsigned int dest_size; //destination size (returned by XEDParse) 35 | CBXEDPARSE_UNKNOWN cbUnknown; //unknown operand callback 36 | unsigned char dest[XEDPARSE_MAXASMSIZE]; //destination buffer 37 | char instr[XEDPARSE_MAXBUFSIZE]; //instruction text 38 | char error[XEDPARSE_MAXBUFSIZE]; //error text (in case of an error) 39 | }; 40 | #pragma pack(pop) 41 | 42 | #ifdef __cplusplus 43 | extern "C" 44 | { 45 | #endif 46 | 47 | XEDPARSE_EXPORT XEDPARSE_STATUS XEDPARSE_CALL XEDParseAssemble(XEDPARSE* XEDParse); 48 | 49 | #ifdef __cplusplus 50 | } 51 | #endif 52 | 53 | #endif // _XEDPARSE_H 54 | -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi_memory.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_MEMORY_H 2 | #define _SCRIPTAPI_MEMORY_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Memory 9 | { 10 | SCRIPT_EXPORT bool Read(duint addr, void* data, duint size, duint* sizeRead); 11 | SCRIPT_EXPORT bool Write(duint addr, const void* data, duint size, duint* sizeWritten); 12 | SCRIPT_EXPORT bool IsValidPtr(duint addr); 13 | SCRIPT_EXPORT duint RemoteAlloc(duint addr, duint size); 14 | SCRIPT_EXPORT bool RemoteFree(duint addr); 15 | SCRIPT_EXPORT unsigned int GetProtect(duint addr, bool reserved = false, bool cache = true); 16 | SCRIPT_EXPORT duint GetBase(duint addr, bool reserved = false, bool cache = true); 17 | SCRIPT_EXPORT duint GetSize(duint addr, bool reserved = false, bool cache = true); 18 | 19 | SCRIPT_EXPORT unsigned char ReadByte(duint addr); 20 | SCRIPT_EXPORT bool WriteByte(duint addr, unsigned char data); 21 | SCRIPT_EXPORT unsigned short ReadWord(duint addr); 22 | SCRIPT_EXPORT bool WriteWord(duint addr, unsigned short data); 23 | SCRIPT_EXPORT unsigned int ReadDword(duint addr); 24 | SCRIPT_EXPORT bool WriteDword(duint addr, unsigned int data); 25 | SCRIPT_EXPORT unsigned long long ReadQword(duint addr); 26 | SCRIPT_EXPORT bool WriteQword(duint addr, unsigned long long data); 27 | SCRIPT_EXPORT duint ReadPtr(duint addr); 28 | SCRIPT_EXPORT bool WritePtr(duint addr, duint data); 29 | }; //Memory 30 | }; //Script 31 | 32 | #endif //_SCRIPTAPI_MEMORY_H -------------------------------------------------------------------------------- /pe/PluginMainWindow.cpp: -------------------------------------------------------------------------------- 1 | // Copyright (c) 2017-2019 hors 2 | // 3 | // Permission is hereby granted, free of charge, to any person obtaining a copy 4 | // of this software and associated documentation files (the "Software"), to deal 5 | // in the Software without restriction, including without limitation the rights 6 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | // copies of the Software, and to permit persons to whom the Software is 8 | // furnished to do so, subject to the following conditions: 9 | 10 | // The above copyright notice and this permission notice shall be included in all 11 | // copies or substantial portions of the Software. 12 | 13 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | // SOFTWARE. 20 | // 21 | #include "PluginMainWindow.h" 22 | #include "ui_PluginMainWindow.h" 23 | 24 | PluginMainWindow::PluginMainWindow(QWidget* parent) : QMainWindow(parent), ui(new Ui::PluginMainWindow) 25 | { 26 | ui->setupUi(this); 27 | 28 | Plugin::pFormResult=ui->widgetResult; 29 | 30 | ui->widgetResult->hide(); 31 | } 32 | 33 | PluginMainWindow::~PluginMainWindow() 34 | { 35 | delete ui; 36 | } 37 | -------------------------------------------------------------------------------- /pe/QtPlugin.h: -------------------------------------------------------------------------------- 1 | // Copyright (c) 2017-2019 hors 2 | // 3 | // Permission is hereby granted, free of charge, to any person obtaining a copy 4 | // of this software and associated documentation files (the "Software"), to deal 5 | // in the Software without restriction, including without limitation the rights 6 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | // copies of the Software, and to permit persons to whom the Software is 8 | // furnished to do so, subject to the following conditions: 9 | 10 | // The above copyright notice and this permission notice shall be included in all 11 | // copies or substantial portions of the Software. 12 | 13 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | // SOFTWARE. 20 | // 21 | #ifndef QTPLUGIN_H 22 | #define QTPLUGIN_H 23 | 24 | //#include "PluginTabWidget.h" 25 | //#include "PluginMainWindow.h" 26 | 27 | #define plugin_name "PE Viewer" 28 | #define plugin_version 4 // 0.04 29 | #define plugin_version_str "0.04" // 0.04 30 | 31 | namespace QtPlugin 32 | { 33 | void Init(); 34 | void Setup(); 35 | void WaitForSetup(); 36 | void Stop(); 37 | void WaitForStop(); 38 | void ShowTab(); 39 | } //QtPlugin 40 | 41 | #endif // QTPLUGIN_H 42 | -------------------------------------------------------------------------------- /pe/dialoginfo.cpp: -------------------------------------------------------------------------------- 1 | // Copyright (c) 2017-2019 hors 2 | // 3 | // Permission is hereby granted, free of charge, to any person obtaining a copy 4 | // of this software and associated documentation files (the "Software"), to deal 5 | // in the Software without restriction, including without limitation the rights 6 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | // copies of the Software, and to permit persons to whom the Software is 8 | // furnished to do so, subject to the following conditions: 9 | 10 | // The above copyright notice and this permission notice shall be included in all 11 | // copies or substantial portions of the Software. 12 | 13 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | // SOFTWARE. 20 | // 21 | #include "dialoginfo.h" 22 | #include "ui_dialoginfo.h" 23 | 24 | DialogInfo::DialogInfo(QWidget *parent) : 25 | QDialog(parent), 26 | ui(new Ui::DialogInfo) 27 | { 28 | ui->setupUi(this); 29 | 30 | ui->labelVersion->setText(tr("Plugin version: %1").arg(plugin_version_str)); 31 | } 32 | 33 | DialogInfo::~DialogInfo() 34 | { 35 | delete ui; 36 | } 37 | 38 | void DialogInfo::on_pushButtonOK_clicked() 39 | { 40 | this->close(); 41 | } 42 | -------------------------------------------------------------------------------- /pe/dialoginfo.h: -------------------------------------------------------------------------------- 1 | // Copyright (c) 2017-2019 hors 2 | // 3 | // Permission is hereby granted, free of charge, to any person obtaining a copy 4 | // of this software and associated documentation files (the "Software"), to deal 5 | // in the Software without restriction, including without limitation the rights 6 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | // copies of the Software, and to permit persons to whom the Software is 8 | // furnished to do so, subject to the following conditions: 9 | 10 | // The above copyright notice and this permission notice shall be included in all 11 | // copies or substantial portions of the Software. 12 | 13 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | // SOFTWARE. 20 | // 21 | #ifndef DIALOGINFO_H 22 | #define DIALOGINFO_H 23 | 24 | #include 25 | #include "QtPlugin.h" 26 | 27 | namespace Ui 28 | { 29 | class DialogInfo; 30 | } 31 | 32 | class DialogInfo : public QDialog 33 | { 34 | Q_OBJECT 35 | 36 | public: 37 | explicit DialogInfo(QWidget *parent = 0); 38 | ~DialogInfo(); 39 | 40 | private slots: 41 | void on_pushButtonOK_clicked(); 42 | 43 | private: 44 | Ui::DialogInfo *ui; 45 | }; 46 | 47 | #endif // DIALOGINFO_H 48 | -------------------------------------------------------------------------------- /pe/PluginMainWindow.ui: -------------------------------------------------------------------------------- 1 | 2 | 3 | PluginMainWindow 4 | 5 | 6 | 7 | 0 8 | 0 9 | 800 10 | 600 11 | 12 | 13 | 14 | QtPlugin 15 | 16 | 17 | 18 | :/icons_peviewer/images/peicon.png:/icons_peviewer/images/peicon.png 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 0 27 | 0 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | &Clear Text 37 | 38 | 39 | Clear Text 40 | 41 | 42 | 43 | 44 | 45 | PEWidget 46 | QWidget 47 |
pewidget.h
48 | 1 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /pe/PluginTabWidget.h: -------------------------------------------------------------------------------- 1 | // Copyright (c) 2017-2019 hors 2 | // 3 | // Permission is hereby granted, free of charge, to any person obtaining a copy 4 | // of this software and associated documentation files (the "Software"), to deal 5 | // in the Software without restriction, including without limitation the rights 6 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | // copies of the Software, and to permit persons to whom the Software is 8 | // furnished to do so, subject to the following conditions: 9 | 10 | // The above copyright notice and this permission notice shall be included in all 11 | // copies or substantial portions of the Software. 12 | 13 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | // SOFTWARE. 20 | // 21 | #ifndef PLUGINTABWIDGET_H 22 | #define PLUGINTABWIDGET_H 23 | 24 | #include 25 | #include 26 | #include 27 | 28 | #include "PluginMainWindow.h" 29 | #include "pluginmain.h" 30 | 31 | class PluginTabWidget : public QWidget 32 | { 33 | Q_OBJECT 34 | public: 35 | explicit PluginTabWidget(QWidget* parent = 0); 36 | 37 | protected: 38 | void closeEvent(QCloseEvent* event); 39 | 40 | private: 41 | PluginMainWindow* mPluginMainWindow; 42 | }; 43 | 44 | #endif // PLUGINTABWIDGET_H 45 | -------------------------------------------------------------------------------- /pe/PluginMainWindow.h: -------------------------------------------------------------------------------- 1 | // Copyright (c) 2017-2019 hors 2 | // 3 | // Permission is hereby granted, free of charge, to any person obtaining a copy 4 | // of this software and associated documentation files (the "Software"), to deal 5 | // in the Software without restriction, including without limitation the rights 6 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | // copies of the Software, and to permit persons to whom the Software is 8 | // furnished to do so, subject to the following conditions: 9 | 10 | // The above copyright notice and this permission notice shall be included in all 11 | // copies or substantial portions of the Software. 12 | 13 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | // SOFTWARE. 20 | // 21 | #ifndef PLUGINMAINWINDOW_H 22 | #define PLUGINMAINWINDOW_H 23 | 24 | #include 25 | 26 | #include "pewidget.h" 27 | #include "dialoginfo.h" 28 | #include "pluginmain.h" 29 | 30 | namespace Ui 31 | { 32 | class PluginMainWindow; 33 | } 34 | 35 | class PluginMainWindow : public QMainWindow 36 | { 37 | Q_OBJECT 38 | 39 | public: 40 | explicit PluginMainWindow(QWidget* parent=nullptr); 41 | ~PluginMainWindow(); 42 | 43 | private: 44 | Ui::PluginMainWindow* ui; 45 | }; 46 | 47 | #endif // PLUGINMAINWINDOW_H 48 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/globals.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_GLOBALS_H 31 | #define YR_GLOBALS_H 32 | 33 | extern char lowercase[256]; 34 | extern char altercase[256]; 35 | 36 | #endif 37 | -------------------------------------------------------------------------------- /pe/pluginmain.h: -------------------------------------------------------------------------------- 1 | // Copyright (c) 2017-2019 hors 2 | // 3 | // Permission is hereby granted, free of charge, to any person obtaining a copy 4 | // of this software and associated documentation files (the "Software"), to deal 5 | // in the Software without restriction, including without limitation the rights 6 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | // copies of the Software, and to permit persons to whom the Software is 8 | // furnished to do so, subject to the following conditions: 9 | 10 | // The above copyright notice and this permission notice shall be included in all 11 | // copies or substantial portions of the Software. 12 | 13 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | // SOFTWARE. 20 | // 21 | #ifndef _PLUGINMAIN_H 22 | #define _PLUGINMAIN_H 23 | 24 | #include 25 | #include "pluginsdk\_plugins.h" 26 | #include "QtPlugin.h" 27 | #include 28 | #include "dialoginfo.h" 29 | #include "pewidget.h" 30 | 31 | namespace Plugin 32 | { 33 | extern int handle; 34 | extern HWND hwndDlg; 35 | extern int hMenu; 36 | extern int hMenuDisasm; 37 | extern int hMenuDump; 38 | extern int hMenuStack; 39 | extern QString sCurrentFileName; 40 | extern PEWidget *pFormResult; 41 | extern FW_DEF::OPTIONS options; 42 | extern QFile *pFile; 43 | 44 | enum PLUGIN_MENU 45 | { 46 | PLUGIN_MENU_ABOUT 47 | }; 48 | } //Plugin 49 | 50 | #endif //_PLUGINMAIN_H 51 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/proc.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_PROC_H 31 | #define YR_PROC_H 32 | 33 | #include "types.h" 34 | 35 | int yr_process_open_iterator( 36 | int pid, 37 | YR_MEMORY_BLOCK_ITERATOR* iterator); 38 | 39 | int yr_process_close_iterator( 40 | YR_MEMORY_BLOCK_ITERATOR* iterator); 41 | 42 | #endif 43 | -------------------------------------------------------------------------------- /pe/PluginTabWidget.cpp: -------------------------------------------------------------------------------- 1 | // Copyright (c) 2017-2019 hors 2 | // 3 | // Permission is hereby granted, free of charge, to any person obtaining a copy 4 | // of this software and associated documentation files (the "Software"), to deal 5 | // in the Software without restriction, including without limitation the rights 6 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | // copies of the Software, and to permit persons to whom the Software is 8 | // furnished to do so, subject to the following conditions: 9 | 10 | // The above copyright notice and this permission notice shall be included in all 11 | // copies or substantial portions of the Software. 12 | 13 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | // SOFTWARE. 20 | // 21 | #include "PluginTabWidget.h" 22 | 23 | 24 | PluginTabWidget::PluginTabWidget(QWidget* parent) : 25 | QWidget(parent) 26 | { 27 | mPluginMainWindow = new PluginMainWindow(parent); 28 | mPluginMainWindow->setAutoFillBackground(true); 29 | QVBoxLayout* layout = new QVBoxLayout(parent); 30 | layout->addWidget(mPluginMainWindow); 31 | layout->setMargin(0); 32 | setLayout(layout); 33 | // setWindowTitle(mPluginMainWindow->windowTitle()); 34 | setWindowTitle(tr("PE Viewer")); 35 | setWindowIcon(QIcon(":/icons_peviewer/images/peicon.png")); 36 | } 37 | 38 | void PluginTabWidget::closeEvent(QCloseEvent* event) 39 | { 40 | Q_UNUSED(event); 41 | mPluginMainWindow->close(); 42 | } 43 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/exefiles.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_EXEFILES_H 31 | #define YR_EXEFILES_H 32 | 33 | uint64_t yr_get_entry_point_offset( 34 | uint8_t* buffer, 35 | size_t buffer_length); 36 | 37 | 38 | uint64_t yr_get_entry_point_address( 39 | uint8_t* buffer, 40 | size_t buffer_length, 41 | size_t base_address); 42 | 43 | #endif 44 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_YARA_H 31 | #define YR_YARA_H 32 | 33 | #include "yara/utils.h" 34 | #include "yara/filemap.h" 35 | #include "yara/compiler.h" 36 | #include "yara/modules.h" 37 | #include "yara/object.h" 38 | #include "yara/libyara.h" 39 | #include "yara/error.h" 40 | #include "yara/stream.h" 41 | #include "yara/hash.h" 42 | 43 | #endif 44 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/scan.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_SCAN_H 31 | #define YR_SCAN_H 32 | 33 | #include "types.h" 34 | 35 | // Bitmasks for flags. 36 | #define SCAN_FLAGS_FAST_MODE 1 37 | #define SCAN_FLAGS_PROCESS_MEMORY 2 38 | 39 | 40 | int yr_scan_verify_match( 41 | YR_SCAN_CONTEXT* context, 42 | YR_AC_MATCH* ac_match, 43 | uint8_t* data, 44 | size_t data_size, 45 | size_t data_base, 46 | size_t offset); 47 | 48 | #endif 49 | -------------------------------------------------------------------------------- /pe/pluginsdk/jansson/jansson_config.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2010-2016 Petri Lehtinen 3 | * 4 | * Jansson is free software; you can redistribute it and/or modify 5 | * it under the terms of the MIT license. See LICENSE for details. 6 | * 7 | * 8 | * This file specifies a part of the site-specific configuration for 9 | * Jansson, namely those things that affect the public API in 10 | * jansson.h. 11 | * 12 | * The CMake system will generate the jansson_config.h file and 13 | * copy it to the build and install directories. 14 | */ 15 | 16 | #ifndef JANSSON_CONFIG_H 17 | #define JANSSON_CONFIG_H 18 | 19 | /* Define this so that we can disable scattered automake configuration in source files */ 20 | #ifndef JANSSON_USING_CMAKE 21 | #define JANSSON_USING_CMAKE 22 | #endif 23 | 24 | /* Note: when using cmake, JSON_INTEGER_IS_LONG_LONG is not defined nor used, 25 | * as we will also check for __int64 etc types. 26 | * (the definition was used in the automake system) */ 27 | 28 | /* Bring in the cmake-detected defines */ 29 | #define HAVE_STDINT_H 1 30 | /* #undef HAVE_INTTYPES_H */ 31 | /* #undef HAVE_SYS_TYPES_H */ 32 | 33 | /* Include our standard type header for the integer typedef */ 34 | 35 | #if defined(HAVE_STDINT_H) 36 | # include 37 | #elif defined(HAVE_INTTYPES_H) 38 | # include 39 | #elif defined(HAVE_SYS_TYPES_H) 40 | # include 41 | #endif 42 | 43 | 44 | /* If your compiler supports the inline keyword in C, JSON_INLINE is 45 | defined to `inline', otherwise empty. In C++, the inline is always 46 | supported. */ 47 | #ifdef __cplusplus 48 | #define JSON_INLINE inline 49 | #else 50 | #define JSON_INLINE __inline 51 | #endif 52 | 53 | 54 | #define json_int_t long long 55 | #define json_strtoint strtoll 56 | #define JSON_INTEGER_FORMAT "I64d" 57 | 58 | 59 | /* If locale.h and localeconv() are available, define to 1, otherwise to 0. */ 60 | #define JSON_HAVE_LOCALECONV 1 61 | 62 | 63 | /* Maximum recursion depth for parsing JSON input. 64 | This limits the depth of e.g. array-within-array constructions. */ 65 | #define JSON_PARSER_MAX_DEPTH 2048 66 | 67 | 68 | #endif 69 | -------------------------------------------------------------------------------- /pe/QtPlugin.cpp: -------------------------------------------------------------------------------- 1 | // Copyright (c) 2017-2019 hors 2 | // 3 | // Permission is hereby granted, free of charge, to any person obtaining a copy 4 | // of this software and associated documentation files (the "Software"), to deal 5 | // in the Software without restriction, including without limitation the rights 6 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | // copies of the Software, and to permit persons to whom the Software is 8 | // furnished to do so, subject to the following conditions: 9 | 10 | // The above copyright notice and this permission notice shall be included in all 11 | // copies or substantial portions of the Software. 12 | 13 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | // SOFTWARE. 20 | // 21 | #include "QtPlugin.h" 22 | 23 | //#include "pluginmain.h" 24 | #include "PluginTabWidget.h" 25 | 26 | static PluginTabWidget* pluginTabWidget; 27 | static HANDLE hSetupEvent; 28 | static HANDLE hStopEvent; 29 | 30 | static QWidget* getParent() 31 | { 32 | return QWidget::find((WId)Plugin::hwndDlg); 33 | } 34 | 35 | void QtPlugin::Init() 36 | { 37 | hSetupEvent = CreateEventW(nullptr, true, false, nullptr); 38 | hStopEvent = CreateEventW(nullptr, true, false, nullptr); 39 | } 40 | 41 | void QtPlugin::Setup() 42 | { 43 | QWidget* parent = getParent(); 44 | pluginTabWidget = new PluginTabWidget(parent); 45 | GuiAddQWidgetTab(pluginTabWidget); 46 | SetEvent(hSetupEvent); 47 | } 48 | 49 | void QtPlugin::WaitForSetup() 50 | { 51 | WaitForSingleObject(hSetupEvent, INFINITE); 52 | } 53 | 54 | void QtPlugin::Stop() 55 | { 56 | GuiCloseQWidgetTab(pluginTabWidget); 57 | pluginTabWidget->close(); 58 | delete pluginTabWidget; 59 | SetEvent(hStopEvent); 60 | } 61 | 62 | void QtPlugin::WaitForStop() 63 | { 64 | WaitForSingleObject(hStopEvent, INFINITE); 65 | } 66 | 67 | void QtPlugin::ShowTab() 68 | { 69 | GuiShowQWidgetTab(pluginTabWidget); 70 | } 71 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/sizedstr.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef _SIZEDSTR_H 31 | #define _SIZEDSTR_H 32 | 33 | #include 34 | 35 | #include "integers.h" 36 | 37 | // 38 | // This struct is used to support strings containing null chars. The length of 39 | // the string is stored along the string data. However the string data is also 40 | // terminated with a null char. 41 | // 42 | 43 | #define SIZED_STRING_FLAGS_NO_CASE 1 44 | #define SIZED_STRING_FLAGS_DOT_ALL 2 45 | 46 | #pragma pack(push) 47 | #pragma pack(8) 48 | 49 | 50 | typedef struct _SIZED_STRING 51 | { 52 | uint32_t length; 53 | uint32_t flags; 54 | 55 | char c_string[1]; 56 | 57 | } SIZED_STRING; 58 | 59 | #pragma pack(pop) 60 | 61 | 62 | int sized_string_cmp( 63 | SIZED_STRING* s1, 64 | SIZED_STRING* s2); 65 | 66 | #endif 67 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/mem.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_MEM_H 31 | #define YR_MEM_H 32 | 33 | #include 34 | 35 | #include "config.h" 36 | 37 | #ifdef DMALLOC 38 | 39 | #define yr_malloc malloc 40 | #define yr_calloc calloc 41 | #define yr_realloc realloc 42 | #define yr_free free 43 | #define yr_strdup strdup 44 | #define yr_strndup strndup 45 | 46 | #include 47 | 48 | #else 49 | 50 | void* yr_calloc( 51 | size_t count, 52 | size_t size); 53 | 54 | void* yr_malloc( 55 | size_t size); 56 | 57 | void* yr_realloc( 58 | void* ptr, 59 | size_t size); 60 | 61 | void yr_free( 62 | void* ptr); 63 | 64 | char* yr_strdup( 65 | const char* str); 66 | 67 | char* yr_strndup( 68 | const char* str, size_t n); 69 | 70 | #endif 71 | 72 | int yr_heap_alloc(void); 73 | 74 | int yr_heap_free(void); 75 | 76 | #endif 77 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/stream.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2015. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_STREAM_H 31 | #define YR_STREAM_H 32 | 33 | #include 34 | 35 | typedef size_t (*YR_STREAM_READ_FUNC)( 36 | void* ptr, 37 | size_t size, 38 | size_t count, 39 | void* user_data); 40 | 41 | 42 | typedef size_t (*YR_STREAM_WRITE_FUNC)( 43 | const void* ptr, 44 | size_t size, 45 | size_t count, 46 | void* user_data); 47 | 48 | 49 | typedef struct _YR_STREAM 50 | { 51 | void* user_data; 52 | 53 | YR_STREAM_READ_FUNC read; 54 | YR_STREAM_WRITE_FUNC write; 55 | 56 | } YR_STREAM; 57 | 58 | 59 | size_t yr_stream_read( 60 | void* ptr, 61 | size_t size, 62 | size_t count, 63 | YR_STREAM* stream); 64 | 65 | 66 | size_t yr_stream_write( 67 | const void* ptr, 68 | size_t size, 69 | size_t count, 70 | YR_STREAM* stream); 71 | 72 | #endif 73 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/threading.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2016. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_MUTEX_H 31 | #define YR_MUTEX_H 32 | 33 | 34 | 35 | #if defined(_WIN32) || defined(__CYGWIN__) 36 | 37 | #include 38 | 39 | typedef DWORD YR_THREAD_ID; 40 | typedef DWORD YR_THREAD_STORAGE_KEY; 41 | typedef HANDLE YR_MUTEX; 42 | 43 | #else 44 | 45 | #include 46 | 47 | typedef pthread_t YR_THREAD_ID; 48 | typedef pthread_key_t YR_THREAD_STORAGE_KEY; 49 | typedef pthread_mutex_t YR_MUTEX; 50 | 51 | #endif 52 | 53 | YR_THREAD_ID yr_current_thread_id(void); 54 | 55 | int yr_mutex_create(YR_MUTEX*); 56 | int yr_mutex_destroy(YR_MUTEX*); 57 | int yr_mutex_lock(YR_MUTEX*); 58 | int yr_mutex_unlock(YR_MUTEX*); 59 | 60 | int yr_thread_storage_create(YR_THREAD_STORAGE_KEY*); 61 | int yr_thread_storage_destroy(YR_THREAD_STORAGE_KEY*); 62 | int yr_thread_storage_set_value(YR_THREAD_STORAGE_KEY*, void*); 63 | void* yr_thread_storage_get_value(YR_THREAD_STORAGE_KEY*); 64 | 65 | #endif 66 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/integers.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_INTEGERS_H 31 | #define YR_INTEGERS_H 32 | 33 | /* Integer type definitions 34 | */ 35 | #if ( defined( _MSC_VER ) && ( _MSC_VER < 1600 ) ) || ( defined( __BORLANDC__ ) && ( __BORLANDC__ <= 0x0560 ) ) 36 | 37 | #ifdef __cplusplus 38 | extern "C" { 39 | #endif 40 | 41 | /* Microsoft Visual Studio C++ before Visual Studio 2010 or earlier versions of the Borland C++ Builder 42 | * do not support the (u)int#_t type definitions but have __int# defintions instead 43 | */ 44 | typedef __int8 int8_t; 45 | typedef unsigned __int8 uint8_t; 46 | typedef __int16 int16_t; 47 | typedef unsigned __int16 uint16_t; 48 | typedef __int32 int32_t; 49 | typedef unsigned __int32 uint32_t; 50 | typedef __int64 int64_t; 51 | typedef unsigned __int64 uint64_t; 52 | 53 | #ifdef __cplusplus 54 | } 55 | #endif 56 | 57 | #else 58 | 59 | /* Other "compilers" and later versions of Microsoft Visual Studio C++ and 60 | * Borland C/C++ define the types in 61 | */ 62 | #include 63 | 64 | #endif 65 | 66 | #endif 67 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/libyara.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_LIBYARA_H 31 | #define YR_LIBYARA_H 32 | 33 | #include "utils.h" 34 | 35 | #define YR_MAJOR_VERSION 3 36 | #define YR_MINOR_VERSION 5 37 | #define YR_MICRO_VERSION 0 38 | 39 | // Version as a string 40 | #define YR_VERSION "3.5.0" 41 | 42 | 43 | // Version as a single 4-byte hex number, e.g. 0x030401 == 3.4.1. 44 | #define YR_VERSION_HEX ((YR_MAJOR_VERSION << 16) | \ 45 | (YR_MINOR_VERSION << 8) | \ 46 | (YR_MICRO_VERSION << 0)) 47 | 48 | 49 | // Enumerated type listing configuration options 50 | typedef enum _YR_CONFIG_NAME 51 | { 52 | YR_CONFIG_STACK_SIZE, 53 | YR_CONFIG_MAX 54 | 55 | } YR_CONFIG_NAME; 56 | 57 | 58 | #define DEFAULT_STACK_SIZE 16384 59 | 60 | 61 | YR_API int yr_initialize(void); 62 | 63 | 64 | YR_API int yr_finalize(void); 65 | 66 | 67 | YR_API void yr_finalize_thread(void); 68 | 69 | 70 | YR_API int yr_get_tidx(void); 71 | 72 | 73 | YR_API void yr_set_tidx(int); 74 | 75 | 76 | YR_API int yr_set_configuration(YR_CONFIG_NAME, void*); 77 | 78 | 79 | YR_API int yr_get_configuration(YR_CONFIG_NAME, void*); 80 | 81 | #endif 82 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/limits.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_LIMITS_H 31 | #define YR_LIMITS_H 32 | 33 | #if defined(_WIN32) || defined(__CYGWIN__) 34 | #include 35 | #endif 36 | 37 | 38 | // MAX_THREADS is the number of threads that can use a YR_RULES 39 | // object simultaneosly. This value is limited by the number of 40 | // bits in tidx_mask. 41 | 42 | #define MAX_THREADS 32 43 | 44 | 45 | #ifndef MAX_PATH 46 | #define MAX_PATH 1024 47 | #endif 48 | 49 | #define MAX_COMPILER_ERROR_EXTRA_INFO 256 50 | #define MAX_ATOM_LENGTH 4 51 | #define MAX_LOOP_NESTING 4 52 | #define MAX_ARENA_PAGES 32 53 | #define MAX_INCLUDE_DEPTH 16 54 | #define MAX_STRING_MATCHES 1000000 55 | #define MAX_FUNCTION_ARGS 128 56 | #define MAX_FAST_HEX_RE_STACK 300 57 | #define MAX_OVERLOADED_FUNCTIONS 10 58 | #define MAX_HEX_STRING_TOKENS 10000 59 | #define MAX_MATCH_DATA 4096 60 | 61 | #define LOOP_LOCAL_VARS 4 62 | #define STRING_CHAINING_THRESHOLD 200 63 | #define LEX_BUF_SIZE 8192 64 | 65 | 66 | #endif 67 | -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi_gui.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_GUI_H 2 | #define _SCRIPTAPI_GUI_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Gui 9 | { 10 | namespace Disassembly 11 | { 12 | SCRIPT_EXPORT bool SelectionGet(duint* start, duint* end); 13 | SCRIPT_EXPORT bool SelectionSet(duint start, duint end); 14 | SCRIPT_EXPORT duint SelectionGetStart(); 15 | SCRIPT_EXPORT duint SelectionGetEnd(); 16 | }; //Disassembly 17 | 18 | namespace Dump 19 | { 20 | SCRIPT_EXPORT bool SelectionGet(duint* start, duint* end); 21 | SCRIPT_EXPORT bool SelectionSet(duint start, duint end); 22 | SCRIPT_EXPORT duint SelectionGetStart(); 23 | SCRIPT_EXPORT duint SelectionGetEnd(); 24 | }; //Dump 25 | 26 | namespace Stack 27 | { 28 | SCRIPT_EXPORT bool SelectionGet(duint* start, duint* end); 29 | SCRIPT_EXPORT bool SelectionSet(duint start, duint end); 30 | SCRIPT_EXPORT duint SelectionGetStart(); 31 | SCRIPT_EXPORT duint SelectionGetEnd(); 32 | }; //Stack 33 | 34 | namespace Graph 35 | { 36 | SCRIPT_EXPORT duint SelectionGetStart(); 37 | }; //Graph 38 | 39 | namespace MemMap 40 | { 41 | SCRIPT_EXPORT duint SelectionGetStart(); 42 | }; //MemoryMap 43 | 44 | namespace SymMod 45 | { 46 | SCRIPT_EXPORT duint SelectionGetStart(); 47 | }; //SymMod 48 | }; //Gui 49 | 50 | namespace Gui 51 | { 52 | enum Window 53 | { 54 | DisassemblyWindow, 55 | DumpWindow, 56 | StackWindow, 57 | GraphWindow, 58 | MemMapWindow, 59 | SymModWindow 60 | }; 61 | 62 | SCRIPT_EXPORT bool SelectionGet(Window window, duint* start, duint* end); 63 | SCRIPT_EXPORT bool SelectionSet(Window window, duint start, duint end); 64 | SCRIPT_EXPORT duint SelectionGetStart(Window window); 65 | SCRIPT_EXPORT duint SelectionGetEnd(Window window); 66 | SCRIPT_EXPORT void Message(const char* message); 67 | SCRIPT_EXPORT bool MessageYesNo(const char* message); 68 | SCRIPT_EXPORT bool InputLine(const char* title, char* text); //text[GUI_MAX_LINE_SIZE] 69 | SCRIPT_EXPORT bool InputValue(const char* title, duint* value); 70 | SCRIPT_EXPORT void Refresh(); 71 | SCRIPT_EXPORT void AddQWidgetTab(void* qWidget); 72 | SCRIPT_EXPORT void ShowQWidgetTab(void* qWidget); 73 | SCRIPT_EXPORT void CloseQWidgetTab(void* qWidget); 74 | 75 | }; //Gui 76 | }; //Script 77 | 78 | #endif //_SCRIPTAPI_GUI_H -------------------------------------------------------------------------------- /pe/dialoginfo.ui: -------------------------------------------------------------------------------- 1 | 2 | 3 | DialogInfo 4 | 5 | 6 | Qt::ApplicationModal 7 | 8 | 9 | 10 | 0 11 | 0 12 | 351 13 | 307 14 | 15 | 16 | 17 | Information 18 | 19 | 20 | 21 | :/icons_pe/images/peicon.png:/icons_pe/images/peicon.png 22 | 23 | 24 | true 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | :/icons_peviewer/images/pemain.png 34 | 35 | 36 | true 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | <html><head/><body><p align="center">Bugreports: <a href="mailto:horsicq@gmail.com"><span style=" text-decoration: underline; color:#0000ff;">horsicq@gmail.com</span></a><br/></p><p align="center"><span style=" font-weight:600;">2019(C) hors</span></p></body></html> 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | Qt::Horizontal 60 | 61 | 62 | 63 | 40 64 | 20 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | OK 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi_misc.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_MISC_H 2 | #define _SCRIPTAPI_MISC_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Misc 9 | { 10 | /// 11 | /// Evaluates an expression and returns the result. Analagous to using the Command field in x64dbg. 12 | /// 13 | /// Expressions can consist of memory locations, registers, flags, API names, labels, symbols, variables etc. 14 | /// 15 | /// Example: bool success = ParseExpression("[esp+8]", &val) 16 | /// 17 | /// The expression to evaluate. 18 | /// The result of the expression. 19 | /// True on success, False on failure. 20 | SCRIPT_EXPORT bool ParseExpression(const char* expression, duint* value); 21 | 22 | /// 23 | /// Returns the address of a function in the debuggee's memory space. 24 | /// 25 | /// Example: duint addr = RemoteGetProcAddress("kernel32.dll", "GetProcAddress") 26 | /// 27 | /// The name of the module. 28 | /// The name of the function. 29 | /// The address of the function in the debuggee. 30 | SCRIPT_EXPORT duint RemoteGetProcAddress(const char* module, const char* api); 31 | 32 | /// 33 | /// Returns the address for a label created in the disassembly window. 34 | /// 35 | /// Example: duint addr = ResolveLabel("sneaky_crypto") 36 | /// 37 | /// The name of the label to resolve. 38 | /// The memory address for the label. 39 | SCRIPT_EXPORT duint ResolveLabel(const char* label); 40 | 41 | /// 42 | /// Allocates the requested number of bytes from x64dbg's default process heap. 43 | /// 44 | /// Note: this allocation is in the debugger, not the debuggee. 45 | /// 46 | /// Memory allocated using this function should be Free'd after use. 47 | /// 48 | /// Example: void* addr = Alloc(0x100000) 49 | /// 50 | /// Number of bytes to allocate. 51 | /// A pointer to the newly allocated memory. 52 | SCRIPT_EXPORT void* Alloc(duint size); 53 | 54 | /// 55 | /// Frees memory previously allocated by Alloc. 56 | /// 57 | /// Example: Free(addr) 58 | /// 59 | /// Pointer returned by Alloc. 60 | /// Nothing. 61 | SCRIPT_EXPORT void Free(void* ptr); 62 | }; //Misc 63 | }; //Script 64 | 65 | #endif //_SCRIPTAPI_MISC_H -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/utils.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | 31 | #ifndef YR_UTILS_H 32 | #define YR_UTILS_H 33 | 34 | #ifndef TRUE 35 | #define TRUE 1 36 | #endif 37 | 38 | #ifndef FALSE 39 | #define FALSE 0 40 | #endif 41 | 42 | #ifndef NULL 43 | #define NULL 0 44 | #endif 45 | 46 | #ifdef __cplusplus 47 | #define EXTERNC extern "C" 48 | #else 49 | #define EXTERNC 50 | #endif 51 | 52 | #if defined(__GNUC__) 53 | #define YR_API EXTERNC __attribute__((visibility("default"))) 54 | #elif defined(_MSC_VER) 55 | #define YR_API EXTERNC __declspec(dllexport) 56 | #else 57 | #define YR_API EXTERNC 58 | #endif 59 | 60 | #if defined(__GNUC__) 61 | #define YR_ALIGN(n) __attribute__((aligned(n))) 62 | #elif defined(_MSC_VER) 63 | #define YR_ALIGN(n) __declspec(align(n)) 64 | #else 65 | #define YR_ALIGN(n) 66 | #endif 67 | 68 | #define yr_min(x, y) ((x < y) ? (x) : (y)) 69 | #define yr_max(x, y) ((x > y) ? (x) : (y)) 70 | 71 | #define PTR_TO_INT64(x) ((int64_t) (size_t) x) 72 | 73 | 74 | #ifdef NDEBUG 75 | 76 | #define assertf(expr, msg, ...) ((void)0) 77 | 78 | #else 79 | 80 | #include 81 | 82 | #define assertf(expr, msg, ...) \ 83 | if(!(expr)) { \ 84 | fprintf(stderr, "%s:%d: " msg "\n", __FILE__, __LINE__, ##__VA_ARGS__); \ 85 | abort(); \ 86 | } 87 | 88 | #endif 89 | 90 | #endif 91 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/strutils.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_STRUTILS_H 31 | #define YR_STRUTILS_H 32 | 33 | #include 34 | #include 35 | 36 | #include "integers.h" 37 | 38 | #include "config.h" 39 | 40 | // Cygwin already has these functions. 41 | #if defined(_WIN32) && !defined(__CYGWIN__) 42 | #if defined(_MSC_VER) && _MSC_VER < 1900 43 | #define snprintf _snprintf 44 | #endif 45 | #define strcasecmp _stricmp 46 | #define strncasecmp _strnicmp 47 | #endif 48 | 49 | 50 | uint64_t xtoi( 51 | const char* hexstr); 52 | 53 | 54 | #if !HAVE_STRLCPY && !defined(strlcpy) 55 | size_t strlcpy( 56 | char* dst, 57 | const char* src, 58 | size_t size); 59 | #endif 60 | 61 | 62 | #if !HAVE_STRLCAT && !defined(strlcat) 63 | size_t strlcat( 64 | char* dst, 65 | const char* src, 66 | size_t size); 67 | #endif 68 | 69 | 70 | #if !HAVE_MEMMEM && !defined(memmem) 71 | void* memmem( 72 | const void* haystack, 73 | size_t haystack_size, 74 | const void* needle, 75 | size_t needle_size); 76 | #endif 77 | 78 | 79 | int strnlen_w( 80 | const char* w_str); 81 | 82 | 83 | int strcmp_w( 84 | const char* w_str, 85 | const char* str); 86 | 87 | 88 | size_t strlcpy_w( 89 | char* dst, 90 | const char* w_src, 91 | size_t n); 92 | 93 | #endif 94 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/filemap.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_FILEMAP_H 31 | #define YR_FILEMAP_H 32 | 33 | #ifdef _MSC_VER 34 | #define off_t int64_t 35 | #else 36 | #include 37 | #endif 38 | 39 | #if defined(_WIN32) || defined(__CYGWIN__) 40 | #include 41 | #define YR_FILE_DESCRIPTOR HANDLE 42 | #else 43 | #define YR_FILE_DESCRIPTOR int 44 | #endif 45 | 46 | #include 47 | 48 | #include "integers.h" 49 | #include "utils.h" 50 | 51 | 52 | typedef struct _YR_MAPPED_FILE 53 | { 54 | YR_FILE_DESCRIPTOR file; 55 | size_t size; 56 | uint8_t* data; 57 | #if defined(_WIN32) || defined(__CYGWIN__) 58 | HANDLE mapping; 59 | #endif 60 | 61 | } YR_MAPPED_FILE; 62 | 63 | 64 | YR_API int yr_filemap_map( 65 | const char* file_path, 66 | YR_MAPPED_FILE* pmapped_file); 67 | 68 | 69 | YR_API int yr_filemap_map_fd( 70 | YR_FILE_DESCRIPTOR file, 71 | off_t offset, 72 | size_t size, 73 | YR_MAPPED_FILE* pmapped_file); 74 | 75 | 76 | YR_API int yr_filemap_map_ex( 77 | const char* file_path, 78 | off_t offset, 79 | size_t size, 80 | YR_MAPPED_FILE* pmapped_file); 81 | 82 | 83 | YR_API void yr_filemap_unmap( 84 | YR_MAPPED_FILE* pmapped_file); 85 | 86 | 87 | YR_API void yr_filemap_unmap_fd( 88 | YR_MAPPED_FILE* pmapped_file); 89 | 90 | #endif 91 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/ahocorasick.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef _AHOCORASICK_H 31 | #define _AHOCORASICK_H 32 | 33 | #include "limits.h" 34 | #include "atoms.h" 35 | #include "types.h" 36 | 37 | 38 | #define YR_AC_ROOT_STATE 0 39 | #define YR_AC_NEXT_STATE(t) (t >> 32) 40 | #define YR_AC_INVALID_TRANSITION(t, c) (((t) & 0xFFFF) != c) 41 | 42 | #define YR_AC_MAKE_TRANSITION(state, code, flags) \ 43 | ((uint64_t)((((uint64_t) state) << 32) | ((flags) << 16) | (code))) 44 | 45 | #define YR_AC_USED_FLAG 0x1 46 | 47 | #define YR_AC_USED_TRANSITION_SLOT(x) ((x) & (YR_AC_USED_FLAG << 16)) 48 | #define YR_AC_UNUSED_TRANSITION_SLOT(x) (!YR_AC_USED_TRANSITION_SLOT(x)) 49 | 50 | 51 | typedef struct _YR_AC_TABLES 52 | { 53 | YR_AC_TRANSITION* transitions; 54 | YR_AC_MATCH_TABLE_ENTRY* matches; 55 | 56 | } YR_AC_TABLES; 57 | 58 | 59 | int yr_ac_automaton_create( 60 | YR_AC_AUTOMATON** automaton); 61 | 62 | 63 | int yr_ac_automaton_destroy( 64 | YR_AC_AUTOMATON* automaton); 65 | 66 | 67 | int yr_ac_add_string( 68 | YR_AC_AUTOMATON* automaton, 69 | YR_STRING* string, 70 | YR_ATOM_LIST_ITEM* atom, 71 | YR_ARENA* matches_arena); 72 | 73 | 74 | int yr_ac_compile( 75 | YR_AC_AUTOMATON* automaton, 76 | YR_ARENA* arena, 77 | YR_AC_TABLES* tables); 78 | 79 | 80 | void yr_ac_print_automaton( 81 | YR_AC_AUTOMATON* automaton); 82 | 83 | 84 | #endif 85 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/atoms.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_ATOMS_H 31 | #define YR_ATOMS_H 32 | 33 | #include "limits.h" 34 | #include "re.h" 35 | 36 | #define ATOM_TREE_LEAF 1 37 | #define ATOM_TREE_AND 2 38 | #define ATOM_TREE_OR 3 39 | 40 | 41 | typedef struct _ATOM_TREE_NODE 42 | { 43 | uint8_t type; 44 | uint8_t atom_length; 45 | uint8_t atom[MAX_ATOM_LENGTH]; 46 | 47 | uint8_t* forward_code; 48 | uint8_t* backward_code; 49 | 50 | RE_NODE* recent_nodes[MAX_ATOM_LENGTH]; 51 | 52 | struct _ATOM_TREE_NODE* children_head; 53 | struct _ATOM_TREE_NODE* children_tail; 54 | struct _ATOM_TREE_NODE* next_sibling; 55 | 56 | } ATOM_TREE_NODE; 57 | 58 | 59 | typedef struct _ATOM_TREE 60 | { 61 | ATOM_TREE_NODE* current_leaf; 62 | ATOM_TREE_NODE* root_node; 63 | 64 | } ATOM_TREE; 65 | 66 | 67 | typedef struct _YR_ATOM_LIST_ITEM 68 | { 69 | uint8_t atom_length; 70 | uint8_t atom[MAX_ATOM_LENGTH]; 71 | 72 | uint16_t backtrack; 73 | 74 | uint8_t* forward_code; 75 | uint8_t* backward_code; 76 | 77 | struct _YR_ATOM_LIST_ITEM* next; 78 | 79 | } YR_ATOM_LIST_ITEM; 80 | 81 | 82 | int yr_atoms_extract_from_re( 83 | RE* re, 84 | int flags, 85 | YR_ATOM_LIST_ITEM** atoms); 86 | 87 | 88 | int yr_atoms_extract_from_string( 89 | uint8_t* string, 90 | int string_length, 91 | int flags, 92 | YR_ATOM_LIST_ITEM** atoms); 93 | 94 | 95 | int yr_atoms_min_quality( 96 | YR_ATOM_LIST_ITEM* atom_list); 97 | 98 | 99 | void yr_atoms_list_destroy( 100 | YR_ATOM_LIST_ITEM* list_head); 101 | 102 | #endif 103 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/hash.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_HASH_H 31 | #define YR_HASH_H 32 | 33 | #include 34 | 35 | #include "utils.h" 36 | 37 | typedef struct _YR_HASH_TABLE_ENTRY 38 | { 39 | void* key; 40 | size_t key_length; 41 | char* ns; 42 | void* value; 43 | 44 | struct _YR_HASH_TABLE_ENTRY* next; 45 | 46 | } YR_HASH_TABLE_ENTRY; 47 | 48 | 49 | typedef struct _YR_HASH_TABLE 50 | { 51 | int size; 52 | 53 | YR_HASH_TABLE_ENTRY* buckets[1]; 54 | 55 | } YR_HASH_TABLE; 56 | 57 | 58 | typedef int (*YR_HASH_TABLE_FREE_VALUE_FUNC)(void* value); 59 | 60 | 61 | YR_API int yr_hash_table_create( 62 | int size, 63 | YR_HASH_TABLE** table); 64 | 65 | 66 | YR_API void yr_hash_table_clean( 67 | YR_HASH_TABLE* table, 68 | YR_HASH_TABLE_FREE_VALUE_FUNC free_value); 69 | 70 | 71 | YR_API void yr_hash_table_destroy( 72 | YR_HASH_TABLE* table, 73 | YR_HASH_TABLE_FREE_VALUE_FUNC free_value); 74 | 75 | 76 | YR_API void* yr_hash_table_lookup( 77 | YR_HASH_TABLE* table, 78 | const char* key, 79 | const char* ns); 80 | 81 | 82 | YR_API int yr_hash_table_add( 83 | YR_HASH_TABLE* table, 84 | const char* key, 85 | const char* ns, 86 | void* value); 87 | 88 | 89 | YR_API void* yr_hash_table_lookup_raw_key( 90 | YR_HASH_TABLE* table, 91 | const void* key, 92 | size_t key_length, 93 | const char* ns); 94 | 95 | 96 | YR_API int yr_hash_table_add_raw_key( 97 | YR_HASH_TABLE* table, 98 | const void* key, 99 | size_t key_length, 100 | const char* ns, 101 | void* value); 102 | 103 | #endif 104 | -------------------------------------------------------------------------------- /pe/pluginsdk/_scriptapi_module.h: -------------------------------------------------------------------------------- 1 | #ifndef _SCRIPTAPI_MODULE_H 2 | #define _SCRIPTAPI_MODULE_H 3 | 4 | #include "_scriptapi.h" 5 | 6 | namespace Script 7 | { 8 | namespace Module 9 | { 10 | struct ModuleInfo 11 | { 12 | duint base; 13 | duint size; 14 | duint entry; 15 | int sectionCount; 16 | char name[MAX_MODULE_SIZE]; 17 | char path[MAX_PATH]; 18 | }; 19 | 20 | struct ModuleSectionInfo 21 | { 22 | duint addr; 23 | duint size; 24 | char name[MAX_SECTION_SIZE * 5]; 25 | }; 26 | 27 | struct ModuleExport 28 | { 29 | duint ordinal; 30 | duint rva; 31 | duint va; 32 | bool forwarded; 33 | char forwardName[MAX_STRING_SIZE]; 34 | char name[MAX_STRING_SIZE]; 35 | char undecoratedName[MAX_STRING_SIZE]; 36 | }; 37 | 38 | struct ModuleImport 39 | { 40 | duint iatRva; 41 | duint iatVa; 42 | duint ordinal; //equal to -1 if imported by name 43 | char name[MAX_STRING_SIZE]; 44 | char undecoratedName[MAX_STRING_SIZE]; 45 | }; 46 | 47 | SCRIPT_EXPORT bool InfoFromAddr(duint addr, ModuleInfo* info); 48 | SCRIPT_EXPORT bool InfoFromName(const char* name, ModuleInfo* info); 49 | SCRIPT_EXPORT duint BaseFromAddr(duint addr); 50 | SCRIPT_EXPORT duint BaseFromName(const char* name); 51 | SCRIPT_EXPORT duint SizeFromAddr(duint addr); 52 | SCRIPT_EXPORT duint SizeFromName(const char* name); 53 | SCRIPT_EXPORT bool NameFromAddr(duint addr, char* name); //name[MAX_MODULE_SIZE] 54 | SCRIPT_EXPORT bool PathFromAddr(duint addr, char* path); //path[MAX_PATH] 55 | SCRIPT_EXPORT bool PathFromName(const char* name, char* path); //path[MAX_PATH] 56 | SCRIPT_EXPORT duint EntryFromAddr(duint addr); 57 | SCRIPT_EXPORT duint EntryFromName(const char* name); 58 | SCRIPT_EXPORT int SectionCountFromAddr(duint addr); 59 | SCRIPT_EXPORT int SectionCountFromName(const char* name); 60 | SCRIPT_EXPORT bool SectionFromAddr(duint addr, int number, ModuleSectionInfo* section); 61 | SCRIPT_EXPORT bool SectionFromName(const char* name, int number, ModuleSectionInfo* section); 62 | SCRIPT_EXPORT bool SectionListFromAddr(duint addr, ListOf(ModuleSectionInfo) list); 63 | SCRIPT_EXPORT bool SectionListFromName(const char* name, ListOf(ModuleSectionInfo) list); 64 | SCRIPT_EXPORT bool GetMainModuleInfo(ModuleInfo* info); 65 | SCRIPT_EXPORT duint GetMainModuleBase(); 66 | SCRIPT_EXPORT duint GetMainModuleSize(); 67 | SCRIPT_EXPORT duint GetMainModuleEntry(); 68 | SCRIPT_EXPORT int GetMainModuleSectionCount(); 69 | SCRIPT_EXPORT bool GetMainModuleName(char* name); //name[MAX_MODULE_SIZE] 70 | SCRIPT_EXPORT bool GetMainModulePath(char* path); //path[MAX_PATH] 71 | SCRIPT_EXPORT bool GetMainModuleSectionList(ListOf(ModuleSectionInfo) list); //caller has the responsibility to free the list 72 | SCRIPT_EXPORT bool GetList(ListOf(ModuleInfo) list); //caller has the responsibility to free the list 73 | SCRIPT_EXPORT bool GetExports(const ModuleInfo* mod, ListOf(ModuleExport) list); //caller has the responsibility to free the list 74 | SCRIPT_EXPORT bool GetImports(const ModuleInfo* mod, ListOf(ModuleImport) list); //caller has the responsibility to free the list 75 | }; //Module 76 | }; //Script 77 | 78 | #endif //_SCRIPTAPI_MODULE_H 79 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/re_lexer.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #undef yyparse 31 | #undef yylex 32 | #undef yyerror 33 | #undef yyfatal 34 | #undef yychar 35 | #undef yydebug 36 | #undef yynerrs 37 | #undef yyget_extra 38 | #undef yyget_lineno 39 | 40 | #undef YY_FATAL_ERROR 41 | #undef YY_DECL 42 | #undef LEX_ENV 43 | 44 | 45 | #define yyparse re_yyparse 46 | #define yylex re_yylex 47 | #define yyerror re_yyerror 48 | #define yyfatal re_yyfatal 49 | #define yychar re_yychar 50 | #define yydebug re_yydebug 51 | #define yynerrs re_yynerrs 52 | #define yyget_extra re_yyget_extra 53 | #define yyget_lineno re_yyget_lineno 54 | 55 | 56 | #ifndef YY_TYPEDEF_YY_SCANNER_T 57 | #define YY_TYPEDEF_YY_SCANNER_T 58 | typedef void* yyscan_t; 59 | #endif 60 | 61 | #define YY_EXTRA_TYPE RE* 62 | #define YY_USE_CONST 63 | 64 | 65 | typedef struct _RE_LEX_ENVIRONMENT 66 | { 67 | int negated_class; 68 | uint8_t class_vector[32]; 69 | int last_error_code; 70 | char last_error_message[256]; 71 | 72 | } RE_LEX_ENVIRONMENT; 73 | 74 | 75 | #define LEX_ENV ((RE_LEX_ENVIRONMENT*) lex_env) 76 | 77 | #define YY_FATAL_ERROR(msg) re_yyfatal(yyscanner, msg) 78 | 79 | #include 80 | 81 | #define YY_DECL int re_yylex \ 82 | (YYSTYPE * yylval_param , yyscan_t yyscanner, RE_LEX_ENVIRONMENT* lex_env) 83 | 84 | 85 | YY_EXTRA_TYPE yyget_extra( 86 | yyscan_t yyscanner); 87 | 88 | int yylex( 89 | YYSTYPE* yylval_param, 90 | yyscan_t yyscanner, 91 | RE_LEX_ENVIRONMENT* lex_env); 92 | 93 | int yyparse( 94 | void* yyscanner, 95 | RE_LEX_ENVIRONMENT* lex_env); 96 | 97 | void yyerror( 98 | yyscan_t yyscanner, 99 | RE_LEX_ENVIRONMENT* lex_env, 100 | const char* error_message); 101 | 102 | void yyfatal( 103 | yyscan_t yyscanner, 104 | const char* error_message); 105 | 106 | int yr_parse_re_string( 107 | const char* re_string, 108 | int flags, 109 | RE** re, 110 | RE_ERROR* error); 111 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/hex_lexer.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. Victor M. Alvarez [plusvic@gmail.com]. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include "re.h" 31 | 32 | #undef yyparse 33 | #undef yylex 34 | #undef yyerror 35 | #undef yyfatal 36 | #undef yychar 37 | #undef yydebug 38 | #undef yynerrs 39 | #undef yyget_extra 40 | #undef yyget_lineno 41 | 42 | #undef YY_FATAL_ERROR 43 | #undef YY_DECL 44 | #undef LEX_ENV 45 | 46 | #define yyparse hex_yyparse 47 | #define yylex hex_yylex 48 | #define yyerror hex_yyerror 49 | #define yyfatal hex_yyfatal 50 | #define yychar hex_yychar 51 | #define yydebug hex_yydebug 52 | #define yynerrs hex_yynerrs 53 | #define yyget_extra hex_yyget_extra 54 | #define yyget_lineno hex_yyget_lineno 55 | 56 | 57 | #ifndef YY_TYPEDEF_YY_SCANNER_T 58 | #define YY_TYPEDEF_YY_SCANNER_T 59 | typedef void* yyscan_t; 60 | #endif 61 | 62 | #define YY_EXTRA_TYPE RE* 63 | #define YY_USE_CONST 64 | 65 | 66 | typedef struct _HEX_LEX_ENVIRONMENT 67 | { 68 | int token_count; 69 | int inside_or; 70 | int last_error_code; 71 | char last_error_message[256]; 72 | 73 | } HEX_LEX_ENVIRONMENT; 74 | 75 | 76 | #define YY_FATAL_ERROR(msg) hex_yyfatal(yyscanner, msg) 77 | 78 | #define LEX_ENV ((HEX_LEX_ENVIRONMENT*) lex_env) 79 | 80 | #include 81 | 82 | #define YY_DECL int hex_yylex \ 83 | (YYSTYPE * yylval_param , yyscan_t yyscanner, HEX_LEX_ENVIRONMENT* lex_env) 84 | 85 | 86 | YY_EXTRA_TYPE yyget_extra( 87 | yyscan_t yyscanner); 88 | 89 | int yylex( 90 | YYSTYPE* yylval_param, 91 | yyscan_t yyscanner, 92 | HEX_LEX_ENVIRONMENT* lex_env); 93 | 94 | int yyparse( 95 | void* yyscanner, 96 | HEX_LEX_ENVIRONMENT* lex_env); 97 | 98 | void yyerror( 99 | yyscan_t yyscanner, 100 | HEX_LEX_ENVIRONMENT* lex_env, 101 | const char* error_message); 102 | 103 | void yyfatal( 104 | yyscan_t yyscanner, 105 | const char* error_message); 106 | 107 | int yr_parse_hex_string( 108 | const char* hex_string, 109 | int flags, 110 | RE** re, 111 | RE_ERROR* error); 112 | -------------------------------------------------------------------------------- /pe/pluginsdk/capstone/platform.h: -------------------------------------------------------------------------------- 1 | /* Capstone Disassembly Engine */ 2 | /* By Axel Souchet & Nguyen Anh Quynh, 2014 */ 3 | 4 | #ifndef CAPSTONE_PLATFORM_H 5 | #define CAPSTONE_PLATFORM_H 6 | 7 | 8 | // handle C99 issue (for pre-2013 VisualStudio) 9 | #if !defined(__CYGWIN__) && !defined(__MINGW32__) && !defined(__MINGW64__) && (defined (WIN32) || defined (WIN64) || defined (_WIN32) || defined (_WIN64)) 10 | // MSVC 11 | 12 | // stdbool.h 13 | #if (_MSC_VER < 1800) || defined(_KERNEL_MODE) 14 | // this system does not have stdbool.h 15 | #ifndef __cplusplus 16 | typedef unsigned char bool; 17 | #define false 0 18 | #define true 1 19 | #endif // __cplusplus 20 | 21 | #else 22 | // VisualStudio 2013+ -> C99 is supported 23 | #include 24 | #endif // (_MSC_VER < 1800) || defined(_KERNEL_MODE) 25 | 26 | #else 27 | // not MSVC -> C99 is supported 28 | #include 29 | #endif // !defined(__CYGWIN__) && !defined(__MINGW32__) && !defined(__MINGW64__) && (defined (WIN32) || defined (WIN64) || defined (_WIN32) || defined (_WIN64)) 30 | 31 | 32 | // handle inttypes.h / stdint.h compatibility 33 | #if defined(_WIN32_WCE) && (_WIN32_WCE < 0x800) 34 | #include "windowsce/stdint.h" 35 | #endif // defined(_WIN32_WCE) && (_WIN32_WCE < 0x800) 36 | 37 | #if defined(CAPSTONE_HAS_OSXKERNEL) || (defined(_MSC_VER) && (_MSC_VER <= 1700 || defined(_KERNEL_MODE))) 38 | // this system does not have inttypes.h 39 | 40 | #if defined(_MSC_VER) && (_MSC_VER <= 1700 || defined(_KERNEL_MODE)) 41 | // this system does not have stdint.h 42 | typedef signed char int8_t; 43 | typedef signed short int16_t; 44 | typedef signed int int32_t; 45 | typedef unsigned char uint8_t; 46 | typedef unsigned short uint16_t; 47 | typedef unsigned int uint32_t; 48 | typedef signed long long int64_t; 49 | typedef unsigned long long uint64_t; 50 | 51 | #define INT8_MIN (-127i8 - 1) 52 | #define INT16_MIN (-32767i16 - 1) 53 | #define INT32_MIN (-2147483647i32 - 1) 54 | #define INT64_MIN (-9223372036854775807i64 - 1) 55 | #define INT8_MAX 127i8 56 | #define INT16_MAX 32767i16 57 | #define INT32_MAX 2147483647i32 58 | #define INT64_MAX 9223372036854775807i64 59 | #define UINT8_MAX 0xffui8 60 | #define UINT16_MAX 0xffffui16 61 | #define UINT32_MAX 0xffffffffui32 62 | #define UINT64_MAX 0xffffffffffffffffui64 63 | #endif // defined(_MSC_VER) && (_MSC_VER <= 1700 || defined(_KERNEL_MODE)) 64 | 65 | #define __PRI_8_LENGTH_MODIFIER__ "hh" 66 | #define __PRI_64_LENGTH_MODIFIER__ "ll" 67 | 68 | #define PRId8 __PRI_8_LENGTH_MODIFIER__ "d" 69 | #define PRIi8 __PRI_8_LENGTH_MODIFIER__ "i" 70 | #define PRIo8 __PRI_8_LENGTH_MODIFIER__ "o" 71 | #define PRIu8 __PRI_8_LENGTH_MODIFIER__ "u" 72 | #define PRIx8 __PRI_8_LENGTH_MODIFIER__ "x" 73 | #define PRIX8 __PRI_8_LENGTH_MODIFIER__ "X" 74 | 75 | #define PRId16 "hd" 76 | #define PRIi16 "hi" 77 | #define PRIo16 "ho" 78 | #define PRIu16 "hu" 79 | #define PRIx16 "hx" 80 | #define PRIX16 "hX" 81 | 82 | #if defined(_MSC_VER) && _MSC_VER <= 1700 83 | #define PRId32 "ld" 84 | #define PRIi32 "li" 85 | #define PRIo32 "lo" 86 | #define PRIu32 "lu" 87 | #define PRIx32 "lx" 88 | #define PRIX32 "lX" 89 | #else // OSX 90 | #define PRId32 "d" 91 | #define PRIi32 "i" 92 | #define PRIo32 "o" 93 | #define PRIu32 "u" 94 | #define PRIx32 "x" 95 | #define PRIX32 "X" 96 | #endif // defined(_MSC_VER) && _MSC_VER <= 1700 97 | 98 | #define PRId64 __PRI_64_LENGTH_MODIFIER__ "d" 99 | #define PRIi64 __PRI_64_LENGTH_MODIFIER__ "i" 100 | #define PRIo64 __PRI_64_LENGTH_MODIFIER__ "o" 101 | #define PRIu64 __PRI_64_LENGTH_MODIFIER__ "u" 102 | #define PRIx64 __PRI_64_LENGTH_MODIFIER__ "x" 103 | #define PRIX64 __PRI_64_LENGTH_MODIFIER__ "X" 104 | 105 | #else 106 | // this system has inttypes.h by default 107 | #include 108 | #endif // defined(CAPSTONE_HAS_OSXKERNEL) || (defined(_MSC_VER) && (_MSC_VER <= 1700 || defined(_KERNEL_MODE))) 109 | 110 | #endif 111 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/parser.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_PARSER_H 31 | #define YR_PARSER_H 32 | 33 | 34 | #include "lexer.h" 35 | 36 | 37 | int yr_parser_emit( 38 | yyscan_t yyscanner, 39 | uint8_t instruction, 40 | uint8_t** instruction_address); 41 | 42 | 43 | int yr_parser_emit_with_arg( 44 | yyscan_t yyscanner, 45 | uint8_t instruction, 46 | int64_t argument, 47 | uint8_t** instruction_address, 48 | int64_t** argument_address); 49 | 50 | 51 | int yr_parser_emit_with_arg_double( 52 | yyscan_t yyscanner, 53 | uint8_t instruction, 54 | double argument, 55 | uint8_t** instruction_address, 56 | double** argument_address); 57 | 58 | 59 | int yr_parser_emit_with_arg_reloc( 60 | yyscan_t yyscanner, 61 | uint8_t instruction, 62 | int64_t argument, 63 | uint8_t** instruction_address, 64 | int64_t** argument_address); 65 | 66 | 67 | int yr_parser_check_types( 68 | YR_COMPILER* compiler, 69 | YR_OBJECT_FUNCTION* function, 70 | const char* actual_args_fmt); 71 | 72 | 73 | YR_STRING* yr_parser_lookup_string( 74 | yyscan_t yyscanner, 75 | const char* identifier); 76 | 77 | 78 | int yr_parser_lookup_loop_variable( 79 | yyscan_t yyscanner, 80 | const char* identifier); 81 | 82 | 83 | YR_RULE* yr_parser_reduce_rule_declaration_phase_1( 84 | yyscan_t yyscanner, 85 | int32_t flags, 86 | const char* identifier); 87 | 88 | 89 | int yr_parser_reduce_rule_declaration_phase_2( 90 | yyscan_t yyscanner, 91 | YR_RULE* rule); 92 | 93 | 94 | YR_STRING* yr_parser_reduce_string_declaration( 95 | yyscan_t yyscanner, 96 | int32_t flags, 97 | const char* identifier, 98 | SIZED_STRING* str); 99 | 100 | 101 | YR_META* yr_parser_reduce_meta_declaration( 102 | yyscan_t yyscanner, 103 | int32_t type, 104 | const char* identifier, 105 | const char* string, 106 | int64_t integer); 107 | 108 | 109 | int yr_parser_reduce_string_identifier( 110 | yyscan_t yyscanner, 111 | const char* identifier, 112 | uint8_t instruction, 113 | uint64_t at_offset); 114 | 115 | 116 | int yr_parser_emit_pushes_for_strings( 117 | yyscan_t yyscanner, 118 | const char* identifier); 119 | 120 | 121 | int yr_parser_reduce_external( 122 | yyscan_t yyscanner, 123 | const char* identifier, 124 | uint8_t intruction); 125 | 126 | 127 | int yr_parser_reduce_import( 128 | yyscan_t yyscanner, 129 | SIZED_STRING* module_name); 130 | 131 | 132 | int yr_parser_reduce_operation( 133 | yyscan_t yyscanner, 134 | const char* operation, 135 | EXPRESSION left_operand, 136 | EXPRESSION right_operand); 137 | 138 | #endif 139 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/arena.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_ARENA_H 31 | #define YR_ARENA_H 32 | 33 | #include 34 | 35 | #include "integers.h" 36 | #include "stream.h" 37 | 38 | #define ARENA_FLAGS_FIXED_SIZE 1 39 | #define ARENA_FLAGS_COALESCED 2 40 | #define ARENA_FILE_VERSION 11 41 | 42 | #define EOL ((size_t) -1) 43 | 44 | 45 | typedef struct _YR_RELOC 46 | { 47 | uint32_t offset; 48 | struct _YR_RELOC* next; 49 | 50 | } YR_RELOC; 51 | 52 | 53 | typedef struct _YR_ARENA_PAGE 54 | { 55 | 56 | uint8_t* new_address; 57 | uint8_t* address; 58 | 59 | size_t size; 60 | size_t used; 61 | 62 | YR_RELOC* reloc_list_head; 63 | YR_RELOC* reloc_list_tail; 64 | 65 | struct _YR_ARENA_PAGE* next; 66 | struct _YR_ARENA_PAGE* prev; 67 | 68 | } YR_ARENA_PAGE; 69 | 70 | 71 | typedef struct _YR_ARENA 72 | { 73 | int flags; 74 | 75 | YR_ARENA_PAGE* page_list_head; 76 | YR_ARENA_PAGE* current_page; 77 | 78 | } YR_ARENA; 79 | 80 | 81 | int yr_arena_create( 82 | size_t initial_size, 83 | int flags, 84 | YR_ARENA** arena); 85 | 86 | 87 | void yr_arena_destroy( 88 | YR_ARENA* arena); 89 | 90 | 91 | void* yr_arena_base_address( 92 | YR_ARENA* arena); 93 | 94 | 95 | void* yr_arena_next_address( 96 | YR_ARENA* arena, 97 | void* address, 98 | size_t offset); 99 | 100 | 101 | int yr_arena_coalesce( 102 | YR_ARENA* arena); 103 | 104 | 105 | int yr_arena_reserve_memory( 106 | YR_ARENA* arena, 107 | size_t size); 108 | 109 | 110 | int yr_arena_allocate_memory( 111 | YR_ARENA* arena, 112 | size_t size, 113 | void** allocated_memory); 114 | 115 | 116 | int yr_arena_allocate_struct( 117 | YR_ARENA* arena, 118 | size_t size, 119 | void** allocated_memory, 120 | ...); 121 | 122 | 123 | int yr_arena_make_relocatable( 124 | YR_ARENA* arena, 125 | void* base, 126 | ...); 127 | 128 | 129 | int yr_arena_write_data( 130 | YR_ARENA* arena, 131 | void* data, 132 | size_t size, 133 | void** written_data); 134 | 135 | 136 | int yr_arena_write_string( 137 | YR_ARENA* arena, 138 | const char* string, 139 | char** written_string); 140 | 141 | 142 | int yr_arena_append( 143 | YR_ARENA* target_arena, 144 | YR_ARENA* source_arena); 145 | 146 | 147 | int yr_arena_load_stream( 148 | YR_STREAM* stream, 149 | YR_ARENA** arena); 150 | 151 | 152 | int yr_arena_save_stream( 153 | YR_ARENA* arena, 154 | YR_STREAM* stream); 155 | 156 | 157 | int yr_arena_duplicate( 158 | YR_ARENA* arena, 159 | YR_ARENA** duplicated); 160 | 161 | 162 | void yr_arena_print( 163 | YR_ARENA* arena); 164 | 165 | #endif 166 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/lexer.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. Victor M. Alvarez [plusvic@gmail.com]. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #include "compiler.h" 31 | 32 | 33 | #undef yyparse 34 | #undef yylex 35 | #undef yyerror 36 | #undef yyfatal 37 | #undef yychar 38 | #undef yydebug 39 | #undef yynerrs 40 | #undef yyget_extra 41 | #undef yyget_lineno 42 | 43 | #undef YY_DECL 44 | #undef YY_FATAL_ERROR 45 | #undef YY_EXTRA_TYPE 46 | 47 | #define yyparse yara_yyparse 48 | #define yylex yara_yylex 49 | #define yyerror yara_yyerror 50 | #define yyfatal yara_yyfatal 51 | #define yywarning yara_yywarning 52 | #define yychar yara_yychar 53 | #define yydebug yara_yydebug 54 | #define yynerrs yara_yynerrs 55 | #define yyget_extra yara_yyget_extra 56 | #define yyget_lineno yara_yyget_lineno 57 | 58 | 59 | #ifndef YY_TYPEDEF_YY_SCANNER_T 60 | #define YY_TYPEDEF_YY_SCANNER_T 61 | typedef void* yyscan_t; 62 | #endif 63 | 64 | #ifndef YY_TYPEDEF_EXPRESSION_T 65 | #define YY_TYPEDEF_EXPRESSION_T 66 | 67 | 68 | // Expression type constants are powers of two because they are used as flags. 69 | // For example: 70 | // CHECK_TYPE(whatever, EXPRESSION_TYPE_INTEGER | EXPRESSION_TYPE_FLOAT) 71 | // The expression above is used to ensure that the type of "whatever" is either 72 | // integer or float. 73 | 74 | #define EXPRESSION_TYPE_BOOLEAN 1 75 | #define EXPRESSION_TYPE_INTEGER 2 76 | #define EXPRESSION_TYPE_STRING 4 77 | #define EXPRESSION_TYPE_REGEXP 8 78 | #define EXPRESSION_TYPE_OBJECT 16 79 | #define EXPRESSION_TYPE_FLOAT 32 80 | 81 | typedef struct _EXPRESSION 82 | { 83 | int type; 84 | 85 | union 86 | { 87 | int64_t integer; 88 | YR_OBJECT* object; 89 | SIZED_STRING* sized_string; 90 | } value; 91 | 92 | const char* identifier; 93 | 94 | } EXPRESSION; 95 | 96 | union YYSTYPE; 97 | 98 | #endif 99 | 100 | 101 | #define YY_DECL int yylex( \ 102 | union YYSTYPE* yylval_param, yyscan_t yyscanner, YR_COMPILER* compiler) 103 | 104 | 105 | #define YY_FATAL_ERROR(msg) yara_yyfatal(yyscanner, msg) 106 | 107 | 108 | #define YY_EXTRA_TYPE YR_COMPILER* 109 | #define YY_USE_CONST 110 | 111 | 112 | int yyget_lineno(yyscan_t yyscanner); 113 | 114 | int yylex( 115 | union YYSTYPE* yylval_param, 116 | yyscan_t yyscanner, 117 | YR_COMPILER* compiler); 118 | 119 | int yyparse( 120 | void* yyscanner, 121 | YR_COMPILER* compiler); 122 | 123 | void yyerror( 124 | yyscan_t yyscanner, 125 | YR_COMPILER* compiler, 126 | const char* error_message); 127 | 128 | void yywarning( 129 | yyscan_t yyscanner, 130 | const char* message_fmt, 131 | ...); 132 | 133 | void yyfatal( 134 | yyscan_t yyscanner, 135 | const char* error_message); 136 | 137 | YY_EXTRA_TYPE yyget_extra( 138 | yyscan_t yyscanner); 139 | 140 | int yr_lex_parse_rules_string( 141 | const char* rules_string, 142 | YR_COMPILER* compiler); 143 | 144 | int yr_lex_parse_rules_file( 145 | FILE* rules_file, 146 | YR_COMPILER* compiler); 147 | -------------------------------------------------------------------------------- /pe/pluginmain.cpp: -------------------------------------------------------------------------------- 1 | // Copyright (c) 2017-2019 hors 2 | // 3 | // Permission is hereby granted, free of charge, to any person obtaining a copy 4 | // of this software and associated documentation files (the "Software"), to deal 5 | // in the Software without restriction, including without limitation the rights 6 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | // copies of the Software, and to permit persons to whom the Software is 8 | // furnished to do so, subject to the following conditions: 9 | 10 | // The above copyright notice and this permission notice shall be included in all 11 | // copies or substantial portions of the Software. 12 | 13 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | // SOFTWARE. 20 | // 21 | #include "pluginmain.h" 22 | 23 | int Plugin::handle; 24 | HWND Plugin::hwndDlg; 25 | int Plugin::hMenu; 26 | int Plugin::hMenuDisasm; 27 | int Plugin::hMenuDump; 28 | int Plugin::hMenuStack; 29 | QString Plugin::sCurrentFileName; 30 | PEWidget *Plugin::pFormResult=nullptr; 31 | FW_DEF::OPTIONS Plugin::options={}; 32 | QFile *Plugin::pFile=nullptr; 33 | 34 | extern "C" __declspec(dllexport) bool pluginit(PLUG_INITSTRUCT* initStruct) 35 | { 36 | initStruct->pluginVersion = plugin_version; 37 | initStruct->sdkVersion = PLUG_SDKVERSION; 38 | strcpy_s(initStruct->pluginName, plugin_name); 39 | 40 | Plugin::handle = initStruct->pluginHandle; 41 | QtPlugin::Init(); 42 | 43 | Plugin::options={}; 44 | Plugin::pFile=nullptr; 45 | Plugin::options.nImageBase=-1; 46 | 47 | return true; 48 | } 49 | 50 | extern "C" __declspec(dllexport) void plugsetup(PLUG_SETUPSTRUCT* setupStruct) 51 | { 52 | Plugin::hwndDlg = setupStruct->hwndDlg; 53 | Plugin::hMenu = setupStruct->hMenu; 54 | Plugin::hMenuDisasm = setupStruct->hMenuDisasm; 55 | Plugin::hMenuDump = setupStruct->hMenuDump; 56 | Plugin::hMenuStack = setupStruct->hMenuStack; 57 | GuiExecuteOnGuiThread(QtPlugin::Setup); 58 | QtPlugin::WaitForSetup(); 59 | 60 | _plugin_menuaddentry(Plugin::hMenu, 0, "&About..."); 61 | } 62 | 63 | extern "C" __declspec(dllexport) bool plugstop() 64 | { 65 | GuiExecuteOnGuiThread(QtPlugin::Stop); 66 | QtPlugin::WaitForStop(); 67 | return true; 68 | } 69 | 70 | extern "C" __declspec(dllexport) void CBINITDEBUG(CBTYPE cbType, PLUG_CB_INITDEBUG* info) 71 | { 72 | Plugin::sCurrentFileName=info->szFileName; 73 | } 74 | 75 | extern "C" __declspec(dllexport) void CBMENUENTRY(CBTYPE cbType, PLUG_CB_MENUENTRY* info) 76 | { 77 | switch(info->hEntry) 78 | { 79 | case Plugin::PLUGIN_MENU_ABOUT: 80 | if(Plugin::pFormResult) 81 | { 82 | DialogInfo di(Plugin::pFormResult); 83 | 84 | di.exec(); 85 | } 86 | break; 87 | default: 88 | break; 89 | } 90 | } 91 | 92 | extern "C" __declspec(dllexport) void CBCREATEPROCESS(CBTYPE cbType, PLUG_CB_CREATEPROCESS* info) 93 | { 94 | if(Plugin::pFormResult) 95 | { 96 | if(Plugin::pFile) 97 | { 98 | if(Plugin::pFile->isOpen()) 99 | { 100 | Plugin::pFile->close(); 101 | } 102 | 103 | delete Plugin::pFile; 104 | Plugin::pFile=0; 105 | } 106 | 107 | if(Plugin::sCurrentFileName!="") 108 | { 109 | Plugin::pFile=new QFile; 110 | 111 | Plugin::pFile->setFileName(Plugin::sCurrentFileName); 112 | 113 | if(Plugin::pFile->open(QIODevice::ReadOnly)) 114 | { 115 | Plugin::pFormResult->show(); 116 | Plugin::pFormResult->setData(Plugin::pFile,Plugin::options,0,0,0); 117 | } 118 | } 119 | } 120 | } 121 | 122 | extern "C" __declspec(dllexport) void CBSTOPDEBUG(CBTYPE cbType, PLUG_CB_STOPDEBUG* info) 123 | { 124 | if(Plugin::pFile) 125 | { 126 | if(Plugin::pFile->isOpen()) 127 | { 128 | Plugin::pFile->close(); 129 | } 130 | 131 | delete Plugin::pFile; 132 | Plugin::pFile=0; 133 | } 134 | 135 | Plugin::pFormResult->hide(); 136 | } 137 | 138 | -------------------------------------------------------------------------------- /pe/pe.pro: -------------------------------------------------------------------------------- 1 | CONFIG(debug, debug|release) { 2 | DIR_SUFFIX = d 3 | } else { 4 | DIR_SUFFIX = 5 | } 6 | 7 | !contains(QMAKE_HOST.arch, x86_64) { 8 | X64_BIN_DIR = bin/x32$${DIR_SUFFIX} # BIN path, 32-bit 9 | X64_TMP_DIR = tmp/out32$${DIR_SUFFIX} # QMake temporary generated files, placed inside the build folder. (OBJ, UI, MOC) 10 | } else { 11 | X64_BIN_DIR = bin/x64$${DIR_SUFFIX} # BIN path, 64-bit 12 | X64_TMP_DIR = tmp/out64$${DIR_SUFFIX} # QMake temporary generated files, placed inside the build folder. (OBJ, UI, MOC) 13 | } 14 | 15 | OBJECTS_DIR = $${X64_TMP_DIR} 16 | MOC_DIR = $${X64_TMP_DIR} 17 | RCC_DIR = $${X64_TMP_DIR} 18 | UI_DIR = $${X64_TMP_DIR} 19 | 20 | ### VS compiler 21 | 22 | ## 23 | ## QMake output directories 24 | ## 25 | DESTDIR = $${X64_BIN_DIR} 26 | 27 | QT += core gui widgets 28 | 29 | #generate debug symbols in release mode 30 | QMAKE_CFLAGS_RELEASE += -Zi 31 | QMAKE_LFLAGS_RELEASE += /DEBUG 32 | 33 | # http://www.hexblog.com/?p=991 34 | QMAKE_CXXFLAGS += -DQT_NO_UNICODE_LITERAL 35 | 36 | TARGET = peviewer 37 | TEMPLATE = lib 38 | LIBS += -luser32 -lshlwapi 39 | 40 | !contains(QMAKE_HOST.arch, x86_64) { 41 | LIBS += -lx32dbg -lx32bridge -L"$$PWD/pluginsdk" 42 | } else { 43 | LIBS += -lx64dbg -lx64bridge -L"$$PWD/pluginsdk" 44 | } 45 | 46 | SOURCES +=\ 47 | pluginmain.cpp \ 48 | QtPlugin.cpp \ 49 | PluginMainWindow.cpp \ 50 | PluginTabWidget.cpp \ 51 | dialoginfo.cpp 52 | 53 | HEADERS += \ 54 | pluginmain.h \ 55 | pluginsdk/capstone/arm.h \ 56 | pluginsdk/capstone/arm64.h \ 57 | pluginsdk/capstone/capstone.h \ 58 | pluginsdk/capstone/mips.h \ 59 | pluginsdk/capstone/platform.h \ 60 | pluginsdk/capstone/ppc.h \ 61 | pluginsdk/capstone/sparc.h \ 62 | pluginsdk/capstone/systemz.h \ 63 | pluginsdk/capstone/x86.h \ 64 | pluginsdk/capstone/xcore.h \ 65 | pluginsdk/dbghelp/dbghelp.h \ 66 | pluginsdk/DeviceNameResolver/DeviceNameResolver.h \ 67 | pluginsdk/jansson/jansson.h \ 68 | pluginsdk/jansson/jansson_config.h \ 69 | pluginsdk/jansson/jansson_x64dbg.h \ 70 | pluginsdk/lz4/lz4.h \ 71 | pluginsdk/lz4/lz4file.h \ 72 | pluginsdk/lz4/lz4hc.h \ 73 | pluginsdk/TitanEngine/TitanEngine.h \ 74 | pluginsdk/XEDParse/XEDParse.h \ 75 | pluginsdk/yara/yara/ahocorasick.h \ 76 | pluginsdk/yara/yara/arena.h \ 77 | pluginsdk/yara/yara/atoms.h \ 78 | pluginsdk/yara/yara/compiler.h \ 79 | pluginsdk/yara/yara/elf.h \ 80 | pluginsdk/yara/yara/error.h \ 81 | pluginsdk/yara/yara/exec.h \ 82 | pluginsdk/yara/yara/exefiles.h \ 83 | pluginsdk/yara/yara/filemap.h \ 84 | pluginsdk/yara/yara/globals.h \ 85 | pluginsdk/yara/yara/hash.h \ 86 | pluginsdk/yara/yara/hex_lexer.h \ 87 | pluginsdk/yara/yara/lexer.h \ 88 | pluginsdk/yara/yara/libyara.h \ 89 | pluginsdk/yara/yara/limits.h \ 90 | pluginsdk/yara/yara/mem.h \ 91 | pluginsdk/yara/yara/modules.h \ 92 | pluginsdk/yara/yara/object.h \ 93 | pluginsdk/yara/yara/parser.h \ 94 | pluginsdk/yara/yara/pe.h \ 95 | pluginsdk/yara/yara/proc.h \ 96 | pluginsdk/yara/yara/re.h \ 97 | pluginsdk/yara/yara/re_lexer.h \ 98 | pluginsdk/yara/yara/rules.h \ 99 | pluginsdk/yara/yara/scan.h \ 100 | pluginsdk/yara/yara/sizedstr.h \ 101 | pluginsdk/yara/yara/strutils.h \ 102 | pluginsdk/yara/yara/types.h \ 103 | pluginsdk/yara/yara/utils.h \ 104 | pluginsdk/yara/yara.h \ 105 | pluginsdk/_dbgfunctions.h \ 106 | pluginsdk/_plugin_types.h \ 107 | pluginsdk/_plugins.h \ 108 | pluginsdk/_scriptapi.h \ 109 | pluginsdk/_scriptapi_assembler.h \ 110 | pluginsdk/_scriptapi_debug.h \ 111 | pluginsdk/_scriptapi_gui.h \ 112 | pluginsdk/_scriptapi_memory.h \ 113 | pluginsdk/_scriptapi_misc.h \ 114 | pluginsdk/_scriptapi_module.h \ 115 | pluginsdk/_scriptapi_pattern.h \ 116 | pluginsdk/_scriptapi_register.h \ 117 | pluginsdk/_scriptapi_stack.h \ 118 | pluginsdk/bridgemain.h \ 119 | QtPlugin.h \ 120 | PluginMainWindow.h \ 121 | PluginTabWidget.h \ 122 | pluginsdk/_scriptapi_argument.h \ 123 | pluginsdk/_scriptapi_bookmark.h \ 124 | pluginsdk/_scriptapi_comment.h \ 125 | pluginsdk/_scriptapi_flag.h \ 126 | pluginsdk/_scriptapi_function.h \ 127 | pluginsdk/_scriptapi_label.h \ 128 | pluginsdk/_scriptapi_symbol.h \ 129 | pluginsdk/bridgegraph.h \ 130 | pluginsdk/bridgelist.h \ 131 | dialoginfo.h 132 | 133 | FORMS += \ 134 | PluginMainWindow.ui \ 135 | dialoginfo.ui 136 | 137 | RESOURCES += \ 138 | resource.qrc 139 | 140 | !contains(XCONFIG, formresult) { 141 | XCONFIG += formresult 142 | include(FormatWidgets/PE/pewidget.pri) 143 | } 144 | -------------------------------------------------------------------------------- /pe/pluginsdk/bridgelist.h: -------------------------------------------------------------------------------- 1 | #ifndef _LIST_H 2 | #define _LIST_H 3 | 4 | typedef struct 5 | { 6 | int count; //Number of element in the list. 7 | size_t size; //Size of list in bytes (used for type checking). 8 | void* data; //Pointer to the list contents. Must be deleted by the caller using BridgeFree (or BridgeList::Free). 9 | } ListInfo; 10 | 11 | #define ListOf(Type) ListInfo* 12 | 13 | #ifdef __cplusplus 14 | 15 | #include 16 | 17 | /** 18 | \brief A list object. This object is NOT thread safe. 19 | \tparam Type BridgeList contents type. 20 | */ 21 | template 22 | class BridgeList 23 | { 24 | public: 25 | /** 26 | \brief BridgeList constructor. 27 | \param _freeData (Optional) the free function. 28 | */ 29 | explicit BridgeList() 30 | { 31 | memset(&_listInfo, 0, sizeof(_listInfo)); 32 | } 33 | 34 | /** 35 | \brief BridgeList destructor. 36 | */ 37 | ~BridgeList() 38 | { 39 | Cleanup(); 40 | } 41 | 42 | /** 43 | \brief Gets the list data. 44 | \return Returns ListInfo->data. Can be null if the list was never initialized. Will be destroyed once this object goes out of scope! 45 | */ 46 | Type* Data() const 47 | { 48 | return reinterpret_cast(_listInfo.data); 49 | } 50 | 51 | /** 52 | \brief Gets the number of elements in the list. This will crash the program if the data is not consistent with the specified template argument. 53 | \return The number of elements in the list. 54 | */ 55 | int Count() const 56 | { 57 | if(_listInfo.size != _listInfo.count * sizeof(Type)) //make sure the user is using the correct type. 58 | __debugbreak(); 59 | return _listInfo.count; 60 | } 61 | 62 | /** 63 | \brief Cleans up the list, freeing the list data when it is not null. 64 | */ 65 | void Cleanup() 66 | { 67 | if(_listInfo.data) 68 | { 69 | BridgeFree(_listInfo.data); 70 | _listInfo.data = nullptr; 71 | } 72 | } 73 | 74 | /** 75 | \brief Reference operator (cleans up the previous list) 76 | \return Pointer to the ListInfo. 77 | */ 78 | ListInfo* operator&() 79 | { 80 | Cleanup(); 81 | return &_listInfo; 82 | } 83 | 84 | /** 85 | \brief Array indexer operator. This will crash if you try to access out-of-bounds. 86 | \param index Zero-based index of the item you want to get. 87 | \return Reference to a value at that index. 88 | */ 89 | Type & operator[](size_t index) const 90 | { 91 | if(index >= size_t(Count())) //make sure the out-of-bounds access is caught as soon as possible. 92 | __debugbreak(); 93 | return Data()[index]; 94 | } 95 | 96 | /** 97 | \brief Copies data to a ListInfo structure.. 98 | \param [out] listInfo If non-null, information describing the list. 99 | \param listData Data to copy in the ListInfo structure. 100 | \return true if it succeeds, false if it fails. 101 | */ 102 | static bool CopyData(ListInfo* listInfo, const std::vector & listData) 103 | { 104 | if(!listInfo) 105 | return false; 106 | listInfo->count = int(listData.size()); 107 | listInfo->size = listInfo->count * sizeof(Type); 108 | if(listInfo->count) 109 | { 110 | listInfo->data = BridgeAlloc(listInfo->size); 111 | Type* curItem = reinterpret_cast(listInfo->data); 112 | for(const auto & item : listData) 113 | { 114 | *curItem = item; 115 | ++curItem; 116 | } 117 | } 118 | else 119 | listInfo->data = nullptr; 120 | return true; 121 | } 122 | 123 | static bool Free(const ListInfo* listInfo) 124 | { 125 | if(!listInfo || listInfo->size != listInfo->count * sizeof(Type) || (listInfo->count && !listInfo->data)) 126 | return false; 127 | BridgeFree(listInfo->data); 128 | return true; 129 | } 130 | 131 | static bool ToVector(const ListInfo* listInfo, std::vector & listData, bool freedata = true) 132 | { 133 | if(!listInfo || listInfo->size != listInfo->count * sizeof(Type) || (listInfo->count && !listInfo->data)) 134 | return false; 135 | listData.resize(listInfo->count); 136 | for(int i = 0; i < listInfo->count; i++) 137 | listData[i] = ((Type*)listInfo->data)[i]; 138 | if(freedata && listInfo->data) 139 | BridgeFree(listInfo->data); 140 | return true; 141 | } 142 | 143 | private: 144 | ListInfo _listInfo; 145 | }; 146 | 147 | #endif //__cplusplus 148 | 149 | #endif //_LIST_H -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/rules.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_RULES_H 31 | #define YR_RULES_H 32 | 33 | #include "types.h" 34 | #include "utils.h" 35 | #include "filemap.h" 36 | 37 | 38 | #define CALLBACK_MSG_RULE_MATCHING 1 39 | #define CALLBACK_MSG_RULE_NOT_MATCHING 2 40 | #define CALLBACK_MSG_SCAN_FINISHED 3 41 | #define CALLBACK_MSG_IMPORT_MODULE 4 42 | #define CALLBACK_MSG_MODULE_IMPORTED 5 43 | 44 | #define CALLBACK_CONTINUE 0 45 | #define CALLBACK_ABORT 1 46 | #define CALLBACK_ERROR 2 47 | 48 | 49 | #define yr_rule_tags_foreach(rule, tag_name) \ 50 | for (tag_name = rule->tags; \ 51 | tag_name != NULL && *tag_name != '\0'; \ 52 | tag_name += strlen(tag_name) + 1) 53 | 54 | 55 | #define yr_rule_metas_foreach(rule, meta) \ 56 | for (meta = rule->metas; !META_IS_NULL(meta); meta++) 57 | 58 | 59 | #define yr_rule_strings_foreach(rule, string) \ 60 | for (string = rule->strings; !STRING_IS_NULL(string); string++) 61 | 62 | 63 | #define yr_string_matches_foreach(string, match) \ 64 | for (match = STRING_MATCHES(string).head; match != NULL; match = match->next) 65 | 66 | 67 | #define yr_rules_foreach(rules, rule) \ 68 | for (rule = rules->rules_list_head; !RULE_IS_NULL(rule); rule++) 69 | 70 | 71 | 72 | YR_API int yr_rules_scan_mem( 73 | YR_RULES* rules, 74 | uint8_t* buffer, 75 | size_t buffer_size, 76 | int flags, 77 | YR_CALLBACK_FUNC callback, 78 | void* user_data, 79 | int timeout); 80 | 81 | 82 | YR_API int yr_rules_scan_file( 83 | YR_RULES* rules, 84 | const char* filename, 85 | int flags, 86 | YR_CALLBACK_FUNC callback, 87 | void* user_data, 88 | int timeout); 89 | 90 | 91 | YR_API int yr_rules_scan_fd( 92 | YR_RULES* rules, 93 | YR_FILE_DESCRIPTOR fd, 94 | int flags, 95 | YR_CALLBACK_FUNC callback, 96 | void* user_data, 97 | int timeout); 98 | 99 | 100 | YR_API int yr_rules_scan_proc( 101 | YR_RULES* rules, 102 | int pid, 103 | int flags, 104 | YR_CALLBACK_FUNC callback, 105 | void* user_data, 106 | int timeout); 107 | 108 | YR_API int yr_rules_save( 109 | YR_RULES* rules, 110 | const char* filename); 111 | 112 | 113 | YR_API int yr_rules_save_stream( 114 | YR_RULES* rules, 115 | YR_STREAM* stream); 116 | 117 | 118 | YR_API int yr_rules_load( 119 | const char* filename, 120 | YR_RULES** rules); 121 | 122 | 123 | YR_API int yr_rules_load_stream( 124 | YR_STREAM* stream, 125 | YR_RULES** rules); 126 | 127 | 128 | YR_API int yr_rules_destroy( 129 | YR_RULES* rules); 130 | 131 | 132 | YR_API int yr_rules_define_integer_variable( 133 | YR_RULES* rules, 134 | const char* identifier, 135 | int64_t value); 136 | 137 | 138 | YR_API int yr_rules_define_boolean_variable( 139 | YR_RULES* rules, 140 | const char* identifier, 141 | int value); 142 | 143 | 144 | YR_API int yr_rules_define_float_variable( 145 | YR_RULES* rules, 146 | const char* identifier, 147 | double value); 148 | 149 | 150 | YR_API int yr_rules_define_string_variable( 151 | YR_RULES* rules, 152 | const char* identifier, 153 | const char* value); 154 | 155 | 156 | YR_API void yr_rules_print_profiling_info( 157 | YR_RULES* rules); 158 | 159 | #endif 160 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/error.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_ERROR_H 31 | #define YR_ERROR_H 32 | 33 | #include 34 | 35 | #if defined(_WIN32) || defined(__CYGWIN__) 36 | #include 37 | #endif 38 | 39 | #ifndef ERROR_SUCCESS 40 | #define ERROR_SUCCESS 0 41 | #endif 42 | 43 | #define ERROR_INSUFICIENT_MEMORY 1 44 | #define ERROR_COULD_NOT_ATTACH_TO_PROCESS 2 45 | #define ERROR_COULD_NOT_OPEN_FILE 3 46 | #define ERROR_COULD_NOT_MAP_FILE 4 47 | #define ERROR_INVALID_FILE 6 48 | #define ERROR_CORRUPT_FILE 7 49 | #define ERROR_UNSUPPORTED_FILE_VERSION 8 50 | #define ERROR_INVALID_REGULAR_EXPRESSION 9 51 | #define ERROR_INVALID_HEX_STRING 10 52 | #define ERROR_SYNTAX_ERROR 11 53 | #define ERROR_LOOP_NESTING_LIMIT_EXCEEDED 12 54 | #define ERROR_DUPLICATED_LOOP_IDENTIFIER 13 55 | #define ERROR_DUPLICATED_IDENTIFIER 14 56 | #define ERROR_DUPLICATED_TAG_IDENTIFIER 15 57 | #define ERROR_DUPLICATED_META_IDENTIFIER 16 58 | #define ERROR_DUPLICATED_STRING_IDENTIFIER 17 59 | #define ERROR_UNREFERENCED_STRING 18 60 | #define ERROR_UNDEFINED_STRING 19 61 | #define ERROR_UNDEFINED_IDENTIFIER 20 62 | #define ERROR_MISPLACED_ANONYMOUS_STRING 21 63 | #define ERROR_INCLUDES_CIRCULAR_REFERENCE 22 64 | #define ERROR_INCLUDE_DEPTH_EXCEEDED 23 65 | #define ERROR_WRONG_TYPE 24 66 | #define ERROR_EXEC_STACK_OVERFLOW 25 67 | #define ERROR_SCAN_TIMEOUT 26 68 | #define ERROR_TOO_MANY_SCAN_THREADS 27 69 | #define ERROR_CALLBACK_ERROR 28 70 | #define ERROR_INVALID_ARGUMENT 29 71 | #define ERROR_TOO_MANY_MATCHES 30 72 | #define ERROR_INTERNAL_FATAL_ERROR 31 73 | #define ERROR_NESTED_FOR_OF_LOOP 32 74 | #define ERROR_INVALID_FIELD_NAME 33 75 | #define ERROR_UNKNOWN_MODULE 34 76 | #define ERROR_NOT_A_STRUCTURE 35 77 | #define ERROR_NOT_INDEXABLE 36 78 | #define ERROR_NOT_A_FUNCTION 37 79 | #define ERROR_INVALID_FORMAT 38 80 | #define ERROR_TOO_MANY_ARGUMENTS 39 81 | #define ERROR_WRONG_ARGUMENTS 40 82 | #define ERROR_WRONG_RETURN_TYPE 41 83 | #define ERROR_DUPLICATED_STRUCTURE_MEMBER 42 84 | #define ERROR_EMPTY_STRING 43 85 | #define ERROR_DIVISION_BY_ZERO 44 86 | #define ERROR_REGULAR_EXPRESSION_TOO_LARGE 45 87 | #define ERROR_TOO_MANY_RE_FIBERS 46 88 | #define ERROR_COULD_NOT_READ_PROCESS_MEMORY 47 89 | #define ERROR_INVALID_EXTERNAL_VARIABLE_TYPE 48 90 | 91 | 92 | #define FAIL_ON_ERROR(x) { \ 93 | int result = (x); \ 94 | if (result != ERROR_SUCCESS) \ 95 | return result; \ 96 | } 97 | 98 | #define FAIL_ON_ERROR_WITH_CLEANUP(x, cleanup) { \ 99 | int result = (x); \ 100 | if (result != ERROR_SUCCESS) { \ 101 | cleanup; \ 102 | return result; \ 103 | } \ 104 | } 105 | 106 | #define FAIL_ON_COMPILER_ERROR(x) { \ 107 | compiler->last_result = (x); \ 108 | if (compiler->last_result != ERROR_SUCCESS) \ 109 | return compiler->last_result; \ 110 | } 111 | 112 | 113 | #ifdef NDEBUG 114 | #define assertf(expr, msg, ...) ((void)0) 115 | #else 116 | #define assertf(expr, msg, ...) \ 117 | if(!(expr)) { \ 118 | fprintf(stderr, "%s:%d: " msg "\n", __FILE__, __LINE__, ##__VA_ARGS__); \ 119 | abort(); \ 120 | } 121 | #endif 122 | 123 | #endif 124 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "pe/FormatWidgets"] 2 | path = pe/FormatWidgets 3 | url = https://github.com/horsicq/FormatWidgets.git 4 | [submodule "pe/FormatDialogs"] 5 | path = pe/FormatDialogs 6 | url = https://github.com/horsicq/FormatDialogs.git 7 | [submodule "pe/Controls"] 8 | path = pe/Controls 9 | url = https://github.com/horsicq/Controls.git 10 | [submodule "pe/Formats"] 11 | path = pe/Formats 12 | url = https://github.com/horsicq/Formats.git 13 | [submodule "pe/QHexView"] 14 | path = pe/QHexView 15 | url = https://github.com/horsicq/QHexView.git 16 | [submodule "pe/XMemoryMapWidget"] 17 | path = pe/XMemoryMapWidget 18 | url = https://github.com/horsicq/XMemoryMapWidget.git 19 | [submodule "pe/XEntropyWidget"] 20 | path = pe/XEntropyWidget 21 | url = https://github.com/horsicq/XEntropyWidget.git 22 | [submodule "pe/XQwt"] 23 | path = pe/XQwt 24 | url = https://github.com/horsicq/XQwt.git 25 | [submodule "pe/XHashWidget"] 26 | path = pe/XHashWidget 27 | url = https://github.com/horsicq/XHashWidget.git 28 | [submodule "pe/StaticScan"] 29 | path = pe/StaticScan 30 | url = https://github.com/horsicq/StaticScan.git 31 | [submodule "pe/SpecAbstract"] 32 | path = pe/SpecAbstract 33 | url = https://github.com/horsicq/SpecAbstract.git 34 | [submodule "pe/XArchive"] 35 | path = pe/XArchive 36 | url = https://github.com/horsicq/XArchive.git 37 | [submodule "pe/XDEX"] 38 | path = pe/XDEX 39 | url = https://github.com/horsicq/XDEX.git 40 | [submodule "pe/signatures"] 41 | path = pe/signatures 42 | url = https://github.com/horsicq/signatures.git 43 | [submodule "pe/XDisasmView"] 44 | path = pe/XDisasmView 45 | url = https://github.com/horsicq/XDisasmView.git 46 | [submodule "pe/XHexView"] 47 | path = pe/XHexView 48 | url = https://github.com/horsicq/XHexView.git 49 | [submodule "pe/XShortcuts"] 50 | path = pe/XShortcuts 51 | url = https://github.com/horsicq/XShortcuts.git 52 | [submodule "pe/XHexEdit"] 53 | path = pe/XHexEdit 54 | url = https://github.com/horsicq/XHexEdit.git 55 | [submodule "pe/XDemangle"] 56 | path = pe/XDemangle 57 | url = https://github.com/horsicq/XDemangle.git 58 | [submodule "pe/XDemangleWidget"] 59 | path = pe/XDemangleWidget 60 | url = https://github.com/horsicq/XDemangleWidget.git 61 | [submodule "pe/XLLVMDemangler"] 62 | path = pe/XLLVMDemangler 63 | url = https://github.com/horsicq/XLLVMDemangler.git 64 | [submodule "pe/build_tools"] 65 | path = pe/build_tools 66 | url = https://github.com/horsicq/build_tools 67 | [submodule "pe/XCppfilt"] 68 | path = pe/XCppfilt 69 | url = https://github.com/horsicq/XCppfilt 70 | [submodule "pe/XOptions"] 71 | path = pe/XOptions 72 | url = https://github.com/horsicq/XOptions 73 | [submodule "pe/XDynStructs"] 74 | path = pe/XDynStructs 75 | url = https://github.com/horsicq/XDynStructs 76 | [submodule "pe/XDynStructsEngine"] 77 | path = pe/XDynStructsEngine 78 | url = https://github.com/horsicq/XDynStructsEngine 79 | [submodule "pe/XDynStructsWidget"] 80 | path = pe/XDynStructsWidget 81 | url = https://github.com/horsicq/XDynStructsWidget 82 | [submodule "pe/XCapstone"] 83 | path = pe/XCapstone 84 | url = https://github.com/horsicq/XCapstone 85 | [submodule "pe/XFileInfo"] 86 | path = pe/XFileInfo 87 | url = https://github.com/horsicq/XFileInfo 88 | [submodule "pe/XPDF"] 89 | path = pe/XPDF 90 | url = https://github.com/horsicq/XPDF 91 | [submodule "pe/XStyles"] 92 | path = pe/XStyles 93 | url = https://github.com/horsicq/XStyles 94 | [submodule "pe/XTranslation"] 95 | path = pe/XTranslation 96 | url = https://github.com/horsicq/XTranslation 97 | [submodule "pe/archive_widget"] 98 | path = pe/archive_widget 99 | url = https://github.com/horsicq/archive_widget 100 | [submodule "pe/XInfoDB"] 101 | path = pe/XInfoDB 102 | url = https://github.com/horsicq/XInfoDB 103 | [submodule "pe/XSymbolsWidget"] 104 | path = pe/XSymbolsWidget 105 | url = https://github.com/horsicq/XSymbolsWidget 106 | [submodule "pe/XOnlineTools"] 107 | path = pe/XOnlineTools 108 | url = https://github.com/horsicq/XOnlineTools 109 | [submodule "pe/XAboutWidget"] 110 | path = pe/XAboutWidget 111 | url = https://github.com/horsicq/XAboutWidget 112 | [submodule "pe/die_script"] 113 | path = pe/die_script 114 | url = https://github.com/horsicq/die_script 115 | [submodule "pe/hex_templates"] 116 | path = pe/hex_templates 117 | url = https://github.com/horsicq/hex_templates 118 | [submodule "pe/XExtractor"] 119 | path = pe/XExtractor 120 | url = https://github.com/horsicq/XExtractor 121 | [submodule "pe/XExtractorWidget"] 122 | path = pe/XExtractorWidget 123 | url = https://github.com/horsicq/XExtractorWidget 124 | [submodule "pe/XVisualizationWidget"] 125 | path = pe/XVisualizationWidget 126 | url = https://github.com/horsicq/XVisualizationWidget 127 | [submodule "pe/XDecompiler"] 128 | path = pe/XDecompiler 129 | url = https://github.com/horsicq/XDecompiler 130 | [submodule "pe/XYara"] 131 | path = pe/XYara 132 | url = https://github.com/horsicq/XYara 133 | [submodule "pe/yara_widget"] 134 | path = pe/yara_widget 135 | url = https://github.com/horsicq/yara_widget 136 | [submodule "pe/nfd_widget"] 137 | path = pe/nfd_widget 138 | url = https://github.com/horsicq/nfd_widget 139 | [submodule "pe/die_widget"] 140 | path = pe/die_widget 141 | url = https://github.com/horsicq/die_widget 142 | [submodule "pe/Detect-It-Easy"] 143 | path = pe/Detect-It-Easy 144 | url = https://github.com/horsicq/Detect-It-Easy 145 | [submodule "pe/XDataConvertorWidget"] 146 | path = pe/XDataConvertorWidget 147 | url = https://github.com/horsicq/XDataConvertorWidget 148 | [submodule "pe/XScanEngine"] 149 | path = pe/XScanEngine 150 | url = https://github.com/horsicq/XScanEngine 151 | [submodule "pe/XDisasmCore"] 152 | path = pe/XDisasmCore 153 | url = https://github.com/horsicq/XDisasmCore.git 154 | [submodule "pe/XRegionsWidget"] 155 | path = pe/XRegionsWidget 156 | url = https://github.com/horsicq/XRegionsWidget.git 157 | [submodule "pe/XUpdate"] 158 | path = pe/XUpdate 159 | url = https://github.com/horsicq/XUpdate 160 | [submodule "pe/XGithub"] 161 | path = pe/XGithub 162 | url = https://github.com/horsicq/XGithub 163 | [submodule "pe/XStaticUnpacker"] 164 | path = pe/XStaticUnpacker 165 | url = https://github.com/horsicq/XStaticUnpacker 166 | -------------------------------------------------------------------------------- /pe/pluginsdk/capstone/xcore.h: -------------------------------------------------------------------------------- 1 | #ifndef CAPSTONE_XCORE_H 2 | #define CAPSTONE_XCORE_H 3 | 4 | /* Capstone Disassembly Engine */ 5 | /* By Nguyen Anh Quynh , 2014-2015 */ 6 | 7 | #ifdef __cplusplus 8 | extern "C" { 9 | #endif 10 | 11 | #include "platform.h" 12 | 13 | #ifdef _MSC_VER 14 | #pragma warning(disable:4201) 15 | #endif 16 | 17 | //> Operand type for instruction's operands 18 | typedef enum xcore_op_type 19 | { 20 | XCORE_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized). 21 | XCORE_OP_REG, // = CS_OP_REG (Register operand). 22 | XCORE_OP_IMM, // = CS_OP_IMM (Immediate operand). 23 | XCORE_OP_MEM, // = CS_OP_MEM (Memory operand). 24 | } xcore_op_type; 25 | 26 | //> XCore registers 27 | typedef enum xcore_reg 28 | { 29 | XCORE_REG_INVALID = 0, 30 | 31 | XCORE_REG_CP, 32 | XCORE_REG_DP, 33 | XCORE_REG_LR, 34 | XCORE_REG_SP, 35 | XCORE_REG_R0, 36 | XCORE_REG_R1, 37 | XCORE_REG_R2, 38 | XCORE_REG_R3, 39 | XCORE_REG_R4, 40 | XCORE_REG_R5, 41 | XCORE_REG_R6, 42 | XCORE_REG_R7, 43 | XCORE_REG_R8, 44 | XCORE_REG_R9, 45 | XCORE_REG_R10, 46 | XCORE_REG_R11, 47 | 48 | //> pseudo registers 49 | XCORE_REG_PC, // pc 50 | 51 | // internal thread registers 52 | // see The-XMOS-XS1-Architecture(X7879A).pdf 53 | XCORE_REG_SCP, // save pc 54 | XCORE_REG_SSR, // save status 55 | XCORE_REG_ET, // exception type 56 | XCORE_REG_ED, // exception data 57 | XCORE_REG_SED, // save exception data 58 | XCORE_REG_KEP, // kernel entry pointer 59 | XCORE_REG_KSP, // kernel stack pointer 60 | XCORE_REG_ID, // thread ID 61 | 62 | XCORE_REG_ENDING, // <-- mark the end of the list of registers 63 | } xcore_reg; 64 | 65 | // Instruction's operand referring to memory 66 | // This is associated with XCORE_OP_MEM operand type above 67 | typedef struct xcore_op_mem 68 | { 69 | uint8_t base; // base register, can be safely interpreted as 70 | // a value of type `xcore_reg`, but it is only 71 | // one byte wide 72 | uint8_t index; // index register, same conditions apply here 73 | int32_t disp; // displacement/offset value 74 | int direct; // +1: forward, -1: backward 75 | } xcore_op_mem; 76 | 77 | // Instruction operand 78 | typedef struct cs_xcore_op 79 | { 80 | xcore_op_type type; // operand type 81 | union 82 | { 83 | xcore_reg reg; // register value for REG operand 84 | int32_t imm; // immediate value for IMM operand 85 | xcore_op_mem mem; // base/disp value for MEM operand 86 | }; 87 | } cs_xcore_op; 88 | 89 | // Instruction structure 90 | typedef struct cs_xcore 91 | { 92 | // Number of operands of this instruction, 93 | // or 0 when instruction has no operand. 94 | uint8_t op_count; 95 | cs_xcore_op operands[8]; // operands for this instruction. 96 | } cs_xcore; 97 | 98 | //> XCore instruction 99 | typedef enum xcore_insn 100 | { 101 | XCORE_INS_INVALID = 0, 102 | 103 | XCORE_INS_ADD, 104 | XCORE_INS_ANDNOT, 105 | XCORE_INS_AND, 106 | XCORE_INS_ASHR, 107 | XCORE_INS_BAU, 108 | XCORE_INS_BITREV, 109 | XCORE_INS_BLA, 110 | XCORE_INS_BLAT, 111 | XCORE_INS_BL, 112 | XCORE_INS_BF, 113 | XCORE_INS_BT, 114 | XCORE_INS_BU, 115 | XCORE_INS_BRU, 116 | XCORE_INS_BYTEREV, 117 | XCORE_INS_CHKCT, 118 | XCORE_INS_CLRE, 119 | XCORE_INS_CLRPT, 120 | XCORE_INS_CLRSR, 121 | XCORE_INS_CLZ, 122 | XCORE_INS_CRC8, 123 | XCORE_INS_CRC32, 124 | XCORE_INS_DCALL, 125 | XCORE_INS_DENTSP, 126 | XCORE_INS_DGETREG, 127 | XCORE_INS_DIVS, 128 | XCORE_INS_DIVU, 129 | XCORE_INS_DRESTSP, 130 | XCORE_INS_DRET, 131 | XCORE_INS_ECALLF, 132 | XCORE_INS_ECALLT, 133 | XCORE_INS_EDU, 134 | XCORE_INS_EEF, 135 | XCORE_INS_EET, 136 | XCORE_INS_EEU, 137 | XCORE_INS_ENDIN, 138 | XCORE_INS_ENTSP, 139 | XCORE_INS_EQ, 140 | XCORE_INS_EXTDP, 141 | XCORE_INS_EXTSP, 142 | XCORE_INS_FREER, 143 | XCORE_INS_FREET, 144 | XCORE_INS_GETD, 145 | XCORE_INS_GET, 146 | XCORE_INS_GETN, 147 | XCORE_INS_GETR, 148 | XCORE_INS_GETSR, 149 | XCORE_INS_GETST, 150 | XCORE_INS_GETTS, 151 | XCORE_INS_INCT, 152 | XCORE_INS_INIT, 153 | XCORE_INS_INPW, 154 | XCORE_INS_INSHR, 155 | XCORE_INS_INT, 156 | XCORE_INS_IN, 157 | XCORE_INS_KCALL, 158 | XCORE_INS_KENTSP, 159 | XCORE_INS_KRESTSP, 160 | XCORE_INS_KRET, 161 | XCORE_INS_LADD, 162 | XCORE_INS_LD16S, 163 | XCORE_INS_LD8U, 164 | XCORE_INS_LDA16, 165 | XCORE_INS_LDAP, 166 | XCORE_INS_LDAW, 167 | XCORE_INS_LDC, 168 | XCORE_INS_LDW, 169 | XCORE_INS_LDIVU, 170 | XCORE_INS_LMUL, 171 | XCORE_INS_LSS, 172 | XCORE_INS_LSUB, 173 | XCORE_INS_LSU, 174 | XCORE_INS_MACCS, 175 | XCORE_INS_MACCU, 176 | XCORE_INS_MJOIN, 177 | XCORE_INS_MKMSK, 178 | XCORE_INS_MSYNC, 179 | XCORE_INS_MUL, 180 | XCORE_INS_NEG, 181 | XCORE_INS_NOT, 182 | XCORE_INS_OR, 183 | XCORE_INS_OUTCT, 184 | XCORE_INS_OUTPW, 185 | XCORE_INS_OUTSHR, 186 | XCORE_INS_OUTT, 187 | XCORE_INS_OUT, 188 | XCORE_INS_PEEK, 189 | XCORE_INS_REMS, 190 | XCORE_INS_REMU, 191 | XCORE_INS_RETSP, 192 | XCORE_INS_SETCLK, 193 | XCORE_INS_SET, 194 | XCORE_INS_SETC, 195 | XCORE_INS_SETD, 196 | XCORE_INS_SETEV, 197 | XCORE_INS_SETN, 198 | XCORE_INS_SETPSC, 199 | XCORE_INS_SETPT, 200 | XCORE_INS_SETRDY, 201 | XCORE_INS_SETSR, 202 | XCORE_INS_SETTW, 203 | XCORE_INS_SETV, 204 | XCORE_INS_SEXT, 205 | XCORE_INS_SHL, 206 | XCORE_INS_SHR, 207 | XCORE_INS_SSYNC, 208 | XCORE_INS_ST16, 209 | XCORE_INS_ST8, 210 | XCORE_INS_STW, 211 | XCORE_INS_SUB, 212 | XCORE_INS_SYNCR, 213 | XCORE_INS_TESTCT, 214 | XCORE_INS_TESTLCL, 215 | XCORE_INS_TESTWCT, 216 | XCORE_INS_TSETMR, 217 | XCORE_INS_START, 218 | XCORE_INS_WAITEF, 219 | XCORE_INS_WAITET, 220 | XCORE_INS_WAITEU, 221 | XCORE_INS_XOR, 222 | XCORE_INS_ZEXT, 223 | 224 | XCORE_INS_ENDING, // <-- mark the end of the list of instructions 225 | } xcore_insn; 226 | 227 | //> Group of XCore instructions 228 | typedef enum xcore_insn_group 229 | { 230 | XCORE_GRP_INVALID = 0, // = CS_GRP_INVALID 231 | 232 | //> Generic groups 233 | // all jump instructions (conditional+direct+indirect jumps) 234 | XCORE_GRP_JUMP, // = CS_GRP_JUMP 235 | 236 | XCORE_GRP_ENDING, // <-- mark the end of the list of groups 237 | } xcore_insn_group; 238 | 239 | #ifdef __cplusplus 240 | } 241 | #endif 242 | 243 | #endif 244 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/compiler.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_COMPILER_H 31 | #define YR_COMPILER_H 32 | 33 | #include 34 | #include 35 | 36 | #include "ahocorasick.h" 37 | #include "arena.h" 38 | #include "hash.h" 39 | #include "utils.h" 40 | 41 | 42 | #define YARA_ERROR_LEVEL_ERROR 0 43 | #define YARA_ERROR_LEVEL_WARNING 1 44 | 45 | 46 | typedef void (*YR_COMPILER_CALLBACK_FUNC)( 47 | int error_level, 48 | const char* file_name, 49 | int line_number, 50 | const char* message, 51 | void* user_data); 52 | 53 | 54 | typedef struct _YR_FIXUP 55 | { 56 | int64_t* address; 57 | struct _YR_FIXUP* next; 58 | 59 | } YR_FIXUP; 60 | 61 | 62 | typedef struct _YR_COMPILER 63 | { 64 | int errors; 65 | int error_line; 66 | int last_error; 67 | int last_error_line; 68 | int last_result; 69 | 70 | jmp_buf error_recovery; 71 | 72 | YR_ARENA* sz_arena; 73 | YR_ARENA* rules_arena; 74 | YR_ARENA* strings_arena; 75 | YR_ARENA* code_arena; 76 | YR_ARENA* re_code_arena; 77 | YR_ARENA* compiled_rules_arena; 78 | YR_ARENA* externals_arena; 79 | YR_ARENA* namespaces_arena; 80 | YR_ARENA* metas_arena; 81 | YR_ARENA* matches_arena; 82 | YR_ARENA* automaton_arena; 83 | 84 | YR_AC_AUTOMATON* automaton; 85 | YR_HASH_TABLE* rules_table; 86 | YR_HASH_TABLE* objects_table; 87 | YR_HASH_TABLE* strings_table; 88 | YR_NAMESPACE* current_namespace; 89 | YR_RULE* current_rule; 90 | 91 | YR_FIXUP* fixup_stack_head; 92 | 93 | int namespaces_count; 94 | 95 | uint8_t* loop_address[MAX_LOOP_NESTING]; 96 | char* loop_identifier[MAX_LOOP_NESTING]; 97 | int loop_depth; 98 | int loop_for_of_mem_offset; 99 | 100 | int allow_includes; 101 | 102 | char* file_name_stack[MAX_INCLUDE_DEPTH]; 103 | int file_name_stack_ptr; 104 | 105 | FILE* file_stack[MAX_INCLUDE_DEPTH]; 106 | int file_stack_ptr; 107 | 108 | char last_error_extra_info[MAX_COMPILER_ERROR_EXTRA_INFO]; 109 | 110 | char lex_buf[LEX_BUF_SIZE]; 111 | char* lex_buf_ptr; 112 | unsigned short lex_buf_len; 113 | 114 | char include_base_dir[MAX_PATH]; 115 | void* user_data; 116 | 117 | YR_COMPILER_CALLBACK_FUNC callback; 118 | 119 | } YR_COMPILER; 120 | 121 | 122 | #define yr_compiler_set_error_extra_info(compiler, info) \ 123 | strlcpy( \ 124 | compiler->last_error_extra_info, \ 125 | info, \ 126 | sizeof(compiler->last_error_extra_info)); \ 127 | 128 | 129 | #define yr_compiler_set_error_extra_info_fmt(compiler, fmt, ...) \ 130 | snprintf( \ 131 | compiler->last_error_extra_info, \ 132 | sizeof(compiler->last_error_extra_info), \ 133 | fmt, __VA_ARGS__); 134 | 135 | 136 | int _yr_compiler_push_file( 137 | YR_COMPILER* compiler, 138 | FILE* fh); 139 | 140 | 141 | FILE* _yr_compiler_pop_file( 142 | YR_COMPILER* compiler); 143 | 144 | 145 | int _yr_compiler_push_file_name( 146 | YR_COMPILER* compiler, 147 | const char* file_name); 148 | 149 | 150 | void _yr_compiler_pop_file_name( 151 | YR_COMPILER* compiler); 152 | 153 | 154 | YR_API int yr_compiler_create( 155 | YR_COMPILER** compiler); 156 | 157 | 158 | YR_API void yr_compiler_destroy( 159 | YR_COMPILER* compiler); 160 | 161 | 162 | YR_API void yr_compiler_set_callback( 163 | YR_COMPILER* compiler, 164 | YR_COMPILER_CALLBACK_FUNC callback, 165 | void* user_data); 166 | 167 | 168 | YR_API int yr_compiler_add_file( 169 | YR_COMPILER* compiler, 170 | FILE* rules_file, 171 | const char* namespace_, 172 | const char* file_name); 173 | 174 | 175 | YR_API int yr_compiler_add_string( 176 | YR_COMPILER* compiler, 177 | const char* rules_string, 178 | const char* namespace_); 179 | 180 | 181 | YR_API char* yr_compiler_get_error_message( 182 | YR_COMPILER* compiler, 183 | char* buffer, 184 | int buffer_size); 185 | 186 | 187 | YR_API char* yr_compiler_get_current_file_name( 188 | YR_COMPILER* context); 189 | 190 | 191 | YR_API int yr_compiler_define_integer_variable( 192 | YR_COMPILER* compiler, 193 | const char* identifier, 194 | int64_t value); 195 | 196 | 197 | YR_API int yr_compiler_define_boolean_variable( 198 | YR_COMPILER* compiler, 199 | const char* identifier, 200 | int value); 201 | 202 | 203 | YR_API int yr_compiler_define_float_variable( 204 | YR_COMPILER* compiler, 205 | const char* identifier, 206 | double value); 207 | 208 | 209 | YR_API int yr_compiler_define_string_variable( 210 | YR_COMPILER* compiler, 211 | const char* identifier, 212 | const char* value); 213 | 214 | 215 | YR_API int yr_compiler_get_rules( 216 | YR_COMPILER* compiler, 217 | YR_RULES** rules); 218 | 219 | 220 | #endif 221 | -------------------------------------------------------------------------------- /pe/pluginsdk/bridgegraph.h: -------------------------------------------------------------------------------- 1 | #ifndef _GRAPH_H 2 | #define _GRAPH_H 3 | 4 | typedef struct 5 | { 6 | duint addr; //virtual address of the instruction 7 | unsigned char data[15]; //instruction bytes 8 | } BridgeCFInstruction; 9 | 10 | typedef struct 11 | { 12 | duint parentGraph; //function of which this node is a part 13 | duint start; //start of the block 14 | duint end; //end of the block (inclusive) 15 | duint brtrue; //destination if condition is true 16 | duint brfalse; //destination if condition is false 17 | duint icount; //number of instructions in node 18 | bool terminal; //node is a RET 19 | bool split; //node is a split (brtrue points to the next node) 20 | bool indirectcall; //node contains indirect calls (call reg, call [reg+X]) 21 | void* userdata; //user data 22 | ListInfo exits; //exits (including brtrue and brfalse, duint) 23 | ListInfo instrs; //block instructions 24 | } BridgeCFNodeList; 25 | 26 | typedef struct 27 | { 28 | duint entryPoint; //graph entry point 29 | void* userdata; //user data 30 | ListInfo nodes; //graph nodes (BridgeCFNodeList) 31 | } BridgeCFGraphList; 32 | 33 | #ifdef __cplusplus 34 | #if _MSC_VER >= 1700 && !defined(NO_CPP11) 35 | 36 | #include 37 | #include 38 | #include 39 | #include 40 | 41 | struct BridgeCFNode 42 | { 43 | duint parentGraph = 0; //function of which this node is a part 44 | duint start = 0; //start of the block 45 | duint end = 0; //end of the block (inclusive) 46 | duint brtrue = 0; //destination if condition is true 47 | duint brfalse = 0; //destination if condition is false 48 | duint icount = 0; //number of instructions in node 49 | bool terminal = false; //node is a RET 50 | bool split = false; //node is a split (brtrue points to the next node) 51 | bool indirectcall = false; //node contains indirect calls (call reg, call [reg+X]) 52 | void* userdata = nullptr; //user data 53 | std::vector exits; //exits (including brtrue and brfalse) 54 | std::vector instrs; //block instructions 55 | 56 | static void Free(const BridgeCFNodeList* nodeList) 57 | { 58 | if(!BridgeList::Free(&nodeList->exits)) 59 | __debugbreak(); 60 | if(!BridgeList::Free(&nodeList->instrs)) 61 | __debugbreak(); 62 | } 63 | 64 | BridgeCFNode() = default; 65 | 66 | BridgeCFNode(const BridgeCFNodeList* nodeList, bool freedata) 67 | { 68 | if(!nodeList) 69 | __debugbreak(); 70 | parentGraph = nodeList->parentGraph; 71 | start = nodeList->start; 72 | end = nodeList->end; 73 | brtrue = nodeList->brtrue; 74 | brfalse = nodeList->brfalse; 75 | icount = nodeList->icount; 76 | terminal = nodeList->terminal; 77 | indirectcall = nodeList->indirectcall; 78 | split = nodeList->split; 79 | userdata = nodeList->userdata; 80 | if(!BridgeList::ToVector(&nodeList->exits, exits, freedata)) 81 | __debugbreak(); 82 | if(!BridgeList::ToVector(&nodeList->instrs, instrs, freedata)) 83 | __debugbreak(); 84 | } 85 | 86 | BridgeCFNode(duint parentGraph, duint start, duint end) 87 | : parentGraph(parentGraph), 88 | start(start), 89 | end(end) 90 | { 91 | } 92 | 93 | BridgeCFNodeList ToNodeList() const 94 | { 95 | BridgeCFNodeList out; 96 | out.parentGraph = parentGraph; 97 | out.start = start; 98 | out.end = end; 99 | out.brtrue = brtrue; 100 | out.brfalse = brfalse; 101 | out.icount = icount; 102 | out.terminal = terminal; 103 | out.indirectcall = indirectcall; 104 | out.split = split; 105 | out.userdata = userdata; 106 | BridgeList::CopyData(&out.exits, exits); 107 | BridgeList::CopyData(&out.instrs, instrs); 108 | return std::move(out); 109 | } 110 | }; 111 | 112 | struct BridgeCFGraph 113 | { 114 | duint entryPoint; //graph entry point 115 | void* userdata; //user data 116 | std::unordered_map nodes; //CFNode.start -> CFNode 117 | std::unordered_map> parents; //CFNode.start -> parents 118 | 119 | static void Free(const BridgeCFGraphList* graphList) 120 | { 121 | if(!graphList || graphList->nodes.size != graphList->nodes.count * sizeof(BridgeCFNodeList)) 122 | __debugbreak(); 123 | auto data = (BridgeCFNodeList*)graphList->nodes.data; 124 | for(int i = 0; i < graphList->nodes.count; i++) 125 | BridgeCFNode::Free(&data[i]); 126 | BridgeFree(data); 127 | } 128 | 129 | explicit BridgeCFGraph(const BridgeCFGraphList* graphList, bool freedata) 130 | { 131 | if(!graphList || graphList->nodes.size != graphList->nodes.count * sizeof(BridgeCFNodeList)) 132 | __debugbreak(); 133 | entryPoint = graphList->entryPoint; 134 | userdata = graphList->userdata; 135 | auto data = (BridgeCFNodeList*)graphList->nodes.data; 136 | for(int i = 0; i < graphList->nodes.count; i++) 137 | AddNode(BridgeCFNode(&data[i], freedata)); 138 | if(freedata && data) 139 | BridgeFree(data); 140 | } 141 | 142 | explicit BridgeCFGraph(duint entryPoint) 143 | : entryPoint(entryPoint), 144 | userdata(nullptr) 145 | { 146 | } 147 | 148 | void AddNode(const BridgeCFNode & node) 149 | { 150 | nodes[node.start] = node; 151 | AddParent(node.start, node.brtrue); 152 | AddParent(node.start, node.brfalse); 153 | } 154 | 155 | void AddParent(duint child, duint parent) 156 | { 157 | if(!child || !parent) 158 | return; 159 | auto found = parents.find(child); 160 | if(found == parents.end()) 161 | { 162 | parents[child] = std::unordered_set(); 163 | parents[child].insert(parent); 164 | } 165 | else 166 | found->second.insert(parent); 167 | } 168 | 169 | BridgeCFGraphList ToGraphList() const 170 | { 171 | BridgeCFGraphList out; 172 | out.entryPoint = entryPoint; 173 | out.userdata = userdata; 174 | std::vector nodeList; 175 | nodeList.reserve(nodes.size()); 176 | for(const auto & nodeIt : nodes) 177 | nodeList.push_back(nodeIt.second.ToNodeList()); 178 | BridgeList::CopyData(&out.nodes, nodeList); 179 | return std::move(out); 180 | } 181 | }; 182 | 183 | #endif //_MSC_VER 184 | #endif //__cplusplus 185 | 186 | #endif //_GRAPH_H -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/exec.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013-2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_EXEC_H 31 | #define YR_EXEC_H 32 | 33 | #include "hash.h" 34 | #include "scan.h" 35 | #include "types.h" 36 | #include "rules.h" 37 | 38 | 39 | #define UNDEFINED 0xFFFABADAFABADAFFLL 40 | #define IS_UNDEFINED(x) ((size_t)(x) == (size_t) UNDEFINED) 41 | 42 | #define OP_ERROR 0 43 | #define OP_HALT 255 44 | 45 | #define OP_AND 1 46 | #define OP_OR 2 47 | #define OP_NOT 3 48 | #define OP_BITWISE_NOT 4 49 | #define OP_BITWISE_AND 5 50 | #define OP_BITWISE_OR 6 51 | #define OP_BITWISE_XOR 7 52 | #define OP_SHL 8 53 | #define OP_SHR 9 54 | #define OP_MOD 10 55 | #define OP_INT_TO_DBL 11 56 | #define OP_STR_TO_BOOL 12 57 | #define OP_PUSH 13 58 | #define OP_POP 14 59 | #define OP_CALL 15 60 | #define OP_OBJ_LOAD 16 61 | #define OP_OBJ_VALUE 17 62 | #define OP_OBJ_FIELD 18 63 | #define OP_INDEX_ARRAY 19 64 | #define OP_COUNT 20 65 | #define OP_LENGTH 21 66 | #define OP_FOUND 22 67 | #define OP_FOUND_AT 23 68 | #define OP_FOUND_IN 24 69 | #define OP_OFFSET 25 70 | #define OP_OF 26 71 | #define OP_PUSH_RULE 27 72 | #define OP_INIT_RULE 28 73 | #define OP_MATCH_RULE 29 74 | #define OP_INCR_M 30 75 | #define OP_CLEAR_M 31 76 | #define OP_ADD_M 32 77 | #define OP_POP_M 33 78 | #define OP_PUSH_M 34 79 | #define OP_SWAPUNDEF 35 80 | #define OP_JNUNDEF 36 81 | #define OP_JLE 37 82 | #define OP_FILESIZE 38 83 | #define OP_ENTRYPOINT 39 84 | #define OP_CONTAINS 40 85 | #define OP_MATCHES 41 86 | #define OP_IMPORT 42 87 | #define OP_LOOKUP_DICT 43 88 | #define OP_JFALSE 44 89 | #define OP_JTRUE 45 90 | 91 | 92 | #define _OP_EQ 0 93 | #define _OP_NEQ 1 94 | #define _OP_LT 2 95 | #define _OP_GT 3 96 | #define _OP_LE 4 97 | #define _OP_GE 5 98 | #define _OP_ADD 6 99 | #define _OP_SUB 7 100 | #define _OP_MUL 8 101 | #define _OP_DIV 9 102 | #define _OP_MINUS 10 103 | 104 | 105 | #define OP_INT_BEGIN 100 106 | #define OP_INT_EQ (OP_INT_BEGIN + _OP_EQ) 107 | #define OP_INT_NEQ (OP_INT_BEGIN + _OP_NEQ) 108 | #define OP_INT_LT (OP_INT_BEGIN + _OP_LT) 109 | #define OP_INT_GT (OP_INT_BEGIN + _OP_GT) 110 | #define OP_INT_LE (OP_INT_BEGIN + _OP_LE) 111 | #define OP_INT_GE (OP_INT_BEGIN + _OP_GE) 112 | #define OP_INT_ADD (OP_INT_BEGIN + _OP_ADD) 113 | #define OP_INT_SUB (OP_INT_BEGIN + _OP_SUB) 114 | #define OP_INT_MUL (OP_INT_BEGIN + _OP_MUL) 115 | #define OP_INT_DIV (OP_INT_BEGIN + _OP_DIV) 116 | #define OP_INT_MINUS (OP_INT_BEGIN + _OP_MINUS) 117 | #define OP_INT_END OP_INT_MINUS 118 | 119 | #define OP_DBL_BEGIN 120 120 | #define OP_DBL_EQ (OP_DBL_BEGIN + _OP_EQ) 121 | #define OP_DBL_NEQ (OP_DBL_BEGIN + _OP_NEQ) 122 | #define OP_DBL_LT (OP_DBL_BEGIN + _OP_LT) 123 | #define OP_DBL_GT (OP_DBL_BEGIN + _OP_GT) 124 | #define OP_DBL_LE (OP_DBL_BEGIN + _OP_LE) 125 | #define OP_DBL_GE (OP_DBL_BEGIN + _OP_GE) 126 | #define OP_DBL_ADD (OP_DBL_BEGIN + _OP_ADD) 127 | #define OP_DBL_SUB (OP_DBL_BEGIN + _OP_SUB) 128 | #define OP_DBL_MUL (OP_DBL_BEGIN + _OP_MUL) 129 | #define OP_DBL_DIV (OP_DBL_BEGIN + _OP_DIV) 130 | #define OP_DBL_MINUS (OP_DBL_BEGIN + _OP_MINUS) 131 | #define OP_DBL_END OP_DBL_MINUS 132 | 133 | #define OP_STR_BEGIN 140 134 | #define OP_STR_EQ (OP_STR_BEGIN + _OP_EQ) 135 | #define OP_STR_NEQ (OP_STR_BEGIN + _OP_NEQ) 136 | #define OP_STR_LT (OP_STR_BEGIN + _OP_LT) 137 | #define OP_STR_GT (OP_STR_BEGIN + _OP_GT) 138 | #define OP_STR_LE (OP_STR_BEGIN + _OP_LE) 139 | #define OP_STR_GE (OP_STR_BEGIN + _OP_GE) 140 | #define OP_STR_END OP_STR_GE 141 | 142 | #define IS_INT_OP(x) ((x) >= OP_INT_BEGIN && (x) <= OP_INT_END) 143 | #define IS_DBL_OP(x) ((x) >= OP_DBL_BEGIN && (x) <= OP_DBL_END) 144 | #define IS_STR_OP(x) ((x) >= OP_STR_BEGIN && (x) <= OP_STR_END) 145 | 146 | #define OP_READ_INT 240 147 | #define OP_INT8 (OP_READ_INT + 0) 148 | #define OP_INT16 (OP_READ_INT + 1) 149 | #define OP_INT32 (OP_READ_INT + 2) 150 | #define OP_UINT8 (OP_READ_INT + 3) 151 | #define OP_UINT16 (OP_READ_INT + 4) 152 | #define OP_UINT32 (OP_READ_INT + 5) 153 | #define OP_INT8BE (OP_READ_INT + 6) 154 | #define OP_INT16BE (OP_READ_INT + 7) 155 | #define OP_INT32BE (OP_READ_INT + 8) 156 | #define OP_UINT8BE (OP_READ_INT + 9) 157 | #define OP_UINT16BE (OP_READ_INT + 10) 158 | #define OP_UINT32BE (OP_READ_INT + 11) 159 | 160 | 161 | #define OPERATION(operator, op1, op2) \ 162 | (IS_UNDEFINED(op1) || IS_UNDEFINED(op2)) ? (UNDEFINED) : (op1 operator op2) 163 | 164 | 165 | #define COMPARISON(operator, op1, op2) \ 166 | (IS_UNDEFINED(op1) || IS_UNDEFINED(op2)) ? (0) : (op1 operator op2) 167 | 168 | 169 | int yr_execute_code( 170 | YR_RULES* rules, 171 | YR_SCAN_CONTEXT* context, 172 | int timeout, 173 | time_t start_time); 174 | 175 | #endif 176 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/re.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_RE_H 31 | #define YR_RE_H 32 | 33 | #include 34 | 35 | #include "arena.h" 36 | #include "sizedstr.h" 37 | 38 | #define RE_NODE_LITERAL 1 39 | #define RE_NODE_MASKED_LITERAL 2 40 | #define RE_NODE_ANY 3 41 | #define RE_NODE_CONCAT 4 42 | #define RE_NODE_ALT 5 43 | #define RE_NODE_RANGE 6 44 | #define RE_NODE_STAR 7 45 | #define RE_NODE_PLUS 8 46 | #define RE_NODE_CLASS 9 47 | #define RE_NODE_WORD_CHAR 10 48 | #define RE_NODE_NON_WORD_CHAR 11 49 | #define RE_NODE_SPACE 12 50 | #define RE_NODE_NON_SPACE 13 51 | #define RE_NODE_DIGIT 14 52 | #define RE_NODE_NON_DIGIT 15 53 | #define RE_NODE_EMPTY 16 54 | #define RE_NODE_ANCHOR_START 17 55 | #define RE_NODE_ANCHOR_END 18 56 | #define RE_NODE_WORD_BOUNDARY 19 57 | #define RE_NODE_NON_WORD_BOUNDARY 20 58 | 59 | 60 | #define RE_OPCODE_ANY 0xA0 61 | #define RE_OPCODE_ANY_EXCEPT_NEW_LINE 0xA1 62 | #define RE_OPCODE_LITERAL 0xA2 63 | #define RE_OPCODE_LITERAL_NO_CASE 0xA3 64 | #define RE_OPCODE_MASKED_LITERAL 0xA4 65 | #define RE_OPCODE_CLASS 0xA5 66 | #define RE_OPCODE_CLASS_NO_CASE 0xA6 67 | #define RE_OPCODE_WORD_CHAR 0xA7 68 | #define RE_OPCODE_NON_WORD_CHAR 0xA8 69 | #define RE_OPCODE_SPACE 0xA9 70 | #define RE_OPCODE_NON_SPACE 0xAA 71 | #define RE_OPCODE_DIGIT 0xAB 72 | #define RE_OPCODE_NON_DIGIT 0xAC 73 | #define RE_OPCODE_MATCH 0xAD 74 | 75 | #define RE_OPCODE_MATCH_AT_END 0xB0 76 | #define RE_OPCODE_MATCH_AT_START 0xB1 77 | #define RE_OPCODE_WORD_BOUNDARY 0xB2 78 | #define RE_OPCODE_NON_WORD_BOUNDARY 0xB3 79 | 80 | #define RE_OPCODE_SPLIT_A 0xC0 81 | #define RE_OPCODE_SPLIT_B 0xC1 82 | #define RE_OPCODE_PUSH 0xC2 83 | #define RE_OPCODE_POP 0xC3 84 | #define RE_OPCODE_JNZ 0xC4 85 | #define RE_OPCODE_JUMP 0xC5 86 | 87 | 88 | #define RE_FLAGS_FAST_HEX_REGEXP 0x02 89 | #define RE_FLAGS_BACKWARDS 0x04 90 | #define RE_FLAGS_EXHAUSTIVE 0x08 91 | #define RE_FLAGS_WIDE 0x10 92 | #define RE_FLAGS_NO_CASE 0x20 93 | #define RE_FLAGS_SCAN 0x40 94 | #define RE_FLAGS_DOT_ALL 0x80 95 | #define RE_FLAGS_NOT_AT_START 0x100 96 | #define RE_FLAGS_GREEDY 0x400 97 | #define RE_FLAGS_UNGREEDY 0x800 98 | 99 | 100 | typedef struct RE RE; 101 | typedef struct RE_NODE RE_NODE; 102 | typedef struct RE_ERROR RE_ERROR; 103 | 104 | typedef uint8_t RE_SPLIT_ID_TYPE; 105 | typedef uint8_t* RE_CODE; 106 | 107 | #define CHAR_IN_CLASS(chr, cls) \ 108 | ((cls)[(chr) / 8] & 1 << ((chr) % 8)) 109 | 110 | 111 | #define IS_WORD_CHAR(chr) \ 112 | (isalnum(chr) || (chr) == '_') 113 | 114 | 115 | struct RE_NODE 116 | { 117 | int type; 118 | 119 | union 120 | { 121 | int value; 122 | int count; 123 | int start; 124 | }; 125 | 126 | union 127 | { 128 | int mask; 129 | int end; 130 | }; 131 | 132 | int greedy; 133 | 134 | uint8_t* class_vector; 135 | 136 | RE_NODE* left; 137 | RE_NODE* right; 138 | 139 | RE_CODE forward_code; 140 | RE_CODE backward_code; 141 | }; 142 | 143 | 144 | struct RE 145 | { 146 | 147 | uint32_t flags; 148 | RE_NODE* root_node; 149 | YR_ARENA* code_arena; 150 | RE_CODE code; 151 | }; 152 | 153 | 154 | struct RE_ERROR 155 | { 156 | 157 | char message[512]; 158 | 159 | }; 160 | 161 | 162 | typedef int RE_MATCH_CALLBACK_FUNC( 163 | uint8_t* match, 164 | int match_length, 165 | int flags, 166 | void* args); 167 | 168 | 169 | int yr_re_create( 170 | RE** re); 171 | 172 | 173 | int yr_re_parse( 174 | const char* re_string, 175 | int flags, 176 | RE** re, 177 | RE_ERROR* error); 178 | 179 | 180 | int yr_re_parse_hex( 181 | const char* hex_string, 182 | int flags, 183 | RE** re, 184 | RE_ERROR* error); 185 | 186 | 187 | int yr_re_compile( 188 | const char* re_string, 189 | int flags, 190 | YR_ARENA* code_arena, 191 | RE** re, 192 | RE_ERROR* error); 193 | 194 | 195 | void yr_re_destroy( 196 | RE* re); 197 | 198 | 199 | void yr_re_print( 200 | RE* re); 201 | 202 | 203 | RE_NODE* yr_re_node_create( 204 | int type, 205 | RE_NODE* left, 206 | RE_NODE* right); 207 | 208 | 209 | void yr_re_node_destroy( 210 | RE_NODE* node); 211 | 212 | 213 | SIZED_STRING* yr_re_extract_literal( 214 | RE* re); 215 | 216 | 217 | int yr_re_contains_dot_star( 218 | RE* re); 219 | 220 | 221 | int yr_re_split_at_chaining_point( 222 | RE* re, 223 | RE** result_re, 224 | RE** remainder_re, 225 | int32_t* min_gap, 226 | int32_t* max_gap); 227 | 228 | 229 | int yr_re_emit_code( 230 | RE* re, 231 | YR_ARENA* arena); 232 | 233 | 234 | int yr_re_exec( 235 | RE_CODE re_code, 236 | uint8_t* input, 237 | size_t input_size, 238 | int flags, 239 | RE_MATCH_CALLBACK_FUNC callback, 240 | void* callback_args); 241 | 242 | 243 | int yr_re_match( 244 | RE_CODE re_code, 245 | const char* target); 246 | 247 | 248 | int yr_re_initialize(void); 249 | 250 | 251 | int yr_re_finalize(void); 252 | 253 | 254 | int yr_re_finalize_thread(void); 255 | 256 | #endif 257 | -------------------------------------------------------------------------------- /pe/pluginsdk/yara/yara/elf.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef _ELF_H 31 | #define _ELF_H 32 | 33 | #include "integers.h" 34 | 35 | 36 | // 32-bit ELF base types 37 | 38 | typedef uint32_t elf32_addr_t; 39 | typedef uint16_t elf32_half_t; 40 | typedef uint32_t elf32_off_t; 41 | typedef uint32_t elf32_word_t; 42 | 43 | // 64-bit ELF base types 44 | 45 | typedef uint64_t elf64_addr_t; 46 | typedef uint16_t elf64_half_t; 47 | typedef uint64_t elf64_off_t; 48 | typedef uint32_t elf64_word_t; 49 | typedef uint64_t elf64_xword_t; 50 | 51 | #define ELF_MAGIC 0x464C457F 52 | 53 | #define ELF_ET_NONE 0x0000 // no type 54 | #define ELF_ET_REL 0x0001 // relocatable 55 | #define ELF_ET_EXEC 0x0002 // executeable 56 | #define ELF_ET_DYN 0x0003 // Shared-Object-File 57 | #define ELF_ET_CORE 0x0004 // Corefile 58 | #define ELF_ET_LOPROC 0xFF00 // Processor-specific 59 | #define ELF_ET_HIPROC 0x00FF // Processor-specific 60 | 61 | #define ELF_EM_NONE 0x0000 // no type 62 | #define ELF_EM_M32 0x0001 // AT&T WE 32100 63 | #define ELF_EM_SPARC 0x0002 // SPARC 64 | #define ELF_EM_386 0x0003 // Intel 80386 65 | #define ELF_EM_68K 0x0004 // Motorola 68000 66 | #define ELF_EM_88K 0x0005 // Motorola 88000 67 | #define ELF_EM_860 0x0007 // Intel 80860 68 | #define ELF_EM_MIPS 0x0008 // MIPS I Architecture 69 | #define ELF_EM_MIPS_RS3_LE 0x000A // MIPS RS3000 Little-endian 70 | #define ELF_EM_PPC 0x0014 // PowerPC 71 | #define ELF_EM_PPC64 0x0015 // 64-bit PowerPC 72 | #define ELF_EM_ARM 0x0028 // ARM 73 | #define ELF_EM_X86_64 0x003E // AMD/Intel x86_64 74 | #define ELF_EM_AARCH64 0x00B7 // 64-bit ARM 75 | 76 | #define ELF_CLASS_NONE 0x0000 77 | #define ELF_CLASS_32 0x0001 // 32bit file 78 | #define ELF_CLASS_64 0x0002 // 64bit file 79 | 80 | #define ELF_DATA_NONE 0x0000 81 | #define ELF_DATA_2LSB 0x0001 82 | #define ELF_DATA_2MSB 0x002 83 | 84 | 85 | #define ELF_SHT_NULL 0 // Section header table entry unused 86 | #define ELF_SHT_PROGBITS 1 // Program data 87 | #define ELF_SHT_SYMTAB 2 // Symbol table 88 | #define ELF_SHT_STRTAB 3 // String table 89 | #define ELF_SHT_RELA 4 // Relocation entries with addends 90 | #define ELF_SHT_HASH 5 // Symbol hash table 91 | #define ELF_SHT_DYNAMIC 6 // Dynamic linking information 92 | #define ELF_SHT_NOTE 7 // Notes 93 | #define ELF_SHT_NOBITS 8 // Program space with no data (bss) 94 | #define ELF_SHT_REL 9 // Relocation entries, no addends 95 | #define ELF_SHT_SHLIB 10 // Reserved 96 | #define ELF_SHT_DYNSYM 11 // Dynamic linker symbol table 97 | #define ELF_SHT_NUM 12 // Number of defined types 98 | 99 | #define ELF_SHF_WRITE 0x1 // Section is writable 100 | #define ELF_SHF_ALLOC 0x2 // Section is present during execution 101 | #define ELF_SHF_EXECINSTR 0x4 // Section contains executable instructions 102 | 103 | #define ELF_SHN_LORESERVE 0xFF00 104 | 105 | #define ELF_PT_NULL 0 // The array element is unused 106 | #define ELF_PT_LOAD 1 // Loadable segment 107 | #define ELF_PT_DYNAMIC 2 // Segment contains dynamic linking info 108 | #define ELF_PT_INTERP 3 // Contains interpreter pathname 109 | #define ELF_PT_NOTE 4 // Location & size of auxiliary info 110 | #define ELF_PT_SHLIB 5 // Reserved, unspecified semantics 111 | #define ELF_PT_PHDR 6 // Location and size of program header table 112 | #define ELF_PT_TLS 7 // Thread-Local Storage 113 | #define ELF_PT_GNU_EH_FRAME 0x6474e550 114 | #define ELF_PT_GNU_STACK 0x6474e551 115 | 116 | #define ELF_PF_X 0x1 // Segment is executable 117 | #define ELF_PF_W 0x2 // Segment is writable 118 | #define ELF_PF_R 0x4 // Segment is readable 119 | 120 | #define ELF_PN_XNUM 0xffff 121 | 122 | #pragma pack(push,1) 123 | 124 | typedef struct 125 | { 126 | uint32_t magic; 127 | uint8_t _class; 128 | uint8_t data; 129 | uint8_t version; 130 | uint8_t pad[8]; 131 | uint8_t nident; 132 | 133 | } elf_ident_t; 134 | 135 | 136 | typedef struct 137 | { 138 | elf_ident_t ident; 139 | elf32_half_t type; 140 | elf32_half_t machine; 141 | elf32_word_t version; 142 | elf32_addr_t entry; 143 | elf32_off_t ph_offset; 144 | elf32_off_t sh_offset; 145 | elf32_word_t flags; 146 | elf32_half_t header_size; 147 | elf32_half_t ph_entry_size; 148 | elf32_half_t ph_entry_count; 149 | elf32_half_t sh_entry_size; 150 | elf32_half_t sh_entry_count; 151 | elf32_half_t sh_str_table_index; 152 | 153 | } elf32_header_t; 154 | 155 | 156 | typedef struct 157 | { 158 | elf_ident_t ident; 159 | elf64_half_t type; 160 | elf64_half_t machine; 161 | elf64_word_t version; 162 | elf64_addr_t entry; 163 | elf64_off_t ph_offset; 164 | elf64_off_t sh_offset; 165 | elf64_word_t flags; 166 | elf64_half_t header_size; 167 | elf64_half_t ph_entry_size; 168 | elf64_half_t ph_entry_count; 169 | elf64_half_t sh_entry_size; 170 | elf64_half_t sh_entry_count; 171 | elf64_half_t sh_str_table_index; 172 | 173 | } elf64_header_t; 174 | 175 | 176 | typedef struct 177 | { 178 | elf32_word_t type; 179 | elf32_off_t offset; 180 | elf32_addr_t virt_addr; 181 | elf32_addr_t phys_addr; 182 | elf32_word_t file_size; 183 | elf32_word_t mem_size; 184 | elf32_word_t flags; 185 | elf32_word_t alignment; 186 | 187 | } elf32_program_header_t; 188 | 189 | 190 | typedef struct 191 | { 192 | elf64_word_t type; 193 | elf64_word_t flags; 194 | elf64_off_t offset; 195 | elf64_addr_t virt_addr; 196 | elf64_addr_t phys_addr; 197 | elf64_xword_t file_size; 198 | elf64_xword_t mem_size; 199 | elf64_xword_t alignment; 200 | 201 | } elf64_program_header_t; 202 | 203 | 204 | typedef struct 205 | { 206 | elf32_word_t name; 207 | elf32_word_t type; 208 | elf32_word_t flags; 209 | elf32_addr_t addr; 210 | elf32_off_t offset; 211 | elf32_word_t size; 212 | elf32_word_t link; 213 | elf32_word_t info; 214 | elf32_word_t align; 215 | elf32_word_t entry_size; 216 | 217 | } elf32_section_header_t; 218 | 219 | 220 | typedef struct 221 | { 222 | elf64_word_t name; 223 | elf64_word_t type; 224 | elf64_xword_t flags; 225 | elf64_addr_t addr; 226 | elf64_off_t offset; 227 | elf64_xword_t size; 228 | elf64_word_t link; 229 | elf64_word_t info; 230 | elf64_xword_t align; 231 | elf64_xword_t entry_size; 232 | 233 | } elf64_section_header_t; 234 | 235 | 236 | #pragma pack(pop) 237 | 238 | #endif 239 | -------------------------------------------------------------------------------- /pe/pluginsdk/lz4/lz4hc.h: -------------------------------------------------------------------------------- 1 | /* 2 | LZ4 HC - High Compression Mode of LZ4 3 | Header File 4 | Copyright (C) 2011-2014, Yann Collet. 5 | BSD 2-Clause License (http://www.opensource.org/licenses/bsd-license.php) 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are 9 | met: 10 | 11 | * Redistributions of source code must retain the above copyright 12 | notice, this list of conditions and the following disclaimer. 13 | * Redistributions in binary form must reproduce the above 14 | copyright notice, this list of conditions and the following disclaimer 15 | in the documentation and/or other materials provided with the 16 | distribution. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 21 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 22 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 23 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 24 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 25 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 26 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 27 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 | 30 | You can contact the author at : 31 | - LZ4 homepage : http://fastcompression.blogspot.com/p/lz4.html 32 | - LZ4 source repository : http://code.google.com/p/lz4/ 33 | */ 34 | #ifndef _LZ4HC_H 35 | #define _LZ4HC_H 36 | 37 | #if defined (__cplusplus) 38 | extern "C" 39 | { 40 | #endif 41 | 42 | 43 | __declspec(dllimport) int LZ4_compressHC(const char* source, char* dest, int inputSize); 44 | /* 45 | LZ4_compressHC : 46 | return : the number of bytes in compressed buffer dest 47 | or 0 if compression fails. 48 | note : destination buffer must be already allocated. 49 | To avoid any problem, size it to handle worst cases situations (input data not compressible) 50 | Worst case size evaluation is provided by function LZ4_compressBound() (see "lz4.h") 51 | */ 52 | 53 | __declspec(dllimport) int LZ4_compressHC_limitedOutput(const char* source, char* dest, int inputSize, int maxOutputSize); 54 | /* 55 | LZ4_compress_limitedOutput() : 56 | Compress 'inputSize' bytes from 'source' into an output buffer 'dest' of maximum size 'maxOutputSize'. 57 | If it cannot achieve it, compression will stop, and result of the function will be zero. 58 | This function never writes outside of provided output buffer. 59 | 60 | inputSize : Max supported value is 1 GB 61 | maxOutputSize : is maximum allowed size into the destination buffer (which must be already allocated) 62 | return : the number of output bytes written in buffer 'dest' 63 | or 0 if compression fails. 64 | */ 65 | 66 | 67 | __declspec(dllimport) int LZ4_compressHC2(const char* source, char* dest, int inputSize, int compressionLevel); 68 | __declspec(dllimport) int LZ4_compressHC2_limitedOutput(const char* source, char* dest, int inputSize, int maxOutputSize, int compressionLevel); 69 | /* 70 | Same functions as above, but with programmable 'compressionLevel'. 71 | Recommended values are between 4 and 9, although any value between 0 and 16 will work. 72 | 'compressionLevel'==0 means use default 'compressionLevel' value. 73 | Values above 16 behave the same as 16. 74 | Equivalent variants exist for all other compression functions below. 75 | */ 76 | 77 | /* Note : 78 | Decompression functions are provided within LZ4 source code (see "lz4.h") (BSD license) 79 | */ 80 | 81 | 82 | /************************************** 83 | Using an external allocation 84 | **************************************/ 85 | __declspec(dllimport) int LZ4_sizeofStateHC(void); 86 | __declspec(dllimport) int LZ4_compressHC_withStateHC(void* state, const char* source, char* dest, int inputSize); 87 | __declspec(dllimport) int LZ4_compressHC_limitedOutput_withStateHC(void* state, const char* source, char* dest, int inputSize, int maxOutputSize); 88 | 89 | __declspec(dllimport) int LZ4_compressHC2_withStateHC(void* state, const char* source, char* dest, int inputSize, int compressionLevel); 90 | __declspec(dllimport) int LZ4_compressHC2_limitedOutput_withStateHC(void* state, const char* source, char* dest, int inputSize, int maxOutputSize, int compressionLevel); 91 | 92 | /* 93 | These functions are provided should you prefer to allocate memory for compression tables with your own allocation methods. 94 | To know how much memory must be allocated for the compression tables, use : 95 | int LZ4_sizeofStateHC(); 96 | 97 | Note that tables must be aligned for pointer (32 or 64 bits), otherwise compression will fail (return code 0). 98 | 99 | The allocated memory can be provided to the compressions functions using 'void* state' parameter. 100 | LZ4_compress_withStateHC() and LZ4_compress_limitedOutput_withStateHC() are equivalent to previously described functions. 101 | They just use the externally allocated memory area instead of allocating their own (on stack, or on heap). 102 | */ 103 | 104 | 105 | /************************************** 106 | Streaming Functions 107 | **************************************/ 108 | __declspec(dllimport) void* LZ4_createHC(const char* inputBuffer); 109 | __declspec(dllimport) int LZ4_compressHC_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize); 110 | __declspec(dllimport) int LZ4_compressHC_limitedOutput_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize, int maxOutputSize); 111 | __declspec(dllimport) char* LZ4_slideInputBufferHC(void* LZ4HC_Data); 112 | __declspec(dllimport) int LZ4_freeHC(void* LZ4HC_Data); 113 | 114 | __declspec(dllimport) int LZ4_compressHC2_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize, int compressionLevel); 115 | __declspec(dllimport) int LZ4_compressHC2_limitedOutput_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize, int maxOutputSize, int compressionLevel); 116 | 117 | /* 118 | These functions allow the compression of dependent blocks, where each block benefits from prior 64 KB within preceding blocks. 119 | In order to achieve this, it is necessary to start creating the LZ4HC Data Structure, thanks to the function : 120 | 121 | void* LZ4_createHC (const char* inputBuffer); 122 | The result of the function is the (void*) pointer on the LZ4HC Data Structure. 123 | This pointer will be needed in all other functions. 124 | If the pointer returned is NULL, then the allocation has failed, and compression must be aborted. 125 | The only parameter 'const char* inputBuffer' must, obviously, point at the beginning of input buffer. 126 | The input buffer must be already allocated, and size at least 192KB. 127 | 'inputBuffer' will also be the 'const char* source' of the first block. 128 | 129 | All blocks are expected to lay next to each other within the input buffer, starting from 'inputBuffer'. 130 | To compress each block, use either LZ4_compressHC_continue() or LZ4_compressHC_limitedOutput_continue(). 131 | Their behavior are identical to LZ4_compressHC() or LZ4_compressHC_limitedOutput(), 132 | but require the LZ4HC Data Structure as their first argument, and check that each block starts right after the previous one. 133 | If next block does not begin immediately after the previous one, the compression will fail (return 0). 134 | 135 | When it's no longer possible to lay the next block after the previous one (not enough space left into input buffer), a call to : 136 | char* LZ4_slideInputBufferHC(void* LZ4HC_Data); 137 | must be performed. It will typically copy the latest 64KB of input at the beginning of input buffer. 138 | Note that, for this function to work properly, minimum size of an input buffer must be 192KB. 139 | ==> The memory position where the next input data block must start is provided as the result of the function. 140 | 141 | Compression can then resume, using LZ4_compressHC_continue() or LZ4_compressHC_limitedOutput_continue(), as usual. 142 | 143 | When compression is completed, a call to LZ4_freeHC() will release the memory used by the LZ4HC Data Structure. 144 | */ 145 | 146 | __declspec(dllimport) int LZ4_sizeofStreamStateHC(void); 147 | __declspec(dllimport) int LZ4_resetStreamStateHC(void* state, const char* inputBuffer); 148 | 149 | /* 150 | These functions achieve the same result as : 151 | void* LZ4_createHC (const char* inputBuffer); 152 | 153 | They are provided here to allow the user program to allocate memory using its own routines. 154 | 155 | To know how much space must be allocated, use LZ4_sizeofStreamStateHC(); 156 | Note also that space must be aligned for pointers (32 or 64 bits). 157 | 158 | Once space is allocated, you must initialize it using : LZ4_resetStreamStateHC(void* state, const char* inputBuffer); 159 | void* state is a pointer to the space allocated. 160 | It must be aligned for pointers (32 or 64 bits), and be large enough. 161 | The parameter 'const char* inputBuffer' must, obviously, point at the beginning of input buffer. 162 | The input buffer must be already allocated, and size at least 192KB. 163 | 'inputBuffer' will also be the 'const char* source' of the first block. 164 | 165 | The same space can be re-used multiple times, just by initializing it each time with LZ4_resetStreamState(). 166 | return value of LZ4_resetStreamStateHC() must be 0 is OK. 167 | Any other value means there was an error (typically, state is not aligned for pointers (32 or 64 bits)). 168 | */ 169 | 170 | 171 | #if defined (__cplusplus) 172 | } 173 | #endif 174 | 175 | #endif //_LZ4HC_H 176 | --------------------------------------------------------------------------------