├── OpenSC └── 0001-Add-fuzzing-infrastructure-to-OpenSC.patch ├── README.md ├── loadlibrary ├── .gdb_history ├── .gitignore ├── LICENSE ├── Makefile ├── README.md ├── cardclient.c ├── coverage │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── blacklist.h │ ├── coverage_parse_min.c │ ├── deepcover.cpp │ ├── genidc.sh │ ├── instrument.c │ ├── instrument.h │ ├── tree.c │ └── tree.h ├── doc │ └── annotatedidb.png ├── engine │ ├── README.md │ └── createmap.idc ├── exports.lst ├── genmapsym.sh ├── include │ ├── engineboot.h │ ├── openscan.h │ ├── rsignal.h │ ├── scanreply.h │ └── streambuffer.h ├── input.apdu ├── intercept │ ├── Makefile │ ├── README │ ├── hook.c │ ├── hook.h │ ├── libdis.h │ └── libdisasm │ │ ├── AUTHORS │ │ ├── INSTALL │ │ ├── LICENSE │ │ ├── Makefile │ │ ├── config.h │ │ ├── ia32_implicit.c │ │ ├── ia32_implicit.h │ │ ├── ia32_insn.c │ │ ├── ia32_insn.h │ │ ├── ia32_invariant.c │ │ ├── ia32_invariant.h │ │ ├── ia32_modrm.c │ │ ├── ia32_modrm.h │ │ ├── ia32_opcode_tables.c │ │ ├── ia32_opcode_tables.h │ │ ├── ia32_operand.c │ │ ├── ia32_operand.h │ │ ├── ia32_reg.c │ │ ├── ia32_reg.h │ │ ├── ia32_settings.c │ │ ├── ia32_settings.h │ │ ├── libdis.h │ │ ├── qword.h │ │ ├── x86_disasm.c │ │ ├── x86_format.c │ │ ├── x86_imm.c │ │ ├── x86_imm.h │ │ ├── x86_insn.c │ │ ├── x86_misc.c │ │ ├── x86_operand_list.c │ │ └── x86_operand_list.h ├── javascript.txt ├── mpclient.c ├── mpscript.c ├── mylogs │ └── .log └── peloader │ ├── LICENSE │ ├── Makefile │ ├── cardmod.h │ ├── codealloc.h │ ├── crt.c │ ├── crt_exports.h │ ├── extra.c │ ├── log.c │ ├── log.h │ ├── ntoskernel.h │ ├── pe_linker.c │ ├── pe_linker.h │ ├── util.c │ ├── util.h │ ├── winapi │ ├── CriticalSection.c │ ├── Crypt.c │ ├── Dbghelp.c │ ├── EncodePointer.c │ ├── Environment.c │ ├── Event.c │ ├── EventTracing.c │ ├── Exception.c │ ├── Fibersapi.c │ ├── Files.c │ ├── GetLastError.c │ ├── GetStartupInfoW.c │ ├── GetStdHandle.c │ ├── GetSystemDirectory.c │ ├── Handle.c │ ├── Heap.c │ ├── InitializeSListHead.c │ ├── IsProcessorFeaturePresent.c │ ├── LoadLibrary.c │ ├── Locale.c │ ├── Memory.c │ ├── Ole.c │ ├── Paths.c │ ├── ProcessThreads.c │ ├── Registry.c │ ├── Security.c │ ├── Strings.c │ ├── SystemTime.c │ ├── TlsAlloc.c │ ├── Version.c │ ├── WinBase.c │ ├── WinTrust.c │ ├── Wincon.c │ ├── Winscard.c │ └── Winuser.c │ ├── winerror.h │ ├── winexports.h │ ├── winnt_types.h │ ├── winstrings.c │ └── winstrings.h ├── scard_override └── scard_override.c └── scard_win ├── MinidriverTest ├── MinidriverTest.sln └── MinidriverTest │ ├── MinidriverTest.cpp │ ├── MinidriverTest.vcxproj │ ├── MinidriverTest.vcxproj.filters │ ├── MinidriverTest.vcxproj.user │ ├── Readme.txt │ ├── cardmod.h │ ├── stdafx.cpp │ ├── stdafx.h │ └── targetver.h └── winscard ├── winscard.sln └── winscard ├── Readme.txt ├── dllmain.cpp ├── stdafx.cpp ├── stdafx.h ├── targetver.h ├── winscard.cpp ├── winscard.def ├── winscard.vcxproj └── winscard.vcxproj.filters /README.md: -------------------------------------------------------------------------------- 1 | Smartcard Driver Fuzzing Tools 2 | ============================== 3 | 4 | This is a collection of several tools that help in fuzzing smartcard 5 | drivers for *nix and windows. As usual for such stuff, it is quite 6 | hackish in some parts and more tested in others :-) 7 | If you have questions or need help, email eric.sesterhenn@x41-dsec.de or 8 | read our blogpost at: 9 | 10 | https://www.x41-dsec.de/lab/blog/smartcards/ 11 | 12 | What is in here? 13 | ---------------- 14 | 15 | /OpenSC/ 16 | 17 | A patch to OpenSC (654ca69c47f98dd6a82b4adc0bb6bb8ead887163) which adds 18 | another reader driver, that retrieves the APDU responses from an external 19 | file. This file can be fed with AFL for efficient fuzzing. 20 | 21 | /scard_override/ 22 | 23 | A Linux library you can preload in order to fuzz smartcard applications, 24 | which use winscard instead of OpenSC. 25 | 26 | /scard_win/ 27 | 28 | A windows library and testcase. The library can be preloaded in front 29 | of your windows smartcard driver. The testcase tries to interact with the 30 | driver. Only rudimentary. 31 | 32 | /loadlibrary/ 33 | 34 | A monkey-patched version of tavisos loadlibrary, which allows to 35 | load certain winscard drivers on linux in order to fuzz them. 36 | -------------------------------------------------------------------------------- /loadlibrary/.gdb_history: -------------------------------------------------------------------------------- 1 | r 2 | n 3 | ni 4 | x/10x 0xf7c3ba48-8 5 | r 6 | n 7 | ni 8 | bt 9 | si 10 | n 11 | n 12 | ni 13 | q 14 | r 15 | q 16 | r 17 | bt 18 | q 19 | r 20 | q 21 | r 22 | q 23 | r 24 | q 25 | r 26 | q 27 | r 28 | q 29 | r 30 | q 31 | r 32 | bt 33 | info registers 34 | b InterlockedIncrement 35 | r 36 | n 37 | n 38 | q 39 | r 40 | q 41 | q 42 | q 43 | q 44 | q 45 | r 46 | q 47 | r 48 | bz 49 | bt 50 | q 51 | r 52 | b FreeEnvironmentStringsW 53 | r 54 | n 55 | ni 56 | x 57 | q 58 | r 59 | q 60 | b FreeEnvironmentStringsW 61 | r 62 | n 63 | ni 64 | x/s %esi 65 | x/s $esi 66 | ni 67 | b 0xf7d107e1 68 | c 69 | q 70 | q 71 | b HeapFree 72 | c 73 | r 74 | n 75 | n 76 | n 77 | ni 78 | bt 79 | q 80 | b FreeEnvironmentStringsW 81 | r 82 | n 83 | ni 84 | q 85 | r 86 | q 87 | b FreeEnvironmentStringsW 88 | r 89 | n 90 | ni 91 | ni 92 | r 93 | n 94 | ni 95 | x/4 $esp 96 | x/4x $esp 97 | ni 98 | x/4x $esp 99 | ni 100 | x/4x $esp 101 | ni 102 | x/4x $esp 103 | b DllMain 104 | si 105 | ni 106 | r 107 | n 108 | ni 109 | r 110 | n 111 | ni 112 | b 0xf7d070d7 113 | b *0xf7d070d7 114 | si 115 | si 116 | ni 117 | si 118 | si 119 | info registers 120 | maintenance info sections 121 | x/10i 0xf7d02f34-20 122 | x/10i 0xf7d02f34 123 | x/10i 0xf7d02f34-10 124 | x/10i 0xf7d02f34-30 125 | x/10i 0xf7d02f34-34 126 | x/10i 0xf7d02f34-35 127 | x/10i 0xf7d02f34-36 128 | x/10i 0xf7d02f34-37 129 | x/10i 0xf7d02f34-38 130 | x/10i 0xf7d02f34-39 131 | b 0xf7d02f0d 132 | b *0xf7d02f0d 133 | x/10x fs:0 134 | x/10x %fs:0 135 | x/10x $fs:0 136 | r 137 | c 138 | info registers 139 | p fs:9 140 | p fs:0 141 | p %fs:0 142 | p $fs:0 143 | p $fs 144 | p %fs 145 | q 146 | q 147 | r 148 | q 149 | r 150 | q 151 | r 152 | q 153 | r 154 | q 155 | q 156 | r 157 | x/10x $eip 158 | q 159 | r 160 | q 161 | r 162 | n 163 | x/10x 0xf7d64f48-8 164 | x/10i 0xf7d64f48-8 165 | x 0xf7d6a0fc 166 | x *0xf7d6a0fc 167 | x/x 0xf7d6a0fc 168 | x/4x 0xf7d6a0fc 169 | x 0x56560da0 170 | q 171 | r 172 | x/10x 0xf7d64f48 173 | x/10x *0xf7d64f48 174 | x/10i 0xf7d64f48 175 | x/10i 0xf7d64f48-6 176 | x/10x 0xf7d6a0fc 177 | x 0x56567c70 178 | p 0x56560da0 179 | x 0x56560da0 180 | q 181 | r 182 | x/10i 0xf7d64f48 183 | x/10i 0xf7d64f48-6 184 | x/10 0xf7d64f48-6 185 | x/10x 0xf7d64f48-6 186 | x/6c 0xf7d64f48-6 187 | x/6b 0xf7d64f48-6 188 | x/6x 0xf7d64f48-6 189 | x/4x 0xf7d64f48-4 190 | x/4x 0xf7d6a0fc 191 | x/4x *0xf7d6a0fc 192 | x/4x 0xf7d6a0fc 193 | x/4x 0xf7d6a0fc+ 194 | q 195 | r 196 | x/i 0xf7d64f48 197 | x/i 0xf7d64f48-6 198 | x/10x 0xf7d6a0fc 199 | q 200 | r 201 | bt 202 | q 203 | q 204 | bt 205 | r 206 | bt 207 | q 208 | r 209 | bt 210 | q 211 | r 212 | p hModule 213 | up 214 | up 215 | up 216 | p hModule 217 | up 218 | p hModule 219 | up 220 | p hModule 221 | x/s hModule 222 | q 223 | r 224 | q 225 | r 226 | q 227 | r 228 | q 229 | r 230 | q 231 | r 232 | q 233 | r 234 | bt 235 | q 236 | r 237 | q 238 | r 239 | bt 240 | x/0xffffcfe0 241 | x/0xffffcfe0 10 242 | x/10 0xffffcfe0 243 | x/10 *0xffffcfe0 244 | r 245 | q 246 | r 247 | q 248 | r 249 | bt 250 | b RegCloseKey 251 | r 252 | n 253 | ni 254 | c 255 | c 256 | q 257 | -------------------------------------------------------------------------------- /loadlibrary/.gitignore: -------------------------------------------------------------------------------- 1 | *.o 2 | *.a 3 | *.sw? 4 | *.dll 5 | *.vdm 6 | *.exe 7 | mpclient 8 | mpscript 9 | -------------------------------------------------------------------------------- /loadlibrary/Makefile: -------------------------------------------------------------------------------- 1 | CFLAGS = -O3 -march=native -ggdb3 -m32 -std=gnu99 -fshort-wchar -Wno-multichar -Iinclude -mstackrealign 2 | #CPPFLAGS=-DNDEBUG -D_GNU_SOURCE -I. -Iintercept -Ipeloader 3 | CPPFLAGS= -D_GNU_SOURCE -I. -Iintercept -Ipeloader 4 | LDFLAGS = $(CFLAGS) -m32 -lm -Wl,--dynamic-list=exports.lst 5 | LDLIBS = intercept/libdisasm.a -Wl,--whole-archive,peloader/libpeloader.a,--no-whole-archive 6 | 7 | .PHONY: clean peloader intercept 8 | 9 | TARGETS=mpclient 10 | 11 | all: $(TARGETS) 12 | -mkdir -p faketemp 13 | 14 | intercept: 15 | make -C intercept all 16 | 17 | peloader: 18 | make -C peloader all 19 | 20 | script.h: javascript.txt 21 | hexdump -v -e '8/1 "%#02x," "\n"' < $^ > $@ 22 | 23 | mpscript.o: script.h 24 | 25 | intercept/hook.o: intercept 26 | 27 | mpclient: mpclient.o intercept/hook.o | peloader 28 | $(CC) $(CFLAGS) $^ -o $@ $(LDLIBS) $(LDFLAGS) 29 | 30 | cardclient: cardclient.o intercept/hook.o | peloader 31 | $(CC) $(CFLAGS) $^ -o $@ $(LDLIBS) $(LDFLAGS) 32 | 33 | # mpscript requires libreadline-dev:i386 34 | mpscript: mpscript.o intercept/hook.o | peloader 35 | $(CC) $(CFLAGS) $^ -o $@ $(LDLIBS) $(LDFLAGS) -lreadline 36 | 37 | clean: 38 | rm -f a.out core *.o core.* vgcore.* gmon.out script.h mpclient mpscript cardclient 39 | make -C intercept clean 40 | make -C peloader clean 41 | rm -rf faketemp 42 | -------------------------------------------------------------------------------- /loadlibrary/coverage/.gitignore: -------------------------------------------------------------------------------- 1 | pin 2 | *.idc 3 | coverage_parse_min 4 | deepcover.so 5 | pin-*-gcc-linux/ 6 | pin-*-gcc-linux.tar.gz 7 | -------------------------------------------------------------------------------- /loadlibrary/coverage/Makefile: -------------------------------------------------------------------------------- 1 | PIN_ROOT = $(CURDIR)/$(wildcard pin-*-gcc-linux) 2 | CONFIG_ROOT = $(PIN_ROOT)/source/tools/Config 3 | PIN = $(PIN_ROOT)/pin 4 | TARGET = ia32 5 | KIT = 1 6 | 7 | include $(PIN_ROOT)/source/tools/Config/makefile.config 8 | 9 | CXXFLAGS = -Wall -O3 -fno-stack-protector -fpermissive -march=native 10 | CFLAGS = -O3 -fomit-frame-pointer -Wall -DNDEBUG -fno-stack-protector -fPIC -march=native 11 | LDFLAGS = -Wl,-O1 -Wl,--as-needed 12 | 13 | # I dont need these default targets 14 | dir: 15 | libs: 16 | objects: 17 | dlls: 18 | apps: 19 | libs: 20 | 21 | tools: deepcover.so 22 | @echo \#!/bin/sh > pin 23 | @echo exec $(PIN_ROOT)/pin \$$\@ >> pin 24 | @chmod +x pin 25 | 26 | OBJS = tree.o deepcover.o instrument.o 27 | 28 | %.o : %.cpp 29 | $(CXX) $(COMP_OBJ) $@ $(CXXFLAGS) $(TOOL_CXXFLAGS) $< 30 | 31 | %.o : %.c 32 | $(CC) $(COMP_OBJ) $@ $(CFLAGS) $(TOOL_CFLAGS) $< 33 | 34 | deepcover.so : $(OBJS) 35 | $(CXX) $(LINK_EXE) $@ $(LDFLAGS) $(TOOL_LDFLAGS) $(OBJS) $(TOOL_LPATHS) $(TOOL_LIBS) -static-libgcc -static-libstdc++ 36 | 37 | coverage_parse_min: coverage_parse_min.c 38 | gcc -std=gnu99 $(CFLAGS) $(LDFLAGS) $(shell pkg-config glib-2.0 --cflags) -o $@ $< $(shell pkg-config glib-2.0 --libs) 39 | 40 | clean: 41 | rm -f *.o deepcover.so core *.core pin *.log blocks.txt coverage.txt summary.txt 42 | rm -f coverage_parse_min 43 | -------------------------------------------------------------------------------- /loadlibrary/coverage/README.md: -------------------------------------------------------------------------------- 1 | # Collecting Basic Block Coverage Data 2 | ## Introduction 3 | 4 | This directory contains a simple pintool for collecting code coverage data, and 5 | tools and scripts for processing that data. These tools can assist with corpus 6 | distillation and anti-corpus auditing. 7 | 8 | In it's simplest mode of operation, this tool simply creates a list of basic 9 | blocks executed from the loaded DLL. 10 | 11 | ``` 12 | $ ./coverage/pin -t coverage/deepcover.so -- ./mpclient eicar.com 13 | main(): Scanning eicar.com... 14 | EngineScanCallback(): Scanning input 15 | EngineScanCallback(): Threat Virus:DOS/EICAR_Test_File identified. 16 | 17 | 18 | ----- COVERAGE ANALYSIS ----- 19 | 58590 Unique Instructions Executed 20 | 10271 Unique Basic Blocks Executed 21 | 3193230 Total Instructions Executed 22 | 590362 Total Basic Blocks Executed 23 | Hottest Basic Block (0x00000000003918e7) 24 | 11731 Executes 25 | 3 Instructions 26 | 27 | $ wc -l coverage.txt 28 | 10271 coverage.txt 29 | ``` 30 | 31 | However, with some simple processing, we can produce annotated IDBs or create a 32 | distilled corpus for fuzzing. 33 | 34 | ![Annotated IDB](https://raw.githubusercontent.com/taviso/loadlibrary/master/doc/annotatedidb.png) 35 | 36 | ## Build 37 | 38 | Download the latest pintool for gcc from the pintool download page, and extract 39 | it in the `coverage` directory. 40 | 41 | * https://software.intel.com/en-us/articles/pintool-downloads 42 | 43 | ``` 44 | $ tar -zxvf pin-3.2-81205-gcc-linux.tar.gz 45 | ``` 46 | 47 | Now type `make`, and the tool should build. 48 | 49 | If you want to do corpus distillation, you can also build the tool 50 | `coverage_parse_min`, note that it requires the `glib-2.0` development package. 51 | 52 | ``` 53 | $ make coverage_parse_min 54 | ``` 55 | 56 | ## Running 57 | 58 | To create a list of all the basic blocks executed, simply do this: 59 | 60 | ``` 61 | $ ./coverage/pin -t coverage/deepcover.so -- ./mpclient eicar.com 62 | main(): Scanning eicar.com... 63 | EngineScanCallback(): Scanning input 64 | EngineScanCallback(): Threat Virus:DOS/EICAR_Test_File identified. 65 | 66 | 67 | ----- COVERAGE ANALYSIS ----- 68 | 58590 Unique Instructions Executed 69 | 10271 Unique Basic Blocks Executed 70 | 3193230 Total Instructions Executed 71 | 590362 Total Basic Blocks Executed 72 | Hottest Basic Block (0x00000000003918e7) 73 | 11731 Executes 74 | 3 Instructions 75 | ``` 76 | 77 | The report is called `coverage.txt` by default, but you can override it by 78 | setting the `COVERAGE_REPORT_FILE` environment variable. 79 | 80 | If you have a directory of testcases you would like to generate coverage 81 | reports for, you can use `xargs` like this: 82 | 83 | ``` 84 | $ ls samples 85 | sample1.exe 86 | sample2.exe 87 | sample3.zip 88 | ... 89 | $ find samples -type f | xargs -t -I{} -P8 -n1 env COVERAGE_REPORT_FILE={}.txt ./coverage/pin -t coverage/deepcover.so -- ./mpclient {} 90 | ``` 91 | 92 | > The `-P` parameter to xargs specifies how many processes you can run in 93 | > parallel. In general, set this to the number of cores you have available. 94 | 95 | ### Corpus Distillation 96 | 97 | If you have a lot of inputs and want to find the minimal set cover for fuzzing, 98 | first generate coverage reports for all your inputs. 99 | 100 | ``` 101 | $ find samples -type f | xargs -t -I{} -P8 -n1 env COVERAGE_REPORT_FILE={}.txt ./coverage/pin -t coverage/deepcover.so -- ./mpclient {} 102 | ``` 103 | 104 | Now build the tool `coverage_parse_min` 105 | 106 | ``` 107 | $ make -C coverage coverage_parse_min 108 | ``` 109 | 110 | Now you can find a distilled corpus like this: 111 | 112 | ``` 113 | $ grep -H ^ samples/*.txt | awk -F: '{print $2FS$1}' | ./coverage_parse_min | cut -d: -f2 | sort -u 114 | ``` 115 | 116 | ### Anticorpus Auditing 117 | 118 | The "anticorpus" auditing technique is a simple idea, but nevertheless 119 | experience suggests it can be effective on fuzz-clean software. The idea is to 120 | build coverage data, then hilight codepaths that fuzzing isn't reaching. 121 | 122 | A simple script to produce annotated idbs is included, generate coverage 123 | reports for your inputs as above. 124 | 125 | ``` 126 | $ grep -H ^ *.txt | awk -F: '{print $2FS$1}' | ./coverage_parse_min | sed -e 's#:.*/#:#g' -e 's/.txt$//' > minimal.txt 127 | $ bash genidc.sh minimal.txt > coverage.idc 128 | ``` 129 | 130 | Now you can load this file in IDA with `File->Script File...`. 131 | 132 | ## Notes 133 | 134 | * The pintool only starts collecting coverage data once you've called `InstrumentationCallback()`. 135 | * You can blacklist blocks you don't want instrumented by listing them in `blacklist.h`. 136 | 137 | ## License 138 | 139 | GPL2 140 | 141 | -------------------------------------------------------------------------------- /loadlibrary/coverage/blacklist.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x41sec/x41-smartcard-fuzzing/e7506e0280187b7c2da69fa24fee7d655b5dbb94/loadlibrary/coverage/blacklist.h -------------------------------------------------------------------------------- /loadlibrary/coverage/coverage_parse_min.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | // This utility will try to parse coverage logs of the form : and 7 | // output a minimal set cover. 8 | // 9 | // The algorithm works like this: 10 | // 11 | // Parse all of the input into a hashtable, such that T[H(input)] is a linked 12 | // list of blocks that it touches. The input can be in any order, we will 13 | // always handle it correctly (sorting very large input first is too slow). 14 | // This is just so we can find out which input handles which blocks. 15 | // 16 | // Create an array of all the inputs we've seen, then sort it by size of the 17 | // block list. 18 | // 19 | // Unpack the array into a balanced binary tree, such that lookup(block) == 20 | // input, overwriting each node with the new address. 21 | // 22 | // 23 | // So we effectively end up with: 24 | // 25 | // [0 input1] [0 input2] 26 | // [1 input1] [1 input1] 27 | // [2 input1] -> [2 input1] 28 | // [3 input1] [3 input1] 29 | // [4 input1] [4 input1] 30 | // [5 input2] 31 | // 32 | // etc, etc, until we have an approximate minimal set of inputs. 33 | // 34 | // gcc -std=gnu99 -O2 $(pkg-config glib-2.0 --cflags) $(pkg-config glib-2.0 --libs) -o coverage_parse_min coverage_parse_min.c $(pkg-config glib-2.0 --libs) 35 | // 36 | // 37 | // Input is expected to be bbaddress:filename, example: 38 | // 39 | // 0x123123:file1.txt 40 | // 0x232323:file2.txt 41 | // 42 | // Tavis Ormandy. 43 | 44 | typedef struct { 45 | gchar *input; 46 | GArray *blocks; 47 | } coverage_t; 48 | 49 | static gint block_size_compare(gconstpointer a, gconstpointer b) 50 | { 51 | coverage_t * const *x = a, * const *y = b; 52 | 53 | return (*x)->blocks->len - (*y)->blocks->len; 54 | } 55 | 56 | static gint address_compare(gconstpointer a, gconstpointer b, gpointer user) 57 | { 58 | return GPOINTER_TO_SIZE(a) - GPOINTER_TO_SIZE(b); 59 | } 60 | 61 | static gboolean dump_minimised_tree(gpointer key, gpointer value, gpointer data) 62 | { 63 | g_print("%#010x:%s", GPOINTER_TO_SIZE(key), value); 64 | return false; 65 | } 66 | 67 | static void free_coverage_data(gpointer data) 68 | { 69 | coverage_t *d = data; 70 | g_array_free(d->blocks, true); 71 | g_free(d->input); 72 | g_free(d); 73 | } 74 | 75 | int main(int argc, char **argv) 76 | { 77 | guint lines = 0; 78 | gchar *lineptr = NULL; 79 | gsize linelen = 0; 80 | GHashTable *index = g_hash_table_new(g_str_hash, g_str_equal); 81 | GPtrArray *coverage = g_ptr_array_new_with_free_func(free_coverage_data); 82 | GTree *tree = g_tree_new_full(address_compare, 83 | NULL, 84 | NULL, 85 | NULL); 86 | 87 | while (getline(&lineptr, &linelen, stdin) != -1) { 88 | gchar **input = g_strsplit(lineptr, ":", 2); 89 | gchar *endchar = NULL; 90 | guintptr value = g_ascii_strtoull(input[0], &endchar, 16); 91 | coverage_t *data = g_hash_table_lookup(index, input[1]); 92 | 93 | // Check it parsed okay. 94 | if (value == 0 || *endchar != '\0') { 95 | g_warning("dropped illegal record line %s", lineptr); 96 | g_strfreev(input); 97 | continue; 98 | } 99 | 100 | // Search for input[1] in the coverage array by checking if we have it 101 | // in the hash table. 102 | if (data == NULL) { 103 | // Not found, so add this input to the array. 104 | data = g_new0(coverage_t, 1); 105 | data->input = g_strdup(input[1]); 106 | data->blocks = g_array_new(false, true, sizeof(guintptr)); 107 | 108 | // And add this block we've just seen. 109 | g_array_append_val(data->blocks, value); 110 | 111 | // Record this new input. 112 | g_ptr_array_add(coverage, data); 113 | 114 | // And index it for fast lookup 115 | g_hash_table_insert(index, input[1], data); 116 | } else { 117 | // Match found, this input already has a record, just add the 118 | // block to it's array and continue. 119 | g_array_append_val(data->blocks, value); 120 | } 121 | 122 | // Clear the input line. 123 | g_strfreev(input); 124 | 125 | // Record lines parsed. 126 | lines++; 127 | } 128 | 129 | g_message("completed parsing %u unique input values in %u lines", coverage->len + 1, lines); 130 | 131 | // Now sort array based on blocks size. 132 | g_ptr_array_sort(coverage, block_size_compare); 133 | 134 | // Now insert into a binary tree, which replaces the associative shell 135 | // array I used to use, but has essentially the same effect. 136 | for (guint i = 0; i < coverage->len; i++) { 137 | coverage_t *data = g_ptr_array_index(coverage, i); 138 | 139 | for (guint j = 0; j < data->blocks->len; j++) { 140 | g_tree_replace(tree, GSIZE_TO_POINTER(g_array_index(data->blocks, guintptr, j)), data->input); 141 | } 142 | } 143 | 144 | // Now dump the tree. 145 | g_tree_foreach(tree, dump_minimised_tree, NULL); 146 | 147 | g_hash_table_destroy(index); 148 | g_ptr_array_free(coverage, true); 149 | g_tree_destroy(tree); 150 | free(lineptr); 151 | return 0; 152 | } 153 | -------------------------------------------------------------------------------- /loadlibrary/coverage/deepcover.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include "pin.H" 8 | 9 | extern "C" { 10 | #include "xed-interface.h" 11 | #include "instrument.h" 12 | #include "tree.h" 13 | } 14 | 15 | static uintptr_t blacklist[] = { 16 | #include "blacklist.h" 17 | }; 18 | 19 | 20 | static int compare_block_address(const void *a, const void *b) 21 | { 22 | uintptr_t x = (uintptr_t ) a; 23 | uintptr_t y = *(uintptr_t *) b; 24 | 25 | if (x > y) return +1; 26 | if (x < y) return -1; 27 | 28 | return 0; 29 | } 30 | 31 | ADDRINT TraceImageStart; 32 | ADDRINT TraceImageSize; 33 | 34 | VOID SetImageParameters(ADDRINT ImageStart, ADDRINT ImageSize) 35 | { 36 | TraceImageStart = ImageStart; 37 | TraceImageSize = ImageSize; 38 | } 39 | 40 | // Pin calls this function every time a new basic block is encountered 41 | VOID trace(TRACE trace, VOID *ptr) 42 | { 43 | if (!TraceImageStart) 44 | return; 45 | 46 | // Visit every basic block in the trace 47 | for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { 48 | if (BBL_Address(bbl) < TraceImageStart || BBL_Address(bbl) > TraceImageStart + TraceImageSize) 49 | continue; 50 | 51 | // Check if this block is in our blacklist... 52 | if (bsearch((const void *)(BBL_Address(bbl) - TraceImageStart), 53 | blacklist, 54 | sizeof blacklist / sizeof blacklist[0], 55 | sizeof blacklist[0], 56 | compare_block_address)) { 57 | continue; 58 | } 59 | 60 | // Insert a call in every bbl, passing the address of the basic block 61 | BBL_InsertCall(bbl, IPOINT_ANYWHERE, AFUNPTR(instrument_basic_block), 62 | IARG_FAST_ANALYSIS_CALL, 63 | IARG_ADDRINT, BBL_Address(bbl) - TraceImageStart, 64 | IARG_UINT32, BBL_NumIns(bbl), 65 | IARG_END); 66 | } 67 | } 68 | 69 | VOID loadimage(IMG img, VOID *ptr) 70 | { 71 | RTN Callback = RTN_FindByName(img, "InstrumentationCallback"); 72 | 73 | if (RTN_Valid(Callback)) { 74 | RTN_Open(Callback); 75 | RTN_InsertCall(Callback, IPOINT_BEFORE, (AFUNPTR) SetImageParameters, 76 | IARG_FUNCARG_ENTRYPOINT_VALUE, 0, 77 | IARG_FUNCARG_ENTRYPOINT_VALUE, 1, 78 | IARG_END); 79 | RTN_Close(Callback); 80 | } 81 | } 82 | 83 | int main(int argc, char **argv) 84 | { 85 | // Initialize pin 86 | PIN_Init(argc, argv); 87 | 88 | // Initialize Symbols 89 | PIN_InitSymbols(); 90 | 91 | // Monitor Image loads 92 | IMG_AddInstrumentFunction(loadimage, NULL); 93 | 94 | // Register Instruction to be called to instrument instructions 95 | TRACE_AddInstrumentFunction(trace, NULL); 96 | 97 | // Register Fini to be called when the application exits 98 | PIN_AddFiniFunction(instrument_fini_callback, NULL); 99 | 100 | // Start the program, never returns 101 | PIN_StartProgram(); 102 | 103 | return 0; 104 | } 105 | 106 | -------------------------------------------------------------------------------- /loadlibrary/coverage/genidc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | cat << EOF 4 | #include 5 | #define PAGE_SIZE 0x1000 6 | static main() { 7 | EOF 8 | 9 | # colour functions with coverage differently 10 | cut -d: -f1 ${1} | sed 's/^\(.*\)$/\tSetColor(MinEA()-PAGE_SIZE+\1, 2, 0xECFCB0);/g' 11 | 12 | # colour block start slightly bolder 13 | cut -d: -f1 ${1} | sed 's/^\(.*\)$/\tSetColor(MinEA()-PAGE_SIZE+\1, 1, 0xD3FE32);/g' 14 | 15 | # insert a comment which file hit this block 16 | sed -e 's/^\(.*\):\(.*\)$/\tMakeComm(MinEA()-PAGE_SIZE+\1, "Sample: \2");/g' ${1} 17 | 18 | cat << EOF 19 | Refresh(); 20 | RefreshLists(); 21 | } 22 | EOF 23 | 24 | -------------------------------------------------------------------------------- /loadlibrary/coverage/instrument.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include "xed-interface.h" 11 | #include "tree.h" 12 | 13 | #if defined(TARGET_IA32) && defined(TARGET_LINUX) && !defined(PIN_FAST_ANALYSIS_CALL) 14 | # define PIN_FAST_ANALYSIS_CALL __attribute__((regparm(3))) 15 | #else 16 | # define PIN_FAST_ANALYSIS_CALL 17 | #endif 18 | 19 | static tree_t *blocks; 20 | 21 | typedef struct { 22 | uintptr_t address; // Address of block 23 | size_t size; // Size of block 24 | uint32_t count; // Number of times I've been here 25 | } execution_record_t; 26 | 27 | VOID PIN_FAST_ANALYSIS_CALL instrument_basic_block(ADDRINT address, UINT32 size) 28 | { 29 | static execution_record_t zero, *hblock = &zero; 30 | void **data; 31 | 32 | execution_record_t *record, block = { 33 | .address = address, 34 | .size = size, 35 | .count = 0, 36 | }; 37 | 38 | void __attribute__((constructor)) init() 39 | { 40 | int __attribute__ ((pure)) compare(const void *a, const void *b) 41 | { 42 | const execution_record_t *x = a, *y = b; 43 | return x->address - y->address; 44 | } 45 | 46 | tree_create(&blocks, compare, free); 47 | } 48 | 49 | // Is this a call to my hottest block? 50 | if (hblock->address == address) { 51 | hblock->count++; 52 | return; 53 | } 54 | 55 | // No luck, do a slow btree lookup... 56 | if (tree_find(blocks, &block, &data)) { 57 | record = *data; 58 | } else { 59 | // Create a new record to install 60 | record = malloc(sizeof(execution_record_t)); 61 | memcpy(record, &block, sizeof(execution_record_t)); 62 | tree_add(blocks, record, &data); 63 | } 64 | 65 | // Is this entry now hot? 66 | if (record->count++ >= hblock->count) { 67 | hblock = record; 68 | } 69 | 70 | return; 71 | } 72 | 73 | static const char kCoverageReport[] = "coverage.txt"; 74 | static const char kCoverageVariable[] = "COVERAGE_REPORT_FILE"; 75 | 76 | VOID instrument_fini_callback(INT32 code, VOID *v) 77 | { 78 | unsigned instructions = 0; 79 | unsigned blockcount = 0; 80 | unsigned totalinstructions = 0; 81 | unsigned totalblocks = 0; 82 | const execution_record_t *hblock = NULL; 83 | FILE *output = fopen(getenv(kCoverageVariable) 84 | ? getenv(kCoverageVariable) 85 | : kCoverageReport, "wx"); 86 | 87 | void calculate_block_stats(const void *v) { 88 | const execution_record_t *d = v; 89 | blockcount++; 90 | instructions += d->size; 91 | totalblocks += d->count; 92 | totalinstructions += d->size * d->count; 93 | 94 | if (hblock == NULL || hblock->count < d->count) 95 | hblock = d; 96 | } 97 | 98 | void print_basic_blocks(const void *v) { 99 | register uintptr_t address = ((const execution_record_t *)(v))->address; 100 | fprintf(output, "%#010" PRIxPTR "\n", address); 101 | } 102 | 103 | if (output != NULL) { 104 | tree_walk(blocks, print_basic_blocks); 105 | } 106 | 107 | tree_walk(blocks, calculate_block_stats); 108 | 109 | fprintf(stderr, "\n\n----- COVERAGE ANALYSIS -----\n"); 110 | fprintf(stderr, "\t%10u Unique Instructions Executed\n", instructions); 111 | fprintf(stderr, "\t%10u Unique Basic Blocks Executed\n", blockcount); 112 | fprintf(stderr, "\t%10u Total Instructions Executed\n", totalinstructions); 113 | fprintf(stderr, "\t%10u Total Basic Blocks Executed\n", totalblocks); 114 | 115 | if (hblock) { 116 | fprintf(stderr, "\tHottest Basic Block (%#018" PRIxPTR ")\n", hblock->address); 117 | fprintf(stderr, "\t\t%10u Executes\n", hblock->count); 118 | fprintf(stderr, "\t\t%10u Instructions\n", hblock->size); 119 | } 120 | 121 | tree_destroy(blocks); 122 | 123 | if (output) { 124 | fclose(output); 125 | } 126 | 127 | return; 128 | } 129 | -------------------------------------------------------------------------------- /loadlibrary/coverage/instrument.h: -------------------------------------------------------------------------------- 1 | #ifndef __INSTRUMENT_H 2 | #define __INSTRUMENT_H 3 | VOID instrument_basic_block(ADDRINT address, UINT32 size); 4 | 5 | VOID instrument_repz_cmps_pre(ADDRINT address, ADDRINT count, UINT32 width); 6 | VOID instrument_repz_cmps_post(ADDRINT address, ADDRINT count, UINT32 width); 7 | 8 | VOID instrument_cmp_reg_imm(ADDRINT address, ADDRINT reg, UINT32 imm); 9 | 10 | VOID instrument_fini_callback(INT32 code, VOID *v); 11 | #else 12 | #warning instrument.h multiple inclusion 13 | #endif 14 | -------------------------------------------------------------------------------- /loadlibrary/coverage/tree.c: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _GNU_SOURCE 3 | # define _GNU_SOURCE 4 | #endif 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #include "tree.h" 13 | 14 | // Create a new tree with the specified compare routine 15 | bool tree_create(tree_t **tree, int (*compare)(const void *a, const void *b), void (*free)(void *)) 16 | { 17 | assert(compare); 18 | assert(tree); 19 | 20 | if ((*tree = malloc(sizeof(tree_t)))) { 21 | (*tree)->root = NULL; 22 | (*tree)->compare = compare; 23 | (*tree)->free = free; 24 | return true; 25 | } 26 | 27 | return false; 28 | } 29 | 30 | // Execute function for every node of the tree 31 | bool tree_walk(tree_t *tree, void (*function)(const void *)) 32 | { 33 | assert(function); 34 | assert(tree); 35 | 36 | void action(const void *nodep, const VISIT which, const int depth) 37 | { 38 | const void * const * data = nodep; 39 | switch (which) { 40 | case postorder: 41 | case leaf: 42 | function(*data); 43 | break; 44 | case preorder: 45 | case endorder: 46 | break; 47 | default: 48 | assert(false); 49 | break; 50 | } 51 | return; 52 | } 53 | 54 | twalk(tree->root, action); 55 | return true; 56 | } 57 | 58 | // Add new data item to the tree, set node to either data or an 59 | // existing node such that tree->compare(data, node) returns zero. 60 | bool tree_add(tree_t *tree, const void *data, void ***node) 61 | { 62 | assert(tree); 63 | assert(data); 64 | assert(node); 65 | return !! (*node = tsearch(data, &tree->root, tree->compare)); 66 | } 67 | 68 | // As tree_add, but dont add the item in data. 69 | bool tree_find(tree_t *tree, const void *data, void ***node) 70 | { 71 | assert(tree); 72 | assert(data); 73 | assert(node); 74 | return !! (*node = tfind(data, &tree->root, tree->compare)); 75 | } 76 | 77 | // Clear up a tree. 78 | bool tree_destroy(tree_t *tree) 79 | { 80 | tdestroy(tree->root, tree->free); 81 | free(tree); 82 | return true; 83 | } 84 | -------------------------------------------------------------------------------- /loadlibrary/coverage/tree.h: -------------------------------------------------------------------------------- 1 | #ifndef __TREE_H 2 | #define __TREE_H 3 | 4 | typedef struct { 5 | void *root; 6 | int (*compare)(const void *, const void *); 7 | void (*free)(void *); 8 | } tree_t; 9 | 10 | // Routines for managing the execution record using POSIX binary search trees. 11 | bool tree_create(tree_t **tree, int (*compare)(const void *, const void *), void (*free)(void *)); 12 | bool tree_destroy(tree_t *tree); 13 | bool tree_walk(tree_t *tree, void (*function)(const void *)); 14 | bool tree_add(tree_t *tree, const void *data, void ***node); 15 | bool tree_find(tree_t *tree, const void *data, void ***node); 16 | 17 | #else 18 | #warning tree.h multiple inclusion 19 | #endif 20 | -------------------------------------------------------------------------------- /loadlibrary/doc/annotatedidb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x41sec/x41-smartcard-fuzzing/e7506e0280187b7c2da69fa24fee7d655b5dbb94/loadlibrary/doc/annotatedidb.png -------------------------------------------------------------------------------- /loadlibrary/engine/README.md: -------------------------------------------------------------------------------- 1 | # mpengine 2 | 3 | Download the 32-bit manual antimalware update file from this page: 4 | 5 | * https://www.microsoft.com/security/portal/definitions/adl.aspx#manual 6 | 7 | This should be a direct link: 8 | 9 | * http://go.microsoft.com/fwlink/?LinkID=121721&arch=x86 10 | 11 | This will download a file called mpam-fe.exe, which is a self-extracting 12 | cabinet file that can be extracted with cabextract. Extract the file into the 13 | engine subdirectory: 14 | 15 | ``` 16 | $ cabextract mpam-fe.exe 17 | Extracting cabinet: mpam-fe.exe 18 | extracting MPSigStub.exe 19 | extracting mpavdlta.vdm 20 | extracting mpasdlta.vdm 21 | extracting mpavbase.vdm 22 | extracting mpasbase.vdm 23 | extracting mpengine.dll 24 | 25 | All done, no errors. 26 | ``` 27 | 28 | If you want to know which version you got, try this: 29 | 30 | ``` 31 | $ exiftool mpengine.dll | grep 'Product Version Number' 32 | Product Version Number : 1.1.13701.0 33 | ``` 34 | -------------------------------------------------------------------------------- /loadlibrary/engine/createmap.idc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | static main() 4 | { 5 | auto file; 6 | 7 | // Wait for auto-analysis to complete... 8 | Wait(); 9 | 10 | file = fopen(ARGV[1], "w"); 11 | 12 | // Produce MAP file. 13 | GenerateFile(OFILE_MAP, file, 0, ~0, GENFLG_MAPSEGS | GENFLG_MAPDMNG); 14 | 15 | // Finished. 16 | fclose(file); 17 | Exit(0); 18 | } 19 | -------------------------------------------------------------------------------- /loadlibrary/exports.lst: -------------------------------------------------------------------------------- 1 | { 2 | InstrumentationCallback; 3 | }; 4 | -------------------------------------------------------------------------------- /loadlibrary/genmapsym.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright (C) 2017 Tavis Ormandy 4 | # 5 | # This program is free software; you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation; either version 2 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # This script generates a .o file that can be loaded as a symbol-file in gdb 16 | # from an IDA .map file. This allows you to get symbols into a gdb session 17 | # when you're debugging a windows DLL. 18 | # 19 | # Yes, this is insane. However, it actually works. 20 | # 21 | 22 | awk 'BEGIN { printf ".macro symbol name, address\n.set \\name, \\address\n.func \\name\n.endfunc\n.endm\n" } 23 | 24 | /Publics by Value/,/Program entry point/ { 25 | 26 | if (gsub(/^ ....:/,"'${1}'+0x")) { 27 | gsub(/[\"/^}{\[\]$?:@()><`\'\''|~,=!+&*-]/, "_",$2); 28 | printf "symbol %s,%s\n",$2,$1 29 | } 30 | }' | as -o ${2} -gstabs+ --32 31 | -------------------------------------------------------------------------------- /loadlibrary/include/engineboot.h: -------------------------------------------------------------------------------- 1 | #ifndef __ENGINEBOOT_H 2 | #define __ENGINEBOOT_H 3 | #pragma once 4 | #pragma pack(push, 1) 5 | 6 | #define BOOTENGINE_PARAMS_VERSION 0x8E00 7 | 8 | enum { 9 | BOOT_CACHEENABLED = 1 << 0, 10 | BOOT_NOFILECHANGES = 1 << 3, 11 | BOOT_ENABLECALLISTO = 1 << 6, 12 | BOOT_REALTIMESIGS = 1 << 8, 13 | BOOT_DISABLENOTIFICATION = 1 << 9, 14 | BOOT_CLOUDBHEAVIORBLOCK = 1 << 10, 15 | BOOT_ENABLELOGGING = 1 << 12, 16 | BOOT_ENABLEBETA = 1 << 16, 17 | BOOT_ENABLEIEV = 1 << 17, 18 | BOOT_ENABLEMANAGED = 1 << 19, 19 | }; 20 | 21 | enum { 22 | BOOT_ATTR_NORMAL = 1 << 0, 23 | BOOT_ATTR_ISXBAC = 1 << 2, 24 | }; 25 | 26 | enum { 27 | ENGINE_UNPACK = 1 << 1, 28 | ENGINE_HEURISTICS = 1 << 3, 29 | ENGINE_DISABLETHROTTLING = 1 << 11, 30 | ENGINE_PARANOID = 1 << 12, 31 | ENGINE_DISABLEANTISPYWARE = 1 << 15, 32 | ENGINE_DISABLEANTIVIRUS = 1 << 16, 33 | ENGINE_DISABLENETWORKDRIVES = 1 << 20, 34 | }; 35 | 36 | typedef struct _ENGINE_INFO { 37 | DWORD field_0; 38 | DWORD field_4; // Possibly Signature UNIX time? 39 | DWORD field_8; 40 | DWORD field_C; 41 | } ENGINE_INFO, *PENGINE_INFO; 42 | 43 | typedef struct _ENGINE_CONFIG { 44 | DWORD EngineFlags; 45 | PWCHAR Inclusions; // Example, "*.zip" 46 | PVOID Exceptions; 47 | PWCHAR UnknownString2; 48 | PWCHAR QuarantineLocation; 49 | DWORD field_14; 50 | DWORD field_18; 51 | DWORD field_1C; 52 | DWORD field_20; 53 | DWORD field_24; 54 | DWORD field_28; 55 | DWORD field_2C; // Setting this seems to cause packer to be reported. 56 | DWORD field_30; 57 | DWORD field_34; 58 | PCHAR UnknownAnsiString1; 59 | PCHAR UnknownAnsiString2; 60 | } ENGINE_CONFIG, *PENGINE_CONFIG; 61 | 62 | typedef struct _ENGINE_CONTEXT { 63 | DWORD field_0; 64 | } ENGINE_CONTEXT, *PENGINE_CONTEXT; 65 | 66 | typedef struct _BOOTENGINE_PARAMS { 67 | DWORD ClientVersion; 68 | PWCHAR SignatureLocation; 69 | PVOID SpynetSource; 70 | PENGINE_CONFIG EngineConfig; 71 | PENGINE_INFO EngineInfo; 72 | PWCHAR ScanReportLocation; 73 | DWORD BootFlags; 74 | PWCHAR LocalCopyDirectory; 75 | PWCHAR OfflineTargetOS; 76 | CHAR ProductString[16]; 77 | DWORD field_34; 78 | PVOID GlobalCallback; 79 | PENGINE_CONTEXT EngineContext; 80 | DWORD AvgCpuLoadFactor; 81 | CHAR field_44[16]; 82 | PWCHAR SpynetReportingGUID; 83 | PWCHAR SpynetVersion; 84 | PWCHAR NISEngineVersion; 85 | PWCHAR NISSignatureVersion; 86 | DWORD FlightingEnabled; 87 | DWORD FlightingLevel; 88 | PVOID DynamicConfig; 89 | DWORD AutoSampleSubmission; 90 | DWORD EnableThreatLogging; 91 | PWCHAR ProductName; 92 | DWORD PassiveMode; 93 | DWORD SenseEnabled; 94 | PWCHAR SenseOrgId; 95 | DWORD Attributes; 96 | DWORD BlockAtFirstSeen; 97 | DWORD PUAProtection; 98 | DWORD SideBySidePassiveMode; 99 | } BOOTENGINE_PARAMS, *PBOOTENGINE_PARAMS; 100 | 101 | #pragma pack(pop) 102 | #endif // __ENGINEBOOT_H 103 | -------------------------------------------------------------------------------- /loadlibrary/include/openscan.h: -------------------------------------------------------------------------------- 1 | #ifndef __OPENSCAN_H 2 | #define __OPENSCAN_H 3 | #pragma once 4 | #pragma pack(push, 1) 5 | 6 | #define OPENSCAN_VERSION 0x2C6D 7 | 8 | enum { 9 | SCANSOURCE_NOTASOURCE = 0, 10 | SCANSOURCE_SCHEDULED = 1, 11 | SCANSOURCE_ONDEMAND = 2, 12 | SCANSOURCE_RTP = 3, 13 | SCANSOURCE_IOAV_WEB = 4, 14 | SCANSOURCE_IOAV_FILE = 5, 15 | SCANSOURCE_CLEAN = 6, 16 | SCANSOURCE_UCL = 7, 17 | SCANSOURCE_RTSIG = 8, 18 | SCANSOURCE_SPYNETREQUEST = 9, 19 | SCANSOURCE_INFECTIONRESCAN = 0x0A, 20 | SCANSOURCE_CACHE = 0x0B, 21 | SCANSOURCE_UNK_TELEMETRY = 0x0C, 22 | SCANSOURCE_IEPROTECT = 0x0D, 23 | SCANSOURCE_ELAM = 0x0E, 24 | SCANSOURCE_LOCAL_ATTESTATION = 0x0F, 25 | SCANSOURCE_REMOTE_ATTESTATION = 0x10, 26 | SCANSOURCE_HEARTBEAT = 0x11, 27 | SCANSOURCE_MAINTENANCE = 0x12, 28 | SCANSOURCE_MPUT = 0x13, 29 | SCANSOURCE_AMSI = 0x14, 30 | SCANSOURCE_STARTUP = 0x15, 31 | SCANSOURCE_ADDITIONAL_ACTIONS = 0x16, 32 | SCANSOURCE_AMSI_UAC = 0x17, 33 | SCANSOURCE_GENSTREAM = 0x18, 34 | SCANSOURCE_REPORTLOWFI = 0x19, 35 | SCANSOURCE_REPORTINTERNALDETECTION = 0x19, 36 | SCANSOURCE_SENSE = 0x1A, 37 | SCANSOURCE_XBAC = 0x1B, 38 | }; 39 | 40 | typedef struct _OPENSCAN_PARAMS { 41 | DWORD Version; 42 | DWORD ScanSource; 43 | DWORD Flags; 44 | DWORD field_C; 45 | DWORD field_10; 46 | DWORD field_14; 47 | DWORD field_18; 48 | DWORD field_1C; 49 | GUID ScanID; 50 | DWORD field_30; 51 | DWORD field_34; 52 | DWORD field_38; 53 | DWORD field_3C; 54 | DWORD field_40; 55 | DWORD field_44; 56 | } OPENSCAN_PARAMS, *POPENSCAN_PARAMS; 57 | 58 | #pragma pack(pop) 59 | #endif // __OPENSCAN_H 60 | -------------------------------------------------------------------------------- /loadlibrary/include/rsignal.h: -------------------------------------------------------------------------------- 1 | #ifndef __RSIGNAL_H 2 | #define __RESIGNAL_H 3 | 4 | #define RSIG_BASE 0x4000 5 | #define RSIG_RESERVED1 0x4003 6 | #define RSIG_GETEINFO 0x4004 7 | #define RSIG_VIRINFO 0x4005 8 | #define RSIG_UNLOADENGINE 0x400A 9 | #define RSIG_RESERVED2 0x400B 10 | #define RSIG_SCANFILE_TS_W 0x4014 11 | #define RSIG_SCANPATH_TS_W 0x4015 12 | #define RSIG_RESERVED3 0x4019 13 | #define RSIG_CONFIGURE_NEW_W 0x401A 14 | #define RSIG_RESERVED4 0x401C 15 | #define RSIG_FIW32_CONFIG 0x401D 16 | #define RSIG_SPLIT_VIRNAME 0x401E 17 | #define RSIG_HOOK_API 0x401F 18 | #define RSIG_INIT_ENGINE_CONTEXT 0x4020 19 | #define RSIG_CLEANUP_ENGINE_CONTEXT 0x4021 20 | #define RSIG_SCANFILE_TS_WCONTEXT 0x4023 21 | #define RSIG_SCANPATH_TS_WCONTEXT 0x4024 22 | #define RSIG_VIRINFO_FILTERED 0x4025 23 | #define RSIG_SCAN_OPEN 0x4026 24 | #define RSIG_SCAN_GETEVENT 0x4027 25 | #define RSIG_SCAN_CLOSE 0x4028 26 | #define RSIG_GET_THREAT_INFO 0x4030 27 | #define RSIG_SCANSTREAMW 0x4031 28 | #define RSIG_SCANSTREAMW_WCONTEXT 0x4032 29 | #define RSIG_CHECK_PRIVILEGES 0x4033 30 | #define RSIG_ADJUST_PRIVILEGES 0x4034 31 | #define RSIG_SET_FILECHANGEQUERY 0x4035 32 | #define RSIG_BOOTENGINE 0x4036 33 | #define RSIG_RTP_GETINITDATA 0x4037 34 | #define RSIG_RTP_SETEVENTCALLBACK 0x4038 35 | #define RSIG_RTP_NOTIFYCHANGE 0x4039 36 | #define RSIG_RTP_GETBEHAVIORCONTEXT 0x403A 37 | #define RSIG_RTP_SETBEHAVIORCONTEXT 0x403B 38 | #define RSIG_RTP_FREEBEHAVIORCONTEXT 0x403C 39 | #define RSIG_SCAN_STREAMBUFFER 0x403D 40 | #define RSIG_RTP_STARTBEHAVIORMONITOR 0x403E 41 | #define RSIG_RTP_STOPBEHAVIORMONITOR 0x403F 42 | #define RSIG_GET_SIG_DATA 0x4041 43 | #define RSIG_VALIDATE_FEATURE 0x4042 44 | #define RSIG_SET_CALLBACK 0x4043 45 | #define RSIG_OBFUSCATE_DATA 0x4044 46 | #define RSIG_DROP_BMDATA 0x4045 47 | #define RSIG_SCANEXTRACT 0x4046 48 | #define RSIG_CHANGE_SETTINGS 0x4047 49 | #define RSIG_RTSIG_DATA 0x4048 50 | #define RSIG_SYSTEM_REBOOT 0x4049 51 | #define RSIG_REVOKE_QUERY 0x4050 52 | #define RSIG_CHECK_EXCLUSIONS 0x4051 53 | #define RSIG_COMPLETE_INITIALIZATION 0x4052 54 | #define RSIG_STATE_CHANGE 0x4053 55 | #define RSIG_SEND_CALLISTO_TELEMETRY 0x4054 56 | #define RSIG_DYNAMIC_CONFIG 0x4055 57 | #define RSIG_SEND_EARLY_BOOT_DATA 0x4056 58 | #define RSIG_SCAN_TCG_LOG 0x4057 59 | #define RSIG_CANCEL_ENGINE_LOAD 0x4058 60 | #define RSIG_SQM_CONFIG 0x4059 61 | #define RSIG_SERVICE_NOTIFICATION 0x405A 62 | #define RSIG_SCAN_TCG_LOG_EX 0x405B 63 | #define RSIG_FREE_TCG_EXTENDED_DATA 0x405C 64 | #define RSIG_NOTIFY_MAINTENANCE_WINDOW_STATE 0x405D 65 | #define RSIG_SEND_REMOTE_ATTESTATION_DATA 0x405E 66 | #define RSIG_SUSPICIOUS_SCAN 0x405F 67 | #define RSIG_ON_CLOUD_COMPLETION 0x4060 68 | #define RSIG_CONTROL_SPLI 0x4061 69 | #define RSIG_THREAT_UPDATE_STATUS 0x4062 70 | #define RSIG_VERIFY_MACHINE_GUID 0x4063 71 | #define RSIG_NRI_UPDATE_STATE 0x4064 72 | #define RSIG_TPM_CONFIG 0x4065 73 | #define RSIG_GET_RESOURCE_INFO 0x4066 74 | #define RSIG_GET_ASYNC_QUEUE_LENGTH 0x4067 75 | #define RSIG_RTP_IMAGENAME_CONFIG 0x4068 76 | #define RSIG_SET_CUSTOM_SET_ID 0x4069 77 | #define RSIG_CONFIGURE_ROLES 0x4070 78 | #define RSIG_HOOK_WOW 0x4071 79 | #define RSIG_AMSI_SESSION_END 0x4072 80 | #define RSIG_RESOURCE_CONTEXT_CONSOLIDATION 0x4073 81 | 82 | #endif 83 | -------------------------------------------------------------------------------- /loadlibrary/include/scanreply.h: -------------------------------------------------------------------------------- 1 | #ifndef __SCANREPLY_H 2 | #define __SCANREPLY_H 3 | #pragma once 4 | #pragma pack(push, 1) 5 | 6 | // These are just guesses based on observed behaviour. 7 | enum { 8 | SCAN_FILENAME = 1 << 8, 9 | SCAN_ENCRYPTED = 1 << 6, 10 | SCAN_MEMBERNAME = 1 << 7, 11 | SCAN_FILETYPE = 1 << 9, 12 | SCAN_TOPLEVEL = 1 << 18, 13 | SCAN_PACKERSTART = 1 << 19, 14 | SCAN_PACKEREND = 1 << 12, 15 | SCAN_ISARCHIVE = 1 << 16, 16 | SCAN_VIRUSFOUND = 1 << 27, 17 | SCAN_CORRUPT = 1 << 13, 18 | SCAN_UNKNOWN = 1 << 15, // I dunno what this means 19 | }; 20 | 21 | typedef struct _SCANSTRUCT { 22 | DWORD field_0; 23 | DWORD Flags; 24 | PCHAR FileName; 25 | CHAR VirusName[28]; 26 | DWORD field_28; 27 | DWORD field_2C; 28 | DWORD field_30; 29 | DWORD field_34; 30 | DWORD field_38; 31 | DWORD field_3C; 32 | DWORD field_40; 33 | DWORD field_44; 34 | DWORD field_48; 35 | DWORD field_4C; 36 | DWORD FileSize; 37 | DWORD field_54; 38 | DWORD UserPtr; 39 | DWORD field_5C; 40 | PCHAR MaybeFileName2; 41 | PWCHAR StreamName1; 42 | PWCHAR StreamName2; 43 | DWORD field_6C; 44 | DWORD ThreatId; // Can be passed back to GetThreatInfo 45 | } SCANSTRUCT, *PSCANSTRUCT; 46 | 47 | typedef struct _SCAN_REPLY { 48 | DWORD (*EngineScanCallback)(PSCANSTRUCT this); 49 | DWORD field_4; 50 | DWORD UserPtr; 51 | DWORD field_C; 52 | } SCAN_REPLY, *PSCAN_REPLY; 53 | 54 | #pragma pack(pop) 55 | #endif // __SCANREPLY_H 56 | 57 | -------------------------------------------------------------------------------- /loadlibrary/include/streambuffer.h: -------------------------------------------------------------------------------- 1 | #ifndef __STREAMBUFFER_H 2 | #define __STREAMBUFFER_H 3 | #pragma once 4 | #pragma pack(push, 1) 5 | 6 | enum { 7 | STREAM_ATTRIBUTE_INVALID = 0, 8 | STREAM_ATTRIBUTE_SKIPBMNOTIFICATION = 1, 9 | STREAM_ATTRIBUTE_BMDATA = 2, 10 | STREAM_ATTRIBUTE_FILECOPYPERFHINT = 3, 11 | STREAM_ATTRIBUTE_FILECOPYSOURCEPATH = 4, 12 | STREAM_ATTRIBUTE_FILECHANGEPERFHINT = 5, 13 | STREAM_ATTRIBUTE_FILEOPPROCESSID = 6, 14 | STREAM_ATTRIBUTE_FILEBACKUPWRITEPERFHINT = 7, 15 | STREAM_ATTRIBUTE_DONOTCACHESCANRESULT = 8, 16 | STREAM_ATTRIBUTE_SCANREASON = 9, 17 | STREAM_ATTRIBUTE_FILEID = 10, 18 | STREAM_ATTRIBUTE_FILEVOLUMESERIALNUMBER = 11, 19 | STREAM_ATTRIBUTE_FILEUSN = 12, 20 | STREAM_ATTRIBUTE_SCRIPTTYPE = 13, 21 | STREAM_ATTRIBUTE_PRIVATE = 14, 22 | STREAM_ATTRIBUTE_URL = 15, 23 | STREAM_ATTRIBUTE_REFERRALURL = 16, 24 | STREAM_ATTRIBUTE_SCRIPTID = 17, 25 | STREAM_ATTRIBUTE_HOSTAPPVERSION = 18, 26 | STREAM_ATTRIBUTE_THREAT_ID = 19, 27 | STREAM_ATTRIBUTE_THREAT_STATUS = 21, 28 | STREAM_ATTRIBUTE_LOFI = 22, 29 | STREAM_ATTRIBUTE_THREAT_RESOURCES = 25, 30 | STREAM_ATTRIBUTE_LOFI_RESOURCES = 26, 31 | STREAM_ATTRIBUTE_VOLATILE = 29, 32 | STREAM_ATTRIBUTE_REFERRERURL = 30, 33 | STREAM_ATTRIBUTE_REQUESTORMODE = 31, 34 | STREAM_ATTRIBUTE_CI_EA = 33, 35 | STREAM_ATTRIBUTE_CURRENT_FILEUSN = 34, 36 | STREAM_ATTRIBUTE_AVAILABLE_DSS_THREADS = 35, 37 | STREAM_ATTRIBUTE_IO_STATUS_BLOCK_FOR_NEW_FILE = 36, 38 | STREAM_ATTRIBUTE_DESIRED_ACCESS = 37, 39 | STREAM_ATTRIBUTE_FILEOPPROCESSNAME = 38, 40 | STREAM_ATTRIBUTE_DETAILED_SCAN_NEEDED = 39, 41 | STREAM_ATTRIBUTE_URL_HAS_GOOD_REPUTATION = 40, 42 | STREAM_ATTRIBUTE_SITE_HAS_GOOD_REPUTATION = 41, 43 | STREAM_ATTRIBUTE_URL_ZONE = 42, 44 | STREAM_ATTRIBUTE_CONTROL_GUID = 43, 45 | STREAM_ATTRIBUTE_CONTROL_VERSION = 44, 46 | STREAM_ATTRIBUTE_CONTROL_PATH = 45, 47 | STREAM_ATTRIBUTE_CONTROL_HTML = 46, 48 | STREAM_ATTRIBUTE_PAGE_CONTEXT = 47, 49 | STREAM_ATTRIBUTE_FRAME_URL = 48, 50 | STREAM_ATTRIBUTE_FRAME_HTML = 49, 51 | STREAM_ATTRIBUTE_ACTION_IE_BLOCK_PAGE = 50, 52 | STREAM_ATTRIBUTE_ACTION_IE_BLOCK_CONTROL = 51, 53 | STREAM_ATTRIBUTE_SHARE_ACCESS = 52, 54 | STREAM_ATTRIBUTE_OPEN_OPTIONS = 53, 55 | STREAM_ATTRIBUTE_DEVICE_CHARACTERISTICS = 54, 56 | STREAM_ATTRIBUTE_FILE_ATTRIBUTES = 55, 57 | STREAM_ATTRIBUTE_HAS_MOTW_ADS = 56, 58 | STREAM_ATTRIBUTE_SE_SIGNING_LEVEL = 57, 59 | STREAM_ATTRIBUTE_SESSION_ID = 58, 60 | STREAM_ATTRIBUTE_AMSI_APP_ID = 59, 61 | STREAM_ATTRIBUTE_AMSI_SESSION_ID = 60, 62 | STREAM_ATTRIBUTE_FILE_OPERATION_PPID = 61, 63 | STREAM_ATTRIBUTE_SECTOR_NUMBER = 62, 64 | STREAM_ATTRIBUTE_AMSI_CONTENT_NAME = 63, 65 | STREAM_ATTRIBUTE_AMSI_UAC_REQUEST_CONTEXT = 64, 66 | STREAM_ATTRIBUTE_RESOURCE_CONTEXT = 65, 67 | STREAM_ATTRIBUTE_OPEN_CREATEPROCESS_HINT = 66, 68 | STREAM_ATTRIBUTE_GENSTREAM_APP_NAME = 67, 69 | STREAM_ATTRIBUTE_GENSTREAM_SESSION_ID = 68, 70 | STREAM_ATTRIBUTE_GENSTREAM_CONTENT_NAME = 69, 71 | STREAM_ATTRIBUTE_OPEN_ACCESS_STATE_FLAGS = 70, 72 | STREAM_ATTRIBUTE_GENSTREAM_EXTERN_GUID = 71, 73 | STREAM_ATTRIBUTE_IS_CONTAINER_FILE = 72, 74 | STREAM_ATTRIBUTE_AMSI_REDIRECT_CHAIN = 75, 75 | }; 76 | 77 | enum { 78 | SCANREASON_UNKNOWN = 0, 79 | SCANREASON_ONMOUNT = 1, 80 | SCANREASON_ONOPEN = 2, 81 | SCANREASON_ONFIRSTREAD = 3, 82 | SCANREASON_ONWRITE = 4, 83 | SCANREASON_ONMODIFIEDHANDLECLOSE = 5, 84 | SCANREASON_INMEMORY = 8, 85 | SCANREASON_VALIDATION_PRESCAN = 9, 86 | SCANREASON_VALIDATION_CONTENTSCAN = 0x0A, 87 | SCANREASON_ONVOLUMECLEANUP = 0x0B, 88 | SCANREASON_AMSI = 0x0C, 89 | SCANREASON_AMSI_UAC = 0x0D, 90 | SCANREASON_GENERICSTREAM = 0x0E, 91 | SCANREASON_IOAVSTREAM = 0x0F, 92 | }; 93 | 94 | typedef struct _STREAMBUFFER_DESCRIPTOR { 95 | PVOID UserPtr; 96 | DWORD (* Read)(PVOID this, uint64_t Offset, PVOID Buffer, DWORD Size, PDWORD SizeRead); 97 | DWORD (* Write)(PVOID this, uint64_t Offset, PVOID Buffer, DWORD Size, PDWORD TotalWritten); 98 | DWORD (* GetSize)(PVOID this, uint64_t *FileSize); 99 | DWORD (* SetSize)(PVOID this, uint64_t *FileSize); 100 | PWCHAR (* GetName)(PVOID this); 101 | DWORD (* SetAttributes)(PVOID this, DWORD Attribute, PVOID Data, DWORD DataSize); 102 | DWORD (* GetAttributes)(PVOID this, DWORD Attribute, PVOID Data, DWORD DataSize, PDWORD DataSizeWritten); 103 | } STREAMBUFFER_DESCRIPTOR, *PSTREAMBUFFER_DESCRIPTOR; 104 | 105 | typedef struct _SCANSTREAM_PARAMS { 106 | PSTREAMBUFFER_DESCRIPTOR Descriptor; 107 | PSCAN_REPLY ScanReply; 108 | DWORD UnknownB; 109 | DWORD UnknownC; 110 | } SCANSTREAM_PARAMS, *PSCANSTREAM_PARAMS; 111 | 112 | #pragma pack(pop) 113 | #endif // __STREAMBUFFER_H 114 | -------------------------------------------------------------------------------- /loadlibrary/input.apdu: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x41sec/x41-smartcard-fuzzing/e7506e0280187b7c2da69fa24fee7d655b5dbb94/loadlibrary/input.apdu -------------------------------------------------------------------------------- /loadlibrary/intercept/Makefile: -------------------------------------------------------------------------------- 1 | CFLAGS = -O0 -ggdb3 -m32 -std=gnu99 -fshort-wchar -Wno-multichar -w 2 | CPPFLAGS= -DNDEBUG 3 | LDFLAGS = $(CFLAGS) -m32 4 | 5 | all: hook.o 6 | make -C libdisasm all 7 | cp libdisasm/libdisasm.a . 8 | 9 | clean: 10 | rm -f *.o *.a 11 | make -C libdisasm clean 12 | -------------------------------------------------------------------------------- /loadlibrary/intercept/README: -------------------------------------------------------------------------------- 1 | This a simple library for hooking and redirecting functions using libdisasm. 2 | -------------------------------------------------------------------------------- /loadlibrary/intercept/hook.h: -------------------------------------------------------------------------------- 1 | #ifndef __HOOK_H 2 | #define __HOOK_H 3 | 4 | bool insert_function_redirect(void *function, void *redirect, uint32_t flags); 5 | bool remove_function_redirect(void *function); 6 | bool redirect_call_within_function(void *function, void *target, void *redirect); 7 | 8 | // Flags recognised by insert_function_redirect. 9 | enum { 10 | HOOK_DEFAULT = 0, 11 | HOOK_REPLACE_FUNCTION = (1 << 0), // Replace call, don't hook. 12 | HOOK_FASTCALL = (1 << 1), // Try to minimize damage to registers. 13 | }; 14 | 15 | // Convenient representation of an x86 near call. The immediate operand is the 16 | // relative, displaced branch target, thus actual address is something like: 17 | // 18 | // target = (uintptr_t)(&call) + sizeof(struct call) + call->operand.i; 19 | // 20 | struct __attribute__((packed)) branch { 21 | uint8_t opcode; 22 | union { 23 | uintptr_t i; 24 | void *p; 25 | } operand; 26 | uint8_t data[0]; // Used to chain instructions together. 27 | }; 28 | 29 | #define X86_OPCODE_CALL_NEAR 0xE8 30 | #define X86_OPCODE_JMP_NEAR 0xE9 31 | 32 | #define X86_OPCODE_NOP 0x90 33 | #define X86_OPCODE_RET 0xC3 34 | #define X86_OPCODE_MOV_EAX_IMM 0xB8 35 | #define X86_OPCODE_PUSH_EBP 0x55 36 | 37 | #define X86_PREFIX_DATA16 0x66 38 | 39 | // This is used to save an arbitrary 2 byte integer in the instuction stream 40 | // without disrupting disassemblers. 41 | struct __attribute__((packed)) encodedsize { 42 | uint8_t prefix; // 0x66 43 | uint8_t opcode; // 0xB8 44 | uint16_t operand; 45 | }; 46 | 47 | static int __stub_zero() { return 0; } 48 | static int __stub_one() { return 1; } 49 | static int __stub_false(){ return false; } 50 | static int __stub_true() { return true; } 51 | static int __stub_neg() { return -1; } 52 | 53 | // Callee clears stubs, common on Windows. 54 | static int __attribute__((stdcall)) __stub_zero_std_4(int a) { return 0; } 55 | static int __attribute__((stdcall)) __stub_zero_std_8(int a, int b) { return 0; } 56 | static int __attribute__((stdcall)) __stub_zero_std_12(int a, int b, int c) { return 0; } 57 | static int __attribute__((stdcall)) __stub_zero_std_16(int a, int b, int c, int d) { return 0; } 58 | 59 | // This allows you to call stubs like __stub_zero_std(4) to specify how many bytes to clear. 60 | #define __stub_zero_std(n) __stub_zero_std_ ## n 61 | 62 | #endif 63 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdis.h: -------------------------------------------------------------------------------- 1 | libdisasm/libdis.h -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/AUTHORS: -------------------------------------------------------------------------------- 1 | mammon_, mere coder 2 | ReZiDeNt, Militant Dairy Activist (MIA) 3 | The Grugq, Chief Makefile Architect 4 | MO_K, MIA Libi386 Enthusiast (MIA) 5 | a_p, Invisible Tester 6 | fbj, Visible Tester (MIA) 7 | drb, n0ps 'r us 8 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/LICENSE: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | The "Clarified Artistic License" 6 | 7 | Preamble 8 | 9 | The intent of this document is to state the conditions under which a 10 | Package may be copied, such that the Copyright Holder maintains some 11 | semblance of artistic control over the development of the package, 12 | while giving the users of the package the right to use and distribute 13 | the Package in a more-or-less customary fashion, plus the right to make 14 | reasonable modifications. 15 | 16 | Definitions: 17 | 18 | "Package" refers to the collection of files distributed by the 19 | Copyright Holder, and derivatives of that collection of files 20 | created through textual modification. 21 | 22 | "Standard Version" refers to such a Package if it has not been 23 | modified, or has been modified in accordance with the wishes 24 | of the Copyright Holder as specified below. 25 | 26 | "Copyright Holder" is whoever is named in the copyright or 27 | copyrights for the package. 28 | 29 | "You" is you, if you're thinking about copying or distributing 30 | this Package. 31 | 32 | "Distribution fee" is a fee you charge for providing a copy of this 33 | Package to another party. 34 | 35 | "Freely Available" means that no fee is charged for the right to use 36 | the item, though there may be fees involved in handling the item. 37 | 38 | 1. You may make and give away verbatim copies of the source form of the 39 | Standard Version of this Package without restriction, provided that you 40 | duplicate all of the original copyright notices and associated disclaimers. 41 | 42 | 2. You may apply bug fixes, portability fixes and other modifications 43 | derived from the Public Domain, or those made Freely Available, or from 44 | the Copyright Holder. A Package modified in such a way shall still be 45 | considered the Standard Version. 46 | 47 | 3. You may otherwise modify your copy of this Package in any way, provided 48 | that you insert a prominent notice in each changed file stating how and 49 | when you changed that file, and provided that you do at least ONE of the 50 | following: 51 | 52 | a) place your modifications in the Public Domain or otherwise make them 53 | Freely Available, such as by posting said modifications to Usenet or 54 | an equivalent medium, or placing the modifications on a major archive 55 | site allowing unrestricted access to them, or by allowing the Copyright 56 | Holder to include your modifications in the Standard Version of the 57 | Package. 58 | 59 | b) use the modified Package only within your corporation or organization. 60 | 61 | c) rename any non-standard executables so the names do not conflict 62 | with standard executables, which must also be provided, and provide 63 | a separate manual page for each non-standard executable that clearly 64 | documents how it differs from the Standard Version. 65 | 66 | d) make other distribution arrangements with the Copyright Holder. 67 | 68 | e) permit and encourge anyone who receives a copy of the modified Package 69 | permission to make your modifications Freely Available in some specific 70 | way. 71 | 72 | 4. You may distribute the programs of this Package in object code or 73 | executable form, provided that you do at least ONE of the following: 74 | 75 | a) distribute a Standard Version of the executables and library files, 76 | together with instructions (in the manual page or equivalent) on where 77 | to get the Standard Version. 78 | 79 | b) accompany the distribution with the machine-readable source of 80 | the Package with your modifications. 81 | 82 | c) give non-standard executables non-standard names, and clearly 83 | document the differences in manual pages (or equivalent), together 84 | with instructions on where to get the Standard Version. 85 | 86 | d) make other distribution arrangements with the Copyright Holder. 87 | 88 | e) offer the machine-readable source of the Package, with your 89 | modifications, by mail order. 90 | 91 | 5. You may charge a distribution fee for any distribution of this Package. 92 | If you offer support for this Package, you may charge any fee you choose 93 | for that support. You may not charge a license fee for the right to use 94 | this Package itself. You may distribute this Package in aggregate with 95 | other (possibly commercial and possibly nonfree) programs as part of a 96 | larger (possibly commercial and possibly nonfree) software distribution, 97 | and charge license fees for other parts of that software distribution, 98 | provided that you do not advertise this Package as a product of your own. 99 | If the Package includes an interpreter, You may embed this Package's 100 | interpreter within an executable of yours (by linking); this shall be 101 | construed as a mere form of aggregation, provided that the complete 102 | Standard Version of the interpreter is so embedded. 103 | 104 | 6. The scripts and library files supplied as input to or produced as 105 | output from the programs of this Package do not automatically fall 106 | under the copyright of this Package, but belong to whoever generated 107 | them, and may be sold commercially, and may be aggregated with this 108 | Package. If such scripts or library files are aggregated with this 109 | Package via the so-called "undump" or "unexec" methods of producing a 110 | binary executable image, then distribution of such an image shall 111 | neither be construed as a distribution of this Package nor shall it 112 | fall under the restrictions of Paragraphs 3 and 4, provided that you do 113 | not represent such an executable image as a Standard Version of this 114 | Package. 115 | 116 | 7. C subroutines (or comparably compiled subroutines in other 117 | languages) supplied by you and linked into this Package in order to 118 | emulate subroutines and variables of the language defined by this 119 | Package shall not be considered part of this Package, but are the 120 | equivalent of input as in Paragraph 6, provided these subroutines do 121 | not change the language in any way that would cause it to fail the 122 | regression tests for the language. 123 | 124 | 8. Aggregation of the Standard Version of the Package with a commercial 125 | distribution is always permitted provided that the use of this Package is 126 | embedded; that is, when no overt attempt is made to make this Package's 127 | interfaces visible to the end user of the commercial distribution. 128 | Such use shall not be construed as a distribution of this Package. 129 | 130 | 9. The name of the Copyright Holder may not be used to endorse or promote 131 | products derived from this software without specific prior written permission. 132 | 133 | 10. THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR 134 | IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 135 | WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 136 | 137 | The End 138 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/Makefile: -------------------------------------------------------------------------------- 1 | CFLAGS=-O2 -ggdb3 -m32 -std=gnu99 -fshort-wchar -Wno-multichar -w -DHAVE_CONFIG_H -I. 2 | LDFLAGS= $(CFLAGS) -m32 3 | 4 | all: libdisasm.a 5 | 6 | libdisasm.a: ia32_implicit.o \ 7 | ia32_modrm.o \ 8 | ia32_reg.o \ 9 | x86_format.o \ 10 | x86_misc.o \ 11 | ia32_insn.o \ 12 | ia32_opcode_tables.o \ 13 | ia32_settings.o \ 14 | x86_imm.o \ 15 | x86_operand_list.o \ 16 | ia32_invariant.o \ 17 | ia32_operand.o \ 18 | x86_disasm.o \ 19 | x86_insn.o 20 | $(AR) $(ARFLAGS) $@ $^ 21 | 22 | clean: 23 | rm -f *.o *.a 24 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/config.h: -------------------------------------------------------------------------------- 1 | /* config.h. Generated from config.h.in by configure. */ 2 | /* config.h.in. Generated from configure.ac by autoheader. */ 3 | 4 | /* Define to 1 if you have the header file. */ 5 | #define HAVE_DLFCN_H 1 6 | 7 | /* Define to 1 if you have the header file. */ 8 | #define HAVE_INTTYPES_H 1 9 | 10 | /* Define to 1 if you have the header file. */ 11 | #define HAVE_MEMORY_H 1 12 | 13 | /* Define to 1 if you have the header file. */ 14 | #define HAVE_STDINT_H 1 15 | 16 | /* Define to 1 if you have the header file. */ 17 | #define HAVE_STDLIB_H 1 18 | 19 | /* Define to 1 if you have the header file. */ 20 | #define HAVE_STRINGS_H 1 21 | 22 | /* Define to 1 if you have the header file. */ 23 | #define HAVE_STRING_H 1 24 | 25 | /* Define to 1 if you have the header file. */ 26 | #define HAVE_SYS_STAT_H 1 27 | 28 | /* Define to 1 if you have the header file. */ 29 | #define HAVE_SYS_TYPES_H 1 30 | 31 | /* Define to 1 if you have the header file. */ 32 | #define HAVE_UNISTD_H 1 33 | 34 | /* Name of package */ 35 | #define PACKAGE "libdisasm" 36 | 37 | /* Define to the address where bug reports for this package should be sent. */ 38 | #define PACKAGE_BUGREPORT "bastard-libdisasm@lists.sourceforge.net" 39 | 40 | /* Define to the full name of this package. */ 41 | #define PACKAGE_NAME "libdisasm" 42 | 43 | /* Define to the full name and version of this package. */ 44 | #define PACKAGE_STRING "libdisasm 0.23" 45 | 46 | /* Define to the one symbol short name of this package. */ 47 | #define PACKAGE_TARNAME "libdisasm" 48 | 49 | /* Define to the version of this package. */ 50 | #define PACKAGE_VERSION "0.23" 51 | 52 | /* Define to 1 if you have the ANSI C header files. */ 53 | #define STDC_HEADERS 1 54 | 55 | /* Version number of package */ 56 | #define VERSION "0.23" 57 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/ia32_implicit.h: -------------------------------------------------------------------------------- 1 | #ifndef IA32_IMPLICIT_H 2 | #define IA32_IMPLICIT_H 3 | 4 | #include "libdis.h" 5 | 6 | /* OK, this is a hack to deal with prefixes having implicit operands... 7 | * thought I had removed all the old hackishness ;( */ 8 | 9 | #define IDX_IMPLICIT_REP 41 /* change this if the table changes! */ 10 | 11 | unsigned int ia32_insn_implicit_ops( x86_insn_t *insn, unsigned int impl_idx ); 12 | 13 | #endif 14 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/ia32_invariant.h: -------------------------------------------------------------------------------- 1 | #ifndef IA32_INVARIANT_H 2 | #define IA32_INVARIANT_H 3 | 4 | #include "libdis.h" 5 | 6 | size_t ia32_disasm_invariant( unsigned char *buf, size_t buf_len, 7 | x86_invariant_t *inv); 8 | 9 | size_t ia32_disasm_size( unsigned char *buf, size_t buf_len ); 10 | 11 | #endif 12 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/ia32_modrm.h: -------------------------------------------------------------------------------- 1 | #ifndef IA32_MODRM_H 2 | #define IA32_MODRM_H 3 | 4 | #include "libdis.h" 5 | #include "ia32_insn.h" 6 | 7 | size_t ia32_modrm_decode( unsigned char *buf, unsigned int buf_len, 8 | x86_op_t *op, x86_insn_t *insn, 9 | size_t gen_regs ); 10 | 11 | void ia32_reg_decode( unsigned char byte, x86_op_t *op, size_t gen_regs ); 12 | 13 | #endif 14 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/ia32_opcode_tables.h: -------------------------------------------------------------------------------- 1 | #define idx_Main 0 2 | #define idx_66 1 3 | #define idx_F2 2 4 | #define idx_F3 3 5 | #define idx_0F 4 6 | #define idx_660F 5 7 | #define idx_F20F 6 8 | #define idx_F30F 7 9 | #define idx_0F00 8 10 | #define idx_0F01 9 11 | #define idx_0F0111 10 12 | #define idx_0F12 11 13 | #define idx_0F16 12 14 | #define idx_0F18 13 15 | #define idx_0F71 14 16 | #define idx_660F71 15 17 | #define idx_0F72 16 18 | #define idx_660F72 17 19 | #define idx_0F73 18 20 | #define idx_660F73 19 21 | #define idx_0FAE 20 22 | #define idx_0FBA 21 23 | #define idx_0FC7 22 24 | #define idx_0FB9 23 25 | #define idx_C6 24 26 | #define idx_C7 25 27 | #define idx_80 26 28 | #define idx_81 27 29 | #define idx_82 28 30 | #define idx_83 29 31 | #define idx_C0 30 32 | #define idx_C1 31 33 | #define idx_D0 32 34 | #define idx_D1 33 35 | #define idx_D2 34 36 | #define idx_D3 35 37 | #define idx_F6 36 38 | #define idx_F7 37 39 | #define idx_FE 38 40 | #define idx_FF 39 41 | #define idx_D8 40 42 | #define idx_D8C0 41 43 | #define idx_D9 42 44 | #define idx_D9C0 43 45 | #define idx_DA 44 46 | #define idx_DAC0 45 47 | #define idx_DB 46 48 | #define idx_DBC0 47 49 | #define idx_DC 48 50 | #define idx_DCC0 49 51 | #define idx_DD 50 52 | #define idx_DDC0 51 53 | #define idx_DE 52 54 | #define idx_DEC0 53 55 | #define idx_DF 54 56 | #define idx_DFC0 55 57 | #define idx_0F0F 56 58 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/ia32_operand.h: -------------------------------------------------------------------------------- 1 | #ifndef IA32_OPERAND_H 2 | #define IA32_OPERAND_H 3 | 4 | #include "libdis.h" 5 | #include "ia32_insn.h" 6 | 7 | size_t ia32_decode_operand( unsigned char *buf, size_t buf_len, 8 | x86_insn_t *insn, unsigned int raw_op, 9 | unsigned int raw_flags, unsigned int prefixes, 10 | unsigned char modrm ); 11 | #endif 12 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/ia32_reg.h: -------------------------------------------------------------------------------- 1 | #ifndef IA32_REG_H 2 | #define IA32_REG_H 3 | 4 | #include /* for size_t */ 5 | #include "libdis.h" /* for x86_reg_t */ 6 | 7 | /* NOTE these are used in opcode tables for hard-coded registers */ 8 | #define REG_DWORD_OFFSET 1 /* 0 + 1 */ 9 | #define REG_ECX_INDEX 2 /* 0 + 1 + 1 */ 10 | #define REG_ESP_INDEX 5 /* 0 + 4 + 1 */ 11 | #define REG_EBP_INDEX 6 /* 0 + 5 + 1 */ 12 | #define REG_ESI_INDEX 7 /* 0 + 6 + 1 */ 13 | #define REG_EDI_INDEX 8 /* 0 + 7 + 1 */ 14 | #define REG_WORD_OFFSET 9 /* 1 * 8 + 1 */ 15 | #define REG_BYTE_OFFSET 17 /* 2 * 8 + 1 */ 16 | #define REG_MMX_OFFSET 25 /* 3 * 8 + 1 */ 17 | #define REG_SIMD_OFFSET 33 /* 4 * 8 + 1 */ 18 | #define REG_DEBUG_OFFSET 41 /* 5 * 8 + 1 */ 19 | #define REG_CTRL_OFFSET 49 /* 6 * 8 + 1 */ 20 | #define REG_TEST_OFFSET 57 /* 7 * 8 + 1 */ 21 | #define REG_SEG_OFFSET 65 /* 8 * 8 + 1 */ 22 | #define REG_LDTR_INDEX 71 /* 8 * 8 + 1 + 1 */ 23 | #define REG_GDTR_INDEX 72 /* 8 * 8 + 2 + 1 */ 24 | #define REG_FPU_OFFSET 73 /* 9 * 8 + 1 */ 25 | #define REG_FLAGS_INDEX 81 /* 10 * 8 + 1 */ 26 | #define REG_FPCTRL_INDEX 82 /* 10 * 8 + 1 + 1 */ 27 | #define REG_FPSTATUS_INDEX 83 /* 10 * 8 + 2 + 1 */ 28 | #define REG_FPTAG_INDEX 84 /* 10 * 8 + 3 + 1 */ 29 | #define REG_EIP_INDEX 85 /* 10 * 8 + 4 + 1 */ 30 | #define REG_IP_INDEX 86 /* 10 * 8 + 5 + 1 */ 31 | #define REG_IDTR_INDEX 87 /* 10 * 8 + 6 + 1 */ 32 | #define REG_MXCSG_INDEX 88 /* 10 * 8 + 7 + 1 */ 33 | #define REG_TR_INDEX 89 /* 10 * 8 + 8 + 1 */ 34 | #define REG_CSMSR_INDEX 90 /* 10 * 8 + 9 + 1 */ 35 | #define REG_ESPMSR_INDEX 91 /* 10 * 8 + 10 + 1 */ 36 | #define REG_EIPMSR_INDEX 92 /* 10 * 8 + 11 + 1 */ 37 | 38 | void ia32_handle_register( x86_reg_t *reg, size_t id ); 39 | size_t ia32_true_register_id( size_t id ); 40 | 41 | #endif 42 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/ia32_settings.c: -------------------------------------------------------------------------------- 1 | #include "libdis.h" 2 | #include "ia32_settings.h" 3 | #include "ia32_reg.h" 4 | #include "ia32_insn.h" 5 | 6 | ia32_settings_t ia32_settings = { 7 | 1, 0xF4, 8 | MAX_INSTRUCTION_SIZE, 9 | 4, 4, 8, 4, 8, 10 | REG_ESP_INDEX, REG_EBP_INDEX, REG_EIP_INDEX, REG_FLAGS_INDEX, 11 | REG_DWORD_OFFSET, REG_SEG_OFFSET, REG_FPU_OFFSET, 12 | opt_none 13 | }; 14 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/ia32_settings.h: -------------------------------------------------------------------------------- 1 | #ifndef IA32_SETTINGS_H 2 | #define IA32_SETTINGS_H 3 | 4 | #include "libdis.h" 5 | 6 | typedef struct { 7 | /* options */ 8 | unsigned char endian, /* 0 = big, 1 = little */ 9 | wc_byte, /* wildcard byte */ 10 | max_insn, /* max insn size */ 11 | sz_addr, /* default address size */ 12 | sz_oper, /* default operand size */ 13 | sz_byte, /* # bits in byte */ 14 | sz_word, /* # bytes in machine word */ 15 | sz_dword; /* # bytes in machine dword */ 16 | unsigned int id_sp_reg, /* id of stack pointer */ 17 | id_fp_reg, /* id of frame pointer */ 18 | id_ip_reg, /* id of instruction pointer */ 19 | id_flag_reg, /* id of flags register */ 20 | offset_gen_regs, /* start of general regs */ 21 | offset_seg_regs, /* start of segment regs */ 22 | offset_fpu_regs; /* start of floating point regs */ 23 | /* user-controlled settings */ 24 | enum x86_options options; 25 | } ia32_settings_t; 26 | 27 | #endif 28 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/qword.h: -------------------------------------------------------------------------------- 1 | #ifndef LIBDISASM_QWORD_H 2 | #define LIBDISASM_QWORD_H 3 | 4 | #include 5 | 6 | /* platform independent data types */ 7 | 8 | #ifdef _MSC_VER 9 | typedef __int64 qword_t; 10 | #else 11 | typedef int64_t qword_t; 12 | #endif 13 | 14 | #endif 15 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/x86_disasm.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include "libdis.h" 6 | #include "ia32_insn.h" 7 | #include "ia32_invariant.h" 8 | #include "x86_operand_list.h" 9 | 10 | 11 | #ifdef _MSC_VER 12 | #define snprintf _snprintf 13 | #define inline __inline 14 | #endif 15 | 16 | unsigned int x86_disasm( unsigned char *buf, unsigned int buf_len, 17 | uint32_t buf_rva, unsigned int offset, 18 | x86_insn_t *insn ){ 19 | int len, size; 20 | unsigned char bytes[MAX_INSTRUCTION_SIZE]; 21 | 22 | if ( ! buf || ! insn || ! buf_len ) { 23 | /* caller screwed up somehow */ 24 | return 0; 25 | } 26 | 27 | 28 | /* ensure we are all NULLed up */ 29 | memset( insn, 0, sizeof(x86_insn_t) ); 30 | insn->addr = buf_rva + offset; 31 | insn->offset = offset; 32 | /* default to invalid insn */ 33 | insn->type = insn_invalid; 34 | insn->group = insn_none; 35 | 36 | if ( offset >= buf_len ) { 37 | /* another caller screwup ;) */ 38 | x86_report_error(report_disasm_bounds, (void*)(long)buf_rva+offset); 39 | return 0; 40 | } 41 | 42 | len = buf_len - offset; 43 | 44 | /* copy enough bytes for disassembly into buffer : this 45 | * helps prevent buffer overruns at the end of a file */ 46 | memset( bytes, 0, MAX_INSTRUCTION_SIZE ); 47 | memcpy( bytes, &buf[offset], (len < MAX_INSTRUCTION_SIZE) ? len : 48 | MAX_INSTRUCTION_SIZE ); 49 | 50 | /* actually do the disassembly */ 51 | /* TODO: allow switching when more disassemblers are added */ 52 | size = ia32_disasm_addr( bytes, len, insn); 53 | 54 | /* check and see if we had an invalid instruction */ 55 | if (! size ) { 56 | x86_report_error(report_invalid_insn, (void*)(long)buf_rva+offset ); 57 | return 0; 58 | } 59 | 60 | /* check if we overran the end of the buffer */ 61 | if ( size > len ) { 62 | x86_report_error( report_insn_bounds, (void*)(long)buf_rva + offset ); 63 | MAKE_INVALID( insn, bytes ); 64 | return 0; 65 | } 66 | 67 | /* fill bytes field of insn */ 68 | memcpy( insn->bytes, bytes, size ); 69 | 70 | return size; 71 | } 72 | 73 | unsigned int x86_disasm_range( unsigned char *buf, uint32_t buf_rva, 74 | unsigned int offset, unsigned int len, 75 | DISASM_CALLBACK func, void *arg ) { 76 | x86_insn_t insn; 77 | unsigned int buf_len, size, count = 0, bytes = 0; 78 | 79 | /* buf_len is implied by the arguments */ 80 | buf_len = len + offset; 81 | 82 | while ( bytes < len ) { 83 | size = x86_disasm( buf, buf_len, buf_rva, offset + bytes, 84 | &insn ); 85 | if ( size ) { 86 | /* invoke callback if it exists */ 87 | if ( func ) { 88 | (*func)( &insn, arg ); 89 | } 90 | bytes += size; 91 | count ++; 92 | } else { 93 | /* error */ 94 | bytes++; /* try next byte */ 95 | } 96 | 97 | x86_oplist_free( &insn ); 98 | } 99 | 100 | return( count ); 101 | } 102 | 103 | static inline int follow_insn_dest( x86_insn_t *insn ) { 104 | if ( insn->type == insn_jmp || insn->type == insn_jcc || 105 | insn->type == insn_call || insn->type == insn_callcc ) { 106 | return(1); 107 | } 108 | return(0); 109 | } 110 | 111 | static inline int insn_doesnt_return( x86_insn_t *insn ) { 112 | return( (insn->type == insn_jmp || insn->type == insn_return) ? 1: 0 ); 113 | } 114 | 115 | static int32_t internal_resolver( x86_op_t *op, x86_insn_t *insn ){ 116 | int32_t next_addr = -1; 117 | if ( x86_optype_is_address(op->type) ) { 118 | next_addr = op->data.sdword; 119 | } else if ( op->type == op_relative_near ) { 120 | next_addr = insn->addr + insn->size + op->data.relative_near; 121 | } else if ( op->type == op_relative_far ) { 122 | next_addr = insn->addr + insn->size + op->data.relative_far; 123 | } 124 | return( next_addr ); 125 | } 126 | 127 | unsigned int x86_disasm_forward( unsigned char *buf, unsigned int buf_len, 128 | uint32_t buf_rva, unsigned int offset, 129 | DISASM_CALLBACK func, void *arg, 130 | DISASM_RESOLVER resolver, void *r_arg ){ 131 | x86_insn_t insn; 132 | x86_op_t *op; 133 | int32_t next_addr; 134 | uint32_t next_offset; 135 | unsigned int size, count = 0, bytes = 0, cont = 1; 136 | 137 | while ( cont && bytes < buf_len ) { 138 | size = x86_disasm( buf, buf_len, buf_rva, offset + bytes, 139 | &insn ); 140 | 141 | if ( size ) { 142 | /* invoke callback if it exists */ 143 | if ( func ) { 144 | (*func)( &insn, arg ); 145 | } 146 | bytes += size; 147 | count ++; 148 | } else { 149 | /* error */ 150 | bytes++; /* try next byte */ 151 | } 152 | 153 | if ( follow_insn_dest(&insn) ) { 154 | op = x86_get_dest_operand( &insn ); 155 | next_addr = -1; 156 | 157 | /* if caller supplied a resolver, use it to determine 158 | * the address to disassemble */ 159 | if ( resolver ) { 160 | next_addr = resolver(op, &insn, r_arg); 161 | } else { 162 | next_addr = internal_resolver(op, &insn); 163 | } 164 | 165 | if (next_addr != -1 ) { 166 | next_offset = next_addr - buf_rva; 167 | /* if offset is in this buffer... */ 168 | if ( next_offset >= 0 && 169 | next_offset < buf_len ) { 170 | /* go ahead and disassemble */ 171 | count += x86_disasm_forward( buf, 172 | buf_len, 173 | buf_rva, 174 | next_offset, 175 | func, arg, 176 | resolver, r_arg ); 177 | } else { 178 | /* report unresolved address */ 179 | x86_report_error( report_disasm_bounds, 180 | (void*)(long)next_addr ); 181 | } 182 | } 183 | } /* end follow_insn */ 184 | 185 | if ( insn_doesnt_return(&insn) ) { 186 | /* stop disassembling */ 187 | cont = 0; 188 | } 189 | 190 | x86_oplist_free( &insn ); 191 | } 192 | return( count ); 193 | } 194 | 195 | /* invariant instruction representation */ 196 | size_t x86_invariant_disasm( unsigned char *buf, int buf_len, 197 | x86_invariant_t *inv ){ 198 | if (! buf || ! buf_len || ! inv ) { 199 | return(0); 200 | } 201 | 202 | return ia32_disasm_invariant(buf, buf_len, inv); 203 | } 204 | size_t x86_size_disasm( unsigned char *buf, unsigned int buf_len ) { 205 | if (! buf || ! buf_len ) { 206 | return(0); 207 | } 208 | 209 | return ia32_disasm_size(buf, buf_len); 210 | } 211 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/x86_imm.c: -------------------------------------------------------------------------------- 1 | #include "qword.h" 2 | #include "x86_imm.h" 3 | 4 | #include 5 | 6 | unsigned int x86_imm_signsized( unsigned char * buf, size_t buf_len, 7 | void *dest, unsigned int size ) { 8 | signed char *cp = (signed char *) dest; 9 | signed short *sp = (signed short *) dest; 10 | int32_t *lp = (int32_t *) dest; 11 | qword_t *qp = (qword_t *) dest; 12 | 13 | if ( size > buf_len ) { 14 | return 0; 15 | } 16 | 17 | /* Copy 'size' bytes from *buf to *op 18 | * return number of bytes copied */ 19 | switch (size) { 20 | case 1: /* BYTE */ 21 | *cp = *((signed char *) buf); 22 | break; 23 | case 2: /* WORD */ 24 | *sp = *((signed short *) buf); 25 | break; 26 | case 6: 27 | case 8: /* QWORD */ 28 | *qp = *((qword_t *) buf); 29 | break; 30 | case 4: /* DWORD */ 31 | default: 32 | *lp = *((int32_t *) buf); 33 | break; 34 | } 35 | return (size); 36 | } 37 | 38 | unsigned int x86_imm_sized( unsigned char * buf, size_t buf_len, void *dest, 39 | unsigned int size ) { 40 | unsigned char *cp = (unsigned char *) dest; 41 | unsigned short *sp = (unsigned short *) dest; 42 | uint32_t *lp = (uint32_t *) dest; 43 | qword_t *qp = (qword_t *) dest; 44 | 45 | if ( size > buf_len ) { 46 | return 0; 47 | } 48 | 49 | /* Copy 'size' bytes from *buf to *op 50 | * return number of bytes copied */ 51 | switch (size) { 52 | case 1: /* BYTE */ 53 | *cp = *((unsigned char *) buf); 54 | break; 55 | case 2: /* WORD */ 56 | *sp = *((unsigned short *) buf); 57 | break; 58 | case 6: 59 | case 8: /* QWORD */ 60 | *qp = *((qword_t *) buf); 61 | break; 62 | case 4: /* DWORD */ 63 | default: 64 | *lp = *((uint32_t *) buf); 65 | break; 66 | } 67 | 68 | return (size); 69 | } 70 | 71 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/x86_imm.h: -------------------------------------------------------------------------------- 1 | #ifndef x86_IMM_H 2 | #define x86_IMM_H 3 | 4 | #include "./qword.h" 5 | #include 6 | 7 | #ifdef WIN32 8 | #include 9 | #endif 10 | 11 | /* these are in the global x86 namespace but are not a part of the 12 | * official API */ 13 | unsigned int x86_imm_sized( unsigned char *buf, size_t buf_len, void *dest, 14 | unsigned int size ); 15 | 16 | unsigned int x86_imm_signsized( unsigned char *buf, size_t buf_len, void *dest, 17 | unsigned int size ); 18 | #endif 19 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/x86_insn.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include "libdis.h" 5 | 6 | #ifdef _MSC_VER 7 | #define snprintf _snprintf 8 | #define inline __inline 9 | #endif 10 | 11 | int x86_insn_is_valid( x86_insn_t *insn ) { 12 | if ( insn && insn->type != insn_invalid && insn->size > 0 ) { 13 | return 1; 14 | } 15 | 16 | return 0; 17 | } 18 | 19 | uint32_t x86_get_address( x86_insn_t *insn ) { 20 | x86_oplist_t *op_lst; 21 | if (! insn || ! insn->operands ) { 22 | return 0; 23 | } 24 | 25 | for (op_lst = insn->operands; op_lst; op_lst = op_lst->next ) { 26 | if ( op_lst->op.type == op_offset ) { 27 | return op_lst->op.data.offset; 28 | } else if ( op_lst->op.type == op_absolute ) { 29 | if ( op_lst->op.datatype == op_descr16 ) { 30 | return (uint32_t) 31 | op_lst->op.data.absolute.offset.off16; 32 | } 33 | return op_lst->op.data.absolute.offset.off32; 34 | } 35 | } 36 | 37 | return 0; 38 | } 39 | 40 | int32_t x86_get_rel_offset( x86_insn_t *insn ) { 41 | x86_oplist_t *op_lst; 42 | if (! insn || ! insn->operands ) { 43 | return 0; 44 | } 45 | 46 | for (op_lst = insn->operands; op_lst; op_lst = op_lst->next ) { 47 | if ( op_lst->op.type == op_relative_near ) { 48 | return (int32_t) op_lst->op.data.relative_near; 49 | } else if ( op_lst->op.type == op_relative_far ) { 50 | return op_lst->op.data.relative_far; 51 | } 52 | } 53 | 54 | return 0; 55 | } 56 | 57 | x86_op_t * x86_get_branch_target( x86_insn_t *insn ) { 58 | x86_oplist_t *op_lst; 59 | if (! insn || ! insn->operands ) { 60 | return NULL; 61 | } 62 | 63 | for (op_lst = insn->operands; op_lst; op_lst = op_lst->next ) { 64 | if ( op_lst->op.access & op_execute ) { 65 | return &(op_lst->op); 66 | } 67 | } 68 | 69 | return NULL; 70 | } 71 | x86_op_t * x86_get_imm( x86_insn_t *insn ) { 72 | x86_oplist_t *op_lst; 73 | if (! insn || ! insn->operands ) { 74 | return NULL; 75 | } 76 | 77 | for (op_lst = insn->operands; op_lst; op_lst = op_lst->next ) { 78 | if ( op_lst->op.type == op_immediate ) { 79 | return &(op_lst->op); 80 | } 81 | } 82 | 83 | return NULL; 84 | } 85 | 86 | #define IS_PROPER_IMM( x ) \ 87 | x->op.type == op_immediate && ! (x->op.flags & op_hardcode) 88 | 89 | 90 | /* if there is an immediate value in the instruction, return a pointer to 91 | * it */ 92 | unsigned char * x86_get_raw_imm( x86_insn_t *insn ) { 93 | int size, offset; 94 | x86_op_t *op = NULL; 95 | 96 | if (! insn || ! insn->operands ) { 97 | return(NULL); 98 | } 99 | 100 | /* a bit inelegant, but oh well... */ 101 | if ( IS_PROPER_IMM( insn->operands ) ) { 102 | op = &insn->operands->op; 103 | } else if ( insn->operands->next ) { 104 | if ( IS_PROPER_IMM( insn->operands->next ) ) { 105 | op = &insn->operands->next->op; 106 | } else if ( insn->operands->next->next && 107 | IS_PROPER_IMM( insn->operands->next->next ) ) { 108 | op = &insn->operands->next->next->op; 109 | } 110 | } 111 | 112 | if (! op ) { 113 | return( NULL ); 114 | } 115 | 116 | /* immediate data is at the end of the insn */ 117 | size = x86_operand_size( op ); 118 | offset = insn->size - size; 119 | return( &insn->bytes[offset] ); 120 | } 121 | 122 | 123 | unsigned int x86_operand_size( x86_op_t *op ) { 124 | switch (op->datatype ) { 125 | case op_byte: return 1; 126 | case op_word: return 2; 127 | case op_dword: return 4; 128 | case op_qword: return 8; 129 | case op_dqword: return 16; 130 | case op_sreal: return 4; 131 | case op_dreal: return 8; 132 | case op_extreal: return 10; 133 | case op_bcd: return 10; 134 | case op_ssimd: return 16; 135 | case op_dsimd: return 16; 136 | case op_sssimd: return 4; 137 | case op_sdsimd: return 8; 138 | case op_descr32: return 6; 139 | case op_descr16: return 4; 140 | case op_pdescr32: return 6; 141 | case op_pdescr16: return 6; 142 | case op_bounds16: return 4; 143 | case op_bounds32: return 8; 144 | case op_fpuenv16: return 14; 145 | case op_fpuenv32: return 28; 146 | case op_fpustate16: return 94; 147 | case op_fpustate32: return 108; 148 | case op_fpregset: return 512; 149 | case op_fpreg: return 10; 150 | case op_none: return 0; 151 | } 152 | return(4); /* default size */ 153 | } 154 | 155 | void x86_set_insn_addr( x86_insn_t *insn, uint32_t addr ) { 156 | if ( insn ) insn->addr = addr; 157 | } 158 | 159 | void x86_set_insn_offset( x86_insn_t *insn, unsigned int offset ){ 160 | if ( insn ) insn->offset = offset; 161 | } 162 | 163 | void x86_set_insn_function( x86_insn_t *insn, void * func ){ 164 | if ( insn ) insn->function = func; 165 | } 166 | 167 | void x86_set_insn_block( x86_insn_t *insn, void * block ){ 168 | if ( insn ) insn->block = block; 169 | } 170 | 171 | void x86_tag_insn( x86_insn_t *insn ){ 172 | if ( insn ) insn->tag = 1; 173 | } 174 | 175 | void x86_untag_insn( x86_insn_t *insn ){ 176 | if ( insn ) insn->tag = 0; 177 | } 178 | 179 | int x86_insn_is_tagged( x86_insn_t *insn ){ 180 | return insn->tag; 181 | } 182 | 183 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/x86_misc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include "libdis.h" 6 | #include "ia32_insn.h" 7 | #include "ia32_reg.h" /* for ia32_reg wrapper */ 8 | #include "ia32_settings.h" 9 | extern ia32_settings_t ia32_settings; 10 | 11 | #ifdef _MSC_VER 12 | #define snprintf _snprintf 13 | #define inline __inline 14 | #endif 15 | 16 | 17 | /* =========================================================== INIT/TERM */ 18 | static DISASM_REPORTER __x86_reporter_func = NULL; 19 | static void * __x86_reporter_arg = NULL; 20 | 21 | int x86_init( enum x86_options options, DISASM_REPORTER reporter, void * arg ) 22 | { 23 | ia32_settings.options = options; 24 | __x86_reporter_func = reporter; 25 | __x86_reporter_arg = arg; 26 | 27 | return 1; 28 | } 29 | 30 | void x86_set_reporter( DISASM_REPORTER reporter, void * arg ) { 31 | __x86_reporter_func = reporter; 32 | __x86_reporter_arg = arg; 33 | } 34 | 35 | void x86_set_options( enum x86_options options ){ 36 | ia32_settings.options = options; 37 | } 38 | 39 | enum x86_options x86_get_options( void ) { 40 | return ia32_settings.options; 41 | } 42 | 43 | int x86_cleanup( void ) 44 | { 45 | return 1; 46 | } 47 | 48 | /* =========================================================== ERRORS */ 49 | void x86_report_error( enum x86_report_codes code, void *data ) { 50 | if ( __x86_reporter_func ) { 51 | (*__x86_reporter_func)(code, data, __x86_reporter_arg); 52 | } 53 | } 54 | 55 | 56 | /* =========================================================== MISC */ 57 | unsigned int x86_endian(void) { return ia32_settings.endian; } 58 | unsigned int x86_addr_size(void) { return ia32_settings.sz_addr; } 59 | unsigned int x86_op_size(void) { return ia32_settings.sz_oper; } 60 | unsigned int x86_word_size(void) { return ia32_settings.sz_word; } 61 | unsigned int x86_max_insn_size(void) { return ia32_settings.max_insn; } 62 | unsigned int x86_sp_reg(void) { return ia32_settings.id_sp_reg; } 63 | unsigned int x86_fp_reg(void) { return ia32_settings.id_fp_reg; } 64 | unsigned int x86_ip_reg(void) { return ia32_settings.id_ip_reg; } 65 | unsigned int x86_flag_reg(void) { return ia32_settings.id_flag_reg; } 66 | 67 | /* wrapper function to hide the IA32 register fn */ 68 | void x86_reg_from_id( unsigned int id, x86_reg_t * reg ) { 69 | ia32_handle_register( reg, id ); 70 | return; 71 | } 72 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/x86_operand_list.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "libdis.h" 3 | 4 | 5 | static void x86_oplist_append( x86_insn_t *insn, x86_oplist_t *op ) { 6 | x86_oplist_t *list; 7 | 8 | if (! insn ) { 9 | return; 10 | } 11 | 12 | list = insn->operands; 13 | if (! list ) { 14 | insn->operand_count = 1; 15 | /* Note that we have no way of knowing if this is an 16 | * exlicit operand or not, since the caller fills 17 | * the x86_op_t after we return. We increase the 18 | * explicit count automatically, and ia32_insn_implicit_ops 19 | * decrements it */ 20 | insn->explicit_count = 1; 21 | insn->operands = op; 22 | return; 23 | } 24 | 25 | /* get to end of list */ 26 | for ( ; list->next; list = list->next ) 27 | ; 28 | 29 | insn->operand_count = insn->operand_count + 1; 30 | insn->explicit_count = insn->explicit_count + 1; 31 | list->next = op; 32 | 33 | return; 34 | } 35 | 36 | x86_op_t * x86_operand_new( x86_insn_t *insn ) { 37 | x86_oplist_t *op; 38 | 39 | if (! insn ) { 40 | return(NULL); 41 | } 42 | op = calloc( sizeof(x86_oplist_t), 1 ); 43 | op->op.insn = insn; 44 | x86_oplist_append( insn, op ); 45 | return( &(op->op) ); 46 | } 47 | 48 | void x86_oplist_free( x86_insn_t *insn ) { 49 | x86_oplist_t *op, *list; 50 | 51 | if (! insn ) { 52 | return; 53 | } 54 | 55 | for ( list = insn->operands; list; ) { 56 | op = list; 57 | list = list->next; 58 | free(op); 59 | } 60 | 61 | insn->operands = NULL; 62 | insn->operand_count = 0; 63 | insn->explicit_count = 0; 64 | 65 | return; 66 | } 67 | 68 | /* ================================================== LIBDISASM API */ 69 | /* these could probably just be #defines, but that means exposing the 70 | enum... yet one more confusing thing in the API */ 71 | int x86_operand_foreach( x86_insn_t *insn, x86_operand_fn func, void *arg, 72 | enum x86_op_foreach_type type ){ 73 | x86_oplist_t *list; 74 | char explicit = 1, implicit = 1; 75 | 76 | if (! insn || ! func ) { 77 | return 0; 78 | } 79 | 80 | /* note: explicit and implicit can be ORed together to 81 | * allow an "all" limited by access type, even though the 82 | * user is stupid to do this since it is default behavior :) */ 83 | if ( (type & op_explicit) && ! (type & op_implicit) ) { 84 | implicit = 0; 85 | } 86 | if ( (type & op_implicit) && ! (type & op_explicit) ) { 87 | explicit = 0; 88 | } 89 | 90 | type = type & 0x0F; /* mask out explicit/implicit operands */ 91 | 92 | for ( list = insn->operands; list; list = list->next ) { 93 | if (! implicit && (list->op.flags & op_implied) ) { 94 | /* operand is implicit */ 95 | continue; 96 | } 97 | 98 | if (! explicit && ! (list->op.flags & op_implied) ) { 99 | /* operand is not implicit */ 100 | continue; 101 | } 102 | 103 | switch ( type ) { 104 | case op_any: 105 | break; 106 | case op_dest: 107 | if (! (list->op.access & op_write) ) { 108 | continue; 109 | } 110 | break; 111 | case op_src: 112 | if (! (list->op.access & op_read) ) { 113 | continue; 114 | } 115 | break; 116 | case op_ro: 117 | if (! (list->op.access & op_read) || 118 | (list->op.access & op_write ) ) { 119 | continue; 120 | } 121 | break; 122 | case op_wo: 123 | if (! (list->op.access & op_write) || 124 | (list->op.access & op_read ) ) { 125 | continue; 126 | } 127 | break; 128 | case op_xo: 129 | if (! (list->op.access & op_execute) ) { 130 | continue; 131 | } 132 | break; 133 | case op_rw: 134 | if (! (list->op.access & op_write) || 135 | ! (list->op.access & op_read ) ) { 136 | continue; 137 | } 138 | break; 139 | case op_implicit: case op_explicit: /* make gcc happy */ 140 | break; 141 | } 142 | /* any non-continue ends up here: invoke the callback */ 143 | (*func)( &list->op, insn, arg ); 144 | } 145 | 146 | return 1; 147 | } 148 | 149 | static void count_operand( x86_op_t *op, x86_insn_t *insn, void *arg ) { 150 | size_t * count = (size_t *) arg; 151 | *count = *count + 1; 152 | } 153 | 154 | size_t x86_operand_count( x86_insn_t *insn, enum x86_op_foreach_type type ) { 155 | size_t count = 0; 156 | 157 | /* save us a list traversal for common counts... */ 158 | if ( type == op_any ) { 159 | return insn->operand_count; 160 | } else if ( type == op_explicit ) { 161 | return insn->explicit_count; 162 | } 163 | 164 | x86_operand_foreach( insn, count_operand, &count, type ); 165 | return count; 166 | } 167 | 168 | /* accessor functions */ 169 | x86_op_t * x86_operand_1st( x86_insn_t *insn ) { 170 | if (! insn->explicit_count ) { 171 | return NULL; 172 | } 173 | 174 | return &(insn->operands->op); 175 | } 176 | 177 | x86_op_t * x86_operand_2nd( x86_insn_t *insn ) { 178 | if ( insn->explicit_count < 2 ) { 179 | return NULL; 180 | } 181 | 182 | return &(insn->operands->next->op); 183 | } 184 | 185 | x86_op_t * x86_operand_3rd( x86_insn_t *insn ) { 186 | if ( insn->explicit_count < 3 ) { 187 | return NULL; 188 | } 189 | 190 | return &(insn->operands->next->next->op); 191 | } 192 | -------------------------------------------------------------------------------- /loadlibrary/intercept/libdisasm/x86_operand_list.h: -------------------------------------------------------------------------------- 1 | #ifndef X86_OPERAND_LIST_H 2 | #define X86_OPERAND_LIST_H 3 | #include "libdis.h" 4 | 5 | 6 | x86_op_t * x86_operand_new( x86_insn_t *insn ); 7 | 8 | #endif 9 | -------------------------------------------------------------------------------- /loadlibrary/mpscript.c: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright (C) 2017 Tavis Ormandy 3 | // 4 | // This program is free software; you can redistribute it and/or modify 5 | // it under the terms of the GNU General Public License as published by 6 | // the Free Software Foundation; either version 2 of the License, or 7 | // (at your option) any later version. 8 | // 9 | // This program is distributed in the hope that it will be useful, 10 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | // GNU General Public License for more details. 13 | // 14 | 15 | #ifndef _GNU_SOURCE 16 | # define _GNU_SOURCE 17 | #endif 18 | 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | 40 | #include "log.h" 41 | #include "winnt_types.h" 42 | #include "pe_linker.h" 43 | #include "ntoskernel.h" 44 | #include "util.h" 45 | #include "hook.h" 46 | #include "rsignal.h" 47 | #include "engineboot.h" 48 | #include "scanreply.h" 49 | #include "streambuffer.h" 50 | #include "openscan.h" 51 | 52 | const char header[] = 53 | "function log(msg) { parseFloat('__log: ' + msg); }\n" 54 | "function dump(obj) { for (i in obj) { log(i); log('\\t' + obj[i]); }; }\n"; 55 | const char footer[] = { 56 | #include "script.h" // Generated by Makefile 57 | 0, // String terminator 58 | }; 59 | 60 | DWORD (* __rsignal)(PHANDLE KernelHandle, DWORD Code, PVOID Params, DWORD Size); 61 | 62 | double JavaScriptLog(const char *nptr, char **endptr) 63 | { 64 | if (strncmp(nptr, "__log: ", 7) == 0) { 65 | LogMessage("%s", nptr + 7); 66 | return 0; 67 | } 68 | return strtod(nptr, endptr); 69 | } 70 | 71 | static DWORD EngineScanCallback(PSCANSTRUCT Scan) 72 | { 73 | return 0; 74 | } 75 | 76 | static DWORD ReadStream(PVOID this, QWORD Offset, PVOID Buffer, DWORD Size, PDWORD SizeRead) 77 | { 78 | memcpy(Buffer, this + Offset, *SizeRead = MIN(strlen(this+Offset), Size)); 79 | return TRUE; 80 | } 81 | 82 | static DWORD GetStreamSize(PVOID this, PQWORD FileSize) 83 | { 84 | *FileSize = strlen(this); 85 | return TRUE; 86 | } 87 | 88 | int main(int argc, char **argv, char **envp) 89 | { 90 | PVOID StrtodPtr; 91 | PIMAGE_DOS_HEADER DosHeader; 92 | PIMAGE_NT_HEADERS PeHeader; 93 | HANDLE KernelHandle; 94 | SCAN_REPLY ScanReply; 95 | BOOTENGINE_PARAMS BootParams; 96 | SCANSTREAM_PARAMS ScanParams; 97 | STREAMBUFFER_DESCRIPTOR ScanDescriptor; 98 | ENGINE_INFO EngineInfo; 99 | ENGINE_CONFIG EngineConfig; 100 | struct pe_image image = { 101 | .entry = NULL, 102 | .name = "engine/mpengine.dll", 103 | }; 104 | 105 | // Load the mpengine module. 106 | if (pe_load_library(image.name, &image.image, &image.size) == false) { 107 | return 1; 108 | } 109 | 110 | // Handle relocations, imports, etc. 111 | link_pe_images(&image, 1); 112 | 113 | // Fetch the headers to get base offsets. 114 | DosHeader = (PIMAGE_DOS_HEADER) image.image; 115 | PeHeader = (PIMAGE_NT_HEADERS)(image.image + DosHeader->e_lfanew); 116 | 117 | // Load any additional exports. 118 | if (!process_extra_exports(image.image, PeHeader->OptionalHeader.BaseOfCode, "engine/mpengine.map")) { 119 | LogMessage("A map file is required to intercept interpreter output. See documentation."); 120 | } 121 | 122 | // Calculate the commands needed to get export and map symbols visible in gdb. 123 | if (xIsDebuggerPresent()) { 124 | LogMessage("GDB: add-symbol-file %s %#x+%#x", 125 | image.name, 126 | image.image, 127 | PeHeader->OptionalHeader.BaseOfCode); 128 | LogMessage("GDB: shell bash genmapsym.sh %#x+%#x symbols_%d.o < %s", 129 | image.image, 130 | PeHeader->OptionalHeader.BaseOfCode, 131 | getpid(), 132 | "engine/mpengine.map"); 133 | LogMessage("GDB: add-symbol-file symbols_%d.o 0", getpid()); 134 | __debugbreak(); 135 | } 136 | 137 | if (get_export("__rsignal", &__rsignal) == -1) { 138 | LogMessage("Cannot resolve mpengine!__rsignal, cannot continue"); 139 | return 1; 140 | } 141 | 142 | if (get_export("_strtod", &StrtodPtr) != -1) { 143 | insert_function_redirect(StrtodPtr, JavaScriptLog, HOOK_REPLACE_FUNCTION); 144 | } else { 145 | LogMessage("Unable to hook output (missing or incomplete map?), but input might still work. See documentation."); 146 | } 147 | 148 | // Call DllMain() 149 | image.entry((PVOID) 'MPEN', DLL_PROCESS_ATTACH, NULL); 150 | 151 | ZeroMemory(&BootParams, sizeof BootParams); 152 | ZeroMemory(&EngineInfo, sizeof EngineInfo); 153 | ZeroMemory(&EngineConfig, sizeof EngineConfig); 154 | 155 | BootParams.ClientVersion = BOOTENGINE_PARAMS_VERSION; 156 | BootParams.Attributes = BOOT_ATTR_NORMAL; 157 | BootParams.SignatureLocation = L"engine"; 158 | BootParams.ProductName = L"Legitimate Antivirus"; 159 | EngineConfig.QuarantineLocation = L"quarantine"; 160 | EngineConfig.Inclusions = L"*.*"; 161 | EngineConfig.EngineFlags = 1 << 1; 162 | BootParams.EngineInfo = &EngineInfo; 163 | BootParams.EngineConfig = &EngineConfig; 164 | KernelHandle = NULL; 165 | 166 | LogMessage("Please wait, initializing engine..."); 167 | 168 | if (__rsignal(&KernelHandle, RSIG_BOOTENGINE, &BootParams, sizeof BootParams) != 0) { 169 | LogMessage("__rsignal(RSIG_BOOTENGINE) returned failure, missing definitions?"); 170 | LogMessage("Make sure the VDM files and mpengine.dll are in the engine directory"); 171 | return 1; 172 | } 173 | 174 | ZeroMemory(&ScanParams, sizeof ScanParams); 175 | ZeroMemory(&ScanDescriptor, sizeof ScanDescriptor); 176 | ZeroMemory(&ScanReply, sizeof ScanReply); 177 | 178 | ScanParams.Descriptor = &ScanDescriptor; 179 | ScanParams.ScanReply = &ScanReply; 180 | ScanReply.EngineScanCallback = EngineScanCallback; 181 | ScanReply.field_C = 0x7fffffff; 182 | ScanDescriptor.Read = ReadStream; 183 | ScanDescriptor.GetSize = GetStreamSize; 184 | 185 | LogMessage("Ready, type javascript (history available, use arrow keys)"); 186 | LogMessage("Try log(msg) or dump(obj), mp.getAttribute() can query scan state booleans."); 187 | while (true) { 188 | CHAR *InputBuf = readline("> "); 189 | 190 | if (InputBuf) { 191 | CHAR *EscapeBuf = calloc(strlen(InputBuf) + 1, 3); 192 | CHAR *p = EscapeBuf; 193 | 194 | if (!EscapeBuf) 195 | break; 196 | 197 | // This is probably not correct. 198 | for (size_t i = 0; InputBuf[i]; i++) { 199 | if (InputBuf[i] == '%') { 200 | *p++ = '%'; *p++ = '2'; *p++ = '5'; 201 | } else if (InputBuf[i] == '"') { 202 | *p++ = '%'; *p++ = '2'; *p++ = '2'; 203 | } else if (InputBuf[i] == '\\') { 204 | *p++ = '%'; *p++ = '5'; *p++ = 'c'; 205 | } else { 206 | *p++ = InputBuf[i]; 207 | } 208 | } 209 | 210 | if (asprintf((PVOID) &ScanDescriptor.UserPtr, 211 | "%s\ntry{log(eval(unescape(\"%s\")))} catch(e) { log(e); }\n%s", 212 | header, 213 | EscapeBuf, 214 | footer) == -1) { 215 | err(EXIT_FAILURE, "memory allocation failure"); 216 | } 217 | free(EscapeBuf); 218 | } else { 219 | break; 220 | } 221 | 222 | if (__rsignal(&KernelHandle, RSIG_SCAN_STREAMBUFFER, &ScanParams, sizeof ScanParams) != 0) { 223 | LogMessage("__rsignal(RSIG_SCAN_STREAMBUFFER) returned failure, file unreadable?"); 224 | return 1; 225 | } 226 | 227 | add_history(InputBuf); 228 | free(ScanDescriptor.UserPtr); 229 | free(InputBuf); 230 | } 231 | 232 | return 0; 233 | } 234 | -------------------------------------------------------------------------------- /loadlibrary/mylogs/.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x41sec/x41-smartcard-fuzzing/e7506e0280187b7c2da69fa24fee7d655b5dbb94/loadlibrary/mylogs/.log -------------------------------------------------------------------------------- /loadlibrary/peloader/Makefile: -------------------------------------------------------------------------------- 1 | CFLAGS = -O3 -march=native -ggdb3 -m32 -std=gnu99 -fshort-wchar -Wno-multichar -Iinclude -mstackrealign 2 | #CPPFLAGS=-DNDEBUG -D_GNU_SOURCE -I. 3 | CPPFLAGS= -D_GNU_SOURCE -I. 4 | LDFLAGS = $(CFLAGS) -m32 -lm 5 | 6 | .PHONY: clean 7 | 8 | # This glob matches all the winapi exports we provide. 9 | WINAPI = $(patsubst %.c,%.o,$(wildcard winapi/*.c)) 10 | 11 | TARGETS=libpeloader.a 12 | 13 | all: $(TARGETS) 14 | 15 | libpeloader.a: $(WINAPI) winstrings.o pe_linker.o crt.o log.o util.o extra.o 16 | $(AR) $(ARFLAGS) $@ $^ 17 | 18 | clean: 19 | rm -f a.out core *.o core.* vgcore.* gmon.out winapi/*.o $(TARGETS) 20 | -------------------------------------------------------------------------------- /loadlibrary/peloader/crt_exports.h: -------------------------------------------------------------------------------- 1 | 2 | /* automatically generated from src */ 3 | __attribute__((format(printf, 2, 3))) 4 | noregparm INT WIN_FUNC(_win_sprintf,12) 5 | (char *buf, const char *format, ...); 6 | noregparm INT WIN_FUNC(swprintf,12) 7 | (wchar_t *buf, const wchar_t *format, ...); 8 | noregparm INT WIN_FUNC(_win_vsprintf,3) 9 | (char *str, const char *format, va_list ap); 10 | __attribute__((format(printf, 3, 4))) 11 | noregparm INT WIN_FUNC(_win_snprintf,12) 12 | (char *buf, SIZE_T count, const char *format, ...); 13 | __attribute__((format(printf, 3, 4))) 14 | noregparm INT WIN_FUNC(_win__snprintf,12) 15 | (char *buf, SIZE_T count, const char *format, ...); 16 | noregparm INT WIN_FUNC(_win_vsnprintf,4) 17 | (char *str, SIZE_T size, const char *format, va_list ap); 18 | noregparm INT WIN_FUNC(_win__vsnprintf,4) 19 | (char *str, SIZE_T size, const char *format, va_list ap); 20 | noregparm INT WIN_FUNC(_win__vsnwprintf,4) 21 | (wchar_t *str, SIZE_T size, const wchar_t *format, va_list ap); 22 | noregparm char *WIN_FUNC(_win_strncpy,3) 23 | (char *dst, char *src, SIZE_T n); 24 | noregparm SIZE_T WIN_FUNC(_win_strlen,1) 25 | (const char *s); 26 | noregparm INT WIN_FUNC(_win_strncmp,3) 27 | (const char *s1, const char *s2, SIZE_T n); 28 | noregparm INT WIN_FUNC(_win_strcmp,2) 29 | (const char *s1, const char *s2); 30 | noregparm INT WIN_FUNC(_win_stricmp,2) 31 | (const char *s1, const char *s2); 32 | noregparm INT WIN_FUNC(_win_strnicmp,3) 33 | (const char *s1, const char *s2, SIZE_T n); 34 | noregparm char *WIN_FUNC(_win_strncat,3) 35 | (char *dest, const char *src, SIZE_T n); 36 | noregparm INT WIN_FUNC(_win_wcscmp,2) 37 | (const wchar_t *s1, const wchar_t *s2); 38 | noregparm INT WIN_FUNC(_win_wcsicmp,2) 39 | (const wchar_t *s1, const wchar_t *s2); 40 | noregparm SIZE_T WIN_FUNC(_win_wcslen,1) 41 | (const wchar_t *s); 42 | noregparm wchar_t *WIN_FUNC(_win_wcsncpy,3) 43 | (wchar_t *dest, const wchar_t *src, SIZE_T n); 44 | noregparm wchar_t *WIN_FUNC(_win_wcscpy,2) 45 | (wchar_t *dest, const wchar_t *src); 46 | noregparm wchar_t *WIN_FUNC(_win_wcscat,2) 47 | (wchar_t *dest, const wchar_t *src); 48 | noregparm INT WIN_FUNC(_win_towupper,1) 49 | (wchar_t c); 50 | noregparm INT WIN_FUNC(_win_towlower,1) 51 | (wchar_t c); 52 | noregparm INT WIN_FUNC(_win_tolower,1) 53 | (INT c); 54 | noregparm INT WIN_FUNC(_win_toupper,1) 55 | (INT c); 56 | noregparm void *WIN_FUNC(_win_strcpy,2) 57 | (void *to, const void *from); 58 | noregparm char *WIN_FUNC(_win_strstr,2) 59 | (const char *s1, const char *s2); 60 | noregparm char *WIN_FUNC(_win_strchr,2) 61 | (const char *s, int c); 62 | noregparm char *WIN_FUNC(_win_strrchr,2) 63 | (const char *s, int c); 64 | noregparm void *WIN_FUNC(_win_memmove,3) 65 | (void *to, void *from, SIZE_T count); 66 | noregparm void *WIN_FUNC(_win_memchr,3) 67 | (const void *s, INT c, SIZE_T n); 68 | noregparm void *WIN_FUNC(_win_memcpy,3) 69 | (void *to, const void *from, SIZE_T n); 70 | noregparm void *WIN_FUNC(_win_memset,3) 71 | (void *s, char c, SIZE_T count); 72 | noregparm int WIN_FUNC(_win_memcmp,3) 73 | (void *s1, void *s2, SIZE_T n); 74 | noregparm int WIN_FUNC(_win_atoi,1) 75 | (const char *ptr); 76 | noregparm int WIN_FUNC(_win_isdigit,1) 77 | (int c); 78 | noregparm int WIN_FUNC(_win_isxdigit,1) 79 | (int c); 80 | noregparm int WIN_FUNC(_win_isalpha,1) 81 | (int c); 82 | noregparm int WIN_FUNC(_win_isalnum,1) 83 | (int c); 84 | noregparm int WIN_FUNC(_win_islower,1) 85 | (int c); 86 | noregparm int WIN_FUNC(_win_isspace,1) 87 | (int c); 88 | noregparm int WIN_FUNC(_win_isprint,1) 89 | (int c); 90 | wstdcall int64_t WIN_FUNC(_alldiv,2) 91 | (int64_t a, int64_t b); 92 | wstdcall uint64_t WIN_FUNC(_aulldiv,2) 93 | (uint64_t a, uint64_t b); 94 | wstdcall int64_t WIN_FUNC(_allmul,2) 95 | (int64_t a, int64_t b); 96 | wstdcall uint64_t WIN_FUNC(_aullmul,2) 97 | (uint64_t a, uint64_t b); 98 | wstdcall int64_t WIN_FUNC(_allrem,2) 99 | (int64_t a, int64_t b); 100 | wstdcall uint64_t WIN_FUNC(_aullrem,2) 101 | (uint64_t a, uint64_t b); 102 | regparm3 int64_t WIN_FUNC(_allshl,2) 103 | (int64_t a, uint8_t b); 104 | regparm3 uint64_t WIN_FUNC(_aullshl,2) 105 | (uint64_t a, uint8_t b); 106 | regparm3 int64_t WIN_FUNC(_allshr,2) 107 | (int64_t a, uint8_t b); 108 | regparm3 uint64_t WIN_FUNC(_aullshr,2) 109 | (uint64_t a, uint8_t b); 110 | 111 | extern struct wrap_export crt_exports[]; 112 | 113 | struct wrap_export crt_exports[] = { 114 | WIN_SYMBOL(_alldiv, 2), 115 | WIN_SYMBOL(_allmul, 2), 116 | WIN_SYMBOL(_allrem, 2), 117 | WIN_SYMBOL(_allshl, 2), 118 | WIN_SYMBOL(_allshr, 2), 119 | WIN_SYMBOL(_aulldiv, 2), 120 | WIN_SYMBOL(_aullmul, 2), 121 | WIN_SYMBOL(_aullrem, 2), 122 | WIN_SYMBOL(_aullshl, 2), 123 | WIN_SYMBOL(_aullshr, 2), 124 | WIN_SYMBOL(swprintf, 12), 125 | WIN_WIN_SYMBOL(atoi, 1), 126 | WIN_WIN_SYMBOL(isdigit, 1), 127 | WIN_WIN_SYMBOL(isxdigit, 1), 128 | WIN_WIN_SYMBOL(isalpha, 1), 129 | WIN_WIN_SYMBOL(isalnum, 1), 130 | WIN_WIN_SYMBOL(islower, 1), 131 | WIN_WIN_SYMBOL(isprint, 1), 132 | WIN_WIN_SYMBOL(isspace, 1), 133 | WIN_WIN_SYMBOL(memchr, 3), 134 | WIN_WIN_SYMBOL(memcmp, 3), 135 | WIN_WIN_SYMBOL(memcpy, 3), 136 | WIN_WIN_SYMBOL(memmove, 3), 137 | WIN_WIN_SYMBOL(memset, 3), 138 | WIN_WIN_SYMBOL(_snprintf, 12), 139 | WIN_WIN_SYMBOL(snprintf, 12), 140 | WIN_WIN_SYMBOL(sprintf, 12), 141 | WIN_WIN_SYMBOL(strchr, 2), 142 | WIN_WIN_SYMBOL(strcmp, 2), 143 | WIN_WIN_SYMBOL(strcpy, 2), 144 | WIN_WIN_SYMBOL(stricmp, 2), 145 | WIN_WIN_SYMBOL(strnicmp, 3), 146 | WIN_WIN_SYMBOL(strlen, 1), 147 | WIN_WIN_SYMBOL(strncat, 3), 148 | WIN_WIN_SYMBOL(strncmp, 3), 149 | WIN_WIN_SYMBOL(strncpy, 3), 150 | WIN_WIN_SYMBOL(strrchr, 2), 151 | WIN_WIN_SYMBOL(strstr, 2), 152 | WIN_WIN_SYMBOL(tolower, 1), 153 | WIN_WIN_SYMBOL(toupper, 1), 154 | WIN_WIN_SYMBOL(towlower, 1), 155 | WIN_WIN_SYMBOL(towupper, 1), 156 | WIN_WIN_SYMBOL(_vsnprintf, 4), 157 | WIN_WIN_SYMBOL(vsnprintf, 4), 158 | WIN_WIN_SYMBOL(_vsnwprintf, 4), 159 | WIN_WIN_SYMBOL(vsprintf, 3), 160 | WIN_WIN_SYMBOL(wcscat, 2), 161 | WIN_WIN_SYMBOL(wcscmp, 2), 162 | WIN_WIN_SYMBOL(wcscpy, 2), 163 | WIN_WIN_SYMBOL(wcsicmp, 2), 164 | WIN_WIN_SYMBOL(wcslen, 1), 165 | WIN_WIN_SYMBOL(wcsncpy, 3), 166 | { NULL, NULL } 167 | }; 168 | -------------------------------------------------------------------------------- /loadlibrary/peloader/extra.c: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright (C) 2017 Tavis Ormandy 3 | // 4 | // This program is free software; you can redistribute it and/or modify 5 | // it under the terms of the GNU General Public License as published by 6 | // the Free Software Foundation; either version 2 of the License, or 7 | // (at your option) any later version. 8 | // 9 | // This program is distributed in the hope that it will be useful, 10 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | // GNU General Public License for more details. 13 | // 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | 25 | #include "winnt_types.h" 26 | #include "pe_linker.h" 27 | #include "ntoskernel.h" 28 | #include "util.h" 29 | 30 | #define MAX_EXTRA_EXPORTS 65535 31 | 32 | struct wrap_export extra_exports[MAX_EXTRA_EXPORTS]; 33 | extern struct hsearch_data extraexports; 34 | 35 | static void __destructor cleanup_extra_exports(void) 36 | { 37 | hdestroy_r(&extraexports); 38 | } 39 | 40 | // This code is designed to parse a .MAP file produced by IDA. 41 | bool process_extra_exports(void *imagebase, size_t base, const char *filename) 42 | { 43 | char *name; 44 | uintptr_t address; 45 | size_t num = 0; 46 | FILE *exports; 47 | 48 | if ((exports = fopen(filename, "r")) == NULL) { 49 | return false; 50 | } 51 | 52 | hcreate_r(MAX_EXTRA_EXPORTS, &extraexports); 53 | 54 | while (!feof(exports)) { 55 | if (fscanf(exports, "%*X:%X %m[^\n]", &address, &name) == 2) { 56 | ENTRY e, *ep; 57 | e.key = name; 58 | e.data = (void *)((uintptr_t)(imagebase) + address + base); 59 | hsearch_r(e, ENTER, &ep, &extraexports); 60 | if (++num >= MAX_EXTRA_EXPORTS) { 61 | warn("large number of extra symbols in %s, increase MAX_EXTRA_EXPORTS and rebuild", filename); 62 | break; 63 | } 64 | } else { 65 | fgetc(exports); 66 | } 67 | } 68 | 69 | fclose(exports); 70 | return true; 71 | } 72 | -------------------------------------------------------------------------------- /loadlibrary/peloader/log.c: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright (C) 2017 Tavis Ormandy 3 | // 4 | // This program is free software; you can redistribute it and/or modify 5 | // it under the terms of the GNU General Public License as published by 6 | // the Free Software Foundation; either version 2 of the License, or 7 | // (at your option) any later version. 8 | // 9 | // This program is distributed in the hope that it will be useful, 10 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | // GNU General Public License for more details. 13 | // 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | #include "log.h" 21 | 22 | void l_message_(const char *function, const char *format, ...) 23 | { 24 | va_list ap; 25 | 26 | fprintf(stderr, "%s(): ", function); 27 | va_start(ap, format); 28 | vfprintf(stderr, format, ap); 29 | va_end(ap); 30 | fputc('\n', stderr); 31 | return; 32 | } 33 | 34 | void l_warning_(const char *function, const char *format, ...) 35 | { 36 | va_list ap; 37 | 38 | fprintf(stderr, "%s(): ", function); 39 | 40 | va_start(ap, format); 41 | vfprintf(stderr, format, ap); 42 | va_end(ap); 43 | 44 | fputc('\n', stderr); 45 | 46 | return; 47 | } 48 | 49 | void l_error_(const char *function, const char *format, ...) 50 | { 51 | va_list ap; 52 | 53 | fprintf(stderr, "%s(): ", function); 54 | va_start(ap, format); 55 | vfprintf(stderr, format, ap); 56 | va_end(ap); 57 | fputc('\n', stderr); 58 | return; 59 | } 60 | 61 | void l_debug_(const char *function, const char *format, ...) 62 | { 63 | va_list ap; 64 | 65 | fprintf(stderr, "%s(): ", function); 66 | va_start(ap, format); 67 | vfprintf(stderr, format, ap); 68 | va_end(ap); 69 | fputc('\n', stderr); 70 | return; 71 | } 72 | -------------------------------------------------------------------------------- /loadlibrary/peloader/log.h: -------------------------------------------------------------------------------- 1 | #ifndef __LOG_H 2 | #define __LOG_H 3 | 4 | #ifdef _WIN32 5 | # define LogMessage(fmt, ...) fprintf(stderr, fmt, __VA_ARGS__), fputc('\n', stderr), fflush(stderr) 6 | #else 7 | # ifdef NDEBUG 8 | # define l_debug(format...) 9 | # define DebugLog 10 | # else 11 | # define l_debug(format...) do { \ 12 | l_debug_(__FUNCTION__, ## format); \ 13 | } while (false) 14 | # define DebugLog l_debug 15 | # endif 16 | 17 | # define l_message(format...) do { \ 18 | l_message_(__FUNCTION__, ## format); \ 19 | } while (false) 20 | 21 | # define l_warning(format...) do { \ 22 | l_warning_(__FUNCTION__, ## format); \ 23 | } while (false) 24 | 25 | # define l_error(format...) do { \ 26 | l_error_(__FUNCTION__, ## format); \ 27 | } while (false) 28 | 29 | // A more windowsy looking routine. 30 | # define LogMessage(format...) do { \ 31 | l_message_(__FUNCTION__, ## format); \ 32 | } while (false) 33 | #endif 34 | 35 | void l_message_(const char *function, const char *format, ...); 36 | void l_debug_(const char *function, const char *format, ...); 37 | void l_warning_(const char *function, const char *format, ...); 38 | void l_error_(const char *function, const char *format, ...); 39 | 40 | #endif 41 | -------------------------------------------------------------------------------- /loadlibrary/peloader/ntoskernel.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2003-2005 Pontus Fuchs, Giridhar Pemmasani 3 | * 4 | * This program is free software; you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License as published by 6 | * the Free Software Foundation; either version 2 of the License, or 7 | * (at your option) any later version. 8 | * 9 | * This program is distributed in the hope that it will be useful, 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | * GNU General Public License for more details. 13 | * 14 | */ 15 | 16 | #ifndef _NTOSKERNEL_H_ 17 | #define _NTOSKERNEL_H_ 18 | 19 | #define ARRAY_SIZE(x) (sizeof((x)) / sizeof((x)[0])) 20 | #ifndef __packed 21 | #define __packed __attribute__((packed)) 22 | #endif 23 | 24 | #define int_div_round(x, y) (((x) + (y - 1)) / (y)) 25 | 26 | typedef void (*generic_func)(void); 27 | 28 | struct wrap_export { 29 | const char *name; 30 | void *func; 31 | }; 32 | 33 | #define WIN_SYMBOL(name, argc) {#name, (generic_func)name} 34 | #define WIN_WIN_SYMBOL(name, argc) {#name, (generic_func)_win_ ## name} 35 | #define WIN_FUNC_DECL(name, argc) 36 | #define WIN_FUNC_PTR(name, argc) name 37 | 38 | #define WIN_FUNC(name, argc) (name) 39 | /* map name s to f - if f is different from s */ 40 | #define WIN_SYMBOL_MAP(s, f) 41 | 42 | struct pe_image { 43 | char name[128]; 44 | BOOL WINAPI (*entry)(PVOID hinstDLL, DWORD fdwReason, PVOID lpvReserved); 45 | void *image; 46 | int size; 47 | int type; 48 | 49 | IMAGE_NT_HEADERS *nt_hdr; 50 | IMAGE_OPTIONAL_HEADER *opt_hdr; 51 | }; 52 | 53 | struct ntos_work_item { 54 | struct nt_list list; 55 | void *arg1; 56 | void *arg2; 57 | NTOS_WORK_FUNC func; 58 | }; 59 | 60 | #define WRAP_DRIVER_CLIENT_ID 1 61 | 62 | 63 | enum hw_status { 64 | HW_INITIALIZED = 1, HW_SUSPENDED, HW_HALTED, HW_DISABLED, 65 | }; 66 | 67 | #define wrap_is_pci_bus(dev_bus) \ 68 | (WRAP_BUS(dev_bus) == WRAP_PCI_BUS || \ 69 | WRAP_BUS(dev_bus) == WRAP_PCMCIA_BUS) 70 | #ifdef ENABLE_USB 71 | /* earlier versions of ndiswrapper used 0 as USB_BUS */ 72 | #define wrap_is_usb_bus(dev_bus) \ 73 | (WRAP_BUS(dev_bus) == WRAP_USB_BUS || \ 74 | WRAP_BUS(dev_bus) == WRAP_INTERNAL_BUS) 75 | #else 76 | #define wrap_is_usb_bus(dev_bus) 0 77 | #endif 78 | #define wrap_is_bluetooth_device(dev_bus) \ 79 | (WRAP_DEVICE(dev_bus) == WRAP_BLUETOOTH_DEVICE1 || \ 80 | WRAP_DEVICE(dev_bus) == WRAP_BLUETOOTH_DEVICE2) 81 | 82 | extern struct workqueue_struct *ntos_wq; 83 | extern struct workqueue_struct *ndis_wq; 84 | extern struct workqueue_struct *wrapndis_wq; 85 | 86 | #define atomic_unary_op(var, size, oper) \ 87 | do { \ 88 | if (size == 1) \ 89 | __asm__ __volatile__( \ 90 | LOCK_PREFIX oper "b %b0\n\t" : "+m" (var)); \ 91 | else if (size == 2) \ 92 | __asm__ __volatile__( \ 93 | LOCK_PREFIX oper "w %w0\n\t" : "+m" (var)); \ 94 | else if (size == 4) \ 95 | __asm__ __volatile__( \ 96 | LOCK_PREFIX oper "l %0\n\t" : "+m" (var)); \ 97 | else if (size == 8) \ 98 | __asm__ __volatile__( \ 99 | LOCK_PREFIX oper "q %q0\n\t" : "+m" (var)); \ 100 | else { \ 101 | extern void _invalid_op_size_(void); \ 102 | _invalid_op_size_(); \ 103 | } \ 104 | } while (0) 105 | 106 | #define atomic_inc_var_size(var, size) atomic_unary_op(var, size, "inc") 107 | 108 | #define atomic_inc_var(var) atomic_inc_var_size(var, sizeof(var)) 109 | 110 | #define atomic_dec_var_size(var, size) atomic_unary_op(var, size, "dec") 111 | 112 | #define atomic_dec_var(var) atomic_dec_var_size(var, sizeof(var)) 113 | 114 | #define pre_atomic_add(var, i) \ 115 | ({ \ 116 | typeof(var) pre; \ 117 | __asm__ __volatile__( \ 118 | LOCK_PREFIX "xadd %0, %1\n\t" \ 119 | : "=r"(pre), "+m"(var) \ 120 | : "0"(i)); \ 121 | pre; \ 122 | }) 123 | 124 | #define post_atomic_add(var, i) (pre_atomic_add(var, i) + i) 125 | 126 | //#define DEBUG_IRQL 1 127 | 128 | #ifdef DEBUG_IRQL 129 | #define assert_irql(cond) \ 130 | do { \ 131 | KIRQL _irql_ = current_irql(); \ 132 | if (!(cond)) { \ 133 | WARNING("assertion '%s' failed: %d", #cond, _irql_); \ 134 | DBG_BLOCK(4) { \ 135 | dump_stack(); \ 136 | } \ 137 | } \ 138 | } while (0) 139 | #else 140 | #define assert_irql(cond) do { } while (0) 141 | #endif 142 | 143 | /* When preempt is enabled, we should preempt_disable to raise IRQL to 144 | * DISPATCH_LEVEL, to be consistent with the semantics. However, using 145 | * a mutex instead, so that only ndiswrapper threads run one at a time 146 | * on a processor when at DISPATCH_LEVEL seems to be enough. So that 147 | * is what we will use until we learn otherwise. If 148 | * preempt_(en|dis)able is required for some reason, comment out 149 | * following #define. */ 150 | 151 | #define WRAP_PREEMPT 1 152 | 153 | #if !defined(CONFIG_PREEMPT) || defined(CONFIG_PREEMPT_RT) 154 | #ifndef WRAP_PREEMPT 155 | #define WRAP_PREEMPT 1 156 | #endif 157 | #endif 158 | 159 | #endif // _NTOSKERNEL_H_ 160 | -------------------------------------------------------------------------------- /loadlibrary/peloader/util.c: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright (C) 2017 Tavis Ormandy 3 | // 4 | // This program is free software; you can redistribute it and/or modify 5 | // it under the terms of the GNU General Public License as published by 6 | // the Free Software Foundation; either version 2 of the License, or 7 | // (at your option) any later version. 8 | // 9 | // This program is distributed in the hope that it will be useful, 10 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | // GNU General Public License for more details. 13 | // 14 | #ifndef _GNU_SOURCE 15 | # define _GNU_SOURCE 16 | #endif 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | #include "log.h" 27 | #include "winnt_types.h" 28 | #include "pe_linker.h" 29 | #include "ntoskernel.h" 30 | #include "util.h" 31 | 32 | // Quick check if I'm running under GDB. 33 | bool xIsDebuggerPresent() 34 | { 35 | char *statusline; 36 | FILE *status; 37 | size_t len; 38 | bool result; 39 | 40 | if (getenv("NO_DEBUGGER_PRESENT")) { 41 | return false; 42 | } 43 | 44 | statusline = NULL; 45 | status = NULL; 46 | len = 0; 47 | result = true; 48 | 49 | if ((status = fopen("/proc/self/status", "r")) == NULL) { 50 | LogMessage("failed to open status file, cannot determine debug status"); 51 | return false; 52 | } 53 | 54 | while (getline(&statusline, &len, status) != -1) { 55 | if (strcmp(statusline, "TracerPid:\t0\n") == 0) { 56 | result = false; 57 | break; 58 | } 59 | } 60 | 61 | free(statusline); 62 | fclose(status); 63 | 64 | return result; 65 | } 66 | 67 | -------------------------------------------------------------------------------- /loadlibrary/peloader/util.h: -------------------------------------------------------------------------------- 1 | #ifndef __UTIL_H 2 | #define __UTIL_H 3 | #pragma once 4 | 5 | bool xIsDebuggerPresent(); 6 | 7 | #ifdef __linux__ 8 | #define __thiscall __attribute__((thiscall)) 9 | #define __fastcall __attribute__((fastcall)) 10 | #define __stdcall __attribute__((stdcall)) 11 | #define __packed __attribute__((packed)) 12 | #define __detour 13 | #define __constructor __attribute__((constructor)) 14 | #define __destructor __attribute__((destructor)) 15 | #define __debugbreak() __asm__("int3") 16 | #define __cdecl __attribute__((cdecl)) 17 | #define __export __attribute__ ((externally_visible)) 18 | #define __noinline __attribute__ ((noinline)) 19 | #else 20 | #define __noinline 21 | #endif 22 | 23 | #define MIN(x, y) ((x) > (y) ? (y) : (x)) 24 | 25 | static inline void *ZeroMemory(void *s, size_t n) 26 | { 27 | return memset(s, 0, n); 28 | } 29 | 30 | #else 31 | # warning util.h included twice 32 | #endif 33 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/CriticalSection.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include "winnt_types.h" 8 | #include "pe_linker.h" 9 | #include "ntoskernel.h" 10 | #include "log.h" 11 | #include "winexports.h" 12 | #include "util.h" 13 | 14 | // I don't implement threads, so critical sections are easy. 15 | 16 | STATIC VOID WINAPI DeleteCriticalSection(PVOID lpCriticalSection) 17 | { 18 | return; 19 | } 20 | 21 | STATIC VOID WINAPI EnterCriticalSection(PVOID lpCriticalSection) 22 | { 23 | return; 24 | } 25 | 26 | STATIC VOID WINAPI LeaveCriticalSection(PVOID lpCriticalSection) 27 | { 28 | return; 29 | } 30 | 31 | STATIC BOOL WINAPI InitializeCriticalSectionAndSpinCount(PVOID lpCriticalSection, DWORD dwSpinCount) 32 | { 33 | return TRUE; 34 | } 35 | 36 | STATIC BOOL WINAPI InitializeCriticalSectionEx(PVOID lpCriticalSection, DWORD dwSpinCount, DWORD Flags) 37 | { 38 | return TRUE; 39 | } 40 | 41 | STATIC VOID WINAPI InitializeCriticalSection(PVOID lpCriticalSection) 42 | { 43 | return; 44 | } 45 | 46 | DECLARE_CRT_EXPORT("DeleteCriticalSection", DeleteCriticalSection); 47 | DECLARE_CRT_EXPORT("LeaveCriticalSection", LeaveCriticalSection); 48 | DECLARE_CRT_EXPORT("EnterCriticalSection", EnterCriticalSection); 49 | DECLARE_CRT_EXPORT("InitializeCriticalSectionAndSpinCount", InitializeCriticalSectionAndSpinCount); 50 | DECLARE_CRT_EXPORT("InitializeCriticalSectionEx", InitializeCriticalSectionEx); 51 | DECLARE_CRT_EXPORT("InitializeCriticalSection", InitializeCriticalSection); 52 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Crypt.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #include "winnt_types.h" 14 | #include "pe_linker.h" 15 | #include "ntoskernel.h" 16 | #include "log.h" 17 | #include "winexports.h" 18 | #include "util.h" 19 | #include "winstrings.h" 20 | 21 | typedef struct _CRYPT_BIT_BLOB { 22 | DWORD cbData; 23 | BYTE *pbData; 24 | DWORD cUnusedBits; 25 | } CRYPT_BIT_BLOB, *PCRYPT_BIT_BLOB; 26 | 27 | typedef struct _CRYPTOAPI_BLOB { 28 | DWORD cbData; 29 | BYTE *pbData; 30 | } CRYPT_INTEGER_BLOB, *PCRYPT_INTEGER_BLOB, 31 | CRYPT_UINT_BLOB, *PCRYPT_UINT_BLOB, 32 | CRYPT_OBJID_BLOB, *PCRYPT_OBJID_BLOB, 33 | CERT_NAME_BLOB, CERT_RDN_VALUE_BLOB, 34 | *PCERT_NAME_BLOB, *PCERT_RDN_VALUE_BLOB, 35 | CERT_BLOB, *PCERT_BLOB, 36 | CRL_BLOB, *PCRL_BLOB, 37 | DATA_BLOB, *PDATA_BLOB, 38 | CRYPT_DATA_BLOB, *PCRYPT_DATA_BLOB, 39 | CRYPT_HASH_BLOB, *PCRYPT_HASH_BLOB, 40 | CRYPT_DIGEST_BLOB, *PCRYPT_DIGEST_BLOB, 41 | CRYPT_DER_BLOB, PCRYPT_DER_BLOB, 42 | CRYPT_ATTR_BLOB, *PCRYPT_ATTR_BLOB; 43 | 44 | typedef struct _CRYPT_ALGORITHM_IDENTIFIER { 45 | PVOID pszObjId; 46 | CRYPT_OBJID_BLOB Parameters; 47 | } CRYPT_ALGORITHM_IDENTIFIER, *PCRYPT_ALGORITHM_IDENTIFIER; 48 | 49 | typedef struct _CERT_PUBLIC_KEY_INFO { 50 | CRYPT_ALGORITHM_IDENTIFIER Algorithm; 51 | CRYPT_BIT_BLOB PublicKey; 52 | } CERT_PUBLIC_KEY_INFO, *PCERT_PUBLIC_KEY_INFO; 53 | 54 | typedef struct _CERT_EXTENSION { 55 | PVOID pszObjId; 56 | BOOL fCritical; 57 | CRYPT_OBJID_BLOB Value; 58 | } CERT_EXTENSION, *PCERT_EXTENSION; 59 | 60 | typedef struct _CERT_INFO { 61 | DWORD dwVersion; 62 | CRYPT_INTEGER_BLOB SerialNumber; 63 | CRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithm; 64 | CERT_NAME_BLOB Issuer; 65 | FILETIME NotBefore; 66 | FILETIME NotAfter; 67 | CERT_NAME_BLOB Subject; 68 | CERT_PUBLIC_KEY_INFO SubjectPublicKeyInfo; 69 | CRYPT_BIT_BLOB IssuerUniqueId; 70 | CRYPT_BIT_BLOB SubjectUniqueId; 71 | DWORD cExtension; 72 | PCERT_EXTENSION rgExtension; 73 | } CERT_INFO, *PCERT_INFO; 74 | 75 | typedef struct _CERT_CONTEXT { 76 | DWORD dwCertEncodingType; 77 | BYTE *pbCertEncoded; 78 | DWORD cbCertEncoded; 79 | PCERT_INFO pCertInfo; 80 | HANDLE hCertStore; 81 | } CERT_CONTEXT, *PCERT_CONTEXT; 82 | 83 | static NTSTATUS WINAPI BCryptOpenAlgorithmProvider(PVOID phAlgorithm, PWCHAR pszAlgId, PWCHAR pszImplementation, DWORD dwFlags) 84 | { 85 | return STATUS_SUCCESS; 86 | } 87 | 88 | static NTSTATUS WINAPI BCryptCloseAlgorithmProvider(HANDLE hAlgorithm, ULONG dwFlags) 89 | { 90 | return STATUS_SUCCESS; 91 | } 92 | 93 | static NTSTATUS WINAPI BCryptGenRandom(PVOID phAlgorithm, PUCHAR pbBuffer, ULONG cbBuffer, ULONG dwFlags) 94 | { 95 | static int randomfd = -1; 96 | 97 | void __constructor init() 98 | { 99 | randomfd = open("/dev/urandom", O_RDONLY); 100 | } 101 | 102 | void __destructor fini() 103 | { 104 | close(randomfd); 105 | } 106 | 107 | DebugLog("%p, %p, %lu, %#x [fd=%d]", phAlgorithm, pbBuffer, cbBuffer, dwFlags, randomfd); 108 | 109 | if (read(randomfd, pbBuffer, cbBuffer) != cbBuffer) { 110 | DebugLog("failed to generate random data, %m"); 111 | } 112 | 113 | return STATUS_SUCCESS; 114 | } 115 | 116 | static BOOL WINAPI CertStrToNameW(DWORD dwCertEncodingType, PVOID pszX500, DWORD dwStrType, void *pvReserved, BYTE *pbEncoded, DWORD *pcbEncoded, PVOID ppszError) 117 | { 118 | uint16_t CertName[] = L"Totally Legitimate Certificate Name"; 119 | char *name = CreateAnsiFromWide(pszX500); 120 | 121 | DebugLog("%u, %p [%s], %u, %p, %p, %p, %p", dwCertEncodingType, pszX500, name, dwStrType, pvReserved, pbEncoded, pcbEncoded, ppszError); 122 | free(name); 123 | 124 | *pcbEncoded = sizeof(CertName); 125 | 126 | if (pbEncoded) { 127 | memcpy(pbEncoded, CertName, sizeof(CertName)); 128 | } 129 | 130 | return TRUE; 131 | } 132 | 133 | static HANDLE WINAPI CertOpenStore(PCHAR lpszStoreProvider, DWORD dwMsgAndCertEncodingType, PVOID hCryptProv, DWORD dwFlags, PVOID pvPara) 134 | { 135 | return (HANDLE) 'STOR'; 136 | } 137 | 138 | static PVOID WINAPI CertFindCertificateInStore(HANDLE hCertStore, DWORD dwCertEncodingType, DWORD dwFindFlags, DWORD dwFindType, PVOID pvFindPara, PVOID pPrevCertContext) 139 | { 140 | static CERT_INFO FakeInfo = {0}; 141 | static CERT_CONTEXT FakeCert = {0}; 142 | 143 | DebugLog("%p, %u, %#x, %#x, %p, %p", hCertStore, dwCertEncodingType, dwFindFlags, dwFindType, pvFindPara, pPrevCertContext); 144 | 145 | FakeCert.pCertInfo = &FakeInfo; 146 | FakeCert.pCertInfo->SubjectPublicKeyInfo.Algorithm.pszObjId = "1.2.840.113549.1.1.1"; 147 | 148 | return &FakeCert; 149 | } 150 | 151 | static BOOL WINAPI CertCloseStore(HANDLE hCertStore, DWORD dwFlags) 152 | { 153 | return TRUE; 154 | } 155 | 156 | static BOOL WINAPI CryptAcquireContextW(PVOID phProv, PWCHAR pszContainer, PWCHAR pszProvider, DWORD dwProvType, DWORD dwFlags) 157 | { 158 | return TRUE; 159 | } 160 | 161 | static BOOL WINAPI CertFreeCertificateContext(PVOID pCertContext) 162 | { 163 | return TRUE; 164 | } 165 | 166 | static BOOL WINAPI CryptCreateHash(PVOID hProv, DWORD Algid, HANDLE hKey, DWORD dwFlags, PDWORD phHash) 167 | { 168 | return TRUE; 169 | } 170 | 171 | enum HashParameters 172 | { 173 | HP_ALGID = 0x0001, // Hash algorithm 174 | HP_HASHVAL = 0x0002, // Hash value 175 | HP_HASHSIZE = 0x0004 // Hash value size 176 | }; 177 | 178 | static BOOL WINAPI CryptGetHashParam(PVOID hHash, DWORD dwParam, PDWORD pbData, PDWORD pdwDataLen, DWORD dwFlags) 179 | { 180 | DebugLog("%p, %u, %p, %p, %#x", hHash, dwParam, pbData, pdwDataLen, dwFlags); 181 | 182 | switch (dwParam) { 183 | case HP_HASHSIZE: 184 | *pdwDataLen = sizeof(DWORD); 185 | *pbData = 20; 186 | break; 187 | } 188 | 189 | return TRUE; 190 | } 191 | 192 | static BOOL WINAPI CryptSetHashParam(PVOID hHash, DWORD dwParam, PVOID pbData, DWORD dwFlags) 193 | { 194 | return TRUE; 195 | } 196 | 197 | static BOOL WINAPI CryptImportPublicKeyInfo(HANDLE hCryptProv, DWORD dwCertEncodingType, PCERT_PUBLIC_KEY_INFO pInfo, HANDLE *phKey) 198 | { 199 | return TRUE; 200 | } 201 | 202 | static BOOL WINAPI CryptVerifySignatureW(HANDLE hHash, PVOID pbSignature, DWORD dwSigLen, HANDLE hPubKey, PVOID sDescription, DWORD dwFlags) 203 | { 204 | DebugLog("Signature verification is not implemented #YOLO"); 205 | return TRUE; 206 | } 207 | 208 | static BOOL WINAPI CertVerifyCertificateChainPolicy(PVOID pszPolicyOID, PVOID pChainContext, PVOID pPolicyPara, PVOID pPolicyStatus) 209 | { 210 | DebugLog("Certificate policy verification is not implemented #YOLO"); 211 | return TRUE; 212 | } 213 | 214 | DECLARE_CRT_EXPORT("CertCloseStore", CertCloseStore); 215 | DECLARE_CRT_EXPORT("CertFindCertificateInStore", CertFindCertificateInStore); 216 | DECLARE_CRT_EXPORT("CertFreeCertificateContext", CertFreeCertificateContext); 217 | DECLARE_CRT_EXPORT("CertOpenStore", CertOpenStore); 218 | DECLARE_CRT_EXPORT("CertStrToNameW", CertStrToNameW); 219 | DECLARE_CRT_EXPORT("CertVerifyCertificateChainPolicy", CertVerifyCertificateChainPolicy); 220 | DECLARE_CRT_EXPORT("CryptImportPublicKeyInfo", CryptImportPublicKeyInfo); 221 | DECLARE_CRT_EXPORT("CryptCreateHash", CryptCreateHash); 222 | DECLARE_CRT_EXPORT("BCryptOpenAlgorithmProvider", BCryptOpenAlgorithmProvider); 223 | DECLARE_CRT_EXPORT("BCryptCloseAlgorithmProvider", BCryptCloseAlgorithmProvider); 224 | DECLARE_CRT_EXPORT("BCryptGenRandom", BCryptGenRandom); 225 | DECLARE_CRT_EXPORT("CryptAcquireContextW", CryptAcquireContextW); 226 | DECLARE_CRT_EXPORT("CryptGetHashParam", CryptGetHashParam); 227 | DECLARE_CRT_EXPORT("CryptSetHashParam", CryptSetHashParam); 228 | DECLARE_CRT_EXPORT("CryptVerifySignatureW", CryptVerifySignatureW); 229 | 230 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Dbghelp.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "winnt_types.h" 10 | #include "pe_linker.h" 11 | #include "ntoskernel.h" 12 | #include "log.h" 13 | #include "winexports.h" 14 | #include "util.h" 15 | #include "strings.h" 16 | 17 | BOOL WINAPI MakeSureDirectoryPathExists(PCHAR dirpath) { 18 | DebugLog("%s", dirpath); 19 | return TRUE; 20 | } 21 | 22 | DECLARE_CRT_EXPORT("MakeSureDirectoryPathExists", MakeSureDirectoryPathExists); 23 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/EncodePointer.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include "winnt_types.h" 9 | #include "pe_linker.h" 10 | #include "ntoskernel.h" 11 | #include "log.h" 12 | #include "winexports.h" 13 | #include "util.h" 14 | 15 | 16 | STATIC PVOID WINAPI EncodePointer(PVOID Ptr) 17 | { 18 | DebugLog("%p", Ptr); 19 | 20 | // Super secret high-security encryption algorithm. 21 | return (PVOID)((DWORD)(Ptr) ^ ~0); 22 | } 23 | 24 | STATIC PVOID WINAPI DecodePointer(PVOID Ptr) 25 | { 26 | DebugLog("%p", Ptr); 27 | 28 | return (PVOID)((DWORD)(Ptr) ^ ~0); 29 | } 30 | 31 | 32 | DECLARE_CRT_EXPORT("EncodePointer", EncodePointer); 33 | DECLARE_CRT_EXPORT("DecodePointer", DecodePointer); 34 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Environment.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "winnt_types.h" 10 | #include "pe_linker.h" 11 | #include "ntoskernel.h" 12 | #include "log.h" 13 | #include "winexports.h" 14 | #include "util.h" 15 | #include "winstrings.h" 16 | 17 | WCHAR EnvironmentStrings[] = 18 | L"ALLUSERSPROFILE=AllUsersProfile\0" 19 | L"ALLUSERSAPPDATA=AllUsersAppdata\0" 20 | L"\0\0" 21 | ; 22 | 23 | STATIC PVOID WINAPI GetEnvironmentStringsW(void) 24 | { 25 | DebugLog(""); 26 | 27 | return EnvironmentStrings; 28 | } 29 | 30 | STATIC BOOL WINAPI FreeEnvironmentStringsW(PVOID lpszEnvironmentBlock) 31 | { 32 | DebugLog("%p", lpszEnvironmentBlock); 33 | 34 | return TRUE; 35 | } 36 | 37 | STATIC DWORD WINAPI GetEnvironmentVariableW(PWCHAR lpName, PVOID lpBuffer, DWORD nSize) 38 | { 39 | char *AnsiName = CreateAnsiFromWide(lpName); 40 | 41 | DebugLog("%p [%s], %p, %u", lpName, AnsiName, lpBuffer, nSize); 42 | 43 | memset(lpBuffer, 0, nSize); 44 | 45 | if (strcmp(AnsiName, "MpAsyncWorkMaxThreads") == 0) { 46 | memcpy(lpBuffer, L"1", sizeof(L"1")); 47 | } else if (strcmp(AnsiName, "MP_FOLDERSCAN_THREAD_COUNT") == 0) { 48 | memcpy(lpBuffer, L"1", sizeof(L"1")); 49 | } else if (strcmp(AnsiName, "MP_PERSISTEDSTORE_DISABLE") == 0) { 50 | memcpy(lpBuffer, L"1", sizeof(L"1")); 51 | } else if (strcmp(AnsiName, "MP_METASTORE_DISABLE") == 0) { 52 | memcpy(lpBuffer, L"1", sizeof(L"1")); 53 | } 54 | 55 | free(AnsiName); 56 | return CountWideChars(lpBuffer); 57 | } 58 | 59 | // MPENGINE is very fussy about what ExpandEnvironmentStringsW returns. 60 | STATIC DWORD WINAPI ExpandEnvironmentStringsW(PWCHAR lpSrc, PWCHAR lpDst, DWORD nSize) 61 | { 62 | PCHAR AnsiString = CreateAnsiFromWide(lpSrc); 63 | DWORD Result; 64 | struct { 65 | PCHAR Src; 66 | PWCHAR Dst; 67 | } KnownPaths[] = { 68 | { "%ProgramFiles%", L"C:\\Program Files" }, 69 | { "%AllUsersProfile%", L"C:\\ProgramData" }, 70 | { "%PATH%", L"C:\\Path" }, 71 | { "%windir%", L"C:\\Windows" }, 72 | { "%ProgramFiles(x86)%", L"C:\\Program Files" }, 73 | { "%WINDIR%\\system32\\drivers", L"C:\\WINDOWS\\system32\\drivers" }, 74 | { "%windir%\\temp", L"C:\\WINDOWS\\temp" }, 75 | { "%CommonProgramFiles%", L"C:\\CommonProgramFiles" }, 76 | { NULL }, 77 | }; 78 | 79 | DebugLog("%p [%s], %p, %u", lpSrc, AnsiString, lpDst, nSize); 80 | 81 | for (int i = 0; KnownPaths[i].Src; i++) { 82 | if (strcmp(AnsiString, KnownPaths[i].Src) == 0) { 83 | Result = CountWideChars(KnownPaths[i].Dst) + 1; 84 | if (nSize < Result) { 85 | goto finish; 86 | } 87 | memcpy(lpDst, KnownPaths[i].Dst, Result * 2); 88 | goto finish; 89 | } 90 | } 91 | 92 | free(AnsiString); 93 | 94 | if (nSize < CountWideChars(lpSrc) + 1) { 95 | return CountWideChars(lpSrc) + 1; 96 | } 97 | 98 | memcpy(lpDst, lpSrc, (1 + CountWideChars(lpSrc)) * 2); 99 | 100 | return CountWideChars(lpSrc) + 1; 101 | 102 | finish: 103 | free(AnsiString); 104 | return Result; 105 | } 106 | 107 | static DWORD WINAPI GetEnvironmentVariableA(PCHAR lpName, PVOID lpBuffer, DWORD nSize) 108 | { 109 | DebugLog("%s, %p, %u", lpName, lpBuffer, nSize); 110 | return 0; 111 | } 112 | 113 | DECLARE_CRT_EXPORT("GetEnvironmentStringsW", GetEnvironmentStringsW); 114 | DECLARE_CRT_EXPORT("FreeEnvironmentStringsW", FreeEnvironmentStringsW); 115 | DECLARE_CRT_EXPORT("GetEnvironmentVariableW", GetEnvironmentVariableW); 116 | DECLARE_CRT_EXPORT("ExpandEnvironmentStringsW", ExpandEnvironmentStringsW); 117 | DECLARE_CRT_EXPORT("GetEnvironmentVariableA", GetEnvironmentVariableA); 118 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Event.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include "winnt_types.h" 11 | #include "pe_linker.h" 12 | #include "ntoskernel.h" 13 | #include "log.h" 14 | #include "winexports.h" 15 | #include "util.h" 16 | #include "winstrings.h" 17 | 18 | static HANDLE WINAPI CreateEventW(PVOID lpEventAttributes, BOOL bManualReset, BOOL bInitialState, PWCHAR lpName) 19 | { 20 | char *AnsiName; 21 | #ifndef NDEBUG 22 | AnsiName = lpName ? CreateAnsiFromWide(lpName) : NULL; 23 | #else 24 | AnsiName = NULL; 25 | #endif 26 | 27 | DebugLog("%p, %u, %u, %p [%s]", lpEventAttributes, bManualReset, bInitialState, lpName, AnsiName); 28 | 29 | free(AnsiName); 30 | 31 | return (HANDLE) 'EVNT'; 32 | } 33 | 34 | static BOOL WINAPI SetEvent(HANDLE hEvent) 35 | { 36 | DebugLog("%p", hEvent); 37 | return TRUE; 38 | } 39 | 40 | static BOOL WINAPI ResetEvent(HANDLE hEvent) 41 | { 42 | DebugLog("%p", hEvent); 43 | return TRUE; 44 | } 45 | 46 | DECLARE_CRT_EXPORT("CreateEventW", CreateEventW); 47 | DECLARE_CRT_EXPORT("SetEvent", SetEvent); 48 | DECLARE_CRT_EXPORT("ResetEvent", ResetEvent); 49 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/EventTracing.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include "winnt_types.h" 9 | #include "pe_linker.h" 10 | #include "ntoskernel.h" 11 | #include "log.h" 12 | #include "winexports.h" 13 | #include "util.h" 14 | 15 | STATIC ULONG RegisterTraceGuidsW(PVOID RequestAddress, 16 | PVOID RequestContext, 17 | PVOID ControlGuid, 18 | ULONG GuidCount, 19 | PVOID TraceGuidReg, 20 | PVOID MofImagePath, 21 | PVOID MofResourceName, 22 | PVOID RegistrationHandle) 23 | { 24 | DebugLog("%p, %p, %p, %u, %p, %p, %p, %p", 25 | RequestAddress, 26 | RequestContext, 27 | ControlGuid, 28 | GuidCount, 29 | TraceGuidReg, 30 | MofImagePath, 31 | MofResourceName, 32 | RegistrationHandle); 33 | 34 | return STATUS_SUCCESS; 35 | } 36 | 37 | STATIC ULONG UnregisterTraceGuids(HANDLE RegistrationHandle) 38 | { 39 | DebugLog("%p", RegistrationHandle); 40 | return STATUS_SUCCESS; 41 | } 42 | 43 | DECLARE_CRT_EXPORT("RegisterTraceGuidsW", RegisterTraceGuidsW); 44 | DECLARE_CRT_EXPORT("UnregisterTraceGuids", UnregisterTraceGuids); 45 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Exception.c: -------------------------------------------------------------------------------- 1 | #ifndef __USE_GNU 2 | # define __USE_GNU 3 | #endif 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #include "winnt_types.h" 15 | #include "pe_linker.h" 16 | #include "ntoskernel.h" 17 | #include "log.h" 18 | #include "winexports.h" 19 | #include "util.h" 20 | 21 | #ifndef NDEBUG 22 | // You can use `call DumpExceptionChain()` in gdb, like !exchain in windbg if 23 | // you need to debug exception handling. 24 | VOID DumpExceptionChain(VOID) 25 | { 26 | PEXCEPTION_FRAME ExceptionList; 27 | DWORD Depth; 28 | 29 | // Fetch Exception List 30 | asm("mov %%fs:0, %[list]" : [list] "=r"(ExceptionList)); 31 | 32 | DebugLog("ExceptionList %p, Dumping SEH Chain...", ExceptionList); 33 | 34 | for (Depth = 0; ExceptionList; ExceptionList = ExceptionList->prev) { 35 | DebugLog("%*s @%p { Prev: %p, Handler: %p }", 36 | Depth++, "", 37 | ExceptionList, 38 | ExceptionList->prev, 39 | ExceptionList->handler); 40 | } 41 | } 42 | #endif 43 | 44 | static WINAPI PVOID RaiseException(DWORD dwExceptionCode, DWORD dwExceptionFlags, DWORD nNumberOfArguments, PVOID Arguments) 45 | { 46 | PEXCEPTION_FRAME ExceptionList; 47 | PEXCEPTION_FRAME Dispatch = NULL; 48 | DWORD Disposition; 49 | DWORD Depth; 50 | CONTEXT Context = {0}; 51 | EXCEPTION_RECORD Record = { 52 | .ExceptionCode = dwExceptionCode, 53 | .ExceptionFlags = dwExceptionFlags, 54 | .ExceptionAddress = &&finished, 55 | .NumberParameters = nNumberOfArguments, 56 | }; 57 | 58 | // Setup Record 59 | memcpy(&Record.ExceptionInformation, Arguments, nNumberOfArguments * sizeof(ULONG)); 60 | 61 | // No need to log C++ Exceptions, this is the common case. 62 | if (dwExceptionCode != 0xE06D7363) { 63 | LogMessage("%#x, %#x, %u, %p", dwExceptionCode, dwExceptionFlags, nNumberOfArguments, Arguments); 64 | } 65 | 66 | // Fetch Exception List 67 | asm("mov %%fs:0, %[list]" : [list] "=r"(ExceptionList)); 68 | 69 | DebugLog("C++ Exception %#x! ExceptionList %p, Dumping SEH Chain...", dwExceptionCode, ExceptionList); 70 | 71 | for (Depth = 0; ExceptionList; ExceptionList = ExceptionList->prev) { 72 | DWORD Result; 73 | 74 | DebugLog("%*s @%p { Prev: %p, Handler: %p }", 75 | Depth++, "", 76 | ExceptionList, 77 | ExceptionList->prev, 78 | ExceptionList->handler); 79 | 80 | Result = ExceptionList->handler(&Record, ExceptionList, &Context, &Dispatch); 81 | 82 | DebugLog("%*s Handler Result: %u, Dispatch: %p", Depth, "", Result, Dispatch); 83 | 84 | if (Result == ExceptionContinueSearch) { 85 | continue; 86 | } 87 | 88 | // I've never seen any other handler return code with mpengine. 89 | __debugbreak(); 90 | } 91 | 92 | // Unhandled Exception? 93 | DebugLog("%u Element SEH Chain Complete.", Depth); 94 | 95 | finished: 96 | // I've never seen this reached, I'm not sure if it works. 97 | __debugbreak(); 98 | return NULL; 99 | } 100 | 101 | #define EH_NONCONTINUABLE 0x01 102 | #define EH_UNWINDING 0x02 103 | #define EH_EXIT_UNWIND 0x04 104 | #define EH_STACK_INVALID 0x08 105 | #define EH_NESTED_CALL 0x10 106 | 107 | static WINAPI void RtlUnwind(PEXCEPTION_FRAME TargetFrame, PVOID TargetIp, PEXCEPTION_RECORD ExceptionRecord, PVOID ReturnValue) 108 | { 109 | PEXCEPTION_FRAME ExceptionList; 110 | DWORD Depth; 111 | ucontext_t Context; 112 | 113 | DebugLog("%p, %p, %p, %p", TargetFrame, TargetIp, ExceptionRecord, ReturnValue); 114 | 115 | assert(ExceptionRecord); 116 | assert(TargetFrame); 117 | assert(TargetIp); 118 | 119 | ExceptionRecord->ExceptionFlags |= EH_UNWINDING; 120 | 121 | // Save current registers 122 | if (getcontext(&Context) != 0) { 123 | abort(); 124 | } 125 | 126 | // This was suuuuuuper complicated to get right and make mpengine happy. 127 | Context.uc_mcontext.gregs[REG_EBP] = ((uintptr_t *)(__builtin_frame_address(0)))[0]; 128 | Context.uc_mcontext.gregs[REG_EIP] = ((uintptr_t *)(__builtin_frame_address(0)))[1]; 129 | Context.uc_mcontext.gregs[REG_ESP] = ((uintptr_t)(__builtin_frame_address(0))) + 8 + 16; // Find esp (+8) then skip args (+4*4) 130 | Context.uc_mcontext.gregs[REG_EAX] = ((uintptr_t)(ReturnValue)); 131 | 132 | // Fetch Exception List 133 | asm("mov %%fs:0, %[list]" : [list] "=r"(ExceptionList)); 134 | 135 | for (Depth = 0; ExceptionList; ExceptionList = ExceptionList->prev) { 136 | DWORD Result; 137 | DWORD Dispatch = 0; 138 | 139 | DebugLog("%*s @%p { Prev: %p, Handler: %p }", 140 | Depth++, "", 141 | ExceptionList, 142 | ExceptionList->prev, 143 | ExceptionList->handler); 144 | 145 | // You don't call the final handler, you just install the new context. 146 | if (ExceptionList == TargetFrame) { 147 | DebugLog("TargetFrame %p == ExceptionList %p, Restore Context", ExceptionList, TargetFrame); 148 | 149 | setcontext(&Context); 150 | 151 | // Should not reach here. 152 | __debugbreak(); 153 | } 154 | 155 | // Call all handlers before the TargetFrame. 156 | Result = ExceptionList->handler(ExceptionRecord, ExceptionList, NULL, (PVOID) &Dispatch); 157 | 158 | DebugLog("%*s Result: %u, Dispatch: %p", Depth, "", Result, Dispatch); 159 | 160 | if (Result != ExceptionContinueSearch) { 161 | // I've never seen any other handler return code with mpengine. 162 | __debugbreak(); 163 | } 164 | 165 | // Remove handler. 166 | asm("mov %[list], %%fs:0" :: [list] "r"(ExceptionList->prev)); 167 | } 168 | 169 | // Unhandled C++ Exception? 170 | __debugbreak(); 171 | } 172 | 173 | 174 | DECLARE_CRT_EXPORT("RaiseException", RaiseException); 175 | DECLARE_CRT_EXPORT("RtlUnwind", RtlUnwind); 176 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Fibersapi.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "winnt_types.h" 10 | #include "pe_linker.h" 11 | #include "ntoskernel.h" 12 | #include "log.h" 13 | #include "winexports.h" 14 | #include "util.h" 15 | #include "strings.h" 16 | 17 | #ifndef FLS_OUT_OF_INDEXES 18 | #define FLS_OUT_OF_INDEXES ((DWORD)0xFFFFFFFF) 19 | #endif 20 | 21 | PVOID flsVal = 0; 22 | 23 | DWORD WINAPI FlsAlloc(PVOID ignore) { 24 | DebugLog("%p", ignore); // TODO: handle callback 25 | return 'FLS0'; 26 | } 27 | 28 | BOOL WINAPI FlsSetValue(DWORD index, PVOID data) { 29 | // DebugLog("%x", index); 30 | flsVal = data; 31 | return 1; 32 | } 33 | 34 | PVOID WINAPI FlsGetValue(DWORD index) { 35 | // DebugLog("%x", index); 36 | return flsVal; 37 | } 38 | 39 | BOOL WINAPI FlsFree(DWORD index) { 40 | DebugLog("%x", index); // TODO: handle callback 41 | return 1; 42 | } 43 | 44 | #if 1 45 | 46 | DECLARE_CRT_EXPORT("FlsAlloc", FlsAlloc); 47 | DECLARE_CRT_EXPORT("FlsSetValue", FlsSetValue); 48 | DECLARE_CRT_EXPORT("FlsGetValue", FlsGetValue); 49 | DECLARE_CRT_EXPORT("FlsFree", FlsFree); 50 | 51 | #endif 52 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/GetLastError.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include "winnt_types.h" 8 | #include "pe_linker.h" 9 | #include "ntoskernel.h" 10 | #include "log.h" 11 | #include "winexports.h" 12 | #include "util.h" 13 | 14 | STATIC DWORD LastError; 15 | 16 | STATIC DWORD WINAPI GetLastError(void) 17 | { 18 | //DebugLog("GetLastError() => %#x", LastError); 19 | return LastError; 20 | } 21 | 22 | void WINAPI SetLastError(DWORD dwErrCode) 23 | { 24 | //DebugLog("SetLastError(%#x)", dwErrCode); 25 | LastError = dwErrCode; 26 | } 27 | 28 | DECLARE_CRT_EXPORT("GetLastError", GetLastError); 29 | DECLARE_CRT_EXPORT("SetLastError", SetLastError); 30 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/GetStartupInfoW.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include "winnt_types.h" 8 | #include "pe_linker.h" 9 | #include "ntoskernel.h" 10 | #include "log.h" 11 | #include "winexports.h" 12 | #include "util.h" 13 | 14 | typedef struct _STARTUPINFO { 15 | DWORD cb; 16 | PVOID lpReserved; 17 | PVOID lpDesktop; 18 | PVOID lpTitle; 19 | DWORD dwX; 20 | DWORD dwY; 21 | DWORD dwXSize; 22 | DWORD dwYSize; 23 | DWORD dwXCountChars; 24 | DWORD dwYCountChars; 25 | DWORD dwFillAttribute; 26 | DWORD dwFlags; 27 | WORD wShowWindow; 28 | WORD cbReserved2; 29 | PVOID lpReserved2; 30 | HANDLE hStdInput; 31 | HANDLE hStdOutput; 32 | HANDLE hStdError; 33 | } STARTUPINFO, *LPSTARTUPINFO; 34 | 35 | 36 | STATIC void WINAPI GetStartupInfoA(LPSTARTUPINFO lpStartupInfo) 37 | { 38 | memset(lpStartupInfo, 0, sizeof *lpStartupInfo); 39 | 40 | DebugLog("GetStartupInfoA(%p)", lpStartupInfo); 41 | } 42 | 43 | 44 | STATIC void WINAPI GetStartupInfoW(LPSTARTUPINFO lpStartupInfo) 45 | { 46 | memset(lpStartupInfo, 0, sizeof *lpStartupInfo); 47 | 48 | DebugLog("GetStartupInfoW(%p)", lpStartupInfo); 49 | } 50 | 51 | STATIC PVOID WINAPI GetCommandLineA(void) 52 | { 53 | DebugLog(""); 54 | return "totallylegit.exe notfake very real"; 55 | } 56 | 57 | STATIC PVOID WINAPI GetCommandLineW(void) 58 | { 59 | DebugLog(""); 60 | return L"totallylegit.exe notfake very real"; 61 | } 62 | 63 | DECLARE_CRT_EXPORT("GetStartupInfoA", GetStartupInfoA); 64 | DECLARE_CRT_EXPORT("GetStartupInfoW", GetStartupInfoW); 65 | DECLARE_CRT_EXPORT("GetCommandLineA", GetCommandLineA); 66 | DECLARE_CRT_EXPORT("GetCommandLineW", GetCommandLineW); 67 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/GetStdHandle.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include "winnt_types.h" 8 | #include "pe_linker.h" 9 | #include "ntoskernel.h" 10 | #include "log.h" 11 | #include "winexports.h" 12 | #include "util.h" 13 | 14 | #define STD_INPUT_HANDLE -10 15 | #define STD_OUTPUT_HANDLE -11 16 | #define STD_ERROR_HANDLE -12 17 | 18 | #define FILE_TYPE_CHAR 0x0002 19 | #define FILE_TYPE_DISK 0x0001 20 | #define FILE_TYPE_PIPE 0x0003 21 | #define FILE_TYPE_REMOTE 0x8000 22 | #define FILE_TYPE_UNKNOWN 0x0000 23 | 24 | STATIC HANDLE WINAPI GetStdHandle(DWORD nStdHandle) 25 | { 26 | DebugLog("%d", nStdHandle); 27 | 28 | switch (nStdHandle) { 29 | case STD_INPUT_HANDLE: 30 | return (HANDLE) 0; 31 | case STD_OUTPUT_HANDLE: 32 | return (HANDLE) 1; 33 | case STD_ERROR_HANDLE: 34 | return (HANDLE) 2; 35 | } 36 | 37 | return INVALID_HANDLE_VALUE; 38 | } 39 | 40 | STATIC DWORD WINAPI GetFileType(HANDLE hFile) 41 | { 42 | DebugLog("%p", hFile); 43 | 44 | if (hFile >= 0 && hFile <= 2) 45 | return FILE_TYPE_CHAR; 46 | else 47 | return FILE_TYPE_DISK; 48 | } 49 | 50 | DECLARE_CRT_EXPORT("GetStdHandle", GetStdHandle); 51 | DECLARE_CRT_EXPORT("GetFileType", GetFileType); 52 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/GetSystemDirectory.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include "winnt_types.h" 9 | #include "pe_linker.h" 10 | #include "ntoskernel.h" 11 | #include "log.h" 12 | #include "winexports.h" 13 | #include "util.h" 14 | 15 | static uint16_t SystemDirectory[] = L"C:\\SYSTEM32\\"; 16 | 17 | STATIC UINT WINAPI GetSystemDirectoryW(PWCHAR Buffer, UINT uSize) 18 | { 19 | DebugLog("%p, %u", Buffer, uSize); 20 | 21 | // Srsly?! 22 | if (uSize >= ARRAY_SIZE(SystemDirectory)) { 23 | memcpy(Buffer, SystemDirectory, sizeof(SystemDirectory)); 24 | return ARRAY_SIZE(SystemDirectory) - 1; 25 | } else { 26 | return ARRAY_SIZE(SystemDirectory); 27 | } 28 | } 29 | 30 | STATIC UINT WINAPI GetSystemWindowsDirectoryW(PWCHAR Buffer, UINT uSize) 31 | { 32 | DebugLog("%p, %u", Buffer, uSize); 33 | 34 | // Srsly?! 35 | if (uSize >= ARRAY_SIZE(SystemDirectory)) { 36 | memcpy(Buffer, SystemDirectory, sizeof(SystemDirectory)); 37 | return ARRAY_SIZE(SystemDirectory) - 1; 38 | } else { 39 | return ARRAY_SIZE(SystemDirectory); 40 | } 41 | } 42 | 43 | STATIC UINT WINAPI GetSystemWow64DirectoryW(PWCHAR lpBuffer, UINT uSize) 44 | { 45 | DebugLog("%p, %u", lpBuffer, uSize); 46 | return 0; 47 | } 48 | 49 | 50 | DECLARE_CRT_EXPORT("GetSystemDirectoryW", GetSystemDirectoryW); 51 | DECLARE_CRT_EXPORT("GetSystemWindowsDirectoryW", GetSystemWindowsDirectoryW); 52 | DECLARE_CRT_EXPORT("GetSystemWow64DirectoryW", GetSystemWow64DirectoryW); 53 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Handle.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "winnt_types.h" 10 | #include "pe_linker.h" 11 | #include "ntoskernel.h" 12 | #include "log.h" 13 | #include "winexports.h" 14 | #include "util.h" 15 | #include "strings.h" 16 | 17 | STATIC BOOL WINAPI DuplicateHandle(HANDLE hSourceProcessHandle, HANDLE hSourceHandle, HANDLE hTargetProcessHandle, PHANDLE lpTargetHandle, DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwOptions) 18 | { 19 | DebugLog("%p, %p, %p, %p, %#x, %u, %#x", hSourceProcessHandle, hSourceHandle, hTargetProcessHandle, lpTargetHandle, dwDesiredAccess, bInheritHandle, dwOptions); 20 | 21 | // lol i dunno 22 | *lpTargetHandle = hSourceProcessHandle; 23 | return TRUE; 24 | } 25 | 26 | STATIC UINT WINAPI SetHandleCount(UINT handleCount) 27 | { 28 | DebugLog("%u", handleCount); 29 | return handleCount; 30 | } 31 | 32 | 33 | DECLARE_CRT_EXPORT("DuplicateHandle", DuplicateHandle); 34 | DECLARE_CRT_EXPORT("SetHandleCount", SetHandleCount); 35 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Heap.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include "winnt_types.h" 11 | #include "pe_linker.h" 12 | #include "ntoskernel.h" 13 | #include "log.h" 14 | #include "winexports.h" 15 | #include "util.h" 16 | 17 | #define HEAP_ZERO_MEMORY 8 18 | 19 | STATIC HANDLE WINAPI GetProcessHeap(void) 20 | { 21 | return (HANDLE) 'HEAP'; 22 | } 23 | 24 | STATIC HANDLE WINAPI HeapCreate(DWORD flOptions, SIZE_T dwInitialSize, SIZE_T dwMaximumSize) 25 | { 26 | DebugLog("%#x, %u, %u", flOptions, dwInitialSize, dwMaximumSize); 27 | return (HANDLE) 'HEAP'; 28 | } 29 | 30 | STATIC PVOID WINAPI HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes) 31 | { 32 | PVOID Buffer; 33 | 34 | // DebugLog("%p, %#x, %u", hHeap, dwFlags, dwBytes); 35 | 36 | if (dwFlags & HEAP_ZERO_MEMORY) { 37 | Buffer = calloc(dwBytes, 1); 38 | } else { 39 | Buffer = malloc(dwBytes); 40 | } 41 | 42 | return Buffer; 43 | } 44 | 45 | STATIC BOOL WINAPI HeapFree(HANDLE hHeap, DWORD dwFlags, PVOID lpMem) 46 | { 47 | // DebugLog("%p, %#x, %p", hHeap, dwFlags, lpMem); 48 | 49 | free(lpMem); 50 | 51 | return TRUE; 52 | } 53 | 54 | STATIC SIZE_T WINAPI HeapSize(HANDLE hHeap, DWORD dwFlags, PVOID lpMem) 55 | { 56 | return malloc_usable_size(lpMem); 57 | } 58 | 59 | STATIC PVOID WINAPI HeapReAlloc(HANDLE hHeap, DWORD dwFlags, PVOID lpMem, SIZE_T dwBytes) 60 | { 61 | return realloc(lpMem, dwBytes); 62 | } 63 | 64 | STATIC PVOID WINAPI LocalAlloc(UINT uFlags, SIZE_T uBytes) 65 | { 66 | PVOID Buffer = malloc(uBytes); 67 | assert(uFlags == 0); 68 | 69 | DebugLog("%#x, %u => %p", uFlags, uBytes, Buffer); 70 | 71 | return Buffer; 72 | } 73 | 74 | STATIC PVOID WINAPI LocalFree(PVOID hMem) 75 | { 76 | DebugLog("%p", hMem); 77 | free(hMem); 78 | return NULL; 79 | } 80 | 81 | DECLARE_CRT_EXPORT("HeapCreate", HeapCreate); 82 | DECLARE_CRT_EXPORT("GetProcessHeap", GetProcessHeap); 83 | DECLARE_CRT_EXPORT("HeapAlloc", HeapAlloc); 84 | DECLARE_CRT_EXPORT("HeapFree", HeapFree); 85 | DECLARE_CRT_EXPORT("HeapSize", HeapSize); 86 | DECLARE_CRT_EXPORT("HeapReAlloc", HeapReAlloc); 87 | DECLARE_CRT_EXPORT("LocalAlloc", LocalAlloc); 88 | DECLARE_CRT_EXPORT("LocalFree", LocalFree); 89 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/InitializeSListHead.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "winnt_types.h" 10 | #include "pe_linker.h" 11 | #include "ntoskernel.h" 12 | #include "log.h" 13 | #include "winexports.h" 14 | #include "util.h" 15 | 16 | STATIC VOID WINAPI InitializeSListHead(PVOID ListHead) 17 | { 18 | DebugLog("%p", ListHead); 19 | } 20 | 21 | STATIC PVOID WINAPI InterlockedFlushSList(PVOID ListHead) 22 | { 23 | DebugLog("%p", ListHead); 24 | return NULL; 25 | } 26 | 27 | DECLARE_CRT_EXPORT("InitializeSListHead", InitializeSListHead); 28 | DECLARE_CRT_EXPORT("InterlockedFlushSList", InterlockedFlushSList); 29 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/IsProcessorFeaturePresent.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include "winnt_types.h" 8 | #include "pe_linker.h" 9 | #include "ntoskernel.h" 10 | #include "log.h" 11 | #include "winexports.h" 12 | #include "util.h" 13 | 14 | #define PF_FLOATING_POINT_PRECISION_ERRATA 0 15 | #define PF_XMMI64_INSTRUCTIONS_AVAILABLE 10 16 | #define PF_FASTFAIL_AVAILABLE 23 17 | #define PF_MMX_INSTRUCTIONS_AVAILABLE 3 18 | 19 | STATIC BOOL WINAPI IsProcessorFeaturePresent(DWORD ProcessorFeature) 20 | { 21 | switch (ProcessorFeature) { 22 | case PF_XMMI64_INSTRUCTIONS_AVAILABLE: 23 | case PF_FLOATING_POINT_PRECISION_ERRATA: 24 | DebugLog("IsProcessorFeaturePresent(%u) => FALSE", ProcessorFeature); 25 | return FALSE; 26 | case PF_MMX_INSTRUCTIONS_AVAILABLE: 27 | case PF_FASTFAIL_AVAILABLE: // NOTE: this will cause int 0x29 28 | DebugLog("IsProcessorFeaturePresent(%u) => TRUE", ProcessorFeature); 29 | return TRUE; 30 | } 31 | 32 | DebugLog("IsProcessorFeaturePresent(%u) => FALSE (Unknown)", ProcessorFeature); 33 | return FALSE; 34 | } 35 | 36 | DECLARE_CRT_EXPORT("IsProcessorFeaturePresent", IsProcessorFeaturePresent); 37 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/LoadLibrary.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "winnt_types.h" 10 | #include "pe_linker.h" 11 | #include "ntoskernel.h" 12 | #include "log.h" 13 | #include "winexports.h" 14 | #include "util.h" 15 | #include "winstrings.h" 16 | 17 | 18 | static HANDLE WINAPI LoadLibraryExW(PVOID lpFileName, HANDLE hFile, DWORD dwFlags) 19 | { 20 | char *name = CreateAnsiFromWide(lpFileName); 21 | 22 | DebugLog("%p [%s], %p, %#x", lpFileName, name, hFile, dwFlags); 23 | 24 | free(name); 25 | 26 | return (HANDLE) 'LOAD'; 27 | } 28 | 29 | static HANDLE WINAPI LoadLibraryW(PVOID lpFileName) 30 | { 31 | DebugLog("%p", lpFileName); 32 | 33 | return (HANDLE) 'LOAD'; 34 | } 35 | 36 | static PVOID WINAPI GetProcAddress(HANDLE hModule, PCHAR lpProcName) 37 | { 38 | ENTRY key = { lpProcName }, *item; 39 | 40 | assert(hModule == (HANDLE) NULL || hModule == (HANDLE) 'LOAD' || hModule == (HANDLE) 'MPEN' || hModule == (HANDLE) 'VERS' || hModule == (HANDLE) 'KERN'); 41 | 42 | if (hsearch_r(key, FIND, &item, &crtexports)) { 43 | return item->data; 44 | } 45 | 46 | DebugLog("FIXME: %s unresolved", lpProcName); 47 | 48 | return NULL; 49 | } 50 | 51 | static HANDLE WINAPI GetModuleHandleW(PVOID lpModuleName) 52 | { 53 | char *name = CreateAnsiFromWide(lpModuleName); 54 | 55 | DebugLog("%p [%s]", lpModuleName, name); 56 | 57 | free(name); 58 | 59 | if (lpModuleName && memcmp(lpModuleName, L"ykmd.dll", sizeof(L"ykmd.dll")) == 0) 60 | return (HANDLE) 'YKMD'; 61 | 62 | if (lpModuleName && memcmp(lpModuleName, L"mpengine.dll", sizeof(L"mpengine.dll")) == 0) 63 | return (HANDLE) 'MPEN'; 64 | 65 | if (lpModuleName && memcmp(lpModuleName, L"bcrypt.dll", sizeof(L"bcrypt.dll")) == 0) 66 | return (HANDLE) 'LOAD'; 67 | 68 | if (lpModuleName && memcmp(lpModuleName, L"KERNEL32.DLL", sizeof(L"KERNEL32.DLL")) == 0) 69 | return (HANDLE) 'KERN'; 70 | 71 | if (lpModuleName && memcmp(lpModuleName, L"kernel32.dll", sizeof(L"kernel32.dll")) == 0) 72 | return (HANDLE) 'KERN'; 73 | 74 | if (lpModuleName && memcmp(lpModuleName, L"version.dll", sizeof(L"version.dll")) == 0) 75 | return (HANDLE) 'VERS'; 76 | return (HANDLE) NULL; 77 | } 78 | 79 | static DWORD WINAPI GetModuleFileNameA(HANDLE hModule, PCHAR lpFilename, DWORD nSize) 80 | { 81 | DebugLog("%p, %p, %u", hModule, lpFilename, nSize); 82 | 83 | strncpy(lpFilename, "ykmd.dll", nSize); 84 | 85 | return strlen(lpFilename); 86 | } 87 | 88 | static DWORD WINAPI GetModuleFileNameW(HANDLE hModule, PWCHAR lpFilename, DWORD nSize) 89 | { 90 | DebugLog("%p, %p, %u", hModule, lpFilename, nSize); 91 | 92 | if (nSize > strlen("ykmd.dll")) { 93 | memcpy(lpFilename, L"ykmd.dll", sizeof(L"ykmd.dll")); 94 | } 95 | 96 | return strlen("ykmd.dll"); 97 | } 98 | 99 | static HANDLE WINAPI GetModuleHandleA(PCHAR lpModuleName) 100 | { 101 | DebugLog("%p [%s]", lpModuleName, lpModuleName); 102 | 103 | return (HANDLE) NULL; 104 | } 105 | 106 | static VOID WINAPI FreeLibrary(PVOID hLibModule) 107 | { 108 | DebugLog("FreeLibrary(%p)", hLibModule); 109 | } 110 | 111 | DECLARE_CRT_EXPORT("FreeLibrary", FreeLibrary); 112 | DECLARE_CRT_EXPORT("LoadLibraryExW", LoadLibraryExW); 113 | DECLARE_CRT_EXPORT("LoadLibraryW", LoadLibraryW); 114 | DECLARE_CRT_EXPORT("GetProcAddress", GetProcAddress); 115 | DECLARE_CRT_EXPORT("GetModuleHandleW", GetModuleHandleW); 116 | DECLARE_CRT_EXPORT("GetModuleHandleA", GetModuleHandleA); 117 | DECLARE_CRT_EXPORT("GetModuleFileNameA", GetModuleFileNameA); 118 | DECLARE_CRT_EXPORT("GetModuleFileNameW", GetModuleFileNameW); 119 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Locale.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include "winnt_types.h" 9 | #include "pe_linker.h" 10 | #include "ntoskernel.h" 11 | #include "log.h" 12 | #include "winexports.h" 13 | #include "util.h" 14 | 15 | #define MAX_DEFAULTCHAR 2 16 | #define MAX_LEADBYTES 12 17 | 18 | typedef struct _cpinfo { 19 | UINT MaxCharSize; 20 | BYTE DefaultChar[MAX_DEFAULTCHAR]; 21 | BYTE LeadByte[MAX_LEADBYTES]; 22 | } CPINFO, *LPCPINFO; 23 | 24 | STATIC UINT GetACP(void) 25 | { 26 | DebugLog(""); 27 | 28 | return 65001; // UTF-8 29 | } 30 | 31 | STATIC WINAPI BOOL IsValidCodePage(UINT CodePage) 32 | { 33 | DebugLog("%u", CodePage); 34 | 35 | return TRUE; 36 | } 37 | 38 | STATIC WINAPI BOOL GetCPInfo(UINT CodePage, LPCPINFO lpCPInfo) 39 | { 40 | DebugLog("%u, %p", CodePage, lpCPInfo); 41 | 42 | memset(lpCPInfo, 0, sizeof *lpCPInfo); 43 | 44 | lpCPInfo->MaxCharSize = 1; 45 | lpCPInfo->DefaultChar[0] = '?'; 46 | 47 | return TRUE; 48 | } 49 | 50 | STATIC DWORD LocaleNameToLCID(PVOID lpName, DWORD dwFlags) 51 | { 52 | DebugLog("%p, %#x", lpName, dwFlags); 53 | return 0; 54 | } 55 | 56 | STATIC WINAPI int LCMapStringW(DWORD Locale, DWORD dwMapFlags, PVOID lpSrcStr, int cchSrc, PVOID lpDestStr, int cchDest) 57 | { 58 | DebugLog("%u, %#x, %p, %d, %p, %d", Locale, dwMapFlags, lpSrcStr, cchSrc, lpDestStr, cchDest); 59 | return 1; 60 | } 61 | 62 | #define LOCALE_NAME_USER_DEFAULT NULL 63 | #define NORM_IGNORENONSPACE 1 64 | #define LCMAP_UPPERCASE 512 65 | STATIC WINAPI int LCMapStringEx(PVOID lpLocaleName, DWORD dwMapFlags, PVOID lpSrcStr, int cchSrc, PVOID lpDestStr, int cchDest, PVOID lpVersionInformation, PVOID lpReserved, PVOID sortHandle) 66 | { 67 | DebugLog("%p, %#x, %p, %d, %p, %d, %p, %p, %p", lpLocaleName, dwMapFlags, lpSrcStr, cchSrc, lpDestStr, cchDest, lpVersionInformation, lpReserved, sortHandle); 68 | 69 | assert(lpLocaleName == LOCALE_NAME_USER_DEFAULT); 70 | 71 | if (lpDestStr == NULL) { 72 | return cchSrc; 73 | } 74 | 75 | memcpy(lpDestStr, lpSrcStr, cchDest > cchSrc ? cchSrc : cchDest); 76 | 77 | return cchDest > cchSrc ? cchSrc : cchDest; 78 | } 79 | 80 | DECLARE_CRT_EXPORT("GetACP", GetACP); 81 | DECLARE_CRT_EXPORT("IsValidCodePage", IsValidCodePage); 82 | DECLARE_CRT_EXPORT("GetCPInfo", GetCPInfo); 83 | DECLARE_CRT_EXPORT("LocaleNameToLCID", LocaleNameToLCID); 84 | DECLARE_CRT_EXPORT("LCMapStringW", LCMapStringW); 85 | DECLARE_CRT_EXPORT("LCMapStringEx", LCMapStringEx); 86 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Memory.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include "winnt_types.h" 11 | #include "pe_linker.h" 12 | #include "ntoskernel.h" 13 | #include "log.h" 14 | #include "winexports.h" 15 | #include "util.h" 16 | #include "codealloc.h" 17 | 18 | #define PAGE_READONLY 0x02 19 | #define PAGE_READWRITE 0x04 20 | #define PAGE_EXECUTE_READWRITE 0x40 21 | 22 | #define MEM_COMMIT 0x00001000 23 | #define MEM_RESERVE 0x00002000 24 | 25 | #define MEM_RELEASE 0x8000 26 | 27 | STATIC PVOID WINAPI VirtualAlloc(PVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) 28 | { 29 | if (flAllocationType & ~(MEM_COMMIT | MEM_RESERVE)) { 30 | DebugLog("flAllocationType %#x not implemnted", flAllocationType); 31 | return NULL; 32 | } 33 | 34 | // This VirtualAlloc() always returns PAGE_EXECUTE_READWRITE memory. 35 | if (flProtect == PAGE_READWRITE) 36 | return code_malloc(dwSize); 37 | if (flProtect == PAGE_EXECUTE_READWRITE) { 38 | DebugLog("JIT PAGE_EXECUTE_READWRITE Allocation Requested"); 39 | return code_malloc(dwSize); 40 | } 41 | 42 | DebugLog("flProtect flags %#x not implemented", flProtect); 43 | return NULL; 44 | } 45 | 46 | STATIC BOOL WINAPI VirtualProtect(PVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect) 47 | { 48 | if (flNewProtect != PAGE_READONLY) { 49 | DebugLog("unimplemented VirtualProtect() request, %#x", flNewProtect); 50 | } 51 | return TRUE; 52 | } 53 | 54 | STATIC BOOL WINAPI VirtualUnlock(PVOID lpAddress, SIZE_T dwSize) 55 | { 56 | return TRUE; 57 | } 58 | 59 | STATIC BOOL WINAPI VirtualFree(PVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType) 60 | { 61 | if (dwFreeType == MEM_RELEASE) 62 | code_free(lpAddress); 63 | return TRUE; 64 | } 65 | 66 | DECLARE_CRT_EXPORT("VirtualAlloc", VirtualAlloc); 67 | DECLARE_CRT_EXPORT("VirtualProtect", VirtualProtect); 68 | DECLARE_CRT_EXPORT("VirtualUnlock", VirtualUnlock); 69 | DECLARE_CRT_EXPORT("VirtualFree", VirtualFree); 70 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Ole.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "winnt_types.h" 10 | #include "pe_linker.h" 11 | #include "ntoskernel.h" 12 | #include "log.h" 13 | #include "winexports.h" 14 | #include "util.h" 15 | #include "strings.h" 16 | 17 | STATIC DWORD WINAPI CoCreateGuid(PVOID pguid) 18 | { 19 | DebugLog("%p", pguid); 20 | memcpy(pguid, "GUIDGUIDGUIDGUIDGUIDGUIDGUIDGUID", 16); 21 | return 0; 22 | } 23 | 24 | STATIC DWORD CoCreateInstance(PVOID rclsid, PVOID pUnkOuter, DWORD dwClsContext, PVOID riid, PVOID *ppv) 25 | { 26 | DebugLog("%p, %p, %u, %p, %p", rclsid, pUnkOuter, dwClsContext, riid, ppv); 27 | return -1; 28 | } 29 | 30 | STATIC DWORD CoInitializeEx(PVOID pvReserved, DWORD dCwoInit) 31 | { 32 | DebugLog("%p, %u", pvReserved, dCwoInit); 33 | return -1; 34 | } 35 | 36 | STATIC DWORD CoSetProxyBlanket(PVOID a) 37 | { 38 | DebugLog(""); 39 | return -1; 40 | } 41 | 42 | STATIC DWORD CoUninitialize(PVOID a) 43 | { 44 | DebugLog(""); 45 | return -1; 46 | } 47 | 48 | STATIC DWORD IIDFromString(PVOID a) 49 | { 50 | DebugLog(""); 51 | return -1; 52 | } 53 | 54 | DECLARE_CRT_EXPORT("CoCreateGuid", CoCreateGuid); 55 | DECLARE_CRT_EXPORT("CoCreateInstance", CoCreateInstance); 56 | DECLARE_CRT_EXPORT("CoInitializeEx", CoInitializeEx); 57 | DECLARE_CRT_EXPORT("CoSetProxyBlanket", CoSetProxyBlanket); 58 | DECLARE_CRT_EXPORT("CoUninitialize", CoUninitialize); 59 | DECLARE_CRT_EXPORT("IIDFromString", IIDFromString); 60 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Paths.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "winnt_types.h" 10 | #include "pe_linker.h" 11 | #include "ntoskernel.h" 12 | #include "log.h" 13 | #include "winexports.h" 14 | #include "util.h" 15 | #include "winstrings.h" 16 | 17 | static const uint16_t kTempPath[] = L".\\FAKETEMP\\"; 18 | 19 | DWORD WINAPI GetTempPathW(DWORD nBufferLength, PVOID lpBuffer) 20 | { 21 | DebugLog("%u, %p", nBufferLength, lpBuffer); 22 | 23 | memcpy(lpBuffer, kTempPath, sizeof(kTempPath)); 24 | 25 | return sizeof(kTempPath) - 2; 26 | } 27 | 28 | DWORD WINAPI GetLogicalDrives(void) 29 | { 30 | DebugLog(""); 31 | 32 | return 1 << 2; 33 | } 34 | 35 | #define DRIVE_FIXED 3 36 | 37 | UINT WINAPI GetDriveTypeW(PWCHAR lpRootPathName) 38 | { 39 | char *path = CreateAnsiFromWide(lpRootPathName); 40 | DebugLog("%p [%s]", lpRootPathName, path); 41 | free(path); 42 | return DRIVE_FIXED; 43 | } 44 | 45 | DECLARE_CRT_EXPORT("GetTempPathW", GetTempPathW); 46 | DECLARE_CRT_EXPORT("GetLogicalDrives", GetLogicalDrives); 47 | DECLARE_CRT_EXPORT("GetDriveTypeW", GetDriveTypeW); 48 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/ProcessThreads.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #include "winnt_types.h" 12 | #include "pe_linker.h" 13 | #include "ntoskernel.h" 14 | #include "log.h" 15 | #include "winexports.h" 16 | #include "util.h" 17 | #include "winstrings.h" 18 | 19 | static PVOID WINAPI CreateThreadpoolTimer(PVOID pfnti, PVOID pv, PVOID pcbe) 20 | { 21 | // DebugLog("%p, %p, %p", pfnti, pv, pcbe); 22 | return (PVOID) 'POOL'; 23 | } 24 | 25 | static VOID WINAPI InitializeSRWLock(PVOID SRWLock) 26 | { 27 | DebugLog("%p", SRWLock); 28 | } 29 | 30 | static VOID WINAPI SetThreadpoolTimer(PVOID pti, PVOID pftDueTime, DWORD msPeriod, DWORD msWindowLength) 31 | { 32 | DebugLog("%p, %p, %u, %u", pti, pftDueTime, msPeriod, msWindowLength); 33 | 34 | assert(pftDueTime == NULL); 35 | } 36 | 37 | static VOID WINAPI WaitForThreadpoolTimerCallbacks(PVOID pti, BOOL fCancelPendingCallbacks) 38 | { 39 | DebugLog("%p, %u", pti, fCancelPendingCallbacks); 40 | } 41 | 42 | static VOID WINAPI CloseThreadpoolTimer(PVOID pti) 43 | { 44 | DebugLog("%p", pti); 45 | } 46 | 47 | static LONG InterlockedDecrement(PULONG Addend) 48 | { 49 | DebugLog("%p", Addend); 50 | return --*Addend; 51 | } 52 | 53 | static LONG InterlockedIncrement(PULONG Addend) 54 | { 55 | DebugLog("%p", Addend); 56 | return ++*Addend; 57 | } 58 | 59 | static LONG InterlockedCompareExchange(PULONG Destination, LONG Exchange, LONG Comparand) 60 | { 61 | DebugLog("%p", Destination); 62 | if (*Destination == Comparand) { 63 | *Destination = Exchange; 64 | } 65 | return *Destination; 66 | } 67 | 68 | static HANDLE WINAPI CreateSemaphoreW(PVOID lpSemaphoreAttributes, LONG lInitialCount, LONG lMaximumCount, PWCHAR lpName) 69 | { 70 | char *name; 71 | #ifndef NDEBUG 72 | name = CreateAnsiFromWide(lpName); 73 | #else 74 | name = NULL; 75 | #endif 76 | DebugLog("%p, %u, %u, %p [%s]", lpSemaphoreAttributes, lInitialCount, lMaximumCount, lpName, name); 77 | free(name); 78 | return (HANDLE) 'SEMA'; 79 | } 80 | 81 | static HANDLE WINAPI GetCurrentProcess(VOID) 82 | { 83 | return (HANDLE) -1; 84 | } 85 | 86 | static HANDLE WINAPI GetCurrentThread(VOID) 87 | { 88 | return (HANDLE) -1; 89 | } 90 | 91 | static DWORD WINAPI GetCurrentThreadId(VOID) 92 | { 93 | return getpid(); 94 | } 95 | 96 | static DWORD WINAPI GetCurrentProcessId(VOID) 97 | { 98 | return getpid(); 99 | } 100 | 101 | static BOOL WINAPI RegisterWaitForSingleObject(PHANDLE phNewWaitObject, HANDLE hObject, PVOID Callback, PVOID Context, ULONG dwMilliseconds, ULONG dwFlags) 102 | { 103 | DebugLog(""); 104 | return TRUE; 105 | } 106 | 107 | static VOID WINAPI AcquireSRWLockExclusive(PVOID SRWLock) 108 | { 109 | DebugLog("%p", SRWLock); 110 | } 111 | 112 | static VOID WINAPI ReleaseSRWLockExclusive(PVOID SRWLock) 113 | { 114 | DebugLog("%p", SRWLock); 115 | } 116 | 117 | static HANDLE WINAPI CreateMutexW(PVOID lpMutexAttributes, BOOL bInitialOwner, PWCHAR lpName) 118 | { 119 | DebugLog("%p, %u, %p"); 120 | return INVALID_HANDLE_VALUE; 121 | } 122 | 123 | static DWORD WINAPI WaitForSingleObject(HANDLE hHandle, DWORD dwMilliseconds) 124 | { 125 | DebugLog("%p, %u", hHandle, dwMilliseconds); 126 | return -1; 127 | } 128 | 129 | static ULONG WINAPI LsaNtStatusToWinError(NTSTATUS Status) 130 | { 131 | DebugLog("%#x", Status); 132 | return Status; 133 | } 134 | 135 | static BOOL WINAPI CreateTimerQueueTimer(PHANDLE phNewTimer, 136 | HANDLE TimerQueue, 137 | PVOID Callback, 138 | PVOID Parameter, 139 | DWORD DueTime, 140 | DWORD Period, 141 | ULONG Flags) 142 | { 143 | DebugLog(""); 144 | return TRUE; 145 | } 146 | 147 | static BOOL WINAPI GetThreadTimes(HANDLE hThread, 148 | PFILETIME lpCreationTime, 149 | PFILETIME lpExitTime, 150 | PFILETIME lpKernelTime, 151 | PFILETIME lpUserTime) 152 | { 153 | DebugLog(""); 154 | return TRUE; 155 | } 156 | 157 | static ULONG WINAPI RtlNtStatusToDosError(NTSTATUS Status) 158 | { 159 | DebugLog("%#x", Status); 160 | return 5; 161 | } 162 | 163 | static BOOL WINAPI SetThreadToken(PHANDLE Thread, HANDLE Token) 164 | { 165 | DebugLog(""); 166 | return FALSE; 167 | } 168 | 169 | static BOOL WINAPI ProcessIdToSessionId(DWORD dwProcessId, DWORD *pSessionId) 170 | { 171 | DebugLog(""); 172 | return FALSE; 173 | } 174 | 175 | DECLARE_CRT_EXPORT("RtlNtStatusToDosError", RtlNtStatusToDosError); 176 | DECLARE_CRT_EXPORT("GetThreadTimes", GetThreadTimes); 177 | DECLARE_CRT_EXPORT("GetCurrentThread", GetCurrentThread); 178 | DECLARE_CRT_EXPORT("CreateTimerQueueTimer", CreateTimerQueueTimer); 179 | DECLARE_CRT_EXPORT("RegisterWaitForSingleObject", RegisterWaitForSingleObject); 180 | DECLARE_CRT_EXPORT("WaitForSingleObject", WaitForSingleObject); 181 | DECLARE_CRT_EXPORT("GetCurrentProcess", GetCurrentProcess); 182 | DECLARE_CRT_EXPORT("LsaNtStatusToWinError", LsaNtStatusToWinError); 183 | DECLARE_CRT_EXPORT("SetThreadToken", SetThreadToken); 184 | DECLARE_CRT_EXPORT("InterlockedDecrement", InterlockedDecrement); 185 | DECLARE_CRT_EXPORT("InterlockedIncrement", InterlockedIncrement); 186 | DECLARE_CRT_EXPORT("InterlockedCompareExchange", InterlockedCompareExchange); 187 | DECLARE_CRT_EXPORT("CreateSemaphoreW", CreateSemaphoreW); 188 | DECLARE_CRT_EXPORT("AcquireSRWLockExclusive", AcquireSRWLockExclusive); 189 | DECLARE_CRT_EXPORT("InitializeSRWLock", InitializeSRWLock); 190 | DECLARE_CRT_EXPORT("ReleaseSRWLockExclusive", ReleaseSRWLockExclusive); 191 | DECLARE_CRT_EXPORT("SetThreadpoolTimer", SetThreadpoolTimer); 192 | DECLARE_CRT_EXPORT("WaitForThreadpoolTimerCallbacks", WaitForThreadpoolTimerCallbacks); 193 | DECLARE_CRT_EXPORT("GetCurrentThreadId", GetCurrentThreadId); 194 | DECLARE_CRT_EXPORT("GetCurrentProcessId", GetCurrentProcessId); 195 | DECLARE_CRT_EXPORT("ProcessIdToSessionId", ProcessIdToSessionId); 196 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Security.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include "winnt_types.h" 9 | #include "pe_linker.h" 10 | #include "ntoskernel.h" 11 | #include "log.h" 12 | #include "winexports.h" 13 | #include "util.h" 14 | 15 | BOOL WINAPI LookupPrivilegeValueW(PVOID lpSystemName, PVOID lpName, PVOID lpLuid) 16 | { 17 | DebugLog("%p, %p, %p", lpSystemName, lpName, lpLuid); 18 | 19 | return FALSE; 20 | } 21 | 22 | DECLARE_CRT_EXPORT("LookupPrivilegeValueW", LookupPrivilegeValueW); 23 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Strings.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include "winnt_types.h" 11 | #include "pe_linker.h" 12 | #include "ntoskernel.h" 13 | #include "log.h" 14 | #include "winexports.h" 15 | #include "util.h" 16 | #include "winstrings.h" 17 | 18 | #define MB_ERR_INVALID_CHARS 8 19 | #define MB_PRECOMPOSED 1 20 | 21 | STATIC int WINAPI MultiByteToWideChar(UINT CodePage, DWORD dwFlags, PCHAR lpMultiByteStr, int cbMultiByte, PUSHORT lpWideCharStr, int cchWideChar) 22 | { 23 | size_t i; 24 | 25 | DebugLog("%u, %#x, %p, %u, %p, %u", CodePage, dwFlags, lpMultiByteStr, cbMultiByte, lpWideCharStr, cchWideChar); 26 | 27 | if ((dwFlags & ~(MB_ERR_INVALID_CHARS | MB_PRECOMPOSED)) != 0) { 28 | LogMessage("Unsupported Conversion Flags %#x", dwFlags); 29 | } 30 | 31 | if (CodePage != 0 && CodePage != 65001) { 32 | DebugLog("Unsupported CodePage %u", CodePage); 33 | } 34 | 35 | if (cbMultiByte == 0) 36 | return 0; 37 | 38 | if (cbMultiByte == -1) 39 | cbMultiByte = strlen(lpMultiByteStr) + 1; 40 | 41 | if (cchWideChar == 0) 42 | return cbMultiByte; 43 | 44 | // cbMultibyte is the number of *bytes* to process. 45 | // cchWideChar is the number of output *chars* expected. 46 | if (cbMultiByte > cchWideChar) { 47 | return 0; 48 | } 49 | 50 | for (i = 0; i < cbMultiByte; i++) { 51 | lpWideCharStr[i] = (uint8_t) lpMultiByteStr[i]; 52 | if (dwFlags & MB_ERR_INVALID_CHARS) { 53 | if (!isascii(lpMultiByteStr[i]) || iscntrl(lpMultiByteStr[i])) { 54 | lpWideCharStr[i] = '?'; 55 | } 56 | } 57 | } 58 | 59 | return i; 60 | } 61 | 62 | STATIC int WINAPI WideCharToMultiByte(UINT CodePage, DWORD dwFlags, PVOID lpWideCharStr, int cchWideChar, PVOID lpMultiByteStr, int cbMultiByte, PVOID lpDefaultChar, PVOID lpUsedDefaultChar) 63 | { 64 | char *ansi = NULL; 65 | 66 | DebugLog("%u, %#x, %p, %d, %p, %d, %p, %p", CodePage, dwFlags, lpWideCharStr, cchWideChar, lpMultiByteStr, cbMultiByte, lpDefaultChar, lpUsedDefaultChar); 67 | 68 | if (cchWideChar != -1) { 69 | // Add a nul terminator. 70 | PVOID tmpStr = calloc(cchWideChar + 1, sizeof(USHORT)); 71 | memcpy(tmpStr, lpWideCharStr, cchWideChar); 72 | ansi = CreateAnsiFromWide(tmpStr); 73 | free(tmpStr); 74 | } else { 75 | ansi = CreateAnsiFromWide(lpWideCharStr); 76 | } 77 | 78 | // This really can happen 79 | if (ansi == NULL) { 80 | return 0; 81 | } 82 | 83 | DebugLog("cchWideChar == %d, Ansi: [%s]", cchWideChar, ansi); 84 | 85 | if (lpMultiByteStr && strlen(ansi) < cbMultiByte) { 86 | strcpy(lpMultiByteStr, ansi); 87 | free(ansi); 88 | return strlen(lpMultiByteStr) + 1; 89 | } else if (!lpMultiByteStr && cbMultiByte == 0) { 90 | int len = strlen(ansi) + 1; 91 | free(ansi); 92 | return len; 93 | } 94 | 95 | free(ansi); 96 | return 0; 97 | } 98 | 99 | STATIC BOOL WINAPI GetStringTypeA(DWORD locale, DWORD dwInfoType, PUSHORT lpSrcStr, int cchSrc, PUSHORT lpCharType) 100 | { 101 | DebugLog("%u, %u, %p, %d, %p", locale, dwInfoType, lpSrcStr, cchSrc, lpCharType); 102 | 103 | memset(lpCharType, 1, cchSrc * sizeof(USHORT)); 104 | 105 | return FALSE; 106 | } 107 | 108 | 109 | STATIC BOOL WINAPI GetStringTypeW(DWORD dwInfoType, PUSHORT lpSrcStr, int cchSrc, PUSHORT lpCharType) 110 | { 111 | DebugLog("%u, %p, %d, %p", dwInfoType, lpSrcStr, cchSrc, lpCharType); 112 | 113 | memset(lpCharType, 1, cchSrc * sizeof(USHORT)); 114 | 115 | return FALSE; 116 | } 117 | 118 | STATIC VOID WINAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PWCHAR SourceString) 119 | { 120 | DestinationString->Length = CountWideChars(SourceString) * 2; 121 | DestinationString->MaximumLength = DestinationString->Length; 122 | DestinationString->Buffer = SourceString; 123 | } 124 | 125 | STATIC PVOID WINAPI UuidFromStringW(PUSHORT StringUuid, PBYTE Uuid) 126 | { 127 | int i; 128 | 129 | DebugLog("%S, %p", StringUuid, Uuid); 130 | 131 | for (i = 0; i < 16; i++) { 132 | Uuid[i] = 0x41; 133 | } 134 | 135 | return 0; 136 | } 137 | 138 | DECLARE_CRT_EXPORT("MultiByteToWideChar", MultiByteToWideChar); 139 | DECLARE_CRT_EXPORT("WideCharToMultiByte", WideCharToMultiByte); 140 | DECLARE_CRT_EXPORT("GetStringTypeA", GetStringTypeA); 141 | DECLARE_CRT_EXPORT("GetStringTypeW", GetStringTypeW); 142 | DECLARE_CRT_EXPORT("RtlInitUnicodeString", RtlInitUnicodeString); 143 | DECLARE_CRT_EXPORT("UuidFromStringW", UuidFromStringW); 144 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/SystemTime.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "winnt_types.h" 10 | #include "log.h" 11 | #include "winexports.h" 12 | #include "util.h" 13 | 14 | typedef struct _SYSTEMTIME { 15 | WORD wYear; 16 | WORD wMonth; 17 | WORD wDayOfWeek; 18 | WORD wDay; 19 | WORD wHour; 20 | WORD wMinute; 21 | WORD wSecond; 22 | WORD wMilliseconds; 23 | } SYSTEMTIME, *PSYSTEMTIME; 24 | 25 | // These routines are called to check if signing certificates have expired, so 26 | // should return similar values. 27 | 28 | STATIC VOID WINAPI GetSystemTime(PSYSTEMTIME lpSystemTime) 29 | { 30 | memset(lpSystemTime, 0, sizeof(SYSTEMTIME)); 31 | return; 32 | } 33 | 34 | STATIC BOOL WINAPI SystemTimeToFileTime(SYSTEMTIME *lpSystemTime, PFILETIME lpFileTime) 35 | { 36 | memset(lpFileTime, 0, sizeof(FILETIME)); 37 | return TRUE; 38 | } 39 | 40 | STATIC VOID WINAPI GetSystemTimePreciseAsFileTime(PFILETIME lpSystemTimeAsFileTime) 41 | { 42 | memset(lpSystemTimeAsFileTime, 0, sizeof(FILETIME)); 43 | return; 44 | } 45 | 46 | STATIC VOID WINAPI GetSystemTimeAsFileTime(PVOID lpSystemTimeAsFileTime) 47 | { 48 | memset(lpSystemTimeAsFileTime, 0, sizeof(FILETIME)); 49 | return; 50 | } 51 | 52 | STATIC BOOL WINAPI QueryPerformanceCounter(PVOID lpPerformanceCount) 53 | { 54 | return FALSE; 55 | } 56 | 57 | STATIC DWORD WINAPI GetTickCount(VOID) 58 | { 59 | return 0; 60 | } 61 | 62 | STATIC BOOL WINAPI QueryPerformanceFrequency(PVOID lpFrequency) 63 | { 64 | return FALSE; 65 | } 66 | 67 | STATIC BOOL WINAPI GetProcessTimes(HANDLE hProcess, PFILETIME lpCreationTime, PFILETIME lpExitTime, PFILETIME lpKernelTime, PFILETIME lpUserTime) 68 | { 69 | DebugLog(""); 70 | return FALSE; 71 | } 72 | 73 | DECLARE_CRT_EXPORT("GetSystemTime", GetSystemTime); 74 | DECLARE_CRT_EXPORT("SystemTimeToFileTime", SystemTimeToFileTime); 75 | DECLARE_CRT_EXPORT("GetSystemTimePreciseAsFileTime", GetSystemTimePreciseAsFileTime); 76 | DECLARE_CRT_EXPORT("GetSystemTimeAsFileTime", GetSystemTimeAsFileTime); 77 | DECLARE_CRT_EXPORT("QueryPerformanceCounter", QueryPerformanceCounter); 78 | DECLARE_CRT_EXPORT("QueryPerformanceFrequency", QueryPerformanceFrequency); 79 | DECLARE_CRT_EXPORT("GetTickCount", GetTickCount); 80 | DECLARE_CRT_EXPORT("GetProcessTimes", GetProcessTimes); 81 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/TlsAlloc.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include "winnt_types.h" 9 | #include "pe_linker.h" 10 | #include "ntoskernel.h" 11 | #include "log.h" 12 | #include "winexports.h" 13 | #include "util.h" 14 | 15 | #ifndef TLS_OUT_OF_INDEXES 16 | # define TLS_OUT_OF_INDEXES 0xFFFFFFFF 17 | #endif 18 | 19 | static int TlsIndex; 20 | uintptr_t LocalStorage[1024]; 21 | 22 | STATIC DWORD WINAPI TlsAlloc(void) 23 | { 24 | if (TlsIndex >= ARRAY_SIZE(LocalStorage) - 1) { 25 | DebugLog("TlsAlloc() => %#x", TlsIndex); 26 | return TLS_OUT_OF_INDEXES; 27 | } 28 | 29 | return TlsIndex++; 30 | } 31 | 32 | STATIC BOOL WINAPI TlsSetValue(DWORD dwTlsIndex, PVOID lpTlsValue) 33 | { 34 | DebugLog("TlsSetValue(%u, %p)", dwTlsIndex, lpTlsValue); 35 | 36 | if (dwTlsIndex < ARRAY_SIZE(LocalStorage)) { 37 | LocalStorage[dwTlsIndex] = (uintptr_t) (lpTlsValue); 38 | return TRUE; 39 | } 40 | 41 | DebugLog("dwTlsIndex higher than current maximum"); 42 | return FALSE; 43 | } 44 | 45 | STATIC DWORD WINAPI TlsGetValue(DWORD dwTlsIndex) 46 | { 47 | if (dwTlsIndex < ARRAY_SIZE(LocalStorage)) { 48 | return LocalStorage[dwTlsIndex]; 49 | } 50 | 51 | return 0; 52 | } 53 | 54 | STATIC BOOL WINAPI TlsFree(DWORD dwTlsIndex) 55 | { 56 | if (dwTlsIndex < ARRAY_SIZE(LocalStorage)) { 57 | LocalStorage[dwTlsIndex] = (uintptr_t) NULL; 58 | return TRUE; 59 | } 60 | 61 | return FALSE; 62 | } 63 | 64 | DECLARE_CRT_EXPORT("TlsFree", TlsFree); 65 | DECLARE_CRT_EXPORT("TlsAlloc", TlsAlloc); 66 | DECLARE_CRT_EXPORT("TlsSetValue", TlsSetValue); 67 | DECLARE_CRT_EXPORT("TlsGetValue", TlsGetValue); 68 | 69 | // These deliberately don't resolve, mpengine redirects to Tls variants. 70 | //DECLARE_CRT_EXPORT("FlsFree", NULL); 71 | //DECLARE_CRT_EXPORT("FlsAlloc", NULL); 72 | //DECLARE_CRT_EXPORT("FlsSetValue", NULL); 73 | //DECLARE_CRT_EXPORT("FlsGetValue", NULL); 74 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Version.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include "winnt_types.h" 9 | #include "pe_linker.h" 10 | #include "ntoskernel.h" 11 | #include "log.h" 12 | #include "winexports.h" 13 | #include "util.h" 14 | 15 | typedef struct _OSVERSIONINFOEXW { 16 | ULONG dwOSVersionInfoSize; 17 | ULONG dwMajorVersion; 18 | ULONG dwMinorVersion; 19 | ULONG dwBuildNumber; 20 | ULONG dwPlatformId; 21 | WCHAR szCSDVersion[128]; 22 | USHORT wServicePackMajor; 23 | USHORT wServicePackMinor; 24 | USHORT wSuiteMask; 25 | UCHAR wProductType; 26 | UCHAR wReserved; 27 | } RTL_OSVERSIONINFOEXW, *PRTL_OSVERSIONINFOEXW; 28 | 29 | typedef struct _SYSTEM_INFO { 30 | WORD wProcessorArchitecture; 31 | WORD wReserved; 32 | DWORD dwPageSize; 33 | PVOID lpMinimumApplicationAddress; 34 | PVOID lpMaximumApplicationAddress; 35 | PVOID dwActiveProcessorMask; 36 | DWORD dwNumberOfProcessors; 37 | DWORD dwProcessorType; 38 | DWORD dwAllocationGranularity; 39 | WORD wProcessorLevel; 40 | WORD wProcessorRevision; 41 | } SYSTEM_INFO, *LPSYSTEM_INFO; 42 | 43 | static DWORD WINAPI RtlGetVersion(PRTL_OSVERSIONINFOEXW lpVersionInformation) 44 | { 45 | if (lpVersionInformation->dwOSVersionInfoSize == sizeof (RTL_OSVERSIONINFOEXW)) { 46 | DebugLog("%p (RTL_OSVERSIONINFOEXW)", lpVersionInformation); 47 | } else { 48 | DebugLog("%p (%u dwOSVersionInfoSize)", 49 | lpVersionInformation, 50 | lpVersionInformation->dwOSVersionInfoSize); 51 | } 52 | 53 | // Windows XP 54 | lpVersionInformation->dwMajorVersion = 5; 55 | lpVersionInformation->dwMinorVersion = 1; 56 | 57 | return STATUS_SUCCESS; 58 | } 59 | 60 | #define PROCESSOR_ARCHITECTURE_INTEL 0 61 | 62 | static VOID WINAPI GetSystemInfo(LPSYSTEM_INFO lpSystemInfo) 63 | { 64 | DebugLog("%p", lpSystemInfo); 65 | 66 | lpSystemInfo->wProcessorArchitecture = PROCESSOR_ARCHITECTURE_INTEL; 67 | lpSystemInfo->dwPageSize = 0x1000; 68 | } 69 | 70 | static DWORD GetSystemDefaultLCID(void) 71 | { 72 | DebugLog(""); 73 | return 0x0800; // I dunno 74 | } 75 | 76 | static NTSTATUS WINAPI NtQuerySystemInformation(DWORD SystemInformationClass, 77 | PVOID SystemInformation, 78 | ULONG SystemInformationLength, 79 | PULONG ReturnLength) 80 | { 81 | DebugLog(""); 82 | return -1; 83 | } 84 | 85 | static BOOL WINAPI GetComputerNameExW(DWORD NameType, 86 | PWCHAR lpBuffer, 87 | PDWORD lpnSize) 88 | { 89 | DebugLog(""); 90 | return FALSE; 91 | } 92 | 93 | static BOOL WINAPI GetProductInfo(DWORD dwOSMajorVersion, 94 | DWORD dwOSMinorVersion, 95 | DWORD dwSpMajorVersion, 96 | DWORD dwSpMinorVersion, 97 | PDWORD pdwReturnedProductType) 98 | { 99 | DebugLog(""); 100 | *pdwReturnedProductType = 6; 101 | return TRUE; 102 | } 103 | 104 | static DWORD WINAPI GetVersion(void) 105 | { 106 | DebugLog(""); 107 | return 0x80000000; 108 | } 109 | 110 | static DWORD WINAPI GetVersionExA(PRTL_OSVERSIONINFOEXW lpVersionInformation) 111 | { 112 | DebugLog(""); 113 | return TRUE; 114 | } 115 | 116 | 117 | DECLARE_CRT_EXPORT("GetVersion", GetVersion); 118 | DECLARE_CRT_EXPORT("GetVersionExA", GetVersionExA); 119 | DECLARE_CRT_EXPORT("RtlGetVersion", RtlGetVersion); 120 | DECLARE_CRT_EXPORT("GetSystemInfo", GetSystemInfo); 121 | DECLARE_CRT_EXPORT("GetSystemDefaultLCID", GetSystemDefaultLCID); 122 | DECLARE_CRT_EXPORT("NtQuerySystemInformation", NtQuerySystemInformation); 123 | DECLARE_CRT_EXPORT("GetComputerNameExW", GetComputerNameExW); 124 | DECLARE_CRT_EXPORT("GetProductInfo", GetProductInfo); 125 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/WinBase.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include "winnt_types.h" 11 | #include "pe_linker.h" 12 | #include "ntoskernel.h" 13 | #include "log.h" 14 | #include "winexports.h" 15 | #include "util.h" 16 | #include "strings.h" 17 | 18 | DWORD WINAPI FormatMessageA(DWORD flags, PVOID source, DWORD messageid, DWORD languageid, PCHAR buffer, DWORD size) { 19 | DebugLog("%p, %p, %p, %p, %p, %p", flags, source, messageid, languageid, buffer, size); 20 | return snprintf(buffer, size, "%x %x %x %x:", flags, source, messageid, languageid); 21 | } 22 | 23 | BOOL WINAPI AreFileApisANSI(void) { 24 | DebugLog(""); 25 | return 1; 26 | } 27 | 28 | BOOL WINAPI IsDebuggerPresent(void) { 29 | return 0; 30 | } 31 | 32 | VOID WINAPI Sleep(DWORD ms) { 33 | // no sleep ;-) 34 | return; 35 | } 36 | 37 | LONGLONG WINAPI GetTickCount64(void) { 38 | DebugLog(""); 39 | return 0; 40 | } 41 | 42 | VOID WINAPI ExitProcess(UINT uExitCode) { 43 | exit(uExitCode); 44 | } 45 | 46 | 47 | DECLARE_CRT_EXPORT("FormatMessageA", FormatMessageA); 48 | DECLARE_CRT_EXPORT("AreFileApisANSI", AreFileApisANSI); 49 | DECLARE_CRT_EXPORT("IsDebuggerPresent", IsDebuggerPresent); 50 | DECLARE_CRT_EXPORT("Sleep", Sleep); 51 | DECLARE_CRT_EXPORT("GetTickCount64", GetTickCount64); 52 | DECLARE_CRT_EXPORT("ExitProcess", ExitProcess); 53 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/WinTrust.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "winnt_types.h" 10 | #include "pe_linker.h" 11 | #include "ntoskernel.h" 12 | #include "log.h" 13 | #include "winexports.h" 14 | #include "util.h" 15 | 16 | STATIC BOOL CryptCATAdminAcquireContext(PVOID phCatAdmin, PVOID pgSubsystem, DWORD dwFlags) 17 | { 18 | DebugLog("%p, %p, %#x", phCatAdmin, pgSubsystem, dwFlags); 19 | return TRUE; 20 | } 21 | 22 | STATIC HANDLE CryptCATAdminEnumCatalogFromHash(HANDLE hCatAdmin, BYTE *pbHash, DWORD cbHash, DWORD dwFlags, PVOID phPrevCatInfo) 23 | { 24 | DebugLog("%p, %p, %u, %#x, %p", hCatAdmin, pbHash, cbHash, dwFlags, phPrevCatInfo); 25 | return NULL; 26 | } 27 | 28 | STATIC BOOL CryptCATAdminCalcHashFromFileHandle(VOID) { DebugLog("FIXME"); return 0; } 29 | STATIC BOOL CryptCATAdminReleaseCatalogContext(VOID) { DebugLog("FIXME"); return 0; } 30 | STATIC BOOL CryptCATAdminReleaseContext(VOID) { DebugLog("FIXME"); return 0; } 31 | STATIC BOOL CryptCATCatalogInfoFromContext(VOID) { DebugLog("FIXME"); return 0; } 32 | STATIC BOOL WTHelperGetProvCertFromChain(VOID) { DebugLog("FIXME"); return 0; } 33 | STATIC BOOL WTHelperGetProvSignerFromChain(VOID) { DebugLog("FIXME"); return 0; } 34 | STATIC BOOL WTHelperProvDataFromStateData(VOID) { DebugLog("FIXME"); return 0; } 35 | STATIC BOOL WinVerifyTrust(VOID) { DebugLog("FIXME"); return 0; } 36 | 37 | DECLARE_CRT_EXPORT("CryptCATAdminAcquireContext", CryptCATAdminAcquireContext); 38 | DECLARE_CRT_EXPORT("CryptCATAdminCalcHashFromFileHandle", CryptCATAdminCalcHashFromFileHandle); 39 | DECLARE_CRT_EXPORT("CryptCATAdminEnumCatalogFromHash", CryptCATAdminEnumCatalogFromHash); 40 | DECLARE_CRT_EXPORT("CryptCATAdminReleaseCatalogContext", CryptCATAdminReleaseCatalogContext); 41 | DECLARE_CRT_EXPORT("CryptCATAdminReleaseContext", CryptCATAdminReleaseContext); 42 | DECLARE_CRT_EXPORT("CryptCATCatalogInfoFromContext", CryptCATCatalogInfoFromContext); 43 | DECLARE_CRT_EXPORT("WTHelperGetProvCertFromChain", WTHelperGetProvCertFromChain); 44 | DECLARE_CRT_EXPORT("WTHelperGetProvSignerFromChain", WTHelperGetProvSignerFromChain); 45 | DECLARE_CRT_EXPORT("WTHelperProvDataFromStateData", WTHelperProvDataFromStateData); 46 | DECLARE_CRT_EXPORT("WinVerifyTrust", WinVerifyTrust); 47 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Wincon.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "winnt_types.h" 10 | #include "pe_linker.h" 11 | #include "ntoskernel.h" 12 | #include "log.h" 13 | #include "winexports.h" 14 | #include "util.h" 15 | #include "strings.h" 16 | 17 | BOOL WINAPI WriteConsoleW(HANDLE hConsoleOutput, VOID *lpBuffer, DWORD nNumberOfCharsToWrite, PDWORD lpNumberOfCharsWritten, PVOID lpReserved) { 18 | DebugLog(""); 19 | return 1; 20 | } 21 | 22 | DECLARE_CRT_EXPORT("WriteConsoleW", WriteConsoleW); 23 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winapi/Winuser.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "winnt_types.h" 10 | #include "pe_linker.h" 11 | #include "ntoskernel.h" 12 | #include "log.h" 13 | #include "winexports.h" 14 | #include "util.h" 15 | #include "strings.h" 16 | 17 | BOOL WINAPI GetWindowInfo(HANDLE hWnd, PVOID pwi) { 18 | DebugLog(""); 19 | return 0; 20 | } 21 | 22 | BOOL WINAPI PostMessageA(HANDLE hWnd, DWORD msg, DWORD param, DWORD lparam) { 23 | DebugLog("%x %x %x %x", hWnd, msg, param, lparam); 24 | return 1; 25 | } 26 | 27 | BOOL WINAPI DestroyWindow(HANDLE hWnd) { 28 | DebugLog(""); 29 | return 1; 30 | } 31 | 32 | UINT WINAPI RegisterWindowMessageA(PCHAR string) { 33 | DebugLog("%s", string); 34 | return 0xC123; 35 | } 36 | 37 | int WINAPI MessageBoxW(HANDLE hWnd, PVOID lpText, PVOID lpCaption, UINT uType) { 38 | DebugLog(""); 39 | return 1; 40 | } 41 | 42 | DECLARE_CRT_EXPORT("GetWindowInfo", GetWindowInfo); 43 | DECLARE_CRT_EXPORT("PostMessageA", PostMessageA); 44 | DECLARE_CRT_EXPORT("DestroyWindow", DestroyWindow); 45 | DECLARE_CRT_EXPORT("RegisterWindowMessageA", RegisterWindowMessageA); 46 | DECLARE_CRT_EXPORT("MessageBoxW", MessageBoxW); 47 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winerror.h: -------------------------------------------------------------------------------- 1 | #ifndef _WINNT_ERROR_H 2 | #define _WINNT_ERROR_H 3 | 4 | #define ERROR_SUCCESS 0L 5 | #define NO_ERROR 0LL 6 | #define ERROR_NO_MORE_ITEMS 259L 7 | 8 | #endif 9 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winexports.h: -------------------------------------------------------------------------------- 1 | #ifndef __WINEXPORTS_H 2 | #define __WINEXPORTS_H 3 | 4 | extern struct hsearch_data crtexports; 5 | 6 | #define DECLARE_CRT_EXPORT(_name, _func) \ 7 | static void __constructor __const__ ## _func (void) \ 8 | { \ 9 | ENTRY e = { _name, _func }, *ep; \ 10 | if (crtexports.table == NULL) \ 11 | hcreate_r(1024, &crtexports); \ 12 | hsearch_r(e, ENTER, &ep, &crtexports); \ 13 | return; \ 14 | } 15 | 16 | #else 17 | # warn winexports.h included twice 18 | #endif 19 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winstrings.c: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright (C) 2017 Tavis Ormandy 3 | // 4 | // This program is free software; you can redistribute it and/or modify 5 | // it under the terms of the GNU General Public License as published by 6 | // the Free Software Foundation; either version 2 of the License, or 7 | // (at your option) any later version. 8 | // 9 | // This program is distributed in the hope that it will be useful, 10 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | // GNU General Public License for more details. 13 | // 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | #include "strings.h" 20 | 21 | char *string_from_wchar(void *wcharbuf, size_t len) 22 | { 23 | uint16_t *inbuf = wcharbuf; 24 | uint8_t *outbuf = NULL; 25 | void *buf; 26 | size_t count = 0; 27 | 28 | if (wcharbuf == NULL) 29 | return NULL; 30 | 31 | buf = outbuf = malloc(len + 1); 32 | 33 | while (*outbuf++ = *inbuf++) { 34 | if (++count >= len) { 35 | *outbuf = '\0'; 36 | break; 37 | } 38 | } 39 | 40 | return buf; 41 | } 42 | 43 | size_t CountWideChars(void *wcharbuf) 44 | { 45 | size_t i = 0; 46 | uint16_t *p = wcharbuf; 47 | 48 | if (!p) return 0; 49 | 50 | while (*p++) 51 | i++; 52 | 53 | return i; 54 | } 55 | char * CreateAnsiFromWide(void *wcharbuf) 56 | { 57 | return string_from_wchar(wcharbuf, CountWideChars(wcharbuf) * 2); 58 | } 59 | -------------------------------------------------------------------------------- /loadlibrary/peloader/winstrings.h: -------------------------------------------------------------------------------- 1 | #ifndef __STRINGS_H 2 | #define __STRINGS_H 3 | 4 | size_t CountWideChars(void *wcharbuf); 5 | char * CreateAnsiFromWide(void *wcharbuf); 6 | 7 | #endif 8 | -------------------------------------------------------------------------------- /scard_win/MinidriverTest/MinidriverTest.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.27130.2027 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MinidriverTest", "MinidriverTest\MinidriverTest.vcxproj", "{6583AF5E-3A35-4F41-AE35-AC5632E381A8}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {6583AF5E-3A35-4F41-AE35-AC5632E381A8}.Debug|x64.ActiveCfg = Debug|x64 17 | {6583AF5E-3A35-4F41-AE35-AC5632E381A8}.Debug|x64.Build.0 = Debug|x64 18 | {6583AF5E-3A35-4F41-AE35-AC5632E381A8}.Debug|x86.ActiveCfg = Debug|Win32 19 | {6583AF5E-3A35-4F41-AE35-AC5632E381A8}.Debug|x86.Build.0 = Debug|Win32 20 | {6583AF5E-3A35-4F41-AE35-AC5632E381A8}.Release|x64.ActiveCfg = Release|x64 21 | {6583AF5E-3A35-4F41-AE35-AC5632E381A8}.Release|x64.Build.0 = Release|x64 22 | {6583AF5E-3A35-4F41-AE35-AC5632E381A8}.Release|x86.ActiveCfg = Release|Win32 23 | {6583AF5E-3A35-4F41-AE35-AC5632E381A8}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {F0374379-A503-4B6E-84B8-88D6328BCFC1} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /scard_win/MinidriverTest/MinidriverTest/MinidriverTest.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x41sec/x41-smartcard-fuzzing/e7506e0280187b7c2da69fa24fee7d655b5dbb94/scard_win/MinidriverTest/MinidriverTest/MinidriverTest.cpp -------------------------------------------------------------------------------- /scard_win/MinidriverTest/MinidriverTest/MinidriverTest.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /scard_win/MinidriverTest/MinidriverTest/MinidriverTest.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /scard_win/MinidriverTest/MinidriverTest/Readme.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x41sec/x41-smartcard-fuzzing/e7506e0280187b7c2da69fa24fee7d655b5dbb94/scard_win/MinidriverTest/MinidriverTest/Readme.txt -------------------------------------------------------------------------------- /scard_win/MinidriverTest/MinidriverTest/stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x41sec/x41-smartcard-fuzzing/e7506e0280187b7c2da69fa24fee7d655b5dbb94/scard_win/MinidriverTest/MinidriverTest/stdafx.cpp -------------------------------------------------------------------------------- /scard_win/MinidriverTest/MinidriverTest/stdafx.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x41sec/x41-smartcard-fuzzing/e7506e0280187b7c2da69fa24fee7d655b5dbb94/scard_win/MinidriverTest/MinidriverTest/stdafx.h -------------------------------------------------------------------------------- /scard_win/MinidriverTest/MinidriverTest/targetver.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x41sec/x41-smartcard-fuzzing/e7506e0280187b7c2da69fa24fee7d655b5dbb94/scard_win/MinidriverTest/MinidriverTest/targetver.h -------------------------------------------------------------------------------- /scard_win/winscard/winscard.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.27130.2027 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "winscard", "winscard\winscard.vcxproj", "{A38392FD-D78F-42B2-831F-9945CB17FD89}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {A38392FD-D78F-42B2-831F-9945CB17FD89}.Debug|x64.ActiveCfg = Debug|x64 17 | {A38392FD-D78F-42B2-831F-9945CB17FD89}.Debug|x64.Build.0 = Debug|x64 18 | {A38392FD-D78F-42B2-831F-9945CB17FD89}.Debug|x86.ActiveCfg = Debug|Win32 19 | {A38392FD-D78F-42B2-831F-9945CB17FD89}.Debug|x86.Build.0 = Debug|Win32 20 | {A38392FD-D78F-42B2-831F-9945CB17FD89}.Release|x64.ActiveCfg = Release|x64 21 | {A38392FD-D78F-42B2-831F-9945CB17FD89}.Release|x64.Build.0 = Release|x64 22 | {A38392FD-D78F-42B2-831F-9945CB17FD89}.Release|x86.ActiveCfg = Release|Win32 23 | {A38392FD-D78F-42B2-831F-9945CB17FD89}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {3E3D291D-D0CD-4FDB-AFE6-BD7394DBEB17} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /scard_win/winscard/winscard/Readme.txt: -------------------------------------------------------------------------------- 1 | Library to fuzz APDU responses by intercepting calls to SCCard* 2 | 3 | written by Eric Sesterhenn 4 | Released under GPLv3 5 | -------------------------------------------------------------------------------- /scard_win/winscard/winscard/dllmain.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x41sec/x41-smartcard-fuzzing/e7506e0280187b7c2da69fa24fee7d655b5dbb94/scard_win/winscard/winscard/dllmain.cpp -------------------------------------------------------------------------------- /scard_win/winscard/winscard/stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x41sec/x41-smartcard-fuzzing/e7506e0280187b7c2da69fa24fee7d655b5dbb94/scard_win/winscard/winscard/stdafx.cpp -------------------------------------------------------------------------------- /scard_win/winscard/winscard/stdafx.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x41sec/x41-smartcard-fuzzing/e7506e0280187b7c2da69fa24fee7d655b5dbb94/scard_win/winscard/winscard/stdafx.h -------------------------------------------------------------------------------- /scard_win/winscard/winscard/targetver.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x41sec/x41-smartcard-fuzzing/e7506e0280187b7c2da69fa24fee7d655b5dbb94/scard_win/winscard/winscard/targetver.h -------------------------------------------------------------------------------- /scard_win/winscard/winscard/winscard.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x41sec/x41-smartcard-fuzzing/e7506e0280187b7c2da69fa24fee7d655b5dbb94/scard_win/winscard/winscard/winscard.cpp -------------------------------------------------------------------------------- /scard_win/winscard/winscard/winscard.def: -------------------------------------------------------------------------------- 1 | LIBRARY 2 | EXPORTS 3 | ;SCardReleaseStartedEvent=SCardReleaseStartedEvent @1 4 | ;SCardAccessStartedEvent=SCardAccessStartedEvent @2 5 | SCardCancel=SCardCancel @3 6 | ;ClassInstall32=ClassInstall32 @4 7 | ;SCardAccessNewReaderEvent=SCardAccessNewReaderEvent @5 8 | ;SCardPciRaw=SCardPciRaw @6 9 | ;SCardPciT0=SCardPciT0 @7 10 | ;SCardReleaseAllEvents=SCardReleaseAllEvents @9 11 | ;SCardReleaseNewReaderEvent=SCardReleaseNewReaderEvent @10 12 | ;SCardAudit=SCardAudit @11 13 | SCardBeginTransaction=SCardBeginTransaction @12 14 | SCardControl=SCardControl @13 15 | SCardDisconnect=SCardDisconnect @14 16 | SCardEndTransaction=SCardEndTransaction @15 17 | SCardEstablishContext=SCardEstablishContext @16 18 | SCardFreeMemory=SCardFreeMemory @17 19 | SCardGetAttrib=SCardGetAttrib @18 20 | ;SCardGetTransmitCount=SCardGetTransmitCount @19 21 | SCardIsValidContext=SCardIsValidContext @20 22 | SCardReconnect=SCardReconnect @21 23 | SCardReleaseContext=SCardReleaseContext @22 24 | SCardSetAttrib=SCardSetAttrib @23 25 | ;SCardState=SCardState @24 26 | SCardTransmit=SCardTransmit @25 27 | ;SCardAddReaderToGroupA=SCardAddReaderToGroupA @26 28 | ;SCardConnectA=SCardConnectA @27 29 | ;SCardForgetCardTypeA=SCardForgetCardTypeA @28 30 | ;SCardForgetReaderA=SCardForgetReaderA @29 31 | ;SCardForgetReaderGroupA=SCardForgetReaderGroupA @30 32 | ;SCardGetCardTypeProviderNameA=SCardGetCardTypeProviderNameA @31 33 | ;SCardGetDeviceTypeIdA=SCardGetDeviceTypeIdA @32 34 | ;SCardGetProviderIdA=SCardGetProviderIdA @33 35 | ;SCardGetReaderDeviceInstanceIdA=SCardGetReaderDeviceInstanceIdA @34 36 | ;SCardGetReaderIconA=SCardGetReaderIconA @35 37 | ;SCardGetStatusChangeA=SCardGetStatusChangeA @36 38 | ;SCardIntroduceCardTypeA=SCardIntroduceCardTypeA @37 39 | ;SCardIntroduceReaderA=SCardIntroduceReaderA @38 40 | ;SCardIntroduceReaderGroupA=SCardIntroduceReaderGroupA @39 41 | ;SCardListCardsA=SCardListCardsA @40 42 | ;SCardListInterfacesA=SCardListInterfacesA @41 43 | ;SCardListReaderGroupsA=SCardListReaderGroupsA @42 44 | ;SCardListReadersA=SCardListReadersA @43 45 | ;SCardListReadersWithDeviceInstanceIdA=SCardListReadersWithDeviceInstanceIdA @44 46 | ;SCardLocateCardsA=SCardLocateCardsA @45 47 | ;SCardLocateCardsByATRA=SCardLocateCardsByATRA @46 48 | ;SCardReadCacheA=SCardReadCacheA @47 49 | ;SCardRemoveReaderFromGroupA=SCardRemoveReaderFromGroupA @48 50 | ;SCardSetCardTypeProviderNameA=SCardSetCardTypeProviderNameA @49 51 | SCardStatusA=SCardStatusA @50 52 | ;SCardWriteCacheA=SCardWriteCacheA @51 53 | ;SCardAddReaderToGroupW=SCardAddReaderToGroupW @52 54 | SCardConnectW=SCardConnectW @53 55 | ;SCardForgetCardTypeW=SCardForgetCardTypeW @54 56 | ;SCardForgetReaderGroupW=SCardForgetReaderGroupW @55 57 | ;SCardForgetReaderW=SCardForgetReaderW @56 58 | ;SCardGetCardTypeProviderNameW=SCardGetCardTypeProviderNameW @57 59 | ;SCardGetDeviceTypeIdW=SCardGetDeviceTypeIdW @58 60 | ;SCardGetProviderIdW=SCardGetProviderIdW @59 61 | ;SCardGetReaderDeviceInstanceIdW=SCardGetReaderDeviceInstanceIdW @60 62 | ;SCardGetReaderIconW=SCardGetReaderIconW @61 63 | SCardGetStatusChangeW=SCardGetStatusChangeW @62 64 | ;SCardIntroduceCardTypeW=SCardIntroduceCardTypeW @63 65 | ;SCardIntroduceReaderGroupW=SCardIntroduceReaderGroupW @64 66 | ;SCardIntroduceReaderW=SCardIntroduceReaderW @65 67 | ;SCardListCardsW=SCardListCardsW @66 68 | ;SCardListInterfacesW=SCardListInterfacesW @67 69 | SCardListReaderGroupsW=SCardListReaderGroupsW @68 70 | SCardListReadersW=SCardListReadersW @69 71 | ;SCardListReadersWithDeviceInstanceIdW=SCardListReadersWithDeviceInstanceIdW @70 72 | ;SCardLocateCardsByATRW=SCardLocateCardsByATRW @71 73 | ;SCardLocateCardsW=SCardLocateCardsW @72 74 | SCardReadCacheW=SCardReadCacheW @73 75 | ;SCardRemoveReaderFromGroupW=SCardRemoveReaderFromGroupW @74 76 | ;SCardSetCardTypeProviderNameW=SCardSetCardTypeProviderNameW @75 77 | SCardStatusW=SCardStatusW @76 78 | SCardWriteCacheW=SCardWriteCacheW @77 79 | g_rgSCardT0Pci=g_rgSCardT0Pci @78 80 | g_rgSCardRawPci=g_rgSCardRawPci @79 81 | g_rgSCardT1Pci=g_rgSCardT1Pci @80 82 | -------------------------------------------------------------------------------- /scard_win/winscard/winscard/winscard.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | Source Files 42 | 43 | 44 | --------------------------------------------------------------------------------