2014-02-19 19:13:08 +00:00
|
|
|
# This file is part of Metasm, the Ruby assembly manipulation suite
|
|
|
|
# Copyright (C) 2006-2009 Yoann GUILLOT
|
|
|
|
#
|
|
|
|
# Licence is LGPL, see LICENCE in the top-level directory
|
|
|
|
|
|
|
|
#
|
|
|
|
# Map a PE file under another OS using DynLdr, API imports are redirected to ruby callback for emulation
|
|
|
|
#
|
|
|
|
|
|
|
|
require 'metasm'
|
|
|
|
|
|
|
|
class PeLdr
|
2014-02-19 20:01:20 +00:00
|
|
|
attr_accessor :pe, :load_address
|
|
|
|
DL = Metasm::DynLdr
|
|
|
|
|
|
|
|
# load a PE file, setup basic IAT hooks (raises "unhandled lib!import")
|
|
|
|
def initialize(file, hooktype=:iat)
|
|
|
|
if file.kind_of? Metasm::PE
|
|
|
|
@pe = file
|
|
|
|
elsif file[0, 2] == 'MZ' and file.length > 0x3c
|
|
|
|
@pe = Metasm::PE.decode(file)
|
|
|
|
else # filename
|
|
|
|
@pe = Metasm::PE.decode_file(file)
|
|
|
|
end
|
|
|
|
@load_address = DL.memory_alloc(@pe.optheader.image_size)
|
|
|
|
raise 'malloc' if @load_address == 0xffff_ffff
|
|
|
|
|
|
|
|
puts "map sections" if $DEBUG
|
|
|
|
DL.memory_write(@load_address, @pe.encoded.data[0, @pe.optheader.headers_size].to_str)
|
|
|
|
@pe.sections.each { |s|
|
|
|
|
DL.memory_write(@load_address+s.virtaddr, s.encoded.data.to_str)
|
|
|
|
}
|
|
|
|
|
|
|
|
puts "fixup sections" if $DEBUG
|
|
|
|
off = @load_address - @pe.optheader.image_base
|
|
|
|
@pe.relocations.to_a.each { |rt|
|
|
|
|
base = rt.base_addr
|
|
|
|
rt.relocs.each { |r|
|
|
|
|
if r.type == 'HIGHLOW'
|
|
|
|
ptr = @load_address + base + r.offset
|
|
|
|
old = DL.memory_read(ptr, 4).unpack('V').first
|
|
|
|
DL.memory_write_int(ptr, old + off)
|
|
|
|
end
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
@iat_cb = {}
|
|
|
|
@eat_cb = {}
|
|
|
|
case hooktype
|
|
|
|
when :iat
|
|
|
|
puts "hook IAT" if $DEBUG
|
|
|
|
@pe.imports.to_a.each { |id|
|
|
|
|
ptr = @load_address + id.iat_p
|
|
|
|
id.imports.each { |i|
|
|
|
|
n = "#{id.libname}!#{i.name}"
|
|
|
|
cb = DL.callback_alloc_c('void x(void)') { raise "unemulated import #{n}" }
|
|
|
|
DL.memory_write_int(ptr, cb)
|
|
|
|
@iat_cb[n] = cb
|
|
|
|
ptr += 4
|
|
|
|
}
|
|
|
|
}
|
|
|
|
when :eat, :exports
|
|
|
|
puts "hook EAT" if $DEBUG
|
|
|
|
ptr = @load_address + @pe.export.func_p
|
|
|
|
@pe.export.exports.each { |e|
|
|
|
|
n = e.name || e.ordinal
|
|
|
|
cb = DL.callback_alloc_c('void x(void)') { raise "unemulated export #{n}" }
|
|
|
|
DL.memory_write_int(ptr, cb - @load_address) # RVA
|
|
|
|
@eat_cb[n] = cb
|
|
|
|
ptr += 4
|
|
|
|
}
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# reset original expected memory protections for the sections
|
|
|
|
# the IAT may reside in a readonly section, so call this only after all hook_imports
|
|
|
|
def reprotect_sections
|
|
|
|
@pe.sections.each { |s|
|
|
|
|
p = ''
|
|
|
|
p << 'r' if s.characteristics.include? 'MEM_READ'
|
|
|
|
p << 'w' if s.characteristics.include? 'MEM_WRITE'
|
|
|
|
p << 'x' if s.characteristics.include? 'MEM_EXECUTE'
|
|
|
|
DL.memory_perm(@load_address + s.virtaddr, s.virtsize, p)
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
# add a specific hook for an IAT function
|
|
|
|
# accepts a function pointer in proto
|
|
|
|
# exemple: hook_import('KERNEL32.dll', 'GetProcAddress', '__stdcall int f(int, char*)') { |h, name| puts "getprocaddr #{name}" ; 0 }
|
|
|
|
def hook_import(libname, impname, proto, &b)
|
|
|
|
@pe.imports.to_a.each { |id|
|
|
|
|
next if id.libname != libname
|
|
|
|
ptr = @load_address + id.iat_p
|
|
|
|
id.imports.each { |i|
|
|
|
|
if i.name == impname
|
|
|
|
DL.callback_free(@iat_cb["#{libname}!#{impname}"])
|
|
|
|
if proto.kind_of? Integer
|
|
|
|
cb = proto
|
|
|
|
else
|
|
|
|
cb = DL.callback_alloc_c(proto, &b)
|
|
|
|
@iat_cb["#{libname}!#{impname}"] = cb
|
|
|
|
end
|
|
|
|
DL.memory_write_int(ptr, cb)
|
|
|
|
end
|
|
|
|
ptr += 4
|
|
|
|
}
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
# add a specific hook in the export table
|
|
|
|
# exemple: hook_export('ExportedFunc', '__stdcall int f(int, char*)') { |i, p| blabla ; 1 }
|
|
|
|
def hook_export(name, proto, &b)
|
|
|
|
ptr = @load_address + @pe.export.func_p
|
|
|
|
@pe.export.exports.each { |e|
|
|
|
|
n = e.name || e.ordinal
|
|
|
|
if n == name
|
|
|
|
DL.callback_free(@eat_cb[name])
|
|
|
|
if proto.kind_of? Integer
|
|
|
|
cb = proto
|
|
|
|
else
|
|
|
|
cb = DL.callback_alloc_c(proto, &b)
|
|
|
|
@eat_cb[name] = cb
|
|
|
|
end
|
|
|
|
DL.memory_write_int(ptr, cb - @load_address) # RVA
|
|
|
|
end
|
|
|
|
ptr += 4
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
# run the loaded PE entrypoint
|
|
|
|
def run_init
|
|
|
|
ptr = @pe.optheader.entrypoint
|
|
|
|
if ptr != 0
|
|
|
|
ptr += @load_address
|
|
|
|
DL.raw_invoke(ptr, [@load_address, 1, 1], 1)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# similar to DL.new_api_c for the mapped PE
|
|
|
|
def new_api_c(proto)
|
|
|
|
proto += ';' # allow 'int foo()'
|
|
|
|
cp = DL.host_cpu.new_cparser
|
|
|
|
cp.parse(proto)
|
|
|
|
cp.toplevel.symbol.each_value { |v|
|
|
|
|
next if not v.kind_of? Metasm::C::Variable # enums
|
|
|
|
if e = pe.export.exports.find { |e_| e_.name == v.name and e_.target }
|
|
|
|
DL.new_caller_for(cp, v, v.name.downcase, @load_address + pe.label_rva(e.target))
|
|
|
|
end
|
|
|
|
}
|
|
|
|
|
|
|
|
cp.numeric_constants.each { |k, v, f|
|
|
|
|
n = k.upcase
|
|
|
|
n = "C#{n}" if n !~ /^[A-Z]/
|
|
|
|
DL.const_set(n, v) if not DL.const_defined?(n) and v.kind_of? Integer
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
# maps a TEB/PEB in the current process, sets the fs register to point to it
|
|
|
|
def self.setup_teb
|
|
|
|
@@teb = DL.memory_alloc(4096)
|
|
|
|
@@peb = DL.memory_alloc(4096)
|
|
|
|
populate_teb
|
|
|
|
populate_peb
|
|
|
|
fs = allocate_ldt_entry_teb
|
|
|
|
DL.new_func_c('__fastcall void set_fs(int i) { asm("mov fs, ecx"); }') { DL.set_fs(fs) }
|
|
|
|
end
|
|
|
|
|
|
|
|
# fills a fake TEB structure
|
|
|
|
def self.populate_teb
|
|
|
|
DL.memory_write(@@teb, 0.chr*4096)
|
|
|
|
set = lambda { |off, val| DL.memory_write_int(@@teb+off, val) }
|
|
|
|
# the stack will probably never go higher than that whenever in the dll...
|
|
|
|
set[0x4, DL.new_func_c('int get_sp(void) { asm("mov eax, esp and eax, ~0xfff"); }') { DL.get_sp }] # stack_base
|
|
|
|
set[0x8, 0x10000] # stack_limit
|
|
|
|
set[0x18, @@teb] # teb
|
|
|
|
set[0x30, @@peb] # peb
|
|
|
|
end
|
|
|
|
|
|
|
|
def self.populate_peb
|
|
|
|
DL.memory_write(@@peb, 0.chr*4096)
|
|
|
|
#set = lambda { |off, val| DL.memory_write_int(@@peb+off, val) }
|
|
|
|
end
|
|
|
|
|
|
|
|
def self.teb ; @@teb ; end
|
|
|
|
def self.peb ; @@peb ; end
|
|
|
|
|
|
|
|
# allocate an LDT entry for the teb, returns a value suitable for the fs selector
|
|
|
|
def self.allocate_ldt_entry_teb
|
|
|
|
entry = 1
|
|
|
|
# ldt_entry base_addr size_in_pages
|
|
|
|
# 32bits:1 type:2 (0=data) readonly:1 limit_in_pages:1 seg_not_present:1 usable:1
|
|
|
|
struct = [entry, @@teb, 1, 0b1_0_1_0_00_1].pack('VVVV')
|
|
|
|
Kernel.syscall(123, 1, DL.str_ptr(struct), struct.length) # __NR_modify_ldt
|
|
|
|
(entry << 3) | 7
|
|
|
|
end
|
|
|
|
|
|
|
|
setup_teb
|
2014-02-19 19:13:08 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# generate a fake PE which exports stuff found in k32/ntdll
|
|
|
|
# so that other lib may directly scan this PE with their own getprocaddr
|
|
|
|
class FakeWinAPI < PeLdr
|
2014-02-19 20:01:20 +00:00
|
|
|
attr_accessor :win_version
|
|
|
|
attr_accessor :exports
|
|
|
|
|
|
|
|
def initialize(elist=nil)
|
|
|
|
@exports = []
|
|
|
|
@win_version = { :major => 5, :minor => 1, :build => 2600, :sp => 'Service pack 3', :sp_major => 3, :sp_minor => 0 }
|
|
|
|
|
|
|
|
# if you know the exact list you need, put it there (much faster)
|
|
|
|
if not elist
|
|
|
|
elist = Metasm::WindowsExports::EXPORT.map { |k, v| k if v =~ /kernel32|ntdll/i }.compact
|
|
|
|
elist |= ['free', 'malloc', 'memset', '??2@YAPAXI@Z', '_initterm', '_lock', '_unlock', '_wcslwr', '_wcsdup', '__dllonexit']
|
|
|
|
end
|
|
|
|
|
|
|
|
src = ".libname 'emu_winapi'\ndummy: int 3\n" + elist.map { |e| ".export #{e.inspect} dummy" }.join("\n")
|
|
|
|
super(Metasm::PE.assemble(Metasm::Ia32.new, src).encode_string(:lib), :eat) # put 'nil' instead of :eat if all exports are emu
|
|
|
|
|
|
|
|
@heap = {}
|
|
|
|
malloc = lambda { |sz| str = 0.chr*sz ; ptr = DL.str_ptr(str) ; @heap[ptr] = str ; ptr }
|
|
|
|
|
|
|
|
lasterr = 0
|
|
|
|
|
|
|
|
# kernel32
|
|
|
|
hook_export('CloseHandle', '__stdcall int f(int)') { |a| 1 }
|
|
|
|
hook_export('DuplicateHandle', '__stdcall int f(int, int, int, void*, int, int, int)') { |*a| DL.memory_write_int(a[3], a[1]) ; 1 }
|
|
|
|
hook_export('EnterCriticalSection', '__stdcall int f(void*)') { 1 }
|
|
|
|
hook_export('GetCurrentProcess', '__stdcall int f(void)') { -1 }
|
|
|
|
hook_export('GetCurrentProcessId', '__stdcall int f(void)') { Process.pid }
|
|
|
|
hook_export('GetCurrentThreadId', '__stdcall int f(void)') { Process.pid }
|
|
|
|
hook_export('GetEnvironmentVariableW', '__stdcall int f(void*, void*, int)') { |name, resp, sz|
|
|
|
|
next 0 if name == 0
|
|
|
|
s = DL.memory_read_wstrz(name)
|
|
|
|
s = s.unpack('v*').pack('C*') rescue nil
|
2014-02-19 19:13:08 +00:00
|
|
|
puts "GetEnv #{s.inspect}" if $VERBOSE
|
2014-02-19 20:01:20 +00:00
|
|
|
v = ENV[s].to_s
|
|
|
|
if resp and v.length*2+2 <= sz
|
|
|
|
DL.memory_write(resp, (v.unpack('C*') << 0).pack('v*'))
|
|
|
|
v.length*2 # 0 if not found
|
|
|
|
else
|
|
|
|
v.length*2+2
|
|
|
|
end
|
|
|
|
}
|
|
|
|
hook_export('GetLastError', '__stdcall int f(void)') { lasterr }
|
|
|
|
hook_export('GetProcAddress', '__stdcall int f(int, char*)') { |h, v|
|
|
|
|
v = DL.memory_read_strz(v) if v >= 0x10000
|
2014-02-19 19:13:08 +00:00
|
|
|
puts "GetProcAddr #{'0x%x' % h}, #{v.inspect}" if $VERBOSE
|
2014-02-19 20:01:20 +00:00
|
|
|
@eat_cb[v] or raise "unemulated getprocaddr #{v}"
|
|
|
|
}
|
|
|
|
hook_export('GetSystemInfo', '__stdcall void f(void*)') { |ptr|
|
|
|
|
DL.memory_write(ptr, [0, 0x1000, 0x10000, 0x7ffeffff, 1, 1, 586, 0x10000, 0].pack('V*'))
|
|
|
|
1
|
|
|
|
}
|
|
|
|
hook_export('GetSystemTimeAsFileTime', '__stdcall void f(void*)') { |ptr|
|
|
|
|
v = ((Time.now - Time.mktime(1971, 1, 1, 0, 0, 0) + 370*365.25*24*60*60) * 1000 * 1000 * 10).to_i
|
|
|
|
DL.memory_write(ptr, [v & 0xffffffff, (v >> 32 & 0xffffffff)].pack('VV'))
|
|
|
|
1
|
|
|
|
}
|
|
|
|
hook_export('GetTickCount', '__stdcall int f(void)') { (Time.now.to_i * 1000) & 0xffff_ffff }
|
|
|
|
hook_export('GetVersion', '__stdcall int f(void)') { (@win_version[:build] << 16) | (@win_version[:major] << 8) | @win_version[:minor] }
|
|
|
|
hook_export('GetVersionExA', '__stdcall int f(void*)') { |ptr|
|
|
|
|
sz = DL.memory_read(ptr, 4).unpack('V').first
|
|
|
|
data = [@win_version[:major], @win_version[:minor], @win_version[:build], 2, @win_version[:sp], @win_version[:sp_major], @win_version[:sp_minor]].pack('VVVVa128VV')
|
|
|
|
DL.memory_write(ptr+4, data[0, sz-4])
|
|
|
|
1
|
|
|
|
}
|
|
|
|
hook_export('HeapAlloc', '__stdcall int f(int, int, int)') { |h, f, sz| malloc[sz] }
|
|
|
|
hook_export('HeapCreate', '__stdcall int f(int, int, int)') { 1 }
|
|
|
|
hook_export('HeapFree', '__stdcall int f(int, int, int)') { |h, f, p| @heap.delete p ; 1 }
|
|
|
|
hook_export('InterlockedCompareExchange', '__stdcall int f(int*, int, int)'+
|
|
|
|
'{ asm("mov eax, [ebp+16] mov ecx, [ebp+12] mov edx, [ebp+8] lock cmpxchg [edx], ecx"); }')
|
|
|
|
hook_export('InterlockedExchange', '__stdcall int f(int*, int)'+
|
|
|
|
'{ asm("mov eax, [ebp+12] mov ecx, [ebp+8] lock xchg [ecx], eax"); }')
|
|
|
|
hook_export('InitializeCriticalSectionAndSpinCount', '__stdcall int f(int, int)') { 1 }
|
|
|
|
hook_export('InitializeCriticalSection', '__stdcall int f(void*)') { 1 }
|
|
|
|
hook_export('LeaveCriticalSection', '__stdcall int f(void*)') { 1 }
|
|
|
|
hook_export('QueryPerformanceCounter', '__stdcall int f(void*)') { |ptr|
|
|
|
|
v = (Time.now.to_f * 1000 * 1000).to_i
|
|
|
|
DL.memory_write(ptr, [v & 0xffffffff, (v >> 32 & 0xffffffff)].pack('VV'))
|
|
|
|
1
|
|
|
|
}
|
|
|
|
hook_export('SetLastError', '__stdcall int f(int)') { |i| lasterr = i ; 1 }
|
|
|
|
hook_export('TlsAlloc', '__stdcall int f(void)') { 1 }
|
|
|
|
|
|
|
|
# ntdll
|
|
|
|
readustring = lambda { |p| DL.memory_read(*DL.memory_read(p, 8).unpack('vvV').values_at(2, 0)) }
|
|
|
|
hook_export('RtlEqualUnicodeString', '__stdcall int f(void*, void*, int)') { |s1, s2, cs|
|
|
|
|
s1 = readustring[s1]
|
|
|
|
s2 = readustring[s2]
|
2014-02-19 19:13:08 +00:00
|
|
|
puts "RtlEqualUnicodeString #{s1.unpack('v*').pack('C*').inspect}, #{s2.unpack('v*').pack('C*').inspect}, #{cs}" if $VERBOSE
|
2014-02-19 20:01:20 +00:00
|
|
|
if cs == 1
|
|
|
|
s1 = s1.downcase
|
|
|
|
s2 = s2.downcase
|
|
|
|
end
|
|
|
|
s1 == s2 ? 1 : 0
|
|
|
|
}
|
|
|
|
hook_export('MultiByteToWideChar', '__stdcall int f(int, int, void*, int, void*, int)') { |cp, fl, ip, is, op, os|
|
|
|
|
is = DL.memory_read_strz(ip).length if is == 0xffff_ffff
|
|
|
|
if os == 0
|
|
|
|
is
|
|
|
|
elsif os >= is*2 # not sure with this..
|
|
|
|
DL.memory_write(op, DL.memory_read(ip, is).unpack('C*').pack('v*'))
|
|
|
|
is
|
|
|
|
else 0
|
|
|
|
end
|
|
|
|
|
|
|
|
}
|
|
|
|
hook_export('LdrUnloadDll', '__stdcall int f(int)') { 0 }
|
|
|
|
|
|
|
|
# msvcrt
|
|
|
|
hook_export('free', 'void f(int)') { |i| @heap.delete i ; 0}
|
|
|
|
hook_export('malloc', 'int f(int)') { |i| malloc[i] }
|
|
|
|
hook_export('memset', 'char* f(char* p, char c, int n) { while (n--) p[n] = c; return p; }')
|
|
|
|
hook_export('??2@YAPAXI@Z', 'int f(int)') { |i| raise 'fuuu' if i > 0x100000 ; malloc[i] } # at some point we're called with a ptr as arg, may be a peldr bug
|
|
|
|
hook_export('__dllonexit', 'int f(int, int, int)') { |i, ii, iii| i }
|
|
|
|
hook_export('_initterm', 'void f(void (**p)(void), void*p2) { while(p < p2) { if (*p) (**p)(); p++; } }')
|
|
|
|
hook_export('_lock', 'void f(int)') { 0 }
|
|
|
|
hook_export('_unlock', 'void f(int)') { 0 }
|
|
|
|
hook_export('_wcslwr', '__int16* f(__int16* p) { int i=-1; while (p[++i]) p[i] |= 0x20; return p; }')
|
|
|
|
hook_export('_wcsdup', 'int f(__int16* p)') { |p|
|
|
|
|
cp = DL.memory_read_wstrz(p) + "\0\0"
|
|
|
|
p = DL.str_ptr(cp)
|
|
|
|
@heap[p] = cp
|
|
|
|
p
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
def hook_export(*a, &b)
|
|
|
|
@exports |= [a.first]
|
|
|
|
super(*a, &b)
|
|
|
|
end
|
|
|
|
|
|
|
|
# take another PeLdr and patch its IAT with functions from our @exports (eg our explicit export hooks)
|
|
|
|
def intercept_iat(ldr)
|
|
|
|
ldr.pe.imports.to_a.each { |id|
|
|
|
|
id.imports.each { |i|
|
|
|
|
next if not @exports.include? i.name or not @eat_cb[i.name]
|
|
|
|
ldr.hook_import(id.libname, i.name, @eat_cb[i.name])
|
|
|
|
}
|
|
|
|
}
|
|
|
|
end
|
2014-02-19 19:13:08 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
if $0 == __FILE__
|
2014-02-19 20:01:20 +00:00
|
|
|
dl = Metasm::DynLdr
|
|
|
|
|
|
|
|
l = PeLdr.new('dbghelp.dll')
|
|
|
|
#dl.memory_write(l.load_address + 0x33b10, "\x90\xcc") # break on SymInitializeW
|
|
|
|
|
|
|
|
puts 'dbghelp@%x' % l.load_address if $VERBOSE
|
|
|
|
|
|
|
|
wapi = FakeWinAPI.new %w[CloseHandle DuplicateHandle EnterCriticalSection GetCurrentProcess GetCurrentProcessId GetCurrentThreadId GetEnvironmentVariableW GetLastError GetProcAddress GetSystemInfo GetSystemTimeAsFileTime GetTickCount GetVersion GetVersionExA HeapAlloc HeapCreate HeapFree InterlockedCompareExchange InterlockedExchange InitializeCriticalSectionAndSpinCount InitializeCriticalSection LeaveCriticalSection QueryPerformanceCounter SetLastError TlsAlloc RtlEqualUnicodeString MultiByteToWideChar free malloc memset ??2@YAPAXI@Z __dllonexit _initterm _lock _unlock _wcslwr _wcsdup GetModuleHandleA LoadLibraryA NtQueryObject NtQueryInformationProcess LdrUnloadDll]
|
|
|
|
puts 'wapi@%x' % wapi.load_address if $VERBOSE
|
|
|
|
|
|
|
|
wapi.hook_export('GetModuleHandleA', '__stdcall int f(char*)') { |ptr|
|
|
|
|
s = dl.memory_read_strz(ptr) if ptr
|
|
|
|
case s
|
|
|
|
when /kernel32|ntdll/i; wapi.load_address
|
|
|
|
else 0
|
|
|
|
end
|
|
|
|
}
|
|
|
|
wapi.hook_export('LoadLibraryA', '__stdcall int f(char*)') { |ptr|
|
|
|
|
s = dl.memory_read_strz(ptr)
|
|
|
|
case s
|
|
|
|
when /kernel32|ntdll/i; wapi.load_address
|
|
|
|
else puts "LoadLibrary #{s.inspect}" ; 0
|
|
|
|
end
|
|
|
|
}
|
|
|
|
wapi.hook_export('NtQueryObject', '__stdcall int f(int, int, void*, int, int*)') { |h, type, resp, sz, psz|
|
2014-02-19 19:13:08 +00:00
|
|
|
puts "NtQueryObject #{h}, #{type}, #{sz}" if $VERBOSE
|
2014-02-19 20:01:20 +00:00
|
|
|
if h == 42 and type == 2 and sz >= 24
|
|
|
|
dl.memory_write(resp, [14, 16, resp+8].pack('vvV') + "Process\0".unpack('C*').pack('v*'))
|
|
|
|
dl.memory_write_int(psz, 24) if psz
|
|
|
|
0
|
|
|
|
else
|
|
|
|
0x8000_0000
|
|
|
|
end
|
|
|
|
}
|
|
|
|
wapi.hook_export('NtQueryInformationProcess', '__stdcall int f(int, int, void*, int, int*)') { |h, type, resp, sz, psz|
|
2014-02-19 19:13:08 +00:00
|
|
|
puts "NtQueryInformationProcess #{h}, #{type}, #{sz}" if $VERBOSE
|
2014-02-19 20:01:20 +00:00
|
|
|
if h == 42 and type == 0
|
|
|
|
# reservd peb res res ptr_to_pid
|
|
|
|
peb = 0xdead0000
|
|
|
|
dl.memory_write(resp, [42, peb, 0, 0, resp, 0].pack('V*'))
|
|
|
|
dl.memory_write_int(psz, 24) if psz
|
|
|
|
0
|
|
|
|
else
|
|
|
|
0x8000_0000
|
|
|
|
end
|
|
|
|
}
|
2014-02-19 19:13:08 +00:00
|
|
|
#puts wapi.exports.join(' ') # generate arglist for FakeWinAPI.new
|
|
|
|
# TODO hook the resolv function of dbghelp to list what it checks
|
|
|
|
|
2014-02-19 20:01:20 +00:00
|
|
|
wapi.intercept_iat(l)
|
2014-02-19 19:13:08 +00:00
|
|
|
|
|
|
|
|
2014-02-19 20:01:20 +00:00
|
|
|
l.reprotect_sections
|
2014-02-19 19:13:08 +00:00
|
|
|
|
2014-02-19 20:01:20 +00:00
|
|
|
l.new_api_c <<EOS
|
2014-02-19 19:13:08 +00:00
|
|
|
#define SYMOPT_CASE_INSENSITIVE 0x00000001
|
|
|
|
#define SYMOPT_UNDNAME 0x00000002
|
|
|
|
#define SYMOPT_DEFERRED_LOADS 0x00000004
|
|
|
|
#define SYMOPT_NO_CPP 0x00000008
|
|
|
|
#define SYMOPT_LOAD_LINES 0x00000010
|
|
|
|
#define SYMOPT_OMAP_FIND_NEAREST 0x00000020
|
|
|
|
#define SYMOPT_LOAD_ANYTHING 0x00000040
|
|
|
|
#define SYMOPT_IGNORE_CVREC 0x00000080
|
|
|
|
#define SYMOPT_NO_UNQUALIFIED_LOADS 0x00000100
|
|
|
|
#define SYMOPT_FAIL_CRITICAL_ERRORS 0x00000200
|
|
|
|
#define SYMOPT_EXACT_SYMBOLS 0x00000400
|
|
|
|
#define SYMOPT_ALLOW_ABSOLUTE_SYMBOLS 0x00000800
|
|
|
|
#define SYMOPT_IGNORE_NT_SYMPATH 0x00001000
|
|
|
|
#define SYMOPT_INCLUDE_32BIT_MODULES 0x00002000
|
|
|
|
#define SYMOPT_PUBLICS_ONLY 0x00004000
|
|
|
|
#define SYMOPT_NO_PUBLICS 0x00008000
|
|
|
|
#define SYMOPT_AUTO_PUBLICS 0x00010000
|
|
|
|
#define SYMOPT_NO_IMAGE_SEARCH 0x00020000
|
|
|
|
#define SYMOPT_SECURE 0x00040000
|
|
|
|
#define SYMOPT_NO_PROMPTS 0x00080000
|
|
|
|
#define SYMOPT_DEBUG 0x80000000
|
|
|
|
|
|
|
|
typedef int BOOL;
|
|
|
|
typedef char CHAR;
|
|
|
|
typedef unsigned long DWORD;
|
|
|
|
typedef unsigned __int64 DWORD64;
|
|
|
|
typedef void *HANDLE;
|
|
|
|
typedef unsigned __int64 *PDWORD64;
|
|
|
|
typedef void *PVOID;
|
|
|
|
typedef unsigned long ULONG;
|
|
|
|
typedef unsigned __int64 ULONG64;
|
|
|
|
typedef const CHAR *PCSTR;
|
|
|
|
typedef CHAR *PSTR;
|
|
|
|
|
|
|
|
struct _SYMBOL_INFO {
|
|
|
|
ULONG SizeOfStruct;
|
|
|
|
ULONG TypeIndex;
|
|
|
|
ULONG64 Reserved[2];
|
|
|
|
ULONG info;
|
|
|
|
ULONG Size;
|
|
|
|
ULONG64 ModBase;
|
|
|
|
ULONG Flags;
|
|
|
|
ULONG64 Value;
|
|
|
|
ULONG64 Address;
|
|
|
|
ULONG Register;
|
|
|
|
ULONG Scope;
|
|
|
|
ULONG Tag;
|
|
|
|
ULONG NameLen;
|
|
|
|
ULONG MaxNameLen;
|
|
|
|
CHAR Name[1];
|
|
|
|
};
|
|
|
|
typedef struct _SYMBOL_INFO *PSYMBOL_INFO;
|
|
|
|
|
|
|
|
typedef __stdcall BOOL (*PSYM_ENUMERATESYMBOLS_CALLBACK)(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext);
|
|
|
|
__stdcall DWORD SymGetOptions(void);
|
|
|
|
__stdcall DWORD SymSetOptions(DWORD SymOptions __attribute__((in)));
|
|
|
|
__stdcall BOOL SymInitialize(HANDLE hProcess __attribute__((in)), PSTR UserSearchPath __attribute__((in)), BOOL fInvadeProcess __attribute__((in)));
|
|
|
|
__stdcall DWORD64 SymLoadModule64(HANDLE hProcess __attribute__((in)), HANDLE hFile __attribute__((in)), PSTR ImageName __attribute__((in)), PSTR ModuleName __attribute__((in)), DWORD64 BaseOfDll __attribute__((in)), DWORD SizeOfDll __attribute__((in)));
|
|
|
|
__stdcall BOOL SymSetSearchPath(HANDLE hProcess __attribute__((in)), PSTR SearchPathA __attribute__((in)));
|
|
|
|
__stdcall BOOL SymFromAddr(HANDLE hProcess __attribute__((in)), DWORD64 Address __attribute__((in)), PDWORD64 Displacement __attribute__((out)), PSYMBOL_INFO Symbol __attribute__((in)) __attribute__((out)));
|
|
|
|
__stdcall BOOL SymEnumSymbols(HANDLE hProcess __attribute__((in)), ULONG64 BaseOfDll __attribute__((in)), PCSTR Mask __attribute__((in)), PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback __attribute__((in)), PVOID UserContext __attribute__((in)));
|
|
|
|
EOS
|
|
|
|
|
|
|
|
|
2014-02-19 20:01:20 +00:00
|
|
|
puts 'run_init'
|
|
|
|
l.run_init
|
|
|
|
|
|
|
|
puts 'sym_init'
|
|
|
|
dl.syminitialize(42, 0, 0)
|
|
|
|
puts 'sym_setopt'
|
|
|
|
dl.symsetoptions(dl.symgetoptions|dl::SYMOPT_DEFERRED_LOADS|dl::SYMOPT_NO_PROMPTS)
|
|
|
|
puts 'sym_setsearch'
|
|
|
|
sympath = ENV['_NT_SYMBOL_PATH'] || 'srv**/tmp/symbols*http://msdl.microsoft.com/download/symbols'
|
|
|
|
dl.symsetsearchpath(42, sympath)
|
|
|
|
|
|
|
|
puts 'sym_loadmod'
|
|
|
|
tg = PeLdr.new('kernel32.dll')
|
|
|
|
dl.symloadmodule64(42, 0, 0, 0, tg.load_address, 0)
|
|
|
|
|
|
|
|
puts 'walk'
|
|
|
|
symstruct = [0x58].pack('L') + 0.chr*4*19 + [512].pack('L') # sizeofstruct, ..., nameszmax
|
|
|
|
text = tg.pe.sections.find { |s| s.name == '.text' }
|
|
|
|
# SymEnumSymbols
|
|
|
|
text.rawsize.times { |o|
|
|
|
|
sym = symstruct + 0.chr*512 # name concat'ed after the struct
|
|
|
|
off = 0.chr*8
|
|
|
|
if dl.symfromaddr(42, tg.load_address+text.virtaddr+o, off, sym) and off.unpack('L').first == 0
|
|
|
|
symnamelen = sym[19*4, 4].unpack('L').first
|
|
|
|
puts ' %x %s' % [text.virtaddr+o, sym[0x54, symnamelen].inspect]
|
2014-02-19 19:13:08 +00:00
|
|
|
break
|
2014-02-19 20:01:20 +00:00
|
|
|
end
|
|
|
|
puts ' %x/%x' % [o, text.rawsize] if $VERBOSE and o & 0xffff == 0
|
|
|
|
}
|
|
|
|
puts
|
2014-02-19 19:13:08 +00:00
|
|
|
end
|