Beispiel #1
 def __call__(self, emu, api, argv):
     """Stop emulation when the sample tries to end its own process.

     ExitProcess and RaiseException always halt the run.  TerminateProcess
     halts it only when the handle argument equals the emulated
     current-process handle (CURRENT_PROCESS_ID, as handed out by the
     GetCurrentProcess hook); terminating some other process is no reason
     to stop analysing this one.  Unmatched calls fall through with no
     return value, so the driver's default handling continues.

     Raises:
         viv_utils.emulator_drivers.StopEmulation: on self-termination.
     """
     if fu.contains_funcname(api, ("ExitProcess", "RaiseException")):
         raise viv_utils.emulator_drivers.StopEmulation()
     if not fu.contains_funcname(api, ("TerminateProcess", )):
         return
     # TerminateProcess(hProcess, uExitCode): first argument is the target handle
     target = argv[0]
     if target != CURRENT_PROCESS_ID:
         return
     raise viv_utils.emulator_drivers.StopEmulation()
Beispiel #2
 def __call__(self, emu, api, argv):
     """Neutralise the MSVC stack-cookie check so emulation does not abort.

     __security_check_cookie (and its fastcall-decorated 32-bit alias)
     compares the stack cookie with the process-wide value; under emulation
     the cookie is not meaningfully initialised, so the call is turned into
     a no-op that returns 0.  Returns True when the call was handled,
     None otherwise.
     """
     cookie_checks = ("__security_check_cookie", "@__security_check_cookie@4")
     if not fu.contains_funcname(api, cookie_checks):
         return None
     # nop: skip the check, report success
     fu.call_return(emu, api, argv, 0)
     return True
Beispiel #3
 def __call__(self, emu, api, argv):
     """Skip the MSVC exception-handling prolog/epilog helpers.

     __EH_prolog3, __SEH_prolog4, seh4_prolog and __SEH_epilog4 set up or
     tear down the compiler's EH frame; that bookkeeping is irrelevant to
     the emulation and would only cost cycles, so each is replaced by a
     no-op returning 0.  Returns True when the call was handled, None
     otherwise.
     """
     eh_helpers = ("__EH_prolog3", "__SEH_prolog4", "seh4_prolog", "__SEH_epilog4")
     if not fu.contains_funcname(api, eh_helpers):
         return None
     # nop
     fu.call_return(emu, api, argv, 0)
     return True
Beispiel #4
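 def __call__(self, emu, api, argv):
     """Emulate memset(ptr, value, num) by filling emulator memory.

     ``value`` is masked to a single byte first, because C converts it to
     ``unsigned char`` and bytes([value]) would raise ValueError for any
     value >= 256.  ``num`` comes from emulated -- possibly garbage --
     arguments and is capped at MAX_MEMORY_SIZE, the same limit the memcpy
     hook applies, so a bogus length cannot exhaust host memory.  Returns
     ptr to the emulated caller, as memset does, and True to signal the
     call was handled (None when the API is not memset).
     """
     if not fu.contains_funcname(api, ("memset", )):
         return None
     ptr, value, num = argv
     if num > MAX_MEMORY_SIZE:
         logger.trace("unusually large %s (%s), truncating to: 0x%x",
                      fu.get_call_funcname(api), argv, MAX_MEMORY_SIZE)
         num = MAX_MEMORY_SIZE
     emu.writeMemory(ptr, bytes([value & 0xFF]) * num)
     fu.call_return(emu, api, argv, ptr)
     return True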
Beispiel #5
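    def __call__(self, emu, api, argv):
        """Emulate memcpy/memmove and memcpy_s/wmemcpy_s as a plain copy.

        memcpy and memmove take (dst, src, count); memcpy_s and wmemcpy_s
        take (dst, dst_size, src, count).  The bounded variants are tested
        first so that a substring-style name match on "memcpy" cannot
        swallow a memcpy_s call and unpack its four arguments into three.
        For wmemcpy_s ``count`` is in wide characters (2 bytes each on
        Windows) and is scaled to bytes before copying.  The byte count is
        capped at MAX_MEMORY_SIZE because it is taken from emulated,
        possibly garbage, arguments.  memcpy/memmove return dst; the *_s
        variants return errno_t 0 (success).  ``dst_size`` is not enforced:
        a real memcpy_s fails with ERANGE and zeroes the destination when
        count > dst_size.  Returns True when handled, False otherwise.
        """
        if fu.contains_funcname(api, ("memcpy_s", )):
            dst, dst_size, src, count = argv
            nbytes = count
            retval = 0
        elif fu.contains_funcname(api, ("wmemcpy_s", )):
            dst, dst_size, src, count = argv
            nbytes = count * 2
            retval = 0
        elif fu.contains_funcname(api, ("memcpy", "memmove")):
            dst, src, count = argv
            nbytes = count
            retval = dst
        else:
            return False

        if nbytes > MAX_MEMORY_SIZE:
            logger.trace("unusually large %s (%s), truncating to: 0x%x",
                         fu.get_call_funcname(api), argv, MAX_MEMORY_SIZE)
            nbytes = MAX_MEMORY_SIZE
        emu.writeMemory(dst, emu.readMemory(src, nbytes))
        fu.call_return(emu, api, argv, retval)
        return True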
Beispiel #6
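 def __call__(self, emu, api, argv):
     """Emulate vsprintf-style calls by copying the raw format string.

     Format directives are not expanded (the va_list is ignored); the
     format string is written verbatim to ``buf``.  The value returned to
     the emulated caller is the number of characters written, i.e.
     len(format_str): vsprintf, vswprintf and wvsprintfA all return a
     count, not the buffer pointer.  NOTE(review): vswprintf takes a wide
     format string but it is read here with readStringAtRva's default
     (narrow) charsize, and no terminator is appended after the copy --
     confirm what readStringAtRva returns before relying on either.
     Returns True when the call was handled, None otherwise.
     """
     # TODO vfprintf, vfwprintf, vfprintf_s, vfwprintf_s, vsnprintf, vsnwprintf, etc.
     if not fu.contains_funcname(api, ("vsprintf", "vswprintf", "wvsprintfA")):
         return None
     buf, format_, *va_list = argv
     format_str = fu.readStringAtRva(emu, format_)
     # TODO format string: directives are copied through unexpanded
     emu.writeMemory(buf, format_str)
     fu.call_return(emu, api, argv, len(format_str))
     return True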
Beispiel #7
 def __call__(self, emu, api, argv):
     """Serve heap/virtual allocation calls from the hook's own memory pool.

     The requested size sits at a different argument position per API:
       malloc/_malloc                            -> argv[0]
       VirtualAlloc/LocalAlloc/GlobalAlloc       -> argv[1] (dwSize/uBytes)
       VirtualAllocEx/HeapAlloc/RtlAllocateHeap  -> argv[2] (dwSize/dwBytes)
       calloc/calloc_base                        -> argv[0] * argv[1]
     A block of that size is carved out via self._allocate_mem and its
     address handed back to the emulated caller.  The groups are tested in
     the same order as before; NOTE(review): if contains_funcname is a
     substring match, "VirtualAlloc" would shadow "VirtualAllocEx" here --
     confirm its matching rule.  Returns True if handled, False otherwise.
     """
     # (function names, index of the size argument)
     size_arg_index = (
         (("malloc", "_malloc"), 0),
         (("VirtualAlloc", "LocalAlloc", "GlobalAlloc"), 1),
         (("VirtualAllocEx", "HeapAlloc", "RtlAllocateHeap"), 2),
     )
     for names, index in size_arg_index:
         if fu.contains_funcname(api, names):
             size = argv[index]
             break
     else:
         if not fu.contains_funcname(api, ("calloc", "calloc_base")):
             # not handled by this hook
             return False
         # calloc(num, size): total bytes is the product
         size = argv[0] * argv[1]
     va = self._allocate_mem(emu, size)
     fu.call_return(emu, api, argv, va)
     return True
Beispiel #8
    def __call__(self, emu, api, argv):
        """Emulate strlen-family calls by reading the string from emulator memory.

        strlen/lstrlenA read at most 256 narrow characters, wcslen/lstrlenW
        at most 256 wide (2-byte) characters, and strnlen honours its own
        maxlen, capped at MAX_STR_SIZE because maxlen comes from (possibly
        garbage) emulated arguments.  The length returned is len() of
        whatever readStringAtRva hands back.  NOTE(review): for the wide
        variants that is only a character count if readStringAtRva drops
        the second byte of each character -- confirm against its
        implementation.  Returns True when handled, False otherwise.
        """
        narrow_apis = ("strlen", "lstrlena")
        wide_apis = ("wcslen", "lstrlenw")
        if fu.contains_funcname(api, narrow_apis):
            s = fu.readStringAtRva(emu, argv[0], 256)
        elif fu.contains_funcname(api, wide_apis):
            s = fu.readStringAtRva(emu, argv[0], 256, 2)
        elif fu.contains_funcname(api, ("strnlen", )):
            string_va, maxlen = argv
            capped = min(maxlen, MAX_STR_SIZE)
            if capped != maxlen:
                logger.trace("unusually large %s (%s), truncating to: 0x%x",
                             fu.get_call_funcname(api), argv, maxlen)
            s = fu.readStringAtRva(emu, string_va, maxsize=capped)
        else:
            return False

        fu.call_return(emu, api, argv, len(s))
        return True
Beispiel #9
 def __call__(self, emu, api, argv):
     """Emulate C++ operator new (mangled MSVC symbols) with the hook's allocator.

     Matches the mangled names held in self.ZNWJ, self.YAPAXI_Z_32 and
     self.YAPEAX_K_Z_64.  NOTE(review): self.ZNWJ appears twice in the
     original tuple; the duplicate may have been meant to be the
     operator new[] symbol -- confirm.  When vivisect could not recover
     argv the block size falls back to self.DEFAULT_SIZE.  Returns True
     when the call was handled, None otherwise.
     """
     new_symbols = (self.ZNWJ, self.ZNWJ, self.YAPAXI_Z_32, self.YAPEAX_K_Z_64)
     if not fu.contains_funcname(api, new_symbols):
         return None
     # vivisect may fail to extract argv; allocate a default block then
     size = argv[0] if argv else self.DEFAULT_SIZE
     va = self._allocate_mem(emu, size)
     fu.call_return(emu, api, argv, va)
     return True
Beispiel #10
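 def __call__(self, emu, api, argv):
     """Emulate memchr(ptr, value, num) over emulator memory.

     ``value`` is masked to one byte because C converts it to
     ``unsigned char``; bytes([value]) would raise ValueError for any
     value >= 256.  ``num`` comes from emulated, possibly garbage,
     arguments, so the scan is capped at MAX_MEMORY_SIZE -- the same limit
     the memcpy hook uses -- to keep a bogus length from pulling a huge
     region into host memory.  Returns the address of the first matching
     byte, or 0 (NULL) when absent, and True to signal the call was
     handled (None when the API is not memchr).
     """
     if not fu.contains_funcname(api, ("memchr", )):
         return None
     ptr, value, num = argv
     if num > MAX_MEMORY_SIZE:
         logger.trace("unusually large %s (%s), truncating to: 0x%x",
                      fu.get_call_funcname(api), argv, MAX_MEMORY_SIZE)
         num = MAX_MEMORY_SIZE
     haystack = emu.readMemory(ptr, num)
     idx = haystack.find(bytes([value & 0xFF]))
     # find() returns -1 when the byte is absent -> NULL
     offset = ptr + idx if idx >= 0 else 0
     fu.call_return(emu, api, argv, offset)
     return True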
Beispiel #11
    def __call__(self, emu, api, argv):
        """Hook for GetModuleFileName{A,W} and GetModuleFileNameEx{A,W}.

        NOTE(review): several defects are visible in this block:
          * GetModuleFileNameExW sets ``unicode = False``; it should be True.
          * ``lpLibName`` is never assigned, so every call with
            hModule != 0 raises NameError.  argv carries hModule (a
            handle), not a pointer to a name.
          * The real APIs write the path into ``lpFilename`` (at most
            ``nSize`` characters) and return the character count; here
            nothing is written and ``libname`` -- presumably a string, the
            type of self.MOD_NAME -- is passed to call_return.  Confirm
            what call_return does with a non-integer value.
        Returns True when the call was handled, False otherwise.
        """
        if fu.contains_funcname(api, ("GetModuleFileNameA", )):
            unicode = False
            hModule, lpFilename, nSize = argv
        elif fu.contains_funcname(api, ("GetModuleFileNameW", )):
            unicode = True
            hModule, lpFilename, nSize = argv
        elif fu.contains_funcname(api, ("GetModuleFileNameExA", )):
            unicode = False
            hProcess, hModule, lpFilename, nSize = argv
        elif fu.contains_funcname(api, ("GetModuleFileNameExW", )):
            # NOTE(review): the W variant should set unicode = True
            unicode = False
            hProcess, hModule, lpFilename, nSize = argv
        else:
            return False

        if hModule == 0:
            # NULL module handle means "the calling executable"
            libname = self.MOD_NAME
        else:
            # NOTE(review): lpLibName is undefined here -> NameError at runtime
            libname = self.readLibraryPath(lpLibName, unicode=unicode)

        fu.call_return(emu, api, argv, libname)
        return True
Beispiel #12
    def __call__(self, emu, api, argv):
        """Emulate strncmp(s1, s2, num) on strings read from emulator memory.

        Both strings are read with maxsize=num, capped at MAX_STR_SIZE since
        num comes from possibly garbage emulated arguments.  The result is
        the three-way comparison of the two values in Python's ordering:
        -1, 0 or 1.  Returns True when the call was handled, None otherwise.
        """
        if not fu.contains_funcname(api, ("strncmp", )):
            return None
        s1va, s2va, num = argv
        if num > MAX_STR_SIZE:
            logger.trace("unusually large %s (%s), truncating to: 0x%x",
                         fu.get_call_funcname(api), argv, num)
            num = MAX_STR_SIZE
        lhs = fu.readStringAtRva(emu, s1va, maxsize=num)
        rhs = fu.readStringAtRva(emu, s2va, maxsize=num)

        if lhs == rhs:
            result = 0
        elif lhs < rhs:
            result = -1
        else:
            result = 1
        fu.call_return(emu, api, argv, result)
        return True
Beispiel #13
 def __call__(self, emu, api, argv):
     """Answer GetLastError with ERROR_SUCCESS (0).

     No per-thread last-error state is tracked by the emulation, so every
     caller is told the previous call succeeded.  Returns True when the
     call was handled, None otherwise.
     """
     if not fu.contains_funcname(api, ("GetLastError", )):
         return None
     # always assuming success
     fu.call_return(emu, api, argv, 0)
     return True
Beispiel #14
 def __call__(self, emu, api, argv):
     """Report success for VirtualFree/HeapFree/RtlFreeHeap without freeing.

     Nothing is released in the emulator; the caller only sees the
     documented success value (nonzero).  Returns True when the call was
     handled, None otherwise.
     """
     free_apis = ("VirtualFree", "HeapFree", "RtlFreeHeap")
     if not fu.contains_funcname(api, free_apis):
         return None
     # If the function succeeds, the return value is nonzero.
     fu.call_return(emu, api, argv, 1)
     return True
Beispiel #15
 def __call__(self, emu, api, argv):
     """Return the emulated current-process handle for GetCurrentProcess.

     The value is CURRENT_PROCESS_ID, which the TerminateProcess hook
     compares against to detect self-termination.  Returns True when the
     call was handled, None otherwise.
     """
     if not fu.contains_funcname(api, ("GetCurrentProcess", )):
         return None
     fu.call_return(emu, api, argv, CURRENT_PROCESS_ID)
     return True
Beispiel #16
 def __call__(self, emu, api, argv):
     """Stub InitializeCriticalSection(lpCriticalSection).

     Writes the two-byte marker b"CS" at the start of the CRITICAL_SECTION
     struct so later code sees it as initialised, then returns 0 (the API
     itself is void).  Returns True when the call was handled, None
     otherwise.
     """
     if not fu.contains_funcname(api, ("InitializeCriticalSection", )):
         return None
     [hsection] = argv
     emu.writeMemory(hsection, b"CS")
     fu.call_return(emu, api, argv, 0)
     return True
Beispiel #17
 def __call__(self, emu, api, argv):
     """Hand out a fixed fake heap handle (42) for GetProcessHeap.

     The value is only a token for the allocation hooks, which ignore the
     heap handle argument.  Returns True when the call was handled, None
     otherwise.
     """
     if not fu.contains_funcname(api, ("GetProcessHeap", )):
         return None
     fu.call_return(emu, api, argv, 42)
     return True