def retrieveGetCompleteHook(ctx):
    """Log the bitmap and mask handles produced by an icon-retrieve call.

    Args:
        ctx: Hook context. Argument 1 is read as the raw return-parameter
            buffer; it must be at least 8 bytes long, otherwise
            ``struct.unpack`` raises ``struct.error``.
    """
    rawReturn = ctx.getArgument(1).rawData()
    # The buffer starts with two little-endian unsigned 32-bit values:
    # the source bitmap handle first, then the mask bitmap handle.
    handlePair = struct.unpack('<LL', rawReturn[:8])
    bitmapHandle, maskHandle = handlePair
    symemu.emulog('Rendered icon to bitmap handle {}, mask handle {}',
                  bitmapHandle, maskHandle)
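def ipcCopyHook():
    """Log the opcode and sender name of the IPC message whose handle is in r0.

    Nothing is logged when the handle does not resolve to a message.
    """
    rawHandle = symemu.Cpu.getReg(0)
    # The register holds an unsigned 32-bit value; the handle is a signed
    # 32-bit integer. c_int32 is used instead of c_long because c_long is
    # 64 bits wide on LP64 platforms, where it would leave the value unsigned.
    msgHandle = ctypes.c_int32(rawHandle).value
    msg = symemu.messageFromHandle(msgHandle)
    # Identity test rather than `!= None`, so a message type overriding
    # equality cannot change the outcome.
    if msg is None:
        return
    symemu.emulog('Message opcode: {}, sender: {}'.format(
        msg.function(), msg.sender().getName()))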
def retrieveGetSendHook(ctx):
    """Log the icon-pool file name plus bitmap and mask IDs of a retrieve request.

    Args:
        ctx: Hook context. Argument 0 is read as the raw parameter struct:
            a static UCS-2 descriptor naming the icon-pool file, followed by
            two signed little-endian 32-bit IDs. The slice for the IDs must
            be 8 bytes long or ``struct.unpack`` raises ``struct.error``.
    """
    rawParams = ctx.getArgument(0).rawData()
    fileNameMaxLen, filename = StringUtils.getStaticUcs2String(rawParams)
    # The IDs follow an 8-byte prefix (presumably the descriptor header)
    # plus the UCS-2 payload, which takes 2 bytes per character.
    idsOffset = 8 + 2 * fileNameMaxLen
    idsEnd = idsOffset + 8
    bitmapId, maskId = struct.unpack('<ll', rawParams[idsOffset:idsEnd])
    symemu.emulog('From file {}, bitmap ID {}, mask ID {}',
                  filename, bitmapId, maskId)
def serverDoConnectHook():
    """Log the function, version and flag of the connect message pointed to by r1.

    The structure at r1 is read at these offsets: handle (+0, dword),
    function (+4, dword), version major/minor (+8/+9, bytes), version
    build (+10, word), session pointer (+24, dword) and flag (+28, dword).
    The handle and session pointer are read but not logged.
    """
    base = cpu.getReg(1)
    readDword = symemu.readDword
    handle = readDword(base)
    func = readDword(base + 4)
    verMajor = symemu.readByte(base + 8)
    verMinor = symemu.readByte(base + 9)
    verBuild = symemu.readWord(base + 10)
    sessionPtr = readDword(base + 24)
    flag = readDword(base + 28)
    # NOTE(review): c_int(func) is passed through `{}` formatting as the
    # ctypes object itself, so the log line shows its repr rather than a
    # bare number if c_int is ctypes.c_int -- `.value` may have been
    # intended; left unchanged here.
    symemu.emulog('Func: {}, Version {}.{}({}), flag: {}',
                  c_int(func), verMajor, verMinor, verBuild, flag)
def scriptEntry():
    """Load euser.dll and log its runtime segment layout and export information."""
    seg = symemu.loadCodeseg('euser.dll')
    log = symemu.emulog
    # Code, data and bss segments: runtime address and size of each.
    codeAddress, codeSize = seg.codeRunAddress(), seg.codeSize()
    log('Runtime code address: 0x{:X}, size: 0x{:X}'.format(codeAddress, codeSize))
    dataAddress, dataSize = seg.dataRunAddress(), seg.dataSize()
    log('Runtime data address: 0x{:X}, size: 0x{:X}'.format(dataAddress, dataSize))
    bssAddress, bssSize = seg.bssRunAddress(), seg.bssSize()
    log('Runtime bss address: 0x{:X}, size: 0x{:X}'.format(bssAddress, bssSize))
    log('Total exports: {}'.format(seg.exportCount()))
    # Ordinal 649 is looked up as a spot check; `{:X}` requires lookup()
    # to return an integer.
    log('Export 649 loaded address: 0x{:X}'.format(seg.lookup(649)))
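def printStr(slot, *, maxLen=None):
    """Log the NUL-terminated string whose address is held in register ``slot``.

    Bytes are read from the current process one at a time until a NUL byte,
    an unreadable address or ``maxLen`` is reached, and the collected bytes
    are decoded once as UTF-8. Decoding once (with replacement) avoids the
    ``UnicodeDecodeError`` a per-byte decode raises on any multi-byte
    sequence.

    Args:
        slot: Register index passed to ``symemu.Cpu.getReg``.
        maxLen: Optional upper bound on the number of bytes read. ``None``
            reads until the terminator, matching the previous behaviour.
            Guest memory is untrusted, so callers may pass a bound to keep an
            unterminated string from walking memory indefinitely.
    """
    address = symemu.Cpu.getReg(slot)
    process = symemu.getCurrentProcess()
    collected = bytearray()
    while maxLen is None or len(collected) < maxLen:
        chunk = process.readProcessMemory(address, 1)
        # An empty/None read means the address is not readable; stop rather
        # than fail later in the decode.
        if not chunk or chunk == b'\0':
            break
        collected += chunk
        address += 1
    text = collected.decode('utf-8', errors='replace')
    # Pass the guest-controlled text as an argument, never as emulog's
    # format template, so braces in the string cannot reach str.format.
    symemu.emulog('{}', text)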
def entryScript():
    """Log a fixed line confirming that this script was imported successfully."""
    greeting = 'The entry! This means that I have been imported and survived!'
    symemu.emulog(greeting)
def waitForAnyRequestHook():
    """Log a fixed marker line each time the wait-for-any-request hook fires."""
    marker = 'Just wait for request...., what do you still want?'
    symemu.emulog(marker)
def getProcess():
    """Log the name and executable path of every process the emulator lists."""
    for proc in symemu.getProcessesList():
        symemu.emulog('Name: {}, Path: {}',
                      proc.getName(), proc.getExecutablePath())
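def leaveHook():
    """Log the leave code held in r0 at entry to the leave function.

    User is a static class, so r0 carries the leave code (not a `this`
    pointer) when the function begins.
    """
    rawCode = symemu.Cpu.getReg(0)
    # The register is a uint32 coming from C; reinterpret it as a signed
    # 32-bit value so negative leave codes are visible. c_int32 is used
    # rather than c_long because c_long is 64 bits wide on LP64 platforms,
    # where the value would stay unsigned.
    leaveCode = ctypes.c_int32(rawCode).value
    symemu.emulog('Function leaved with code: {}', leaveCode)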
def waitForRequestWhoHook():
    """Log which thread is about to wait for a request."""
    threadName = symemu.getCurrentThread().getName()
    symemu.emulog('Thread {} will wait for any request!'.format(threadName))
def scriptEntry():
    """Log a fixed greeting when the script is entered.

    NOTE(review): another ``scriptEntry`` is defined earlier in this file;
    if both are loaded as one module, this later definition replaces it.
    """
    greeting = 'Hello EKA2L1!'
    symemu.emulog(greeting)
def compareHook():
    """Log the two Descriptor16 objects built from the values in r0 and r1.

    The register values are presumably descriptor pointers; each is wrapped
    in ``Descriptor16`` and logged via ``str()``.
    """
    targets = [Descriptor16(cpu.getReg(reg)) for reg in (0, 1)]
    first, second = targets
    emulog('Target 1: {}, target 2 {}', str(first), str(second))
def domainClientPanic(panicCode):
    """Log the exit code and line number packed into a DomainClient panic code.

    Args:
        panicCode: Packed integer. The low 16 bits are logged negated as the
            exit code; the next 16 bits are logged as the line number.
    """
    lowHalf = panicCode & 0xFFFF
    highHalf = (panicCode >> 16) & 0xFFFF
    # The low half is treated as an unsigned magnitude and negated; a code
    # stored as a 16-bit two's-complement negative would not round-trip
    # through this -- kept as the author wrote it.
    symemu.emulog('DomainClient exited with exit code: {} at line {}',
                  -lowHalf, highHalf)