def __call__(self, emu, api, argv):
    """Handle the MSVC SEH/EH prolog and epilog helpers as no-ops.

    When `api` names one of the compiler-inserted frame helpers, nothing is
    emulated: the call is returned with 0 and the hook reports it as handled.
    Any other API falls through (returns None) so other hooks may claim it.
    """
    frame_helpers = ("__EH_prolog3", "__SEH_prolog4", "seh4_prolog", "__SEH_epilog4")
    if not fu.contains_funcname(api, frame_helpers):
        return None
    # nop: no emulator state is touched, the call just returns 0
    fu.call_return(emu, api, argv, 0)
    return True
def __call__(self, emu, api, argv):
    """Handle the MSVC stack-cookie check as a no-op.

    `__security_check_cookie` (and its stdcall-decorated alias) is returned
    with 0 without inspecting the cookie; the hook then reports the call as
    handled. Other APIs fall through (returns None).
    """
    cookie_checks = ("__security_check_cookie", "@__security_check_cookie@4")
    if not fu.contains_funcname(api, cookie_checks):
        return None
    # nop: the cookie is never validated during emulation
    fu.call_return(emu, api, argv, 0)
    return True
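def __call__(self, emu, api, argv):
    """Emulate memset(ptr, value, num): fill `num` bytes at `ptr` with `value`.

    `value` is masked to its low byte, as C converts the fill value to
    unsigned char; without the mask a value outside 0..255 makes bytes()
    raise ValueError and aborts the emulation run. `num` is capped at
    MAX_MEMORY_SIZE, matching the memcpy hook, so a corrupt or hostile length
    argument cannot make the emulator build an arbitrarily large buffer.
    The call returns `ptr`, as memset does. Returns True when handled;
    other APIs fall through (returns None).
    """
    if fu.contains_funcname(api, ("memset",)):
        ptr, value, num = argv
        if num > MAX_MEMORY_SIZE:
            logger.trace("unusually large %s (%s), truncating to: 0x%x", fu.get_call_funcname(api), argv, MAX_MEMORY_SIZE)
            num = MAX_MEMORY_SIZE
        fill = bytes([value & 0xFF]) * num
        emu.writeMemory(ptr, fill)
        fu.call_return(emu, api, argv, ptr)
        return True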
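def __call__(self, emu, api, argv):
    """Emulate vsprintf-style calls by copying the format string into `buf`.

    The variadic arguments are not formatted (see the TODO below): the raw
    format string is written to `buf` followed by a terminator, and the call
    returns the number of characters written, which is what the C and Win32
    functions return (the previous code returned the buffer pointer).
    The read is bounded by MAX_STR_SIZE like the other string hooks so a
    missing terminator cannot walk emulator memory indefinitely.
    Returns True when handled; other APIs fall through (returns None).
    """
    # TODO vfprintf, vfwprintf, vfprintf_s, vfwprintf_s, vsnprintf, vsnwprintf, etc.
    if fu.contains_funcname(api, ("vsprintf", "vswprintf", "wvsprintfA")):
        buf, format_, *_va_list = argv
        # NOTE(review): vswprintf takes a wide format string but it is read
        # here with the default (narrow) character size -- confirm
        format_str = fu.readStringAtRva(emu, format_, maxsize=MAX_STR_SIZE)
        # TODO format string: the va_list is ignored and the format is copied verbatim
        emu.writeMemory(buf, format_str + b"\x00")
        # assumes readStringAtRva returns the bytes without the terminator -- TODO confirm
        fu.call_return(emu, api, argv, len(format_str))
        return True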
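def __call__(self, emu, api, argv):
    """Emulate C++ `operator new` by handing back a fresh block of emulator memory.

    The requested size is argv[0]; when vivisect could not recover the
    arguments, DEFAULT_SIZE is used instead. The block address is returned
    to the caller. Returns True when handled; other APIs fall through
    (returns None).
    """
    # NOTE(review): the name tuple previously listed self.ZNWJ twice; the
    # duplicate is dropped here, but it may have been meant as a different
    # mangled name -- confirm which one
    new_names = (self.ZNWJ, self.YAPAXI_Z_32, self.YAPEAX_K_Z_64)
    if fu.contains_funcname(api, new_names):
        # will allocate a default block size if vivisect failed to extract argv
        size = argv[0] if argv else self.DEFAULT_SIZE
        va = self._allocate_mem(emu, size)
        fu.call_return(emu, api, argv, va)
        return True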
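def __call__(self, emu, api, argv):
    """Emulate memchr(ptr, value, num): locate the first `value` byte in the range.

    The call returns the address of the first match, or 0 (NULL) when the
    byte is absent. `value` is masked to its low byte because memchr
    compares against (unsigned char)value; without the mask a value outside
    0..255 makes bytes() raise ValueError. `num` is capped at MAX_MEMORY_SIZE,
    matching the memcpy hook, so a corrupt length cannot force a huge read.
    Returns True when handled; other APIs fall through (returns None).
    """
    if fu.contains_funcname(api, ("memchr",)):
        ptr, value, num = argv
        if num > MAX_MEMORY_SIZE:
            logger.trace("unusually large %s (%s), truncating to: 0x%x", fu.get_call_funcname(api), argv, MAX_MEMORY_SIZE)
            num = MAX_MEMORY_SIZE
        memory = emu.readMemory(ptr, num)
        needle = bytes([value & 0xFF])
        idx = memory.find(needle)
        # find() yields -1 when absent; memchr yields NULL
        offset = ptr + idx if idx >= 0 else 0
        fu.call_return(emu, api, argv, offset)
        return True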
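def __call__(self, emu, api, argv):
    """Emulate strncmp(s1, s2, num) on emulator memory.

    Both strings are read with at most `num` bytes, `num` being capped at
    MAX_STR_SIZE. The call returns -1, 0 or 1 by the sign of the comparison;
    Python compares bytes lexicographically by unsigned value, which is what
    strncmp does. strncmp(s1, s2, 0) is 0 by definition, so that case skips
    the reads entirely. The truncation log now reports the cap actually
    applied rather than the pre-truncation value. Returns True when handled;
    other APIs fall through (returns None).
    """
    if fu.contains_funcname(api, ("strncmp",)):
        s1va, s2va, num = argv
        if num > MAX_STR_SIZE:
            logger.trace("unusually large %s (%s), truncating to: 0x%x", fu.get_call_funcname(api), argv, MAX_STR_SIZE)
            num = MAX_STR_SIZE
        if num == 0:
            result = 0
        else:
            s1 = fu.readStringAtRva(emu, s1va, maxsize=num)
            s2 = fu.readStringAtRva(emu, s2va, maxsize=num)
            # three-way compare, stands in for the removed Python 2 cmp()
            result = (s1 > s2) - (s1 < s2)
        fu.call_return(emu, api, argv, result)
        return True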
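def __call__(self, emu, api, argv):
    """Emulate memcpy/memmove and the bounds-checked memcpy_s/wmemcpy_s.

    memcpy and memmove return the destination pointer; memcpy_s and
    wmemcpy_s return 0 (errno_t success). The secure-variant name was
    previously misspelled "mempcy_s" and never matched. wmemcpy_s counts
    wchar_t elements, so its count is doubled to bytes. `count` is capped
    at MAX_MEMORY_SIZE, and the truncation log reports that cap. Returns
    False for any other API so another hook may claim the call.

    NOTE(review): dst_size is not enforced; a real memcpy_s fails when
    count exceeds it -- confirm whether emulation needs that behaviour.
    """
    if fu.contains_funcname(api, ("memcpy", "memmove")):
        dst, src, count = argv
        retval = dst
    elif fu.contains_funcname(api, ("memcpy_s", "wmemcpy_s")):
        dst, dst_size, src, count = argv
        if fu.contains_funcname(api, ("wmemcpy_s",)):
            # count is in wchar_t (2-byte) units on Windows
            count *= 2
        retval = 0
    else:
        return False
    if count > MAX_MEMORY_SIZE:
        logger.trace("unusually large %s (%s), truncating to: 0x%x", fu.get_call_funcname(api), argv, MAX_MEMORY_SIZE)
        count = MAX_MEMORY_SIZE
    data = emu.readMemory(src, count)
    emu.writeMemory(dst, data)
    fu.call_return(emu, api, argv, retval)
    return True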
def __call__(self, emu, api, argv):
    """Emulate the common heap allocators by carving a block out of emulator memory.

    The size argument sits at a different position per API family:
    index 0 for malloc/_malloc, index 1 for VirtualAlloc/LocalAlloc/GlobalAlloc,
    index 2 for VirtualAllocEx/HeapAlloc/RtlAllocateHeap, and the product of
    the two arguments for calloc/calloc_base. The new block's address is
    returned to the caller. Returns False for any other API.

    NOTE(review): the size is passed to _allocate_mem unbounded; whether
    that helper caps it is not visible here -- confirm.
    """
    if fu.contains_funcname(api, ("malloc", "_malloc")):
        requested = argv[0]
    elif fu.contains_funcname(api, ("VirtualAlloc", "LocalAlloc", "GlobalAlloc")):
        requested = argv[1]
    elif fu.contains_funcname(api, ("VirtualAllocEx", "HeapAlloc", "RtlAllocateHeap")):
        requested = argv[2]
    elif fu.contains_funcname(api, ("calloc", "calloc_base")):
        # calloc(count, size): total bytes is the product
        count, elem_size = argv[0], argv[1]
        requested = count * elem_size
    else:
        # not handled by this hook
        return False
    block = self._allocate_mem(emu, requested)
    fu.call_return(emu, api, argv, block)
    return True
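def __call__(self, emu, api, argv):
    """Emulate strlen/wcslen/strnlen and the lstrlen variants.

    strlen and wcslen read up to 256 characters (the wide variant passes 2
    as the fourth argument, presumably the character width); strnlen honours
    its own `maxlen`, capped at MAX_STR_SIZE. strnlen(s, 0) is 0 by
    definition, so that case skips the read and does not depend on how
    readStringAtRva treats maxsize=0. The truncation log reports the cap
    actually applied. The length is returned to the caller. Returns False
    for any other API.

    NOTE(review): "lstrlena"/"lstrlenw" are lower-case while the Win32
    exports are lstrlenA/lstrlenW -- relies on contains_funcname matching
    case-insensitively; confirm.
    """
    if fu.contains_funcname(api, ("strlen", "lstrlena")):
        string_va = argv[0]
        s = fu.readStringAtRva(emu, string_va, 256)
    elif fu.contains_funcname(api, ("wcslen", "lstrlenw")):
        string_va = argv[0]
        s = fu.readStringAtRva(emu, string_va, 256, 2)
    elif fu.contains_funcname(api, ("strnlen",)):
        string_va, maxlen = argv
        if maxlen > MAX_STR_SIZE:
            logger.trace("unusually large %s (%s), truncating to: 0x%x", fu.get_call_funcname(api), argv, MAX_STR_SIZE)
            maxlen = MAX_STR_SIZE
        if maxlen == 0:
            s = b""
        else:
            s = fu.readStringAtRva(emu, string_va, maxsize=maxlen)
    else:
        return False
    fu.call_return(emu, api, argv, len(s))
    return True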
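def __call__(self, emu, api, argv):
    """Emulate GetModuleFileName{A,W} and GetModuleFileNameEx{A,W}.

    A zero hModule denotes the calling executable and yields self.MOD_NAME;
    any other handle goes through self.readLibraryPath. The W variants are
    flagged as unicode (GetModuleFileNameExW previously set unicode=False).
    Returns False for any other API.

    NOTE(review): the real API writes the path into lpFilename (bounded by
    nSize) and returns the character count; here the name itself is handed
    to call_return -- confirm that is what the hook's callers expect.
    """
    if fu.contains_funcname(api, ("GetModuleFileNameA",)):
        unicode = False
        hModule, lpFilename, nSize = argv
    elif fu.contains_funcname(api, ("GetModuleFileNameW",)):
        unicode = True
        hModule, lpFilename, nSize = argv
    elif fu.contains_funcname(api, ("GetModuleFileNameExA",)):
        unicode = False
        hProcess, hModule, lpFilename, nSize = argv
    elif fu.contains_funcname(api, ("GetModuleFileNameExW",)):
        unicode = True
        hProcess, hModule, lpFilename, nSize = argv
    else:
        return False
    if hModule == 0:
        libname = self.MOD_NAME
    else:
        # TODO(review): `lpLibName` is not bound anywhere in this method, so this
        # branch raises NameError; GetModuleFileName identifies the module by
        # hModule rather than a name pointer -- confirm what readLibraryPath expects
        libname = self.readLibraryPath(lpLibName, unicode=unicode)
    fu.call_return(emu, api, argv, libname)
    return True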
def __call__(self, emu, api, argv):
    """Emulate InitializeCriticalSection by tagging the section structure.

    The two bytes b"CS" are written at the structure address so that later
    reads see an initialised-looking object; the call returns 0. Returns
    True when handled; other APIs fall through (returns None).
    """
    if not fu.contains_funcname(api, ("InitializeCriticalSection",)):
        return None
    (section_va,) = argv
    emu.writeMemory(section_va, b"CS")
    fu.call_return(emu, api, argv, 0)
    return True
def __call__(self, emu, api, argv):
    """Emulate GetCurrentProcess with the module-level CURRENT_PROCESS_ID.

    Returns True when handled; other APIs fall through (returns None).

    NOTE(review): the real API returns a pseudo-handle rather than a process
    id; presumably any stable non-zero value suffices here -- confirm.
    """
    if not fu.contains_funcname(api, ("GetCurrentProcess",)):
        return None
    fu.call_return(emu, api, argv, CURRENT_PROCESS_ID)
    return True
def __call__(self, emu, api, argv):
    """Emulate GetLastError by always reporting ERROR_SUCCESS (0).

    The emulation never tracks a last-error value, so every query reports
    success. Returns True when handled; other APIs fall through (returns None).
    """
    if not fu.contains_funcname(api, ("GetLastError",)):
        return None
    # always assuming success
    fu.call_return(emu, api, argv, 0)
    return True
def __call__(self, emu, api, argv):
    """Emulate VirtualFree/HeapFree/RtlFreeHeap as always-successful.

    No emulator memory is released; the call merely returns a non-zero value,
    which these APIs use to signal success. Returns True when handled; other
    APIs fall through (returns None).
    """
    free_apis = ("VirtualFree", "HeapFree", "RtlFreeHeap")
    if not fu.contains_funcname(api, free_apis):
        return None
    # If the function succeeds, the return value is nonzero.
    fu.call_return(emu, api, argv, 1)
    return True
def __call__(self, emu, api, argv):
    """Emulate GetProcessHeap with a fixed dummy heap handle.

    The constant 42 stands in for the process heap handle; the allocation
    hooks do not inspect it. Returns True when handled; other APIs fall
    through (returns None).
    """
    if not fu.contains_funcname(api, ("GetProcessHeap",)):
        return None
    dummy_heap_handle = 42
    fu.call_return(emu, api, argv, dummy_heap_handle)
    return True