예제 #1
0
RTL_REGISTRY_ABSOLUTE = 0
RTL_REGISTRY_SERVICES = 1
RTL_REGISTRY_CONTROL = 2
RTL_REGISTRY_WINDOWS_NT = 3
RTL_REGISTRY_DEVICEMAP = 4
RTL_REGISTRY_USER = 5
RTL_REGISTRY_MAXIMUM = 6

HKEY_CLASSES_ROOT = 0x80000000
HKEY_CURRENT_USER = 0x80000001
HKEY_LOCAL_MACHINE = 0x80000002
HKEY_USERS = 0x80000003
HKEY_CLASSES_ROOT = 0x80000005

KEY_VALUE_INFORMATION_CLASS = Enum()
KEY_VALUE_INFORMATION_CLASS.KeyValueBasicInformation = 0x00
KEY_VALUE_INFORMATION_CLASS.KeyValueFullInformation = 0x01
KEY_VALUE_INFORMATION_CLASS.KeyValuePartialInformation = 0x02
KEY_VALUE_INFORMATION_CLASS.KeyValueFullInformationAlign64 = 0x03
KEY_VALUE_INFORMATION_CLASS.KeyValuePartialInformationAlign64 = 0x04
KEY_VALUE_INFORMATION_CLASS.KeyValueLayerInformation = 0x05
KEY_VALUE_INFORMATION_CLASS.MaxKeyValueInfoClass = 0x06


class KEY_VALUE_PARTIAL_INFORMATION(EmuStruct):
    def __init__(self, ptr_size):
        super().__init__(ptr_size)
        self.TitleIndex = ct.c_uint32
        self.Type = ct.c_uint32
        self.DataLength = ct.c_uint32
예제 #2
0
# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.

import ctypes as ct

import speakeasy.winenv.defs.usb as usbdefs
from speakeasy.struct import EmuStruct, Ptr, EmuUnion, Enum

WdfUsbTargetDeviceSelectConfigType = Enum()
WdfUsbTargetDeviceSelectConfigType.WdfUsbTargetDeviceSelectConfigTypeInvalid = 0
WdfUsbTargetDeviceSelectConfigType.WdfUsbTargetDeviceSelectConfigTypeDeconfig = 1
WdfUsbTargetDeviceSelectConfigType.WdfUsbTargetDeviceSelectConfigTypeSingleInterface = 2
WdfUsbTargetDeviceSelectConfigType.WdfUsbTargetDeviceSelectConfigTypeMultiInterface = 3
WdfUsbTargetDeviceSelectConfigType.WdfUsbTargetDeviceSelectConfigTypeInterfacesPairs = 4
WdfUsbTargetDeviceSelectConfigType.WdfUsbTargetDeviceSelectConfigTypeInterfacesDescriptor = 5
WdfUsbTargetDeviceSelectConfigType.WdfUsbTargetDeviceSelectConfigTypeUrb = 6

WdfUsbTargetDeviceSelectSettingType = Enum()
WdfUsbTargetDeviceSelectSettingType.WdfUsbInterfaceSelectSettingTypeDescriptor = 0x10
WdfUsbTargetDeviceSelectSettingType.WdfUsbInterfaceSelectSettingTypeSetting = 0x11
WdfUsbTargetDeviceSelectSettingType.WdfUsbInterfaceSelectSettingTypeUrb = 0x12

WDF_USB_PIPE_TYPE = Enum()
WDF_USB_PIPE_TYPE.WdfUsbPipeTypeInvalid = 0
WDF_USB_PIPE_TYPE.WdfUsbPipeTypeControl = 1
WDF_USB_PIPE_TYPE.WdfUsbPipeTypeIsochronous = 2
WDF_USB_PIPE_TYPE.WdfUsbPipeTypeBulk = 3
WDF_USB_PIPE_TYPE.WdfUsbPipeTypeInterrupt = 4

WDF_USB_DEVICE_TRAIT_SELF_POWERED = 1
WDF_USB_DEVICE_TRAIT_REMOTE_WAKE_CAPABLE = 2
WDF_USB_DEVICE_TRAIT_AT_HIGH_SPEED = 4
예제 #3
0
# Copyright (C) 2020 FireEye, Inc. All Rights Reserved.

import os
import ntpath
import hashlib
from collections import namedtuple

import pefile

import speakeasy.winenv.arch as _arch
import speakeasy.winenv.defs.nt.ddk as ddk
from speakeasy.struct import Enum

# GDT Constants needed to set our emulator into protected mode
# Access bits
GDT_ACCESS_BITS = Enum()
GDT_ACCESS_BITS.ProtMode32 = 0x4
GDT_ACCESS_BITS.PresentBit = 0x80
GDT_ACCESS_BITS.Ring3 = 0x60
GDT_ACCESS_BITS.Ring0 = 0
GDT_ACCESS_BITS.DataWritable = 0x2
GDT_ACCESS_BITS.CodeReadable = 0x2
GDT_ACCESS_BITS.DirectionConformingBit = 0x4
GDT_ACCESS_BITS.Code = 0x18
GDT_ACCESS_BITS.Data = 0x10

GDT_FLAGS = Enum()
GDT_FLAGS.Ring3 = 0x3
GDT_FLAGS.Ring0 = 0

IMPORT_HOOK_ADDR = 0xFEEDFACE
예제 #4
0
FILE_OPEN_IF = 0x00000003
FILE_OVERWRITE = 0x00000004
FILE_OVERWRITE_IF = 0x00000005

# File specific access mask
FILE_READ_DATA = 0x0001  # file & pipe
FILE_WRITE_DATA = 0x0002  # file & pipe
FILE_APPEND_DATA = 0x0004  # file
FILE_READ_EA = 0x0008  # file & directory
FILE_WRITE_EA = 0x0010  # file & directory
FILE_EXECUTE = 0x0020  # file
FILE_DELETE_CHILD = 0x0040  # directory
FILE_READ_ATTRIBUTES = 0x0080  # all
FILE_WRITE_ATTRIBUTES = 0x0100  # all

PROCESSINFOCLASS = Enum()
PROCESSINFOCLASS.ProcessBasicInformation = 0
PROCESSINFOCLASS.ProcessDebugPort = 7
PROCESSINFOCLASS.ProcessWow64Information = 0x1A
PROCESSINFOCLASS.ProcessImageFileName = 0x1B
PROCESSINFOCLASS.ProcessBreakOnTermination = 0x1D
PROCESSINFOCLASS.ProcessDebugObjectHandle = 0x1E
PROCESSINFOCLASS.ProcessProtectionInformation = 0x3D

SYSTEM_INFORMATION_CLASS = Enum()
SYSTEM_INFORMATION_CLASS.SystemBasicInformation = 0x00
SYSTEM_INFORMATION_CLASS.SystemProcessorInformation = 0x01
SYSTEM_INFORMATION_CLASS.SystemPerformanceInformation = 0x02
SYSTEM_INFORMATION_CLASS.SystemTimeOfDayInformation = 0x03
SYSTEM_INFORMATION_CLASS.SystemPathInformation = 0x04
SYSTEM_INFORMATION_CLASS.SystemProcessInformation = 0x05