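# Relative-root selectors (RTL_REGISTRY_*) accepted by the RtlQueryRegistryValues
# family of routines.
RTL_REGISTRY_ABSOLUTE = 0
RTL_REGISTRY_SERVICES = 1
RTL_REGISTRY_CONTROL = 2
RTL_REGISTRY_WINDOWS_NT = 3
RTL_REGISTRY_DEVICEMAP = 4
RTL_REGISTRY_USER = 5
RTL_REGISTRY_MAXIMUM = 6

# Predefined registry root handles. Each name is bound exactly once: the
# 0x80000005 root is HKEY_CURRENT_CONFIG, and binding it under the
# HKEY_CLASSES_ROOT name would silently replace 0x80000000, so anything
# comparing a handle against HKEY_CLASSES_ROOT would check the wrong value.
HKEY_CLASSES_ROOT = 0x80000000
HKEY_CURRENT_USER = 0x80000001
HKEY_LOCAL_MACHINE = 0x80000002
HKEY_USERS = 0x80000003
HKEY_CURRENT_CONFIG = 0x80000005

# KEY_VALUE_INFORMATION_CLASS values, as passed to NtQueryValueKey and
# NtEnumerateValueKey to select the output layout.
KEY_VALUE_INFORMATION_CLASS = Enum()
KEY_VALUE_INFORMATION_CLASS.KeyValueBasicInformation = 0x00
KEY_VALUE_INFORMATION_CLASS.KeyValueFullInformation = 0x01
KEY_VALUE_INFORMATION_CLASS.KeyValuePartialInformation = 0x02
KEY_VALUE_INFORMATION_CLASS.KeyValueFullInformationAlign64 = 0x03
KEY_VALUE_INFORMATION_CLASS.KeyValuePartialInformationAlign64 = 0x04
KEY_VALUE_INFORMATION_CLASS.KeyValueLayerInformation = 0x05
KEY_VALUE_INFORMATION_CLASS.MaxKeyValueInfoClass = 0x06


class KEY_VALUE_PARTIAL_INFORMATION(EmuStruct):
    """Emulated layout of the KEY_VALUE_PARTIAL_INFORMATION header.

    Declares the three fixed 32-bit header fields (TitleIndex, Type,
    DataLength). The native structure is followed by a variable-length
    Data buffer; this chunk ends here, so whether the emulator models that
    trailing member is outside this view.
    """

    def __init__(self, ptr_size):
        # ptr_size: pointer width of the emulated target, forwarded to EmuStruct.
        super().__init__(ptr_size)
        self.TitleIndex = ct.c_uint32
        self.Type = ct.c_uint32
        self.DataLength = ct.c_uint32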
# Copyright (C) 2020 FireEye, Inc. All Rights Reserved. import ctypes as ct import speakeasy.winenv.defs.usb as usbdefs from speakeasy.struct import EmuStruct, Ptr, EmuUnion, Enum WdfUsbTargetDeviceSelectConfigType = Enum() WdfUsbTargetDeviceSelectConfigType.WdfUsbTargetDeviceSelectConfigTypeInvalid = 0 WdfUsbTargetDeviceSelectConfigType.WdfUsbTargetDeviceSelectConfigTypeDeconfig = 1 WdfUsbTargetDeviceSelectConfigType.WdfUsbTargetDeviceSelectConfigTypeSingleInterface = 2 WdfUsbTargetDeviceSelectConfigType.WdfUsbTargetDeviceSelectConfigTypeMultiInterface = 3 WdfUsbTargetDeviceSelectConfigType.WdfUsbTargetDeviceSelectConfigTypeInterfacesPairs = 4 WdfUsbTargetDeviceSelectConfigType.WdfUsbTargetDeviceSelectConfigTypeInterfacesDescriptor = 5 WdfUsbTargetDeviceSelectConfigType.WdfUsbTargetDeviceSelectConfigTypeUrb = 6 WdfUsbTargetDeviceSelectSettingType = Enum() WdfUsbTargetDeviceSelectSettingType.WdfUsbInterfaceSelectSettingTypeDescriptor = 0x10 WdfUsbTargetDeviceSelectSettingType.WdfUsbInterfaceSelectSettingTypeSetting = 0x11 WdfUsbTargetDeviceSelectSettingType.WdfUsbInterfaceSelectSettingTypeUrb = 0x12 WDF_USB_PIPE_TYPE = Enum() WDF_USB_PIPE_TYPE.WdfUsbPipeTypeInvalid = 0 WDF_USB_PIPE_TYPE.WdfUsbPipeTypeControl = 1 WDF_USB_PIPE_TYPE.WdfUsbPipeTypeIsochronous = 2 WDF_USB_PIPE_TYPE.WdfUsbPipeTypeBulk = 3 WDF_USB_PIPE_TYPE.WdfUsbPipeTypeInterrupt = 4 WDF_USB_DEVICE_TRAIT_SELF_POWERED = 1 WDF_USB_DEVICE_TRAIT_REMOTE_WAKE_CAPABLE = 2 WDF_USB_DEVICE_TRAIT_AT_HIGH_SPEED = 4
# Copyright (C) 2020 FireEye, Inc. All Rights Reserved. import os import ntpath import hashlib from collections import namedtuple import pefile import speakeasy.winenv.arch as _arch import speakeasy.winenv.defs.nt.ddk as ddk from speakeasy.struct import Enum # GDT Constants needed to set our emulator into protected mode # Access bits GDT_ACCESS_BITS = Enum() GDT_ACCESS_BITS.ProtMode32 = 0x4 GDT_ACCESS_BITS.PresentBit = 0x80 GDT_ACCESS_BITS.Ring3 = 0x60 GDT_ACCESS_BITS.Ring0 = 0 GDT_ACCESS_BITS.DataWritable = 0x2 GDT_ACCESS_BITS.CodeReadable = 0x2 GDT_ACCESS_BITS.DirectionConformingBit = 0x4 GDT_ACCESS_BITS.Code = 0x18 GDT_ACCESS_BITS.Data = 0x10 GDT_FLAGS = Enum() GDT_FLAGS.Ring3 = 0x3 GDT_FLAGS.Ring0 = 0 IMPORT_HOOK_ADDR = 0xFEEDFACE
# NtCreateFile CreateDisposition values (this chunk starts mid-list; the lower
# disposition values precede it outside this view).
FILE_OPEN_IF = 0x00000003
FILE_OVERWRITE = 0x00000004
FILE_OVERWRITE_IF = 0x00000005

# File specific access mask
# Object-specific bits of the ACCESS_MASK for file, pipe and directory objects;
# the trailing comment on each line names the object types it applies to.
FILE_READ_DATA = 0x0001  # file & pipe
FILE_WRITE_DATA = 0x0002  # file & pipe
FILE_APPEND_DATA = 0x0004  # file
FILE_READ_EA = 0x0008  # file & directory
FILE_WRITE_EA = 0x0010  # file & directory
FILE_EXECUTE = 0x0020  # file
FILE_DELETE_CHILD = 0x0040  # directory
FILE_READ_ATTRIBUTES = 0x0080  # all
FILE_WRITE_ATTRIBUTES = 0x0100  # all

# PROCESSINFOCLASS values for NtQueryInformationProcess. Only a subset of the
# native enumeration is modelled; ProcessDebugPort, ProcessDebugObjectHandle and
# ProcessBreakOnTermination are the classes anti-debugging checks commonly
# query, so an emulator has to answer them for such samples to run to
# completion -- presumably why they are included here.
PROCESSINFOCLASS = Enum()
PROCESSINFOCLASS.ProcessBasicInformation = 0
PROCESSINFOCLASS.ProcessDebugPort = 7
PROCESSINFOCLASS.ProcessWow64Information = 0x1A
PROCESSINFOCLASS.ProcessImageFileName = 0x1B
PROCESSINFOCLASS.ProcessBreakOnTermination = 0x1D
PROCESSINFOCLASS.ProcessDebugObjectHandle = 0x1E
PROCESSINFOCLASS.ProcessProtectionInformation = 0x3D

# SYSTEM_INFORMATION_CLASS values for NtQuerySystemInformation (first six
# members; the chunk ends here).
SYSTEM_INFORMATION_CLASS = Enum()
SYSTEM_INFORMATION_CLASS.SystemBasicInformation = 0x00
SYSTEM_INFORMATION_CLASS.SystemProcessorInformation = 0x01
SYSTEM_INFORMATION_CLASS.SystemPerformanceInformation = 0x02
SYSTEM_INFORMATION_CLASS.SystemTimeOfDayInformation = 0x03
SYSTEM_INFORMATION_CLASS.SystemPathInformation = 0x04
SYSTEM_INFORMATION_CLASS.SystemProcessInformation = 0x05