def GetModuleHandleA(self, uc, esp, log, module_name_ptr):
module_name = get_string(module_name_ptr, uc)
log and print(
f"GetModuleHandleA: module_name_ptr 0x{module_name_ptr:02x}: {module_name}"
)
if not module_name_ptr:
pe = pefile.PE(self.sample.path)
loaded = pe.get_memory_mapped_image(ImageBase=self.base_addr)
handle = self.alloc(log, len(loaded), uc)
uc.mem_write(handle, loaded)
return handle
handle = self.base_addr + self.module_handle_offset
self.module_handle_offset += 1
self.module_handles[handle] = get_string(module_name_ptr, uc)
if module_name not in self.load_library_counter:
self.load_library_counter[module_name] = 0
module_name += "#0"
self.sample.dllname_to_functionlist[module_name] = []
else:
self.load_library_counter[module_name] += 1
counter = self.load_library_counter[module_name]
module_name += "#" + str(counter)
self.sample.dllname_to_functionlist[module_name] = []
return handle
def get_imp(uc, rva, base_addr, SizeOfImportTable, read_values=False):
rva += base_addr
entry_size = len(bytes(IMAGE_IMPORT_DESCRIPTOR()))
num_of_dll = SizeOfImportTable // entry_size
imp_info_list = []
imp_struct_list = []
for i in range(num_of_dll):
uc_imp = uc.mem_read(rva, entry_size)
imp_struct = IMAGE_IMPORT_DESCRIPTOR.from_buffer(uc_imp)
imp_struct_list.append(imp_struct)
if read_values:
try:
dll_name = get_string(getattr(imp_struct, "Name") + base_addr, uc, break_on_unprintable=True)
imp_names = []
rva_to_iat = getattr(imp_struct, "FirstThunk")
while True:
new_val = struct.unpack("<I", uc.mem_read(base_addr + rva_to_iat, 4))[0]
if new_val == 0:
break
imp_name = (get_string(new_val + 2 + base_addr, uc, break_on_unprintable=True), rva_to_iat)
imp_names.append(imp_name)
rva_to_iat += 4
imp_info_list.append(ImportValues(imp_struct, dll_name, imp_names))
except UcError as ue:
return imp_info_list
rva += entry_size
if read_values:
return imp_info_list
return imp_struct_list
def GetProcAddress(self, uc, esp, log, module_handle, proc_name_ptr):
if module_handle == 0:
log and print(f"GetProcAddress: invalid module_handle: 0x{module_handle:02x}")
return 0x0
if proc_name_ptr == 0:
log and print(f"GetProcAddress: invalid proc_name_ptr: 0x{proc_name_ptr:02x}")
return 0x0
try:
module_name = self.module_handles[module_handle]
except KeyError:
module_name = "?"
proc_name_ptr2 = proc_name_ptr
if ((proc_name_ptr2 >> 0x10) == 0) and (proc_name_ptr != 0):
proc_name = "ORD/" + module_name + "/" + str(proc_name_ptr)
log and print(f"Import by Ordinal: 0x{proc_name_ptr:02x}, new name: ")
else:
proc_name = get_string(proc_name_ptr, uc)
if proc_name == "":
log and print(f"GetProcAddress: invalid proc_name")
return 0x0
log and print(
f"GetProcAddress: module handle 0x{module_handle:02x}: {module_name}, proc_name_ptr 0x{proc_name_ptr:02x}: {proc_name}")
# TODO Fix print for ordinals
hook_addr = None
for addr, name in self.hooks.items():
if name == proc_name:
hook_addr = addr
log and print(f"\tRe-used previously added hook at 0x{hook_addr:02x}")
break
if hook_addr is None:
hook_addr = self.add_hook(uc, proc_name, module_name)
log and print(f"\tAdded new hook at 0x{hook_addr:02x}")
if proc_name in self.pending_breakpoints:
print(f"\x1b[31mPending breakpoint attached for new dynamic import {proc_name} at 0x{hook_addr:02x}\x1b[0m")
self.breakpoints.add(hook_addr)
self.pending_breakpoints.remove(proc_name)
if module_name is not "?":
try:
counter = self.load_library_counter[module_name]
module_name += "#" + str(counter)
if module_name in self.sample.dllname_to_functionlist:
self.sample.dllname_to_functionlist[module_name].append((proc_name, hook_addr))
else:
self.sample.dllname_to_functionlist[module_name] = [(proc_name, hook_addr)]
except KeyError:
print(f"Error: Accessing method of not registered Library")
return hook_addr
def LoadLibraryA(self, uc, esp, log, mod_name_ptr):
# TODO: does not actually load the library
mod_name = get_string(mod_name_ptr, uc)
log and print(f"LoadLibraryA: mod_name_ptr 0x{mod_name_ptr}: {mod_name}")
handle = self.base_addr + self.module_handle_offset
self.module_handle_offset += 1
self.module_handles[handle] = get_string(mod_name_ptr, uc)
if mod_name not in self.load_library_counter:
self.load_library_counter[mod_name] = 0
mod_name += "#0"
self.sample.dllname_to_functionlist[mod_name] = []
else:
self.load_library_counter[mod_name] += 1
counter = self.load_library_counter[mod_name]
mod_name += "#" + str(counter)
self.sample.dllname_to_functionlist[mod_name] = []
# print(f"LoadLibrary: {mod_name}")
# print_dllname_to_functionlist(self.dllname_to_functionlist)
log and print(f"\tHandle: 0x{handle:02x}")
return handle
def print_mem(self, base, num_elements, t="int", base_alias=""):
if not base_alias:
base_alias = f"0x{base:02x}"
string = None
if t == "str":
string = get_string(base, self.engine.uc)
t = "byte"
num_elements = len(string)
types = {"byte": ("B", 1), "int": ("<I", 4)}
fmt, size = types[t]
for i in range(num_elements):
item, = struct.unpack(
fmt, self.engine.uc.mem_read(base + i * size, size))
print(f"{base_alias}+{i * 4} = 0x{item:02x}")
if string is not None:
print(f"String @0x{base:02x}: {string}")
def MessageBoxA(self, uc, esp, log, owner, text_ptr, title_ptr, type):
text = get_string(text_ptr, uc)
title = get_string(title_ptr, uc)
print(f"{Fore.LIGHTRED_EX}Message Box ({title}): {text}{Fore.RESET}")
return 1
def MessageBoxA(self, uc, esp, log, owner, text_ptr, title_ptr, type):
text = get_string(text_ptr, uc)
title = get_string(title_ptr, uc)
print(f"\x1b[31mMessage Box ({title}): {text}\x1b[0m")
return 1
