| -rw-r--r-- | miasm/tools/pe_helper.py | 2 | ||||
| -rw-r--r-- | miasm/tools/to_c_helper.py | 39 | ||||
| -rw-r--r-- | miasm/tools/win_api.py | 72 |
3 files changed, 89 insertions, 24 deletions
diff --git a/miasm/tools/pe_helper.py b/miasm/tools/pe_helper.py
index 497aff13..c9e166f1 100644
--- a/miasm/tools/pe_helper.py
+++ b/miasm/tools/pe_helper.py
@@ -387,7 +387,7 @@ class libimp: self.fad2info = {} def lib_get_add_base(self, name): - name = name.lower() + name = name.lower().strip(' ') if not "." in name: print 'warning adding .dll to modulename' name += '.dll'
diff --git a/miasm/tools/to_c_helper.py b/miasm/tools/to_c_helper.py
index 50d79d0b..3bbb9a24 100644
--- a/miasm/tools/to_c_helper.py
+++ b/miasm/tools/to_c_helper.py
@@ -1131,11 +1131,25 @@ updw = lambda bbbb: struct.unpack('I', bbbb)[0] pw = lambda x: struct.pack('H', x) upw = lambda x: struct.unpack('H', x)[0] +base_dll_imp = ["ntdll.dll", "kernel32.dll", "user32.dll", + "imm32.dll", "msvcrt.dll", + "oleaut32.dll", "shlwapi.dll", + "version.dll", "advapi32.dll", + "ws2help.dll", + "rpcrt4.dll", "shell32.dll", "winmm.dll", + #"mswsock.dll", + "ws2_32.dll", + "gdi32.dll", "ole32.dll", + "secur32.dll", "comdlg32.dll", + #"wsock32.dll" + ] + def load_pe_in_vm(fname_in, options, all_imp_dll = None, **kargs): import os import seh_helper import win_api + global base_dll_imp from miasm.tools import pe_helper from miasm.tools import codenat
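Review bot: `name.lower().strip(' ')` in lib_get_add_base trims only space characters, so a module name padded with a tab or other whitespace still fails whatever lookup follows and additionally gets '.dll' appended by the `if not "." in name` branch; `name = name.lower().strip()` covers every whitespace kind with no other change in behaviour. The body of lib_get_add_base continues past the hunk, so what the normalised name is finally used for is not visible here.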
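Review bot: `global base_dll_imp` inside load_pe_in_vm is unnecessary, because the function only reads the module-level list and never rebinds the name; a global declaration is required only for assignment, and dropping the line changes nothing. The new module-level list would be better served by a comment stating its role, e.g. `# DLLs mapped into the VM by default when options.loadbasedll is set`. load_pe_in_vm starts in this hunk but ends outside it.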
@@ -1149,22 +1163,14 @@ def load_pe_in_vm(fname_in, options, all_imp_dll = None, **kargs): codenat_tcc_init() runtime_dll = pe_helper.libimp(kargs.get('runtime_basead', 0x71111000)) - pe_helper.vm_load_pe(e, align_s = False, load_hdr = options.loadhdr) + align_s = False + if 'align_s' in kargs: + align_s = kargs['align_s'] + pe_helper.vm_load_pe(e, align_s = align_s, load_hdr = options.loadhdr) if all_imp_dll == None: if options.loadbasedll: - all_imp_dll = ["ntdll.dll", "kernel32.dll", "user32.dll", - "imm32.dll", "msvcrt.dll", - "oleaut32.dll", "shlwapi.dll", - "version.dll", "advapi32.dll", - "ws2help.dll", - "rpcrt4.dll", "shell32.dll", "winmm.dll", - #"mswsock.dll", - "ws2_32.dll", - "gdi32.dll", "ole32.dll", - "secur32.dll", "comdlg32.dll", - #"wsock32.dll" - ] + all_imp_dll = base_dll_imp else: all_imp_dll = []
@@ -1174,7 +1180,7 @@ def load_pe_in_vm(fname_in, options, all_imp_dll = None, **kargs): for n in mod_list: fname = os.path.join('win_dll', n) ee = pe_init.PE(open(fname, 'rb').read()) - pe_helper.vm_load_pe(ee, align_s = False) + pe_helper.vm_load_pe(ee, align_s = align_s) runtime_dll.add_export_lib(ee, n) exp_funcs = pe_helper.get_export_name_addr_list(ee) exp_func[n] = exp_funcs
@@ -1260,10 +1266,11 @@ def vm2pe(fname, runtime_dll = None, e_orig = None, max_addr = 1<<64): # generation open(fname, 'w').write(str(mye)) -def manage_runtime_func(my_eip, api_modues, runtime_dll): +def manage_runtime_func(my_eip, api_modues, runtime_dll, dbg = False): from miasm.tools import win_api fname = runtime_dll.fad2cname[my_eip] - print "call api", fname, hex(updw(vm_get_str(vm_get_gpreg()['esp'], 4))) + if dbg: + print "call api", fname, hex(updw(vm_get_str(vm_get_gpreg()['esp'], 4))) f = None for m in api_modues: if isinstance(m, dict):
diff --git a/miasm/tools/win_api.py b/miasm/tools/win_api.py
index 97521486..43ca5fe4 100644
--- a/miasm/tools/win_api.py
+++ b/miasm/tools/win_api.py
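Review bot: `all_imp_dll = base_dll_imp` makes the local an alias of the module-level list, whereas the removed code built a fresh literal on every call; any later in-place change to all_imp_dll (an append further down in load_pe_in_vm or by a caller, neither visible here) would now silently change the default for every subsequent load. `all_imp_dll = list(base_dll_imp)` keeps the per-call copy semantics. The three-line align_s dance is also more direct as `align_s = kargs.get('align_s', False)`, matching the `kargs.get('runtime_basead', ...)` idiom two lines above. load_pe_in_vm starts and ends outside this hunk.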
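Review bot: The new `dbg` parameter of manage_runtime_func is undocumented, and since this file uses plain functions without docstrings a comment on the def would do, e.g. `# dbg: when True, print each resolved API name together with the dword read at esp`. The function body continues past the hunk.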
@@ -505,7 +505,7 @@ def user32_BlockInput(): regs['eax'] = 1 vm_set_gpreg(regs) -def advapi32_CryptAcquireContextA(): +def advapi32_CryptAcquireContext(funcname, get_str): ret_ad = vm_pop_uint32_t() phprov = vm_pop_uint32_t() pszcontainer = vm_pop_uint32_t()
@@ -513,10 +513,12 @@ def advapi32_CryptAcquireContextA(): dwprovtype = vm_pop_uint32_t() dwflags = vm_pop_uint32_t() - print whoami(), hex(ret_ad), '(', hex(phprov), hex(pszcontainer), hex(pszprovider), hex(dwprovtype), hex(dwflags), ')' + print funcname, hex(ret_ad), '(', hex(phprov), hex(pszcontainer), hex(pszprovider), hex(dwprovtype), hex(dwflags), ')' - prov = vm_get_str(pszprovider, 0x100) - prov = prov[:prov.find('\x00')] + if pszprovider: + prov = get_str(pszprovider) + else: + prov = "NONE" print 'prov:', prov vm_set_mem(phprov, pdw(winobjs.cryptcontext_hwnd))
@@ -526,6 +528,12 @@ def advapi32_CryptAcquireContextA(): vm_set_gpreg(regs) +def advapi32_CryptAcquireContextA(): + advapi32_CryptAcquireContext(whoami(), get_str_ansi) +def advapi32_CryptAcquireContextW(): + advapi32_CryptAcquireContext(whoami(), get_str_unic) + + def advapi32_CryptCreateHash(): ret_ad = vm_pop_uint32_t() hprov = vm_pop_uint32_t()
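Review bot: advapi32_CryptAcquireContext gains two parameters that are not described anywhere; a comment under the def such as `# funcname: name used in the trace print; get_str: reads a guest string at an address (ANSI or wide variant)` would tell the next person what the A/W wrappers are expected to pass. The same applies to kernel32_GetModuleHandle, which receives the same pair later in this diff. The function body continues into the following hunks.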
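Review bot: The removed code bounded the provider read to 0x100 bytes with `vm_get_str(pszprovider, 0x100)`, whereas the new `get_str(pszprovider)` defers to get_str_ansi/get_str_unic, whose read bound is not visible here; if those helpers scan guest memory until a terminator, a provider string without one would keep reading until the VM faults, so a cap should be kept or confirmed inside get_str_*. Treating a NULL pszprovider separately is right, since the old slice would have read from address 0. advapi32_CryptAcquireContext starts in the previous hunk and ends outside this one.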
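Review bot: advapi32_CryptAcquireContextW hands `get_str_unic` straight to the shared body, while the W wrappers added later in this diff for kernel32_CreateFile and kernel32_GetModuleHandle pass `lambda x:get_str_unic(x)[::2]`, so the same wide-string helper yields two different forms depending on which stub is called (presumably raw UTF-16LE bytes with interleaved NULs here versus a narrowed string there; what get_str_unic returns is not visible). Whichever form is intended should be used by all three, ideally through one named helper such as `def get_str_unic_narrow(ad): return get_str_unic(ad)[::2]` rather than three inline lambdas. Note that `[::2]` only narrows correctly for code points below 0x100; if get_str_unic returns bytes, `get_str_unic(ad).decode('utf-16le')` would be the robust decode.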
@@ -572,6 +580,48 @@ def advapi32_CryptHashData(): vm_set_gpreg(regs) +def advapi32_CryptGetHashParam(): + ret_ad = vm_pop_uint32_t() + hhash = vm_pop_uint32_t() + param = vm_pop_uint32_t() + pbdata = vm_pop_uint32_t() + dwdatalen = vm_pop_uint32_t() + dwflags = vm_pop_uint32_t() + + print whoami(), hex(ret_ad), '(', hex(hhash), hex(pbdata), hex(dwdatalen), hex(dwflags), ')' + + if not hhash in winobjs.cryptcontext: + raise ValueError("unknown crypt context") + + + if param == 2: + # XXX todo: save h state? + h = winobjs.cryptcontext[hhash].h.digest() + else: + raise ValueError('not impl', param) + vm_set_mem(pbdata, h) + vm_set_mem(dwdatalen, pdw(len(h))) + + regs = vm_get_gpreg() + regs['eip'] = ret_ad + regs['eax'] = 1 + vm_set_gpreg(regs) + + + +def advapi32_CryptReleaseContext(): + ret_ad = vm_pop_uint32_t() + hhash = vm_pop_uint32_t() + flags = vm_pop_uint32_t() + + print whoami(), hex(ret_ad), '(', hex(hhash), hex(flags), ')' + + regs = vm_get_gpreg() + regs['eip'] = ret_ad + regs['eax'] = 0 + vm_set_gpreg(regs) + + def advapi32_CryptDeriveKey(): ret_ad = vm_pop_uint32_t() hprov = vm_pop_uint32_t()
@@ -667,6 +717,8 @@ def kernel32_CreateFile(funcname, get_str): def kernel32_CreateFileA(): kernel32_CreateFile(whoami(), get_str_ansi) +def kernel32_CreateFileW(): + kernel32_CreateFile(whoami(), lambda x:get_str_unic(x)[::2])
@@ -1051,13 +1103,13 @@ def kernel32_LoadLibraryW(): vm_set_gpreg(regs) -def kernel32_GetModuleHandleA(): +def kernel32_GetModuleHandle(funcname, get_str): ret_ad = vm_pop_uint32_t() dllname = vm_pop_uint32_t() - print whoami(), hex(ret_ad), hex(dllname) + print funcname, hex(ret_ad), hex(dllname) if dllname: - libname = get_str_ansi(dllname) + libname = get_str(dllname) print repr(libname) if libname: eax = winobjs.runtime_dll.lib_get_add_base(libname)
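Review bot: advapi32_CryptGetHashParam writes the whole digest to pbdata and then `len(h)` to dwdatalen without ever reading the buffer size the guest passed in at dwdatalen (pdwDataLen is an in/out parameter), so a guest that supplies a short buffer, or pbData NULL to query the required size as the real API allows, gets guest memory past its buffer overwritten (or address 0 written) instead of a failed call; the incoming dword should be read first and the call refused when it is smaller than len(h), and the magic `2` deserves a `# HP_HASHVAL` comment. In advapi32_CryptReleaseContext, `regs['eax'] = 0` reports FALSE for a BOOL-returning API, which contradicts the other stubs in this hunk that set eax to 1 on success, and the popped argument is the provider handle, so `hprov` is the clearer name than `hhash`. Both functions are complete within the hunk; the sketch below assumes updw is in scope in this file as pdw is.
```python
def advapi32_CryptGetHashParam():
    # … unchanged: argument pops, trace print, context lookup …
    if param == 2:  # HP_HASHVAL
        # XXX todo: save h state?
        h = winobjs.cryptcontext[hhash].h.digest()
    else:
        raise ValueError('not impl', param)
    # pdwDataLen is in/out: honour the size the guest declared for pbData
    buf_len = updw(vm_get_str(dwdatalen, 4))
    regs = vm_get_gpreg()
    regs['eip'] = ret_ad
    if not pbdata or buf_len < len(h):
        # report the needed size and fail, as the real API does (ERROR_MORE_DATA)
        vm_set_mem(dwdatalen, pdw(len(h)))
        regs['eax'] = 0
    else:
        vm_set_mem(pbdata, h)
        vm_set_mem(dwdatalen, pdw(len(h)))
        regs['eax'] = 1
    vm_set_gpreg(regs)
```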
@@ -1072,6 +1124,12 @@ def kernel32_GetModuleHandleA(): regs['eax'] = eax vm_set_gpreg(regs) +def kernel32_GetModuleHandleA(): + kernel32_GetModuleHandle(whoami(), get_str_ansi) +def kernel32_GetModuleHandleW(): + kernel32_GetModuleHandle(whoami(), lambda x:get_str_unic(x)[::2]) + + def kernel32_VirtualLock(): ret_ad = vm_pop_uint32_t() lpaddress = vm_pop_uint32_t() |