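// Return the exported name string for entry nIndex of the export name table,
// or NULL if either indirection cannot be resolved.
//
// Both RVAs read here come from the image being parsed, i.e. from untrusted
// input. The original code dereferenced RvaToPtr(dwNameRva) unconditionally,
// so a name-pointer RVA outside any section turned into a NULL (or wild)
// read; every translation is now checked before it is used.
//
// NOTE(review): this still assumes RvaToPtr() guarantees at least 4 readable
// bytes at the returned address (it reads a DWORD there) — confirm against
// RvaToPtr's bounds check.
char* CPEExport::GetNameValue(int nIndex)
{
    DWORD dwNameRva = GetName(nIndex);
    if (!dwNameRva) {
        return NULL;
    }

    // Slot in the name-pointer table holding the RVA of the actual string.
    const DWORD* pNameValueRva = (const DWORD*)RvaToPtr(dwNameRva);
    if (!pNameValueRva) {
        return NULL;   // slot lies outside the mapped image
    }

    // May itself be NULL when the string RVA does not map; callers must check.
    return (char*)RvaToPtr(*pNameValueRva);
}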
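// Enumerate the DLL names in the import directory of the PE file `exename`,
// invoking cb(name, user_data) for each one until cb returns 0.
//
// Returns LISTDLL_SUCCESS or one of the LISTDLL_ERR_* codes. Cleanup of the
// file handle, mapping and view is delegated to the RETURN macro (defined
// elsewhere in this file), as in the original.
//
// The file is untrusted input, so every header field used as an offset is
// range-checked against the mapped size before it is dereferenced:
//  - the file must hold a whole IMAGE_DOS_HEADER before e_magic is read;
//  - e_lfanew is signed and must land a complete IMAGE_NT_HEADERS inside the
//    mapping (the old test only compared the header's start address);
//  - each IMAGE_IMPORT_DESCRIPTOR must fit entirely below `end`.
// The RVA-to-pointer helpers are given `end` and are assumed to reject RVAs
// that map outside [base, end) — confirm, they are defined elsewhere.
//
// Bug fixed: a descriptor whose Name RVA failed to map used to `continue`
// without advancing `desc`, spinning forever on a crafted import table.
int ListDlls(LPSTR exename, ListDllsCallback cb, void*user_data)
{
    HANDLE fh = INVALID_HANDLE_VALUE;
    HANDLE map = 0;
    LPVOID base = NULL;
    LPVOID end = NULL;
    DWORD size = 0;
    DWORD sizehi = 0;
    LONG e_lfanew = 0;
    PIMAGE_NT_HEADERS nt = NULL;
    PIMAGE_IMPORT_DESCRIPTOR desc = NULL;
    PIMAGE_SECTION_HEADER sect = NULL;
    DWORD imports = 0;

    fh = CreateFile(exename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if (fh == INVALID_HANDLE_VALUE) {
        RETURN(LISTDLL_ERR_CANT_OPEN);
    }

    // Only 32-bit file sizes are supported; `end` is computed from `size`.
    size = GetFileSize(fh, &sizehi);
    if (sizehi) {
        RETURN(LISTDLL_ERR_TOO_BIG);
    }
    // Must be able to read the whole DOS header before looking at e_magic.
    if (size < sizeof(IMAGE_DOS_HEADER)) {
        RETURN(LISTDLL_ERR_NOT_EXE);
    }

    map = CreateFileMapping(fh, NULL, PAGE_READONLY, 0, 0, NULL);
    if (!map) {
        RETURN(LISTDLL_ERR_MAP);
    }
    base = MapViewOfFile(map, FILE_MAP_READ, 0, 0, 0);   // whole file, read-only
    if (!base) {
        RETURN(LISTDLL_ERR_MAPVIEW);
    }
    end = (char*)base + size;   // one past the last mapped byte

    if (((PIMAGE_DOS_HEADER)base)->e_magic != IMAGE_DOS_SIGNATURE) {
        RETURN(LISTDLL_ERR_NOT_EXE);
    }

    // e_lfanew is a LONG from the file: reject negative offsets and any offset
    // that would leave part of IMAGE_NT_HEADERS past the end of the mapping.
    e_lfanew = ((PIMAGE_DOS_HEADER)base)->e_lfanew;
    if (e_lfanew < 0 || (DWORD)e_lfanew > size || sizeof(IMAGE_NT_HEADERS) > size - (DWORD)e_lfanew) {
        RETURN(LISTDLL_ERR_BAD_PE);
    }
    // Pointer arithmetic on char* instead of casting base to DWORD, which
    // truncates on 64-bit builds.
    nt = (PIMAGE_NT_HEADERS)((char*)base + e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) {
        RETURN(LISTDLL_ERR_NOT_PE);
    }

    imports = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (imports == 0) {
        RETURN(LISTDLL_ERR_NO_IMP_SECT);
    }
    // The RVA is validated by RvaToHdr/RvaToPtr below; the old comparison of
    // the RVA against the virtual address `end` was not a meaningful check.
    sect = RvaToHdr(base, imports, nt, end);
    if (!sect) {
        RETURN(LISTDLL_ERR_NO_IMP_HDR);
    }
    desc = (PIMAGE_IMPORT_DESCRIPTOR)RvaToPtr(base, imports, nt, end);
    if (!desc) {
        RETURN(LISTDLL_ERR_NO_IMP_DESC);
    }

    // The import directory is terminated by an all-zero descriptor; stop on
    // that, or as soon as a descriptor would not fit entirely in the mapping.
    while (within(base, desc, end)
           && (char*)desc + sizeof(IMAGE_IMPORT_DESCRIPTOR) <= (char*)end
           && (desc->TimeDateStamp || desc->Name)) {
        const char* name = (const char*)RvaToPtr(base, desc->Name, nt, end);
        if (name) {
            if (!cb(name, user_data)) {
                break;   // callback asked to stop
            }
        }
        // Unmappable names are skipped, but desc must still advance.
        desc++;
    }

    RETURN(LISTDLL_SUCCESS);
}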
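// Return the export address-table entry (function RVA) at index nIndex, or 0
// if the entry's own RVA is 0 or does not map into the image.
//
// The original dereferenced RvaToPtr(dwFuncRva) without checking for NULL;
// since dwFuncRva is read from the (untrusted) image, a bogus table RVA was
// a NULL/wild read. 0 is also what the original returned (as NULL) on the
// zero-RVA path, so callers see the same failure value.
//
// NOTE(review): assumes RvaToPtr() guarantees 4 readable bytes at the
// returned address — confirm against its bounds check.
DWORD CPEExport::GetFuncValue(int nIndex)
{
    DWORD dwFuncRva = GetFunc(nIndex);
    if (!dwFuncRva) {
        return 0;
    }
    const DWORD* pFunc = (const DWORD*)RvaToPtr(dwFuncRva);
    if (!pFunc) {
        return 0;   // table slot lies outside the mapped image
    }
    return *pFunc;
}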
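// Return the ordinal-table entry at index nIndex, or 0 if the entry's RVA is
// 0 or does not map into the image.
//
// Same hardening as GetFuncValue: the RVA comes from untrusted image data and
// RvaToPtr()'s result is now checked before the WORD read. 0 matches the
// value the original returned (as NULL) on the zero-RVA path.
//
// NOTE(review): assumes RvaToPtr() guarantees 2 readable bytes at the
// returned address — confirm against its bounds check.
WORD CPEExport::GetNameOrdValue(int nIndex)
{
    DWORD dwNameOrdRva = GetNameOrd(nIndex);
    if (!dwNameOrdRva) {
        return 0;
    }
    const WORD* pOrd = (const WORD*)RvaToPtr(dwNameOrdRva);
    if (!pOrd) {
        return 0;   // ordinal slot lies outside the mapped image
    }
    return *pOrd;
}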
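// Resolve data directory `DirectoryEntry` (an IMAGE_DIRECTORY_ENTRY_* index)
// to a pointer into the mapped image, or NULL if the file has no NT header,
// the directory is absent (VirtualAddress == 0) or the RVA does not map.
//
// Change: the result of GetDataDirectory() is checked before ->VirtualAddress
// is read. The original dereferenced it blindly, which is a NULL read if the
// helper returns NULL for an index beyond the header's directory count
// (NumberOfRvaAndSizes is attacker-controlled in a malformed file). The
// unused optional-header local was dropped.
//
// NOTE(review): assumes GetDataDirectory() returns PIMAGE_DATA_DIRECTORY
// (it is used via ->VirtualAddress) and returns NULL on an invalid index —
// confirm against its definition.
void * CPEFile::GetDirectoryEntryToData(unsigned short DirectoryEntry)
{
    if (!GetNtHeader()) {
        return NULL;   // not a PE image, or headers not mapped
    }

    PIMAGE_DATA_DIRECTORY pDir = GetDataDirectory(DirectoryEntry);
    if (!pDir) {
        return NULL;   // directory index not present in this header
    }

    DWORD dwDataStartRVA = pDir->VirtualAddress;
    if (!dwDataStartRVA) {
        return NULL;   // directory not used by this image
    }

    // NULL when the RVA falls outside every section; passed through as-is.
    return RvaToPtr(dwDataStartRVA);
}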
// Worker thread body (superset-query variant).
//
// Repeatedly takes a function index from GetM() until it returns -1,
// disassembles that function out of the mapped target image, builds its
// control-flow graph and runs a VF2 subgraph match of every library CFG that
// the database query below selects against it. Per-thread counters
// fn[thread_id] / instruction_count[thread_id] are updated as a side effect.
// Results are reported only through my_visitor2; the function itself returns 0.
//
// NOTE(review): the thread index and several pointers are carried through
// plain `int`s below — this only round-trips on a 32-bit build.
unsigned __stdcall MatchThread(void *pParam)
{
    int FLEN;
    int n = 0, n1, i;   // `n` is never used
    dbQuery sql;
    ControlFlowGraph *target_cfg;
    db.attach();        // per-thread database session, released by db.detach() below
    dbCursor<LibM> cursor1;
    int thread_id = (int)pParam;   // thread index smuggled through the void* argument
    instruction_count[thread_id] = 0;
    fn[thread_id] = 0;
    while ((i = GetM()) != -1) {
        int startEA = f_info[i].startEA;
        FLEN = f_info[i].len;
        // disasm
        // presumably startEA is a virtual address, so subtracting the image
        // base yields the RVA that RvaToPtr expects — confirm against f_info.
        byte *bin = (byte *)RvaToPtr(pImageNtH, stMapFile.ImageBase, startEA - pOH->ImageBase);
        if (bin == NULL) {
            continue;   // function start does not map into the image: skip it
        }
        target_cfg = (ControlFlowGraph *)disasm(bin, FLEN, false, NULL);
        if (target_cfg == NULL || target_cfg->instructions.size() < MIN_INS_LENGTH) {
            clean(target_cfg);   // assumes clean() tolerates NULL — confirm
            continue;
        }
        fn[thread_id]++;
        instruction_count[thread_id] += target_cfg->instructions.size();
        target_cfg->build();
        {
            // Pre-filter: every per-class instruction count and the block
            // size of a candidate library function must be <= the target's.
            // The pieces "and block_size<=" / "order by" lack a leading space;
            // whether dbQuery separates them from the preceding bound value
            // should be confirmed against the dbQuery implementation.
            sql = "MOV_COUNT<=", target_cfg->MOV_COUNT, " and CTI_COUNT<=", target_cfg->CTI_COUNT, " and ARITHMETIC_COUNT<=", target_cfg->ARITHMETIC_COUNT, " and LOGI_COUNT<=", target_cfg->LOGI_COUNT, " and STRING_COUNT<=", target_cfg->STRING_COUNT, " and ETC_COUNT<=", target_cfg->ETC_COUNT, " and instruction_size<=", target_cfg->instructions.size(), "and block_size<=", target_cfg->bb_len, "order by instruction_size desc";
        }
        n1 = cursor1.select(sql);
        if (n1 == 0) {
            clean(target_cfg);
            continue;   // no library candidate passes the count filter
        }
        // One bit per target instruction; shared with my_visitor2 via d[3].
        CBitSet lib_info(target_cfg->instructions.size());
        do {
            ControlFlowGraph *library_cfg = (ControlFlowGraph *)(cursor1->cfg);
            // Rebuilt for the target on every candidate (not hoisted out of
            // the loop) — harmless only if buildDepGraph is idempotent.
            target_cfg->buildDepGraph(false);
            library_cfg->buildDepGraph(true);
            library_cfg->serialize();
            library_cfg->buildVLibGraph();
            target_cfg->serialize();
            target_cfg->buildVLibGraph();
            //r0[thread_id]++;
            Graph _g(&target_cfg->vlibARGEdit);   // target = the graph searched
            Graph _m(&library_cfg->vlibARGEdit);  // library = the pattern
            // ownership of the comparator presumably passes to _m — confirm,
            // otherwise this leaks one object per candidate.
            _m.SetNodeComparator(new InstructionComparator3);
            VF2SubState s0(&_m, &_g);
            // Context handed to the visitor as an int[4]; pointers are cast to
            // int, which truncates on a 64-bit build.
            int d[4];
            d[0] = (int)target_cfg;
            d[1] = startEA;
            d[2] = (int)cursor1->lib_name;
            d[3] = (int)&lib_info;
            Match m(&s0, my_visitor2, &d);
            m.match_serial();
        } while (cursor1.next());
        clean(target_cfg);
    }
    db.detach();
    printf("#%d done.\n", thread_id);
    return 0;
}
//
// process thread
//
// Worker thread body (exact-match variant).
//
// Same loop as MatchThread — take a function index from GetM() until -1,
// disassemble it from the mapped image, build its CFG and VF2-match library
// CFGs against it — but the database filter requires every count to be
// *equal* to the target's, two extra structural pre-filters (BBLR, BBSR)
// prune candidates, the match runs in parallel (match_par) and a hit is
// printed as "<thread>\t1\t<startEA>\t<lib_name>".
//
// NOTE(review): thread index is carried through a plain `int` cast of the
// void* argument — round-trips only on a 32-bit build.
unsigned __stdcall MatchThreadForFull(void *pParam)
{
    int FLEN;
    int n = 0, n1, i;   // `n` is never used
    dbQuery sql;
    ControlFlowGraph *target_cfg;
    db.attach();        // per-thread database session, released by db.detach() below
    dbCursor<LibM> cursor1;
    int thread_id = (int)pParam;
    instruction_count[thread_id] = 0;
    fn[thread_id] = 0;
    while ((i = GetM()) != -1) {
        int startEA = f_info[i].startEA;
        FLEN = f_info[i].len;
        // disasm
        // presumably startEA is a virtual address, so subtracting the image
        // base yields the RVA that RvaToPtr expects — confirm against f_info.
        byte *bin = (byte *)RvaToPtr(pImageNtH, stMapFile.ImageBase, startEA - pOH->ImageBase);
        if (bin == NULL) {
            continue;   // function start does not map into the image: skip it
        }
        target_cfg = (ControlFlowGraph *)disasm(bin, FLEN, false, NULL);
        if (target_cfg == NULL || target_cfg->instructions.size() < MIN_INS_LENGTH) {
            clean(target_cfg);   // assumes clean() tolerates NULL — confirm
            continue;
        }
        fn[thread_id]++;
        instruction_count[thread_id] += target_cfg->instructions.size();
        target_cfg->build();
        {
            // Pre-filter: all per-class instruction counts, the instruction
            // count and the block size must match the target's exactly.
            // The pieces "and block_size=" / "order by" lack a leading space;
            // whether dbQuery separates them from the preceding bound value
            // should be confirmed against the dbQuery implementation.
            sql = "MOV_COUNT=", target_cfg->MOV_COUNT, " and CTI_COUNT=", target_cfg->CTI_COUNT, " and ARITHMETIC_COUNT=", target_cfg->ARITHMETIC_COUNT, " and LOGI_COUNT=", target_cfg->LOGI_COUNT, " and STRING_COUNT=", target_cfg->STRING_COUNT, " and ETC_COUNT=", target_cfg->ETC_COUNT, " and instruction_size=", target_cfg->instructions.size(), "and block_size=", target_cfg->bb_len, "order by instruction_size desc";
        }
        n1 = cursor1.select(sql);
        if (n1 == 0) {
            clean(target_cfg);
            continue;   // no library candidate passes the count filter
        }
        // One bit per target instruction; handed to my_visitor1 as its context.
        CBitSet lib_info(target_cfg->instructions.size());
        do {
            ControlFlowGraph *library_cfg = (ControlFlowGraph *)(cursor1->cfg);
            // BBLR
            // Reject a library whose basic-block-length set contains a length
            // the target lacks: ~target & library is non-zero in that case.
            // (`continue` in a do/while jumps to the cursor1.next() test.)
            bitset<10240> t = target_cfg->bblen_set;
            t.flip();
            t &= library_cfg->bblen_set;
            if (t.any()) {
                continue;
            }
            // Rebuilt for the target on every candidate (not hoisted out of
            // the loop) — harmless only if buildDepGraph is idempotent.
            target_cfg->buildDepGraph(false);
            library_cfg->buildDepGraph(true);
            //if (bSerialize)
            {
                // rule5: BBSR
                // Second structural pre-filter; the enabling flag is commented
                // out so it is currently unconditional.
                if (!matchBBSF(target_cfg, library_cfg)) {
                    //r5[thread_id]++;
                    continue;
                }
            }
            library_cfg->serialize();
            library_cfg->buildVLibGraph();
            target_cfg->serialize();
            target_cfg->buildVLibGraph();
            //r0[thread_id]++;
            Graph _g(&target_cfg->vlibARGEdit);   // target = the graph searched
            Graph _m(&library_cfg->vlibARGEdit);  // library = the pattern
            // ownership of the comparator presumably passes to _m — confirm,
            // otherwise this leaks one object per candidate.
            _m.SetNodeComparator(new InstructionComparator3);
            VF2SubState s0(&_m, &_g);
            Match m(&s0, my_visitor1, &lib_info);
            m.match_par();
            if (m.foundFlg) {
                // Result record: thread, constant 1, function VA (hex), library name.
                printf("%d\t1\t%X\t%s\n", thread_id, startEA, cursor1->lib_name);
            }
        } while (cursor1.next());
        clean(target_cfg);
    }
    db.detach();
    printf("#%d done.\n", thread_id);
    return 0;
}