int32_t env_w32_hook__execv(struct emu_env *env, struct emu_env_hook *hook)
{
logDebug(env->emu, "Hook me Captain Cook!\n");
logDebug(env->emu, "%s:%i %s\n",__FILE__,__LINE__,__FUNCTION__);
struct emu_cpu *c = emu_cpu_get(env->emu);
uint32_t eip_save;
POP_DWORD(c, &eip_save);
/*
intptr_t _execv(
const char *cmdname,
const char *const *argv
);
intptr_t _wexecv(
const wchar_t *cmdname,
const wchar_t *const *argv
);
*/
uint32_t p_cmdname;
POP_DWORD(c, &p_cmdname);
struct emu_string *cmdname = emu_string_new();
emu_memory_read_string(c->mem, p_cmdname, cmdname, 512);
uint32_t p_argv;
POP_DWORD(c, &p_argv);
if ( env->profile != NULL )
{
emu_profile_function_add(env->profile, "_execv");
emu_profile_argument_add_ptr(env->profile, "const char *", "cmdname", p_cmdname);
emu_profile_argument_add_string(env->profile, "", "", emu_string_char(cmdname));
emu_profile_argument_add_ptr(env->profile, "const char *const *", "argv", p_argv);
emu_profile_argument_add_none(env->profile);
emu_profile_function_returnvalue_int_set(env->profile, "int ", 0);
}
emu_string_free(cmdname);
emu_cpu_eip_set(c, eip_save);
return 0;
}
int32_t __stdcall new_user_hook_LoadLibraryA(struct emu_env_w32 *win, struct emu_env_w32_dll_export *ex)
{
/* LoadLibraryA(LPCTSTR lpFileName); */
struct emu_string *dllstr = emu_string_new();
uint32_t eip_save;
uint32_t dllname_ptr;
POP_DWORD(cpu, &eip_save);
POP_DWORD(cpu, &dllname_ptr);
emu_memory_read_string(mem, dllname_ptr, dllstr, 256);
char *dllname = emu_string_char(dllstr);
printf("%x\tLoadLibraryA(%s) = 0x7800000\t\n", cpu->eip , dllname);
printf("\t--> HOOK RAN OK returns to: %x\n", eip_save);
cpu->reg[eax] = 0x7800000;
emu_string_free(dllstr);
emu_cpu_eip_set(cpu, eip_save);
return 0;
}
int32_t env_linux_hook_execve(struct emu_env *env, struct emu_env_hook *hook)
{
printf("execve\n");
struct emu_cpu *c = emu_cpu_get(env->emu);
struct emu_string *name = emu_string_new();
emu_memory_read_string(emu_memory_get(c->emu), c->reg[ebx], name, 255);
if ( env->profile != NULL )
{
emu_profile_function_add(env->profile, "execve");
emu_profile_argument_add_ptr(env->profile, "const char *", "dateiname", c->reg[ebx]);
emu_profile_argument_add_string(env->profile, "", "", emu_string_char(name));
// emu_profile_argument_add_ptr(env->profile, "", "", c->reg[ecx]);
emu_profile_argument_array_start(env->profile, "const char *", "argv[]");
}
uint32_t p_array = c->reg[ecx];
uint32_t p_arg = -1;
emu_memory_read_dword(emu_memory_get(c->emu), p_array, &p_arg);
int i=1;
// char **argv = NULL;
while (p_arg != 0)
{
// argv = realloc(argv, (i+1) * sizeof(char *));
// argv[i] = NULL;
struct emu_string *arg = emu_string_new();
emu_memory_read_string(emu_memory_get(c->emu), p_arg, arg, 128);
// argv[i-1] = strdup(emu_string_char(arg));
if( emu_string_char(arg) == NULL )
{
emu_string_free(arg);
break;
}
if ( env->profile != NULL )
{
emu_profile_argument_add_ptr(env->profile, "", "", p_array+((i-1)*4));
emu_profile_argument_add_ptr(env->profile, "", "", p_arg);
emu_profile_argument_add_string(env->profile, "", "", emu_string_char(arg));
}
emu_string_free(arg);
emu_memory_read_dword(emu_memory_get(c->emu), p_array+(i*4), &p_arg);
i++;
}
if ( env->profile != NULL )
{
emu_profile_argument_add_ptr(env->profile, "", "", p_arg);
emu_profile_argument_add_none(env->profile);
// printf("arg is %s\n", emu_string_char(arg));
emu_profile_argument_array_end(env->profile);
emu_profile_argument_add_ptr(env->profile, "const char *", "envp[]", c->reg[edx]);
emu_profile_argument_add_none(env->profile);
emu_profile_function_returnvalue_int_set(env->profile, "int", 0);
}
printf("int execve (const char *dateiname=%08x={%s}, const char * argv[], const char *envp[]);\n",
c->reg[ebx],
emu_string_char(name));
emu_string_free(name);
return 0;
}
int graph_draw(struct emu_graph *graph)
{
struct emu_vertex *ev;
struct instr_vertex *iv;
FILE *f = fopen(opts.graphfile,"w+");
struct emu_graph *sgraph = emu_graph_new();
struct emu_hashtable *ht = emu_hashtable_new(2047, emu_hashtable_ptr_hash, emu_hashtable_ptr_cmp);
struct emu_vertex *nev;
struct instr_vertex *niv=NULL;
printf("copying vertexes\n");
for ( ev = emu_vertexes_first(graph->vertexes); !emu_vertexes_attail(ev); ev = emu_vertexes_next(ev) )
{
iv = (struct instr_vertex *)ev->data;
nev = emu_vertex_new();
emu_graph_vertex_add(sgraph, nev);
niv = instr_vertex_copy(iv);
nev->data = niv;
emu_hashtable_insert(ht, (void *)iv, nev);
ev->color = white;
}
printf("optimizing graph\n");
for ( ev = emu_vertexes_first(graph->vertexes); !emu_vertexes_attail(ev); ev = emu_vertexes_next(ev) )
{
// ignore known
if ( ev->color == black )
continue;
printf("vertex %p\n", (void *)ev);
// find the first in a chain
iv = (struct instr_vertex *)ev->data;
while ( emu_edges_length(ev->backedges) == 1 && emu_edges_length(ev->edges) <= 1 && ev->color == white && iv->dll == NULL && iv->syscall == NULL )
{
ev->color = grey;
struct emu_vertex *xev = emu_edges_first(ev->backedges)->destination;
iv = (struct instr_vertex *)xev->data;
if ( emu_edges_length(xev->backedges) > 1 || emu_edges_length(xev->edges) > 1 || iv->dll != NULL || iv->syscall != NULL )
break;
ev = xev;
printf(" -> vertex %p\n",(void *)ev);
}
iv = (struct instr_vertex *)ev->data;
// create the new vertex
nev = (struct emu_vertex *)emu_hashtable_search(ht, (void *)iv)->value;
niv = (struct instr_vertex *)nev->data;
iv = (struct instr_vertex *)ev->data;
printf("going forwards from %p\n", (void *)ev);
while ( emu_edges_length(ev->edges) == 1 && emu_edges_length(ev->backedges) <= 1 && ev->color != black && iv->dll == NULL && iv->syscall == NULL )
{
ev->color = black;
struct emu_vertex *xev = emu_edges_first(ev->edges)->destination;
iv = (struct instr_vertex *)xev->data;
if ( emu_edges_length(xev->backedges) > 1 || emu_edges_length(xev->edges) > 1 ||
iv->dll != NULL || iv->syscall != NULL )
break;
ev = xev;
iv = (struct instr_vertex *)ev->data;
emu_string_append_char(niv->instr_string, emu_string_char(iv->instr_string));
printf(" -> vertex %p\n",(void *)ev);
}
ev->color = black;
printf("copying edges for %p\n",(void *)ev);
struct emu_edge *ee;
for ( ee = emu_edges_first(ev->edges); !emu_edges_attail(ee); ee = emu_edges_next(ee) )
{
struct instr_vertex *ivto = emu_vertex_data_get(ee->destination);
struct emu_hashtable_item *ehi = emu_hashtable_search(ht, (void *)ivto);
struct emu_vertex *to = (struct emu_vertex *)ehi->value;
if ( 1 )// nev != to )//&& to->color != black )
{
struct emu_edge *nee = emu_vertex_edge_add(nev, to);
nee->count = ee->count;
nee->data = ee->data;
printf(" -> %p\n", (void *)to);
}
}
}
graph->vertex_destructor = instr_vertex_destructor;
// emu_graph_free(graph);
graph = sgraph;
emu_hashtable_free(ht);
fprintf(f, "digraph G {\n\t//rankdir=LR\n\tnode [fontname=Courier, labeljust=r];\n");
#if 0
int numdlls=0;
while ( env->loaded_dlls[numdlls] != NULL )
{
int has_dll = 0;
struct emu_string *fs = emu_string_new();
emu_string_append_format(fs, "\t subgraph cluster%i {\n\t\t node [shape=box, style=filled, color=\".7 .3 1.0\"];\n\t\tstyle=filled;\n\t\tcolor=lightgrey;\n\t\tlabel=\"%s\"\n\t\t", numdlls, env->loaded_dlls[numdlls]->dllname);
for ( ev = emu_vertexes_first(graph->vertexes); !emu_vertexes_attail(ev); ev = emu_vertexes_next(ev) )
{
struct instr_vertex *iv = emu_vertex_data_get(ev);
if ( iv->dll == env->loaded_dlls[numdlls] )
{
emu_string_append_format(fs, "\t\%i [label = \"%s\"];\n", iv->eip, emu_string_char(iv->instr_string));
has_dll = 1;
}
}
emu_string_append_char(fs, "\t}\n");
fprintf(f, "%s", emu_string_char(fs));
numdlls++;
}
int32_t env_w32_hook_fopen(struct emu_env *env, struct emu_env_hook *hook)
{
logDebug(env->emu, "Hook me Captain Cook!\n");
logDebug(env->emu, "%s:%i %s\n",__FILE__,__LINE__,__FUNCTION__);
struct emu_cpu *c = emu_cpu_get(env->emu);
uint32_t eip_save;
POP_DWORD(c, &eip_save);
/*
FILE *fopen( const char *filename, const char *mode );
FILE *_wfopen( const wchar_t *filename, const wchar_t *mode );
*/
uint32_t p_filename;
MEM_DWORD_READ(c, c->reg[esp], &p_filename);
struct emu_string *filename = emu_string_new();
emu_memory_read_string(c->mem, p_filename, filename, 512);
uint32_t p_mode;
MEM_DWORD_READ(c, c->reg[esp]+4, &p_mode);
struct emu_string *mode = emu_string_new();
emu_memory_read_string(c->mem, p_mode, mode, 512);
// printf("fopen(%s, %s)\n", emu_string_char(filename), (char *)mode->data);
uint32_t returnvalue;
if ( hook->hook.win->userhook != NULL )
{
returnvalue = hook->hook.win->userhook(env, hook,
emu_string_char(filename),
emu_string_char(mode));
}else
{
returnvalue = 0x89898989;
}
emu_cpu_reg32_set(c, eax, returnvalue);
if (env->profile != NULL)
{
emu_profile_function_add(env->profile, "fopen");
emu_profile_argument_add_ptr(env->profile, "const char *", "filename", p_filename);
emu_profile_argument_add_string(env->profile, "", "", emu_string_char(filename));
emu_profile_argument_add_ptr(env->profile, "const char *", "mode", p_mode);
emu_profile_argument_add_string(env->profile, "", "", emu_string_char(mode));
emu_profile_function_returnvalue_ptr_set(env->profile, "FILE *", returnvalue);
emu_profile_argument_add_none(env->profile);
}
emu_string_free(filename);
emu_string_free(mode);
emu_cpu_eip_set(c, eip_save);
return 0;
}
