int32_t env_hook_SHGetSpecialFolderPathA(struct emu_env *env, struct emu_env_hook *hook) { struct emu_cpu *c = emu_cpu_get(env->emu); struct emu_memory *mem = emu_memory_get(env->emu); uint32_t eip_save; POP_DWORD(c, &eip_save); /* CopyBOOL SHGetSpecialFolderPath( HWND hwndOwner, __out LPTSTR lpszPath, __in int csidl, __in BOOL fCreate ); */ uint32_t hwnd; POP_DWORD(c, &hwnd); uint32_t buf; POP_DWORD(c, &buf); uint32_t csidl; POP_DWORD(c, &csidl); uint32_t fCreate; POP_DWORD(c, &fCreate); char buf255[255]; memset(buf255,0,254); GetSHFolderName(csidl, (char*)&buf255); emu_memory_write_block(mem,buf,buf255,strlen(buf255)); emu_cpu_reg32_set(c, eax, 0); if ( env->profile != NULL ) { emu_profile_function_add(env->profile, "SHGetSpecialFolderPath"); emu_profile_argument_add_int(env->profile, "HWND", "hwndOwner", hwnd); emu_profile_argument_add_ptr(env->profile, "LPCSTR", "lpszPath", buf); emu_profile_argument_add_string(env->profile, "", "", buf255); emu_profile_argument_add_int(env->profile, "int", "csidl", csidl); emu_profile_argument_add_int(env->profile, "BOOL", "fCreate", fCreate); emu_profile_function_returnvalue_int_set(env->profile, "BOOL", c->reg[eax]); } emu_cpu_eip_set(c, eip_save); return 0; }
int32_t env_w32_hook__execv(struct emu_env *env, struct emu_env_hook *hook) { logDebug(env->emu, "Hook me Captain Cook!\n"); logDebug(env->emu, "%s:%i %s\n",__FILE__,__LINE__,__FUNCTION__); struct emu_cpu *c = emu_cpu_get(env->emu); uint32_t eip_save; POP_DWORD(c, &eip_save); /* intptr_t _execv( const char *cmdname, const char *const *argv ); intptr_t _wexecv( const wchar_t *cmdname, const wchar_t *const *argv ); */ uint32_t p_cmdname; POP_DWORD(c, &p_cmdname); struct emu_string *cmdname = emu_string_new(); emu_memory_read_string(c->mem, p_cmdname, cmdname, 512); uint32_t p_argv; POP_DWORD(c, &p_argv); if ( env->profile != NULL ) { emu_profile_function_add(env->profile, "_execv"); emu_profile_argument_add_ptr(env->profile, "const char *", "cmdname", p_cmdname); emu_profile_argument_add_string(env->profile, "", "", emu_string_char(cmdname)); emu_profile_argument_add_ptr(env->profile, "const char *const *", "argv", p_argv); emu_profile_argument_add_none(env->profile); emu_profile_function_returnvalue_int_set(env->profile, "int ", 0); } emu_string_free(cmdname); emu_cpu_eip_set(c, eip_save); return 0; }
int32_t instr_ret_c3(struct emu_cpu *c, struct emu_cpu_instruction *i) { /* C3 * Near return to calling procedure * RET */ POP_DWORD(c, &c->eip); return 0; }
int32_t __stdcall new_user_hook_LoadLibraryA(struct emu_env_w32 *win, struct emu_env_w32_dll_export *ex) { /* LoadLibraryA(LPCTSTR lpFileName); */ struct emu_string *dllstr = emu_string_new(); uint32_t eip_save; uint32_t dllname_ptr; POP_DWORD(cpu, &eip_save); POP_DWORD(cpu, &dllname_ptr); emu_memory_read_string(mem, dllname_ptr, dllstr, 256); char *dllname = emu_string_char(dllstr); printf("%x\tLoadLibraryA(%s) = 0x7800000\t\n", cpu->eip , dllname); printf("\t--> HOOK RAN OK returns to: %x\n", eip_save); cpu->reg[eax] = 0x7800000; emu_string_free(dllstr); emu_cpu_eip_set(cpu, eip_save); return 0; }
int32_t instr_ret_c2(struct emu_cpu *c, struct emu_cpu_instruction *i) { /* C2 * Near return to calling procedure and pop imm16 bytes from stack * iw RET imm16 */ POP_DWORD(c, &c->eip); #if BYTE_ORDER == BIG_ENDIAN uint16_t val; bcopy(i->imm16, &val, 2); c->reg[esp] += val; #else c->reg[esp] += *i->imm16; #endif return 0; }
int32_t env_w32_hook_fclose(struct emu_env *env, struct emu_env_hook *hook) { logDebug(env->emu, "Hook me Captain Cook!\n"); logDebug(env->emu, "%s:%i %s\n",__FILE__,__LINE__,__FUNCTION__); struct emu_cpu *c = emu_cpu_get(env->emu); uint32_t eip_save; POP_DWORD(c, &eip_save); /* int _fcloseall( void ); int fclose( FILE *stream ); */ uint32_t p_stream; MEM_DWORD_READ(c, c->reg[esp], &p_stream); logDebug(env->emu, "fclose(0x%08x)\n", p_stream); emu_cpu_reg32_set(c, eax, 0); if (env->profile != NULL) { emu_profile_function_add(env->profile, "fclose"); emu_profile_argument_add_ptr(env->profile, "FILE *", "stream", p_stream); emu_profile_argument_add_none(env->profile); emu_profile_function_returnvalue_int_set(env->profile, "int", 0); } emu_cpu_eip_set(c, eip_save); return 0; }
int32_t env_w32_hook_fwrite(struct emu_env *env, struct emu_env_hook *hook) { logDebug(env->emu, "Hook me Captain Cook!\n"); logDebug(env->emu, "%s:%i %s\n",__FILE__,__LINE__,__FUNCTION__); struct emu_cpu *c = emu_cpu_get(env->emu); uint32_t eip_save; POP_DWORD(c, &eip_save); /* size_t fwrite( const void *buffer, size_t size, size_t count, FILE *stream ); */ uint32_t p_buffer; MEM_DWORD_READ(c, c->reg[esp], &p_buffer); uint32_t size; MEM_DWORD_READ(c, (c->reg[esp]+4), &size); uint32_t count; MEM_DWORD_READ(c, (c->reg[esp]+8), &count); unsigned char *buffer = malloc(size*count); emu_memory_read_block(emu_memory_get(env->emu), p_buffer, buffer, size*count); uint32_t p_stream; MEM_DWORD_READ(c, c->reg[esp]+12, &p_stream); uint32_t returnvalue; if ( hook->hook.win->userhook != NULL ) { returnvalue = hook->hook.win->userhook(env, hook, buffer, size, count, p_stream); }else { returnvalue = size*count; } logDebug(env->emu, "fwrite(0x%08x, %d, %d, 0x%08x)\n", p_buffer, size, count, p_stream); emu_cpu_reg32_set(c, eax, returnvalue); if ( env->profile != NULL ) { emu_profile_function_add(env->profile, "fwrite"); emu_profile_function_returnvalue_int_set(env->profile, "size_t", returnvalue); emu_profile_argument_add_ptr(env->profile, "const void *", "buffer", p_buffer); emu_profile_argument_add_bytea(env->profile, "", "", buffer, size*count); emu_profile_argument_add_int(env->profile, "size_t", "size", size); emu_profile_argument_add_int(env->profile, "count_t", "count", count); emu_profile_argument_add_ptr(env->profile, "FILE *", "stream", p_stream); emu_profile_argument_add_none(env->profile); } free(buffer); emu_cpu_eip_set(c, eip_save); return 0; }
int32_t env_w32_hook_fopen(struct emu_env *env, struct emu_env_hook *hook) { logDebug(env->emu, "Hook me Captain Cook!\n"); logDebug(env->emu, "%s:%i %s\n",__FILE__,__LINE__,__FUNCTION__); struct emu_cpu *c = emu_cpu_get(env->emu); uint32_t eip_save; POP_DWORD(c, &eip_save); /* FILE *fopen( const char *filename, const char *mode ); FILE *_wfopen( const wchar_t *filename, const wchar_t *mode ); */ uint32_t p_filename; MEM_DWORD_READ(c, c->reg[esp], &p_filename); struct emu_string *filename = emu_string_new(); emu_memory_read_string(c->mem, p_filename, filename, 512); uint32_t p_mode; MEM_DWORD_READ(c, c->reg[esp]+4, &p_mode); struct emu_string *mode = emu_string_new(); emu_memory_read_string(c->mem, p_mode, mode, 512); // printf("fopen(%s, %s)\n", emu_string_char(filename), (char *)mode->data); uint32_t returnvalue; if ( hook->hook.win->userhook != NULL ) { returnvalue = hook->hook.win->userhook(env, hook, emu_string_char(filename), emu_string_char(mode)); }else { returnvalue = 0x89898989; } emu_cpu_reg32_set(c, eax, returnvalue); if (env->profile != NULL) { emu_profile_function_add(env->profile, "fopen"); emu_profile_argument_add_ptr(env->profile, "const char *", "filename", p_filename); emu_profile_argument_add_string(env->profile, "", "", emu_string_char(filename)); emu_profile_argument_add_ptr(env->profile, "const char *", "mode", p_mode); emu_profile_argument_add_string(env->profile, "", "", emu_string_char(mode)); emu_profile_function_returnvalue_ptr_set(env->profile, "FILE *", returnvalue); emu_profile_argument_add_none(env->profile); } emu_string_free(filename); emu_string_free(mode); emu_cpu_eip_set(c, eip_save); return 0; }