int main( int argc, const char * argv[] )
/*********************************/
{
int contok;
int retcode;
TRMemOpen();
contok = ScanParams( argc, argv );
if (CmdLineParms.PrintHelp) {
PrintUsageMessage( argv[0] );
}
if (contok) {
retcode = DumpFile();
} else {
retcode = 1;
}
FreeParams();
switch (retcode) {
case 1: /* reading parameters */
break;
case 2: /* reading input file */
puts( "Error reading input file" );
break;
}
TRMemClose();
return( retcode );
}
void Decrypt(char *str, char *out) {
DWORD dwSize;
PBYTE data = GetFile(str, &dwSize);
Decrypt_NA_00000000(data);
DumpFile(out, data, dwSize);
}
int main(int argc, char* argv[])
{
if(6 != argc)
{
printf("Syntax: %s dest embedsource pattern symbol define\n", argv[0]);
return 1;
}
const char* pDestArg = argv[1];
const char* pEmbedSourceArg = argv[2];
const char* pPatternArg = argv[3];
const char* pSymbolArg = argv[4];
const char* pDefineArg = argv[5];
char* pEmbedSrc = ReadFile(pEmbedSourceArg);
if(!pEmbedSrc)
{
return 1;
}
char* pEmbedStart = pEmbedSrc;
char* pEmbedStartEnd = strstr(pEmbedStart, pPatternArg);
char* pEmbedEnd = 0;
if(pEmbedStartEnd)
{
pEmbedEnd = pEmbedStartEnd + strlen(pPatternArg);
*pEmbedStartEnd = '\0';
}
FILE* pOut = fopen(pDestArg, "a");
if(!pOut)
{
free(pEmbedSrc);
return 1;
}
fprintf(pOut, "///start file generated from %s\n", pEmbedSourceArg);
fprintf(pOut, "#ifdef %s\n", pDefineArg);
DumpFile(pOut, pEmbedStart, pSymbolArg, "_begin");
DumpFile(pOut, pEmbedEnd, pSymbolArg, "_end");
fprintf(pOut, "#endif //%s\n", pDefineArg);
fprintf(pOut, "\n///end file generated from %s\n", pEmbedSourceArg);
fclose(pOut);
free(pEmbedSrc);
return 0;
}
int main(int argc, char *argv[])
{
DumpFile("dxgi.pdb");
PSTR filename;
if ( argc == 1 )
{
printf( HelpText );
return 1;
}
filename = ProcessCommandLine(argc, argv);
if ( filename )
DumpFile( filename );
return 0;
}
int main( int argc, char **argv )
{
char *dips[16] = { 0 };
int next_dip = 0;
int c;
// char *s;
/* Process command line options */
if( argc < 2 ) {
return( PrintUsage() );
}
while( (c = getopt( argc, argv, ":hd:" )) != EOF ) {
switch( c ) {
case 'd': {
char *dip = optarg;
if( next_dip >= sizeof( dips ) / sizeof( dips[0] ) ) {
return( ErrorMsg( "too many DIPs!\n" ) );
}
dips[next_dip++] = dip;
break;
}
case 'h':
default:
return( PrintUsage() );
}
}
#if 0
/* Add default DIPs at end of list. */
s = DIPDefaults;
while( *s ) {
if( next_dip >= sizeof( dips ) / sizeof( dips[0] ) ) {
return( ErrorMsg( "too many DIPs!\n" ) );
}
dips[next_dip++] = s;
s += strlen( s ) + 1;
}
#endif
/* Try to dump debug info for all remaining arguments */
while( argv[optind] ) {
int rc = DumpFile( argv[optind], dips );
if( rc ) {
return( rc );
}
++optind;
}
return( 0 );
}
INT_PTR CALLBACK DialogProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
ULONG_PTR i;
char text[MAX_PATH];
switch (uMsg)
{
case WM_CLOSE:
EndDialog(hwndDlg, 0);
return 1;
case WM_INITDIALOG:
hCombo = GetDlgItem(hwndDlg, IDC_COMBO1);
hList = GetDlgItem(hwndDlg, IDC_LIST1);
hLogList = GetDlgItem(hwndDlg, IDC_LIST2);
InitColumn(hwndDlg);
ListProcesses();
return 1;
case WM_COMMAND:
switch (LOWORD(wParam))
{
case IDC_COMBO1:
if (HIWORD(wParam) == CBN_SELENDOK)
{
i = SendMessageA(hCombo, CB_GETCURSEL, 0, 0);
SendMessageA(hCombo, CB_GETLBTEXT, i, (LPARAM)&text);
SendMessageA(hList, LVM_DELETEALLITEMS, 0, 0);
SendMessageA(hLogList, LB_RESETCONTENT, 0, 0);
dwPid = strtol(text, NULL, 16);
AnalyzeImports(dwPid);
}
return 0;
case ID_DUMP:
if (dwPid == 0)
{
MessageBoxA(hwndDlg, "[-] Plz select a process", "DaF", MB_ICONERROR);
}
else
{
DumpFile(hwndDlg);
}
return 0;
}
return 0;
default:
return 0;
}
return 0;
}
void Encrypt(char *str, char *out) {
DWORD dwSize;
PBYTE data = GetFile(str, &dwSize);
extern unsigned int dword_834A73A4[];
extern unsigned char unk_835C4AA0[];
extern unsigned char unk_83441544[];
// setting up some stuff
dword_834A73A4[0] = *(unsigned int*)(data + 0x40);
memcpy(unk_835C4AA0, data + 0x44, 0x4CAA4);
memcpy(unk_83441544, data + 0x44, 0x4CAA4);
Encrypt_NA_00000000(data);
DumpFile(out, data, 0x4CAE8);
}
//---------------------------------------------------------------------------
void __fastcall TMainForm::b_fhashClick(TObject *Sender)
{
char* data;
FILE* in = fopen(AnsiString(e_fpath->Text).c_str(), "rb");
if (in == 0) {ShowMessage("File not found or can't be accessed for reading."); return;}
fseek(in, 0, SEEK_END);
unsigned long int size = ftell(in);
fclose(in);
data = new char[size+1];
DumpFile(data, AnsiString(e_fpath->Text).c_str());
e_fhash->Text = UnicodeString(do_md5(data, size));
delete[] data;
}
void GenFiles(char pre, int n, int *ix, int *iy, int *ia, int *ib,
FILENODE **bp)
/*
* Generates all needed files
*/
{
int i;
char *nam, *typ;
char ln[128];
FILE *fpout;
GenMainRout(pre, n, ix, iy, ia, ib, bp);
GenMakefile(pre, n, ix, iy, ia, ib, bp);
for (i=0; i < n; i++)
{
nam = GetNam(pre, ia[i], ib[i], ix[i], iy[i]);
sprintf(ln, "GEN/%s.c", nam);
fpout = fopen(ln, "w");
assert(fpout);
fprintf(fpout, "#define ATL_UAXPBY %s\n\n", nam);
DumpFile(bp[i]->rout, fpout);
fclose(fpout);
}
}
static int
DumpVnode(int dumpfd, struct VnodeDiskObject *v, int volid, int vnodeNumber,
int dumpEverything, struct Volume *vp)
{
int code = 0;
IHandle_t *ihP;
FdHandle_t *fdP;
if (verbose)
fprintf(stderr, "dumping vnode %d\n", vnodeNumber);
if (!v || v->type == vNull)
return code;
if (!code)
code = DumpDouble(dumpfd, D_VNODE, vnodeNumber, v->uniquifier);
if (!dumpEverything)
return code;
if (!code)
code = DumpByte(dumpfd, 't', (byte) v->type);
if (!code)
code = DumpShort(dumpfd, 'l', v->linkCount); /* May not need this */
if (!code)
code = DumpInt32(dumpfd, 'v', v->dataVersion);
if (!code)
code = DumpInt32(dumpfd, 'm', v->unixModifyTime);
if (!code)
code = DumpInt32(dumpfd, 'a', v->author);
if (!code)
code = DumpInt32(dumpfd, 'o', v->owner);
if (!code && v->group)
code = DumpInt32(dumpfd, 'g', v->group); /* default group is 0 */
if (!code)
code = DumpShort(dumpfd, 'b', v->modeBits);
if (!code)
code = DumpInt32(dumpfd, 'p', v->parent);
if (!code)
code = DumpInt32(dumpfd, 's', v->serverModifyTime);
if (v->type == vDirectory) {
acl_HtonACL(VVnodeDiskACL(v));
if (!code)
code =
DumpByteString(dumpfd, 'A', (byte *) VVnodeDiskACL(v),
VAclDiskSize(v));
}
if (VNDISK_GET_INO(v)) {
IH_INIT(ihP, V_device(vp), V_parentId(vp), VNDISK_GET_INO(v));
fdP = IH_OPEN(ihP);
if (fdP == NULL) {
fprintf(stderr,
"Unable to open inode %s for vnode %u (volume %i); not dumped, error %d\n",
PrintInode(NULL, VNDISK_GET_INO(v)), vnodeNumber, volid,
errno);
}
else
{
if (verbose)
fprintf(stderr, "about to dump inode %s for vnode %u\n",
PrintInode(NULL, VNDISK_GET_INO(v)), vnodeNumber);
code = DumpFile(dumpfd, vnodeNumber, fdP, v);
FDH_CLOSE(fdP);
}
IH_RELEASE(ihP);
}
if (verbose)
fprintf(stderr, "done dumping vnode %d\n", vnodeNumber);
return code;
}
void main(int argc, char **argv)
{
char *fargv[1000];
char cmdline[10000];
int i, arg;
FILE *fout;
int pos, len;
int full = 0;
char *outfile = NULL;
if (argc < 3) {
Usage:
fprintf(stderr, "Usage: %s ?-o outfile? ?-f(ull)? <dllname> <object filenames> ..\n", argv[0]);
exit(1);
}
arg = 1;
while (argv[arg][0] == '-') {
if (strcmp(argv[arg], "--") == 0) {
arg++;
break;
} else if (strcmp(argv[arg], "-f") == 0) {
full = 1;
} else if (strcmp(argv[arg], "-o") == 0) {
arg++;
if (arg == argc) {
goto Usage;
}
outfile = argv[arg];
}
arg++;
}
if (arg == argc) {
goto Usage;
}
if (outfile) {
fout = fopen(outfile, "w+");
if (fout == NULL) {
fprintf(stderr, "Unable to open \'%s\' for writing:\n",
argv[arg]);
perror("");
exit(1);
}
} else {
fout = stdout;
}
if (! full) {
char *dllname = argv[arg];
arg++;
if (arg == argc) {
goto Usage;
}
fprintf(fout, "LIBRARY %s\n", dllname);
fprintf(fout, "EXPORTS\n");
}
for (; arg < argc; arg++) {
if (argv[arg][0] == '@') {
FILE *fargs = fopen(&argv[arg][1], "r");
if (fargs == NULL) {
fprintf(stderr, "Unable to open \'%s\' for reading:\n",
argv[arg]);
perror("");
exit(1);
}
pos = 0;
for (i = 0; i < arg; i++) {
strcpy(&cmdline[pos], argv[i]);
pos += strlen(&cmdline[pos]) + 1;
fargv[i] = argv[i];
}
while (fgets(&cmdline[pos], sizeof(cmdline) - pos, fargs) != 0) {
len = strlen(&cmdline[pos]);
cmdline[pos + len - 1] = ' ';
i += GetArgcArgv(&cmdline[pos], &fargv[i]);
pos += len;
}
fclose(fargs);
argc = i;
argv = fargv;
}
DumpFile(argv[arg], fout, full);
}
exit(0);
}
int main(int argc, char **argv)
{
int rcRet = 0;
/*
* Parse arguments.
*/
int fArgsDone = 0;
for (int i = 1; i < argc; i++)
{
const char *psz = argv[i];
if (!fArgsDone && psz[0] == '-' && psz[1])
{
/* convert long option to short. */
if (*++psz == '-')
{
psz++;
if (!*psz) /* -- */
{
fArgsDone = 1;
continue;
}
if (!strcmp(psz, "line-numbers"))
psz = "l";
else if (!strcmp(psz, "no-line-numbers"))
psz = "L";
else if (!strcmp(psz, "global-syms") || !strcmp(psz, "public-syms"))
psz = "g";
else if (!strcmp(psz, "no-global-syms") || !strcmp(psz, "no-public-syms"))
psz = "G";
else if (!strcmp(psz, "privat-syms") || !strcmp(psz, "local-syms"))
psz = "p";
else if (!strcmp(psz, "no-privat-syms") || !strcmp(psz, "no-local-syms"))
psz = "P";
else if (!strcmp(psz, "version"))
psz = "v";
else if (!strcmp(psz, "help"))
psz = "h";
else
{
fprintf(stderr, "%s: syntax error: unknown option '--%s'\n", argv[0], psz);
return 1;
}
}
/* eat short options. */
while (*psz)
switch (*psz++)
{
case 'l': g_fLineNumbers = 1; break;
case 'L': g_fLineNumbers = 0; break;
case 'p': g_fPrivateSyms = 1; break;
case 'P': g_fPrivateSyms = 0; break;
case 'g': g_fGlobalSyms = 1; break;
case 'G': g_fGlobalSyms = 0; break;
case '?':
case 'H':
case 'h': return ShowSyntax(argv[0]);
case 'v': return ShowVersion();
default:
fprintf(stderr, "%s: syntax error: unknown option '-%c'.\n", argv[0], psz[-1]);
return 1;
}
}
else
{
/* Dump does it's own bitching if something goes wrong. */
int rc = DumpFile(psz);
if (rc && !rcRet)
rc = rcRet;
}
}
return rcRet;
}
int main(int argc, char* argv[])
{
try
{
std::cout << "HadesMem Dumper [" << HADESMEM_VERSION_STRING << "]\n";
TCLAP::CmdLine cmd("PE file format dumper", ' ', HADESMEM_VERSION_STRING);
TCLAP::ValueArg<DWORD> pid_arg(
"", "pid", "Target process id", false, 0, "DWORD");
TCLAP::ValueArg<std::string> name_arg(
"", "name", "Target process name", false, "", "string");
TCLAP::MultiArg<std::string> path_arg(
"", "path", "Target path (file or directory)", false, "string");
TCLAP::SwitchArg all_arg("", "all", "No target, dump everything");
std::vector<TCLAP::Arg*> xor_args{&pid_arg, &name_arg, &path_arg, &all_arg};
cmd.xorAdd(xor_args);
TCLAP::SwitchArg warned_arg(
"", "warned", "Dump list of files which cause warnings", cmd);
TCLAP::ValueArg<std::string> warned_file_arg(
"",
"warned-file",
"Dump warned list to file instead of stdout",
false,
"",
"string",
cmd);
TCLAP::SwitchArg warned_file_dynamic_arg(
"",
"warned-file-dynamic",
"Dump warnings to file on the fly rather than at the end",
cmd);
TCLAP::SwitchArg quiet_arg(
"", "quiet", "Only output status messages (no dumping)", cmd);
TCLAP::SwitchArg memonly_arg("", "memonly", "Only do PE memory dumps", cmd);
TCLAP::ValueArg<int> warned_type_arg("",
"warned-type",
"Filter warned file using warned type",
false,
-1,
"int",
cmd);
TCLAP::ValueArg<DWORD> threads_arg(
"", "threads", "Number of threads", false, 0, "size_t", cmd);
TCLAP::ValueArg<DWORD> queue_factor_arg(
"", "queue-factor", "Thread queue factor", false, 0, "size_t", cmd);
TCLAP::SwitchArg strings_arg("", "strings", "Dump strings", cmd);
cmd.parse(argc, argv);
g_quiet = quiet_arg.isSet();
g_strings = strings_arg.isSet();
SetWarningsEnabled(warned_arg.getValue());
SetDynamicWarningsEnabled(warned_file_dynamic_arg.getValue());
if (warned_file_arg.isSet())
{
SetWarnedFilePath(
hadesmem::detail::MultiByteToWideChar(warned_file_arg.getValue()));
}
if (GetDynamicWarningsEnabled() && GetWarnedFilePath().empty())
{
HADESMEM_DETAIL_THROW_EXCEPTION(
hadesmem::Error() << hadesmem::ErrorString(
"Please specify a file path for dynamic warnings."));
}
int const warned_type = warned_type_arg.getValue();
switch (warned_type)
{
case static_cast<int>(WarningType::kSuspicious):
SetWarnedType(WarningType::kSuspicious);
break;
case static_cast<int>(WarningType::kUnsupported):
SetWarnedType(WarningType::kUnsupported);
break;
case static_cast<int>(WarningType::kAll):
SetWarnedType(WarningType::kAll);
break;
default:
HADESMEM_DETAIL_THROW_EXCEPTION(
hadesmem::Error() << hadesmem::ErrorString("Unknown warned type."));
break;
}
try
{
hadesmem::GetSeDebugPrivilege();
std::wcout << "\nAcquired SeDebugPrivilege.\n";
}
catch (std::exception const& /*e*/)
{
std::wcout << "\nFailed to acquire SeDebugPrivilege.\n";
}
auto const threads = threads_arg.isSet() ? threads_arg.getValue() : 1;
auto const queue_factor =
queue_factor_arg.isSet() ? queue_factor_arg.getValue() : 1;
hadesmem::detail::ThreadPool thread_pool{threads, queue_factor};
if (pid_arg.isSet())
{
DWORD const pid = pid_arg.getValue();
hadesmem::ProcessList const processes;
auto iter =
std::find_if(std::begin(processes),
std::end(processes),
[pid](hadesmem::ProcessEntry const& process_entry)
{
return process_entry.GetId() == pid;
});
if (iter != std::end(processes))
{
DumpProcessEntry(*iter, memonly_arg.isSet());
}
else
{
HADESMEM_DETAIL_THROW_EXCEPTION(
hadesmem::Error()
<< hadesmem::ErrorString("Failed to find requested process."));
}
}
else if (name_arg.isSet())
{
auto const proc_name =
hadesmem::detail::MultiByteToWideChar(name_arg.getValue());
auto const proc_entry = hadesmem::GetProcessEntryByName(proc_name, false);
DumpProcessEntry(proc_entry, memonly_arg.isSet());
}
else if (path_arg.isSet())
{
// TODO: Use backup semantics flags and try to get backup privilege in
// order to make directory enumeration find more files.
auto const path_args = path_arg.getValue();
for (auto const& path : path_args)
{
auto const path_wide = hadesmem::detail::MultiByteToWideChar(path);
if (hadesmem::detail::IsDirectory(path_wide))
{
DumpDir(path_wide, thread_pool);
}
else
{
DumpFile(path_wide);
}
}
}
else
{
DumpThreads(static_cast<DWORD>(-1));
DumpProcesses(memonly_arg.isSet());
std::wcout << "\nFiles:\n";
// TODO: Enumerate all volumes.
std::wstring const self_path = hadesmem::detail::GetSelfPath();
std::wstring const root_path = hadesmem::detail::GetRootPath(self_path);
DumpDir(root_path, thread_pool);
}
thread_pool.WaitForEmpty();
if (GetWarningsEnabled())
{
if (!GetWarnedFilePath().empty() && !GetDynamicWarningsEnabled())
{
std::unique_ptr<std::wfstream> warned_file_ptr(
hadesmem::detail::OpenFile<wchar_t>(GetWarnedFilePath(),
std::ios::out));
std::wfstream& warned_file = *warned_file_ptr;
if (!warned_file)
{
HADESMEM_DETAIL_THROW_EXCEPTION(
hadesmem::Error()
<< hadesmem::ErrorString("Failed to open warned file for output."));
}
DumpWarned(warned_file);
}
else
{
DumpWarned(std::wcout);
}
}
return 0;
}
catch (...)
{
std::cerr << "\nError!\n"
<< boost::current_exception_diagnostic_information() << '\n';
return 1;
}
}
int main(int argc, char* argv[])
{
try
{
std::cout << "HadesMem Dumper [" << HADESMEM_VERSION_STRING << "]\n";
TCLAP::CmdLine cmd("PE file format dumper", ' ', HADESMEM_VERSION_STRING);
TCLAP::ValueArg<DWORD> pid_arg(
"", "pid", "Target process id", false, 0, "DWORD");
TCLAP::ValueArg<std::string> name_arg(
"", "name", "Target process name", false, "", "string");
TCLAP::ValueArg<std::string> path_arg(
"", "path", "Target path (file or directory)", false, "", "string");
TCLAP::SwitchArg all_arg("", "all", "No target, dump everything");
std::vector<TCLAP::Arg*> xor_args{&pid_arg, &name_arg, &path_arg, &all_arg};
cmd.xorAdd(xor_args);
TCLAP::SwitchArg warned_arg(
"", "warned", "Dump list of files which cause warnings", cmd);
TCLAP::ValueArg<std::string> warned_file_arg(
"",
"warned-file",
"Dump warned list to file instead of stdout",
false,
"",
"string",
cmd);
TCLAP::SwitchArg warned_file_dynamic_arg(
"",
"warned-file-dynamic",
"Dump warnings to file on the fly rather than at the end",
cmd);
TCLAP::ValueArg<int> warned_type_arg("",
"warned-type",
"Filter warned file using warned type",
false,
-1,
"int",
cmd);
cmd.parse(argc, argv);
SetWarningsEnabled(warned_arg.getValue());
SetDynamicWarningsEnabled(warned_file_dynamic_arg.getValue());
if (warned_file_arg.isSet())
{
SetWarnedFilePath(
hadesmem::detail::MultiByteToWideChar(warned_file_arg.getValue()));
}
if (GetDynamicWarningsEnabled() && GetWarnedFilePath().empty())
{
HADESMEM_DETAIL_THROW_EXCEPTION(
hadesmem::Error() << hadesmem::ErrorString(
"Please specify a file path for dynamic warnings."));
}
int const warned_type = warned_type_arg.getValue();
switch (warned_type)
{
case static_cast<int>(WarningType::kSuspicious):
SetWarnedType(WarningType::kSuspicious);
break;
case static_cast<int>(WarningType::kUnsupported):
SetWarnedType(WarningType::kUnsupported);
break;
case static_cast<int>(WarningType::kAll):
SetWarnedType(WarningType::kAll);
break;
default:
HADESMEM_DETAIL_THROW_EXCEPTION(
hadesmem::Error() << hadesmem::ErrorString("Unknown warned type."));
break;
}
try
{
hadesmem::GetSeDebugPrivilege();
std::wcout << "\nAcquired SeDebugPrivilege.\n";
}
catch (std::exception const& /*e*/)
{
std::wcout << "\nFailed to acquire SeDebugPrivilege.\n";
}
if (pid_arg.isSet())
{
DWORD const pid = pid_arg.getValue();
hadesmem::ProcessList const processes;
auto iter =
std::find_if(std::begin(processes),
std::end(processes),
[pid](hadesmem::ProcessEntry const& process_entry)
{
return process_entry.GetId() == pid;
});
if (iter != std::end(processes))
{
DumpProcessEntry(*iter);
}
else
{
HADESMEM_DETAIL_THROW_EXCEPTION(
hadesmem::Error()
<< hadesmem::ErrorString("Failed to find requested process."));
}
}
else if (name_arg.isSet())
{
auto const proc_name =
hadesmem::detail::MultiByteToWideChar(name_arg.getValue());
auto const proc_entry = hadesmem::GetProcessEntryByName(proc_name, false);
DumpProcessEntry(proc_entry);
}
else if (path_arg.isSet())
{
auto const path =
hadesmem::detail::MultiByteToWideChar(path_arg.getValue());
if (hadesmem::detail::IsDirectory(path))
{
DumpDir(path);
}
else
{
DumpFile(path);
}
}
else
{
DumpThreads(static_cast<DWORD>(-1));
DumpProcesses();
std::wcout << "\nFiles:\n";
std::wstring const self_path = hadesmem::detail::GetSelfPath();
std::wstring const root_path = hadesmem::detail::GetRootPath(self_path);
DumpDir(root_path);
}
if (GetWarningsEnabled())
{
if (!GetWarnedFilePath().empty() && !GetDynamicWarningsEnabled())
{
std::unique_ptr<std::wfstream> warned_file_ptr(
hadesmem::detail::OpenFile<wchar_t>(GetWarnedFilePath(),
std::ios::out));
std::wfstream& warned_file = *warned_file_ptr;
if (!warned_file)
{
HADESMEM_DETAIL_THROW_EXCEPTION(
hadesmem::Error()
<< hadesmem::ErrorString("Failed to open warned file for output."));
}
DumpWarned(warned_file);
}
else
{
DumpWarned(std::wcout);
}
}
return 0;
}
catch (...)
{
std::cerr << "\nError!\n"
<< boost::current_exception_diagnostic_information() << '\n';
if (!g_current_file_path.empty())
{
std::wcerr << "\nCurrent file: " << g_current_file_path << "\n";
}
return 1;
}
}
int main(int argc, char **argv)
{
char *lstname = NULL;
char *outlstname = NULL;
int i=0;
if(argc<2)
{
printf("usage: %s infile (optional: outfolder)\n",argv[0]);
return 0;
}
dat = fopen(argv[1],"rb");
if(!dat)
{
printf("Could not open %s\n",argv[1]);
return -1;
}
lstname = (char*)calloc(strlen(argv[1])+5,sizeof(char));
strcpy(lstname,argv[1]);
strcat(lstname,".lst");
lst = fopen(lstname,"rb");
if(!lst)
{
printf("Could not open %s\n",lstname);
return -1;
}
outlstname = (char*)calloc(strlen(argv[1])+5,sizeof(char));
strcpy(lstname,argv[1]);
strcat(lstname,".txt");
outlst = fopen(lstname,"w");
if(!outlst)
{
printf("Could not open %s\n",outlstname);
return -1;
}
fread(&fcount,1,4,lst);
fcount ^= 0x01010101;
if(argc==3)
{
mkdir(argv[2]);
chdir(argv[2]);
}
Entry = (ENTRY*)calloc(fcount+1,sizeof(ENTRY));
for(i=0; i<fcount; i++)
{
int x=0;
fread(&Entry[i],1,sizeof(ENTRY),lst);
Entry[i].size ^= 0x01010101;
Entry[i].offset ^= 0x01010101;
while(Entry[i].name[x]!='\0')
Entry[i].name[x++] ^= 0x01;
printf("[+] %-30s offset[%08x] size[%08x] type[%d]\n",Entry[i].name,Entry[i].offset,Entry[i].size,Entry[i].type);
DumpFile(Entry[i].name,Entry[i].offset,Entry[i].size,Entry[i].type);
}
return 0;
}
void _tmain(int argc, TCHAR *argv[])
{
int u = 0;
//
// display usage
//
if (argc != 3){
DisplayUsage();
return;
}
//
// Do validation on the user input to help avoid buffer overruns.
//
_try{
//
// argv[1] should be a null terminated string
// of exactly two characters in length (not including the NULL).
//
if ((_T('-') != argv[1][0]) || (_T('\0') == argv[1][1]) || (_T('\0') != argv[1][2])){
DisplayUsage();
return;
}
//
// argv[2] should have at least one non-NULL character before a NULL character.
//
if (_T('\0') == argv[2][0]){
DisplayUsage();
return;
}
//
// argv[2] should not be a string of more than MAX_PATH characters.
//
u = 0;
while (_T('\0') != argv[2][u]){
if (MAX_PATH == u){
DisplayUsage();
return;
}
u++;
}
}
_except(EXCEPTION_EXECUTE_HANDLER){
DisplayUsage();
return;
}
_tprintf(TEXT(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"));
_tprintf(TEXT(">> SECURITY INFORMATION >>\n"));
_tprintf(TEXT(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n\n"));
_tprintf(TEXT("object name ........ %s\n"), argv[2]);
_tprintf(TEXT("object type ........ "));
switch (argv[1][1])
{
case 'a':
_tprintf(TEXT("mailslot\n"));
DumpKernelObject(argv[2], argv[1][1]);
break;
case 'e':
_tprintf(TEXT("event\n"));
DumpKernelObject(argv[2], argv[1][1]);
break;
case 'f':
_tprintf(TEXT("file\n"));
DumpFile(argv[2], argv[1][1]);
break;
case 'd':
_tprintf(TEXT("directory\n"));
DumpFile(argv[2], argv[1][1]);
break;
case 'm':
_tprintf(TEXT("mutex\n"));
DumpKernelObject(argv[2], argv[1][1]);
break;
case 'r':
_tprintf(TEXT("registry\n"));
DumpRegistryKey(argv[2]);
break;
case 's':
_tprintf(TEXT("semaphore\n"));
DumpKernelObject(argv[2], argv[1][1]);
break;
case 'p':
_tprintf(TEXT("process\n"));
DumpKernelObject(argv[2], argv[1][1]);
break;
case 'i':
_tprintf(TEXT("memory mapped file\n"));
DumpKernelObject(argv[2], argv[1][1]);
break;
case 'v':
_tprintf(TEXT("service\n"));
DumpService(NULL, argv[2]);
break;
case 'w':
_tprintf(TEXT("window station\n"));
DumpUserObject(argv[2], argv[1][1]);
break;
case 'k':
_tprintf(TEXT("desktop\n"));
DumpUserObject(argv[2], argv[1][1]);
break;
case 'n':
_tprintf(TEXT("named pipe\n"));
DumpKernelObject(argv[2], argv[1][1]);
break;
case 'o':
_tprintf(TEXT("process access token\n"));
DumpKernelObject(argv[2], argv[1][1]);
break;
case 'l':
_tprintf(TEXT("printer\n"));
DumpPrinter(argv[2]);
break;
case 't':
_tprintf(TEXT("network share\n"));
DumpNetShare(argv[2]);
break;
default:
DisplayUsage();
}
}
