struct instr_vertex *instr_vertex_new(uint32_t theeip, const char *instr_string) { struct instr_vertex *iv = (struct instr_vertex *)malloc(sizeof(struct instr_vertex)); memset(iv, 0, sizeof(struct instr_vertex)); iv->eip = theeip; iv->instr_string = emu_string_new(); emu_string_append_format(iv->instr_string, "0x%08x %s\\l",iv->eip, instr_string); return iv; }
struct instr_vertex *instr_vertex_copy(struct instr_vertex *from) { struct instr_vertex *iv = (struct instr_vertex *)malloc(sizeof(struct instr_vertex)); memset(iv, 0, sizeof(struct instr_vertex)); iv->eip = from->eip; iv->instr_string = emu_string_new(); iv->dll = from->dll; iv->syscall = from->syscall; emu_string_append_char(iv->instr_string, from->instr_string->data); return iv; }
int32_t env_w32_hook__execv(struct emu_env *env, struct emu_env_hook *hook) { logDebug(env->emu, "Hook me Captain Cook!\n"); logDebug(env->emu, "%s:%i %s\n",__FILE__,__LINE__,__FUNCTION__); struct emu_cpu *c = emu_cpu_get(env->emu); uint32_t eip_save; POP_DWORD(c, &eip_save); /* intptr_t _execv( const char *cmdname, const char *const *argv ); intptr_t _wexecv( const wchar_t *cmdname, const wchar_t *const *argv ); */ uint32_t p_cmdname; POP_DWORD(c, &p_cmdname); struct emu_string *cmdname = emu_string_new(); emu_memory_read_string(c->mem, p_cmdname, cmdname, 512); uint32_t p_argv; POP_DWORD(c, &p_argv); if ( env->profile != NULL ) { emu_profile_function_add(env->profile, "_execv"); emu_profile_argument_add_ptr(env->profile, "const char *", "cmdname", p_cmdname); emu_profile_argument_add_string(env->profile, "", "", emu_string_char(cmdname)); emu_profile_argument_add_ptr(env->profile, "const char *const *", "argv", p_argv); emu_profile_argument_add_none(env->profile); emu_profile_function_returnvalue_int_set(env->profile, "int ", 0); } emu_string_free(cmdname); emu_cpu_eip_set(c, eip_save); return 0; }
int32_t __stdcall new_user_hook_LoadLibraryA(struct emu_env_w32 *win, struct emu_env_w32_dll_export *ex) { /* LoadLibraryA(LPCTSTR lpFileName); */ struct emu_string *dllstr = emu_string_new(); uint32_t eip_save; uint32_t dllname_ptr; POP_DWORD(cpu, &eip_save); POP_DWORD(cpu, &dllname_ptr); emu_memory_read_string(mem, dllname_ptr, dllstr, 256); char *dllname = emu_string_char(dllstr); printf("%x\tLoadLibraryA(%s) = 0x7800000\t\n", cpu->eip , dllname); printf("\t--> HOOK RAN OK returns to: %x\n", eip_save); cpu->reg[eax] = 0x7800000; emu_string_free(dllstr); emu_cpu_eip_set(cpu, eip_save); return 0; }
int32_t env_linux_hook_execve(struct emu_env *env, struct emu_env_hook *hook) { printf("execve\n"); struct emu_cpu *c = emu_cpu_get(env->emu); struct emu_string *name = emu_string_new(); emu_memory_read_string(emu_memory_get(c->emu), c->reg[ebx], name, 255); if ( env->profile != NULL ) { emu_profile_function_add(env->profile, "execve"); emu_profile_argument_add_ptr(env->profile, "const char *", "dateiname", c->reg[ebx]); emu_profile_argument_add_string(env->profile, "", "", emu_string_char(name)); // emu_profile_argument_add_ptr(env->profile, "", "", c->reg[ecx]); emu_profile_argument_array_start(env->profile, "const char *", "argv[]"); } uint32_t p_array = c->reg[ecx]; uint32_t p_arg = -1; emu_memory_read_dword(emu_memory_get(c->emu), p_array, &p_arg); int i=1; // char **argv = NULL; while (p_arg != 0) { // argv = realloc(argv, (i+1) * sizeof(char *)); // argv[i] = NULL; struct emu_string *arg = emu_string_new(); emu_memory_read_string(emu_memory_get(c->emu), p_arg, arg, 128); // argv[i-1] = strdup(emu_string_char(arg)); if( emu_string_char(arg) == NULL ) { emu_string_free(arg); break; } if ( env->profile != NULL ) { emu_profile_argument_add_ptr(env->profile, "", "", p_array+((i-1)*4)); emu_profile_argument_add_ptr(env->profile, "", "", p_arg); emu_profile_argument_add_string(env->profile, "", "", emu_string_char(arg)); } emu_string_free(arg); emu_memory_read_dword(emu_memory_get(c->emu), p_array+(i*4), &p_arg); i++; } if ( env->profile != NULL ) { emu_profile_argument_add_ptr(env->profile, "", "", p_arg); emu_profile_argument_add_none(env->profile); // printf("arg is %s\n", emu_string_char(arg)); emu_profile_argument_array_end(env->profile); emu_profile_argument_add_ptr(env->profile, "const char *", "envp[]", c->reg[edx]); emu_profile_argument_add_none(env->profile); emu_profile_function_returnvalue_int_set(env->profile, "int", 0); } printf("int execve (const char *dateiname=%08x={%s}, const char * argv[], const char *envp[]);\n", c->reg[ebx], emu_string_char(name)); emu_string_free(name); return 0; }
int graph_draw(struct emu_graph *graph) { struct emu_vertex *ev; struct instr_vertex *iv; FILE *f = fopen(opts.graphfile,"w+"); struct emu_graph *sgraph = emu_graph_new(); struct emu_hashtable *ht = emu_hashtable_new(2047, emu_hashtable_ptr_hash, emu_hashtable_ptr_cmp); struct emu_vertex *nev; struct instr_vertex *niv=NULL; printf("copying vertexes\n"); for ( ev = emu_vertexes_first(graph->vertexes); !emu_vertexes_attail(ev); ev = emu_vertexes_next(ev) ) { iv = (struct instr_vertex *)ev->data; nev = emu_vertex_new(); emu_graph_vertex_add(sgraph, nev); niv = instr_vertex_copy(iv); nev->data = niv; emu_hashtable_insert(ht, (void *)iv, nev); ev->color = white; } printf("optimizing graph\n"); for ( ev = emu_vertexes_first(graph->vertexes); !emu_vertexes_attail(ev); ev = emu_vertexes_next(ev) ) { // ignore known if ( ev->color == black ) continue; printf("vertex %p\n", (void *)ev); // find the first in a chain iv = (struct instr_vertex *)ev->data; while ( emu_edges_length(ev->backedges) == 1 && emu_edges_length(ev->edges) <= 1 && ev->color == white && iv->dll == NULL && iv->syscall == NULL ) { ev->color = grey; struct emu_vertex *xev = emu_edges_first(ev->backedges)->destination; iv = (struct instr_vertex *)xev->data; if ( emu_edges_length(xev->backedges) > 1 || emu_edges_length(xev->edges) > 1 || iv->dll != NULL || iv->syscall != NULL ) break; ev = xev; printf(" -> vertex %p\n",(void *)ev); } iv = (struct instr_vertex *)ev->data; // create the new vertex nev = (struct emu_vertex *)emu_hashtable_search(ht, (void *)iv)->value; niv = (struct instr_vertex *)nev->data; iv = (struct instr_vertex *)ev->data; printf("going forwards from %p\n", (void *)ev); while ( emu_edges_length(ev->edges) == 1 && emu_edges_length(ev->backedges) <= 1 && ev->color != black && iv->dll == NULL && iv->syscall == NULL ) { ev->color = black; struct emu_vertex *xev = emu_edges_first(ev->edges)->destination; iv = (struct instr_vertex *)xev->data; if ( emu_edges_length(xev->backedges) > 1 || emu_edges_length(xev->edges) > 1 || iv->dll != NULL || iv->syscall != NULL ) break; ev = xev; iv = (struct instr_vertex *)ev->data; emu_string_append_char(niv->instr_string, emu_string_char(iv->instr_string)); printf(" -> vertex %p\n",(void *)ev); } ev->color = black; printf("copying edges for %p\n",(void *)ev); struct emu_edge *ee; for ( ee = emu_edges_first(ev->edges); !emu_edges_attail(ee); ee = emu_edges_next(ee) ) { struct instr_vertex *ivto = emu_vertex_data_get(ee->destination); struct emu_hashtable_item *ehi = emu_hashtable_search(ht, (void *)ivto); struct emu_vertex *to = (struct emu_vertex *)ehi->value; if ( 1 )// nev != to )//&& to->color != black ) { struct emu_edge *nee = emu_vertex_edge_add(nev, to); nee->count = ee->count; nee->data = ee->data; printf(" -> %p\n", (void *)to); } } } graph->vertex_destructor = instr_vertex_destructor; // emu_graph_free(graph); graph = sgraph; emu_hashtable_free(ht); fprintf(f, "digraph G {\n\t//rankdir=LR\n\tnode [fontname=Courier, labeljust=r];\n"); #if 0 int numdlls=0; while ( env->loaded_dlls[numdlls] != NULL ) { int has_dll = 0; struct emu_string *fs = emu_string_new(); emu_string_append_format(fs, "\t subgraph cluster%i {\n\t\t node [shape=box, style=filled, color=\".7 .3 1.0\"];\n\t\tstyle=filled;\n\t\tcolor=lightgrey;\n\t\tlabel=\"%s\"\n\t\t", numdlls, env->loaded_dlls[numdlls]->dllname); for ( ev = emu_vertexes_first(graph->vertexes); !emu_vertexes_attail(ev); ev = emu_vertexes_next(ev) ) { struct instr_vertex *iv = emu_vertex_data_get(ev); if ( iv->dll == env->loaded_dlls[numdlls] ) { emu_string_append_format(fs, "\t\%i [label = \"%s\"];\n", iv->eip, emu_string_char(iv->instr_string)); has_dll = 1; } } emu_string_append_char(fs, "\t}\n"); fprintf(f, "%s", emu_string_char(fs)); numdlls++; }
int32_t env_w32_hook_fopen(struct emu_env *env, struct emu_env_hook *hook) { logDebug(env->emu, "Hook me Captain Cook!\n"); logDebug(env->emu, "%s:%i %s\n",__FILE__,__LINE__,__FUNCTION__); struct emu_cpu *c = emu_cpu_get(env->emu); uint32_t eip_save; POP_DWORD(c, &eip_save); /* FILE *fopen( const char *filename, const char *mode ); FILE *_wfopen( const wchar_t *filename, const wchar_t *mode ); */ uint32_t p_filename; MEM_DWORD_READ(c, c->reg[esp], &p_filename); struct emu_string *filename = emu_string_new(); emu_memory_read_string(c->mem, p_filename, filename, 512); uint32_t p_mode; MEM_DWORD_READ(c, c->reg[esp]+4, &p_mode); struct emu_string *mode = emu_string_new(); emu_memory_read_string(c->mem, p_mode, mode, 512); // printf("fopen(%s, %s)\n", emu_string_char(filename), (char *)mode->data); uint32_t returnvalue; if ( hook->hook.win->userhook != NULL ) { returnvalue = hook->hook.win->userhook(env, hook, emu_string_char(filename), emu_string_char(mode)); }else { returnvalue = 0x89898989; } emu_cpu_reg32_set(c, eax, returnvalue); if (env->profile != NULL) { emu_profile_function_add(env->profile, "fopen"); emu_profile_argument_add_ptr(env->profile, "const char *", "filename", p_filename); emu_profile_argument_add_string(env->profile, "", "", emu_string_char(filename)); emu_profile_argument_add_ptr(env->profile, "const char *", "mode", p_mode); emu_profile_argument_add_string(env->profile, "", "", emu_string_char(mode)); emu_profile_function_returnvalue_ptr_set(env->profile, "FILE *", returnvalue); emu_profile_argument_add_none(env->profile); } emu_string_free(filename); emu_string_free(mode); emu_cpu_eip_set(c, eip_save); return 0; }