Multiple function implementations #227
Conversation
wcsstr towlower tolower strstr
…d leading to memory access errors
[in] NTSTATUS ExitStatus | ||
); | ||
''' | ||
#Copied from TerminateProcess |
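Review bot: duplicating the TerminateProcess body under `#Copied from TerminateProcess` leaves two copies of the same logic to keep in sync; have ZwTerminateProcess delegate to the existing TerminateProcess handler (or move the shared part into one helper) instead of pasting it, and put a space after the `#` to match the surrounding comment style.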
#Copied from TerminateProcess | |
# Copied from TerminateProcess |
oProc = emu.get_object_from_id(cid_obj.UniqueProcess) | ||
hProc = emu.get_object_handle(oProc) | ||
if hProc: | ||
emu.mem_write(hnd,(hProc).to_bytes(4, "little")) |
emu.mem_write(hnd,(hProc).to_bytes(4, "little")) | |
emu.mem_write(hnd, (hProc).to_bytes(4, "little")) |
emu.mem_write(hnd,(hProc).to_bytes(4, "little")) | ||
rv = ddk.STATUS_SUCCESS | ||
else: | ||
emu.mem_write(hnd,(0).to_bytes(4, "little")) |
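Review bot: the handle is written with a fixed width at both `emu.mem_write(hnd,(hProc).to_bytes(4, "little"))` and `emu.mem_write(hnd,(0).to_bytes(4, "little"))`; the PHANDLE out-parameter is pointer-sized, so on a 64-bit target a 4-byte write leaves the upper half of the caller's HANDLE untouched. Take the width from the emulator's pointer size rather than the literal 4. Also, `oProc = emu.get_object_from_id(cid_obj.UniqueProcess)` is passed straight to `emu.get_object_handle(oProc)` with no check; if the client id does not resolve to a process, `oProc` is empty and the handle lookup will not behave as intended. Check `oProc` first and return a failure status (such as STATUS_INVALID_CID) in that case, so the `else` branch is reached cleanly.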
emu.mem_write(hnd,(0).to_bytes(4, "little")) | |
emu.mem_write(hnd, (0).to_bytes(4, "little")) |
const wchar_t *strSearch | ||
); | ||
""" | ||
#Copied from msvcrt |
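Review bot: `#Copied from msvcrt` needs the same spacing fix as the other inline suggestions (`# Copied from msvcrt`), and a verbatim copy of the msvcrt implementation will drift from the original as soon as either is fixed; exporting the existing msvcrt handler (or a shared helper) from the ntdll module would keep one implementation for both DLLs.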
rather than copying the implementation, could we reuse the one in msvcrt somehow?
[in, out] SHELLEXECUTEINFOW *pExecInfo | ||
); | ||
''' | ||
#Based on ShellExecute |
#Based on ShellExecute | |
# Based on ShellExecute |
print(op) | ||
p_fn = int.from_bytes(self.mem_read(pExecInfo + 0x10, 4), "little") | ||
if p_fn: | ||
fn = self.read_mem_string(p_fn, cw) | ||
print(fn) | ||
p_param = int.from_bytes(self.mem_read(pExecInfo + 0x14, 4),"little") | ||
if p_param: | ||
param = self.read_mem_string(p_param, cw) | ||
print(param) | ||
p_dn = int.from_bytes(self.mem_read(pExecInfo + 0x18,4), "little") | ||
if p_dn: | ||
dn = self.read_mem_string(p_dn, cw) | ||
print(dn) |
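Review bot: the reads at `pExecInfo + 0x10`, `pExecInfo + 0x14` and `pExecInfo + 0x18` with a fixed 4-byte width hard-code the 32-bit layout of SHELLEXECUTEINFOW (lpFile, lpParameters, lpDirectory); on a 64-bit target these members are 8 bytes wide and sit at different offsets, so the handler would read the wrong fields. Define the structure once with pointer-sized members and read the fields through it instead of hand-computed offsets. The `print(op)`, `print(fn)`, `print(param)` and `print(dn)` calls read as debugging output; either drop them or route them through the emulator's logger so they do not end up on stdout during normal emulation.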
are these old debugging statements?
proc = emu.create_process(path=fn, cmdline=param) | ||
self.log_process_event(proc, PROC_CREATE) | ||
|
||
return 33 |
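Review bot: `fn` and `param` are only assigned inside the `if p_fn:` and `if p_param:` branches above, so `emu.create_process(path=fn, cmdline=param)` raises NameError whenever lpFile or lpParameters is NULL; initialise both before the field reads (or fail the call when lpFile is missing, since ShellExecuteEx cannot launch anything without it). On `return 33`: ShellExecuteExW returns a BOOL, so the success value should be TRUE (1); the "greater than 32" convention belongs to the legacy ShellExecute return and to the hInstApp member of the structure, which is where a 33 would be appropriate if the caller inspects it.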
what does this return value mean? maybe its left over from testing?
@williballenthin I would suggest closing the pull request and not merging anything yet. I will address your comments and fix some additional bugs I have found, and then I will reopen. I am actually working on a couple of malware samples and trying to implement the functions to be as real as possible. I don't want them to be just dummy ones. Thanks
I've converted the PR to a "draft" so that it's clear it's not ready yet. Feel free to keep working here (or close it if you'd prefer, no problem). Once it's ready, just comment and press the "Ready for review" button.
Has any progress been made on these definitions? Great work on them, by the way!
Implementations for:
ZwTerminateProcess
ZwOpenProcess
ZwDuplicateObject
ShellExecuteExW
copies of strstr, towlow, tolow, wstrstr from msvcrt to ntdll (since they are often called directly from ntdll)