admin/Etw-Syscall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

添加项目文件。

Browse Source
This commit is contained in:
琴心
2022-04-26 15:31:46 +08:00
parent 4f1d4343fe
commit a1b66995e4
134 changed files with 18302 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

154
Etw Syscall/libpeconv-master/tests/CMakeLists.txt Normal file
View File

@@ -0,0 +1,154 @@
cmake_minimum_required ( VERSION 2.8...3.21 )
project (tests)
set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /MT")
message (STATUS "parser_dir='${PECONV_DIR}'")
message (STATUS "parser_lib='${PECONV_LIB}'")
include_directories ( ${PECONV_DIR}/include )
set (srcs
main.cpp
test_loading.cpp
test_loading_imps.cpp
test_crackme_f4_3.cpp
test_hooking_imps.cpp
test_crackme_f4_6.cpp
test_load_ntdll.cpp
test_replacing_func.cpp
test_delayed_imps.cpp
test_imp_list.cpp
test_hooking_local.cpp
test_peb_lookup.cpp
test_imports_mix.cpp
test_found_base.cpp
test_fix_dotnet.cpp
test_format_detect.cpp
)
set (hdrs
test_loading.h
test_loading_imps.h
test_crackme_f4_3.h
test_hooking_imps.h
test_crackme_f4_6.h
test_load_ntdll.h
test_replacing_func.h
test_delayed_imps.h
test_imp_list.h
test_hooking_local.h
test_peb_lookup.h
test_imports_mix.h
test_found_base.h
test_fix_dotnet.h
test_format_detect.h
resource.h
shellcodes.h
shellc32.h
shellc64.h
)
set (rsrc
resource.rc
)
add_executable ( ${PROJECT_NAME} ${hdrs} ${srcs} ${rsrc} )
target_link_libraries ( ${PROJECT_NAME} ${PECONV_LIB} )
add_dependencies( ${PROJECT_NAME} libpeconv test_case1 test_case3 )
#add the application that will be used for tests:
add_subdirectory ( test_case1 )
add_subdirectory ( test_case3 )
add_subdirectory ( test_case4 )
add_subdirectory ( test_case5 )
#install
INSTALL( TARGETS ${PROJECT_NAME} DESTINATION ${CMAKE_INSTALL_PREFIX} COMPONENT ${PROJECT_NAME} )
enable_testing()
# 0) does the application run
add_test (TestRuns ${CMAKE_INSTALL_PREFIX}/tests)
# 1) compare relocations applied by the loader with relocations applied by Windows Loader
add_test (TestLoadSelf ${CMAKE_INSTALL_PREFIX}/tests 1)
set_tests_properties (TestLoadSelf PROPERTIES PASS_REGULAR_EXPRESSION "Test passed")
# 2) load the image of the current process from the disk and deploy it:
add_test (TestDeploySelf ${CMAKE_INSTALL_PREFIX}/tests 2)
set_tests_properties (TestDeploySelf PROPERTIES PASS_REGULAR_EXPRESSION "Test passed")
#only for 32bit:
if(CMAKE_SIZEOF_VOID_P EQUAL 4)
# 3) Deploys a brutforcer for FlareOn4 Crackme 3
add_test (TestCrackmeF4_3 ${CMAKE_INSTALL_PREFIX}/tests 3)
set_tests_properties (TestCrackmeF4_3 PROPERTIES PASS_REGULAR_EXPRESSION "Test passed")
endif()
# 4) load the image of the current process from the disk and deploy it. Imports are resolved by exports lookup (custom recolver).
add_test (TestDeploySelfExpResolver ${CMAKE_INSTALL_PREFIX}/tests 4)
set_tests_properties (TestDeploySelfExpResolver PROPERTIES PASS_REGULAR_EXPRESSION "Test passed")
set_tests_properties (TestDeploySelfExpResolver PROPERTIES FAIL_REGULAR_EXPRESSION "Loaded proc is not matching the default one!")
# 5) test hooking a test_case1 application
add_test (TestHookMessageBox ${CMAKE_INSTALL_PREFIX}/tests 5 ${CMAKE_INSTALL_PREFIX}/test_case1.exe )
set_tests_properties (TestHookMessageBox PROPERTIES PASS_REGULAR_EXPRESSION "Hooking test passed")
#only for 64bit:
if(CMAKE_SIZEOF_VOID_P EQUAL 8)
# 6) Solve FlareOn2017 Challenge6
add_test (TestCrackmeF4_6 ${CMAKE_INSTALL_PREFIX}/tests 6 ${CMAKE_INSTALL_PREFIX}/payload.dll )
set_tests_properties (TestCrackmeF4_6 PROPERTIES PASS_REGULAR_EXPRESSION "Test passed")
endif()
# 8) Test replacing and redirecting functions
if(CMAKE_SIZEOF_VOID_P EQUAL 8)
add_test (TestReplaceFunc64 ${CMAKE_INSTALL_PREFIX}/tests 8 ${CMAKE_INSTALL_PREFIX}/test_case3_64.exe )
set_tests_properties (TestReplaceFunc64 PROPERTIES PASS_REGULAR_EXPRESSION "Passed!")
set_tests_properties (TestReplaceFunc64 PROPERTIES FAIL_REGULAR_EXPRESSION "Failed")
else()
add_test (TestReplaceFunc32 tests 8 ${CMAKE_INSTALL_PREFIX}/test_case3_32.exe )
set_tests_properties (TestReplaceFunc32 PROPERTIES PASS_REGULAR_EXPRESSION "Passed!")
set_tests_properties (TestReplaceFunc32 PROPERTIES FAIL_REGULAR_EXPRESSION "Failed")
endif()
# 9) test replacing Delay-Load Imports
add_test (TestDelayedImps ${CMAKE_INSTALL_PREFIX}/tests 9 ${CMAKE_INSTALL_PREFIX}/test_case4.exe )
set_tests_properties (TestDelayedImps PROPERTIES PASS_REGULAR_EXPRESSION "Hooking test passed")
set_tests_properties (TestDelayedImps PROPERTIES FAIL_REGULAR_EXPRESSION "Failed")
# 11) test redirecting local functions (and undoing the redirection)
add_test (TestLocalRedirect tests 11 )
set_tests_properties (TestLocalRedirect PROPERTIES PASS_REGULAR_EXPRESSION "Test passed")
set_tests_properties (TestLocalRedirect PROPERTIES FAIL_REGULAR_EXPRESSION "Failed")
# 12) test PEB lookup
add_test (TestPEBLookup ${CMAKE_INSTALL_PREFIX}/tests 12 )
set_tests_properties (TestPEBLookup PROPERTIES PASS_REGULAR_EXPRESSION "Test passed")
set_tests_properties (TestPEBLookup PROPERTIES FAIL_REGULAR_EXPRESSION "Failed")
# 13) test mixed imports
add_test (TestMixImp ${CMAKE_INSTALL_PREFIX}/tests 13 ${CMAKE_INSTALL_PREFIX}/test_case5_exe.exe )
set_tests_properties (TestMixImp PROPERTIES PASS_REGULAR_EXPRESSION "Test Case 5 finished, checks: a0caa919")
set_tests_properties (TestMixImp PROPERTIES FAIL_REGULAR_EXPRESSION "Failed")
# 14) test finding base
add_test (TestFindBase ${CMAKE_INSTALL_PREFIX}/tests 14 ${CMAKE_INSTALL_PREFIX}/test_case5_exe.exe )
set_tests_properties (TestFindBase PROPERTIES PASS_REGULAR_EXPRESSION "Test passed")
set_tests_properties (TestFindBase PROPERTIES FAIL_REGULAR_EXPRESSION "Failed")
# 15) test finding jumps
add_test (TestFindJumpToDotNet ${CMAKE_INSTALL_PREFIX}/tests 15 )
set_tests_properties (TestFindJumpToDotNet PROPERTIES PASS_REGULAR_EXPRESSION "Test passed")
set_tests_properties (TestFindJumpToDotNet PROPERTIES FAIL_REGULAR_EXPRESSION "Failed")
# 16.1) test detect virtual/raw: 32
add_test (TestDetectMode32 tests 16 ${CMAKE_INSTALL_PREFIX}/test_case3_32.exe )
set_tests_properties (TestDetectMode32 PROPERTIES PASS_REGULAR_EXPRESSION "Test passed")
set_tests_properties (TestDetectMode32 PROPERTIES FAIL_REGULAR_EXPRESSION "Failed")
# 16.2) test detect virtual/raw: 64
add_test (TestDetectMode64 tests 16 ${CMAKE_INSTALL_PREFIX}/test_case3_64.exe )
set_tests_properties (TestDetectMode64 PROPERTIES PASS_REGULAR_EXPRESSION "Test passed")
set_tests_properties (TestDetectMode64 PROPERTIES FAIL_REGULAR_EXPRESSION "Failed")

BIN
Etw Syscall/libpeconv-master/tests/greek_to_me.bin Normal file
View File

Binary file not shown.

77
Etw Syscall/libpeconv-master/tests/main.cpp Normal file
View File

@@ -0,0 +1,77 @@
#include <stdio.h>
#include <windows.h>
#include "test_loading.h"
#include "test_loading_imps.h"
#include "test_crackme_f4_3.h"
#include "test_hooking_imps.h"
#include "test_crackme_f4_6.h"
#include "test_load_ntdll.h"
#include "test_replacing_func.h"
#include "test_delayed_imps.h"
#include "test_imp_list.h"
#include "test_hooking_local.h"
#include "test_peb_lookup.h"
#include "test_imports_mix.h"
#include "test_found_base.h"
#include "test_fix_dotnet.h"
#include "test_format_detect.h"
int make_test(int test_id, char *test_arg)
{
switch (test_id) {
case 1: return tests::load_self();
case 2: return tests::deploy_self();
case 3: return tests::brutforce_crackme_f4_3();
case 4:
{
peconv::export_based_resolver *exp_res = new peconv::export_based_resolver();
int res = tests::deploy_self_ex((peconv::t_function_resolver*)exp_res);
delete exp_res;
return res;
}
case 5: return tests::hook_testcase(test_arg);
case 6: return tests::decode_crackme_f4_6(test_arg);
case 7: return tests::test_ntdll(NULL); //manual test
case 8: return tests::replace_func_testcase(test_arg);
case 9: return tests::replace_delayed_imps(test_arg);
case 10: return tests::imp_list(test_arg); //manual test
case 11: return tests::hook_self_local();
case 12: return tests::check_modules();
case 13: return tests::imports_mix(test_arg);
case 14: return tests::load_and_check_base(test_arg);
case 15: return tests::check_finding_jumps();
case 16: return tests::check_pe_format(test_arg);
}
return -1;
}
void print_banner()
{
printf("---------------\n");
printf("TESTS DEPLOYED!\n");
printf("---------------\n");
}
int main(int argc, char *argv[])
{
print_banner();
if (argc < 2) {
printf("Supply the test id!\n");
return 0;
}
int test_id = atoi(argv[1]);
printf("Test ID: %d\n", test_id);
char *test_arg = NULL;
if (argc > 2) {
test_arg = argv[2];
}
int res = make_test(test_id, test_arg);
if (res == 0) {
printf("[+] Test passed!\n");
}
return res;
}

3
Etw Syscall/libpeconv-master/tests/resource.h Normal file
View File

@@ -0,0 +1,3 @@
// resource.h
#define CRACKME_F4_3_32 101

56
Etw Syscall/libpeconv-master/tests/resource.rc Normal file
View File

@@ -0,0 +1,56 @@
// resource.rc :
// Microsoft Visual C++ generated resource script.
//
#include "resource.h"
#define APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 2 resource.
//
#include "windows.h"
/////////////////////////////////////////////////////////////////////////////
#undef APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_PLK)
LANGUAGE LANG_ENGLISH, SUBLANG_DEFAULT
#ifdef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// TEXTINCLUDE
//
1 TEXTINCLUDE
BEGIN
"resource.h\0"
END
2 TEXTINCLUDE
BEGIN
"#include ""windows.h""\r\n"
"\0"
END
3 TEXTINCLUDE
BEGIN
"\r\n"
"\0"
END
#endif // APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// RCDATA
//
CRACKME_F4_3_32 RCDATA "greek_to_me.bin"
#endif
/////////////////////////////////////////////////////////////////////////////

94
Etw Syscall/libpeconv-master/tests/shellc32.h Normal file
View File

@@ -0,0 +1,94 @@
#pragma once
unsigned char messageBox32bit_sc[] = {
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x1C, 0xE8, 0x1C, 0x00, 0x00, 0x00, 0x6B,
0x00, 0x65, 0x00, 0x72, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x6C, 0x00, 0x33,
0x00, 0x32, 0x00, 0x2E, 0x00, 0x64, 0x00, 0x6C, 0x00, 0x6C, 0x00, 0x00,
0x00, 0x00, 0x00, 0xE8, 0x60, 0x02, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89,
0x45, 0xFC, 0x83, 0x7D, 0xFC, 0x00, 0x75, 0x0A, 0xB8, 0x01, 0x00, 0x00,
0x00, 0xE9, 0xEC, 0x00, 0x00, 0x00, 0xE8, 0x10, 0x00, 0x00, 0x00, 0x4C,
0x6F, 0x61, 0x64, 0x4C, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x41, 0x00,
0x00, 0x00, 0x00, 0x8B, 0x45, 0xFC, 0x50, 0xE8, 0xD2, 0x00, 0x00, 0x00,
0x83, 0xC4, 0x08, 0x89, 0x45, 0xF8, 0x83, 0x7D, 0xF8, 0x00, 0x75, 0x0A,
0xB8, 0x02, 0x00, 0x00, 0x00, 0xE9, 0xB8, 0x00, 0x00, 0x00, 0xE8, 0x10,
0x00, 0x00, 0x00, 0x47, 0x65, 0x74, 0x50, 0x72, 0x6F, 0x63, 0x41, 0x64,
0x64, 0x72, 0x65, 0x73, 0x73, 0x00, 0x00, 0x8B, 0x4D, 0xFC, 0x51, 0xE8,
0x9E, 0x00, 0x00, 0x00, 0x83, 0xC4, 0x08, 0x89, 0x45, 0xF4, 0x83, 0x7D,
0xF4, 0x00, 0x75, 0x0A, 0xB8, 0x03, 0x00, 0x00, 0x00, 0xE9, 0x84, 0x00,
0x00, 0x00, 0x8B, 0x55, 0xF8, 0x89, 0x55, 0xEC, 0x8B, 0x45, 0xF4, 0x89,
0x45, 0xE4, 0xE8, 0x0C, 0x00, 0x00, 0x00, 0x75, 0x73, 0x65, 0x72, 0x33,
0x32, 0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x00, 0xFF, 0x55, 0xEC, 0x89, 0x45,
0xE8, 0xE8, 0x0C, 0x00, 0x00, 0x00, 0x4D, 0x65, 0x73, 0x73, 0x61, 0x67,
0x65, 0x42, 0x6F, 0x78, 0x57, 0x00, 0x8B, 0x4D, 0xE8, 0x51, 0xFF, 0x55,
0xE4, 0x89, 0x45, 0xF0, 0x83, 0x7D, 0xF0, 0x00, 0x75, 0x07, 0xB8, 0x04,
0x00, 0x00, 0x00, 0xEB, 0x39, 0x6A, 0x00, 0xE8, 0x0C, 0x00, 0x00, 0x00,
0x44, 0x00, 0x65, 0x00, 0x6D, 0x00, 0x6F, 0x00, 0x21, 0x00, 0x00, 0x00,
0xE8, 0x1A, 0x00, 0x00, 0x00, 0x48, 0x00, 0x65, 0x00, 0x6C, 0x00, 0x6C,
0x00, 0x6F, 0x00, 0x20, 0x00, 0x57, 0x00, 0x6F, 0x00, 0x72, 0x00, 0x6C,
0x00, 0x64, 0x00, 0x21, 0x00, 0x00, 0x00, 0x6A, 0x00, 0xFF, 0x55, 0xF0,
0x33, 0xC0, 0x8B, 0xE5, 0x5D, 0xC3, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x3C,
0x8B, 0x45, 0x08, 0x89, 0x45, 0xEC, 0x8B, 0x4D, 0xEC, 0x0F, 0xB7, 0x11,
0x81, 0xFA, 0x4D, 0x5A, 0x00, 0x00, 0x74, 0x07, 0x33, 0xC0, 0xE9, 0x35,
0x01, 0x00, 0x00, 0x8B, 0x45, 0xEC, 0x8B, 0x4D, 0x08, 0x03, 0x48, 0x3C,
0x89, 0x4D, 0xE4, 0xBA, 0x08, 0x00, 0x00, 0x00, 0x6B, 0xC2, 0x00, 0x8B,
0x4D, 0xE4, 0x8D, 0x54, 0x01, 0x78, 0x89, 0x55, 0xE8, 0x8B, 0x45, 0xE8,
0x83, 0x38, 0x00, 0x75, 0x07, 0x33, 0xC0, 0xE9, 0x08, 0x01, 0x00, 0x00,
0x8B, 0x4D, 0xE8, 0x8B, 0x11, 0x89, 0x55, 0xE0, 0x8B, 0x45, 0xE0, 0x03,
0x45, 0x08, 0x89, 0x45, 0xF4, 0x8B, 0x4D, 0xF4, 0x8B, 0x51, 0x18, 0x89,
0x55, 0xDC, 0x8B, 0x45, 0xF4, 0x8B, 0x48, 0x1C, 0x89, 0x4D, 0xD0, 0x8B,
0x55, 0xF4, 0x8B, 0x42, 0x20, 0x89, 0x45, 0xD8, 0x8B, 0x4D, 0xF4, 0x8B,
0x51, 0x24, 0x89, 0x55, 0xD4, 0xC7, 0x45, 0xF8, 0x00, 0x00, 0x00, 0x00,
0xEB, 0x09, 0x8B, 0x45, 0xF8, 0x83, 0xC0, 0x01, 0x89, 0x45, 0xF8, 0x8B,
0x4D, 0xF8, 0x3B, 0x4D, 0xDC, 0x0F, 0x83, 0xB3, 0x00, 0x00, 0x00, 0x8B,
0x55, 0x08, 0x03, 0x55, 0xD8, 0x8B, 0x45, 0xF8, 0x8D, 0x0C, 0x82, 0x89,
0x4D, 0xC8, 0x8B, 0x55, 0x08, 0x03, 0x55, 0xD4, 0x8B, 0x45, 0xF8, 0x8D,
0x0C, 0x42, 0x89, 0x4D, 0xCC, 0x8B, 0x55, 0x08, 0x03, 0x55, 0xD0, 0x8B,
0x45, 0xCC, 0x0F, 0xB7, 0x08, 0x8D, 0x14, 0x8A, 0x89, 0x55, 0xC4, 0x8B,
0x45, 0xC8, 0x8B, 0x4D, 0x08, 0x03, 0x08, 0x89, 0x4D, 0xF0, 0xC7, 0x45,
0xFC, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00,
0xEB, 0x09, 0x8B, 0x55, 0xFC, 0x83, 0xC2, 0x01, 0x89, 0x55, 0xFC, 0x8B,
0x45, 0x0C, 0x03, 0x45, 0xFC, 0x0F, 0xBE, 0x08, 0x85, 0xC9, 0x74, 0x27,
0x8B, 0x55, 0xF0, 0x03, 0x55, 0xFC, 0x0F, 0xBE, 0x02, 0x85, 0xC0, 0x74,
0x1A, 0x8B, 0x4D, 0x0C, 0x03, 0x4D, 0xFC, 0x0F, 0xBE, 0x11, 0x8B, 0x45,
0xF0, 0x03, 0x45, 0xFC, 0x0F, 0xBE, 0x08, 0x3B, 0xD1, 0x74, 0x02, 0xEB,
0x02, 0xEB, 0xC3, 0x8B, 0x55, 0x0C, 0x03, 0x55, 0xFC, 0x0F, 0xBE, 0x02,
0x85, 0xC0, 0x75, 0x19, 0x8B, 0x4D, 0xF0, 0x03, 0x4D, 0xFC, 0x0F, 0xBE,
0x11, 0x85, 0xD2, 0x75, 0x0C, 0x8B, 0x45, 0xC4, 0x8B, 0x4D, 0x08, 0x03,
0x08, 0x8B, 0xC1, 0xEB, 0x07, 0xE9, 0x38, 0xFF, 0xFF, 0xFF, 0x33, 0xC0,
0x8B, 0xE5, 0x5D, 0xC3, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x34, 0xC7, 0x45,
0xE4, 0x00, 0x00, 0x00, 0x00, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x89,
0x45, 0xE4, 0x8B, 0x4D, 0xE4, 0x8B, 0x51, 0x0C, 0x89, 0x55, 0xD8, 0x8B,
0x45, 0xD8, 0x8B, 0x48, 0x0C, 0x8B, 0x50, 0x10, 0x89, 0x4D, 0xCC, 0x89,
0x55, 0xD0, 0x8B, 0x45, 0xCC, 0x89, 0x45, 0xD4, 0x8B, 0x4D, 0xD4, 0x89,
0x4D, 0xE8, 0x83, 0x7D, 0xE8, 0x00, 0x0F, 0x84, 0x5A, 0x01, 0x00, 0x00,
0x8B, 0x55, 0xE8, 0x83, 0x7A, 0x18, 0x00, 0x0F, 0x84, 0x4D, 0x01, 0x00,
0x00, 0x8B, 0x45, 0xE8, 0x83, 0x78, 0x30, 0x00, 0x75, 0x02, 0xEB, 0xDE,
0x8B, 0x4D, 0xE8, 0x8B, 0x51, 0x30, 0x89, 0x55, 0xEC, 0xC7, 0x45, 0xF0,
0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xF0, 0x00, 0x00, 0x00, 0x00, 0xEB,
0x09, 0x8B, 0x45, 0xF0, 0x83, 0xC0, 0x01, 0x89, 0x45, 0xF0, 0x8B, 0x4D,
0xF0, 0x8B, 0x55, 0x08, 0x0F, 0xB7, 0x04, 0x4A, 0x85, 0xC0, 0x0F, 0x84,
0xDD, 0x00, 0x00, 0x00, 0x8B, 0x4D, 0xF0, 0x8B, 0x55, 0xEC, 0x0F, 0xB7,
0x04, 0x4A, 0x85, 0xC0, 0x0F, 0x84, 0xCB, 0x00, 0x00, 0x00, 0x8B, 0x4D,
0xF0, 0x8B, 0x55, 0x08, 0x0F, 0xB7, 0x04, 0x4A, 0x83, 0xF8, 0x5A, 0x7F,
0x37, 0x8B, 0x4D, 0xF0, 0x8B, 0x55, 0x08, 0x0F, 0xB7, 0x04, 0x4A, 0x83,
0xF8, 0x41, 0x7C, 0x28, 0x8B, 0x4D, 0xF0, 0x8B, 0x55, 0x08, 0x0F, 0xB7,
0x04, 0x4A, 0x83, 0xC0, 0x20, 0x89, 0x45, 0xE0, 0x8B, 0x4D, 0xF0, 0x8B,
0x55, 0x08, 0x66, 0x8B, 0x45, 0xE0, 0x66, 0x89, 0x04, 0x4A, 0x66, 0x8B,
0x4D, 0xE0, 0x66, 0x89, 0x4D, 0xFE, 0xEB, 0x0E, 0x8B, 0x55, 0xF0, 0x8B,
0x45, 0x08, 0x66, 0x8B, 0x0C, 0x50, 0x66, 0x89, 0x4D, 0xFE, 0x66, 0x8B,
0x55, 0xFE, 0x66, 0x89, 0x55, 0xF8, 0x8B, 0x45, 0xF0, 0x8B, 0x4D, 0xEC,
0x0F, 0xB7, 0x14, 0x41, 0x83, 0xFA, 0x5A, 0x7F, 0x37, 0x8B, 0x45, 0xF0,
0x8B, 0x4D, 0xEC, 0x0F, 0xB7, 0x14, 0x41, 0x83, 0xFA, 0x41, 0x7C, 0x28,
0x8B, 0x45, 0xF0, 0x8B, 0x4D, 0xEC, 0x0F, 0xB7, 0x14, 0x41, 0x83, 0xC2,
0x20, 0x89, 0x55, 0xDC, 0x8B, 0x45, 0xF0, 0x8B, 0x4D, 0xEC, 0x66, 0x8B,
0x55, 0xDC, 0x66, 0x89, 0x14, 0x41, 0x66, 0x8B, 0x45, 0xDC, 0x66, 0x89,
0x45, 0xFC, 0xEB, 0x0E, 0x8B, 0x4D, 0xF0, 0x8B, 0x55, 0xEC, 0x66, 0x8B,
0x04, 0x4A, 0x66, 0x89, 0x45, 0xFC, 0x66, 0x8B, 0x4D, 0xFC, 0x66, 0x89,
0x4D, 0xF4, 0x0F, 0xB7, 0x55, 0xF8, 0x0F, 0xB7, 0x45, 0xF4, 0x3B, 0xD0,
0x74, 0x02, 0xEB, 0x05, 0xE9, 0x08, 0xFF, 0xFF, 0xFF, 0x8B, 0x4D, 0xF0,
0x8B, 0x55, 0x08, 0x0F, 0xB7, 0x04, 0x4A, 0x85, 0xC0, 0x75, 0x16, 0x8B,
0x4D, 0xF0, 0x8B, 0x55, 0xEC, 0x0F, 0xB7, 0x04, 0x4A, 0x85, 0xC0, 0x75,
0x08, 0x8B, 0x4D, 0xE8, 0x8B, 0x41, 0x18, 0xEB, 0x0F, 0x8B, 0x55, 0xE8,
0x8B, 0x02, 0x89, 0x45, 0xE8, 0xE9, 0x9C, 0xFE, 0xFF, 0xFF, 0x33, 0xC0,
0x8B, 0xE5, 0x5D, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

132
Etw Syscall/libpeconv-master/tests/shellc64.h Normal file
View File

@@ -0,0 +1,132 @@
#pragma once
unsigned char messageBox64bit_sc[] = {
0x56, 0x48, 0x8B, 0xF4, 0x48, 0x83, 0xE4, 0xF0, 0x48, 0x83, 0xEC, 0x20,
0xE8, 0x05, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xE6, 0x5E, 0xC3, 0x48, 0x83,
0xEC, 0x68, 0xE8, 0x20, 0x00, 0x00, 0x00, 0x6B, 0x00, 0x65, 0x00, 0x72,
0x00, 0x6E, 0x00, 0x65, 0x00, 0x6C, 0x00, 0x33, 0x00, 0x32, 0x00, 0x2E,
0x00, 0x64, 0x00, 0x6C, 0x00, 0x6C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x59, 0xE8, 0x6A, 0x03, 0x00, 0x00, 0x48, 0x89, 0x44,
0x24, 0x20, 0x48, 0x83, 0x7C, 0x24, 0x20, 0x00, 0x75, 0x0A, 0xB8, 0x01,
0x00, 0x00, 0x00, 0xE9, 0x16, 0x01, 0x00, 0x00, 0xE8, 0x10, 0x00, 0x00,
0x00, 0x4C, 0x6F, 0x61, 0x64, 0x4C, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79,
0x41, 0x00, 0x00, 0x00, 0x00, 0x5A, 0x48, 0x8B, 0x4C, 0x24, 0x20, 0xE8,
0xFB, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0x83, 0x7C,
0x24, 0x28, 0x00, 0x75, 0x0A, 0xB8, 0x02, 0x00, 0x00, 0x00, 0xE9, 0xDF,
0x00, 0x00, 0x00, 0xE8, 0x10, 0x00, 0x00, 0x00, 0x47, 0x65, 0x74, 0x50,
0x72, 0x6F, 0x63, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x00, 0x00,
0x5A, 0x48, 0x8B, 0x4C, 0x24, 0x20, 0xE8, 0xC4, 0x00, 0x00, 0x00, 0x48,
0x89, 0x44, 0x24, 0x30, 0x48, 0x83, 0x7C, 0x24, 0x30, 0x00, 0x75, 0x0A,
0xB8, 0x03, 0x00, 0x00, 0x00, 0xE9, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B,
0x44, 0x24, 0x28, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 0x8B, 0x44, 0x24,
0x30, 0x48, 0x89, 0x44, 0x24, 0x50, 0xE8, 0x10, 0x00, 0x00, 0x00, 0x75,
0x73, 0x65, 0x72, 0x33, 0x32, 0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x59, 0xFF, 0x54, 0x24, 0x40, 0x48, 0x89, 0x44, 0x24,
0x48, 0xE8, 0x10, 0x00, 0x00, 0x00, 0x4D, 0x65, 0x73, 0x73, 0x61, 0x67,
0x65, 0x42, 0x6F, 0x78, 0x57, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5A, 0x48,
0x8B, 0x4C, 0x24, 0x48, 0xFF, 0x54, 0x24, 0x50, 0x48, 0x89, 0x44, 0x24,
0x38, 0x48, 0x83, 0x7C, 0x24, 0x38, 0x00, 0x75, 0x07, 0xB8, 0x04, 0x00,
0x00, 0x00, 0xEB, 0x42, 0x45, 0x33, 0xC9, 0xE8, 0x10, 0x00, 0x00, 0x00,
0x44, 0x00, 0x65, 0x00, 0x6D, 0x00, 0x6F, 0x00, 0x21, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x41, 0x58, 0xE8, 0x1A, 0x00, 0x00, 0x00, 0x48,
0x00, 0x65, 0x00, 0x6C, 0x00, 0x6C, 0x00, 0x6F, 0x00, 0x20, 0x00, 0x57,
0x00, 0x6F, 0x00, 0x72, 0x00, 0x6C, 0x00, 0x64, 0x00, 0x21, 0x00, 0x00,
0x00, 0x5A, 0x33, 0xC9, 0xFF, 0x54, 0x24, 0x38, 0x33, 0xC0, 0x48, 0x83,
0xC4, 0x68, 0xC3, 0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C, 0x24,
0x08, 0x48, 0x83, 0xEC, 0x78, 0x48, 0x8B, 0x84, 0x24, 0x80, 0x00, 0x00,
0x00, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x0F,
0xB7, 0x00, 0x3D, 0x4D, 0x5A, 0x00, 0x00, 0x74, 0x07, 0x33, 0xC0, 0xE9,
0x02, 0x02, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, 0x63, 0x40,
0x3C, 0x48, 0x8B, 0x8C, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8,
0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x40, 0xB8, 0x08, 0x00, 0x00,
0x00, 0x48, 0x6B, 0xC0, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x40, 0x48, 0x8D,
0x84, 0x01, 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48,
0x8B, 0x44, 0x24, 0x38, 0x83, 0x38, 0x00, 0x75, 0x07, 0x33, 0xC0, 0xE9,
0xBA, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x8B, 0x00, 0x89,
0x44, 0x24, 0x18, 0x8B, 0x44, 0x24, 0x18, 0x48, 0x03, 0x84, 0x24, 0x80,
0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x10, 0x48, 0x8B, 0x44, 0x24,
0x10, 0x8B, 0x40, 0x18, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44,
0x24, 0x10, 0x8B, 0x40, 0x1C, 0x89, 0x44, 0x24, 0x24, 0x48, 0x8B, 0x44,
0x24, 0x10, 0x8B, 0x40, 0x20, 0x89, 0x44, 0x24, 0x1C, 0x48, 0x8B, 0x44,
0x24, 0x10, 0x8B, 0x40, 0x24, 0x89, 0x44, 0x24, 0x20, 0x48, 0xC7, 0x44,
0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0D, 0x48, 0x8B, 0x44, 0x24,
0x08, 0x48, 0xFF, 0xC0, 0x48, 0x89, 0x44, 0x24, 0x08, 0x48, 0x8B, 0x44,
0x24, 0x48, 0x48, 0x39, 0x44, 0x24, 0x08, 0x0F, 0x83, 0x43, 0x01, 0x00,
0x00, 0x8B, 0x44, 0x24, 0x1C, 0x48, 0x8B, 0x8C, 0x24, 0x80, 0x00, 0x00,
0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x8B, 0x4C, 0x24, 0x08,
0x48, 0x8D, 0x04, 0x88, 0x48, 0x89, 0x44, 0x24, 0x58, 0x8B, 0x44, 0x24,
0x20, 0x48, 0x8B, 0x8C, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8,
0x48, 0x8B, 0xC1, 0x48, 0x8B, 0x4C, 0x24, 0x08, 0x48, 0x8D, 0x04, 0x48,
0x48, 0x89, 0x44, 0x24, 0x50, 0x8B, 0x44, 0x24, 0x24, 0x48, 0x8B, 0x8C,
0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48,
0x8B, 0x4C, 0x24, 0x50, 0x0F, 0xB7, 0x09, 0x48, 0x8D, 0x04, 0x88, 0x48,
0x89, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x00, 0x48,
0x8B, 0x8C, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B,
0xC1, 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0xC7, 0x04, 0x24, 0x00, 0x00,
0x00, 0x00, 0x48, 0xC7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0B,
0x48, 0x8B, 0x04, 0x24, 0x48, 0xFF, 0xC0, 0x48, 0x89, 0x04, 0x24, 0x48,
0x8B, 0x04, 0x24, 0x48, 0x8B, 0x8C, 0x24, 0x88, 0x00, 0x00, 0x00, 0x48,
0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x0F, 0xBE, 0x00, 0x85, 0xC0, 0x74, 0x45,
0x48, 0x8B, 0x04, 0x24, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8,
0x48, 0x8B, 0xC1, 0x0F, 0xBE, 0x00, 0x85, 0xC0, 0x74, 0x2F, 0x48, 0x8B,
0x04, 0x24, 0x48, 0x8B, 0x8C, 0x24, 0x88, 0x00, 0x00, 0x00, 0x48, 0x03,
0xC8, 0x48, 0x8B, 0xC1, 0x0F, 0xBE, 0x00, 0x48, 0x8B, 0x0C, 0x24, 0x48,
0x8B, 0x54, 0x24, 0x28, 0x48, 0x03, 0xD1, 0x48, 0x8B, 0xCA, 0x0F, 0xBE,
0x09, 0x3B, 0xC1, 0x74, 0x02, 0xEB, 0x02, 0xEB, 0x97, 0x48, 0x8B, 0x04,
0x24, 0x48, 0x8B, 0x8C, 0x24, 0x88, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8,
0x48, 0x8B, 0xC1, 0x0F, 0xBE, 0x00, 0x85, 0xC0, 0x75, 0x2D, 0x48, 0x8B,
0x04, 0x24, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B,
0xC1, 0x0F, 0xBE, 0x00, 0x85, 0xC0, 0x75, 0x17, 0x48, 0x8B, 0x44, 0x24,
0x60, 0x8B, 0x00, 0x48, 0x8B, 0x8C, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48,
0x03, 0xC8, 0x48, 0x8B, 0xC1, 0xEB, 0x07, 0xE9, 0xA0, 0xFE, 0xFF, 0xFF,
0x33, 0xC0, 0x48, 0x83, 0xC4, 0x78, 0xC3, 0x48, 0x89, 0x4C, 0x24, 0x08,
0x56, 0x57, 0x48, 0x83, 0xEC, 0x68, 0x48, 0xC7, 0x44, 0x24, 0x30, 0x00,
0x00, 0x00, 0x00, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00,
0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, 0x8B,
0x40, 0x18, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x8D, 0x44, 0x24, 0x48,
0x48, 0x8B, 0x4C, 0x24, 0x38, 0x48, 0x8B, 0xF8, 0x48, 0x8D, 0x71, 0x10,
0xB9, 0x10, 0x00, 0x00, 0x00, 0xF3, 0xA4, 0x48, 0x8B, 0x44, 0x24, 0x48,
0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x48, 0x89,
0x44, 0x24, 0x20, 0x48, 0x83, 0x7C, 0x24, 0x20, 0x00, 0x0F, 0x84, 0xC6,
0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x20, 0x48, 0x83, 0x78, 0x30,
0x00, 0x0F, 0x84, 0xB6, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x20,
0x48, 0x83, 0x78, 0x60, 0x00, 0x75, 0x02, 0xEB, 0xD6, 0x48, 0x8B, 0x44,
0x24, 0x20, 0x48, 0x8B, 0x40, 0x60, 0x48, 0x89, 0x44, 0x24, 0x18, 0x48,
0xC7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0x04, 0x24, 0x00,
0x00, 0x00, 0x00, 0xEB, 0x0B, 0x48, 0x8B, 0x04, 0x24, 0x48, 0xFF, 0xC0,
0x48, 0x89, 0x04, 0x24, 0x48, 0x8B, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00,
0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7, 0x04, 0x48, 0x85, 0xC0, 0x0F, 0x84,
0x23, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x18, 0x48, 0x8B, 0x0C,
0x24, 0x0F, 0xB7, 0x04, 0x48, 0x85, 0xC0, 0x0F, 0x84, 0x0E, 0x01, 0x00,
0x00, 0x48, 0x8B, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x0C,
0x24, 0x0F, 0xB7, 0x04, 0x48, 0x83, 0xF8, 0x5A, 0x7F, 0x50, 0x48, 0x8B,
0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7,
0x04, 0x48, 0x83, 0xF8, 0x41, 0x7C, 0x3B, 0x48, 0x8B, 0x84, 0x24, 0x80,
0x00, 0x00, 0x00, 0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7, 0x04, 0x48, 0x83,
0xE8, 0x41, 0x83, 0xC0, 0x61, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8B, 0x84,
0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7, 0x54,
0x24, 0x28, 0x66, 0x89, 0x14, 0x48, 0x0F, 0xB7, 0x44, 0x24, 0x28, 0x66,
0x89, 0x44, 0x24, 0x08, 0xEB, 0x15, 0x48, 0x8B, 0x84, 0x24, 0x80, 0x00,
0x00, 0x00, 0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7, 0x04, 0x48, 0x66, 0x89,
0x44, 0x24, 0x08, 0x0F, 0xB7, 0x44, 0x24, 0x08, 0x66, 0x89, 0x44, 0x24,
0x0C, 0x48, 0x8B, 0x44, 0x24, 0x18, 0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7,
0x04, 0x48, 0x83, 0xF8, 0x5A, 0x7F, 0x47, 0x48, 0x8B, 0x44, 0x24, 0x18,
0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7, 0x04, 0x48, 0x83, 0xF8, 0x41, 0x7C,
0x35, 0x48, 0x8B, 0x44, 0x24, 0x18, 0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7,
0x04, 0x48, 0x83, 0xE8, 0x41, 0x83, 0xC0, 0x61, 0x89, 0x44, 0x24, 0x2C,
0x48, 0x8B, 0x44, 0x24, 0x18, 0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7, 0x54,
0x24, 0x2C, 0x66, 0x89, 0x14, 0x48, 0x0F, 0xB7, 0x44, 0x24, 0x2C, 0x66,
0x89, 0x44, 0x24, 0x0A, 0xEB, 0x12, 0x48, 0x8B, 0x44, 0x24, 0x18, 0x48,
0x8B, 0x0C, 0x24, 0x0F, 0xB7, 0x04, 0x48, 0x66, 0x89, 0x44, 0x24, 0x0A,
0x0F, 0xB7, 0x44, 0x24, 0x0A, 0x66, 0x89, 0x44, 0x24, 0x10, 0x0F, 0xB7,
0x44, 0x24, 0x0C, 0x0F, 0xB7, 0x4C, 0x24, 0x10, 0x3B, 0xC1, 0x74, 0x02,
0xEB, 0x05, 0xE9, 0xBA, 0xFE, 0xFF, 0xFF, 0x48, 0x8B, 0x84, 0x24, 0x80,
0x00, 0x00, 0x00, 0x48, 0x8B, 0x0C, 0x24, 0x0F, 0xB7, 0x04, 0x48, 0x85,
0xC0, 0x75, 0x1C, 0x48, 0x8B, 0x44, 0x24, 0x18, 0x48, 0x8B, 0x0C, 0x24,
0x0F, 0xB7, 0x04, 0x48, 0x85, 0xC0, 0x75, 0x0B, 0x48, 0x8B, 0x44, 0x24,
0x20, 0x48, 0x8B, 0x40, 0x30, 0xEB, 0x14, 0x48, 0x8B, 0x44, 0x24, 0x20,
0x48, 0x8B, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20, 0xE9, 0x2E, 0xFE, 0xFF,
0xFF, 0x33, 0xC0, 0x48, 0x83, 0xC4, 0x68, 0x5F, 0x5E, 0xC3, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

4
Etw Syscall/libpeconv-master/tests/shellcodes.h Normal file
View File

@@ -0,0 +1,4 @@
#pragma once
#include "shellc32.h"
#include "shellc64.h"

16
Etw Syscall/libpeconv-master/tests/test_case1/CMakeLists.txt Normal file
View File

@@ -0,0 +1,16 @@
cmake_minimum_required ( VERSION 2.8...3.21 )
project (test_case1)
set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /MT")
set (srcs
main.cpp
)
set (hdrs
)
add_executable ( ${PROJECT_NAME} ${hdrs} ${srcs})
#install
INSTALL( TARGETS ${PROJECT_NAME} DESTINATION ${CMAKE_INSTALL_PREFIX} COMPONENT ${PROJECT_NAME} )

29
Etw Syscall/libpeconv-master/tests/test_case1/main.cpp Normal file
View File

@@ -0,0 +1,29 @@
#include <windows.h>
#include <stdio.h>
int popup_message1()
{
SYSTEMTIME SystemTime;
GetSystemTime(&SystemTime);
TCHAR pszDate[200];
GetDateFormatA( LOCALE_USER_DEFAULT, DATE_LONGDATE, &SystemTime, NULL, pszDate, 200 );
return MessageBoxA(NULL, pszDate, "Test Case 1", MB_OK);
}
int popup_message2()
{
return MessageBoxW(NULL, L"Checking wide strings", L"Test Case 1", MB_OK);
}
int main()
{
if (popup_message1() == 1337) {
if (popup_message2() == 1338) {
return MessageBoxW(NULL, L"Hooking test passed", L"Test Case 1", MB_OK);
}
}
printf("Test Case 1 finished\n");
return 0;
}

5
Etw Syscall/libpeconv-master/tests/test_case2/README.md Normal file
View File

@@ -0,0 +1,5 @@
# FlareOn2017 Challenge 6
### Writeup
+ [Solving Flare-On 2017, Challenge 6 with libPeConv](https://hshrzd.wordpress.com/2017/12/01/hook-the-planet-solving-flareon4-challenge6-with-libpeconv/)

BIN
Etw Syscall/libpeconv-master/tests/test_case2/payload.dll Normal file
View File

Binary file not shown.

18
Etw Syscall/libpeconv-master/tests/test_case3/CMakeLists.txt Normal file
View File

@@ -0,0 +1,18 @@
cmake_minimum_required ( VERSION 2.8...3.21 )
project (test_case3)
set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /MT")
set (srcs
main.cpp
checksum.cpp
)
set (hdrs
checksum.h
)
add_executable ( ${PROJECT_NAME} ${hdrs} ${srcs})
#install
INSTALL( TARGETS ${PROJECT_NAME} DESTINATION ${CMAKE_INSTALL_PREFIX} COMPONENT ${PROJECT_NAME} )

35
Etw Syscall/libpeconv-master/tests/test_case3/checksum.cpp Normal file
View File

@@ -0,0 +1,35 @@
#include "checksum.h"
inline DWORD rotl32a(DWORD x, DWORD n)
{
return (x << n) | (x >> (32 - n));
}
inline char to_lower(char c)
{
if (c >= 'A' && c <= 'Z') {
c = c - 'A' + 'a';
}
return c;
}
DWORD calc_checksum(BYTE *str, size_t buf_size, bool enable_tolower)
{
if (str == NULL) return 0;
DWORD checksum = 0;
for (size_t i = 0; i < buf_size; i++) {
checksum = rotl32a(checksum, 7);
char c = str[i];
if (enable_tolower) {
c = to_lower(c);
}
checksum ^= c;
}
return checksum;
}
DWORD calc_checksum(char *str, bool enable_tolower)
{
return calc_checksum((BYTE*)str, strlen(str), enable_tolower);
}

7
Etw Syscall/libpeconv-master/tests/test_case3/checksum.h Normal file
View File

@@ -0,0 +1,7 @@
#pragma once
#include <windows.h>
DWORD calc_checksum(char *str, bool enable_tolower);
DWORD calc_checksum(BYTE *str, size_t buf_size, bool enable_tolower);

46
Etw Syscall/libpeconv-master/tests/test_case3/main.cpp Normal file
View File

@@ -0,0 +1,46 @@
#include <windows.h>
#include <stdio.h>
#include <iostream>
#include "checksum.h"
bool get_rand_string(char *buffer, size_t buffer_size)
{
const char charset[] = "ABCDEFGHIJKLMNOPQRSTUWVXYZabcdefghijklmnopqrstuwvxyz1234567890";
size_t charset_len = strlen(charset);
srand(GetTickCount());
for (size_t i = 0; i < buffer_size - 1; i++) {
size_t c_indx = rand() % charset_len;
buffer[i] = charset[c_indx];
Sleep(1000);
}
buffer[buffer_size - 1] = '\0';
return true;
}
bool is_password_valid(char *str)
{
DWORD checksum = calc_checksum(str, true);
if (checksum == 0x1f561e6a) { //calc_checksum("my_demo_password", true);
return true;
}
return false;
}
int main()
{
char str[14] = { 0 };
get_rand_string(str, 12);
std::cout << str << std::endl;
if (is_password_valid(str)) {
MessageBoxA(NULL, "Passed!", "Test Case 3", MB_OK);
} else {
std::cout << "Failed!" << std::endl;
MessageBoxA(NULL, "Failed!", "Test Case 3", MB_OK);
}
return 0;
}

19
Etw Syscall/libpeconv-master/tests/test_case4/CMakeLists.txt Normal file
View File

@@ -0,0 +1,19 @@
cmake_minimum_required ( VERSION 2.8...3.21 )
project (test_case4)
set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /MT")
set(DELAYLOAD_FLAG "/DELAYLOAD:\"user32.dll\"" )
set (srcs
main.cpp
)
set (hdrs
)
add_executable ( ${PROJECT_NAME} ${hdrs} ${srcs} )
target_link_libraries(${PROJECT_NAME} "delayimp.lib" )
set_property(TARGET ${PROJECT_NAME} APPEND_STRING PROPERTY LINK_FLAGS " ${DELAYLOAD_FLAG}")
#install
INSTALL( TARGETS ${PROJECT_NAME} DESTINATION ${CMAKE_INSTALL_PREFIX} COMPONENT ${PROJECT_NAME} )

29
Etw Syscall/libpeconv-master/tests/test_case4/main.cpp Normal file
View File

@@ -0,0 +1,29 @@
#include <windows.h>
#include <stdio.h>
int popup_message1()
{
SYSTEMTIME SystemTime;
GetSystemTime(&SystemTime);
TCHAR pszDate[200];
GetDateFormatA( LOCALE_USER_DEFAULT, DATE_LONGDATE, &SystemTime, NULL, pszDate, 200 );
return MessageBoxA(NULL, pszDate, "Test Case 1", MB_OK);
}
int popup_message2()
{
return MessageBoxW(NULL, L"Checking wide strings", L"Test Case 1", MB_OK);
}
int main()
{
if (popup_message1() == 1337) {
if (popup_message2() == 1338) {
return MessageBoxW(NULL, L"Hooking test passed", L"Test Case 1", MB_OK);
}
}
printf("Test Case 4 finished\n");
return 0;
}

21
Etw Syscall/libpeconv-master/tests/test_case5/CMakeLists.txt Normal file
View File

@@ -0,0 +1,21 @@
cmake_minimum_required ( VERSION 2.8...3.21 )
project (test_case5_exe)
set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /MT")
set (srcs
main.cpp
)
set (hdrs
)
# libs
add_subdirectory (test_case5_dll)
include_directories ( test_case5_dll/include )
add_executable ( ${PROJECT_NAME} ${hdrs} ${srcs} )
target_link_libraries(${PROJECT_NAME} "test_case5_dll" )
#install
INSTALL( TARGETS ${PROJECT_NAME} DESTINATION ${CMAKE_INSTALL_PREFIX} COMPONENT ${PROJECT_NAME} )

16
Etw Syscall/libpeconv-master/tests/test_case5/main.cpp Normal file
View File

@@ -0,0 +1,16 @@
#include <Windows.h>
#include <iostream>
#include "api.h"
int main()
{
std::cout << "Test Case 5 started..." << std::endl;
DWORD checks = test_checksum1();
checks += test_checksum2();
checks += test_checksum3();
checks += test_checksum4();
checks += test_checksum5();
std::cout << "Test Case 5 finished, checks: " << std::hex << checks << std::endl;
return checks;
}

18
Etw Syscall/libpeconv-master/tests/test_case5/test_case5_dll/CMakeLists.txt Normal file
View File

@@ -0,0 +1,18 @@
cmake_minimum_required ( VERSION 2.8...3.21 )
project (test_case5_dll)
set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /MT")
include_directories ( include )
set (srcs
main.cpp
)
set (dll_hdrs
include/api.h
)
add_library ( ${PROJECT_NAME} SHARED ${dll_hdrs} ${srcs} main.def)
#install
INSTALL( TARGETS ${PROJECT_NAME} DESTINATION ${CMAKE_INSTALL_PREFIX} COMPONENT ${PROJECT_NAME} )

13
Etw Syscall/libpeconv-master/tests/test_case5/test_case5_dll/include/api.h Normal file
View File

@@ -0,0 +1,13 @@
#pragma once
#ifdef DLL_EXPORTS
#define DLL_API __declspec(dllexport) __stdcall
#else
#define DLL_API __declspec(dllimport) __stdcall
#endif
int DLL_API test_checksum1();
int DLL_API test_checksum2();
int DLL_API test_checksum3();
int DLL_API test_checksum4();
int DLL_API test_checksum5();

109
Etw Syscall/libpeconv-master/tests/test_case5/test_case5_dll/main.cpp Normal file
View File

@@ -0,0 +1,109 @@
#include <Windows.h>
#include <iostream>
#define DLL_EXPORTS
#include "api.h"
//#define SHOW_MSGBOX
inline DWORD rotl32a(DWORD x, DWORD n)
{
return (x << n) | (x >> (32 - n));
}
inline char to_lower(char c)
{
if (c >= 'A' && c <= 'Z') {
c = c - 'A' + 'a';
}
return c;
}
DWORD calc_checksum(BYTE *str, size_t buf_size, bool enable_tolower)
{
if (str == NULL) return 0;
DWORD checksum = 0;
for (size_t i = 0; i < buf_size; i++) {
checksum = rotl32a(checksum, 7);
char c = str[i];
if (enable_tolower) {
c = to_lower(c);
}
checksum ^= c;
}
return checksum;
}
int DLL_API test_checksum1()
{
char test1[] = "this is a test!";
DWORD checks = calc_checksum((BYTE*)test1, strlen(test1), true);
std::cout << "Checks 1: " << std::hex << checks << std::endl;
return checks;
}
int DLL_API test_checksum2()
{
wchar_t teststr[] = L"Checking wide strings";
DWORD checks = calc_checksum((BYTE*)teststr, sizeof(teststr), true);
#ifdef SHOW_MSGBOX
MessageBoxW(NULL, teststr, L"Test Case 5", MB_OK);
#endif
std::cout << "Checks 2: " << std::hex << checks << std::endl;
return checks;
}
int DLL_API test_checksum4()
{
wchar_t teststr[] = L"Test checksum 4";
DWORD checks = calc_checksum((BYTE*)teststr, sizeof(teststr), true);
#ifdef SHOW_MSGBOX
MessageBoxW(NULL, teststr, L"Test Case 5", MB_OK);
#endif
std::cout << "Checks 4: " << std::hex << checks << std::endl;
return checks;
}
int DLL_API test_checksum5()
{
wchar_t teststr[] = L"Yet another checksum test: 5";
DWORD checks = calc_checksum((BYTE*)teststr, sizeof(teststr), true);
#ifdef SHOW_MSGBOX
MessageBoxW(NULL, teststr, L"Test Case 5", MB_OK);
#endif
std::cout << "Checks 5: " << std::hex << checks << std::endl;
return checks;
}
int DLL_API test_checksum3()
{
SYSTEMTIME SystemTime;
GetSystemTime(&SystemTime);
TCHAR pszDate[200];
GetDateFormatA(LOCALE_USER_DEFAULT, DATE_LONGDATE, &SystemTime, NULL, pszDate, 200);
wchar_t teststr[] = L"Time func checksum";
DWORD checks = calc_checksum((BYTE*)teststr, sizeof(teststr), true);
std::cout << "Checks 3: " << std::hex << checks << std::endl;
#ifdef SHOW_MSGBOX
MessageBoxA(NULL, pszDate, "Test Case 5", MB_OK);
#endif
return checks;
}
BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
printf("Test Case 5 DLL loaded\n");
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

7
Etw Syscall/libpeconv-master/tests/test_case5/test_case5_dll/main.def Normal file
View File

@@ -0,0 +1,7 @@
LIBRARY test_case5_dll
EXPORTS
test_checksum1
test_checksum2 @2 NONAME
test_checksum3
test_checksum4 @4 NONAME
test_checksum5

127
Etw Syscall/libpeconv-master/tests/test_crackme_f4_3.cpp Normal file
View File

@@ -0,0 +1,127 @@
#include <stdio.h>
#include <windows.h>
#include "test_crackme_f4_3.h"
#include "resource.h"
#include "peconv.h"
namespace test3 {
BYTE *g_Buffer = NULL;
const size_t g_BufferLen = 0x79;
BYTE g_Buffer2[g_BufferLen] = { 0 };
WORD (*calc_checksum) (BYTE *decoded_buffer, size_t buf_size) = NULL;
bool test_val(BYTE xor_val)
{
for (size_t i = 0; i < g_BufferLen; i++) {
BYTE val = g_Buffer[i];
g_Buffer2[i] = (xor_val ^ val) + 0x22;
}
WORD checksum = calc_checksum(g_Buffer2, g_BufferLen);
if (checksum == 0xfb5e) {
return true;
}
return false;
}
BYTE brutforce()
{
BYTE xor_val = 0;
do {
xor_val++;
} while (!test_val(xor_val));
return xor_val;
}
};
//---
int tests::brutforce_crackme_f4_3()
{
#ifdef _WIN64
printf("Compile the loader as 32bit!\n");
return 0;
#endif
BYTE* loaded_pe = NULL;
size_t v_size = 0;
{ //scope1
size_t raw_size = 0;
BYTE *raw_crackme = peconv::load_resource_data(raw_size, CRACKME_F4_3_32);
if (!raw_crackme) {
return -1;
}
loaded_pe = peconv::load_pe_module(raw_crackme, raw_size, v_size, true, false);
if (!loaded_pe) {
peconv::free_resource_data(raw_crackme);
return -1;
}
peconv::free_resource_data(raw_crackme);
}//!scope1
test3::g_Buffer = (BYTE*) (0x107C + (ULONGLONG) loaded_pe);
ULONGLONG func_offset = 0x11e6 + (ULONGLONG) loaded_pe;
test3::calc_checksum = ( WORD (*) (BYTE *, size_t ) ) func_offset;
BYTE found = test3::brutforce();
printf("Found: %x\n", found);
int res = -1;
if (found == 0xa2) {
res = 0;
}
peconv::free_pe_buffer(loaded_pe, v_size);
return res;
}
//For now this is for manual tests only:
int tests::deploy_crackme_f4_3(peconv::t_function_resolver* func_resolver)
{
#ifdef _WIN64
printf("Compile the loader as 32bit!\n");
return 0;
#endif
BYTE* loaded_pe = NULL;
size_t v_size = 0;
{ //scope1
size_t raw_size = 0;
BYTE *raw_crackme = peconv::load_resource_data(raw_size, CRACKME_F4_3_32);
if (!raw_crackme) {
return -1;
}
loaded_pe = peconv::load_pe_executable(raw_crackme, raw_size, v_size, func_resolver);
if (!loaded_pe) {
peconv::free_resource_data(raw_crackme);
return -1;
}
peconv::free_resource_data(raw_crackme);
}//!scope1
test3::g_Buffer = (BYTE*) (0x107C + (ULONGLONG) loaded_pe);
ULONGLONG func_offset = 0x11e6 + (ULONGLONG) loaded_pe;
test3::calc_checksum = ( WORD (*) (BYTE *, size_t ) ) func_offset;
BYTE found = test3::brutforce();
printf("Found: %x\n", found);
int res = -1;
if (found != 0xa2) {
peconv::free_pe_buffer(loaded_pe, v_size);
return -1;
}
ULONGLONG ep_va = peconv::get_entry_point_rva(loaded_pe) + (ULONGLONG) loaded_pe;
printf("Press any key to go to function's entry point\n");
system("pause");
//make pointer to the entry function:
int (*loaded_pe_entry)(void) = (int (*)(void)) ep_va;
res = loaded_pe_entry();
printf("Finished: %d\n", res);
peconv::free_pe_buffer(loaded_pe, v_size);
return 0;
}

12
Etw Syscall/libpeconv-master/tests/test_crackme_f4_3.h Normal file
View File

@@ -0,0 +1,12 @@
#pragma once
#include "peconv.h"
namespace tests {
// Loads the FlareOn4 Crackme 3, brutforces the key value using a function imported from the crackme and verifies it
int brutforce_crackme_f4_3();
//For now this is for manual tests only:
int deploy_crackme_f4_3(peconv::t_function_resolver* func_resolver);
}; //namespace tests

201
Etw Syscall/libpeconv-master/tests/test_crackme_f4_6.cpp Normal file
View File

@@ -0,0 +1,201 @@
#include "test_crackme_f4_6.h"
#include "peconv.h"
#include <iostream>
namespace test6 {
DWORD (_fastcall *imported_func_1)(ULONGLONG a1) = NULL;
DWORD (*display_chunk)(int, int, LPSTR a1) = NULL;
const size_t g_flagLen = 26;
char g_flagBuf[g_flagLen + 1] = { 0 };
int WINAPI my_MessageBoxA(
_In_opt_ HWND hWnd,
_In_opt_ LPCSTR lpText,
_In_opt_ LPCSTR lpCaption,
_In_ UINT uType)
{
unsigned int key_part = 0;
int key_id = 0;
sscanf(lpText,"key[%d] = %x;", &key_id, &key_part);
g_flagBuf[key_id] = key_part;
return 0;
}
int my_index()
{
static int index = 0;
return (index++) % g_flagLen;
}
class FlagLoader
{
public:
FlagLoader(int _id) : id(_id) {}
virtual bool load_next_char(const char *path) = 0;
bool load_flag(const char *path)
{
memset(test6::g_flagBuf, 0, sizeof(test6::g_flagBuf));
for (int i = 0; i < test6::g_flagLen; i++) {
if (!load_next_char(path)) {
printf("Cannot load next char...\n");
return false;
}
}
printf("%d) %s\n", id, test6::g_flagBuf);
if (strcmp(test6::g_flagBuf, "wuuut-exp0rts@flare-on.com") != 0) {
printf("Invalid flag!\n");
return false;
}
return true;
}
protected:
int id;
};
class FlagLoader1 : public FlagLoader
{
public:
FlagLoader1(int _id) : FlagLoader(_id) {}
virtual bool load_next_char(const char *path)
{
size_t v_size = 0;
peconv::hooking_func_resolver my_res;
my_res.add_hook("MessageBoxA", (FARPROC)&test6::my_MessageBoxA);
BYTE* loaded_pe = peconv::load_pe_executable(path, v_size, (peconv::t_function_resolver*) &my_res);
if (!loaded_pe) {
printf("Cannot load PE\n");
return false;
}
ULONGLONG modifying_func_offset = 0x5d30 + (ULONGLONG)loaded_pe;
//hook local func:
ULONGLONG srand_offset = (ULONGLONG)loaded_pe + 0x7900;
ULONGLONG rand_offset = (ULONGLONG)loaded_pe + 0x78D4;
ULONGLONG calc_index_offset = (ULONGLONG)loaded_pe + 0x4710;
peconv::redirect_to_local64((void*)srand_offset, ULONGLONG(&srand));
peconv::redirect_to_local64((void*)rand_offset, ULONGLONG(&rand));
peconv::redirect_to_local64((void*)calc_index_offset, (ULONGLONG)&my_index);
test6::imported_func_1 = (DWORD(_fastcall *)(ULONGLONG)) (modifying_func_offset);
#ifdef _DEBUG
printf("Calling the main func:\n");
#endif
DWORD returned = test6::imported_func_1((ULONGLONG)loaded_pe);
#ifdef _DEBUG
printf("Returned: %x\n", returned);
#endif
std::vector<std::string> names_set;
if (peconv::get_exported_names(loaded_pe, names_set) > 0) {
#ifdef _DEBUG
std::cout << "exported: " << names_set[0] << std::endl;
#endif
const char *got_name = names_set[0].c_str();
FARPROC exp1 = peconv::get_exported_func(loaded_pe, const_cast<char*>(got_name));
test6::display_chunk = (DWORD(*)(int, int, LPSTR)) exp1;
#ifdef _DEBUG
printf("Calling exported function at: %p\n", exp1);
#endif
test6::display_chunk(0, 0, const_cast<char*>(got_name));
}
peconv::free_pe_buffer(loaded_pe, v_size);
return true;
}
};
class FlagLoader2 : public FlagLoader
{
public:
FlagLoader2(int _id) : FlagLoader(_id) {}
virtual bool load_next_char(const char *path)
{
peconv::hooking_func_resolver my_res;
my_res.add_hook("MessageBoxA", (FARPROC)&my_MessageBoxA);
size_t v_size = 0;
BYTE* loaded_pe = peconv::load_pe_executable(
path, v_size,
(peconv::t_function_resolver*) &my_res
);
if (!loaded_pe) {
printf("Loading module failed!\n");
return false;
}
ULONGLONG modifying_func_offset = (ULONGLONG)loaded_pe + 0x5d30;
ULONGLONG calc_index_offset = (ULONGLONG)loaded_pe + 0x4710;
char(__fastcall *_scrt_initialize_crt)(int a1)
= (char(__fastcall *)(int))((ULONGLONG)loaded_pe + 0x664C);
char(__fastcall *_scrt_uninitialize_crt)(char a1, char a2)
= (char(__fastcall *)(char, char))((ULONGLONG)loaded_pe + 0x6824);
_scrt_initialize_crt(0); //INIT CRT
peconv::redirect_to_local64((void*)calc_index_offset, (ULONGLONG)&my_index);
test6::imported_func_1 = (DWORD(_fastcall *)(ULONGLONG)) (modifying_func_offset);
#ifdef _DEBUG
printf("Calling the main func:\n");
#endif
DWORD returned = test6::imported_func_1((ULONGLONG)loaded_pe);
#ifdef _DEBUG
printf("Returned: %x\n", returned);
#endif
std::vector<std::string> names_set;
if (peconv::get_exported_names(loaded_pe, names_set) > 0) {
#ifdef _DEBUG
std::cout << "exported: " << names_set[0] << std::endl;
#endif
const char *got_name = names_set[0].c_str();
FARPROC exp1 = peconv::get_exported_func(loaded_pe, const_cast<char*>(got_name));
test6::display_chunk = (DWORD(*)(int, int, LPSTR)) exp1;
#ifdef _DEBUG
printf("Calling exported function at: %p\n", exp1);
#endif
test6::display_chunk(0, 0, const_cast<char*>(got_name));
}
_scrt_uninitialize_crt(0, 0); //RELEASE CRT
peconv::free_pe_buffer(loaded_pe, v_size);
return true;
}
};
}; //namespace test6
int tests::decode_crackme_f4_6(char *path)
{
#ifndef _WIN64
printf("Compile the loader as 64bit!\n");
return 0;
#endif
char default_path[] = "payload.dll";
if (!path) {
path = default_path;
}
test6::FlagLoader1 c1(1);
memset(test6::g_flagBuf, 0, sizeof(test6::g_flagBuf));
if (!c1.load_flag(path)) {
return -1;
}
test6::FlagLoader2 c2(2);
if (!c2.load_flag(path)) {
return -1;
}
return 0;
}

9
Etw Syscall/libpeconv-master/tests/test_crackme_f4_6.h Normal file
View File

@@ -0,0 +1,9 @@
#pragma once
#include "peconv.h"
namespace tests {
int decode_crackme_f4_6(char *path);
}; //namespace tests

64
Etw Syscall/libpeconv-master/tests/test_delayed_imps.cpp Normal file
View File

@@ -0,0 +1,64 @@
#include <stdio.h>
#include <windows.h>
#include "test_delayed_imps.h"
#include "peconv.h"
using namespace peconv;
#include <iostream>
#include <string>
#include <map>
namespace test9 {
int _stdcall my_MessageBoxA(
_In_opt_ HWND hWnd,
_In_opt_ LPCSTR lpText,
_In_opt_ LPCSTR lpCaption,
_In_ UINT uType)
{
std::cout << "TITLE: [" << lpCaption << "]" << std::endl;
std::cout << "MESSAGE: [" << lpText << "]" << std::endl;
return 1337;
}
int _stdcall my_MessageBoxW(
_In_opt_ HWND hWnd,
_In_opt_ LPCWSTR lpText,
_In_opt_ LPCWSTR lpCaption,
_In_ UINT uType)
{
std::wcout << L"TITLE: [" << lpCaption << L"]" << std::endl;
std::wcout << L"MESSAGE: [" << lpText << L"]" << std::endl;
return 1338;
}
};
int tests::replace_delayed_imps(char *path)
{
if (path == NULL) {
std::cerr << "Supply the path to the app" << std::endl;
return -1;
}
std::cout << "Trying to load: " << path << std::endl;
size_t v_size = 0;
peconv::hooking_func_resolver my_res;
my_res.add_hook("MessageBoxA", (FARPROC)&test9::my_MessageBoxA);
my_res.add_hook("MessageBoxW", (FARPROC)&test9::my_MessageBoxW);
BYTE* loaded_pe = peconv::load_pe_executable(path, v_size);
if (!loaded_pe) {
return -1;
}
if (!peconv::load_delayed_imports(loaded_pe, (ULONGLONG)loaded_pe, (peconv::t_function_resolver*) &my_res)) {
std::cout << "Failed loading delayed functions!" << std::endl;
peconv::free_pe_buffer(loaded_pe, v_size);
return -1;
}
ULONGLONG ep_exp_offset = (ULONGLONG)loaded_pe + peconv::get_entry_point_rva(loaded_pe);
void(_cdecl *ep_func)() = (void(_cdecl *)()) (ep_exp_offset);
std::cout << "Calling entry point:" << std::endl;
ep_func();
peconv::free_pe_buffer(loaded_pe, v_size);
return 0;
}

9
Etw Syscall/libpeconv-master/tests/test_delayed_imps.h Normal file
View File

@@ -0,0 +1,9 @@
#pragma once
#include "peconv.h"
namespace tests {
int replace_delayed_imps(char *path);
}; //namespace tests

69
Etw Syscall/libpeconv-master/tests/test_fix_dotnet.cpp Normal file
View File

@@ -0,0 +1,69 @@
#include "test_fix_dotnet.h"
#include <peconv.h>
#include "..\\libpeconv\src\fix_dot_net_ep.h"
namespace tests {
bool test_finding_offset(BYTE *buf, const size_t buf_size, size_t pattern_offset, bool direction_start=true)
{
const BYTE pattern[] = { 0xFF, 0x25, 0x00, 0x20, 0x40, 0x00 };
const ULONGLONG img_base = 0x400000;
const DWORD cor_exe_main_thunk = 0x2000;
// reset buffer:
memset(buf, 0, buf_size);
if (!direction_start) {
pattern_offset = (buf_size - sizeof(pattern)) - pattern_offset;
}
if (buf_size < sizeof(pattern) || (pattern_offset + sizeof(pattern)) > buf_size) {
std::cerr << __FILE__ << " incorrect test data!" << std::endl;
return false;
}
memcpy(buf + pattern_offset, pattern, sizeof(pattern));
BYTE* found = search_jump(buf, buf_size, cor_exe_main_thunk, img_base);
if (!found) {
std::cout << "Not found!\n";
return false;
}
size_t diff = found - buf;
std::cout << "Fount at offset: " << std::hex << diff << "\n";
if (diff == pattern_offset) {
return true;
}
return false;
}
};
int tests::check_finding_jumps()
{
BYTE buf[0x100] = { 0 };
bool is_ok = test_finding_offset(buf, sizeof(buf), 0, true);
if (is_ok) {
std::cout << "Test 1 passed!\n";
} else {
std::cout << "Test 1 failed!\n";
return 1;
}
is_ok = test_finding_offset(buf, sizeof(buf), 0, false);
if (is_ok) {
std::cout << "Test 2 passed!\n";
}
else {
std::cout << "Test 2 failed!\n";
return 1;
}
is_ok = test_finding_offset(buf, sizeof(buf), 30, false);
if (is_ok) {
std::cout << "Test 3 passed!\n";
}
else {
std::cout << "Test 2 failed!\n";
return 1;
}
return 0;
}

9
Etw Syscall/libpeconv-master/tests/test_fix_dotnet.h Normal file
View File

@@ -0,0 +1,9 @@
#pragma once
#include <peconv.h>
namespace tests {
int check_finding_jumps();
}; //namespace tests

47
Etw Syscall/libpeconv-master/tests/test_format_detect.cpp Normal file
View File

@@ -0,0 +1,47 @@
#include "test_format_detect.h"
using namespace peconv;
void printFromat(bool isRaw)
{
if (isRaw) {
std::cout << "PE is in the RAW format\n";
}
else {
std::cout << "PE is in the VIRTUAL format\n";
}
}
int tests::check_pe_format(const char *my_path)
{
size_t pe_size = 0;
std::cout << "Module: " << my_path << "\n";
// Load the current executable from the file with the help of libpeconv:
BYTE* loaded_pe = peconv::load_file(my_path, pe_size);
if (!loaded_pe) {
std::cout << "Loading failed!\n";
return -1;
}
bool isRaw = peconv::is_pe_raw(loaded_pe, pe_size);
bool isRaw2 = false;
if (isRaw) {
size_t v_size = 0;
BYTE* virtual_pe = peconv::load_pe_module(my_path, v_size, false, false);
if (!virtual_pe) {
std::cout << "Mapping failed!\n";
return -1;
}
isRaw2 = peconv::is_pe_raw(virtual_pe, v_size);
peconv::free_pe_buffer(virtual_pe);
}
peconv::free_pe_buffer(loaded_pe);
std::cout << "Test 1:\n\t";
printFromat(isRaw);
std::cout << "Test 2:\n\t";
printFromat(isRaw2);
if (isRaw && !isRaw2) {
return 0; // status OK
}
return 1;
}

10
Etw Syscall/libpeconv-master/tests/test_format_detect.h Normal file
View File

@@ -0,0 +1,10 @@
#pragma once
#include <peconv.h>
namespace tests {
// check if the supplied PE is in raw or virtual format
int check_pe_format(const char *path);
}; //namespace tests

31
Etw Syscall/libpeconv-master/tests/test_found_base.cpp Normal file
View File

@@ -0,0 +1,31 @@
#include "test_found_base.h"
#include <windows.h>
#include <iostream>
#include <peconv.h>
#include <peconv\find_base.h>
using namespace peconv;
int tests::load_and_check_base(const char *path)
{
if (!path) {
return -1;
}
size_t v_size = 0;
BYTE* pe = peconv::load_pe_module(path, v_size, false, true);
if (!pe) {
return -2;
}
std::cout << "Loaded at: " <<std::hex << (ULONGLONG)pe << "\n";
ULONGLONG found_base = peconv::find_base_candidate(pe, v_size);
bool is_ok = false;
if (found_base == (ULONGLONG)pe) {
is_ok = true;
std::cout << "[+] Success! Correct base found!\n";
}
std::cout << "Load Base: " << std::hex << (ULONGLONG)pe << "\n";
peconv::free_pe_buffer(pe);
std::cout << "Found Base: " << std::hex << found_base << "\n";
return (is_ok) ? 0 : 1;
}

7
Etw Syscall/libpeconv-master/tests/test_found_base.h Normal file
View File

@@ -0,0 +1,7 @@
#pragma once
namespace tests {
int load_and_check_base(const char *path);
}; //namespace tests

61
Etw Syscall/libpeconv-master/tests/test_hooking_imps.cpp Normal file
View File

@@ -0,0 +1,61 @@
#include "test_hooking_imps.h"
#include "peconv.h"
using namespace peconv;
#include <iostream>
#include <string>
#include <map>
namespace test5 {
int _stdcall my_MessageBoxA(
_In_opt_ HWND hWnd,
_In_opt_ LPCSTR lpText,
_In_opt_ LPCSTR lpCaption,
_In_ UINT uType)
{
std::cout << "TITLE: [" << lpCaption << "]" << std::endl;
std::cout << "MESSAGE: [" << lpText << "]" <<std::endl;
return 1337;
}
int _stdcall my_MessageBoxW(
_In_opt_ HWND hWnd,
_In_opt_ LPCWSTR lpText,
_In_opt_ LPCWSTR lpCaption,
_In_ UINT uType)
{
std::wcout << L"TITLE: [" << lpCaption << L"]" << std::endl;
std::wcout << L"MESSAGE: [" << lpText << L"]" <<std::endl;
return 1338;
}
};
int tests::hook_testcase(char *path)
{
if (path == NULL) {
std::cerr << "Supply the path to the app" << std::endl;
return -1;
}
std::cout << "Trying to load: " << path << std::endl;
size_t v_size = 0;
peconv::hooking_func_resolver my_res;
my_res.add_hook("MessageBoxA", (FARPROC) &test5::my_MessageBoxA);
my_res.add_hook("MessageBoxW", (FARPROC) &test5::my_MessageBoxW);
BYTE* loaded_pe = peconv::load_pe_executable(path, v_size, (peconv::t_function_resolver*) &my_res);
if (!loaded_pe) {
return -1;
}
ULONGLONG ep_exp_offset = (ULONGLONG) loaded_pe + peconv::get_entry_point_rva(loaded_pe);
DWORD (*imported_func)() = (DWORD (*)()) (ep_exp_offset);
std::cout << "Calling imported function:" <<std::endl;
imported_func();
peconv::free_pe_buffer(loaded_pe, v_size);
return 0;
}

9
Etw Syscall/libpeconv-master/tests/test_hooking_imps.h Normal file
View File

@@ -0,0 +1,9 @@
#pragma once
#include "peconv.h"
namespace tests {
int hook_testcase(char *path);
}; //namespace tests

96
Etw Syscall/libpeconv-master/tests/test_hooking_local.cpp Normal file
View File

@@ -0,0 +1,96 @@
#include "test_hooking_local.h"
#include <peconv.h>
using namespace peconv;
#include <iostream>
#include <string>
#include <map>
#define FAKE_NAME "fake_module_name"
namespace test11 {
int _stdcall my_MessageBoxA(
_In_opt_ HWND hWnd,
_In_opt_ LPCSTR lpText,
_In_opt_ LPCSTR lpCaption,
_In_ UINT uType)
{
std::cout << "TITLE: [" << lpCaption << "]" << std::endl;
std::cout << "MESSAGE: [" << lpText << "]" << std::endl;
return 1337;
}
int _stdcall my_MessageBoxW(
_In_opt_ HWND hWnd,
_In_opt_ LPCWSTR lpText,
_In_opt_ LPCWSTR lpCaption,
_In_ UINT uType)
{
std::wcout << L"TITLE: [" << lpCaption << L"]" << std::endl;
std::wcout << L"MESSAGE: [" << lpText << L"]" << std::endl;
return 1338;
}
int __cdecl my_rand(void)
{
return 44;
}
DWORD
WINAPI
my_GetModuleFileNameA(
IN OPTIONAL HMODULE hModule,
OUT LPSTR lpFilename,
IN DWORD nSize
)
{
const char fake_name[] = FAKE_NAME;
size_t to_copy = strlen(fake_name);
if (to_copy < nSize) to_copy = nSize;
memcpy(lpFilename, fake_name, to_copy);
return to_copy;
}
};
int tests::hook_self_local()
{
char normal_name[MAX_PATH] = { 0 };
GetModuleFileNameA(NULL, normal_name, MAX_PATH);
HMODULE user32_lib = LoadLibraryA("user32.dll");
HMODULE kernel32_lib = LoadLibraryA("kernel32.dll");
PatchBackup backup;
peconv::redirect_to_local(GetProcAddress(user32_lib, "MessageBoxA"), &test11::my_MessageBoxA);
peconv::redirect_to_local(GetProcAddress(kernel32_lib, "GetModuleFileNameA"), &test11::my_GetModuleFileNameA, &backup);
peconv::redirect_to_local(rand, &test11::my_rand);
char module_name[MAX_PATH] = { 0 };
GetModuleFileNameA(NULL, module_name, MAX_PATH);
MessageBoxA(0, module_name, "Module Name", MB_OK);
if (strcmp(FAKE_NAME, module_name) != 0) {
std::cout << "Failed!";
return -1;
}
srand(10000);
int rand_val = rand();
if (rand_val != 44) {
std::cout << "Failed: " << rand_val << "\n";
return -2;
}
if (!backup.applyBackup()) {
std::cout << "Failed! Cannot apply backup.";
return -3;
}
GetModuleFileNameA(NULL, module_name, MAX_PATH);
MessageBoxA(0, module_name, "Module Name", MB_OK);
if (strcmp(normal_name, module_name) != 0) {
std::cout << "Failed!";
return -4;
}
return 0;
}

9
Etw Syscall/libpeconv-master/tests/test_hooking_local.h Normal file
View File

@@ -0,0 +1,9 @@
#pragma once
#include <peconv.h>
namespace tests {
int hook_self_local();
}; //namespace tests

72
Etw Syscall/libpeconv-master/tests/test_imp_list.cpp Normal file
View File

@@ -0,0 +1,72 @@
#include "test_imp_list.h"
using namespace peconv;
class ListImportThunks : public ImportThunksCallback
{
public:
ListImportThunks(BYTE* _modulePtr, size_t _moduleSize)
: ImportThunksCallback(_modulePtr, _moduleSize)
{
}
virtual bool processThunks(LPSTR lib_name, ULONG_PTR origFirstThunkPtr, ULONG_PTR firstThunkPtr)
{
if (this->is64b) {
IMAGE_THUNK_DATA64* desc = reinterpret_cast<IMAGE_THUNK_DATA64*>(origFirstThunkPtr);
ULONGLONG* call_via = reinterpret_cast<ULONGLONG*>(firstThunkPtr);
return processThunks_tpl<ULONGLONG, IMAGE_THUNK_DATA64>(lib_name, desc, call_via, IMAGE_ORDINAL_FLAG64);
}
IMAGE_THUNK_DATA32* desc = reinterpret_cast<IMAGE_THUNK_DATA32*>(origFirstThunkPtr);
DWORD* call_via = reinterpret_cast<DWORD*>(firstThunkPtr);
return processThunks_tpl<DWORD, IMAGE_THUNK_DATA32>(lib_name, desc, call_via, IMAGE_ORDINAL_FLAG32);
}
protected:
template <typename T_FIELD, typename T_IMAGE_THUNK_DATA>
bool processThunks_tpl(LPSTR lib_name, T_IMAGE_THUNK_DATA* desc, T_FIELD* call_via, T_FIELD ordinal_flag)
{
ULONG_PTR call_via_rva = (ULONG_PTR)call_via - (ULONG_PTR)this->modulePtr;
std::cout << "via RVA: " << std::hex << call_via_rva << " : " << lib_name << " : ";
bool is_by_ord = (desc->u1.Ordinal & ordinal_flag) != 0;
if (is_by_ord) {
T_FIELD raw_ordinal = desc->u1.Ordinal & (~ordinal_flag);
std::cout << "ord: " << raw_ordinal << std::endl;
}
else {
PIMAGE_IMPORT_BY_NAME by_name = (PIMAGE_IMPORT_BY_NAME)((ULONGLONG)modulePtr + desc->u1.AddressOfData);
LPSTR func_name = reinterpret_cast<LPSTR>(by_name->Name);
std::cout << "name: " << func_name << std::endl;
}
return true;
}
};
bool list_imports(IN BYTE* modulePtr, IN size_t moduleSize)
{
if (moduleSize == 0) {
moduleSize = peconv::get_image_size((const BYTE*)modulePtr);
}
if (moduleSize == 0) return false;
ListImportThunks callback(modulePtr, moduleSize);
return peconv::process_import_table(modulePtr, moduleSize, &callback);
}
int tests::imp_list(char *my_path)
{
size_t v_size = 0;
std::cout << "Module: " << my_path << "\n";
// Load the current executable from the file with the help of libpeconv:
BYTE* loaded_pe = load_pe_module(my_path, v_size, true, true);
if (!loaded_pe) {
std::cout << "Loading failed!\n";
return -1;
}
bool is_ok = list_imports(loaded_pe, v_size);
peconv::free_pe_buffer(loaded_pe);
return is_ok ? 0 : 1;
}

9
Etw Syscall/libpeconv-master/tests/test_imp_list.h Normal file
View File

@@ -0,0 +1,9 @@
#pragma once
#include <peconv.h>
namespace tests {
int imp_list(char *path);
}; //namespace tests

29
Etw Syscall/libpeconv-master/tests/test_imports_mix.cpp Normal file
View File

@@ -0,0 +1,29 @@
#include "test_imports_mix.h"
using namespace peconv;
int tests::imports_mix(const char *my_path)
{
size_t v_size = 0;
std::cout << "Module: " << my_path << "\n";
// Load the current executable from the file with the help of libpeconv:
BYTE* loaded_pe = peconv::load_pe_executable(my_path, v_size);
if (!loaded_pe) {
std::cout << "Loading failed!\n";
return -1;
}
//calculate the Entry Point of the manually loaded module
DWORD ep_rva = peconv::get_entry_point_rva(loaded_pe);
if (!ep_rva) {
return -2;
}
ULONG_PTR ep_va = ep_rva + (ULONG_PTR)loaded_pe;
//assuming that the payload is an EXE file (not DLL) this will be the simplest prototype of the main:
int(*new_main)() = (int(*)())ep_va;
//call the Entry Point of the manually loaded PE:
new_main();
peconv::free_pe_buffer(loaded_pe);
return 0;
}

9
Etw Syscall/libpeconv-master/tests/test_imports_mix.h Normal file
View File

@@ -0,0 +1,9 @@
#pragma once
#include <peconv.h>
namespace tests {
int imports_mix(const char *my_path);
}; //namespace tests

67
Etw Syscall/libpeconv-master/tests/test_load_ntdll.cpp Normal file
View File

@@ -0,0 +1,67 @@
#include "test_load_ntdll.h"
#include "peconv.h"
#include <iostream>
#include "shellcodes.h"
int (_cdecl *ntdll_tolower) (int) = NULL;
NTSTATUS (NTAPI *ntdll_ZwAllocateVirtualMemory)(
_In_ HANDLE ProcessHandle,
_Inout_ PVOID *BaseAddress,
_In_ ULONG_PTR ZeroBits,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG AllocationType,
_In_ ULONG Protect
) = NULL;
//For now this is for manual tests only:
int tests::test_ntdll(char *path)
{
CHAR ntdllPath[MAX_PATH];
ExpandEnvironmentStrings("%SystemRoot%\\system32\\ntdll.dll", ntdllPath, MAX_PATH);
size_t v_size = 0;
// NTDLL does not need any imports, so we can load it by load_pe_module
// in a normal case we should use load_pe_executable
BYTE *ntdll_module = peconv::load_pe_module(ntdllPath, v_size, true, true);
if (!ntdll_module) {
return -1;
}
bool is64 = peconv::is64bit(ntdll_module);
std::cout << "NTDLL loaded, is64: " << is64 << std::endl;
FARPROC n_offset = peconv::get_exported_func(ntdll_module, "tolower");
if (n_offset == NULL) {
return -1;
}
std::cout << "Got tolower: " << n_offset << std::endl;
ntdll_tolower = (int (_cdecl *) (int)) n_offset;
int out = ntdll_tolower('C');
std::cout << "To lower char: " << (char) out << std::endl;
n_offset = peconv::get_exported_func(ntdll_module, "ZwAllocateVirtualMemory");
if (n_offset == NULL) {
return -1;
}
PVOID base_addr = 0;
SIZE_T buffer_size = 0x200;
ntdll_ZwAllocateVirtualMemory = (NTSTATUS (NTAPI *)(HANDLE, PVOID *, ULONG_PTR, PSIZE_T, ULONG, ULONG)) n_offset;
NTSTATUS status = ntdll_ZwAllocateVirtualMemory(
GetCurrentProcess(), &base_addr, 0, &buffer_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE
);
if (status != S_OK) {
return -1;
}
printf("allocated: %p\n", base_addr);
#ifndef _WIN64
memcpy(base_addr, messageBox32bit_sc, sizeof(messageBox32bit_sc));
#else
memcpy(base_addr, messageBox64bit_sc, sizeof(messageBox64bit_sc));
#endif
void (*shellc)(void) = (void (*)(void))base_addr;
shellc();
return 0;
}

10
Etw Syscall/libpeconv-master/tests/test_load_ntdll.h Normal file
View File

@@ -0,0 +1,10 @@
#pragma once
#include "peconv.h"
namespace tests {
//For now this is for manual tests only:
int test_ntdll(char *path);
}; //namespace tests

52
Etw Syscall/libpeconv-master/tests/test_loading.cpp Normal file
View File

@@ -0,0 +1,52 @@
#include "test_loading.h"
#include <iostream>
#include <peconv.h>
using namespace peconv;
int tests::load_self()
{
char my_path[MAX_PATH] = { 0 };
GetModuleFileNameA(NULL, my_path, MAX_PATH);
size_t v_size = 0;
std::cout << "Module: " << my_path << "\n";
// Load the current executable from the file with the help of libpeconv:
BYTE* loaded_pe = load_pe_module(my_path, v_size, true, true);
if (!loaded_pe) {
std::cout << "Loading failed!\n";
return -1;
}
printf("Loaded at: %p\n", loaded_pe);
// Now try to unmap the loaded image using libpeconv:
size_t raw_size = 0;
BYTE* unmapped = pe_virtual_to_raw(loaded_pe, v_size, (ULONGLONG)loaded_pe, raw_size, true);
if (!unmapped || raw_size == 0) {
std::cout << "Unmapping failed!\n";
return -1;
}
std::cout << "Unmapped at:" << std::hex << (ULONG_PTR)unmapped << "\n";
//Read the original file and compare it with the unmapped module:
size_t read_size = 0;
BYTE* file_content = load_file(my_path, read_size);
if (file_content == NULL) {
printf("Reading file failed!\n");
return -1;
}
std::cout << "Read size: " << std::dec << read_size << "\n";
std::cout << "Unmapped size: " << std::dec << raw_size << "\n";
size_t smaller_size = raw_size < read_size ? raw_size : read_size;
int res = memcmp(unmapped, file_content, smaller_size);
if (loaded_pe) {
free_pe_buffer(loaded_pe, v_size);
free_pe_buffer(unmapped, raw_size);
std::cout << "Unloaded!\n";
}
free_file(file_content);
if (res != 0) {
std::cout << "Unmapped module is NOT the same as the original!\n";
}
return res;
}

9
Etw Syscall/libpeconv-master/tests/test_loading.h Normal file
View File

@@ -0,0 +1,9 @@
#pragma once
#include "peconv.h"
namespace tests {
int load_self();
}; //namespace tests

53
Etw Syscall/libpeconv-master/tests/test_loading_imps.cpp Normal file
View File

@@ -0,0 +1,53 @@
#include <stdio.h>
#include <windows.h>
#include "test_loading_imps.h"
int tests::deploy_self_ex(peconv::t_function_resolver* func_resolver)
{
char marker_path[] = "peconv_test_marker";
DWORD current_pid = GetCurrentProcessId();
printf("My PID: %d\n", current_pid);
printf("My ptr: %p\n", &deploy_self_ex);
char my_env[MAX_PATH] = { 0 };
if (GetEnvironmentVariableA(marker_path, my_env, MAX_PATH)) {
int pid = atoi(my_env);
if (pid == current_pid) {
printf("Second iteration: marker found\n");
}
return 0;
} else {
printf("First iteration: marker not found\n");
}
char my_path[MAX_PATH] = { 0 };
GetModuleFileNameA(NULL, my_path, MAX_PATH);
size_t v_size = 0;
printf("Module: %s\n", my_path);
// Load the current executable from the file with the help of libpeconv:
BYTE* loaded_pe = peconv::load_pe_executable(my_path, v_size, func_resolver);
ULONGLONG ep = peconv::get_entry_point_rva(loaded_pe) + (ULONGLONG) loaded_pe;
LPVOID ep_ptr = (LPVOID) ep;
// Deploy itself!
// read the Entry Point from the headers:
int (*loaded_pe_entry)(void);
loaded_pe_entry = (int (*)(void)) ep_ptr;
_itoa_s(current_pid, my_env, 10);
if (SetEnvironmentVariableA(marker_path, my_env)) {
printf ("Env marker set!\n");
}
//call the loaded PE's ep:
printf("Calling the Entry Point of the loaded module:\n");
int ret_val = loaded_pe_entry();
return ret_val;
}
int tests::deploy_self()
{
return tests::deploy_self_ex(NULL);
}

12
Etw Syscall/libpeconv-master/tests/test_loading_imps.h Normal file
View File

@@ -0,0 +1,12 @@
#pragma once
#include "peconv.h"
namespace tests {
// Get the path of the current module and loads it by the custom loader. Then, deploys the module and checks if it runs properly.
int deploy_self();
int deploy_self_ex(peconv::t_function_resolver* func_resolver);
}; //namespace tests

78
Etw Syscall/libpeconv-master/tests/test_peb_lookup.cpp Normal file
View File

@@ -0,0 +1,78 @@
#include "test_peb_lookup.h"
#include <peconv.h>
namespace tests {
int compare_modules_and_sizes(wchar_t* module_name = NULL)
{
std::wcout << "\n[*] Test: ";
if (module_name == NULL) {
std::wcout << "self";
}
else {
std::wcout << module_name;
LoadLibraryW(module_name);
}
std::wcout << "\n";
HMODULE mod1 = peconv::get_module_via_peb(module_name);
HMODULE mod2 = GetModuleHandleW(module_name);
std::cout << "get_module_via_peb: " << std::hex << mod1 << "\n";
std::cout << "GetModuleHandle: " << std::hex << mod2 << "\n";
if (mod1 != mod2) {
return false;
}
size_t size1 = peconv::get_image_size((BYTE*)mod1);
size_t size2 = peconv::get_module_size_via_peb(mod2);
std::cout << "get_image_size: " << std::hex << size1 << "\n";
std::cout << "get_module_size_via_peb: " << std::hex << size2 << "\n";
if (size1 != size2) {
return false;
}
return true;
}
bool check_unexisting_module()
{
std::wcout << "\n[*] Test: unexisting module\n";
wchar_t* module_name = L"unexisting_module";
HMODULE mod1 = peconv::get_module_via_peb(module_name);
HMODULE mod2 = GetModuleHandleW(module_name);
std::cout << "get_module_via_peb: " << std::hex << mod1 << "\n";
std::cout << "GetModuleHandle: " << std::hex << mod2 << "\n";
if (mod1 != mod2) {
return false;
}
return true;
}
};
int tests::check_modules()
{
if (!compare_modules_and_sizes(NULL)) {
return 1;
}
if (!compare_modules_and_sizes(L"ntdll.dll")) {
return 1;
}
if (!compare_modules_and_sizes(L"kernel32.dll")) {
return 1;
}
if (!compare_modules_and_sizes(L"user32.dll")) {
return 1;
}
if (!compare_modules_and_sizes(L"advapi32.dll")) {
return 1;
}
if (!compare_modules_and_sizes(L"ws2_32.dll")) {
return 1;
}
if (!check_unexisting_module()) {
return 1;
}
return 0;
}

9
Etw Syscall/libpeconv-master/tests/test_peb_lookup.h Normal file
View File

@@ -0,0 +1,9 @@
#pragma once
#include <peconv.h>
namespace tests {
int check_modules();
}; //namespace tests

109
Etw Syscall/libpeconv-master/tests/test_replacing_func.cpp Normal file
View File

@@ -0,0 +1,109 @@
#include "test_replacing_func.h"
#include "peconv.h"
using namespace peconv;
#include <iostream>
#include <string>
#include <map>
namespace test8 {
int _stdcall my_MessageBoxA(
_In_opt_ HWND hWnd,
_In_opt_ LPCSTR lpText,
_In_opt_ LPCSTR lpCaption,
_In_ UINT uType)
{
std::cout << "TITLE: [" << lpCaption << "]" << std::endl;
std::cout << "MESSAGE: [" << lpText << "]" <<std::endl;
return 1337;
}
VOID WINAPI my_Sleep(_In_ DWORD dwMilliseconds)
{
std::cout << "Sleeping: " << dwMilliseconds << std::endl;
}
VOID WINAPI my_ExitProcess(UINT exitCode)
{
std::cout << "my_ExitProcess: " << exitCode << std::endl;
if (exitCode != 0) {
std::cout << "Failed!" << std::endl;
}
ExitProcess(exitCode);
}
__int64 __fastcall my_calc_checksum64(__int64 a1, char a2)
{
std::cout << "This is my own function" << std::endl;
return 0x1F561E6A;
}
int __cdecl my_calc_checksum32(const char *a1, char a2) //sub_402AB0
{
std::cout << "This is my own function" << std::endl;
return 0x1F561E6A;
}
};
int tests::replace_func_testcase(char *path)
{
if (path == NULL) {
std::cerr << "Supply the path to the app" << std::endl;
return -1;
}
std::cout << "Trying to load: " << path << std::endl;
size_t v_size = 0;
peconv::hooking_func_resolver my_res;
my_res.add_hook("MessageBoxA", (FARPROC) &test8::my_MessageBoxA);
my_res.add_hook("Sleep", (FARPROC) &test8::my_Sleep);
my_res.add_hook("ExitProcess", (FARPROC)&test8::my_ExitProcess);
BYTE* loaded_pe = peconv::load_pe_executable(path, v_size, (peconv::t_function_resolver*) &my_res);
if (!loaded_pe) {
return -1;
}
#ifndef _WIN64
// replace the call target (it replaces the call address at the given offset)
{
ULONGLONG checksum_call_offset = (ULONGLONG)loaded_pe + 0x2A4C;
ULONGLONG dest_addr = (ULONGLONG)&test8::my_calc_checksum32;
if (!peconv::replace_target((BYTE*)checksum_call_offset, dest_addr)) {
std::cout << "Failed replacing target!" << std::endl;
peconv::free_pe_buffer(loaded_pe, v_size);
return -1;
}
}
//if the function was not redirected to local, we can still export and use the original one:
{
ULONGLONG checksum_func_offset = (ULONGLONG)loaded_pe + 0x2AB0;
int(__cdecl *calc_checksum32)(const char *a1, BYTE a2) =
(int(__cdecl *)(const char *, BYTE)) checksum_func_offset;
DWORD checksum = calc_checksum32("my_test_password", true);
if (checksum != 0x9e5619e7) {
std::cout << "Wrong checksum" << std::endl;
peconv::free_pe_buffer(loaded_pe, v_size);
return -1;
}
}
#else
//in case of 64bit binary we cannot replace the target, so we redirect the function to local
ULONGLONG checksum_offset = (ULONGLONG)loaded_pe + 0x2B10;
peconv::redirect_to_local64((BYTE*)checksum_offset, (ULONGLONG)&test8::my_calc_checksum64);
#endif
ULONGLONG ep_exp_offset = (ULONGLONG) loaded_pe + peconv::get_entry_point_rva(loaded_pe);
void (_cdecl *ep_func)() = (void (_cdecl *)()) (ep_exp_offset);
std::cout << "Calling entry point:" <<std::endl;
ep_func();
peconv::free_pe_buffer(loaded_pe, v_size);
return 0;
}

9
Etw Syscall/libpeconv-master/tests/test_replacing_func.h Normal file
View File

@@ -0,0 +1,9 @@
#pragma once
#include "peconv.h"
namespace tests {
int replace_func_testcase(char *path);
}; //namespace tests