Huge Update

Change Capstone to Zydis, Improve JS Hooking, Improve SEH Handle x32 (x64 soon), partial support for API Forword, Auto update for LDR in PEB with every lib loaded, With more stuff i forget :D And lot of Bug fixes and improvements.
Coldzer0 · Jun 22, 2019 · 21b04df · 21b04df
1 parent 8c58e32
commit 21b04df
Show file tree

Hide file tree

Showing 97 changed files with 7,879 additions and 12,374 deletions.
diff --git a/.gitignore b/.gitignore
@@ -42,6 +42,9 @@ __recovery/
 *.bak
 
 # unwanted folders :D
+samples/VMProtect
+PEParser
+Core/Duktabe
 unicorn-engine-pascal
 CTF
 GDT

diff --git a/Build/API.js b/Build/API.js
@@ -1,4 +1,5 @@
 // this's a global format function
+
 String.prototype.format = function () {
     "use strict";
     var str = this.toString();
@@ -42,11 +43,14 @@ importScripts(
     'hooks/kernel32.js', 
     'hooks/kernel32_self.js',
     'hooks/kernel32_files.js',
+    'hooks/kernel32_desktop.js',
     'hooks/kernel32_threads.js',
     'hooks/kernek32_strings.js',
     'hooks/kernel32_processes.js',
     'hooks/user32.js',
     'hooks/advapi32.js',
+    'hooks/shell32.js',
+    'hooks/shlwapi.js',
     'hooks/urlmon.js',
     'hooks/ws2_32.js',
     'hooks/winhttp.js',
@@ -55,5 +59,14 @@ importScripts(
     'hooks/wtsapi32.js',
     'hooks/uxtheme.js',
     'hooks/ole32.js',
-    'hooks/lpk.js'
+    'hooks/lpk.js',
+    'hooks/crtdll.js',
+    'hooks/powrprof.js',
+    'hooks/gdi32.js',
+    'hooks/wininet.js'
 );
+
+// put custom scripts here :D
+importScripts('hooks/address.js');
+
+
diff --git a/Build/hooks/address.js b/Build/hooks/address.js
@@ -0,0 +1,51 @@
+
+
+// _wcmdln fix
+
+// var Path = '"C:\\pla\\' + Emu.Filename + '"'; // :D 
+// var _wcmdln_ptr = Emu.GetProcAddr(Emu.GetModuleHandle('msvcr90.dll'), '_wcmdln');
+// var po = 
+// Emu.WriteStringW(_wcmdln_ptr,Path) : Emu.WriteStringA(_wcmdln_ptr,Path);
+
+
+
+
+// var tmpx = new ApiHook();
+// tmpx.OnCallBack = function () {
+
+
+// 	info('EDI = ',Emu.ReadReg(REG_EDI).toString(16))
+// 	info('ESI = ',Emu.ReadReg(REG_ESI).toString(16))
+// 	info('Module : ',Emu.ReadStringA(Emu.ReadReg(REG_EAX)))
+
+//     return true;
+// };
+
+// tmpx.install(0x401369);
+
+// var tmpx = new ApiHook();
+// tmpx.OnCallBack = function () {
+
+// 	info('esi = ',Emu.ReadReg(REG_ESI).toString(16))
+// 	info('ecx = ',Emu.ReadReg(REG_ECX).toString(16))
+
+// 	info('Module : ',Emu.ReadStringW(Emu.ReadReg(REG_ESI)))
+
+//     return true;
+// };
+
+// tmpx.install(0x401037);
+
+
+// var tmpz = new ApiHook();
+// tmpz.OnCallBack = function () {
+
+// 	info('esi = ',Emu.ReadReg(REG_ESI).toString(16))
+
+// 	info('API : ',Emu.ReadStringA(Emu.ReadReg(REG_ESI)))
+
+//     return true;
+// };
+
+// tmpz.install(0x401068);
+
diff --git a/Build/hooks/advapi32.js b/Build/hooks/advapi32.js
@@ -267,6 +267,7 @@ RegCloseKey.OnCallBack = function (Emu, API,ret) {
 };
 RegCloseKey.install('advapi32.dll', 'RegCloseKey');
 
+RegCloseKey.install('api-ms-win-core-localregistry-l1-1-0.dll', 'RegCloseKey');
 
 /*
 ###################################################################################################
@@ -371,6 +372,10 @@ RegOpenKeyEx.OnCallBack = function (Emu, API, ret) {
 RegOpenKeyEx.install('advapi32.dll', 'RegOpenKeyExA');
 RegOpenKeyEx.install('advapi32.dll', 'RegOpenKeyExW');
 
+
+RegOpenKeyEx.install('api-ms-win-core-localregistry-l1-1-0.dll', 'RegOpenKeyExA');
+RegOpenKeyEx.install('api-ms-win-core-localregistry-l1-1-0.dll', 'RegOpenKeyExW');
+
 /*
 ###################################################################################################
 ###################################################################################################
@@ -429,6 +434,10 @@ RegQueryValueEx.OnCallBack = function (Emu, API, ret) {
 RegQueryValueEx.install('advapi32.dll', 'RegQueryValueExA');
 RegQueryValueEx.install('advapi32.dll', 'RegQueryValueExW');
 
+RegQueryValueEx.install('api-ms-win-core-localregistry-l1-1-0.dll', 'RegQueryValueExA');
+RegQueryValueEx.install('api-ms-win-core-localregistry-l1-1-0.dll', 'RegQueryValueExW');
+
+
 /*
 ###################################################################################################
 ###################################################################################################
@@ -474,17 +483,89 @@ EventRegister.install('advapi32.dll', 'EventRegister');
 */
 
 
+var GetSecurityDescriptorControl = new ApiHook();
+/*
+BOOL GetSecurityDescriptorControl(
+  PSECURITY_DESCRIPTOR         pSecurityDescriptor,
+  PSECURITY_DESCRIPTOR_CONTROL pControl,
+  LPDWORD                      lpdwRevision
+);
+*/
+GetSecurityDescriptorControl.OnCallBack = function (Emu, API, ret) {
 
+	Emu.pop(); // pop return address ..
 
+	var pSecurityDescriptor = Emu.isx64 ? Emu.ReadReg(REG_RCX) : Emu.pop();
+	var pControl  			= Emu.isx64 ? Emu.ReadReg(REG_EDX) : Emu.pop();
+	var lpdwRevision 		= Emu.isx64 ? Emu.ReadReg(REG_R8)  : Emu.pop();
 
+	log("GetSecurityDescriptorControl(0x{0}, 0x{1}, 0x{2})".format(
+		pSecurityDescriptor.toString(16),
+		pControl.toString(16),
+		lpdwRevision.toString(16)
+	));
 
+	Emu.SetReg(Emu.isx64 ? REG_RAX : REG_EAX, 1); // Returns nonzero if successful.
+	Emu.SetReg(Emu.isx64 ? REG_RIP : REG_EIP, ret);
+	return true; // we handled the Stack and other things :D .
+};
 
+GetSecurityDescriptorControl.install('advapi32.dll', 'GetSecurityDescriptorControl');
 
+/*
+###################################################################################################
+###################################################################################################
+*/
 
 
+var IsTokenRestricted = new ApiHook();
+/*
+BOOL IsTokenRestricted(
+  HANDLE TokenHandle
+);
+*/
+IsTokenRestricted.OnCallBack = function (Emu, API, ret) {
 
+	Emu.pop(); // pop return address ..
 
+	var TokenHandle = Emu.isx64 ? Emu.ReadReg(REG_RCX) : Emu.pop();
 
+	log("IsTokenRestricted(0x{0})".format(
+		TokenHandle.toString(16)
+	));
+
+	Emu.SetReg(Emu.isx64 ? REG_RAX : REG_EAX, 0);
+	Emu.SetReg(Emu.isx64 ? REG_RIP : REG_EIP, ret);
+	return true; // we handled the Stack and other things :D .
+};
+
+IsTokenRestricted.install('advapi32.dll', 'IsTokenRestricted');
+
+/*
+###################################################################################################
+###################################################################################################
+*/
+
+// advapi32.dll.CryptAcquireContextA
+
+var AdvGen = new ApiHook();
+AdvGen.OnCallBack = function (Emu, API, ret) {
+
+	return true; // we handled the Stack and other things :D .
+};
+AdvGen.OnExit = function(Emu,API){
+
+	warn("CryptAcquireContextA() = 0x", Emu.isx64 ? Emu.ReadReg(REG_RAX) : Emu.ReadReg(REG_EAX))
+}
+
+AdvGen.install('advapi32.dll', 'CryptAcquireContextA');
+AdvGen.install('cryptsp.dll' , 'CryptAcquireContextA');
+
+
+/*
+###################################################################################################
+###################################################################################################
+*/
 
 
 
diff --git a/Build/hooks/crtdll.js b/Build/hooks/crtdll.js
@@ -0,0 +1,36 @@
+// @ts-check
+/// <reference path="./ApiHook.d.ts"/>
+/// <reference path="./const.js" />
+/// <reference path="./API.d.ts"/>
+
+'use strict';
+
+
+var strcat = new ApiHook();
+
+strcat.OnCallBack = function (Emu, API, ret) {
+
+	// i think implementing this in JS is a bit hard so
+	// just let the library handle it :D 
+	info('[!] just let the library handle it :D');
+	return true;
+};
+strcat.install('crtdll.dll', 'strcat');
+
+
+/*
+###################################################################################################
+###################################################################################################
+*/
+
+
+var __GetMainArgs = new ApiHook();
+
+__GetMainArgs.OnCallBack = function (Emu, API, ret) {
+
+	// i think implementing this in JS is a bit hard so
+	// just let the library handle it :D 
+	info('[!] just let the library handle it :D');
+	return true;
+};
+__GetMainArgs.install('crtdll.dll', '__GetMainArgs');
diff --git a/Build/hooks/gdi32.js b/Build/hooks/gdi32.js
@@ -0,0 +1,63 @@
+// @ts-check
+/// <reference path="./ApiHook.d.ts"/>
+/// <reference path="./const.js" />
+/// <reference path="./API.d.ts"/>
+
+'use strict';
+
+var GetPath = new ApiHook();
+/*
+int GetPath(
+  HDC     hdc,
+  LPPOINT apt,
+  LPBYTE  aj,
+  int     cpt
+);
+*/
+GetPath.OnCallBack = function (Emu, API, ret) {
+
+	Emu.pop(); // pop return address ..
+
+	var hdc = Emu.isx64 ? Emu.ReadReg(REG_RCX) : Emu.pop();
+	var apt = Emu.isx64 ? Emu.ReadReg(REG_EDX) : Emu.pop();
+	var aj  = Emu.isx64 ? Emu.ReadReg(REG_R8)  : Emu.pop();
+	var cpt	= Emu.isx64 ? Emu.ReadReg(REG_R9)  : Emu.pop();
+
+	Emu.SetReg(REG_EAX, 1); 
+	Emu.SetReg(Emu.isx64 ? REG_RIP : REG_EIP, ret);
+	return true;
+};
+GetPath.install('gdi32.dll', 'GetPath');
+
+/*
+###################################################################################################
+###################################################################################################
+*/
+
+
+
+var SelectObject = new ApiHook();
+/*
+HGDIOBJ SelectObject(
+  HDC     hdc,
+  HGDIOBJ h
+);
+*/
+SelectObject.OnCallBack = function (Emu, API, ret) {
+
+	Emu.pop(); // pop return address ..
+
+	var hdc = Emu.isx64 ? Emu.ReadReg(REG_RCX) : Emu.pop();
+	var h 	= Emu.isx64 ? Emu.ReadReg(REG_EDX) : Emu.pop();
+
+	Emu.SetReg(REG_EAX, 0); 
+	Emu.SetReg(Emu.isx64 ? REG_RIP : REG_EIP, ret);
+	return true;
+};
+SelectObject.install('gdi32.dll', 'SelectObject');
+
+/*
+###################################################################################################
+###################################################################################################
+*/
+