diff --git a/.gitignore b/.gitignore
index 1b444a0..7e38390 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,6 +45,7 @@ __recovery/
 samples/VMProtect
 PEParser
 Core/Duktabe
+Core/QJS
 unicorn-engine-pascal
 CTF
 GDT
diff --git a/Build/Apiset.json b/Build/Apiset.json
new file mode 100644
index 0000000..113175c
--- /dev/null
+++ b/Build/Apiset.json
@@ -0,0 +1,843 @@ +{"WIN7_APIS":[ +{name:"MS-Win-Core-Console-L1-1-0", count:1, red: {L:"",F:"kernel32.dll"}}, +{name:"MS-Win-Core-DateTime-L1-1-0", count:1, red: {L:"",F:"kernel32.dll"}}, +{name:"MS-Win-Core-Debug-L1-1-0", count:1, red: {L:"",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-DelayLoad-L1-1-0", count:1, red: {L:"",F:"kernel32.dll"}}, +{name:"MS-Win-Core-ErrorHandling-L1-1-0", count:2, red: {L:"kernel32.dll",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-Fibers-L1-1-0", count:1, red: {L:"",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-File-L1-1-0", count:2, red: {L:"kernel32.dll",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-Handle-L1-1-0", count:2, red: {L:"kernel32.dll",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-Heap-L1-1-0", count:1, red: {L:"",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-Interlocked-L1-1-0", count:1, red: {L:"",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-IO-L1-1-0", count:2, red: {L:"kernel32.dll",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-LibraryLoader-L1-1-0", count:1, red: {L:"",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-Localization-L1-1-0", count:1, red: {L:"",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-LocalRegistry-L1-1-0", count:1, red: {L:"",F:"kernel32.dll"}}, +{name:"MS-Win-Core-Memory-L1-1-0", count:1, red: {L:"",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-Misc-L1-1-0", count:1, red: {L:"",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-NamedPipe-L1-1-0", count:1, red: {L:"",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-ProcessEnvironment-L1-1-0", count:1, red: {L:"",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-ProcessThreads-L1-1-0", count:2, red: {L:"kernel32.dll",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-Profile-L1-1-0", count:1, red: {L:"",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-RtlSupport-L1-1-0", count:1, red: {L:"",F:"ntdll.dll"}}, +{name:"MS-Win-Core-String-L1-1-0", count:1, red: {L:"",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-Synch-L1-1-0", count:2, red: {L:"kernel32.dll",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-SysInfo-L1-1-0", count:1, red: 
{L:"",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-ThreadPool-L1-1-0", count:1, red: {L:"",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-UMS-L1-1-0", count:1, red: {L:"",F:"kernel32.dll"}}, +{name:"MS-Win-Core-Util-L1-1-0", count:2, red: {L:"kernel32.dll",F:"kernelbase.dll"}}, +{name:"MS-Win-Core-XState-L1-1-0", count:1, red: {L:"",F:"ntdll.dll"}}, +{name:"MS-Win-Security-Base-L1-1-0", count:1, red: {L:"",F:"kernelbase.dll"}}, +{name:"MS-Win-Security-LSALookup-L1-1-0", count:1, red: {L:"",F:"sechost.dll"}}, +{name:"MS-Win-Security-SDDL-L1-1-0", count:1, red: {L:"",F:"sechost.dll"}}, +{name:"MS-Win-Service-Core-L1-1-0", count:1, red: {L:"",F:"sechost.dll"}}, +{name:"MS-Win-Service-Management-L1-1-0", count:1, red: {L:"",F:"sechost.dll"}}, +{name:"MS-Win-Service-Management-L2-1-0", count:1, red: {L:"",F:"sechost.dll"}}, +{name:"MS-Win-Service-winsvc-L1-1-0", count:1, red: {L:"",F:"sechost.dll"}}, +],"WIN10_APIS":[{name:"api-ms-onecoreuap-print-render-l1-1-0", count:1, red: ["printrenderapihost.dll"]}, +{name:"api-ms-onecoreuap-settingsync-status-l1-1-0", count:1, red: ["settingsynccore.dll"]}, +{name:"api-ms-win-appmodel-identity-l1-2-0", count:1, red: ["kernel.appcore.dll"]}, +{name:"api-ms-win-appmodel-runtime-internal-l1-1-5", count:1, red: ["kernel.appcore.dll"]}, +{name:"api-ms-win-appmodel-runtime-l1-1-2", count:1, red: ["kernel.appcore.dll"]}, +{name:"api-ms-win-appmodel-state-l1-1-2", count:1, red: ["kernel.appcore.dll"]}, +{name:"api-ms-win-appmodel-state-l1-2-0", count:1, red: ["kernel.appcore.dll"]}, +{name:"api-ms-win-appmodel-unlock-l1-1-0", count:1, red: ["kernel.appcore.dll"]}, +{name:"api-ms-win-base-bootconfig-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-base-util-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-composition-redirection-l1-1-0", count:1, red: ["dwmredir.dll"]}, +{name:"api-ms-win-composition-windowmanager-l1-1-0", count:1, red: ["udwm.dll"]}, +{name:"api-ms-win-core-apiquery-l1-1-0", count:1, red: ["ntdll.dll"]}, 
+{name:"api-ms-win-core-appcompat-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-appinit-l1-1-0", count:2, red: ["kernel32.dll", "kernelbase.dll"],"alias":"kernel32.dll"}, +{name:"api-ms-win-core-atoms-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-backgroundtask-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-bicltapi-l1-1-5", count:1, red: ["bi.dll"]}, +{name:"api-ms-win-core-biplmapi-l1-1-5", count:1, red: ["twinapi.appcore.dll"]}, +{name:"api-ms-win-core-biptcltapi-l1-1-6", count:1, red: ["twinapi.appcore.dll"]}, +{name:"api-ms-win-core-calendar-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-com-l1-1-2", count:1, red: ["combase.dll"]}, +{name:"api-ms-win-core-com-l2-1-1", count:1, red: ["coml2.dll"]}, +{name:"api-ms-win-core-com-midlproxystub-l1-1-0", count:1, red: ["combase.dll"]}, +{name:"api-ms-win-core-com-private-l1-1-1", count:1, red: ["combase.dll"]}, +{name:"api-ms-win-core-com-private-l1-2-0", count:1, red: ["combase.dll"]}, +{name:"api-ms-win-core-comm-l1-1-2", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-console-ansi-l2-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-console-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-console-l1-2-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-console-l2-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-console-l2-2-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-console-l3-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-console-l3-2-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-crt-l1-1-0", count:1, red: ["ntdll.dll"]}, +{name:"api-ms-win-core-crt-l2-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-datetime-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-datetime-l1-1-2", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-debug-l1-1-0", count:1, red: 
["kernelbase.dll"]}, +{name:"api-ms-win-core-debug-l1-1-2", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-debug-minidump-l1-1-0", count:1, red: ["dbgcore.dll"]}, +{name:"api-ms-win-core-delayload-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-delayload-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-enclave-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-errorhandling-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-errorhandling-l1-1-3", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-featurestaging-l1-1-1", count:1, red: ["shcore.dll"]}, +{name:"api-ms-win-core-fibers-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-fibers-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-fibers-l2-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-file-ansi-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-file-ansi-l2-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-file-fromapp-l1-1-0", count:1, red: ["windows.storage.onecore.dll"]}, +{name:"api-ms-win-core-file-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-file-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-file-l1-2-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-file-l1-2-2", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-file-l2-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-file-l2-1-3", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-firmware-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-guard-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-handle-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-heap-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-heap-l1-2-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-heap-l2-1-0", count:1, red: ["kernelbase.dll"]}, 
+{name:"api-ms-win-core-heap-obsolete-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-interlocked-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-interlocked-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-interlocked-l1-2-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-io-l1-1-0", count:2, red: ["kernel32.dll", "kernelbase.dll"],"alias":"kernel32.dll"}, +{name:"api-ms-win-core-io-l1-1-1", count:2, red: ["kernel32.dll", "kernelbase.dll"],"alias":"kernel32.dll"}, +{name:"api-ms-win-core-job-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-job-l2-1-1", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-kernel32-legacy-ansi-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-kernel32-legacy-l1-1-6", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-kernel32-private-l1-1-2", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-largeinteger-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-libraryloader-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-libraryloader-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-libraryloader-l1-2-2", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-libraryloader-l2-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-libraryloader-private-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-localization-ansi-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-localization-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-localization-l1-2-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-localization-l1-2-3", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-localization-l2-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-localization-obsolete-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-localization-obsolete-l1-2-0", count:1, red: 
["kernelbase.dll"]}, +{name:"api-ms-win-core-localization-obsolete-l1-3-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-localization-private-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-localregistry-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-marshal-l1-1-0", count:1, red: ["combase.dll"]}, +{name:"api-ms-win-core-memory-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-memory-l1-1-6", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-misc-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-multipleproviderrouter-l1-1-0", count:1, red: ["mpr.dll"]}, +{name:"api-ms-win-core-namedpipe-ansi-l1-1-1", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-namedpipe-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-namedpipe-l1-2-2", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-namespace-ansi-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-namespace-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-normalization-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-path-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-pcw-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-perfcounters-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-perfcounters-l1-2-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-perfstm-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-privateprofile-l1-1-1", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-processenvironment-ansi-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-processenvironment-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-processenvironment-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-processenvironment-l1-2-0", count:1, red: ["kernelbase.dll"]}, 
+{name:"api-ms-win-core-processsecurity-l1-1-0", count:2, red: ["kernel32.dll", "kernelbase.dll"],"alias":"kernel32.dll"}, +{name:"api-ms-win-core-processsnapshot-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-processthreads-l1-1-0", count:2, red: ["kernel32.dll", "kernelbase.dll"],"alias":"kernel32.dll"}, +{name:"api-ms-win-core-processthreads-l1-1-1", count:2, red: ["kernel32.dll", "kernelbase.dll"],"alias":"kernel32.dll"}, +{name:"api-ms-win-core-processthreads-l1-1-3", count:2, red: ["kernel32.dll", "kernelbase.dll"],"alias":"kernel32.dll"}, +{name:"api-ms-win-core-processtopology-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-processtopology-l1-2-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-processtopology-obsolete-l1-1-1", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-processtopology-private-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-profile-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-psapi-ansi-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-psapi-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-psapi-obsolete-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-psapiansi-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-psm-app-l1-1-0", count:1, red: ["twinapi.appcore.dll"]}, +{name:"api-ms-win-core-psm-appnotify-l1-1-0", count:1, red: ["twinapi.appcore.dll"]}, +{name:"api-ms-win-core-psm-info-l1-1-1", count:1, red: ["appsruprov.dll"]}, +{name:"api-ms-win-core-psm-key-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-psm-plm-l1-1-3", count:1, red: ["twinapi.appcore.dll"]}, +{name:"api-ms-win-core-psm-plm-l1-2-0", count:1, red: ["twinapi.appcore.dll"]}, +{name:"api-ms-win-core-psm-rtimer-l1-1-1", count:1, red: ["twinapi.appcore.dll"]}, +{name:"api-ms-win-core-psm-tc-l1-1-1", count:1, red: ["twinapi.appcore.dll"]}, 
+{name:"api-ms-win-core-quirks-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-realtime-l1-1-2", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-registry-fromapp-l1-1-0", count:1, red: ["reguwpapi.dll"]}, +{name:"api-ms-win-core-registry-l1-1-2", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-registry-l2-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-core-registry-l2-2-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-core-registry-l2-3-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-core-registry-private-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-core-registryuserspecific-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-rtlsupport-l1-1-0", count:1, red: ["ntdll.dll"]}, +{name:"api-ms-win-core-rtlsupport-l1-1-1", count:1, red: ["ntdll.dll"]}, +{name:"api-ms-win-core-rtlsupport-l1-2-0", count:1, red: ["ntdll.dll"]}, +{name:"api-ms-win-core-shlwapi-legacy-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-shlwapi-obsolete-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-shlwapi-obsolete-l1-2-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-shutdown-ansi-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-core-shutdown-l1-1-1", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-core-sidebyside-ansi-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-sidebyside-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-slapi-l1-1-0", count:1, red: ["clipc.dll"]}, +{name:"api-ms-win-core-string-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-string-l2-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-string-obsolete-l1-1-1", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-stringansi-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-stringloader-l1-1-1", count:1, red: ["kernelbase.dll"]}, 
+{name:"api-ms-win-core-synch-ansi-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-synch-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-synch-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-synch-l1-2-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-synch-l1-2-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-sysinfo-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-sysinfo-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-sysinfo-l1-2-4", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-sysinfo-l2-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-core-systemtopology-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-textinput-client-l1-1-0", count:1, red: ["textinputframework.dll"]}, +{name:"api-ms-win-core-threadpool-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-threadpool-l1-2-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-threadpool-legacy-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-threadpool-private-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-timezone-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-timezone-private-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-toolhelp-l1-1-1", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-ums-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-core-url-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-util-l1-1-0", count:2, red: ["kernel32.dll", "kernelbase.dll"],"alias":"kernel32.dll"}, +{name:"api-ms-win-core-util-l1-1-1", count:2, red: ["kernel32.dll", "kernelbase.dll"],"alias":"kernel32.dll"}, +{name:"api-ms-win-core-version-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-version-private-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-versionansi-l1-1-1", count:1, 
red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-windowsceip-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-windowserrorreporting-l1-1-2", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-winrt-error-l1-1-1", count:1, red: ["combase.dll"]}, +{name:"api-ms-win-core-winrt-errorprivate-l1-1-1", count:1, red: ["combase.dll"]}, +{name:"api-ms-win-core-winrt-l1-1-0", count:1, red: ["combase.dll"]}, +{name:"api-ms-win-core-winrt-propertysetprivate-l1-1-1", count:1, red: ["wintypes.dll"]}, +{name:"api-ms-win-core-winrt-registration-l1-1-0", count:1, red: ["combase.dll"]}, +{name:"api-ms-win-core-winrt-robuffer-l1-1-0", count:1, red: ["wintypes.dll"]}, +{name:"api-ms-win-core-winrt-roparameterizediid-l1-1-0", count:1, red: ["combase.dll"]}, +{name:"api-ms-win-core-winrt-string-l1-1-1", count:1, red: ["combase.dll"]}, +{name:"api-ms-win-core-wow64-l1-1-2", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-core-xstate-l1-1-2", count:1, red: ["ntdll.dll"]}, +{name:"api-ms-win-core-xstate-l2-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-coremessaging-host-l1-1-0", count:1, red: [""]}, +{name:"api-ms-win-coreui-secruntime-l1-1-0", count:1, red: [""]}, +{name:"api-ms-win-crt-conio-l1-1-0", count:1, red: ["ucrtbase.dll"]}, +{name:"api-ms-win-crt-convert-l1-1-0", count:1, red: ["ucrtbase.dll"]}, +{name:"api-ms-win-crt-environment-l1-1-0", count:1, red: ["ucrtbase.dll"]}, +{name:"api-ms-win-crt-filesystem-l1-1-0", count:1, red: ["ucrtbase.dll"]}, +{name:"api-ms-win-crt-heap-l1-1-0", count:1, red: ["ucrtbase.dll"]}, +{name:"api-ms-win-crt-locale-l1-1-0", count:1, red: ["ucrtbase.dll"]}, +{name:"api-ms-win-crt-math-l1-1-0", count:1, red: ["ucrtbase.dll"]}, +{name:"api-ms-win-crt-multibyte-l1-1-0", count:1, red: ["ucrtbase.dll"]}, +{name:"api-ms-win-crt-private-l1-1-0", count:1, red: ["ucrtbase.dll"]}, +{name:"api-ms-win-crt-process-l1-1-0", count:1, red: ["ucrtbase.dll"]}, +{name:"api-ms-win-crt-runtime-l1-1-0", count:1, red: 
["ucrtbase.dll"]}, +{name:"api-ms-win-crt-stdio-l1-1-0", count:1, red: ["ucrtbase.dll"]}, +{name:"api-ms-win-crt-string-l1-1-0", count:1, red: ["ucrtbase.dll"]}, +{name:"api-ms-win-crt-time-l1-1-0", count:1, red: ["ucrtbase.dll"]}, +{name:"api-ms-win-crt-utility-l1-1-0", count:1, red: ["ucrtbase.dll"]}, +{name:"api-ms-win-deprecated-apis-advapi-l1-1-0", count:1, red: [""]}, +{name:"api-ms-win-deprecated-apis-legacy-l1-1-0", count:1, red: [""]}, +{name:"api-ms-win-deprecated-apis-legacy-l1-2-0", count:1, red: [""]}, +{name:"api-ms-win-deprecated-apis-obsolete-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-devices-config-l1-1-2", count:1, red: ["cfgmgr32.dll"]}, +{name:"api-ms-win-devices-query-l1-1-1", count:1, red: ["cfgmgr32.dll"]}, +{name:"api-ms-win-devices-swdevice-l1-1-1", count:1, red: ["cfgmgr32.dll"]}, +{name:"api-ms-win-downlevel-advapi32-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-downlevel-advapi32-l2-1-1", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-downlevel-advapi32-l3-1-0", count:1, red: ["ntmarta.dll"]}, +{name:"api-ms-win-downlevel-advapi32-l4-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-downlevel-kernel32-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-downlevel-kernel32-l2-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-downlevel-normaliz-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-downlevel-ole32-l1-1-1", count:1, red: ["combase.dll"]}, +{name:"api-ms-win-downlevel-shell32-l1-1-0", count:1, red: ["shcore.dll"]}, +{name:"api-ms-win-downlevel-shlwapi-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-downlevel-shlwapi-l2-1-1", count:1, red: ["shcore.dll"]}, +{name:"api-ms-win-downlevel-user32-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-downlevel-version-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-dwmapi-l1-1-0", count:1, red: ["dwmapi.dll"]}, +{name:"api-ms-win-dx-d3dkmt-l1-1-4", count:1, red: 
["gdi32.dll"]}, +{name:"api-ms-win-eventing-classicprovider-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-eventing-consumer-l1-1-1", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-eventing-controller-l1-1-0", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-eventing-legacy-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-eventing-obsolete-l1-1-0", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-eventing-provider-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-eventing-tdh-l1-1-0", count:2, red: ["tdh.dll", "mintdh.dll"],"alias":"tdh.dll"}, +{name:"api-ms-win-eventlog-legacy-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-eventlog-private-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-gaming-deviceinformation-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-gaming-expandedresources-l1-1-0", count:1, red: ["gamemode.dll"]}, +{name:"api-ms-win-gaming-gamemonitor-l1-1-1", count:1, red: ["gamemonitor.dll"]}, +{name:"api-ms-win-gaming-tcui-l1-1-4", count:1, red: ["gamingtcui.dll"]}, +{name:"api-ms-win-gdi-dpiinfo-l1-1-0", count:1, red: ["gdi32.dll"]}, +{name:"api-ms-win-gdi-internal-uap-l1-1-0", count:1, red: ["gdi32full.dll"]}, +{name:"api-ms-win-http-time-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-input-ie-interactioncontext-l1-1-0", count:1, red: [""]}, +{name:"api-ms-win-legacy-shlwapi-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-mm-joystick-l1-1-0", count:1, red: ["winmmbase.dll"]}, +{name:"api-ms-win-mm-mci-l1-1-0", count:1, red: ["winmm.dll"]}, +{name:"api-ms-win-mm-misc-l1-1-1", count:1, red: ["winmmbase.dll"]}, +{name:"api-ms-win-mm-misc-l2-1-0", count:1, red: ["winmm.dll"]}, +{name:"api-ms-win-mm-mme-l1-1-0", count:1, red: ["winmmbase.dll"]}, +{name:"api-ms-win-mm-playsound-l1-1-0", count:1, red: ["winmm.dll"]}, +{name:"api-ms-win-mm-time-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-net-isolation-l1-1-1", count:1, 
red: ["firewallapi.dll"]}, +{name:"api-ms-win-networking-interfacecontexts-l1-1-0", count:1, red: ["ondemandconnroutehelper.dll"]}, +{name:"api-ms-win-ngc-serialization-l1-1-0", count:1, red: ["ngckeyenum.dll"]}, +{name:"api-ms-win-ntuser-ie-message-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"api-ms-win-ntuser-ie-window-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"api-ms-win-ntuser-ie-wmpointer-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"api-ms-win-ntuser-rectangle-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"api-ms-win-ntuser-sysparams-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"api-ms-win-obsolete-localization-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-obsolete-psapi-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-obsolete-shlwapi-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-ole32-ie-l1-1-0", count:1, red: ["ole32.dll"]}, +{name:"api-ms-win-oobe-notification-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"api-ms-win-perf-legacy-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-power-base-l1-1-0", count:1, red: ["powrprof.dll"]}, +{name:"api-ms-win-power-limitsmanagement-l1-1-0", count:1, red: ["powrprof.dll"]}, +{name:"api-ms-win-power-setting-l1-1-0", count:1, red: ["powrprof.dll"]}, +{name:"api-ms-win-ro-typeresolution-l1-1-0", count:1, red: ["wintypes.dll"]}, +{name:"api-ms-win-rtcore-minuser-private-l1-1-1", count:1, red: [""]}, +{name:"api-ms-win-rtcore-navigation-l1-1-0", count:1, red: [""]}, +{name:"api-ms-win-rtcore-ntuser-clipboard-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"api-ms-win-rtcore-ntuser-draw-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"api-ms-win-rtcore-ntuser-powermanagement-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"api-ms-win-rtcore-ntuser-private-l1-1-6", count:1, red: ["user32.dll"]}, +{name:"api-ms-win-rtcore-ntuser-shell-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"api-ms-win-rtcore-ntuser-synch-l1-1-0", count:1, red: ["user32.dll"]}, 
+{name:"api-ms-win-rtcore-ntuser-window-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"api-ms-win-rtcore-ntuser-winevent-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"api-ms-win-rtcore-ntuser-wmpointer-l1-1-3", count:1, red: ["user32.dll"]}, +{name:"api-ms-win-rtcore-ole32-clipboard-l1-1-1", count:1, red: ["ole32.dll"]}, +{name:"api-ms-win-rtcore-session-l1-1-1", count:1, red: [""]}, +{name:"api-ms-win-rtcore-session-l1-2-0", count:1, red: [""]}, +{name:"api-ms-win-security-accesshlpr-l1-1-0", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-security-activedirectoryclient-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-security-appcontainer-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-security-audit-l1-1-1", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-security-base-ansi-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-security-base-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-security-base-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-security-base-l1-2-2", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-security-base-private-l1-1-1", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-security-capability-l1-1-1", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-security-cpwl-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-security-credentials-l1-1-0", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-security-credentials-l2-1-0", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-security-cryptoapi-l1-1-0", count:1, red: ["cryptsp.dll"]}, +{name:"api-ms-win-security-grouppolicy-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-security-isolatedcontainer-l1-1-0", count:1, red: ["shcore.dll"]}, +{name:"api-ms-win-security-logon-l1-1-1", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-security-lsalookup-ansi-l2-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-security-lsalookup-l1-1-0", count:1, red: ["sechost.dll"]}, 
+{name:"api-ms-win-security-lsalookup-l1-1-2", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-security-lsalookup-l2-1-1", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-security-lsapolicy-l1-1-1", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-security-provider-ansi-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-security-provider-l1-1-0", count:1, red: ["ntmarta.dll"]}, +{name:"api-ms-win-security-sddl-ansi-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-security-sddl-l1-1-0", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-security-sddl-private-l1-1-0", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-security-sddlparsecond-l1-1-0", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-security-systemfunctions-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-security-trustee-l1-1-2", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-service-core-ansi-l1-1-1", count:1, red: ["advapi32.dll"]}, +{name:"api-ms-win-service-core-l1-1-0", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-service-core-l1-1-3", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-service-management-l1-1-0", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-service-management-l2-1-0", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-service-private-l1-1-5", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-service-winsvc-l1-1-0", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-service-winsvc-l1-2-0", count:1, red: ["sechost.dll"]}, +{name:"api-ms-win-shcore-comhelpers-l1-1-0", count:1, red: ["shcore.dll"]}, +{name:"api-ms-win-shcore-obsolete-l1-1-0", count:1, red: ["shcore.dll"]}, +{name:"api-ms-win-shcore-path-l1-1-0", count:1, red: ["shcore.dll"]}, +{name:"api-ms-win-shcore-registry-l1-1-1", count:1, red: ["shcore.dll"]}, +{name:"api-ms-win-shcore-scaling-l1-1-2", count:1, red: ["shcore.dll"]}, +{name:"api-ms-win-shcore-stream-l1-1-0", count:1, red: ["shcore.dll"]}, +{name:"api-ms-win-shcore-stream-winrt-l1-1-0", count:1, red: 
["shcore.dll"]}, +{name:"api-ms-win-shcore-sysinfo-l1-1-0", count:1, red: ["shcore.dll"]}, +{name:"api-ms-win-shcore-thread-l1-1-0", count:1, red: ["shcore.dll"]}, +{name:"api-ms-win-shcore-unicodeansi-l1-1-0", count:1, red: ["shcore.dll"]}, +{name:"api-ms-win-shell-associations-l1-1-1", count:1, red: ["windows.storage.dll"]}, +{name:"api-ms-win-shell-changenotify-l1-1-0", count:1, red: ["windows.storage.dll"]}, +{name:"api-ms-win-shell-dataobject-l1-1-0", count:1, red: ["windows.storage.dll"]}, +{name:"api-ms-win-shell-namespace-l1-1-0", count:1, red: ["windows.storage.dll"]}, +{name:"api-ms-win-shell-shdirectory-l1-1-0", count:1, red: ["shcore.dll"]}, +{name:"api-ms-win-shell-shellcom-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-shell-shellfolders-l1-1-0", count:1, red: ["windows.storage.dll"]}, +{name:"api-ms-win-shlwapi-ie-l1-1-0", count:1, red: ["shlwapi.dll"]}, +{name:"api-ms-win-shlwapi-winrt-storage-l1-1-1", count:1, red: ["shlwapi.dll"]}, +{name:"api-ms-win-stateseparation-helpers-l1-1-0", count:1, red: ["kernelbase.dll"]}, +{name:"api-ms-win-storage-exports-external-l1-1-0", count:1, red: ["windows.storage.dll"]}, +{name:"api-ms-win-storage-exports-internal-l1-1-0", count:1, red: ["windows.storage.dll"]}, +{name:"api-ms-win-winrt-search-folder-l1-1-0", count:1, red: ["windows.storage.search.dll"]}, +{name:"api-ms-win-wsl-api-l1-1-0", count:1, red: ["wslapi.dll"]}, +{name:"ext-ms-mf-pal-l2-1-0", count:1, red: [""]}, +{name:"ext-ms-net-eap-sim-l1-1-0", count:1, red: ["eapsimextdesktop.dll"]}, +{name:"ext-ms-net-vpn-soh-l1-1-0", count:1, red: ["vpnsohdesktop.dll"]}, +{name:"ext-ms-onecore-appchromeapi-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-onecore-appdefaults-l1-1-0", count:1, red: ["windows.storage.dll"]}, +{name:"ext-ms-onecore-appmodel-emclient-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-onecore-appmodel-emsvcs-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-onecore-appmodel-pacmanclient-l1-1-0", count:1, red: [""]}, 
+{name:"ext-ms-onecore-appmodel-plm-l1-1-1", count:1, red: ["execmodelclient.dll"]}, +{name:"ext-ms-onecore-appmodel-staterepository-cache-l1-1-0", count:1, red: ["windows.staterepositorycore.dll"]}, +{name:"ext-ms-onecore-appmodel-staterepository-internal-l1-1-1", count:1, red: ["windows.staterepositoryclient.dll"]}, +{name:"ext-ms-onecore-appmodel-tdlmigration-l1-1-1", count:1, red: ["tdlmigration.dll"]}, +{name:"ext-ms-onecore-comp-dwmmonitor-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-onecore-dcomp-l1-1-0", count:1, red: ["dcomp.dll"]}, +{name:"ext-ms-onecore-defaultdiscovery-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-onecore-hcap-svf-l1-1-0", count:1, red: ["svf.dll"]}, +{name:"ext-ms-onecore-hlink-l1-1-0", count:1, red: ["hlink.dll"]}, +{name:"ext-ms-onecore-hnetcfg-l1-1-0", count:1, red: ["hnetcfgclient.dll"]}, +{name:"ext-ms-onecore-ipnathlp-l1-1-0", count:1, red: ["ipnathlpclient.dll"]}, +{name:"ext-ms-onecore-mpc-input-l1-1-0", count:1, red: ["hologramcompositor.dll"]}, +{name:"ext-ms-onecore-orientation-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-onecore-shellchromeapi-l1-1-2", count:1, red: [""]}, +{name:"ext-ms-onecore-shellremindersapi-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-onecore-shlwapi-l1-1-0", count:1, red: ["shlwapi.dll"]}, +{name:"ext-ms-onecore-spectrumsyncclient-l1-1-0", count:1, red: ["spectrumsyncclient.dll"]}, +{name:"ext-ms-win-adsi-activeds-l1-1-0", count:1, red: ["activeds.dll"]}, +{name:"ext-ms-win-advapi32-auth-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"ext-ms-win-advapi32-encryptedfile-l1-1-1", count:1, red: ["advapi32.dll"]}, +{name:"ext-ms-win-advapi32-eventlog-ansi-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"ext-ms-win-advapi32-eventlog-l1-1-1", count:1, red: ["advapi32.dll"]}, +{name:"ext-ms-win-advapi32-hwprof-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"ext-ms-win-advapi32-idletask-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"ext-ms-win-advapi32-lsa-l1-1-2", count:1, red: ["advapi32.dll"]}, 
+{name:"ext-ms-win-advapi32-msi-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"ext-ms-win-advapi32-npusername-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"ext-ms-win-advapi32-ntmarta-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"ext-ms-win-advapi32-psm-app-l1-1-0", count:1, red: ["twinapi.appcore.dll"]}, +{name:"ext-ms-win-advapi32-registry-l1-1-1", count:1, red: ["advapi32.dll"]}, +{name:"ext-ms-win-advapi32-safer-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"ext-ms-win-advapi32-shutdown-l1-1-0", count:1, red: ["advapi32.dll"]}, +{name:"ext-ms-win-appcompat-aepic-l1-1-0", count:1, red: ["aepic.dll"]}, +{name:"ext-ms-win-appcompat-apphelp-l1-1-1", count:1, red: ["apphelp.dll"]}, +{name:"ext-ms-win-appcompat-pcacli-l1-1-0", count:1, red: ["pcacli.dll"]}, +{name:"ext-ms-win-appmodel-activation-l1-1-0", count:1, red: ["activationmanager.dll"]}, +{name:"ext-ms-win-appmodel-appcontainerpath-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-appmodel-appexecutionalias-l1-1-1", count:1, red: ["apisethost.appexecutionalias.dll"]}, +{name:"ext-ms-win-appmodel-datasharingservice-extensions-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-appmodel-daxcore-l1-1-2", count:1, red: ["daxexec.dll"]}, +{name:"ext-ms-win-appmodel-deployment-l1-1-1", count:1, red: [""]}, +{name:"ext-ms-win-appmodel-deploymentvolumes-l1-1-1", count:1, red: [""]}, +{name:"ext-ms-win-appmodel-opc-l1-1-0", count:1, red: ["opcservices.dll"]}, +{name:"ext-ms-win-appmodel-restrictedappcontainer-internal-l1-1-0", count:1, red: ["kernel.appcore.dll"]}, +{name:"ext-ms-win-appmodel-state-ext-l1-2-0", count:1, red: ["kernel.appcore.dll"]}, +{name:"ext-ms-win-appmodel-usercontext-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-appmodel-viewscalefactor-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-appxdeploymentclient-appxdeploy-l1-1-0", count:1, red: ["appxdeploymentclient.dll"]}, +{name:"ext-ms-win-appxdeploymentclient-appxdeployonecore-l1-1-0", count:1, red: ["appxdeploymentclient.dll"]}, 
+{name:"ext-ms-win-audiocore-coreaudiopolicymanager-l1-1-0", count:1, red: ["coreaudiopolicymanagerext.dll"]}, +{name:"ext-ms-win-audiocore-pal-l1-2-0", count:1, red: [""]}, +{name:"ext-ms-win-audiocore-policymanager-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-audiocore-spatial-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-authz-claimpolicies-l1-1-0", count:1, red: ["authz.dll"]}, +{name:"ext-ms-win-authz-context-l1-1-0", count:1, red: ["authz.dll"]}, +{name:"ext-ms-win-authz-remote-l1-1-0", count:1, red: ["logoncli.dll"]}, +{name:"ext-ms-win-base-psapi-l1-1-0", count:1, red: ["psapi.dll"]}, +{name:"ext-ms-win-base-rstrtmgr-l1-1-0", count:1, red: ["rstrtmgr.dll"]}, +{name:"ext-ms-win-biometrics-winbio-core-l1-1-3", count:1, red: ["winbio.dll"]}, +{name:"ext-ms-win-biometrics-winbio-l1-1-0", count:1, red: ["winbio.dll"]}, +{name:"ext-ms-win-biometrics-winbio-l1-2-0", count:1, red: ["winbioext.dll"]}, +{name:"ext-ms-win-biometrics-winbio-l1-3-0", count:1, red: ["winbioext.dll"]}, +{name:"ext-ms-win-bluetooth-apis-l1-1-0", count:1, red: ["bluetoothapis.dll"]}, +{name:"ext-ms-win-bluetooth-apis-private-l1-1-0", count:1, red: ["bluetoothapis.dll"]}, +{name:"ext-ms-win-branding-winbrand-l1-1-2", count:1, red: ["winbrand.dll"]}, +{name:"ext-ms-win-branding-winbrand-l1-2-0", count:1, red: ["winbrand.dll"]}, +{name:"ext-ms-win-casting-device-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-casting-lockscreen-l1-1-0", count:1, red: ["castingshellext.dll"]}, +{name:"ext-ms-win-casting-receiver-l1-1-1", count:1, red: [""]}, +{name:"ext-ms-win-casting-shell-l1-1-0", count:1, red: ["castingshellext.dll"]}, +{name:"ext-ms-win-ci-xbox-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-cloudap-tbal-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-clouddomainjoin-usermanagement-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-cluster-clusapi-l1-1-3", count:1, red: ["clusapi.dll"]}, +{name:"ext-ms-win-cluster-resutils-l1-1-1", count:1, red: ["resutils.dll"]}, 
+{name:"ext-ms-win-cmd-util-l1-1-0", count:1, red: ["cmdext.dll"]}, +{name:"ext-ms-win-cng-rng-l1-1-1", count:1, red: ["bcryptprimitives.dll"]}, +{name:"ext-ms-win-com-clbcatq-l1-1-0", count:1, red: ["clbcatq.dll"]}, +{name:"ext-ms-win-com-coml2-l1-1-1", count:1, red: ["coml2.dll"]}, +{name:"ext-ms-win-com-ole32-l1-1-5", count:1, red: ["ole32.dll"]}, +{name:"ext-ms-win-com-psmregister-l1-1-0", count:1, red: ["kernel.appcore.dll"]}, +{name:"ext-ms-win-com-psmregister-l1-2-2", count:1, red: ["kernel.appcore.dll"]}, +{name:"ext-ms-win-com-psmregister-l1-3-0", count:1, red: ["kernel.appcore.dll"]}, +{name:"ext-ms-win-com-suspendresiliency-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-composition-ghost-l1-1-0", count:1, red: ["dwmghost.dll"]}, +{name:"ext-ms-win-composition-holographic-l1-1-0", count:1, red: ["hologramcompositor.dll"]}, +{name:"ext-ms-win-composition-init-l1-1-0", count:1, red: ["dwminit.dll"]}, +{name:"ext-ms-win-compositor-hosting-l1-1-1", count:1, red: ["ism.dll"]}, +{name:"ext-ms-win-compositor-hosting-l1-2-0", count:1, red: ["ism.dll"]}, +{name:"ext-ms-win-core-app-package-registration-l1-1-1", count:1, red: [""]}, +{name:"ext-ms-win-core-app-package-volume-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-core-dhcp6client-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-core-iuri-l1-1-0", count:1, red: ["urlmon.dll"]}, +{name:"ext-ms-win-core-licensemanager-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-core-psm-extendedresourcemode-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-core-psm-service-l1-1-4", count:1, red: ["psmserviceexthost.dll"]}, +{name:"ext-ms-win-core-resourcemanager-l1-1-0", count:1, red: ["rmclient.dll"]}, +{name:"ext-ms-win-core-resourcemanager-l1-2-1", count:1, red: ["rmclient.dll"]}, +{name:"ext-ms-win-core-resourcepolicy-l1-1-2", count:1, red: ["resourcepolicyclient.dll"]}, +{name:"ext-ms-win-core-resourcepolicyserver-l1-1-1", count:1, red: ["resourcepolicyserver.dll"]}, 
+{name:"ext-ms-win-core-stateseparationext-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-core-storelicensing-l1-1-0", count:1, red: ["licensemanagerapi.dll"]}, +{name:"ext-ms-win-core-storelicensing-l1-2-0", count:1, red: ["licensemanagerapi.dll"]}, +{name:"ext-ms-win-core-winrt-remote-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-core-winsrv-l1-1-0", count:1, red: ["winsrvext.dll"]}, +{name:"ext-ms-win-core-xbrm-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-coreui-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-coreui-navshutdown-l1-1-0", count:1, red: ["navshutdown.dll"]}, +{name:"ext-ms-win-crypto-xbox-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-deployment-productenumerator-l1-1-0", count:1, red: ["productenumerator.dll"]}, +{name:"ext-ms-win-desktopappx-l1-1-3", count:1, red: ["daxexec.dll"]}, +{name:"ext-ms-win-devmgmt-dm-l1-1-1", count:1, red: ["dmapisetextimpldesktop.dll"]}, +{name:"ext-ms-win-devmgmt-policy-l1-1-2", count:1, red: ["policymanager.dll"]}, +{name:"ext-ms-win-direct2d-desktop-l1-1-0", count:1, red: ["direct2ddesktop.dll"]}, +{name:"ext-ms-win-domainjoin-netjoin-l1-1-0", count:1, red: ["netjoin.dll"]}, +{name:"ext-ms-win-dwmapi-ext-l1-1-1", count:1, red: ["dwmapi.dll"]}, +{name:"ext-ms-win-dwmapidxgi-ext-l1-1-0", count:1, red: ["dwmapi.dll"]}, +{name:"ext-ms-win-dx-d3d9-l1-1-0", count:1, red: ["d3d9.dll"]}, +{name:"ext-ms-win-dx-ddraw-l1-1-0", count:1, red: ["ddraw.dll"]}, +{name:"ext-ms-win-dx-dinput8-l1-1-0", count:1, red: ["dinput8.dll"]}, +{name:"ext-ms-win-edputil-policy-l1-1-1", count:1, red: ["edputil.dll"]}, +{name:"ext-ms-win-els-elscore-l1-1-0", count:1, red: ["elscore.dll"]}, +{name:"ext-ms-win-eventing-pdh-l1-1-0", count:1, red: ["pdh.dll"]}, +{name:"ext-ms-win-eventing-rundown-l1-1-0", count:1, red: ["etwrundown.dll"]}, +{name:"ext-ms-win-eventing-tdh-ext-l1-1-0", count:1, red: ["tdh.dll"]}, +{name:"ext-ms-win-familysafety-childaccount-l1-1-0", count:1, red: ["familysafetyext.dll"]}, 
+{name:"ext-ms-win-feclient-encryptedfile-l1-1-1", count:1, red: ["feclient.dll"]}, +{name:"ext-ms-win-firewallapi-webproxy-l1-1-1", count:1, red: ["firewallapi.dll"]}, +{name:"ext-ms-win-font-fontgroups-l1-1-0", count:1, red: ["fontgroupsoverride.dll"]}, +{name:"ext-ms-win-fs-clfs-l1-1-0", count:1, red: ["clfs.sys"]}, +{name:"ext-ms-win-fs-cscapi-l1-1-0", count:1, red: ["cscapi.dll"]}, +{name:"ext-ms-win-fs-vssapi-l1-1-0", count:1, red: ["vssapi.dll"]}, +{name:"ext-ms-win-fsutilext-ifsutil-l1-1-0", count:1, red: ["fsutilext.dll"]}, +{name:"ext-ms-win-fsutilext-ulib-l1-1-0", count:1, red: ["fsutilext.dll"]}, +{name:"ext-ms-win-fveapi-query-l1-1-0", count:1, red: ["fveapi.dll"]}, +{name:"ext-ms-win-gaming-gamechatoverlay-l1-1-0", count:1, red: ["gamechatoverlayext.dll"]}, +{name:"ext-ms-win-gaming-xblgamesave-l1-1-0", count:1, red: ["xblgamesaveext.dll"]}, +{name:"ext-ms-win-gaming-xinput-l1-1-0", count:1, red: ["xinputuap.dll"]}, +{name:"ext-ms-win-gdi-clipping-l1-1-0", count:1, red: ["gdi32full.dll"]}, +{name:"ext-ms-win-gdi-dc-create-l1-1-2", count:1, red: ["gdi32full.dll"]}, +{name:"ext-ms-win-gdi-dc-l1-2-1", count:1, red: ["gdi32full.dll"]}, +{name:"ext-ms-win-gdi-devcaps-l1-1-0", count:1, red: ["gdi32full.dll"]}, +{name:"ext-ms-win-gdi-draw-l1-1-3", count:1, red: ["gdi32full.dll"]}, +{name:"ext-ms-win-gdi-font-l1-1-3", count:1, red: ["gdi32full.dll"]}, +{name:"ext-ms-win-gdi-gdiplus-l1-1-0", count:1, red: ["gdiplus.dll"]}, +{name:"ext-ms-win-gdi-internal-desktop-l1-1-2", count:1, red: ["gdi32full.dll"]}, +{name:"ext-ms-win-gdi-metafile-l1-1-2", count:1, red: ["gdi32full.dll"]}, +{name:"ext-ms-win-gdi-path-l1-1-0", count:1, red: ["gdi32full.dll"]}, +{name:"ext-ms-win-gdi-print-l1-1-0", count:1, red: ["gdi32full.dll"]}, +{name:"ext-ms-win-gdi-private-l1-1-0", count:1, red: ["gdi32full.dll"]}, +{name:"ext-ms-win-gdi-render-l1-1-0", count:1, red: ["gdi32.dll"]}, +{name:"ext-ms-win-gdi-rgn-l1-1-0", count:1, red: ["gdi32full.dll"]}, 
+{name:"ext-ms-win-gdi-wcs-l1-1-0", count:1, red: ["gdi32full.dll"]}, +{name:"ext-ms-win-globalization-collation-l1-1-0", count:1, red: ["globcollationhost.dll"]}, +{name:"ext-ms-win-globalization-input-l1-1-1", count:1, red: ["globinputhost.dll"]}, +{name:"ext-ms-win-gpapi-grouppolicy-l1-1-0", count:1, red: ["gpapi.dll"]}, +{name:"ext-ms-win-gpsvc-grouppolicy-l1-1-0", count:1, red: ["gpsvc.dll"]}, +{name:"ext-ms-win-gui-dui70-l1-1-0", count:1, red: ["dui70.dll"]}, +{name:"ext-ms-win-gui-ieui-l1-1-0", count:1, red: ["ieui.dll"]}, +{name:"ext-ms-win-gui-uxinit-l1-1-0", count:1, red: ["uxinit.dll"]}, +{name:"ext-ms-win-hyperv-compute-l1-1-1", count:1, red: ["vmcompute.dll"]}, +{name:"ext-ms-win-hyperv-hgs-l1-1-0", count:1, red: ["vmhgs.dll"]}, +{name:"ext-ms-win-hyperv-hvemulation-l1-1-0", count:1, red: ["winhvemulation.dll"]}, +{name:"ext-ms-win-hyperv-hvplatform-l1-1-0", count:1, red: ["winhvplatform.dll"]}, +{name:"ext-ms-win-imm-l1-1-1", count:1, red: ["imm32.dll"]}, +{name:"ext-ms-win-kernel32-appcompat-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"ext-ms-win-kernel32-datetime-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"ext-ms-win-kernel32-elevation-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"ext-ms-win-kernel32-errorhandling-l1-1-0", count:2, red: ["kernel32.dll", "faultrep.dll"],"alias":"kernel32.dll"}, +{name:"ext-ms-win-kernel32-file-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"ext-ms-win-kernel32-localization-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"ext-ms-win-kernel32-package-current-l1-1-0", count:1, red: ["kernel.appcore.dll"]}, +{name:"ext-ms-win-kernel32-package-l1-1-2", count:1, red: ["kernel.appcore.dll"]}, +{name:"ext-ms-win-kernel32-process-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"ext-ms-win-kernel32-quirks-l1-1-1", count:1, red: ["kernel32.dll"]}, +{name:"ext-ms-win-kernel32-registry-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"ext-ms-win-kernel32-sidebyside-l1-1-0", count:1, red: ["kernel32.dll"]}, 
+{name:"ext-ms-win-kernel32-transacted-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"ext-ms-win-kernel32-windowserrorreporting-l1-1-1", count:1, red: ["kernel32.dll"]}, +{name:"ext-ms-win-kernelbase-processthread-l1-1-0", count:1, red: ["kernel32.dll"]}, +{name:"ext-ms-win-kioskmode-config-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-mapi-mapi32-l1-1-0", count:1, red: ["mapistub.dll"]}, +{name:"ext-ms-win-media-avi-l1-1-0", count:1, red: ["avifil32.dll"]}, +{name:"ext-ms-win-mf-vfw-l1-1-0", count:1, red: ["mfvfw.dll"]}, +{name:"ext-ms-win-mininput-cursorhost-l1-1-0", count:1, red: ["inputhost.dll"]}, +{name:"ext-ms-win-mininput-extensions-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-mininput-inputhost-l1-1-1", count:1, red: ["inputhost.dll"]}, +{name:"ext-ms-win-mininput-inputhost-l1-2-0", count:1, red: ["inputhost.dll"]}, +{name:"ext-ms-win-mininput-systeminputhost-l1-1-0", count:1, red: ["ism.dll"]}, +{name:"ext-ms-win-mm-io-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-mm-msacm-l1-1-0", count:1, red: ["msacm32.dll"]}, +{name:"ext-ms-win-mm-pehelper-l1-1-0", count:1, red: ["mf.dll"]}, +{name:"ext-ms-win-mm-wmvcore-l1-1-0", count:1, red: ["wmvcore.dll"]}, +{name:"ext-ms-win-mobilecore-deviceinfo-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-mobilecore-ie-textinput-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-moderncore-win32k-base-ntgdi-l1-1-0", count:1, red: ["win32kfull.sys"]}, +{name:"ext-ms-win-moderncore-win32k-base-ntuser-l1-1-0", count:1, red: ["win32kfull.sys"]}, +{name:"ext-ms-win-moderncore-win32k-base-sysentry-l1-1-0", count:1, red: ["win32k.sys"]}, +{name:"ext-ms-win-mpr-multipleproviderrouter-l1-1-0", count:1, red: ["mprext.dll"]}, +{name:"ext-ms-win-mrmcorer-environment-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-mrmcorer-resmanager-l1-1-0", count:1, red: ["mrmcorer.dll"]}, +{name:"ext-ms-win-msa-device-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-msa-ui-l1-1-0", count:1, red: ["msauserext.dll"]}, 
+{name:"ext-ms-win-msa-user-l1-1-1", count:1, red: ["msauserext.dll"]}, +{name:"ext-ms-win-msi-misc-l1-1-0", count:1, red: ["msi.dll"]}, +{name:"ext-ms-win-msiltcfg-msi-l1-1-0", count:1, red: ["msiltcfg.dll"]}, +{name:"ext-ms-win-msimg-draw-l1-1-0", count:1, red: ["msimg32.dll"]}, +{name:"ext-ms-win-net-cmvpn-l1-1-0", count:1, red: ["cmintegrator.dll"]}, +{name:"ext-ms-win-net-httpproxyext-l1-1-0", count:1, red: ["httpprxc.dll"]}, +{name:"ext-ms-win-net-isoext-l1-1-0", count:1, red: ["firewallapi.dll"]}, +{name:"ext-ms-win-net-netbios-l1-1-0", count:1, red: ["netbios.dll"]}, +{name:"ext-ms-win-net-netshell-l1-1-0", count:1, red: ["netshell.dll"]}, +{name:"ext-ms-win-net-nfdapi-l1-1-0", count:1, red: ["ndfapi.dll"]}, +{name:"ext-ms-win-net-vpn-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-netprovision-netprovfw-l1-1-0", count:1, red: ["netprovfw.dll"]}, +{name:"ext-ms-win-networking-iphlpsvc-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-networking-mpssvc-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-networking-ncsiuserprobe-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-networking-nlaapi-l1-1-0", count:1, red: ["nlaapi.dll"]}, +{name:"ext-ms-win-networking-radiomonitor-l1-1-0", count:1, red: ["windows.devices.radios.dll"]}, +{name:"ext-ms-win-networking-teredo-l1-1-0", count:1, red: ["windows.networking.connectivity.dll"]}, +{name:"ext-ms-win-networking-wcmapi-l1-1-0", count:1, red: ["wcmapi.dll"]}, +{name:"ext-ms-win-networking-winipsec-l1-1-0", count:1, red: ["winipsec.dll"]}, +{name:"ext-ms-win-networking-wlanapi-l1-1-0", count:1, red: ["wlanapi.dll"]}, +{name:"ext-ms-win-networking-wlanstorage-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-networking-xblconnectivity-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-newdev-config-l1-1-3", count:1, red: ["newdev.dll"]}, +{name:"ext-ms-win-nfc-semgr-l1-1-0", count:1, red: ["semgrsvc.dll"]}, +{name:"ext-ms-win-ntdsa-activedirectoryserver-l1-1-0", count:1, red: ["ntdsa.dll"]}, 
+{name:"ext-ms-win-ntdsapi-activedirectoryclient-l1-1-1", count:1, red: ["ntdsapi.dll"]}, +{name:"ext-ms-win-ntos-clipsp-l1-1-0", count:1, red: ["clipsp.sys"]}, +{name:"ext-ms-win-ntos-kcminitcfg-l1-1-0", count:1, red: ["cmimcext.sys"]}, +{name:"ext-ms-win-ntos-ksecurity-l1-1-1", count:1, red: [""]}, +{name:"ext-ms-win-ntos-ksigningpolicy-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-ntos-ksr-l1-1-2", count:1, red: [""]}, +{name:"ext-ms-win-ntos-stateseparation-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-ntos-tm-l1-1-0", count:1, red: ["tm.sys"]}, +{name:"ext-ms-win-ntos-ucode-l1-1-0", count:1, red: ["ntosext.sys"]}, +{name:"ext-ms-win-ntos-vmsvc-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-ntos-werkernel-l1-1-1", count:1, red: ["werkernel.sys"]}, +{name:"ext-ms-win-ntuser-caret-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-chartranslation-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-dc-access-ext-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-dialogbox-l1-1-3", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-draw-l1-1-2", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-gui-l1-1-1", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-gui-l1-2-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-gui-l1-3-1", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-keyboard-l1-1-1", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-keyboard-l1-2-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-keyboard-l1-3-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-menu-l1-1-3", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-message-l1-1-3", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-misc-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-misc-l1-2-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-misc-l1-3-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-misc-l1-5-1", count:1, red: 
["user32.dll"]}, +{name:"ext-ms-win-ntuser-mit-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-mouse-l1-1-1", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-powermanagement-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-private-l1-1-1", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-private-l1-2-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-private-l1-3-2", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-rawinput-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-rectangle-ext-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-rim-l1-1-1", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-rotationmanager-l1-1-2", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-server-l1-1-1", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-string-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-synch-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-sysparams-ext-l1-1-1", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-touch-hittest-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-uicontext-ext-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-window-l1-1-4", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-windowclass-l1-1-2", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-windowstation-ansi-l1-1-1", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-ntuser-windowstation-l1-1-2", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-odbc-odbc32-l1-1-0", count:1, red: ["odbc32.dll"]}, +{name:"ext-ms-win-ole32-bindctx-l1-1-0", count:1, red: ["ole32.dll"]}, +{name:"ext-ms-win-ole32-ie-ext-l1-1-0", count:1, red: ["ole32.dll"]}, +{name:"ext-ms-win-ole32-oleautomation-l1-1-0", count:1, red: ["ole32.dll"]}, +{name:"ext-ms-win-oleacc-l1-1-2", count:1, red: ["oleacc.dll"]}, +{name:"ext-ms-win-onecore-shutdown-l1-1-0", count:1, red: [""]}, 
+{name:"ext-ms-win-parentalcontrols-setup-l1-1-0", count:1, red: ["wpcapi.dll"]}, +{name:"ext-ms-win-pinenrollment-enrollment-l1-1-2", count:1, red: ["pinenrollmenthelper.dll"]}, +{name:"ext-ms-win-printer-prntvpt-l1-1-1", count:1, red: ["prntvpt.dll"]}, +{name:"ext-ms-win-printer-winspool-l1-1-4", count:1, red: ["winspool.drv"]}, +{name:"ext-ms-win-profile-extender-l1-1-0", count:1, red: ["userenv.dll"]}, +{name:"ext-ms-win-profile-load-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-profile-profsvc-l1-1-0", count:1, red: ["profsvcext.dll"]}, +{name:"ext-ms-win-profile-userenv-l1-1-1", count:1, red: ["profext.dll"]}, +{name:"ext-ms-win-provisioning-platform-l1-1-2", count:1, red: ["provplatformdesktop.dll"]}, +{name:"ext-ms-win-ras-rasapi32-l1-1-2", count:1, red: ["rasapi32.dll"]}, +{name:"ext-ms-win-ras-rasdlg-l1-1-0", count:1, red: ["rasdlg.dll"]}, +{name:"ext-ms-win-ras-rasman-l1-1-0", count:1, red: ["rasman.dll"]}, +{name:"ext-ms-win-ras-tapi32-l1-1-1", count:1, red: ["tapi32.dll"]}, +{name:"ext-ms-win-raschapext-eap-l1-1-0", count:1, red: ["raschapext.dll"]}, +{name:"ext-ms-win-rastlsext-eap-l1-1-0", count:1, red: ["rastlsext.dll"]}, +{name:"ext-ms-win-rdr-davhlpr-l1-1-0", count:1, red: ["davhlpr.dll"]}, +{name:"ext-ms-win-reinfo-query-l1-1-0", count:1, red: ["reinfo.dll"]}, +{name:"ext-ms-win-remotewipe-platform-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-resourcemanager-crm-l1-1-0", count:1, red: ["rmclient.dll"]}, +{name:"ext-ms-win-resourcemanager-gamemode-l1-1-0", count:1, red: ["rmclient.dll"]}, +{name:"ext-ms-win-resourcemanager-gamemode-l1-2-1", count:1, red: ["rmclient.dll"]}, +{name:"ext-ms-win-resources-deployment-l1-1-0", count:1, red: ["mrmdeploy.dll"]}, +{name:"ext-ms-win-resources-languageoverlay-l1-1-0", count:1, red: ["languageoverlayutil.dll"]}, +{name:"ext-ms-win-ro-typeresolution-l1-1-0", count:1, red: ["wintypes.dll"]}, +{name:"ext-ms-win-rometadata-dispenser-l1-1-0", count:1, red: ["rometadata.dll"]}, 
+{name:"ext-ms-win-rpc-firewallportuse-l1-1-0", count:1, red: ["rpcrtremote.dll"]}, +{name:"ext-ms-win-rpc-ssl-l1-1-0", count:1, red: ["rpcrtremote.dll"]}, +{name:"ext-ms-win-rtcore-gdi-devcaps-l1-1-1", count:1, red: ["gdi32.dll"]}, +{name:"ext-ms-win-rtcore-gdi-object-l1-1-0", count:1, red: ["gdi32.dll"]}, +{name:"ext-ms-win-rtcore-gdi-rgn-l1-1-1", count:1, red: ["gdi32.dll"]}, +{name:"ext-ms-win-rtcore-minuser-host-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-rtcore-minuser-input-l1-1-2", count:1, red: [""]}, +{name:"ext-ms-win-rtcore-minuser-private-ext-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-rtcore-ntuser-console-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-rtcore-ntuser-controllernavigation-l1-1-1", count:1, red: ["inputhost.dll"]}, +{name:"ext-ms-win-rtcore-ntuser-cursor-l1-1-1", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-rtcore-ntuser-dc-access-l1-1-1", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-rtcore-ntuser-dpi-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-rtcore-ntuser-dpi-l1-2-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-rtcore-ntuser-iam-l1-1-1", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-rtcore-ntuser-inputintercept-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-rtcore-ntuser-integration-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-rtcore-ntuser-mininit-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-rtcore-ntuser-rawinput-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-rtcore-ntuser-synch-ext-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-rtcore-ntuser-syscolors-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-rtcore-ntuser-sysparams-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-rtcore-ntuser-window-ext-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-rtcore-ntuser-winevent-ext-l1-1-0", count:1, red: ["user32.dll"]}, +{name:"ext-ms-win-rtcore-ntuser-wmpointer-l1-1-0", count:1, red: ["user32.dll"]}, 
+{name:"ext-ms-win-samsrv-accountstore-l1-1-0", count:1, red: ["samsrv.dll"]}, +{name:"ext-ms-win-scesrv-server-l1-1-0", count:1, red: ["scesrv.dll"]}, +{name:"ext-ms-win-search-folder-l1-1-0", count:1, red: ["searchfolder.dll"]}, +{name:"ext-ms-win-secur32-translatename-l1-1-1", count:1, red: ["secur32.dll"]}, +{name:"ext-ms-win-security-appinfoext-l1-1-0", count:1, red: ["appinfoext.dll"]}, +{name:"ext-ms-win-security-authbrokerui-l1-1-0", count:1, red: ["authbrokerui.dll"]}, +{name:"ext-ms-win-security-capauthz-ext-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-security-capauthz-l1-1-1", count:1, red: ["capauthz.dll"]}, +{name:"ext-ms-win-security-certpoleng-l1-1-0", count:1, red: ["certpoleng.dll"]}, +{name:"ext-ms-win-security-cfl-l1-1-0", count:1, red: ["cflapi.dll"]}, +{name:"ext-ms-win-security-chambers-l1-1-1", count:1, red: [""]}, +{name:"ext-ms-win-security-credui-internal-l1-1-0", count:1, red: ["wincredui.dll"]}, +{name:"ext-ms-win-security-credui-l1-1-1", count:1, red: ["credui.dll"]}, +{name:"ext-ms-win-security-cryptui-l1-1-1", count:1, red: ["cryptui.dll"]}, +{name:"ext-ms-win-security-developerunlock-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-security-deviceid-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-security-efs-l1-1-1", count:1, red: ["efsext.dll"]}, +{name:"ext-ms-win-security-efswrt-l1-1-1", count:1, red: ["efswrt.dll"]}, +{name:"ext-ms-win-security-kerberos-l1-1-0", count:1, red: ["kerberos.dll"]}, +{name:"ext-ms-win-security-ngc-local-l1-1-0", count:1, red: ["ngclocal.dll"]}, +{name:"ext-ms-win-security-shutdownext-l1-1-0", count:1, red: ["shutdownext.dll"]}, +{name:"ext-ms-win-security-slc-l1-1-0", count:1, red: ["slc.dll"]}, +{name:"ext-ms-win-security-srp-l1-1-1", count:1, red: ["srpapi.dll"]}, +{name:"ext-ms-win-security-tokenbrokerui-l1-1-0", count:1, red: ["tokenbrokerui.dll"]}, +{name:"ext-ms-win-security-vaultcli-l1-1-1", count:1, red: ["vaultcli.dll"]}, +{name:"ext-ms-win-security-winscard-l1-1-1", count:1, red: 
["winscard.dll"]}, +{name:"ext-ms-win-sensors-core-private-l1-1-3", count:1, red: ["sensorsnativeapi.dll"]}, +{name:"ext-ms-win-sensors-utilities-private-l1-1-2", count:1, red: ["sensorsutilsv2.dll"]}, +{name:"ext-ms-win-session-userinit-l1-1-0", count:1, red: ["userinitext.dll"]}, +{name:"ext-ms-win-session-usermgr-l1-1-0", count:1, red: ["usermgrcli.dll"]}, +{name:"ext-ms-win-session-usermgr-l1-2-0", count:1, red: ["usermgrcli.dll"]}, +{name:"ext-ms-win-session-usertoken-l1-1-0", count:1, red: ["wtsapi32.dll"]}, +{name:"ext-ms-win-session-wininit-l1-1-0", count:1, red: ["wininitext.dll"]}, +{name:"ext-ms-win-session-winlogon-l1-1-1", count:1, red: ["winlogonext.dll"]}, +{name:"ext-ms-win-session-winsta-l1-1-2", count:1, red: ["winsta.dll"]}, +{name:"ext-ms-win-session-wtsapi32-l1-1-0", count:1, red: ["wtsapi32.dll"]}, +{name:"ext-ms-win-setupapi-classinstallers-l1-1-2", count:1, red: ["setupapi.dll"]}, +{name:"ext-ms-win-setupapi-inf-l1-1-1", count:1, red: ["setupapi.dll"]}, +{name:"ext-ms-win-setupapi-logging-l1-1-0", count:1, red: ["setupapi.dll"]}, +{name:"ext-ms-win-shell-aclui-l1-1-0", count:1, red: ["aclui.dll"]}, +{name:"ext-ms-win-shell-browsersettingsync-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-shell-comctl32-da-l1-1-0", count:1, red: ["comctl32.dll"]}, +{name:"ext-ms-win-shell-comctl32-init-l1-1-1", count:1, red: ["comctl32.dll"]}, +{name:"ext-ms-win-shell-comctl32-l1-1-0", count:1, red: ["comctl32.dll"]}, +{name:"ext-ms-win-shell-comctl32-window-l1-1-0", count:1, red: ["comctl32.dll"]}, +{name:"ext-ms-win-shell-comdlg32-l1-1-1", count:1, red: ["comdlg32.dll"]}, +{name:"ext-ms-win-shell-directory-l1-1-0", count:1, red: ["windows.storage.dll"]}, +{name:"ext-ms-win-shell-efsadu-l1-1-0", count:1, red: ["efsadu.dll"]}, +{name:"ext-ms-win-shell-embeddedmode-l1-1-0", count:1, red: ["embeddedmodesvcapi.dll"]}, +{name:"ext-ms-win-shell-exports-internal-l1-1-0", count:1, red: ["shell32.dll"]}, +{name:"ext-ms-win-shell-knownfolderext-l1-1-0", count:1, 
red: [""]}, +{name:"ext-ms-win-shell-ntshrui-l1-1-0", count:1, red: ["ntshrui.dll"]}, +{name:"ext-ms-win-shell-propsys-l1-1-0", count:1, red: ["propsys.dll"]}, +{name:"ext-ms-win-shell-settingsync-l1-1-3", count:1, red: ["settingsyncpolicy.dll"]}, +{name:"ext-ms-win-shell-shdocvw-l1-1-0", count:1, red: ["shdocvw.dll"]}, +{name:"ext-ms-win-shell-shell32-l1-2-2", count:1, red: ["shell32.dll"]}, +{name:"ext-ms-win-shell-shlwapi-l1-1-2", count:1, red: ["shlwapi.dll"]}, +{name:"ext-ms-win-shell-shlwapi-l1-2-0", count:1, red: ["shlwapi.dll"]}, +{name:"ext-ms-win-shell-tabbedtitlebar-l1-1-0", count:1, red: ["twinapi.appcore.dll"]}, +{name:"ext-ms-win-shell32-shellcom-l1-1-0", count:1, red: ["windows.storage.dll"]}, +{name:"ext-ms-win-shell32-shellfolders-l1-1-1", count:1, red: ["windows.storage.dll"]}, +{name:"ext-ms-win-shell32-shellfolders-l1-2-0", count:1, red: ["windows.storage.dll"]}, +{name:"ext-ms-win-smbshare-browser-l1-1-0", count:1, red: ["browser.dll"]}, +{name:"ext-ms-win-smbshare-browserclient-l1-1-0", count:1, red: ["browcli.dll"]}, +{name:"ext-ms-win-smbshare-sscore-l1-1-0", count:1, red: ["sscoreext.dll"]}, +{name:"ext-ms-win-spinf-inf-l1-1-0", count:1, red: ["spinf.dll"]}, +{name:"ext-ms-win-storage-hbaapi-l1-1-0", count:1, red: ["hbaapi.dll"]}, +{name:"ext-ms-win-storage-iscsidsc-l1-1-0", count:1, red: ["iscsidsc.dll"]}, +{name:"ext-ms-win-storage-sense-l1-1-0", count:1, red: ["storageusage.dll"]}, +{name:"ext-ms-win-storage-sense-l1-2-0", count:1, red: ["storageusage.dll"]}, +{name:"ext-ms-win-sxs-oleautomation-l1-1-0", count:1, red: ["sxs.dll"]}, +{name:"ext-ms-win-test-sys1-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-test-sys2-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-tsf-inputsetting-l1-1-0", count:1, red: ["input.dll"]}, +{name:"ext-ms-win-tsf-msctf-l1-1-2", count:1, red: ["msctf.dll"]}, +{name:"ext-ms-win-ttlsext-eap-l1-1-0", count:1, red: ["ttlsext.dll"]}, +{name:"ext-ms-win-ui-viewmanagement-l1-1-0", count:1, red: [""]}, 
+{name:"ext-ms-win-uiacore-l1-1-3", count:1, red: ["uiautomationcore.dll"]}, +{name:"ext-ms-win-umpoext-umpo-l1-1-0", count:1, red: ["umpoext.dll"]}, +{name:"ext-ms-win-usp10-l1-1-0", count:1, red: ["gdi32full.dll"]}, +{name:"ext-ms-win-uwf-servicing-apis-l1-1-0", count:1, red: ["uwfservicingapi.dll"]}, +{name:"ext-ms-win-uxtheme-themes-l1-1-1", count:1, red: ["uxtheme.dll"]}, +{name:"ext-ms-win-wer-reporting-l1-1-2", count:1, red: ["wer.dll"]}, +{name:"ext-ms-win-wer-ui-l1-1-0", count:1, red: ["werui.dll"]}, +{name:"ext-ms-win-wer-wct-l1-1-0", count:1, red: ["wer.dll"]}, +{name:"ext-ms-win-wer-xbox-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-wevtapi-eventlog-l1-1-3", count:1, red: ["wevtapi.dll"]}, +{name:"ext-ms-win-winlogon-mincreds-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-winrt-device-access-l1-1-0", count:1, red: ["deviceaccess.dll"]}, +{name:"ext-ms-win-winrt-networking-connectivity-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-winrt-storage-fileexplorer-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-winrt-storage-l1-1-0", count:1, red: ["windows.storage.dll"]}, +{name:"ext-ms-win-winrt-storage-l1-2-1", count:1, red: ["windows.storage.dll"]}, +{name:"ext-ms-win-winrt-storage-removable-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-wlan-grouppolicy-l1-1-0", count:1, red: ["wlgpclnt.dll"]}, +{name:"ext-ms-win-wlan-onexui-l1-1-0", count:1, red: ["onexui.dll"]}, +{name:"ext-ms-win-wlan-scard-l1-1-0", count:1, red: ["winscard.dll"]}, +{name:"ext-ms-win-wnv-l1-1-0", count:1, red: ["wnv.sys"]}, +{name:"ext-ms-win-wpn-phoneext-l1-1-0", count:1, red: [""]}, +{name:"ext-ms-win-wrp-sfc-l1-1-0", count:1, red: ["sfc.dll"]}, +{name:"ext-ms-win-wsclient-devlicense-l1-1-1", count:1, red: ["wsclient.dll"]}, +{name:"ext-ms-win-wwaext-misc-l1-1-0", count:1, red: ["wwaext.dll"]}, +{name:"ext-ms-win-wwaext-module-l1-1-0", count:1, red: ["wwaext.dll"]}, +{name:"ext-ms-win-wwan-wwapi-l1-1-3", count:1, red: ["wwapi.dll"]}, 
+{name:"ext-ms-win-xaml-controls-l1-1-0", count:1, red: ["windows.ui.xaml.phone.dll"]},
+{name:"ext-ms-win-xaml-pal-l1-1-0", count:1, red: [""]},
+{name:"ext-ms-win-xblauth-console-l1-1-0", count:1, red: [""]},
+{name:"ext-ms-win-xboxlive-xboxnetapisvc-l1-1-0", count:1, red: [""]},
+{name:"ext-ms-windowscore-deviceinfo-l1-1-0", count:1, red: [""]},
+]}
diff --git a/Build/hooks/address.js b/Build/hooks/address.js
index 4ad5ff5..c77713f 100644
--- a/Build/hooks/address.js
+++ b/Build/hooks/address.js
@@ -1,4 +1,14 @@
+// var _parse_cmdline = new ApiHook();
+// _parse_cmdline.OnCallBack = function () {
+// var PC = Emu.ReadDword(Emu.ReadReg(REG_ESP));
+
+// info('PC : 0x',PC.toString(16));
+
+// info(Emu.SetReg(REG_EIP, PC));
+// return true;
+// };
+// _parse_cmdline.install(0x00403383); // _wcmdln fix
diff --git a/Build/hooks/advapi32.js b/Build/hooks/advapi32.js
index 8f8c15e..07c9c10 100644
--- a/Build/hooks/advapi32.js
+++ b/Build/hooks/advapi32.js
@@ -267,8 +267,6 @@ RegCloseKey.OnCallBack = function (Emu, API,ret) {
 };
 RegCloseKey.install('advapi32.dll', 'RegCloseKey');
-RegCloseKey.install('api-ms-win-core-localregistry-l1-1-0.dll', 'RegCloseKey');
-
 /*
 ###################################################################################################
 ###################################################################################################
@@ -373,9 +371,6 @@ RegOpenKeyEx.install('advapi32.dll', 'RegOpenKeyExA');
 RegOpenKeyEx.install('advapi32.dll', 'RegOpenKeyExW');
-RegOpenKeyEx.install('api-ms-win-core-localregistry-l1-1-0.dll', 'RegOpenKeyExA');
-RegOpenKeyEx.install('api-ms-win-core-localregistry-l1-1-0.dll', 'RegOpenKeyExW');
-
 /*
 ###################################################################################################
 ###################################################################################################
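Review bot: The whole addition to address.js is a commented-out hook bound to the hard-coded address 0x00403383, and nothing records which sample or build that address belongs to, so the block is dead code that nobody else can re-enable safely. If it is worth keeping, a one-line comment naming its target would make it usable, e.g. `// disabled: sample-specific _wcmdln workaround for <SAMPLE_NAME>; 0x00403383 is only valid for that binary`; otherwise drop it rather than committing it as comments. The callback also differs in shape from the other hooks in this commit, which receive `(Emu, API, ret)`, while this one takes no parameters and reads a global `Emu` — presumably intentional for an address hook, but worth confirming before it is ever uncommented.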
@@ -434,9 +429,6 @@ RegQueryValueEx.OnCallBack = function (Emu, API, ret) { RegQueryValueEx.install('advapi32.dll', 'RegQueryValueExA'); RegQueryValueEx.install('advapi32.dll', 'RegQueryValueExW'); -RegQueryValueEx.install('api-ms-win-core-localregistry-l1-1-0.dll', 'RegQueryValueExA'); -RegQueryValueEx.install('api-ms-win-core-localregistry-l1-1-0.dll', 'RegQueryValueExW'); - /* ################################################################################################### diff --git a/Build/hooks/c_runtime.js b/Build/hooks/c_runtime.js index c76913d..945ddeb 100644 --- a/Build/hooks/c_runtime.js +++ b/Build/hooks/c_runtime.js @@ -1,20 +1,20 @@ 'use strict'; -var exit = new ApiHook(); -exit.OnCallBack = function (Emu, API,ret) { +// var exit = new ApiHook(); +// exit.OnCallBack = function (Emu, API,ret) { - Emu.Stop(); +// Emu.Stop(); - error('0x{0} : {1}'.format( - ret.toString(16), - API.name - )); +// error('0x{0} : {1}'.format( +// ret.toString(16), +// API.name +// )); - return true; // true if you handle it false if you want Emu to handle it and set PC . -}; -exit.install('api-ms-win-crt-runtime-l1-1-0.dll', 'exit'); -exit.install('api-ms-win-crt-runtime-l1-1-0.dll', '_exit'); +// return true; // true if you handle it false if you want Emu to handle it and set PC . +// }; +// exit.install('api-ms-win-crt-runtime-l1-1-0.dll', 'exit'); +// exit.install('api-ms-win-crt-runtime-l1-1-0.dll', '_exit'); /* ################################################################################################### diff --git a/Build/hooks/kernek32_strings.js b/Build/hooks/kernek32_strings.js index d5be336..aad496e 100644 --- a/Build/hooks/kernek32_strings.js +++ b/Build/hooks/kernek32_strings.js 
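Review bot: Commenting out the `exit`/`_exit` hook in c_runtime.js leaves lowercase `_exit` with no handler at all: the ExitProcess hook in kernel32.js installs on ucrtbase.dll only for `exit` and `_Exit`, so a sample that leaves through `_exit` (once api-ms-win-crt-runtime is forwarded to ucrtbase, assuming the new forwarder does that) keeps emulating past process exit instead of stopping with the logged error the old hook produced. Suggest `ExitProcess.install('ucrtbase.dll', '_exit');` next to the existing two installs. The commented-out block itself is better deleted than kept — version control already preserves it, and a 20-line `//` block at the top of the file is what readers will trip over first.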
@@ -56,7 +56,6 @@ MultiByteToWideChar.OnCallBack = function (Emu, API, ret) { }; MultiByteToWideChar.install('kernel32.dll', 'MultiByteToWideChar'); -MultiByteToWideChar.install('api-ms-win-core-string-l1-1-0.dll', 'MultiByteToWideChar'); /* ################################################################################################### @@ -114,7 +113,6 @@ WideCharToMultiByte.OnCallBack = function (Emu, API, ret) { }; WideCharToMultiByte.install('kernel32.dll', 'WideCharToMultiByte'); -WideCharToMultiByte.install('api-ms-win-core-string-l1-1-0.dll', 'WideCharToMultiByte'); /* ################################################################################################### @@ -175,8 +173,6 @@ LCMapString.OnCallBack = function (Emu, API, ret) { LCMapString.install('kernel32.dll', 'LCMapStringA'); LCMapString.install('kernel32.dll', 'LCMapStringW'); -LCMapString.install('api-ms-win-core-localization-l1-1-0.dll', 'LCMapStringW'); - /* ################################################################################################### @@ -255,7 +251,6 @@ GetStringTypeW.OnCallBack = function (Emu, API, ret) { }; GetStringTypeW.install('kernel32.dll', 'GetStringTypeW'); -GetStringTypeW.install('api-ms-win-core-string-l1-1-0.dll', 'GetStringTypeW'); /* ################################################################################################### @@ -297,8 +292,6 @@ lstrlen.OnCallBack = function (Emu, API, ret) { lstrlen.install('kernel32.dll', 'lstrlen'); lstrlen.install('kernelbase.dll', 'lstrlenW'); lstrlen.install('kernelbase.dll', 'lstrlenA'); -lstrlen.install('api-ms-win-core-misc-l1-1-0.dll', 'lstrlenW'); -lstrlen.install('api-ms-win-core-misc-l1-1-0.dll', 'lstrlenA'); lstrlen.install('kernel32.dll', 'lstrlenW'); lstrlen.install('kernel32.dll', 'lstrlenA'); diff --git a/Build/hooks/kernel32.js b/Build/hooks/kernel32.js index 3f47b6c..767ecbe 100644 --- a/Build/hooks/kernel32.js +++ b/Build/hooks/kernel32.js 
@@ -50,6 +50,17 @@ ExitProcess.install('ntdll.dll', 'RtlExitUserProcess'); ExitProcess.install('ucrtbase.dll', 'exit'); ExitProcess.install('ucrtbase.dll', '_Exit'); + +/* +################################################################################################### +################################################################################################### +*/ + + +/* +TerminateProcess +*/ + /* ################################################################################################### ################################################################################################### @@ -71,9 +82,6 @@ IsDebuggerPresent.OnCallBack = function (Emu, API,ret) { IsDebuggerPresent.install('kernel32.dll', 'IsDebuggerPresent'); -// TODO: remove after implementing apisetschema Forwarder . -IsDebuggerPresent.install('api-ms-win-core-debug-l1-1-0.dll', 'IsDebuggerPresent'); - /* ################################################################################################### ################################################################################################### @@ -145,9 +153,8 @@ GetModuleHandleW.OnCallBack = function (Emu, API,ret) { GetModuleHandleW.install('kernel32.dll', 'GetModuleHandleW'); GetModuleHandleW.install('kernel32.dll', 'GetModuleHandleA'); -GetModuleHandleW.install('api-ms-win-core-libraryloader-l1-1-0.dll', 'GetModuleHandleW'); -// api-ms-win-core-libraryloader-l1-1-0.dll.GetModuleHandleW - +GetModuleHandleW.install('kernelbase.dll', 'GetModuleHandleW'); +GetModuleHandleW.install('kernelbase.dll', 'GetModuleHandleA'); /* ################################################################################################### @@ -265,7 +272,7 @@ LoadLibrary.OnCallBack = function (Emu, API,ret) { log("{0}('{1}', 0x{2}, 0x{3}) = 0x{4}".format( API.name, - Libname, + Emu.GetModuleName(handle), hFile.toString(16), dwFlags.toString(16), handle.toString(16) 
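Review bot: The new `GetModuleHandleW.install('kernelbase.dll', ...)` lines give this hook kernelbase coverage, but the other hooks in this file that lose their `api-ms-win-core-*` install in this commit get no equivalent, although the new Apiset table forwards those sets to kernelbase.dll (MS-Win-Core-Debug, -Heap, -Misc, -Localization, -LibraryLoader, -ProcessEnvironment all carry `F:"kernelbase.dll"`). If the forwarder resolves an apiset import to that `F` entry, IsDebuggerPresent, HeapCreate/HeapAlloc/HeapDestroy/HeapSize, LocalAlloc/LocalFree, GetACP/GetCPInfo, GetModuleFileName, GetCommandLine, GetEnvironmentStrings and GetStdHandle are now hooked on kernel32.dll only and fall through unhooked — IsDebuggerPresent is the one most worth fixing first, since an unhooked anti-debug probe changes sample behaviour without any trace. Suggest `IsDebuggerPresent.install('kernelbase.dll', 'IsDebuggerPresent');` and the same pattern for the others, or a comment on this hunk explaining why kernelbase coverage is only needed for GetModuleHandle.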
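Review bot: Replacing `Libname` with `Emu.GetModuleName(handle)` in the LoadLibrary log line drops the name the sample actually requested, which is the value an analyst wants in the trace when the load fails (handle 0 or unresolved) or when an apiset alias was asked for and something else was resolved. Suggest logging both, e.g. `log("{0}('{1}' -> '{2}', 0x{3}, 0x{4}) = 0x{5}".format(API.name, Libname, Emu.GetModuleName(handle), hFile.toString(16), dwFlags.toString(16), handle.toString(16)));`. LoadLibrary.OnCallBack starts before this hunk, so I cannot see whether GetModuleName is safe to call on a failed handle.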
@@ -490,7 +497,7 @@ GetCurrentDirectory.OnCallBack = function (Emu, API, ret) { var lpBuffer = Emu.isx64 ? Emu.ReadReg(REG_RDX) : Emu.pop(); var len = 0; - var tmp = "C:\\pla"; + var tmp = "C:\\Users\\Public\\Desktop"; if (nBufferLength > 0){ len = API.IsWapi ? Emu.WriteStringW(lpBuffer,tmp) : Emu.WriteStringA(lpBuffer,tmp); @@ -717,7 +724,6 @@ typedef struct _OSVERSIONINFOEXA { GetVersionExW.install('kernel32.dll', 'GetVersionEx'); GetVersionExW.install('kernel32.dll', 'GetVersionExA'); GetVersionExW.install('kernel32.dll', 'GetVersionExW'); -GetVersionExW.install('api-ms-win-core-sysinfo-l1-1-0.dll', 'GetVersionExW'); /* ################################################################################################### @@ -825,8 +831,6 @@ LocalAlloc.OnCallBack = function (Emu, API, ret) { }; LocalAlloc.install('kernel32.dll', 'LocalAlloc'); -LocalAlloc.install('api-ms-win-core-misc-l1-1-0.dll', 'LocalAlloc'); - /* ################################################################################################### ################################################################################################### @@ -853,7 +857,6 @@ LocalFree.OnCallBack = function (Emu, API, ret) { return true; // true if you handle it false if you want Emu to handle it and set PC . }; LocalFree.install('kernel32.dll', 'LocalFree'); -LocalFree.install('api-ms-win-core-misc-l1-1-0.dll', 'LocalFree'); /* ################################################################################################### @@ -891,7 +894,6 @@ HeapCreate.OnCallBack = function (Emu, API, ret) { }; HeapCreate.install('kernel32.dll', 'HeapCreate'); -HeapCreate.install('api-ms-win-core-heap-l1-1-0.dll', 'HeapCreate'); /* ################################################################################################### 
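Review bot: The longer fake path is copied into the guest buffer without regard to `nBufferLength`: the guard only checks `nBufferLength > 0` and then `WriteStringW/A(lpBuffer, tmp)` writes the whole string (25 characters with terminator, 50 bytes wide), so a caller that passes a small buffer has guest memory past its end overwritten — the old 6-character value masked this. GetCurrentDirectory's contract is to write nothing and return the required length in characters when the buffer is too small; suggest `if (nBufferLength > tmp.length) {` around the write and returning `tmp.length + 1` in the other case (the return-value handling is outside this hunk). The same literal `"C:\\Users\\Public\\Desktop"` is repeated in the GetModuleFileName and GetCommandLine hunks of this file; one file-level constant would keep the three fake paths from drifting, and GetModuleFileName's write similarly ignores its `nSize` argument.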
@@ -999,7 +1001,6 @@ HeapAlloc.OnCallBack = function (Emu, API, ret) { }; HeapAlloc.install('kernel32.dll', 'HeapAlloc'); -HeapAlloc.install('api-ms-win-core-heap-l1-1-0.dll', 'HeapAlloc'); /* ################################################################################################### @@ -1289,7 +1290,6 @@ HeapDestroy.OnCallBack = function (Emu, API, ret) { }; HeapDestroy.install('kernel32.dll', 'HeapDestroy'); -HeapDestroy.install('api-ms-win-core-heap-l1-1-0.dll', 'HeapDestroy'); /* ################################################################################################### @@ -1324,7 +1324,6 @@ HeapSize.OnCallBack = function (Emu, API, ret) { }; HeapSize.install('kernel32.dll', 'HeapSize'); -HeapSize.install('api-ms-win-core-heap-l1-1-0.dll', 'HeapSize'); /* ################################################################################################### @@ -1433,7 +1432,6 @@ GetACP.OnCallBack = function (Emu, API, ret) { }; GetACP.install('kernel32.dll', 'GetACP'); -GetACP.install('api-ms-win-core-localization-l1-1-0.dll', 'GetACP'); /* ################################################################################################### @@ -1466,7 +1464,6 @@ GetCPInfo.OnCallBack = function (Emu, API, ret) { }; GetCPInfo.install('kernel32.dll', 'GetCPInfo'); -GetCPInfo.install('api-ms-win-core-localization-l1-1-0.dll', 'GetCPInfo'); /* ################################################################################################### 
@@ -1517,11 +1514,11 @@ GetModuleFileName.OnCallBack = function (Emu, API, ret) { var nSize = Emu.isx64 ? Emu.ReadReg(REG_R8D) : Emu.pop(); var mName = Emu.GetModuleName(hModule); - var Path = 'C:\\pla\\' + mName; + var Path = 'C:\\Users\\Public\\Desktop\\' + mName; var len = API.IsWapi ? Emu.WriteStringW(lpFilename,Path) : Emu.WriteStringA(lpFilename,Path); - // null byte - mybe needed maybe not :D - i put it anyway :V + // null byte :V API.IsWapi ? Emu.WriteWord(lpFilename + (len * 2),0) : Emu.WriteByte(lpFilename+len,0); print("GetModuleFileName{0}(0x{1}, 0x{2}, 0x{3}) = '{4}'".format( @@ -1540,9 +1537,6 @@ GetModuleFileName.OnCallBack = function (Emu, API, ret) { GetModuleFileName.install('kernel32.dll', 'GetModuleFileNameA'); GetModuleFileName.install('kernel32.dll', 'GetModuleFileNameW'); -GetModuleFileName.install('api-ms-win-core-libraryloader-l1-1-0.dll', 'GetModuleFileNameA'); -GetModuleFileName.install('api-ms-win-core-libraryloader-l1-1-0.dll', 'GetModuleFileNameW'); - /* ################################################################################################### @@ -1574,8 +1568,6 @@ EncodePointer.OnCallBack = function (Emu, API,ret) { }; EncodePointer.install('kernel32.dll', 'EncodePointer'); EncodePointer.install('msvcr90.dll', '_encode_pointer'); -EncodePointer.install('api-ms-win-core-util-l1-1-0.dll', 'EncodePointer'); - EncodePointer.install('ntdll.dll', 'RtlEncodePointer'); /* ################################################################################################### @@ -1607,8 +1599,6 @@ DecodePointer.OnCallBack = function (Emu, API,ret) { return true; }; DecodePointer.install('kernel32.dll', 'DecodePointer'); -DecodePointer.install('api-ms-win-core-util-l1-1-0.dll', 'DecodePointer'); - DecodePointer.install('msvcr90.dll', '_decode_pointer'); 
@@ -1644,8 +1634,6 @@ InitializeCriticalSectionAndSpinCount.OnCallBack = function (Emu, API,ret) { }; InitializeCriticalSectionAndSpinCount.install('kernel32.dll', 'InitializeCriticalSectionAndSpinCount'); -InitializeCriticalSectionAndSpinCount.install('api-ms-win-core-synch-l1-1-0.dll', 'InitializeCriticalSectionAndSpinCount'); - /* ################################################################################################### ################################################################################################### @@ -1678,7 +1666,6 @@ InitializeCriticalSectionEx.OnCallBack = function (Emu, API,ret) { return true; }; InitializeCriticalSectionEx.install('kernel32.dll', 'InitializeCriticalSectionEx'); -InitializeCriticalSectionEx.install('api-ms-win-core-synch-l1-1-0.dll', 'InitializeCriticalSectionEx'); /* ################################################################################################### @@ -1705,8 +1692,6 @@ InitializeCriticalSection.OnCallBack = function (Emu, API,ret) { }; InitializeCriticalSection.install('kernel32.dll', 'InitializeCriticalSection'); -InitializeCriticalSection.install('api-ms-win-core-synch-l1-1-0.dll', 'InitializeCriticalSection'); - /* ################################################################################################### ################################################################################################### @@ -1757,9 +1742,6 @@ _STARTUPINFOW struc ; (sizeof=0x44, align=0x4, copyof_14) GetStartupInfo.install('kernel32.dll', 'GetStartupInfoA'); GetStartupInfo.install('kernel32.dll', 'GetStartupInfoW'); -GetStartupInfo.install('api-ms-win-core-processthreads-l1-1-0.dll', 'GetStartupInfoW'); - - /* ################################################################################################### ################################################################################################### 
@@ -1785,8 +1767,7 @@ GetSystemTimeAsFileTime.OnCallBack = function (Emu, API, ret) { return true; // true if you handle it false if you want Emu to handle it and set PC . }; GetSystemTimeAsFileTime.install('kernel32.dll', 'GetSystemTimeAsFileTime'); -GetSystemTimeAsFileTime.install('api-ms-win-core-sysinfo-l1-1-0.dll', 'GetSystemTimeAsFileTime'); - +GetSystemTimeAsFileTime.install('kernelbase.dll', 'GetSystemTimeAsFileTime'); /* ################################################################################################### @@ -1821,8 +1802,7 @@ GetTickCount.OnCallBack = function (Emu, API, ret) { return true; }; GetTickCount.install('kernel32.dll', 'GetTickCount'); -GetTickCount.install('api-ms-win-core-sysinfo-l1-1-0.dll', 'GetTickCount'); - +GetTickCount.install('kernelbase.dll', 'GetTickCount'); /* ################################################################################################### @@ -1850,7 +1830,6 @@ QueryPerformanceCounter.OnCallBack = function (Emu, API, ret) { return true; }; QueryPerformanceCounter.install('kernel32.dll', 'QueryPerformanceCounter'); -QueryPerformanceCounter.install('api-ms-win-core-profile-l1-1-0.dll', 'QueryPerformanceCounter'); /* ################################################################################################### @@ -1868,7 +1847,7 @@ GetCommandLine.OnCallBack = function (Emu, API, ret) { var cmd = API.IsWapi ? (0x40000000 + 0x30000) : (0x40000000 + 0x31000); // TODO implement memory mng . var mName = Emu.GetModuleName(0); // Current module . - var Path = '"C:\\pla\\' + mName + '"'; // :D + var Path = '"C:\\Users\\Public\\Desktop\\' + mName + '"'; // :D API.IsWapi ? Emu.WriteStringW(cmd,Path) : Emu.WriteStringA(cmd,Path); 
@@ -1887,9 +1866,6 @@ GetCommandLine.OnCallBack = function (Emu, API, ret) { GetCommandLine.install('kernel32.dll', 'GetCommandLineA'); GetCommandLine.install('kernel32.dll', 'GetCommandLineW'); -GetCommandLine.install('api-ms-win-core-processenvironment-l1-1-0.dll', 'GetCommandLineA'); -GetCommandLine.install('api-ms-win-core-processenvironment-l1-1-0.dll', 'GetCommandLineW'); - /* ################################################################################################### ################################################################################################### @@ -1929,9 +1905,6 @@ GetEnvironmentStrings.OnCallBack = function (Emu, API, ret) { GetEnvironmentStrings.install('kernel32.dll', 'GetEnvironmentStringsA'); GetEnvironmentStrings.install('kernel32.dll', 'GetEnvironmentStringsW'); -GetEnvironmentStrings.install('api-ms-win-core-processenvironment-l1-1-0.dll', 'GetEnvironmentStringsA'); -GetEnvironmentStrings.install('api-ms-win-core-processenvironment-l1-1-0.dll', 'GetEnvironmentStringsW'); - /* ################################################################################################### ################################################################################################### @@ -1962,9 +1935,6 @@ FreeEnvironmentStrings.OnCallBack = function (Emu, API, ret) { FreeEnvironmentStrings.install('kernel32.dll', 'FreeEnvironmentStringsA'); FreeEnvironmentStrings.install('kernel32.dll', 'FreeEnvironmentStringsW'); -FreeEnvironmentStrings.install('api-ms-win-core-processenvironment-l1-1-0.dll', 'FreeEnvironmentStringsA'); -FreeEnvironmentStrings.install('api-ms-win-core-processenvironment-l1-1-0.dll', 'FreeEnvironmentStringsW'); - /* ################################################################################################### ################################################################################################### 
@@ -2116,7 +2086,6 @@ GetSystemTime.OnCallBack = function (Emu, API, ret) { }; GetSystemTime.install('kernel32.dll', 'GetSystemTime'); GetSystemTime.install('kernel32.dll', 'GetLocalTime'); -GetSystemTime.install('api-ms-win-core-sysinfo-l1-1-0.dll', 'GetLocalTime'); /* ################################################################################################### @@ -2165,7 +2134,6 @@ InterlockedCompareExchange.OnCallBack = function (Emu, API,ret) { return true; // let lib handle it }; InterlockedCompareExchange.install('kernel32.dll', 'InterlockedCompareExchange'); -InterlockedCompareExchange.install('api-ms-win-core-interlocked-l1-1-0.dll', 'InterlockedCompareExchange'); /* ################################################################################################### @@ -2180,7 +2148,7 @@ InterlockedExchange.OnCallBack = function (Emu, API,ret) { return true; // let lib handle it }; InterlockedExchange.install('kernel32.dll', 'InterlockedExchange'); -InterlockedExchange.install('api-ms-win-core-interlocked-l1-1-0.dll', 'InterlockedExchange'); +InterlockedExchange.install('kernelbase.dll', 'InterlockedExchange'); /* ################################################################################################### @@ -2207,7 +2175,7 @@ DisableThreadLibraryCalls.OnCallBack = function (Emu, API,ret) { return true; }; DisableThreadLibraryCalls.install('kernel32.dll', 'DisableThreadLibraryCalls'); -DisableThreadLibraryCalls.install('api-ms-win-core-libraryloader-l1-1-0.dll', 'DisableThreadLibraryCalls'); +DisableThreadLibraryCalls.install('kernelbase.dll', 'DisableThreadLibraryCalls'); /* ################################################################################################### 
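Review bot: `InterlockedExchange.install('kernelbase.dll', 'InterlockedExchange')` restores kernelbase coverage for this hook, but the sibling InterlockedCompareExchange in the hunk just above only loses its apiset install, and the dedicated kernelbase InterlockedCompareExchange hook in kernelbase.js is deleted in this same commit — so kernelbase!InterlockedCompareExchange, which was hooked before, now has no handler unless the emulator resolves unhooked imports on its own. Suggest `InterlockedCompareExchange.install('kernelbase.dll', 'InterlockedCompareExchange');` next to its kernel32 install, mirroring what this hunk does for InterlockedExchange.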
@@ -2230,12 +2198,11 @@ GetStdHandle.OnCallBack = function (Emu, API,ret) { nStdHandle.toString(16) )); - Emu.SetReg(Emu.isx64 ? REG_RAX : REG_EAX, 0); + Emu.SetReg(Emu.isx64 ? REG_RAX : REG_EAX, 0xC0C0); Emu.SetReg(Emu.isx64 ? REG_RIP : REG_EIP, ret); return true; }; GetStdHandle.install('kernel32.dll', 'GetStdHandle'); -GetStdHandle.install('api-ms-win-core-processenvironment-l1-1-0.dll', 'GetStdHandle'); /* ################################################################################################### @@ -2264,7 +2231,6 @@ SetHandleCount.OnCallBack = function (Emu, API,ret) { return true; }; SetHandleCount.install('kernel32.dll', 'SetHandleCount'); -SetHandleCount.install('api-ms-win-core-misc-l1-1-0.dll', 'SetHandleCount'); /* ################################################################################################### @@ -2292,7 +2258,6 @@ GetFileType.OnCallBack = function (Emu, API,ret) { return true; }; GetFileType.install('kernel32.dll', 'GetFileType'); -GetFileType.install('api-ms-win-core-file-l1-1-0.dll', 'GetFileType'); /* ################################################################################################### diff --git a/Build/hooks/kernel32_threads.js b/Build/hooks/kernel32_threads.js index 3c38d3c..649741c 100644 --- a/Build/hooks/kernel32_threads.js +++ b/Build/hooks/kernel32_threads.js @@ -190,8 +190,7 @@ FlsAlloc.OnCallBack = function (Emu, API, ret) { }; FlsAlloc.install('kernel32.dll', 'FlsAlloc'); -FlsAlloc.install('api-ms-win-core-fibers-l1-1-0.dll', 'FlsAlloc'); -FlsAlloc.install('api-ms-win-core-fibers-l1-1-1.dll', 'FlsAlloc'); +FlsAlloc.install('kernelbase.dll', 'FlsAlloc'); /* ################################################################################################### 
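Review bot: `0xC0C0` is an unexplained magic value returned from GetStdHandle; the CRT will now treat stdin/stdout/stderr as valid and pass this value to GetFileType, WriteFile and similar calls, so those hooks have to recognise it (the GetFileType hook later in this file is not visible here, and with a non-zero handle the sample's console-output path is reached for the first time). Suggest a named constant with a comment, e.g. `var STD_PSEUDO_HANDLE = 0xC0C0; // fake handle for STD_INPUT/OUTPUT/ERROR; GetFileType/WriteFile hooks must accept it`, and using it in the `Emu.SetReg(...)` call so the coupling is discoverable.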
@@ -225,7 +224,6 @@ FlsFree.OnCallBack = function (Emu, API, ret) { }; FlsFree.install('kernel32.dll', 'FlsFree'); -FlsFree.install('api-ms-win-core-fibers-l1-1-0.dll', 'FlsFree'); /* ################################################################################################### @@ -264,8 +262,7 @@ FlsSetValue.OnCallBack = function (Emu, API, ret) { }; FlsSetValue.install('kernel32.dll', 'FlsSetValue'); -FlsSetValue.install('api-ms-win-core-fibers-l1-1-0.dll', 'FlsSetValue'); -FlsSetValue.install('api-ms-win-core-fibers-l1-1-1.dll', 'FlsSetValue'); +FlsSetValue.install('kernelbase.dll', 'FlsSetValue'); /* ################################################################################################### @@ -300,7 +297,6 @@ FlsGetValue.OnCallBack = function (Emu, API, ret) { }; FlsGetValue.install('kernel32.dll', 'FlsGetValue'); -FlsGetValue.install('api-ms-win-core-fibers-l1-1-0.dll', 'FlsGetValue'); /* ################################################################################################### @@ -322,7 +318,7 @@ GetLastError.OnCallBack = function (Emu, API, ret) { }; GetLastError.install('kernel32.dll', 'GetLastError'); -GetLastError.install('api-ms-win-core-errorhandling-l1-1-0.dll', 'GetLastError'); + /* ################################################################################################### ################################################################################################### @@ -344,7 +340,6 @@ SetLastError.OnCallBack = function (Emu, API, ret) { }; SetLastError.install('kernel32.dll', 'SetLastError'); -SetLastError.install('api-ms-win-core-errorhandling-l1-1-0.dll', 'SetLastError'); /* ################################################################################################### 
@@ -371,7 +366,6 @@ EnterCriticalSection.OnCallBack = function (Emu, API, ret) { }; EnterCriticalSection.install('kernel32.dll', 'EnterCriticalSection'); -EnterCriticalSection.install('api-ms-win-core-synch-l1-1-0.dll', 'EnterCriticalSection'); /* ################################################################################################### @@ -405,7 +399,6 @@ InterlockedIncrement.OnCallBack = function (Emu, API, ret) { }; InterlockedIncrement.install('kernel32.dll', 'InterlockedIncrement'); -InterlockedIncrement.install('api-ms-win-core-interlocked-l1-1-0.dll', 'InterlockedIncrement'); /* @@ -441,8 +434,6 @@ InterlockedDecrement.OnCallBack = function (Emu, API, ret) { }; InterlockedDecrement.install('kernel32.dll', 'InterlockedDecrement'); -InterlockedDecrement.install('api-ms-win-core-interlocked-l1-1-0.dll', 'InterlockedDecrement'); - /* ################################################################################################### @@ -469,7 +460,8 @@ LeaveCriticalSection.OnCallBack = function (Emu, API, ret) { }; LeaveCriticalSection.install('kernel32.dll', 'LeaveCriticalSection'); - +LeaveCriticalSection.install('ntdll.dll', 'RtlLeaveCriticalSection'); +LeaveCriticalSection.install('ntdll.dll', 'RtlEnterCriticalSection'); /* ################################################################################################### @@ -492,7 +484,7 @@ GetCurrentThreadId.OnCallBack = function (Emu, API, ret) { return true; }; GetCurrentThreadId.install('kernel32.dll', 'GetCurrentThreadId'); -GetCurrentThreadId.install('api-ms-win-core-processthreads-l1-1-0.dll', 'GetCurrentThreadId'); +GetCurrentThreadId.install('kernelbase.dll', 'GetCurrentThreadId'); /* ################################################################################################### 
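Review bot: The new `LeaveCriticalSection.install('ntdll.dll', 'RtlEnterCriticalSection')` binds the Leave callback to the Enter export; together with the deletion of the dedicated RtlEnterCriticalSection hook in ntdll.js, every ntdll enter call is now emulated by the Leave handler. If that callback is a pure pass-through (its body is above this hunk) the effect is only misleading to the next reader, but if it logs or tracks lock state it is wrong. Suggest either installing EnterCriticalSection's hook on `RtlEnterCriticalSection` instead, or a comment on this line stating that the two handlers are intentionally identical.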
@@ -515,7 +507,7 @@ GetCurrentProcess.OnCallBack = function (Emu, API, ret) { }; GetCurrentProcess.install('kernel32.dll', 'GetCurrentProcess'); -GetCurrentProcess.install('api-ms-win-core-processthreads-l1-1-0.dll', 'GetCurrentProcess'); +GetCurrentProcess.install('kernelbase.dll', 'GetCurrentProcess'); /* ################################################################################################### @@ -538,7 +530,8 @@ GetCurrentProcessId.OnCallBack = function (Emu, API, ret) { }; GetCurrentProcessId.install('kernel32.dll', 'GetCurrentProcessId'); -GetCurrentProcessId.install('api-ms-win-core-processthreads-l1-1-0.dll', 'GetCurrentProcessId'); +GetCurrentProcessId.install('kernelbase.dll', 'GetCurrentProcessId'); + /* ################################################################################################### ################################################################################################### diff --git a/Build/hooks/kernelbase.js b/Build/hooks/kernelbase.js index fdd546a..71083b9 100644 --- a/Build/hooks/kernelbase.js +++ b/Build/hooks/kernelbase.js @@ -22,19 +22,6 @@ KBGetThreadLocale.OnCallBack = function (Emu, API, ret) { KBGetThreadLocale.install('kernelbase.dll', 'GetThreadLocale'); -/* -################################################################################################### -################################################################################################### -*/ - -var InterlockedCompareExchange = new ApiHook(); -InterlockedCompareExchange.OnCallBack = function (Emu, API, ret) { - - // just let the library handle it :D - return true; -}; - -InterlockedCompareExchange.install('kernelbase.dll', 'InterlockedCompareExchange'); /* ################################################################################################### ################################################################################################### 
diff --git a/Build/hooks/msvcrt.js b/Build/hooks/msvcrt.js index 6fe07c1..1f3ecb6 100644 --- a/Build/hooks/msvcrt.js +++ b/Build/hooks/msvcrt.js @@ -741,7 +741,7 @@ Generic.install('msvcr90.dll', '_invalid_parameter'); Generic.install('msvcr90.dll', '_initptd'); Generic.install('msvcr90.dll', '_encoded_null'); - +Generic.install('msvcrt.dll', '_except_handler4_common'); Generic.install('vcruntime140.dll', '__telemetry_main_invoke_trigger'); @@ -752,7 +752,7 @@ Generic.install('ucrtbase.dll', '__p___argv'); Generic.install('ucrtbase.dll', '__p___argc'); - +Generic.install('ucrtbase.dll', '__report_gsfailure'); /* ################################################################################################### diff --git a/Build/hooks/ntdll.js b/Build/hooks/ntdll.js index e84d44f..29b7884 100644 --- a/Build/hooks/ntdll.js +++ b/Build/hooks/ntdll.js @@ -224,7 +224,6 @@ DeleteCriticalSection.OnCallBack = function (Emu, API, ret) { }; DeleteCriticalSection.install('kernelbase.dll', 'DeleteCriticalSection'); DeleteCriticalSection.install('kernel32.dll', 'DeleteCriticalSection'); -DeleteCriticalSection.install('api-ms-win-core-synch-l1-1-0.dll', 'DeleteCriticalSection'); /* ################################################################################################### 
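Review bot: Routing `__report_gsfailure` through the `Generic` hook silences the /GS stack-cookie failure path: if Generic simply returns to the caller (its body is not in this diff), a sample whose cookie check fails — a memory-corruption signal worth surfacing during analysis, and possibly a symptom of an emulation inaccuracy — continues executing as if nothing happened. Suggest hooking it like ExitProcess in kernel32.js instead, logging the event and calling `Emu.Stop()`, so the failure is visible in the trace rather than swallowed. The same applies more mildly to `_except_handler4_common`, which the CRT only reaches when an exception is being dispatched.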
@@ -241,21 +240,13 @@ InitializeSRWLock.OnCallBack = function (Emu, API, ret) { InitializeSRWLock.install('ntdll.dll', 'InitializeSRWLock'); InitializeSRWLock.install('kernel32.dll', 'InitializeSRWLock'); -InitializeSRWLock.install('api-ms-win-core-synch-l1-1-0.dll', 'InitializeSRWLock'); /* ################################################################################################### ################################################################################################### */ -var RtlEnterCriticalSection = new ApiHook(); -RtlEnterCriticalSection.OnCallBack = function (Emu, API, ret) { - // just let the library handle it :D - return true; -}; - -RtlEnterCriticalSection.install('ntdll.dll', 'RtlEnterCriticalSection'); /* ################################################################################################### ################################################################################################### @@ -457,7 +448,9 @@ ntdll_Gen.install('ntdll.dll', 'RtlSetUnhandledExceptionFilter'); ntdll_Gen.install('ntdll.dll', 'RtlCreateTagHeap'); ntdll_Gen.install('ntdll.dll', 'InterlockedPushListSList'); -ntdll_Gen.install('api-ms-win-core-interlocked-l1-1-0.dll', 'InterlockedPushListSList'); + +ntdll_Gen.install('ntdll.dll', 'RtlGetNtGlobalFlags'); + diff --git a/Build/libraries/linux/libZydis.a b/Build/libraries/linux/libZydis.a new file mode 100644 index 0000000..c8d3583 Binary files /dev/null and b/Build/libraries/linux/libZydis.a differ diff --git a/Build/libraries/linux/libcapstone.a b/Build/libraries/linux/libcapstone.a deleted file mode 100644 index b82d305..0000000 Binary files a/Build/libraries/linux/libcapstone.a and /dev/null differ diff --git a/Build/libraries/win32/capstone32.dll b/Build/libraries/win32/capstone32.dll deleted file mode 100644 index 594f519..0000000 Binary files a/Build/libraries/win32/capstone32.dll and /dev/null differ 
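Review bot: `RtlGetNtGlobalFlags` is added to the `ntdll_Gen` catch-all, whose return value is not visible in this diff; NtGlobalFlag is a standard debugger/heap-flag probe, so whatever that generic hook leaves in EAX/RAX directly decides which branch the sample takes, and the call is not recorded as such. Suggest a dedicated hook that sets the return register to 0 and logs the call, mirroring the IsDebuggerPresent hook in kernel32.js, so the probe is both neutralised and visible in the trace.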
diff --git a/Build/libraries/win32/libZydis32.a b/Build/libraries/win32/libZydis32.a new file mode 100644 index 0000000..213ac1f Binary files /dev/null and b/Build/libraries/win32/libZydis32.a differ diff --git a/Build/libraries/win64/capstone64.dll b/Build/libraries/win64/capstone64.dll deleted file mode 100644 index 48dbbe2..0000000 Binary files a/Build/libraries/win64/capstone64.dll and /dev/null differ diff --git a/Build/libraries/win64/libZydis64.a b/Build/libraries/win64/libZydis64.a new file mode 100644 index 0000000..c628d0c Binary files /dev/null and b/Build/libraries/win64/libZydis64.a differ diff --git a/Cmulator.lpi b/Cmulator.lpi index fac7a12..57cf494 100644 --- a/Cmulator.lpi +++ b/Cmulator.lpi @@ -11,12 +11,13 @@ + <UseAppBundle Value="False"/> <ResourceType Value="res"/> </General> <MacroValues Count="1"> <Macro1 Name="LCLWidgetType" Value="nogui"/> </MacroValues> - <BuildModes Count="6"> + <BuildModes Count="8"> <Item1 Name="Debug_linux" Default="True"/> <Item2 Name="Release_linux"> <MacroValues Count="1"> @@ -29,7 +30,7 @@ </Target> <SearchPaths> <IncludeFiles Value="$(ProjOutDir)"/> - <OtherUnitFiles Value="Core;Core/JS;Core/PE;Core/pesp;Core/Crypto;Core/unicorn;Core/Capstone;Core/generics_collections/src;Core/process;Core/GUI;Core/JSON"/> + <OtherUnitFiles Value="Core;Core/JS;Core/PE;Core/pesp;Core/Crypto;Core/unicorn;Core/Zydis;Core/generics_collections/src;Core/process;Core/GUI;Core/JSON;Build/libraries/linux"/> <UnitOutputDirectory Value="lib/$(TargetCPU)-$(TargetOS)"/> </SearchPaths> <Parsing> @@ -40,6 +41,8 @@ </Parsing> <CodeGeneration> <SmartLinkUnit Value="True"/> + <TargetCPU Value="x86_64"/> + <TargetOS Value="linux"/> <Optimizations> <OptimizationLevel Value="3"/> </Optimizations> @@ -50,6 +53,11 @@ </Debugging> <LinkSmart Value="True"/> </Linking> + <Other> + <ConfigFile> + <ConfigFilePath Value="/sw/etc/fpc.cfg"/> + </ConfigFile> + </Other> </CompilerOptions> </Item2> <Item3 Name="OSX_Release"> 
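Review bot: The `Release_linux` mode now carries `<ConfigFilePath Value="/sw/etc/fpc.cfg"/>`, an absolute path from one developer's machine; on any other checkout the compiler reads a missing or different config, and a release mode is where that surprise is least welcome. Suggest dropping the `<Other><ConfigFile>` element (the compiler locates the default fpc.cfg itself) or, if a custom config is genuinely needed, committing it and referencing it through a project-relative Lazarus macro like the `$(ProjOutDir)` this file already uses.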
@@ -63,7 +71,7 @@ </Target> <SearchPaths> <IncludeFiles Value="$(ProjOutDir)"/> - <OtherUnitFiles Value="Core;Core/JS;Core/PE;Core/pesp;Core/Crypto;Core/unicorn;Core/Capstone;Core/generics_collections/src;Core/process;Core/GUI;Core/JSON"/> + <OtherUnitFiles Value="Core;Core/JS;Core/PE;Core/pesp;Core/Crypto;Core/generics_collections/src;Core/unicorn;Core/process;Core/Zydis;Core/GUI;Core/JSON;Build/libraries/osx"/> <UnitOutputDirectory Value="lib/$(TargetCPU)-$(TargetOS)"/> </SearchPaths> <Parsing> @@ -98,7 +106,7 @@ </Target> <SearchPaths> <IncludeFiles Value="$(ProjOutDir)"/> - <OtherUnitFiles Value="Core;Core/JS;Core/PE;Core/pesp;Core/Crypto;Core/unicorn;Core/Zydis;Core/generics_collections/src;Core/process;Core/GUI;Core/JSON"/> + <OtherUnitFiles Value="Core;Core/JS;Core/PE;Core/pesp;Core/Crypto;Core/unicorn;Core/Zydis;Core/generics_collections/src;Core/process;Core/GUI;Core/JSON;Build/libraries/osx"/> <UnitOutputDirectory Value="lib/$(TargetCPU)-$(TargetOS)"/> </SearchPaths> <Parsing> @@ -109,6 +117,9 @@ </Parsing> <CodeGeneration> <SmartLinkUnit Value="True"/> + <Optimizations> + <OptimizationLevel Value="0"/> + </Optimizations> </CodeGeneration> <Linking> <Debugging> @@ -121,7 +132,10 @@ </Linking> </CompilerOptions> </Item4> - <Item5 Name="Debug_windows"> + <Item5 Name="Debug_windows_x32"> + <MacroValues Count="1"> + <Macro1 Name="LCLWidgetType" Value="nogui"/> + </MacroValues> <CompilerOptions> <Version Value="11"/> <Target> @@ -129,7 +143,7 @@ </Target> <SearchPaths> <IncludeFiles Value="$(ProjOutDir)"/> - <OtherUnitFiles Value="Core;Core/JS;Core/PE;Core/pesp;Core/Crypto;Core/unicorn;Core/Capstone;Core/generics_collections/src;Core/process;Core/GUI;Core/JSON"/> + <OtherUnitFiles Value="Core;Core/JS;Core/PE;Core/pesp;Core/Crypto;Core/unicorn;Core/Zydis;Core/generics_collections/src;Core/process;Core/GUI;Core/JSON;Build/libraries/win64"/> <UnitOutputDirectory Value="lib/$(TargetCPU)-$(TargetOS)"/> </SearchPaths> <Parsing> 
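Review bot: `Debug_windows_x32` (Item5) now searches `Build/libraries/win64`, while its sibling `Release_windows_x32` (Item6, next hunk) uses `Build/libraries/win32`; a 32-bit build will presumably fail to link against the 64-bit libZydis archive, or pick the wrong one if both resolve. Suggest `Build/libraries/win32` here, matching Item6. The same copy-paste pattern shows up in the new Item7 `Debug_windows_x64`, whose output `<Filename Value="Build/win/32/Cmulator"/>` points at the 32-bit directory although Item8 `Release_windows_x64` writes to `Build/win/64/Cmulator`.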
@@ -159,7 +173,10 @@ </Linking> </CompilerOptions> </Item5> - <Item6 Name="Release_windows"> + <Item6 Name="Release_windows_x32"> + <MacroValues Count="1"> + <Macro1 Name="LCLWidgetType" Value="nogui"/> + </MacroValues> <CompilerOptions> <Version Value="11"/> <Target> @@ -167,7 +184,7 @@ </Target> <SearchPaths> <IncludeFiles Value="$(ProjOutDir)"/> - <OtherUnitFiles Value="Core;Core/JS;Core/PE;Core/pesp;Core/Crypto;Core/unicorn;Core/Capstone;Core/generics_collections/src;Core/process;Core/GUI;Core/JSON"/> + <OtherUnitFiles Value="Core;Core/JS;Core/PE;Core/pesp;Core/Crypto;Core/unicorn;Core/Zydis;Core/generics_collections/src;Core/process;Core/GUI;Core/JSON;Build/libraries/win32"/> <UnitOutputDirectory Value="lib/$(TargetCPU)-$(TargetOS)"/> </SearchPaths> <Parsing> @@ -178,7 +195,8 @@ </Parsing> <CodeGeneration> <SmartLinkUnit Value="True"/> - <TargetCPU Value="x86_64"/> + <TargetCPU Value="i386"/> + <TargetOS Value="win32"/> <Optimizations> <OptimizationLevel Value="3"/> </Optimizations> 
@@ -191,9 +209,86 @@ </Linking> </CompilerOptions> </Item6> + <Item7 Name="Debug_windows_x64"> + <MacroValues Count="1"> + <Macro1 Name="LCLWidgetType" Value="nogui"/> + </MacroValues> + <CompilerOptions> + <Version Value="11"/> + <Target> + <Filename Value="Build/win/32/Cmulator"/> + </Target> + <SearchPaths> + <IncludeFiles Value="$(ProjOutDir)"/> + <OtherUnitFiles Value="Core;Core/JS;Core/PE;Core/pesp;Core/Crypto;Core/unicorn;Core/Zydis;Core/generics_collections/src;Core/process;Core/GUI;Core/JSON;Build/libraries/win64"/> + <UnitOutputDirectory Value="lib/$(TargetCPU)-$(TargetOS)"/> + </SearchPaths> + <Parsing> + <SyntaxOptions> + <SyntaxMode Value="Delphi"/> + <IncludeAssertionCode Value="True"/> + <CStyleMacros Value="True"/> + </SyntaxOptions> + </Parsing> + <CodeGeneration> + <Checks> + <IOChecks Value="True"/> + <RangeChecks Value="True"/> + <OverflowChecks Value="True"/> + <StackChecks Value="True"/> + </Checks> + <VerifyObjMethodCallValidity Value="True"/> + <TargetCPU Value="x86_64"/> + </CodeGeneration> + <Linking> + <Debugging> + <DebugInfoType Value="dsDwarf2Set"/> + <UseHeaptrc Value="True"/> + <TrashVariables Value="True"/> + <UseExternalDbgSyms Value="True"/> + </Debugging> + </Linking> + </CompilerOptions> + </Item7> + <Item8 Name="Release_windows_x64"> + <MacroValues Count="1"> + <Macro1 Name="LCLWidgetType" Value="nogui"/> + </MacroValues> + <CompilerOptions> + <Version Value="11"/> + <Target> + <Filename Value="Build/win/64/Cmulator"/> + </Target> + <SearchPaths> + <IncludeFiles Value="$(ProjOutDir)"/> + <OtherUnitFiles Value="Core;Core/JS;Core/PE;Core/pesp;Core/Crypto;Core/unicorn;Core/Zydis;Core/generics_collections/src;Core/process;Core/GUI;Core/JSON;Build/libraries/win64"/> + <UnitOutputDirectory Value="lib/$(TargetCPU)-$(TargetOS)"/> + </SearchPaths> + <Parsing> + <SyntaxOptions> + <SyntaxMode Value="Delphi"/> + <CStyleMacros Value="True"/> + </SyntaxOptions> + </Parsing> + <CodeGeneration> + <SmartLinkUnit Value="True"/> + <TargetCPU 
Value="x86_64"/> + <TargetOS Value="win64"/> + <Optimizations> + <OptimizationLevel Value="3"/> + </Optimizations> + </CodeGeneration> + <Linking> + <Debugging> + <GenerateDebugInfo Value="False"/> + </Debugging> + <LinkSmart Value="True"/> + </Linking> + </CompilerOptions> + </Item8> <SharedMatrixOptions Count="2"> - <Item1 ID="917770631570" Modes="Debug_linux,Release_linux,OSX_Release,OSX_Debug" Type="IDEMacro" MacroName="LCLWidgetType" Value="nogui"/> - <Item2 ID="547003491806" Modes="OSX_Debug" Value="-Fl/Users/Coldzer0/cold/DISASM/Cmulator/Build/OSX"/> + <Item1 ID="917770631570" Modes="Debug_linux,Release_linux,OSX_Release,OSX_Debug,Debug_windows_x32,Release_windows_x32,Debug_windows_x64,Release_windows_x64" Type="IDEMacro" MacroName="LCLWidgetType" Value="nogui"/> + <Item2 ID="741569211698" Modes="Release_linux" Value="-st"/> </SharedMatrixOptions> </BuildModes> <PublishOptions> @@ -201,13 +296,13 @@ </PublishOptions> <RunParams> <local> - <CommandLineParams Value="-f ../../samples/obfuscated/obfuscated.exe -ex"/> + <CommandLineParams Value="-f ../../samples/AntiDebugDownloader.exe"/> </local> <FormatVersion Value="2"/> <Modes Count="1"> <Mode0 Name="default"> <local> - <CommandLineParams Value="-f ../../samples/obfuscated/obfuscated.exe -ex"/> + <CommandLineParams Value="-f ../../samples/AntiDebugDownloader.exe"/> </local> </Mode0> </Modes> @@ -304,7 +399,7 @@ </Target> <SearchPaths> <IncludeFiles Value="$(ProjOutDir)"/> - <OtherUnitFiles Value="Core;Core/JS;Core/PE;Core/pesp;Core/Crypto;Core/unicorn;Core/Capstone;Core/generics_collections/src;Core/process;Core/GUI;Core/JSON"/> + <OtherUnitFiles Value="Core;Core/JS;Core/PE;Core/pesp;Core/Crypto;Core/unicorn;Core/Zydis;Core/generics_collections/src;Core/process;Core/GUI;Core/JSON"/> <UnitOutputDirectory Value="lib/$(TargetCPU)-$(TargetOS)"/> </SearchPaths> <Parsing> diff --git a/Cmulator.lps b/Cmulator.lps index a731a47..88fbdcb 100644 --- a/Cmulator.lps +++ b/Cmulator.lps 
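Review bot: Debug_windows_x64 (Item7 in the hunk at -191) writes its executable to `<Filename Value="Build/win/32/Cmulator"/>`, the output directory of the 32-bit modes, while Release_windows_x64 uses `Build/win/64/Cmulator`; a 64-bit debug build will overwrite or be mistaken for the 32-bit binary. Item7 also sets `<TargetCPU Value="x86_64"/>` without a `<TargetOS Value="win64"/>`, which Item8 and the i386 mode (`win32`) both specify, so the target OS of the debug build presumably falls back to the host default. Change the filename to `<Filename Value="Build/win/64/Cmulator"/>` and add `<TargetOS Value="win64"/>` next to the TargetCPU element.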
@@ -2,13 +2,13 @@ <CONFIG> <ProjectSession> <Version Value="11"/> - <BuildModes Active="OSX_Debug"/> + <BuildModes Active="OSX_Release"/> <Units Count="28"> <Unit0> <Filename Value="Cmulator.pas"/> <IsPartOfProject Value="True"/> - <TopLine Value="81"/> - <CursorPos X="32" Y="207"/> + <TopLine Value="207"/> + <CursorPos X="5" Y="226"/> <UsageCount Value="201"/> <Loaded Value="True"/> <DefaultSyntaxHighlighter Value="Delphi"/> @@ -17,11 +17,9 @@ <Filename Value="Core/emu.pas"/> <IsPartOfProject Value="True"/> <UnitName Value="Emu"/> - <IsVisibleTab Value="True"/> <EditorIndex Value="1"/> - <TopLine Value="737"/> - <CursorPos X="8" Y="750"/> - <FoldState Value=" T3k50A02221 piatD0t T0z52M0512"/> + <TopLine Value="1395"/> + <CursorPos X="30" Y="1400"/> <UsageCount Value="210"/> <Loaded Value="True"/> <DefaultSyntaxHighlighter Value="Delphi"/> @@ -41,8 +39,8 @@ <IsPartOfProject Value="True"/> <UnitName Value="Utils"/> <EditorIndex Value="7"/> - <TopLine Value="22"/> - <CursorPos X="21" Y="32"/> + <TopLine Value="51"/> + <CursorPos X="16" Y="61"/> <UsageCount Value="224"/> <Loaded Value="True"/> <DefaultSyntaxHighlighter Value="Delphi"/> @@ -68,9 +66,8 @@ <IsPartOfProject Value="True"/> <UnitName Value="PE_Loader"/> <EditorIndex Value="4"/> - <TopLine Value="412"/> - <CursorPos X="57" Y="420"/> - <FoldState Value=" T3e0d0132 p0tB0,031v"/> + <TopLine Value="689"/> + <CursorPos X="42" Y="702"/> <UsageCount Value="210"/> <Loaded Value="True"/> <DefaultSyntaxHighlighter Value="Delphi"/> @@ -79,9 +76,9 @@ <Filename Value="Core/fnhook.pas"/> <IsPartOfProject Value="True"/> <UnitName Value="FnHook"/> - <EditorIndex Value="6"/> - <TopLine Value="57"/> - <CursorPos X="3" Y="55"/> + <EditorIndex Value="8"/> + <TopLine Value="18"/> + <CursorPos X="22" Y="28"/> <UsageCount Value="201"/> <Loaded Value="True"/> <DefaultSyntaxHighlighter Value="Delphi"/> 
@@ -91,8 +88,8 @@ <IsPartOfProject Value="True"/> <UnitName Value="Globals"/> <EditorIndex Value="-1"/> - <TopLine Value="17"/> - <CursorPos X="21" Y="33"/> + <TopLine Value="19"/> + <CursorPos X="3" Y="31"/> <UsageCount Value="212"/> <DefaultSyntaxHighlighter Value="Delphi"/> </Unit8> @@ -100,9 +97,8 @@ <Filename Value="Core/jsplugins_bengine.pas"/> <IsPartOfProject Value="True"/> <UnitName Value="JSPlugins_BEngine"/> - <EditorIndex Value="2"/> - <TopLine Value="254"/> - <CursorPos X="83" Y="261"/> + <EditorIndex Value="5"/> + <TopLine Value="57"/> <UsageCount Value="200"/> <Loaded Value="True"/> <DefaultSyntaxHighlighter Value="Delphi"/> 
@@ -164,222 +160,217 @@ <Unit16> <Filename Value="Core/jsemuobj.pas"/> <UnitName Value="JSEmuObj"/> - <EditorIndex Value="3"/> - <TopLine Value="60"/> - <CursorPos X="24" Y="12"/> - <FoldState Value=" T3iQ0Og"/> - <UsageCount Value="96"/> + <EditorIndex Value="6"/> + <TopLine Value="264"/> + <CursorPos X="42" Y="271"/> + <UsageCount Value="114"/> <Loaded Value="True"/> <DefaultSyntaxHighlighter Value="Delphi"/> </Unit16> <Unit17> - <Filename Value="Core/JS/BESENObject.pas"/> + <Filename Value="Core/besenunits.inc"/> <EditorIndex Value="-1"/> - <TopLine Value="1554"/> - <CursorPos X="115" Y="1557"/> - <UsageCount Value="46"/> + <TopLine Value="73"/> + <CursorPos X="3" Y="89"/> + <UsageCount Value="212"/> <DefaultSyntaxHighlighter Value="Delphi"/> </Unit17> <Unit18> - <Filename Value="Core/besenunits.inc"/> - <EditorIndex Value="-1"/> - <TopLine Value="72"/> - <CursorPos X="3" Y="87"/> - <UsageCount Value="31"/> + <Filename Value="Core/unicorn/Unicorn_dyn.pas"/> + <EditorIndex Value="3"/> + <TopLine Value="666"/> + <CursorPos X="46" Y="679"/> + <UsageCount Value="14"/> + <Loaded Value="True"/> <DefaultSyntaxHighlighter Value="Delphi"/> </Unit18> <Unit19> - <Filename Value="Core/JS/BESENCodeContext.pas"/> - <EditorIndex Value="-1"/> - <TopLine Value="856"/> - <CursorPos X="66" Y="870"/> - <UsageCount Value="30"/> - <DefaultSyntaxHighlighter Value="Delphi"/> - </Unit19> - <Unit20> - <Filename Value="Core/unicorn/Unicorn_dyn.pas"/> - <EditorIndex Value="-1"/> - <TopLine Value="219"/> - <CursorPos X="3" Y="230"/> - <UsageCount Value="9"/> - <DefaultSyntaxHighlighter Value="Delphi"/> - </Unit20> - <Unit21> <Filename Value="Core/PE/PE.ExportSym.pas"/> - <EditorIndex Value="5"/> + <EditorIndex Value="-1"/> <TopLine Value="14"/> <CursorPos X="5" Y="24"/> - <UsageCount Value="116"/> - <Loaded Value="True"/> + <UsageCount Value="73"/> <DefaultSyntaxHighlighter Value="Delphi"/> - </Unit21> - <Unit22> + </Unit19> + <Unit20> <Filename Value="Core/PE/PE.Common.pas"/> <EditorIndex 
Value="-1"/> <TopLine Value="133"/> <CursorPos X="3" Y="144"/> - <UsageCount Value="116"/> + <UsageCount Value="18"/> <DefaultSyntaxHighlighter Value="Delphi"/> - </Unit22> - <Unit23> + </Unit20> + <Unit21> <Filename Value="/usr/local/share/fpcsrc/rtl/objpas/sysutils/syshelph.inc"/> <EditorIndex Value="-1"/> <TopLine Value="141"/> <CursorPos X="128" Y="149"/> - <UsageCount Value="116"/> - </Unit23> - <Unit24> + <UsageCount Value="18"/> + </Unit21> + <Unit22> <Filename Value="/usr/local/share/fpcsrc/packages/rtl-objpas/src/inc/strutils.pp"/> <EditorIndex Value="-1"/> <TopLine Value="143"/> <CursorPos X="27" Y="177"/> - <UsageCount Value="116"/> + <UsageCount Value="18"/> + </Unit22> + <Unit23> + <Filename Value="Core/Zydis/Zydis.Formatter.pas"/> + <EditorIndex Value="-1"/> + <TopLine Value="21"/> + <UsageCount Value="197"/> + <DefaultSyntaxHighlighter Value="Delphi"/> + </Unit23> + <Unit24> + <Filename Value="Core/Zydis/Zydis.pas"/> + <IsVisibleTab Value="True"/> + <EditorIndex Value="2"/> + <TopLine Value="1129"/> + <CursorPos X="15" Y="1140"/> + <UsageCount Value="212"/> + <Loaded Value="True"/> + <DefaultSyntaxHighlighter Value="Delphi"/> </Unit24> <Unit25> - <Filename Value="Core/PE/PE.Types.Relocations.pas"/> + <Filename Value="Core/Crypto/xxhash.pas"/> + <UnitName Value="xxHash"/> <EditorIndex Value="-1"/> - <TopLine Value="33"/> - <CursorPos X="3" Y="44"/> - <UsageCount Value="9"/> + <TopLine Value="155"/> + <CursorPos X="69" Y="164"/> + <UsageCount Value="109"/> <DefaultSyntaxHighlighter Value="Delphi"/> </Unit25> <Unit26> - <Filename Value="Core/JS/BESENObjectStringPrototype.pas"/> + <Filename Value="/usr/local/share/fpcsrc/rtl/inc/dynlibs.pas"/> <EditorIndex Value="-1"/> - <TopLine Value="18"/> - <CursorPos X="26" Y="29"/> - <UsageCount Value="10"/> - <DefaultSyntaxHighlighter Value="Delphi"/> + <TopLine Value="44"/> + <CursorPos X="10" Y="53"/> + <UsageCount Value="9"/> </Unit26> <Unit27> - <Filename Value="Core/JS/BESENObjectErrorConstructor.pas"/> + 
<Filename Value="/Developer/lazarus/packager/registration/fcllaz.pas"/> <EditorIndex Value="-1"/> - <TopLine Value="18"/> - <CursorPos X="26" Y="29"/> + <CursorPos X="3" Y="11"/> <UsageCount Value="10"/> - <DefaultSyntaxHighlighter Value="Delphi"/> </Unit27> </Units> <JumpHistory Count="30" HistoryIndex="29"> <Position1> - <Filename Value="Core/pe_loader.pas"/> - <Caret Line="731" Column="18" TopLine="719"/> + <Filename Value="Core/emu.pas"/> + <Caret Line="1096" Column="15" TopLine="1086"/> </Position1> <Position2> - <Filename Value="Core/jsemuobj.pas"/> - <Caret Line="271" TopLine="265"/> + <Filename Value="Core/emu.pas"/> + <Caret Line="128" Column="23" TopLine="120"/> </Position2> <Position3> - <Filename Value="Core/pe_loader.pas"/> - <Caret Line="438" Column="50" TopLine="420"/> + <Filename Value="Core/emu.pas"/> + <Caret Line="1043" Column="27" TopLine="1033"/> </Position3> <Position4> <Filename Value="Core/pe_loader.pas"/> - <Caret Line="411" Column="58" TopLine="402"/> + <Caret Line="113" Column="56" TopLine="104"/> </Position4> <Position5> <Filename Value="Core/pe_loader.pas"/> - <Caret Line="412" Column="45" TopLine="406"/> + <Caret Line="666" Column="26" TopLine="660"/> </Position5> <Position6> <Filename Value="Core/pe_loader.pas"/> - <Caret Line="119" Column="37" TopLine="109"/> + <Caret Line="701" Column="29" TopLine="685"/> </Position6> <Position7> <Filename Value="Core/pe_loader.pas"/> - <Caret Line="271" Column="31" TopLine="254"/> + <Caret Line="666" Column="26" TopLine="663"/> </Position7> <Position8> <Filename Value="Core/pe_loader.pas"/> - <Caret Line="412" Column="45" TopLine="395"/> + <Caret Line="28" Column="26" TopLine="18"/> </Position8> <Position9> <Filename Value="Core/pe_loader.pas"/> - <Caret Line="523" Column="37" TopLine="506"/> + <Caret Line="666" Column="26" TopLine="650"/> </Position9> <Position10> <Filename Value="Core/pe_loader.pas"/> - <Caret Line="721" Column="37" TopLine="704"/> + <Caret Line="28" Column="26" TopLine="18"/> 
</Position10> <Position11> <Filename Value="Core/pe_loader.pas"/> - <Caret Line="119" Column="37" TopLine="109"/> + <Caret Line="666" Column="26" TopLine="650"/> </Position11> <Position12> <Filename Value="Core/pe_loader.pas"/> - <Caret Line="271" Column="31" TopLine="254"/> + <Caret Line="22" Column="30" TopLine="18"/> </Position12> <Position13> <Filename Value="Core/pe_loader.pas"/> - <Caret Line="429" Column="73" TopLine="413"/> + <Caret Line="701" Column="29" TopLine="690"/> </Position13> <Position14> <Filename Value="Core/emu.pas"/> - <Caret Line="1092" Column="16" TopLine="769"/> + <Caret Line="1105" Column="14" TopLine="1098"/> </Position14> <Position15> - <Filename Value="Core/emu.pas"/> - <Caret Line="548" Column="16" TopLine="539"/> + <Filename Value="Core/pe_loader.pas"/> + <Caret Line="28" Column="26" TopLine="19"/> </Position15> <Position16> <Filename Value="Core/emu.pas"/> - <Caret Line="473" Column="10" TopLine="537"/> + <Caret Line="1105" Column="14" TopLine="1098"/> </Position16> <Position17> <Filename Value="Core/emu.pas"/> - <Caret Line="463" Column="19" TopLine="452"/> </Position17> <Position18> - <Filename Value="Core/emu.pas"/> - <Caret Line="221" Column="54" TopLine="211"/> + <Filename Value="Core/unicorn/Unicorn_dyn.pas"/> </Position18> <Position19> - <Filename Value="Core/emu.pas"/> - <Caret Line="539" Column="55" TopLine="522"/> + <Filename Value="Core/unicorn/Unicorn_dyn.pas"/> + <Caret Line="586" Column="59" TopLine="576"/> </Position19> <Position20> - <Filename Value="Core/emu.pas"/> - <Caret Line="561" Column="57" TopLine="758"/> + <Filename Value="Core/unicorn/Unicorn_dyn.pas"/> + <Caret Line="35" Column="16" TopLine="25"/> </Position20> <Position21> - <Filename Value="Core/emu.pas"/> - <Caret Line="1000" Column="32" TopLine="988"/> + <Filename Value="Core/unicorn/Unicorn_dyn.pas"/> + <Caret Line="29" Column="16" TopLine="25"/> </Position21> <Position22> - <Filename Value="Core/emu.pas"/> - <Caret Line="268" Column="10" 
TopLine="280"/> + <Filename Value="Core/unicorn/Unicorn_dyn.pas"/> + <Caret Line="32" Column="16" TopLine="25"/> </Position22> <Position23> - <Filename Value="Core/emu.pas"/> - <Caret Line="147" Column="20" TopLine="133"/> + <Filename Value="Core/unicorn/Unicorn_dyn.pas"/> + <Caret Line="35" Column="16" TopLine="25"/> </Position23> <Position24> - <Filename Value="Core/emu.pas"/> - <Caret Line="289" Column="24" TopLine="272"/> + <Filename Value="Core/unicorn/Unicorn_dyn.pas"/> + <Caret Line="672" Column="39" TopLine="666"/> </Position24> <Position25> <Filename Value="Core/emu.pas"/> - <Caret Line="309" Column="24" TopLine="292"/> + <Caret Line="147" Column="25" TopLine="134"/> </Position25> <Position26> - <Filename Value="Core/emu.pas"/> - <Caret Line="886" Column="17" TopLine="869"/> + <Filename Value="Core/Zydis/Zydis.pas"/> </Position26> <Position27> - <Filename Value="Core/emu.pas"/> - <Caret Line="891" Column="17" TopLine="874"/> + <Filename Value="Core/Zydis/Zydis.pas"/> + <Caret Line="1434" TopLine="1422"/> </Position27> <Position28> <Filename Value="Core/emu.pas"/> - <Caret Line="263" Column="26" TopLine="253"/> + <Caret Line="1400" Column="30" TopLine="1395"/> </Position28> <Position29> - <Filename Value="Core/emu.pas"/> - <Caret Line="92" Column="26" TopLine="83"/> + <Filename Value="Core/Zydis/Zydis.pas"/> + <Caret Line="972" Column="19" TopLine="1199"/> </Position29> <Position30> - <Filename Value="Core/emu.pas"/> - <Caret Line="263" Column="26" TopLine="246"/> + <Filename Value="Core/Zydis/Zydis.pas"/> + <Caret Line="1669" Column="5" TopLine="1224"/> </Position30> </JumpHistory> <RunParams> diff --git a/Cmulator.pas b/Cmulator.pas index 72dd9fb..338642d 100644 --- a/Cmulator.pas +++ b/Cmulator.pas 
@@ -73,16 +73,26 @@ procedure LoadConfig(); JSON : ISuperObject; data : string; begin - conf := TStringList.Create; + if FileExists('./config.json') then begin + conf := TStringList.Create; conf.LoadFromFile('./config.json'); data := conf.Text; + conf.free; + JSON := SO(UnicodeString(data)); win32 := JSON.S['system.win32']; win64 := JSON.S['system.win64']; JSAPI := JSON.S['JS.main']; + ApiSetSchemaPath := JSON.S['system.Apiset']; + + if not FileExists(ApiSetSchemaPath) then + begin + Writeln('ApiSetSchema JSON file not found - Check the config file !'); + halt; + end; if not FileExists(JSAPI) then begin diff --git a/Core/Zydis/Zydis.pas b/Core/Zydis/Zydis.pas index 5492809..15659ec 100644 --- a/Core/Zydis/Zydis.pas +++ b/Core/Zydis/Zydis.pas @@ -32,12 +32,6 @@ interface {$IFDEF FPC} {$MODE DELPHI} - {$IFDEF ZYDIS_DYNAMIC_LINK} - {$LinkLib zydis} - {$ELSE} - {$Link ../libraries/osx/libZydis.a} - {$ENDIF} - {$ENDIF} {* ============================================================================================== *} 
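Review bot: The new missing-schema branch in LoadConfig ends with a bare `halt;`, which terminates with exit status 0 right after printing an error, so anything driving the emulator from a script cannot tell this failure from success; the other fatal paths in this change (FixDllImports and load_sys_dll in pe_loader.pas) use `halt(-1)`. Use `halt(-1);` here for consistency. Note also that the added `if FileExists('./config.json') then begin` opens a block whose `end` and any else-branch lie outside the hunk, so whether a missing config.json is reported at all cannot be judged from here.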
@@ -1137,35 +1131,25 @@ TZydisFormatter = record {$ENDIF} ZYDIS_SYMBOL_PREFIX = ''; {$ELSE} - {$IFDEF CPUX86} const - ZYDIS_SYMBOL_PREFIX = '_'; - {$L '../Bin32/Decoder.obj'} - {$L '../Bin32/DecoderData.obj'} - {$L '../Bin32/Formatter.obj'} - {$L '../Bin32/MetaInfo.obj'} - {$L '../Bin32/Mnemonic.obj'} - {$L '../Bin32/Register.obj'} - {$L '../Bin32/SharedData.obj'} - {$L '../Bin32/String.obj'} - {$L '../Bin32/Utils.obj'} - {$L '../Bin32/Zydis.obj'} +ZYDIS_SYMBOL_PREFIX = ''; + {$IFDEF Darwin} + {$IFDEF CPUX64} + {$LinkLib './Build/libraries/osx/libZydis.a'} + {$ENDIF} {$ENDIF} - {$IFDEF CPUX64} -const - ZYDIS_SYMBOL_PREFIX = ''; - {$IFDEF Windows} - {$L '../Bin64/Decoder.obj'} - {$L '../Bin64/DecoderData.obj'} - {$L '../Bin64/Formatter.obj'} - {$L '../Bin64/MetaInfo.obj'} - {$L '../Bin64/Mnemonic.obj'} - {$L '../Bin64/Register.obj'} - {$L '../Bin64/SharedData.obj'} - {$L '../Bin64/String.obj'} - {$L '../Bin64/Utils.obj'} - {$L '../Bin64/Zydis.obj'} + {$IFDEF linux} + {$IFDEF CPUX64} + {$LinkLib './Build/libraries/linux/libZydis.a'} + {$ENDIF} {$ENDIF} + {$IFDEF Windows} + {$IFDEF CPUX86} + {$LinkLib './Build/libraries/win32/libZydis32.a'} + {$ENDIF} + {$IFDEF CPUX64} + {$LinkLib './Build/libraries/win64/libZydis64.a'} + {$ENDIF} {$ENDIF} {$ENDIF} @@ -1452,6 +1436,12 @@ procedure ZydisGetAccessedFlags; external name ZYDIS_SYMBOL_PREFIX + 'ZydisGetAccessedFlags'; {$IFDEF CPUX86} + +function c_udivdi3(num,den:uint64):uint64; cdecl; {$ifdef darwin}[public, alias: '___udivdi3'];{$else}[public, alias: '___udivdi3'];{$endif} +begin + result:=num div den; +end; + procedure __allmul; assembler; asm mov eax, dword ptr[esp+8] diff --git a/Core/emu.pas b/Core/emu.pas index ffe7378..0fa2875 100644 --- a/Core/emu.pas +++ b/Core/emu.pas @@ -12,7 +12,7 @@ interface Classes, SysUtils,cmem,Crt, strutils,LazUTF8,math,LazFileUtils, Unicorn_dyn , UnicornConst, X86Const, - Segments,Utils,PE_loader,xxHash, + Segments,Utils,PE_loader,xxHash,superobject, PE.Image, PE.Section, PE.ExportSym, 
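Review bot: ZYDIS_SYMBOL_PREFIX for CPUX86 drops from `'_'` to `''` in the hunk at -1137, so on i386-win32 the Zydis externals are now declared with undecorated names; the `c_udivdi3` shim added further down in this file is exported as `___udivdi3`, an underscore-decorated C name, which suggests libZydis32.a follows the decorated convention as well. If that is the case the 32-bit Windows link will not resolve the Zydis symbols — please confirm the i386 build actually links. Since both arms of the `{$ELSE}` now define the same empty prefix, the constant could be hoisted above the conditional with a comment naming the targets on which the archives were verified.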
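Review bot: Both arms of the `{$ifdef darwin}` on the new `c_udivdi3` declaration are identical (`[public, alias: '___udivdi3']`), so the conditional adds nothing and suggests a per-platform difference that does not exist; collapse it to `function c_udivdi3(num,den:uint64):uint64; cdecl; [public, alias: '___udivdi3'];`. A one-line comment saying why the shim exists would help the next reader — presumably the static Zydis archive references the libgcc 64-bit division helper, which FPC does not provide on 32-bit targets, but that is an inference and should be stated by whoever built the archive.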
@@ -45,6 +45,15 @@ flush_r = record size : UInt32; end; + TApiRed = record + count : Byte; + first, + last, + &alias : string; + end; + + TApiSetSchema = TFastHashMap<String, TApiRed>; + { TEmu } TEmu = class private @@ -86,7 +95,6 @@ TEmu = class r_cs,r_ss,r_ds,r_es,r_fs,r_gs : DWORD; MemFix : TStack<UInt64>; - FlushMem : TStack<flush_r>; RunOnDll, IsException : Boolean; @@ -98,13 +106,15 @@ TEmu = class stack_size : Cardinal; stack_base,stack_limit : UInt64; + PID : Cardinal; + Img: TPEImage; uc : uc_engine; Hooks : THooks; - PID : Cardinal; + ApiSetSchema : TApiSetSchema; property TEB : UInt64 read TEB_Address write TEB_Address; property PEB : UInt64 read PEB_address write PEB_address; @@ -518,8 +528,8 @@ function CheckHook(uc : uc_engine ; PC : UInt64) : Boolean; so the first Check by name will fail so we need to Check the Ordinal One :D . } - // todo: check this code , i think it should be: "> 0" not "= 0" . - if (Hook.FuncName.IsEmpty) and (Hook.ordinal = 0) then + // todo: check this code with some malformed samples for testing. + if (Hook.FuncName.IsEmpty) and (Hook.ordinal > 0) then Emulator.Hooks.ByOrdinal.TryGetValue(API.ordinal,Hook); end; @@ -553,7 +563,7 @@ function CheckHook(uc : uc_engine ; PC : UInt64) : Boolean; end else begin - if not Emulator.RunOnDll then + if VerboseEx or (not Emulator.RunOnDll) then begin TextColor(Crt.LightRed); Writeln(); @@ -835,7 +845,8 @@ procedure HookCode(uc: uc_engine; address: UInt64; size: Cardinal; user_data: Po reg_write_x32(uc,UC_X86_REG_EAX,RandomRange(100,500)); reg_write_x32(uc,UC_X86_REG_EDX,$0); - Writeln(Format('rdtsc at 0x%x',[PC])); + if not Emulator.RunOnDll then + Writeln(Format('rdtsc at 0x%x',[PC])); PC += size; Emulator.err := uc_reg_write(uc, ifthen(Emulator.Is_x64,UC_X86_REG_RIP,UC_X86_REG_EIP), @PC); 
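Review bot: The hunk at -86 removes the `FlushMem : TStack<flush_r>;` field from TEmu, yet the destructor hunk later in this file (at -1456) still shows `FreeAndNil(FlushMem);` as unchanged context, so unless FlushMem is re-declared somewhere outside the diff the unit no longer compiles. Either keep the field or remove the remaining uses in the same commit. Separately, the hunk at -518 now tests `(Hook.ordinal > 0)` but its comment only says `// todo: check this code with some malformed samples for testing.`; stating what such a sample would exercise, e.g. an import with neither a name nor an ordinal, would make the todo actionable.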
@@ -844,7 +855,8 @@ procedure HookCode(uc: uc_engine; address: UInt64; size: Cardinal; user_data: Po if (code[0] = $F) and (code[1] = $A2) then begin reg_write_x32(uc,UC_X86_REG_EAX,0); - Writeln(Format('CPUID at 0x%x',[PC])); + if not Emulator.RunOnDll then + Writeln(Format('CPUID at 0x%x',[PC])); //PC += size; //Emulator.err := uc_reg_write(uc, ifthen(Emulator.Is_x64,UC_X86_REG_RIP,UC_X86_REG_EIP), @PC); end; @@ -1056,7 +1068,7 @@ function TEmu.MapPEtoUC() : Boolean; begin if Assigned(SCode) then begin - Writeln('[*] Writing Shellcode to memory ...'); + Writeln('[√] Writing Shellcode to memory ...'); if uc_mem_write_(uc,img.ImageBase + Img.EntryPointRVA,SCode.Memory,SCode.Size) = UC_ERR_OK then begin Writeln('[√] Shellcode Written to Unicorn'); @@ -1323,6 +1335,41 @@ function TEmu.init_segments() : boolean; Writeln(); end; +procedure LoadApiSetSchema(var ApiSetSchema : TApiSetSchema); +var + Redirect : TApiRed; + JSON : TStrings; + APIS, item : ISuperObject; + name : string; +begin + name := ''; + JSON := TStringList.Create(); + try + JSON.LoadFromFile(string(ApiSetSchemaPath)); + APIS := SO(UnicodeString(JSON.Text)); + for item in APIS['WIN7_APIS'] do + begin + Redirect.first := string(item.S['red.F']); + Redirect.last := string(item.S['red.L']); + Redirect.count := item.I['count']; + name := string(item.S['name']); + ApiSetSchema.AddOrSetValue(LowerCase(name),Redirect); + end; + + for item in APIS['WIN10_APIS'] do + begin + Redirect.first := string(item.S['red[0]']); + Redirect.last := string(item.S['red[1]']); + Redirect.count := item.I['count']; + Redirect.&alias := string(item.S['alias']); + name := string(item.S['name']); + ApiSetSchema.AddOrSetValue(LowerCase(name),Redirect); + end; + finally + JSON.Free; + end; +end; + constructor TEmu.Create(_FilePath : string; _ShellCode, SCx64 : Boolean); begin // Until Unicorn Engine fix it :D 
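Review bot: LoadApiSetSchema dereferences `APIS` without checking that `SO(...)` produced an object: Cmulator.pas only verifies that ApiSetSchemaPath exists, so a truncated or malformed schema file presumably comes back as nil and the `for item in APIS['WIN7_APIS']` loop then dies with an access violation instead of a message naming the file. Add `if not Assigned(APIS) then raise Exception.CreateFmt('ApiSet schema is not valid JSON: %s', [ApiSetSchemaPath]);` after the `SO` call (SysUtils is already in the uses list). `Redirect.count := item.I['count']` also stores an integer property into the `Byte` field declared at -45, silently truncating values above 255; widen the field or range-check it. A header comment listing the expected document shape — `WIN7_APIS` entries with `name`, `count`, `red.F`/`red.L`; `WIN10_APIS` entries with `name`, `count`, `red[0]`/`red[1]`, `alias` — would let a reader regenerate the file without reverse-engineering this loop.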
@@ -1347,6 +1394,9 @@ constructor TEmu.Create(_FilePath : string; _ShellCode, SCx64 : Boolean); Hooks.ByOrdinal := THookByOrdinal.Create(); Hooks.ByAddr := THookByAddress.Create(); + ApiSetSchema := TFastHashMap<String, TApiRed>.Create(); + LoadApiSetSchema(ApiSetSchema); + if isShellCode then begin FilePath := './shellcode/' + IfThen(SCx64,'sc64.exe','sc32.exe'); // these are empty files with PE header. @@ -1456,6 +1506,12 @@ destructor TEmu.Destroy(); FreeAndNil(FlushMem); end; + if Assigned(ApiSetSchema) then + begin + ApiSetSchema.Clear; + FreeAndNil(ApiSetSchema); + end; + inherited Destroy; end; diff --git a/Core/globals.pas b/Core/globals.pas index 5f8659e..7b4eddb 100644 --- a/Core/globals.pas +++ b/Core/globals.pas @@ -30,7 +30,8 @@ interface win32 : UnicodeString = ''; win64 : UnicodeString = ''; - JSAPI : AnsiString = ''; + JSAPI : UnicodeString = ''; + ApiSetSchemaPath : UnicodeString = ''; implementation diff --git a/Core/jsemuobj.pas b/Core/jsemuobj.pas index 64ad64c..3dd0a9a 100644 --- a/Core/jsemuobj.pas +++ b/Core/jsemuobj.pas @@ -5,10 +5,10 @@ interface uses - Classes, SysUtils, + Classes, SysUtils,strutils, {$I besenunits.inc}, FnHook,Emu,Utils, - Unicorn_dyn, UnicornConst, X86Const, + Unicorn_dyn, UnicornConst, LazFileUtils,LazUTF8,PE_Loader; type @@ -122,7 +122,6 @@ procedure TEmuObj.SetReg(const ThisArgument : TBESENValue; Error(); Emulator.err := uc_reg_write(Emulator.uc,REG,@value); - ResultValue := BESENBooleanValue(Emulator.err = UC_ERR_OK); end; @@ -254,7 +253,7 @@ procedure TEmuObj.LoadLibrary(const ThisArgument : TBESENValue; Arguments : PPBESENValues; CountArguments : integer; var ResultValue : TBESENValue); var - Libname : AnsiString; + Libname, RedirectLib : AnsiString; JSvalue : PBESENValue; Lib : TNewDll; begin 
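Review bot: The hunk at -122 deletes `ResultValue := BESENBooleanValue(Emulator.err = UC_ERR_OK);` from TEmuObj.SetReg, so the script-side SetReg call no longer reports whether uc_reg_write succeeded even though `Emulator.err` is still assigned; a script that checked the return value presumably now sees no result at all. If the assignment was removed because the result is set elsewhere (the procedure continues outside the hunk) that is fine, otherwise restore the line. A short comment at that point explaining the intended return contract would keep the question from coming up again.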
@@ -267,7 +266,14 @@ procedure TEmuObj.LoadLibrary(const ThisArgument : TBESENValue; else raise EBESENError.Create('LoadLibrary Arg must be String ! - Ex: LoadLibrary(''kernel32.dll'')'); - Libname := Trim(ExtractFileNameWithoutExt(LowerCase(ExtractFileName(Libname))) + '.dll'); + + RedirectLib := String(GetDllFromApiSet(Libname)); + + // this was here for debugging :P . + //if AnsiContainsStr(Libname,'ms-') then + //Writeln('Resolve lib : ',Libname ,' --> to : ',ExtractFileName(RedirectLib)); + + Libname := Trim(ExtractFileNameWithoutExt(LowerCase(ExtractFileName(RedirectLib))) + '.dll'); if Emulator.Libs.TryGetValue(Libname,Lib) then begin diff --git a/Core/pe_loader.pas b/Core/pe_loader.pas index a4044bb..7d581e7 100644 --- a/Core/pe_loader.pas +++ b/Core/pe_loader.pas 
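Review bot: TEmuObj.LoadLibrary now hands the raw script-supplied `Libname` to `GetDllFromApiSet` before any normalisation, whereas FixDllImports and load_sys_dll in pe_loader.pas lower-case the name first and only consult the api-set map when it contains `ms-`; since LoadApiSetSchema keys the map by `LowerCase(name)`, a script passing a mixed-case api-set name may miss the redirect unless GetDllFromApiSet (not in this diff) lower-cases internally. Normalise first and redirect second, e.g. `Libname := Trim(ExtractFileNameWithoutExt(LowerCase(ExtractFileName(Libname))) + '.dll');` followed by `RedirectLib := String(GetDllFromApiSet(Libname));`, so all three call sites present the same input shape. The commented-out debug Writeln can be dropped rather than left in.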
@@ -79,7 +79,74 @@ procedure InitTLS(uc : uc_engine; img : TPEImage); end; -{ TODO: implement apisetschema Forwarder.} +procedure InitDll(uc : uc_engine; lib : TNewDll); +var + r_esp : UInt64; + Err : Integer; +begin + if (lib.EntryPoint <> 0) and (not lib.Dllname.StartsWith('ntdll')) + and (not lib.Dllname.StartsWith('crypt32')) then + begin + r_esp := ((Emulator.stack_base + Emulator.stack_size) - $100); // initial stack Pointer . + uc_reg_write(uc, UC_X86_REG_ESP, @r_esp); // + + //TDllEntryProc = function(hinstDLL: HINST; fdwReason: DWORD; lpReserved: Pointer): BOOL; stdcall; + Utils.push(0); // lpReserved + Utils.push(1); // fdwReason + Utils.push(lib.BaseAddress); // HINST + Utils.push($DEADC0DE); // our custom return address so we can stop the execution . + + if VerboseExx then + begin + Writeln(); + TextColor(LightMagenta); + Writeln(Format('Call %s Entry : %x',[lib.Dllname,lib.EntryPoint])); + NormVideo; + end; + + if not VerboseExx then // if not VerboseExx don't show stuff :D . + Emulator.RunOnDll := True; + + Emulator.ResetEFLAGS(); + Err := uc_emu_start(uc,lib.EntryPoint,lib.ImageSize,0,0); + if VerboseExx then + Writeln('[InitDll] Error --> ',uc_strerror(err)); + Emulator.RunOnDll := False; + Emulator.IsException := False; + Emulator.SEH_Handler := 0; + end; +end; + +function GetModulesCount(TLibsArray : TLibs) : Integer; +var + LibItem : TNewDll; +begin + Result := 0; + for LibItem in TLibsArray.Values do + begin + if not LibItem.Dllname.StartsWith('api-ms-win') then + begin + Inc(Result); + end; + end; +end; + +procedure Init_dlls(); +var + lib : TNewDll; +begin + + TextColor(LightMagenta); + Writeln(Format('Initiating %d Libraries ...',[GetModulesCount(Emulator.Libs)])); + NormVideo; + for lib in Emulator.Libs.Values do + begin + if not Lib.Dllname.StartsWith('api-ms-win') then + InitDll(Emulator.uc,lib); + end; +end; + + procedure FixDllImports(uc : uc_engine; var Img: TPEImage; DllBase : UInt64); var SysDll : TNewDll; 
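Review bot: In the relocated InitDll, `if VerboseExx then Writeln('[InitDll] Error --> ',uc_strerror(err));` prints an "Error" line after every DLL entry point, including the normal UC_ERR_OK case, so the verbose log reports errors that did not happen; guard it with `if VerboseExx and (Err <> UC_ERR_OK) then`. The skip list `not lib.Dllname.StartsWith('ntdll') and not lib.Dllname.StartsWith('crypt32')` gains crypt32 in this move with no comment; a one-liner stating why those two entry points are not run (presumably they fault under emulation) would stop the list from looking arbitrary. Carried over from the removed copy, `uc_emu_start(uc,lib.EntryPoint,lib.ImageSize,0,0)` passes the image size where Unicorn expects the until-address — given that `$DEADC0DE` is pushed as the return address, that looks like the intended stop value, but please confirm.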
@@ -89,53 +156,46 @@ procedure FixDllImports(uc : uc_engine; var Img: TPEImage; DllBase : UInt64); Hash : UInt64; rva , FuncAddr : TRVA; err : uc_err; - path : UnicodeString; - Dll : string; + LibName : string; begin - FuncAddr := 0; + FuncAddr := 0; LibName := ''; if VerboseEx then begin Writeln('[---------------------------------------]'); - Writeln('[ Fixing DLL Imports ]');Writeln(); - Writeln('[*] File Name : ',ExtractFileName(Img.FileName)); Writeln(); + Writeln('[ Fixing DLL Imports ]'); + Writeln('[*] File Name : ',ExtractFileName(Img.FileName)); end; // Scan libraries. for Lib in Img.Imports.Libs do begin - Dll := ExtractFileNameWithoutExt(ExtractFileName(lib.Name)) + '.dll'; - - if Emulator.isx64 then - Path := IncludeTrailingPathDelimiter(win64) + UnicodeString(LowerCase(Trim(Dll))) - else - Path := IncludeTrailingPathDelimiter(win32) + UnicodeString(LowerCase(Trim(Dll))); + LibName := LowerCase(ExtractFileNameWithoutExt(ExtractFileName(lib.Name)) + '.dll'); - if not FileExists(Path) then + if AnsiContainsStr(LibName,'ms-') then begin - Writeln('"',Dll,'" not found ! [1]'); - Writeln(); - halt(-1); + LibName := LowerCase(ExtractFileNameWithoutExt(ExtractFileName(string(GetDllFromApiSet(LibName))))) + '.dll'; end; // If library not loaded then load it . 
- if not Emulator.Libs.ContainsKey(LowerCase(Dll)) then + + if not Emulator.Libs.ContainsKey(LowerCase(LibName)) then begin if VerboseEx then begin Writeln(); - Writeln('[>] ',ExtractFileName(Img.FileName),' Import : ', Dll,#10); + Writeln('[>] ',ExtractFileName(Img.FileName),' Import : ', LibName,#10); end; - if not load_sys_dll(uc,LowerCase(Dll)) then + if not load_sys_dll(uc,LowerCase(LibName)) then begin - Writeln('Error While Loading Lib : ',Dll); + Writeln('Error While Loading Lib : ',LibName); halt(-1); end; end; rva := DllBase + Lib.IatRva; - if not Emulator.Libs.TryGetValue(LowerCase(Dll),SysDll) then + if not Emulator.Libs.TryGetValue(LowerCase(LibName),SysDll) then begin Writeln('<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>'); - Writeln(Format('>>>> Error %s import table has %s , but not Loaded In Cmulator <<<<',[img.FileName,Dll])); + Writeln(Format('>>>> Error "%s" import table has "%s" , but not Loaded In Cmulator <<<<',[img.FileName,LibName])); Writeln('<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>'); halt(-1); end; @@ -144,7 +204,7 @@ procedure FixDllImports(uc : uc_engine; var Img: TPEImage; DllBase : UInt64); begin if Fn.Name <> '' then begin - Hash := xxHash64Calc(LowerCase(ExtractFileNameWithoutExt(ExtractFileName(Lib.Name))) + '.' + Fn.Name); + Hash := xxHash64Calc(LowerCase(ExtractFileNameWithoutExt(ExtractFileName(LibName))) + '.' + Fn.Name); if SysDll.FnByName.TryGetValue(Hash,HookFn) then begin FuncAddr := HookFn.VAddress; @@ -152,7 +212,7 @@ procedure FixDllImports(uc : uc_engine; var Img: TPEImage; DllBase : UInt64); end else begin - Hash := xxHash64Calc(LowerCase(ExtractFileNameWithoutExt(ExtractFileName(Lib.Name))) + '.' + IntToStr(Fn.Ordinal)); + Hash := xxHash64Calc(LowerCase(ExtractFileNameWithoutExt(ExtractFileName(LibName))) + '.' + IntToStr(Fn.Ordinal)); if SysDll.FnByOrdinal.TryGetValue(Hash,HookFn) then begin FuncAddr := HookFn.VAddress; 
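Review bot: FixDllImports decides whether to consult the api-set map with `AnsiContainsStr(LibName,'ms-')`, load_sys_dll in the hunk at -267 further down uses the same substring test, while GetModulesCount and Init_dlls in this file test `StartsWith('api-ms-win')`; the predicates do not agree, so a library whose name merely contains `ms-` is sent through the redirect here, and an api-set name the redirect does not resolve falls through to the loader as an ordinary DLL. Pick one predicate, ideally inside GetDllFromApiSet so callers need no gate at all, or at least use the same `StartsWith('api-ms-win')` test at both redirect sites. Note that the old `if not FileExists(Path) … halt(-1)` check is gone from this loop, so a missing DLL is now reported only by load_sys_dll; that is fine as long as that path still halts, which the hunk at -267 does not show.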
@@ -161,7 +221,15 @@ procedure FixDllImports(uc : uc_engine; var Img: TPEImage; DllBase : UInt64); if VerboseExx then begin - write(' '); // indent + if FuncAddr = 0 then + begin + TextColor(LightRed); + Writeln(format('Lib name : %s --> %s -> %s',[Lib.Name,LibName,fn.Name])); + Writeln('Please Report this MSG in Github issues'); + NormVideo; + end; + + write(' '); // indent writeln(format('%s : Real rva: 0x%-8x - New : 0x%-8x', [IfThen(fn.Name <> '',fn.Name,('#'+IntToStr(Fn.Ordinal))),rva,FuncAddr])); end; 
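Review bot: The new `if FuncAddr = 0 then` report sits inside `if VerboseExx then`, so in a normal run an import that resolved to neither a name nor an ordinal is written into the IAT as 0 without any message, and the sample later faults at an address that gives no hint of the cause; the "Please Report this MSG in Github issues" text will rarely reach the people it is aimed at. Move the `if FuncAddr = 0 then begin … end;` block out of the VerboseExx guard (or under VerboseEx, which gates the other import messages in this procedure) so it prints whenever an import cannot be resolved. The enclosing `for Fn in …` loop and the procedure continue outside the hunk.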
@@ -178,70 +246,6 @@ procedure FixDllImports(uc : uc_engine; var Img: TPEImage; DllBase : UInt64); end; inc(rva, Img.ImageWordSize); // null end; - if VerboseEx then - Writeln('[---------------------------------------]'#10); -end; - -procedure InitDll(uc : uc_engine; lib : TNewDll); -var - r_esp : UInt64; -begin - if (lib.EntryPoint <> 0) and (not lib.Dllname.StartsWith('ntdll')) then - begin - - r_esp := ((Emulator.stack_base + Emulator.stack_size) - $100); // initial stack Pointer . - uc_reg_write(uc, UC_X86_REG_ESP, @r_esp); // - //TDllEntryProc = function(hinstDLL: HINST; fdwReason: DWORD; lpReserved: Pointer): BOOL; stdcall; - Utils.push(0); // lpReserved - Utils.push(1); // fdwReason - Utils.push(lib.BaseAddress); // HINST - Utils.push($DEADC0DE); // our custom return address so we can stop the execution . - - if VerboseExx then - begin - Writeln(); - TextColor(LightMagenta); - Writeln(Format('Call %s Entry : %x',[lib.Dllname,lib.EntryPoint])); - NormVideo; - end; - - if not VerboseExx then // if not VerboseExx don't show stuff :D . - Emulator.RunOnDll := True; - - Emulator.ResetEFLAGS(); - uc_emu_start(uc,lib.EntryPoint,lib.ImageSize,0,0); - Emulator.RunOnDll := False; - end; -end; - - -function GetModulesCount(TLibsArray : TLibs) : Integer; -var - LibItem : TNewDll; -begin - Result := 0; - for LibItem in TLibsArray.Values do - begin - if not LibItem.Dllname.StartsWith('api-ms-win') then - begin - Inc(Result); - end; - end; -end; - -procedure Init_dlls(); -var - lib : TNewDll; -begin - - TextColor(LightMagenta); - Writeln(Format('Initiating %d Libraries ...',[GetModulesCount(Emulator.Libs)])); - NormVideo; - for lib in Emulator.Libs.Values do - begin - if not Lib.Dllname.StartsWith('api-ms-win') then - InitDll(Emulator.uc,lib); - end; end; function load_sys_dll(uc : uc_engine; Dll : string) : boolean; 
@@ -259,7 +263,6 @@ function load_sys_dll(uc : uc_engine; Dll : string) : boolean; FName, LibName , FWName, FWLib,FWAPI : string; Hash : UInt64; IsOrdinal : Boolean; - //ret : Pointer; begin FLibrary := nil; @@ -267,16 +270,18 @@ function load_sys_dll(uc : uc_engine; Dll : string) : boolean; Result := false; Delta := 0; + // ApiSetMap redirect. + if AnsiContainsStr(Dll,'ms-') then + begin + Dll := String(GetDllFromApiSet(Dll)); + end; + Dll := LowerCase(ExtractFileNameWithoutExt(ExtractFileName(Dll)) + '.dll'); + // if already loaded then return. if Emulator.Libs.ContainsKey(Trim(Dll)) then Exit(True); - if Emulator.isx64 then - Path := IncludeTrailingPathDelimiter(win64) + UnicodeString(LowerCase(Trim(Dll))) - else - Path := IncludeTrailingPathDelimiter(win32) + UnicodeString(LowerCase(Trim(Dll))); - - + Path := GetFullPath(Dll); if FileExists(Path) then begin //ret := AllocMem(UC_PAGE_SIZE); @@ -300,13 +305,17 @@ function load_sys_dll(uc : uc_engine; Dll : string) : boolean; if VerboseEx then begin Writeln('[---------------------------------------]'); - Writeln('[ Mapping Library Exports ]'); + Writeln('[ Mapping Library ]'); writeln(format('[*] Lib Name : %s',[LibName])); + Writeln(format('[*] File Size : %d',[img.CalcRawSizeOfImage])); writeln(format('[*] Image Base : %x',[img.ImageBase])); + Writeln(Format('[*] Loaded at : %x',[Align(Emulator.DLL_NEXT_LOAD,UC_PAGE_SIZE*2),Emulator.DLL_NEXT_LOAD + img.SizeOfImage])); + + Writeln(format('[*] Entry Point : %x',[img.EntryPointRVA])); Writeln(Format('[*] Image Size : %x',[img.SizeOfImage])); - Writeln(Format('[*] Loaded at : %x - End at %x',[Align(Emulator.DLL_NEXT_LOAD,UC_PAGE_SIZE*2),Emulator.DLL_NEXT_LOAD + img.SizeOfImage])); Writeln(Format('[*] BaseOfCode : %x',[img.ImageBase + img.OptionalHeader.BaseOfCode])); Writeln(Format('[*] SizeOfCode : %x',[img.OptionalHeader.SizeOfCode])); + Writeln('[---------------------------------------]'#10); end; 
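Review bot: `AnsiContainsStr(Dll,'ms-')` is a case-sensitive substring test, so any module whose file name merely contains "ms-" is sent through the ApiSet lookup, and `Dll` is only lowercased on the following line, after the test has run. API set contracts are named `api-ms-win-*` / `ext-ms-win-*`, so a prefix test on the normalized name is both tighter and cheaper: `if StartsText('api-ms-', Dll) or StartsText('ext-ms-', Dll) then` (StartsText comes from the same unit as AnsiContainsStr). Note also that GetDllFromApiSet returns a full path (it assigns `Result := Path`), which the next line immediately reduces back to a bare file name before `GetFullPath(Dll)` rebuilds it — harmless, but a resolver that returned the name would avoid the round trip. load_sys_dll starts before this hunk.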
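Review bot: The rewritten `'[*] Loaded at : %x'` line keeps both arguments of the removed `'… - End at %x'` format but only one `%x` placeholder, so `Emulator.DLL_NEXT_LOAD + img.SizeOfImage` is computed and then silently ignored by Format. Either restore the placeholder, `Writeln(Format('[*] Loaded at : %x - End at %x',[Align(Emulator.DLL_NEXT_LOAD,UC_PAGE_SIZE*2),Emulator.DLL_NEXT_LOAD + img.SizeOfImage]));`, or drop the second argument. While there, the printed start is page-aligned and the end is not, so the range shown may not be the one actually mapped; I cannot tell from this hunk which value DLL_BASE uses, so worth checking against the mapping code below. load_sys_dll continues outside the hunk.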
@@ -418,6 +427,15 @@ function load_sys_dll(uc : uc_engine; Dll : string) : boolean; // API is Forwarded .. FWName := sym.ForwarderName; sym.GetForwarderLibAndFuncName(FWLib,FWAPI); + if AnsiContainsStr(FWLib,'ms-') then + begin + FWLib := LowerCase(ExtractFileNameWithoutExt(ExtractFileName(string(GetDllFromApiSet(FWLib))))) + '.dll'; + if not FileExistsUTF8(string(GetFullPath(FWLib))) then + begin + Writeln(Format('Library "%s" not found ! [3]',[GetFullPath(FWLib)])); + halt; + end; + end; VAddr := Utils.GetProcAddr(GetModulehandle(FWLib),FWAPI); end; @@ -447,7 +465,6 @@ function load_sys_dll(uc : uc_engine; Dll : string) : boolean; inc(Emulator.DLL_NEXT_LOAD, img.SizeOfImage); //inc(HOOK_INDEX); - // TODO: implement apisetschema Forwarder . FixDllImports(uc,img,DLL_BASE); // ReBuild Ldr for every new module loaded . @@ -461,7 +478,7 @@ function load_sys_dll(uc : uc_engine; Dll : string) : boolean; end else begin - Writeln(Format('Library "%s" not found ! [2]',[Dll])); Writeln(); + Writeln(Format('Library "%s" not found ! [2]',[Path])); Writeln(); halt(-1); end; @@ -489,16 +506,18 @@ procedure HookImports(uc : uc_engine; Img: TPEImage); for Lib in Img.Imports.Libs do begin Dll := ExtractFileNameWithoutExt(ExtractFileName(lib.Name)) + '.dll'; - if Emulator.isx64 then - Path := IncludeTrailingPathDelimiter(win64) + UnicodeString(LowerCase(Trim(Dll))) - else - Path := IncludeTrailingPathDelimiter(win32) + UnicodeString(LowerCase(Trim(Dll))); + if AnsiContainsStr(Dll,'ms-') then + begin + Dll := LowerCase(ExtractFileNameWithoutExt(ExtractFileName(string(GetDllFromApiSet(Dll))))) + '.dll'; + end; + Path := GetFullPath(Dll); if not FileExists(Path) then begin Writeln('"',Dll,'" not found ! [3]'); halt(-1); end; + // If library not loaded then load it . if not Emulator.Libs.ContainsKey(LowerCase(Dll)) then begin 
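Review bot: The new forwarder branch terminates with a bare `halt;`, which exits with status 0, while every other fatal path in load_sys_dll uses `halt(-1)` (see the `[2]` message later in this file), so a scripted run cannot distinguish this failure from success — use `halt(-1);` here as well. The diagnostic tag `[3]` is also used by HookImports' not-found message in the next hunk, so the tag no longer identifies the failing site; give this one an unused number. Finally, the check only proves the resolved file exists on disk: `GetModulehandle(FWLib)` on the following line presumably still yields nothing if that module has not been loaded yet, so consider loading it the way FixDllImports does for imports (via load_sys_dll) rather than only stat-ing it. load_sys_dll continues outside this hunk.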
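Review bot: The not-found message next to the new `Path := GetFullPath(Dll);` still prints the bare `Dll` and the tag `[3]`, although the hunk just above changes load_sys_dll's equivalent message to print the full `Path` and the new forwarder branch also uses `[3]`; print `Path` here too and pick a distinct tag, e.g. `Writeln('"',Path,'" not found ! [6]'); halt(-1);`, so a failure can be traced to one site. The `AnsiContainsStr(Dll,'ms-')` redirect is now the third verbatim copy of the same three lines in this file (load_sys_dll, HookImports and HookImports_Pse below); folding the prefix test and the `ExtractFileNameWithoutExt(...) + '.dll'` normalization into one helper would keep the three lookups from drifting apart. HookImports continues past the end of the hunk.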
@@ -584,18 +603,6 @@ function MapToMemory(PE : TPEImage) : TMemoryStream; Result.WriteBuffer(tmp.Memory^,PE.OptionalHeader.SizeOfHeaders); Offset += PE.OptionalHeader.SizeOfHeaders; - if VerboseEx then - begin - Writeln('[---------------------------------------]'); - Writeln('[ Start Mapping ]'); - Writeln('[*] File Name : ' , ExtractFileName(PE.FileName)); - Writeln('[*] File Size : ', tmp.Size, ' Byte'); - Writeln('[*] Image Base : ', hexStr(PE.ImageBase,16)); - Writeln('[*] Address Of Entry : ', hexStr(PE.EntryPointRVA,16)); - Writeln('[*] Size Of Headers : ', hexStr(PE.OptionalHeader.SizeOfHeaders,16)); - Writeln('[*] Size Of Image : ', hexStr(PE.SizeOfImage,16)); - end; - for sec in PE.Sections do begin @@ -622,11 +629,11 @@ function MapToMemory(PE : TPEImage) : TMemoryStream; Result.WriteByte(0); Offset += 1; end; - if VerboseEx then - begin - Writeln('[+] File mapping completed √'); - Writeln('[---------------------------------------]'#10); - end; + //if VerboseEx then + //begin + // Writeln('[+] File mapping completed √'); + // Writeln(''); + //end; end; finally tmp.free @@ -683,14 +690,18 @@ procedure HookImports_Pse(uc : uc_engine; Img : TPEImage; FilePath : string); // Scan libraries. for imp in PseFile.ImportTable do begin + if imp.DllName.IsEmpty then + Continue; + Dll := ExtractFileNameWithoutExt(ExtractFileName(imp.DllName)) + '.dll'; + if AnsiContainsStr(Dll,'ms-') then + begin + Dll := LowerCase(ExtractFileNameWithoutExt(ExtractFileName(string(GetDllFromApiSet(Dll))))) + '.dll'; + end; - Writeln('[+] Fix IAT for : ',Dll); + Writeln(Format('[+] Fix IAT for : %-40s --> %s ',[imp.DllName, Dll])); - if Emulator.isx64 then - Path := IncludeTrailingPathDelimiter(win64) + UnicodeString(LowerCase(Trim(Dll))) - else - Path := IncludeTrailingPathDelimiter(win32) + UnicodeString(LowerCase(Trim(Dll))); + Path := GetFullPath(Dll); if not FileExists(Path) then begin 
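Review bot: The verbose completion message in MapToMemory is commented out rather than removed, leaving five dead lines (`//if VerboseEx then … //end;`) that version control already preserves; delete them, as the earlier block in the same function was deleted in the hunk above. If the message is meant to come back later, leave it live behind the existing `VerboseEx` flag instead of as a comment, so it keeps compiling against the surrounding code. MapToMemory starts before this hunk.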
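Review bot: `if imp.DllName.IsEmpty then Continue;` skips an import descriptor with no name without any trace, although a few lines later every descriptor is announced with `[+] Fix IAT for : …`; an empty DLL name in an import table is unusual enough to log, e.g. `Writeln('[!] Skipping import descriptor with empty DLL name');`, so a mangled table does not look like a clean run. The apiset redirect that follows is a verbatim copy of the snippet in HookImports and load_sys_dll; a prefix test such as `StartsText('api-ms-', Dll) or StartsText('ext-ms-', Dll)` in one shared helper would be tighter than the substring `'ms-'` match and would keep the three copies from drifting. Note that `Dll` is lowercased only on the apiset path, so the `%-40s --> %s` line prints mixed case for ordinary modules and lower case for redirected ones — cosmetic, but easy to normalize before the Writeln. HookImports_Pse continues outside the hunk.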
@@ -720,7 +731,7 @@ procedure HookImports_Pse(uc : uc_engine; Img : TPEImage; FilePath : string); begin if api.Name <> '' then begin - Hash := xxHash64Calc(LowerCase(ExtractFileNameWithoutExt(ExtractFileName(imp.DllName))) + '.' + api.Name); + Hash := xxHash64Calc(LowerCase(ExtractFileNameWithoutExt(ExtractFileName(Dll))) + '.' + api.Name); if SysDll.FnByName.TryGetValue(Hash,HookFn) then begin FuncAddr := HookFn.VAddress; @@ -728,7 +739,7 @@ procedure HookImports_Pse(uc : uc_engine; Img : TPEImage; FilePath : string); end else begin - Hash := xxHash64Calc(LowerCase(ExtractFileNameWithoutExt(ExtractFileName(imp.DllName))) + '.' + IntToStr(api.Hint)); + Hash := xxHash64Calc(LowerCase(ExtractFileNameWithoutExt(ExtractFileName(Dll))) + '.' + IntToStr(api.Hint)); if SysDll.FnByOrdinal.TryGetValue(Hash,HookFn) then begin FuncAddr := HookFn.VAddress; diff --git a/Core/unicorn/Unicorn_dyn.pas b/Core/unicorn/Unicorn_dyn.pas index 7e00cca..6bff039 100755 --- a/Core/unicorn/Unicorn_dyn.pas +++ b/Core/unicorn/Unicorn_dyn.pas @@ -32,7 +32,7 @@ interface UNICORN_LIB = './libunicorn.so'; {$endif} {$ifdef mswindows} - UNICORN_LIB = {$IFDEF CPU64}'./unicorn64.dll'{$ELSE}'./unicorn32.dll'{$ENDIF}; + UNICORN_LIB = {$IFDEF CPU64}'./unicorn64.dll'{$ELSE}'unicorn32.dll'{$ENDIF}; {$endif} type @@ -670,12 +670,12 @@ function loadUC(): Boolean; begin {$IFDEF FPC}TextColor(LightRed);{$ENDIF} LastError := {$IFDEF FPC}GetLoadErrorStr;{$ELSE} - {$ifdef mswindows} + {$ifdef windows} SysErrorMessage(GetLastError,UC_Handle); SetLastError(0); {$ENDIF} {$ENDIF} - WriteLn('error while loading unicorn library : ',LastError,#10); + WriteLn('error while loading unicorn library : ',UNICORN_LIB, ' -> ' ,LastError,#10); {$IFDEF FPC}NormVideo;{$ENDIF} end; end; diff --git a/Core/utils.pas b/Core/utils.pas index 4f788bc..9db7fd0 100644 --- a/Core/utils.pas +++ b/Core/utils.pas 
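Review bot: The 32-bit library name loses its `./` prefix (`'unicorn32.dll'`) while the 64-bit one keeps `'./unicorn64.dll'`, so the two Windows builds now resolve the engine differently: a bare file name goes through the loader's default search order (application directory, system directories, then PATH — assuming UNICORN_LIB ends up in LoadLibrary, which this hunk does not show), whereas `./` pins it to the current directory. Whichever was intended, both builds should use the same form; if the `./` variant failed to load on 32-bit, record why in a comment next to the constant rather than leaving an unexplained asymmetry. Resolving an emulation engine through a search path that includes PATH makes it easier for a planted `unicorn32.dll` to be picked up, so if the bare name is kept, consider building an absolute path from the executable's directory instead. The `const` block this line belongs to starts outside the hunk.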
@@ -53,12 +53,16 @@ function ReadQword(Addr : UInt64) : Int64; function isprint(const AC: AnsiChar): boolean; +function GetFullPath(name : string) : UnicodeString; +function GetDllFromApiSet(name : string): UnicodeString; + const - UC_PAGE_SIZE = $1000; + UC_PAGE_SIZE = $1000; + EM_IMAGE_BASE = $400000; implementation uses - Globals,math,FnHook; + Globals,math,FnHook,Emu; function isprint(const AC: AnsiChar): boolean; begin @@ -80,6 +84,62 @@ function IsStringPrintable( Str : String): Boolean; end; end; +function GetFullPath(name : string) : UnicodeString; +begin + if Emulator.isx64 then + Result := IncludeTrailingPathDelimiter(win64) + UnicodeString(LowerCase(Trim(name))) + else + Result := IncludeTrailingPathDelimiter(win32) + UnicodeString(LowerCase(Trim(name))); +end; + +function GetDllFromApiSet(name : string): UnicodeString; +var + API : TApiRed; + Dll : string; + Path : UnicodeString; +begin + Result := name; + Dll := ExtractFileNameWithoutExt(ExtractFileName(name)); + if Emulator.ApiSetSchema.ContainsKey(Dll) then + begin + Emulator.ApiSetSchema.TryGetValue(Dll,API); + if API.count = 2 then + begin + Path := GetFullPath(API.last); + if FileExistsUTF8(string(Path)) then + Result := Path + else + begin + Path := GetFullPath(API.&alias); + if FileExistsUTF8(string(Path)) then + Result := Path + else + begin + Path := GetFullPath(API.first); + if FileExistsUTF8(string(Path)) then + Result := Path + else + begin + Writeln(Format('Library "%s" not found ! [5]',[Path])); + halt; + end; + end; + end; + end + else + begin + Path := GetFullPath(API.first); + if FileExistsUTF8(string(Path)) then + Result := Path + else + begin + Writeln(Format('Library "%s" not found ! [4]',[Path])); + halt; + end; + end; + end; +end; + // this code will read UTF8 string from given Address :D .. function ReadStringW(Addr : UInt64; len : UInt32 = 0) : AnsiString; var diff --git a/README.md b/README.md index 031c715..026dbb5 100644 --- a/README.md +++ b/README.md 
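Review bot: GetDllFromApiSet terminates the process with a bare `halt;` (exit status 0) when no candidate file exists, so a utility resolver both decides policy for its callers and reports a fatal condition as success; load_sys_dll, HookImports and HookImports_Pse already run `FileExists(GetFullPath(...))` on the result and `halt(-1)` with their own message, so the resolver only needs to hand the name back unchanged, exactly as it already does for names absent from the schema. The body also does `ContainsKey` followed by `TryGetValue` (two lookups) and nests three copies of the same GetFullPath/FileExistsUTF8 probe; a single TryGetValue plus a small nested probe flattens it as below while keeping the last → alias → first order for `count = 2` and first-only otherwise. Whether the schema keys are stored lowercased is not visible here — `Dll` reaches the lookup with its original case, so if the loader keeps the `MS-Win-Core-…` spelling from Apiset.json the lookup misses silently; worth confirming against the loader.

```pascal
function GetDllFromApiSet(name : string): UnicodeString;
var
  API  : TApiRed;
  Path : UnicodeString;

  // True (with Path set) when Cand exists under the configured dll directory.
  function Probe(const Cand : string) : Boolean;
  begin
    Path   := GetFullPath(Cand);
    Result := FileExistsUTF8(string(Path));
  end;

begin
  // Unknown contract, or no candidate on disk: return the name unchanged and let
  // the caller run its own FileExists / halt(-1) path with a proper message.
  Result := name;
  if not Emulator.ApiSetSchema.TryGetValue(ExtractFileNameWithoutExt(ExtractFileName(name)), API) then
    Exit;
  // Same preference order as before: last, alias, first when count = 2; first only otherwise.
  if (API.count = 2) and (Probe(API.last) or Probe(API.&alias)) then
    Exit(Path);
  if Probe(API.first) then
    Exit(Path);
end;
```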
@@ -1,7 +1,7 @@ # Cmulator - Scriptable x86 RE Sandbox Emulator (v0.2 Beta) <h3> <b>Call for LOGO</b> , if you good at design give it a try and Create Logo for Cmulator <br> -your name will apper in <b>Acknowledgements</b> +your name will appear in <b>Acknowledgements</b> [![License: AGPL v3](https://img.shields.io/badge/License-AGPL%20v3-blue.svg)](https://www.gnu.org/licenses/agpl-3.0) @@ -35,9 +35,27 @@ Based on Unicorn & Capstone Engine & javascript . * Trace all Executed API ( good for Obfuscated PE). * Displays HexDump with Strings based on referenced memory locations. * Patching the Memory. -* Custome API hooks using Javascript (scripting). +* Custom API hooks using Javascript (scripting). * Handle SEH (still need more work). * [+] Hook Address. +* [+] Apiset map resolver + +<br> +<hr> + + +## [+] Changelog + +- v0.2 beta + - [+] Add Hook Address + - [+] Implementing Api schema forworder + - [+] Change disassembler from **Capstone** to **Zydis** Engine + - [√] improvements for SEH handling + - [√] improvements with JS to API handle + - [√] Improve API detection by address or name or ordinal + +- v0.1 beta + - Init version <br> <hr> @@ -497,8 +515,9 @@ And Try it Your Self , find it at "samples/obfuscated/obfuscated.exe" 😉 <br> ## WIP BY Priority : -* Memory Manager - Next Update -* Checking for Bug & fixing them 👌🏻 +* Memory Manager - Next version +* Checking for Bug & fixing them 👌🏻 +* **Api schema forwarder still need more improvements and testing** <hr> @@ -506,6 +525,7 @@ And Try it Your Self , find it at "samples/obfuscated/obfuscated.exe" 😉 - [x] PC (RIP - EIP) Hook. - [x] improving exception handling. - [x] Native Plugins & API Hook Libs. +- [x] Api schema forwarder. - [ ] Add Memory Manager. - [ ] **Sysenter** / **Syscall** Global Hook in JS. - [ ] Control TEB/PEB in JS. 
@@ -519,7 +539,7 @@ And Try it Your Self , find it at "samples/obfuscated/obfuscated.exe" 😉 ## Requirements * Freepascal >= v3 * Unicorn Engine -* Capstone Engine +* Zydis Engine <hr> @@ -567,12 +587,14 @@ set the dll folders to where you stored your windows dlls and JS Main File . { "system": { "win32": "../win_dlls/x32_win7", - "win64": "../win_dlls/x64_win7" + "win64": "../win_dlls/x64_win7", + "Apiset": "../Apiset.json" }, "JS": { "main": "../API.JS" } } + ``` ## Run