From dd20a4d52b2bca24f6bc51ca7a9b094eeeebc8b4 Mon Sep 17 00:00:00 2001
From: Coldzer0
Date: Tue, 6 Aug 2019 12:39:51 +0200
Subject: [PATCH] Fix for apisetschema forwarder
Hope this will fix it for ever :P
---
 Build/Apiset.json | 8 ++
 Build/hooks/address.js | 66 ++------------
 Cmulator.lps | 193 +++++++++++++++++++++++------------
 Cmulator.pas | 11 ++-
 Core/emu.pas | 8 +-
 Core/globals.pas | 11 +++
 Core/utils.pas | 23 ++++-
 README.md | 3 +
 8 files changed, 166 insertions(+), 157 deletions(-)
diff --git a/Build/Apiset.json b/Build/Apiset.json
index 113175c..660e82c 100644
--- a/Build/Apiset.json
+++ b/Build/Apiset.json
@@ -77,6 +77,7 @@
 {name:"api-ms-win-core-debug-minidump-l1-1-0", count:1, red: ["dbgcore.dll"]},
 {name:"api-ms-win-core-delayload-l1-1-0", count:1, red: ["kernelbase.dll"]},
 {name:"api-ms-win-core-delayload-l1-1-1", count:1, red: ["kernelbase.dll"]},
+{name:"api-ms-win-core-enclave-l1-1-0", count:1, red: ["kernelbase.dll"]},
 {name:"api-ms-win-core-enclave-l1-1-1", count:1, red: ["kernelbase.dll"]},
 {name:"api-ms-win-core-errorhandling-l1-1-0", count:1, red: ["kernel32.dll"]},
 {name:"api-ms-win-core-errorhandling-l1-1-3", count:1, red: ["kernelbase.dll"]},
@@ -128,11 +129,14 @@
 {name:"api-ms-win-core-localregistry-l1-1-0", count:1, red: ["kernel32.dll"]},
 {name:"api-ms-win-core-marshal-l1-1-0", count:1, red: ["combase.dll"]},
 {name:"api-ms-win-core-memory-l1-1-0", count:1, red: ["kernelbase.dll"]},
+{name:"api-ms-win-core-memory-l1-1-1", count:1, red: ["kernelbase.dll"]},
+{name:"api-ms-win-core-memory-l1-1-2", count:1, red: ["kernelbase.dll"]},
 {name:"api-ms-win-core-memory-l1-1-6", count:1, red: ["kernelbase.dll"]},
 {name:"api-ms-win-core-misc-l1-1-0", count:1, red: ["kernelbase.dll"]},
 {name:"api-ms-win-core-multipleproviderrouter-l1-1-0", count:1, red: ["mpr.dll"]},
 {name:"api-ms-win-core-namedpipe-ansi-l1-1-1", count:1, red: ["kernel32.dll"]},
 {name:"api-ms-win-core-namedpipe-l1-1-0", count:1, red: ["kernelbase.dll"]},
+{name:"api-ms-win-core-namedpipe-l1-2-1", count:1, red: ["kernelbase.dll"]},
 {name:"api-ms-win-core-namedpipe-l1-2-2", count:1, red: ["kernelbase.dll"]},
 {name:"api-ms-win-core-namespace-ansi-l1-1-0", count:1, red: ["kernel32.dll"]},
 {name:"api-ms-win-core-namespace-l1-1-0", count:1, red: ["kernelbase.dll"]},
@@ -150,6 +154,7 @@
 {name:"api-ms-win-core-processsecurity-l1-1-0", count:2, red: ["kernel32.dll", "kernelbase.dll"],"alias":"kernel32.dll"},
 {name:"api-ms-win-core-processsnapshot-l1-1-0", count:1, red: ["kernelbase.dll"]},
 {name:"api-ms-win-core-processthreads-l1-1-0", count:2, red: ["kernel32.dll", "kernelbase.dll"],"alias":"kernel32.dll"},
+{name:"api-ms-win-core-processthreads-l1-1-2", count:2, red: ["kernel32.dll", "kernelbase.dll"],"alias":"kernel32.dll"},
 {name:"api-ms-win-core-processthreads-l1-1-1", count:2, red: ["kernel32.dll", "kernelbase.dll"],"alias":"kernel32.dll"},
 {name:"api-ms-win-core-processthreads-l1-1-3", count:2, red: ["kernel32.dll", "kernelbase.dll"],"alias":"kernel32.dll"},
 {name:"api-ms-win-core-processtopology-l1-1-0", count:1, red: ["kernelbase.dll"]},
@@ -201,6 +206,8 @@
 {name:"api-ms-win-core-synch-l1-2-1", count:1, red: ["kernelbase.dll"]},
 {name:"api-ms-win-core-sysinfo-l1-1-0", count:1, red: ["kernelbase.dll"]},
 {name:"api-ms-win-core-sysinfo-l1-1-1", count:1, red: ["kernelbase.dll"]},
+{name:"api-ms-win-core-sysinfo-l1-2-1", count:1, red: ["kernelbase.dll"]},
+{name:"api-ms-win-core-sysinfo-l1-2-2", count:1, red: ["kernelbase.dll"]},
 {name:"api-ms-win-core-sysinfo-l1-2-4", count:1, red: ["kernelbase.dll"]},
 {name:"api-ms-win-core-sysinfo-l2-1-0", count:1, red: ["advapi32.dll"]},
 {name:"api-ms-win-core-systemtopology-l1-1-1", count:1, red: ["kernelbase.dll"]},
@@ -548,6 +555,7 @@
 {name:"ext-ms-win-gdi-path-l1-1-0", count:1, red: ["gdi32full.dll"]},
 {name:"ext-ms-win-gdi-print-l1-1-0", count:1, red: ["gdi32full.dll"]},
 {name:"ext-ms-win-gdi-private-l1-1-0", count:1, red: ["gdi32full.dll"]},
+{name:"ext-ms-win-gdi-desktop-l1-1-0", count:1, red: ["gdi32.dll"]},
 {name:"ext-ms-win-gdi-render-l1-1-0", count:1, red: ["gdi32.dll"]},
 {name:"ext-ms-win-gdi-rgn-l1-1-0", count:1, red: ["gdi32full.dll"]},
 {name:"ext-ms-win-gdi-wcs-l1-1-0", count:1, red: ["gdi32full.dll"]},
diff --git a/Build/hooks/address.js b/Build/hooks/address.js
index c77713f..12e77d8 100644
--- a/Build/hooks/address.js
+++ b/Build/hooks/address.js
@@ -1,61 +1,11 @@ -// var _parse_cmdline = new ApiHook(); -// _parse_cmdline.OnCallBack = function () { +var addr_hook_example = new ApiHook(); +addr_hook_example.OnCallBack = function () { -// var PC = Emu.ReadDword(Emu.ReadReg(REG_ESP)); + info('EDI = ',Emu.ReadReg(REG_EDI).toString(16)) + info('ESI = ',Emu.ReadReg(REG_ESI).toString(16)) + info('Module : ',Emu.ReadStringA(Emu.ReadReg(REG_EAX))) -// info('PC : 0x',PC.toString(16)); - -// info(Emu.SetReg(REG_EIP, PC)); -// return true; -// }; -// _parse_cmdline.install(0x00403383); - -// _wcmdln fix - -// var Path = '"C:\\pla\\' + Emu.Filename + '"'; // :D -// var _wcmdln_ptr = Emu.GetProcAddr(Emu.GetModuleHandle('msvcr90.dll'), '_wcmdln'); -// var po = -// Emu.WriteStringW(_wcmdln_ptr,Path) : Emu.WriteStringA(_wcmdln_ptr,Path); - - - - -// var tmpx = new ApiHook(); -// tmpx.OnCallBack = function () { - - -// info('EDI = ',Emu.ReadReg(REG_EDI).toString(16)) -// info('ESI = ',Emu.ReadReg(REG_ESI).toString(16)) -// info('Module : ',Emu.ReadStringA(Emu.ReadReg(REG_EAX))) - -// return true; -// }; - -// tmpx.install(0x401369); - -// var tmpx = new ApiHook(); -// tmpx.OnCallBack = function () { - -// info('esi = ',Emu.ReadReg(REG_ESI).toString(16)) -// info('ecx = ',Emu.ReadReg(REG_ECX).toString(16)) - -// info('Module : ',Emu.ReadStringW(Emu.ReadReg(REG_ESI))) - -// return true; -// }; - -// tmpx.install(0x401037); - - -// var tmpz = new ApiHook(); -// tmpz.OnCallBack = function () { - -// info('esi = ',Emu.ReadReg(REG_ESI).toString(16)) - -// info('API : ',Emu.ReadStringA(Emu.ReadReg(REG_ESI))) - -// return true; -// }; - -// tmpz.install(0x401068); + return true; +}; +addr_hook_example.install(0x401369); diff --git a/Cmulator.lps b/Cmulator.lps index 88fbdcb..18ce56a 100644 --- a/Cmulator.lps +++ b/Cmulator.lps @@ -3,12 +3,12 @@ - + - - + + @@ -17,9 +17,9 @@ - - - + + + @@ -38,9 +38,9 @@ - - - + + + @@ -65,9 +65,9 @@ - - - + + + @@ -76,7 +76,7 @@ - + @@ -87,17 +87,18 @@ - - - + + + + - + @@ -160,8 +161,8 @@ - - + + 
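Review bot: `addr_hook_example.install(0x401369)` registers the callback unconditionally at an address that only makes sense for one particular target, yet the file lives in Build/hooks where it reads as a shared hook set, so any sample run with it gets a register dump at that address and nothing in the hunk says where the number comes from. If it is meant as a template, a header comment would make that explicit, e.g. `// Example hook: dumps EDI/ESI and the module name at a sample-specific address; change 0x401369 for your target.`. The three `info(...)` calls also drop the trailing semicolon that the surrounding statements in this hunk keep.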
@@ -172,15 +173,15 @@ - + - + - - + + @@ -189,7 +190,7 @@ - + @@ -197,7 +198,7 @@ - + @@ -205,28 +206,27 @@ - + - + - + - - + - + @@ -237,7 +237,7 @@ - + @@ -245,132 +245,153 @@ - + - + + + + + + + + + + + + + + + + + + + - - + + - + - - + + - - + + - - + + - + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - + - - + + - - + + - + + - + + - - + + - - + + - - + + - - + + - - + + - - + + - + - + + - - + + - + - - + + - - + + diff --git a/Cmulator.pas b/Cmulator.pas index 338642d..b60f0d6 100644 --- a/Cmulator.pas +++ b/Cmulator.pas @@ -35,12 +35,12 @@ procedure info(); major, minor : Cardinal; begin major := 0; minor := 0; - Writeln (#10'Cmulator Malware Analyzer - By Coldzer0',#10); - Writeln ( 'Compiled on : ',{$I %DATE%}, ' - ' ,{$I %TIME%}); - Writeln ( 'Target CPU : i386 & x86_x64'); + Writeln(#10'Cmulator Malware Analyzer - By Coldzer0',#10); + Writeln( 'Compiled on : ',{$I %DATE%}, ' - ' ,{$I %TIME%}); + Writeln( 'Target CPU : i386 & x86_x64'); uc_version(major, minor); Writeln(format('Unicorn Engine : v%d.%d ',[major,minor])); - Writeln('Cmulator : v0.1'#10); + Writeln('Cmulator : ',CM_VERSION,#10); end; procedure Help(); @@ -221,6 +221,5 @@ procedure LoadConfig(); Emulator.Start; Writeln(#10#10); - Writeln('Press Enter to Close ¯\_(ツ)_/¯'); - //ReadLn; + Writeln('I just finished ¯\_(ツ)_/¯'); end. diff --git a/Core/emu.pas b/Core/emu.pas index 0fa2875..2532201 100644 --- a/Core/emu.pas +++ b/Core/emu.pas @@ -1352,8 +1352,8 @@ procedure LoadApiSetSchema(var ApiSetSchema : TApiSetSchema); Redirect.first := string(item.S['red.F']); Redirect.last := string(item.S['red.L']); Redirect.count := item.I['count']; - name := string(item.S['name']); - ApiSetSchema.AddOrSetValue(LowerCase(name),Redirect); + name := SplitReg(string(LowerCase(item.S['name']))); + ApiSetSchema.AddOrSetValue(name,Redirect); end; for item in APIS['WIN10_APIS'] do 
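Review bot: `ApiSetSchema.AddOrSetValue(name,Redirect)` now keys on the SplitReg-normalised name, so every Build/Apiset.json entry that differs only in its version suffix lands on one key and the last one in the file silently replaces the earlier ones; as far as I can read SplitReg in the Core/utils.pas hunk it also strips the `-l<n>` segment, which merges api-ms-win-core-sysinfo-l1-* (kernelbase.dll) with api-ms-win-core-sysinfo-l2-1-0 (advapi32.dll), and a name SplitReg cannot match arrives here as '' and is stored under the empty key. The second hunk at -1362 has the same shape. A guard ahead of the insert would make these collisions visible rather than silent, e.g. `if (name = '') or ApiSetSchema.ContainsKey(name) then Writeln('apiset: duplicate or empty key for ', item.S['name']);`. The loop body this hunk sits in starts outside the hunk.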
@@ -1362,8 +1362,8 @@ procedure LoadApiSetSchema(var ApiSetSchema : TApiSetSchema); Redirect.last := string(item.S['red[1]']); Redirect.count := item.I['count']; Redirect.&alias := string(item.S['alias']); - name := string(item.S['name']); - ApiSetSchema.AddOrSetValue(LowerCase(name),Redirect); + name := SplitReg(string(LowerCase(item.S['name']))); + ApiSetSchema.AddOrSetValue(name,Redirect); end; finally JSON.Free; diff --git a/Core/globals.pas b/Core/globals.pas index 7b4eddb..ab31c0e 100644 --- a/Core/globals.pas +++ b/Core/globals.pas @@ -8,6 +8,17 @@ interface Classes, SysUtils, Emu,JSPlugins_BEngine, {$I besenunits.inc},Unicorn_dyn; + +{ +Given a version number MAJOR.MINOR.PATCH, increment the: + +MAJOR version when you make incompatible API changes, +MINOR version when you add functionality in a backwards-compatible manner, and +PATCH version when you make backwards-compatible bug fixes. +} +const + CM_VERSION = 'v0.2.1'; + var VerboseExcp : Boolean = False; Verbose : Boolean = False; diff --git a/Core/utils.pas b/Core/utils.pas index 9db7fd0..8bea8dc 100644 --- a/Core/utils.pas +++ b/Core/utils.pas @@ -4,7 +4,7 @@ interface uses - Classes, SysUtils,strutils,LazFileUtils, + Classes, SysUtils,strutils,LazFileUtils,RegExpr, Unicorn_dyn, UnicornConst, X86Const, {$i besenunits.inc}, Zydis, @@ -55,6 +55,7 @@ function isprint(const AC: AnsiChar): boolean; function GetFullPath(name : string) : UnicodeString; function GetDllFromApiSet(name : string): UnicodeString; +function SplitReg(Str : string) : string; const UC_PAGE_SIZE = $1000; 
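Review bot: `CM_VERSION = 'v0.2.1'` becomes the single source for the banner printed by info() in Cmulator.pas, but the README heading touched by this same patch still reads "(v0.2 Beta)", so the two will drift unless one of them is dropped or the comment says the README must be bumped alongside the constant. The semantic-versioning text above the constant is generic; one line naming what the constant feeds would be more useful to the next maintainer, e.g. `// Shown by info() in Cmulator.pas; bump on every release (and keep README in sync).`.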
@@ -92,14 +93,30 @@ function GetFullPath(name : string) : UnicodeString; Result := IncludeTrailingPathDelimiter(win32) + UnicodeString(LowerCase(Trim(name))); end; +function SplitReg(Str : string) : string; +var + re : TRegExpr; +begin + Result := ''; + re := TRegExpr.Create('^.*-l\d'); + if re.Exec(Str) then + begin + //Writeln('name : ',Str); + //Writeln('[0] : ',re.Match[0].Remove(Length(re.Match[0])-3,3),#10); + Result := re.Match[0].Remove(Length(re.Match[0])-3,3); + end; + re.Free; +end; + function GetDllFromApiSet(name : string): UnicodeString; var API : TApiRed; Dll : string; Path : UnicodeString; begin - Result := name; - Dll := ExtractFileNameWithoutExt(ExtractFileName(name)); + Result := UnicodeString(SplitReg(name)); + Dll := ExtractFileNameWithoutExt(ExtractFileName(SplitReg(name))); + if Emulator.ApiSetSchema.ContainsKey(Dll) then begin Emulator.ApiSetSchema.TryGetValue(Dll,API); diff --git a/README.md b/README.md index bb59a46..8763564 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,8 @@ # Cmulator - Scriptable x86 RE Sandbox Emulator (v0.2 Beta) + +[![Join the chat at https://gitter.im/x86_emulator/community](https://badges.gitter.im/x86_emulator/cmulator.svg)](https://gitter.im/x86_emulator/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) +
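Review bot: SplitReg's `Remove(Length(re.Match[0])-3,3)` deletes the very characters the pattern `^.*-l\d` anchored on, so `api-ms-win-core-sysinfo-l1-2-4` reduces to `api-ms-win-core-sysinfo`, the same key as `api-ms-win-core-sysinfo-l2-1-0`, which Build/Apiset.json sends to advapi32.dll rather than kernelbase.dll; and when the pattern does not match (a plain module name) it returns '', so the new `Result := UnicodeString(SplitReg(name))` in GetDllFromApiSet no longer falls back to the caller's name the way `Result := name` did. Capturing the layer and falling back on no match fixes both: `re := TRegExpr.Create('^(.*-l\d+)-\d+-\d+');` and `if re.Exec(Str) then Result := re.Match[1] else Result := Str;`. `re.Free` should also sit in a try/finally so an exception out of Exec does not leak the object. GetDllFromApiSet continues past the end of the hunk, so an else branch there may reset Result; worth checking.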

Call for LOGO , if you good at design give it a try and Create Logo for Cmulator
your name will appear in Acknowledgements