From f0d4c72916d63e9d3179e7a12c0586aa8c955e36 Mon Sep 17 00:00:00 2001 
From: dreguera Date: Wed, 14 Jan 2015 16:20:39 +0100 Subject: [PATCH] new test stuff --- tests/Makefile | 17 +- tests/README | 30 +++ tests/apihooks.c | 64 ------ tests/bind-port.c | 17 -- tests/blacklist.c | 18 -- tests/child-sleep.c | 16 -- tests/crash.c | 7 - tests/create-file.c | 24 --- tests/delete-file.c | 150 -------------- tests/functionality/Makefile | 27 +++ tests/functionality/blacklist.c | 38 ++++ tests/{ => functionality}/logging.c | 23 ++- tests/functionality/lookup.c | 51 +++++ tests/functionality/test-lde.c | 40 ++++ tests/general/Makefile | 27 +++ tests/{ => general}/apc-inject.c | 26 ++- tests/general/apihooks.c | 174 +++++++++++++++++ tests/general/bind-port.c | 51 +++++ tests/{unhook.c => general/child-sleep.c} | 26 +-- tests/general/create-file.c | 65 ++++++ tests/general/delete-file.c | 228 ++++++++++++++++++++++ tests/{ => general}/getcursorpos.c | 14 +- tests/general/migrate-process.c | 26 +++ tests/general/mitigate-process.c | 67 +++++++ tests/{ => general}/mousebutton-count.c | 4 +- tests/general/open-protected-pid.c | 29 +++ tests/{ => general}/peb-check.c | 8 +- tests/general/sleep.c | 51 +++++ tests/general/sleep2.c | 46 +++++ tests/general/startup-time.c | 38 ++++ tests/general/suspended-process.c | 67 +++++++ tests/general/test-dns.c | 67 +++++++ tests/{ => general}/test-lasterr.c | 20 ++ tests/general/unhook.c | 63 ++++++ tests/general/wininet.c | 59 ++++++ tests/general/write-file.c | 60 ++++++ tests/lookup.c | 31 --- tests/migrate-process.c | 8 - tests/mitigate-process.c | 32 --- tests/open-protected-pid.c | 10 - tests/others/Makefile | 27 +++ tests/others/crash.c | 27 +++ tests/sleep.c | 30 --- tests/sleep2.c | 24 --- tests/startup-time.c | 16 -- tests/suspended-process.c | 30 --- tests/test-dns.c | 19 -- tests/test-lde.c | 15 -- tests/wininet.c | 33 ---- tests/write-file.c | 30 --- 50 files changed, 1463 insertions(+), 607 deletions(-) create mode 100644 tests/README delete mode 100644 tests/apihooks.c delete mode 100644 
tests/bind-port.c delete mode 100644 tests/blacklist.c delete mode 100644 tests/child-sleep.c delete mode 100644 tests/crash.c delete mode 100644 tests/create-file.c delete mode 100644 tests/delete-file.c create mode 100644 tests/functionality/Makefile create mode 100644 tests/functionality/blacklist.c rename tests/{ => functionality}/logging.c (52%) create mode 100644 tests/functionality/lookup.c create mode 100644 tests/functionality/test-lde.c create mode 100644 tests/general/Makefile rename tests/{ => general}/apc-inject.c (65%) create mode 100644 tests/general/apihooks.c create mode 100644 tests/general/bind-port.c rename tests/{unhook.c => general/child-sleep.c} (64%) create mode 100644 tests/general/create-file.c create mode 100644 tests/general/delete-file.c rename tests/{ => general}/getcursorpos.c (81%) create mode 100644 tests/general/migrate-process.c create mode 100644 tests/general/mitigate-process.c rename tests/{ => general}/mousebutton-count.c (96%) create mode 100644 tests/general/open-protected-pid.c rename tests/{ => general}/peb-check.c (84%) create mode 100644 tests/general/sleep.c create mode 100644 tests/general/sleep2.c create mode 100644 tests/general/startup-time.c create mode 100644 tests/general/suspended-process.c create mode 100644 tests/general/test-dns.c rename tests/{ => general}/test-lasterr.c (67%) create mode 100644 tests/general/unhook.c create mode 100644 tests/general/wininet.c create mode 100644 tests/general/write-file.c delete mode 100644 tests/lookup.c delete mode 100644 tests/migrate-process.c delete mode 100644 tests/mitigate-process.c delete mode 100644 tests/open-protected-pid.c create mode 100644 tests/others/Makefile create mode 100644 tests/others/crash.c delete mode 100644 tests/sleep.c delete mode 100644 tests/sleep2.c delete mode 100644 tests/startup-time.c delete mode 100644 tests/suspended-process.c delete mode 100644 tests/test-dns.c delete mode 100644 tests/test-lde.c delete mode 100644 tests/wininet.c 
delete mode 100644 tests/write-file.c diff --git a/tests/Makefile b/tests/Makefile index 201f863..debec19 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -1,9 +1,10 @@ MAKEFLAGS = -j8 -CFLAGS = -Wall -std=c99 -s -O2 -LIBS = -ldnsapi -lws2_32 -lwininet -lshlwapi +CFLAGS = -Wall -std=c99 -s -O2 +LIBS = -ldnsapi -lws2_32 -lwininet -lshlwapi +CAPSTONELIB = ../../capstone/capstone.lib ifneq ($(OS),Windows_NT) - CC = i586-mingw32msvc-cc + CC = i686-w64-mingw32-gcc else CC = gcc endif @@ -13,14 +14,14 @@ TESTSEXE = $(TESTS:.c=.exe) # please build all the object files using the main Makefile (in the parent # directory) -CUCKOOOBJ := $(wildcard ../objects/*.o) -CUCKOOOBJ += $(wildcard ../objects/bson/*.o) -CUCKOOOBJ += $(wildcard ../objects/distorm3.2/*.o) +CUCKOOOBJ := $(wildcard ../../objects/*.o) +CUCKOOOBJ += $(wildcard ../../objects/bson/*.o) +CUCKOOOBJ += $(wildcard ../../capstone/*.o) all: $(TESTSEXE) -%.exe: %.c $(CUCKOOOBJ) $(DISTORM3OBJ) - $(CC) $(CFLAGS) -I../distorm3.2-package/include -I.. -o $@ $^ $(LIBS) +%.exe: %.c $(CUCKOOOBJ) $(CAPSTONELIB) + $(CC) $(CFLAGS) -I../.. -I../../capstone -I../../capstone/arch/X86/ -o $@ $^ $(LIBS) clean: rm -f $(TESTSEXE) diff --git a/tests/README b/tests/README new file mode 100644 index 0000000..07ab4f3 --- /dev/null +++ b/tests/README 
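Review bot: tests/Makefile ends up byte-identical to tests/functionality/Makefile (both hunks produce blob debec19), so run from tests/ its `../../objects`, `../../capstone` and `-I../..` paths resolve one level above the repository, and with every .c file moved into subdirectories `TESTS = $(wildcard *.c)` is empty here anyway. Either make this a driver that recurses into the three test directories (`for d in functionality general others; do $(MAKE) -C $$d; done`) or drop it. The comment `# please build all the object files using the main Makefile (in the parent directory)` is stale in all copies now that the objects live two levels up; `(in the repository root)` says what is meant. The second hunk links both `$(wildcard ../../capstone/*.o)` and `$(CAPSTONELIB)`; if capstone.lib archives those same objects that is the same code linked twice, worth confirming.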
@@ -0,0 +1,30 @@ +Directories: +====== +* cuckooenvironment: The tests must be executed in a cuckoo virtual machine (Like a malware analysis). For example some checks about agent.py or checks about the human interaction. + +* functionality: The tests for a funcionality, for example: testing the hook engine. + +* others: Other kind of test, for example tests without a possible automation using the return. + +Rules for tests: +====== +* Add in the source header a description with: + +** The purpose of the test. +** Why this test is necessary? + +* Return value: A successful tests completion must be return 0. Otherwise return 1. + +* The test must be return ALWAYS (exception for the "others category") to automate the testing process. This is useful using software like jenkins. + +** For example one test make a big Sleep to test the "cuckoom sleep bypass": +*** Make a thread in the process. This thread checks if the Sleep is skipped or not. +*** If the Sleep is not skipped in 1 minute the thread can be terminate the process with return value 1. + +* The test must be compile with Mingw. + +* Use the Makefile If possible. If you need a special Makefile for a test: add a "mingw-make compatible" Makefile. + +* Dont repeat an existent test. Maybe you can improve one. + +* Use stderr to print errors. diff --git a/tests/apihooks.c b/tests/apihooks.c deleted file mode 100644 index 61ac3b0..0000000 --- a/tests/apihooks.c +++ /dev/null 
@@ -1,64 +0,0 @@ -#include -#include -#include - -DWORD WINAPI dummy(LPVOID lpValue) -{ - printf("dummy here!\n"); - return 0; -} - -int main() -{ - // there we go - LoadLibrary("../cuckoomon.dll"); - - FILE *fp = fopen("test-hello", "r"); - if(fp != NULL) fclose(fp); - - fp = fopen("test-hello", "wb"); - fwrite("whatsup", 1, 6, fp); - fclose(fp); - - fp = fopen("test-hello", "rb"); - char buf[6]; - fread(buf, 1, 6, fp); - fclose(fp); - - _mkdir("abc"); - - DeleteFile("test-hello"); - - HKEY hKey; - if(RegCreateKeyEx(HKEY_CURRENT_USER, - "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, NULL, 0, - KEY_ALL_ACCESS, NULL, &hKey, NULL) == ERROR_SUCCESS) { - RegQueryInfoKey(hKey, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, - NULL, NULL, NULL); - RegSetValueEx(hKey, "TestApiHooks", 0, REG_SZ, (BYTE *) "Hoi", 3); - RegDeleteValue(hKey, "TestApiHooks"); - RegCloseKey(hKey); - } - - system("echo hai"); - - WinExec("echo hi there", SW_SHOW); - - CreateMutex(NULL, FALSE, "MutexNam3"); - OpenMutex(MUTEX_ALL_ACCESS, FALSE, "OpenMutexName"); - - // just some random dll - LoadLibrary("urlmon.dll"); - - FARPROC sleep = GetProcAddress(GetModuleHandle("kernel32"), "Sleep"); - sleep(1000); - - printf("debugger: %d\n", IsDebuggerPresent()); - - CloseHandle(CreateThread(NULL, 0, &dummy, NULL, 0, NULL)); - - HANDLE thread_handle = CreateRemoteThread(GetCurrentProcess(), NULL, 0, - &dummy, NULL, 0, NULL); - WaitForSingleObject(thread_handle, INFINITE); - CloseHandle(thread_handle); -} diff --git a/tests/bind-port.c b/tests/bind-port.c deleted file mode 100644 index 16d461d..0000000 --- a/tests/bind-port.c +++ /dev/null @@ -1,17 +0,0 @@ -#include -#include - -int main() -{ - WSADATA wsa; - WSAStartup(MAKEWORD(2, 2), &wsa); - - SOCKET s = socket(AF_INET, SOCK_STREAM, 0); - - struct sockaddr_in addr = {}; - addr.sin_family = AF_INET; - addr.sin_addr.s_addr = 0; - addr.sin_port = htons(0x29a); - - bind(s, (struct sockaddr *) &addr, sizeof(addr)); -} 
diff --git a/tests/blacklist.c b/tests/blacklist.c deleted file mode 100644 index ee4530a..0000000 --- a/tests/blacklist.c +++ /dev/null @@ -1,18 +0,0 @@ -#include -#include -#include -#include "ignore.h" -#include "ntapi.h" - -int main() -{ - const wchar_t *unicode[] = { - L"abcd", - L"\\??\\IDE#what's up bro?", - }; - for (int i = 0; i < ARRAYSIZE(unicode); i++) { - printf("%d <= %S\n", - is_ignored_file_unicode(unicode[i], wcslen(unicode[i])), - unicode[i]); - } -} diff --git a/tests/child-sleep.c b/tests/child-sleep.c deleted file mode 100644 index 40206d3..0000000 --- a/tests/child-sleep.c +++ /dev/null @@ -1,16 +0,0 @@ -#include -#include - -int main(int argc, char *argv[]) -{ - if(argc == 4) { - Sleep(5000); - return 0; - } - - Sleep(10000); - - char buf[256]; - sprintf(buf, "%s a b c", argv[0]); - system(buf); -} diff --git a/tests/crash.c b/tests/crash.c deleted file mode 100644 index 4e8baeb..0000000 --- a/tests/crash.c +++ /dev/null @@ -1,7 +0,0 @@ -#include - -int main() -{ - char *p = NULL; - *p = 0; -} diff --git a/tests/create-file.c b/tests/create-file.c deleted file mode 100644 index 257af06..0000000 --- a/tests/create-file.c +++ /dev/null @@ -1,24 +0,0 @@ -#include -#include - -int main() -{ - const char *modes[] = {"r", "r+", "w", "w+", "a", "a+"}; - const char *fname = "abc"; - - for (int i = 0; i < sizeof(modes)/sizeof(char *); i++) { - DeleteFile(fname); - FILE *fp = fopen(fname, modes[i]); - if(fp != NULL) { - fclose(fp); - } - } - - fclose(fopen(fname, "w")); - for (int i = 0; i < sizeof(modes)/sizeof(char *); i++) { - FILE *fp = fopen(fname, modes[i]); - if(fp != NULL) { - fclose(fp); - } - } -} diff --git a/tests/delete-file.c b/tests/delete-file.c deleted file mode 100644 index 3d7627d..0000000 --- a/tests/delete-file.c +++ /dev/null 
@@ -1,150 +0,0 @@ -#include -#include -#include "../ntapi.h" - -#define OBJ_CASE_INSENSITIVE 0x00000040 -#define OBJ_KERNEL_HANDLE 0x00000200 - -#define InitializeObjectAttributes(p, n, a, r, s) { \ - (p)->Length = sizeof(OBJECT_ATTRIBUTES); \ - (p)->RootDirectory = r; \ - (p)->Attributes = a; \ - (p)->ObjectName = n; \ - (p)->SecurityDescriptor = s; \ - (p)->SecurityQualityOfService = NULL; \ - } - -VOID (WINAPI *pRtlInitUnicodeString)(PUNICODE_STRING DestinationString, - PCWSTR SourceString); - -NTSTATUS (WINAPI *pZwDeleteFile)(POBJECT_ATTRIBUTES ObjectAttributes); - -NTSTATUS (WINAPI *pZwCreateFile)(PHANDLE FileHandle, - ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, - PIO_STATUS_BLOCK IoStatusBlock, PVOID AllocationSize, - ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, - ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength); - -NTSTATUS (WINAPI *pZwSetInformationFile)(HANDLE FileHandle, - PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, - FILE_INFORMATION_CLASS FileInformationClass); - -void write_file(const char *fname, const char *s) -{ - FILE *fp = fopen(fname, "wb"); - if(fp != NULL) { - fputs(s, fp); - fclose(fp); - } -} - -int main() -{ - printf( - "Going to try to delete files using various techiques.\n" - "Note that the MoveFileEx method will fail (see source why)\n" - ); - - write_file("abc.txt", "DeleteFile"); - - // - // delete the file using the well-known DeleteFile function - // - - printf("DeleteFile: %s (0x%08x)\n", DeleteFile("abc.txt") ? - "SUCCESS" : "FAILURE", GetLastError()); - - write_file("abc.txt", "MoveFileEx"); - - // - // delete the file using MoveFileEx, note that a NULL destination filename - // is only supported when the MOVEFILE_DELAY_UNTIL_REBOOT flag is set. - // (so this call will actually fail..) - // - - printf("MoveFileEx: %s (0x%08x)\n", MoveFileEx("abc.txt", NULL, 0) ? 
- "SUCCESS" : "FAILURE", GetLastError()); - - write_file("abc.txt", "ZwDeleteFile"); - - // - // delete the file using ZwDeleteFile - // - - UNICODE_STRING dir_fname, file_fname; - OBJECT_ATTRIBUTES obj_dir, obj_file; - IO_STATUS_BLOCK io_dir; - HANDLE dir_handle; - - *(FARPROC *) &pRtlInitUnicodeString = GetProcAddress( - GetModuleHandle("ntdll"), "RtlInitUnicodeString"); - *(FARPROC *) &pZwDeleteFile = GetProcAddress( - GetModuleHandle("ntdll"), "ZwDeleteFile"); - *(FARPROC *) &pZwCreateFile = GetProcAddress( - GetModuleHandle("ntdll"), "ZwCreateFile"); - *(FARPROC *) &pZwSetInformationFile = GetProcAddress( - GetModuleHandle("ntdll"), "ZwSetInformationFile"); - - // prepend the path with "\\??\\" - wchar_t cur_dir[MAX_PATH] = L"\\??\\"; - GetCurrentDirectoryW(MAX_PATH-4, cur_dir+4); - - pRtlInitUnicodeString(&dir_fname, cur_dir); - pRtlInitUnicodeString(&file_fname, L"abc.txt"); - - InitializeObjectAttributes(&obj_dir, &dir_fname, - OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); - - // open the directory - NTSTATUS ret = pZwCreateFile(&dir_handle, FILE_TRAVERSE, &obj_dir, - &io_dir, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, - FILE_DIRECTORY_FILE, NULL, 0); - - if(NT_SUCCESS(ret)) { - InitializeObjectAttributes(&obj_file, &file_fname, - OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, dir_handle, NULL); - - // delete the file - ret = pZwDeleteFile(&obj_file); - printf("ZwDeleteFile: %s (0x%08x)\n", NT_SUCCESS(ret) ? 
- "SUCCESS" : "FAILURE", ret); - CloseHandle(dir_handle); - } - else { - printf("ZwDeleteFile: FAILURE (0x%08x)\n", ret); - } - - write_file("abc.txt", "ZwSetInformationFile"); - - // - // delete the file using ZwSetInformationFile - // - - IO_STATUS_BLOCK io_file; - HANDLE file_handle; - - // prepend the path with "\\??\\" and append "abc.txt" - wchar_t file_name[MAX_PATH] = L"\\??\\"; - GetCurrentDirectoryW(MAX_PATH-4, file_name+4); - lstrcatW(file_name, L"\\abc.txt"); - - pRtlInitUnicodeString(&file_fname, file_name); - InitializeObjectAttributes(&obj_file, &file_fname, - OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); - - // open the file with DELETE access rights - ret = pZwCreateFile(&file_handle, DELETE, &obj_file, &io_file, NULL, - FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN, 0, NULL, 0); - if(NT_SUCCESS(ret)) { - BOOLEAN disp_info = TRUE; - ret = pZwSetInformationFile(file_handle, &io_file, &disp_info, - sizeof(disp_info), FileDispositionInformation); - CloseHandle(file_handle); - - printf("ZwSetInformationFile: %s (0x%08x)\n", NT_SUCCESS(ret) ? - "SUCCESS" : "FAILURE", ret); - } - else { - printf("ZwSetInformationFile: FAILURE (0x%08x)\n", ret); - } -} diff --git a/tests/functionality/Makefile b/tests/functionality/Makefile new file mode 100644 index 0000000..debec19 --- /dev/null +++ b/tests/functionality/Makefile 
@@ -0,0 +1,27 @@ +MAKEFLAGS = -j8 +CFLAGS = -Wall -std=c99 -s -O2 +LIBS = -ldnsapi -lws2_32 -lwininet -lshlwapi +CAPSTONELIB = ../../capstone/capstone.lib + +ifneq ($(OS),Windows_NT) + CC = i686-w64-mingw32-gcc +else + CC = gcc +endif + +TESTS = $(wildcard *.c) +TESTSEXE = $(TESTS:.c=.exe) + +# please build all the object files using the main Makefile (in the parent +# directory) +CUCKOOOBJ := $(wildcard ../../objects/*.o) +CUCKOOOBJ += $(wildcard ../../objects/bson/*.o) +CUCKOOOBJ += $(wildcard ../../capstone/*.o) + +all: $(TESTSEXE) + +%.exe: %.c $(CUCKOOOBJ) $(CAPSTONELIB) + $(CC) $(CFLAGS) -I../.. -I../../capstone -I../../capstone/arch/X86/ -o $@ $^ $(LIBS) + +clean: + rm -f $(TESTSEXE) diff --git a/tests/functionality/blacklist.c b/tests/functionality/blacklist.c new file mode 100644 index 0000000..dbf91c3 --- /dev/null +++ b/tests/functionality/blacklist.c @@ -0,0 +1,38 @@ +/* +Cuckoo Sandbox - Automated Malware Analysis +Copyright (C) 2010-2014 Cuckoo Sandbox Developers + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +#include +#include +#include +#include "ignore.h" +#include "ntapi.h" + +int main(void) +{ + const wchar_t *unicode[] = { + L"abcd", + L"\\??\\IDE#what's up bro?", + }; + for (int i = 0; i < ARRAYSIZE(unicode); i++) { + printf("%d <= %S\n", + is_ignored_file_unicode(unicode[i], wcslen(unicode[i])), + unicode[i]); + } + + return 0; +} 
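Review bot: This Makefile is a verbatim copy of tests/general/Makefile (and, per the diffstat, tests/others/Makefile), so every future change to CC, CFLAGS or the object paths has to be made three times. A single `tests/common.mk` holding the variables and the `%.exe` rule, pulled in with `include ../common.mk`, keeps one definition per directory set while each directory still builds with a plain `make`.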
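Review bot: main prints the result of is_ignored_file_unicode for each entry but never compares it to an expected value, so it returns 0 whatever the blacklist decides, which contradicts the README rule that a failed test returns 1; the new lookup.c, test-lde.c and logging.c have the same shape. Store the expected result beside each input (`struct { const wchar_t *s; int expected; }`, filling `expected` from the blacklist's documented behaviour) and `return 1` on the first mismatch, keeping the printf as diagnostic output. `int i` against `ARRAYSIZE(unicode)` is a signed/unsigned comparison; `size_t i` avoids it.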
diff --git a/tests/logging.c b/tests/functionality/logging.c similarity index 52% rename from tests/logging.c rename to tests/functionality/logging.c index 9244248..0c7732e 100644 --- a/tests/logging.c +++ b/tests/functionality/logging.c @@ -1,11 +1,30 @@ +/* +Cuckoo Sandbox - Automated Malware Analysis +Copyright (C) 2010-2014 Cuckoo Sandbox Developers + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + #include #include -#include "../log.h" +#include "log.h" const char *module_name = "logging"; int main() { + /* int is_success(int ret) { return 1; } int ret = 0; @@ -30,4 +49,6 @@ int main() LOQ("r", "a", REG_DWORD, 4, "\x10\x00\x00\x00"); LOQ("R", "a", REG_SZ, 1337, L"omgz0r"); LOQ("R", "a", REG_BINARY, 8, "Hello World"); +*/ + return 0; } diff --git a/tests/functionality/lookup.c b/tests/functionality/lookup.c new file mode 100644 index 0000000..fcbcaec --- /dev/null +++ b/tests/functionality/lookup.c 
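Review bot: The whole body of main is now wrapped in `/* ... */` and the function unconditionally returns 0, so this test reports success while exercising none of the LOQ calls. If the logging API is mid-change, say so in the file header the README asks for (`Purpose: ... Currently disabled: <reason>`) and have main `return 1` until it is re-enabled, or drop the file; a commented-out body that returns success will hide a broken logger from the automated run. The enclosing main starts and ends outside the two hunks.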
@@ -0,0 +1,51 @@ +/* +Cuckoo Sandbox - Automated Malware Analysis +Copyright (C) 2010-2014 Cuckoo Sandbox Developers + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +#include +#include +#include "lookup.h" + +typedef struct _entry_t { + struct _entry_t *next; + unsigned int id; + unsigned int size; + unsigned char data[0]; +} entry_t; + +int main(void) +{ + lookup_t a; + + lookup_init(&a); + strcpy((char *) lookup_add(&a, 1, 10), "abc"); + strcpy((char *) lookup_add(&a, 2, 20), "def"); + lookup_del(&a, 1); + strcpy((char *) lookup_add(&a, 3, 30), "ghi"); + strcpy((char *) lookup_add(&a, 4, 40), "jkl"); + lookup_del(&a, 4); + + for (int i = 0; i < 5; i++) { + printf("%d -> %p\n", i, lookup_get(&a, i, NULL)); + } + + for (entry_t *p = a.root; p != NULL; p = p->next) { + printf("%p %d %d\n", p, p->id, p->size); + } + + return 0; +} diff --git a/tests/functionality/test-lde.c b/tests/functionality/test-lde.c new file mode 100644 index 0000000..c921279 --- /dev/null +++ b/tests/functionality/test-lde.c 
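Review bot: entry_t is redefined locally with `unsigned char data[0]` so the test can walk `a.root`, which silently depends on the private layout in lookup.c never changing; prefer an iterator or debug-dump entry point in lookup.h, and if the struct must stay here use the C99 flexible array member `unsigned char data[];`. The `strcpy((char *) lookup_add(&a, 1, 10), "abc")` calls write through the return value with no NULL check, so if lookup_add can fail (I cannot see lookup.c here) the test crashes instead of returning 1. `printf("%p %d %d\n", p, p->id, p->size)` formats two unsigned ints with `%d`; use `%u`, and cast `p` to `(void *)` for `%p`.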
@@ -0,0 +1,40 @@ +/* +Cuckoo Sandbox - Automated Malware Analysis +Copyright (C) 2010-2014 Cuckoo Sandbox Developers + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +#include +#include "../hooking.h" + +int main(void) +{ + /* + 55 | push ebp + 89 E5 | mov ebp,esp + 83 EC 18 | sub esp,18 + */ + unsigned char b[][8] = { + {0x55}, + {0x89, 0xe5}, + {0x83, 0xec, 0x18}, + }; + + for (int i = 0; i < sizeof(b)/sizeof(b[0]); i++) { + printf("%d\n", lde(b[i])); + } + + return 0; +} diff --git a/tests/general/Makefile b/tests/general/Makefile new file mode 100644 index 0000000..debec19 --- /dev/null +++ b/tests/general/Makefile @@ -0,0 +1,27 @@ +MAKEFLAGS = -j8 +CFLAGS = -Wall -std=c99 -s -O2 +LIBS = -ldnsapi -lws2_32 -lwininet -lshlwapi +CAPSTONELIB = ../../capstone/capstone.lib + +ifneq ($(OS),Windows_NT) + CC = i686-w64-mingw32-gcc +else + CC = gcc +endif + +TESTS = $(wildcard *.c) +TESTSEXE = $(TESTS:.c=.exe) + +# please build all the object files using the main Makefile (in the parent +# directory) +CUCKOOOBJ := $(wildcard ../../objects/*.o) +CUCKOOOBJ += $(wildcard ../../objects/bson/*.o) +CUCKOOOBJ += $(wildcard ../../capstone/*.o) + +all: $(TESTSEXE) + +%.exe: %.c $(CUCKOOOBJ) $(CAPSTONELIB) + $(CC) $(CFLAGS) -I../.. -I../../capstone -I../../capstone/arch/X86/ -o $@ $^ $(LIBS) + +clean: + rm -f $(TESTSEXE) 
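Review bot: `#include "../hooking.h"` is resolved relative to tests/functionality/, i.e. tests/hooking.h, which does not appear anywhere in this tree; the sibling new tests include project headers as `"ignore.h"` and `"lookup.h"` through the Makefile's `-I../..`, so this should read `#include "hooking.h"` unless a tests/hooking.h exists. The comment already states the expected lengths (1, 2, 3) but the loop only prints `lde(b[i])`; `if (lde(b[i]) != i + 1) return 1;` would make the test self-verifying as the README asks. `int i` against `sizeof(b)/sizeof(b[0])` is a signed/unsigned comparison; declare `size_t i`.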
diff --git a/tests/apc-inject.c b/tests/general/apc-inject.c similarity index 65% rename from tests/apc-inject.c rename to tests/general/apc-inject.c index 50e95c1..b4a78c0 100644 --- a/tests/apc-inject.c +++ b/tests/general/apc-inject.c @@ -20,20 +20,38 @@ along with this program. If not, see . #include #include #include +#include -int main() +int main(void) { - LoadLibrary("../cuckoomon.dll"); + if ( LoadLibrary( _T( "../../cuckoomon.dll" ) ) == NULL ) + { + fprintf( stderr, "Error loading cuckoomon.dll" ); + return 1; + } - FARPROC sleep = GetProcAddress(GetModuleHandle("kernel32"), "Sleep"); + FARPROC sleep = GetProcAddress( GetModuleHandle( _T( "kernel32" ) ), "Sleep" ); + if ( sleep == NULL ) + { + fprintf( stderr, "Error getprocaddress Sleep" ); + return 1; + } + + BOOL injected = FALSE; for (uint32_t tid = 2000; ; tid += 4) { HANDLE thread_handle = OpenThread(THREAD_ALL_ACCESS, FALSE, tid); if(thread_handle != NULL) { printf("tid %d .. :)\n", tid); - QueueUserAPC((PAPCFUNC) sleep, thread_handle, 1337); + if ( QueueUserAPC((PAPCFUNC) sleep, thread_handle, 1337) != 0 ) + injected = TRUE; CloseHandle(thread_handle); break; } } + + if ( injected == FALSE ) + fprintf( stderr, "Error QueueUserAPC" ); + + return (injected == TRUE) ? 0 : 1; } diff --git a/tests/general/apihooks.c b/tests/general/apihooks.c new file mode 100644 index 0000000..80e1c9e --- /dev/null +++ b/tests/general/apihooks.c 
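Review bot: `for (uint32_t tid = 2000; ; tid += 4)` has no upper bound, so when OpenThread never succeeds (no thread id in that range, or insufficient rights) the test spins forever, although the README requires every test to return. Give the loop a limit, e.g. `for (uint32_t tid = 2000; tid < 0x10000; tid += 4)`, so `injected` stays FALSE and main returns 1 through the existing path. `printf("tid %d .. :)\n", tid)` prints a uint32_t with `%d`; use `%u`. The two new stderr messages in this hunk have no trailing `\n`, unlike the one in child-sleep.c.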
@@ -0,0 +1,174 @@ +/* +Cuckoo Sandbox - Automated Malware Analysis +Copyright (C) 2010-2014 Cuckoo Sandbox Developers + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +#include +#include +#include +#include + +DWORD WINAPI dummy(LPVOID lpValue) +{ + printf("dummy here!\n"); + return 0; +} + +int main(void) +{ + // there we go + if ( LoadLibrary(_T("../../cuckoomon.dll")) == NULL ) + { + fprintf( stderr, "Error Loadlibrary cuckoomon" ); + return 1; + } + + FILE *fp = fopen("test-hello", "r"); + if(fp != NULL) + fclose(fp); + else + { + fprintf( stderr, "Error fopen r" ); + return 1; + } + + fp = fopen("test-hello", "wb"); + if(fp != NULL) + { + if ( fwrite("whatsup", 1, 6, fp) != 1 ) + { + fprintf( stderr, "Error fwrite whatsup" ); + return 1; + } + fclose(fp); + } + else + { + fprintf( stderr, "Error fopen wb" ); + return 1; + } + + fp = fopen("test-hello", "rb"); + if(fp == NULL) + { + fprintf( stderr, "Error fopen rb" ); + return 1; + } + + char buf[6]; + if ( fread(buf, 1, 6, fp) != 1 ) + { + fprintf( stderr, "Error fread rb" ); + return 1; + } + fclose(fp); + + if ( _mkdir("abc") == -1 ) + { + fprintf( stderr, "Error mkdir abc" ); + return 1; + } + + if ( DeleteFile(_T("test-hello")) == 0 ) + { + fprintf( stderr, "Error Deletefile test-hello" ); + return 1; + } + + HKEY hKey; + if(RegCreateKeyEx(HKEY_CURRENT_USER, + _T("Software\\Microsoft\\Windows\\CurrentVersion\\Run"), 0, NULL, 0, + KEY_ALL_ACCESS, NULL, &hKey, NULL) 
== ERROR_SUCCESS) { + + if ( RegQueryInfoKey(hKey, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, + NULL, NULL, NULL) != ERROR_SUCCESS ) + { + fprintf( stderr, "Error RegQueryInfoKey" ); + return 1; + } + if ( RegSetValueEx(hKey, _T("TestApiHooks"), 0, REG_SZ, (BYTE *) _T("Hoi"), 3) != ERROR_SUCCESS ) + { + fprintf( stderr, "Error RegSetValueEx TestApiHooks" ); + return 1; + } + if ( RegDeleteValue(hKey, _T("TestApiHooks")) != ERROR_SUCCESS ) + { + fprintf( stderr, "Error RegDeleteValue TestApiHooks" ); + return 1; + } + RegCloseKey(hKey); + } + else + { + fprintf( stderr, "Error RegCreateKeyEx" ); + return 1; + } + + if ( system("echo hai") == -1 ) + { + fprintf( stderr, "Error system echo hai" ); + return 1; + } + + if ( WinExec("echo hi there", SW_SHOW) <= 31 ) + { + fprintf( stderr, "Error WinExec" ); + return 1; + } + + if ( CreateMutex(NULL, FALSE, _T("MutexNam3")) == NULL ) + { + fprintf( stderr, "Error CreateMutex" ); + return 1; + } + if ( OpenMutex(MUTEX_ALL_ACCESS, FALSE, _T("OpenMutexName")) == NULL ) + { + fprintf( stderr, "Error OpenMutex" ); + return 1; + } + + // just some random dll + if ( LoadLibrary( _T("urlmon.dll")) == NULL ) + { + fprintf( stderr, "Error Loadlibrary urlmon" ); + return 1; + } + + FARPROC sleep = GetProcAddress(GetModuleHandle(_T("kernel32")), "Sleep"); + if (sleep == NULL) + { + fprintf( stderr, "Error getprocaddress Sleep" ); + return 1; + } + + sleep(1000); + + printf("debugger: %d\n", IsDebuggerPresent()); + + CloseHandle(CreateThread(NULL, 0, &dummy, NULL, 0, NULL)); + + HANDLE thread_handle = CreateRemoteThread(GetCurrentProcess(), NULL, 0, + &dummy, NULL, 0, NULL); + if (thread_handle == NULL) + { + fprintf( stderr, "Error CreateRemoteThread" ); + return 1; + } + WaitForSingleObject(thread_handle, INFINITE); + CloseHandle(thread_handle); + + return 0; +} diff --git a/tests/general/bind-port.c b/tests/general/bind-port.c new file mode 100644 index 0000000..4474981 --- /dev/null +++ b/tests/general/bind-port.c 
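Review bot: `fwrite("whatsup", 1, 6, fp) != 1` is always true, because fwrite with size 1 and count 6 returns the number of items written, 6 on success, so the test exits with 1 right after creating the file; the `fread(buf, 1, 6, fp) != 1` check has the same bug. Compare against the count, `if ( fwrite("whatsup", 1, 6, fp) != 6 )` and `if ( fread(buf, 1, 6, fp) != 6 )`, and `fclose(fp)` before each `return 1`. The first `fopen("test-hello", "r")` now fails the test when the file is absent, but the file is only created by the later `"wb"` open and removed by `DeleteFile` at the end, so on any clean run this returns 1 before reaching the hooks under test; the deleted tests/apihooks.c deliberately tolerated a NULL there.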
@@ -0,0 +1,51 @@
+/*
+Cuckoo Sandbox - Automated Malware Analysis
+Copyright (C) 2010-2014 Cuckoo Sandbox Developers
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see .
+*/
+
+#include
+#include
+
+int main(void)
+{
+ WSADATA wsa;
+ if ( WSAStartup(MAKEWORD(2, 2), &wsa) != 0 )
+ {
+ fprintf( stderr, "Error WSAStartup" );
+ return 1;
+ }
+
+ SOCKET s = socket(AF_INET, SOCK_STREAM, 0);
+
+ if ( s == INVALID_SOCKET )
+ {
+ fprintf( stderr, "Error socket" );
+ return 1;
+ }
+
+ struct sockaddr_in addr = {};
+ addr.sin_family = AF_INET;
+ addr.sin_addr.s_addr = 0;
+ addr.sin_port = htons(0x29a);
+
+ if ( bind(s, (struct sockaddr *) &addr, sizeof(addr)) != 0 )
+ {
+ fprintf( stderr, "Error bind" );
+ return 1;
+ }
+
+ return 0;
+}
diff --git a/tests/unhook.c b/tests/general/child-sleep.c
similarity index 64%
rename from tests/unhook.c
rename to tests/general/child-sleep.c
index 4e9a1ce..61f475b 100644
--- a/tests/unhook.c
+++ b/tests/general/child-sleep.c
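Review bot: `struct sockaddr_in addr = {};` is an empty initializer, which is not valid C before C23 and only compiles under the Makefile's `-std=c99` as a GCC extension; `struct sockaddr_in addr = {0};` is the portable form. No path calls `closesocket(s)` or `WSACleanup()`, neither the `return 1` after a failed bind nor the success path; harmless at process exit, but the test is meant to be a model for the others. Binding the fixed port 0x29a will fail with WSAEADDRINUSE if a previous instance is still running, which would look like a hook failure; the file header should mention that assumption.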
@@ -21,21 +21,21 @@ along with this program. If not, see . int main(int argc, char *argv[]) { - FARPROC fp = GetProcAddress( - GetModuleHandle("kernel32"), "IsDebuggerPresent"); + if(argc == 4) { + Sleep(5000); + return 0; + } - unsigned long old_protect; - VirtualProtect(fp, 0x1000, PAGE_EXECUTE_READWRITE, &old_protect); - - // Corrupt the hook. - memset(fp, 0xcc, 32); - - fp = GetProcAddress(GetModuleHandle("kernel32"), "CopyFileA"); + Sleep(10000); - VirtualProtect(fp, 0x1000, PAGE_EXECUTE_READWRITE, &old_protect); + char buf[256]; + sprintf(buf, "%s a b c", argv[0]); + if ( system(buf) == -1 ) + { + fprintf( stderr, "Error system buf %s\n", buf ); - // Restore the hook. - memcpy(fp, "\x8b\xff\x55\x8b\xec", 5); + return 1; + } - Sleep(10000); + return 0; } diff --git a/tests/general/create-file.c b/tests/general/create-file.c new file mode 100644 index 0000000..ec72756 --- /dev/null +++ b/tests/general/create-file.c 
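Review bot: `sprintf(buf, "%s a b c", argv[0])` writes into a 256-byte buffer with no bound, and argv[0] can be a full path of up to MAX_PATH (260) characters, so a long install path overflows the stack buffer. Use `int n = snprintf(buf, sizeof buf, "\"%s\" a b c", argv[0]); if (n < 0 || (size_t)n >= sizeof buf) return 1;`; quoting argv[0] also keeps the `system()` call working when the path contains spaces. The hunk leaves a stray blank line between the `fprintf` and its `return 1;`.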
@@ -0,0 +1,65 @@
+/*
+Cuckoo Sandbox - Automated Malware Analysis
+Copyright (C) 2010-2014 Cuckoo Sandbox Developers
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see .
+*/
+
+#include
+#include
+
+int main(void)
+{
+ const char *modes[] = {"r", "r+", "w", "w+", "a", "a+"};
+ const char *fname = "abc";
+ FILE * file;
+
+ for (int i = 0; i < sizeof(modes)/sizeof(char *); i++)
+ {
+ if ( DeleteFileA(fname) == 0 )
+ {
+ fprintf( stderr, "Error DeleteFileA" );
+ return 1;
+ }
+ FILE *fp = fopen(fname, modes[i]);
+ if(fp != NULL)
+ fclose(fp);
+ else
+ {
+ fprintf( stderr, "Error fopen %s mode %s\n", fname, modes[i] );
+ return 1;
+ }
+ }
+
+ file = fopen(fname, "w");
+ if ( file == NULL )
+ {
+ fprintf( stderr, "Error fopen %s\n", fname );
+ return 1;
+ }
+ fclose( file );
+ for (int i = 0; i < sizeof(modes)/sizeof(char *); i++)
+ {
+ FILE *fp = fopen(fname, modes[i]);
+ if(fp != NULL)
+ fclose(fp);
+ else
+ {
+ fprintf( stderr, "Error fopen %s mode %s\n", fname, modes[i] );
+ return 1;
+ }
+ }
+
+ return 0;
+}
diff --git a/tests/general/delete-file.c b/tests/general/delete-file.c
new file mode 100644
index 0000000..45bced6
--- /dev/null
+++ b/tests/general/delete-file.c
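Review bot: The first loop treats `DeleteFileA(fname) == 0` as fatal, but on the first iteration `abc` does not exist yet, so DeleteFileA fails with ERROR_FILE_NOT_FOUND and the test returns 1 before opening anything; past that, `fopen(fname, "r")` and `"r+"` on a just-deleted file legitimately return NULL, which this version also turns into a failure, whereas the deleted tests/create-file.c deliberately tolerated it. Make the check `if ( DeleteFileA(fname) == 0 && GetLastError() != ERROR_FILE_NOT_FOUND )`, and in the first loop treat a NULL fp as an error only for the modes that create the file (`modes[i][0] != 'r'`). `int i` against `sizeof(modes)/sizeof(char *)` is a signed/unsigned comparison; `size_t i` avoids it. `FILE * file` would read better as `FILE *file`, matching the `FILE *fp` a few lines below.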
@@ -0,0 +1,228 @@ +/* +Cuckoo Sandbox - Automated Malware Analysis +Copyright (C) 2010-2014 Cuckoo Sandbox Developers + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +#include +#include +#include +#include "ntapi.h" + +#define FILE_OPEN 0x00000001 +#define FILE_DIRECTORY_FILE 0x00000001 + +#define OBJ_CASE_INSENSITIVE 0x00000040 +#define OBJ_KERNEL_HANDLE 0x00000200 + +#define InitializeObjectAttributes(p, n, a, r, s) { \ + (p)->Length = sizeof(OBJECT_ATTRIBUTES); \ + (p)->RootDirectory = r; \ + (p)->Attributes = a; \ + (p)->ObjectName = n; \ + (p)->SecurityDescriptor = s; \ + (p)->SecurityQualityOfService = NULL; \ + } + +VOID (WINAPI *pRtlInitUnicodeString)(PUNICODE_STRING DestinationString, + PCWSTR SourceString); + +NTSTATUS (WINAPI *pZwDeleteFile)(POBJECT_ATTRIBUTES ObjectAttributes); + +NTSTATUS (WINAPI *pZwCreateFile)(PHANDLE FileHandle, + ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, + PIO_STATUS_BLOCK IoStatusBlock, PVOID AllocationSize, + ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, + ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength); + +NTSTATUS (WINAPI *pZwSetInformationFile)(HANDLE FileHandle, + PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, + FILE_INFORMATION_CLASS FileInformationClass); + +int write_file(const char *fname, const char *s) +{ + FILE *fp = fopen(fname, "wb"); + if(fp != NULL) { + fputs(s, fp); + fclose(fp); + + return 0; + } + + 
fprintf( stderr, "Error writing %s\n", fname ); + + return 1; +} + +int main(void) +{ + UNICODE_STRING dir_fname, file_fname; + OBJECT_ATTRIBUTES obj_dir, obj_file; + IO_STATUS_BLOCK io_dir; + HANDLE dir_handle; + NTSTATUS ret; + + + printf( + "Going to try to delete files using various techiques.\n" + "Note that the MoveFileEx method will fail (see source why)\n" + ); + + if ( write_file("abc.txt", "DeleteFile") == 0 ) + { + // + // delete the file using the well-known DeleteFile function + // + + if ( DeleteFile( _T( "abc.txt" )) != 0 ) + printf("DeleteFile: SUCCESS\n" ); + else + { + fprintf( stderr, "Error DeleteFile LAST ERROR %d\n", GetLastError() ); + return 1; + } + } + else + return 1; + + if ( write_file("abc.txt", "MoveFileEx") == 0 ) + { + // + // delete the file using MoveFileEx, note that a NULL destination filename + // is only supported when the MOVEFILE_DELAY_UNTIL_REBOOT flag is set. + // (so this call will actually fail..) + // + + printf("MoveFileEx: %s (0x%08x)\n", MoveFileEx( _T( "abc.txt" ), NULL, 0 ) ? 
+ "SUCCESS" : "FAILURE", GetLastError()); + } + else + return 1; + + if ( write_file("abc.txt", "ZwDeleteFile") == 0 ) + { + // + // delete the file using ZwDeleteFile + // + *(FARPROC *) &pRtlInitUnicodeString = GetProcAddress( + GetModuleHandle( _T( "ntdll" ) ), "RtlInitUnicodeString"); + *(FARPROC *) &pZwDeleteFile = GetProcAddress( + GetModuleHandle( _T( "ntdll" ) ), "ZwDeleteFile"); + *(FARPROC *) &pZwCreateFile = GetProcAddress( + GetModuleHandle( _T( "ntdll" ) ), "ZwCreateFile"); + *(FARPROC *) &pZwSetInformationFile = GetProcAddress( + GetModuleHandle( _T( "ntdll" ) ), "ZwSetInformationFile"); + + if ( pRtlInitUnicodeString == NULL || pZwDeleteFile == NULL || pZwCreateFile == NULL || pZwSetInformationFile == NULL ) + { + fprintf( stderr, "Error getprocaddress: pRtlInitUnicodeString %x pZwDeleteFile %x pZwCreateFile %x pZwSetInformationFile %x", pRtlInitUnicodeString, pZwDeleteFile, pZwCreateFile, pZwSetInformationFile ); + return 1; + } + + // prepend the path with "\\??\\" + wchar_t cur_dir[MAX_PATH] = L"\\??\\"; + if ( GetCurrentDirectoryW(MAX_PATH-4, cur_dir+4) == 0 ) + { + fprintf( stderr, "Error: GetCurrentDirectoryW" ); + return 1; + } + + pRtlInitUnicodeString(&dir_fname, cur_dir); + pRtlInitUnicodeString(&file_fname, L"abc.txt"); + + InitializeObjectAttributes(&obj_dir, &dir_fname, + OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); + + // open the directory + ret = pZwCreateFile(&dir_handle, FILE_TRAVERSE, &obj_dir, + &io_dir, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, + FILE_DIRECTORY_FILE, NULL, 0); + + if(NT_SUCCESS(ret)) + { + InitializeObjectAttributes(&obj_file, &file_fname, + OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, dir_handle, NULL); + + // delete the file + ret = pZwDeleteFile(&obj_file); + printf("ZwDeleteFile: %s (0x%08x)\n", NT_SUCCESS(ret) ? 
+ "SUCCESS" : "FAILURE", ret); + CloseHandle(dir_handle); + + if (!NT_SUCCESS(ret)) + { + fprintf( stderr, "Error: ZwDeleteFile\n" ); + return 1; + } + } + else { + fprintf( stderr, "ZwDeleteFile: FAILURE (0x%08x)\n", ret); + return 1; + } + } + else + return 1; + + if ( write_file("abc.txt", "ZwSetInformationFile") == 0 ) + { + + // + // delete the file using ZwSetInformationFile + // + + IO_STATUS_BLOCK io_file; + HANDLE file_handle; + + // prepend the path with "\\??\\" and append "abc.txt" + wchar_t file_name[MAX_PATH] = L"\\??\\"; + if ( GetCurrentDirectoryW(MAX_PATH-4, file_name+4) == 0 ) + { + fprintf( stderr, "Error: GetCurrentDirectoryW\n" ); + return 1; + } + lstrcatW(file_name, L"\\abc.txt"); + + pRtlInitUnicodeString(&file_fname, file_name); + InitializeObjectAttributes(&obj_file, &file_fname, + OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); + + // open the file with DELETE access rights + ret = pZwCreateFile(&file_handle, DELETE, &obj_file, &io_file, NULL, + FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN, 0, NULL, 0); + if(NT_SUCCESS(ret)) { + BOOLEAN disp_info = TRUE; + ret = pZwSetInformationFile(file_handle, &io_file, &disp_info, + sizeof(disp_info), FileDispositionInformation); + CloseHandle(file_handle); + + printf("ZwSetInformationFile: %s (0x%08x)\n", NT_SUCCESS(ret) ? + "SUCCESS" : "FAILURE", ret); + + if ( ! NT_SUCCESS(ret) ) + { + fprintf( stderr, "Error: ZwSetInformationFile\n" ); + return 1; + } + } + else { + fprintf( stderr, "Error: ZwSetInformationFile: FAILURE (0x%08x)\n", ret); + return 1; + } + } + else + return 1; + + return 0; +} diff --git a/tests/getcursorpos.c b/tests/general/getcursorpos.c similarity index 81% rename from tests/getcursorpos.c rename to tests/general/getcursorpos.c index 2773b7e..d996f35 100644 --- a/tests/getcursorpos.c +++ b/tests/general/getcursorpos.c 
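Review bot: `GetCurrentDirectoryW(MAX_PATH-4, cur_dir+4)` returns 0 only on an API error; when the directory does not fit it returns the required length and leaves the buffer unset, so the `== 0` checks in both the ZwDeleteFile and the ZwSetInformationFile branch accept an empty path. In the second branch `lstrcatW(file_name, L"\\abc.txt")` then appends with no bound, which can run past the MAX_PATH buffer when the directory is close to the limit. Keep the length and reject truncation: `DWORD len = GetCurrentDirectoryW(MAX_PATH-4, cur_dir+4); if (len == 0 || len >= MAX_PATH-4) { fprintf(stderr, "Error: GetCurrentDirectoryW\n"); return 1; }`, and in the second branch additionally require `len + wcslen(L"\\abc.txt") < MAX_PATH-4` before the concatenation. The GetProcAddress error message also prints four function pointers with `%x`; `%p` is the matching specifier and stays correct on 64-bit builds.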
@@ -19,11 +19,19 @@ along with this program. If not, see .
 #include
 #include
-int main()
+int main(void)
 {
- for (int i = 0; i < 10; i++) {
- POINT p = {}; GetCursorPos(&p);
+ for (int i = 0; i < 10; i++)
+ {
+ POINT p = {};
+ if ( GetCursorPos(&p) == 0 )
+ {
+ fprintf( stderr, "Error getcursorpos" );
+ return 1;
+ }
 printf("{x: %ld, y: %ld}\n", p.x, p.y);
 Sleep(100);
 }
+
+ return 0;
 }
diff --git a/tests/general/migrate-process.c b/tests/general/migrate-process.c
new file mode 100644
index 0000000..938ebfc
--- /dev/null
+++ b/tests/general/migrate-process.c
@@ -0,0 +1,26 @@
+/*
+Cuckoo Sandbox - Automated Malware Analysis
+Copyright (C) 2010-2014 Cuckoo Sandbox Developers
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see .
+*/
+
+#include
+#include
+
+int main()
+{
+ // process identifier of explorer.exe on my VM
+ CloseHandle(OpenProcess(PROCESS_ALL_ACCESS, FALSE, 468));
+}
diff --git a/tests/general/mitigate-process.c b/tests/general/mitigate-process.c
new file mode 100644
index 0000000..aa984a7
--- /dev/null
+++ b/tests/general/mitigate-process.c
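Review bot: `OpenProcess(PROCESS_ALL_ACCESS, FALSE, 468)` in migrate-process.c hard-codes a PID that, per its own comment, only matches the author's VM, so on any other machine the call returns NULL, `CloseHandle(NULL)` fails silently and the test exercises nothing while still exiting 0. Take the PID from `argv[1]` (or resolve explorer.exe with a Toolhelp snapshot) and check the result: `HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); if (h == NULL) { fprintf(stderr, "Error OpenProcess %lu\n", GetLastError()); return 1; } CloseHandle(h);`. The file is re-added with the same body the commit deletes from tests/migrate-process.c, so none of the error-checking style applied to the other tests here reached it; open-protected-pid.c in this commit has the same hard-coded-PID problem.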
@@ -0,0 +1,67 @@ +/* +Cuckoo Sandbox - Automated Malware Analysis +Copyright (C) 2010-2014 Cuckoo Sandbox Developers + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + + +#include +#include + +/* multiple ways to inject into another process */ + +int main(int argc, char *argv[]) +{ + if(argc == 2) { + printf("Child process %s.. exiting..\n", argv[1]); + ExitProcess(0); + } + + char buf[256]; + + // WinExec + sprintf(buf, "\"%s\" a", argv[0]); + if ( WinExec(buf, SW_SHOW) <= 31 ) + { + fprintf( stderr, "Error WinExec" ); + return 1; + } + + // ShellExecute + if ( ShellExecuteA(NULL, NULL, argv[0], "b", NULL, SW_SHOW) <= 32 ) + { + fprintf( stderr, "Error ShellExecute" ); + return 1; + } + + // CreateProcess + sprintf(buf, "\"%s\" c", argv[0]); + STARTUPINFO si = {sizeof(si)}; PROCESS_INFORMATION pi = {}; + if ( CreateProcessA(NULL, buf, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi) == 0 ) + { + fprintf( stderr, "Error CreateProcessA"); + return 1; + } + + // system + sprintf(buf, "\"%s\" d", argv[0]); + if ( system(buf) == -1 ) + { + fprintf( stderr, "Error system"); + return 1; + } + + return 0; +} diff --git a/tests/mousebutton-count.c b/tests/general/mousebutton-count.c similarity index 96% rename from tests/mousebutton-count.c rename to tests/general/mousebutton-count.c index 32d7311..b1d27c0 100644 --- a/tests/mousebutton-count.c +++ b/tests/general/mousebutton-count.c 
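Review bot: The three `sprintf(buf, "\"%s\" ...", argv[0])` calls write an unbounded argv[0] into the 256-byte stack buffer `buf`, so a long install path overflows it; use `snprintf(buf, sizeof buf, "\"%s\" a", argv[0])` and return 1 when the result is `>= sizeof buf`. The CreateProcessA branch leaks `pi.hProcess` and `pi.hThread`; add `CloseHandle(pi.hThread); CloseHandle(pi.hProcess);` once the call has succeeded. `ShellExecuteA` returns an `HINSTANCE`, so `<= 32` compares a pointer with an integer (a warning under `-Wall`); the documented idiom is `(INT_PTR)ShellExecuteA(...) <= 32`. The header comment `/* multiple ways to inject into another process */` is carried over from the deleted file and does not describe this code, which only spawns itself four ways — presumably the injection it refers to is done by the monitor on the children; `/* spawn a child process via WinExec, ShellExecute, CreateProcess and system() */` would match what is here.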
@@ -19,7 +19,9 @@ along with this program. If not, see .
 #include
 #include
-int main()
+int main(void)
 {
 printf("count: %d\n", GetSystemMetrics(SM_CMOUSEBUTTONS));
+
+ return 0;
 }
diff --git a/tests/general/open-protected-pid.c b/tests/general/open-protected-pid.c
new file mode 100644
index 0000000..4bdec40
--- /dev/null
+++ b/tests/general/open-protected-pid.c
@@ -0,0 +1,29 @@
+/*
+Cuckoo Sandbox - Automated Malware Analysis
+Copyright (C) 2010-2014 Cuckoo Sandbox Developers
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see .
+*/
+
+#include
+#include
+
+int main(void)
+{
+ // this is the process identifier of agent.py on my VM
+ HANDLE process_handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 1576);
+ printf("process-handle: %p -> %d\n", process_handle, GetLastError());
+
+ return 0;
+}
diff --git a/tests/peb-check.c b/tests/general/peb-check.c
similarity index 84%
rename from tests/peb-check.c
rename to tests/general/peb-check.c
index 2b01a4d..5c8203f 100644
--- a/tests/peb-check.c
+++ b/tests/general/peb-check.c
@@ -18,12 +18,14 @@ along with this program. If not, see .
 #include
 #include
+#include
-int main()
+int main(void)
 {
- LoadLibrary("../cuckoomon.dll");
+ LoadLibrary(_T("../../cuckoomon.dll"));
- HMODULE cuckoomon_handle = GetModuleHandle("cuckoomon.dll");
+ HMODULE cuckoomon_handle = GetModuleHandle(_T("cuckoomon.dll"));
 printf("cuckoomon -> 0x%08x\n", cuckoomon_handle);
+ return 0;
 }
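Review bot: In open-protected-pid.c `GetLastError()` is printed unconditionally after `OpenProcess`, but its value is only meaningful when the handle is NULL; on success it shows whatever stale error an earlier call left behind, and the handle is then never closed. Branch on the result: `if (process_handle == NULL) printf("process-handle: NULL -> %lu\n", GetLastError()); else { printf("process-handle: %p\n", process_handle); CloseHandle(process_handle); }`. PID 1576 is, per the comment, specific to the author's VM; reading it from `argv[1]` makes the test usable elsewhere.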
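Review bot: In peb-check.c `printf("cuckoomon -> 0x%08x\n", cuckoomon_handle)` passes an `HMODULE` (a pointer) to `%x`, which is undefined for a pointer argument and truncates on 64-bit; use `printf("cuckoomon -> %p\n", (void *)cuckoomon_handle);`. The `LoadLibrary` result is discarded, unlike test-dns.c in this commit which checks it and exits 1, so a wrong relative path silently turns the check into a no-op; `if (LoadLibrary(_T("../../cuckoomon.dll")) == NULL) { fprintf(stderr, "Error LoadLibrary cuckoomon\n"); return 1; }` keeps the two consistent. A NULL from `GetModuleHandle` afterwards is presumably the interesting outcome (the monitor hiding itself from the PEB), so that one should stay a print rather than an error.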
diff --git a/tests/general/sleep.c b/tests/general/sleep.c new file mode 100644 index 0000000..d4c83bd --- /dev/null +++ b/tests/general/sleep.c @@ -0,0 +1,51 @@ +/* +Cuckoo Sandbox - Automated Malware Analysis +Copyright (C) 2010-2014 Cuckoo Sandbox Developers + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +#include +#include +#include + +DWORD WINAPI thread(LPVOID lpNothing) +{ + return 0; +} + +int main(void) +{ + LoadLibrary(_T("../../cuckoomon.dll")); + + // sleep for five seconds (skipped) + for (int i = 0; i < 100; i++) { + Sleep(50); + + printf("tick: %ld\n", GetTickCount()); + } + + // sleep for 10 seconds (skipped) + Sleep(10000); + + printf("tick: %ld\n", GetTickCount()); + + printf("starting second thread\n"); + CloseHandle(CreateThread(NULL, 0, &thread, NULL, 0, NULL)); + + // sleep for 5 seconds (not skipped) + Sleep(5000); + + return 0; +} diff --git a/tests/general/sleep2.c b/tests/general/sleep2.c new file mode 100644 index 0000000..8bd67ce --- /dev/null +++ b/tests/general/sleep2.c 
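Review bot: `LoadLibrary(_T("../../cuckoomon.dll"))` drops its return value, so when the DLL is not at that working-directory-relative path the sleep skipping this test is meant to observe is simply absent and the program still exits 0; test-dns.c in the same commit checks the load and exits 1. Mirror it: `if (LoadLibrary(_T("../../cuckoomon.dll")) == NULL) { fprintf(stderr, "Error LoadLibrary cuckoomon\n"); return 1; }`. The tick values are printed with `%ld` while `GetTickCount()` returns an unsigned `DWORD`; `%lu` matches. The "(skipped)" / "(not skipped)" comments describe monitor behaviour that is not visible here, so a note at the top such as `// expectations about skipped sleeps depend on cuckoomon's sleep-skip logic — see hooks` would help the next reader.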
@@ -0,0 +1,46 @@ +/* +Cuckoo Sandbox - Automated Malware Analysis +Copyright (C) 2010-2014 Cuckoo Sandbox Developers + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + + +#include +#include +#include + +int main(void) +{ + LoadLibrary( _T("../../cuckoomon.dll")); + + unsigned int start = GetTickCount(); + printf("%d\n", start); + + Sleep(1000); + + printf("%d -> %d\n", GetTickCount(), GetTickCount() - start); + + for (int i = 0; i < 10; i++) { + for (int j = 0; j < 0xfffffff; j++); + } + + printf("%d -> %d\n", GetTickCount(), GetTickCount() - start); + + Sleep(1000); + + printf("%d -> %d\n", GetTickCount(), GetTickCount() - start); + + return 0; +} diff --git a/tests/general/startup-time.c b/tests/general/startup-time.c new file mode 100644 index 0000000..b6276da --- /dev/null +++ b/tests/general/startup-time.c 
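Review bot: The busy loop `for (int j = 0; j < 0xfffffff; j++);` has no observable effect, so under the `-O2` used by the tests Makefile (visible for tests/others; presumably the same for tests/general) the compiler may remove it entirely, and the middle `GetTickCount()` print then no longer measures any CPU-bound delay. Make the counter `volatile` so the loop is kept: `for (volatile int j = 0; j < 0xfffffff; j++);`. `start` and the tick values are unsigned, so `%u` rather than `%d` is the matching specifier, and the `LoadLibrary` result is unchecked here as in sleep.c.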
@@ -0,0 +1,38 @@
+/*
+Cuckoo Sandbox - Automated Malware Analysis
+Copyright (C) 2010-2014 Cuckoo Sandbox Developers
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see .
+*/
+
+
+#include
+#include
+#include
+
+// Idea originally taken from the following article
+// http://spth.virii.lu/v4/articles/m0sa/evade.html
+
+int main(void)
+{
+ if(GetTickCount() < 10 * 60 * 1000) {
+ fprintf( stderr, "Running under a VM!\n");
+ return 1;
+ }
+ else {
+ printf("This computer is ok! Uptime: %d\n", GetTickCount());
+ }
+
+ return 0;
+}
diff --git a/tests/general/suspended-process.c b/tests/general/suspended-process.c
new file mode 100644
index 0000000..e09772f
--- /dev/null
+++ b/tests/general/suspended-process.c
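Review bot: `printf("This computer is ok! Uptime: %d\n", GetTickCount())` passes an unsigned `DWORD` to `%d`; `%lu` is the matching specifier. `GetTickCount()` also wraps after about 49.7 days, so the `< 10 * 60 * 1000` check can fire on a long-running host as well as on a fresh VM; `GetTickCount64()` avoids the wrap where `_WIN32_WINNT >= 0x0600` is acceptable. Since a freshly started sandbox VM will often have under ten minutes of uptime, the `return 1` branch is presumably the expected outcome under analysis; a comment saying so, e.g. `// exits 1 when uptime < 10 min — this is the "sandbox detected" path, not a test failure`, prevents it being read as an error.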
@@ -0,0 +1,67 @@ +/* +Cuckoo Sandbox - Automated Malware Analysis +Copyright (C) 2010-2014 Cuckoo Sandbox Developers + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +#include +#include + +int main(int argc, char *argv[]) +{ + if(argc != 1) { + printf("arg: %s\n", argv[1]); + fflush(stdout); + return 1; + } + + STARTUPINFO si = {sizeof(si)}; + PROCESS_INFORMATION pi; + char buf[256]; + + sprintf(buf, "\"%s\" a", argv[0]); + + BOOL ret = CreateProcess(argv[0], buf, NULL, NULL, FALSE, + CREATE_SUSPENDED, NULL, NULL, &si, &pi); + + printf("ret: %d\n", ret); + fflush(stdout); + + if ( ret == 0 ) + { + fprintf( stderr, "Error CreateProcess" ); + return 1; + } + + if ( ResumeThread(pi.hThread) == -1 ) + { + fprintf( stderr, "Error ResumeThread" ); + return 1; + } + + WaitForSingleObject(pi.hThread, INFINITE); + WaitForSingleObject(pi.hProcess, INFINITE); + + DWORD exit_code; + if ( GetExitCodeProcess(pi.hProcess, &exit_code) == 0 ) + { + fprintf( stderr, "Error GetExitCodeProcess" ); + return 1; + } + printf("ret: %d\n", exit_code); + fflush(stdout); + + return 0; +} diff --git a/tests/general/test-dns.c b/tests/general/test-dns.c new file mode 100644 index 0000000..f3c7df8 --- /dev/null +++ b/tests/general/test-dns.c 
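Review bot: `sprintf(buf, "\"%s\" a", argv[0])` is an unbounded write of argv[0] into `buf[256]`; use `snprintf(buf, sizeof buf, "\"%s\" a", argv[0])` and return 1 when the result is `>= sizeof buf`. `pi.hThread` and `pi.hProcess` are never closed; add `CloseHandle(pi.hThread); CloseHandle(pi.hProcess);` after `GetExitCodeProcess`. `ResumeThread` returns a `DWORD`, so `== -1` only works through implicit conversion — `== (DWORD)-1` says what is meant — and `exit_code` is likewise a `DWORD` that should be printed with `%lu`.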
@@ -0,0 +1,67 @@ +/* +Cuckoo Sandbox - Automated Malware Analysis +Copyright (C) 2010-2014 Cuckoo Sandbox Developers + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +#define _WIN32_WINNT 0x0501 +#include +#include +#include +#include +#include + +int main(void) +{ + DNS_STATUS status; + int returnf; + struct hostent * returnfhost; + + if ( LoadLibrary(_T("../../cuckoomon.dll")) == NULL ) + { + fprintf( stderr, "Error Loadlibrary cuckoomon" ); + return 1; + } + + status = DnsQuery(_T("jbremer.org"), DNS_TYPE_A, + DNS_QUERY_STANDARD, NULL, NULL, NULL); + printf("DnsQuery -> %d\n", status ); + if (status) + { + fprintf( stderr, "Error" ); + return 1; + } + + struct addrinfo *info = NULL; + returnf = getaddrinfo(_T("jbremer.org"), NULL, NULL,&info); + + printf("getaddrinfo -> %d\n", returnf ); + if ( returnf != 0 ) + { + fprintf( stderr, "Error" ); + return 1; + } + + returnfhost = gethostbyname(_T("jbremer.org")); + printf("gethostbyname -> %p\n", returnfhost); + + if ( returnfhost == NULL ) + { + fprintf( stderr, "Error" ); + return 1; + } + + return 0; +} diff --git a/tests/test-lasterr.c b/tests/general/test-lasterr.c similarity index 67% rename from tests/test-lasterr.c rename to tests/general/test-lasterr.c index dc25663..4c9f177 100644 --- a/tests/test-lasterr.c +++ b/tests/general/test-lasterr.c 
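Review bot: `getaddrinfo` and `gethostbyname` are called without a prior `WSAStartup`, so on Windows both fail with WSANOTINITIALISED before any name is resolved and main returns 1 at the getaddrinfo step regardless of the hooks under test. `_T()` is also applied to the `char *` arguments of those two functions, which breaks under a UNICODE build (they have no wide variant; only `DnsQuery` is a TCHAR macro), and the `addrinfo` list is never released with `freeaddrinfo`. Initialise Winsock at the top of main and release resources at the end.
```c
int main(void)
{
    DNS_STATUS status;
    int returnf;
    struct hostent * returnfhost;
    WSADATA wsa;

    // getaddrinfo/gethostbyname require Winsock to be initialised first
    if ( WSAStartup(MAKEWORD(2, 2), &wsa) != 0 )
    {
        fprintf( stderr, "Error WSAStartup" );
        return 1;
    }

    /* … unchanged: LoadLibrary and DnsQuery … */

    struct addrinfo *info = NULL;
    returnf = getaddrinfo("jbremer.org", NULL, NULL, &info);
    /* … unchanged: getaddrinfo result check … */
    freeaddrinfo(info);

    returnfhost = gethostbyname("jbremer.org");
    /* … unchanged: gethostbyname result check … */

    WSACleanup();
    return 0;
}
```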
@@ -1,3 +1,21 @@
+/*
+Cuckoo Sandbox - Automated Malware Analysis
+Copyright (C) 2010-2014 Cuckoo Sandbox Developers
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see .
+*/
+
 #include
 #include
 #include "hooking.h"
@@ -57,4 +75,6 @@ int main()
 DeleteFile("hoi");
 printf("lasterr: %d\n", GetLastError());
+
+ return 0;
 }
diff --git a/tests/general/unhook.c b/tests/general/unhook.c
new file mode 100644
index 0000000..c003c9d
--- /dev/null
+++ b/tests/general/unhook.c
@@ -0,0 +1,63 @@ +/* +Cuckoo Sandbox - Automated Malware Analysis +Copyright (C) 2010-2014 Cuckoo Sandbox Developers + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +#include +#include +#include + +int main(void) +{ + FARPROC fp = GetProcAddress( + GetModuleHandle( _T( "kernel32" ) ), "IsDebuggerPresent"); + + if ( fp == NULL ) + { + fprintf( stderr, "Error getprocaddress isdebuggerpresent" ); + return 1; + } + + unsigned long old_protect; + if ( VirtualProtect(fp, 0x1000, PAGE_EXECUTE_READWRITE, &old_protect) == 0 ) + { + fprintf( stderr, "Error VirtualProtect isdebuggerpresent" ); + return 1; + } + + // Corrupt the hook. + memset(fp, 0xcc, 32); + + fp = GetProcAddress(GetModuleHandle(_T("kernel32")), "CopyFileA"); + if ( fp == NULL ) + { + fprintf( stderr, "Error getprocaddress CopyFileA" ); + return 1; + } + + if ( VirtualProtect(fp, 0x1000, PAGE_EXECUTE_READWRITE, &old_protect) == 0 ) + { + fprintf( stderr, "Error VirtualProtect CopyFileA" ); + return 1; + } + + // Restore the hook. + memcpy(fp, "\x8b\xff\x55\x8b\xec", 5); + + Sleep(10000); + + return 0; +} diff --git a/tests/general/wininet.c b/tests/general/wininet.c new file mode 100644 index 0000000..6bfacbf --- /dev/null +++ b/tests/general/wininet.c 
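Review bot: Both `VirtualProtect` calls turn a page of kernel32 code into PAGE_EXECUTE_READWRITE and the saved `old_protect` is never put back, so the process keeps writable+executable code pages for the remaining `Sleep(10000)`; after each patch add `VirtualProtect(fp, 0x1000, old_protect, &old_protect);`. The comment `// Restore the hook.` is misleading: the bytes written (`8b ff 55 8b ec`) are the standard 32-bit `mov edi,edi; push ebp; mov ebp,esp` function prologue, i.e. this overwrites whatever the monitor placed at CopyFileA's entry with the original entry and thereby removes the hook, which is what the file name says. Suggest `// Overwrite the hook with the original x86 prologue bytes (removes the hook; 32-bit only).` — on x64, or on a build where CopyFileA does not start with that prologue, this write presumably corrupts the function instead.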
@@ -0,0 +1,59 @@ +/* +Cuckoo Sandbox - Automated Malware Analysis +Copyright (C) 2010-2014 Cuckoo Sandbox Developers + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + + +#include +#include +#include + +int print_url_contents(const char *url) +{ + HINTERNET internet_handle, request_handle; + char buffer[1024]; + unsigned long bytes_read; + + internet_handle = InternetOpen(NULL, INTERNET_OPEN_TYPE_DIRECT, NULL, + NULL, 0); + if(internet_handle == NULL) + { + fprintf( stderr, "Error InternetOpen" ); + return 1; + } + + request_handle = InternetOpenUrlA(internet_handle, url, NULL, 0, 0, 0); + if(request_handle == NULL) { + fprintf( stderr, "Error InternetOpenUrlA" ); + InternetCloseHandle(internet_handle); + return 1; + } + + while (InternetReadFile(request_handle, buffer, sizeof(buffer), + &bytes_read) != FALSE && bytes_read != 0) { + fwrite(buffer, bytes_read, 1, stderr); + } + + InternetCloseHandle(internet_handle); + InternetCloseHandle(request_handle); + + return 0; +} + +int main( void ) +{ + return print_url_contents("http://jbremer.org/"); +} diff --git a/tests/general/write-file.c b/tests/general/write-file.c new file mode 100644 index 0000000..fbaf0a9 --- /dev/null +++ b/tests/general/write-file.c 
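Review bot: `InternetCloseHandle(internet_handle)` is called before `InternetCloseHandle(request_handle)`, but the request handle was derived from the session handle, and WinINet handles presumably become invalid once their parent is closed, so the second call acts on a dead handle. Close in reverse order of creation: `InternetCloseHandle(request_handle); InternetCloseHandle(internet_handle);`. `InternetReadFile` returning FALSE is treated the same as end of data and the `fwrite` to stderr is unchecked — acceptable for a test, but a comment such as `// a read error ends the loop silently; only the bytes received so far are echoed` would make that intentional rather than accidental.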
@@ -0,0 +1,60 @@ +/* +Cuckoo Sandbox - Automated Malware Analysis +Copyright (C) 2010-2014 Cuckoo Sandbox Developers + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +#include +#include + +int main( void ) +{ + const char *fnames[] = { + "C:\\a.txt", + "C:\\b.txt", + "C:\\c.txt", + "C:\\d.txt", + "C:\\e.txt", + }; + + FILE *fp[5]; + for (int i = 0; i < 5; i++) { + fp[i] = fopen(fnames[i], "w"); + if ( fp[i] == NULL ) + { + fprintf( stderr, "Error fopen" ); + return 1; + } + + } + + for (int i = 0; i < 20; i++) { + if ( fprintf(fp[rand() % 5], "Hello %d\n", i) < 0 ) + { + fprintf( stderr, "Error fprintf" ); + return 1; + } + } + + for (int i = 0; i < 20; i++) { + int idx = rand() % 5; + if(fp[idx] != NULL) { + fclose(fp[idx]); + fp[idx] = NULL; + } + } + + return 0; +} diff --git a/tests/lookup.c b/tests/lookup.c deleted file mode 100644 index cbd43e9..0000000 --- a/tests/lookup.c +++ /dev/null 
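Review bot: The five files are created at the root of `C:\`, which on Vista and later typically requires an elevated process, so `fopen` fails and the test exits 1 when the analysis user is a standard user; creating them in the current directory or under `GetTempPath` removes that dependency. On the early `return 1` inside the first loop the files already opened are left open, and any `fp[i]` that the random close loop did not pick is also never closed; a final pass `for (int i = 0; i < 5; i++) if (fp[i] != NULL) fclose(fp[i]);` before `return 0` fixes the latter. (The old `FILE *fp[3]` with five writes is fixed by this commit; no change needed there.)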
@@ -1,31 +0,0 @@ -#include -#include -#include "lookup.h" - -typedef struct _entry_t { - struct _entry_t *next; - unsigned int id; - unsigned int size; - unsigned char data[0]; -} entry_t; - -int main() -{ - lookup_t a; - - lookup_init(&a); - strcpy((char *) lookup_add(&a, 1, 10), "abc"); - strcpy((char *) lookup_add(&a, 2, 20), "def"); - lookup_del(&a, 1); - strcpy((char *) lookup_add(&a, 3, 30), "ghi"); - strcpy((char *) lookup_add(&a, 4, 40), "jkl"); - lookup_del(&a, 4); - - for (int i = 0; i < 5; i++) { - printf("%d -> %p\n", i, lookup_get(&a, i, NULL)); - } - - for (entry_t *p = a.root; p != NULL; p = p->next) { - printf("%p %d %d\n", p, p->id, p->size); - } -} diff --git a/tests/migrate-process.c b/tests/migrate-process.c deleted file mode 100644 index 9734fe4..0000000 --- a/tests/migrate-process.c +++ /dev/null @@ -1,8 +0,0 @@ -#include -#include - -int main() -{ - // process identifier of explorer.exe on my VM - CloseHandle(OpenProcess(PROCESS_ALL_ACCESS, FALSE, 468)); -} diff --git a/tests/mitigate-process.c b/tests/mitigate-process.c deleted file mode 100644 index 5336c06..0000000 --- a/tests/mitigate-process.c +++ /dev/null @@ -1,32 +0,0 @@ -#include -#include - -/* multiple ways to inject into another process */ - -int main(int argc, char *argv[]) -{ - if(argc == 2) { - printf("Child process %s.. exiting..\n", argv[1]); - ExitProcess(0); - } - - char buf[256]; - - // WinExec - sprintf(buf, "\"%s\" a", argv[0]); - WinExec(buf, SW_SHOW); - - // ShellExecute - ShellExecute(NULL, NULL, argv[0], "b", NULL, SW_SHOW); - - // CreateProcess - sprintf(buf, "\"%s\" c", argv[0]); - STARTUPINFO si = {sizeof(si)}; PROCESS_INFORMATION pi = {}; - CreateProcess(NULL, buf, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi); - - // system - sprintf(buf, "\"%s\" d", argv[0]); - system(buf); - - return 0; -} diff --git a/tests/open-protected-pid.c b/tests/open-protected-pid.c deleted file mode 100644 index 25f4115..0000000 --- a/tests/open-protected-pid.c +++ /dev/null 
@@ -1,10 +0,0 @@ -#include -#include - -int main() -{ - // this is the process identifier of agent.py on my VM - HANDLE process_handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 1576); - printf("process-handle: %p -> %d\n", process_handle, GetLastError()); - return 0; -} diff --git a/tests/others/Makefile b/tests/others/Makefile new file mode 100644 index 0000000..debec19 --- /dev/null +++ b/tests/others/Makefile @@ -0,0 +1,27 @@ +MAKEFLAGS = -j8 +CFLAGS = -Wall -std=c99 -s -O2 +LIBS = -ldnsapi -lws2_32 -lwininet -lshlwapi +CAPSTONELIB = ../../capstone/capstone.lib + +ifneq ($(OS),Windows_NT) + CC = i686-w64-mingw32-gcc +else + CC = gcc +endif + +TESTS = $(wildcard *.c) +TESTSEXE = $(TESTS:.c=.exe) + +# please build all the object files using the main Makefile (in the parent +# directory) +CUCKOOOBJ := $(wildcard ../../objects/*.o) +CUCKOOOBJ += $(wildcard ../../objects/bson/*.o) +CUCKOOOBJ += $(wildcard ../../capstone/*.o) + +all: $(TESTSEXE) + +%.exe: %.c $(CUCKOOOBJ) $(CAPSTONELIB) + $(CC) $(CFLAGS) -I../.. -I../../capstone -I../../capstone/arch/X86/ -o $@ $^ $(LIBS) + +clean: + rm -f $(TESTSEXE) diff --git a/tests/others/crash.c b/tests/others/crash.c new file mode 100644 index 0000000..fe97f67 --- /dev/null +++ b/tests/others/crash.c 
@@ -0,0 +1,27 @@
+/*
+Cuckoo Sandbox - Automated Malware Analysis
+Copyright (C) 2010-2014 Cuckoo Sandbox Developers
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see .
+*/
+
+#include
+
+int main(void)
+{
+ char *p = NULL;
+ *p = 0;
+
+ return 0;
+}
diff --git a/tests/sleep.c b/tests/sleep.c
deleted file mode 100644
index 3e5066e..0000000
--- a/tests/sleep.c
+++ /dev/null
@@ -1,30 +0,0 @@
-#include
-#include
-
-DWORD WINAPI thread(LPVOID lpNothing)
-{
- return 0;
-}
-
-int main()
-{
- LoadLibrary("../cuckoomon.dll");
-
- // sleep for five seconds (skipped)
- for (int i = 0; i < 100; i++) {
- Sleep(50);
-
- printf("tick: %ld\n", GetTickCount());
- }
-
- // sleep for 10 seconds (skipped)
- Sleep(10000);
-
- printf("tick: %ld\n", GetTickCount());
-
- printf("starting second thread\n");
- CloseHandle(CreateThread(NULL, 0, &thread, NULL, 0, NULL));
-
- // sleep for 5 seconds (not skipped)
- Sleep(5000);
-}
diff --git a/tests/sleep2.c b/tests/sleep2.c
deleted file mode 100644
index 605941b..0000000
--- a/tests/sleep2.c
+++ /dev/null
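Review bot: `char *p = NULL; *p = 0;` is undefined behaviour rather than a guaranteed access violation; with the `-O2` in the tests/others Makefile GCC may replace the store through a known-null pointer with a trap instruction, so the exception the monitor sees can be an illegal-instruction fault instead of the access violation this test presumably wants to produce. Make the pointer `volatile` so the store is emitted as written: `char *volatile p = NULL; *p = 0;`. A one-line comment stating the intent, `// deliberately crash with an access violation to exercise exception handling`, would also stop a future reader from "fixing" it.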
@@ -1,24 +0,0 @@ -#include -#include - -int main() -{ - LoadLibrary("../cuckoomon.dll"); - - unsigned int start = GetTickCount(); - printf("%d\n", start); - - Sleep(1000); - - printf("%d -> %d\n", GetTickCount(), GetTickCount() - start); - - for (int i = 0; i < 10; i++) { - for (int j = 0; j < 0xfffffff; j++); - } - - printf("%d -> %d\n", GetTickCount(), GetTickCount() - start); - - Sleep(1000); - - printf("%d -> %d\n", GetTickCount(), GetTickCount() - start); -} diff --git a/tests/startup-time.c b/tests/startup-time.c deleted file mode 100644 index abf33c3..0000000 --- a/tests/startup-time.c +++ /dev/null @@ -1,16 +0,0 @@ -#include -#include -#include - -// Idea originally taken from the following article -// http://spth.virii.lu/v4/articles/m0sa/evade.html - -int main() -{ - if(GetTickCount() < 10 * 60 * 1000) { - printf("Running under a VM!\n"); - } - else { - printf("This computer is ok! Uptime: %d\n", GetTickCount()); - } -} diff --git a/tests/suspended-process.c b/tests/suspended-process.c deleted file mode 100644 index c4b883a..0000000 --- a/tests/suspended-process.c +++ /dev/null @@ -1,30 +0,0 @@ -#include -#include - -int main(int argc, char *argv[]) -{ - if(argc != 1) { - printf("arg: %s\n", argv[1]); - fflush(stdout); - return 1337; - } - - STARTUPINFO si = {sizeof(si)}; PROCESS_INFORMATION pi; char buf[256]; - - sprintf(buf, "\"%s\" a", argv[0]); - - BOOL ret = CreateProcess(argv[0], buf, NULL, NULL, FALSE, - CREATE_SUSPENDED, NULL, NULL, &si, &pi); - - printf("ret: %d\n", ret); - fflush(stdout); - - ResumeThread(pi.hThread); - WaitForSingleObject(pi.hThread, INFINITE); - WaitForSingleObject(pi.hProcess, INFINITE); - - DWORD exit_code; - GetExitCodeProcess(pi.hProcess, &exit_code); - printf("ret: %d\n", exit_code); - fflush(stdout); -} diff --git a/tests/test-dns.c b/tests/test-dns.c deleted file mode 100644 index 58783cf..0000000 --- a/tests/test-dns.c +++ /dev/null 
@@ -1,19 +0,0 @@
-#define _WIN32_WINNT 0x0501
-#include
-#include
-#include
-#include
-
-int main()
-{
- LoadLibrary("../cuckoomon.dll");
-
- printf("DnsQuery -> %d\n", DnsQuery("jbremer.org", DNS_TYPE_A,
- DNS_QUERY_STANDARD, NULL, NULL, NULL));
-
- struct addrinfo *info = NULL;
- printf("getaddrinfo -> %d\n", getaddrinfo("jbremer.org", NULL, NULL,
- &info));
-
- printf("gethostbyname -> %p\n", gethostbyname("jbremer.org"));
-}
diff --git a/tests/test-lde.c b/tests/test-lde.c
deleted file mode 100644
index 48bc1d0..0000000
--- a/tests/test-lde.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include
-#include "../hooking.h"
-
-int main()
-{
- unsigned char b[][8] = {
- {0x55},
- {0x89, 0xe5},
- {0x83, 0xec, 0x18},
- };
-
- for (int i = 0; i < sizeof(b)/sizeof(b[0]); i++) {
- printf("%d\n", lde(b[i]));
- }
-}
diff --git a/tests/wininet.c b/tests/wininet.c
deleted file mode 100644
index 754c611..0000000
--- a/tests/wininet.c
+++ /dev/null
@@ -1,33 +0,0 @@
-#include
-#include
-#include
-
-int print_url_contents(const char *url)
-{
- HINTERNET internet_handle, request_handle;
- char buffer[1024]; unsigned long bytes_read;
-
- internet_handle = InternetOpen(NULL, INTERNET_OPEN_TYPE_DIRECT, NULL,
- NULL, 0);
- if(internet_handle == NULL) return FALSE;
-
- request_handle = InternetOpenUrl(internet_handle, url, NULL, 0, 0, 0);
- if(request_handle == NULL) {
- InternetCloseHandle(internet_handle);
- return FALSE;
- }
-
- while (InternetReadFile(request_handle, buffer, sizeof(buffer),
- &bytes_read) != FALSE && bytes_read != 0) {
- fwrite(buffer, bytes_read, 1, stderr);
- }
-
- InternetCloseHandle(internet_handle);
- InternetCloseHandle(request_handle);
- return TRUE;
-}
-
-int main()
-{
- print_url_contents("http://jbremer.org/");
-}
diff --git a/tests/write-file.c b/tests/write-file.c
deleted file mode 100644
index 9c7d279..0000000
--- a/tests/write-file.c
+++ /dev/null
@@ -1,30 +0,0 @@
-#include
-#include
-
-int main()
-{
- const char *fnames[] = {
- "C:\\a.txt",
- "C:\\b.txt",
- "C:\\c.txt",
- "C:\\d.txt",
- "C:\\e.txt",
- };
-
- FILE *fp[3];
- for (int i = 0; i < 5; i++) {
- fp[i] = fopen(fnames[i], "w");
- }
-
- for (int i = 0; i < 20; i++) {
- fprintf(fp[rand() % 5], "Hello %d\n", i);
- }
-
- for (int i = 0; i < 20; i++) {
- int idx = rand() % 5;
- if(fp[idx] != NULL) {
- fclose(fp[idx]);
- fp[idx] = NULL;
- }
- }
-}
