/*
Cuckoo Sandbox - Automated Malware Analysis
Copyright (C) 2010-2014 Cuckoo Sandbox Developers
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/* Function-pointer type for ntdll's NtQuerySystemInformation.
 * The function-pointer typedefs in this header match native (ntdll/advapi32/ole32)
 * exports so they can be called through pointers filled in at run time — presumably
 * by resolve_runtime_apis() declared further down; confirm in its definition. */
typedef NTSTATUS(WINAPI *_NtQuerySystemInformation)(
	_In_ ULONG SystemInformationClass,
	_Inout_ PVOID SystemInformation,
	_In_ ULONG SystemInformationLength,
	_Out_opt_ PULONG ReturnLength); // bytes needed/written; may be NULL
/* Function-pointer type for ntdll's NtQueryInformationProcess.
 * Declared as returning LONG (NTSTATUS is a LONG), unlike the NTSTATUS spelling used
 * by the neighbouring typedefs — same ABI, just an inconsistent style. */
typedef LONG(WINAPI *_NtQueryInformationProcess)(HANDLE ProcessHandle,
	ULONG ProcessInformationClass, PVOID ProcessInformation,
	ULONG ProcessInformationLength, PULONG ReturnLength);
/* Function-pointer type for ntdll's NtSetInformationProcess (no ReturnLength:
 * this is the setter counterpart of NtQueryInformationProcess). */
typedef LONG(WINAPI *_NtSetInformationProcess)(HANDLE ProcessHandle,
	ULONG ProcessInformationClass, PVOID ProcessInformation,
	ULONG ProcessInformationLength);
/* Function-pointer type for ntdll's NtQueryInformationThread. */
typedef LONG(WINAPI *_NtQueryInformationThread)(HANDLE ThreadHandle,
	ULONG ThreadInformationClass, PVOID ThreadInformation,
	ULONG ThreadInformationLength, PULONG ReturnLength);
/* Function-pointer type for RtlGenRandom (exported by advapi32 as SystemFunction036).
 * Fills RandomBuffer with RandomBufferLength bytes from the system CSPRNG and
 * returns TRUE on success; the return value should be checked before the
 * buffer is used as randomness. */
typedef BOOLEAN(WINAPI *_RtlGenRandom)(PVOID RandomBuffer,
	ULONG RandomBufferLength);
/* Function-pointer type for ntdll's NtQueryAttributesFile: looks up basic file
 * information (FILE_BASIC_INFORMATION) by name, without opening a handle. */
typedef NTSTATUS(WINAPI *_NtQueryAttributesFile)(
	_In_ const OBJECT_ATTRIBUTES *ObjectAttributes,
	_Out_ PFILE_BASIC_INFORMATION FileInformation);
/* Function-pointer type for ntdll's NtQueryObject. */
typedef NTSTATUS(WINAPI *_NtQueryObject)(
	_In_opt_ HANDLE Handle,
	_In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
	_Out_opt_ PVOID ObjectInformation,
	_In_ ULONG ObjectInformationLength,
	_Out_opt_ PULONG ReturnLength); // size required when the buffer is too small
/* Function-pointer type for ntdll's NtQueryKey.
 * KeyInformationClass is declared as int here; the native prototype uses the
 * KEY_INFORMATION_CLASS enum, which is int-sized on the Windows ABI. */
typedef NTSTATUS(WINAPI *_NtQueryKey)(
	HANDLE KeyHandle,
	int KeyInformationClass,
	PVOID KeyInformation,
	ULONG Length,
	PULONG ResultLength);
/* Function-pointer type for ntdll's NtDelayExecution (the native Sleep primitive).
 * Interval is in 100-ns units: negative values are relative delays, positive
 * values are absolute times. */
typedef NTSTATUS(WINAPI *_NtDelayExecution)(
	BOOLEAN Alertable,
	PLARGE_INTEGER Interval);
/* Function-pointer type for ntdll's NtUnmapViewOfSection. */
typedef NTSTATUS(WINAPI *_NtUnmapViewOfSection)(
	HANDLE ProcessHandle,
	PVOID BaseAddress);
/* Function-pointer type for ntdll's NtMapViewOfSection.
 * Style note: this typedef mixes the `_In_` and legacy `__in`/`__inout` SAL
 * spellings; the rest of the header uses the `_In_` form. */
typedef NTSTATUS(WINAPI *_NtMapViewOfSection)(
	_In_ HANDLE SectionHandle,
	_In_ HANDLE ProcessHandle,
	__inout PVOID *BaseAddress,      // in: preferred base or NULL; out: actual base
	_In_ ULONG_PTR ZeroBits,
	_In_ SIZE_T CommitSize,
	__inout PLARGE_INTEGER SectionOffset,
	__inout PSIZE_T ViewSize,        // in: requested size (0 = whole section); out: mapped size
	__in UINT InheritDisposition,
	__in ULONG AllocationType,
	__in ULONG Win32Protect);
/* Function-pointer type for ntdll's RtlAdjustPrivilege (undocumented export).
 * Privilege is the SE_*_PRIVILEGE constant; Enabled receives the previous state. */
typedef NTSTATUS(WINAPI *_RtlAdjustPrivilege)(
	ULONG Privilege,
	BOOLEAN Enable,
	BOOLEAN CurrentThread, // adjust the thread token instead of the process token
	PBOOLEAN Enabled);
/* Function-pointer type for ntdll's RtlEqualUnicodeString.
 * NOTE(review): the documented prototype returns BOOLEAN, not NTSTATUS; callers
 * should treat the result only as zero/non-zero and never compare it against
 * STATUS_* codes — confirm the call sites. */
typedef NTSTATUS(WINAPI *_RtlEqualUnicodeString)(
	const PUNICODE_STRING String1,
	const PUNICODE_STRING String2,
	BOOLEAN CaseInSensitive);
/* Function-pointer type for ntdll's RtlInitUnicodeString.
 * Points DestinationString->Buffer at SourceString (no copy is made), so
 * SourceString must outlive the UNICODE_STRING. */
typedef VOID (WINAPI *_RtlInitUnicodeString)(
	PUNICODE_STRING DestinationString,
	PCWSTR SourceString);
/* Payload passed to an LdrRegisterDllNotification callback when a DLL is loaded.
 * Mirrors the structure documented for LdrRegisterDllNotification; note that
 * `const PUNICODE_STRING` is a const pointer, not a pointer to const data
 * (the documented type is PCUNICODE_STRING). */
typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA {
	ULONG Flags;
	const PUNICODE_STRING FullDllName; // full path of the loaded image
	const PUNICODE_STRING BaseDllName; // file name only
	PVOID DllBase;
	ULONG SizeOfImage;
} LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA;
/* Payload passed to an LdrRegisterDllNotification callback when a DLL is unloaded.
 * Same layout as the loaded variant. */
typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA {
	ULONG Flags;
	const PUNICODE_STRING FullDllName;
	const PUNICODE_STRING BaseDllName;
	PVOID DllBase;
	ULONG SizeOfImage;
} LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA;
/* Union handed to the notification callback; which member is valid is selected
 * by the callback's NotificationReason argument. */
typedef union _LDR_DLL_NOTIFICATION_DATA {
	LDR_DLL_LOADED_NOTIFICATION_DATA Loaded;
	LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded;
} LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA;
/* Callback signature for loader DLL-load/unload notifications.
 * Context is the opaque pointer supplied at registration time. */
typedef VOID (CALLBACK *PLDR_DLL_NOTIFICATION_FUNCTION)(
	_In_ ULONG NotificationReason,
	_In_ const PLDR_DLL_NOTIFICATION_DATA NotificationData,
	_In_opt_ PVOID Context
);
/* Function-pointer type for ntdll's LdrRegisterDllNotification.
 * Cookie receives an opaque handle identifying the registration. */
typedef NTSTATUS(WINAPI *_LdrRegisterDllNotification)(
	_In_ ULONG Flags,
	_In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction,
	_In_opt_ PVOID Context,
	_Out_ PVOID *Cookie
);
/* Function-pointer type for ntdll's RtlNtStatusToDosError: maps an NTSTATUS to
 * a Win32 error code. */
typedef ULONG(WINAPI *_RtlNtStatusToDosError)(
	NTSTATUS Status
);
/* Function-pointer type for ole32's CoTaskMemFree (pairs with ProgIDFromCLSID below). */
typedef void (WINAPI *_CoTaskMemFree)(LPVOID pv);
/* Function-pointer type for ole32's ProgIDFromCLSID.
 * On success *lplpszProgID is allocated by COM and must be released with
 * CoTaskMemFree. */
typedef HRESULT (WINAPI *_ProgIDFromCLSID)(
	_In_ REFCLSID clsid,
	_Out_ LPOLESTR *lplpszProgID
);
/* Function-pointer type for ntdll's RtlCompareMemory: returns the number of
 * leading bytes that match (Length when the blocks are equal). */
typedef SIZE_T (WINAPI *_RtlCompareMemory)(
	_In_ const VOID* Source1,
	_In_ const VOID* Source2,
	_In_ SIZE_T Length
);
/* Information class for NtQueryEvent; only the basic class is defined here. */
typedef enum _EVENT_INFORMATION_CLASS {
	EventBasicInformation
} EVENT_INFORMATION_CLASS;
/* Kind of event object, as reported in EVENT_BASIC_INFORMATION.EventType. */
typedef enum _EVENT_TYPE {
	NotificationEvent, // manual-reset event
	SynchronizationEvent // auto-reset event
} EVENT_TYPE;
/* Output buffer for NtQueryEvent(EventBasicInformation). */
typedef struct _EVENT_BASIC_INFORMATION {
	EVENT_TYPE EventType;
	LONG EventState; // non-zero when the event is signaled
} EVENT_BASIC_INFORMATION, * PEVENT_BASIC_INFORMATION;
/* Function-pointer type for ntdll's NtQueryEvent.
 * Style note: uses NTAPI where the other typedefs use WINAPI (same calling
 * convention on x86/x64). */
typedef NTSTATUS(NTAPI* _NtQueryEvent)(
	_In_ HANDLE EventHandle,
	_In_ EVENT_INFORMATION_CLASS EventInformationClass,
	_Out_writes_bytes_(EventInformationLength) PVOID EventInformation,
	_In_ ULONG EventInformationLength,
	_Out_opt_ PULONG ReturnLength
);
/* Partial MEMORY_INFORMATION_CLASS for NtQueryVirtualMemory; the explicit values
 * match ntdll's numbering, which is why MemorySectionName is 2 and not 1. */
typedef enum {
	MemoryBasicInformation = 0, // MEMORY_BASIC_INFORMATION
	MemorySectionName = 2,      // UNICODE_STRING naming the backing section/file
} MEMORY_INFORMATION_CLASS;
/* Function-pointer type for ntdll's NtQueryVirtualMemory. */
typedef NTSTATUS(WINAPI* _NtQueryVirtualMemory)(
	_In_ HANDLE ProcessHandle,
	_In_ PVOID BaseAddress,
	_In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
	_Out_ PVOID Buffer,
	_In_ SIZE_T Length,        // size of Buffer in bytes
	_Out_opt_ PSIZE_T ResultLength
);
/* Run-time resolved native API pointers (presumably filled in by
 * resolve_runtime_apis() below — confirm in its definition).
 * NOTE(review): these are tentative definitions, not `extern` declarations, so
 * every translation unit that includes this header defines the same symbols;
 * depending on the toolchain this relies on common-symbol merging or produces
 * duplicate-symbol link errors. `extern` here plus one definition in a .c file
 * would be the portable form.
 * The _NtAllocateVirtualMemory / _NtProtectVirtualMemory / _NtFreeVirtualMemory
 * typedefs are not in this file; they presumably come from an earlier include. */
_NtSetInformationProcess pNtSetInformationProcess;
_NtMapViewOfSection pNtMapViewOfSection;
_NtUnmapViewOfSection pNtUnmapViewOfSection;
_NtAllocateVirtualMemory pNtAllocateVirtualMemory;
_NtProtectVirtualMemory pNtProtectVirtualMemory;
_NtFreeVirtualMemory pNtFreeVirtualMemory;
_LdrRegisterDllNotification pLdrRegisterDllNotification;
_RtlNtStatusToDosError pRtlNtStatusToDosError;
_RtlAdjustPrivilege pRtlAdjustPrivilege;
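/* Run-time API resolution, process/thread identity and path helpers.
 * Functions that take no arguments are declared with an explicit `(void)`
 * parameter list: an empty `()` list is an old-style declaration that tells
 * the compiler nothing about the arguments and disables call-site checking. */
void resolve_runtime_apis(void);
DWORD parent_process_id(void); // By Napalm @ NetCore2K (rohitab.com)
DWORD pid_from_process_handle(HANDLE process_handle);
DWORD pid_from_thread_handle(HANDLE thread_handle);
DWORD tid_from_thread_handle(HANDLE thread_handle);
DWORD random(void);
void raw_sleep(int msecs);
DWORD randint(DWORD min, DWORD max);
BOOL is_directory_objattr(const OBJECT_ATTRIBUTES *obj);
BOOL file_exists(const OBJECT_ATTRIBUTES *obj);
UNICODE_STRING* get_module_name(ULONG_PTR addr);
void hide_module_from_peb(HMODULE module_handle);
int path_is_system(const wchar_t *path_w);
int path_is_program_files(const wchar_t *path_w);
BOOLEAN parent_has_path(char* path);
BOOLEAN can_open_parent(void);
/* The unit of path_buffer_len / buffer_length (wchar_t elements vs. bytes) is not
 * stated here — confirm against the definitions before sizing buffers. */
uint32_t path_from_handle(HANDLE handle, wchar_t *path, uint32_t path_buffer_len);
uint32_t path_from_object_attributes(const OBJECT_ATTRIBUTES *obj, wchar_t *path, uint32_t buffer_length);
/* NOTE(review): no buffer length is passed for `path`; confirm the definition
 * bounds its writes (e.g. to MAX_PATH_PLUS_TOLERANCE elements). */
BOOL is_path_from_object_attributes(const OBJECT_ATTRIBUTES *obj, wchar_t *path);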
/* Cached HKEY_CURRENT_USER key prefix; hkcu_init() below presumably fills it in.
 * NOTE(review): this is a definition of a global in a header (and the struct is
 * anonymous, so it cannot be re-declared `extern` elsewhere). Including the
 * header from several translation units defines g_hkcu several times; a named
 * struct with `extern struct hkcu_info g_hkcu;` here and one definition in a .c
 * file would be the portable form. */
struct {
	wchar_t *hkcu_string;
	unsigned int len; // length of hkcu_string (unit not stated here — confirm)
} g_hkcu;
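/* Path and registry-key normalisation helpers.
 * is_shutting_down() is declared with an explicit `(void)` list so call sites
 * are argument-checked (an empty `()` list is an old-style declaration). */
void hkcu_init(void);
/* `out` is written to and returned; the caller supplies the buffer (its required
 * size is not stated here — confirm against the definitions). */
char *ensure_absolute_ascii_path(char *out, const char *in);
wchar_t *ensure_absolute_unicode_path(wchar_t *out, const wchar_t *in);
/* `keybuf`/`len` is the caller-provided KEY_NAME_INFORMATION scratch buffer; the
 * returned pointer presumably points into it. */
wchar_t *get_key_path(POBJECT_ATTRIBUTES ObjectAttributes, PKEY_NAME_INFORMATION keybuf, unsigned int len);
wchar_t *get_full_key_pathA(HKEY registry, const char *in, PKEY_NAME_INFORMATION keybuf, unsigned int len);
wchar_t *get_full_key_pathW(HKEY registry, const wchar_t *in, PKEY_NAME_INFORMATION keybuf, unsigned int len);
wchar_t *get_full_keyvalue_pathA(HKEY registry, const char *in, PKEY_NAME_INFORMATION keybuf, unsigned int len);
wchar_t *get_full_keyvalue_pathW(HKEY registry, const wchar_t *in, PKEY_NAME_INFORMATION keybuf, unsigned int len);
wchar_t *get_full_keyvalue_pathUS(HKEY registry, const PUNICODE_STRING in, PKEY_NAME_INFORMATION keybuf, unsigned int len);
int is_shutting_down(void);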
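// Define MAX_PATH plus tolerance for windows "tolerance"
// Parenthesised so the macro is safe inside larger expressions: without the
// parentheses `2 * MAX_PATH_PLUS_TOLERANCE` expands to `2 * MAX_PATH + 64`
// and under-sizes a buffer.
#define MAX_PATH_PLUS_TOLERANCE (MAX_PATH + 64)
// Byte size of a registry key-name scratch buffer (element count times sizeof(WCHAR)).
#define MAX_KEY_BUFLEN ((16384 + 256) * sizeof(WCHAR))
// Room for a dotted-quad IPv4 string including the terminator ("255.255.255.255").
#ifndef INET_ADDRSTRLEN
#define INET_ADDRSTRLEN 16
#endif
#define CRLF "\r\n"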
/* Address range [start, end) occupied by one loaded DLL; used by the
 * add_dll_range()/is_in_dll_range() helpers below. Whether `end` is inclusive
 * or exclusive is not stated here — confirm against is_in_dll_range(). */
struct dll_range {
	ULONG_PTR start;
	ULONG_PTR end;
};
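/* Upper bound on tracked dll_range entries. */
#define MAX_DLLS 500
DWORD get_pid_by_tid(DWORD tid);
DWORD our_getprocessid(HANDLE Process);
BOOL is_in_dll_range(ULONG_PTR addr);
void add_all_dlls_to_dll_ranges(void);
void add_dll_range(ULONG_PTR start, ULONG_PTR end);
/* On a match, *matchlen receives the length of the matched prefix (unit not
 * stated here — confirm). */
wchar_t *get_matching_unicode_specialname(const wchar_t *path, unsigned int *matchlen);
void specialname_map_init(void);
char *convert_address_to_dll_name_and_offset(ULONG_PTR addr, unsigned int *offset);
int is_wow64_fs_redirection_disabled(void);
void set_dll_of_interest(ULONG_PTR BaseAddress);
PCHAR get_exe_basename(PCHAR ModulePath);
PWCHAR get_dll_basename(PWCHAR ModulePath);
void register_dll_notification_manually(PLDR_DLL_NOTIFICATION_FUNCTION notify);
/* Writes a textual disassembly of the instruction at `address` into `buffer`
 * (at most bufferSize bytes). */
void disassemble(PVOID address, char* buffer, size_t bufferSize);
extern char *our_process_path;
extern wchar_t *our_process_path_w;
extern wchar_t *our_commandline;
BOOLEAN is_valid_address_range(ULONG_PTR start, DWORD len);
extern ULONG_PTR g_our_dll_base;
extern DWORD g_our_dll_size;
BOOLEAN is_address_in_monitor(ULONG_PTR address);
BOOLEAN is_address_in_ntdll(ULONG_PTR address);
BOOLEAN is_address_in_win32u(ULONG_PTR address);
BOOLEAN is_address_in_user32(ULONG_PTR address);
BOOLEAN is_image_base_remapped(HMODULE BaseAddress);
void num_to_string(char *buf, unsigned int buflen, unsigned int num);
DWORD get_image_size(ULONG_PTR base);
ULONG_PTR get_connectex_addr(HMODULE mod);
ULONG_PTR get_jseval_addr(HMODULE mod);
ULONG_PTR get_cdocument_write_addr(HMODULE mod);
ULONG_PTR get_olescript_compile_addr(HMODULE mod);
ULONG_PTR get_olescript_parsescripttext_addr(HMODULE mod);
ULONG_PTR get_vbscript_addr(HMODULE mod, const char * function);
/* Buffer search/replace helpers. `len` bounds the search in `buf`; the replace_*
 * variants are in-place, so confirm in the definitions how a replacement longer
 * than the match is handled. The ci_ variants compare case-insensitively. */
BOOL is_bytes_in_buf(PCHAR buf, ULONG len, PCHAR memstr, ULONG memlen, ULONG maxsearchbytes);
void replace_string_in_buf(PCHAR buf, ULONG len, PCHAR findstr, PCHAR repstr);
void replace_wstring_in_buf(PWCHAR buf, ULONG len, PWCHAR findstr, PWCHAR repstr);
void replace_ci_string_in_buf(PCHAR buf, ULONG len, PCHAR findstr, PCHAR repstr);
void replace_ci_wstring_in_buf(PWCHAR buf, ULONG len, PWCHAR findstr, PWCHAR repstr);
/* Result-rewriting helpers applied to data returned to the analysed process;
 * `DataLength`/`OutputBufferLength` bound the writable region. */
void perform_ascii_registry_fakery(PWCHAR keypath, LPVOID Data, ULONG DataLength);
void perform_unicode_registry_fakery(PWCHAR keypath, LPVOID Data, ULONG DataLength);
void perform_device_fakery(PVOID OutputBuffer, ULONG OutputBufferLength, ULONG IoControlCode);
/* Case-insensitive strstr/wcsstr; return a pointer into haystack or NULL. */
char* stristr(char* haystack, const char* needle);
wchar_t* wcsistr(wchar_t* haystack, const wchar_t* needle);
/* Byte-order helpers kept local to avoid a dependency on ws2_32. */
unsigned short our_htons(unsigned short num);
unsigned int our_htonl(unsigned int num);
/* `string` must have room for INET_ADDRSTRLEN bytes — confirm against the definition. */
void addr_to_string(const IN_ADDR addr, char *string);
char *num_to_hex(char *buf, unsigned int width, ULONG_PTR num);
void uuid_to_string(IID id, char* idbuf);
PUNICODE_STRING get_basename_of_module(HMODULE module_handle);
/* Declared with an explicit `(void)` list so call sites are argument-checked
 * (an empty `()` list is an old-style declaration). */
BOOL loader_lock_held(void);
void perform_create_time_fakery(FILETIME *createtime);
/* Returns a newly allocated wide copy of `str`; ownership passes to the caller
 * (how it must be freed is not stated here — confirm). */
wchar_t *ascii_to_unicode_dup(char *str);
int is_stack_pivoted(void);
LONG WINAPI capemon_exception_handler(__in struct _EXCEPTION_POINTERS *ExceptionInfo);
BOOLEAN prevent_module_unloading(PVOID BaseAddress);
void prevent_module_reloading(PVOID *BaseAddress);
void prevent_module_unhooking(PVOID buffer, wchar_t *filename);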
/* Environment-string record. The roles of `k` and `nullval` are not stated in
 * this header — see the code that populates it before relying on them. */
struct envstruct {
	ULONG k;
	ULONG nullval;
	LPWSTR envstr; // wide environment string
};
/* Maps a Windows LANGID to a human-readable language name; the returned string
 * is const, so callers must not modify or free it. */
const char* GetLanguageName(LANGID langID);
/* Local equivalent of INET_ADDRSTRLEN for code that must not depend on winsock headers. */
#define OUR_INET_ADDRSTRLEN 16
/* Local mirror of sockaddr_in (16 bytes) used to decode AFD ioctl buffers without
 * pulling in winsock headers. Port and address are in network byte order.
 * `unsigned long` is 32 bits on Windows (LLP64), which is what makes the layout
 * match; this struct is not portable to LP64 platforms. */
typedef struct _in_sockaddr {
	short sin_family; // e.g. AF_INET
	unsigned short sin_port; // e.g. htons(3490)
	unsigned long sin_addr; // see struct in_addr, below
	char sin_zero[8]; // zero this if you want to
} in_sockaddr;
/* Input buffer layout of the AFD connect ioctl as observed by the hooks; the
 * leading three DWORDs are not interpreted here. */
typedef struct _AFD_ConnectDataStruct
{
	DWORD dwUnknown1;
	DWORD dwUnknown2;
	DWORD dwUnknown3;
	in_sockaddr SockAddr; // remote endpoint
} AFD_ConnectDataStruct;
/* Input buffer layout of the AFD bind ioctl; the leading DWORD is not interpreted here. */
typedef struct _AFD_BindDataStruct
{
	DWORD dwUnknown1;
	in_sockaddr SockAddr; // local endpoint
} AFD_BindDataStruct, * PAFD_BindDataStruct;
/* Scatter/gather buffer descriptor, same shape as winsock's WSABUF. */
typedef struct _AFD_WSABUF {
	ULONG len; // bytes in buf
	PCHAR buf;
} AFD_WSABUF, * PAFD_WSABUF;
/* Input buffer layout of the AFD receive ioctl. AfdBufferArray points to
 * AfdBufferCount AFD_WSABUF entries; both come from the analysed process and
 * should be range-checked before being dereferenced. */
typedef struct _AFD_RECV_INFO {
	PAFD_WSABUF AfdBufferArray;
	ULONG AfdBufferCount;
	ULONG AfdFlags;
	ULONG TdiFlags;
} AFD_RECV_INFO, * PAFD_RECV_INFO;
/* Input buffer layout of the AFD send ioctl; same caveat as AFD_RECV_INFO about
 * validating the caller-supplied buffer array. */
typedef struct _AFD_SEND_INFO {
	PAFD_WSABUF AfdBufferArray;
	ULONG AfdBufferCount;
	ULONG TdiFlags;
} AFD_SEND_INFO, * PAFD_SEND_INFO;
/* Local inet_ntop: formats the address at `src` (family `af`) into `dst`
 * (`size` bytes) and returns `dst`, avoiding a ws2_32 dependency. */
const char* our_inet_ntop(int af, const void* src, char* dst, size_t size);
unsigned short our_ntohs(unsigned short netshort);
/* dwTimeout is in the same units as the wait it wraps (presumably milliseconds — confirm). */
DWORD wait_for_event_to_be_signaled(HANDLE hEvent, DWORD dwTimeout);
/* Probes whether [addr, addr+len) is readable. NOTE(review): readability probes
 * are inherently racy against concurrent unmapping/protection changes, so the
 * subsequent access should still be guarded — confirm how callers use it. */
BOOLEAN our_isbadreadptr(const void* addr, ULONG len);
/* Handle type used by cmd.exe's redirection records below. */
typedef HANDLE CRTHANDLE;
/*
* Structure defs for FindFixAndSave hook in cmd.exe
* From https://github.com/KingKDot/Exorcism/blob/54a44302469160aa7b93f4b72e93206d06a786ac/cmdtest/cmdtest/dllmain.cpp#L70
*/
/* Saved string pointers of cmd.exe's FOR processor; layout mirrors cmd.exe's
 * internals as documented at the URL in the comment above, so field order and
 * count must not change. */
struct savtype {
	TCHAR* saveptrs[12];
};
/* One entry of cmd.exe's I/O redirection list (layout mirrors cmd.exe internals;
 * see the URL in the comment above). Memory belongs to cmd.exe. */
struct relem {
	CRTHANDLE rdhndl; // handle to be redirected
	TCHAR* fname; // filename (or &n)
	CRTHANDLE svhndl; // where orig handle is saved
	int flag; // Append flag
	TCHAR rdop; // Type ('>' | '<')
	struct relem* nxt; // Next structure
};
/* cmd.exe parse-tree node for an operator (layout mirrors cmd.exe internals;
 * see the URL in the comment above). */
struct node { // Used for operators
	int type; // Type of operator
	struct savtype save; // FOR processor saves orig strings here
	struct relem* rio; // M022 - Linked redirection list
	struct node* lhs; // Ptr to left hand side of the operator
	struct node* rhs; // Ptr to right hand side of the operator
	INT_PTR extra[4]; // M022 - Padding now needed
};
/* cmd.exe parse-tree node for a command (layout mirrors cmd.exe internals; see
 * the URL in the comment above). The first three fields line up with struct node
 * so the two can be distinguished by `type`. */
struct cmdnode {
	int type; // Type of command
	struct savtype save; // FOR processor saves orig strings here
	struct relem* rio; // M022 - Linked redirection list
	PTCHAR cmdline; // Ptr to command line
	PTCHAR argptr; // Ptr to type of command
	int flag; // M022 - Valid for cond and goto types
	int cmdarg; // M022 - Argument to STRTYP routine
};