public void TryToApplySignature(DataGridViewSelectedRowCollection selectedRows, oFunctionList functionList)
{
DialogResult showDialog = ShowDialog();
if (showDialog == DialogResult.OK)
{
foreach (ListViewItem item in listSignatures.Items)
{
if (item.Checked)
{
EntpackSignature(item.SubItems[1].Text);
if (!BuildIndex())
{
return;
}
foreach (DataGridViewRow selectedRow in selectedRows)
{
oFunction function = functionList.getFunction(selectedRow.Index);
string functionName = GetFunctionName(function.getSignature());
if (functionName != string.Empty)
{
function.name = functionName;
}
}
}
}
}
}
public oTabExportFunction(oTabManager parent, ToolStrip toolStrip, Panel panelMain, ToolStrip mainToolStrip,
string tabTitle, oFunction function)
: base(parent, toolStrip, panelMain, mainToolStrip, tabTitle)
{
ExportFunction exportFunction = new ExportFunction(function) { Dock = DockStyle.Fill };
workingPage.Controls.Add(exportFunction);
}
public oTabExportFunction(oTabManager parent, ToolStrip toolStrip, Panel panelMain, ToolStrip mainToolStrip,
string tabTitle, oFunction function)
: base(parent, toolStrip, panelMain, mainToolStrip, tabTitle)
{
ExportFunction exportFunction = new ExportFunction(function)
{
Dock = DockStyle.Fill
};
workingPage.Controls.Add(exportFunction);
}
public callSender(oFunctionList recordedData)
{
this.recordedData = recordedData;
InitializeComponent();
if (recordedData != null)
{
// Set the call list count
this.dataGridCalls.RowCount = recordedData.getCallCount();
// Make sure only 1 function is in the function list.
if (recordedData.getCount() == 1)
{
// Set this function address
this.address = recordedData.functions[0].address;
// Set this function
this.function = recordedData.functions[0];
// Initialize the arguments data grid view control
this.dataGridArguments.Rows.Add(new string[] { "ecx", "0x0" });
this.dataGridArguments.Rows.Add(new string[] { "edx", "0x0" });
this.dataGridArguments.Rows.Add(new string[] { "eax", "0x0" });
for (int i = 0; i < recordedData.functions[0].getNumParams(); i++)
{
// Add this argument
this.dataGridArguments.Rows.Add(new string[] { "ebp+0x" + (8 + i * 4).ToString("X"), "0x0" });
}
// Load the initial arguments from the most recent function call
if (recordedData.getCallCount() > 0)
{
// Set the register inputs
this.dataGridArguments.Rows[0].Cells[1].Value = "0x" + recordedData.getData()[recordedData.getCallCount() - 1].ecx.ToString("X");
this.dataGridArguments.Rows[1].Cells[1].Value = "0x" + recordedData.getData()[recordedData.getCallCount() - 1].edx.ToString("X");
this.dataGridArguments.Rows[2].Cells[1].Value = "0x" + recordedData.getData()[recordedData.getCallCount() - 1].eax.ToString("X");
// Set the stack inputs
for (int i = 0; i < recordedData.functions[0].getNumParams(); i++)
{
// Set this argument
this.dataGridArguments.Rows[i + 3].Cells[1].Value = "0x" + recordedData.getData()[recordedData.getCallCount() - 1].arguments[i].ToString("X");
}
}
}
}
// Initialize the code text
textCallAssembly.Text = generateCode();
}
public callSender(oFunctionList recordedData)
{
this.recordedData = recordedData;
InitializeComponent();
if( recordedData != null )
{
// Set the call list count
this.dataGridCalls.RowCount = recordedData.getCallCount();
// Make sure only 1 function is in the function list.
if( recordedData.getCount() == 1 )
{
// Set this function address
this.address = recordedData.functions[0].address;
// Set this function
this.function = recordedData.functions[0];
// Initialize the arguments data grid view control
this.dataGridArguments.Rows.Add(new string[] { "ecx", "0x0" });
this.dataGridArguments.Rows.Add(new string[] { "edx", "0x0" });
this.dataGridArguments.Rows.Add(new string[] { "eax", "0x0" });
for (int i = 0; i < recordedData.functions[0].getNumParams(); i++)
{
// Add this argument
this.dataGridArguments.Rows.Add(new string[] {"ebp+0x" + (8+i*4).ToString("X"), "0x0"});
}
// Load the initial arguments from the most recent function call
if (recordedData.getCallCount() > 0)
{
// Set the register inputs
this.dataGridArguments.Rows[0].Cells[1].Value = "0x" + recordedData.getData()[recordedData.getCallCount() - 1].ecx.ToString("X");
this.dataGridArguments.Rows[1].Cells[1].Value = "0x" + recordedData.getData()[recordedData.getCallCount() - 1].edx.ToString("X");
this.dataGridArguments.Rows[2].Cells[1].Value = "0x" + recordedData.getData()[recordedData.getCallCount() - 1].eax.ToString("X");
// Set the stack inputs
for (int i = 0; i < recordedData.functions[0].getNumParams(); i++)
{
// Set this argument
this.dataGridArguments.Rows[i+3].Cells[1].Value = "0x" + recordedData.getData()[recordedData.getCallCount() - 1].arguments[i].ToString("X");
}
}
}
}
// Initialize the code text
textCallAssembly.Text = generateCode();
}
public void setData(oFunction functionBase, oSingleData measuredData)
{
this.functionBase = functionBase;
this.measuredData = measuredData;
if (functionBase == null)
{
this.Rows.Clear();
return;
}
this.argumentClasses = functionBase.getArgumentList();
// Cleanup this datagridview)
this.Rows.Clear();
// Build the combobox selection options
string[] options = Enum.GetNames(typeof(DISPLAY_TYPE));
// Fill out this datagridview based on the supplied data
ARGUMENT_STRING_COLLECTION stringData = functionBase.getArgumentString(measuredData);
DataGridViewRow[] newRows = new DataGridViewRow[argumentClasses.Count];
for (int i = 0; i < argumentClasses.Count; i++)
{
// Add this row
newRows[i] = new DataGridViewRow();
// Add the name cell
newRows[i].Cells[newRows[i].Cells.Add(new DataGridViewTextBoxCell())].Value = stringData.names[i];
// Add the type cell combobox
DataGridViewComboBoxCell comboBox = new DataGridViewComboBoxCell();
comboBox.DisplayStyle = DataGridViewComboBoxDisplayStyle.ComboBox;
comboBox.Value = Enum.GetName(typeof(DISPLAY_TYPE), argumentClasses[i].displayMethod);
comboBox.Items.AddRange(options);
newRows[i].Cells.Add(comboBox);
// Add the value cell
newRows[i].Cells[newRows[i].Cells.Add(new DataGridViewTextBoxCell())].Value = stringData.values[i];
}
// Add the new rows
this.Rows.AddRange(newRows);
}
public void setData(oFunction functionBase, oSingleData measuredData)
{
this.functionBase = functionBase;
this.measuredData = measuredData;
if (functionBase == null)
{
this.Rows.Clear();
return;
}
this.argumentClasses = functionBase.getArgumentList();
// Cleanup this datagridview)
this.Rows.Clear();
// Build the combobox selection options
string[] options = Enum.GetNames(typeof(DISPLAY_TYPE));
// Fill out this datagridview based on the supplied data
ARGUMENT_STRING_COLLECTION stringData = functionBase.getArgumentString(measuredData);
DataGridViewRow[] newRows = new DataGridViewRow[argumentClasses.Count];
for( int i = 0; i < argumentClasses.Count; i++ )
{
// Add this row
newRows[i] = new DataGridViewRow();
// Add the name cell
newRows[i].Cells[newRows[i].Cells.Add(new DataGridViewTextBoxCell())].Value = stringData.names[i];
// Add the type cell combobox
DataGridViewComboBoxCell comboBox = new DataGridViewComboBoxCell();
comboBox.DisplayStyle = DataGridViewComboBoxDisplayStyle.ComboBox;
comboBox.Value = Enum.GetName(typeof(DISPLAY_TYPE), argumentClasses[i].displayMethod);
comboBox.Items.AddRange(options);
newRows[i].Cells.Add(comboBox);
// Add the value cell
newRows[i].Cells[newRows[i].Cells.Add(new DataGridViewTextBoxCell())].Value = stringData.values[i];
}
// Add the new rows
this.Rows.AddRange(newRows);
}
/// <summary>
/// Creates a new export function tab for the specified function.
/// </summary>
/// <param name="name"></param>
/// <param name="select"></param>
/// <param name="function"></param>
public void addExportFunctionTab(string name, bool select, oFunction function)
{
// Create the new oTab class and tab page
oTabExportFunction tabExportFunction = new oTabExportFunction(this, toolStrip, panelMain, mainToolStrip, name, function);
tabs.Add(tabExportFunction);
tabController.TabPages.Add(tabExportFunction.WorkingPage);
tabExportFunction.WorkingPage.ImageIndex = tabController.ImageList.Images.IndexOfKey(@"Export.ico");
if (select)
{
// Deactivate the selected tab
if (tabController.SelectedIndex >= 0 && tabController.SelectedIndex < tabController.TabPages.Count)
{
tabs[tabController.SelectedIndex].deactivate();
}
// Select the new tab page
tabController.SelectedIndex = tabs.Count - 1;
tabs[tabs.Count - 1].activate();
}
}
public static void addCall(uint source, uint destination, oFunction.CALL_TYPE type, string name)
{
if (functions == null)
{
// Initialize
functions = new List<oFunction>(10000);
destinationToFunction = new Hashtable(20000);
}
// The source or destination cannot be in the kernel address space.
if (destination > 0x80000000 || source > 0x80000000)
return;
// Check if this function destination is a jump table call
if (type == oFunction.CALL_TYPE.FIXED_OFFSET || type == oFunction.CALL_TYPE.JUMP_TABLE_PE || type == oFunction.CALL_TYPE.CALLBACK_TABLE)
{
byte[] data = oMemoryFunctions.ReadMemory(oProcess.activeProcess, destination, 2);
// Codes: E9 jump, EB short jump, FF 25 jump off fixed offset
if (data.Length == 2 && (data[0] == 0xE9 || (data[0] == 0xFF && data[1] == 0x25)))
{
// This is a jump table call, we need to extract the actual call destination
if (data[0] == 0xE9)
{
// Far jump
uint offset = oMemoryFunctions.ReadMemoryDword(oProcess.activeProcess, destination + 1);
destination = destination + offset + 5;
}
else if (data[0] == 0xEB)
{
// Short jump
uint offset = (uint) oMemoryFunctions.ReadMemoryByte(oProcess.activeProcess, destination + 1);
destination = destination + offset + 2;
}
else if (data[0] == 0xFF && data[1] == 0x25)
{
// Read the address
uint address = oMemoryFunctions.ReadMemoryDword(oProcess.activeProcess, destination + 2);
uint destinationNew = oMemoryFunctions.ReadMemoryDword(oProcess.activeProcess, address);
if (destinationNew == 0)
return;
// This is a PE call jump table call, but the linked address has not been loaded yet.
// Standard PE jump table format
type = oFunction.CALL_TYPE.JUMP_TABLE_PE;
destination = destinationNew;
}
// Recurse this add call, incase we have a jump chain.
addCall(source, destination, type, name);
return;
}
}
// Add the call to the system
if (destinationToFunction.ContainsKey(destination))
{
// Function already exists, add this call source.
((oFunction)destinationToFunction[destination]).addCaller(source, type, name);
numCalls++;
}
else
{
// Function does not exist, create it
numCalls++;
numFunctions++;
// Add the call to the function list
functions.Add(new oFunction(source, destination, type, name));
// Add the function to the hash table
destinationToFunction.Add(destination, functions[functions.Count - 1]);
}
}
public static void addCall(uint source, uint destination, oFunction.CALL_TYPE type)
{
addCall(source, destination, type, ""); // add a call with no known name
}
public ExportFunction(oFunction function)
{
this.function = function;
InitializeComponent();
}
/// <summary>
/// Creates a new export function tab for the specified function.
/// </summary>
/// <param name="name"></param>
/// <param name="select"></param>
/// <param name="function"></param>
public void addExportFunctionTab(string name, bool select, oFunction function)
{
// Create the new oTab class and tab page
oTabExportFunction tabExportFunction = new oTabExportFunction(this, toolStrip, panelMain, mainToolStrip, name, function);
tabs.Add(tabExportFunction);
tabController.TabPages.Add(tabExportFunction.WorkingPage);
tabExportFunction.WorkingPage.ImageIndex = tabController.ImageList.Images.IndexOfKey(@"Export.ico");
if (select)
{
// Deactivate the selected tab
if (tabController.SelectedIndex >= 0 && tabController.SelectedIndex < tabController.TabPages.Count)
tabs[tabController.SelectedIndex].deactivate();
// Select the new tab page
tabController.SelectedIndex = tabs.Count - 1;
tabs[tabs.Count - 1].activate();
}
}
public ExportFunction(oFunction function)
{
this.function = function;
InitializeComponent();
}
