public void SendVerdict(string verdict) { HookEntry entry = hooks.Where(x => x.oep == hookOep).First(); Logger.N(Program.GetResourceString("Threads.Client.Verdict", verdict)); // Verdict string to ID UInt32 verdictId = 0; switch (verdict) { case "approve": verdictId = 0; break; case "reject": verdictId = 1; break; case "terminate": verdictId = 2; break; } // Prepare & send CMD_VERDICT Puppet.PACKET_CMD_VERDICT pktVerdict = new Puppet.PACKET_CMD_VERDICT(0); pktVerdict.verdict = verdictId; this.Send(Puppet.Util.Serialize(pktVerdict)); // If verdict == "reject", send SP offset and AX if (verdictId == 1) { this.Send(Puppet.Util.Serialize(new Puppet.PACKET_INTEGER(entry.stack))); this.Send(Puppet.Util.Serialize(new Puppet.PACKET_INTEGER(entry.ret))); } // Expect ACK this.Expect(Puppet.PACKET_TYPE.ACK); // Clear hook status hookOep = 0; hookPhase = 0; Gui.theInstance.InvokeOn((FMain Me) => Me.RefreshGuiTargets()); }
public void RefreshGuiHooks() { Threads.Client client; try { client = Threads.CmdEngine.theInstance.GetTargetClient(false); } catch (ArgumentException) { return; } lstDollHooks.Items.Clear(); for (int i = 0; i < client.hooks.Count; i++) { Threads.HookEntry hook = client.hooks[i]; // Skip the removed hooks if (hook.name == null) { continue; } lstDollHooks.Items.Add(new ListViewItem(new string[] { i.ToString(), client.OepToString(hook.oep), hook.name })); } if (lstDollHooks.Items.Count > 0) { lstDollHooks.Items[0].Selected = true; btnHooksRemove.Enabled = true; } else { btnHooksRemove.Enabled = false; } }
UInt64 eval_poi(UInt64 ptr) { HookEntry entry = hooks.Where(x => x.oep == hookOep).First(); int wordsize = this.bits / 8; // Prepare CMD_MEMORY Puppet.PACKET_CMD_MEMORY pktMem = new Puppet.PACKET_CMD_MEMORY(0); pktMem.len = (UInt32)wordsize; // Send packets this.Send(Puppet.Util.Serialize(pktMem)); this.Send(Puppet.Util.Serialize(new Puppet.PACKET_INTEGER(ptr))); // Expent ACK Puppet.PACKET_ACK pktAck; pktAck = Puppet.Util.Deserialize <Puppet.PACKET_ACK>(this.Expect(Puppet.PACKET_TYPE.ACK)); if (pktAck.status == 0 || pktAck.status < (UInt32)wordsize) { // Do not allow MemoryReadWarning if (pktAck.status != 0) { this.Expect(Puppet.PACKET_TYPE.BINARY); // Dispose BINARY packet } throw new ArgumentException(Program.GetResourceString("Threads.Client.MemoryReadError")); } // Expect blob byte[] blob = Puppet.Util.DeserializeBinary(this.Expect(Puppet.PACKET_TYPE.BINARY)); if (this.bits == 64) { return(BitConverter.ToUInt64(blob, 0)); } else { return(BitConverter.ToUInt32(blob, 0)); } }
UInt64 eval_arg(uint index) { HookEntry entry = hooks.Where(x => x.oep == hookOep).First(); int wordsize = this.bits / 8; UInt64 val = 0; long ptrOffset = -1; // int * int == long switch (entry.convention) { case "stdcall": case "cdecl": { // stack ptrOffset = (wordsize * index); break; } case "fastcall": { // cx, dx, stack switch (index) { case 0: val = eval_getContext(1); break; case 1: val = eval_getContext(2); break; default: ptrOffset = (wordsize * (index - 2)); break; } break; } case "msvc": { // cx, dx, r8, r9, stack (4 * wordsize offset) switch (index) { case 0: val = eval_getContext(1); break; case 1: val = eval_getContext(2); break; case 2: val = eval_getContext(8); break; case 3: val = eval_getContext(9); break; default: ptrOffset = (wordsize * (index - 4 + 4)); break; } break; } case "gcc": { // di, si, dx, cx, r8, r9, stack switch (index) { case 0: val = eval_getContext(7); break; case 1: val = eval_getContext(6); break; case 2: val = eval_getContext(2); break; case 3: val = eval_getContext(1); break; case 4: val = eval_getContext(8); break; case 5: val = eval_getContext(9); break; default: ptrOffset = (wordsize * (index - 6)); break; } break; } } if (ptrOffset >= 0) { // Value is from stack // Calculate stack ptr UInt64 ptr = eval_getContext(4) // Preserved SP value + (UInt64)wordsize // Skip HookOEP + (UInt64)wordsize // Skip return address + (UInt64)ptrOffset; val = eval_poi(ptr); } return(val); }
void OnHook() { HookEntry entry = hooks.Where(x => x.oep == hookOep).First(); Logger.N(Program.GetResourceString("Threads.Client.Hooked", this.clientName, hooks.IndexOf(entry), entry.name, (hookPhase == 0) ? "before" : "after" )); Gui.theInstance.InvokeOn((FMain Me) => Me.RefreshGuiTargets()); List <Dictionary <string, object> > actions = (hookPhase == 0) ? entry.beforeActions : entry.afterActions; string verdict = (hookPhase == 0) ? entry.beforeVerdict : entry.afterVerdict; Gui.theInstance.InvokeOn((FMain Me) => Me.txtHookedResults.Clear()); foreach (Dictionary <string, object> action in actions) { try { switch ((string)action["verb"]) { case "echo": { string result = Program.GetResourceString("Threads.Client.Echo", EvalEngine.EvalString(this, (string)action["echo"])); Logger.N(result); Gui.theInstance.InvokeOn((FMain Me) => Me.txtHookedResults.Text += (result + Environment.NewLine)); break; } case "dump": { object[] evalResults = EvalEngine.Eval(this, new string[] { (string)action["addr"], (string)action["size"] }); UInt64 ptr; if (bits == 64 ? evalResults[0] is UInt64 : evalResults[0] is UInt32) { ptr = Convert.ToUInt64(evalResults[0]); } else { throw new ArgumentException(Program.GetResourceString("Threads.Client.TypeMismatch")); } uint len; try { len = Convert.ToUInt32(evalResults[1]); } catch (InvalidCastException) { throw new ArgumentException(Program.GetResourceString("Threads.Client.TypeMismatch")); } eval_dump(eval_mem(ptr, len)); break; } case "ctx": { string evalKey = EvalEngine.EvalString(this, (string)action["key"]); string evalValue = EvalEngine.EvalString(this, (string)action["value"]); this.context.Add(evalKey, evalValue); string result = Program.GetResourceString("Threads.Client.Ctx", evalKey, evalValue); Logger.N(result); Gui.theInstance.InvokeOn((FMain Me) => Me.txtHookedResults.Text += (result + Environment.NewLine)); break; } } } catch (ArgumentException e) { Logger.E(Program.GetResourceString("Threads.Client.ActionError", (string)action["verb"], e.Message)); } } if (verdict == null) { Logger.N(Program.GetResourceString("Threads.Client.VerdictWait")); Gui.theInstance.InvokeOn((FMain Me) => Me.RefreshGuiTargets()); } else { SendVerdict(verdict); } }
public void RefreshGuiTargets() { lstListenerTargets.Items.Clear(); for (int i = 0; i < Threads.Client.theInstances.Count; i++) { Threads.Client instance = Threads.Client.theInstances[i]; lstListenerTargets.Items.Add(new ListViewItem(new string[] { (i == Threads.CmdEngine.theInstance.target) ? "*" : " ", i.ToString(), instance.clientName, instance.GetTypeString(), instance.GetStatusString(), instance.pid.ToString(), instance.bits.ToString() })); // Mark dead clients if (instance.isDead) { lstListenerTargets.Items[i].ForeColor = Color.Gray; } } tabPageMonitor.MyHide(); tabPageHooked.MyHide(); tabPageDoll.MyHide(); Threads.Client instanceCurr = Threads.Client.theInstances[Threads.CmdEngine.theInstance.target]; if (!instanceCurr.isDead) { if (instanceCurr.isMonitor) { lblMonitorCurrent.Text = Program.GetResourceString( "UI.Gui.Title.Monitor", Threads.CmdEngine.theInstance.target, instanceCurr.clientName ); tabPageMonitor.MyShow(); } else { lblDollCurrent.Text = Program.GetResourceString( "UI.Gui.Title.Doll", Threads.CmdEngine.theInstance.target, instanceCurr.clientName ); this.RefreshGuiHooks(); tabPageDoll.MyShow(); if (instanceCurr.hookOep != 0) { int idx = instanceCurr.hooks.FindIndex(x => x.oep == instanceCurr.hookOep); Threads.HookEntry entry = instanceCurr.hooks[idx]; lblHookedCurrent.Text = Program.GetResourceString( "UI.Gui.Title.Hooked", idx, entry.name, (instanceCurr.hookPhase == 0) ? "before" : "after" ); btnVerdictReject.Enabled = (instanceCurr.hookPhase == 0); tabPageHooked.MyShow(); } } } }