Exemplo n.º 1
        /// <summary>
        /// Estimates the number of input parameters of each funciton.
        /// </summary>
        /// <param name="retList">Return instruction list.</param>
        public static void estimateFunctionParameters(oAsmRetList retList, oEbpArgumentList ebpAddresses, Form parent)
            if (functions == null)
                functions = new List <oFunction>();

            // Estimate the number of parameters for each function return
            int          count    = 0;
            formProgress progress = new formProgress(parent);

            progress.setMax(oFunctionMaster.numFunctions / 273);
            progress.setTitle("Estimating Number Parameter Counts...");
            progress.setLabel1("Estimating Function Input Parameter Counts: " + count.ToString() + "0 of " + oFunctionMaster.numFunctions.ToString());

            // Loop through each function, estimating the number of parameters
            List <oFunction> invalidFunctions = new List <oFunction>(0);

            foreach (oFunction function in functions)
                // Estimate parameters
                function.estimateNumParameters(retList, ebpAddresses);

                // Check the number of parameters is valid
                if (function.getNumParams() > 50)
                    // Invalid function

                if (count % 273 == 0)
                    progress.setLabel1("Estimating Function Input Parameter Counts: " + count.ToString() + "0 of " + oFunctionMaster.numFunctions.ToString());

            // Remove the invalid functions
            foreach (oFunction function in invalidFunctions)

Exemplo n.º 2
        /// <summary>
        /// This disassmebles all the modules
        /// </summary>
        public static void disassembleProcess(Form parent, List <HEAP_INFO> selectedHeaps)
            // Create the progress bar
            formProgress progress = new formProgress(parent);

            progress.setTitle("Disassembling Modules...");
            progress.setLabel1("Generating Memory Map");
            progress.setLabel2("Total Discovered Internal Calls: 0");

            // Reset the function master

            // Create the return instruction list, for parameter count estimation usage later on
            oAsmRetList      returnAddresses = new oAsmRetList();
            oEbpArgumentList ebpAddresses    = new oEbpArgumentList();

            // Process the selected heaps
            ulong        count        = 0;
            HeaderReader headerReader = null;

            for (int i = 0; i < selectedHeaps.Count; i++)
                HEAP_INFO heap = selectedHeaps[i];

                // Check if it is a PE Header
                if (heap.extra.Contains("PE"))
                    // Process the PE import table
                    headerReader = new HeaderReader(activeProcess, heap.heapAddress);

                    // Set the access rights to this heap so that we can edit the header
                    if (headerReader.importTable.Count > 0)
                        HEAP_INFO tmpHeapInfo = oMemoryFunctions.LookupAddressInMap(map, headerReader.optHeader.DataDirectory13.VirtualAddress + (uint)heap.heapAddress);

                        if (tmpHeapInfo.heapProtection.Contains("EXECUTE"))

                    // Add all the imported functions
                    foreach (IMPORT_FUNCTION importFunction in headerReader.importTable)
                        // Lookup the destination address
                        HEAP_INFO destinationHeap = oMemoryFunctions.LookupAddressInMap(map,

                        // Add this function if it is valid
                        if (destinationHeap.heapProtection.Contains("EXECUTE") && destinationHeap.heapLength > 0)
                            // Valid destination
                            oFunctionMaster.addCall((uint)importFunction.memoryAddress, (uint)importFunction.targetAddress,
                                                    oFunction.CALL_TYPE.PE_TABLE, importFunction.name);

                            // Disasemble only one function and find return (needed for parametar count estimation)
                            uint length =
                                (destinationHeap.heapLength -
                                 (importFunction.targetAddress - destinationHeap.heapAddress));
                            if (length > 0x1000)
                                length = 0x1000;
                            byte[] block = oMemoryFunctions.ReadMemory(activeProcess, importFunction.targetAddress,

                            // Process the function only
                            LengthDecoder.AddFirstRet(block, (int)importFunction.targetAddress, 0, ref returnAddresses);

                    // Add all the exported functions
                    if (headerReader.exports.Count > 0)
                        // Read in this heap
                        HEAP_INFO   tmpHeap;
                        byte[]      block      = null;
                        IEnumerator exportEnum = headerReader.exports.Values.GetEnumerator();
                        if (exportEnum.MoveNext())
                            tmpHeap = oMemoryFunctions.LookupAddressInMap(map, (uint)((export)exportEnum.Current).Address);
                            block   = oMemoryFunctions.ReadMemory(activeProcess, tmpHeap.heapAddress, (uint)tmpHeap.heapLength);

                            // We need to add all the exported functions from this library
                            foreach (export exportFunction in headerReader.exports.Values)
                                if ((exportFunction.Address >= tmpHeap.heapAddress) && (exportFunction.Address <= tmpHeap.heapAddress + tmpHeap.heapLength))
                                    // Add this call
                                    oFunctionMaster.addCall(0, (uint)exportFunction.Address,
                                                            oFunction.CALL_TYPE.PE_EXPORT, exportFunction.Name);

                                    // Disasemble only one function and find return (needed for parameter count estimation)

                                    // Process the function only
                                    LengthDecoder.AddFirstRet(block, (int)tmpHeap.heapAddress,
                                                              (int)(exportFunction.Address - tmpHeap.heapAddress),
                                                              ref returnAddresses);

                // If this contains EXECUTE privileges, instrument this heap even if it is a PE header.
                // Instrument this heap if it has been selected, but not if it is a PE header region without EXECUTE privileges.
                if (!heap.extra.Contains("PE") || heap.heapProtection.Contains("EXECUTE"))
                    // Disassemble this heap as a code region
                    List <jmpInstruction> jmpAddresses = new List <jmpInstruction>(10000);

                    // Let's process this data region
                    if (heap.associatedModule != null)
                        progress.setLabel1("Analyzing code region for module " +
                                           heap.associatedModule.ModuleName + " heap at address 0x" +
                            "Analyzing code region associated with an unknown module at address 0x" +

                    // Read in the heap
                    byte[] block = oMemoryFunctions.ReadMemory(activeProcess, heap.heapAddress, (uint)heap.heapLength);

                    // Process the heap
                    List <SIMPLE_INSTRUCTION> instructions = LengthDecoder.DisassembleBlockCallsOnly(block,
                                                                                                     ref returnAddresses,
                                                                                                     ref ebpAddresses,
                                                                                                     ref jmpAddresses);

                    // Get a list of the return instruction addresses for this heap
                    List <retAddress> retAddresses = returnAddresses.getRets((uint)heap.heapAddress, (uint)(heap.heapAddress + heap.heapLength));

                    // Generate a list of call source-destination pairs.
                    List <SOURCE_DEST_PAIR> callPairs = new List <SOURCE_DEST_PAIR>(1000);
                    for (int n = 0; n < instructions.Count; n++)
                        HEAP_INFO destinationHeap = oMemoryFunctions.LookupAddressInMap(map,

                        if (destinationHeap.heapLength > 0 &&
                            destinationHeap.heapAddress == heap.heapAddress &&
                            isValidCodePointer(activeProcess, instructions[n].address, (uint)instructions[n].jmp_target, headerReader) &&
                            isValidCodeBlock(activeProcess, heap, instructions[n].address, jmpAddresses, retAddresses, 500) &&
                            isValidCodeBlock(activeProcess, heap, instructions[n].jmp_target, jmpAddresses, retAddresses, 500))
                            // Add this call, it may be filtered out later.
                            callPairs.Add(new SOURCE_DEST_PAIR((uint)instructions[n].address,

                    // -----------------------------------
                    // -----------------------------------
                    // The start of the callback table is defined as:
                    // 1. 4 dwords in a row that point to within this heap.
                    // 2. Must point to at least 2 different addresses.
                    // 3. All 4 pointers must point to valid code regions.
                    // The end of the callback table is defined as:
                    // 1. first not heap-internal pointer
                    // 2. or first heap-internal pointer that fails the
                    //    valid function test.
                    bool inCallbackTable = false;
                    for (int n = 0; n < block.Length - 4 * 4; n += 4)
                        // Check if this could be the start of a callback table.
                        uint value1 = oMemoryFunctions.ByteArrayToUint(block, n);
                        if (inCallbackTable)
                            // Check is this value should be added onto the callback table
                            if (value1 >= heap.heapAddress && value1 <= heap.heapAddress + heap.heapLength &&
                                isValidCodePointer(activeProcess, ((uint)n) + (uint)heap.heapAddress, value1, headerReader) &&
                                isValidCodeBlock(activeProcess, heap, value1, jmpAddresses, retAddresses, 500))
                                // Another valid callback entry
                                callPairs.Add(new SOURCE_DEST_PAIR(((uint)n) + (uint)heap.heapAddress,
                                                                   callPairs[callPairs.Count - 1],
                                // End of callback table.
                                inCallbackTable = false;
                        else if (value1 >= heap.heapAddress && value1 <= heap.heapAddress + heap.heapLength)
                            // Check second pointer
                            uint value2 = oMemoryFunctions.ByteArrayToUint(block, n + 4);
                            if (value2 >= heap.heapAddress && value2 <= heap.heapAddress + heap.heapLength)
                                // Check third pointer
                                uint value3 = oMemoryFunctions.ByteArrayToUint(block, n + 4 * 2);
                                if (value3 >= heap.heapAddress && value3 <= heap.heapAddress + heap.heapLength)
                                    // Check fourth pointer
                                    uint value4 = oMemoryFunctions.ByteArrayToUint(block, n + 4 * 3);
                                    if (value4 >= heap.heapAddress && value4 <= heap.heapAddress + heap.heapLength)
                                        // We found four internal pointers in a row. Check that condition #2 is met.
                                        if (!((value1 == value2 && value1 == value3) ||
                                              (value1 == value2 && value1 == value4) ||
                                              (value2 == value3 && value2 == value4)))
                                            // At least two of the values are different

                                            // Check condition #3, all valid code poitners
                                            if (isValidCodePointer(activeProcess, ((uint)n) + (uint)heap.heapAddress, value1, headerReader) &&
                                                isValidCodeBlock(activeProcess, heap, value1, jmpAddresses, retAddresses, 500) &&
                                                isValidCodePointer(activeProcess, ((uint)n + 4 * 1) + (uint)heap.heapAddress, value2, headerReader) &&
                                                isValidCodeBlock(activeProcess, heap, value2, jmpAddresses, retAddresses, 500) &&
                                                isValidCodePointer(activeProcess, ((uint)n + 4 * 2) + (uint)heap.heapAddress, value3, headerReader) &&
                                                isValidCodeBlock(activeProcess, heap, value3, jmpAddresses, retAddresses, 500) &&
                                                isValidCodePointer(activeProcess, ((uint)n + 4 * 3) + (uint)heap.heapAddress, value4, headerReader) &&
                                                isValidCodeBlock(activeProcess, heap, value4, jmpAddresses, retAddresses, 500))
                                                // All pointers are valid, start of callback table
                                                inCallbackTable = true;

                                                // Add these function calls
                                                callPairs.Add(new SOURCE_DEST_PAIR(((uint)n) + (uint)heap.heapAddress,
                                                callPairs.Add(new SOURCE_DEST_PAIR(((uint)n + 4 * 1) + (uint)heap.heapAddress,
                                                                                   callPairs[callPairs.Count - 1],
                                                callPairs.Add(new SOURCE_DEST_PAIR(((uint)n + 4 * 2) + (uint)heap.heapAddress,
                                                                                   callPairs[callPairs.Count - 1],
                                                callPairs.Add(new SOURCE_DEST_PAIR(((uint)n + 4 * 3) + (uint)heap.heapAddress,
                                                                                   callPairs[callPairs.Count - 1],

                                                // Move on to the next callback
                                                n += 4 * 3; // because n+=4

                    // -----------------------------------
                    // -----------------------------------
                    // Condition Description:
                    // - each subroutine is only called from the start of the subroutine, and no call
                    //   can enter the subroutine in the middle of the function. I have yet to see a
                    //   function that violates rule even under obfuscation (except rarely the skipping
                    //   of hotpatching bytes).
                    // Condition Implementation:
                    // - only smallest call destination in range (retAddress[i-1], retAddress[i]] is valid
                    //   for funcion i.
                    // - a destination of min destionation + const, where  0 <= const <= 2 is allowed to support
                    //   some obfuscation methods that skip the hotpatching useless bytes.

                    // Sort the array by the destination

                    // Loop through each return instruction
                    for (int n = 0; n < retAddresses.Count; n++)
                        // Find all destination addresses associated with this function

                        // Find the start destination pair index
                        int indexStart = (n > 0 ? callPairs.BinarySearch(new SOURCE_DEST_PAIR(0, retAddresses[n - 1].address, oFunction.CALL_TYPE.FIXED_OFFSET, null, ""),
                                                                         comparerDest) : 0);
                        if (indexStart < 0)
                            indexStart = ~indexStart;

                        // Find the end destination pair index
                        int indexEnd = callPairs.BinarySearch(new SOURCE_DEST_PAIR(0, retAddresses[n].address, oFunction.CALL_TYPE.FIXED_OFFSET, null, ""),
                        if (indexEnd < 0)
                            indexEnd = ~indexEnd - 1;

                        // If we have more than one call to this procedure, loop through them and maybe filter them out
                        if (indexEnd - indexStart + 1 > 1)
                            // Find the start of the subroutine
                            uint minDestination = uint.MaxValue;
                            for (int m = indexStart; m <= indexEnd; m++)
                                if (callPairs[m].dest < minDestination)
                                    minDestination = callPairs[m].dest;

                            // Loop through these call destinations to make sure they are not entering in the middle of the subroutine
                            for (int m = indexStart; m <= indexEnd; m++)
                                if (callPairs[m].dest > minDestination + 2)
                                    // This is entering the subrouting in the middle! Remove this call as invalid.

                    // Add the calls to the function list)
                    for (int n = 0; n < callPairs.Count; n++)
                        // Add this function call
                        if (disassemblyMode.recordIntramodular)
                            oFunctionMaster.addCall(callPairs[n].source, callPairs[n].dest, callPairs[n].type, callPairs[n].name);
                    count = count + (ulong)instructions.Count;

                progress.setLabel2("Total Discovered Internal Calls: " + count);


            // Estimate number of parameters for each function
            oFunctionMaster.estimateFunctionParameters(returnAddresses, ebpAddresses, parent);
Exemplo n.º 3
        /// <summary>
        /// This function injects the instrumentation code and
        /// redirects the call instructions and pe tables.
        /// </summary>
        public static bool inject(uint bufferSize, uint maxCallCount, List <HEAP_INFO> invalidCallSourceHeaps, Form parent)
            if (functions.Count > 0)
                // Create the progress bar
                formProgress progress = new formProgress(parent);
                progress.setMax(functions.Count / 457);
                progress.setTitle("Injecting Function Instrumentation Code...");
                progress.setLabel1("Allocating buffer space...");

                // Create and setup the circular buffer recording buffer for the visualizations.
                uint visualizationAddress = (uint)oMemoryFunctions.VirtualAllocEx(oProcess.activeProcess.Handle,
                                                                                  20000000 + 1000,
                injectedHeapAddress1 = visualizationAddress;
                injectedHeapSize1    = 20000000 + 1000;

                oMemoryFunctions.WriteMemoryDword(oProcess.activeProcess, visualizationAddress + 4, 0);
                oAssemblyGenerator.addCommonAddress(visualizationAddress + 4, "VIS_AD_CIRCULAR_OFFSET");
                oAssemblyGenerator.addCommonAddress(bufferSize * 1000000 - 8 - 4, "VIS_CIRCULAR_SIZE");
                oAssemblyGenerator.addCommonAddress(visualizationAddress + 16 + 4, "VIS_AD_CIRCULAR_BASE");
                oAssemblyGenerator.addCommonAddress(0, "mainRecordFunction");

                //MessageBox.Show((visualizationAddress + 16).ToString("X"));

                // Create the visualization buffer reader
                reader_visualization = new oCircularBufferReader(visualizationAddress + 16 + 4, bufferSize * 1000000 - 4, visualizationAddress + 4);

                // Set the global buffer parameters
                oMemoryFunctions.WriteMemoryDword(oProcess.activeProcess, visualizationAddress, maxCallCount);
                oAssemblyGenerator.addCommonAddress(visualizationAddress, "MAXCALLS");

                // Determine the size per function
                int sizePerFunc = ((oFunction)functions[0]).generateInstrumentation(10000).Length;

                // Allocate the memory heap for the funciton code injections
                uint currentAddress = (uint)oMemoryFunctions.VirtualAllocEx(oProcess.activeProcess.Handle,
                                                                            functions.Count * sizePerFunc + 1000 + 2 * 0x80000, // 1000 + 2*0x80000 bytes for the mainRecordFunction
                injectedHeapAddress2 = currentAddress;
                injectedHeapSize2    = (uint)(functions.Count * sizePerFunc + 1000 + 2 * 0x80000);

                if (currentAddress == 0)
                    oConsole.printMessageShow("ERROR: Could not allocate memory space in target process for code injections.");

                progress.setLabel1("Injecting common base functions.");

                // Inject the common function
                oAssemblyGenerator.addCommonAddress(currentAddress, "mainRecordFunction");
                uint size = (uint)oFunction.injectCommonCode(currentAddress);

                // Generate and write the valid read pointer table
                progress.setLabel1("Generating and injecting the read pointer dereference lookup table.");

                // Get the address of the table
                table_addressValidReadTable = UInt32.Parse(oMemoryFunctions.ReverseString(oAssemblyGenerator.evaluateCommonAddress("sLOOKUPVALIDPOINTER", 0, currentAddress)), NumberStyles.HexNumber);

                // Generate and write the excluded call source table
                progress.setLabel1("Generating and injecting the exclusion source lookup table.");

                // Get the address of the table
                table_addressInvalidSourceTable = UInt32.Parse(oMemoryFunctions.ReverseString(oAssemblyGenerator.evaluateCommonAddress("sLOOKUPINVALIDSOURCE", 0, currentAddress)), NumberStyles.HexNumber);

                // Set the size to dereference option
                dereferenceSizeAddress = UInt32.Parse(oMemoryFunctions.ReverseString(oAssemblyGenerator.evaluateCommonAddress("sSTRINGDEREFERENCESIZE", 0, currentAddress)), NumberStyles.HexNumber);
                oMemoryFunctions.WriteMemoryDword(oProcess.activeProcess, dereferenceSizeAddress, (uint)Properties.Settings.Default.NumDereferencedBytes);

                currentAddress += size;

                // Perform the intecept function code injection
                int count = 0;
                progress.setLabel1("Injecting instrumentation functions and redirecting functions: " + count.ToString() + " of " + functions.Count.ToString());
                foreach (oFunction function in functions)
                    // Inject the instrumentation functions
                    uint injectionAddress = currentAddress;
                    size = (uint)function.injectInstrumentation(currentAddress);

                    // Update the function parameters
                    function.addressCount  = UInt32.Parse(oMemoryFunctions.ReverseString(oAssemblyGenerator.evaluateCommonAddress("sCOUNT", 0, currentAddress)), NumberStyles.HexNumber);
                    function.addressRecord = UInt32.Parse(oMemoryFunctions.ReverseString(oAssemblyGenerator.evaluateCommonAddress("sSAVEDATA", 0, currentAddress)), NumberStyles.HexNumber);

                    // Redirect the function calls
                    currentAddress += size;

                    // Update the progress bar
                    if ((count % 457) == 0)
                        progress.setLabel1("Injecting instrumentation functions and redirecting functions: " + count.ToString() + " of " + functions.Count.ToString());
