public void SendVerdict(string verdict)
{
HookEntry entry = hooks.Where(x => x.oep == hookOep).First();
Logger.N(Program.GetResourceString("Threads.Client.Verdict", verdict));
// Verdict string to ID
UInt32 verdictId = 0;
switch (verdict)
{
case "approve":
verdictId = 0; break;
case "reject":
verdictId = 1; break;
case "terminate":
verdictId = 2; break;
}
// Prepare & send CMD_VERDICT
Puppet.PACKET_CMD_VERDICT pktVerdict = new Puppet.PACKET_CMD_VERDICT(0);
pktVerdict.verdict = verdictId;
this.Send(Puppet.Util.Serialize(pktVerdict));
// If verdict == "reject", send SP offset and AX
if (verdictId == 1)
{
this.Send(Puppet.Util.Serialize(new Puppet.PACKET_INTEGER(entry.stack)));
this.Send(Puppet.Util.Serialize(new Puppet.PACKET_INTEGER(entry.ret)));
}
// Expect ACK
this.Expect(Puppet.PACKET_TYPE.ACK);
// Clear hook status
hookOep = 0;
hookPhase = 0;
Gui.theInstance.InvokeOn((FMain Me) => Me.RefreshGuiTargets());
}
public void RefreshGuiHooks()
{
Threads.Client client;
try
{
client = Threads.CmdEngine.theInstance.GetTargetClient(false);
}
catch (ArgumentException)
{
return;
}
lstDollHooks.Items.Clear();
for (int i = 0; i < client.hooks.Count; i++)
{
Threads.HookEntry hook = client.hooks[i];
// Skip the removed hooks
if (hook.name == null)
{
continue;
}
lstDollHooks.Items.Add(new ListViewItem(new string[]
{
i.ToString(),
client.OepToString(hook.oep),
hook.name
}));
}
if (lstDollHooks.Items.Count > 0)
{
lstDollHooks.Items[0].Selected = true;
btnHooksRemove.Enabled = true;
}
else
{
btnHooksRemove.Enabled = false;
}
}
UInt64 eval_poi(UInt64 ptr)
{
HookEntry entry = hooks.Where(x => x.oep == hookOep).First();
int wordsize = this.bits / 8;
// Prepare CMD_MEMORY
Puppet.PACKET_CMD_MEMORY pktMem = new Puppet.PACKET_CMD_MEMORY(0);
pktMem.len = (UInt32)wordsize;
// Send packets
this.Send(Puppet.Util.Serialize(pktMem));
this.Send(Puppet.Util.Serialize(new Puppet.PACKET_INTEGER(ptr)));
// Expent ACK
Puppet.PACKET_ACK pktAck;
pktAck = Puppet.Util.Deserialize <Puppet.PACKET_ACK>(this.Expect(Puppet.PACKET_TYPE.ACK));
if (pktAck.status == 0 || pktAck.status < (UInt32)wordsize)
{
// Do not allow MemoryReadWarning
if (pktAck.status != 0)
{
this.Expect(Puppet.PACKET_TYPE.BINARY); // Dispose BINARY packet
}
throw new ArgumentException(Program.GetResourceString("Threads.Client.MemoryReadError"));
}
// Expect blob
byte[] blob = Puppet.Util.DeserializeBinary(this.Expect(Puppet.PACKET_TYPE.BINARY));
if (this.bits == 64)
{
return(BitConverter.ToUInt64(blob, 0));
}
else
{
return(BitConverter.ToUInt32(blob, 0));
}
}
UInt64 eval_arg(uint index)
{
HookEntry entry = hooks.Where(x => x.oep == hookOep).First();
int wordsize = this.bits / 8;
UInt64 val = 0;
long ptrOffset = -1; // int * int == long
switch (entry.convention)
{
case "stdcall":
case "cdecl":
{
// stack
ptrOffset = (wordsize * index);
break;
}
case "fastcall":
{
// cx, dx, stack
switch (index)
{
case 0: val = eval_getContext(1); break;
case 1: val = eval_getContext(2); break;
default: ptrOffset = (wordsize * (index - 2)); break;
}
break;
}
case "msvc":
{
// cx, dx, r8, r9, stack (4 * wordsize offset)
switch (index)
{
case 0: val = eval_getContext(1); break;
case 1: val = eval_getContext(2); break;
case 2: val = eval_getContext(8); break;
case 3: val = eval_getContext(9); break;
default: ptrOffset = (wordsize * (index - 4 + 4)); break;
}
break;
}
case "gcc":
{
// di, si, dx, cx, r8, r9, stack
switch (index)
{
case 0: val = eval_getContext(7); break;
case 1: val = eval_getContext(6); break;
case 2: val = eval_getContext(2); break;
case 3: val = eval_getContext(1); break;
case 4: val = eval_getContext(8); break;
case 5: val = eval_getContext(9); break;
default: ptrOffset = (wordsize * (index - 6)); break;
}
break;
}
}
if (ptrOffset >= 0)
{
// Value is from stack
// Calculate stack ptr
UInt64 ptr = eval_getContext(4) // Preserved SP value
+ (UInt64)wordsize // Skip HookOEP
+ (UInt64)wordsize // Skip return address
+ (UInt64)ptrOffset;
val = eval_poi(ptr);
}
return(val);
}
void OnHook()
{
HookEntry entry = hooks.Where(x => x.oep == hookOep).First();
Logger.N(Program.GetResourceString("Threads.Client.Hooked",
this.clientName,
hooks.IndexOf(entry),
entry.name,
(hookPhase == 0) ? "before" : "after"
));
Gui.theInstance.InvokeOn((FMain Me) => Me.RefreshGuiTargets());
List <Dictionary <string, object> > actions = (hookPhase == 0) ? entry.beforeActions : entry.afterActions;
string verdict = (hookPhase == 0) ? entry.beforeVerdict : entry.afterVerdict;
Gui.theInstance.InvokeOn((FMain Me) => Me.txtHookedResults.Clear());
foreach (Dictionary <string, object> action in actions)
{
try
{
switch ((string)action["verb"])
{
case "echo":
{
string result = Program.GetResourceString("Threads.Client.Echo", EvalEngine.EvalString(this, (string)action["echo"]));
Logger.N(result);
Gui.theInstance.InvokeOn((FMain Me) => Me.txtHookedResults.Text += (result + Environment.NewLine));
break;
}
case "dump":
{
object[] evalResults = EvalEngine.Eval(this, new string[] { (string)action["addr"], (string)action["size"] });
UInt64 ptr;
if (bits == 64 ? evalResults[0] is UInt64 : evalResults[0] is UInt32)
{
ptr = Convert.ToUInt64(evalResults[0]);
}
else
{
throw new ArgumentException(Program.GetResourceString("Threads.Client.TypeMismatch"));
}
uint len;
try
{
len = Convert.ToUInt32(evalResults[1]);
}
catch (InvalidCastException)
{
throw new ArgumentException(Program.GetResourceString("Threads.Client.TypeMismatch"));
}
eval_dump(eval_mem(ptr, len));
break;
}
case "ctx":
{
string evalKey = EvalEngine.EvalString(this, (string)action["key"]);
string evalValue = EvalEngine.EvalString(this, (string)action["value"]);
this.context.Add(evalKey, evalValue);
string result = Program.GetResourceString("Threads.Client.Ctx", evalKey, evalValue);
Logger.N(result);
Gui.theInstance.InvokeOn((FMain Me) => Me.txtHookedResults.Text += (result + Environment.NewLine));
break;
}
}
}
catch (ArgumentException e)
{
Logger.E(Program.GetResourceString("Threads.Client.ActionError", (string)action["verb"], e.Message));
}
}
if (verdict == null)
{
Logger.N(Program.GetResourceString("Threads.Client.VerdictWait"));
Gui.theInstance.InvokeOn((FMain Me) => Me.RefreshGuiTargets());
}
else
{
SendVerdict(verdict);
}
}
public void RefreshGuiTargets()
{
lstListenerTargets.Items.Clear();
for (int i = 0; i < Threads.Client.theInstances.Count; i++)
{
Threads.Client instance = Threads.Client.theInstances[i];
lstListenerTargets.Items.Add(new ListViewItem(new string[] {
(i == Threads.CmdEngine.theInstance.target) ? "*" : " ",
i.ToString(),
instance.clientName,
instance.GetTypeString(),
instance.GetStatusString(),
instance.pid.ToString(),
instance.bits.ToString()
}));
// Mark dead clients
if (instance.isDead)
{
lstListenerTargets.Items[i].ForeColor = Color.Gray;
}
}
tabPageMonitor.MyHide();
tabPageHooked.MyHide();
tabPageDoll.MyHide();
Threads.Client instanceCurr = Threads.Client.theInstances[Threads.CmdEngine.theInstance.target];
if (!instanceCurr.isDead)
{
if (instanceCurr.isMonitor)
{
lblMonitorCurrent.Text = Program.GetResourceString(
"UI.Gui.Title.Monitor",
Threads.CmdEngine.theInstance.target,
instanceCurr.clientName
);
tabPageMonitor.MyShow();
}
else
{
lblDollCurrent.Text = Program.GetResourceString(
"UI.Gui.Title.Doll",
Threads.CmdEngine.theInstance.target,
instanceCurr.clientName
);
this.RefreshGuiHooks();
tabPageDoll.MyShow();
if (instanceCurr.hookOep != 0)
{
int idx = instanceCurr.hooks.FindIndex(x => x.oep == instanceCurr.hookOep);
Threads.HookEntry entry = instanceCurr.hooks[idx];
lblHookedCurrent.Text = Program.GetResourceString(
"UI.Gui.Title.Hooked",
idx,
entry.name,
(instanceCurr.hookPhase == 0) ? "before" : "after"
);
btnVerdictReject.Enabled = (instanceCurr.hookPhase == 0);
tabPageHooked.MyShow();
}
}
}
}
