elliptic-shiho · June 5, 2016 19:03
diff --git a/geteip.c b/geteip.c
 #include "DECAF_types.h"
 #include "DECAF_main.h"
 #include "DECAF_callback.h"
 #include "DECAF_callback_common.h"
 #include "vmi_callback.h"
 #include "utils/Output.h"
 #include "DECAF_target.h"
 #include "hookapi.h"

 static plugin_interface_t geteip_interface;
 static DECAF_Handle processbegin_handle = DECAF_NULL_HANDLE;
 static DECAF_Handle blockbegin_handle = DECAF_NULL_HANDLE;
 static DECAF_Handle insn_handle = DECAF_NULL_HANDLE;
 static DECAF_Handle Sleep_handle = DECAF_NULL_HANDLE;
 char targetname[512];
 uint32_t st_count = 0;
 uint32_t target_cr3;

 typedef struct {
  uint32_t call_stack[1]; //paramters and return address
  DECAF_Handle hook_handle;
 } hook_context_t;

 #define CALL_HOOK(x) static void x##_call(void *opaque) { \
  DECAF_printf("%s ", #x); \
  hook_context_t *ctx = (hook_context_t*)malloc(sizeof(hook_context_t)); \
  if(!ctx) return; \
  DECAF_read_mem(NULL, cpu_single_env->regs[R_ESP], 4, ctx->call_stack); \
  ctx->hook_handle = hookapi_hook_return(ctx->call_stack[0], x##_ret, ctx, sizeof(*ctx));\
 } \
 static DECAF_Handle x##_handle = DECAF_NULL_HANDLE

 #define RET_HOOK(x,y) static void x##_ret(void *param) { \
  hook_context_t *ctx = (hook_context_t *)param; \
  hookapi_remove_hook(ctx->hook_handle); \
  free(ctx); \
  y;\
 }
 #define HOOK_FUNC(x) x##_handle = hookapi_hook_function_byname("kernel32.dll", #x, 1, target_cr3, x##_call, NULL, 0)

 static void Sleep_call(void *opaque) {
  DECAF_printf("Sleep ");
  int i = 0;
  DECAF_write_mem(NULL, cpu_single_env->regs[R_ESP] + 4, 4, &i);
 }

 RET_HOOK(IsDebuggerPresent, cpu_single_env->regs[R_EAX] = 0);
 CALL_HOOK(IsDebuggerPresent);
 RET_HOOK(GetTickCount, cpu_single_env->regs[R_EAX] = 1000 * st_count++);
 CALL_HOOK(GetTickCount);
 RET_HOOK(GetSystemInfo, int i = 4; DECAF_write_mem(NULL, cpu_single_env->regs[R_EBP] - 0x14, 4, &i));
 CALL_HOOK(GetSystemInfo);

 static void geteip_block_begin_callback(DECAF_Callback_Params* params) {
  if(params->bb.env->cr[3] == target_cr3) {
    target_ulong eip = params->bb.env->eip; 
    target_ulong eax = params->bb.env->regs[R_EAX]; 
    // DECAF_printf("EIP = 0x%08x, EAX = 0x%08x\n", eip, eax);
  }
 }

 static void geteip_insn_callback(DECAF_Callback_Params* params) {
  if (cpu_single_env->eip == 0x401041) {
    cpu_single_env->regs[R_EAX] = 0;
  }
 }

 static void geteip_loadmainmodule_callback(VMI_Callback_Params* params) {
  if(strcmp(params->cp.name,targetname) == 0) {
    DECAF_printf("Process %s you spcecified starts \n", params->cp.name);
    target_cr3 = params->cp.cr3;
    HOOK_FUNC(IsDebuggerPresent);
    HOOK_FUNC(Sleep);
    HOOK_FUNC(GetTickCount);
    HOOK_FUNC(GetSystemInfo);
    blockbegin_handle = DECAF_register_callback(DECAF_BLOCK_BEGIN_CB, &geteip_block_begin_callback, NULL);
    insn_handle = DECAF_register_callback(DECAF_INSN_BEGIN_CB, &geteip_insn_callback, NULL);
  }
 }

 void do_monitor_proc(Monitor* mon, const QDict* qdict) {
  if ((qdict != NULL) && (qdict_haskey(qdict, "procname")))
    strncpy(targetname, qdict_get_str(qdict, "procname"), 512);
  targetname[511] = '\0';
  DECAF_printf("Ready to track %s\n", targetname);
 }

 static int geteip_init(void) {
  processbegin_handle = VMI_register_callback(VMI_CREATEPROC_CB, &geteip_loadmainmodule_callback, NULL);
  if (processbegin_handle == DECAF_NULL_HANDLE)
    DECAF_printf("Could not register for the create or remove proc events\n");  
  return 0;
 }

 static void geteip_cleanup(void) {
  if (processbegin_handle != DECAF_NULL_HANDLE) {
    VMI_unregister_callback(VMI_CREATEPROC_CB, processbegin_handle);  
    processbegin_handle = DECAF_NULL_HANDLE;
  }
  if (blockbegin_handle != DECAF_NULL_HANDLE) {
    DECAF_unregister_callback(DECAF_BLOCK_BEGIN_CB, blockbegin_handle);
    blockbegin_handle = DECAF_NULL_HANDLE;
  }
 }

 static mon_cmd_t geteip_term_cmds[] = 
 {
 #include "plugin_cmds.h"
  {NULL, NULL, },
 };

 plugin_interface_t* init_plugin(void) {
  geteip_interface.mon_cmds = geteip_term_cmds;
  geteip_interface.plugin_cleanup = &geteip_cleanup;
  geteip_init();
  return (&geteip_interface);
 }
	#include "DECAF_types.h"
	#include "DECAF_main.h"
	#include "DECAF_callback.h"
	#include "DECAF_callback_common.h"
	#include "vmi_callback.h"
	#include "utils/Output.h"
	#include "DECAF_target.h"
	#include "hookapi.h"

	static plugin_interface_t geteip_interface;
	static DECAF_Handle processbegin_handle = DECAF_NULL_HANDLE;
	static DECAF_Handle blockbegin_handle = DECAF_NULL_HANDLE;
	static DECAF_Handle insn_handle = DECAF_NULL_HANDLE;
	static DECAF_Handle Sleep_handle = DECAF_NULL_HANDLE;
	char targetname[512];
	uint32_t st_count = 0;
	uint32_t target_cr3;

	typedef struct {
	uint32_t call_stack[1]; //paramters and return address
	DECAF_Handle hook_handle;
	} hook_context_t;

	#define CALL_HOOK(x) static void x##_call(void *opaque) { \
	DECAF_printf("%s ", #x); \
	hook_context_t ctx = (hook_context_t)malloc(sizeof(hook_context_t)); \
	if(!ctx) return; \
	DECAF_read_mem(NULL, cpu_single_env->regs[R_ESP], 4, ctx->call_stack); \
	ctx->hook_handle = hookapi_hook_return(ctx->call_stack[0], x##_ret, ctx, sizeof(*ctx));\
	} \
	static DECAF_Handle x##_handle = DECAF_NULL_HANDLE

	#define RET_HOOK(x,y) static void x##_ret(void *param) { \
	hook_context_t ctx = (hook_context_t )param; \
	hookapi_remove_hook(ctx->hook_handle); \
	free(ctx); \
	y;\
	}
	#define HOOK_FUNC(x) x##_handle = hookapi_hook_function_byname("kernel32.dll", #x, 1, target_cr3, x##_call, NULL, 0)

	static void Sleep_call(void *opaque) {
	DECAF_printf("Sleep ");
	int i = 0;
	DECAF_write_mem(NULL, cpu_single_env->regs[R_ESP] + 4, 4, &i);
	}

	RET_HOOK(IsDebuggerPresent, cpu_single_env->regs[R_EAX] = 0);
	CALL_HOOK(IsDebuggerPresent);
	RET_HOOK(GetTickCount, cpu_single_env->regs[R_EAX] = 1000 * st_count++);
	CALL_HOOK(GetTickCount);
	RET_HOOK(GetSystemInfo, int i = 4; DECAF_write_mem(NULL, cpu_single_env->regs[R_EBP] - 0x14, 4, &i));
	CALL_HOOK(GetSystemInfo);

	static void geteip_block_begin_callback(DECAF_Callback_Params* params) {
	if(params->bb.env->cr[3] == target_cr3) {
	target_ulong eip = params->bb.env->eip;
	target_ulong eax = params->bb.env->regs[R_EAX];
	// DECAF_printf("EIP = 0x%08x, EAX = 0x%08x\n", eip, eax);
	}
	}

	static void geteip_insn_callback(DECAF_Callback_Params* params) {
	if (cpu_single_env->eip == 0x401041) {
	cpu_single_env->regs[R_EAX] = 0;
	}
	}

	static void geteip_loadmainmodule_callback(VMI_Callback_Params* params) {
	if(strcmp(params->cp.name,targetname) == 0) {
	DECAF_printf("Process %s you spcecified starts \n", params->cp.name);
	target_cr3 = params->cp.cr3;
	HOOK_FUNC(IsDebuggerPresent);
	HOOK_FUNC(Sleep);
	HOOK_FUNC(GetTickCount);
	HOOK_FUNC(GetSystemInfo);
	blockbegin_handle = DECAF_register_callback(DECAF_BLOCK_BEGIN_CB, &geteip_block_begin_callback, NULL);
	insn_handle = DECAF_register_callback(DECAF_INSN_BEGIN_CB, &geteip_insn_callback, NULL);
	}
	}

	void do_monitor_proc(Monitor* mon, const QDict* qdict) {
	if ((qdict != NULL) && (qdict_haskey(qdict, "procname")))
	strncpy(targetname, qdict_get_str(qdict, "procname"), 512);
	targetname[511] = '\0';
	DECAF_printf("Ready to track %s\n", targetname);
	}

	static int geteip_init(void) {
	processbegin_handle = VMI_register_callback(VMI_CREATEPROC_CB, &geteip_loadmainmodule_callback, NULL);
	if (processbegin_handle == DECAF_NULL_HANDLE)
	DECAF_printf("Could not register for the create or remove proc events\n");
	return 0;
	}

	static void geteip_cleanup(void) {
	if (processbegin_handle != DECAF_NULL_HANDLE) {
	VMI_unregister_callback(VMI_CREATEPROC_CB, processbegin_handle);
	processbegin_handle = DECAF_NULL_HANDLE;
	}
	if (blockbegin_handle != DECAF_NULL_HANDLE) {
	DECAF_unregister_callback(DECAF_BLOCK_BEGIN_CB, blockbegin_handle);
	blockbegin_handle = DECAF_NULL_HANDLE;
	}
	}

	static mon_cmd_t geteip_term_cmds[] =
	{
	#include "plugin_cmds.h"
	{NULL, NULL, },
	};

	plugin_interface_t* init_plugin(void) {
	geteip_interface.mon_cmds = geteip_term_cmds;
	geteip_interface.plugin_cleanup = &geteip_cleanup;
	geteip_init();
	return (&geteip_interface);
	}