windows

Published: Jun 15, 2020 License: GPL-2.0 Imports: 19 Imported by: 0


Constants

// Win32 values shared by the API hooks: generic access rights, CreateFile
// creation dispositions, a thread-creation flag, Win32 error codes, registry
// value types and NTSTATUS/wait results. All are untyped constants. Note that
// GENERIC_READ (0x80000000) exceeds math.MaxInt32, so it cannot be stored in
// Handle.Access (an int32) without an explicit conversion.
const (
	// Generic access rights (dwDesiredAccess bits).
	GENERIC_ALL      = 0x10000000
	GENERIC_EXECUTE  = 0x20000000
	GENERIC_WRITE    = 0x40000000
	GENERIC_READ     = 0x80000000
	// CREATE_NEW / CREATE_ALWAYS are CreateFile creation dispositions;
	// CREATE_SUSPENDED is a CreateThread creation flag (same numeric space,
	// different parameter).
	CREATE_NEW       = 0x1
	CREATE_ALWAYS    = 0x2
	CREATE_SUSPENDED = 0x4
	//
	// Win32 error codes as surfaced through GetLastError.
	ERROR_SUCCESS        = 0x0
	ERROR_FILE_NOT_FOUND = 0x2
	ERROR_INVALID_HANDLE = 0x6
	ERROR_MORE_DATA      = 0xea
	ERROR_NO_MORE_ITEMS  = 0x103
	//
	// Registry value types (REG_*). Not every native type is listed; only the
	// ones the mock registry presumably needs.
	REG_NONE      = 0x0
	REG_SZ        = 0x1
	REG_EXPAND_SZ = 0x2
	REG_BINARY    = 0x3
	REG_DWORD     = 0x4
	REG_LINK      = 0x6
	REG_MULTI_SZ  = 0x7
	REG_QWORD     = 0xb
	//
	// CreateThread dwCreationFlags bit: dwStackSize is a reservation, not a commit.
	STACK_SIZE_PARAM_IS_A_RESERVATION = 0x00010000
	//
	// NTSTATUS / wait-function results. STATUS_WAIT_n is the index of the
	// signalled object; STATUS_ABANDONED is the WAIT_ABANDONED base.
	STATUS_SUCCESS   = 0x0
	STATUS_WAIT_0    = 0x0
	STATUS_WAIT_1    = 0x1
	STATUS_WAIT_2    = 0x2
	STATUS_WAIT_3    = 0x3
	STATUS_WAIT_63   = 0x3f
	STATUS_ABANDONED = 0x80
)
// x86 segment-descriptor and selector bit values, presumably used to build the
// GDT the emulator maps at MemRegions.GdtAddress. F_* are the flags nibble of a
// descriptor (granularity, 32-bit default, long mode); PRESENT through
// DIR_CON_BIT are access-byte bits; S_* are selector fields (table indicator and
// requested privilege level).
const (
	F_GRANULARITY  = 0x8
	F_PROT_32      = 0x4
	F_LONG         = 0x2
	PRESENT        = 0x80
	// PRIV_n are the DPL bits (5-6) of the access byte.
	PRIV_3         = 0x60
	PRIV_2         = 0x40
	PRIV_1         = 0x20
	PRIV_0         = 0x0
	// CODE and DATA are intentionally the same value: both set the
	// descriptor-type bit (code/data vs. system segment); a code segment is
	// distinguished by also setting EXEC. TSS and GATE are system descriptors
	// and leave that bit clear.
	CODE           = 0x10
	DATA           = 0x10
	TSS            = 0x0
	GATE           = 0x00
	EXEC           = 0x8
	// DATA_WRITEABLE and CODE_READABLE share bit 1; its meaning depends on EXEC.
	DATA_WRITEABLE = 0x2
	CODE_READABLE  = 0x2
	// DIR_CON_BIT is the expand-down (data) / conforming (code) bit.
	DIR_CON_BIT    = 0x4
	// S_GDT selects the GDT (table-indicator bit clear); S_PRIV_n is the RPL.
	S_GDT          = 0x0
	S_PRIV_3       = 0x3
	S_PRIV_2       = 0x2
	S_PRIV_1       = 0x1
	S_PRIV_0       = 0x0
)
// LogTypeStdout, LogTypeJSON and LogTypeSlice are the log output modes; the
// selected one is carried in WinEmulatorOptions.LogType. LogTypeSlice
// presumably accumulates entries into WinEmulator.InstructionLog instead of
// printing them — confirm against Start.
const (
	LogTypeStdout = iota
	LogTypeJSON
	LogTypeSlice
)

Defines the basic log types available in winemulator; they can be selected via command-line flags.

Variables

// EN_LOCALE is the English locale table returned for locale queries (see
// GetLocale). Keys presumably are LCTYPE values as passed to GetLocaleInfo
// (e.g. 0x2a–0x30 look like LOCALE_SDAYNAME1..7) — confirm against winnls.h
// and the hooks that read it. Entries are listed in ascending key order.
var EN_LOCALE = map[int]string{
	// Separators and currency formatting.
	0xc:  "'",
	0xe:  ".",
	0xf:  ",",
	0x14: "$",
	0x19: "2",
	0x1b: "0",
	0x1c: "0",
	0x1d: "/",
	0x1e: ":",
	// Date formats.
	0x1f: "%m/%d/%y",
	0x20: "%B %d, %Y",
	0x23: "0",
	0x25: "0",
	// AM/PM markers.
	0x28: "am",
	0x29: "pm",
	// Full weekday names, Monday first.
	0x2a: "Monday",
	0x2b: "Tuesday",
	0x2c: "Wednesday",
	0x2d: "Thursday",
	0x2e: "Friday",
	0x2f: "Saturday",
	0x30: "Sunday",
	// Abbreviated weekday names.
	0x31: "Mon",
	0x32: "Tue",
	0x33: "Wed",
	0x34: "Thu",
	0x35: "Fri",
	0x36: "Sat",
	0x37: "Sun",
	// Full month names.
	0x38: "January",
	0x39: "February",
	0x3a: "March",
	0x3b: "April",
	0x3c: "May",
	0x3d: "June",
	0x3e: "July",
	0x3f: "August",
	0x40: "September",
	0x41: "October",
	0x42: "November",
	0x43: "December",
	// Abbreviated month names.
	0x44: "Jan",
	0x45: "Feb",
	0x46: "Mar",
	0x47: "Apr",
	0x48: "May",
	0x49: "Jun",
	0x4a: "Jul",
	0x4b: "Aug",
	0x4c: "Sep",
	0x4d: "Oct",
	0x4e: "Nov",
	0x4f: "Dec",
	// High-numbered LCTYPEs: code page, time-marker position, calendar type
	// (identification inferred — confirm).
	0x1004: "utf-8",
	0x1005: "\x00",
	0x1009: "1",
}

Functions

func AdvApi32Hooks

func AdvApi32Hooks(emu *WinEmulator)

func ComctlHooks

func ComctlHooks(emu *WinEmulator)

func Comdlg32Hooks

func Comdlg32Hooks(emu *WinEmulator)

func EvntprovHooks

func EvntprovHooks(emu *WinEmulator)

func FileapiHooks

func FileapiHooks(emu *WinEmulator)

func GetLocale

func GetLocale(id int) map[int]string

func GetModuleHandle

func GetModuleHandle(emu *WinEmulator, in *Instruction, wide bool) uint64

func HeapapiHooks

func HeapapiHooks(emu *WinEmulator)

func HookCode

func HookCode(emu *WinEmulator) func(mu uc.Unicorn, addr uint64, size uint32)

func HookInterupt

func HookInterupt(emu *WinEmulator) func(mu uc.Unicorn, intnum uint32)

func HookInvalid

func HookInvalid(emu *WinEmulator) func(mu uc.Unicorn, access int, addr uint64, size int, value int64) bool

func KernelbaseHooks

func KernelbaseHooks(emu *WinEmulator)

func LibloaderapiHooks

func LibloaderapiHooks(emu *WinEmulator)

func MemoryApiHooks

func MemoryApiHooks(emu *WinEmulator)

func MmapiHooks

func MmapiHooks(emu *WinEmulator)

func NtdllHooks

func NtdllHooks(emu *WinEmulator)

func Objbase

func Objbase(emu *WinEmulator)

func Ole2Hooks

func Ole2Hooks(emu *WinEmulator)

func OleHooks

func OleHooks(emu *WinEmulator)

func Oleaut32Hooks

func Oleaut32Hooks(emu *WinEmulator)

func OledlgHooks

func OledlgHooks(emu *WinEmulator)

func PowrProf

func PowrProf(emu *WinEmulator)

func ProcessthreadsapiHooks

func ProcessthreadsapiHooks(emu *WinEmulator)

func ShellapiHooks

func ShellapiHooks(emu *WinEmulator)

func ShlobjCoreHooks

func ShlobjCoreHooks(emu *WinEmulator)

func SkipFunctionCdecl

func SkipFunctionCdecl(set_return bool, ret uint64) func(emu *WinEmulator, instruction *Instruction) bool

SkipFunctionAdj will step over a function by adjusting the stack accordingly. The set_return and ret parameters set the RAX/EAX value if necessary, and stackadj adjusts the stack properly. Stackadj is used according to the appropriate calling convention.

func SkipFunctionStdCall

func SkipFunctionStdCall(set_return bool, ret uint64) func(emu *WinEmulator, instruction *Instruction) bool

func SyncapiHooks

func SyncapiHooks(emu *WinEmulator)

func Sysinfoapi

func Sysinfoapi(emu *WinEmulator)

func UcrtBase32Hooks

func UcrtBase32Hooks(emu *WinEmulator)

func User32Hooks

func User32Hooks(emu *WinEmulator)

func UtilapiHooks

func UtilapiHooks(emu *WinEmulator)

func VcRuntimeHooks

func VcRuntimeHooks(emu *WinEmulator)

func WdmHooks

func WdmHooks(emu *WinEmulator)

func WinbaseHooks

func WinbaseHooks(emu *WinEmulator)

func WinnlsHooks

func WinnlsHooks(emu *WinEmulator)

func WinregHooks

func WinregHooks(emu *WinEmulator)

func WinuserHooks

func WinuserHooks(emu *WinEmulator)

func Wow64apisetHooks

func Wow64apisetHooks(emu *WinEmulator)

Types

type ClientID

// ClientID pairs a process handle with a thread handle, both as 32-bit values.
// It presumably mirrors the 32-bit CLIENT_ID layout (UniqueProcess,
// UniqueThread) — confirm against the hooks that read and write it.
type ClientID struct {
	ProcessHandle uint32
	ThreadHandle  uint32
}

type Env

// Env is one environment-variable entry for the emulated process. Entries are
// read from the yaml config as the elements of WinOptions.Env (`environment`).
type Env struct {
	Key   string `yaml:"key"`
	Value string `yaml:"value"`
}

Env is the key/value pair for specifying environment variables for the emulated process

type Handle

// Handle is the emulator-side object behind a guest HANDLE value (see
// WinEmulator.Handles). Judging by the field set, a handle refers to a file,
// a registry key or a thread, with the unused pointers left nil — confirm
// against OpenFile and ScheduleManager.NewThread.
type Handle struct {
	// Path is the path the handle was opened with (see OpenFile). It
	// presumably originates from the emulated binary's API arguments, so
	// whether it is confined beneath WinEmulatorOptions.RootFolder is
	// something the opening code must guarantee — not visible here.
	Path   string
	// Access is the requested access mask. Because it is int32, GENERIC_READ
	// (0x80000000) only fits after an explicit conversion from uint32.
	Access int32
	// Pos is the current file position; presumably maintained by Seek and
	// reported by Tell.
	Pos    int64
	// File is the host file backing a file handle.
	File   *os.File
	Info   os.FileInfo
	// RegKey is set for registry-key handles.
	RegKey *RegKey
	// Thread is set for thread handles (ScheduleManager.NewThread returns a *Handle).
	Thread *Thread
}

func (*Handle) Close

func (handle *Handle) Close()

func (*Handle) Read

func (handle *Handle) Read(out_bytes []byte) (int, error)

func (*Handle) Seek

func (handle *Handle) Seek(offset int64, whence int) (int64, error)

func (*Handle) Tell

func (handle *Handle) Tell() int64

func (*Handle) Write

func (handle *Handle) Write(bytes []byte) (int, error)

type Hook

// Hook describes one emulated Win32 API function: the imported name, the
// formatted parameters and decoded values captured for logging, and the Go
// function (Fn) that implements or stubs it. Parameters is appended to by
// Instruction.FmtToParameters.
type Hook struct {
	Name        string
	Parameters  []string
	// Fn runs when the hooked address is reached and returns a bool; what the
	// bool signals is not visible on this page — confirm.
	Fn          func(*WinEmulator, *Instruction) bool
	// Implemented presumably distinguishes a real implementation from a
	// logging-only stub — confirm.
	Implemented bool
	// Values are the decoded argument values. They presumably derive from
	// guest memory and registers, so treat them as untrusted when logging or
	// acting on them.
	Values      []interface{}
	Return      uint64
	HookStatus  string
	// Lib is the DLL the hooked function belongs to.
	Lib         string
}

func NopHook

func NopHook() *Hook

type Instruction

// Instruction is one emulated instruction at Addr, together with the argument
// words and stack bytes captured at that point and the Hook (if any) matched
// at the address. Log and MarshalJSON produce the InstructionLog view of it.
type Instruction struct {
	Addr  uint64
	Size  uint32
	// Args are raw argument words (see WinEmulator.CaptureParameters).
	Args  []uint64
	// Stack is a raw copy of guest stack bytes; its contents are
	// guest-controlled.
	Stack []byte
	Hook  *Hook

	// ThreadID is the id of the emulated thread that executed the instruction.
	ThreadID int
	// contains filtered or unexported fields
}

func (*Instruction) Address

func (self *Instruction) Address() string

func (*Instruction) Disassemble

func (self *Instruction) Disassemble() string

func (*Instruction) FmtToParameters

func (self *Instruction) FmtToParameters(fmts []string)

FmtToParameters will take formatters and append to self.Hook.Parameters

func (*Instruction) Log

func (i *Instruction) Log() *InstructionLog

Log will output an anonymous struct that represents the instruction in JSON form

func (*Instruction) MarshalJSON

func (i *Instruction) MarshalJSON() ([]byte, error)

func (*Instruction) ParseValues

func (self *Instruction) ParseValues()

func (*Instruction) String

func (i *Instruction) String() string

StringInstruction will print the instruction disassembly at the current EIP position

func (*Instruction) StringHook

func (i *Instruction) StringHook() string

StringHook will print the hook string value if a hook is implemented, otherwise empty string

type InstructionLog

// InstructionLog is the JSON-serialisable record of one emulated instruction,
// produced by Instruction.Log. Hook-related fields (Lib, Fn, Parameters,
// Values, Return) are omitted from the JSON when empty, so plain instructions
// serialise to just tid/addr/size/opcode.
type InstructionLog struct {
	Tid        int           `json:"tid"`
	Addr       uint64        `json:"addr"`
	Size       uint32        `json:"size"`
	Opcode     string        `json:"opcode"`
	Lib        string        `json:"lib,omitempty"`
	Fn         string        `json:"fn,omitempty"`
	Parameters []string      `json:"parameters,omitempty"`
	// Values hold arbitrary decoded arguments; a zero Return is also omitted,
	// so "no return" and "returned 0" are indistinguishable in the output.
	Values     []interface{} `json:"values,omitempty"`
	Return     uint64        `json:"return,omitempty"`
}

InstructionLog is the exported struct detailing a single instruction. Useful for programmatic access to the emulated output

type MemRegions

// MemRegions records the size and base address of each region the emulator
// maps into the guest (process info, TIB, GDT, stack, heap, library area and
// the loaded image), plus the guest addresses of the PEB and TEB.
type MemRegions struct {
	ProcInfoSize    uint64
	TibSize         uint64
	GdtSize         uint64
	StackSize       uint64
	HeapSize        uint64
	LibSize         uint64
	ImageSize       uint64
	// *Address fields are guest virtual addresses, not host pointers.
	ProcInfoAddress uint64
	TibAddress      uint64
	GdtAddress      uint64
	StackAddress    uint64
	HeapAddress     uint64
	LibAddress      uint64
	ImageAddress    uint64
	PebAddress      uint64
	TebAddress      uint64
}

type ModuleList

// ModuleList is a slice of ModulePair that implements sort.Interface (Len,
// Less, Swap) so loaded modules can be ordered; see CreateModuleList and
// Populate for how it is filled from a name-to-address map.
type ModuleList []ModulePair

func CreateModuleList

func CreateModuleList(keyvalue map[string]uint64) ModuleList

func (ModuleList) Len

func (m ModuleList) Len() int

func (ModuleList) Less

func (m ModuleList) Less(i int, j int) bool

func (ModuleList) Populate

func (m ModuleList) Populate(keyvalue map[string]uint64)

func (ModuleList) Sort

func (m ModuleList) Sort()

func (ModuleList) Swap

func (m ModuleList) Swap(i, j int)

type ModulePair

// ModulePair associates a loaded module's name with its guest base address.
type ModulePair struct {
	Module  string
	Address uint64
}

ModulePair is used to keep track of the emulator address of a loaded module. Used to lookup a certain module in the emulator based on its address in memory.

type OpenFileName32

// OpenFileName32 appears to mirror the 32-bit OPENFILENAME structure used by
// the comdlg32 hooks, with every pointer member represented as a uint32 guest
// address. Field names follow the native members with the Hungarian prefixes
// dropped (DefExit presumably corresponds to lpstrDefExt — confirm).
type OpenFileName32 struct {
	StructSize    uint32
	Owner         uint32
	Instance      uint32
	Filter        uint32
	CustomFilter  uint32
	MaxCustFilter uint32
	FilterIndex   uint32
	File          uint32
	MaxFile       uint32
	FileTitle     uint32
	MaxFileTitle  uint32
	InitialDir    uint32
	Title         uint32
	Flags         uint32
	// FileOffset and FileExtension are the two WORD members; together they
	// occupy one 32-bit slot.
	FileOffset    uint16
	FileExtension uint16
	DefExit       uint32
	CustData      uint32
	Hook          uint32
	TemplateName  uint32
	EditInfo      uint32
	Prompt        uint32
	Reserved      uint32
	Reserved2     uint32
	FlagsEx       uint32
}

type PebLdrData32

// PebLdrData32 is the 32-bit PEB_LDR_DATA layout written into the guest PEB.
// The three [8]byte fields are LIST_ENTRY heads (two 32-bit pointers each).
// Reference: the PEB_LDR_DATA study linked below.
type PebLdrData32 struct {
	Length                          uint32
	Initialized                     uint32 //boolean
	SsHandle                        uint32
	InLoadOrderModuleList           [8]byte
	InMemoryOrderModuleList         [8]byte
	InInitializationOrderModuleList [8]byte
	EntryInProgress                 uint32
	ShutdownInProgress              uint32 //boolean
	ShutdownThreadId                uint32
}

https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb_ldr_data.htm

type PebLdrData64

// PebLdrData64 is the 64-bit PEB_LDR_DATA layout. The three [16]byte fields
// are LIST_ENTRY heads (two 64-bit pointers each).
//
// NOTE(review): SsHandle is 4 bytes here, whereas the native 64-bit member is
// pointer-sized; if this struct is serialised without padding (e.g. via
// encoding/binary) the list heads land 4 bytes earlier than in the native
// layout — confirm against how the PEB is written into guest memory.
type PebLdrData64 struct {
	Length                          uint32
	Initialized                     uint32 //boolean
	SsHandle                        uint32
	InLoadOrderModuleList           [16]byte
	InMemoryOrderModuleList         [16]byte
	InInitializationOrderModuleList [16]byte
	EntryInProgress                 uint64
	ShutdownInProgress              uint64 //boolean
	ShutdownThreadId                uint64
}

type PebLdrDataTableEntry32

// PebLdrDataTableEntry32 is the 32-bit LDR_DATA_TABLE_ENTRY layout, one per
// loaded module on the PEB loader lists. The [8]byte fields are LIST_ENTRY
// links; DllBase/EntryPoint are guest addresses. Reference: the
// LDR_DATA_TABLE_ENTRY study linked below.
type PebLdrDataTableEntry32 struct {
	InOrderLinks               [8]byte
	InMemoryOrderLinks         [8]byte
	InInitializationOrderLinks [8]byte
	DllBase                    uint32
	EntryPoint                 uint32
	SizeOfImage                uint32
	FullDllName                UnicodeString32
	BaseDllName                UnicodeString32
	Flags                      uint32
	LoadCount                  uint16 // named ObseleteLoadCount OS6.2+
	TlsIndex                   uint16
	// Only the leading part of the native structure is modelled here.
	HashLinks                  [8]byte // increase by PVOID+ULONG if <OS6.2
}

https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/ldr_data_table_entry.htm

type PebLdrDataTableEntry64

// PebLdrDataTableEntry64 is the 64-bit counterpart of PebLdrDataTableEntry32:
// [16]byte LIST_ENTRY links and 64-bit guest addresses. SizeOfImage is
// widened to 8 bytes, which covers the native ULONG plus its alignment padding.
type PebLdrDataTableEntry64 struct {
	InOrderLinks               [16]byte
	InMemoryOrderLinks         [16]byte
	InInitializationOrderLinks [16]byte
	DllBase                    uint64
	EntryPoint                 uint64
	SizeOfImage                uint64
	FullDllName                UnicodeString64
	BaseDllName                UnicodeString64
	Flags                      uint32
	LoadCount                  uint16 // named ObseleteLoadCount OS6.2+
	TlsIndex                   uint16
	// Only the leading part of the native structure is modelled here.
	HashLinks                  [16]byte // increase by PVOID+ULONG if <OS6.2
}

type ProcessEnvironmentBlock32

// ProcessEnvironmentBlock32 models the 32-bit PEB as laid out in guest memory
// at MemRegions.PebAddress. Pointer members are uint32 guest addresses; the
// elided unexported fields presumably hold padding/reserved members. Values
// such as BeingDebugged and NtlGlobalFlag are what an emulated sample sees
// when it inspects its own PEB.
type ProcessEnvironmentBlock32 struct {
	InheritedAddressSpace              byte
	ReadImageFileExecOptions           byte
	BeingDebugged                      byte
	SpareBool                          byte
	Mutant                             uint32
	ImageBaseAddress                   uint32
	Ldr                                uint32
	ProcessParameters                  uint32
	SubSystemData                      uint32
	ProcessHeap                        uint32
	FastPebLock                        uint32
	FastPebLockRoutine                 uint32
	FastPebUnlockRoutine               uint32
	EnvironmentUpdateCount             uint32
	KernelCallbackTable                uint32
	SystemReserved                     [1]uint32
	ExecuteOptionsSpareBits            uint32
	FreeList                           uint32
	TLSExpansionCounter                uint32
	TLSBitmap                          uint32
	TLSBitmapBits                      [2]uint32
	ReadOnlySharedMemoryBase           uint32
	ReadOnlySharedMemoryHeap           uint32
	ReadOnlyStaticServerData           uint32
	AnsiCodePageData                   uint32
	OemCodePageData                    uint32
	UnicodeCaseTableData               uint32
	NumberOfProcessors                 uint32
	NtlGlobalFlag                      uint32
	CriticalSectionTimeout             uint64
	HeapSegmentReserve                 uint32
	HeapSegmentCommit                  uint32
	HeapDeCommitTotalFreeThreshold     uint32
	HeapDeCommitFreeBlockThreshold     uint32
	NumberOfHeaps                      uint32
	MaximumNumberOfHeaps               uint32
	ProcessHeaps                       uint32
	GdiSharedHandleTable               uint32
	ProcessStarterHelper               uint32
	GdiDCAttributeList                 uint32
	LoaderLock                         uint32
	OsMajorVersion                     int32
	OsMinorVersion                     int32
	OsBuildNumber                      uint16
	OsCSDVersion                       uint16
	OSPlatformID                       uint32
	ImageSubsystem                     uint32
	ImageSubsystemMajorVersion         uint32
	ImageSubsystemMinorVersion         uint32
	ImageProcessAffinityMask           uint32
	GdiHandleBuffer                    [34]uint32
	PostProcessInitRoutine             uint32
	TLSExpansionBitmap                 uint32
	TLSExpansionBitmapBits             [32]uint32
	SessionID                          uint32
	AppCompatFlags                     uint64
	AppCompatFlagsUser                 uint64
	ShimData                           uint32
	AppCompatInfo                      uint32
	CSDVersion                         uint64
	ActivationContextData              uint32
	ProcessAssemblyStorageMap          uint32
	SystemDefaultActivationContextData uint32
	SystemAssemblyStorageMap           uint32
	MinimumStackCommit                 uint32
	FlsCallback                        uint32
	FlsListHead                        uint64
	FlsBitmap                          uint32
	FlsBitmapBits                      [4]uint32
	FlsHighIndex                       uint32
	WerRegistrationData                uint32
	WerShipAssertPtr                   uint32

	CsrServerReadOnlySharedMemoryBase uint64
	TppWorkerListLock                 uint32
	TppWorkerpList                    uint64
	WaitOnAddressHashTable            [0x80]uint32
	TelemetryCoverageHeader           uint32
	CloudFileFlags                    uint32
	// contains filtered or unexported fields
}

type ProcessEnvironmentBlock64

// ProcessEnvironmentBlock64 models the 64-bit PEB as laid out in guest memory
// at MemRegions.PebAddress. Pointer members are uint64 guest addresses; where
// the native layout has a 4-byte member followed by alignment padding, the
// padding is presumably among the elided unexported fields — confirm if the
// struct is serialised without Go's natural alignment.
type ProcessEnvironmentBlock64 struct {
	InheritedAddressSpace    byte
	ReadImageFileExecOptions byte
	BeingDebugged            byte
	SpareBool                byte

	Mutant                 uint64
	ImageBaseAddress       uint64
	Ldr                    uint64
	ProcessParameters      uint64
	SubSystemData          uint64
	ProcessHeap            uint64
	FastPebLock            uint64
	FastPebLockRoutine     uint64
	FastPebUnlockRoutine   uint64
	EnvironmentUpdateCount uint32

	KernelCallbackTable     uint64
	SystemReserved          [1]uint32
	ExecuteOptionsSpareBits uint32
	FreeList                uint64
	TLSExpansionCounter     uint32

	TLSBitmap                      uint64
	TLSBitmapBits                  [2]uint32
	ReadOnlySharedMemoryBase       uint64
	ReadOnlySharedMemoryHeap       uint64
	ReadOnlyStaticServerData       uint64
	AnsiCodePageData               uint64
	OemCodePageData                uint64
	UnicodeCaseTableData           uint64
	NumberOfProcessors             uint32
	NtlGlobalFlag                  uint32
	CriticalSectionTimeout         uint64
	HeapSegmentReserve             uint64
	HeapSegmentCommit              uint64
	HeapDeCommitTotalFreeThreshold uint64
	HeapDeCommitFreeBlockThreshold uint64
	NumberOfHeaps                  uint32
	MaximumNumberOfHeaps           uint32
	ProcessHeaps                   uint64
	GdiSharedHandleTable           uint64
	ProcessStarterHelper           uint64
	GdiDCAttributeList             uint32

	LoaderLock                 uint64
	OsMajorVersion             int32
	OsMinorVersion             int32
	OsBuildNumber              uint16
	OsCSDVersion               uint16
	OSPlatformID               uint32
	ImageSubsystem             uint32
	ImageSubsystemMajorVersion uint32
	ImageSubsystemMinorVersion uint32

	ImageProcessAffinityMask uint32
	GdiHandleBuffer          [60]uint32
	PostProcessInitRoutine   uint64
	TLSExpansionBitmap       uint64
	TLSExpansionBitmapBits   [32]uint32
	SessionID                uint32

	AppCompatFlags                     uint64
	AppCompatFlagsUser                 uint64
	ShimData                           uint64
	AppCompatInfo                      uint64
	CSDVersion                         [16]byte
	ActivationContextData              uint64
	ProcessAssemblyStorageMap          uint64
	SystemDefaultActivationContextData uint64
	SystemAssemblyStorageMap           uint64
	MinimumStackCommit                 uint64
	FlsCallback                        uint64
	FlsListHead                        [16]byte
	FlsBitmap                          uint64
	FlsBitmapBits                      [4]uint32
	FlsHighIndex                       uint64
	WerRegistrationData                uint64
	WerShipAssertPtr                   uint64

	CsrServerReadOnlySharedMemoryBase uint64
	TppWorkerListLock                 uint64
	TppWorkerpList                    [16]byte
	WaitOnAddressHashTable            [0x80]uint64
	TelemetryCoverageHeader           uint64
	CloudFileFlags                    uint64
	// contains filtered or unexported fields
}

type Reg

// Reg is one entry of the mock registry: either a value or a key ("folder").
// Name is the registry long name and Value its string contents; Bytes renders
// the entry into the form loaded into guest memory.
type Reg struct {
	Name  string
	Value string
	// contains filtered or unexported fields
}

Reg is the type of each value in the registry, values can be actual values or "folders" within the registry

func NewReg

func NewReg(name, value string) *Reg

NewReg will create a new Reg object given a registry long name and its value

func (*Reg) Bytes

func (r *Reg) Bytes() ([]byte, int)

Bytes will turn a Reg object into a byte representation ready to be loaded into the emulator

type RegKey

// RegKey identifies an open registry key by hive (Hkey) and key path (Name);
// it is the payload of a registry Handle (Handle.RegKey).
type RegKey struct {
	Hkey string
	Name string
}

RegKey is the registry key referenced by a registry handle

type Registry

// Registry is the mock registry exposed to the emulated process. Size is the
// number of entries it holds (inferred from the name — confirm); the backing
// store is unexported and accessed through Get, Enum, Insert and Update.
type Registry struct {
	Size int
	// contains filtered or unexported fields
}

Registry is the primary struct representing the mock registry system

func NewRegistry

func NewRegistry(temp map[string]string) (*Registry, error)

NewRegistry creates a new registry hive with some default values

func (*Registry) Enum

func (r *Registry) Enum(hkey string, name string, index int) (*Reg, error)

Enum is used with MSDN's reg enum, will allow for enumerating a registry key

func (*Registry) Get

func (r *Registry) Get(hkey string, name string) (*Reg, error)

Get will retrieve an item from the registry given a key and path

func (*Registry) Insert

func (r *Registry) Insert(key string, name string, item *Reg) error

Insert will insert 'item' into the key and name provided. Name should be a full path in the registry separated by backslashes

func (*Registry) Update

func (r *Registry) Update(hkey string, name string, value string) error

Update will update a value within the registry structure

type RtlUserProcessParameters32

// RtlUserProcessParameters32 is the leading part of the 32-bit
// RTL_USER_PROCESS_PARAMETERS: two reserved blocks followed by the image path
// and command line as UNICODE_STRINGs. UserProcessParameters32 describes the
// same bytes with the string headers inlined.
type RtlUserProcessParameters32 struct {
	Reserved1     [16]byte
	Reserved2     [10]uint32
	ImagePathName UnicodeString32
	CommandLine   UnicodeString32
}

type ScheduleManager

// ScheduleManager tracks the emulated threads and decides which one runs
// (DoSchedule). Threads are created with NewThread, which returns a thread
// Handle, and retired with DelThread/ThreadEnded. All state is unexported.
type ScheduleManager struct {
	// contains filtered or unexported fields
}

func NewScheduleManager

func NewScheduleManager(emu *WinEmulator) *ScheduleManager

func (*ScheduleManager) CurThreadId

func (self *ScheduleManager) CurThreadId() int

func (*ScheduleManager) DelThread

func (self *ScheduleManager) DelThread(threadId int)

func (*ScheduleManager) DoSchedule

func (self *ScheduleManager) DoSchedule()

func (*ScheduleManager) NewThread

func (self *ScheduleManager) NewThread(eip uint64, stack uint64, parameter uint64, creationFlag uint64) *Handle

func (*ScheduleManager) ThreadEnded

func (self *ScheduleManager) ThreadEnded(threadId int) uint64

type ServiceTableEntry

// ServiceTableEntry maps a service name to the guest address of its service
// procedure; presumably used by the advapi32 service hooks — confirm.
type ServiceTableEntry struct {
	ServiceName string
	ServiceProc uint64
}

type StartupInfo

// StartupInfo appears to mirror the 32-bit STARTUPINFO structure with string
// pointers as uint32 guest addresses. Cb is the structure size the caller
// fills in; Reserved2/Reserved2a stand for cbReserved2/lpReserved2 (inferred
// from position — confirm).
type StartupInfo struct {
	Cb          int32
	Reserved    uint32
	Desktop     uint32
	Title       uint32
	X           int32
	Y           int32
	XSize       int32
	YSize       int32
	XCountChars int32
	YCountChars int32
	Flags       int32
	ShowWindow  int16
	Reserved2   int16
	Reserved2a  uint32
	StdInput    uint32
	StdOutput   uint32
	StdError    uint32
}

type Thread

// Thread is one emulated thread as tracked by ScheduleManager. ThreadId is
// the id reported in Instruction.ThreadID; Status is the scheduler state
// (its values are not visible on this page).
type Thread struct {
	ThreadId int

	Status int
	// contains filtered or unexported fields
}

type ThreadInformationBlock32

// ThreadInformationBlock32 is the 32-bit TIB/TEB image mapped at
// MemRegions.TibAddress. The trailing comments give the native field offsets;
// the gap between 0x40 and 0xc4 is covered by unexported padding fields (see
// the note below). Pointer members are uint32 guest addresses.
type ThreadInformationBlock32 struct {
	CurentSEH                   uint32 //0x00
	StackBaseHigh               uint32 //0x04
	StackLimit                  uint32 //0x08
	SubSystemTib                uint32 //0x0c
	FiberData                   uint32 //0x10
	ArbitraryDataSlock          uint32 //0x14
	LinearAddressOfTEB          uint32 //0x18
	EnvPtr                      uint32 //0x1c
	ProcessId                   uint32 //0x20
	CurrentThreadId             uint32 //0x24
	ActiveRPCHandle             uint32 //0x28
	AddressOfThreadLocalStorage uint32 //0x2c
	AddressOfPEB                uint32 //0x30
	// LastErrorNumber is what GetLastError reports; hooks presumably write
	// ERROR_* values here.
	LastErrorNumber             uint32 //0x34
	CountOwnedCriticalSections  uint32 //0x38
	AddressOfCSRClientThread    uint32 //0x3c
	Win32ThreadInformation      uint32 //0x40

	CurrentLocale uint32 //0xc4

	// TLSSlots are the 64 TlsGetValue/TlsSetValue slots.
	TLSSlots [64]uint32
	// contains filtered or unexported fields
}

NOP out large chunks of this structure (padding) until needed

type ThreadInformationBlock64

// ThreadInformationBlock64 is the 64-bit TIB/TEB image, the counterpart of
// ThreadInformationBlock32 with pointer-sized members widened to uint64. The
// trailing comments give the native field offsets; the gap between 0x78 and
// 0x108 is covered by unexported padding fields.
type ThreadInformationBlock64 struct {
	CurentSEH                   uint64 //0x00
	StackBaseHigh               uint64 //0x08
	StackLimit                  uint64 //0x10
	SubSystemTib                uint64 //0x18
	FiberData                   uint64 //0x20
	ArbitraryDataSlock          uint64 //0x28
	LinearAddressOfTEB          uint64 //0x30
	EnvPtr                      uint64 //0x38
	ProcessId                   uint64 //0x40
	CurrentThreadId             uint64 //0x48
	ActiveRPCHandle             uint64 //0x50
	AddressOfThreadLocalStorage uint64 //0x58
	AddressOfPEB                uint64 //0x60
	// LastErrorNumber and CountOwnedCriticalSections stay 32-bit and share
	// one 8-byte slot.
	LastErrorNumber             uint32 //0x68
	CountOwnedCriticalSections  uint32 //0x6c
	AddressOfCSRClientThread    uint64 //0x70
	Win32ThreadInformation      uint64 //0x78

	CurrentLocale uint32 //0x108

	// TLSSlots are the 64 TlsGetValue/TlsSetValue slots.
	TLSSlots [64]uint64
	// contains filtered or unexported fields
}

type UnicodeString32

// UnicodeString32 is the 32-bit UNICODE_STRING header: Length and
// MaximumLength are byte counts (not character counts) and Buffer is a uint32
// guest address of the UTF-16 data. When read back from guest memory all
// three values are guest-controlled, so bound reads by MaximumLength rather
// than trusting Length alone.
type UnicodeString32 struct {
	Length        uint16
	MaximumLength uint16
	Buffer        uint32
}

type UnicodeString64

// UnicodeString64 is the 64-bit UNICODE_STRING header. Length and
// MaximumLength are byte counts; the unexported field between them and Buffer
// is the padding that aligns the 64-bit Buffer pointer to 8 bytes (see the
// note below). As with UnicodeString32, values read from the guest are
// untrusted.
type UnicodeString64 struct {
	Length        uint16
	MaximumLength uint16

	Buffer uint64
	// contains filtered or unexported fields
}

https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/why-thunking-is-necessary padding needed to align to 8-byte boundary

type UserProcessParameters32

// UserProcessParameters32 describes the same bytes as
// RtlUserProcessParameters32, with the two UNICODE_STRING headers spelled out
// field by field (Len/MaxLen are byte counts, ImagePath/CommandLine are uint32
// guest addresses). Keep the two definitions in sync if either changes.
type UserProcessParameters32 struct {
	Reserved1         [16]byte
	Reserved2         [10]uint32
	ImagePathLen      uint16
	ImagePathMaxLen   uint16
	ImagePath         uint32
	CommandLineLen    uint16
	CommandLineMaxLen uint16
	CommandLine       uint32
}

type WinEmulator

// WinEmulator holds the state of one emulated x86 (32- or 64-bit) Windows
// process: the Unicorn instance, the guest memory layout, the open handles and
// loaded modules, the mock registry, the thread scheduler and the
// configuration it was started with. Build one with Load or LoadMem, then call
// Start.
type WinEmulator struct {
	// UcMode/UcArch select the Unicorn mode and architecture; PtrSize is the
	// guest pointer width in bytes.
	UcMode    int
	UcArch    int
	PtrSize   uint64
	Uc        uc.Unicorn
	Timestamp int64
	// Ticks counts emulated instructions; presumably compared against
	// WinEmulatorOptions.MaxTicks to bound a run — confirm.
	Ticks     uint64

	// InstructionLog collects per-instruction records (see LogTypeSlice).
	InstructionLog []*InstructionLog
	Binary         string
	Verbosity      int
	ShowDll        bool
	// Args/Argc/Argv are the emulated process's command line and the guest
	// addresses it was written to.
	Args           []string
	Argc           uint64
	Argv           uint64
	SearchPath     []string
	Seed           int

	EntryPoint     uint64
	NextLibAddress uint64
	MemRegions     *MemRegions
	// Handles maps the guest HANDLE value to its emulator-side Handle.
	Handles        map[uint64]*Handle
	// LoadedModules maps a module name to its guest base address.
	LoadedModules  map[string]uint64
	Heap           *core.HeapManager
	Registry       *Registry
	CPU            *core.CpuManager
	Scheduler      *ScheduleManager
	// Fls are the fiber-local-storage slots.
	Fls            [64]uint64
	// Opts are the yaml-driven settings (see WinOptions).
	Opts           WinOptions
	// these commands are used to keep state during single step mode
	LastCommand  string
	// Breakpoints is keyed by guest address.
	Breakpoints  map[uint64]uint64
	AutoContinue bool
	// contains filtered or unexported fields
}

WinEmulator is an emulator type that will eventually support the Emulator interface. This particular emulator is generic to x86 32/64 bit.

func Load

func Load(path string, args []string, options *WinEmulatorOptions) (*WinEmulator, error)

Load is the entry point for loading a PE file in the emulated environment

func LoadMem

func LoadMem(pe *pefile.PeFile, path string, args []string, options *WinEmulatorOptions) (*WinEmulator, error)

LoadMem will load a pefile from an already initiated object

func (*WinEmulator) AddHook

func (emu *WinEmulator) AddHook(lib string, fname string, hook *Hook)

AddHook makes a new function hook available to the emulated process

func (*WinEmulator) BuildInstruction

func (emu *WinEmulator) BuildInstruction(addr uint64, size uint32) *Instruction

func (*WinEmulator) CaptureParameters

func (emu *WinEmulator) CaptureParameters(n int) []uint64

func (*WinEmulator) GetHook

func (emu *WinEmulator) GetHook(addr uint64) (string, string, *Hook)

GetHook will get a hook from the list of available hooks, returning the dll, function name and hook object

func (*WinEmulator) LoadHooks

func (emu *WinEmulator) LoadHooks()

func (*WinEmulator) OpenFile

func (emu *WinEmulator) OpenFile(path string, access int32) (*Handle, error)

func (*WinEmulator) SetupHooks

func (emu *WinEmulator) SetupHooks() error

func (*WinEmulator) Start

func (emu *WinEmulator) Start() error

Start will begin emulation at the entry point and continue until error or until the end of execution.

type WinEmulatorOptions

// WinEmulatorOptions are the command-line-level settings passed to Load and
// LoadMem; InitWinEmulatorOptions returns the defaults.
type WinEmulatorOptions struct {
	// RootFolder is the host directory that backs the emulated filesystem
	// (inferred from the name — confirm). Guest-supplied paths should resolve
	// inside it.
	RootFolder   string
	// RunDLLMain controls whether a DLL's entry point is executed when the
	// loaded binary is a DLL (inferred — confirm).
	RunDLLMain   bool
	// ConfigPath is the yaml file parsed into WinOptions (the `-c` flag).
	ConfigPath   string
	VerboseLevel int
	ShowDLL      bool
	// MaxTicks bounds the number of emulated instructions; presumably
	// compared against WinEmulator.Ticks.
	MaxTicks     int64
	// LogType is one of the LogType* constants.
	LogType      int
}

WinEmulatorOptions will get passed into the WinEmulator

func InitWinEmulatorOptions

func InitWinEmulatorOptions() *WinEmulatorOptions

InitWinEmulatorOptions will build a default option struct to pass into WinEmulator

type WinOptions

// WinOptions is the yaml configuration describing the machine the emulated
// process sees (locale, OS version, processor, registry, environment, system
// time). The yaml tags are the keys a config file must use.
type WinOptions struct {
	CodePageIdentifier int               `yaml:"code_page_identifier"`
	ComputerName       string            `yaml:"computer_name"`
	CurrentLocale      int               `yaml:"current_locale"`
	DllLoadReason      int               `yaml:"dll_load_reason"`
	Env                []Env             `yaml:"environment"`
	KeyboardType       int               `yaml:"keyboard_type"`
	KeyboardSubType    int               `yaml:"keyboard_subtype"`
	KeyboardFuncKeys   int               `yaml:"keyboard_funckeys"`
	OsMajorVersion     int               `yaml:"os_major_version"`
	OsMinorVersion     int               `yaml:"os_minor_version"`
	ProcessorsCount    int               `yaml:"processors_count"`
	// NOTE: the tag below is spelled with three s's (`processsor_type`) and
	// config files must match it exactly; correcting it would be a breaking
	// change for existing configs.
	ProcessorType      int               `yaml:"processsor_type"`
	ProcessorLevel     int               `yaml:"processor_level"`
	ProcessorRevision  int               `yaml:"processor_revision"`
	// TempRegistry is the raw name→value map from the config; MockRegistry has
	// no yaml tag, so it presumably is populated from TempRegistry at load
	// time rather than from the file — confirm.
	TempRegistry       map[string]string `yaml:"registry"`
	MockRegistry       []Reg
	Root               string `yaml:"root"`
	LocaleSortOrder    int    `yaml:"locale_sort_order"`
	// SystemTime is the fixed wall-clock the emulated process is shown.
	SystemTime         struct {
		Year        int `yaml:"year"`
		Month       int `yaml:"month"`
		DayOfWeek   int `yaml:"day_of_week"`
		Day         int `yaml:"day"`
		Hour        int `yaml:"hour"`
		Minute      int `yaml:"minute"`
		Second      int `yaml:"second"`
		Millisecond int `yaml:"millisecond"`
	} `yaml:"system_time"`
	User string `yaml:"user"`
}

WinOptions struct contains all the yaml definitions for the various supported configuration settings. They can be passed to emulation via the `-c` flag. If such a yaml file is passed in, it is parsed and overrides ALL the default settings.
