Multiple function implementations #227
Conversation
wcsstr towlower tolower strstr
wcsstr towlower tolower strstr
…d leading to memory access errors
| [in] NTSTATUS ExitStatus | ||
| ); | ||
| ''' | ||
| #Copied from TerminateProcess |
There was a problem hiding this comment.
| #Copied from TerminateProcess | |
| # Copied from TerminateProcess |
| oProc = emu.get_object_from_id(cid_obj.UniqueProcess) | ||
| hProc = emu.get_object_handle(oProc) | ||
| if hProc: | ||
| emu.mem_write(hnd,(hProc).to_bytes(4, "little")) |
There was a problem hiding this comment.
| emu.mem_write(hnd,(hProc).to_bytes(4, "little")) | |
| emu.mem_write(hnd, (hProc).to_bytes(4, "little")) |
| emu.mem_write(hnd,(hProc).to_bytes(4, "little")) | ||
| rv = ddk.STATUS_SUCCESS | ||
| else: | ||
| emu.mem_write(hnd,(0).to_bytes(4, "little")) |
There was a problem hiding this comment.
| emu.mem_write(hnd,(0).to_bytes(4, "little")) | |
| emu.mem_write(hnd, (0).to_bytes(4, "little")) |
| const wchar_t *strSearch | ||
| ); | ||
| """ | ||
| #Copied from msvcrt |
There was a problem hiding this comment.
rather than copying the implementation, could we reuse the one in msvcrt somehow?
| [in, out] SHELLEXECUTEINFOW *pExecInfo | ||
| ); | ||
| ''' | ||
| #Based on ShellExecute |
There was a problem hiding this comment.
| #Based on ShellExecute | |
| # Based on ShellExecute |
| print(op) | ||
| p_fn = int.from_bytes(self.mem_read(pExecInfo + 0x10, 4), "little") | ||
| if p_fn: | ||
| fn = self.read_mem_string(p_fn, cw) | ||
| print(fn) | ||
| p_param = int.from_bytes(self.mem_read(pExecInfo + 0x14, 4),"little") | ||
| if p_param: | ||
| param = self.read_mem_string(p_param, cw) | ||
| print(param) | ||
| p_dn = int.from_bytes(self.mem_read(pExecInfo + 0x18,4), "little") | ||
| if p_dn: | ||
| dn = self.read_mem_string(p_dn, cw) | ||
| print(dn) |
There was a problem hiding this comment.
are these old debugging statements?
| proc = emu.create_process(path=fn, cmdline=param) | ||
| self.log_process_event(proc, PROC_CREATE) | ||
|
|
||
| return 33 |
There was a problem hiding this comment.
what does this return value mean? maybe its left over from testing?
|
@williballenthin I would suggest to close the pull request and not merge anything yet. I will address your comments and fix some additional bugs I have found and then I will reopen. I am actually working on couple of malware samples and try to implement the functions to be as real as possible. I dont want them to by just dummy ones. Thanks |
|
i've converted the PR to a "draft" so that its clear its not ready yet. feel free to keep working here (or, close it if you'd prefer, no problem). once its ready, just comment and press the "Ready for review" button. |
|
Has any progress been made on these definitions? Great work on them, by the way! |
Implementations for:
ZwTerminateProcess
ZwOpenProcess
ZwDuplicateObject
ShellExecuteExW
copies of strstr, towlow, tolow, wstrstr from msvcrt to ntdll (since often are being called directly by ntdll)