25 from zlib
import crc32
26 from StringIO
import StringIO
29 from Crypto.Hash
import MD5, SHA
31 print "cannot find crypto, skipping"
36 heap, set_str_ansi, set_str_unic, get_str_ansi, get_str_unic, \
40 log = logging.getLogger(
"win_api_x86_32")
41 console_handler = logging.StreamHandler()
42 console_handler.setFormatter(logging.Formatter(
"%(levelname)-5s: %(message)s"))
43 log.addHandler(console_handler)
44 log.setLevel(logging.WARN)
51 typedef struct tagPROCESSENTRY32 {
55 ULONG_PTR th32DefaultHeapID;
58 DWORD th32ParentProcessID;
61 TCHAR szExeFile[MAX_PATH];
62 } PROCESSENTRY32, *PPROCESSENTRY32;
66 access_dict = {0x0: 0,
69 0x4: PAGE_READ | PAGE_WRITE,
71 0x20: PAGE_EXEC | PAGE_READ,
72 0x40: PAGE_EXEC | PAGE_READ | PAGE_WRITE,
73 0x80: PAGE_EXEC | PAGE_READ | PAGE_WRITE,
78 access_dict_inv = dict([(x[1], x[0])
for x
in access_dict.items()])
88 return '<%r %r %r>' % (self.__class__.__name__, self.
name, self.
info)
97 def add(self, name, info=None):
102 log.debug(repr(self))
106 out =
'<%r\n' % self.__class__.__name__
107 ks = self.all_handles.keys()
119 return self.all_handles.__getitem__(item)
122 self.all_handles.__delitem__(item)
182 winobjs.dw_pid_dummy1,
186 winobjs.dw_pid_explorer,
194 winobjs.dw_pid_explorer,
207 winobjs.dw_pid_dummy2,
211 winobjs.dw_pid_explorer,
224 winobjs.dw_pid_explorer,
235 return inspect.stack()[1][3]
249 return struct.pack(
'LL', self.
ad, self.
l)
253 ret_ad, args = jitter.func_args_stdcall([
"heap",
"flags",
"size"])
254 alloc_addr = winobjs.heap.alloc(jitter, args.size)
255 jitter.func_ret_stdcall(ret_ad, alloc_addr)
259 ret_ad, _ = jitter.func_args_stdcall([
"heap",
"flags",
"pmem"])
260 jitter.func_ret_stdcall(ret_ad, 1)
264 ret_ad, args = jitter.func_args_stdcall([
"uflags",
"msize"])
265 alloc_addr = winobjs.heap.alloc(jitter, args.msize)
266 jitter.func_ret_stdcall(ret_ad, alloc_addr)
270 ret_ad, _ = jitter.func_args_stdcall([
"lpvoid"])
271 jitter.func_ret_stdcall(ret_ad, 0)
275 ret_ad, args = jitter.func_args_stdcall([
"uflags",
"msize"])
276 alloc_addr = winobjs.heap.alloc(jitter, args.msize)
277 jitter.func_ret_stdcall(ret_ad, alloc_addr)
281 ret_ad, _ = jitter.func_args_stdcall([
"addr"])
282 jitter.func_ret_stdcall(ret_ad, 0)
286 ret_ad, _ = jitter.func_args_stdcall(0)
287 jitter.func_ret_stdcall(ret_ad, winobjs.dbg_present)
291 ret_ad, _ = jitter.func_args_stdcall([
"dwflags",
"th32processid"])
292 jitter.func_ret_stdcall(ret_ad, winobjs.handle_toolhelpsnapshot)
296 ret_ad, _ = jitter.func_args_stdcall(0)
297 jitter.func_ret_stdcall(ret_ad, winobjs.handle_curprocess)
301 ret_ad, _ = jitter.func_args_stdcall(0)
302 jitter.func_ret_stdcall(ret_ad, winobjs.dw_pid_cur)
306 ret_ad, args = jitter.func_args_stdcall([
"s_handle",
"ad_pentry"])
308 pentry = struct.pack(
309 'IIIIIIIII', *process_list[0][:-1]) + process_list[0][-1]
310 jitter.vm.set_mem(args.ad_pentry, pentry)
311 winobjs.toolhelpsnapshot_info[args.s_handle] = 0
313 jitter.func_ret_stdcall(ret_ad, 1)
317 ret_ad, args = jitter.func_args_stdcall([
"s_handle",
"ad_pentry"])
319 winobjs.toolhelpsnapshot_info[args.s_handle] += 1
320 if winobjs.toolhelpsnapshot_info[args.s_handle] >= len(process_list):
324 n = winobjs.toolhelpsnapshot_info[args.s_handle]
325 pentry = struct.pack(
326 'IIIIIIIII', *process_list[n][:-1]) + process_list[n][-1]
327 jitter.vm.set_mem(args.ad_pentry, pentry)
328 jitter.func_ret_stdcall(ret_ad, ret)
332 ret_ad, _ = jitter.func_args_stdcall(0)
333 winobjs.tickcount += 1
334 jitter.func_ret_stdcall(ret_ad, winobjs.tickcount)
338 ret_ad, _ = jitter.func_args_stdcall(0)
339 jitter.func_ret_stdcall(ret_ad, winobjs.getversion)
343 ret_ad, args = jitter.func_args_stdcall([
"ptr_struct"])
345 s = struct.pack(
"IIIII",
352 t = set_str(
"Service pack 4")
353 t = s + (t +
'\x00' * 128 * 2)[:128 * 2]
354 t += struct.pack(
'HHHBB', 3, 0, 0x100, 1, 0)
356 jitter.vm.set_mem(args.ptr_struct, s)
357 jitter.func_ret_stdcall(ret_ad, 1)
367 ret_ad, _ = jitter.func_args_stdcall([
"hwnd"])
368 jitter.func_ret_stdcall(ret_ad, 0)
372 ret_ad, _ = jitter.func_args_stdcall([
"hwnd",
"dwpclass"])
373 jitter.func_ret_stdcall(ret_ad, 0)
377 ret_ad, _ = jitter.func_args_stdcall([
"hwnd"])
378 jitter.func_ret_stdcall(ret_ad, 1)
382 ret_ad, _ = jitter.func_args_stdcall(0)
383 jitter.func_ret_stdcall(ret_ad, winobjs.getforegroundwindow)
387 ret_ad, _ = jitter.func_args_stdcall([
"pclassname",
"pwindowname"])
388 jitter.func_ret_stdcall(ret_ad, 0)
392 ret_ad, _ = jitter.func_args_stdcall([
"hwnd"])
393 jitter.func_ret_stdcall(ret_ad, 0)
397 ret_ad, _ = jitter.func_args_stdcall([
"blockit"])
398 jitter.func_ret_stdcall(ret_ad, 1)
402 ret_ad, args = jitter.func_args_stdcall([
"phprov",
"pszcontainer",
403 "pszprovider",
"dwprovtype",
405 prov = get_str(jitter, args.pszprovider)
if args.pszprovider
else "NONE"
406 log.debug(
'prov: %r', prov)
407 jitter.vm.set_mem(args.phprov,
pck32(winobjs.cryptcontext_hwnd))
408 jitter.func_ret_stdcall(ret_ad, 1)
420 ret_ad, args = jitter.func_args_stdcall([
"hprov",
"algid",
"hkey",
421 "dwflags",
"phhash"])
423 winobjs.cryptcontext_num += 1
425 if args.algid == 0x00008003:
426 log.debug(
'algo is MD5')
429 pck32(winobjs.cryptcontext_bnum + winobjs.cryptcontext_num)
431 winobjs.cryptcontext[
432 winobjs.cryptcontext_bnum + winobjs.cryptcontext_num] =
hobj()
433 winobjs.cryptcontext[
434 winobjs.cryptcontext_bnum + winobjs.cryptcontext_num].h = MD5.new()
435 elif args.algid == 0x00008004:
436 log.debug(
'algo is SHA1')
439 pck32(winobjs.cryptcontext_bnum + winobjs.cryptcontext_num)
441 winobjs.cryptcontext[
442 winobjs.cryptcontext_bnum + winobjs.cryptcontext_num] =
hobj()
443 winobjs.cryptcontext[
444 winobjs.cryptcontext_bnum + winobjs.cryptcontext_num].h = SHA.new()
446 raise ValueError(
'un impl algo1')
447 jitter.func_ret_stdcall(ret_ad, 1)
451 ret_ad, args = jitter.func_args_stdcall([
"hhash",
"pbdata",
"dwdatalen",
454 if not args.hhash
in winobjs.cryptcontext:
455 raise ValueError(
"unknown crypt context")
457 data = jitter.vm.get_mem(args.pbdata, args.dwdatalen)
458 log.debug(
'will hash %X', args.dwdatalen)
459 log.debug(repr(data[:10]) +
"...")
460 winobjs.cryptcontext[args.hhash].h.update(data)
461 jitter.func_ret_stdcall(ret_ad, 1)
465 ret_ad, args = jitter.func_args_stdcall([
"hhash",
"param",
"pbdata",
466 "dwdatalen",
"dwflags"])
468 if not args.hhash
in winobjs.cryptcontext:
469 raise ValueError(
"unknown crypt context")
473 h = winobjs.cryptcontext[args.hhash].h.digest()
475 raise ValueError(
'not impl', args.param)
476 jitter.vm.set_mem(args.pbdata, h)
477 jitter.vm.set_mem(args.dwdatalen,
pck32(len(h)))
479 jitter.func_ret_stdcall(ret_ad, 1)
483 ret_ad, _ = jitter.func_args_stdcall([
"hhash",
"flags"])
484 jitter.func_ret_stdcall(ret_ad, 0)
488 ret_ad, args = jitter.func_args_stdcall([
"hprov",
"algid",
"hbasedata",
491 if args.algid == 0x6801:
492 log.debug(
'using DES')
494 raise ValueError(
'un impl algo2')
495 h = winobjs.cryptcontext[args.hbasedata].h.digest()
496 log.debug(
'hash %r', h)
497 winobjs.cryptcontext[args.hbasedata].h_result = h
498 jitter.vm.set_mem(args.phkey,
pck32(args.hbasedata))
499 jitter.func_ret_stdcall(ret_ad, 1)
503 ret_ad, _ = jitter.func_args_stdcall([
"hhash"])
504 jitter.func_ret_stdcall(ret_ad, 1)
508 ret_ad, _ = jitter.func_args_stdcall([
"hkey",
"hhash",
"final",
511 raise ValueError(
"Not implemented")
516 ret_ad, args = jitter.func_args_stdcall([
"lpfilename",
"access",
519 "dwcreationdisposition",
522 if args.lpfilename == 0:
523 jitter.func_ret_stdcall(ret_ad, 0xffffffff)
526 fname = get_str(jitter, args.lpfilename)
527 log.debug(
'fname %s', fname)
530 log.debug(
"%r %r", fname.lower(), winobjs.module_path.lower())
531 is_original_file = fname.lower() == winobjs.module_path.lower()
533 if fname.upper()
in [
r"\\.\SICE",
r"\\.\NTICE",
r"\\.\SIWVID"]:
535 elif fname.upper()
in [
'NUL']:
536 ret = winobjs.module_cur_hwnd
540 if args.access & 0x80000000
or args.access == 1:
542 if args.dwcreationdisposition == 2:
544 if os.access(sb_fname, os.R_OK):
548 raise NotImplementedError(
"Untested case")
550 elif args.dwcreationdisposition == 3:
552 if os.access(sb_fname, os.R_OK):
553 s = os.stat(sb_fname)
554 if stat.S_ISDIR(s.st_mode):
555 ret = winobjs.handle_pool.add(sb_fname, 0x1337)
557 h = open(sb_fname,
'r+b')
558 ret = winobjs.handle_pool.add(sb_fname, h)
560 log.warning(
"FILE %r DOES NOT EXIST!", fname)
561 elif args.dwcreationdisposition == 1:
563 if os.access(sb_fname, os.R_OK):
566 winobjs.lastwin32error = 80
569 open(sb_fname,
'w').close()
571 h = open(sb_fname,
'r+b')
572 ret = winobjs.handle_pool.add(sb_fname, h)
573 elif args.dwcreationdisposition == 4:
575 if os.access(sb_fname, os.R_OK):
576 s = os.stat(sb_fname)
577 if stat.S_ISDIR(s.st_mode):
578 ret = winobjs.handle_pool.add(sb_fname, 0x1337)
580 h = open(sb_fname,
'r+b')
581 ret = winobjs.handle_pool.add(sb_fname, h)
583 raise NotImplementedError(
"Untested case")
585 raise NotImplementedError(
"Untested case")
586 elif args.access & 0x40000000:
588 if args.dwcreationdisposition == 3:
593 elif os.access(sb_fname, os.R_OK):
594 s = os.stat(sb_fname)
595 if stat.S_ISDIR(s.st_mode):
597 ret = winobjs.handle_pool.add(sb_fname, 0x1337)
599 h = open(sb_fname,
'r+b')
600 ret = winobjs.handle_pool.add(sb_fname, h)
602 raise NotImplementedError(
"Untested case")
603 elif args.dwcreationdisposition == 5:
608 raise NotImplementedError(
"Untested case")
611 h = open(sb_fname,
'w')
612 ret = winobjs.handle_pool.add(sb_fname, h)
614 raise NotImplementedError(
"Untested case")
618 log.debug(
'ret %x', ret)
619 jitter.func_ret_stdcall(ret_ad, ret)
631 ret_ad, args = jitter.func_args_stdcall([
"hwnd",
"lpbuffer",
632 "nnumberofbytestoread",
633 "lpnumberofbytesread",
635 if args.hwnd == winobjs.module_cur_hwnd:
637 elif args.hwnd
in winobjs.handle_pool:
640 raise ValueError(
'unknown hwnd!')
643 if args.hwnd
in winobjs.files_hwnd:
644 data = winobjs.files_hwnd[
645 winobjs.module_cur_hwnd].read(args.nnumberofbytestoread)
646 elif args.hwnd
in winobjs.handle_pool:
647 wh = winobjs.handle_pool[args.hwnd]
648 data = wh.info.read(args.nnumberofbytestoread)
650 raise ValueError(
'unknown filename')
653 if (args.lpnumberofbytesread):
654 jitter.vm.set_mem(args.lpnumberofbytesread,
pck32(len(data)))
655 jitter.vm.set_mem(args.lpbuffer, data)
657 jitter.func_ret_stdcall(ret_ad, 1)
661 ret_ad, args = jitter.func_args_stdcall([
"hwnd",
"lpfilesizehight"])
663 if args.hwnd == winobjs.module_cur_hwnd:
664 ret = len(open(winobjs.module_fname_nux).read())
665 elif args.hwnd
in winobjs.handle_pool:
666 wh = winobjs.handle_pool[args.hwnd]
667 ret = len(open(wh.name).read())
669 raise ValueError(
'unknown hwnd!')
671 if args.lpfilesizehight != 0:
672 jitter.vm.set_mem(args.lpfilesizehight,
pck32(ret))
673 jitter.func_ret_stdcall(ret_ad, ret)
677 ret_ad, args = jitter.func_args_stdcall([
"hwnd",
"lpfilesizehight"])
679 if args.hwnd == winobjs.module_cur_hwnd:
680 l = len(open(winobjs.module_fname_nux).read())
681 elif args.hwnd
in winobjs.handle_pool:
682 wh = winobjs.handle_pool[args.hwnd]
683 l = len(open(wh.name).read())
685 raise ValueError(
'unknown hwnd!')
687 if args.lpfilesizehight == 0:
688 raise NotImplementedError(
"Untested case")
689 jitter.vm.set_mem(args.lpfilesizehight,
pck32(
690 l & 0xffffffff) +
pck32((l >> 32) & 0xffffffff))
691 jitter.func_ret_stdcall(ret_ad, 1)
695 ret_ad, _ = jitter.func_args_stdcall([
"hprocess",
"lpbasead",
"dwsize"])
696 jitter.func_ret_stdcall(ret_ad, 0x1337)
700 ret_ad, args = jitter.func_args_stdcall([
'lpvoid',
'dwsize',
704 flnewprotect = args.flnewprotect & 0xFFF
705 if not flnewprotect
in access_dict:
706 raise ValueError(
'unknown access dw!')
707 jitter.vm.set_mem_access(args.lpvoid, access_dict[flnewprotect])
710 if args.lpfloldprotect:
711 jitter.vm.set_mem(args.lpfloldprotect,
pck32(0x40))
713 jitter.func_ret_stdcall(ret_ad, 1)
717 ret_ad, args = jitter.func_args_stdcall([
'lpvoid',
'dwsize',
718 'alloc_type',
'flprotect'])
724 0x4: PAGE_READ | PAGE_WRITE,
726 0x20: PAGE_EXEC | PAGE_READ,
727 0x40: PAGE_EXEC | PAGE_READ | PAGE_WRITE,
733 if not args.flprotect
in access_dict:
734 raise ValueError(
'unknown access dw!')
737 alloc_addr = winobjs.heap.next_addr(args.dwsize)
738 jitter.vm.add_memory_page(
739 alloc_addr, access_dict[args.flprotect],
"\x00" * args.dwsize)
741 all_mem = jitter.vm.get_all_memory()
742 if args.lpvoid
in all_mem:
743 alloc_addr = args.lpvoid
744 jitter.vm.set_mem_access(args.lpvoid, access_dict[args.flprotect])
746 alloc_addr = winobjs.heap.next_addr(args.dwsize)
748 jitter.vm.add_memory_page(
749 alloc_addr, access_dict[args.flprotect],
"\x00" * args.dwsize)
751 log.debug(
'Memory addr: %x', alloc_addr)
752 jitter.func_ret_stdcall(ret_ad, alloc_addr)
756 ret_ad, _ = jitter.func_args_stdcall([
"lpvoid",
"dwsize",
"alloc_type"])
757 jitter.func_ret_stdcall(ret_ad, 0)
761 ret_ad, _ = jitter.func_args_stdcall([
"hwnd",
"nindex"])
762 jitter.func_ret_stdcall(ret_ad, winobjs.windowlong_dw)
766 ret_ad, _ = jitter.func_args_stdcall([
"hwnd",
"nindex",
"newlong"])
767 jitter.func_ret_stdcall(ret_ad, winobjs.windowlong_dw)
771 ret_ad, args = jitter.func_args_stdcall([
"hmodule",
"lpfilename",
"nsize"])
773 if args.hmodule
in [0, winobjs.hcurmodule]:
774 p = winobjs.module_path[:]
775 elif (winobjs.runtime_dll
and
776 args.hmodule
in winobjs.runtime_dll.name2off.values()):
777 name_inv = dict([(x[1], x[0])
778 for x
in winobjs.runtime_dll.name2off.items()])
779 p = name_inv[args.hmodule]
781 log.warning((
'Unknown module 0x%x.' +
782 'Set winobjs.hcurmodule and retry'), args.hmodule)
787 elif args.nsize < len(p):
794 jitter.vm.set_mem(args.lpfilename, set_str(p))
796 jitter.func_ret_stdcall(ret_ad, l)
808 ret_ad, args = jitter.func_args_stdcall([
"mutexattr",
"initowner",
812 name = get_str(jitter, args.lpname)
817 if name
in winobjs.mutex:
818 raise NotImplementedError(
"Untested case")
821 winobjs.mutex[name] = id(name)
822 ret = winobjs.mutex[name]
824 if name
in winobjs.mutex:
825 raise NotImplementedError(
"Untested case")
828 winobjs.mutex[name] = id(name)
829 ret = winobjs.mutex[name]
830 jitter.func_ret_stdcall(ret_ad, ret)
842 ret_ad, args = jitter.func_args_stdcall([
"hwndowner",
"nfolder",
"ppidl"])
843 jitter.vm.set_mem(args.ppidl,
pck32(args.nfolder))
844 jitter.func_ret_stdcall(ret_ad, 0)
848 ret_ad, args = jitter.func_args_stdcall([
"pidl",
"ppath"])
851 s =
"c:\\doc\\user\\startmenu\\programs\\startup"
854 raise ValueError(
'pidl not implemented', args.pidl)
855 jitter.vm.set_mem(args.ppath, s)
856 jitter.func_ret_stdcall(ret_ad, 1)
868 ret_ad, _ = jitter.func_args_stdcall(0)
869 jitter.func_ret_stdcall(ret_ad, winobjs.lastwin32error)
873 ret_ad, args = jitter.func_args_stdcall([
"errcode"])
877 winobjs.lastwin32error = args.errcode
878 jitter.func_ret_stdcall(ret_ad, 0)
886 ret_ad, args = jitter.func_args_stdcall([
"dllname"])
891 ret = winobjs.runtime_dll.lib_get_add_base(libname)
892 log.info(
"ret %x", ret)
893 jitter.func_ret_stdcall(ret_ad, ret)
897 ret_ad, args = jitter.func_args_stdcall([
"dllname",
"hfile",
"flags"])
900 raise NotImplementedError(
"Untested case")
904 ret = winobjs.runtime_dll.lib_get_add_base(libname)
905 log.info(
"ret %x", ret)
906 jitter.func_ret_stdcall(ret_ad, ret)
910 ret_ad, args = jitter.func_args_stdcall([
"libbase",
"fname"])
919 if fname
is not None:
920 ad = winobjs.runtime_dll.lib_get_add_func(args.libbase, fname)
923 ad = winobjs.runtime_dll.lib_get_add_func(args.libbase, fname)
924 jitter.add_breakpoint(ad, jitter.handle_lib)
925 jitter.func_ret_stdcall(ret_ad, ad)
929 ret_ad, args = jitter.func_args_stdcall([
"dllname"])
934 ret = winobjs.runtime_dll.lib_get_add_base(libname)
935 log.info(
"ret %x", ret)
936 jitter.func_ret_stdcall(ret_ad, ret)
940 ret_ad, args = jitter.func_args_stdcall([
"dllname"])
943 libname = get_str(jitter, args.dllname)
946 ret = winobjs.runtime_dll.lib_get_add_base(libname)
948 log.warning(
'unknown module!')
951 ret = winobjs.current_pe.NThdr.ImageBase
952 log.debug(
"default img base %x", ret)
953 jitter.func_ret_stdcall(ret_ad, ret)
965 ret_ad, _ = jitter.func_args_stdcall([
"lpaddress",
"dwsize"])
966 jitter.func_ret_stdcall(ret_ad, 1)
972 lpMinimumApplicationAddress = 0x10000
973 lpMaximumApplicationAddress = 0x7ffeffff
974 dwActiveProcessorMask = 0x1
975 numberOfProcessors = 0x1
977 dwAllocationgranularity = 0x10000
978 wProcessorLevel = 0x6
979 ProcessorRevision = 0xf0b
982 return struct.pack(
'IIIIIIIIHH',
996 ret_ad, args = jitter.func_args_stdcall([
"sys_ptr"])
998 jitter.vm.set_mem(args.sys_ptr, sysinfo.pack())
999 jitter.func_ret_stdcall(ret_ad, 0)
1003 ret_ad, args = jitter.func_args_stdcall([
"process",
"bool_ptr"])
1004 jitter.vm.set_mem(args.bool_ptr,
pck32(0))
1005 jitter.func_ret_stdcall(ret_ad, 1)
1009 ret_ad, _ = jitter.func_args_stdcall(0)
1010 s = winobjs.module_path +
'\x00'
1012 alloc_addr = winobjs.heap.alloc(jitter, 0x1000)
1013 jitter.vm.set_mem(alloc_addr, s)
1014 jitter.func_ret_stdcall(ret_ad, alloc_addr)
1018 ret_ad, _ = jitter.func_args_stdcall(0)
1019 s = winobjs.module_path +
'\x00'
1021 alloc_addr = winobjs.heap.alloc(jitter, 0x1000)
1022 jitter.vm.set_mem(alloc_addr, s)
1023 jitter.func_ret_stdcall(ret_ad, alloc_addr)
1027 ret_ad, args = jitter.func_args_stdcall([
"pcmd",
"pnumargs"])
1030 tks = cmd.split(
' ')
1031 addr = winobjs.heap.alloc(jitter, len(cmd) * 2 + 4 * len(tks))
1032 addr_ret = winobjs.heap.alloc(jitter, 4 * (len(tks) + 1))
1034 for i, t
in enumerate(tks):
1036 jitter.vm.set_mem(addr_ret + 4 * i,
pck32(addr + o))
1037 jitter.vm.set_mem(addr + o, x)
1040 jitter.vm.set_mem(addr_ret + 4 * i,
pck32(0))
1041 jitter.vm.set_mem(args.pnumargs,
pck32(len(tks)))
1042 jitter.func_ret_stdcall(ret_ad, addr_ret)
1046 ret_ad, args = jitter.func_args_stdcall([
"ad_ctx"])
1047 index = len(winobjs.cryptdll_md5_h)
1049 winobjs.cryptdll_md5_h[index] = h
1051 jitter.vm.set_mem(args.ad_ctx,
pck32(index))
1052 jitter.func_ret_stdcall(ret_ad, 0)
1056 ret_ad, args = jitter.func_args_stdcall([
"ad_ctx",
"ad_input",
"inlen"])
1058 index = jitter.vm.get_mem(args.ad_ctx, 4)
1060 if not index
in winobjs.cryptdll_md5_h:
1061 raise ValueError(
'unknown h context', index)
1063 data = jitter.vm.get_mem(args.ad_input, args.inlen)
1064 winobjs.cryptdll_md5_h[index].update(data)
1067 jitter.func_ret_stdcall(ret_ad, 0)
1071 ret_ad, args = jitter.func_args_stdcall([
"ad_ctx"])
1073 index = jitter.vm.get_mem(args.ad_ctx, 4)
1075 if not index
in winobjs.cryptdll_md5_h:
1076 raise ValueError(
'unknown h context', index)
1077 h = winobjs.cryptdll_md5_h[index].digest()
1078 jitter.vm.set_mem(args.ad_ctx + 88, h)
1079 jitter.func_ret_stdcall(ret_ad, 0)
1083 ret_ad, args = jitter.func_args_stdcall([
"ad_ctx",
"ad_str"])
1087 jitter.vm.set_mem(args.ad_ctx,
1089 jitter.func_ret_stdcall(ret_ad, 0)
1093 ret_ad, args = jitter.func_args_stdcall([
"ad_ctxu",
"case_i",
"h_id",
1097 raise ValueError(
'unk hash unicode', args.h_id)
1099 l1, l2, ptra = struct.unpack(
'HHL', jitter.vm.get_mem(args.ad_ctxu, 8))
1100 s = jitter.vm.get_mem(ptra, l1)
1107 hv = ((65599 * hv) + ord(c)) & 0xffffffff
1108 jitter.vm.set_mem(args.phout,
pck32(hv))
1109 jitter.func_ret_stdcall(ret_ad, 0)
1113 ret_ad, args = jitter.func_args_stdcall([
"ad_dst",
"ad_src",
"m_len"])
1114 data = jitter.vm.get_mem(args.ad_src, args.m_len)
1115 jitter.vm.set_mem(args.ad_dst, data)
1116 jitter.func_ret_stdcall(ret_ad, 0)
1120 ret_ad, args = jitter.func_args_stdcall([
'ad_ad_ch'])
1121 ad_ch =
upck32(jitter.vm.get_mem(args.ad_ad_ch, 4))
1122 ch = ord(jitter.vm.get_mem(ad_ch, 1))
1123 jitter.vm.set_mem(args.ad_ad_ch,
pck32(ad_ch + 1))
1124 jitter.func_ret_stdcall(ret_ad, ch)
1128 ret_ad, args = jitter.func_args_stdcall([
"flags",
"main_str_ad",
1129 "search_chars_ad",
"pos_ad"])
1132 raise ValueError(
'unk flags')
1134 ml1, ml2, mptra = struct.unpack(
'HHL',
1135 jitter.vm.get_mem(args.main_str_ad, 8))
1136 sl1, sl2, sptra = struct.unpack(
1137 'HHL', jitter.vm.get_mem(args.search_chars_ad, 8))
1138 main_data = jitter.vm.get_mem(mptra, ml1)[:-1]
1139 search_data = jitter.vm.get_mem(sptra, sl1)[:-1]
1142 for i, c
in enumerate(main_data):
1143 for s
in search_data:
1151 jitter.vm.set_mem(args.pos_ad,
pck32(0))
1154 jitter.vm.set_mem(args.pos_ad,
pck32(pos))
1156 jitter.func_ret_stdcall(ret_ad, ret)
1160 ret_ad, args = jitter.func_args_stdcall([
"dwinit",
"pdata",
"ilen"])
1161 data = jitter.vm.get_mem(args.pdata, args.ilen)
1162 crc_r = crc32(data, args.dwinit)
1163 jitter.func_ret_stdcall(ret_ad, crc_r)
1167 ret_ad, args = jitter.func_args_stdcall([
'multiplicand_low',
1168 'multiplicand_high',
1170 a = (args.multiplicand_high << 32) + args.multiplicand_low
1171 a = a * args.multiplier
1172 jitter.func_ret_stdcall(ret_ad, a & 0xffffffff, (a >> 32) & 0xffffffff)
1176 ret_ad, args = jitter.func_args_stdcall([
'a_low',
'a_high',
1178 a = (args.a_high << 32) + args.a_low + (args.b_high << 32) + args.b_low
1179 jitter.func_ret_stdcall(ret_ad, a & 0xffffffff, (a >> 32) & 0xffffffff)
1183 ret_ad, args = jitter.func_args_stdcall([
'a_low',
'a_high',
's_count'])
1184 a = ((args.a_high << 32) + args.a_low) >> args.s_count
1185 jitter.func_ret_stdcall(ret_ad, a & 0xffffffff, (a >> 32) & 0xffffffff)
1189 ret_ad, args = jitter.func_args_stdcall([
'a',
'b'])
1191 jitter.func_ret_stdcall(ret_ad, a & 0xffffffff, (a >> 32) & 0xffffffff)
1195 ret_ad, args = jitter.func_args_stdcall([
'a_low',
'a_high',
1197 a = (args.a_high << 32) + args.a_low - (args.b_high << 32) + args.b_low
1198 jitter.func_ret_stdcall(ret_ad, a & 0xffffffff, (a >> 32) & 0xffffffff)
1202 ret_ad, args = jitter.func_args_stdcall([
'ad1',
'ad2',
'm_len'])
1203 data1 = jitter.vm.get_mem(args.ad1, args.m_len)
1204 data2 = jitter.vm.get_mem(args.ad2, args.m_len)
1207 while data1[i] == data2[i]:
1212 jitter.func_ret_stdcall(ret_ad, i)
1216 ret_ad, _ = jitter.func_args_stdcall(0)
1217 jitter.func_ret_stdcall(ret_ad, 0x00110022)
1221 ret_ad, _ = jitter.func_args_stdcall([
't'])
1222 jitter.func_ret_stdcall(ret_ad, 0)
1226 ret_ad, _ = jitter.func_args_stdcall([
'h',
'ad'])
1227 jitter.func_ret_stdcall(ret_ad, 0)
1231 ret_ad, _ = jitter.func_args_stdcall([
'lp',
'ucb'])
1232 jitter.func_ret_stdcall(ret_ad, 0)
1236 ret_ad, args = jitter.func_args_stdcall([
'my_event',
'my_type',
1238 jitter.vm.set_mem(args.my_event,
pck32(winobjs.win_event_num))
1239 winobjs.win_event_num += 1
1241 jitter.func_ret_stdcall(ret_ad, 0)
1245 ret_ad, args = jitter.func_args_stdcall([
'ptr_version'])
1247 s = struct.pack(
"IIIII",
1255 jitter.vm.set_mem(args.ptr_version, s)
1256 jitter.func_ret_stdcall(ret_ad, 0)
1260 ret_ad, args = jitter.func_args_stdcall([
'ptr_version'])
1262 s = jitter.vm.get_mem(args.ptr_version, 0x5 * 4)
1263 s_size, s_majv, s_minv, s_buildn, s_platform = struct.unpack(
'IIIII', s)
1264 raise NotImplementedError(
"Untested case")
1270 ret_ad, _ = jitter.func_args_stdcall(0)
1271 jitter.func_ret_stdcall(ret_ad, 0)
1275 return winobjs.nt_mdl_ad + 0x10 * n
1279 return ((ad - winobjs.nt_mdl_ad) & 0xFFFFFFFFL) / 0x10
1283 ret_ad, args = jitter.func_args_stdcall([
"v_addr",
"l",
"second_buf",
1284 "chargequota",
"pirp"])
1285 m =
mdl(args.v_addr, args.l)
1286 winobjs.nt_mdl[winobjs.nt_mdl_cur] = m
1287 jitter.vm.set_mem(
mdl2ad(winobjs.nt_mdl_cur), str(m))
1288 jitter.func_ret_stdcall(ret_ad,
mdl2ad(winobjs.nt_mdl_cur))
1289 winobjs.nt_mdl_cur += 1
1293 ret_ad, args = jitter.func_args_stdcall([
"p_mdl",
"access_mode",
"op"])
1295 if not ad2mdl(args.p_mdl)
in winobjs.nt_mdl:
1296 raise ValueError(
'unk mdl', hex(args.p_mdl))
1297 jitter.func_ret_stdcall(ret_ad, 0)
1301 ret_ad, args = jitter.func_args_stdcall([
"p_mdl",
"access_mode",
1302 "cache_type",
"base_ad",
1303 "bugcheckonfailure",
1305 if not ad2mdl(args.p_mdl)
in winobjs.nt_mdl:
1306 raise ValueError(
'unk mdl', hex(args.p_mdl))
1308 jitter.func_ret_stdcall(ret_ad, winobjs.nt_mdl[
ad2mdl(args.p_mdl)].ad)
1312 ret_ad, args = jitter.func_args_stdcall([
"p_mdl",
"prot"])
1313 if not ad2mdl(args.p_mdl)
in winobjs.nt_mdl:
1314 raise ValueError(
'unk mdl', hex(args.p_mdl))
1316 jitter.func_ret_stdcall(ret_ad, 0)
1320 ret_ad, args = jitter.func_args_stdcall([
'p_mdl'])
1321 if not ad2mdl(args.p_mdl)
in winobjs.nt_mdl:
1322 raise ValueError(
'unk mdl', hex(args.p_mdl))
1324 jitter.func_ret_stdcall(ret_ad, 0)
1328 ret_ad, args = jitter.func_args_stdcall([
'p_mdl'])
1329 if not ad2mdl(args.p_mdl)
in winobjs.nt_mdl:
1330 raise ValueError(
'unk mdl', hex(args.p_mdl))
1331 del(winobjs.nt_mdl[
ad2mdl(args.p_mdl)])
1332 jitter.func_ret_stdcall(ret_ad, 0)
1336 ret_ad, _ = jitter.func_args_stdcall(0)
1337 jitter.func_ret_stdcall(ret_ad, 0)
1341 ret_ad, args = jitter.func_args_stdcall([
"relativeto",
"path",
1346 jitter.func_ret_stdcall(ret_ad, 0)
1350 ret_ad, args = jitter.func_args_stdcall([
"pool_type",
1353 alloc_addr = winobjs.heap.next_addr(args.nbr_of_bytes)
1354 jitter.vm.add_memory_page(
1355 alloc_addr, PAGE_READ | PAGE_WRITE,
"\x00" * args.nbr_of_bytes)
1357 jitter.func_ret_stdcall(ret_ad, alloc_addr)
1361 ret_ad, args = jitter.func_args_stdcall([
"ptr_str1",
"ptr_str2"])
1362 s1 = get_str(args.ptr_str1)
1363 s2 = get_str(args.ptr_str2)
1364 jitter.func_ret_stdcall(ret_ad,
cmp(s1, s2))
1388 ret_ad, args = jitter.func_args_stdcall([
"ptr_str1",
"ptr_str2"])
1389 s2 = get_str(jitter, args.ptr_str2)
1390 jitter.vm.set_mem(args.ptr_str1, set_str(s2))
1391 jitter.func_ret_stdcall(ret_ad, args.ptr_str1)
1408 ret_ad, args = jitter.func_args_stdcall([
"ptr_str1",
"ptr_str2",
1412 jitter.vm.set_mem(args.ptr_str1, s2)
1413 jitter.func_ret_stdcall(ret_ad, args.ptr_str1)
1417 ret_ad, args = jitter.func_args_stdcall([
"src"])
1418 src = get_str(jitter, args.src)
1419 jitter.func_ret_stdcall(ret_ad, mylen(src))
1435 ret_ad, args = jitter.func_args_stdcall([
'ptr_str1',
'ptr_str2'])
1436 s1 = get_str(jitter, args.ptr_str1)
1437 s2 = get_str(jitter, args.ptr_str2)
1438 jitter.vm.set_mem(args.ptr_str1, s1 + s2)
1439 jitter.func_ret_stdcall(ret_ad, args.ptr_str1)
1451 ret_ad, args = jitter.func_args_stdcall([
"geoclass"])
1452 if args.geoclass == 14:
1454 elif args.geoclass == 16:
1457 raise ValueError(
'unknown geolcass')
1458 jitter.func_ret_stdcall(ret_ad, ret)
1462 ret_ad, args = jitter.func_args_stdcall([
"lprootpathname",
1463 "lpvolumenamebuffer",
1465 "lpvolumeserialnumber",
1466 "lpmaximumcomponentlength",
1467 "lpfilesystemflags",
1468 "lpfilesystemnamebuffer",
1469 "nfilesystemnamesize"])
1470 if args.lprootpathname:
1471 s = get_str(jitter, args.lprootpathname)
1473 if args.lpvolumenamebuffer:
1475 s = s[:args.nvolumenamesize]
1476 jitter.vm.set_mem(args.lpvolumenamebuffer, set_str(s))
1478 if args.lpvolumeserialnumber:
1479 jitter.vm.set_mem(args.lpvolumeserialnumber,
pck32(11111111))
1480 if args.lpmaximumcomponentlength:
1481 jitter.vm.set_mem(args.lpmaximumcomponentlength,
pck32(0xff))
1482 if args.lpfilesystemflags:
1483 jitter.vm.set_mem(args.lpfilesystemflags,
pck32(22222222))
1485 if args.lpfilesystemnamebuffer:
1486 s =
"filesystemname"
1487 s = s[:args.nfilesystemnamesize]
1488 jitter.vm.set_mem(args.lpfilesystemnamebuffer, set_str(s))
1490 jitter.func_ret_stdcall(ret_ad, 1)
1495 jitter,
whoami(), get_str_ansi,
lambda x: x +
"\x00")
1503 ret_ad, args = jitter.func_args_stdcall([
"codepage",
"dwflags",
1508 src =
get_str_ansi(jitter, args.lpmultibytestr) +
'\x00'
1511 src =
"\x00".join(list(src))
1512 jitter.vm.set_mem(args.lpwidecharstr, src)
1513 jitter.func_ret_stdcall(ret_ad, l)
1517 ret_ad, args = jitter.func_args_stdcall([
"lpname",
"lpbuffer",
1520 s = get_str(jitter, args.lpname)
1521 if get_str == get_str_unic:
1523 log.debug(
'variable %r', s)
1524 if s
in winobjs.env_variables:
1525 v = set_str(winobjs.env_variables[s])
1527 log.warning(
'WARNING unknown env variable %r', s)
1529 jitter.vm.set_mem(args.lpbuffer, v)
1530 jitter.func_ret_stdcall(ret_ad, mylen(v))
1534 ret_ad, args = jitter.func_args_stdcall([
"lpbuffer",
"usize"])
1535 s =
"c:\\windows\\system32"
1538 jitter.vm.set_mem(args.lpbuffer, s)
1539 jitter.func_ret_stdcall(ret_ad, l)
1551 ret_ad, args = jitter.func_args_stdcall([
'lppath',
'secattrib'])
1553 jitter.func_ret_stdcall(ret_ad, 0x1337)
1567 lambda x: x +
"\x00",
1574 lambda x:
"\x00".join(list(x +
"\x00")),
1579 ret_ad, args = jitter.func_args_stdcall([
"lpeventattributes",
1583 s = get_str(jitter, args.lpname)
if args.lpname
else None
1584 if not s
in winobjs.events_pool:
1585 winobjs.events_pool[s] = (args.bmanualreset, args.binitialstate)
1587 log.warning(
'WARNING: known event')
1588 jitter.func_ret_stdcall(ret_ad, id(s))
1600 ret_ad, args = jitter.func_args_stdcall([
'handle',
'dwms'])
1602 t_start = time.time() * 1000
1605 if args.dwms
and args.dwms + t_start > time.time() * 1000:
1608 for key, value
in winobjs.events_pool.iteritems():
1609 if key != args.handle:
1616 log.warning(
'unknown handle')
1620 jitter.func_ret_stdcall(ret_ad, ret)
1624 ret_ad, args = jitter.func_args_stdcall([
"lpfilename",
1625 "dwfileattributes"])
1631 jitter.vm.set_mem(FS_0_AD + 0x34,
pck32(3))
1633 jitter.func_ret_stdcall(ret_ad, ret)
1637 ret_ad, args = jitter.func_args_stdcall([
"dst",
"src",
"l"])
1638 s = jitter.vm.get_mem(args.src, args.l)
1639 jitter.vm.set_mem(args.dst, s)
1640 jitter.func_ret_stdcall(ret_ad, 1)
1644 ret_ad, args = jitter.func_args_stdcall([
"systeminformationclass",
1645 "systeminformation",
1646 "systeminformationl",
1648 if args.systeminformationclass == 2:
1650 o = struct.pack(
'II', 0x22222222, 0x33333333)
1651 o +=
"\x00" * args.systeminformationl
1652 o = o[:args.systeminformationl]
1653 jitter.vm.set_mem(args.systeminformation, o)
1655 raise ValueError(
'unknown sysinfo class',
1656 args.systeminformationclass)
1657 jitter.func_ret_stdcall(ret_ad, 0)
1661 ret_ad, args = jitter.func_args_stdcall([
"handle",
"lppvoid",
1666 ad =
upck32(jitter.vm.get_mem(args.lppvoid, 4))
1669 flnewprotect = args.flnewprotect & 0xFFF
1671 if not flnewprotect
in access_dict:
1672 raise ValueError(
'unknown access dw!')
1673 jitter.vm.set_mem_access(ad, access_dict[flnewprotect])
1676 jitter.vm.set_mem(args.lpfloldprotect,
pck32(0x40))
1678 jitter.func_ret_stdcall(ret_ad, 1)
1682 ret_ad, args = jitter.func_args_stdcall([
"handle",
"lppvoid",
1683 "zerobits",
"pdwsize",
1688 dwsize =
upck32(jitter.vm.get_mem(args.pdwsize, 4))
1694 0x4: PAGE_READ | PAGE_WRITE,
1696 0x20: PAGE_EXEC | PAGE_READ,
1697 0x40: PAGE_EXEC | PAGE_READ | PAGE_WRITE,
1703 if not args.flprotect
in access_dict:
1704 raise ValueError(
'unknown access dw!')
1706 alloc_addr = winobjs.heap.next_addr(dwsize)
1707 jitter.vm.add_memory_page(
1708 alloc_addr, access_dict[args.flprotect],
"\x00" * dwsize)
1709 jitter.vm.set_mem(args.lppvoid,
pck32(alloc_addr))
1711 jitter.func_ret_stdcall(ret_ad, 0)
1715 ret_ad, args = jitter.func_args_stdcall([
"handle",
"lppvoid",
1716 "pdwsize",
"alloc_type"])
1719 jitter.func_ret_stdcall(ret_ad, 0)
1723 ret_ad, args = jitter.func_args_stdcall([
"pstring",
"source"])
1726 o = struct.pack(
'HHI', l, l, args.source)
1727 jitter.vm.set_mem(args.pstring, o)
1728 jitter.func_ret_stdcall(ret_ad, 0)
1732 ret_ad, args = jitter.func_args_stdcall([
"dst",
"src",
"alloc_str"])
1734 l1, l2, p_src = struct.unpack(
'HHI', jitter.vm.get_mem(args.src, 0x8))
1736 s = (
"\x00".join(s +
"\x00"))
1739 alloc_addr = winobjs.heap.next_addr(l)
1740 jitter.vm.add_memory_page(
1741 alloc_addr, PAGE_READ | PAGE_WRITE,
"\x00" * l)
1744 jitter.vm.set_mem(alloc_addr, s)
1745 o = struct.pack(
'HHI', l, l, alloc_addr)
1746 jitter.vm.set_mem(args.dst, o)
1747 jitter.func_ret_stdcall(ret_ad, 0)
1751 ret_ad, args = jitter.func_args_stdcall([
"path",
"flags",
1752 "modname",
"modhandle"])
1754 l1, l2, p_src = struct.unpack(
'HHI',
1755 jitter.vm.get_mem(args.modname, 0x8))
1759 ad = winobjs.runtime_dll.lib_get_add_base(libname)
1760 jitter.vm.set_mem(args.modhandle,
pck32(ad))
1762 jitter.func_ret_stdcall(ret_ad, 0)
1766 ret_ad, args = jitter.func_args_stdcall([
'src'])
1769 jitter.func_ret_stdcall(ret_ad, 0)
1773 ret_ad, args = jitter.func_args_stdcall([
"libbase",
"pfname",
1776 l1, l2, p_src = struct.unpack(
'HHI', jitter.vm.get_mem(args.pfname, 0x8))
1779 ad = winobjs.runtime_dll.lib_get_add_func(args.libbase, fname)
1781 jitter.vm.set_mem(args.p_ad,
pck32(ad))
1783 jitter.func_ret_stdcall(ret_ad, 0)
1787 ret_ad, args = jitter.func_args_stdcall([
'addr',
'c',
'size'])
1788 jitter.vm.set_mem(args.addr, chr(args.c) * args.size)
1789 jitter.func_ret_stdcall(ret_ad, args.addr)
1793 ret_ad, args = jitter.func_args_cdecl([
'addr',
'c',
'size'])
1794 jitter.vm.set_mem(args.addr, chr(args.c) * args.size)
1795 jitter.func_ret_cdecl(ret_ad, args.addr)
1799 ret_ad, args = jitter.func_args_cdecl([
'dst',
'src',
'size'])
1800 s = jitter.vm.get_mem(args.src, args.size)
1801 jitter.vm.set_mem(args.dst, s)
1802 jitter.func_ret_cdecl(ret_ad, args.dst)
1806 ret_ad, args = jitter.func_args_cdecl([
'ps1',
'ps2',
'size'])
1807 s1 = jitter.vm.get_mem(args.ps1, args.size)
1808 s2 = jitter.vm.get_mem(args.ps2, args.size)
1810 jitter.func_ret_cdecl(ret_ad, ret)
1814 ret_ad, args = jitter.func_args_stdcall([
'path_ad'])
1818 i = args.path_ad + len(path)
1820 i = args.path_ad + i
1821 jitter.func_ret_stdcall(ret_ad, i)
1825 ret_ad, args = jitter.func_args_stdcall([
'path_ad'])
1827 i = path.rfind(
'\\')
1830 jitter.vm.set_mem(args.path_ad + i * 2,
"\x00\x00")
1832 jitter.func_ret_stdcall(ret_ad, 1)
1836 ret_ad, args = jitter.func_args_stdcall([
'ptr_prefix',
'ptr_path'])
1840 if path.startswith(prefix):
1844 jitter.func_ret_stdcall(ret_ad, ret)
1848 ret_ad, args = jitter.func_args_stdcall([
'ptr_path'])
1853 s = os.stat(sb_fname)
1855 if stat.S_ISDIR(s.st_mode):
1858 jitter.func_ret_cdecl(ret_ad, ret)
1862 ret_ad, args = jitter.func_args_stdcall([
'path_ad'])
1863 path = get_str(jitter, args.path_ad)
1864 if path.find(
':') != -1
and path.find(
'\\') != -1:
1869 jitter.func_ret_stdcall(ret_ad, ret)
1873 ret_ad, args = jitter.func_args_stdcall([
'path_ad'])
1874 path = get_str(jitter, args.path_ad)
1875 l = ord(path[0].upper()) - ord(
'A')
1881 jitter.func_ret_stdcall(ret_ad, ret)
1901 ret_ad, args = jitter.func_args_stdcall([
'i_str_ad'])
1906 log.warning(
'WARNING cannot convert int')
1909 jitter.func_ret_stdcall(ret_ad, i)
1913 ret_ad, args = jitter.func_args_stdcall([
'pstr',
'flags',
'pret'])
1914 i_str = get_str(jitter, args.pstr)
1915 if get_str
is get_str_unic:
1920 elif args.flags == 1:
1923 raise ValueError(
'cannot decode int')
1925 jitter.vm.set_mem(args.pret, struct.pack(
'q', r))
1926 jitter.func_ret_stdcall(ret_ad, 1)
1938 ret_ad, args = jitter.func_args_stdcall([
"c"])
1942 log.error(
'bad char %r', args.c)
1944 if c.isalpha(jitter):
1948 jitter.func_ret_stdcall(ret_ad, ret)
1960 ret_ad, args = jitter.func_args_stdcall([
"c"])
1962 if c.isalnum(jitter):
1966 jitter.func_ret_stdcall(ret_ad, ret)
1970 ret_ad, args = jitter.func_args_stdcall([
"ptr_str1",
"ptr_str2",
1974 s1 = s1[:args.nchar]
1975 s2 = s2[:args.nchar]
1976 jitter.func_ret_stdcall(ret_ad,
cmp(s1, s2))
1980 ret_ad, args = jitter.func_args_stdcall([
"hkey",
"subkey",
1981 "reserved",
"access",
1983 s_subkey = get_str(jitter, args.subkey).lower()
if args.subkey
else ""
1987 if args.hkey
in winobjs.hkey_handles:
1989 h = hash(s_subkey) & 0xffffffff
1990 if h
in winobjs.hkey_handles:
1994 log.error(
'unknown skey')
1996 jitter.vm.set_mem(args.phandle,
pck32(ret_hkey))
1998 jitter.func_ret_stdcall(ret_ad, ret)
2010 ret_ad, args = jitter.func_args_stdcall([
"hkey",
"psubkey",
2011 "valuetype",
"pvalue",
2015 jitter.func_ret_stdcall(ret_ad, 0)
2027 ret_ad, _ = jitter.func_args_stdcall(0)
2028 jitter.func_ret_stdcall(ret_ad, 0x40c)
2032 ret_ad, args = jitter.func_args_stdcall([
"localeid",
"lctype",
2033 "lplcdata",
"cchdata"])
2037 if args.localeid == 0x40c:
2038 if args.lctype == 0x3:
2040 buf = buf[:args.cchdata - 1]
2041 jitter.vm.set_mem(args.lplcdata, set_str(buf))
2044 raise ValueError(
'unimpl localeid')
2046 jitter.func_ret_stdcall(ret_ad, ret)
2058 ret_ad, _ = jitter.func_args_stdcall(0)
2059 winobjs.tls_index += 1
2060 jitter.func_ret_stdcall(ret_ad, winobjs.tls_index)
2064 ret_ad, _ = jitter.func_args_stdcall([
"tlsindex"])
2065 jitter.func_ret_stdcall(ret_ad, 0)
2069 ret_ad, args = jitter.func_args_stdcall([
"tlsindex",
"tlsvalue"])
2070 winobjs.tls_values[args.tlsindex] = args.tlsvalue
2071 jitter.func_ret_stdcall(ret_ad, 1)
2075 ret_ad, args = jitter.func_args_stdcall([
"tlsindex"])
2076 if not args.tlsindex
in winobjs.tls_values:
2077 raise ValueError(
"unknown tls val", repr(args.tlsindex))
2078 jitter.func_ret_stdcall(ret_ad, winobjs.tls_values[args.tlsindex])
2082 ret_ad, args = jitter.func_args_stdcall([
"typeflag"])
2085 if args.typeflag == 0:
2088 raise ValueError(
'unimpl keyboard type')
2090 jitter.func_ret_stdcall(ret_ad, ret)
2094 ret_ad, args = jitter.func_args_stdcall([
"ptr"])
2096 s =
"\x00" * 0x2c +
"\x81\x00\x00\x00" +
"\x0a"
2098 jitter.vm.set_mem(args.ptr, s)
2099 jitter.func_ret_stdcall(ret_ad, args.ptr)
2111 ret_ad, _ = jitter.func_args_stdcall(0)
2112 jitter.func_ret_stdcall(ret_ad, 0x113377)
2116 ret_ad, _ = jitter.func_args_stdcall([
"lpcritic"])
2117 jitter.func_ret_stdcall(ret_ad, 0)
2121 ret_ad, args = jitter.func_args_stdcall([
"nindex"])
2124 if args.nindex
in [0x2a, 0x4a]:
2127 raise ValueError(
'unimpl index')
2128 jitter.func_ret_stdcall(ret_ad, ret)
2132 ret_ad, args = jitter.func_args_stdcall([
"version, pwsadata"])
2133 jitter.vm.set_mem(args.pwsadata,
"\x01\x01\x02\x02WinSock 2.0\x00")
2134 jitter.func_ret_stdcall(ret_ad, 0)
2138 ret_ad, args = jitter.func_args_stdcall([
"lpsystemtime"])
2140 s = struct.pack(
'HHHHHHHH',
2150 jitter.vm.set_mem(args.lpsystemtime, s)
2151 jitter.func_ret_stdcall(ret_ad, args.lpsystemtime)
2155 ret_ad, args = jitter.func_args_stdcall([
"lpsystemtime"])
2157 s = struct.pack(
'HHHHHHHH',
2167 jitter.vm.set_mem(args.lpsystemtime, s)
2168 jitter.func_ret_stdcall(ret_ad, args.lpsystemtime)
2172 ret_ad, args = jitter.func_args_stdcall([
"hfile",
"lpattr",
"flprotect",
2173 "dwmaximumsizehigh",
2174 "dwmaximumsizelow",
"lpname"])
2177 if args.hfile == 0xffffffff:
2179 if args.dwmaximumsizehigh:
2180 raise NotImplementedError(
"Untested case")
2181 hmap = StringIO(
"\x00"*args.dwmaximumsizelow)
2182 hmap_handle = winobjs.handle_pool.add(
'filemem', hmap)
2184 ret = winobjs.handle_pool.add(
'filemapping', hmap_handle)
2186 if not args.hfile
in winobjs.handle_pool:
2187 raise ValueError(
'unknown handle')
2188 ret = winobjs.handle_pool.add(
'filemapping', args.hfile)
2189 jitter.func_ret_stdcall(ret_ad, ret)
2201 ret_ad, args = jitter.func_args_stdcall([
"hfile",
"flprotect",
2206 if not args.hfile
in winobjs.handle_pool:
2207 raise ValueError(
'unknown handle')
2208 hmap = winobjs.handle_pool[args.hfile]
2209 if not hmap.info
in winobjs.handle_pool:
2210 raise ValueError(
'unknown file handle')
2212 hfile_o = winobjs.handle_pool[hmap.info]
2214 fd.seek((args.dwfileoffsethigh << 32) | args.dwfileoffsetlow)
2215 data = fd.read(args.length)
if args.length
else fd.read()
2218 log.debug(
'mapp total: %x', len(data))
2223 0x4: PAGE_READ | PAGE_WRITE,
2225 0x20: PAGE_EXEC | PAGE_READ,
2226 0x40: PAGE_EXEC | PAGE_READ | PAGE_WRITE,
2231 if not args.flprotect
in access_dict:
2232 raise ValueError(
'unknown access dw!')
2234 alloc_addr = winobjs.heap.alloc(jitter, len(data))
2235 jitter.vm.set_mem(alloc_addr, data)
2237 winobjs.handle_mapped[alloc_addr] = (hfile_o, args.dwfileoffsethigh,
2238 args.dwfileoffsetlow, length)
2240 jitter.func_ret_stdcall(ret_ad, alloc_addr)
2244 ret_ad, args = jitter.func_args_stdcall([
'ad'])
2246 if not args.ad
in winobjs.handle_mapped:
2247 raise NotImplementedError(
"Untested case")
2249 hfile_o, dwfileoffsethigh, dwfileoffsetlow, length = winobjs.handle_mapped[ad]
2250 off = (dwfileoffsethigh<<32) | dwfileoffsetlow
2251 s = jitter.vm.get_mem(ad, length)
2252 hfile_o.info.seek(off)
2253 hfile_o.info.write(s)
2254 hfile_o.info.close()
2256 jitter.func_ret_stdcall(ret_ad, 1)
2260 ret_ad, args = jitter.func_args_stdcall([
'pathname'])
2262 p = get_str(jitter, args.pathname)
2269 jitter.func_ret_stdcall(ret_ad, ret)
2281 ret_ad, args = jitter.func_args_stdcall([
"lprootpathname",
2282 "lpsectorpercluster",
2284 "lpnumberoffreeclusters",
2285 "lptotalnumberofclusters"])
2288 jitter.vm.set_mem(args.lpsectorpercluster,
pck32(8))
2289 jitter.vm.set_mem(args.lpbytespersector,
pck32(0x200))
2290 jitter.vm.set_mem(args.lpnumberoffreeclusters,
pck32(0x222222))
2291 jitter.vm.set_mem(args.lptotalnumberofclusters,
pck32(0x333333))
2292 jitter.func_ret_stdcall(ret_ad, 1)
2304 ret_ad, args = jitter.func_args_stdcall([
"ad",
"lpbuffer",
"dwl"])
2310 0x4: PAGE_READ | PAGE_WRITE,
2312 0x20: PAGE_EXEC | PAGE_READ,
2313 0x40: PAGE_EXEC | PAGE_READ | PAGE_WRITE,
2316 access_dict_inv = dict([(x[1], x[0])
for x
in access_dict.iteritems()])
2318 all_mem = jitter.vm.get_all_memory()
2320 for basead, m
in all_mem.iteritems():
2321 if basead <= args.ad < basead + m[
'size']:
2325 raise ValueError(
'cannot find mem', hex(args.ad))
2327 if args.dwl != 0x1c:
2328 raise ValueError(
'strange mem len', hex(args.dwl))
2329 s = struct.pack(
'IIIIIII',
2332 access_dict_inv[m[
'access']],
2335 access_dict_inv[m[
'access']],
2337 jitter.vm.set_mem(args.lpbuffer, s)
2338 jitter.func_ret_stdcall(ret_ad, args.dwl)
2342 ret_ad, args = jitter.func_args_stdcall([
"hprocess",
2345 jitter.vm.set_mem(args.procaffmask,
pck32(1))
2346 jitter.vm.set_mem(args.systemaffmask,
pck32(1))
2347 jitter.func_ret_stdcall(ret_ad, 1)
2351 ret_ad, _ = jitter.func_args_cdecl(0)
2352 jitter.func_ret_stdcall(ret_ad, 0x666)
2356 ret_ad, args = jitter.func_args_stdcall([
"hwnd",
"distance",
2360 if args.hwnd == winobjs.module_cur_hwnd:
2362 elif args.hwnd
in winobjs.handle_pool:
2365 raise ValueError(
'unknown hwnd!')
2368 if args.hwnd
in winobjs.files_hwnd:
2369 winobjs.files_hwnd[winobjs.module_cur_hwnd].seek(args.distance)
2370 elif args.hwnd
in winobjs.handle_pool:
2371 wh = winobjs.handle_pool[args.hwnd]
2374 raise ValueError(
'unknown filename')
2375 jitter.func_ret_stdcall(ret_ad, args.distance)
2379 ret_ad, args = jitter.func_args_stdcall([
"hwnd",
"distance_l",
2383 distance = args.distance_l | (args.distance_h << 32)
2385 raise ValueError(
'Not implemented')
2386 if args.pnewfileptr:
2387 raise ValueError(
'Not implemented')
2388 if args.hwnd == winobjs.module_cur_hwnd:
2390 elif args.hwnd
in winobjs.handle_pool:
2393 raise ValueError(
'unknown hwnd!')
2396 if args.hwnd
in winobjs.files_hwnd:
2397 winobjs.files_hwnd[winobjs.module_cur_hwnd].seek(distance)
2398 elif args.hwnd
in winobjs.handle_pool:
2399 wh = winobjs.handle_pool[args.hwnd]
2402 raise ValueError(
'unknown filename')
2403 jitter.func_ret_stdcall(ret_ad, 1)
2407 ret_ad, args = jitter.func_args_stdcall([
'hwnd'])
2408 if args.hwnd
in winobjs.handle_pool:
2409 wh = winobjs.handle_pool[args.hwnd]
2412 raise ValueError(
'unknown filename')
2413 jitter.func_ret_stdcall(ret_ad, 1)
2417 ret_ad, args = jitter.func_args_stdcall([
'hwnd'])
2418 if args.hwnd
in winobjs.handle_pool:
2421 raise ValueError(
'unknown filename')
2422 jitter.func_ret_stdcall(ret_ad, 1)
2426 ret_ad, args = jitter.func_args_stdcall([
"hwnd",
"lpbuffer",
2427 "nnumberofbytestowrite",
2428 "lpnumberofbyteswrite",
2430 data = jitter.vm.get_mem(args.lpbuffer, args.nnumberofbytestowrite)
2432 if args.hwnd == winobjs.module_cur_hwnd:
2434 elif args.hwnd
in winobjs.handle_pool:
2437 raise ValueError(
'unknown hwnd!')
2439 if args.hwnd
in winobjs.files_hwnd:
2440 winobjs.files_hwnd[winobjs.module_cur_hwnd].write(data)
2441 elif args.hwnd
in winobjs.handle_pool:
2442 wh = winobjs.handle_pool[args.hwnd]
2445 raise ValueError(
'unknown filename')
2447 if (args.lpnumberofbyteswrite):
2448 jitter.vm.set_mem(args.lpnumberofbyteswrite,
pck32(len(data)))
2450 jitter.func_ret_stdcall(ret_ad, 1)
2454 ret_ad, args = jitter.func_args_stdcall([
"c"])
2455 ret = 0
if args.c & 0x20
else 1
2456 jitter.func_ret_stdcall(ret_ad, ret)
2460 ret_ad, args = jitter.func_args_stdcall([
"c"])
2461 ret = 1
if args.c & 0x20
else 0
2462 jitter.func_ret_stdcall(ret_ad, ret)
2466 ret_ad, _ = jitter.func_args_stdcall(0)
2467 jitter.func_ret_stdcall(ret_ad, 0x409)
2471 ret_ad, args = jitter.func_args_cdecl([
"msize"])
2472 addr = winobjs.heap.alloc(jitter, args.msize)
2473 jitter.func_ret_cdecl(ret_ad, addr)
2477 ret_ad, _ = jitter.func_args_cdecl([
"ptr"])
2478 jitter.func_ret_cdecl(ret_ad, 0)
2482 ret_ad, args = jitter.func_args_cdecl([
'stream',
'offset',
'orig'])
2483 fd =
upck32(jitter.vm.get_mem(args.stream + 0x10, 4))
2485 if not fd
in winobjs.handle_pool:
2486 raise NotImplementedError(
"Untested case")
2487 o = winobjs.handle_pool[fd]
2488 o.info.seek(args.offset, args.orig)
2489 jitter.func_ret_cdecl(ret_ad, 0)
2493 ret_ad, args = jitter.func_args_cdecl([
"stream"])
2494 fd =
upck32(jitter.vm.get_mem(args.stream + 0x10, 4))
2496 if not fd
in winobjs.handle_pool:
2497 raise NotImplementedError(
"Untested case")
2498 o = winobjs.handle_pool[fd]
2500 jitter.func_ret_cdecl(ret_ad, off)
2504 ret_ad, args = jitter.func_args_cdecl([
"stream"])
2505 fd =
upck32(jitter.vm.get_mem(args.stream + 0x10, 4))
2506 if not fd
in winobjs.handle_pool:
2507 raise NotImplementedError(
"Untested case")
2508 o = winobjs.handle_pool[fd]
2510 jitter.func_ret_cdecl(ret_ad, 0)
2514 ret_ad, args = jitter.func_args_cdecl([
"buf",
"size",
"nmemb",
"stream"])
2515 fd =
upck32(jitter.vm.get_mem(args.stream + 0x10, 4))
2516 if not fd
in winobjs.handle_pool:
2517 raise NotImplementedError(
"Untested case")
2519 data = winobjs.handle_pool[fd].info.read(args.size * args.nmemb)
2520 jitter.vm.set_mem(args.buf, data)
2521 jitter.func_ret_cdecl(ret_ad, args.nmemb)
2525 ret_ad, args = jitter.func_args_cdecl([
'stream'])
2526 fd =
upck32(jitter.vm.get_mem(args.stream + 0x10, 4))
2528 if not fd
in winobjs.handle_pool:
2529 raise NotImplementedError(
"Untested case")
2530 o = winobjs.handle_pool[fd]
2532 jitter.func_ret_cdecl(ret_ad, 0)
2536 ret_ad, _ = jitter.func_args_cdecl([
"func"])
2537 jitter.func_ret_cdecl(ret_ad, 0)
2541 ret_ad, args = jitter.func_args_stdcall([
"hwnd",
"lptext",
2542 "lpcaption",
"utype"])
2547 log.info(
'Caption: %r Text: %r', caption, text)
2549 jitter.func_ret_stdcall(ret_ad, 0)
2553 ret_ad, args = jitter.func_args_stdcall([
"l",
"buf"])
2556 jitter.vm.set_mem(args.buf, func(l +
'\x00'))
2557 jitter.func_ret_stdcall(ret_ad, len(l))
2573 ret_ad, args = jitter.func_args_stdcall([
"path",
"ext",
"unique",
"buf"])
2576 ext =
get_str_ansi(jitter, args.ext)
if args.ext
else 'tmp'
2577 path =
get_str_ansi(jitter, args.path)
if args.path
else "xxx"
2578 fname = path +
"\\" +
"temp%.4d" % temp_num +
"." + ext
2579 jitter.vm.set_mem(args.buf, fname)
2581 jitter.func_ret_stdcall(ret_ad, 0)
2592 dwreserved1 = 0x1337beef
2594 alternamefilename =
""
2597 for k, v
in kargs.items():
2601 s = struct.pack(
'=IQQQIIII',
2610 fname = self.
cfilename +
'\x00' * MAX_PATH
2611 fname = fname[:MAX_PATH]
2628 index = len(self.
flist)
2629 self.flist.append(flist)
2642 findex, index = self.
handles[h]
2643 if index >= len(self.
flist[findex]):
2645 fname = self.
flist[findex][index]
2652 ret_ad, args = jitter.func_args_stdcall([
"pfilepattern",
"pfindfiledata"])
2655 h = winobjs.find_data.findfirst(filepattern)
2657 fname = winobjs.find_data.findnext(h)
2660 jitter.vm.set_mem(args.pfindfiledata, fdata.toStruct())
2661 jitter.func_ret_stdcall(ret_ad, h)
2665 ret_ad, args = jitter.func_args_stdcall([
"handle",
"pfindfiledata"])
2667 fname = winobjs.find_data.findnext(args.handle)
2673 jitter.vm.set_mem(args.pfindfiledata, fdata.toStruct())
2675 jitter.func_ret_stdcall(ret_ad, ret)
2679 ret_ad, args = jitter.func_args_stdcall([
"sys_ptr"])
2681 jitter.vm.set_mem(args.sys_ptr, sysinfo.pack())
2682 jitter.func_ret_stdcall(ret_ad, 0)
2686 o = struct.unpack(
'IHHHBBBBBB', r)
2687 return '{%.8X-%.4X-%.4X-%.4X-%.2X%.2X%.2X%.2X%.2X%.2X}' % o
2690 digs = string.digits + string.lowercase
2703 digits.append(digs[x % base])
2708 return ''.join(digits)
2712 ret_ad, args = jitter.func_args_cdecl([
"value",
"p",
"radix"])
2714 value = args.value & 0xFFFFFFFF
2715 if not args.radix
in [10, 16, 20]:
2716 raise ValueError(
"Not tested")
2719 jitter.func_ret_cdecl(ret_ad, args.p)
2723 ret_ad, args = jitter.func_args_cdecl([
"pfname",
"pmode"])
2725 fname = func(jitter, args.pfname)
2726 rw = func(jitter, args.pmode)
2730 if rw
in [
'r', 'rb', 'wb+']:
2732 h = open(sb_fname, rw)
2733 eax = winobjs.handle_pool.add(sb_fname, h)
2735 alloc_addr = winobjs.heap.alloc(jitter, dwsize)
2738 jitter.vm.set_mem(alloc_addr, pp)
2741 raise ValueError(
'unknown access mode %s' % rw)
2743 jitter.func_ret_cdecl(ret_ad, alloc_addr)
2755 ret_ad, args = jitter.func_args_cdecl([
"src"])
2758 jitter.func_ret_cdecl(ret_ad, len(s))
def ntoskrnl_MmMapLockedPagesSpecifyCache
def shlwapi_PathIsFileSpec
def ntdll_RtlFindCharInUnicodeString
def kernel32_GetFileSizeEx
def kernel32_GetModuleHandleW
def kernel32_VirtualAlloc
def ntdll_RtlLargeIntegerAdd
def kernel32_GetTickCount
def kernel32_SHGetPathFromIDList
def kernel32_GetDriveType
def hal_ExReleaseFastMutex
def user32_GetKeyboardType
def ntdll_RtlEnlargedUnsignedMultiply
def kernel32_FindFirstFileA
def ntdll_RtlAnsiCharToUnicodeChar
def kernel32_VirtualQuery
def advapi32_CryptDeriveKey
def kernel32_CreateToolhelp32Snapshot
def ntdll_ZwAllocateVirtualMemory
int lpMinimumApplicationAddress
def shlwapi_PathRemoveFileSpecW
def kernel32_IsBadReadPtr
def ntoskrnl_MmProtectMdlSystemAddress
def advapi32_RegSetValueW
int lpMaximumApplicationAddress
def kernel32_GetLocaleInfoA
def kernel32_GetDiskFreeSpaceW
def kernel32_GetProcessAffinityMask
def kernel32_GetLocalTime
def ntdll_RtlAnsiStringToUnicodeString
def shell32_SHGetPathFromIDListA
def kernel32_SetFileAttributesA
def kernel32_SetPriorityClass
def kernel32_VirtualProtect
def kernel32_GetCurrentThreadId
def kernel32_GetSystemTime
def shell32_SHGetSpecialFolderLocation
def advapi32_CryptHashData
def kernel32_GetCurrentProcessId
def kernel32_GetDriveTypeW
def kernel32_GetSystemDirectoryW
def kernel32_WaitForSingleObject
def ntdll_RtlInitAnsiString
def shlwapi_PathIsDirectoryW
def shlwapi_PathIsFileSpecW
def shlwapi_PathGetDriveNumber
def user32_GetSystemMetrics
def kernel32_CreateMutexA
def ntdll_LdrGetProcedureAddress
def advapi32_CryptCreateHash
def shlwapi_PathGetDriveNumberA
def kernel32_CreateMutexW
def advapi32_CryptAcquireContextW
def ntdll_RtlLargeIntegerSubtract
def kernel32_GetEnvironmentVariableA
def kernel32_LoadLibraryW
def ntdll_RtlExtendedIntegerMultiply
def kernel32_GetStartupInfoA
def kernel32_GetCommandLineA
def kernel32_Process32Next
def kernel32_GetStartupInfoW
def kernel32_SetLastError
def kernel32_GetModuleFileNameA
def kernel32_RtlMoveMemory
def kernel32_GetLocaleInfo
def kernel32_GetLastError
def my_GetEnvironmentVariable
def shlwapi_PathFindExtensionA
def ntdll_RtlHashUnicodeString
def kernel32_CreateDirectoryA
def advapi32_RegSetValueA
def kernel32_GetNativeSystemInfo
def kernel32_FlushInstructionCache
def kernel32_CreateFileMappingA
def shlwapi_PathIsFileSpecA
def kernel32_GetVolumeInformationA
def kernel32_GetModuleFileName
def ntdll_RtlCompareMemory
def shlwapi_StrToInt64ExW
def advapi32_CryptGetHashParam
def kernel32_GetCommandLineW
def kernel32_FlushFileBuffers
def kernel32_GetSystemDirectoryA
def ntoskrnl_IoAllocateMdl
def kernel32_IsDebuggerPresent
def ntoskrnl_ExAllocatePoolWithTagPriority
def my_GetSystemDirectory
def user32_GetWindowLongA
def ntdll_ZwFreeVirtualMemory
def kernel32_GetDriveTypeA
def ntdll_ZwUnmapViewOfSection
def shlwapi_PathGetDriveNumberW
def kernel32_CreateEventA
def kernel32_GetThreadLocale
def my_GetVolumeInformation
def hal_ExAcquireFastMutex
def shell32_CommandLineToArgvW
def advapi32_CryptReleaseContext
def kernel32_UnmapViewOfFile
def kernel32_SetFilePointerEx
def kernel32_GetLocaleInfoW
def ntoskrnl_RtlGetVersion
def advapi32_CryptDestroyHash
def advapi32_RegOpenKeyExW
def kernel32_CreateEventW
def ntoskrnl_RtlQueryRegistryValues
def kernel32_GetVolumeInformationW
def kernel32_LoadLibraryA
def kernel32_GetStartupInfo
def kernel32_GetTempPathA
int dwActiveProcessorMask
def kernel32_GetTempFileNameA
def advapi32_CryptAcquireContextA
def kernel32_CreateDirectoryW
def kernel32_GetModuleHandle
def advapi32_CryptDecrypt
def kernel32_MultiByteToWideChar
def ntdll_RtlLargeIntegerShiftRight
def user32_IsCharAlphaNumericA
def kernel32_LoadLibraryExA
def kernel32_MapViewOfFile
def kernel32_GetCurrentProcess
def kernel32_FindNextFileA
def kernel32_InitializeCriticalSection
def kernel32_GetProcAddress
def kernel32_GetSystemDefaultLangID
def kernel32_CreateFileMappingW
def kernel32_GetModuleHandleA
def advapi32_CryptAcquireContext
def kernel32_myGetTempPath
def kernel32_GetSystemInfo
def kernel32_SetFilePointer
def ntdll_ZwProtectVirtualMemory
def kernel32_Process32First
def ntdll_ZwQuerySystemInformation
def ntoskrnl_MmUnlockPages
def kernel32_SetEndOfFile
def kernel32_GetPriorityClass
def advapi32_RegOpenKeyEx
def kernel32_GetTempPathW
def ntdll_RtlComputeCrc32
def advapi32_RegOpenKeyExA
def kernel32_IsWow64Process
def kernel32_GetModuleFileNameW
def kernel32_GetDiskFreeSpaceA
def kernel32_GetVersionEx
def kernel32_RestoreLastError
def ntoskrnl_MmProbeAndLockPages
def user32_GetForegroundWindow
def kernel32_GetDiskFreeSpace
def user32_SetWindowLongA
def ntdll_RtlFreeUnicodeString
def shell32_SHGetPathFromIDListW
def ntoskrnl_KeInitializeEvent
def kernel32_GetUserGeoID
def shlwapi_StrToInt64ExA
def kernel32_GetEnvironmentVariableW
def kernel32_CreateFileMapping
int dwAllocationgranularity
def shlwapi_PathIsPrefixW
def ntoskrnl_RtlVerifyVersionInfo