contrast-agent 3.8.4

data/funchook/distorm/examples/cs/distorm-net/distorm-net.csproj

@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{137ADE63-2489-4235-91C6-6CB664CAB63F}</ProjectGuid>
+    <OutputType>Library</OutputType>
+    <AppDesignerFolder>Properties</AppDesignerFolder>
+    <RootNamespace>diStorm</RootNamespace>
+    <AssemblyName>diStorm</AssemblyName>
+    <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <TargetFrameworkProfile />
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+    <PlatformTarget>x64</PlatformTarget>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+    <PlatformTarget>x64</PlatformTarget>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="System" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="CodeInfo.cs" />
+    <Compile Include="diStorm3.cs" />
+    <Compile Include="Opcodes.cs">
+      <AutoGen>True</AutoGen>
+      <DesignTime>True</DesignTime>
+      <DependentUpon>Opcodes.tt</DependentUpon>
+    </Compile>
+    <Compile Include="Properties\AssemblyInfo.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="Opcodes.tt">
+      <Generator>TextTemplatingFileGenerator</Generator>
+      <LastGenOutput>Opcodes.cs</LastGenOutput>
+    </None>
+  </ItemGroup>
+  <ItemGroup>
+    <Service Include="{508349B6-6B84-4DF5-91F0-309BEEBAD82D}" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="DecodedResult.cs" />
+    <Compile Include="DecomposedInst.cs" />
+    <Compile Include="DecodedInst.cs" />
+    <Compile Include="DecomposedResult.cs" />
+    <Compile Include="Operand.cs" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+  <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
+       Other similar extension points exist, see Microsoft.Common.targets.
+  <Target Name="BeforeBuild">
+  </Target>
+  <Target Name="AfterBuild">
+  </Target>
+  -->
+</Project>

data/funchook/distorm/examples/cs/readme

@@ -0,0 +1,3 @@
+This is a .NET Wrapper of the distorm project for seamless decompilation of 32-bit and 64-bit intel binaries.
+This project is licensed under the GPLv3.
+By Dan Shechter

data/funchook/distorm/examples/ddk/README

@@ -0,0 +1,48 @@
+diStorm3 for Ring 0
+Gil Dabah Aug 2010
+http://ragestorm.net/distorm/
+
+Tested sample with DDK 7600.16385.1 using WinXPSP2.
+
+Steps of how to build the diStorm64 sample using the DDK.
+
+Warning - Make sure the path you extracted diStorm to does not include any spaces, otherwise you will get an error from the build.
+
+1) Open the DDK's build environment, for example: "Win XP Free Build Environment",
+which readies the evnrionment variables for building a driver. Or run the SETENV.BAT in console.
+
+2) Launch "build", once you're in the directory of the /ddkproj.
+
+3) If everything worked smoothly, you should see a new file named "distorm.sys" under objfre_wxp_x86\i386
+(that's if you use WinXP and the Free Environment).
+
+	- If you experienced any errors, try moving the whole distorm directory to c:\winddk\src\
+	  (or any other directory tree which doesn't contain spaces in its name).
+
+4) Now you will have to register the new driver:
+	a. Copy the distorm.sys file to \windows\system32\drivers\.
+	b. Use the DDK's regini.exe with the supplied distorm.ini.
+	c. Restart Windows for the effect to take place. :(
+
+ **The alternative is to use some tool like KmdManager.exe, which will register the driver without a need for the .ini file, nor a reboot.
+
+
+5) Now open your favorite debug-strings monitor (mine is DebugView).
+Make sure you monitor kernel debug-strings.
+
+6) Launching "net start distorm" from command line, will run the DriverEntry code in "main.c",
+which will disassemble a few instructions from the KeBugcheck routine and dump it using DbgPrint.
+
+
+NOTES:
+-+----
+The sample uses the stack for storing the results from the decode function.
+If you have too many structures on the stack, you better allocate memory before calling the decode function,
+and later on free that memory. Don't use the NONPAGED pool if you don't really need it.
+
+_OffsetType is the type of the DecodedInstruction.Offset field, which defaults to 64bits,
+so make sure that when you print this variable you use %I64X, or when you use it anywhere else, you use the _OffsetType as well.
+Notice that we call directly distorm_decode64, since we SUPPORT_64BIT_OFFSET and because we don't have the macros of distorm.h.
+
+diStorm can be really compiled for all IRQL, it doesn't use any resource or the standard C library at all.
+Although the sample uses diStorm at PASSIVE level.

data/funchook/distorm/examples/ddk/distorm.ini

@@ -0,0 +1,11 @@
+\registry\machine\system\currentcontrolset\services\distorm
+	ImagePath = system32\drivers\distorm.sys
+	DisplayName = "distorm"
+	Type = REG_DWORD 0x1
+	Start = REG_DWORD 0x3
+	Group = Extended base
+	ErrorControl = REG_DWORD 0x1
+\registry\machine\system\currentcontrolset\services\distorm\Parameters
+	BreakOnEntry = REG_DWORD 0x0
+	DebugMask = REG_DWORD 0x0
+	LogEvents = REG_DWORD 0x0

data/funchook/distorm/examples/ddk/dummy.c

@@ -0,0 +1,15 @@
+// Since the DDK's nmake is limited with directories, we will bypass that with this simple hack.
+// Thanks to Razvan Hobeanu.
+// Sep 2009.
+
+
+#include "../src/mnemonics.c"
+#include "../src/wstring.c"
+#include "../src/textdefs.c"
+#include "../src/x86defs.c"
+#include "../src/prefix.c"
+#include "../src/operands.c"
+#include "../src/insts.c"
+#include "../src/instructions.c"
+#include "../src/distorm.c"
+#include "../src/decoder.c"

data/funchook/distorm/examples/ddk/main.c

@@ -0,0 +1,91 @@
+/*
+ * main.c
+ * Sample kernel driver to show how diStorm can be easily compiled and used in Ring 0.
+ *
+ * /// Follow the README file in order to compile diStorm using the DDK. \\\
+ * 
+ * Izik, Gil Dabah
+ * Jan 2007
+ * http://ragestorm.net/distorm/
+ */
+
+#include <ntddk.h>
+#include "../include/distorm.h"
+#include "dummy.c"
+
+// The number of the array of instructions the decoder function will use to return the disassembled instructions.
+// Play with this value for performance...
+#define MAX_INSTRUCTIONS (15)
+
+void DriverUnload(IN PDRIVER_OBJECT DriverObject)
+{
+}
+
+NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
+{
+	UNICODE_STRING pFcnName;
+	
+	// Holds the result of the decoding.
+	_DecodeResult res;
+	// Decoded instruction information.
+	_DecodedInst decodedInstructions[MAX_INSTRUCTIONS];
+	// next is used for instruction's offset synchronization.
+	// decodedInstructionsCount holds the count of filled instructions' array by the decoder.
+	unsigned int decodedInstructionsCount = 0, i, next;
+	// Default decoding mode is 32 bits, could be set by command line.
+	_DecodeType dt = Decode32Bits;
+
+	// Default offset for buffer is 0, could be set in command line.
+	_OffsetType offset = 0;
+	char* errch = NULL;
+
+	// Buffer to disassemble.
+	unsigned char *buf;
+	int len = 100;
+
+	// Register unload routine
+	DriverObject->DriverUnload = DriverUnload;
+
+	DbgPrint("diStorm Loaded!\n");
+
+	// Get address of KeBugCheck
+	RtlInitUnicodeString(&pFcnName, L"KeBugCheck");
+	buf = (char *)MmGetSystemRoutineAddress(&pFcnName);
+	offset = (unsigned) (_OffsetType)buf;
+
+	DbgPrint("Resolving KeBugCheck @ 0x%08x\n", buf);
+	// Decode the buffer at given offset (virtual address).
+
+	while (1) {
+		res = distorm_decode64(offset, (const unsigned char*)buf, len, dt, decodedInstructions, MAX_INSTRUCTIONS, &decodedInstructionsCount);
+		if (res == DECRES_INPUTERR) {
+			DbgPrint(("NULL Buffer?!\n"));
+			break;
+		}
+
+		for (i = 0; i < decodedInstructionsCount; i++) {
+			// Note that we print the offset as a 64 bits variable!!!
+			// It might be that you'll have to change it to %08X...
+			DbgPrint("%08I64x (%02d) %s %s %s\n", decodedInstructions[i].offset, decodedInstructions[i].size, 
+				 (char*)decodedInstructions[i].instructionHex.p,
+				 (char*)decodedInstructions[i].mnemonic.p,
+				 (char*)decodedInstructions[i].operands.p);
+		}
+
+		if (res == DECRES_SUCCESS || decodedInstructionsCount == 0) {
+			break; // All instructions were decoded.
+		}
+
+		// Synchronize:
+		next = (unsigned int)(decodedInstructions[decodedInstructionsCount-1].offset - offset);
+		next += decodedInstructions[decodedInstructionsCount-1].size;
+
+		// Advance ptr and recalc offset.
+		buf += next;
+		len -= next;
+		offset += next;
+	}
+
+	DbgPrint(("Done!\n"));
+	return STATUS_UNSUCCESSFUL; // Make sure the driver doesn't stay resident, so we can recompile and run again!
+}

data/funchook/distorm/examples/ddk/makefile

@@ -0,0 +1 @@
+!INCLUDE $(NTMAKEENV)\makefile.def

data/funchook/distorm/examples/ddk/sources

@@ -0,0 +1,10 @@
+TARGETNAME = distorm
+TARGETPATH = obj
+TARGETTYPE = DRIVER
+
+C_DEFINES = $(C_DEFINES) -DSUPPORT_64BIT_OFFSET -DLIBDISTORM
+
+INCLUDES   = %BUILD%\inc;..\src;
+LIBS       = %BUILD%\lib
+
+SOURCES    = main.c

data/funchook/distorm/examples/java/Makefile

@@ -0,0 +1,23 @@
+UNAME_S := $(shell uname -s)
+
+ifeq ($(UNAME_S),Darwin)
+
+JAVA_HOME=$(shell /usr/libexec/java_home)
+
+all: libjdistorm.dylib
+libjdistorm.dylib: jdistorm.c jdistorm.h
+	gcc -dynamiclib -o libjdistorm.dylib jdistorm.c -I ${JAVA_HOME}/include/ -I ${JAVA_HOME}/include/darwin/ -ldistorm3
+
+endif
+
+ifeq ($(UNAME_S),Linux)
+
+all: libjdistorm.so
+jdistorm.o: jdistorm.c jdistorm.h
+        gcc -c jdistorm.c -fPIC -I ${JAVA_HOME}/include -I ${JAVA_HOME}/include/linux
+
+libjdistorm.so: jdistorm.o
+        gcc -shared -o libjdistorm.so -L${JAVA_HOME}/jre/lib -ldistorm3 jdistorm.o
+
+endif
+

data/funchook/distorm/examples/java/distorm/src/Main.java

@@ -0,0 +1,43 @@
+import java.nio.ByteBuffer;
+
+import diStorm3.distorm3.*;
+import diStorm3.CodeInfo;
+import diStorm3.DecodedInst;
+import diStorm3.OpcodeEnum;
+import diStorm3.distorm3;
+import diStorm3.DecodedResult;
+import diStorm3.DecomposedResult;
+import diStorm3.DecomposedInst;
+
+public class Main {
+
+	public static void main(String[] args) {
+		byte[] buf = new byte[4];
+		buf[0] = (byte)0xc3;
+		buf[1] = (byte)0x33;
+		buf[2] = (byte)0xc0;
+		buf[3] = (byte)0xc3;
+		CodeInfo ci = new CodeInfo((long)0x1000, buf, DecodeType.Decode32Bits, 0);
+		DecodedResult dr = new DecodedResult(10);
+		distorm3.Decode(ci, dr);
+
+		for (DecodedInst x : dr.mInstructions) {
+			String s = String.format("%x %s %s", x.getOffset(), x.getMnemonic(), x.getOperands());
+			System.out.println(s);
+		}
+
+		DecomposedResult dr2 = new DecomposedResult(10);
+		distorm3.Decompose(ci, dr2);
+
+		for (DecomposedInst y: dr2.mInstructions) {
+			if (y.getOpcode() != OpcodeEnum.RET) {
+				DecodedInst x = distorm3.Format(ci, y);
+				String s = String.format("%x %s %s", x.getOffset(), x.getMnemonic(), x.getOperands());
+				System.out.println(s);
+			}
+		}
+
+	}
+
+
+}

data/funchook/distorm/examples/java/distorm/src/diStorm3/CodeInfo.java

@@ -0,0 +1,27 @@
+package diStorm3;
+
+import java.nio.ByteBuffer;
+
+public class CodeInfo {
+	public CodeInfo(long codeOffset, ByteBuffer code, distorm3.DecodeType dt, int features) {
+		mCodeOffset = codeOffset;
+		mCode = code;
+		mDecodeType = dt.ordinal();
+		mFeatures = features;
+	}
+
+	public CodeInfo(long codeOffset, byte[] rawCode, distorm3.DecodeType dt, int features) {
+		mCode = ByteBuffer.allocateDirect(rawCode.length);
+		mCode.put(rawCode);
+
+		mCodeOffset = codeOffset;
+		mDecodeType = dt.ordinal();
+		mFeatures = features;
+	}
+
+	private long mCodeOffset;
+	private long mNextOffset;
+	private ByteBuffer mCode;
+	private int mDecodeType;
+	private int mFeatures;
+}

data/funchook/distorm/examples/java/distorm/src/diStorm3/DecodedInst.java

@@ -0,0 +1,32 @@
+package diStorm3;
+
+public class DecodedInst {
+	DecodedInst()
+	{
+	}
+	private String mMnemonic;
+	private String mOperands;
+	private String mHex;
+	private int mSize;
+	private long mOffset;
+
+	public String getMnemonic() {
+		return mMnemonic;
+	}
+	
+	public String getOperands() {
+		return mOperands;
+	}
+	
+	public String getHex() {
+		return mHex;
+	}
+	
+	public int getSize() {
+		return mSize;
+	}
+	
+	public long getOffset() {
+		return mOffset;
+	}
+}

data/funchook/distorm/examples/java/distorm/src/diStorm3/DecodedResult.java

@@ -0,0 +1,11 @@
+package diStorm3;
+
+public class DecodedResult {
+	public DecodedResult(int maxInstructions) {
+		mMaxInstructions = maxInstructions;
+		mInstructions = null;
+	}
+
+	public DecodedInst[] mInstructions;
+	private int mMaxInstructions;
+}

data/funchook/distorm/examples/java/distorm/src/diStorm3/DecomposedInst.java

@@ -0,0 +1,89 @@
+package diStorm3;
+
+import diStorm3.Operand;
+import diStorm3.Opcodes;
+
+public class DecomposedInst {
+	private class ImmVariant {
+		private long mValue;
+		private int mSize;
+
+		public long getImm() {
+			return mValue;
+		}
+
+		public int getSize() {
+			return mSize;
+		}
+	}
+
+	private class DispVariant {
+
+		private long mDisplacement;
+		private int mSize;
+
+		public long getDisplacement() {
+			return mDisplacement;
+		}
+
+		public int getSize() {
+			return mSize;
+		}
+	}
+
+	private long mAddr;
+	private int mSize;
+	private int mFlags;
+	private int mSegment;
+	private int mBase, mScale;
+	private int mOpcode;
+	public Operand[] mOperands;
+	public DispVariant mDisp;
+	public ImmVariant mImm;
+	private int mUnusedPrefixesMask;
+	private int mMeta;
+	private int mRegistersMask;
+	private int mModifiedFlagsMask;
+	private int mTestedFlagsMask;
+	private int mUndefinedFlagsMask;
+
+	public long getAddress() {
+		return mAddr;
+	}
+	public int getSize() {
+		return mSize;
+	}
+	public OpcodeEnum getOpcode() {
+		return Opcodes.lookup(mOpcode);
+	}
+	public int getSegment() {
+		return mSegment & 0x7f;
+	}
+	public boolean isSegmentDefault() {
+		return (mSegment & 0x80) == 0x80;
+	}
+	public int getBase() {
+		return mBase;
+	}
+	public int getScale() {
+		return mScale;
+	}
+	public int getUnusedPrefixesMask() {
+		return mUnusedPrefixesMask;
+	}
+	public int getMeta() {
+		return mMeta;
+	}
+	public int getRegistersMask() {
+		return mRegistersMask;
+	}
+	public int getModifiedFlagsMask() {
+		return mModifiedFlagsMask;
+	}
+	public int getTestedFlagsMask() {
+		return mTestedFlagsMask;
+	}
+	public int getUndefinedFlagsMask() {
+		return mUndefinedFlagsMask;
+	}
+}