FilesExpand file tree

 main

/

apisetmap.py

Copy path

BlameMore file actions

BlameMore file actions

Latest commit

 

History

History

History

181 lines (140 loc) · 6.26 KB

 main

/

apisetmap.py

Top

File metadata and controls

• Code
• Blame

181 lines (140 loc) · 6.26 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

import ctypes

import windows

import windows.generated_def as gdef

from windows import utils

def get_api_set_map_for_current_process(base):

base = windows.current_process.peb.ApiSetMap

version = windows.current_process.read_dword(base)

if version not in API_SET_MAP_BY_VERSION:

raise NotImplementedError("ApiSetMap version <{0}> not implemented, please contact me, I need a sample to implement it ;)")

return API_SET_MAP_BY_VERSION[version](base)

class ApiSetMap(object):

"""The base class for the ApiSeMap

(see `Runtime DLL name resolution: ApiSetSchema <https://blog.quarkslab.com/runtime-dll-name-resolution-apisetschema-part-ii.html>`_)

"""

version = None #: The version of the ApiSetMap

def __init__(self, base):

self.base = base

self.target = windows.current_process

# helpers

def read_apiset_wstring(self, offset, length):

return self.target.read_memory(self.base + offset, length).decode("utf-16")

# Low-level version-dependent parsing function

def entries_array(self):

raise NotImplementedError("Should be implemented by subclasses")

def get_entry_name(self, entry):

raise NotImplementedError("Should be implemented by subclasses")

def get_entry_name_basicimpl(self, entry):

return self.read_apiset_wstring(entry.NameOffset, entry.NameLength)

def values_for_entry(self, entry):

raise NotImplementedError("Should be implemented by subclasses")

@utils.fixedpropety

def apisetmap_dict(self):

"""The apisetmap dll-mapping content extracted from memory as a :class:`dict`

``key -> value example``::

u'ext-ms-win-advapi32-encryptedfile-l1-1-1' -> u'advapi32.dll'

"""

res = {}

for entry in self.entries_array():

values = self.values_for_entry(entry)

if not values:

final_value = None

else:

final_value = values[-1]

res[self.get_entry_name(entry)] = final_value

return res

@utils.fixedpropety

def resolution_dict(self):

"""The :class:`dict` based on :obj:`apisetmap_dict` with only the part checked by ``Windows``.

``Windows`` does not care about what is after the last ``-``

``key -> value example``::

u'ext-ms-win-advapi32-encryptedfile-l1-1-' -> u'advapi32.dll'

"""

res = {}

for name, resolved_name in self.apisetmap_dict.items():

# ApiSetResolveToHost does not care about last version + extension

# It remove everything after the last '-'

# Possible to have no '-' ?

try:

cutname = name[:name.rindex("-") + 1]

except ValueError as e:

cutname = name

res[cutname] = resolved_name

return res

def resolve(self, dllname):

"""The method used to resolve a DLL name using the ApiSetMap.

The behavior should match the non-exported function ``ntdll!ApiSetResolveToHost``

"""

try:

cutname = dllname[:dllname.rindex("-") + 1]

except ValueError as e:

return None

return self.resolution_dict[cutname]

class ApiSetMapVersion2(ApiSetMap):

"""Represent an ApiSetMap version-2"""

version = 2 #: The version of the ApiSetMap

def namespace(self):

return gdef.API_SET_NAMESPACE_ARRAY_V2.from_address(self.base)

def entries_array(self):

namespace = self.namespace()

array_addr = ctypes.addressof(namespace.Array)

array_size = namespace.Count

return (gdef.API_SET_NAMESPACE_ENTRY_V2 * array_size).from_address(array_addr)

get_entry_name = ApiSetMap.get_entry_name_basicimpl

def values_for_entry(self, entry):

values_array_v2 = (gdef.API_SET_VALUE_ARRAY_V2).from_address(self.base + entry.DataOffset)

array_size = values_array_v2.Count

array_addr = ctypes.addressof(values_array_v2.Array)

values_array = (gdef.API_SET_VALUE_ENTRY_V2 * array_size).from_address(array_addr)

res = []

for value in values_array:

if value.ValueLength:

v = self.read_apiset_wstring(value.ValueOffset, value.ValueLength)

res.append(v)

return res

class ApiSetMapVersion4(ApiSetMap):

"""Represent an ApiSetMap version-4"""

version = 4 #: The version of the ApiSetMap

def namespace(self):

return gdef.API_SET_NAMESPACE_ARRAY_V4.from_address(self.base)

def entries_array(self):

namespace = self.namespace()

array_addr = ctypes.addressof(namespace.Array)

array_size = namespace.Count

return (gdef.API_SET_NAMESPACE_ENTRY_V4 * array_size).from_address(array_addr)

get_entry_name = ApiSetMap.get_entry_name_basicimpl

def values_for_entry(self, entry):

values_array_v2 = (gdef.API_SET_VALUE_ARRAY_V4).from_address(self.base + entry.DataOffset)

array_size = values_array_v2.Count

array_addr = ctypes.addressof(values_array_v2.Array)

values_array = (gdef.API_SET_VALUE_ENTRY * array_size).from_address(array_addr)

res = []

for value in values_array:

if value.ValueLength:

v = self.read_apiset_wstring(value.ValueOffset, value.ValueLength)

res.append(v)

return res

class ApiSetMapVersion6(ApiSetMap):

"""Represent an ApiSetMap version-6"""

version = 6 #: The version of the ApiSetMap

def namespace(self):

return gdef.API_SET_NAMESPACE_V6.from_address(self.base)

get_entry_name = ApiSetMap.get_entry_name_basicimpl

def entries_array(self):

namespace = self.namespace()

array_offset = namespace.EntryOffset

array_size = namespace.Count

return (gdef.API_SET_NAMESPACE_ENTRY_V6 * array_size).from_address(self.base + array_offset)

def values_for_entry(self, entry):

values_array = (gdef.API_SET_VALUE_ENTRY * entry.ValueCount).from_address(self.base + entry.ValueOffset)

res = []

for value in values_array:

if value.ValueLength:

v = self.read_apiset_wstring(value.ValueOffset, value.ValueLength)

res.append(v)

return res

API_SET_MAP_BY_VERSION = {

2: ApiSetMapVersion2,

4: ApiSetMapVersion4,

6: ApiSetMapVersion6,

}