; Extended Win32 programming headers (ASCII)
include 'win32a.inc'
include 'macro/if.inc'
; allow_nesting: let one call be used as an argument of another, e.g.
; invoke Foo,<invoke Bar,x>. It redefines pushd so that a value whose
; first token is invoke/stdcall/cinvoke/ccall is emitted as that call
; first, followed by a push of the eax it returns, and redefines the
; four call macros to go through this pushd. Every nested level calls
; allow_nesting again and purges its five definitions once the inner
; call has been emitted, which brings the outer level's copies back.
; Because the inner call is emitted in the middle of the outer call's
; argument pushes (arguments go right to left), esp-relative operands
; inside it are offset by whatever the outer call has already pushed.
macro allow_nesting
{ macro pushd value
\{ match ,value \\{
pushx equ \\}                       ; empty argument: emit nothing
match =pushx =invoke proc,pushx value \\{
allow_nesting                       ; the nested call may nest further
invoke proc                         ; emit the inner call first ...
purge pushd,invoke,stdcall,cinvoke,ccall
push eax                            ; ... then pass its return value
pushx equ \\}                       ; handled: later matches see an empty pushx
match =pushx =stdcall proc,pushx value \\{
allow_nesting
stdcall proc
purge pushd,invoke,stdcall,cinvoke,ccall
push eax
pushx equ \\}
match =pushx =cinvoke proc,pushx value \\{
allow_nesting
cinvoke proc
purge pushd,invoke,stdcall,cinvoke,ccall
push eax
pushx equ \\}
match =pushx =ccall proc,pushx value \\{
allow_nesting
ccall proc
purge pushd,invoke,stdcall,cinvoke,ccall
push eax
pushx equ \\}
match =pushx,pushx \\{              ; plain value: defer to the outer pushd
pushd <value>                       ; <...> keeps commas inside the value together
pushx equ \\}
restore pushx \}
macro invoke proc,[arg]             ; stdcall through an import table slot
\{ \reverse pushd <arg>             ; arguments are pushed right to left
\common call [proc] \}
macro stdcall proc,[arg]            ; stdcall to a local procedure
\{ \reverse pushd <arg>
\common call proc \}
macro cinvoke proc,[arg]            ; cdecl through an import table slot
\{ \common \local size
size = 0
if ~ arg eq
\reverse pushd <arg>
size = size+4                       ; each argument occupies one dword ...
match =double any,arg \\{ size = size+4 \\} ; ... a double occupies two
\common end if
call [proc]
if size
add esp,size                        ; cdecl: the caller removes the arguments
end if \}
macro ccall proc,[arg]              ; cdecl to a local procedure
\{ \common \local size
size = 0
if ~ arg eq
\reverse pushd <arg>
size = size+4
match =double any,arg \\{ size = size+4 \\}
\common end if
call proc
if size
add esp,size
end if \} }
; pushd value: push one argument for the call macros. The code emitted
; depends on the shape of value (each branch clears pushd so that the
; later matches are skipped):
;   'text',...    comma-separated string data: the bytes are emitted
;                 inline right after a call that jumps over them, so the
;                 return address that the call pushes is the string's
;                 address. The string therefore lives in whatever
;                 section the call site is in (normally code).
;   addr var      the address of var. An absolute value or a label in
;                 the current section is pushed directly; anything else
;                 (e.g. a register-relative operand) is computed with
;                 lea into edx, so this form clobbers edx.
;   double [var]  a 64-bit memory operand, pushed as two dwords,
;   double ptr var  high dword first.
;   double num    a 64-bit constant, split into two dwords at assembly
;                 time through a virtual block.
;   anything else a quoted string is emitted inline as above; any other
;                 operand is pushed unchanged.
macro pushd value
{ match first=,more, value \{ \local ..continue
call ..continue                     ; skips the data, pushes its address
db value,0                          ; inline, NUL-terminated
..continue:
pushd equ \}
match pushd =addr var,pushd value \{ \local ..opcode,..address ; ..opcode/..address are unused
if +var relativeto 0 | +var relativeto $
push var                            ; constant or label: known at assembly time
else
lea edx,[var]                       ; computed address; edx is clobbered
push edx
end if
pushd equ \}
match pushd =double [var],pushd value \{
push dword [var+4]                  ; high dword first, so the low one ends up at the lower address
push dword [var]
pushd equ \}
match pushd =double =ptr var,pushd value \{
push dword [var+4]
push dword [var]
pushd equ \}
match pushd =double num,pushd value \{ \local ..high,..low
virtual at 0                        ; assemble the 64-bit constant into scratch space ...
dq num
load ..low dword from 0             ; ... and read its two halves back
load ..high dword from 4
end virtual
push ..high
push ..low
pushd equ \}
match pushd,pushd \{ \local ..continue
if value eqtype ''                  ; a single quoted string
call ..continue
db value,0
..continue:
else
push value                          ; register, immediate or memory operand as written
end if
pushd equ \}
restore pushd }
; Turn on nested-call support for the rest of this header and for the
; program that includes it.
allow_nesting
; Deferred import registration. While the api/*.inc files below are
; read, each 'import lib,...' directive in them is not expanded but
; stored as a macro named import_<lib>, so that .end can expand it
; later, inside the .idata section. The standard import macro from
; win32a.inc is purged back into place once the files have been read.
macro import lib,[functions]
{ common macro import_#lib \{ import lib,functions \} }
; Deferred api registration. Each 'api ...' directive seen in the
; api/*.inc files redefines all_api as "previous all_api, then this
; api", so a single all_api in .end replays every directive in order.
macro api [functions]
{ common macro all_api \{ all_api
api functions \} }
; Initial, empty all_api; the api macro above extends it with every
; api directive encountered in the included library files.
macro all_api
{
}
; Library description files. Their import/api directives are only
; recorded by the deferred macros above, not expanded here.
; NOTE(review): kernel32.inc is taken from the include root while the
; others come from api/ — presumably a customised function list; confirm
; it matches the fasm release in use.
include 'kernel32.inc'
include 'api/user32.inc'
include 'api/gdi32.inc'
include 'api/advapi32.inc'
include 'api/comctl32.inc'
include 'api/comdlg32.inc'
include 'api/shell32.inc'
include 'api/wsock32.inc'
; Restore the real import/api macros so that .end emits actual entries.
purge import,api
; .data: start the initialised data section (readable and writeable,
; not executable).
macro .data
{
  section '.data' data readable writeable
}
; .code: start the code section (readable and executable, not
; writeable).
macro .code
{
  section '.text' code readable executable
}
; .end label: finish the program. Sets the entry point to label and
; then emits the import directory for the libraries named here plus
; the lists recorded from the api/*.inc files. With fasm's standard
; import macro an entry is emitted only for a name the code actually
; references, so the static import table of the built binary mirrors
; what the program calls — verify against the macro/import32.inc that
; ships with your fasm version. Function names resolve to the ANSI
; ('A') variants throughout.
macro .end label
{
entry label
; kept writeable: the loader stores the resolved addresses in the IAT
section '.idata' import data readable writeable
library msvcrt, 'msvcrt.dll',\
verdll, 'version.dll',\
ntdll, 'ntdll.dll',\
ole32, 'ole32.dll',\
oleaut32, 'oleaut32.dll',\
urlmon, 'urlmon.dll',\
shlwapi, 'shlwapi.dll',\
kernel32, 'kernel32.dll',\
user32, 'user32.dll',\
gdi32, 'gdi32.dll',\
advapi32, 'advapi32.dll',\
comctl32, 'comctl32.dll',\
comdlg32, 'comdlg32.dll',\
shell32, 'shell32.dll',\
wsock32, 'wsock32.dll',\
crypt32, 'crypt32.dll'
; C runtime. strcat/sprintf/printf carry no length bound, so any
; buffer size or format string that comes from input must be checked
; by the caller; rand/srand are not suitable for security-sensitive
; values; system hands its argument to the command interpreter. Names
; such as system are high-signal for import-table triage and
; allow-listing, so only reference them deliberately.
import msvcrt,\
__getmainargs, '__getmainargs',\
malloc, 'malloc',\
realloc, 'realloc',\
calloc, 'calloc',\
free, 'free',\
memset, 'memset',\
strcat, 'strcat',\
setlocale, 'setlocale',\
printf, 'printf',\
sprintf, 'sprintf',\
strstr, 'strstr',\
strncmp, 'strncmp',\
strtol, 'strtol',\
strtod, 'strtod',\
atof,'atof',\
strtoul, 'strtoul',\
wcsstr, 'wcsstr',\
wcscmp, 'wcscmp',\
wcsncmp, 'wcsncmp',\
_wcsicmp, '_wcsicmp',\
_wcsnicmp, '_wcsnicmp',\
_strnicmp, '_strnicmp',\
getchar, 'getchar',\
_getch, '_getch',\
putchar, 'putchar',\
rand, 'rand',\
srand, 'srand',\
time, 'time',\
sqrt, 'sqrt',\
exp, 'exp',\
sin, 'sin',\
sinh, 'sinh',\
cos, 'cos',\
cosh, 'cosh',\
tan, 'tan',\
tanh, 'tanh',\
log, 'log',\
log10, 'log10',\
floor, 'floor',\
ceil, 'ceil',\
fmod, 'fmod',\
pow, 'pow',\
system, 'system'
; File version resource queries
import verdll,\
GetFileVersionInfoSize, 'GetFileVersionInfoSizeA',\
GetFileVersionInfo, 'GetFileVersionInfoA',\
VerQueryValue, 'VerQueryValueA'
; OS version, read directly from ntdll
import ntdll,\
RtlGetVersion, 'RtlGetVersion'
; COM initialisation and object creation
import ole32,\
CoInitialize, 'CoInitialize',\
CoInitializeEx, 'CoInitializeEx',\
CoUninitialize, 'CoUninitialize',\
CoCreateInstance, 'CoCreateInstance',\
CoTaskMemFree, 'CoTaskMemFree',\
IsEqualGUID, 'IsEqualGUID'
; BSTR / VARIANT helpers for COM automation
import oleaut32,\
SysAllocStringLen, 'SysAllocStringLen',\
SysFreeString, 'SysFreeString',\
VariantInit, 'VariantInit'
; URLDownloadToFileA fetches a remote resource to a local path; the
; destination path and the source URL are the inputs to validate, and
; the import itself is one that detection tooling keys on.
import urlmon,\
URLDownloadToFile, 'URLDownloadToFileA'
; Path helpers; PathIsURLA is a syntax check, not a reachability or
; trust check.
import shlwapi,\
PathIsDirectory, 'PathIsDirectoryA',\
PathFileExists, 'PathFileExistsA',\
PathFindExtension, 'PathFindExtensionA',\
PathFindFileName, 'PathFindFileNameA',\
PathIsURL, 'PathIsURLA'
; Binary <-> text encoding conversions (e.g. base64). Decoded output
; is untrusted data of caller-computed length; size the buffer from the
; function's returned length, not from the input string.
import crypt32,\
CryptBinaryToString, 'CryptBinaryToStringA',\
CryptStringToBinary, 'CryptStringToBinaryA'
; Lists recorded from the api/*.inc files (see the deferred import macro)
import_kernel32
import_user32
import_gdi32
import_advapi32
import_comctl32
import_comdlg32
import_shell32
import_wsock32
; Replay every recorded api directive
all_api
}
; Detect whether this header was included before any format directive.
; In fasm's default 16-bit mode xchg eax,eax needs an operand-size
; prefix and assembles to 2 bytes, so detected_16bit is 1; in 32-bit
; mode it is the single-byte nop and detected_16bit is 0. The virtual
; block keeps the probe out of the output.
virtual at 0
xchg eax,eax
detected_16bit = $-1
end virtual
; Default to a 32-bit GUI PE (subsystem version 4.0) only when the
; program has not chosen a format itself. This bare format line
; presumably leaves the DEP/ASLR DllCharacteristics clear — check the
; built image's PE header, and issue your own format line before
; including this file if other flags are needed.
if detected_16bit
format PE GUI 4.0
end if