diff --git a/CFFHashes/CFFHashes.aps b/CFFHashes/CFFHashes.aps
index de7fbf4..c9d8e1d 100644
Binary files a/CFFHashes/CFFHashes.aps and b/CFFHashes/CFFHashes.aps differ
diff --git a/CFFStrings/CFFStrings.aps b/CFFStrings/CFFStrings.aps
index c84de7c..c0bca43 100644
Binary files a/CFFStrings/CFFStrings.aps and b/CFFStrings/CFFStrings.aps differ
diff --git a/CFFStrings/CFFStrings.c b/CFFStrings/CFFStrings.c
index a43d474..58fc80f 100644
--- a/CFFStrings/CFFStrings.c
+++ b/CFFStrings/CFFStrings.c
@@ -23,6 +23,7 @@ HANDLE g_event = NULL; PVOID g_lastObj = NULL; BOOL g_showOffsets = FALSE; BOOL g_prevascii = FALSE; +BOOL g_showRVA = FALSE; HINSTANCE hInstance; LRESULT CALLBACK DlgProc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam);
@@ -34,6 +35,7 @@ typedef struct _THREAD_ARGS BOOL wide; BOOL ascii; BOOL offsets; + BOOL rva; }THREAD_ARGS, *PTHREAD_ARGS;
@@ -68,6 +70,8 @@ UINT nCFFApiMask[] = { m_eaGetObjectAddress, m_eaGetObjectSize, + m_eaOffsetToRva, + m_eaIsRvaValid, (UINT)NULL };
@@ -75,6 +79,8 @@ typedef struct _CFFAPI { d_eaGetObjectAddress eaGetObjectAddress; d_eaGetObjectSize eaGetObjectSize; + d_eaOffsetToRva eaOffsetToRva; + d_eaIsRvaValid eaIsRvaValid; } CFFAPI, *PCFFAPI; CFFAPI CFFApi;
@@ -132,7 +138,8 @@ _saveListView PCHAR lineFeed = "\r\n"; BOOL type = (g_prevascii && g_prevwide); BOOL offset = g_showOffsets; - BOOL headers = type || offset; + BOOL rva = g_showRVA; + BOOL headers = type || offset || rva; LVITEM lvi = { 0 }; CHAR typeStr[2] = { 0 }; CHAR offsetStr[10] = { 0 };
@@ -153,6 +160,10 @@ _saveListView { WriteFile(hFile, "Offset,", sizeof("Offset,") - 1, &bytesWritten, NULL); } + if (rva) + { + WriteFile(hFile, "RVA,", sizeof("RVA,") - 1, &bytesWritten, NULL); + } WriteFile(hFile, "String", sizeof("String") - 1, &bytesWritten, NULL); WriteFile(hFile, lineFeed, 2, &bytesWritten, NULL); }
@@ -192,13 +203,27 @@ _saveListView WriteFile(hFile, ",", 1, &bytesWritten, NULL); } } + if (rva) + { + ZeroMemory(offsetStr, sizeof(offsetStr)); + lvi.mask = LVIF_TEXT; + lvi.iItem = i; + lvi.iSubItem = type + offset; + lvi.cchTextMax = sizeof(offsetStr); + lvi.pszText = offsetStr; + if (0 < (len = (int)SendDlgItemMessageA(hDlg, IDC_STRINGLIST, LVM_GETITEMTEXT, i, (LPARAM)&lvi))) + { + WriteFile(hFile, lvi.pszText, len, &bytesWritten, NULL); + WriteFile(hFile, ",", 1, &bytesWritten, NULL); + } + } } ZeroMemory(string, sizeof(string)); lvi.mask = LVIF_TEXT; lvi.iItem = i; - lvi.iSubItem = offset + type; + lvi.iSubItem = offset + rva + type; lvi.cchTextMax = sizeof(string); lvi.pszText = string; if (0 < (len = (int)SendDlgItemMessageA(hDlg, IDC_STRINGLIST, LVM_GETITEMTEXT, i, (LPARAM)&lvi)))
@@ -223,11 +248,7 @@ _saveListView static void _setViewColums -( -HWND hDlg, -BOOL offset, -BOOL type -) + (HWND hDlg, BOOL offset, BOOL type, BOOL rva) { LV_COLUMNA lvc = { 0 };
@@ -241,6 +262,16 @@ BOOL type lvc.cx = PIXELS_PER_CHAR * sizeof("String"); ListView_InsertColumn(GetDlgItem(hDlg, IDC_STRINGLIST), 0, &lvc); + + if (rva) + { + lvc.mask = LVCF_FMT | LVCF_WIDTH | LVCF_TEXT; + lvc.fmt = LVCFMT_LEFT; + lvc.pszText = " RVA "; + lvc.cx = PIXELS_PER_CHAR * sizeof(" RVA "); + ListView_InsertColumn(GetDlgItem(hDlg, IDC_STRINGLIST), 0, &lvc); + ListView_SetColumnWidth(GetDlgItem(hDlg, IDC_STRINGLIST), 0, LVSCW_AUTOSIZE_USEHEADER); + } ListView_SetColumnWidth(GetDlgItem(hDlg, IDC_STRINGLIST), 0, LVSCW_AUTOSIZE_USEHEADER); if (offset)
@@ -268,16 +299,8 @@ BOOL type static void _insertString -( - HWND hDlg, - PCHAR string, - int stringlen, - BOOL showOffset, - int offset, - BOOL showType, - BOOL wide, - int index -) + (HWND hDlg, PCHAR string, int stringlen, BOOL showOffset, int offset, BOOL showType, BOOL wide, int index, + BOOL showRVA) { LV_ITEMA lvi = { 0 }; CHAR stroffset[10] = { 0 };
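Review bot: In `_setViewColums`, the `ListView_SetColumnWidth(GetDlgItem(hDlg, IDC_STRINGLIST), 0, LVSCW_AUTOSIZE_USEHEADER)` added at the end of the new `if (rva)` block is repeated verbatim by the existing call on the very next line, so with RVA enabled column 0 (now the RVA column) is autosized twice while the String column, which that existing call sized before this change, has shifted to index 1 and is no longer autosized here. `_findStrings` later sets the String column width from `longestStr`, so the visible effect is small, but the duplicate is dead work and hides the intent. Either drop the call inside the block or move the existing call up to directly follow the `String` insert, before `if (rva)`. `_setViewColums` starts and ends outside this hunk.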
@@ -310,6 +333,32 @@ _insertString subitem++; } + if (showRVA) + { + VOID *base = CFFApi.eaGetObjectAddress(hDlg); + UINT size = CFFApi.eaGetObjectSize(hDlg); + DWORD rva = CFFApi.eaOffsetToRva(base, size, offset); + + ZeroMemory(stroffset, sizeof(stroffset)); + if (CFFApi.eaIsRvaValid(base, size, rva)) + { + _snprintf_s(stroffset, sizeof(stroffset), sizeof(stroffset), "%08X", rva); + } + else + { + _snprintf_s(stroffset, sizeof(stroffset), sizeof(stroffset), "%8s", "NULL"); + + } + + lvi.mask = LVIF_TEXT; + lvi.pszText = stroffset; + lvi.cchTextMax = sizeof(stroffset); + lvi.iItem = index; + lvi.iSubItem = subitem; + SendDlgItemMessageA(hDlg, IDC_STRINGLIST, subitem == 0 ? LVM_INSERTITEMA : LVM_SETITEMA, 0, (LPARAM)&lvi); + subitem++; + } + lvi.mask = LVIF_TEXT; lvi.pszText = string; lvi.cchTextMax = stringlen;
@@ -334,14 +383,7 @@ HWND hDlg static BOOL _findStrings -( - HWND hDlg, - DWORD minLength, - BOOL ascii, - BOOL wide, - BOOL showOffset, - BOOL searchBoth -) + (HWND hDlg, DWORD minLength, BOOL ascii, BOOL wide, BOOL showOffset, BOOL searchBoth, BOOL showRVA) { PBYTE fileptr = g_object;
@@ -392,7 +434,7 @@ _findStrings if ((ascii && !iswide) || (wide && iswide)) { - _insertString(hDlg, str, strlen + 1, showOffset, offset, searchBoth, iswide, index); + _insertString(hDlg, str, strlen + 1, showOffset, offset, searchBoth, iswide, index, showRVA); index++; } }
@@ -416,7 +458,7 @@ _findStrings stop = TRUE; } } - ListView_SetColumnWidth(GetDlgItem(hDlg, IDC_STRINGLIST), showOffset + searchBoth, longestStr * PIXELS_PER_CHAR); + ListView_SetColumnWidth(GetDlgItem(hDlg, IDC_STRINGLIST), showOffset + searchBoth + showRVA, longestStr * PIXELS_PER_CHAR); if (!stop) {
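Review bot: The new `if (showRVA)` block in `_insertString` calls `CFFApi.eaGetObjectAddress(hDlg)` and `CFFApi.eaGetObjectSize(hDlg)` for every string inserted, although both values are invariant for the whole scan; `_findStrings` already holds the object base as `fileptr = g_object`, so fetch the size there once and pass base and size down (or compute the RVA there and pass it in), which also matches `_appendRuleToEditBox` in CFFYara.c, where base and size are read once before the match loop. `offset` is an `int` parameter here and is handed straight to `eaOffsetToRva`; the prototype is not visible, so confirm it takes an unsigned offset and that offsets beyond `INT_MAX` in large files cannot arrive here negative. The `else` branch also carries a stray blank line before its closing brace. `_insertString` starts outside this hunk.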
@@ -447,26 +489,30 @@ _findStringThreadFunc hDlg = findStringsArg->hDlg; Edit_SetText(GetDlgItem(hDlg, IDC_STATUS), ""); _resetStringList(hDlg); - _setViewColums(hDlg, findStringsArg->offsets, - findStringsArg->ascii && findStringsArg->wide); + _setViewColums(hDlg, findStringsArg->offsets, + findStringsArg->ascii && findStringsArg->wide, + findStringsArg->rva); SendDlgItemMessageA(hDlg, IDC_PROGRESS, PBM_SETPOS, 0, (LPARAM)0); g_stringsdone = FALSE; g_prevascii = FALSE; g_prevwide = FALSE; g_lastObj = g_object; g_showOffsets = findStringsArg->offsets; + g_showRVA = findStringsArg->rva; if (!stop && findStringsArg->ascii) { stop = _findStrings(findStringsArg->hDlg, findStringsArg->minLen, - findStringsArg->ascii, 0, - findStringsArg->offsets, findStringsArg->wide && findStringsArg->ascii); + findStringsArg->ascii, 0, + findStringsArg->offsets, findStringsArg->wide && findStringsArg->ascii, + findStringsArg->rva); g_prevascii = TRUE; } if (!stop && findStringsArg->wide) { stop = _findStrings(findStringsArg->hDlg, findStringsArg->minLen, - 0, findStringsArg->wide, - findStringsArg->offsets, findStringsArg->wide && findStringsArg->ascii); + 0, findStringsArg->wide, + findStringsArg->offsets, findStringsArg->wide && findStringsArg->ascii, + findStringsArg->rva); g_prevwide = TRUE; } g_stringsdone = TRUE;
@@ -497,7 +543,7 @@ LRESULT CALLBACK DlgProc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam) case WM_INITDIALOG: { - _setViewColums(hDlg,FALSE,FALSE); + _setViewColums(hDlg,FALSE,FALSE, FALSE); SendDlgItemMessageA(hDlg, IDC_PROGRESS, PBM_SETSTEP, 1, (LPARAM)0); CheckDlgButton(hDlg, IDC_ASCII, BST_CHECKED); g_object = (PBYTE)CFFApi.eaGetObjectAddress(hDlg);
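Review bot: Style: the `WM_INITDIALOG` call is written `_setViewColums(hDlg,FALSE,FALSE, FALSE);`, with a space only before the newly added argument, while the two `_setViewColums`/`_findStrings` call sites rewritten in `_findStringThreadFunc` in the previous hunk space every argument; `_setViewColums(hDlg, FALSE, FALSE, FALSE);` keeps the file consistent. `DlgProc` starts and ends outside this hunk.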
@@ -567,6 +613,11 @@ LRESULT CALLBACK DlgProc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam) findStringsArg->ascii = TRUE; } + if (IsDlgButtonChecked(hDlg, IDC_RVA) == BST_CHECKED) + { + findStringsArg->rva = TRUE; + } + findStringsArg->hDlg = hDlg; if (NULL == (g_thread = CreateThread(NULL, 0, _findStringThreadFunc, findStringsArg, 0, &threadId)))
diff --git a/CFFStrings/CFFStrings.rc b/CFFStrings/CFFStrings.rc
index c922a86..0cd8b82 100644
Binary files a/CFFStrings/CFFStrings.rc and b/CFFStrings/CFFStrings.rc differ
diff --git a/CFFStrings/resource.h b/CFFStrings/resource.h
index 18309a4..09e0040 100644
Binary files a/CFFStrings/resource.h and b/CFFStrings/resource.h differ
diff --git a/CFFYara/CFFYara.aps b/CFFYara/CFFYara.aps
index adaee75..d2c349b 100644
Binary files a/CFFYara/CFFYara.aps and b/CFFYara/CFFYara.aps differ
diff --git a/CFFYara/CFFYara.c b/CFFYara/CFFYara.c
index f50c62a..45dca18 100644
--- a/CFFYara/CFFYara.c
+++ b/CFFYara/CFFYara.c
@@ -23,6 +23,7 @@ typedef struct _YARA_OPTIONS BOOL offsets; UINT maxMatches; UINT matchCount; + BOOL rva; }YARA_OPTIONS, *PYARA_OPTIONS; BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
@@ -53,6 +54,8 @@ UINT nCFFApiMask[] = { m_eaGetObjectAddress, m_eaGetObjectSize, + m_eaOffsetToRva, + m_eaIsRvaValid, (UINT)NULL };
@@ -60,6 +63,8 @@ typedef struct _CFFAPI { d_eaGetObjectAddress eaGetObjectAddress; d_eaGetObjectSize eaGetObjectSize; + d_eaOffsetToRva eaOffsetToRva; + d_eaIsRvaValid eaIsRvaValid; } CFFAPI, *PCFFAPI;
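Review bot: `findStringsArg->rva` is only ever assigned `TRUE`, on the `IsDlgButtonChecked(hDlg, IDC_RVA) == BST_CHECKED` path, so a correct `FALSE` depends on the allocation of `findStringsArg` zeroing the struct, which is outside this hunk. The existing `ascii` field follows the same conditional pattern, so the allocation presumably does, but an unconditional assignment removes the dependency and states the intent: `findStringsArg->rva = (IsDlgButtonChecked(hDlg, IDC_RVA) == BST_CHECKED);`. The enclosing `case` block of `DlgProc` starts and ends outside this hunk.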
@@ -384,13 +389,36 @@ _appendRuleToEditBox if (yrOpts->offsets && doesMatch) { + VOID *base = NULL; + UINT size = 0; + + if (yrOpts->rva) { + base = CFFApi.eaGetObjectAddress(yrOpts->hDlg); + size = CFFApi.eaGetObjectSize(yrOpts->hDlg); + } + yr_rule_strings_foreach(rule, string) { yr_string_matches_foreach(string, match) { ZeroMemory(offset, sizeof(offset)); - _snprintf_s(offset, sizeof(offset), sizeof(offset), "\tOffset: %08X , Identifier: ", match->offset); + _snprintf_s(offset, sizeof(offset), sizeof(offset), "\tOffset: %08X ", match->offset); _appendEditBox(yrOpts->hDlg, IDC_RESULT, offset); + + + if (yrOpts->rva) { + + DWORD rva = CFFApi.eaOffsetToRva(base, size, match->offset); + if (CFFApi.eaIsRvaValid(base, size, rva)) { + ZeroMemory(offset, sizeof(offset)); + _snprintf_s(offset, sizeof(offset), sizeof(offset), ", RVA: %08X ", rva); + _appendEditBox(yrOpts->hDlg, IDC_RESULT, offset); + } else { + _appendEditBox(yrOpts->hDlg, IDC_RESULT, "RVA: NULL "); + } + } + _appendEditBox(yrOpts->hDlg, IDC_RESULT, ", Identifier: "); _appendEditBox(yrOpts->hDlg, IDC_RESULT, string->identifier); _appendEditBox(yrOpts->hDlg, IDC_RESULT, " , String: ");
@@ -599,6 +627,11 @@ LRESULT CALLBACK DlgProc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam) _saveEditBox(hDlg, IDC_RESULT, "txt", ".txt\0\0"); break; } + case IDC_OFFSETS: + { + EnableWindow(GetDlgItem(hDlg, IDC_RVA), IsDlgButtonChecked(hDlg, IDC_OFFSETS)); + break; + } case IDC_RUNSCAN: { yrOpts.hDlg = hDlg;
@@ -622,6 +655,10 @@ LRESULT CALLBACK DlgProc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam) if (IsDlgButtonChecked(hDlg, IDC_OFFSETS) == BST_CHECKED) { yrOpts.offsets = TRUE; + if (IsDlgButtonChecked(hDlg, IDC_RVA) == BST_CHECKED) + { + yrOpts.rva = TRUE; + } } ZeroMemory(maxRulesStr, sizeof(maxRulesStr));
diff --git a/CFFYara/CFFYara.rc b/CFFYara/CFFYara.rc
index ca8e379..55dce51 100644
Binary files a/CFFYara/CFFYara.rc and b/CFFYara/CFFYara.rc differ
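Review bot: The two RVA branches in `_appendRuleToEditBox` produce inconsistent text: the valid case appends `", RVA: %08X "`, with a comma separating it from the offset, but the invalid case appends `"RVA: NULL "` without one, so such lines read `Offset: xxxxxxxx RVA: NULL , Identifier:`; change the literal to `", RVA: NULL "`. `match->offset` is passed unchanged to `eaOffsetToRva` and to the `%08X` conversion; in current libyara `YR_MATCH.offset` is declared `int64_t`, so if that is the version linked here the pre-existing format mismatch is now joined by a silent narrowing on the RVA call, and an explicit `(DWORD)` cast after a range check would make it visible. The added `if (yrOpts->rva) {` and `} else {` put braces on the statement line, whereas the `case IDC_OFFSETS:` block added in this same file and every block added in CFFStrings.c put them on their own line. The enclosing function starts and ends outside this hunk.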
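Review bot: The new `IDC_OFFSETS` handler passes the raw `IsDlgButtonChecked` result to `EnableWindow`; that works for a two-state box because `BST_UNCHECKED` is 0, but the rest of this file compares against `BST_CHECKED`, and `BST_INDETERMINATE` would also enable the control. `EnableWindow(GetDlgItem(hDlg, IDC_RVA), IsDlgButtonChecked(hDlg, IDC_OFFSETS) == BST_CHECKED);` makes the intent explicit. Nothing in this diff sets the initial enabled state of `IDC_RVA`, so unless the dialog resource or `WM_INITDIALOG` (neither visible here) disables it, it starts enabled while Offsets is unchecked and a tick in it is silently ignored at scan time. The enclosing `switch` starts and ends outside this hunk.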
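Review bot: `yrOpts.rva` is only ever set to `TRUE`, inside the nested checked branch, and is never cleared in this diff, so if `yrOpts` is file-scope and the reset that precedes this block (outside the hunk) does not zero the whole struct, the RVA flag stays on for every later scan once it has been ticked once. `yrOpts.offsets` uses the same one-way pattern, so presumably that reset covers it, but adding `yrOpts.rva = FALSE;` beside whatever clears `yrOpts.offsets`, or assigning unconditionally after the offsets block with `yrOpts.rva = yrOpts.offsets && (IsDlgButtonChecked(hDlg, IDC_RVA) == BST_CHECKED);`, removes the dependency. The enclosing `case IDC_RUNSCAN` starts and ends outside this hunk.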
diff --git a/CFFYara/resource.h b/CFFYara/resource.h
index 5ddc28e..8a506ff 100644
Binary files a/CFFYara/resource.h and b/CFFYara/resource.h differ
diff --git a/bin/CFFExtensions_1.1.0_setup.exe b/bin/CFFExtensions_1.1.0_setup.exe
new file mode 100644
index 0000000..9884d9f
Binary files /dev/null and b/bin/CFFExtensions_1.1.0_setup.exe differ
diff --git a/bin/x64/Debug/CFFStrings.dll b/bin/x64/Debug/CFFStrings.dll
index d4e1551..f021941 100644
Binary files a/bin/x64/Debug/CFFStrings.dll and b/bin/x64/Debug/CFFStrings.dll differ
diff --git a/bin/x64/Debug/CFFStrings.exp b/bin/x64/Debug/CFFStrings.exp
index 37d9379..8f0da0e 100644
Binary files a/bin/x64/Debug/CFFStrings.exp and b/bin/x64/Debug/CFFStrings.exp differ
diff --git a/bin/x64/Debug/CFFStrings.lib b/bin/x64/Debug/CFFStrings.lib
index f1a55d8..4aa610b 100644
Binary files a/bin/x64/Debug/CFFStrings.lib and b/bin/x64/Debug/CFFStrings.lib differ
diff --git a/bin/x64/Debug/CFFStrings.pdb b/bin/x64/Debug/CFFStrings.pdb
index 822d134..121ebd0 100644
Binary files a/bin/x64/Debug/CFFStrings.pdb and b/bin/x64/Debug/CFFStrings.pdb differ
diff --git a/bin/x64/Debug/CFFYara.dll b/bin/x64/Debug/CFFYara.dll
index 7257e44..0c0a050 100644
Binary files a/bin/x64/Debug/CFFYara.dll and b/bin/x64/Debug/CFFYara.dll differ
diff --git a/bin/x64/Debug/CFFYara.exp b/bin/x64/Debug/CFFYara.exp
index 9745527..9f5b00f 100644
Binary files a/bin/x64/Debug/CFFYara.exp and b/bin/x64/Debug/CFFYara.exp differ
diff --git a/bin/x64/Debug/CFFYara.lib b/bin/x64/Debug/CFFYara.lib
index 2f8827f..6c02e6e 100644
Binary files a/bin/x64/Debug/CFFYara.lib and b/bin/x64/Debug/CFFYara.lib differ
diff --git a/bin/x64/Debug/CFFYara.pdb b/bin/x64/Debug/CFFYara.pdb
index d5fc7fe..efe2452 100644
Binary files a/bin/x64/Debug/CFFYara.pdb and b/bin/x64/Debug/CFFYara.pdb differ
diff --git a/bin/x64/Release/CFFStrings.dll b/bin/x64/Release/CFFStrings.dll
index 5a8ba5f..e59dfea 100644
Binary files a/bin/x64/Release/CFFStrings.dll and b/bin/x64/Release/CFFStrings.dll differ
diff --git a/bin/x64/Release/CFFStrings.exp b/bin/x64/Release/CFFStrings.exp
index ba69dbe..e7a179d 100644
Binary files a/bin/x64/Release/CFFStrings.exp and b/bin/x64/Release/CFFStrings.exp differ
diff --git a/bin/x64/Release/CFFStrings.lib b/bin/x64/Release/CFFStrings.lib
index b763e01..160453d 100644
Binary files a/bin/x64/Release/CFFStrings.lib and b/bin/x64/Release/CFFStrings.lib differ
diff --git a/bin/x64/Release/CFFStrings.pdb b/bin/x64/Release/CFFStrings.pdb
index 2ac6c02..bb7e05f 100644
Binary files a/bin/x64/Release/CFFStrings.pdb and b/bin/x64/Release/CFFStrings.pdb differ
diff --git a/bin/x64/Release/CFFYara.dll b/bin/x64/Release/CFFYara.dll
index 7b3b54c..df84203 100644
Binary files a/bin/x64/Release/CFFYara.dll and b/bin/x64/Release/CFFYara.dll differ
diff --git a/bin/x64/Release/CFFYara.exp b/bin/x64/Release/CFFYara.exp
index 8332dc0..4ea8b1d 100644
Binary files a/bin/x64/Release/CFFYara.exp and b/bin/x64/Release/CFFYara.exp differ
diff --git a/bin/x64/Release/CFFYara.lib b/bin/x64/Release/CFFYara.lib
index 9af6514..070c641 100644
Binary files a/bin/x64/Release/CFFYara.lib and b/bin/x64/Release/CFFYara.lib differ
diff --git a/bin/x64/Release/CFFYara.pdb b/bin/x64/Release/CFFYara.pdb
index ffbe4d8..63ee7ea 100644
Binary files a/bin/x64/Release/CFFYara.pdb and b/bin/x64/Release/CFFYara.pdb differ
diff --git a/bin/x86/Debug/CFFStrings.dll b/bin/x86/Debug/CFFStrings.dll
index 9490606..4e312cd 100644
Binary files a/bin/x86/Debug/CFFStrings.dll and b/bin/x86/Debug/CFFStrings.dll differ
diff --git a/bin/x86/Debug/CFFStrings.exp b/bin/x86/Debug/CFFStrings.exp
index 3758229..aa9860f 100644
Binary files a/bin/x86/Debug/CFFStrings.exp and b/bin/x86/Debug/CFFStrings.exp differ
diff --git a/bin/x86/Debug/CFFStrings.lib b/bin/x86/Debug/CFFStrings.lib
index 620b1d8..8dbf7b6 100644
Binary files a/bin/x86/Debug/CFFStrings.lib and b/bin/x86/Debug/CFFStrings.lib differ
diff --git a/bin/x86/Debug/CFFStrings.pdb b/bin/x86/Debug/CFFStrings.pdb
index 6a95623..4995ec7 100644
Binary files a/bin/x86/Debug/CFFStrings.pdb and b/bin/x86/Debug/CFFStrings.pdb differ
diff --git a/bin/x86/Debug/CFFYara.dll b/bin/x86/Debug/CFFYara.dll
index 1efc8f5..7f24c27 100644
Binary files a/bin/x86/Debug/CFFYara.dll and b/bin/x86/Debug/CFFYara.dll differ
diff --git a/bin/x86/Debug/CFFYara.exp b/bin/x86/Debug/CFFYara.exp
index 88f9449..be7e3e5 100644
Binary files a/bin/x86/Debug/CFFYara.exp and b/bin/x86/Debug/CFFYara.exp differ
diff --git a/bin/x86/Debug/CFFYara.lib b/bin/x86/Debug/CFFYara.lib
index c8f99c5..1c078b2 100644
Binary files a/bin/x86/Debug/CFFYara.lib and b/bin/x86/Debug/CFFYara.lib differ
diff --git a/bin/x86/Debug/CFFYara.pdb b/bin/x86/Debug/CFFYara.pdb
index 6c818cf..e61e8cb 100644
Binary files a/bin/x86/Debug/CFFYara.pdb and b/bin/x86/Debug/CFFYara.pdb differ
diff --git a/bin/x86/Release/CFFStrings.dll b/bin/x86/Release/CFFStrings.dll
index 3180606..38cc8db 100644
Binary files a/bin/x86/Release/CFFStrings.dll and b/bin/x86/Release/CFFStrings.dll differ
diff --git a/bin/x86/Release/CFFStrings.exp b/bin/x86/Release/CFFStrings.exp
index a2a88e3..3a006d9 100644
Binary files a/bin/x86/Release/CFFStrings.exp and b/bin/x86/Release/CFFStrings.exp differ
diff --git a/bin/x86/Release/CFFStrings.lib b/bin/x86/Release/CFFStrings.lib
index 28315d0..197e15d 100644
Binary files a/bin/x86/Release/CFFStrings.lib and b/bin/x86/Release/CFFStrings.lib differ
diff --git a/bin/x86/Release/CFFStrings.pdb b/bin/x86/Release/CFFStrings.pdb
index 8b1400f..645381f 100644
Binary files a/bin/x86/Release/CFFStrings.pdb and b/bin/x86/Release/CFFStrings.pdb differ
diff --git a/bin/x86/Release/CFFYara.dll b/bin/x86/Release/CFFYara.dll
index aebb6c8..2c09e2f 100644
Binary files a/bin/x86/Release/CFFYara.dll and b/bin/x86/Release/CFFYara.dll differ
diff --git a/bin/x86/Release/CFFYara.exp b/bin/x86/Release/CFFYara.exp
index 52b6163..fb71990 100644
Binary files a/bin/x86/Release/CFFYara.exp and b/bin/x86/Release/CFFYara.exp differ
diff --git a/bin/x86/Release/CFFYara.lib b/bin/x86/Release/CFFYara.lib
index 85672d6..2f4df31 100644
Binary files a/bin/x86/Release/CFFYara.lib and b/bin/x86/Release/CFFYara.lib differ
diff --git a/bin/x86/Release/CFFYara.pdb b/bin/x86/Release/CFFYara.pdb
index d7d62fd..e2c1bd0 100644
Binary files a/bin/x86/Release/CFFYara.pdb and b/bin/x86/Release/CFFYara.pdb differ