Skip to content

Added RVA to Strings and YARA #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mordechais wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Added RVA to Strings and YARA #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file modified CFFHashes/CFFHashes.aps
View file
Open in desktop
Binary file not shown.
Binary file modified CFFStrings/CFFStrings.aps
View file
Open in desktop
Binary file not shown.
119 changes: 85 additions & 34 deletions CFFStrings/CFFStrings.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ HANDLE g_event = NULL;
PVOID g_lastObj = NULL;
BOOL g_showOffsets = FALSE;
BOOL g_prevascii = FALSE;
BOOL g_showRVA = FALSE;

HINSTANCE hInstance;
LRESULT CALLBACK DlgProc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam);
Expand All @@ -34,6 +35,7 @@ typedef struct _THREAD_ARGS
BOOL wide;
BOOL ascii;
BOOL offsets;
BOOL rva;
}THREAD_ARGS, *PTHREAD_ARGS;


Expand Down Expand Up @@ -68,13 +70,17 @@ UINT nCFFApiMask[] =
{
m_eaGetObjectAddress,
m_eaGetObjectSize,
m_eaOffsetToRva,
m_eaIsRvaValid,
(UINT)NULL
};

typedef struct _CFFAPI
{
d_eaGetObjectAddress eaGetObjectAddress;
d_eaGetObjectSize eaGetObjectSize;
d_eaOffsetToRva eaOffsetToRva;
d_eaIsRvaValid eaIsRvaValid;
} CFFAPI, *PCFFAPI;

CFFAPI CFFApi;
Expand Down Expand Up @@ -132,7 +138,8 @@ _saveListView
PCHAR lineFeed = "\r\n";
BOOL type = (g_prevascii && g_prevwide);
BOOL offset = g_showOffsets;
BOOL headers = type || offset;
BOOL rva = g_showRVA;
BOOL headers = type || offset || rva;
LVITEM lvi = { 0 };
CHAR typeStr[2] = { 0 };
CHAR offsetStr[10] = { 0 };
Expand All @@ -153,6 +160,10 @@ _saveListView
{
WriteFile(hFile, "Offset,", sizeof("Offset,") - 1, &bytesWritten, NULL);
}
if (rva)
{
WriteFile(hFile, "RVA,", sizeof("RVA,") - 1, &bytesWritten, NULL);
}
WriteFile(hFile, "String", sizeof("String") - 1, &bytesWritten, NULL);
WriteFile(hFile, lineFeed, 2, &bytesWritten, NULL);
}
Expand Down Expand Up @@ -192,13 +203,27 @@ _saveListView
WriteFile(hFile, ",", 1, &bytesWritten, NULL);
}
}
if (rva)
{
ZeroMemory(offsetStr, sizeof(offsetStr));
lvi.mask = LVIF_TEXT;
lvi.iItem = i;
lvi.iSubItem = type + offset;
lvi.cchTextMax = sizeof(offsetStr);
lvi.pszText = offsetStr;
if (0 < (len = (int)SendDlgItemMessageA(hDlg, IDC_STRINGLIST, LVM_GETITEMTEXT, i, (LPARAM)&lvi)))
{
WriteFile(hFile, lvi.pszText, len, &bytesWritten, NULL);
WriteFile(hFile, ",", 1, &bytesWritten, NULL);
}
}
}

ZeroMemory(string, sizeof(string));

lvi.mask = LVIF_TEXT;
lvi.iItem = i;
lvi.iSubItem = offset + type;
lvi.iSubItem = offset + rva + type;
lvi.cchTextMax = sizeof(string);
lvi.pszText = string;
if (0 < (len = (int)SendDlgItemMessageA(hDlg, IDC_STRINGLIST, LVM_GETITEMTEXT, i, (LPARAM)&lvi)))
Expand All @@ -223,11 +248,7 @@ _saveListView
static
void
_setViewColums
(
HWND hDlg,
BOOL offset,
BOOL type
)
(HWND hDlg, BOOL offset, BOOL type, BOOL rva)
{
LV_COLUMNA lvc = { 0 };

Expand All @@ -241,6 +262,16 @@ BOOL type
lvc.cx = PIXELS_PER_CHAR * sizeof("String");

ListView_InsertColumn(GetDlgItem(hDlg, IDC_STRINGLIST), 0, &lvc);

if (rva)
{
lvc.mask = LVCF_FMT | LVCF_WIDTH | LVCF_TEXT;
lvc.fmt = LVCFMT_LEFT;
lvc.pszText = " RVA ";
lvc.cx = PIXELS_PER_CHAR * sizeof(" RVA ");
ListView_InsertColumn(GetDlgItem(hDlg, IDC_STRINGLIST), 0, &lvc);
ListView_SetColumnWidth(GetDlgItem(hDlg, IDC_STRINGLIST), 0, LVSCW_AUTOSIZE_USEHEADER);
}
ListView_SetColumnWidth(GetDlgItem(hDlg, IDC_STRINGLIST), 0, LVSCW_AUTOSIZE_USEHEADER);

if (offset)
Expand Down Expand Up @@ -268,16 +299,8 @@ BOOL type
static
void
_insertString
(
HWND hDlg,
PCHAR string,
int stringlen,
BOOL showOffset,
int offset,
BOOL showType,
BOOL wide,
int index
)
(HWND hDlg, PCHAR string, int stringlen, BOOL showOffset, int offset, BOOL showType, BOOL wide, int index,
BOOL showRVA)
{
LV_ITEMA lvi = { 0 };
CHAR stroffset[10] = { 0 };
Expand Down Expand Up @@ -310,6 +333,32 @@ _insertString
subitem++;
}

if (showRVA)
{
VOID *base = CFFApi.eaGetObjectAddress(hDlg);
UINT size = CFFApi.eaGetObjectSize(hDlg);
DWORD rva = CFFApi.eaOffsetToRva(base, size, offset);

ZeroMemory(stroffset, sizeof(stroffset));
if (CFFApi.eaIsRvaValid(base, size, rva))
{
_snprintf_s(stroffset, sizeof(stroffset), sizeof(stroffset), "%08X", rva);
}
else
{
_snprintf_s(stroffset, sizeof(stroffset), sizeof(stroffset), "%8s", "NULL");

}

lvi.mask = LVIF_TEXT;
lvi.pszText = stroffset;
lvi.cchTextMax = sizeof(stroffset);
lvi.iItem = index;
lvi.iSubItem = subitem;
SendDlgItemMessageA(hDlg, IDC_STRINGLIST, subitem == 0 ? LVM_INSERTITEMA : LVM_SETITEMA, 0, (LPARAM)&lvi);
subitem++;
}

lvi.mask = LVIF_TEXT;
lvi.pszText = string;
lvi.cchTextMax = stringlen;
Expand All @@ -334,14 +383,7 @@ HWND hDlg
static
BOOL
_findStrings
(
HWND hDlg,
DWORD minLength,
BOOL ascii,
BOOL wide,
BOOL showOffset,
BOOL searchBoth
)
(HWND hDlg, DWORD minLength, BOOL ascii, BOOL wide, BOOL showOffset, BOOL searchBoth, BOOL showRVA)
{

PBYTE fileptr = g_object;
Expand Down Expand Up @@ -392,7 +434,7 @@ _findStrings

if ((ascii && !iswide) || (wide && iswide))
{
_insertString(hDlg, str, strlen + 1, showOffset, offset, searchBoth, iswide, index);
_insertString(hDlg, str, strlen + 1, showOffset, offset, searchBoth, iswide, index, showRVA);
index++;
}
}
Expand All @@ -416,7 +458,7 @@ _findStrings
stop = TRUE;
}
}
ListView_SetColumnWidth(GetDlgItem(hDlg, IDC_STRINGLIST), showOffset + searchBoth, longestStr * PIXELS_PER_CHAR);
ListView_SetColumnWidth(GetDlgItem(hDlg, IDC_STRINGLIST), showOffset + searchBoth + showRVA, longestStr * PIXELS_PER_CHAR);

if (!stop)
{
Expand Down Expand Up @@ -447,26 +489,30 @@ _findStringThreadFunc
hDlg = findStringsArg->hDlg;
Edit_SetText(GetDlgItem(hDlg, IDC_STATUS), "");
_resetStringList(hDlg);
_setViewColums(hDlg, findStringsArg->offsets,
findStringsArg->ascii && findStringsArg->wide);
_setViewColums(hDlg, findStringsArg->offsets,
findStringsArg->ascii && findStringsArg->wide,
findStringsArg->rva);
SendDlgItemMessageA(hDlg, IDC_PROGRESS, PBM_SETPOS, 0, (LPARAM)0);
g_stringsdone = FALSE;
g_prevascii = FALSE;
g_prevwide = FALSE;
g_lastObj = g_object;
g_showOffsets = findStringsArg->offsets;
g_showRVA = findStringsArg->rva;
if (!stop && findStringsArg->ascii)
{
stop = _findStrings(findStringsArg->hDlg, findStringsArg->minLen,
findStringsArg->ascii, 0,
findStringsArg->offsets, findStringsArg->wide && findStringsArg->ascii);
findStringsArg->ascii, 0,
findStringsArg->offsets, findStringsArg->wide && findStringsArg->ascii,
findStringsArg->rva);
g_prevascii = TRUE;
}
if (!stop && findStringsArg->wide)
{
stop = _findStrings(findStringsArg->hDlg, findStringsArg->minLen,
0, findStringsArg->wide,
findStringsArg->offsets, findStringsArg->wide && findStringsArg->ascii);
0, findStringsArg->wide,
findStringsArg->offsets, findStringsArg->wide && findStringsArg->ascii,
findStringsArg->rva);
g_prevwide = TRUE;
}
g_stringsdone = TRUE;
Expand Down Expand Up @@ -497,7 +543,7 @@ LRESULT CALLBACK DlgProc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)

case WM_INITDIALOG:
{
_setViewColums(hDlg,FALSE,FALSE);
_setViewColums(hDlg,FALSE,FALSE, FALSE);
SendDlgItemMessageA(hDlg, IDC_PROGRESS, PBM_SETSTEP, 1, (LPARAM)0);
CheckDlgButton(hDlg, IDC_ASCII, BST_CHECKED);
g_object = (PBYTE)CFFApi.eaGetObjectAddress(hDlg);
Expand Down Expand Up @@ -567,6 +613,11 @@ LRESULT CALLBACK DlgProc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
findStringsArg->ascii = TRUE;
}

if (IsDlgButtonChecked(hDlg, IDC_RVA) == BST_CHECKED)
{
findStringsArg->rva = TRUE;
}

findStringsArg->hDlg = hDlg;

if (NULL == (g_thread = CreateThread(NULL, 0, _findStringThreadFunc, findStringsArg, 0, &threadId)))
Expand Down
Binary file modified CFFStrings/CFFStrings.rc
View file
Open in desktop
Binary file not shown.
Binary file modified CFFStrings/resource.h
View file
Open in desktop
Binary file not shown.
Binary file modified CFFYara/CFFYara.aps
View file
Open in desktop
Binary file not shown.
39 changes: 38 additions & 1 deletion CFFYara/CFFYara.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ typedef struct _YARA_OPTIONS
BOOL offsets;
UINT maxMatches;
UINT matchCount;
BOOL rva;
}YARA_OPTIONS, *PYARA_OPTIONS;

BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
Expand Down Expand Up @@ -53,13 +54,17 @@ UINT nCFFApiMask[] =
{
m_eaGetObjectAddress,
m_eaGetObjectSize,
m_eaOffsetToRva,
m_eaIsRvaValid,
(UINT)NULL
};

typedef struct _CFFAPI
{
d_eaGetObjectAddress eaGetObjectAddress;
d_eaGetObjectSize eaGetObjectSize;
d_eaOffsetToRva eaOffsetToRva;
d_eaIsRvaValid eaIsRvaValid;

} CFFAPI, *PCFFAPI;

Expand Down Expand Up @@ -384,13 +389,36 @@ _appendRuleToEditBox

if (yrOpts->offsets && doesMatch)
{
VOID *base = NULL;
UINT size = 0;

if (yrOpts->rva) {
base = CFFApi.eaGetObjectAddress(yrOpts->hDlg);
size = CFFApi.eaGetObjectSize(yrOpts->hDlg);
}

yr_rule_strings_foreach(rule, string)
{
yr_string_matches_foreach(string, match)
{
ZeroMemory(offset, sizeof(offset));
_snprintf_s(offset, sizeof(offset), sizeof(offset), "\tOffset: %08X , Identifier: ", match->offset);
_snprintf_s(offset, sizeof(offset), sizeof(offset), "\tOffset: %08X ", match->offset);
_appendEditBox(yrOpts->hDlg, IDC_RESULT, offset);


if (yrOpts->rva) {

DWORD rva = CFFApi.eaOffsetToRva(base, size, match->offset);
if (CFFApi.eaIsRvaValid(base, size, rva)) {
ZeroMemory(offset, sizeof(offset));
_snprintf_s(offset, sizeof(offset), sizeof(offset), ", RVA: %08X ", rva);
_appendEditBox(yrOpts->hDlg, IDC_RESULT, offset);
} else {
_appendEditBox(yrOpts->hDlg, IDC_RESULT, "RVA: NULL ");
}
}

_appendEditBox(yrOpts->hDlg, IDC_RESULT, ", Identifier: ");
_appendEditBox(yrOpts->hDlg, IDC_RESULT, string->identifier);
_appendEditBox(yrOpts->hDlg, IDC_RESULT, " , String: ");

Expand Down Expand Up @@ -599,6 +627,11 @@ LRESULT CALLBACK DlgProc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
_saveEditBox(hDlg, IDC_RESULT, "txt", ".txt\0\0");
break;
}
case IDC_OFFSETS:
{
EnableWindow(GetDlgItem(hDlg, IDC_RVA), IsDlgButtonChecked(hDlg, IDC_OFFSETS));
break;
}
case IDC_RUNSCAN:
{
yrOpts.hDlg = hDlg;
Expand All @@ -622,6 +655,10 @@ LRESULT CALLBACK DlgProc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
if (IsDlgButtonChecked(hDlg, IDC_OFFSETS) == BST_CHECKED)
{
yrOpts.offsets = TRUE;
if (IsDlgButtonChecked(hDlg, IDC_RVA) == BST_CHECKED)
{
yrOpts.rva = TRUE;
}
}

ZeroMemory(maxRulesStr, sizeof(maxRulesStr));
Expand Down
Binary file modified CFFYara/CFFYara.rc
View file
Open in desktop
Binary file not shown.
Binary file modified CFFYara/resource.h
View file
Open in desktop
Binary file not shown.
Binary file added bin/CFFExtensions_1.1.0_setup.exe
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Debug/CFFStrings.dll
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Debug/CFFStrings.exp
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Debug/CFFStrings.lib
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Debug/CFFStrings.pdb
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Debug/CFFYara.dll
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Debug/CFFYara.exp
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Debug/CFFYara.lib
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Debug/CFFYara.pdb
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Release/CFFStrings.dll
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Release/CFFStrings.exp
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Release/CFFStrings.lib
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Release/CFFStrings.pdb
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Release/CFFYara.dll
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Release/CFFYara.exp
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Release/CFFYara.lib
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x64/Release/CFFYara.pdb
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Debug/CFFStrings.dll
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Debug/CFFStrings.exp
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Debug/CFFStrings.lib
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Debug/CFFStrings.pdb
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Debug/CFFYara.dll
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Debug/CFFYara.exp
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Debug/CFFYara.lib
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Debug/CFFYara.pdb
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Release/CFFStrings.dll
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Release/CFFStrings.exp
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Release/CFFStrings.lib
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Release/CFFStrings.pdb
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Release/CFFYara.dll
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Release/CFFYara.exp
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Release/CFFYara.lib
View file
Open in desktop
Binary file not shown.
Binary file modified bin/x86/Release/CFFYara.pdb
View file
Open in desktop
Binary file not shown.