1use md5;
2use crate::emu;
3use crate::emu::constants::*;
4use crate::emu::winapi32::helper;
5use crate::emu::winapi32::kernel32;
6
7pub fn gateway(addr: u32, emu: &mut emu::Emu) -> String {
8 let api = kernel32::guess_api_name(emu, addr);
9 match api.as_str() {
10 "StartServiceCtrlDispatcherA" => StartServiceCtrlDispatcherA(emu),
11 "StartServiceCtrlDispatcherW" => StartServiceCtrlDispatcherW(emu),
12 "LookupPrivilegeValueW" => LookupPrivilegeValueW(emu),
13 "CryptAcquireContextA" => CryptAcquireContextA(emu),
14 "CryptAcquireContextW" => CryptAcquireContextW(emu),
15 "CryptEncrypt" => CryptEncrypt(emu),
16 "CryptDecrypt" => CryptDecrypt(emu),
17 "CryptCreateHash" => CryptCreateHash(emu),
18 "CryptGenKey" => CryptGenKey(emu),
19 "CryptGetHashParam" => CryptGetHashParam(emu),
20 "CryptGetKeyParam" => CryptGetKeyParam(emu),
21 "CryptImportKey" => CryptImportKey(emu),
22 "CryptSignHashA" => CryptSignHashA(emu),
23 "CryptSignHashW" => CryptSignHashW(emu),
24 "CryptReleaseContext" => CryptReleaseContext(emu),
25 "CryptHashData" => CryptHashData(emu),
26 "CryptDeriveKey" => CryptDeriveKey(emu),
27
28 _ => {
29 log::info!(
30 "calling unimplemented advapi32 API 0x{:x} {}",
31 addr, api
32 );
33 return api;
34 }
35 }
36
37 return String::new();
38}
39
40fn StartServiceCtrlDispatcherA(emu: &mut emu::Emu) {
41 let service_table_entry_ptr = emu
42 .maps
43 .read_dword(emu.regs.get_esp())
44 .expect("advapi32!StartServiceCtrlDispatcherA error reading service_table_entry pointer");
45 log::info!(
52 "{}** {} advapi321!StartServiceCtrlDispatcherA {}",
53 emu.colors.light_red, emu.pos, emu.colors.nc
54 );
55
56 emu.stack_pop32(false);
57 emu.regs.set_eax(1);
58}
59
60fn StartServiceCtrlDispatcherW(emu: &mut emu::Emu) {
61 let service_table_entry_ptr = emu
62 .maps
63 .read_dword(emu.regs.get_esp())
64 .expect("advapi32!StartServiceCtrlDispatcherW error reading service_table_entry pointer");
65
66 log::info!(
67 "{}** {} advapi321!StartServiceCtrlDispatcherW {}",
68 emu.colors.light_red, emu.pos, emu.colors.nc
69 );
70
71 emu.stack_pop32(false);
72 emu.regs.set_eax(1);
73}
74
75
76fn CryptAcquireContextA(emu: &mut emu::Emu) {
79 let out_handle =
80 emu.maps
81 .read_dword(emu.regs.get_esp())
82 .expect("advapi32!CryptAcquireContextA error reading handle pointer") as u64;
83 let container = emu
84 .maps
85 .read_dword(emu.regs.get_esp() + 4)
86 .expect("advapi32!CryptAcquireContextA error reading container");
87 let provider = emu
88 .maps
89 .read_dword(emu.regs.get_esp() + 8)
90 .expect("advapi32!CryptAcquireContextA error reading provider");
91 let prov_type = emu
92 .maps
93 .read_dword(emu.regs.get_esp() + 12)
94 .expect("advapi32!CryptAcquireContextA error reading prov_type");
95 let flags = emu
96 .maps
97 .read_dword(emu.regs.get_esp() + 16)
98 .expect("advapi32!CryptAcquireContextA error reading flags");
99
100 let uri = "cryptctx://".to_string();
101 let hndl = helper::handler_create(&uri) as u32;
102 emu.maps.write_dword(out_handle, hndl);
103
104 let mut sflags = String::new();
105 if flags & CRYPT_VERIFYCONTEXT == CRYPT_VERIFYCONTEXT {
106 sflags.push_str("CRYPT_VERIFYCONTEXT ");
107 }
108 if flags & CRYPT_NEWKEYSET == CRYPT_NEWKEYSET {
109 sflags.push_str("CRYPT_NEWKEYSET ");
110 }
111 if flags & CRYPT_DELETEKEYSET == CRYPT_DELETEKEYSET {
112 sflags.push_str("CRYPT_DELETEKEYSET ");
113 }
114 if flags & CRYPT_MACHINE_KEYSET == CRYPT_MACHINE_KEYSET {
115 sflags.push_str("CRYPT_MACHINE_KEYSET ");
116 }
117 if flags & CRYPT_SILENT == CRYPT_SILENT {
118 sflags.push_str("CRYPT_SILENT ");
119 }
120 if flags & CRYPT_DEFAULT_CONTAINER_OPTIONAL == CRYPT_DEFAULT_CONTAINER_OPTIONAL {
121 sflags.push_str("CRYPT_DEFAULT_CONTAINER_OPTIONAL ");
122 }
123
124 log::info!(
125 "{}** {} advapi321!CryptAcquireContextA =0x{:x} type: {} flags: `{}` {}",
126 emu.colors.light_red, emu.pos, hndl, prov_type, &sflags, emu.colors.nc
127 );
128
129 for _ in 0..5 {
130 emu.stack_pop32(false);
131 }
132 emu.regs.rax = 1;
133}
134
135fn CryptAcquireContextW(emu: &mut emu::Emu) {
136 let out_handle =
137 emu.maps
138 .read_dword(emu.regs.get_esp())
139 .expect("advapi32!CryptAcquireContextW error reading handle pointer") as u64;
140 let container = emu
141 .maps
142 .read_dword(emu.regs.get_esp() + 4)
143 .expect("advapi32!CryptAcquireContextW error reading container");
144 let provider = emu
145 .maps
146 .read_dword(emu.regs.get_esp() + 8)
147 .expect("advapi32!CryptAcquireContextW error reading provider");
148 let prov_type = emu
149 .maps
150 .read_dword(emu.regs.get_esp() + 12)
151 .expect("advapi32!CryptAcquireContextW error reading prov_type");
152 let flags = emu
153 .maps
154 .read_dword(emu.regs.get_esp() + 16)
155 .expect("advapi32!CryptAcquireContextW error reading flags");
156
157 let uri = "cryptctx://".to_string();
158 let hndl = helper::handler_create(&uri) as u32;
159 emu.maps.write_dword(out_handle, hndl);
160
161 let mut sflags = String::new();
162 if flags & CRYPT_VERIFYCONTEXT == CRYPT_VERIFYCONTEXT {
163 sflags.push_str("CRYPT_VERIFYCONTEXT ");
164 }
165 if flags & CRYPT_NEWKEYSET == CRYPT_NEWKEYSET {
166 sflags.push_str("CRYPT_NEWKEYSET ");
167 }
168 if flags & CRYPT_DELETEKEYSET == CRYPT_DELETEKEYSET {
169 sflags.push_str("CRYPT_DELETEKEYSET ");
170 }
171 if flags & CRYPT_MACHINE_KEYSET == CRYPT_MACHINE_KEYSET {
172 sflags.push_str("CRYPT_MACHINE_KEYSET ");
173 }
174 if flags & CRYPT_SILENT == CRYPT_SILENT {
175 sflags.push_str("CRYPT_SILENT ");
176 }
177 if flags & CRYPT_DEFAULT_CONTAINER_OPTIONAL == CRYPT_DEFAULT_CONTAINER_OPTIONAL {
178 sflags.push_str("CRYPT_DEFAULT_CONTAINER_OPTIONAL ");
179 }
180
181 log::info!(
182 "{}** {} advapi321!CryptAcquireContextW =0x{:x} type: {} flags: `{}` {}",
183 emu.colors.light_red, emu.pos, hndl, prov_type, &sflags, emu.colors.nc
184 );
185
186 for _ in 0..5 {
187 emu.stack_pop32(false);
188 }
189 emu.regs.rax = 1;
190}
191
192fn LookupPrivilegeValueW(emu: &mut emu::Emu) {
193 let ptr_sysname =
194 emu.maps
195 .read_dword(emu.regs.get_esp())
196 .expect("advapi32!LookupPrivilegeValueW error reading param") as u64;
197 let ptr_name =
198 emu.maps
199 .read_dword(emu.regs.get_esp()+4)
200 .expect("advapi32!LookupPrivilegeValueW error reading param") as u64;
201 let ptr_uid =
202 emu.maps
203 .read_dword(emu.regs.get_esp()+8)
204 .expect("advapi32!LookupPrivilegeValueW error reading param") as u64;
205
206 let sysname = emu.maps.read_wide_string(ptr_sysname);
207 let name = emu.maps.read_wide_string(ptr_name);
208 emu.maps.write_dword(ptr_uid, 123);
209
210 log::info!(
211 "{}** {} advapi321!LookupPrivilegeValueW `{}` `{}` {}",
212 emu.colors.light_red, emu.pos, sysname, name, emu.colors.nc
213 );
214
215 for _ in 0..3 {
216 emu.stack_pop32(false);
217 }
218 emu.regs.rax = 1;
219}
220
221fn CryptEncrypt(emu: &mut emu::Emu) {
222 let hkey =
223 emu.maps
224 .read_dword(emu.regs.get_esp())
225 .expect("advapi32!CryptEncrypt error reading param") as u64;
226 let hhash =
227 emu.maps
228 .read_dword(emu.regs.get_esp()+4)
229 .expect("advapi32!CryptEncrypt error reading param") as u64;
230 let bfinal =
231 emu.maps
232 .read_dword(emu.regs.get_esp()+8)
233 .expect("advapi32!CryptEncrypt error reading param") as u64;
234 let flags =
235 emu.maps
236 .read_dword(emu.regs.get_esp()+12)
237 .expect("advapi32!CryptEncrypt error reading param") as u64;
238 let data_ptr =
239 emu.maps
240 .read_dword(emu.regs.get_esp()+16)
241 .expect("advapi32!CryptEncrypt error reading param") as u64;
242 let data_len_ptr =
243 emu.maps
244 .read_dword(emu.regs.get_esp()+20)
245 .expect("advapi32!CryptEncrypt error reading param") as u64;
246 let buff_len =
247 emu.maps
248 .read_dword(emu.regs.get_esp()+24)
249 .expect("advapi32!CryptEncrypt error reading param") as u64;
250
251 log::info!(
252 "{}** {} advapi32!CryptEncrypt {}",
253 emu.colors.light_red, emu.pos, emu.colors.nc
254 );
255
256 for _ in 0..7 {
257 emu.stack_pop32(false);
258 }
259
260 emu.regs.rax = 1;
261}
262
263
264fn CryptDecrypt(emu: &mut emu::Emu) {
265 let hkey =
266 emu.maps
267 .read_dword(emu.regs.get_esp())
268 .expect("advapi32!CryptDecrypt error reading param") as u64;
269 let hhash =
270 emu.maps
271 .read_dword(emu.regs.get_esp()+4)
272 .expect("advapi32!CryptDecrypt error reading param") as u64;
273 let bfinal =
274 emu.maps
275 .read_dword(emu.regs.get_esp()+8)
276 .expect("advapi32!CryptDecrypt error reading param") as u64;
277 let flags =
278 emu.maps
279 .read_dword(emu.regs.get_esp()+12)
280 .expect("advapi32!CryptDecrypt error reading param") as u64;
281 let data_ptr =
282 emu.maps
283 .read_dword(emu.regs.get_esp()+16)
284 .expect("advapi32!CryptDecrypt error reading param") as u64;
285 let data_len_ptr =
286 emu.maps
287 .read_dword(emu.regs.get_esp()+20)
288 .expect("advapi32!CryptDecrypt error reading param") as u64;
289 let buff_len =
290 emu.maps
291 .read_dword(emu.regs.get_esp()+24)
292 .expect("advapi32!CryptDecrypt error reading param") as u64;
293
294 log::info!(
295 "{}** {} advapi32!CryptDecrypt {}",
296 emu.colors.light_red, emu.pos, emu.colors.nc
297 );
298
299 for _ in 0..7 {
300 emu.stack_pop32(false);
301 }
302
303 emu.regs.rax = 1;
304}
305
306
307fn CryptReleaseContext(emu: &mut emu::Emu) {
308 let hndl =
309 emu.maps
310 .read_dword(emu.regs.get_esp())
311 .expect("advapi32!CryptReleaseContext error reading param") as u64;
312 let flags =
313 emu.maps
314 .read_dword(emu.regs.get_esp()+4)
315 .expect("advapi32!CryptReleaseContext error reading param") as u64;
316
317 log::info!(
318 "{}** {} advapi32!CryptReleaseContext {}",
319 emu.colors.light_red, emu.pos, emu.colors.nc
320 );
321
322 helper::handler_close(hndl);
323
324 emu.stack_pop32(false);
325 emu.stack_pop32(false);
326 emu.regs.rax = 1;
327}
328
329fn CryptCreateHash(emu: &mut emu::Emu) {
330 let hprov =
331 emu.maps
332 .read_dword(emu.regs.get_esp())
333 .expect("advapi32!CryptCreateHash error reading param");
334 let algid =
335 emu.maps
336 .read_dword(emu.regs.get_esp()+4)
337 .expect("advapi32!CryptCreateHash error reading param");
338 let hkey =
339 emu.maps
340 .read_dword(emu.regs.get_esp()+8)
341 .expect("advapi32!CryptCreateHash error reading param");
342 let flags =
343 emu.maps
344 .read_dword(emu.regs.get_esp()+12)
345 .expect("advapi32!CryptCreateHash error reading param");
346 let hash_ptr =
347 emu.maps
348 .read_dword(emu.regs.get_esp()+16)
349 .expect("advapi32!CryptCreateHash error reading param") as u64;
350
351
352 log::info!(
353 "{}** {} advapi32!CryptCreateHash {} {}",
354 emu.colors.light_red, emu.pos, get_cryptoalgorithm_name(algid),
355 emu.colors.nc
356 );
357
358 let hndl = helper::handler_create(get_cryptoalgorithm_name(algid));
359 assert!( hndl < 0x00000001_00000000 );
360 emu.maps.write_dword(hash_ptr, hndl as u32);
361
362 for _ in 0..5 {
363 emu.stack_pop32(false);
364 }
365 emu.regs.rax = 1;
366}
367
368fn CryptGenKey(emu: &mut emu::Emu) {
369 let hprov =
370 emu.maps
371 .read_dword(emu.regs.get_esp())
372 .expect("advapi32!CryptGenKey error reading param");
373 let algid =
374 emu.maps
375 .read_dword(emu.regs.get_esp()+4)
376 .expect("advapi32!CryptGenKey error reading param");
377 let flags =
378 emu.maps
379 .read_dword(emu.regs.get_esp()+8)
380 .expect("advapi32!CryptGenKey error reading param");
381 let hkey_ptr =
382 emu.maps
383 .read_dword(emu.regs.get_esp()+12)
384 .expect("advapi32!CryptGenKey error reading param");
385
386
387 log::info!(
388 "{}** {} advapi32!CryptGenKey {} {}",
389 emu.colors.light_red, emu.pos, get_cryptoalgorithm_name(algid),
390 emu.colors.nc
391 );
392
393 for _ in 0..4 {
394 emu.stack_pop32(false);
395 }
396 emu.regs.rax = 1;
397}
398
399fn CryptGetHashParam(emu: &mut emu::Emu) {
400 let hhash =
401 emu.maps
402 .read_dword(emu.regs.get_esp())
403 .expect("advapi32!CryptGetHashParam error reading param") as u64;
404 let param =
405 emu.maps
406 .read_dword(emu.regs.get_esp()+4)
407 .expect("advapi32!CryptGetHashParam error reading param") as u64;
408 let data_ptr =
409 emu.maps
410 .read_dword(emu.regs.get_esp()+8)
411 .expect("advapi32!CryptGetHashParam error reading param") as u64;
412 let len_ptr =
413 emu.maps
414 .read_dword(emu.regs.get_esp()+12)
415 .expect("advapi32!CryptGetHashParam error reading param") as u64;
416 let flags =
417 emu.maps
418 .read_dword(emu.regs.get_esp()+16)
419 .expect("advapi32!CryptGetHashParam error reading param") as u64;
420
421
422 log::info!(
423 "{}** {} advapi32!CryptGetHashParam {}",
424 emu.colors.light_red, emu.pos, emu.colors.nc
425 );
426
427 for _ in 0..5 {
428 emu.stack_pop32(false);
429 }
430 emu.regs.rax = 1;
431}
432
433
434fn CryptGetKeyParam(emu: &mut emu::Emu) {
435 let hhash =
436 emu.maps
437 .read_dword(emu.regs.get_esp())
438 .expect("advapi32!CryptGetKeyParam error reading param") as u64;
439 let param =
440 emu.maps
441 .read_dword(emu.regs.get_esp()+4)
442 .expect("advapi32!CryptGetKeyParam error reading param") as u64;
443 let data_ptr =
444 emu.maps
445 .read_dword(emu.regs.get_esp()+8)
446 .expect("advapi32!CryptGetKeyParam error reading param") as u64;
447 let len_ptr =
448 emu.maps
449 .read_dword(emu.regs.get_esp()+12)
450 .expect("advapi32!CryptGetKeyParam error reading param") as u64;
451 let flags =
452 emu.maps
453 .read_dword(emu.regs.get_esp()+16)
454 .expect("advapi32!CryptGetKeyParam error reading param") as u64;
455
456
457 log::info!(
458 "{}** {} advapi32!CryptGetKeyParam {}",
459 emu.colors.light_red, emu.pos, emu.colors.nc
460 );
461
462 for _ in 0..5 {
463 emu.stack_pop32(false);
464 }
465 emu.regs.rax = 1;
466}
467
468fn CryptImportKey(emu: &mut emu::Emu) {
469 let hprov =
470 emu.maps
471 .read_dword(emu.regs.get_esp())
472 .expect("advapi32!CryptImportKey error reading param") as u64;
473 let data_ptr =
474 emu.maps
475 .read_dword(emu.regs.get_esp()+4)
476 .expect("advapi32!CryptImportKey error reading param") as u64;
477 let data_len =
478 emu.maps
479 .read_dword(emu.regs.get_esp()+8)
480 .expect("advapi32!CryptImportKey error reading param") as u64;
481 let hpubkey =
482 emu.maps
483 .read_dword(emu.regs.get_esp()+12)
484 .expect("advapi32!CryptImportKey error reading param") as u64;
485 let flags =
486 emu.maps
487 .read_dword(emu.regs.get_esp()+16)
488 .expect("advapi32!CryptImportKey error reading param") as u64;
489 let hkey_ptr =
490 emu.maps
491 .read_dword(emu.regs.get_esp()+16)
492 .expect("advapi32!CryptImportKey error reading param") as u64;
493
494
495 log::info!(
496 "{}** {} advapi32!CryptImportKey {}",
497 emu.colors.light_red, emu.pos, emu.colors.nc
498 );
499
500 for _ in 0..6 {
501 emu.stack_pop32(false);
502 }
503 emu.regs.rax = 1;
504}
505
506fn CryptSignHashA(emu: &mut emu::Emu) {
507 let hhash =
508 emu.maps
509 .read_dword(emu.regs.get_esp())
510 .expect("advapi32!CryptSignHashA error reading param") as u64;
511 let key_spec =
512 emu.maps
513 .read_dword(emu.regs.get_esp()+4)
514 .expect("advapi32!CryptSignHashA error reading param") as u64;
515 let desc_ptr =
516 emu.maps
517 .read_dword(emu.regs.get_esp()+8)
518 .expect("advapi32!CryptSignHashA error reading param") as u64;
519 let flags =
520 emu.maps
521 .read_dword(emu.regs.get_esp()+12)
522 .expect("advapi32!CryptSignHashA error reading param") as u64;
523 let sig_ptr =
524 emu.maps
525 .read_dword(emu.regs.get_esp()+16)
526 .expect("advapi32!CryptSignHashA error reading param") as u64;
527 let sig_len_ptr =
528 emu.maps
529 .read_dword(emu.regs.get_esp()+16)
530 .expect("advapi32!CryptSignHashA error reading param") as u64;
531
532
533 log::info!(
534 "{}** {} advapi32!CryptSignHashA {}",
535 emu.colors.light_red, emu.pos, emu.colors.nc
536 );
537
538 for _ in 0..6 {
539 emu.stack_pop32(false);
540 }
541 emu.regs.rax = 1;
542}
543
544fn CryptSignHashW(emu: &mut emu::Emu) {
545 let hhash =
546 emu.maps
547 .read_dword(emu.regs.get_esp())
548 .expect("advapi32!CryptSignHashW error reading param") as u64;
549 let key_spec =
550 emu.maps
551 .read_dword(emu.regs.get_esp()+4)
552 .expect("advapi32!CryptSignHashW error reading param") as u64;
553 let desc_ptr =
554 emu.maps
555 .read_dword(emu.regs.get_esp()+8)
556 .expect("advapi32!CryptSignHashW error reading param") as u64;
557 let flags =
558 emu.maps
559 .read_dword(emu.regs.get_esp()+12)
560 .expect("advapi32!CryptSignHashW error reading param") as u64;
561 let sig_ptr =
562 emu.maps
563 .read_dword(emu.regs.get_esp()+16)
564 .expect("advapi32!CryptSignHashW error reading param") as u64;
565 let sig_len_ptr =
566 emu.maps
567 .read_dword(emu.regs.get_esp()+16)
568 .expect("advapi32!CryptSignHashW error reading param") as u64;
569
570
571 log::info!(
572 "{}** {} advapi32!CryptSignHashW {}",
573 emu.colors.light_red, emu.pos, emu.colors.nc
574 );
575
576 for _ in 0..6 {
577 emu.stack_pop32(false);
578 }
579 emu.regs.rax = 1;
580}
581
582fn CryptHashData(emu: &mut emu::Emu) {
583 let hhash = emu.maps.read_dword(emu.regs.get_esp())
584 .expect("advapi32!CryptHashData error on param") as u64;
585 let data_ptr = emu.maps.read_dword(emu.regs.get_esp()+4)
586 .expect("advapi32!CryptHashData error on param") as u64;
587 let data_len = emu.maps.read_dword(emu.regs.get_esp()+8)
588 .expect("advapi32!CryptHashData error on param") as usize;
589 let flags = emu.maps.read_dword(emu.regs.get_esp()+12)
590 .expect("advapi32!CryptHashData error on param");
591
592 let data = emu.maps.read_bytes(data_ptr, data_len);
593
594 let mut hex_hash = "".to_string();
595 let algo = helper::handler_get_uri(hhash);
596 if algo == "CALG_MD5" {
597 let digest:md5::Digest = md5::compute(data);
598 let hash_bytes = digest.0;
599 hex_hash = format!("{:x}", digest);
600 helper::handler_put_bytes(hhash, &hash_bytes);
601 } else {
602 helper::handler_put_bytes(hhash, b"deadcafebabe");
603 }
604
605 log::info!(
606 "{}** {} advapi32!CryptHashData {} {}",
607 emu.colors.light_red, emu.pos, hex_hash, emu.colors.nc
608 );
609
610 for _ in 0..4 {
611 emu.stack_pop32(false);
612 }
613 emu.regs.rax = 1;
614}
615
616fn CryptDeriveKey(emu: &mut emu::Emu) {
617 let hprov = emu.maps.read_dword(emu.regs.get_esp())
618 .expect("advapi32!CryptDeriveKey error on param") as u64;
619 let algid = emu.maps.read_dword(emu.regs.get_esp()+4)
620 .expect("advapi32!CryptDeriveKey error on param");
621 let data = emu.maps.read_dword(emu.regs.get_esp()+8)
622 .expect("advapi32!CryptDeriveKey error on param") as usize;
623 let flags = emu.maps.read_dword(emu.regs.get_esp()+12)
624 .expect("advapi32!CryptDeriveKey error on param") as usize;
625 let hkey_ptr = emu.maps.read_dword(emu.regs.get_esp()+16)
626 .expect("advapi32!CryptDeriveKey error on param") as u64;
627
628 let alg = get_cryptoalgorithm_name(algid);
629 let mut alg_len = get_crypto_key_len(algid);
630
631 let handle = helper::handler_create(alg);
632 if alg_len == 0 {
633 alg_len = (flags >> 16) & 0xffff;
634 }
635 helper::handler_put_bytes(handle, &vec![0x41u8;alg_len]);
636
637 log::info!(
638 "{}** {} advapi32!CryptDeriveKey {} {}",
639 emu.colors.light_red, emu.pos, alg, emu.colors.nc
640 );
641
642 for _ in 0..5 {
643 emu.stack_pop32(false);
644 }
645 emu.regs.rax = 1;
646}
647