notes.txt
If the target is to make a user-friendly Windows API monitor, there are tons of ready-to-use tools lying around:
Huorong Sword: https://www.huorong.cn/
API Monitor: https://www.rohitab.com/apimonitor
Process Monitor from Sysinternals: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
So my version of PEDoll will NOT focus on pretty-printing Windows APIs, but on better interoperability with internal procedures.
.NET Framework v4.7.2 is preinstalled starting from Windows 10 v1803, and is installable starting from Windows 7 SP1.
v4.5 is similar, but preinstalled starting from Windows 8.
The "binary hooker" that PeDoll implements ALSO only works on procedures,
and only supports 1 instance.
put this into FAQ:
https://github.com/microsoft/Detours/wiki/FAQ#why-dont-i-see-any-calls-to-my-detour-of-malloc
----------
registers to preserve:
x86
pushad/popad
eax, ecx, edx, ebx, esp, ebp, esi, edi
x64
rax, rcx, rdx, rbx, rbp, rsp, rdi, rsi, r8, r9
(?) FP registers (sub ebp, 16; movdqu xmmword ptr[ebp], xmm0)
xmm0, xmm1, xmm2, xmm3
calling conventions:
x86
cdecl/stdcall (stack)
fastcall (ecx, edx, stack)
x64
msvc (rcx, rdx, r8, r9, stack)
gcc (rdi, rsi, rdx, rcx, r8, r9, stack)
*IMPORTANT*: Also save/load EFLAGS|RFLAGS with (PUSHFD/POPFD)|(PUSHFQ/POPFQ)?
----------
https://github.com/xamarin/XamarinComponents/tree/master/XPlat/Mono.Options
Detailed information: https://github.com/mono/mono/blob/master/mcs/class/Mono.Options/Mono.Options/Options.cs#L40
custom separator: { "--dump=,", (x, y) => ... }
default parameters: { "<>", x => ... }
----------
C# has "lock(obj) { ...}"
a "nothing-but-a-lock" object: "object theLock = new object();"
----------
Shift-Enter inputs newline in the Visual Studio resource editor
Set Form.Localizable to True
Change Language to write in values
cmdline to search for untranslated strings (// TODO: "...")
grep -r --include=*.cs "// TODO: \"" | sed 's/.*TODO: //g' | sort | uniq
and their locations:
grep -rn --include=*.cs "TODO: \"" | awk '{ print $1 "\t" $4 }' | sort -k2
----------
Examples of command `hook`:
# (x64) Hooks WinExec(), prints the command it tries to execute, then rejects it
hook WinExec --before --echo="lpCmdLine = {str(arg(0))}" --verdict=reject --after --verdict=approve
# (x86) Binary example (pattern from original PeDoll)
hook *8B5424048B4C240885D2750D --convention=cdecl --stack=0,0 --before --echo="str1 = {str(poi(sp+4+4))}" --echo="str2 = {str(poi(sp+4+8))}" --verdict=reject
# (x86) Reject WriteFile() (shows the usage of context dictionary)
hook CreateFileA --before --verdict=approve --after --ctx="hFile_{ax}","{str(arg(1))}" --verdict=approve
hook CreateFileW --before --verdict=approve --after --ctx="hFile_{ax}","{wstr(arg(1))}" --verdict=approve
hook WriteFile --convention=stdcall --stack=20,1 --before --echo="File: {ctx(\"hFile_\"+ax.ToString())}" --dump={arg(1)},{arg(2)} --verdict=reject
# (x64) Dump all send() and recv() data (shows the usage of "after" hooks)
hook ws2_32!send --before --dump={arg(1)},{(int)arg(2)} --verdict=approve
hook ws2_32!recv --before --verdict=approve --after --dump={arg(1)},{(int)ax} --verdict=approve
----------
*IMPORTANT*: Mark color outputs as an enhancement idea, but not a necessary one
`dump` formats:
"Commands.Dump.Header" => "Dump #{0} from hook \"{1}\" ({2} bytes), under format \"{3}\":\n\n"
hex(default)
Similar to (but not the same as) `hexdump -Cv`, 4 parts separated by double spaces:
Offset /\ 8 bytes /\ 8 bytes /\ ASCII or '.'
00000000 5b 4c 6f 63 61 6c 69 7a 65 64 46 69 6c 65 4e 61 [LocalizedFileNa
// ...
00000090 0d 0a ..
00000092
^ Total length
Color: unconverted '.'s are dark gray, bytes are white, others are default color
raw
Console: like ASCII column in "hex", unconverted '.'s are dark gray, others are white
File: untouched
ansi, unicode, utf8
Try Encoding.(Default|Unicode|Utf8).GetString() and give out error if exception thrown
NOTE: Some of the encodings support replacing unknown characters with '?'s or similar things
x86, x64
Call disassemble engine
Offset /\ n bytes (n <= 8) /\ mnemonic, '\t', operands
0000100a 75 0D jne 0x1019
0000100c 66 66 66 66 66 66 66 .. mov bp, sp
00001018 FF db 0xff
00000019
^ Total length
bytes are dark gray, codes are white, others are default color
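Added example (not PeDoll's own code): a formatter for the `hex` dump layout noted above, composed with the "Commands.Dump.Header" string. Assumptions: short last lines are padded so the ASCII column stays aligned, and the color attributes are left out (plain text only).

```python
# Constructed example of the PeDoll `hex` dump layout (not project code):
#   offset  /  8 bytes  /  8 bytes  /  ASCII-or-'.'   (parts separated by two spaces)
# followed by one trailing line holding the total length.

HEADER = 'Dump #{0} from hook "{1}" ({2} bytes), under format "{3}":\n\n'


def ascii_or_dot(b: int) -> str:
    """Printable 7-bit ASCII is shown as-is; everything else becomes '.'."""
    return chr(b) if 0x20 <= b < 0x7F else "."


def hex_dump(data: bytes) -> str:
    """Return the `hex` format body for `data` (no color, no header)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        left = " ".join(f"{b:02x}" for b in chunk[:8])
        right = " ".join(f"{b:02x}" for b in chunk[8:])
        text = "".join(ascii_or_dot(b) for b in chunk)
        # Assumption: pad each 8-byte group to its full width (23 chars)
        # so the ASCII column lines up on a short final row.
        lines.append(f"{off:08x}  {left:<23}  {right:<23}  {text}")
    # Trailing line: total length, like the "00000092" row in the notes.
    lines.append(f"{len(data):08x}")
    return "\n".join(lines)


def format_dump(number: int, hook: str, data: bytes) -> str:
    """Header + body, as the `dump` command would print it for format "hex"."""
    return HEADER.format(number, hook, len(data), "hex") + hex_dump(data)


if __name__ == "__main__":
    # Constructed sample resembling the notes' "[LocalizedFileNa..." dump.
    print(format_dump(1, "WriteFile", b"[LocalizedFileName]\r\n"))
```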