❉ Development stream of the VPATH code security audit utility ❉

Talomir

❉ DEVELOPMENT STREAM OF THE VPATH DYNAMIC CODE VULNERABILITY ANALYZER

Botting Technologies Software Public

With nothing to do, I took up the game on batteries that I was into some 20 years ago. As always, the question came up of automating vulnerability search, in so-called static and dynamic code analysis. IDA, of course, hung while saving the .ASM file of Discord.exe, and I realized I had to write my own tool, ultra-reliable and ultra-smart. And I give it the name vpath - vulnerabilities paths finder.

The idea, as always, is to search for routes in the code from the functions that read sockets, files and process arguments to forbidden functions such as strcpy, wcstrcpy, sprintf, wcsprintf and so on. If such a route is found, a potential vulnerability is found, which only remains to be verified.

The found routes, the paths, are sorted for each forbidden function by route length, shortest first, and written to a report file. The program must both launch an EXE and attach to a running process. It must also support a registration key: it will be shareware, roughly $30.

From the system analysis early in the morning it became clear that it has to be built on x64dbg, a debugger with an API and a scripting language. First use the API; if that does not work out, automate the UI elements (a bot for the debugger); and as a last resort, the debugger's scripting language.

The logic also became clear: dynamic insertion and removal of breakpoints. First, breakpoints are set on sockets and files, the victim is run in single-step mode, and in the current function calls to other functions are looked for, on which breakpoints are set automatically. Meanwhile a trace of the function calls is kept, as in ltrace/strace.

When a forbidden function is reached, DETECT fires: a vulnerability has been found, and it is saved to the report log.

That is the whole main idea and analysis, and I can get on with the coding, which, having nothing else to say, I will stream in this thread.


So, top-down, a sketch of the interface; I work 4 hours a day, day one: analysis and interface.
--- Added later: ---

Added a switch between static and dynamic analysis: in static mode all traces are output without the actual values of the function arguments, but no breakpoints need to be inserted, which is easier to do at the start of development.

--- Added later: ---

Improved the interface - it is turning into a star program...!

--- Added later: ---

Fixed the fonts in the log window

--- Added later: ---

For a few days I will be trying out the WinApiOverride tool; the easiest way to build vpath is on top of its logs - everything is ready there except the logic for finding the paths to vulnerabilities. I need to figure out the configs and the txt format of its libraries, and write a log analyzer. That way vpath will be a free tool, and I will then add WinApiOverride and vpath to my CyberFile file manager as useful tools.

--- Added later: ---

PROPAGATION OF VALUE LABELS IN EVIDENCE-BASED VULNERABILITY SEARCH

The mathematical theory of evidence-based vulnerability search by a dynamic analyzer, a library call monitor, is ready.

The log files of library call monitors such as WinApiOverride record the sequence of library calls, with the function name, the values of its parameters on the stack, and the register values before and after the call.

The task of dynamic vulnerability analysis consists in finding those forbidden functions into which data read from files, sockets and command-line parameters arrives unchanged or after a formulaic modification. Then, if the parameters of the forbidden functions depend on the command-line, file or network input to the program, it is highly likely that by manipulating the input one can influence the behaviour of the vulnerable function: cause a format string situation, a buffer, stack or heap overflow, an out-of-bounds array index, an integer overflow, and so on. That is, we are interested in the situation where the parameters of the vulnerable function depend on the program's input, and it is precisely such situations, sorted by probability, that we will detect automatically in the execution trace of the program under study.

For probabilistic detection of the dependence of a function parameter on the input, so-called value labels can be used. The label of a variable's value is an attribute showing the distance of this value from the program's entry point: from a function that reads a socket, a file or a command-line argument.

In a read function, all values of the arguments, of the return value and of the registers get label 0.

Further along the call log, if parameters or registers receive values and the function is not a read, an input, then values already present in the analyzer's memory with label 0 get label 0. Otherwise, matching values get labels equal to the minimum of the matching ones and those in memory.

Values that do not match any in memory get labels by their proximity to those in memory. This is needed when data is taken, for example, from the middle of a buffer rather than from its start, so the address does not match the start of the buffer but is close to it.

So, if the value is an address, it gets a label equal to the difference in kilobytes to the nearest value in memory with the minimal label.

And if the value is an ordinary number, it gets a label equal to the difference to the nearest number in memory with the minimal label.

All other values of the variables and registers of the function call get a label equal to the minimum of the inherited ones.

Simply put, the labels of variable and register values propagate down the library call log and reach the forbidden functions.

Having arrived at a forbidden function, such a label tells us how strongly a parameter of this function depends on the program's input: 0 - the parameter was taken from the network or from a file; 10 - the parameter is very close to the program's input; 1000 - the parameters of the forbidden function in this call practically do not depend on the input and there is no possibility of exploiting the vulnerability.

Besides the label number, a label stores the address and name of the function and the line number in the log where it was born. These label attributes are inherited during propagation.

In a forbidden function, when its arguments depend on the program's input, these label attributes determine the start of the trace from which the propagation of the read data through the functions began, and the line number from which copying of the log must start.

The section of the trace from the data-reading function to the forbidden function that depends on it is a vulnerable execution path and is to be output to the analyzer's report. Sorted from minimal to maximal labels, the vulnerable execution paths put the most probable vulnerabilities of the program code at the start of the Vpath analyzer's report.
--- Added later: ---

Having settled on the WinApiOverride tool and its call log format, I fixed the interface once again. The task (automatic vulnerability search) turned out to be simple thanks to the availability of good monitors and debuggers with APIs.

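The label propagation described in the post above, as an added example that is not vpath's own code: a Python analyzer that parses call lines in the format printed by the thread's tracer, gives every value of a read function label 0, then propagates labels by exact match, by proximity (kilobytes for pointers, absolute difference for plain numbers, added to the label of the nearest remembered value, which is my reading of the rule) and by the call-wide minimum, and lists forbidden calls best first together with the log line where each vulnerable path starts. The source and sink name lists, the cut-off of 1000 and the sample log are constructed for the example; the sample logs the source argument of each copy as a pointer rather than as the string contents the tracer prints, so that the buffer-proximity rule has something to work on.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Assumed name lists for the example; the thread does not give vpath's own lists.
SOURCES = {"recv", "ReadFile", "GetCommandLineA"}   # reads: where labels are born
SINKS = {"strcpy", "lstrcpyA", "lstrcpyW", "wcscpy", "strncpy", "wcsncpy",
         "strcat", "wcscat", "sprintf"}             # forbidden functions
MAX_DIST = 1000  # assumed cut-off: beyond it a value counts as independent of the input

class Addr(int):
    """A hex literal from the log (a pointer); decimal literals stay plain int."""

Value = Union[int, str]
# Call line format as printed by the thread's ltrace-for-Windows tracer, e.g.
#   strcpy(0x4191084, "strcpy_source") from ucrtbased.dll, ret addr 0x15618967
CALL_RE = re.compile(r"^(\w+)\((.*)\) from (\S+), ret addr (0x[0-9A-Fa-f]+)$")
ARG_RE = re.compile(r'"([^"]*)"|(0x[0-9A-Fa-f]+)|(\d+)')

@dataclass(frozen=True)
class Label:
    dist: int         # 0 = taken straight from the input, larger = further away
    origin_func: str  # read function where the label was born
    origin_line: int  # log line of that read: where the vulnerable path starts

def parse_call(line: str) -> Optional[Tuple[str, List[Value]]]:
    """Return (function, [argument values]) or None for a line that is not a call."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args: List[Value] = []
    for mo in ARG_RE.finditer(m.group(2)):
        if mo.group(1) is not None:
            args.append(mo.group(1))
        elif mo.group(2) is not None:
            args.append(Addr(int(mo.group(2), 16)))
        else:
            args.append(int(mo.group(3)))
    return m.group(1), args

def nearest(memory: Dict[Value, Label], value: int) -> Optional[Label]:
    """Label for a number never seen before: nearest remembered value of the same kind
    (preferring small labels) plus the distance, in KB for pointers, absolute for
    plain numbers. This is the thread's 'data taken from mid-buffer' rule."""
    is_addr = isinstance(value, Addr)
    best: Optional[Tuple[Tuple[int, int], Label]] = None
    for known, lab in memory.items():
        if not isinstance(known, int) or isinstance(known, Addr) != is_addr:
            continue
        diff = abs(int(value) - int(known))
        dist = lab.dist + (diff // 1024 if is_addr else diff)
        if best is None or (dist, diff) < best[0]:
            best = ((dist, diff), lab)
    if best is None or best[0][0] > MAX_DIST:
        return None
    return Label(best[0][0], best[1].origin_func, best[1].origin_line)

def propagate(log: List[str]) -> List[Tuple[int, int, int, str]]:
    """Walk the log once; return (label, path_start_line, sink_line, sink_func) for
    every forbidden call whose arguments carry a label, most likely first."""
    memory: Dict[Value, Label] = {}
    findings: List[Tuple[int, int, int, str]] = []
    for lineno, line in enumerate(log, 1):
        parsed = parse_call(line)
        if parsed is None:
            continue
        func, args = parsed
        if func in SOURCES:                    # a read: every value gets label 0
            for a in args:
                memory[a] = Label(0, func, lineno)
            continue
        labels: List[Optional[Label]] = []
        for a in args:
            lab = memory.get(a)                # exact match inherits the label
            if lab is None and isinstance(a, int):
                lab = nearest(memory, a)       # otherwise label by proximity
            labels.append(lab)
        carried = [lab for lab in labels if lab is not None]
        if not carried:
            continue                           # nothing here depends on the input
        best = min(carried, key=lambda lab: lab.dist)
        for a, lab in zip(args, labels):       # the rest inherit the call's minimum
            lab = lab or best
            if a not in memory or lab.dist < memory[a].dist:
                memory[a] = lab
        if func in SINKS:                      # DETECT: forbidden call fed by the input
            findings.append((best.dist, best.origin_line, lineno, func))
    findings.sort()
    return findings

# Constructed sample trace (not from the thread): a socket read, then copies whose
# source pointers lie at increasing distance from the received buffer.
SAMPLE_LOG = [
    "Trace of program execution...:",
    "recv(0x1f4, 0x4191084, 1024, 0) from ws2_32.dll, ret addr 0x15618900",
    "strcpy(0x4190000, 0x4191090) from ucrtbased.dll, ret addr 0x15618967",
    "lstrcpyA(0x4200000, 0x4195000) from kernel32.dll, ret addr 0x15619040",
    "strcpy(0x5000000, 0x7ff00000) from ucrtbased.dll, ret addr 0x15619100",
]
```

propagate(SAMPLE_LOG) returns [(0, 2, 3, 'strcpy'), (15, 2, 4, 'lstrcpyA')]: the copy straight out of the received buffer comes first, the one 15 KB away second, and the unrelated copy is not reported.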
Talomir

Second day of development: a hassle with a dozen API call monitoring utilities: detours, deviare, SpyStudio, WinApiOverride, WinDbg, cdb, and so on. Not one of them worked properly. With a headache I went to bed, and at night, after a smoke, I decided to write my own API monitor and build the vulnerability search logic into it; that is, it is a dynamic code vulnerability analyzer.

Third day of development: a hassle with the EasyHook library for injecting my dll into a process to intercept functions. By midday it worked; for now I intercept lstrcpyA and strcpy, and from here on it is just a matter of adding function templates based on the ready examples in my own code.

--- Added later: ---

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <cstring>
#include <iostream>
#include <windows.h>

// test target for the tracer: each copy below should show up as an "UNSAFE CALL" line in its log
int main()
{
    std::cout << "Buggy running...\n";

    char buf[1024];

    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";

    std::cout << "Buggy finished...";
}

--- Added later: ---

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <cstdio>
#include <cstring>
#include <iostream>
#include <windows.h>

int main()
{
    std::cout << "Buggy running...\n";

    char buf[1024];

    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";

    // buf is reused as wide storage here, so it must be printed as a wide string;
    // printed through std::cout as a char* only its first byte ("l") would show
    lstrcpyW((LPWSTR)buf, L"lstrcpyW_source");
    std::printf("buf=%ls\n", (LPWSTR)buf);

    std::cout << "Buggy finished...";
}

--- Added later: ---

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <cstdio>
#include <cstring>
#include <iostream>
#include <windows.h>

// std::cout prints a wchar_t* as a pointer value, so wide buffers go through printf("%ls")
static void print_wide(const char *name, const wchar_t *s)
{
    std::printf("%s=%ls\n", name, s);
}

int main()
{
    std::cout << "Buggy running...\n";

    char buf[1024];
    wchar_t lbuf[1024];

    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyW(lbuf, L"lstrcpyW_source");
    print_wide("lbuf", lbuf);

    std::cout << "Buggy finished...";
}

--- Added later: ---

Fourth day of development: tidied up all the flaws in the code, added attaching to the PID of a running process, and of the overall logic it remains to intercept CreateThread() to hook new threads in the victim's address space. After that, add functions by template: the strcpy, sprintf, malloc, send-recv, Read/Write families. After a backup I will publish the working code of the core of the ltrace program for Windows.

Program.cs (ltrace.exe)

Code:
using System;
using EasyHook;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels.Ipc;

namespace ltrace
{
    class Program
    {
        static string ExeName = "";
        static string Arguments = "";
        static String ChannelName = null;
        static int Pid = -1;

        static IpcServerChannel serverChannel = null;
        static trace.MyInjectInterface IpcInterface { get; set; }

        static void Main(string[] args)
        {
            Console.ForegroundColor = ConsoleColor.Red;

            Console.WriteLine("ltrace for Windows by Talomir Mirotal 2022, Botting Technologies 12 Lab.");

            if (args.Length < 1 || args[0].Equals("-h") || args[0].Equals("--help"))
            {
                Usage();
                return;
            }

            Console.ForegroundColor = ConsoleColor.Green;

            GetExeAndArguments(args, out ExeName, out Arguments, out Pid);

            if (Pid < 0 && ExeName.Length < 1)
            {
                Console.WriteLine("ERROR: no program name or PID");
                Usage();
                return;
            }

            if (!InjectDll())
            {
                Console.WriteLine("ERROR: fail to inject trace.dll");
                return;
            }

            //IpcInterface = new trace.MyInjectInterface();
            //IpcInterface.OnMessagePosted += IpcInterface_OnMessagePosted;

            //serverChannel.StartListening(IpcInterface);

            // the IPC server created in InjectDll() prints what trace.dll sends;
            // the host only has to stay alive until the user closes it
            while (true) Console.ReadLine();
        }

        protected static bool InjectDll()
        {
            try
            {
                // Config.GetProcessPath() is the author's own helper (not shown in the thread),
                // presumably the directory ltrace.exe runs from, where trace.dll is expected
                string path = Config.GetProcessPath() + "trace.dll";

                serverChannel = RemoteHooking.IpcCreateServer<trace.MyInjectInterface>(ref ChannelName, WellKnownObjectMode.SingleCall);

                if (Pid < 0)
                {
                    // start the target suspended and inject trace.dll (the same file is given for the
                    // x86 and x64 slots); the dll wakes the process up once its hooks are installed
                    RemoteHooking.CreateAndInject(ExeName, Arguments, 0,
                        InjectionOptions.DoNotRequireStrongName, path, path, out Pid, ChannelName);
                }
                else
                {
                    // attach to an already running process
                    RemoteHooking.Inject(Pid, InjectionOptions.DoNotRequireStrongName, path, path, ChannelName);
                }

                return true;
            }
            catch (Exception ex) { Console.WriteLine(ex.Message); return false; }
        }

        protected static void GetExeAndArguments(string[] args, out string exe, out string arguments,
            out int pid)
        {
            arguments = "";
            exe = "";
            pid = -1;

            int i = 0;

            // skip option switches (an empty argument no longer throws on args[i][0])
            while (i < args.Length && args[i].StartsWith("-")) i++;

            if (i == args.Length) return;

            // a bare number is a PID to attach to, anything else is the program to start
            if (Int32.TryParse(args[i], out pid) && pid >= 0) return;
            pid = -1;

            exe = args[i++];

            if (i == args.Length) return;

            // everything after the program name is its command line, not just the first word
            arguments = String.Join(" ", args, i, args.Length - i);
        }

        static void Usage()
        {
            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine("USAGE:");
            Console.WriteLine("ltrace program.exe [program arguments]  - trace program and show library calls");
            Console.WriteLine("ltrace PID  - inject tracer to a running process");
            Console.ForegroundColor = ConsoleColor.Gray;
        }
    }
}

MyInject.cs (trace.dll)

Code:
using System;
using System.Collections.Generic;
using EasyHook;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Threading;

namespace trace
{
    public class MyInject : EasyHook.IEntryPoint
    {
        static MyInjectInterface Interface = null;

        static string[] dll = new string[] { };

        public MyInject(RemoteHooking.IContext InContext,
            String InChannelName)
        {
            // connect to host...
            Interface = RemoteHooking.IpcConnectClient<MyInjectInterface>(InChannelName);

            // validate connection...
            Interface.Ping();
        }

        public void Run(
            RemoteHooking.IContext InContext,
            String InChannelName)
        {
            string message = "We are in target process, the modules list: ";

            dll = GetModuleList();

            foreach (string d in dll) message += d + " ";

            Interface.ShowMessage(message, ConsoleColor.Yellow);

            Interface.ShowMessage("Trace of program execution...:", ConsoleColor.Blue);

            InstallHooks();

            EnableAclForHooks();

            // the target was started suspended by CreateAndInject(); let it run now that the hooks are in place
            RemoteHooking.WakeUpProcess();

            // keep this thread, and with it the hooks, alive for the lifetime of the target
            while (true) Thread.Sleep(500);
        }

        static bool IsInDll(string library)
        {
            foreach (string d in dll) if (d.Equals(library, StringComparison.OrdinalIgnoreCase)) return true;
            return false;
        }

        public Int32[] GetAllThreads()
        {
            Process currentProcess = Process.GetCurrentProcess();
            List<int> ids = new List<int>();
            foreach (ProcessThread t in currentProcess.Threads) ids.Add(t.Id);
            return ids.ToArray();
        }

        public static string[] GetModuleList()
        {
            List<string> mod = new List<string>();

            Process p = Process.GetCurrentProcess();

            foreach (ProcessModule m in p.Modules) mod.Add(m.ModuleName);

            return mod.ToArray();
        }

        // NUL-terminated ANSI string from the target's memory; an IntPtr is never null,
        // so the earlier "input == null" test could not fire and IntPtr.Zero is checked instead
        public static string GetAsciiString(IntPtr input)
        {
            if (input == IntPtr.Zero) return "";
            return Marshal.PtrToStringAnsi(input) ?? "";
        }

        // the same for a NUL-terminated UTF-16 string
        public static string GetUnicodeString(IntPtr input)
        {
            if (input == IntPtr.Zero) return "";
            return Marshal.PtrToStringUni(input) ?? "";
        }

        // the earlier format string "0x{0:8x8}" put a decimal number behind the 0x prefix (the
        // 0x4189028 in the log is the 003FEB64 that buggy.exe prints for lbuf); X8/X16 give real hex
        public static string ToHex(IntPtr addr)
        {
            if (RemoteHooking.IsX64Process(Process.GetCurrentProcess().Id))
                return String.Format("0x{0:X16}", (ulong)addr.ToInt64());
            else
                return String.Format("0x{0:X8}", (uint)addr.ToInt32());
        }

        //------- Hooking. Duplicate the code in this section for each hooked function ---------

        LocalHook lstrcpyA_hook = null;
        LocalHook lstrcpyW_hook = null;
        LocalHook strcpy_hook = null;

        static void SetAcl(LocalHook hook, int[] tid)
        {
            // a hook stays null when its DLL is not loaded in the target, so it is simply skipped
            if (hook != null) hook.ThreadACL.SetInclusiveACL(tid);
        }

        protected void EnableAclForHooks()
        {
            int[] tid = GetAllThreads();

            SetAcl(lstrcpyA_hook, tid);
            SetAcl(lstrcpyW_hook, tid);
            SetAcl(strcpy_hook, tid);
        }

        protected void InstallHooks()
        {
            try
            {
                if (IsInDll("kernel32.dll"))
                    lstrcpyA_hook = LocalHook.Create(
                        LocalHook.GetProcAddress("kernel32.dll", "lstrcpyA"),
                        new DlstrcpyA(lstrcpyA_Hooked),
                        this);
            }
            catch (Exception ex) { Interface.ReportException(ex); }

            try
            {
                if (IsInDll("kernel32.dll"))
                    lstrcpyW_hook = LocalHook.Create(
                        LocalHook.GetProcAddress("kernel32.dll", "lstrcpyW"),
                        new DlstrcpyW(lstrcpyW_Hooked),   // the Unicode delegate, not DlstrcpyA
                        this);
            }
            catch (Exception ex) { Interface.ReportException(ex); }

            try
            {
                // ucrtbased.dll is the debug CRT; a release build of the target links ucrtbase.dll instead
                if (IsInDll("ucrtbased.dll"))
                    strcpy_hook = LocalHook.Create(
                        LocalHook.GetProcAddress("ucrtbased.dll", "strcpy"),
                        new Dstrcpy(strcpy_Hooked),
                        this);
            }
            catch (Exception ex) { Interface.ReportException(ex); }
        }

        [UnmanagedFunctionPointer(CallingConvention.Winapi,
            CharSet = CharSet.Ansi,
            SetLastError = true)]
        delegate IntPtr DlstrcpyA(
            IntPtr dest,
            IntPtr source);

        // P-Invoke import of the original API so the hook can call through to it
        [DllImport("kernel32.dll",
            CharSet = CharSet.Ansi,
            SetLastError = true,
            CallingConvention = CallingConvention.Winapi)]
        static extern IntPtr lstrcpyA(
            IntPtr dest,
            IntPtr source);

        // every lstrcpyA() call in the target lands here: log it, then run the real function
        static IntPtr lstrcpyA_Hooked(
            IntPtr dest,
            IntPtr source)
        {
            try
            {
                Interface.ShowMessage("UNSAFE CALL: lstrcpyA()", ConsoleColor.Red);

                string msg = "lstrcpyA(" + ToHex(dest) + ", \"" + GetAsciiString(source) + "\") from kernel32.dll, ret addr " + ToHex(HookRuntimeInfo.ReturnAddress);

                Interface.ShowMessage(msg, ConsoleColor.Cyan);

                // call original API...
                return lstrcpyA(dest, source);
            }
            catch (Exception ex) { Interface.ReportException(ex); return (IntPtr)0; }
        }

        [UnmanagedFunctionPointer(CallingConvention.Winapi,
            CharSet = CharSet.Unicode,
            SetLastError = true)]
        delegate IntPtr DlstrcpyW(
            IntPtr dest,
            IntPtr source);

        // P-Invoke import of the original API so the hook can call through to it
        [DllImport("kernel32.dll",
            CharSet = CharSet.Unicode,
            SetLastError = true,
            CallingConvention = CallingConvention.Winapi)]
        static extern IntPtr lstrcpyW(
            IntPtr dest,
            IntPtr source);

        // every lstrcpyW() call in the target lands here: log it, then run the real function
        static IntPtr lstrcpyW_Hooked(
            IntPtr dest,
            IntPtr source)
        {
            try
            {
                Interface.ShowMessage("UNSAFE CALL: lstrcpyW()", ConsoleColor.Red);

                string msg = "lstrcpyW(" + ToHex(dest) + ", \"" + GetUnicodeString(source) + "\") from kernel32.dll, ret addr " + ToHex(HookRuntimeInfo.ReturnAddress);

                Interface.ShowMessage(msg, ConsoleColor.Cyan);

                // call original API...
                return lstrcpyW(dest, source);
            }
            catch (Exception ex) { Interface.ReportException(ex); return (IntPtr)0; }
        }

        // the CRT's strcpy is cdecl, unlike the Winapi (stdcall) kernel32 functions above
        [UnmanagedFunctionPointer(CallingConvention.Cdecl,
            CharSet = CharSet.Ansi,
            SetLastError = true)]
        delegate IntPtr Dstrcpy(
            IntPtr dest,
            IntPtr source);

        // P-Invoke import of the original API so the hook can call through to it
        [DllImport("ucrtbased.dll",
            CharSet = CharSet.Ansi,
            SetLastError = true,
            CallingConvention = CallingConvention.Cdecl)]
        static extern IntPtr strcpy(
            IntPtr dest,
            IntPtr source);

        // every strcpy() call in the target lands here: log it, then run the real function
        static IntPtr strcpy_Hooked(
            IntPtr dest,
            IntPtr source)
        {
            try
            {
                Interface.ShowMessage("UNSAFE CALL: strcpy()", ConsoleColor.Red);

                string msg = "strcpy(" + ToHex(dest) + ", \"" + GetAsciiString(source) + "\") from ucrtbased.dll, ret addr " + ToHex(HookRuntimeInfo.ReturnAddress);

                Interface.ShowMessage(msg, ConsoleColor.Cyan);

                // call original API...
                return strcpy(dest, source);
            }
            catch (Exception ex) { Interface.ReportException(ex); return (IntPtr)0; }
        }
    }
}


MyInjectInterface.cs (trace.dll)

Code:
using System;

namespace trace
{
    // instantiated in the host (ltrace.exe) by IpcCreateServer(); trace.dll calls it over the IPC channel
    public class MyInjectInterface : MarshalByRefObject
    {
        public void ShowMessage(string s, ConsoleColor color = ConsoleColor.Gray)
        {
            Console.ForegroundColor = color;
            Console.WriteLine(s);
            Console.ForegroundColor = ConsoleColor.Gray;
        }

        public void ReportException(Exception InInfo)
        {
            Console.WriteLine("The target process has reported an error:\r\n" + InInfo.ToString());
        }

        public void Ping() { }

        // no lease: keep the remoting object alive for the whole tracing session
        public override object InitializeLifetimeService()
        {
            return null;
        }
    }
}
Talomir

Fifth day of development: added interception of thread creation by the traced program, with the new threads then hooked; adding the remaining functions wcscpy(), _mbscpy() from the strcpy/lstrcpy family

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <cstdio>
#include <cstring>
#include <iostream>
#include <string>
#include <windows.h>
#include <mbstring.h>

// std::cout prints a wchar_t* as a pointer value, so wide buffers go through printf("%ls")
static void print_wide(const char *name, const wchar_t *s)
{
    std::printf("%s=%ls\n", name, s);
}

void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];

    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyW(lbuf, L"lstrcpyW_source");
    print_wide("lbuf", lbuf);

    wcscpy(lbuf, L"wcscpy_source");
    print_wide("lbuf", lbuf);

    // _mbscpy works on multibyte (narrow) strings; a wide literal would be cut at its first NUL byte
    _mbscpy((unsigned char *)buf, (const unsigned char *)"_mbscpy_source");
    std::cout << "buf=" << buf << "\n";
}

// CreateThread expects a DWORD WINAPI (LPVOID) routine; casting functions() to it breaks the calling convention on x86
static DWORD WINAPI thread_main(LPVOID param)
{
    functions((char *)param);
    return 0;
}

void start_thread()
{
    SECURITY_ATTRIBUTES attr;

    attr.bInheritHandle = TRUE;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;

    static int param = 0;   // static: the thread may still be running after start_thread() returns
    DWORD id = 0;

    HANDLE h = CreateThread(&attr, 8192, thread_main, &param, 0, &id);

    std::cout << "thread id = " << id << "\n";

    if (h != NULL) CloseHandle(h);   // releases the handle only; the thread keeps running
}

int main()
{
    std::cout << "Buggy running...\n";

    functions(NULL);

    start_thread();

    std::string key;

    std::cout << "Press q enter...";
    std::cin >> key;

    std::cout << "Buggy finished...";
}

--- Added later: ---

Added interception of lstrcpynA, lstrcpynW; now wcsncpy, strncpy need to be intercepted

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <cstdio>
#include <cstring>
#include <iostream>
#include <string>
#include <windows.h>

// std::cout prints a wchar_t* as a pointer value, so wide buffers go through printf("%ls")
static void print_wide(const char *name, const wchar_t *s)
{
    std::printf("%s=%ls\n", name, s);
}

void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];

    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyW(lbuf, L"lstrcpyW_source");
    print_wide("lbuf", lbuf);

    wcscpy(lbuf, L"wcscpy_source");
    print_wide("lbuf", lbuf);

    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    // lstrcpynW takes the size in characters, not bytes: sizeof lbuf alone would claim twice the buffer
    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf / sizeof lbuf[0]);
    print_wide("lbuf", lbuf);
}

// CreateThread expects a DWORD WINAPI (LPVOID) routine; casting functions() to it breaks the calling convention on x86
static DWORD WINAPI thread_main(LPVOID param)
{
    functions((char *)param);
    return 0;
}

void start_thread()
{
    SECURITY_ATTRIBUTES attr;

    attr.bInheritHandle = TRUE;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;

    static int param = 0;   // static: the thread may still be running after start_thread() returns
    DWORD id = 0;

    HANDLE h = CreateThread(&attr, 8192, thread_main, &param, 0, &id);

    std::cout << "thread id = " << id << "\n";

    if (h != NULL) CloseHandle(h);   // releases the handle only; the thread keeps running
}

int main()
{
    std::cout << "Buggy running...\n";

    functions(NULL);

    start_thread();

    std::string key;

    std::cout << "Press q enter...";
    std::cin >> key;

    std::cout << "Buggy finished...";
}

--- Added later: ---

The strcpy() family is tracked; a smoke, and then on to the strcat() family.

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <cstdio>
#include <cstring>
#include <iostream>
#include <string>
#include <windows.h>

// std::cout prints a wchar_t* as a pointer value, so wide buffers go through printf("%ls")
static void print_wide(const char *name, const wchar_t *s)
{
    std::printf("%s=%ls\n", name, s);
}

void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];

    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyW(lbuf, L"lstrcpyW_source");
    print_wide("lbuf", lbuf);

    wcscpy(lbuf, L"wcscpy_source");
    print_wide("lbuf", lbuf);

    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    // the wide functions take sizes in characters, not bytes
    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf / sizeof lbuf[0]);
    print_wide("lbuf", lbuf);

    strncpy(buf, "strncpy_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncpy(lbuf, L"wcsncpy_source", sizeof lbuf / sizeof lbuf[0]);
    print_wide("lbuf", lbuf);
}

// CreateThread expects a DWORD WINAPI (LPVOID) routine; casting functions() to it breaks the calling convention on x86
static DWORD WINAPI thread_main(LPVOID param)
{
    functions((char *)param);
    return 0;
}

void start_thread()
{
    SECURITY_ATTRIBUTES attr;

    attr.bInheritHandle = TRUE;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;

    static int param = 0;   // static: the thread may still be running after start_thread() returns
    DWORD id = 0;

    HANDLE h = CreateThread(&attr, 8192, thread_main, &param, 0, &id);

    std::cout << "thread id = " << id << "\n";

    if (h != NULL) CloseHandle(h);   // releases the handle only; the thread keeps running
}

int main()
{
    std::cout << "Buggy running...\n";

    functions(NULL);

    start_thread();

    std::string key;

    std::cout << "Press q enter...";
    std::cin >> key;

    std::cout << "Buggy finished...";
}

Code:
ltrace for Windows by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll VCRUNTIME140D.dll ucrtbased.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll VCRUNTIME140_CLR0400.dll ucrtbase_clr0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x4191084, "strcpy_source") from ucrtbased.dll, ret addr 0x15618967
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x4191084, "lstrcpyA_source") from kernel32.dll, ret addr 0x15619040
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x4189028, "lstrcpyW_source") from kernel32.dll, ret addr 0x15619117
UNSAFE CALL: wcscpy()
wcscpy(0x4189028, "wcscpy_source") from ucrtbased.dll, ret addr 0x15619202
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x4191084, "lstrcpynA_source", 1024) from kernel32.dll, ret addr 0x15619295
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x4189028, "lstrcpynW_source", 1024) from kernel32.dll, ret addr 0x15619377
UNSAFE CALL: strncpy()
strncpy(0x4191084, "strncpy_source", 1024) from ucrtbased.dll, ret addr 0x15619467
UNSAFE CALL: wcsncpy()
wcsncpy(0x4189028, "wcsncpy_source", 1024) from ucrtbased.dll, ret addr 0x15619552
CreateThread(0x4192100, 0x8192, 0x15601779, 0x4192076, 0x0, 0x4192088) from kernel32.dll, ret addr 0x15620805
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=003FEB64
lbuf=003FEB64
buf=lstrcpynA_source
lbuf=003FEB64
buf=strncpy_source
lbuf=003FEB64
thread id = 4956
Press q enter...UNSAFE CALL: strcpy()
strcpy(0x88734080, "strcpy_source") from ucrtbased.dll, ret addr 0x15618967
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x88734080, "lstrcpyA_source") from kernel32.dll, ret addr 0x15619040
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x88732024, "lstrcpyW_source") from kernel32.dll, ret addr 0x15619117
UNSAFE CALL: wcscpy()
wcscpy(0x88732024, "wcscpy_source") from ucrtbased.dll, ret addr 0x15619202
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x88734080, "lstrcpynA_source", 1024) from kernel32.dll, ret addr 0x15619295
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x88732024, "lstrcpynW_source", 1024) from kernel32.dll, ret addr 0x15619377
UNSAFE CALL: strncpy()
strncpy(0x88734080, "strncpy_source", 1024) from ucrtbased.dll, ret addr 0x15619467
UNSAFE CALL: wcsncpy()
wcsncpy(0x88732024, "wcsncpy_source", 1024) from ucrtbased.dll, ret addr 0x15619552
--- Added later: ---

Intercepted strcat, strncat, wcscat, wcsncat from ucrtbased.dll; now the same for kernel32.dll

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <cstdio>
#include <cstring>
#include <cwchar>
#include <iostream>
#include <string>
#include <windows.h>

// std::cout prints a wchar_t* as a pointer value, so wide buffers go through printf("%ls")
static void print_wide(const char *name, const wchar_t *s)
{
    std::printf("%s=%ls\n", name, s);
}

void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];

    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyW(lbuf, L"lstrcpyW_source");
    print_wide("lbuf", lbuf);

    wcscpy(lbuf, L"wcscpy_source");
    print_wide("lbuf", lbuf);

    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    // the wide functions take sizes in characters, not bytes
    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf / sizeof lbuf[0]);
    print_wide("lbuf", lbuf);

    strncpy(buf, "strncpy_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncpy(lbuf, L"wcsncpy_source", sizeof lbuf /  sizeof lbuf[0]);
    print_wide("lbuf", lbuf);

    buf[0] = 0;
    lbuf[0] = 0;

    strcat(buf, "strcat_source");
    std::cout << "buf=" << buf << "\n";

    wcscat(lbuf, L"wcscat_source");
    print_wide("lbuf", lbuf);

    // the count given to strncat/wcsncat is the room left in the buffer, not its total size
    strncat(buf, "strncat_source", sizeof buf - strlen(buf) - 1);
    std::cout << "buf=" << buf << "\n";

    wcsncat(lbuf, L"wcsncat_source", sizeof lbuf / sizeof lbuf[0] - wcslen(lbuf) - 1);
    print_wide("lbuf", lbuf);
}

// CreateThread expects a DWORD WINAPI (LPVOID) routine; casting functions() to it breaks the calling convention on x86
static DWORD WINAPI thread_main(LPVOID param)
{
    functions((char *)param);
    return 0;
}

void start_thread()
{
    SECURITY_ATTRIBUTES attr;

    attr.bInheritHandle = TRUE;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;

    static int param = 0;   // static: the thread may still be running after start_thread() returns
    DWORD id = 0;

    HANDLE h = CreateThread(&attr, 8192, thread_main, &param, 0, &id);

    std::cout << "thread id = " << id << "\n";

    if (h != NULL) CloseHandle(h);   // releases the handle only; the thread keeps running
}

int main()
{
    std::cout << "Buggy running...\n";

    functions(NULL);

    start_thread();

    std::string key;

    std::cout << "Press q enter...";
    std::cin >> key;

    std::cout << "Buggy finished...";
}

Code:
ltrace for Windows by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll ucrtbased.dll VCRUNTIME140D.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll VCRUNTIME140_CLR0400.dll ucrtbase_clr0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x5895000, "strcpy_source") from ucrtbased.dll, ret addr 0x10572759
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x5895000, "lstrcpyA_source") from kernel32.dll, ret addr 0x10572832
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x5892944, "lstrcpyW_source") from kernel32.dll, ret addr 0x10572909
UNSAFE CALL: wcscpy()
wcscpy(0x5892944, "wcscpy_source") from ucrtbased.dll, ret addr 0x10572994
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x5895000, "lstrcpynA_source", 1024) from kernel32.dll, ret addr 0x10573087
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x5892944, "lstrcpynW_source", 1024) from kernel32.dll, ret addr 0x10573169
UNSAFE CALL: strncpy()
strncpy(0x5895000, "strncpy_source", 1024) from ucrtbased.dll, ret addr 0x10573259
UNSAFE CALL: wcsncpy()
wcsncpy(0x5892944, "wcsncpy_source", 1024) from ucrtbased.dll, ret addr 0x10573344
UNSAFE CALL: strcat()
strcat(0x5895000, "strcat_source") from ucrtbased.dll, ret addr 0x10573525
UNSAFE CALL: wcscat()
wcscat(0x5892944, "wcscat_source") from ucrtbased.dll, ret addr 0x10573598
UNSAFE CALL: strncat()
strncat(0x5895000, "strncat_source", 1024) from ucrtbased.dll, ret addr 0x10573691
UNSAFE CALL: wcsncat()
wcsncat(0x5892944, "wcsncat_source", 1024) from ucrtbased.dll, ret addr 0x10573776
CreateThread(0x5896016, 0x8192, 0x10555507, 0x5895992, 0x0, 0x5896004) from kernel32.dll, ret addr 0x10575141
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=0059EB50
lbuf=0059EB50
buf=lstrcpynA_source
lbuf=0059EB50
buf=strncpy_source
lbuf=0059EB50
buf=strcat_source
lbuf=0059EB50
buf=strcat_sourcestrncat_source
lbuf=0059EB50
buf=strcpy_source
buf=lstrcpyA_source
lbuf=0563EC5C
lbuf=0563EC5C
buf=lstrcpynA_source
lbuf=0563EC5C
buf=strncpy_source
lbuf=0563EC5C
buf=strcat_source
lbuf=0563EC5C
buf=strcat_sourcestrncat_source
lbuf=0563EC5C
thread id = 6936
Press q enter...
--- Added later: ---

Added hooking and tracing of lstrcatA, lstrcatW from kernel32.dll; next, the ua_str...* family has to be hooked from the same DLL

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <iostream>
#include <windows.h>
//#include <mbstring.h>


void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];


    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";


    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";


    lstrcpyW(lbuf, L"lstrcpyW_source");
    std::cout << "lbuf=" << lbuf << "\n";


    wcscpy(lbuf, L"wcscpy_source");
    std::cout << "lbuf=" << lbuf << "\n";


    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";


    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";


    strncpy(buf, "strncpy_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";


    wcsncpy(lbuf, L"wcsncpy_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";


    buf[0] = 0;
    lbuf[0] = 0;


    strcat(buf, "strcat_source");
    std::cout << "buf=" << buf << "\n";


    wcscat(lbuf, L"wcscat_source");
    std::cout << "lbuf=" << lbuf << "\n";


    strncat(buf, "strncat_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";


    wcsncat(lbuf, L"wcsncat_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";


    lstrcatA(buf, "lstrcatA_source");
    std::cout << "buf=" << buf << "\n";


    lstrcatW(lbuf, L"lstrcatW_source");
    std::cout << "lbuf=" << lbuf << "\n";
}


void start_thread()
{
    SECURITY_ATTRIBUTES attr;


    attr.bInheritHandle = true;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;


    int id = -1, param = 0;


    CreateThread(&attr, 8192, (LPTHREAD_START_ROUTINE)functions, &param, 0, (LPDWORD)&id);


    std::cout << "thread id = " << id << "\n";


}


int main()
{
    std::cout << "Buggy running...\n";


    functions(NULL);


    start_thread();


    char key[1024];


    std::cout << "Press q enter...";
    std::cin >> key;


    std::cout << "Buggy finished...";
}

Code:
ltrace for Windows by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll VCRUNTIME140D.dll ucrtbased.dll MSVCP140D.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll VCRUNTIME140_CLR0400.dll ucrtbase_clr0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x18083720, "strcpy_source") from ucrtbased.dll, ret addr 0x11949031
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x18083720, "lstrcpyA_source") from kernel32.dll, ret addr 0x11949104
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x18081664, "lstrcpyW_source") from kernel32.dll, ret addr 0x11949181
UNSAFE CALL: wcscpy()
wcscpy(0x18081664, "wcscpy_source") from ucrtbased.dll, ret addr 0x11949266
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x18083720, "lstrcpynA_source", 1024) from kernel32.dll, ret addr 0x11949359
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x18081664, "lstrcpynW_source", 1024) from kernel32.dll, ret addr 0x11949441
UNSAFE CALL: strncpy()
strncpy(0x18083720, "strncpy_source", 1024) from ucrtbased.dll, ret addr 0x11949531
UNSAFE CALL: wcsncpy()
wcsncpy(0x18081664, "wcsncpy_source", 1024) from ucrtbased.dll, ret addr 0x11949616
UNSAFE CALL: strcat()
strcat(0x18083720, "strcat_source") from ucrtbased.dll, ret addr 0x11949797
UNSAFE CALL: wcscat()
wcscat(0x18081664, "wcscat_source") from ucrtbased.dll, ret addr 0x11949870
UNSAFE CALL: strncat()
strncat(0x18083720, "strncat_source", 1024) from ucrtbased.dll, ret addr 0x11949963
UNSAFE CALL: wcsncat()
wcsncat(0x18081664, "wcsncat_source", 1024) from ucrtbased.dll, ret addr 0x11950048
UNSAFE CALL: lstrcatA()
lstrcatA(0x18083720, "lstrcatA_source") from kernel32.dll, ret addr 0x11950136
UNSAFE CALL: lstrcatW()
lstrcatW(0x18081664, "lstrcatW_source") from kernel32.dll, ret addr 0x11950213
CreateThread(0x18084736, 0x8192, 0x11931763, 0x18084712, 0x0, 0x18084724) from kernel32.dll, ret addr 0x11951621
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=0113E780
lbuf=0113E780
buf=lstrcpynA_source
lbuf=0113E780
buf=strncpy_source
lbuf=0113E780
buf=strcat_source
lbuf=0113E780
buf=strcat_sourcestrncat_source
lbuf=0113E780
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=0113E780
buf=strcpy_source
buf=lstrcpyA_source
lbuf=05FAF034
lbuf=05FAF034
buf=lstrcpynA_source
lbuf=05FAF034
buf=strncpy_source
lbuf=05FAF034
buf=strcat_source
lbuf=05FAF034
buf=strcat_sourcestrncat_source
lbuf=05FAF034
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=05FAF034
thread id = 3748
Press q enter...
--- Added later: ---

Added hooking and tracing of CreateFileA(), CreateFileW(); that's all for today.

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <iostream>
#include <windows.h>
//#include <mbstring.h>
//#include <winapifamily.h>


void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];


    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";


    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";


    lstrcpyW(lbuf, L"lstrcpyW_source");
    std::cout << "lbuf=" << lbuf << "\n";


    wcscpy(lbuf, L"wcscpy_source");
    std::cout << "lbuf=" << lbuf << "\n";


    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";


    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";


    strncpy(buf, "strncpy_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";


    wcsncpy(lbuf, L"wcsncpy_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";


    buf[0] = 0;
    lbuf[0] = 0;


    strcat(buf, "strcat_source");
    std::cout << "buf=" << buf << "\n";


    wcscat(lbuf, L"wcscat_source");
    std::cout << "lbuf=" << lbuf << "\n";


    strncat(buf, "strncat_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";


    wcsncat(lbuf, L"wcsncat_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";


    lstrcatA(buf, "lstrcatA_source");
    std::cout << "buf=" << buf << "\n";


    lstrcatW(lbuf, L"lstrcatW_source");
    std::cout << "lbuf=" << lbuf << "\n";


//    uaw_wcscpy(lbuf, L"uaw_wcscpy_source");
//    std::cout << "lbuf=" << lbuf << "\n";


    CreateFileA("tempA.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFileW(L"tempW.txt", 0, 0, NULL, 0, 0, NULL);
}


void start_thread()
{
    SECURITY_ATTRIBUTES attr;


    attr.bInheritHandle = true;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;


    int id = -1, param = 0;


    CreateThread(&attr, 8192, (LPTHREAD_START_ROUTINE)functions, &param, 0, (LPDWORD)&id);


    std::cout << "thread id = " << id << "\n";


}


int main()
{
    std::cout << "Buggy running...\n";


    functions(NULL);


    start_thread();


    char key[1024];


    std::cout << "Press q enter...";
    std::cin >> key;


    std::cout << "Buggy finished...";
}

Code:
ltrace for Windows x86 by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll VCRUNTIME140D.dll ucrtbased.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll VCRUNTIME140_CLR0400.dll ucrtbase_clr0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll System.Runtime.Remoting.ni.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x9432484, "strcpy_source") from ucrtbased.dll, ret addr 0x12735495
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x9432484, "lstrcpyA_source") from kernel32.dll, ret addr 0x12735568
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x9430428, "lstrcpyW_source") from kernel32.dll, ret addr 0x12735645
UNSAFE CALL: wcscpy()
wcscpy(0x9430428, "wcscpy_source") from ucrtbased.dll, ret addr 0x12735730
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x9432484, "lstrcpynA_source", 1024) from kernel32.dll, ret addr 0x12735823
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x9430428, "lstrcpynW_source", 1024) from kernel32.dll, ret addr 0x12735905
UNSAFE CALL: strncpy()
strncpy(0x9432484, "strncpy_source", 1024) from ucrtbased.dll, ret addr 0x12735995
UNSAFE CALL: wcsncpy()
wcsncpy(0x9430428, "wcsncpy_source", 1024) from ucrtbased.dll, ret addr 0x12736080
UNSAFE CALL: strcat()
strcat(0x9432484, "strcat_source") from ucrtbased.dll, ret addr 0x12736261
UNSAFE CALL: wcscat()
wcscat(0x9430428, "wcscat_source") from ucrtbased.dll, ret addr 0x12736334
UNSAFE CALL: strncat()
strncat(0x9432484, "strncat_source", 1024) from ucrtbased.dll, ret addr 0x12736427
UNSAFE CALL: wcsncat()
wcsncat(0x9430428, "wcsncat_source", 1024) from ucrtbased.dll, ret addr 0x12736512
UNSAFE CALL: lstrcatA()
lstrcatA(0x9432484, "lstrcatA_source") from kernel32.dll, ret addr 0x12736600
UNSAFE CALL: lstrcatW()
lstrcatW(0x9430428, "lstrcatW_source") from kernel32.dll, ret addr 0x12736677
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("tempA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x12736767
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("tempW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x12736799
CreateThread(0x9433500, 0x2000, 0x12718195, 0x9433476, 0x0000, 0x9433488) from kernel32.dll, ret addr 0x12738165
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=008FE59C
lbuf=008FE59C
buf=lstrcpynA_source
lbuf=008FE59C
buf=strncpy_source
lbuf=008FE59C
buf=strcat_source
lbuf=008FE59C
buf=strcat_sourcestrncat_source
lbuf=008FE59C
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=008FE59C
buf=strcpy_source
buf=lstrcpyA_source
lbuf=0571F2A8
lbuf=0571F2A8
buf=lstrcpynA_source
lbuf=0571F2A8
buf=strncpy_source
lbuf=0571F2A8
buf=strcat_source
lbuf=0571F2A8
buf=strcat_sourcestrncat_source
lbuf=0571F2A8
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=0571F2A8
thread id = 3140
Press q enter...CreateThread(0x0, 0x0000, 0x1701596112, 0x11644712, 0x0004, 0x83884800) from kernel32.dll, ret addr 0x1701602300
CreateThread(0x0, 0x40000, 0x1702561424, 0x0, 0x10000, 0x83885080) from kernel32.dll, ret addr 0x1702560805
CreateThread(0x0, 0x0000, 0x1701596112, 0x11644744, 0x0004, 0x87815440) from kernel32.dll, ret addr 0x1701602300
--- Added later: ---

Next target - POTENTIAL UNSAFE

Create Pipe | NamedPipe | FileMapping | Process (A&W)

--- Added later: ---

SIXTH DAY OF DEVELOPMENT

Started with a hook for tracing calls to CreateHardLinkA() / CreateHardLinkW() - POTENTIAL UNSAFE

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <iostream>
#include <windows.h>
//#include <mbstring.h>
//#include <winapifamily.h>


void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];


    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";


    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";


    lstrcpyW(lbuf, L"lstrcpyW_source");
    std::cout << "lbuf=" << lbuf << "\n";


    wcscpy(lbuf, L"wcscpy_source");
    std::cout << "lbuf=" << lbuf << "\n";


    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";


    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";


    strncpy(buf, "strncpy_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";


    wcsncpy(lbuf, L"wcsncpy_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";


    buf[0] = 0;
    lbuf[0] = 0;


    strcat(buf, "strcat_source");
    std::cout << "buf=" << buf << "\n";


    wcscat(lbuf, L"wcscat_source");
    std::cout << "lbuf=" << lbuf << "\n";


    strncat(buf, "strncat_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";


    wcsncat(lbuf, L"wcsncat_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";


    lstrcatA(buf, "lstrcatA_source");
    std::cout << "buf=" << buf << "\n";


    lstrcatW(lbuf, L"lstrcatW_source");
    std::cout << "lbuf=" << lbuf << "\n";


//    uaw_wcscpy(lbuf, L"uaw_wcscpy_source");
//    std::cout << "lbuf=" << lbuf << "\n";


    CreateFileA("tempA.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFileW(L"tempW.txt", 0, 0, NULL, 0, 0, NULL);
    CreateHardLinkA("delete1.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateHardLinkW(L"delete2.exe", L"C:\\Windows\\System32\\calc.exe", NULL);
}


void start_thread()
{
    SECURITY_ATTRIBUTES attr;


    attr.bInheritHandle = true;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;


    int id = -1, param = 0;


    CreateThread(&attr, 8192, (LPTHREAD_START_ROUTINE)functions, &param, 0, (LPDWORD)&id);


    std::cout << "thread id = " << id << "\n";


}


int main()
{
    std::cout << "Buggy running...\n";


    functions(NULL);


    start_thread();


    char key[1024];


    std::cout << "Press q enter...";
    std::cin >> key;


    std::cout << "Buggy finished...";
}

Code:
ltrace for Windows x86 by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll VCRUNTIME140D.dll ucrtbased.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll ucrtbase_clr0400.dll VCRUNTIME140_CLR0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll System.Runtime.Remoting.ni.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x15724648, "strcpy_source") from ucrtbased.dll, ret addr 0x9917479
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x15724648, "lstrcpyA_source") from kernel32.dll, ret addr 0x9917552
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x15722592, "lstrcpyW_source") from kernel32.dll, ret addr 0x9917629
UNSAFE CALL: wcscpy()
wcscpy(0x15722592, "wcscpy_source") from ucrtbased.dll, ret addr 0x9917714
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x15724648, "lstrcpynA_source", 1024) from kernel32.dll, ret addr 0x9917807
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x15722592, "lstrcpynW_source", 1024) from kernel32.dll, ret addr 0x9917889
UNSAFE CALL: strncpy()
strncpy(0x15724648, "strncpy_source", 1024) from ucrtbased.dll, ret addr 0x9917979
UNSAFE CALL: wcsncpy()
wcsncpy(0x15722592, "wcsncpy_source", 1024) from ucrtbased.dll, ret addr 0x9918064
UNSAFE CALL: strcat()
strcat(0x15724648, "strcat_source") from ucrtbased.dll, ret addr 0x9918245
UNSAFE CALL: wcscat()
wcscat(0x15722592, "wcscat_source") from ucrtbased.dll, ret addr 0x9918318
UNSAFE CALL: strncat()
strncat(0x15724648, "strncat_source", 1024) from ucrtbased.dll, ret addr 0x9918411
UNSAFE CALL: wcsncat()
wcsncat(0x15722592, "wcsncat_source", 1024) from ucrtbased.dll, ret addr 0x9918496
UNSAFE CALL: lstrcatA()
lstrcatA(0x15724648, "lstrcatA_source") from kernel32.dll, ret addr 0x9918584
UNSAFE CALL: lstrcatW()
lstrcatW(0x15722592, "lstrcatW_source") from kernel32.dll, ret addr 0x9918661
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("tempA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x9918751
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("tempW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x9918783
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x9918810
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x9918837
CreateThread(0x15725664, 0x2000, 0x9900147, 0x15725640, 0x0000, 0x15725652) from kernel32.dll, ret addr 0x9920213
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=00EFE860
lbuf=00EFE860
buf=lstrcpynA_source
lbuf=00EFE860
buf=strncpy_source
lbuf=00EFE860
buf=strcat_source
lbuf=00EFE860
buf=strcat_sourcestrncat_source
lbuf=00EFE860
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=00EFE860
buf=strcpy_source
buf=lstrcpyA_source
lbuf=05C0EF64
lbuf=05C0EF64
buf=lstrcpynA_source
lbuf=05C0EF64
buf=strncpy_source
lbuf=05C0EF64
buf=strcat_source
lbuf=05C0EF64
buf=strcat_sourcestrncat_source
lbuf=05C0EF64
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=05C0EF64
thread id = 8068
Press q enter...Buggy finished...
--- Added later: ---

Added a hook for CreateSymbolicLinkA() / CreateSymbolicLinkW() - POTENTIAL UNSAFE

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <iostream>
#include <windows.h>
//#include <mbstring.h>
//#include <winapifamily.h>


void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];


    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";


    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";


    lstrcpyW(lbuf, L"lstrcpyW_source");
    std::cout << "lbuf=" << lbuf << "\n";


    wcscpy(lbuf, L"wcscpy_source");
    std::cout << "lbuf=" << lbuf << "\n";


    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";


    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";


    strncpy(buf, "strncpy_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";


    wcsncpy(lbuf, L"wcsncpy_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";


    buf[0] = 0;
    lbuf[0] = 0;


    strcat(buf, "strcat_source");
    std::cout << "buf=" << buf << "\n";


    wcscat(lbuf, L"wcscat_source");
    std::cout << "lbuf=" << lbuf << "\n";


    strncat(buf, "strncat_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";


    wcsncat(lbuf, L"wcsncat_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";


    lstrcatA(buf, "lstrcatA_source");
    std::cout << "buf=" << buf << "\n";


    lstrcatW(lbuf, L"lstrcatW_source");
    std::cout << "lbuf=" << lbuf << "\n";


//    uaw_wcscpy(lbuf, L"uaw_wcscpy_source");
//    std::cout << "lbuf=" << lbuf << "\n";


    CreateFileA("tempA.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFileW(L"tempW.txt", 0, 0, NULL, 0, 0, NULL);
    CreateHardLinkA("delete1.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateHardLinkW(L"delete2.exe", L"C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkA("delete3.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkW(L"delete4.exe", L"C:\\Windows\\System32\\calc.exe", NULL);


}




void start_thread()
{
    SECURITY_ATTRIBUTES attr;


    attr.bInheritHandle = true;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;


    int id = -1, param = 0;


    CreateThread(&attr, 8192, (LPTHREAD_START_ROUTINE)functions, &param, 0, (LPDWORD)&id);


    std::cout << "thread id = " << id << "\n";


}


int main()
{
    std::cout << "Buggy running...\n";


    functions(NULL);


    start_thread();


    char key[1024];


    std::cout << "Press q enter...";
    std::cin >> key;


    std::cout << "Buggy finished...";
}


Code:
ltrace for Windows x86 by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll VCRUNTIME140D.dll ucrtbased.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll VCRUNTIME140_CLR0400.dll ucrtbase_clr0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll System.Runtime.Remoting.ni.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x7336132, "strcpy_source") from ucrtbased.dll, ret addr 0x11949111
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x7336132, "lstrcpyA_source") from kernel32.dll, ret addr 0x11949184
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x7334076, "lstrcpyW_source") from kernel32.dll, ret addr 0x11949261
UNSAFE CALL: wcscpy()
wcscpy(0x7334076, "wcscpy_source") from ucrtbased.dll, ret addr 0x11949346
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x7336132, "lstrcpynA_source", 1024) from kernel32.dll, ret addr 0x11949439
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x7334076, "lstrcpynW_source", 1024) from kernel32.dll, ret addr 0x11949521
UNSAFE CALL: strncpy()
strncpy(0x7336132, "strncpy_source", 1024) from ucrtbased.dll, ret addr 0x11949611
UNSAFE CALL: wcsncpy()
wcsncpy(0x7334076, "wcsncpy_source", 1024) from ucrtbased.dll, ret addr 0x11949696
UNSAFE CALL: strcat()
strcat(0x7336132, "strcat_source") from ucrtbased.dll, ret addr 0x11949877
UNSAFE CALL: wcscat()
wcscat(0x7334076, "wcscat_source") from ucrtbased.dll, ret addr 0x11949950
UNSAFE CALL: strncat()
strncat(0x7336132, "strncat_source", 1024) from ucrtbased.dll, ret addr 0x11950043
UNSAFE CALL: wcsncat()
wcsncat(0x7334076, "wcsncat_source", 1024) from ucrtbased.dll, ret addr 0x11950128
UNSAFE CALL: lstrcatA()
lstrcatA(0x7336132, "lstrcatA_source") from kernel32.dll, ret addr 0x11950216
UNSAFE CALL: lstrcatW()
lstrcatW(0x7334076, "lstrcatW_source") from kernel32.dll, ret addr 0x11950293
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("tempA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x11950383
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("tempW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x11950415
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x11950442
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x11950469
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x11950496
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x11950523
CreateThread(0x7337148, 0x2000, 0x11931763, 0x7337124, 0x0000, 0x7337136) from kernel32.dll, ret addr 0x11951909
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=006FE8BC
lbuf=006FE8BC
buf=lstrcpynA_source
lbuf=006FE8BC
buf=strncpy_source
lbuf=006FE8BC
buf=strcat_source
lbuf=006FE8BC
buf=strcat_sourcestrncat_source
lbuf=006FE8BC
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=006FE8BC
buf=strcpy_source
buf=lstrcpyA_source
lbuf=0545ECC4
lbuf=0545ECC4
buf=lstrcpynA_source
lbuf=0545ECC4
buf=strncpy_source
lbuf=0545ECC4
buf=strcat_source
lbuf=0545ECC4
buf=strcat_sourcestrncat_source
lbuf=0545ECC4
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=0545ECC4
thread id = 2396
Press q enter...Buggy finished...
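The traces above all share one report format: a flag line ("UNSAFE CALL: strcpy()" or "POTENTIAL UNSAFE CALL: CreateFileA()") followed by the call line with its arguments, module and return address, sometimes glued to the target's own stdout ("Press q enter...UNSAFE CALL: strcpy()"). As an added example that is not part of the thread's tool, here is a small Python parser that pairs those lines, splits arguments without breaking on commas inside quoted paths, and aggregates a severity-sorted summary; the sample trace and its addresses are constructed.

```python
"""Parse the "UNSAFE CALL" trace format posted in this thread into a summary.

Added example, not the thread's own code. It assumes only the line format
visible in the posted traces: a flag line followed by the call line
'strcpy(0x..., "...") from ucrtbased.dll, ret addr 0x...'.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The flag may be glued to the traced program's own stdout
# ("Press q enter...UNSAFE CALL: strcpy()"), so search, do not anchor at ^.
FLAG_RE = re.compile(r"(?P<level>POTENTIAL UNSAFE|UNSAFE) CALL: (?P<func>\w+)\(\)$")
CALL_RE = re.compile(
    r"^(?P<func>\w+)\((?P<args>.*)\) from (?P<module>\S+), ret addr (?P<ret>0x[0-9A-Fa-f]+)$"
)

SEVERITY = {"UNSAFE": 0, "POTENTIAL UNSAFE": 1, "INFO": 2}


@dataclass
class Call:
    func: str
    args: List[str]
    module: str
    ret_addr: str   # kept as printed by the tracer
    level: str      # "UNSAFE", "POTENTIAL UNSAFE" or "INFO" (unflagged, e.g. CreateThread)


def split_args(text: str) -> List[str]:
    """Split the argument list on commas that are outside double quotes.

    Paths in the trace are printed with bare backslashes (C:\\Windows\\...),
    so a backslash is an ordinary character here, not an escape.
    """
    args, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        args.append(tail)
    return args


def parse_trace(lines) -> List[Call]:
    """Pair each flag line with the call line that follows it."""
    calls: List[Call] = []
    pending: Optional[Tuple[str, str]] = None  # (level, func) of the last flag line
    for raw in lines:
        line = raw.rstrip("\r\n")
        flag = FLAG_RE.search(line)
        if flag:
            pending = (flag.group("level"), flag.group("func"))
            continue
        call = CALL_RE.match(line)
        if not call:
            continue  # program stdout, module list, banner lines
        level = "INFO"
        if pending and pending[1] == call.group("func"):
            level = pending[0]
        pending = None
        calls.append(Call(call.group("func"), split_args(call.group("args")),
                          call.group("module"), call.group("ret"), level))
    return calls


def report(calls: List[Call]) -> List[Tuple[str, str, str, int]]:
    """Aggregate flagged calls to (level, module, func, count), most severe first."""
    counts = Counter((c.level, c.module, c.func) for c in calls if c.level != "INFO")
    rows = [(lvl, mod, fn, n) for (lvl, mod, fn), n in counts.items()]
    rows.sort(key=lambda r: (SEVERITY[r[0]], -r[3], r[2]))
    return rows


# Constructed sample in the posted format; the addresses are made up.
SAMPLE = """\
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x1000, "strcpy_source") from ucrtbased.dll, ret addr 0x401000
UNSAFE CALL: lstrcatA()
lstrcatA(0x1000, "lstrcatA_source") from kernel32.dll, ret addr 0x401020
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\\Windows\\System32\\calc.exe", 0x0) from kernel32.dll, ret addr 0x401040
CreateThread(0x2000, 0x2000, 0x401100, 0x2010, 0x0000, 0x2020) from kernel32.dll, ret addr 0x401060
buf=strcpy_source
Press q enter...UNSAFE CALL: strcpy()
strcpy(0x3000, "strcpy_source") from ucrtbased.dll, ret addr 0x401000
"""

if __name__ == "__main__":
    for lvl, mod, fn, n in report(parse_trace(SAMPLE.splitlines())):
        print(f"{lvl:<17} {mod:<14} {fn:<20} x{n}")
```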
--- Added later: ---

And added a hook for CreateSymbolicLinkTransactedA(), CreateSymbolicLinkTransactedW() - UNSAFE CALL

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <iostream>
#include <windows.h>
#include <winbase.h>
//#include <mbstring.h>
//#include <winapifamily.h>


void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];


    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";


    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";


    lstrcpyW(lbuf, L"lstrcpyW_source");
    std::cout << "lbuf=" << lbuf << "\n";


    wcscpy(lbuf, L"wcscpy_source");
    std::cout << "lbuf=" << lbuf << "\n";


    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";


    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";


    strncpy(buf, "strncpy_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";


    wcsncpy(lbuf, L"wcsncpy_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";


    buf[0] = 0;
    lbuf[0] = 0;


    strcat(buf, "strcat_source");
    std::cout << "buf=" << buf << "\n";


    wcscat(lbuf, L"wcscat_source");
    std::cout << "lbuf=" << lbuf << "\n";


    strncat(buf, "strncat_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";


    wcsncat(lbuf, L"wcsncat_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";


    lstrcatA(buf, "lstrcatA_source");
    std::cout << "buf=" << buf << "\n";


    lstrcatW(lbuf, L"lstrcatW_source");
    std::cout << "lbuf=" << lbuf << "\n";


//    uaw_wcscpy(lbuf, L"uaw_wcscpy_source");
//    std::cout << "lbuf=" << lbuf << "\n";


    CreateFileA("tempA.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFileW(L"tempW.txt", 0, 0, NULL, 0, 0, NULL);
    CreateHardLinkA("delete1.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateHardLinkW(L"delete2.exe", L"C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkA("delete3.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkW(L"delete4.exe", L"C:\\Windows\\System32\\calc.exe", NULL);


    u_int handle = 0;


    CreateSymbolicLinkTransactedA("delete5.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateSymbolicLinkTransactedW(L"delete6.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);


}




void start_thread()
{
    SECURITY_ATTRIBUTES attr;


    attr.bInheritHandle = true;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;


    int id = -1, param = 0;


    CreateThread(&attr, 8192, (LPTHREAD_START_ROUTINE)functions, &param, 0, (LPDWORD)&id);


    std::cout << "thread id = " << id << "\n";


}


int main()
{
    std::cout << "Buggy running...\n";


    functions(NULL);


    start_thread();


    char key[1024];


    std::cout << "Press q enter...";
    std::cin >> key;


    std::cout << "Buggy finished...";
}

Code:
ltrace for Windows x86 by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll VCRUNTIME140D.dll ucrtbased.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll ucrtbase_clr0400.dll VCRUNTIME140_CLR0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll System.Runtime.Remoting.ni.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x11530336, "strcpy_source") from ucrtbased.dll, ret addr 0x4674647
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x11530336, "lstrcpyA_source") from kernel32.dll, ret addr 0x4674720
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x11528280, "lstrcpyW_source") from kernel32.dll, ret addr 0x4674797
UNSAFE CALL: wcscpy()
wcscpy(0x11528280, "wcscpy_source") from ucrtbased.dll, ret addr 0x4674882
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x11530336, "lstrcpynA_source", 1024) from kernel32.dll, ret addr 0x4674975
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x11528280, "lstrcpynW_source", 1024) from kernel32.dll, ret addr 0x4675057
UNSAFE CALL: strncpy()
strncpy(0x11530336, "strncpy_source", 1024) from ucrtbased.dll, ret addr 0x4675147
UNSAFE CALL: wcsncpy()
wcsncpy(0x11528280, "wcsncpy_source", 1024) from ucrtbased.dll, ret addr 0x4675232
UNSAFE CALL: strcat()
strcat(0x11530336, "strcat_source") from ucrtbased.dll, ret addr 0x4675413
UNSAFE CALL: wcscat()
wcscat(0x11528280, "wcscat_source") from ucrtbased.dll, ret addr 0x4675486
UNSAFE CALL: strncat()
strncat(0x11530336, "strncat_source", 1024) from ucrtbased.dll, ret addr 0x4675579
UNSAFE CALL: wcsncat()
wcsncat(0x11528280, "wcsncat_source", 1024) from ucrtbased.dll, ret addr 0x4675664
UNSAFE CALL: lstrcatA()
lstrcatA(0x11530336, "lstrcatA_source") from kernel32.dll, ret addr 0x4675752
UNSAFE CALL: lstrcatW()
lstrcatW(0x11528280, "lstrcatW_source") from kernel32.dll, ret addr 0x4675829
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("tempA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x4675919
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("tempW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x4675951
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x4675978
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x4676005
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x4676032
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x4676059
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x11528268) from kernel32.dll, ret addr 0x4676103
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x11528268) from kernel32.dll, ret addr 0x1989191362
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x11528268) from kernel32.dll, ret addr 0x4676137
CreateThread(0x11531352, 0x2000, 0x4657267, 0x11531328, 0x0000, 0x11531340) from kernel32.dll, ret addr 0x4677557
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=00AFE858
lbuf=00AFE858
buf=lstrcpynA_source
lbuf=00AFE858
buf=strncpy_source
lbuf=00AFE858
buf=strcat_source
lbuf=00AFE858
buf=strcat_sourcestrncat_source
lbuf=00AFE858
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=00AFE858
buf=strcpy_source
buf=lstrcpyA_source
lbuf=058BEB84
lbuf=058BEB84
buf=lstrcpynA_source
lbuf=058BEB84
buf=strncpy_source
lbuf=058BEB84
buf=strcat_source
lbuf=058BEB84
buf=strcat_sourcestrncat_source
lbuf=058BEB84
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=058BEB84
thread id = 8964
Press q enter...
--- Added later: ---

Now I have added interception of CreateHardLinkTransactedA/W() - POTENTIAL UNSAFE

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <iostream>
#include <windows.h>
#include <winbase.h>
//#include <mbstring.h>
//#include <winapifamily.h>

// test target "buggy.exe": every call below is one the tracer is expected to flag
void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];

    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyW(lbuf, L"lstrcpyW_source");
    std::cout << "lbuf=" << lbuf << "\n";   // cout prints a wchar_t* as a pointer, hence the hex value in the output

    wcscpy(lbuf, L"wcscpy_source");
    std::cout << "lbuf=" << lbuf << "\n";

    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf/2);   // length in characters, not bytes
    std::cout << "lbuf=" << lbuf << "\n";

    strncpy(buf, "strncpy_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncpy(lbuf, L"wcsncpy_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";

    buf[0] = 0;
    lbuf[0] = 0;

    strcat(buf, "strcat_source");
    std::cout << "buf=" << buf << "\n";

    wcscat(lbuf, L"wcscat_source");
    std::cout << "lbuf=" << lbuf << "\n";

    // note: the *ncat calls pass the whole buffer size, not the remaining space
    strncat(buf, "strncat_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncat(lbuf, L"wcsncat_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";

    lstrcatA(buf, "lstrcatA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcatW(lbuf, L"lstrcatW_source");
    std::cout << "lbuf=" << lbuf << "\n";

//    uaw_wcscpy(lbuf, L"uaw_wcscpy_source");
//    std::cout << "lbuf=" << lbuf << "\n";

    // file and link creation: logged as POTENTIAL UNSAFE; the link targets only exercise the hooks
    CreateFileA("tempA.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFileW(L"tempW.txt", 0, 0, NULL, 0, 0, NULL);
    CreateHardLinkA("delete1.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateHardLinkW(L"delete2.exe", L"C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkA("delete3.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkW(L"delete4.exe", L"C:\\Windows\\System32\\calc.exe", NULL);

    // &handle is passed as the HANDLE hTransaction value itself; the trace logs that address
    u_int handle = 0;

    CreateSymbolicLinkTransactedA("delete5.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateSymbolicLinkTransactedW(L"delete6.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedA("delete7.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedW(L"delete8.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);
}

void start_thread()
{
    SECURITY_ATTRIBUTES attr;

    attr.bInheritHandle = true;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;

    int id = -1, param = 0;

    // second pass over the same unsafe calls on a new thread: the tracer has to hook this thread before it runs
    CreateThread(&attr, 8192, (LPTHREAD_START_ROUTINE)functions, &param, 0, (LPDWORD)&id);

    std::cout << "thread id = " << id << "\n";
}

int main()
{
    std::cout << "Buggy running...\n";

    functions(NULL);

    start_thread();

    char key[1024];

    std::cout << "Press q enter...";
    std::cin >> key;   // unbounded read into a fixed buffer; keeps the process alive for the tracer

    std::cout << "Buggy finished...";
}

Code:
ltrace for Windows x86 by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll VCRUNTIME140D.dll ucrtbased.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll VCRUNTIME140_CLR0400.dll ucrtbase_clr0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll System.Runtime.Remoting.ni.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x10088892, "strcpy_source") from ucrtbased.dll, ret addr 0x10572903
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x10088892, "lstrcpyA_source") from kernel32.dll, ret addr 0x10572976
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x10086836, "lstrcpyW_source") from kernel32.dll, ret addr 0x10573053
UNSAFE CALL: wcscpy()
wcscpy(0x10086836, "wcscpy_source") from ucrtbased.dll, ret addr 0x10573138
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x10088892, "lstrcpynA_source", 1024) from kernel32.dll, ret addr 0x10573231
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x10086836, "lstrcpynW_source", 1024) from kernel32.dll, ret addr 0x10573313
UNSAFE CALL: strncpy()
strncpy(0x10088892, "strncpy_source", 1024) from ucrtbased.dll, ret addr 0x10573403
UNSAFE CALL: wcsncpy()
wcsncpy(0x10086836, "wcsncpy_source", 1024) from ucrtbased.dll, ret addr 0x10573488
UNSAFE CALL: strcat()
strcat(0x10088892, "strcat_source") from ucrtbased.dll, ret addr 0x10573669
UNSAFE CALL: wcscat()
wcscat(0x10086836, "wcscat_source") from ucrtbased.dll, ret addr 0x10573742
UNSAFE CALL: strncat()
strncat(0x10088892, "strncat_source", 1024) from ucrtbased.dll, ret addr 0x10573835
UNSAFE CALL: wcsncat()
wcsncat(0x10086836, "wcsncat_source", 1024) from ucrtbased.dll, ret addr 0x10573920
UNSAFE CALL: lstrcatA()
lstrcatA(0x10088892, "lstrcatA_source") from kernel32.dll, ret addr 0x10574008
UNSAFE CALL: lstrcatW()
lstrcatW(0x10086836, "lstrcatW_source") from kernel32.dll, ret addr 0x10574085
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("tempA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x10574175
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("tempW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x10574207
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x10574234
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x10574261
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x10574288
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x10574315
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x10086824) from kernel32.dll, ret addr 0x10574359
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x10086824) from kernel32.dll, ret addr 0x1989191362
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x10086824) from kernel32.dll, ret addr 0x10574393
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x10086824) from kernel32.dll, ret addr 0x10574427
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x10086824) from kernel32.dll, ret addr 0x1989063228
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x10086824) from kernel32.dll, ret addr 0x10574461
CreateThread(0x10089908, 0x2000, 0x10555507, 0x10089884, 0x0000, 0x10089896) from kernel32.dll, ret addr 0x10575909
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=0099E9B4
lbuf=0099E9B4
buf=lstrcpynA_source
lbuf=0099E9B4
buf=strncpy_source
lbuf=0099E9B4
buf=strcat_source
lbuf=0099E9B4
buf=strcat_sourcestrncat_source
lbuf=0099E9B4
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=0099E9B4
buf=strcpy_source
buf=lstrcpyA_source
lbuf=059DF2E4
lbuf=059DF2E4
buf=lstrcpynA_source
lbuf=059DF2E4
buf=strncpy_source
lbuf=059DF2E4
buf=strcat_source
lbuf=059DF2E4
buf=strcat_sourcestrncat_source
lbuf=059DF2E4
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=059DF2E4
thread id = 1656
Press q enter...
--- Added later: ---

What needs to be done now... In the thread-creation hook, in order to add the new thread to tracking, the thread has to be suspended right after creation and the hooks inserted into it. Otherwise it manages to execute before the hooks are inserted and stays untracked. That is what I am going to try to do...
 
Talomir

Fixed CreateThread_Hooked(), now without the race condition. If the thread is not created suspended, the flag is first changed to suspended, and then ResumeThread() is done.

Code:
[DllImport("kernel32.dll",
    CharSet = CharSet.Unicode,
    SetLastError = true,
    CallingConvention = CallingConvention.Winapi)]
static extern UInt32 ResumeThread(IntPtr handle);

[UnmanagedFunctionPointer(CallingConvention.Winapi,
    CharSet = CharSet.Unicode,
    SetLastError = true)]
delegate IntPtr DCreateThread(
    IntPtr lpThreadAttributes,
    UInt32 dwStackSize,
    IntPtr lpStartAddress,
    IntPtr lpParametr,
    UInt32 dwCreationFlags,
    IntPtr lpThreadId
);

// just use a P-Invoke implementation to get native API access from C# (this step is not necessary for C++.NET)
[DllImport("kernel32.dll",
    CharSet = CharSet.Unicode,
    SetLastError = true,
    CallingConvention = CallingConvention.Winapi)]
static extern IntPtr CreateThread(
    IntPtr lpThreadAttributes,
    UInt32 dwStackSize,
    IntPtr lpStartAddress,
    IntPtr lpParametr,
    UInt32 dwCreationFlags,
    IntPtr lpThreadId
);

// CREATE_SUSPENDED from winbase.h: the new thread does not run until ResumeThread()
const UInt32 CREATE_SUSPENDED = 0x4;

// this is where we are intercepting thread creation: the thread is always created
// suspended so that the hooks are in place before it executes a single instruction
static IntPtr CreateThread_Hooked(
    IntPtr lpThreadAttributes,
    UInt32 dwStackSize,
    IntPtr lpStartAddress,
    IntPtr lpParametr,
    UInt32 dwCreationFlags,
    IntPtr lpThreadId
)
{
    try
    {
        string msg = "CreateThread(" + ToHex(lpThreadAttributes) + ", " + ToHex(dwStackSize) + ", " + ToHex(lpStartAddress) + ", " + ToHex(lpParametr) + ", " + ToHex(dwCreationFlags) + ", " + ToHex(lpThreadId) + ") from kernel32.dll, ret addr " + ToHex(HookRuntimeInfo.ReturnAddress);

        Interface.ShowMessage(msg, ConsoleColor.Cyan);

        // did the caller itself ask for a suspended thread? (bit test; "== 1" would never be true for bit 0x4)
        bool suspended = (dwCreationFlags & CREATE_SUSPENDED) != 0;

        // if not, force CREATE_SUSPENDED so the thread cannot start before the hooks are installed
        if (!suspended)
            dwCreationFlags |= CREATE_SUSPENDED;

        // call original API...
        IntPtr handle = CreateThread(lpThreadAttributes, dwStackSize, lpStartAddress, lpParametr, dwCreationFlags, lpThreadId);

        if (handle == IntPtr.Zero)
            return handle;   // creation failed: nothing to hook or resume, report the failure to the caller as-is

        // add the new thread to the hook ACL while it is still suspended
        EnableAclForHooks();

        // resume only threads we suspended ourselves; a caller's own CREATE_SUSPENDED stays in effect
        if (!suspended)
            ResumeThread(handle);

        return handle;
    }
    catch (Exception ex) { Interface.ReportException(ex); return (IntPtr)0; }
}

Code:
ltrace for Windows x86 by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll VCRUNTIME140D.dll ucrtbased.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll ucrtbase_clr0400.dll VCRUNTIME140_CLR0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll System.Runtime.Remoting.ni.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x10088424, "strcpy_source") from ucrtbased.dll, ret addr 0x1660007
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x10088424, "lstrcpyA_source") from kernel32.dll, ret addr 0x1660080
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x10086368, "lstrcpyW_source") from kernel32.dll, ret addr 0x1660157
UNSAFE CALL: wcscpy()
wcscpy(0x10086368, "wcscpy_source") from ucrtbased.dll, ret addr 0x1660242
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x10088424, "lstrcpynA_source", 1024) from kernel32.dll, ret addr 0x1660335
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x10086368, "lstrcpynW_source", 1024) from kernel32.dll, ret addr 0x1660417
UNSAFE CALL: strncpy()
strncpy(0x10088424, "strncpy_source", 1024) from ucrtbased.dll, ret addr 0x1660507
UNSAFE CALL: wcsncpy()
wcsncpy(0x10086368, "wcsncpy_source", 1024) from ucrtbased.dll, ret addr 0x1660592
UNSAFE CALL: strcat()
strcat(0x10088424, "strcat_source") from ucrtbased.dll, ret addr 0x1660773
UNSAFE CALL: wcscat()
wcscat(0x10086368, "wcscat_source") from ucrtbased.dll, ret addr 0x1660846
UNSAFE CALL: strncat()
strncat(0x10088424, "strncat_source", 1024) from ucrtbased.dll, ret addr 0x1660939
UNSAFE CALL: wcsncat()
wcsncat(0x10086368, "wcsncat_source", 1024) from ucrtbased.dll, ret addr 0x1661024
UNSAFE CALL: lstrcatA()
lstrcatA(0x10088424, "lstrcatA_source") from kernel32.dll, ret addr 0x1661112
UNSAFE CALL: lstrcatW()
lstrcatW(0x10086368, "lstrcatW_source") from kernel32.dll, ret addr 0x1661189
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("tempA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x1661279
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("tempW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x1661311
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1661338
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1661365
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1661392
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1661419
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x10086356) from kernel32.dll, ret addr 0x1661463
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x10086356) from kernel32.dll, ret addr 0x1989191362
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x10086356) from kernel32.dll, ret addr 0x1661497
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x10086356) from kernel32.dll, ret addr 0x1661531
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x10086356) from kernel32.dll, ret addr 0x1989063228
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x10086356) from kernel32.dll, ret addr 0x1661565
CreateThread(0x10089440, 0x2000, 0x1642611, 0x10089416, 0x0000, 0x10089428) from kernel32.dll, ret addr 0x1663013
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=0099E7E0
lbuf=0099E7E0
buf=lstrcpynA_source
lbuf=0099E7E0
buf=strncpy_source
lbuf=0099E7E0
buf=strcat_source
lbuf=0099E7E0
buf=strcat_sourcestrncat_source
lbuf=0099E7E0
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=0099E7E0
thread id = 8544
Press q enter...UNSAFE CALL: strcpy()
strcpy(0x94041252, "strcpy_source") from ucrtbased.dll, ret addr 0x1660007
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x94041252, "lstrcpyA_source") from kernel32.dll, ret addr 0x1660080
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x94039196, "lstrcpyW_source") from kernel32.dll, ret addr 0x1660157
UNSAFE CALL: wcscpy()
wcscpy(0x94039196, "wcscpy_source") from ucrtbased.dll, ret addr 0x1660242
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x94041252, "lstrcpynA_source", 1024) from kernel32.dll, ret addr 0x1660335
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x94039196, "lstrcpynW_source", 1024) from kernel32.dll, ret addr 0x1660417
UNSAFE CALL: strncpy()
strncpy(0x94041252, "strncpy_source", 1024) from ucrtbased.dll, ret addr 0x1660507
UNSAFE CALL: wcsncpy()
wcsncpy(0x94039196, "wcsncpy_source", 1024) from ucrtbased.dll, ret addr 0x1660592
UNSAFE CALL: strcat()
strcat(0x94041252, "strcat_source") from ucrtbased.dll, ret addr 0x1660773
UNSAFE CALL: wcscat()
wcscat(0x94039196, "wcscat_source") from ucrtbased.dll, ret addr 0x1660846
UNSAFE CALL: strncat()
strncat(0x94041252, "strncat_source", 1024) from ucrtbased.dll, ret addr 0x1660939
UNSAFE CALL: wcsncat()
wcsncat(0x94039196, "wcsncat_source", 1024) from ucrtbased.dll, ret addr 0x1661024
UNSAFE CALL: lstrcatA()
lstrcatA(0x94041252, "lstrcatA_source") from kernel32.dll, ret addr 0x1661112
UNSAFE CALL: lstrcatW()
lstrcatW(0x94039196, "lstrcatW_source") from kernel32.dll, ret addr 0x1661189
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("tempA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x1661279
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("tempW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x1661311
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1661338
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1661365
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1661392
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1661419
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x94039184) from kernel32.dll, ret addr 0x1661463
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x94039184) from kernel32.dll, ret addr 0x1989191362
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x94039184) from kernel32.dll, ret addr 0x1661497
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x94039184) from kernel32.dll, ret addr 0x1661531
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x94039184) from kernel32.dll, ret addr 0x1989063228
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x94039184) from kernel32.dll, ret addr 0x1661565
--- Added later: ---

And now I have also added interception of UNSAFE CALL CreateFile2():

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <iostream>
#include <windows.h>
#include <winbase.h>
//#include <mbstring.h>
//#include <winapifamily.h>

// test target "buggy.exe": every call below is one the tracer is expected to flag
void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];

    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyW(lbuf, L"lstrcpyW_source");
    std::cout << "lbuf=" << lbuf << "\n";   // cout prints a wchar_t* as a pointer, hence the hex value in the output

    wcscpy(lbuf, L"wcscpy_source");
    std::cout << "lbuf=" << lbuf << "\n";

    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf/2);   // length in characters, not bytes
    std::cout << "lbuf=" << lbuf << "\n";

    strncpy(buf, "strncpy_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncpy(lbuf, L"wcsncpy_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";

    buf[0] = 0;
    lbuf[0] = 0;

    strcat(buf, "strcat_source");
    std::cout << "buf=" << buf << "\n";

    wcscat(lbuf, L"wcscat_source");
    std::cout << "lbuf=" << lbuf << "\n";

    // note: the *ncat calls pass the whole buffer size, not the remaining space
    strncat(buf, "strncat_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncat(lbuf, L"wcsncat_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";

    lstrcatA(buf, "lstrcatA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcatW(lbuf, L"lstrcatW_source");
    std::cout << "lbuf=" << lbuf << "\n";

//    uaw_wcscpy(lbuf, L"uaw_wcscpy_source");
//    std::cout << "lbuf=" << lbuf << "\n";

    // file creation: the A/W variants are logged as POTENTIAL UNSAFE, CreateFile2 as UNSAFE
    CreateFileA("fileA.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFileW(L"fileW.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFile2(L"file2.txt", 0, 0, 0, NULL);

    // link creation: the link targets only exercise the hooks
    CreateHardLinkA("delete1.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateHardLinkW(L"delete2.exe", L"C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkA("delete3.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkW(L"delete4.exe", L"C:\\Windows\\System32\\calc.exe", NULL);

    // &handle is passed as the HANDLE hTransaction value itself; the trace logs that address
    u_int handle = 0;

    CreateSymbolicLinkTransactedA("delete5.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateSymbolicLinkTransactedW(L"delete6.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedA("delete7.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedW(L"delete8.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);
}

void start_thread()
{
    SECURITY_ATTRIBUTES attr;

    attr.bInheritHandle = true;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;

    int id = -1, param = 0;

    // second pass over the same unsafe calls on a new thread: the tracer has to hook this thread before it runs
    CreateThread(&attr, 8192, (LPTHREAD_START_ROUTINE)functions, &param, 0, (LPDWORD)&id);

    std::cout << "thread id = " << id << "\n";
}

int main()
{
    std::cout << "Buggy running...\n";

    functions(NULL);

    start_thread();

    char key[1024];

    std::cout << "Press q enter...";
    std::cin >> key;   // unbounded read into a fixed buffer; keeps the process alive for the tracer

    std::cout << "Buggy finished...";
}

Code:
ltrace for Windows x86 by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll VCRUNTIME140D.dll ucrtbased.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll VCRUNTIME140_CLR0400.dll ucrtbase_clr0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll System.Runtime.Remoting.ni.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x19919968, "strcpy_source") from ucrtbased.dll, ret addr 0x1201271
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x19919968, "lstrcpyA_source") from kernel32.dll, ret addr 0x1201344
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x19917912, "lstrcpyW_source") from kernel32.dll, ret addr 0x1201421
UNSAFE CALL: wcscpy()
wcscpy(0x19917912, "wcscpy_source") from ucrtbased.dll, ret addr 0x1201506
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x19919968, "lstrcpynA_source", 1024) from kernel32.dll, ret addr 0x1201599
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x19917912, "lstrcpynW_source", 1024) from kernel32.dll, ret addr 0x1201681
UNSAFE CALL: strncpy()
strncpy(0x19919968, "strncpy_source", 1024) from ucrtbased.dll, ret addr 0x1201771
UNSAFE CALL: wcsncpy()
wcsncpy(0x19917912, "wcsncpy_source", 1024) from ucrtbased.dll, ret addr 0x1201856
UNSAFE CALL: strcat()
strcat(0x19919968, "strcat_source") from ucrtbased.dll, ret addr 0x1202037
UNSAFE CALL: wcscat()
wcscat(0x19917912, "wcscat_source") from ucrtbased.dll, ret addr 0x1202110
UNSAFE CALL: strncat()
strncat(0x19919968, "strncat_source", 1024) from ucrtbased.dll, ret addr 0x1202203
UNSAFE CALL: wcsncat()
wcsncat(0x19917912, "wcsncat_source", 1024) from ucrtbased.dll, ret addr 0x1202288
UNSAFE CALL: lstrcatA()
lstrcatA(0x19919968, "lstrcatA_source") from kernel32.dll, ret addr 0x1202376
UNSAFE CALL: lstrcatW()
lstrcatW(0x19917912, "lstrcatW_source") from kernel32.dll, ret addr 0x1202453
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x1202543
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x1202575
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x1202603
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1202630
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1202657
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1202684
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1202711
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x19917900) from kernel32.dll, ret addr 0x1202755
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x19917900) from kernel32.dll, ret addr 0x1989191362
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x19917900) from kernel32.dll, ret addr 0x1202789
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x19917900) from kernel32.dll, ret addr 0x1202823
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x19917900) from kernel32.dll, ret addr 0x1989063228
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x19917900) from kernel32.dll, ret addr 0x1202857
CreateThread(0x19920984, 0x2000, 0x1183859, 0x19920960, 0x0000, 0x19920972) from kernel32.dll, ret addr 0x1204309
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=012FEC58
lbuf=012FEC58
buf=lstrcpynA_source
lbuf=012FEC58
buf=strncpy_source
lbuf=012FEC58
buf=strcat_source
lbuf=012FEC58
buf=strcat_sourcestrncat_source
lbuf=012FEC58
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=012FEC58
thread id = 8212
Press q enter...UNSAFE CALL: strcpy()
strcpy(0x101316684, "strcpy_source") from ucrtbased.dll, ret addr 0x1201271
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x101316684, "lstrcpyA_source") from kernel32.dll, ret addr 0x1201344
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x101314628, "lstrcpyW_source") from kernel32.dll, ret addr 0x1201421
UNSAFE CALL: wcscpy()
wcscpy(0x101314628, "wcscpy_source") from ucrtbased.dll, ret addr 0x1201506
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x101316684, "lstrcpynA_source", 1024) from kernel32.dll, ret addr 0x1201599
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x101314628, "lstrcpynW_source", 1024) from kernel32.dll, ret addr 0x1201681
UNSAFE CALL: strncpy()
strncpy(0x101316684, "strncpy_source", 1024) from ucrtbased.dll, ret addr 0x1201771
UNSAFE CALL: wcsncpy()
wcsncpy(0x101314628, "wcsncpy_source", 1024) from ucrtbased.dll, ret addr 0x1201856
UNSAFE CALL: strcat()
strcat(0x101316684, "strcat_source") from ucrtbased.dll, ret addr 0x1202037
UNSAFE CALL: wcscat()
wcscat(0x101314628, "wcscat_source") from ucrtbased.dll, ret addr 0x1202110
UNSAFE CALL: strncat()
strncat(0x101316684, "strncat_source", 1024) from ucrtbased.dll, ret addr 0x1202203
UNSAFE CALL: wcsncat()
wcsncat(0x101314628, "wcsncat_source", 1024) from ucrtbased.dll, ret addr 0x1202288
UNSAFE CALL: lstrcatA()
lstrcatA(0x101316684, "lstrcatA_source") from kernel32.dll, ret addr 0x1202376
UNSAFE CALL: lstrcatW()
lstrcatW(0x101314628, "lstrcatW_source") from kernel32.dll, ret addr 0x1202453
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x1202543
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x1202575
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll, ret addr 0x1202603
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1202630
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1202657
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1202684
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll, ret addr 0x1202711
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x101314616) from kernel32.dll, ret addr 0x1202755
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x101314616) from kernel32.dll, ret addr 0x1989191362
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x101314616) from kernel32.dll, ret addr 0x1202789
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x101314616) from kernel32.dll, ret addr 0x1202823
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x101314616) from kernel32.dll, ret addr 0x1989063228
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x101314616) from kernel32.dll, ret addr 0x1202857
--- Added later: ---

FIRST CATCH OF THE LTRACE ANALYZER: SKYPE ENCRYPTION KEY (DEVICE SALT)

Ran ltrace SKYPE_PIDs on the four skype processes from Task Manager and caught CreateFileW calls - they open files from Skype's secret folder. That is where the device encryption key (the salt) and the list of Skype servers, which are not that easy to find, live. First catch already on day six!

--- Added later: ---

SEVENTH DAY OF DEVELOPMENT

Started with hooking CreateFileTransactedA(), CreateFileTransactedW() - POTENTIAL UNSAFE

Code:
ltrace for Windows x86 by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll ucrtbased.dll VCRUNTIME140D.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll VCRUNTIME140_CLR0400.dll ucrtbase_clr0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll System.Runtime.Remoting.ni.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x11531208, "strcpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x11531208, "lstrcpyA_source") from kernel32.dll
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x11529152, "lstrcpyW_source") from kernel32.dll
UNSAFE CALL: wcscpy()
wcscpy(0x11529152, "wcscpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x11531208, "lstrcpynA_source", 1024) from kernel32.dll
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x11529152, "lstrcpynW_source", 1024) from kernel32.dll
UNSAFE CALL: strncpy()
strncpy(0x11531208, "strncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncpy()
wcsncpy(0x11529152, "wcsncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: strcat()
strcat(0x11531208, "strcat_source") from ucrtbased.dll
UNSAFE CALL: wcscat()
wcscat(0x11529152, "wcscat_source") from ucrtbased.dll
UNSAFE CALL: strncat()
strncat(0x11531208, "strncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncat()
wcsncat(0x11529152, "wcsncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: lstrcatA()
lstrcatA(0x11531208, "lstrcatA_source") from kernel32.dll
UNSAFE CALL: lstrcatW()
lstrcatW(0x11529152, "lstrcatW_source") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedA()
CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x11529140, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x11529140, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x11529140, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x11529128) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x11529128) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x11529128) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x11529128) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x11529128) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x11529128) from kernel32.dll
CreateThread(0x11532224, 0x2000, 0x12849267, 0x11532200, 0x0000, 0x11532212) from kernel32.dll
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=00AFEBC0
lbuf=00AFEBC0
buf=lstrcpynA_source
lbuf=00AFEBC0
buf=strncpy_source
lbuf=00AFEBC0
buf=strcat_source
lbuf=00AFEBC0
buf=strcat_sourcestrncat_source
lbuf=00AFEBC0
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=00AFEBC0
thread id = 1064
Press q enter...UNSAFE CALL: strcpy()
strcpy(0x93125396, "strcpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x93125396, "lstrcpyA_source") from kernel32.dll
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x93123340, "lstrcpyW_source") from kernel32.dll
UNSAFE CALL: wcscpy()
wcscpy(0x93123340, "wcscpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x93125396, "lstrcpynA_source", 1024) from kernel32.dll
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x93123340, "lstrcpynW_source", 1024) from kernel32.dll
UNSAFE CALL: strncpy()
strncpy(0x93125396, "strncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncpy()
wcsncpy(0x93123340, "wcsncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: strcat()
strcat(0x93125396, "strcat_source") from ucrtbased.dll
UNSAFE CALL: wcscat()
wcscat(0x93123340, "wcscat_source") from ucrtbased.dll
UNSAFE CALL: strncat()
strncat(0x93125396, "strncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncat()
wcsncat(0x93123340, "wcsncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: lstrcatA()
lstrcatA(0x93125396, "lstrcatA_source") from kernel32.dll
UNSAFE CALL: lstrcatW()
lstrcatW(0x93123340, "lstrcatW_source") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedA()
CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x93123328, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x93123328, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x93123328, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x93123316) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x93123316) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x93123316) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x93123316) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x93123316) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x93123316) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1731218384, 0x18019632, 0x0004, 0x85588560) from kernel32.dll
CreateThread(0x0, 0x40000, 0x1732183696, 0x0, 0x10000, 0x85588840) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1731218384, 0x18019936, 0x0004, 0x89519648) from kernel32.dll
CreateThread(0x0, 0x40000, 0x1732183696, 0x0, 0x10000, 0x85588840) from kernel32.dll
CreateThread(0x0, 0x40000, 0x1732183696, 0x0, 0x10000, 0x85588840) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1731218384, 0x18019760, 0x0004, 0x89519648) from kernel32.dll
CreateThread(0x0, 0x40000, 0x1732183696, 0x0, 0x10000, 0x85588840) from kernel32.dll
CreateThread(0x0, 0x40000, 0x1732183696, 0x0, 0x10000, 0x85588840) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1731218384, 0x18019808, 0x0004, 0x97580256) from kernel32.dll
CreateThread(0x0, 0x40000, 0x1732183696, 0x0, 0x10000, 0x85588840) from kernel32.dll
CreateThread(0x0, 0x40000, 0x1732183696, 0x0, 0x10000, 0x85588840) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1731218384, 0x18019936, 0x0004, 0x98628288) from kernel32.dll
CreateThread(0x0, 0x40000, 0x1732183696, 0x0, 0x10000, 0x85588840) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("\\.\pipe\tbhm8dURYXcseSkhhf51li49Q", 0xc0000000, 0x0003, 0x0, 0x0003, 0x40100080, 0x0) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1731218384, 0x18019632, 0x0004, 0x93124072) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1731218384, 0x18019680, 0x0004, 0x93124152) from kernel32.dll
--- Added later: ---

Added hooks for CreateFileMappingA() / CreateFileMappingW() - POTENTIAL UNSAFE

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <iostream>
#include <cstring>      // strcpy, strncpy, strcat, strncat
#include <cwchar>       // wcscpy, wcsncpy, wcscat, wcsncat
#include <windows.h>
#include <winbase.h>
//#include <mbstring.h>
//#include <winapifamily.h>

// Test target ("buggy.exe") for the tracer: every call below is meant to trip one of its hooks.
void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];

    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";

    // operator<< on a wchar_t* prints the pointer, hence "lbuf=012FEC58" in the traces
    lstrcpyW(lbuf, L"lstrcpyW_source");
    std::cout << "lbuf=" << lbuf << "\n";

    wcscpy(lbuf, L"wcscpy_source");
    std::cout << "lbuf=" << lbuf << "\n";

    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";

    strncpy(buf, "strncpy_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncpy(lbuf, L"wcsncpy_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";

    buf[0] = 0;
    lbuf[0] = 0;

    strcat(buf, "strcat_source");
    std::cout << "buf=" << buf << "\n";

    wcscat(lbuf, L"wcscat_source");
    std::cout << "lbuf=" << lbuf << "\n";

    strncat(buf, "strncat_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncat(lbuf, L"wcsncat_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";

    lstrcatA(buf, "lstrcatA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcatW(lbuf, L"lstrcatW_source");
    std::cout << "lbuf=" << lbuf << "\n";

//    uaw_wcscpy(lbuf, L"uaw_wcscpy_source");
//    std::cout << "lbuf=" << lbuf << "\n";

    // not a real transaction handle; the calls below only need to reach the hooks
    u_short us;

    CreateFileA("fileA.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFileW(L"fileW.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFile2(L"file2.txt", 0, 0, 0, NULL);
    CreateFileTransactedA("fileTransactedA.txt", 0, 0, NULL, 0, 0, NULL, NULL, &us, NULL);
    CreateFileTransactedW(L"fileTransactedW.txt", 0, 0, NULL, 0, 0, NULL, NULL, &us, NULL);
    CreateFileMappingA(NULL, NULL, 0, 1, 1, "fileA");
    CreateFileMappingW(NULL, NULL, 0, 1, 1, L"fileW");

    CreateHardLinkA("delete1.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateHardLinkW(L"delete2.exe", L"C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkA("delete3.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkW(L"delete4.exe", L"C:\\Windows\\System32\\calc.exe", NULL);

    // likewise a dummy stand-in for the transaction HANDLE
    u_int handle = 0;

    CreateSymbolicLinkTransactedA("delete5.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateSymbolicLinkTransactedW(L"delete6.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedA("delete7.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedW(L"delete8.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);
}

// Runs functions() a second time on a worker thread, so the tracer also sees hits from another thread.
void start_thread()
{
    SECURITY_ATTRIBUTES attr;

    attr.bInheritHandle = true;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;

    int id = -1, param = 0;

    CreateThread(&attr, 8192, (LPTHREAD_START_ROUTINE)functions, &param, 0, (LPDWORD)&id);

    std::cout << "thread id = " << id << "\n";
}

int main()
{
    std::cout << "Buggy running...\n";

    functions(NULL);

    start_thread();

    char key[1024];

    std::cout << "Press q enter...";
    std::cin >> key;

    std::cout << "Buggy finished...";
}

Code:
ltrace for Windows x86 by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll VCRUNTIME140D.dll ucrtbased.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll ucrtbase_clr0400.dll VCRUNTIME140_CLR0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll System.Runtime.Remoting.ni.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x7138924, "strcpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x7138924, "lstrcpyA_source") from kernel32.dll
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x7136868, "lstrcpyW_source") from kernel32.dll
UNSAFE CALL: wcscpy()
wcscpy(0x7136868, "wcscpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x7138924, "lstrcpynA_source", 1024) from kernel32.dll
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x7136868, "lstrcpynW_source", 1024) from kernel32.dll
UNSAFE CALL: strncpy()
strncpy(0x7138924, "strncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncpy()
wcsncpy(0x7136868, "wcsncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: strcat()
strcat(0x7138924, "strcat_source") from ucrtbased.dll
UNSAFE CALL: wcscat()
wcscat(0x7136868, "wcscat_source") from ucrtbased.dll
UNSAFE CALL: strncat()
strncat(0x7138924, "strncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncat()
wcsncat(0x7136868, "wcsncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: lstrcatA()
lstrcatA(0x7138924, "lstrcatA_source") from kernel32.dll
UNSAFE CALL: lstrcatW()
lstrcatW(0x7136868, "lstrcatW_source") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedA()
CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x7136856, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x7136856, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x7136856, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingA()
CreateFileMappingA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingW()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x7136844) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x7136844) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x7136844) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x7136844) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x7136844) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x7136844) from kernel32.dll
CreateThread(0x7139940, 0x2000, 0x7344243, 0x7139916, 0x0000, 0x7139928) from kernel32.dll
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=006CE664
lbuf=006CE664
buf=lstrcpynA_source
lbuf=006CE664
buf=strncpy_source
lbuf=006CE664
buf=strcat_source
lbuf=006CE664
buf=strcat_sourcestrncat_source
lbuf=006CE664
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=006CE664
thread id = 4692
Press q enter...UNSAFE CALL: strcpy()
strcpy(0x91289860, "strcpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x91289860, "lstrcpyA_source") from kernel32.dll
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x91287804, "lstrcpyW_source") from kernel32.dll
UNSAFE CALL: wcscpy()
wcscpy(0x91287804, "wcscpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x91289860, "lstrcpynA_source", 1024) from kernel32.dll
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x91287804, "lstrcpynW_source", 1024) from kernel32.dll
UNSAFE CALL: strncpy()
strncpy(0x91289860, "strncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncpy()
wcsncpy(0x91287804, "wcsncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: strcat()
strcat(0x91289860, "strcat_source") from ucrtbased.dll
UNSAFE CALL: wcscat()
wcscat(0x91287804, "wcscat_source") from ucrtbased.dll
UNSAFE CALL: strncat()
strncat(0x91289860, "strncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncat()
wcsncat(0x91287804, "wcsncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: lstrcatA()
lstrcatA(0x91289860, "lstrcatA_source") from kernel32.dll
UNSAFE CALL: lstrcatW()
lstrcatW(0x91287804, "lstrcatW_source") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedA()
CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x91287792, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x91287792, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x91287792, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingA()
CreateFileMappingA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingW()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x91287780) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x91287780) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x91287780) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x91287780) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x91287780) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x91287780) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1731218384, 0x13665192, 0x0004, 0x45677520) from kernel32.dll
CreateThread(0x0, 0x40000, 0x1732183696, 0x0, 0x10000, 0x45677800) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1731218384, 0x13665368, 0x0004, 0x87684352) from kernel32.dll
--- Added later: ---

Added hooks for CreateFileMappingNumaA(), CreateFileMappingNumaW() - POTENTIAL UNSAFE

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <iostream>
#include <cstring>      // strcpy, strncpy, strcat, strncat
#include <cwchar>       // wcscpy, wcsncpy, wcscat, wcsncat
#include <windows.h>
#include <winbase.h>
//#include <mbstring.h>
//#include <winapifamily.h>

// Test target ("buggy.exe") for the tracer: every call below is meant to trip one of its hooks.
void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];

    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";

    // operator<< on a wchar_t* prints the pointer, hence "lbuf=0113EA14" in the traces
    lstrcpyW(lbuf, L"lstrcpyW_source");
    std::cout << "lbuf=" << lbuf << "\n";

    wcscpy(lbuf, L"wcscpy_source");
    std::cout << "lbuf=" << lbuf << "\n";

    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";

    strncpy(buf, "strncpy_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncpy(lbuf, L"wcsncpy_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";

    buf[0] = 0;
    lbuf[0] = 0;

    strcat(buf, "strcat_source");
    std::cout << "buf=" << buf << "\n";

    wcscat(lbuf, L"wcscat_source");
    std::cout << "lbuf=" << lbuf << "\n";

    strncat(buf, "strncat_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncat(lbuf, L"wcsncat_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";

    lstrcatA(buf, "lstrcatA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcatW(lbuf, L"lstrcatW_source");
    std::cout << "lbuf=" << lbuf << "\n";

//    uaw_wcscpy(lbuf, L"uaw_wcscpy_source");
//    std::cout << "lbuf=" << lbuf << "\n";

    // not a real transaction handle; the calls below only need to reach the hooks
    u_short us;

    CreateFileA("fileA.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFileW(L"fileW.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFile2(L"file2.txt", 0, 0, 0, NULL);
    CreateFileTransactedA("fileTransactedA.txt", 0, 0, NULL, 0, 0, NULL, NULL, &us, NULL);
    CreateFileTransactedW(L"fileTransactedW.txt", 0, 0, NULL, 0, 0, NULL, NULL, &us, NULL);

    CreateFileMappingA(NULL, NULL, 0, 1, 1, "fileA");
    CreateFileMappingW(NULL, NULL, 0, 1, 1, L"fileW");
    CreateFileMappingNumaA(NULL, NULL, 0, 1, 1, "fileA", 0x1234);
    CreateFileMappingNumaW(NULL, NULL, 0, 1, 1, L"fileW", 0x1234);

    CreateHardLinkA("delete1.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateHardLinkW(L"delete2.exe", L"C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkA("delete3.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkW(L"delete4.exe", L"C:\\Windows\\System32\\calc.exe", NULL);

    // likewise a dummy stand-in for the transaction HANDLE
    u_int handle = 0;

    CreateSymbolicLinkTransactedA("delete5.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateSymbolicLinkTransactedW(L"delete6.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedA("delete7.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedW(L"delete8.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);
}

// Runs functions() a second time on a worker thread, so the tracer also sees hits from another thread.
void start_thread()
{
    SECURITY_ATTRIBUTES attr;

    attr.bInheritHandle = true;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;

    int id = -1, param = 0;

    CreateThread(&attr, 8192, (LPTHREAD_START_ROUTINE)functions, &param, 0, (LPDWORD)&id);

    std::cout << "thread id = " << id << "\n";
}

int main()
{
    std::cout << "Buggy running...\n";

    functions(NULL);

    start_thread();

    char key[1024];

    std::cout << "Press q enter...";
    std::cin >> key;

    std::cout << "Buggy finished...";
}

Code:
ltrace for Windows x86 by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll VCRUNTIME140D.dll MSVCP140D.dll ucrtbased.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll ucrtbase_clr0400.dll VCRUNTIME140_CLR0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll System.Runtime.Remoting.ni.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x18084380, "strcpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x18084380, "lstrcpyA_source") from kernel32.dll
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x18082324, "lstrcpyW_source") from kernel32.dll
UNSAFE CALL: wcscpy()
wcscpy(0x18082324, "wcscpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x18084380, "lstrcpynA_source", 1024) from kernel32.dll
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x18082324, "lstrcpynW_source", 1024) from kernel32.dll
UNSAFE CALL: strncpy()
strncpy(0x18084380, "strncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncpy()
wcsncpy(0x18082324, "wcsncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: strcat()
strcat(0x18084380, "strcat_source") from ucrtbased.dll
UNSAFE CALL: wcscat()
wcscat(0x18082324, "wcscat_source") from ucrtbased.dll
UNSAFE CALL: strncat()
strncat(0x18084380, "strncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncat()
wcsncat(0x18082324, "wcsncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: lstrcatA()
lstrcatA(0x18084380, "lstrcatA_source") from kernel32.dll
UNSAFE CALL: lstrcatW()
lstrcatW(0x18082324, "lstrcatW_source") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedA()
CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x18082312, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x18082312, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x18082312, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingA()
CreateFileMappingA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingW()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaA()
CreateFileMappingNumaA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaW()
CreateFileMappingNumaW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x18082300) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x18082300) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x18082300) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x18082300) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x18082300) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x18082300) from kernel32.dll
CreateThread(0x18085396, 0x2000, 0x12521592, 0x18085372, 0x0000, 0x18085384) from kernel32.dll
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=0113EA14
lbuf=0113EA14
buf=lstrcpynA_source
lbuf=0113EA14
buf=strncpy_source
lbuf=0113EA14
buf=strcat_source
lbuf=0113EA14
buf=strcat_sourcestrncat_source
lbuf=0113EA14
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=0113EA14
thread id = 5316
Press q enter...UNSAFE CALL: strcpy()
strcpy(0x99808820, "strcpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x99808820, "lstrcpyA_source") from kernel32.dll
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x99806764, "lstrcpyW_source") from kernel32.dll
UNSAFE CALL: wcscpy()
wcscpy(0x99806764, "wcscpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x99808820, "lstrcpynA_source", 1024) from kernel32.dll
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x99806764, "lstrcpynW_source", 1024) from kernel32.dll
UNSAFE CALL: strncpy()
strncpy(0x99808820, "strncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncpy()
wcsncpy(0x99806764, "wcsncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: strcat()
strcat(0x99808820, "strcat_source") from ucrtbased.dll
UNSAFE CALL: wcscat()
wcscat(0x99806764, "wcscat_source") from ucrtbased.dll
UNSAFE CALL: strncat()
strncat(0x99808820, "strncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncat()
wcsncat(0x99806764, "wcsncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: lstrcatA()
lstrcatA(0x99808820, "lstrcatA_source") from kernel32.dll
UNSAFE CALL: lstrcatW()
lstrcatW(0x99806764, "lstrcatW_source") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedA()
CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x99806752, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x99806752, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x99806752, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingA()
CreateFileMappingA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingW()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaA()
CreateFileMappingNumaA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaW()
CreateFileMappingNumaW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x99806740) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x99806740) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x99806740) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x99806740) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x99806740) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x99806740) from kernel32.dll
--- Added later: ---

Now I have added the last hook for today, CreateFileMappingFromApp() - POTENTIAL UNSAFE

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <iostream>
#include <windows.h>
#include <winbase.h>
//#include <mbstring.h>
//#include <winapifamily.h>

// Test target ("buggy"): deliberately calls every function the tracer hooks,
// so each call is expected to appear in the trace as UNSAFE / POTENTIAL UNSAFE.
void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];

    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";

    // std::cout prints a wchar_t* as a pointer, which is why the run below
    // shows "lbuf=0113EA14"; std::wcout would print the string itself.
    lstrcpyW(lbuf, L"lstrcpyW_source");
    std::cout << "lbuf=" << lbuf << "\n";

    wcscpy(lbuf, L"wcscpy_source");
    std::cout << "lbuf=" << lbuf << "\n";

    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    // wide-char counts are in characters, hence sizeof lbuf / 2
    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";

    strncpy(buf, "strncpy_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncpy(lbuf, L"wcsncpy_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";

    buf[0] = 0;
    lbuf[0] = 0;

    strcat(buf, "strcat_source");
    std::cout << "buf=" << buf << "\n";

    wcscat(lbuf, L"wcscat_source");
    std::cout << "lbuf=" << lbuf << "\n";

    // passing the whole buffer size as the count (rather than the remaining
    // space) is the classic strncat misuse; kept as-is because this is the
    // buggy test target
    strncat(buf, "strncat_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncat(lbuf, L"wcsncat_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";

    lstrcatA(buf, "lstrcatA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcatW(lbuf, L"lstrcatW_source");
    std::cout << "lbuf=" << lbuf << "\n";

//    uaw_wcscpy(lbuf, L"uaw_wcscpy_source");
//    std::cout << "lbuf=" << lbuf << "\n";

    u_short us;

    // file-creation family: flagged as POTENTIAL UNSAFE (CreateFile2 as UNSAFE)
    CreateFileA("fileA.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFileW(L"fileW.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFile2(L"file2.txt", 0, 0, 0, NULL);
    CreateFileTransactedA("fileTransactedA.txt", 0, 0, NULL, 0, 0, NULL, NULL, &us, NULL);
    CreateFileTransactedW(L"fileTransactedW.txt", 0, 0, NULL, 0, 0, NULL, NULL, &us, NULL);

    CreateFileMappingA(NULL, NULL, 0, 1, 1, "fileA");
    CreateFileMappingW(NULL, NULL, 0, 1, 1, L"fileW");
    CreateFileMappingNumaA(NULL, NULL, 0, 1, 1, "fileA", 0x1234);
    CreateFileMappingNumaW(NULL, NULL, 0, 1, 1, L"fileW", 0x1234);
    CreateFileMappingFromApp(NULL, NULL, 0, 0x1234, L"fileApp");

    // link-creation family
    CreateHardLinkA("delete1.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateHardLinkW(L"delete2.exe", L"C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkA("delete3.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkW(L"delete4.exe", L"C:\\Windows\\System32\\calc.exe", NULL);

    u_int handle = 0;

    CreateSymbolicLinkTransactedA("delete5.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateSymbolicLinkTransactedW(L"delete6.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedA("delete7.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedW(L"delete8.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);
}


// runs functions() a second time on a new thread, so the trace repeats
void start_thread()
{
    SECURITY_ATTRIBUTES attr;

    attr.bInheritHandle = true;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;

    int id = -1, param = 0;

    CreateThread(&attr, 8192, (LPTHREAD_START_ROUTINE)functions, &param, 0, (LPDWORD)&id);

    std::cout << "thread id = " << id << "\n";
}


int main()
{
    std::cout << "Buggy running...\n";

    functions(NULL);

    start_thread();

    char key[1024];

    std::cout << "Press q enter...";
    std::cin >> key;

    std::cout << "Buggy finished...";
}

Code:
ltrace for Windows x86 by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll VCRUNTIME140D.dll ucrtbased.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll VCRUNTIME140_CLR0400.dll ucrtbase_clr0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll System.Runtime.Remoting.ni.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x3797756, "strcpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x3797756, "lstrcpyA_source") from kernel32.dll
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x3795700, "lstrcpyW_source") from kernel32.dll
UNSAFE CALL: wcscpy()
wcscpy(0x3795700, "wcscpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x3797756, "lstrcpynA_source", 1024) from kernel32.dll
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x3795700, "lstrcpynW_source", 1024) from kernel32.dll
UNSAFE CALL: strncpy()
strncpy(0x3797756, "strncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncpy()
wcsncpy(0x3795700, "wcsncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: strcat()
strcat(0x3797756, "strcat_source") from ucrtbased.dll
UNSAFE CALL: wcscat()
wcscat(0x3795700, "wcscat_source") from ucrtbased.dll
UNSAFE CALL: strncat()
strncat(0x3797756, "strncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncat()
wcsncat(0x3795700, "wcsncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: lstrcatA()
lstrcatA(0x3797756, "lstrcatA_source") from kernel32.dll
UNSAFE CALL: lstrcatW()
lstrcatW(0x3795700, "lstrcatW_source") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedA()
CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x3795688, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x3795688, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x3795688, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingA()
CreateFileMappingA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingW()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaA()
CreateFileMappingNumaA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaW()
CreateFileMappingNumaW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingFromApp()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x8x8, "fileApp") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x3795676) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x3795676) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x3795676) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x3795676) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x3795676) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x3795676) from kernel32.dll
CreateThread(0x3798772, 0x2000, 0x11473016, 0x3798748, 0x0000, 0x3798760) from kernel32.dll
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=0039EAF4
lbuf=0039EAF4
buf=lstrcpynA_source
lbuf=0039EAF4
buf=strncpy_source
lbuf=0039EAF4
buf=strcat_source
lbuf=0039EAF4
buf=strcat_sourcestrncat_source
lbuf=0039EAF4
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=0039EAF4
thread id = 2124
Press q enter...UNSAFE CALL: strcpy()
strcpy(0x87946152, "strcpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x87946152, "lstrcpyA_source") from kernel32.dll
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x87944096, "lstrcpyW_source") from kernel32.dll
UNSAFE CALL: wcscpy()
wcscpy(0x87944096, "wcscpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x87946152, "lstrcpynA_source", 1024) from kernel32.dll
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x87944096, "lstrcpynW_source", 1024) from kernel32.dll
UNSAFE CALL: strncpy()
strncpy(0x87946152, "strncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncpy()
wcsncpy(0x87944096, "wcsncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: strcat()
strcat(0x87946152, "strcat_source") from ucrtbased.dll
UNSAFE CALL: wcscat()
wcscat(0x87944096, "wcscat_source") from ucrtbased.dll
UNSAFE CALL: strncat()
strncat(0x87946152, "strncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncat()
wcsncat(0x87944096, "wcsncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: lstrcatA()
lstrcatA(0x87946152, "lstrcatA_source") from kernel32.dll
UNSAFE CALL: lstrcatW()
lstrcatW(0x87944096, "lstrcatW_source") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedA()
CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x87944084, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x87944084, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x87944084, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingA()
CreateFileMappingA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingW()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaA()
CreateFileMappingNumaA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaW()
CreateFileMappingNumaW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingFromApp()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x8x8, "fileApp") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x87944072) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x87944072) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x87944072) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x87944072) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x87944072) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x87944072) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1731218384, 0x9123632, 0x0004, 0x80869720) from kernel32.dll
CreateThread(0x0, 0x40000, 0x1732183696, 0x0, 0x10000, 0x80870000) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1731218384, 0x9123504, 0x0004, 0x87946888) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1731218384, 0x9123616, 0x0004, 0x84538800) from kernel32.dll
CreateThread(0x0, 0x40000, 0x1732183696, 0x0, 0x10000, 0x80870000) from kernel32.dll

So, as of now, on the seventh day of development, the following functions are hooked and tracked:

static LocalHook CreateThread_hook = null;

static LocalHook CreateFileA_hook = null;
static LocalHook CreateFileW_hook = null;
static LocalHook CreateFile2_hook = null;
static LocalHook CreateFileTransactedA_hook = null;
static LocalHook CreateFileTransactedW_hook = null;
static LocalHook CreateFileMappingA_hook = null;
static LocalHook CreateFileMappingW_hook = null;
static LocalHook CreateFileMappingNumaA_hook = null;
static LocalHook CreateFileMappingNumaW_hook = null;
static LocalHook CreateFileMappingFromApp_hook = null;

static LocalHook CreateHardLinkA_hook = null;
static LocalHook CreateHardLinkW_hook = null;
static LocalHook CreateSymbolicLinkA_hook = null;
static LocalHook CreateSymbolicLinkW_hook = null;
static LocalHook CreateSymbolicLinkTransactedA_hook = null;
static LocalHook CreateSymbolicLinkTransactedW_hook = null;
static LocalHook CreateHardLinkTransactedA_hook = null;
static LocalHook CreateHardLinkTransactedW_hook = null;

static LocalHook lstrcpyA_hook = null;
static LocalHook lstrcpyW_hook = null;
static LocalHook lstrcpynA_hook = null;
static LocalHook lstrcpynW_hook = null;
//static LocalHook uaw_wcscpy_hook = null;

static LocalHook strcpy_hook = null;
static LocalHook wcscpy_hook = null;
static LocalHook strncpy_hook = null;
static LocalHook wcsncpy_hook = null;

static LocalHook strcat_hook = null;
static LocalHook wcscat_hook = null;
static LocalHook strncat_hook = null;
static LocalHook wcsncat_hook = null;

static LocalHook lstrcatA_hook = null;
static LocalHook lstrcatW_hook = null;
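The tracer's report has a fixed two-line shape: a severity header such as `UNSAFE CALL: strcpy()` followed by the call line `strcpy(0x3797756, "strcpy_source") from ucrtbased.dll`, with unflagged calls (CreateThread) printed on their own. The following parser is an added example, not part of the tracer or this post: it turns that report into structured events, counts flagged calls per function, and checks that the function named in the header matches the function on the call line (the run above shows one such mismatch, `CreateFileMappingFromApp()` reported over a `CreateFileMappingW(...)` line). `SAMPLE_TRACE` is constructed from the report format shown above; all function names in the block are hypothetical.

```python
"""Added example: parse the tracer's UNSAFE / POTENTIAL UNSAFE report.

Because the tracer and the traced program share one console, a header can be
glued to the program's own output ("Press q enter...UNSAFE CALL: strcpy()"),
so headers are searched for anywhere in a line, not only at its start.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

HEADER_RE = re.compile(r'(?P<sev>POTENTIAL UNSAFE|UNSAFE) CALL: (?P<fn>\w+)\(\)\s*$')
CALL_RE = re.compile(r'^(?P<fn>\w+)\((?P<args>.*)\) from (?P<mod>[\w.]+)$')


@dataclass
class TraceEvent:
    severity: str            # "UNSAFE", "POTENTIAL UNSAFE" or "INFO" (no header)
    function: str            # name printed on the call line
    module: str              # DLL the tracer attributes the call to
    args: list = field(default_factory=list)
    flagged_as: str = None   # function named in the header, if there was one


def split_args(text):
    """Split the argument list on commas outside double quotes; unquote strings."""
    if not text.strip():
        return []
    args, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ',' and not quoted:
            args.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    args.append(''.join(cur))
    out = []
    for a in args:
        a = a.strip()
        if len(a) >= 2 and a[0] == '"' and a[-1] == '"':
            a = a[1:-1]
        out.append(a)
    return out


def parse_trace(lines):
    """Pair each severity header with the call line that follows it."""
    events, pending = [], None
    for raw in lines:
        line = raw.rstrip('\r\n')
        m = HEADER_RE.search(line)          # search: header may be glued to stdout
        if m:
            pending = (m.group('sev'), m.group('fn'))
            continue
        m = CALL_RE.match(line)
        if not m:
            continue                        # banner, module list, program output
        events.append(TraceEvent(
            severity=pending[0] if pending else 'INFO',
            function=m.group('fn'), module=m.group('mod'),
            args=split_args(m.group('args')),
            flagged_as=pending[1] if pending else None))
        pending = None
    return events


def summarize(events):
    """Count flagged calls per (severity, function)."""
    return Counter((e.severity, e.function) for e in events if e.severity != 'INFO')


def header_mismatches(events):
    """Headers whose function name differs from the call line beneath them."""
    return [(e.flagged_as, e.function) for e in events
            if e.flagged_as and e.flagged_as != e.function]


# Constructed sample in the tracer's report format (not a real capture).
SAMPLE_TRACE = """Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x3797756, "strcpy_source") from ucrtbased.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingFromApp()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x8x8, "fileApp") from kernel32.dll
CreateThread(0x3798772, 0x2000, 0x11473016, 0x3798748, 0x0000, 0x3798760) from kernel32.dll
Buggy running...
buf=strcpy_source
Press q enter...UNSAFE CALL: strcpy()
strcpy(0x87946152, "strcpy_source") from ucrtbased.dll
"""

if __name__ == '__main__':
    evs = parse_trace(SAMPLE_TRACE.splitlines())
    for (sev, fn), n in sorted(summarize(evs).items()):
        print(f'{sev:17} {fn:28} x{n}')
    for want, got in header_mismatches(evs):
        print(f'header/call mismatch: {want} reported over {got}')
```

Run it on a saved report with `parse_trace(open(path))`; the mismatch check is worth keeping as a regression test for the tracer itself, since a hook that logs the wrong name produces a report that cannot be matched back to the source.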
 
Talomir
SKYPE HACKED WITH LTRACE: NORMAL WINDOW SIZE MADE "AS IT WAS"

--- Added later: ---

LTRACE FOR WINDOWS RELEASE

I am planning it in about a month and a half, when there is a large base of hooked functions. Ltrace for Windows will be included as a free command-line plugin in my file manager CyberFile-2; I will throw out Russinovich's outdated, low-quality and less powerful Process Monitor, its button will go to the Pidgin messenger (I am not happy with Telegram and its QR-code registration), and ProcMon's function will be taken over by the more capable ltrace. Just as x64dbg replaced Olly Debugger: modern coders program better than the old-timers!
--- Added later: ---

SEVENTH DAY OF DEVELOPMENT

Started with hooking the functions CreateNamedPipeA(), CreateNamedPipeW() - UNSAFE CALL (many nuances that lead to vulnerabilities).

Code:
#define _CRT_SECURE_NO_WARNINGS
#include <iostream>
#include <windows.h>
#include <winbase.h>
//#include <mbstring.h>
//#include <winapifamily.h>

void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];

    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyW(lbuf, L"lstrcpyW_source");
    std::cout << "lbuf=" << lbuf << "\n";

    wcscpy(lbuf, L"wcscpy_source");
    std::cout << "lbuf=" << lbuf << "\n";

    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";

    strncpy(buf, "strncpy_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncpy(lbuf, L"wcsncpy_source", sizeof lbuf/2);
    std::cout << "lbuf=" << lbuf << "\n";

    buf[0] = 0;
    lbuf[0] = 0;

    strcat(buf, "strcat_source");
    std::cout << "buf=" << buf << "\n";

    wcscat(lbuf, L"wcscat_source");
    std::cout << "lbuf=" << lbuf << "\n";

    strncat(buf, "strncat_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncat(lbuf, L"wcsncat_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";

    lstrcatA(buf, "lstrcatA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcatW(lbuf, L"lstrcatW_source");
    std::cout << "lbuf=" << lbuf << "\n";

//    uaw_wcscpy(lbuf, L"uaw_wcscpy_source");
//    std::cout << "lbuf=" << lbuf << "\n";

    u_short us;

    CreateFileA("fileA.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFileW(L"fileW.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFile2(L"file2.txt", 0, 0, 0, NULL);
    CreateFileTransactedA("fileTransactedA.txt", 0, 0, NULL, 0, 0, NULL, NULL, &us, NULL);
    CreateFileTransactedW(L"fileTransactedW.txt", 0, 0, NULL, 0, 0, NULL, NULL, &us, NULL);

    CreateFileMappingA(NULL, NULL, 0, 1, 1, "fileA");
    CreateFileMappingW(NULL, NULL, 0, 1, 1, L"fileW");
    CreateFileMappingNumaA(NULL, NULL, 0, 1, 1, "fileA", 0x1234);
    CreateFileMappingNumaW(NULL, NULL, 0, 1, 1, L"fileW", 0x1234);
    CreateFileMappingFromApp(NULL, NULL, 0, 0x1234, L"fileApp");

    CreateHardLinkA("delete1.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateHardLinkW(L"delete2.exe", L"C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkA("delete3.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkW(L"delete4.exe", L"C:\\Windows\\System32\\calc.exe", NULL);

    u_int handle = 0;

    CreateSymbolicLinkTransactedA("delete5.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateSymbolicLinkTransactedW(L"delete6.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedA("delete7.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedW(L"delete8.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);

    CreateNamedPipeA("\\\\.\\pipe\\pipeA", 0, 0, 1, 1024, 1024, 500, NULL);
    CreateNamedPipeW(L"\\\\.\\pipe\\pipeW", 0, 0, 1, 1024, 1024, 500, NULL);
}


void start_thread()
{
    SECURITY_ATTRIBUTES attr;

    attr.bInheritHandle = true;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;

    int id = -1, param = 0;

    CreateThread(&attr, 8192, (LPTHREAD_START_ROUTINE)functions, &param, 0, (LPDWORD)&id);

    std::cout << "thread id = " << id << "\n";

}

int main()
{
    std::cout << "Buggy running...\n";

    functions(NULL);

    start_thread();

    char key[1024];

    std::cout << "Press q enter...";
    std::cin >> key;

    std::cout << "Buggy finished...";
}


Code:
ltrace for Windows x86 by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll VCRUNTIME140D.dll ucrtbased.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll VCRUNTIME140_CLR0400.dll ucrtbase_clr0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll System.Runtime.Remoting.ni.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x17821772, "strcpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x17821772, "lstrcpyA_source") from kernel32.dll
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x17819716, "lstrcpyW_source") from kernel32.dll
UNSAFE CALL: wcscpy()
wcscpy(0x17819716, "wcscpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x17821772, "lstrcpynA_source", 1024) from kernel32.dll
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x17819716, "lstrcpynW_source", 1024) from kernel32.dll
UNSAFE CALL: strncpy()
strncpy(0x17821772, "strncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncpy()
wcsncpy(0x17819716, "wcsncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: strcat()
strcat(0x17821772, "strcat_source") from ucrtbased.dll
UNSAFE CALL: wcscat()
wcscat(0x17819716, "wcscat_source") from ucrtbased.dll
UNSAFE CALL: strncat()
strncat(0x17821772, "strncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncat()
wcsncat(0x17819716, "wcsncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: lstrcatA()
lstrcatA(0x17821772, "lstrcatA_source") from kernel32.dll
UNSAFE CALL: lstrcatW()
lstrcatW(0x17819716, "lstrcatW_source") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedA()
CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x17819704, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x17819704, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x17819704, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingA()
CreateFileMappingA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingW()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaA()
CreateFileMappingNumaA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaW()
CreateFileMappingNumaW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingFromApp()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x8x8, "fileApp") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x17819692) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x17819692) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x17819692) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x17819692) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x17819692) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x17819692) from kernel32.dll
UNSAFE CALL: CreateNamedPipeA()
CreateNamedPipeA("\\.\pipe\pipeA", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll
UNSAFE CALL: CreateNamedPipeW()
CreateNamedPipeW("\\.\pipe\pipeW", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll
CreateThread(0x17822788, 0x2000, 0x13308024, 0x17822764, 0x0000, 0x17822776) from kernel32.dll
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=010FE844
lbuf=010FE844
buf=lstrcpynA_source
lbuf=010FE844
buf=strncpy_source
lbuf=010FE844
buf=strcat_source
lbuf=010FE844
buf=strcat_sourcestrncat_source
lbuf=010FE844
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=010FE844
thread id = 7488
Press q enter...UNSAFE CALL: strcpy()
strcpy(0x98498216, "strcpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x98498216, "lstrcpyA_source") from kernel32.dll
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x98496160, "lstrcpyW_source") from kernel32.dll
UNSAFE CALL: wcscpy()
wcscpy(0x98496160, "wcscpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x98498216, "lstrcpynA_source", 1024) from kernel32.dll
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x98496160, "lstrcpynW_source", 1024) from kernel32.dll
UNSAFE CALL: strncpy()
strncpy(0x98498216, "strncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncpy()
wcsncpy(0x98496160, "wcsncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: strcat()
strcat(0x98498216, "strcat_source") from ucrtbased.dll
UNSAFE CALL: wcscat()
wcscat(0x98496160, "wcscat_source") from ucrtbased.dll
UNSAFE CALL: strncat()
strncat(0x98498216, "strncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncat()
wcsncat(0x98496160, "wcsncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: lstrcatA()
lstrcatA(0x98498216, "lstrcatA_source") from kernel32.dll
UNSAFE CALL: lstrcatW()
lstrcatW(0x98496160, "lstrcatW_source") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedA()
CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x98496148, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x98496148, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x98496148, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingA()
CreateFileMappingA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingW()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaA()
CreateFileMappingNumaA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaW()
CreateFileMappingNumaW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingFromApp()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x8x8, "fileApp") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x98496136) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x98496136) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x98496136) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x98496136) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x98496136) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x98496136) from kernel32.dll
UNSAFE CALL: CreateNamedPipeA()
CreateNamedPipeA("\\.\pipe\pipeA", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll
UNSAFE CALL: CreateNamedPipeW()
CreateNamedPipeW("\\.\pipe\pipeW", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1727744976, 0x22341472, 0x0004, 0x91092240) from kernel32.dll
CreateThread(0x0, 0x40000, 0x1728710288, 0x0, 0x10000, 0x91092520) from kernel32.dll
--- Added later: ---

Added a hook for CreatePipe() - INFO CALL

Code:
#define _CRT_SECURE_NO_WARNINGS   // let strcpy & co. compile without MSVC deprecation errors
#include <iostream>
#include <cstring>                // strcpy, strncpy, strcat, strncat
#include <cwchar>                 // wcscpy, wcsncpy, wcscat, wcsncat
#include <windows.h>
#include <winbase.h>
//#include <mbstring.h>
//#include <winapifamily.h>

// Test target for the tracer: every call below is one the hook list is expected
// to catch.  Most of the file/link/pipe calls are meant to fail (zero access
// masks, bogus transaction handles); only the hook firing matters, not the result.
void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];

    // Unbounded copies - UNSAFE
    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";

    // std::cout has no wchar_t* overload, so these lines print the address of
    // lbuf (the "lbuf=010FE844" lines in the output), not its contents;
    // std::wcout would print the string.
    lstrcpyW(lbuf, L"lstrcpyW_source");
    std::cout << "lbuf=" << lbuf << "\n";

    wcscpy(lbuf, L"wcscpy_source");
    std::cout << "lbuf=" << lbuf << "\n";

    // Bounded copies; the count is in characters, hence sizeof lbuf / 2 for wchar_t
    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";

    strncpy(buf, "strncpy_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncpy(lbuf, L"wcsncpy_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";

    buf[0] = 0;
    lbuf[0] = 0;

    // Concatenations.  strncat/wcsncat take the space left in the buffer, not
    // the buffer size, so passing sizeof buf is the classic misuse the hooks
    // should flag: it still overflows once the buffer is nearly full.
    strcat(buf, "strcat_source");
    std::cout << "buf=" << buf << "\n";

    wcscat(lbuf, L"wcscat_source");
    std::cout << "lbuf=" << lbuf << "\n";

    strncat(buf, "strncat_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncat(lbuf, L"wcsncat_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";

    lstrcatA(buf, "lstrcatA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcatW(lbuf, L"lstrcatW_source");
    std::cout << "lbuf=" << lbuf << "\n";

//    uaw_wcscpy(lbuf, L"uaw_wcscpy_source");
//    std::cout << "lbuf=" << lbuf << "\n";

    // File creation.  &us is not a real transaction handle: the transacted
    // calls are expected to fail, the hook fires anyway.
    u_short us;

    CreateFileA("fileA.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFileW(L"fileW.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFile2(L"file2.txt", 0, 0, 0, NULL);
    CreateFileTransactedA("fileTransactedA.txt", 0, 0, NULL, 0, 0, NULL, NULL, &us, NULL);
    CreateFileTransactedW(L"fileTransactedW.txt", 0, 0, NULL, 0, 0, NULL, NULL, &us, NULL);

    // Named sections (CreateFileMappingFromApp needs Windows 8 or later)
    CreateFileMappingA(NULL, NULL, 0, 1, 1, "fileA");
    CreateFileMappingW(NULL, NULL, 0, 1, 1, L"fileW");
    CreateFileMappingNumaA(NULL, NULL, 0, 1, 1, "fileA", 0x1234);
    CreateFileMappingNumaW(NULL, NULL, 0, 1, 1, L"fileW", 0x1234);
    CreateFileMappingFromApp(NULL, NULL, 0, 0x1234, L"fileApp");

    // Hard links and symlinks pointing at a system binary
    CreateHardLinkA("delete1.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateHardLinkW(L"delete2.exe", L"C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkA("delete3.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkW(L"delete4.exe", L"C:\\Windows\\System32\\calc.exe", NULL);

    // Likewise not a real transaction handle
    u_int handle = 0;

    CreateSymbolicLinkTransactedA("delete5.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateSymbolicLinkTransactedW(L"delete6.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedA("delete7.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedW(L"delete8.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);

    // Named pipes (1024-byte buffers, 500 ms default timeout)
    CreateNamedPipeA("\\\\.\\pipe\\pipeA", 0, 0, 1, 1024, 1024, 500, NULL);
    CreateNamedPipeW(L"\\\\.\\pipe\\pipeW", 0, 0, 1, 1024, 1024, 500, NULL);

    // Anonymous pipe.  CreatePipe writes a HANDLE through each pointer, so the
    // variables must be HANDLE (a u_int is too small for a 64-bit build).
    HANDLE hRead = NULL, hWrite = NULL;

    CreatePipe(&hRead, &hWrite, NULL, 1024);
}

// Run functions() a second time on a worker thread so the tracer also sees
// calls made from a non-main thread.  The int param stands in for the char*
// argument, which functions() never uses.
void start_thread()
{
    SECURITY_ATTRIBUTES attr;

    attr.bInheritHandle = true;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;

    DWORD id = 0;
    int param = 0;

    CreateThread(&attr, 8192, (LPTHREAD_START_ROUTINE)functions, &param, 0, &id);

    std::cout << "thread id = " << id << "\n";
}

int main()
{
    std::cout << "Buggy running...\n";

    functions(NULL);

    start_thread();

    // Unbounded read into a fixed-size buffer; keeps the process alive until
    // the user presses a key so the worker thread's calls get traced too.
    char key[1024];

    std::cout << "Press q enter...";
    std::cin >> key;

    std::cout << "Buggy finished...";
}

Code:
ltrace for Windows x86 by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll VCRUNTIME140D.dll ucrtbased.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll ucrtbase_clr0400.dll VCRUNTIME140_CLR0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll System.Runtime.Remoting.ni.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x19918620, "strcpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x19918620, "lstrcpyA_source") from kernel32.dll
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x19916564, "lstrcpyW_source") from kernel32.dll
UNSAFE CALL: wcscpy()
wcscpy(0x19916564, "wcscpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x19918620, "lstrcpynA_source", 1024) from kernel32.dll
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x19916564, "lstrcpynW_source", 1024) from kernel32.dll
UNSAFE CALL: strncpy()
strncpy(0x19918620, "strncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncpy()
wcsncpy(0x19916564, "wcsncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: strcat()
strcat(0x19918620, "strcat_source") from ucrtbased.dll
UNSAFE CALL: wcscat()
wcscat(0x19916564, "wcscat_source") from ucrtbased.dll
UNSAFE CALL: strncat()
strncat(0x19918620, "strncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncat()
wcsncat(0x19916564, "wcsncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: lstrcatA()
lstrcatA(0x19918620, "lstrcatA_source") from kernel32.dll
UNSAFE CALL: lstrcatW()
lstrcatW(0x19916564, "lstrcatW_source") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedA()
CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x19916552, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x19916552, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x19916552, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingA()
CreateFileMappingA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingW()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaA()
CreateFileMappingNumaA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaW()
CreateFileMappingNumaW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingFromApp()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x8x8, "fileApp") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x19916540) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x19916540) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x19916540) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x19916540) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x19916540) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x19916540) from kernel32.dll
UNSAFE CALL: CreateNamedPipeA()
CreateNamedPipeA("\\.\pipe\pipeA", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll
UNSAFE CALL: CreateNamedPipeW()
CreateNamedPipeW("\\.\pipe\pipeW", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll
CreatePipe(0x19916528, 0x19916516, 0x0, 0x0400) from kernel32.dll
CreateThread(0x19919636, 0x2000, 0x2625656, 0x19919612, 0x0000, 0x19919624) from kernel32.dll
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=012FE714
lbuf=012FE714
buf=lstrcpynA_source
lbuf=012FE714
buf=strncpy_source
lbuf=012FE714
buf=strcat_source
lbuf=012FE714
buf=strcat_sourcestrncat_source
lbuf=012FE714
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=012FE714
thread id = 5872
Press q enter...UNSAFE CALL: strcpy()
strcpy(0x100791948, "strcpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x100791948, "lstrcpyA_source") from kernel32.dll
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x100789892, "lstrcpyW_source") from kernel32.dll
UNSAFE CALL: wcscpy()
wcscpy(0x100789892, "wcscpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x100791948, "lstrcpynA_source", 1024) from kernel32.dll
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x100789892, "lstrcpynW_source", 1024) from kernel32.dll
UNSAFE CALL: strncpy()
strncpy(0x100791948, "strncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncpy()
wcsncpy(0x100789892, "wcsncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: strcat()
strcat(0x100791948, "strcat_source") from ucrtbased.dll
UNSAFE CALL: wcscat()
wcscat(0x100789892, "wcscat_source") from ucrtbased.dll
UNSAFE CALL: strncat()
strncat(0x100791948, "strncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncat()
wcsncat(0x100789892, "wcsncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: lstrcatA()
lstrcatA(0x100791948, "lstrcatA_source") from kernel32.dll
UNSAFE CALL: lstrcatW()
lstrcatW(0x100789892, "lstrcatW_source") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedA()
CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x100789880, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x100789880, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x100789880, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingA()
CreateFileMappingA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingW()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaA()
CreateFileMappingNumaA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaW()
CreateFileMappingNumaW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingFromApp()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x8x8, "fileApp") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x100789868) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x100789868) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x100789868) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x100789868) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x100789868) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x100789868) from kernel32.dll
UNSAFE CALL: CreateNamedPipeA()
CreateNamedPipeA("\\.\pipe\pipeA", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll
UNSAFE CALL: CreateNamedPipeW()
CreateNamedPipeW("\\.\pipe\pipeW", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll
CreatePipe(0x100789856, 0x100789844, 0x0, 0x0400) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1727744976, 0x22936088, 0x0004, 0x93453264) from kernel32.dll
CreateThread(0x0, 0x40000, 0x1728710288, 0x0, 0x10000, 0x93453544) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1727744976, 0x22936168, 0x0004, 0x97253376) from kernel32.dll
CreateThread(0x0, 0x40000, 0x1728710288, 0x0, 0x10000, 0x93453544) from kernel32.dll
--- Added later: ---

And added hooks for CreateMailslotA(), CreateMailslotW() - POTENTIAL UNSAFE. That's all for this morning; I plan to continue in the evening, if it all works out with the cigarettes.

Code:
#define _CRT_SECURE_NO_WARNINGS   // let strcpy & co. compile without MSVC deprecation errors
#include <iostream>
#include <cstring>                // strcpy, strncpy, strcat, strncat
#include <cwchar>                 // wcscpy, wcsncpy, wcscat, wcsncat
#include <windows.h>
#include <winbase.h>
//#include <mbstring.h>
//#include <winapifamily.h>

// Test target for the tracer: every call below is one the hook list is expected
// to catch.  Most of the file/link/pipe/mailslot calls are meant to fail (zero
// access masks, bogus transaction handles); only the hook firing matters.
void functions(char *param)
{
    char buf[1024];
    wchar_t lbuf[1024];

    // Unbounded copies - UNSAFE
    strcpy(buf, "strcpy_source");
    std::cout << "buf=" << buf << "\n";

    lstrcpyA(buf, "lstrcpyA_source");
    std::cout << "buf=" << buf << "\n";

    // std::cout has no wchar_t* overload, so these lines print the address of
    // lbuf (the "lbuf=006FE830" lines in the output), not its contents;
    // std::wcout would print the string.
    lstrcpyW(lbuf, L"lstrcpyW_source");
    std::cout << "lbuf=" << lbuf << "\n";

    wcscpy(lbuf, L"wcscpy_source");
    std::cout << "lbuf=" << lbuf << "\n";

    // Bounded copies; the count is in characters, hence sizeof lbuf / 2 for wchar_t
    lstrcpynA(buf, "lstrcpynA_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    lstrcpynW(lbuf, L"lstrcpynW_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";

    strncpy(buf, "strncpy_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncpy(lbuf, L"wcsncpy_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";

    buf[0] = 0;
    lbuf[0] = 0;

    // Concatenations.  strncat/wcsncat take the space left in the buffer, not
    // the buffer size, so passing sizeof buf is the classic misuse the hooks
    // should flag: it still overflows once the buffer is nearly full.
    strcat(buf, "strcat_source");
    std::cout << "buf=" << buf << "\n";

    wcscat(lbuf, L"wcscat_source");
    std::cout << "lbuf=" << lbuf << "\n";

    strncat(buf, "strncat_source", sizeof buf);
    std::cout << "buf=" << buf << "\n";

    wcsncat(lbuf, L"wcsncat_source", sizeof lbuf / 2);
    std::cout << "lbuf=" << lbuf << "\n";

    lstrcatA(buf, "lstrcatA_source");
    std::cout << "buf=" << buf << "\n";

    lstrcatW(lbuf, L"lstrcatW_source");
    std::cout << "lbuf=" << lbuf << "\n";

//    uaw_wcscpy(lbuf, L"uaw_wcscpy_source");
//    std::cout << "lbuf=" << lbuf << "\n";

    // File creation.  &us is not a real transaction handle: the transacted
    // calls are expected to fail, the hook fires anyway.
    u_short us;

    CreateFileA("fileA.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFileW(L"fileW.txt", 0, 0, NULL, 0, 0, NULL);
    CreateFile2(L"file2.txt", 0, 0, 0, NULL);
    CreateFileTransactedA("fileTransactedA.txt", 0, 0, NULL, 0, 0, NULL, NULL, &us, NULL);
    CreateFileTransactedW(L"fileTransactedW.txt", 0, 0, NULL, 0, 0, NULL, NULL, &us, NULL);

    // Named sections (CreateFileMappingFromApp needs Windows 8 or later)
    CreateFileMappingA(NULL, NULL, 0, 1, 1, "fileA");
    CreateFileMappingW(NULL, NULL, 0, 1, 1, L"fileW");
    CreateFileMappingNumaA(NULL, NULL, 0, 1, 1, "fileA", 0x1234);
    CreateFileMappingNumaW(NULL, NULL, 0, 1, 1, L"fileW", 0x1234);
    CreateFileMappingFromApp(NULL, NULL, 0, 0x1234, L"fileApp");

    // Hard links and symlinks pointing at a system binary
    CreateHardLinkA("delete1.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateHardLinkW(L"delete2.exe", L"C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkA("delete3.exe", "C:\\Windows\\System32\\calc.exe", NULL);
    CreateSymbolicLinkW(L"delete4.exe", L"C:\\Windows\\System32\\calc.exe", NULL);

    // Likewise not a real transaction handle
    u_int handle = 0;

    CreateSymbolicLinkTransactedA("delete5.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateSymbolicLinkTransactedW(L"delete6.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedA("delete7.exe", "C:\\Windows\\System32\\calc.exe", 0, &handle);
    CreateHardLinkTransactedW(L"delete8.exe", L"C:\\Windows\\System32\\calc.exe", 0, &handle);

    // Named pipes (1024-byte buffers, 500 ms default timeout)
    CreateNamedPipeA("\\\\.\\pipe\\pipeA", 0, 0, 1, 1024, 1024, 500, NULL);
    CreateNamedPipeW(L"\\\\.\\pipe\\pipeW", 0, 0, 1, 1024, 1024, 500, NULL);

    // Anonymous pipe.  CreatePipe writes a HANDLE through each pointer, so the
    // variables must be HANDLE (a u_int is too small for a 64-bit build).
    HANDLE hRead = NULL, hWrite = NULL;

    CreatePipe(&hRead, &hWrite, NULL, 1024);

    // Mailslots (1024-byte max message, 500 ms read timeout)
    CreateMailslotA("\\\\.\\mailslot\\mailslotA", 1024, 500, NULL);
    CreateMailslotW(L"\\\\.\\mailslot\\mailslotW", 1024, 500, NULL);
}

// Run functions() a second time on a worker thread so the tracer also sees
// calls made from a non-main thread.  The int param stands in for the char*
// argument, which functions() never uses.
void start_thread()
{
    SECURITY_ATTRIBUTES attr;

    attr.bInheritHandle = true;
    attr.lpSecurityDescriptor = NULL;
    attr.nLength = sizeof attr;

    DWORD id = 0;
    int param = 0;

    CreateThread(&attr, 8192, (LPTHREAD_START_ROUTINE)functions, &param, 0, &id);

    std::cout << "thread id = " << id << "\n";
}

int main()
{
    std::cout << "Buggy running...\n";

    functions(NULL);

    start_thread();

    // Unbounded read into a fixed-size buffer; keeps the process alive until
    // the user presses a key so the worker thread's calls get traced too.
    char key[1024];

    std::cout << "Press q enter...";
    std::cin >> key;

    std::cout << "Buggy finished...";
}

Code:
ltrace for Windows x86 by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll VCRUNTIME140D.dll ucrtbased.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll VCRUNTIME140_CLR0400.dll ucrtbase_clr0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll System.Runtime.Remoting.ni.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll
Trace of program execution...:
UNSAFE CALL: strcpy()
strcpy(0x7335992, "strcpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x7335992, "lstrcpyA_source") from kernel32.dll
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x7333936, "lstrcpyW_source") from kernel32.dll
UNSAFE CALL: wcscpy()
wcscpy(0x7333936, "wcscpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x7335992, "lstrcpynA_source", 1024) from kernel32.dll
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x7333936, "lstrcpynW_source", 1024) from kernel32.dll
UNSAFE CALL: strncpy()
strncpy(0x7335992, "strncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncpy()
wcsncpy(0x7333936, "wcsncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: strcat()
strcat(0x7335992, "strcat_source") from ucrtbased.dll
UNSAFE CALL: wcscat()
wcscat(0x7333936, "wcscat_source") from ucrtbased.dll
UNSAFE CALL: strncat()
strncat(0x7335992, "strncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncat()
wcsncat(0x7333936, "wcsncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: lstrcatA()
lstrcatA(0x7335992, "lstrcatA_source") from kernel32.dll
UNSAFE CALL: lstrcatW()
lstrcatW(0x7333936, "lstrcatW_source") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedA()
CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x7333924, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x7333924, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x7333924, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingA()
CreateFileMappingA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingW()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaA()
CreateFileMappingNumaA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaW()
CreateFileMappingNumaW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingFromApp()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x8x8, "fileApp") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x7333912) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x7333912) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x7333912) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x7333912) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x7333912) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x7333912) from kernel32.dll
UNSAFE CALL: CreateNamedPipeA()
CreateNamedPipeA("\\.\pipe\pipeA", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll
UNSAFE CALL: CreateNamedPipeW()
CreateNamedPipeW("\\.\pipe\pipeW", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll
CreatePipe(0x7333900, 0x7333888, 0x0, 0x0400) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateMailslotA()
CreateMailslotA("\\.\mailslot\mailslotA", 0x0400, 0x01f4, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateMailslotW()
CreateMailslotW("\\.\mailslot\mailslotA", 0x0400, 0x01f4, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateMailslotW()
CreateMailslotW("\\.\mailslot\mailslotW", 0x0400, 0x01f4, 0x0) from kernel32.dll
CreateThread(0x7337008, 0x2000, 0x8917112, 0x7336984, 0x0000, 0x7336996) from kernel32.dll
Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=006FE830
lbuf=006FE830
buf=lstrcpynA_source
lbuf=006FE830
buf=strncpy_source
lbuf=006FE830
buf=strcat_source
lbuf=006FE830
buf=strcat_sourcestrncat_source
lbuf=006FE830
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=006FE830
thread id = 4128
Press q enter...UNSAFE CALL: strcpy()
strcpy(0x88798600, "strcpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpyA()
lstrcpyA(0x88798600, "lstrcpyA_source") from kernel32.dll
UNSAFE CALL: lstrcpyW()
lstrcpyW(0x88796544, "lstrcpyW_source") from kernel32.dll
UNSAFE CALL: wcscpy()
wcscpy(0x88796544, "wcscpy_source") from ucrtbased.dll
UNSAFE CALL: lstrcpynA()
lstrcpynA(0x88798600, "lstrcpynA_source", 1024) from kernel32.dll
UNSAFE CALL: lstrcpynW()
lstrcpynW(0x88796544, "lstrcpynW_source", 1024) from kernel32.dll
UNSAFE CALL: strncpy()
strncpy(0x88798600, "strncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncpy()
wcsncpy(0x88796544, "wcsncpy_source", 1024) from ucrtbased.dll
UNSAFE CALL: strcat()
strcat(0x88798600, "strcat_source") from ucrtbased.dll
UNSAFE CALL: wcscat()
wcscat(0x88796544, "wcscat_source") from ucrtbased.dll
UNSAFE CALL: strncat()
strncat(0x88798600, "strncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: wcsncat()
wcsncat(0x88796544, "wcsncat_source", 1024) from ucrtbased.dll
UNSAFE CALL: lstrcatA()
lstrcatA(0x88798600, "lstrcatA_source") from kernel32.dll
UNSAFE CALL: lstrcatW()
lstrcatW(0x88796544, "lstrcatW_source") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileA()
CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileW()
CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll
UNSAFE CALL: CreateFile2()
CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedA()
CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x88796532, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x88796532, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileTransactedW()
CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x88796532, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingA()
CreateFileMappingA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingW()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaA()
CreateFileMappingNumaA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingNumaW()
CreateFileMappingNumaW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW", 0x1234) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateFileMappingFromApp()
CreateFileMappingW(0x0, 0x0, 0x0000, 0x8x8, "fileApp") from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkA()
CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkW()
CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()
CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()
CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedA()
CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x88796520) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x88796520) from kernel32.dll
UNSAFE CALL: CreateSymbolicLinkTransactedW()
CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x88796520) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()
CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x88796520) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x88796520) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()
CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x88796520) from kernel32.dll
UNSAFE CALL: CreateNamedPipeA()
CreateNamedPipeA("\\.\pipe\pipeA", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll
UNSAFE CALL: CreateNamedPipeW()
CreateNamedPipeW("\\.\pipe\pipeW", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll
CreatePipe(0x88796508, 0x88796496, 0x0, 0x0400) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateMailslotA()
CreateMailslotA("\\.\mailslot\mailslotA", 0x0400, 0x01f4, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateMailslotW()
CreateMailslotW("\\.\mailslot\mailslotA", 0x0400, 0x01f4, 0x0) from kernel32.dll
POTENTIAL UNSAFE CALL: CreateMailslotW()
CreateMailslotW("\\.\mailslot\mailslotW", 0x0400, 0x01f4, 0x0) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1727744976, 0x12169384, 0x0004, 0x43382768) from kernel32.dll
CreateThread(0x0, 0x40000, 0x1728710288, 0x0, 0x10000, 0x43383048) from kernel32.dll
CreateThread(0x0, 0x0000, 0x1727744976, 0x12169784, 0x0004, 0x85260448) from kernel32.dll
 
Talomir
Added a simple analysis of LPSECURITY_ATTRIBUTES in kernel32.dll calls - POTENTIAL UNSAFE



Code:
ltrace for Windows x86 by Talomir Mirotal 2022, Botting Technologies 12 Lab.
We are in target process, the modules list: buggy.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll MSVCP140D.dll VCRUNTIME140D.dll ucrtbased.dll EasyHook32.dll PSAPI.DLL ADVAPI32.dll msvcrt.dll sechost.dll RPCRT4.dll ole32.dll ucrtbase.dll combase.dll GDI32.dll win32u.dll gdi32full.dll msvcp_win.dll USER32.dll SHLWAPI.dll IMM32.DLL EasyLoad32.dll mscoree.dll mscoreei.dll kernel.appcore.dll VERSION.dll clr.dll VCRUNTIME140_CLR0400.dll ucrtbase_clr0400.dll mscorlib.ni.dll CRYPTSP.dll rsaenh.dll bcrypt.dll CRYPTBASE.dll bcryptPrimitives.dll clrjit.dll OLEAUT32.dll System.ni.dll shell32.dll windows.storage.dll Wldp.dll SHCORE.dll profapi.dll System.Runtime.Remoting.ni.dll ws2_32.dll mswsock.dll System.Core.ni.dll System.Configuration.ni.dll System.Xml.ni.dll

Trace of program execution...:

UNSAFE CALL: strcpy()

strcpy(0x11530024, "strcpy_source") from ucrtbased.dll

UNSAFE CALL: lstrcpyA()

lstrcpyA(0x11530024, "lstrcpyA_source") from kernel32.dll

UNSAFE CALL: lstrcpyW()

lstrcpyW(0x11527968, "lstrcpyW_source") from kernel32.dll

UNSAFE CALL: wcscpy()

wcscpy(0x11527968, "wcscpy_source") from ucrtbased.dll

UNSAFE CALL: lstrcpynA()

lstrcpynA(0x11530024, "lstrcpynA_source", 1024) from kernel32.dll

UNSAFE CALL: lstrcpynW()

lstrcpynW(0x11527968, "lstrcpynW_source", 1024) from kernel32.dll

UNSAFE CALL: strncpy()

strncpy(0x11530024, "strncpy_source", 1024) from ucrtbased.dll

UNSAFE CALL: wcsncpy()

wcsncpy(0x11527968, "wcsncpy_source", 1024) from ucrtbased.dll

UNSAFE CALL: strcat()

strcat(0x11530024, "strcat_source") from ucrtbased.dll

UNSAFE CALL: wcscat()

wcscat(0x11527968, "wcscat_source") from ucrtbased.dll

UNSAFE CALL: strncat()

strncat(0x11530024, "strncat_source", 1024) from ucrtbased.dll

UNSAFE CALL: wcsncat()

wcsncat(0x11527968, "wcsncat_source", 1024) from ucrtbased.dll

UNSAFE CALL: lstrcatA()

lstrcatA(0x11530024, "lstrcatA_source") from kernel32.dll

UNSAFE CALL: lstrcatW()

lstrcatW(0x11527968, "lstrcatW_source") from kernel32.dll

POTENTIAL UNSAFE CALL: CreateFileA()

CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll

CreateThread(0x0, 0x2000, 0x1981269904, 0x14659048, 0x0000, 0x11518412) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileW()

CreateFileW("C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\mscorlib.resources\v4.0_4.0.0.0_ru_b77a5c561934e089\mscorlib.resources.dll", 0x80000000, 0x0005, 0x0, 0x0003, 0x0080, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileW()

CreateFileW("C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\mscorlib.resources\v4.0_4.0.0.0_ru_b77a5c561934e089\mscorlib.resources.dll", 0x80000000, 0x0001, 0x0, 0x0003, 0x0080, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileMappingW()

The target process has reported an error:
System.Exception: Выдано исключение типа "System.Exception".
LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileW()

CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

UNSAFE CALL: CreateFile2()

CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll

POTENTIAL UNSAFE CALL: CreateFileTransactedA()

CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x11527956, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileTransactedW()

CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x11527956, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileTransactedW()

CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x11527956, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileMappingA()

CreateFileMappingA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA") from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileMappingW()

CreateFileMappingW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW") from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileMappingNumaA()

CreateFileMappingNumaA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA", 0x1234) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileMappingNumaW()

CreateFileMappingNumaW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW", 0x1234) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileMappingFromApp()

CreateFileMappingW(0x0, 0x0, 0x0000, 0x8x8, "fileApp") from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateHardLinkA()

CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateHardLinkW()

CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()

CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()

CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

UNSAFE CALL: CreateSymbolicLinkTransactedA()

CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x11527944) from kernel32.dll

UNSAFE CALL: CreateSymbolicLinkTransactedW()

CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x11527944) from kernel32.dll

UNSAFE CALL: CreateSymbolicLinkTransactedW()

CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x11527944) from kernel32.dll

POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()

CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x11527944) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()

CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x11527944) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()

CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x11527944) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

UNSAFE CALL: CreateNamedPipeA()

CreateNamedPipeA("\\.\pipe\pipeA", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

UNSAFE CALL: CreateNamedPipeW()

CreateNamedPipeW("\\.\pipe\pipeW", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

CreatePipe(0x11527932, 0x11527920, 0x0, 0x0400) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateMailslotA()

CreateMailslotA("\\.\mailslot\mailslotA", 0x0400, 0x01f4, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateMailslotW()

CreateMailslotW("\\.\mailslot\mailslotA", 0x0400, 0x01f4, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateMailslotW()

CreateMailslotW("\\.\mailslot\mailslotW", 0x0400, 0x01f4, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

CreateThread(0x11531040, 0x2000, 0x13701240, 0x11531016, 0x0000, 0x11531028) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x11531040 readable
    nLength = 12lpSecurityDescriptor Address = 0x8x8 is not redable UNSAFE

Buggy running...
buf=strcpy_source
buf=lstrcpyA_source
lbuf=00AFE720
lbuf=00AFE720
buf=lstrcpynA_source
lbuf=00AFE720
buf=strncpy_source
lbuf=00AFE720
buf=strcat_source
lbuf=00AFE720
buf=strcat_sourcestrncat_source
lbuf=00AFE720
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=00AFE720
thread id = 7144
Press q enter...UNSAFE CALL: strcpy()

strcpy(0x97057108, "strcpy_source") from ucrtbased.dll

UNSAFE CALL: lstrcpyA()

lstrcpyA(0x97057108, "lstrcpyA_source") from kernel32.dll

UNSAFE CALL: lstrcpyW()

lstrcpyW(0x97055052, "lstrcpyW_source") from kernel32.dll

UNSAFE CALL: wcscpy()

wcscpy(0x97055052, "wcscpy_source") from ucrtbased.dll

UNSAFE CALL: lstrcpynA()

lstrcpynA(0x97057108, "lstrcpynA_source", 1024) from kernel32.dll

UNSAFE CALL: lstrcpynW()

lstrcpynW(0x97055052, "lstrcpynW_source", 1024) from kernel32.dll

UNSAFE CALL: strncpy()

strncpy(0x97057108, "strncpy_source", 1024) from ucrtbased.dll

UNSAFE CALL: wcsncpy()

wcsncpy(0x97055052, "wcsncpy_source", 1024) from ucrtbased.dll

UNSAFE CALL: strcat()

strcat(0x97057108, "strcat_source") from ucrtbased.dll

UNSAFE CALL: wcscat()

wcscat(0x97055052, "wcscat_source") from ucrtbased.dll

UNSAFE CALL: strncat()

strncat(0x97057108, "strncat_source", 1024) from ucrtbased.dll

UNSAFE CALL: wcsncat()

wcsncat(0x97055052, "wcsncat_source", 1024) from ucrtbased.dll

UNSAFE CALL: lstrcatA()

lstrcatA(0x97057108, "lstrcatA_source") from kernel32.dll

UNSAFE CALL: lstrcatW()

lstrcatW(0x97055052, "lstrcatW_source") from kernel32.dll

POTENTIAL UNSAFE CALL: CreateFileA()

CreateFileA("fileA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileW()

CreateFileW("fileW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

UNSAFE CALL: CreateFile2()

CreateFile2("file2.txt", 0x0000, 0x0000, 0x0000, 0x0) from kernel32.dll

POTENTIAL UNSAFE CALL: CreateFileTransactedA()

CreateFileTransactedA("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x97055040, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileTransactedW()

CreateFileTransactedW("fileTransactedA.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x97055040, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileTransactedW()

CreateFileTransactedW("fileTransactedW.txt", 0x0000, 0x0000, 0x0, 0x0000, 0x0000, 0x0, 0x0, 0x97055040, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileMappingA()

CreateFileMappingA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA") from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileMappingW()

CreateFileMappingW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW") from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileMappingNumaA()

CreateFileMappingNumaA(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileA", 0x1234) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileMappingNumaW()

CreateFileMappingNumaW(0x0, 0x0, 0x0000, 0x0001, 0x0001, "fileW", 0x1234) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateFileMappingFromApp()

CreateFileMappingW(0x0, 0x0, 0x0000, 0x8x8, "fileApp") from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateHardLinkA()

CreateHardLinkA("delete1.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateHardLinkW()

CreateHardLinkW("delete2.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateSymbolicLinkA()

CreateSymbolicLinkA("delete3.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateSymbolicLinkW()

CreateSymbolicLinkW("delete4.exe", "C:\Windows\System32\calc.exe", 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

UNSAFE CALL: CreateSymbolicLinkTransactedA()

CreateSymbolicLinkTransactedA("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x97055028) from kernel32.dll

UNSAFE CALL: CreateSymbolicLinkTransactedW()

CreateSymbolicLinkTransactedW("delete5.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x97055028) from kernel32.dll

UNSAFE CALL: CreateSymbolicLinkTransactedW()

CreateSymbolicLinkTransactedW("delete6.exe", "C:\Windows\System32\calc.exe", 0x0000, 0x97055028) from kernel32.dll

POTENTIAL UNSAFE CALL: CreateHardLinkTransactedA()

CreateHardLinkTransactedA("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x97055028) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()

CreateHardLinkTransactedW("delete7.exe", "C:\Windows\System32\calc.exe", 0x0, 0x97055028) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateHardLinkTransactedW()

CreateHardLinkTransactedW("delete8.exe", "C:\Windows\System32\calc.exe", 0x0, 0x97055028) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

UNSAFE CALL: CreateNamedPipeA()

CreateNamedPipeA("\\.\pipe\pipeA", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

UNSAFE CALL: CreateNamedPipeW()

CreateNamedPipeW("\\.\pipe\pipeW", 0x0000, 0x0000, 0x0001, 0x0400, 0x0400, 0x01f4, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

CreatePipe(0x97055016, 0x97055004, 0x0, 0x0400) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateMailslotA()

CreateMailslotA("\\.\mailslot\mailslotA", 0x0400, 0x01f4, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateMailslotW()

CreateMailslotW("\\.\mailslot\mailslotA", 0x0400, 0x01f4, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

POTENTIAL UNSAFE CALL: CreateMailslotW()

CreateMailslotW("\\.\mailslot\mailslotW", 0x0400, 0x01f4, 0x0) from kernel32.dll

LPSECURITY_ATTRIBUTES analyses:
    Address 0x0 is not readable: UNSAFE

buf=strcpy_source
buf=lstrcpyA_source
lbuf=05C8F14C
lbuf=05C8F14C
buf=lstrcpynA_source
lbuf=05C8F14C
buf=strncpy_source
lbuf=05C8F14C
buf=strcat_source
lbuf=05C8F14C
buf=strcat_sourcestrncat_source
lbuf=05C8F14C
buf=strcat_sourcestrncat_sourcelstrcatA_source
lbuf=05C8F14C
Buggy finished...
--- Added later: ---

Made syntax highlighting based on message classes: UNSAFE, POTENTIAL UNSAFE, INFO, ANALYSES. It turned out great...!

--- Added later: ---

EIGHTH DAY OF DEVELOPMENT

Added interception of ReadFile() and ReadFileEx() and made a dump of the buffer in hex, ASCII and Unicode

--- Added later: ---

Added interception of WriteFile() and WriteFileEx(), and found a NULL pointer dereference vulnerability in kernel32.dll
--- Added later: ---

Added protection against self-logging: the tracer started logging its own calls in an endless loop, catching the calls of the logging functions. A bool IsMyCall flag.

At the moment the calls of the following functions are tracked, and I need to debug the tracer code on skype processes by commenting out and bisecting the function list:

static LocalHook CreateThread_hook = null;

static LocalHook CreateFileA_hook = null;
static LocalHook CreateFileW_hook = null;
static LocalHook CreateFile2_hook = null;
static LocalHook CreateFileTransactedA_hook = null;
static LocalHook CreateFileTransactedW_hook = null;
static LocalHook CreateFileMappingA_hook = null;
static LocalHook CreateFileMappingW_hook = null;
static LocalHook CreateFileMappingNumaA_hook = null;
static LocalHook CreateFileMappingNumaW_hook = null;
static LocalHook CreateFileMappingFromApp_hook = null;

static LocalHook CreateHardLinkA_hook = null;
static LocalHook CreateHardLinkW_hook = null;
static LocalHook CreateSymbolicLinkA_hook = null;
static LocalHook CreateSymbolicLinkW_hook = null;
static LocalHook CreateSymbolicLinkTransactedA_hook = null;
static LocalHook CreateSymbolicLinkTransactedW_hook = null;
static LocalHook CreateHardLinkTransactedA_hook = null;
static LocalHook CreateHardLinkTransactedW_hook = null;

static LocalHook CreateNamedPipeA_hook = null;
static LocalHook CreateNamedPipeW_hook = null;
static LocalHook CreatePipe_hook = null;
static LocalHook CreateMailslotA_hook = null;
static LocalHook CreateMailslotW_hook = null;

static LocalHook ReadFile_hook = null;
static LocalHook ReadFileEx_hook = null;
static LocalHook WriteFile_hook = null;
static LocalHook WriteFileEx_hook = null;

static LocalHook lstrcpyA_hook = null;
static LocalHook lstrcpyW_hook = null;
static LocalHook lstrcpynA_hook = null;
static LocalHook lstrcpynW_hook = null;
//static LocalHook uaw_wcscpy_hook = null;

static LocalHook strcpy_hook = null;
static LocalHook wcscpy_hook = null;
static LocalHook strncpy_hook = null;
static LocalHook wcsncpy_hook = null;

static LocalHook strcat_hook = null;
static LocalHook wcscat_hook = null;
static LocalHook strncat_hook = null;
static LocalHook wcsncat_hook = null;

static LocalHook lstrcatA_hook = null;
static LocalHook lstrcatW_hook = null;
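An added example of the LPSECURITY_ATTRIBUTES analysis described in this post; it is not code from the ltrace/vpath tracer and is written in Python rather than C# so the decoding logic can be run without a hooked process. Target-process memory is simulated as a dict of readable regions (constructed sample data), the struct layout is the 32-bit one (nLength = 12, as in the trace), and the absolute SECURITY_DESCRIPTOR form is assumed. One caveat on the classification above: a NULL LPSECURITY_ATTRIBUTES, or a NULL lpSecurityDescriptor inside it, gives the new object the default security descriptor from the creator's access token, which is the normal case and not by itself a hole; the case that opens the object to everyone is an explicit descriptor whose DACL is absent (SE_DACL_PRESENT clear, or a NULL DACL). The example therefore reports the NULL cases separately from the unreadable-pointer case seen at the CreateThread call in the trace.

```python
"""Decode and classify a SECURITY_ATTRIBUTES argument captured by a hook.

Added example, not code from the tracer in this thread. Target-process memory
is simulated as {base_address: bytes} (constructed sample data); the layout is
32-bit (x86), matching nLength = 12 in the trace above.
"""
import struct

# SECURITY_ATTRIBUTES on x86: DWORD nLength; LPVOID lpSecurityDescriptor; BOOL bInheritHandle
SA_FMT = "<III"
SA_SIZE = struct.calcsize(SA_FMT)   # 12
# SECURITY_DESCRIPTOR, absolute form, x86:
# BYTE Revision; BYTE Sbz1; WORD Control; PSID Owner; PSID Group; PACL Sacl; PACL Dacl
SD_FMT = "<BBHIIII"
SD_SIZE = struct.calcsize(SD_FMT)   # 20
SE_DACL_PRESENT = 0x0004            # SECURITY_DESCRIPTOR_CONTROL flag


class TargetMemory:
    """Readable memory of the hooked process, simulated as address -> bytes regions."""

    def __init__(self, regions):
        self.regions = dict(regions)

    def read(self, address, size):
        """Return `size` bytes at `address`, or None when the range is not readable."""
        for base, data in self.regions.items():
            if base <= address and address + size <= base + len(data):
                off = address - base
                return data[off:off + size]
        return None


def analyse_security_attributes(mem, sa_ptr):
    """Classify the LPSECURITY_ATTRIBUTES value `sa_ptr` passed to a hooked Create* call.

    Returns (verdict, detail):
      DEFAULT - NULL pointer or NULL lpSecurityDescriptor: the object gets the
                default security descriptor of the creator's token (the tracer in
                the thread reports this as UNSAFE; it is the common, normal case).
      UNSAFE  - the struct or descriptor is unreadable/uninitialised, or the
                descriptor has no DACL, which grants everyone full access.
      INFO    - explicit descriptor with a DACL; its ACEs need review.
    """
    if sa_ptr == 0:
        return "DEFAULT", "lpSecurityAttributes is NULL: default security from the creator's token"
    raw = mem.read(sa_ptr, SA_SIZE)
    if raw is None:
        return "UNSAFE", f"address {sa_ptr:#x} is not readable"
    n_length, sd_ptr, inherit = struct.unpack(SA_FMT, raw)
    if n_length != SA_SIZE:
        return "UNSAFE", f"nLength = {n_length}, expected {SA_SIZE}: struct not initialised"
    if sd_ptr == 0:
        return "DEFAULT", f"lpSecurityDescriptor is NULL (bInheritHandle = {inherit})"
    sd = mem.read(sd_ptr, SD_SIZE)
    if sd is None:
        return "UNSAFE", f"lpSecurityDescriptor = {sd_ptr:#x} is not readable"
    revision, _sbz1, control, _owner, _group, _sacl, dacl = struct.unpack(SD_FMT, sd)
    if revision != 1:
        return "UNSAFE", f"SECURITY_DESCRIPTOR revision {revision} is invalid"
    if not (control & SE_DACL_PRESENT) or dacl == 0:
        # No DACL at all: Windows grants every principal full access to the object
        return "UNSAFE", "NULL DACL: object is accessible to everyone"
    return "INFO", f"DACL present at {dacl:#x} (bInheritHandle = {inherit}); review its ACEs"


def build_sample_memory():
    """Constructed memory image with one SECURITY_ATTRIBUTES variant per address."""
    sd_no_dacl = struct.pack(SD_FMT, 1, 0, 0x0000, 0, 0, 0, 0)
    sd_with_dacl = struct.pack(SD_FMT, 1, 0, SE_DACL_PRESENT, 0, 0, 0, 0x30000)
    return TargetMemory({
        0x1000: struct.pack(SA_FMT, SA_SIZE, 0, 1),          # explicit struct, NULL descriptor
        0x2000: struct.pack(SA_FMT, SA_SIZE, 0x8080808, 0),  # descriptor pointer not readable
        0x3000: struct.pack(SA_FMT, SA_SIZE, 0x4000, 0),     # descriptor without a DACL
        0x4000: sd_no_dacl,
        0x5000: struct.pack(SA_FMT, SA_SIZE, 0x6000, 1),     # descriptor with a DACL
        0x6000: sd_with_dacl,
        0x7000: struct.pack(SA_FMT, 0, 0, 0),                # nLength never set
    })


def run_demo():
    """Classify a set of pointer values and return {pointer: verdict}."""
    mem = build_sample_memory()
    results = {}
    for ptr in (0x0, 0x1000, 0x2000, 0x3000, 0x5000, 0x7000, 0xDEAD):
        verdict, detail = analyse_security_attributes(mem, ptr)
        results[ptr] = verdict
        print(f"lpSecurityAttributes = {ptr:#08x}: {verdict:7} {detail}")
    return results


if __name__ == "__main__":
    run_demo()
```

In a real hook the `TargetMemory.read` call is the place where ReadProcessMemory (or, inside an in-process EasyHook detour, a guarded read) goes; everything after it is plain struct decoding. Reporting DEFAULT separately from UNSAFE keeps the report focused on the calls that actually hand out an over-permissive descriptor.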
Talomir
NINTH DAY OF DEVELOPMENT

Working time went into a bugfix in my own tracer ltrace.exe: there was a Null Pointer Dereference error when trying to read the file name in calls where the file name was NULL.

The next day will most likely go to one more bugfix: a recursive lookup when attaching to Skype, and Skype hanging.

So far I have dug up two vulnerabilities in Windows 10: null security attributes and a null pointer dereference in kernel32.dll. These are local data-leak vulnerabilities and are not yet suitable for the game on batteries.