122 lines
4.3 KiB
C
122 lines
4.3 KiB
C
#include "dr_api.h"
|
|
#include "dr_ir_opnd.h"
|
|
#include "dr_ir_instr.h"
|
|
#include "dr_ir_opcodes_x86.h"
|
|
#include "dr_ir_macros_x86.h"
|
|
|
|
#include <ctype.h>
|
|
#include <string.h>
|
|
#include <windows.h>
|
|
#include <commdlg.h>
|
|
|
|
char *CUSTOM_FILE = "C:\\Users\\vboxuser\\Downloads\\spoofed_number.txt";
|
|
|
|
static app_pc pc_GetOpenFileNameA = NULL;
|
|
|
|
static app_pc pc_QString_QString = NULL;
|
|
static app_pc pc_QFileDialog_getOpenFileName = NULL;
|
|
|
|
static void intercept_GetOpenFileNameA() {
|
|
void *drcontext = dr_get_current_drcontext();
|
|
|
|
dr_mcontext_t mcontext = { sizeof(mcontext), DR_MC_ALL };
|
|
dr_get_mcontext(drcontext, &mcontext);
|
|
|
|
OPENFILENAME *ofn = (OPENFILENAME *)mcontext.rcx;
|
|
|
|
for (int i = 0; i < strlen(CUSTOM_FILE); i++) ofn->lpstrFile[i] = CUSTOM_FILE[i];
|
|
ofn->lpstrFile[strlen(CUSTOM_FILE)] = 0;
|
|
|
|
mcontext.rax = 1;
|
|
|
|
dr_set_mcontext(drcontext, &mcontext);
|
|
}
|
|
|
|
static void intercept_QFileDialog_getOpenFileName() {
|
|
void *drcontext = dr_get_current_drcontext();
|
|
|
|
dr_mcontext_t mcontext = { sizeof(mcontext), DR_MC_ALL };
|
|
dr_get_mcontext(drcontext, &mcontext);
|
|
|
|
// make use of QString constructor to construct return value
|
|
void *QString = (void *)mcontext.rcx;
|
|
void(*QString_QString)(void *, char *) = (void(*)(void *, char *))pc_QString_QString;
|
|
QString_QString(QString, CUSTOM_FILE);
|
|
}
|
|
|
|
static void event_exit(void) {
|
|
}
|
|
|
|
static void event_module_load(void *drcontext, const module_data_t *mod, bool loaded) {
|
|
char lowerpath[MAX_PATH];
|
|
strcpy(lowerpath, mod->full_path);
|
|
for (int i = 0; i < strlen(lowerpath); i++) {
|
|
lowerpath[i] = tolower(lowerpath[i]);
|
|
}
|
|
|
|
if (strstr(lowerpath, "qt6core.dll")) {
|
|
pc_QString_QString = (app_pc)dr_get_proc_address(mod->handle, "??0QString@@QEAA@PEBD@Z");
|
|
// if (pc_QString_QString) dr_printf("Found QString::QString at %p\n", pc_QString_QString);
|
|
}
|
|
|
|
if (strstr(lowerpath, "qt6widgets.dll")) {
|
|
pc_QFileDialog_getOpenFileName = (app_pc)dr_get_proc_address(mod->handle, "?getOpenFileName@QFileDialog@@SA?AVQString@@PEAVQWidget@@AEBV2@11PEAV2@V?$QFlags@W4Option@QFileDialog@@@@@Z");
|
|
// if (pc_QFileDialog_getOpenFileName) dr_printf("Found QFileDialog::getOpenFileName at %p\n", pc_QFileDialog_getOpenFileName);
|
|
}
|
|
|
|
if (strstr(lowerpath, "comdlg32.dll")) {
|
|
pc_GetOpenFileNameA = (app_pc)dr_get_proc_address(mod->handle, "GetOpenFileNameA");
|
|
// if (pc_GetOpenFileNameA) dr_printf("Found GetOpenFileNameA at %p\n", pc_GetOpenFileNameA);
|
|
}
|
|
}
|
|
|
|
|
|
static dr_emit_flags_t event_basic_block(void *drcontext, void *tag, instrlist_t *bb, bool for_trace, bool translating) {
|
|
instr_t *to_remove = NULL, *instr = instrlist_first(bb);
|
|
while (instr) {
|
|
instr_t *next = instr_get_next(instr);
|
|
|
|
app_pc target = NULL;
|
|
|
|
if (instr_is_call_direct(instr)) {
|
|
app_pc target = instr_get_branch_target_pc(instr);
|
|
} else if (instr_is_call_indirect(instr)) {
|
|
opnd_t opnd = instr_get_src(instr, 0);
|
|
if (opnd_is_memory_reference(opnd)) {
|
|
app_pc addr = opnd_compute_address(opnd, drcontext);
|
|
if (addr) dr_safe_read(addr, sizeof(app_pc), &target, NULL);
|
|
}
|
|
}
|
|
|
|
if (!target) {
|
|
instr = next;
|
|
continue;
|
|
}
|
|
|
|
if (target == pc_GetOpenFileNameA) {
|
|
// dr_printf("Call to GetOpenFileNameA detected at %p\n", instr_get_app_pc(instr));
|
|
dr_insert_clean_call(drcontext, bb, instr, (void *)intercept_GetOpenFileNameA, false, 0);
|
|
instrlist_remove(bb, instr);
|
|
instr_destroy(drcontext, instr);
|
|
}
|
|
else if (target == pc_QFileDialog_getOpenFileName) {
|
|
// dr_printf("Call to QFileDialog::getOpenFileName detected at %p\n", instr_get_app_pc(instr));
|
|
dr_insert_clean_call(drcontext, bb, instr, (void *)intercept_QFileDialog_getOpenFileName, false, 0);
|
|
instrlist_remove(bb, instr);
|
|
instr_destroy(drcontext, instr);
|
|
}
|
|
|
|
instr = next;
|
|
}
|
|
|
|
return DR_EMIT_DEFAULT;
|
|
}
|
|
|
|
DR_EXPORT void dr_client_main(client_id_t id, int argc, const char *argv[]) {
|
|
dr_set_client_name("Custom DynamoRIO client", "https://gitea.cloud.lehnert.dev/ludwig/windows-binary-fuzzing");
|
|
dr_register_exit_event(event_exit);
|
|
dr_register_module_load_event(event_module_load);
|
|
dr_register_bb_event(event_basic_block);
|
|
}
|
|
|