
+GetAPISetMapping
FuzzySecurity committed Jan 16, 2020
1 parent 50e38fa commit 630aa77
Showing 6 changed files with 402 additions and 0 deletions.
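--- /dev/null
+++ b/GetAPISetMapping/GetAPISetMapping.csproj
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+<PropertyGroup>
+<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+<ProjectGuid>{EACAA2B8-43E5-4888-826D-2F6902E16546}</ProjectGuid>
+<OutputType>Exe</OutputType>
+<RootNamespace>GetAPISetMapping</RootNamespace>
+<AssemblyName>GetAPISetMapping</AssemblyName>
+<TargetFrameworkVersion>v3.5</TargetFrameworkVersion>
+<FileAlignment>512</FileAlignment>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugSymbols>true</DebugSymbols>
+<DebugType>full</DebugType>
+<Optimize>false</Optimize>
+<OutputPath>bin\Debug\</OutputPath>
+<DefineConstants>DEBUG;TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugType>pdbonly</DebugType>
+<Optimize>true</Optimize>
+<OutputPath>bin\Release\</OutputPath>
+<DefineConstants>TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<ItemGroup>
+<Reference Include="System" />
+<Reference Include="System.Core" />
+<Reference Include="System.Xml.Linq" />
+<Reference Include="System.Data.DataSetExtensions" />
+<Reference Include="System.Data" />
+<Reference Include="System.Xml" />
+</ItemGroup>
+<ItemGroup>
+<Compile Include="Helper.cs" />
+<Compile Include="Program.cs" />
+<Compile Include="Properties\AssemblyInfo.cs" />
+</ItemGroup>
+<ItemGroup>
+<PackageReference Include="CommandLineParser">
+<Version>1.9.3.15</Version>
+</PackageReference>
+</ItemGroup>
+<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>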
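--- /dev/null
+++ b/GetAPISetMapping/GetAPISetMapping.sln
@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.27703.2035
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GetAPISetMapping", "GetAPISetMapping.csproj", "{EACAA2B8-43E5-4888-826D-2F6902E16546}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|Any CPU = Debug|Any CPU
+Release|Any CPU = Release|Any CPU
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{EACAA2B8-43E5-4888-826D-2F6902E16546}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{EACAA2B8-43E5-4888-826D-2F6902E16546}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{EACAA2B8-43E5-4888-826D-2F6902E16546}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{EACAA2B8-43E5-4888-826D-2F6902E16546}.Release|Any CPU.Build.0 = Release|Any CPU
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {CD6202C2-9E5E-4037-952E-47B0788ECDD2}
+EndGlobalSection
+EndGlobal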
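--- /dev/null
+++ b/GetAPISetMapping/Helper.cs
@@ -0,0 +1,102 @@
+using System;
+using System.Runtime.InteropServices;
+
+namespace GetAPISetMapping
+{
+class Helper
+{
+// API Defs
+//--------------------------------------
+[DllImport("ntdll.dll")]
+public static extern UInt32 RtlGetVersion(
+ref OSVERSIONINFOEX VersionInformation);
+
+[DllImport("ntdll.dll")]
+public static extern UInt32 NtQueryInformationProcess(
+IntPtr processHandle,
+UInt32 processInformationClass,
+ref PROCESS_BASIC_INFORMATION processInformation,
+int processInformationLength,
+ref UInt32 returnLength);
+
+// Structs
+//--------------------------------------
+public struct PROCESS_BASIC_INFORMATION
+{
+public IntPtr ExitStatus;
+public IntPtr PebBaseAddress;
+public IntPtr AffinityMask;
+public IntPtr BasePriority;
+public UIntPtr UniqueProcessId;
+public int InheritedFromUniqueProcessId;
+
+public int Size
+{
+get { return (int)Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION)); }
+}
+}
+
+[StructLayout(LayoutKind.Sequential)]
+public struct OSVERSIONINFOEX
+{
+public uint OSVersionInfoSize;
+public uint MajorVersion;
+public uint MinorVersion;
+public uint BuildNumber;
+public uint PlatformId;
+[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 128)]
+public string CSDVersion;
+public ushort ServicePackMajor;
+public ushort ServicePackMinor;
+public ushort SuiteMask;
+public byte ProductType;
+public byte Reserved;
+}
+
+[StructLayout(LayoutKind.Explicit)]
+public struct ApiSetNamespace
+{
+[FieldOffset(0x0C)]
+public int Count;
+
+[FieldOffset(0x10)]
+public int EntryOffset;
+}
+
+[StructLayout(LayoutKind.Explicit, Size = 24)]
+public struct ApiSetNamespaceEntry
+{
+[FieldOffset(0x04)]
+public int NameOffset;
+
+[FieldOffset(0x08)]
+public int NameLength;
+
+[FieldOffset(0x10)]
+public int ValueOffset;
+}
+
+[StructLayout(LayoutKind.Explicit)]
+public struct ApiSetValueEntry
+{
+[FieldOffset(0x0C)]
+public int ValueOffset;
+
+[FieldOffset(0x10)]
+public int ValueCount;
+}
+
+// Helpers
+//--------------------------------------
+public static void PrintHelp()
+{
+string HelpText = " >--~~--> Args? <--~~--<\n\n" +
+"-List (-l) Boolean: List all know API Set mappings.\n" +
+"-Search (-s) String: Perform string match based on partial or full API Set name.\n\n" +
+" >--~~--> Usage? <--~~--<\n\n" +
+"GetAPISetMapping.exe -l\n" +
+"GetAPISetMapping.exe -s \"api-ms-win-appmodel-state-l1-2-0.dll\"";
+Console.WriteLine(HelpText);
+}
+}
+}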
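Review bot: `ApiSetValueEntry.ValueCount` at offset 0x10 is misnamed: in the schema these explicit offsets correspond to (the version-6 API set map used since Windows 10) that field is the value string's length in bytes, and Program.cs indeed divides it by two to get a character count, so `public int ValueLength;` with a comment `// byte length of the host DLL name, not an entry count` would describe it honestly. The namespace header's own schema version lives at offset 0 but is not declared; adding `[FieldOffset(0x00)] public int Version;` to `ApiSetNamespace` would let the caller confirm the layout it is about to parse directly rather than inferring it from the OS major version. In `PROCESS_BASIC_INFORMATION`, `InheritedFromUniqueProcessId` is declared `int` while the native field is pointer-sized (`ULONG_PTR`); the marshalled size still comes out right on x64 only because of trailing padding, so `UIntPtr` is the accurate type and would match `UniqueProcessId` beside it. None of the explicit-layout structs carry a comment naming the native structure they mirror, which is the first thing a maintainer will need when an offset stops matching; a one-line header comment per struct (e.g. `// Mirrors API_SET_NAMESPACE_ENTRY (v6); only the fields this tool reads are declared`) would cover that.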
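--- /dev/null
+++ b/GetAPISetMapping/Program.cs
@@ -0,0 +1,149 @@
+using System;
+using System.Collections.Generic;
+using System.Runtime.InteropServices;
+using System.Text;
+using CommandLine;
+
+namespace GetAPISetMapping
+{
+class Program
+{
+public static Dictionary<string, string> GetApiSetDict()
+{
+// Get PEB
+Helper.PROCESS_BASIC_INFORMATION pbi = new Helper.PROCESS_BASIC_INFORMATION();
+UInt32 RetLen = 0;
+Helper.NtQueryInformationProcess((IntPtr)(-1), 0, ref pbi, Marshal.SizeOf(pbi), ref RetLen);
+
+// Are we executing for x86 or x64
+UInt32 ApiSetMapOffset = 0;
+if (IntPtr.Size == 4)
+{
+ApiSetMapOffset = 0x38;
+}
+else
+{
+ApiSetMapOffset = 0x68;
+}
+
+// Create mapping dictionary
+Dictionary<string, string> ApiSetDict = new Dictionary<string, string>();
+
+IntPtr pApiSetNamespace = Marshal.ReadIntPtr((IntPtr)((UInt64)pbi.PebBaseAddress + ApiSetMapOffset));
+Helper.ApiSetNamespace Namespace = new Helper.ApiSetNamespace();
+Namespace = (Helper.ApiSetNamespace)Marshal.PtrToStructure(pApiSetNamespace, typeof(Helper.ApiSetNamespace));
+for (var i = 0; i < Namespace.Count; i++)
+{
+Helper.ApiSetNamespaceEntry SetEntry = new Helper.ApiSetNamespaceEntry();
+SetEntry = (Helper.ApiSetNamespaceEntry)Marshal.PtrToStructure((IntPtr)((UInt64)pApiSetNamespace + (UInt64)Namespace.EntryOffset + (UInt64)(i * Marshal.SizeOf(SetEntry))), typeof(Helper.ApiSetNamespaceEntry));
+String ApiSetEntryName = Marshal.PtrToStringUni((IntPtr)((UInt64)pApiSetNamespace + (UInt64)SetEntry.NameOffset), SetEntry.NameLength / 2) + ".dll";
+
+Helper.ApiSetValueEntry SetValue = new Helper.ApiSetValueEntry();
+SetValue = (Helper.ApiSetValueEntry)Marshal.PtrToStructure((IntPtr)((UInt64)pApiSetNamespace + (UInt64)SetEntry.ValueOffset), typeof(Helper.ApiSetValueEntry));
+String ApiSetValue = String.Empty;
+if (SetValue.ValueCount != 0)
+{
+ApiSetValue = Marshal.PtrToStringUni((IntPtr)((UInt64)pApiSetNamespace + (UInt64)SetValue.ValueOffset), SetValue.ValueCount / 2);
+
+}
+
+// Add pair to dict
+ApiSetDict.Add(ApiSetEntryName, ApiSetValue);
+}
+
+// Return dict
+return ApiSetDict;
+}
+
+// Read API set
+public static void GetAPISet(String Name, Boolean List)
+{
+// Our parser only supports resolution on the Win10 PEB format
+Helper.OSVERSIONINFOEX ovi = new Helper.OSVERSIONINFOEX();
+Helper.RtlGetVersion(ref ovi);
+if (ovi.MajorVersion != 10)
+{
+Console.WriteLine("API Set resolution is only supported on Windows 10..");
+return;
+}
+
+Dictionary<string, string> ApiDict = GetApiSetDict();
+if (List)
+{
+foreach (KeyValuePair<string, string> mapping in ApiDict)
+{
+if (string.IsNullOrEmpty(mapping.Value))
+{
+Console.WriteLine("API Set: " + mapping.Key + " --> N/A");
+} else
+{
+Console.WriteLine("API Set: " + mapping.Key + " --> " + mapping.Value);
+}
+}
+} else
+{
+String SearchResult = String.Empty;
+foreach (KeyValuePair<string, string> mapping in ApiDict)
+{
+if ((mapping.Key).ToLower().Contains(Name.ToLower()))
+{
+if (SearchResult == String.Empty)
+{
+SearchResult += "API Set: " + mapping.Key + " --> " + mapping.Value;
+} else
+{
+SearchResult += "\nAPI Set: " + mapping.Key + " --> " + mapping.Value;
+}
+}
+}
+
+if (SearchResult == String.Empty)
+{
+Console.WriteLine("[!] No matches found..");
+} else
+{
+Console.WriteLine(SearchResult);
+}
+}
+}
+
+// Process arg options
+class ArgOptions
+{
+[Option("s", "Search")]
+public string Search { get; set; }
+
+[Option("l", "List")]
+public bool List { get; set; }
+}
+
+static void Main(string[] args)
+{
+// Read args
+var ArgOptions = new ArgOptions();
+
+// Parse args
+if (CommandLineParser.Default.ParseArguments(args, ArgOptions))
+{
+if (string.IsNullOrEmpty(ArgOptions.Search) && !ArgOptions.List)
+{
+Helper.PrintHelp();
+}
+else
+{
+if (ArgOptions.List)
+{
+GetAPISet(String.Empty, true);
+} else
+{
+GetAPISet(ArgOptions.Search, false);
+}
+}
+}
+else
+{
+Helper.PrintHelp();
+}
+}
+}
+}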
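Review bot: The NTSTATUS returned by `Helper.NtQueryInformationProcess` at the top of `GetApiSetDict` is discarded, so a failed query (for example a size mismatch if the `PROCESS_BASIC_INFORMATION` layout ever drifts) leaves `pbi.PebBaseAddress` at zero and the `Marshal.ReadIntPtr` on the PEB a few lines later faults with an access violation instead of a readable error; capture it as `UInt32 status = Helper.NtQueryInformationProcess((IntPtr)(-1), 0, ref pbi, Marshal.SizeOf(pbi), ref RetLen);` and follow with `if (status != 0) throw new InvalidOperationException("NtQueryInformationProcess failed: 0x" + status.ToString("X8"));`. The same tolerance is missing for the map pointer itself: a null `pApiSetNamespace` should be rejected before `PtrToStructure` is called on it. In the loop, `ApiSetDict.Add(ApiSetEntryName, ApiSetValue)` throws `ArgumentException` on a repeated name, which would abort the whole listing over one duplicate; `ApiSetDict[ApiSetEntryName] = ApiSetValue;` keeps the tool running and is the behaviour a dump utility wants. In `GetAPISet`, the `ToLower().Contains(Name.ToLower())` match is culture-sensitive; on the v3.5 target the culture-safe form is `mapping.Key.IndexOf(Name, StringComparison.OrdinalIgnoreCase) >= 0`. The `0x38`/`0x68` PEB offsets and the "Windows 10 only" check deserve a comment naming the field they select (`PEB.ApiSetMap`) so a maintainer can re-verify them against the public structure when the OS check is revisited.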
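--- /dev/null
+++ b/GetAPISetMapping/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("GetAPISetMapping")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("GetAPISetMapping")]
+[assembly: AssemblyCopyright("Copyright © 2020")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("eacaa2b8-43e5-4888-826d-2f6902e16546")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]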
