1 parent
50e38fa
commit 630aa77
Showing
6 changed files
with
402 additions
and
0 deletions.
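--- /dev/null
+++ b/GetAPISetMapping.csproj
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+<PropertyGroup>
+<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+<ProjectGuid>{EACAA2B8-43E5-4888-826D-2F6902E16546}</ProjectGuid>
+<OutputType>Exe</OutputType>
+<RootNamespace>GetAPISetMapping</RootNamespace>
+<AssemblyName>GetAPISetMapping</AssemblyName>
+<TargetFrameworkVersion>v3.5</TargetFrameworkVersion>
+<FileAlignment>512</FileAlignment>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugSymbols>true</DebugSymbols>
+<DebugType>full</DebugType>
+<Optimize>false</Optimize>
+<OutputPath>bin\Debug\</OutputPath>
+<DefineConstants>DEBUG;TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugType>pdbonly</DebugType>
+<Optimize>true</Optimize>
+<OutputPath>bin\Release\</OutputPath>
+<DefineConstants>TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<ItemGroup>
+<Reference Include="System" />
+<Reference Include="System.Core" />
+<Reference Include="System.Xml.Linq" />
+<Reference Include="System.Data.DataSetExtensions" />
+<Reference Include="System.Data" />
+<Reference Include="System.Xml" />
+</ItemGroup>
+<ItemGroup>
+<Compile Include="Helper.cs" />
+<Compile Include="Program.cs" />
+<Compile Include="Properties\AssemblyInfo.cs" />
+</ItemGroup>
+<ItemGroup>
+<PackageReference Include="CommandLineParser">
+<Version>1.9.3.15</Version>
+</PackageReference>
+</ItemGroup>
+<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>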
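--- /dev/null
+++ b/UNKNOWN-PATH.sln
@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.27703.2035
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GetAPISetMapping", "GetAPISetMapping.csproj", "{EACAA2B8-43E5-4888-826D-2F6902E16546}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|Any CPU = Debug|Any CPU
+Release|Any CPU = Release|Any CPU
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{EACAA2B8-43E5-4888-826D-2F6902E16546}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{EACAA2B8-43E5-4888-826D-2F6902E16546}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{EACAA2B8-43E5-4888-826D-2F6902E16546}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{EACAA2B8-43E5-4888-826D-2F6902E16546}.Release|Any CPU.Build.0 = Release|Any CPU
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {CD6202C2-9E5E-4037-952E-47B0788ECDD2}
+EndGlobalSection
+EndGlobal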
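--- /dev/null
+++ b/Helper.cs
@@ -0,0 +1,102 @@
+using System;
+using System.Runtime.InteropServices;
+
+namespace GetAPISetMapping
+{
+class Helper
+{
+// API Defs
+//--------------------------------------
+[DllImport("ntdll.dll")]
+public static extern UInt32 RtlGetVersion(
+ref OSVERSIONINFOEX VersionInformation);
+
+[DllImport("ntdll.dll")]
+public static extern UInt32 NtQueryInformationProcess(
+IntPtr processHandle,
+UInt32 processInformationClass,
+ref PROCESS_BASIC_INFORMATION processInformation,
+int processInformationLength,
+ref UInt32 returnLength);
+
+// Structs
+//--------------------------------------
+public struct PROCESS_BASIC_INFORMATION
+{
+public IntPtr ExitStatus;
+public IntPtr PebBaseAddress;
+public IntPtr AffinityMask;
+public IntPtr BasePriority;
+public UIntPtr UniqueProcessId;
+public int InheritedFromUniqueProcessId;
+
+public int Size
+{
+get { return (int)Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION)); }
+}
+}
+
+[StructLayout(LayoutKind.Sequential)]
+public struct OSVERSIONINFOEX
+{
+public uint OSVersionInfoSize;
+public uint MajorVersion;
+public uint MinorVersion;
+public uint BuildNumber;
+public uint PlatformId;
+[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 128)]
+public string CSDVersion;
+public ushort ServicePackMajor;
+public ushort ServicePackMinor;
+public ushort SuiteMask;
+public byte ProductType;
+public byte Reserved;
+}
+
+[StructLayout(LayoutKind.Explicit)]
+public struct ApiSetNamespace
+{
+[FieldOffset(0x0C)]
+public int Count;
+
+[FieldOffset(0x10)]
+public int EntryOffset;
+}
+
+[StructLayout(LayoutKind.Explicit, Size = 24)]
+public struct ApiSetNamespaceEntry
+{
+[FieldOffset(0x04)]
+public int NameOffset;
+
+[FieldOffset(0x08)]
+public int NameLength;
+
+[FieldOffset(0x10)]
+public int ValueOffset;
+}
+
+[StructLayout(LayoutKind.Explicit)]
+public struct ApiSetValueEntry
+{
+[FieldOffset(0x0C)]
+public int ValueOffset;
+
+[FieldOffset(0x10)]
+public int ValueCount;
+}
+
+// Helpers
+//--------------------------------------
+public static void PrintHelp()
+{
+string HelpText = " >--~~--> Args? <--~~--<\n\n" +
+"-List (-l) Boolean: List all know API Set mappings.\n" +
+"-Search (-s) String: Perform string match based on partial or full API Set name.\n\n" +
+" >--~~--> Usage? <--~~--<\n\n" +
+"GetAPISetMapping.exe -l\n" +
+"GetAPISetMapping.exe -s \"api-ms-win-appmodel-state-l1-2-0.dll\"";
+Console.WriteLine(HelpText);
+}
+}
+}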
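Review bot: The explicit field offsets in ApiSetNamespace, ApiSetNamespaceEntry and ApiSetValueEntry are undocumented, and nothing on the structs states which API set map layout they model, even though Program.cs rejects every OS except Windows 10 for exactly that reason. A header comment on each struct would make the assumption auditable, e.g. on ApiSetNamespace `// Partial API_SET_NAMESPACE (schema v6, Windows 10): only Count (0x0C) and EntryOffset (0x10) are mapped; offsets are relative to the namespace base.` and on ApiSetNamespaceEntry `// Partial API_SET_NAMESPACE_ENTRY; Size = 24 fixes the stride used when indexing the entry table.` OSVERSIONINFOEX would also benefit from a note that `OSVersionInfoSize` must be set to the marshalled size before the struct is passed to RtlGetVersion, since callers otherwise hand it over zero-initialised. PROCESS_BASIC_INFORMATION declares `InheritedFromUniqueProcessId` as `int` although the native field is pointer-sized; it is not read in this commit, so a comment flagging the narrowing is enough for now.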
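--- /dev/null
+++ b/Program.cs
@@ -0,0 +1,149 @@
+using System;
+using System.Collections.Generic;
+using System.Runtime.InteropServices;
+using System.Text;
+using CommandLine;
+
+namespace GetAPISetMapping
+{
+class Program
+{
+public static Dictionary<string, string> GetApiSetDict()
+{
+// Get PEB
+Helper.PROCESS_BASIC_INFORMATION pbi = new Helper.PROCESS_BASIC_INFORMATION();
+UInt32 RetLen = 0;
+Helper.NtQueryInformationProcess((IntPtr)(-1), 0, ref pbi, Marshal.SizeOf(pbi), ref RetLen);
+
+// Are we executing for x86 or x64
+UInt32 ApiSetMapOffset = 0;
+if (IntPtr.Size == 4)
+{
+ApiSetMapOffset = 0x38;
+}
+else
+{
+ApiSetMapOffset = 0x68;
+}
+
+// Create mapping dictionary
+Dictionary<string, string> ApiSetDict = new Dictionary<string, string>();
+
+IntPtr pApiSetNamespace = Marshal.ReadIntPtr((IntPtr)((UInt64)pbi.PebBaseAddress + ApiSetMapOffset));
+Helper.ApiSetNamespace Namespace = new Helper.ApiSetNamespace();
+Namespace = (Helper.ApiSetNamespace)Marshal.PtrToStructure(pApiSetNamespace, typeof(Helper.ApiSetNamespace));
+for (var i = 0; i < Namespace.Count; i++)
+{
+Helper.ApiSetNamespaceEntry SetEntry = new Helper.ApiSetNamespaceEntry();
+SetEntry = (Helper.ApiSetNamespaceEntry)Marshal.PtrToStructure((IntPtr)((UInt64)pApiSetNamespace + (UInt64)Namespace.EntryOffset + (UInt64)(i * Marshal.SizeOf(SetEntry))), typeof(Helper.ApiSetNamespaceEntry));
+String ApiSetEntryName = Marshal.PtrToStringUni((IntPtr)((UInt64)pApiSetNamespace + (UInt64)SetEntry.NameOffset), SetEntry.NameLength / 2) + ".dll";
+
+Helper.ApiSetValueEntry SetValue = new Helper.ApiSetValueEntry();
+SetValue = (Helper.ApiSetValueEntry)Marshal.PtrToStructure((IntPtr)((UInt64)pApiSetNamespace + (UInt64)SetEntry.ValueOffset), typeof(Helper.ApiSetValueEntry));
+String ApiSetValue = String.Empty;
+if (SetValue.ValueCount != 0)
+{
+ApiSetValue = Marshal.PtrToStringUni((IntPtr)((UInt64)pApiSetNamespace + (UInt64)SetValue.ValueOffset), SetValue.ValueCount / 2);
+
+}
+
+// Add pair to dict
+ApiSetDict.Add(ApiSetEntryName, ApiSetValue);
+}
+
+// Return dict
+return ApiSetDict;
+}
+
+// Read API set
+public static void GetAPISet(String Name, Boolean List)
+{
+// Our parser only supports resolution on the Win10 PEB format
+Helper.OSVERSIONINFOEX ovi = new Helper.OSVERSIONINFOEX();
+Helper.RtlGetVersion(ref ovi);
+if (ovi.MajorVersion != 10)
+{
+Console.WriteLine("API Set resolution is only supported on Windows 10..");
+return;
+}
+
+Dictionary<string, string> ApiDict = GetApiSetDict();
+if (List)
+{
+foreach (KeyValuePair<string, string> mapping in ApiDict)
+{
+if (string.IsNullOrEmpty(mapping.Value))
+{
+Console.WriteLine("API Set: " + mapping.Key + " --> N/A");
+} else
+{
+Console.WriteLine("API Set: " + mapping.Key + " --> " + mapping.Value);
+}
+}
+} else
+{
+String SearchResult = String.Empty;
+foreach (KeyValuePair<string, string> mapping in ApiDict)
+{
+if ((mapping.Key).ToLower().Contains(Name.ToLower()))
+{
+if (SearchResult == String.Empty)
+{
+SearchResult += "API Set: " + mapping.Key + " --> " + mapping.Value;
+} else
+{
+SearchResult += "\nAPI Set: " + mapping.Key + " --> " + mapping.Value;
+}
+}
+}
+
+if (SearchResult == String.Empty)
+{
+Console.WriteLine("[!] No matches found..");
+} else
+{
+Console.WriteLine(SearchResult);
+}
+}
+}
+
+// Process arg options
+class ArgOptions
+{
+[Option("s", "Search")]
+public string Search { get; set; }
+
+[Option("l", "List")]
+public bool List { get; set; }
+}
+
+static void Main(string[] args)
+{
+// Read args
+var ArgOptions = new ArgOptions();
+
+// Parse args
+if (CommandLineParser.Default.ParseArguments(args, ArgOptions))
+{
+if (string.IsNullOrEmpty(ArgOptions.Search) && !ArgOptions.List)
+{
+Helper.PrintHelp();
+}
+else
+{
+if (ArgOptions.List)
+{
+GetAPISet(String.Empty, true);
+} else
+{
+GetAPISet(ArgOptions.Search, false);
+}
+}
+}
+else
+{
+Helper.PrintHelp();
+}
+}
+}
+}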
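Review bot: The NTSTATUS returned by `Helper.NtQueryInformationProcess` in GetApiSetDict is discarded, so a failed query leaves `pbi.PebBaseAddress` at zero and the following `Marshal.ReadIntPtr` on PEB + 0x38/0x68 reads from an invalid address instead of reporting the failure. Capture and check it before touching the PEB: `UInt32 status = Helper.NtQueryInformationProcess((IntPtr)(-1), 0, ref pbi, Marshal.SizeOf(pbi), ref RetLen);` followed by `if (status != 0) { throw new InvalidOperationException("NtQueryInformationProcess failed: 0x" + status.ToString("X8")); }`. The same applies to `Helper.RtlGetVersion` in GetAPISet, whose status is also dropped and whose `ovi` argument is passed with `OSVersionInfoSize` still zero, although the RtlGetVersion contract expects the caller to set it to `(uint)Marshal.SizeOf(ovi)` first. Separately, the search branch lowercases both sides with the current culture; `mapping.Key.IndexOf(Name, StringComparison.OrdinalIgnoreCase) >= 0` gives a culture-independent match and is available on the v3.5 target.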
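--- /dev/null
+++ b/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("GetAPISetMapping")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("GetAPISetMapping")]
+[assembly: AssemblyCopyright("Copyright © 2020")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("eacaa2b8-43e5-4888-826d-2f6902e16546")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]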