fix(old-parser): getSizeFromAnnotation to return size of struct

saferwall · Sep 2, 2024 · b73e807 · b73e807
1 parent b696984
commit b73e807
Show file tree

Hide file tree

Showing 7 changed files with 337 additions and 261 deletions.
diff --git a/assets/apis.json b/assets/apis.json
@@ -3187,6 +3187,48 @@
     }
    ]
   },
+  "DuplicateHandle": {
+   "callconv": "WINAPI",
+   "name": "DuplicateHandle",
+   "retVal": "BOOL",
+   "params": [
+    {
+     "anno": "_In_",
+     "type": "HANDLE",
+     "name": "hSourceProcessHandle"
+    },
+    {
+     "anno": "_In_",
+     "type": "HANDLE",
+     "name": "hSourceHandle"
+    },
+    {
+     "anno": "_In_",
+     "type": "HANDLE",
+     "name": "hTargetProcessHandle"
+    },
+    {
+     "anno": "_Outptr_",
+     "type": "LPHANDLE",
+     "name": "lpTargetHandle"
+    },
+    {
+     "anno": "_In_",
+     "type": "DWORD",
+     "name": "dwDesiredAccess"
+    },
+    {
+     "anno": "_In_",
+     "type": "BOOL",
+     "name": "bInheritHandle"
+    },
+    {
+     "anno": "_In_",
+     "type": "DWORD",
+     "name": "dwOptions"
+    }
+   ]
+  },
   "ExitProcess": {
    "callconv": "WINAPI",
    "name": "ExitProcess",
@@ -4055,12 +4097,6 @@
     }
    ]
   },
-  "GetLastError": {
-   "callconv": "WINAPI",
-   "name": "GetLastError",
-   "retVal": "DWORD",
-   "params": []
-  },
   "GetLocalTime": {
    "callconv": "WINAPI",
    "name": "GetLocalTime",

diff --git a/assets/hookapis.md b/assets/hookapis.md
@@ -55,6 +55,7 @@ CryptGenRandom
 DeleteFileA
 DeleteFileW
 DeviceIoControl
+DuplicateHandle
 DuplicateToken
 DuplicateTokenEx
 ExitProcess
@@ -292,7 +293,6 @@ GetActiveWindow
 WaitForSingleObject
 WaitForSingleObjectEx
 ResetEvent
-GetLastError
 OutputDebugStringW
 AddVectoredExceptionHandler
 GetWindowsDirectoryA

diff --git a/assets/noisyapis.md b/assets/noisyapis.md
@@ -0,0 +1 @@
+GetLastError
diff --git a/cmd/parse-old.go b/cmd/parse-old.go
@@ -299,7 +299,7 @@ func runOld() {
 
 		if minify {
 			// Minifi APIs.
-			data, _ := json.Marshal(parser.MinifyAPIs(apis, customHookHHandlerAPIs))
+			data, _ := json.Marshal(parser.MinifyAPIs(apis, customHookHHandlerAPIs, winStructs))
 			utils.WriteBytesFile("./assets/mini-apis.json", bytes.NewReader(data))
 
 			// Minify Structs/Unions.

diff --git a/internal/parser/datatype.go b/internal/parser/datatype.go
@@ -8,6 +8,7 @@
 package parser
 
 import (
+	"fmt"
 	"log"
 	"regexp"
 	"strings"
@@ -208,6 +209,9 @@ func InitCustomTypes(winStructs []Struct) {
 
 	// Init struct types.
 	for _, winStruct := range winStructs {
+		if winStruct.Name == "WIN32_FIND_DATAW" {
+			fmt.Print(winStruct.Name)
+		}
 		if len(winStruct.Name) > 0 {
 			dt := dataType{Name: winStruct.Name, Size: 0, Kind: typeStruct}
 			dataTypes[winStruct.Name] = dt
@@ -226,7 +230,7 @@ func InitCustomTypes(winStructs []Struct) {
 	}
 }
 
-func typefromString(t string) dataType {
+func typeFromString(t string) dataType {
 
 	// Remove non-important C language modifiers like CONST ...
 	t = strings.ReplaceAll(t, "CONST ", "")

diff --git a/internal/parser/minify.go b/internal/parser/minify.go
@@ -61,8 +61,9 @@ var (
 	reAnnotationIntOut   = regexp.MustCompile(`(?i)_Inout[\w]+`)
 	reAnnotationReserved = regexp.MustCompile(`(?i)Reserved`)
 
-	reOutWritesBytesTo    = `\w+\((?P<s>[*\w]+), (?P<c>[*\w]+)\)`
-	reInOutReadWriteBytes = `\w+\((?P<s>\w+)\)`
+	reOutWritesBytesTo       = `\w+\((?P<s>[*\w]+), (?P<c>[*\w]+)\)`
+	reInOutReadWriteBytes    = `_In_reads_bytes_opt_\((?P<s>\w+)\)`
+	reOutWritesBytesToSizeOf = `_Out_writes_bytes_\(sizeof\((?P<s>\w+)\)`
 )
 
 func findParamIndexByName(api API, target string) int {
@@ -75,11 +76,15 @@ func findParamIndexByName(api API, target string) int {
 }
 
 func getNameFromAnnotation(param APIParam) string {
+	// Example: "_Out_writes_bytes_opt_(nNumberOfBytesToRead)"
+	// TODO: "_Out_writes_bytes_to_(dwNumberOfBytesToRead, *lpdwNumberOfBytesRead) __out_data_source(NETWORK)",
 	m := utils.RegSubMatchToMapString(reOutWritesBytesTo, param.Annotation)
 	if len(m) > 0 {
 		return m["c"]
 	}
 
+	// "_In_reads_opt_(dwHeadersLength)"
+	// "_In_reads_bytes_opt_(dwOptionalLength)"
 	m = utils.RegSubMatchToMapString(reInOutReadWriteBytes, param.Annotation)
 	if len(m) > 0 {
 		return m["s"]
@@ -88,8 +93,26 @@ func getNameFromAnnotation(param APIParam) string {
 	return ""
 }
 
+func getSizeFromAnnotation(param APIParam, winStructs []Struct, isX64 bool) uint8 {
+	// "_Out_writes_bytes_(sizeof(WIN32_FIND_DATAA))"
+	m := utils.RegSubMatchToMapString(reOutWritesBytesToSizeOf, param.Annotation)
+	if len(m) == 0 {
+		// TODO: what to return here.
+		return 0
+	}
+
+	t := m["s"]
+	for _, winStruct := range winStructs {
+		if winStruct.Name == t {
+			return winStruct.Size(isX64)
+		}
+	}
+	return 0
+
+}
+
 func getBytePtrIndex(api API, param APIParam, dt dataType,
-	parammini *APIParamMini) uint8 {
+	parammini *APIParamMini, winStructs []Struct) uint8 {
 	if dt.Kind == typeBytePtr {
 		// log.Printf("API: %s, Name: %s, Type: %s, Anno: %s\n", api.Name,
 		// 	param.Name, param.Type, param.Annotation)
@@ -112,6 +135,11 @@ func getBytePtrIndex(api API, param APIParam, dt dataType,
 			idx := findParamIndexByName(api, name)
 			parammini.Type = typeBytePtr
 			return uint8(idx)
+		} else {
+			// We have cases also: "_Out_writes_bytes_(sizeof(WIN32_FIND_DATAA))"
+			// Where the size of the buffer is not to be found in another variable.
+			size := getSizeFromAnnotation(param, winStructs)
+			return size
 		}
 
 	}
@@ -120,15 +148,16 @@ func getBytePtrIndex(api API, param APIParam, dt dataType,
 
 }
 
-func MinifyAPIs(apis map[string]map[string]API, customHookHHandlerAPIs []string) map[string]map[string]APIMini {
+func MinifyAPIs(apis map[string]map[string]API, customHookHHandlerAPIs []string,
+	winStructs []Struct) map[string]map[string]APIMini {
 	mapis := make(map[string]map[string]APIMini)
 	for dllname, v := range apis {
 		if _, ok := mapis[dllname]; !ok {
 			mapis[dllname] = make(map[string]APIMini)
 		}
 		for apiname, vv := range v {
-			if apiname == "RpcBindingFree" {
-				log.Print("RpcBindingFree")
+			if apiname == "FindFirstFileExW" {
+				log.Print("FindFirstFileExW")
 			}
 
 			// Return type.
@@ -159,9 +188,9 @@ func MinifyAPIs(apis map[string]map[string]API, customHookHHandlerAPIs []string)
 				}
 
 				// Get the param type.
-				dataType := typefromString(param.Type)
+				dataType := typeFromString(param.Type)
 				parammini.Type = dataType.Kind
-				parammini.BufferSizeOrIndex = getBytePtrIndex(vv, param, dataType, &parammini)
+				parammini.BufferSizeOrIndex = getBytePtrIndex(vv, param, dataType, &parammini, winStructs)
 				parammini.Name = param.Name
 				paramsMini = append(paramsMini, parammini)
 			}