From dc83b611051c8f00c6503d3371549dec3d0b44a0 Mon Sep 17 00:00:00 2001
From: Michael B
Date: Tue, 8 Jun 2021 20:16:49 -0400
Subject: [PATCH 1/2] Fix CreateFile emulation

The real CreateFile API only reads a DWORD of the disposition value. Therefore it is completely valid for malicious programs/shellcode to pass a QWORD (in x64) with invalid leading bytes and have the system API work (e.g. 0xcccccccc00000003 = OPEN_EXISTING). Without this change, Speakeasy fails to return a handle because it can't match the disposition parameter with any of the windef disposition values.
---
 speakeasy/winenv/api/usermode/kernel32.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/speakeasy/winenv/api/usermode/kernel32.py b/speakeasy/winenv/api/usermode/kernel32.py
index a3aaf06..8047cf3 100644
--- a/speakeasy/winenv/api/usermode/kernel32.py
+++ b/speakeasy/winenv/api/usermode/kernel32.py
@@ -3286,6 +3286,8 @@ def CreateFile(self, emu, argv, ctx={}):
 if ad:
 argv[1] = ' | '.join(ad)
 
+ disp_bytes = disp.to_bytes(8, 'little')
+ disp = int(int.from_bytes(disp_bytes[0:4], 'little')
 cd = windefs.get_create_disposition(disp)
 if cd:
 argv[4] = cd

From 079854771822fbeb2549f7f3222e12ce5ed18dc7 Mon Sep 17 00:00:00 2001
From: Michael B
Date: Wed, 9 Jun 2021 16:05:14 -0400
Subject: [PATCH 2/2] Added missing parenthesis

---
 speakeasy/winenv/api/usermode/kernel32.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/speakeasy/winenv/api/usermode/kernel32.py b/speakeasy/winenv/api/usermode/kernel32.py
index 8047cf3..1931fa5 100644
--- a/speakeasy/winenv/api/usermode/kernel32.py
+++ b/speakeasy/winenv/api/usermode/kernel32.py
@@ -3287,7 +3287,7 @@ def CreateFile(self, emu, argv, ctx={}):
 argv[1] = ' | '.join(ad)
 
 disp_bytes = disp.to_bytes(8, 'little')
- disp = int(int.from_bytes(disp_bytes[0:4], 'little')
+ disp = int(int.from_bytes(disp_bytes[0:4], 'little'))
 cd = windefs.get_create_disposition(disp)
 if cd:
 argv[4] = cd
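Review bot: The two new lines that survive in the second hunk (PATCH 2/2) drop the high DWORD through a bytes round-trip, which is both harder to read and more fragile than needed: `disp.to_bytes(8, 'little')` raises OverflowError if `disp` is ever negative or wider than 64 bits, and the outer `int(...)` is redundant because `int.from_bytes` already returns an int. A mask states the intent directly and cannot overflow: `disp &= 0xFFFFFFFF  # CreateFile reads only a DWORD; x64 callers may leave garbage in the high bits`, replacing both lines. The same truncation presumably matters for the other DWORD-typed arguments that CreateFile resolves against named constants (the access value joined into argv[1], share mode, flags), if they are matched the same way outside this hunk — worth checking so a caller cannot dodge the emulation by padding those too. CreateFile's body starts and ends outside both hunks; the first hunk's missing parenthesis is already corrected by the second, so it is not re-raised here.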