jholowczak
commented
4 years ago Hello,
Thanks for submitting! Just getting back into reviewing PR's and issues for this project. Regarding the full hook implementations in this PR: for any function that is listed within the project that currently does not have a function defined within the code, we consider this a partial hook. With partial hooks, the goal is to capture proper argument names and count for stack manipulation and tracking only, thus allowing the original implementation in the DLL run its code instead. In this instance, the GetCurrentThreadId, GetCurrentProcess, GetCurrentProcessId, and GetLastError all have been made partial hooks as these function reference certain fields within the PEB/TEB. We have a mock structure defined and populated windows/loader.go (see here).
I'll take some time to look at the rest of the PR and make comments if necessary.
Did some changes: Since I was quite bored to have two different sets of dll (I am testing qiling too), i decided to change the Search function to retrieve even dll with camelCase names, like "KernelBase". More, some samples use ".drv" files to load libraries, and we binee didn't check for them before, so i added that too. Then I tried to implement some hooks that were only partially implemented, but to be honest, they need a revision.