diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..bd21851 --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,395 @@ +## Ignore Visual Studio temporary files, build results, and +## files generated by popular Visual Studio add-ons. +## +## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore + +# User-specific files +*.rsuser +*.suo +*.user +*.userosscache +*.sln.docstates + +# User-specific files (MonoDevelop/Xamarin Studio) +*.userprefs + +# Mono auto generated files +mono_crash.* + +# Build results +[Dd]ebug/ +[Dd]ebugPublic/ +[Rr]elease/ +[Rr]eleases/ +x64/ +x86/ +[Ww][Ii][Nn]32/ +[Aa][Rr][Mm]/ +[Aa][Rr][Mm]64/ +bld/ +[Bb]in/ +[Oo]bj/ +[Ll]og/ +[Ll]ogs/ + +# Visual Studio 2015/2017 cache/options directory +.vs/ +# Uncomment if you have tasks that create the project's static files in wwwroot +#wwwroot/ + +# Visual Studio 2017 auto generated files +Generated\ Files/ + +# MSTest test Results +[Tt]est[Rr]esult*/ +[Bb]uild[Ll]og.* + +# NUnit +*.VisualState.xml +TestResult.xml +nunit-*.xml + +# Build Results of an ATL Project +[Dd]ebugPS/ +[Rr]eleasePS/ +dlldata.c + +# Benchmark Results +BenchmarkDotNet.Artifacts/ + +# .NET Core +project.lock.json +project.fragment.lock.json +artifacts/ + +# ASP.NET Scaffolding +ScaffoldingReadMe.txt + +# StyleCop +StyleCopReport.xml + +# Files built by Visual Studio +*_i.c +*_p.c +*_h.h +*.ilk +*.meta +*.obj +*.iobj +*.pch +*.pdb +*.ipdb +*.pgc +*.pgd +*.rsp +*.sbr +*.tlb +*.tli +*.tlh +*.tmp +*.tmp_proj +*_wpftmp.csproj +*.log +*.tlog +*.vspscc +*.vssscc +.builds +*.pidb +*.svclog +*.scc + +# Chutzpah Test files +_Chutzpah* + +# Visual C++ cache files +ipch/ +*.aps +*.ncb +*.opendb +*.opensdf +*.sdf +*.cachefile +*.VC.db +*.VC.VC.opendb + +# Visual Studio profiler +*.psess +*.vsp +*.vspx +*.sap + +# Visual Studio Trace Files +*.e2e + +# TFS 2012 Local Workspace +$tf/ + +# Guidance Automation Toolkit +*.gpState + +# ReSharper is a .NET coding add-in +_ReSharper*/ +*.[Rr]e[Ss]harper +*.DotSettings.user + +# TeamCity is a build add-in +_TeamCity* + +# DotCover is a Code Coverage Tool +*.dotCover + +# 
AxoCover is a Code Coverage Tool +.axoCover/* +!.axoCover/settings.json + +# Coverlet is a free, cross platform Code Coverage Tool +coverage*.json +coverage*.xml +coverage*.info + +# Visual Studio code coverage results +*.coverage +*.coveragexml + +# NCrunch +_NCrunch_* +.*crunch*.local.xml +nCrunchTemp_* + +# MightyMoose +*.mm.* +AutoTest.Net/ + +# Web workbench (sass) +.sass-cache/ + +# Installshield output folder +[Ee]xpress/ + +# DocProject is a documentation generator add-in +DocProject/buildhelp/ +DocProject/Help/*.HxT +DocProject/Help/*.HxC +DocProject/Help/*.hhc +DocProject/Help/*.hhk +DocProject/Help/*.hhp +DocProject/Help/Html2 +DocProject/Help/html + +# Click-Once directory +publish/ + +# Publish Web Output +*.[Pp]ublish.xml +*.azurePubxml +# Note: Comment the next line if you want to checkin your web deploy settings, +# but database connection strings (with potential passwords) will be unencrypted +*.pubxml +*.publishproj + +# Microsoft Azure Web App publish settings. Comment the next line if you want to +# checkin your Azure Web App publish settings, but sensitive information contained +# in these scripts will be unencrypted +PublishScripts/ + +# NuGet Packages +*.nupkg +# NuGet Symbol Packages +*.snupkg +# The packages folder can be ignored because of Package Restore +**/[Pp]ackages/* +# except build/, which is used as an MSBuild target. 
+!**/[Pp]ackages/build/ +# Uncomment if necessary however generally it will be regenerated when needed +#!**/[Pp]ackages/repositories.config +# NuGet v3's project.json files produces more ignorable files +*.nuget.props +*.nuget.targets + +# Microsoft Azure Build Output +csx/ +*.build.csdef + +# Microsoft Azure Emulator +ecf/ +rcf/ + +# Windows Store app package directories and files +AppPackages/ +BundleArtifacts/ +Package.StoreAssociation.xml +_pkginfo.txt +*.appx +*.appxbundle +*.appxupload + +# Visual Studio cache files +# files ending in .cache can be ignored +*.[Cc]ache +# but keep track of directories ending in .cache +!?*.[Cc]ache/ + +# Others +ClientBin/ +~$* +*~ +*.dbmdl +*.dbproj.schemaview +*.jfm +*.pfx +*.publishsettings +orleans.codegen.cs + +# Including strong name files can present a security risk +# (https://github.com/github/gitignore/pull/2483#issue-259490424) +#*.snk + +# Since there are multiple workflows, uncomment next line to ignore bower_components +# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) +#bower_components/ + +# RIA/Silverlight projects +Generated_Code/ + +# Backup & report files from converting an old project file +# to a newer Visual Studio version. Backup files are not needed, +# because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm +ServiceFabricBackup/ +*.rptproj.bak + +# SQL Server files +*.mdf +*.ldf +*.ndf + +# Business Intelligence projects +*.rdl.data +*.bim.layout +*.bim_*.settings +*.rptproj.rsuser +*- [Bb]ackup.rdl +*- [Bb]ackup ([0-9]).rdl +*- [Bb]ackup ([0-9][0-9]).rdl + +# Microsoft Fakes +FakesAssemblies/ + +# GhostDoc plugin setting file +*.GhostDoc.xml + +# Node.js Tools for Visual Studio +.ntvs_analysis.dat +node_modules/ + +# Visual Studio 6 build log +*.plg + +# Visual Studio 6 workspace options file +*.opt + +# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 
+*.vbw + +# Visual Studio 6 auto-generated project file (contains which files were open etc.) +*.vbp + +# Visual Studio 6 workspace and project file (working project files containing files to include in project) +*.dsw +*.dsp + +# Visual Studio 6 technical files +*.ncb +*.aps + +# Visual Studio LightSwitch build output +**/*.HTMLClient/GeneratedArtifacts +**/*.DesktopClient/GeneratedArtifacts +**/*.DesktopClient/ModelManifest.xml +**/*.Server/GeneratedArtifacts +**/*.Server/ModelManifest.xml +_Pvt_Extensions + +# Paket dependency manager +.paket/paket.exe +paket-files/ + +# FAKE - F# Make +.fake/ + +# CodeRush personal settings +.cr/personal + +# Python Tools for Visual Studio (PTVS) +__pycache__/ +*.pyc + +# Cake - Uncomment if you are using it +# tools/** +# !tools/packages.config + +# Tabs Studio +*.tss + +# Telerik's JustMock configuration file +*.jmconfig + +# BizTalk build output +*.btp.cs +*.btm.cs +*.odx.cs +*.xsd.cs + +# OpenCover UI analysis results +OpenCover/ + +# Azure Stream Analytics local run output +ASALocalRun/ + +# MSBuild Binary and Structured Log +*.binlog + +# NVidia Nsight GPU debugger configuration file +*.nvuser + +# MFractors (Xamarin productivity tool) working folder +.mfractor/ + +# Local History for Visual Studio +.localhistory/ + +# BeatPulse healthcheck temp database +healthchecksdb + +# Backup folder for Package Reference Convert tool in Visual Studio 2017 +MigrationBackup/ + +# Ionide (cross platform F# VS Code tools) working folder +.ionide/ + +# Fody - auto-generated XML schema +FodyWeavers.xsd + +# VS Code files for those working on multiple tools +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +*.code-workspace + +# Local History for Visual Studio Code +.history/ + +# Windows Installer files from build outputs +*.cab +*.msi +*.msix +*.msm +*.msp + +# JetBrains Rider +*.sln.iml diff --git a/XT_VirusTotal.sln b/XT_VirusTotal.sln new file mode 100644 index 0000000..66b84c8 
--- /dev/null +++ b/XT_VirusTotal.sln @@ -0,0 +1,31 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 16 +VisualStudioVersion = 16.0.32802.440 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "XT_VirusTotal", "XT_VirusTotal\XT_VirusTotal.vcxproj", "{E778D815-89F7-4783-99F3-064FA465DFF9}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {E778D815-89F7-4783-99F3-064FA465DFF9}.Debug|x64.ActiveCfg = Debug|x64 + {E778D815-89F7-4783-99F3-064FA465DFF9}.Debug|x64.Build.0 = Debug|x64 + {E778D815-89F7-4783-99F3-064FA465DFF9}.Debug|x86.ActiveCfg = Debug|Win32 + {E778D815-89F7-4783-99F3-064FA465DFF9}.Debug|x86.Build.0 = Debug|Win32 + {E778D815-89F7-4783-99F3-064FA465DFF9}.Release|x64.ActiveCfg = Release|x64 + {E778D815-89F7-4783-99F3-064FA465DFF9}.Release|x64.Build.0 = Release|x64 + {E778D815-89F7-4783-99F3-064FA465DFF9}.Release|x86.ActiveCfg = Release|Win32 + {E778D815-89F7-4783-99F3-064FA465DFF9}.Release|x86.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {E4985B21-49F1-43F3-BFD0-2051E193D7D1} + EndGlobalSection +EndGlobal diff --git a/XT_VirusTotal/VirusTotalWebAPI.cpp b/XT_VirusTotal/VirusTotalWebAPI.cpp new file mode 100644 index 0000000..29cefd5 --- /dev/null +++ b/XT_VirusTotal/VirusTotalWebAPI.cpp 
@@ -0,0 +1,158 @@
+#include "pch.h"
+
+extern wchar_t VirusTotalApiKey[128];
+
+// Get information from the server
+// Returns a char * buffer that is allocated in this function; caller's obligation to free the buffer
+char* VT_GetFileReport(const wchar_t* URI) {
+
+ // The buffer to hold the response
+ char* ResponseBuffer = NULL;
+
+ // Array of accept types
+ PCWSTR AcceptTypes[] = { L"application/json", NULL };
+
+ // Return Error Code
+ DWORD dwErrorCode = ERROR_SUCCESS;
+
+ // Internet handles
+ HINTERNET hInternet, hConnect, hRequest;
+
+ // Authorization Header
+ wchar_t* AuthHeader = NULL;
+
+ // Check to make sure that we have a valid API key, server address, and server port
+ // and build the Authorization Header
+ if (wcslen(VirusTotalApiKey) > 0) {
+ AuthHeader = (wchar_t*)malloc(128 * sizeof(wchar_t));
+ ZeroMemory(AuthHeader, 128 * sizeof(wchar_t));
+ StringCchPrintf(AuthHeader, 128, L"x-apikey: %s", VirusTotalApiKey);
+ }
+ // Check to make sure we are connected to the Internet...
+ DWORD dwInternetConnectionFlags = 0;
+ if (!InternetGetConnectedState(&dwInternetConnectionFlags, 0)) {
+ dwErrorCode = VT_ERROR_NO_INTERNET;
+ SetLastError(dwErrorCode);
+ return NULL;
+ }
+
+ // Open the connection
+ hInternet = InternetOpen(L"VirusTotal X-Ways Forensics Plugin",
+ INTERNET_OPEN_TYPE_PRECONFIG,
+ NULL,
+ NULL,
+ 0);
+
+ if (hInternet) {
+ // Connect
+ hConnect = InternetConnect(hInternet,
+ L"www.virustotal.com",
+ INTERNET_DEFAULT_HTTPS_PORT,
+ NULL,
+ NULL,
+ INTERNET_SERVICE_HTTP,
+ 0,
+ 0);
+
+ if (hConnect) {
+ // Make the HTTP SSL connection
+ hRequest = HttpOpenRequestW(hConnect,
+ L"GET",
+ URI,
+ NULL,
+ NULL,
+ AcceptTypes,
+ INTERNET_FLAG_SECURE | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_IGNORE_CERT_CN_INVALID,
+ 0);
+
+ if (hRequest) {
+ // Send the HTTP request
+ if (HttpSendRequestW(hRequest, AuthHeader, (DWORD)wcslen(AuthHeader), NULL, 0)) {
+ DWORD dwContentLength = 0;
+ DWORD length = sizeof(DWORD);
+
+ // Get the content length and make sure our buffer is big enough to handle it
+ HttpQueryInfo(hRequest,
+ HTTP_QUERY_CONTENT_LENGTH | HTTP_QUERY_FLAG_NUMBER,
+ &dwContentLength,
+ &length,
+ NULL);
+
+ // Get the status code
+ DWORD dwStatusCode = 0;
+ length = sizeof(DWORD);
+
+ HttpQueryInfo(hRequest,
+ HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER,
+ &dwStatusCode,
+ &length, NULL);
+
+
+ if (dwStatusCode == 200) {
+ ResponseBuffer = (char*)malloc(dwContentLength + 1);
+ ZeroMemory(ResponseBuffer, dwContentLength + 1);
+
+ DWORD dwBytesRead = 0;
+ DWORD offset = 0;
+
+ // Read the response
+ DWORD dwBufRemaining = dwContentLength;
+
+ while (dwBufRemaining > 0) {
+ if (dwBufRemaining > 1024)
+ InternetReadFile(hRequest, ResponseBuffer + offset, 1024, &dwBytesRead);
+ else
+ InternetReadFile(hRequest, ResponseBuffer + offset, dwBufRemaining, &dwBytesRead);
+
+ if (dwBytesRead == 0) {
+ break;
+ }
+ else {
+ if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
+ dwErrorCode = VT_ERROR_BUFFER_OVERRUN;
+ }
+ offset += dwBytesRead;
+ dwBufRemaining -= dwBytesRead;
+ }
+ }
+ }
+ else if (dwStatusCode == 404) {
+ dwErrorCode = ERROR_FILE_NOT_FOUND;
+ }
+ else if (dwStatusCode == 403) {
+ dwErrorCode = VT_ERROR_AUTHORIZATION;
+ }
+ }
+ else {
+ DWORD dwError = GetLastError();
+ int foo = 0;
+ }
+ InternetCloseHandle(hRequest);
+ }
+ else {
+ DWORD dwError = GetLastError();
+ dwErrorCode = VT_ERROR_HTTP;
+ }
+ InternetCloseHandle(hConnect);
+ }
+ else {
+ dwErrorCode = VT_ERROR_CONNECTING;
+ }
+ InternetCloseHandle(hInternet);
+ }
+ else {
+ dwErrorCode = VT_ERROR_CONNECTING;
+ }
+
+ // Free the Auth Header
+ if (AuthHeader != NULL) {
+ free(AuthHeader);
+ AuthHeader = NULL;
+ }
+
+ // Set the error code
+ SetLastError(dwErrorCode);
+
+ // Return success
+ return ResponseBuffer;
+}
\ No newline at end of file
diff --git a/XT_VirusTotal/VirusTotalWebAPI.h b/XT_VirusTotal/VirusTotalWebAPI.h
new file mode 100644
index 0000000..1c99053
--- /dev/null
+++ b/XT_VirusTotal/VirusTotalWebAPI.h
@@ -0,0 +1,14 @@
+#pragma once
+#define VT_ERROR_CONNECTING 0x00000001
+#define VT_ERROR_AUTHORIZATION 0x00000002
+#define VT_ERROR_HTTP 0x00000003
+#define VT_ERROR_BUFFER_OVERRUN 0x00000004
+#define VT_ERROR_FILE_NOT_FOUND 0x00000005
+#define VT_ERROR_NO_CONFIG 0x00000006
+#define VT_ERROR_NO_INTERNET 0x00000007
+#define VT_ERROR_MEMORY_BUFFER 0x00000008
+#define VT_ERROR_DATA_CONVERSION 0x00000009
+#define VT_ERROR_UNKNOWN 0x00000010
+#define VT_ERROR_INVALID_RESPONSE 0x00000011
+
+char* VT_GetFileReport(const wchar_t* URI);
diff --git a/XT_VirusTotal/X-Tension.cpp b/XT_VirusTotal/X-Tension.cpp
new file mode 100644
index 0000000..cdc688c
--- /dev/null
+++ b/XT_VirusTotal/X-Tension.cpp
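Review bot: `INTERNET_FLAG_IGNORE_CERT_CN_INVALID` in the `HttpOpenRequestW` flags of VT_GetFileReport switches off the certificate host-name check on the very request that carries the `x-apikey` header, so the peer is never verified to be www.virustotal.com and both the key and the returned report lose the protection TLS is meant to give; the flag should be dropped. When `VirusTotalApiKey` is empty `AuthHeader` stays NULL and `wcslen(AuthHeader)` in the `HttpSendRequestW` call dereferences it, while the `VT_ERROR_NO_INTERNET` return leaks the header when a key is set; failing early with `VT_ERROR_NO_CONFIG` and freeing on that return covers both. The response buffer is sized from the server-supplied Content-Length with neither `HttpQueryInfo` result, `malloc` nor `InternetReadFile` checked, so a chunked reply (no length) comes back as an empty success, and if the header ever parsed to 0xFFFFFFFF `dwContentLength + 1` would wrap to 0 while the loop still writes into the buffer. The fence shows only the lines I would change.

```cpp
// … unchanged: local declarations …

// No key configured: report it and stop before any allocation or network call,
// so HttpSendRequestW never receives a NULL header.
if (wcslen(VirusTotalApiKey) == 0) {
    SetLastError(VT_ERROR_NO_CONFIG);
    return NULL;
}
AuthHeader = (wchar_t*)malloc(128 * sizeof(wchar_t));
if (AuthHeader == NULL) {
    SetLastError(VT_ERROR_MEMORY_BUFFER);
    return NULL;
}
// … unchanged: ZeroMemory, StringCchPrintf …

if (!InternetGetConnectedState(&dwInternetConnectionFlags, 0)) {
    free(AuthHeader);                       // previously leaked on this return
    SetLastError(VT_ERROR_NO_INTERNET);
    return NULL;
}

// … unchanged: InternetOpen, InternetConnect …
hRequest = HttpOpenRequestW(hConnect, L"GET", URI, NULL, NULL, AcceptTypes,
    INTERNET_FLAG_SECURE | INTERNET_FLAG_NO_CACHE_WRITE,   // host-name validation stays on
    0);

// … unchanged: HttpSendRequestW …
BOOL haveLength = HttpQueryInfo(hRequest,
    HTTP_QUERY_CONTENT_LENGTH | HTTP_QUERY_FLAG_NUMBER,
    &dwContentLength, &length, NULL);

// … unchanged: status-code query …
if (dwStatusCode == 200) {
    if (!haveLength || dwContentLength == MAXDWORD) {
        // Missing or wrapping length: do not size a buffer from it.
        dwErrorCode = VT_ERROR_INVALID_RESPONSE;
    }
    else if ((ResponseBuffer = (char*)malloc((size_t)dwContentLength + 1)) == NULL) {
        dwErrorCode = VT_ERROR_MEMORY_BUFFER;
    }
    else {
        ZeroMemory(ResponseBuffer, (size_t)dwContentLength + 1);
        DWORD dwBytesRead = 0, offset = 0, dwBufRemaining = dwContentLength;
        while (dwBufRemaining > 0) {
            DWORD dwChunk = dwBufRemaining > 1024 ? 1024 : dwBufRemaining;
            if (!InternetReadFile(hRequest, ResponseBuffer + offset, dwChunk, &dwBytesRead)) {
                dwErrorCode = VT_ERROR_HTTP;   // failed read: dwBytesRead is not trustworthy
                break;
            }
            if (dwBytesRead == 0)
                break;
            offset += dwBytesRead;
            dwBufRemaining -= dwBytesRead;
        }
    }
}
// … unchanged: 404 / 403 branches, handle cleanup, SetLastError, return …
```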
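Review bot: `VT_ERROR_AUTHORIZATION` is defined as 0x00000002, which is also the value of the Win32 `ERROR_FILE_NOT_FOUND` that VirusTotalWebAPI.cpp stores for an HTTP 404, so after `VT_GetFileReport` returns NULL a caller reading `GetLastError()` cannot tell a rejected API key (403) from a hash VirusTotal has no report for. The other low values overlap system error codes in the same way. I would have the 404 branch use the header's own code, `dwErrorCode = VT_ERROR_FILE_NOT_FOUND;`, and move the VT_ERROR_* values into the application-defined range by setting bit 29, e.g. `#define VT_ERROR_AUTHORIZATION 0x20000002`. A short comment above the block stating that these codes are delivered through `SetLastError` would also help, since nothing in the header says how callers receive them.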
@@ -0,0 +1,180 @@ +/////////////////////////////////////////////////////////////////////////////// +// X-Tension API - Implementation of XT_RetrieveFunctionPointers +// Copyright X-Ways Software Technology AG +/////////////////////////////////////////////////////////////////////////////// + +#include "pch.h" +#include "X-Tension.h" +//#include "BGStringTemplates.h" + + +// Please consult +// http://x-ways.com/forensics/x-tensions/api.html +// for current documentation + +//fptr_XWF_GetSize XWF_GetSize; + +/////////////////////////////////////////////////////////////////////////////// +// Variables that store the function pointers + +fptr_XWF_GetSize XWF_GetSize; +fptr_XWF_GetVolumeName XWF_GetVolumeName; +fptr_XWF_GetVolumeInformation XWF_GetVolumeInformation; +fptr_XWF_GetSectorContents XWF_GetSectorContents; +fptr_XWF_Read XWF_Read; +fptr_XWF_SectorIO XWF_SectorIO; +fptr_XWF_SelectVolumeSnapshot XWF_SelectVolumeSnapshot; +fptr_XWF_GetVSProp XWF_GetVSProp; +fptr_XWF_GetItemCount XWF_GetItemCount; +fptr_XWF_GetFileCount XWF_GetFileCount; +fptr_XWF_CreateItem XWF_CreateItem; +fptr_XWF_CreateFile XWF_CreateFile; +fptr_XWF_FindItem1 XWF_FindItem1; +fptr_XWF_GetItemName XWF_GetItemName; +fptr_XWF_GetItemSize XWF_GetItemSize; +fptr_XWF_SetItemSize XWF_SetItemSize; +fptr_XWF_GetItemOfs XWF_GetItemOfs; +fptr_XWF_SetItemOfs XWF_SetItemOfs; +fptr_XWF_GetItemInformation XWF_GetItemInformation; +fptr_XWF_SetItemInformation XWF_SetItemInformation; +fptr_XWF_GetItemType XWF_GetItemType; +fptr_XWF_SetItemType XWF_SetItemType; +fptr_XWF_GetItemParent XWF_GetItemParent; +fptr_XWF_SetItemParent XWF_SetItemParent; +fptr_XWF_GetHashSetAssocs XWF_GetHashSetAssocs; +fptr_XWF_GetReportTableAssocs XWF_GetReportTableAssocs; +fptr_XWF_AddToReportTable XWF_AddToReportTable; +fptr_XWF_GetComment XWF_GetComment; +fptr_XWF_AddComment XWF_AddComment; +fptr_XWF_OutputMessage XWF_OutputMessage; +fptr_XWF_GetUserInput XWF_GetUserInput; +fptr_XWF_ShowProgress XWF_ShowProgress; 
+fptr_XWF_SetProgressPercentage XWF_SetProgressPercentage; +fptr_XWF_SetProgressDescription XWF_SetProgressDescription; +fptr_XWF_ShouldStop XWF_ShouldStop; +fptr_XWF_HideProgress XWF_HideProgress; +fptr_XWF_ReleaseMem XWF_ReleaseMem; + +fptr_XWF_GetBlock XWF_GetBlock; +fptr_XWF_SetBlock XWF_SetBlock; +fptr_XWF_GetCaseProp XWF_GetCaseProp; +fptr_XWF_GetFirstEvObj XWF_GetFirstEvObj; +fptr_XWF_GetNextEvObj XWF_GetNextEvObj; +fptr_XWF_OpenEvObj XWF_OpenEvObj; +fptr_XWF_CloseEvObj XWF_CloseEvObj; +fptr_XWF_GetEvObj XWF_GetEvObj; +fptr_XWF_GetEvObjProp XWF_GetEvObjProp; +fptr_XWF_GetExtractedMetadata XWF_GetExtractedMetadata; +fptr_XWF_GetMetadataEx XWF_GetMetadataEx; +fptr_XWF_GetRasterImage XWF_GetRasterImage; +fptr_XWF_AddExtractedMetadata XWF_AddExtractedMetadata; +fptr_XWF_GetHashValue XWF_GetHashValue; +fptr_XWF_SetHashValue XWF_SetHashValue; +fptr_XWF_AddEvent XWF_AddEvent; +fptr_XWF_GetEvent XWF_GetEvent; +fptr_XWF_GetReportTableInfo XWF_GetReportTableInfo; +fptr_XWF_GetEvObjReportTableAssocs XWF_GetEvObjReportTableAssocs; + +// Search-Related Functions +fptr_XWF_Search XWF_Search; +fptr_XWF_AddSearchTerm XWF_AddSearchTerm; +fptr_XWF_GetSearchTerm XWF_GetSearchTerm; + +fptr_XWF_GetWindow XWF_GetWindow; +fptr_XWF_GetProp XWF_GetProp; +fptr_XWF_ManageSearchTerm XWF_ManageSearchTerm; + +/////////////////////////////////////////////////////////////////////////////// +// XT_RetrieveFunctionPointers - call this function before calling anything else + +LONG missingFunctionCount; + +void* getFunction(HMODULE Hdl, const char* functionName) +{ + void* result = GetProcAddress(Hdl, functionName); + + if (result == NULL) { + ++missingFunctionCount; + } + + return result; +} + +// Retrieves the function pointers into XWF and returns the number of missing functions +LONG __stdcall XT_RetrieveFunctionPointers() +{ + HMODULE Hdl = GetModuleHandle(NULL); + missingFunctionCount = 0; + + XWF_GetSize = (fptr_XWF_GetSize) getFunction(Hdl, "XWF_GetSize"); + XWF_GetVolumeName = 
(fptr_XWF_GetVolumeName) getFunction(Hdl, "XWF_GetVolumeName"); + XWF_GetVolumeInformation = (fptr_XWF_GetVolumeInformation) getFunction(Hdl, "XWF_GetVolumeInformation"); + XWF_GetSectorContents = (fptr_XWF_GetSectorContents) getFunction(Hdl, "XWF_GetSectorContents"); + XWF_Read = (fptr_XWF_Read) getFunction(Hdl, "XWF_Read"); + XWF_SectorIO = (fptr_XWF_SectorIO) getFunction(Hdl, "XWF_SectorIO"); + + XWF_SelectVolumeSnapshot = (fptr_XWF_SelectVolumeSnapshot) getFunction(Hdl, "XWF_SelectVolumeSnapshot"); + XWF_GetVSProp = (fptr_XWF_GetVSProp) getFunction(Hdl, "XWF_GetVSProp"); + XWF_GetItemCount = (fptr_XWF_GetItemCount) getFunction(Hdl, "XWF_GetItemCount"); + XWF_GetFileCount = (fptr_XWF_GetFileCount) getFunction(Hdl, "XWF_GetFileCount"); + XWF_CreateFile = (fptr_XWF_CreateFile) getFunction(Hdl, "XWF_CreateFile"); + XWF_FindItem1 = (fptr_XWF_FindItem1) getFunction(Hdl, "XWF_FindItem1"); + + XWF_CreateItem = (fptr_XWF_CreateItem) getFunction(Hdl, "XWF_CreateItem"); + XWF_GetItemName = (fptr_XWF_GetItemName) getFunction(Hdl, "XWF_GetItemName"); + XWF_GetItemSize = (fptr_XWF_GetItemSize) getFunction(Hdl, "XWF_GetItemSize"); + XWF_SetItemSize = (fptr_XWF_SetItemSize) getFunction(Hdl, "XWF_SetItemSize"); + XWF_GetItemOfs = (fptr_XWF_GetItemOfs) getFunction(Hdl, "XWF_GetItemOfs"); + XWF_SetItemOfs = (fptr_XWF_SetItemOfs) getFunction(Hdl, "XWF_SetItemOfs"); + XWF_GetItemInformation = (fptr_XWF_GetItemInformation) getFunction(Hdl, "XWF_GetItemInformation"); + XWF_SetItemInformation = (fptr_XWF_SetItemInformation) getFunction(Hdl, "XWF_SetItemInformation"); + XWF_GetItemType = (fptr_XWF_GetItemType) getFunction(Hdl, "XWF_GetItemType"); + XWF_SetItemType = (fptr_XWF_SetItemType) getFunction(Hdl, "XWF_SetItemType"); + XWF_GetItemParent = (fptr_XWF_GetItemParent) getFunction(Hdl, "XWF_GetItemParent"); + XWF_SetItemParent = (fptr_XWF_SetItemParent) getFunction(Hdl, "XWF_SetItemParent"); + XWF_GetHashSetAssocs = (fptr_XWF_GetHashSetAssocs) getFunction(Hdl, 
"XWF_GetHashSetAssocs"); + XWF_GetReportTableAssocs = (fptr_XWF_GetReportTableAssocs) getFunction(Hdl, "XWF_GetReportTableAssocs"); + XWF_AddToReportTable = (fptr_XWF_AddToReportTable) getFunction(Hdl, "XWF_AddToReportTable"); + XWF_GetComment = (fptr_XWF_GetComment) getFunction(Hdl, "XWF_GetComment"); + XWF_AddComment = (fptr_XWF_AddComment) getFunction(Hdl, "XWF_AddComment"); + + XWF_OutputMessage = (fptr_XWF_OutputMessage) getFunction(Hdl, "XWF_OutputMessage"); + XWF_GetUserInput = (fptr_XWF_GetUserInput) getFunction(Hdl, "XWF_GetUserInput"); + XWF_ShowProgress = (fptr_XWF_ShowProgress) getFunction(Hdl, "XWF_ShowProgress"); + XWF_SetProgressPercentage = (fptr_XWF_SetProgressPercentage) getFunction(Hdl, "XWF_SetProgressPercentage"); + XWF_SetProgressDescription = (fptr_XWF_SetProgressDescription) getFunction(Hdl, "XWF_SetProgressDescription"); + XWF_ShouldStop = (fptr_XWF_ShouldStop) getFunction(Hdl, "XWF_ShouldStop"); + XWF_HideProgress = (fptr_XWF_HideProgress) getFunction(Hdl, "XWF_HideProgress"); + XWF_ReleaseMem = (fptr_XWF_ReleaseMem) getFunction(Hdl, "XWF_ReleaseMem"); + + XWF_GetBlock = (fptr_XWF_GetBlock) getFunction(Hdl, "XWF_GetBlock"); + XWF_SetBlock = (fptr_XWF_SetBlock) getFunction(Hdl, "XWF_SetBlock"); + XWF_GetCaseProp = (fptr_XWF_GetCaseProp) getFunction(Hdl, "XWF_GetCaseProp"); + XWF_GetFirstEvObj = (fptr_XWF_GetFirstEvObj) getFunction(Hdl, "XWF_GetFirstEvObj"); + XWF_GetNextEvObj = (fptr_XWF_GetNextEvObj) getFunction(Hdl, "XWF_GetNextEvObj"); + XWF_OpenEvObj = (fptr_XWF_OpenEvObj) getFunction(Hdl, "XWF_OpenEvObj"); + XWF_CloseEvObj = (fptr_XWF_CloseEvObj) getFunction(Hdl, "XWF_CloseEvObj"); + XWF_GetEvObj = (fptr_XWF_GetEvObj) getFunction(Hdl, "XWF_GetEvObj"); + XWF_GetEvObjProp = (fptr_XWF_GetEvObjProp) getFunction(Hdl, "XWF_GetEvObjProp"); + XWF_GetExtractedMetadata = (fptr_XWF_GetExtractedMetadata) getFunction(Hdl, "XWF_GetExtractedMetadata"); + XWF_GetMetadataEx = (fptr_XWF_GetMetadataEx) getFunction(Hdl, "XWF_GetMetadataEx"); + 
XWF_GetRasterImage = (fptr_XWF_GetRasterImage) getFunction(Hdl, "XWF_GetRasterImage"); + XWF_AddExtractedMetadata = (fptr_XWF_AddExtractedMetadata) getFunction(Hdl, "XWF_AddExtractedMetadata"); + XWF_GetHashValue = (fptr_XWF_GetHashValue) getFunction(Hdl, "XWF_GetHashValue"); + XWF_SetHashValue = (fptr_XWF_SetHashValue) getFunction(Hdl, "XWF_SetHashValue"); + XWF_AddEvent = (fptr_XWF_AddEvent) getFunction(Hdl, "XWF_AddEvent"); + XWF_GetEvent = (fptr_XWF_GetEvent) getFunction(Hdl, "XWF_GetEvent"); + XWF_GetReportTableInfo = (fptr_XWF_GetReportTableInfo) getFunction(Hdl, "XWF_GetReportTableInfo"); + XWF_GetEvObjReportTableAssocs = (fptr_XWF_GetEvObjReportTableAssocs) getFunction(Hdl, "XWF_GetEvObjReportTableAssocs"); + + XWF_Search = (fptr_XWF_Search) getFunction(Hdl, "XWF_Search"); + XWF_AddSearchTerm = (fptr_XWF_AddSearchTerm) getFunction(Hdl, "XWF_AddSearchTerm"); + XWF_GetSearchTerm = (fptr_XWF_GetSearchTerm) getFunction(Hdl, "XWF_GetSearchTerm"); + + XWF_GetWindow = (fptr_XWF_GetWindow) getFunction(Hdl, "XWF_GetWindow"); + XWF_GetProp = (fptr_XWF_GetProp) getFunction(Hdl, "XWF_GetProp"); + XWF_ManageSearchTerm = (fptr_XWF_ManageSearchTerm) getFunction(Hdl, "XWF_ManageSearchTerm"); + + return missingFunctionCount; +} + diff --git a/XT_VirusTotal/X-Tension.h b/XT_VirusTotal/X-Tension.h new file mode 100644 index 0000000..5991af6 --- /dev/null +++ b/XT_VirusTotal/X-Tension.h 
@@ -0,0 +1,534 @@ +/////////////////////////////////////////////////////////////////////////////// +// X-Tension API - Function headers +// Copyright X-Ways Software Technology AG +/////////////////////////////////////////////////////////////////////////////// + +#ifndef X_Tension__h +#define X_Tension__h + +#include + +// Please consult +// http://x-ways.com/forensics/x-tensions/api.html +// for current documentation + +/////////////////////////////////////////////////////////////////////////////// +// Functions that you may call + +// XT_RetrieveFunctionPointers - call this function before calling anything else +LONG __stdcall XT_RetrieveFunctionPointers(); + +// Get list of missing functions +const char* getMissingFunctions(); + +// XWF_GetSize (tested, deprecated, use XWF_GetProp instead) +typedef INT64 (__stdcall *fptr_XWF_GetSize) (HANDLE hVolumeOrItem, LPVOID lpOptional); + +// XWF_GetVolumeName (tested) +typedef void (__stdcall *fptr_XWF_GetVolumeName) (HANDLE hVolume, wchar_t* lpString, + DWORD nType); + +// XWF_GetVolumeInformation (tested) +typedef void (__stdcall *fptr_XWF_GetVolumeInformation) (HANDLE hVolume, + LPLONG lpFileSystem, DWORD* nBytesPerSector, DWORD* nSectorsPerCluster, + INT64* nClusterCount, INT64* nFirstClusterSectorNo); + +// XWF_GetSectorContents +typedef BOOL (__stdcall *fptr_XWF_GetSectorContents) (HANDLE hVolume, INT64 nSectorNo, + wchar_t* lpDescr, LPLONG lpItemID); + +// XWF_Read (tested) +typedef DWORD (__stdcall *fptr_XWF_Read) (HANDLE hVolumeOrItem, INT64 nOffset, BYTE* lpBuffer, + DWORD nNumberOfBytesToRead); + +// XWF_SectorIO +typedef DWORD(__stdcall *fptr_XWF_SectorIO) (LONG nDrive, INT64 nSector, DWORD nCount, + LPVOID lpBuffer, LPDWORD nFlags); + +// XWF_SelectVolumeSnapshot +typedef void (__stdcall *fptr_XWF_SelectVolumeSnapshot) (HANDLE hVolume); + +// XWF_GetItemCount +typedef DWORD (__stdcall *fptr_XWF_GetItemCount) (LPVOID pReserved); + +// XWF_GetFileCount +typedef DWORD(__stdcall *fptr_XWF_GetFileCount) (LONG 
nDirID); + +// XWF_CreateItem +typedef long int (__stdcall *fptr_XWF_CreateItem) (wchar_t* lpName, DWORD nCreationFlags); + +#pragma pack(push) +#pragma pack(2) +struct SrcInfo { + DWORD nStructSize; + INT64 nBufSize; + LPVOID pBuffer; +}; +#pragma pack(pop) + +// XWF_CreateFile +typedef long int(__stdcall *fptr_XWF_CreateFile) (LPWSTR pName, DWORD nCreationFlags, + LONG nParentItemID, PVOID pSourceInfo); + +// XWF_FindItem1 +typedef long int(__stdcall *fptr_XWF_FindItem1) (LONG nParentItemID, LPWSTR lpName, + DWORD nFlags, LONG nSearchStartItemID); + +// XWF_GetItemName (tested) +typedef const wchar_t* (__stdcall *fptr_XWF_GetItemName) (LONG nItemID); + +// XWF_GetItemSize (tested) +typedef INT64 (__stdcall *fptr_XWF_GetItemSize) (LONG nItemID); + +// XWF_SetItemSize +typedef void (__stdcall *fptr_XWF_SetItemSize) (LONG nItemID, INT64 nSize); + +// XWF_GetItemOfs +typedef void (__stdcall *fptr_XWF_GetItemOfs) (LONG nItemID, INT64* lpDefOfs, + INT64* lpStartSector); + +// XWF_SetItemOfs +typedef void (__stdcall *fptr_XWF_SetItemOfs) (LONG nItemID, INT64 nDefOfs, + INT64 nStartSector); + +// XWF_GetItemInformation +typedef INT64 (__stdcall *fptr_XWF_GetItemInformation) (LONG nItemID, + LONG nInfoType, LPBOOL lpSuccess); + +// XWF_SetItemInformation +typedef BOOL (__stdcall *fptr_XWF_SetItemInformation) (LONG nItemID, + LONG nInfoType, INT64 nInfoValue); + +// XWF_GetItemType +typedef LONG (__stdcall *fptr_XWF_GetItemType) (LONG nItemID, wchar_t*lpTypeDescr, + DWORD nBufferLenAndFlags); + +// XWF_SetItemType +typedef void (__stdcall *fptr_XWF_SetItemType) (LONG nItemID, wchar_t*lpTypeDescr, + LONG nTypeStatus); + +// XWF_GetItemParent +typedef LONG (__stdcall *fptr_XWF_GetItemParent) (LONG nItemID); + +// XWF_SetItemParent +typedef void (__stdcall *fptr_XWF_SetItemParent) (LONG nChildItemID, LONG nParentItemID); + +// XWF_GetHashSetAssocs +typedef LONG (__stdcall *fptr_XWF_GetHashSetAssocs) (LONG nItemID, LPWSTR lpBuffer, + LONG nBufferLen); + +// 
XWF_GetReportTableAssocs +typedef LONG (__stdcall *fptr_XWF_GetReportTableAssocs) (LONG nItemID, + wchar_t* lpBuffer, LONG nBufferLen); + +// XWF_AddToReportTable +typedef LONG (__stdcall *fptr_XWF_AddToReportTable) (LONG nItemID, + wchar_t* lpReportTableName, DWORD nFlags); + +// XWF_GetComment +typedef wchar_t* (__stdcall *fptr_XWF_GetComment) (LONG nItemID); + +// XWF_AddComment (tested) +typedef BOOL (__stdcall *fptr_XWF_AddComment) (LONG nItemID, wchar_t* lpComment, + DWORD nFlagsHowToAdd); + +// XWF_OutputMessage (tested) +typedef void (__stdcall * fptr_XWF_OutputMessage) (const wchar_t* lpMessage, DWORD nFlags); + +// XWF_GetUserInput +typedef INT64(__stdcall * fptr_XWF_GetUserInput) (LPWSTR lpMessage, LPWSTR lpBuffer, + DWORD nBufferLen, DWORD nFlags); + +// XWF_ShowProgress +typedef void (__stdcall * fptr_XWF_ShowProgress) (wchar_t* lpCaption, DWORD nFlags); + +// XWF_SetProgressPercentage +typedef void (__stdcall * fptr_XWF_SetProgressPercentage) (DWORD nPercent); + +// XWF_SetProgressDescription +typedef void (__stdcall * fptr_XWF_SetProgressDescription) (wchar_t* lpStr); + +// XWF_ShouldStop +typedef BOOL (__stdcall * fptr_XWF_ShouldStop) (void); + +// XWF_HideProgress +typedef void (__stdcall * fptr_XWF_HideProgress) (void); + +// XWF_ReleaseMem +typedef BOOL(__stdcall * fptr_XWF_ReleaseMem) (PVOID lpBuffer); + +// Open item in a volume +typedef HANDLE (__stdcall * fptr_XWF_OpenItem) (HANDLE hVolume, + LONG nItemID, DWORD nFlags); + +// Close item on a volume +typedef void (__stdcall * fptr_XWF_Close) (HANDLE hVolumeOrItem); + +// Create evidence object +typedef HANDLE (__stdcall * fptr_XWF_CreateEvObj) (DWORD nType, LONG nDiskID, + LPWSTR lpPath, PVOID pReserved); + +// Retrieve information about the current volume snapshot +typedef INT64 (__stdcall * fptr_XWF_GetVSProp) (LONG nPropType, PVOID pBuffer); + +#pragma pack(push) +#pragma pack(2) +struct SearchInfo { + LONG iSize; + HANDLE hVolume; + LPWSTR lpSearchTerms; + DWORD nFlags; + DWORD 
nSearchWindow; +}; + +#pragma pack(2) +struct CodePages { + LONG iSize; + WORD nCodePage1; + WORD nCodePage2; + WORD nCodePage3; + WORD nCodePage4; + WORD nCodePage5; +}; +#pragma pack(pop) + +// XWF_Search +typedef LONG(__stdcall * fptr_XWF_Search) (void/*SearchInfo*/* SInfo, void/*CodePages*/* CPages); + +// XWF_AddSearchTerm +typedef LONG(__stdcall * fptr_XWF_AddSearchTerm) (LPWSTR lpSearchTermName, DWORD nFlags); + +// XWF_GetSearchTerm +typedef LPWSTR(__stdcall * fptr_XWF_GetSearchTerm) (LONG nSearchTermID, LPVOID pReserved); + +// XWF_CreateContainer +typedef HANDLE (__stdcall * fptr_XWF_CreateContainer) (LPWSTR lpFileName, + DWORD nFlags, LPVOID pReserved); + +// XWF_CopyToContainer +typedef LONG (__stdcall * fptr_XWF_CopyToContainer) (HANDLE hContainer, + HANDLE hItem, DWORD nFlags, DWORD nMode, INT64 nStartOfs, + INT64 nEndOfs, LPVOID pReserved); + +// XWF_CloseContainer +typedef LONG (__stdcall * fptr_XWF_CloseContainer) (HANDLE hContainer, + LPVOID pReserved); + +// XWF_GetBlock +typedef BOOL (__stdcall * fptr_XWF_GetBlock) (HANDLE hVolume, INT64* lpStartOfs, INT64* lpEndOfs); + +// XWF_SetBlock +typedef BOOL (__stdcall * fptr_XWF_SetBlock) (HANDLE hVolume, INT64 nStartOfs, INT64 nEndOfs); + +// XWF_GetCaseProp +typedef INT64 (__stdcall * fptr_XWF_GetCaseProp) (LPVOID pReserved, LONG nPropType, PVOID pBuffer, + LONG nBufLen); + +// XWF_GetFirstEvObj +typedef HANDLE (__stdcall * fptr_XWF_GetFirstEvObj) (LPVOID pReserved); + +// XWF_GetNextEvObj +typedef HANDLE (__stdcall * fptr_XWF_GetNextEvObj) (HANDLE hPrevEvidence, LPVOID pReserved); + +// XWF_OpenEvObj +typedef HANDLE (__stdcall * fptr_XWF_OpenEvObj) (HANDLE hEvidence, DWORD nFlags); + +// XWF_CloseEvObj +typedef VOID (__stdcall * fptr_XWF_CloseEvObj) (HANDLE hEvidence); + +// XWF_GetEvObj +typedef HANDLE (__stdcall * fptr_XWF_GetEvObj) (DWORD nEvObjID); + +// XWF_GetEvObjProp +typedef INT64 (__stdcall * fptr_XWF_GetEvObjProp) (HANDLE hEvidence, DWORD nPropType, + PVOID pBuffer); + +// 
XWF_GetExtractedMetadata +typedef LPWSTR (__stdcall * fptr_XWF_GetExtractedMetadata) (LONG nItemID); + +// XWF_GetMetadataEx +typedef LPVOID (__stdcall * fptr_XWF_GetMetadataEx) (HANDLE hItem, PDWORD lpnFlags); + +// XWF_GetRasterImage +typedef LPVOID(__stdcall * fptr_XWF_GetRasterImage) (struct RasterImageInfo* RIInfo); + +// XWF_AddExtractedMetadata +typedef BOOL (__stdcall * fptr_XWF_AddExtractedMetadata) (LONG nItemID, LPWSTR lpComment, DWORD nFlagsHowToAdd); + +// XWF_GetHashValue +typedef BOOL (__stdcall * fptr_XWF_GetHashValue) (LONG nItemID, LPVOID lpBuffer); + +// XWF_SetHashValue +typedef BOOL (__stdcall * fptr_XWF_SetHashValue) (LONG nItemID, LPVOID lpHash, DWORD nParam); + +#pragma pack(push) +#pragma pack(2) +struct EventInfo { + LONG iSize; + HANDLE hEvidence; + DWORD nEvtType; + DWORD nFlags; + FILETIME TimeStamp; + LONG nItemID; + INT64 nOfs; + LPSTR lpDescr; +}; + +#pragma pack(2) +struct RasterImageInfo { + DWORD nSize; + LONG nItemID; + HANDLE hItem; + DWORD nFlags; + DWORD nWidth; + DWORD nHeight; + DWORD nResSize; +}; + +#pragma pack(2) +struct LicenseInfo { + DWORD nSize; + DWORD nLicFlags; + DWORD nUsers; + FILETIME nExpDate; + BYTE nLicID[16]; +}; + +#pragma pack(pop) + +// XWF_AddEvent +typedef LONG (__stdcall * fptr_XWF_AddEvent) (struct EventInfo* Evt); + +// XWF_GetEvent +typedef DWORD(__stdcall * fptr_XWF_GetEvent) (DWORD nEventNo, struct EventInfo* Evt); + +// XWF_GetReportTableInfo +typedef LPVOID (__stdcall * fptr_XWF_GetReportTableInfo) (LPVOID pReserved, LONG nReportTableID, PLONG lpOptional); + +// XWF_GetEvObjReportTableAssocs +typedef LPVOID (__stdcall * fptr_XWF_GetEvObjReportTableAssocs) (HANDLE hEvidence, LONG nFlags, PLONG lpValue); + +// XWF_GetWindow +typedef HWND (__stdcall * fptr_XWF_GetWindow)(WORD nWndNo, WORD nWndIndex); + +// XWF_GetProp (tested) +typedef INT64 (__stdcall * fptr_XWF_GetProp)(HANDLE hVolumeOrItem, DWORD nPropType, void* lpBuffer); + +// XWF_ManageSearchTerm +typedef DWORD (__stdcall * 
fptr_XWF_ManageSearchTerm)(LONG nSearchTermID, LONG nProperty, DWORD* pValue); + +/////////////////////////////////////////////////////////////////////////////// +// Variables that store the function pointers + +extern fptr_XWF_GetSize XWF_GetSize; +extern fptr_XWF_GetVolumeName XWF_GetVolumeName; +extern fptr_XWF_GetVolumeInformation XWF_GetVolumeInformation; +extern fptr_XWF_GetSectorContents XWF_GetSectorContents; +extern fptr_XWF_Read XWF_Read; +extern fptr_XWF_SectorIO XWF_SectorIO; +extern fptr_XWF_SelectVolumeSnapshot XWF_SelectVolumeSnapshot; +extern fptr_XWF_GetVSProp XWF_GetVSProp; +extern fptr_XWF_GetItemCount XWF_GetItemCount; +extern fptr_XWF_GetFileCount XWF_GetFileCount; +extern fptr_XWF_CreateItem XWF_CreateItem; +extern fptr_XWF_CreateFile XWF_CreateFile; +extern fptr_XWF_FindItem1 XWF_FindItem1; +extern fptr_XWF_GetItemName XWF_GetItemName; +extern fptr_XWF_GetItemSize XWF_GetItemSize; +extern fptr_XWF_SetItemSize XWF_SetItemSize; +extern fptr_XWF_GetItemOfs XWF_GetItemOfs; +extern fptr_XWF_SetItemOfs XWF_SetItemOfs; +extern fptr_XWF_GetItemInformation XWF_GetItemInformation; +extern fptr_XWF_SetItemInformation XWF_SetItemInformation; +extern fptr_XWF_GetItemType XWF_GetItemType; +extern fptr_XWF_SetItemType XWF_SetItemType; +extern fptr_XWF_GetItemParent XWF_GetItemParent; +extern fptr_XWF_SetItemParent XWF_SetItemParent; +extern fptr_XWF_GetHashSetAssocs XWF_GetHashSetAssocs; +extern fptr_XWF_GetReportTableAssocs XWF_GetReportTableAssocs; +extern fptr_XWF_AddToReportTable XWF_AddToReportTable; +extern fptr_XWF_GetComment XWF_GetComment; +extern fptr_XWF_AddComment XWF_AddComment; +extern fptr_XWF_OutputMessage XWF_OutputMessage; +extern fptr_XWF_GetUserInput XWF_GetUserInput; +extern fptr_XWF_ShowProgress XWF_ShowProgress; +extern fptr_XWF_SetProgressPercentage XWF_SetProgressPercentage; +extern fptr_XWF_SetProgressDescription XWF_SetProgressDescription; +extern fptr_XWF_ShouldStop XWF_ShouldStop; +extern fptr_XWF_HideProgress XWF_HideProgress; 
+extern fptr_XWF_ReleaseMem XWF_ReleaseMem; + +extern fptr_XWF_OpenItem XWF_OpenItem; +extern fptr_XWF_Close XWF_Close; +extern fptr_XWF_CreateEvObj XWF_CreateEvObj; +extern fptr_XWF_Search XWF_Search; +extern fptr_XWF_CreateContainer XWF_CreateContainer; +extern fptr_XWF_CopyToContainer XWF_CopyToContainer; +extern fptr_XWF_CloseContainer XWF_CloseContainer; + +extern fptr_XWF_GetBlock XWF_GetBlock; +extern fptr_XWF_SetBlock XWF_SetBlock; +extern fptr_XWF_GetCaseProp XWF_GetCaseProp; +extern fptr_XWF_GetFirstEvObj XWF_GetFirstEvObj; +extern fptr_XWF_GetNextEvObj XWF_GetNextEvObj; +extern fptr_XWF_OpenEvObj XWF_OpenEvObj; +extern fptr_XWF_CloseEvObj XWF_CloseEvObj; +extern fptr_XWF_GetEvObj XWF_GetEvObj; +extern fptr_XWF_GetEvObjProp XWF_GetEvObjProp; +extern fptr_XWF_GetExtractedMetadata XWF_GetExtractedMetadata; +extern fptr_XWF_GetMetadataEx XWF_GetMetadataEx; +extern fptr_XWF_GetRasterImage XWF_GetRasterImage; +extern fptr_XWF_AddExtractedMetadata XWF_AddExtractedMetadata; +extern fptr_XWF_GetHashValue XWF_GetHashValue; +extern fptr_XWF_SetHashValue XWF_SetHashValue; +extern fptr_XWF_AddEvent XWF_AddEvent; +extern fptr_XWF_GetEvent XWF_GetEvent; +extern fptr_XWF_GetReportTableInfo XWF_GetReportTableInfo; +extern fptr_XWF_GetEvObjReportTableAssocs XWF_GetEvObjReportTableAssocs; + +extern fptr_XWF_GetWindow XWF_GetWindow; + +extern fptr_XWF_GetProp XWF_GetProp; + +extern fptr_XWF_ManageSearchTerm XWF_ManageSearchTerm; + +extern fptr_XWF_Search XWF_Search; + + +#define XT_INIT_XWF 0x00000001 // X-Ways Forensics +#define XT_INIT_WHX 0x00000002 // WinHex +#define XT_INIT_XWI 0x00000004 // X-Ways Investigator +#define XT_INIT_BETA 0x00000008 // beta version +#define XT_INIT_QUICKCHECK 0x00000020 // called just to check whether the API accepts the calling application (used by v16.5 and later) +#define XT_INIT_ABOUTONLY 0x00000040 // called just to prepare for XT_About (used by v16.5 and later) + +#define XT_ACTION_RUN 0 // simply run directly from the main menu, not 
for any particular volume, since v16.6 +#define XT_ACTION_RVS 1 // volume snapshot refinement starting +#define XT_ACTION_LSS 2 // logical simultaneous search starting +#define XT_ACTION_PSS 3 // physical simultaneous search starting +#define XT_ACTION_DBC 4 // directory browser context menu command invoked +#define XT_ACTION_SHC 5 // search hit context menu command invoked + +#define XWF_ITEM_INFO_ORIG_ID 1 +#define XWF_ITEM_INFO_ATTR 2 +#define XWF_ITEM_INFO_FLAGS 3 +#define XWF_ITEM_INFO_DELETION 4 +#define XWF_ITEM_INFO_CLASSIFICATION 5 // e.g. extracted e-mail message, alternate data stream, etc. +#define XWF_ITEM_INFO_LINKCOUNT 6 // hard-link count +#define XWF_ITEM_INFO_FILECOUNT 11 // how many child objects exist recursively that are files +#define XWF_ITEM_INFO_CREATIONTIME 32 +#define XWF_ITEM_INFO_MODIFICATIONTIME 33 +#define XWF_ITEM_INFO_LASTACCESSTIME 34 +#define XWF_ITEM_INFO_ENTRYMODIFICATIONTIME 35 +#define XWF_ITEM_INFO_DELETIONTIME 36 +#define XWF_ITEM_INFO_INTERNALCREATIONTIME 37 +#define XWF_ITEM_INFO_FLAGS_SET 64 // indicates only flags that should be set, others remain unchanged +#define XWF_ITEM_INFO_FLAGS_REMOVE 65 // indicates flags that should be removed, others remain unchanged + +#define XWF_SEARCH_LOGICAL 0x00000001 // logical search instead of physical search (only logical search currently available) +#define XWF_SEARCH_TAGGEDOBJ 0x00000004 // tagged objects in volume snapshot only +#define XWF_SEARCH_MATCHCASE 0x00000010 // match case +#define XWF_SEARCH_WHOLEWORDS 0x00000020 // whole words only +#define XWF_SEARCH_GREP 0x00000040 // GREP syntax +#define XWF_SEARCH_OVERLAPPED 0x00000080 // allow overlapping hits +#define XWF_SEARCH_COVERSLACK 0x00000100 // cover slack space +#define XWF_SEARCH_COVERSLACKEX 0x00000200 // cover slack/free space transition +#define XWF_SEARCH_DECODETEXT 0x00000400 // decode text in standard file types +#define XWF_SEARCH_DECODETEXTEX 0x00000800 // decode text in specified file types // not yet supported 
+#define XWF_SEARCH_1HITPERFILE 0x00001000 // 1 hit per file needed only +#define XWF_SEARCH_OMITIRRELEVANT 0x00010000 // omit files classified as irrelevant +#define XWF_SEARCH_OMITHIDDEN 0x00020000 // omit hidden files +#define XWF_SEARCH_OMITFILTERED 0x00040000 // omit files that are filtered out +#define XWF_SEARCH_DATAREDUCTION 0x00080000 // recommendable data reduction +#define XWF_SEARCH_OMITDIRS 0x00100000 // omit directories +#define XWF_SEARCH_CALLPSH 0x01000000 // see below +#define XWF_SEARCH_DISPLAYHITS 0x04000000 // display search hit list when the search completes + +#define XWF_CTR_OPEN 0x00000001 // opens an existing container, all other flags ignored +#define XWF_CTR_XWFS2 0x00000002 // use new XWFS2 file system +#define XWF_CTR_SECURE 0x00000004 // mark this container as to be filled indirectly/secure +#define XWF_CTR_TOPLEVEL 0x00000008 // include evidence object names as top directory level +#define XWF_CTR_INCLDIRDATA 0x00000010 // include directory data +#define XWF_CTR_FILEPARENTS 0x00000020 // allow files as parents of files +#define XWF_CTR_USERREPORTTABLES 0x00000100 // export associations with user-created report table +#define XWF_CTR_SYSTEMREPORTTABLES 0x00000200 // export associations with system-created report tables (currently requires 0x100) +#define XWF_CTR_ALLCOMMENTS 0x00000800 // pass on comments +#define XWF_CTR_OPTIMIZE1 0x00001000 // optimize for > 1,000 items +#define XWF_CTR_OPTIMIZE2 0x00002000 // optimize for > 50,000 items +#define XWF_CTR_OPTIMIZE3 0x00004000 // optimize for > 250,000 items +#define XWF_CTR_OPTIMIZE4 0x00008000 // optimize for > 1 million items + +#define XWF_VSPROP_SPECIALITEMID 10 +#define XWF_VSPROP_HASHTYPE 11 +#define XWF_VSPROP_HASHTYPE1 20 +#define XWF_VSPROP_HASHTYPE2 21 +#define XWF_VSPROP_SET_HASHTYPE1 25 +#define XWF_VSPROP_SET_HASHTYPE2 26 + +/////////////////////////////////////////////////////////////////////////////// +// Functions that X-Ways Forensics or WinHex may call + +struct 
CallerInfo {
+ BYTE lang, ServiceRelease;
+ WORD version;
+};
+
+// XT_Init - mandatory export
+LONG __stdcall XT_Init(DWORD/*CallerInfo*/ info, DWORD nFlags, HANDLE hMainWnd, struct LicenseInfo* pLicInfo);
+
+// The following functions are optional for export
+// In order to implement the functions, implement them and activate them
+// in the module definition file
+
+// XT_Done
+LONG __stdcall XT_Done(void* lpReserved);
+
+// XT_About
+LONG __stdcall XT_About(HANDLE hParentWnd, void* lpReserved);
+
+// XT_Prepare
+LONG __stdcall XT_Prepare(HANDLE hVolume, HANDLE hEvidence, DWORD nOpType,
+ void* lpReserved);
+
+// XT_Finalize
+LONG __stdcall XT_Finalize(HANDLE hVolume, HANDLE hEvidence, DWORD nOpType,
+ void* lpReserved);
+
+// XT_ProcessItem
+LONG __stdcall XT_ProcessItem(LONG nItemID, void* lpReserved);
+
+// XT_ProcessItemEx
+LONG __stdcall XT_ProcessItemEx(LONG nItemID, HANDLE hItem, void* lpReserved);
+
+// XT_ProcessSearchHit
+LONG __stdcall XT_ProcessSearchHit(struct SearchHitInfo* info);
+
+/*#pragma pack(2)
+struct PrepareSearchInfo {
+ LONG iSize,
+ LPWSTR lpSearchTerms,
+ DWORD nBufLen,
+ DWORD nFlags
+};
+
+#pragma pack(2)
+struct CodePages {
+ LONG iSize,
+ WORD nCodePage1,
+ WORD nCodePage2,
+ WORD nCodePage3,
+ WORD nCodePage4,
+ WORD nCodePage5
+};*/
+
+// Allows to enter predefined search terms into the dialog window for use with the search
+//LONG XT_PrepareSearch(struct PrepareSearchInfo* PSInfo, struct CodePages* CPages);
+
+// Used for viewer X-Tensions
+PVOID XT_View(HANDLE hItem, LONG nItemID, HANDLE hVolume, HANDLE hEvidence,
+ PVOID lpReserved, PINT64 nResSize);
+
+// free up memory allocated by a previous call e.g. of XT_View
+BOOL XT_ReleaseMem(PVOID lpBuffer);
+
+#endif
\ No newline at end of file
diff --git a/XT_VirusTotal/XT_VirusTotal.cpp b/XT_VirusTotal/XT_VirusTotal.cpp
new file mode 100644
index 0000000..d7142b1
--- /dev/null
+++ b/XT_VirusTotal/XT_VirusTotal.cpp
@@ -0,0 +1,508 @@
+#include "pch.h"
+
+//// Global Variables
+
+// API key to be used for the querying
+wchar_t VirusTotalApiKey[128];
+
+// Number of queries to perform per minute (for rate limiting / free API versions)
+// 0 means go as fast as possible
+unsigned int QueryRate = 0;
+
+// The base URL for VirusTotal API lookups
+std::wstring VirusTotalAPIEndpoint = std::wstring(L"/api/v3/files/");
+
+// The std::list that is to be used as a queue for lookups
+std::list HashLookupQueue;
+
+// CRITICAL_SECTION object for syncrhonization on operations on the HashLookupQueue
+CRITICAL_SECTION HashLookupQueueCriticalSection;
+
+// HANDLE for the QueueProcessingThread; intially NULL; thread gets created once the first XWFITEMHASH is inserted
+HANDLE hQueueProcessingThread = NULL;
+
+// Exported function called by X-Ways to initialize us
+LONG __stdcall XT_Init(DWORD nVersion, DWORD nFlags, HANDLE hMainWnd, struct LicenseInfo* pLicInfo) {
+ if (XT_RetrieveFunctionPointers() > 0) {
+ // Check that the function pointers we need are available else return -1
+ return -1;
+ }
+
+ // Check version. We need 17.4 or later.
+ if (nVersion < 1740) {
+ XWF_OutputMessage(L"Error: This XTension requires X-Ways Forensics version 17.4 or later.", 0);
+ return -1;
+ }
+
+ // Initialize the CRITICAL_SECTION object for syncrhonization of operations on the queue
+ InitializeCriticalSection(&HashLookupQueueCriticalSection);
+
+ std::wstringstream ss;
+ ss << L"Processing hashes through VirusTotal, " << QueryRate << L" hashes per minute. 
Please wait...";
+ XWF_OutputMessage(ss.str().c_str(), 0);
+
+ return 1;
+}
+
+// Exported function called by X-Ways when the user selects the "About" button
+LONG __stdcall XT_About(HANDLE hParentWnd, void* lpReserved) {
+ MessageBox((HWND)hParentWnd, L"Polito, Inc.\nCopyright 2022\nVirusTotal Lookup X-Tension", L"VirusTotal Lookup", MB_OK);
+ return 0;
+}
+
+// Exported function called by X-Ways when preparing for operations and to determine how we are to be called going forward
+LONG __stdcall XT_Prepare(HANDLE hVolume, HANDLE hEvidence, DWORD nOpType, void* lpReserved) {
+
+
+ // Only run when refining the volume snapshot or when invoked via the directory browser context menu
+ if (nOpType == XT_ACTION_RUN || nOpType == XT_ACTION_RVS || nOpType == XT_ACTION_DBC) {
+ return XT_PREPARE_CALLPI;
+ }
+
+ return 0;
+}
+
+// Exported function called on each item to be processed
+LONG __stdcall XT_ProcessItem(LONG nItemID, void* lpReserved) {
+ // Ask X-Ways to give us the value of the hash that was computed for this particular item
+ BOOL bSuccess = FALSE;
+ // Pointer to our hash string buffer
+ std::wstring szItemHash;
+
+ // Get the information about the current item
+ INT64 nResult = XWF_GetItemInformation(nItemID, XWF_ITEM_INFO_FLAGS, &bSuccess);
+
+ // Check if the hash has already been computed
+ if (nResult & XT_HASH1ALREADYCOMPUTED) {
+ // retrieve the hash type
+ INT64 hashType = XWF_GetVSProp(XWF_VSPROP_HASHTYPE1, NULL);
+
+ // Get the hash in string format
+ if (GetHashString(nItemID, hashType, &szItemHash)) {
+ // Create a XWFITEMHASH object and add it to the queue
+ XWFITEMHASH *itemHash = new XWFITEMHASH();
+ itemHash->nItemID = nItemID;
+ itemHash->szHash = szItemHash;
+
+ EnterCriticalSection(&HashLookupQueueCriticalSection);
+ HashLookupQueue.push_back(itemHash);
+ LeaveCriticalSection(&HashLookupQueueCriticalSection);
+
+ if (hQueueProcessingThread == NULL) {
+ hQueueProcessingThread = CreateThread(NULL, 0, QueueProcessingFunc, NULL, 0, NULL);
+ }
+ 
}
+ else {
+ XWF_OutputMessage(L"Error converting binary hash to string.", 0);
+ return 0;
+ }
+ }
+ else {
+ MessageBox(NULL, L"Hash has not been computed", L"Alert", MB_OK);
+ // Stop the current operation
+ return -1;
+ }
+
+ return 0;
+}
+
+// Exported function called when we are finishing up our work
+LONG __stdcall XT_Done(PVOID lpReserved) {
+ // Wait until the thread processing the queue is done
+ if (hQueueProcessingThread != NULL) {
+ WaitForSingleObject(hQueueProcessingThread, INFINITE);
+ }
+
+ XWF_OutputMessage(L"VirusTotal processing complete!", 0);
+
+ return 0;
+}
+
+
+DWORD WINAPI QueueProcessingFunc(LPVOID lpParam) {
+ // The buffer to hold the response from VirusTotal
+ char* szVTReport = NULL;
+
+ while (HashLookupQueue.size() > 0) {
+ // Get the element at the front of the queue
+ XWFITEMHASH* itemHash = HashLookupQueue.front();
+
+ // Append the hash to the end of the URL string
+ std::wstring URI = VirusTotalAPIEndpoint + itemHash->szHash;
+
+ // Query VirusTotal
+ szVTReport = VT_GetFileReport(URI.c_str());
+
+ if (szVTReport != NULL) {
+ // Parse the report
+ if (!ParseFileReport(szVTReport, itemHash->nItemID)) {
+ // Print an error message
+ XWF_OutputMessage(L"Unknown error parsing the VirusTotal response.", 0);
+ }
+ }
+
+ free(szVTReport);
+
+ // Remove the XWFITEMHASH we just processed
+ EnterCriticalSection(&HashLookupQueueCriticalSection);
+ HashLookupQueue.pop_front();
+ LeaveCriticalSection(&HashLookupQueueCriticalSection);
+
+ // Sleep for the appropriate amount of time to prevent rate limiting by VT
+ if (QueryRate != 0) {
+ Sleep((60 / QueryRate) * 1000);
+ }
+ }
+
+ return 0;
+}
+
+// Read the configuration file;
+// This is called when the DLL is first loaded. It loads the API key and query rate values
+// into a global variable for later use. 
+// The configuration file format is expected to be as follows:
+// :
+BOOL ReadAPIConfigFile(HMODULE hModule) {
+ // Return value
+ BOOL bSuccess = FALSE;
+
+ // Zero out the string variables
+ ZeroMemory(VirusTotalApiKey, 128 * sizeof(wchar_t));
+
+ // Get the Module Path
+ wchar_t FilePath[MAX_PATH];
+ GetModuleFileName(hModule, FilePath, MAX_PATH);
+
+ // Zero out the module filename and append the config file name
+ wchar_t* substr = wcsrchr(FilePath, '\\');
+ if (substr == NULL) {
+ return FALSE;
+ }
+
+ // Get the index of the last backslash character in the file path
+ // FilePath = pointer to beginning of the string; substr = pointer to last backslash
+ size_t index = (size_t)(substr - FilePath);
+
+ // Zero out the filename portion of the file path
+ ZeroMemory(FilePath + index, (size_t)((MAX_PATH - index) * sizeof(wchar_t)));
+
+ // Append the (expected) name of the config file to the path string
+ StringCchCopy(substr, (size_t)(MAX_PATH - index), L"\\vtconfig.txt");
+
+ // Open the file
+ HANDLE hFile = CreateFile(FilePath,
+ GENERIC_READ,
+ FILE_SHARE_READ,
+ NULL,
+ OPEN_EXISTING,
+ FILE_ATTRIBUTE_NORMAL,
+ NULL);
+
+ if (hFile != INVALID_HANDLE_VALUE) {
+ // Get the file size
+ DWORD dwFileSize = GetFileSize(hFile, NULL);
+
+ if (dwFileSize != INVALID_FILE_SIZE) {
+ // Read the file contents into a buffer
+ char* ConfigFileContents = (char*)malloc(dwFileSize);
+
+ if (ConfigFileContents == NULL) {
+ return FALSE;
+ }
+
+ // Keep track of the number of bytes we read in
+ DWORD dwNumberOfBytesRead = 0;
+
+ if (ReadFile(hFile, ConfigFileContents, dwFileSize, &dwNumberOfBytesRead, NULL)) {
+ // File should contain single line of the format :<# queries per minute>
+
+ // Convert the file from multibyte to wide character
+ int cchConfigFileString = MultiByteToWideChar(CP_UTF8,
+ MB_PRECOMPOSED,
+ ConfigFileContents,
+ dwNumberOfBytesRead,
+ NULL,
+ 0);
+
+ // Allocate the required number of bytes
+ wchar_t* ConfigString_Converted = 
(wchar_t*)malloc(cchConfigFileString * sizeof(wchar_t));
+
+ if (ConfigString_Converted == NULL) {
+ if (ConfigFileContents != NULL) {
+ free(ConfigFileContents);
+ return FALSE;
+ }
+ }
+
+ // Convert the contents
+ int iResult = MultiByteToWideChar(CP_UTF8,
+ MB_PRECOMPOSED,
+ ConfigFileContents,
+ dwNumberOfBytesRead,
+ ConfigString_Converted,
+ cchConfigFileString);
+
+ // Check for error
+ if (iResult == 0) {
+ DWORD dwError = GetLastError();
+ if (ConfigString_Converted != NULL) {
+ free(ConfigString_Converted);
+ ConfigString_Converted = NULL;
+ }
+
+ if (ConfigFileContents != NULL) {
+ free(ConfigFileContents);
+ ConfigFileContents = NULL;
+ }
+
+ return FALSE;
+ }
+
+
+
+ // Read the tokenized string from the config string
+ int index = 0;
+ wchar_t* nextToken = NULL;
+ wchar_t* token = wcstok_s(ConfigString_Converted, L":", &nextToken);
+
+ while (token != NULL) {
+ switch (index) {
+ case 0:
+ StringCchCopy(VirusTotalApiKey, 128, token);
+ break;
+ case 1:
+ int result = swscanf_s(token, L"%d", &QueryRate);
+ if (result == 0 || result == EOF) {
+ // If we can't successfully read in the query rate value, default to 1 lookup per minute
+ QueryRate = 1;
+ }
+ }
+ index++;
+ token = wcstok_s(NULL, L":", &nextToken);
+ }
+
+ // Free the converted wide character config string
+ if (ConfigString_Converted != NULL) {
+ free(ConfigString_Converted);
+ ConfigString_Converted = NULL;
+ }
+ }
+
+ // Free the buffer that held the file contents
+ if (ConfigFileContents != NULL) {
+ free(ConfigFileContents);
+ ConfigFileContents = NULL;
+ }
+ }
+
+ CloseHandle(hFile);
+ bSuccess = TRUE;
+ }
+
+ return bSuccess;
+}
+
+// Function to convert the binary hash value to human readable format;
+// The provided buffer must be large enough to accommodate the requested hash format otherwise
+// this function will return an error code
+BOOL GetHashString(LONG nItemID, INT64 hashType, std::wstring *itemHash) {
+ size_t bufSize = 0;
+ DWORD dwOperation = 0x01; // Flag to 
XWF_GetHashValue; See https://www.x-ways.net/forensics/x-tensions/XWF_functions.html#A
+ std::wstringstream ss;
+ ss << std::hex;
+
+ switch (hashType) {
+ case XWF_HASHTYPE_MD5:
+ bufSize = 16;
+ break;
+ case XWF_HASHTYPE_SHA1:
+ bufSize = 20;
+ break;
+ case XWF_HASHTYPE_SHA256:
+ bufSize = 32;
+ break;
+ default:
+ return FALSE; // Invalid
+ }
+
+ // Get the hash value
+ BYTE* hashBuf = (BYTE*)malloc(bufSize);
+ if (hashBuf == NULL) {
+ return FALSE;
+ }
+
+ ZeroMemory(hashBuf, bufSize);
+ memcpy(hashBuf, (const void*)&dwOperation, sizeof(DWORD)); // copy the operation to the buffer to tell X-Ways what we're doing
+ if (!XWF_GetHashValue(nItemID, hashBuf)) {
+ free(hashBuf);
+ return FALSE;
+ }
+
+ // Convert to human readable string
+ for (size_t n = 0; n < bufSize; ++n) {
+ ss << std::setw(2) << std::setfill(L'0') << (unsigned int)hashBuf[n];
+ }
+
+ // Append the hash value to the itemHash parameter that was passed in
+ itemHash->append(ss.str());
+
+ // Free the hash buffer
+ free(hashBuf);
+
+ return TRUE;
+}
+
+BOOL ParseFileReport(char* VTJSON, LONG nItemID) {
+ BOOL bResult = FALSE;
+ cJSON* vtJSON = cJSON_Parse(VTJSON);
+ cJSON* data = NULL;
+ cJSON* attributes = NULL;
+ cJSON* analysis_stats = NULL;
+ cJSON* harmless = NULL;
+ cJSON* suspicious = NULL;
+ cJSON* malicious = NULL;
+ cJSON* undetected = NULL;
+
+ // Numerical values from the JSON
+ int nHarmless = 0;
+ int nSuspicious = 0;
+ int nMalicious = 0;
+ int nUndetected = 0;
+
+ // Format string for the output that will be saved to the X-ways metadata field
+ const wchar_t* szFormatString = L"[XT_VT]: Malicious: %d, Suspicious: %d, Undetected: %d, Harmless: %d";
+ wchar_t* szOutputString = NULL;
+ size_t cchOutputString = 0;
+
+ if (vtJSON == NULL) {
+ // Print an error message
+ XWF_OutputMessage(L"Error parsing JSON response from VirusTotal.", 0);
+ goto cleanup;
+ }
+
+ data = cJSON_GetObjectItemCaseSensitive(vtJSON, "data");
+ if (data == NULL) {
+ XWF_OutputMessage(L"Error: Invalid data 
returned from VirusTotal. Expected object 'data' was not found.", 0);
+ goto cleanup;
+ }
+
+ attributes = cJSON_GetObjectItemCaseSensitive(data, "attributes");
+ if (attributes == NULL) {
+ XWF_OutputMessage(L"Error: Invalid data returned from VirusTotal. Expected object 'attributes' was not found.", 0);
+ goto cleanup;
+ }
+
+ analysis_stats = cJSON_GetObjectItemCaseSensitive(attributes, "last_analysis_stats");
+ if (analysis_stats == NULL) {
+ XWF_OutputMessage(L"Error: Invalid data returned from VirusTotal. Expected object 'last_analysis_stats' was not found.", 0);
+ goto cleanup;
+ }
+
+ // Fields we are interested in are: harmless, suspicious, malicious, and undetected; values are integer
+ harmless = cJSON_GetObjectItemCaseSensitive(analysis_stats, "harmless");
+ if (harmless != NULL) {
+ nHarmless = harmless->valueint;
+ }
+
+ suspicious = cJSON_GetObjectItemCaseSensitive(analysis_stats, "suspicious");
+ if (suspicious != NULL) {
+ nSuspicious = suspicious->valueint;
+ }
+
+ malicious = cJSON_GetObjectItemCaseSensitive(analysis_stats, "malicious");
+ if (malicious != NULL) {
+ nMalicious = malicious->valueint;
+ }
+
+ undetected = cJSON_GetObjectItemCaseSensitive(analysis_stats, "undetected");
+ if (undetected != NULL) {
+ nUndetected = undetected->valueint;
+ }
+
+ // Sanity checks
+ if (nHarmless == 0 && nSuspicious == 0 && nMalicious == 0 && nUndetected == 0) {
+ // No meaningful results came back from VT. Put out a message and do nothing.
+ }
+
+ if (nHarmless < 0 || nSuspicious < 0 || nMalicious < 0 || nUndetected < 0) {
+ // One of the numbers was wildly out of range
+ }
+
+ // Virustotal only has ~70 scanners currently. 
100 should give us a buffer for future additions
+ if (nHarmless > 100 || nSuspicious > 100 || nMalicious > 100 || nUndetected > 100) {
+ // One of the numbers was greater than expected
+ }
+
+ // Field width max = 3 (max 100 scanners)
+ // Format string characters per field = 2
+ // Number of fields = 4
+ // Thus we add one character for each of the fields, for a total of 4 extra characters
+ // Plus a terminating null character = 5 total extra characters we need in the buffer
+ cchOutputString = wcslen(szFormatString) + 5;
+
+ // Allocate a buffer for the formatted data
+ szOutputString = (wchar_t*)malloc(cchOutputString * sizeof(wchar_t));
+
+ if (szOutputString == NULL) {
+ // Memory allocation failed; write an error message and do nothing
+ goto cleanup;
+ }
+
+ // Zero out the output string
+ ZeroMemory(szOutputString, (cchOutputString * sizeof(wchar_t)));
+
+ // Write the numerical data to the formatted string buffer
+ StringCchPrintf(szOutputString, cchOutputString, szFormatString, nMalicious, nSuspicious, nUndetected, nHarmless);
+
+ // Add the comment
+ if (XWF_GetExtractedMetadata(nItemID) == NULL || wcsstr(XWF_GetExtractedMetadata(nItemID), L"[XT_VT]") == NULL) {
+ XWF_AddExtractedMetadata(nItemID, szOutputString, 2);
+ bResult = TRUE;
+ }
+
+ // If the a scanner has reported the file as malicious, use X-Ways internal API to flag the file as "known bad hash category"
+ if (nMalicious > 0) {
+ BOOL bSuccess = FALSE;
+ INT64 iXwFlags = XWF_GetItemInformation(nItemID, XWF_ITEM_INFO_FLAGS, &bSuccess);
+ if (bSuccess)
+ XWF_SetItemInformation(nItemID, XWF_ITEM_INFO_FLAGS, iXwFlags | 0x00400000);
+ }
+cleanup:
+ if (vtJSON != NULL) {
+ cJSON_free(vtJSON);
+ }
+
+ if (data != NULL) {
+ cJSON_free(data);
+ }
+
+ if (attributes != NULL) {
+ cJSON_free(attributes);
+ }
+
+ if (analysis_stats != NULL) {
+ cJSON_free(analysis_stats);
+ }
+
+ if (harmless != NULL) {
+ cJSON_free(harmless);
+ }
+
+ if (suspicious != NULL) {
+ cJSON_free(suspicious);
+ }
+
+ if 
(malicious != NULL) {
+ cJSON_free(malicious);
+ }
+
+ if (undetected != NULL) {
+ cJSON_free(undetected);
+ }
+
+ if (szOutputString != NULL) {
+ free(szOutputString);
+ }
+
+ return bResult;
+}
\ No newline at end of file
diff --git a/XT_VirusTotal/XT_VirusTotal.def b/XT_VirusTotal/XT_VirusTotal.def
new file mode 100644
index 0000000..417793e
--- /dev/null
+++ b/XT_VirusTotal/XT_VirusTotal.def
@@ -0,0 +1,7 @@
+LIBRARY
+EXPORTS
+ XT_Init @1
+ XT_About @2
+ XT_Prepare @3
+ XT_ProcessItem @4
+ XT_Done @5
\ No newline at end of file
diff --git a/XT_VirusTotal/XT_VirusTotal.h b/XT_VirusTotal/XT_VirusTotal.h
new file mode 100644
index 0000000..425ed1a
--- /dev/null
+++ b/XT_VirusTotal/XT_VirusTotal.h
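Review bot: `QueueProcessingFunc` calls `HashLookupQueue.size()` and `HashLookupQueue.front()` without holding `HashLookupQueueCriticalSection`, while `XT_ProcessItem` can be inside `push_back` on the calling thread; only `pop_front` is guarded, so the list is read and modified concurrently. Take the front element and pop it inside one locked region, as in the excerpt below, and `delete` the `XWFITEMHASH` afterwards, since nothing frees what `XT_ProcessItem` allocates with `new`. The worker also returns as soon as the list is empty while `hQueueProcessingThread` stays non-NULL, so items queued after that point appear never to be looked up; the start-up check in `XT_ProcessItem` would need to account for a finished thread. Separately, `Sleep((60 / QueryRate) * 1000)` is integer division and becomes `Sleep(0)` for any rate above 60.

```cpp
DWORD WINAPI QueueProcessingFunc(LPVOID lpParam) {
    // … unchanged: szVTReport declaration …

    for (;;) {
        XWFITEMHASH* itemHash = NULL;

        // Dequeue under the lock: XT_ProcessItem pushes from another thread
        EnterCriticalSection(&HashLookupQueueCriticalSection);
        if (!HashLookupQueue.empty()) {
            itemHash = HashLookupQueue.front();
            HashLookupQueue.pop_front();
        }
        LeaveCriticalSection(&HashLookupQueueCriticalSection);

        if (itemHash == NULL) {
            break;
        }

        // … unchanged: build URI, VT_GetFileReport, ParseFileReport, free(szVTReport) …

        // The entry was allocated with new in XT_ProcessItem
        delete itemHash;

        // … unchanged: rate-limit Sleep …
    }
    // … unchanged: return 0 …
```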
@@ -0,0 +1,41 @@
+#pragma once
+#define XT_PREPARE_CALLPI 0x01
+#define XT_PREPARE_CALLPILATE 0x02
+#define XT_PREPARE_EXPECTMOREITEMS 0x04
+#define XT_PREPARE_DONTOMIT 0x08
+#define XT_PREPARE_TARGETDIRS 0x10
+#define XT_PREPARE_TARGETZEROBYTEFILES 0x20
+
+
+#define XT_ACTION_RUN 0 // simply run directly from the main menu or command line3
+#define XT_ACTION_RVS 1 // volume snapshot refinement starting2
+#define XT_ACTION_LSS 2 // logical simultaneous search starting
+#define XT_ACTION_PSS 3 // physical simultaneous search starting
+#define XT_ACTION_DBC 4 // directory browser context menu command invoked1
+#define XT_ACTION_SHC 5 // search hit list context menu command invoked
+#define XT_ACTION_EVT 6 // event list context menu command invoked (since v20.3 SR-3)
+
+#define XT_HASH1ALREADYCOMPUTED 0x40000 // Bit flag set if the first hash value has been computed
+#define XT_HASH2ALREADYCOMPUTED 0x100000 // Bit flag set if the second hash value has been computed
+
+#define XWF_VSPROP_HASHTYPE1 20 // Tells XWF_GetVSProp to retrieve the type for the first computed hash
+#define XWF_VSPROP_HASHTYPE2 21 // Tells XWF_GetVSProp to retrieve the type for the second computed hash
+
+#define XWF_HASHTYPE_MD5 7
+#define XWF_HASHTYPE_SHA1 8
+#define XWF_HASHTYPE_SHA256 9
+
+#include
+#include
+#include
+#include
+
+BOOL ReadAPIConfigFile(HMODULE hModule);
+int GetHashString(LONG nItemID, INT64 hashType, std::wstring *itemHash);
+BOOL ParseFileReport(char* VTJSON, LONG nItemID);
+DWORD WINAPI QueueProcessingFunc(LPVOID lpParam);
+
+typedef struct XWFITEMHASH {
+ LONG nItemID; // the XWF Item ID corresponding to this hash
+ std::wstring szHash;
+} XWFITEMHASH;
\ No newline at end of file
diff --git a/XT_VirusTotal/XT_VirusTotal.vcxproj b/XT_VirusTotal/XT_VirusTotal.vcxproj
new file mode 100644
index 0000000..7d3e295
--- /dev/null
+++ b/XT_VirusTotal/XT_VirusTotal.vcxproj
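Review bot: The prototype `int GetHashString(...)` does not match the definition in XT_VirusTotal.cpp, which is declared `BOOL` and returns `TRUE`/`FALSE`; it compiles only because `BOOL` is a typedef for `int`. I would declare it as `BOOL GetHashString(LONG nItemID, INT64 hashType, std::wstring *itemHash);` so it reads like the other prototypes in this header. The trailing digits in the comments on `XT_ACTION_RUN`, `XT_ACTION_RVS` and `XT_ACTION_DBC` (`line3`, `starting2`, `invoked1`) look like footnote markers carried over from the API documentation and can be dropped.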
@@ -0,0 +1,200 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {e778d815-89f7-4783-99f3-064fa465dff9} + XTVirusTotal + 10.0 + + + + DynamicLibrary + true + v142 + Unicode + + + DynamicLibrary + false + v142 + true + Unicode + + + DynamicLibrary + true + v142 + Unicode + + + DynamicLibrary + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + _CRT_SECURE_NO_WARNINGS;WIN32;_DEBUG;XTVIRUSTOTAL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + true + Use + pch.h + $(SolutionDir)XT_VirusTotal;%(AdditionalIncludeDirectories) + MultiThreadedDebug + CompileAsCpp + + + Windows + true + false + XT_VirusTotal.def + wininet.lib;%(AdditionalDependencies) + + + + + Level3 + true + true + true + _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;XTVIRUSTOTAL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + true + Use + pch.h + $(SolutionDir)XT_VirusTotal;%(AdditionalIncludeDirectories) + MultiThreaded + CompileAsCpp + + + Windows + true + true + true + false + XT_VirusTotal.def + wininet.lib;%(AdditionalDependencies) + + + + + Level3 + true + _CRT_SECURE_NO_WARNINGS;_DEBUG;XTVIRUSTOTAL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + true + Use + pch.h + $(SolutionDir)XT_VirusTotal;%(AdditionalIncludeDirectories) + MultiThreadedDebug + CompileAsCpp + + + Windows + true + false + XT_VirusTotal.def + wininet.lib;%(AdditionalDependencies) + + + + + Level3 + true + true + true + _CRT_SECURE_NO_WARNINGS;NDEBUG;XTVIRUSTOTAL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + true + Use + pch.h + $(SolutionDir)XT_VirusTotal;%(AdditionalIncludeDirectories) + MultiThreaded + CompileAsCpp + + + Windows + true + true + true + false + XT_VirusTotal.def + wininet.lib;%(AdditionalDependencies) + + + + + + + + + + + + + + + Create + Create + Create + Create + + + + + + + + + + + + \ No newline at end of file 
diff --git a/XT_VirusTotal/XT_VirusTotal.vcxproj.filters b/XT_VirusTotal/XT_VirusTotal.vcxproj.filters new file mode 100644 index 0000000..eeffd67 --- /dev/null +++ b/XT_VirusTotal/XT_VirusTotal.vcxproj.filters @@ -0,0 +1,62 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + + + Source Files + + + \ No newline at end of file diff --git a/XT_VirusTotal/cJSON.c b/XT_VirusTotal/cJSON.c new file mode 100644 index 0000000..2e14e83 --- /dev/null +++ b/XT_VirusTotal/cJSON.c 
@@ -0,0 +1,3112 @@ +/* + Copyright (c) 2009-2017 Dave Gamble and cJSON contributors + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +*/ + +/* cJSON */ +/* JSON parser in C. 
*/ +#include "pch.h" + +/* disable warnings about old C89 functions in MSVC */ +#if !defined(_CRT_SECURE_NO_DEPRECATE) && defined(_MSC_VER) +#define _CRT_SECURE_NO_DEPRECATE +#endif + +#ifdef __GNUC__ +#pragma GCC visibility push(default) +#endif +#if defined(_MSC_VER) +#pragma warning (push) +/* disable warning about single line comments in system headers */ +#pragma warning (disable : 4001) +#endif + +#ifdef ENABLE_LOCALES +#include +#endif + +#if defined(_MSC_VER) +#pragma warning (pop) +#endif +#ifdef __GNUC__ +#pragma GCC visibility pop +#endif + +#include "cJSON.h" + +/* define our own boolean type */ +#ifdef true +#undef true +#endif +#define true ((cJSON_bool)1) + +#ifdef false +#undef false +#endif +#define false ((cJSON_bool)0) + +/* define isnan and isinf for ANSI C, if in C99 or above, isnan and isinf has been defined in math.h */ +#ifndef isinf +#define isinf(d) (isnan((d - d)) && !isnan(d)) +#endif +#ifndef isnan +#define isnan(d) (d != d) +#endif + +#ifndef NAN +#ifdef _WIN32 +#define NAN sqrt(-1.0) +#else +#define NAN 0.0/0.0 +#endif +#endif + +typedef struct { + const unsigned char *json; + size_t position; +} error; +static error global_error = { NULL, 0 }; + +CJSON_PUBLIC(const char *) cJSON_GetErrorPtr(void) +{ + return (const char*) (global_error.json + global_error.position); +} + +CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item) +{ + if (!cJSON_IsString(item)) + { + return NULL; + } + + return item->valuestring; +} + +CJSON_PUBLIC(double) cJSON_GetNumberValue(const cJSON * const item) +{ + if (!cJSON_IsNumber(item)) + { + return (double) NAN; + } + + return item->valuedouble; +} + +/* This is a safeguard to prevent copy-pasters from using incompatible C and header files */ +#if (CJSON_VERSION_MAJOR != 1) || (CJSON_VERSION_MINOR != 7) || (CJSON_VERSION_PATCH != 15) + #error cJSON.h and cJSON.c have different versions. Make sure that both have the same. 
+#endif + +CJSON_PUBLIC(const char*) cJSON_Version(void) +{ + static char version[15]; + sprintf(version, "%i.%i.%i", CJSON_VERSION_MAJOR, CJSON_VERSION_MINOR, CJSON_VERSION_PATCH); + + return version; +} + +/* Case insensitive string comparison, doesn't consider two NULL pointers equal though */ +static int case_insensitive_strcmp(const unsigned char *string1, const unsigned char *string2) +{ + if ((string1 == NULL) || (string2 == NULL)) + { + return 1; + } + + if (string1 == string2) + { + return 0; + } + + for(; tolower(*string1) == tolower(*string2); (void)string1++, string2++) + { + if (*string1 == '\0') + { + return 0; + } + } + + return tolower(*string1) - tolower(*string2); +} + +typedef struct internal_hooks +{ + void *(CJSON_CDECL *allocate)(size_t size); + void (CJSON_CDECL *deallocate)(void *pointer); + void *(CJSON_CDECL *reallocate)(void *pointer, size_t size); +} internal_hooks; + +#if defined(_MSC_VER) +/* work around MSVC error C2322: '...' address of dllimport '...' is not static */ +static void * CJSON_CDECL internal_malloc(size_t size) +{ + return malloc(size); +} +static void CJSON_CDECL internal_free(void *pointer) +{ + free(pointer); +} +static void * CJSON_CDECL internal_realloc(void *pointer, size_t size) +{ + return realloc(pointer, size); +} +#else +#define internal_malloc malloc +#define internal_free free +#define internal_realloc realloc +#endif + +/* strlen of character literals resolved at compile time */ +#define static_strlen(string_literal) (sizeof(string_literal) - sizeof("")) + +static internal_hooks global_hooks = { internal_malloc, internal_free, internal_realloc }; + +static unsigned char* cJSON_strdup(const unsigned char* string, const internal_hooks * const hooks) +{ + size_t length = 0; + unsigned char *copy = NULL; + + if (string == NULL) + { + return NULL; + } + + length = strlen((const char*)string) + sizeof(""); + copy = (unsigned char*)hooks->allocate(length); + if (copy == NULL) + { + return NULL; + } + memcpy(copy, 
string, length); + + return copy; +} + +CJSON_PUBLIC(void) cJSON_InitHooks(cJSON_Hooks* hooks) +{ + if (hooks == NULL) + { + /* Reset hooks */ + global_hooks.allocate = malloc; + global_hooks.deallocate = free; + global_hooks.reallocate = realloc; + return; + } + + global_hooks.allocate = malloc; + if (hooks->malloc_fn != NULL) + { + global_hooks.allocate = hooks->malloc_fn; + } + + global_hooks.deallocate = free; + if (hooks->free_fn != NULL) + { + global_hooks.deallocate = hooks->free_fn; + } + + /* use realloc only if both free and malloc are used */ + global_hooks.reallocate = NULL; + if ((global_hooks.allocate == malloc) && (global_hooks.deallocate == free)) + { + global_hooks.reallocate = realloc; + } +} + +/* Internal constructor. */ +static cJSON *cJSON_New_Item(const internal_hooks * const hooks) +{ + cJSON* node = (cJSON*)hooks->allocate(sizeof(cJSON)); + if (node) + { + memset(node, '\0', sizeof(cJSON)); + } + + return node; +} + +/* Delete a cJSON structure. */ +CJSON_PUBLIC(void) cJSON_Delete(cJSON *item) +{ + cJSON *next = NULL; + while (item != NULL) + { + next = item->next; + if (!(item->type & cJSON_IsReference) && (item->child != NULL)) + { + cJSON_Delete(item->child); + } + if (!(item->type & cJSON_IsReference) && (item->valuestring != NULL)) + { + global_hooks.deallocate(item->valuestring); + } + if (!(item->type & cJSON_StringIsConst) && (item->string != NULL)) + { + global_hooks.deallocate(item->string); + } + global_hooks.deallocate(item); + item = next; + } +} + +/* get the decimal point character of the current locale */ +static unsigned char get_decimal_point(void) +{ +#ifdef ENABLE_LOCALES + struct lconv *lconv = localeconv(); + return (unsigned char) lconv->decimal_point[0]; +#else + return '.'; +#endif +} + +typedef struct +{ + const unsigned char *content; + size_t length; + size_t offset; + size_t depth; /* How deeply nested (in arrays/objects) is the input at the current offset. 
*/ + internal_hooks hooks; +} parse_buffer; + +/* check if the given size is left to read in a given parse buffer (starting with 1) */ +#define can_read(buffer, size) ((buffer != NULL) && (((buffer)->offset + size) <= (buffer)->length)) +/* check if the buffer can be accessed at the given index (starting with 0) */ +#define can_access_at_index(buffer, index) ((buffer != NULL) && (((buffer)->offset + index) < (buffer)->length)) +#define cannot_access_at_index(buffer, index) (!can_access_at_index(buffer, index)) +/* get a pointer to the buffer at the position */ +#define buffer_at_offset(buffer) ((buffer)->content + (buffer)->offset) + +/* Parse the input text to generate a number, and populate the result into item. */ +static cJSON_bool parse_number(cJSON * const item, parse_buffer * const input_buffer) +{ + double number = 0; + unsigned char *after_end = NULL; + unsigned char number_c_string[64]; + unsigned char decimal_point = get_decimal_point(); + size_t i = 0; + + if ((input_buffer == NULL) || (input_buffer->content == NULL)) + { + return false; + } + + /* copy the number into a temporary buffer and replace '.' 
with the decimal point + * of the current locale (for strtod) + * This also takes care of '\0' not necessarily being available for marking the end of the input */ + for (i = 0; (i < (sizeof(number_c_string) - 1)) && can_access_at_index(input_buffer, i); i++) + { + switch (buffer_at_offset(input_buffer)[i]) + { + case '0': + case '1': + case '2': + case '3': + case '4': + case '5': + case '6': + case '7': + case '8': + case '9': + case '+': + case '-': + case 'e': + case 'E': + number_c_string[i] = buffer_at_offset(input_buffer)[i]; + break; + + case '.': + number_c_string[i] = decimal_point; + break; + + default: + goto loop_end; + } + } +loop_end: + number_c_string[i] = '\0'; + + number = strtod((const char*)number_c_string, (char**)&after_end); + if (number_c_string == after_end) + { + return false; /* parse_error */ + } + + item->valuedouble = number; + + /* use saturation in case of overflow */ + if (number >= INT_MAX) + { + item->valueint = INT_MAX; + } + else if (number <= (double)INT_MIN) + { + item->valueint = INT_MIN; + } + else + { + item->valueint = (int)number; + } + + item->type = cJSON_Number; + + input_buffer->offset += (size_t)(after_end - number_c_string); + return true; +} + +/* don't ask me, but the original cJSON_SetNumberValue returns an integer or double */ +CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number) +{ + if (number >= INT_MAX) + { + object->valueint = INT_MAX; + } + else if (number <= (double)INT_MIN) + { + object->valueint = INT_MIN; + } + else + { + object->valueint = (int)number; + } + + return object->valuedouble = number; +} + +CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring) +{ + char *copy = NULL; + /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */ + if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference)) + { + return NULL; + } + if (strlen(valuestring) <= strlen(object->valuestring)) + { + 
strcpy(object->valuestring, valuestring); + return object->valuestring; + } + copy = (char*) cJSON_strdup((const unsigned char*)valuestring, &global_hooks); + if (copy == NULL) + { + return NULL; + } + if (object->valuestring != NULL) + { + cJSON_free(object->valuestring); + } + object->valuestring = copy; + + return copy; +} + +typedef struct +{ + unsigned char *buffer; + size_t length; + size_t offset; + size_t depth; /* current nesting depth (for formatted printing) */ + cJSON_bool noalloc; + cJSON_bool format; /* is this print a formatted print */ + internal_hooks hooks; +} printbuffer; + +/* realloc printbuffer if necessary to have at least "needed" bytes more */ +static unsigned char* ensure(printbuffer * const p, size_t needed) +{ + unsigned char *newbuffer = NULL; + size_t newsize = 0; + + if ((p == NULL) || (p->buffer == NULL)) + { + return NULL; + } + + if ((p->length > 0) && (p->offset >= p->length)) + { + /* make sure that offset is valid */ + return NULL; + } + + if (needed > INT_MAX) + { + /* sizes bigger than INT_MAX are currently not supported */ + return NULL; + } + + needed += p->offset + 1; + if (needed <= p->length) + { + return p->buffer + p->offset; + } + + if (p->noalloc) { + return NULL; + } + + /* calculate new buffer size */ + if (needed > (INT_MAX / 2)) + { + /* overflow of int, use INT_MAX if possible */ + if (needed <= INT_MAX) + { + newsize = INT_MAX; + } + else + { + return NULL; + } + } + else + { + newsize = needed * 2; + } + + if (p->hooks.reallocate != NULL) + { + /* reallocate with realloc if available */ + newbuffer = (unsigned char*)p->hooks.reallocate(p->buffer, newsize); + if (newbuffer == NULL) + { + p->hooks.deallocate(p->buffer); + p->length = 0; + p->buffer = NULL; + + return NULL; + } + } + else + { + /* otherwise reallocate manually */ + newbuffer = (unsigned char*)p->hooks.allocate(newsize); + if (!newbuffer) + { + p->hooks.deallocate(p->buffer); + p->length = 0; + p->buffer = NULL; + + return NULL; + } + + 
memcpy(newbuffer, p->buffer, p->offset + 1); + p->hooks.deallocate(p->buffer); + } + p->length = newsize; + p->buffer = newbuffer; + + return newbuffer + p->offset; +} + +/* calculate the new length of the string in a printbuffer and update the offset */ +static void update_offset(printbuffer * const buffer) +{ + const unsigned char *buffer_pointer = NULL; + if ((buffer == NULL) || (buffer->buffer == NULL)) + { + return; + } + buffer_pointer = buffer->buffer + buffer->offset; + + buffer->offset += strlen((const char*)buffer_pointer); +} + +/* securely comparison of floating-point variables */ +static cJSON_bool compare_double(double a, double b) +{ + double maxVal = fabs(a) > fabs(b) ? fabs(a) : fabs(b); + return (fabs(a - b) <= maxVal * DBL_EPSILON); +} + +/* Render the number nicely from the given item into a string. */ +static cJSON_bool print_number(const cJSON * const item, printbuffer * const output_buffer) +{ + unsigned char *output_pointer = NULL; + double d = item->valuedouble; + int length = 0; + size_t i = 0; + unsigned char number_buffer[26] = {0}; /* temporary buffer to print the number into */ + unsigned char decimal_point = get_decimal_point(); + double test = 0.0; + + if (output_buffer == NULL) + { + return false; + } + + /* This checks for NaN and Infinity */ + if (isnan(d) || isinf(d)) + { + length = sprintf((char*)number_buffer, "null"); + } + else if(d == (double)item->valueint) + { + length = sprintf((char*)number_buffer, "%d", item->valueint); + } + else + { + /* Try 15 decimal places of precision to avoid nonsignificant nonzero digits */ + length = sprintf((char*)number_buffer, "%1.15g", d); + + /* Check whether the original double can be recovered */ + if ((sscanf((char*)number_buffer, "%lg", &test) != 1) || !compare_double((double)test, d)) + { + /* If not, print with 17 decimal places of precision */ + length = sprintf((char*)number_buffer, "%1.17g", d); + } + } + + /* sprintf failed or buffer overrun occurred */ + if ((length < 0) || 
(length > (int)(sizeof(number_buffer) - 1))) + { + return false; + } + + /* reserve appropriate space in the output */ + output_pointer = ensure(output_buffer, (size_t)length + sizeof("")); + if (output_pointer == NULL) + { + return false; + } + + /* copy the printed number to the output and replace locale + * dependent decimal point with '.' */ + for (i = 0; i < ((size_t)length); i++) + { + if (number_buffer[i] == decimal_point) + { + output_pointer[i] = '.'; + continue; + } + + output_pointer[i] = number_buffer[i]; + } + output_pointer[i] = '\0'; + + output_buffer->offset += (size_t)length; + + return true; +} + +/* parse 4 digit hexadecimal number */ +static unsigned parse_hex4(const unsigned char * const input) +{ + unsigned int h = 0; + size_t i = 0; + + for (i = 0; i < 4; i++) + { + /* parse digit */ + if ((input[i] >= '0') && (input[i] <= '9')) + { + h += (unsigned int) input[i] - '0'; + } + else if ((input[i] >= 'A') && (input[i] <= 'F')) + { + h += (unsigned int) 10 + input[i] - 'A'; + } + else if ((input[i] >= 'a') && (input[i] <= 'f')) + { + h += (unsigned int) 10 + input[i] - 'a'; + } + else /* invalid */ + { + return 0; + } + + if (i < 3) + { + /* shift left to make place for the next nibble */ + h = h << 4; + } + } + + return h; +} + +/* converts a UTF-16 literal to UTF-8 + * A literal can be one or two sequences of the form \uXXXX */ +static unsigned char utf16_literal_to_utf8(const unsigned char * const input_pointer, const unsigned char * const input_end, unsigned char **output_pointer) +{ + long unsigned int codepoint = 0; + unsigned int first_code = 0; + const unsigned char *first_sequence = input_pointer; + unsigned char utf8_length = 0; + unsigned char utf8_position = 0; + unsigned char sequence_length = 0; + unsigned char first_byte_mark = 0; + + if ((input_end - first_sequence) < 6) + { + /* input ends unexpectedly */ + goto fail; + } + + /* get the first utf16 sequence */ + first_code = parse_hex4(first_sequence + 2); + + /* check that the 
code is valid */ + if (((first_code >= 0xDC00) && (first_code <= 0xDFFF))) + { + goto fail; + } + + /* UTF16 surrogate pair */ + if ((first_code >= 0xD800) && (first_code <= 0xDBFF)) + { + const unsigned char *second_sequence = first_sequence + 6; + unsigned int second_code = 0; + sequence_length = 12; /* \uXXXX\uXXXX */ + + if ((input_end - second_sequence) < 6) + { + /* input ends unexpectedly */ + goto fail; + } + + if ((second_sequence[0] != '\\') || (second_sequence[1] != 'u')) + { + /* missing second half of the surrogate pair */ + goto fail; + } + + /* get the second utf16 sequence */ + second_code = parse_hex4(second_sequence + 2); + /* check that the code is valid */ + if ((second_code < 0xDC00) || (second_code > 0xDFFF)) + { + /* invalid second half of the surrogate pair */ + goto fail; + } + + + /* calculate the unicode codepoint from the surrogate pair */ + codepoint = 0x10000 + (((first_code & 0x3FF) << 10) | (second_code & 0x3FF)); + } + else + { + sequence_length = 6; /* \uXXXX */ + codepoint = first_code; + } + + /* encode as UTF-8 + * takes at maximum 4 bytes to encode: + * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */ + if (codepoint < 0x80) + { + /* normal ascii, encoding 0xxxxxxx */ + utf8_length = 1; + } + else if (codepoint < 0x800) + { + /* two bytes, encoding 110xxxxx 10xxxxxx */ + utf8_length = 2; + first_byte_mark = 0xC0; /* 11000000 */ + } + else if (codepoint < 0x10000) + { + /* three bytes, encoding 1110xxxx 10xxxxxx 10xxxxxx */ + utf8_length = 3; + first_byte_mark = 0xE0; /* 11100000 */ + } + else if (codepoint <= 0x10FFFF) + { + /* four bytes, encoding 1110xxxx 10xxxxxx 10xxxxxx 10xxxxxx */ + utf8_length = 4; + first_byte_mark = 0xF0; /* 11110000 */ + } + else + { + /* invalid unicode codepoint */ + goto fail; + } + + /* encode as utf8 */ + for (utf8_position = (unsigned char)(utf8_length - 1); utf8_position > 0; utf8_position--) + { + /* 10xxxxxx */ + (*output_pointer)[utf8_position] = (unsigned char)((codepoint | 0x80) & 0xBF); + codepoint 
>>= 6; + } + /* encode first byte */ + if (utf8_length > 1) + { + (*output_pointer)[0] = (unsigned char)((codepoint | first_byte_mark) & 0xFF); + } + else + { + (*output_pointer)[0] = (unsigned char)(codepoint & 0x7F); + } + + *output_pointer += utf8_length; + + return sequence_length; + +fail: + return 0; +} + +/* Parse the input text into an unescaped cinput, and populate item. */ +static cJSON_bool parse_string(cJSON * const item, parse_buffer * const input_buffer) +{ + const unsigned char *input_pointer = buffer_at_offset(input_buffer) + 1; + const unsigned char *input_end = buffer_at_offset(input_buffer) + 1; + unsigned char *output_pointer = NULL; + unsigned char *output = NULL; + + /* not a string */ + if (buffer_at_offset(input_buffer)[0] != '\"') + { + goto fail; + } + + { + /* calculate approximate size of the output (overestimate) */ + size_t allocation_length = 0; + size_t skipped_bytes = 0; + while (((size_t)(input_end - input_buffer->content) < input_buffer->length) && (*input_end != '\"')) + { + /* is escape sequence */ + if (input_end[0] == '\\') + { + if ((size_t)(input_end + 1 - input_buffer->content) >= input_buffer->length) + { + /* prevent buffer overflow when last input character is a backslash */ + goto fail; + } + skipped_bytes++; + input_end++; + } + input_end++; + } + if (((size_t)(input_end - input_buffer->content) >= input_buffer->length) || (*input_end != '\"')) + { + goto fail; /* string ended unexpectedly */ + } + + /* This is at most how much we need for the output */ + allocation_length = (size_t) (input_end - buffer_at_offset(input_buffer)) - skipped_bytes; + output = (unsigned char*)input_buffer->hooks.allocate(allocation_length + sizeof("")); + if (output == NULL) + { + goto fail; /* allocation failure */ + } + } + + output_pointer = output; + /* loop through the string literal */ + while (input_pointer < input_end) + { + if (*input_pointer != '\\') + { + *output_pointer++ = *input_pointer++; + } + /* escape sequence */ + else + 
{ + unsigned char sequence_length = 2; + if ((input_end - input_pointer) < 1) + { + goto fail; + } + + switch (input_pointer[1]) + { + case 'b': + *output_pointer++ = '\b'; + break; + case 'f': + *output_pointer++ = '\f'; + break; + case 'n': + *output_pointer++ = '\n'; + break; + case 'r': + *output_pointer++ = '\r'; + break; + case 't': + *output_pointer++ = '\t'; + break; + case '\"': + case '\\': + case '/': + *output_pointer++ = input_pointer[1]; + break; + + /* UTF-16 literal */ + case 'u': + sequence_length = utf16_literal_to_utf8(input_pointer, input_end, &output_pointer); + if (sequence_length == 0) + { + /* failed to convert UTF16-literal to UTF-8 */ + goto fail; + } + break; + + default: + goto fail; + } + input_pointer += sequence_length; + } + } + + /* zero terminate the output */ + *output_pointer = '\0'; + + item->type = cJSON_String; + item->valuestring = (char*)output; + + input_buffer->offset = (size_t) (input_end - input_buffer->content); + input_buffer->offset++; + + return true; + +fail: + if (output != NULL) + { + input_buffer->hooks.deallocate(output); + } + + if (input_pointer != NULL) + { + input_buffer->offset = (size_t)(input_pointer - input_buffer->content); + } + + return false; +} + +/* Render the cstring provided to an escaped version that can be printed. 
*/ +static cJSON_bool print_string_ptr(const unsigned char * const input, printbuffer * const output_buffer) +{ + const unsigned char *input_pointer = NULL; + unsigned char *output = NULL; + unsigned char *output_pointer = NULL; + size_t output_length = 0; + /* numbers of additional characters needed for escaping */ + size_t escape_characters = 0; + + if (output_buffer == NULL) + { + return false; + } + + /* empty string */ + if (input == NULL) + { + output = ensure(output_buffer, sizeof("\"\"")); + if (output == NULL) + { + return false; + } + strcpy((char*)output, "\"\""); + + return true; + } + + /* set "flag" to 1 if something needs to be escaped */ + for (input_pointer = input; *input_pointer; input_pointer++) + { + switch (*input_pointer) + { + case '\"': + case '\\': + case '\b': + case '\f': + case '\n': + case '\r': + case '\t': + /* one character escape sequence */ + escape_characters++; + break; + default: + if (*input_pointer < 32) + { + /* UTF-16 escape sequence uXXXX */ + escape_characters += 5; + } + break; + } + } + output_length = (size_t)(input_pointer - input) + escape_characters; + + output = ensure(output_buffer, output_length + sizeof("\"\"")); + if (output == NULL) + { + return false; + } + + /* no characters have to be escaped */ + if (escape_characters == 0) + { + output[0] = '\"'; + memcpy(output + 1, input, output_length); + output[output_length + 1] = '\"'; + output[output_length + 2] = '\0'; + + return true; + } + + output[0] = '\"'; + output_pointer = output + 1; + /* copy the string */ + for (input_pointer = input; *input_pointer != '\0'; (void)input_pointer++, output_pointer++) + { + if ((*input_pointer > 31) && (*input_pointer != '\"') && (*input_pointer != '\\')) + { + /* normal character, copy */ + *output_pointer = *input_pointer; + } + else + { + /* character needs to be escaped */ + *output_pointer++ = '\\'; + switch (*input_pointer) + { + case '\\': + *output_pointer = '\\'; + break; + case '\"': + *output_pointer = '\"'; + 
break; + case '\b': + *output_pointer = 'b'; + break; + case '\f': + *output_pointer = 'f'; + break; + case '\n': + *output_pointer = 'n'; + break; + case '\r': + *output_pointer = 'r'; + break; + case '\t': + *output_pointer = 't'; + break; + default: + /* escape and print as unicode codepoint */ + sprintf((char*)output_pointer, "u%04x", *input_pointer); + output_pointer += 4; + break; + } + } + } + output[output_length + 1] = '\"'; + output[output_length + 2] = '\0'; + + return true; +} + +/* Invoke print_string_ptr (which is useful) on an item. */ +static cJSON_bool print_string(const cJSON * const item, printbuffer * const p) +{ + return print_string_ptr((unsigned char*)item->valuestring, p); +} + +/* Predeclare these prototypes. */ +static cJSON_bool parse_value(cJSON * const item, parse_buffer * const input_buffer); +static cJSON_bool print_value(const cJSON * const item, printbuffer * const output_buffer); +static cJSON_bool parse_array(cJSON * const item, parse_buffer * const input_buffer); +static cJSON_bool print_array(const cJSON * const item, printbuffer * const output_buffer); +static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_buffer); +static cJSON_bool print_object(const cJSON * const item, printbuffer * const output_buffer); + +/* Utility to jump whitespace and cr/lf */ +static parse_buffer *buffer_skip_whitespace(parse_buffer * const buffer) +{ + if ((buffer == NULL) || (buffer->content == NULL)) + { + return NULL; + } + + if (cannot_access_at_index(buffer, 0)) + { + return buffer; + } + + while (can_access_at_index(buffer, 0) && (buffer_at_offset(buffer)[0] <= 32)) + { + buffer->offset++; + } + + if (buffer->offset == buffer->length) + { + buffer->offset--; + } + + return buffer; +} + +/* skip the UTF-8 BOM (byte order mark) if it is at the beginning of a buffer */ +static parse_buffer *skip_utf8_bom(parse_buffer * const buffer) +{ + if ((buffer == NULL) || (buffer->content == NULL) || (buffer->offset != 0)) + { + 
return NULL; + } + + if (can_access_at_index(buffer, 4) && (strncmp((const char*)buffer_at_offset(buffer), "\xEF\xBB\xBF", 3) == 0)) + { + buffer->offset += 3; + } + + return buffer; +} + +CJSON_PUBLIC(cJSON *) cJSON_ParseWithOpts(const char *value, const char **return_parse_end, cJSON_bool require_null_terminated) +{ + size_t buffer_length; + + if (NULL == value) + { + return NULL; + } + + /* Adding null character size due to require_null_terminated. */ + buffer_length = strlen(value) + sizeof(""); + + return cJSON_ParseWithLengthOpts(value, buffer_length, return_parse_end, require_null_terminated); +} + +/* Parse an object - create a new root, and populate. */ +CJSON_PUBLIC(cJSON *) cJSON_ParseWithLengthOpts(const char *value, size_t buffer_length, const char **return_parse_end, cJSON_bool require_null_terminated) +{ + parse_buffer buffer = { 0, 0, 0, 0, { 0, 0, 0 } }; + cJSON *item = NULL; + + /* reset error position */ + global_error.json = NULL; + global_error.position = 0; + + if (value == NULL || 0 == buffer_length) + { + goto fail; + } + + buffer.content = (const unsigned char*)value; + buffer.length = buffer_length; + buffer.offset = 0; + buffer.hooks = global_hooks; + + item = cJSON_New_Item(&global_hooks); + if (item == NULL) /* memory fail */ + { + goto fail; + } + + if (!parse_value(item, buffer_skip_whitespace(skip_utf8_bom(&buffer)))) + { + /* parse failure. ep is set. 
*/ + goto fail; + } + + /* if we require null-terminated JSON without appended garbage, skip and then check for a null terminator */ + if (require_null_terminated) + { + buffer_skip_whitespace(&buffer); + if ((buffer.offset >= buffer.length) || buffer_at_offset(&buffer)[0] != '\0') + { + goto fail; + } + } + if (return_parse_end) + { + *return_parse_end = (const char*)buffer_at_offset(&buffer); + } + + return item; + +fail: + if (item != NULL) + { + cJSON_Delete(item); + } + + if (value != NULL) + { + error local_error; + local_error.json = (const unsigned char*)value; + local_error.position = 0; + + if (buffer.offset < buffer.length) + { + local_error.position = buffer.offset; + } + else if (buffer.length > 0) + { + local_error.position = buffer.length - 1; + } + + if (return_parse_end != NULL) + { + *return_parse_end = (const char*)local_error.json + local_error.position; + } + + global_error = local_error; + } + + return NULL; +} + +/* Default options for cJSON_Parse */ +CJSON_PUBLIC(cJSON *) cJSON_Parse(const char *value) +{ + return cJSON_ParseWithOpts(value, 0, 0); +} + +CJSON_PUBLIC(cJSON *) cJSON_ParseWithLength(const char *value, size_t buffer_length) +{ + return cJSON_ParseWithLengthOpts(value, buffer_length, 0, 0); +} + +#define cjson_min(a, b) (((a) < (b)) ? 
(a) : (b)) + +static unsigned char *print(const cJSON * const item, cJSON_bool format, const internal_hooks * const hooks) +{ + static const size_t default_buffer_size = 256; + printbuffer buffer[1]; + unsigned char *printed = NULL; + + memset(buffer, 0, sizeof(buffer)); + + /* create buffer */ + buffer->buffer = (unsigned char*) hooks->allocate(default_buffer_size); + buffer->length = default_buffer_size; + buffer->format = format; + buffer->hooks = *hooks; + if (buffer->buffer == NULL) + { + goto fail; + } + + /* print the value */ + if (!print_value(item, buffer)) + { + goto fail; + } + update_offset(buffer); + + /* check if reallocate is available */ + if (hooks->reallocate != NULL) + { + printed = (unsigned char*) hooks->reallocate(buffer->buffer, buffer->offset + 1); + if (printed == NULL) { + goto fail; + } + buffer->buffer = NULL; + } + else /* otherwise copy the JSON over to a new buffer */ + { + printed = (unsigned char*) hooks->allocate(buffer->offset + 1); + if (printed == NULL) + { + goto fail; + } + memcpy(printed, buffer->buffer, cjson_min(buffer->length, buffer->offset + 1)); + printed[buffer->offset] = '\0'; /* just to be sure */ + + /* free the buffer */ + hooks->deallocate(buffer->buffer); + } + + return printed; + +fail: + if (buffer->buffer != NULL) + { + hooks->deallocate(buffer->buffer); + } + + if (printed != NULL) + { + hooks->deallocate(printed); + } + + return NULL; +} + +/* Render a cJSON item/entity/structure to text. 
*/ +CJSON_PUBLIC(char *) cJSON_Print(const cJSON *item) +{ + return (char*)print(item, true, &global_hooks); +} + +CJSON_PUBLIC(char *) cJSON_PrintUnformatted(const cJSON *item) +{ + return (char*)print(item, false, &global_hooks); +} + +CJSON_PUBLIC(char *) cJSON_PrintBuffered(const cJSON *item, int prebuffer, cJSON_bool fmt) +{ + printbuffer p = { 0, 0, 0, 0, 0, 0, { 0, 0, 0 } }; + + if (prebuffer < 0) + { + return NULL; + } + + p.buffer = (unsigned char*)global_hooks.allocate((size_t)prebuffer); + if (!p.buffer) + { + return NULL; + } + + p.length = (size_t)prebuffer; + p.offset = 0; + p.noalloc = false; + p.format = fmt; + p.hooks = global_hooks; + + if (!print_value(item, &p)) + { + global_hooks.deallocate(p.buffer); + return NULL; + } + + return (char*)p.buffer; +} + +CJSON_PUBLIC(cJSON_bool) cJSON_PrintPreallocated(cJSON *item, char *buffer, const int length, const cJSON_bool format) +{ + printbuffer p = { 0, 0, 0, 0, 0, 0, { 0, 0, 0 } }; + + if ((length < 0) || (buffer == NULL)) + { + return false; + } + + p.buffer = (unsigned char*)buffer; + p.length = (size_t)length; + p.offset = 0; + p.noalloc = true; + p.format = format; + p.hooks = global_hooks; + + return print_value(item, &p); +} + +/* Parser core - when encountering text, process appropriately. 
*/ +static cJSON_bool parse_value(cJSON * const item, parse_buffer * const input_buffer) +{ + if ((input_buffer == NULL) || (input_buffer->content == NULL)) + { + return false; /* no input */ + } + + /* parse the different types of values */ + /* null */ + if (can_read(input_buffer, 4) && (strncmp((const char*)buffer_at_offset(input_buffer), "null", 4) == 0)) + { + item->type = cJSON_NULL; + input_buffer->offset += 4; + return true; + } + /* false */ + if (can_read(input_buffer, 5) && (strncmp((const char*)buffer_at_offset(input_buffer), "false", 5) == 0)) + { + item->type = cJSON_False; + input_buffer->offset += 5; + return true; + } + /* true */ + if (can_read(input_buffer, 4) && (strncmp((const char*)buffer_at_offset(input_buffer), "true", 4) == 0)) + { + item->type = cJSON_True; + item->valueint = 1; + input_buffer->offset += 4; + return true; + } + /* string */ + if (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == '\"')) + { + return parse_string(item, input_buffer); + } + /* number */ + if (can_access_at_index(input_buffer, 0) && ((buffer_at_offset(input_buffer)[0] == '-') || ((buffer_at_offset(input_buffer)[0] >= '0') && (buffer_at_offset(input_buffer)[0] <= '9')))) + { + return parse_number(item, input_buffer); + } + /* array */ + if (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == '[')) + { + return parse_array(item, input_buffer); + } + /* object */ + if (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == '{')) + { + return parse_object(item, input_buffer); + } + + return false; +} + +/* Render a value to text. 
*/
+static cJSON_bool print_value(const cJSON * const item, printbuffer * const output_buffer)
+{
+ unsigned char *output = NULL;
+
+ if ((item == NULL) || (output_buffer == NULL))
+ {
+ return false;
+ }
+
+ switch ((item->type) & 0xFF)
+ {
+ case cJSON_NULL:
+ output = ensure(output_buffer, 5);
+ if (output == NULL)
+ {
+ return false;
+ }
+ strcpy((char*)output, "null");
+ return true;
+
+ case cJSON_False:
+ output = ensure(output_buffer, 6);
+ if (output == NULL)
+ {
+ return false;
+ }
+ strcpy((char*)output, "false");
+ return true;
+
+ case cJSON_True:
+ output = ensure(output_buffer, 5);
+ if (output == NULL)
+ {
+ return false;
+ }
+ strcpy((char*)output, "true");
+ return true;
+
+ case cJSON_Number:
+ return print_number(item, output_buffer);
+
+ case cJSON_Raw:
+ {
+ size_t raw_length = 0;
+ if (item->valuestring == NULL)
+ {
+ return false;
+ }
+
+ raw_length = strlen(item->valuestring) + sizeof("");
+ output = ensure(output_buffer, raw_length);
+ if (output == NULL)
+ {
+ return false;
+ }
+ memcpy(output, item->valuestring, raw_length);
+ return true;
+ }
+
+ case cJSON_String:
+ return print_string(item, output_buffer);
+
+ case cJSON_Array:
+ return print_array(item, output_buffer);
+
+ case cJSON_Object:
+ return print_object(item, output_buffer);
+
+ default:
+ return false;
+ }
+}
+
+/* Build an array from input text.
*/
+static cJSON_bool parse_array(cJSON * const item, parse_buffer * const input_buffer)
+{
+ cJSON *head = NULL; /* head of the linked list */
+ cJSON *current_item = NULL;
+
+ if (input_buffer->depth >= CJSON_NESTING_LIMIT)
+ {
+ return false; /* to deeply nested */
+ }
+ input_buffer->depth++;
+
+ if (buffer_at_offset(input_buffer)[0] != '[')
+ {
+ /* not an array */
+ goto fail;
+ }
+
+ input_buffer->offset++;
+ buffer_skip_whitespace(input_buffer);
+ if (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == ']'))
+ {
+ /* empty array */
+ goto success;
+ }
+
+ /* check if we skipped to the end of the buffer */
+ if (cannot_access_at_index(input_buffer, 0))
+ {
+ input_buffer->offset--;
+ goto fail;
+ }
+
+ /* step back to character in front of the first element */
+ input_buffer->offset--;
+ /* loop through the comma separated array elements */
+ do
+ {
+ /* allocate next item */
+ cJSON *new_item = cJSON_New_Item(&(input_buffer->hooks));
+ if (new_item == NULL)
+ {
+ goto fail; /* allocation failure */
+ }
+
+ /* attach next item to list */
+ if (head == NULL)
+ {
+ /* start the linked list */
+ current_item = head = new_item;
+ }
+ else
+ {
+ /* add to the end and advance */
+ current_item->next = new_item;
+ new_item->prev = current_item;
+ current_item = new_item;
+ }
+
+ /* parse next value */
+ input_buffer->offset++;
+ buffer_skip_whitespace(input_buffer);
+ if (!parse_value(current_item, input_buffer))
+ {
+ goto fail; /* failed to parse value */
+ }
+ buffer_skip_whitespace(input_buffer);
+ }
+ while (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == ','));
+
+ if (cannot_access_at_index(input_buffer, 0) || buffer_at_offset(input_buffer)[0] != ']')
+ {
+ goto fail; /* expected end of array */
+ }
+
+success:
+ input_buffer->depth--;
+
+ if (head != NULL) {
+ head->prev = current_item;
+ }
+
+ item->type = cJSON_Array;
+ item->child = head;
+
+ input_buffer->offset++;
+
+ return true;
+
+fail:
+ if
(head != NULL)
+ {
+ cJSON_Delete(head);
+ }
+
+ return false;
+}
+
+/* Render an array to text */
+static cJSON_bool print_array(const cJSON * const item, printbuffer * const output_buffer)
+{
+ unsigned char *output_pointer = NULL;
+ size_t length = 0;
+ cJSON *current_element = item->child;
+
+ if (output_buffer == NULL)
+ {
+ return false;
+ }
+
+ /* Compose the output array. */
+ /* opening square bracket */
+ output_pointer = ensure(output_buffer, 1);
+ if (output_pointer == NULL)
+ {
+ return false;
+ }
+
+ *output_pointer = '[';
+ output_buffer->offset++;
+ output_buffer->depth++;
+
+ while (current_element != NULL)
+ {
+ if (!print_value(current_element, output_buffer))
+ {
+ return false;
+ }
+ update_offset(output_buffer);
+ if (current_element->next)
+ {
+ length = (size_t) (output_buffer->format ? 2 : 1);
+ output_pointer = ensure(output_buffer, length + 1);
+ if (output_pointer == NULL)
+ {
+ return false;
+ }
+ *output_pointer++ = ',';
+ if(output_buffer->format)
+ {
+ *output_pointer++ = ' ';
+ }
+ *output_pointer = '\0';
+ output_buffer->offset += length;
+ }
+ current_element = current_element->next;
+ }
+
+ output_pointer = ensure(output_buffer, 2);
+ if (output_pointer == NULL)
+ {
+ return false;
+ }
+ *output_pointer++ = ']';
+ *output_pointer = '\0';
+ output_buffer->depth--;
+
+ return true;
+}
+
+/* Build an object from the text.
*/
+static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_buffer)
+{
+ cJSON *head = NULL; /* linked list head */
+ cJSON *current_item = NULL;
+
+ if (input_buffer->depth >= CJSON_NESTING_LIMIT)
+ {
+ return false; /* to deeply nested */
+ }
+ input_buffer->depth++;
+
+ if (cannot_access_at_index(input_buffer, 0) || (buffer_at_offset(input_buffer)[0] != '{'))
+ {
+ goto fail; /* not an object */
+ }
+
+ input_buffer->offset++;
+ buffer_skip_whitespace(input_buffer);
+ if (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == '}'))
+ {
+ goto success; /* empty object */
+ }
+
+ /* check if we skipped to the end of the buffer */
+ if (cannot_access_at_index(input_buffer, 0))
+ {
+ input_buffer->offset--;
+ goto fail;
+ }
+
+ /* step back to character in front of the first element */
+ input_buffer->offset--;
+ /* loop through the comma separated array elements */
+ do
+ {
+ /* allocate next item */
+ cJSON *new_item = cJSON_New_Item(&(input_buffer->hooks));
+ if (new_item == NULL)
+ {
+ goto fail; /* allocation failure */
+ }
+
+ /* attach next item to list */
+ if (head == NULL)
+ {
+ /* start the linked list */
+ current_item = head = new_item;
+ }
+ else
+ {
+ /* add to the end and advance */
+ current_item->next = new_item;
+ new_item->prev = current_item;
+ current_item = new_item;
+ }
+
+ /* parse the name of the child */
+ input_buffer->offset++;
+ buffer_skip_whitespace(input_buffer);
+ if (!parse_string(current_item, input_buffer))
+ {
+ goto fail; /* failed to parse name */
+ }
+ buffer_skip_whitespace(input_buffer);
+
+ /* swap valuestring and string, because we parsed the name */
+ current_item->string = current_item->valuestring;
+ current_item->valuestring = NULL;
+
+ if (cannot_access_at_index(input_buffer, 0) || (buffer_at_offset(input_buffer)[0] != ':'))
+ {
+ goto fail; /* invalid object */
+ }
+
+ /* parse the value */
+ input_buffer->offset++;
+ buffer_skip_whitespace(input_buffer);
+ if
(!parse_value(current_item, input_buffer))
+ {
+ goto fail; /* failed to parse value */
+ }
+ buffer_skip_whitespace(input_buffer);
+ }
+ while (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == ','));
+
+ if (cannot_access_at_index(input_buffer, 0) || (buffer_at_offset(input_buffer)[0] != '}'))
+ {
+ goto fail; /* expected end of object */
+ }
+
+success:
+ input_buffer->depth--;
+
+ if (head != NULL) {
+ head->prev = current_item;
+ }
+
+ item->type = cJSON_Object;
+ item->child = head;
+
+ input_buffer->offset++;
+ return true;
+
+fail:
+ if (head != NULL)
+ {
+ cJSON_Delete(head);
+ }
+
+ return false;
+}
+
+/* Render an object to text. */
+static cJSON_bool print_object(const cJSON * const item, printbuffer * const output_buffer)
+{
+ unsigned char *output_pointer = NULL;
+ size_t length = 0;
+ cJSON *current_item = item->child;
+
+ if (output_buffer == NULL)
+ {
+ return false;
+ }
+
+ /* Compose the output: */
+ length = (size_t) (output_buffer->format ? 2 : 1); /* fmt: {\n */
+ output_pointer = ensure(output_buffer, length + 1);
+ if (output_pointer == NULL)
+ {
+ return false;
+ }
+
+ *output_pointer++ = '{';
+ output_buffer->depth++;
+ if (output_buffer->format)
+ {
+ *output_pointer++ = '\n';
+ }
+ output_buffer->offset += length;
+
+ while (current_item)
+ {
+ if (output_buffer->format)
+ {
+ size_t i;
+ output_pointer = ensure(output_buffer, output_buffer->depth);
+ if (output_pointer == NULL)
+ {
+ return false;
+ }
+ for (i = 0; i < output_buffer->depth; i++)
+ {
+ *output_pointer++ = '\t';
+ }
+ output_buffer->offset += output_buffer->depth;
+ }
+
+ /* print key */
+ if (!print_string_ptr((unsigned char*)current_item->string, output_buffer))
+ {
+ return false;
+ }
+ update_offset(output_buffer);
+
+ length = (size_t) (output_buffer->format ?
2 : 1);
+ output_pointer = ensure(output_buffer, length);
+ if (output_pointer == NULL)
+ {
+ return false;
+ }
+ *output_pointer++ = ':';
+ if (output_buffer->format)
+ {
+ *output_pointer++ = '\t';
+ }
+ output_buffer->offset += length;
+
+ /* print value */
+ if (!print_value(current_item, output_buffer))
+ {
+ return false;
+ }
+ update_offset(output_buffer);
+
+ /* print comma if not last */
+ length = ((size_t)(output_buffer->format ? 1 : 0) + (size_t)(current_item->next ? 1 : 0));
+ output_pointer = ensure(output_buffer, length + 1);
+ if (output_pointer == NULL)
+ {
+ return false;
+ }
+ if (current_item->next)
+ {
+ *output_pointer++ = ',';
+ }
+
+ if (output_buffer->format)
+ {
+ *output_pointer++ = '\n';
+ }
+ *output_pointer = '\0';
+ output_buffer->offset += length;
+
+ current_item = current_item->next;
+ }
+
+ output_pointer = ensure(output_buffer, output_buffer->format ? (output_buffer->depth + 1) : 2);
+ if (output_pointer == NULL)
+ {
+ return false;
+ }
+ if (output_buffer->format)
+ {
+ size_t i;
+ for (i = 0; i < (output_buffer->depth - 1); i++)
+ {
+ *output_pointer++ = '\t';
+ }
+ }
+ *output_pointer++ = '}';
+ *output_pointer = '\0';
+ output_buffer->depth--;
+
+ return true;
+}
+
+/* Get Array size/item / object item. */
+CJSON_PUBLIC(int) cJSON_GetArraySize(const cJSON *array)
+{
+ cJSON *child = NULL;
+ size_t size = 0;
+
+ if (array == NULL)
+ {
+ return 0;
+ }
+
+ child = array->child;
+
+ while(child != NULL)
+ {
+ size++;
+ child = child->next;
+ }
+
+ /* FIXME: Can overflow here.
Cannot be fixed without breaking the API */
+
+ return (int)size;
+}
+
+static cJSON* get_array_item(const cJSON *array, size_t index)
+{
+ cJSON *current_child = NULL;
+
+ if (array == NULL)
+ {
+ return NULL;
+ }
+
+ current_child = array->child;
+ while ((current_child != NULL) && (index > 0))
+ {
+ index--;
+ current_child = current_child->next;
+ }
+
+ return current_child;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_GetArrayItem(const cJSON *array, int index)
+{
+ if (index < 0)
+ {
+ return NULL;
+ }
+
+ return get_array_item(array, (size_t)index);
+}
+
+static cJSON *get_object_item(const cJSON * const object, const char * const name, const cJSON_bool case_sensitive)
+{
+ cJSON *current_element = NULL;
+
+ if ((object == NULL) || (name == NULL))
+ {
+ return NULL;
+ }
+
+ current_element = object->child;
+ if (case_sensitive)
+ {
+ while ((current_element != NULL) && (current_element->string != NULL) && (strcmp(name, current_element->string) != 0))
+ {
+ current_element = current_element->next;
+ }
+ }
+ else
+ {
+ while ((current_element != NULL) && (case_insensitive_strcmp((const unsigned char*)name, (const unsigned char*)(current_element->string)) != 0))
+ {
+ current_element = current_element->next;
+ }
+ }
+
+ if ((current_element == NULL) || (current_element->string == NULL)) {
+ return NULL;
+ }
+
+ return current_element;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_GetObjectItem(const cJSON * const object, const char * const string)
+{
+ return get_object_item(object, string, false);
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_GetObjectItemCaseSensitive(const cJSON * const object, const char * const string)
+{
+ return get_object_item(object, string, true);
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_HasObjectItem(const cJSON *object, const char *string)
+{
+ return cJSON_GetObjectItem(object, string) ? 1 : 0;
+}
+
+/* Utility for array list handling.
*/
+static void suffix_object(cJSON *prev, cJSON *item)
+{
+ prev->next = item;
+ item->prev = prev;
+}
+
+/* Utility for handling references. */
+static cJSON *create_reference(const cJSON *item, const internal_hooks * const hooks)
+{
+ cJSON *reference = NULL;
+ if (item == NULL)
+ {
+ return NULL;
+ }
+
+ reference = cJSON_New_Item(hooks);
+ if (reference == NULL)
+ {
+ return NULL;
+ }
+
+ memcpy(reference, item, sizeof(cJSON));
+ reference->string = NULL;
+ reference->type |= cJSON_IsReference;
+ reference->next = reference->prev = NULL;
+ return reference;
+}
+
+static cJSON_bool add_item_to_array(cJSON *array, cJSON *item)
+{
+ cJSON *child = NULL;
+
+ if ((item == NULL) || (array == NULL) || (array == item))
+ {
+ return false;
+ }
+
+ child = array->child;
+ /*
+ * To find the last item in array quickly, we use prev in array
+ */
+ if (child == NULL)
+ {
+ /* list is empty, start new one */
+ array->child = item;
+ item->prev = item;
+ item->next = NULL;
+ }
+ else
+ {
+ /* append to the end */
+ if (child->prev)
+ {
+ suffix_object(child->prev, item);
+ array->child->prev = item;
+ }
+ }
+
+ return true;
+}
+
+/* Add item to array/object.
*/
+CJSON_PUBLIC(cJSON_bool) cJSON_AddItemToArray(cJSON *array, cJSON *item)
+{
+ return add_item_to_array(array, item);
+}
+
+#if defined(__clang__) || (defined(__GNUC__) && ((__GNUC__ > 4) || ((__GNUC__ == 4) && (__GNUC_MINOR__ > 5))))
+ #pragma GCC diagnostic push
+#endif
+#ifdef __GNUC__
+#pragma GCC diagnostic ignored "-Wcast-qual"
+#endif
+/* helper function to cast away const */
+static void* cast_away_const(const void* string)
+{
+ return (void*)string;
+}
+#if defined(__clang__) || (defined(__GNUC__) && ((__GNUC__ > 4) || ((__GNUC__ == 4) && (__GNUC_MINOR__ > 5))))
+ #pragma GCC diagnostic pop
+#endif
+
+
+static cJSON_bool add_item_to_object(cJSON * const object, const char * const string, cJSON * const item, const internal_hooks * const hooks, const cJSON_bool constant_key)
+{
+ char *new_key = NULL;
+ int new_type = cJSON_Invalid;
+
+ if ((object == NULL) || (string == NULL) || (item == NULL) || (object == item))
+ {
+ return false;
+ }
+
+ if (constant_key)
+ {
+ new_key = (char*)cast_away_const(string);
+ new_type = item->type | cJSON_StringIsConst;
+ }
+ else
+ {
+ new_key = (char*)cJSON_strdup((const unsigned char*)string, hooks);
+ if (new_key == NULL)
+ {
+ return false;
+ }
+
+ new_type = item->type & ~cJSON_StringIsConst;
+ }
+
+ if (!(item->type & cJSON_StringIsConst) && (item->string != NULL))
+ {
+ hooks->deallocate(item->string);
+ }
+
+ item->string = new_key;
+ item->type = new_type;
+
+ return add_item_to_array(object, item);
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_AddItemToObject(cJSON *object, const char *string, cJSON *item)
+{
+ return add_item_to_object(object, string, item, &global_hooks, false);
+}
+
+/* Add an item to an object with constant string as key */
+CJSON_PUBLIC(cJSON_bool) cJSON_AddItemToObjectCS(cJSON *object, const char *string, cJSON *item)
+{
+ return add_item_to_object(object, string, item, &global_hooks, true);
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_AddItemReferenceToArray(cJSON *array, cJSON *item)
+{
+ if (array ==
NULL)
+ {
+ return false;
+ }
+
+ return add_item_to_array(array, create_reference(item, &global_hooks));
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_AddItemReferenceToObject(cJSON *object, const char *string, cJSON *item)
+{
+ if ((object == NULL) || (string == NULL))
+ {
+ return false;
+ }
+
+ return add_item_to_object(object, string, create_reference(item, &global_hooks), &global_hooks, false);
+}
+
+CJSON_PUBLIC(cJSON*) cJSON_AddNullToObject(cJSON * const object, const char * const name)
+{
+ cJSON *null = cJSON_CreateNull();
+ if (add_item_to_object(object, name, null, &global_hooks, false))
+ {
+ return null;
+ }
+
+ cJSON_Delete(null);
+ return NULL;
+}
+
+CJSON_PUBLIC(cJSON*) cJSON_AddTrueToObject(cJSON * const object, const char * const name)
+{
+ cJSON *true_item = cJSON_CreateTrue();
+ if (add_item_to_object(object, name, true_item, &global_hooks, false))
+ {
+ return true_item;
+ }
+
+ cJSON_Delete(true_item);
+ return NULL;
+}
+
+CJSON_PUBLIC(cJSON*) cJSON_AddFalseToObject(cJSON * const object, const char * const name)
+{
+ cJSON *false_item = cJSON_CreateFalse();
+ if (add_item_to_object(object, name, false_item, &global_hooks, false))
+ {
+ return false_item;
+ }
+
+ cJSON_Delete(false_item);
+ return NULL;
+}
+
+CJSON_PUBLIC(cJSON*) cJSON_AddBoolToObject(cJSON * const object, const char * const name, const cJSON_bool boolean)
+{
+ cJSON *bool_item = cJSON_CreateBool(boolean);
+ if (add_item_to_object(object, name, bool_item, &global_hooks, false))
+ {
+ return bool_item;
+ }
+
+ cJSON_Delete(bool_item);
+ return NULL;
+}
+
+CJSON_PUBLIC(cJSON*) cJSON_AddNumberToObject(cJSON * const object, const char * const name, const double number)
+{
+ cJSON *number_item = cJSON_CreateNumber(number);
+ if (add_item_to_object(object, name, number_item, &global_hooks, false))
+ {
+ return number_item;
+ }
+
+ cJSON_Delete(number_item);
+ return NULL;
+}
+
+CJSON_PUBLIC(cJSON*) cJSON_AddStringToObject(cJSON * const object, const char * const name, const char * const
string)
+{
+ cJSON *string_item = cJSON_CreateString(string);
+ if (add_item_to_object(object, name, string_item, &global_hooks, false))
+ {
+ return string_item;
+ }
+
+ cJSON_Delete(string_item);
+ return NULL;
+}
+
+CJSON_PUBLIC(cJSON*) cJSON_AddRawToObject(cJSON * const object, const char * const name, const char * const raw)
+{
+ cJSON *raw_item = cJSON_CreateRaw(raw);
+ if (add_item_to_object(object, name, raw_item, &global_hooks, false))
+ {
+ return raw_item;
+ }
+
+ cJSON_Delete(raw_item);
+ return NULL;
+}
+
+CJSON_PUBLIC(cJSON*) cJSON_AddObjectToObject(cJSON * const object, const char * const name)
+{
+ cJSON *object_item = cJSON_CreateObject();
+ if (add_item_to_object(object, name, object_item, &global_hooks, false))
+ {
+ return object_item;
+ }
+
+ cJSON_Delete(object_item);
+ return NULL;
+}
+
+CJSON_PUBLIC(cJSON*) cJSON_AddArrayToObject(cJSON * const object, const char * const name)
+{
+ cJSON *array = cJSON_CreateArray();
+ if (add_item_to_object(object, name, array, &global_hooks, false))
+ {
+ return array;
+ }
+
+ cJSON_Delete(array);
+ return NULL;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_DetachItemViaPointer(cJSON *parent, cJSON * const item)
+{
+ if ((parent == NULL) || (item == NULL))
+ {
+ return NULL;
+ }
+
+ if (item != parent->child)
+ {
+ /* not the first element */
+ item->prev->next = item->next;
+ }
+ if (item->next != NULL)
+ {
+ /* not the last element */
+ item->next->prev = item->prev;
+ }
+
+ if (item == parent->child)
+ {
+ /* first element */
+ parent->child = item->next;
+ }
+ else if (item->next == NULL)
+ {
+ /* last element */
+ parent->child->prev = item->prev;
+ }
+
+ /* make sure the detached item doesn't point anywhere anymore */
+ item->prev = NULL;
+ item->next = NULL;
+
+ return item;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromArray(cJSON *array, int which)
+{
+ if (which < 0)
+ {
+ return NULL;
+ }
+
+ return cJSON_DetachItemViaPointer(array, get_array_item(array, (size_t)which));
+}
+
+CJSON_PUBLIC(void)
cJSON_DeleteItemFromArray(cJSON *array, int which)
+{
+ cJSON_Delete(cJSON_DetachItemFromArray(array, which));
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromObject(cJSON *object, const char *string)
+{
+ cJSON *to_detach = cJSON_GetObjectItem(object, string);
+
+ return cJSON_DetachItemViaPointer(object, to_detach);
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromObjectCaseSensitive(cJSON *object, const char *string)
+{
+ cJSON *to_detach = cJSON_GetObjectItemCaseSensitive(object, string);
+
+ return cJSON_DetachItemViaPointer(object, to_detach);
+}
+
+CJSON_PUBLIC(void) cJSON_DeleteItemFromObject(cJSON *object, const char *string)
+{
+ cJSON_Delete(cJSON_DetachItemFromObject(object, string));
+}
+
+CJSON_PUBLIC(void) cJSON_DeleteItemFromObjectCaseSensitive(cJSON *object, const char *string)
+{
+ cJSON_Delete(cJSON_DetachItemFromObjectCaseSensitive(object, string));
+}
+
+/* Replace array/object items with new ones. */
+CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON *newitem)
+{
+ cJSON *after_inserted = NULL;
+
+ if (which < 0)
+ {
+ return false;
+ }
+
+ after_inserted = get_array_item(array, (size_t)which);
+ if (after_inserted == NULL)
+ {
+ return add_item_to_array(array, newitem);
+ }
+
+ newitem->next = after_inserted;
+ newitem->prev = after_inserted->prev;
+ after_inserted->prev = newitem;
+ if (after_inserted == array->child)
+ {
+ array->child = newitem;
+ }
+ else
+ {
+ newitem->prev->next = newitem;
+ }
+ return true;
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemViaPointer(cJSON * const parent, cJSON * const item, cJSON * replacement)
+{
+ if ((parent == NULL) || (replacement == NULL) || (item == NULL))
+ {
+ return false;
+ }
+
+ if (replacement == item)
+ {
+ return true;
+ }
+
+ replacement->next = item->next;
+ replacement->prev = item->prev;
+
+ if (replacement->next != NULL)
+ {
+ replacement->next->prev = replacement;
+ }
+ if (parent->child == item)
+ {
+ if (parent->child->prev == parent->child)
+ {
+
replacement->prev = replacement;
+ }
+ parent->child = replacement;
+ }
+ else
+ { /*
+ * To find the last item in array quickly, we use prev in array.
+ * We can't modify the last item's next pointer where this item was the parent's child
+ */
+ if (replacement->prev != NULL)
+ {
+ replacement->prev->next = replacement;
+ }
+ if (replacement->next == NULL)
+ {
+ parent->child->prev = replacement;
+ }
+ }
+
+ item->next = NULL;
+ item->prev = NULL;
+ cJSON_Delete(item);
+
+ return true;
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemInArray(cJSON *array, int which, cJSON *newitem)
+{
+ if (which < 0)
+ {
+ return false;
+ }
+
+ return cJSON_ReplaceItemViaPointer(array, get_array_item(array, (size_t)which), newitem);
+}
+
+static cJSON_bool replace_item_in_object(cJSON *object, const char *string, cJSON *replacement, cJSON_bool case_sensitive)
+{
+ if ((replacement == NULL) || (string == NULL))
+ {
+ return false;
+ }
+
+ /* replace the name in the replacement */
+ if (!(replacement->type & cJSON_StringIsConst) && (replacement->string != NULL))
+ {
+ cJSON_free(replacement->string);
+ }
+ replacement->string = (char*)cJSON_strdup((const unsigned char*)string, &global_hooks);
+ if (replacement->string == NULL)
+ {
+ return false;
+ }
+
+ replacement->type &= ~cJSON_StringIsConst;
+
+ return cJSON_ReplaceItemViaPointer(object, get_object_item(object, string, case_sensitive), replacement);
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemInObject(cJSON *object, const char *string, cJSON *newitem)
+{
+ return replace_item_in_object(object, string, newitem, false);
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemInObjectCaseSensitive(cJSON *object, const char *string, cJSON *newitem)
+{
+ return replace_item_in_object(object, string, newitem, true);
+}
+
+/* Create basic types: */
+CJSON_PUBLIC(cJSON *) cJSON_CreateNull(void)
+{
+ cJSON *item = cJSON_New_Item(&global_hooks);
+ if(item)
+ {
+ item->type = cJSON_NULL;
+ }
+
+ return item;
+}
+
+CJSON_PUBLIC(cJSON *)
cJSON_CreateTrue(void)
+{
+ cJSON *item = cJSON_New_Item(&global_hooks);
+ if(item)
+ {
+ item->type = cJSON_True;
+ }
+
+ return item;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_CreateFalse(void)
+{
+ cJSON *item = cJSON_New_Item(&global_hooks);
+ if(item)
+ {
+ item->type = cJSON_False;
+ }
+
+ return item;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_CreateBool(cJSON_bool boolean)
+{
+ cJSON *item = cJSON_New_Item(&global_hooks);
+ if(item)
+ {
+ item->type = boolean ? cJSON_True : cJSON_False;
+ }
+
+ return item;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_CreateNumber(double num)
+{
+ cJSON *item = cJSON_New_Item(&global_hooks);
+ if(item)
+ {
+ item->type = cJSON_Number;
+ item->valuedouble = num;
+
+ /* use saturation in case of overflow */
+ if (num >= INT_MAX)
+ {
+ item->valueint = INT_MAX;
+ }
+ else if (num <= (double)INT_MIN)
+ {
+ item->valueint = INT_MIN;
+ }
+ else
+ {
+ item->valueint = (int)num;
+ }
+ }
+
+ return item;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_CreateString(const char *string)
+{
+ cJSON *item = cJSON_New_Item(&global_hooks);
+ if(item)
+ {
+ item->type = cJSON_String;
+ item->valuestring = (char*)cJSON_strdup((const unsigned char*)string, &global_hooks);
+ if(!item->valuestring)
+ {
+ cJSON_Delete(item);
+ return NULL;
+ }
+ }
+
+ return item;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_CreateStringReference(const char *string)
+{
+ cJSON *item = cJSON_New_Item(&global_hooks);
+ if (item != NULL)
+ {
+ item->type = cJSON_String | cJSON_IsReference;
+ item->valuestring = (char*)cast_away_const(string);
+ }
+
+ return item;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_CreateObjectReference(const cJSON *child)
+{
+ cJSON *item = cJSON_New_Item(&global_hooks);
+ if (item != NULL) {
+ item->type = cJSON_Object | cJSON_IsReference;
+ item->child = (cJSON*)cast_away_const(child);
+ }
+
+ return item;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_CreateArrayReference(const cJSON *child) {
+ cJSON *item = cJSON_New_Item(&global_hooks);
+ if (item != NULL) {
+ item->type = cJSON_Array | cJSON_IsReference;
+
item->child = (cJSON*)cast_away_const(child);
+ }
+
+ return item;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_CreateRaw(const char *raw)
+{
+ cJSON *item = cJSON_New_Item(&global_hooks);
+ if(item)
+ {
+ item->type = cJSON_Raw;
+ item->valuestring = (char*)cJSON_strdup((const unsigned char*)raw, &global_hooks);
+ if(!item->valuestring)
+ {
+ cJSON_Delete(item);
+ return NULL;
+ }
+ }
+
+ return item;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_CreateArray(void)
+{
+ cJSON *item = cJSON_New_Item(&global_hooks);
+ if(item)
+ {
+ item->type=cJSON_Array;
+ }
+
+ return item;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_CreateObject(void)
+{
+ cJSON *item = cJSON_New_Item(&global_hooks);
+ if (item)
+ {
+ item->type = cJSON_Object;
+ }
+
+ return item;
+}
+
+/* Create Arrays: */
+CJSON_PUBLIC(cJSON *) cJSON_CreateIntArray(const int *numbers, int count)
+{
+ size_t i = 0;
+ cJSON *n = NULL;
+ cJSON *p = NULL;
+ cJSON *a = NULL;
+
+ if ((count < 0) || (numbers == NULL))
+ {
+ return NULL;
+ }
+
+ a = cJSON_CreateArray();
+
+ for(i = 0; a && (i < (size_t)count); i++)
+ {
+ n = cJSON_CreateNumber(numbers[i]);
+ if (!n)
+ {
+ cJSON_Delete(a);
+ return NULL;
+ }
+ if(!i)
+ {
+ a->child = n;
+ }
+ else
+ {
+ suffix_object(p, n);
+ }
+ p = n;
+ }
+
+ if (a && a->child) {
+ a->child->prev = n;
+ }
+
+ return a;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_CreateFloatArray(const float *numbers, int count)
+{
+ size_t i = 0;
+ cJSON *n = NULL;
+ cJSON *p = NULL;
+ cJSON *a = NULL;
+
+ if ((count < 0) || (numbers == NULL))
+ {
+ return NULL;
+ }
+
+ a = cJSON_CreateArray();
+
+ for(i = 0; a && (i < (size_t)count); i++)
+ {
+ n = cJSON_CreateNumber((double)numbers[i]);
+ if(!n)
+ {
+ cJSON_Delete(a);
+ return NULL;
+ }
+ if(!i)
+ {
+ a->child = n;
+ }
+ else
+ {
+ suffix_object(p, n);
+ }
+ p = n;
+ }
+
+ if (a && a->child) {
+ a->child->prev = n;
+ }
+
+ return a;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_CreateDoubleArray(const double *numbers, int count)
+{
+ size_t i = 0;
+ cJSON *n = NULL;
+ cJSON *p = NULL;
+ cJSON *a =
NULL;
+
+ if ((count < 0) || (numbers == NULL))
+ {
+ return NULL;
+ }
+
+ a = cJSON_CreateArray();
+
+ for(i = 0; a && (i < (size_t)count); i++)
+ {
+ n = cJSON_CreateNumber(numbers[i]);
+ if(!n)
+ {
+ cJSON_Delete(a);
+ return NULL;
+ }
+ if(!i)
+ {
+ a->child = n;
+ }
+ else
+ {
+ suffix_object(p, n);
+ }
+ p = n;
+ }
+
+ if (a && a->child) {
+ a->child->prev = n;
+ }
+
+ return a;
+}
+
+CJSON_PUBLIC(cJSON *) cJSON_CreateStringArray(const char *const *strings, int count)
+{
+ size_t i = 0;
+ cJSON *n = NULL;
+ cJSON *p = NULL;
+ cJSON *a = NULL;
+
+ if ((count < 0) || (strings == NULL))
+ {
+ return NULL;
+ }
+
+ a = cJSON_CreateArray();
+
+ for (i = 0; a && (i < (size_t)count); i++)
+ {
+ n = cJSON_CreateString(strings[i]);
+ if(!n)
+ {
+ cJSON_Delete(a);
+ return NULL;
+ }
+ if(!i)
+ {
+ a->child = n;
+ }
+ else
+ {
+ suffix_object(p,n);
+ }
+ p = n;
+ }
+
+ if (a && a->child) {
+ a->child->prev = n;
+ }
+
+ return a;
+}
+
+/* Duplication */
+CJSON_PUBLIC(cJSON *) cJSON_Duplicate(const cJSON *item, cJSON_bool recurse)
+{
+ cJSON *newitem = NULL;
+ cJSON *child = NULL;
+ cJSON *next = NULL;
+ cJSON *newchild = NULL;
+
+ /* Bail on bad ptr */
+ if (!item)
+ {
+ goto fail;
+ }
+ /* Create new item */
+ newitem = cJSON_New_Item(&global_hooks);
+ if (!newitem)
+ {
+ goto fail;
+ }
+ /* Copy over all vars */
+ newitem->type = item->type & (~cJSON_IsReference);
+ newitem->valueint = item->valueint;
+ newitem->valuedouble = item->valuedouble;
+ if (item->valuestring)
+ {
+ newitem->valuestring = (char*)cJSON_strdup((unsigned char*)item->valuestring, &global_hooks);
+ if (!newitem->valuestring)
+ {
+ goto fail;
+ }
+ }
+ if (item->string)
+ {
+ newitem->string = (item->type&cJSON_StringIsConst) ? item->string : (char*)cJSON_strdup((unsigned char*)item->string, &global_hooks);
+ if (!newitem->string)
+ {
+ goto fail;
+ }
+ }
+ /* If non-recursive, then we're done! */
+ if (!recurse)
+ {
+ return newitem;
+ }
+ /* Walk the ->next chain for the child.
*/
+ child = item->child;
+ while (child != NULL)
+ {
+ newchild = cJSON_Duplicate(child, true); /* Duplicate (with recurse) each item in the ->next chain */
+ if (!newchild)
+ {
+ goto fail;
+ }
+ if (next != NULL)
+ {
+ /* If newitem->child already set, then crosswire ->prev and ->next and move on */
+ next->next = newchild;
+ newchild->prev = next;
+ next = newchild;
+ }
+ else
+ {
+ /* Set newitem->child and move to it */
+ newitem->child = newchild;
+ next = newchild;
+ }
+ child = child->next;
+ }
+ if (newitem && newitem->child)
+ {
+ newitem->child->prev = newchild;
+ }
+
+ return newitem;
+
+fail:
+ if (newitem != NULL)
+ {
+ cJSON_Delete(newitem);
+ }
+
+ return NULL;
+}
+
+static void skip_oneline_comment(char **input)
+{
+ *input += static_strlen("//");
+
+ for (; (*input)[0] != '\0'; ++(*input))
+ {
+ if ((*input)[0] == '\n') {
+ *input += static_strlen("\n");
+ return;
+ }
+ }
+}
+
+static void skip_multiline_comment(char **input)
+{
+ *input += static_strlen("/*");
+
+ for (; (*input)[0] != '\0'; ++(*input))
+ {
+ if (((*input)[0] == '*') && ((*input)[1] == '/'))
+ {
+ *input += static_strlen("*/");
+ return;
+ }
+ }
+}
+
+static void minify_string(char **input, char **output) {
+ (*output)[0] = (*input)[0];
+ *input += static_strlen("\"");
+ *output += static_strlen("\"");
+
+
+ for (; (*input)[0] != '\0'; (void)++(*input), ++(*output)) {
+ (*output)[0] = (*input)[0];
+
+ if ((*input)[0] == '\"') {
+ (*output)[0] = '\"';
+ *input += static_strlen("\"");
+ *output += static_strlen("\"");
+ return;
+ } else if (((*input)[0] == '\\') && ((*input)[1] == '\"')) {
+ (*output)[1] = (*input)[1];
+ *input += static_strlen("\"");
+ *output += static_strlen("\"");
+ }
+ }
+}
+
+CJSON_PUBLIC(void) cJSON_Minify(char *json)
+{
+ char *into = json;
+
+ if (json == NULL)
+ {
+ return;
+ }
+
+ while (json[0] != '\0')
+ {
+ switch (json[0])
+ {
+ case ' ':
+ case '\t':
+ case '\r':
+ case '\n':
+ json++;
+ break;
+
+ case '/':
+ if (json[1] == '/')
+ {
+
skip_oneline_comment(&json);
+ }
+ else if (json[1] == '*')
+ {
+ skip_multiline_comment(&json);
+ } else {
+ json++;
+ }
+ break;
+
+ case '\"':
+ minify_string(&json, (char**)&into);
+ break;
+
+ default:
+ into[0] = json[0];
+ json++;
+ into++;
+ }
+ }
+
+ /* and null-terminate. */
+ *into = '\0';
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_IsInvalid(const cJSON * const item)
+{
+ if (item == NULL)
+ {
+ return false;
+ }
+
+ return (item->type & 0xFF) == cJSON_Invalid;
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_IsFalse(const cJSON * const item)
+{
+ if (item == NULL)
+ {
+ return false;
+ }
+
+ return (item->type & 0xFF) == cJSON_False;
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_IsTrue(const cJSON * const item)
+{
+ if (item == NULL)
+ {
+ return false;
+ }
+
+ return (item->type & 0xff) == cJSON_True;
+}
+
+
+CJSON_PUBLIC(cJSON_bool) cJSON_IsBool(const cJSON * const item)
+{
+ if (item == NULL)
+ {
+ return false;
+ }
+
+ return (item->type & (cJSON_True | cJSON_False)) != 0;
+}
+CJSON_PUBLIC(cJSON_bool) cJSON_IsNull(const cJSON * const item)
+{
+ if (item == NULL)
+ {
+ return false;
+ }
+
+ return (item->type & 0xFF) == cJSON_NULL;
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_IsNumber(const cJSON * const item)
+{
+ if (item == NULL)
+ {
+ return false;
+ }
+
+ return (item->type & 0xFF) == cJSON_Number;
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_IsString(const cJSON * const item)
+{
+ if (item == NULL)
+ {
+ return false;
+ }
+
+ return (item->type & 0xFF) == cJSON_String;
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_IsArray(const cJSON * const item)
+{
+ if (item == NULL)
+ {
+ return false;
+ }
+
+ return (item->type & 0xFF) == cJSON_Array;
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_IsObject(const cJSON * const item)
+{
+ if (item == NULL)
+ {
+ return false;
+ }
+
+ return (item->type & 0xFF) == cJSON_Object;
+}
+
+CJSON_PUBLIC(cJSON_bool) cJSON_IsRaw(const cJSON * const item)
+{
+ if (item == NULL)
+ {
+ return false;
+ }
+
+ return (item->type & 0xFF) == cJSON_Raw;
+}
+
+CJSON_PUBLIC(cJSON_bool)
cJSON_Compare(const cJSON * const a, const cJSON * const b, const cJSON_bool case_sensitive)
+{
+ if ((a == NULL) || (b == NULL) || ((a->type & 0xFF) != (b->type & 0xFF)))
+ {
+ return false;
+ }
+
+ /* check if type is valid */
+ switch (a->type & 0xFF)
+ {
+ case cJSON_False:
+ case cJSON_True:
+ case cJSON_NULL:
+ case cJSON_Number:
+ case cJSON_String:
+ case cJSON_Raw:
+ case cJSON_Array:
+ case cJSON_Object:
+ break;
+
+ default:
+ return false;
+ }
+
+ /* identical objects are equal */
+ if (a == b)
+ {
+ return true;
+ }
+
+ switch (a->type & 0xFF)
+ {
+ /* in these cases and equal type is enough */
+ case cJSON_False:
+ case cJSON_True:
+ case cJSON_NULL:
+ return true;
+
+ case cJSON_Number:
+ if (compare_double(a->valuedouble, b->valuedouble))
+ {
+ return true;
+ }
+ return false;
+
+ case cJSON_String:
+ case cJSON_Raw:
+ if ((a->valuestring == NULL) || (b->valuestring == NULL))
+ {
+ return false;
+ }
+ if (strcmp(a->valuestring, b->valuestring) == 0)
+ {
+ return true;
+ }
+
+ return false;
+
+ case cJSON_Array:
+ {
+ cJSON *a_element = a->child;
+ cJSON *b_element = b->child;
+
+ for (; (a_element != NULL) && (b_element != NULL);)
+ {
+ if (!cJSON_Compare(a_element, b_element, case_sensitive))
+ {
+ return false;
+ }
+
+ a_element = a_element->next;
+ b_element = b_element->next;
+ }
+
+ /* one of the arrays is longer than the other */
+ if (a_element != b_element) {
+ return false;
+ }
+
+ return true;
+ }
+
+ case cJSON_Object:
+ {
+ cJSON *a_element = NULL;
+ cJSON *b_element = NULL;
+ cJSON_ArrayForEach(a_element, a)
+ {
+ /* TODO This has O(n^2) runtime, which is horrible!
*/
+ b_element = get_object_item(b, a_element->string, case_sensitive);
+ if (b_element == NULL)
+ {
+ return false;
+ }
+
+ if (!cJSON_Compare(a_element, b_element, case_sensitive))
+ {
+ return false;
+ }
+ }
+
+ /* doing this twice, once on a and b to prevent true comparison if a subset of b
+ * TODO: Do this the proper way, this is just a fix for now */
+ cJSON_ArrayForEach(b_element, b)
+ {
+ a_element = get_object_item(a, b_element->string, case_sensitive);
+ if (a_element == NULL)
+ {
+ return false;
+ }
+
+ if (!cJSON_Compare(b_element, a_element, case_sensitive))
+ {
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+ default:
+ return false;
+ }
+}
+
+CJSON_PUBLIC(void *) cJSON_malloc(size_t size)
+{
+ return global_hooks.allocate(size);
+}
+
+CJSON_PUBLIC(void) cJSON_free(void *object)
+{
+ global_hooks.deallocate(object);
+}
diff --git a/XT_VirusTotal/cJSON.h b/XT_VirusTotal/cJSON.h
new file mode 100644
index 0000000..95a9cf6
--- /dev/null
+++ b/XT_VirusTotal/cJSON.h
@@ -0,0 +1,300 @@ +/* + Copyright (c) 2009-2017 Dave Gamble and cJSON contributors + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +*/ + +#ifndef cJSON__h +#define cJSON__h + +#ifdef __cplusplus +extern "C" +{ +#endif + +#if !defined(__WINDOWS__) && (defined(WIN32) || defined(WIN64) || defined(_MSC_VER) || defined(_WIN32)) +#define __WINDOWS__ +#endif + +#ifdef __WINDOWS__ + +/* When compiling for windows, we specify a specific calling convention to avoid issues where we are being called from a project with a different default calling convention. 
For windows you have 3 define options: + +CJSON_HIDE_SYMBOLS - Define this in the case where you don't want to ever dllexport symbols +CJSON_EXPORT_SYMBOLS - Define this on library build when you want to dllexport symbols (default) +CJSON_IMPORT_SYMBOLS - Define this if you want to dllimport symbol + +For *nix builds that support visibility attribute, you can define similar behavior by + +setting default visibility to hidden by adding +-fvisibility=hidden (for gcc) +or +-xldscope=hidden (for sun cc) +to CFLAGS + +then using the CJSON_API_VISIBILITY flag to "export" the same symbols the way CJSON_EXPORT_SYMBOLS does + +*/ + +#define CJSON_CDECL __cdecl +#define CJSON_STDCALL __stdcall + +/* export symbols by default, this is necessary for copy pasting the C and header file */ +#if !defined(CJSON_HIDE_SYMBOLS) && !defined(CJSON_IMPORT_SYMBOLS) && !defined(CJSON_EXPORT_SYMBOLS) +#define CJSON_EXPORT_SYMBOLS +#endif + +#if defined(CJSON_HIDE_SYMBOLS) +#define CJSON_PUBLIC(type) type CJSON_STDCALL +#elif defined(CJSON_EXPORT_SYMBOLS) +#define CJSON_PUBLIC(type) __declspec(dllexport) type CJSON_STDCALL +#elif defined(CJSON_IMPORT_SYMBOLS) +#define CJSON_PUBLIC(type) __declspec(dllimport) type CJSON_STDCALL +#endif +#else /* !__WINDOWS__ */ +#define CJSON_CDECL +#define CJSON_STDCALL + +#if (defined(__GNUC__) || defined(__SUNPRO_CC) || defined (__SUNPRO_C)) && defined(CJSON_API_VISIBILITY) +#define CJSON_PUBLIC(type) __attribute__((visibility("default"))) type +#else +#define CJSON_PUBLIC(type) type +#endif +#endif + +/* project version */ +#define CJSON_VERSION_MAJOR 1 +#define CJSON_VERSION_MINOR 7 +#define CJSON_VERSION_PATCH 15 + +#include + +/* cJSON Types: */ +#define cJSON_Invalid (0) +#define cJSON_False (1 << 0) +#define cJSON_True (1 << 1) +#define cJSON_NULL (1 << 2) +#define cJSON_Number (1 << 3) +#define cJSON_String (1 << 4) +#define cJSON_Array (1 << 5) +#define cJSON_Object (1 << 6) +#define cJSON_Raw (1 << 7) /* raw json */ + +#define cJSON_IsReference 
256 +#define cJSON_StringIsConst 512 + +/* The cJSON structure: */ +typedef struct cJSON +{ + /* next/prev allow you to walk array/object chains. Alternatively, use GetArraySize/GetArrayItem/GetObjectItem */ + struct cJSON *next; + struct cJSON *prev; + /* An array or object item will have a child pointer pointing to a chain of the items in the array/object. */ + struct cJSON *child; + + /* The type of the item, as above. */ + int type; + + /* The item's string, if type==cJSON_String and type == cJSON_Raw */ + char *valuestring; + /* writing to valueint is DEPRECATED, use cJSON_SetNumberValue instead */ + int valueint; + /* The item's number, if type==cJSON_Number */ + double valuedouble; + + /* The item's name string, if this item is the child of, or is in the list of subitems of an object. */ + char *string; +} cJSON; + +typedef struct cJSON_Hooks +{ + /* malloc/free are CDECL on Windows regardless of the default calling convention of the compiler, so ensure the hooks allow passing those functions directly. */ + void *(CJSON_CDECL *malloc_fn)(size_t sz); + void (CJSON_CDECL *free_fn)(void *ptr); +} cJSON_Hooks; + +typedef int cJSON_bool; + +/* Limits how deeply nested arrays/objects can be before cJSON rejects to parse them. + * This is to prevent stack overflows. */ +#ifndef CJSON_NESTING_LIMIT +#define CJSON_NESTING_LIMIT 1000 +#endif + +/* returns the version of cJSON as a string */ +CJSON_PUBLIC(const char*) cJSON_Version(void); + +/* Supply malloc, realloc and free functions to cJSON */ +CJSON_PUBLIC(void) cJSON_InitHooks(cJSON_Hooks* hooks); + +/* Memory Management: the caller is always responsible to free the results from all variants of cJSON_Parse (with cJSON_Delete) and cJSON_Print (with stdlib free, cJSON_Hooks.free_fn, or cJSON_free as appropriate). The exception is cJSON_PrintPreallocated, where the caller has full responsibility of the buffer. */ +/* Supply a block of JSON, and this returns a cJSON object you can interrogate. 
*/ +CJSON_PUBLIC(cJSON *) cJSON_Parse(const char *value); +CJSON_PUBLIC(cJSON *) cJSON_ParseWithLength(const char *value, size_t buffer_length); +/* ParseWithOpts allows you to require (and check) that the JSON is null terminated, and to retrieve the pointer to the final byte parsed. */ +/* If you supply a ptr in return_parse_end and parsing fails, then return_parse_end will contain a pointer to the error so will match cJSON_GetErrorPtr(). */ +CJSON_PUBLIC(cJSON *) cJSON_ParseWithOpts(const char *value, const char **return_parse_end, cJSON_bool require_null_terminated); +CJSON_PUBLIC(cJSON *) cJSON_ParseWithLengthOpts(const char *value, size_t buffer_length, const char **return_parse_end, cJSON_bool require_null_terminated); + +/* Render a cJSON entity to text for transfer/storage. */ +CJSON_PUBLIC(char *) cJSON_Print(const cJSON *item); +/* Render a cJSON entity to text for transfer/storage without any formatting. */ +CJSON_PUBLIC(char *) cJSON_PrintUnformatted(const cJSON *item); +/* Render a cJSON entity to text using a buffered strategy. prebuffer is a guess at the final size. guessing well reduces reallocation. fmt=0 gives unformatted, =1 gives formatted */ +CJSON_PUBLIC(char *) cJSON_PrintBuffered(const cJSON *item, int prebuffer, cJSON_bool fmt); +/* Render a cJSON entity to text using a buffer already allocated in memory with given length. Returns 1 on success and 0 on failure. */ +/* NOTE: cJSON is not always 100% accurate in estimating how much memory it will use, so to be safe allocate 5 bytes more than you actually need */ +CJSON_PUBLIC(cJSON_bool) cJSON_PrintPreallocated(cJSON *item, char *buffer, const int length, const cJSON_bool format); +/* Delete a cJSON entity and all subentities. */ +CJSON_PUBLIC(void) cJSON_Delete(cJSON *item); + +/* Returns the number of items in an array (or object). */ +CJSON_PUBLIC(int) cJSON_GetArraySize(const cJSON *array); +/* Retrieve item number "index" from array "array". Returns NULL if unsuccessful. 
*/ +CJSON_PUBLIC(cJSON *) cJSON_GetArrayItem(const cJSON *array, int index); +/* Get item "string" from object. Case insensitive. */ +CJSON_PUBLIC(cJSON *) cJSON_GetObjectItem(const cJSON * const object, const char * const string); +CJSON_PUBLIC(cJSON *) cJSON_GetObjectItemCaseSensitive(const cJSON * const object, const char * const string); +CJSON_PUBLIC(cJSON_bool) cJSON_HasObjectItem(const cJSON *object, const char *string); +/* For analysing failed parses. This returns a pointer to the parse error. You'll probably need to look a few chars back to make sense of it. Defined when cJSON_Parse() returns 0. 0 when cJSON_Parse() succeeds. */ +CJSON_PUBLIC(const char *) cJSON_GetErrorPtr(void); + +/* Check item type and return its value */ +CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item); +CJSON_PUBLIC(double) cJSON_GetNumberValue(const cJSON * const item); + +/* These functions check the type of an item */ +CJSON_PUBLIC(cJSON_bool) cJSON_IsInvalid(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsFalse(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsTrue(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsBool(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsNull(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsNumber(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsString(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsArray(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsObject(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsRaw(const cJSON * const item); + +/* These calls create a cJSON item of the appropriate type. 
*/ +CJSON_PUBLIC(cJSON *) cJSON_CreateNull(void); +CJSON_PUBLIC(cJSON *) cJSON_CreateTrue(void); +CJSON_PUBLIC(cJSON *) cJSON_CreateFalse(void); +CJSON_PUBLIC(cJSON *) cJSON_CreateBool(cJSON_bool boolean); +CJSON_PUBLIC(cJSON *) cJSON_CreateNumber(double num); +CJSON_PUBLIC(cJSON *) cJSON_CreateString(const char *string); +/* raw json */ +CJSON_PUBLIC(cJSON *) cJSON_CreateRaw(const char *raw); +CJSON_PUBLIC(cJSON *) cJSON_CreateArray(void); +CJSON_PUBLIC(cJSON *) cJSON_CreateObject(void); + +/* Create a string where valuestring references a string so + * it will not be freed by cJSON_Delete */ +CJSON_PUBLIC(cJSON *) cJSON_CreateStringReference(const char *string); +/* Create an object/array that only references it's elements so + * they will not be freed by cJSON_Delete */ +CJSON_PUBLIC(cJSON *) cJSON_CreateObjectReference(const cJSON *child); +CJSON_PUBLIC(cJSON *) cJSON_CreateArrayReference(const cJSON *child); + +/* These utilities create an Array of count items. + * The parameter count cannot be greater than the number of elements in the number array, otherwise array access will be out of bounds.*/ +CJSON_PUBLIC(cJSON *) cJSON_CreateIntArray(const int *numbers, int count); +CJSON_PUBLIC(cJSON *) cJSON_CreateFloatArray(const float *numbers, int count); +CJSON_PUBLIC(cJSON *) cJSON_CreateDoubleArray(const double *numbers, int count); +CJSON_PUBLIC(cJSON *) cJSON_CreateStringArray(const char *const *strings, int count); + +/* Append item to the specified array/object. */ +CJSON_PUBLIC(cJSON_bool) cJSON_AddItemToArray(cJSON *array, cJSON *item); +CJSON_PUBLIC(cJSON_bool) cJSON_AddItemToObject(cJSON *object, const char *string, cJSON *item); +/* Use this when string is definitely const (i.e. a literal, or as good as), and will definitely survive the cJSON object. 
+ * WARNING: When this function was used, make sure to always check that (item->type & cJSON_StringIsConst) is zero before + * writing to `item->string` */ +CJSON_PUBLIC(cJSON_bool) cJSON_AddItemToObjectCS(cJSON *object, const char *string, cJSON *item); +/* Append reference to item to the specified array/object. Use this when you want to add an existing cJSON to a new cJSON, but don't want to corrupt your existing cJSON. */ +CJSON_PUBLIC(cJSON_bool) cJSON_AddItemReferenceToArray(cJSON *array, cJSON *item); +CJSON_PUBLIC(cJSON_bool) cJSON_AddItemReferenceToObject(cJSON *object, const char *string, cJSON *item); + +/* Remove/Detach items from Arrays/Objects. */ +CJSON_PUBLIC(cJSON *) cJSON_DetachItemViaPointer(cJSON *parent, cJSON * const item); +CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromArray(cJSON *array, int which); +CJSON_PUBLIC(void) cJSON_DeleteItemFromArray(cJSON *array, int which); +CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromObject(cJSON *object, const char *string); +CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromObjectCaseSensitive(cJSON *object, const char *string); +CJSON_PUBLIC(void) cJSON_DeleteItemFromObject(cJSON *object, const char *string); +CJSON_PUBLIC(void) cJSON_DeleteItemFromObjectCaseSensitive(cJSON *object, const char *string); + +/* Update array items. */ +CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON *newitem); /* Shifts pre-existing items to the right. 
*/ +CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemViaPointer(cJSON * const parent, cJSON * const item, cJSON * replacement); +CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemInArray(cJSON *array, int which, cJSON *newitem); +CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemInObject(cJSON *object,const char *string,cJSON *newitem); +CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemInObjectCaseSensitive(cJSON *object,const char *string,cJSON *newitem); + +/* Duplicate a cJSON item */ +CJSON_PUBLIC(cJSON *) cJSON_Duplicate(const cJSON *item, cJSON_bool recurse); +/* Duplicate will create a new, identical cJSON item to the one you pass, in new memory that will + * need to be released. With recurse!=0, it will duplicate any children connected to the item. + * The item->next and ->prev pointers are always zero on return from Duplicate. */ +/* Recursively compare two cJSON items for equality. If either a or b is NULL or invalid, they will be considered unequal. + * case_sensitive determines if object keys are treated case sensitive (1) or case insensitive (0) */ +CJSON_PUBLIC(cJSON_bool) cJSON_Compare(const cJSON * const a, const cJSON * const b, const cJSON_bool case_sensitive); + +/* Minify a strings, remove blank characters(such as ' ', '\t', '\r', '\n') from strings. + * The input pointer json cannot point to a read-only address area, such as a string constant, + * but should point to a readable and writable address area. */ +CJSON_PUBLIC(void) cJSON_Minify(char *json); + +/* Helper functions for creating and adding items to an object at the same time. + * They return the added item or NULL on failure. 
*/ +CJSON_PUBLIC(cJSON*) cJSON_AddNullToObject(cJSON * const object, const char * const name); +CJSON_PUBLIC(cJSON*) cJSON_AddTrueToObject(cJSON * const object, const char * const name); +CJSON_PUBLIC(cJSON*) cJSON_AddFalseToObject(cJSON * const object, const char * const name); +CJSON_PUBLIC(cJSON*) cJSON_AddBoolToObject(cJSON * const object, const char * const name, const cJSON_bool boolean); +CJSON_PUBLIC(cJSON*) cJSON_AddNumberToObject(cJSON * const object, const char * const name, const double number); +CJSON_PUBLIC(cJSON*) cJSON_AddStringToObject(cJSON * const object, const char * const name, const char * const string); +CJSON_PUBLIC(cJSON*) cJSON_AddRawToObject(cJSON * const object, const char * const name, const char * const raw); +CJSON_PUBLIC(cJSON*) cJSON_AddObjectToObject(cJSON * const object, const char * const name); +CJSON_PUBLIC(cJSON*) cJSON_AddArrayToObject(cJSON * const object, const char * const name); + +/* When assigning an integer value, it needs to be propagated to valuedouble too. */ +#define cJSON_SetIntValue(object, number) ((object) ? (object)->valueint = (object)->valuedouble = (number) : (number)) +/* helper for the cJSON_SetNumberValue macro */ +CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number); +#define cJSON_SetNumberValue(object, number) ((object != NULL) ? cJSON_SetNumberHelper(object, (double)number) : (number)) +/* Change the valuestring of a cJSON_String object, only takes effect when type of object is cJSON_String */ +CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring); + +/* If the object is not a boolean type this does nothing and returns cJSON_Invalid else it returns the new type*/ +#define cJSON_SetBoolValue(object, boolValue) ( \ + (object != NULL && ((object)->type & (cJSON_False|cJSON_True))) ? 
\ + (object)->type=((object)->type &(~(cJSON_False|cJSON_True)))|((boolValue)?cJSON_True:cJSON_False) : \ + cJSON_Invalid\ +) + +/* Macro for iterating over an array or object */ +#define cJSON_ArrayForEach(element, array) for(element = (array != NULL) ? (array)->child : NULL; element != NULL; element = element->next) + +/* malloc/free objects using the malloc/free functions that have been set with cJSON_InitHooks */ +CJSON_PUBLIC(void *) cJSON_malloc(size_t size); +CJSON_PUBLIC(void) cJSON_free(void *object); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/XT_VirusTotal/dllmain.cpp b/XT_VirusTotal/dllmain.cpp new file mode 100644 index 0000000..b519f38 --- /dev/null +++ b/XT_VirusTotal/dllmain.cpp @@ -0,0 +1,20 @@ +// dllmain.cpp : Defines the entry point for the DLL application. +#include "pch.h" + +BOOL APIENTRY DllMain( HMODULE hModule, + DWORD ul_reason_for_call, + LPVOID lpReserved + ) +{ + switch (ul_reason_for_call) + { + case DLL_PROCESS_ATTACH: + ReadAPIConfigFile(hModule); + case DLL_THREAD_ATTACH: + case DLL_THREAD_DETACH: + case DLL_PROCESS_DETACH: + break; + } + return TRUE; +} + diff --git a/XT_VirusTotal/framework.h b/XT_VirusTotal/framework.h new file mode 100644 index 0000000..54b83e9 --- /dev/null +++ b/XT_VirusTotal/framework.h @@ -0,0 +1,5 @@ +#pragma once + +#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers +// Windows Header Files +#include diff --git a/XT_VirusTotal/pch.cpp b/XT_VirusTotal/pch.cpp new file mode 100644 index 0000000..379204f --- /dev/null +++ b/XT_VirusTotal/pch.cpp @@ -0,0 +1,5 @@ +// pch.cpp: source file corresponding to the pre-compiled header + +#include "pch.h" + +// When you are using pre-compiled headers, this source file is necessary for compilation to succeed. \ No newline at end of file diff --git a/XT_VirusTotal/pch.h b/XT_VirusTotal/pch.h new file mode 100644 index 0000000..c3775ca --- /dev/null +++ b/XT_VirusTotal/pch.h 
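Review bot: In `DllMain` (dllmain.cpp), `ReadAPIConfigFile(hModule)` is called under `DLL_PROCESS_ATTACH`, so it runs while the OS loader lock is held. Its body is outside this hunk, but if it does more than simple file reads (loads a library, waits on another thread, or calls into DLLs that may not be initialised yet) it can deadlock or fail unpredictably. Any failure is also invisible, because the call's outcome is not checked and `DllMain` always returns `TRUE`. I would store only the module handle here and read the configuration lazily on first use, so a missing or malformed config file can be reported to the user. The case also falls through into the `DLL_THREAD_ATTACH`/`DLL_THREAD_DETACH`/`DLL_PROCESS_DETACH` labels; add an explicit `break;` after the call so a later edit to those cases does not start running on process attach.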
@@ -0,0 +1,27 @@
+// pch.h: This is a precompiled header file.
+// Files listed below are compiled only once, improving build performance for future builds.
+// This also affects IntelliSense performance, including code completion and many code browsing features.
+// However, files listed here are ALL re-compiled if any one of them is updated between builds.
+// Do not add files here that you will be updating frequently as this negates the performance advantage.
+
+#ifndef PCH_H
+#define PCH_H
+
+// add headers that you want to pre-compile here
+#include "framework.h"
+#include "X-Tension.h"
+#include "XT_VirusTotal.h"
+#include "VirusTotalWebAPI.h"
+#include "cJSON.h"
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#endif //PCH_H
\ No newline at end of file
diff --git a/doc/response.json b/doc/response.json
new file mode 100644
index 0000000..ce1b51d
--- /dev/null
+++ b/doc/response.json
@@ -0,0 +1,1023 @@ +{ + "data": { + "attributes": { + "type_description": "Win32 EXE", + "tlsh": "T135E53331C228956AE613C674A1B9CE4EA92D43073B06B84FAF5C83D36CFB3D5E545932", + "vhash": "03603e0f7d1bz6nz1bz11z", + "exiftool": { + "MIMEType": "application/octet-stream", + "Subsystem": "Windows GUI", + "MachineType": "Intel 386 or later, and compatibles", + "TimeStamp": "2008:11:10 09:40:35+00:00", + "FileType": "Win32 EXE", + "PEType": "PE32", + "CodeSize": "1126400", + "LinkerVersion": "9.0", + "ImageFileCharacteristics": "No relocs, Executable, 32-bit", + "FileTypeExtension": "exe", + "InitializedDataSize": "4096", + "SubsystemVersion": "5.0", + "ImageVersion": "0.0", + "OSVersion": "5.0", + "EntryPoint": "0x277ae0", + "UninitializedDataSize": "1458176" + }, + "trid": [ + { + "file_type": "UPX compressed Win32 Executable", + "probability": 29.3 + }, + { + "file_type": "Win32 EXE Yoda's Crypter", + "probability": 28.7 + }, + { + "file_type": "Microsoft Visual C++ compiled executable (generic)", + "probability": 17.9 + }, + { + "file_type": "Win32 Dynamic Link Library (generic)", + "probability": 7.1 + }, + { + "file_type": "Win16 NE executable (generic)", + "probability": 5.4 + } + ], + "crowdsourced_yara_results": [ + { + "rule_name": "Windows_API_Function", + "description": "This signature detects the presence of a number of Windows API functionality often seen within embedded executables. When this signature alerts on an executable, it is not an indication of malicious behavior. 
However, if seen firing in other file types, deeper investigation may be warranted.", + "author": "InQuest Labs", + "ruleset_id": "0122a7f913", + "ruleset_name": "Windows_API_Function", + "match_in_subfile": true, + "source": "https://github.com/InQuest/yara-rules-vt" + } + ], + "creation_date": 1226310035, + "names": [ + "ImplantCozy.bin", + "FTP_DATA-FbkjVN3rqFc9d4DUHj.exe", + "FTP_DATA-F99gQu7tIuINj96Yf.exe", + "/media/freddie/Seagate Expansion Drive/aptmalware/SampleLibraryAUG2019/APT29,CozyBear/ImplantCozy.bin", + "myfile.exe", + "SeaDaddyImplant (2).bin", + "/home/vega/CONTAGIO/apt/APT28/APT29_2016-06_Crowdstrike_Bears in the Midst Intrusion into the Democratic National Committee/E2B98C594961AAE731B0CCEE5F9607080EC57197_pagemgr.exe_", + "/data/cfs/malshare/004b55a66b3a86a1ce0a0b9b69b95976", + "E2B98C594961AAE731B0CCEE5F9607080EC57197_pagemgr.exe_", + "pagemgr.exe", + "e:\\test\\threat_grid-ioc_10_each-exe-no_av_apt_malware-june\\windows-util-systeminfo_6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536", + "C:\\Users\\IEUser\\Documents\\APT_Malware\\APT28-samp\\Armed - APT29_2016-06_Crowdstrike_Bears in the Midst Intrusion into the Democratic National Committee\\E2B98C594961AAE731B0CCEE5F9607080EC57197_pagemgr.exe" + ], + "last_modification_date": 1663513707, + "type_tag": "peexe", + "capabilities_tags": [ + "network_udp_sock", + "network_tcp_socket", + "network_tcp_listen", + "screenshot", + "str_win32_winsock2_library", + "win_registry", + "network_dns", + "ldpreload", + "win_files_operation" + ], + "total_votes": { + "harmless": 0, + "malicious": 4 + }, + "size": 3132974, + "popular_threat_classification": { + "suggested_threat_label": "trojan.peaceduke/seaduke", + "popular_threat_category": [ + { + "count": 35, + "value": "trojan" + }, + { + "count": 2, + "value": "pua" + } + ], + "popular_threat_name": [ + { + "count": 10, + "value": "peaceduke" + }, + { + "count": 3, + "value": "seaduke" + }, + { + "count": 2, + "value": "redcap" + } + ] + 
}, + "authentihash": "64c87025b419114c1d03b7cd11d1b0dced28d9d89fdd88e735d4da463ae1dd76", + "times_submitted": 45, + "last_submission_date": 1663513706, + "sigma_analysis_results": [ + { + "rule_title": "Process Creation Using Sysnative Folder", + "rule_source": "Sigma Integrated Rule Set (GitHub)", + "match_context": [ + { + "values": { + "TerminalSessionId": "1", + "ProcessGuid": "C784477D-C84C-62FD-3A06-000000004100", + "ProcessId": "3800", + "Product": "Microsoft\u00ae Windows\u00ae Operating System", + "Description": "Boot Configuration Data Editor", + "Company": "Microsoft Corporation", + "ParentProcessGuid": "C784477D-C84C-62FD-3706-000000004100", + "User": "DESKTOP-B0T93D6\\george", + "Hashes": "MD5=C46E3768DB01E7DC3B92EF42CC1B9C73,SHA256=3AD26DB8DC988EAD9E73FECF4D8D888A66F7965AC09F8AF4E3CFCD09028A5B59,IMPHASH=5590A306D0FA939852B69E8411CA102B", + "OriginalFileName": "bcdedit.exe", + "ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe", + "FileVersion": "10.0.17134.950 (WinBuild.160101.0800)", + "ParentProcessId": "5988", + "CurrentDirectory": "C:\\Program Files (x86)\\AutoIt3\\", + "CommandLine": "C:\\Windows\\Sysnative\\bcdedit.exe ", + "EventID": "1", + "LogonGuid": "C784477D-C709-62FD-57D3-030000000000", + "LogonId": "250711", + "Image": "C:\\Windows\\System32\\bcdedit.exe", + "IntegrityLevel": "High", + "ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\Sysnative\\bcdedit.exe 1> bcdedit 2>&1", + "UtcTime": "2022-08-18 05:04:12.293", + "RuleName": "-" + } + } + ], + "rule_level": "medium", + "rule_id": "1dfbc92aba26dc597751f9cf42ff3eac446b827525d1a38ea6fb4141c9f9af01", + "rule_author": "Max Altgelt", + "rule_description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)" + }, + { + "rule_title": "Wow6432Node CurrentVersion Autorun Keys Modification", + "rule_source": "Sigma Integrated Rule Set (GitHub)", + "match_context": [ + { + "values": { + "EventID": "13", + "ProcessId": "6608", + 
"EventType": "SetValue", + "Image": "C:\\Program Files (x86)\\Joebox\\client\\joeboxclient.exe", + "ProcessGuid": "C784477D-C844-62FD-8305-000000004100", + "UtcTime": "2022-09-05 15:15:25.486", + "Details": "x264vfw.dll", + "RuleName": "-", + "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\vidc.x264" + } + }, + { + "values": { + "EventID": "13", + "ProcessId": "6608", + "EventType": "SetValue", + "Image": "C:\\Program Files (x86)\\sandbox\\client\\sandbox-client.exe", + "ProcessGuid": "{C784477D-C844-62FD-8305-000000004100}", + "UtcTime": "1662390925", + "Details": "x264vfw.dll", + "RuleName": "-", + "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\vidc.x264" + } + } + ], + "rule_level": "medium", + "rule_id": "3e5fe19fbbb767b861e93022c3f95d25e1618fc86be75b05326ee57b2f75633c", + "rule_author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "rule_description": "Detects modification of autostart extensibility point (ASEP) in registry." + }, + { + "rule_title": "Failed Code Integrity Checks", + "rule_source": "Sigma Integrated Rule Set (GitHub)", + "match_context": [ + { + "values": { + "EventID": "5038", + "param1": "\\Device\\HarddiskVolume4\\Windows\\System32\\drivers\\filetrace.sys" + } + }, + { + "values": { + "EventID": "5038", + "param1": "\\Device\\HarddiskVolume4\\Program Files (x86)\\sandbox\\driver\\sandbox-driver.sys" + } + } + ], + "rule_level": "low", + "rule_id": "134564d292d785dff102940b8a1ee06dba2d462c5fb852124b3771a49d7885f1", + "rule_author": "Thomas Patzke", + "rule_description": "Code integrity failures may indicate tampered executables." 
+ } + ], + "meaningful_name": "ImplantCozy.bin", + "downloadable": true, + "sigma_analysis_summary": { + "Sigma Integrated Rule Set (GitHub)": { + "high": 0, + "medium": 2, + "critical": 0, + "low": 1 + } + }, + "sandbox_verdicts": { + "Zenbox": { + "category": "harmless", + "confidence": 1, + "sandbox_name": "Zenbox", + "malware_classification": [ + "CLEAN" + ] + }, + "Yomi Hunter": { + "category": "malicious", + "sandbox_name": "Yomi Hunter", + "malware_classification": [ + "MALWARE" + ] + }, + "DAS-Security Orcas": { + "category": "malicious", + "sandbox_name": "DAS-Security Orcas", + "malware_classification": [ + "MALWARE" + ] + } + }, + "sha256": "6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536", + "autostart_locations": [ + { + "entry": "cmd.exe" + } + ], + "type_extension": "exe", + "tags": [ + "peexe", + "overlay", + "runtime-modules", + "long-sleeps", + "direct-cpu-clock-access", + "upx", + "via-tor" + ], + "last_analysis_date": 1662390862, + "unique_sources": 23, + "first_submission_date": 1466528779, + "sha1": "e2b98c594961aae731b0ccee5f9607080ec57197", + "ssdeep": "49152:ACQAYCdp0wNvATRFt03zOavcye0mz0c3khqt6L2jOwiQAbM7qV3Q7VNb2+f2XEa5:YCzITRFtyOaEz0q6PS8MMQPTf2UaESjz", + "packers": { + "PEiD": "UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", + "F-PROT": "appended, UPX, ZIP" + }, + "md5": "004b55a66b3a86a1ce0a0b9b69b95976", + "pe_info": { + "resource_details": [ + { + "lang": "NEUTRAL", + "entropy": 0.0, + "chi2": -1.0, + "filetype": "unknown", + "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "type": "PYTHON27.DLL" + }, + { + "lang": "NEUTRAL", + "entropy": 7.817197799682617, + "chi2": 24340.19, + "filetype": "unknown", + "sha256": "7f412a36b160effdd804e03138d6653e15441e29b0451bd0b37f5d3a8c3f48c2", + "type": "PYTHONSCRIPT" + }, + { + "lang": "NEUTRAL", + "entropy": 5.020695209503174, + "chi2": 6079.4, + "filetype": "unknown", + "sha256": 
"9f2fc067639866642bb1a73fb43006d233e569d25566b16dedec472fe5d3c5c3", + "type": "RT_MANIFEST" + } + ], + "rich_pe_header_hash": "a3ad3c177896703a25488da5c6d894bd", + "imphash": "c0d9834cfeeb38692d50b64900f77acc", + "overlay": { + "entropy": 7.996108055114746, + "offset": 1128448, + "chi2": 11984.01, + "filetype": "ZIP", + "md5": "e27c841407195eeee13ca06c579a0369", + "size": 2004526 + }, + "compiler_product_versions": [ + "id: 150, version: 20413 count=2", + "[IMP] VS2008 build 21022 count=2", + "[ASM] VS2008 build 21022 count=1", + "[C++] VS2008 build 21022 count=2", + "[IMP] VS2005 build 50727 count=5", + "[---] Unmarked objects count=91", + "[ C ] VS2008 build 21022 count=25", + "[RES] VS2008 build 21022 count=1", + "[LNK] VS2008 build 21022 count=1" + ], + "resource_langs": { + "NEUTRAL": 3 + }, + "machine_type": 332, + "timestamp": 1226310035, + "resource_types": { + "PYTHON27.DLL": 1, + "RT_MANIFEST": 1, + "PYTHONSCRIPT": 1 + }, + "sections": [ + { + "name": "UPX0", + "chi2": -1.0, + "virtual_address": 4096, + "entropy": 0.0, + "raw_size": 0, + "flags": "rwx", + "virtual_size": 1458176, + "md5": "d41d8cd98f00b204e9800998ecf8427e" + }, + { + "name": "UPX1", + "chi2": 92876.34, + "virtual_address": 1462272, + "entropy": 7.95, + "raw_size": 1125888, + "flags": "rwx", + "virtual_size": 1126400, + "md5": "f52dfdc6ebea41473080630812a0905b" + }, + { + "name": ".rsrc", + "chi2": 80494.81, + "virtual_address": 2588672, + "entropy": 4.11, + "raw_size": 1536, + "flags": "rw", + "virtual_size": 4096, + "md5": "b13dbbcaa92a40f46e6ce1f9084d80ed" + } + ], + "import_list": [ + { + "library_name": "KERNEL32.DLL", + "imported_functions": [ + "ExitProcess", + "GetProcAddress", + "LoadLibraryA", + "VirtualAlloc", + "VirtualFree", + "VirtualProtect" + ] + }, + { + "library_name": "USER32.dll", + "imported_functions": [ + "GetFocus" + ] + }, + { + "library_name": "MSVCR90.dll", + "imported_functions": [ + "exit" + ] + } + ], + "entry_point": 2587360 + }, + "magic": "PE32 executable 
for MS Windows (GUI) Intel 80386 32-bit", + "last_analysis_stats": { + "harmless": 0, + "type-unsupported": 4, + "suspicious": 0, + "confirmed-timeout": 0, + "timeout": 0, + "failure": 0, + "malicious": 57, + "undetected": 14 + }, + "last_analysis_results": { + "Bkav": { + "category": "undetected", + "engine_name": "Bkav", + "engine_version": "1.3.0.9899", + "result": null, + "method": "blacklist", + "engine_update": "20220905" + }, + "Lionic": { + "category": "malicious", + "engine_name": "Lionic", + "engine_version": "7.5", + "result": "Trojan.Win32.PeaceDuke.trxl", + "method": "blacklist", + "engine_update": "20220905" + }, + "Elastic": { + "category": "malicious", + "engine_name": "Elastic", + "engine_version": "4.0.44", + "result": "malicious (moderate confidence)", + "method": "blacklist", + "engine_update": "20220829" + }, + "DrWeb": { + "category": "malicious", + "engine_name": "DrWeb", + "engine_version": "7.0.56.4040", + "result": "Trojan.Siggen7.31158", + "method": "blacklist", + "engine_update": "20220905" + }, + "MicroWorld-eScan": { + "category": "malicious", + "engine_name": "MicroWorld-eScan", + "engine_version": "14.0.409.0", + "result": "Trojan.GenericKD.3340692", + "method": "blacklist", + "engine_update": "20220905" + }, + "FireEye": { + "category": "malicious", + "engine_name": "FireEye", + "engine_version": "35.24.1.0", + "result": "Trojan.GenericKD.3340692", + "method": "blacklist", + "engine_update": "20220905" + }, + "CAT-QuickHeal": { + "category": "undetected", + "engine_name": "CAT-QuickHeal", + "engine_version": "14.00", + "result": null, + "method": "blacklist", + "engine_update": "20220905" + }, + "McAfee": { + "category": "malicious", + "engine_name": "McAfee", + "engine_version": "6.0.6.653", + "result": "W32/Pyllage-FCXY!004B55A66B3A", + "method": "blacklist", + "engine_update": "20220905" + }, + "Cylance": { + "category": "malicious", + "engine_name": "Cylance", + "engine_version": "2.3.1.101", + "result": "Unsafe", + "method": 
"blacklist", + "engine_update": "20220905" + }, + "Zillya": { + "category": "malicious", + "engine_name": "Zillya", + "engine_version": "2.0.0.4705", + "result": "Trojan.GenericKD.Win32.12902", + "method": "blacklist", + "engine_update": "20220905" + }, + "Sangfor": { + "category": "malicious", + "engine_name": "Sangfor", + "engine_version": "2.21.0.0", + "result": "Trojan.Win32.Apt29.IOC", + "method": "blacklist", + "engine_update": "20220905" + }, + "K7AntiVirus": { + "category": "malicious", + "engine_name": "K7AntiVirus", + "engine_version": "12.34.44180", + "result": "Riskware ( 0040eff71 )", + "method": "blacklist", + "engine_update": "20220905" + }, + "Alibaba": { + "category": "malicious", + "engine_name": "Alibaba", + "engine_version": "0.3.0.5", + "result": "Trojan:Win32/PeaceDuke.ad17f760", + "method": "blacklist", + "engine_update": "20190527" + }, + "K7GW": { + "category": "malicious", + "engine_name": "K7GW", + "engine_version": "12.34.44180", + "result": "Riskware ( 0040eff71 )", + "method": "blacklist", + "engine_update": "20220905" + }, + "Cybereason": { + "category": "malicious", + "engine_name": "Cybereason", + "engine_version": "1.2.449", + "result": "malicious.66b3a8", + "method": "blacklist", + "engine_update": "20210330" + }, + "BitDefenderTheta": { + "category": "undetected", + "engine_name": "BitDefenderTheta", + "engine_version": "7.2.37796.0", + "result": null, + "method": "blacklist", + "engine_update": "20220905" + }, + "VirIT": { + "category": "undetected", + "engine_name": "VirIT", + "engine_version": "9.5.275", + "result": null, + "method": "blacklist", + "engine_update": "20220905" + }, + "Cyren": { + "category": "malicious", + "engine_name": "Cyren", + "engine_version": "6.5.1.2", + "result": "W32/Trojan.UIFW-7205", + "method": "blacklist", + "engine_update": "20220905" + }, + "SymantecMobileInsight": { + "category": "type-unsupported", + "engine_name": "SymantecMobileInsight", + "engine_version": "2.0", + "result": null, + 
"method": "blacklist", + "engine_update": "20220208" + }, + "Symantec": { + "category": "malicious", + "engine_name": "Symantec", + "engine_version": "1.18.0.0", + "result": "Trojan.Seaduke", + "method": "blacklist", + "engine_update": "20220905" + }, + "tehtris": { + "category": "undetected", + "engine_name": "tehtris", + "engine_version": "v0.1.4", + "result": null, + "method": "blacklist", + "engine_update": "20220905" + }, + "ESET-NOD32": { + "category": "malicious", + "engine_name": "ESET-NOD32", + "engine_version": "25875", + "result": "Python/SeaDuke.A", + "method": "blacklist", + "engine_update": "20220905" + }, + "APEX": { + "category": "malicious", + "engine_name": "APEX", + "engine_version": "6.331", + "result": "Malicious", + "method": "blacklist", + "engine_update": "20220904" + }, + "Paloalto": { + "category": "malicious", + "engine_name": "Paloalto", + "engine_version": "0.9.0.1003", + "result": "generic.ml", + "method": "blacklist", + "engine_update": "20220905" + }, + "ClamAV": { + "category": "malicious", + "engine_name": "ClamAV", + "engine_version": "0.105.1.0", + "result": "Win.Trojan.SeaDaddy-6735557-0", + "method": "blacklist", + "engine_update": "20220905" + }, + "Kaspersky": { + "category": "malicious", + "engine_name": "Kaspersky", + "engine_version": "21.0.1.45", + "result": "Trojan.Win32.PeaceDuke.get", + "method": "blacklist", + "engine_update": "20220905" + }, + "BitDefender": { + "category": "malicious", + "engine_name": "BitDefender", + "engine_version": "7.2", + "result": "Trojan.GenericKD.3340692", + "method": "blacklist", + "engine_update": "20220905" + }, + "NANO-Antivirus": { + "category": "malicious", + "engine_name": "NANO-Antivirus", + "engine_version": "1.0.146.25623", + "result": "Trojan.Win32.PeaceDuke.eyvitd", + "method": "blacklist", + "engine_update": "20220905" + }, + "ViRobot": { + "category": "undetected", + "engine_name": "ViRobot", + "engine_version": "2014.3.20.0", + "result": null, + "method": "blacklist", + 
"engine_update": "20220905" + }, + "Avast": { + "category": "malicious", + "engine_name": "Avast", + "engine_version": "21.1.5827.0", + "result": "Win32:Malware-gen", + "method": "blacklist", + "engine_update": "20220905" + }, + "Rising": { + "category": "malicious", + "engine_name": "Rising", + "engine_version": "25.0.0.27", + "result": "Trojan.SeaDuke!8.57F2 (KTSE)", + "method": "blacklist", + "engine_update": "20220905" + }, + "Ad-Aware": { + "category": "malicious", + "engine_name": "Ad-Aware", + "engine_version": "3.0.21.193", + "result": "Trojan.GenericKD.3340692", + "method": "blacklist", + "engine_update": "20220905" + }, + "Trustlook": { + "category": "type-unsupported", + "engine_name": "Trustlook", + "engine_version": "1.0", + "result": null, + "method": "blacklist", + "engine_update": "20220905" + }, + "TACHYON": { + "category": "malicious", + "engine_name": "TACHYON", + "engine_version": "2022-09-05.02", + "result": "Trojan/W32.PeaceDuke.4568622", + "method": "blacklist", + "engine_update": "20220905" + }, + "Emsisoft": { + "category": "malicious", + "engine_name": "Emsisoft", + "engine_version": "2021.5.0.7597", + "result": "Trojan.GenericKD.3340692 (B)", + "method": "blacklist", + "engine_update": "20220905" + }, + "Comodo": { + "category": "malicious", + "engine_name": "Comodo", + "engine_version": "34962", + "result": "Malware@#1clcf7vbdy13j", + "method": "blacklist", + "engine_update": "20220905" + }, + "F-Secure": { + "category": "malicious", + "engine_name": "F-Secure", + "engine_version": "18.10.978.51", + "result": "Trojan.TR/Redcap.qkmni", + "method": "blacklist", + "engine_update": "20220905" + }, + "Baidu": { + "category": "undetected", + "engine_name": "Baidu", + "engine_version": "1.0.0.2", + "result": null, + "method": "blacklist", + "engine_update": "20190318" + }, + "VIPRE": { + "category": "malicious", + "engine_name": "VIPRE", + "engine_version": "6.0.0.35", + "result": "Trojan.GenericKD.3340692", + "method": "blacklist", + 
"engine_update": "20220831" + }, + "TrendMicro": { + "category": "malicious", + "engine_name": "TrendMicro", + "engine_version": "11.0.0.1006", + "result": "TROJ_SEADAD.A", + "method": "blacklist", + "engine_update": "20220905" + }, + "McAfee-GW-Edition": { + "category": "malicious", + "engine_name": "McAfee-GW-Edition", + "engine_version": "v2019.1.2+3728", + "result": "BehavesLike.Win32.Generic.vc", + "method": "blacklist", + "engine_update": "20220905" + }, + "Trapmine": { + "category": "undetected", + "engine_name": "Trapmine", + "engine_version": "3.5.48.101", + "result": null, + "method": "blacklist", + "engine_update": "20220707" + }, + "Sophos": { + "category": "undetected", + "engine_name": "Sophos", + "engine_version": "1.4.1.0", + "result": null, + "method": "blacklist", + "engine_update": "20220905" + }, + "SentinelOne": { + "category": "malicious", + "engine_name": "SentinelOne", + "engine_version": "22.2.1.2", + "result": "Static AI - Suspicious PE", + "method": "blacklist", + "engine_update": "20220330" + }, + "GData": { + "category": "malicious", + "engine_name": "GData", + "engine_version": "A:25.33932B:27.28707", + "result": "Trojan.GenericKD.3340692", + "method": "blacklist", + "engine_update": "20220905" + }, + "Jiangmin": { + "category": "malicious", + "engine_name": "Jiangmin", + "engine_version": "16.0.100", + "result": "Backdoor.MSIL.NanoBot.n", + "method": "blacklist", + "engine_update": "20220904" + }, + "Webroot": { + "category": "malicious", + "engine_name": "Webroot", + "engine_version": "1.0.0.403", + "result": "W32.Trojan.GenKD", + "method": "blacklist", + "engine_update": "20220905" + }, + "Google": { + "category": "malicious", + "engine_name": "Google", + "engine_version": "1662386513", + "result": "Detected", + "method": "blacklist", + "engine_update": "20220905" + }, + "Avira": { + "category": "malicious", + "engine_name": "Avira", + "engine_version": "8.3.3.16", + "result": "TR/Redcap.qkmni", + "method": "blacklist", + 
"engine_update": "20220905" + }, + "Antiy-AVL": { + "category": "malicious", + "engine_name": "Antiy-AVL", + "engine_version": "3.0", + "result": "Trojan/Generic.ASSuf.20E92", + "method": "blacklist", + "engine_update": "20220905" + }, + "Kingsoft": { + "category": "malicious", + "engine_name": "Kingsoft", + "engine_version": "2017.9.26.565", + "result": "Win32.Troj.PeaceDuke.g.(kcloud)", + "method": "blacklist", + "engine_update": "20220905" + }, + "Gridinsoft": { + "category": "undetected", + "engine_name": "Gridinsoft", + "engine_version": "1.0.92.174", + "result": null, + "method": "blacklist", + "engine_update": "20220905" + }, + "Arcabit": { + "category": "malicious", + "engine_name": "Arcabit", + "engine_version": "1.0.0.889", + "result": "Trojan.Generic.D32F994", + "method": "blacklist", + "engine_update": "20220905" + }, + "SUPERAntiSpyware": { + "category": "undetected", + "engine_name": "SUPERAntiSpyware", + "engine_version": "5.6.0.1032", + "result": null, + "method": "blacklist", + "engine_update": "20220903" + }, + "ZoneAlarm": { + "category": "malicious", + "engine_name": "ZoneAlarm", + "engine_version": "1.0", + "result": "Trojan.Win32.PeaceDuke.get", + "method": "blacklist", + "engine_update": "20220905" + }, + "Avast-Mobile": { + "category": "type-unsupported", + "engine_name": "Avast-Mobile", + "engine_version": "220905-04", + "result": null, + "method": "blacklist", + "engine_update": "20220905" + }, + "Microsoft": { + "category": "malicious", + "engine_name": "Microsoft", + "engine_version": "1.1.19500.2", + "result": "Trojan:Win32/Esulat", + "method": "blacklist", + "engine_update": "20220905" + }, + "Cynet": { + "category": "malicious", + "engine_name": "Cynet", + "engine_version": "4.0.0.27", + "result": "Malicious (score: 99)", + "method": "blacklist", + "engine_update": "20220905" + }, + "BitDefenderFalx": { + "category": "type-unsupported", + "engine_name": "BitDefenderFalx", + "engine_version": "2.0.936", + "result": null, + "method": 
"blacklist", + "engine_update": "20220103" + }, + "AhnLab-V3": { + "category": "malicious", + "engine_name": "AhnLab-V3", + "engine_version": "3.22.2.10299", + "result": "Trojan/Win32.Generic.C1176435", + "method": "blacklist", + "engine_update": "20220905" + }, + "Acronis": { + "category": "undetected", + "engine_name": "Acronis", + "engine_version": "1.2.0.108", + "result": null, + "method": "blacklist", + "engine_update": "20220426" + }, + "ALYac": { + "category": "malicious", + "engine_name": "ALYac", + "engine_version": "1.1.3.1", + "result": "Trojan.Agent.PeaceDuke", + "method": "blacklist", + "engine_update": "20220905" + }, + "MAX": { + "category": "malicious", + "engine_name": "MAX", + "engine_version": "2019.9.16.1", + "result": "malware (ai score=100)", + "method": "blacklist", + "engine_update": "20220905" + }, + "VBA32": { + "category": "malicious", + "engine_name": "VBA32", + "engine_version": "5.0.0", + "result": "Trojan.PeaceDuke", + "method": "blacklist", + "engine_update": "20220905" + }, + "Malwarebytes": { + "category": "malicious", + "engine_name": "Malwarebytes", + "engine_version": "4.3.3.37", + "result": "Malware.Heuristic.1003", + "method": "blacklist", + "engine_update": "20220905" + }, + "Zoner": { + "category": "undetected", + "engine_name": "Zoner", + "engine_version": "2.2.2.0", + "result": null, + "method": "blacklist", + "engine_update": "20220904" + }, + "TrendMicro-HouseCall": { + "category": "malicious", + "engine_name": "TrendMicro-HouseCall", + "engine_version": "10.0.0.1040", + "result": "TROJ_SEADAD.A", + "method": "blacklist", + "engine_update": "20220905" + }, + "Tencent": { + "category": "malicious", + "engine_name": "Tencent", + "engine_version": "1.0.0.1", + "result": "Win32.Trojan.Peaceduke.Bnv", + "method": "blacklist", + "engine_update": "20220905" + }, + "Yandex": { + "category": "malicious", + "engine_name": "Yandex", + "engine_version": "5.5.2.24", + "result": "Trojan.Igent.bUlxdI.2", + "method": "blacklist", + 
"engine_update": "20220725" + }, + "Ikarus": { + "category": "undetected", + "engine_name": "Ikarus", + "engine_version": "6.0.26.0", + "result": null, + "method": "blacklist", + "engine_update": "20220905" + }, + "MaxSecure": { + "category": "malicious", + "engine_name": "MaxSecure", + "engine_version": "1.0.0.1", + "result": "Trojan.Malware.9744936.susgen", + "method": "blacklist", + "engine_update": "20220903" + }, + "Fortinet": { + "category": "malicious", + "engine_name": "Fortinet", + "engine_version": "6.4.258.0", + "result": "W32/Pyllage.FCXY!tr", + "method": "blacklist", + "engine_update": "20220905" + }, + "AVG": { + "category": "malicious", + "engine_name": "AVG", + "engine_version": "21.1.5827.0", + "result": "Win32:Malware-gen", + "method": "blacklist", + "engine_update": "20220905" + }, + "Panda": { + "category": "malicious", + "engine_name": "Panda", + "engine_version": "4.6.4.2", + "result": "Trj/CI.A", + "method": "blacklist", + "engine_update": "20220905" + }, + "CrowdStrike": { + "category": "malicious", + "engine_name": "CrowdStrike", + "engine_version": "1.0", + "result": "win/malicious_confidence_100% (W)", + "method": "blacklist", + "engine_update": "20220418" + } + }, + "reputation": -143, + "first_seen_itw_date": 1602175171, + "sigma_analysis_stats": { + "high": 0, + "medium": 2, + "critical": 0, + "low": 1 + } + }, + "type": "file", + "id": "6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536", + "links": { + "self": "https://www.virustotal.com/api/v3/files/6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536" + } + } +} \ No newline at end of file