fix some bugs (#1806)

tklengyel · Sep 12, 2024 · 4d4773c · 4d4773c
1 parent cb60a25
commit 4d4773c
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 11 deletions.
diff --git a/src/plugins/fileextractor/private.h b/src/plugins/fileextractor/private.h
@@ -123,6 +123,9 @@ namespace fileextractor_ns
 #define FILE_DELETE_ON_CLOSE 0x1000
 #define FILE_WRITE_DATA 2
 #define FILE_APPEND_DATA 4
+#define GENERIC_ALL 0x10000000
+#define GENERIC_WRITE 0x40000000
+#define WRITE_ACCESS ( FILE_WRITE_DATA | GENERIC_ALL | GENERIC_WRITE )
 #define FILE_WRITE_TO_END_OF_FILE 0xffffffff
 #define FILE_USE_FILE_POINTER_POSITION 0xfffffffe
 
@@ -293,6 +296,7 @@ struct task_t
     uint64_t file_size{0};
     std::string file_sha256{""};
     uint64_t file_offset{0};
+    addr_t write_offset_addr{0};
     uint64_t write_offset{0};
     uint64_t bytes_to_read{0};
     handle_t section_handle{0};
@@ -304,7 +308,6 @@ struct task_t
 
     // information that is used after extracting the file to complete first NtWriteFile.
     addr_t first_len{0};
-    addr_t first_offset{0};
     addr_t first_str{0};
 
     uint64_t new_eof{0};

diff --git a/src/plugins/fileextractor/win.cpp b/src/plugins/fileextractor/win.cpp
@@ -140,7 +140,7 @@ event_response_t win_fileextractor::openfile_cb(drakvuf_t drakvuf,
     addr_t desired_access = drakvuf_get_function_argument(drakvuf, info, 2);
     addr_t create_options = drakvuf_get_function_argument(drakvuf, info, 6);
 
-    bool append = (desired_access & FILE_APPEND_DATA ) && !(desired_access & FILE_WRITE_DATA );
+    bool append = (desired_access & FILE_APPEND_DATA ) && !(desired_access & WRITE_ACCESS );
     bool del = create_options & FILE_DELETE_ON_CLOSE;
 
     if (del || append)
@@ -158,7 +158,7 @@ event_response_t win_fileextractor::createfile_cb(drakvuf_t drakvuf,
     addr_t handle = drakvuf_get_function_argument(drakvuf, info, 1);
     addr_t desired_access = drakvuf_get_function_argument(drakvuf, info, 2);
     addr_t create_options = drakvuf_get_function_argument(drakvuf, info, 9);
-    bool append = (desired_access & FILE_APPEND_DATA ) && !(desired_access & FILE_WRITE_DATA );
+    bool append = (desired_access & FILE_APPEND_DATA ) && !(desired_access & WRITE_ACCESS );
     bool del = create_options & FILE_DELETE_ON_CLOSE;
 
     if (del || append)
@@ -404,11 +404,11 @@ event_response_t win_fileextractor::writefile_cb(drakvuf_t,
         {
             // save data needed to complete the first NtWriteFile
             task->first_len = len;
-            task->first_offset = offset;
             task->first_str = str;
+            task->write_offset_addr = offset;
             get_file_object_currentbyteoffset(vmi, info, handle, &task->currentbyteoffset);
-            if (offset)
-                get_write_offset(vmi, info, offset, &task->write_offset);
+            if (task->write_offset_addr)
+                get_write_offset(vmi, info, task->write_offset_addr, &task->write_offset);
         }
 
         auto status = dispatch_task(vmi, info, *task);
@@ -453,15 +453,15 @@ event_response_t win_fileextractor::writefile_cb(drakvuf_t,
             // free resourses after extraction and first NtWriteFile result from saved data
             free_resources(info, *task);
             task->extracted = true;
-            task->currentbyteoffset = task->file_size;
             writefile_cb_impl(drakvuf, info, *task, task->first_str, task->first_len);
         }
     }
     // file update
     else
     {
-        if (offset)
-            get_write_offset(vmi, info, offset, &task->write_offset);
+        task->write_offset_addr = offset;
+        if (task->write_offset_addr)
+            get_write_offset(vmi, info, task->write_offset_addr, &task->write_offset);
         get_file_object_currentbyteoffset(vmi, info, handle, &task->currentbyteoffset);
         writefile_cb_impl(drakvuf, info, *task, str, len);
     }
@@ -491,13 +491,13 @@ void win_fileextractor::writefile_cb_impl(drakvuf_t,
     if (!task.append)
     {
         // check for special offset
-        if (!((task.write_offset & 0xffffffff) ^ FILE_USE_FILE_POINTER_POSITION))
+        if (!task.write_offset_addr || !((task.write_offset & 0xffffffff) ^ FILE_USE_FILE_POINTER_POSITION))
             params->byteoffset = task.currentbyteoffset;
         else
             params->byteoffset = task.write_offset;
     }
     else
-        params->byteoffset = task.currentbyteoffset;
+        params->byteoffset = FILE_WRITE_TO_END_OF_FILE;
 
     writefile_ret_hooks[hook_id] = std::move(hook);
 }