From 4d4773c198687267cd992f799f5f501757d92de9 Mon Sep 17 00:00:00 2001
From: Eugene <96109734+EscardosS@users.noreply.github.com>
Date: Thu, 12 Sep 2024 19:33:57 +0300
Subject: [PATCH] fix some bugs (#1806)

---
 src/plugins/fileextractor/private.h | 5 ++++-
 src/plugins/fileextractor/win.cpp | 20 ++++++++++----------
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/src/plugins/fileextractor/private.h b/src/plugins/fileextractor/private.h
index 2a17730cc..f692210b4 100644
--- a/src/plugins/fileextractor/private.h
+++ b/src/plugins/fileextractor/private.h
@@ -123,6 +123,9 @@ namespace fileextractor_ns
 #define FILE_DELETE_ON_CLOSE 0x1000
 #define FILE_WRITE_DATA 2
 #define FILE_APPEND_DATA 4
+#define GENERIC_ALL 0x10000000
+#define GENERIC_WRITE 0x40000000
+#define WRITE_ACCESS ( FILE_WRITE_DATA | GENERIC_ALL | GENERIC_WRITE )
 #define FILE_WRITE_TO_END_OF_FILE 0xffffffff
 #define FILE_USE_FILE_POINTER_POSITION 0xfffffffe
 
@@ -293,6 +296,7 @@ struct task_t
     uint64_t file_size{0};
     std::string file_sha256{""};
     uint64_t file_offset{0};
+    addr_t write_offset_addr{0};
     uint64_t write_offset{0};
     uint64_t bytes_to_read{0};
     handle_t section_handle{0};
@@ -304,7 +308,6 @@ struct task_t
 
     // information that is used after extracting the file to complete first NtWriteFile.
     addr_t first_len{0};
-    addr_t first_offset{0};
     addr_t first_str{0};
     uint64_t new_eof{0};
 
diff --git a/src/plugins/fileextractor/win.cpp b/src/plugins/fileextractor/win.cpp
index 8fb88cf93..bf227bc50 100644
--- a/src/plugins/fileextractor/win.cpp
+++ b/src/plugins/fileextractor/win.cpp
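Review bot: The new WRITE_ACCESS mask, consumed by the openfile_cb and createfile_cb hunks in win.cpp, decides append-only-ness from the requested DesiredAccess, and a request carrying MAXIMUM_ALLOWED (0x02000000) together with FILE_APPEND_DATA still passes as "append" even though the kernel may grant FILE_WRITE_DATA on such a handle; whether the resulting file object is append-only is decided from the granted rights, which this code does not see. If that case matters for extraction, the one-line change is `#define WRITE_ACCESS ( FILE_WRITE_DATA | GENERIC_ALL | GENERIC_WRITE | MAXIMUM_ALLOWED )` with MAXIMUM_ALLOWED defined next to the other rights. The three macros go into a shared header without an `#ifndef` guard, so any other definition of GENERIC_ALL or GENERIC_WRITE in the plugin's include set would produce a redefinition diagnostic. A short comment above WRITE_ACCESS, `// generic rights map to FILE_WRITE_DATA, so a handle requesting them is not append-only`, would record why the generic bits are folded into the mask.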
@@ -140,7 +140,7 @@ event_response_t win_fileextractor::openfile_cb(drakvuf_t drakvuf,
     addr_t desired_access = drakvuf_get_function_argument(drakvuf, info, 2);
     addr_t create_options = drakvuf_get_function_argument(drakvuf, info, 6);
 
-    bool append = (desired_access & FILE_APPEND_DATA ) && !(desired_access & FILE_WRITE_DATA );
+    bool append = (desired_access & FILE_APPEND_DATA ) && !(desired_access & WRITE_ACCESS );
     bool del = create_options & FILE_DELETE_ON_CLOSE;
 
     if (del || append)
@@ -158,7 +158,7 @@ event_response_t win_fileextractor::createfile_cb(drakvuf_t drakvuf,
     addr_t handle = drakvuf_get_function_argument(drakvuf, info, 1);
     addr_t desired_access = drakvuf_get_function_argument(drakvuf, info, 2);
     addr_t create_options = drakvuf_get_function_argument(drakvuf, info, 9);
-    bool append = (desired_access & FILE_APPEND_DATA ) && !(desired_access & FILE_WRITE_DATA );
+    bool append = (desired_access & FILE_APPEND_DATA ) && !(desired_access & WRITE_ACCESS );
     bool del = create_options & FILE_DELETE_ON_CLOSE;
 
     if (del || append)
@@ -404,11 +404,11 @@ event_response_t win_fileextractor::writefile_cb(drakvuf_t,
     {
         // save data needed to complete the first NtWriteFile
         task->first_len = len;
-        task->first_offset = offset;
         task->first_str = str;
+        task->write_offset_addr = offset;
         get_file_object_currentbyteoffset(vmi, info, handle, &task->currentbyteoffset);
-        if (offset)
-            get_write_offset(vmi, info, offset, &task->write_offset);
+        if (task->write_offset_addr)
+            get_write_offset(vmi, info, task->write_offset_addr, &task->write_offset);
     }
 
     auto status = dispatch_task(vmi, info, *task);
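Review bot: In the @@ -404 hunk the result of `get_write_offset(vmi, info, task->write_offset_addr, &task->write_offset)` is discarded, so if the guest ByteOffset cannot be read, task->write_offset keeps its previous value (0 from initialisation, or a stale offset from an earlier call) while write_offset_addr is non-null; the new `!task.write_offset_addr` guard in writefile_cb_impl then does not fire and the write is reconstructed at the wrong position. If get_write_offset reports failure through its return value (its declaration is outside this hunk), resetting `task->write_offset_addr = 0;` on failure would make the impl fall back to the current byte offset, which is the conservative choice for a forensic reconstruction. The same unchecked call appears in the "file update" branch of the @@ -453 hunk. writefile_cb starts before and continues after this hunk.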
@@ -453,15 +453,15 @@ event_response_t win_fileextractor::writefile_cb(drakvuf_t,
             // free resourses after extraction and first NtWriteFile result from saved data
             free_resources(info, *task);
             task->extracted = true;
-            task->currentbyteoffset = task->file_size;
             writefile_cb_impl(drakvuf, info, *task, task->first_str, task->first_len);
         }
     }
     // file update
     else
     {
-        if (offset)
-            get_write_offset(vmi, info, offset, &task->write_offset);
+        task->write_offset_addr = offset;
+        if (task->write_offset_addr)
+            get_write_offset(vmi, info, task->write_offset_addr, &task->write_offset);
         get_file_object_currentbyteoffset(vmi, info, handle, &task->currentbyteoffset);
         writefile_cb_impl(drakvuf, info, *task, str, len);
     }
@@ -491,13 +491,13 @@ void win_fileextractor::writefile_cb_impl(drakvuf_t,
     if (!task.append)
     {
         // check for special offset
-        if (!((task.write_offset & 0xffffffff) ^ FILE_USE_FILE_POINTER_POSITION))
+        if (!task.write_offset_addr || !((task.write_offset & 0xffffffff) ^ FILE_USE_FILE_POINTER_POSITION))
             params->byteoffset = task.currentbyteoffset;
         else
             params->byteoffset = task.write_offset;
     }
     else
-        params->byteoffset = task.currentbyteoffset;
+        params->byteoffset = FILE_WRITE_TO_END_OF_FILE;
 
     writefile_ret_hooks[hook_id] = std::move(hook);
 }
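Review bot: In the @@ -491 hunk the non-append branch only recognises the FILE_USE_FILE_POINTER_POSITION sentinel, so a write-access handle whose NtWriteFile ByteOffset is FILE_WRITE_TO_END_OF_FILE falls into the `else` and params->byteoffset receives the raw sentinel as if it were a real offset; the append branch shows that byteoffset can carry FILE_WRITE_TO_END_OF_FILE, so passing it through explicitly for that case keeps the two branches consistent. Whether such writes occur in practice depends on the guest, but a reconstruction that places data at 0xffffffffffffffff is certainly wrong. The comparison is made on the low dword only, as before; a comment saying so would help the next reader, since the guest value is a 64-bit LARGE_INTEGER. writefile_cb_impl starts before this hunk.
```cpp
    if (!task.append)
    {
        // ByteOffset sentinels (LARGE_INTEGER -1/-2) are matched on the low dword
        const uint64_t low_dword = task.write_offset & 0xffffffff;
        if (!task.write_offset_addr || low_dword == FILE_USE_FILE_POINTER_POSITION)
            params->byteoffset = task.currentbyteoffset;
        else if (low_dword == FILE_WRITE_TO_END_OF_FILE)
            params->byteoffset = FILE_WRITE_TO_END_OF_FILE;
        else
            params->byteoffset = task.write_offset;
    }
    // … unchanged: append branch and hook registration …
```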