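import re
import sys  # used by the fallback path below; the original never imported it

try:
    import binaryninja
except ImportError:
    # Fallback for running outside Binary Ninja's embedded interpreter:
    # presumably the default Windows install location of the Python API
    # (TODO confirm).  Raw string so the backslashes are not read as escapes;
    # the value is identical to the original non-raw literal.
    sys.path.append(r'C:\Program Files\Vector35\BinaryNinja\Python')
    import binaryninja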
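# Win32 registry API names (Reg* and SHReg*/SH* families).  Only ever used for
# membership tests in colorize(), so a frozenset gives O(1) lookup and collapses
# the SH* entries the original list carried twice.
Registry = frozenset(["RegCloseKey", "RegConnectRegistryA", "RegConnectRegistryW", "RegCreateKeyA", "RegCreateKeyExA", "RegCreateKeyExW", "RegCreateKeyW", "RegDeleteKeyA", "RegDeleteKeyW", "RegDeleteValueA", "RegDeleteValueW", "RegDisablePredefinedCache", "RegDisablePredefinedCacheEx", "RegEnumKeyA", "RegEnumKeyExA", "RegEnumKeyExW", "RegEnumKeyW", "RegEnumValueA", "RegEnumValueW", "RegFlushKey", "RegGetKeySecurity", "RegLoadKeyA", "RegLoadKeyW", "RegNotifyChangeKeyValue", "RegOpenCurrentUser", "RegOpenKeyA", "RegOpenKeyExA", "RegOpenKeyExW", "RegOpenKeyW", "RegOpenUserClassesRoot", "RegOverridePredefKey", "RegQueryInfoKeyA", "RegQueryInfoKeyW", "RegQueryMultipleValuesA", "RegQueryMultipleValuesW", "RegQueryValueA", "RegQueryValueExA", "RegQueryValueExW", "RegQueryValueW", "RegReplaceKeyA", "RegReplaceKeyW", "RegRestoreKeyA", "RegRestoreKeyW", "RegSaveKeyA", "RegSaveKeyExA", "RegSaveKeyExW", "RegSaveKeyW", "RegSetKeySecurity", "RegSetValueA", "RegSetValueExA", "RegSetValueExW", "RegSetValueW", "RegUnLoadKeyA", "RegUnLoadKeyW", "SHDeleteEmptyKeyA", "SHDeleteEmptyKeyW", "SHDeleteKeyA", "SHDeleteKeyW", "SHOpenRegStream2A", "SHOpenRegStream2W", "SHOpenRegStreamA", "SHOpenRegStreamW", "SHQueryInfoKeyA", "SHQueryInfoKeyW", "SHQueryValueExA", "SHQueryValueExW", "SHRegCloseUSKey", "SHRegCreateUSKeyA", "SHRegCreateUSKeyW", "SHRegDeleteEmptyUSKeyA", "SHRegDeleteEmptyUSKeyW", "SHRegDeleteUSValueA", "SHRegDeleteUSValueW", "SHRegDuplicateHKey", "SHRegEnumUSKeyA", "SHRegEnumUSKeyW", "SHRegEnumUSValueA", "SHRegEnumUSValueW", "SHRegGetBoolUSValueA", "SHRegGetBoolUSValueW", "SHRegGetPathA", "SHRegGetPathW", "SHRegGetUSValueA", "SHRegGetUSValueW", "SHRegGetValueA", "SHRegGetValueW", "SHRegOpenUSKeyA", "SHRegOpenUSKeyW", "SHRegQueryInfoUSKeyA", "SHRegQueryInfoUSKeyW", "SHRegQueryUSValueA", "SHRegQueryUSValueW", "SHRegSetPathA", "SHRegSetPathW", "SHRegSetUSValueA", "SHRegSetUSValueW", "SHRegWriteUSValueA", "SHRegWriteUSValueW", "SHDeleteOrphanKeyA", "SHDeleteOrphanKeyW", "SHDeleteValueA",
"SHDeleteValueW", "SHEnumKeyExA", "SHEnumKeyExW", "SHEnumValueA", "SHEnumValueW", "SHGetValueA", "SHGetValueW", "SHOpenRegStream2A", "SHOpenRegStream2W", "SHOpenRegStreamA", "SHOpenRegStreamW", "SHQueryInfoKeyA", "SHQueryInfoKeyW", "SHQueryValueExA", "SHQueryValueExW", "SHRegCloseUSKey", "SHRegCreateUSKeyA", "SHRegCreateUSKeyW", "SHRegDeleteEmptyUSKeyA", "SHRegDeleteEmptyUSKeyW", "SHRegDeleteUSValueA", "SHRegDeleteUSValueW", "SHRegDuplicateHKey", "SHRegEnumUSKeyA", "SHRegEnumUSKeyW", "SHRegEnumUSValueA", "SHRegEnumUSValueW", "SHRegGetBoolUSValueA", "SHRegGetBoolUSValueW", "SHRegGetPathA", "SHRegGetPathW", "SHRegGetUSValueA", "SHRegGetUSValueW", "SHRegGetValueA", "SHRegGetValueW", "SHRegOpenUSKeyA", "SHRegOpenUSKeyW", "SHRegQueryInfoUSKeyA", "SHRegQueryInfoUSKeyW", "SHRegQueryUSValueA", "SHRegQueryUSValueW", "SHRegSetPathA", "SHRegSetPathW", "SHRegSetUSValueA", "SHRegSetUSValueW", "SHRegWriteUSValueA", "SHRegWriteUSValueW"])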
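# Network API names: Winsock (WSA*/WSC*, BSD-style socket calls), WinINet
# (Internet*/Http*/Ftp*/Gopher*), URL-cache and Url* helpers.  Used only for
# membership tests in colorize(), so stored as a frozenset for O(1) lookup.
Network = frozenset(["FreeAddrInfoW", "GetAddrInfoW", "GetNameInfoW", "WEP", "WPUCompleteOverlappedRequest", "WSAAccept", "WSAAddressToStringA", "WSAAddressToStringW", "WSAAsyncGetHostByAddr", "WSAAsyncGetHostByName", "WSAAsyncGetProtoByName", "WSAAsyncGetProtoByNumber", "WSAAsyncGetServByName", "WSAAsyncGetServByPort", "WSAAsyncSelect", "WSACancelAsyncRequest", "WSACancelBlockingCall", "WSACleanup", "WSACloseEvent", "WSAConnect", "WSACreateEvent", "WSADuplicateSocketA", "WSADuplicateSocketW", "WSAEnumNameSpaceProvidersA", "WSAEnumNameSpaceProvidersW", "WSAEnumNetworkEvents", "WSAEnumProtocolsA", "WSAEnumProtocolsW", "WSAEventSelect", "WSAGetLastError", "WSAGetOverlappedResult", "WSAGetQOSByName", "WSAGetServiceClassInfoA", "WSAGetServiceClassInfoW", "WSAGetServiceClassNameByClassIdA", "WSAGetServiceClassNameByClassIdW", "WSAHtonl", "WSAHtons", "WSAInstallServiceClassA", "WSAInstallServiceClassW", "WSAIoctl", "WSAIsBlocking", "WSAJoinLeaf", "WSALookupServiceBeginA", "WSALookupServiceBeginW", "WSALookupServiceEnd", "WSALookupServiceNextA", "WSALookupServiceNextW", "WSANSPIoctl", "WSANtohl", "WSANtohs", "WSAProviderConfigChange", "WSARecv", "WSARecvDisconnect", "WSARecvFrom", "WSARemoveServiceClass", "WSAResetEvent", "WSASend", "WSASendDisconnect", "WSASendTo", "WSASetBlockingHook", "WSASetEvent", "WSASetLastError", "WSASetServiceA", "WSASetServiceW", "WSASocketA", "WSASocketW", "WSAStartup", "WSAStringToAddressA", "WSAStringToAddressW", "WSAUnhookBlockingHook", "WSAWaitForMultipleEvents", "WSApSetPostRoutine", "WSCDeinstallProvider", "WSCEnableNSProvider", "WSCEnumProtocols", "WSCGetProviderPath", "WSCInstallNameSpace", "WSCInstallProvider", "WSCUnInstallNameSpace", "WSCUpdateProvider", "WSCWriteNameSpaceOrder", "WSCWriteProviderOrder", "__WSAFDIsSet", "accept", "bind", "closesocket", "connect", "freeaddrinfo", "getaddrinfo", "gethostbyaddr", "gethostbyname", "gethostname", "getnameinfo", "getpeername", "getprotobyname", "getprotobynumber", "getservbyname", "getservbyport",
"getsockname", "getsockopt", "htonl", "htons", "inet_addr", "inet_ntoa", "ioctlsocket", "listen", "ntohl", "ntohs", "recv", "recvfrom", "select", "send", "sendto", "setsockopt", "shutdown", "socket", "CreateMD5SSOHash", "DetectAutoProxyUrl", "DllInstall", "ForceNexusLookup", "ForceNexusLookupExW", "InternetAlgIdToStringA", "InternetAlgIdToStringW", "InternetAttemptConnect", "InternetAutodial", "InternetAutodialCallback", "InternetAutodialHangup", "InternetCanonicalizeUrlA", "InternetCanonicalizeUrlW", "InternetCheckConnectionA", "InternetCheckConnectionW", "InternetClearAllPerSiteCookieDecisions", "InternetCloseHandle", "InternetCombineUrlA", "InternetCombineUrlW", "InternetConfirmZoneCrossing", "InternetConfirmZoneCrossingA", "InternetConfirmZoneCrossingW", "InternetConnectA", "InternetConnectW", "InternetCrackUrlA", "InternetCrackUrlW", "InternetCreateUrlA", "InternetCreateUrlW", "InternetDial", "InternetDialA", "InternetDialW", "InternetEnumPerSiteCookieDecisionA", "InternetEnumPerSiteCookieDecisionW", "InternetErrorDlg", "InternetFindNextFileA", "InternetFindNextFileW", "InternetFortezzaCommand", "InternetGetCertByURL", "InternetGetCertByURLA", "InternetGetConnectedState", "InternetGetConnectedStateEx", "InternetGetConnectedStateExA", "InternetGetConnectedStateExW", "InternetGetCookieA", "InternetGetCookieExA", "InternetGetCookieExW", "InternetGetCookieW", "InternetGetLastResponseInfoA", "InternetGetLastResponseInfoW", "InternetGetPerSiteCookieDecisionA", "InternetGetPerSiteCookieDecisionW", "InternetGoOnline", "InternetGoOnlineA", "InternetGoOnlineW", "InternetHangUp", "InternetInitializeAutoProxyDll", "InternetLockRequestFile", "InternetOpenA", "InternetOpenUrlA", "InternetOpenUrlW", "InternetOpenW", "InternetQueryDataAvailable", "InternetQueryFortezzaStatus", "InternetQueryOptionA", "InternetQueryOptionW", "InternetReadFile", "InternetReadFileExA", "InternetReadFileExW", "InternetSecurityProtocolToStringA", "InternetSecurityProtocolToStringW",
"InternetSetCookieA", "InternetSetCookieExA", "InternetSetCookieExW", "InternetSetCookieW", "InternetSetDialState", "InternetSetDialStateA", "InternetSetDialStateW", "InternetSetFilePointer", "InternetSetOptionA", "InternetSetOptionExA", "InternetSetOptionExW", "InternetSetOptionW", "InternetSetPerSiteCookieDecisionA", "InternetSetPerSiteCookieDecisionW", "InternetSetStatusCallback", "InternetSetStatusCallbackA", "InternetSetStatusCallbackW", "InternetShowSecurityInfoByURL", "InternetShowSecurityInfoByURLA", "InternetShowSecurityInfoByURLW", "InternetTimeFromSystemTime", "InternetTimeFromSystemTimeA", "InternetTimeFromSystemTimeW", "InternetTimeToSystemTime", "InternetTimeToSystemTimeA", "InternetTimeToSystemTimeW", "InternetUnlockRequestFile", "InternetWriteFile", "InternetWriteFileExA", "InternetWriteFileExW", "IsHostInProxyBypassList", "ParseX509EncodedCertificateForListBoxEntry", "PrivacyGetZonePreferenceW", "PrivacySetZonePreferenceW", "ResumeSuspendedDownload", "ShowCertificate", "ShowClientAuthCerts", "ShowSecurityInfo", "ShowX509EncodedCertificate", "UrlZonesDetach", "_GetFileExtensionFromUrl", "CommitUrlCacheEntryA", "CommitUrlCacheEntryW", "CreateUrlCacheContainerA", "CreateUrlCacheContainerW", "CreateUrlCacheEntryA", "CreateUrlCacheEntryW", "CreateUrlCacheGroup", "DeleteIE3Cache", "DeleteUrlCacheContainerA", "DeleteUrlCacheContainerW", "DeleteUrlCacheEntry", "DeleteUrlCacheEntryA", "DeleteUrlCacheEntryW", "DeleteUrlCacheGroup", "FindCloseUrlCache", "FindFirstUrlCacheContainerA", "FindFirstUrlCacheContainerW", "FindFirstUrlCacheEntryA", "FindFirstUrlCacheEntryExA", "FindFirstUrlCacheEntryExW", "FindFirstUrlCacheEntryW", "FindFirstUrlCacheGroup", "FindNextUrlCacheContainerA", "FindNextUrlCacheContainerW", "FindNextUrlCacheEntryA", "FindNextUrlCacheEntryExA", "FindNextUrlCacheEntryExW", "FindNextUrlCacheEntryW", "FindNextUrlCacheGroup", "FreeUrlCacheSpaceA", "FreeUrlCacheSpaceW", "GetUrlCacheConfigInfoA", "GetUrlCacheConfigInfoW", "GetUrlCacheEntryInfoA",
"GetUrlCacheEntryInfoExA", "GetUrlCacheEntryInfoExW", "GetUrlCacheEntryInfoW", "GetUrlCacheGroupAttributeA", "GetUrlCacheGroupAttributeW", "GetUrlCacheHeaderData", "IncrementUrlCacheHeaderData", "IsUrlCacheEntryExpiredA", "IsUrlCacheEntryExpiredW", "LoadUrlCacheContent", "ReadUrlCacheEntryStream", "RegisterUrlCacheNotification", "RetrieveUrlCacheEntryFileA", "RetrieveUrlCacheEntryFileW", "RetrieveUrlCacheEntryStreamA", "RetrieveUrlCacheEntryStreamW", "RunOnceUrlCache", "SetUrlCacheConfigInfoA", "SetUrlCacheConfigInfoW", "SetUrlCacheEntryGroup", "SetUrlCacheEntryGroupA", "SetUrlCacheEntryGroupW", "SetUrlCacheEntryInfoA", "SetUrlCacheEntryInfoW", "SetUrlCacheGroupAttributeA", "SetUrlCacheGroupAttributeW", "SetUrlCacheHeaderData", "UnlockUrlCacheEntryFile", "UnlockUrlCacheEntryFileA", "UnlockUrlCacheEntryFileW", "UnlockUrlCacheEntryStream", "UpdateUrlCacheContentPath", "FtpCommandA", "FtpCommandW", "FtpCreateDirectoryA", "FtpCreateDirectoryW", "FtpDeleteFileA", "FtpDeleteFileW", "FtpFindFirstFileA", "FtpFindFirstFileW", "FtpGetCurrentDirectoryA", "FtpGetCurrentDirectoryW", "FtpGetFileA", "FtpGetFileEx", "FtpGetFileSize", "FtpGetFileW", "FtpOpenFileA", "FtpOpenFileW", "FtpPutFileA", "FtpPutFileEx", "FtpPutFileW", "FtpRemoveDirectoryA", "FtpRemoveDirectoryW", "FtpRenameFileA", "FtpRenameFileW", "FtpSetCurrentDirectoryA", "FtpSetCurrentDirectoryW", "GopherCreateLocatorA", "GopherCreateLocatorW", "GopherFindFirstFileA", "GopherFindFirstFileW", "GopherGetAttributeA", "GopherGetAttributeW", "GopherGetLocatorTypeA", "GopherGetLocatorTypeW", "GopherOpenFileA", "GopherOpenFileW", "UrlApplySchemeA", "UrlApplySchemeW", "UrlCanonicalizeA", "UrlCanonicalizeW", "UrlCombineA", "UrlCombineW", "UrlCompareA", "UrlCompareW", "UrlCreateFromPathA", "UrlCreateFromPathW", "UrlEscapeA", "UrlEscapeW", "UrlGetLocationA", "UrlGetLocationW", "UrlGetPartA", "UrlGetPartW", "UrlHashA", "UrlHashW", "UrlIsA", "UrlIsNoHistoryA", "UrlIsNoHistoryW", "UrlIsOpaqueA", "UrlIsOpaqueW", "UrlIsW",
"UrlUnescapeA", "UrlUnescapeW", "HttpAddRequestHeadersA", "HttpAddRequestHeadersW", "HttpCheckDavCompliance", "HttpEndRequestA", "HttpEndRequestW", "HttpOpenRequestA", "HttpOpenRequestW", "HttpQueryInfoA", "HttpQueryInfoW", "HttpSendRequestA", "HttpSendRequestExA", "HttpSendRequestExW", "HttpSendRequestW"])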
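# File-system API names: directory, named-pipe, file, file-mapping, file-time
# and file-security calls.  Used only for membership tests in colorize(), so
# stored as a frozenset; the entries the original list repeated
# (FileTimeToLocalFileTime, LocalFileTimeToFileTime) collapse to one.
File = frozenset(["CreateDirectoryA", "CreateDirectoryExA", "CreateDirectoryExW", "CreateDirectoryW", "GetCurrentDirectoryA", "GetCurrentDirectoryW", "GetDllDirectoryA", "GetDllDirectoryW", "GetSystemDirectoryA", "GetSystemDirectoryW", "GetSystemWindowsDirectoryA", "GetSystemWindowsDirectoryW", "GetSystemWow64DirectoryA", "GetSystemWow64DirectoryW", "GetVDMCurrentDirectories", "GetWindowsDirectoryA", "GetWindowsDirectoryW", "ReadDirectoryChangesW", "RemoveDirectoryA", "RemoveDirectoryW", "SetCurrentDirectoryA", "SetCurrentDirectoryW", "SetDllDirectoryA", "SetDllDirectoryW", "SetVDMCurrentDirectories", "SHCreateDirectory", "SHCreateDirectoryExA", "SHCreateDirectoryExW", "CallNamedPipeA", "CallNamedPipeW", "ConnectNamedPipe", "CreateNamedPipeA", "CreateNamedPipeW", "CreatePipe", "DisconnectNamedPipe", "GetNamedPipeHandleStateA", "GetNamedPipeHandleStateW", "GetNamedPipeInfo", "PeekNamedPipe", "SetNamedPipeHandleState", "TransactNamedPipe", "WaitNamedPipeA", "WaitNamedPipeW", "CompareFileTime", "CopyFileA", "CopyFileExA", "CopyFileExW", "CopyFileW", "CopyLZFile", "CreateFileA", "CreateFileMappingA", "CreateFileMappingW", "CreateFileW", "DeleteFileA", "DeleteFileW", "DosDateTimeToFileTime", "FileTimeToDosDateTime", "FileTimeToLocalFileTime", "FileTimeToLocalFileTime", "FileTimeToSystemTime", "FlushFileBuffers", "FlushViewOfFile", "GetCPFileNameFromRegistry", "GetCompressedFileSizeA", "GetCompressedFileSizeW", "GetFileAttributesA", "GetFileAttributesExA", "GetFileAttributesExW", "GetFileAttributesW", "GetFileInformationByHandle", "GetFileSize", "GetFileSizeEx", "GetFileTime", "GetFileType", "GetSystemTimeAsFileTime", "GetTempFileNameA", "GetTempFileNameW", "LZCloseFile", "LZCreateFileW", "LZOpenFileA", "LZOpenFileW", "LocalFileTimeToFileTime", "LocalFileTimeToFileTime", "LockFile", "LockFileEx", "MapViewOfFile", "MapViewOfFileEx", "MoveFileA", "MoveFileExA", "MoveFileExW", "MoveFileW", "MoveFileWithProgressA", "MoveFileWithProgressW", "OpenDataFile", "OpenFile",
"OpenFileMappingA", "OpenFileMappingW", "OpenProfileUserMapping", "PrivCopyFileExW", "PrivMoveFileIdentityW", "ReadFile", "ReadFileEx", "ReplaceFile", "ReplaceFileA", "ReplaceFileW", "SetEndOfFile", "SetFileAttributesA", "SetFileAttributesW", "SetFilePointer", "SetFilePointerEx", "SetFileShortNameA", "SetFileShortNameW", "SetFileTime", "SetFileValidData", "SystemTimeToFileTime", "UnlockFile", "UnlockFileEx", "UnmapViewOfFile", "WriteFile", "WriteFileEx", "WriteFileGather", "GetFileSecurityA", "GetFileSecurityW", "SetFileSecurityA", "SetFileSecurityW", "CreateFileU", "FindFirstFileW", "FindNextFileW", "FindClose"])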
Execution = ["CreateMutexA", "CreateMutexW", "OpenMutexA", "OpenMutexW", "ReleaseMutex", "CreateToolhelp32Snapshot", "Process32First", "Process32FirstW", "Process32Next", "Process32NextW", "ChangeServiceConfig2A", "ChangeServiceConfig2W", "ChangeServiceConfigA", "ChangeServiceConfigW", "CloseServiceHandle", "ControlService", "CreateServiceA", "CreateServiceW", "DeleteService", "EnumDependentServicesA", "EnumDependentServicesW", "EnumServiceGroupW", "EnumServicesStatusA", "EnumServicesStatusExA", "EnumServicesStatusExW", "EnumServicesStatusW", "GetServiceDisplayNameA", "GetServiceDisplayNameW", "GetServiceKeyNameA", "GetServiceKeyNameW", "I_ScPnPGetServiceName", "I_ScSetServiceBitsA", "I_ScSetServiceBitsW", "LockServiceDatabase", "OpenServiceA", "OpenServiceW", "PrivilegedServiceAuditAlarmA", "PrivilegedServiceAuditAlarmW", "QueryServiceConfig2A", "QueryServiceConfig2W", "QueryServiceConfigA", "QueryServiceConfigW", "QueryServiceLockStatusA", "QueryServiceLockStatusW", "QueryServiceObjectSecurity", "QueryServiceStatus", "QueryServiceStatusEx", "RegisterServiceCtrlHandlerA", "RegisterServiceCtrlHandlerExA", "RegisterServiceCtrlHandlerExW", "RegisterServiceCtrlHandlerW", "SetServiceBits", "SetServiceObjectSecurity", "SetServiceStatus", "StartServiceA", "StartServiceCtrlDispatcherA", "StartServiceCtrlDispatcherW", "StartServiceW", "UnlockServiceDatabase", "WdmWmiServiceMain", "CreateProcessA", "CreateProcessW", "CreateThread", "CreateRemoteThread", "ShellExecute", "ShellExecuteEx", "DeleteCriticalSection", "EnterCriticalSection", "InitializeCriticalSection", "InitializeCriticalSectionAndSpinCount", "LeaveCriticalSection", "SetCriticalSectionSpinCount", "TryEnterCriticalSection", "GetProcAddress", "GetModuleHandle", "LoadLibrary"]
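# Cryptography API names: CryptoAPI hashing/keys/encryption (Crypt*), EFS
# (EncryptFile*/DecryptFile*), CryptoAPI messages and OID/SIP plumbing,
# internal I_Crypt*/I_Cert* helpers, certificate-store (Cert*) and PFX calls.
# Used only for membership tests in colorize(), so stored as a frozenset; the
# entries the original list repeated (e.g. CryptHashCertificate,
# CertVerifyCertificateChainPolicy) collapse to one.
Crypto = frozenset(["CryptCreateHash", "CryptDestroyHash", "CryptDuplicateHash", "CryptGetHashParam", "CryptHashData", "CryptHashSessionKey", "CryptSetHashParam", "CryptSignHashA", "CryptSignHashW", "FreeEncryptionCertificateHashList", "CryptAcquireContextA", "CryptAcquireContextW", "CryptContextAddRef", "CryptDecrypt", "CryptDeriveKey", "CryptDestroyKey", "CryptDuplicateKey", "CryptEncrypt", "CryptEnumProviderTypesA", "CryptEnumProviderTypesW", "CryptEnumProvidersA", "CryptEnumProvidersW", "CryptExportKey", "CryptGenKey", "CryptGenRandom", "CryptGetDefaultProviderA", "CryptGetDefaultProviderW", "CryptGetKeyParam", "CryptGetProvParam", "CryptGetUserKey", "CryptImportKey", "CryptReleaseContext", "CryptSetKeyParam", "CryptSetProvParam", "CryptSetProviderA", "CryptSetProviderExA", "CryptSetProviderExW", "CryptSetProviderW", "CryptVerifySignatureA", "CryptVerifySignatureW", "DecryptFileA", "DecryptFileW", "EncryptFileA", "EncryptFileW", "EncryptedFileKeyInfo", "EncryptionDisable", "WriteEncryptedFileRaw", "OpenEncryptedFileRawA", "OpenEncryptedFileRawW", "DuplicateEncryptionInfoFile", "SetUserFileEncryptionKey", "ReadEncryptedFileRaw", "RemoveUsersFromEncryptedFile", "FileEncryptionStatusA", "FileEncryptionStatusW", "FreeEncryptedFileKeyInfo", "CloseEncryptedFileRaw", "AddUsersToEncryptedFile", "QueryRecoveryAgentsOnEncryptedFile", "QueryUsersOnEncryptedFile", "ChainWlxLogoffEvent", "CryptAcquireContextU", "CryptBinaryToStringA", "CryptBinaryToStringW", "CryptCloseAsyncHandle", "CryptCreateAsyncHandle", "CryptDecodeMessage", "CryptDecodeObject", "CryptDecodeObjectEx", "CryptDecryptAndVerifyMessageSignature", "CryptDecryptMessage", "CryptEncodeObject", "CryptEncodeObjectEx", "CryptEncryptMessage", "CryptEnumKeyIdentifierProperties", "CryptEnumOIDFunction", "CryptEnumOIDInfo", "CryptEnumProvidersU", "CryptExportPKCS8", "CryptExportPublicKeyInfo", "CryptExportPublicKeyInfoEx", "CryptFindLocalizedName", "CryptFindOIDInfo", "CryptFormatObject", "CryptFreeOIDFunctionAddress",
"CryptGetAsyncParam", "CryptGetDefaultOIDDllList", "CryptGetDefaultOIDFunctionAddress", "CryptGetKeyIdentifierProperty", "CryptGetMessageCertificates", "CryptGetMessageSignerCount", "CryptGetOIDFunctionAddress", "CryptGetOIDFunctionValue", "CryptHashCertificate", "CryptHashMessage", "CryptHashPublicKeyInfo", "CryptHashToBeSigned", "CryptImportPKCS8", "CryptImportPublicKeyInfo", "CryptImportPublicKeyInfoEx", "CryptInitOIDFunctionSet", "CryptInstallDefaultContext", "CryptInstallOIDFunctionAddress", "CryptLoadSip", "CryptMemAlloc", "CryptMemFree", "CryptMemRealloc", "CryptMsgCalculateEncodedLength", "CryptMsgClose", "CryptMsgControl", "CryptMsgCountersign", "CryptMsgCountersignEncoded", "CryptMsgDuplicate", "CryptMsgEncodeAndSignCTL", "CryptMsgGetAndVerifySigner", "CryptMsgGetParam", "CryptMsgOpenToDecode", "CryptMsgOpenToEncode", "CryptMsgSignCTL", "CryptMsgUpdate", "CryptMsgVerifyCountersignatureEncoded", "CryptMsgVerifyCountersignatureEncodedEx", "CryptProtectData", "CryptQueryObject", "CryptRegisterDefaultOIDFunction", "CryptRegisterOIDFunction", "CryptRegisterOIDInfo", "CryptSIPAddProvider", "CryptSIPCreateIndirectData", "CryptSIPGetSignedDataMsg", "CryptSIPLoad", "CryptSIPPutSignedDataMsg", "CryptSIPRemoveProvider", "CryptSIPRemoveSignedDataMsg", "CryptSIPRetrieveSubjectGuid", "CryptSIPRetrieveSubjectGuidForCatalogFile", "CryptSIPVerifyIndirectData", "CryptSetAsyncParam", "CryptSetKeyIdentifierProperty", "CryptSetOIDFunctionValue", "CryptSetProviderU", "CryptSignAndEncodeCertificate", "CryptSignAndEncryptMessage", "CryptSignCertificate", "CryptSignHashU", "CryptSignMessage", "CryptSignMessageWithKey", "CryptStringToBinaryA", "CryptStringToBinaryW", "CryptUninstallDefaultContext", "CryptUnprotectData", "CryptUnregisterDefaultOIDFunction", "CryptUnregisterOIDFunction", "CryptUnregisterOIDInfo", "CryptVerifyCertificateSignature", "CryptVerifyCertificateSignatureEx", "CryptVerifyDetachedMessageHash", "CryptVerifyDetachedMessageSignature", "CryptVerifyMessageHash",
"CryptVerifyMessageSignature", "CryptVerifyMessageSignatureWithKey", "CryptVerifySignatureU", "I_CertProtectFunction", "I_CertSrvProtectFunction", "I_CertSyncStore", "I_CertUpdateStore", "I_CryptAddRefLruEntry", "I_CryptAddSmartCardCertToStore", "I_CryptAllocTls", "I_CryptCreateLruCache", "I_CryptCreateLruEntry", "I_CryptDetachTls", "I_CryptDisableLruOfEntries", "I_CryptEnableLruOfEntries", "I_CryptEnumMatchingLruEntries", "I_CryptFindLruEntry", "I_CryptFindLruEntryData", "I_CryptFindSmartCardCertInStore", "I_CryptFlushLruCache", "I_CryptFreeLruCache", "I_CryptFreeTls", "I_CryptGetAsn1Decoder", "I_CryptGetAsn1Encoder", "I_CryptGetDefaultCryptProv", "I_CryptGetDefaultCryptProvForEncrypt", "I_CryptGetFileVersion", "I_CryptGetLruEntryData", "I_CryptGetLruEntryIdentifier", "I_CryptGetOssGlobal", "I_CryptGetTls", "I_CryptInsertLruEntry", "I_CryptInstallAsn1Module", "I_CryptInstallOssGlobal", "I_CryptReadTrustedPublisherDWORDValueFromRegistry", "I_CryptRegisterSmartCardStore", "I_CryptReleaseLruEntry", "I_CryptRemoveLruEntry", "I_CryptSetTls", "I_CryptTouchLruEntry", "I_CryptUninstallAsn1Module", "I_CryptUninstallOssGlobal", "I_CryptUnregisterSmartCardStore", "I_CryptWalkAllLruCacheEntries", "CertAddCRLContextToStore", "CertAddCRLLinkToStore", "CertAddCTLContextToStore", "CertAddCTLLinkToStore", "CertAddCertificateContextToStore", "CertAddCertificateLinkToStore", "CertAddEncodedCRLToStore", "CertAddEncodedCertificateToStore", "CertAddEncodedCertificateToSystemStoreA", "CertAddEncodedCertificateToSystemStoreW", "CertAddEnhancedKeyUsageIdentifier", "CertAddSerializedElementToStore", "CertAddStoreToCollection", "CertAlgIdToOID", "CertCloseStore", "CertCompareCertificate", "CertCompareCertificateName", "CertCompareIntegerBlob", "CertComparePublicKeyInfo", "CertControlStore", "CertCreateCTLContext", "CertCreateCTLEntryFromCertificateContextProperties", "CertCreateCertificateChainEngine", "CertCreateCertificateContext", "CertCreateContext", "CertCreateSelfSignCertificate",
"CertDeleteCTLFromStore", "CertDeleteCertificateFromStore", "CertDuplicateCTLContext", "CertDuplicateCertificateChain", "CertDuplicateCertificateContext", "CertDuplicateStore", "CertEnumCRLContextProperties", "CertEnumCRLsInStore", "CertEnumCTLContextProperties", "CertEnumCTLsInStore", "CertEnumCertificateContextProperties", "CertEnumCertificatesInStore", "CertEnumPhysicalStore", "CertEnumSubjectInSortedCTL", "CertEnumSystemStore", "CertEnumSystemStoreLocation", "CertFindAttribute", "CertFindCRLInStore", "CertFindCertificateInCRL", "CertFindCertificateInStore", "CertFindChainInStore", "CertFindExtension", "CertFindRDNAttr", "CertFindSubjectInCTL", "CertFindSubjectInSortedCTL", "CertFreeCRLContext", "CertFreeCertificateChain", "CertFreeCertificateChainEngine", "CertFreeCertificateContext", "CertGetCRLContextProperty", "CertGetCRLFromStore", "CertGetCTLContextProperty", "CertGetCertificateChain", "CertGetCertificateContextProperty", "CertGetEnhancedKeyUsage", "CertGetIssuerCertificateFromStore", "CertGetNameStringA", "CertGetNameStringW", "CertGetPublicKeyLength", "CertGetStoreProperty", "CertGetSubjectCertificateFromStore", "CertGetValidUsages", "CertIsRDNAttrsInCertificateName", "CertIsValidCRLForCertificate", "CertNameToStrA", "CertNameToStrW", "CertOIDToAlgId", "CertOpenStore", "CertOpenSystemStoreA", "CertOpenSystemStoreW", "CertRDNValueToStrA", "CertRDNValueToStrW", "CertRegisterPhysicalStore", "CertRegisterSystemStore", "CertRemoveEnhancedKeyUsageIdentifier", "CertRemoveStoreFromCollection", "CertResyncCertificateChainEngine", "CertSaveStore", "CertSerializeCRLStoreElement", "CertSerializeCertificateStoreElement", "CertSetCRLContextProperty", "CertSetCertificateContextPropertiesFromCTLEntry", "CertSetCertificateContextProperty", "CertSetEnhancedKeyUsage", "CertSetStoreProperty", "CertStrToNameA", "CertStrToNameW", "CertUnregisterPhysicalStore", "CertUnregisterSystemStore", "CertVerifyCRLRevocation", "CertVerifyCRLTimeValidity", "CertVerifyCTLUsage",
"CertVerifyCertificateChainPolicy", "CertVerifyCertificateChainPolicy", "CertVerifyRevocation", "CertVerifySubjectCertificateContext", "CertVerifyTimeValidity", "CertVerifyValidityNesting", "CloseCertPerformanceData", "CollectCertPerformanceData", "CryptAcquireCertificatePrivateKey", "CryptFindCertificateKeyProvInfo", "CryptGetMessageCertificates", "CryptHashCertificate", "CryptSignAndEncodeCertificate", "CryptSignCertificate", "CryptVerifyCertificateSignature", "CryptVerifyCertificateSignatureEx", "I_CertProtectFunction", "I_CertSrvProtectFunction", "I_CertSyncStore", "I_CertUpdateStore", "I_CryptAddSmartCardCertToStore", "I_CryptFindSmartCardCertInStore", "OpenCertPerformanceData", "PFXExportCertStore", "PFXExportCertStoreEx", "PFXImportCertStore"])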
SysInfo = ["GetComputerNameA", "GetComputerNameExA", "GetComputerNameExW", "GetComputerNameW", "GetDiskFreeSpaceA", "GetDiskFreeSpaceExA", "GetDiskFreeSpaceExW", "GetDiskFreeSpaceW", "GetDriveTypeA", "GetDriveTypeW", "GetVersion", "GetVersionExA", "GetVersionExW", "GetSystemInfo", "GetSystemMetrics", "CheckTokenMembership"]
Memory = ["WriteProcessMemory", "ReadProcessMemory", "sprintf", "strcat", "strcmp", "strncmp", "strcpy", "strncpy", "strstr", "VirtualAlloc", "VirtualAllocEx", "VirtualBufferExceptionHandler", "VirtualFree", "VirtualFreeEx", "VirtualLock", "VirtualProtect", "VirtualProtectEx", "VirtualQuery", "VirtualQueryEx", "VirtualUnlock"]
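def SetColor(bv, address, color):
    """Highlight every basic block holding a code reference to ``address``.

    Args:
        bv: the view being analysed; only ``get_code_refs`` and
            ``get_basic_blocks_at`` are used.
        address: address of the symbol whose referencing blocks are coloured
            (colorize() passes an import symbol's address).
        color: highlight value handed straight to ``set_user_highlight``.

    Prints each reference address and the blocks found there (kept from the
    original as debugging output), then applies ``color`` to every block.
    """
    # get_code_refs may return nothing for an unreferenced import; treat a
    # falsy result as "no references" exactly as the original guard did.
    for xref in bv.get_code_refs(address) or []:
        blocks = bv.get_basic_blocks_at(xref.address)
        print(xref.address)
        print(blocks)
        for block in blocks:
            block.set_user_highlight(color)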
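def colorize(bv, addr, lentgh):
    """Highlight call sites of imported APIs by behavioural category.

    Walks every symbol in ``bv``, pulls the bare API name out of symbol names
    of the form ``...!<Name>@...`` and, for each category set the name belongs
    to, prints the classification and colours the basic blocks that reference
    the symbol (see ``SetColor``).

    Args:
        bv: the view to annotate.
        addr: start of the selected range, supplied by the range-command
            callback registered at module level; unused -- the whole view is
            scanned.
        lentgh: length of the selected range (name kept as originally
            registered); unused.

    Classification is purely by exported name, so treat the result as a triage
    aid rather than a verdict: a name present in several sets is reported and
    coloured once per set, and any API missing from the sets is skipped
    silently.
    """
    # Category table in the original check order.  Colour attributes are read
    # when the command runs, as in the original, not when the plugin loads.
    categories = [
        ("Registry", Registry, binaryninja.core.BlueHighlightColor),
        ("Network", Network, binaryninja.core.GreenHighlightColor),
        ("File", File, binaryninja.core.CyanHighlightColor),
        ("Execution", Execution, binaryninja.core.RedHighlightColor),
        ("Crypto", Crypto, binaryninja.core.MagentaHighlightColor),
        ("Sysinfo", SysInfo, binaryninja.core.YellowHighlightColor),
        ("Memory", Memory, binaryninja.core.OrangeHighlightColor),
    ]
    # Compiled once instead of per symbol; captures the API name between the
    # '!' and '@' of an import-style symbol name (first occurrence only).
    api_name = re.compile(r'!(\w+)@')
    for symbol in bv.get_symbols():
        match = api_name.search(symbol.name)
        if match is None:
            continue
        api = match.group(1)
        for label, names, color in categories:
            if api in names:
                print(label + ": " + api)
                SetColor(bv, symbol.address, color)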
binaryninja.PluginCommand.register_for_range("Set block color behavior", "Set block color behavior.", colorize)