hfiref0x / wdextract


Extract Windows Defender database from vdm files and unpack it

License: BSD 2-Clause "Simplified" License

C++ 23.48% C 76.52%
windows-defender

wdextract's Issues

__signature_type

/* Signature record type tags found in Windows Defender VDM databases, as posted in the issue. */
enum __signature_type {
    SIGNATURE_TYPE_UNKNOWN = 0x0,
    SIGNATURE_TYPE_RESERVED = 0x1,
    SIGNATURE_TYPE_VOLATILE_THREAT_INFO = 0x2,
    SIGNATURE_TYPE_POLYVIR32 = 0x21,
    SIGNATURE_TYPE_KVIR32 = 0x20,
    SIGNATURE_TYPE_PEFILE_CURE = 0x3D,
    SIGNATURE_TYPE_PEHSTR = 0x61,
    SIGNATURE_TYPE_PEHSTR_EXT = 0x78,
    SIGNATURE_TYPE_PEHSTR_EXT2 = 0x85,
    SIGNATURE_TYPE_ELFHSTR_EXT = 0x8C,
    SIGNATURE_TYPE_MACHOHSTR_EXT = 0x8D,
    SIGNATURE_TYPE_DOSHSTR_EXT = 0x8E,
    SIGNATURE_TYPE_MACROHSTR_EXT = 0x8F,
    SIGNATURE_TYPE_DEXHSTR_EXT = 0xBE,
    SIGNATURE_TYPE_JAVAHSTR_EXT = 0xBF,
    SIGNATURE_TYPE_PEPCODE = 0x8A,
    SIGNATURE_TYPE_BOOT = 0x44,
    SIGNATURE_TYPE_MAC_CURE = 0x3E,
    SIGNATURE_TYPE_MACRO_PCODE = 0x42,
    SIGNATURE_TYPE_MACRO_SOURCE = 0x43,
    SIGNATURE_TYPE_KCRCE = 0x80,
    SIGNATURE_TYPE_NID = 0x55,
    SIGNATURE_TYPE_CKSIMPLEREC = 0x50,
    SIGNATURE_TYPE_CKOLDREC = 0x11,
    SIGNATURE_TYPE_KPAT = 0xBB,
    SIGNATURE_TYPE_BADREC = 0xD,
    SIGNATURE_TYPE_DOS_VCL = 0xE0,
    SIGNATURE_TYPE_NSCRIPT_NORMAL = 0x27,
    SIGNATURE_TYPE_NSCRIPT_SP = 0x28,
    SIGNATURE_TYPE_NSCRIPT_BRUTE = 0x29,
    SIGNATURE_TYPE_NSCRIPT_CURE = 0x2C,
    SIGNATURE_TYPE_RPFROUTINE = 0x53,
    SIGNATURE_TYPE_RPFROUTINE_OLD = 0x3F,
    SIGNATURE_TYPE_SIGTREE = 0x40,
    SIGNATURE_TYPE_SIGTREE_EXT = 0x41,
    SIGNATURE_TYPE_CLEANSCRIPT = 0x49,
    SIGNATURE_TYPE_DEFAULTS_DEPRECATED = 0x54,
    SIGNATURE_TYPE_DEFAULTS = 0x58,
    SIGNATURE_TYPE_TITANFLT = 0x30,
    SIGNATURE_TYPE_TARGET_SCRIPT = 0x4A,
    SIGNATURE_TYPE_TARGET_SCRIPT_PCODE = 0x90,
    SIGNATURE_TYPE_TUNNEL = 0x99,
    SIGNATURE_TYPE_TUNNEL_X86 = 0x99,   /* alias of SIGNATURE_TYPE_TUNNEL */
    SIGNATURE_TYPE_TUNNEL_X64 = 0x9A,
    SIGNATURE_TYPE_TUNNEL_IA64 = 0x9B,
    SIGNATURE_TYPE_TUNNEL_ARM = 0xB6,
    SIGNATURE_TYPE_GENSFX = 0x56,
    SIGNATURE_TYPE_UNPLIB = 0x57,
    SIGNATURE_TYPE_PATTMATCH = 0x51,
    SIGNATURE_TYPE_PATTMATCH_DEVELOPER = 0x52,
    SIGNATURE_TYPE_PATTMATCH_V2 = 0x77,
    SIGNATURE_TYPE_PATTMATCH_V2_DEVELOPER = 0x76,
    SIGNATURE_TYPE_FULLMD5 = 0x5A,
    SIGNATURE_TYPE_DBVAR = 0x5B,
    SIGNATURE_TYPE_THREAT_BEGIN = 0x5C,
    SIGNATURE_TYPE_THREAT_END = 0x5D,
    SIGNATURE_TYPE_FILENAME = 0x5E,
    SIGNATURE_TYPE_FILEPATH = 0x5F,
    SIGNATURE_TYPE_FOLDERNAME = 0x60,
    SIGNATURE_TYPE_LOCALHASH = 0x62,
    SIGNATURE_TYPE_REGKEY = 0x63,
    SIGNATURE_TYPE_HOSTSENTRY = 0x64,
    SIGNATURE_TYPE_MINITHREAT_GROUP = 0x65,
    SIGNATURE_TYPE_MINITHREAT = 0x66,
    SIGNATURE_TYPE_STATIC = 0x67,
    SIGNATURE_TYPE_MINISTATIC = 0xB9,
    SIGNATURE_TYPE_DIFFOP = 0x68,
    SIGNATURE_TYPE_LATENT_THREAT = 0x69,
    SIGNATURE_TYPE_REMOVAL_POLICY = 0x6A,
    SIGNATURE_TYPE_WVT_EXCEPTION = 0x6B,
    SIGNATURE_TYPE_TRUSTED_PUBLISHER = 0x70,
    SIGNATURE_TYPE_ASEP_FILEPATH = 0x71,
    SIGNATURE_TYPE_DELTA_BLOB_OLD = 0x72,
    SIGNATURE_TYPE_DELTA_BLOB = 0x73,
    SIGNATURE_TYPE_DELTA_BLOB_RECINFO = 0x74,
    SIGNATURE_TYPE_ASEP_FOLDERNAME = 0x75,
    SIGNATURE_TYPE_VDLL = 0x79,
    SIGNATURE_TYPE_VERSIONCHECK = 0x7A,
    SIGNATURE_TYPE_SAMPLE_REQUEST = 0x7B,
    SIGNATURE_TYPE_VDLL_X86 = 0x79,     /* alias of SIGNATURE_TYPE_VDLL */
    SIGNATURE_TYPE_VDLL_X64 = 0x7C,
    SIGNATURE_TYPE_VDLL_IA64 = 0x91,
    SIGNATURE_TYPE_VDLL_ARM = 0x9C,
    SIGNATURE_TYPE_RPFROUTINE_V2 = 0x7D,
    SIGNATURE_TYPE_SNID = 0x7E,
    SIGNATURE_TYPE_FOP = 0x7F,
    SIGNATURE_TYPE_FOPEX = 0x89,
    SIGNATURE_TYPE_VFILE = 0x83,
    SIGNATURE_TYPE_SIGFLAGS = 0x84,
    SIGNATURE_TYPE_PEMAIN_LOCATOR = 0x86,
    SIGNATURE_TYPE_PESTATIC = 0x87,
    SIGNATURE_TYPE_UFSP_DISABLE = 0x88,
    SIGNATURE_TYPE_IL_PATTERN = 0x8B,
    SIGNATURE_TYPE_IL2_PATTERN = 0xA6,
    SIGNATURE_TYPE_UNS = 0x92,
    SIGNATURE_TYPE_AEL_RECORD = 0x93,
    SIGNATURE_TYPE_SIG_RECORD = 0x94,
    SIGNATURE_TYPE_PEBMPAT = 0x95,
    SIGNATURE_TYPE_AAGGREGATOR = 0x96,
    SIGNATURE_TYPE_SAMPLE_REQUEST_BY_NAME = 0x97,
    SIGNATURE_TYPE_KPATEX = 0xBC,
    SIGNATURE_TYPE_REMOVAL_POLICY_BY_NAME = 0x98,
    SIGNATURE_TYPE_THREAD_X86 = 0x9D,
    SIGNATURE_TYPE_THREAD_X64 = 0x9E,
    SIGNATURE_TYPE_THREAD_IA64 = 0x9F,
    SIGNATURE_TYPE_THREAD_ARM = 0xB7,
    SIGNATURE_TYPE_FRIENDLYFILE_SHA256 = 0xA0,
    SIGNATURE_TYPE_FRIENDLYFILE_SHA512 = 0xA1,
    SIGNATURE_TYPE_SHARED_THREAT = 0xA2,
    SIGNATURE_TYPE_VDM_METADATA = 0xA3,
    SIGNATURE_TYPE_VSTORE = 0xA4,
    SIGNATURE_TYPE_VDLL_SYMINFO = 0xA5,
    SIGNATURE_TYPE_BM_STATIC = 0xA7,
    SIGNATURE_TYPE_BM_INFO = 0xA8,
    SIGNATURE_TYPE_NDAT = 0xA9,
    SIGNATURE_TYPE_FASTPATH_DATA = 0xAA,
    SIGNATURE_TYPE_FASTPATH_SDN = 0xAB,
    SIGNATURE_TYPE_DATABASE_CERT = 0xAC,
    SIGNATURE_TYPE_SOURCE_INFO = 0xAD,
    SIGNATURE_TYPE_HIDDEN_FILE = 0xAE,
    SIGNATURE_TYPE_COMMON_CODE = 0xAF,
    SIGNATURE_TYPE_VREG = 0xB0,
    SIGNATURE_TYPE_NISBLOB = 0xB1,
    SIGNATURE_TYPE_VFILEEX = 0xB2,
    SIGNATURE_TYPE_SIGTREE_BM = 0xB3,
    SIGNATURE_TYPE_VBFOP = 0xB4,
    SIGNATURE_TYPE_VDLL_META = 0xB5,
    SIGNATURE_TYPE_PCODEVALIDATOR = 0xB8,
    SIGNATURE_TYPE_MSILFOP = 0xBA,
    SIGNATURE_TYPE_LUASTANDALONE = 0xBD,
    SIGNATURE_TYPE_MAGICCODE = 0xC0,
    SIGNATURE_TYPE_CLEANSTORE_RULE = 0xC1,
    SIGNATURE_TYPE_VDLL_CHECKSUM = 0xC2,
    SIGNATURE_TYPE_THREAT_UPDATE_STATUS = 0xC3,
    SIGNATURE_TYPE_VDLL_MSIL = 0xC4,
    SIGNATURE_TYPE_ARHSTR_EXT = 0xC5,
    SIGNATURE_TYPE_MSILFOPEX = 0xC6,
    SIGNATURE_TYPE_VBFOPEX = 0xC7,
    SIGNATURE_TYPE_FOP64 = 0xC8,
    SIGNATURE_TYPE_FOPEX64 = 0xC9,
    SIGNATURE_TYPE_JSINIT = 0xCA,
    SIGNATURE_TYPE_PESTATICEX = 0xCB,
    SIGNATURE_TYPE_KCRCEX = 0xCC,
    SIGNATURE_TYPE_FTRIE_POS = 0xCD,
    SIGNATURE_TYPE_NID64 = 0xCE,
    SIGNATURE_TYPE_MACRO_PCODE64 = 0xCF,
    SIGNATURE_TYPE_BRUTE = 0xD0,
    SIGNATURE_TYPE_SWFHSTR_EXT = 0xD1,
    SIGNATURE_TYPE_REWSIGS = 0xD2,
    SIGNATURE_TYPE_AUTOITHSTR_EXT = 0xD3
};

Request for blog post

Hello hfiref0x,

I am reading through your blogs https://swapcontext.blogspot.com/2019/11/introduction.html

I wanted you to make one more blog post on "WDExtract - Journey", where I am expecting to learn the path you used to reverse the vdm files and how the base structures for RMDX were reversed?

P.S.
Sorry for using git issues for raising this request, since I don't have any other way of reaching you. Thanks for your excellent work.

Compile 32 bit

Hello
I cannot compile the 32-bit version. Some errors with zlib. I downloaded the 32-bit .lib and .dll, but still have this error.

Can you compile it, or is this impossible?

about rmod_header

#include <windows.h>   /* ULONG and DUMMYUNIONNAME come from the Windows SDK headers */

/* Header of a Defender "rmod" module, as posted in the issue; the issue does not describe the fields. */
typedef struct rmod_header {
    ULONG r_magic;
    ULONG r_time;
    ULONG r_crc;
    ULONG r_flags;
    ULONG r_codeoffset;
    ULONG r_codelen;
    ULONG r_extraoffset;
    ULONG r_extralen;
    ULONG r_initmodule;
    ULONG r_cleanupmodule;
    union {
        ULONG r_relocno;
        ULONG r_dbversion;
    } DUMMYUNIONNAME;
    ULONG r_importno;
    ULONG r_hostos;
    ULONG r_exportno;
    ULONG r_truecodelen;
    ULONG r_numberofrecords;
} rmod_header, *prmod_header;
