v1.0

.gitignore

@@ -0,0 +1,288 @@
+# This file is used to ignore files which are generated
+# ----------------------------------------------------------------------------
+
+!core/
+*.*#
+*.a
+*.app
+*.autosave
+*.core
+*.debug
+*.embed.manifest
+*.moc
+*.o
+*.obj
+*.orig
+*.prl
+*.qm
+*.rc
+*.rej
+*.res
+*.so
+*.so.*
+*_pch.h.cpp
+*_resource.rc
+*_wrapper.bat
+*_wrapper.sh
+*~
+.#*
+.DS_Store
+.qmake.cache
+.qmake.stash
+.vscode
+build*/
+Makefile*
+Thumbs.db
+core
+moc_*.cpp
+qrc_*.cpp
+tags
+ui_*.h
+wrapper.bat
+wrapper.sh
+
+# qtcreator generated files
+*.creator.user*
+*.pro.user*
+*.pyqtc.user*
+*.qbs.user*
+*.qmlproject.user*
+CMakeLists.txt.user*
+/share/qtcreator/examples/
+/share/qtcreator/externaltools/
+/share/qtcreator/fonts/
+/share/qtcreator/generic-highlighter/
+/share/qtcreator/qmldesigner/QtProject/
+/src/app/Info.plist
+/src/plugins/**/*.json
+/src/plugins/coreplugin/ide_version.h
+/src/libs/qt-breakpad/bin
+/.cmake/
+app_version.h
+phony.c
+
+# xemacs temporary files
+*.flc
+
+# Vim temporary files
+.*.swp
+
+# Visual Studio generated files
+*.ib_pdb_index
+*.idb
+*.ilk
+*.ncb
+*.opensdf
+*.pdb
+*.sdf
+*.sln
+*.suo
+*.vcproj
+*.vcxproj
+*vcproj.*.*.user
+*vcxproj.*
+
+# gcov files
+*.gcda
+*.gcno
+*.gcov
+
+# MinGW generated files
+*.Debug
+*.Release
+
+# Python byte code
+*.pyc
+
+# translation related:
+/share/qtcreator/translations/*_tr.h
+/share/qtcreator/translations/qtcreator_untranslated.ts
+
+# Qml caching files
+*.jsc
+*.qmlc
+
+# Squish generated files
+/tests/system/suite_*/config.xml
+
+# Clang tooling files
+compile_commands.json
+
+# Directories to ignore
+# ---------------------
+
+.moc/
+.obj/
+.pch/
+.rcc/
+.uic/
+.clangd/
+/*-debug/
+/*-release/
+/dist/gdb/*.gz
+/dist/gdb/python/
+/dist/gdb/qtcreator-*/
+/dist/gdb/source/
+/dist/gdb/staging/
+/doc/qbs/
+/doc/html/qtcreator/
+/doc/html/qtcreator-dev/
+/doc/html/qtdesignstudio/
+/doc/qtdesignstudio/doc/html
+/lib/
+/lib64/
+/libexec/
+debug/
+ipch/
+release/
+tmp/
+# ignore both a directory as well as a symlink
+/share/qtcreator/QtProject
+
+# Binaries
+# --------
+*.dll
+*.exe
+/bin/buildoutputparser
+/bin/clangbackend
+/bin/cpaster
+/bin/cplusplus-ast2png
+/bin/cplusplus-frontend
+/bin/cplusplus-keywordgen
+/bin/cplusplus-mkvisitor
+/bin/cplusplus-update-frontend
+/bin/qbs*
+/bin/qml2puppet
+/bin/qmlpuppet
+/bin/qtcreator
+/bin/qtcreator_crash_handler
+/bin/qtcreator_ctrlc_stub
+/bin/qtcreator_process_stub
+/bin/qtpromaker
+/bin/sdktool
+/share/doc/qtcreator/*.qch
+/share/qtcreator/qbs/
+/src/tools/examplesscanner/examplesscanner
+/src/tools/qml/qmldump/qmldump
+/src/tools/valgrindfake/valgrind-fake
+
+# Tests
+#------
+/tests/auto/aggregation/tst_aggregation
+/tests/auto/algorithm/tst_algorithm
+/tests/auto/changeset/tst_changeset
+/tests/auto/cplusplus/ast/tst_ast
+/tests/auto/cplusplus/c99/tst_c99
+/tests/auto/cplusplus/checksymbols/tst_checksymbols
+/tests/auto/cplusplus/codeformatter/tst_codeformatter
+/tests/auto/cplusplus/codegen/tst_codegen
+/tests/auto/cplusplus/cppselectionchanger/tst_cppselectionchanger
+/tests/auto/cplusplus/cxx11/tst_c99
+/tests/auto/cplusplus/cxx11/tst_cxx11
+/tests/auto/cplusplus/fileiterationorder/tst_fileiterationorder
+/tests/auto/cplusplus/findusages/tst_findusages
+/tests/auto/cplusplus/lexer/tst_lexer
+/tests/auto/cplusplus/lookup/tst_lookup
+/tests/auto/cplusplus/misc/tst_misc
+/tests/auto/cplusplus/preprocessor/tst_preprocessor
+/tests/auto/cplusplus/semantic/tst_semantic
+/tests/auto/cplusplus/simplifytypes/tst_simplifytypes
+/tests/auto/cplusplus/translationunit/tst_translationunit
+/tests/auto/cplusplus/typeprettyprinter/tst_typeprettyprinter
+/tests/auto/debugger/qt_tst_dumpers_*
+/tests/auto/debugger/tst_disassembler
+/tests/auto/debugger/tst_dumpers
+/tests/auto/debugger/tst_gdb
+/tests/auto/debugger/tst_namedemangler
+/tests/auto/debugger/tst_offsets
+/tests/auto/debugger/tst_olddumpers
+/tests/auto/debugger/tst_simplifytypes
+/tests/auto/debugger/tst_version
+/tests/auto/diff/differ/tst_differ
+/tests/auto/environment/tst_environment
+/tests/auto/extensionsystem/pluginmanager/tst_pluginmanager
+/tests/auto/extensionsystem/pluginspec/tst_pluginspec
+/tests/auto/externaltool/tst_externaltool
+/tests/auto/fakevim/tst_fakevim
+/tests/auto/filesearch/tst_filesearch
+/tests/auto/flamegraph/tst_flamegraph
+/tests/auto/generichighlighter/highlighterengine/tst_highlighterengine
+/tests/auto/generichighlighter/specificrules/tst_specificrules
+/tests/auto/ioutils/tst_ioutils
+/tests/auto/json/tst_json
+/tests/auto/mapreduce/tst_mapreduce
+/tests/auto/profilewriter/tst_profilewriter
+/tests/auto/qml/codemodel/check/tst_codemodel_check
+/tests/auto/qml/codemodel/dependencies/tst_dependencies
+/tests/auto/qml/codemodel/importscheck/tst_qml_imports_check
+/tests/auto/qml/persistenttrie/tst_trie_check
+/tests/auto/qml/qmldesigner/bauhaustests/tst_bauhaus
+/tests/auto/qml/qmldesigner/coretests/tst_coretests
+/tests/auto/qml/qmldesigner/coretests/tst_qmldesigner_core
+/tests/auto/qml/qmldesigner/propertyeditortests/tst_propertyeditor
+/tests/auto/qml/qmleditor/qmlcodeformatter/tst_qmlcodeformatter
+/tests/auto/qml/qmljssimplereader/tst_qmljssimplereader
+/tests/auto/qml/qmlprojectmanager/fileformat/tst_fileformat
+/tests/auto/qml/qrcparser/tst_qrcparser
+/tests/auto/qml/reformatter/tst_reformatter
+/tests/auto/qtcprocess/tst_qtcprocess
+/tests/auto/runextensions/tst_runextensions
+/tests/auto/sdktool/tst_sdktool
+/tests/auto/ssh/tst_ssh
+/tests/auto/timeline/timelineabstractrenderer/tst_timelineabstractrenderer
+/tests/auto/timeline/timelineitemsrenderpass/tst_timelineitemsrenderpass
+/tests/auto/timeline/timelinemodel/tst_timelinemodel
+/tests/auto/timeline/timelinemodelaggregator/tst_timelinemodelaggregator
+/tests/auto/timeline/timelinenotesmodel/tst_timelinenotesmodel
+/tests/auto/timeline/timelinenotesrenderpass/tst_timelinenotesrenderpass
+/tests/auto/timeline/timelineoverviewrenderer/tst_timelineoverviewrenderer
+/tests/auto/timeline/timelinerenderer/tst_timelinerenderer
+/tests/auto/timeline/timelinerenderpass/tst_timelinerenderpass
+/tests/auto/timeline/timelinerenderstate/tst_timelinerenderstate
+/tests/auto/timeline/timelineselectionrenderpass/tst_timelineselectionrenderpass
+/tests/auto/timeline/timelinezoomcontrol/tst_timelinezoomcontrol
+/tests/auto/treeviewfind/tst_treeviewfind
+/tests/auto/utils/ansiescapecodehandler/tst_ansiescapecodehandler
+/tests/auto/utils/fileutils/tst_fileutils
+/tests/auto/utils/stringutils/tst_stringutils
+/tests/auto/utils/templateengine/tst_templateengine
+/tests/auto/utils/treemodel/tst_treemodel
+/tests/auto/valgrind/callgrind/tst_callgrindparsertests
+/tests/auto/valgrind/memcheck/modeldemo
+/tests/auto/valgrind/memcheck/testapps/free1/free1
+/tests/auto/valgrind/memcheck/testapps/free2/free2
+/tests/auto/valgrind/memcheck/testapps/invalidjump/invalidjump
+/tests/auto/valgrind/memcheck/testapps/leak1/leak1
+/tests/auto/valgrind/memcheck/testapps/leak2/leak2
+/tests/auto/valgrind/memcheck/testapps/leak3/leak3
+/tests/auto/valgrind/memcheck/testapps/leak4/leak4
+/tests/auto/valgrind/memcheck/testapps/overlap/overlap
+/tests/auto/valgrind/memcheck/testapps/syscall/syscall
+/tests/auto/valgrind/memcheck/testapps/uninit1/uninit1
+/tests/auto/valgrind/memcheck/testapps/uninit2/uninit2
+/tests/auto/valgrind/memcheck/testapps/uninit3/uninit3
+/tests/auto/valgrind/memcheck/tst_parsertests
+/tests/auto/valgrind/memcheck/tst_testrunner
+/tests/manual/debugger/gui/gui
+/tests/manual/debugger/helper/helper
+/tests/manual/debugger/simple/libsimple_test_plugin.*dylib
+/tests/manual/debugger/simple/simple_test_app
+/tests/manual/fakevim/tst_fakevim
+/tests/manual/pluginview/tst_plugindialog
+/tests/manual/preprocessor/pp
+/tests/manual/process/process
+/tests/manual/proparser/testreader
+/tests/manual/qml-ast2dot/qml-ast2dot
+/tests/manual/shootout/shootout
+/tests/manual/ssh/sftpfsmodel/sftpfsmodel
+/tests/manual/ssh/shell/shell
+/tests/tools/qml-ast2dot/qml-ast2dot
+/tests/unit/echoserver/echo
+/tests/unit/unittest/unittest
+
+# qbs builds
+/*-debug/
+/*-release/
+
+x64dbg/
+bin/

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "pe-sieve"]
+	path = pe-sieve
+	url = https://github.com/hasherezade/pe-sieve

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2016 x64dbg
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1,9 +1,13 @@
 # xMalHunter
 
-Plugin demonstrating how to link with Qt.
+![](images/inline_hook.png)
 
-## AppVeyor
+## Features
 
-[![Build status](https://ci.appveyor.com/api/projects/status/gkc9p5993v142kdi/branch/master?svg=true)](https://ci.appveyor.com/project/x64dbg/qtplugin/branch/master)
+* Set breakpoint
+* Follow in Disassembler/Dump
+* Fix IAT and Dump PE
 
-There is an example [AppVeyor](https://ci.appveyor.com) configuration included in this template. When you rename `xMalHunter` to your own project name, you have to update `build.bat` and `appveyor.yml` to match it.
+* Find Reflective Injections, Hollows, Shellcodes, Inline/IAT Hooks using pe-sieve
+
+Powered by [pe-sieve](https://github.com/hasherezade/pe-sieve)

appveyor.yml

@@ -0,0 +1,15 @@
+version: 1.0.{build}
+image: Visual Studio 2013
+environment:
+  QT32PATH: C:\Qt\5.6\msvc2013\bin
+  QT64PATH: C:\Qt\5.6\msvc2013_64\bin
+  QTCREATORPATH: C:\Qt\Tools\QtCreator\bin
+install:
+- cmd: git submodule update --init --recursive --no-recommend-shallow
+build_script:
+- cmd: call build.bat x32
+- cmd: call build.bat x64
+- cmd: call release.bat
+artifacts:
+- path: release
+  name: xMalHunter-%APPVEYOR_REPO_COMMIT%

build.bat

@@ -0,0 +1,36 @@
+@echo off
+
+echo Saving PATH
+if "%OLDPATH%"=="" set OLDPATH=%PATH%
+
+cd %~dp0
+
+if /i "%1"=="x32"	call setenv.bat x32&goto build
+if /i "%1"=="x64"	call setenv.bat x64&goto build
+
+goto usage
+
+
+:build
+rmdir /S /Q build-%1
+mkdir build-%1
+pushd build-%1
+qmake ..\xMalHunter\xMalHunter.pro CONFIG+=release
+if not %ERRORLEVEL%==0 exit /b
+jom
+if not %ERRORLEVEL%==0 exit /b
+popd
+goto :restorepath
+
+:usage
+echo "Usage: build.bat x32/x64"
+echo.
+echo Examples:
+echo   build.bat x32               : builds 32-bit release build
+echo   build.bat x64               : builds 64-bit release build
+goto :restorepath
+
+:restorepath
+echo Resetting PATH
+set PATH=%OLDPATH%
+set OLDPATH=

release.bat

@@ -0,0 +1,4 @@
+mkdir release\x32\plugins
+mkdir release\x64\plugins
+copy bin\x32\*.dp32 release\x32\plugins\
+copy bin\x64\*.dp64 release\x64\plugins\