sefcom · Graymos · Jul 21, 2025 · Jul 22, 2025 · Jul 22, 2025 · Jul 22, 2025
diff --git a/.gitattributes b/.gitattributes
diff --git a/.gitignore b/.gitignore
@@ -160,3 +160,6 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+#Mango Results
+mango_results/
diff --git a/package/argument_resolver/analysis/base.py b/package/argument_resolver/analysis/base.py
@@ -51,6 +51,7 @@
     StringHandlers,
     UnistdHandlers,
     URLParamHandlers,
+    WinHandlers,
     handler_factory,
 )
 from argument_resolver.handlers.base import HandlerBase
@@ -127,6 +128,7 @@ def __init__(
                 NVRAMHandlers,
                 NetworkHandlers,
                 URLParamHandlers,
+                WinHandlers,
             ]
         )
 

diff --git a/package/argument_resolver/external_function/__init__.py b/package/argument_resolver/external_function/__init__.py
@@ -3,5 +3,14 @@
 from .function_declarations import CUSTOM_DECLS
 
 
+# def is_an_external_input_function(function_name: str) -> bool:
+#     return any(function_name == x for x in INPUT_EXTERNAL_FUNCTIONS)
+
+# In external_function/__init__.py
 def is_an_external_input_function(function_name: str) -> bool:
-    return any(function_name == x for x in INPUT_EXTERNAL_FUNCTIONS)
+    print(f"DEBUG: Checking function name: '{function_name}'")
+    result = any(function_name == x for x in INPUT_EXTERNAL_FUNCTIONS)
+    if result:
+        print(f"DEBUG: MATCH! '{function_name}' is an input function")
+    return result
+
diff --git a/package/argument_resolver/external_function/function_declarations/win32.py b/package/argument_resolver/external_function/function_declarations/win32.py
@@ -1,6 +1,9 @@
-from angr.sim_type import SimTypeFunction, SimTypeLong
+from angr.sim_type import SimTypeFunction, SimTypeLong, SimTypePointer, SimTypeInt, SimTypeBottom, SimTypeChar, SimTypeRef, SimStruct
 
+from angr.procedures.definitions.win32_kernel32 import prototypes
 
+
+# Create our own declaration dicts for each teams areas 
 winreg_decls = {
     #
     # Taken from: https://github.com/firmadyne/libnvram/blob/v1.0c/nvram.c .
@@ -13,9 +16,264 @@
             SimTypeLong(signed=True),
             SimTypeLong(signed=True),
         ],
-        SimTypeLong(signed=True),
+        SimTypeInt(),  # Fix: Use SimTypeInt() for DWORD return type, not SimTypeLong
     ),
     "RegCloseKey": SimTypeFunction(
         [SimTypeLong(signed=True)], SimTypeLong(signed=True)
     ),
+
+    "ReadConsoleA": SimTypeFunction(
+    [
+        SimTypeLong(signed=True),
+        SimTypePointer(SimTypeChar(), offset=0),
+        SimTypeInt(signed=False),
+        SimTypePointer(SimTypeInt(), offset=0),
+        SimTypeLong(signed=True),
+    ], SimTypeLong(signed=True)),
+
+    "CreateProcessA": SimTypeFunction([
+        SimTypePointer(SimTypeChar()),      # lpApplicationName
+        SimTypePointer(SimTypeChar()),      # lpCommandLine
+        SimTypePointer(SimTypeBottom()),    # lpProcessAttributes
+        SimTypePointer(SimTypeBottom()),    # lpThreadAttributes
+        SimTypeInt(),                       # bInheritHandles
+        SimTypeInt(),                       # dwCreationFlags
+        SimTypePointer(SimTypeBottom()),    # lpEnvironment
+        SimTypePointer(SimTypeChar()),      # lpCurrentDirectory
+        SimTypePointer(SimTypeBottom()),    # lpStartupInfo
+        SimTypePointer(SimTypeBottom()),    # lpProcessInformation
+    ], SimTypeInt()),
+
+    "CreateFileA": SimTypeFunction([
+        SimTypePointer(SimTypeChar()),      # lpFileName
+        SimTypeInt(),                       # dwDesiredAccess
+        SimTypeInt(),                       # dwShareMode
+        SimTypePointer(SimTypeBottom()),    # lpSecurityAttributes
+        SimTypeInt(),                       # dwCreationDisposition
+        SimTypeInt(),                       # dwFlagsAndAttributes
+        SimTypePointer(SimTypeBottom()),    # hTemplateFile
+    ], SimTypePointer(SimTypeBottom())),   # Returns HANDLE
+
+    "GetCommandLineA": SimTypeFunction([], SimTypePointer(SimTypeChar())),
+
+    # Example: GetEnvironmentVariableA from MSDN
+    "GetEnvironmentVariableA": SimTypeFunction([
+        SimTypePointer(SimTypeChar()),      # lpName
+        SimTypePointer(SimTypeChar()),      # lpBuffer  
+        SimTypeInt(),                       # nSize
+    ], SimTypeInt()),                       # Return: DWORD
+
+    "GetStdHandle": SimTypeFunction([
+        SimTypeInt(),                      # nStdHandle (DWORD)
+    ], SimTypePointer(SimTypeBottom())),# Returns HANDLE
+
+    "SetEnvironmentVariableA": SimTypeFunction([
+        SimTypePointer(SimTypeChar()),      # lpName
+        SimTypePointer(SimTypeChar()),      # lpValue
+    ], SimTypeInt()),                       # Return: BOOL (as int)
+
+    "CloseHandle": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # hObject (HANDLE)
+    ], SimTypeInt()),                       # Returns BOOL
+    "GlobalAlloc": SimTypeFunction([
+        SimTypeInt(signed=False),           # uFlags - allocation flags
+        SimTypeLong(signed=False),          # dwBytes - size in bytes
+    ], SimTypePointer(SimTypeBottom())),   # Returns: HGLOBAL (memory handle)
+
+    "GlobalFree": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # hMem - memory handle to free
+    ], SimTypePointer(SimTypeBottom())),   # Returns: HGLOBAL (NULL on success)
+    "HeapAlloc": SimTypeFunction([
+    SimTypePointer(SimTypeBottom()),       # hHeap (HANDLE)
+    SimTypeInt(),                          # dwFlags (DWORD)
+    SimTypeLong(signed=False),             # dwBytes (SIZE_T)
+    ], SimTypePointer(SimTypeBottom())),   # Returns LPVOID
+
+
+    "HeapFree": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # hHeap (HANDLE)
+        SimTypeInt(),                       # dwFlags (DWORD)
+        SimTypePointer(SimTypeBottom()),    # lpMem (LPVOID)
+    ], SimTypeInt()),                       # Returns BOOL
+    "LocalAlloc": SimTypeFunction([
+        SimTypeInt(signed=False),           # uFlags - allocation flags
+        SimTypeLong(signed=False),          # uBytes - size in bytes
+    ], SimTypePointer(SimTypeBottom())),   # Returns: HLOCAL (local memory handle)
+
+    "LocalFree": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # hMem - local memory handle to free
+    ], SimTypePointer(SimTypeBottom())),   # Returns: HLOCAL (NULL on success)
+    "lstrcatA": SimTypeFunction([
+        SimTypePointer(SimTypeChar()),      # lpString1 (destination)
+        SimTypePointer(SimTypeChar()),      # lpString2 (source to append)
+    ], SimTypePointer(SimTypeChar())),      # Returns lpString1
+
+    "lstrcpyA": SimTypeFunction([
+        SimTypePointer(SimTypeChar()),      # lpString1 (destination)
+        SimTypePointer(SimTypeChar()),      # lpString2 (source)
+    ], SimTypePointer(SimTypeChar())),      # Returns lpString1
+
+
+    "lstrlenA": SimTypeFunction([
+        SimTypePointer(SimTypeChar()),      # lpString
+    ], SimTypeInt()),                       # Returns int (string length)
+
+
+    "VirtualAlloc": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # lpAddress - starting address
+        SimTypeLong(signed=False),          # dwSize - size of allocation
+        SimTypeInt(signed=False),           # flAllocationType - allocation type
+        SimTypeInt(signed=False),           # flProtect - protection flags
+    ], SimTypePointer(SimTypeBottom())),   # Returns: LPVOID (allocated memory pointer)
+
+    "VirtualFree": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # lpAddress - address to free
+        SimTypeLong(signed=False),          # dwSize - size to free
+        SimTypeInt(signed=False),           # dwFreeType - free type flags
+    ], SimTypeInt()),                       # Returns: BOOL
+
+    "GetCurrentProcess": SimTypeFunction([
+    ], SimTypePointer(SimTypeBottom())),
+
+    "AcceptEx": SimTypeFunction([
+        SimTypeInt(),                       # SOCKET       sListenSocket
+        SimTypeInt(),                       # SOCKET       sAcceptSocket
+        SimTypePointer(SimTypeBottom()),    # PVOID        lpOutputBuffer
+        SimTypeInt(),                       # DWORD        dwReceiveDataLength
+        SimTypeInt(),                       # DWORD        dwLocalAddressLength
+        SimTypeInt(),                       # DWORD        dwRemoteAddressLength
+        SimTypePointer(SimTypeInt()),       # LPDWORD      lpdwBytesReceived
+        SimTypePointer(SimTypeBottom()),    # LPOVERLAPPED lpOverlapped
+    ], SimTypeInt()),                       # Return: BOOL
+
+    "InternetWriteFile": SimTypeFunction([
+        SimTypeInt(),                     # HINTERNET hFile
+        SimTypePointer(SimTypeBottom()),  # LPCVOID   lpBuffer
+        SimTypeInt(),                     # DWORD     dwNumberOfBytesToWrite
+        SimTypePointer(SimTypeInt()),     # LPDWORD   lpdwNumberOfBytesWritten
+    ], SimTypeInt()),                     # Return: BOOL
+    "FindFirstFileA": SimTypeFunction([
+        SimTypePointer(SimTypeChar(), label="LPCSTR"),           # lpFileName
+        SimTypePointer(SimTypeBottom(), label="LPWIN32_FIND_DATAA"),  # lpFindFileData
+    ], SimTypePointer(SimTypeBottom(), label="HANDLE")),          # Return
+
+    "GetModuleFileNameA": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # hModule
+        SimTypePointer(SimTypeChar()),      # lpFilename
+        SimTypeInt(),                       # nSize
+    ], SimTypeInt()),                       # Return: DWORD
+
+    "ReadProcessMemory": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # hProcess
+        SimTypePointer(SimTypeBottom()),    # lpBaseAddress
+        SimTypePointer(SimTypeBottom()),    # lpBuffer
+        SimTypeLong(signed=False),         # nSize
+        SimTypePointer(SimTypeLong(signed=False)),     # lpNumberOfBytesRead
+    ], SimTypeInt(signed=False)), 
+
+    "GetClipboardData": SimTypeFunction([
+        SimTypeInt(),                       # uFormat
+    ], SimTypePointer(SimTypeBottom())),      # Returns HANDLE
+
+    "ShellExecuteA": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # hwnd
+        SimTypePointer(SimTypeChar()),      # lpOperation
+        SimTypePointer(SimTypeChar()),      # lpFile
+        SimTypePointer(SimTypeChar()),      # lpParameters
+        SimTypePointer(SimTypeChar()),      # lpDirectory
+        SimTypeInt(),                       # nShowCmd
+    ], SimTypePointer(SimTypeInt())),       #Return: HINSTANCE (casts to int ptr)
+
+    "InternetReadFile": SimTypeFunction([
+        SimTypeInt(),                     # HINTERNET hFile
+        SimTypePointer(SimTypeBottom()),  # LPVOID lpBuffer
+        SimTypeInt(),                     # DWORD dwNumberOfBytesToRead
+        SimTypePointer(SimTypeInt()),     # LPDWORD lpdwNumberOfBytesRead
+    ], SimTypeInt()),                     # Return: BOOL
+
+    "WSARecv": SimTypeFunction([
+        SimTypeInt(),                           # SOCKET s
+        SimTypePointer(SimTypeBottom()),        # LPWSABUF lpBuffers
+        SimTypeInt(),                           # DWORD dwBufferCount
+        SimTypePointer(SimTypeInt()),           # LPDWORD lpNumberOfBytesRecvd
+        SimTypePointer(SimTypeInt()),           # LPDWORD lpFlags
+        SimTypePointer(SimTypeBottom()),        # LPWSAOVERLAPPED lpOverlapped
+        SimTypePointer(SimTypeBottom()),        # LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
+    ], SimTypeInt()),                           # Return: int
+
+    "WSARecvFrom": SimTypeFunction([
+        SimTypeInt(),                           # SOCKET s
+        SimTypePointer(SimTypeBottom()),        # LPWSABUF lpBuffers
+        SimTypeInt(),                           # DWORD dwBufferCount
+        SimTypePointer(SimTypeInt()),           # LPDWORD lpNumberOfBytesRecvd
+        SimTypePointer(SimTypeInt()),           # LPDWORD lpFlags
+        SimTypePointer(SimTypeBottom()),        # struct sockaddr *lpFrom
+        SimTypePointer(SimTypeInt()),           # LPINT lpFromlen
+        SimTypePointer(SimTypeBottom()),        # LPWSAOVERLAPPED lpOverlapped
+        SimTypePointer(SimTypeBottom()),        # LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
+    ], SimTypeInt()),                           # Return: int
+
+    "RegQueryValueExA": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # HKEY hKey
+        SimTypePointer(SimTypeChar()),      # LPCSTR lpValueName
+        SimTypePointer(SimTypeInt()),       # LPDWORD lpReserved
+        SimTypePointer(SimTypeInt()),       # LPDWORD lpType
+        SimTypePointer(SimTypeBottom()),    # LPBYTE lpData
+        SimTypePointer(SimTypeInt()),       # LPDWORD lpcbData
+    ], SimTypeLong(signed=True)),           # Return: LSTATUS (LONG)
+    # Registry deletion functions (ANSI and Unicode)
+    "RegDeleteKeyA": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # HKEY hKey
+        SimTypePointer(SimTypeChar()),      # LPCSTR lpSubKey
+    ], SimTypeLong(signed=True)),           # Return: LSTATUS
+
+    "RegDeleteKeyW": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # HKEY hKey
+        SimTypePointer(SimTypeChar()),      # LPCWSTR lpSubKey
+    ], SimTypeLong(signed=True)),           # Return: LSTATUS
+
+    "RegDeleteKeyExA": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # HKEY hKey
+        SimTypePointer(SimTypeChar()),      # LPCSTR lpSubKey
+        SimTypeInt(),                       # REGSAM samDesired
+        SimTypeLong(signed=True),           # DWORD Reserved
+    ], SimTypeLong(signed=True)),           # Return: LSTATUS
+
+    "RegDeleteKeyExW": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # HKEY hKey
+        SimTypePointer(SimTypeChar()),      # LPCWSTR lpSubKey
+        SimTypeInt(),                       # REGSAM samDesired
+        SimTypeLong(signed=True),           # DWORD Reserved
+    ], SimTypeLong(signed=True)),           # Return: LSTATUS
+
+    "RegDeleteKeyTransactedA": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # HKEY hKey
+        SimTypePointer(SimTypeChar()),      # LPCSTR lpSubKey
+        SimTypeInt(),                       # REGSAM samDesired
+        SimTypeLong(signed=True),           # DWORD Reserved
+        SimTypePointer(SimTypeBottom()),    # HANDLE hTransaction
+        SimTypePointer(SimTypeBottom()),    # PVOID pExtendedParameter
+    ], SimTypeLong(signed=True)),           # Return: LSTATUS
+
+    "RegDeleteKeyTransactedW": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # HKEY hKey
+        SimTypePointer(SimTypeChar()),      # LPCWSTR lpSubKey
+        SimTypeInt(),                       # REGSAM samDesired
+        SimTypeLong(signed=True),           # DWORD Reserved
+        SimTypePointer(SimTypeBottom()),    # HANDLE hTransaction
+        SimTypePointer(SimTypeBottom()),    # PVOID pExtendedParameter
+    ], SimTypeLong(signed=True)),           # Return: LSTATUS
+
+    "RegDeleteKeyValueA": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # HKEY hKey
+        SimTypePointer(SimTypeChar()),      # LPCSTR lpSubKey
+        SimTypePointer(SimTypeChar()),      # LPCSTR lpValueName
+    ], SimTypeLong(signed=True)),           # Return: LSTATUS
+
+    "RegDeleteKeyValueW": SimTypeFunction([
+        SimTypePointer(SimTypeBottom()),    # HKEY hKey
+        SimTypePointer(SimTypeChar()),      # LPCWSTR lpSubKey
+        SimTypePointer(SimTypeChar()),      # LPCWSTR lpValueName
+    ], SimTypeLong(signed=True)),           # Return: LSTATUS
 }
+
diff --git a/package/argument_resolver/external_function/input_functions.py b/package/argument_resolver/external_function/input_functions.py
@@ -10,8 +10,21 @@
     "recv",
     "recvfrom",
     "custom_param_parser",
+    "ReadConsoleA",
+    "GetCommandLineA",
 } | {x.name for x in VULN_TYPES["getter"]}
 
+INPUT_EXTERNAL_FUNCTIONS.add("GetEnvironmentVariableA")
+INPUT_EXTERNAL_FUNCTIONS.add("AcceptEx")
+INPUT_EXTERNAL_FUNCTIONS.add("FindFirstFileA")
+INPUT_EXTERNAL_FUNCTIONS.add("GetModuleFileNameA")
+INPUT_EXTERNAL_FUNCTIONS.add("ReadProcessMemory")
+INPUT_EXTERNAL_FUNCTIONS.add("GetClipboardData")
+INPUT_EXTERNAL_FUNCTIONS.add("InternetReadFile")
+INPUT_EXTERNAL_FUNCTIONS.add("WSARecv")
+INPUT_EXTERNAL_FUNCTIONS.add("WSARecvFrom")
+INPUT_EXTERNAL_FUNCTIONS.add("RegQueryValueExA")
+
 
 KEY_BEACONS = {
     "REQUEST_METHOD",

diff --git a/package/argument_resolver/external_function/sink/sink_lists.py b/package/argument_resolver/external_function/sink/sink_lists.py
@@ -42,6 +42,11 @@ class Sink:
     Sink(name="SLIBCExecv", vulnerable_parameters=[1]),
     Sink(name="SLIBCPopen", vulnerable_parameters=[1]),
     Sink(name="pegaSystem", vulnerable_parameters=[1]),
+    Sink(name="CreateProcessA", vulnerable_parameters=[2]), #[1,2]  # lpApplicationName, lpCommandLine
+    Sink(name="CreateFileA", vulnerable_parameters=[1]), # [1] lpFileName
+    Sink(name="InternetWriteFile", vulnerable_parameters=[2]),
+
+# Registry deletion sinks (all variants, parameter 2 is lpSubKey, parameter 3 is lpValueName for KeyValue)
 ]
 
 PATH_TRAVERSAL_SINKS: List[Sink] = [
@@ -100,4 +105,23 @@ class Sink:
     Sink(name="PTI_nvram_set", vulnerable_parameters=[2]),
 ]
 
+SETTER_SINKS.append(Sink(name="SetEnvironmentVariableA", vulnerable_parameters=[1, 2]))
+SETTER_SINKS.append(Sink(name="RegDeleteKeyA", vulnerable_parameters=[2]))
+SETTER_SINKS.append(Sink(name="RegDeleteKeyW", vulnerable_parameters=[2]))
+SETTER_SINKS.append(Sink(name="RegDeleteKeyExA", vulnerable_parameters=[2]))
+SETTER_SINKS.append(Sink(name="RegDeleteKeyExW", vulnerable_parameters=[2]))
+SETTER_SINKS.append(Sink(name="RegDeleteKeyTransactedA", vulnerable_parameters=[2]))
+SETTER_SINKS.append(Sink(name="RegDeleteKeyTransactedW", vulnerable_parameters=[2]))
+SETTER_SINKS.append(Sink(name="RegDeleteKeyValueA", vulnerable_parameters=[2, 3]))
+SETTER_SINKS.append(Sink(name="RegDeleteKeyValueW", vulnerable_parameters=[2, 3]))
+
 ENV_SINKS: List[Sink] = GETTER_SINKS + SETTER_SINKS
+
+#WIN32_PROCESS_SINKS: List[Sink] = [
+    # Sink(name="CreateProcessW", vulnerable_parameters=[1, 2]),
+    # Sink(name="WinExec", vulnerable_parameters=[1]),
+    # Sink(name="ShellExecuteA", vulnerable_parameters=[3, 4]),  # lpFile, lpParameters
+#]
+
+COMMAND_INJECTION_SINKS.append(Sink(name="ShellExecuteA", vulnerable_parameters=[3]))
+
diff --git a/package/argument_resolver/formatters/closure_formatter.py b/package/argument_resolver/formatters/closure_formatter.py
@@ -161,7 +161,7 @@ def format_multivalue_output(stored_func, atom, target_defn=None):
                     if defn not in val_defns:
                         continue
                     new_mv.add_value(offset, val)
-            if atom not in stored_func.constant_data:
+            if atom not in stored_func.constant_data or stored_func.constant_data[atom] is None or all(x is None for x in stored_func.constant_data[atom]):
                 constant_data = None
             else:
                 constant_data = stored_func.constant_data[atom]

diff --git a/package/argument_resolver/handlers/__init__.py b/package/argument_resolver/handlers/__init__.py
@@ -7,3 +7,4 @@
 from .unistd import UnistdHandlers
 from .network import NetworkHandlers
 from .url_param import URLParamHandlers
+from .win32 import WinHandlers