Beispiel #1
0
    def create(self, func_entry_addr, callback_function):
        """Creates the hook.
        @param func_entry_addr: The address of the function entry to hook
        @type func_entry_addr: int (0<= func_entry_addr < 2**32)
        @param callback_function: Python callback function
        @type callback_function: Python function with parameter 
                                 (ExecutionContext)
        @return: C{True} on success. C{False} on failure
        """

        if not (0 <= func_entry_addr <= 0xffffffff):
            raise ValueError, "Invalid function entry address <> [0, 2**32]"

        # read disassembly and make sure we can at least 5 consecutive bytes
        # longest x86 instruction is 15 bytes:
        # add [ds:esi+ecx*2+0x67452301], 0xEFCDAB89
        code = memorymanager.read_addr(func_entry_addr, 20)
        save_code = ""
        while len(save_code) < 5:
            instr = pydasm.get_instruction(code, pydasm.MODE_32)
            if not instr:
                logging.warn("Cannot hook. Failed to disassemble bytes: \n" + \
                             binascii.hexlify(code))
                return False
            save_code += code[:instr.length]
            code = code[instr.length:]

        # create trampoline
        if not self.create_trampoline(
                func_entry_addr,
                func_entry_addr + len(save_code),
                save_code,
            [1],  #check locking
                callback_function):
            logging.warn("Failed to create trampoline")
            return False

        # overwrite the original code (write hook)
        tramp_offset = ctypes.addressof(
            self.trampoline) - (func_entry_addr + 5)
        hook_code = "\xE9" + struct.pack("I", tramp_offset)
        hook_code += "\x90" * (len(save_code) - 5)
        #hook_code = "\xeb\xfe" + hook_code

        if memorymanager.write_mem(func_entry_addr, hook_code):
            logging.debug("Successfully hooked target address %08x -> %08x" %\
                          (func_entry_addr, ctypes.addressof(self.trampoline)))
        else:
            logging.error("Failed to create hook at address %08x" % \
                          func_entry_addr)
            return False

        return True
Beispiel #2
0
    def create(self, func_entry_addr, callback_function):
        """Creates the hook.
        @param func_entry_addr: The address of the function entry to hook
        @type func_entry_addr: int (0<= func_entry_addr < 2**32)
        @param callback_function: Python callback function
        @type callback_function: Python function with parameter 
                                 (ExecutionContext)
        @return: C{True} on success. C{False} on failure
        """

        if not (0<= func_entry_addr <= 0xffffffff):
            raise ValueError, "Invalid function entry address <> [0, 2**32]"
        
        # read disassembly and make sure we can at least 5 consecutive bytes
        # longest x86 instruction is 15 bytes:
        # add [ds:esi+ecx*2+0x67452301], 0xEFCDAB89 
        code = memorymanager.read_addr(func_entry_addr, 20)
        save_code = ""
        while len(save_code) < 5:
            instr = pydasm.get_instruction(code, pydasm.MODE_32)
            if not instr:
                logging.warn("Cannot hook. Failed to disassemble bytes: \n" + \
                             binascii.hexlify(code))
                return False
            save_code += code[:instr.length]
            code = code[instr.length:]

        # create trampoline
        if not self.create_trampoline(func_entry_addr,
                                      func_entry_addr + len(save_code),
                                      save_code,
                                      [1], #check locking
                                      callback_function):
            logging.warn("Failed to create trampoline")
            return False

        # overwrite the original code (write hook)
        tramp_offset = ctypes.addressof(self.trampoline) - (func_entry_addr + 5)
        hook_code = "\xE9" + struct.pack("I", tramp_offset)
        hook_code += "\x90"*(len(save_code)-5)
        #hook_code = "\xeb\xfe" + hook_code

        if memorymanager.write_mem(func_entry_addr, hook_code):
            logging.debug("Successfully hooked target address %08x -> %08x" %\
                          (func_entry_addr, ctypes.addressof(self.trampoline)))
        else:
            logging.error("Failed to create hook at address %08x" % \
                          func_entry_addr)
            return False
        
        return True
Beispiel #3
0
    def __getattribute__(self, name):
        reg_name = name.upper()
        if not RegisterContext.offsets.has_key(reg_name):
            return object.__getattribute__(self, name)

        offset = RegisterContext.offsets[reg_name]
        data = memorymanager.read_addr(self.base_addr + offset, 4)
        if len(data) != 4:
            logging.warn("Cannot get register contents. Memory addres 0x%08x "\
                         "not readable" %\
                         self.base_addr + offset)
            return None

        return struct.unpack("I", data)[0]
Beispiel #4
0
    def __getattribute__(self, name):
        reg_name = name.upper()
        if not RegisterContext.offsets.has_key(reg_name):
            return object.__getattribute__(self, name)

        offset = RegisterContext.offsets[reg_name]
        data = memorymanager.read_addr(self.base_addr + offset, 4)
        if len(data) != 4:
            logging.warn("Cannot get register contents. Memory addres 0x%08x "\
                         "not readable" %\
                         self.base_addr + offset)
            return None

        return struct.unpack("I", data)[0]