Beispiel #1
0
	def enter_call_back(self,bp):
		self.out = "RtlFreeHeap("
		if arch_bits == 32:
			esp = pykd.reg(stack_pointer)
			self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
			self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
			self.out += hex(pykd.ptrPtr(esp + 0xC)) + ") = "
		else:
			self.out += hex(pykd.reg("rcx")) + " , "
			self.out += hex(pykd.reg("rdx")) + " , " 
			self.out += hex(pykd.reg("r8")) + ") = "
		if self.bp_end == None:
			self.ret_addr = pykd.dbgCommand("dd esp L1").split()[1]
			self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
		return False
Beispiel #2
0
    def onException(self, exceptionInfo):
        '''
        Triggered exception event. This example handler only recoder exception which we interested.

        :param exceptionInfo: Exception information
        :return: For ignore event method must return eventResult.noChange
        '''
        eip = pykd.reg('eip')
        last_exception = str(pykd.getLastException())
        exc_code = exceptionInfo.exceptionCode
        self._target.logger.info("Got Exception Code: %s at eip:%s" % (hex(exc_code), hex(eip)))
        if exc_code in interesting_exception_codes.keys():
            self._target.is_crash.set()
            self._target.crash_dump_finished.clear()
            self._target.report.failed("Got Exception Code: %s:%s at eip:%s" % (
                hex(exc_code), interesting_exception_codes[exc_code], hex(eip)))
            self._target.report.add("Error Code", "%s:%s" % (hex(exc_code), interesting_exception_codes[exc_code]))
            self._target.report.add("Last Event", "%s" % last_exception)
            self._target.report.add("Stacks", str(pykd.dbgCommand("k")))
            self._target.crash_dump_finished.set()
            return pykd.eventResult.Break
        elif exc_code == break_in_exception_code:
            # Handle break in event
            self._target.logger.info("Break in at eip:%s" % hex(eip))
            return pykd.eventResult.Break
        return pykd.eventResult.NoChange
Beispiel #3
0
 def get_registers_sse(self, num=8):
     regs = {}
     for i in range(0, 16):
         try:
             reg = 'xmm{}'.format(i)
             regs[reg] = pykd.reg(reg)
         except:
             break
     return regs
Beispiel #4
0
 def enter_call_back(self, bp):
     self.out = "RtlReAllocateHeap("
     if arch_bits == 32:
         esp = pykd.reg(stack_pointer)
         self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
         self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
         self.out += hex(pykd.ptrPtr(esp + 0xC)) + " , "
         self.out += hex(pykd.ptrMWord(esp + 0x10)) + ") = "
     else:
         self.out += hex(pykd.reg("rcx")) + " , "
         self.out += hex(pykd.reg("rdx")) + " , "
         self.out += hex(pykd.reg("r8")) + " , "
         self.out += hex(pykd.reg("r9")) + ") = "
     if self.bp_end == None:
         self.ret_addr = pykd.dbgCommand("dd esp L1").split()[1]
         self.bp_end = pykd.setBp(int(self.ret_addr, 16),
                                  self.return_call_back)
     return False
Beispiel #5
0
 def get_registers_fpu(self):
     regs = {}
     for i in range(0, 8):
         try:
             reg = 'st{}'.format(i)
             regs[reg] = pykd.reg(reg)
         except:
             break
     return regs
Beispiel #6
0
 def get_registers_sse(self, num=8):
     regs = {}
     for i in range(0, 16):
         try:
             reg = 'xmm{}'.format(i)
             regs[reg] = pykd.reg(reg)
         except:
             break
     return regs
Beispiel #7
0
 def get_registers_fpu(self):
     regs = {}
     for i in range(0, 8):
         try:
             reg = 'st{}'.format(i)
             regs[reg] = pykd.reg(reg)
         except:
             break
     return regs
Beispiel #8
0
def allocHandlerFixedMallocOutOfLineAlloc(rets):
	"""Callback invoked when a FixedMalloc OutOfLine allocation is requested. 
	The function sets a breakpoint on the addresses within the function where 
	the allocation address is returned. """
	global GBP
	req_size = pykd.reg("edx")
	for ret in rets:
		GBP[ret] = pykd.setBp(ret, 
			lambda: allocServedFixedMallocOutOfLineAlloc(req_size, ret))
	return pykd.executionStatus.NoChange
Beispiel #9
0
def hookHandlerInterp():
	"""..."""
	global GBP
	# address of the func name as returned by getMethodName
	address = pykd.ptrPtr(pykd.reg("eax")+0x8) 
	if pykd.isValid(address):
		methodName = pykd.loadCStr(address)
		GBP['INTERP_RET'] = pykd.setBp((NPS["SetInterpRet"]-4), 
			lambda: hookHandlerInterpRet(methodName))
	return pykd.executionStatus.NoChange
Beispiel #10
0
 def enter_call_back(self, bp):
     self.out = "RtlFreeHeap("
     if arch_bits == 32:
         esp = pykd.reg(stack_pointer)
         self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
         self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
         self.out += hex(pykd.ptrPtr(esp + 0xC)) + ") = "
     else:
         self.out += hex(pykd.reg("rcx")) + " , "
         self.out += hex(pykd.reg("rdx")) + " , "
         self.out += hex(pykd.reg("r8")) + ") = "
     if self.bp_end == None:
         disas = pykd.dbgCommand("uf ntdll!RtlFreeHeap").split("\n")
         for i in disas:
             if "ret" in i:
                 self.ret_addr = i.split()[0]
                 break
         self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
     return False
Beispiel #11
0
 def enter_call_back(self, bp):
     self.out = "RtlAllocateHeap("
     esp = pykd.reg("esp")
     self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
     self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
     self.out += hex(pykd.ptrMWord(esp + 0xC)) + ") = "
     if self.bp_end == None:
         self.ret_addr = pykd.dbgCommand("dd esp L1").split()[1]
         self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
     return False
Beispiel #12
0
 def enter_call_back(self, bp):
     self.out = "RtlAllocateHeap("
     esp = pykd.reg("esp")
     self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
     self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
     self.out += hex(pykd.ptrMWord(esp + 0xC)) + ") = "
     if self.bp_end == None:
         self.ret_addr = pykd.dbgCommand("dd esp L1").split()[1]
         self.bp_end = pykd.setBp(int(self.ret_addr, 16),
                                  self.return_call_back)
     return False
Beispiel #13
0
	def _get_aim(self, aim):
		try:
			ret = to_int(aim)
		except:
			ret = 0
		if not ret:
			try:
				ret = pykd.reg(aim)
			except:
				ret = 0
		return ret
Beispiel #14
0
 def enter_call_back(self):
     self.out = 'RtlFreeHeap('
     if arch_bits == 32:
         esp = pykd.reg(stack_pointer)
         self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
         self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
         self.out += hex(pykd.ptrPtr(esp + 0xC)) + ") = "
     else:
         self.out += hex(pykd.reg("rcx")) + " , "
         self.out += hex(pykd.reg("rdx")) + " , "
         self.out += hex(pykd.reg("r8")) + ") = "
         if self.bp_end == None:
             disas = pykd.dbgCommand("uf ntdll!RtlFreeHeap").split('\n')
             for i in disas:
                 if 'ret' in i:
                     self.ret_addr = i.split()[0]
                     break
             self.bp_end = pykd.setBp(pykd.expr(self.ret_addr),
                                      self.return_call_back)
         return False
Beispiel #15
0
def allocHandlerFixedMalloc(ret_addr):
	"""Callback invoked when a FixedMalloc allcoation is requested.The function
	sets a breakpoint on the addresses within the function where the 
	allocation address is returned."""
	global GBP
	try:
		ret = ret_addr[pykd.reg("eip")]
		f_sig = pykd.dbgCommand("u 0x%x L1" % pykd.reg("eip"))
		# "0fdf1b82 81fef0070000    cmp     esi,7F0h"
		reg32 = f_sig.split()[-1].split(",")[0].strip()
		#print "[Debug] Signature: %s reg32: %s" % (signature, reg32)
		req_size = pykd.reg(reg32)
		GBP["FixedMallocBPs"][ret] = pykd.setBp(ret, 
							  lambda: allocServedFixedMalloc(ret, 
										req_size))
		return pykd.executionStatus.NoChange
	except IndexError:
		print "[!] Could not extract the register for the follwing"\
"instruction: %s" % f_sig
		return pykd.executionStatus.Break
Beispiel #16
0
    def update_regs(self):
        for reg_name in self.regs_name + self.seg_regs_name:
            reg_data = pykd.reg(reg_name)
            if reg_data != self.regs[reg_name]:  # is changed
                self.is_changed[reg_name] = True
            else:
                self.is_changed[reg_name] = False

            self.regs[reg_name] = reg_data
        # update sp & pc
        self.sp = self.regs[self.sp_name]
        self.pc = self.regs[self.pc_name]
Beispiel #17
0
def allocServedFixedMallocOutOfLineAlloc(allocsize, ret):
	"""Callback invoked just before the FixedMalloc OutOfLine function returns.
	EAX will store the allocation address"""
	global GBP
	allocaddress = pykd.reg("eax")
	# If allocsize is greater than 0x7f0 the allocation will be served by 
	# FixedMalloc::LargeAlloc
	if allocsize <= 0x7f0:
		if GBP["START_ALLOC_MONITOR"]:
			returned_allocsize = pykd.ptrPtr((allocaddress & 0xfffff000)+0x12)
			# FixedAlloc allocator
			allocator = pykd.ptrPtr((allocaddress & 0xfffff000)+0x1C)
			# FixedAlloc.h#L120
			# GCHeap *m_heap;            	//The heap from which we 
			#				//obtain memory
			# int m_heapPartition;		//The heap partition from which we
			#				//obtain memory
			# uint32_t m_itemsPerBlock;	//Number of items that fit in a block
			# uint32_t m_itemSize;		//Size of each individual item
			# FixedBlock* m_firstBlock;	//First block on list of free blocks
			# FixedBlock* m_lastBlock;	//Last block on list of free blocks
			# FixedBlock* m_firstFree;	//The lowest priority block that has 
			#				//free items
			# size_t    m_numBlocks;	//Number of blocks owned by this 
			#				//allocator
			if IsheapIsolVersion():
				heapPartition =  pykd.ptrPtr(allocator+0x4)
			else:
				heapPartition = "NotImplemented"
			kSizeClass = kSizeClassIndex[((allocsize+7)>>3)]
			MMgc_FixedMalloc_obj =\
				allocator - kSizeClass*NPS["FixedAllocSafeSize"] -\
				NPS["m_allocs_offset"]
			if NPS['ffmsize']:
				if NPS['ffmsize'] == returned_allocsize:
					print "[FixedMalloc::OutOfLineAlloc] Requested Allocation \
of size:0x%x Returned allocation of size:0x%x at address:0x%x \
(MMgc::FixedMalloc Instance: 0x%x HeapPartition: %s)" % (allocsize, 
							returned_allocsize, allocaddress, 
							MMgc_FixedMalloc_obj, heapPartition)
			else:
				print "[FixedMalloc::OutOfLineAlloc] Requested Allocation of \
size:0x%x Returned allocation of size:0x%x at address:0x%x \
(MMgc::FixedMalloc Instance: 0x%x HeapPartition: %s)" % (allocsize, 
							returned_allocsize, allocaddress, 
							MMgc_FixedMalloc_obj, heapPartition)
			GBP["AllocHistory"][allocaddress] = pykd.dbgCommand("kv") +\
			"\n\n" +\
			"\n\nRAW Stack data in case FPO is in place:\n\n" +\
			pykd.dbgCommand("dps esp L100")
	# Delete the breakpoint
	del GBP[ret]
	return pykd.executionStatus.NoChange
Beispiel #18
0
	def program_counter(self, target_id=0, thread_id=None):
		"""
		Get the value of the program counter register.
		"""
		arch = self.get_arch()
		if arch in self.reg_names:
			pc_name = self.reg_names[arch]['pc']
			pc = pykd.reg(pc_name)
		else:
			raise UnknownArchitectureException()

		return pc_name, pc
Beispiel #19
0
	def stack_pointer(self, target_id=0, thread_id=None):
		"""
		Get the value of the stack pointer register.
		"""
		arch = self.get_arch()
		if arch in self.reg_names:
			sp_name = self.reg_names[arch]['sp']
			sp = pykd.reg(sp_name)
		else:
			raise UnknownArchitectureException()

		return sp_name, sp
Beispiel #20
0
        def stack_pointer(self, target_id=0, thread_id=None):
            """
            Get the value of the stack pointer register.
            """
            arch = self.get_arch()
            if arch in self.reg_names:
                sp_name = self.reg_names[arch]['sp']
                sp = pykd.reg(sp_name)
            else:
                raise UnknownArchitectureException()

            return sp_name, sp
Beispiel #21
0
        def program_counter(self, target_id=0, thread_id=None):
            """
            Get the value of the program counter register.
            """
            arch = self.get_arch()
            if arch in self.reg_names:
                pc_name = self.reg_names[arch]['pc']
                pc = pykd.reg(pc_name)
            else:
                raise UnknownArchitectureException()

            return pc_name, pc
Beispiel #22
0
 def enter_call_back(self):
     self.condition = False
     time = datetime.datetime.now()
     current_alloc_size = (hex(pykd.ptrMWord(pykd.reg("esp") +
                                             0x10))).replace('L', '')
     if (current_alloc_size == alloc_size) or "null" in alloc_size:
         self.condition = True
         self.out = str(time)
         self.out += ", RtlReAllocateHeap("
         if arch_bits == 32:
             esp = pykd.reg(stack_pointer)
             self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
             self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
             self.out += hex(pykd.ptrPtr(esp + 0xC)) + " , "
             self.out += hex(pykd.ptrMWord(esp + 0x10)) + ") = "
         else:
             self.out += hex(pykd.reg("rcx")) + " , "
             self.out += hex(pykd.reg("rdx")) + " , "
             self.out += hex(pykd.reg("r8")) + " , "
             self.out += hex(pykd.reg("r9")) + ") = "
         if self.bp_end == None:
             disas = pykd.dbgCommand("uf ntdll!RtlReAllocateHeap").split(
                 '\n')
             for i in disas:
                 if 'ret' in i:
                     self.ret_addr = format64(i.split()[0])
                     break
             self.bp_end = pykd.setBp(int(self.ret_addr, 16),
                                      self.return_call_back)
         return False
Beispiel #23
0
    def get_arguments(self, count):
        arguments = []
        if self.debugger.get_arch() == 'AMD64':
            arguments.append(pykd.reg('rcx'))
            count -= 1

            if count > 0:
                arguments.append(pykd.reg('rdx'))
                count -= 1

            if count > 0:
                arguments.append(pykd.reg('r8'))
                count -= 1

            if count > 0:
                arguments.append(pykd.reg('r9'))
                count -= 1

            if count > 0:
                rsp = pykd.reg('rsp')
                arguments += pykd.loadQWords(int(rsp + 8), count)
        else:
            esp = pykd.reg('esp')
            arguments += pykd.loadDWords(int(esp + 4), count)

        return arguments
Beispiel #24
0
 def testCtor(self):
     if pykd.is64bitSystem():
         pykd.reg("rax")
     else:
         pykd.reg("eax")
          
     pykd.reg( 0 )
Beispiel #25
0
def allocServedHeapAllocSystem():
	"""Callback invoked when HeapAlloc is called."""
	global GBP
	if GBP["START_ALLOC_MONITOR"]:
		# LPVOID WINAPI HeapAlloc(
		  # _In_ HANDLE hHeap,
		  # _In_ DWORD  dwFlags,
		  # _In_ SIZE_T dwBytes
		# );
		size = pykd.ptrPtr(pykd.reg("esp")+0xC)
		heap = pykd.ptrPtr(pykd.reg("esp")+0x4)
		tid  = pykd.getCurrentThreadId() 
		if NPS['ihsize']:
			if NPS['ihsize'] == size:
				# Setup a breakpoint on the return address
				GBP["HeapAllocRet"] = pykd.setBp(pykd.ptrPtr(pykd.reg("esp")), 
					lambda: allocServedHeapAllocSystemRet(size, heap, tid))
		else:
			# Setup a breakpoint on the return address
			GBP["HeapAllocRet"] = pykd.setBp(pykd.ptrPtr(pykd.reg("esp")), 
				lambda: allocServedHeapAllocSystemRet(size, heap, tid))
	return pykd.executionStatus.NoChange
Beispiel #26
0
 def print_eflags(self):
     eflags = pykd.reg('efl')
     eflags_str = color.green("EFLAGS: {:#x}".format(eflags))
     eflags_str += " ["
     for bit, flag_name in self.context.eflags_tbl.items():
         is_set = eflags & (1 << bit)
         eflags_str += " "
         if is_set:
             eflags_str += color.dark_red(flag_name)
         else:
             eflags_str += color.green(flag_name)
     eflags_str += " ]"
     pykd.dprintln(eflags_str, dml=True)
Beispiel #27
0
	def enter_call_back(self,bp):
		self.out = "RtlAllocateHeap(" 
		esp = pykd.reg("esp")
		self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
		self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
		self.out += hex(pykd.ptrMWord(esp + 0xC)) + ") = "
		if self.bp_end == None:
			disas = pykd.dbgCommand("uf ntdll!RtlAllocateHeap").split('\n')
			for i in disas:
				if 'ret' in i:
					self.ret_addr = i.split()[0]
					break
			self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
		return False
Beispiel #28
0
def hookHandlerJit():
	"""Unlike setNative, setJit is a fairly simple in that the GprMethodProc
	parameted contains the resolved address of the jitted function.
	We simply need to read that register value."""
	global GBP
	# address of the func name as returned by getMethodName
	address = pykd.ptrPtr(pykd.reg("eax")+0x8) 
	# address of the jitted function
	jitfunc = pykd.ptrPtr(pykd.reg("esp")+0x28) 
	if pykd.isValid(address):
		methodName = pykd.loadCStr(address)
		if pykd.isValid(jitfunc):
			print "[&] JITTED METHOD: at 0x%x \t offset: 0x%x \t\tName: %s" %\
				(jitfunc,0,methodName.decode("utf-8","replace"))
			if NPS["TraceJit"] and methodName not in GBP['BP_FUNCS'] and\
					methodName not in GBP['BP_RFUNCS']:
				if NPS["Debug"]:
					print "[Debug] Setting bp for tracing on 0x%x" % jitfunc
				GBP[jitfunc] = pykd.setBp(jitfunc, lambda: functionHandler(methodName))
			func_breakpoints(methodName.decode("utf-8","replace"), jitfunc)		
		else:
			print "[!] No jitted function found. Something is likely wrong!!!"
	return pykd.executionStatus.NoChange
Beispiel #29
0
 def enter_call_back(self):
     time = datetime.datetime.now()
     self.out = str(time)
     self.out += ", VirtualAlloc("
     if arch_bits == 32:
         esp = pykd.reg(stack_pointer)
         self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
         self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
         self.out += hex(pykd.ptrMWord(esp + 0xC)) + " , "
         self.out += hex(pykd.ptrMWord(esp + 0x10)) + ") = "
     else:
         self.out += hex(pykd.reg("rcx")) + " , "
         self.out += hex(pykd.reg("rdx")) + " , "
         self.out += hex(pykd.reg("r8")) + " , "
         self.out += hex(pykd.reg("r9")) + ") = "
     if self.bp_end == None:
         disas = pykd.dbgCommand("uf kernelbase!VirtualAlloc").split('\n')
         for i in disas:
             if 'ret' in i:
                 self.ret_addr = format64(i.split()[0])
                 break
         self.bp_end = pykd.setBp(int(self.ret_addr, 16),
                                  self.return_call_back)
     return False
Beispiel #30
0
    def _cb_CIasin_pentium4(self, bp):
        sp = pykd.reg("esp")

        # reversed this a while a go now
        bridge = pykd.loadCStr((pykd.ptrPtr(sp + 0x78) + 0xb))
        print("(+) DEBUG ASIN: %s" % bridge)

        if self.bp_end_asin is None:
            disas = pykd.dbgCommand("uf %x" % self.asin_addr).split('\n')
            for i in disas:
                if 'ret' in i:
                    self.ret_addr = i.split()[0]
                    break
            self.bp_end_asin = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
        return False
Beispiel #31
0
def allocHandlerGCAlloc(rets):
	"""Callback invoked when a GC allocation is requested. The function
	sets a breakpoint on the addresses within the function where the 
	allocation address is returned."""
	global GBP
	req_size = pykd.ptrPtr(pykd.reg("esi")+0x20)
	GCAlloc = pykd.reg("ecx")
	#MMgc::GCAlloc::GCAlloc
	#mov     esi, ecx
	#...
	#mov     ecx, [esp+10h+SmallGCAllocHeapPartition]
	#mov     [esi+38h], edx
	#mov     [esi+3Ch], ecx  ; 0x3c is the partition index
	#mov     [esi+30h], eax
	if IsheapIsolVersion():
		Partition = pykd.ptrPtr(pykd.reg("esi")+0x3c)
	else:
		Partition = "NotImplemented"
	for ret in findAllocRets('GCAlloc::Alloc', func_sigs_ends['GCAllocEnd'], 
							 ["\xC2", "\x04", "\x00"]):
		GBP["GCAllocBPs"][ret] = pykd.setBp(ret, 
						lambda: allocServedGCAlloc(req_size, 
						ret, GCAlloc, Partition))
	return pykd.executionStatus.NoChange
Beispiel #32
0
    def updateView(self):

        s = ""

        try:
            i = 0
            while True:
                reg = pykd.reg(i)
                s += "%s    %x ( %d )\r\n" % (reg.name(), reg, reg)
                i += 1

        except pykd.BaseException:
            pass

        self.textArea.setPlainText(s)
Beispiel #33
0
    def __init__(self, base, config, *args, **kwargs):

         self.as_assert(base == None)
         self.as_assert(config.LOCATION=='windbg')
         self.as_assert(pykd.isKernelDebugging())
         self.dtb = pykd.reg('cr3')
         self.nt = pykd.module('nt')
         config.KDBG = self.nt.KdCopyDataBlock
         self.pageSize = pykd.pageSize()
         self.lowPage = pykd.ptrMWord(self.nt.MmLowestPhysicalPage)
         self.highPage = pykd.ptrMWord(self.nt.MmHighestPhysicalPage)
         self.spaces = [ ( self.lowPage*self.pageSize, (self.highPage -self.lowPage )*self.pageSize) ]

         super(PykdAddressSpace,self).__init__(base,config)

         self.name = "WinDBG Address Space"
Beispiel #34
0
    def __init__(self, base, config, *args, **kwargs):

        self.as_assert(base == None)
        self.as_assert(config.LOCATION == 'windbg')
        self.as_assert(pykd.isKernelDebugging())
        self.dtb = pykd.reg('cr3')
        self.nt = pykd.module('nt')
        config.KDBG = self.nt.KdCopyDataBlock
        self.pageSize = pykd.pageSize()
        self.lowPage = pykd.ptrMWord(self.nt.MmLowestPhysicalPage)
        self.highPage = pykd.ptrMWord(self.nt.MmHighestPhysicalPage)
        self.spaces = [(self.lowPage * self.pageSize,
                        (self.highPage - self.lowPage) * self.pageSize)]

        super(PykdAddressSpace, self).__init__(base, config)

        self.name = "WinDBG Address Space"
Beispiel #35
0
    def heap_free(self):
        self.chunk_mem = pykd.reg("rsi")
        self.alloc_size = pykd.reg("ebp")

        print("[+] chunk free @ 0x%x, size: 0x%x" %
              (pykd.reg("rsi"), pykd.reg("ebp")))

        for mem in SIG_CHUNK:
            if (mem == self.chunk_mem):
                print(
                    pykd.dbgCommand("db " + hex(pykd.reg("rsi")) + " l" +
                                    hex(pykd.reg("ebp"))))
                SIG_CHUNK.remove(mem)
        self.parse_pool()
Beispiel #36
0
def rewrite_filename():
    """
    Overwrite the terminating NUL-byte for the first filename.

    This effectively concatenates the first two filenames.
    """
    this = pykd.reg("ecx")
    buf = pykd.ptrPtr(this + 1036)
    buf_size = pykd.ptrDWord(this + 1040)

    files = list(Path().iterdir())
    files_hdr = len(files) * 4 * 2
    files_len = files_hdr + sum(len(x.name) + 1 for x in files)

    if files_len == buf_size:
        names = pykd.loadBytes(buf + files_hdr, buf_size - files_hdr)
        for i, byte in enumerate(names):
            if byte == 0:
                pykd.writeBytes(buf + files_hdr + i, [0x41])
                break
Beispiel #37
0
def hookHandlerInterpRet(methodName):
	"""..."""
	global GBP
	interpfunc = pykd.reg("eax") 
	if pykd.isValid(interpfunc):
		print "[#] INTERP STUB: at 0x%x \t offset: 0x%x \t\tName: %s" %\
			(interpfunc,0,methodName.decode("utf-8","replace"))
		if NPS["TraceInterp"] and methodName not in GBP['BP_FUNCS'] and\
				methodName not in GBP['BP_RFUNCS']:
			if NPS["Debug"]:
				print "[Debug] Setting bp for tracing on 0x%x" % interpfunc
			GBP[interpfunc] = pykd.setBp(interpfunc, lambda: functionHandler(methodName))
		func_breakpoints(methodName.decode("utf-8","replace"), interpfunc)		
	else:
		print "[!] No interp stub found. Something is likely wrong!!!"
	try:
		del GBP['INTERP_RET']
	except KeyError:
		pass
	return pykd.executionStatus.NoChange
Beispiel #38
0
def allocServedGCAlloc(req_size, ret, GCAlloc, Partition):
	"""Callback invoked just before the GCAlloc function returns.
	EAX will store the allocation address"""
	global GBP
	allocaddress = pykd.reg("eax")
	GCAllocBase = pykd.ptrPtr((allocaddress & 0xfffff000)+0xC)
	returned_allocsize =  pykd.ptrPtr((allocaddress & 0xfffff000)+0x4)
	if GBP["START_ALLOC_MONITOR"]:
		if NPS['fgcsize']:
			if NPS['fgcsize'] == returned_allocsize:
				print "[GCAlloc::Alloc] Requested allocation 0x%x Returned \
allocation of size:0x%x at address: 0x%x: HeapPartition: %s" %\
				(req_size, returned_allocsize, allocaddress, Partition)
		else:
			print "[GCAlloc::Alloc] Requested allocation 0x%x Returned \
allocation of size:0x%x at address: 0x%x HeapPartition: %s" %\
			(req_size, returned_allocsize, allocaddress, Partition)
		GBP["AllocHistory"][allocaddress] = pykd.dbgCommand("kv") +\
		"\n\nRAW Stack data in case FPO is in place:\n\n" +\
		pykd.dbgCommand("dps esp L100")
	# Delete the breakpoints
	del GBP["GCAllocBPs"][ret]
	return pykd.executionStatus.NoChange
Beispiel #39
0
    def GetCallParameters(self, count, is_syscall=False):
        if is_syscall:
            bits = 64  #TODO: support 32 bit
            parameter_values = pykd.loadQWords(pykd.reg("r10"),
                                               len(parameter_definition))
        else:
            parameters = []
            try:
                bits = 64
                parameters = []

                if count > 0:
                    parameters.append(pykd.reg("rcx"))
                    if count > 1:
                        parameters.append(pykd.reg("rdx"))
                        if count > 2:
                            parameters.append(pykd.reg("r8"))
                            if count > 3:
                                parameters.append(pykd.reg("r9"))
                                if count > 4:
                                    try:
                                        rsp = pykd.reg("rsp")
                                        parameters += pykd.loadQWords(
                                            rsp + 8, count - 4)
                                    except:
                                        self.Logger.info(
                                            'Accessing memory %x failed',
                                            rsp + 8)

            except:
                bits = 32
                esp = pykd.reg("esp")
                try:
                    parameters = pykd.loadDWords(esp + 4, count)
                except:
                    self.Logger.info('Accessing memory %x failed', esp)

        return (bits, parameters)
Beispiel #40
0
        
    lines = r_o.split("\n")

    print lines[len(lines)-2]
    sumFile.write("Crash Inst: " + lines[len(lines)-2])
    sumFile.write("\n")

    # Need to use the full path
    loadRet = pykd.dbgCommand("!load E:/Security/msec.dll")
    expRet = pykd.dbgCommand("!exploitable")
    #print loadRet
    print expRet
    sumFile.write(expRet)
    sumFile.write("\n")

    eip = pykd.reg("eip")
    sumFile.write("eip: " + str(hex(eip)))
    sumFile.write("\n")
    sumFile.write("\n") 

    pykd.killAllProcesses()

    #break
    
    time.sleep(2)

sumFile.close()



#stackList = pykd.getStack()
Beispiel #41
0
	def return_call_back(self,bp):
		self.out += hex(pykd.reg(return_reg))
		print self.out
		return False
Beispiel #42
0
        def registers(self, target_id=0, thread_id=None, registers=[]):
            """
            Get the register values for a given target/thread.
            """
            arch = self.get_arch()

            # if we got 'sp' or 'pc' in registers, change it to whatever the right name is for the current arch
            if arch in self.reg_names:
                if "pc" in registers:
                    registers.remove("pc")
                    registers.append(self.reg_names[arch]["pc"])
                if "sp" in registers:
                    registers.remove("sp")
                    registers.append(self.reg_names[arch]["sp"])
            else:
                raise Exception("Unsupported architecture: {}".format(target["arch"]))

            # get registers
            if registers != []:
                vals = {}
                for reg in registers:
                    vals[reg] = pykd.reg(reg)
            else:
                log.debug("Getting registers for arch {}".format(arch))
                if arch == "x86_64":
                    reg_names = [
                        "rax",
                        "rbx",
                        "rcx",
                        "rdx",
                        "rbp",
                        "rsp",
                        "rdi",
                        "rsi",
                        "rip",
                        "r8",
                        "r9",
                        "r10",
                        "r11",
                        "r12",
                        "r13",
                        "r14",
                        "r15",
                        "cs",
                        "ds",
                        "es",
                        "fs",
                        "gs",
                        "ss",
                    ]
                elif arch == "x86":
                    reg_names = [
                        "eax",
                        "ebx",
                        "ecx",
                        "edx",
                        "ebp",
                        "esp",
                        "edi",
                        "esi",
                        "eip",
                        "cs",
                        "ds",
                        "es",
                        "fs",
                        "gs",
                        "ss",
                    ]
                else:
                    raise UnknownArchitectureException()

                vals = {}
                for reg in reg_names:
                    try:
                        vals[reg] = pykd.reg(reg)
                    except:
                        log.debug("Failed getting reg: " + reg)
                        vals[reg] = "N/A"

                # Get flags
                try:
                    vals["rflags"] = pykd.reg(reg)
                except:
                    log.debug("Failed getting reg: eflags")
                    vals["rflags"] = "N/A"

                # Get SSE registers
                try:
                    vals.update(self.get_registers_sse(16))
                except:
                    log.exception("Failed to get SSE registers")

                # Get FPU registers
                try:
                    vals.update(self.get_registers_fpu())
                except:
                    log.exception("Failed to get FPU registers")

            return vals
Beispiel #43
0
        def registers(self, target_id=0, thread_id=None, registers=[]):
            """
            Get the register values for a given target/thread.
            """
            arch = self.get_arch()

            # if we got 'sp' or 'pc' in registers, change it to whatever the right name is for the current arch
            if arch in self.reg_names:
                if 'pc' in registers:
                    registers.remove('pc')
                    registers.append(self.reg_names[arch]['pc'])
                if 'sp' in registers:
                    registers.remove('sp')
                    registers.append(self.reg_names[arch]['sp'])
            else:
                raise Exception("Unsupported architecture: {}".format(target['arch']))

            # get registers
            if registers != []:
                vals = {}
                for reg in registers:
                    vals[reg] = pykd.reg(reg)
            else:
                log.debug('Getting registers for arch {}'.format(arch))
                if arch == "x86_64":
                    reg_names = ['rax', 'rbx', 'rcx', 'rdx', 'rbp', 'rsp', 'rdi', 'rsi', 'rip', 'r8', 'r9', 'r10',
                                 'r11', 'r12', 'r13', 'r14', 'r15', 'cs', 'ds', 'es', 'fs', 'gs', 'ss']
                elif arch == "x86":
                    reg_names = ['eax', 'ebx', 'ecx', 'edx', 'ebp', 'esp', 'edi', 'esi', 'eip', 'cs', 'ds', 'es',
                                 'fs', 'gs', 'ss']
                else:
                    raise UnknownArchitectureException()

                vals = {}
                for reg in reg_names:
                    try:
                        vals[reg] = pykd.reg(reg)
                    except:
                        log.debug('Failed getting reg: ' + reg)
                        vals[reg] = 'N/A'

                # Get flags
                try:
                    vals['rflags'] = pykd.reg(reg)
                except:
                    log.debug('Failed getting reg: eflags')
                    vals['rflags'] = 'N/A'

                # Get SSE registers
                try:
                    vals.update(self.get_registers_sse(16))
                except:
                    log.exception("Failed to get SSE registers")

                # Get FPU registers
                try:
                    vals.update(self.get_registers_fpu())
                except:
                    log.exception("Failed to get FPU registers")

            return vals
Beispiel #44
0
            self.out += hex(pykd.reg("rdx")) + " , "
            self.out += hex(pykd.reg("r8")) + " , "
            self.out += hex(pykd.reg("r9")) + ") = "
        if self.bp_end == None:
            disas = pykd.dbgCommand("uf ntdll!RtlReAllocateHeap").split("\n")
            for i in disas:
                if "ret" in i:
                    self.ret_addr = i.split()[0]
                    break
            self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
        return False

    def return_call_back(self, bp):
        log.write(self.out + hex(pykd.reg(return_reg)) + "\n")
        return False


log = open(home + "\log.log", "w+")

try:
    pykd.reg("rax")
except:
    arch_bits = 32
    return_reg = "eax"
    stack_pointer = "esp"

handle_allocate_heap()
handle_free_heap()
handle_realloc_heap()
pykd.go()
Beispiel #45
0
 def return_call_back(self, bp):
     log.write(self.out + hex(pykd.reg(return_reg)) + "\n")
     return False
Beispiel #46
0
 def return_call_back(self, bp):
     # returns a BOOLEAN which is a byte under the hood
     ret_val = hex(pykd.reg("al"))
     log.write(self.out + ret_val + "\n")
     return False