def enter_call_back(self,bp): self.out = "RtlFreeHeap(" if arch_bits == 32: esp = pykd.reg(stack_pointer) self.out += hex(pykd.ptrPtr(esp + 4)) + " , " self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , " self.out += hex(pykd.ptrPtr(esp + 0xC)) + ") = " else: self.out += hex(pykd.reg("rcx")) + " , " self.out += hex(pykd.reg("rdx")) + " , " self.out += hex(pykd.reg("r8")) + ") = " if self.bp_end == None: self.ret_addr = pykd.dbgCommand("dd esp L1").split()[1] self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back) return False
def onException(self, exceptionInfo): ''' Triggered exception event. This example handler only recoder exception which we interested. :param exceptionInfo: Exception information :return: For ignore event method must return eventResult.noChange ''' eip = pykd.reg('eip') last_exception = str(pykd.getLastException()) exc_code = exceptionInfo.exceptionCode self._target.logger.info("Got Exception Code: %s at eip:%s" % (hex(exc_code), hex(eip))) if exc_code in interesting_exception_codes.keys(): self._target.is_crash.set() self._target.crash_dump_finished.clear() self._target.report.failed("Got Exception Code: %s:%s at eip:%s" % ( hex(exc_code), interesting_exception_codes[exc_code], hex(eip))) self._target.report.add("Error Code", "%s:%s" % (hex(exc_code), interesting_exception_codes[exc_code])) self._target.report.add("Last Event", "%s" % last_exception) self._target.report.add("Stacks", str(pykd.dbgCommand("k"))) self._target.crash_dump_finished.set() return pykd.eventResult.Break elif exc_code == break_in_exception_code: # Handle break in event self._target.logger.info("Break in at eip:%s" % hex(eip)) return pykd.eventResult.Break return pykd.eventResult.NoChange
def get_registers_sse(self, num=8): regs = {} for i in range(0, 16): try: reg = 'xmm{}'.format(i) regs[reg] = pykd.reg(reg) except: break return regs
def enter_call_back(self, bp): self.out = "RtlReAllocateHeap(" if arch_bits == 32: esp = pykd.reg(stack_pointer) self.out += hex(pykd.ptrPtr(esp + 4)) + " , " self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , " self.out += hex(pykd.ptrPtr(esp + 0xC)) + " , " self.out += hex(pykd.ptrMWord(esp + 0x10)) + ") = " else: self.out += hex(pykd.reg("rcx")) + " , " self.out += hex(pykd.reg("rdx")) + " , " self.out += hex(pykd.reg("r8")) + " , " self.out += hex(pykd.reg("r9")) + ") = " if self.bp_end == None: self.ret_addr = pykd.dbgCommand("dd esp L1").split()[1] self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back) return False
def get_registers_fpu(self): regs = {} for i in range(0, 8): try: reg = 'st{}'.format(i) regs[reg] = pykd.reg(reg) except: break return regs
def allocHandlerFixedMallocOutOfLineAlloc(rets): """Callback invoked when a FixedMalloc OutOfLine allocation is requested. The function sets a breakpoint on the addresses within the function where the allocation address is returned. """ global GBP req_size = pykd.reg("edx") for ret in rets: GBP[ret] = pykd.setBp(ret, lambda: allocServedFixedMallocOutOfLineAlloc(req_size, ret)) return pykd.executionStatus.NoChange
def hookHandlerInterp(): """...""" global GBP # address of the func name as returned by getMethodName address = pykd.ptrPtr(pykd.reg("eax")+0x8) if pykd.isValid(address): methodName = pykd.loadCStr(address) GBP['INTERP_RET'] = pykd.setBp((NPS["SetInterpRet"]-4), lambda: hookHandlerInterpRet(methodName)) return pykd.executionStatus.NoChange
def enter_call_back(self, bp): self.out = "RtlFreeHeap(" if arch_bits == 32: esp = pykd.reg(stack_pointer) self.out += hex(pykd.ptrPtr(esp + 4)) + " , " self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , " self.out += hex(pykd.ptrPtr(esp + 0xC)) + ") = " else: self.out += hex(pykd.reg("rcx")) + " , " self.out += hex(pykd.reg("rdx")) + " , " self.out += hex(pykd.reg("r8")) + ") = " if self.bp_end == None: disas = pykd.dbgCommand("uf ntdll!RtlFreeHeap").split("\n") for i in disas: if "ret" in i: self.ret_addr = i.split()[0] break self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back) return False
def enter_call_back(self, bp): self.out = "RtlAllocateHeap(" esp = pykd.reg("esp") self.out += hex(pykd.ptrPtr(esp + 4)) + " , " self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , " self.out += hex(pykd.ptrMWord(esp + 0xC)) + ") = " if self.bp_end == None: self.ret_addr = pykd.dbgCommand("dd esp L1").split()[1] self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back) return False
def _get_aim(self, aim): try: ret = to_int(aim) except: ret = 0 if not ret: try: ret = pykd.reg(aim) except: ret = 0 return ret
def enter_call_back(self): self.out = 'RtlFreeHeap(' if arch_bits == 32: esp = pykd.reg(stack_pointer) self.out += hex(pykd.ptrPtr(esp + 4)) + " , " self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , " self.out += hex(pykd.ptrPtr(esp + 0xC)) + ") = " else: self.out += hex(pykd.reg("rcx")) + " , " self.out += hex(pykd.reg("rdx")) + " , " self.out += hex(pykd.reg("r8")) + ") = " if self.bp_end == None: disas = pykd.dbgCommand("uf ntdll!RtlFreeHeap").split('\n') for i in disas: if 'ret' in i: self.ret_addr = i.split()[0] break self.bp_end = pykd.setBp(pykd.expr(self.ret_addr), self.return_call_back) return False
def allocHandlerFixedMalloc(ret_addr): """Callback invoked when a FixedMalloc allcoation is requested.The function sets a breakpoint on the addresses within the function where the allocation address is returned.""" global GBP try: ret = ret_addr[pykd.reg("eip")] f_sig = pykd.dbgCommand("u 0x%x L1" % pykd.reg("eip")) # "0fdf1b82 81fef0070000 cmp esi,7F0h" reg32 = f_sig.split()[-1].split(",")[0].strip() #print "[Debug] Signature: %s reg32: %s" % (signature, reg32) req_size = pykd.reg(reg32) GBP["FixedMallocBPs"][ret] = pykd.setBp(ret, lambda: allocServedFixedMalloc(ret, req_size)) return pykd.executionStatus.NoChange except IndexError: print "[!] Could not extract the register for the follwing"\ "instruction: %s" % f_sig return pykd.executionStatus.Break
def update_regs(self): for reg_name in self.regs_name + self.seg_regs_name: reg_data = pykd.reg(reg_name) if reg_data != self.regs[reg_name]: # is changed self.is_changed[reg_name] = True else: self.is_changed[reg_name] = False self.regs[reg_name] = reg_data # update sp & pc self.sp = self.regs[self.sp_name] self.pc = self.regs[self.pc_name]
def allocServedFixedMallocOutOfLineAlloc(allocsize, ret): """Callback invoked just before the FixedMalloc OutOfLine function returns. EAX will store the allocation address""" global GBP allocaddress = pykd.reg("eax") # If allocsize is greater than 0x7f0 the allocation will be served by # FixedMalloc::LargeAlloc if allocsize <= 0x7f0: if GBP["START_ALLOC_MONITOR"]: returned_allocsize = pykd.ptrPtr((allocaddress & 0xfffff000)+0x12) # FixedAlloc allocator allocator = pykd.ptrPtr((allocaddress & 0xfffff000)+0x1C) # FixedAlloc.h#L120 # GCHeap *m_heap; //The heap from which we # //obtain memory # int m_heapPartition; //The heap partition from which we # //obtain memory # uint32_t m_itemsPerBlock; //Number of items that fit in a block # uint32_t m_itemSize; //Size of each individual item # FixedBlock* m_firstBlock; //First block on list of free blocks # FixedBlock* m_lastBlock; //Last block on list of free blocks # FixedBlock* m_firstFree; //The lowest priority block that has # //free items # size_t m_numBlocks; //Number of blocks owned by this # //allocator if IsheapIsolVersion(): heapPartition = pykd.ptrPtr(allocator+0x4) else: heapPartition = "NotImplemented" kSizeClass = kSizeClassIndex[((allocsize+7)>>3)] MMgc_FixedMalloc_obj =\ allocator - kSizeClass*NPS["FixedAllocSafeSize"] -\ NPS["m_allocs_offset"] if NPS['ffmsize']: if NPS['ffmsize'] == returned_allocsize: print "[FixedMalloc::OutOfLineAlloc] Requested Allocation \ of size:0x%x Returned allocation of size:0x%x at address:0x%x \ (MMgc::FixedMalloc Instance: 0x%x HeapPartition: %s)" % (allocsize, returned_allocsize, allocaddress, MMgc_FixedMalloc_obj, heapPartition) else: print "[FixedMalloc::OutOfLineAlloc] Requested Allocation of \ size:0x%x Returned allocation of size:0x%x at address:0x%x \ (MMgc::FixedMalloc Instance: 0x%x HeapPartition: %s)" % (allocsize, returned_allocsize, allocaddress, MMgc_FixedMalloc_obj, heapPartition) GBP["AllocHistory"][allocaddress] = pykd.dbgCommand("kv") +\ "\n\n" +\ "\n\nRAW Stack data in case FPO is in place:\n\n" +\ pykd.dbgCommand("dps esp L100") # Delete the breakpoint del GBP[ret] return pykd.executionStatus.NoChange
def program_counter(self, target_id=0, thread_id=None): """ Get the value of the program counter register. """ arch = self.get_arch() if arch in self.reg_names: pc_name = self.reg_names[arch]['pc'] pc = pykd.reg(pc_name) else: raise UnknownArchitectureException() return pc_name, pc
def stack_pointer(self, target_id=0, thread_id=None): """ Get the value of the stack pointer register. """ arch = self.get_arch() if arch in self.reg_names: sp_name = self.reg_names[arch]['sp'] sp = pykd.reg(sp_name) else: raise UnknownArchitectureException() return sp_name, sp
def enter_call_back(self): self.condition = False time = datetime.datetime.now() current_alloc_size = (hex(pykd.ptrMWord(pykd.reg("esp") + 0x10))).replace('L', '') if (current_alloc_size == alloc_size) or "null" in alloc_size: self.condition = True self.out = str(time) self.out += ", RtlReAllocateHeap(" if arch_bits == 32: esp = pykd.reg(stack_pointer) self.out += hex(pykd.ptrPtr(esp + 4)) + " , " self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , " self.out += hex(pykd.ptrPtr(esp + 0xC)) + " , " self.out += hex(pykd.ptrMWord(esp + 0x10)) + ") = " else: self.out += hex(pykd.reg("rcx")) + " , " self.out += hex(pykd.reg("rdx")) + " , " self.out += hex(pykd.reg("r8")) + " , " self.out += hex(pykd.reg("r9")) + ") = " if self.bp_end == None: disas = pykd.dbgCommand("uf ntdll!RtlReAllocateHeap").split( '\n') for i in disas: if 'ret' in i: self.ret_addr = format64(i.split()[0]) break self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back) return False
def get_arguments(self, count): arguments = [] if self.debugger.get_arch() == 'AMD64': arguments.append(pykd.reg('rcx')) count -= 1 if count > 0: arguments.append(pykd.reg('rdx')) count -= 1 if count > 0: arguments.append(pykd.reg('r8')) count -= 1 if count > 0: arguments.append(pykd.reg('r9')) count -= 1 if count > 0: rsp = pykd.reg('rsp') arguments += pykd.loadQWords(int(rsp + 8), count) else: esp = pykd.reg('esp') arguments += pykd.loadDWords(int(esp + 4), count) return arguments
def testCtor(self): if pykd.is64bitSystem(): pykd.reg("rax") else: pykd.reg("eax") pykd.reg( 0 )
def allocServedHeapAllocSystem(): """Callback invoked when HeapAlloc is called.""" global GBP if GBP["START_ALLOC_MONITOR"]: # LPVOID WINAPI HeapAlloc( # _In_ HANDLE hHeap, # _In_ DWORD dwFlags, # _In_ SIZE_T dwBytes # ); size = pykd.ptrPtr(pykd.reg("esp")+0xC) heap = pykd.ptrPtr(pykd.reg("esp")+0x4) tid = pykd.getCurrentThreadId() if NPS['ihsize']: if NPS['ihsize'] == size: # Setup a breakpoint on the return address GBP["HeapAllocRet"] = pykd.setBp(pykd.ptrPtr(pykd.reg("esp")), lambda: allocServedHeapAllocSystemRet(size, heap, tid)) else: # Setup a breakpoint on the return address GBP["HeapAllocRet"] = pykd.setBp(pykd.ptrPtr(pykd.reg("esp")), lambda: allocServedHeapAllocSystemRet(size, heap, tid)) return pykd.executionStatus.NoChange
def print_eflags(self): eflags = pykd.reg('efl') eflags_str = color.green("EFLAGS: {:#x}".format(eflags)) eflags_str += " [" for bit, flag_name in self.context.eflags_tbl.items(): is_set = eflags & (1 << bit) eflags_str += " " if is_set: eflags_str += color.dark_red(flag_name) else: eflags_str += color.green(flag_name) eflags_str += " ]" pykd.dprintln(eflags_str, dml=True)
def enter_call_back(self,bp): self.out = "RtlAllocateHeap(" esp = pykd.reg("esp") self.out += hex(pykd.ptrPtr(esp + 4)) + " , " self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , " self.out += hex(pykd.ptrMWord(esp + 0xC)) + ") = " if self.bp_end == None: disas = pykd.dbgCommand("uf ntdll!RtlAllocateHeap").split('\n') for i in disas: if 'ret' in i: self.ret_addr = i.split()[0] break self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back) return False
def hookHandlerJit(): """Unlike setNative, setJit is a fairly simple in that the GprMethodProc parameted contains the resolved address of the jitted function. We simply need to read that register value.""" global GBP # address of the func name as returned by getMethodName address = pykd.ptrPtr(pykd.reg("eax")+0x8) # address of the jitted function jitfunc = pykd.ptrPtr(pykd.reg("esp")+0x28) if pykd.isValid(address): methodName = pykd.loadCStr(address) if pykd.isValid(jitfunc): print "[&] JITTED METHOD: at 0x%x \t offset: 0x%x \t\tName: %s" %\ (jitfunc,0,methodName.decode("utf-8","replace")) if NPS["TraceJit"] and methodName not in GBP['BP_FUNCS'] and\ methodName not in GBP['BP_RFUNCS']: if NPS["Debug"]: print "[Debug] Setting bp for tracing on 0x%x" % jitfunc GBP[jitfunc] = pykd.setBp(jitfunc, lambda: functionHandler(methodName)) func_breakpoints(methodName.decode("utf-8","replace"), jitfunc) else: print "[!] No jitted function found. Something is likely wrong!!!" return pykd.executionStatus.NoChange
def enter_call_back(self): time = datetime.datetime.now() self.out = str(time) self.out += ", VirtualAlloc(" if arch_bits == 32: esp = pykd.reg(stack_pointer) self.out += hex(pykd.ptrPtr(esp + 4)) + " , " self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , " self.out += hex(pykd.ptrMWord(esp + 0xC)) + " , " self.out += hex(pykd.ptrMWord(esp + 0x10)) + ") = " else: self.out += hex(pykd.reg("rcx")) + " , " self.out += hex(pykd.reg("rdx")) + " , " self.out += hex(pykd.reg("r8")) + " , " self.out += hex(pykd.reg("r9")) + ") = " if self.bp_end == None: disas = pykd.dbgCommand("uf kernelbase!VirtualAlloc").split('\n') for i in disas: if 'ret' in i: self.ret_addr = format64(i.split()[0]) break self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back) return False
def _cb_CIasin_pentium4(self, bp): sp = pykd.reg("esp") # reversed this a while a go now bridge = pykd.loadCStr((pykd.ptrPtr(sp + 0x78) + 0xb)) print("(+) DEBUG ASIN: %s" % bridge) if self.bp_end_asin is None: disas = pykd.dbgCommand("uf %x" % self.asin_addr).split('\n') for i in disas: if 'ret' in i: self.ret_addr = i.split()[0] break self.bp_end_asin = pykd.setBp(int(self.ret_addr, 16), self.return_call_back) return False
def allocHandlerGCAlloc(rets): """Callback invoked when a GC allocation is requested. The function sets a breakpoint on the addresses within the function where the allocation address is returned.""" global GBP req_size = pykd.ptrPtr(pykd.reg("esi")+0x20) GCAlloc = pykd.reg("ecx") #MMgc::GCAlloc::GCAlloc #mov esi, ecx #... #mov ecx, [esp+10h+SmallGCAllocHeapPartition] #mov [esi+38h], edx #mov [esi+3Ch], ecx ; 0x3c is the partition index #mov [esi+30h], eax if IsheapIsolVersion(): Partition = pykd.ptrPtr(pykd.reg("esi")+0x3c) else: Partition = "NotImplemented" for ret in findAllocRets('GCAlloc::Alloc', func_sigs_ends['GCAllocEnd'], ["\xC2", "\x04", "\x00"]): GBP["GCAllocBPs"][ret] = pykd.setBp(ret, lambda: allocServedGCAlloc(req_size, ret, GCAlloc, Partition)) return pykd.executionStatus.NoChange
def updateView(self): s = "" try: i = 0 while True: reg = pykd.reg(i) s += "%s %x ( %d )\r\n" % (reg.name(), reg, reg) i += 1 except pykd.BaseException: pass self.textArea.setPlainText(s)
def __init__(self, base, config, *args, **kwargs): self.as_assert(base == None) self.as_assert(config.LOCATION=='windbg') self.as_assert(pykd.isKernelDebugging()) self.dtb = pykd.reg('cr3') self.nt = pykd.module('nt') config.KDBG = self.nt.KdCopyDataBlock self.pageSize = pykd.pageSize() self.lowPage = pykd.ptrMWord(self.nt.MmLowestPhysicalPage) self.highPage = pykd.ptrMWord(self.nt.MmHighestPhysicalPage) self.spaces = [ ( self.lowPage*self.pageSize, (self.highPage -self.lowPage )*self.pageSize) ] super(PykdAddressSpace,self).__init__(base,config) self.name = "WinDBG Address Space"
def __init__(self, base, config, *args, **kwargs): self.as_assert(base == None) self.as_assert(config.LOCATION == 'windbg') self.as_assert(pykd.isKernelDebugging()) self.dtb = pykd.reg('cr3') self.nt = pykd.module('nt') config.KDBG = self.nt.KdCopyDataBlock self.pageSize = pykd.pageSize() self.lowPage = pykd.ptrMWord(self.nt.MmLowestPhysicalPage) self.highPage = pykd.ptrMWord(self.nt.MmHighestPhysicalPage) self.spaces = [(self.lowPage * self.pageSize, (self.highPage - self.lowPage) * self.pageSize)] super(PykdAddressSpace, self).__init__(base, config) self.name = "WinDBG Address Space"
def heap_free(self): self.chunk_mem = pykd.reg("rsi") self.alloc_size = pykd.reg("ebp") print("[+] chunk free @ 0x%x, size: 0x%x" % (pykd.reg("rsi"), pykd.reg("ebp"))) for mem in SIG_CHUNK: if (mem == self.chunk_mem): print( pykd.dbgCommand("db " + hex(pykd.reg("rsi")) + " l" + hex(pykd.reg("ebp")))) SIG_CHUNK.remove(mem) self.parse_pool()
def rewrite_filename(): """ Overwrite the terminating NUL-byte for the first filename. This effectively concatenates the first two filenames. """ this = pykd.reg("ecx") buf = pykd.ptrPtr(this + 1036) buf_size = pykd.ptrDWord(this + 1040) files = list(Path().iterdir()) files_hdr = len(files) * 4 * 2 files_len = files_hdr + sum(len(x.name) + 1 for x in files) if files_len == buf_size: names = pykd.loadBytes(buf + files_hdr, buf_size - files_hdr) for i, byte in enumerate(names): if byte == 0: pykd.writeBytes(buf + files_hdr + i, [0x41]) break
def hookHandlerInterpRet(methodName): """...""" global GBP interpfunc = pykd.reg("eax") if pykd.isValid(interpfunc): print "[#] INTERP STUB: at 0x%x \t offset: 0x%x \t\tName: %s" %\ (interpfunc,0,methodName.decode("utf-8","replace")) if NPS["TraceInterp"] and methodName not in GBP['BP_FUNCS'] and\ methodName not in GBP['BP_RFUNCS']: if NPS["Debug"]: print "[Debug] Setting bp for tracing on 0x%x" % interpfunc GBP[interpfunc] = pykd.setBp(interpfunc, lambda: functionHandler(methodName)) func_breakpoints(methodName.decode("utf-8","replace"), interpfunc) else: print "[!] No interp stub found. Something is likely wrong!!!" try: del GBP['INTERP_RET'] except KeyError: pass return pykd.executionStatus.NoChange
def allocServedGCAlloc(req_size, ret, GCAlloc, Partition): """Callback invoked just before the GCAlloc function returns. EAX will store the allocation address""" global GBP allocaddress = pykd.reg("eax") GCAllocBase = pykd.ptrPtr((allocaddress & 0xfffff000)+0xC) returned_allocsize = pykd.ptrPtr((allocaddress & 0xfffff000)+0x4) if GBP["START_ALLOC_MONITOR"]: if NPS['fgcsize']: if NPS['fgcsize'] == returned_allocsize: print "[GCAlloc::Alloc] Requested allocation 0x%x Returned \ allocation of size:0x%x at address: 0x%x: HeapPartition: %s" %\ (req_size, returned_allocsize, allocaddress, Partition) else: print "[GCAlloc::Alloc] Requested allocation 0x%x Returned \ allocation of size:0x%x at address: 0x%x HeapPartition: %s" %\ (req_size, returned_allocsize, allocaddress, Partition) GBP["AllocHistory"][allocaddress] = pykd.dbgCommand("kv") +\ "\n\nRAW Stack data in case FPO is in place:\n\n" +\ pykd.dbgCommand("dps esp L100") # Delete the breakpoints del GBP["GCAllocBPs"][ret] return pykd.executionStatus.NoChange
def GetCallParameters(self, count, is_syscall=False): if is_syscall: bits = 64 #TODO: support 32 bit parameter_values = pykd.loadQWords(pykd.reg("r10"), len(parameter_definition)) else: parameters = [] try: bits = 64 parameters = [] if count > 0: parameters.append(pykd.reg("rcx")) if count > 1: parameters.append(pykd.reg("rdx")) if count > 2: parameters.append(pykd.reg("r8")) if count > 3: parameters.append(pykd.reg("r9")) if count > 4: try: rsp = pykd.reg("rsp") parameters += pykd.loadQWords( rsp + 8, count - 4) except: self.Logger.info( 'Accessing memory %x failed', rsp + 8) except: bits = 32 esp = pykd.reg("esp") try: parameters = pykd.loadDWords(esp + 4, count) except: self.Logger.info('Accessing memory %x failed', esp) return (bits, parameters)
lines = r_o.split("\n") print lines[len(lines)-2] sumFile.write("Crash Inst: " + lines[len(lines)-2]) sumFile.write("\n") # Need to use the full path loadRet = pykd.dbgCommand("!load E:/Security/msec.dll") expRet = pykd.dbgCommand("!exploitable") #print loadRet print expRet sumFile.write(expRet) sumFile.write("\n") eip = pykd.reg("eip") sumFile.write("eip: " + str(hex(eip))) sumFile.write("\n") sumFile.write("\n") pykd.killAllProcesses() #break time.sleep(2) sumFile.close() #stackList = pykd.getStack()
def return_call_back(self,bp): self.out += hex(pykd.reg(return_reg)) print self.out return False
def registers(self, target_id=0, thread_id=None, registers=[]): """ Get the register values for a given target/thread. """ arch = self.get_arch() # if we got 'sp' or 'pc' in registers, change it to whatever the right name is for the current arch if arch in self.reg_names: if "pc" in registers: registers.remove("pc") registers.append(self.reg_names[arch]["pc"]) if "sp" in registers: registers.remove("sp") registers.append(self.reg_names[arch]["sp"]) else: raise Exception("Unsupported architecture: {}".format(target["arch"])) # get registers if registers != []: vals = {} for reg in registers: vals[reg] = pykd.reg(reg) else: log.debug("Getting registers for arch {}".format(arch)) if arch == "x86_64": reg_names = [ "rax", "rbx", "rcx", "rdx", "rbp", "rsp", "rdi", "rsi", "rip", "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15", "cs", "ds", "es", "fs", "gs", "ss", ] elif arch == "x86": reg_names = [ "eax", "ebx", "ecx", "edx", "ebp", "esp", "edi", "esi", "eip", "cs", "ds", "es", "fs", "gs", "ss", ] else: raise UnknownArchitectureException() vals = {} for reg in reg_names: try: vals[reg] = pykd.reg(reg) except: log.debug("Failed getting reg: " + reg) vals[reg] = "N/A" # Get flags try: vals["rflags"] = pykd.reg(reg) except: log.debug("Failed getting reg: eflags") vals["rflags"] = "N/A" # Get SSE registers try: vals.update(self.get_registers_sse(16)) except: log.exception("Failed to get SSE registers") # Get FPU registers try: vals.update(self.get_registers_fpu()) except: log.exception("Failed to get FPU registers") return vals
def registers(self, target_id=0, thread_id=None, registers=[]): """ Get the register values for a given target/thread. """ arch = self.get_arch() # if we got 'sp' or 'pc' in registers, change it to whatever the right name is for the current arch if arch in self.reg_names: if 'pc' in registers: registers.remove('pc') registers.append(self.reg_names[arch]['pc']) if 'sp' in registers: registers.remove('sp') registers.append(self.reg_names[arch]['sp']) else: raise Exception("Unsupported architecture: {}".format(target['arch'])) # get registers if registers != []: vals = {} for reg in registers: vals[reg] = pykd.reg(reg) else: log.debug('Getting registers for arch {}'.format(arch)) if arch == "x86_64": reg_names = ['rax', 'rbx', 'rcx', 'rdx', 'rbp', 'rsp', 'rdi', 'rsi', 'rip', 'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15', 'cs', 'ds', 'es', 'fs', 'gs', 'ss'] elif arch == "x86": reg_names = ['eax', 'ebx', 'ecx', 'edx', 'ebp', 'esp', 'edi', 'esi', 'eip', 'cs', 'ds', 'es', 'fs', 'gs', 'ss'] else: raise UnknownArchitectureException() vals = {} for reg in reg_names: try: vals[reg] = pykd.reg(reg) except: log.debug('Failed getting reg: ' + reg) vals[reg] = 'N/A' # Get flags try: vals['rflags'] = pykd.reg(reg) except: log.debug('Failed getting reg: eflags') vals['rflags'] = 'N/A' # Get SSE registers try: vals.update(self.get_registers_sse(16)) except: log.exception("Failed to get SSE registers") # Get FPU registers try: vals.update(self.get_registers_fpu()) except: log.exception("Failed to get FPU registers") return vals
self.out += hex(pykd.reg("rdx")) + " , " self.out += hex(pykd.reg("r8")) + " , " self.out += hex(pykd.reg("r9")) + ") = " if self.bp_end == None: disas = pykd.dbgCommand("uf ntdll!RtlReAllocateHeap").split("\n") for i in disas: if "ret" in i: self.ret_addr = i.split()[0] break self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back) return False def return_call_back(self, bp): log.write(self.out + hex(pykd.reg(return_reg)) + "\n") return False log = open(home + "\log.log", "w+") try: pykd.reg("rax") except: arch_bits = 32 return_reg = "eax" stack_pointer = "esp" handle_allocate_heap() handle_free_heap() handle_realloc_heap() pykd.go()
def return_call_back(self, bp): log.write(self.out + hex(pykd.reg(return_reg)) + "\n") return False
def return_call_back(self, bp): # returns a BOOLEAN which is a byte under the hood ret_val = hex(pykd.reg("al")) log.write(self.out + ret_val + "\n") return False