def pf_hook(vm):
log("info", "Page Fault @ %#x" % vm.cpu.gpr.pc)
return True
#!/usr/bin/env python
#
# We are looking for "argv[1]" running under debian
#
# We install the Linux26.find_process_filter on cr3 writes
# The framework will call our filter Before each write
#
from ramooflax import VM, CPUFamily, OSFactory, OSAffinity, log
import sys
# create logging for this script
log.setup(info=True, fail=True)
if len(sys.argv) < 2:
log("fail", "gimme prog name")
sys.exit(-1)
# Target process
process_name = sys.argv[1]
# Some offsets for debian 2.6.32-5-486 kernel
settings = {
"thread_size": 8192,
"comm": 540,
"next": 240,
"mm": 268,
"pgd": 36
}
os = OSFactory(OSAffinity.Linux26, settings)
hook = os.find_process_filter(process_name)
#!/usr/bin/env python
#
# We are looking for "argv[1]" running under windows 7
#
# We install a filter on cr3 writes
# On each write, the vmm gives us control
# before the write operation
#
from ramooflax import VM, CPUFamily, OSFactory, OSAffinity, log
import sys
# create logging for this script
log.setup(info=True, fail=True)
if len(sys.argv) < 2:
log("fail", "gimme prog name")
sys.exit(-1)
# Target process
process_name = sys.argv[1]
# Some offsets for Windows 7 Premium FR 32 bits
settings = {"kprcb":0x20, "kthread":4,
"eprocess":0x150, "name":0x16c,
"cr3":0x18, "next":0xb8}
os = OSFactory(OSAffinity.Win7, settings)
hook = os.find_process_filter(process_name)
#
# Main
#
def pf_hook(vm):
log("info", "Page Fault @ %#x" % vm.cpu.gpr.pc)
return True
#
# Main
#
vm = VM(CPUFamily.AMD, "192.168.254.254:1234")
vm.attach()
vm.stop()
vm.cpu.filter_write_cr(3, hook)
while not vm.resume():
continue
vm.cpu.release_write_cr(3)
vm.cpu.set_active_cr3(os.get_process_cr3(), True, OSAffinity.Linux26)
vm.cpu.filter_exception(CPUException.page_fault, pf_hook)
vm.cpu.lbr.enable()
vm.resume()
log("info", vm.cpu.gpr)
log("info", vm.cpu.lbr)
vm.detach()
#
# Main
#
vm = VM(CPUFamily.AMD, "192.168.254.254:1234")
vm.attach()
vm.stop()
vm.cpu.breakpoints.add_data_w(vm.cpu.sr.tr+4, 4, hook)
while not vm.resume():
continue
vm.cpu.breakpoints.remove(1)
vm.cpu.set_active_cr3(os.get_process_cr3(), affinity=OSAffinity.Linux26)
log("foo", "found break process")
#
# Breakpoints handling
#
#1
vm.cpu.breakpoints.remove()
vm.cpu.breakpoints.add_insn(0x804844b)
vm.cpu.breakpoints.add_insn(0x804846b, lambda x:False)
while vm.resume():
continue
if vm.cpu.gpr.pc != 0x804846b:
log("fail", "failure 1")
vm.detach()
#
from ramooflax import VM, CPUFamily, log, disassemble
from amoco.arch.x86 import cpu_x86 as am
# create logging for this script
log.setup(info=True, fail=True)
def disasm_wrapper(addr, data):
return am.disassemble(data, address=addr)
def sstep_disasm(vm):
insns = disassemble(vm, disasm_wrapper, vm.cpu.code_location())
print insns.split('\n')[0]
return True
#
# Main
#
vm = VM(CPUFamily.Intel, "172.16.131.128:1337")
vm.attach()
vm.stop()
vm.cpu.breakpoints.filter(None, sstep_disasm)
log("info", "\n####\n#### type: vm.singlestep()\n####\n")
vm.interact(dict(globals(), **locals()))
vm.detach()
#
from ramooflax import VM, CPUFamily, log, disassemble
from amoco.arch.x86 import cpu_x86 as am
# create logging for this script
log.setup(info=True, fail=True)
def disasm_wrapper(addr, data):
return am.disassemble(data, address=addr)
def sstep_disasm(vm):
insns = disassemble(vm, disasm_wrapper, vm.cpu.code_location())
print insns.split("\n")[0]
return True
#
# Main
#
vm = VM(CPUFamily.Intel, "172.16.131.128:1337")
vm.attach()
vm.stop()
vm.cpu.breakpoints.filter(None, sstep_disasm)
log("info", "\n####\n#### type: vm.singlestep()\n####\n")
vm.interact(dict(globals(), **locals()))
vm.detach()
def pf_hook(vm):
log("info", "Page Fault @ %#x" % vm.cpu.gpr.pc)
return True
# Print eip on raised page fault
#
def pf_hook(vm):
log("info", "Page Fault @ %#x" % vm.cpu.gpr.pc)
return True
#
# Main
#
vm = VM(CPUFamily.AMD, "192.168.254.254:1234")
vm.attach()
vm.stop()
vm.cpu.filter_write_cr(3, hook)
while not vm.resume():
continue
vm.cpu.release_write_cr(3)
vm.cpu.set_active_cr3(os.get_process_cr3(), True, OSAffinity.Linux26)
vm.cpu.filter_exception(CPUException.page_fault, pf_hook)
vm.cpu.lbr.enable()
vm.resume()
log("info", vm.cpu.gpr)
log("info", vm.cpu.lbr)
vm.detach()
#!/usr/bin/env python
#
# We are looking for "argv[1]" running under debian
#
# We install the Linux26.find_process_filter on cr3 writes
# The framework will call our filter Before each write
#
from ramooflax import VM, CPUFamily, OSFactory, OSAffinity, log
import sys
# create logging for this script
log.setup(info=True, fail=True)
if len(sys.argv) < 2:
log("fail", "gimme prog name")
sys.exit(-1)
# Target process
process_name = sys.argv[1]
# Some offsets for debian 2.6.32-5-486 kernel
settings = {"thread_size":8192, "comm":540, "next":240, "mm":268, "pgd":36}
os = OSFactory(OSAffinity.Linux26, settings)
hook = os.find_process_filter(process_name)
#
# Main
#
vm = VM(CPUFamily.AMD, "192.168.254.254:1234")
vm.attach()
#!/usr/bin/env python
#
# We are looking for "argv[1]" running under debian
#
# We install the Linux26.find_process_filter on cr3 writes
# The framework will call our filter Before each write
#
from ramooflax import VM, CPUFamily, OSFactory, OSAffinity, log
import sys
# create logging for this script
log.setup(info=True, fail=True)
if len(sys.argv) < 2:
log("fail", "gimme prog name")
sys.exit(-1)
# Target process
process_name = sys.argv[1]
# Some offsets for debian 2.6.32-5-486 kernel
settings = {
"thread_size": 8192,
"comm": 540,
"next": 240,
"mm": 268,
"pgd": 36
}
os = OSFactory(OSAffinity.Linux26, settings)
hook = os.find_process_filter(process_name)