def test_impapi_windows(self):
imp = viv_impapi.getImportApi('windows', 'i386')
self.assertEqual(imp.getImpApiCallConv('ntdll.RtlAllocateHeap'),
'stdcall')
imp = viv_impapi.getImportApi('windows', 'arm')
self.assertEqual(imp.getImpApiCallConv('ntdll.RtlAllocateHeap'),
'armcall')
def test_impapi_winkern(self):
imp = viv_impapi.getImportApi('winkern', 'i386')
self.assertEqual(
imp.getImpApiCallConv('ntoskrnl.ObReferenceObjectByHandle'),
'stdcall')
imp = viv_impapi.getImportApi('winkern', 'arm')
self.assertEqual(
imp.getImpApiCallConv('ntoskrnl.ObReferenceObjectByHandle'),
'armcall')
def notify(self, event, trace):
if self.impapi != None:
# cached
return
self.impapi = viv_impapi.getImportApi(trace.getMeta('Platform'), trace.getMeta('Architecture'))
cc = self.impapi.getImpApiCallConv(self.vte)
emu = vtrace.getEmu(trace)
self.cc = emu.getCallingConvention(cc)
self.argc = len(self.impapi.getImpApiArgs(self.vte))
def notify(self, event, trace):
if self.impapi is not None:
# cached
return
self.impapi = viv_impapi.getImportApi(trace.getMeta('Platform'),
trace.getMeta('Architecture'))
cc = self.impapi.getImpApiCallConv(self.vte)
emu = vtrace.getEmu(trace)
self.cc = emu.getCallingConvention(cc)
self.argc = len(self.impapi.getImpApiArgs(self.vte))
def render(self, mcanv, va):
trace = mcanv.mem
if va != trace.getStackCounter():
return DerefRenderer.render(self, mcanv, va)
pc = trace.getProgramCounter()
sym, is_thunk = trace.getSymByAddrThunkAware(pc)
if sym is None:
return DerefRenderer.render(self, mcanv, va)
# TODO: this code also exists in win32stealth and in hookbreakpoint
# we should put this somewhere common
platform = trace.getMeta('Platform')
arch = trace.getMeta('Architecture')
impapi = viv_impapi.getImportApi(platform, arch)
cc_name = impapi.getImpApiCallConv(sym)
emu = vtrace.getEmu(trace)
cc = emu.getCallingConvention(cc_name)
args_def = impapi.getImpApiArgs(sym)
if args_def is None:
# sym did not exist in impapi :(
logger.warning('sym but no impapi match: {}'.format(sym))
return DerefRenderer.render(self, mcanv, va)
argc = len(args_def)
curop = trace.parseOpcode(trace.getProgramCounter())
# use the calling convention to retrieve the args
args = None
if curop.isCall() or is_thunk:
args = cc.getPreCallArgs(trace, argc)
else:
args = cc.getCallArgs(trace, argc)
# since we are 'normalizing' the calls by visualizing all calling
# conventions in a stdcall fashion, some args (like the ones in
# registers don't have a stack va.
mcanv.addText('%s :\n' % sym)
fmt = ' arg%%d (%%s) 0x%%0%dx %%s\n' % (trace.getPointerSize() * 2, )
for index, arg in enumerate(args):
argtype = args_def[index][0]
argva = arg
if trace.isValidPointer(arg):
argva = trace.readMemoryFormat(arg, 'P')[0]
smc = e_canvas.StringMemoryCanvas(trace)
e_canvas_rend.AutoBytesRenderer(maxrend=64).render(smc, argva)
desc = str(smc)
mcanv.addText(fmt % (index, argtype, arg, desc))
mcanv.addText('-' * 5)
mcanv.addText('\n')
return DerefRenderer.render(self, mcanv, va)
def render(self, mcanv, va):
trace = mcanv.mem
if va != trace.getStackCounter():
return DerefRenderer.render(self, mcanv, va)
pc = trace.getProgramCounter()
sym, is_thunk = trace.getSymByAddrThunkAware(pc)
if sym == None:
return DerefRenderer.render(self, mcanv, va)
# TODO: this code also exists in win32stealth and in hookbreakpoint
# we should put this somewhere common
platform = trace.getMeta('Platform')
arch = trace.getMeta('Architecture')
impapi = viv_impapi.getImportApi(platform, arch)
cc_name = impapi.getImpApiCallConv(sym)
emu = vtrace.getEmu(trace)
cc = emu.getCallingConvention(cc_name)
args_def = impapi.getImpApiArgs(sym)
if args_def == None:
# sym did not exist in impapi :(
print(('sym but no impapi match: {}'.format(sym)))
return DerefRenderer.render(self, mcanv, va)
argc = len(args_def)
curop = trace.parseOpcode(trace.getProgramCounter())
# use the calling convention to retrieve the args
args = None
if curop.isCall() or is_thunk:
args = cc.getPreCallArgs(trace, argc)
else:
args = cc.getCallArgs(trace, argc)
# since we are 'normalizing' the calls by visualizing all calling
# conventions in a stdcall fashion, some args (like the ones in
# registers don't have a stack va.
mcanv.addText('%s :\n' % sym)
fmt = ' arg%%d (%%s) 0x%%0%dx %%s\n' % (trace.getPointerSize()*2,)
for index, arg in enumerate(args):
argtype = args_def[index][0]
argva = arg
if trace.isValidPointer(arg):
argva = trace.readMemoryFormat(arg, 'P')[0]
smc = e_canvas.StringMemoryCanvas(trace)
e_canvas_rend.AutoBytesRenderer(maxrend=64).render(smc, argva)
desc = str(smc)
mcanv.addText(fmt % (index, argtype, arg, desc))
mcanv.addText('-' * 5)
mcanv.addText('\n')
return DerefRenderer.render(self, mcanv, va)
def resolvedaddr(self, trace, addr):
'''
When we get resolved, lookup in impapi the calling convention and other
details about the function. Do not do this if we were explicitly told
what to do.
'''
# told explicitly what to do, don't go look anything up
if self.cc != None and self.argc != None:
return
# TODO: move this out of here after we move impapi to a top-level
# package.
import vivisect.impapi as viv_impapi
# this code also exists in win32stealth, we should put this somewhere
# common
platform = trace.getMeta('Platform')
arch = trace.getMeta('Architecture')
self.impapi = viv_impapi.getImportApi(platform, arch)
cc = self.impapi.getImpApiCallConv(self.vte)
emu = vtrace.getEmu(trace)
self.cc = emu.getCallingConvention(cc)
apiargs = self.impapi.getImpApiArgs(self.vte)
if apiargs != None:
self.argc = len(apiargs)
def resolvedaddr(self, trace, addr):
'''
When we get resolved, lookup in impapi the calling convention and other
details about the function. Do not do this if we were explicitly told
what to do.
'''
# told explicitly what to do, don't go look anything up
if self.cc != None and self.argc != None:
return
# TODO: move this out of here after we move impapi to a top-level
# package.
import vivisect.impapi as viv_impapi
# this code also exists in win32stealth, we should put this somewhere
# common
platform = trace.getMeta('Platform')
arch = trace.getMeta('Architecture')
self.impapi = viv_impapi.getImportApi(platform, arch)
cc = self.impapi.getImpApiCallConv(self.vte)
emu = vtrace.getEmu(trace)
self.cc = emu.getCallingConvention(cc)
apiargs = self.impapi.getImpApiArgs(self.vte)
if apiargs != None:
self.argc = len(apiargs)
def test_impapi_winkern(self):
imp = viv_impapi.getImportApi('winkern','i386')
self.assertEqual( imp.getImpApiCallConv('ntoskrnl.ObReferenceObjectByHandle'), 'stdcall')
def test_impapi_windows(self):
imp = viv_impapi.getImportApi('windows','i386')
self.assertEqual( imp.getImpApiCallConv('ntdll.RtlAllocateHeap'), 'stdcall')
