def vsParse(self, bytes, offset):
# FIXME this is not functional yet...
self.vsClearFields()
self.header = GIF_FILE_HEADER()
offset = self.header.vsParse(bytes, offset)
# Do we have a global color table?
if self.header.flags & GIF_F_HAS_CMAP:
bits_per_pixel = (self.header.flags & GIF_F_BPP_MASK) + 1
self.gct = vstruct.VStruct()
for i in range(2**bits_per_pixel):
self.gct.vsAddField('color%d' % i, RGB())
offset = self.gct.vsParse(bytes, offset)
self.images = vstruct.VStruct()
imgidx = 0
while bytes[offset] == GIF_IMG_SEP:
img = vstruct.VStruct()
img.descriptor = GIF_IMAGE_DESCRIPTOR()
offset = img.descriptor.vsParse(bytes, offset)
if img.descriptor.flags & GIF_F_HAS_CMAP:
bits_per_pixel = (img.descriptor.flags & GIF_F_BPP_MASK) + 1
img.cmap = vstruct.VStruct()
for i in range(2**bits_per_pixel):
img.cmap.vsAddField('color%d' % i, RGB())
offset = img.cmap.vsParse(bytes, offset)
def bstruct():
vs = vstruct.VStruct()
vs._vs_name = sinst.name
for cname,chclass in self._getVsChildElements( selem ):
vobj = chclass()
vs.vsAddField(cname, vobj)
return vs
def __init__(self):
vstruct.VStruct.__init__(self)
self._raw_bytes = ''
self._symbols = None
self.mach_header = mach_header()
self.load_commands = vstruct.VStruct()
def __init__(self):
vstruct.VStruct.__init__(self)
self.HEAD_CRC = v_uint16()
self.HEAD_TYPE = v_uint8()
self.HEAD_FLAGS = v_uint16()
self.HEAD_SIZE = v_uint16()
self.ADD_SIZE = v_uint32()
self.BLOCK_DATA = vstruct.VStruct()
def __init__(self):
vstruct.VStruct.__init__(self)
self.dnsname = DnsName()
self.rrtype = v_uint16(bigend=True)
self.dnsclass = v_uint16(bigend=True)
self.ttl = v_uint32(bigend=True)
self.rdlength = v_uint16(bigend=True)
self.rdata = vstruct.VStruct()
def pcb_HEAD_FLAGS(self):
# a proto callback for the header
if self.HEAD_FLAGS & LONG_BLOCK:
self.ADD_SIZE = v_uint32()
else:
self.ADD_SIZE = vstruct.VStruct()
if self.HEAD_TYPE == MAIN_HEAD and self.HEAD_FLAGS & MHD_PASSWORD:
self.BLOCK_DATA.Salt = v_bytes(size=8)
def pcb_HEAD_TYPE(self):
self._known_block = False
if self.HEAD_TYPE == MAIN_HEAD:
self._known_block = True
self.BLOCK_DATA = MainHeader()
if not self.HEAD_FLAGS & MHD_ENCRYPTVER:
self.BLOCK_DATA.EncryptVer = vstruct.VStruct()
def test_vstruct_floats(self):
v = vstruct.VStruct()
v.float4 = v_float()
v.float8 = v_double()
v.float4 = 99.3
v.float8 = -400.2
self.assertEqual(v.vsEmit(), '9a99c64233333333330379c0'.decode('hex'))
def __init__(self):
vstruct.VStruct.__init__(self)
self.Name = v_str(size=16)
self.Date = v_str(size=12)
self.UserID = v_str(size=6)
self.GroupID = v_str(size=6)
self.Mode = v_str(size=8)
self.Size = v_str(size=10)
self.EndHeader = v_str(size=2)
self.FileData = vstruct.VStruct()
def buildVStruct(self, vsname):
# Check for a namespace
parts = vsname.split('.', 1)
if len(parts) == 2:
ns = self._vs_namespaces.get(parts[0])
if ns == None:
raise Exception(
'Namespace %s is not present! (need symbols?)' % parts[0])
# If a module gets added as a namespace, assume it has a class def...
if isinstance(ns, types.ModuleType):
cls = getattr(ns, parts[1])
if cls == None:
raise Exception('Unknown VStruct Definition: %s' % vsname)
return cls()
return ns.buildVStruct(parts[1])
ctor = self._vs_ctors.get(vsname)
if ctor != None:
return ctor()
vsdef = self._vs_defs.get(vsname)
if vsdef == None:
raise Exception('Unknown VStruct Definition: %s' % vsname)
vsname, vssize, vskids = vsdef
vs = vstruct.VStruct()
vs._vs_name = vsname
for fname, foffset, fsize, ftypename, fflags, fcount in vskids:
fieldval = self._buildVsType(ftypename, fsize, fflags)
if fcount != None:
afields = [copy.deepcopy(fieldval) for i in xrange(fcount)]
fieldval = vstruct.VArray(afields)
cursize = len(vs)
if foffset < cursize:
continue
if foffset > cursize:
setattr(vs, '_pad%.4x' % foffset,
vs_prim.v_bytes(size=(foffset - cursize)))
setattr(vs, fname, fieldval)
final_len = len(vs)
if final_len < vssize:
setattr(vs, '_pad%.4x' % vssize,
vs_prim.v_bytes(size=(vssize - final_len)))
return vs
def test_vstruct_basicstruct(self):
v = vstruct.VStruct()
v.uint8 = v_uint8(1)
v.uint16 = v_uint16(2)
v.uint24 = v_uint24(3)
v.uint32 = v_uint32(4)
v.uint64 = v_uint64(5)
v.vbytes = v_bytes(vbytes='ABCD')
answer = '01020003000004000000050000000000000041424344'.decode('hex')
self.assertEqual(v.vsEmit(), answer)
def test_vstruct_fastparse(self):
v = vstruct.VStruct()
v.x = v_uint8()
v.y = v_str(size=4)
v.z = v_uint32()
v.vsParse(b'BAAAAABCD', fast=True)
self.assertEqual(v.x, 0x42)
self.assertEqual(v.y, 'AAAA')
self.assertEqual(v.z, 0x44434241)
def test_vstruct_floats(self):
v = vstruct.VStruct()
v.float4 = v_float()
v.float8 = v_double()
v.float4 = 99.3
v.float8 = -400.2
self.assertEqual(v.vsEmit(),
binascii.unhexlify('9a99c64233333333330379c0'))
def test_vstruct_fastparse_bigend(self):
v = vstruct.VStruct()
v.x = v_uint8()
v.y = v_str(size=4)
v.z = v_uint32(bigend=True)
v.vsParse('BAAAAABCD', fast=True)
self.assertEqual(v.x, 0x42)
self.assertEqual(v.y, 'AAAA')
self.assertEqual(v.z, 0x41424344)
def test_vstruct_lengthcallback(self):
def updatelen(vs):
vs.vsGetField('strfield').vsSetLength(vs.lenfield)
v = vstruct.VStruct()
v.lenfield = v_uint8(0x30)
v.strfield = v_str(size=30)
v.vsAddParseCallback('lenfield', updatelen)
v.vsParse('\x01' + 'A' * 30)
self.assertEqual(v.vsEmit(), binascii.unhexlify('0141'))
def test_vstruct_fieldalign(self):
v = vstruct.VStruct()
v._vs_field_align = True
v.uint8 = v_uint8(0x42, bigend=True)
v.uint16 = v_uint16(0x4243, bigend=True)
v.uint24 = v_uint24(0x424344, bigend=True)
v.uint32 = v_uint32(0x42434445, bigend=True)
v.uint64 = v_uint64(0x4243444546474849, bigend=True)
answer = binascii.unhexlify(
'420042430000424344000000424344454243444546474849')
self.assertEqual(v.vsEmit(), answer)
def test_vstruct_fixedpartialasign(self):
v = vstruct.VStruct()
v.strfield = v_str(size=30)
v.unifield = v_wstr(size=30)
v.strfield = 'wootwoot!'
v.unifield = 'bazbaz'
answer = '776f6f74776f6f7421000000000000000000000000000000000000000000620061007a00620061007a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'.decode(
'hex')
self.assertEqual(v.vsEmit(), answer)
def test_vstruct_basicstruct(self):
v = vstruct.VStruct()
v.uint8 = v_uint8(1)
v.uint16 = v_uint16(2)
v.uint24 = v_uint24(3)
v.uint32 = v_uint32(4)
v.uint64 = v_uint64(5)
v.vbytes = v_bytes(vbytes=b'ABCD')
answer = binascii.unhexlify(
b'01020003000004000000050000000000000041424344')
self.assertEqual(v.vsEmit(), answer)
def __init__(self):
vstruct.VStruct.__init__(self)
#self.length = v_uint16(bigend=True)
self.transid = v_uint16(bigend=True)
self.flags = v_uint16(bigend=True)
self.ques_cnt = v_uint16(bigend=True)
self.answ_cnt = v_uint16(bigend=True)
self.auth_cnt = v_uint16(bigend=True)
self.addt_cnt = v_uint16(bigend=True)
self.records = vstruct.VStruct()
self.records.queries = DnsQueryArray(0)
self.records.answers = DnsAnswerArray(0)
self.records.authns = DnsAnswerArray(0)
self.records.addtl = DnsAnswerArray(0)
def __init__(self):
vstruct.VStruct.__init__(self)
self.u = vstruct.VUnion()
self.u.Name = v_str(size=8)
self.u.lname = vstruct.VStruct()
self.u.lname.Zeros = v_uint32()
self.u.lname.Offset = v_uint32()
self.Value = v_uint32()
self.SectionNumber = v_uint16()
self.Type = v_uint16()
self.StorageClass = v_uint8()
self.NumberOfAuxSymbols = v_uint8()
self.AuxSymbols = vstruct.VArray()
def __init__(self, tcpdns=False):
vstruct.VStruct.__init__(self)
self._tcpdns = tcpdns
if tcpdns:
self.length = v_uint16(bigend=True)
self.transid = v_uint16(bigend=True)
self.flags = v_uint16(bigend=True)
self.qdcount = v_uint16(bigend=True)
self.ancount = v_uint16(bigend=True)
self.nscount = v_uint16(bigend=True)
self.arcount = v_uint16(bigend=True)
self.section = vstruct.VStruct()
self.section.question = DnsQuestionArray(0)
self.section.answer = DnsResourceRecordArray(0)
self.section.authority = DnsResourceRecordArray(0)
self.section.additional = DnsResourceRecordArray(0)
self._nptr = {} # name pointer cache
def test_vstruct_basicreasign(self):
v = vstruct.VStruct()
v.uint8 = v_uint8(1)
v.uint16 = v_uint16(2)
v.uint24 = v_uint24(3)
v.uint32 = v_uint32(4)
v.uint64 = v_uint64(5)
v.vbytes = v_bytes(vbytes='ABCD')
v.uint8 = 99
v.uint16 = 100
v.uint24 = 101
v.uint32 = 102
v.uint64 = 103
v.vbytes = '\x00\x00\x00\x00'
answer = '63640065000066000000670000000000000000000000'.decode('hex')
self.assertEqual(v.vsEmit(), answer)
def __init__(self):
vstruct.VStruct.__init__(self)
self.tag = v_uint8()
self.data = vstruct.VStruct()
def pcb_HEAD_FLAGS(self):
# a proto callback for the header
if self.HEAD_FLAGS & 0x8000:
self.ADD_SIZE = v_uint32()
else:
self.ADD_SIZE = vstruct.VStruct()
import vstruct
from cStringIO import StringIO
from vstruct.primitives import *
def test(vs, hexstr):
vshex = vs.vsEmit().encode('hex')
if vshex != hexstr:
raise Exception('FAIL')
print 'PASS!'
v = vstruct.VStruct()
v.uint8 = v_uint8(1)
v.uint16 = v_uint16(2)
v.uint24 = v_uint24(3)
v.uint32 = v_uint32(4)
v.uint64 = v_uint64(5)
v.vbytes = v_bytes(vbytes='ABCD')
test(v, '01020003000004000000050000000000000041424344')
print v.tree()
v.uint8 = 99
v.uint16 = 100
v.uint24 = 101
v.uint32 = 102
v.uint64 = 103
v.vbytes = '\x00\x00\x00\x00'
def __init__(self):
vstruct.VStruct.__init__(self)
self.alpha = p.v_uint64()
self.beta = vstruct.VStruct()
def __init__(self):
vstruct.VStruct.__init__(self)
self._vs_field_align = True
List = vstruct.VStruct()
List.Flink = v_ptr64()
List.Blink = v_ptr64()
Header = vstruct.VStruct()
Header.List = List
Header.OwnerTag = v_uint32()
Header.Size = v_uint32()
self.Header = Header
self.KernBase = v_ptr64()
self.BreakpointWithStatus = v_ptr64()
self.SavedContext = v_ptr64()
self.ThCallbackStack = v_uint16()
self.NextCallback = v_uint16()
self.FramePointer = v_uint16()
#self.PaeEnabled:1 = v_uint16()
self.PaeEnabled = v_uint16()
self.KiCallUserMode = v_ptr64()
self.KeUserCallbackDispatcher = v_ptr64()
self.PsLoadedModuleList = v_ptr64()
self.PsActiveProcessHead = v_ptr64()
self.PspCidTable = v_ptr64()
self.ExpSystemResourcesList = v_ptr64()
self.ExpPagedPoolDescriptor = v_ptr64()
self.ExpNumberOfPagedPools = v_ptr64()
self.KeTimeIncrement = v_ptr64()
self.KeBugCheckCallbackListHead = v_ptr64()
self.KiBugcheckData = v_ptr64()
self.IopErrorLogListHead = v_ptr64()
self.ObpRootDirectoryObject = v_ptr64()
self.ObpTypeObjectType = v_ptr64()
self.MmSystemCacheStart = v_ptr64()
self.MmSystemCacheEnd = v_ptr64()
self.MmSystemCacheWs = v_ptr64()
self.MmPfnDatabase = v_ptr64()
self.MmSystemPtesStart = v_ptr64()
self.MmSystemPtesEnd = v_ptr64()
self.MmSubsectionBase = v_ptr64()
self.MmNumberOfPagingFiles = v_ptr64()
self.MmLowestPhysicalPage = v_ptr64()
self.MmHighestPhysicalPage = v_ptr64()
self.MmNumberOfPhysicalPages = v_ptr64()
self.MmMaximumNonPagedPoolInBytes = v_ptr64()
self.MmNonPagedSystemStart = v_ptr64()
self.MmNonPagedPoolStart = v_ptr64()
self.MmNonPagedPoolEnd = v_ptr64()
self.MmPagedPoolStart = v_ptr64()
self.MmPagedPoolEnd = v_ptr64()
self.MmPagedPoolInformation = v_ptr64()
self.MmPageSize = v_ptr64()
self.MmSizeOfPagedPoolInBytes = v_ptr64()
self.MmTotalCommitLimit = v_ptr64()
self.MmTotalCommittedPages = v_ptr64()
self.MmSharedCommit = v_ptr64()
self.MmDriverCommit = v_ptr64()
self.MmProcessCommit = v_ptr64()
self.MmPagedPoolCommit = v_ptr64()
self.MmExtendedCommit = v_ptr64()
self.MmZeroedPageListHead = v_ptr64()
self.MmFreePageListHead = v_ptr64()
self.MmStandbyPageListHead = v_ptr64()
self.MmModifiedPageListHead = v_ptr64()
self.MmModifiedNoWritePageListHead = v_ptr64()
self.MmAvailablePages = v_ptr64()
self.MmResidentAvailablePages = v_ptr64()
self.PoolTrackTable = v_ptr64()
self.NonPagedPoolDescriptor = v_ptr64()
self.MmHighestUserAddress = v_ptr64()
self.MmSystemRangeStart = v_ptr64()
self.MmUserProbeAddress = v_ptr64()
self.KdPrintCircularBuffer = v_ptr64()
self.KdPrintCircularBufferEnd = v_ptr64()
self.KdPrintWritePointer = v_ptr64()
self.KdPrintRolloverCount = v_ptr64()
self.MmLoadedUserImageList = v_ptr64()
# NT 5.1 Addition
self.NtBuildLab = v_ptr64()
self.KiNormalSystemCall = v_ptr64()
# NT 5.0 QFE addition
self.KiProcessorBlock = v_ptr64()
self.MmUnloadedDrivers = v_ptr64()
self.MmLastUnloadedDriver = v_ptr64()
self.MmTriageActionTaken = v_ptr64()
self.MmSpecialPoolTag = v_ptr64()
self.KernelVerifier = v_ptr64()
self.MmVerifierData = v_ptr64()
self.MmAllocatedNonPagedPool = v_ptr64()
self.MmPeakCommitment = v_ptr64()
self.MmTotalCommitLimitMaximum = v_ptr64()
self.CmNtCSDVersion = v_ptr64()
# NT 5.1 Addition
self.MmPhysicalMemoryBlock = v_ptr64()
self.MmSessionBase = v_ptr64()
self.MmSessionSize = v_ptr64()
self.MmSystemParentTablePage = v_ptr64()
# Server 2003 addition
self.MmVirtualTranslationBase = v_ptr64()
self.OffsetKThreadNextProcessor = v_uint16()
self.OffsetKThreadTeb = v_uint16()
self.OffsetKThreadKernelStack = v_uint16()
self.OffsetKThreadInitialStack = v_uint16()
self.OffsetKThreadApcProcess = v_uint16()
self.OffsetKThreadState = v_uint16()
self.OffsetKThreadBStore = v_uint16()
self.OffsetKThreadBStoreLimit = v_uint16()
self.SizeEProcess = v_uint16()
self.OffsetEprocessPeb = v_uint16()
self.OffsetEprocessParentCID = v_uint16()
self.OffsetEprocessDirectoryTableBase = v_uint16()
self.SizePrcb = v_uint16()
self.OffsetPrcbDpcRoutine = v_uint16()
self.OffsetPrcbCurrentThread = v_uint16()
self.OffsetPrcbMhz = v_uint16()
self.OffsetPrcbCpuType = v_uint16()
self.OffsetPrcbVendorString = v_uint16()
self.OffsetPrcbProcStateContext = v_uint16()
self.OffsetPrcbNumber = v_uint16()
self.SizeEThread = v_uint16()
self.KdPrintCircularBufferPtr = v_ptr64()
self.KdPrintBufferSize = v_ptr64()
self.KeLoaderBlock = v_ptr64()
self.SizePcr = v_uint16()
self.OffsetPcrSelfPcr = v_uint16()
self.OffsetPcrCurrentPrcb = v_uint16()
self.OffsetPcrContainedPrcb = v_uint16()
self.OffsetPcrInitialBStore = v_uint16()
self.OffsetPcrBStoreLimit = v_uint16()
self.OffsetPcrInitialStack = v_uint16()
self.OffsetPcrStackLimit = v_uint16()
self.OffsetPrcbPcrPage = v_uint16()
self.OffsetPrcbProcStateSpecialReg = v_uint16()
self.GdtR0Code = v_uint16()
self.GdtR0Data = v_uint16()
self.GdtR0Pcr = v_uint16()
self.GdtR3Code = v_uint16()
self.GdtR3Data = v_uint16()
self.GdtR3Teb = v_uint16()
self.GdtLdt = v_uint16()
self.GdtTss = v_uint16()
self.Gdt64R3CmCode = v_uint16()
self.Gdt64R3CmTeb = v_uint16()
self.IopNumTriageDumpDataBlocks = v_ptr64()
self.IopTriageDumpDataBlocks = v_ptr64()
# Longhorn
self.VfCrashDataBlock = v_ptr64()
self.MmBadPagesDetected = v_ptr64()
self.MmZeroedPageSingleBitErrorsDetected = v_ptr64()
# Windows 7
self.MmBadPagesDetected = v_ptr64()
self.OffsetPrcbContext = v_uint16()
def buildVStruct(self, vsname):
# Check for a namespace
parts = vsname.split('.', 1)
if len(parts) == 2:
ns = self._vs_namespaces.get(parts[0])
if ns == None:
raise Exception(
'Namespace %s is not present! (need symbols?)' % parts[0])
# If a module gets added as a namespace, assume it has a class def...
if isinstance(ns, types.ModuleType):
cls = getattr(ns, parts[1])
if cls == None:
raise Exception('Unknown VStruct Definition: %s' % vsname)
return cls()
return ns.buildVStruct(parts[1])
vsdef = self._vs_defs.get(vsname)
if vsdef == None:
raise Exception('Unknown VStruct Definition: %s' % vsname)
vsname, vssize, vskids = vsdef
vs = vstruct.VStruct()
vs._vs_name = vsname
for fname, foffset, fsize, ftypename, fflags in vskids:
if fflags & VSFF_POINTER:
# FIXME support pointers with types!
if fsize == 4:
fieldval = vs_prim.v_ptr32()
elif fsize == 8:
fieldval = vs_prim.v_ptr64()
else:
raise Exception('Invalid Pointer Width: %d' % fsize)
elif fflags & VSFF_ARRAY:
if ftypename != None:
fieldval = vstruct.VArray()
while len(fieldval) < fsize:
fieldval.vsAddElement(self.buildVStruct(ftypename))
else:
# FIXME actually handle arrays!
fieldval = vs_prim.v_bytes(size=fsize)
elif ftypename == None:
if fsize not in [1, 2, 4, 8]:
#print 'Primitive Field Size: %d' % fsize
fieldval = v_bytes(size=fsize)
else:
fieldval = prim_types[fsize]()
else:
fieldval = self.buildVStruct(ftypename)
cursize = len(vs)
if foffset < cursize:
#print 'FIXME handle unions, overlaps, etc...'
continue
if foffset > cursize:
setattr(vs, '_pad%.4x' % foffset,
vs_prim.v_bytes(size=(foffset - cursize)))
setattr(vs, fname, fieldval)
return vs
