# Page align baseaddr = baseaddr & 0xfffff000 maxaddr = baseaddr + 4096 map = vdb.trace.getMemoryMap(baseaddr) if map == None: raise Exception("Invalid memory map address 0x%.8x" % map) if domap: baseaddr = map[0] maxaddr = baseaddr + map[1] bpcode = "trace.getMeta('pagewatch').append((eip,trace.platformGetMemFault()));trace.runAgain()" vdb.trace.setMeta("pagewatch", []) while baseaddr < maxaddr: wp = vtrace.PageWatchpoint(baseaddr, size=4096, perms="w") wpid = vdb.trace.addBreakpoint(wp) vdb.trace.setBreakpointCode(wpid, bpcode) baseaddr += 4096 def stealth(vdb, line): """ Enable basic debugger stealth. This has the following effects: Change PEB to show BeingDebugged == 0 Special breakpoint on CheckRemoteDebuggerPresent WARNING: break/sendBreak() behave VERY strange with this because the kernel aparently doesn't think he needs to post the exception
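def pagewatch(vdb, line):
    """
    Enable write access watching on a given memory page.  This works
    by setting the page to read-only and then specially handling the
    access violations as though they were hardware Watchpoints.

    Usage: pagewatch [options] [<addr_expression>]
    -C - Clear the current pagewatch log
    -F - Toggle auto-continue behavior (run and record vs. stop on hit)
    -L - List the current hits from the pagewatch log
    -M - Add page watches to the entire memory map from addr_expression
    -R - Use to enable *read* watching while adding a page watch
    -S <addr> - Show touches to the specified address
    -P <addr> - Show memory touched by specified program counter (eip)
    -u - When listing, show only *unique* entries

    Modifier options (-M, -R, -u) are collected before any action option
    (-C, -F, -L, -S, -P) is dispatched, so "pagewatch -L -u" and
    "pagewatch -u -L" behave the same.  Only the first action option
    given is honored.

    Raises Exception when <addr_expression> does not fall inside a
    known memory map of the trace.

    NOTE(review): the watch works by changing the protection of the
    target page, which is observable from inside the debuggee; a target
    that inspects its own page permissions can detect it.
    """
    argv = e_cli.splitargs(line)
    try:
        opts, args = getopt.getopt(argv, "CFLMP:RS:u")
    except Exception:
        return vdb.do_help('pagewatch')

    # Make sure the per-trace metadata this command relies on exists,
    # so later reads can assume a list / bool rather than None.
    if vdb.trace.getMeta('pagewatch') is None:
        vdb.trace.setMeta('pagewatch', [])

    if vdb.trace.getMeta('pagerun') is None:
        vdb.trace.setMeta('pagerun', False)

    # First pass: modifiers only.  Actions are deferred so a modifier
    # placed *after* an action (e.g. "-L -u") still takes effect; the
    # old single pass returned from -L before ever seeing -u.
    domap = False
    unique = False
    watchread = False
    actions = []
    for opt, optarg in opts:
        if opt == '-M':
            domap = True
        elif opt == '-R':
            watchread = True
        elif opt == '-u':
            unique = True
        else:
            actions.append((opt, optarg))

    # Second pass: the first action option wins and returns.
    # Log entries are (pc, touched_addr) tuples as appended by the
    # page-hit breakpoint code, so h[0] is the pc and h[1] the address.
    for opt, optarg in actions:
        if opt == '-C':
            vdb.trace.setMeta('pagewatch', [])
            vdb.vprint('Pagewatch log cleared')
            return

        if opt == '-F':
            pr = not vdb.trace.getMeta('pagerun', False)
            vdb.trace.setMeta('pagerun', pr)
            vdb.vprint('Pagewatch Auto Continue: %s' % pr)
            return

        if opt == '-L':
            hits = vdb.trace.getMeta('pagewatch', [])
            _printPageHits(vdb, hits, unique=unique)
            return

        if opt == '-S':
            saddr = vdb.trace.parseExpression(optarg)
            hits = vdb.trace.getMeta('pagewatch', [])
            _printPageHits(vdb, [h for h in hits if h[1] == saddr], unique=unique)
            return

        if opt == '-P':
            saddr = vdb.trace.parseExpression(optarg)
            hits = vdb.trace.getMeta('pagewatch', [])
            _printPageHits(vdb, [h for h in hits if h[0] == saddr], unique=unique)
            return

    if len(args) == 0:
        return vdb.do_help('pagewatch')

    pagesize = 4096
    baseaddr = vdb.trace.parseExpression(args[0])
    # Page align.  A negative mask (~0xfff) clears the low bits while
    # keeping the high bits of a 64-bit address; the previous
    # "& 0xfffff000" silently truncated anything above 4GB and would
    # have watched the wrong page.
    baseaddr &= ~(pagesize - 1)
    maxaddr = baseaddr + pagesize

    mmap = vdb.trace.getMemoryMap(baseaddr)
    if mmap is None:
        raise Exception("Invalid memory map address 0x%.8x" % baseaddr)

    if domap:
        # mmap[0] is the map base and mmap[1] its size: cover the
        # whole mapping instead of the single page.
        baseaddr = mmap[0]
        maxaddr = baseaddr + mmap[1]

    # Presumably keyed by address (the lookup below uses baseaddr) --
    # used to skip pages that already carry a breakpoint/watchpoint.
    bpset = vdb.trace.breakpoints
    while baseaddr < maxaddr:
        if not bpset.get(baseaddr):
            wp = vtrace.PageWatchpoint(baseaddr, size=pagesize, watchread=watchread)
            vdb.trace.addBreakpoint(wp)
        baseaddr += pagesize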
maxaddr = baseaddr + 4096 mmap = vdb.trace.getMemoryMap(baseaddr) if mmap == None: raise Exception("Invalid memory map address 0x%.8x" % baseaddr) if domap: baseaddr = mmap[0] maxaddr = baseaddr + mmap[1] bpset = vdb.trace.breakpoints while baseaddr < maxaddr: # Skip ones that are already there! if not bpset.get(baseaddr): wp = vtrace.PageWatchpoint(baseaddr, size=4096, watchread=watchread) wpid = vdb.trace.addBreakpoint(wp) baseaddr += 4096 def stealth(vdb, line): """ Enable debugger stealth. See options -l. stealth <on/off> <options> Options: peb - enable/disable static peb + heap offset patching ZwQueryInformationProcess - patch ZwQueryInformationProcess parameter CheckRemoteDebuggerPresent - patch CheckRemoteDebuggerPresent