Ejemplo n.º 1
0
    def My_freadEnd(self):

        numBytesRead = idc.GetRegValue("EAX")
        self.logger.info("_fread read %d bytes." % (numBytesRead))

        pBuffer = self.tempStack.pop(0)
        pSize = self.tempStack.pop(0)
        stream = self.tempStack.pop(0)
        callerAddr = self.tempStack.pop(0)
        callerFuncName = self.tempStack.pop(0)
        threadID = self.tempStack.pop(0)

        _buffer = idaapi.dbg_read_memory(pBuffer, pSize)
        self.logger.debug(_buffer)

        inputLoggingList = []

        inputLoggingList.append(pBuffer)
        inputLoggingList.append(pSize)
        inputLoggingList.append(_buffer)
        inputLoggingList.append(stream)
        inputLoggingList.append(callerAddr)
        inputLoggingList.append(callerFuncName)
        inputLoggingList.append(threadID)

        if numBytesRead > 0:
            self.logger.info("_fread succeeded.")
            self.debuggerInstance.callbackProcessing(inputLoggingList)
        else:
            Print("_fread failed.")
            self.logger.info("_fread failed.")

        return 0
Ejemplo n.º 2
0
 def XXXXXXXXXXXXXXXsignalClient(self, norev=False):
     start_eip = idc.GetRegValue(self.PC)
     if not norev:
         simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.rev1()");')
         eip = gdbProt.getEIPWhenStopped()
         if  eip is None or not (type(eip) is int or type(eip) is long):
             print('signalClient got wrong stuff? %s from getEIP' % str(eip))
             return
         #print('signalClient eip was at 0x%x, then after rev 1 0x%x call setAndDisable string is %s' % (start_eip, eip, simicsString))
     idaapi.step_into()
     idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
     new_eip = idc.GetRegValue(self.PC)
     #print('signalClient back from cont new_eip is 0x%x' % new_eip)
     if new_eip >= self.kernel_base:
         print('in kernel, run to user')
     self.updateStackTrace()
Ejemplo n.º 3
0
 def doStepOver(self):
     #print('in doStepOver')
     idaapi.step_over()
     idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
     cur_addr = idc.GetRegValue(self.PC)
     if cur_addr > self.kernel_base:
         self.runToUserSpace()
Ejemplo n.º 4
0
 def wroteToRegister(self): 
     highlighted = idaapi.get_highlighted_identifier()
     '''
     if highlighted is None  or highlighted not in self.reg_list:
        print('%s not in reg list' % highlighted)
        c=idaapi.Choose([], "Run backward until selected register modified", 1)
        c.width=50
        c.list = self.reg_list
        chose = c.choose()
        if chose == 0:
            print('user canceled')
            return
        else:
            highlighted = self.reg_list[chose-1]
     '''
     print 'Looking for a write to %s...' % highlighted
     command = "@cgc.revToModReg('%s')" % highlighted
     simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
     eip = None
     if self.checkNoRev(simicsString):
         eip = gdbProt.getEIPWhenStopped()
         self.signalClient()
     else:
         return
     curAddr = idc.GetRegValue(self.PC)
     print('Current instruction (0x%x) wrote to reg %s' % (curAddr, highlighted))
     return eip
Ejemplo n.º 5
0
 def trackRegister(self):
     highlighted = idaapi.get_highlighted_identifier()
     if highlighted is None or highlighted not in self.reg_list:
         print('%s not in reg list' % highlighted)
         c = Choose([], "back track to source of selected register", 1)
         c.width = 50
         c.list = self.reg_list
         chose = c.choose()
         if chose == 0:
             print('user canceled')
             return
         else:
             highlighted = self.reg_list[chose - 1]
     print 'backtrack to source of to %s...' % highlighted
     command = "@cgc.revTaintReg('%s')" % highlighted
     simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
     eip = gdbProt.getEIPWhenStopped(2)
     #gdbProt.stepWait()
     self.signalClient()
     curAddr = idc.GetRegValue(self.PC)
     print(
         'Current instruction (0x%x) is as far back as we can trace reg %s'
         % (curAddr, highlighted))
     self.showSimicsMessage()
     bookmark_list = self.bookmark_view.updateBookmarkView()
     return eip
Ejemplo n.º 6
0
    def revBlock(self):
        cur_addr = idc.GetRegValue(self.PC)
        f = idaapi.get_func(cur_addr)
        if f is None:
            print(
                'Ida analysis sees no function, cannot perform this function')
            return
        fc = idaapi.FlowChart(f)
        block_start = None
        prev_addr = None
        prev_block = None
        for block in fc:
            block_start = block.startEA
            #print('block_start 0x%x, cur_addr is 0x%x' % (block_start, cur_addr))
            if block_start > cur_addr:
                break
            prev_addr = block_start
            prev_block = block

        if prev_addr == cur_addr:
            self.doRevStepInto()
        elif prev_addr is not None:
            next_addr = idc.NextHead(prev_addr)
            if next_addr == cur_addr:
                ''' reverse two to get there? '''
                print('revBlock rev two?')
                self.doRevStepInto()
                self.doRevStepInto()
            else:
                print('revBlock rev to 0x%x' % prev_addr)
                self.doRevToAddr(prev_addr, extra_back=0)
        else:
            print('must have been top, uncall')
            self.doRevFinish()
Ejemplo n.º 7
0
 def doReverse(self, extra_back=None):
     print 'in doReverse'
     curAddr = idc.GetRegValue(self.PC)
     #goNowhere()
     #print('doReverse, back from goNowhere curAddr is %x' % curAddr)
     isBpt = idc.CheckBpt(curAddr)
     # if currently at a breakpoint, we need to back an instruction to so we don't break
     # here
     if isBpt > 0:
    	    print 'curAddr is %x, it is a breakpoint, do a rev step over' % curAddr
         addr = self.doRevStepOver()
         if addr is None:
             return None
         print 'in doReverse, did RevStepOver got addr of %x' % addr
         isBpt = idc.CheckBpt(addr)
         if isBpt > 0:
 	        # back up onto a breakpoint, we are done
             print('doReverse backed to breakpoint, we are done')
 	    return addr
 
     #print 'do reverse'
     param = ''
     if extra_back is not None:
         param = extra_back
     command = '@cgc.doReverse(%s)' % param
     simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
     addr = None
     if self.checkNoRev(simicsString):
         addr = gdbProt.getEIPWhenStopped()
         self.signalClient()
 
     return addr
    def readValue(self):
        if self.value != None:
            return self.value

        operandType = self.parser.getOperandType()
        regName = self.parser.getRegName()
        regValue = idc.GetRegValue(regName) if regName != None else None
        if operandType == OperandType.Value64OfRegisterPlusOffset:
            self.value = idc.Qword(regValue + self.opValue)
        elif operandType == OperandType.Value32OfRegisterPlusOffset:
            self.value = idc.Dword(regValue + self.opValue)
        elif operandType == OperandType.Value16OfRegisterPlusOffset:
            self.value = idc.Word(regValue + self.opValue)
        elif operandType == OperandType.Value8OfRegisterPlusOffset:
            self.value = idc.Byte(regValue + self.opValue)
        elif (operandType
              == OperandType.Register64) or (operandType
                                             == OperandType.Register32):
            self.value = regValue
        elif (operandType
              == OperandType.Register16) or (operandType
                                             == OperandType.Register8):
            self.value = regValue
        elif operandType == OperandType.ImmediateUnkown:
            self.value = self.opValue
        else:
            raise Exception("Unknown operand type")

        return self.value
Ejemplo n.º 9
0
 def MyCreateFileAEnd(self):
     """
     Monitors the end of CreateFileA function
     """
     handle = idc.GetRegValue("EAX")
     self.logger.info("MyCreateFileAEnd HANDLE is 0x%x" % handle)
     return 0
Ejemplo n.º 10
0
    def colorize_register(self, reg):
        result = ''
        reduced = False

        reg_val = idc.GetRegValue(reg)
        label, changed = self.get_reg_label(reg, reg_val)
        chain = self.get_ptr_chain(reg_val)

        result += label + self.colorize_value(chain[0])

        if reg == dbg.registers.flagsr:
            return result, changed

        elif reg != dbg.registers.pc:
            vals = chain[1:]
            if len(vals) > config.max_deref_levels:
                vals = vals[:config.max_deref_levels]
                reduced = True

            result += ''.join([self.as_ptr(value) for value in vals])
            if reduced:
                result += self.as_arrow_string("[...]")

        result += self.get_value_info(chain[-1])
        if chain.limit_exceeded:
            result += self.as_arrow_string("[...]")

        return result, changed
Ejemplo n.º 11
0
def IDA_State():
    if get_root_filename() is None:
        return 'empty'
    try:
        a = idc.GetRegValue('esp')
        return 'running'
    except:
        return 'static'
Ejemplo n.º 12
0
    def set_reg(self):
        for i in self.reg_list:
            if 'arg' not in i:
                self.reg[i] = idc.GetRegValue(i)

        self.reg['arg1'] = self.get_stack_arg(1)
        self.reg['arg2'] = self.get_stack_arg(2)
        self.reg['arg3'] = self.get_stack_arg(3)
        self.reg['arg4'] = self.get_stack_arg(4)
Ejemplo n.º 13
0
def get_local_var_value_64(loc_var_name):
    frame = ida_frame.get_frame(idc.here())
    loc_var = ida_struct.get_member_by_name(frame, loc_var_name)
    loc_var_start = loc_var.soff
    loc_var_ea = loc_var_start + idc.GetRegValue("RSP")
    loc_var_value = idc.read_dbg_qword(
        loc_var_ea
    )  # in case the variable is 32bit, just use get_wide_dword() instead
    return loc_var_value
Ejemplo n.º 14
0
def getfpu_tags(name):
    assert (name == 'fptag')
    re = 0
    tag = idc.GetRegValue('TAGS')
    for i in range(8):
        f = (0 if ((tag >> (2 * i)) & 0b11) else 1) << (8 * i)
        re = (re) | f

    return re
Ejemplo n.º 15
0
 def init_segm_mem(self):
     segment = {}
     gdt = gdt32(GDT_MAP_ADDR)
     fs_idx = idc.GetRegValue('fs')
     gs_idx = idc.GetRegValue('gs')
     fs_addr = idaapi.dbg_get_thread_sreg_base(idc.GetCurrentThreadId(),
                                               int(cpu.fs))
     gs_addr = idaapi.dbg_get_thread_sreg_base(idc.GetCurrentThreadId(),
                                               int(cpu.gs))
     G = 1
     D = 0
     L = 1
     AVL = 0
     gdt.addSegDiscription(fs_idx, fs_addr, 0x1000, 1, 0, 0,
                           (G << 3) | (D << 2) | (L << 1) | AVL)
     gdt.addSegDiscription(gs_idx, gs_addr, 0x1000, 1, 0, 0,
                           (G << 3) | (D << 2) | (L << 1) | AVL)
     return gdt.get_gdt()
Ejemplo n.º 16
0
    def Regs_method(self):
        X86_EFLAGS_CF = 1 << 0
        X86_EFLAGS_FIXED = 1 << 1
        X86_EFLAGS_PF = 1 << 2
        X86_EFLAGS_AF = 1 << 4
        X86_EFLAGS_ZF = 1 << 6
        X86_EFLAGS_SF = 1 << 7
        X86_EFLAGS_TF = 1 << 8
        X86_EFLAGS_IF = 1 << 9
        X86_EFLAGS_DF = 1 << 10
        X86_EFLAGS_OF = 1 << 11
        X86_EFLAGS_IOPL = 1 << 12
        X86_EFLAGS_IOPL_MASK = 3 << 12
        X86_EFLAGS_NT = 1 << 14
        X86_EFLAGS_RF = 1 << 16
        X86_EFLAGS_VM = 1 << 17
        X86_EFLAGS_AC = 1 << 18
        X86_EFLAGS_VIF = 1 << 19
        X86_EFLAGS_VIP = 1 << 20
        X86_EFLAGS_ID = 1 << 21

        getF64 = lambda x: get_fpu_regs("ST%d" % (7 - int(x[2:])))[1]

        method = {
            'mm0': getF64,
            'mm1': getF64,
            'mm2': getF64,
            'mm3': getF64,
            'mm4': getF64,
            'mm5': getF64,
            'mm6': getF64,
            'mm7': getF64,
            'xmm0': get_xmm,
            'xmm1': get_xmm,
            'xmm2': get_xmm,
            'xmm3': get_xmm,
            'xmm4': get_xmm,
            'xmm5': get_xmm,
            'xmm6': get_xmm,
            'xmm7': get_xmm,
            'xmm8': get_xmm,
            'xmm9': get_xmm,
            'xmm10': get_xmm,
            'xmm11': get_xmm,
            'xmm12': get_xmm,
            'xmm13': get_xmm,
            'xmm14': get_xmm,
            'xmm15': get_xmm,
            'd': lambda name: 0xffffffff if idc.GetRegValue("DF") else 0x1,
            'gdt': lambda name: GDT_MAP_ADDR,
            'fpround': getfpround,
            'sseround': getSseRound,
            'ftop': getftop,
            'fptag': getfpu_tags
        }
        return method
Ejemplo n.º 17
0
    def My_fopenEnd(self):
        """
        Not need to call this function here since fopen already contains the handle
        """
        stream = idc.GetRegValue("EAX")

        self.logger.info("HANDLE is 0x%x" % stream)
        self.handleSet.add(stream)

        return 0
Ejemplo n.º 18
0
    def My_fclose(self):
        """
        int fclose ( FILE * stream );          
        """
        stream = Util.GetData(0x4)
        self.logger.info("stream is 0x%x" % (stream))

        retVal = idc.GetRegValue("EAX")

        return 0
Ejemplo n.º 19
0
 def doStepOver(self):
     #print('in doStepOver')
     idaapi.step_over()
     #print('back from step over')
     idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
     #print('back getDebuggerEvent')
     cur_addr = idc.GetRegValue(self.PC)
     #print('cur_addr is 0x%x' % cur_addr)
     if cur_addr > self.kernel_base:
         print('run to user space')
         self.runToUserSpace()
Ejemplo n.º 20
0
 def doRevToCursor(self):
     cursor = idc.ScreenEA()
     curAddr = idc.GetRegValue(self.PC)
     if cursor == curAddr:
         print 'attempt to go back to where you are ignored'
         return
     #doRevToAddr(cursor)
     command = '@cgc.revToAddr(0x%x, extra_back=%d)' % (cursor, 0)
     simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
     eip = gdbProt.getEIPWhenStopped()
     self.signalClient()
Ejemplo n.º 21
0
    def ReadFile(self):
        """
        Monitors the the beginning of ReadFile function
        ReadFile arguments are read from the stack
        This is the function that will trigger the trace
        inputLoggingList holds arguments for 
        """
        """  
        BOOL WINAPI ReadFile(
          _In_         HANDLE hFile,
          _Out_        LPVOID lpBuffer,
          _In_         DWORD nNumberOfBytesToRead,
          _Out_opt_    LPDWORD lpNumberOfBytesRead,
          _Inout_opt_  LPOVERLAPPED lpOverlapped
        ); 
        """

        hFile = Util.GetData(0x0)
        self.logger.info("hFile is 0x%x" % (hFile))

        lpBuffer = Util.GetData(0x4)
        self.logger.info("lpBuffer is 0x%x" % (lpBuffer))

        nNumberOfBytesToRead = Util.GetData(0x8)
        self.logger.info("nNumberOfBytesToRead value is 0x%x" %
                         (nNumberOfBytesToRead))

        lpNumberOfBytesRead = Util.GetData(0xC)
        self.logger.info("lpNumberOfBytesRead value is 0x%x" %
                         (lpNumberOfBytesRead))

        lpOverlapped = Util.GetData(0x10)
        self.logger.info("lpOverlapped is 0x%x" % (lpOverlapped))

        ea = idc.GetRegValue("EIP")

        retAddr = ea + idc.ItemSize(ea)

        Print("The return address is 0x%x" % retAddr)

        self.tempStack = []
        self.tempStack.append(lpBuffer)
        self.tempStack.append(lpNumberOfBytesRead)
        self.tempStack.append(hFile)
        self.tempStack.append(ea)

        self.tempStack.append("ReadFile")
        self.tempStack.append(idc.GetCurrentThreadId())

        idc.AddBpt(retAddr)
        idc.SetBptCnd(retAddr, "interactivemodeCallback.ReadFileEnd()")

        return 0
Ejemplo n.º 22
0
def GetData(index):
    """
    Gets the data of the stack
    
    @param path: index of where to pull from
    @return: the address of the stack
    
    """
    import idc

    esp = idc.GetRegValue("ESP")
    return idc.DbgDword(esp + index)
    def beginAnalysis(self):
        if (self.rangeStart == 0) or (self.rangeEnd == 0):
            activeFuncScopeAddr = idc.ScreenEA()

            self.rangeStart = activeFuncScopeAddr
            self.rangeEnd = GetFuncEndAddr(activeFuncScopeAddr)

        # begin automatic debugging
        while idc.GetRegValue(x64Regs.RIP.value) != self.rangeEnd:
            idaapi.step_into()
            idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
            self.analyseStep()
Ejemplo n.º 24
0
 def parseVar(self, obj, hs):
     vr = self.func.lvars[obj.v.idx]
     hs['name'] = vr.name
     hs['var'] = vr
     if obj.ea != idc.BADADDR:
         hs['val'] = obj.ea
     try:
         if vr.is_reg_var():
             regid = vr.get_regnum() / 8
             regname = self.REGS[regid]
             hs['reg'] = [vr.get_regnum(), regname]
             hs['val'] = idc.GetRegValue(regname)
         if vr.is_stk_var():
             ofs = vr.location.calc_offset()
             hs['ofs'] = ofs
             val = idc.Qword(idc.GetRegValue('rsp') + ofs)
             if val != idc.BADADDR:
                 hs['val'] = val
     except Exception:
         pass
     return hs
def scanRegisters(manual = False):
    messagePrefix = "Manual scan" if manual else "Scan"
    scanInitiatedMessage = messagePrefix + " initiated." 
    print(scanInitiatedMessage)

    print("----------------------------------------------------")
    for reg in x64RegCommonList:
        scan_register(reg)
    print("----------------------------------------------------")
    ripValue = idc.GetRegValue(x64Regs.RIP.value)
    scanCompleteMessage = (messagePrefix + " completed at RIP=0x{:X}").format(ripValue)
    print(scanCompleteMessage)
Ejemplo n.º 26
0
 def activate(self, ctx):
     highlighted = idaapi.get_highlighted_identifier()
     current = idc.GetRegValue(highlighted)
     default = '%x' % current
     print('default %s' % default)
     #prompt = 'Value to write to %s (in hex, no prefix)' % highlighted
     #print('prompt is %s' % prompt)
     #enc = prompt.encode('utf-8')
     value = idc.AskStr(default, 'reg value ?')
     if value is None:
         return
     reg_param = "'%s'" % highlighted
     simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.writeRegValue(%s, 0x%s)");' % (reg_param, value)) 
Ejemplo n.º 27
0
    def MyCreateFileWEnd(self):
        """
        Monitors the end of CreateFileW function
        The return value (handle to the file) for CreateFileW is stored in a set
        """

        Print("Returning from CreateFileW...")
        handle = idc.GetRegValue("EAX")

        self.handleSet.add(handle)
        self.logger.info("HANDLE is 0x%x" % handle)

        return 0
Ejemplo n.º 28
0
 def doRevFinish(self):
     #print 'doRevFinish'
     #doRevCommand('uncall-function')
     cur_addr = idc.GetRegValue(self.PC)
     f = idc.GetFunctionAttr(cur_addr, idc.FUNCATTR_START)
     if f != idaapi.BADADDR: 
         print('doRevFinish got function start at 0x%x, go there, and further back 1' % f) 
         self.doRevToAddr(f, extra_back=1)
     else:
         print('use monitor uncall function')
         simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.uncall()");')
         eip = gdbProt.getEIPWhenStopped()
         self.signalClient()
Ejemplo n.º 29
0
 def wroteToAddress(self, target_addr):
     disabledSet = bpUtils.disableAllBpts(None)
     command = '@cgc.stopAtKernelWrite(0x%x)' % target_addr
     simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
     eip = gdbProt.getEIPWhenStopped()
     #gdbProt.stepWait()
     self.signalClient()
     bpUtils.enableBpts(disabledSet)
     if eip >= self.kernel_base:
         print('previous syscall wrote to address 0x%x' % target_addr)
     else:
         curAddr = idc.GetRegValue(self.PC)
         #print('Current instruction (0x%x) wrote to 0x%x' % (curAddr, target_addr))
         print('Previous instruction  wrote to 0x%x' % (target_addr))
Ejemplo n.º 30
0
    def checkBindEnd(self):
        retVal = idc.GetRegValue("EAX")

        if retVal == 0:
            self.logger.info("checkBindEnd: Bind succeeded.")
            socket = self.tempStack.pop(0)
            port = self.tempStack.pop(0)

            self.logger.info("checkBindEnd: The port is %s." % port)
            self.socket_dict[socket] = port
        else:
            self.logger.info("checkBindEnd: Bind failed.")

        return 0