Ejemplo n.º 1
0
    def taintStart(self):

        Print("Taint Start pressed!")
        #Remove the starting breakpoint
        if self.taintStart is not None:
            idc.DelBpt(self.taintStart)

        #Add a new starting breakpoint
        self.taintStart = idc.here()
        instruction = idc.GetDisasm(self.taintStart)
        Print(instruction)
        idc.AddBpt(self.taintStart)
        idc.SetBptAttr(self.taintStart, idc.BPT_BRK, 0)

        callbackAddr = "interactivemodeCallback.startTrace()"
        customCallbackFuncs = ['ReadFile', 'recv']

        for callbackFunc in customCallbackFuncs:
            if callbackFunc in instruction:
                callbackAddr = "interactivemodeCallback." + callbackFunc + "()"
                Print("Found callback function %s for interactive mode" %
                      callbackAddr)
                break

        idc.SetBptCnd(self.taintStart, callbackAddr)
Ejemplo n.º 2
0
    def checkAccept(self):
        """
        SOCKET accept(
          _In_     SOCKET s,
          _Out_    struct sockaddr *addr,
          _Inout_  int *addrlen
        );
        
        """

        s = Util.GetData(0x4)
        self.logger.info("checkAccept: SOCKET is 0x%x" % (s))

        sockaddr_addr = Util.GetData(0x8)
        self.logger.info("checkAccept: sockaddr_addr is 0x%x" %
                         (sockaddr_addr))

        addrlen = Util.GetData(0xC)
        self.logger.info("checkAccept: *addrlen value is 0x%x" % (addrlen))

        retAddr = Util.GetData(0x0)
        self.tempStack = []
        self.tempStack.append(s)

        idc.AddBpt(retAddr)
        idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
        idc.SetBptCnd(retAddr, "windowsNetworkIO.checkAcceptEnd()")

        return 0
Ejemplo n.º 3
0
    def WSOCK32Bind(self):
        """  
        int bind(
          _In_  SOCKET s,
          _In_  const struct sockaddr *name,
          _In_  int namelen
        );
        
        struct sockaddr_in {
            short   sin_family;
            u_short sin_port;
            struct  in_addr sin_addr;
            char    sin_zero[8];
        };
        """

        s = Util.GetData(0x4)
        self.logger.info("WSOCK32Bind: SOCKET is 0x%x" % (s))

        sockaddr_name = Util.GetData(0x8)
        self.logger.info("WSOCK32Bind: sockaddr_name is 0x%x" %
                         (sockaddr_name))

        port = struct.unpack(">H",
                             idaapi.dbg_read_memory(sockaddr_name + 0x2, 2))
        portName = str(port[0])
        self.logger.info("WSOCK32Bind: port value is %s" % (portName))

        namelen = Util.GetData(0xC)
        self.logger.info("WSOCK32Bind: namelen value is %d" % (namelen))

        retAddr = Util.GetData(0x0)
        Print(self.filter['network'])
        if portName in self.filter['network']:
            self.tempStack = []
            self.tempStack.append(s)
            self.tempStack.append(portName)
            idc.AddBpt(retAddr)
            idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
            idc.SetBptCnd(retAddr, "windowsNetworkIO.checkBindEnd()")
            self.logger.info(
                "WSOCK32Bind: Netork Filter matched. Adding port to the Handle's dictionary to start logging."
            )
            Print(
                "Filter matched. Add handle to the handle's dictionary to start logging."
            )

        else:
            if idc.CheckBpt(retAddr) >= 0:
                Print("Removing un-needed breakpoint.")
                self.logger.info("WSOCK32Bind: Removing un-needed breakpoint.")
                idc.DelBpt(retAddr)

            self.logger.info("WSOCK32Bind: Network Filter did not match.")

        return 0
Ejemplo n.º 4
0
    def taintStop(self):

        Print("Taint Stop pressed!")
        #Remove the stopping breakpoint
        if self.taintStop is not None:
            idc.DelBpt(self.taintStop)
        
        #Add a new stopping breakpoint
        self.taintStop = idc.here()
        Print( idc.GetDisasm(self.taintStop) )
        idc.AddBpt(self.taintStop)
        idc.SetBptAttr(self.taintStop, idc.BPT_BRK, 0)
        idc.SetBptCnd(self.taintStop, "interactivemodeCallback.stopTrace()")
Ejemplo n.º 5
0
    def My_fread(self):
        """  
        old - size_t fread ( void * ptr, size_t size, size_t count, FILE * stream );
        
        size_t _IO_fread (void * ptr, size_t size, size_t count, FILE * stream )
        
        """

        ptr = Util.GetData(0x4)
        self.logger.info("fp is 0x%x" % (ptr))

        _size = Util.GetData(0x8)
        self.logger.info("size is %d" % (_size))

        _count = Util.GetData(0xc)
        self.logger.info("count is %d" % (_count))

        stream = Util.GetData(0x10)
        self.logger.info("stream is 0x%x" % (stream))

        self.pSize = _size * _count
        self.pBuffer = ptr

        retAddr = Util.GetData(0x0)

        callerAddr = retAddr - idc.ItemSize(retAddr)

        self.tempStack = []
        self.tempStack.append(self.pBuffer)
        self.tempStack.append(self.pSize)
        self.tempStack.append(stream)
        self.tempStack.append(callerAddr)

        self.tempStack.append("fread")
        self.tempStack.append(idc.GetCurrentThreadId())

        if stream in self.handleSet:
            self.logger.info("Found stream 0x%x" % stream)

            idc.AddBpt(retAddr)
            idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
            idc.SetBptCnd(retAddr, "linuxFileIO.My_freadEnd()")
        else:
            self.logger.info("Cannot find handle 0x%x" % stream)
            Print("Removing un-needed fread breakpoint.")
            idc.DelBpt(retAddr)

        return 0
Ejemplo n.º 6
0
    def checkClosesocket(self):
        """
        int closesocket(
          _In_  SOCKET s
        );
        """

        s = Util.GetData(0x4)
        self.logger.info("checkClosesocket: SOCKET is 0x%x" % (s))

        retAddr = Util.GetData(0x0)
        self.tempStack.append(s)

        idc.AddBpt(retAddr)
        idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
        idc.SetBptCnd(retAddr, "windowsNetworkIO.checkClosesocketEnd()")

        return 0
Ejemplo n.º 7
0
    def recv(self):
        """
        int recv(
        _In_   SOCKET s,
        _Out_  char *buf,
        _In_   int len,
        _In_   int flags
         );
        """

        s = Util.GetData(0x0)
        self.logger.info("checkRecv: Socket is 0x%x" % (s))

        buf = Util.GetData(0x4)
        self.logger.info("checkRecv: *buf is 0x%x" % (buf))

        _len = Util.GetData(0x8)
        self.logger.info("checkRecv: len value is %d" % (_len))

        flag = Util.GetData(0xC)
        self.logger.info("checkRecv: flag value is %d" % (flag))

        ea = idc.GetRegValue("EIP")

        retAddr = ea + idc.ItemSize(ea)

        Print("The return address is 0x%x" % retAddr)

        self.tempStack = []
        self.tempStack.append(s)
        self.tempStack.append(buf)
        self.tempStack.append(_len)
        self.tempStack.append(ea)
        self.tempStack.append("recv")
        self.tempStack.append(idc.GetCurrentThreadId())

        idc.AddBpt(retAddr)
        idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
        idc.SetBptCnd(retAddr, "interactivemodeCallback.recvEnd()")

        return 0
Ejemplo n.º 8
0
    def checkRecv(self):
        """
        int recv(
        _In_   SOCKET s,
        _Out_  char *buf,
        _In_   int len,
        _In_   int flags
         );
        """

        s = Util.GetData(0x4)
        self.logger.info("checkRecv: Socket is 0x%x" % (s))

        buf = Util.GetData(0x8)
        self.logger.info("checkRecv: *buf is 0x%x" % (buf))

        _len = Util.GetData(0xC)
        self.logger.info("checkRecv: len value is %d" % (_len))

        flag = Util.GetData(0x10)
        self.logger.info("checkRecv: flag value is %d" % (flag))

        retAddr = Util.GetData(0x0)

        callerAddr = retAddr - idc.ItemSize(retAddr)

        self.tempStack = []
        self.tempStack.append(s)
        self.tempStack.append(buf)
        self.tempStack.append(_len)
        self.tempStack.append(callerAddr)
        self.tempStack.append("recv")
        self.tempStack.append(idc.GetCurrentThreadId())

        idc.AddBpt(retAddr)
        idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
        idc.SetBptCnd(retAddr, "windowsNetworkIO.checkRecvEnd()")

        return 0
Ejemplo n.º 9
0
def define_function_trace(adr):
    return idc.SetBptAttr(adr, idc.BPTATTR_FLAGS,
                          idc.BPT_ENABLED | idc.BPT_TRACE | idc.BPT_TRACEON
                          | idc.BPT_TRACE_FUNC)  #idc.BPT_BRK |
Ejemplo n.º 10
0
def checkLinuxLibs(name,ea,bCheckFileIO,bCheckNetworkIO):
    """
    This function monitors loaded libaries for Linux
    If any of these libaries and functions are loaded
    a conditional breakpoint is set
    
    LIBC - _IO_file_fopen _IO_fread _IO_fclose
    
    @param name: The name of the loaded library
    @param ea: The address of the loaded library
    @param bCheckFileIO: Checks to see if FileIO filtering was turned on
    @param bCheckNetworkIO: Checks to see if NetworkIO filtering was turned on
    @return: None        
    """
    
    import idc
    import logging
    Print ("Found Libc at 0x%x" % ea)
    logger = logging.getLogger('IDATrace')
    
    logger.info( "Found Libc at 0x%x" % ea )
    idc.RefreshDebuggerMemory() 
    library_name = name.upper()
    
    Print( "Checking Linux for library " + library_name )
    
    if "LIBC" in library_name:

        if bCheckFileIO:
            
            fopen_func = idc.LocByName("_IO_file_fopen");
            
            if fopen_func == idc.BADADDR:
                logger.info( "Cannot find _IO_file_fopen" )
                # "Cannot find _IO_file_fopen."
            else:
                logger.info( "We found _IO_file_fopen at 0x%x." % fopen_func )
                Print( "We found _IO_file_fopen at 0x%x." % fopen_func )
                idc.AddBpt(fopen_func)
                idc.SetBptAttr(fopen_func, idc.BPT_BRK, 0)
                idc.SetBptCnd(fopen_func, "linuxFileIO.My_fopen()")
            
            fread_func = idc.LocByName("_IO_fread");
            
            if fread_func == idc.BADADDR:
                logger.info( "Cannot find _IO_fread" )
                Print( "Cannot find _IO_fread." )
            else:
                logger.info( "We found _IO_fread at 0x%x." % fread_func )
                Print( "We found _IO_fread at 0x%x." % fread_func  )
                idc.AddBpt(fread_func)
                idc.SetBptAttr(fread_func, idc.BPT_BRK, 0)
                idc.SetBptCnd(fread_func, "linuxFileIO.My_fread()")
    
            fclose_func = idc.LocByName("_IO_fclose");
            
            if fclose_func == idc.BADADDR:
                logger.info( "Cannot find _IO_fclose" )
                Print( "Cannot find _IO_fclose." )
            else:
                logger.info( "We found _IO_fclose at 0x%x." % fclose_func )
                Print( "We found _IO_fclose at 0x%x." % fclose_func  )
                idc.AddBpt(fclose_func)
                idc.SetBptAttr(fclose_func, idc.BPT_BRK, 0)
                idc.SetBptCnd(fclose_func, "linuxFileIO.My_fclose()")
Ejemplo n.º 11
0
def checkWindowsLibs(name,ea,bCheckFileIO,bCheckNetworkIO):
    """
    This function monitors loaded DLLs for Windows
    If any of these DLLs and functions are loaded
    a conditional breakpoint is set
    
    kernel32.dll - CreateFileW ReadFile CloseHandle
    WS2_32.dll - recv, bind, accept, closesocket
    WSOCK32.dll - recv, bind
    
    @param name: The name of the loaded DLL
    @param ea: The address of the loaded DLL
    @param bCheckFileIO: Checks to see if FileIO filtering was turned on
    @param bCheckNetworkIO: Checks to see if NetworkIO filtering was turned on
    @return: None        
    """
        
    import idc
    import logging
    
    logger = logging.getLogger('IDATrace')
    idc.RefreshDebuggerMemory()
        
    library_name = name.upper()
    
    if "KERNEL32" in library_name:
        logger.info( "Found kernel32 at 0x%x" % ea )
        
        if bCheckFileIO:
            """
            createFileA_func = idc.LocByName("kernel32_CreateFileA");
            
            if createFileA_func == idc.BADADDR:
                logger.info( "Cannot find CreateFileA" )
            else:
                logger.info( "We found CreateFileA at 0x%x." % createFileA_func )
            idc.AddBpt(createFileA_func)
            idc.SetBptAttr(createFileA_func, idc.BPT_BRK, 0)
            idc.SetBptCnd(createFileA_func, "windowsFileIO.MyCreateFileA()")
            """
            createFileW_func = idc.LocByName("kernel32_CreateFileW");
            
            if createFileW_func == idc.BADADDR:
                logger.info( "Cannot find CreateFileW" )
            else:
                logger.info( "We found CreateFileW at 0x%x." % createFileW_func )
            idc.AddBpt(createFileW_func)
            idc.SetBptAttr(createFileW_func, idc.BPT_BRK, 0)
            idc.SetBptCnd(createFileW_func, "windowsFileIO.MyCreateFileW()")
            
            readFile_func = idc.LocByName("kernel32_ReadFile");
            
            if readFile_func == idc.BADADDR:
                logger.info( "Cannot find ReadFile" )
            else:
                logger.info( "We found ReadFile at 0x%x." % readFile_func )
                
                idc.AddBpt(readFile_func)
                idc.SetBptAttr(readFile_func, idc.BPT_BRK, 0)
                idc.SetBptCnd(readFile_func, "windowsFileIO.MyReadFile()")
            
            closeHandle_func = idc.LocByName("kernel32_CloseHandle");
            
            if closeHandle_func == idc.BADADDR:
                logger.info( "Cannot find CloseHandle" )
            else:
                logger.info( "We found CloseHandle at 0x%x." % closeHandle_func )
                
                idc.AddBpt(closeHandle_func)
                idc.SetBptAttr(closeHandle_func, idc.BPT_BRK, 0)
                idc.SetBptCnd(closeHandle_func, "windowsFileIO.MyCloseHandle()")
    
    elif "WS2_32" in library_name:              
        logger.info( "Found Ws2_32 at 0x%x" % ea )
        
        if bCheckNetworkIO:
            
            recv_func = idc.LocByName("ws2_32_recv");
            
            if recv_func == idc.BADADDR:
                logger.info( "Cannot find ws2_32_recv" )
            else:
                logger.info( "We found ws2_32_recv at 0x%x." % recv_func )
                
                idc.AddBpt(recv_func)
                idc.SetBptAttr(recv_func, idc.BPT_BRK, 0)
                idc.SetBptCnd(recv_func, "windowsNetworkIO.checkRecv()")
                
            bind_func = idc.LocByName("ws2_32_bind");
            
            if bind_func == idc.BADADDR:
                logger.info( "Cannot find ws2_32_bind" )
            else:
                logger.info( "We found ws2_32_bind at 0x%x." % bind_func )
                
                idc.AddBpt(bind_func)
                idc.SetBptAttr(bind_func, idc.BPT_BRK, 0)
                idc.SetBptCnd(bind_func, "windowsNetworkIO.checkBind()")
                
            accept_func = idc.LocByName("ws2_32_accept");
            
            if accept_func == idc.BADADDR:
                logger.info( "Cannot find ws2_32_accept" )
            else:
                logger.info( "We found ws2_32_accept at 0x%x." % accept_func )
                
                idc.AddBpt(accept_func)
                idc.SetBptAttr(accept_func, idc.BPT_BRK, 0)
                idc.SetBptCnd(accept_func, "windowsNetworkIO.checkAccept()")
                
            closesocket_func = idc.LocByName("ws2_32_closesocket");
            
            if closesocket_func == idc.BADADDR:
                logger.info( "Cannot find ws2_32_closesocket" )
            else:
                logger.info( "We found ws2_32_closesocket at 0x%x." % closesocket_func )
                
                idc.AddBpt(closesocket_func)
                idc.SetBptAttr(closesocket_func, idc.BPT_BRK, 0)
                idc.SetBptCnd(closesocket_func, "windowsNetworkIO.checkClosesocket()")
        
    elif "WSOCK32" in library_name:     
        logger.info( "Found wsock32 at 0x%x" % ea )
        
        if bCheckNetworkIO:
            """
            bind_func = idc.LocByName("wsock32_bind");
            
            if bind_func == idc.BADADDR:
                logger.info( "Cannot find wsock32_bind" )
            else:
                logger.info( "We found wsock32_bind at 0x%x." % wsock32_bind )
                
                if idc.isCode(bind_func):
                
                    idc.AddBpt(bind_func)
                    idc.SetBptAttr(bind_func, idc.BPT_BRK, 0)
                    idc.SetBptCnd(bind_func, "windowsNetworkIO.WSOCK32Bind()")
                else:
                    logger.info( "wsock32_bind at 0x%x is data not code." % bind_func )
                """
            recv_func = idc.LocByName("wsock32_recv")
            
            if recv_func == idc.BADADDR:
                logger.info( "Cannot find wsock32_recv" )
            else:
                logger.info( "We found wsock32_recv at 0x%x." % recv_func )
                
                if idc.isCode(recv_func):
                    
                    idc.AddBpt(recv_func)
                    idc.SetBptAttr(recv_func, idc.BPT_BRK, 0)
                    idc.SetBptCnd(recv_func, "windowsNetworkIO.WSOCK32Recv()")
                else:
                    logger.info( "wsock32_recv at 0x%x is data not code." % recv_func )
Ejemplo n.º 12
0
    def MyCreateFileW(self):
        """
        Monitors the the beginning of CreateFileW function
        CreateFileW arguments are read from the stack
        """
        """
        HANDLE WINAPI CreateFileW(
        _In_      LPCTSTR lpFileName,
        _In_      DWORD dwDesiredAccess,
        _In_      DWORD dwShareMode,
        _In_opt_  LPSECURITY_ATTRIBUTES lpSecurityAttributes,
        _In_      DWORD dwCreationDisposition,
        _In_      DWORD dwFlagsAndAttributes,
        _In_opt_  HANDLE hTemplateFile
        );
        """

        lpFileName = Util.GetData(0x4)
        self.logger.info("MyCreateFileW lpFileName is 0x%x" % lpFileName)

        filePath = "".join(Util.Read(lpFileName, 2))

        self.logger.info("filePath is %s" % filePath)

        dwDesiredAccess = Util.GetData(0x8)
        self.logger.info("dwDesiredAccess is 0x%x" % (dwDesiredAccess))

        dwShareMode = Util.GetData(0xC)
        self.logger.info("dwShareMode value is 0x%x" % (dwShareMode))

        lpSecurityAttributes = Util.GetData(0x10)
        self.logger.info("lpSecurityAttributes value is 0x%x" %
                         (lpSecurityAttributes))

        dwCreationDisposition = Util.GetData(0x14)
        self.logger.info("dwCreationDisposition value is 0x%x" %
                         (dwCreationDisposition))

        dwFlagsAndAttributes = Util.GetData(0x18)
        hTemplateFile = Util.GetData(0x1C)

        fileName = os.path.basename(filePath)

        self.logger.info("The filename is %s" % fileName)

        retAddr = Util.GetData(0x0)

        if fileName in self.filter['file']:
            idc.AddBpt(retAddr)
            idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
            idc.SetBptCnd(retAddr, "windowsFileIO.MyCreateFileWEnd()")
            self.logger.info(
                "Filter matched. Add handle to the handle's dictionary to start logging."
            )
            Print(
                "Filter matched. Add handle to the handle's dictionary to start logging."
            )

        else:
            if idc.CheckBpt(retAddr) >= 0:
                Print("Removing un-needed breakpoint.")
                self.logger.info("Removing un-needed breakpoint.")
                idc.DelBpt(retAddr)

            self.logger.info("Filter did not match.")

        return 0