def checkAccept(self):
"""
SOCKET accept(
_In_ SOCKET s,
_Out_ struct sockaddr *addr,
_Inout_ int *addrlen
);
"""
s = Util.GetData(0x4)
self.logger.info("checkAccept: SOCKET is 0x%x" % (s))
sockaddr_addr = Util.GetData(0x8)
self.logger.info("checkAccept: sockaddr_addr is 0x%x" %
(sockaddr_addr))
addrlen = Util.GetData(0xC)
self.logger.info("checkAccept: *addrlen value is 0x%x" % (addrlen))
retAddr = Util.GetData(0x0)
self.tempStack = []
self.tempStack.append(s)
idc.AddBpt(retAddr)
idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
idc.SetBptCnd(retAddr, "windowsNetworkIO.checkAcceptEnd()")
return 0
def taintStart(self):
Print("Taint Start pressed!")
#Remove the starting breakpoint
if self.taintStart is not None:
idc.DelBpt(self.taintStart)
#Add a new starting breakpoint
self.taintStart = idc.here()
instruction = idc.GetDisasm(self.taintStart)
Print(instruction)
idc.AddBpt(self.taintStart)
idc.SetBptAttr(self.taintStart, idc.BPT_BRK, 0)
callbackAddr = "interactivemodeCallback.startTrace()"
customCallbackFuncs = ['ReadFile', 'recv']
for callbackFunc in customCallbackFuncs:
if callbackFunc in instruction:
callbackAddr = "interactivemodeCallback." + callbackFunc + "()"
Print("Found callback function %s for interactive mode" %
callbackAddr)
break
idc.SetBptCnd(self.taintStart, callbackAddr)
def MyReadFile(self):
"""
Monitors the the beginning of ReadFile function
ReadFile arguments are read from the stack
This is the function that will trigger the trace
inputLoggingList holds arguments for
"""
"""
BOOL WINAPI ReadFile(
_In_ HANDLE hFile,
_Out_ LPVOID lpBuffer,
_In_ DWORD nNumberOfBytesToRead,
_Out_opt_ LPDWORD lpNumberOfBytesRead,
_Inout_opt_ LPOVERLAPPED lpOverlapped
);
"""
hFile = Util.GetData(0x4)
self.logger.info("hFile is 0x%x" % (hFile))
lpBuffer = Util.GetData(0x8)
self.logger.info("lpBuffer is 0x%x" % (lpBuffer))
nNumberOfBytesToRead = Util.GetData(0xC)
self.logger.info("nNumberOfBytesToRead value is 0x%x" %
(nNumberOfBytesToRead))
lpNumberOfBytesRead = Util.GetData(0x10)
self.logger.info("lpNumberOfBytesRead value is 0x%x" %
(lpNumberOfBytesRead))
lpOverlapped = Util.GetData(0x14)
self.logger.info("lpOverlapped is 0x%x" % (lpOverlapped))
retAddr = Util.GetData(0x0)
callerAddr = retAddr - idc.ItemSize(retAddr)
self.tempStack = []
self.tempStack.append(lpBuffer)
self.tempStack.append(lpNumberOfBytesRead)
self.tempStack.append(hFile)
self.tempStack.append(callerAddr)
#self.tempStack.append(idc.GetDisasm(callerAddr))
self.tempStack.append("ReadFile")
self.tempStack.append(idc.GetCurrentThreadId())
if hFile in self.handleSet:
self.logger.info("Ready to read from handle 0x%x" % hFile)
Print("Ready to read from handle 0x%x" % hFile)
idc.AddBpt(retAddr)
idc.SetBptCnd(retAddr, "windowsFileIO.MyReadFileEnd()")
else:
if idc.CheckBpt(retAddr) >= 0:
self.logger.info("Removing un-needed ReadFile breakpoint.")
Print("Removing un-needed ReadFile breakpoint.")
idc.DelBpt(retAddr)
return 0
def WSOCK32Bind(self):
"""
int bind(
_In_ SOCKET s,
_In_ const struct sockaddr *name,
_In_ int namelen
);
struct sockaddr_in {
short sin_family;
u_short sin_port;
struct in_addr sin_addr;
char sin_zero[8];
};
"""
s = Util.GetData(0x4)
self.logger.info("WSOCK32Bind: SOCKET is 0x%x" % (s))
sockaddr_name = Util.GetData(0x8)
self.logger.info("WSOCK32Bind: sockaddr_name is 0x%x" %
(sockaddr_name))
port = struct.unpack(">H",
idaapi.dbg_read_memory(sockaddr_name + 0x2, 2))
portName = str(port[0])
self.logger.info("WSOCK32Bind: port value is %s" % (portName))
namelen = Util.GetData(0xC)
self.logger.info("WSOCK32Bind: namelen value is %d" % (namelen))
retAddr = Util.GetData(0x0)
Print(self.filter['network'])
if portName in self.filter['network']:
self.tempStack = []
self.tempStack.append(s)
self.tempStack.append(portName)
idc.AddBpt(retAddr)
idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
idc.SetBptCnd(retAddr, "windowsNetworkIO.checkBindEnd()")
self.logger.info(
"WSOCK32Bind: Netork Filter matched. Adding port to the Handle's dictionary to start logging."
)
Print(
"Filter matched. Add handle to the handle's dictionary to start logging."
)
else:
if idc.CheckBpt(retAddr) >= 0:
Print("Removing un-needed breakpoint.")
self.logger.info("WSOCK32Bind: Removing un-needed breakpoint.")
idc.DelBpt(retAddr)
self.logger.info("WSOCK32Bind: Network Filter did not match.")
return 0
def bpcond(group=None, cond="", **kwargs):
bp = idaapi.bpt_t()
cond = cond or ''
i = 0
lng = kwargs.get("lang") or "Python"
while idaapi.getn_bpt(i, bp):
idaapi.getn_bpt(i, bp)
i += 1
if group and group != idaapi.get_bpt_group(bp.loc):
continue
idc.SetBptCnd(bp.ea, cond)
def ReadFile(self):
"""
Monitors the the beginning of ReadFile function
ReadFile arguments are read from the stack
This is the function that will trigger the trace
inputLoggingList holds arguments for
"""
"""
BOOL WINAPI ReadFile(
_In_ HANDLE hFile,
_Out_ LPVOID lpBuffer,
_In_ DWORD nNumberOfBytesToRead,
_Out_opt_ LPDWORD lpNumberOfBytesRead,
_Inout_opt_ LPOVERLAPPED lpOverlapped
);
"""
hFile = Util.GetData(0x0)
self.logger.info("hFile is 0x%x" % (hFile))
lpBuffer = Util.GetData(0x4)
self.logger.info("lpBuffer is 0x%x" % (lpBuffer))
nNumberOfBytesToRead = Util.GetData(0x8)
self.logger.info("nNumberOfBytesToRead value is 0x%x" %
(nNumberOfBytesToRead))
lpNumberOfBytesRead = Util.GetData(0xC)
self.logger.info("lpNumberOfBytesRead value is 0x%x" %
(lpNumberOfBytesRead))
lpOverlapped = Util.GetData(0x10)
self.logger.info("lpOverlapped is 0x%x" % (lpOverlapped))
ea = idc.GetRegValue("EIP")
retAddr = ea + idc.ItemSize(ea)
Print("The return address is 0x%x" % retAddr)
self.tempStack = []
self.tempStack.append(lpBuffer)
self.tempStack.append(lpNumberOfBytesRead)
self.tempStack.append(hFile)
self.tempStack.append(ea)
self.tempStack.append("ReadFile")
self.tempStack.append(idc.GetCurrentThreadId())
idc.AddBpt(retAddr)
idc.SetBptCnd(retAddr, "interactivemodeCallback.ReadFileEnd()")
return 0
def taintStop(self):
Print("Taint Stop pressed!")
#Remove the stopping breakpoint
if self.taintStop is not None:
idc.DelBpt(self.taintStop)
#Add a new stopping breakpoint
self.taintStop = idc.here()
Print( idc.GetDisasm(self.taintStop) )
idc.AddBpt(self.taintStop)
idc.SetBptAttr(self.taintStop, idc.BPT_BRK, 0)
idc.SetBptCnd(self.taintStop, "interactivemodeCallback.stopTrace()")
def MyCreateFileA(self):
"""
Monitors the beginning of CreateFileA function
CreateFileA arguments are read from the stack
"""
"""
HANDLE WINAPI CreateFile(
_In_ LPCTSTR lpFileName,
_In_ DWORD dwDesiredAccess,
_In_ DWORD dwShareMode,
_In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
_In_ DWORD dwCreationDisposition,
_In_ DWORD dwFlagsAndAttributes,
_In_opt_ HANDLE hTemplateFile
);
"""
lpFileName = Util.GetData(0x4)
self.logger.info("MyCreateFileA lpFileName is 0x%x" % lpFileName)
filePath = "".join(Util.Read(lpFileName, 1))
self.logger.info("filePath is %s" % filePath)
dwDesiredAccess = Util.GetData(0x8)
self.logger.info("dwDesiredAccess is 0x%x" % (dwDesiredAccess))
dwShareMode = Util.GetData(0xC)
self.logger.info("dwShareMode value is 0x%x" % (dwShareMode))
lpSecurityAttributes = Util.GetData(0x10)
self.logger.info("lpSecurityAttributes value is 0x%x" %
(lpSecurityAttributes))
dwCreationDisposition = Util.GetData(0x14)
self.logger.info("dwCreationDisposition value is 0x%x" %
(dwCreationDisposition))
dwFlagsAndAttributes = Util.GetData(0x18)
hTemplateFile = Util.GetData(0x1C)
fileName = os.path.basename(filePath)
self.logger.info("The filename is %s" % fileName)
retAddr = Util.GetData(0x0)
idc.AddBpt(retAddr)
idc.SetBptCnd(retAddr, "windowsFileIO.MyCreateFileAEnd()")
return 0
def My_fread(self):
"""
old - size_t fread ( void * ptr, size_t size, size_t count, FILE * stream );
size_t _IO_fread (void * ptr, size_t size, size_t count, FILE * stream )
"""
ptr = Util.GetData(0x4)
self.logger.info("fp is 0x%x" % (ptr))
_size = Util.GetData(0x8)
self.logger.info("size is %d" % (_size))
_count = Util.GetData(0xc)
self.logger.info("count is %d" % (_count))
stream = Util.GetData(0x10)
self.logger.info("stream is 0x%x" % (stream))
self.pSize = _size * _count
self.pBuffer = ptr
retAddr = Util.GetData(0x0)
callerAddr = retAddr - idc.ItemSize(retAddr)
self.tempStack = []
self.tempStack.append(self.pBuffer)
self.tempStack.append(self.pSize)
self.tempStack.append(stream)
self.tempStack.append(callerAddr)
self.tempStack.append("fread")
self.tempStack.append(idc.GetCurrentThreadId())
if stream in self.handleSet:
self.logger.info("Found stream 0x%x" % stream)
idc.AddBpt(retAddr)
idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
idc.SetBptCnd(retAddr, "linuxFileIO.My_freadEnd()")
else:
self.logger.info("Cannot find handle 0x%x" % stream)
Print("Removing un-needed fread breakpoint.")
idc.DelBpt(retAddr)
return 0
def checkClosesocket(self):
"""
int closesocket(
_In_ SOCKET s
);
"""
s = Util.GetData(0x4)
self.logger.info("checkClosesocket: SOCKET is 0x%x" % (s))
retAddr = Util.GetData(0x0)
self.tempStack.append(s)
idc.AddBpt(retAddr)
idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
idc.SetBptCnd(retAddr, "windowsNetworkIO.checkClosesocketEnd()")
return 0
def recv(self):
"""
int recv(
_In_ SOCKET s,
_Out_ char *buf,
_In_ int len,
_In_ int flags
);
"""
s = Util.GetData(0x0)
self.logger.info("checkRecv: Socket is 0x%x" % (s))
buf = Util.GetData(0x4)
self.logger.info("checkRecv: *buf is 0x%x" % (buf))
_len = Util.GetData(0x8)
self.logger.info("checkRecv: len value is %d" % (_len))
flag = Util.GetData(0xC)
self.logger.info("checkRecv: flag value is %d" % (flag))
ea = idc.GetRegValue("EIP")
retAddr = ea + idc.ItemSize(ea)
Print("The return address is 0x%x" % retAddr)
self.tempStack = []
self.tempStack.append(s)
self.tempStack.append(buf)
self.tempStack.append(_len)
self.tempStack.append(ea)
self.tempStack.append("recv")
self.tempStack.append(idc.GetCurrentThreadId())
idc.AddBpt(retAddr)
idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
idc.SetBptCnd(retAddr, "interactivemodeCallback.recvEnd()")
return 0
def checkRecv(self):
"""
int recv(
_In_ SOCKET s,
_Out_ char *buf,
_In_ int len,
_In_ int flags
);
"""
s = Util.GetData(0x4)
self.logger.info("checkRecv: Socket is 0x%x" % (s))
buf = Util.GetData(0x8)
self.logger.info("checkRecv: *buf is 0x%x" % (buf))
_len = Util.GetData(0xC)
self.logger.info("checkRecv: len value is %d" % (_len))
flag = Util.GetData(0x10)
self.logger.info("checkRecv: flag value is %d" % (flag))
retAddr = Util.GetData(0x0)
callerAddr = retAddr - idc.ItemSize(retAddr)
self.tempStack = []
self.tempStack.append(s)
self.tempStack.append(buf)
self.tempStack.append(_len)
self.tempStack.append(callerAddr)
self.tempStack.append("recv")
self.tempStack.append(idc.GetCurrentThreadId())
idc.AddBpt(retAddr)
idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
idc.SetBptCnd(retAddr, "windowsNetworkIO.checkRecvEnd()")
return 0
def _set_condition(self, cond):
return idc.SetBptCnd(self.addr, cond)
def checkLinuxLibs(name,ea,bCheckFileIO,bCheckNetworkIO):
"""
This function monitors loaded libaries for Linux
If any of these libaries and functions are loaded
a conditional breakpoint is set
LIBC - _IO_file_fopen _IO_fread _IO_fclose
@param name: The name of the loaded library
@param ea: The address of the loaded library
@param bCheckFileIO: Checks to see if FileIO filtering was turned on
@param bCheckNetworkIO: Checks to see if NetworkIO filtering was turned on
@return: None
"""
import idc
import logging
Print ("Found Libc at 0x%x" % ea)
logger = logging.getLogger('IDATrace')
logger.info( "Found Libc at 0x%x" % ea )
idc.RefreshDebuggerMemory()
library_name = name.upper()
Print( "Checking Linux for library " + library_name )
if "LIBC" in library_name:
if bCheckFileIO:
fopen_func = idc.LocByName("_IO_file_fopen");
if fopen_func == idc.BADADDR:
logger.info( "Cannot find _IO_file_fopen" )
# "Cannot find _IO_file_fopen."
else:
logger.info( "We found _IO_file_fopen at 0x%x." % fopen_func )
Print( "We found _IO_file_fopen at 0x%x." % fopen_func )
idc.AddBpt(fopen_func)
idc.SetBptAttr(fopen_func, idc.BPT_BRK, 0)
idc.SetBptCnd(fopen_func, "linuxFileIO.My_fopen()")
fread_func = idc.LocByName("_IO_fread");
if fread_func == idc.BADADDR:
logger.info( "Cannot find _IO_fread" )
Print( "Cannot find _IO_fread." )
else:
logger.info( "We found _IO_fread at 0x%x." % fread_func )
Print( "We found _IO_fread at 0x%x." % fread_func )
idc.AddBpt(fread_func)
idc.SetBptAttr(fread_func, idc.BPT_BRK, 0)
idc.SetBptCnd(fread_func, "linuxFileIO.My_fread()")
fclose_func = idc.LocByName("_IO_fclose");
if fclose_func == idc.BADADDR:
logger.info( "Cannot find _IO_fclose" )
Print( "Cannot find _IO_fclose." )
else:
logger.info( "We found _IO_fclose at 0x%x." % fclose_func )
Print( "We found _IO_fclose at 0x%x." % fclose_func )
idc.AddBpt(fclose_func)
idc.SetBptAttr(fclose_func, idc.BPT_BRK, 0)
idc.SetBptCnd(fclose_func, "linuxFileIO.My_fclose()")
def checkWindowsLibs(name,ea,bCheckFileIO,bCheckNetworkIO):
"""
This function monitors loaded DLLs for Windows
If any of these DLLs and functions are loaded
a conditional breakpoint is set
kernel32.dll - CreateFileW ReadFile CloseHandle
WS2_32.dll - recv, bind, accept, closesocket
WSOCK32.dll - recv, bind
@param name: The name of the loaded DLL
@param ea: The address of the loaded DLL
@param bCheckFileIO: Checks to see if FileIO filtering was turned on
@param bCheckNetworkIO: Checks to see if NetworkIO filtering was turned on
@return: None
"""
import idc
import logging
logger = logging.getLogger('IDATrace')
idc.RefreshDebuggerMemory()
library_name = name.upper()
if "KERNEL32" in library_name:
logger.info( "Found kernel32 at 0x%x" % ea )
if bCheckFileIO:
"""
createFileA_func = idc.LocByName("kernel32_CreateFileA");
if createFileA_func == idc.BADADDR:
logger.info( "Cannot find CreateFileA" )
else:
logger.info( "We found CreateFileA at 0x%x." % createFileA_func )
idc.AddBpt(createFileA_func)
idc.SetBptAttr(createFileA_func, idc.BPT_BRK, 0)
idc.SetBptCnd(createFileA_func, "windowsFileIO.MyCreateFileA()")
"""
createFileW_func = idc.LocByName("kernel32_CreateFileW");
if createFileW_func == idc.BADADDR:
logger.info( "Cannot find CreateFileW" )
else:
logger.info( "We found CreateFileW at 0x%x." % createFileW_func )
idc.AddBpt(createFileW_func)
idc.SetBptAttr(createFileW_func, idc.BPT_BRK, 0)
idc.SetBptCnd(createFileW_func, "windowsFileIO.MyCreateFileW()")
readFile_func = idc.LocByName("kernel32_ReadFile");
if readFile_func == idc.BADADDR:
logger.info( "Cannot find ReadFile" )
else:
logger.info( "We found ReadFile at 0x%x." % readFile_func )
idc.AddBpt(readFile_func)
idc.SetBptAttr(readFile_func, idc.BPT_BRK, 0)
idc.SetBptCnd(readFile_func, "windowsFileIO.MyReadFile()")
closeHandle_func = idc.LocByName("kernel32_CloseHandle");
if closeHandle_func == idc.BADADDR:
logger.info( "Cannot find CloseHandle" )
else:
logger.info( "We found CloseHandle at 0x%x." % closeHandle_func )
idc.AddBpt(closeHandle_func)
idc.SetBptAttr(closeHandle_func, idc.BPT_BRK, 0)
idc.SetBptCnd(closeHandle_func, "windowsFileIO.MyCloseHandle()")
elif "WS2_32" in library_name:
logger.info( "Found Ws2_32 at 0x%x" % ea )
if bCheckNetworkIO:
recv_func = idc.LocByName("ws2_32_recv");
if recv_func == idc.BADADDR:
logger.info( "Cannot find ws2_32_recv" )
else:
logger.info( "We found ws2_32_recv at 0x%x." % recv_func )
idc.AddBpt(recv_func)
idc.SetBptAttr(recv_func, idc.BPT_BRK, 0)
idc.SetBptCnd(recv_func, "windowsNetworkIO.checkRecv()")
bind_func = idc.LocByName("ws2_32_bind");
if bind_func == idc.BADADDR:
logger.info( "Cannot find ws2_32_bind" )
else:
logger.info( "We found ws2_32_bind at 0x%x." % bind_func )
idc.AddBpt(bind_func)
idc.SetBptAttr(bind_func, idc.BPT_BRK, 0)
idc.SetBptCnd(bind_func, "windowsNetworkIO.checkBind()")
accept_func = idc.LocByName("ws2_32_accept");
if accept_func == idc.BADADDR:
logger.info( "Cannot find ws2_32_accept" )
else:
logger.info( "We found ws2_32_accept at 0x%x." % accept_func )
idc.AddBpt(accept_func)
idc.SetBptAttr(accept_func, idc.BPT_BRK, 0)
idc.SetBptCnd(accept_func, "windowsNetworkIO.checkAccept()")
closesocket_func = idc.LocByName("ws2_32_closesocket");
if closesocket_func == idc.BADADDR:
logger.info( "Cannot find ws2_32_closesocket" )
else:
logger.info( "We found ws2_32_closesocket at 0x%x." % closesocket_func )
idc.AddBpt(closesocket_func)
idc.SetBptAttr(closesocket_func, idc.BPT_BRK, 0)
idc.SetBptCnd(closesocket_func, "windowsNetworkIO.checkClosesocket()")
elif "WSOCK32" in library_name:
logger.info( "Found wsock32 at 0x%x" % ea )
if bCheckNetworkIO:
"""
bind_func = idc.LocByName("wsock32_bind");
if bind_func == idc.BADADDR:
logger.info( "Cannot find wsock32_bind" )
else:
logger.info( "We found wsock32_bind at 0x%x." % wsock32_bind )
if idc.isCode(bind_func):
idc.AddBpt(bind_func)
idc.SetBptAttr(bind_func, idc.BPT_BRK, 0)
idc.SetBptCnd(bind_func, "windowsNetworkIO.WSOCK32Bind()")
else:
logger.info( "wsock32_bind at 0x%x is data not code." % bind_func )
"""
recv_func = idc.LocByName("wsock32_recv")
if recv_func == idc.BADADDR:
logger.info( "Cannot find wsock32_recv" )
else:
logger.info( "We found wsock32_recv at 0x%x." % recv_func )
if idc.isCode(recv_func):
idc.AddBpt(recv_func)
idc.SetBptAttr(recv_func, idc.BPT_BRK, 0)
idc.SetBptCnd(recv_func, "windowsNetworkIO.WSOCK32Recv()")
else:
logger.info( "wsock32_recv at 0x%x is data not code." % recv_func )
def MyCreateFileW(self):
"""
Monitors the the beginning of CreateFileW function
CreateFileW arguments are read from the stack
"""
"""
HANDLE WINAPI CreateFileW(
_In_ LPCTSTR lpFileName,
_In_ DWORD dwDesiredAccess,
_In_ DWORD dwShareMode,
_In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
_In_ DWORD dwCreationDisposition,
_In_ DWORD dwFlagsAndAttributes,
_In_opt_ HANDLE hTemplateFile
);
"""
lpFileName = Util.GetData(0x4)
self.logger.info("MyCreateFileW lpFileName is 0x%x" % lpFileName)
filePath = "".join(Util.Read(lpFileName, 2))
self.logger.info("filePath is %s" % filePath)
dwDesiredAccess = Util.GetData(0x8)
self.logger.info("dwDesiredAccess is 0x%x" % (dwDesiredAccess))
dwShareMode = Util.GetData(0xC)
self.logger.info("dwShareMode value is 0x%x" % (dwShareMode))
lpSecurityAttributes = Util.GetData(0x10)
self.logger.info("lpSecurityAttributes value is 0x%x" %
(lpSecurityAttributes))
dwCreationDisposition = Util.GetData(0x14)
self.logger.info("dwCreationDisposition value is 0x%x" %
(dwCreationDisposition))
dwFlagsAndAttributes = Util.GetData(0x18)
hTemplateFile = Util.GetData(0x1C)
fileName = os.path.basename(filePath)
self.logger.info("The filename is %s" % fileName)
retAddr = Util.GetData(0x0)
if fileName in self.filter['file']:
idc.AddBpt(retAddr)
idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
idc.SetBptCnd(retAddr, "windowsFileIO.MyCreateFileWEnd()")
self.logger.info(
"Filter matched. Add handle to the handle's dictionary to start logging."
)
Print(
"Filter matched. Add handle to the handle's dictionary to start logging."
)
else:
if idc.CheckBpt(retAddr) >= 0:
Print("Removing un-needed breakpoint.")
self.logger.info("Removing un-needed breakpoint.")
idc.DelBpt(retAddr)
self.logger.info("Filter did not match.")
return 0
