def dump(start, end):
# Make sure that the right mode is set
cfg.memdump = True
requestsize = cfg.max_request_size
size = end - start
# Open file for writing
filename = '{0}_{1}-{2}.bin'.format(cfg.memdump_prefix, hex(start),
hex(end))
file = open(filename, 'wb')
# Ensure correct denomination
if size % cfg.GiB == 0:
s = '{0} GiB'.format(size // cfg.GiB)
elif size % cfg.MiB == 0:
s = '{0} MiB'.format(size // cfg.MiB)
else:
s = '{0} KiB'.format(size // cfg.KiB)
info('Dumping from {0:#x} to {1:#x}, a total of {2}'.format(start, end, s))
# Initialize and lower DMA shield
if not cfg.filemode:
fw = FireWire()
starttime = time.time()
device_index = fw.select_device()
# Print selection
info('Selected device: {0}'.format(fw.vendors[device_index]))
# Lower DMA shield or use a file as input
device = None
if cfg.filemode:
device = MemoryFile(cfg.filename, cfg.PAGESIZE)
else:
elapsed = int(time.time() - starttime)
device = fw.getdevice(device_index, elapsed)
# Progress bar
prog = ProgressBar(min_value=start,
max_value=end,
total_width=cfg.termwidth,
print_data=cfg.verbose)
try:
for i in range(start, end, requestsize):
# Edge case, make sure that we don't read beyond the end
if i + requestsize > end:
requestsize = end - i
# Avoid accessing upper memory area if we are using FireWire
if needtoavoid(i):
data = b'\x00' * requestsize
else:
data = device.read(i, requestsize)
file.write(data)
# Print status
prog.update_amount(i + requestsize, data)
prog.draw()
file.close()
print() # Filler
info('Dumped memory to file {0}'.format(filename))
device.close()
except KeyboardInterrupt:
file.close()
print()
info('Dumped memory to file {0}'.format(filename))
raise KeyboardInterrupt
def searchanddestroy(device, target, memsize):
'''
Main search loop
'''
pageaddress = cfg.startaddress
signatures = target['signatures']
# Add signature lengths in bytes to the dictionary, and replace integer
# representations of the signatures and patches with bytes
for signature in signatures:
signature['length'] = siglen(signature['chunks'])
offsets = signature['offsets'] # Offsets within pages
for chunk in signature['chunks']:
chunk['chunk'] = int2binhex(chunk['chunk'])
try:
chunk['patch'] = int2binhex(chunk['patch'])
except KeyError:
chunk['patch'] = None
# Progress bar
prog = ProgressBar(max_value = memsize, total_width = cfg.termwidth,
print_data = cfg.verbose)
try:
# Build a batch of read requests of the form: [(addr1, len1), ...] and
# a corresponding match vector: [(chunks1, patchoffset1), ...]
j = 0
count = 0
cand = b'\x00'
r = []
p = []
while pageaddress < memsize:
sig_len = len(signatures)
for i in range(sig_len): # Iterate over signatures
offsets = signatures[i]['offsets'] # Offsets within pages
if isinstance(offsets, int):
offsets = [offsets] # Create a list if single offset
chunks = signatures[i]['chunks'] # The chunks that is the sig
length = signatures[i]['length'] # Sig length in bytes
offset_len = len(offsets)
for n in range(offset_len): # Iterate over offsets
address = pageaddress + offsets[n] + cfg.PAGESIZE * j
r.append((address, length))
p.append(chunks)
count += 1
# If we have built a full vector, read from memory and
# compare to the corresponding signatures
if count == cfg.vectorsize:
# Read data from device
m = 0
for caddr, cand in device.readv(r):
if match(cand, p[m]):
print()
return (caddr, p[m])
m += 1
# Jump to next pages (we're finished with these)
mask = ~(cfg.PAGESIZE - 0x01)
pageaddress = address & mask
if sig_len == i and offset_len == n:
pageaddress = pageaddress + cfg.PAGESIZE
# Zero out counters and vectors
j = 0
count = 0
r = []
p = []
# Print status
prog.update_amount(pageaddress, cand)
prog.draw()
j += 1 # Increase read request count
except IOError:
print()
fail('I/O Error, make sure FireWire interfaces are properly connected')
except KeyboardInterrupt:
print()
fail('Aborted')
raise KeyboardInterrupt
# If we get here, we haven't found anything :-/
print()
return (None, None)
def dump(start, end):
# Make sure that the right mode is set
cfg.memdump = True
requestsize = cfg.max_request_size
size = end - start
# Open file for writing
filename = '{0}_{1}-{2}.bin'.format(cfg.memdump_prefix,
hex(start), hex(end))
file = open(filename, 'wb')
# Ensure correct denomination
if size % cfg.GiB == 0:
s = '{0} GiB'.format(size//cfg.GiB)
elif size % cfg.MiB == 0:
s = '{0} MiB'.format(size//cfg.MiB)
else:
s = '{0} KiB'.format(size//cfg.KiB)
info('Dumping from {0:#x} to {1:#x}, a total of {2}'.format(start, end, s))
# Initialize and lower DMA shield
if not cfg.filemode:
fw = FireWire()
starttime = time.time()
device_index = fw.select_device()
# Print selection
info('Selected device: {0}'.format(fw.vendors[device_index]))
# Lower DMA shield or use a file as input
device = None
if cfg.filemode:
device = MemoryFile(cfg.filename, cfg.PAGESIZE)
else:
elapsed = int(time.time() - starttime)
device = fw.getdevice(device_index, elapsed)
# Progress bar
prog = ProgressBar(min_value = start, max_value = end,
total_width = cfg.termwidth, print_data = cfg.verbose)
try:
for i in range(start, end, requestsize):
# Edge case, make sure that we don't read beyond the end
if i + requestsize > end:
requestsize = end - i
# Avoid accessing upper memory area if we are using FireWire
if needtoavoid(i):
data = b'\x00' * requestsize
else:
data = device.read(i, requestsize)
file.write(data)
# Print status
prog.update_amount(i + requestsize, data)
prog.draw()
file.close()
print() # Filler
info('Dumped memory to file {0}'.format(filename))
device.close()
except KeyboardInterrupt:
file.close()
print()
info('Dumped memory to file {0}'.format(filename))
raise KeyboardInterrupt
