def do_writemem(self, *args):
    """ Write a character array to a location in a process's memory.

    The SandKit "ps" command will list pids/processes.
    The SandKit "readmem" command can be used to display the memory region before and after.

    Usage: writemem <pid> <address> <string to write to memory>
    Example: writemem 2764 0x7c900000 "\\x90\\x90\\x90\\x90"
         or  writemem 2764 0x7c900000 "This is a test."

    Note: Please do "all or nothing". In other words, please don't mix and match
    escaped bytes with non-escaped bytes in the string like: "\\x90ABCDEF\\x90"

    <address> is parsed as hexadecimal when it contains "0x", otherwise as decimal.
    A string containing "\\x" is converted token by token with int(token, 16), so a
    malformed escape raises ValueError before any process is attached.  Nothing here
    checks that <address> or the length of the data lies inside a valid region of the
    target; that is left to the LiteDbg read/write calls.
    """
    # checkargs appears to return the parsed argument list, or None when the
    # argument count does not match (hence the guard below) -- verify in checkargs.
    args = self.checkargs(args, 3)
    if args == None:
        return
    if args[2].__contains__('\\x'):  # handle escaped bytes: '"\x90\x90"' -> two raw bytes
        # Strip surrounding quotes the shell may have kept, then turn every
        # "\x" into a separator: '\x90\x90' -> ' 90 90' -> ['', '90', '90'].
        args[2] = args[2].replace('"', '')
        args[2] = args[2].replace('\'', '')
        args[2] = args[2].replace('\\x', ' ').split(' ')
        # Drop the empty token produced by the leading "\x".
        # NOTE(review): this deletes from the list while iterating it and keeps
        # counting i afterwards, so any further empty token would be skipped or
        # the wrong index removed; it only behaves for the single leading ''.
        i = 0
        for x in args[2]:
            if x == '':
                args[2].__delitem__(i)
            i += 1
        # Each hex token becomes one byte; struct.pack returns str on Python 2,
        # so the join yields the raw byte string to write.
        args[2] = ''.join([struct.pack("B", int(x, 16)) for x in args[2]])
    #print repr(args)
    #print len(args[2])
    if args[1].__contains__("0x"):  # int() rejects a "0x" prefix in base 10,
        args[1] = int(args[1], 16)  # so select base 16 explicitly
    # If you are wondering why all the attaches and reattaches
    # I just want to make sure that everything is "fresh"
    # I was encountering bugs where not doing so would cause problems.
    dbg1 = litedbg.LiteDbg(int(args[0]))
    buf = dbg1.read_memory(int(args[1]), len(args[2]))
    print "----------------------"
    print "MEMORY BEFORE CHANGES:"
    print "----------------------"
    litedbg.hexdump(buf)
    del (dbg1)  # release the handle before re-attaching (see note above)
    dbg2 = litedbg.LiteDbg(int(args[0]))
    dbg2.write_memory(int(args[1]), args[2])
    del (dbg2)
    # Re-read the same range so the caller can confirm what actually landed.
    dbg3 = litedbg.LiteDbg(int(args[0]))
    buf = dbg3.read_memory(int(args[1]), len(args[2]))
    print "---------------------"
    print "MEMORY AFTER CHANGES:"
    print "---------------------"
    litedbg.hexdump(buf)
    del (dbg3)
def do_writemem(self, *args):
    """ Write a character array to a location in a process's memory.

    The SandKit "ps" command will list pids/processes.
    The SandKit "readmem" command can be used to display the memory region before and after.

    Usage: writemem <pid> <address> <string to write to memory>
    Example: writemem 2764 0x7c900000 "\\x90\\x90\\x90\\x90"
         or  writemem 2764 0x7c900000 "This is a test."

    Note: Please do "all or nothing". In other words, please don't mix and match
    escaped bytes with non-escaped bytes in the string like: "\\x90ABCDEF\\x90"

    <address> is parsed as hexadecimal when it contains "0x", otherwise as decimal.
    A string containing "\\x" is converted token by token with int(token, 16), so a
    malformed escape raises ValueError before any process is attached.  Nothing here
    checks that <address> or the length of the data lies inside a valid region of the
    target; that is left to the LiteDbg read/write calls.
    """
    # checkargs appears to return the parsed argument list, or None when the
    # argument count does not match (hence the guard below) -- verify in checkargs.
    args = self.checkargs(args, 3)
    if args == None:
        return
    if args[2].__contains__('\\x'):  # handle escaped bytes: '"\x90\x90"' -> two raw bytes
        # Strip surrounding quotes the shell may have kept, then turn every
        # "\x" into a separator: '\x90\x90' -> ' 90 90' -> ['', '90', '90'].
        args[2] = args[2].replace('"',''); args[2] = args[2].replace('\'','')
        args[2] = args[2].replace('\\x',' ').split(' ')
        # Drop the empty token produced by the leading "\x".
        # NOTE(review): this deletes from the list while iterating it and keeps
        # counting i afterwards, so any further empty token would be skipped or
        # the wrong index removed; it only behaves for the single leading ''.
        i = 0
        for x in args[2]:
            if x == '':
                args[2].__delitem__(i)
            i+=1
        # Each hex token becomes one byte; struct.pack returns str on Python 2,
        # so the join yields the raw byte string to write.
        args[2] = ''.join([struct.pack("B",int(x,16)) for x in args[2]])
    #print repr(args)
    #print len(args[2])
    if args[1].__contains__("0x"):  # int() rejects a "0x" prefix in base 10,
        args[1] = int(args[1],16)  # so select base 16 explicitly
    # If you are wondering why all the attaches and reattaches
    # I just want to make sure that everything is "fresh"
    # I was encountering bugs where not doing so would cause problems.
    dbg1 = litedbg.LiteDbg(int(args[0]))
    buf = dbg1.read_memory(int(args[1]), len(args[2]))
    print "----------------------"
    print "MEMORY BEFORE CHANGES:"
    print "----------------------"
    litedbg.hexdump(buf)
    del(dbg1)  # release the handle before re-attaching (see note above)
    dbg2 = litedbg.LiteDbg(int(args[0]))
    dbg2.write_memory(int(args[1]), args[2])
    del(dbg2)
    # Re-read the same range so the caller can confirm what actually landed.
    dbg3 = litedbg.LiteDbg(int(args[0]))
    buf = dbg3.read_memory(int(args[1]), len(args[2]))
    print "---------------------"
    print "MEMORY AFTER CHANGES:"
    print "---------------------"
    litedbg.hexdump(buf)
    del(dbg3)
def do_readmem(self, *args):
    """ Read and display memory from a process.

    The SandKit "ps" command will list pids/processes.

    Usage: readmem <pid> <address> <length in bytes>
    Example: readmem 2764 0x7c900000 20

    <address> is read as hexadecimal when it contains "0x", otherwise as decimal.
    The bytes are shown with litedbg.hexdump; read failures from LiteDbg are not
    caught here.
    """
    parsed = self.checkargs(args, 3)
    if parsed is None:
        # checkargs appears to hand back None on a bad argument count -- see checkargs.
        return
    # int() has no "0x" auto-detection in base 10, so choose base 16 explicitly.
    # The list is updated in place, matching the other mem commands.
    if "0x" in parsed[1]:
        parsed[1] = int(parsed[1], 16)
    debugger = litedbg.LiteDbg(int(parsed[0]))
    region = debugger.read_memory(int(parsed[1]), int(parsed[2]))
    litedbg.hexdump(region)
    del debugger
def do_readmem(self, *args):
    """ Read and display memory from a process.

    The SandKit "ps" command will list pids/processes.

    Usage: readmem <pid> <address> <length in bytes>
    Example: readmem 2764 0x7c900000 20

    <address> is read as hexadecimal when it contains "0x", otherwise as decimal.
    The bytes are shown with litedbg.hexdump; read failures from LiteDbg are not
    caught here.
    """
    parsed = self.checkargs(args, 3)
    if parsed is None:
        # checkargs appears to hand back None on a bad argument count -- see checkargs.
        return
    # int() has no "0x" auto-detection in base 10, so choose base 16 explicitly.
    # The list is updated in place, matching the other mem commands.
    if "0x" in parsed[1]:
        parsed[1] = int(parsed[1], 16)
    debugger = litedbg.LiteDbg(int(parsed[0]))
    region = debugger.read_memory(int(parsed[1]), int(parsed[2]))
    litedbg.hexdump(region)
    del debugger
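def do_copymem(self, *args):
    """ Copy memory regions from one process into another.

    Usage: copymem <source-pid> <address> <length in bytes> <target-pid> <address>
    Example: copymem 3000 0x7c885000 5 3001 0x7c885000

    Both addresses are read as hexadecimal when they contain "0x", otherwise as
    decimal.  Three hexdumps are printed: the source region, the target region
    before the write, and the target region re-read after the write.  A failing
    read or write prints a short error and returns; the target is only written
    once both reads succeeded.
    """
    args = self.checkargs(args, 5)
    if args is None:
        # checkargs appears to return None on a bad argument count -- see checkargs.
        return
    # int() does not accept a "0x" prefix in base 10, so select base 16 explicitly
    # (the list is updated in place, as the other mem commands do).
    if "0x" in args[1]:
        args[1] = int(args[1], 16)
    if "0x" in args[4]:
        args[4] = int(args[4], 16)
    src_pid = int(args[0])
    src_addr = int(args[1])
    length = int(args[2])
    dst_pid = int(args[3])
    dst_addr = int(args[4])

    dbg1 = litedbg.LiteDbg(src_pid)
    dbg2 = litedbg.LiteDbg(dst_pid)
    # Only LiteDbg errors are expected here; `except Exception` keeps
    # KeyboardInterrupt/SystemExit out of the "read error" path.
    try:
        buf1 = dbg1.read_memory(src_addr, length)
    except Exception:
        print "Memory read error."
        return
    # Snapshot the target region at the *target* address.  The previous code
    # read the target process at the source address, so the "(before)" dump
    # below was mislabelled whenever the two addresses differed.
    try:
        buf2 = dbg2.read_memory(dst_addr, length)
    except Exception:
        print "Memory read error."
        return
    print "------------------------------------------"
    print "MEMORY FROM SOURCE PID: %d @0x%08X" % (dbg1.pid, src_addr)
    print "------------------------------------------"
    litedbg.hexdump(buf1)
    print "----------------------------------------------"
    print "MEMORY FROM DEST PID %d @0x%08X (before)" % (dbg2.pid, dst_addr)
    print "----------------------------------------------"
    litedbg.hexdump(buf2)
    try:
        dbg2.write_memory(dst_addr, buf1)
    except Exception:
        print "Memory write error."
        return
    # Re-attach and re-read so the dump reflects what actually landed.
    dbg3 = litedbg.LiteDbg(dst_pid)
    try:
        buf2 = dbg3.read_memory(dst_addr, length)
    except Exception:
        print "Memory read error."
        return
    print "----------------------------------------------"
    print "MEMORY FROM DEST PID %d @0x%08X (after)" % (dbg2.pid, dst_addr)
    print "----------------------------------------------"
    litedbg.hexdump(buf2)
    del (dbg1)
    del (dbg2)
    del (dbg3)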
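def do_copymem(self, *args):
    """ Copy memory regions from one process into another.

    Usage: copymem <source-pid> <address> <length in bytes> <target-pid> <address>
    Example: copymem 3000 0x7c885000 5 3001 0x7c885000

    Both addresses are read as hexadecimal when they contain "0x", otherwise as
    decimal.  Three hexdumps are printed: the source region, the target region
    before the write, and the target region re-read after the write.  A failing
    read or write prints a short error and returns; the target is only written
    once both reads succeeded.
    """
    args = self.checkargs(args, 5)
    if args is None:
        # checkargs appears to return None on a bad argument count -- see checkargs.
        return
    # int() does not accept a "0x" prefix in base 10, so select base 16 explicitly
    # (the list is updated in place, as the other mem commands do).
    if "0x" in args[1]:
        args[1] = int(args[1], 16)
    if "0x" in args[4]:
        args[4] = int(args[4], 16)
    src_pid = int(args[0])
    src_addr = int(args[1])
    length = int(args[2])
    dst_pid = int(args[3])
    dst_addr = int(args[4])

    dbg1 = litedbg.LiteDbg(src_pid)
    dbg2 = litedbg.LiteDbg(dst_pid)
    # Only LiteDbg errors are expected here; `except Exception` keeps
    # KeyboardInterrupt/SystemExit out of the "read error" path.
    try:
        buf1 = dbg1.read_memory(src_addr, length)
    except Exception:
        print "Memory read error."
        return
    # Snapshot the target region at the *target* address.  The previous code
    # read the target process at the source address, so the "(before)" dump
    # below was mislabelled whenever the two addresses differed.
    try:
        buf2 = dbg2.read_memory(dst_addr, length)
    except Exception:
        print "Memory read error."
        return
    print "------------------------------------------"
    print "MEMORY FROM SOURCE PID: %d @0x%08X" % (dbg1.pid, src_addr)
    print "------------------------------------------"
    litedbg.hexdump(buf1)
    print "----------------------------------------------"
    print "MEMORY FROM DEST PID %d @0x%08X (before)" % (dbg2.pid, dst_addr)
    print "----------------------------------------------"
    litedbg.hexdump(buf2)
    try:
        dbg2.write_memory(dst_addr, buf1)
    except Exception:
        print "Memory write error."
        return
    # Re-attach and re-read so the dump reflects what actually landed.
    dbg3 = litedbg.LiteDbg(dst_pid)
    try:
        buf2 = dbg3.read_memory(dst_addr, length)
    except Exception:
        print "Memory read error."
        return
    print "----------------------------------------------"
    print "MEMORY FROM DEST PID %d @0x%08X (after)" % (dbg2.pid, dst_addr)
    print "----------------------------------------------"
    litedbg.hexdump(buf2)
    del(dbg1)
    del(dbg2)
    del(dbg3)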