def build_ldr_data(jitter, modules_info):
    """
    Build the loader information (PEB_LDR_DATA) of the emulated process,
    using the following layout:

    +0x000 Length                          : Uint4B
    +0x004 Initialized                     : UChar
    +0x008 SsHandle                        : Ptr32 Void
    +0x00c InLoadOrderModuleList           : _LIST_ENTRY
    +0x014 InMemoryOrderModuleList         : _LIST_ENTRY
    +0x01C InInitializationOrderModuleList : _LIST_ENTRY
    # dummy dll base
    +0x024 DllBase : Ptr32 Void

    Only the list heads are written: the main PE entry feeds the
    InLoadOrder and InMemoryOrder heads, the ntdll entry feeds the
    InInitializationOrder head. Every blink is left at 0, so unlike a real
    process the lists are not circular: emulated code that walks a list
    backwards, or expects to come back to the head, ends up on a null
    pointer. The first three fields (Length, Initialized, SsHandle) are not
    backed by memory at all.

    @jitter: jitter instance
    @modules_info: LoadedModules instance
    """
    # The page starts at the first list head, skipping the three leading fields.
    heads_offset = 0xC
    ldr_addr = LDR_AD + peb_ldr_data_offset
    ldrdata = PEB_LDR_DATA(jitter.vm, ldr_addr)

    known = modules_info.name2module
    main_pe = known.get(main_pe_name, None)
    ntdll_pe = known.get("ntdll.dll", None)

    # Reserve one ListEntry per head that will actually be populated.
    page_len = 0
    if main_pe:
        page_len += 2 * ListEntry.sizeof()
        main_entry = modules_info.module2entry[main_pe]
    if ntdll_pe:
        page_len += ListEntry.sizeof()
        ntdll_entry = modules_info.module2entry[ntdll_pe]

    jitter.vm.add_memory_page(ldr_addr + heads_offset,
                              PAGE_READ | PAGE_WRITE,
                              "\x00" * page_len,
                              "Loader struct")

    # (head, flink) pairs. Each flink points inside the module's LdrDataEntry,
    # at the LIST_ENTRY field that matches the head being filled.
    heads = []
    if main_pe:
        entry_type = LdrDataEntry.get_type()
        heads.append((ldrdata.InLoadOrderModuleList, main_entry))
        heads.append((ldrdata.InMemoryOrderModuleList,
                      main_entry + entry_type.get_offset("InMemoryOrderLinks")))
    if ntdll_pe:
        entry_type = LdrDataEntry.get_type()
        heads.append((ldrdata.InInitializationOrderModuleList,
                      ntdll_entry + entry_type.get_offset("InInitializationOrderLinks")))
    for head, flink in heads:
        head.flink = flink
        head.blink = 0

    # Dummy DllBase right after the heads; presumably so that a read of +0x24
    # returns 0 instead of faulting on unmapped memory.
    # NOTE(review): assumes peb_ldr_data_address == LDR_AD + peb_ldr_data_offset
    # (the address the struct above was built at) -- confirm where it is defined.
    jitter.vm.add_memory_page(peb_ldr_data_address + 0x24,
                              PAGE_READ | PAGE_WRITE, pck32(0),
                              "Loader struct dummy dllbase")
def build_ldr_data(jitter, modules_info):
    """
    Build the loader information (PEB_LDR_DATA) of the emulated process,
    using the following layout:

    +0x000 Length                          : Uint4B
    +0x004 Initialized                     : UChar
    +0x008 SsHandle                        : Ptr32 Void
    +0x00c InLoadOrderModuleList           : _LIST_ENTRY
    +0x014 InMemoryOrderModuleList         : _LIST_ENTRY
    +0x01C InInitializationOrderModuleList : _LIST_ENTRY
    # dummy dll base
    +0x024 DllBase : Ptr32 Void

    Only the list heads are written: the main PE entry feeds the
    InLoadOrder and InMemoryOrder heads, the ntdll entry feeds the
    InInitializationOrder head. Every blink is left at 0, so unlike a real
    process the lists are not circular: emulated code that walks a list
    backwards, or expects to come back to the head, ends up on a null
    pointer. The first three fields (Length, Initialized, SsHandle) are not
    backed by memory at all.

    @jitter: jitter instance
    @modules_info: LoadedModules instance
    """
    # The page starts at the first list head, skipping the three leading fields.
    heads_offset = 0xC
    ldr_addr = LDR_AD + peb_ldr_data_offset
    ldrdata = PEB_LDR_DATA(jitter.vm, ldr_addr)

    known = modules_info.name2module
    main_pe = known.get(main_pe_name, None)
    ntdll_pe = known.get("ntdll.dll", None)

    # Reserve one ListEntry per head that will actually be populated.
    page_len = 0
    if main_pe:
        page_len += 2 * ListEntry.sizeof()
        main_entry = modules_info.module2entry[main_pe]
    if ntdll_pe:
        page_len += ListEntry.sizeof()
        ntdll_entry = modules_info.module2entry[ntdll_pe]

    jitter.vm.add_memory_page(ldr_addr + heads_offset,
                              PAGE_READ | PAGE_WRITE,
                              "\x00" * page_len,
                              "Loader struct")

    # (head, flink) pairs. Each flink points inside the module's LdrDataEntry,
    # at the LIST_ENTRY field that matches the head being filled.
    heads = []
    if main_pe:
        entry_type = LdrDataEntry.get_type()
        heads.append((ldrdata.InLoadOrderModuleList, main_entry))
        heads.append((ldrdata.InMemoryOrderModuleList,
                      main_entry + entry_type.get_offset("InMemoryOrderLinks")))
    if ntdll_pe:
        entry_type = LdrDataEntry.get_type()
        heads.append((ldrdata.InInitializationOrderModuleList,
                      ntdll_entry + entry_type.get_offset("InInitializationOrderLinks")))
    for head, flink in heads:
        head.flink = flink
        head.blink = 0

    # Dummy DllBase right after the heads; presumably so that a read of +0x24
    # returns 0 instead of faulting on unmapped memory.
    # NOTE(review): assumes peb_ldr_data_address == LDR_AD + peb_ldr_data_offset
    # (the address the struct above was built at) -- confirm where it is defined.
    jitter.vm.add_memory_page(peb_ldr_data_address + 0x24,
                              PAGE_READ | PAGE_WRITE, pck32(0),
                              "Loader struct dummy dllbase")
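def create_modules_chain(jitter, name2module):
    """
    Create the modules entries. Those modules are not linked in this function.

    One LdrDataEntry page is allocated per module at
    LDR_AD + modules_list_offset + i * 0x1000 (i starting at 1), with the
    module's lowercase base name at +0x500 and its backslash path at +0x600
    inside that page. The list links of each entry are left zeroed here.

    Fixes: FullDllName.length/maxlength now describe the wide path string
    that FullDllName.data points to, instead of reusing the base name
    length (which truncated the path whenever fname carried a directory).
    The unused `out` local is dropped.

    @jitter: jitter instance
    @name2module: dict containing association between name and its pe instance

    Returns a LoadedModules instance mapping each module to its entry address.
    """

    def to_wide(text):
        # Interleave each character with a NUL byte: equivalent to UTF-16LE
        # for pure-ASCII text only.
        # NOTE(review): a non-ASCII character would yield a malformed wide
        # string -- confirm module names and paths are ASCII.
        return "\x00".join(text) + "\x00"

    modules_info = LoadedModules()
    base_addr = LDR_AD + modules_list_offset  # XXXX
    offset_name = 0x500
    offset_path = 0x600

    for i, (fname, pe_obj) in enumerate(name2module.items(), 1):
        if pe_obj is None:
            # The slot index is still consumed, so the page of a skipped
            # module stays unmapped rather than being reused by the next one.
            log.warning("Unknown module: ommited from link list (%r)",
                        fname)
            continue
        addr = base_addr + i * 0x1000
        # Windows-style path for FullDllName, lowercase base name for BaseDllName.
        # NOTE(review): os.path.split is the host's; on a non-Windows host a
        # backslash-only fname is not split -- confirm the callers' inputs.
        bpath = fname.replace('/', '\\')
        bname_str = os.path.split(fname)[1].lower()
        bname = to_wide(bname_str)
        bpath_wide = to_wide(bpath)
        log.info("Add module %x %r", pe_obj.NThdr.ImageBase, bname_str)

        modules_info.add(bname_str, pe_obj, addr)

        # Allocate a partial LdrDataEntry (0-Flags)
        jitter.vm.add_memory_page(addr, PAGE_READ | PAGE_WRITE,
                                  "\x00" * LdrDataEntry.get_offset("Flags"),
                                  "Module info %r" % bname_str)

        ldr_entry = LdrDataEntry(jitter.vm, addr)

        ldr_entry.DllBase = pe_obj.NThdr.ImageBase
        ldr_entry.EntryPoint = pe_obj.Opthdr.AddressOfEntryPoint
        ldr_entry.SizeOfImage = pe_obj.NThdr.sizeofimage
        # UNICODE_STRING fields: length is the byte length of the wide string
        # without terminator, maxlength adds the two terminator bytes.
        ldr_entry.FullDllName.length = len(bpath_wide)
        ldr_entry.FullDllName.maxlength = len(bpath_wide) + 2
        ldr_entry.FullDllName.data = addr + offset_path
        ldr_entry.BaseDllName.length = len(bname)
        ldr_entry.BaseDllName.maxlength = len(bname) + 2
        ldr_entry.BaseDllName.data = addr + offset_name

        jitter.vm.add_memory_page(addr + offset_name, PAGE_READ | PAGE_WRITE,
                                  bname + "\x00" * 3,
                                  "Module name %r" % bname_str)

        jitter.vm.add_memory_page(addr + offset_path, PAGE_READ | PAGE_WRITE,
                                  bpath_wide + "\x00" * 3,
                                  "Module path %r" % bname_str)

    return modules_info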
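def create_modules_chain(jitter, name2module):
    """
    Create the modules entries. Those modules are not linked in this function.

    One LdrDataEntry page is allocated per module at
    LDR_AD + modules_list_offset + i * 0x1000 (i starting at 1), with the
    module's lowercase base name at +0x500 and its backslash path at +0x600
    inside that page. The list links of each entry are left zeroed here.

    Fixes: FullDllName.length/maxlength now describe the wide path string
    that FullDllName.data points to, instead of reusing the base name
    length (which truncated the path whenever fname carried a directory).
    The unused `out` local is dropped.

    @jitter: jitter instance
    @name2module: dict containing association between name and its pe instance

    Returns a LoadedModules instance mapping each module to its entry address.
    """

    def to_wide(text):
        # Interleave each character with a NUL byte: equivalent to UTF-16LE
        # for pure-ASCII text only.
        # NOTE(review): a non-ASCII character would yield a malformed wide
        # string -- confirm module names and paths are ASCII.
        return "\x00".join(text) + "\x00"

    modules_info = LoadedModules()
    base_addr = LDR_AD + modules_list_offset  # XXXX
    offset_name = 0x500
    offset_path = 0x600

    for i, (fname, pe_obj) in enumerate(name2module.items(), 1):
        if pe_obj is None:
            # The slot index is still consumed, so the page of a skipped
            # module stays unmapped rather than being reused by the next one.
            log.warning("Unknown module: ommited from link list (%r)",
                        fname)
            continue
        addr = base_addr + i * 0x1000
        # Windows-style path for FullDllName, lowercase base name for BaseDllName.
        # NOTE(review): os.path.split is the host's; on a non-Windows host a
        # backslash-only fname is not split -- confirm the callers' inputs.
        bpath = fname.replace('/', '\\')
        bname_str = os.path.split(fname)[1].lower()
        bname = to_wide(bname_str)
        bpath_wide = to_wide(bpath)
        log.info("Add module %x %r", pe_obj.NThdr.ImageBase, bname_str)

        modules_info.add(bname_str, pe_obj, addr)

        # Allocate a partial LdrDataEntry (0-Flags)
        jitter.vm.add_memory_page(addr, PAGE_READ | PAGE_WRITE,
                                  "\x00" * LdrDataEntry.get_offset("Flags"),
                                  "Module info %r" % bname_str)

        ldr_entry = LdrDataEntry(jitter.vm, addr)

        ldr_entry.DllBase = pe_obj.NThdr.ImageBase
        ldr_entry.EntryPoint = pe_obj.Opthdr.AddressOfEntryPoint
        ldr_entry.SizeOfImage = pe_obj.NThdr.sizeofimage
        # UNICODE_STRING fields: length is the byte length of the wide string
        # without terminator, maxlength adds the two terminator bytes.
        ldr_entry.FullDllName.length = len(bpath_wide)
        ldr_entry.FullDllName.maxlength = len(bpath_wide) + 2
        ldr_entry.FullDllName.data = addr + offset_path
        ldr_entry.BaseDllName.length = len(bname)
        ldr_entry.BaseDllName.maxlength = len(bname) + 2
        ldr_entry.BaseDllName.data = addr + offset_name

        jitter.vm.add_memory_page(addr + offset_name, PAGE_READ | PAGE_WRITE,
                                  bname + "\x00" * 3,
                                  "Module name %r" % bname_str)

        jitter.vm.add_memory_page(addr + offset_path, PAGE_READ | PAGE_WRITE,
                                  bpath_wide + "\x00" * 3,
                                  "Module path %r" % bname_str)

    return modules_info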
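def build_ldr_data(jitter, modules_info):
    """
    Build the loader information (PEB_LDR_DATA) of the emulated process,
    using the following layout:

    +0x000 Length                          : Uint4B
    +0x004 Initialized                     : UChar
    +0x008 SsHandle                        : Ptr32 Void
    +0x00c InLoadOrderModuleList           : _LIST_ENTRY
    +0x014 InMemoryOrderModuleList         : _LIST_ENTRY
    +0x01C InInitializationOrderModuleList : _LIST_ENTRY
    # dummy dll base
    +0x024 DllBase : Ptr32 Void

    Only the list heads are written: the main PE entry feeds the
    InLoadOrder and InMemoryOrder heads, the ntdll entry feeds the
    InInitializationOrder head. Every blink is left at 0 (the old
    "XXX TODO fix blink" is still open), so unlike a real process the lists
    are not circular: emulated code that walks a list backwards, or expects
    to come back to the head, ends up on a null pointer. The first three
    fields (Length, Initialized, SsHandle) are not backed by memory at all.

    The superseded pck32-based implementation that was kept as a string
    literal in the body has been removed; it was dead code.

    @jitter: jitter instance
    @modules_info: LoadedModules instance
    """
    # The page starts at the first list head, skipping the three leading fields.
    heads_offset = 0xC
    ldr_addr = LDR_AD + peb_ldr_data_offset
    ldrdata = PEB_LDR_DATA(jitter.vm, ldr_addr)

    known = modules_info.name2module
    main_pe = known.get(main_pe_name, None)
    ntdll_pe = known.get("ntdll.dll", None)

    # Reserve one ListEntry per head that will actually be populated.
    page_len = 0
    if main_pe:
        page_len += 2 * ListEntry.sizeof()
        main_entry = modules_info.module2entry[main_pe]
    if ntdll_pe:
        page_len += ListEntry.sizeof()
        ntdll_entry = modules_info.module2entry[ntdll_pe]

    jitter.vm.add_memory_page(ldr_addr + heads_offset,
                              PAGE_READ | PAGE_WRITE,
                              "\x00" * page_len,
                              "Loader struct")

    # (head, flink) pairs. Each flink points inside the module's LdrDataEntry,
    # at the LIST_ENTRY field that matches the head being filled.
    heads = []
    if main_pe:
        entry_type = LdrDataEntry.get_type()
        heads.append((ldrdata.InLoadOrderModuleList, main_entry))
        heads.append((ldrdata.InMemoryOrderModuleList,
                      main_entry + entry_type.get_offset("InMemoryOrderLinks")))
    if ntdll_pe:
        entry_type = LdrDataEntry.get_type()
        heads.append((ldrdata.InInitializationOrderModuleList,
                      ntdll_entry + entry_type.get_offset("InInitializationOrderLinks")))
    for head, flink in heads:
        head.flink = flink
        head.blink = 0

    # Dummy DllBase right after the heads; presumably so that a read of +0x24
    # returns 0 instead of faulting on unmapped memory.
    # NOTE(review): assumes peb_ldr_data_address == LDR_AD + peb_ldr_data_offset
    # (the address the struct above was built at) -- confirm where it is defined.
    jitter.vm.add_memory_page(peb_ldr_data_address + 0x24,
                              PAGE_READ | PAGE_WRITE, pck32(0),
                              "Loader struct dummy dllbase")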