def main(args):
# Init the speakeasy object, an optional logger can be supplied
se = speakeasy.Speakeasy(logger=get_logger())
module = se.load_module(args.file)
# Begin emulating the DLL at its defined entry point.
# If all_entrypoints is set to True, all exports will be emulated sequentially.
# In this example, lets just run the main entry point and call exports manually.
se.run_module(module, all_entrypoints=False)
# Hook user32!MessageBoxA/W and call our function; wild cards are supported here so we can
# hook both versions with a single hook
se.add_api_hook(hook_messagebox, "user32", "MessageBox*")
# Hook all memory writes as an example
se.add_mem_write_hook(hook_mem_write)
# Set up some fake args
arg0 = 0x0
arg1 = 0x1
# Walk the DLLs exports
for exp in module.get_exports():
if exp.name == "emu_test_one":
# Call an export named 'emu_test_one' and emulate it
se.call(exp.address, [arg0, arg1])
if exp.name == "emu_test_two":
# Call an export named 'emu_test_two' and emulate it
se.call(exp.address, [arg0, arg1])
def __init__(
self, target=None, is_sc=False, arch=None, data=None, logger=None, se_inst=None
):
super(SpeakeasyDebugger, self).__init__()
self.target = target
self.is_sc = is_sc
self.arch = arch
self.logger = logger
if not se_inst:
self.se = speakeasy.Speakeasy(logger=self.logger)
else:
self.se = se_inst
self.loaded_modules = []
self.loaded_shellcode = []
self.targets = []
self.breakpoints = {}
self.init_state()
if self.is_sc and not self.arch:
raise DebuggerException("Architecture required when debugging shellcode")
if self.target:
if not self.is_sc:
# Load the initial target module
self.load_module(self.target)
else:
self.load_shellcode(self.target, self.arch)
def run(self):
results = {}
s = speakeasy.Speakeasy()
m = s.load_module(self.filepath)
s.run_module(m)
results = s.get_report()
return results
def main(args):
# Init the speakeasy object, an optional logger can be supplied
se = speakeasy.Speakeasy(logger=get_logger())
# Hook ntdll!NtReadFile so we can modify the returned buffer
se.add_api_hook(hook_ntreadfile, 'ntdll', 'NtReadFile')
# Load the module into the emulation space
module = se.load_module(args.file)
# Begin emulating the EXE at its defined entry point.
se.run_module(module)
def do_restart(self, arg):
"""
Restart emulation from the entry point
"""
self.se = speakeasy.Speakeasy(logger=self.logger)
if self.target:
if not self.is_sc:
# Load the initial target module
self.load_module(self.target)
else:
self.load_shellcode(self.target, self.arch)
self.init_state()
self.do_run(None)
def run(self):
results = {}
s = speakeasy.Speakeasy()
if self.shellcode:
arch = e_arch.ARCH_AMD64
if self.arch == "x86":
arch = e_arch.ARCH_X86
sc_addr = s.load_shellcode(self.filepath, arch)
s.run_shellcode(sc_addr, offset=self.raw_offset or 0)
else:
m = s.load_module(self.filepath)
s.run_module(m)
results = s.get_report()
return results
def main(args):
se = speakeasy.Speakeasy(logger=get_logger())
module = se.load_module(args.file)
se.run_module(module, all_entrypoints=False)
se.add_code_hook(hook_code)
# Set up some fake args
arg0 = 1
arg1 = 2
# Start the RunDLL export
for exp in module.get_exports():
if exp.name == 'RunDLL':
se.call(exp.address, [arg0, arg1])
def run(self):
results = {}
s = speakeasy.Speakeasy()
try:
m = s.load_module(self.filepath)
s.run_module(m)
results = s.get_report()
except SoftTimeLimitExceeded as e:
error_message = (
f"job_id:{self.job_id} analyzer:{self.analyzer_name} md5:{self.md5}"
f"filename: {self.filename}. Soft Time Limit Exceeded Error {e}"
)
logger.error(error_message)
self.report["errors"].append(str(e))
self.report["success"] = False
return results
def check_shellcode_speakeasy(self, shellcode, sc):
if not SPEAKEASY_MODULE:
return # pragma: no cover
se = speakeasy.Speakeasy()
se.add_api_hook(self.hook_URLDownloadToFile,
'urlmon',
'URLDownloadToFile*')
se.add_api_hook(self.hook_WinExec,
'kernel32',
'WinExec')
address = se.load_shellcode(None, speakeasy.arch.ARCH_X86, data = sc)
se.run_shellcode(address)
if self.snippet is None:
self.snippet = self.build_snippet(shellcode)
self.log_shellcode_profile("SPEAKEASY", se.get_report())
def __init__(self,
target=None,
is_sc=False,
arch=None,
data=None,
logger=None,
se_inst=None):
super(SpeakeasyDebugger, self).__init__()
self.target = target
self.is_sc = is_sc
self.arch = arch
self.logger = logger
if not se_inst:
self.se = speakeasy.Speakeasy(logger=self.logger)
else:
self.se = se_inst
self.loaded_modules = []
self.loaded_shellcode = []
self.targets = []
self.se.add_code_hook(self.code_hook)
self.se.add_api_hook(self.api_hook, '*', '*') # hook every API
self.step = False
self.running = False
self._do_stop = False
self.exit = False
self.step_over = 0
self.next_pc = 0
self.breakpoints = {}
if self.is_sc and not self.arch:
raise DebuggerException(
'Architecture required when debugging shellcode')
if self.target:
if not self.is_sc:
# Load the initial target module
self.load_module(self.target)
else:
self.load_shellcode(self.target, self.arch)
