def parse_float_function(self, b, value, offset): for index in range(0, len(b)): try: structtype, structlen = utils.type_unpack('float') tmpval = struct.unpack(structtype, b[index:index + 4])[0] if int(value) == int(tmpval): soffset = offset + index yield self.Address(soffset, 'float') except Exception as e: pass
def read(self, address, type = 'uint', maxlen = 50): if type == 's' or type == 'string': s = self.read_bytes(int(address), bytes=maxlen) news = '' for c in s: if c == '\x00': return news news += c raise ProcessException('string > maxlen') else: if type == 'bytes' or type == 'b': return self.read_bytes(int(address), bytes=maxlen) s, l = utils.type_unpack(type) return struct.unpack(s, self.read_bytes(int(address), bytes=l))[0]
def mem_search(self, value, ftype = 'match', protec = PAGE_READWRITE | PAGE_READONLY, start_offset = None, end_offset = None): """ iterator returning all indexes where the pattern has been found """ ftype = ftype.lower().strip() if type(value) is list: ftype = 'group' if ftype == 're': if type(value) is str: regex = re.compile(value) else: regex = value if start_offset is None: offset = self.start_offset else: offset = start_offset if end_offset is None: end_offset = self.end_offset if ftype == 'float': structtype, structlen = utils.type_unpack(ftype) elif ftype != 'match' and ftype != 'group' and ftype != 're': structtype, structlen = utils.type_unpack(ftype) value = struct.pack(structtype, value) while True: if offset >= end_offset: break totalread = 0 mbi = self.process.VirtualQueryEx(offset) offset = mbi.BaseAddress chunk = mbi.RegionSize protect = mbi.Protect state = mbi.State if state & MEM_FREE or state & MEM_RESERVE: offset += chunk continue if protec: if not protect & protec or protect & PAGE_NOCACHE or protect & PAGE_WRITECOMBINE or protect & PAGE_GUARD: offset += chunk continue b = '' try: b = self.process.read_bytes(offset, chunk) totalread = len(b) except Exception as e: logger.warning(e) offset += chunk continue if b: if ftype == 're': duplicates_cache = set() for res in regex.findall(b): index = b.find(res) while index != -1: soffset = offset + index if soffset not in duplicates_cache: duplicates_cache.add(soffset) yield self.Address(soffset, 'bytes') index = b.find(res, index + len(res)) elif ftype == 'float': for index in range(0, len(b)): try: tmpval = struct.unpack(structtype, b[index:index + 4])[0] if int(value) == int(tmpval): soffset = offset + index yield self.Address(soffset, 'float') except Exception as e: pass else: index = b.find(value) while index != -1: soffset = offset + index yield self.Address(soffset, 'bytes') index = b.find(value, index + 1) offset += totalread
def write(self, address, data, type = 'uint'): if type != 'bytes': s, l = utils.type_unpack(type) return self.write_bytes(int(address), struct.pack(s, data)) else: return self.write_bytes(int(address), data)
def mem_search(self, value, ftype='match', protec=PAGE_READWRITE | PAGE_READONLY, optimizations=None, start_offset=None, end_offset=None): """ iterator returning all indexes where the pattern has been found """ # pre-compile regex to run faster if ftype == 're' or ftype == 'groups' or ftype == 'ngroups': # value should be an array of regex if type(value) is not list: value = [value] tmp = [] for reg in value: if type(reg) is tuple: name = reg[0] if type(reg[1]) != REGEX_TYPE: regex = re.compile(reg[1], re.IGNORECASE) else: regex = reg[1] elif type(reg) == REGEX_TYPE: name = '' regex = reg else: name = '' regex = re.compile(reg, re.IGNORECASE) tmp.append((name, regex)) value = tmp elif ftype != 'match' and ftype != 'group' and ftype != 're' and ftype != 'groups' and ftype != 'ngroups': structtype, structlen = utils.type_unpack(ftype) value = struct.pack(structtype, value) # different functions avoid if statement before parsing the buffer if ftype == 're': func = self.parse_re_function elif ftype == 'groups': func = self.parse_groups_function elif ftype == 'ngroups': func = self.parse_named_groups_function elif ftype == 'float': func = self.parse_float_function else: func = self.parse_any_function if not self.process.isProcessOpen: raise ProcessException("Can't read_bytes, process %s is not open" % (self.process.pid)) for offset, chunk_size in self.process.iter_region( start_offset=start_offset, end_offset=end_offset, protec=protec, optimizations=optimizations): b = '' current_offset = offset chunk_read = 0 chunk_exc = False while chunk_read < chunk_size: try: b += self.process.read_bytes(current_offset, chunk_size) except IOError as e: print traceback.format_exc() if e.errno == 13: raise else: logger.warning(e) chunk_exc = True break except Exception as e: logger.warning(e) chunk_exc = True break finally: current_offset += chunk_size chunk_read += chunk_size if chunk_exc: continue if b: for res in func(b, value, offset): yield res
def mem_search(self, value, ftype='match', protec=PAGE_READWRITE | PAGE_READONLY, start_offset=None, end_offset=None): """ iterator returning all indexes where the pattern has been found """ ftype = ftype.lower().strip() if type(value) is list: ftype = 'group' if ftype == 're': if type(value) is str: regex = re.compile(value) else: regex = value if ftype == 'float': structtype, structlen = utils.type_unpack(ftype) elif ftype != 'match' and ftype != 'group' and ftype != 're': structtype, structlen = utils.type_unpack(ftype) value = struct.pack(structtype, value) for offset, chunk in self.process.iter_region( start_offset=start_offset, end_offset=end_offset, protec=protec): b = '' totalread = 0 current_offset = offset chunk_size = 10000000 chunk_read = 0 chunk_exc = False while chunk_read < chunk: try: if chunk_size > chunk: chunk_size = chunk b += self.process.read_bytes(current_offset, chunk_size) totalread += chunk_size except IOError as e: print traceback.format_exc() if e.errno == 13: raise else: logger.warning(e) chunk_exc = True break except Exception as e: logger.warning(e) chunk_exc = True break finally: current_offset += chunk_size chunk_read += chunk_size if chunk_exc: continue if b: if ftype == 're': duplicates_cache = set() for res in regex.findall(b): index = b.find(res) while index != -1: soffset = offset + index if soffset not in duplicates_cache: duplicates_cache.add(soffset) yield self.Address(soffset, 'bytes') index = b.find(res, index + len(res)) elif ftype == 'float': for index in range(0, len(b)): try: tmpval = struct.unpack(structtype, b[index:index + 4])[0] if int(value) == int(tmpval): soffset = offset + index yield self.Address(soffset, 'float') except Exception as e: pass else: index = b.find(value) while index != -1: soffset = offset + index yield self.Address(soffset, 'bytes') index = b.find(value, index + 1)
def mem_search(self, value, ftype = 'match', protec = PAGE_READWRITE | PAGE_READONLY, optimizations=None, start_offset = None, end_offset = None): """ iterator returning all indexes where the pattern has been found """ # pre-compile regex to run faster if ftype == 're' or ftype == 'groups' or ftype == 'ngroups': # value should be an array of regex if type(value) is not list: value = [value] tmp = [] for reg in value: if type(reg) is tuple: name = reg[0] if type(reg[1]) != REGEX_TYPE: regex = re.compile(reg[1], re.IGNORECASE) else: regex=reg[1] elif type(reg) == REGEX_TYPE: name = '' regex=reg else: name = '' regex = re.compile(reg, re.IGNORECASE) tmp.append((name, regex)) value = tmp elif ftype != 'match' and ftype != 'group' and ftype != 're' and ftype != 'groups' and ftype != 'ngroups' and ftype != 'lambda': structtype, structlen = utils.type_unpack(ftype) value = struct.pack(structtype, value) # different functions avoid if statement before parsing the buffer if ftype == 're': func = self.parse_re_function elif ftype == 'groups': func = self.parse_groups_function elif ftype == 'ngroups': func = self.parse_named_groups_function elif ftype == 'float': func = self.parse_float_function elif ftype == 'lambda': # use a custm function func = value else: func = self.parse_any_function if not self.process.isProcessOpen: raise ProcessException("Can't read_bytes, process %s is not open" % (self.process.pid)) for offset, chunk_size in self.process.iter_region(start_offset=start_offset, end_offset=end_offset, protec=protec, optimizations=optimizations): b = '' current_offset = offset chunk_read = 0 chunk_exc = False while chunk_read < chunk_size: try: b += self.process.read_bytes(current_offset, chunk_size) except IOError as e: print traceback.format_exc() if e.errno == 13: raise else: logger.warning(e) chunk_exc=True break except Exception as e: logger.warning(e) chunk_exc = True break finally: current_offset += chunk_size chunk_read += chunk_size if chunk_exc: continue if b: if ftype=="lambda": for res in func(b, offset): yield res else: for res in func(b, value, offset): yield res