 def handle_memtrace(self, event):
     """Log one memory-trace event together with the current basic block.

     The eip is taken from PyFlxInstrument.registers() at the time the
     event is handled. The line starts with "Write:" when event.writes is
     truthy and with "Read: " otherwise; value and address come from the
     event itself.
     """
     bbl = PyFlxInstrument.registers()["eip"]
     if event.writes:
         fmt = "Write: 0x%x , Addr: 0x%x, BBL: 0x%x"
     else:
         fmt = "Read:  0x%x , Addr: 0x%x, BBL: 0x%x"
     self.log(fmt % (event.value, event.addr, bbl))
	def __init__(self, fromaddr, toaddr, nextaddr, process):
		"""Record one control transfer and snapshot the registers at entry.

		fromaddr/toaddr are the source and destination of the transfer,
		nextaddr the address following it (presumably the return address —
		confirm against the caller) and process the owning process object.
		entrystate is filled from PyFlxInstrument.registers() right away;
		exitstate, return_callbacks, dllname and name start empty.
		"""
		self.fromaddr, self.toaddr, self.nextaddr = fromaddr, toaddr, nextaddr
		self.process = process
		# Register file at entry; the exit snapshot is taken later.
		self.entrystate = PyFlxInstrument.registers()
		self.exitstate = None
		self.return_callbacks = []
		# Symbol information is not known at construction time.
		self.dllname = None
		self.name = None
	def handle_syscall(self, syscall):
		"""Dispatch on the name of an intercepted syscall.

		syscall.number is resolved via syscalls.getSyscallByNumber(); an
		unknown number is ignored. Every handled name is written to self.log,
		and thread/process teardown is forwarded to self.thread and
		self.logger. The names are mutually exclusive, so the branches below
		are an elif chain.
		"""
		name = syscalls.getSyscallByNumber(syscall.number)
		if name is None:
			return
		if name == "NtTerminateProcess":
			# Queue (process, cr3) for the OS model; presumably reaped later — confirm.
			cr3 = PyFlxInstrument.registers()["cr3"]
			self.os.terminating_processes.append((self, cr3))
			self.log(name)
			self.thread.terminate()
			self.logger.shutdown(self)
		elif name == "NtCreateThread":
			self.logger.info("Creating Thread")
			self.log(name)
		elif name == "NtTerminateThread":
			self.logger.info("Thread %d terminated" % self.cur_tid)
			self.log(name)
			self.thread.terminate()
		elif name in ("NtCreateProcess", "NtCreateProcessEx"):
			self.logger.info("New Process has been created by %s" % self.name)
			self.log(name)
 def handle_syscall(self, syscall):
     """Dispatch on the name of an intercepted syscall.

     syscall.number is resolved via syscalls.getSyscallByNumber(); an
     unknown number is ignored. Every handled name is written to self.log,
     and thread/process teardown is forwarded to self.thread and
     self.logger. The names are mutually exclusive, so the branches below
     are an elif chain.
     """
     name = syscalls.getSyscallByNumber(syscall.number)
     if name is None:
         return
     if name == "NtTerminateProcess":
         # Queue (process, cr3) for the OS model; presumably reaped later — confirm.
         cr3 = PyFlxInstrument.registers()["cr3"]
         self.os.terminating_processes.append((self, cr3))
         self.log(name)
         self.thread.terminate()
         self.logger.shutdown(self)
     elif name == "NtCreateThread":
         self.logger.info("Creating Thread")
         self.log(name)
     elif name == "NtTerminateThread":
         self.logger.info("Thread %d terminated" % self.cur_tid)
         self.log(name)
         self.thread.terminate()
     elif name in ("NtCreateProcess", "NtCreateProcessEx"):
         self.logger.info("New Process has been created by %s" % self.name)
         self.log(name)
 def caballero_enable(self, min_icount, threshold):
     """Switch on the backend's caballero mode.

     *min_icount* and *threshold* are forwarded unchanged; nothing is returned.
     """
     enable = PyFlxInstrument.caballero_enable
     enable(min_icount, threshold)
	def vmem_read(self, n):
		"""Forward *n* to PyFlxInstrument.vmem_read and return its result.

		The second backend argument is pinned to 4096 here; its meaning
		(presumably a size cap) is not visible from this wrapper — confirm
		against the backend before relying on it.
		"""
		limit = 4096
		data = PyFlxInstrument.vmem_read(n, limit)
		return data
 def filter_filtered(self, addr):
     """Return whatever PyFlxInstrument.filtered() reports for *addr*."""
     is_filtered = PyFlxInstrument.filtered(addr)
     return is_filtered
 def filter_add(self, start, stop):
     """Register the address range start..stop with the backend filter; returns nothing."""
     add = PyFlxInstrument.filter_add
     add(start, stop)
	def caballero_disable(self):
		"""Switch off the backend's caballero mode; returns nothing."""
		disable = PyFlxInstrument.caballero_disable
		disable()
	def set_context(self, pid, tid):
		"""Tell the backend which pid/tid is current; returns nothing.

		NOTE(review): only two arguments are passed here, whereas the
		activate() helper in this corpus passes a third procname argument —
		the backend signature is not visible, confirm which form it expects.
		"""
		set_ctx = PyFlxInstrument.set_context
		set_ctx(pid, tid)
 def functionentropy_enable(self, threshold):
     """Switch on the backend's function-entropy mode with *threshold*; returns nothing."""
     enable = PyFlxInstrument.functionentropy_enable
     enable(threshold)
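	def filter_del(self, start, end):
		"""Remove the address range start..end from the backend filter; returns nothing.

		*end* is forwarded as the range end. The previous body referenced an
		undefined name (``stop``) and therefore raised NameError on every call.
		"""
		PyFlxInstrument.filter_del(start, end)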
 def functiontrace_disable(self):
     """Switch off the backend's function tracing; returns nothing."""
     disable = PyFlxInstrument.functiontrace_disable
     disable()
 def set_context(self, pid, tid):
     """Tell the backend which pid/tid is current; returns nothing.

     NOTE(review): only two arguments are passed here, whereas the
     activate() helper in this corpus passes a third procname argument —
     the backend signature is not visible, confirm which form it expects.
     """
     set_ctx = PyFlxInstrument.set_context
     set_ctx(pid, tid)
 def arithwindow_disable(self):
     """Switch off the backend's arithmetic-window mode; returns nothing."""
     disable = PyFlxInstrument.arithwindow_disable
     disable()
 def arithwindow_enable(self, window_size, threshold):
     """Switch on the backend's arithmetic-window mode.

     *window_size* and *threshold* are forwarded unchanged; nothing is returned.
     """
     enable = PyFlxInstrument.arithwindow_enable
     enable(window_size, threshold)
 def caballero_disable(self):
     """Switch off the backend's caballero mode; returns nothing."""
     disable = PyFlxInstrument.caballero_disable
     disable()
	def memtrace_disable(self):
		"""Switch off the backend's memory tracing; returns nothing."""
		disable = PyFlxInstrument.memtrace_disable
		disable()
 def functionentropy_disable(self):
     """Switch off the backend's function-entropy mode; returns nothing."""
     disable = PyFlxInstrument.functionentropy_disable
     disable()
	def filter_disable(self):
		"""Switch off the backend's address filter; returns nothing."""
		disable = PyFlxInstrument.filter_disable
		disable()
 def codesearch_enable(self):
     """Switch on the backend's code search; returns nothing."""
     enable = PyFlxInstrument.codesearch_enable
     enable()
	def bbltrace_disable(self):
		"""Switch off the backend's basic-block tracing; returns nothing."""
		disable = PyFlxInstrument.bbltrace_disable
		disable()
 def constsearch_pattern(self, pattern):
     """Hand *pattern* to the backend's constant search unchanged; returns nothing."""
     set_pattern = PyFlxInstrument.constsearch_pattern
     set_pattern(pattern)
	def arithwindow_disable(self):
		"""Switch off the backend's arithmetic-window mode; returns nothing."""
		disable = PyFlxInstrument.arithwindow_disable
		disable()
 def constsearch_disable(self):
     """Switch off the backend's constant search; returns nothing."""
     disable = PyFlxInstrument.constsearch_disable
     disable()
	def functionentropy_disable(self):
		"""Switch off the backend's function-entropy mode; returns nothing."""
		disable = PyFlxInstrument.functionentropy_disable
		disable()
	def syscall_hook(self, number):
		"""Ask the backend to hook syscall *number*; returns nothing."""
		hook = PyFlxInstrument.syscall_hook
		hook(number)
	def breakpoint_insert(self, addr):
		"""Arm a backend breakpoint at *addr*; returns nothing."""
		insert = PyFlxInstrument.breakpoint_insert
		insert(addr)
	def dump_enable(self, path):
		"""Switch on backend dumping to *path*; returns nothing.

		The path is passed through as-is — no normalisation or existence
		check happens in this wrapper.
		"""
		enable = PyFlxInstrument.dump_enable
		enable(path)
 def constsearch_search(self):
     """Trigger the backend's constant search; returns nothing."""
     search = PyFlxInstrument.constsearch_search
     search()
 def bbltrace_disable(self):
     """Switch off the backend's basic-block tracing; returns nothing."""
     disable = PyFlxInstrument.bbltrace_disable
     disable()
	def deactivate(self):
		"""Turn backend instrumentation off (active flag 0); returns nothing."""
		set_active = PyFlxInstrument.set_instrumentation_active
		set_active(0)
 def breakpoint_insert(self, addr):
     """Arm a backend breakpoint at *addr*; returns nothing."""
     insert = PyFlxInstrument.breakpoint_insert
     insert(addr)
	def dump_disable(self):
		"""Switch off backend dumping; returns nothing."""
		disable = PyFlxInstrument.dump_disable
		disable()
 def breakpoint_delete(self, addr):
     """Disarm the backend breakpoint at *addr*; returns nothing."""
     delete = PyFlxInstrument.breakpoint_delete
     delete(addr)
	def read_process(self, process, address, len):
		"""Read *len* bytes at *address* from the address space of *process*.

		process.cr3 selects the page table for the backend call. A
		RuntimeError raised by the backend (or by the cr3 lookup) is turned
		into a None result — this is deliberate best-effort behaviour, so
		callers must check for None. Note that the parameter is named ``len``
		and shadows the builtin inside this method.
		"""
		try:
			data = PyFlxInstrument.vmem_read_process(process.cr3, address, len)
		except RuntimeError:
			return None
		else:
			return data
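 def addBreakpoint(self, addr, handler):
     """Register *handler* for the breakpoint at *addr*.

     The mapping (this dict subclass) is addr -> set of handlers. The
     backend breakpoint is only armed the first time an address is seen;
     further handlers for an already-armed address are just added to its
     set. Uses ``in`` instead of the Python-2-only ``has_key`` so the check
     works on both interpreters.
     """
     if addr not in self:
         # First handler for this address: arm the backend breakpoint too.
         self[addr] = set()
         PyFlxInstrument.breakpoint_insert(addr)
     self[addr].add(handler)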
	def retranslate(self):
		"""Ask the backend to retranslate; returns nothing."""
		retranslate = PyFlxInstrument.retranslate
		retranslate()
 def register(self, register):
     """Return the value of the named register from a fresh backend snapshot.

     *register* is used as the key into PyFlxInstrument.registers(); an
     unknown name raises KeyError.
     """
     return PyFlxInstrument.registers()[register]
	def filter_add(self, start, stop):
		"""Register the address range start..stop with the backend filter; returns nothing."""
		add = PyFlxInstrument.filter_add
		add(start, stop)
 def creg(self, register):
     """Return the backend's value for control register *register*."""
     value = PyFlxInstrument.creg(register)
     return value
	def filter_filtered(self, addr):
		"""Return whatever PyFlxInstrument.filtered() reports for *addr*."""
		is_filtered = PyFlxInstrument.filtered(addr)
		return is_filtered
 def eip(self):
     """Return the current instruction pointer as reported by the backend."""
     current = PyFlxInstrument.eip()
     return current
	def caballero_enable(self, min_icount, threshold):
		"""Switch on the backend's caballero mode.

		*min_icount* and *threshold* are forwarded unchanged; nothing is returned.
		"""
		enable = PyFlxInstrument.caballero_enable
		enable(min_icount, threshold)
 def genreg(self, index):
     """Return the backend's value for general-purpose register number *index*."""
     value = PyFlxInstrument.genreg(index)
     return value
	def arithwindow_enable(self, window_size, threshold):
		"""Switch on the backend's arithmetic-window mode.

		*window_size* and *threshold* are forwarded unchanged; nothing is returned.
		"""
		enable = PyFlxInstrument.arithwindow_enable
		enable(window_size, threshold)
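 def delBreakpoint(self, addr, handler):
     """Unregister *handler* from the breakpoint at *addr*.

     The mapping (this dict subclass) is addr -> set of handlers, as built
     by addBreakpoint. The handler is removed from that address only; once
     no handler is left the entry is dropped and the backend breakpoint is
     disarmed, so a later addBreakpoint for the same address arms it again.
     An unknown address or a handler that was never registered is a no-op.

     The previous body shadowed *addr* with the loop variable and ignored
     the parameter entirely, removed the handler from every address, and
     left empty sets behind — which both re-issued breakpoint_delete for
     stale addresses on every call and stopped addBreakpoint from ever
     re-arming those addresses.
     """
     handlers = self.get(addr)
     if handlers is None:
         return
     handlers.discard(handler)
     if not handlers:
         # Drop the key too: addBreakpoint only arms the backend breakpoint
         # when the address is absent from the mapping.
         del self[addr]
         PyFlxInstrument.breakpoint_delete(addr)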
	def functiontrace_disable(self):
		"""Switch off the backend's function tracing; returns nothing."""
		disable = PyFlxInstrument.functiontrace_disable
		disable()
	def constsearch_pattern(self, pattern):
		"""Hand *pattern* to the backend's constant search unchanged; returns nothing."""
		set_pattern = PyFlxInstrument.constsearch_pattern
		set_pattern(pattern)
	def functionentropy_enable(self, threshold):
		"""Switch on the backend's function-entropy mode with *threshold*; returns nothing."""
		enable = PyFlxInstrument.functionentropy_enable
		enable(threshold)
	def activate(self, pid, tid, procname):
		"""Turn backend instrumentation on and bind it to pid/tid/procname.

		The active flag is set to 1 first; *procname* is coerced with str()
		before it is handed to set_context together with *pid* and *tid*.
		Returns nothing.
		"""
		PyFlxInstrument.set_instrumentation_active(1)
		name = str(procname)
		PyFlxInstrument.set_context(pid, tid, name)
	def codesearch_enable(self):
		"""Switch on the backend's code search; returns nothing."""
		enable = PyFlxInstrument.codesearch_enable
		enable()
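 def filter_del(self, start, end):
     """Remove the address range start..end from the backend filter; returns nothing.

     *end* is forwarded as the range end. The previous body referenced an
     undefined name (``stop``) and therefore raised NameError on every call.
     """
     PyFlxInstrument.filter_del(start, end)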
	def constsearch_disable(self):
		"""Switch off the backend's constant search; returns nothing."""
		disable = PyFlxInstrument.constsearch_disable
		disable()
	def doReturn(self):
		"""Snapshot the registers at return time and fire the return callbacks.

		exitstate is overwritten with PyFlxInstrument.registers(); then every
		entry of self.return_callbacks is called with this object as its
		only argument, in list order. The list itself is iterated live, so a
		callback that appends to it will have the appended entry run too.
		"""
		self.exitstate = PyFlxInstrument.registers()
		for on_return in self.return_callbacks:
			on_return(self)
	def constsearch_search(self):
		"""Trigger the backend's constant search; returns nothing."""
		search = PyFlxInstrument.constsearch_search
		search()
	def retval(self):
		"""Snapshot the registers at return time and return eax.

		The snapshot is stored in self.exitstate as a side effect; eax is
		read from that same snapshot (the conventional x86 return register).
		"""
		regs = PyFlxInstrument.registers()
		self.exitstate = regs
		return regs["eax"]
	def breakpoint_delete(self, addr):
		"""Disarm the backend breakpoint at *addr*; returns nothing."""
		delete = PyFlxInstrument.breakpoint_delete
		delete(addr)
 def filter_disable(self):
     """Switch off the backend's address filter; returns nothing."""
     disable = PyFlxInstrument.filter_disable
     disable()