def add_breakpoint(guid: Guid, event: Event):
    """
    Install a software breakpoint on ntdll!EtwEventWrite that only stops
    for one (provider GUID, event id) pair.

    The filter is an IDA Python breakpoint *condition*: the snippet below is
    assembled as source text and evaluated by the IDA debugger each time the
    breakpoint is hit. ``event.event_id``, ``guid.raw`` and ``str(guid)`` are
    spliced into that source with ``%s``, so they become executable code
    rather than data -- they must be well-formed values from a trusted
    source (assumed: an int, a bytes object whose repr is a valid literal,
    and a printable GUID string -- confirm against the Guid/Event types).

    :param guid: provider GUID; ``.raw`` is compared with the 16 bytes read
        from the provider structure reached through RCX.
    :param event: event descriptor; ``.event_id`` is compared with the
        16-bit little-endian id read through RDX.
    """
    bpt = idaapi.bpt_t()
    bpt.set_sym_bpt("ntdll_EtwEventWrite", 0)

    # Template evaluated inside the debugger on every hit; dedent runs before
    # the %-substitution, so the placeholders survive untouched.
    condition_template = textwrap.dedent("""
    import idaapi
    import idc

    rdx = idaapi.regval_t()
    idaapi.get_reg_val('RDX',rdx)
    event_id = int.from_bytes(idc.get_bytes(rdx.ival, 2), "little")

    rcx = idaapi.regval_t()
    idaapi.get_reg_val('RCX',rcx)
    provider_guid = idc.get_bytes((rcx.ival & 0xFFFFFFFFFFFF) + 0x20, 16)

    if event_id == %s and provider_guid == %s:
        print(f"[ETWBreaker] break on Provider {{%s}} EventId ({event_id})")
        return True
    else:
        return False
    """)
    filter_code = condition_template % (event.event_id, guid.raw, guid)

    bpt.condition = filter_code
    bpt.elang = "Python"
    idaapi.add_bpt(bpt)
 def set(self, break_p=False):
     """
     Arm this breakpoint in the IDA debugger.

     A software breakpoint is placed at ``self.address`` and enabled; the
     breakpoint record is then fetched back and given this object's
     condition language (``self.elang``) and condition text.

     :param break_p: accepted for interface compatibility; not used here.
     """
     ea = self.address
     idaapi.add_bpt(ea, 0, idc.BPT_SOFT)
     idaapi.enable_bpt(ea, True)
     # The condition goes through a bpt_t record so elang can be set alongside it.
     record = idaapi.bpt_t()
     idaapi.get_bpt(ea, record)
     record.elang = self.elang
     record.condition = self.condition.get_text()
     idaapi.update_bpt(record)
def set_qira_address(la):
  """
  Move the QIRA marker breakpoint to address ``la``.

  If the module global ``qira_address`` already tracks a valid address, the
  breakpoint there is removed first. A software breakpoint is then placed at
  the new address and left disabled (presumably it only serves as a marker
  rather than a stop -- confirm with the caller).
  """
  global qira_address
  previous = qira_address
  if previous is not None and previous != BADADDR:
    idaapi.del_bpt(idaapi.toEA(0, previous))
  qira_address = la
  idaapi.add_bpt(la, 0, BPT_SOFT)
  EnableBpt(la, False)
File: idbg.py Project: heruix/IDBG
	def AddBp(self, base0_addr, addr):
		"""
		Ask the WinDbg side to add a breakpoint, then mirror it locally in IDA.

		Nothing happens unless the key with virtual-key code 0x4a is held down
		(presumably the 'J' key -- confirm against the tool's key binding).
		The request is the tag 'a' followed by the image-relative address
		packed as a 32-bit little-endian value, written to the shared memory
		region ``self.bps_shared_memory``. On a positive response the address
		is recorded in ``self.bp_list`` and a soft breakpoint is added and
		enabled in IDA. A NUL byte is written to the start of the region
		afterwards regardless of the outcome.

		:param base0_addr: address relative to image base 0, sent to WinDbg.
		:param addr: address in IDA's address space for the local breakpoint.
		"""
		if is_key_down(0x4a) == 0:
			return

		request = 'a' + struct.pack('<L', base0_addr)  # TODO handle 64bit
		WriteToBeginningOfMmap(self.bps_shared_memory, request)

		if self.GetWindbgResponse('a'):
			self.bp_list.append(addr)
			idaapi.add_bpt(addr, 0, BPT_SOFT)
			EnableBpt(addr, True)
			print("sent ", 'a' + hex(base0_addr), "to WinDbg")
		else:
			print("Failed to add the Breakpoint on WinDbg, try Breaking before adding a Bp")

		WriteToBeginningOfMmap(self.bps_shared_memory, "\x00")
 def set_qira_address(self, sea):
     """
     Point the QIRA marker at ``sea``.

     Any breakpoint left at the previously tracked address is removed first
     (only when IDA reports one there), then ``self.qira_address`` is updated
     and a disabled software breakpoint is placed at it. With the module
     level ``DEBUG`` flag set, the new address is logged via idaapi.msg.
     """
     old = self.qira_address
     if old is not None and old != idc.BADADDR:
         old_ea = idaapi.toEA(0, old)
         # CheckBpt yields -1 when no breakpoint exists at the address.
         if idc.CheckBpt(old_ea) != -1:
             idaapi.del_bpt(old_ea)
     self.qira_address = sea
     idaapi.add_bpt(sea, 0, idaapi.BPT_SOFT)
     idc.EnableBpt(sea, False)
     if DEBUG:
         idaapi.msg("[%s] set_qira_address: 0x%x\n" % (self.wanted_name, sea))
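def _toggle_bpt(ea):
    """
    Flip the software breakpoint at ``ea``: delete it if one is present,
    otherwise add and enable one. Return True when a breakpoint was added.
    """
    if CheckBpt(ea) > 0:
        idaapi.del_bpt(ea)
        print("=> 0x%08x - Deleted BP" % ea)
        return False
    idaapi.add_bpt(ea, 0, BPT_SOFT)
    EnableBpt(ea, True)
    # One message for every site (one branch used to print "= Added BP").
    print("=> 0x%08x - Added BP" % ea)
    return True


def iatCallback(addr, name, ord):  # Don't care about ord, but required for enum_import_names
    """
    enum_import_names callback: toggle breakpoints on the call sites of an
    imported function whose name is in the module-level ``bannedList``.

    Each import name is handled once (it is recorded in ``checked``). The
    xrefs to the IAT slot decide how call sites are found:
      * Code_Near_Call -> code refs to the slot itself (first such xref only);
      * Data_Read      -> code refs of each data ref to the slot, but only
                          while ``codeflag`` is still 0;
      * Code_Near_Jump -> data refs are reported as GOT hits, then code refs
                          of the code refs to the slot are toggled.
    Every site that already has a breakpoint gets it deleted; every other
    site gets a soft breakpoint added and enabled and is appended to
    ``checked``. Other xref types are ignored.

    Module globals written: ``bpflag`` (1 once any breakpoint was added),
    ``codeflag`` (1 for call, 2 for jump) and ``checked``.
    print() is used in single-argument form so this runs on Python 2 and 3.

    :return: True, so enum_import_names keeps iterating.
    """
    global bpflag, codeflag, checked, bannedList  # Function got a bit out of hand. Sorry.

    if name in bannedList and name not in checked:
        checked.append(name)
        seen_call = False
        for xref in XrefsTo(addr, 0):
            kind = XrefTypeName(xref.type)
            if kind == "Code_Near_Call" and not seen_call:
                print("\nFound function %s in IAT at 0x%08x" % (name, addr))
                print("*** calls to %s ***" % name)
                seen_call = True
                codeflag = 1
                for site in CodeRefsTo(addr, 1):  # Ref to IAT should be of type code.
                    if _toggle_bpt(site):
                        checked.append(site)
                        bpflag = 1
            elif kind == "Data_Read" and codeflag == 0:
                print("\nFound function %s in IAT at 0x%08x" % (name, addr))
                print("*** calls to %s ***" % name)
                for ref in DataRefsTo(addr):  # Ref to IAT should be of type data.
                    for site in CodeRefsTo(ref, 1):
                        if _toggle_bpt(site):
                            checked.append(site)
                            bpflag = 1
            elif kind == "Code_Near_Jump":
                for ref in DataRefsTo(addr):
                    print("\n Found function %s in GOT at 0x%08x" % (name, ref))
                    print("*** calls to %s ***" % name)
                    codeflag = 2
                for ref in CodeRefsTo(addr, 1):
                    for site in CodeRefsTo(ref, 1):
                        if _toggle_bpt(site):
                            checked.append(site)
                            bpflag = 1
            # Need to compensate for other xref types: they are skipped.

    return True  # Has to be here for the callback.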
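def _toggle_bpt(ea):
    """
    Flip the software breakpoint at ``ea``: delete it if one is present,
    otherwise add and enable one. Return True when a breakpoint was added.
    """
    if CheckBpt(ea) > 0:
        idaapi.del_bpt(ea)
        print("=> 0x%08x - Deleted BP" % ea)
        return False
    idaapi.add_bpt(ea, 0, BPT_SOFT)
    EnableBpt(ea, True)
    # One message for every site (one branch used to print "= Added BP").
    print("=> 0x%08x - Added BP" % ea)
    return True


def iatCallback(addr, name, ord):  # Don't care about ord, but required for enum_import_names
    """
    enum_import_names callback: toggle breakpoints on the call sites of an
    imported function whose name is in the module-level ``bannedList``.

    Each import name is handled once (it is recorded in ``checked``). The
    xrefs to the IAT slot decide how call sites are found:
      * Code_Near_Call -> code refs to the slot itself (first such xref only);
      * Data_Read      -> code refs of each data ref to the slot, but only
                          while ``codeflag`` is still 0;
      * Code_Near_Jump -> data refs are reported as GOT hits, then code refs
                          of the code refs to the slot are toggled.
    Every site that already has a breakpoint gets it deleted; every other
    site gets a soft breakpoint added and enabled and is appended to
    ``checked``. Other xref types are ignored.

    Module globals written: ``bpflag`` (1 once any breakpoint was added),
    ``codeflag`` (1 for call, 2 for jump) and ``checked``.
    print() is used in single-argument form so this runs on Python 2 and 3.

    :return: True, so enum_import_names keeps iterating.
    """
    global bpflag, codeflag, checked, bannedList  # Function got a bit out of hand. Sorry.

    if name in bannedList and name not in checked:
        checked.append(name)
        seen_call = False
        for xref in XrefsTo(addr, 0):
            kind = XrefTypeName(xref.type)
            if kind == "Code_Near_Call" and not seen_call:
                print("\nFound function %s in IAT at 0x%08x" % (name, addr))
                print("*** calls to %s ***" % name)
                seen_call = True
                codeflag = 1
                for site in CodeRefsTo(addr, 1):  # Ref to IAT should be of type code.
                    if _toggle_bpt(site):
                        checked.append(site)
                        bpflag = 1
            elif kind == "Data_Read" and codeflag == 0:
                print("\nFound function %s in IAT at 0x%08x" % (name, addr))
                print("*** calls to %s ***" % name)
                for ref in DataRefsTo(addr):  # Ref to IAT should be of type data.
                    for site in CodeRefsTo(ref, 1):
                        if _toggle_bpt(site):
                            checked.append(site)
                            bpflag = 1
            elif kind == "Code_Near_Jump":
                for ref in DataRefsTo(addr):
                    print("\n Found function %s in GOT at 0x%08x" % (name, ref))
                    print("*** calls to %s ***" % name)
                    codeflag = 2
                for ref in CodeRefsTo(addr, 1):
                    for site in CodeRefsTo(ref, 1):
                        if _toggle_bpt(site):
                            checked.append(site)
                            bpflag = 1
            # Need to compensate for other xref types: they are skipped.

    return True  # Has to be here for the callback.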
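# Locate the in-code call site of API_FUNC_TO_BP_NAME (VirtualAlloc), then put
# an enabled software breakpoint on the instruction that follows it.
# print() is used in single-argument form so this runs on Python 2 and 3.
print("[+] Address of start function: 0x%08x" % start)

print("[*] Getting address of VirtualAlloc in code")

virtualAllocInCode = getAddrOfFunctionInCode(API_FUNC_TO_BP_NAME)
# Only the first hit is used; assumes a non-empty sequence of addresses --
# TODO confirm what getAddrOfFunctionInCode returns when nothing is found.
print("[+] Address in code of VirtualAlloc: 0x%08X" % virtualAllocInCode[0])

# Break on the instruction after the call site (presumably so the call has
# returned and its result can be read from EAX, as the loop below does).
placeForBreakPoint = idc.NextHead(virtualAllocInCode[0])

print("[+] Address to Set Breakpoint: 0x%08X" % placeForBreakPoint)

print("[+] Setting Breakpoint")

idaapi.add_bpt(placeForBreakPoint, 0, idaapi.BPT_SOFT)  # set the breakpoint
idaapi.enable_bpt(placeForBreakPoint, True)
print("[+] Breakpoint set")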

while (1):
    try:
        idc.StartDebugger("", "", "")
        idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
        print "[+] Waiting for the start of debugger..."
        time.sleep(15)
        eax_value = idc.GetRegValue("EAX")

        print "[+] Value of EAX: 0x%08x" % eax_value

        if eax_value == VALUE_TO_GET:
            break