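def delete_breakpoint(symbol: str) -> bool:
    """Delete the symbol-based breakpoint registered for ``symbol``, if any.

    The lookup goes through a ``bpt_location_t`` initialised with
    ``set_sym_bpt`` so it matches breakpoints that were created by symbol
    name rather than by a fixed address.

    Args:
        symbol: Name of the symbol the breakpoint was set on.

    Returns:
        True when a breakpoint existed at that location and ``del_bpt``
        reported success, False otherwise (no breakpoint, or deletion
        refused by IDA).
    """
    location = idaapi.bpt_location_t()
    location.set_sym_bpt(symbol)
    # The second argument is the optional output bpt_t; None means we only
    # want the yes/no answer.
    if not idaapi.find_bpt(location, None):
        return False
    return bool(idaapi.del_bpt(location))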
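def set_qira_address(la):
    """Move the (disabled) QIRA marker breakpoint to ``la``.

    The previously recorded marker, if the module global ``qira_address``
    holds a real address, is removed first.  The new breakpoint is added as
    a software breakpoint and immediately disabled, so it marks the address
    in the breakpoint list without ever stopping the debugger.

    Args:
        la: Linear address to mark.

    Side effects:
        Rebinds the module global ``qira_address`` to ``la`` and edits the
        debugger's breakpoint list.
    """
    global qira_address
    # Only touch the old breakpoint when a real address was recorded.  The
    # original fell through with ea = 0 and deleted whatever breakpoint sat
    # at address 0 when nothing had been recorded yet.
    if qira_address is not None and qira_address != BADADDR:
        idaapi.del_bpt(idaapi.toEA(0, qira_address))
    qira_address = la
    idaapi.add_bpt(qira_address, 0, BPT_SOFT)
    # Disabled on purpose: the breakpoint is a marker, not a stop.
    EnableBpt(qira_address, False)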
def set_qira_address(self, sea):
    """Point the QIRA marker breakpoint at ``sea``.

    Any breakpoint still sitting at the previously recorded
    ``self.qira_address`` is removed before the new, disabled software
    breakpoint is installed.  With ``DEBUG`` set, the new address is echoed
    to the IDA output window.
    """
    previous = self.qira_address
    have_previous = previous is not None and previous != idc.BADADDR
    if have_previous:
        old_ea = idaapi.toEA(0, previous)
        # CheckBpt() answers -1 when no breakpoint exists at that address.
        if idc.CheckBpt(old_ea) != -1:
            idaapi.del_bpt(old_ea)
    # Record the new address and install it as a disabled marker breakpoint.
    self.qira_address = sea
    idaapi.add_bpt(self.qira_address, 0, idaapi.BPT_SOFT)
    idc.EnableBpt(self.qira_address, False)
    if DEBUG:
        idaapi.msg("[%s] set_qira_address: 0x%x\n" % (self.wanted_name, self.qira_address,))
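def delete_bp(adr):
    """Remove the breakpoint at ``adr`` and report whether IDA removed one.

    Args:
        adr: Effective address of the breakpoint.

    Returns:
        The result of ``idaapi.del_bpt``: True on removal, False when no
        breakpoint existed at ``adr``.  The original discarded this value,
        so callers could not tell a no-op from a real deletion.
    """
    return idaapi.del_bpt(adr)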
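def delete(self):
    """Remove this object's breakpoint from the debugger.

    Uses ``self.address`` as the breakpoint's effective address.

    Returns:
        The result of ``idaapi.del_bpt``: True on removal, False when no
        breakpoint existed at ``self.address``; the original discarded it.
    """
    return idaapi.del_bpt(self.address)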
def iatCallback( addr, name, ord): # Don't care about ord, but required for enum_import_names
    """Toggle software breakpoints on every call site of a watched import.

    Meant as the callback for ``enum_import_names``: ``addr`` is the IAT
    slot, ``name`` the imported function.  Imports listed in the module
    global ``bannedList`` and not yet in ``checked`` are processed once;
    each call site found through the cross-references gets a breakpoint
    added (and enabled) if none exists, or deleted if one does.

    Module globals touched: ``bpflag`` (a breakpoint was toggled),
    ``codeflag`` (which reference shape was found), ``checked`` (names and
    addresses already handled).

    Python 2 source (print statements).  NOTE(review): the block nesting
    below was reconstructed from a one-line listing; in particular the
    positions of the ``bpflag = 1`` assignments and of ``codeflag = 2`` in
    the GOT branch are inferred — confirm against the original file.

    Returns:
        True, always, so the enumeration continues.
    """
    global bpflag, codeflag, checked, bannedList
    # Function got a bit out of hand. Sorry.
    if name in bannedList and name not in checked:
        checked.append(name)
        loopflag = 0
        xref = XrefsTo(addr, 0)
        for checkXrefType in xref:
            # Direct calls through the IAT slot (loopflag keeps this branch
            # from running twice for the same import).
            if XrefTypeName( checkXrefType.type) == "Code_Near_Call" and loopflag != 1:
                print "\nFound function %s in IAT at 0x%08x" % (name, addr)
                print "*** calls to %s ***" % name
                loopflag = 1
                codeflag = 1
                xref = CodeRefsTo(addr, 1) # Ref to IAT should be of type code.
                for lines in xref:
                    if CheckBpt(lines) > 0: # Adding or deleting BP's
                        idaapi.del_bpt(lines)
                        print "=> 0x%08x - Deleted BP" % lines
                    else:
                        idaapi.add_bpt(lines, 0, BPT_SOFT)
                        EnableBpt(lines, True)
                        checked.append(lines)
                        print "=> 0x%08x - Added BP" % lines
                    bpflag = 1
            # Slot is read into a register first; follow the data ref, then
            # the code refs to that instruction.
            elif XrefTypeName( checkXrefType.type) == "Data_Read" and codeflag == 0:
                print "\nFound function %s in IAT at 0x%08x" % (name, addr)
                print "*** calls to %s ***" % name
                xref = DataRefsTo(addr) # Ref to IAT should be of type data.
                for line in xref:
                    xref2 = CodeRefsTo(line, 1)
                    for lines in xref2:
                        if CheckBpt(lines) > 0: # Adding or deleting BP's
                            idaapi.del_bpt(lines)
                            print "=> 0x%08x - Deleted BP" % lines
                        else:
                            idaapi.add_bpt(lines, 0, BPT_SOFT)
                            EnableBpt(lines, True)
                            checked.append(lines)
                            print "=> 0x%08x - Added BP" % lines
                        bpflag = 1
            # Jump thunk (GOT-style): report the data refs, then breakpoint
            # the callers of the thunk.
            elif XrefTypeName(checkXrefType.type) == "Code_Near_Jump":
                GOT = DataRefsTo(addr)
                for line in GOT:
                    print "\n Found function %s in GOT at 0x%08x" % (name, line)
                    print "*** calls to %s ***" % name
                codeflag = 2
                xref = CodeRefsTo(addr, 1)
                for line in xref:
                    xref2 = CodeRefsTo(line, 1)
                    for lines in xref2:
                        if CheckBpt(lines) > 0:
                            idaapi.del_bpt(lines)
                            print "=> 0x%08x - Deleted BP" % lines
                        else:
                            idaapi.add_bpt(lines, 0, BPT_SOFT)
                            EnableBpt(lines, True)
                            checked.append(lines)
                            print "=> 0x%08x = Added BP" % lines
                        bpflag = 1
            #elif loopflag != 1:
            #    codeflag = 2
            #    break
            else:
                continue #Need to compensate for other xref types.
    return True #Has to be here for the callback.
def RemoveBp(self, base0_addr, addr):
    """Ask the WinDbg side to drop a breakpoint, then mirror that in IDA.

    Args:
        base0_addr: Address as the WinDbg helper expects it (packed as a
            little-endian 32-bit value after the ``'r'`` command byte).
        addr: Address of the same breakpoint in the IDA database; removed
            from IDA and from ``self.bp_list`` once WinDbg acknowledges.

    Python 2 source: ``'r' + struct.pack(...)`` concatenates a str with the
    packed str; under Python 3 the prefix would have to be bytes.
    NOTE(review): the nesting below was reconstructed from a one-line
    listing — whether the final reset write sits inside the ``if`` is
    inferred; confirm against the original file.
    """
    # Presumably 'r' = remove; the helper reads the command from the start
    # of the shared mapping.
    WriteToBeginningOfMmap(self.bps_shared_memory, 'r' + struct.pack('<L', base0_addr))
    if(self.GetWindbgResponse('r')):
        # Only drop the IDA-side breakpoint once the debugger confirmed.
        idaapi.del_bpt(addr)
        # NOTE(review): list.remove raises ValueError if addr was never
        # recorded in bp_list.
        self.bp_list.remove(addr)
    # Reset the command slot so the helper does not re-read the request.
    WriteToBeginningOfMmap(self.bps_shared_memory, "\x00")
def iatCallback(addr, name, ord): # Don't care about ord, but required for enum_import_names
    """Toggle software breakpoints on every call site of a watched import.

    Meant as the callback for ``enum_import_names``: ``addr`` is the IAT
    slot, ``name`` the imported function.  Imports listed in the module
    global ``bannedList`` and not yet in ``checked`` are processed once;
    each call site found through the cross-references gets a breakpoint
    added (and enabled) if none exists, or deleted if one does.

    Module globals touched: ``bpflag`` (a breakpoint was toggled),
    ``codeflag`` (which reference shape was found), ``checked`` (names and
    addresses already handled).

    Python 2 source (print statements).  NOTE(review): the block nesting
    below was reconstructed from a one-line listing; in particular the
    positions of the ``bpflag = 1`` assignments and of ``codeflag = 2`` in
    the GOT branch are inferred — confirm against the original file.

    Returns:
        True, always, so the enumeration continues.
    """
    global bpflag, codeflag, checked, bannedList
    # Function got a bit out of hand. Sorry.
    if name in bannedList and name not in checked:
        checked.append(name)
        loopflag = 0
        xref = XrefsTo(addr, 0)
        for checkXrefType in xref:
            # Direct calls through the IAT slot (loopflag keeps this branch
            # from running twice for the same import).
            if XrefTypeName(checkXrefType.type) == "Code_Near_Call" and loopflag != 1:
                print "\nFound function %s in IAT at 0x%08x" % (name, addr)
                print "*** calls to %s ***" % name
                loopflag = 1
                codeflag = 1
                xref = CodeRefsTo(addr, 1) # Ref to IAT should be of type code.
                for lines in xref:
                    if CheckBpt(lines) > 0: # Adding or deleting BP's
                        idaapi.del_bpt(lines)
                        print "=> 0x%08x - Deleted BP" % lines
                    else:
                        idaapi.add_bpt(lines, 0, BPT_SOFT)
                        EnableBpt(lines, True)
                        checked.append(lines)
                        print "=> 0x%08x - Added BP" % lines
                    bpflag = 1
            # Slot is read into a register first; follow the data ref, then
            # the code refs to that instruction.
            elif XrefTypeName(checkXrefType.type) == "Data_Read" and codeflag == 0:
                print "\nFound function %s in IAT at 0x%08x" % (name, addr)
                print "*** calls to %s ***" % name
                xref = DataRefsTo(addr) # Ref to IAT should be of type data.
                for line in xref:
                    xref2 = CodeRefsTo(line, 1)
                    for lines in xref2:
                        if CheckBpt(lines) > 0: # Adding or deleting BP's
                            idaapi.del_bpt(lines)
                            print "=> 0x%08x - Deleted BP" % lines
                        else:
                            idaapi.add_bpt(lines, 0, BPT_SOFT)
                            EnableBpt(lines, True)
                            checked.append(lines)
                            print "=> 0x%08x - Added BP" % lines
                        bpflag = 1
            # Jump thunk (GOT-style): report the data refs, then breakpoint
            # the callers of the thunk.
            elif XrefTypeName(checkXrefType.type) == "Code_Near_Jump":
                GOT = DataRefsTo(addr)
                for line in GOT:
                    print "\n Found function %s in GOT at 0x%08x" % (name, line)
                    print "*** calls to %s ***" % name
                codeflag = 2
                xref = CodeRefsTo(addr, 1)
                for line in xref:
                    xref2 = CodeRefsTo(line, 1)
                    for lines in xref2:
                        if CheckBpt(lines) > 0:
                            idaapi.del_bpt(lines)
                            print "=> 0x%08x - Deleted BP" % lines
                        else:
                            idaapi.add_bpt(lines, 0, BPT_SOFT)
                            EnableBpt(lines, True)
                            checked.append(lines)
                            print "=> 0x%08x = Added BP" % lines
                        bpflag = 1
            #elif loopflag != 1:
            #    codeflag = 2
            #    break
            else:
                continue #Need to compensate for other xref types.
    return True #Has to be here for the callback.
idaapi.BPT_SOFT) # establecemos el breakpoint idaapi.enable_bpt(placeForBreakPoint, True) print "[+] Breakpoint set" while (1): try: idc.StartDebugger("", "", "") idc.GetDebuggerEvent(idc.WFNE_SUSP, -1) print "[+] Waiting for the start of debugger..." time.sleep(15) eax_value = idc.GetRegValue("EAX") print "[+] Value of EAX: 0x%08x" % eax_value if eax_value == VALUE_TO_GET: break else: idc.StopDebugger() print "[+] Waiting for the stop of debugger" time.sleep(15) except Exception as e: print "[-] Error trying again" NumberOfErrors += 1 if NumberOfErrors == 4: print "[-] Max Errors, going out" exit(-1) # si salimos aquĆ todo va bien, quitamos el breakpoint y chapĆ³ idaapi.enable_bpt(placeForBreakPoint, False) idaapi.del_bpt(placeForBreakPoint)