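    def MyReadFile(self):
        """
        Entry hook for ReadFile: capture the call's arguments and arm the
        return-address breakpoint that continues the trace.

        The arguments are read from the stack and stored in self.tempStack
        as [lpBuffer, lpNumberOfBytesRead, hFile, callerAddr, "ReadFile",
        thread id] (presumably consumed positionally by MyReadFileEnd, so
        keep the order). The breakpoint on the return address is only armed
        when hFile is one of the handles in self.handleSet; otherwise a
        stale breakpoint at that address is removed.

        Prototype being hooked:

            BOOL WINAPI ReadFile(
              _In_         HANDLE hFile,
              _Out_        LPVOID lpBuffer,
              _In_         DWORD nNumberOfBytesToRead,
              _Out_opt_    LPDWORD lpNumberOfBytesRead,
              _Inout_opt_  LPOVERLAPPED lpOverlapped
            );

        Returns 0 (presumably the breakpoint-condition result: do not stop).
        """
        # NOTE(review): the offsets assume the hook fires at ReadFile's first
        # instruction on 32-bit, i.e. return address at 0x0 followed by
        # 4-byte argument slots -- confirm against Util.GetData.
        hFile = Util.GetData(0x4)
        self.logger.info("hFile is 0x%x" % (hFile))

        lpBuffer = Util.GetData(0x8)
        self.logger.info("lpBuffer is 0x%x" % (lpBuffer))

        nNumberOfBytesToRead = Util.GetData(0xC)
        self.logger.info("nNumberOfBytesToRead value is 0x%x" %
                         (nNumberOfBytesToRead))

        lpNumberOfBytesRead = Util.GetData(0x10)
        self.logger.info("lpNumberOfBytesRead value is 0x%x" %
                         (lpNumberOfBytesRead))

        lpOverlapped = Util.GetData(0x14)
        self.logger.info("lpOverlapped is 0x%x" % (lpOverlapped))

        retAddr = Util.GetData(0x0)

        # NOTE(review): this subtracts the size of the item *at* retAddr, not
        # the size of the preceding call instruction; idc.PrevHead(retAddr)
        # would be exact. Left as is because the consumer of callerAddr is
        # not visible here.
        callerAddr = retAddr - idc.ItemSize(retAddr)

        self.tempStack = [
            lpBuffer,
            lpNumberOfBytesRead,
            hFile,
            callerAddr,
            "ReadFile",
            idc.GetCurrentThreadId(),
        ]

        if hFile in self.handleSet:
            self.logger.info("Ready to read from handle 0x%x" % hFile)
            Print("Ready to read from handle 0x%x" % hFile)
            # The condition string is evaluated by the debugger in IDA's
            # script namespace when the return address is reached.
            idc.AddBpt(retAddr)
            idc.SetBptCnd(retAddr, "windowsFileIO.MyReadFileEnd()")
        elif idc.CheckBpt(retAddr) >= 0:
            # Left over from an earlier, tracked call through the same site.
            self.logger.info("Removing un-needed ReadFile breakpoint.")
            Print("Removing un-needed ReadFile breakpoint.")
            idc.DelBpt(retAddr)

        return 0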
 def init_segm_mem(self):
     """
     Build a GDT image describing the current thread's fs and gs segments.

     The selector index of each register comes from idc.GetRegValue and its
     linear base from the debugger's per-thread segment base. Both entries
     are added as 0x1000-byte segments with the flag nibble G=1, D=0, L=1,
     AVL=0. Returns gdt.get_gdt().
     """
     gdt = gdt32(GDT_MAP_ADDR)
     # Granularity=1, D/B=0, Long=1, AVL=0 packed as (G<<3)|(D<<2)|(L<<1)|AVL.
     flag_nibble = (1 << 3) | (0 << 2) | (1 << 1) | 0
     for reg_name, cpu_reg in (('fs', cpu.fs), ('gs', cpu.gs)):
         selector = idc.GetRegValue(reg_name)
         base = idaapi.dbg_get_thread_sreg_base(idc.GetCurrentThreadId(),
                                                int(cpu_reg))
         gdt.addSegDiscription(selector, base, 0x1000, 1, 0, 0, flag_nibble)
     return gdt.get_gdt()
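    def ReadFile(self):
        """
        Entry hook for ReadFile (interactive mode): capture the arguments
        and arm the return-address breakpoint that continues the trace.

        Unlike MyReadFile, this variant reads the first argument at offset
        0x0 and derives the return address from EIP plus the current
        instruction size (NOTE(review): consistent with the hook sitting on
        the call instruction itself, before the return address is pushed --
        confirm against where the breakpoint is placed).

        self.tempStack becomes [lpBuffer, lpNumberOfBytesRead, hFile, ea,
        "ReadFile", thread id]; keep the order, ReadFileEnd presumably
        indexes into it.

        Prototype being hooked:

            BOOL WINAPI ReadFile(
              _In_         HANDLE hFile,
              _Out_        LPVOID lpBuffer,
              _In_         DWORD nNumberOfBytesToRead,
              _Out_opt_    LPDWORD lpNumberOfBytesRead,
              _Inout_opt_  LPOVERLAPPED lpOverlapped
            );

        Returns 0 (presumably the breakpoint-condition result: do not stop).
        """
        hFile = Util.GetData(0x0)
        self.logger.info("hFile is 0x%x" % (hFile))

        lpBuffer = Util.GetData(0x4)
        self.logger.info("lpBuffer is 0x%x" % (lpBuffer))

        nNumberOfBytesToRead = Util.GetData(0x8)
        self.logger.info("nNumberOfBytesToRead value is 0x%x" %
                         (nNumberOfBytesToRead))

        lpNumberOfBytesRead = Util.GetData(0xC)
        self.logger.info("lpNumberOfBytesRead value is 0x%x" %
                         (lpNumberOfBytesRead))

        lpOverlapped = Util.GetData(0x10)
        self.logger.info("lpOverlapped is 0x%x" % (lpOverlapped))

        ea = idc.GetRegValue("EIP")

        # Address of the instruction following the current one.
        retAddr = ea + idc.ItemSize(ea)

        Print("The return address is 0x%x" % retAddr)

        self.tempStack = [
            lpBuffer,
            lpNumberOfBytesRead,
            hFile,
            ea,
            "ReadFile",
            idc.GetCurrentThreadId(),
        ]

        # The condition string is evaluated by the debugger in IDA's script
        # namespace when the return address is reached.
        idc.AddBpt(retAddr)
        idc.SetBptCnd(retAddr, "interactivemodeCallback.ReadFileEnd()")

        return 0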
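    def My_fread(self):
        """
        Entry hook for fread / _IO_fread: record the destination buffer and
        the requested byte count, then arm a non-stopping breakpoint on the
        return address when the stream is one being tracked.

            size_t fread(void *ptr, size_t size, size_t count, FILE *stream);
            size_t _IO_fread(void *ptr, size_t size, size_t count, FILE *stream);

        Sets self.pBuffer / self.pSize and rebuilds self.tempStack as
        [pBuffer, pSize, stream, callerAddr, "fread", thread id] (presumably
        consumed positionally by My_freadEnd, so keep the order).

        Returns 0 (presumably the breakpoint-condition result: do not stop).
        """
        # NOTE(review): the offsets assume a 32-bit cdecl frame with the
        # return address at 0x0 -- confirm against Util.GetData.
        ptr = Util.GetData(0x4)
        self.logger.info("ptr is 0x%x" % (ptr))

        _size = Util.GetData(0x8)
        self.logger.info("size is %d" % (_size))

        _count = Util.GetData(0xc)
        self.logger.info("count is %d" % (_count))

        stream = Util.GetData(0x10)
        self.logger.info("stream is 0x%x" % (stream))

        # In the target this product is a size_t and can wrap; Python's
        # does not, so pSize may be larger than what the callee can fill.
        self.pSize = _size * _count
        self.pBuffer = ptr

        retAddr = Util.GetData(0x0)

        # NOTE(review): this subtracts the size of the item *at* retAddr, not
        # the size of the preceding call instruction; idc.PrevHead(retAddr)
        # would be exact. Left as is because the consumer of callerAddr is
        # not visible here.
        callerAddr = retAddr - idc.ItemSize(retAddr)

        self.tempStack = [
            self.pBuffer,
            self.pSize,
            stream,
            callerAddr,
            "fread",
            idc.GetCurrentThreadId(),
        ]

        if stream in self.handleSet:
            self.logger.info("Found stream 0x%x" % stream)

            # BPT_BRK cleared: presumably the condition runs without
            # suspending the target.
            idc.AddBpt(retAddr)
            idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
            idc.SetBptCnd(retAddr, "linuxFileIO.My_freadEnd()")
        else:
            self.logger.info("Cannot find handle 0x%x" % stream)
            Print("Removing un-needed fread breakpoint.")
            idc.DelBpt(retAddr)

        return 0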
    def recv(self):
        """
        Entry hook for recv (interactive mode): stash the socket, buffer and
        length, then plant a non-stopping conditional breakpoint on the
        return address so "interactivemodeCallback.recvEnd()" is evaluated
        once the call returns.

            int recv(
            _In_   SOCKET s,
            _Out_  char *buf,
            _In_   int len,
            _In_   int flags
             );

        self.tempStack becomes [s, buf, len, ea, "recv", thread id].
        Returns 0.
        """
        log = self.logger.info

        sock = Util.GetData(0x0)
        log("checkRecv: Socket is 0x%x" % (sock))

        buf_ptr = Util.GetData(0x4)
        log("checkRecv: *buf is 0x%x" % (buf_ptr))

        buf_len = Util.GetData(0x8)
        log("checkRecv: len value is %d" % (buf_len))

        recv_flags = Util.GetData(0xC)
        log("checkRecv: flag value is %d" % (recv_flags))

        ea = idc.GetRegValue("EIP")
        # Next instruction after the current one.
        retAddr = ea + idc.ItemSize(ea)
        Print("The return address is 0x%x" % retAddr)

        self.tempStack = [
            sock,
            buf_ptr,
            buf_len,
            ea,
            "recv",
            idc.GetCurrentThreadId(),
        ]

        idc.AddBpt(retAddr)
        idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
        idc.SetBptCnd(retAddr, "interactivemodeCallback.recvEnd()")

        return 0
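def get_sreg_base_x64(name):
    """
    Return the linear base of segment register *name* ('fs'/'gs') for the
    current debugger thread on x86-64.

    The debugger is asked first. If it reports a zero base, the first
    segment whose name starts with 'TIB[' is examined: the candidate TEB is
    taken to be one page past the segment start and accepted only when the
    8-byte pointer at TEB+0x30 (the Self field) points back at itself.

    Args:
        name: register name, resolved through getattr(cpu, name).

    Returns:
        The base address, or the debugger's falsy answer (0/None) when no
        base could be determined; a warning is printed in that case.
    """
    import struct

    sdb = idaapi.dbg_get_thread_sreg_base(idc.GetCurrentThreadId(),
                                          int(getattr(cpu, name)))
    if not sdb:
        for n in xrange(idaapi.get_segm_qty()):
            seg = idaapi.getnseg(n)
            sgname = idaapi.get_segm_name(seg, 0)
            if not sgname or not sgname.startswith('TIB['):
                continue
            # NOTE(review): the TEB is assumed to sit one page past the start
            # of the TIB segment -- confirm for the target's loader layout.
            candidate = seg.startEA + 0x1000
            raw = idaapi.dbg_read_memory(candidate + 0x30, 8)
            # The read can fail (None / short buffer); never decode that.
            if raw and len(raw) == 8:
                self_ptr = struct.unpack('<Q', raw)[0]  # little-endian u64
                if self_ptr == candidate:
                    sdb = candidate
                    print("\nwarning: the segname:%s is zero,I give %016x" %
                          (name, sdb))
            # Only the first TIB[ segment is considered, as before.
            break
    if not sdb:
        print(
            "\n\nwarning: the segname:%s is zero, U need set it by yourself\n"
            % (name))
    return sdb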
    def checkRecv(self):
        """
        Entry hook for recv: stash the socket, buffer and length, then plant
        a non-stopping conditional breakpoint on the return address so
        "windowsNetworkIO.checkRecvEnd()" is evaluated once the call returns.

            int recv(
            _In_   SOCKET s,
            _Out_  char *buf,
            _In_   int len,
            _In_   int flags
             );

        self.tempStack becomes [s, buf, len, callerAddr, "recv", thread id].
        Returns 0.
        """
        log = self.logger.info

        sock = Util.GetData(0x4)
        log("checkRecv: Socket is 0x%x" % (sock))

        buf_ptr = Util.GetData(0x8)
        log("checkRecv: *buf is 0x%x" % (buf_ptr))

        buf_len = Util.GetData(0xC)
        log("checkRecv: len value is %d" % (buf_len))

        recv_flags = Util.GetData(0x10)
        log("checkRecv: flag value is %d" % (recv_flags))

        retAddr = Util.GetData(0x0)
        # Steps back by the size of the item at retAddr to approximate the
        # address of the calling instruction.
        callerAddr = retAddr - idc.ItemSize(retAddr)

        self.tempStack = [
            sock,
            buf_ptr,
            buf_len,
            callerAddr,
            "recv",
            idc.GetCurrentThreadId(),
        ]

        idc.AddBpt(retAddr)
        idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
        idc.SetBptCnd(retAddr, "windowsNetworkIO.checkRecvEnd()")

        return 0
 def Regs_method(self):
     """
     Map register names to the callable that reads them.

     Every callable takes the register name as its single argument. mm0-mm7
     and xmm0-xmm15 share get_xmm; fs and gs are resolved through the
     debugger's per-thread segment base; fpround, sseround and ftop use
     their dedicated readers. fpu_tags is deliberately not wired up.
     """
     def sreg_base(reg):
         # getattr happens on each call, so it tracks the live cpu object.
         return lambda name: idaapi.dbg_get_thread_sreg_base(
             idc.GetCurrentThreadId(), int(getattr(cpu, reg)))

     vector_regs = ['mm%d' % i for i in range(8)]
     vector_regs += ['xmm%d' % i for i in range(16)]
     readers = dict.fromkeys(vector_regs, get_xmm)
     readers['fs'] = sreg_base('fs')
     readers['gs'] = sreg_base('gs')
     readers['fpround'] = getfpround
     readers['sseround'] = getSseRound
     readers['ftop'] = getftop
     # readers['fpu_tags'] = getfpu_tags
     return readers
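def getRegs():
    """
    Snapshot the guest register file from the IDA debugger.

    Returns:
        dict mapping each offset in register_names to the register's value.
        Registers with a dedicated reader in `method` are read through it;
        all others go through idc.GetRegValue. A register the debugger
        cannot read is reported on stdout and left out of the result.
    """
    # Offset -> register name. The offsets are not derived here; they are
    # whatever the consumer of the returned dict expects (NOTE(review): they
    # resemble a VEX-style guest-state layout -- verify against the caller).
    register_names = {
        16: 'rax',
        24: 'rcx',
        32: 'rdx',
        40: 'rbx',
        48: 'rsp',
        56: 'rbp',
        64: 'rsi',
        72: 'rdi',
        80: 'r8',
        88: 'r9',
        96: 'r10',
        104: 'r11',
        112: 'r12',
        120: 'r13',
        128: 'r14',
        136: 'r15',
        144: 'cc_op',
        152: 'cc_dep1',
        160: 'cc_dep2',
        168: 'cc_ndep',
        176: 'd',
        184: 'rip',
        192: 'ac',
        200: 'id',
        208: 'fs',
        216: 'sseround',
        224: 'ymm0',
        256: 'ymm1',
        288: 'ymm2',
        320: 'ymm3',
        352: 'ymm4',
        384: 'ymm5',
        416: 'ymm6',
        448: 'ymm7',
        480: 'ymm8',
        512: 'ymm9',
        544: 'ymm10',
        576: 'ymm11',
        608: 'ymm12',
        640: 'ymm13',
        672: 'ymm14',
        704: 'ymm15',
        736: 'ymm16',
        768: 'ftop',
        776: 'mm0',
        784: 'mm1',
        792: 'mm2',
        800: 'mm3',
        808: 'mm4',
        816: 'mm5',
        824: 'mm6',
        832: 'mm7',
        840: 'fptag',
        848: 'fpround',
        856: 'fc3210',
        864: 'emnote',
        872: 'cmstart',
        880: 'cmlen',
        888: 'nraddr',
        904: 'gs',
        912: 'ip_at_syscall'
    }

    # Readers for registers that idc.GetRegValue does not return directly.
    # Each takes the register name as its only argument.
    vector_regs = ['mm%d' % i for i in range(8)]
    vector_regs += ['xmm%d' % i for i in range(16)]
    method = dict.fromkeys(vector_regs, get_xmm)
    method['fs'] = lambda name: idaapi.dbg_get_thread_sreg_base(
        idc.GetCurrentThreadId(), int(cpu.fs))
    method['gs'] = lambda name: idaapi.dbg_get_thread_sreg_base(
        idc.GetCurrentThreadId(), int(cpu.gs))
    method['fpround'] = getfpround
    method['sseround'] = getSseRound
    method['ftop'] = getftop
    # method['fpu_tags'] = getfpu_tags

    values = {}
    for regAddress, regName in register_names.items():
        reader = method.get(regName)
        if reader is not None:
            # Dedicated readers are not guarded: a failure here propagates,
            # as it always has.
            values[regAddress] = reader(regName)
            print("success %-10s %x" % (regName, values[regAddress]))
        else:
            try:
                values[regAddress] = idc.GetRegValue(regName)
                print("success %-10s %x" % (regName, values[regAddress]))
            except Exception as e:
                # Best-effort snapshot: report and move on to the next one.
                print("failed read regName %-10s %s" % (regName, e))
    return values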