def add_process_parameters(jitter):
"""
Build a process parameters structure
@jitter: jitter instance
"""
o = b""
o += pck32(0x1000) # size
o += b"E" * (0x48 - len(o))
o += pck32(process_environment_address)
jitter.vm.add_memory_page(process_parameters_address,
PAGE_READ | PAGE_WRITE, o, "Process parameters")
def set_link_list_entry(jitter, loaded_modules, modules_info, offset):
for i, module in enumerate(loaded_modules):
cur_module_entry = modules_info.module2entry[module]
prev_module = loaded_modules[(i - 1) % len(loaded_modules)]
next_module = loaded_modules[(i + 1) % len(loaded_modules)]
prev_module_entry = modules_info.module2entry[prev_module]
next_module_entry = modules_info.module2entry[next_module]
if i == 0:
prev_module_entry = peb_ldr_data_address + 0xC
if i == len(loaded_modules) - 1:
next_module_entry = peb_ldr_data_address + 0xC
jitter.vm.set_mem(cur_module_entry + offset,
(pck32(next_module_entry + offset) +
pck32(prev_module_entry + offset)))
def add_process_parameters(jitter):
"""
Build a process parameters structure
@jitter: jitter instance
"""
o = b""
o += pck32(0x1000) # size
o += b"E" * (0x48 - len(o))
o += pck32(process_environment_address)
jitter.vm.add_memory_page(
process_parameters_address,
PAGE_READ | PAGE_WRITE,
o, "Process parameters"
)
def test_init(self):
init_regs(self)
self.buf = b""
for reg_name in reversed(["EAX", "ECX",
"EDX", "EBX",
"ESP", "EBP",
"ESI", "EDI"]):
self.buf += pck32(getattr(self.myjit.cpu, reg_name))
def build_ldr_data(jitter, modules_info):
"""
Build Loader information using following structure:
+0x000 Length : Uint4B
+0x004 Initialized : UChar
+0x008 SsHandle : Ptr32 Void
+0x00c InLoadOrderModuleList : _LIST_ENTRY
+0x014 InMemoryOrderModuleList : _LIST_ENTRY
+0x01C InInitializationOrderModuleList : _LIST_ENTRY
# dummy dll base
+0x024 DllBase : Ptr32 Void
@jitter: jitter instance
@modules_info: LoadedModules instance
"""
# ldr offset pad
offset = 0xC
addr = LDR_AD + peb_ldr_data_offset
ldrdata = PEB_LDR_DATA(jitter.vm, addr)
main_pe = modules_info.name2module.get(main_pe_name, None)
ntdll_pe = modules_info.name2module.get("ntdll.dll", None)
size = 0
if main_pe:
size += ListEntry.sizeof() * 2
main_addr_entry = modules_info.module2entry[main_pe]
if ntdll_pe:
size += ListEntry.sizeof()
ntdll_addr_entry = modules_info.module2entry[ntdll_pe]
jitter.vm.add_memory_page(
addr + offset,
PAGE_READ | PAGE_WRITE,
b"\x00" * size,
"Loader struct"
) # (ldrdata.get_size() - offset))
if main_pe:
ldrdata.InLoadOrderModuleList.flink = main_addr_entry
ldrdata.InLoadOrderModuleList.blink = 0
ldrdata.InMemoryOrderModuleList.flink = main_addr_entry + \
LdrDataEntry.get_type().get_offset("InMemoryOrderLinks")
ldrdata.InMemoryOrderModuleList.blink = 0
if ntdll_pe:
ldrdata.InInitializationOrderModuleList.flink = ntdll_addr_entry + \
LdrDataEntry.get_type().get_offset("InInitializationOrderLinks")
ldrdata.InInitializationOrderModuleList.blink = 0
# Add dummy dll base
jitter.vm.add_memory_page(peb_ldr_data_address + 0x24,
PAGE_READ | PAGE_WRITE, pck32(0),
"Loader struct dummy dllbase")
def test_SystemInformationFunctions(self):
# DWORD WINAPI GetVersion(void);
jit.push_uint32_t(0) # @return
winapi.kernel32_GetVersion(jit)
dwVer = jit.cpu.EAX
self.assertTrue(dwVer)
# BOOL WINAPI GetVersionEx(_Inout_ LPOSVERSIONINFO lpVersionInfo);
jit.vm.set_mem(jit.stack_base, pck32(0x9c))
jit.push_uint32_t(jit.stack_base) # lpVersionInfo
jit.push_uint32_t(0) # @return
winapi.kernel32_GetVersionExA(jit)
vBool = jit.cpu.EAX
self.assertTrue(vBool)
def test_SystemInformationFunctions(self):
# DWORD WINAPI GetVersion(void);
jit.push_uint32_t(0) # @return
winapi.kernel32_GetVersion(jit)
dwVer = jit.cpu.EAX
self.assertTrue(dwVer)
# BOOL WINAPI GetVersionEx(_Inout_ LPOSVERSIONINFO lpVersionInfo);
jit.vm.set_mem(jit.stack_base, pck32(0x9c))
jit.push_uint32_t(jit.stack_base) # lpVersionInfo
jit.push_uint32_t(0) # @return
winapi.kernel32_GetVersionExA(jit)
vBool = jit.cpu.EAX
self.assertTrue(vBool)
def test_init(self):
self.value = 0x11223344
self.myjit.cpu.SP -= 0x4
self.myjit.vm.set_mem(self.myjit.cpu.SP, pck32(self.value))
init_regs(self)
def test_init(self):
init_regs(self)
self.buf = b""
self.buf += pck32(0x11223344)
def push_uint32_t(self, value):
self.cpu.SP -= 4
self.vm.set_mem(self.cpu.SP, pck32(value))
def func_prepare_stdcall(self, ret_addr, *args):
for index in range(min(len(args), 4)):
setattr(self.cpu, 'A%d' % index, args[index])
for index in range(4, len(args)):
self.vm.set_mem(self.cpu.SP + 4 * (index - 4), pck32(args[index]))
self.cpu.RA = ret_addr
def push_uint32_t(self, value):
self.cpu.SP -= 4
self.vm.set_mem(self.cpu.SP, pck32(value))
def func_prepare_stdcall(self, ret_addr, *args):
for index in range(min(len(args), 4)):
setattr(self.cpu, 'A%d' % index, args[index])
for index in range(4, len(args)):
self.vm.set_mem(self.cpu.SP + 4 * (index - 4), pck32(args[index]))
self.cpu.RA = ret_addr
def test_init(self):
self.value = 0x11223344
self.myjit.cpu.SP -= 0x4
self.myjit.vm.set_mem(self.myjit.cpu.SP, pck32(self.value))
init_regs(self)
def test_init(self):
init_regs(self)
self.buf = b""
for reg_name in reversed(
["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]):
self.buf += pck32(getattr(self.myjit.cpu, reg_name))
def test_init(self):
init_regs(self)
self.buf = b""
self.buf += pck32(0x11223344)
