class EXCEPTION_RECORD(MemStruct):
"""
DWORD ExceptionCode;
DWORD ExceptionFlags;
struct _EXCEPTION_RECORD *ExceptionRecord;
PVOID ExceptionAddress;
DWORD NumberParameters;
ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
"""
EXCEPTION_MAXIMUM_PARAMETERS = 15
fields = [
("ExceptionCode", Num("<I")),
("ExceptionFlags", Num("<I")),
("ExceptionRecord", Ptr("<I", Self())),
("ExceptionAddress", Ptr("<I", Void())),
("NumberParameters", Num("<I")),
("ExceptionInformation", Ptr("<I", Void())),
]
class EXCEPTION_REGISTRATION_RECORD(MemStruct):
"""
+0x00 Next : struct _EXCEPTION_REGISTRATION_RECORD *
+0x04 Handler : Ptr32 Void
"""
fields = [
("Next", Ptr("<I", Self())),
("Handler", Ptr("<I", Void())),
]
class TEB(MemStruct):
"""
+0x000 NtTib : _NT_TIB
+0x01c EnvironmentPointer : Ptr32 Void
+0x020 ClientId : _CLIENT_ID
+0x028 ActiveRpcHandle : Ptr32 Void
+0x02c ThreadLocalStoragePointer : Ptr32 Void
+0x030 ProcessEnvironmentBlock : Ptr32 _PEB
+0x034 LastErrorValue : Uint4B
...
"""
fields = [
("NtTib", NT_TIB),
("EnvironmentPointer", Ptr("<I", Void())),
("ClientId", Array(Num("B"), 0x8)),
("ActiveRpcHandle", Ptr("<I", Void())),
("ThreadLocalStoragePointer", Ptr("<I", Void())),
("ProcessEnvironmentBlock", Ptr("<I", PEB)),
("LastErrorValue", Num("<I")),
]
class NT_TIB(MemStruct):
"""
+00 struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList
+04 void *StackBase
+08 void *StackLimit
+0c void *SubSystemTib
+10 void *FiberData
+10 uint32 Version
+14 void *ArbitraryUserPointer
+18 struct _NT_TIB *Self
"""
fields = [
("ExceptionList", Ptr("<I", EXCEPTION_REGISTRATION_RECORD)),
("StackBase", Ptr("<I", Void())),
("StackLimit", Ptr("<I", Void())),
("SubSystemTib", Ptr("<I", Void())),
(None, Union([("FiberData", Ptr("<I", Void())),
("Version", Num("<I"))])),
("ArbitraryUserPointer", Ptr("<I", Void())),
("Self", Ptr("<I", Self())),
]
class PEB_LDR_DATA(MemStruct):
"""
+0x000 Length : Uint4B
+0x004 Initialized : UChar
+0x008 SsHandle : Ptr32 Void
+0x00c InLoadOrderModuleList : _LIST_ENTRY
+0x014 InMemoryOrderModuleList : _LIST_ENTRY
+0x01C InInitializationOrderModuleList : _LIST_ENTRY
"""
fields = [("Length", Num("<I")), ("Initialized", Num("<I")),
("SsHandle", Ptr("<I", Void())),
("InLoadOrderModuleList", ListEntry),
("InMemoryOrderModuleList", ListEntry),
("InInitializationOrderModuleList", ListEntry)]
class LdrDataEntry(MemStruct):
"""
+0x000 InLoadOrderLinks : _LIST_ENTRY
+0x008 InMemoryOrderLinks : _LIST_ENTRY
+0x010 InInitializationOrderLinks : _LIST_ENTRY
+0x018 DllBase : Ptr32 Void
+0x01c EntryPoint : Ptr32 Void
+0x020 SizeOfImage : Uint4B
+0x024 FullDllName : _UNICODE_STRING
+0x02c BaseDllName : _UNICODE_STRING
+0x034 Flags : Uint4B
+0x038 LoadCount : Uint2B
+0x03a TlsIndex : Uint2B
+0x03c HashLinks : _LIST_ENTRY
+0x03c SectionPointer : Ptr32 Void
+0x040 CheckSum : Uint4B
+0x044 TimeDateStamp : Uint4B
+0x044 LoadedImports : Ptr32 Void
+0x048 EntryPointActivationContext : Ptr32 Void
+0x04c PatchInformation : Ptr32 Void
"""
fields = [
("InLoadOrderLinks", ListEntry),
("InMemoryOrderLinks", ListEntry),
("InInitializationOrderLinks", ListEntry),
("DllBase", Ptr("<I", Void())),
("EntryPoint", Ptr("<I", Void())),
("SizeOfImage", Num("<I")),
("FullDllName", UnicodeString),
("BaseDllName", UnicodeString),
("Flags", Array(Num("B"), 4)),
("LoadCount", Num("H")),
("TlsIndex", Num("H")),
("union1",
Union([
("HashLinks", Ptr("<I", Void())),
("SectionPointer", Ptr("<I", Void())),
])),
("CheckSum", Num("<I")),
("union2",
Union([
("TimeDateStamp", Num("<I")),
("LoadedImports", Ptr("<I", Void())),
])),
("EntryPointActivationContext", Ptr("<I", Void())),
("PatchInformation", Ptr("<I", Void())),
]
class PEB(MemStruct):
"""
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 SpareBool : UChar
+0x004 Mutant : Ptr32 Void
+0x008 ImageBaseAddress : Ptr32 Void
+0x00c Ldr : Ptr32 _PEB_LDR_DATA
+0x010 processparameter
"""
fields = [
("InheritedAddressSpace", Num("B")),
("ReadImageFileExecOptions", Num("B")),
("BeingDebugged", Num("B")),
("SpareBool", Num("B")),
("Mutant", Ptr("<I", Void())),
("ImageBaseAddress", Num("<I")),
("Ldr", Ptr("<I", PEB_LDR_DATA)),
]
class ListNode(MemStruct):
fields = [
# The "<I" is the struct-like format of the pointer in memory, in this
# case a Little Endian 32 bits unsigned int.
# One way to handle reference to ListNode in ListNode is to use the
# special marker Self().
# You could also generate ListNode's fields with ListNode.gen_field
# after the class declaration, so that the ListNode is defined when
# fields are generated.
("next", Ptr("<I", Self())),
# Ptr(_, Void()) is analogous to void*, Void() is a kind of "empty type"
("data", Ptr("<I", Void())),
]
def get_next(self):
if self.next.val == 0:
return None
return self.next.deref
def get_data(self, data_type=None):
if data_type is not None:
return self.data.deref.cast(data_type)
else:
return self.data.deref
assert bit.flags.f4_1 == 1
# Unhealthy ideas
class UnhealthyIdeas(MemStruct):
fields = [
("pastruct", Ptr("I", Array(RawStruct("=Bf")))),
("apstr", Array(Ptr("I", Str()), 10)),
("pself", Ptr("I", Self())),
("apself", Array(Ptr("I", Self()), 2)),
("ppself", Ptr("I", Ptr("I", Self()))),
("pppself", Ptr("I", Ptr("I", Ptr("I", Self())))),
]
p_size = Ptr("I", Void()).size
ideas = UnhealthyIdeas(jitter.vm)
ideas.memset()
ideas.pself = ideas.get_addr()
assert ideas == ideas.pself.deref
ideas.apself[0] = ideas.get_addr()
assert ideas.apself[0].deref == ideas
ideas.apself[1] = my_heap.vm_alloc(jitter.vm, UnhealthyIdeas.sizeof())
ideas.apself[1].deref = ideas
assert ideas.apself[1] != ideas.get_addr()
assert ideas.apself[1].deref == ideas
ideas.ppself = my_heap.vm_alloc(jitter.vm, p_size)
ideas.ppself.deref.val = ideas.get_addr()
class ListEntry(MemStruct):
fields = [
("flink", Ptr("<I", Void())),
("blink", Ptr("<I", Void())),
]