def __init__(self, input) :
self.data = []
self.pid = int(input)
self.debugger = PtraceDebugger()
self.process = self.debugger.addProcess(self.pid, is_attached=False)
atexit.register(self.debugger.quit)
Header = False
Code = False
self.procmaps = readProcessMappings(self.process)
for pm in self.procmaps:
if pm.permissions.find("w") != -1 and pm.pathname == None :
# if Code == False and Header == True :
# data = self.process.readBytes(pm.start, pm.end-pm.start)
# idx = data.find("SourceFile")
# if idx != -1 :
# print "CODE", pm
# self.data.append( (pm, data, idx) )
# Code = True
if Header == False :
data = self.process.readBytes(pm.start, pm.end-pm.start)
idx = data.find(MAGIC_PATTERN)
if idx != -1 :
print "HEADER", pm
self.data.append( (pm, data) )
Header = True
self.dumpMemory( "java_dump_memory" )
def __init__(self, input):
self.data = []
self.pid = int(input)
self.debugger = PtraceDebugger()
self.process = self.debugger.addProcess(self.pid, is_attached=False)
atexit.register(self.debugger.quit)
Header = False
Code = False
self.procmaps = readProcessMappings(self.process)
for pm in self.procmaps:
if pm.permissions.find("w") != -1 and pm.pathname == None:
# if Code == False and Header == True :
# data = self.process.readBytes(pm.start, pm.end-pm.start)
# idx = data.find("SourceFile")
# if idx != -1 :
# print "CODE", pm
# self.data.append( (pm, data, idx) )
# Code = True
if Header == False:
data = self.process.readBytes(pm.start, pm.end - pm.start)
idx = data.find(MAGIC_PATTERN)
if idx != -1:
print "HEADER", pm
self.data.append((pm, data))
Header = True
self.dumpMemory("java_dump_memory")
def isMemOf(addr,mpid):
class p:
pid=mpid
myP=p()
for m in readProcessMappings(myP):
if addr in m:
print myP, m
return True
return False
def do_dump (process, maxmem):
print_process (process, "===")
# Attach to the process
debugger = PtraceDebugger()
try:
d_process = debugger.addProcess(process['pid'], False)
except:
print("Error attaching to the process pid {0}. Aborting".format(process['pid']))
sys.exit(1)
d_process.was_attached = True
procmaps = readProcessMappings(d_process)
# Look for process heap region
for pm in procmaps:
if pm.pathname == None:
mem_start=pm.start
mem_end=pm.end
mem_total=mem_end-mem_start
if maxmem > 0 and mem_total > maxmem :
print("Process memory is {0} but you defined maxmem to {1}".format(mem_total, maxmem))
return False
# Use StringIO to work only in memory. This can be dangerous, because "heap" can be big.
the_mem = StringIO.StringIO()
# Transfer process heap memory to the_mem var.
the_mem.write(d_process.readBytes(mem_start, mem_total))
# We have what we were looking for. Let's detach the process.
d_process.detach()
# Start search
request_end=0
found=False
while True:
hdr_pos=fnd(the_mem, process['request'], request_end)
if hdr_pos==-1: # EOF
break
request_pos=hdr_pos # This is the start of the possible match
request_end=fnd(the_mem, "\x00", request_pos) # This is the end of the possible match
# If we find double new line then this should be a valid request and data block.
if fnd(the_mem,"\x0d\x0a\x0d\x0a", request_pos) < request_end:
found=True
# If valid, print it!
print get_fragment(the_mem, request_pos, request_end)
# Prepare to continue searching
the_mem.seek(request_end+1)
the_mem.close()
if found:
break
def findCipherContext():
dbg=PtraceDebugger()
process=dbg.addProcess(pid,is_attached=False)
if process is None:
log.error("Error initializing Process debugging for %d"% pid)
sys.exit(-1)
mappings=readProcessMappings(process)
stack=process.findStack()
for m in mappings:
#if m.pathname != '[heap]':
# continue
if not abouchet.hasValidPermissions(m):
continue
print m,m.permissions
abouchet.find_struct(process, m, ctypes_openssh.CipherContext, printme)
def debugFindRtld(pid):
dbg = PtraceDebugger()
process = dbg.addProcess(pid, False)
for pm in readProcessMappings(process):
if 'rwx' in pm.permissions:
for addr in pm.search(b'\x78\x56\x34\x12'):
# There are no ret instructions in the CC
memory = process.readBytes(addr, 20)
if b'\xC3' not in memory:
process = None
dbg.quit()
return addr
print('ERROR: Could not find the address of rtld_lock_default_lock_recursive in code cache!')
exit(-1)
def readDsa(addr):
dbg=PtraceDebugger()
process=dbg.addProcess(PID, is_attached=False)
if process is None:
log.error("Error initializing Process debugging for %d"% pid)
sys.exit(-1)
# read where it is
dsa=ctypes_openssl.DSA.from_buffer_copy(process.readStruct(addr,ctypes_openssl.DSA))
mappings=readProcessMappings(process)
print "isValid : ", dsa.isValid(mappings)
#dsa.printValid(maps)
#print 'DSA1 -> ', dsa
#print '------------'
#print 'DSA1.q -> ', dsa.q
print '------------ === Loading members'
dsa.loadMembers(process,mappings)
#print '------------ ===== ==== '
#print 'DSA2.q -> ', dsa.q
#print 'DSA2.q.contents -> ', dsa.q.contents
#print ctypes.byref(rsa.n.contents)
#print dsa
return dsa
def readRsa(addr):
dbg=PtraceDebugger()
process=dbg.addProcess(PID, is_attached=False)
if process is None:
log.error("Error initializing Process debugging for %d"% PID)
sys.exit(-1)
# read where it is
######################### RAAAAAAAAAAAAH
rsa=ctypes_openssl.RSA.from_buffer_copy(process.readStruct(addr,ctypes_openssl.RSA))
mappings=readProcessMappings(process)
print "isValid : ", rsa.isValid(mappings)
#rsa.printValid(maps)
print rsa
#print rsa.n
#print rsa.n.contents
#print ctypes.byref(rsa.n.contents)
#print rsa
print '------------ === Loading members'
ret=rsa.loadMembers(process,mappings)
print '------------ === Loading members finished'
print ret,rsa
return rsa
def readMappings(self):
return readProcessMappings(self)
def _xray(self):
for term in self.followterms:
for process in self.debugger:
for procmap in readProcessMappings(process):
for address in procmap.search(term):
yield (process, procmap, address, term)
def getPointers(process, address):
address = word2bytes(address)
procmaps = readProcessMappings(process)
for pm in procmaps:
for found in pm.search(address):
yield found
def readMappings(self):
return readProcessMappings(self)
def _xray(self):
for term in self.followterms:
for process in self.debugger:
for procmap in readProcessMappings(process):
for address in procmap.search(term):
yield (process, procmap, address, term)
def getPointers(process, address):
address = word2bytes(address)
procmaps = readProcessMappings(process)
for pm in procmaps:
for found in pm.search(address):
yield found
result = pool.apply_async(async_call)
while not isStarted:
for pid in psutil.pids():
if psutil.Process(pid).name() == 'hon-x86_64':
hon_pid = pid
isStarted = True
print('isStarted == True\npid={}'.format(hon_pid))
break
time.sleep(10.0)
print('sleeping...')
print('starting debugger')
dbg = PtraceDebugger()
process = dbg.addProcess(hon_pid, False)
memory_mapping = readProcessMappings(process)
print('found memory mappings')
_next = False
for addr in memory_mapping:
if _next == True:
for a in range(addr.start, addr.end, 4):
value = bytesToFloat(process.readBytes(a, 4))
if value == 1850.:
print("value is {} at addr {}".format(value, hex(a)))
process.writeBytes(a, floatToBytes(2400.))
break
if 'rw' in addr.permissions and addr.pathname and 'libgame_shared' in addr.pathname:
_next = True
