def is_executable(addr):
if pykd.isKernelDebugging():
return False # we need to find a way to get the memory protection information in kernel debug mode
if "Execute" in str(pykd.getVaProtect(addr)):
return True
else:
return False
def is_writable(self, address): if pykd.isKernelDebugging(): return False if "Write" in str(pykd.getVaProtect(address)): return True else: return False
def writeDword(self, addr, val):
cmd = "ed %x %x" % (addr, val)
guard = pykd.getVaProtect(addr)
self.vprotect(addr, 4, 0x40)
cmdr = pykd.dbgCommand(cmd)
self.vprotect(addr, 4, guard)
return 0
def setTemporaryProtection(self):
if self.hitMemory != None:
guard = pykd.getVaProtect(self.hitMemory[0])
self.hitProtection = guard
self.br.vprotect(self.hitMemory[0], self.hitMemory[1],
self.hitMemory[3])
else:
self.br.dbiprintf("[E] Has any memory violations yet")
def setBpMemoryOnWrite(self, addr, size):
guard = pykd.getVaProtect(addr)
end = addr + size
self.lMemGuards.append([addr, size, end, guard])
self.br.dbiprintf(
"[!] Set BP Memory on Write at 0x%08x (0x%x) : Old protection 0x%x"
% (addr, size, guard))
self.br.vprotect(addr, size, 0x2)
def getSectionInfo(self, addr):
cmdDh = "!dh -s "
iParseSection = "SECTION HEADER"
iParseName = "name"
iParseVs = "virtual size"
iParseVa = "virtual address"
lSection = []
self.dbiprintf("[+] Get section information", False)
cmd = cmdDh + "%x" % addr
cmdr = pykd.dbgCommand(cmd)
if type(cmdr) == types.NoneType:
self.dbiprintf(
" - [E] Cannot dump section header at 0x%08x" % addr, False)
return types.NoneType
# add PE header's page
guard = pykd.getVaProtect(addr)
lSection.append([addr, addr + 0x1000, 0, 0x1000, guard])
# add sections' page
tc = cmdr
while True:
if tc.find(iParseSection) == -1:
break
tc = tc[tc.find(iParseName) + len(iParseName):]
strVs = tc[:tc.find(iParseVs)]
vs = int(strVs, 16)
tc = tc[tc.find(iParseVs) + len(iParseVs):]
strVa = tc[:tc.find(iParseVa)]
rva = int(strVa, 16)
va = addr + rva
vaEnd = va + vs
guard = pykd.getVaProtect(va)
self.dbiprintf(" -> Section #%d : 0x%08x ( 0x%08x ) : 0x%x" %
(len(lSection), va, vs, guard))
lSection.append([va, vaEnd, rva, vs, guard])
if len(lSection) == 0:
self.dbiprintf(" - [E] Cannot find section at 0x%08x" % addr,
False)
self.dbiprintf("%s" % (cmdr), False)
return types.NoneType
return lSection
def getSectionInfo(self):
cmdDh = "!dh -s "
iParseSection = "SECTION HEADER"
iParseName = "name"
iParseVs = "virtual size"
iParseVa = "virtual address"
self.dbiprintf("[!] Get section information")
cmd = cmdDh + "%x" % self.procImageBase
cmdr = pykd.dbgCommand(cmd)
if type(cmdr) == types.NoneType:
self.dbiprintf(" - [E] Error on dump section header : 0x%08x" %
self.procImageBase)
return 1
# add PE header's page
guard = pykd.getVaProtect(self.procImageBase)
self.lSection.append([
self.procImageBase, self.procImageBase + 0x1000, 0, 0x1000, guard
])
# add sections' page
tc = cmdr
while True:
if tc.find(iParseSection) == -1:
break
tc = tc[tc.find(iParseName) + len(iParseName):]
strVs = tc[:tc.find(iParseVs)]
vs = int(strVs, 16)
tc = tc[tc.find(iParseVs) + len(iParseVs):]
strVa = tc[:tc.find(iParseVa)]
rva = int(strVa, 16)
va = self.procImageBase + rva
vaEnd = va + vs
guard = pykd.getVaProtect(va)
self.dbiprintf(" -> Section #%d : 0x%08x ( 0x%08x ) : 0x%x" %
(len(self.lSection), va, vs, guard))
self.lSection.append([va, vaEnd, rva, vs, guard])
return 0
def writeMemory(self, addr, data):
cmdDw = "ed %x %x"
cmdB = "eb %x %x"
guard = pykd.getVaProtect(addr)
self.vprotect(addr, len(data), 0x40)
lenData = len(data)
scope = (lenData / 4) * 4
for dst in range(0, scope, 4):
cmdr = pykd.dbgCommand(
cmdDw %
(addr + dst, struct.unpack("<L", data[dst:dst + 4])[0]))
for dst in range(scope, lenData):
cmdr = pykd.dbgCommand(
cmdB % (addr + dst, struct.unpack("<B", data[dst])[0]))
self.vprotect(addr, len(data), guard)
return 0
def setMemBpOnWriteOnIat(self):
guard = pykd.getVaProtect(self.pIatBase)
if guard != 0x2:
self.setBpMemoryOnWrite(self.pIatBase, self.sizeIat)
def getVaProtect(addr):
return pykd.getVaProtect(addr)
def is_executable(addr):
if "Execute" in str(pykd.getVaProtect(addr)):
return True
else:
return False