def hookHandlerNative():
    """Breakpoint handler for setNative: report the resolved native method.

    The pointer to the method name (as returned by getMethodName) is read
    from EAX+0x08. Per the original author's note, setNative in NPSWF32
    performs an extra check, not present in the published AVM source, before
    choosing which MethodInfo field holds the native function address; that
    selection is mirrored here: a byte at offset 0x38 of the stack argument
    found at ESP+0x18 decides between ESI+0x28 and ESI+0x24.

    If NPS["TraceNative"] is set and the name is in neither user breakpoint
    list (GBP['BP_FUNCS'] / GBP['BP_RFUNCS']), a tracing breakpoint is set on
    the native function and stored in GBP keyed by its address. The function
    is then handed to func_breakpoints. Always returns
    pykd.executionStatus.NoChange so the debuggee resumes.
    """
    global GBP
    name_ptr = pykd.ptrPtr(pykd.reg("eax") + 0x8)
    # NPSWF32-specific selector consulted by setNative before picking the slot.
    selector = pykd.ptrByte(pykd.ptrPtr(pykd.reg("esp") + 0x18) + 0x38)
    slot_offset = 0x28 if selector > 0 else 0x24
    nativefunc = pykd.ptrPtr(pykd.reg("esi") + slot_offset)

    if not pykd.isValid(name_ptr):
        return pykd.executionStatus.NoChange

    methodName = pykd.loadCStr(name_ptr)
    if not pykd.isValid(nativefunc):
        print("[!] No native function found. Something is likely wrong!!!")
        return pykd.executionStatus.NoChange

    display_name = methodName.decode("utf-8", "replace")
    print("[^] NATIVE METHOD: at 0x%x \t offset: 0x%x \tName: %s"
          % (nativefunc, nativefunc - NPS['base_addr'], display_name))
    if NPS["TraceNative"]:
        listed = (methodName in GBP['BP_FUNCS']
                  or methodName in GBP['BP_RFUNCS'])
        if not listed:
            if NPS["Debug"]:
                print("[Debug] Setting bp for tracing on 0x%x" % nativefunc)
            # methodName is a per-call local, so the lambda captures the
            # name seen by this invocation only.
            GBP[nativefunc] = pykd.setBp(nativefunc,
                                         lambda: functionHandler(methodName))
    func_breakpoints(display_name, nativefunc)
    return pykd.executionStatus.NoChange
def print_nline_ptrs(self, start_addr, line_num):
    """Dump line_num consecutive pointer-sized slots starting at start_addr.

    Each row is prefixed with its index and byte offset ("ii:oooo| ") and the
    slot is rendered through self.print_ptrs. The dump stops at the first slot
    whose address pykd reports as invalid; that address is reported via
    print_err.
    """
    for idx in range(line_num):
        slot = start_addr + idx * PTRSIZE
        pykd.dprint("{:02d}:{:04x}| ".format(idx, idx * PTRSIZE))
        if pykd.isValid(slot):
            self.print_ptrs(slot)
            continue
        print_err("Invalid memory address: {:#x}".format(slot))
        break
def hookHandlerInterp():
    """Breakpoint handler for setInterp: arm a breakpoint at its return site.

    Reads the method name pointer (getMethodName's result) from EAX+0x08. If
    it is readable, a breakpoint is set at NPS["SetInterpRet"] - 4 that calls
    hookHandlerInterpRet with the captured name; its handle is stored in
    GBP['INTERP_RET'] so hookHandlerInterpRet can remove it. Returns
    pykd.executionStatus.NoChange.
    """
    global GBP
    name_ptr = pykd.ptrPtr(pykd.reg("eax") + 0x8)
    if pykd.isValid(name_ptr):
        methodName = pykd.loadCStr(name_ptr)
        ret_site = NPS["SetInterpRet"] - 4
        GBP['INTERP_RET'] = pykd.setBp(
            ret_site, lambda: hookHandlerInterpRet(methodName))
    return pykd.executionStatus.NoChange
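def to_addr(val):
    """Convert a value or debugger expression to a readable memory address.

    val is evaluated with get_expr and converted with to_int; when pykd
    reports the result as a valid address it is returned masked with
    context.PTRMASK. Returns None when evaluation fails or the address is
    not readable.
    """
    try:
        addr = to_int(get_expr(val))
        if pykd.isValid(addr):
            return addr & context.PTRMASK
    except Exception:
        # Best-effort conversion: any evaluation/conversion error means "not
        # an address". A bare `except:` would also swallow KeyboardInterrupt
        # and SystemExit, which must propagate to the debugger session.
        pass
    return None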
def print_general_regs(self):
    """Print every general-purpose register with change highlighting.

    Register names come from self.context.regs_name and values from
    self.context.regs. The name label is colored by self.set_reg_color
    (red when changed, lime otherwise) and emitted as DML. A value that
    pykd considers a valid address is expanded via self.print_ptrs;
    any other value is printed as plain hex.
    """
    for name in self.context.regs_name:
        value = self.context.regs[name]
        colorize = self.set_reg_color(name,
                                      color_changed=color.red,
                                      color_unchanged=color.lime)
        pykd.dprint(colorize('{:3}: '.format(name.upper())), dml=True)
        if not pykd.isValid(value):
            pykd.dprintln("{:#x}".format(value))
            continue
        # Readable address: dereference chain instead of raw hex.
        self.print_ptrs(value)
def hookHandlerJit():
    """Breakpoint handler for setJit: report the freshly jitted method.

    setJit is simpler than setNative: the GprMethodProc parameter already
    holds the resolved address of the jitted code, so it is read directly
    from the stack at ESP+0x28. The method name pointer (getMethodName's
    result) is at EAX+0x08.

    If NPS["TraceJit"] is set and the name is in neither user breakpoint
    list, a tracing breakpoint is installed on the jitted code and stored
    in GBP keyed by its address; the function is then handed to
    func_breakpoints. Returns pykd.executionStatus.NoChange.
    """
    global GBP
    name_ptr = pykd.ptrPtr(pykd.reg("eax") + 0x8)
    jitfunc = pykd.ptrPtr(pykd.reg("esp") + 0x28)

    if not pykd.isValid(name_ptr):
        return pykd.executionStatus.NoChange

    methodName = pykd.loadCStr(name_ptr)
    if not pykd.isValid(jitfunc):
        print("[!] No jitted function found. Something is likely wrong!!!")
        return pykd.executionStatus.NoChange

    display_name = methodName.decode("utf-8", "replace")
    # Jitted code has no module-relative offset, hence the literal 0.
    print("[&] JITTED METHOD: at 0x%x \t offset: 0x%x \t\tName: %s"
          % (jitfunc, 0, display_name))
    if NPS["TraceJit"]:
        listed = (methodName in GBP['BP_FUNCS']
                  or methodName in GBP['BP_RFUNCS'])
        if not listed:
            if NPS["Debug"]:
                print("[Debug] Setting bp for tracing on 0x%x" % jitfunc)
            GBP[jitfunc] = pykd.setBp(jitfunc,
                                      lambda: functionHandler(methodName))
    func_breakpoints(display_name, jitfunc)
    return pykd.executionStatus.NoChange
def hookHandlerInterpRet(methodName):
    """Handler for the return-site breakpoint armed by hookHandlerInterp.

    methodName is the raw name captured at setInterp entry. On return EAX
    holds the interpreter stub address; if pykd reports it as valid the stub
    is printed, optionally given a tracing breakpoint (NPS["TraceInterp"],
    unless the name is in a user breakpoint list) and handed to
    func_breakpoints. The one-shot GBP['INTERP_RET'] breakpoint is removed
    in every case. Returns pykd.executionStatus.NoChange.
    """
    global GBP
    interpfunc = pykd.reg("eax")
    if pykd.isValid(interpfunc):
        display_name = methodName.decode("utf-8", "replace")
        print("[#] INTERP STUB: at 0x%x \t offset: 0x%x \t\tName: %s"
              % (interpfunc, 0, display_name))
        if NPS["TraceInterp"]:
            listed = (methodName in GBP['BP_FUNCS']
                      or methodName in GBP['BP_RFUNCS'])
            if not listed:
                if NPS["Debug"]:
                    print("[Debug] Setting bp for tracing on 0x%x" % interpfunc)
                GBP[interpfunc] = pykd.setBp(interpfunc,
                                             lambda: functionHandler(methodName))
        func_breakpoints(display_name, interpfunc)
    else:
        print("[!] No interp stub found. Something is likely wrong!!!")
    # Drop the one-shot return breakpoint; tolerate it already being gone.
    GBP.pop('INTERP_RET', None)
    return pykd.executionStatus.NoChange
def is_address(self, value):
    """Return whether value is an integer that pykd reports as a valid address.

    Non-integers (per is_int) are rejected without consulting the debugger.
    """
    if not is_int(value):
        return False
    return pykd.isValid(value)
def testVaValid(self):
    """isValid accepts the target module base and rejects 0 and a bogus address."""
    base = target.module.begin()
    self.assertTrue(pykd.isValid(base))
    for bogus in (0, 0xDEADBEAF):
        self.assertFalse(pykd.isValid(bogus))
def _meta_object_id_of_frame(frame):
    """Return the word stored 24 bytes into the frame's meta-object, or 0.

    The meta-object address comes from _meta_object_addr_of_frame; if the
    id slot is not a readable address, 0 is returned instead of raising.
    """
    id_addr = _meta_object_addr_of_frame(frame) + 24
    if not isValid(id_addr):
        return 0
    return ptrWord(id_addr)
def _meta_object_name_of_frame(frame):
    """Return the wide string pointed to 16 bytes into the frame's meta-object.

    The pointer is read from _meta_object_addr_of_frame(frame) + 16; if it
    is not a readable address an empty string is returned.
    """
    name_addr = ptrPtr(_meta_object_addr_of_frame(frame) + 16)
    if not isValid(name_addr):
        return ''
    return loadWStr(name_addr)
def testEnd(self):
    """module.end() is begin()+size() and its last byte is a valid address."""
    size = target.module.size()
    end = target.module.end()
    begin = target.module.begin()
    self.assertEqual(size, end - begin)
    self.assertTrue(pykd.isValid(end - 1))
def testSize(self):
    """module.size() is non-zero and begin()+size()-1 is a valid address."""
    size = target.module.size()
    self.assertNotEqual(0, size)
    last_byte = target.module.begin() + size - 1
    self.assertTrue(pykd.isValid(last_byte))