def parse_pool(self): print("[+] from standardalloclist") pool = 0 if self.alloc_size == 0x50: pool = STANDARDALLOCLIST[0] elif self.alloc_size == 0x68: pool = STANDARDALLOCLIST[1] elif self.alloc_size == 0x88: pool = STANDARDALLOCLIST[2] elif self.alloc_size == 0xa0: pool = STANDARDALLOCLIST[3] _free_pool = [] free_ptr = pykd.loadQWords(pool, 1)[0] print("[+] 0x%x" % (free_ptr), end='') col = 0 for i in range(0x55): if free_ptr == 0x0: break _free_pool.append(free_ptr) if pykd.loadBytes(free_ptr + 4, 1)[0] == 0xee: # free next_ptr = pykd.loadQWords(free_ptr + 8, 1)[0] free_ptr = next_ptr print(" -> 0x%x " % (next_ptr), end='') elif pykd.loadBytes(free_ptr + 4, 1)[0] == 0xbb: print(" 0x%x in use" % free_ptr) col = +1 if col >= 8: print("") col = 0 print("")
def disable_signature_verification(pid): target_eprocess = get_eprocess_using_pid(pid) # Windows 10 x64 17134 (RS4) signature_level_offset = 0x6c8 section_signature_level_offset = 0x6c9 current_signature_level_value = pykd.loadBytes( target_eprocess + signature_level_offset, 1)[0] current_section_signature_level_value = pykd.loadBytes( target_eprocess + section_signature_level_offset, 1)[0] print "PID: {0}".format(pid) print "EPROCESS: {0}".format(hex(target_eprocess).rstrip("L")) print "Current SignatureLevel: {0}".format(current_signature_level_value) print "Current SectionSignatureLevel: {0}".format( current_section_signature_level_value) if current_signature_level_value and current_section_signature_level_value: pykd.setByte(target_eprocess + signature_level_offset, 0) pykd.setByte(target_eprocess + section_signature_level_offset, 0) new_signature_level_value = pykd.loadBytes( target_eprocess + signature_level_offset, 1)[0] new_section_signature_level_value = pykd.loadBytes( target_eprocess + section_signature_level_offset, 1)[0] print "New SignatureLevel: {0}".format(new_signature_level_value) print "New SectionSignatureLevel: {0}".format( new_section_signature_level_value) else: print "Signature verification is already disabled"
def get_param_value(self, addr, _type): try: d = '' _type = _type.lower() if _type == "lpcstr" or _type == "lptstr" or _type == "lpctstr": d_list = pykd.loadBytes(addr, 256) last_digit = 1 for j in d_list: try: if j != 0: d += chr(j) else: if last_digit == 0: break last_digit = j except: pass elif _type == "lpcwstr" or _type.lower() == "wchar": d_list = pykd.loadBytes(addr, 512) for j in d_list: try: if j != 0: d += chr(j) else: break except: pass else: return addr return d except: print traceback.print_exc() return "err"
def dereference(self, pointer, target_id=0): """ Recursively dereference a pointer for display """ fmt = ('<' if self.get_byte_order() == 'little' else '>') + {2: 'H', 4: 'L', 8: 'Q'}[self.get_addr_size()] addr = pointer chain = [] # recursively dereference for i in range(0, self.max_deref): try: [ptr] = pykd.loadPtrs(addr, 1) if ptr in chain: break chain.append(('pointer', addr)) addr = ptr except: log.exception("Dereferencing pointer 0x{:X}".format(addr)) break # get some info for the last pointer # first try to resolve a symbol context for the address if len(chain): p, addr = chain[-1] output = pykd.findSymbol(addr) sym = True try: # if there's no symbol found, pykd returns a hex string of the address if int(output, 16) == addr: sym = False log.debug("no symbol context") except: pass if sym: chain.append(('symbol', output.strip())) else: log.debug("no symbol context") mem = pykd.loadBytes(addr, 2) if mem[0] < 127: if mem[1] == 0: a = [] for i in range(0, self.max_string, 2): mem = pykd.loadBytes(addr + i, 2) if mem == [0, 0]: break a.extend(mem) output = array.array('B', a).tostring().decode('UTF-16').encode('latin1') chain.append(('unicode', output)) else: output = pykd.loadCStr(addr) chain.append(('string', output)) log.debug("chain: {}".format(chain)) return chain
def testWriteBytes(self): testArray = pykd.loadBytes(target.module.ucharArray, 5) pykd.writeBytes(target.module.ucharArrayPlace, testArray) ucharArray = pykd.loadBytes(target.module.ucharArrayPlace, 5) self.assertEqual( 0, len([ ucharArray[i] for i in range(5) if ucharArray[i] != testArray[i] ]))
def read_bytes(addr, size): try: return bytearray(pykd.loadBytes(addr, size)) except: b = [] off = 0 while len(b) < size: try: b += pykd.loadBytes(addr + off, 0x1000) except: b += [0] * 0x1000 off += 0x1000 return b
def read_binary(self, addr, size): d_list = pykd.loadBytes(addr, size) d = '' for j in d_list: d += chr(j) return d
def get_bytes(self, address, length): bytes = pykd.loadBytes(address, length) byte_str = '' for byte in bytes: byte_str += chr(byte) return byte_str
def read(clx, addr, n): try: rsl = pykd.loadBytes(addr, n) rs = '' for r in rsl: rs += chr(r) return rs except: raise (Exception)
def testLoadBytes(self): ucharArray = pykd.loadBytes(target.module.ucharArray, 5) testArray = [0, 10, 0x78, 128, 0xFF] self.assertEqual(5, len(ucharArray)) self.assertEqual( 0, len([ ucharArray[i] for i in xrange(5) if ucharArray[i] != testArray[i] ]))
def memory(self, address, length, target_id=0): """ Get the register values for . `address` is the address at which to start reading `length` is the number of bytes to read """ # read memory log.debug('Reading 0x{:x} bytes of memory at 0x{:x}'.format(length, address)) memory = array.array('B', pykd.loadBytes(address, length)).tostring() return memory
def get_string(self, addr): bytes = '' found_null = False while 1: for b in pykd.loadBytes(addr, 0x10): if b == 0x0: found_null = True break bytes += chr(b) if found_null: break addr += 0x10 return bytes
def get_wide_string(self, addr): bytes = '' found_null = False while 1: tmp_bytes = pykd.loadBytes(addr, 0x10) for i in range(0, len(tmp_bytes), 2): if tmp_bytes[i] == 0x0 and tmp_bytes[i+1] == 0x0: found_null = True break bytes += chr(tmp_bytes[i])+chr(tmp_bytes[i+1]) if found_null: break addr += 0x10 return bytes
def rewrite_filename(): """ Overwrite the terminating NUL-byte for the first filename. This effectively concatenates the first two filenames. """ this = pykd.reg("ecx") buf = pykd.ptrPtr(this + 1036) buf_size = pykd.ptrDWord(this + 1040) files = list(Path().iterdir()) files_hdr = len(files) * 4 * 2 files_len = files_hdr + sum(len(x.name) + 1 for x in files) if files_len == buf_size: names = pykd.loadBytes(buf + files_hdr, buf_size - files_hdr) for i, byte in enumerate(names): if byte == 0: pykd.writeBytes(buf + files_hdr + i, [0x41]) break
def get_bytes(self, address, length): num_arr = pykd.loadBytes(address, length) return bytearray(num_arr)
def read_virtual_address(self, address, size): return bytes(pykd.loadBytes(address, size))
def read_physical_address(self, address, size): return bytes(pykd.loadBytes(address, size, True))
def consume(self, amount): return ''.join(map(chr,_pykd.loadBytes(self.addr, amount)))
def main(argv): if len(argv) == 0: print "Usage: !py filter.py from_level to_level filtered" print "Filtered syscalls for 5th level: !py filter.py 5 5 1" exit(-1) ntMod = pykd.module("nt") KeServiceDescriptorTableFilter = int(ntMod.KeServiceDescriptorTableFilter) win32Mod = pykd.module("win32k") W32pServiceTableFilter = int(win32Mod.W32pServiceTableFilter) W32pServiceLimitFilter = pykd.loadDWords(win32Mod.W32pServiceLimitFilter, 1)[0] + 0x1000 print '[*]W32pServiceTableFilter Address:' print '[*]'+str(hex(W32pServiceTableFilter)) win32BaseMod = pykd.module("win32kbase") gaWin32KFilterBitmap = int(win32BaseMod.gaWin32KFilterBitmap) print '[*]gaWin32KFilterBitmap Address:' print '[*]'+str(hex(gaWin32KFilterBitmap)) start_level = int(argv[0]) end_level = int(argv[1]) filter = int(argv[2]) sum = 0 syscallsLimit = W32pServiceLimitFilter - 0x1000 for i in range(start_level, end_level + 1): bitmap = pykd.loadQWords(gaWin32KFilterBitmap + i * 8, 1)[0] print '[*]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=' print '[*]Bitmap filter level ' + str(hex(i)) if filter: print '[*]Show Filtered' else: print '[*]Show Unfiltered' if not bitmap: print '[*] None' continue # Check SSSDT ID for 0x1000 for j in range(0x1000, W32pServiceLimitFilter): # bit index in byte syscallNum = j & 0xfff # function offset in W32pServiceTableFilter offset = pykd.loadDWords(W32pServiceTableFilter + syscallNum * 4, 1)[0] offset = (0xfffffffff0000000 | (offset >> 4)) # function address syscall = W32pServiceTableFilter + offset syscall = syscall % 2**64 # check check_byte = pykd.loadBytes(bitmap + (syscallNum >> 3), 1)[0] filtered = check_byte & (1 << (syscallNum & 7)) filtered = filtered != 0 # 1 is filtered,0 is unfiltered if filtered == filter: sum = sum + 1 print '[*]'+pykd.findSymbol(syscall) + ' ' + hex(j) if filter: print "[*]number of filtered system calls" else: print "[*]number of allowed system calls" print '[*]'+str(syscallsLimit) + "/" + str(sum) exit(0)
def memory_access_callback(self, gpa, gva): return bytes(pykd.loadBytes(gpa, 0x1000, True))
def read_memory(addr, size, proc=none): return buf_to_le(pykd.loadBytes(addr, size))
def read_memory(addr, size, proc = none): return buf_to_le(pykd.loadBytes(addr, size))
parser.add_argument('-o', '--offset', help="memory offset to search from") parser.add_argument('-d', '--discard', nargs='*', help="bytes to discard") args = parser.parse_args() if len(sys.argv) < 2: parser.print_help() exit(0) offset = int(args.offset, 16) omitted = [int(x, 16) for x in args.discard] print("omitting: {}".format([b for b in args.discard])) refArray = bytearray(range(256)) # remove the omitted bytes for b in omitted: refArray.remove(b) print("reading {} bytes from offset {}".format(len(refArray), hex(offset))) # compare to the memory offset given memoryDump = loadBytes(offset, len(refArray), False) for x in range(len(refArray)): if refArray[x] != memoryDump[x]: print("unable to find {} in memory!".format(hex(refArray[x]))) break
def loadBytes(addr, len): return pykd.loadBytes(addr, len)
def get_byte(self, addr): try: return int(pykd.loadBytes(addr, 1)[0]) except BaseException: return None
def get_bytes(self, addr, size): try: return "".join(map(chr, pykd.loadBytes(addr, size))) except BaseException: return None