Python loadBytes Examples

Example #1

    def parse_pool(self):
        print("[+] from standardalloclist")
        pool = 0
        if self.alloc_size == 0x50:
            pool = STANDARDALLOCLIST[0]
        elif self.alloc_size == 0x68:
            pool = STANDARDALLOCLIST[1]
        elif self.alloc_size == 0x88:
            pool = STANDARDALLOCLIST[2]
        elif self.alloc_size == 0xa0:
            pool = STANDARDALLOCLIST[3]

        _free_pool = []
        free_ptr = pykd.loadQWords(pool, 1)[0]
        print("[+] 0x%x" % (free_ptr), end='')
        col = 0
        for i in range(0x55):

            if free_ptr == 0x0:
                break
            _free_pool.append(free_ptr)
            if pykd.loadBytes(free_ptr + 4, 1)[0] == 0xee:  # free
                next_ptr = pykd.loadQWords(free_ptr + 8, 1)[0]
                free_ptr = next_ptr
                print(" -> 0x%x " % (next_ptr), end='')
            elif pykd.loadBytes(free_ptr + 4, 1)[0] == 0xbb:
                print(" 0x%x in use" % free_ptr)
            col = +1
            if col >= 8:
                print("")
                col = 0

        print("")

Example #2

def disable_signature_verification(pid):
    target_eprocess = get_eprocess_using_pid(pid)

    # Windows 10 x64 17134 (RS4)
    signature_level_offset = 0x6c8
    section_signature_level_offset = 0x6c9

    current_signature_level_value = pykd.loadBytes(
        target_eprocess + signature_level_offset, 1)[0]
    current_section_signature_level_value = pykd.loadBytes(
        target_eprocess + section_signature_level_offset, 1)[0]

    print "PID: {0}".format(pid)
    print "EPROCESS: {0}".format(hex(target_eprocess).rstrip("L"))
    print "Current SignatureLevel: {0}".format(current_signature_level_value)
    print "Current SectionSignatureLevel: {0}".format(
        current_section_signature_level_value)

    if current_signature_level_value and current_section_signature_level_value:
        pykd.setByte(target_eprocess + signature_level_offset, 0)
        pykd.setByte(target_eprocess + section_signature_level_offset, 0)

        new_signature_level_value = pykd.loadBytes(
            target_eprocess + signature_level_offset, 1)[0]
        new_section_signature_level_value = pykd.loadBytes(
            target_eprocess + section_signature_level_offset, 1)[0]

        print "New SignatureLevel: {0}".format(new_signature_level_value)
        print "New SectionSignatureLevel: {0}".format(
            new_section_signature_level_value)
    else:
        print "Signature verification is already disabled"

Example #3

File: utils.py Project: hasiblatif/arena

    def get_param_value(self, addr, _type):

        try:
            d = ''
            _type = _type.lower()
            if _type == "lpcstr" or _type == "lptstr" or _type == "lpctstr":
                d_list = pykd.loadBytes(addr, 256)
                last_digit = 1
                for j in d_list:
                    try:
                        if j != 0:
                            d += chr(j)
                        else:
                            if last_digit == 0:
                                break
                        last_digit = j
                    except:
                        pass
            elif _type == "lpcwstr" or _type.lower() == "wchar":
                d_list = pykd.loadBytes(addr, 512)
                for j in d_list:
                    try:
                        if j != 0:
                            d += chr(j)
                        else:
                            break
                    except:
                        pass
            else:
                return addr
            return d
        except:
            print traceback.print_exc()
            return "err"

Example #4

File: dbg_windbg.py Project: FredrikAleksander/voltron

        def dereference(self, pointer, target_id=0):
            """
            Recursively dereference a pointer for display
            """
            fmt = ('<' if self.get_byte_order() == 'little' else '>') + {2: 'H', 4: 'L', 8: 'Q'}[self.get_addr_size()]

            addr = pointer
            chain = []

            # recursively dereference
            for i in range(0, self.max_deref):
                try:
                    [ptr] = pykd.loadPtrs(addr, 1)
                    if ptr in chain:
                        break
                    chain.append(('pointer', addr))
                    addr = ptr
                except:
                    log.exception("Dereferencing pointer 0x{:X}".format(addr))
                    break

            # get some info for the last pointer
            # first try to resolve a symbol context for the address
            if len(chain):
                p, addr = chain[-1]
                output = pykd.findSymbol(addr)
                sym = True
                try:
                    # if there's no symbol found, pykd returns a hex string of the address
                    if int(output, 16) == addr:
                        sym = False
                        log.debug("no symbol context")
                except:
                    pass

                if sym:
                    chain.append(('symbol', output.strip()))
                else:
                    log.debug("no symbol context")
                    mem = pykd.loadBytes(addr, 2)
                    if mem[0] < 127:
                        if mem[1] == 0:
                            a = []
                            for i in range(0, self.max_string, 2):
                                mem = pykd.loadBytes(addr + i, 2)
                                if mem == [0, 0]:
                                    break
                                a.extend(mem)
                            output = array.array('B', a).tostring().decode('UTF-16').encode('latin1')
                            chain.append(('unicode', output))
                        else:
                            output = pykd.loadCStr(addr)
                            chain.append(('string', output))

            log.debug("chain: {}".format(chain))
            return chain

Example #5

File: dbg_windbg.py Project: Stenean/voltron

        def dereference(self, pointer, target_id=0):
            """
            Recursively dereference a pointer for display
            """
            fmt = ('<' if self.get_byte_order() == 'little' else '>') + {2: 'H', 4: 'L', 8: 'Q'}[self.get_addr_size()]

            addr = pointer
            chain = []

            # recursively dereference
            for i in range(0, self.max_deref):
                try:
                    [ptr] = pykd.loadPtrs(addr, 1)
                    if ptr in chain:
                        break
                    chain.append(('pointer', addr))
                    addr = ptr
                except:
                    log.exception("Dereferencing pointer 0x{:X}".format(addr))
                    break

            # get some info for the last pointer
            # first try to resolve a symbol context for the address
            if len(chain):
                p, addr = chain[-1]
                output = pykd.findSymbol(addr)
                sym = True
                try:
                    # if there's no symbol found, pykd returns a hex string of the address
                    if int(output, 16) == addr:
                        sym = False
                        log.debug("no symbol context")
                except:
                    pass

                if sym:
                    chain.append(('symbol', output.strip()))
                else:
                    log.debug("no symbol context")
                    mem = pykd.loadBytes(addr, 2)
                    if mem[0] < 127:
                        if mem[1] == 0:
                            a = []
                            for i in range(0, self.max_string, 2):
                                mem = pykd.loadBytes(addr + i, 2)
                                if mem == [0, 0]:
                                    break
                                a.extend(mem)
                            output = array.array('B', a).tostring().decode('UTF-16').encode('latin1')
                            chain.append(('unicode', output))
                        else:
                            output = pykd.loadCStr(addr)
                            chain.append(('string', output))

            log.debug("chain: {}".format(chain))
            return chain

Example #6

 def testWriteBytes(self):
     testArray = pykd.loadBytes(target.module.ucharArray, 5)
     pykd.writeBytes(target.module.ucharArrayPlace, testArray)
     ucharArray = pykd.loadBytes(target.module.ucharArrayPlace, 5)
     self.assertEqual(
         0,
         len([
             ucharArray[i] for i in range(5)
             if ucharArray[i] != testArray[i]
         ]))

Example #7

File: pykd_engine.py Project: CENSUS/shadow

def read_bytes(addr, size):
    try:
        return bytearray(pykd.loadBytes(addr, size))
    except:
        b = []
        off = 0
        while len(b) < size:
            try:
                b += pykd.loadBytes(addr + off, 0x1000)
            except:
                b += [0] * 0x1000
            off += 0x1000
        return b

Example #8

File: pykd_engine.py Project: y-f00l/shadow

def read_bytes(addr, size):
    try:
        return bytearray(pykd.loadBytes(addr, size))
    except:
        b = []
        off = 0
        while len(b) < size:
            try:
                b += pykd.loadBytes(addr + off, 0x1000)
            except:
                b += [0] * 0x1000
            off += 0x1000
        return b

Example #9

File: utils.py Project: hasiblatif/arena

    def read_binary(self, addr, size):
        d_list = pykd.loadBytes(addr, size)
        d = ''
        for j in d_list:
            d += chr(j)

        return d

Example #10

    def get_bytes(self, address, length):
        bytes = pykd.loadBytes(address, length)

        byte_str = ''
        for byte in bytes:
            byte_str += chr(byte)
        return byte_str

Example #11

 def read(clx, addr, n):
     try:
         rsl = pykd.loadBytes(addr, n)
         rs = ''
         for r in rsl:
             rs += chr(r)
         return rs
     except:
         raise (Exception)

Example #12

File: memtest.py Project: QuincyWork/Python-extension-for-WinDbg

 def testLoadBytes(self):
     ucharArray = pykd.loadBytes(target.module.ucharArray, 5)
     testArray = [0, 10, 0x78, 128, 0xFF]
     self.assertEqual(5, len(ucharArray))
     self.assertEqual(
         0,
         len([
             ucharArray[i] for i in xrange(5)
             if ucharArray[i] != testArray[i]
         ]))

Example #13

File: dbg_windbg.py Project: Stenean/voltron

        def memory(self, address, length, target_id=0):
            """
            Get the register values for .

            `address` is the address at which to start reading
            `length` is the number of bytes to read
            """
            # read memory
            log.debug('Reading 0x{:x} bytes of memory at 0x{:x}'.format(length, address))
            memory = array.array('B', pykd.loadBytes(address, length)).tostring()

            return memory

Example #14

File: dbg_windbg.py Project: FredrikAleksander/voltron

        def memory(self, address, length, target_id=0):
            """
            Get the register values for .

            `address` is the address at which to start reading
            `length` is the number of bytes to read
            """
            # read memory
            log.debug('Reading 0x{:x} bytes of memory at 0x{:x}'.format(length, address))
            memory = array.array('B', pykd.loadBytes(address, length)).tostring()

            return memory

Example #15

 def get_string(self, addr):
     bytes = ''
     found_null = False
     while 1:
         for b in pykd.loadBytes(addr, 0x10):
             if b == 0x0:
                 found_null = True
                 break
             bytes += chr(b)
             
         if found_null:
             break
         addr += 0x10
     return bytes

Example #16

 def get_wide_string(self, addr):
     bytes = ''
     found_null = False
     while 1:
         tmp_bytes = pykd.loadBytes(addr, 0x10)
         for i in range(0, len(tmp_bytes), 2):
             if tmp_bytes[i] == 0x0 and tmp_bytes[i+1] == 0x0:
                 found_null = True
                 break
             bytes += chr(tmp_bytes[i])+chr(tmp_bytes[i+1])
             
         if found_null:
             break
         addr += 0x10
     return bytes

Example #17

File: exploit.py Project: illikainen/exploits

def rewrite_filename():
    """
    Overwrite the terminating NUL-byte for the first filename.

    This effectively concatenates the first two filenames.
    """
    this = pykd.reg("ecx")
    buf = pykd.ptrPtr(this + 1036)
    buf_size = pykd.ptrDWord(this + 1040)

    files = list(Path().iterdir())
    files_hdr = len(files) * 4 * 2
    files_len = files_hdr + sum(len(x.name) + 1 for x in files)

    if files_len == buf_size:
        names = pykd.loadBytes(buf + files_hdr, buf_size - files_hdr)
        for i, byte in enumerate(names):
            if byte == 0:
                pykd.writeBytes(buf + files_hdr + i, [0x41])
                break

Example #18

File: debugger.py Project: kernullist/windbgtool

 def get_bytes(self, address, length):
     num_arr = pykd.loadBytes(address, length)
     return bytearray(num_arr)

Example #19

File: pykd_dump_context.py Project: symeonp/whvp

 def read_virtual_address(self, address, size):
     return bytes(pykd.loadBytes(address, size))

Example #20

File: pykd_dump_context.py Project: symeonp/whvp

 def read_physical_address(self, address, size):
     return bytes(pykd.loadBytes(address, size, True))

Example #21

File: provider.py Project: d0c-s4vage/syringe

 def consume(self, amount):
     return ''.join(map(chr,_pykd.loadBytes(self.addr, amount)))

Example #22

def main(argv):
	
	if len(argv) == 0:
		print "Usage: !py filter.py from_level to_level filtered"
		print "Filtered syscalls for 5th level: !py filter.py 5 5 1"
		exit(-1)
		
	ntMod = pykd.module("nt")
	KeServiceDescriptorTableFilter = int(ntMod.KeServiceDescriptorTableFilter)

	win32Mod = pykd.module("win32k")
	W32pServiceTableFilter = int(win32Mod.W32pServiceTableFilter)
	W32pServiceLimitFilter = pykd.loadDWords(win32Mod.W32pServiceLimitFilter, 1)[0] + 0x1000
	print '[*]W32pServiceTableFilter Address:'
	print '[*]'+str(hex(W32pServiceTableFilter))
	
	win32BaseMod = pykd.module("win32kbase")
	gaWin32KFilterBitmap = int(win32BaseMod.gaWin32KFilterBitmap)
	print '[*]gaWin32KFilterBitmap Address:'
	print '[*]'+str(hex(gaWin32KFilterBitmap))
	
	start_level = int(argv[0])
	end_level = int(argv[1])
	filter = int(argv[2])
	sum = 0
	syscallsLimit = W32pServiceLimitFilter - 0x1000
	
	for i in range(start_level, end_level + 1):
		bitmap = pykd.loadQWords(gaWin32KFilterBitmap + i * 8, 1)[0]
		
		print '[*]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-='
		print '[*]Bitmap filter level ' + str(hex(i))
		if filter:
			print '[*]Show Filtered'
		else:
			print '[*]Show Unfiltered'
		if not bitmap:
			print '[*] None'
			continue
		  
		# Check SSSDT ID for 0x1000
		for j in range(0x1000, W32pServiceLimitFilter):
			# bit index in byte
			syscallNum = j & 0xfff  
			# function offset in W32pServiceTableFilter
			offset =  pykd.loadDWords(W32pServiceTableFilter + syscallNum * 4, 1)[0]
			offset = (0xfffffffff0000000 | (offset >> 4))
			# function address
			syscall = W32pServiceTableFilter + offset
			syscall = syscall % 2**64
			# check
			check_byte = pykd.loadBytes(bitmap + (syscallNum >> 3), 1)[0]
			filtered = check_byte & (1 << (syscallNum & 7))
			filtered = filtered != 0
			
			# 1 is filtered,0 is unfiltered
			if filtered == filter:
				sum = sum + 1
				print '[*]'+pykd.findSymbol(syscall) + ' ' + hex(j)
		
		if filter:
			print "[*]number of filtered system calls"
		else:
			print "[*]number of allowed system calls"
		print '[*]'+str(syscallsLimit) + "/" + str(sum)

	exit(0)

Example #23

File: snapshot.py Project: symeonp/whvp

 def memory_access_callback(self, gpa, gva):
     return bytes(pykd.loadBytes(gpa, 0x1000, True))

Example #24

def read_memory(addr, size, proc=none):
    return buf_to_le(pykd.loadBytes(addr, size))

Example #25

File: pykd_engine.py Project: HackerTool/shadow

def read_memory(addr, size, proc = none):
    return buf_to_le(pykd.loadBytes(addr, size))

Example #26

parser.add_argument('-o', '--offset', help="memory offset to search from")
parser.add_argument('-d', '--discard', nargs='*', help="bytes to discard")
args = parser.parse_args()

if len(sys.argv) < 2:
    parser.print_help()
    exit(0)

offset = int(args.offset, 16)
omitted = [int(x, 16) for x in args.discard]

print("omitting: {}".format([b for b in args.discard]))

refArray = bytearray(range(256))

# remove the omitted bytes
for b in omitted:
    refArray.remove(b)

print("reading {} bytes from offset {}".format(len(refArray), hex(offset)))

# compare to the memory offset given
memoryDump = loadBytes(offset, len(refArray), False)

for x in range(len(refArray)):
    if refArray[x] != memoryDump[x]:
        print("unable to find {} in memory!".format(hex(refArray[x])))
        break
    

Example #27

File: pykdPackage.py Project: iam0xcc/PycharmPykd

def loadBytes(addr, len):
    return pykd.loadBytes(addr, len)

Example #28

 def get_byte(self, addr):
     try:
         return int(pykd.loadBytes(addr, 1)[0])
     except BaseException:
         return None

Example #29

 def get_bytes(self, addr, size):
     try:
         return "".join(map(chr, pykd.loadBytes(addr, size)))
     except BaseException:
         return None