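def parse_WinDbg(db_file, line, etree):
    """Parse one line of a WinDbg trace and append it to the XML trace.

    WinDbg trace output interleaves three kinds of lines:

      * register dumps (``eax=...``, ``eip=...``, ``cs=...``) -- skipped;
      * symbol labels such as ``hello!__tmainCRTStartup:`` -- remembered on
        the function object (``parse_WinDbg.thread``) and attached to every
        instruction line that follows;
      * instruction lines ``<va> <opcode bytes> <mnemonic> [operands]`` --
        handed to create_xml() together with the last label seen.

    Args:
        db_file: destination passed straight through to create_xml().
        line: one raw line of WinDbg output (treated as untrusted text).
        etree: XML tree object passed straight through to create_xml().

    Returns:
        None.  Lines that carry no instruction are ignored.
    """
    # "hello!__tmainCRTStartup:" -> "hello __tmainCRTStartup:" so the module
    # name and the symbol become separate tokens.
    line = line.replace("!", " ")

    # "0040106b 6a10            push    10h"
    #   -> ['0040106b', '6a10', 'push', '10h']
    ins_lst = line.split()
    if not ins_lst:
        return

    # Register-dump lines carry no instruction.
    if ins_lst[0].startswith(("eax=", "eip=", "cs=")):
        return

    # A non-hex first token is a label line ("hello mainCRTStartup+0x5:");
    # remember it for the instruction lines that follow.
    if not u.is_number_hex(ins_lst[0]):
        parse_WinDbg.thread = ins_lst[0]
        return

    # An instruction line needs at least va, opcode bytes and mnemonic; a
    # truncated line would otherwise raise IndexError on ins_lst[2].
    if len(ins_lst) < 3:
        return

    va = ins_lst[0]
    registers = "None"  # WinDbg traces carry no register-effect annotation

    # ins_lst[1] is the raw opcode bytes -- not needed by Virtual Deobfuscator.
    # The mnemonic plus every operand token, single-space separated.
    mnemonic = " ".join(ins_lst[2:])

    # If the trace starts with an instruction before any label, no thread has
    # been recorded yet; use the same placeholder parse_Immunity_Olly110 uses
    # instead of raising AttributeError.
    thread = getattr(parse_WinDbg, "thread", "Unknown")

    # NOTE(review): unlike parse_Immunity_Olly110 this parser does not strip
    # '<', '>' or '&' before the values reach the XML layer; whether that is
    # safe depends on create_xml() escaping them -- confirm before running on
    # traces from untrusted binaries.
    create_xml(db_file, etree, thread, va, mnemonic, registers)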
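def parse_WinDbg(db_file, line, etree):
    """Parse one line of a WinDbg trace and append it to the XML trace.

    WinDbg trace output interleaves three kinds of lines:

      * register dumps (``eax=...``, ``eip=...``, ``cs=...``) -- skipped;
      * symbol labels such as ``hello!__tmainCRTStartup:`` -- remembered on
        the function object (``parse_WinDbg.thread``) and attached to every
        instruction line that follows;
      * instruction lines ``<va> <opcode bytes> <mnemonic> [operands]`` --
        handed to create_xml() together with the last label seen.

    Args:
        db_file: destination passed straight through to create_xml().
        line: one raw line of WinDbg output (treated as untrusted text).
        etree: XML tree object passed straight through to create_xml().

    Returns:
        None.  Lines that carry no instruction are ignored.
    """
    # "hello!__tmainCRTStartup:" -> "hello __tmainCRTStartup:" so the module
    # name and the symbol become separate tokens.
    line = line.replace("!", " ")

    # "0040106b 6a10            push    10h"
    #   -> ['0040106b', '6a10', 'push', '10h']
    ins_lst = line.split()
    if not ins_lst:
        return

    # Register-dump lines carry no instruction.
    if ins_lst[0].startswith(("eax=", "eip=", "cs=")):
        return

    # A non-hex first token is a label line ("hello mainCRTStartup+0x5:");
    # remember it for the instruction lines that follow.
    if not u.is_number_hex(ins_lst[0]):
        parse_WinDbg.thread = ins_lst[0]
        return

    # An instruction line needs at least va, opcode bytes and mnemonic; a
    # truncated line would otherwise raise IndexError on ins_lst[2].
    if len(ins_lst) < 3:
        return

    va = ins_lst[0]
    registers = "None"  # WinDbg traces carry no register-effect annotation

    # ins_lst[1] is the raw opcode bytes -- not needed by Virtual Deobfuscator.
    # The mnemonic plus every operand token, single-space separated.
    mnemonic = " ".join(ins_lst[2:])

    # If the trace starts with an instruction before any label, no thread has
    # been recorded yet; use the same placeholder parse_Immunity_Olly110 uses
    # instead of raising AttributeError.
    thread = getattr(parse_WinDbg, "thread", "Unknown")

    # NOTE(review): unlike parse_Immunity_Olly110 this parser does not strip
    # '<', '>' or '&' before the values reach the XML layer; whether that is
    # safe depends on create_xml() escaping them -- confirm before running on
    # traces from untrusted binaries.
    create_xml(db_file, etree, thread, va, mnemonic, registers)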
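def parse_Immunity_Olly110(db_file, line, etree):
    """Parse one line of an Immunity Debugger / OllyDbg 1.10 run trace.

    A trace line looks like::

        00401077 Main     XOR EBX,EBX  ; EBX=00000000

    and is split into the virtual address, the thread name, the mnemonic
    with its operands, and (after the first token containing ``;``) the
    register-effect annotation.  The pieces are handed to create_xml().

    Args:
        db_file: destination passed straight through to create_xml().
        line: one raw trace line (treated as untrusted text).
        etree: XML tree object passed straight through to create_xml().

    Returns:
        None.  Blank or truncated lines are ignored.
    """
    # '<', '>' and '&' are XML metacharacters; blank them out so values taken
    # from an untrusted trace cannot break (or inject into) the XML output.
    line = re.sub(r'[\>\<\&]', " ", line)

    # "00401077 Main     XOR EBX,EBX  ; EBX=00000000"
    #   -> ['00401077', 'Main', 'XOR', 'EBX,EBX', ';', 'EBX=00000000']
    ins_lst = line.split()
    if not ins_lst:
        return

    # Immunity prints API-call entries without a thread column, e.g.
    # "__security_init_c MOV EDI,EDI"; insert a placeholder so the token
    # positions match the normal layout.
    if not u.is_number_hex(ins_lst[0]):
        ins_lst.insert(1, 'Unknown')

    # Need at least va, thread and mnemonic; a truncated line would otherwise
    # raise IndexError on ins_lst[2].
    if len(ins_lst) < 3:
        return

    va = ins_lst[0]
    thread = ins_lst[1]

    # Everything from the first token containing ';' to the end of the line
    # is the register-effect annotation (the ';' token included); every token
    # before it belongs to the mnemonic/operands.
    mnemonic_tokens = [ins_lst[2]]
    registers = ""
    for idx, tok in enumerate(ins_lst[3:], start=3):
        if ";" in tok:
            registers = " ".join(ins_lst[idx:])
            break
        mnemonic_tokens.append(tok)
    mnemonic = " ".join(mnemonic_tokens)

    create_xml(db_file, etree, thread, va, mnemonic, registers)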
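def parse_Immunity_Olly110(db_file, line, etree):
    """Parse one line of an Immunity Debugger / OllyDbg 1.10 run trace.

    A trace line looks like::

        00401077 Main     XOR EBX,EBX  ; EBX=00000000

    and is split into the virtual address, the thread name, the mnemonic
    with its operands, and (after the first token containing ``;``) the
    register-effect annotation.  The pieces are handed to create_xml().

    Args:
        db_file: destination passed straight through to create_xml().
        line: one raw trace line (treated as untrusted text).
        etree: XML tree object passed straight through to create_xml().

    Returns:
        None.  Blank or truncated lines are ignored.
    """
    # '<', '>' and '&' are XML metacharacters; blank them out so values taken
    # from an untrusted trace cannot break (or inject into) the XML output.
    line = re.sub(r'[\>\<\&]', " ", line)

    # "00401077 Main     XOR EBX,EBX  ; EBX=00000000"
    #   -> ['00401077', 'Main', 'XOR', 'EBX,EBX', ';', 'EBX=00000000']
    ins_lst = line.split()
    if not ins_lst:
        return

    # Immunity prints API-call entries without a thread column, e.g.
    # "__security_init_c MOV EDI,EDI"; insert a placeholder so the token
    # positions match the normal layout.
    if not u.is_number_hex(ins_lst[0]):
        ins_lst.insert(1, 'Unknown')

    # Need at least va, thread and mnemonic; a truncated line would otherwise
    # raise IndexError on ins_lst[2].
    if len(ins_lst) < 3:
        return

    va = ins_lst[0]
    thread = ins_lst[1]

    # Everything from the first token containing ';' to the end of the line
    # is the register-effect annotation (the ';' token included); every token
    # before it belongs to the mnemonic/operands.
    mnemonic_tokens = [ins_lst[2]]
    registers = ""
    for idx, tok in enumerate(ins_lst[3:], start=3):
        if ";" in tok:
            registers = " ".join(ins_lst[idx:])
            break
        mnemonic_tokens.append(tok)
    mnemonic = " ".join(mnemonic_tokens)

    create_xml(db_file, etree, thread, va, mnemonic, registers)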