def load_binary(filepath, base=None): # Get the current trace object from vtrace trace = vtrace.getTrace() # If attempting to attach to a 64 bit process # 64 bit python is required. trace.execute(filepath) ############################################################### # The notifier class we want to register notif = CustomNotifier() # The list of events we want the notifier to handle eve = vtrace.NOTIFY_ALL # Tell our vtrace object that we want to capture all events with CustomNotifier trace.registerNotifier(eve, notif) ############################################################### # Call a function to set BP on OEP oep = v_api.getOEP(trace, filepath) # Set breakpoint at address bp = vtrace.Breakpoint(oep) trace.addBreakpoint(bp) # Start executing the program until you hit a breakpoint or it ends trace.run() ################################################################# # Step 5 times into the program for i in range(5): trace.stepi() # Deregister our notifier trace.deregisterNotifier(eve, notif)
def followCreateProcessA(trace): dwAddr = trace.getRegister(REG_ESP) dwAddr += 4 #remove eip dwAddr += 4 #remove lpApplicationName dwAddr += 4 #remove lpCommandLine dwAddr += 4 #remove procattrs dwAddr += 4 #remove threadattrs dwAddr += 4 #remove inheritHandles dwCreateFlags = struct.unpack("I", trace.readMemory(dwAddr, 4))[0] dwCreateFlags |= 4 dwCreateFlags = struct.pack("I", dwCreateFlags) try: trace.writeMemory(dwCreateFlags, dwAddr) except: pass # Add a breakpoint on the return address from CreateProcessA # Run to it and then call afterCreateProcessA # This is so the PID variable is populated. esp = trace.getRegister(REG_ESP) ret = trace.readMemory(esp, 4) ret2 = struct.unpack("I", ret)[0] bp = vtrace.Breakpoint(None, expression=hex(ret2)) trace.addBreakpoint(bp) printBp(trace) trace.run() esp = trace.getRegister(REG_ESP) dwAddr = esp dwAddr -= 44 #move esp to location of stack from CreateProcessA dwAddr += 24 #move esp to location after some CreateProcessA variables dwAddr += 4 #remove dwCreationFlags dwAddr += 4 #remove lpEnvironment dwAddr += 4 #remove lpCurrentDirectory dwAddr += 4 #remove lsStartupInfo # dwAddr points to lpProcessInformation #print "dwAddr: ", dwAddr procid = trace.readMemory(dwAddr, 4) procid = struct.unpack("I", procid)[0] procid += 4 #remove hProcess procid += 4 #remove hThread # procid points to dwProcessId try: pid = struct.unpack("I", trace.readMemory(procid, 4))[0] print "ProcID: ", pid if pid != None: trace.attach(pid) print "ADD TRACE: ", trace.getPid() except: pass return trace
def main(): import vtrace sym = sys.argv[1] pid = int(sys.argv[2]) t = vtrace.getTrace() t.attach(pid) symaddr = t.parseExpression(sym) t.addBreakpoint(vtrace.Breakpoint(symaddr)) while t.getProgramCounter() != symaddr: t.run() snap = t.takeSnapshot() #snap.saveToFile("woot.snap") # You may open in vdb to follow along emu = emulatorFromTrace(snap) lockStepEmulator(emu, t)
def main(argv): opts = setup().parse_args(argv) t = vtrace.getTrace() t.attach(opts.pid) symaddr = t.parseExpression(opts.expr) t.addBreakpoint(vtrace.Breakpoint(symaddr)) while t.getProgramCounter() != symaddr: t.run() snap = v_snapshot.takeSnapshot(t) if opts.save: # You may open this file in vdb to follow along snap.saveToFile(opts.save) emu = emuFromTrace(snap) lockStepEmulator(emu, t)
def load_binary(filepath, base=None): # Get the current trace object from vtrace trace = vtrace.getTrace() # If attempting to attach to a 64 bit process # 64 bit python is required. trace.execute(filepath) # Call a function to set BP on OEP oep = v_api.getOEP(trace, filepath) # Set breakpoint at address bp = vtrace.Breakpoint(oep) trace.addBreakpoint(bp) # Print out all the current breakpoints as well as if they are enabled. for bp in trace.getBreakpoints(): print("%s enabled: %s" % (bp, bp.isEnabled())) # Start executing the program until you hit a breakpoint or it ends trace.run() ############################################################## # At this point you are at OEP of the program # We know that there is a call 5 instructions in # There are ways to programmatically find a call for i in range(5): trace.stepi() # Print the value of EIP as a long and as hex print "\n" print "EIP: ", trace.getRegister(REG_EIP) print "HEX EIP: ", hex(trace.getRegister(REG_EIP)) # Once you are in the function you can read the value of ESP # ESP points to the value of the return address print "\n" esp = trace.getRegister(REG_ESP) retaddr = trace.readMemory(esp, 4) # Returns the exact memory locations # Just in the WRONG order print "RET: ", retaddr.encode('hex') # This returns the address correctly formatted print "RET: ", hex(struct.unpack("I", retaddr)[0])
def load_binary(filepath, base=None): # Get the current trace object from vtrace trace = vtrace.getTrace() trace.execute(filepath) ###################################################################### # Call a function to set BP on OEP oep = v_api.getOEP(trace, filepath) # Set breakpoint at address bp = vtrace.Breakpoint(oep) trace.addBreakpoint(bp) # Print out all the current breakpoints as well as if they are enabled. for bp in trace.getBreakpoints(): print("%s enabled: %s" % (bp, bp.isEnabled())) ###################################################################### # Start executing the program until you hit a breakpoint or it ends trace.run() ###################################################################### # print out the value of EIP as a long and as a hex value print "\n" print "EIP: ", trace.getRegister(REG_EIP) print "HEX EIP: ", hex(trace.getRegister(REG_EIP)) # Read the address of EIP eip = trace.getRegister(REG_EIP) # Read the memory values pointed to by EIP s = trace.readMemory(eip, 15) # Determine the opcode of the memory pointed to by EIP op1 = trace.makeOpcode(s, 0, eip) print "OP CODE: ", op1 # print out the value of EAX as a long and as a hex value print "\n" print "EAX: ", trace.getRegister(REG_EAX) print "HEX EAX: ", hex(trace.getRegister(REG_EAX)) # Print out the value of ESP as a long and as a hex value print "\n" print "ESP: ", trace.getRegister(REG_ESP) print "HEX ESP: ", hex(trace.getRegister(REG_ESP))
def load_binary(filepath, base=None): trace = vtrace.getTrace() trace.execute(filepath) ####################################################################### # Call a function to set BP on OEP oep = v_api.getOEP(trace, filepath) # Set breakpoint at address bp = vtrace.Breakpoint(oep) trace.addBreakpoint(bp) ###################################################################### # Start executing the program until you hit a breakpoint or it ends trace.run() ####################################################################### # function takes in just filename not the full path to filename.exe exeName = filepath.split(".exe")[0] fileName = exeName.split("\\")[len(exeName.split("\\"))-1] # Get the list of imported functions to compare against base, importTable = v_api.printIAT(trace, fileName, debug)
def load_binary(filepath, base=None): # Get the current trace object from vtrace trace = vtrace.getTrace() # If attempting to attach to a 64 bit process # 64 bit python is required. trace.execute(filepath) oep = v_api.getOEP(trace, filepath) # Set breakpoint at address bp = vtrace.Breakpoint(oep) trace.addBreakpoint(bp) # Print out all the current breakpoints as well as if they are enabled. for bp in trace.getBreakpoints(): print("%s enabled: %s" % (bp, bp.isEnabled())) # Start executing the program until you hit a breakpoint or it ends trace.run() print "Holy BreakPoint Batman!"
def load_binary(filepath, base=None): # Get the current trace object from vtrace trace = vtrace.getTrace() # If attempting to attach to a 64 bit process # 64 bit python is required. trace.execute(filepath) ############################################################### # Call a function to set BP on OEP oep = v_api.getOEP(trace, filepath) # Set breakpoint at address bp = vtrace.Breakpoint(oep) trace.addBreakpoint(bp) # Start executing the program until you hit a breakpoint or it ends trace.run() ################################################################# # takes a snapshot of memory snap = vs_snap.takeSnapshot(trace) # saves it to a file snap.saveToFile("zTest.snap")
trace.setMeta('sockets', {}) trace.setMeta('current_socket', {}) trace.setMeta('connections', []) trace.setMeta('recv_bufs', []) notif = CustomNotifier() event = vtrace.NOTIFY_BREAK trace.registerNotifier(event, notif) lib_ws2_32 = trace.getSymByName('ws2_32') send = lib_ws2_32.getSymByName('send') recv = lib_ws2_32.getSymByName('recv') connect = lib_ws2_32.getSymByName('connect') socket = lib_ws2_32.getSymByName('socket') breakpoints = [ vtrace.Breakpoint(send.value), vtrace.Breakpoint(recv.value), vtrace.Breakpoint(connect.value), vtrace.Breakpoint(socket.value), ] for breakpoint in breakpoints: trace.addBreakpoint(breakpoint) try: trace.run() except: pass
def popBreakpoint(self, item, va): bp = vtrace.Breakpoint(va) self.vdbwin.db.trace.addBreakpoint(bp)
def setBpOnPattern(trace, pattern): addr = findFunc(trace, pattern) bp = vtrace.Breakpoint(addr) trace.addBreakpoint(bp)
def do_bp(self, line): """ Show, add, and enable/disable breakpoints USAGE: bp [-d <addr>] [-a <addr>] [-o <addr>] [[-c pycode] <address> ...] -C - Clear All Breakpoints -c "py code" - Set the breakpoint code to the given python string -d <id> - Disable Breakpoint -e <id> - Enable Breakpoint -r <id> - Remove Breakpoint -o <addr> - Create a OneTimeBreak -R <original base>,<original addr>,<Module Name>- rebase and set the break point for module -L <libname> - Add bp's to all functions in <libname> -F <filename> - Load bpcode from file -W perms:size - Set a hardware Watchpoint with perms/size (ie -W rw:4) <address>... - Create Breakpoint NOTE: -c adds python code to the breakpoint. The python code will be run with the following objects mapped into it's namespace automagically: vtrace - the vtrace package trace - the tracer bp - the breakpoint object """ self.trace.requireNotRunning() argv = e_cli.splitargs(line) opts, args = getopt(argv, "F:e:d:o:r:L:R:Cc:W:") pycode = None wpargs = None for opt, optarg in opts: if opt == "-e": self.trace.setBreakpointEnabled(eval(optarg), True) elif opt == "-c": pycode = optarg test = compile(pycode, "test", "exec") elif opt == "-F": bp_lines = file(optarg, "rU").readlines() for line in bp_lines: if line.find("#") > -1: line = line.split('#')[0] if line == "": continue if line.find("-c") > -1: pycode = line.split("-c")[1].split()[0].strip() try: test = compile(pycode, "test", "exec") except: self.vprint( "Error: Not adding BP, bad line entry: %s", line) continue bp_addr = line.split()[-1] try: bp = vtrace.Breakpoint(None, expression=bp_addr) bp.setBreakpointCode(pycode) self.trace.addBreakpoint(bp) except: self.vprint("Error: Not adding BP, bad line entry: %s", line) self.vprint(" [ Breakpoints ]") for bp in self.trace.getBreakpoints(): self.vprint("%s enabled: %s" % (bp, bp.isEnabled())) return elif opt == "-r": self.trace.removeBreakpoint(eval(optarg)) elif opt == "-R": margs = optarg.strip().split(",") original_base = None original_addr = None maps = None if "".join(margs[0][0:2]).lower() == "0x": original_base = int(margs[0], 16) print original_base if "".join(margs[1][0:2]).lower() == "0x": original_addr = int(margs[1], 16) print original_addr if "".join(margs[2][0:2]).lower() == "0x": va = int(margs[2], 16) map = self.memobj.getMemoryMap(va) else: maps = [ i for i in self.trace.platformGetMaps() if i[3].find(margs[2]) > -1 ] if len(maps): map = maps[0] print map if not map or not original_base or not original_addr: self.vprint("Unable to add the breakpoint :-(") print map print original_base print original_addr maddr, size, perm, fname = map rebased_bp = maddr + (original_addr - original_base) args = [] args.append(hex(rebased_bp)) elif opt == "-C": for bp in self.trace.getBreakpoints(): self.trace.removeBreakpoint(bp.id) elif opt == "-d": self.trace.setBreakpointEnabled(eval(optarg), False) elif opt == "-o": self.trace.addBreakpoint( vtrace.OneTimeBreak(None, expression=optarg)) elif opt == "-L": for sym in self.trace.getSymsForFile(optarg): if not isinstance(sym, e_resolv.FunctionSymbol): continue try: bp = vtrace.Breakpoint(None, expression=str(sym)) bp.setBreakpointCode(pycode) self.trace.addBreakpoint(bp) self.vprint("Added: %s" % str(sym)) except Exception, msg: self.vprint("WARNING: %s" % str(msg)) elif opt == "-W": wpargs = optarg.split(":")
self.vprint("Added: %s" % str(sym)) except Exception, msg: self.vprint("WARNING: %s" % str(msg)) elif opt == "-W": wpargs = optarg.split(":") for arg in args: if wpargs != None: size = int(wpargs[1]) bp = vtrace.Watchpoint(None, expression=arg, size=size, perms=wpargs[0]) else: bp = vtrace.Breakpoint(None, expression=arg) bp.setBreakpointCode(pycode) self.trace.addBreakpoint(bp) self.vprint(" [ Breakpoints ]") for bp in self.trace.getBreakpoints(): self.vprint("%s enabled: %s" % (bp, bp.isEnabled())) def do_fds(self, args): """ Show all the open Handles/FileDescriptors for the target process. The "typecode" shown in []'s is the vtrace typecode for that kind of fd/handle. If a string is provided, it will be used to filter results Usage: fds [filter string] """