def test_getset_syswow_context(self, proc32):
addr = proc32.virtual_alloc(0x1000)
remote_python_code = """
import windows
import windows.native_exec.simple_x64 as x64
x64_code = x64.assemble("mov r11, 0x1122334455667788; mov rax, 0x8877665544332211; mov [{0}], rax ;label :loop; jmp :loop; nop; nop; ret")
res = windows.syswow64.execute_64bits_code_from_syswow(x64_code)
windows.current_process.write_qword({0}, res)
""".format(addr)
t = proc32.execute_python_unsafe(textwrap.dedent(remote_python_code))
# Wait for python execution
while proc32.read_qword(addr) != 0x8877665544332211:
pass
ctx = t.context_syswow
# Check the get context
assert ctx.R11 == 0x1122334455667788
assert proc32.read_memory(ctx.Rip,
2) == x64.assemble("label :loop; jmp :loop")
t.suspend()
proc32.write_memory(ctx.Rip, "\x90\x90")
# Check the set context
RETURN_VALUE = 0x4041424344454647
ctx.Rax = RETURN_VALUE
ctx.Rip += 2
t.set_syswow_context(ctx)
t.resume()
t.wait()
assert RETURN_VALUE == proc32.read_qword(addr)
def test_code_x64(code, regs=None, raw=False, **kwargs):
print("Testing x64 code")
if windows.current_process.bitness == 32:
raise ValueError("Cannot debug a 64b process from 32b python")
process = windows.test.pop_proc_64(dwCreationFlags=DEBUG_PROCESS)
if raw:
code = code.replace(" ", "").decode('hex')
else:
code = x64.assemble(code)
start_register = {}
if regs:
for name_value in regs.split(";"):
name, value = name_value.split("=")
name = name.strip().capitalize()
if name == "Eflags":
name = "EFlags"
value = int(value.strip(), 0)
start_register[name] = value
x = CodeTesteur(process, code, start_register)
x.loop()
def test_code_x64(raw=False):
print("Testing x64 code")
if windows.current_process.bitness == 32:
raise ValueError("Cannot debug a 64b process from 32b python")
process = windows.test.pop_calc_64(dwCreationFlags=DEBUG_PROCESS)
if raw:
code = sys.argv[1].replace(" ", "").decode('hex')
else:
code = x64.assemble(sys.argv[1])
start_register = {}
if len(sys.argv) > 2:
for name_value in sys.argv[2].split(";"):
name, value = name_value.split("=")
name = name.strip().capitalize()
if name == "Eflags":
name = "EFlags"
value = int(value.strip(), 0)
start_register[name] = value
x = CodeTesteur(process, code, start_register)
x.loop()
def test_x64_32b_register_lower_upper():
assert x64.assemble("mov eax, 42") == x64.assemble("mov EAX, 42")
assert x64.Mov("eax", 42).get_code() == x64.Mov("EAX", 42).get_code()
assert x64.assemble("mov Eax, [eAx + eaX * 4 + 12]")
def test_exec_syswow(self):
x64_code = x64.assemble(
"mov rax, 0x4040404040404040; mov r11, 0x0202020202020202; add rax, r11; ret"
)
res = windows.syswow64.execute_64bits_code_from_syswow(x64_code)
assert res == 0x4242424242424242
def get_current_process_syswow_peb_addr():
get_peb_64_code = x64.assemble("mov rax, gs:[0x60]; ret")
return execute_64bits_code_from_syswow(get_peb_64_code)
) ## Replaced calc.exe by notepad.exe cause of windows 10.
notepad = windows.utils.create_process(r"C:\windows\system32\notepad.exe")
# You don't need to do that in our case, but it's useful to now
print("Priting threads")
for th in notepad.threads:
print(" * {0}".format(th))
print("Writing some code in memory")
if notepad.bitness == 32:
code = "mov eax, 0x42424242; label :start ; jmp :start; nop; nop; ret"
rawcode = x86.assemble(code)
else:
code = "mov rax, 0x4242424242424242; label :start ; jmp :start; nop; nop; ret"
rawcode = x64.assemble(code)
print("Allocating memory")
with notepad.allocated_memory(0x1000) as addr:
print("Writing code at <{0:#x}>".format(addr))
notepad.write_memory(addr, rawcode)
print("Creating thread on injected code")
t = notepad.create_thread(addr, 0x11223344)
print("New thread is {0}".format(t))
print("Suspending thread")
t.suspend()
ctx = t.context
print("Thread context is {0}".format(ctx))
def get_current_process_syswow_peb_addr():
get_peb_64_code = x64.assemble("mov rax, gs:[0x60]; ret")
return execute_64bits_code_from_syswow(get_peb_64_code)