def test_code_x86(code, regs=None, raw=False, **kwargs):
print("Testing x86 code")
process = windows.test.pop_proc_32(dwCreationFlags=DEBUG_PROCESS)
if raw:
code = code.replace(" ", "").decode('hex')
else:
code = x86.assemble(code)
start_register = {}
if regs:
for name_value in regs.split(";"):
name, value = name_value.split("=")
name = name.strip().capitalize()
if name == "Eflags":
name = "EFlags"
value = int(value.strip(), 0)
start_register[name] = value
x = CodeTesteur(process, code, start_register)
x.loop()
def test_code_x86(raw=False):
print("Testing x86 code")
process = windows.test.pop_calc_32(dwCreationFlags=DEBUG_PROCESS)
if raw:
code = sys.argv[1].replace(" ", "").decode('hex')
else:
code = x86.assemble(sys.argv[1])
start_register = {}
if len(sys.argv) > 2:
for name_value in sys.argv[2].split(";"):
name, value = name_value.split("=")
name = name.strip().capitalize()
if name == "Eflags":
name = "EFlags"
value = int(value.strip(), 0)
start_register[name] = value
x = CodeTesteur(process, code, start_register)
x.loop()
code = self.get_exception_code()
context = self.get_exception_context()
print("EXCEPTION !!!! Got a {0!r} at 0x{1:x}".format(code, context.pc))
self.SINGLE_STEP_COUNT -= 1
if self.SINGLE_STEP_COUNT:
return self.single_step()
return EXCEPTION_CONTINUE_EXECUTION
class RewriteBreakpoint(windows.debug.HXBreakpoint):
def trigger(self, dbg, exc):
context = dbg.get_exception_context()
print("GOT AN HXBP at 0x{0:x}".format(context.pc))
# Rewrite the infinite loop with 2 nop
windows.current_process.write_memory(self.addr, b"\x90\x90")
# Ask for a single stepping
return dbg.single_step()
d = SingleSteppingDebugger()
# Infinite loop + nop + ret
code = x86.assemble("label :begin; jmp :begin; nop; ret")
func = windows.native_exec.create_function(code, [PVOID])
print("Code addr = 0x{0:x}".format(func.code_addr))
# Create a thread that will infinite loop
t = windows.current_process.create_thread(func.code_addr, 0)
# Add a breakpoint on the infitine loop
d.add_bp(RewriteBreakpoint(func.code_addr))
t.wait()
print("Done!")
import windows.native_exec.simple_x64 as x64
print("Creating a notepad"
) ## Replaced calc.exe by notepad.exe cause of windows 10.
notepad = windows.utils.create_process(r"C:\windows\system32\notepad.exe")
# You don't need to do that in our case, but it's useful to now
print("Priting threads")
for th in notepad.threads:
print(" * {0}".format(th))
print("Writing some code in memory")
if notepad.bitness == 32:
code = "mov eax, 0x42424242; label :start ; jmp :start; nop; nop; ret"
rawcode = x86.assemble(code)
else:
code = "mov rax, 0x4242424242424242; label :start ; jmp :start; nop; nop; ret"
rawcode = x64.assemble(code)
print("Allocating memory")
with notepad.allocated_memory(0x1000) as addr:
print("Writing code at <{0:#x}>".format(addr))
notepad.write_memory(addr, rawcode)
print("Creating thread on injected code")
t = notepad.create_thread(addr, 0x11223344)
print("New thread is {0}".format(t))
print("Suspending thread")
t.suspend()
context = self.get_exception_context()
print("EXCEPTION !!!! Got a {0} at 0x{1:x}".format(code, context.pc))
self.SINGLE_STEP_COUNT -= 1
if self.SINGLE_STEP_COUNT:
return self.single_step()
return EXCEPTION_CONTINUE_EXECUTION
class RewriteBreakpoint(windows.debug.HXBreakpoint):
def trigger(self, dbg, exc):
context = dbg.get_exception_context()
print("GOT AN HXBP at 0x{0:x}".format(context.pc))
# Rewrite the infinite loop with 2 nop
windows.current_process.write_memory(self.addr, "\x90\x90")
# Ask for a single stepping
return dbg.single_step()
d = SingleSteppingDebugger()
# Infinite loop + nop + ret
code = x86.assemble("label :begin; jmp :begin; nop; ret")
func = windows.native_exec.create_function(code, [PVOID])
print("Code addr = 0x{0:x}".format(func.code_addr))
# Create a thread that will infinite loop
t = windows.current_process.create_thread(func.code_addr, 0)
# Add a breakpoint on the infitine loop
d.add_bp(RewriteBreakpoint(func.code_addr))
t.wait()
print("Done!")
