def activate(self, ctx):
    """Let the user overwrite the word at the highlighted address on the target.

    The address comes from the effective-address highlight (regFu) when one is
    active, otherwise from parsing the highlighted identifier as hex.  The
    current value is fetched from the monitor (@cgc.getMemoryValue) and shown
    in an IDA form; on OK the new value is sent with @cgc.writeWord and the
    debugger memory view is refreshed.

    Args:
        ctx: IDA action context (unused).
    """
    if regFu.isHighlightedEffective():
        addr = regFu.getOffset()
        label = 'effective addr'
    else:
        highlighted = idaapi.get_highlighted_identifier()
        addr = getHex(highlighted)
        if addr is None:
            print('ModMemoryHandler unable to parse hex from %s' % highlighted)
            return
        label = 'addr'
    reply = gdbProt.Evalx('SendGDBMonitor("@cgc.getMemoryValue(0x%x)");' % addr)
    print('%s 0x%x value %s' % (label, addr, reply))
    value = getHex(reply)
    # Form layout per kernwin.hpp: title line, address line, one numeric input.
    s = """Modify memory
Address: %$
<~E~nter value:S:32:16::>
"""
    num = Form.NumericArgument('N', value=value)
    ok = idaapi.AskUsingForm(s, Form.NumericArgument('$', addr).arg, num.arg)
    if ok != 1:
        return
    print("You entered: %x" % num.value)
    gdbProt.Evalx('SendGDBMonitor("@cgc.writeWord(0x%x, 0x%x)");' % (addr, num.value))
    # give the monitor a moment to apply the write before IDA re-reads memory
    time.sleep(1)
    idc.RefreshDebuggerMemory()
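def signalClient(self, norev=False):
    """Sync IDA's debugger view with the monitor's registers after the monitor moved.

    Asks the monitor for its registers as JSON (@cgc.printRegJson), retrying the
    request once if the first reply does not parse, writes every register into
    IDA (mapping the monitor's EFLAGS/CPSR names onto IDA's EFL/PSR), refreshes
    debugger memory and finally rebuilds the stack trace view.

    Args:
        norev: when True, single-step IDA and wait for it to suspend before
            reading registers (used after forward motion, where no reverse
            stop occurred).
    """
    if norev:
        idaapi.step_into()
        idaversion.wait_for_next_event(idc.WFNE_SUSP, -1)
    regs = None
    simicsString = None
    # The monitor reply is occasionally not valid JSON; ask a second time before giving up.
    for _attempt in range(2):
        simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.printRegJson()");')
        try:
            regs = json.loads(simicsString)
            break
        except (ValueError, TypeError):
            regs = None
    if regs is None:
        print('failed to get regs from %s' % simicsString)
        return
    for reg in regs:
        r = str(reg.upper())
        # the monitor's flag register names differ from IDA's
        if r == 'EFLAGS':
            r = 'EFL'
        elif r == 'CPSR':
            r = 'PSR'
        idaversion.set_reg_value(regs[reg], r)
    idaversion.refresh_debugger_memory()
    new_eip = idaversion.get_reg_value(self.PC)
    if new_eip >= self.kernel_base:
        # NOTE(review): only reports the condition; nothing here runs to user space.
        print('in kernel, run to user')
    self.updateStackTrace()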
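def revToSyscall(self):
    """Reverse to the most recent system call, then run forward into user space.

    Sends @cgc.revToSyscall, waits for the stop (which is allowed to be in the
    kernel), sends @cgc.runToUserSpace, waits again, and syncs IDA's registers
    via signalClient.
    """
    gdbProt.Evalx('SendGDBMonitor("@cgc.revToSyscall()");')
    # the reverse stop is expected inside the kernel, so accept it here
    gdbProt.getEIPWhenStopped(kernel_ok=True)
    gdbProt.Evalx('SendGDBMonitor("@cgc.runToUserSpace()");')
    gdbProt.getEIPWhenStopped()
    self.signalClient()
    print('revtoSyscall done')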
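def revToSyscall(self):
    """Reverse to the most recent system call and then return to user space.

    Each monitor command is followed by a wait for the resulting stop and a
    signalClient call so IDA's register view tracks the monitor.  Nothing is
    done when the monitor reply indicates reverse execution is unavailable.
    """
    simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.revToSyscall()");')
    # checkNoRev appears to return True when reversing was possible (see its definition)
    if not self.checkNoRev(simicsString):
        return
    gdbProt.getEIPWhenStopped()
    self.signalClient()
    gdbProt.Evalx('SendGDBMonitor("@cgc.runToUserSpace()");')
    gdbProt.getEIPWhenStopped()
    self.signalClient()
    print('revtoSyscall done')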
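def updateDataWatch(self):
    """Rebuild the data-watch view from the monitor's watch marks.

    Fetches the marks as JSON (@cgc.getWatchMarks), adds one line per mark
    (index, ip, cycle, message), colours lines that mention a return or a
    closed FD, then jumps to the mark the monitor reports via @cgc.nextWatchMark.

    Returns:
        The list of plain (uncoloured) lines added, or None when a monitor
        reply could not be used.
    """
    print("in updateDataWatch")
    retval = []
    self.ClearLines()
    print('did refresh of clear')
    command = '@cgc.getWatchMarks()'
    simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    if isinstance(simicsString, int):
        print('updateDataWatch got an int? %d' % simicsString)
        return
    # the monitor sometimes prefixes the JSON with 'None' plus a separator; strip it
    if simicsString.startswith('None'):
        simicsString = simicsString[5:]
    try:
        data_json = json.loads(simicsString)
    except (ValueError, TypeError):
        print('could not get json from %s' % simicsString)
        return
    for index, entry in enumerate(data_json):
        uline = '%3d 0x%08x 0x%08x %s' % (index, entry['ip'], entry['cycle'], entry['msg'])
        # force ASCII (replacing anything else) so the view and return value are plain text
        line = str(uline.encode('ascii', 'replace').decode('ascii'))
        if 'return from' in line or 'closed FD' in line:
            cline = idaapi.COLSTR(line, idaapi.SCOLOR_DREF)
        else:
            cline = line
        retval.append(line)
        self.AddLine(cline)
    self.Refresh()
    command = '@cgc.nextWatchMark()'
    simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    try:
        index = int(simicsString)
    except (ValueError, TypeError):
        # not an index: show whatever the monitor said instead
        print('%s' % simicsString)
        return
    self.Jump(index)
    return retval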
def doRevStepOver(self):
    """Reverse over the previous instruction (calls treated as a unit) and sync IDA.

    When IDA can determine the previous instruction head, its address is passed
    to the monitor as ``prev`` so the monitor knows where the step should land.

    Returns:
        The eip reported by the monitor once it stopped.
    """
    curAddr = idc.GetRegValue(self.PC)
    prev_eip = idc.PrevHead(curAddr)
    if prev_eip == idaapi.BADADDR:
        cmd = '@cgc.reverseToCallInstruction(False)'
    else:
        cmd = '@cgc.reverseToCallInstruction(False, prev=0x%x)' % prev_eip
    gdbProt.Evalx('SendGDBMonitor("%s");' % cmd)
    eip = gdbProt.getEIPWhenStopped()
    self.signalClient()
    return eip
def doRevStepOver(self):
    """Reverse over the previous instruction (calls treated as a unit) and sync IDA.

    When IDA can determine the previous instruction head, its address is passed
    to the monitor as ``prev``.

    Returns:
        The eip the monitor stopped at, or None when reversing was not possible.
    """
    curAddr = idaversion.get_reg_value(self.PC)
    prev_eip = idaversion.prev_head(curAddr)
    if prev_eip == idaapi.BADADDR:
        cmd = '@cgc.reverseToCallInstruction(False)'
    else:
        cmd = '@cgc.reverseToCallInstruction(False, prev=0x%x)' % prev_eip
    reply = gdbProt.Evalx('SendGDBMonitor("%s");' % cmd)
    if not self.checkNoRev(reply):
        return None
    eip = gdbProt.getEIPWhenStopped()
    self.signalClient()
    return eip
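def updateStackTrace(self):
    """Rebuild the stack-trace view from the monitor's @cgc.getStackTrace reply.

    Each frame becomes one line: ip, basename of the file the frame belongs to,
    IDA's function name at ip, and IDA's disassembly of that instruction.

    Returns:
        The list of lines added, or None when the reply was not usable JSON.
    """
    retval = []
    self.ClearLines()
    command = '@cgc.getStackTrace()'
    simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    if isinstance(simicsString, int):
        print('updateStackTrace got an int? %d' % simicsString)
        return
    try:
        st_json = json.loads(simicsString)
    except (ValueError, TypeError):
        print('could not get json from %s' % simicsString)
        return
    for entry in st_json:
        instruct = idc.GetDisasm(entry['ip'])
        fun = idc.GetFunctionName(entry['ip'])
        fname = os.path.basename(str(entry['fname']))
        line = '0x%08x %-15s %-10s %s' % (entry['ip'], fname, fun, str(instruct))
        retval.append(str(line))
        self.AddLine(str(line))
    self.Refresh()
    return retval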
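def goToBookmarkRefresh(self, mark):
    """Move the monitor to bookmark *mark* and report where it stopped.

    A named bookmark goes through gdbProt.goToBookmark and is abandoned when
    the monitor reports reverse execution as disabled.  The pseudo-bookmarks
    'origin' and '<None>' send @cgc.goToOrigin instead; the monitor's goToFirst
    now handles the missing page and starts in user space (it may end up at
    the second instruction).  The Simics message is shown afterwards.

    Args:
        mark: bookmark name, or 'origin' / '<None>' for the origin.
    """
    if mark not in ('origin', '<None>'):
        simicsString = gdbProt.goToBookmark(mark)
        if simicsString == "reverse disabled":
            print('Reverse execution is disabled')
            return
        gdbProt.getEIPWhenStopped()
    else:
        print('goToBookmarkRefresh, is start_1, goToFirst')
        gdbProt.Evalx('SendGDBMonitor("@cgc.goToOrigin()");')
        gdbProt.getEIPWhenStopped()
    print('Now at bookmark: %s' % mark)
    self.isim.showSimicsMessage()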
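def updateBookmarkView(self):
    """Rebuild the bookmark view from the monitor's @cgc.listBookmarks reply.

    The reply is one 'num:name' line per bookmark.  Names starting with BT that
    do not contain START are shown with '<<<' in place of the BT prefix.

    Returns:
        The list of bookmark entries added, or None when the monitor replied
        with a number instead of text.
    """
    retval = []
    self.ClearLines()
    self.Refresh()
    print('did clear and refresh')
    command = '@cgc.listBookmarks()'
    simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    # Python 2 has a separate long type; Python 3 has no 'long' name at all.
    try:
        int_types = (int, long)
    except NameError:
        int_types = (int,)
    if isinstance(simicsString, int_types):
        print('listBookmarks got an int? %d' % simicsString)
        return
    for l in simicsString.split('\n'):
        if ':' not in l:
            continue
        entry = l.split(':', 1)[1].strip()
        if entry.startswith(BT) and START not in entry:
            entry = '<<<' + entry[len(BT):]
        self.AddLine(str(entry))
        retval.append(entry)
    self.Refresh()
    self.Show()
    return retval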
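def trackRegister(self):
    """Reverse to the instruction that produced the value in a chosen register.

    Requires the highlighted identifier to be a known register; the user then
    picks the register to trace from self.reg_list in a chooser.  Sends
    @cgc.revTaintReg, syncs IDA on the stop and refreshes the bookmark view.

    Returns:
        The eip the monitor stopped at, or None when the highlight was not a
        register, the user cancelled, or reversing was not possible.
    """
    highlighted = idaversion.getHighlight()
    if highlighted is None or not self.isReg(highlighted):
        print('%s not in reg list' % highlighted)
        print('%s' % str(self.reg_list))
        return
    c = idaapi.Choose([], "back track to source of selected register", 1)
    c.width = 50
    c.list = self.reg_list
    chose = c.choose()
    if chose == 0:
        print('user canceled')
        return
    # chooser indices are 1-based; the name sent to the monitor comes from reg_list, not the raw highlight
    highlighted = self.reg_list[chose - 1]
    print('backtrack to source of to %s...' % highlighted)
    command = "@cgc.revTaintReg('%s')" % highlighted
    simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    print('trackRegister got simicsString %s' % simicsString)
    if not self.checkNoRev(simicsString):
        return
    eip = gdbProt.getEIPWhenStopped()
    self.signalClient()
    curAddr = idaversion.get_reg_value(self.PC)
    print('Current instruction (0x%x) is as far back as we can trace reg %s' % (curAddr, highlighted))
    self.showSimicsMessage()
    self.bookmark_view.updateBookmarkView()
    return eip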
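def wroteToRegister(self):
    """Reverse to the most recent write to the highlighted register.

    Sends @cgc.revToModReg for the highlighted name, syncs IDA on the stop and
    reports the instruction that performed the write.

    Returns:
        The eip the monitor stopped at, or None when nothing was highlighted or
        reversing was not possible.
    """
    highlighted = idaversion.getHighlight()
    if highlighted is None:
        print('wroteToRegister: nothing highlighted')
        return
    # NOTE(review): the highlight is interpolated into the monitor command without
    # being checked against self.reg_list; the reg_list chooser (cf. trackRegister)
    # is currently disabled for this action.
    print('Looking for a write to %s...' % highlighted)
    command = "@cgc.revToModReg('%s')" % highlighted
    simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    if not self.checkNoRev(simicsString):
        return
    eip = gdbProt.getEIPWhenStopped()
    self.signalClient()
    curAddr = idaversion.get_reg_value(self.PC)
    print('Current instruction (0x%x) wrote to reg %s' % (curAddr, highlighted))
    return eip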
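def reverseStepInstruction(self, num=1):
    """Reverse-step *num* instructions on the monitor and sync IDA.

    Args:
        num: number of instructions to step backwards (default 1).

    Returns:
        The eip the monitor stopped at, or None when reversing was not possible.
    """
    command = "@cgc.reverseStepInstruction(%d)" % num
    simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    eip = None
    if self.checkNoRev(simicsString):
        eip = gdbProt.getEIPWhenStopped()
        self.signalClient()
    return eip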
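def activate(self, ctx):
    """Write a user-supplied dword to an address on the target (SetAddrValue form).

    The address defaults to the reference under the cursor (getRefAddr) or,
    failing that, to the highlighted identifier parsed as hex.  The form is
    pre-filled with the current dword at that address; on OK,
    @cgc.writeWord(addr+offset, value) is sent to the monitor and the
    bookmark/data-watch views and IDA's views are refreshed.

    Args:
        ctx: IDA action context (unused).
    """
    addr = getRefAddr()
    if addr is None:
        highlighted = idaversion.getHighlight()
        addr = getHex(highlighted)
        if addr is None:
            print('SetAddrValue unable to parse hex from %s' % highlighted)
            return
    sas = setAddrValue.SetAddrValue()
    sas.Compile()
    sas.iAddr.value = addr
    sas.iOffset.value = 0
    sas.iRawHex.value = idaversion.get_wide_dword(sas.iAddr.value)
    if sas.Execute() != 1:
        return
    val = sas.iRawHex.value
    new_addr = sas.iAddr.value + sas.iOffset.value
    gdbProt.Evalx('SendGDBMonitor("@cgc.writeWord(0x%x, 0x%x)");' % (new_addr, val))
    # give the monitor time to apply the write before the views are refreshed
    time.sleep(2)
    self.isim.updateBookmarkView()
    self.isim.updateDataWatch()
    idaversion.refresh_debugger_memory()
    idaversion.refresh_idaview_anyway()
    idaversion.refresh_choosers()
    print('Bookmarks cleared -- select origin bookmark to return to this cycle')
    print('Note: data watches previous to this point are retained, but associated bookmarks are deleted')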
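def doReverse(self, extra_back=None):
    """Reverse execute via @cgc.doReverse and sync IDA.

    If the current address is itself a breakpoint, first reverse-step over it
    so the monitor does not stop here again; if that lands on another
    breakpoint, that address is returned without sending @cgc.doReverse.

    Args:
        extra_back: optional value passed through as the @cgc.doReverse argument.

    Returns:
        The address the monitor stopped at, or None when reversing was not possible.
    """
    print('in doReverse')
    curAddr = idaversion.get_reg_value(self.PC)
    isBpt = idc.CheckBpt(curAddr)
    # if currently at a breakpoint, back up an instruction so we don't break here
    if isBpt > 0:
        print('curAddr is %x, it is a breakpoint, do a rev step over' % curAddr)
        addr = self.doRevStepOver()
        if addr is None:
            return None
        print('in doReverse, did RevStepOver got addr of %x' % addr)
        if idc.CheckBpt(addr) > 0:
            # backed up onto a breakpoint, we are done
            print('doReverse backed to breakpoint, we are done')
            return addr
    param = '' if extra_back is None else extra_back
    command = '@cgc.doReverse(%s)' % param
    simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    addr = None
    if self.checkNoRev(simicsString):
        addr = gdbProt.getEIPWhenStopped()
        self.signalClient()
    return addr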
def reverseStepInstruction(self, num=1):
    """Reverse-step *num* instructions on the monitor.

    Args:
        num: number of instructions to step backwards (default 1).

    Returns:
        The eip reported by the monitor once it stopped.
    """
    cmd = "@cgc.reverseStepInstruction(%d)" % num
    gdbProt.Evalx('SendGDBMonitor("%s");' % cmd)
    return gdbProt.getEIPWhenStopped()
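def updateWriteWatch(self):
    """Rebuild the write-watch view from the monitor's @cgc.getWriteMarks reply.

    Each mark becomes one line: index, ip and the monitor's message.

    Returns:
        The list of lines added, or None when the reply was not usable JSON.
    """
    print("in updateWriteWatch")
    retval = []
    self.ClearLines()
    command = '@cgc.getWriteMarks()'
    simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    if isinstance(simicsString, int):
        print('updateWriteWatch got an int? %d' % simicsString)
        return
    try:
        data_json = json.loads(simicsString)
    except (ValueError, TypeError):
        print('could not get json from %s' % simicsString)
        return
    for index, entry in enumerate(data_json):
        uline = '%3d 0x%08x %s' % (index, entry['ip'], entry['msg'])
        # force ASCII (replacing anything else) so the view gets plain text
        line = str(uline.encode('ascii', 'replace').decode('ascii'))
        retval.append(line)
        self.AddLine(line)
    self.Refresh()
    return retval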
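def trackRegister(self):
    """Reverse to the instruction that produced the value in a register.

    Uses the highlighted identifier when it is in self.reg_list; otherwise
    opens a chooser over self.reg_list.  Sends @cgc.revTaintReg, syncs IDA on
    the stop and refreshes the bookmark view.

    Returns:
        The eip the monitor stopped at, or None when the user cancelled.
    """
    highlighted = idaapi.get_highlighted_identifier()
    if highlighted is None or highlighted not in self.reg_list:
        print('%s not in reg list' % highlighted)
        c = Choose([], "back track to source of selected register", 1)
        c.width = 50
        c.list = self.reg_list
        chose = c.choose()
        if chose == 0:
            print('user canceled')
            return
        # chooser indices are 1-based
        highlighted = self.reg_list[chose - 1]
    print('backtrack to source of to %s...' % highlighted)
    command = "@cgc.revTaintReg('%s')" % highlighted
    gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    eip = gdbProt.getEIPWhenStopped(2)
    self.signalClient()
    curAddr = idc.GetRegValue(self.PC)
    print('Current instruction (0x%x) is as far back as we can trace reg %s' % (curAddr, highlighted))
    self.showSimicsMessage()
    self.bookmark_view.updateBookmarkView()
    return eip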
def doRevStepInto(self):
    """Reverse one instruction, following into calls, and sync IDA.

    When IDA can determine the previous instruction head, its address is passed
    to the monitor as ``prev``.

    Returns:
        The eip the monitor stopped at, or None when reversing was not possible.
    """
    curAddr = idc.GetRegValue(self.PC)
    prev_eip = idc.PrevHead(curAddr)
    if prev_eip == idaapi.BADADDR:
        cmd = '@cgc.reverseToCallInstruction(True)'
    else:
        cmd = '@cgc.reverseToCallInstruction(True, prev=0x%x)' % prev_eip
    reply = gdbProt.Evalx('SendGDBMonitor("%s");' % cmd)
    if not self.checkNoRev(reply):
        return None
    eip = gdbProt.getEIPWhenStopped()
    self.signalClient()
    return eip
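def getMailbox(self):
    """Drain the monitor's mailbox and return its first line.

    Returns:
        The first line of the @cgc.emptyMailbox reply (the whole reply when it
        has only one line).
    """
    msg = gdbProt.Evalx('SendGDBMonitor("@cgc.emptyMailbox()");')
    lines = msg.split('\n')
    if len(lines) > 1:
        msg = lines[0]
    print('got mailbox message: <%s>' % msg)
    return msg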
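def watchData(self):
    """Send @cgc.watchData() to the monitor, wait for the stop, then sync IDA."""
    command = "@cgc.watchData()"
    print('called %s' % command)
    gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    # short pause before polling for the stop
    time.sleep(1)
    gdbProt.getEIPWhenStopped()
    self.signalClient()
    self.showSimicsMessage()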
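def revTo(self):
    """Reverse to the highlighted address (parsed as hex) and sync IDA.

    Does nothing but print a message when the highlight is not parseable as hex.
    """
    highlighted = idaapi.get_highlighted_identifier()
    addr = reHooks.getHex(highlighted)
    if addr is None:
        print('revTo unable to parse hex from %s' % highlighted)
        return
    command = '@cgc.revToAddr(0x%x, extra_back=0)' % addr
    gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    gdbProt.getEIPWhenStopped()
    self.isim.signalClient()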
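def activate(self, ctx):
    """Reverse to the highlighted address (parsed as hex) and sync IDA.

    Args:
        ctx: IDA action context (unused).

    Returns:
        1 (IDA action-handler convention), also when the highlight could not be parsed.
    """
    highlighted = idaversion.getHighlight()
    addr = getHex(highlighted)
    if addr is None:
        print('revTo unable to parse hex from %s' % highlighted)
        return 1
    command = '@cgc.revToAddr(0x%x, extra_back=0)' % addr
    print('cmd: %s' % command)
    gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    gdbProt.getEIPWhenStopped()
    self.isim.signalClient()
    return 1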
def goToOrigin(self):
    """Send the monitor to the origin bookmark and report where it stopped."""
    gdbProt.Evalx('SendGDBMonitor("@cgc.goToOrigin()");')
    eip = gdbProt.getEIPWhenStopped()
    if eip is None:
        print('goToOrigin, getEIPWhenStopped returned None')
        return
    print('goToOrigin eip when stopped is 0x%x' % eip)
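def nextWatchMark(self):
    """Jump the view to the watch mark the monitor reports via @cgc.nextWatchMark."""
    command = '@cgc.nextWatchMark()'
    simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    try:
        index = int(simicsString)
    except (ValueError, TypeError):
        # not an index: show whatever the monitor said instead
        print('%s' % simicsString)
        return
    self.Jump(index)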
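def recordText(self):
    """Tell the monitor where this binary's .text segment lives.

    Walks IDA's segments and, for the first one named '.text', sends its start
    and end addresses to @cgc.recordText.
    """
    for seg_ea in idautils.Segments():
        name = idaversion.get_segm_name(seg_ea)
        print('seg: %s' % name)
        if name == '.text':
            start = idaversion.get_segm_attr(seg_ea, idc.SEGATTR_START)
            end = idaversion.get_segm_attr(seg_ea, idc.SEGATTR_END)
            print('text at 0x%x - 0x%x' % (start, end))
            gdbProt.Evalx('SendGDBMonitor("@cgc.recordText(0x%x, 0x%x)");' % (start, end))
            break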
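def recordText(self):
    """Tell the monitor where this binary's .text segment lives.

    Walks IDA's segments and, for the first one named '.text', sends its start
    and end addresses to @cgc.recordText.
    """
    for seg_ea in idautils.Segments():
        name = idc.SegName(seg_ea)
        print('seg: %s' % name)
        if name == '.text':
            start = idc.SegStart(seg_ea)
            end = idc.SegEnd(seg_ea)
            print('text at 0x%x - 0x%x' % (start, end))
            gdbProt.Evalx('SendGDBMonitor("@cgc.recordText(0x%x, 0x%x)");' % (start, end))
            break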
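def runToSyscall(self):
    """Run forward to the next system call (optionally a specific one) and report its result.

    Prompts for a syscall number, where 0 means any syscall.  After the monitor
    stops (the stop is allowed to be in the kernel) it is run to user space,
    IDA is synced, and EAX is printed as the syscall result.
    """
    value = idaversion.ask_long(0, "Syscall number?")
    if value is None:
        # NOTE(review): assumes the wrapper returns None when the dialog is cancelled — confirm
        print('run to syscall canceled')
        return
    print('run to syscall of %d' % value)
    if value == 0:
        gdbProt.Evalx('SendGDBMonitor("@cgc.runToSyscall()");')
    else:
        gdbProt.Evalx('SendGDBMonitor("@cgc.runToSyscall(%s)");' % value)
    gdbProt.getEIPWhenStopped(kernel_ok=True)
    self.showSimicsMessage()
    gdbProt.Evalx('SendGDBMonitor("@cgc.runToUserSpace()");')
    gdbProt.getEIPWhenStopped()
    # forward motion: step IDA once rather than expecting a reverse stop
    self.signalClient(norev=True)
    eax = idaversion.get_reg_value("EAX")
    print('Syscall result: %d' % int(eax))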
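def activate(self, ctx):
    """Let the user overwrite memory at the highlighted address with a string.

    Address resolution mirrors the numeric variant: the effective-address
    highlight (regFu) if active, else the highlighted identifier parsed as hex.
    The current value from @cgc.getMemoryValue pre-fills a text control; on OK
    the text is sent as a single-quoted literal to @cgc.writeString and the
    debugger memory view is refreshed.

    Args:
        ctx: IDA action context (unused).
    """
    if regFu.isHighlightedEffective():
        addr = regFu.getOffset()
        label = 'effective addr'
    else:
        highlighted = idaapi.get_highlighted_identifier()
        addr = getHex(highlighted)
        if addr is None:
            print('ModMemoryHandler unable to parse hex from %s' % highlighted)
            return
        label = 'addr'
    value = gdbProt.Evalx('SendGDBMonitor("@cgc.getMemoryValue(0x%x)");' % addr)
    print('%s 0x%x value %s' % (label, addr, value))
    # Form layout per kernwin.hpp: title line, address line, one text control.
    s = """Modify memory
Address: %$
<~E~nter value:t40:80:50::>
"""
    ti = idaapi.textctrl_info_t(value)
    ok = idaapi.AskUsingForm(
        s, Form.NumericArgument('$', addr).arg,
        idaapi.pointer(idaapi.c_void_p.from_address(ti.clink_ptr)))
    if ok != 1:
        return
    # NOTE(review): the text is interpolated unescaped into a quoted literal that the
    # monitor evaluates; a quote or backslash in the input breaks (or alters) the
    # command.  How to escape it depends on how SendGDBMonitor/Evalx unquote — confirm
    # before adding escaping here.
    arg = "'%s'" % ti.text.strip()
    print("You entered: %s <%s>" % (ti.text, arg))
    cmd = "@cgc.writeString(0x%x, %s)" % (addr, arg)
    print(cmd)
    gdbProt.Evalx('SendGDBMonitor("%s");' % cmd)
    # give the monitor a moment to apply the write before IDA re-reads memory
    time.sleep(1)
    idc.RefreshDebuggerMemory()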
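def continueForward(self):
    """Resume forward execution on the monitor, then sync IDA and the bookmark view."""
    gdbProt.Evalx('SendGDBMonitor("@cgc.continueForward()");')
    eip = gdbProt.getEIPWhenStopped()
    if eip is None:
        # getEIPWhenStopped can return None (goToOrigin checks for it); '0x%x' would raise on it
        print('continueForward, getEIPWhenStopped returned None')
    else:
        print('continueForward got eip 0x%x' % eip)
    self.signalClient()
    self.bookmark_list = self.bookmark_view.updateBookmarkView()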