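    def printchunk(self, uselog=None, option=0, dt=None):
        """Format this heap chunk's header as ``(address, text)`` lines.

        Builds a list of ``(address, message)`` tuples describing the chunk
        and, optionally, hands each one to a logger.  LFH chunks produce a
        single line with the LFH flags and a state tag (``B`` when
        ``freeorder`` is -1, otherwise ``F(<freeorder>)``); back-end chunks
        produce the size/prevsize line (tagged ``<R>`` when
        ``self.isRestore()`` is true), the heap/flags line and - when the
        busy bit ``self.BUSY[1][1]`` is clear in ``flags2`` - the
        next/prev link line.

        Fixes relative to the previous revision: indentation was a mix of
        tabs and spaces (only valid under Python 2's 8-column tab rule and a
        ``TabError`` on Python 3); the redundant ``not self.isLFH`` re-test
        inside the non-LFH branch is gone.

        Args:
            uselog: optional callable ``uselog(msg, address=adr)``; when
                truthy every generated line is also passed to it, in order.
            option: bit flags; ``option & SHOWCHUNK_FULL`` adds the first
                row of ``immutils.hexdump(self.sample)``.
            dt: optional object whose ``Discover(data, address)`` returns
                objects exposing ``address``, ``name`` and ``Print()``.  Used
                to annotate the chunk payload; only applied to non-LFH chunks
                and to LFH chunks whose ``freeorder`` is -1.

        Returns:
            The list of ``(address, message)`` tuples that were built.
        """
        lines = []
        restore = "<R>" if self.isRestore() else ""

        if self.isLFH:
            state = "B"
            if self.freeorder != -1:
                state = "F(%02x)" % self.freeorder
            lines.append((self.addr,
                          "Chunk  size: 0x%x lfhflag: 0x%x %s"
                          % (self.psize, self.lfhflags, state)))
        else:
            header = "0x%08x> " % self.addr
            header += "size:    0x%08x  (%04x)  prevsize: 0x%08x (%04x) %s" % (
                self.usize, self.size, self.upsize, self.psize, restore)
            lines.append((self.addr, header))
            lines.append((self.addr,
                          "            heap:   *0x%08x*         flags:    0x%02x  0x%02x (%s)"
                          % (self.heap_addr, self.flags, self.flags2,
                             self.getflags(self.flags))))
            # Link pointers are only meaningful (and only printed) when the
            # busy bit is clear.
            if not (self.flags2 & self.BUSY[1][1]):
                lines.append((self.addr,
                              "            next:    0x%08x          prev:     0x%08x"
                              % (self.nextchunk, self.prevchunk)))

        if option & SHOWCHUNK_FULL:
            # Only the first hexdump row is shown; the original loop appended
            # solely for index 0.
            dump = immutils.hexdump(self.sample)
            if len(dump) > 0:
                lines.append((self.addr,
                              "           (%s  %s)" % (dump[0][0], dump[0][1])))

        if dt:
            if not self.isLFH or self.freeorder == -1:
                # NOTE(review): data_size is taken from chunk metadata inside
                # the debuggee.  On a corrupted heap - the situation this
                # inspector is typically used in - that field can be garbage,
                # so the read length is effectively untrusted; how readMemory
                # behaves on an oversized or unmapped range is not visible
                # from here.
                payload = self.imm.readMemory(self.data_addr, self.data_size)
                for obj in dt.Discover(payload, self.data_addr):
                    lines.append((obj.address,
                                  " > %s: %s " % (obj.name, obj.Print())))

        if uselog:
            for adr, msg in lines:
                uselog(msg, address=adr)

        return lines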
    def printchunk(self, uselog=None, option=0, dt=None):
        """Render this chunk's header as a list of ``(address, text)`` rows.

        This revision has no LFH handling: every chunk gets the size/prevsize
        row (tagged ``<R>`` when ``self.isRestore()`` is true), the
        heap/flags row, and - when the busy bit ``self.BUSY[1][1]`` is clear
        in ``self.flags`` - the next/prev link row.

        Args:
            uselog: optional callable ``uselog(msg, address=adr)``; when
                truthy each row is also passed to it, in order.
            option: bit flags; ``option & SHOWCHUNK_FULL`` appends the first
                row of ``immutils.hexdump(self.sample)``.
            dt: optional object whose ``Discover(data, address)`` yields
                objects exposing ``address``, ``name`` and ``Print()``; the
                chunk payload (``data_size`` bytes read from ``data_addr``)
                is passed to it and each result becomes a row.

        Returns:
            The list of ``(address, text)`` rows that were built.
        """
        if self.isRestore():
            restore_mark = "<R>"
        else:
            restore_mark = ""

        size_text = "size:    0x%08x  (%04x)  prevsize: 0x%08x (%04x) %s" % (
            self.usize, self.size, self.upsize, self.psize, restore_mark)
        flag_text = "            heap:   *0x%08x*         flags:    0x%08x (%s)" % (
            self.heap_addr, self.flags, self.getflags(self.flags))
        rows = [
            (self.addr, "0x%08x> " % self.addr + size_text),
            (self.addr, flag_text),
        ]

        busy_bit = self.BUSY[1][1]
        if not (self.flags & busy_bit):
            rows.append((self.addr,
                         "            next:    0x%08x          prev:     0x%08x"
                         % (self.nextchunk, self.prevchunk)))

        if option & SHOWCHUNK_FULL:
            dump = immutils.hexdump(self.sample)
            # Only row 0 of the hexdump is reported.
            for index in range(len(dump)):
                if index:
                    continue
                rows.append((self.addr,
                             "           (%s  %s)" % (dump[index][0], dump[index][1])))

        if dt:
            # NOTE(review): data_size originates in debuggee heap metadata and
            # may be bogus on a corrupted heap; readMemory's behaviour on a
            # bad range is not visible here.
            raw = self.imm.readMemory(self.data_addr, self.data_size)
            for found in dt.Discover(raw, self.data_addr):
                rows.append((found.address,
                             " > %s: %s " % (found.name, found.Print())))

        if uselog:
            for row_addr, row_text in rows:
                uselog(row_text, address=row_addr)

        return rows
    def printchunk(self, uselog=None, option=0, dt=None):
        """Describe this chunk as ``(address, text)`` lines, optionally logging them.

        LFH chunks yield one line carrying ``lfhflags`` and a state tag
        (``B`` for ``freeorder == -1``, else ``F(<freeorder>)``).  Other
        chunks yield the size/prevsize line (``<R>`` appended when
        ``self.isRestore()`` is true), the heap/flags line, and the
        next/prev line when the busy bit ``self.BUSY[1][1]`` is clear in
        ``flags2``.

        Args:
            uselog: optional callable ``uselog(msg, address=adr)``; when
                truthy each line is forwarded to it after the list is built.
            option: bit flags; ``option & SHOWCHUNK_FULL`` adds the first
                row of ``immutils.hexdump(self.sample)``.
            dt: optional object with ``Discover(data, address)`` returning
                objects that expose ``address``, ``name`` and ``Print()``.
                Skipped for LFH chunks whose ``freeorder`` is not -1.

        Returns:
            The list of ``(address, text)`` tuples.
        """
        out = []

        def emit(address, text):
            out.append((address, text))

        restore_tag = ""
        if self.isRestore():
            restore_tag = "<R>"

        if self.isLFH:
            if self.freeorder == -1:
                state = "B"
            else:
                state = "F(%02x)" % self.freeorder
            emit(self.addr,
                 "Chunk  size: 0x%x lfhflag: 0x%x %s" % (self.psize, self.lfhflags, state))
        else:
            size_line = "size:    0x%08x  (%04x)  prevsize: 0x%08x (%04x) %s" % (
                self.usize, self.size, self.upsize, self.psize, restore_tag)
            emit(self.addr, "0x%08x> " % self.addr + size_line)
            emit(self.addr,
                 "            heap:   *0x%08x*         flags:    0x%02x  0x%02x (%s)"
                 % (self.heap_addr, self.flags, self.flags2, self.getflags(self.flags)))
            # De Morgan of the original "not isLFH and not busy" test.
            if not (self.isLFH or (self.flags2 & self.BUSY[1][1])):
                emit(self.addr,
                     "            next:    0x%08x          prev:     0x%08x"
                     % (self.nextchunk, self.prevchunk))

        if option & SHOWCHUNK_FULL:
            rows = immutils.hexdump(self.sample)
            # Only the first hexdump row is reported.
            for index, row in enumerate(rows):
                if index == 0:
                    emit(self.addr, "           (%s  %s)" % (row[0], row[1]))

        if dt:
            if self.isLFH:
                eligible = self.freeorder == -1
            else:
                eligible = True
            if eligible:
                # NOTE(review): data_size comes from debuggee heap metadata;
                # on a corrupted heap it may be arbitrary.
                payload = self.imm.readMemory(self.data_addr, self.data_size)
                for found in dt.Discover(payload, self.data_addr):
                    emit(found.address, " > %s: %s " % (found.name, found.Print()))

        if uselog:
            for line_addr, line_text in out:
                uselog(line_text, address=line_addr)

        return out
    def printchunk(self, uselog=None, option=0, dt=None):
        """Produce the ``(address, text)`` lines that describe this chunk.

        Always emits the size/prevsize line (suffixed with ``<R>`` when
        ``self.isRestore()`` is true) and the heap/flags line; emits the
        next/prev line only when the busy bit ``self.BUSY[1][1]`` is clear
        in ``self.flags``.  This revision has no LFH support.

        Args:
            uselog: optional callable ``uselog(msg, address=adr)``; when
                truthy, every line is forwarded to it once the list is built.
            option: bit flags; ``option & SHOWCHUNK_FULL`` appends the first
                hexdump row of ``self.sample``.
            dt: optional object whose ``Discover(data, address)`` returns
                objects with ``address``, ``name`` and ``Print()``; the chunk
                payload read from the debuggee is handed to it.

        Returns:
            The list of ``(address, text)`` tuples.
        """
        restore_tag = "<R>" if self.isRestore() else ""
        here = self.addr

        size_part = "size:    0x%08x  (%04x)  prevsize: 0x%08x (%04x) %s" % (
            self.usize, self.size, self.upsize, self.psize, restore_tag)
        lines = [(here, "0x%08x> " % here + size_part)]
        lines.append((here,
                      "            heap:   *0x%08x*         flags:    0x%08x (%s)"
                      % (self.heap_addr, self.flags, self.getflags(self.flags))))

        busy = self.flags & self.BUSY[1][1]
        if not busy:
            lines.append((here,
                          "            next:    0x%08x          prev:     0x%08x"
                          % (self.nextchunk, self.prevchunk)))

        if option & SHOWCHUNK_FULL:
            dump = immutils.hexdump(self.sample)
            # Just the first row of the dump is appended.
            for pos in range(len(dump)):
                if pos == 0:
                    lines.append((here,
                                  "           (%s  %s)" % (dump[pos][0], dump[pos][1])))

        if dt:
            # NOTE(review): data_size is read from debuggee heap metadata and
            # may be arbitrary on a corrupted heap.
            buf = self.imm.readMemory(self.data_addr, self.data_size)
            discovered = dt.Discover(buf, self.data_addr)
            for item in discovered:
                lines.append((item.address, " > %s: %s " % (item.name, item.Print())))

        if uselog:
            for item_addr, item_text in lines:
                uselog(item_text, address=item_addr)

        return lines
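def main(args):
    """Scratch/benchmark script for immlib disassembly and function analysis.

    Logs the script arguments and the ntdll.dll code base, times one
    ``disasmData`` call at a fixed address, dumps the decode data, then
    recovers the basic blocks of the function at ``ADDR`` and crosses their
    start addresses off a hard-coded reference list (named ``ida``;
    presumably block starts exported from IDA for the same function - the
    listing does not say).  Reference starts immlib did not find are
    disassembled backwards and reported with whether the preceding
    instruction is a call.

    Fixes relative to the previous revision: a reference list literal was
    split across two lines; ``del ida[ida.index(...)]`` aborted the whole
    run with ``ValueError`` on the first block start missing from the
    reference list; the ``L`` long-literal suffix (Python 2 only) is gone;
    the timing label claimed microseconds for a value in seconds; the dead
    ``address += 1`` is removed.

    Args:
        args: iterable of command-line arguments; each is only logged.

    Returns:
        None.  All output goes through ``imm.Log``.
    """
    import time

    imm = immlib.Debugger()
    for arg in args:
        imm.Log("Arg: %s" % arg)

    mod = imm.getModule("ntdll.dll")
    if mod is None:
        # NOTE(review): getModule's failure value is not visible here; a None
        # result would otherwise surface as an AttributeError on the next line.
        imm.Log("ntdll.dll is not loaded")
        return
    addr = mod.getCodebase()
    dec = imm.findDecode(addr)
    imm.Log("Base address: 0x%08x" % addr)

    # NOTE(review): every absolute address below was captured from one
    # specific ntdll.dll build at its preferred base.  On any other build, or
    # with ASLR, they land in unrelated bytes and the output is meaningless;
    # nothing here checks them against `addr`.  TODO express as module offsets.
    address = 0x7c93c667
    imm.Log(hex(address))
    imm.Log(str(dec.isJmpDestination(address)))
    imm.Log(hex(dec[address]))

    # time.clock() was removed in Python 3.8; use perf_counter when available.
    clock = getattr(time, "perf_counter", None) or time.clock
    start = clock()
    op = imm.disasmData(address)
    stop = clock()
    # Elapsed wall time of a single call, in seconds.
    imm.Log("DisasmData %.8f s (one call)" % (stop - start))

    imm.Log("is jmc" + str(op.isConditionalJmp()), address=address)
    imm.Log("op dest: 0x%08x" % op.getJmpConst(), address=address)
    imm.Log(str(immutils.hexdump(dec.data)))

    # Function under analysis (value fits a plain int; no "L" suffix needed).
    ADDR = 0x7C9105D4

    f = imm.getFunction(ADDR)
    bb = f.getBasicBlocks()
    imm.Log("Basic Blocks")
    # Reference basic-block start addresses for the function at ADDR.
    ida = [
        0x7c911f49, 0x7c93bad1, 0x7c911505, 0x7c9112f2, 0x7c93431e, 0x7c9111f1,
        0x7c9342c5, 0x7c9111f6, 0x7c91b298, 0x7c912221, 0x7c911513, 0x7c912270,
        0x7c912343, 0x7c93250b, 0x7c9114cf, 0x7c9115ad, 0x7c910c98, 0x7c911566,
        0x7c93b95e, 0x7c9116ff, 0x7c931a9a, 0x7c9342e9, 0x7c934312, 0x7c910c91,
        0x7c911441, 0x7c911446, 0x7c91122e, 0x7c91b2a2, 0x7c911330, 0x7c9113b0,
        0x7c9117e4, 0x7c931ad8, 0x7c93b968, 0x7c910cd3, 0x7c93ba0c, 0x7c9111a2,
        0x7c91222b, 0x7c932508, 0x7c911790, 0x7c93bac9, 0x7c911182, 0x7c912237,
        0x7c910649, 0x7c912230, 0x7c93b89a, 0x7c93bbd6, 0x7c934278, 0x7c911624,
        0x7c93ba89, 0x7c9111fe, 0x7c934341, 0x7c911676, 0x7c911573, 0x7c934256,
        0x7c931a8c, 0x7c9342a5, 0x7c911570, 0x7c93ba01, 0x7c91154b, 0x7c910cec,
        0x7c93bc5e, 0x7c911342, 0x7c934356, 0x7c9113f0, 0x7c91117a, 0x7c910c9f,
        0x7c912269, 0x7c934391, 0x7c910ca6, 0x7c93b91a, 0x7c934302, 0x7c934351,
        0x7c911fe5, 0x7c9106a5, 0x7c911193, 0x7c911615, 0x7c9112ca, 0x7c911541,
        0x7c911815, 0x7c9115fa, 0x7c912243, 0x7c93bbe2, 0x7c934386, 0x7c934380,
        0x7c9342ce, 0x7c91142e, 0x7c93437b, 0x7c93b999, 0x7c91176c, 0x7c9115ba,
        0x7c911633, 0x7c91062d, 0x7c91153b, 0x7c91067b, 0x7c9106ab, 0x7c93b994,
        0x7c93430c, 0x7c9111e9, 0x7c9112c4, 0x7c9113a6, 0x7c911fe8, 0x7c93bc68,
        0x7c910cab, 0x7c934396, 0x7c911555, 0x7c93bb49, 0x7c934314, 0x7c9114e5,
        0x7c93b8d5, 0x7c934370, 0x7c93bc25, 0x7c911764, 0x7c910cfa, 0x7c934375,
        0x7c912254, 0x7c9116d3, 0x7c910625, 0x7c911c58, 0x7c93bbed, 0x7c93bbb4,
        0x7c9105e3, 0x7c93bc59, 0x7c93ba63, 0x7c93ba99, 0x7c93ba66, 0x7c9324c7,
        0x7c93438b, 0x7c91182c, 0x7c9111b1, 0x7c9113b8, 0x7c911487, 0x7c9115d3,
        0x7c911484, 0x7c91170a, 0x7c910cc8, 0x7c93b922, 0x7c93bb56, 0x7c9113ce,
        0x7c93bb50, 0x7c9115ed, 0x7c9113fe, 0x7c93bc11, 0x7c911c65, 0x7c910638,
        0x7c9116c8, 0x7c912388, 0x7c912260, 0x7c911239, 0x7c934368, 0x7c9324ec,
        0x7c9105d4, 0x7c91130f, 0x7c93b99e, 0x7c91237a, 0x7c91138c, 0x7c934280,
        0x7c9116bf, 0x7c931aad, 0x7c911f8e, 0x7c911414, 0x7c911525, 0x7c9343a3,
        0x7c911c6b, 0x7c910fdc, 0x7c93b9db, 0x7c911f8a, 0x7c9106d7, 0x7c93bc1c,
        0x7c910687, 0x7c911439, 0x7c9111bb, 0x7c911f77, 0x7c910660, 0x7c93428c,
        0x7c911c76, 0x7c9115df, 0x7c93b8a2, 0x7c93bc9d, 0x7c911382, 0x7c911538,
        0x7c910609, 0x7c93bbcd, 0x7c931aa5, 0x7c9342d3, 0x7c911784, 0x7c911309,
        0x7c93436a, 0x7c911c83, 0x7c91140b, 0x7c91149e, 0x7c93b92f, 0x7c9117ae,
        0x7c93439d, 0x7c91137a, 0x7c9324e1, 0x7c93b9ac, 0x7c93b8cb, 0x7c9106e4,
        0x7c9106e6, 0x7c93268f, 0x7c93bb16, 0x7c934349, 0x7c93b88e, 0x7c911f7f,
        0x7c9113ed, 0x7c9115c4, 0x7c91b28c, 0x7c91159a, 0x7c93b9b2, 0x7c911588,
        0x7c9117c5, 0x7c91165f, 0x7c9117dd, 0x7c931ab4, 0x7c911394, 0x7c910618,
        0x7c9116a8, 0x7c911fbd, 0x7c93bb8b, 0x7c911503, 0x7c911501, 0x7c91066e,
        0x7c911792, 0x7c931acb, 0x7c911158, 0x7c910fca, 0x7c93ba38, 0x7c91179c,
        0x7c911315, 0x7c910cb6, 0x7c91185e, 0x7c910c67, 0x7c911c8c, 0x7c910c61,
        0x7c93bb3e, 0x7c93b883, 0x7c91220d, 0x7c93b9de, 0x7c93bae5, 0x7c911596,
        0x7c9106b8, 0x7c9114a7, 0x7c93b8c0, 0x7c9113dc, 0x7c93bb37, 0x7c9115c0,
        0x7c911645, 0x7c9106eb, 0x7c912356, 0x7c93ba3e, 0x7c910666, 0x7c9122dc,
        0x7c931ac1, 0x7c93b903, 0x7c9324fe, 0x7c911241, 0x7c93b953, 0x7c910744,
        0x7c93b90e, 0x7c931a6b, 0x7c91139e, 0x7c911253, 0x7c911324, 0x7c9122e8,
        0x7c911320, 0x7c9115a4,
    ]
    for a in bb:
        imm.Log(" (0x%08x, 0x%08x )" % (a[0], a[1]))
        # list.remove is the same operation as del ida[ida.index(x)], but a
        # block start the reference list lacks is now reported, not fatal.
        try:
            ida.remove(a[0])
        except ValueError:
            imm.Log(" (block start not in reference list)", address=a[0])
    imm.Log("BB size: %d" % len(bb))
    imm.Log("Resto:  %d" % len(ida))
    # Whatever remains are reference blocks immlib did not find.
    for a in ida:
        op = imm.disasmBackward(a)
        imm.Log(" -> 0x%08x %s" % (a, str(op.isCall())), address=a)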
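def main(args):
    """Smoke-test immlib's decoder and function analysis on ntdll.dll.

    Steps: log the arguments and the module code base; probe and time a
    single ``disasmData`` at a fixed address; dump the decode data; recover
    the basic blocks of the function at ``ADDR`` and cross each start
    address off a hard-coded reference list (``ida`` - presumably block
    starts exported from IDA for the same function; the listing does not
    say).  Whatever is left in the reference list is disassembled backwards
    and logged with whether the preceding instruction is a call.

    Changes relative to the previous revision: ``del ida[ida.index(...)]``
    raised ``ValueError`` and aborted the run on the first block start the
    reference list lacked; the Python 2-only ``L`` literal suffix is gone;
    the timing label said microseconds for a value in seconds; the unused
    ``address += 1`` is dropped.

    Args:
        args: iterable of command-line arguments; they are only logged.

    Returns:
        None.  Everything is reported via ``imm.log``.
    """
    import time

    imm = immlib.Debugger()
    for arg in args:
        imm.log("Arg: %s" % arg)

    mod = imm.getModule("ntdll.dll")
    if mod is None:
        # NOTE(review): getModule's failure value is not visible here; guard
        # so a missing module is logged instead of raising AttributeError.
        imm.log("ntdll.dll is not loaded")
        return
    addr = mod.getCodebase()
    dec = imm.findDecode(addr)
    imm.log("Base address: 0x%08x" % addr)

    # NOTE(review): the absolute addresses in this script belong to one
    # particular ntdll.dll build at its preferred base; under ASLR or any
    # other build they point at unrelated bytes and nothing validates them
    # against `addr`.  TODO rebase them as offsets from the module base.
    address = 0x7c93c667
    imm.log(hex(address))
    imm.log(str(dec.isJmpDestination(address)))
    imm.log(hex(dec[address]))

    # time.clock() no longer exists on Python 3.8+; fall back only if needed.
    clock = getattr(time, "perf_counter", None) or time.clock
    start = clock()
    op = imm.disasmData(address)
    stop = clock()
    # One call, elapsed seconds.
    imm.log("disasmData %.8f s (one call)" % (stop - start))

    imm.log("is jmc" + str(op.isConditionalJmp()), address=address)
    imm.log("op dest: 0x%08x" % op.getJmpConst(), address=address)
    imm.log(str(immutils.hexdump(dec.data)))

    # Function under analysis; the value fits a plain int.
    ADDR = 0x7C9105D4

    f = imm.getFunction(ADDR)
    bb = f.getBasicBlocks()
    imm.log("Basic Blocks")
    # Reference basic-block start addresses for the function at ADDR.
    ida = [
        0x7c911f49, 0x7c93bad1, 0x7c911505, 0x7c9112f2, 0x7c93431e, 0x7c9111f1,
        0x7c9342c5, 0x7c9111f6, 0x7c91b298, 0x7c912221, 0x7c911513, 0x7c912270,
        0x7c912343, 0x7c93250b, 0x7c9114cf, 0x7c9115ad, 0x7c910c98, 0x7c911566,
        0x7c93b95e, 0x7c9116ff, 0x7c931a9a, 0x7c9342e9, 0x7c934312, 0x7c910c91,
        0x7c911441, 0x7c911446, 0x7c91122e, 0x7c91b2a2, 0x7c911330, 0x7c9113b0,
        0x7c9117e4, 0x7c931ad8, 0x7c93b968, 0x7c910cd3, 0x7c93ba0c, 0x7c9111a2,
        0x7c91222b, 0x7c932508, 0x7c911790, 0x7c93bac9, 0x7c911182, 0x7c912237,
        0x7c910649, 0x7c912230, 0x7c93b89a, 0x7c93bbd6, 0x7c934278, 0x7c911624,
        0x7c93ba89, 0x7c9111fe, 0x7c934341, 0x7c911676, 0x7c911573, 0x7c934256,
        0x7c931a8c, 0x7c9342a5, 0x7c911570, 0x7c93ba01, 0x7c91154b, 0x7c910cec,
        0x7c93bc5e, 0x7c911342, 0x7c934356, 0x7c9113f0, 0x7c91117a, 0x7c910c9f,
        0x7c912269, 0x7c934391, 0x7c910ca6, 0x7c93b91a, 0x7c934302, 0x7c934351,
        0x7c911fe5, 0x7c9106a5, 0x7c911193, 0x7c911615, 0x7c9112ca, 0x7c911541,
        0x7c911815, 0x7c9115fa, 0x7c912243, 0x7c93bbe2, 0x7c934386, 0x7c934380,
        0x7c9342ce, 0x7c91142e, 0x7c93437b, 0x7c93b999, 0x7c91176c, 0x7c9115ba,
        0x7c911633, 0x7c91062d, 0x7c91153b, 0x7c91067b, 0x7c9106ab, 0x7c93b994,
        0x7c93430c, 0x7c9111e9, 0x7c9112c4, 0x7c9113a6, 0x7c911fe8, 0x7c93bc68,
        0x7c910cab, 0x7c934396, 0x7c911555, 0x7c93bb49, 0x7c934314, 0x7c9114e5,
        0x7c93b8d5, 0x7c934370, 0x7c93bc25, 0x7c911764, 0x7c910cfa, 0x7c934375,
        0x7c912254, 0x7c9116d3, 0x7c910625, 0x7c911c58, 0x7c93bbed, 0x7c93bbb4,
        0x7c9105e3, 0x7c93bc59, 0x7c93ba63, 0x7c93ba99, 0x7c93ba66, 0x7c9324c7,
        0x7c93438b, 0x7c91182c, 0x7c9111b1, 0x7c9113b8, 0x7c911487, 0x7c9115d3,
        0x7c911484, 0x7c91170a, 0x7c910cc8, 0x7c93b922, 0x7c93bb56, 0x7c9113ce,
        0x7c93bb50, 0x7c9115ed, 0x7c9113fe, 0x7c93bc11, 0x7c911c65, 0x7c910638,
        0x7c9116c8, 0x7c912388, 0x7c912260, 0x7c911239, 0x7c934368, 0x7c9324ec,
        0x7c9105d4, 0x7c91130f, 0x7c93b99e, 0x7c91237a, 0x7c91138c, 0x7c934280,
        0x7c9116bf, 0x7c931aad, 0x7c911f8e, 0x7c911414, 0x7c911525, 0x7c9343a3,
        0x7c911c6b, 0x7c910fdc, 0x7c93b9db, 0x7c911f8a, 0x7c9106d7, 0x7c93bc1c,
        0x7c910687, 0x7c911439, 0x7c9111bb, 0x7c911f77, 0x7c910660, 0x7c93428c,
        0x7c911c76, 0x7c9115df, 0x7c93b8a2, 0x7c93bc9d, 0x7c911382, 0x7c911538,
        0x7c910609, 0x7c93bbcd, 0x7c931aa5, 0x7c9342d3, 0x7c911784, 0x7c911309,
        0x7c93436a, 0x7c911c83, 0x7c91140b, 0x7c91149e, 0x7c93b92f, 0x7c9117ae,
        0x7c93439d, 0x7c91137a, 0x7c9324e1, 0x7c93b9ac, 0x7c93b8cb, 0x7c9106e4,
        0x7c9106e6, 0x7c93268f, 0x7c93bb16, 0x7c934349, 0x7c93b88e, 0x7c911f7f,
        0x7c9113ed, 0x7c9115c4, 0x7c91b28c, 0x7c91159a, 0x7c93b9b2, 0x7c911588,
        0x7c9117c5, 0x7c91165f, 0x7c9117dd, 0x7c931ab4, 0x7c911394, 0x7c910618,
        0x7c9116a8, 0x7c911fbd, 0x7c93bb8b, 0x7c911503, 0x7c911501, 0x7c91066e,
        0x7c911792, 0x7c931acb, 0x7c911158, 0x7c910fca, 0x7c93ba38, 0x7c91179c,
        0x7c911315, 0x7c910cb6, 0x7c91185e, 0x7c910c67, 0x7c911c8c, 0x7c910c61,
        0x7c93bb3e, 0x7c93b883, 0x7c91220d, 0x7c93b9de, 0x7c93bae5, 0x7c911596,
        0x7c9106b8, 0x7c9114a7, 0x7c93b8c0, 0x7c9113dc, 0x7c93bb37, 0x7c9115c0,
        0x7c911645, 0x7c9106eb, 0x7c912356, 0x7c93ba3e, 0x7c910666, 0x7c9122dc,
        0x7c931ac1, 0x7c93b903, 0x7c9324fe, 0x7c911241, 0x7c93b953, 0x7c910744,
        0x7c93b90e, 0x7c931a6b, 0x7c91139e, 0x7c911253, 0x7c911324, 0x7c9122e8,
        0x7c911320, 0x7c9115a4,
    ]
    unexpected = 0
    for a in bb:
        imm.log(" (0x%08x, 0x%08x )" % (a[0], a[1]))
        # Same operation as the old del ida[ida.index(x)], minus the crash
        # when immlib finds a block start the reference list does not have.
        try:
            ida.remove(a[0])
        except ValueError:
            unexpected += 1
            imm.log(" (block start not in reference list)", address=a[0])
    imm.log("BB size: %d" % len(bb))
    imm.log("Resto:  %d" % len(ida))
    if unexpected:
        imm.log("Not in reference list: %d" % unexpected)
    # Remaining entries are reference blocks immlib did not recover.
    for a in ida:
        op = imm.disasmBackward(a)
        imm.log(" -> 0x%08x %s" % (a, str(op.isCall())), address=a)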