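def test_vdb_stalker(self):
    """Stalker smoke test: seed one entry at this platform's breakpoint symbol,
    run the tracee to exit and expect more than two recorded hits.

    Reads ``self.trace`` (a vtrace trace) and the module-level ``breakpoints``
    mapping (platform name -> symbol expression).
    """
    plat = self.trace.getMeta('Platform')
    symname = breakpoints.get(plat)
    # Fail with a clear message instead of handing None to parseExpression.
    self.assertIsNotNone(symname, 'no stalker breakpoint symbol for platform %r' % plat)
    # parseExpression resolves the symbol string to an address in the tracee.
    entry = self.trace.parseExpression(symname)
    v_stalker.addStalkerEntry(self.trace, entry)
    self.runUntilExit()
    hits = v_stalker.getStalkerHits(self.trace)
    # Compare the hit *count*, not the container: a sized container compared
    # against an int is always true on Python 2 and a TypeError on Python 3.
    self.assertTrue(len(hits) > 2)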
def test_vdb_stalker(self):
    """Seed the stalker with this platform's breakpoint symbol, run the tracee
    to completion and check that more than two hits were recorded.

    Uses ``self.trace`` and the module-level ``breakpoints`` mapping.
    """
    tracer = self.trace
    platform = tracer.getMeta('Platform')
    symbol = breakpoints.get(platform)
    # Resolve the symbolic expression to a concrete address inside the tracee.
    start_va = tracer.parseExpression(symbol)
    v_stalker.addStalkerEntry(tracer, start_va)
    self.runUntilExit()
    hit_count = len(v_stalker.getStalkerHits(tracer))
    self.assertTrue(hit_count > 2)
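def load_binary(filepath, base=None):
    """Run *filepath* under vtrace, follow the child it spawns through
    CreateProcessA, stalk a fixed address in that child and dump the hits.

    Args:
        filepath: path of the executable to launch.
        base: accepted for interface compatibility; not used by this function.

    Side effects: launches the target, prints progress to stdout and writes
    ``zTest.stalk`` in the current working directory.
    """
    # Get the current trace object from vtrace
    trace = vtrace.getTrace()
    trace.setMode("FastBreak", True)
    # If attempting to attach to a 64 bit process
    # 64 bit python is required.
    trace.execute(filepath)

    # Call a function to set BP on OEP
    oep = v_api.getOEP(trace, filepath)
    print("OEP: %x" % oep)

    #######################################################################
    # Add a breakpoint on CreateProcessA, run until it is hit, then re-home
    # the trace onto the child process that call creates.
    pattern = "kernel32.CreateProcessA"
    v_api.setBpOnPattern(trace, pattern)
    trace.run()
    trace = v_api.followCreateProcessA(trace)

    ##########################################################
    # Stalker
    # A fixed address is used here since the child process doesn't start
    # at the parent's OEP.
    # NOTE(review): this value is sample-specific; confirm it matches the
    # binary being loaded.
    addr = 0x004015ac
    try:
        v_stalker.addStalkerEntry(trace, addr)
    except Exception as e:
        # Best-effort as before, but no longer report success on failure
        # (the previous bare except swallowed the error silently).
        print('Failed to add 0x%.8x to Stalker list: %s' % (addr, e))
    else:
        print('Added 0x%.8x to Stalker list' % addr)

    ######################################################################
    ## Beyond this point the debugger is attached to the child process ##
    trace.setMode("FastBreak", True)
    while trace.isAttached():
        trace.run()

    # Dump every stalker hit, one per line, echoing each to stdout.  The file
    # stays binary-mode (byte-identical output); lines are encoded explicitly
    # so the write is valid under both Python 2 and 3, and the context
    # manager closes the file even if a hit fails to format.
    with open("zTest.stalk", "wb") as f:
        for hitva in v_stalker.getStalkerHits(trace):
            print('\t 0x%.8x' % hitva)
            f.write(('\t 0x%.8x\n' % hitva).encode('ascii'))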
def run(self):
    """Launch the hard-coded netcat listener under vtrace, stalk one fixed
    address until the process detaches, then ship the pickled hit list through
    ``self.sendResults``.
    """
    tracer = vtrace.getTrace()
    tracer.execute("c:\\nc.exe -l -p 4040")
    tracer.setMode("RunForever", True)
    # Library-load notifications are delivered to a libnotify instance.
    tracer.registerNotifier(vtrace.NOTIFY_LOAD_LIBRARY, libnotify())
    stalker.addStalkerEntry(tracer, 0x00403047)
    while tracer.isAttached():
        tracer.run()
    hit_list = stalker.getStalkerHits(tracer)
    for va in hit_list:
        print("+ hit: %08x" % va)
    # pickle is the format sendResults() carries; whatever receives this must
    # only unpickle data from a source it trusts, since pickle.loads runs code.
    self.sendResults(pickle.dumps(hit_list))
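def executeTrace(self, cmdline, startVA):
    """Run *cmdline* under vtrace, stalk from *startVA* until the process
    detaches, then send the pickled hit list through ``self.sendResults``.

    Args:
        cmdline: command line handed to ``trace.execute``.
        startVA: stalker entry address, either a hex string (as before) or
            an already-numeric value.

    Side effects: sets ``self.trace``, prints progress to stdout and calls
    ``self.sendResults``.
    """
    import vtrace
    import vdb.stalker as stalker

    print("[*] executeTrace: %s %s" % (cmdline, startVA))
    # Parse the address *before* launching the target so a malformed value
    # fails here rather than after the process is already running.  An int
    # is accepted as well as the historical hex string.
    try:
        entry = int(startVA, 16)
    except TypeError:
        entry = int(startVA)
    self.trace = vtrace.getTrace()
    self.trace.execute(cmdline)
    self.trace.setMode("RunForever", True)
    stalker.addStalkerEntry(self.trace, entry)
    while self.trace.isAttached():
        self.trace.run()
    hits = stalker.getStalkerHits(self.trace)
    for hit in hits:
        print("[*] hit: %08x" % hit)
    # pickle is the format sendResults() carries; whatever receives this must
    # only unpickle data from a source it trusts, since pickle.loads runs code.
    self.sendResults(pickle.dumps(hits))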
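def load_binary(filepath, base=None):
    """Run *filepath* under vtrace, stalk from its original entry point and
    dump the recorded hits once the process detaches.

    Args:
        filepath: path of the executable to launch.
        base: accepted for interface compatibility; not used by this function.

    Side effects: launches the target, prints progress to stdout and writes
    ``zTest.stalk`` in the current working directory.
    """
    # Get the current trace object from vtrace
    trace = vtrace.getTrace()
    trace.setMode("FastBreak", True)
    # If attempting to attach to a 64 bit process
    # 64 bit python is required.
    trace.execute(filepath)

    # Call a function to set BP on OEP
    oep = v_api.getOEP(trace, filepath)
    print("OEP: %x" % oep)

    ##########################################################
    # Stalker: start at the OEP resolved above.
    addr = oep
    try:
        v_stalker.addStalkerEntry(trace, addr)
    except Exception as e:
        # Best-effort as before, but no longer report success on failure
        # (the previous bare except swallowed the error silently).
        print('Failed to add 0x%.8x to Stalker list: %s' % (addr, e))
    else:
        print('Added 0x%.8x to Stalker list' % addr)

    ######################################################################
    ## Beyond this point the debugger is attached to the child process ##
    trace.setMode("FastBreak", True)
    while trace.isAttached():
        trace.run()

    # Dump every stalker hit, one per line, echoing each to stdout.  The file
    # stays binary-mode (byte-identical output); lines are encoded explicitly
    # so the write is valid under both Python 2 and 3, and the context
    # manager closes the file even if a hit fails to format.
    with open("zTest.stalk", "wb") as f:
        for hitva in v_stalker.getStalkerHits(trace):
            print('\t 0x%.8x' % hitva)
            f.write(('\t 0x%.8x\n' % hitva).encode('ascii'))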