def add_breakpoint(guid: Guid, event: Event):
    """
    Add a software break point on ntdll!EtwEventWrite
    And set a condition on event id and event provider

    The condition is IDA Python source that the debugger evaluates on every
    hit of the breakpoint.  It reads two bytes at RDX as the event id and
    sixteen bytes at ``(RCX & 0xFFFFFFFFFFFF) + 0x20`` as the provider GUID
    (NOTE(review): the register-to-argument mapping and the 0x20 offset are
    not explained here — presumably the x64 EtwEventWrite calling convention
    and the layout of the registration handle; confirm against the loader).

    Args:
        guid: provider identity.  ``guid.raw`` is spliced into the condition
            source as a literal and compared with the bytes read from memory;
            ``guid`` itself is only spliced into the log message.
        event: ``event.event_id`` is spliced into the condition source as a
            literal integer.

    NOTE(review): the ``%s`` interpolation turns these values into executable
    Python text.  The comparison is only sound if ``event.event_id`` is an int
    and ``guid.raw`` is a ``bytes`` value (so ``%s`` emits a ``b'...'``
    literal) — TODO confirm both types where Guid/Event are built.
    """
    bpt = idaapi.bpt_t()
    # Symbolic breakpoint on the exported function name, resolved by IDA
    # once ntdll is loaded.
    bpt.set_sym_bpt("ntdll_EtwEventWrite", 0)
    # The doubled braces ``{{%s}}`` survive %-formatting as ``{...}`` in the
    # generated f-string, so the GUID prints inside literal braces.
    bpt.condition = textwrap.dedent("""
        import idaapi
        import idc
        rdx = idaapi.regval_t()
        idaapi.get_reg_val('RDX',rdx)
        event_id = int.from_bytes(idc.get_bytes(rdx.ival, 2), "little")
        rcx = idaapi.regval_t()
        idaapi.get_reg_val('RCX',rcx)
        provider_guid = idc.get_bytes((rcx.ival & 0xFFFFFFFFFFFF) + 0x20, 16)
        if event_id == %s and provider_guid == %s:
            print(f"[ETWBreaker] break on Provider {{%s}} EventId ({event_id})")
            return True
        else:
            return False
    """ % (event.event_id, guid.raw, guid))
    bpt.elang = "Python"
    # Return value of add_bpt (success flag) is not checked here.
    idaapi.add_bpt(bpt)
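def set(self, break_p=False):
    """Place (or re-arm) a software breakpoint at ``self.address`` and attach
    this object's condition script to it.

    Args:
        break_p: kept for interface compatibility; it is not read.

    Returns:
        True when the breakpoint descriptor could be read back from IDA and
        the condition/elang update was accepted; False when IDA reported no
        breakpoint at ``self.address`` (the condition is then not applied
        rather than being pushed on a blank descriptor).
    """
    idaapi.add_bpt(self.address, 0, idc.BPT_SOFT)
    idaapi.enable_bpt(self.address, True)
    # Re-read the live descriptor so elang/condition are attached to the
    # breakpoint IDA actually holds, not to an empty bpt_t.
    bpt = idaapi.bpt_t()
    if not idaapi.get_bpt(self.address, bpt):
        return False
    # The condition text is executed by IDA on every hit, in the language
    # named by elang.
    bpt.elang = self.elang
    bpt.condition = self.condition.get_text()
    return bool(idaapi.update_bpt(bpt))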
def set_qira_address(la):
    """Move the single QIRA breakpoint to linear address ``la``.

    Any breakpoint left at the previous ``qira_address`` (module global) is
    removed first; the new one is added as a software breakpoint and left
    disabled.
    """
    global qira_address
    previous = qira_address
    if previous is not None and previous != BADADDR:
        # Clear the breakpoint at the old location before moving on.
        idaapi.del_bpt(idaapi.toEA(0, previous))
    qira_address = la
    idaapi.add_bpt(la, 0, BPT_SOFT)
    EnableBpt(la, False)
def AddBp(self, base0_addr, addr):
    """Ask the WinDbg side to set a breakpoint and mirror it in IDA.

    Proceeds only while key 0x4a is held down (presumably a hotkey gate —
    confirm).  The request written to the shared mmap is the tag ``'a'``
    followed by ``base0_addr`` packed as little-endian 32-bit; on a positive
    response ``addr`` is appended to ``self.bp_list`` and a software
    breakpoint is added and enabled there.  On failure the mmap is cleared
    with a NUL byte.
    """
    if is_key_down(0x4a) == 0:
        return
    # todo handle 64bit -- '<L' raises struct.error for values above 32 bits.
    request = 'a' + struct.pack('<L', base0_addr)
    WriteToBeginningOfMmap(self.bps_shared_memory, request)
    if not self.GetWindbgResponse('a'):
        print("Failed to add the Breakpoint on WinDbg, try Breaking before adding a Bp")
        WriteToBeginningOfMmap(self.bps_shared_memory, "\x00")
        return
    self.bp_list.append(addr)
    idaapi.add_bpt(addr, 0, BPT_SOFT)
    EnableBpt(addr, True)
    print("sent ", 'a' + hex(base0_addr), "to WinDbg")
def set_qira_address(self, sea):
    """Relocate this plugin's QIRA breakpoint to ``sea``.

    If a breakpoint exists at the previous ``self.qira_address`` it is
    deleted first.  The new software breakpoint is added disabled.  When the
    module-level ``DEBUG`` flag is set, the new address is logged.
    """
    old = self.qira_address
    if old is not None and old != idc.BADADDR:
        old_ea = idaapi.toEA(0, old)
        # CheckBpt returns -1 when no breakpoint is present; only delete a real one.
        if idc.CheckBpt(old_ea) != -1:
            idaapi.del_bpt(old_ea)
    self.qira_address = sea
    idaapi.add_bpt(sea, 0, idaapi.BPT_SOFT)
    idc.EnableBpt(sea, False)
    if DEBUG:
        idaapi.msg("[%s] set_qira_address: 0x%x\n" % (self.wanted_name, sea))
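def iatCallback(addr, name, ord):
    """Toggle software breakpoints on every call site of the import ``name``.

    Callback for ``enum_import_names``: IDA passes the IAT slot ``addr``, the
    import ``name`` and its ordinal (``ord`` is unused but the callback
    signature requires it, so the builtin is shadowed deliberately).  Only
    names present in the module-level ``bannedList`` and not yet in
    ``checked`` are processed; a processed name is appended to ``checked``.

    Call sites are located by one of three routes, chosen by the type of the
    first matching xref to the IAT slot:
      * ``Code_Near_Call`` — code refs to the slot itself; taken at most once
        per name and sets ``codeflag = 1``.
      * ``Data_Read`` — code refs of each data ref to the slot; only while
        ``codeflag`` is still 0.
      * ``Code_Near_Jump`` — the data refs are listed as GOT entries, then code
        refs of each code ref to the slot are processed; sets ``codeflag = 2``.
    Other xref types are ignored (left as a TODO in the original).

    Each located site is toggled by ``_toggle_breakpoints``, which also raises
    the module-level ``bpflag`` when it adds a breakpoint.  The three copies
    of that toggle loop in the original are folded into the helper; the third
    copy logged ``"= Added BP"`` where the others logged ``"- Added BP"``, which
    is unified here.

    Returns:
        True, always, so ``enum_import_names`` keeps enumerating.
    """
    global bpflag, codeflag, checked, bannedList
    if name in bannedList and name not in checked:
        checked.append(name)
        call_branch_done = False
        for xref in XrefsTo(addr, 0):
            kind = XrefTypeName(xref.type)
            if kind == "Code_Near_Call" and not call_branch_done:
                print("\nFound function %s in IAT at 0x%08x" % (name, addr))
                print("*** calls to %s ***" % name)
                call_branch_done = True
                codeflag = 1
                # Ref to IAT should be of type code.
                _toggle_breakpoints(CodeRefsTo(addr, 1))
            elif kind == "Data_Read" and codeflag == 0:
                print("\nFound function %s in IAT at 0x%08x" % (name, addr))
                print("*** calls to %s ***" % name)
                # Ref to IAT should be of type data; the call sites are the
                # code refs of each such data ref.
                for data_ref in DataRefsTo(addr):
                    _toggle_breakpoints(CodeRefsTo(data_ref, 1))
            elif kind == "Code_Near_Jump":
                for got_entry in DataRefsTo(addr):
                    print("\n Found function %s in GOT at 0x%08x" % (name, got_entry))
                    print("*** calls to %s ***" % name)
                # NOTE(review): the listing lost its indentation; this reads
                # the toggle pass as running once after the GOT listing.
                codeflag = 2
                for code_ref in CodeRefsTo(addr, 1):
                    _toggle_breakpoints(CodeRefsTo(code_ref, 1))
            # Any other xref type: nothing to do here (TODO compensate for them).
    return True  # Has to be here for the callback.


def _toggle_breakpoints(eas):
    """Toggle a software breakpoint at each address in ``eas``.

    An address whose breakpoint ``CheckBpt`` reports as > 0 (enabled) has it
    deleted.  Every other address — none, or a disabled one (CheckBpt == 0) —
    goes through ``add_bpt`` + ``EnableBpt``, is appended to the module-level
    ``checked`` list, and raises the module-level ``bpflag``.
    NOTE(review): for an already-present but disabled breakpoint this path
    re-enables it and still logs "Added BP" — confirm that is intended.
    """
    global bpflag
    for ea in eas:
        if CheckBpt(ea) > 0:
            idaapi.del_bpt(ea)
            print("=> 0x%08x - Deleted BP" % ea)
        else:
            idaapi.add_bpt(ea, 0, BPT_SOFT)
            EnableBpt(ea, True)
            checked.append(ea)
            print("=> 0x%08x - Added BP" % ea)
            bpflag = 1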
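def iatCallback(addr, name, ord):
    """Toggle software breakpoints on every call site of the import ``name``.

    Callback for ``enum_import_names``: IDA passes the IAT slot ``addr``, the
    import ``name`` and its ordinal (``ord`` is unused but the callback
    signature requires it, so the builtin is shadowed deliberately).  Only
    names present in the module-level ``bannedList`` and not yet in
    ``checked`` are processed; a processed name is appended to ``checked``.

    Call sites are located by one of three routes, chosen by the type of the
    first matching xref to the IAT slot:
      * ``Code_Near_Call`` — code refs to the slot itself; taken at most once
        per name and sets ``codeflag = 1``.
      * ``Data_Read`` — code refs of each data ref to the slot; only while
        ``codeflag`` is still 0.
      * ``Code_Near_Jump`` — the data refs are listed as GOT entries, then code
        refs of each code ref to the slot are processed; sets ``codeflag = 2``.
    Other xref types are ignored (left as a TODO in the original).

    Each located site is toggled by ``_toggle_breakpoints``, which also raises
    the module-level ``bpflag`` when it adds a breakpoint.  The three copies
    of that toggle loop in the original are folded into the helper; the third
    copy logged ``"= Added BP"`` where the others logged ``"- Added BP"``, which
    is unified here.

    Returns:
        True, always, so ``enum_import_names`` keeps enumerating.
    """
    global bpflag, codeflag, checked, bannedList
    if name in bannedList and name not in checked:
        checked.append(name)
        call_branch_done = False
        for xref in XrefsTo(addr, 0):
            kind = XrefTypeName(xref.type)
            if kind == "Code_Near_Call" and not call_branch_done:
                print("\nFound function %s in IAT at 0x%08x" % (name, addr))
                print("*** calls to %s ***" % name)
                call_branch_done = True
                codeflag = 1
                # Ref to IAT should be of type code.
                _toggle_breakpoints(CodeRefsTo(addr, 1))
            elif kind == "Data_Read" and codeflag == 0:
                print("\nFound function %s in IAT at 0x%08x" % (name, addr))
                print("*** calls to %s ***" % name)
                # Ref to IAT should be of type data; the call sites are the
                # code refs of each such data ref.
                for data_ref in DataRefsTo(addr):
                    _toggle_breakpoints(CodeRefsTo(data_ref, 1))
            elif kind == "Code_Near_Jump":
                for got_entry in DataRefsTo(addr):
                    print("\n Found function %s in GOT at 0x%08x" % (name, got_entry))
                    print("*** calls to %s ***" % name)
                # NOTE(review): the listing lost its indentation; this reads
                # the toggle pass as running once after the GOT listing.
                codeflag = 2
                for code_ref in CodeRefsTo(addr, 1):
                    _toggle_breakpoints(CodeRefsTo(code_ref, 1))
            # Any other xref type: nothing to do here (TODO compensate for them).
    return True  # Has to be here for the callback.


def _toggle_breakpoints(eas):
    """Toggle a software breakpoint at each address in ``eas``.

    An address whose breakpoint ``CheckBpt`` reports as > 0 (enabled) has it
    deleted.  Every other address — none, or a disabled one (CheckBpt == 0) —
    goes through ``add_bpt`` + ``EnableBpt``, is appended to the module-level
    ``checked`` list, and raises the module-level ``bpflag``.
    NOTE(review): for an already-present but disabled breakpoint this path
    re-enables it and still logs "Added BP" — confirm that is intended.
    """
    global bpflag
    for ea in eas:
        if CheckBpt(ea) > 0:
            idaapi.del_bpt(ea)
            print("=> 0x%08x - Deleted BP" % ea)
        else:
            idaapi.add_bpt(ea, 0, BPT_SOFT)
            EnableBpt(ea, True)
            checked.append(ea)
            print("=> 0x%08x - Added BP" % ea)
            bpflag = 1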
print "[+] Address of start function: 0x%08x" % (start) print "[*] Getting address of VirtualAlloc in code" virtualAllocInCode = getAddrOfFunctionInCode(API_FUNC_TO_BP_NAME) print "[+] Address in code of VirtualAlloc: 0x%08X" % (virtualAllocInCode[0]) placeForBreakPoint = idc.NextHead(virtualAllocInCode[0]) print "[+] Address to Set Breakpoint: 0x%08X" % (placeForBreakPoint) print "[+] Setting Breakpoint" idaapi.add_bpt(placeForBreakPoint, 0, idaapi.BPT_SOFT) # establecemos el breakpoint idaapi.enable_bpt(placeForBreakPoint, True) print "[+] Breakpoint set" while (1): try: idc.StartDebugger("", "", "") idc.GetDebuggerEvent(idc.WFNE_SUSP, -1) print "[+] Waiting for the start of debugger..." time.sleep(15) eax_value = idc.GetRegValue("EAX") print "[+] Value of EAX: 0x%08x" % eax_value if eax_value == VALUE_TO_GET: break