def doReverse(self, extra_back=None):
    """Reverse-execute to the previous stop via the Simics gdb monitor.

    If the PC already sits on a breakpoint, one reverse step-over is done
    first so the reverse run does not stop on this very address again; when
    that step already lands on another breakpoint, its address is returned
    without talking to the monitor.

    @param extra_back: optional argument appended to the @cgc.doReverse
                       monitor command (interpolated verbatim)
    @return: the EIP where execution stopped, or None when the step back
             failed or checkNoRev did not accept the monitor reply
    """
    print('in doReverse')
    pc_now = idaversion.get_reg_value(self.PC)
    # CheckBpt > 0: an enabled breakpoint is at the PC -- back off it first
    if idc.CheckBpt(pc_now) > 0:
        print('curAddr is %x, it is a breakpoint, do a rev step over' % pc_now)
        stepped_to = self.doRevStepOver()
        if stepped_to is None:
            return None
        print('in doReverse, did RevStepOver got addr of %x' % stepped_to)
        if idc.CheckBpt(stepped_to) > 0:
            # the single step already reached a breakpoint, nothing more to do
            print('doReverse backed to breakpoint, we are done')
            return stepped_to
    monitor_arg = '' if extra_back is None else extra_back
    command = '@cgc.doReverse(%s)' % monitor_arg
    reply = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    stop_addr = None
    # only ask for the stop address when checkNoRev accepts the reply
    if self.checkNoRev(reply):
        stop_addr = gdbProt.getEIPWhenStopped()
    self.signalClient()
    return stop_addr
def addBP(self, ea, bp_description=None):
    """
    Add a breakpoint

    @param ea: The location address to add the breakpoint
    @param bp_description: A breakpoint description
    @return: True if breakpoint was added, otherwise False. Returns -1 if an error occurred.
    """
    try:
        bp_state = idc.CheckBpt(ea)
        # NOTE(review): CheckBpt > 0 only matches an *enabled* breakpoint; a
        # disabled pre-existing one falls through to the AddBpt path below.
        if bp_state > 0:
            # Breakpoint already present: one of ours is a no-op, anything
            # else is recorded as a user breakpoint.
            if ea in self.die_db.bp_list:
                return False
            self.die_db.bp_list[ea] = (WAS_USER_BREAKPOINT, bp_description)
            return True
        # No breakpoint yet: skip excluded locations, otherwise register and set it.
        if self.is_exception_call(ea):
            return False
        # TODO: better replace with a named tuple.
        self.die_db.bp_list[ea] = (0, bp_description)
        idc.AddBpt(ea)
        return True
    except Exception as ex:
        self.logger.exception("Could not add breakpoint: %s", ex)
        return -1
def MyReadFile(self):
    """
    Monitors the beginning of the ReadFile function.

    The ReadFile arguments are read from the stack; this is the function that
    triggers the trace.  The values MyReadFileEnd needs are stashed in
    self.tempStack.

    BOOL WINAPI ReadFile(
        _In_        HANDLE       hFile,
        _Out_       LPVOID       lpBuffer,
        _In_        DWORD        nNumberOfBytesToRead,
        _Out_opt_   LPDWORD      lpNumberOfBytesRead,
        _Inout_opt_ LPOVERLAPPED lpOverlapped
    );
    """
    log = self.logger.info
    # Util.GetData offsets: 0x0 is the return address, 0x4.. the arguments.
    hFile = Util.GetData(0x4)
    log("hFile is 0x%x" % (hFile))
    lpBuffer = Util.GetData(0x8)
    log("lpBuffer is 0x%x" % (lpBuffer))
    nNumberOfBytesToRead = Util.GetData(0xC)
    log("nNumberOfBytesToRead value is 0x%x" % (nNumberOfBytesToRead))
    lpNumberOfBytesRead = Util.GetData(0x10)
    log("lpNumberOfBytesRead value is 0x%x" % (lpNumberOfBytesRead))
    lpOverlapped = Util.GetData(0x14)
    log("lpOverlapped is 0x%x" % (lpOverlapped))
    retAddr = Util.GetData(0x0)
    # NOTE(review): this subtracts the size of the item *at* retAddr, not of
    # the preceding call instruction -- verify it really yields the caller.
    callerAddr = retAddr - idc.ItemSize(retAddr)
    self.tempStack = [
        lpBuffer,
        lpNumberOfBytesRead,
        hFile,
        callerAddr,
        "ReadFile",
        idc.GetCurrentThreadId(),
    ]
    if hFile in self.handleSet:
        msg = "Ready to read from handle 0x%x" % hFile
        log(msg)
        Print(msg)
        # stop again on return; the condition hands control to MyReadFileEnd
        idc.AddBpt(retAddr)
        idc.SetBptCnd(retAddr, "windowsFileIO.MyReadFileEnd()")
    elif idc.CheckBpt(retAddr) >= 0:
        # a breakpoint (enabled or not) is left over from an earlier call
        log("Removing un-needed ReadFile breakpoint.")
        Print("Removing un-needed ReadFile breakpoint.")
        idc.DelBpt(retAddr)
    return 0
def WSOCK32Bind(self):
    """
    Monitors the beginning of bind(); the arguments are read from the stack.

    int bind(
        _In_ SOCKET                s,
        _In_ const struct sockaddr *name,
        _In_ int                   namelen
    );

    struct sockaddr_in {
        short          sin_family;
        u_short        sin_port;
        struct in_addr sin_addr;
        char           sin_zero[8];
    };

    When the bound port is listed in self.filter['network'], a non-breaking
    breakpoint on the return address routes to windowsNetworkIO.checkBindEnd().
    """
    log = self.logger.info
    s = Util.GetData(0x4)
    log("WSOCK32Bind: SOCKET is 0x%x" % (s))
    sockaddr_name = Util.GetData(0x8)
    log("WSOCK32Bind: sockaddr_name is 0x%x" % (sockaddr_name))
    # sin_port sits 2 bytes into sockaddr_in, in network (big-endian) byte order.
    # NOTE(review): the debugger read is not checked; a failed read would make
    # struct.unpack raise here.
    raw_port = idaapi.dbg_read_memory(sockaddr_name + 0x2, 2)
    portName = str(struct.unpack(">H", raw_port)[0])
    log("WSOCK32Bind: port value is %s" % (portName))
    namelen = Util.GetData(0xC)
    log("WSOCK32Bind: namelen value is %d" % (namelen))
    retAddr = Util.GetData(0x0)
    Print(self.filter['network'])
    if portName in self.filter['network']:
        self.tempStack = [s, portName]
        idc.AddBpt(retAddr)
        # BPT_BRK = 0: do not suspend, let the condition callback run instead
        idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
        idc.SetBptCnd(retAddr, "windowsNetworkIO.checkBindEnd()")
        log(
            "WSOCK32Bind: Netork Filter matched. Adding port to the Handle's dictionary to start logging."
        )
        Print(
            "Filter matched. Add handle to the handle's dictionary to start logging."
        )
    else:
        if idc.CheckBpt(retAddr) >= 0:
            Print("Removing un-needed breakpoint.")
            log("WSOCK32Bind: Removing un-needed breakpoint.")
            idc.DelBpt(retAddr)
        log("WSOCK32Bind: Network Filter did not match.")
    return 0
def __init__(self, addr, size=None):
    """Create an IDA breakpoint at *addr* and register it in all_breakpoint.

    @param addr: address of the breakpoint
    @param size: breakpoint size; defaults to the class attribute BP_SIZE
    @raise ValueError: a breakpoint already exists at addr, or IDA refused
                       to create one
    """
    bp_size = self.BP_SIZE if size is None else size
    self.addr = addr
    # refuse to stack two breakpoints on the same address
    if idc.CheckBpt(self.addr) != idc.BPTCK_NONE:
        raise ValueError("There is already a breakpoint at {0}".format(hex(self.addr)))
    if not idc.AddBptEx(addr, bp_size, self.BP_TYPE):
        raise ValueError("Failed to create breakpoint at {0}".format(hex(self.addr)))
    # The condition is Python code that looks this object up in the
    # module-level registry and calls its trigger() on every hit.
    self._set_elang("Python")
    self._set_condition("return breakpoint.all_breakpoint[{0}].trigger()".format(self.addr))
    all_breakpoint[self.addr] = self
def disableAllBpts(exempt):
    """Disable every enabled breakpoint except *exempt*.

    @param exempt: address to leave enabled, or None to disable all of them
    @return: list of the addresses that were disabled by this call
    """
    disabled = []
    for idx in range(idc.GetBptQty()):
        ea = idc.GetBptEA(idx)
        # CheckBpt > 0: breakpoint exists and is enabled
        if idc.CheckBpt(ea) <= 0:
            continue
        if exempt is not None and exempt == ea:
            continue
        disabled.append(ea)
        idc.EnableBpt(ea, False)
    return disabled
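def setBreakAtStart(self):
    ''' keep from reversing past start of process

    Sets a breakpoint on the _start symbol if none is there yet.

    @return: the address of _start as reported by LocByName (BADADDR when
             the symbol is unknown)
    '''
    addr = LocByName("_start")
    # LocByName reports a missing symbol as BADADDR, not None; without this
    # check the else branch was unreachable and AddBpt was asked for BADADDR.
    if addr is not None and addr != idc.BADADDR:
        # CheckBpt < 0: no breakpoint at this address yet
        if idc.CheckBpt(addr) < 0:
            print('breakAtStart bpt set at 0x%x' % addr)
            idc.AddBpt(addr)
    else:
        print('setBreakAtStart, got no loc for _start')
    return addr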
def doReverse(self, extra_back=None):
    """Reverse-execute to the previous stop via the Simics gdb monitor.

    If the PC already sits on a breakpoint, one reverse step-over is done
    first so the reverse run does not stop on this very address again; when
    that step already lands on another breakpoint, its address is returned
    without talking to the monitor.

    @param extra_back: optional argument appended to the @cgc.doReverse
                       monitor command (interpolated verbatim)
    @return: the EIP reported by gdbProt.getEIPWhenStopped()
    """
    print('in doReverse')
    pc_now = idc.GetRegValue(self.PC)
    # CheckBpt > 0: an enabled breakpoint is at the PC -- back off it first
    if idc.CheckBpt(pc_now) > 0:
        print('curAddr is %x, it is a breakpoint, do a rev step over' % pc_now)
        # NOTE(review): the step result is used unchecked; a None return
        # would make the %x format below raise.
        stepped_to = self.doRevStepOver()
        print('in doReverse, did RevStepOver got addr of %x' % stepped_to)
        if idc.CheckBpt(stepped_to) > 0:
            # the single step already reached a breakpoint, nothing more to do
            print('doReverse backed to breakpoint, we are done')
            return stepped_to
    monitor_arg = '' if extra_back is None else extra_back
    command = '@cgc.doReverse(%s)' % monitor_arg
    # the monitor reply itself is not inspected in this variant
    gdbProt.Evalx('SendGDBMonitor("%s");' % command)
    stop_addr = gdbProt.getEIPWhenStopped()
    self.signalClient()
    return stop_addr
def setAndDisable(addr):
    """Ensure an enabled breakpoint at *addr*, then disable every other one.

    @param addr: address that must carry an enabled breakpoint afterwards
    @return: (previous CheckBpt state of addr, list of addresses disabled)
             The state lets the caller undo this later: < 0 meant there was
             no breakpoint, 0 meant it existed but was disabled.
    """
    previous_state = idc.CheckBpt(addr)
    if previous_state < 0:
        # nothing there yet: create one
        idc.AddBpt(addr)
    elif previous_state == 0:
        # present but disabled: switch it on
        idc.EnableBpt(addr, True)
    # an already-enabled breakpoint is used as-is; now silence all the others
    disabled = disableAllBpts(addr)
    return previous_state, disabled
def check_bpt(bptEA):
    """Query the breakpoint state at *bptEA* across IDA SDK versions.

    SDKs up to 6.99 only expose idc.CheckBpt; newer ones provide
    ida_dbg.check_bpt.  The chosen function's result is returned unchanged.
    """
    use_legacy_api = idaapi.IDA_SDK_VERSION <= 699
    query = idc.CheckBpt if use_legacy_api else ida_dbg.check_bpt
    return query(bptEA)
def state(self):
    """Return IDA's breakpoint state for self.addr (the raw idc.CheckBpt value)."""
    bp_state = idc.CheckBpt(self.addr)
    return bp_state
def MyCreateFileW(self):
    """
    Monitors the beginning of the CreateFileW function.

    The CreateFileW arguments are read from the stack.  When the file's
    base name is listed in self.filter['file'], a non-breaking breakpoint on
    the return address routes to windowsFileIO.MyCreateFileWEnd().

    HANDLE WINAPI CreateFileW(
        _In_     LPCTSTR               lpFileName,
        _In_     DWORD                 dwDesiredAccess,
        _In_     DWORD                 dwShareMode,
        _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
        _In_     DWORD                 dwCreationDisposition,
        _In_     DWORD                 dwFlagsAndAttributes,
        _In_opt_ HANDLE                hTemplateFile
    );
    """
    log = self.logger.info
    lpFileName = Util.GetData(0x4)
    log("MyCreateFileW lpFileName is 0x%x" % lpFileName)
    # NOTE(review): the second Util.Read argument presumably selects a
    # wide-char read for the LPCTSTR -- confirm against Util.
    filePath = "".join(Util.Read(lpFileName, 2))
    log("filePath is %s" % filePath)
    dwDesiredAccess = Util.GetData(0x8)
    log("dwDesiredAccess is 0x%x" % (dwDesiredAccess))
    dwShareMode = Util.GetData(0xC)
    log("dwShareMode value is 0x%x" % (dwShareMode))
    lpSecurityAttributes = Util.GetData(0x10)
    log("lpSecurityAttributes value is 0x%x" % (lpSecurityAttributes))
    dwCreationDisposition = Util.GetData(0x14)
    log("dwCreationDisposition value is 0x%x" % (dwCreationDisposition))
    # read for completeness; neither value is used below
    dwFlagsAndAttributes = Util.GetData(0x18)
    hTemplateFile = Util.GetData(0x1C)
    # the filter is keyed on the base name only, not the full path
    fileName = os.path.basename(filePath)
    log("The filename is %s" % fileName)
    retAddr = Util.GetData(0x0)
    if fileName in self.filter['file']:
        idc.AddBpt(retAddr)
        # BPT_BRK = 0: do not suspend, let the condition callback run instead
        idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
        idc.SetBptCnd(retAddr, "windowsFileIO.MyCreateFileWEnd()")
        log(
            "Filter matched. Add handle to the handle's dictionary to start logging."
        )
        Print(
            "Filter matched. Add handle to the handle's dictionary to start logging."
        )
    else:
        if idc.CheckBpt(retAddr) >= 0:
            Print("Removing un-needed breakpoint.")
            log("Removing un-needed breakpoint.")
            idc.DelBpt(retAddr)
        log("Filter did not match.")
    return 0
# (tail of a handler-dispatch method whose beginning is not shown here:
#  retval is the handler's return value, retaddr the return address to resume at)
# If a string type was returned by the handler, place the string in memory and return a pointer
# NOTE(review): type(retval) == type("") and == True/False comparisons are
# unidiomatic (isinstance / is); left as-is here.
if type(retval) == type(""):
    retval = self.idbm.malloc(retval)
# Map python's True and False to 1 and 0 repsectively
elif retval == True:
    retval = 1
elif retval == False:
    retval = 0
self.cpu.ReturnValue(retval)
self.cpu.ProgramCounter(retaddr)
self.cpu.StackCleanup()
# Since the PC register is manually manipulated, a breakpoint set on the return
# address won't be triggered. In this case, make sure we pause the process manually.
# CheckBpt > 0: an enabled breakpoint sits at the new PC.
if idc.CheckBpt(self.cpu.ProgramCounter()) > 0:
    idc.PauseProcess()
return 0

def RegisterDefaultHandler(self, handler):
    '''
    Register a default "catch-all" handler.

    @handler - Method/function handler.

    Returns None.
    '''
    # stored on the instance; consumers of DEFAULT_HANDLER are outside this view
    self.DEFAULT_HANDLER = handler

# (definition continues beyond the end of this listing)
def UnregisterDefaultHandler(self):