def StateShot(): idc.RefreshDebuggerMemory() project = load_project() mem = SimSymbolicIdaMemory(memory_backer=project.loader.memory, permissions_backer=None, memory_id="mem") state = project.factory.blank_state(plugins={"memory": mem}) for reg in sorted(project.arch.registers, key=lambda x: project.arch.registers.get(x)[1]): if reg in ("sp", "bp", "ip"): continue try: setattr(state.regs, reg, idc.GetRegValue(reg)) except: pass ## inject code to get brk if we are on linux x86/x86_64 if project.simos.name == "Linux": if project.arch.name in ("AMD64", "X86"): state.posix.set_brk(get_linux_brk()) return state
def activate(self, ctx): if regFu.isHighlightedEffective(): addr = regFu.getOffset() simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.getMemoryValue(0x%x)");' % addr) print('effective addr 0x%x value %s' % (addr, simicsString)) value = getHex(simicsString) else: highlighted = idaapi.get_highlighted_identifier() addr = getHex(highlighted) if addr is None: print('ModMemoryHandler unable to parse hex from %s' % highlighted) return simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.getMemoryValue(0x%x)");' % addr) print('addr 0x%x value %s' % (addr, simicsString)) value = getHex(simicsString) # Sample form from kernwin.hpp s = """Modify memory Address: %$ <~E~nter value:S:32:16::> """ num = Form.NumericArgument('N', value=value) ok = idaapi.AskUsingForm(s, Form.NumericArgument('$', addr).arg, num.arg) if ok == 1: print("You entered: %x" % num.value) simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.writeWord(0x%x, 0x%x)");' % (addr, num.value)) time.sleep(1) idc.RefreshDebuggerMemory()
def decrypt_n_comment(func, func_name): """ Decrypt and comment Shamoon2's strings """ data = {} for xref in XrefsTo(LocByName(func_name)): # init string_ea = search_inst(xref.frm, "push") string_op = GetOperandValue(string_ea, 0) key_ea = PrevHead(string_ea) key_op = GetOperandValue(key_ea, 0) # Call shamoon2's func res = func(string_op, key_op) # Refresh the memory for GetString function idc.RefreshDebuggerMemory() try: # Add comments MakeComm( string_ea, "key[0x{:X}] : '{:s}'".format( key_op, GetString(res, -1, ASCSTR_UNICODE))) except: continue
def signalClient(self, norev=False): start_eip = idc.GetRegValue(self.PC) #print('signalClient eip was at 0x%x, then after rev 1 0x%x call setAndDisable string is %s' % (start_eip, eip, simicsString)) if norev: idaapi.step_into() idc.GetDebuggerEvent(idc.WFNE_SUSP, -1) simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.printRegJson()");') try: regs = json.loads(simicsString) except: print('failed to get regs from %s' % simicsString) return for reg in regs: r = str(reg.upper()) if r == 'EFLAGS': r = 'EFL' #print('set %s to 0x%x' % (r, regs[reg])) idc.SetRegValue(regs[reg], r) idc.RefreshDebuggerMemory() new_eip = idc.GetRegValue(self.PC) #print('signalClient back from cont new_eip is 0x%x' % new_eip) if new_eip >= self.kernel_base: print('in kernel, run to user') self.updateStackTrace()
def allocate_rwx(size): # this is the explicit way to create an Appcall callable # see also: `Appcall.proto` VirtualAlloc = ida_idd.Appcall.typedobj("int __stdcall VirtualAlloc( int lpAddress, DWORD dwSize, DWORD flAllocationType, DWORD flProtect);") VirtualAlloc.ea = ida_name.get_name_ea(0, "kernel32_VirtualAlloc") ptr = VirtualAlloc(c.NULL, int(size), c.MEM_COMMIT, c.PAGE_EXECUTE_READWRITE) if ptr == 0: print("VirtualAlloc failed: 0x%x" % GetLastError()) raise ValueError("VirtualAlloc failed: 0x%x" % GetLastError()) idc.RefreshDebuggerMemory() return ptr
def dbg_trace(self, tid, ea): if ea >> 12 == 0x18f: self.ctx = 3 if self.ctx == 0: return 1 self.ctx -= 1 idc.RefreshDebuggerMemory() idc.MakeUnknown(ea, 20, 0) idc.MakeCode(ea) mnem = idc.GetDisasm(ea) print(hex(ea), mnem) regs = 'eax ebx ecx edx esi edi eip'.split(' ') regs = {x: idc.GetRegValue(x) for x in regs} self.ins.append(Attributize(None, mnem=mnem, **regs)) return 1
def activate(self, ctx): if regFu.isHighlightedEffective(): addr = regFu.getOffset() simicsString = gdbProt.Evalx( 'SendGDBMonitor("@cgc.getMemoryValue(0x%x)");' % addr) print('effective addr 0x%x value %s' % (addr, simicsString)) value = simicsString else: highlighted = idaapi.get_highlighted_identifier() addr = getHex(highlighted) if addr is None: print('ModMemoryHandler unable to parse hex from %s' % highlighted) return simicsString = gdbProt.Evalx( 'SendGDBMonitor("@cgc.getMemoryValue(0x%x)");' % addr) print('addr 0x%x value %s' % (addr, simicsString)) value = simicsString # Sample form from kernwin.hpp s = """Modify memory Address: %$ <~E~nter value:t40:80:50::> """ ti = idaapi.textctrl_info_t(value) ok = idaapi.AskUsingForm( s, Form.NumericArgument('$', addr).arg, idaapi.pointer(idaapi.c_void_p.from_address(ti.clink_ptr))) ''' string = Form.StringArgument(value) ok = idaapi.AskUsingForm(s, Form.NumericArgument('$', addr).arg, string.arg) ''' if ok == 1: arg = "'%s'" % ti.text.strip() print("You entered: %s <%s>" % (ti.text, arg)) cmd = "@cgc.writeString(0x%x, %s)" % (addr, arg) print cmd simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % (cmd)) time.sleep(1) idc.RefreshDebuggerMemory()
def StateShot(): global project idc.RefreshDebuggerMemory() mem = SimSymbolicIdaMemory(memory_backer=project.loader.memory, permissions_backer=None, memory_id="mem") state = project.factory.blank_state(plugins={"memory": mem}) for reg in sorted(project.arch.registers, key=lambda x: project.arch.registers.get(x)[1]): if reg in ("sp", "bp", "ip"): continue try: setattr(state.regs, reg, idc.GetRegValue(reg)) #print reg, hex(idc.GetRegValue(reg)) except: #print "fail to set register", reg pass return state
idc.AddBpt(func_end) idc.AddBpt(func_start) go(func_end) n = 0x25 buf_addr = idc.DbgDword(idautils.cpu.ebp + 0xc) data_addr = idc.DbgDword(idautils.cpu.ebp + 0x8) len_addr = idautils.cpu.ebp + 0x10 assert idc.DbgWrite(len_addr, struct.pack('<I', n)) print 'steaaart', hex(buf_addr) res = '' for i in range(n): for c in range(256): assert idc.DbgWrite(buf_addr + i, chr(c)) == 1 idc.RefreshDebuggerMemory() idautils.cpu.eip = func_start go(func_end) if idautils.cpu.edi != data_addr + n - i: print 'FOUND ONE', c print 'have ', hex(idautils.cpu.edi), hex(data_addr + n - i) res += chr(c) break else: assert 0 print 'on %d: %s' % (i, res)
def refresh_debugger_memory(): if idaapi.IDA_SDK_VERSION <= 699: return idc.RefreshDebuggerMemory() else: return ida_dbg.refresh_debugger_memory()
def checkLinuxLibs(name,ea,bCheckFileIO,bCheckNetworkIO): """ This function monitors loaded libaries for Linux If any of these libaries and functions are loaded a conditional breakpoint is set LIBC - _IO_file_fopen _IO_fread _IO_fclose @param name: The name of the loaded library @param ea: The address of the loaded library @param bCheckFileIO: Checks to see if FileIO filtering was turned on @param bCheckNetworkIO: Checks to see if NetworkIO filtering was turned on @return: None """ import idc import logging Print ("Found Libc at 0x%x" % ea) logger = logging.getLogger('IDATrace') logger.info( "Found Libc at 0x%x" % ea ) idc.RefreshDebuggerMemory() library_name = name.upper() Print( "Checking Linux for library " + library_name ) if "LIBC" in library_name: if bCheckFileIO: fopen_func = idc.LocByName("_IO_file_fopen"); if fopen_func == idc.BADADDR: logger.info( "Cannot find _IO_file_fopen" ) # "Cannot find _IO_file_fopen." else: logger.info( "We found _IO_file_fopen at 0x%x." % fopen_func ) Print( "We found _IO_file_fopen at 0x%x." % fopen_func ) idc.AddBpt(fopen_func) idc.SetBptAttr(fopen_func, idc.BPT_BRK, 0) idc.SetBptCnd(fopen_func, "linuxFileIO.My_fopen()") fread_func = idc.LocByName("_IO_fread"); if fread_func == idc.BADADDR: logger.info( "Cannot find _IO_fread" ) Print( "Cannot find _IO_fread." ) else: logger.info( "We found _IO_fread at 0x%x." % fread_func ) Print( "We found _IO_fread at 0x%x." % fread_func ) idc.AddBpt(fread_func) idc.SetBptAttr(fread_func, idc.BPT_BRK, 0) idc.SetBptCnd(fread_func, "linuxFileIO.My_fread()") fclose_func = idc.LocByName("_IO_fclose"); if fclose_func == idc.BADADDR: logger.info( "Cannot find _IO_fclose" ) Print( "Cannot find _IO_fclose." ) else: logger.info( "We found _IO_fclose at 0x%x." % fclose_func ) Print( "We found _IO_fclose at 0x%x." % fclose_func ) idc.AddBpt(fclose_func) idc.SetBptAttr(fclose_func, idc.BPT_BRK, 0) idc.SetBptCnd(fclose_func, "linuxFileIO.My_fclose()")
def checkWindowsLibs(name,ea,bCheckFileIO,bCheckNetworkIO): """ This function monitors loaded DLLs for Windows If any of these DLLs and functions are loaded a conditional breakpoint is set kernel32.dll - CreateFileW ReadFile CloseHandle WS2_32.dll - recv, bind, accept, closesocket WSOCK32.dll - recv, bind @param name: The name of the loaded DLL @param ea: The address of the loaded DLL @param bCheckFileIO: Checks to see if FileIO filtering was turned on @param bCheckNetworkIO: Checks to see if NetworkIO filtering was turned on @return: None """ import idc import logging logger = logging.getLogger('IDATrace') idc.RefreshDebuggerMemory() library_name = name.upper() if "KERNEL32" in library_name: logger.info( "Found kernel32 at 0x%x" % ea ) if bCheckFileIO: """ createFileA_func = idc.LocByName("kernel32_CreateFileA"); if createFileA_func == idc.BADADDR: logger.info( "Cannot find CreateFileA" ) else: logger.info( "We found CreateFileA at 0x%x." % createFileA_func ) idc.AddBpt(createFileA_func) idc.SetBptAttr(createFileA_func, idc.BPT_BRK, 0) idc.SetBptCnd(createFileA_func, "windowsFileIO.MyCreateFileA()") """ createFileW_func = idc.LocByName("kernel32_CreateFileW"); if createFileW_func == idc.BADADDR: logger.info( "Cannot find CreateFileW" ) else: logger.info( "We found CreateFileW at 0x%x." % createFileW_func ) idc.AddBpt(createFileW_func) idc.SetBptAttr(createFileW_func, idc.BPT_BRK, 0) idc.SetBptCnd(createFileW_func, "windowsFileIO.MyCreateFileW()") readFile_func = idc.LocByName("kernel32_ReadFile"); if readFile_func == idc.BADADDR: logger.info( "Cannot find ReadFile" ) else: logger.info( "We found ReadFile at 0x%x." % readFile_func ) idc.AddBpt(readFile_func) idc.SetBptAttr(readFile_func, idc.BPT_BRK, 0) idc.SetBptCnd(readFile_func, "windowsFileIO.MyReadFile()") closeHandle_func = idc.LocByName("kernel32_CloseHandle"); if closeHandle_func == idc.BADADDR: logger.info( "Cannot find CloseHandle" ) else: logger.info( "We found CloseHandle at 0x%x." % closeHandle_func ) idc.AddBpt(closeHandle_func) idc.SetBptAttr(closeHandle_func, idc.BPT_BRK, 0) idc.SetBptCnd(closeHandle_func, "windowsFileIO.MyCloseHandle()") elif "WS2_32" in library_name: logger.info( "Found Ws2_32 at 0x%x" % ea ) if bCheckNetworkIO: recv_func = idc.LocByName("ws2_32_recv"); if recv_func == idc.BADADDR: logger.info( "Cannot find ws2_32_recv" ) else: logger.info( "We found ws2_32_recv at 0x%x." % recv_func ) idc.AddBpt(recv_func) idc.SetBptAttr(recv_func, idc.BPT_BRK, 0) idc.SetBptCnd(recv_func, "windowsNetworkIO.checkRecv()") bind_func = idc.LocByName("ws2_32_bind"); if bind_func == idc.BADADDR: logger.info( "Cannot find ws2_32_bind" ) else: logger.info( "We found ws2_32_bind at 0x%x." % bind_func ) idc.AddBpt(bind_func) idc.SetBptAttr(bind_func, idc.BPT_BRK, 0) idc.SetBptCnd(bind_func, "windowsNetworkIO.checkBind()") accept_func = idc.LocByName("ws2_32_accept"); if accept_func == idc.BADADDR: logger.info( "Cannot find ws2_32_accept" ) else: logger.info( "We found ws2_32_accept at 0x%x." % accept_func ) idc.AddBpt(accept_func) idc.SetBptAttr(accept_func, idc.BPT_BRK, 0) idc.SetBptCnd(accept_func, "windowsNetworkIO.checkAccept()") closesocket_func = idc.LocByName("ws2_32_closesocket"); if closesocket_func == idc.BADADDR: logger.info( "Cannot find ws2_32_closesocket" ) else: logger.info( "We found ws2_32_closesocket at 0x%x." % closesocket_func ) idc.AddBpt(closesocket_func) idc.SetBptAttr(closesocket_func, idc.BPT_BRK, 0) idc.SetBptCnd(closesocket_func, "windowsNetworkIO.checkClosesocket()") elif "WSOCK32" in library_name: logger.info( "Found wsock32 at 0x%x" % ea ) if bCheckNetworkIO: """ bind_func = idc.LocByName("wsock32_bind"); if bind_func == idc.BADADDR: logger.info( "Cannot find wsock32_bind" ) else: logger.info( "We found wsock32_bind at 0x%x." % wsock32_bind ) if idc.isCode(bind_func): idc.AddBpt(bind_func) idc.SetBptAttr(bind_func, idc.BPT_BRK, 0) idc.SetBptCnd(bind_func, "windowsNetworkIO.WSOCK32Bind()") else: logger.info( "wsock32_bind at 0x%x is data not code." % bind_func ) """ recv_func = idc.LocByName("wsock32_recv") if recv_func == idc.BADADDR: logger.info( "Cannot find wsock32_recv" ) else: logger.info( "We found wsock32_recv at 0x%x." % recv_func ) if idc.isCode(recv_func): idc.AddBpt(recv_func) idc.SetBptAttr(recv_func, idc.BPT_BRK, 0) idc.SetBptCnd(recv_func, "windowsNetworkIO.WSOCK32Recv()") else: logger.info( "wsock32_recv at 0x%x is data not code." % recv_func )
def refresh(): idc.RefreshDebuggerMemory()