def __setattr__(self, name, value): """Set register value @param name: Register name (can be upper or lower) @type name: str @param value: The numeric value to put in the register @type value: int ( 0 <= value < 2**32) """ reg_name = name.upper() if not RegisterContext.offsets.has_key(reg_name): return object.__setattr__(self, name, value) if not (0<= value <= 0xffffffff): raise ValueError, "Register value must be inbetween 0 and "\ "0xFFFFFFFF" offset = RegisterContext.offsets[reg_name] reg_val = struct.pack("I", value) memorymanager.write_mem(self.base_addr + offset, reg_val)
def set_return_addr(self, new_ret_addr): """Changes the return address @param new_ret_addr: New return address @type new_ret_addr: int (0<= new_ret_addr <= 0xFFFFFFFF) """ if not (0<= new_ret_addr <= 0xffffffff): raise ValueError, "Return address must be inbetween 0 and "\ "0xFFFFFFFF" rval = struct.pack("I", new_ret_addr) return memorymanager.write_mem(self.retaddr_p, rval)
def set_return_addr(self, new_ret_addr): """Changes the return address @param new_ret_addr: New return address @type new_ret_addr: int (0<= new_ret_addr <= 0xFFFFFFFF) """ if not (0 <= new_ret_addr <= 0xffffffff): raise ValueError, "Return address must be inbetween 0 and "\ "0xFFFFFFFF" rval = struct.pack("I", new_ret_addr) return memorymanager.write_mem(self.retaddr_p, rval)
def __setattr__(self, name, value): """Set register value @param name: Register name (can be upper or lower) @type name: str @param value: The numeric value to put in the register @type value: int ( 0 <= value < 2**32) """ reg_name = name.upper() if not RegisterContext.offsets.has_key(reg_name): return object.__setattr__(self, name, value) if not (0 <= value <= 0xffffffff): raise ValueError, "Register value must be inbetween 0 and "\ "0xFFFFFFFF" offset = RegisterContext.offsets[reg_name] reg_val = struct.pack("I", value) memorymanager.write_mem(self.base_addr + offset, reg_val)
def remove(self): """Removes the hook""" if memorymanager.write_mem(self.identifier, self.original_code): logging.debug("Successfully removed hook at address %08x" % \ self.identifier) else: logging.error("Failed to remove hook at address %08x" % \ self.identifier) return False return True
def create(self, func_entry_addr, callback_function): """Creates the hook. @param func_entry_addr: The address of the function entry to hook @type func_entry_addr: int (0<= func_entry_addr < 2**32) @param callback_function: Python callback function @type callback_function: Python function with parameter (ExecutionContext) @return: C{True} on success. C{False} on failure """ if not (0 <= func_entry_addr <= 0xffffffff): raise ValueError, "Invalid function entry address <> [0, 2**32]" # read disassembly and make sure we can at least 5 consecutive bytes # longest x86 instruction is 15 bytes: # add [ds:esi+ecx*2+0x67452301], 0xEFCDAB89 code = memorymanager.read_addr(func_entry_addr, 20) save_code = "" while len(save_code) < 5: instr = pydasm.get_instruction(code, pydasm.MODE_32) if not instr: logging.warn("Cannot hook. Failed to disassemble bytes: \n" + \ binascii.hexlify(code)) return False save_code += code[:instr.length] code = code[instr.length:] # create trampoline if not self.create_trampoline( func_entry_addr, func_entry_addr + len(save_code), save_code, [1], #check locking callback_function): logging.warn("Failed to create trampoline") return False # overwrite the original code (write hook) tramp_offset = ctypes.addressof( self.trampoline) - (func_entry_addr + 5) hook_code = "\xE9" + struct.pack("I", tramp_offset) hook_code += "\x90" * (len(save_code) - 5) #hook_code = "\xeb\xfe" + hook_code if memorymanager.write_mem(func_entry_addr, hook_code): logging.debug("Successfully hooked target address %08x -> %08x" %\ (func_entry_addr, ctypes.addressof(self.trampoline))) else: logging.error("Failed to create hook at address %08x" % \ func_entry_addr) return False return True
def create(self, func_entry_addr, callback_function): """Creates the hook. @param func_entry_addr: The address of the function entry to hook @type func_entry_addr: int (0<= func_entry_addr < 2**32) @param callback_function: Python callback function @type callback_function: Python function with parameter (ExecutionContext) @return: C{True} on success. C{False} on failure """ if not (0<= func_entry_addr <= 0xffffffff): raise ValueError, "Invalid function entry address <> [0, 2**32]" # read disassembly and make sure we can at least 5 consecutive bytes # longest x86 instruction is 15 bytes: # add [ds:esi+ecx*2+0x67452301], 0xEFCDAB89 code = memorymanager.read_addr(func_entry_addr, 20) save_code = "" while len(save_code) < 5: instr = pydasm.get_instruction(code, pydasm.MODE_32) if not instr: logging.warn("Cannot hook. Failed to disassemble bytes: \n" + \ binascii.hexlify(code)) return False save_code += code[:instr.length] code = code[instr.length:] # create trampoline if not self.create_trampoline(func_entry_addr, func_entry_addr + len(save_code), save_code, [1], #check locking callback_function): logging.warn("Failed to create trampoline") return False # overwrite the original code (write hook) tramp_offset = ctypes.addressof(self.trampoline) - (func_entry_addr + 5) hook_code = "\xE9" + struct.pack("I", tramp_offset) hook_code += "\x90"*(len(save_code)-5) #hook_code = "\xeb\xfe" + hook_code if memorymanager.write_mem(func_entry_addr, hook_code): logging.debug("Successfully hooked target address %08x -> %08x" %\ (func_entry_addr, ctypes.addressof(self.trampoline))) else: logging.error("Failed to create hook at address %08x" % \ func_entry_addr) return False return True
def set_arg(self, arg_index, value): """Assumes that each parameter on the stack is 4-bytes in size. Sets the n-th of those parameters. @param arg_index: Index of function parameters @type arg_index: int @param value: The numeric value to put in the register @type value: int ( 0 <= value < 2**32) """ if not (0<= value <= 0xffffffff): raise ValueError, "Parameter must be inbetween 0 and 0xFFFFFFFF" rval = struct.pack("I", value) return memorymanager.write_mem(self.stack_params + (arg_index <<2), rval)
def set_arg(self, arg_index, value): """Assumes that each parameter on the stack is 4-bytes in size. Sets the n-th of those parameters. @param arg_index: Index of function parameters @type arg_index: int @param value: The numeric value to put in the register @type value: int ( 0 <= value < 2**32) """ if not (0 <= value <= 0xffffffff): raise ValueError, "Parameter must be inbetween 0 and 0xFFFFFFFF" rval = struct.pack("I", value) return memorymanager.write_mem(self.stack_params + (arg_index << 2), rval)