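def build_ldr_data(jitter, modules_info):
    """
    Build Loader informations using following structure:

    +0x000 Length                          : Uint4B
    +0x004 Initialized                     : UChar
    +0x008 SsHandle                        : Ptr32 Void
    +0x00c InLoadOrderModuleList           : _LIST_ENTRY
    +0x014 InMemoryOrderModuleList         : _LIST_ENTRY
    +0x01C InInitializationOrderModuleList : _LIST_ENTRY
    # dummy dll base
    +0x024 DllBase                         : Ptr32 Void

    Only the three list heads (from +0x00c on) and the dummy DllBase are
    mapped. The main PE heads the in-load and in-memory order lists,
    ntdll.dll heads the initialization-order list; every blink is 0.
    A missing main PE or ntdll.dll leaves the corresponding head zeroed
    and is reported with a warning.

    @jitter: jitter instance
    @modules_info: LoadedModules instance
    """
    # Offset of InLoadOrderModuleList: the fields before it (Length,
    # Initialized, SsHandle) are left unmapped.
    offset = 0xC
    addr = LDR_AD + peb_ldr_data_offset
    ldrdata = PEB_LDR_DATA(jitter.vm, addr)

    main_pe = modules_info.name2module.get(main_pe_name, None)
    ntdll_pe = modules_info.name2module.get("ntdll.dll", None)

    # The list heads are contiguous, so the backing page must reach the end
    # of the *last* head that gets written, not just the sum of the present
    # ones: with no main PE but an ntdll entry, the initialization-order
    # head at +0x1C still has to be mapped (the previous additive sizing
    # mapped only one ListEntry in that case and the write fell outside it).
    size = 0
    if main_pe:
        size = ListEntry.sizeof() * 2
        main_addr_entry = modules_info.module2entry[main_pe]
    else:
        log.warning("No main PE %r: in-load/in-memory order lists left empty",
                    main_pe_name)
    if ntdll_pe:
        size = ListEntry.sizeof() * 3
        ntdll_addr_entry = modules_info.module2entry[ntdll_pe]
    else:
        log.warning("No ntdll.dll: initialization-order list left empty")

    jitter.vm.add_memory_page(addr + offset, PAGE_READ | PAGE_WRITE,
                              "\x00" * size, "Loader struct")

    if main_pe:
        # The main module's entry heads both lists; the in-memory link is a
        # LIST_ENTRY embedded inside the entry, hence the field offset.
        ldrdata.InLoadOrderModuleList.flink = main_addr_entry
        ldrdata.InLoadOrderModuleList.blink = 0
        ldrdata.InMemoryOrderModuleList.flink = (
            main_addr_entry +
            LdrDataEntry.get_type().get_offset("InMemoryOrderLinks"))
        ldrdata.InMemoryOrderModuleList.blink = 0

    if ntdll_pe:
        ldrdata.InInitializationOrderModuleList.flink = (
            ntdll_addr_entry +
            LdrDataEntry.get_type().get_offset("InInitializationOrderLinks"))
        ldrdata.InInitializationOrderModuleList.blink = 0

    # Dummy DllBase right after the list heads (+0x24). NOTE(review): this
    # uses peb_ldr_data_address while the heads use LDR_AD +
    # peb_ldr_data_offset — presumably the same address; confirm, otherwise
    # the dummy pointer lands away from the structure it is meant to pad.
    jitter.vm.add_memory_page(peb_ldr_data_address + 0x24,
                              PAGE_READ | PAGE_WRITE,
                              pck32(0), "Loader struct dummy dllbase")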
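def create_modules_chain(jitter, name2module):
    """
    Create the modules entries. Those modules are not linked in this function.

    Each module gets a 0x1000-byte slot at LDR_AD + modules_list_offset +
    i * 0x1000 (i starting at 1): a partial LdrDataEntry (up to "Flags")
    at +0, the base name at +0x500 and the full path at +0x600. Names and
    paths are written as 2-byte characters by interleaving "\\x00" between
    the bytes of the string, which is only correct for 7-bit ASCII names.
    Modules whose pe instance is None are skipped with a warning.

    @jitter: jitter instance
    @name2module: dict containing association between name and its pe instance
    """
    modules_info = LoadedModules()
    base_addr = LDR_AD + modules_list_offset
    # XXXX
    # Offsets of the name and path pages inside a module's 0x1000 slot.
    # NOTE(review): a base name longer than ~126 characters would make the
    # name page overlap the path page at +0x600; how add_memory_page treats
    # overlapping pages is not visible here.
    offset_name = 0x500
    offset_path = 0x600

    for i, (fname, pe_obj) in enumerate(name2module.items(), 1):
        if pe_obj is None:
            log.warning("Unknown module: ommited from link list (%r)", fname)
            continue

        addr = base_addr + i * 0x1000
        bpath = fname.replace('/', '\\')
        bname_str = os.path.split(fname)[1].lower()
        # Poor-man's UTF-16LE: one NUL after every character, no terminator.
        bname = "\x00".join(bname_str) + "\x00"

        log.info("Add module %x %r", pe_obj.NThdr.ImageBase, bname_str)

        modules_info.add(bname_str, pe_obj, addr)

        # Allocate a partial LdrDataEntry (0-Flags); fields after Flags are
        # not backed by memory.
        jitter.vm.add_memory_page(addr, PAGE_READ | PAGE_WRITE,
                                  "\x00" * LdrDataEntry.get_offset("Flags"),
                                  "Module info %r" % bname_str)

        LdrEntry = LdrDataEntry(jitter.vm, addr)
        LdrEntry.DllBase = pe_obj.NThdr.ImageBase
        LdrEntry.EntryPoint = pe_obj.Opthdr.AddressOfEntryPoint
        LdrEntry.SizeOfImage = pe_obj.NThdr.sizeofimage
        # UNICODE_STRING-style lengths are byte counts; maxlength leaves
        # room for a 2-byte terminator.
        LdrEntry.FullDllName.length = len(bname)
        LdrEntry.FullDllName.maxlength = len(bname) + 2
        LdrEntry.FullDllName.data = addr + offset_path
        LdrEntry.BaseDllName.length = len(bname)
        LdrEntry.BaseDllName.maxlength = len(bname) + 2
        LdrEntry.BaseDllName.data = addr + offset_name

        # Name and path pages, NUL-terminated and padded.
        jitter.vm.add_memory_page(addr + offset_name, PAGE_READ | PAGE_WRITE,
                                  bname + "\x00" * 3,
                                  "Module name %r" % bname_str)
        jitter.vm.add_memory_page(addr + offset_path, PAGE_READ | PAGE_WRITE,
                                  "\x00".join(bpath) + "\x00" + "\x00" * 3,
                                  "Module path %r" % bname_str)

    return modules_info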
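def build_ldr_data(jitter, modules_info):
    """
    Build Loader informations using following structure:

    +0x000 Length                          : Uint4B
    +0x004 Initialized                     : UChar
    +0x008 SsHandle                        : Ptr32 Void
    +0x00c InLoadOrderModuleList           : _LIST_ENTRY
    +0x014 InMemoryOrderModuleList         : _LIST_ENTRY
    +0x01C InInitializationOrderModuleList : _LIST_ENTRY
    # dummy dll base
    +0x024 DllBase                         : Ptr32 Void

    Only the three list heads (from +0x00c on) and the dummy DllBase are
    mapped. The main PE heads the in-load and in-memory order lists,
    ntdll.dll heads the initialization-order list; every blink is 0.
    A missing main PE or ntdll.dll leaves the corresponding head zeroed
    and is reported with a warning.

    @jitter: jitter instance
    @modules_info: LoadedModules instance
    """
    # Offset of InLoadOrderModuleList: the fields before it (Length,
    # Initialized, SsHandle) are left unmapped.
    offset = 0xC
    addr = LDR_AD + peb_ldr_data_offset
    ldrdata = PEB_LDR_DATA(jitter.vm, addr)

    main_pe = modules_info.name2module.get(main_pe_name, None)
    ntdll_pe = modules_info.name2module.get("ntdll.dll", None)

    # The list heads are contiguous, so the backing page must reach the end
    # of the *last* head that gets written, not just the sum of the present
    # ones: with no main PE but an ntdll entry, the initialization-order
    # head at +0x1C still has to be mapped (the previous additive sizing
    # mapped only one ListEntry in that case and the write fell outside it).
    size = 0
    if main_pe:
        size = ListEntry.sizeof() * 2
        main_addr_entry = modules_info.module2entry[main_pe]
    else:
        log.warning("No main PE %r: in-load/in-memory order lists left empty",
                    main_pe_name)
    if ntdll_pe:
        size = ListEntry.sizeof() * 3
        ntdll_addr_entry = modules_info.module2entry[ntdll_pe]
    else:
        log.warning("No ntdll.dll: initialization-order list left empty")

    jitter.vm.add_memory_page(addr + offset, PAGE_READ | PAGE_WRITE,
                              "\x00" * size, "Loader struct")

    if main_pe:
        # The main module's entry heads both lists; the in-memory link is a
        # LIST_ENTRY embedded inside the entry, hence the field offset.
        ldrdata.InLoadOrderModuleList.flink = main_addr_entry
        ldrdata.InLoadOrderModuleList.blink = 0
        ldrdata.InMemoryOrderModuleList.flink = (
            main_addr_entry +
            LdrDataEntry.get_type().get_offset("InMemoryOrderLinks"))
        ldrdata.InMemoryOrderModuleList.blink = 0

    if ntdll_pe:
        ldrdata.InInitializationOrderModuleList.flink = (
            ntdll_addr_entry +
            LdrDataEntry.get_type().get_offset("InInitializationOrderLinks"))
        ldrdata.InInitializationOrderModuleList.blink = 0

    # The hand-packed pck32() version of the list heads that used to sit here
    # as a dead string literal has been dropped; the struct writes above are
    # the single source of truth for the layout.

    # Dummy DllBase right after the list heads (+0x24). NOTE(review): this
    # uses peb_ldr_data_address while the heads use LDR_AD +
    # peb_ldr_data_offset — presumably the same address; confirm, otherwise
    # the dummy pointer lands away from the structure it is meant to pad.
    jitter.vm.add_memory_page(peb_ldr_data_address + 0x24,
                              PAGE_READ | PAGE_WRITE,
                              pck32(0), "Loader struct dummy dllbase")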