Esempi in Python per EmuProcess

Esempio n. 1

File: pyemulator.py Progetto: orca-eaa5a/winx86emulator

    def load_target_proc(self, proc_obj: EmuProcess):
        _pe_ = proc_obj.parsed_pe

        if _pe_.DOS_HEADER.e_magic != struct.unpack("<H", b'MZ')[0]:  # pylint: disable=no-member
            raise Exception("Target file is not PE")

        image_base = _pe_.OPTIONAL_HEADER.ImageBase
        size_of_image = _pe_.OPTIONAL_HEADER.SizeOfImage
        ep = image_base + _pe_.OPTIONAL_HEADER.AddressOfEntryPoint
        image_pages = self.mem_manager.alloc_page(
            pid=proc_obj.pid,
            size=size_of_image,
            allocation_type=PageAllocationType.MEM_COMMIT
            | PageAllocationType.MEM_RESERVE,
            alloc_base=image_base,
            protect=PageProtect.PAGE_EXECUTE_READWRITE,
            page_type=PageType.MEM_IMAGE)
        image_base = image_pages.get_base_addr()

        proc_obj.set_image_base(image_base)
        proc_obj.set_ep(ep)

        pe_image = _pe_.get_memory_mapped_image(ImageBase=image_base)
        self.mem_manager.write_process_memory(proc_obj.pid, image_base,
                                              pe_image)

        del pe_image

Esempio n. 2

File: pyemulator.py Progetto: orca-eaa5a/winx86emulator

    def setup_emulated_dllobj(self, mod_name, proc_obj: EmuProcess):
        def igetattr(obj, attr):
            for a in dir(obj):
                if a.lower() == attr.lower():
                    return getattr(obj, a)
            raise AttributeError

        if mod_name not in sys.modules:
            mod_obj = importlib.import_module("pydll." + mod_name)
            if mod_name not in proc_obj.e_dllobj:
                proc_obj.add_e_dll_obj(mod_name,
                                       igetattr(mod_obj, mod_name)(self))
        pass

Esempio n. 3

File: pyemulator.py Progetto: orca-eaa5a/winx86emulator

    def setup_import_tab(self, proc_obj: EmuProcess):
        def rewrite_iat_table(uc, first_thunk_etry, addr):
            addr = struct.pack("I", addr)
            uc.mem_write(first_thunk_etry, addr)

        for dll in proc_obj.parsed_pe.DIRECTORY_ENTRY_IMPORT:  # pylint: disable=no-member
            dll_name = dll.dll.decode("ascii").lower().split(".")[0]
            proc_obj.set_imports(dll_name, [])
            if dll_name not in pydll.SYSTEM_DLL_BASE:
                dll_name = self.api_handler.api_set_schema(dll_name)
            try:
                dll_base = pydll.SYSTEM_DLL_BASE[dll_name]
            except:
                raise Exception("Unsupported DLL")

            for imp_api in dll.imports:
                api_name = imp_api.name.decode("ascii")
                if "msvcp" in dll_name:
                    # MS cpp runtime lib
                    if not proc_obj.pid in self.api_handler.cpp_procedure:
                        self.api_handler.cpp_procedure[proc_obj.pid] = {}
                    self.api_handler.cpp_procedure[proc_obj.pid][
                        imp_api.address] = api_name
                else:
                    if dll_name not in proc_obj.imports:
                        proc_obj.set_imports(
                            dll_name, [(api_name, dll_base + imp_api.hint)])
                    proc_obj.add_imports(dll_name,
                                         (api_name, dll_base + imp_api.hint))
                proc_obj.set_api_va_dict(dll_base + imp_api.hint,
                                         (dll_name, api_name))
                rewrite_iat_table(proc_obj.uc_eng, imp_api.address,
                                  dll_base + imp_api.hint)
        pass

Esempio n. 4

File: pyemulator.py Progetto: orca-eaa5a/winx86emulator

    def add_module_to_peb(self, proc_obj: EmuProcess, mod_name: str):
        new_ldte = ntos.LDR_DATA_TABLE_ENTRY(self.ptr_size)
        new_ldte.DllBase = pydll.SYSTEM_DLL_BASE[mod_name]
        new_ldte.Length = ntos.LDR_DATA_TABLE_ENTRY(self.ptr_size).sizeof()

        self.new_unicode_string(proc_obj, new_ldte.BaseDllName, mod_name)
        self.new_unicode_string(proc_obj, new_ldte.FullDllName,
                                "C:\\Windows\\System32\\" + mod_name + ".dll")

        pNew_ldte = self.mem_manager.alloc_heap(proc_obj.peb_heap,
                                                new_ldte.sizeof())
        list_type = ntos.LIST_ENTRY(self.ptr_size)

        # Link created list_entry to LDR_MODULE
        if not proc_obj.ldr_entries:

            pEntry, prev = proc_obj.peb.Ldr, proc_obj.peb_ldr_data

            prev.InLoadOrderModuleList.Flink = pNew_ldte
            prev.InMemoryOrderModuleList.Flink = pNew_ldte + list_type.sizeof()
            prev.InInitializationOrderModuleList.Flink = 0

        else:
            pEntry, prev = proc_obj.ldr_entries[-1]

            prev.InLoadOrderLinks.Flink = pNew_ldte
            prev.InMemoryOrderLinks.Flink = pNew_ldte + list_type.sizeof()
            prev.InInitializationOrderLinks.Flink = 0
        # Not implement Blink

        new_ldte.InLoadOrderLinks.Flink = proc_obj.peb.Ldr + 0xC
        new_ldte.InMemoryOrderLinks.Flink = proc_obj.peb.Ldr + 0xC + list_type.sizeof(
        )

        proc_obj.add_ldr_entry((pNew_ldte, new_ldte))

        proc_obj.write_mem_self(pNew_ldte, new_ldte.get_bytes())
        proc_obj.write_mem_self(pEntry, prev.get_bytes())
        proc_obj.write_mem_self(proc_obj.peb_base, proc_obj.peb.get_bytes())
        proc_obj.write_mem_self(proc_obj.peb.Ldr,
                                proc_obj.peb_ldr_data.get_bytes())

        pass

Esempio n. 5

File: pyemulator.py Progetto: orca-eaa5a/winx86emulator

    def switch_thread_context(self,
                              proc_obj: EmuProcess,
                              thread_obj: EmuThread,
                              ret=0):
        def context_switch_cb(proc_obj: EmuProcess, thread_handle):
            proc_obj.running_thread.save_context()
            proc_obj.push_waiting_queue(proc_obj.running_thread.handle)
            proc_obj.push_waiting_queue(thread_handle)
            proc_obj.uc_eng.hook_del(proc_obj.ctx_switch_hook)
            proc_obj.running_thread.suspend_thread()

        proc_obj.ctx_switch_hook = proc_obj.uc_eng.hook_add(
            UC_HOOK_CODE, self.api_handler.post_api_call_cb_wrapper,
            (proc_obj, (proc_obj, thread_obj.handle), 1, context_switch_cb))
        pass

Esempio n. 6

File: pyemulator.py Progetto: orca-eaa5a/winx86emulator

    def init_vas(self, proc_obj: EmuProcess):
        # This is actually done by ntoskrnl
        self.mem_manager.alloc_page(
            pid=proc_obj.pid,
            alloc_base=0,
            size=0x10000,
            allocation_type=PageAllocationType.MEM_RESERVE)
        peb_heap = self.mem_manager.create_heap(pid=proc_obj.pid,
                                                size=0x2000,
                                                max_size=0)
        peb_base = self.mem_manager.alloc_heap(
            peb_heap,
            ntos.PEB(self.ptr_size).sizeof())
        proc_default_heap = self.mem_manager.create_heap(pid=proc_obj.pid,
                                                         size=1024 * 1024,
                                                         max_size=1024 * 1024)

        proc_obj.set_peb_heap(peb_heap)
        proc_obj.set_peb_base(peb_base)
        proc_obj.set_proc_default_heap(proc_default_heap)

        pass

Esempio n. 7

File: pyemulator.py Progetto: orca-eaa5a/winx86emulator

 def context_switch_cb(proc_obj: EmuProcess, thread_handle):
     proc_obj.running_thread.save_context()
     proc_obj.push_waiting_queue(proc_obj.running_thread.handle)
     proc_obj.push_waiting_queue(thread_handle)
     proc_obj.uc_eng.hook_del(proc_obj.ctx_switch_hook)
     proc_obj.running_thread.suspend_thread()

Esempio n. 8

File: pyemulator.py Progetto: orca-eaa5a/winx86emulator

    def init_peb(self, proc_obj: EmuProcess):
        # create new PEB & PEB_LDR & Process Image LDR_ENTRY
        peb = ntos.PEB(self.ptr_size)
        new_ldte = ntos.LDR_DATA_TABLE_ENTRY(self.ptr_size)
        peb_ldr_data = ntos.PEB_LDR_DATA(self.ptr_size)

        peb.BeingDebugged = 0
        peb.ImageBaseAddress = proc_obj.image_base
        peb.ProcessHeap = proc_obj.proc_default_heap.get_base_addr()

        # allocate memory space for PEB and PEB_LDR & Process Image LDR_ENTRY
        peb.Ldr = self.mem_manager.alloc_heap(proc_obj.peb_heap,
                                              peb_ldr_data.sizeof())
        pNew_ldte = self.mem_manager.alloc_heap(proc_obj.peb_heap,
                                                new_ldte.sizeof())

        # setup Process Image LDR_ENTRY
        new_ldte.SizeOfImage = proc_obj.parsed_pe.OPTIONAL_HEADER.SizeOfImage
        new_ldte.DllBase = proc_obj.parsed_pe.OPTIONAL_HEADER.ImageBase
        new_ldte.LoadCount = 1

        self.new_unicode_string(proc_obj, new_ldte.BaseDllName, proc_obj.name)
        self.new_unicode_string(proc_obj, new_ldte.FullDllName, proc_obj.path)

        # link PEB_LDR and Process Image LDR_ENTRY
        size_of_list_etry = ntos.LIST_ENTRY(self.ptr_size).sizeof()
        peb_ldr_data.InLoadOrderModuleList.Flink = pNew_ldte
        peb_ldr_data.InMemoryOrderModuleList.Flink = pNew_ldte + size_of_list_etry

        new_ldte.InLoadOrderLinks.Flink = peb.Ldr + 0xC
        new_ldte.InMemoryOrderLinks.Flink = peb.Ldr + 0xC + size_of_list_etry

        proc_obj.write_mem_self(pNew_ldte, new_ldte.get_bytes())
        proc_obj.write_mem_self(peb.Ldr, peb_ldr_data.get_bytes())
        proc_obj.write_mem_self(proc_obj.peb_base, peb.get_bytes())

        proc_obj.add_ldr_entry((pNew_ldte, new_ldte))
        proc_obj.set_peb_ldr(peb_ldr_data)
        proc_obj.set_peb(peb)
        pass