if len(sys.argv) < 2:
    log("fail", "gimme prog name")
    sys.exit(-1)

# Target process
process_name = sys.argv[1]

# Some offsets for debian 2.6.32-5-486 kernel
settings = {
    "thread_size": 8192,
    "comm": 540,
    "next": 240,
    "mm": 268,
    "pgd": 36
}
os = OSFactory(OSAffinity.Linux26, settings)
hook = os.find_process_filter(process_name)

##
## Main
##
peer = "172.16.131.128:1337"
vm = VM(CPUFamily.Intel, peer)

vm.attach()
vm.stop()
vm.cpu.filter_write_cr(3, hook)

while not vm.resume():
    continue
from ramooflax.core  import VM, CPUFamily, log
from ramooflax.utils import OSFactory, OSAffinity

# create logging for this script
log.setup(info=True, fail=True)

if len(sys.argv) < 2:
    log("fail", "gimme prog name")
    sys.exit(-1)

# Target process
process_name = sys.argv[1]

# Some offsets for debian 2.6.32-5-486 kernel
settings = {"thread_size":8192, "comm":540, "next":240, "mm":268, "pgd":36}
os = OSFactory(OSAffinity.Linux26, settings)
hook = os.find_process_filter(process_name)

##
## Main
##
peer = "172.16.131.128:1337"
vm = VM(CPUFamily.Intel, peer)

vm.attach()
vm.stop()
vm.cpu.filter_write_cr(3, hook)

while not vm.resume():
    continue
Esempio n. 3
0
# to_excp    = 0x00000000c103d8bc
# from       = 0x00000000080483d7
#
# We see that eip = 0, without LBR we can't detect
# where the #PF has been triggered
# With the LBR, we can see that we come from "from"
#
from ramooflax.core  import VM, CPUFamily, CPUException, log
from ramooflax.utils import OSFactory, OSAffinity

# create logging for this script
log.setup(info=True, fail=True)

# Some offsets for debian 2.6.32-5-486 kernel
settings = {"thread_size":8192, "comm":540, "next":240, "mm":268, "pgd":36}
os = OSFactory(OSAffinity.Linux26, settings)
hook = os.find_process_filter("prog")

# Print eip on raised page fault
def pf_hook(vm):
    log("info", "Page Fault @ %#x" % vm.cpu.gpr.pc)
    return True

##
## Main
##
peer = "172.16.131.128:1337"
vm = VM(CPUFamily.Intel, peer)

vm.attach()
vm.stop()
#!/usr/bin/env python
#
# We are looking for "break" running under debian
#
from ramooflax.core  import VM, CPUFamily, log, Log
from ramooflax.utils import OSFactory, OSAffinity

# Some offsets for debian 2.6.32-5-486 kernel
#settings = {"thread_size":8192, "comm":540, "next":240, "mm":268, "pgd":36}

# Some offsets for kernel 3.4.1
settings = {"thread_size":8192, "comm":0x1cc, "next":0xc0, "mm":0xc8, "pgd":0x24}

os = OSFactory(OSAffinity.Linux26, settings)
hook = os.find_process_filter("break")

# create logging for this script
log.setup(info=(True,Log.blue), fail=(True,Log.red),
          brk=True, gdb=True, vm=True, evt=True)

##
## Main
##
peer = "172.16.131.128:1337"
vm = VM(CPUFamily.Intel, peer)

vm.attach()
vm.stop()
vm.cpu.breakpoints.add_data_w(vm.cpu.sr.tr_base+4, 4, hook)

while not vm.resume():
# create logging for this script
log.setup(info=True, fail=True)

if len(sys.argv) < 2:
    log("fail", "gimme prog name")
    sys.exit(-1)

# Target process
process_name = sys.argv[1]

# Some offsets for Windows 7 Premium FR 32 bits
settings = {"kprcb":0x20, "kthread":4,
            "eprocess":0x150, "name":0x16c,
            "cr3":0x18, "next":0xb8}

os = OSFactory(OSAffinity.Win7, settings)
hook = os.find_process_filter(process_name)

##
## Main
##
peer = "172.16.131.128:1337"
vm = VM(CPUFamily.Intel, peer)

vm.attach()
vm.stop()
vm.cpu.filter_write_cr(3, hook)

while not vm.resume():
    continue