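def parse_WinDbg(db_file, line, etree):
    """Parse one line of a WinDbg disassembly trace and record it via create_xml.

    Expected input (one line per call):
        hello!__tmainCRTStartup:    -> a label line; its first token is stored as
                                       the current thread for the lines that follow
        0040106b 6a10 push 10h      -> an instruction line: address, opcode bytes,
                                       mnemonic and operands

    Args:
        db_file: passed through unchanged to create_xml.
        line: one raw line of debugger output.
        etree: passed through unchanged to create_xml.

    Returns:
        None. Register-dump lines (eax=, eip=, cs=), blank lines and lines with
        no mnemonic are skipped; label lines only update the stored thread name.

    The current thread name is kept between calls as the function attribute
    ``parse_WinDbg.thread``. Until the first label line is seen it defaults to
    "Unknown" (the same placeholder parse_Immunity_Olly110 uses) instead of
    raising AttributeError on the first instruction line.
    """
    # '!' separates module and symbol (hello!__tmainCRTStartup:); turn it into
    # whitespace so the module name becomes its own token. '<', '>' and '&' are
    # replaced too, as parse_Immunity_Olly110 already does, because that parser
    # notes they break the XML output and the log text comes from the program
    # under analysis rather than from a trusted source.
    line = re.sub(r'[!<>&]', " ", line)
    # "hello __tmainCRTStartup:"  -> ['hello', '__tmainCRTStartup:']
    # "0040106b 6a10 push 10h"    -> ['0040106b', '6a10', 'push', '10h']
    ins_lst = line.strip().split()
    if not ins_lst:
        return
    # Register dumps printed around each step are not instructions; drop them.
    if ins_lst[0].startswith(("eax=", "eip=", "cs=")):
        return
    # A non-hex first token is a label line (hello mainCRTStartup+0x5:);
    # remember it as the thread for the instruction lines that follow.
    if not u.is_number_hex(ins_lst[0]):
        parse_WinDbg.thread = ins_lst[0]
        return
    # An instruction line needs at least address, opcode bytes and mnemonic;
    # a shorter line has no mnemonic to record, so skip it rather than crash.
    if len(ins_lst) < 3:
        return
    va = ins_lst[0]
    # ins_lst[1] is the raw opcode bytes; Virtual Deobfuscator does not use it.
    mnemonic = " ".join(ins_lst[2:])
    # WinDbg lines carry no register-effect field, so the literal "None" is stored.
    registers = "None"
    thread = getattr(parse_WinDbg, "thread", "Unknown")
    create_xml(db_file, etree, thread, va, mnemonic, registers)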
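def parse_Immunity_Olly110(db_file, line, etree):
    """Parse one line of an Immunity Debugger / OllyDbg 1.10 trace and record it via create_xml.

    Expected input (one line per call):
        00401077 Main XOR EBX,EBX ; EBX=00000000
            -> va "00401077", thread "Main", mnemonic "XOR EBX,EBX",
               registers "; EBX=00000000" (the ';' token and everything after it)
        __security_init_c MOV EDI,EDI
            -> a line whose first token is not hex (how Immunity prints API
               calls) gets the placeholder thread "Unknown" inserted after it

    Args:
        db_file: passed through unchanged to create_xml.
        line: one raw line of debugger output.
        etree: passed through unchanged to create_xml.

    Returns:
        None. Blank lines and lines too short to hold a mnemonic are skipped.
    """
    # '<', '>' and '&' would break the XML output, and the log text originates
    # from the debugged program; replace them with spaces before tokenising.
    line = re.sub(r'[\>\<\&]', " ", line)
    # "00401077 Main XOR EBX,EBX ; EBX=00000000"
    #   -> ['00401077', 'Main', 'XOR', 'EBX,EBX', ';', 'EBX=00000000']
    ins_lst = line.strip().split()
    if not ins_lst:
        return
    # Immunity omits the thread column on API-call lines; pad it so the
    # positional layout below holds.
    if not u.is_number_hex(ins_lst[0]):
        ins_lst.insert(1, 'Unknown')
    # Need address, thread and at least the mnemonic itself; a shorter line
    # would otherwise raise IndexError.
    if len(ins_lst) < 3:
        return
    va = ins_lst[0]
    thread = ins_lst[1]
    # Tokens after the mnemonic belong to it until one containing ';' is hit;
    # that token and everything after it are the register effects.
    mnemonic = ins_lst[2]
    registers = ""
    for idx, item in enumerate(ins_lst[3:], start=3):
        if ";" in item:
            registers = " ".join(ins_lst[idx:])
            break
        mnemonic += " " + item
    create_xml(db_file, etree, thread, va, mnemonic, registers)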