def parse_float_function(self, b, value, offset):
for index in range(0, len(b)):
try:
structtype, structlen = utils.type_unpack('float')
tmpval = struct.unpack(structtype, b[index:index + 4])[0]
if int(value) == int(tmpval):
soffset = offset + index
yield self.Address(soffset, 'float')
except Exception as e:
pass
def parse_float_function(self, b, value, offset):
for index in range(0, len(b)):
try:
structtype, structlen = utils.type_unpack('float')
tmpval = struct.unpack(structtype, b[index:index + 4])[0]
if int(value) == int(tmpval):
soffset = offset + index
yield self.Address(soffset, 'float')
except Exception as e:
pass
def read(self, address, type = 'uint', maxlen = 50):
if type == 's' or type == 'string':
s = self.read_bytes(int(address), bytes=maxlen)
news = ''
for c in s:
if c == '\x00':
return news
news += c
raise ProcessException('string > maxlen')
else:
if type == 'bytes' or type == 'b':
return self.read_bytes(int(address), bytes=maxlen)
s, l = utils.type_unpack(type)
return struct.unpack(s, self.read_bytes(int(address), bytes=l))[0]
def mem_search(self, value, ftype = 'match', protec = PAGE_READWRITE | PAGE_READONLY, start_offset = None, end_offset = None):
"""
iterator returning all indexes where the pattern has been found
"""
ftype = ftype.lower().strip()
if type(value) is list:
ftype = 'group'
if ftype == 're':
if type(value) is str:
regex = re.compile(value)
else:
regex = value
if start_offset is None:
offset = self.start_offset
else:
offset = start_offset
if end_offset is None:
end_offset = self.end_offset
if ftype == 'float':
structtype, structlen = utils.type_unpack(ftype)
elif ftype != 'match' and ftype != 'group' and ftype != 're':
structtype, structlen = utils.type_unpack(ftype)
value = struct.pack(structtype, value)
while True:
if offset >= end_offset:
break
totalread = 0
mbi = self.process.VirtualQueryEx(offset)
offset = mbi.BaseAddress
chunk = mbi.RegionSize
protect = mbi.Protect
state = mbi.State
if state & MEM_FREE or state & MEM_RESERVE:
offset += chunk
continue
if protec:
if not protect & protec or protect & PAGE_NOCACHE or protect & PAGE_WRITECOMBINE or protect & PAGE_GUARD:
offset += chunk
continue
b = ''
try:
b = self.process.read_bytes(offset, chunk)
totalread = len(b)
except Exception as e:
logger.warning(e)
offset += chunk
continue
if b:
if ftype == 're':
duplicates_cache = set()
for res in regex.findall(b):
index = b.find(res)
while index != -1:
soffset = offset + index
if soffset not in duplicates_cache:
duplicates_cache.add(soffset)
yield self.Address(soffset, 'bytes')
index = b.find(res, index + len(res))
elif ftype == 'float':
for index in range(0, len(b)):
try:
tmpval = struct.unpack(structtype, b[index:index + 4])[0]
if int(value) == int(tmpval):
soffset = offset + index
yield self.Address(soffset, 'float')
except Exception as e:
pass
else:
index = b.find(value)
while index != -1:
soffset = offset + index
yield self.Address(soffset, 'bytes')
index = b.find(value, index + 1)
offset += totalread
def write(self, address, data, type = 'uint'):
if type != 'bytes':
s, l = utils.type_unpack(type)
return self.write_bytes(int(address), struct.pack(s, data))
else:
return self.write_bytes(int(address), data)
def mem_search(self,
value,
ftype='match',
protec=PAGE_READWRITE | PAGE_READONLY,
optimizations=None,
start_offset=None,
end_offset=None):
"""
iterator returning all indexes where the pattern has been found
"""
# pre-compile regex to run faster
if ftype == 're' or ftype == 'groups' or ftype == 'ngroups':
# value should be an array of regex
if type(value) is not list:
value = [value]
tmp = []
for reg in value:
if type(reg) is tuple:
name = reg[0]
if type(reg[1]) != REGEX_TYPE:
regex = re.compile(reg[1], re.IGNORECASE)
else:
regex = reg[1]
elif type(reg) == REGEX_TYPE:
name = ''
regex = reg
else:
name = ''
regex = re.compile(reg, re.IGNORECASE)
tmp.append((name, regex))
value = tmp
elif ftype != 'match' and ftype != 'group' and ftype != 're' and ftype != 'groups' and ftype != 'ngroups':
structtype, structlen = utils.type_unpack(ftype)
value = struct.pack(structtype, value)
# different functions avoid if statement before parsing the buffer
if ftype == 're':
func = self.parse_re_function
elif ftype == 'groups':
func = self.parse_groups_function
elif ftype == 'ngroups':
func = self.parse_named_groups_function
elif ftype == 'float':
func = self.parse_float_function
else:
func = self.parse_any_function
if not self.process.isProcessOpen:
raise ProcessException("Can't read_bytes, process %s is not open" %
(self.process.pid))
for offset, chunk_size in self.process.iter_region(
start_offset=start_offset,
end_offset=end_offset,
protec=protec,
optimizations=optimizations):
b = ''
current_offset = offset
chunk_read = 0
chunk_exc = False
while chunk_read < chunk_size:
try:
b += self.process.read_bytes(current_offset, chunk_size)
except IOError as e:
print traceback.format_exc()
if e.errno == 13:
raise
else:
logger.warning(e)
chunk_exc = True
break
except Exception as e:
logger.warning(e)
chunk_exc = True
break
finally:
current_offset += chunk_size
chunk_read += chunk_size
if chunk_exc:
continue
if b:
for res in func(b, value, offset):
yield res
def mem_search(self,
value,
ftype='match',
protec=PAGE_READWRITE | PAGE_READONLY,
start_offset=None,
end_offset=None):
"""
iterator returning all indexes where the pattern has been found
"""
ftype = ftype.lower().strip()
if type(value) is list:
ftype = 'group'
if ftype == 're':
if type(value) is str:
regex = re.compile(value)
else:
regex = value
if ftype == 'float':
structtype, structlen = utils.type_unpack(ftype)
elif ftype != 'match' and ftype != 'group' and ftype != 're':
structtype, structlen = utils.type_unpack(ftype)
value = struct.pack(structtype, value)
for offset, chunk in self.process.iter_region(
start_offset=start_offset, end_offset=end_offset,
protec=protec):
b = ''
totalread = 0
current_offset = offset
chunk_size = 10000000
chunk_read = 0
chunk_exc = False
while chunk_read < chunk:
try:
if chunk_size > chunk:
chunk_size = chunk
b += self.process.read_bytes(current_offset, chunk_size)
totalread += chunk_size
except IOError as e:
print traceback.format_exc()
if e.errno == 13:
raise
else:
logger.warning(e)
chunk_exc = True
break
except Exception as e:
logger.warning(e)
chunk_exc = True
break
finally:
current_offset += chunk_size
chunk_read += chunk_size
if chunk_exc:
continue
if b:
if ftype == 're':
duplicates_cache = set()
for res in regex.findall(b):
index = b.find(res)
while index != -1:
soffset = offset + index
if soffset not in duplicates_cache:
duplicates_cache.add(soffset)
yield self.Address(soffset, 'bytes')
index = b.find(res, index + len(res))
elif ftype == 'float':
for index in range(0, len(b)):
try:
tmpval = struct.unpack(structtype,
b[index:index + 4])[0]
if int(value) == int(tmpval):
soffset = offset + index
yield self.Address(soffset, 'float')
except Exception as e:
pass
else:
index = b.find(value)
while index != -1:
soffset = offset + index
yield self.Address(soffset, 'bytes')
index = b.find(value, index + 1)
def mem_search(self, value, ftype = 'match', protec = PAGE_READWRITE | PAGE_READONLY, optimizations=None, start_offset = None, end_offset = None):
"""
iterator returning all indexes where the pattern has been found
"""
# pre-compile regex to run faster
if ftype == 're' or ftype == 'groups' or ftype == 'ngroups':
# value should be an array of regex
if type(value) is not list:
value = [value]
tmp = []
for reg in value:
if type(reg) is tuple:
name = reg[0]
if type(reg[1]) != REGEX_TYPE:
regex = re.compile(reg[1], re.IGNORECASE)
else:
regex=reg[1]
elif type(reg) == REGEX_TYPE:
name = ''
regex=reg
else:
name = ''
regex = re.compile(reg, re.IGNORECASE)
tmp.append((name, regex))
value = tmp
elif ftype != 'match' and ftype != 'group' and ftype != 're' and ftype != 'groups' and ftype != 'ngroups' and ftype != 'lambda':
structtype, structlen = utils.type_unpack(ftype)
value = struct.pack(structtype, value)
# different functions avoid if statement before parsing the buffer
if ftype == 're':
func = self.parse_re_function
elif ftype == 'groups':
func = self.parse_groups_function
elif ftype == 'ngroups':
func = self.parse_named_groups_function
elif ftype == 'float':
func = self.parse_float_function
elif ftype == 'lambda': # use a custm function
func = value
else:
func = self.parse_any_function
if not self.process.isProcessOpen:
raise ProcessException("Can't read_bytes, process %s is not open" % (self.process.pid))
for offset, chunk_size in self.process.iter_region(start_offset=start_offset, end_offset=end_offset, protec=protec, optimizations=optimizations):
b = ''
current_offset = offset
chunk_read = 0
chunk_exc = False
while chunk_read < chunk_size:
try:
b += self.process.read_bytes(current_offset, chunk_size)
except IOError as e:
print traceback.format_exc()
if e.errno == 13:
raise
else:
logger.warning(e)
chunk_exc=True
break
except Exception as e:
logger.warning(e)
chunk_exc = True
break
finally:
current_offset += chunk_size
chunk_read += chunk_size
if chunk_exc:
continue
if b:
if ftype=="lambda":
for res in func(b, offset):
yield res
else:
for res in func(b, value, offset):
yield res
