def test_namespaces(self): bldr = vs_builder.VStructBuilder() subb = vs_builder.VStructBuilder() bldr.addVStructNamespace('subname', subb) bldr.addVStructNamespace('dupname', subb) self.assertTrue(bldr.hasVStructNamespace('subname')) self.assertEqual(set(bldr.getVStructNamespaces()), set([('subname', subb), ('dupname', subb)])) self.assertEqual(set(bldr.getVStructNamespaceNames()), set(['subname', 'dupname'])) nested = vs_cparse.ctorFromCSource(csrc_nested) bldr.addVStructCtor('foo', nested) self.assertEqual(bldr.getVStructCtorNames(), ['foo'])
def __init__(self): """ The routine to initialize a tracer's initial internal state. This is used by the initial creation routines, AND on attaches/executes to re-fresh the state of the tracer. WARNING: This will erase all metadata/symbols (modes/notifiers are kept) """ vtrace.Notifier.__init__(self) self.pid = 0 # Attached pid (also used to know if attached) self.exited = False self.breakpoints = {} self.newbreaks = [] self.bpbyid = {} self.bpid = 0 self.curbp = None self.bplock = Lock() self.deferred = [] self.running = False self.runagain = False self.attached = False # A cache for memory maps and fd listings self.mapcache = None self.thread = None # our proxy thread... self.threadcache = None self.fds = None self.signal_ignores = [] self.localvars = {} # Set if we are RunForever until a thread exit... self._join_thread = None self._break_after_bp = True # Do we stop on the instruction *after* the bp? self._bp_saved = {} # Store the saved bytes from breakpoint mem writes self.symcache = None # Set by setSymCachePath() self.vsbuilder = vs_builder.VStructBuilder() self.psize = self.getPointerSize() # From the envi arch mod... # Track which libraries are parsed, and their # normame to full path mappings self.libloaded = {} # True if the library has been loaded already self.libpaths = {} # normname->filename and filename->normname lookup # Set up some globally expected metadata self.setMeta('PendingSignal', None) self.setMeta('SignalInfo', None) self.setMeta("IgnoredSignals", []) self.setMeta("LibraryBases", {}) # name -> base address mappings for binaries self.setMeta("LibraryPaths", {}) # base -> path mappings for binaries self.setMeta("ThreadId", 0) # If you *can* have a thread id put it here plat = platform.system().lower() rel = platform.release().lower() self.setMeta("Platform", plat) self.setMeta("Release", rel) # Use this if we are *expecting* a break # which is caused by us (so we remove the # SIGBREAK from pending_signal self.setMeta("ShouldBreak", False)
def main(argv): opts = setup().parse_args(argv) with open(opts.file, 'rb') as f: p = PE.PE(f) baseaddr = p.IMAGE_NT_HEADERS.OptionalHeader.ImageBase osmajor = p.IMAGE_NT_HEADERS.OptionalHeader.MajorOperatingSystemVersion osminor = p.IMAGE_NT_HEADERS.OptionalHeader.MinorOperatingSystemVersion machine = p.IMAGE_NT_HEADERS.FileHeader.Machine vsver = p.getVS_VERSIONINFO() archname = PE.machine_names.get(machine) parser = vt_win32.Win32SymbolParser(0xffffffff, opts.file, baseaddr) parser.parse() t = parser._sym_types.values() e = parser._sym_enums.values() builder = vs_builder.VStructBuilder(defs=t, enums=e) print('# Version: %d.%d' % (osmajor, osminor)) print('# Architecture: %s' % archname) if vsver is not None: keys = vsver.getVersionKeys() keys.sort() for k in keys: val = vsver.getVersionValue(k) print('# %s: %s' % (k, val)) print(builder.genVStructPyCode())
def initWinkernTrace(trace, kpcrva): # FIXME snap in structs depending on version import vstruct.defs.windows.win_5_1_i386.ntoskrnl as vs_w_ntoskrnl trace.vsbuilder.addVStructNamespace('nt', vs_w_ntoskrnl) # FIXME no remote! b = vs_builder.VStructBuilder() b.addVStructCtor('KDDEBUGGER_DATA64', KDDEBUGGER_DATA64) trace.vsbuilder.addVStructNamespace('winkern', b) # Create a "struct" namespace "winkern" for our custom defined structures. trace.casesens = False kpcr = trace.getStruct('nt.KPCR', kpcrva) kver = trace.getStruct('nt.DBGKD_GET_VERSION64', kpcr.KdVersionBlock) dbgdata64va = trace.readMemoryFormat(kver.DebuggerDataList & trace.bigmask, '<I')[0] dbgdata64 = KDDEBUGGER_DATA64() dbgdata64.vsParse(trace.readMemory(dbgdata64va, len(dbgdata64))) #print dbgdata64.tree(va=dbgdata64va) winver = win_builds.get(kver.MinorVersion) if winver == None: winver = 'Untested Windows Build! (%d)' % kver.MinorVersion print('vtrace (vmware32): Windows Version: %s' % winver) kernbase = kver.KernBase & trace.bigmask modlist = kver.PsLoadedModuleList & trace.bigmask # FIXME hard coded page sizes! trace.setMeta('PAGE_SIZE', 1024) trace.setMeta('PAGE_SHIFT', 12) trace.setVariable('kpcr', kpcrva) trace.setVariable('kddebuggerdata64', dbgdata64va) trace.setVariable('KernelBase', kernbase) trace.setVariable('PsLoadedModuleList', modlist) trace.fireNotifiers(vtrace.NOTIFY_ATTACH) trace.addLibraryBase('nt', kernbase, always=True) ldr_entry = trace.readMemoryFormat(modlist, '<P')[0] while ldr_entry != modlist: ldte = trace.getStruct('nt.LDR_DATA_TABLE_ENTRY', ldr_entry) try: dllname = trace.readMemory( ldte.FullDllName.Buffer, ldte.FullDllName.Length).decode('utf-16le') dllbase = ldte.DllBase & trace.bigmask trace.addLibraryBase(dllname, dllbase, always=True) except Exception, e: print('Trouble while parsing one...') ldr_entry = ldte.InLoadOrderLinks.Flink & trace.bigmask
def test_init(self): simple = vs_cparse.ctorFromCSource(csrc_simple) nested = vs_cparse.ctorFromCSource(csrc_nested) bldr = vs_builder.VStructBuilder() bldr.addVStructCtor('pe.simple', simple) bldr.addVStructCtor('elf.nested', nested) self.assertEqual(set(['pe.simple', 'elf.nested']), set(bldr.getVStructNames())) bldr.delVStructCtor('elf.nested') self.assertEqual(['pe.simple'], bldr.getVStructNames())
def __init__(self): viv_impapi.ImportApi.__init__(self) self.loclist = [] self.locmap = e_page.MapLookup() self.blockmap = e_page.MapLookup() self._mods_loaded = False # Storage for function local symbols self.localsyms = ddict() self._call_graph = viv_codegraph.CallGraph() # Just in case of the GUI... :) self._call_graph.setMeta('bgcolor', '#000') self._call_graph.setMeta('nodecolor', '#00ff00') self._call_graph.setMeta('edgecolor', '#00802b') self._event_list = [] self._event_saved = 0 # The index of the last "save" event... # Give ourself a structure namespace! self.vsbuilder = vs_builder.VStructBuilder() self.vsconsts = vs_const.VSConstResolver()