def __init__(self): vstruct.VStruct.__init__(self) self.Magic = v_bytes(vbytes=IMAGE_ARCHIVE_START) # A set of image archive names is first... self.ImageArchiveMembers = vstruct.VArray(elems=(IMAGE_ARCHIVE_LINKER1(), IMAGE_ARCHIVE_LINKER2()))
def __init__(self): IMAGE_ARCHIVE_MEMBER.__init__(self) self.NumberOfSymbols = v_uint32(bigend=True) self.SymbolOffsets = vstruct.VArray() self.SymbolNames = vstruct.VArray()
def pcb_NumberOfAuxSymbols(self): a = self.NumberOfAuxSymbols self.AuxSymbols = vstruct.VArray(elems=[ v_bytes(size=18) for i in range(a) ])
def __init__(self, bigend=False): IMAGE_ARCHIVE_MEMBER.__init__(self) self.FileHeader = IMAGE_FILE_HEADER() self.SectionHeaders = vstruct.VArray() self.SectionData = v_bytes() self.SymbolTable = vstruct.VArray()
def pcb_descsz(self): elems = [v_uint32() for i in range(self.descsz // 4)] self.desc = vstruct.VArray(elems=elems)
def __init__(self): vstruct.VStruct.__init__(self) self.PrivilegeCount = v_uint32() self.Control = v_uint32() self.Privilege = vstruct.VArray([ LUID_AND_ATTRIBUTES() for i in xrange(3) ])
def __init__(self): vstruct.VStruct.__init__(self) self.Count = v_uint32() self.List = vstruct.VArray([ CM_FULL_RESOURCE_DESCRIPTOR() for i in xrange(1) ])
def pcb_NumberOfSymbols(self): c = self.NumberOfSymbols self.SymbolIndexes = vstruct.VArray( elems=[ v_uint16() for i in range(c) ]) self.SymbolNames = vstruct.VArray( elems=[ v_zstr() for i in range(c) ])
def __init__(self): vstruct.VStruct.__init__(self) self.ExtraData = v_ptr32() self.size = v_uint32() self.trace = vstruct.VArray([ v_ptr32() for i in xrange(6) ])
def __init__(self): vstruct.VStruct.__init__(self) self.Data1 = v_uint32() self.Data2 = v_uint16() self.Data3 = v_uint16() self.Data4 = vstruct.VArray([ v_uint8() for i in xrange(8) ])
def __init__(self): vstruct.VStruct.__init__(self) self.HashBuckets = vstruct.VArray([ v_ptr32() for i in xrange(37) ]) self.Lock = EX_PUSH_LOCK() self.DeviceMap = v_ptr32() self.SessionId = v_uint32()
def buildVStruct(self, vsname): # Check for a namespace parts = vsname.split('.', 1) if len(parts) == 2: ns = self._vs_namespaces.get(parts[0]) if ns == None: raise Exception( 'Namespace %s is not present! (need symbols?)' % parts[0]) # If a module gets added as a namespace, assume it has a class def... if isinstance(ns, types.ModuleType): cls = getattr(ns, parts[1]) if cls == None: raise Exception('Unknown VStruct Definition: %s' % vsname) return cls() return ns.buildVStruct(parts[1]) vsdef = self._vs_defs.get(vsname) if vsdef == None: raise Exception('Unknown VStruct Definition: %s' % vsname) vsname, vssize, vskids = vsdef vs = vstruct.VStruct() vs._vs_name = vsname for fname, foffset, fsize, ftypename, fflags in vskids: if fflags & VSFF_POINTER: # FIXME support pointers with types! if fsize == 4: fieldval = vs_prim.v_ptr32() elif fsize == 8: fieldval = vs_prim.v_ptr64() else: raise Exception('Invalid Pointer Width: %d' % fsize) elif fflags & VSFF_ARRAY: if ftypename != None: fieldval = vstruct.VArray() while len(fieldval) < fsize: fieldval.vsAddElement(self.buildVStruct(ftypename)) else: # FIXME actually handle arrays! fieldval = vs_prim.v_bytes(size=fsize) elif ftypename == None: if fsize not in [1, 2, 4, 8]: #print 'Primitive Field Size: %d' % fsize fieldval = v_bytes(size=fsize) else: fieldval = prim_types[fsize]() else: fieldval = self.buildVStruct(ftypename) cursize = len(vs) if foffset < cursize: #print 'FIXME handle unions, overlaps, etc...' continue if foffset > cursize: setattr(vs, '_pad%.4x' % foffset, vs_prim.v_bytes(size=(foffset - cursize))) setattr(vs, fname, fieldval) return vs
def __init__(self): vstruct.VStruct.__init__(self) self.InheritedAddressSpace = v_uint8() self.ReadImageFileExecOptions = v_uint8() self.BeingDebugged = v_uint8() self.SpareBool = v_uint8() self.Mutant = v_ptr32() self.ImageBaseAddress = v_ptr32() self.Ldr = v_ptr32() self.ProcessParameters = v_ptr32() self.SubSystemData = v_ptr32() self.ProcessHeap = v_ptr32() self.FastPebLock = v_ptr32() self.FastPebLockRoutine = v_ptr32() self.FastPebUnlockRoutine = v_ptr32() self.EnvironmentUpdateCount = v_uint32() self.KernelCallbackTable = v_ptr32() self.SystemReserved = v_uint32() self.AtlThunkSListPtr32 = v_ptr32() self.FreeList = v_ptr32() self.TlsExpansionCounter = v_uint32() self.TlsBitmap = v_ptr32() self.TlsBitmapBits = vstruct.VArray([v_uint32() for i in range(2)]) self.ReadOnlySharedMemoryBase = v_ptr32() self.ReadOnlySharedMemoryHeap = v_ptr32() self.ReadOnlyStaticServerData = v_ptr32() self.AnsiCodePageData = v_ptr32() self.OemCodePageData = v_ptr32() self.UnicodeCaseTableData = v_ptr32() self.NumberOfProcessors = v_uint32() self.NtGlobalFlag = v_uint64() self.CriticalSectionTimeout = v_uint64() self.HeapSegmentReserve = v_uint32() self.HeapSegmentCommit = v_uint32() self.HeapDeCommitTotalFreeThreshold = v_uint32() self.HeapDeCommitFreeBlockThreshold = v_uint32() self.NumberOfHeaps = v_uint32() self.MaximumNumberOfHeaps = v_uint32() self.ProcessHeaps = v_ptr32() self.GdiSharedHandleTable = v_ptr32() self.ProcessStarterHelper = v_ptr32() self.GdiDCAttributeList = v_uint32() self.LoaderLock = v_ptr32() self.OSMajorVersion = v_uint32() self.OSMinorVersion = v_uint32() self.OSBuildNumber = v_uint16() self.OSCSDVersion = v_uint16() self.OSPlatformId = v_uint32() self.ImageSubsystem = v_uint32() self.ImageSubsystemMajorVersion = v_uint32() self.ImageSubsystemMinorVersion = v_uint32() self.ImageProcessAffinityMask = v_uint32() self.GdiHandleBuffer = vstruct.VArray([v_ptr32() for i in range(34)]) self.PostProcessInitRoutine = v_ptr32() self.TlsExpansionBitmap = v_ptr32() self.TlsExpansionBitmapBits = vstruct.VArray( [v_uint32() for i in range(32)]) self.SessionId = v_uint32() self.AppCompatFlags = v_uint64() self.AppCompatFlagsUser = v_uint64() self.pShimData = v_ptr32() self.AppCompatInfo = v_ptr32() self.CSDVersion = v_ptr32() self.UNKNOWN = v_uint32() self.ActivationContextData = v_ptr32() self.ProcessAssemblyStorageMap = v_ptr32() self.SystemDefaultActivationContextData = v_ptr32() self.SystemAssemblyStorageMap = v_ptr32() self.MinimumStackCommit = v_uint32()
def pcb_NumberOfSymbols(self): c = self.NumberOfSymbols self.SymbolOffsets = vstruct.VArray( elems=[ v_uint32(bigend=True) for i in range(c) ]) self.SymbolNames = vstruct.VArray( elems=[ v_zstr() for i in range(c) ])
def __init__(self): vstruct.VStruct.__init__(self) self.Locks = vstruct.VArray([ v_ptr32() for i in xrange(1) ])
def pcb_NumberOfMembers(self): c = self.NumberOfMembers self.MemberOffsets = vstruct.VArray( elems=[ v_uint32() for i in range(c) ] )
def __init__(self): vstruct.VStruct.__init__(self) self.Version = v_uint16() self.Revision = v_uint16() self.Count = v_uint32() self.PartialDescriptors = vstruct.VArray([ CM_PARTIAL_RESOURCE_DESCRIPTOR() for i in xrange(1) ])
def buildVStruct(self, vsname): # Check for a namespace parts = vsname.split('.', 1) if len(parts) == 2: ns = self._vs_namespaces.get(parts[0]) if ns == None: raise Exception('Namespace %s is not present! (need symbols?)' % parts[0]) # If a module gets added as a namespace, assume it has a class def... if isinstance(ns, types.ModuleType): cls = getattr(ns, parts[1]) if cls == None: raise Exception('Unknown VStruct Definition: %s' % vsname) return cls() return ns.buildVStruct(parts[1]) ctor = self._vs_ctors.get(vsname) if ctor != None: return ctor() vsdef = self._vs_defs.get(vsname) # If we still dont have a def, lets ask our namespaces if vsdef == None: for ns in self._vs_namespaces.values(): if isinstance(ns, types.ModuleType): cls = getattr(ns, vsname, None) if cls != None: return cls() else: vsdef = ns._vs_defs.get(vsname) if vsdef != None: break if vsdef == None: return None vsname, vssize, vskids = vsdef vs = vstruct.VStruct() vs._vs_name = vsname for fname, foffset, fsize, ftypename, fflags, fcount in vskids: fieldval = self._buildVsType(ftypename, fsize, fflags) if fcount != None: afields = [copy.deepcopy(fieldval) for i in range(fcount) ] fieldval = vstruct.VArray(afields) cursize = len(vs) if foffset < cursize: continue if foffset > cursize: setattr(vs, '_pad%.4x' % foffset, vs_prim.v_bytes(size=(foffset-cursize))) setattr(vs, fname, fieldval) final_len = len(vs) if final_len < vssize: setattr(vs, '_pad%.4x' % vssize, vs_prim.v_bytes(size=(vssize-final_len))) return vs
def test_vstruct_varray(self): v = vstruct.VArray([v_uint8(i) for i in xrange(20)]) self.assertEqual(v[2], 2) v.vsParse('A' * 20) self.assertEqual(v[2], 0x41)