def register_io_out(self):
out_ioctl = x64.MultipleInstr()
INPUT_BUFFER_SIZE = x64.mem('[RCX]')
INPUT_BUFFER_PORT = x64.mem('[RCX + 8]')
INPUT_BUFFER_VALUE = x64.mem('[RCX + 0x10]')
out_ioctl += x64.Cmp(self.IO_STACK_INPUT_BUFFER_LEN, 0x18) # size indicator / port / value
out_ioctl += x64.Jnz(":FAIL")
out_ioctl += x64.Mov('RCX', self.IO_STACK_INPUT_BUFFER)
out_ioctl += x64.Mov('RDX', INPUT_BUFFER_PORT)
out_ioctl += x64.Mov('RAX', INPUT_BUFFER_VALUE)
out_ioctl += x64.Mov('RCX', INPUT_BUFFER_SIZE)
out_ioctl += x64.Cmp('RCX', 0x1)
out_ioctl += x64.Jnz(":OUT_2_OR_4")
out_ioctl += x64.Out('DX', 'AL')
out_ioctl += x64.Jmp(':SUCCESS')
out_ioctl += x64.Label(":OUT_2_OR_4")
out_ioctl += x64.Cmp('RCX', 0x2)
out_ioctl += x64.Jnz(":OUT_4")
out_ioctl += x64.Out('DX', 'AX')
out_ioctl += x64.Jmp(':SUCCESS')
out_ioctl += x64.Label(":OUT_4")
out_ioctl += x64.Out('DX', 'EAX')
out_ioctl += x64.Label(":SUCCESS")
out_ioctl += x64.Xor('RAX', 'RAX')
out_ioctl += x64.Ret()
out_ioctl += x64.Label(":FAIL")
out_ioctl += x64.Mov('RAX', 0x0C000000D)
out_ioctl += x64.Ret()
self.upgrade_driver_add_new_ioctl_handler(DU_OUT_IOCTL, out_ioctl.get_code())
def register_io_in(self):
in_ioctl = x64.MultipleInstr()
INPUT_BUFFER_SIZE = x64.mem('[RCX]')
INPUT_BUFFER_PORT = x64.mem('[RCX + 8]')
in_ioctl += x64.Cmp(self.IO_STACK_INPUT_BUFFER_LEN, 0x10) # size indicator / port
in_ioctl += x64.Jnz(":FAIL")
in_ioctl += x64.Mov('RCX', self.IO_STACK_INPUT_BUFFER)
in_ioctl += x64.Mov('RDX', INPUT_BUFFER_PORT)
in_ioctl += x64.Mov('RCX', INPUT_BUFFER_SIZE)
in_ioctl += x64.Cmp('RCX', 0x1)
in_ioctl += x64.Jnz(":OUT_2_OR_4")
in_ioctl += x64.In('AL', 'DX')
in_ioctl += x64.Jmp(':SUCCESS')
in_ioctl += x64.Label(":OUT_2_OR_4")
in_ioctl += x64.Cmp('RCX', 0x2)
in_ioctl += x64.Jnz(":OUT_4")
in_ioctl += x64.In('AX', 'DX')
in_ioctl += x64.Jmp(':SUCCESS')
in_ioctl += x64.Label(":OUT_4")
in_ioctl += x64.In('EAX', 'DX')
in_ioctl += x64.Label(":SUCCESS")
in_ioctl += x64.Mov('RDX', self.IRP_OUTPUT_BUFFER)
in_ioctl += x64.Mov(x64.mem('[RDX]'), 'RAX')
in_ioctl += x64.Xor('RAX', 'RAX')
in_ioctl += x64.Ret()
in_ioctl += x64.Label(":FAIL")
in_ioctl += x64.Mov('RAX', 0x0C000000D)
in_ioctl += x64.Ret()
self.upgrade_driver_add_new_ioctl_handler(DU_IN_IOCTL, in_ioctl.get_code())
def register_alloc_memory(self):
ExAllocatePoolWithTag = self.kdbg.get_symbol_offset("nt!ExAllocatePoolWithTag")
if ExAllocatePoolWithTag is None:
raise ValueError("Could not resolve <ExAllocatePoolWithTag>")
INPUT_BUFFER_ALLOC_TYPE = x64.mem('[RCX]')
INPUT_BUFFER_ALLOC_SIZE = x64.mem('[RCX + 0x8]')
INPUT_BUFFER_ALLOC_TAG = x64.mem('[RCX + 0x10]')
Alloc_IOCTL = x64.MultipleInstr()
Alloc_IOCTL += x64.Cmp(self.IO_STACK_INPUT_BUFFER_LEN, 0x18)
Alloc_IOCTL += x64.Jnz(':FAIL')
Alloc_IOCTL += x64.Mov('RCX', self.IO_STACK_INPUT_BUFFER)
Alloc_IOCTL += x64.Mov('R8', INPUT_BUFFER_ALLOC_TAG)
Alloc_IOCTL += x64.Mov('RDX', INPUT_BUFFER_ALLOC_SIZE)
Alloc_IOCTL += x64.Mov('RCX', INPUT_BUFFER_ALLOC_TYPE)
Alloc_IOCTL += x64.Mov('RAX', ExAllocatePoolWithTag)
Alloc_IOCTL += x64.Call('RAX')
Alloc_IOCTL += x64.Mov('RBX', self.IRP_OUTPUT_BUFFER)
Alloc_IOCTL += x64.Mov(x64.mem('[RBX]'), 'RAX')
Alloc_IOCTL += x64.Xor('RAX', 'RAX')
Alloc_IOCTL += x64.Ret()
Alloc_IOCTL += x64.Label(":FAIL")
Alloc_IOCTL += x64.Mov('RAX', 0x0C000000D)
Alloc_IOCTL += x64.Ret()
self.upgrade_driver_add_new_ioctl_handler(DU_MEMALLOC_IOCTL, Alloc_IOCTL.get_code())
def register_kernel_call(self):
# expect in buffer: the address to call and all dword to push on the stack
CCall_IOCTL = x64.MultipleInstr()
CCall_IOCTL += x64.Mov('RAX', self.IO_STACK_INPUT_BUFFER_LEN)
CCall_IOCTL += x64.Cmp('RAX', 0)
CCall_IOCTL += x64.Jz(":FAIL") # Need at least the function to call
CCall_IOCTL += x64.Mov('R15', 4 * 8) # Size to pop on the stack at the end (4 * push RDI)
CCall_IOCTL += x64.Mov('R10', self.IO_STACK_INPUT_BUFFER)
CCall_IOCTL += x64.Label(':PUSH_NEXT_ARG')
CCall_IOCTL += x64.Cmp('RAX', (8 * 5))
CCall_IOCTL += x64.Jbe(":SETUP_REG_ARGS")
CCall_IOCTL += x64.Sub('RAX', 8)
INPUT_BUFFER_NEXT_ARG = x64.create_displacement(base='R10', index='RAX')
CCall_IOCTL += x64.Mov('RBX', INPUT_BUFFER_NEXT_ARG)
CCall_IOCTL += x64.Push('RBX')
CCall_IOCTL += x64.Add('R15', 8) # Add at Size to pop on the stack at the end
CCall_IOCTL += x64.Jmp(':PUSH_NEXT_ARG')
CCall_IOCTL += x64.Label(":SETUP_REG_ARGS")
# Could be done in a loop
# But do I really want to generate x86 in a loop..
CCall_IOCTL += x64.Cmp('RAX', (8 * 5))
CCall_IOCTL += x64.Jz(":SETUP_4_ARGS")
CCall_IOCTL += x64.Cmp('RAX', (8 * 4))
CCall_IOCTL += x64.Jz(":SETUP_3_ARGS")
CCall_IOCTL += x64.Cmp('RAX', (8 * 3))
CCall_IOCTL += x64.Jz(":SETUP_2_ARGS")
CCall_IOCTL += x64.Cmp('RAX', (8 * 2))
CCall_IOCTL += x64.Jz(":SETUP_1_ARGS")
CCall_IOCTL += x64.Jmp(":SETUP_0_ARGS")
CCall_IOCTL += x64.Label(":SETUP_4_ARGS")
CCall_IOCTL += x64.Mov('R9', x64.mem('[R10 + 0x20]'))
CCall_IOCTL += x64.Label(":SETUP_3_ARGS")
CCall_IOCTL += x64.Mov('R8', x64.mem('[R10 + 0x18]'))
CCall_IOCTL += x64.Label(":SETUP_2_ARGS")
CCall_IOCTL += x64.Mov('RDX', x64.mem('[R10 + 0x10]'))
CCall_IOCTL += x64.Label(":SETUP_1_ARGS")
CCall_IOCTL += x64.Mov('RCX', x64.mem('[R10 + 8]'))
CCall_IOCTL += x64.Label(":SETUP_0_ARGS")
CCall_IOCTL += x64.Mov('RAX', x64.mem('[R10]'))
# Fix Reserve space (calling convention)
CCall_IOCTL += x64.Push('RDI')
CCall_IOCTL += x64.Push('RDI')
CCall_IOCTL += x64.Push('RDI')
CCall_IOCTL += x64.Push('RDI')
CCall_IOCTL += x64.Call('RAX')
CCall_IOCTL += x64.Mov('RDX', self.IRP_OUTPUT_BUFFER)
CCall_IOCTL += x64.Mov(x64.mem('[RDX]'), 'RAX')
CCall_IOCTL += x64.Xor('RAX', 'RAX')
CCall_IOCTL += x64.Add('RSP', 'R15')
CCall_IOCTL += x64.Ret()
CCall_IOCTL += x64.Label(":FAIL")
CCall_IOCTL += x64.Mov('RAX', 0x0C000000D)
CCall_IOCTL += x64.Ret()
self.upgrade_driver_add_new_ioctl_handler(DU_KCALL_IOCTL, CCall_IOCTL.get_code())
def get_peb_addr(self):
dest = self.virtual_alloc(0x1000)
if self.bitness == 32:
store_peb = x86.MultipleInstr()
store_peb += x86.Mov('EAX', x86.mem('fs:[0x30]'))
store_peb += x86.Mov(x86.create_displacement(disp=dest), 'EAX')
store_peb += x86.Ret()
get_peb_code = store_peb.get_code()
self.write_memory(dest, "\x00" * 4)
self.write_memory(dest + 4, get_peb_code)
self.create_thread(dest + 4, 0)
time.sleep(0.01)
peb_addr = struct.unpack("<I", self.read_memory(dest, 4))[0]
return peb_addr
else:
store_peb = x64.MultipleInstr()
store_peb += x64.Mov('RAX', x64.mem('gs:[0x60]'))
store_peb += x64.Mov(x64.create_displacement(disp=dest), 'RAX')
store_peb += x64.Ret()
get_peb_code = store_peb.get_code()
self.write_memory(dest, "\x00" * 8)
self.write_memory(dest + 8, get_peb_code)
self.create_thread(dest + 8, 0)
time.sleep(0.01)
peb_addr = struct.unpack("<Q", self.read_memory(dest, 8))[0]
return peb_addr
def perform_manual_getproc_loadlib_64_for_dbg(target, dll_name):
dll = "KERNEL32.DLL\x00".encode("utf-16-le")
api = "LoadLibraryA\x00"
dll_to_load = dll_name + "\x00"
RemoteManualLoadLibray = x64.MultipleInstr()
code = RemoteManualLoadLibray
code += x64.Mov("R15", "RCX")
code += x64.Mov("RCX", x64.mem("[R15 + 0]"))
code += x64.Mov("RDX", x64.mem("[R15 + 8]"))
code += x64.Call(":FUNC_GETPROCADDRESS64")
code += x64.Mov("RCX", x64.mem("[R15 + 0x10]"))
code += x64.Push("RCX")
code += x64.Push("RCX")
code += x64.Push("RCX")
code += x64.Call("RAX") # LoadLibrary
code += x64.Pop("RCX")
code += x64.Pop("RCX")
code += x64.Pop("RCX")
code += x64.Ret()
RemoteManualLoadLibray += nativeutils.GetProcAddress64
addr = target.virtual_alloc(0x1000)
addr2 = addr + len(dll)
addr3 = addr2 + len(api)
addr4 = addr3 + len(dll_to_load)
target.write_memory(addr, dll)
target.write_memory(addr2, api)
target.write_memory(addr3, dll_to_load)
target.write_qword(addr4, addr)
target.write_qword(addr4 + 8, addr2)
target.write_qword(addr4 + 0x10, addr3)
t = target.execute(RemoteManualLoadLibray.get_code(), addr4)
return t
def test_execute_to_64(self, proc64):
with proc64.allocated_memory(0x1000) as addr:
shellcode = x64.MultipleInstr()
shellcode += x64.Mov('RAX', 0x4242424243434343)
shellcode += x64.Mov(x64.create_displacement(disp=addr), 'RAX')
shellcode += x64.Ret()
proc64.execute(shellcode.get_code())
time.sleep(0.1)
qword = proc64.read_qword(addr)
assert qword == 0x4242424243434343
def test_execute_to_64(self):
with Calc64() as calc:
data = calc.virtual_alloc(0x1000)
shellcode = x64.MultipleInstr()
shellcode += x64.Mov('RAX', 0x4242424243434343)
shellcode += x64.Mov(x64.create_displacement(disp=data), 'RAX')
shellcode += x64.Ret()
calc.execute(shellcode.get_code())
time.sleep(0.1)
dword = struct.unpack("<Q", calc.read_memory(data, 8))[0]
self.assertEqual(dword, 0x4242424243434343)
def test_set_thread_context_64(self, proc64):
code = x64.MultipleInstr()
code += x64.Label(":LOOP")
code += x64.Jmp(":LOOP")
data_len = len(code.get_code())
code += x64.Ret()
t = proc64.execute(code.get_code())
time.sleep(0.1)
assert proc64.is_exit == False
t.suspend()
ctx = t.context
ctx.Rip += data_len
ctx.Rax = 0x11223344
t.set_context(ctx)
t.resume()
time.sleep(0.1)
assert t.exit_code == 0x11223344
def generate_write_at(addr):
res = x64.MultipleInstr()
res += x64.Mov(x64.deref(addr), "RAX")
res += x64.Ret()
return res.get_code()
def generate_read_at(addr):
res = x64.MultipleInstr()
res += x64.Mov("RAX", x64.deref(addr))
res += x64.Ret()
return res.get_code()
RemoteManualLoadLibray = x64.MultipleInstr()
c = RemoteManualLoadLibray
c += x64.Mov("R15", "RCX")
c += x64.Mov("RCX", x64.mem("[R15 + 0]"))
c += x64.Mov("RDX", x64.mem("[R15 + 8]"))
c += x64.Call(":FUNC_GETPROCADDRESS64")
c += x64.Mov("RCX", x64.mem("[R15 + 0x10]"))
c += x64.Push("RCX")
c += x64.Push("RCX")
c += x64.Push("RCX")
c += x64.Call("RAX")
c += x64.Pop("RCX")
c += x64.Pop("RCX")
c += x64.Pop("RCX")
c += x64.Ret()
RemoteManualLoadLibray += GetProcAddress64
calc = windows.test.pop_calc_64(dwCreationFlags=CREATE_SUSPENDED)
addr = calc.virtual_alloc(0x1000)
addr2 = addr + len(dll)
addr3 = addr2 + len(api)
addr4 = addr3 + len(dll_to_load)
calc.write_memory(addr, dll)
calc.write_memory(addr2, api)
calc.write_memory(addr3, dll_to_load)
calc.write_qword(addr4, addr)
calc.write_qword(addr4 + 8, addr2)
def generate_syswow64_call(target, errcheck=None):
nb_args = len(target.prototype._argtypes_)
target_addr = get_syswow_ntdll_exports()[target.__name__]
argument_buffer_len = (nb_args * 8)
argument_buffer = windows.current_process.allocator.reserve_size(argument_buffer_len)
alignement_information = windows.current_process.allocator.reserve_size(8)
nb_args_on_stack = max(nb_args - 4, 0)
code_64b = x64.MultipleInstr()
# Save registers
code_64b += x64.Push('RBX')
code_64b += x64.Push('RCX')
code_64b += x64.Push('RDX')
code_64b += x64.Push('RSI')
code_64b += x64.Push('RDI')
code_64b += x64.Push('R8')
code_64b += x64.Push('R9')
code_64b += x64.Push('R10')
code_64b += x64.Push('R11')
code_64b += x64.Push('R12')
code_64b += x64.Push('R13')
# Alignment stuff :)
code_64b += x64.Mov('RCX', 'RSP')
code_64b += x64.And('RCX', 0x0f)
code_64b += x64.Mov(x64.deref(alignement_information), 'RCX')
code_64b += x64.Sub('RSP', 'RCX')
# retrieve argument from the argument buffer
if nb_args >= 1:
code_64b += x64.Mov('RCX', x64.create_displacement(disp=argument_buffer))
if nb_args >= 2:
code_64b += x64.Mov('RDX', x64.create_displacement(disp=argument_buffer + (8 * 1)))
if nb_args >= 3:
code_64b += x64.Mov('R8', x64.create_displacement(disp=argument_buffer + (8 * 2)))
if nb_args >= 4:
code_64b += x64.Mov('R9', x64.create_displacement(disp=argument_buffer + (8 * 3)))
for i in range(nb_args_on_stack):
code_64b += x64.Mov('RAX', x64.create_displacement(disp=argument_buffer + 8 * (nb_args - 1 - i)))
code_64b += x64.Push('RAX')
# reserve space for register (calling convention)
code_64b += x64.Push('R9')
code_64b += x64.Push('R8')
code_64b += x64.Push('RDX')
code_64b += x64.Push('RCX')
# Call
code_64b += x64.Mov('R13', target_addr)
code_64b += x64.Call('R13')
# Realign stack :)
code_64b += x64.Add('RSP', x64.deref(alignement_information))
# Clean stack
code_64b += x64.Add('RSP', (4 + nb_args_on_stack) * 8)
code_64b += x64.Pop('R13')
code_64b += x64.Pop('R12')
code_64b += x64.Pop('R11')
code_64b += x64.Pop('R10')
code_64b += x64.Pop('R9')
code_64b += x64.Pop('R8')
code_64b += x64.Pop('RDI')
code_64b += x64.Pop('RSI')
code_64b += x64.Pop('RDX')
code_64b += x64.Pop('RCX')
code_64b += x64.Pop('RBX')
code_64b += x64.Ret()
return try_generate_stub_target(code_64b.get_code(), argument_buffer, target, errcheck=errcheck)
class CurrentProcess(Process):
"""The current process"""
get_peb = None
get_peb_32_code = x86.MultipleInstr()
get_peb_32_code += x86.Mov('EAX', x86.mem('fs:[0x30]'))
get_peb_32_code += x86.Ret()
get_peb_32_code = get_peb_32_code.get_code()
get_peb_64_code = x64.MultipleInstr()
get_peb_64_code += x64.Mov('RAX', x64.mem('gs:[0x60]'))
get_peb_64_code += x64.Ret()
get_peb_64_code = get_peb_64_code.get_code()
allocator = native_exec.native_function.allocator
def get_peb_builtin(self):
if self.get_peb is not None:
return self.get_peb
if self.bitness == 32:
get_peb = native_exec.create_function(self.get_peb_32_code,
[PVOID])
else:
get_peb = native_exec.create_function(self.get_peb_64_code,
[PVOID])
self.get_peb = get_peb
return get_peb
def _get_handle(self):
return winproxy.GetCurrentProcess()
def __del__(self):
pass
@property
def pid(self):
"""Process ID
:type: int
"""
return os.getpid()
# Is there a better way ?
@utils.fixedpropety
def ppid(self):
"""Parent Process ID
:type: int
"""
return [p for p in windows.system.processes
if p.pid == self.pid][0].ppid
@utils.fixedpropety
def peb(self):
"""The Process Environment Block of the current process
:type: :class:`PEB`
"""
return PEB.from_address(self.get_peb_builtin()())
@utils.fixedpropety
def bitness(self):
"""The bitness of the process
:returns: int -- 32 or 64"""
import platform
bits = platform.architecture()[0]
return int(bits[:2])
def virtual_alloc(self, size):
"""Allocate memory in the current process
:returns: int
"""
return winproxy.VirtualAlloc(dwSize=size)
def write_memory(self, addr, data):
"""Write data at addr"""
buffertype = (c_char * len(data)).from_address(addr)
buffertype[:len(data)] = data
return True
def read_memory(self, addr, size):
"""Read size from adddr"""
dbgprint('Read CurrentProcess Memory', 'READMEM')
buffer = (c_char * size).from_address(addr)
return buffer[:]
def create_thread(self, lpStartAddress, lpParameter, dwCreationFlags=0):
"""Create a new thread
.. note::
CreateThread https://msdn.microsoft.com/en-us/library/windows/desktop/ms682453%28v=vs.85%29.aspx
"""
handle = winproxy.CreateThread(lpStartAddress=lpStartAddress,
lpParameter=lpParameter,
dwCreationFlags=dwCreationFlags)
return WinThread._from_handle(handle)
def exit(self, code=0):
"""Exit the process"""
return winproxy.ExitProcess(code)
StrlenW64 = x64.MultipleInstr()
StrlenW64 += x64.Label(":FUNC_STRLENW64")
StrlenW64 += x64.Push("RCX")
StrlenW64 += x64.Push("RDI")
StrlenW64 += x64.Mov("RDI", "RCX")
StrlenW64 += x64.Xor("RAX", "RAX")
StrlenW64 += x64.Xor("RCX", "RCX")
StrlenW64 += x64.Dec("RCX")
StrlenW64 += x64.Repne + x64.ScasW()
StrlenW64 += x64.Not("RCX")
StrlenW64 += x64.Dec("RCX")
StrlenW64 += x64.Mov("RAX", "RCX")
StrlenW64 += x64.Pop("RDI")
StrlenW64 += x64.Pop("RCX")
StrlenW64 += x64.Ret()
StrlenA64 = x64.MultipleInstr()
StrlenA64 += x64.Label(":FUNC_STRLENA64")
StrlenA64 += x64.Push("RCX")
StrlenA64 += x64.Push("RDI")
StrlenA64 += x64.Mov("RDI", "RCX")
StrlenA64 += x64.Xor("RAX", "RAX")
StrlenA64 += x64.Xor("RCX", "RCX")
StrlenA64 += x64.Dec("RCX")
StrlenA64 += x64.Repne + x64.ScasB()
StrlenA64 += x64.Not("RCX")
StrlenA64 += x64.Dec("RCX")
StrlenA64 += x64.Mov("RAX", "RCX")
StrlenA64 += x64.Pop("RDI")
StrlenA64 += x64.Pop("RCX")
class CurrentProcess(Process):
"""The current process"""
get_peb = None
get_peb_32_code = x86.MultipleInstr()
get_peb_32_code += x86.Mov('EAX', x86.mem('fs:[0x30]'))
get_peb_32_code += x86.Ret()
get_peb_32_code = get_peb_32_code.get_code()
get_peb_64_code = x64.MultipleInstr()
get_peb_64_code += x64.Mov('RAX', x64.mem('gs:[0x60]'))
get_peb_64_code += x64.Ret()
get_peb_64_code = get_peb_64_code.get_code()
allocator = native_exec.native_function.allocator
# Use RtlGetCurrentPeb ?
def get_peb_builtin(self):
if self.get_peb is not None:
return self.get_peb
if self.bitness == 32:
get_peb = native_exec.create_function(self.get_peb_32_code, [PVOID])
else:
get_peb = native_exec.create_function(self.get_peb_64_code, [PVOID])
self.get_peb = get_peb
return get_peb
def _get_handle(self):
return winproxy.GetCurrentProcess()
def __del__(self):
pass
@property
def pid(self):
"""Process ID
:type: :class:`int`
"""
return os.getpid()
# Is there a better way ?
@utils.fixedpropety
def ppid(self):
"""Parent Process ID
:type: :class:`int`
"""
return [p for p in windows.system.processes if p.pid == self.pid][0].ppid
@utils.fixedpropety
def peb(self):
"""The Process Environment Block of the current process
:type: :class:`PEB`
"""
return PEB.from_address(self.get_peb_builtin()())
@utils.fixedpropety
def bitness(self):
"""The bitness of the process
:type: :class:`int` -- 32 or 64
"""
import platform
bits = platform.architecture()[0]
return int(bits[:2])
def virtual_alloc(self, size, prot=PAGE_EXECUTE_READWRITE):
"""Allocate memory in the process
:return: The address of the allocated memory
:rtype: :class:`int`
"""
return winproxy.VirtualAlloc(dwSize=size, flProtect=prot)
def virtual_free(self, addr):
"""Free memory in the process by virtual_alloc"""
return winproxy.VirtualFree(addr)
def write_memory(self, addr, data):
"""Write data at addr"""
buffertype = (c_char * len(data)).from_address(addr)
buffertype[:len(data)] = data
return True
def read_memory(self, addr, size):
"""Read ``size`` from ``addr``
:return: The data read
:rtype: :class:`str`
"""
dbgprint('Read CurrentProcess Memory', 'READMEM')
buffer = (c_char * size).from_address(addr)
return buffer[:]
def create_thread(self, lpStartAddress, lpParameter, dwCreationFlags=0):
"""Create a new thread
:rtype: :class:`WinThread` or :class:`DeadThread`
"""
handle = winproxy.CreateThread(lpStartAddress=lpStartAddress, lpParameter=lpParameter, dwCreationFlags=dwCreationFlags)
return WinThread._from_handle(handle)
def execute(self, code, parameter=0):
"""Execute native code ``code`` in the current thread.
:rtype: :class:`int` the return value of the native code"""
f = windows.native_exec.create_function(code, [PVOID, PVOID])
return f(parameter)
def exit(self, code=0):
"""Exit the process"""
return winproxy.ExitProcess(code)
def wait(self, timeout=INFINITE):
"""Raise :class:`ValueError` to prevent deadlock :D"""
raise ValueError("wait() on current thread")
@utils.fixedpropety
def peb_syswow(self):
"""The 64bits PEB of a SysWow64 process
:type: :class:`PEB`
"""
if not self.is_wow_64:
raise ValueError("Not a syswow process")
return windows.syswow64.get_current_process_syswow_peb()
def test_x64_instr_multiply():
res = x64.MultipleInstr()
res += (x64.Nop() * 5)
res += x64.Ret()
assert res.get_code() == b"\x90\x90\x90\x90\x90\xc3"
print("current process is a SysWow64 process ? <{cp.is_wow_64}>".format(cp=cp))
print("current process pid <{cp.pid}> and ppid <{cp.ppid}>".format(cp=cp))
print("Here are the current process threads: <{cp.threads}>".format(cp=cp))
print("Let's execute some native code ! (0x41 + 1)")
if windows.current_process.bitness == 32:
# Let's generate some native code
code = x86.MultipleInstr()
code += x86.Mov("Eax", 0x41)
code += x86.Inc("EAX")
code += x86.Ret()
else:
code = x64.MultipleInstr()
code += x64.Mov("RAX", 0x41)
code += x64.Inc("RAX")
code += x64.Ret()
native_code = code.get_code()
v = windows.current_process.execute(native_code)
print("Native code returned <{0}>".format(hex(v)))
print("Allocating memory in current process")
addr = cp.virtual_alloc(0x1000) # Default alloc is RWX (so secure !)
print("Allocated memory is at <{0}>".format(hex(addr)))
print("Writing 'SOME STUFF' in allocation memory")
cp.write_memory(addr, "SOME STUFF")
print("Reading memory : <{0}>".format(repr(cp.read_memory(addr, 20))))
