import os
import struct
import unittest

import windows
import windows.utils
import windows.pe_parse
from windows import winproxy

# Project-local helpers. The module names below are assumptions: the debugger
# under test, the 32/64-bit gating decorators, RequireSymbol and the cpuid
# module are expected to live next to this file; adjust the names to the project.
from dbginterface import LocalKernelDebugger
from testhelpers import test_32bit_only, test_64bit_only, RequireSymbol
import cpuid


class IDebugDataSpacesTestCase(unittest.TestCase):
    """Exercise the IDebugDataSpaces wrappers of LocalKernelDebugger.

    Reads are checked against the on-disk kernel image (headers are not
    relocated, so the first bytes of nt match the file) and against the live
    CPU (MSRs, CPUID). Writes target the last bytes of the kernel .data
    section; the tests assume that trailing slack is unused and do not
    restore the original value.
    """

    def setUp(self):
        pass

    @classmethod
    def setUpClass(cls):
        # Pin the thread to CPU 0 so the MSR / processor-data reads below
        # (which query processor 0) refer to the CPU we are running on.
        windows.winproxy.SetThreadAffinityMask(dwThreadAffinityMask=(1 << 0))
        cls.kdbg = LocalKernelDebugger()
        modules = windows.utils.get_kernel_modules()
        # The first kernel module is the kernel itself (nt); resolve its path.
        cls.ntkernelbase = modules[0].Base
        cls.kernelpath = modules[0].ImageName[:]
        cls.kernelpath = os.path.expandvars(cls.kernelpath.replace(r"\SystemRoot", "%SystemRoot%"))
        with open(cls.kernelpath, "rb") as f:
            cls.kernelbuf = f.read()
        # Map the kernel image in our own process to parse its section table.
        cls.kernelmod = winproxy.LoadLibraryA(cls.kernelpath)
        pe = windows.pe_parse.PEFile(cls.kernelmod)
        cls.kernel_section_data = [section for section in pe.sections if section.name == ".data"][0]

    def tearDown(self):
        # self.kdbg.detach()
        self.kdbg = None

    # --- IDebugDataSpaces::ReadVirtual ---

    def test_read_byte(self):
        x = self.kdbg.read_byte(self.kdbg.get_symbol_offset("nt"))
        # struct.unpack works for both str (py2) and bytes (py3) buffers
        self.assertEqual(x, struct.unpack("<B", self.kernelbuf[:1])[0])

    def test_read_word(self):
        x = self.kdbg.read_word(self.kdbg.get_symbol_offset("nt"))
        self.assertEqual(x, struct.unpack("<H", self.kernelbuf[:2])[0])

    def test_read_dword(self):
        x = self.kdbg.read_dword(self.kdbg.get_symbol_offset("nt"))
        self.assertEqual(x, struct.unpack("<I", self.kernelbuf[:4])[0])

    def test_read_qword(self):
        x = self.kdbg.read_qword(self.kdbg.get_symbol_offset("nt"))
        self.assertEqual(x, struct.unpack("<Q", self.kernelbuf[:8])[0])

    # --- IDebugDataSpaces::ReadPhysical ---
    # Reading the physical page backing nt must give the same bytes as the
    # virtual read of the same address.

    def test_read_byte_p(self):
        x = self.kdbg.read_byte(self.kdbg.get_symbol_offset("nt"))
        y = self.kdbg.read_byte_p(self.kdbg.virtual_to_physical(self.kdbg.get_symbol_offset("nt")))
        self.assertEqual(x, y)

    def test_read_word_p(self):
        x = self.kdbg.read_word(self.kdbg.get_symbol_offset("nt"))
        y = self.kdbg.read_word_p(self.kdbg.virtual_to_physical(self.kdbg.get_symbol_offset("nt")))
        self.assertEqual(x, y)

    def test_read_dword_p(self):
        x = self.kdbg.read_dword(self.kdbg.get_symbol_offset("nt"))
        y = self.kdbg.read_dword_p(self.kdbg.virtual_to_physical(self.kdbg.get_symbol_offset("nt")))
        self.assertEqual(x, y)

    def test_read_qword_p(self):
        x = self.kdbg.read_qword(self.kdbg.get_symbol_offset("nt"))
        y = self.kdbg.read_qword_p(self.kdbg.virtual_to_physical(self.kdbg.get_symbol_offset("nt")))
        self.assertEqual(x, y)

    # --- IDebugDataSpaces::ReadMsr ---
    # The syscall entry MSR must point at the kernel's system call handler.

    @test_32bit_only
    @RequireSymbol('nt!KiFastCallEntry')
    def test_read_msr32(self):
        IA32_SYSENTER_EIP = 0x176
        x = self.kdbg.read_msr(IA32_SYSENTER_EIP)
        y = self.kdbg.get_symbol(x)
        self.assertEqual(y[0], 'nt!KiFastCallEntry')

    @test_64bit_only
    @RequireSymbol('nt!KiSystemCall64')
    def test_read_msr64(self):
        LSTAR = 0xC0000082
        x = self.kdbg.read_msr(LSTAR)
        y = self.kdbg.get_symbol(x)
        self.assertEqual(y[0], 'nt!KiSystemCall64')

    # --- IDebugDataSpaces::ReadProcessorSystemData ---
    # Processor 0's identification must match what CPUID reports in-process
    # (we are pinned to CPU 0 in setUpClass).

    @test_32bit_only
    def test_read_processor_system_data32(self):
        DEBUG_DATA_PROCESSOR_IDENTIFICATION = 4
        x = self.kdbg.read_processor_system_data(0, DEBUG_DATA_PROCESSOR_IDENTIFICATION)
        self.assertEqual(cpuid.get_vendor_id(), x.X86.VendorString)
        self.assertEqual(cpuid.get_proc_family_model(), (x.X86.Family, x.X86.Model))

    @test_64bit_only
    def test_read_processor_system_data64(self):
        DEBUG_DATA_PROCESSOR_IDENTIFICATION = 4
        x = self.kdbg.read_processor_system_data(0, DEBUG_DATA_PROCESSOR_IDENTIFICATION)
        self.assertEqual(cpuid.get_vendor_id(), x.Amd64.VendorString)
        self.assertEqual(cpuid.get_proc_family_model(), (x.Amd64.Family, x.Amd64.Model))

    # --- IDebugDataSpaces::WriteVirtual / WritePhysical ---
    # Each write lands in the last `size` bytes of nt's .data section and is
    # read back through the virtual path.

    def _data_tail(self, size):
        """Virtual address of the last `size` bytes of the kernel .data section."""
        kernel_base = self.kdbg.get_symbol_offset("nt")
        return kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - size

    def test_write_byte(self):
        addr = self._data_tail(1)
        self.kdbg.write_byte(addr, 0x42)
        x = self.kdbg.read_byte(addr)
        self.assertEqual(0x42, x)

    def test_write_byte_p(self):
        addr = self._data_tail(1)
        self.kdbg.write_byte_p(self.kdbg.virtual_to_physical(addr), 0x43)
        x = self.kdbg.read_byte(addr)
        self.assertEqual(0x43, x)

    def test_write_word(self):
        addr = self._data_tail(2)
        self.kdbg.write_word(addr, 0x4444)
        x = self.kdbg.read_word(addr)
        self.assertEqual(0x4444, x)

    def test_write_word_p(self):
        addr = self._data_tail(2)
        self.kdbg.write_word_p(self.kdbg.virtual_to_physical(addr), 0x4545)
        x = self.kdbg.read_word(addr)
        self.assertEqual(0x4545, x)

    def test_write_dword(self):
        addr = self._data_tail(4)
        self.kdbg.write_dword(addr, 0x46464646)
        x = self.kdbg.read_dword(addr)
        self.assertEqual(0x46464646, x)

    def test_write_dword_p(self):
        addr = self._data_tail(4)
        self.kdbg.write_dword_p(self.kdbg.virtual_to_physical(addr), 0x47474747)
        x = self.kdbg.read_dword(addr)
        self.assertEqual(0x47474747, x)

    def test_write_qword(self):
        addr = self._data_tail(8)
        self.kdbg.write_qword(addr, 0x4848484848484848)
        x = self.kdbg.read_qword(addr)
        self.assertEqual(0x4848484848484848, x)

    def test_write_qword_p(self):
        addr = self._data_tail(8)
        self.kdbg.write_qword_p(self.kdbg.virtual_to_physical(addr), 0x4949494949494949)
        x = self.kdbg.read_qword(addr)
        self.assertEqual(0x4949494949494949, x)


if __name__ == "__main__":
    unittest.main()