def test_dumpstruct(capsys):
c = cstruct.cstruct()
c.load("""
struct test {
uint32 testval;
};
""",
compiled=False)
data = b'\x39\x05\x00\x00'
a = c.test(data)
cstruct.dumpstruct(c.test, data)
captured_1 = capsys.readouterr()
cstruct.dumpstruct(a)
captured_2 = capsys.readouterr()
assert captured_1.out == captured_2.out
char value[value_length];
};
struct MiraiAttack {
uint16 total_length;
uint32 duration;
uint8 attack_id;
uint8 target_count;
AttackTarget targets[target_count];
uint8 num_opts;
AttackOption attack_options[num_opts];
};
""")
protocol.endian = ">"
if __name__ == '__main__':
data = b"\x000\x00\x00\x00d\n\x01\x08\x08\x08\x08 \x03\x08\x16http://www.example.com\x07\x0280\x18\x045000"
record = protocol.MiraiAttack(data)
print(record)
print('--')
for t in record.targets:
print('TARGET: {}/{}'.format(socket.inet_ntoa(struct.pack('!L', t.ipv4)), t.netmask))
for o in record.attack_options:
print('OPTION: {} - {}'.format(o.type, o.value))
dumpstruct(protocol.MiraiAttack, data)
def VmmPy_Example_ParsePE(dump_file_name):
# INIITALIZE
print(
"--------------------------------------------------------------------")
print(
"Initialize VmmPy with the dump file specified. ")
input("Press Enter to continue...")
print("CALL: VmmPy_InitializeFile()")
VmmPy_InitializeFile(dump_file_name)
print("SUCCESS: VmmPy_InitializeFile()")
#
# EXAMPLE BELOW USE THE FOX-IT DISSECT CSTRUCT PYTHON MODULE TO PARSE THE
# THE PE HEADER OF 'ntdll.dll' in 'explorer.exe'
#
print(
"--------------------------------------------------------------------")
print(
"Parse the PE header of 'explorer.exe'/'ntdll.dll' by using a VmmPy ")
print(
"custom version of the dissect.cstruct parsing library from fox-it. ")
print(
"dissect.cstruct: https://github.com/fox-it/dissect.cstruct ")
input("Press Enter to continue...")
# Call VmmPy to retrieve the actual 0x1000 page containing the PE header.
print("CALL: VmmPy*")
mz_pid = VmmPy_PidGetFromName('explorer.exe')
mz_va = VmmPy_ProcessGetModuleFromName(mz_pid, "ntdll.dll")['va']
mz_bytes = VmmPy_MemRead(mz_pid, mz_va, 0x1000)
print("SUCCESS: VmmPy*")
# Create a stream for convenience
mz_stream = BytesIO(mz_bytes)
# Set up dissect.cstruct
print(
"INITIALIZING dissect.cstruct and parsing PE header structures ... ")
pestruct = cstruct.cstruct()
pestruct.load(PE_STRUCT_DEFINITIONS)
# Load the MZ stream into dissect.struct. NB! loading mz_bytes will work as
# well but will not be as convenient since the 'file pointer' won't move on
# struct reads automatically...
struct_mz = pestruct.IMAGE_DOS_HEADER(mz_stream)
if struct_mz.e_magic != 0x5a4d:
print("MZ HEADER DOES NOT MATCH - ABORTING")
return
print(struct_mz)
print(cstruct.dumpstruct(struct_mz, None, 0, False, True))
# Seek towards the PE signature / magic value and check that it is correct.
mz_stream.seek(struct_mz.e_lfanew)
signature = pestruct.uint32(mz_stream)
if signature != 0x4550:
print("PE HEADER DOES NOT MATCH")
return
# Parse and display the PE file_header struct.
struct_file_header = pestruct.IMAGE_FILE_HEADER(mz_stream)
print(struct_file_header)
print(cstruct.dumpstruct(struct_file_header, None, 0, False, True))
# Parse and display the PE struct_optional_header struct.
struct_optional_header = pestruct.IMAGE_OPTIONAL_HEADER64(
mz_stream
) if struct_file_header.Machine == 0x8664 else pestruct.IMAGE_OPTIONAL_HEADER(
mz_stream)
print(struct_optional_header)
print(cstruct.dumpstruct(struct_optional_header, None, 0, False, True))
# Parse and display the PE sections.
struct_sections = [
pestruct.IMAGE_SECTION_HEADER(mz_stream)
for _ in range(struct_file_header.NumberOfSections)
]
for struct_section in struct_sections:
print(cstruct.dumpstruct(struct_section, None, 0, False, True))
yield part
yield Partition(fh, part_offset, p.sector_size * SECTOR_SIZE, p.type, None)
if __name__ == '__main__':
if len(sys.argv) != 2:
sys.exit("usage: disk.py <disk or image>")
fh = open(sys.argv[1], 'rb')
mbr = c_disk.mbr(fh)
if mbr.bootsig != 0xaa55:
sys.exit("Not a valid MBR")
cstruct.dumpstruct(mbr)
for p in partitions(fh, mbr, 0):
if p.type == 0xee:
fh.seek(p.offset)
gpt = c_disk.GPT_HEADER(fh)
cstruct.dumpstruct(gpt)
fh.seek(gpt.lba_partition_array * SECTOR_SIZE)
for _ in range(gpt.partition_table_count):
p = c_disk.GPT_PARTITION(fh)
if p.first_lba == 0:
break
part = Partition(
fh, p.first_lba * SECTOR_SIZE, (p.last_lba - p.first_lba) * SECTOR_SIZE,
yield y_part
yield Partition(fh_part, part_offset, mbr_p.sector_size * SECTOR_SIZE, mbr_p.type, None)
if __name__ == '__main__':
if len(sys.argv) != 2:
sys.exit("usage: disk.py <disk or image>")
fh = open(sys.argv[1], 'rb')
mbr = c_disk.mbr(fh)
if mbr.bootsig != 0xaa55:
sys.exit("Not a valid MBR")
dumpstruct(mbr)
for p in partitions(fh, mbr, 0):
if p.type == 0xee:
fh.seek(p.offset)
gpt = c_disk.GPT_HEADER(fh)
dumpstruct(gpt)
fh.seek(gpt.lba_partition_array * SECTOR_SIZE)
for _ in range(gpt.partition_table_count):
p = c_disk.GPT_PARTITION(fh)
if p.first_lba == 0:
break
part = Partition(
fh, p.first_lba * SECTOR_SIZE, (p.last_lba - p.first_lba) * SECTOR_SIZE,
if __name__ == '__main__':
if len(sys.argv) != 2:
sys.exit("usage: pe.py <pe file>")
fh = open(sys.argv[1], 'rb')
mz = pestruct.IMAGE_DOS_HEADER(fh)
if mz.e_magic != 0x5a4d:
sys.exit("Invalid PE")
fh.seek(mz.e_lfanew)
signature = pestruct.uint32(fh)
if signature != 0x4550:
sys.exit("Invalid PE")
file_header = pestruct.IMAGE_FILE_HEADER(fh)
if file_header.Machine == 0x8664:
optional_header = pestruct.IMAGE_OPTIONAL_HEADER64(fh)
else:
optional_header = pestruct.IMAGE_OPTIONAL_HEADER(fh)
cstruct.dumpstruct(mz)
cstruct.dumpstruct(file_header)
cstruct.dumpstruct(optional_header)
sections = [pestruct.IMAGE_SECTION_HEADER(fh) for _ in range(file_header.NumberOfSections)]
for s in sections:
cstruct.dumpstruct(s)
if len(sys.argv) != 2:
sys.exit("usage: pe.py <pe file>")
fh = open(sys.argv[1], 'rb')
mz = pestruct.IMAGE_DOS_HEADER(fh)
if mz.e_magic != 0x5a4d:
sys.exit("Invalid PE")
fh.seek(mz.e_lfanew)
signature = pestruct.uint32(fh)
if signature != 0x4550:
sys.exit("Invalid PE")
file_header = pestruct.IMAGE_FILE_HEADER(fh)
if file_header.Machine == 0x8664:
optional_header = pestruct.IMAGE_OPTIONAL_HEADER64(fh)
else:
optional_header = pestruct.IMAGE_OPTIONAL_HEADER(fh)
dumpstruct(mz)
dumpstruct(file_header)
dumpstruct(optional_header)
sections = [
pestruct.IMAGE_SECTION_HEADER(fh)
for _ in range(file_header.NumberOfSections)
]
for s in sections:
dumpstruct(s)