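def main(args):
    """Discover data types in a memory range and log each object found.

    Args:
        args: exactly two hex strings, ``address`` and ``size``.

    Returns:
        A status string for the command window.  Bad argument count falls
        through to ``usage(imm)``; non-hex arguments and an unreadable
        range are reported as error strings rather than tracebacks.
    """
    imm = immlib.Debugger()
    # One check covers both the empty and the wrong-count cases.
    if not args or len(args) != 2:
        return usage(imm)
    try:
        addr = int(args[0], 16)
        size = int(args[1], 16)
    except ValueError:
        # The other commands on this page report bad hex as a string;
        # match that instead of letting int() raise into the debugger.
        usage(imm)
        return "Invalid address/size (expected hex): %s %s" % (args[0], args[1])

    dt = libdatatype.DataTypes(imm)
    mem = imm.readMemory(addr, size)
    if not mem:
        return "Error: Couldn't read anything at address: 0x%08x" % addr

    ret = dt.Discover(mem, addr, what='all')
    imm.log("Found: %d data types" % len(ret))
    for obj in ret:
        # Only objects that carry data get a detailed line; the entry is
        # tagged with the object's address via the `address` keyword.
        if obj.data:
            msg = obj.Print()
            imm.log("obj: %s: %s %d" % (obj.name, msg, obj.getSize()),
                    address=obj.address)
    return "Found: %d data types" % len(ret)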
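def main(args):
    """Replace the function pointers on a memory page with index values and hook them.

    The page containing ``-a ADDRESS`` is scanned with
    ``DataTypes.Discover(..., what='pointers')``.  Every function pointer not
    listed in ``-x ADDR1,ADDR2,...`` is overwritten with a distinct dword
    starting at ``INDEXER`` (the per-page comment below explains why), the
    modified objects are collected, and a ``FunctionTriggeredHook`` is
    installed under the name ``modptr_<page base>``.

    Args:
        args: command-line tokens parsed with getopt ``"a:x:"``.

    Returns:
        A status string for the command window.  Argument problems also
        call ``usage(imm)`` before returning the error string.
    """
    imm = immlib.Debugger()
    if not args:
        return usage(imm)

    exclude = []
    address = None
    try:
        opts, _ = getopt.getopt(args, "a:x:")
    except getopt.GetoptError:
        usage(imm)
        return "Wrong Argument (Check Log Window)"

    for o, a in opts:
        if o == '-a':
            try:
                address = int(a, 16)
            except ValueError:
                # Mirror the -x handling: a non-hex value is an error
                # string, not a ValueError traceback.
                return "Invalid address value %s" % str(a)
        elif o == '-x':
            for x_addr in a.split(','):
                try:
                    exclude.append(int(x_addr, 16))
                except ValueError:
                    return "Invalid exclude value %s" % str(x_addr)
        else:
            usage(imm)
            return "Invalid option %s" % o

    if address is None:
        usage(imm)
        return "You must specify an address (-a)"

    page = imm.getMemoryPageByAddress(address)
    if not page:
        return "Failed to grab Memory Page, wrong address: 0x%08x" % address
    addr = page.getBaseAddress()
    mem = imm.readMemory(addr, page.getSize())

    # Discovering Function Pointers
    dt = libdatatype.DataTypes(imm)
    ret = dt.Discover(mem, addr, what='pointers')
    if not ret:
        return "No Function pointers found on the page of 0x%08x" % address

    ndx = INDEXER
    fn_ptr = []
    for obj in ret:
        if obj.isFunctionPointer() and obj.address not in exclude:
            # Writing a dword that would make the Function Pointer crash on AV
            # and later we will identify on our AV Hook
            imm.log("Modifying: 0x%08x" % obj.address)
            imm.writeLong(obj.address, ndx)
            ndx += 1
            fn_ptr.append(obj)

    # The hook is installed even when fn_ptr is empty, as before; the
    # returned count tells the operator whether anything was modified.
    hook = FunctionTriggeredHook(fn_ptr)
    hook.add("modptr_%08x" % addr)
    return "Hooking on %d Functions" % len(fn_ptr)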
def run(self, regs):
    """Hook body: summarise the recorded heap flow and report leaks.

    Reads the records stored under ``"heap_<retaddr>"`` and the
    (alloc-hook, free-hook) pair stored under ``"end_<retaddr>"``, removes
    both hooks, and writes a "Function Sniffing" table listing every
    Alloc/Free seen, the frees with no matching allocation in this flow,
    and the allocations never freed (with their chunk dumped).  Finally
    removes this hook itself.  ``regs`` is not used here.
    """
    imm = immlib.Debugger()
    called = imm.getKnowledge("heap_%08x" % self.retaddr)
    # NOTE(review): if this knowledge entry is missing, the tuple
    # unpacking below raises rather than reporting a clear error.
    (ahook, fhook) = imm.getKnowledge("end_%08x" % self.retaddr)
    ahook.UnHook()
    fhook.UnHook()
    win = imm.createTable("Function Sniffing", ["Address", "Data"] )
    memleak = {}   # block address returned by an alloc -> (callstack, heap, flag, size, ret)
    freelist = {}  # freed address with no prior alloc in this flow -> (callstack, heap, flag, addr)
    win.Log("Dumping the Heap Flow")
    # NOTE(review): indentation reconstructed from a collapsed listing;
    # each Free record is assumed to be logged whether or not it matched.
    if called:
        for res in called:
            if res[0] == 1:
                # Allocation record; `ret` is the returned block address.
                # (`type` shadows the builtin; kept as in the original.)
                type, callstack, heap, flag, size, ret = res
                memleak[ ret ] = (callstack, heap, flag, size, ret)
                win.Log("Alloc(0x%08x, 0x%08x, 0x%08x) -> 0x%08x" % ( heap, flag, size, ret ), address = callstack )
            elif res[0] == 0:
                # Free record.  Despite its name, `size` is matched against
                # the alloc return addresses and is called `base` further
                # down, so it looks like the freed block pointer.
                type, callstack, heap, flag, size = res
                if memleak.has_key( size):
                    del memleak[ size ]
                else:
                    freelist[ size ] = (callstack, heap, flag, size)
                win.Log("Free (0x%08x, 0x%08x, 0x%08x)" % ( heap, flag, size ), address = callstack )
    win.Log("Chunk freed but not allocated on this heap flow")
    pheap = PHeap( imm )
    dt = libdatatype.DataTypes(imm)
    for a in freelist.keys():
        (callstack, heap, flag, base) = freelist[a]
        win.Log("Free (0x%08x, 0x%08x, 0x%08x)" % ( heap, flag, base ), address = callstack )
    win.Log("Memleak detected")
    for a in memleak.keys():
        (callstack, heap, flag, size, ret) = memleak[a]
        win.Log("Alloc(0x%08x, 0x%08x, 0x%08x) -> 0x%08x" % ( heap, flag, size, ret ), address = callstack )
        # `ret - 8` presumably steps back from the user block to the chunk
        # header; only the first chunk returned is dumped -- TODO confirm.
        chk = pheap.getChunks( ret - 8, 1)[0]
        chk.printchunk( uselog = win.Log, dt = dt )
    imm.log("Funsniff finished, check the newly created window")
    self.UnHook()
def run(self, regs):
    """Hook body: evaluate ``self.Expression`` against ``regs`` and dump chunks there.

    The expression is a token sequence evaluated left to right: an operator
    token (a key of ``self.Functions``) selects the binary callable applied
    to the running ``accumulator``; any other token supplies the right-hand
    operand -- an int literal, a register name, or ``[REG]`` meaning the
    dword at that register's value.  The result is used as the start address
    for ``PHeap.getChunks``; each chunk is printed, with a "- LOOKASIDE -"
    marker when it appears in the matching lookaside list.
    """
    imm = immlib.Debugger()
    accumulator = 0
    second = 0
    func = '+'
    # Calculate the Chunk Address based on the Expression
    for value in self.Expression:
        if value in self.Functions.keys():
            func = value
        else:
            if type(value) == type(0):
                second = value
            elif regs.has_key(value.upper()):
                second = regs[value.upper()]
            elif value[0] == '[' and value[-1] == ']' and regs.has_key( value[1:-1].upper()):
                second = imm.readLong(regs[value[1:-1].upper()])
            else:
                # NOTE(review): an unresolvable token only removes the hook;
                # evaluation continues with the previous `second`, so the
                # address logged below may be meaningless in that case.
                self.unHook()
            accumulator = self.Functions[func](accumulator, second)
    imm.Log("> Hit Hook 0x%08x, checking chunk: 0x%08x" % (self.address, accumulator), address=accumulator)
    imm.Log("=" * 47)
    pheap = PHeap(imm, self.heap)
    plookaddr = 0
    if self.heap:
        plookaddr = pheap.Lookaside
    hlook = None
    if plookaddr:
        hlook = PHeapLookaside(imm, plookaddr)
    dt = None
    if self.discover:
        dt = libdatatype.DataTypes(imm)
    # NOTE(review): PHeap is re-created here without self.heap, so the
    # chunk walk below does not use the heap handle given above -- confirm
    # whether that is intended.
    pheap = PHeap(imm)
    for chk in pheap.getChunks(accumulator, self.nchunks):
        # Only sizes below 0x7F are looked up in the lookaside table
        # (presumably its size range); `chk.addr + 8` looks like the user
        # pointer for the chunk header -- TODO confirm.
        if chk.size < 0x7F and hlook:
            l = hlook[chk.size]
            if not l.isEmpty():
                if chk.addr + 8 in l.getList():
                    imm.Log("- LOOKASIDE -")
        chk.printchunk(uselog=imm.Log, dt=dt)
        imm.Log("=-" * 0x23 + "=")
def main(args):
    """Parse the heap-inspection options ``-h <hex heap address>`` and ``-d``.

    NOTE(review): the listing stops right after the option loop -- `discover`
    is never used and the success path returns nothing in what is visible
    here -- so this looks like a truncated copy of a longer function.
    """
    imm = immlib.Debugger()
    heap = 0x0
    discover = None
    if not args:
        usage(imm)
        return "Wrong args (Check the Log Window)"
    try:
        opts, argo = getopt.getopt(args, "h:d")
    except getopt.GetoptError:
        usage(imm)
        return "Bad heap argument %s" % args[0]
    for o,a in opts:
        if o == "-h":
            try:
                heap = int(a, 16)
            except ValueError, msg:
                # NOTE(review): `self` is not defined in this module-level
                # function, so a non-hex -h value raises NameError here
                # instead of reporting the problem; imm.log(...) looks like
                # the intent.  (Python 2 `except X, name` syntax retained.)
                self.InfoLine("Invalid heap address: %s" % a)
                return 0
        elif o == '-d':
            # -d enables data-type discovery for the chunk display.
            discover = libdatatype.DataTypes(imm)
return "Incorrect filter size : %s" % a elif o == "-s": save = True elif o == "-r": restore = True elif o == "-f": freelist = True elif o == "-c": chunksflags = True elif o == "-k": chunkdisplay = SHOWCHUNK_FULL elif o == "-n": opennewwindow = True elif o == "-d": discover = libdatatype.DataTypes(imm) elif o == '-l': LFH = True elif o == '-u': userblock = True elif o == '-z': lfhchunk = True elif o == '-q': showf = False if heap and (heap in imm.getHeapsAddress()): tag = "heap_%08x" % heap if not opennewwindow: window = imm.getKnowledge(tag) if window and not window.isValidHandle():