def test_findbytes():
    """Exercise ``procmem.findbytesv`` with wildcard hex patterns.

    The first half searches one contiguous mapping based at 0x400000 whose
    interesting bytes begin at offset 0x1000 (after a page of spaces).  The
    second half maps four one-page regions, the last of which sits at a
    gap (0x410000), and checks that a hit there is reported at the region's
    virtual address rather than at its file offset.
    """
    marker = (b"\xffoo\x00bar thisis0test\n hAAAA\xc3\xc0\xc2\xc4\n\n"
              b"\x10\x2f\x1f\x1a\x1b\x1f\x1d\xbb\xcc\xdd\xff")
    mem = procmem(b" " * 0x1000 + pad.null(marker, 0x10000), base=0x400000)

    def hits(pattern, **kwargs):
        # findbytesv is a generator; materialise it so results compare.
        return list(mem.findbytesv(pattern, **kwargs))

    # A "?" nibble matches any value in that half-byte ("c?" hits c0..c4,
    # "?b" hits 1b and bb); str and bytes pattern forms behave alike.
    assert hits("c? c? c? 0A") == [0x40101B]
    assert hits(b"1f ?? ?b") == [0x401022, 0x401025]
    assert hits("?f ?? ?? 00") == [0x401000, 0x40102A]
    # The newline between "test" and " hAAAA" is significant.
    assert not hits(enhex(b"test hAAAA"))
    assert hits(enhex(b"test\n hAAAA"))

    # ``length`` appears to bound the search window measured from the start
    # of the mapping; ``addr`` moves the window's start.
    assert hits(enhex(b"is"), length=0x100b) == [0x40100a]
    assert hits(enhex(b"is"), length=0x100d) == [0x40100a, 0x40100c]
    assert hits(enhex(b"is"), addr=0x40100b, length=0x100d) == [0x40100c]

    # Four pages of "a", "b", "c", "d" backed by consecutive file offsets;
    # the "d" page is mapped at 0x410000, not 0x403000.
    pages = b"".join(bytes([c]) * 0x1000 for c in b"abcd")
    layout = [
        Region(0x400000, 0x1000, 0, 0, 0, 0x0000),
        Region(0x401000, 0x1000, 0, 0, 0, 0x1000),
        Region(0x402000, 0x1000, 0, 0, 0, 0x2000),
        Region(0x410000, 0x1000, 0, 0, 0, 0x3000),
    ]
    sparse = procmem(pages, regions=layout)
    assert next(sparse.findbytesv(enhex(b"dddd"))) == 0x410000
def test_findv():
    """Check ``procmem.findv`` across non-contiguous regions and with
    ``addr``/``length`` limits.

    Three of the four one-page regions carry "pattern" at page offset 0x200
    and again at 0x500 (as the prefix of "pattern2"); the "c" page carries
    none.  The last page is mapped at 0x410000, leaving a hole after
    0x403000 that the search has to step over.
    """
    def page(fill):
        # fill*0x200, "pattern", nulls to 0x500, "pattern2", nulls to 0x1000
        inner = pad.null(fill * 0x200 + b"pattern", 0x500)
        return pad.null(inner + b"pattern2", 0x1000)

    dump = page(b"a") + page(b"b") + b"c" * 0x1000 + page(b"d")
    layout = [
        Region(0x400000, 0x1000, 0, 0, 0, 0),
        Region(0x401000, 0x1000, 0, 0, 0, 0x1000),
        Region(0x402000, 0x1000, 0, 0, 0, 0x2000),
        Region(0x410000, 0x1000, 0, 0, 0, 0x3000),
    ]
    mem = procmem(dump, regions=layout)

    everywhere = [0x400200, 0x400500, 0x401200, 0x401500, 0x410200, 0x410500]
    assert list(mem.findv(b"pattern")) == everywhere
    # Explicit start and length: only the 0x401200 hit is reported for a
    # window starting at 0x401100 with length 0x405.
    assert list(mem.findv(b"pattern", 0x401100, 0x405)) == [0x401200]
    # A length counted from the first region stops short of the final hit.
    assert list(mem.findv(b"pattern", length=0x10300)) == everywhere[:-1]
    # Starting past the last hit on the "b" page, or inside the hole after
    # the "c" page, skips straight to the region at 0x410000.
    assert list(mem.findv(b"pattern", 0x401508)) == everywhere[-2:]
    assert list(mem.findv(b"pattern", 0x403508)) == everywhere[-2:]
ファイル: test_procmem.py プロジェクト: MilesQLi/malduck
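def test_cuckoomem_methods():
    """Smoke-test the ``cuckoomem`` reader on a hand-built one-region dump.

    The dump is one Cuckoo memory-dump record: a ``QIIII`` header (base
    address 0x401000, size 0x1000, two zero fields, PAGE_READWRITE) followed
    by a single page of data.  Reads, regex searches and disassembly are all
    addressed in virtual-address space.

    The temporary file is removed on exit whether or not the assertions pass,
    so repeated runs do not accumulate dump files in the system temp
    directory.
    """
    header = struct.pack("QIIII", 0x401000, 0x1000, 0, 0, PAGE_READWRITE)
    # "hAAAA\xc3" at page offset 0x15 is `push 0x41414141; ret`.
    page = pad.null(b"foo\x00bar thisis0test\n hAAAA\xc3", 0x1000)

    fd, filepath = tempfile.mkstemp()
    try:
        # fdopen takes ownership of ``fd`` and closes it on exit, so a
        # failing write cannot leak the descriptor.
        with os.fdopen(fd, "wb") as f:
            f.write(header + page)

        with cuckoomem.from_file(filepath) as buf:
            # The page is zero-padded to 0x1000, so its tail is all NULs.
            assert buf.readv(0x401000, 0x1000).endswith(b"\x00" * 0x100)
            # Regex hits are reported as virtual addresses of the match start.
            assert list(buf.regexv(b"thisis(.*)test", 0x401000)) == [0x401008]
            assert list(buf.regexv(b" ", 0x401000)) == [0x401007, 0x401014]
            # A length of 0x10 excludes the second space at offset 0x14.
            assert list(buf.regexv(b" ", 0x401000, 0x10)) == [0x401007]
            assert list(buf.regexv(b"test..h", 0x401000)) == [0x40100f]
            assert buf.disasmv(0x401015, 6) == [
                insn("push", 0x41414141, addr=0x401015),
                insn("ret", addr=0x40101a),
            ]
    finally:
        os.unlink(filepath)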
ファイル: test_string.py プロジェクト: MilesQLi/malduck
def test_pad():
    """Pin down the padding helpers.

    ``pad`` (and its ``pkcs7`` form) fills up to the block size with bytes
    whose value is the number of bytes added, and leaves an already-aligned
    input untouched; ``pad.null`` fills with zero bytes instead.
    """
    # Already block-aligned: returned unchanged.  Note that strict PKCS#7
    # would append a full block of 0x08 here; because this helper does not,
    # its output is not unambiguously unpaddable -- fine for building
    # fixtures, not for cryptographic use.
    assert pad(b"hello!!1", 8) == b"hello!!1"
    # Three bytes short -> three 0x03 bytes.
    assert pad(b"hello", 8) == b"hello" + b"\x03" * 3
    assert pad.pkcs7(b"hello!", 8) == b"hello!" + b"\x02" * 2
    # Zero padding for fixed-size buffers.
    assert pad.null(b"hi", 4) == b"hi" + b"\x00" * 2
    assert pad.null(b"foo_bar!", 8) == b"foo_bar!"