def __peb(self):
    """Return the loaded ``ndk.PEB`` for the process this object wraps.

    The lookup runs inside ``internalstate.processid(self)`` so that the
    host interface and ``self.memory`` refer to this process while the PEB
    address is resolved and the structure is read.

    NOTE(review): the original indentation was lost; the ``return`` is
    placed inside the ``with`` block so the read happens in-context —
    confirm against the upstream file.
    """
    with internalstate.processid(self):
        system_objects = self.host.interface.SystemObjects
        peb_address = system_objects.GetCurrentProcessPeb()
        peb = ndk.PEB(offset=peb_address, source=self.memory)
        return peb.l
# Script: locate ntdll.dll in the current process and write a single byte
# (0x90) into it at a fixed file offset, then commit the patch.
# NOTE(review): this is a live in-memory modification of a loaded system
# DLL; the offset below is tied to one specific ntdll build and must be
# re-derived for any other build, otherwise an unrelated byte is patched.
handle = getcurrentprocess()
# presumably the PEB base out of a PROCESS_BASIC_INFORMATION — verify getPBIObj
pebaddress = getPBIObj(handle).PebBaseAddress
if True:
    """
    .text:7C90E48A 0A C0 or al, al ; hooking here
    .text:7C90E48C 74 0C jz short loc_7C90E49A ;
    .text:7C90E48C ;
    .text:7C90E48E 5B pop ebx
    .text:7C90E48F 59 pop ecx
    .text:7C90E490 6A 00 push 0
    .text:7C90E492 51 push ecx
    .text:7C90E493 E8 C6 EB FF FF call _ZwContinue@8 ; ZwContinue(x,x)
    """
    import ptypes, ndk
    # PEB read from the current process (no explicit source given).
    peb = ndk.PEB(offset=pebaddress)
    peb = peb.l
    mm = memorymanager.new()
    # These 14 bytes are exactly the opcode bytes of the listing above
    # (0A C0 74 0C 5B 59 6A 00 51 E8 C6 EB FF FF). In the visible code they
    # are only printed — presumably the bytes expected at the hook site,
    # but nothing below checks them before patching; verify.
    data = '\x0a\xc0\x74\x0c\x5b\x59\x6a\x00\x51\xe8\xc6\xeb\xff\xff'
    print repr(data)
    hook = instrument.instruction(mm)
    baseaddress = int(peb.getmodulebyname('ntdll.dll')['DllBase'])
    # Hard-coded RVA. NOTE(review): 0x1010f does not match the listing's
    # address (0x7C90E48A would be RVA 0xE48A for a 0x7C900000 base), so it
    # is unclear from here which site the patch is meant to hit — confirm.
    offset = 0x1010f
    # Writes one byte (0x90, x86 NOP); no check of the pre-existing byte.
    hook[baseaddress + offset] = '\x90'
    # print hex(baseaddress)
    hook.commit()
def iterate_imports(filename):
    """Yield the name of each DLL in the import directory of PE file *filename*.

    The file is opened read-only via ``ptypes.prov.file``. Raises
    ``ValueError`` when the import directory address is zero (no imports).
    """
    z = pecoff.Executable.File(source=ptypes.prov.file(filename, mode='r')).l
    # DataDirectory[1] is the import table entry (IMAGE_DIRECTORY_ENTRY_IMPORT).
    importsDirectory = z['Next']['Header']['DataDirectory'][1]
    if importsDirectory['Address'].num() == 0:
        raise ValueError, "No imports found in {}".format(filename)
    # [:-1] drops the final descriptor — presumably the all-zero terminator; verify.
    for imp in importsDirectory['Address'].d.l[:-1]:
        yield imp['Name'].d.l.str()
    return

def iterate_loader(pid):
    """Yield each loader (Ldr) module entry of the process with id *pid*.

    Any failure to resolve the PEB is re-raised as ``OSError`` carrying the
    original exception's repr. Memory is read through
    ``ptypes.prov.WindowsProcessId``.
    """
    try:
        pebaddr = getProcessEnvironmentBlock(pid)
    except Exception, e:
        # Broad catch: every failure mode is folded into one OSError.
        raise OSError, 'Unable to open process id %x (%s)' % (pid, repr(e))
    z = ndk.PEB(source=ptypes.prov.WindowsProcessId(pid), offset=pebaddr)
    for module in z.l['Ldr'].d.l.walk():
        yield module
    return

def getProcessEnvironmentBlock(pid):
    k32 = ctypes.WinDLL('kernel32.dll')
    # 0x0400 = PROCESS_QUERY_INFORMATION; inherit handle = False.
    handle = k32.OpenProcess(0x0400, False, pid)
    if handle == 0:
        raise OSError, 'Unable to OpenProcess(0x400, 0, %x)' % pid
    # NOTE(review): the handle is not closed anywhere in the visible code — confirm
    # a CloseHandle follows, otherwise this leaks one handle per call.
    nt = ctypes.WinDLL('ntdll.dll')
    # Fields are 32-bit here, so this layout matches a 32-bit process only;
    # for a 64-bit target PebBaseAddress would be truncated — verify.
    class ProcessBasicInformation(ctypes.Structure):
        _fields_ = [('Reserved1', ctypes.c_uint32), ('PebBaseAddress', ctypes.c_uint32),