コード例 #1
    def testSetValue(self):
        """Round-trip every pykd.set*() writer through its matching ptr*() reader.

        For each integer width (byte/word/dword/qword, unsigned then signed) the
        value read from ``bigValue`` is written to ``ullValuePlace`` and read back
        through the same-width reader; float and double do the same with their
        own source/destination symbols.  The signed-byte case writes the literal
        -128 (the int8 minimum) instead of a value read from memory.
        """
        src = target.module.bigValue
        dst = target.module.ullValuePlace

        # (writer, reader) pairs, exercised in the original order.
        unsigned_pairs = [
            (pykd.setByte, pykd.ptrByte),
            (pykd.setWord, pykd.ptrWord),
            (pykd.setDWord, pykd.ptrDWord),
            (pykd.setQWord, pykd.ptrQWord),
        ]
        for write, read in unsigned_pairs:
            write(dst, read(src))
            self.assertEqual(read(src), read(dst))

        # Signed byte uses a literal rather than a value copied from memory.
        pykd.setSignByte(dst, -128)
        self.assertEqual(-128, pykd.ptrSignByte(dst))

        signed_pairs = [
            (pykd.setSignWord, pykd.ptrSignWord),
            (pykd.setSignDWord, pykd.ptrSignDWord),
            (pykd.setSignQWord, pykd.ptrSignQWord),
        ]
        for write, read in signed_pairs:
            write(dst, read(src))
            self.assertEqual(read(src), read(dst))

        # Floating-point values have dedicated source/destination symbols.
        float_src = target.module.floatValue
        float_dst = target.module.floatValuePlace
        pykd.setFloat(float_dst, pykd.ptrFloat(float_src))
        self.assertEqual(pykd.ptrFloat(float_src), pykd.ptrFloat(float_dst))

        double_src = target.module.doubleValue
        double_dst = target.module.doubleValuePlace
        pykd.setDouble(double_dst, pykd.ptrDouble(double_src))
        self.assertEqual(pykd.ptrDouble(double_src), pykd.ptrDouble(double_dst))
コード例 #2
ファイル: fldbg.py プロジェクト: thezedwards/fldbg
def hookHandlerNative():
	"""Breakpoint callback for the player's setNative: log the native method being bound.

	The address of the method name (as returned by getMethodName) is pointed to
	by EAX+0x08.  Unlike the published AVM source code claims, setNative in
	NPSWF32 runs an additional check before the correct function address is
	assigned to the MethodInfo object; that logic is reimplemented here: a byte
	at [ESP+0x18]+0x38 selects whether the native function pointer is read from
	ESI+0x28 (byte > 0) or ESI+0x24.

	Side effects: prints the method name and its offset from NPS['base_addr'];
	when NPS["TraceNative"] is set and the name is listed in neither
	GBP['BP_FUNCS'] nor GBP['BP_RFUNCS'], installs a breakpoint on the native
	function that dispatches to functionHandler(methodName); then always calls
	func_breakpoints(name, nativefunc).  Returns executionStatus.NoChange so
	the debuggee resumes.

	NOTE(review): every value used here comes from debuggee registers/memory
	and is untrusted.  Only ``address`` and ``nativefunc`` are checked with
	pykd.isValid; the pointer read from ESP+0x18 is dereferenced unchecked and
	presumably raises from inside the callback if it is bad -- confirm how the
	surrounding debugger loop handles that.
	"""
	global GBP
	# MethodInfo name pointer: EAX+8 -> char* (see docstring).
	address = pykd.ptrPtr(pykd.reg("eax")+0x8)
	# Selector byte, read through an unvalidated pointer taken from the stack.
	comp_byte = pykd.ptrByte(pykd.ptrPtr(pykd.reg("esp")+0x18) + 0x38)
	if comp_byte > 0:
		nativefunc = pykd.ptrPtr(pykd.reg("esi")+0x28)
	else:
		nativefunc = pykd.ptrPtr(pykd.reg("esi")+0x24)
	if pykd.isValid(address):
		methodName = pykd.loadCStr(address)
		if pykd.isValid(nativefunc):
			# Offset is relative to the module base recorded in NPS['base_addr'].
			print "[^] NATIVE METHOD: at 0x%x \t offset: 0x%x \tName: %s" % \
			(nativefunc,nativefunc-NPS['base_addr'], 
			 methodName.decode("utf-8","replace"))
			if NPS["TraceNative"] and methodName not in GBP['BP_FUNCS'] and\
					methodName not in GBP['BP_RFUNCS']:
				if NPS["Debug"]:
					print "[Debug] Setting bp for tracing on 0x%x" % nativefunc
				# Keyed by address: a later hit on the same nativefunc overwrites this
				# entry.  NOTE(review): whether pykd removes the earlier breakpoint
				# when its object is dropped is not checked here -- verify.
				# The lambda captures this invocation's methodName, so each
				# breakpoint reports the name it was created with.
				GBP[nativefunc] = pykd.setBp(nativefunc, lambda: functionHandler(methodName))
			func_breakpoints(methodName.decode("utf-8","replace"), nativefunc)
		else:
			print "[!] No native function found. Something is likely wrong!!!"
	return pykd.executionStatus.NoChange
コード例 #3
 def testPtrRead( self ):
     """Read g_bigValue (the byte 0x80 repeated) through every width of pykd.ptr*().

     Unsigned readers must return the raw bit pattern for their width; the
     signed readers must return the same pattern interpreted as two's
     complement (so the byte reads as -128, the qword as -9187201950435737472).
     """
     where = target.module.g_bigValue
     expected = [
         (pykd.ptrByte, 0x80),
         (pykd.ptrWord, 0x8080),
         (pykd.ptrDWord, 0x80808080),
         (pykd.ptrQWord, 0x8080808080808080),
         (pykd.ptrSignByte, -128),
         (pykd.ptrSignWord, -32640),
         (pykd.ptrSignDWord, -2139062144),
         (pykd.ptrSignQWord, -9187201950435737472),
     ]
     for reader, value in expected:
         self.assertEqual( value, reader( where ) )
コード例 #4
def inspectMsgHook():
    """Enumerate hook entries in the win32k shared handle table.

    Walks ``win32k!gSharedInfo``: its first pointer-sized field is the
    server-info block (which holds the handle count), its second is the
    handle-entry array (``aheList``).  Every entry is three pointer-sized
    fields wide; entries whose type byte is 5 are treated as hook objects.
    For each one the hook's fields are read at fixed pointer-sized offsets,
    the owning thread and process are resolved through nt!_ETHREAD and
    nt!_EPROCESS, and a MsgInfo record is appended to ``msglist``.

    NOTE(review): this listing is truncated -- the outer ``try:`` has no
    handler in view and ``msglist`` is never returned here; check the full
    source before relying on the result.  ``g_mwordsize``, ``is_2000``,
    ``is_xp`` and ``MsgInfo`` are module-level names defined elsewhere;
    ``g_mwordsize`` is presumably the target's pointer size -- verify.
    """
    msglist = []
    try:
        gSharedInfo = pykd.getOffset('win32k!gSharedInfo')
        serverinfo = pykd.ptrPtr(gSharedInfo)
        aheList = pykd.ptrPtr(gSharedInfo + g_mwordsize)
        # The handle count sits one field further into the server-info block
        # on Windows 2000/XP than on later versions.
        if is_2000() or is_xp():
            count = pykd.ptrPtr(serverinfo + g_mwordsize * 2)
        else:
            count = pykd.ptrPtr(serverinfo + g_mwordsize * 1)

        for i in xrange(count):
            entry = aheList + i * 3 * g_mwordsize
            phook = pykd.ptrPtr(entry)  #head
            # NB: 'type' shadows the builtin.  The type byte is the entry's
            # third pointer-sized field; only type 5 (presumably the hook
            # handle type -- verify against the win32k handle-type table)
            # is inspected.
            type = pykd.ptrByte(entry + 2 * g_mwordsize)
            if type != 5:
                continue

            try:
                # Hook object fields, read at pointer-sized offsets from its head.
                handle = pykd.ptrPtr(phook)
                msgtype = pykd.ptrPtr(phook + 6 * g_mwordsize)
                funcoffset = pykd.ptrPtr(phook + 7 * g_mwordsize)
                flags = pykd.ptrPtr(phook + 8 * g_mwordsize)
                # The low flag bit is reported as bGlobal.
                if flags & 1:
                    bGlobal = 1
                else:
                    bGlobal = 0

                # Field 2 points at the owning thread info; its first pointer
                # is taken as the kernel thread object.
                pti = pykd.ptrPtr(phook + 2 * g_mwordsize)
                threadobjectaddr = pykd.ptrPtr(pti)
                threadobject = pykd.typedVar('nt!_ETHREAD', threadobjectaddr)
                pid = int(threadobject.Cid.UniqueProcess)
                tid = (threadobject.Cid.UniqueThread)
                # ThreadsProcess first, falling back to Tcb.Process -- presumably
                # because the field name differs between kernel versions.
                try:
                    processobject = pykd.typedVar('nt!_EPROCESS',
                                                  threadobject.ThreadsProcess)
                except Exception, err:
                    processobject = pykd.typedVar('nt!_EPROCESS',
                                                  threadobject.Tcb.Process)
                # Image path taken from the process's audit creation info.
                processpath = pykd.loadUnicodeString(
                    processobject.SeAuditProcessCreationInfo.ImageFileName.Name
                )

                msginfo = MsgInfo(handle=handle,
                                  pid=pid,
                                  tid=tid,
                                  msgtype=msgtype,
                                  funcoffset=funcoffset,
                                  bGlobal=bGlobal,
                                  processpath=processpath)
                msglist.append(msginfo)

            except Exception, err:
                # Best-effort: an unreadable entry is printed and skipped rather
                # than aborting the whole walk.
                print err
コード例 #5
    def testPointerToFunction(self):
        """typedVar on an untyped function pointer resolves to a code address.

        The pointer may equal EnumWindowsProc2's address directly, or (per the
        original comment, in debug builds) point at a ``jmp EnumWindowsProc2``
        whose first opcode byte is 0xE9; either is accepted.  Two lookups of
        the same symbol compare equal, and dereferencing an untyped pointer
        raises pykd.TypeException.
        """
        funcptr = target.module.typedVar("g_unTypedPtrToFunction")

        # Only read the first opcode byte when the pointer is not already the
        # function's own address (preserves the original short-circuit).
        if target.module.offset("EnumWindowsProc2") != funcptr:
            self.assertEqual(0xE9, pykd.ptrByte(long(funcptr)))

        funcptr_again = target.module.typedVar("g_unTypedPtrToFunction")
        self.assertEqual(funcptr, funcptr_again)

        for untyped in (funcptr, funcptr_again):
            self.assertRaises(pykd.TypeException, untyped.deref)
コード例 #6
ファイル: msghook_op.py プロジェクト: AlQalamX/pyInspector
def inspectMsgHook():
    """Enumerate hook entries in the win32k shared handle table.

    Walks ``win32k!gSharedInfo``: its first pointer-sized field is the
    server-info block (which holds the handle count), its second is the
    handle-entry array (``aheList``).  Every entry is three pointer-sized
    fields wide; entries whose type byte is 5 are treated as hook objects.
    For each one the hook's fields are read at fixed pointer-sized offsets,
    the owning thread and process are resolved through nt!_ETHREAD and
    nt!_EPROCESS, and a MsgInfo record is appended to ``msglist``.

    NOTE(review): this listing is truncated -- the outer ``try:`` has no
    handler in view and ``msglist`` is never returned here; check the full
    source before relying on the result.  ``g_mwordsize``, ``is_2000``,
    ``is_xp`` and ``MsgInfo`` are module-level names defined elsewhere;
    ``g_mwordsize`` is presumably the target's pointer size -- verify.
    """
    msglist=[]
    try:
        gSharedInfo=pykd.getOffset('win32k!gSharedInfo')
        serverinfo=pykd.ptrPtr(gSharedInfo)
        aheList=pykd.ptrPtr(gSharedInfo+g_mwordsize)
        # The handle count sits one field further into the server-info block
        # on Windows 2000/XP than on later versions.
        if is_2000() or is_xp():
            count=pykd.ptrPtr(serverinfo+g_mwordsize*2)
        else:
            count=pykd.ptrPtr(serverinfo+g_mwordsize*1)
        
        for i in xrange(count):
            entry=aheList+i*3*g_mwordsize
            phook=pykd.ptrPtr(entry) #head
            # NB: 'type' shadows the builtin.  The type byte is the entry's
            # third pointer-sized field; only type 5 (presumably the hook
            # handle type -- verify against the win32k handle-type table)
            # is inspected.
            type=pykd.ptrByte(entry+2*g_mwordsize)
            if type!=5:
                continue
            
            try:
                # Hook object fields, read at pointer-sized offsets from its head.
                handle=pykd.ptrPtr(phook)
                msgtype=pykd.ptrPtr(phook+6*g_mwordsize)
                funcoffset=pykd.ptrPtr(phook+7*g_mwordsize)
                flags=pykd.ptrPtr(phook+8*g_mwordsize)
                # The low flag bit is reported as bGlobal.
                if flags&1:
                    bGlobal=1
                else:
                    bGlobal=0
                    
                # Field 2 points at the owning thread info; its first pointer
                # is taken as the kernel thread object.
                pti=pykd.ptrPtr(phook+2*g_mwordsize)
                threadobjectaddr=pykd.ptrPtr(pti)
                threadobject=pykd.typedVar('nt!_ETHREAD', threadobjectaddr)
                pid=int(threadobject.Cid.UniqueProcess)
                tid=(threadobject.Cid.UniqueThread)
                # ThreadsProcess first, falling back to Tcb.Process -- presumably
                # because the field name differs between kernel versions.
                try:
                    processobject=pykd.typedVar('nt!_EPROCESS', threadobject.ThreadsProcess)
                except Exception, err:
                    processobject=pykd.typedVar('nt!_EPROCESS', threadobject.Tcb.Process)
                # Image path taken from the process's audit creation info.
                processpath=pykd.loadUnicodeString(processobject.SeAuditProcessCreationInfo.ImageFileName.Name)
                
                msginfo=MsgInfo(handle=handle, pid=pid, tid=tid, msgtype=msgtype, funcoffset=funcoffset, bGlobal=bGlobal, processpath=processpath)
                msglist.append(msginfo)

            except Exception, err:
                # Best-effort: an unreadable entry is printed and skipped rather
                # than aborting the whole walk.
                print err
コード例 #7
def _element_type_of_raw_frame(frame):
    """Map the type-code byte of a raw stack frame to an ElementType.

    Reads one byte at ``frame.stackOffset + 40`` and looks it up in the
    module-level ``_code_to_element_type`` table; codes missing from the
    table yield ``ElementType.xpp_unknown``.
    """
    # The frame's element-type tag lives 40 bytes past its stack offset.
    tag = ptrByte(frame.stackOffset + 40)
    if tag not in _code_to_element_type:
        return ElementType.xpp_unknown
    return _code_to_element_type[tag]
コード例 #8
def get_uint8(pos):
    """Read the unsigned byte at debuggee address *pos* (0..255) via pykd.ptrByte."""
    read_byte = pykd.ptrByte
    return read_byte(pos)
コード例 #9
def get_int8(pos):
    """Read the byte at debuggee address *pos* and return it as a signed int (-128..127)."""
    raw = pykd.ptrByte(pos)
    # Pack the unsigned byte, then reinterpret the same bit pattern as signed.
    packed = struct.pack("B", raw)
    (signed,) = struct.unpack("b", packed)
    return signed
コード例 #10
def _element_type_of_raw_frame(frame):
    """Map the type-code byte of a raw stack frame to an ElementType.

    Reads one byte at ``frame.stackOffset + 40`` and looks it up in the
    module-level ``_code_to_element_type`` table; codes missing from the
    table yield ``ElementType.xpp_unknown``.
    """
    # The frame's element-type tag lives 40 bytes past its stack offset.
    tag = ptrByte(frame.stackOffset + 40)
    if tag not in _code_to_element_type:
        return ElementType.xpp_unknown
    return _code_to_element_type[tag]