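def kernel32_GetProcAddress(jitter):
    """Emulated kernel32!GetProcAddress used while the UPX stub rebuilds imports.

    Pops the stdcall arguments ``libbase`` and ``fname``, resolves the export
    through the sandbox's library tracker and returns the resolved address to
    the guest.

    ``fname`` is treated as an ordinal when it is below 0x10000 (the
    MAKEINTRESOURCE convention), otherwise as a guest pointer to an ANSI
    string.

    EBX is handed to ``lib_get_add_func`` as ``dst_ad``; presumably this is the
    IAT slot the UPX stub is about to fill, so the resolved import can be
    recorded for rebuilding the import table. NOTE(review): this trusts the
    guest's EBX and is only meaningful for the UPX stub's calling pattern —
    confirm before reusing this hook for other packers.

    Depends on the module-level ``sb`` sandbox created below.
    """
    ret_ad, args = jitter.func_args_stdcall(["libbase", "fname"])
    dst_ad = jitter.cpu.EBX
    # Lazy %-style arguments: the message is only rendered when INFO is on.
    logging.info('EBX %s', hex(dst_ad))
    if args.fname < 0x10000:
        fname = args.fname  # import by ordinal
    else:
        fname = jitter.get_str_ansi(args.fname)  # import by name (guest memory)
    # Pass the guest-supplied name as an argument, never as the format string.
    logging.info('%s', fname)
    ad = sb.libs.lib_get_add_func(args.libbase, fname, dst_ad)
    jitter.func_ret_stdcall(ret_ad, ad)


# Parse arguments
parser = Sandbox_Win_x86_32.parser(description="Generic UPX unpacker")
parser.add_argument("filename", help="PE Filename")
parser.add_argument('-v', "--verbose", help="verbose mode", action="store_true")
parser.add_argument("--graph", help="Export the CFG graph in graph.txt", action="store_true")
options = parser.parse_args()

# Configure logging *before* building the sandbox. The first module-level
# logging.info()/logging.warning() call made while the root logger has no
# handler installs a default WARNING-level handler, after which basicConfig()
# is a no-op; so if anything logs during sandbox construction, configuring
# afterwards (as the original did) could silently pin the level at WARNING.
if options.verbose:
    logging.basicConfig(level=logging.INFO)
else:
    logging.basicConfig(level=logging.WARNING)

# Create sandbox. globals() is passed presumably so the sandbox can locate the
# kernel32_* overrides defined in this module (verify against Sandbox_Win_x86_32).
sb = Sandbox_Win_x86_32(options.filename, options, globals())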
alloc_addr = args.lpvoid jitter.vm.set_mem_access(args.lpvoid, ACCESS_DICT[args.flprotect]) else: #alloc_addr = winobjs.heap.next_addr(args.dwsize) alloc_addr = args.lpvoid #jitter.vm.add_memory_page( #alloc_addr, ACCESS_DICT[args.flprotect], "\x00" * args.dwsize, #"Alloc in %s ret 0x%X" % (whoami(), ret_ad)) if args.alloc_type == 0x2000: reservedRegion += [alloc_addr, args.dwsize] log.info('VirtualAlloc addr: 0x%x', alloc_addr) jitter.func_ret_stdcall(ret_ad, alloc_addr) # Parse arguments parser = Sandbox_Win_x86_32.parser(description="PE sandboxer") parser.add_argument("filename", help="PE Filename") parser.add_argument("shellcode", help="shellcode file") parser.add_argument("outputFile", help="output file") options = parser.parse_args() # Create sandbox sb = Sandbox_Win_x86_32(options.filename, options, globals()) # Read and map the shellcode with open(options.shellcode) as f: data = f.read() run_addr = 0x40000000 sb.jitter.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, data) # Run the shellcode
    jitter.pc = win_api_x86_32_seh.fake_seh_handler(jitter, win_api_x86_32_seh.EXCEPTION_PRIV_INSTRUCTION)
    return True


def deal_exception_illegal_instruction(jitter):
    """Jitter exception callback for an unknown/illegal mnemonic.

    Redirects the guest into its own SEH chain with
    EXCEPTION_ILLEGAL_INSTRUCTION and returns True so emulation resumes at the
    handler rather than stopping.
    """
    code = win_api_x86_32_seh.EXCEPTION_ILLEGAL_INSTRUCTION
    handler_pc = win_api_x86_32_seh.fake_seh_handler(jitter, code)
    jitter.pc = handler_pc
    return True


def return_from_seh(jitter):
    """Unwind the fake SEH frame set up by fake_seh_handler and keep running."""
    win_api_x86_32_seh.return_from_seh(jitter)
    return True


# Insert here user defined methods

# Parse arguments
parser = Sandbox_Win_x86_32.parser(description="PE sandboxer")
parser.add_argument("filename", help="PE Filename")
options = parser.parse_args()
# Segmentation and Windows structures (TEB/PEB/SEH chain) are required for the
# fake SEH dispatch above to have something to walk.
options.usesegm = True
options.use_windows_structs = True

# Create sandbox
sb = Sandbox_Win_x86_32(options.filename, options, globals())

# Install Windows SEH callbacks, in the same order as before.
# NOTE(review): bit 17 is the privileged-instruction exception flag (the
# handler name says as much); the other flags use imported constants, this
# one is spelled inline — check whether the jitter's csts module exports a
# named constant for it.
for except_flag, callback in [
    (EXCEPT_ACCESS_VIOL, deal_exception_access_violation),
    (EXCEPT_SOFT_BP, deal_exception_breakpoint),
    (EXCEPT_DIV_BY_ZERO, deal_exception_div),
    (1 << 17, deal_exception_privileged_instruction),
    (EXCEPT_UNK_MNEMO, deal_exception_illegal_instruction),
]:
    sb.jitter.add_exception_handler(except_flag, callback)