예제 #1
0
def kernel32_GetProcAddress(jitter):
    ret_ad, args = jitter.func_args_stdcall(["libbase", "fname"])

    dst_ad = jitter.cpu.EBX
    logging.info('EBX ' + hex(dst_ad))

    fname = (args.fname if args.fname < 0x10000
             else jitter.get_str_ansi(args.fname))
    logging.info(fname)

    ad = sb.libs.lib_get_add_func(args.libbase, fname, dst_ad)
    jitter.func_ret_stdcall(ret_ad, ad)



parser = Sandbox_Win_x86_32.parser(description="Generic UPX unpacker")
parser.add_argument("filename", help="PE Filename")
parser.add_argument('-v', "--verbose",
                    help="verbose mode", action="store_true")
parser.add_argument("--graph",
                    help="Export the CFG graph in graph.txt",
                    action="store_true")
options = parser.parse_args()
sb = Sandbox_Win_x86_32(options.filename, options, globals())


if options.verbose is True:
    logging.basicConfig(level=logging.INFO)
else:
    logging.basicConfig(level=logging.WARNING)
예제 #2
0
            alloc_addr = args.lpvoid
            jitter.vm.set_mem_access(args.lpvoid, ACCESS_DICT[args.flprotect])
        else:
            #alloc_addr = winobjs.heap.next_addr(args.dwsize)
            alloc_addr = args.lpvoid
            #jitter.vm.add_memory_page(
            #alloc_addr, ACCESS_DICT[args.flprotect], "\x00" * args.dwsize,
            #"Alloc in %s ret 0x%X" % (whoami(), ret_ad))
    if args.alloc_type == 0x2000:
        reservedRegion += [alloc_addr, args.dwsize]
    log.info('VirtualAlloc addr: 0x%x', alloc_addr)
    jitter.func_ret_stdcall(ret_ad, alloc_addr)


# Parse arguments
parser = Sandbox_Win_x86_32.parser(description="PE sandboxer")
parser.add_argument("filename", help="PE Filename")
parser.add_argument("shellcode", help="shellcode file")
parser.add_argument("outputFile", help="output file")
options = parser.parse_args()

# Create sandbox
sb = Sandbox_Win_x86_32(options.filename, options, globals())

# Read and map the shellcode
with open(options.shellcode) as f:
    data = f.read()
run_addr = 0x40000000
sb.jitter.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, data)

# Run the shellcode
예제 #3
0
    jitter.pc = win_api_x86_32_seh.fake_seh_handler(jitter, win_api_x86_32_seh.EXCEPTION_PRIV_INSTRUCTION)
    return True

def deal_exception_illegal_instruction(jitter):
    jitter.pc = win_api_x86_32_seh.fake_seh_handler(jitter, win_api_x86_32_seh.EXCEPTION_ILLEGAL_INSTRUCTION)
    return True


def return_from_seh(jitter):
    win_api_x86_32_seh.return_from_seh(jitter)
    return True

# Insert here user defined methods

# Parse arguments
parser = Sandbox_Win_x86_32.parser(description="PE sandboxer")
parser.add_argument("filename", help="PE Filename")
options = parser.parse_args()
options.usesegm = True
options.use_windows_structs = True

# Create sandbox
sb = Sandbox_Win_x86_32(options.filename, options, globals())

# Install Windows SEH callbacks
sb.jitter.add_exception_handler(EXCEPT_ACCESS_VIOL, deal_exception_access_violation)
sb.jitter.add_exception_handler(EXCEPT_SOFT_BP, deal_exception_breakpoint)
sb.jitter.add_exception_handler(EXCEPT_DIV_BY_ZERO, deal_exception_div)
sb.jitter.add_exception_handler(1<<17, deal_exception_privileged_instruction)
sb.jitter.add_exception_handler(EXCEPT_UNK_MNEMO, deal_exception_illegal_instruction)