def testSetValue(self):
    """Round-trip every scalar setter through its matching pointer reader.

    For each width the value at a source symbol is copied into a scratch
    location in the target module and read back; the read-back value must
    equal a fresh read of the source.  The signed byte case writes the
    most negative literal instead of a copied value.
    """
    module = target.module

    def roundTrip(setter, reader, sourceAddr, destAddr):
        setter(destAddr, reader(sourceAddr))
        self.assertEqual(reader(sourceAddr), reader(destAddr))

    # Unsigned integer widths: bigValue -> ullValuePlace.
    for setter, reader in ((pykd.setByte, pykd.ptrByte),
                           (pykd.setWord, pykd.ptrWord),
                           (pykd.setDWord, pykd.ptrDWord),
                           (pykd.setQWord, pykd.ptrQWord)):
        roundTrip(setter, reader, module.bigValue, module.ullValuePlace)

    # Signed byte uses a literal rather than a copied value.
    pykd.setSignByte(module.ullValuePlace, -128)
    self.assertEqual(-128, pykd.ptrSignByte(module.ullValuePlace))

    # Remaining signed widths: bigValue -> ullValuePlace.
    for setter, reader in ((pykd.setSignWord, pykd.ptrSignWord),
                           (pykd.setSignDWord, pykd.ptrSignDWord),
                           (pykd.setSignQWord, pykd.ptrSignQWord)):
        roundTrip(setter, reader, module.bigValue, module.ullValuePlace)

    # Floating point types have their own source/destination symbols.
    roundTrip(pykd.setFloat, pykd.ptrFloat, module.floatValue, module.floatValuePlace)
    roundTrip(pykd.setDouble, pykd.ptrDouble, module.doubleValue, module.doubleValuePlace)
def hookHandlerNative():
    """Breakpoint handler that records the native function backing a method.

    Address of the func name as returned by getMethodName is pointed by EAX+0x08.
    However, unlike the published AVM source code claims, setNative function in the
    NPSWF32 has an additional check before the correct function address is assigned
    to the MethodInfo object.  That logic is reimplemented here.

    Side effects: prints the resolved method, may install a tracing breakpoint in
    the module-level GBP table (when NPS["TraceNative"] is set and the method is not
    already listed in GBP['BP_FUNCS'] / GBP['BP_RFUNCS']) and calls func_breakpoints.
    Always returns pykd.executionStatus.NoChange so the debuggee continues.
    """
    global GBP
    # NOTE(review): the register and stack offsets below (EAX+0x8, [ESP+0x18]+0x38,
    # ESI+0x24/0x28) are presumably specific to one NPSWF32 build — confirm before reuse.
    address = pykd.ptrPtr(pykd.reg("eax")+0x8)
    comp_byte = pykd.ptrByte(pykd.ptrPtr(pykd.reg("esp")+0x18) + 0x38)
    # The extra check mentioned in the docstring: the byte selects which slot
    # of the object at ESI holds the native function pointer.
    if comp_byte > 0:
        nativefunc = pykd.ptrPtr(pykd.reg("esi")+0x28)
    else:
        nativefunc = pykd.ptrPtr(pykd.reg("esi")+0x24)
    if pykd.isValid(address):
        # methodName is a raw (byte) string; it is decoded with replacement for display only.
        methodName = pykd.loadCStr(address)
        if pykd.isValid(nativefunc):
            print "[^] NATIVE METHOD: at 0x%x \t offset: 0x%x \tName: %s" % \
                (nativefunc,nativefunc-NPS['base_addr'], methodName.decode("utf-8","replace"))
            if NPS["TraceNative"] and methodName not in GBP['BP_FUNCS'] and\
               methodName not in GBP['BP_RFUNCS']:
                if NPS["Debug"]:
                    print "[Debug] Setting bp for tracing on 0x%x" % nativefunc
                # methodName is a per-call local, so each lambda captures its own name.
                GBP[nativefunc] = pykd.setBp(nativefunc, lambda: functionHandler(methodName))
            # presumably invoked for every resolved native method, not only traced ones — confirm
            func_breakpoints(methodName.decode("utf-8","replace"), nativefunc)
        else:
            print "[!] No native function found. Something is likely wrong!!!"
    return pykd.executionStatus.NoChange
def testPtrRead( self ):
    """Read g_bigValue at every integer width, both unsigned and signed.

    The expected values show the symbol holds a run of 0x80 bytes, so the
    signed readers must all yield the corresponding negative numbers.
    """
    addr = target.module.g_bigValue
    expectations = (
        ( 0x80, pykd.ptrByte ),
        ( 0x8080, pykd.ptrWord ),
        ( 0x80808080, pykd.ptrDWord ),
        ( 0x8080808080808080, pykd.ptrQWord ),
        ( -128, pykd.ptrSignByte ),
        ( -32640, pykd.ptrSignWord ),
        ( -2139062144, pykd.ptrSignDWord ),
        ( -9187201950435737472, pykd.ptrSignQWord ),
    )
    for expected, reader in expectations:
        self.assertEqual( expected, reader( addr ) )
def inspectMsgHook():
    """Enumerate hook objects from the win32k shared handle table into ``msglist``.

    Walks the handle entries referenced by win32k!gSharedInfo, keeps those whose
    type byte is 5 (taken here to be the HOOK type), resolves the owning thread
    and process through nt!_ETHREAD / nt!_EPROCESS, and appends one MsgInfo per hook.

    NOTE(review): in this excerpt the outer ``try:`` has no matching except/finally
    and ``msglist`` is never returned — the rest of the function is not visible here.
    """
    msglist = []
    try:
        gSharedInfo = pykd.getOffset('win32k!gSharedInfo')
        # First pointer-sized field of gSharedInfo is the server info, the second the handle table.
        serverinfo = pykd.ptrPtr(gSharedInfo)
        aheList = pykd.ptrPtr(gSharedInfo + g_mwordsize)
        # The handle-count field is one word further on Windows 2000 / XP.
        if is_2000() or is_xp():
            count = pykd.ptrPtr(serverinfo + g_mwordsize * 2)
        else:
            count = pykd.ptrPtr(serverinfo + g_mwordsize * 1)
        for i in xrange(count):
            # Each handle entry spans three pointer-sized words; word 0 is the object head.
            entry = aheList + i * 3 * g_mwordsize
            phook = pykd.ptrPtr(entry) #head
            # Type byte at +2 words; only hook entries are inspected.
            # NOTE: `type` shadows the builtin of the same name.
            type = pykd.ptrByte(entry + 2 * g_mwordsize)
            if type != 5:
                continue
            try:
                handle = pykd.ptrPtr(phook)
                msgtype = pykd.ptrPtr(phook + 6 * g_mwordsize)
                funcoffset = pykd.ptrPtr(phook + 7 * g_mwordsize)
                flags = pykd.ptrPtr(phook + 8 * g_mwordsize)
                # Bit 0 of the flags word is recorded as the "global hook" marker.
                if flags & 1:
                    bGlobal = 1
                else:
                    bGlobal = 0
                # Word 2 points at the owning thread info, whose first word is the ETHREAD.
                pti = pykd.ptrPtr(phook + 2 * g_mwordsize)
                threadobjectaddr = pykd.ptrPtr(pti)
                threadobject = pykd.typedVar('nt!_ETHREAD', threadobjectaddr)
                pid = int(threadobject.Cid.UniqueProcess)
                tid = (threadobject.Cid.UniqueThread)
                # Fall back to Tcb.Process, presumably for kernels lacking ThreadsProcess — confirm.
                try:
                    processobject = pykd.typedVar('nt!_EPROCESS', threadobject.ThreadsProcess)
                except Exception, err:
                    processobject = pykd.typedVar('nt!_EPROCESS', threadobject.Tcb.Process)
                processpath = pykd.loadUnicodeString( processobject.SeAuditProcessCreationInfo.ImageFileName.Name )
                msginfo = MsgInfo(handle=handle, pid=pid, tid=tid, msgtype=msgtype, funcoffset=funcoffset, bGlobal=bGlobal, processpath=processpath)
                msglist.append(msginfo)
            except Exception, err:
                # Broad catch: an unreadable entry is printed and skipped so the walk continues.
                print err
def testPointerToFunction(self):
    """An untyped pointer-to-function resolves to the function and cannot be dereferenced.

    In debug builds the pointer may target a `jmp EnumWindowsProc2` stub
    (opcode 0xE9) rather than the function body, so either form is accepted.
    """
    funcPtr = target.module.typedVar("g_unTypedPtrToFunction")
    # Short-circuit keeps the memory read out of the direct-match case.
    self.assertTrue(target.module.offset("EnumWindowsProc2") == funcPtr
                    or 0xE9 == pykd.ptrByte(long(funcPtr)))
    samePtr = target.module.typedVar("g_unTypedPtrToFunction")
    self.assertEqual(funcPtr, samePtr)
    # Dereferencing an untyped pointer is a type error for both instances.
    for ptr in (funcPtr, samePtr):
        self.assertRaises(pykd.TypeException, ptr.deref)
def inspectMsgHook():
    """Enumerate hook objects from the win32k shared handle table into ``msglist``.

    Walks the handle entries referenced by win32k!gSharedInfo, keeps those whose
    type byte is 5 (taken here to be the HOOK type), resolves the owning thread
    and process through nt!_ETHREAD / nt!_EPROCESS, and appends one MsgInfo per hook.

    NOTE(review): in this excerpt the outer ``try:`` has no matching except/finally
    and ``msglist`` is never returned — the rest of the function is not visible here.
    """
    msglist=[]
    try:
        gSharedInfo=pykd.getOffset('win32k!gSharedInfo')
        # First pointer-sized field of gSharedInfo is the server info, the second the handle table.
        serverinfo=pykd.ptrPtr(gSharedInfo)
        aheList=pykd.ptrPtr(gSharedInfo+g_mwordsize)
        # The handle-count field is one word further on Windows 2000 / XP.
        if is_2000() or is_xp():
            count=pykd.ptrPtr(serverinfo+g_mwordsize*2)
        else:
            count=pykd.ptrPtr(serverinfo+g_mwordsize*1)
        for i in xrange(count):
            # Each handle entry spans three pointer-sized words; word 0 is the object head.
            entry=aheList+i*3*g_mwordsize
            phook=pykd.ptrPtr(entry) #head
            # Type byte at +2 words; only hook entries are inspected.
            # NOTE: `type` shadows the builtin of the same name.
            type=pykd.ptrByte(entry+2*g_mwordsize)
            if type!=5:
                continue
            try:
                handle=pykd.ptrPtr(phook)
                msgtype=pykd.ptrPtr(phook+6*g_mwordsize)
                funcoffset=pykd.ptrPtr(phook+7*g_mwordsize)
                flags=pykd.ptrPtr(phook+8*g_mwordsize)
                # Bit 0 of the flags word is recorded as the "global hook" marker.
                if flags&1:
                    bGlobal=1
                else:
                    bGlobal=0
                # Word 2 points at the owning thread info, whose first word is the ETHREAD.
                pti=pykd.ptrPtr(phook+2*g_mwordsize)
                threadobjectaddr=pykd.ptrPtr(pti)
                threadobject=pykd.typedVar('nt!_ETHREAD', threadobjectaddr)
                pid=int(threadobject.Cid.UniqueProcess)
                tid=(threadobject.Cid.UniqueThread)
                # Fall back to Tcb.Process, presumably for kernels lacking ThreadsProcess — confirm.
                try:
                    processobject=pykd.typedVar('nt!_EPROCESS', threadobject.ThreadsProcess)
                except Exception, err:
                    processobject=pykd.typedVar('nt!_EPROCESS', threadobject.Tcb.Process)
                processpath=pykd.loadUnicodeString(processobject.SeAuditProcessCreationInfo.ImageFileName.Name)
                msginfo=MsgInfo(handle=handle, pid=pid, tid=tid, msgtype=msgtype, funcoffset=funcoffset, bGlobal=bGlobal, processpath=processpath)
                msglist.append(msginfo)
            except Exception, err:
                # Broad catch: an unreadable entry is printed and skipped so the walk continues.
                print err
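def _element_type_of_raw_frame(frame):
    """Return the ElementType encoded in a raw frame, or ``ElementType.xpp_unknown``.

    The element-type code is the single byte read at ``frame.stackOffset + 40``
    and looked up in ``_code_to_element_type``; codes with no mapping fall back
    to ``xpp_unknown`` so a corrupt or unfamiliar frame never raises KeyError.
    """
    # NOTE(review): +40 is assumed to be the element-type byte of the frame layout — confirm.
    code = ptrByte(frame.stackOffset + 40)
    # dict.get with a default replaces the membership test + second lookup.
    return _code_to_element_type.get(code, ElementType.xpp_unknown)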
def get_uint8(pos):
    """Read one byte from the debuggee at address *pos* as an unsigned value."""
    raw = pykd.ptrByte(pos)
    return raw
def get_int8(pos):
    """Read one byte at address *pos* and return it as a signed 8-bit value.

    The unsigned byte from ``pykd.ptrByte`` is reinterpreted in two's complement
    via a pack("B") / unpack("b") round trip, so 0x80..0xFF become -128..-1.
    """
    unsigned = pykd.ptrByte(pos)
    packed = struct.pack("B", unsigned)
    (signed,) = struct.unpack("b", packed)
    return signed