def return_call_back(self, bp):
if self.bp_end_atan == bp and self.bp_heap_alloc is None:
# this is where we enable our heap alloc bp
print("(+) enabling heap alloc bp.")
addr = self.get_address("ntdll!RtlAllocateHeap")
disas = pykd.dbgCommand("uf %x" % int(addr, 16)).split('\n')
for i in disas:
if 'ret' in i:
self.ret_addr = i.split()[0]
break
self.bp_heap_alloc = pykd.setBp(int(self.ret_addr, 16), self.return_call_back_with_eax)
elif self.bp_end_asin == bp and self.bp_heap_alloc is not None:
# this is where we disable our heap alloc bp
print("(+) disabling heap alloc bp.")
if self.get_pykd_version() == 3:
self.bp_asan.remove()
self.bp_asin.remove()
self.bp_end_asin.remove()
self.bp_end_atan.remove()
self.bp_heap_alloc.remove()
else:
pykd.removeBp(self.bp_asan)
pykd.removeBp(self.bp_asin)
pykd.removeBp(self.bp_end_asin)
pykd.removeBp(self.bp_end_atan)
pykd.removeBp(self.bp_heap_alloc)
return False
def main(init_sym, mem_limit, timeout):
run_time = time.time()
timeout = timeout + time.time()
pykd.dbgCommand("bu %x" % sym_off_to_addr(init_sym))
page_size = get_page_size()
pykd.go()
target_pid = get_pid()
pykd.removeBp(get_bp_hit())
pykd.dbgCommand("bm MSVCR*!malloc")
pykd.dbgCommand("bm MSVCR*!realloc")
pykd.dbgCommand("bm MSVCR*!calloc")
log.debug("target pid: %d", target_pid)
while time.time() < timeout:
pykd.go()
cur_mem = get_mem_usage(target_pid)
if cur_mem >= mem_limit:
log.info("missed request! current memory: %d", cur_mem)
break
req = requested_mem_size()
if req == 0:
log.info("unexpected break on: %s", get_current_stack()[0])
continue
if req > page_size:
if req % page_size:
page_req = page_size * ((req / page_size) + 1)
else:
page_req = page_size * (req / page_size)
else:
page_req = page_size
if cur_mem + page_req >= mem_limit:
log.info("request will exceed limit, current: %d, request %d",
cur_mem, req)
break
log.info("*" * 60)
if time.time() < timeout:
set_thread(get_hung_thread())
call_stack = get_current_stack()
if not call_stack:
log.info("Unable to trace!")
for line in call_stack:
log.info("STACK_FRAME:%s" % line)
else:
log.info("Timeout!")
log.info("*" * 60)
log.info("----- STATS -----")
log.info("MEMORY LIMIT: %d MB", mem_limit / 0x100000)
log.info("DGB TIME: %0.2f", time.time() - run_time)
log.info("PROC TIME: %0.2f", get_proc_run_time())
log.info("THREAD TIME: %0.2f",
get_thread_run_time(get_thread_list()[get_hung_thread()]))
def main(init_sym, mem_limit, timeout):
run_time = time.time()
timeout = timeout + time.time()
pykd.dbgCommand("bu %x" % sym_off_to_addr(init_sym))
page_size = get_page_size()
pykd.go()
target_pid = get_pid()
pykd.removeBp(get_bp_hit())
pykd.dbgCommand("bm MSVCR*!malloc")
pykd.dbgCommand("bm MSVCR*!realloc")
pykd.dbgCommand("bm MSVCR*!calloc")
log.debug("target pid: %d", target_pid)
while time.time() < timeout:
pykd.go()
cur_mem = get_mem_usage(target_pid)
if cur_mem >= mem_limit:
log.info("missed request! current memory: %d", cur_mem)
break
req = requested_mem_size()
if req == 0:
log.info("unexpected break on: %s", get_current_stack()[0])
continue
if req > page_size:
if req % page_size:
page_req = page_size * ((req/page_size)+1)
else:
page_req = page_size * (req/page_size)
else:
page_req = page_size
if cur_mem + page_req >= mem_limit:
log.info("request will exceed limit, current: %d, request %d", cur_mem, req)
break
log.info("*" * 60)
if time.time() < timeout:
set_thread(get_hung_thread())
call_stack = get_current_stack()
if not call_stack:
log.info("Unable to trace!")
for line in call_stack:
log.info("STACK_FRAME:%s" % line)
else:
log.info("Timeout!")
log.info("*" * 60)
log.info("----- STATS -----")
log.info("MEMORY LIMIT: %d MB", mem_limit/0x100000)
log.info("DGB TIME: %0.2f", time.time()-run_time)
log.info("PROC TIME: %0.2f", get_proc_run_time())
log.info("THREAD TIME: %0.2f", get_thread_run_time(get_thread_list()[get_hung_thread()]))
def unsetBp(self, addr):
cmdBl = "bl"
regBl = "\d +[e|d] +[0-9a-fA-F]+ "
cmdr = pykd.dbgCommand(cmdBl)
if type(cmdr) == types.NoneType:
self.br.dbiprintf(" - [E] Has any breaks")
return -1
#self.br.dbiprintf(cmdr)
bl = re.findall(regBl, cmdr)
for i in bl:
rel = i.split()
bNum = int(rel[0])
bAddr = int(rel[2], 16)
if bAddr == addr:
pykd.removeBp(bNum)
self.bp_end = None
def find_next_sym(next_bp, prev_bp, timeout):
iters = 100
found_sym = False
sample_time = 0
set_bp(next_bp, 0, 1)
set_bp(prev_bp, 1, iters)
while not is_complete():
pykd.go()
curr_bp = get_bp_hit()
target_time = get_proc_run_time()
log.debug("target time %0.2f", target_time)
if curr_bp == 1:
if target_time >= timeout:
break
iter_duration = target_time - sample_time
if iter_duration < 0.5: # optimization
if iters < 25600:
iters *= 2
log.debug("iter duration: %0.2f, (x2) prev_bp iters: %d",
iter_duration, iters)
elif iter_duration >= 0.5 and iter_duration < 0.85: # optimization
iters += 100
log.debug("iter duration: %0.2f, (+100) prev_bp iters: %d",
iter_duration, iters)
set_bp(prev_bp, 1, iters)
elif curr_bp == 0:
found_sym = True
break
else:
log.debug("break not triggered by breakpoint")
if pykd.dbgCommand(".lastevent").find(
"(!!! second chance !!!)") != -1:
raise RuntimeError("Expected Timeout found Access violation!")
sample_time = target_time
pykd.removeBp(1)
pykd.removeBp(0)
return found_sym
def find_next_sym(next_bp, prev_bp, timeout):
iters = 100
found_sym = False
sample_time = 0
set_bp(next_bp, 0, 1)
set_bp(prev_bp, 1, iters)
while not is_complete():
pykd.go()
curr_bp = get_bp_hit()
target_time = get_proc_run_time()
log.debug("target time %0.2f", target_time)
if curr_bp == 1:
if target_time >= timeout:
break
iter_duration = target_time - sample_time
if iter_duration < 0.5: # optimization
if iters < 25600:
iters *= 2
log.debug("iter duration: %0.2f, (x2) prev_bp iters: %d", iter_duration, iters)
elif iter_duration >= 0.5 and iter_duration < 0.85: # optimization
iters += 100
log.debug("iter duration: %0.2f, (+100) prev_bp iters: %d", iter_duration, iters)
set_bp(prev_bp, 1, iters)
elif curr_bp == 0:
found_sym = True
break
else:
log.debug("break not triggered by breakpoint")
if pykd.dbgCommand(".lastevent").find("(!!! second chance !!!)") != -1:
raise RuntimeError("Expected Timeout found Access violation!")
sample_time = target_time
pykd.removeBp(1)
pykd.removeBp(0)
return found_sym