def test_namespaces(self):
bldr = vs_builder.VStructBuilder()
subb = vs_builder.VStructBuilder()
bldr.addVStructNamespace('subname', subb)
bldr.addVStructNamespace('dupname', subb)
self.assertTrue(bldr.hasVStructNamespace('subname'))
self.assertEqual(set(bldr.getVStructNamespaces()),
set([('subname', subb), ('dupname', subb)]))
self.assertEqual(set(bldr.getVStructNamespaceNames()),
set(['subname', 'dupname']))
nested = vs_cparse.ctorFromCSource(csrc_nested)
bldr.addVStructCtor('foo', nested)
self.assertEqual(bldr.getVStructCtorNames(), ['foo'])
def __init__(self):
"""
The routine to initialize a tracer's initial internal state. This
is used by the initial creation routines, AND on attaches/executes
to re-fresh the state of the tracer.
WARNING: This will erase all metadata/symbols (modes/notifiers are kept)
"""
vtrace.Notifier.__init__(self)
self.pid = 0 # Attached pid (also used to know if attached)
self.exited = False
self.breakpoints = {}
self.newbreaks = []
self.bpbyid = {}
self.bpid = 0
self.curbp = None
self.bplock = Lock()
self.deferred = []
self.running = False
self.runagain = False
self.attached = False
# A cache for memory maps and fd listings
self.mapcache = None
self.thread = None # our proxy thread...
self.threadcache = None
self.fds = None
self.signal_ignores = []
self.localvars = {}
# Set if we are RunForever until a thread exit...
self._join_thread = None
self._break_after_bp = True # Do we stop on the instruction *after* the bp?
self._bp_saved = {} # Store the saved bytes from breakpoint mem writes
self.symcache = None # Set by setSymCachePath()
self.vsbuilder = vs_builder.VStructBuilder()
self.psize = self.getPointerSize() # From the envi arch mod...
# Track which libraries are parsed, and their
# normame to full path mappings
self.libloaded = {} # True if the library has been loaded already
self.libpaths = {} # normname->filename and filename->normname lookup
# Set up some globally expected metadata
self.setMeta('PendingSignal', None)
self.setMeta('SignalInfo', None)
self.setMeta("IgnoredSignals", [])
self.setMeta("LibraryBases", {}) # name -> base address mappings for binaries
self.setMeta("LibraryPaths", {}) # base -> path mappings for binaries
self.setMeta("ThreadId", 0) # If you *can* have a thread id put it here
plat = platform.system().lower()
rel = platform.release().lower()
self.setMeta("Platform", plat)
self.setMeta("Release", rel)
# Use this if we are *expecting* a break
# which is caused by us (so we remove the
# SIGBREAK from pending_signal
self.setMeta("ShouldBreak", False)
def main(argv):
opts = setup().parse_args(argv)
with open(opts.file, 'rb') as f:
p = PE.PE(f)
baseaddr = p.IMAGE_NT_HEADERS.OptionalHeader.ImageBase
osmajor = p.IMAGE_NT_HEADERS.OptionalHeader.MajorOperatingSystemVersion
osminor = p.IMAGE_NT_HEADERS.OptionalHeader.MinorOperatingSystemVersion
machine = p.IMAGE_NT_HEADERS.FileHeader.Machine
vsver = p.getVS_VERSIONINFO()
archname = PE.machine_names.get(machine)
parser = vt_win32.Win32SymbolParser(0xffffffff, opts.file, baseaddr)
parser.parse()
t = parser._sym_types.values()
e = parser._sym_enums.values()
builder = vs_builder.VStructBuilder(defs=t, enums=e)
print('# Version: %d.%d' % (osmajor, osminor))
print('# Architecture: %s' % archname)
if vsver is not None:
keys = vsver.getVersionKeys()
keys.sort()
for k in keys:
val = vsver.getVersionValue(k)
print('# %s: %s' % (k, val))
print(builder.genVStructPyCode())
def initWinkernTrace(trace, kpcrva):
# FIXME snap in structs depending on version
import vstruct.defs.windows.win_5_1_i386.ntoskrnl as vs_w_ntoskrnl
trace.vsbuilder.addVStructNamespace('nt',
vs_w_ntoskrnl) # FIXME no remote!
b = vs_builder.VStructBuilder()
b.addVStructCtor('KDDEBUGGER_DATA64', KDDEBUGGER_DATA64)
trace.vsbuilder.addVStructNamespace('winkern', b)
# Create a "struct" namespace "winkern" for our custom defined structures.
trace.casesens = False
kpcr = trace.getStruct('nt.KPCR', kpcrva)
kver = trace.getStruct('nt.DBGKD_GET_VERSION64', kpcr.KdVersionBlock)
dbgdata64va = trace.readMemoryFormat(kver.DebuggerDataList & trace.bigmask,
'<I')[0]
dbgdata64 = KDDEBUGGER_DATA64()
dbgdata64.vsParse(trace.readMemory(dbgdata64va, len(dbgdata64)))
#print dbgdata64.tree(va=dbgdata64va)
winver = win_builds.get(kver.MinorVersion)
if winver == None:
winver = 'Untested Windows Build! (%d)' % kver.MinorVersion
print('vtrace (vmware32): Windows Version: %s' % winver)
kernbase = kver.KernBase & trace.bigmask
modlist = kver.PsLoadedModuleList & trace.bigmask
# FIXME hard coded page sizes!
trace.setMeta('PAGE_SIZE', 1024)
trace.setMeta('PAGE_SHIFT', 12)
trace.setVariable('kpcr', kpcrva)
trace.setVariable('kddebuggerdata64', dbgdata64va)
trace.setVariable('KernelBase', kernbase)
trace.setVariable('PsLoadedModuleList', modlist)
trace.fireNotifiers(vtrace.NOTIFY_ATTACH)
trace.addLibraryBase('nt', kernbase, always=True)
ldr_entry = trace.readMemoryFormat(modlist, '<P')[0]
while ldr_entry != modlist:
ldte = trace.getStruct('nt.LDR_DATA_TABLE_ENTRY', ldr_entry)
try:
dllname = trace.readMemory(
ldte.FullDllName.Buffer,
ldte.FullDllName.Length).decode('utf-16le')
dllbase = ldte.DllBase & trace.bigmask
trace.addLibraryBase(dllname, dllbase, always=True)
except Exception, e:
print('Trouble while parsing one...')
ldr_entry = ldte.InLoadOrderLinks.Flink & trace.bigmask
def test_init(self):
simple = vs_cparse.ctorFromCSource(csrc_simple)
nested = vs_cparse.ctorFromCSource(csrc_nested)
bldr = vs_builder.VStructBuilder()
bldr.addVStructCtor('pe.simple', simple)
bldr.addVStructCtor('elf.nested', nested)
self.assertEqual(set(['pe.simple', 'elf.nested']),
set(bldr.getVStructNames()))
bldr.delVStructCtor('elf.nested')
self.assertEqual(['pe.simple'], bldr.getVStructNames())
def __init__(self):
viv_impapi.ImportApi.__init__(self)
self.loclist = []
self.locmap = e_page.MapLookup()
self.blockmap = e_page.MapLookup()
self._mods_loaded = False
# Storage for function local symbols
self.localsyms = ddict()
self._call_graph = viv_codegraph.CallGraph()
# Just in case of the GUI... :)
self._call_graph.setMeta('bgcolor', '#000')
self._call_graph.setMeta('nodecolor', '#00ff00')
self._call_graph.setMeta('edgecolor', '#00802b')
self._event_list = []
self._event_saved = 0 # The index of the last "save" event...
# Give ourself a structure namespace!
self.vsbuilder = vs_builder.VStructBuilder()
self.vsconsts = vs_const.VSConstResolver()
