def StateShot():
idc.RefreshDebuggerMemory()
project = load_project()
mem = SimSymbolicIdaMemory(memory_backer=project.loader.memory,
permissions_backer=None,
memory_id="mem")
state = project.factory.blank_state(plugins={"memory": mem})
for reg in sorted(project.arch.registers,
key=lambda x: project.arch.registers.get(x)[1]):
if reg in ("sp", "bp", "ip"):
continue
try:
setattr(state.regs, reg, idc.GetRegValue(reg))
except:
pass
## inject code to get brk if we are on linux x86/x86_64
if project.simos.name == "Linux":
if project.arch.name in ("AMD64", "X86"):
state.posix.set_brk(get_linux_brk())
return state
def activate(self, ctx):
if regFu.isHighlightedEffective():
addr = regFu.getOffset()
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.getMemoryValue(0x%x)");' % addr)
print('effective addr 0x%x value %s' % (addr, simicsString))
value = getHex(simicsString)
else:
highlighted = idaapi.get_highlighted_identifier()
addr = getHex(highlighted)
if addr is None:
print('ModMemoryHandler unable to parse hex from %s' % highlighted)
return
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.getMemoryValue(0x%x)");' % addr)
print('addr 0x%x value %s' % (addr, simicsString))
value = getHex(simicsString)
# Sample form from kernwin.hpp
s = """Modify memory
Address: %$
<~E~nter value:S:32:16::>
"""
num = Form.NumericArgument('N', value=value)
ok = idaapi.AskUsingForm(s,
Form.NumericArgument('$', addr).arg,
num.arg)
if ok == 1:
print("You entered: %x" % num.value)
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.writeWord(0x%x, 0x%x)");' % (addr, num.value))
time.sleep(1)
idc.RefreshDebuggerMemory()
def decrypt_n_comment(func, func_name):
"""
Decrypt and comment Shamoon2's strings
"""
data = {}
for xref in XrefsTo(LocByName(func_name)):
# init
string_ea = search_inst(xref.frm, "push")
string_op = GetOperandValue(string_ea, 0)
key_ea = PrevHead(string_ea)
key_op = GetOperandValue(key_ea, 0)
# Call shamoon2's func
res = func(string_op, key_op)
# Refresh the memory for GetString function
idc.RefreshDebuggerMemory()
try:
# Add comments
MakeComm(
string_ea, "key[0x{:X}] : '{:s}'".format(
key_op, GetString(res, -1, ASCSTR_UNICODE)))
except:
continue
def signalClient(self, norev=False):
start_eip = idc.GetRegValue(self.PC)
#print('signalClient eip was at 0x%x, then after rev 1 0x%x call setAndDisable string is %s' % (start_eip, eip, simicsString))
if norev:
idaapi.step_into()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.printRegJson()");')
try:
regs = json.loads(simicsString)
except:
print('failed to get regs from %s' % simicsString)
return
for reg in regs:
r = str(reg.upper())
if r == 'EFLAGS':
r = 'EFL'
#print('set %s to 0x%x' % (r, regs[reg]))
idc.SetRegValue(regs[reg], r)
idc.RefreshDebuggerMemory()
new_eip = idc.GetRegValue(self.PC)
#print('signalClient back from cont new_eip is 0x%x' % new_eip)
if new_eip >= self.kernel_base:
print('in kernel, run to user')
self.updateStackTrace()
def allocate_rwx(size):
# this is the explicit way to create an Appcall callable
# see also: `Appcall.proto`
VirtualAlloc = ida_idd.Appcall.typedobj("int __stdcall VirtualAlloc( int lpAddress, DWORD dwSize, DWORD flAllocationType, DWORD flProtect);")
VirtualAlloc.ea = ida_name.get_name_ea(0, "kernel32_VirtualAlloc")
ptr = VirtualAlloc(c.NULL, int(size), c.MEM_COMMIT, c.PAGE_EXECUTE_READWRITE)
if ptr == 0:
print("VirtualAlloc failed: 0x%x" % GetLastError())
raise ValueError("VirtualAlloc failed: 0x%x" % GetLastError())
idc.RefreshDebuggerMemory()
return ptr
def dbg_trace(self, tid, ea):
if ea >> 12 == 0x18f:
self.ctx = 3
if self.ctx == 0:
return 1
self.ctx -= 1
idc.RefreshDebuggerMemory()
idc.MakeUnknown(ea, 20, 0)
idc.MakeCode(ea)
mnem = idc.GetDisasm(ea)
print(hex(ea), mnem)
regs = 'eax ebx ecx edx esi edi eip'.split(' ')
regs = {x: idc.GetRegValue(x) for x in regs}
self.ins.append(Attributize(None, mnem=mnem, **regs))
return 1
def activate(self, ctx):
if regFu.isHighlightedEffective():
addr = regFu.getOffset()
simicsString = gdbProt.Evalx(
'SendGDBMonitor("@cgc.getMemoryValue(0x%x)");' % addr)
print('effective addr 0x%x value %s' % (addr, simicsString))
value = simicsString
else:
highlighted = idaapi.get_highlighted_identifier()
addr = getHex(highlighted)
if addr is None:
print('ModMemoryHandler unable to parse hex from %s' %
highlighted)
return
simicsString = gdbProt.Evalx(
'SendGDBMonitor("@cgc.getMemoryValue(0x%x)");' % addr)
print('addr 0x%x value %s' % (addr, simicsString))
value = simicsString
# Sample form from kernwin.hpp
s = """Modify memory
Address: %$
<~E~nter value:t40:80:50::>
"""
ti = idaapi.textctrl_info_t(value)
ok = idaapi.AskUsingForm(
s,
Form.NumericArgument('$', addr).arg,
idaapi.pointer(idaapi.c_void_p.from_address(ti.clink_ptr)))
'''
string = Form.StringArgument(value)
ok = idaapi.AskUsingForm(s,
Form.NumericArgument('$', addr).arg,
string.arg)
'''
if ok == 1:
arg = "'%s'" % ti.text.strip()
print("You entered: %s <%s>" % (ti.text, arg))
cmd = "@cgc.writeString(0x%x, %s)" % (addr, arg)
print cmd
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % (cmd))
time.sleep(1)
idc.RefreshDebuggerMemory()
def StateShot():
global project
idc.RefreshDebuggerMemory()
mem = SimSymbolicIdaMemory(memory_backer=project.loader.memory,
permissions_backer=None,
memory_id="mem")
state = project.factory.blank_state(plugins={"memory": mem})
for reg in sorted(project.arch.registers,
key=lambda x: project.arch.registers.get(x)[1]):
if reg in ("sp", "bp", "ip"):
continue
try:
setattr(state.regs, reg, idc.GetRegValue(reg))
#print reg, hex(idc.GetRegValue(reg))
except:
#print "fail to set register", reg
pass
return state
idc.AddBpt(func_end)
idc.AddBpt(func_start)
go(func_end)
n = 0x25
buf_addr = idc.DbgDword(idautils.cpu.ebp + 0xc)
data_addr = idc.DbgDword(idautils.cpu.ebp + 0x8)
len_addr = idautils.cpu.ebp + 0x10
assert idc.DbgWrite(len_addr, struct.pack('<I', n))
print 'steaaart', hex(buf_addr)
res = ''
for i in range(n):
for c in range(256):
assert idc.DbgWrite(buf_addr + i, chr(c)) == 1
idc.RefreshDebuggerMemory()
idautils.cpu.eip = func_start
go(func_end)
if idautils.cpu.edi != data_addr + n - i:
print 'FOUND ONE', c
print 'have ', hex(idautils.cpu.edi), hex(data_addr + n - i)
res += chr(c)
break
else:
assert 0
print 'on %d: %s' % (i, res)
def refresh_debugger_memory():
if idaapi.IDA_SDK_VERSION <= 699:
return idc.RefreshDebuggerMemory()
else:
return ida_dbg.refresh_debugger_memory()
def checkLinuxLibs(name,ea,bCheckFileIO,bCheckNetworkIO):
"""
This function monitors loaded libaries for Linux
If any of these libaries and functions are loaded
a conditional breakpoint is set
LIBC - _IO_file_fopen _IO_fread _IO_fclose
@param name: The name of the loaded library
@param ea: The address of the loaded library
@param bCheckFileIO: Checks to see if FileIO filtering was turned on
@param bCheckNetworkIO: Checks to see if NetworkIO filtering was turned on
@return: None
"""
import idc
import logging
Print ("Found Libc at 0x%x" % ea)
logger = logging.getLogger('IDATrace')
logger.info( "Found Libc at 0x%x" % ea )
idc.RefreshDebuggerMemory()
library_name = name.upper()
Print( "Checking Linux for library " + library_name )
if "LIBC" in library_name:
if bCheckFileIO:
fopen_func = idc.LocByName("_IO_file_fopen");
if fopen_func == idc.BADADDR:
logger.info( "Cannot find _IO_file_fopen" )
# "Cannot find _IO_file_fopen."
else:
logger.info( "We found _IO_file_fopen at 0x%x." % fopen_func )
Print( "We found _IO_file_fopen at 0x%x." % fopen_func )
idc.AddBpt(fopen_func)
idc.SetBptAttr(fopen_func, idc.BPT_BRK, 0)
idc.SetBptCnd(fopen_func, "linuxFileIO.My_fopen()")
fread_func = idc.LocByName("_IO_fread");
if fread_func == idc.BADADDR:
logger.info( "Cannot find _IO_fread" )
Print( "Cannot find _IO_fread." )
else:
logger.info( "We found _IO_fread at 0x%x." % fread_func )
Print( "We found _IO_fread at 0x%x." % fread_func )
idc.AddBpt(fread_func)
idc.SetBptAttr(fread_func, idc.BPT_BRK, 0)
idc.SetBptCnd(fread_func, "linuxFileIO.My_fread()")
fclose_func = idc.LocByName("_IO_fclose");
if fclose_func == idc.BADADDR:
logger.info( "Cannot find _IO_fclose" )
Print( "Cannot find _IO_fclose." )
else:
logger.info( "We found _IO_fclose at 0x%x." % fclose_func )
Print( "We found _IO_fclose at 0x%x." % fclose_func )
idc.AddBpt(fclose_func)
idc.SetBptAttr(fclose_func, idc.BPT_BRK, 0)
idc.SetBptCnd(fclose_func, "linuxFileIO.My_fclose()")
def checkWindowsLibs(name,ea,bCheckFileIO,bCheckNetworkIO):
"""
This function monitors loaded DLLs for Windows
If any of these DLLs and functions are loaded
a conditional breakpoint is set
kernel32.dll - CreateFileW ReadFile CloseHandle
WS2_32.dll - recv, bind, accept, closesocket
WSOCK32.dll - recv, bind
@param name: The name of the loaded DLL
@param ea: The address of the loaded DLL
@param bCheckFileIO: Checks to see if FileIO filtering was turned on
@param bCheckNetworkIO: Checks to see if NetworkIO filtering was turned on
@return: None
"""
import idc
import logging
logger = logging.getLogger('IDATrace')
idc.RefreshDebuggerMemory()
library_name = name.upper()
if "KERNEL32" in library_name:
logger.info( "Found kernel32 at 0x%x" % ea )
if bCheckFileIO:
"""
createFileA_func = idc.LocByName("kernel32_CreateFileA");
if createFileA_func == idc.BADADDR:
logger.info( "Cannot find CreateFileA" )
else:
logger.info( "We found CreateFileA at 0x%x." % createFileA_func )
idc.AddBpt(createFileA_func)
idc.SetBptAttr(createFileA_func, idc.BPT_BRK, 0)
idc.SetBptCnd(createFileA_func, "windowsFileIO.MyCreateFileA()")
"""
createFileW_func = idc.LocByName("kernel32_CreateFileW");
if createFileW_func == idc.BADADDR:
logger.info( "Cannot find CreateFileW" )
else:
logger.info( "We found CreateFileW at 0x%x." % createFileW_func )
idc.AddBpt(createFileW_func)
idc.SetBptAttr(createFileW_func, idc.BPT_BRK, 0)
idc.SetBptCnd(createFileW_func, "windowsFileIO.MyCreateFileW()")
readFile_func = idc.LocByName("kernel32_ReadFile");
if readFile_func == idc.BADADDR:
logger.info( "Cannot find ReadFile" )
else:
logger.info( "We found ReadFile at 0x%x." % readFile_func )
idc.AddBpt(readFile_func)
idc.SetBptAttr(readFile_func, idc.BPT_BRK, 0)
idc.SetBptCnd(readFile_func, "windowsFileIO.MyReadFile()")
closeHandle_func = idc.LocByName("kernel32_CloseHandle");
if closeHandle_func == idc.BADADDR:
logger.info( "Cannot find CloseHandle" )
else:
logger.info( "We found CloseHandle at 0x%x." % closeHandle_func )
idc.AddBpt(closeHandle_func)
idc.SetBptAttr(closeHandle_func, idc.BPT_BRK, 0)
idc.SetBptCnd(closeHandle_func, "windowsFileIO.MyCloseHandle()")
elif "WS2_32" in library_name:
logger.info( "Found Ws2_32 at 0x%x" % ea )
if bCheckNetworkIO:
recv_func = idc.LocByName("ws2_32_recv");
if recv_func == idc.BADADDR:
logger.info( "Cannot find ws2_32_recv" )
else:
logger.info( "We found ws2_32_recv at 0x%x." % recv_func )
idc.AddBpt(recv_func)
idc.SetBptAttr(recv_func, idc.BPT_BRK, 0)
idc.SetBptCnd(recv_func, "windowsNetworkIO.checkRecv()")
bind_func = idc.LocByName("ws2_32_bind");
if bind_func == idc.BADADDR:
logger.info( "Cannot find ws2_32_bind" )
else:
logger.info( "We found ws2_32_bind at 0x%x." % bind_func )
idc.AddBpt(bind_func)
idc.SetBptAttr(bind_func, idc.BPT_BRK, 0)
idc.SetBptCnd(bind_func, "windowsNetworkIO.checkBind()")
accept_func = idc.LocByName("ws2_32_accept");
if accept_func == idc.BADADDR:
logger.info( "Cannot find ws2_32_accept" )
else:
logger.info( "We found ws2_32_accept at 0x%x." % accept_func )
idc.AddBpt(accept_func)
idc.SetBptAttr(accept_func, idc.BPT_BRK, 0)
idc.SetBptCnd(accept_func, "windowsNetworkIO.checkAccept()")
closesocket_func = idc.LocByName("ws2_32_closesocket");
if closesocket_func == idc.BADADDR:
logger.info( "Cannot find ws2_32_closesocket" )
else:
logger.info( "We found ws2_32_closesocket at 0x%x." % closesocket_func )
idc.AddBpt(closesocket_func)
idc.SetBptAttr(closesocket_func, idc.BPT_BRK, 0)
idc.SetBptCnd(closesocket_func, "windowsNetworkIO.checkClosesocket()")
elif "WSOCK32" in library_name:
logger.info( "Found wsock32 at 0x%x" % ea )
if bCheckNetworkIO:
"""
bind_func = idc.LocByName("wsock32_bind");
if bind_func == idc.BADADDR:
logger.info( "Cannot find wsock32_bind" )
else:
logger.info( "We found wsock32_bind at 0x%x." % wsock32_bind )
if idc.isCode(bind_func):
idc.AddBpt(bind_func)
idc.SetBptAttr(bind_func, idc.BPT_BRK, 0)
idc.SetBptCnd(bind_func, "windowsNetworkIO.WSOCK32Bind()")
else:
logger.info( "wsock32_bind at 0x%x is data not code." % bind_func )
"""
recv_func = idc.LocByName("wsock32_recv")
if recv_func == idc.BADADDR:
logger.info( "Cannot find wsock32_recv" )
else:
logger.info( "We found wsock32_recv at 0x%x." % recv_func )
if idc.isCode(recv_func):
idc.AddBpt(recv_func)
idc.SetBptAttr(recv_func, idc.BPT_BRK, 0)
idc.SetBptCnd(recv_func, "windowsNetworkIO.WSOCK32Recv()")
else:
logger.info( "wsock32_recv at 0x%x is data not code." % recv_func )
def refresh():
idc.RefreshDebuggerMemory()
