def taintStart(self): Print("Taint Start pressed!") #Remove the starting breakpoint if self.taintStart is not None: idc.DelBpt(self.taintStart) #Add a new starting breakpoint self.taintStart = idc.here() instruction = idc.GetDisasm(self.taintStart) Print(instruction) idc.AddBpt(self.taintStart) idc.SetBptAttr(self.taintStart, idc.BPT_BRK, 0) callbackAddr = "interactivemodeCallback.startTrace()" customCallbackFuncs = ['ReadFile', 'recv'] for callbackFunc in customCallbackFuncs: if callbackFunc in instruction: callbackAddr = "interactivemodeCallback." + callbackFunc + "()" Print("Found callback function %s for interactive mode" % callbackAddr) break idc.SetBptCnd(self.taintStart, callbackAddr)
def checkAccept(self): """ SOCKET accept( _In_ SOCKET s, _Out_ struct sockaddr *addr, _Inout_ int *addrlen ); """ s = Util.GetData(0x4) self.logger.info("checkAccept: SOCKET is 0x%x" % (s)) sockaddr_addr = Util.GetData(0x8) self.logger.info("checkAccept: sockaddr_addr is 0x%x" % (sockaddr_addr)) addrlen = Util.GetData(0xC) self.logger.info("checkAccept: *addrlen value is 0x%x" % (addrlen)) retAddr = Util.GetData(0x0) self.tempStack = [] self.tempStack.append(s) idc.AddBpt(retAddr) idc.SetBptAttr(retAddr, idc.BPT_BRK, 0) idc.SetBptCnd(retAddr, "windowsNetworkIO.checkAcceptEnd()") return 0
def WSOCK32Bind(self): """ int bind( _In_ SOCKET s, _In_ const struct sockaddr *name, _In_ int namelen ); struct sockaddr_in { short sin_family; u_short sin_port; struct in_addr sin_addr; char sin_zero[8]; }; """ s = Util.GetData(0x4) self.logger.info("WSOCK32Bind: SOCKET is 0x%x" % (s)) sockaddr_name = Util.GetData(0x8) self.logger.info("WSOCK32Bind: sockaddr_name is 0x%x" % (sockaddr_name)) port = struct.unpack(">H", idaapi.dbg_read_memory(sockaddr_name + 0x2, 2)) portName = str(port[0]) self.logger.info("WSOCK32Bind: port value is %s" % (portName)) namelen = Util.GetData(0xC) self.logger.info("WSOCK32Bind: namelen value is %d" % (namelen)) retAddr = Util.GetData(0x0) Print(self.filter['network']) if portName in self.filter['network']: self.tempStack = [] self.tempStack.append(s) self.tempStack.append(portName) idc.AddBpt(retAddr) idc.SetBptAttr(retAddr, idc.BPT_BRK, 0) idc.SetBptCnd(retAddr, "windowsNetworkIO.checkBindEnd()") self.logger.info( "WSOCK32Bind: Netork Filter matched. Adding port to the Handle's dictionary to start logging." ) Print( "Filter matched. Add handle to the handle's dictionary to start logging." ) else: if idc.CheckBpt(retAddr) >= 0: Print("Removing un-needed breakpoint.") self.logger.info("WSOCK32Bind: Removing un-needed breakpoint.") idc.DelBpt(retAddr) self.logger.info("WSOCK32Bind: Network Filter did not match.") return 0
def taintStop(self): Print("Taint Stop pressed!") #Remove the stopping breakpoint if self.taintStop is not None: idc.DelBpt(self.taintStop) #Add a new stopping breakpoint self.taintStop = idc.here() Print( idc.GetDisasm(self.taintStop) ) idc.AddBpt(self.taintStop) idc.SetBptAttr(self.taintStop, idc.BPT_BRK, 0) idc.SetBptCnd(self.taintStop, "interactivemodeCallback.stopTrace()")
def My_fread(self): """ old - size_t fread ( void * ptr, size_t size, size_t count, FILE * stream ); size_t _IO_fread (void * ptr, size_t size, size_t count, FILE * stream ) """ ptr = Util.GetData(0x4) self.logger.info("fp is 0x%x" % (ptr)) _size = Util.GetData(0x8) self.logger.info("size is %d" % (_size)) _count = Util.GetData(0xc) self.logger.info("count is %d" % (_count)) stream = Util.GetData(0x10) self.logger.info("stream is 0x%x" % (stream)) self.pSize = _size * _count self.pBuffer = ptr retAddr = Util.GetData(0x0) callerAddr = retAddr - idc.ItemSize(retAddr) self.tempStack = [] self.tempStack.append(self.pBuffer) self.tempStack.append(self.pSize) self.tempStack.append(stream) self.tempStack.append(callerAddr) self.tempStack.append("fread") self.tempStack.append(idc.GetCurrentThreadId()) if stream in self.handleSet: self.logger.info("Found stream 0x%x" % stream) idc.AddBpt(retAddr) idc.SetBptAttr(retAddr, idc.BPT_BRK, 0) idc.SetBptCnd(retAddr, "linuxFileIO.My_freadEnd()") else: self.logger.info("Cannot find handle 0x%x" % stream) Print("Removing un-needed fread breakpoint.") idc.DelBpt(retAddr) return 0
def checkClosesocket(self): """ int closesocket( _In_ SOCKET s ); """ s = Util.GetData(0x4) self.logger.info("checkClosesocket: SOCKET is 0x%x" % (s)) retAddr = Util.GetData(0x0) self.tempStack.append(s) idc.AddBpt(retAddr) idc.SetBptAttr(retAddr, idc.BPT_BRK, 0) idc.SetBptCnd(retAddr, "windowsNetworkIO.checkClosesocketEnd()") return 0
def recv(self): """ int recv( _In_ SOCKET s, _Out_ char *buf, _In_ int len, _In_ int flags ); """ s = Util.GetData(0x0) self.logger.info("checkRecv: Socket is 0x%x" % (s)) buf = Util.GetData(0x4) self.logger.info("checkRecv: *buf is 0x%x" % (buf)) _len = Util.GetData(0x8) self.logger.info("checkRecv: len value is %d" % (_len)) flag = Util.GetData(0xC) self.logger.info("checkRecv: flag value is %d" % (flag)) ea = idc.GetRegValue("EIP") retAddr = ea + idc.ItemSize(ea) Print("The return address is 0x%x" % retAddr) self.tempStack = [] self.tempStack.append(s) self.tempStack.append(buf) self.tempStack.append(_len) self.tempStack.append(ea) self.tempStack.append("recv") self.tempStack.append(idc.GetCurrentThreadId()) idc.AddBpt(retAddr) idc.SetBptAttr(retAddr, idc.BPT_BRK, 0) idc.SetBptCnd(retAddr, "interactivemodeCallback.recvEnd()") return 0
def checkRecv(self): """ int recv( _In_ SOCKET s, _Out_ char *buf, _In_ int len, _In_ int flags ); """ s = Util.GetData(0x4) self.logger.info("checkRecv: Socket is 0x%x" % (s)) buf = Util.GetData(0x8) self.logger.info("checkRecv: *buf is 0x%x" % (buf)) _len = Util.GetData(0xC) self.logger.info("checkRecv: len value is %d" % (_len)) flag = Util.GetData(0x10) self.logger.info("checkRecv: flag value is %d" % (flag)) retAddr = Util.GetData(0x0) callerAddr = retAddr - idc.ItemSize(retAddr) self.tempStack = [] self.tempStack.append(s) self.tempStack.append(buf) self.tempStack.append(_len) self.tempStack.append(callerAddr) self.tempStack.append("recv") self.tempStack.append(idc.GetCurrentThreadId()) idc.AddBpt(retAddr) idc.SetBptAttr(retAddr, idc.BPT_BRK, 0) idc.SetBptCnd(retAddr, "windowsNetworkIO.checkRecvEnd()") return 0
def define_function_trace(adr): return idc.SetBptAttr(adr, idc.BPTATTR_FLAGS, idc.BPT_ENABLED | idc.BPT_TRACE | idc.BPT_TRACEON | idc.BPT_TRACE_FUNC) #idc.BPT_BRK |
def checkLinuxLibs(name,ea,bCheckFileIO,bCheckNetworkIO): """ This function monitors loaded libaries for Linux If any of these libaries and functions are loaded a conditional breakpoint is set LIBC - _IO_file_fopen _IO_fread _IO_fclose @param name: The name of the loaded library @param ea: The address of the loaded library @param bCheckFileIO: Checks to see if FileIO filtering was turned on @param bCheckNetworkIO: Checks to see if NetworkIO filtering was turned on @return: None """ import idc import logging Print ("Found Libc at 0x%x" % ea) logger = logging.getLogger('IDATrace') logger.info( "Found Libc at 0x%x" % ea ) idc.RefreshDebuggerMemory() library_name = name.upper() Print( "Checking Linux for library " + library_name ) if "LIBC" in library_name: if bCheckFileIO: fopen_func = idc.LocByName("_IO_file_fopen"); if fopen_func == idc.BADADDR: logger.info( "Cannot find _IO_file_fopen" ) # "Cannot find _IO_file_fopen." else: logger.info( "We found _IO_file_fopen at 0x%x." % fopen_func ) Print( "We found _IO_file_fopen at 0x%x." % fopen_func ) idc.AddBpt(fopen_func) idc.SetBptAttr(fopen_func, idc.BPT_BRK, 0) idc.SetBptCnd(fopen_func, "linuxFileIO.My_fopen()") fread_func = idc.LocByName("_IO_fread"); if fread_func == idc.BADADDR: logger.info( "Cannot find _IO_fread" ) Print( "Cannot find _IO_fread." ) else: logger.info( "We found _IO_fread at 0x%x." % fread_func ) Print( "We found _IO_fread at 0x%x." % fread_func ) idc.AddBpt(fread_func) idc.SetBptAttr(fread_func, idc.BPT_BRK, 0) idc.SetBptCnd(fread_func, "linuxFileIO.My_fread()") fclose_func = idc.LocByName("_IO_fclose"); if fclose_func == idc.BADADDR: logger.info( "Cannot find _IO_fclose" ) Print( "Cannot find _IO_fclose." ) else: logger.info( "We found _IO_fclose at 0x%x." % fclose_func ) Print( "We found _IO_fclose at 0x%x." % fclose_func ) idc.AddBpt(fclose_func) idc.SetBptAttr(fclose_func, idc.BPT_BRK, 0) idc.SetBptCnd(fclose_func, "linuxFileIO.My_fclose()")
def checkWindowsLibs(name,ea,bCheckFileIO,bCheckNetworkIO): """ This function monitors loaded DLLs for Windows If any of these DLLs and functions are loaded a conditional breakpoint is set kernel32.dll - CreateFileW ReadFile CloseHandle WS2_32.dll - recv, bind, accept, closesocket WSOCK32.dll - recv, bind @param name: The name of the loaded DLL @param ea: The address of the loaded DLL @param bCheckFileIO: Checks to see if FileIO filtering was turned on @param bCheckNetworkIO: Checks to see if NetworkIO filtering was turned on @return: None """ import idc import logging logger = logging.getLogger('IDATrace') idc.RefreshDebuggerMemory() library_name = name.upper() if "KERNEL32" in library_name: logger.info( "Found kernel32 at 0x%x" % ea ) if bCheckFileIO: """ createFileA_func = idc.LocByName("kernel32_CreateFileA"); if createFileA_func == idc.BADADDR: logger.info( "Cannot find CreateFileA" ) else: logger.info( "We found CreateFileA at 0x%x." % createFileA_func ) idc.AddBpt(createFileA_func) idc.SetBptAttr(createFileA_func, idc.BPT_BRK, 0) idc.SetBptCnd(createFileA_func, "windowsFileIO.MyCreateFileA()") """ createFileW_func = idc.LocByName("kernel32_CreateFileW"); if createFileW_func == idc.BADADDR: logger.info( "Cannot find CreateFileW" ) else: logger.info( "We found CreateFileW at 0x%x." % createFileW_func ) idc.AddBpt(createFileW_func) idc.SetBptAttr(createFileW_func, idc.BPT_BRK, 0) idc.SetBptCnd(createFileW_func, "windowsFileIO.MyCreateFileW()") readFile_func = idc.LocByName("kernel32_ReadFile"); if readFile_func == idc.BADADDR: logger.info( "Cannot find ReadFile" ) else: logger.info( "We found ReadFile at 0x%x." % readFile_func ) idc.AddBpt(readFile_func) idc.SetBptAttr(readFile_func, idc.BPT_BRK, 0) idc.SetBptCnd(readFile_func, "windowsFileIO.MyReadFile()") closeHandle_func = idc.LocByName("kernel32_CloseHandle"); if closeHandle_func == idc.BADADDR: logger.info( "Cannot find CloseHandle" ) else: logger.info( "We found CloseHandle at 0x%x." % closeHandle_func ) idc.AddBpt(closeHandle_func) idc.SetBptAttr(closeHandle_func, idc.BPT_BRK, 0) idc.SetBptCnd(closeHandle_func, "windowsFileIO.MyCloseHandle()") elif "WS2_32" in library_name: logger.info( "Found Ws2_32 at 0x%x" % ea ) if bCheckNetworkIO: recv_func = idc.LocByName("ws2_32_recv"); if recv_func == idc.BADADDR: logger.info( "Cannot find ws2_32_recv" ) else: logger.info( "We found ws2_32_recv at 0x%x." % recv_func ) idc.AddBpt(recv_func) idc.SetBptAttr(recv_func, idc.BPT_BRK, 0) idc.SetBptCnd(recv_func, "windowsNetworkIO.checkRecv()") bind_func = idc.LocByName("ws2_32_bind"); if bind_func == idc.BADADDR: logger.info( "Cannot find ws2_32_bind" ) else: logger.info( "We found ws2_32_bind at 0x%x." % bind_func ) idc.AddBpt(bind_func) idc.SetBptAttr(bind_func, idc.BPT_BRK, 0) idc.SetBptCnd(bind_func, "windowsNetworkIO.checkBind()") accept_func = idc.LocByName("ws2_32_accept"); if accept_func == idc.BADADDR: logger.info( "Cannot find ws2_32_accept" ) else: logger.info( "We found ws2_32_accept at 0x%x." % accept_func ) idc.AddBpt(accept_func) idc.SetBptAttr(accept_func, idc.BPT_BRK, 0) idc.SetBptCnd(accept_func, "windowsNetworkIO.checkAccept()") closesocket_func = idc.LocByName("ws2_32_closesocket"); if closesocket_func == idc.BADADDR: logger.info( "Cannot find ws2_32_closesocket" ) else: logger.info( "We found ws2_32_closesocket at 0x%x." % closesocket_func ) idc.AddBpt(closesocket_func) idc.SetBptAttr(closesocket_func, idc.BPT_BRK, 0) idc.SetBptCnd(closesocket_func, "windowsNetworkIO.checkClosesocket()") elif "WSOCK32" in library_name: logger.info( "Found wsock32 at 0x%x" % ea ) if bCheckNetworkIO: """ bind_func = idc.LocByName("wsock32_bind"); if bind_func == idc.BADADDR: logger.info( "Cannot find wsock32_bind" ) else: logger.info( "We found wsock32_bind at 0x%x." % wsock32_bind ) if idc.isCode(bind_func): idc.AddBpt(bind_func) idc.SetBptAttr(bind_func, idc.BPT_BRK, 0) idc.SetBptCnd(bind_func, "windowsNetworkIO.WSOCK32Bind()") else: logger.info( "wsock32_bind at 0x%x is data not code." % bind_func ) """ recv_func = idc.LocByName("wsock32_recv") if recv_func == idc.BADADDR: logger.info( "Cannot find wsock32_recv" ) else: logger.info( "We found wsock32_recv at 0x%x." % recv_func ) if idc.isCode(recv_func): idc.AddBpt(recv_func) idc.SetBptAttr(recv_func, idc.BPT_BRK, 0) idc.SetBptCnd(recv_func, "windowsNetworkIO.WSOCK32Recv()") else: logger.info( "wsock32_recv at 0x%x is data not code." % recv_func )
def MyCreateFileW(self): """ Monitors the the beginning of CreateFileW function CreateFileW arguments are read from the stack """ """ HANDLE WINAPI CreateFileW( _In_ LPCTSTR lpFileName, _In_ DWORD dwDesiredAccess, _In_ DWORD dwShareMode, _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes, _In_ DWORD dwCreationDisposition, _In_ DWORD dwFlagsAndAttributes, _In_opt_ HANDLE hTemplateFile ); """ lpFileName = Util.GetData(0x4) self.logger.info("MyCreateFileW lpFileName is 0x%x" % lpFileName) filePath = "".join(Util.Read(lpFileName, 2)) self.logger.info("filePath is %s" % filePath) dwDesiredAccess = Util.GetData(0x8) self.logger.info("dwDesiredAccess is 0x%x" % (dwDesiredAccess)) dwShareMode = Util.GetData(0xC) self.logger.info("dwShareMode value is 0x%x" % (dwShareMode)) lpSecurityAttributes = Util.GetData(0x10) self.logger.info("lpSecurityAttributes value is 0x%x" % (lpSecurityAttributes)) dwCreationDisposition = Util.GetData(0x14) self.logger.info("dwCreationDisposition value is 0x%x" % (dwCreationDisposition)) dwFlagsAndAttributes = Util.GetData(0x18) hTemplateFile = Util.GetData(0x1C) fileName = os.path.basename(filePath) self.logger.info("The filename is %s" % fileName) retAddr = Util.GetData(0x0) if fileName in self.filter['file']: idc.AddBpt(retAddr) idc.SetBptAttr(retAddr, idc.BPT_BRK, 0) idc.SetBptCnd(retAddr, "windowsFileIO.MyCreateFileWEnd()") self.logger.info( "Filter matched. Add handle to the handle's dictionary to start logging." ) Print( "Filter matched. Add handle to the handle's dictionary to start logging." ) else: if idc.CheckBpt(retAddr) >= 0: Print("Removing un-needed breakpoint.") self.logger.info("Removing un-needed breakpoint.") idc.DelBpt(retAddr) self.logger.info("Filter did not match.") return 0