Exemplo n.º 1
0
def test_findv():
    payload = b"".join([
        pad.null(
            pad.null(b"a" * 0x200 + b"pattern", 0x500) + b"pattern2", 0x1000),
        pad.null(
            pad.null(b"b" * 0x200 + b"pattern", 0x500) + b"pattern2", 0x1000),
        b"c" * 0x1000,
        pad.null(
            pad.null(b"d" * 0x200 + b"pattern", 0x500) + b"pattern2", 0x1000)
    ])
    regions = [
        Region(0x400000, 0x1000, 0, 0, 0, 0),
        Region(0x401000, 0x1000, 0, 0, 0, 0x1000),
        Region(0x402000, 0x1000, 0, 0, 0, 0x2000),
        Region(0x410000, 0x1000, 0, 0, 0, 0x3000),
    ]
    p = procmem(payload, regions=regions)

    assert list(p.findv(b"pattern")) == [
        0x400200, 0x400500, 0x401200, 0x401500, 0x410200, 0x410500
    ]
    assert list(p.findv(b"pattern", 0x401100, 0x405)) == [0x401200]
    assert list(p.findv(b"pattern", length=0x10300)) == [
        0x400200, 0x400500, 0x401200, 0x401500, 0x410200
    ]
    assert list(p.findv(b"pattern", 0x401508)) == [0x410200, 0x410500]
    assert list(p.findv(b"pattern", 0x403508)) == [0x410200, 0x410500]
Exemplo n.º 2
0
def test_findbytes():
    payload = b" " * 0x1000 + pad.null(
        b"\xffoo\x00bar thisis0test\n hAAAA\xc3\xc0\xc2\xc4\n\n\x10\x2f\x1f\x1a\x1b\x1f\x1d\xbb\xcc\xdd\xff",
        0x10000)
    buf = procmem(payload, base=0x400000)
    assert list(buf.findbytesv("c? c? c? 0A")) == [0x40101B]
    assert list(buf.findbytesv(b"1f ?? ?b")) == [0x401022, 0x401025]
    assert list(buf.findbytesv("?f ?? ?? 00")) == [0x401000, 0x40102A]
    assert not list(buf.findbytesv(enhex(b"test hAAAA")))
    assert list(buf.findbytesv(enhex(b"test\n hAAAA")))

    assert list(buf.findbytesv(enhex(b"is"), length=0x100b)) == [0x40100a]
    assert list(buf.findbytesv(enhex(b"is"),
                               length=0x100d)) == [0x40100a, 0x40100c]
    assert list(buf.findbytesv(enhex(b"is"), addr=0x40100b,
                               length=0x100d)) == [0x40100c]

    payload = b"".join(
        [b"a" * 0x1000, b"b" * 0x1000, b"c" * 0x1000, b"d" * 0x1000])
    regions = [
        Region(0x400000, 0x1000, 0, 0, 0, 0),
        Region(0x401000, 0x1000, 0, 0, 0, 0x1000),
        Region(0x402000, 0x1000, 0, 0, 0, 0x2000),
        Region(0x410000, 0x1000, 0, 0, 0, 0x3000),
    ]

    p = procmem(payload, regions=regions)
    assert next(p.findbytesv(enhex(b"dddd"))) == 0x410000
Exemplo n.º 3
0
def test_patchv():
    payload = b"".join(
        [b"a" * 0x1000, b"b" * 0x1000, b"c" * 0x1000, b"d" * 0x1000])
    regions = [
        Region(0x400000, 0x1000, 0, 0, 0, 0),
        Region(0x401000, 0x1000, 0, 0, 0, 0x1000),
        Region(0x402000, 0x1000, 0, 0, 0, 0x2000),
        Region(0x410000, 0x1000, 0, 0, 0, 0x3000),
    ]

    p = procmem(payload, regions=regions)
    with pytest.raises(
            ValueError,
            match=
            "Patched bytes range must be contained within single, existing region"
    ):
        p.patchv(0x3fffff, b"p" * 16)
    p.patchv(0x400000, b"p" * 16)
    assert p.readv(0x400000, 17) == b"p" * 16 + b"a"
    with pytest.raises(
            ValueError,
            match=
            "Patched bytes range must be contained within single, existing region"
    ):
        p.patchv(0x401fff, b"p" * 2)
Exemplo n.º 4
0
def test_readv():
    payload = b"".join([
        b"a" * 0x1000,
        b"b" * 0x1000,
        b"c" * 0x1000,
        b"d" * 0x1000
    ])
    regions = [
        Region(0x400000, 0x1000, 0, 0, 0, 0),
        Region(0x401000, 0x1000, 0, 0, 0, 0x1000),
        Region(0x402000, 0x1000, 0, 0, 0, 0x2000),
        Region(0x410000, 0x1000, 0, 0, 0, 0x3000),
    ]

    p = procmem(payload, regions=regions)
    assert p.readv(0x3fffff, 16) == b""
    assert p.readv(0x400000, 16) == b"a" * 16
    assert isinstance(p.readv(0x400000, 16), binary_type)
    assert p.readv(0x400fff, 16) == b"a" + b"b" * 15
    assert p.readv(0x400ffe, 0x1100) == b"aa" + (b"b" * 0x1000) + (b"c" * 0xfe)
    assert p.readv(0x402ffe, 0x1000) == b"cc"
    assert p.readv(0x402ffe) == b"cc"
    assert p.readv(0x403000) == b""
    assert p.readv(0x401000) == b"b" * 0x1000 + b"c" * 0x1000
    assert p.readv(0x40ffff) == b""
    assert p.readv(0x410000) == b"d" * 0x1000
    assert p.readv(0x410ffe) == b"dd"
Exemplo n.º 5
0
def mem():
    #            aaaaaaa  bbbbbbccccccccdddd   eeee
    payload = b"0123456789abcdefghijklmnopqrstuvwxyz"
    regions = [
        Region(0x10000, 7, 0, 0, 0, 1),
        Region(0x10007, 6, 0, 0, 0, 10),
        Region(0x10100, 8, 0, 0, 0, 16),
        Region(0x10108, 4, 0, 0, 0, 24),
        Region(0x10200, 4, 0, 0, 0, 31)
    ]
    #          v---0x10000            v---- 0x10100          v-- 0x10200
    # VM: .....1234567abcdef..........ghijklmnopqr ..........vwxy.......
    return procmem(payload, base=0x10000, regions=regions)
Exemplo n.º 6
0
def test_single_region():
    payload = b"0123456789"
    regions = [Region(0x10000, 8, 0, 0, 0, 1)]
    mem = procmem(payload, regions=regions)
    assert list(mem.iter_regions()) == mem.regions

    assert list(mem.iter_regions(addr=0xffff)) == mem.regions
    assert list(mem.iter_regions(addr=0x10000)) == mem.regions
    assert list(mem.iter_regions(addr=0x10007)) == mem.regions
    assert list(mem.iter_regions(addr=0x10008)) == []

    assert list(mem.iter_regions(offset=0)) == mem.regions
    assert list(mem.iter_regions(offset=1)) == mem.regions
    assert list(mem.iter_regions(offset=8)) == mem.regions
    assert list(mem.iter_regions(offset=9)) == []

    assert list(mem.iter_regions(length=0)) == []
    assert list(mem.iter_regions(length=1)) == mem.regions

    assert list(mem.iter_regions(addr=0xffff, length=1)) == []
    assert list(mem.iter_regions(addr=0xffff, length=2)) == mem.regions
    assert list(mem.iter_regions(addr=0xffff, length=0x10)) == mem.regions
    assert list(mem.iter_regions(addr=0x10007, length=0x10)) == mem.regions
    assert list(mem.iter_regions(addr=0x10008, length=0x10)) == []

    with pytest.raises(ValueError):
        # ValueError("Don't know how to retrieve length-limited regions with offset from unmapped area")
        list(mem.iter_regions(offset=0, length=1))
    assert list(mem.iter_regions(offset=1, length=1)) == mem.regions
Exemplo n.º 7
0
def test_simple_findv():
    payload = b"12ab34cd45ef"
    regions = [
        Region(0x10000, 2, 0, 0, 0, 2),
        Region(0x10002, 2, 0, 0, 0, 6),
        Region(0x10010, 2, 0, 0, 0, 10)
    ]
    p = procmem(payload, regions=regions)

    assert list(p.findv(b"12")) == []
    assert list(p.findv(b"ab")) == [0x10000]
    assert list(p.findv(b"ab", addr=0x10002)) == []
    assert list(p.findv(b"ab34")) == []
    assert list(p.findv(b"abcd")) == [0x10000]
    assert list(p.findv(b"abcdef")) == []
    assert list(p.findv(b"cdef")) == []
    assert list(p.findv(b"ef")) == [0x10010]
Exemplo n.º 8
0
def test_patchv():
    payload = b"".join(
        [b"a" * 0x1000, b"b" * 0x1000, b"c" * 0x1000, b"d" * 0x1000])
    regions = [
        Region(0x400000, 0x1000, 0, 0, 0, 0),
        Region(0x401000, 0x1000, 0, 0, 0, 0x1000),
        Region(0x402000, 0x1000, 0, 0, 0, 0x2000),
        Region(0x410000, 0x1000, 0, 0, 0, 0x3000),
    ]

    p = procmem(payload, regions=regions)
    with pytest.raises(ValueError,
                       match="Cross-region patching is not supported"):
        p.patchv(0x3fffff, b"p" * 16)
    p.patchv(0x400000, b"p" * 16)
    assert p.readv(0x400000, 17) == b"p" * 16 + b"a"
    with pytest.raises(ValueError,
                       match="Cross-region patching is not supported"):
        p.patchv(0x401fff, b"p" * 2)
Exemplo n.º 9
0
def test_single_region_trim():
    payload = b"0123456789"
    regions = [Region(0x10000, 8, 0, 0, 0, 1)]
    mem = procmem(payload, regions=regions)
    assert list(mem.iter_regions(trim=True)) == mem.regions

    assert list(mem.iter_regions(addr=0xffff, trim=True)) == mem.regions
    assert list(mem.iter_regions(addr=0x10000, trim=True)) == mem.regions
    assert list(mem.iter_regions(
        addr=0x10007, trim=True)) == [Region(0x10007, 1, 0, 0, 0, 8)]
    assert list(mem.iter_regions(addr=0x10008, trim=True)) == []

    assert list(mem.iter_regions(offset=0, trim=True)) == mem.regions
    assert list(mem.iter_regions(offset=1, trim=True)) == mem.regions
    assert list(mem.iter_regions(
        offset=8, trim=True)) == [Region(0x10007, 1, 0, 0, 0, 8)]
    assert list(mem.iter_regions(offset=9, trim=True)) == []

    assert list(mem.iter_regions(length=0, trim=True)) == []
    assert list(mem.iter_regions(
        length=1, trim=True)) == [Region(0x10000, 1, 0, 0, 0, 1)]

    assert list(mem.iter_regions(addr=0xffff, length=1, trim=True)) == []
    assert list(mem.iter_regions(
        addr=0xffff, length=2, trim=True)) == [Region(0x10000, 1, 0, 0, 0, 1)]
    assert list(mem.iter_regions(
        addr=0xffff, length=8, trim=True)) == [Region(0x10000, 7, 0, 0, 0, 1)]
    assert list(
        mem.iter_regions(addr=0x10001, length=4,
                         trim=True)) == [Region(0x10001, 4, 0, 0, 0, 2)]
    assert list(
        mem.iter_regions(addr=0x10007, length=0x10,
                         trim=True)) == [Region(0x10007, 1, 0, 0, 0, 8)]
    assert list(mem.iter_regions(addr=0x10008, length=0x10, trim=True)) == []

    with pytest.raises(ValueError):
        # ValueError("Don't know how to retrieve length-limited regions with offset from unmapped area")
        list(mem.iter_regions(offset=0, length=1, trim=True))
    assert list(mem.iter_regions(
        offset=1, length=1, trim=True)) == [Region(0x10000, 1, 0, 0, 0, 1)]
    assert list(mem.iter_regions(
        offset=4, length=2, trim=True)) == [Region(0x10003, 2, 0, 0, 0, 4)]
Exemplo n.º 10
0
def test_procmem_yara():
    payload = b"".join(
        [b"a" * 0x1000, b"b" * 0x1000, b"c" * 0x1000, b"d" * 0x1000])
    regions = [
        Region(0x400000, 0x1000, 0, 0, 0, 0),
        Region(0x401000, 0x1000, 0, 0, 0, 0x1000),
        Region(0x402000, 0x1000, 0, 0, 0, 0x2000),
        Region(0x410000, 0x1000, 0, 0, 0, 0x3000),
    ]

    p = ProcessMemory(payload, regions=regions)
    ruleset = Yara(
        name="regions",
        strings={
            "a_series": "a" * 64,
            "b_series": "b" * 64,
            "c_series": "c" * 64,
            "d_series": "d" * 64,
            "a_and_b": "a" * 64 + "b" * 64,
            "b_and_c": "b" * 64 + "c" * 64,
            "c_and_d": "c" * 64 + "d" * 64
        },
        condition=
        "$a_series and $b_series and $c_series and $d_series and $a_and_b and ( $b_and_c or $c_and_d )"
    )
    matchp = p.yarap(ruleset)
    matchv = p.yarav(ruleset)

    assert matchp
    assert matchv
    assert set(matchp.regions.keys()).difference(set(
        matchv.regions.keys())) == {"c_and_d"}

    assert [matchv.regions.a_and_b[0],
            matchv.regions.b_and_c[0]] == [0x400fc0, 0x401fc0]
    assert matchv.regions.a_series == list(range(0x400000, 0x401000 - 63))
    assert matchv.regions.b_series == list(range(0x401000, 0x402000 - 63))
    assert matchv.regions.c_series == list(range(0x402000, 0x403000 - 63))
    assert matchv.regions.d_series == list(range(0x410000, 0x411000 - 63))
    assert matchv.regions.get("a_series")
    assert not matchv.regions.get("e_series")
Exemplo n.º 11
0
def test_regions_multi(mem):
    # Test simple enum from specified address
    assert list(mem.iter_regions()) == mem.regions
    assert list(mem.iter_regions(0x1000)) == mem.regions
    assert list(mem.iter_regions(0x10000)) == mem.regions
    assert list(mem.iter_regions(0x10104)) == [
        Region(0x10100, 8, 0, 0, 0, 16),
        Region(0x10108, 4, 0, 0, 0, 24),
        Region(0x10200, 4, 0, 0, 0, 31)
    ]
    assert list(mem.iter_regions(0x10203)) == [Region(0x10200, 4, 0, 0, 0, 31)]
    assert list(mem.iter_regions(0x10204)) == []

    # Test simple enum from specified offset
    assert list(mem.iter_regions(offset=0)) == mem.regions
    assert list(mem.iter_regions(offset=10)) == mem.regions[1:]
    assert list(mem.iter_regions(offset=20)) == mem.regions[2:]
    assert list(
        mem.iter_regions(offset=30)) == [Region(0x10200, 4, 0, 0, 0, 31)]
    assert list(mem.iter_regions(offset=40)) == []

    assert list(mem.iter_regions(0xffff, contiguous=True)) == []
    assert list(mem.iter_regions(0x10000, contiguous=True)) == [
        Region(0x10000, 7, 0, 0, 0, 1),
        Region(0x10007, 6, 0, 0, 0, 10)
    ]
    assert list(mem.iter_regions(0x10002, length=8, contiguous=True,
                                 trim=True)) == [
                                     Region(0x10002, 5, 0, 0, 0, 3),
                                     Region(0x10007, 3, 0, 0, 0, 10)
                                 ]
    assert list(mem.iter_regions(offset=1, contiguous=True)) == [
        Region(0x10000, 7, 0, 0, 0, 1),
        Region(0x10007, 6, 0, 0, 0, 10)
    ]
    assert list(mem.iter_regions(offset=2, length=0x9f)) == [
        Region(0x10000, 7, 0, 0, 0, 1),
        Region(0x10007, 6, 0, 0, 0, 10)
    ]
    assert list(mem.iter_regions(offset=2, length=0x100)) == [
        Region(0x10000, 7, 0, 0, 0, 1),
        Region(0x10007, 6, 0, 0, 0, 10),
        Region(0x10100, 8, 0, 0, 0, 16)
    ]
    assert list(mem.iter_regions(offset=2, length=0x100, trim=True)) == [
        Region(0x10001, 6, 0, 0, 0, 2),
        Region(0x10007, 6, 0, 0, 0, 10),
        Region(0x10100, 1, 0, 0, 0, 16)
    ]