def CompareCommand(cmd, cmdsize, cmdip, model, nmodel):
"""
Compare command, used to search instruction accross the memory
"""
a, b = 0, 0
return api.Comparecommand(cmd, cmdsize, cmdip, model.cast(), nmodel, a, b, api.t_disasm())
def disasm(ea, mem=None, size=api.MAXCMDSIZE):
if mem is None:
mem = safe_read_chunked_memory_region_as_one(ea, size)
if not mem:
print >> sys.stderr, 'Unable to read specified memory (0x%08X of size 0x%08X)' % (ea, size)
return None, None
mem = buffer(mem[1])
cmd = bytearray(mem[:min(api.MAXCMDSIZE, len(mem))])
dis = api.t_disasm()
n = api.Disasm(cmd, len(cmd), ea, None, dis, api.DA_TEXT | api.DA_OPCOMM | api.DA_DUMP | api.DA_MEMORY, api.t_reg(), api.t_predict())
if n <= 0 or dis.errors != api.DAE_NOERR:
return 0, None
return n, dis
def disasm(ea, mem=None, size=api.MAXCMDSIZE):
if mem is None:
mem = safe_read_chunked_memory_region_as_one(ea, size)
if not mem:
print >> sys.stderr, 'Unable to read specified memory (0x%08X of size 0x%08X)' % (
ea, size)
return None, None
mem = buffer(mem[1])
cmd = bytearray(mem[:min(api.MAXCMDSIZE, len(mem))])
dis = api.t_disasm()
n = api.Disasm(cmd, len(cmd), ea, None, dis,
api.DA_TEXT | api.DA_OPCOMM | api.DA_DUMP | api.DA_MEMORY,
api.t_reg(), api.t_predict())
if n <= 0 or dis.errors != api.DAE_NOERR:
return 0, None
return n, dis
def CompareCommand(cmd, cmdsize, cmdip, model, nmodel):
"""
Compare command, used to search instruction accross the memory
"""
a, b = 0, 0
return api.Comparecommand(
cmd,
cmdsize,
cmdip,
model.cast(),
nmodel,
a,
b,
api.t_disasm()
)
def Disasm_(c, address=0):
"""
Disassemble some x86 code (only one instruction though) thanks to the OllyDbg2 engine
"""
buff = bytearray(c)
di = api.t_disasm()
size_instr = api.Disasm(
buff,
len(buff),
address,
None,
di,
api.DA_TEXT | api.DA_OPCOMM | api.DA_DUMP | api.DA_MEMORY,
api.t_reg(),
api.t_predict()
)
return size_instr, str(di.result)
def Disasm_(c, address=0):
"""
Disassemble some x86 code (only one instruction though) thanks to the OllyDbg2 engine
"""
buff = bytearray(c)
di = api.t_disasm()
size_instr = api.Disasm(
buff,
len(buff),
address,
None,
di,
api.DA_TEXT | api.DA_OPCOMM | api.DA_DUMP | api.DA_MEMORY,
api.t_reg(),
api.t_predict(),
)
return size_instr, str(di.result)
def scan_for_ref_api_calls(ea_from, ea_to, increment, rv, base, mem):
# import inspect
if ea_from > ea_to:
print >> sys.stderr, 'Invalid arguments passed'
return None
logger.info((
'scan_for_ref_api_calls(ea_from=0x%08X, ea_to=0x%08X, increment=0x%08X, base=0x%08X)\n'
+ 'getting modules meta') % (ea_from, ea_to, increment, base))
global modules_meta
global modules_exports
logger.info('scan_for_ref_api_calls() modules_meta got')
this_module_exports = set()
for name, info in modules_meta.items():
for i in xrange(len(info['base'])):
if info['base'][i] <= ea_from < info['base'][i] + info['size'][i]:
this_module_exports = set(
map(lambda x: x['ea'], info['apis'][i]))
print 'module found: %s, len of exports: %u' % (
name, len(this_module_exports))
break
def isPointsToExternalDll(addr):
if addr in modules_exports and (not this_module_exports
or addr not in this_module_exports):
return modules_exports[addr]
return False
for ea in xrange(ea_from, ea_to, increment):
try:
l = ea_to - ea
offs = ea - ea_from
cmd = bytearray(mem[offs:offs + min(api.MAXCMDSIZE, l)])
dis = api.t_disasm()
n = api.Disasm(
cmd, len(cmd), ea, None, dis,
api.DA_TEXT | api.DA_OPCOMM | api.DA_DUMP | api.DA_MEMORY,
api.t_reg(), api.t_predict())
if n <= 0 or dis.errors != api.DAE_NOERR:
continue
if dis.immfixup != __MINUS_ONE_32BIT: # TODO: check this
v = isPointsToExternalDll(dis.immfixup)
if v:
ref = rv.refs.add()
ref.ref_type = rpc.AnalyzeExternalRefsResult.RefData.REFT_IMMCONST
ref.module, ref.proc = v.split('.')
ref.v = dis.immfixup
ref.ea = ea
ref.len = n
ref.dis = dis.result
print 'dis.immfixup points to %s at %08X as %s bytes: %s' % (
v, ea, dis.result, dis.dump)
continue
if dis.memconst:
v = isPointsToExternalDll(dis.memconst)
if v:
ref = rv.refs.add()
ref.ref_type = rpc.AnalyzeExternalRefsResult.RefData.REFT_ADDRCONST
ref.module, ref.proc = v.split('.')
ref.v = dis.memconst
ref.ea = ea
ref.len = n
ref.dis = dis.result
print 'dis.memconst points to %s at %08X as %s bytes: %s' % (
v, ea, dis.result, dis.dump)
continue
if dis.jmpaddr:
v = isPointsToExternalDll(dis.jmpaddr)
if v:
ref = rv.refs.add()
ref.ref_type = rpc.AnalyzeExternalRefsResult.RefData.REFT_JMPCONST
ref.module, ref.proc = v.split('.')
ref.v = dis.jmpaddr
ref.ea = ea
ref.len = n
ref.dis = dis.result
print 'dis.jmpaddr points to %s at %08X as %s bytes: %s' % (
v, ea, dis.result, dis.dump)
continue
#for k, v in inspect.getmembers(dis):
# if '_' not in k:
# print "%r: %r" % (k, v)
except Exception as exc:
print >> sys.stderr, 'Exception: %r\r\n%s' % (
exc, traceback.format_exc().replace('\n', '\r\n'))
def scan_for_ref_api_calls(ea_from, ea_to, increment, rv, base, mem):
# import inspect
if ea_from > ea_to:
print >> sys.stderr, 'Invalid arguments passed'
return None
logger.info(('scan_for_ref_api_calls(ea_from=0x%08X, ea_to=0x%08X, increment=0x%08X, base=0x%08X)\n' +
'getting modules meta') % (ea_from, ea_to, increment, base))
global modules_meta
global modules_exports
logger.info('scan_for_ref_api_calls() modules_meta got')
this_module_exports = set()
for name, info in modules_meta.items():
for i in xrange(len(info['base'])):
if info['base'][i] <= ea_from < info['base'][i] + info['size'][i]:
this_module_exports = set(map(lambda x: x['ea'], info['apis'][i]))
print 'module found: %s, len of exports: %u' % (name, len(this_module_exports))
break
def isPointsToExternalDll(addr):
if addr in modules_exports and (not this_module_exports or addr not in this_module_exports):
return modules_exports[addr]
return False
for ea in xrange(ea_from, ea_to, increment):
try:
l = ea_to - ea
offs = ea - ea_from
cmd = bytearray(mem[offs: offs + min(api.MAXCMDSIZE, l)])
dis = api.t_disasm()
n = api.Disasm(cmd, len(cmd), ea, None, dis, api.DA_TEXT | api.DA_OPCOMM | api.DA_DUMP | api.DA_MEMORY,
api.t_reg(), api.t_predict())
if n <= 0 or dis.errors != api.DAE_NOERR:
continue
if dis.immfixup != __MINUS_ONE_32BIT: # TODO: check this
v = isPointsToExternalDll(dis.immfixup)
if v:
ref = rv.refs.add()
ref.ref_type = rpc.AnalyzeExternalRefsResult.RefData.REFT_IMMCONST
ref.module, ref.proc = v.split('.')
ref.v = dis.immfixup
ref.ea = ea
ref.len = n
ref.dis = dis.result
print 'dis.immfixup points to %s at %08X as %s bytes: %s' % (v, ea, dis.result, dis.dump)
continue
if dis.memconst:
v = isPointsToExternalDll(dis.memconst)
if v:
ref = rv.refs.add()
ref.ref_type = rpc.AnalyzeExternalRefsResult.RefData.REFT_ADDRCONST
ref.module, ref.proc = v.split('.')
ref.v = dis.memconst
ref.ea = ea
ref.len = n
ref.dis = dis.result
print 'dis.memconst points to %s at %08X as %s bytes: %s' % (v, ea, dis.result, dis.dump)
continue
if dis.jmpaddr:
v = isPointsToExternalDll(dis.jmpaddr)
if v:
ref = rv.refs.add()
ref.ref_type = rpc.AnalyzeExternalRefsResult.RefData.REFT_JMPCONST
ref.module, ref.proc = v.split('.')
ref.v = dis.jmpaddr
ref.ea = ea
ref.len = n
ref.dis = dis.result
print 'dis.jmpaddr points to %s at %08X as %s bytes: %s' % (v, ea, dis.result, dis.dump)
continue
#for k, v in inspect.getmembers(dis):
# if '_' not in k:
# print "%r: %r" % (k, v)
except Exception as exc:
print >> sys.stderr, 'Exception: %r\r\n%s' % (exc, traceback.format_exc().replace('\n', '\r\n'))