Exemplo n.º 1
0
def CompareCommand(cmd, cmdsize, cmdip, model, nmodel):
    """
    Compare command, used to search instruction accross the memory
    """
    a, b = 0, 0

    return api.Comparecommand(cmd, cmdsize, cmdip, model.cast(), nmodel, a, b, api.t_disasm())
Exemplo n.º 2
0
def disasm(ea, mem=None, size=api.MAXCMDSIZE):
    if mem is None:
        mem = safe_read_chunked_memory_region_as_one(ea, size)
        if not mem:
            print >> sys.stderr, 'Unable to read specified memory (0x%08X of size 0x%08X)' % (ea, size)
            return None, None
        mem = buffer(mem[1])
    cmd = bytearray(mem[:min(api.MAXCMDSIZE, len(mem))])
    dis = api.t_disasm()
    n = api.Disasm(cmd, len(cmd), ea, None, dis, api.DA_TEXT | api.DA_OPCOMM | api.DA_DUMP | api.DA_MEMORY, api.t_reg(), api.t_predict())
    if n <= 0 or dis.errors != api.DAE_NOERR:
        return 0, None
    return n, dis
Exemplo n.º 3
0
def disasm(ea, mem=None, size=api.MAXCMDSIZE):
    if mem is None:
        mem = safe_read_chunked_memory_region_as_one(ea, size)
        if not mem:
            print >> sys.stderr, 'Unable to read specified memory (0x%08X of size 0x%08X)' % (
                ea, size)
            return None, None
        mem = buffer(mem[1])
    cmd = bytearray(mem[:min(api.MAXCMDSIZE, len(mem))])
    dis = api.t_disasm()
    n = api.Disasm(cmd, len(cmd), ea, None, dis,
                   api.DA_TEXT | api.DA_OPCOMM | api.DA_DUMP | api.DA_MEMORY,
                   api.t_reg(), api.t_predict())
    if n <= 0 or dis.errors != api.DAE_NOERR:
        return 0, None
    return n, dis
Exemplo n.º 4
0
def CompareCommand(cmd, cmdsize, cmdip, model, nmodel):
    """
    Compare command, used to search instruction accross the memory
    """
    a, b = 0, 0

    return api.Comparecommand(
        cmd,
        cmdsize,
        cmdip,
        model.cast(),
        nmodel,
        a,
        b,
        api.t_disasm()
    )
Exemplo n.º 5
0
def Disasm_(c, address=0):
    """
    Disassemble some x86 code (only one instruction though) thanks to the OllyDbg2 engine
    """
    buff = bytearray(c)
    di = api.t_disasm()
    size_instr = api.Disasm(
        buff,
        len(buff),
        address,
        None,
        di,
        api.DA_TEXT | api.DA_OPCOMM | api.DA_DUMP | api.DA_MEMORY,
        api.t_reg(),
        api.t_predict()
    )

    return size_instr, str(di.result)
Exemplo n.º 6
0
def Disasm_(c, address=0):
    """
    Disassemble some x86 code (only one instruction though) thanks to the OllyDbg2 engine
    """
    buff = bytearray(c)
    di = api.t_disasm()
    size_instr = api.Disasm(
        buff,
        len(buff),
        address,
        None,
        di,
        api.DA_TEXT | api.DA_OPCOMM | api.DA_DUMP | api.DA_MEMORY,
        api.t_reg(),
        api.t_predict(),
    )

    return size_instr, str(di.result)
Exemplo n.º 7
0
def scan_for_ref_api_calls(ea_from, ea_to, increment, rv, base, mem):
    # import inspect
    if ea_from > ea_to:
        print >> sys.stderr, 'Invalid arguments passed'
        return None
    logger.info((
        'scan_for_ref_api_calls(ea_from=0x%08X, ea_to=0x%08X, increment=0x%08X, base=0x%08X)\n'
        + 'getting modules meta') % (ea_from, ea_to, increment, base))

    global modules_meta
    global modules_exports
    logger.info('scan_for_ref_api_calls() modules_meta got')

    this_module_exports = set()
    for name, info in modules_meta.items():
        for i in xrange(len(info['base'])):
            if info['base'][i] <= ea_from < info['base'][i] + info['size'][i]:
                this_module_exports = set(
                    map(lambda x: x['ea'], info['apis'][i]))
                print 'module found: %s, len of exports: %u' % (
                    name, len(this_module_exports))
                break

    def isPointsToExternalDll(addr):
        if addr in modules_exports and (not this_module_exports
                                        or addr not in this_module_exports):
            return modules_exports[addr]
        return False

    for ea in xrange(ea_from, ea_to, increment):
        try:
            l = ea_to - ea
            offs = ea - ea_from
            cmd = bytearray(mem[offs:offs + min(api.MAXCMDSIZE, l)])
            dis = api.t_disasm()
            n = api.Disasm(
                cmd, len(cmd), ea, None, dis,
                api.DA_TEXT | api.DA_OPCOMM | api.DA_DUMP | api.DA_MEMORY,
                api.t_reg(), api.t_predict())
            if n <= 0 or dis.errors != api.DAE_NOERR:
                continue
            if dis.immfixup != __MINUS_ONE_32BIT:  # TODO: check this
                v = isPointsToExternalDll(dis.immfixup)
                if v:
                    ref = rv.refs.add()
                    ref.ref_type = rpc.AnalyzeExternalRefsResult.RefData.REFT_IMMCONST
                    ref.module, ref.proc = v.split('.')
                    ref.v = dis.immfixup
                    ref.ea = ea
                    ref.len = n
                    ref.dis = dis.result
                    print 'dis.immfixup points to %s at %08X as %s bytes: %s' % (
                        v, ea, dis.result, dis.dump)
                continue
            if dis.memconst:
                v = isPointsToExternalDll(dis.memconst)
                if v:
                    ref = rv.refs.add()
                    ref.ref_type = rpc.AnalyzeExternalRefsResult.RefData.REFT_ADDRCONST
                    ref.module, ref.proc = v.split('.')
                    ref.v = dis.memconst
                    ref.ea = ea
                    ref.len = n
                    ref.dis = dis.result
                    print 'dis.memconst points to %s at %08X as %s bytes: %s' % (
                        v, ea, dis.result, dis.dump)
                continue
            if dis.jmpaddr:
                v = isPointsToExternalDll(dis.jmpaddr)
                if v:
                    ref = rv.refs.add()
                    ref.ref_type = rpc.AnalyzeExternalRefsResult.RefData.REFT_JMPCONST
                    ref.module, ref.proc = v.split('.')
                    ref.v = dis.jmpaddr
                    ref.ea = ea
                    ref.len = n
                    ref.dis = dis.result
                    print 'dis.jmpaddr points to %s at %08X as %s bytes: %s' % (
                        v, ea, dis.result, dis.dump)
                continue

                #for k, v in inspect.getmembers(dis):
                #    if '_' not in k:
                #        print "%r: %r" % (k, v)
        except Exception as exc:
            print >> sys.stderr, 'Exception: %r\r\n%s' % (
                exc, traceback.format_exc().replace('\n', '\r\n'))
Exemplo n.º 8
0
def scan_for_ref_api_calls(ea_from, ea_to, increment, rv, base, mem):
    # import inspect
    if ea_from > ea_to:
        print >> sys.stderr, 'Invalid arguments passed'
        return None
    logger.info(('scan_for_ref_api_calls(ea_from=0x%08X, ea_to=0x%08X, increment=0x%08X, base=0x%08X)\n' +
                'getting modules meta') % (ea_from, ea_to, increment, base))

    global modules_meta
    global modules_exports
    logger.info('scan_for_ref_api_calls() modules_meta got')

    this_module_exports = set()
    for name, info in modules_meta.items():
        for i in xrange(len(info['base'])):
            if info['base'][i] <= ea_from < info['base'][i] + info['size'][i]:
                this_module_exports = set(map(lambda x: x['ea'], info['apis'][i]))
                print 'module found: %s, len of exports: %u' % (name, len(this_module_exports))
                break

    def isPointsToExternalDll(addr):
        if addr in modules_exports and (not this_module_exports or addr not in this_module_exports):
            return modules_exports[addr]
        return False

    for ea in xrange(ea_from, ea_to, increment):
        try:
            l = ea_to - ea
            offs = ea - ea_from
            cmd = bytearray(mem[offs: offs + min(api.MAXCMDSIZE, l)])
            dis = api.t_disasm()
            n = api.Disasm(cmd, len(cmd), ea, None, dis, api.DA_TEXT | api.DA_OPCOMM | api.DA_DUMP | api.DA_MEMORY,
                           api.t_reg(), api.t_predict())
            if n <= 0 or dis.errors != api.DAE_NOERR:
                continue
            if dis.immfixup != __MINUS_ONE_32BIT:  # TODO: check this
                v = isPointsToExternalDll(dis.immfixup)
                if v:
                    ref = rv.refs.add()
                    ref.ref_type = rpc.AnalyzeExternalRefsResult.RefData.REFT_IMMCONST
                    ref.module, ref.proc = v.split('.')
                    ref.v = dis.immfixup
                    ref.ea = ea
                    ref.len = n
                    ref.dis = dis.result
                    print 'dis.immfixup points to %s at %08X as %s bytes: %s' % (v, ea, dis.result, dis.dump)
                continue
            if dis.memconst:
                v = isPointsToExternalDll(dis.memconst)
                if v:
                    ref = rv.refs.add()
                    ref.ref_type = rpc.AnalyzeExternalRefsResult.RefData.REFT_ADDRCONST
                    ref.module, ref.proc = v.split('.')
                    ref.v = dis.memconst
                    ref.ea = ea
                    ref.len = n
                    ref.dis = dis.result
                    print 'dis.memconst points to %s at %08X as %s bytes: %s' % (v, ea, dis.result, dis.dump)
                continue
            if dis.jmpaddr:
                v = isPointsToExternalDll(dis.jmpaddr)
                if v:
                    ref = rv.refs.add()
                    ref.ref_type = rpc.AnalyzeExternalRefsResult.RefData.REFT_JMPCONST
                    ref.module, ref.proc = v.split('.')
                    ref.v = dis.jmpaddr
                    ref.ea = ea
                    ref.len = n
                    ref.dis = dis.result
                    print 'dis.jmpaddr points to %s at %08X as %s bytes: %s' % (v, ea, dis.result, dis.dump)
                continue

                #for k, v in inspect.getmembers(dis):
                #    if '_' not in k:
                #        print "%r: %r" % (k, v)
        except Exception as exc:
            print >> sys.stderr, 'Exception: %r\r\n%s' % (exc, traceback.format_exc().replace('\n', '\r\n'))