Exemplo n.º 1
0
 def print_nline_ptrs(self, start_addr, line_num):
     for i in range(line_num):
         pykd.dprint("{:02d}:{:04x}| ".format(i, i * PTRSIZE))
         addr = start_addr + i * PTRSIZE
         if not pykd.isValid(addr):
             print_err("Invalid memory address: {:#x}".format(addr))
             break
         else:
             self.print_ptrs(addr)
Exemplo n.º 2
0
    def print_general_regs(self):
        for reg_name in self.context.regs_name:
            reg_data = self.context.regs[reg_name]
            reg_str = '{:3}: '.format(reg_name.upper())
            reg_color = self.set_reg_color(reg_name,
                                           color_changed=color.red,
                                           color_unchanged=color.lime)
            pykd.dprint(reg_color(reg_str), dml=True)

            if pykd.isValid(reg_data):  # reg_data is a pointer
                self.print_ptrs(reg_data)
            else:
                pykd.dprintln("{:#x}".format(reg_data))
Exemplo n.º 3
0
    def print_seg_regs(self):
        first_print = True
        for reg_name in self.context.seg_regs_name:
            reg_data = self.context.regs[reg_name]
            reg_str = '{:2}={:#x}'.format(reg_name.upper(), reg_data)
            reg_color = self.set_reg_color(reg_name,
                                           color_changed=color.red,
                                           color_unchanged=color.green)

            if first_print:
                pykd.dprint(reg_color(reg_str), dml=True)
                first_print = False
            else:
                pykd.dprint(" | " + reg_color(reg_str), dml=True)
        pykd.dprintln("")
def printSample(sampleName):

    try:
        packageName, moduleName = sampleName.split(".")

        module = __import__(name=sampleName, fromlist=moduleName)

        fileName = os.path.dirname(module.__dict__["__file__"])
        fileName = os.path.join(fileName, moduleName + ".py")

        with open(fileName) as f:
            for line in f:
                dprint(line)

    except ImportError:
        dprintln("import error")
        pass

    dprintln("")
    dprintln("<link cmd=\"!py samples\">Sample list</link>", True)
    dprintln("")
Exemplo n.º 5
0
    def dumpMemory(self, dumpPath, addr, size):
        lineNumber = 0x40
        mapSize = 0x1000
        cmdDd = "dd %x L%x"
        regDd = "[0-9a-fA-F]+ +[0-9a-fA-F]+ +[0-9a-fA-F]+ +[0-9a-fA-F]+ +[0-9a-fA-F]+"

        if size <= 0:
            self.winBr.dbiprintf("[E] Invalid dump size : 0x%08x" % size)
            return
        pykd.dprint("[+] Dump 0x%08x ( 0x%08x )" % (addr, size))
        dSize = size / mapSize
        if size % mapSize != 0:
            dSize = dSize + 1
        dSize = dSize * mapSize
        fileName = "dump_0x%x (0x%x).bin" % (addr, dSize)
        self.lDumpNames.append(fileName)
        fullPath = dumpPath + fileName
        f = open(fullPath, "wb")
        fullLoop = dSize / (lineNumber * 4)
        ta = addr
        for l in range(fullLoop):
            #self.winBr.dbiprintf(" -> 0x%08x" % ta)
            pykd.dprint(".")
            cmd = cmdDd % (ta, lineNumber)
            cmdr = pykd.dbgCommand(cmd)
            #self.winBr.dbiprintf(cmdr)
            ta = ta + (lineNumber * 4)

            bl = re.findall(regDd, cmdr)
            for i in bl:
                #self.winBr.dbiprintf(i)
                rel = i.split()
                f.write(struct.pack("<L", int(rel[1], 16)))
                f.write(struct.pack("<L", int(rel[2], 16)))
                f.write(struct.pack("<L", int(rel[3], 16)))
                f.write(struct.pack("<L", int(rel[4], 16)))
        self.winBr.dbiprintf("")
        f.close()
        self.winBr.dbiprintf(" -> %s" % fullPath)
Exemplo n.º 6
0
import pykd

# Parsing the ProcessList with pykd

if __name__ == "__main__":

    if not pykd.isWindbgExt():
        print("Script cannot be launched outside Windbg")
        quit(0)

    pActiveProcessList = pykd.module("nt").PsActiveProcessHead
    # pActiveProcessList = pykd.getOffset("nt!PsActiveProcessHead") -> slower than using module("nt")...
    processList = pykd.typedVarList(pActiveProcessList, "nt!_EPROCESS",
                                    "ActiveProcessLinks")

    for i, process in enumerate(processList):
        pykd.dprint("Process " + str(i) + ":")
        name = pykd.loadCStr(process.ImageFileName)
        print(name)
Exemplo n.º 7
0
    def searchIatCandidate(self, addr, size):
        lineNumber = 0x40
        mapSize = 0x1000
        cmdDd = "dd %x L%x"
        regDd = "[0-9a-fA-F]+ +[0-9a-fA-F]+ +[0-9a-fA-F]+ +[0-9a-fA-F]+ +[0-9a-fA-F]+"

        dictCandIat = {}
        baseAddr = 0
        nullCnt = 0

        if size <= 0:
            self.dbiprintf("[E] Invalid dump size : 0x%08x" % size, False)
            return types.NoneType
        self.dbiprintf("[+] Searching IAT candidates in 0x%08x ( 0x%08x )" %
                       (addr, size))
        dSize = size / mapSize
        if size % mapSize != 0:
            dSize = dSize + 1
            dSize = dSize * mapSize

        fullLoop = dSize / (lineNumber * 4)
        ta = addr
        for l in range(fullLoop):
            pykd.dprint(".")
            cmd = cmdDd % (ta, lineNumber)
            cmdr = pykd.dbgCommand(cmd)
            ta = ta + (lineNumber * 4)

            bl = re.findall(regDd, cmdr)
            for i in bl:
                rel = i.split()
                for j in range(1, len(rel)):
                    valIn = int(rel[j], 16)
                    if valIn == 0:
                        if baseAddr != 0:
                            if nullCnt > 0:
                                nullCnt = 0
                                baseAddr = 0
                            else:
                                nullCnt = nullCnt + 1
                                dictCandIat[
                                    baseAddr] = dictCandIat[baseAddr] + 1
                        continue

                    nullCnt = 0
                    sym = self.getSymbolFromAddr(valIn, True)
                    if sym != "":
                        if baseAddr == 0:
                            baseAddr = int(rel[0], 16) + ((j - 1) * 4)
                            dictCandIat[baseAddr] = 1
                        else:
                            dictCandIat[baseAddr] = dictCandIat[baseAddr] + 1

        self.dbiprintf("")
        maxCnt = -1
        maxAddr = 0
        if len(dictCandIat) == 0:
            return types.NoneType
        self.dbiprintf("[+] Candidates of IAT")
        for i in dictCandIat.keys():
            self.dbiprintf(" - 0x%08x : %d" % (i, dictCandIat[i]))
            if maxCnt < dictCandIat[i]:
                maxCnt = dictCandIat[i]
                maxAddr = i
        self.dbiprintf(" -> Longest hit : 0x%08x" % maxAddr)
        self.dbiprintf("")
        return [maxAddr, maxCnt]