Exemplo n.º 1
0
 def return_call_back(self, bp):
     if self.bp_end_atan == bp and self.bp_heap_alloc is None:
         # this is where we enable our heap alloc bp
         print("(+) enabling heap alloc bp.")
         addr = self.get_address("ntdll!RtlAllocateHeap")
         disas = pykd.dbgCommand("uf %x" % int(addr, 16)).split('\n')
         for i in disas:
             if 'ret' in i:
                 self.ret_addr = i.split()[0]
                 break
         self.bp_heap_alloc = pykd.setBp(int(self.ret_addr, 16), self.return_call_back_with_eax)
     elif self.bp_end_asin == bp and self.bp_heap_alloc is not None:
         # this is where we disable our heap alloc bp
         print("(+) disabling heap alloc bp.")
         if self.get_pykd_version() == 3:
             self.bp_asan.remove()
             self.bp_asin.remove()
             self.bp_end_asin.remove()
             self.bp_end_atan.remove()
             self.bp_heap_alloc.remove()
         else:
             pykd.removeBp(self.bp_asan)
             pykd.removeBp(self.bp_asin)
             pykd.removeBp(self.bp_end_asin)
             pykd.removeBp(self.bp_end_atan)
             pykd.removeBp(self.bp_heap_alloc)
     return False
Exemplo n.º 2
0
def main(init_sym, mem_limit, timeout):
    run_time = time.time()
    timeout = timeout + time.time()
    pykd.dbgCommand("bu %x" % sym_off_to_addr(init_sym))
    page_size = get_page_size()
    pykd.go()
    target_pid = get_pid()
    pykd.removeBp(get_bp_hit())
    pykd.dbgCommand("bm MSVCR*!malloc")
    pykd.dbgCommand("bm MSVCR*!realloc")
    pykd.dbgCommand("bm MSVCR*!calloc")
    log.debug("target pid: %d", target_pid)
    while time.time() < timeout:
        pykd.go()
        cur_mem = get_mem_usage(target_pid)
        if cur_mem >= mem_limit:
            log.info("missed request! current memory: %d", cur_mem)
            break
        req = requested_mem_size()
        if req == 0:
            log.info("unexpected break on: %s", get_current_stack()[0])
            continue
        if req > page_size:
            if req % page_size:
                page_req = page_size * ((req / page_size) + 1)
            else:
                page_req = page_size * (req / page_size)
        else:
            page_req = page_size
        if cur_mem + page_req >= mem_limit:
            log.info("request will exceed limit, current: %d, request %d",
                     cur_mem, req)
            break

    log.info("*" * 60)
    if time.time() < timeout:
        set_thread(get_hung_thread())
        call_stack = get_current_stack()
        if not call_stack:
            log.info("Unable to trace!")
        for line in call_stack:
            log.info("STACK_FRAME:%s" % line)
    else:
        log.info("Timeout!")
    log.info("*" * 60)
    log.info("----- STATS -----")
    log.info("MEMORY LIMIT: %d MB", mem_limit / 0x100000)
    log.info("DGB TIME: %0.2f", time.time() - run_time)
    log.info("PROC TIME: %0.2f", get_proc_run_time())
    log.info("THREAD TIME: %0.2f",
             get_thread_run_time(get_thread_list()[get_hung_thread()]))
Exemplo n.º 3
0
def main(init_sym, mem_limit, timeout):
    run_time = time.time()
    timeout = timeout + time.time()
    pykd.dbgCommand("bu %x" % sym_off_to_addr(init_sym))
    page_size = get_page_size()
    pykd.go()
    target_pid = get_pid()
    pykd.removeBp(get_bp_hit())
    pykd.dbgCommand("bm MSVCR*!malloc")
    pykd.dbgCommand("bm MSVCR*!realloc")
    pykd.dbgCommand("bm MSVCR*!calloc")
    log.debug("target pid: %d", target_pid)
    while time.time() < timeout:
        pykd.go()
        cur_mem = get_mem_usage(target_pid)
        if cur_mem >= mem_limit:
            log.info("missed request! current memory: %d", cur_mem)
            break
        req = requested_mem_size()
        if req == 0:
            log.info("unexpected break on: %s", get_current_stack()[0])
            continue
        if req > page_size:
            if req % page_size:
                page_req = page_size * ((req/page_size)+1)
            else:
                page_req = page_size * (req/page_size)
        else:
            page_req = page_size
        if cur_mem + page_req >= mem_limit:
            log.info("request will exceed limit, current: %d, request %d", cur_mem, req)
            break

    log.info("*" * 60)
    if time.time() < timeout:
        set_thread(get_hung_thread())
        call_stack = get_current_stack()
        if not call_stack:
            log.info("Unable to trace!")
        for line in call_stack:
            log.info("STACK_FRAME:%s" % line)
    else:
        log.info("Timeout!")
    log.info("*" * 60)
    log.info("----- STATS -----")
    log.info("MEMORY LIMIT: %d MB", mem_limit/0x100000)
    log.info("DGB TIME: %0.2f", time.time()-run_time)
    log.info("PROC TIME: %0.2f", get_proc_run_time())
    log.info("THREAD TIME: %0.2f", get_thread_run_time(get_thread_list()[get_hung_thread()]))
Exemplo n.º 4
0
    def unsetBp(self, addr):
        cmdBl = "bl"
        regBl = "\d +[e|d] +[0-9a-fA-F]+ "

        cmdr = pykd.dbgCommand(cmdBl)
        if type(cmdr) == types.NoneType:
            self.br.dbiprintf(" - [E] Has any breaks")
            return -1
        #self.br.dbiprintf(cmdr)
        bl = re.findall(regBl, cmdr)

        for i in bl:
            rel = i.split()
            bNum = int(rel[0])
            bAddr = int(rel[2], 16)
            if bAddr == addr:
                pykd.removeBp(bNum)
                self.bp_end = None
Exemplo n.º 5
0
def find_next_sym(next_bp, prev_bp, timeout):
    iters = 100
    found_sym = False
    sample_time = 0

    set_bp(next_bp, 0, 1)
    set_bp(prev_bp, 1, iters)
    while not is_complete():
        pykd.go()
        curr_bp = get_bp_hit()
        target_time = get_proc_run_time()
        log.debug("target time %0.2f", target_time)
        if curr_bp == 1:
            if target_time >= timeout:
                break
            iter_duration = target_time - sample_time
            if iter_duration < 0.5:  # optimization
                if iters < 25600:
                    iters *= 2
                    log.debug("iter duration: %0.2f, (x2) prev_bp iters: %d",
                              iter_duration, iters)
            elif iter_duration >= 0.5 and iter_duration < 0.85:  # optimization
                iters += 100
                log.debug("iter duration: %0.2f, (+100) prev_bp iters: %d",
                          iter_duration, iters)
            set_bp(prev_bp, 1, iters)
        elif curr_bp == 0:
            found_sym = True
            break
        else:
            log.debug("break not triggered by breakpoint")
            if pykd.dbgCommand(".lastevent").find(
                    "(!!! second chance !!!)") != -1:
                raise RuntimeError("Expected Timeout found Access violation!")
        sample_time = target_time

    pykd.removeBp(1)
    pykd.removeBp(0)
    return found_sym
Exemplo n.º 6
0
def find_next_sym(next_bp, prev_bp, timeout):
    iters = 100
    found_sym = False
    sample_time = 0

    set_bp(next_bp, 0, 1)
    set_bp(prev_bp, 1, iters)
    while not is_complete():
        pykd.go()
        curr_bp = get_bp_hit()
        target_time = get_proc_run_time()
        log.debug("target time %0.2f", target_time)
        if curr_bp == 1:
            if target_time >= timeout:
                break
            iter_duration = target_time - sample_time
            if iter_duration < 0.5:  # optimization
                if iters < 25600:
                    iters *= 2
                    log.debug("iter duration: %0.2f, (x2) prev_bp iters: %d", iter_duration, iters)
            elif iter_duration >= 0.5 and iter_duration < 0.85:  # optimization
                iters += 100
                log.debug("iter duration: %0.2f, (+100) prev_bp iters: %d", iter_duration, iters)
            set_bp(prev_bp, 1, iters)
        elif curr_bp == 0:
            found_sym = True
            break
        else:
            log.debug("break not triggered by breakpoint")
            if pykd.dbgCommand(".lastevent").find("(!!! second chance !!!)") != -1:
                raise RuntimeError("Expected Timeout found Access violation!")
        sample_time = target_time

    pykd.removeBp(1)
    pykd.removeBp(0)
    return found_sym