def load_binary(filepath, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
# If attempting to attach to a 64 bit process
# 64 bit python is required.
trace.execute(filepath)
###############################################################
# The notifier class we want to register
notif = CustomNotifier()
# The list of events we want the notifier to handle
eve = vtrace.NOTIFY_ALL
# Tell our vtrace object that we want to capture all events with CustomNotifier
trace.registerNotifier(eve, notif)
###############################################################
# Call a function to set BP on OEP
oep = v_api.getOEP(trace, filepath)
# Set breakpoint at address
bp = vtrace.Breakpoint(oep)
trace.addBreakpoint(bp)
# Start executing the program until you hit a breakpoint or it ends
trace.run()
#################################################################
# Step 5 times into the program
for i in range(5):
trace.stepi()
# Deregister our notifier
trace.deregisterNotifier(eve, notif)
def followCreateProcessA(trace):
dwAddr = trace.getRegister(REG_ESP)
dwAddr += 4 #remove eip
dwAddr += 4 #remove lpApplicationName
dwAddr += 4 #remove lpCommandLine
dwAddr += 4 #remove procattrs
dwAddr += 4 #remove threadattrs
dwAddr += 4 #remove inheritHandles
dwCreateFlags = struct.unpack("I", trace.readMemory(dwAddr, 4))[0]
dwCreateFlags |= 4
dwCreateFlags = struct.pack("I", dwCreateFlags)
try:
trace.writeMemory(dwCreateFlags, dwAddr)
except:
pass
# Add a breakpoint on the return address from CreateProcessA
# Run to it and then call afterCreateProcessA
# This is so the PID variable is populated.
esp = trace.getRegister(REG_ESP)
ret = trace.readMemory(esp, 4)
ret2 = struct.unpack("I", ret)[0]
bp = vtrace.Breakpoint(None, expression=hex(ret2))
trace.addBreakpoint(bp)
printBp(trace)
trace.run()
esp = trace.getRegister(REG_ESP)
dwAddr = esp
dwAddr -= 44 #move esp to location of stack from CreateProcessA
dwAddr += 24 #move esp to location after some CreateProcessA variables
dwAddr += 4 #remove dwCreationFlags
dwAddr += 4 #remove lpEnvironment
dwAddr += 4 #remove lpCurrentDirectory
dwAddr += 4 #remove lsStartupInfo
# dwAddr points to lpProcessInformation
#print "dwAddr: ", dwAddr
procid = trace.readMemory(dwAddr, 4)
procid = struct.unpack("I", procid)[0]
procid += 4 #remove hProcess
procid += 4 #remove hThread
# procid points to dwProcessId
try:
pid = struct.unpack("I", trace.readMemory(procid, 4))[0]
print "ProcID: ", pid
if pid != None:
trace.attach(pid)
print "ADD TRACE: ", trace.getPid()
except:
pass
return trace
def main():
import vtrace
sym = sys.argv[1]
pid = int(sys.argv[2])
t = vtrace.getTrace()
t.attach(pid)
symaddr = t.parseExpression(sym)
t.addBreakpoint(vtrace.Breakpoint(symaddr))
while t.getProgramCounter() != symaddr:
t.run()
snap = t.takeSnapshot()
#snap.saveToFile("woot.snap") # You may open in vdb to follow along
emu = emulatorFromTrace(snap)
lockStepEmulator(emu, t)
def main(argv):
opts = setup().parse_args(argv)
t = vtrace.getTrace()
t.attach(opts.pid)
symaddr = t.parseExpression(opts.expr)
t.addBreakpoint(vtrace.Breakpoint(symaddr))
while t.getProgramCounter() != symaddr:
t.run()
snap = v_snapshot.takeSnapshot(t)
if opts.save:
# You may open this file in vdb to follow along
snap.saveToFile(opts.save)
emu = emuFromTrace(snap)
lockStepEmulator(emu, t)
def load_binary(filepath, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
# If attempting to attach to a 64 bit process
# 64 bit python is required.
trace.execute(filepath)
# Call a function to set BP on OEP
oep = v_api.getOEP(trace, filepath)
# Set breakpoint at address
bp = vtrace.Breakpoint(oep)
trace.addBreakpoint(bp)
# Print out all the current breakpoints as well as if they are enabled.
for bp in trace.getBreakpoints():
print("%s enabled: %s" % (bp, bp.isEnabled()))
# Start executing the program until you hit a breakpoint or it ends
trace.run()
##############################################################
# At this point you are at OEP of the program
# We know that there is a call 5 instructions in
# There are ways to programmatically find a call
for i in range(5):
trace.stepi()
# Print the value of EIP as a long and as hex
print "\n"
print "EIP: ", trace.getRegister(REG_EIP)
print "HEX EIP: ", hex(trace.getRegister(REG_EIP))
# Once you are in the function you can read the value of ESP
# ESP points to the value of the return address
print "\n"
esp = trace.getRegister(REG_ESP)
retaddr = trace.readMemory(esp, 4)
# Returns the exact memory locations
# Just in the WRONG order
print "RET: ", retaddr.encode('hex')
# This returns the address correctly formatted
print "RET: ", hex(struct.unpack("I", retaddr)[0])
def load_binary(filepath, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
trace.execute(filepath)
######################################################################
# Call a function to set BP on OEP
oep = v_api.getOEP(trace, filepath)
# Set breakpoint at address
bp = vtrace.Breakpoint(oep)
trace.addBreakpoint(bp)
# Print out all the current breakpoints as well as if they are enabled.
for bp in trace.getBreakpoints():
print("%s enabled: %s" % (bp, bp.isEnabled()))
######################################################################
# Start executing the program until you hit a breakpoint or it ends
trace.run()
######################################################################
# print out the value of EIP as a long and as a hex value
print "\n"
print "EIP: ", trace.getRegister(REG_EIP)
print "HEX EIP: ", hex(trace.getRegister(REG_EIP))
# Read the address of EIP
eip = trace.getRegister(REG_EIP)
# Read the memory values pointed to by EIP
s = trace.readMemory(eip, 15)
# Determine the opcode of the memory pointed to by EIP
op1 = trace.makeOpcode(s, 0, eip)
print "OP CODE: ", op1
# print out the value of EAX as a long and as a hex value
print "\n"
print "EAX: ", trace.getRegister(REG_EAX)
print "HEX EAX: ", hex(trace.getRegister(REG_EAX))
# Print out the value of ESP as a long and as a hex value
print "\n"
print "ESP: ", trace.getRegister(REG_ESP)
print "HEX ESP: ", hex(trace.getRegister(REG_ESP))
def load_binary(filepath, base=None):
trace = vtrace.getTrace()
trace.execute(filepath)
#######################################################################
# Call a function to set BP on OEP
oep = v_api.getOEP(trace, filepath)
# Set breakpoint at address
bp = vtrace.Breakpoint(oep)
trace.addBreakpoint(bp)
######################################################################
# Start executing the program until you hit a breakpoint or it ends
trace.run()
#######################################################################
# function takes in just filename not the full path to filename.exe
exeName = filepath.split(".exe")[0]
fileName = exeName.split("\\")[len(exeName.split("\\"))-1]
# Get the list of imported functions to compare against
base, importTable = v_api.printIAT(trace, fileName, debug)
def load_binary(filepath, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
# If attempting to attach to a 64 bit process
# 64 bit python is required.
trace.execute(filepath)
oep = v_api.getOEP(trace, filepath)
# Set breakpoint at address
bp = vtrace.Breakpoint(oep)
trace.addBreakpoint(bp)
# Print out all the current breakpoints as well as if they are enabled.
for bp in trace.getBreakpoints():
print("%s enabled: %s" % (bp, bp.isEnabled()))
# Start executing the program until you hit a breakpoint or it ends
trace.run()
print "Holy BreakPoint Batman!"
def load_binary(filepath, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
# If attempting to attach to a 64 bit process
# 64 bit python is required.
trace.execute(filepath)
###############################################################
# Call a function to set BP on OEP
oep = v_api.getOEP(trace, filepath)
# Set breakpoint at address
bp = vtrace.Breakpoint(oep)
trace.addBreakpoint(bp)
# Start executing the program until you hit a breakpoint or it ends
trace.run()
#################################################################
# takes a snapshot of memory
snap = vs_snap.takeSnapshot(trace)
# saves it to a file
snap.saveToFile("zTest.snap")
trace.setMeta('sockets', {})
trace.setMeta('current_socket', {})
trace.setMeta('connections', [])
trace.setMeta('recv_bufs', [])
notif = CustomNotifier()
event = vtrace.NOTIFY_BREAK
trace.registerNotifier(event, notif)
lib_ws2_32 = trace.getSymByName('ws2_32')
send = lib_ws2_32.getSymByName('send')
recv = lib_ws2_32.getSymByName('recv')
connect = lib_ws2_32.getSymByName('connect')
socket = lib_ws2_32.getSymByName('socket')
breakpoints = [
vtrace.Breakpoint(send.value),
vtrace.Breakpoint(recv.value),
vtrace.Breakpoint(connect.value),
vtrace.Breakpoint(socket.value),
]
for breakpoint in breakpoints:
trace.addBreakpoint(breakpoint)
try:
trace.run()
except:
pass
def popBreakpoint(self, item, va):
bp = vtrace.Breakpoint(va)
self.vdbwin.db.trace.addBreakpoint(bp)
def setBpOnPattern(trace, pattern):
addr = findFunc(trace, pattern)
bp = vtrace.Breakpoint(addr)
trace.addBreakpoint(bp)
def do_bp(self, line):
"""
Show, add, and enable/disable breakpoints
USAGE: bp [-d <addr>] [-a <addr>] [-o <addr>] [[-c pycode] <address> ...]
-C - Clear All Breakpoints
-c "py code" - Set the breakpoint code to the given python string
-d <id> - Disable Breakpoint
-e <id> - Enable Breakpoint
-r <id> - Remove Breakpoint
-o <addr> - Create a OneTimeBreak
-R <original base>,<original addr>,<Module Name>- rebase and set the break point for module
-L <libname> - Add bp's to all functions in <libname>
-F <filename> - Load bpcode from file
-W perms:size - Set a hardware Watchpoint with perms/size (ie -W rw:4)
<address>... - Create Breakpoint
NOTE: -c adds python code to the breakpoint. The python code will
be run with the following objects mapped into it's namespace
automagically:
vtrace - the vtrace package
trace - the tracer
bp - the breakpoint object
"""
self.trace.requireNotRunning()
argv = e_cli.splitargs(line)
opts, args = getopt(argv, "F:e:d:o:r:L:R:Cc:W:")
pycode = None
wpargs = None
for opt, optarg in opts:
if opt == "-e":
self.trace.setBreakpointEnabled(eval(optarg), True)
elif opt == "-c":
pycode = optarg
test = compile(pycode, "test", "exec")
elif opt == "-F":
bp_lines = file(optarg, "rU").readlines()
for line in bp_lines:
if line.find("#") > -1:
line = line.split('#')[0]
if line == "":
continue
if line.find("-c") > -1:
pycode = line.split("-c")[1].split()[0].strip()
try:
test = compile(pycode, "test", "exec")
except:
self.vprint(
"Error: Not adding BP, bad line entry: %s",
line)
continue
bp_addr = line.split()[-1]
try:
bp = vtrace.Breakpoint(None, expression=bp_addr)
bp.setBreakpointCode(pycode)
self.trace.addBreakpoint(bp)
except:
self.vprint("Error: Not adding BP, bad line entry: %s",
line)
self.vprint(" [ Breakpoints ]")
for bp in self.trace.getBreakpoints():
self.vprint("%s enabled: %s" % (bp, bp.isEnabled()))
return
elif opt == "-r":
self.trace.removeBreakpoint(eval(optarg))
elif opt == "-R":
margs = optarg.strip().split(",")
original_base = None
original_addr = None
maps = None
if "".join(margs[0][0:2]).lower() == "0x":
original_base = int(margs[0], 16)
print original_base
if "".join(margs[1][0:2]).lower() == "0x":
original_addr = int(margs[1], 16)
print original_addr
if "".join(margs[2][0:2]).lower() == "0x":
va = int(margs[2], 16)
map = self.memobj.getMemoryMap(va)
else:
maps = [
i for i in self.trace.platformGetMaps()
if i[3].find(margs[2]) > -1
]
if len(maps):
map = maps[0]
print map
if not map or not original_base or not original_addr:
self.vprint("Unable to add the breakpoint :-(")
print map
print original_base
print original_addr
maddr, size, perm, fname = map
rebased_bp = maddr + (original_addr - original_base)
args = []
args.append(hex(rebased_bp))
elif opt == "-C":
for bp in self.trace.getBreakpoints():
self.trace.removeBreakpoint(bp.id)
elif opt == "-d":
self.trace.setBreakpointEnabled(eval(optarg), False)
elif opt == "-o":
self.trace.addBreakpoint(
vtrace.OneTimeBreak(None, expression=optarg))
elif opt == "-L":
for sym in self.trace.getSymsForFile(optarg):
if not isinstance(sym, e_resolv.FunctionSymbol):
continue
try:
bp = vtrace.Breakpoint(None, expression=str(sym))
bp.setBreakpointCode(pycode)
self.trace.addBreakpoint(bp)
self.vprint("Added: %s" % str(sym))
except Exception, msg:
self.vprint("WARNING: %s" % str(msg))
elif opt == "-W":
wpargs = optarg.split(":")
self.vprint("Added: %s" % str(sym))
except Exception, msg:
self.vprint("WARNING: %s" % str(msg))
elif opt == "-W":
wpargs = optarg.split(":")
for arg in args:
if wpargs != None:
size = int(wpargs[1])
bp = vtrace.Watchpoint(None,
expression=arg,
size=size,
perms=wpargs[0])
else:
bp = vtrace.Breakpoint(None, expression=arg)
bp.setBreakpointCode(pycode)
self.trace.addBreakpoint(bp)
self.vprint(" [ Breakpoints ]")
for bp in self.trace.getBreakpoints():
self.vprint("%s enabled: %s" % (bp, bp.isEnabled()))
def do_fds(self, args):
"""
Show all the open Handles/FileDescriptors for the target process.
The "typecode" shown in []'s is the vtrace typecode for that kind of
fd/handle. If a string is provided, it will be used to filter results
Usage: fds [filter string]
"""