def alloc_string(pid, addr, value): x = int(addr, 16) process = Process(pid) lpNewAddr = process.malloc(len(value) + 1) newval = value + '\x0a' print HexDump.hexadecimal(newval, '\\x') try: process.write(lpNewAddr, newval) except Exception, e: process.free(lpNewAddr) raise
def read_string(pid, addr): x = int(addr, 16) process = Process(pid) # print "get_main_module:", process.get_main_module() # print "get_peb:", hex(process.get_peb().ImageBaseAddress) print "read: ", x print print "string :" read = process.peek_string(x) print read print HexDump.hexadecimal(read, '\\x')
def decode(self, address, code): # Decode each instruction in the buffer. result = [] offset = 0 while offset < len(code): # Decode the current instruction. opcode = libdisassemble.Opcode(code[offset:offset + 32]) length = opcode.getSize() disasm = opcode.printOpcode('INTEL') hexdump = HexDump.hexadecimal(code[offset:offset + length]) # Add the decoded instruction to the list. result.append(( address + offset, length, disasm, hexdump, )) # Move to the next instruction. offset += length # Return the list of decoded instructions. return result
def decode(self, address, code): # Decode each instruction in the buffer. result = [] offset = 0 while offset < len(code): # Decode the current instruction. opcode = libdisassemble.Opcode( code[offset:offset+32] ) length = opcode.getSize() disasm = opcode.printOpcode('INTEL') hexdump = HexDump.hexadecimal( code[offset:offset+length] ) # Add the decoded instruction to the list. result.append(( address + offset, length, disasm, hexdump, )) # Move to the next instruction. offset += length # Return the list of decoded instructions. return result
def decode(self, address, code): # Decode each instruction in the buffer. result = [] offset = 0 while offset < len(code): # Try to decode the current instruction. instruction = pydasm.get_instruction(code[offset:offset + 32], pydasm.MODE_32) # Get the memory address of the current instruction. current = address + offset # Illegal opcode or opcode longer than remaining buffer. if not instruction or instruction.length + offset > len(code): hexdump = '%.2X' % ord(code[offset]) disasm = 'db 0x%s' % hexdump ilen = 1 # Correctly decoded instruction. else: disasm = pydasm.get_instruction_string(instruction, pydasm.FORMAT_INTEL, current) ilen = instruction.length hexdump = HexDump.hexadecimal(code[offset:offset + ilen]) # Add the decoded instruction to the list. result.append(( current, ilen, disasm, hexdump, )) # Move to the next instruction. offset += ilen # Return the list of decoded instructions. return result
def decode(self, address, code): # Decode each instruction in the buffer. result = [] offset = 0 while offset < len(code): # Try to decode the current instruction. instruction = pydasm.get_instruction(code[offset:offset+32], pydasm.MODE_32) # Get the memory address of the current instruction. current = address + offset # Illegal opcode or opcode longer than remaining buffer. if not instruction or instruction.length + offset > len(code): hexdump = '%.2X' % ord(code[offset]) disasm = 'db 0x%s' % hexdump ilen = 1 # Correctly decoded instruction. else: disasm = pydasm.get_instruction_string(instruction, pydasm.FORMAT_INTEL, current) ilen = instruction.length hexdump = HexDump.hexadecimal(code[offset:offset+ilen]) # Add the decoded instruction to the list. result.append(( current, ilen, disasm, hexdump, )) # Move to the next instruction. offset += ilen # Return the list of decoded instructions. return result
def hex_string(pid, addr, size, flag=1): x = int(addr, 16) process = Process(pid) data = process.read(x, size * 8) #hexdump = HexDump.printable( data ) if flag == 3: print HexDump.hexblock_dword(data, address=True, width=16) elif flag == 2: print HexDump.hexblock_word(data, address=True, width=16) else: print HexDump.hexblock(data, address=True, width=16)
def decode(self, address, code): # Get the constants for the requested architecture. arch, mode = self.__constants[self.arch] # Get the decoder function outside the loop. decoder = capstone.cs_disasm_quick # If the buggy version of the bindings are being used, we need to catch # all exceptions broadly. If not, we only need to catch CsError. if self.__bug: CsError = Exception else: CsError = capstone.CsError # Create the variables for the instruction length, mnemonic and # operands. That way they won't be created within the loop, # minimizing the chances data might be overwritten. # This only makes sense for the buggy vesion of the bindings, normally # memory accesses are safe). length = mnemonic = op_str = None # For each instruction... result = [] offset = 0 while offset < len(code): # Disassemble a single instruction, because disassembling multiple # instructions may cause excessive memory usage (Capstone allocates # approximately 1K of metadata per each decoded instruction). instr = None try: instr = decoder(arch, mode, code[offset:offset + 16], address + offset, 1)[0] except IndexError: pass # No instructions decoded. except CsError: pass # Any other error. # On success add the decoded instruction. if instr is not None: # Get the instruction length, mnemonic and operands. # Copy the values quickly before someone overwrites them, # if using the buggy version of the bindings (otherwise it's # irrelevant in which order we access the properties). length = instr.size mnemonic = instr.mnemonic op_str = instr.op_str # Concatenate the mnemonic and the operands. if op_str: disasm = "%s %s" % (mnemonic, op_str) else: disasm = mnemonic # Get the instruction bytes as a hexadecimal dump. hexdump = HexDump.hexadecimal(code[offset:offset + length]) # On error add a "define constant" instruction. # The exact instruction depends on the architecture. else: # The number of bytes to skip depends on the architecture. # On Intel processors we'll skip one byte, since we can't # really know the instruction length. On the rest of the # architectures we always know the instruction length. if self.arch in (win32.ARCH_I386, win32.ARCH_AMD64): length = 1 else: length = 4 # Get the skipped bytes as a hexadecimal dump. skipped = code[offset:offset + length] hexdump = HexDump.hexadecimal(skipped) # Build the "define constant" instruction. # On Intel processors it's "db". # On ARM processors it's "dcb". if self.arch in (win32.ARCH_I386, win32.ARCH_AMD64): mnemonic = "db " else: mnemonic = "dcb " bytes = [] for b in skipped: if b.isalpha(): bytes.append("'%s'" % b) else: bytes.append("0x%x" % ord(b)) op_str = ", ".join(bytes) disasm = mnemonic + op_str # Add the decoded instruction to the list. result.append(( address + offset, length, disasm, hexdump, )) # Update the offset. offset += length # Return the list of decoded instructions. return result
def decode(self, address, code): # Get the constants for the requested architecture. arch, mode = self.__constants[self.arch] # Get the decoder function outside the loop. decoder = capstone.cs_disasm_quick # If the buggy version of the bindings are being used, we need to catch # all exceptions broadly. If not, we only need to catch CsError. if self.__bug: CsError = Exception else: CsError = capstone.CsError # Create the variables for the instruction length, mnemonic and # operands. That way they won't be created within the loop, # minimizing the chances data might be overwritten. # This only makes sense for the buggy vesion of the bindings, normally # memory accesses are safe). length = mnemonic = op_str = None # For each instruction... result = [] offset = 0 while offset < len(code): # Disassemble a single instruction, because disassembling multiple # instructions may cause excessive memory usage (Capstone allocates # approximately 1K of metadata per each decoded instruction). instr = None try: instr = decoder( arch, mode, code[offset:offset+16], address+offset, 1)[0] except IndexError: pass # No instructions decoded. except CsError: pass # Any other error. # On success add the decoded instruction. if instr is not None: # Get the instruction length, mnemonic and operands. # Copy the values quickly before someone overwrites them, # if using the buggy version of the bindings (otherwise it's # irrelevant in which order we access the properties). length = instr.size mnemonic = instr.mnemonic op_str = instr.op_str # Concatenate the mnemonic and the operands. if op_str: disasm = "%s %s" % (mnemonic, op_str) else: disasm = mnemonic # Get the instruction bytes as a hexadecimal dump. hexdump = HexDump.hexadecimal( code[offset:offset+length] ) # On error add a "define constant" instruction. # The exact instruction depends on the architecture. else: # The number of bytes to skip depends on the architecture. # On Intel processors we'll skip one byte, since we can't # really know the instruction length. On the rest of the # architectures we always know the instruction length. if self.arch in (win32.ARCH_I386, win32.ARCH_AMD64): length = 1 else: length = 4 # Get the skipped bytes as a hexadecimal dump. skipped = code[offset:offset+length] hexdump = HexDump.hexadecimal(skipped) # Build the "define constant" instruction. # On Intel processors it's "db". # On ARM processors it's "dcb". if self.arch in (win32.ARCH_I386, win32.ARCH_AMD64): mnemonic = "db " else: mnemonic = "dcb " bytes = [] for b in skipped: if b.isalpha(): bytes.append("'%s'" % b) else: bytes.append("0x%x" % ord(b)) op_str = ", ".join(bytes) disasm = mnemonic + op_str # Add the decoded instruction to the list. result.append(( address + offset, length, disasm, hexdump, )) # Update the offset. offset += length # Return the list of decoded instructions. return result
lpNewAddr = process.malloc(len(value) + 1) newval = value + '\x0a' print HexDump.hexadecimal(newval, '\\x') try: process.write(lpNewAddr, newval) except Exception, e: process.free(lpNewAddr) raise print "lpNewAddr:", hex(lpNewAddr) read = process.peek_string(lpNewAddr) print read print HexDump.hexadecimal(read, '\\x') return lpNewAddr def push_addr(pid, addr, value): x = int(addr, 16) process = Process(pid) code = '\x68' + struct.pack('<L', int(value, 16)) print "code:", code print "addr:", x try: process.write(x, code)