def parse_methode_call_record(data, start):
    """Dispatch the record at ``data[start]`` to its ``parse_record_*`` helper.

    The byte at ``start`` is read as the record-type tag and the result of the
    matching helper is returned unchanged. A tag with no branch below is
    logged together with a hex dump of ``data[start:]`` and yields
    ``(None, start + 1)``.

    Tags 11 (MessageEnd), 13 (ObjectNullMultiple256) and 14
    (ObjectNullMultiple) have no parser here, so they also end up on the
    unknown-tag path.
    """
    # No bounds check is done here: a start at or past len(data) raises
    # IndexError on the next line.
    tag = ord(data[start])

    if tag == 1:  # ClassWithId
        return parse_record_classwithid(data, start)
    if tag == 3:  # ClassWithMembers
        return parse_record_classwithmembers(data, start)
    if tag == 4:  # SystemClassWithMembersAndTypes
        return parse_record_systemclasswithmembersandtypes(data, start)
    if tag == 5:  # ClassWithMembersAndTypes
        return parse_record_classwithmembersandtypes(data, start)
    if tag == 6:  # BinaryObjectString
        return parse_record_binaryobjectstring(data, start)
    if tag == 7:  # BinaryArray
        return parse_record_binaryarray(data, start)
    if tag == 8:  # MemberPrimitiveType
        return parse_record_memberprimitivetype(data, start)
    if tag == 9:  # MemberReference
        return parse_record_memberreference(data, start)
    if tag == 10:  # ObjectNull
        return parse_record_objectnull(data, start)
    if tag == 12:  # BinaryLibrary
        return parse_record_binarylibrary(data, start)
    if tag == 15:  # ArraySinglePrimitive
        return parse_record_arraysingleprimitive(data, start)
    if tag == 16:  # ArraySingleObject
        return parse_record_arraysingleobject(data, start)

    # Unknown or unsupported tag. The dump covers the whole remainder of the
    # buffer, so one bad byte early in a large input produces a large log entry.
    Log.error("Unkown Record Type: %d" % tag)
    Log.print_hex(data[start:])
    return None, start + 1
def parse_record_memberprimitivetype(data, start):
    """Parse a MemberPrimitiveType record that begins at ``data[start]``.

    The byte after the record tag selects the primitive type via
    ``get_type_enum``. Only "Boolean" is decoded (one byte, stored as an int);
    any other type is logged with a 16-byte hex dump and gets ``Value`` set to
    ``None``.

    Returns ``(record, pos)`` where ``pos`` is ``start + 3`` in both cases.
    """
    primitive = get_type_enum(ord(data[start+1]))
    value_at = start + 2

    if primitive == "Boolean":
        # A one-byte slice is used rather than an index, so a truncated buffer
        # yields an empty slice and ord() raises TypeError.
        value = ord(data[value_at:value_at+1])
    else:
        # NOTE(review): error() is called unqualified here while other parsers
        # in this file use Log.error() - confirm a module-level error() exists.
        error(" Type=%s" % primitive)
        Log.print_hex(data[start:start+16])
        # NOTE(review): exactly one value byte is consumed whatever the
        # primitive type is, so the returned position is probably misaligned
        # for anything wider than one byte - confirm.
        value = None

    record = {
        "Type": "MemberPrimitiveType",
        "PrimitiveType": primitive,
        "Value": value,
    }
    return record, value_at + 1
def parse_record_classwithmembers(data, start):
    """Return a ClassWithMembers record as an undecoded fixed-size blob.

    The record is not parsed: 59 bytes starting at ``start`` are stored raw
    under ``"Data"``, the 64 bytes that follow are hex-dumped, and
    ``(record, start + 59)`` is returned. The field-by-field parser further
    down is never reached.
    """
    # NOTE(review): 59 looks like the size of one specific captured record -
    # confirm. The slice silently shortens on a truncated buffer, and the
    # returned position can then lie past len(data).
    blob_len = 59
    blob_end = start + blob_len
    record = {
        "Type": "ClassWithMembers",
        "Data": data[start:blob_end],
    }
    Log.print_hex(data[blob_end:blob_end+64])
    return record, blob_end

    # NOTE(review): everything below is unreachable because of the return
    # above; it is kept as the intended field-by-field parser.
    record["ObjectId"] = get_number(data[start+1:start+5])
    record["ObjectName"], pos = get_string(data[start+5:])
    pos += start + 5
    record["MemberCount"] = get_number(data[pos:pos+4])
    pos += 4
    record["MemberNames"] = []
    for _ in range(record["MemberCount"]):
        name, consumed = get_string(data[pos:])
        record["MemberNames"].append(name)
        pos += consumed
    record["LibraryId"] = get_number(data[pos:pos+4])
    Log.error(record)
    return record, pos + 4
def parse_methode_call_array(c, data):
    """Parse every record in ``data`` and store the list in ``c["CallArray"]``.

    Parsing starts at offset 0 and continues while the position is inside
    ``data``. ``type_list`` holds member types taken from the most recent
    class definition (via ``get_definition_list``); while it is non-empty the
    next item is popped from its end and used to pick an untyped primitive
    parser with a fixed byte width, otherwise the record-type byte decides.

    Returns ``True`` after the whole buffer was consumed, ``False`` as soon as
    a parser returns ``None`` as the record (``c`` is left untouched then).

    NOTE(review): the nesting below was reconstructed from a
    whitespace-collapsed listing - confirm it against the original file,
    in particular the pairing of the ``else`` branches.
    """
    Log.info(" MethodeCallArray:")
    carray = []
    type_list = []
    pos = 0
    while len(data) > pos:
        if len(type_list) > 0:
            item = type_list.pop()
            Log.debug(" # Item %s" % item)
            #print_hex(data[pos:pos+16])
            extra = 0
            if item == "Array":
                # "Array" is a marker; the element type is the next entry.
                # pop() raises IndexError if the marker was the last entry.
                item = type_list.pop()
                # extra = bytes of array prefix added to the element width.
                if item == "Int64":
                    extra += 7
                elif item == "Byte":
                    extra += 4
                else:
                    # NOTE(review): unqualified error() plus exit(1) - an
                    # unexpected element type in the input ends the whole
                    # process instead of returning False to the caller.
                    error("Unkown Size of Array Prefix.")
                    exit(1)
                Log.debug(" # ArrayType: %s" % item)
            # Fixed widths per primitive type name; the third argument is the
            # number of bytes handed to the untyped parser.
            if item == "Byte":
                record, pos = parse_record_memberprimitiveuntyped(data, pos, 1 + extra)
            elif item == "Int32":
                record, pos = parse_record_memberprimitiveuntyped(data, pos, 4 + extra)
            elif item == "Int64":
                record, pos = parse_record_memberprimitiveuntyped(data, pos, 8 + extra)
            elif item == "Boolean":
                #print_hex(data[pos:pos+16])
                record, pos = parse_record_memberprimitiveuntyped(data, pos, 1 + extra)
            elif item == "DateTime":
                Log.print_hex(data[pos:pos+8])
                record, pos = parse_record_memberprimitiveuntyped(data, pos, 8 + extra)
            elif item == "TimeSpan":
                Log.print_hex(data[pos:pos+8])
                record, pos = parse_record_memberprimitiveuntyped(data, pos, 8 + extra)
            #elif type(item) == dict: # class
            #    record, pos = parse_record_memberprimitiveuntyped(data, pos, 19 + extra)
            else:
                # Any other pending item falls back to tag-based dispatch.
                record, pos = parse_methode_call_record(data,pos)
        else:
            record, pos = parse_methode_call_record(data,pos)
        # A None record means the parser gave up; stop without storing anything.
        if record == None:
            return False
        carray.append(record)
        # Per-type summary logging only; nothing below changes the record.
        if record["Type"] == "BinaryObjectString":
            Log.info(" BinaryObjectString(%d): %s" % (record["ObjectId"], record["Value"]))
        elif record["Type"] == "ClassWithId":
            Log.info(" ClassWithId(%d) => %d" % (record["ObjectId"], record["MetadataId"]))
        elif record["Type"] == "MemberReference":
            Log.info(" MemberReference(%d)" % record["IdRef"])
        elif record["Type"] == "BinaryLibrary":
            Log.info(" BinaryLibrary(%d) - %s" % (record["LibraryId"], record["LibraryName"]))
        elif record["Type"] in ["SystemClassWithMembersAndTypes", "ClassWithMembersAndTypes"]:
            Log.info(" %s(%d) %s" % (record["Type"], record["ObjectId"], 
                record["MemberNames"]))
            Log.debug(record)
        elif record["Type"] == "MemberPrimitiveUnTyped":
            Log.info(" %s" % record["Type"])
            Log.print_hex(record["Value"])
        elif record["Type"] in ["ArraySinglePrimitive", "ArraySingleObject", "BinaryArray"]:
            Log.info(" %s(%d) - %d" % (record["Type"], record["ObjectId"], record["Length"]))
            if record["Type"] == "ArraySinglePrimitive":
                Log.print_hex(record["Value"], 32)
        else:
            Log.info(" %s" % record["Type"])
        # A class definition supplies the member types expected next.
        if record["Type"] in ["ClassWithMembersAndTypes", "SystemClassWithMembersAndTypes"]:
            t = get_definition_list(record)
            if len(type_list) > 0 and len(t) > 0:
                # A new definition arrived while older member types are still
                # pending. skip is only used for the hex dump: the actual
                # skipping is commented out and the new types are appended.
                skip = 19
                #Log.error("conflict: list %s and %s" % (type_list, t))
                #error("skip %d bytes and add them to record and empty list" % skip)
                Log.print_hex(data[pos:pos+skip])
                #record["skip3"] = data[pos:pos+skip]
                #pos += skip
                #type_list = []
                type_list += t
            else:
                type_list = t
    c["CallArray"] = carray
    return True
def parse_record_systemclasswithmembersandtypes(data, start):
    """Parse a SystemClassWithMembersAndTypes record starting at ``data[start]``.

    Reads the object id, object name, member count, member names and the
    member type information into a dict. Returns ``(record, pos)`` with
    ``pos`` just past the record, or ``(None, 0)`` when a type byte maps to
    ``None`` in ``get_binary_type_enum`` / ``get_type_enum``.

    Two workarounds deviate from a straight read: 9 bytes are skipped when the
    object id is above 0x01000000 (kept in ``record["skip1"]``), and 4 bytes
    are skipped at the end when they decode to 7 (kept in ``record["skip2"]``).

    NOTE(review): the nesting below was reconstructed from a
    whitespace-collapsed listing - confirm it against the original file.
    NOTE(review): MemberCount comes straight from the input and is not checked
    against the remaining length; the loops below rely on it.
    """
    record = {}
    record["Type"] = "SystemClassWithMembersAndTypes"
    record["ObjectId"] = get_number(data[start+1:start+5])
    Log.print_hex(data[start:start+32])
    # stupid workaround
    # An object id this large is treated as a sign that 9 unexpected bytes
    # precede the name; they are saved and start is moved forward.
    if record["ObjectId"] > 0x01000000:
        Log.error(" Skip 9 Bytes in SystemClassWithMembersAndTypes parser")
        record["skip1"] = data[start+5:start+14]
        start += 9
    # get_string is given a slice, so the second value it returns is added to
    # the slice offset below. presumably it is the number of bytes consumed -
    # verify against get_string.
    record["ObjectName"], pos = get_string(data[start+5:])
    # NOTE(review): Log.dbg here versus Log.debug elsewhere in this file -
    # confirm both exist.
    Log.dbg(" # Systemobjectname=%s" % record["ObjectName"])
    pos += start + 5
    record["MemberCount"] = get_number(data[pos:pos+4])
    pos += 4
    i = 0
    record["MemberNames"] = []
    # One string per member.
    while i < record["MemberCount"]:
        name, t = get_string(data[pos:])
        record["MemberNames"].append(name)
        i += 1
        pos += t
    # stupid bugfix
    record["MemberTypeInfo"] = []
    i = 0
    additional = []
    # First pass: one binary-type byte per member. Types that carry extra
    # information are remembered in additional, in order. data[pos] raises
    # IndexError once pos runs past the end of data.
    while i < record["MemberCount"]:
        t = get_binary_type_enum(ord(data[pos]))
        if t == None:
            return None, 0
        if t in ["Primitive", "SystemClass", "Class", "PrimitiveArray", "System.Object"]:
            additional.append(t)
        record["MemberTypeInfo"].append(t)
        i += 1
        pos += 1
    # Second pass: read the extra information for the remembered types and
    # append it to the same MemberTypeInfo list.
    for i in additional:
        if i in ["Primitive", "PrimitiveArray"]:
            # One byte naming the primitive type.
            t = get_type_enum(ord(data[pos]))
            if t == None:
                return None, 0
            record["MemberTypeInfo"].append(t)
            pos += 1
        if i in ["Class", "SystemClass"]:
            # A type name; "Class" is additionally followed by a 4-byte
            # library id.
            name, t = get_string(data[pos:])
            pos += t
            c = {}
            if i == "Class":
                c["Type"] = "Class"
                c["TypeName"] = name
                c["LibraryId"] = get_number(data[pos:pos+4])
                pos += 4
            else:
                c["Type"] = "SystemClass"
                c["TypeName"] = name
            record["MemberTypeInfo"].append(c)
    # Heuristic: if the next 4 bytes decode to 7 they are treated as a stray
    # library id, saved and skipped.
    if get_number(data[pos:pos+4]) == 7:
        Log.error(" Found Library - fix 4 bytes - this is not in the specs")
        record["skip2"] = data[pos:pos+4]
        pos += 4
    return record, pos