import sys
'''
Quick utility to generate ord lookups from DLL exports.
'''
import PE
p = PE.PE(open(sys.argv[1], 'rb'))
base = int(p.IMAGE_EXPORT_DIRECTORY.Base)
ords = {}
for fva, ord, name in p.getExports():
ords[ord + base] = name
keys = list(ords.keys())
keys.sort()
for k in keys:
print(''' %d:'%s',''' % (k, ords.get(k)))
t = vdb.trace
bases = t.getMeta("LibraryBases")
paths = t.getMeta("LibraryPaths")
names = args
if len(names) == 0:
names = t.getNormalizedLibNames()
names.sort()
names = vdb.columnstr(names)
for libname in names:
base = bases.get(libname.strip(), -1)
path = paths.get(base, "unknown")
mem = PE.MemObjFile(t, base)
pobj = PE.PE(mem, inmem=True)
if showimps:
ldeps = {}
for rva, lname, fname in pobj.getImports():
ldeps[lname.lower()] = True
lnames = ldeps.keys()
lnames.sort()
vdb.vprint('0x%.8x - %.30s %s' % (base, libname, ' '.join(lnames)))
elif showvers:
vdb.vprint('0x%.8x - %.30s %s' % (base, libname, path))
elif showtime:
tstamp = pobj.IMAGE_NT_HEADERS.FileHeader.TimeDateStamp
vdb.vprint('0x%.8x - %.30s 0x%.8x' % (base, libname, tstamp))
else:
vdb.vprint('0x%.8x - %.30s %s' % (base, libname, path))
def parseFd(vw, fd, filename=None):
fd.seek(0)
pe = PE.PE(fd)
return loadPeIntoWorkspace(vw, pe, filename=filename)
return ret
if __name__ == '__main__':
# Parse windows structures from dll symbols...
import os
import sys
import platform
from pprint import pprint
import PE
import vtrace.platforms.win32 as vt_win32
p = PE.PE(file(sys.argv[1], 'rb'))
baseaddr = p.IMAGE_NT_HEADERS.OptionalHeader.ImageBase
osmajor = p.IMAGE_NT_HEADERS.OptionalHeader.MajorOperatingSystemVersion
osminor = p.IMAGE_NT_HEADERS.OptionalHeader.MinorOperatingSystemVersion
machine = p.IMAGE_NT_HEADERS.FileHeader.Machine
archname = PE.machine_names.get(machine)
parser = vt_win32.Win32SymbolParser(0xffffffff, sys.argv[1], baseaddr)
parser.parse()
t = list(parser._sym_types.values())
e = list(parser._sym_enums.values())
builder = VStructBuilder(defs=t, enums=e)
print('# Version: %d.%d' % (osmajor, osminor))
def parseFile(vw, filename):
pe = PE.PE(file(filename, "rb"))
return loadPeIntoWorkspace(vw, pe, filename)
def parseBytes(vw, bytes):
fd = StringIO.StringIO(bytes)
fd.seek(0)
pe = PE.PE(fd)
return loadPeIntoWorkspace(vw, pe, filename=filename)
import sys
import os
CURRENT_DIR = os.getcwd()
PE_DIR = "\\".join(CURRENT_DIR.split("\\")[:-1])
print "[+] Current position: %s" % (CURRENT_DIR)
print "[+] PE class position: %s" % (PE_DIR)
print
# add PE class folder
sys.path.append(PE_DIR)
from PE import *
exe = PE_DIR + "\\vuln\\ImageLoad.dll"
pe = PE(exe)
print "[+] Analysis %s." % (pe.Name)
print "[*] Format is %s." % (pe.Format)
print "[*] Type is %s." % (pe.Type)
print "[*] Arch is %s." % (pe.Arch)
print "[*] Bits is %d." % (pe.Bits)
print "[*] EntryPoint is 0x%08x." % (pe.EntryPoint)
print "[*] Rebase is", "on." if pe.Rebase else "off."
print
print "[+] DataSections:"
print "[*] %-8s %-10s %-10s %-10s" % ("name", "vaddr", "offset", "size")
for section in pe.DataSections:
print " %-8s 0x%-08x 0x%-08x 0x%-08x" % (
section["name"], section["vaddr"], section["offset"], section["size"])
def parseFile(vw, filename, baseaddr=None):
pe = PE.PE(file(filename,"rb"))
return loadPeIntoWorkspace(vw, pe, filename, baseaddr=baseaddr)
def hooks(vdb, line):
'''
Check the executable regions of the target process for any
hooks by comparing against the PE on disk. This will
account for relocations and import entries.
'''
t = vdb.getTrace()
bases = t.getMeta("LibraryBases")
paths = t.getMeta("LibraryPaths")
found = False
for bname in bases.keys():
base = bases.get(bname)
fpath = paths.get(base)
with open(fpath, 'rb') as fd:
pobj = PE.PE(fpath)
filebase = pobj.IMAGE_NT_HEADERS.OptionalHeader.ImageBase
skips = {}
# Get relocations for skipping
r = list(range(t.getPointerSize()))
for relrva, reltype in pobj.getRelocations():
for i in r:
skips[base + relrva + i] = True
# Add the import entries to skip
for iva, libname, name in pobj.getImports():
for i in r:
skips[base + iva + i] = True
for sec in pobj.getSections():
if sec.Characteristics & PE.IMAGE_SCN_MEM_EXECUTE:
size = sec.VirtualSize
va = base + sec.VirtualAddress
fileva = filebase + sec.VirtualAddress
filebytes = pobj.readAtRva(sec.VirtualAddress,
sec.VirtualSize)
procbytes = t.readMemory(va, size)
for off, size in bindiff(filebytes, procbytes):
difva = va + off
fdifva = fileva + off
# Check for a relocation covering this...
if skips.get(difva):
continue
found = True
dmem = e_common.hexify(procbytes[off:off + size])[:10]
dfil = e_common.hexify(filebytes[off:off + size])[:10]
vdb.canvas.addVaText('0x%.8x' % difva, difva)
vdb.canvas.addText(' (0x%.8x) (%d)' % (fdifva, size))
vdb.canvas.addText(' mem: %s file: %s ' % (dmem, dfil))
sym = vdb.symobj.getSymByAddr(difva, exact=False)
if sym is not None:
vdb.canvas.addText(' ')
vdb.canvas.addVaText(
'%s + %d' % (repr(sym), difva - int(sym)),
difva)
vdb.canvas.addText('\n')
if not found:
vdb.canvas.addText('No Hooks Found!\n')
def parseBytes(vw, bytes, baseaddr=None):
fd = BytesIO(bytes)
fd.seek(0)
pe = PE.PE(fd)
return loadPeIntoWorkspace(vw, pe, baseaddr=baseaddr)
from PE import *
from util import *
from Gadget import *
exe_path = "D:\\testPoc\\Easy File Sharing Web Server\\fsws.exe"
module_list = getModuleList(exe_path)
module_list.append(exe_path)
# Get all usable gadgets.
collect_gadgets = {}
for module in module_list:
pe = PE(module)
if (not pe.ASLR) and (not pe.SafeSEH) and (not pe.Rebase):
print "[+] Module %s add." % module
module_gadget = Gadget(pe)
classify_gadget(module_gadget.retGadgets, module_gadget.jmpGadgets, collect_gadgets)
print
for types in collect_gadgets.keys():
print "+" + "-"*(len(types)+2) + "+"
print "| " + types + " |"
print "+" + "-"*(len(types)+2) + "+"
print
for addr, gadget in collect_gadgets[types].items():
print "[*] 0x%08x : %s." % (addr, gadget)
print
