def handle_memtrace(self, event):
eip = PyFlxInstrument.registers()["eip"]
if event.writes:
self.log("Write: 0x%x , Addr: 0x%x, BBL: 0x%x" %
(event.value, event.addr, eip))
else:
self.log("Read: 0x%x , Addr: 0x%x, BBL: 0x%x" %
(event.value, event.addr, eip))
def __init__(self, fromaddr, toaddr, nextaddr, process): self.fromaddr = fromaddr self.toaddr = toaddr self.nextaddr = nextaddr self.process = process self.entrystate = PyFlxInstrument.registers() self.exitstate = None self.return_callbacks = [] self.dllname = None self.name = None
def handle_syscall(self, syscall):
# NtCreateThread
syscall_name = syscalls.getSyscallByNumber(syscall.number)
if syscall_name is not None:
if syscall_name == "NtTerminateProcess":
self.os.terminating_processes.append((self,PyFlxInstrument.registers()["cr3"]))
self.log(syscall_name)
self.thread.terminate()
self.logger.shutdown(self)
if syscall_name == "NtCreateThread":
self.logger.info("Creating Thread")
self.log(syscall_name)
if syscall_name == "NtTerminateThread":
self.logger.info("Thread %d terminated"%self.cur_tid)
self.log(syscall_name)
self.thread.terminate()
if syscall_name == "NtCreateProcess" or syscall_name == "NtCreateProcessEx":
self.logger.info("New Process has been created by %s"%self.name)
self.log(syscall_name)
def handle_syscall(self, syscall):
# NtCreateThread
syscall_name = syscalls.getSyscallByNumber(syscall.number)
if syscall_name is not None:
if syscall_name == "NtTerminateProcess":
self.os.terminating_processes.append(
(self, PyFlxInstrument.registers()["cr3"]))
self.log(syscall_name)
self.thread.terminate()
self.logger.shutdown(self)
if syscall_name == "NtCreateThread":
self.logger.info("Creating Thread")
self.log(syscall_name)
if syscall_name == "NtTerminateThread":
self.logger.info("Thread %d terminated" % self.cur_tid)
self.log(syscall_name)
self.thread.terminate()
if syscall_name == "NtCreateProcess" or syscall_name == "NtCreateProcessEx":
self.logger.info("New Process has been created by %s" %
self.name)
self.log(syscall_name)
def caballero_enable(self, min_icount, threshold):
PyFlxInstrument.caballero_enable(min_icount, threshold)
def vmem_read(self, n): return PyFlxInstrument.vmem_read(n, 4096)
def filter_filtered(self, addr):
return PyFlxInstrument.filtered(addr)
def filter_add(self, start, stop):
PyFlxInstrument.filter_add(start, stop)
def caballero_disable(self): PyFlxInstrument.caballero_disable()
def set_context(self, pid, tid): PyFlxInstrument.set_context(pid, tid)
def functionentropy_enable(self, threshold):
PyFlxInstrument.functionentropy_enable(threshold)
def filter_del(self, start, end): PyFlxInstrument.filter_del(start, stop)
def functiontrace_disable(self):
PyFlxInstrument.functiontrace_disable()
def set_context(self, pid, tid):
PyFlxInstrument.set_context(pid, tid)
def arithwindow_disable(self):
PyFlxInstrument.arithwindow_disable()
def arithwindow_enable(self, window_size, threshold):
PyFlxInstrument.arithwindow_enable(window_size, threshold)
def caballero_disable(self):
PyFlxInstrument.caballero_disable()
def memtrace_disable(self): PyFlxInstrument.memtrace_disable()
def functionentropy_disable(self):
PyFlxInstrument.functionentropy_disable()
def filter_disable(self): PyFlxInstrument.filter_disable()
def codesearch_enable(self):
PyFlxInstrument.codesearch_enable()
def bbltrace_disable(self): PyFlxInstrument.bbltrace_disable()
def constsearch_pattern(self, pattern):
PyFlxInstrument.constsearch_pattern(pattern)
def arithwindow_disable(self): PyFlxInstrument.arithwindow_disable()
def constsearch_disable(self):
PyFlxInstrument.constsearch_disable()
def functionentropy_disable(self): PyFlxInstrument.functionentropy_disable()
def syscall_hook(self, number): PyFlxInstrument.syscall_hook(number)
def breakpoint_insert(self, addr): PyFlxInstrument.breakpoint_insert(addr)
def dump_enable(self, path): PyFlxInstrument.dump_enable(path)
def constsearch_search(self):
PyFlxInstrument.constsearch_search()
def bbltrace_disable(self):
PyFlxInstrument.bbltrace_disable()
def deactivate(self): PyFlxInstrument.set_instrumentation_active(0)
def breakpoint_insert(self, addr):
PyFlxInstrument.breakpoint_insert(addr)
def dump_disable(self): PyFlxInstrument.dump_disable()
def breakpoint_delete(self, addr):
PyFlxInstrument.breakpoint_delete(addr)
def read_process(self, process, address, len): try: return PyFlxInstrument.vmem_read_process(process.cr3, address, len) except RuntimeError: return None
def addBreakpoint(self, addr, handler):
if not self.has_key(addr):
self[addr] = set([])
PyFlxInstrument.breakpoint_insert(addr)
self[addr].add(handler)
def retranslate(self): PyFlxInstrument.retranslate()
def register(self, register):
regs = PyFlxInstrument.registers()
return regs[register]
def filter_add(self, start, stop): PyFlxInstrument.filter_add(start, stop)
def creg(self, register):
return PyFlxInstrument.creg(register)
def filter_filtered(self, addr): return PyFlxInstrument.filtered(addr)
def eip(self):
return PyFlxInstrument.eip()
def caballero_enable(self, min_icount, threshold): PyFlxInstrument.caballero_enable(min_icount, threshold)
def genreg(self, index):
return PyFlxInstrument.genreg(index)
def arithwindow_enable(self, window_size, threshold): PyFlxInstrument.arithwindow_enable(window_size, threshold)
def delBreakpoint(self, addr, handler):
for addr, hash in self.items():
if not self[addr].isdisjoint([handler]):
self[addr] = self[addr] - set([handler])
if len(self[addr]) == 0:
PyFlxInstrument.breakpoint_delete(addr)
def functiontrace_disable(self): PyFlxInstrument.functiontrace_disable()
def constsearch_pattern(self, pattern): PyFlxInstrument.constsearch_pattern(pattern)
def functionentropy_enable(self, threshold): PyFlxInstrument.functionentropy_enable(threshold)
def activate(self, pid, tid, procname): PyFlxInstrument.set_instrumentation_active(1) PyFlxInstrument.set_context(pid,tid, str(procname))
def codesearch_enable(self): PyFlxInstrument.codesearch_enable()
def filter_del(self, start, end):
PyFlxInstrument.filter_del(start, stop)
def constsearch_disable(self): PyFlxInstrument.constsearch_disable()
def doReturn(self): self.exitstate = PyFlxInstrument.registers() for callback in self.return_callbacks: callback(self)
def constsearch_search(self): PyFlxInstrument.constsearch_search()
def retval(self): self.exitstate = PyFlxInstrument.registers() return self.exitstate["eax"]
def breakpoint_delete(self, addr): PyFlxInstrument.breakpoint_delete(addr)
def filter_disable(self):
PyFlxInstrument.filter_disable()