def read_mmap_token(mmap_area, index=DEFAULT_TOKEN_INDEX, count=DEFAULT_TOKEN_BYTES): assert count>0 v = 0 for i in range(0, count): v = v<<8 peek = c_ubyte.from_buffer(mmap_area, index+count-1-i) v += peek.value log("read_mmap_token(%s, %#x, %#x)=%#x", mmap_area, index, count, v) return v
def write_mmap_token(mmap_area, token, index=DEFAULT_TOKEN_INDEX, count=DEFAULT_TOKEN_BYTES): assert count>0 #write the token one byte at a time - no endianness log("write_mmap_token(%s, %#x, %#x, %#x)", mmap_area, token, index, count) v = token for i in range(0, count): poke = c_ubyte.from_buffer(mmap_area, index+i) poke.value = v % 256 v = v>>8 assert v==0, "token value is too big"
import ctypes import os from ctypes import c_ubyte, c_int code = bytes([0x8b, 0x44, 0x24, 0x04, 0x03, 0x44, 0x24, 0x08, 0xc3]) code_size = len(code) # copy code into an executable buffer if (os.name == 'posix'): import mmap executable_map = mmap.mmap(-1, code_size, mmap.MAP_PRIVATE | mmap.MAP_ANON, mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC) # we must keep a reference to executable_map until the call, to avoid freeing the mapped memory executable_map.write(code) # the mmap object won't tell us the actual address of the mapping, but we can fish it out by allocating # some ctypes object over its buffer, then asking the address of that func_address = ctypes.addressof(c_ubyte.from_buffer(executable_map)) elif (os.name == 'nt'): # the mmap module doesn't support protection flags on Windows, so execute VirtualAlloc instead code_buffer = ctypes.create_string_buffer(code) PAGE_EXECUTE_READWRITE = 0x40 # Windows constants that would usually come from header files MEM_COMMIT = 0x1000 executable_buffer_address = ctypes.windll.kernel32.VirtualAlloc(0, code_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE) if (executable_buffer_address == 0): print('Warning: Failed to enable code execution, call will likely cause a protection fault.') func_address = ctypes.addressof(code_buffer) else: ctypes.memmove(executable_buffer_address, code_buffer, code_size) func_address = executable_buffer_address else: # for other platforms, we just hope DEP isn't enabled code_buffer = ctypes.create_string_buffer(code)
from ctypes import c_ubyte, c_int code = bytes([0x8b, 0x44, 0x24, 0x04, 0x03, 0x44, 0x24, 0x08, 0xc3]) code_size = len(code) # copy code into an executable buffer if (os.name == 'posix'): import mmap executable_map = mmap.mmap( -1, code_size, mmap.MAP_PRIVATE | mmap.MAP_ANON, mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC) # we must keep a reference to executable_map until the call, to avoid freeing the mapped memory executable_map.write(code) # the mmap object won't tell us the actual address of the mapping, but we can fish it out by allocating # some ctypes object over its buffer, then asking the address of that func_address = ctypes.addressof(c_ubyte.from_buffer(executable_map)) elif (os.name == 'nt'): # the mmap module doesn't support protection flags on Windows, so execute VirtualAlloc instead code_buffer = ctypes.create_string_buffer(code) PAGE_EXECUTE_READWRITE = 0x40 # Windows constants that would usually come from header files MEM_COMMIT = 0x1000 executable_buffer_address = ctypes.windll.kernel32.VirtualAlloc( 0, code_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE) if (executable_buffer_address == 0): print( 'Warning: Failed to enable code execution, call will likely cause a protection fault.' ) func_address = ctypes.addressof(code_buffer) else: ctypes.memmove(executable_buffer_address, code_buffer, code_size) func_address = executable_buffer_address