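def _log_findings(imm, gf, findings):
    """Log every gadget match in *findings* and return how many were logged.

    Each entry is indexed the way the original search loops did:
    info[0] is the module id (a key into gf.bases), info[1] the offset
    inside that module and info[2] the complexity score.  The absolute
    address gf.bases[module_id] + offset is passed to imm.log as its
    second argument, exactly as the three original loops did.
    A None or empty *findings* logs nothing and returns 0.
    """
    if not findings:
        return 0
    count = 0
    for info in findings:
        module_id, offset, complexity = info[0], info[1], info[2]
        base = gf.bases[module_id]
        imm.log("module_id=%d, module_base=0x%x, offset=0x%x, complexity=%d"
                % (module_id, base, offset, complexity), base + offset)
        count += 1
    return count


def main(args):
    """Immunity Debugger PyCommand entry point.

    Runs three example searches with GadgetFinder against "explorer.exe"
    and logs every hit through imm.log.  *args* is the PyCommand argument
    list and is not consulted by this example.
    """
    regProps = {}
    memProps = {}
    flagProps = {}
    imm = Debugger()
    sm = StateMachine(solver=PrettySolver())
    # define the module/s to use in the search and all the database information here
    gf = GadgetFinder(imm, "explorer.exe")
    # gf._debug = True  # enable for verbose GadgetFinder output

    separator = "########################################################################"

    ##### DEFINE YOUR SEARCHING CONSTRAINS HERE #######

    # search for a SUB ESP, <range>
    for x in xrange(0x100, 0x200):
        # push the SM state before modifying it so the next iteration
        # starts again from the initial empty state
        sm.push()
        sm.regs["ESP"] -= x
        _log_findings(imm, gf, gf.searchByHashes(sm))
        sm.pop()  # go back to the initial empty state
    imm.log(separator)

    # search for EAX = 0
    sm.regs["EAX"] = Expression(0)
    _log_findings(imm, gf, gf.searchByHashes(sm))
    imm.log(separator)

    # typical stack pivot to EAX
    regProps["ESP"] = "EAX"
    memProps["EIP"] = "EAX"
    found = _log_findings(imm, gf,
                          gf.searchByProperties(regProps, memProps, flagProps))
    # only this last search reported an empty result in the original script
    if not found:
        imm.log("Nothing found")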
else: usage(imm) return "Unknown option" if not exp: usage(imm) imm.log("[!] -e is mandatory") return "Error, check script usemode" if logfile: imm = MyDebugger(template="findpivot-log-") sm = StateMachine(solver=PrettySolver()) #define the module/s to use in the search and all the database information here gf = GadgetFinder(imm, modules, dbname, dbtype, host, username, passwd) gf._debug = debug if debug: imm.log("[*] RAW Expression: %s" % str(exp)) exp = parseExpression(exp, sm) if exp == None: imm.log("[!] Expression could not be parsed, please review it") return "Error, check usemode" imm.log("[*] Parsed Expression: %s" % str(exp)) imm.log("[*] Stopping after %d results" % results_count) findings = []
else: usage(imm) return "Unknown option" if not exp: usage(imm) imm.log("[!] -e is mandatory") return "Error, check script usemode" if logfile: imm = MyDebugger(template="findpivot-log-") sm=StateMachine(solver=PrettySolver()) #define the module/s to use in the search and all the database information here gf=GadgetFinder(imm, modules, dbname, dbtype, host, username, passwd) gf._debug=debug if debug: imm.log("[*] RAW Expression: %s"%str(exp)) exp=parseExpression(exp, sm) if exp == None: imm.log("[!] Expression could not be parsed, please review it") return "Error, check usemode" imm.log("[*] Parsed Expression: %s"%str(exp)) imm.log("[*] Stopping after %d results"%results_count) findings=[]