def checkAccept(self):
    """Entry hook for accept(): log the call's arguments and arm a return breakpoint.

    SOCKET accept(
        _In_    SOCKET s,
        _Out_   struct sockaddr *addr,
        _Inout_ int *addrlen
    );

    The listening socket is stored in self.tempStack for checkAcceptEnd(),
    which is installed as the condition of a breakpoint on the return
    address. Always returns 0.
    """
    listen_sock = Util.GetData(0x4)
    self.logger.info("checkAccept: SOCKET is 0x%x" % (listen_sock))

    addr_ptr = Util.GetData(0x8)
    self.logger.info("checkAccept: sockaddr_addr is 0x%x" % (addr_ptr))

    addrlen_val = Util.GetData(0xC)
    self.logger.info("checkAccept: *addrlen value is 0x%x" % (addrlen_val))

    # Return address is at the top of the stack on function entry.
    return_ea = Util.GetData(0x0)

    # Fresh scratch stack: only the socket is needed by checkAcceptEnd().
    self.tempStack = [listen_sock]

    # Non-stopping breakpoint whose condition runs the end-of-call handler.
    idc.AddBpt(return_ea)
    idc.SetBptAttr(return_ea, idc.BPT_BRK, 0)
    idc.SetBptCnd(return_ea, "windowsNetworkIO.checkAcceptEnd()")
    return 0
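def WSOCK32Bind(self):
    """Entry hook for WSOCK32 bind(): log the arguments and, if the port is in
    the network filter, arm a return breakpoint that starts logging.

    int bind(
        _In_ SOCKET s,
        _In_ const struct sockaddr *name,
        _In_ int namelen
    );

    struct sockaddr_in {
        short          sin_family;
        u_short        sin_port;
        struct in_addr sin_addr;
        char           sin_zero[8];
    };

    On a filter match the socket and the decimal port string are stored in
    self.tempStack for checkBindEnd(), which runs as the breakpoint
    condition when bind() returns. Otherwise any breakpoint left on the
    return address is removed. Always returns 0.
    """
    s = Util.GetData(0x4)
    self.logger.info("WSOCK32Bind: SOCKET is 0x%x" % (s))
    sockaddr_name = Util.GetData(0x8)
    self.logger.info("WSOCK32Bind: sockaddr_name is 0x%x" % (sockaddr_name))

    # sin_port is at offset 2 of sockaddr_in, stored big-endian (network order).
    # The pointer comes from the debuggee, so the read can fail; a failed
    # read must not raise inside the breakpoint condition, it is treated as
    # "filter did not match".
    raw_port = idaapi.dbg_read_memory(sockaddr_name + 0x2, 2)
    if raw_port and len(raw_port) == 2:
        portName = str(struct.unpack(">H", raw_port)[0])
        self.logger.info("WSOCK32Bind: port value is %s" % (portName))
    else:
        portName = None
        self.logger.info("WSOCK32Bind: could not read sin_port at 0x%x" % (sockaddr_name + 0x2))

    namelen = Util.GetData(0xC)
    self.logger.info("WSOCK32Bind: namelen value is %d" % (namelen))
    retAddr = Util.GetData(0x0)
    Print(self.filter['network'])

    if portName is not None and portName in self.filter['network']:
        self.tempStack = [s, portName]
        # Non-stopping breakpoint; the condition runs the end-of-call handler.
        idc.AddBpt(retAddr)
        idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
        idc.SetBptCnd(retAddr, "windowsNetworkIO.checkBindEnd()")
        self.logger.info(
            "WSOCK32Bind: Network Filter matched. Adding port to the Handle's dictionary to start logging."
        )
        Print(
            "Filter matched. Add handle to the handle's dictionary to start logging."
        )
    else:
        # A stale breakpoint from an earlier matching call would otherwise
        # fire checkBindEnd() for a port we do not want to log.
        if idc.CheckBpt(retAddr) >= 0:
            Print("Removing un-needed breakpoint.")
            self.logger.info("WSOCK32Bind: Removing un-needed breakpoint.")
            idc.DelBpt(retAddr)
        self.logger.info("WSOCK32Bind: Network Filter did not match.")
    return 0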
def ReadFile(self):
    """Entry hook for ReadFile in interactive mode.

    The arguments are read from the stack starting at offset 0 (no return
    address has been pushed yet, so the return address is computed as the
    address following the instruction at EIP). The buffer, byte-count
    pointer, handle, current EIP, the tag "ReadFile" and the thread id are
    stored in self.tempStack for interactivemodeCallback.ReadFileEnd(),
    which runs as the breakpoint condition at the return address.

    BOOL WINAPI ReadFile(
        _In_        HANDLE hFile,
        _Out_       LPVOID lpBuffer,
        _In_        DWORD nNumberOfBytesToRead,
        _Out_opt_   LPDWORD lpNumberOfBytesRead,
        _Inout_opt_ LPOVERLAPPED lpOverlapped
    );

    Always returns 0.
    """
    handle = Util.GetData(0x0)
    self.logger.info("hFile is 0x%x" % (handle))
    out_buf = Util.GetData(0x4)
    self.logger.info("lpBuffer is 0x%x" % (out_buf))
    want = Util.GetData(0x8)
    self.logger.info("nNumberOfBytesToRead value is 0x%x" % (want))
    got_ptr = Util.GetData(0xC)
    self.logger.info("lpNumberOfBytesRead value is 0x%x" % (got_ptr))
    overlapped = Util.GetData(0x10)
    self.logger.info("lpOverlapped is 0x%x" % (overlapped))

    # We are stopped on the call itself: the return address is the next item.
    current_ea = idc.GetRegValue("EIP")
    return_ea = current_ea + idc.ItemSize(current_ea)
    Print("The return address is 0x%x" % return_ea)

    self.tempStack = [
        out_buf,
        got_ptr,
        handle,
        current_ea,
        "ReadFile",
        idc.GetCurrentThreadId(),
    ]

    idc.AddBpt(return_ea)
    idc.SetBptCnd(return_ea, "interactivemodeCallback.ReadFileEnd()")
    return 0
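def My_fread(self):
    """Entry hook for glibc's _IO_fread: record the pending read and, if the
    stream is tracked, arm a return breakpoint that logs the data read.

    old - size_t fread ( void * ptr, size_t size, size_t count, FILE * stream );
    size_t _IO_fread (void * ptr, size_t size, size_t count, FILE * stream )

    Sets self.pBuffer / self.pSize to the destination and size*count, and
    stores buffer, size, stream, caller address, the tag "fread" and the
    thread id in self.tempStack for linuxFileIO.My_freadEnd(). Streams not
    in self.handleSet get any leftover breakpoint removed instead. Always
    returns 0.
    """
    ptr = Util.GetData(0x4)
    self.logger.info("fp is 0x%x" % (ptr))
    _size = Util.GetData(0x8)
    self.logger.info("size is %d" % (_size))
    _count = Util.GetData(0xc)
    self.logger.info("count is %d" % (_count))
    stream = Util.GetData(0x10)
    self.logger.info("stream is 0x%x" % (stream))

    self.pSize = _size * _count
    self.pBuffer = ptr

    retAddr = Util.GetData(0x0)
    # The calling instruction is the item *before* the return address.
    # Subtracting ItemSize(retAddr) would use the size of the instruction at
    # the return address, which is unrelated to the size of the call.
    callerAddr = idc.PrevHead(retAddr)

    self.tempStack = [
        self.pBuffer,
        self.pSize,
        stream,
        callerAddr,
        "fread",
        idc.GetCurrentThreadId(),
    ]

    if stream in self.handleSet:
        self.logger.info("Found stream 0x%x" % stream)
        # Non-stopping breakpoint; the condition runs the end-of-call handler.
        idc.AddBpt(retAddr)
        idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
        idc.SetBptCnd(retAddr, "linuxFileIO.My_freadEnd()")
    else:
        self.logger.info("Cannot find handle 0x%x" % stream)
        # Only delete a breakpoint that is actually present (same guard as
        # MyReadFile); a stale one would run My_freadEnd() for an untracked stream.
        if idc.CheckBpt(retAddr) >= 0:
            Print("Removing un-needed fread breakpoint.")
            idc.DelBpt(retAddr)
    return 0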
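def checkClosesocket(self):
    """Entry hook for closesocket(): log the socket and arm a return breakpoint.

    int closesocket(
        _In_ SOCKET s
    );

    The socket is stored in self.tempStack for checkClosesocketEnd(), which
    runs as the breakpoint condition at the return address. Always returns 0.
    """
    s = Util.GetData(0x4)
    self.logger.info("checkClosesocket: SOCKET is 0x%x" % (s))
    retAddr = Util.GetData(0x0)

    # Reset the scratch stack like every other entry hook does; appending to
    # whatever the previous hook left behind would hand checkClosesocketEnd()
    # stale entries ahead of this socket.
    self.tempStack = [s]

    # Non-stopping breakpoint; the condition runs the end-of-call handler.
    idc.AddBpt(retAddr)
    idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
    idc.SetBptCnd(retAddr, "windowsNetworkIO.checkClosesocketEnd()")
    return 0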
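def My_fclose(self):
    """Entry hook for fclose(): log the stream and stop tracking it.

    int fclose ( FILE * stream );

    Always returns 0.
    """
    stream = Util.GetData(0x4)
    self.logger.info("stream is 0x%x" % (stream))

    # Mirror MyCloseHandle: once the stream is closed its FILE* may be
    # recycled by a later fopen() of a file the filter does not match, and a
    # stale entry in self.handleSet would make My_fread trace that file.
    # (EAX is not meaningful on entry, so the old unused read of it is gone.)
    if stream in self.handleSet:
        self.handleSet.remove(stream)
        self.logger.info("Removing stream 0x%x from Handle Set" % stream)
    return 0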
def recv(self):
    """Entry hook for recv() in interactive mode.

    int recv(
        _In_  SOCKET s,
        _Out_ char *buf,
        _In_  int len,
        _In_  int flags
    );

    Arguments are read from the stack starting at offset 0, so the return
    address is computed from EIP rather than popped from the stack. Socket,
    buffer, length, current EIP, the tag "recv" and the thread id are stored
    in self.tempStack for interactivemodeCallback.recvEnd(), installed as the
    condition of a non-stopping breakpoint on the return address. Always
    returns 0.
    """
    sock = Util.GetData(0x0)
    self.logger.info("checkRecv: Socket is 0x%x" % (sock))
    buf_ptr = Util.GetData(0x4)
    self.logger.info("checkRecv: *buf is 0x%x" % (buf_ptr))
    buf_len = Util.GetData(0x8)
    self.logger.info("checkRecv: len value is %d" % (buf_len))
    flags = Util.GetData(0xC)
    self.logger.info("checkRecv: flag value is %d" % (flags))

    current_ea = idc.GetRegValue("EIP")
    return_ea = current_ea + idc.ItemSize(current_ea)
    Print("The return address is 0x%x" % return_ea)

    self.tempStack = [
        sock,
        buf_ptr,
        buf_len,
        current_ea,
        "recv",
        idc.GetCurrentThreadId(),
    ]

    idc.AddBpt(return_ea)
    idc.SetBptAttr(return_ea, idc.BPT_BRK, 0)
    idc.SetBptCnd(return_ea, "interactivemodeCallback.recvEnd()")
    return 0
def MyCreateFileA(self):
    """Entry hook for CreateFileA: log the arguments and arm a return breakpoint.

    HANDLE WINAPI CreateFile(
        _In_     LPCTSTR lpFileName,
        _In_     DWORD dwDesiredAccess,
        _In_     DWORD dwShareMode,
        _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
        _In_     DWORD dwCreationDisposition,
        _In_     DWORD dwFlagsAndAttributes,
        _In_opt_ HANDLE hTemplateFile
    );

    The file name is read from debuggee memory as a 1-byte-per-char string.
    windowsFileIO.MyCreateFileAEnd() is installed as the condition of a
    breakpoint on the return address. Always returns 0.
    """
    name_ptr = Util.GetData(0x4)
    self.logger.info("MyCreateFileA lpFileName is 0x%x" % name_ptr)
    full_path = "".join(Util.Read(name_ptr, 1))
    self.logger.info("filePath is %s" % full_path)

    access = Util.GetData(0x8)
    self.logger.info("dwDesiredAccess is 0x%x" % (access))
    share = Util.GetData(0xC)
    self.logger.info("dwShareMode value is 0x%x" % (share))
    sec_attrs = Util.GetData(0x10)
    self.logger.info("lpSecurityAttributes value is 0x%x" % (sec_attrs))
    disposition = Util.GetData(0x14)
    self.logger.info("dwCreationDisposition value is 0x%x" % (disposition))
    # Read but not logged, as in the original.
    flags_attrs = Util.GetData(0x18)
    template = Util.GetData(0x1C)

    base_name = os.path.basename(full_path)
    self.logger.info("The filename is %s" % base_name)

    return_ea = Util.GetData(0x0)
    idc.AddBpt(return_ea)
    idc.SetBptCnd(return_ea, "windowsFileIO.MyCreateFileAEnd()")
    return 0
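def checkRecv(self):
    """Entry hook for recv(): log the arguments and arm a return breakpoint.

    int recv(
        _In_  SOCKET s,
        _Out_ char *buf,
        _In_  int len,
        _In_  int flags
    );

    Socket, buffer, length, caller address, the tag "recv" and the thread id
    are stored in self.tempStack for windowsNetworkIO.checkRecvEnd(), which
    runs as the condition of a non-stopping breakpoint on the return
    address. Always returns 0.
    """
    s = Util.GetData(0x4)
    self.logger.info("checkRecv: Socket is 0x%x" % (s))
    buf = Util.GetData(0x8)
    self.logger.info("checkRecv: *buf is 0x%x" % (buf))
    _len = Util.GetData(0xC)
    self.logger.info("checkRecv: len value is %d" % (_len))
    flag = Util.GetData(0x10)
    self.logger.info("checkRecv: flag value is %d" % (flag))

    retAddr = Util.GetData(0x0)
    # The call instruction is the item before the return address. Using
    # retAddr - ItemSize(retAddr) subtracts the size of the instruction *at*
    # the return address, which is not the size of the call.
    callerAddr = idc.PrevHead(retAddr)

    self.tempStack = [
        s,
        buf,
        _len,
        callerAddr,
        "recv",
        idc.GetCurrentThreadId(),
    ]

    idc.AddBpt(retAddr)
    idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
    idc.SetBptCnd(retAddr, "windowsNetworkIO.checkRecvEnd()")
    return 0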
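def MyReadFile(self):
    """Entry hook for ReadFile: log the arguments and, if the handle is
    tracked, arm a return breakpoint that triggers the trace.

    BOOL WINAPI ReadFile(
        _In_        HANDLE hFile,
        _Out_       LPVOID lpBuffer,
        _In_        DWORD nNumberOfBytesToRead,
        _Out_opt_   LPDWORD lpNumberOfBytesRead,
        _Inout_opt_ LPOVERLAPPED lpOverlapped
    );

    Buffer, byte-count pointer, handle, caller address, the tag "ReadFile"
    and the thread id are stored in self.tempStack for
    windowsFileIO.MyReadFileEnd(). Handles not in self.handleSet get any
    leftover breakpoint on the return address removed instead. Always
    returns 0.
    """
    hFile = Util.GetData(0x4)
    self.logger.info("hFile is 0x%x" % (hFile))
    lpBuffer = Util.GetData(0x8)
    self.logger.info("lpBuffer is 0x%x" % (lpBuffer))
    nNumberOfBytesToRead = Util.GetData(0xC)
    self.logger.info("nNumberOfBytesToRead value is 0x%x" % (nNumberOfBytesToRead))
    lpNumberOfBytesRead = Util.GetData(0x10)
    self.logger.info("lpNumberOfBytesRead value is 0x%x" % (lpNumberOfBytesRead))
    lpOverlapped = Util.GetData(0x14)
    self.logger.info("lpOverlapped is 0x%x" % (lpOverlapped))

    retAddr = Util.GetData(0x0)
    # The call instruction is the item before the return address; the old
    # retAddr - ItemSize(retAddr) used the size of the instruction at the
    # return address, which is not the call's size.
    callerAddr = idc.PrevHead(retAddr)

    self.tempStack = [
        lpBuffer,
        lpNumberOfBytesRead,
        hFile,
        callerAddr,
        "ReadFile",
        idc.GetCurrentThreadId(),
    ]

    if hFile in self.handleSet:
        self.logger.info("Ready to read from handle 0x%x" % hFile)
        Print("Ready to read from handle 0x%x" % hFile)
        idc.AddBpt(retAddr)
        idc.SetBptCnd(retAddr, "windowsFileIO.MyReadFileEnd()")
    else:
        # A breakpoint left by an earlier tracked read at the same call site
        # would otherwise fire MyReadFileEnd() for an untracked handle.
        if idc.CheckBpt(retAddr) >= 0:
            self.logger.info("Removing un-needed ReadFile breakpoint.")
            Print("Removing un-needed ReadFile breakpoint.")
            idc.DelBpt(retAddr)
    return 0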
def My_fopen(self):
    """Entry hook for glibc's _IO_file_fopen: start tracking the FILE* when
    the file's base name is in the file filter.

    old - FILE * fopen ( const char * filename, const char * mode );
    FILE * _IO_file_fopen (fp, filename, mode, is32not64)

    The file name is read from debuggee memory as a 1-byte-per-char string;
    only its basename is compared against self.filter['file']. On a match
    the fp is added to self.handleSet. Always returns 0.
    """
    file_obj = Util.GetData(0x4)
    self.logger.info("fp is 0x%x" % file_obj)

    name_ptr = Util.GetData(0x8)
    full_path = "".join(Util.Read(name_ptr, 1))
    self.logger.info("filePath is %s" % full_path)

    open_mode = Util.GetData(0xC)
    self.logger.info("mode is 0x%x" % (open_mode))
    bits_flag = Util.GetData(0x10)
    self.logger.info("is32not64 is %d" % (bits_flag))

    base_name = os.path.basename(full_path)
    self.logger.info("The filename is %s" % base_name)

    matched = base_name in self.filter['file']
    if not matched:
        self.logger.info("Filter did not match.")
        return 0

    self.handleSet.add(file_obj)
    self.logger.info(
        "Filter matched. Add handle to the handle's dictionary to start logging."
    )
    return 0
def MyCloseHandle(self):
    """Entry hook for CloseHandle: stop tracking the handle being closed.

    BOOL WINAPI CloseHandle(
        _In_ HANDLE hObject
    );

    If hObject is in self.handleSet it is removed and the removal is logged;
    untracked handles are ignored silently. Always returns 0.
    """
    closing = Util.GetData(0x4)
    if closing not in self.handleSet:
        return 0
    self.handleSet.remove(closing)
    self.logger.info("Removing handle 0x%x from Handle Set" % closing)
    return 0
def MyCreateFileW(self):
    """Entry hook for CreateFileW: log the arguments and, if the file's base
    name is in the file filter, arm a return breakpoint.

    HANDLE WINAPI CreateFileW(
        _In_     LPCTSTR lpFileName,
        _In_     DWORD dwDesiredAccess,
        _In_     DWORD dwShareMode,
        _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
        _In_     DWORD dwCreationDisposition,
        _In_     DWORD dwFlagsAndAttributes,
        _In_opt_ HANDLE hTemplateFile
    );

    The file name is read from debuggee memory as a 2-byte-per-char string.
    On a match windowsFileIO.MyCreateFileWEnd() is installed as the
    condition of a non-stopping breakpoint on the return address; otherwise
    any breakpoint already present there is removed. Always returns 0.
    """
    name_ptr = Util.GetData(0x4)
    self.logger.info("MyCreateFileW lpFileName is 0x%x" % name_ptr)
    full_path = "".join(Util.Read(name_ptr, 2))
    self.logger.info("filePath is %s" % full_path)

    access = Util.GetData(0x8)
    self.logger.info("dwDesiredAccess is 0x%x" % (access))
    share = Util.GetData(0xC)
    self.logger.info("dwShareMode value is 0x%x" % (share))
    sec_attrs = Util.GetData(0x10)
    self.logger.info("lpSecurityAttributes value is 0x%x" % (sec_attrs))
    disposition = Util.GetData(0x14)
    self.logger.info("dwCreationDisposition value is 0x%x" % (disposition))
    # Read but not logged, as in the original.
    flags_attrs = Util.GetData(0x18)
    template = Util.GetData(0x1C)

    base_name = os.path.basename(full_path)
    self.logger.info("The filename is %s" % base_name)
    return_ea = Util.GetData(0x0)

    if base_name not in self.filter['file']:
        # Drop a breakpoint left over from an earlier matching call.
        if idc.CheckBpt(return_ea) >= 0:
            Print("Removing un-needed breakpoint.")
            self.logger.info("Removing un-needed breakpoint.")
            idc.DelBpt(return_ea)
        self.logger.info("Filter did not match.")
        return 0

    idc.AddBpt(return_ea)
    idc.SetBptAttr(return_ea, idc.BPT_BRK, 0)
    idc.SetBptCnd(return_ea, "windowsFileIO.MyCreateFileWEnd()")
    self.logger.info(
        "Filter matched. Add handle to the handle's dictionary to start logging."
    )
    Print(
        "Filter matched. Add handle to the handle's dictionary to start logging."
    )
    return 0