def printchunk(self, uselog=None, option=0, dt=None):
    """Render this heap chunk (back-end or LFH) as ``(address, text)`` lines.

    Every value shown -- sizes, flags, flink/blink, the data sample -- is
    whatever the debuggee's heap metadata currently says.  Nothing is
    validated here on purpose: when a header has been smashed by an
    overflow the bogus fields are exactly what the analyst wants to see.

    uselog: optional callable invoked as ``uselog(msg, address=adr)`` for
            every produced line (typically the debugger's log function).
    option: bitmask; ``SHOWCHUNK_FULL`` adds the first hexdump row of
            ``self.sample``.
    dt:     optional discoverer; its ``Discover`` is run over the chunk's
            user data (skipped for free LFH chunks) and each object found
            becomes one extra line anchored at that object's address.
    Returns the list of ``(address, text)`` tuples.
    """
    # isRestore() is always consulted, even though the marker is only
    # printed for back-end chunks (same as before).
    marker = "<R>" if self.isRestore() else ""
    lines = []

    if self.isLFH:
        # LFH chunks: freeorder == -1 marks a busy block, anything else is
        # the free-list order the block sits in.
        state = "B" if self.freeorder == -1 else "F(%02x)" % self.freeorder
        lines.append((self.addr,
                      "Chunk size: 0x%x lfhflag: 0x%x %s" % (self.psize, self.lfhflags, state)))
    else:
        head = "0x%08x> " % self.addr
        head += "size: 0x%08x (%04x) prevsize: 0x%08x (%04x) %s" % (
            self.usize, self.size, self.upsize, self.psize, marker)
        lines.append((self.addr, head))

    lines.append((self.addr,
                  " heap: *0x%08x* flags: 0x%02x 0x%02x (%s)" % (
                      self.heap_addr, self.flags, self.flags2, self.getflags(self.flags))))

    # Non-busy back-end chunks are linked into a free list; show both links.
    if not self.isLFH and not (self.flags2 & self.BUSY[1][1]):
        lines.append((self.addr,
                      " next: 0x%08x prev: 0x%08x" % (self.nextchunk, self.prevchunk)))

    if option & SHOWCHUNK_FULL:
        rows = immutils.hexdump(self.sample)
        # Only the first hexdump row is emitted (the original loop appended
        # for index 0 only); presumably `sample` is meant as a short preview.
        if rows:
            lines.append((self.addr, " (%s %s)" % (rows[0][0], rows[0][1])))

    # `not isLFH or (isLFH and freeorder == -1)` collapses to this: run the
    # discoverer on every back-end chunk and on busy LFH chunks only.
    if dt and (not self.isLFH or self.freeorder == -1):
        # NOTE(review): data_size comes from the chunk header itself; a
        # corrupted size field makes this read cover far more (or less)
        # than the real allocation.
        raw = self.imm.readMemory(self.data_addr, self.data_size)
        for found in dt.Discover(raw, self.data_addr):
            text = found.Print()
            lines.append((found.address, " > %s: %s " % (found.name, text)))

    if uselog:
        for where, text in lines:
            uselog(text, address=where)
    return lines
def printchunk(self, uselog=None, option=0, dt=None):
    """Format this back-end heap chunk as a list of ``(address, text)`` lines.

    The header fields (size/prevsize, flags, flink/blink) are read from the
    debuggee's heap and displayed unvalidated, so an overwritten header is
    shown as-is -- which is what a heap-overflow triage needs.

    uselog: optional callable invoked as ``uselog(msg, address=adr)`` for each line.
    option: bitmask; ``SHOWCHUNK_FULL`` appends the first row of a hexdump of
            ``self.sample``.
    dt:     optional discoverer; ``dt.Discover`` is run over the chunk's user
            data and each object it finds becomes one extra line at its own
            address.
    Returns the list of ``(address, text)`` pairs.
    """
    out = []
    emit = out.append

    tag = ""
    if self.isRestore():
        tag = "<R>"

    head = "0x%08x> " % self.addr
    head += "size: 0x%08x (%04x) prevsize: 0x%08x (%04x) %s" % (
        self.usize, self.size, self.upsize, self.psize, tag)
    emit((self.addr, head))
    emit((self.addr, " heap: *0x%08x* flags: 0x%08x (%s)" % (
        self.heap_addr, self.flags, self.getflags(self.flags))))

    busy = self.flags & self.BUSY[1][1]
    if not busy:
        # Free chunks sit on a doubly linked free list; show both links.
        emit((self.addr, " next: 0x%08x prev: 0x%08x" % (self.nextchunk, self.prevchunk)))

    if option & SHOWCHUNK_FULL:
        rows = immutils.hexdump(self.sample)
        if len(rows) > 0:
            # The original loop only ever appended its first row (``if not a``);
            # kept identical -- `sample` is presumably a short preview.
            emit((self.addr, " (%s %s)" % (rows[0][0], rows[0][1])))

    if dt:
        # NOTE(review): data_size is taken from the chunk header; if the header
        # was overwritten this read may span far more than the real allocation.
        raw = self.imm.readMemory(self.data_addr, self.data_size)
        for found in dt.Discover(raw, self.data_addr):
            text = found.Print()
            emit((found.address, " > %s: %s " % (found.name, text)))

    if uselog:
        for where, text in out:
            uselog(text, address=where)
    return out
def printchunk(self, uselog=None, option=0, dt=None):
    """Describe this back-end heap chunk as ``(address, text)`` lines.

    Sizes, flags and the free-list links are taken straight from the
    debuggee's heap metadata without any sanity check, so a corrupted
    chunk header is rendered exactly as found.

    uselog: optional sink called as ``uselog(msg, address=adr)`` per line.
    option: bitmask; with ``SHOWCHUNK_FULL`` set, the first hexdump row of
            ``self.sample`` is appended.
    dt:     optional discoverer run over the chunk's user data; every object
            it reports is appended as a line at the object's own address.
    Returns the assembled list of ``(address, text)`` tuples.
    """
    lines = []

    def line(text, where=None):
        # Lines default to the chunk header address unless told otherwise.
        lines.append((self.addr if where is None else where, text))

    restore_mark = "<R>" if self.isRestore() else ""

    # "0x%08x> " % addr + "size ..." % (...) -- `%` binds tighter than `+`.
    line(("0x%08x> " % self.addr)
         + ("size: 0x%08x (%04x) prevsize: 0x%08x (%04x) %s"
            % (self.usize, self.size, self.upsize, self.psize, restore_mark)))
    line(" heap: *0x%08x* flags: 0x%08x (%s)"
         % (self.heap_addr, self.flags, self.getflags(self.flags)))

    # Only chunks without the busy bit carry meaningful flink/blink pointers.
    if (self.flags & self.BUSY[1][1]) == 0:
        line(" next: 0x%08x prev: 0x%08x" % (self.nextchunk, self.prevchunk))

    if option & SHOWCHUNK_FULL:
        rows = immutils.hexdump(self.sample)
        # Historically only row 0 was printed (the loop body tested `not a`);
        # behaviour kept -- `sample` appears to be a preview, not the full data.
        if rows:
            line(" (%s %s)" % (rows[0][0], rows[0][1]))

    if dt:
        # NOTE(review): data_size originates in the chunk header; a tampered
        # header can make this read much larger than the true allocation.
        blob = self.imm.readMemory(self.data_addr, self.data_size)
        for obj in dt.Discover(blob, self.data_addr):
            rendered = obj.Print()
            line(" > %s: %s " % (obj.name, rendered), where=obj.address)

    if uselog:
        for where, text in lines:
            uselog(text, address=where)
    return lines
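def main(args):
    """Immunity Debugger PyCommand: exercise the decoder/disassembler API on
    ntdll.dll and compare the debugger's basic-block split of one function
    with a list of block start addresses exported from IDA.

    args: the PyCommand argument list; it is only echoed to the log.

    NOTE(review): every address below (the 0x7c93c667 probe, FUNC_ADDR and
    the IDA_BLOCKS list) is hard-coded for one particular ntdll.dll build
    loaded at its preferred base.  If ``getCodebase()`` reports a different
    base (another ntdll build, or ASLR relocating it) these addresses point
    into unrelated code and the decoder lookups fail or print nonsense --
    rebase them before trusting any output.

    Fixes vs. the previous version: a block start found by the debugger but
    absent from the IDA list no longer aborts the run with ValueError (it is
    logged instead), the timing label no longer claims microseconds for a
    value that is in seconds, and the dead ``address += 1`` is gone.
    """
    imm = immlib.Debugger()
    for arg in args:
        imm.Log("Arg: %s" % arg)

    mod = imm.getModule("ntdll.dll")
    if not mod:
        # Presumably getModule returns None for an unknown module; bail out
        # with a message instead of an AttributeError below.
        imm.Log("ntdll.dll is not loaded in this process")
        return
    base = mod.getCodebase()
    dec = imm.findDecode(base)
    imm.Log("Base address: 0x%08x" % base)

    address = 0x7c93c667
    imm.Log(hex(address))
    imm.Log(str(dec.isJmpDestination(address)))
    imm.Log(hex(dec[address]))

    # Timing probe for one disassembly call.  Earlier notes in this file
    # recorded disasmCode 0.55, Disasm 0.83 and disasmData 0.83 / 0.27
    # (units not recorded); disasmSizeOnly was never timed.
    # time.clock() is the timer available in the debugger's Python 2 runtime
    # (it was removed in Python 3.8); it returns seconds.
    import time
    start = time.clock()
    op = imm.disasmData(address)
    stop = time.clock()
    imm.Log("DisasmData %.8f sec/pass" % (stop - start))
    imm.Log("is jmc" + str(op.isConditionalJmp()), address=address)
    imm.Log("op dest: 0x%08x" % op.getJmpConst(), address=address)
    imm.Log(str(immutils.hexdump(dec.data)))

    # Other functions tried earlier, with the block count noted for them:
    # 0x7C9139ED, 0x7C91D37F (16), 0x7C920645 (17), 0x7C9206BB,
    # 0x7C923313 (21), 0x7C925D96 (39), 0x7C9260BC (36).
    FUNC_ADDR = 0x7C9105D4
    func = imm.getFunction(FUNC_ADDR)
    bb = func.getBasicBlocks()
    imm.Log("Basic Blocks")

    # Basic-block start addresses IDA reports for FUNC_ADDR.
    IDA_BLOCKS = [
        0x7c911f49, 0x7c93bad1, 0x7c911505, 0x7c9112f2, 0x7c93431e, 0x7c9111f1, 0x7c9342c5, 0x7c9111f6,
        0x7c91b298, 0x7c912221, 0x7c911513, 0x7c912270, 0x7c912343, 0x7c93250b, 0x7c9114cf, 0x7c9115ad,
        0x7c910c98, 0x7c911566, 0x7c93b95e, 0x7c9116ff, 0x7c931a9a, 0x7c9342e9, 0x7c934312, 0x7c910c91,
        0x7c911441, 0x7c911446, 0x7c91122e, 0x7c91b2a2, 0x7c911330, 0x7c9113b0, 0x7c9117e4, 0x7c931ad8,
        0x7c93b968, 0x7c910cd3, 0x7c93ba0c, 0x7c9111a2, 0x7c91222b, 0x7c932508, 0x7c911790, 0x7c93bac9,
        0x7c911182, 0x7c912237, 0x7c910649, 0x7c912230, 0x7c93b89a, 0x7c93bbd6, 0x7c934278, 0x7c911624,
        0x7c93ba89, 0x7c9111fe, 0x7c934341, 0x7c911676, 0x7c911573, 0x7c934256, 0x7c931a8c, 0x7c9342a5,
        0x7c911570, 0x7c93ba01, 0x7c91154b, 0x7c910cec, 0x7c93bc5e, 0x7c911342, 0x7c934356, 0x7c9113f0,
        0x7c91117a, 0x7c910c9f, 0x7c912269, 0x7c934391, 0x7c910ca6, 0x7c93b91a, 0x7c934302, 0x7c934351,
        0x7c911fe5, 0x7c9106a5, 0x7c911193, 0x7c911615, 0x7c9112ca, 0x7c911541, 0x7c911815, 0x7c9115fa,
        0x7c912243, 0x7c93bbe2, 0x7c934386, 0x7c934380, 0x7c9342ce, 0x7c91142e, 0x7c93437b, 0x7c93b999,
        0x7c91176c, 0x7c9115ba, 0x7c911633, 0x7c91062d, 0x7c91153b, 0x7c91067b, 0x7c9106ab, 0x7c93b994,
        0x7c93430c, 0x7c9111e9, 0x7c9112c4, 0x7c9113a6, 0x7c911fe8, 0x7c93bc68, 0x7c910cab, 0x7c934396,
        0x7c911555, 0x7c93bb49, 0x7c934314, 0x7c9114e5, 0x7c93b8d5, 0x7c934370, 0x7c93bc25, 0x7c911764,
        0x7c910cfa, 0x7c934375, 0x7c912254, 0x7c9116d3, 0x7c910625, 0x7c911c58, 0x7c93bbed, 0x7c93bbb4,
        0x7c9105e3, 0x7c93bc59, 0x7c93ba63, 0x7c93ba99, 0x7c93ba66, 0x7c9324c7, 0x7c93438b, 0x7c91182c,
        0x7c9111b1, 0x7c9113b8, 0x7c911487, 0x7c9115d3, 0x7c911484, 0x7c91170a, 0x7c910cc8, 0x7c93b922,
        0x7c93bb56, 0x7c9113ce, 0x7c93bb50, 0x7c9115ed, 0x7c9113fe, 0x7c93bc11, 0x7c911c65, 0x7c910638,
        0x7c9116c8, 0x7c912388, 0x7c912260, 0x7c911239, 0x7c934368, 0x7c9324ec, 0x7c9105d4, 0x7c91130f,
        0x7c93b99e, 0x7c91237a, 0x7c91138c, 0x7c934280, 0x7c9116bf, 0x7c931aad, 0x7c911f8e, 0x7c911414,
        0x7c911525, 0x7c9343a3, 0x7c911c6b, 0x7c910fdc, 0x7c93b9db, 0x7c911f8a, 0x7c9106d7, 0x7c93bc1c,
        0x7c910687, 0x7c911439, 0x7c9111bb, 0x7c911f77, 0x7c910660, 0x7c93428c, 0x7c911c76, 0x7c9115df,
        0x7c93b8a2, 0x7c93bc9d, 0x7c911382, 0x7c911538, 0x7c910609, 0x7c93bbcd, 0x7c931aa5, 0x7c9342d3,
        0x7c911784, 0x7c911309, 0x7c93436a, 0x7c911c83, 0x7c91140b, 0x7c91149e, 0x7c93b92f, 0x7c9117ae,
        0x7c93439d, 0x7c91137a, 0x7c9324e1, 0x7c93b9ac, 0x7c93b8cb, 0x7c9106e4, 0x7c9106e6, 0x7c93268f,
        0x7c93bb16, 0x7c934349, 0x7c93b88e, 0x7c911f7f, 0x7c9113ed, 0x7c9115c4, 0x7c91b28c, 0x7c91159a,
        0x7c93b9b2, 0x7c911588, 0x7c9117c5, 0x7c91165f, 0x7c9117dd, 0x7c931ab4, 0x7c911394, 0x7c910618,
        0x7c9116a8, 0x7c911fbd, 0x7c93bb8b, 0x7c911503, 0x7c911501, 0x7c91066e, 0x7c911792, 0x7c931acb,
        0x7c911158, 0x7c910fca, 0x7c93ba38, 0x7c91179c, 0x7c911315, 0x7c910cb6, 0x7c91185e, 0x7c910c67,
        0x7c911c8c, 0x7c910c61, 0x7c93bb3e, 0x7c93b883, 0x7c91220d, 0x7c93b9de, 0x7c93bae5, 0x7c911596,
        0x7c9106b8, 0x7c9114a7, 0x7c93b8c0, 0x7c9113dc, 0x7c93bb37, 0x7c9115c0, 0x7c911645, 0x7c9106eb,
        0x7c912356, 0x7c93ba3e, 0x7c910666, 0x7c9122dc, 0x7c931ac1, 0x7c93b903, 0x7c9324fe, 0x7c911241,
        0x7c93b953, 0x7c910744, 0x7c93b90e, 0x7c931a6b, 0x7c91139e, 0x7c911253, 0x7c911324, 0x7c9122e8,
        0x7c911320, 0x7c9115a4,
    ]
    ida_starts = set(IDA_BLOCKS)

    # Walk the debugger's blocks, remembering every start we saw.  The old
    # code did ``del ida[ida.index(a[0])]`` here, which raised ValueError
    # as soon as the debugger produced a block IDA does not have.
    found = set()
    for block in bb:
        imm.Log(" (0x%08x, 0x%08x )" % (block[0], block[1]))
        found.add(block[0])
        if block[0] not in ida_starts:
            imm.Log(" not in IDA list: 0x%08x" % block[0], address=block[0])
    imm.Log("BB size: %d" % len(bb))

    # "Resto" (remainder): block starts IDA has that the debugger missed,
    # reported in IDA order.
    resto = [start for start in IDA_BLOCKS if start not in found]
    imm.Log("Resto: %d" % len(resto))
    for start in resto:
        # Look at the instruction preceding each missed boundary; presumably
        # the interesting case is a call right before it (return-address
        # split), hence the isCall() flag in the log line.
        op = imm.disasmBackward(start)
        imm.Log(" -> 0x%08x %s" % (start, str(op.isCall())), address=start)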
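def main(args):
    """Immunity Debugger PyCommand: probe the decoder/disassembler API on
    ntdll.dll, then diff the debugger's basic blocks for one function
    against the block starts IDA reports for it.

    args: the PyCommand argument list; only echoed to the log.

    NOTE(review): the probe address 0x7c93c667, FUNC_ADDR and the whole
    IDA_BLOCKS list are hard-coded for one specific ntdll.dll build at its
    preferred base.  When ``getCodebase()`` returns anything else (a
    different ntdll build, or ASLR) the addresses land in unrelated code
    and the decoder lookups fail or print garbage -- rebase them first.

    Changes from the previous version: a debugger block whose start is not
    in the IDA list is logged instead of aborting with ValueError, the
    timing label says seconds (the value was never microseconds), and the
    unused ``address += 1`` was dropped.
    """
    imm = immlib.Debugger()
    for arg in args:
        imm.log("Arg: %s" % arg)

    mod = imm.getModule("ntdll.dll")
    if not mod:
        # Presumably getModule returns None when the module is absent;
        # report that rather than dying on mod.getCodebase().
        imm.log("ntdll.dll is not loaded in this process")
        return
    base = mod.getCodebase()
    dec = imm.findDecode(base)
    imm.log("Base address: 0x%08x" % base)

    address = 0x7c93c667
    imm.log(hex(address))
    imm.log(str(dec.isJmpDestination(address)))
    imm.log(hex(dec[address]))

    # Single-call timing probe.  Earlier notes kept in this file: disasmCode
    # 0.55, disasm 0.83, disasmData 0.83 and later 0.27 (units unrecorded);
    # disasmSizeOnly was not timed.  time.clock() is the timer in the
    # debugger's Python 2 runtime (gone in Python 3.8) and returns seconds.
    import time
    start = time.clock()
    op = imm.disasmData(address)
    stop = time.clock()
    imm.log("disasmData %.8f sec/pass" % (stop - start))
    imm.log("is jmc" + str(op.isConditionalJmp()), address=address)
    imm.log("op dest: 0x%08x" % op.getJmpConst(), address=address)
    imm.log(str(immutils.hexdump(dec.data)))

    # Other candidate functions tried before, with IDA's block count where
    # it was noted: 0x7C9139ED, 0x7C91D37F (16), 0x7C920645 (17),
    # 0x7C9206BB, 0x7C923313 (21), 0x7C925D96 (39), 0x7C9260BC (36).
    FUNC_ADDR = 0x7C9105D4
    func = imm.getFunction(FUNC_ADDR)
    bb = func.getBasicBlocks()
    imm.log("Basic Blocks")

    # Block start addresses IDA reports for FUNC_ADDR.
    IDA_BLOCKS = [
        0x7c911f49, 0x7c93bad1, 0x7c911505, 0x7c9112f2, 0x7c93431e, 0x7c9111f1, 0x7c9342c5, 0x7c9111f6,
        0x7c91b298, 0x7c912221, 0x7c911513, 0x7c912270, 0x7c912343, 0x7c93250b, 0x7c9114cf, 0x7c9115ad,
        0x7c910c98, 0x7c911566, 0x7c93b95e, 0x7c9116ff, 0x7c931a9a, 0x7c9342e9, 0x7c934312, 0x7c910c91,
        0x7c911441, 0x7c911446, 0x7c91122e, 0x7c91b2a2, 0x7c911330, 0x7c9113b0, 0x7c9117e4, 0x7c931ad8,
        0x7c93b968, 0x7c910cd3, 0x7c93ba0c, 0x7c9111a2, 0x7c91222b, 0x7c932508, 0x7c911790, 0x7c93bac9,
        0x7c911182, 0x7c912237, 0x7c910649, 0x7c912230, 0x7c93b89a, 0x7c93bbd6, 0x7c934278, 0x7c911624,
        0x7c93ba89, 0x7c9111fe, 0x7c934341, 0x7c911676, 0x7c911573, 0x7c934256, 0x7c931a8c, 0x7c9342a5,
        0x7c911570, 0x7c93ba01, 0x7c91154b, 0x7c910cec, 0x7c93bc5e, 0x7c911342, 0x7c934356, 0x7c9113f0,
        0x7c91117a, 0x7c910c9f, 0x7c912269, 0x7c934391, 0x7c910ca6, 0x7c93b91a, 0x7c934302, 0x7c934351,
        0x7c911fe5, 0x7c9106a5, 0x7c911193, 0x7c911615, 0x7c9112ca, 0x7c911541, 0x7c911815, 0x7c9115fa,
        0x7c912243, 0x7c93bbe2, 0x7c934386, 0x7c934380, 0x7c9342ce, 0x7c91142e, 0x7c93437b, 0x7c93b999,
        0x7c91176c, 0x7c9115ba, 0x7c911633, 0x7c91062d, 0x7c91153b, 0x7c91067b, 0x7c9106ab, 0x7c93b994,
        0x7c93430c, 0x7c9111e9, 0x7c9112c4, 0x7c9113a6, 0x7c911fe8, 0x7c93bc68, 0x7c910cab, 0x7c934396,
        0x7c911555, 0x7c93bb49, 0x7c934314, 0x7c9114e5, 0x7c93b8d5, 0x7c934370, 0x7c93bc25, 0x7c911764,
        0x7c910cfa, 0x7c934375, 0x7c912254, 0x7c9116d3, 0x7c910625, 0x7c911c58, 0x7c93bbed, 0x7c93bbb4,
        0x7c9105e3, 0x7c93bc59, 0x7c93ba63, 0x7c93ba99, 0x7c93ba66, 0x7c9324c7, 0x7c93438b, 0x7c91182c,
        0x7c9111b1, 0x7c9113b8, 0x7c911487, 0x7c9115d3, 0x7c911484, 0x7c91170a, 0x7c910cc8, 0x7c93b922,
        0x7c93bb56, 0x7c9113ce, 0x7c93bb50, 0x7c9115ed, 0x7c9113fe, 0x7c93bc11, 0x7c911c65, 0x7c910638,
        0x7c9116c8, 0x7c912388, 0x7c912260, 0x7c911239, 0x7c934368, 0x7c9324ec, 0x7c9105d4, 0x7c91130f,
        0x7c93b99e, 0x7c91237a, 0x7c91138c, 0x7c934280, 0x7c9116bf, 0x7c931aad, 0x7c911f8e, 0x7c911414,
        0x7c911525, 0x7c9343a3, 0x7c911c6b, 0x7c910fdc, 0x7c93b9db, 0x7c911f8a, 0x7c9106d7, 0x7c93bc1c,
        0x7c910687, 0x7c911439, 0x7c9111bb, 0x7c911f77, 0x7c910660, 0x7c93428c, 0x7c911c76, 0x7c9115df,
        0x7c93b8a2, 0x7c93bc9d, 0x7c911382, 0x7c911538, 0x7c910609, 0x7c93bbcd, 0x7c931aa5, 0x7c9342d3,
        0x7c911784, 0x7c911309, 0x7c93436a, 0x7c911c83, 0x7c91140b, 0x7c91149e, 0x7c93b92f, 0x7c9117ae,
        0x7c93439d, 0x7c91137a, 0x7c9324e1, 0x7c93b9ac, 0x7c93b8cb, 0x7c9106e4, 0x7c9106e6, 0x7c93268f,
        0x7c93bb16, 0x7c934349, 0x7c93b88e, 0x7c911f7f, 0x7c9113ed, 0x7c9115c4, 0x7c91b28c, 0x7c91159a,
        0x7c93b9b2, 0x7c911588, 0x7c9117c5, 0x7c91165f, 0x7c9117dd, 0x7c931ab4, 0x7c911394, 0x7c910618,
        0x7c9116a8, 0x7c911fbd, 0x7c93bb8b, 0x7c911503, 0x7c911501, 0x7c91066e, 0x7c911792, 0x7c931acb,
        0x7c911158, 0x7c910fca, 0x7c93ba38, 0x7c91179c, 0x7c911315, 0x7c910cb6, 0x7c91185e, 0x7c910c67,
        0x7c911c8c, 0x7c910c61, 0x7c93bb3e, 0x7c93b883, 0x7c91220d, 0x7c93b9de, 0x7c93bae5, 0x7c911596,
        0x7c9106b8, 0x7c9114a7, 0x7c93b8c0, 0x7c9113dc, 0x7c93bb37, 0x7c9115c0, 0x7c911645, 0x7c9106eb,
        0x7c912356, 0x7c93ba3e, 0x7c910666, 0x7c9122dc, 0x7c931ac1, 0x7c93b903, 0x7c9324fe, 0x7c911241,
        0x7c93b953, 0x7c910744, 0x7c93b90e, 0x7c931a6b, 0x7c91139e, 0x7c911253, 0x7c911324, 0x7c9122e8,
        0x7c911320, 0x7c9115a4,
    ]
    known = set(IDA_BLOCKS)

    # Log every debugger block and collect its start.  Previously this loop
    # did ``del ida[ida.index(a[0])]`` and blew up with ValueError on the
    # first block start IDA did not list; now such blocks are reported.
    seen = set()
    for block in bb:
        imm.log(" (0x%08x, 0x%08x )" % (block[0], block[1]))
        seen.add(block[0])
        if block[0] not in known:
            imm.log(" not in IDA list: 0x%08x" % block[0], address=block[0])
    imm.log("BB size: %d" % len(bb))

    # "Resto" (remainder): IDA block starts the debugger did not produce,
    # in IDA order.
    resto = [start for start in IDA_BLOCKS if start not in seen]
    imm.log("Resto: %d" % len(resto))
    for start in resto:
        # Inspect the instruction before each missed boundary; the isCall()
        # flag presumably distinguishes post-call splits from other misses.
        op = imm.disasmBackward(start)
        imm.log(" -> 0x%08x %s" % (start, str(op.isCall())), address=start)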