def my_function(cpu_index, cpu, tb, cur_pc, next_pc):
global cm
import api
from ipython_shell import start_shell
pgd = api.get_running_process(cpu_index)
pyrebox_print("Block end at (%x) %x -> %x\n" % (pgd, cur_pc, next_pc))
start_shell()
def new_proc(params):
'''
Process creation callback. Receives 3 parameters:
:param pid: The pid of the process
:type pid: int
:param pgd: The PGD of the process
:type pgd: int
:param name: The name of the process
:type name: str
'''
global pyrebox_print
global procs_created
global target_procname
global cm
pid = params["pid"]
pgd = params["pgd"]
name = params["name"]
pyrebox_print("New process created! pid: %x, pgd: %x, name: %s" % (pid, pgd, name))
procs_created += 1
# For instance, we can start the shell whenever a process is created
if target_procname != "" and target_procname.lower() in name.lower():
# At this point, the process has been created, but
# the main module (and dlls) have not been loaded yet.
# We put a callback on the context changes, and wait for
# the calc to start executing.
cm.add_callback(CallbackManager.CONTEXTCHANGE_CB, functools.partial(context_change, pgd, name), name="context_change")
# In order to start a shell, we just need to call start_shell()
pyrebox_print("Starting a shell after the %s process has been created" % name)
start_shell()
def block_begin(cpu_index, cpu, tb):
global cm
from api import CallbackManager
import api
from ipython_shell import start_shell
pgd = api.get_running_process(cpu_index)
start_shell()
if api.get_os_bits() == 32:
pyrebox_print("Adding optimized callback at 0x100218f\n")
cm.add_callback(CallbackManager.BLOCK_BEGIN_CB,
optimized_block_begin,
name="block_begin_optimized",
addr=0x100218f,
pgd=pgd)
elif api.get_os_bits() == 64:
pyrebox_print("Adding optimized callback at 0xfffff96000139f20\n")
cm.add_callback(CallbackManager.BLOCK_BEGIN_CB,
optimized_block_begin,
name="block_begin_optimized",
addr=0xfffff96000139f20,
pgd=pgd)
api.stop_monitoring_process(pgd)
pyrebox_print("Stopped monitoring process\n")
cm.rm_callback("block_begin")
pyrebox_print("Unregistered callback\n")
def block_begin(params):
global cm
from api import CallbackManager
import api
from ipython_shell import start_shell
cpu_index = params["cpu_index"]
cpu = params["cpu"]
tb = params["tb"]
pgd = api.get_running_process(cpu_index)
start_shell()
if api.get_os_bits() == 32:
pyrebox_print("Adding optimized callback at 0x100218f\n")
cm.add_callback(CallbackManager.BLOCK_BEGIN_CB,
optimized_block_begin,
name="block_begin_optimized",
addr=0x100218f, pgd=pgd)
elif api.get_os_bits() == 64:
pyrebox_print("Adding optimized callback at 0xfffff96000139f20\n")
cm.add_callback(CallbackManager.BLOCK_BEGIN_CB,
optimized_block_begin,
name="block_begin_optimized",
addr=0xfffff96000139f20, pgd=pgd)
api.stop_monitoring_process(pgd)
pyrebox_print("Stopped monitoring process\n")
cm.rm_callback("block_begin")
pyrebox_print("Unregistered callback\n")
def new_proc(pid, pgd, name):
'''
Process creation callback. Receives 3 parameters:
:param pid: The pid of the process
:type pid: int
:param pgd: The PGD of the process
:type pgd: int
:param name: The name of the process
:type name: str
'''
global pyrebox_print
global procs_created
global target_procname
global cm
pyrebox_print("New process created! pid: %x, pgd: %x, name: %s" %
(pid, pgd, name))
procs_created += 1
# For instance, we can start the shell whenever a process is created
if target_procname != "" and target_procname.lower() in name.lower():
# At this point, the process has been created, but
# the main module (and dlls) have not been loaded yet.
# We put a callback on the context changes, and wait for
# the calc to start executing.
cm.add_callback(CallbackManager.CONTEXTCHANGE_CB,
functools.partial(context_change, pgd, name),
name="context_change")
# In order to start a shell, we just need to call start_shell()
pyrebox_print(
"Starting a shell after the %s process has been created" % name)
start_shell()
def my_function(cpu_index, cpu):
global cm
import api
from ipython_shell import start_shell
pgd = api.get_running_process(cpu_index)
pyrebox_print("Insn end at (%x) %x\n" % (pgd, cpu.PC))
start_shell()
def opcode_range(cpu_index, cpu, cur_pc, next_pc):
global cm
from ipython_shell import start_shell
import api
pgd = api.get_running_process(cpu_index)
pyrebox_print("Opcode range callback (%x) PGD %x cur_pc %x next_pc %x\n" %
(cpu_index, pgd, cur_pc, next_pc))
start_shell()
def pyrebox_ipython_shell():
finished = False
while not finished:
try:
from ipython_shell import start_shell
start_shell()
finished = True
except Exception as e:
pp_error(str(e) + "\n")
traceback.print_exc(file=sys.stdout)
def pyrebox_ipython_shell():
finished = False
while not finished:
try:
from ipython_shell import start_shell
start_shell()
finished = True
except Exception as e:
pp_error(str(e) + "\n")
traceback.print_exc(file=sys.stdout)
def update_symbols(cpu_index, cpu):
global cm
global target_pgd
pgd = api.get_running_process(cpu_index)
start_shell()
if pgd == target_pgd:
api.get_symbol_list()
cm.rm_callback("update_symbols")
def my_function(params):
global cm
import api
from ipython_shell import start_shell
cpu_index = params["cpu_index"]
cpu = params["cpu"]
pgd = api.get_running_process(cpu_index)
pyrebox_print("Insn end at (%x) %x\n" % (pgd, cpu.PC))
start_shell()
def mem_write(cpu_index, addr, size, haddr, data):
global cm
global counter
global memwrite_breakpoint
pyrebox_print("Mem write at cpu %x, addr %x size %x\n" %
(cpu_index, addr, size))
counter += 1
# Remove the callback after 5 writes
if counter >= 5:
pyrebox_print("Breakpoint hit 5 times, disabling breakpoint...\n")
memwrite_breakpoint.disable()
start_shell()
def bp_func(bp_num, params):
'''
Function to use as a callback on breakpoints
'''
from ipython_shell import start_shell
import api
from utils import pp_print
# The first argument of insn begin and mem write/read callbacks should
# always be cpu_index
cpu_index = params["cpu_index"]
cpu = api.r_cpu(cpu_index)
pp_print("[!] Breakpoint %s hit at address %x\n" % (bp_num, cpu.PC))
start_shell()
def ep_hit(cpu_index, cpu):
global target_pgd
api.start_monitoring_process(target_pgd)
simbols = api.get_symbol_list(target_pgd)
for sim in simbols:
if sim["name"] == "GetDiskFreeSpaceExW" or sim[
"name"] == "GetDiskFreeSpaceExA":
pyrebox_print("found! %s" % sim["addr"])
cm.add_callback(CallbackManager.INSN_BEGIN_CB,
GetFreeSpaceCalled,
addr=sim["addr"],
pgd=target_pgd)
start_shell()
def bp_func(bp_num, params):
'''
Function to use as a callback on breakpoints
'''
from ipython_shell import start_shell
import api
from utils import pp_print
# The first argument of insn begin and mem write/read callbacks should
# always be cpu_index
cpu_index = params["cpu_index"]
cpu = api.r_cpu(cpu_index)
pp_print("[!] Breakpoint %s hit at address %x\n" % (bp_num, cpu.PC))
start_shell()
def opcode_range(params):
global cm
from ipython_shell import start_shell
import api
cpu_index = params["cpu_index"]
cpu = params["cpu"]
cur_pc = params["cur_pc"]
next_pc = params["next_pc"]
pgd = api.get_running_process(cpu_index)
pyrebox_print("Opcode range callback (%x) PGD %x cur_pc %x next_pc %x\n" %
(cpu_index, pgd, cur_pc, next_pc))
start_shell()
def my_function(params):
global cm
import api
from ipython_shell import start_shell
cpu_index = params["cpu_index"]
cpu = params["cpu"]
tb = params["tb"]
cur_pc = params["cur_pc"]
next_pc = params["next_pc"]
pgd = api.get_running_process(cpu_index)
pyrebox_print("Block end at (%x) %x -> %x\n" % (pgd, cur_pc, next_pc))
start_shell()
def mem_write(params):
global cm
global counter
from ipython_shell import start_shell
cpu_index = params["cpu_index"]
addr = params["vaddr"]
size = params["size"]
haddr = params["haddr"]
data = params["data"]
pyrebox_print("Mem write at cpu %x, addr %x size %x\n" % (cpu_index, addr, size))
start_shell()
counter += 1
# Remove the callback after 5 writes
if counter == 5:
cm.rm_callback("mem_write")
def mem_write(params):
global cm
global counter
global memwrite_breakpoint
cpu_index = params["cpu_index"]
addr = params["vaddr"]
size = params["size"]
haddr = params["haddr"]
data = params["data"]
pyrebox_print("Mem write at cpu %x, addr %x size %x\n" % (cpu_index, addr, size))
counter += 1
# Remove the callback after 5 writes
if counter >= 5:
pyrebox_print("Breakpoint hit 5 times, disabling breakpoint...\n")
memwrite_breakpoint.disable()
start_shell()
def new_proc(pid, pgd, name):
'''
Process creation callback. Receives 3 parameters:
:param pid: The pid of the process
:type pid: int
:param pgd: The PGD of the process
:type pgd: int
:param name: The name of the process
:type name: str
'''
global pyrebox_print
global cm
# Print a message.
pyrebox_print("New process created! pid: %x, pgd: %x, name: %s" %
(pid, pgd, name))
# Start a PyREBox shell exactly when a new process is created
start_shell()
def mem_write(params):
global cm
global counter
from ipython_shell import start_shell
cpu_index = params["cpu_index"]
addr = params["vaddr"]
size = params["size"]
haddr = params["haddr"]
data = params["data"]
pyrebox_print("Mem write at cpu %x, addr %x size %x\n" %
(cpu_index, addr, size))
start_shell()
counter += 1
# Remove the callback after 5 writes
if counter == 5:
cm.rm_callback("mem_write")
def mem_write(params):
global cm
global counter
global memwrite_breakpoint
cpu_index = params["cpu_index"]
addr = params["vaddr"]
size = params["size"]
haddr = params["haddr"]
data = params["data"]
pyrebox_print("Mem write at cpu %x, addr %x size %x\n" %
(cpu_index, addr, size))
counter += 1
# Remove the callback after 5 writes
if counter >= 5:
pyrebox_print("Breakpoint hit 5 times, disabling breakpoint...\n")
memwrite_breakpoint.disable()
start_shell()
def opcode_range(callback_name, params):
global cm
from ipython_shell import start_shell
import api
cpu_index = params["cpu_index"]
cpu = params["cpu"]
cur_pc = params["cur_pc"]
next_pc = params["next_pc"]
insn_size = params["insn_size"]
pgd = api.get_running_process(cpu_index)
opcode = cm.get_trigger_var(callback_name, "opcode")
if TARGET_LONG_SIZE == 4:
pyrebox_print("Stack not matching at %08x: %08x PGD: %x" %
(cur_pc, next_pc, pgd))
else:
pyrebox_print("Stack not matching at %016x: %016x PGD: %x" %
(cur_pc, next_pc, pgd))
start_shell()
def block_exec(params):
global cm
global page_status
global vads
global stacks
import api
from ipython_shell import start_shell
cpu_index = params["cpu_index"]
cpu = params["cpu"]
tb = params["tb"]
cur_pc = params["cur_pc"]
next_pc = params["next_pc"]
in_stack = False
for s in stacks:
if cpu.ESP >= s[1] and cpu.ESP <= s[0]:
in_stack = True
break
# Second chance, re-compute list of stacks
if not in_stack:
stacks = get_stacks(cpu.CR3)
for s in stacks:
if cpu.ESP >= s[1] and cpu.ESP <= s[0]:
in_stack = True
break
if not in_stack:
vads = get_vads(cpu.CR3)
pyrebox_print("=============================================================================")
for v in vads:
if cpu.ESP >= v.start and cpu.ESP < v.end:
pyrebox_print(str(v))
pyrebox_print("=============================================================================")
for s1,s2 in stacks:
pyrebox_print("Stack Base: %x - Stack Limit: %x" % (s1,s2))
pyrebox_print("=============================================================================")
pyrebox_print("Stack pivot detected: (TIB: %x) - %x" % (cpu.FS['base'], cpu.ESP))
start_shell()
def block_exec(params):
global cm
global page_status
global vads
global stacks
import api
from ipython_shell import start_shell
cpu_index = params["cpu_index"]
cpu = params["cpu"]
tb = params["tb"]
cur_pc = cpu.EIP
vad = None
for v in vads:
if cpu.EIP >= v.start and cpu.EIP <= v.end:
vad = v
break
# Second chance, re-compute list of VADS
if vad is None:
vads = get_vads(cpu.CR3)
for v in vads:
if cpu.EIP >= v.start and cpu.EIP <= v.end:
vad = v
break
if vad is not None and vad.type != "M":
pyrebox_print(
"============================================================================="
)
pyrebox_print(str(vad))
pyrebox_print(
"============================================================================="
)
pyrebox_print("Shellcode detected at: %x" % (cpu.EIP))
start_shell()
def my_function(cpu_index, cpu):
start_shell()
def GetFreeSpaceCalled(addr, pgd):
start_shell()
cm.add_callback(CallbackManager.INSN_BEGIN_CB,
my_function,
addr=addr,
pgd=pgd)