Пример #1
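def main(args):
    """Discover data types in a memory range and log each populated one.

    Args:
        args: two hex strings, ``address`` and ``size``.

    Returns:
        A status string for the debugger's info line (or the result of
        ``usage()`` when the arguments are missing or malformed).
    """
    imm = immlib.Debugger()
    if not args or len(args) != 2:
        return usage(imm)

    # Both arguments are hex; a malformed one would otherwise escape the
    # script as an uncaught ValueError instead of being reported.
    try:
        addr = int(args[0], 16)
        size = int(args[1], 16)
    except ValueError:
        return "Invalid hex argument: %s %s" % (args[0], args[1])

    dt = libdatatype.DataTypes(imm)
    mem = imm.readMemory(addr, size)
    if not mem:
        return "Error: Couldn't read anything at address: 0x%08x" % addr

    # Discover() is treated as possibly returning nothing (the sibling
    # scripts test its result before iterating), so default to an empty list.
    ret = dt.Discover(mem, addr, what='all') or []
    imm.log("Found: %d data types" % len(ret))

    for obj in ret:
        # Only objects that carry a payload are printed.
        if obj.data:
            msg = obj.Print()
            imm.log("obj: %s: %s %d" % (obj.name, msg, obj.getSize()),
                    address=obj.address)

    return "Found: %d data types" % len(ret)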
Пример #2
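def main(args):
    """Tag every function pointer on a memory page and hook on their use.

    Options:
        -a ADDR   hex address; the whole page containing it is scanned.
        -x A,B..  comma-separated hex addresses left untouched.

    Returns:
        A status string for the debugger's info line.
    """
    imm = immlib.Debugger()
    if not args:
        return usage(imm)

    exclude = []
    address = None

    try:
        opts, _ = getopt.getopt(args, "a:x:")
    except getopt.GetoptError:
        usage(imm)
        return "Wrong Argument (Check Log Window)"

    for o, a in opts:
        if o == '-a':
            # Validate -a the same way -x is validated: report a malformed
            # hex value instead of letting ValueError escape the script.
            try:
                address = int(a, 16)
            except ValueError:
                return "Invalid address value %s" % str(a)
        elif o == '-x':
            for x_addr in a.split(','):
                try:
                    exclude.append(int(x_addr, 16))
                except ValueError:
                    return "Invalid exclude value %s" % str(x_addr)
        else:
            usage(imm)
            return "Invalid option %s" % o

    if address is None:
        usage(imm)
        return "You must specify an address (-a)"

    page = imm.getMemoryPageByAddress(address)
    if not page:
        return "Failed to grab Memory Page, wrong addres: 0x%08x" % address

    addr = page.getBaseAddress()
    mem = imm.readMemory(addr, page.getSize())
    ndx = INDEXER   # starting marker value; defined at module level elsewhere
    fn_ptr = []

    # Discovering Function Pointers
    dt = libdatatype.DataTypes(imm)
    ret = dt.Discover(mem, addr, what='pointers')
    if not ret:
        return "No Function pointers found on the page of 0x%08x" % address

    for obj in ret:
        if obj.isFunctionPointer() and obj.address not in exclude:
            # Writing a dword that would make the Function Pointer crash on AV
            #  and later we will identify on our AV Hook
            imm.log("Modifying: 0x%08x" % obj.address)
            imm.writeLong(obj.address, ndx)
            ndx += 1
            fn_ptr.append(obj)

    hook = FunctionTriggeredHook(fn_ptr)
    hook.add("modptr_%08x" % addr)
    return "Hooking on %d Functions" % len(fn_ptr)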
Пример #3
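    def run(self, regs):
        """Replay the recorded heap flow once the sniffed function returns.

        Reads the alloc/free records stored under ``heap_<retaddr>`` and the
        two helper hooks stored under ``end_<retaddr>``, removes those hooks,
        and writes a table with three parts: the flow itself, frees that had
        no matching allocation, and allocations never freed (reported as
        leaks, each followed by its chunk dump).

        Args:
            regs: register snapshot passed by the debugger (not used here).
        """
        imm = immlib.Debugger()

        called = imm.getKnowledge("heap_%08x" % self.retaddr)
        (ahook, fhook) = imm.getKnowledge("end_%08x" % self.retaddr)
        ahook.UnHook()
        fhook.UnHook()
        win = imm.createTable("Function Sniffing", ["Address", "Data"])
        memleak = {}    # returned chunk address -> alloc record
        freelist = {}   # freed address -> free record with no matching alloc
        win.Log("Dumping the Heap Flow")
        if called:
            for res in called:
                # Record layout is fixed by the unpacking below: kind 1 is an
                # allocation (6 fields), kind 0 a free (5 fields).
                if res[0] == 1:
                    _kind, callstack, heap, flag, size, ret = res
                    memleak[ret] = (callstack, heap, flag, size, ret)
                    win.Log("Alloc(0x%08x, 0x%08x, 0x%08x) -> 0x%08x" %
                            (heap, flag, size, ret), address=callstack)
                elif res[0] == 0:
                    # The last field of a free record is matched against the
                    # alloc return values, so it is the pointer being freed
                    # rather than a size despite the local name.
                    _kind, callstack, heap, flag, size = res
                    if size in memleak:
                        del memleak[size]
                    else:
                        freelist[size] = (callstack, heap, flag, size)

                    win.Log("Free (0x%08x, 0x%08x, 0x%08x)" %
                            (heap, flag, size), address=callstack)

        win.Log("Chunk freed but not allocated on this heap flow")
        pheap = PHeap(imm)
        dt = libdatatype.DataTypes(imm)

        for callstack, heap, flag, base in freelist.values():
            win.Log("Free (0x%08x, 0x%08x, 0x%08x)" %
                    (heap, flag, base), address=callstack)

        win.Log("Memleak detected")
        for callstack, heap, flag, size, ret in memleak.values():
            win.Log("Alloc(0x%08x, 0x%08x, 0x%08x) -> 0x%08x" %
                    (heap, flag, size, ret), address=callstack)

            # ret - 8 presumably steps back over an 8-byte chunk header to the
            # chunk start — TODO confirm against PHeap.getChunks.
            chk = pheap.getChunks(ret - 8, 1)[0]
            chk.printchunk(uselog=win.Log, dt=dt)
        imm.log("Funsniff finished, check the newly created window")
        self.UnHook()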
Пример #4
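    def run(self, regs):
        """Evaluate the chunk-address expression at the hook and dump chunks.

        ``self.Expression`` is folded left to right: operator tokens (keys of
        ``self.Functions``) select the next operation, integers are used as
        they are, register names are read from ``regs``, and ``[REG]`` reads
        the dword the register points to.  The result is the address of the
        first chunk; ``self.nchunks`` chunks are printed from there, flagging
        those that also appear on the heap's lookaside lists.

        Args:
            regs: register snapshot supplied by the debugger at hook time.
        """
        imm = immlib.Debugger()

        accumulator = 0
        second = 0
        func = '+'
        # Calculate the Chunk Address based on the Expression
        for value in self.Expression:
            if value in self.Functions:
                func = value
                continue
            if isinstance(value, int):
                second = value
            elif value.upper() in regs:
                second = regs[value.upper()]
            elif (value[0] == '[' and value[-1] == ']'
                  and value[1:-1].upper() in regs):
                second = imm.readLong(regs[value[1:-1].upper()])
            else:
                # NOTE(review): an unrecognised token unhooks but still falls
                # through and folds the stale `second` below — verify whether
                # the evaluation should stop here instead.
                self.unHook()
            accumulator = self.Functions[func](accumulator, second)
        imm.Log("> Hit Hook 0x%08x, checking chunk: 0x%08x" %
                (self.address, accumulator),
                address=accumulator)
        imm.Log("=" * 47)

        pheap = PHeap(imm, self.heap)
        plookaddr = 0
        if self.heap:
            plookaddr = pheap.Lookaside
        hlook = None
        if plookaddr:
            hlook = PHeapLookaside(imm, plookaddr)
        dt = None
        if self.discover:
            dt = libdatatype.DataTypes(imm)
        # NOTE(review): the heap-bound PHeap above is only used to read the
        # lookaside address; chunks are walked with a fresh PHeap(imm), as in
        # the original — confirm that is intended.
        pheap = PHeap(imm)
        for chk in pheap.getChunks(accumulator, self.nchunks):
            # Small chunks may sit on a lookaside list; mark them if they do.
            if chk.size < 0x7F and hlook:
                entry = hlook[chk.size]
                if not entry.isEmpty() and chk.addr + 8 in entry.getList():
                    imm.Log("- LOOKASIDE -")
            chk.printchunk(uselog=imm.Log, dt=dt)
        imm.Log("=-" * 0x23 + "=")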
Пример #5
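def main(args):
    """Parse the heap-inspection options (the listing is truncated here).

    Options:
        -h ADDR   hex address of the heap to inspect.
        -d        also run data-type discovery on the chunks.

    Returns:
        A status string for the debugger's info line.
    """
    imm = immlib.Debugger()
    heap = 0x0
    discover = None

    if not args:
        usage(imm)
        return "Wrong args (Check the Log Window)"

    try:
        opts, _ = getopt.getopt(args, "h:d")
    except getopt.GetoptError:
        usage(imm)
        return "Bad heap argument %s" % args[0]

    for o, a in opts:
        if o == "-h":
            try:
                heap = int(a, 16)
            except ValueError:
                # The original called self.InfoLine() here, but this is a
                # module-level function with no `self`, so a bad value
                # raised NameError instead of being reported.
                imm.log("Invalid heap address: %s" % a)
                return "Invalid heap address: %s" % a
        elif o == '-d':
            discover = libdatatype.DataTypes(imm)
    # NOTE(review): the listing ends here; the remainder of main is not shown.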
Пример #6
                return "Incorrect filter size : %s" % a

        elif o == "-s":
            save = True
        elif o == "-r":
            restore = True
        elif o == "-f":
            freelist = True
        elif o == "-c":
            chunksflags = True
        elif o == "-k":
            chunkdisplay = SHOWCHUNK_FULL
        elif o == "-n":
            opennewwindow = True
        elif o == "-d":
            discover = libdatatype.DataTypes(imm)
        elif o == '-l':
            LFH = True
        elif o == '-u':
            userblock = True
        elif o == '-z':
            lfhchunk = True
        elif o == '-q':
            showf = False

    if heap and (heap in imm.getHeapsAddress()):
        tag = "heap_%08x" % heap

        if not opennewwindow:
            window = imm.getKnowledge(tag)
            if window and not window.isValidHandle():