def add_process_parameters(jitter): """ Build a process parameters structure @jitter: jitter instance """ o = b"" o += pck32(0x1000) # size o += b"E" * (0x48 - len(o)) o += pck32(process_environment_address) jitter.vm.add_memory_page(process_parameters_address, PAGE_READ | PAGE_WRITE, o, "Process parameters")
def set_link_list_entry(jitter, loaded_modules, modules_info, offset): for i, module in enumerate(loaded_modules): cur_module_entry = modules_info.module2entry[module] prev_module = loaded_modules[(i - 1) % len(loaded_modules)] next_module = loaded_modules[(i + 1) % len(loaded_modules)] prev_module_entry = modules_info.module2entry[prev_module] next_module_entry = modules_info.module2entry[next_module] if i == 0: prev_module_entry = peb_ldr_data_address + 0xC if i == len(loaded_modules) - 1: next_module_entry = peb_ldr_data_address + 0xC jitter.vm.set_mem(cur_module_entry + offset, (pck32(next_module_entry + offset) + pck32(prev_module_entry + offset)))
def add_process_parameters(jitter): """ Build a process parameters structure @jitter: jitter instance """ o = b"" o += pck32(0x1000) # size o += b"E" * (0x48 - len(o)) o += pck32(process_environment_address) jitter.vm.add_memory_page( process_parameters_address, PAGE_READ | PAGE_WRITE, o, "Process parameters" )
def test_init(self): init_regs(self) self.buf = b"" for reg_name in reversed(["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]): self.buf += pck32(getattr(self.myjit.cpu, reg_name))
def build_ldr_data(jitter, modules_info): """ Build Loader information using following structure: +0x000 Length : Uint4B +0x004 Initialized : UChar +0x008 SsHandle : Ptr32 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY +0x014 InMemoryOrderModuleList : _LIST_ENTRY +0x01C InInitializationOrderModuleList : _LIST_ENTRY # dummy dll base +0x024 DllBase : Ptr32 Void @jitter: jitter instance @modules_info: LoadedModules instance """ # ldr offset pad offset = 0xC addr = LDR_AD + peb_ldr_data_offset ldrdata = PEB_LDR_DATA(jitter.vm, addr) main_pe = modules_info.name2module.get(main_pe_name, None) ntdll_pe = modules_info.name2module.get("ntdll.dll", None) size = 0 if main_pe: size += ListEntry.sizeof() * 2 main_addr_entry = modules_info.module2entry[main_pe] if ntdll_pe: size += ListEntry.sizeof() ntdll_addr_entry = modules_info.module2entry[ntdll_pe] jitter.vm.add_memory_page( addr + offset, PAGE_READ | PAGE_WRITE, b"\x00" * size, "Loader struct" ) # (ldrdata.get_size() - offset)) if main_pe: ldrdata.InLoadOrderModuleList.flink = main_addr_entry ldrdata.InLoadOrderModuleList.blink = 0 ldrdata.InMemoryOrderModuleList.flink = main_addr_entry + \ LdrDataEntry.get_type().get_offset("InMemoryOrderLinks") ldrdata.InMemoryOrderModuleList.blink = 0 if ntdll_pe: ldrdata.InInitializationOrderModuleList.flink = ntdll_addr_entry + \ LdrDataEntry.get_type().get_offset("InInitializationOrderLinks") ldrdata.InInitializationOrderModuleList.blink = 0 # Add dummy dll base jitter.vm.add_memory_page(peb_ldr_data_address + 0x24, PAGE_READ | PAGE_WRITE, pck32(0), "Loader struct dummy dllbase")
def test_SystemInformationFunctions(self): # DWORD WINAPI GetVersion(void); jit.push_uint32_t(0) # @return winapi.kernel32_GetVersion(jit) dwVer = jit.cpu.EAX self.assertTrue(dwVer) # BOOL WINAPI GetVersionEx(_Inout_ LPOSVERSIONINFO lpVersionInfo); jit.vm.set_mem(jit.stack_base, pck32(0x9c)) jit.push_uint32_t(jit.stack_base) # lpVersionInfo jit.push_uint32_t(0) # @return winapi.kernel32_GetVersionExA(jit) vBool = jit.cpu.EAX self.assertTrue(vBool)
def test_init(self): self.value = 0x11223344 self.myjit.cpu.SP -= 0x4 self.myjit.vm.set_mem(self.myjit.cpu.SP, pck32(self.value)) init_regs(self)
def test_init(self): init_regs(self) self.buf = b"" self.buf += pck32(0x11223344)
def push_uint32_t(self, value): self.cpu.SP -= 4 self.vm.set_mem(self.cpu.SP, pck32(value))
def func_prepare_stdcall(self, ret_addr, *args): for index in range(min(len(args), 4)): setattr(self.cpu, 'A%d' % index, args[index]) for index in range(4, len(args)): self.vm.set_mem(self.cpu.SP + 4 * (index - 4), pck32(args[index])) self.cpu.RA = ret_addr
def test_init(self): init_regs(self) self.buf = b"" for reg_name in reversed( ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]): self.buf += pck32(getattr(self.myjit.cpu, reg_name))