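def build_ldr_data(jitter, modules_info):
    """
    Build Loader informations (PEB_LDR_DATA) in the jitter's memory, using
    the following structure:

    +0x000 Length                          : Uint4B
    +0x004 Initialized                     : UChar
    +0x008 SsHandle                        : Ptr32 Void
    +0x00c InLoadOrderModuleList           : _LIST_ENTRY
    +0x014 InMemoryOrderModuleList         : _LIST_ENTRY
    +0x01C InInitializationOrderModuleList : _LIST_ENTRY
    # dummy dll base
    +0x024 DllBase                         : Ptr32 Void

    Only the three list heads (+0xC .. +0x24) and the dummy DllBase (+0x24)
    are mapped here; Length/Initialized/SsHandle (+0x0 .. +0xC) are not
    backed by this function, so emulated code reading them faults unless
    another caller maps that range.

    The list heads point at the LDR_DATA_TABLE_ENTRYs recorded in
    @modules_info for the main PE (load / memory order lists) and for
    ntdll.dll (initialization order list). A list whose module is absent
    is left zeroed.

    @jitter: jitter instance
    @modules_info: LoadedModules instance

    NOTE(review): every head's blink is left at 0, so the lists are not
    circular as on a real Windows PEB. Shellcode that walks a list
    backwards, or forwards until it gets back to the head, will
    dereference 0 / run past the last entry. Left as-is: fixing it needs
    the entries' own links, which are built elsewhere.
    """
    # The mapped page starts at the first _LIST_ENTRY head (+0xC).
    offset = 0xC
    addr = LDR_AD + peb_ldr_data_offset
    ldrdata = PEB_LDR_DATA(jitter.vm, addr)

    main_pe = modules_info.name2module.get(main_pe_name, None)
    ntdll_pe = modules_info.name2module.get("ntdll.dll", None)

    if main_pe:
        main_addr_entry = modules_info.module2entry[main_pe]
    if ntdll_pe:
        ntdll_addr_entry = modules_info.module2entry[ntdll_pe]

    # Always back all three list heads. Sizing the page by which modules
    # were found was wrong: with ntdll but no main PE the page was only one
    # _LIST_ENTRY long, and the write to InInitializationOrderModuleList at
    # +0x1C landed outside it. Three entries (0xC..0x24) is exactly what was
    # mapped before when both modules were present, and stops just short of
    # the dummy DllBase page at +0x24.
    size = ListEntry.sizeof() * 3
    jitter.vm.add_memory_page(addr + offset, PAGE_READ | PAGE_WRITE,
                              "\x00" * size, "Loader struct")

    if main_pe:
        ldrdata.InLoadOrderModuleList.flink = main_addr_entry
        ldrdata.InLoadOrderModuleList.blink = 0
        # A _LIST_ENTRY link points at the embedded links field of the
        # target entry, not at the entry's start.
        ldrdata.InMemoryOrderModuleList.flink = main_addr_entry + \
            LdrDataEntry.get_type().get_offset("InMemoryOrderLinks")
        ldrdata.InMemoryOrderModuleList.blink = 0

    if ntdll_pe:
        ldrdata.InInitializationOrderModuleList.flink = ntdll_addr_entry + \
            LdrDataEntry.get_type().get_offset("InInitializationOrderLinks")
        ldrdata.InInitializationOrderModuleList.blink = 0

    # Add dummy dll base: a mapped, zeroed pointer right after the list
    # heads so code reading past them gets 0 instead of a fault.
    # NOTE(review): this uses peb_ldr_data_address while the page above
    # uses LDR_AD + peb_ldr_data_offset; presumably the same address --
    # confirm against the module constants.
    jitter.vm.add_memory_page(peb_ldr_data_address + 0x24,
                              PAGE_READ | PAGE_WRITE,
                              pck32(0), "Loader struct dummy dllbase")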
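def build_ldr_data(jitter, modules_info):
    """
    Build Loader informations (PEB_LDR_DATA) in the jitter's memory, using
    the following structure:

    +0x000 Length                          : Uint4B
    +0x004 Initialized                     : UChar
    +0x008 SsHandle                        : Ptr32 Void
    +0x00c InLoadOrderModuleList           : _LIST_ENTRY
    +0x014 InMemoryOrderModuleList         : _LIST_ENTRY
    +0x01C InInitializationOrderModuleList : _LIST_ENTRY
    # dummy dll base
    +0x024 DllBase                         : Ptr32 Void

    Two pages are mapped: one page covering the three list heads
    (+0xC .. +0x24) and one holding a zero DllBase at +0x24. The fields
    before +0xC are not mapped by this function.

    The main PE's entry seeds the load-order and memory-order lists, the
    ntdll.dll entry seeds the initialization-order list. A missing module
    leaves its list head(s) zeroed.

    @jitter: jitter instance
    @modules_info: LoadedModules instance

    NOTE(review): blink is 0 on every head, so none of the lists is
    circular; emulated code that walks backwards, or forwards until it
    returns to the head, will fault. Fixing it requires the entries'
    own links, which are not built here.
    """
    # ldr offset pad: first mapped byte is the InLoadOrderModuleList head
    offset = 0xC
    addr = LDR_AD + peb_ldr_data_offset
    ldrdata = PEB_LDR_DATA(jitter.vm, addr)

    main_pe = modules_info.name2module.get(main_pe_name, None)
    ntdll_pe = modules_info.name2module.get("ntdll.dll", None)

    main_addr_entry = modules_info.module2entry[main_pe] if main_pe else None
    ntdll_addr_entry = modules_info.module2entry[ntdll_pe] if ntdll_pe else None

    # Map the full span of the three _LIST_ENTRY heads regardless of which
    # modules were found. The old per-module sizing left the
    # InInitializationOrderModuleList head (+0x1C) unmapped whenever the
    # main PE was absent, so the write below faulted. Same size as before
    # in the both-present case; the page ends where the DllBase page starts.
    size = ListEntry.sizeof() * 3
    jitter.vm.add_memory_page(addr + offset, PAGE_READ | PAGE_WRITE,
                              "\x00" * size, "Loader struct")

    if main_addr_entry is not None:
        ldrdata.InLoadOrderModuleList.flink = main_addr_entry
        ldrdata.InLoadOrderModuleList.blink = 0
        # Link to the entry's InMemoryOrderLinks field, not the entry base.
        ldrdata.InMemoryOrderModuleList.flink = main_addr_entry + \
            LdrDataEntry.get_type().get_offset("InMemoryOrderLinks")
        ldrdata.InMemoryOrderModuleList.blink = 0

    if ntdll_addr_entry is not None:
        ldrdata.InInitializationOrderModuleList.flink = ntdll_addr_entry + \
            LdrDataEntry.get_type().get_offset("InInitializationOrderLinks")
        ldrdata.InInitializationOrderModuleList.blink = 0

    # Add dummy dll base (zeroed pointer directly after the list heads).
    # NOTE(review): peb_ldr_data_address is assumed to equal
    # LDR_AD + peb_ldr_data_offset used above -- verify.
    jitter.vm.add_memory_page(peb_ldr_data_address + 0x24,
                              PAGE_READ | PAGE_WRITE,
                              pck32(0), "Loader struct dummy dllbase")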
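def build_ldr_data(jitter, modules_info):
    """
    Build Loader informations (PEB_LDR_DATA) in the jitter's memory, using
    the following structure:

    +0x000 Length                          : Uint4B
    +0x004 Initialized                     : UChar
    +0x008 SsHandle                        : Ptr32 Void
    +0x00c InLoadOrderModuleList           : _LIST_ENTRY
    +0x014 InMemoryOrderModuleList         : _LIST_ENTRY
    +0x01C InInitializationOrderModuleList : _LIST_ENTRY
    # dummy dll base
    +0x024 DllBase                         : Ptr32 Void

    Maps the three list heads (+0xC .. +0x24) in one page and a zero
    DllBase at +0x24 in another; +0x0 .. +0xC is not mapped here.
    The main PE's LDR_DATA_TABLE_ENTRY seeds the load-order and
    memory-order lists, ntdll.dll's entry seeds the initialization-order
    list; a missing module leaves its head(s) zeroed.

    @jitter: jitter instance
    @modules_info: LoadedModules instance

    NOTE(review): blink stays 0 on every head ("XXX TODO fix blink" in the
    old implementation this replaced), so the lists are not circular and
    code walking them backwards, or until it returns to the head, faults.
    """
    # ldr offset pad: the mapped page starts at InLoadOrderModuleList
    offset = 0xC
    addr = LDR_AD + peb_ldr_data_offset
    ldrdata = PEB_LDR_DATA(jitter.vm, addr)

    main_pe = modules_info.name2module.get(main_pe_name, None)
    ntdll_pe = modules_info.name2module.get("ntdll.dll", None)

    if main_pe:
        main_addr_entry = modules_info.module2entry[main_pe]
    if ntdll_pe:
        ntdll_addr_entry = modules_info.module2entry[ntdll_pe]

    # Back all three _LIST_ENTRY heads unconditionally. Sizing the page by
    # the modules present meant that, with ntdll but no main PE, only 8
    # bytes were mapped and the write to +0x1C below went out of the page.
    # 3 entries is the size previously used when both were present and ends
    # exactly at the dummy DllBase page.
    size = ListEntry.sizeof() * 3
    jitter.vm.add_memory_page(addr + offset, PAGE_READ | PAGE_WRITE,
                              "\x00" * size, "Loader struct")

    if main_pe:
        ldrdata.InLoadOrderModuleList.flink = main_addr_entry
        ldrdata.InLoadOrderModuleList.blink = 0
        # The memory-order link targets the entry's embedded
        # InMemoryOrderLinks field rather than the entry's start.
        ldrdata.InMemoryOrderModuleList.flink = main_addr_entry + \
            LdrDataEntry.get_type().get_offset("InMemoryOrderLinks")
        ldrdata.InMemoryOrderModuleList.blink = 0

    if ntdll_pe:
        ldrdata.InInitializationOrderModuleList.flink = ntdll_addr_entry + \
            LdrDataEntry.get_type().get_offset("InInitializationOrderLinks")
        ldrdata.InInitializationOrderModuleList.blink = 0

    # The previous pck32-based implementation that used to sit here as a
    # dead string literal has been removed; it is preserved in history.

    # Add dummy dll base: zeroed pointer right after the list heads.
    # NOTE(review): peb_ldr_data_address is presumably equal to
    # LDR_AD + peb_ldr_data_offset used above -- confirm.
    jitter.vm.add_memory_page(peb_ldr_data_address + 0x24,
                              PAGE_READ | PAGE_WRITE,
                              pck32(0), "Loader struct dummy dllbase")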