def check_pe_headers(base, size):
    """Validate the PE image mapped at *base* in the debuggee and describe it.

    The module tables are refreshed first; then ``size`` bytes of debuggee
    memory are read, handed to ``PEHelper`` for header parsing and, when the
    headers parse, the export list and the section table are copied into an
    ``rpc.CheckPEHeadersResult``. The memory is debuggee-controlled and is
    treated as untrusted: validity is whatever ``parse_headers(True)`` decides.

    Args:
        base: Address of the candidate image base in the debuggee.
        size: Number of bytes to read starting at ``base``.

    Returns:
        An ``rpc.CheckPEHeadersResult``. ``pe_valid`` is False (and a message
        goes to stderr) when the region cannot be read or the headers are
        rejected; ``exps`` and ``sections`` are left empty in that case.
    """
    update_modules_meta()

    result = rpc.CheckPEHeadersResult()
    result.pe_valid = False

    region = safe_read_chunked_memory_region_as_one(base, size)
    if not region:
        print >> sys.stderr, 'unable to read memory: 0x%08X, size: 0x%08X' % (base, size)
        return result

    # region[1] is the raw bytes of the read region (the helper's first
    # element is not used here) -- TODO confirm against the helper.
    helper = PEHelper(base, '', data=region[1])
    result.pe_valid = helper.parse_headers(True)
    if not result.pe_valid:
        print >> sys.stderr, 'PE headers are invalid'
        return result

    for export in helper.get_exports():
        item = result.exps.add()
        item.ea = export['ea']
        item.ord = export['ord']
        # Unnamed (ordinal-only) exports leave ``name`` unset.
        if export['name']:
            item.name = export['name']

    for section in helper.get_sections():
        item = result.sections.add()
        item.name = section['name']
        item.va = section['va']
        item.v_size = section['v_size']
        item.raw = section['raw']
        item.raw_size = section['raw_size']
        item.characteristics = section['ch']

    return result
def check_pe_headers(base, size):
    """Validate the PE image mapped at *base* in the debuggee and describe it.

    Refreshes the module tables, reads ``size`` bytes of debuggee memory,
    lets ``PEHelper`` parse the headers and, on success, fills the export
    list and section table of an ``rpc.CheckPEHeadersResult``. The bytes
    come from the debuggee and are treated as untrusted; validity is what
    ``parse_headers(True)`` reports.

    Args:
        base: Address of the candidate image base in the debuggee.
        size: Number of bytes to read starting at ``base``.

    Returns:
        An ``rpc.CheckPEHeadersResult``; ``pe_valid`` is False (with a note on
        stderr) when the memory is unreadable or the headers do not parse,
        and ``exps``/``sections`` stay empty in that case.
    """
    update_modules_meta()

    reply = rpc.CheckPEHeadersResult()
    reply.pe_valid = False

    region = safe_read_chunked_memory_region_as_one(base, size)
    if not region:
        print >> sys.stderr, 'unable to read memory: 0x%08X, size: 0x%08X' % (
            base, size)
        return reply

    # Index 1 of the helper's result is the raw region data -- TODO confirm.
    image = PEHelper(base, '', data=region[1])
    reply.pe_valid = image.parse_headers(True)
    if not reply.pe_valid:
        print >> sys.stderr, 'PE headers are invalid'
        return reply

    for exp in image.get_exports():
        out = reply.exps.add()
        out.ea = exp['ea']
        out.ord = exp['ord']
        # Ordinal-only exports carry no name; leave the field unset.
        if exp['name']:
            out.name = exp['name']

    for sec in image.get_sections():
        out = reply.sections.add()
        out.name = sec['name']
        out.va = sec['va']
        out.v_size = sec['v_size']
        out.raw = sec['raw']
        out.raw_size = sec['raw_size']
        out.characteristics = sec['ch']

    return reply
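def update_modules_meta():
    """Rebuild the debuggee's module tables from a Toolhelp32 snapshot.

    Resets and repopulates the module-level globals ``modules_meta`` (module
    base name, lower-cased and without extension -> dict of parallel lists
    ``path``/``base``/``size``/``apis``/``end``, one element per mapped
    instance of that name) and ``modules_exports`` (the mapping returned by
    ``PEHelper.get_ea_to_longname_map`` for every parsed module).

    Returns:
        The ``modules_meta`` dict. It is empty (never ``None``) when the
        snapshot cannot be opened or enumerated, so callers may iterate it
        unconditionally; a message is written to stderr in those cases.
    """
    global modules_meta
    global modules_exports

    modules_meta = dict()
    modules_exports = dict()

    me32 = D.MODULEENTRY32()
    me32.dwSize = C.sizeof(D.MODULEENTRY32)
    pid = oa.Plugingetvalue(oa.VAL_PROCESSID)
    h_snap = C.windll.kernel32.CreateToolhelp32Snapshot(D.TH32CS_SNAPMODULE, pid)
    # ctypes returns c_int by default, so INVALID_HANDLE_VALUE arrives as -1;
    # the unsigned spelling is kept in case a restype is declared elsewhere.
    if h_snap in (-1, 0xFFFFFFFF):
        print >> sys.stderr, 'get_modules_meta(): Unable to open Toolhelp32 snapshot'
        return modules_meta

    try:
        ret = C.windll.kernel32.Module32First(h_snap, C.pointer(me32))
        if ret == 0:
            print >> sys.stderr, 'get_modules_meta(): Module32First() failed'
            return modules_meta

        while ret:
            modname = path.splitext(path.basename(me32.szExePath))[0].lower()
            # 'base' is a list of load addresses; membership is the right test
            # (comparing the list to one address was always unequal, so a
            # repeated entry could be recorded twice).
            known = modules_meta.get(modname)
            if known is None or me32.modBaseAddr not in known['base']:
                mem = safe_read_chunked_memory_region_as_one(me32.modBaseAddr, me32.modBaseSize)
                print 'get_modules_meta(): %s at 0x%08X' % (modname, me32.modBaseAddr)
                if mem:
                    # Module memory is debuggee-controlled; PEHelper does the parsing.
                    pe = PEHelper(me32.modBaseAddr, modname, mem[1])
                    _record_module_entry(modname, me32, pe)
            ret = C.windll.kernel32.Module32Next(h_snap, C.pointer(me32))
    finally:
        # Release the snapshot even if PE parsing raises mid-enumeration.
        C.windll.kernel32.CloseHandle(h_snap)

    return modules_meta


def _record_module_entry(modname, me32, pe):
    """Merge one MODULEENTRY32, already parsed as *pe*, into the global tables.

    A first sighting of *modname* creates its entry; a later sighting (same
    name mapped at another base) appends to every parallel list, including
    ``path``, so the lists stay index-aligned.
    """
    exps = pe.get_exports()
    end = me32.modBaseAddr + me32.modBaseSize
    entry = modules_meta.get(modname)
    if entry is None:
        modules_meta[modname] = {
            'path': [me32.szExePath],
            'base': [me32.modBaseAddr],
            'size': [me32.modBaseSize],
            'apis': [exps],
            'end': [end],
        }
    else:
        entry['path'].append(me32.szExePath)
        entry['base'].append(me32.modBaseAddr)
        entry['size'].append(me32.modBaseSize)
        entry['end'].append(end)
        entry['apis'].append(exps)
    modules_exports.update(pe.get_ea_to_longname_map())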
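def update_modules_meta():
    """Rebuild the debuggee's module tables from a Toolhelp32 snapshot.

    Resets and repopulates the module-level globals ``modules_meta`` (module
    base name, lower-cased and without extension -> dict of parallel lists
    ``path``/``base``/``size``/``apis``/``end``, one element per mapped
    instance of that name) and ``modules_exports`` (the mapping returned by
    ``PEHelper.get_ea_to_longname_map`` for every parsed module).

    Returns:
        The ``modules_meta`` dict. It is empty (never ``None``) when the
        snapshot cannot be opened or enumerated, so callers may iterate it
        unconditionally; a message is written to stderr in those cases.
    """
    global modules_meta
    global modules_exports

    modules_meta = dict()
    modules_exports = dict()

    me32 = D.MODULEENTRY32()
    me32.dwSize = C.sizeof(D.MODULEENTRY32)
    pid = oa.Plugingetvalue(oa.VAL_PROCESSID)
    h_snap = C.windll.kernel32.CreateToolhelp32Snapshot(
        D.TH32CS_SNAPMODULE, pid)
    # ctypes returns c_int by default, so INVALID_HANDLE_VALUE arrives as -1;
    # the unsigned spelling is kept in case a restype is declared elsewhere.
    if h_snap in (-1, 0xFFFFFFFF):
        print >> sys.stderr, 'get_modules_meta(): Unable to open Toolhelp32 snapshot'
        return modules_meta

    try:
        ret = C.windll.kernel32.Module32First(h_snap, C.pointer(me32))
        if ret == 0:
            print >> sys.stderr, 'get_modules_meta(): Module32First() failed'
            return modules_meta

        while ret:
            modname = path.splitext(path.basename(me32.szExePath))[0].lower()
            # 'base' is a list of load addresses; membership is the right test
            # (comparing the list to one address was always unequal, so a
            # repeated entry could be recorded twice).
            known = modules_meta.get(modname)
            if known is None or me32.modBaseAddr not in known['base']:
                mem = safe_read_chunked_memory_region_as_one(
                    me32.modBaseAddr, me32.modBaseSize)
                print 'get_modules_meta(): %s at 0x%08X' % (modname,
                                                            me32.modBaseAddr)
                if mem:
                    # Module memory is debuggee-controlled; PEHelper does the parsing.
                    pe = PEHelper(me32.modBaseAddr, modname, mem[1])
                    _record_module_entry(modname, me32, pe)
            ret = C.windll.kernel32.Module32Next(h_snap, C.pointer(me32))
    finally:
        # Release the snapshot even if PE parsing raises mid-enumeration.
        C.windll.kernel32.CloseHandle(h_snap)

    return modules_meta


def _record_module_entry(modname, me32, pe):
    """Merge one MODULEENTRY32, already parsed as *pe*, into the global tables.

    A first sighting of *modname* creates its entry; a later sighting (same
    name mapped at another base) appends to every parallel list, including
    ``path``, so the lists stay index-aligned.
    """
    exps = pe.get_exports()
    end = me32.modBaseAddr + me32.modBaseSize
    entry = modules_meta.get(modname)
    if entry is None:
        modules_meta[modname] = {
            'path': [me32.szExePath],
            'base': [me32.modBaseAddr],
            'size': [me32.modBaseSize],
            'apis': [exps],
            'end': [end],
        }
    else:
        entry['path'].append(me32.szExePath)
        entry['base'].append(me32.modBaseAddr)
        entry['size'].append(me32.modBaseSize)
        entry['end'].append(end)
        entry['apis'].append(exps)
    modules_exports.update(pe.get_ea_to_longname_map())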