Пример #1
0
    def handler_onRet(self):
        self.unsetBpOnEip()

        #self.br.dbiprintf(" -> after pAlloc : 0x%08x" % self.iVmPAllocAddr)
        cmdr = pykd.dbgCommand("dd %x L1" % self.iVmPAllocAddr)
        if cmdr == None:
            self.br.dbiprintf("[E] After %s : Cannot dump memory" %
                              self.symAllocateVirtualMemory)
            return pykd.eventResult.Break
        strAllocAddr = cmdr[cmdr.find(" "):]
        iAllocAddr = int(strAllocAddr, 16)
        self.iVmAllocAddr = iAllocAddr
        #self.br.dbiprintf(" -> after pSize : 0x%08x" % self.iVmPAllocSize)
        cmdr = pykd.dbgCommand("dd %x L1" % self.iVmPAllocSize)
        if cmdr == None:
            self.br.dbiprintf("[E] After %s : Cannot dump memory" %
                              self.symAllocateVirtualMemory)
            return pykd.eventResult.Break
        strAllocSize = cmdr[cmdr.find(" "):]
        iAllocSize = int(strAllocSize, 16)
        self.iVmAllocSize = iAllocSize
        self.lObfusMem[iAllocAddr] = iAllocSize
        self.memh.setBpMemoryOnWrite(iAllocAddr, iAllocSize)
        self.br.dbiprintf(
            "[+] Allocating obfuscation memory(0x%08x) = 0x%08x" %
            (iAllocSize, iAllocAddr))
        self.memh.setMemBpOnWriteOnIat()

        self.pRet = 0
        self.bp_end = None
        return pykd.eventResult.Proceed
Пример #2
0
    def check_sections_mem_rights(self):
        exe_handle = pykd.dbgCommand("lm").split("\n")[1].split(" ")[0]
        dh_info = pykd.dbgCommand("!dh " + exe_handle)
        sec_data = ''
        start = dh_info.find("SECTION HEADER #")
        sec = ''
        sec_data = dh_info[start:len(dh_info)]

        for i in sec_data.split("\n"):
            sec += i + "\n"
            if len(i) == 0:

                if "Execute Read Write" in sec or "Execute Write" in sec or "Execute Write Copy" in sec:
                    addr = hex(
                        int(exe_handle, 16) + int(
                            sec.split("\n")[3].strip("    ").split(" ")[0], 16)
                    )[2:]
                    if pykd.dbgCommand("u " + addr).split(" ")[1] == "0000":
                        self.allocated_pointers.update({
                            addr:
                            int(
                                sec.split("\n")[2].strip("    ").split(" ")[0],
                                16)
                        })
                    else:
                        pass
                    sec = ''
                elif "Execute Read" in sec:
                    sec = ''
                else:
                    sec = ''
Пример #3
0
 def alias(clx, cmd, func):
     print("as {} !py -g {} {}".format(
         cmd,
         os.path.dirname(sys.argv[0]) + "\\bywin.py", func))
     pykd.dbgCommand("as {} !py -g {} {}".format(
         cmd,
         os.path.dirname(sys.argv[0]) + "\\bywin.py", func))
Пример #4
0
    def getImageInfo(self):
        iPImageBaseBegin = "ImageBaseAddress:"
        iPImageBaseEnd = "Ldr"
        iPImageNameBegin = "ImageFile:"
        iPImageNameEnd = "CommandLine"

        self.dbiprintf("[!] Get image information")
        cmdr = pykd.dbgCommand("!peb")
        if type(cmdr) == types.NoneType:
            self.dbiprintf(" - [E] Error on get PEB")
            return 1
        # get image base from PEB
        if cmdr.find(iPImageBaseBegin) == -1:
            self.dbiprintf(" - [E] Error on get image base address")
            self.dbiprintf(cmdr)
            return 2
        strBase = cmdr[cmdr.find(iPImageBaseBegin) +
                       len(iPImageBaseBegin):cmdr.find(iPImageBaseEnd)]
        base = int(strBase, 16)
        self.procImageBase = base
        # get image name from PEB
        if cmdr.find(iPImageNameBegin) == -1:
            self.dbiprintf(" - [E] Error on get image name")
            self.dbiprintf(cmdr)
            return 3
        path = cmdr[cmdr.find(iPImageNameBegin) +
                    len(iPImageNameBegin):cmdr.find(iPImageNameEnd)]
        name = path[path.rfind("\\") + 1:path.rfind("'")]
        self.imageName = name

        # get image end from module list
        cmdr = pykd.dbgCommand("lm")
        if type(cmdr) == types.NoneType:
            self.dbiprintf(" - [E] Error on get module list")
            return 4
        if cmdr.find("%08x" % base) == -1:
            self.dbiprintf(
                " - [E] Error to find image base address from module list")
            self.dbiprintf(cmdr)
            return 5
        strImage = cmdr[cmdr.find("%08x" % base):]
        lImage = strImage.split()
        try:
            if base != int(lImage[0], 16):
                self.dbiprintf(
                    " - [E] Error to find image base address from module list")
                self.dbiprintf(cmdr)
                return 6
            self.procImageEnd = int(lImage[1], 16)
            self.procImageSize = self.procImageEnd - self.procImageBase
        except:
            self.dbiprintf(
                " - [E] Error to find image base address from module list")
            self.dbiprintf(cmdr)
            return 7

        self.dbiprintf(
            " -> Image name : %s ( 0x%08x ~ 0x%08x ( 0x%08x ) )" %
            (name, self.procImageBase, self.procImageEnd, self.procImageSize))
        return 0
Пример #5
0
def main(args):
    modules = pykd.dbgCommand('lm')

    for mod_line in modules.splitlines():
        module = Module(mod_line)

        if module.name.lower() not in [mod.lower() for mod in args.modules]:
            continue

        print(f'[+] searching {module.name} for pop r32; pop r32; ret')

        for pop1 in range(0x58, 0x60):

            for pop2 in range(0x58, 0x60):
                command = f's-[1]b {module.start} {module.end} {hex(pop1)} {hex(pop2)} c3'
                result = pykd.dbgCommand(command)

                if result is None:
                    continue

                for addr in result.splitlines():
                    try:
                        print(
                            f'[+] {module.name}::{addr}: pop {PopR32(pop1).name}; pop {PopR32(pop2).name}; ret'
                        )
                    except ValueError:
                        # not a valid pop r32
                        pass
Пример #6
0
def inspectKernelTimer():
    try:
        cmdline = '.reload;'
        r = pykd.dbgCommand(cmdline)
        cmdline = r'!timer'
        r = pykd.dbgCommand(cmdline)
        r = r.splitlines()
        start = 0
        idx = 0
        for i in r:
            i = i.strip()
            if i.startswith('List Timer'):
                start = 1
                continue

            if start != 1:
                continue

            data = i.strip()
            pos = data.find('(DPC @ ')
            if pos != -1:
                endpos = data.find(')', pos)
                data = data[pos + len('(DPC @ '):endpos]
                dpc = pykd.addr64(int(data, 16))
                if dpc <= int(mmhighestuseraddress):
                    print i, '!!!!!!!!'
                else:
                    dpcobj = pykd.typedVar('nt!_KDPC', dpc)
                    symbolname = pykd.findSymbol(dpcobj.DeferredRoutine)
                    print '%d dpc:%x timerfunc:%x %s' % (
                        idx, int(dpc), int(dpcobj.DeferredRoutine), symbolname)
                idx += 1
    except Exception, err:
        print traceback.format_exc()
Пример #7
0
def writeHookInterp(hook_address):
	"""Write the code for the setNative hook"""
	# 0:  60              pusha  				# save registers
	# 1:  89 D9           mov  ecx,ebx			# ebx = MethodInfo
	# 1:  8b 4c 24 24     mov  ecx,[esp+24]			# poi(esp+24) = address of
	#							# the func we want
	#							# to name
	# 3:  30 d2           xor  dl,dl
	# 5:  b8 ff ff ff ff  mov  eax,0xffffffff		# load getMethodName 
	#							# address
	# a:  ff d0           call eax				# call getMethodName
	# c:  61              popa				# restore registers
	# d:  33 C0      	  xor eax, eax			# first inst of setInterp
	#
	global NPS
	NPS["SetInterpRet"] = findAllocRets('setInterp', None, 
						 ["\xC2", "\x0C", "\x00"], True)[0]
	absaddr = setInterp = ""
	for b in struct.pack("<L",(func_addr['getMethodName'])):
		absaddr += hex(struct.unpack("B",b)[0]).split("0x")[1] + " "
	# plus 2 so we dont hit the BP again
	jmp = calcJmp(hook_address+0x11, func_addr['setInterp']+0x2) 
	for b in jmp:
		setInterp += hex(ord(b)).split("0x")[1] + " "
	xbytes = "60 8b 4c 24 24 30 D2 B8 " + absaddr + "ff d0 61 33 C0 " + setInterp
	ebcmd = "eb 0x%x %s" % (hook_address, xbytes)
	pykd.dbgCommand(ebcmd)
Пример #8
0
def bpHandlerJit():
	"""Create and Install getMethodName hook
	void BaseExecMgr::setJit(MethodInfo* m, GprMethodProc p)
	Stringp MethodInfo::getMethodName(bool includeAllNamesplaces) const"""
	global NPS, GBP
	if not NPS['HOOK_JIT']:
		# Setting up alloc monitor if requested
		if NPS['list_gcallocs']:
			if not GBP["StartMonitorOnFunc"] :
				GBP["START_ALLOC_MONITOR"] = True
				monitorGCAlloc()
		if NPS['list_fmallocs']:
			if not GBP["StartMonitorOnFunc"] :
				GBP["START_ALLOC_MONITOR"] = True
				monitorFixedMallocOutOfLineAlloc()
				monitorFixedMallocLargeAlloc()
				monitorFixedMalloc()
		if NPS['list_HeapAlloc']:
			if not GBP["StartMonitorOnFunc"] :
				GBP["START_ALLOC_MONITOR"] = True
				monitorHeapAlloc()
		# Allocate memory for our hook
		getMethodNameHook = int((pykd.dbgCommand(".dvalloc 1000").\
								split()[-1]),16)
		print "[+] Jit Hook setup at address 0x%x" % getMethodNameHook
		# Write the Jit hook
		writeHookJit(getMethodNameHook)
		NPS['HOOK_JIT'] = getMethodNameHook
		print "[+] Start hooking Jitted Flash functions..."
	# Set the breakpoit right after getMethodName returns so that
	# we can read the resolved function name and address
	GBP['HOOK_JIT'] = pykd.setBp(NPS['HOOK_JIT']+0xc, hookHandlerJit)
	# Redirect to our Jit hook
	pykd.dbgCommand("r eip=0x%x" % NPS['HOOK_JIT'])
	return pykd.executionStatus.NoChange
Пример #9
0
    def log_parameters(self, api, ret_addr, eip, api_name_only):
        on_ret = False
        ts = int(time.time())
        try:
            if self.mainClass.apis_dict[api_name_only] == "yes":
                on_ret = True
        except Exception as e:
            print "Exception in reading ret:", e
        if "_completed" in api:
            self.log_api_params(api_name_only)
            # flush the previous api name
            self.prev_api = ''
            # remove one time breakpoints from bl
            bl = pykd.dbgCommand("bl")
            index_of_breakpoint = bl.find(eip)
            tmp = bl[index_of_breakpoint - 8:index_of_breakpoint -
                     3].split("\n")[1]
            pykd.dbgCommand("bc " + tmp)
            #sys.exit(1)
        elif on_ret == True:
            self.mainClass.bp_init.append(
                pykd.setBp(int(ret_addr, 16), self.mainClass.break_hit))
            a = ''
            a = pykd.dbgCommand("dd esp")
            self.mainClass.prev_stack = a
            self.mainClass.prev_addr = a.split(" ")[4]
            self.mainClass.prev_size = a.split(" ")[5]
            self.mainClass.breakpoints_info.update(
                {ret_addr: api + "_completed"})
            self.mainClass.apis_dict.update({api + "_completed": "1"})

        else:
            # log parameters values to dict and save to json file
            self.log_api_params(api_name_only)
Пример #10
0
def allocServedFixedMallocLargeAlloc(req_size, ret, FixedMalloc):
	"""Callback invoked just before the FixedMalloc Large function returns.
	EAX will store the allocation address"""
	global GBP
	# FixedMalloc::InitInstance
	# this->m_heap = MMgc::GCHeap;
	# this->m_largeAllocHeapPartition = fixedPartitionMap[partition];
	# m_largeAllocHeapPartition is at offset + 0x4
	if IsheapIsolVersion():
		Partition = pykd.ptrPtr((FixedMalloc+0x4))
	else:
		Partition = "NotImplemented"
	if GBP["START_ALLOC_MONITOR"]:
		returned_allocsize = ((req_size + 0xfff)>>0xC)*0x1000
		if NPS['ffmsize']:
			if NPS['ffmsize'] == returned_allocsize:
				print "[FixedMalloc::LargeAlloc] Requested Allocation of \
size:0x%x Returned allocation of size:0x%x at address:0x%x FixedMalloc:0x%x \
Partition: %s" %\
 (req_size, returned_allocsize, pykd.reg("eax"), FixedMalloc, Partition)
		else:
			print "[FixedMalloc::LargeAlloc] Requested Allocation of \
size:0x%x Returned allocation of size:0x%x at address:0x%x FixedMalloc:0x%x \
Partition: %s" %\
 (req_size, returned_allocsize, pykd.reg("eax"), FixedMalloc, Partition)
		GBP["AllocHistory"][pykd.reg("eax")] = pykd.dbgCommand("kv") +\
		"\n\nRAW Stack data in case FPO is in place:\n\n" +\
		pykd.dbgCommand("dps esp L100")
	return pykd.executionStatus.NoChange
Пример #11
0
def get_alias(name):
	ret = pykd.dbgCommand(".echo %s"%(name)).strip()
	pykd.dbgCommand(".echo") # clear last command
	if ret == name:
		return ''
	else:
		return ret
Пример #12
0
def inspectKernelTimer():
    try:
        cmdline='.reload;'
        r=pykd.dbgCommand(cmdline)
        cmdline=r'!timer'
        r=pykd.dbgCommand(cmdline)
        r=r.splitlines()
        start=0
        idx=0
        for i in r:   
            i=i.strip() 
            if i.startswith('List Timer'):
                start=1
                continue
            
            if start!=1:
                continue
            
            data=i.strip()
            pos=data.find('(DPC @ ')
            if pos!=-1:
                endpos=data.find(')', pos)
                data=data[pos+len('(DPC @ '):endpos]
                dpc=pykd.addr64(int(data, 16))
                if dpc<=int(mmhighestuseraddress):
                    print i, '!!!!!!!!'
                else:
                    dpcobj=pykd.typedVar('nt!_KDPC', dpc)
                    symbolname=pykd.findSymbol(dpcobj.DeferredRoutine)
                    print '%d dpc:%x timerfunc:%x %s' % (idx, int(dpc), int(dpcobj.DeferredRoutine), symbolname)
                idx+=1
    except Exception, err:
        print traceback.format_exc()     
Пример #13
0
def main(args):
    modules = pykd.dbgCommand("lm")
    totalGadgets = 0  # This tracks all the total number of usable gadgets
    modGadgetCount = {}  # This tracks the number of gadgets per module
    for mod_line in modules.splitlines():
        module = Module(mod_line)

        if module.name.lower() not in [mod.lower() for mod in args.modules]:
            continue
        numGadgets = 0  # This is the number of gadgets found in this module
        print(f"[+] searching {module.name} for pop r32; pop r32; ret")
        print("[+] BADCHARS: ", end="")
        for i in args.bad:
            print("\\x{:02X}".format(i), end="")
        print()

        for pop1 in range(0x58, 0x60):

            for pop2 in range(0x58, 0x60):
                command = (
                    f"s-[1]b {module.start} {module.end} {hex(pop1)} {hex(pop2)} c3"
                )
                result = pykd.dbgCommand(command)

                if result is None:
                    continue

                for addr in result.splitlines():
                    try:
                        bAddr = int(addr, 16).to_bytes(4, "little")
                        bcChk = checkBadChars(bAddr, args.bad)
                        bAddrEsc = ""  # This is the escaped string containing the little endian addr for shellcode output
                        for b in bAddr:
                            bAddrEsc += "\\x{:02X}".format(b)
                        if args.showbc and bcChk == "--":
                            print(
                                f"[{bcChk}] {module.name}::{addr}: pop {PopR32(pop1).name}; pop {PopR32(pop2).name}; ret ; {bAddrEsc}"
                            )
                        elif bcChk == "OK":
                            print(
                                f"[{bcChk}] {module.name}::{addr}: pop {PopR32(pop1).name}; pop {PopR32(pop2).name}; ret ; {bAddrEsc}"
                            )
                            numGadgets = numGadgets + 1
                    except ValueError:
                        # not a valid pop r32
                        pass
        print(f"[+] {module.name}: Found {numGadgets} usable gadgets!")
        modGadgetCount[module.name] = numGadgets  # Add to the dict
        totalGadgets = (totalGadgets + numGadgets
                        )  # Increment total number of gadgets found
    print("\n---- STATS ----")  # Print out all the stats
    print(">> BADCHARS: ", end="")
    for i in args.bad:
        print("\\x{:02X}".format(i), end="")
    print()
    print(f">> Usable Gadgets Found: {totalGadgets}")
    print(">> Module Gadget Counts")
    for m, c in modGadgetCount.items():
        print("   - {}: {} ".format(m, c))
Пример #14
0
def InitTracer():
    global DriverObject
    global ImageBase
    global NtImageEnd

    NtModule    = pykd.module("nt")
    NtImageBase = NtModule.begin()
    NtImageEnd  = NtModule.end()

    pykd.dbgCommand("ba e1 IopLoadDriver+4bd")
    pykd.dbgCommand("ba e1 IopLoadDriver+4c2")
    pykd.go()

    while(1):
        regPath = pykd.dbgCommand("du /c40 @rdx+10")
        if "VmpDriver.vmp" in regPath:
            print "[*] Find VMP Driver"
            DriverObject = pykd.reg("rcx")
            print "\t[-] Driver Object : 0x{:X}".format(DriverObject)
            ImageBase =pykd.ptrPtr(DriverObject+0x18)    # DriverObject.DriverStart
            print "\t[-] ImageBase Address : 0x{:X}".format(ImageBase)
            VMPTracingSub.GetSectionInfo(ImageBase)
            EntryPoint = ImageBase + VMPTracingSub.EntryPoint_Off
            strEntryPoint = hex(EntryPoint).rstrip("L")
            pykd.dbgCommand("ba e1 "+strEntryPoint)
            pykd.go()
            pykd.dbgCommand("bc 2")
            return

        pykd.go()
Пример #15
0
def inspectInlineHook(modulepath, modulebase):
    try:
        print '='*10, 'scan inlinehook in %s' % modulepath, '='*10
        driversdir=os.path.join(g_system32dir, 'drivers')
        symbolpath=g_sympath
        symbolpath=add_symbolpath(symbolpath, driversdir)
        symbolpath=add_symbolpath(symbolpath, os.path.dirname(modulepath))
       
        cmdline='.sympath %s' % symbolpath
        r=pykd.dbgCommand(cmdline)
        cmdline='.reload;'
        r=pykd.dbgCommand(cmdline)
        
        filedata=open(modulepath, 'rb').read()
        pe = pefile.PE(data=filedata, fast_load=True)
        if pe.DOS_HEADER.e_magic!=0X5A4D or pe.NT_HEADERS.Signature!=0x4550:
            raise Exception("%s is not a pe file" % modulepath)
        for i in pe.sections:
            try:
                if pefile.SECTION_CHARACTERISTICS['IMAGE_SCN_MEM_DISCARDABLE']&i.Characteristics:
                    #print i.Name, 'discard'
                    continue
                elif not (pefile.SECTION_CHARACTERISTICS['IMAGE_SCN_MEM_EXECUTE']&i.Characteristics):
                    #print i.Name, 'not executable'
                    continue
                
                comparesize=i.Misc_VirtualSize
                fileoffsetstart=i.PointerToRawData
                fileoffsetend=fileoffsetstart+comparesize
                memoffsetstart=modulebase+ i.VirtualAddress
                memoffsetend=memoffsetstart+comparesize
                print '-'*10
                print '%s :%x-%x <--> %x-%x  size:%d' % (i.Name, fileoffsetstart, fileoffsetend, memoffsetstart, memoffsetend, comparesize)
                if modulepath.lower()==g_kernelpath.lower():
                    cmdline='!chkimg nt -r %x %x -v -d' % (memoffsetstart, memoffsetend)
                else:
                    name=os.path.splitext(os.path.basename(modulepath))[0]
                    cmdline='!chkimg %s -r %x %x -v -d' % (name, memoffsetstart, memoffsetend)
                    #repair cmdline='!chkimg %s -r %x %x -v -d -f' % (os.path.basename(modulepath), startaddr, endaddr)
                #print cmdline
                r=pykd.dbgCommand(cmdline)
                if r.find('[')!=-1:
                    print '!!!!hooklist'
                    r=r.splitlines()
                    for i in r:
                        print i
                else:
                    print 'no hooks'
                    
            except Exception, err:
                print traceback.format_exc()
     
    except Exception, err:
        print traceback.format_exc()
Пример #16
0
def allocServedHeapAllocSystemRet(size, heap, tid):
	"""Callback invoked before HeapAlloc returns to intercept the 
	allocation address"""
	global GBP
	print "[HeapAlloc] Requested Allocation of size 0x%x \
on Heap 0x%x address 0x%x Thread: 0x%x" %\
		(size, heap, pykd.reg("eax"), tid)
	GBP["AllocHistory"][pykd.reg("eax")] = pykd.dbgCommand("kv") +\
	"\n\nRAW Stack data in case FPO is in place:\n\n" +\
	pykd.dbgCommand("dps esp L100")
	del GBP["HeapAllocRet"]
Пример #17
0
def allocServedFixedMallocOutOfLineAlloc(allocsize, ret):
	"""Callback invoked just before the FixedMalloc OutOfLine function returns.
	EAX will store the allocation address"""
	global GBP
	allocaddress = pykd.reg("eax")
	# If allocsize is greater than 0x7f0 the allocation will be served by 
	# FixedMalloc::LargeAlloc
	if allocsize <= 0x7f0:
		if GBP["START_ALLOC_MONITOR"]:
			returned_allocsize = pykd.ptrPtr((allocaddress & 0xfffff000)+0x12)
			# FixedAlloc allocator
			allocator = pykd.ptrPtr((allocaddress & 0xfffff000)+0x1C)
			# FixedAlloc.h#L120
			# GCHeap *m_heap;            	//The heap from which we 
			#				//obtain memory
			# int m_heapPartition;		//The heap partition from which we
			#				//obtain memory
			# uint32_t m_itemsPerBlock;	//Number of items that fit in a block
			# uint32_t m_itemSize;		//Size of each individual item
			# FixedBlock* m_firstBlock;	//First block on list of free blocks
			# FixedBlock* m_lastBlock;	//Last block on list of free blocks
			# FixedBlock* m_firstFree;	//The lowest priority block that has 
			#				//free items
			# size_t    m_numBlocks;	//Number of blocks owned by this 
			#				//allocator
			if IsheapIsolVersion():
				heapPartition =  pykd.ptrPtr(allocator+0x4)
			else:
				heapPartition = "NotImplemented"
			kSizeClass = kSizeClassIndex[((allocsize+7)>>3)]
			MMgc_FixedMalloc_obj =\
				allocator - kSizeClass*NPS["FixedAllocSafeSize"] -\
				NPS["m_allocs_offset"]
			if NPS['ffmsize']:
				if NPS['ffmsize'] == returned_allocsize:
					print "[FixedMalloc::OutOfLineAlloc] Requested Allocation \
of size:0x%x Returned allocation of size:0x%x at address:0x%x \
(MMgc::FixedMalloc Instance: 0x%x HeapPartition: %s)" % (allocsize, 
							returned_allocsize, allocaddress, 
							MMgc_FixedMalloc_obj, heapPartition)
			else:
				print "[FixedMalloc::OutOfLineAlloc] Requested Allocation of \
size:0x%x Returned allocation of size:0x%x at address:0x%x \
(MMgc::FixedMalloc Instance: 0x%x HeapPartition: %s)" % (allocsize, 
							returned_allocsize, allocaddress, 
							MMgc_FixedMalloc_obj, heapPartition)
			GBP["AllocHistory"][allocaddress] = pykd.dbgCommand("kv") +\
			"\n\n" +\
			"\n\nRAW Stack data in case FPO is in place:\n\n" +\
			pykd.dbgCommand("dps esp L100")
	# Delete the breakpoint
	del GBP[ret]
	return pykd.executionStatus.NoChange
Пример #18
0
def listFrameDetails():
    print 'Listing frame details...'
    FRAME_NUM = 30
    out = ''
    for j in range(0, FRAME_NUM):
        out = pykd.dbgCommand('.frame ' + str(j))
        if out is None:
            return
        pykd.dprintln(out)
        out = pykd.dbgCommand('dv /i/t/V')
        if out is None:
            return
        pykd.dprintln(out)
Пример #19
0
    def sig_memcpy(self):
        print("[+] memcpy")
        if self.alloc_mem != pykd.reg("rsi") - 0x10:
            print("[!!!!!] something wrong")

        print(
            pykd.dbgCommand("db " + hex(pykd.reg("rsi") - 0x10) + " l" +
                            hex(self.alloc_size)))
        print("[+] Next Chunk")
        print(
            pykd.dbgCommand("db " +
                            hex(pykd.reg("rsi") - 0x10 + self.alloc_size) +
                            " l" + hex(self.alloc_size)))
Пример #20
0
def listModuleByVadRoot(eprocessaddr):
    modulelist = []
    try:
        cmdline = '.process /P %x;.reload;' % eprocessaddr
        r = pykd.dbgCommand(cmdline)
        eprocess = pykd.typedVar('nt!_EPROCESS', eprocessaddr)
        VadRoot = int(eprocess.VadRoot)
        if not VadRoot:
            return []
        cmdline = '!vad %x' % VadRoot
        r = pykd.dbgCommand(cmdline).splitlines()
        for i in r:
            i = i.strip()
            pos = i.find('Exe  EXECUTE_')
            if pos == -1:
                continue

            a = i[pos + len('Exe  '):]
            pos = a.find(' ')
            if pos == -1:
                continue

            type = a[:pos].strip()
            filepath = a[pos + len('  '):].strip()

            pos = i.find(')')
            if pos == -1:
                continue
            a = i[pos + 1:].lstrip()
            pos = a.find(' ')
            if pos == -1:
                continue

            baseaddr = a[:pos].strip()
            baseaddr = int(baseaddr, 16) * 0x1000

            a = a[pos + 1:].lstrip()
            pos = a.find(' ')
            if pos == -1:
                continue

            endaddr = a[:pos].strip()
            endaddr = int(endaddr, 16) * 0x1000
            info = ModuleInfo()
            if info.init2(baseaddr=baseaddr,
                          endaddr=endaddr,
                          filepath=filepath):
                modulelist.append(info)

    except Exception, err:
        print traceback.format_exc()
Пример #21
0
	def load_init(self):
		init_file = os.path.dirname(FILEPATH) + "\cdbinit"
		try:
			cdbinit = open(init_file).readlines()
		except:
			cdbinit = []

		for cmd in cdbinit:
			cmd = cmd.strip()
			try:
				pykd.dbgCommand(cmd)
				print(cmd)
			except:
				pass
Пример #22
0
def listModuleByVadRoot(eprocessaddr):
    modulelist = []
    try:
        cmdline = ".process /P %x;.reload;" % eprocessaddr
        r = pykd.dbgCommand(cmdline)
        eprocess = pykd.typedVar("nt!_EPROCESS", eprocessaddr)
        VadRoot = int(eprocess.VadRoot)
        if not VadRoot:
            return []
        cmdline = "!vad %x" % VadRoot
        r = pykd.dbgCommand(cmdline).splitlines()
        for i in r:
            i = i.strip()
            pos = i.find("Exe  EXECUTE_")
            if pos == -1:
                continue

            a = i[pos + len("Exe  ") :]
            pos = a.find(" ")
            if pos == -1:
                continue

            type = a[:pos].strip()
            filepath = a[pos + len("  ") :].strip()

            pos = i.find(")")
            if pos == -1:
                continue
            a = i[pos + 1 :].lstrip()
            pos = a.find(" ")
            if pos == -1:
                continue

            baseaddr = a[:pos].strip()
            baseaddr = int(baseaddr, 16) * 0x1000

            a = a[pos + 1 :].lstrip()
            pos = a.find(" ")
            if pos == -1:
                continue

            endaddr = a[:pos].strip()
            endaddr = int(endaddr, 16) * 0x1000
            info = ModuleInfo()
            if info.init2(baseaddr=baseaddr, endaddr=endaddr, filepath=filepath):
                modulelist.append(info)

    except Exception, err:
        print traceback.format_exc()
Пример #23
0
def Monitor():
    testcase = "Testcases\\Test.txt"
    try:
        pykd.initialize()
        Handler = ExceptionHandler()
        print "[*] Starting Scan64.exe"
        pykd.startProcess(
            "C:\\Program Files (x86)\\McAfee\\VirusScan Enterprise\\x64\\Scan64.Exe "
            + testcase)
        pykd.dbgCommand(".childdbg 1")
    except:
        print "[!] Error starting process"
        sys.exit(1)
    print "[*] Success!"
    pykd.go()
Пример #24
0
    def sig_copycountname(self):

        if self.alloc_mem != pykd.reg("rsi") - 0x10:
            print("[!!!!!] something wrong")

        print("[+] ptr: 0x%x" % (pykd.reg("rsi") - 0x10))
        print(
            pykd.dbgCommand("db " + hex(pykd.reg("rsi") - 0x10) + " l" +
                            hex(self.alloc_size)))

        print("[+] Next Chunk")
        print(
            pykd.dbgCommand("db " +
                            hex(pykd.reg("rsi") - 0x10 + self.alloc_size) +
                            " l" + hex(self.alloc_size)))
Пример #25
0
 def onCommandInput(self):
     self.inCmd.setReadOnly(True)
     cmdLine = self.inCmd.text()
     self.inCmd.setText("running %s" % cmdLine)
     self.outCmd.append(pykd.dbgCommand(cmdLine))
     self.inCmd.setText("")
     self.inCmd.setReadOnly(False)
Пример #26
0
def crawl_object_by_directory(callback, param, dirname='\\'):
    cmdline='!object '+dirname
    #print cmdline
    r=pykd.dbgCommand(cmdline)
    r=r.splitlines()
    startlist=0
    for i in r:
        i=i.lstrip()
        if i.startswith('--'):
            startlist=1
            continue
            
        if not startlist:
            continue
        data=i.split()
        if len(data)>3:
            obj=data[1]
            type=data[2]
            name=data[3]
        else:
            obj=data[0]
            type=data[1]
            name=data[2]

        if not callback(obj, type, param):
            return False
            
        if type=='Directory':
            childname=dirname+name+'\\'
            if not crawl_object_by_directory(callback, param, childname):
                return False
                
    return True
Пример #27
0
def inspectProcessInlineHook(eprocessaddr=None):
    if eprocessaddr:
        eprocessobj=pykd.typedVar('nt!_EPROCESS', eprocessaddr)
        eprocessinfo=ProcessInfo()
        if not eprocessinfo.init(eprocessobj):
            print 'it is not a eprocess'
            return
        processlist=[eprocessinfo]   
    else:
        processlist=listProcessByPsActiveProcessHead()
        if not processlist:
            print 'can not get process list'
            return

    for eprocessinfo in processlist:
        print '='*10, 'process:%x pid:%d %s' % (eprocessinfo.eprocessaddr, eprocessinfo.pid, eprocessinfo.filepath), '='*10
        modulelist=listModuleByVadRoot(eprocessinfo.eprocessaddr)
        if not modulelist:
            print 'the process has no modules(vadroot is null)'
            continue
        
        cmdline='.process /P %x' % eprocessinfo.eprocessaddr
        r=pykd.dbgCommand(cmdline)
        for i in modulelist:
            modulepath=i.filepath
            modulebase=i.baseaddr
            if not os.path.exists(modulepath):
                print "can't find file:%s" % modulepath
                continue

            inspectInlineHook(modulepath, modulebase)
            print
            
    print 
    print 'inspect completely'
Пример #28
0
def listModuleByLdrHash(eprocessaddr):
    modulelist = {}
    try:
        cmdline = ".process /P %x;.reload;" % eprocessaddr
        r = pykd.dbgCommand(cmdline)
        try:
            LdrpHashTable = pykd.getOffset("ntdll!LdrpHashTable")
        except:
            print "get LdrpHashTable symbol fail, maybe ldr is null"
            return []
        if int(LdrpHashTable) != 0:
            for i in xrange(26):
                listhead = LdrpHashTable + i * 2 * g_mwordsize
                hashlink = listhead
                while 1:
                    hashlink = pykd.ptrPtr(hashlink)
                    if hashlink == listhead:
                        break
                    ldr = pykd.containingRecord(hashlink, "nt!_LDR_DATA_TABLE_ENTRY", "HashLinks")
                    if int(ldr) not in modulelist:
                        info = ModuleInfo()
                        if info.init1(ldr):
                            modulelist[int(ldr)] = info

    except Exception, err:
        print traceback.format_exc()
Пример #29
0
def runCmdLog(cmd, cmdVerbose=True, retVerbose=True):
    cmdLog = pyLog if cmdVerbose else pyLog2File
    retLog = pyLog if retVerbose else pyLog2File
    cmdLog('\n> %s\n%s' % (cmd, '-'*20))
    ret = pykd.dbgCommand(cmd)
    retLog(ret)
    return ret
Пример #30
0
 def writeDword(self, addr, val):
     cmd = "ed %x %x" % (addr, val)
     guard = pykd.getVaProtect(addr)
     self.vprotect(addr, 4, 0x40)
     cmdr = pykd.dbgCommand(cmd)
     self.vprotect(addr, 4, guard)
     return 0
Пример #31
0
 def getRegVal(self, regName):
     cmdReg = "r %s" % regName
     iParseBegin = "%s=" % regName
     cmdr = pykd.dbgCommand(cmdReg)
     strReg = cmdr[cmdr.find(iParseBegin) + len(iParseBegin):]
     regVal = int(strReg, 16)
     return regVal
Пример #32
0
    def onException(self, exceptionInfo):
        '''
        Triggered exception event. This example handler only recoder exception which we interested.

        :param exceptionInfo: Exception information
        :return: For ignore event method must return eventResult.noChange
        '''
        eip = pykd.reg('eip')
        last_exception = str(pykd.getLastException())
        exc_code = exceptionInfo.exceptionCode
        self._target.logger.info("Got Exception Code: %s at eip:%s" %
                                 (hex(exc_code), hex(eip)))
        if exc_code in interesting_exception_codes.keys():
            self._target.is_crash.set()
            self._target.crash_dump_finished.clear()
            self._target.report.failed(
                "Got Exception Code: %s:%s at eip:%s" %
                (hex(exc_code), interesting_exception_codes[exc_code],
                 hex(eip)))
            self._target.report.add(
                "Error Code", "%s:%s" %
                (hex(exc_code), interesting_exception_codes[exc_code]))
            self._target.report.add("Last Event", "%s" % last_exception)
            self._target.report.add("Stacks", str(pykd.dbgCommand("k")))
            self._target.crash_dump_finished.set()
            return pykd.eventResult.Break
        elif exc_code == break_in_exception_code:
            # Handle break in event
            self._target.logger.info("Break in at eip:%s" % hex(eip))
            return pykd.eventResult.Break
        return pykd.eventResult.NoChange
Пример #33
0
 def return_call_back(self, bp):
     if self.bp_end_atan == bp and self.bp_heap_alloc is None:
         # this is where we enable our heap alloc bp
         print("(+) enabling heap alloc bp.")
         addr = self.get_address("ntdll!RtlAllocateHeap")
         disas = pykd.dbgCommand("uf %x" % int(addr, 16)).split('\n')
         for i in disas:
             if 'ret' in i:
                 self.ret_addr = i.split()[0]
                 break
         self.bp_heap_alloc = pykd.setBp(int(self.ret_addr, 16), self.return_call_back_with_eax)
     elif self.bp_end_asin == bp and self.bp_heap_alloc is not None:
         # this is where we disable our heap alloc bp
         print("(+) disabling heap alloc bp.")
         if self.get_pykd_version() == 3:
             self.bp_asan.remove()
             self.bp_asin.remove()
             self.bp_end_asin.remove()
             self.bp_end_atan.remove()
             self.bp_heap_alloc.remove()
         else:
             pykd.removeBp(self.bp_asan)
             pykd.removeBp(self.bp_asin)
             pykd.removeBp(self.bp_end_asin)
             pykd.removeBp(self.bp_end_atan)
             pykd.removeBp(self.bp_heap_alloc)
     return False
Пример #34
0
    def onException(self, exceptionInfo):
        '''
        Triggered exception event. This example handler only recoder exception which we interested.

        :param exceptionInfo: Exception information
        :return: For ignore event method must return eventResult.noChange
        '''
        eip = pykd.reg('eip')
        last_exception = str(pykd.getLastException())
        exc_code = exceptionInfo.exceptionCode
        self._target.logger.info("Got Exception Code: %s at eip:%s" % (hex(exc_code), hex(eip)))
        if exc_code in interesting_exception_codes.keys():
            self._target.is_crash.set()
            self._target.crash_dump_finished.clear()
            self._target.report.failed("Got Exception Code: %s:%s at eip:%s" % (
                hex(exc_code), interesting_exception_codes[exc_code], hex(eip)))
            self._target.report.add("Error Code", "%s:%s" % (hex(exc_code), interesting_exception_codes[exc_code]))
            self._target.report.add("Last Event", "%s" % last_exception)
            self._target.report.add("Stacks", str(pykd.dbgCommand("k")))
            self._target.crash_dump_finished.set()
            return pykd.eventResult.Break
        elif exc_code == break_in_exception_code:
            # Handle break in event
            self._target.logger.info("Break in at eip:%s" % hex(eip))
            return pykd.eventResult.Break
        return pykd.eventResult.NoChange
Пример #35
0
	def watch(self, dc, aim='', num=16):
		"""
		Run command every step.
		Args:
			- display_command(string): eg. dd,dw . Or you can disable it by inputing 'clear'
			- address(hex)/register(string): the address to be watch.
			- num (int) : the number of line to be watch. (optional)
		"""
		aim = self._get_aim(aim)
		if dc=='clear':
			pykd.dbgCommand("ad watch_command")
		else:
			if re.match("d[a-z]",dc):
				set_alias("watch_command", "%s %s %s"%(dc, to_hex(aim), num))
			else:
				return self._error_args()
Пример #36
0
	def grep(self, command, regex_string, a='', b=''):
		"""
		Grep regex_string in the result of command
		Args:
			- command(string)
			- regex_string (string)
			- after_context(int) (optional)
			- before_context(int) (optional)
		"""
		try:
			a = to_int(a)
			b = to_int(b)
		except:
			return self._error_args()

		result = pykd.dbgCommand(command)
		lines = result.splitlines()
		for idx,line in enumerate(lines):
			if regex_string in line:
				print("="*50)
				if a:
					print('\n'.join(lines[idx-a:idx]))
				wprint(lines[idx]+"\n", "lightred")
				if b:
					print('\n'.join(lines[idx+1:idx+b+1]))
Пример #37
0
def listObjectCallback():
    try:
        cmdline='!object \objecttypes'
        r=pykd.dbgCommand(cmdline)
        featurestr='----\n'
        pos=r.find(featurestr)
        if pos==-1:
            return
        r=r[pos+len(featurestr):].splitlines()
        for i in r:
            if i.find('Type'):
                typeobjectaddr, name=i.split(' Type ')
                pos=typeobjectaddr.rfind(' ')
                if pos==-1:
                    return
                name=name.strip()
                typeobjectaddr=typeobjectaddr[pos+1:]
                typeobjectaddr=int(typeobjectaddr, 16)
                print '-'*20
                print 'typeobject "%s":%x' % (name, typeobjectaddr)
                typeobject=pykd.typedVar('nt!_OBJECT_TYPE', typeobjectaddr) 
                TypeInfo=pykd.typedVar('nt!_OBJECT_TYPE_INITIALIZER', typeobject.TypeInfo)
                for membername, membervalue in TypeInfo:
                    if membername.endswith('Procedure'):
                        funcaddr=int(membervalue)
                        if funcaddr:
                            symbolname=pykd.findSymbol(funcaddr)
                        else:
                            symbolname=''
                        print '%s %x %s' % (membername, funcaddr, symbolname)
                        
    except Exception, err:
        print traceback.format_exc()
Пример #38
0
def get_address(localAddr):
	res = pykd.dbgCommand("x " + localAddr)
	result_count = res.count("\n")
	if result_count == 0:
		print localAddr + " not found."
		return None
	if result_count > 1:
		print "[-] Warning, more than one result for", localAddr	
	return res.split()[0]
Пример #39
0
def listReg(regpath='System\CurrentControlSet\Services\Tcpip!*'):
    try:
        cmdline='!dreg %s' % regpath
        r=pykd.dbgCommand(cmdline)
        r=r.splitlines()
        for i in r:
            print i
    except Exception, err:
        print err
Пример #40
0
def main():
    """
    injectfind searches process memory for potentially injected code
    """

    process = flaredbg.get_process_obj()
    found = False

    for mbi in process.get_memory_map():
        if mbi.is_executable() and mbi.is_private():
            base_addr = mbi.BaseAddress
            size = mbi.RegionSize
                
            print '-' * 0x40
            print "Path: %s Pid: %s Region: 0x%x - 0x%x Length: 0x%x" % (process.get_image_name(), process.get_pid(), base_addr, (base_addr+size-1), size)
            
            db_res = pykd.dbgCommand('db %x' % base_addr)
            dis_res = pykd.dbgCommand('u %x' % base_addr)
            mem_bytes = process.read(base_addr, size)
            
            # Check for stripped header
            if mem_bytes[:0x1000].count('\0') > 0xfe0:
                if size > 0x2000 and mem_bytes[0x1000:0x2000].count('\0') < 0x200:
                    print "  !!! Possible stripped PE header at 0x%x\n  Showing address: 0x%x\n" % (base_addr, base_addr+0x1000)
                    db_res = pykd.dbgCommand('db %x' % (base_addr+0x1000))
                    dis_res = pykd.dbgCommand('u %x' % (base_addr+0x1000))

            # Check for legit PE
            elif utils.is_legit_pe(mem_bytes[:0x1000]):
                print "  Found legit PE at 0x%x\n" % (base_addr)
                dis_res = None

            if db_res:
                print "Hex dump:"
                print db_res
            if dis_res:
                print "Disassembly:"
                print dis_res
            print

            found = True

    if not found:
        print "Nothing found!"
Пример #41
0
  def disasm_around(self):
    lines = pykd.dbgCommand("u %s-c L12" % self.pc_register)
    for line in lines.split("\n"):
      tmp = re.findall("([a-f0-9]{1,}) ([a-f0-9]{2,}) (.*)", line)
      if len(tmp) > 0:
        line = tmp[0]

        addr = line[0]
        dis = line[2]
        self.crash_data.add_data("disassembly", int(addr, 16), dis)
Пример #42
0
def get_current_stack():
    call_stack = []
    for line in pykd.dbgCommand("k").splitlines()[1:]:
        try:
            _, ret_addr, sym = line.split()
            _ = int(ret_addr, 16)
        except ValueError:
            continue
        call_stack.append(sym)
    return call_stack
Пример #43
0
def offsetof(struct_name, member_name):
    sval = pykd.dbgCommand('?? #FIELD_OFFSET(%s, %s)' \
            % (struct_name, member_name))

    if sval.startswith('long 0n'):
        return int(sval[len('long 0n'):])
    elif sval.startswith('long 0x'):
        return int(sval[len('long 0x'):], 16)
    else:
        return int(sval)
Пример #44
0
	def enter_call_back(self,bp):
		print "RtlAllocateHeap called." 
		if self.bp_end == None:
			disas = pykd.dbgCommand("uf ntdll!RtlAllocateHeap").split('\n')
			for i in disas:
				if 'ret' in i:
					self.ret_addr = i.split()[0]
					break
			self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
		return False
Пример #45
0
def search(start_addr, end_addr, dword):
    search_expr = 's -[1]d %x %x %s'
    results = []
    search_str = search_expr % (start_addr, end_addr, dword)
    out_str = pykd.dbgCommand(search_str)
    str_results = out_str.split('\n')
    for str_result in str_results:
        if str_result.startswith('0x'):
            results.append((str_result, start_addr))
    return results
Пример #46
0
 def enter_call_back(self, bp):
     self.out = "RtlAllocateHeap("
     esp = pykd.reg("esp")
     self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
     self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
     self.out += hex(pykd.ptrMWord(esp + 0xC)) + ") = "
     if self.bp_end == None:
         self.ret_addr = pykd.dbgCommand("dd esp L1").split()[1]
         self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
     return False
Пример #47
0
        def version(self):
            """
            Get the debugger's version.

            Returns a string containing the debugger's version
            (e.g. 'Microsoft (R) Windows Debugger Version whatever, pykd 0.3.0.38')
            """
            try:
                [windbg] = [line for line in pykd.dbgCommand('version').split('\n') if 'Microsoft (R) Windows Debugger Version' in line]
            except:
                windbg = 'WinDbg <unknown>'
            return '{}, {}'.format(windbg, 'pykd {}'.format(pykd.version))
Пример #48
0
        def command(self, command=None):
            """
            Execute a command in the debugger.

            `command` is the command string to execute.
            """
            if command:
                res = pykd.dbgCommand(command)
            else:
                raise Exception("No command specified")

            return res
Пример #49
0
def listThreadByThreadListEntry(eprocessaddr):
    threadlist=[]
    try:
        cmdline='.process /P %x;.reload;' % eprocessaddr
        r=pykd.dbgCommand(cmdline)
        eprocessobj=pykd.typedVar('nt!_EPROCESS', eprocessaddr) 
        l=pykd.typedVarList(eprocessobj.ThreadListHead, 'nt!_ETHREAD', 'ThreadListEntry')
        for i in l:
            info=ThreadInfo(i)
            threadlist.append(info)
    except Exception, err:
        print traceback.format_exc()
Пример #50
0
def main(init_sym, mem_limit, timeout):
    run_time = time.time()
    timeout = timeout + time.time()
    pykd.dbgCommand("bu %x" % sym_off_to_addr(init_sym))
    page_size = get_page_size()
    pykd.go()
    target_pid = get_pid()
    pykd.removeBp(get_bp_hit())
    pykd.dbgCommand("bm MSVCR*!malloc")
    pykd.dbgCommand("bm MSVCR*!realloc")
    pykd.dbgCommand("bm MSVCR*!calloc")
    log.debug("target pid: %d", target_pid)
    while time.time() < timeout:
        pykd.go()
        cur_mem = get_mem_usage(target_pid)
        if cur_mem >= mem_limit:
            log.info("missed request! current memory: %d", cur_mem)
            break
        req = requested_mem_size()
        if req == 0:
            log.info("unexpected break on: %s", get_current_stack()[0])
            continue
        if req > page_size:
            if req % page_size:
                page_req = page_size * ((req/page_size)+1)
            else:
                page_req = page_size * (req/page_size)
        else:
            page_req = page_size
        if cur_mem + page_req >= mem_limit:
            log.info("request will exceed limit, current: %d, request %d", cur_mem, req)
            break

    log.info("*" * 60)
    if time.time() < timeout:
        set_thread(get_hung_thread())
        call_stack = get_current_stack()
        if not call_stack:
            log.info("Unable to trace!")
        for line in call_stack:
            log.info("STACK_FRAME:%s" % line)
    else:
        log.info("Timeout!")
    log.info("*" * 60)
    log.info("----- STATS -----")
    log.info("MEMORY LIMIT: %d MB", mem_limit/0x100000)
    log.info("DGB TIME: %0.2f", time.time()-run_time)
    log.info("PROC TIME: %0.2f", get_proc_run_time())
    log.info("THREAD TIME: %0.2f", get_thread_run_time(get_thread_list()[get_hung_thread()]))
Пример #51
0
	def enter_call_back(self,bp):
		self.out = "RtlAllocateHeap(" 
		esp = pykd.reg("esp")
		self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
		self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
		self.out += hex(pykd.ptrMWord(esp + 0xC)) + ") = "
		if self.bp_end == None:
			disas = pykd.dbgCommand("uf ntdll!RtlAllocateHeap").split('\n')
			for i in disas:
				if 'ret' in i:
					self.ret_addr = i.split()[0]
					break
			self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
		return False
Пример #52
0
	def enter_call_back(self,bp):
		self.out = "RtlFreeHeap("
		if arch_bits == 32:
			esp = pykd.reg(stack_pointer)
			self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
			self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
			self.out += hex(pykd.ptrPtr(esp + 0xC)) + ") = "
		else:
			self.out += hex(pykd.reg("rcx")) + " , "
			self.out += hex(pykd.reg("rdx")) + " , " 
			self.out += hex(pykd.reg("r8")) + ") = "
		if self.bp_end == None:
			self.ret_addr = pykd.dbgCommand("dd esp L1").split()[1]
			self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
		return False
Пример #53
0
def listIDT():
    idt_symbol_table={}
    try:
        for cpuidx in xrange(g_cpunumber):
            print '='*20
            cmdline='!pcr %d' % cpuidx
            r=pykd.dbgCommand(cmdline) 
            r=r.splitlines()
            for i in r:
                i=i.strip()
                if i.startswith('IDT'):
                    idtaddr=i.split(':')[1].strip()
                    #interrupts=pykd.loadPtrs(int(idtaddr, 16), 256)
                    print 'cpu %d idtaddr:%s' % (cpuidx, idtaddr)
    except Exception, err:
        print err
Пример #54
0
        def version(self):
            """
            Get the debugger's version.

            Returns a string containing the debugger's version
            (e.g. 'Microsoft (R) Windows Debugger Version whatever, pykd 0.3.0.38')
            """
            try:
                [windbg] = [
                    line
                    for line in pykd.dbgCommand("version").split("\n")
                    if "Microsoft (R) Windows Debugger Version" in line
                ]
            except:
                windbg = "WinDbg <unknown>"
            return "{}, {}".format(windbg, "pykd {}".format(pykd.version))
Пример #55
0
        def disassemble(self, target_id=0, address=None, count=16):
            """
            Get a disassembly of the instructions at the given address.

            `address` is the address at which to disassemble. If None, the
            current program counter is used.
            `count` is the number of instructions to disassemble.
            """
            # make sure we have an address
            if address is None:
                pc_name, address = self.program_counter(target_id=target_id)

            # disassemble
            output = pykd.dbgCommand('u 0x{:x} l{}'.format(address, count))

            return output
Пример #56
0
def get_proc_run_time():
    # Debug session time: Tue Aug 21 16:27:31.971 2012 (UTC - 4:00)
    # System Uptime: 5 days 13:06:34.062
    # Process Uptime: 0 days 0:00:02.718
    # Kernel time: 0 days 0:00:00.000
    # User time: 0 days 0:00:00.000
    duration = 0
    for line in pykd.dbgCommand(".time").splitlines()[-2:]:
        line = line.strip().split()
        duration += int(line[2]) * 86400  # days
        line = line[-1].split(".")
        duration += float("0.%s" % line[-1])
        line = line[0].split(":")
        duration += int(line[0]) * 3600  # hours
        duration += int(line[1]) * 60  # minutes
        duration += int(line[2])  # seconds
    return duration
Пример #57
0
def listProcessByPspcidTable():
    processlist=[]
    try:
        cmdline='!process 0 0'
        r=pykd.dbgCommand(cmdline)
        r=r.splitlines()
        for i in r:
            if i.startswith('PROCESS '):
                startpos=len('PROCESS ')
                endpos=i.find(' ', startpos)
                eprocessaddr=int(i[startpos:endpos], 16)
                eprocessobj=pykd.typedVar('nt!_EPROCESS', eprocessaddr) 
                info=ProcessInfo()
                if info.init(eprocessobj):
                    processlist.append(info)

    except Exception, err:
        print traceback.format_exc()
Пример #58
0
def inspectShadowSSDT():
    r=pykd.dbgCommand('dd win32k L1').split(' ')
    win32kbase=pykd.addr64(int(r[0],16))
    print 'wink32.sys baseaddr:0x%x' % win32kbase
    
    W32pServiceTable=pykd.getOffset('win32k!W32pServiceTable')
    print 'win32k!W32pServiceTable:0x%x' % W32pServiceTable
        
    W32pServiceLimit=pykd.getOffset('win32k!W32pServiceLimit')
    W32pServiceLimit=pykd.ptrMWord(W32pServiceLimit)
    print 'win32k!W32pServiceLimit:0x%x(%d)' % (W32pServiceLimit, W32pServiceLimit)
    shadowssdttable=pykd.loadPtrs(W32pServiceTable, W32pServiceLimit)
    
    table_rva=(W32pServiceTable-win32kbase)
    print 'W32pServiceTable rva:0x%x' % table_rva
    
    win32kname='win32k.sys'
    windowsdir=win32api.GetWindowsDirectory()
    filepath=os.path.join(windowsdir, 'system32', win32kname)
    if not os.path.exists(filepath):
        raise Exception('%s not exists!' % win32kname)

    print 'win32k.sys path:', filepath
    filedata=open(filepath, 'rb').read()
    pe = pefile.PE(data=filedata, fast_load=True)
    if pe.DOS_HEADER.e_magic!=0X5A4D or pe.NT_HEADERS.Signature!=0x4550:
        raise Exception("%s is not a pe file" % filepath)

    table_fileoffset=pe.get_offset_from_rva(table_rva)
    print 'W32pServiceTable file offset:0x%x' % table_fileoffset
    d=filedata[table_fileoffset:table_fileoffset+g_mwordsize*W32pServiceLimit]
    number=0
    for i in xrange(W32pServiceLimit):
        source=binascii.b2a_hex(d[i*g_mwordsize:(i+1)*g_mwordsize][::-1])
        source=int(source, 16)-pe.OPTIONAL_HEADER.ImageBase+win32kbase
        symbolname=pykd.findSymbol(source)
        current=shadowssdttable[i]
        if source==current:
            print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
        else:
            hooksymbolname=pykd.findSymbol(current)
            print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (source, symbolname, current, hooksymbolname)
            number+=1
    print 'hooked function number:', number
Пример #59
0
def get_addr_list():
    addr_list = []
    addr_list.append(pykd.getContext().ip())
    for line in pykd.dbgCommand("k").splitlines()[1:]:
        skip = False
        try:
            _, ret_addr, sym = line.split()
            ret_addr = int(ret_addr, 16)
        except ValueError:
            continue
        for noise in BLACKLIST_LIBS:
            if sym.startswith(noise):
                skip = True
                break
        if skip:
            continue
        addr_list.append(ret_addr)
    addr_list.pop()  # remove 0 from the list
    return addr_list