def load_binary(filepath, base=None):
    opList = {}
    trace = vtrace.getTrace()

    trace.execute(filepath)
#######################################################################
# Enable the notifier.  Used later to catch the page execute exception.
    notif = CustomNotifier()
    eve = vtrace.NOTIFY_ALL
    trace.registerNotifier(eve, notif)
#######################################################################
# Set a breakpoint on CreateProcessA and run until it is hit
    pattern = "CreateProcessA()"
    v_api.setBpOnPattern(trace, pattern)
    v_api.printBp(trace)
    trace.run()

#######################################################################
# Functions sets child process to start suspended and attaches to it
# as soon as it returns to userland by setting the Entry Point page
# as non executable and catching the exception that is thrown.
    print "followCreateProcessA"
    v_api.followCreateProcessA(trace)
    
    addr = v_api.getOEP(trace, "pwnables100")
    v_api.nxMemPerm(trace, addr)
#####################################################################
# Beyond this point the debugger is attached to the child process
# 
    print ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
    print "HOLY BREAKPOINT BATMAN!"
    print "EIP: ", v_api.printableEIP(trace)
Пример #2
0
def load_binary(filepath, base=None):
    # Get the current trace object from vtrace
    trace = vtrace.getTrace()

    # If attempting to attach to a 64 bit process
    # 64 bit python is required.
    trace.execute(filepath)
###############################################################
    # The notifier class we want to register
    notif = CustomNotifier()
    # The list of events we want the notifier to handle
    eve = vtrace.NOTIFY_ALL
    # Tell our vtrace object that we want to capture all events with CustomNotifier
    trace.registerNotifier(eve, notif)
###############################################################
    # Call a function to set BP on OEP
    oep = v_api.getOEP(trace, filepath)

    # Set breakpoint at address
    bp = vtrace.Breakpoint(oep)
    trace.addBreakpoint(bp)

    # Start executing the program until you hit a breakpoint or it ends
    trace.run()
#################################################################

    # Step 5 times into the program
    for i in range(5):
        trace.stepi()

    # Deregister our notifier
    trace.deregisterNotifier(eve, notif)
Пример #3
0
def load_binary(filepath, base=None):
    opList = {}
    trace = vtrace.getTrace()

    trace.execute(filepath)
    #######################################################################
    # Enable the notifier.  Used later to catch the page execute exception.
    notif = CustomNotifier()
    eve = vtrace.NOTIFY_ALL
    trace.registerNotifier(eve, notif)
    #######################################################################
    # Set a breakpoint on CreateProcessA and run until it is hit
    pattern = "CreateProcessA()"
    v_api.setBpOnPattern(trace, pattern)
    v_api.printBp(trace)
    trace.run()

    #######################################################################
    # Functions sets child process to start suspended and attaches to it
    # as soon as it returns to userland by setting the Entry Point page
    # as non executable and catching the exception that is thrown.
    print "followCreateProcessA"
    v_api.followCreateProcessA(trace)

    addr = v_api.getOEP(trace, "pwnables100")
    v_api.nxMemPerm(trace, addr)
    #####################################################################
    # Beyond this point the debugger is attached to the child process
    #
    print ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
    print "HOLY BREAKPOINT BATMAN!"
    print "EIP: ", v_api.printableEIP(trace)
Пример #4
0
def load_binary(filepath, base=None):
    # Get the current trace object from vtrace
    trace = vtrace.getTrace()

    # If attempting to attach to a 64 bit process
    # 64 bit python is required.
    trace.execute(filepath)
    ###############################################################
    # The notifier class we want to register
    notif = CustomNotifier()
    # The list of events we want the notifier to handle
    eve = vtrace.NOTIFY_ALL
    # Tell our vtrace object that we want to capture all events with CustomNotifier
    trace.registerNotifier(eve, notif)
    ###############################################################
    # Call a function to set BP on OEP
    oep = v_api.getOEP(trace, filepath)

    # Set breakpoint at address
    bp = vtrace.Breakpoint(oep)
    trace.addBreakpoint(bp)

    # Start executing the program until you hit a breakpoint or it ends
    trace.run()
    #################################################################

    # Step 5 times into the program
    for i in range(5):
        trace.stepi()

    # Deregister our notifier
    trace.deregisterNotifier(eve, notif)
Пример #5
0
def load_binary(filepath, base=None):

    # Get the current trace object from vtrace
    trace = vtrace.getTrace()
    trace.setMode("FastBreak", True)

    # If attempting to attach to a 64 bit process
    # 64 bit python is required.
    trace.execute(filepath)

    # Call a function to set BP on OEP
    oep = v_api.getOEP(trace, filepath)
    print "OEP: %x" % oep

    #######################################################################
    # Add a breakpoint on CreateProcessA
    # Run until the breakpoint
    pattern = "kernel32.CreateProcessA"
    v_api.setBpOnPattern(trace, pattern)
    trace.run()
    trace = v_api.followCreateProcessA(trace)
    ##########################################################
    # Stalker
    #addr is here since child process doens't start at oep
    addr = 0x004015ac

    try:
        v_stalker.addStalkerEntry(trace, addr)
    except:
        pass
    print('Added 0x%.8x to Stalker list' % addr)
    ######################################################################
    ## Beyond this point the debugger is attached to the child process
    ##
    trace.setMode("FastBreak", True)
    while trace.isAttached():
        trace.run()

    f = file("zTest.stalk", "wb")

    # Prints out the current stalker hits
    # Not currently working....
    #print('Current Stalker Hits:')
    for hitva in v_stalker.getStalkerHits(trace):
        print('\t 0x%.8x' % hitva)
        f.write('\t 0x%.8x\n' % hitva)
    f.close()
Пример #6
0
def load_binary(filepath, base=None):
    # Get the current trace object from vtrace
    trace = vtrace.getTrace()

    # If attempting to attach to a 64 bit process
    # 64 bit python is required.
    trace.execute(filepath)

    # Call a function to set BP on OEP
    oep = v_api.getOEP(trace, filepath)

    # Set breakpoint at address
    bp = vtrace.Breakpoint(oep)
    trace.addBreakpoint(bp)

    # Print out all the current breakpoints as well as if they are enabled.
    for bp in trace.getBreakpoints():
        print("%s enabled: %s" % (bp, bp.isEnabled()))

    # Start executing the program until you hit a breakpoint or it ends
    trace.run()
##############################################################
# At this point you are at OEP of the program

    # We know that there is a call 5 instructions in
    # There are ways to programmatically find a call
    for i in range(5):
        trace.stepi()

    # Print the value of EIP as a long and as hex
    print "\n"
    print "EIP: ", trace.getRegister(REG_EIP)
    print "HEX EIP: ", hex(trace.getRegister(REG_EIP))

    # Once you are in the function you can read the value of ESP
    # ESP points to the value of the return address
    print "\n"
    esp = trace.getRegister(REG_ESP)
    retaddr = trace.readMemory(esp, 4)

    # Returns the exact memory locations
    # Just in the WRONG order 
    print "RET: ", retaddr.encode('hex')

    # This returns the address correctly formatted
    print "RET: ", hex(struct.unpack("I",retaddr)[0])
Пример #7
0
def load_binary(filepath, base=None):
    # Get the current trace object from vtrace
    trace = vtrace.getTrace()

    # If attempting to attach to a 64 bit process
    # 64 bit python is required.
    trace.execute(filepath)

    # Call a function to set BP on OEP
    oep = v_api.getOEP(trace, filepath)

    # Set breakpoint at address
    bp = vtrace.Breakpoint(oep)
    trace.addBreakpoint(bp)

    # Print out all the current breakpoints as well as if they are enabled.
    for bp in trace.getBreakpoints():
        print("%s enabled: %s" % (bp, bp.isEnabled()))

    # Start executing the program until you hit a breakpoint or it ends
    trace.run()
    ##############################################################
    # At this point you are at OEP of the program

    # We know that there is a call 5 instructions in
    # There are ways to programmatically find a call
    for i in range(5):
        trace.stepi()

    # Print the value of EIP as a long and as hex
    print "\n"
    print "EIP: ", trace.getRegister(REG_EIP)
    print "HEX EIP: ", hex(trace.getRegister(REG_EIP))

    # Once you are in the function you can read the value of ESP
    # ESP points to the value of the return address
    print "\n"
    esp = trace.getRegister(REG_ESP)
    retaddr = trace.readMemory(esp, 4)

    # Returns the exact memory locations
    # Just in the WRONG order
    print "RET: ", retaddr.encode('hex')

    # This returns the address correctly formatted
    print "RET: ", hex(struct.unpack("I", retaddr)[0])
Пример #8
0
    def notify(self, event, trace):
        if event == vtrace.NOTIFY_ALL:
            print "WTF, how did we get a vtrace.NOTIFY_ALL event?!?!"

        elif event == vtrace.NOTIFY_SIGNAL:
            print "vtrace.NOTIFY_SIGNAL"
            print "PendingSignal", trace.getMeta("PendingSignal")
            print "PendingException", trace.getMeta("PendingException")
            if trace.getMeta("Platform") == "Windows":
                win32event = trace.getMeta("Win32Event")
                #print repr(win32event)
                print "ExceptionAddress: %(ExceptionAddress)x" % win32event

                addr = v_api.getOEP(trace, "pwnables100")
                memMap = trace.getMemoryMap(addr)
                begin = memMap[0]
                size = memMap[1]
                trace.protectMemory(begin, size, envi.memory.MM_READ_EXEC)

                win32 = trace.getMeta("Win32Event", None)
                if win32:
                    code = win32["ExceptionCode"]
                    print "Win32 ExceptCode: ", code

        elif event == vtrace.NOTIFY_BREAK:
            print "vtrace.NOTIFY_BREAK", v_api.printableEIP(trace)
            #print "BESTNAME: ", trace.getSymByAddr(v_api.getEIP(trace), exact=False)
            #pass
        elif event == vtrace.NOTIFY_EXIT:
            print "vtrace.NOTIFY_EXIT"
            print "ExitCode", trace.getMeta("ExitCode")
        elif event == vtrace.NOTIFY_ATTACH:
            print "vtrace.NOTIFY_ATTACH"
            #pass
        elif event == vtrace.NOTIFY_DETACH:
            print "vtrace.NOTIFY_DETACH"
            #pass
        elif event == vtrace.NOTIFY_STEP:
            #print "vtrace.NOTIFY_STEP"
            # print "BESTNAME: ", trace.getSymByAddr(getEIP(trace), exact=False)
            # print "Current Thread: ", trace.getCurrentThread()
            # print "THREADS: ", trace.getThreads()
            pass
        else:
            pass
    def notify(self, event, trace):
        if event == vtrace.NOTIFY_ALL:
            print "WTF, how did we get a vtrace.NOTIFY_ALL event?!?!"

        elif event == vtrace.NOTIFY_SIGNAL:
            print "vtrace.NOTIFY_SIGNAL"
            print "PendingSignal",trace.getMeta("PendingSignal")
            print "PendingException",trace.getMeta("PendingException")
            if trace.getMeta("Platform") == "Windows":
                win32event = trace.getMeta("Win32Event")
                #print repr(win32event)
                print "ExceptionAddress: %(ExceptionAddress)x" % win32event

                addr = v_api.getOEP(trace, "pwnables100")
                memMap = trace.getMemoryMap(addr)
                begin = memMap[0]
                size = memMap[1]
                trace.protectMemory(begin, size, envi.memory.MM_READ_EXEC)

                win32 = trace.getMeta("Win32Event", None)
                if win32:
                    code = win32["ExceptionCode"]
                    print "Win32 ExceptCode: ", code

        elif event == vtrace.NOTIFY_BREAK:
            print "vtrace.NOTIFY_BREAK", v_api.printableEIP(trace)
            #print "BESTNAME: ", trace.getSymByAddr(v_api.getEIP(trace), exact=False)
            #pass
        elif event == vtrace.NOTIFY_EXIT:
            print "vtrace.NOTIFY_EXIT"
            print "ExitCode",trace.getMeta("ExitCode")
        elif event == vtrace.NOTIFY_ATTACH:
            print "vtrace.NOTIFY_ATTACH"
            #pass
        elif event == vtrace.NOTIFY_DETACH:
            print "vtrace.NOTIFY_DETACH"
            #pass
        elif event == vtrace.NOTIFY_STEP:
            #print "vtrace.NOTIFY_STEP"
            # print "BESTNAME: ", trace.getSymByAddr(getEIP(trace), exact=False)
            # print "Current Thread: ", trace.getCurrentThread()
            # print "THREADS: ", trace.getThreads()
            pass
        else:
            pass
Пример #10
0
def load_binary(filepath, base=None):
    # Get the current trace object from vtrace
    trace = vtrace.getTrace()
    trace.execute(filepath)
    ######################################################################
    # Call a function to set BP on OEP
    oep = v_api.getOEP(trace, filepath)

    # Set breakpoint at address
    bp = vtrace.Breakpoint(oep)
    trace.addBreakpoint(bp)

    # Print out all the current breakpoints as well as if they are enabled.
    for bp in trace.getBreakpoints():
        print("%s enabled: %s" % (bp, bp.isEnabled()))
######################################################################
# Start executing the program until you hit a breakpoint or it ends
    trace.run()
    ######################################################################
    # print out the value of EIP as a long and as a hex value
    print "\n"
    print "EIP: ", trace.getRegister(REG_EIP)
    print "HEX EIP: ", hex(trace.getRegister(REG_EIP))

    # Read the address of EIP
    eip = trace.getRegister(REG_EIP)
    # Read the memory values pointed to by EIP
    s = trace.readMemory(eip, 15)
    # Determine the opcode of the memory pointed to by EIP
    op1 = trace.makeOpcode(s, 0, eip)
    print "OP CODE: ", op1

    # print out the value of EAX as a long and as a hex value
    print "\n"
    print "EAX: ", trace.getRegister(REG_EAX)
    print "HEX EAX: ", hex(trace.getRegister(REG_EAX))

    # Print out the value of ESP as a long and as a hex value
    print "\n"
    print "ESP: ", trace.getRegister(REG_ESP)
    print "HEX ESP: ", hex(trace.getRegister(REG_ESP))
Пример #11
0
def load_binary(filepath, base=None):
    # Get the current trace object from vtrace
    trace = vtrace.getTrace()
    trace.execute(filepath)
######################################################################
    # Call a function to set BP on OEP
    oep = v_api.getOEP(trace, filepath)

    # Set breakpoint at address
    bp = vtrace.Breakpoint(oep)
    trace.addBreakpoint(bp)

    # Print out all the current breakpoints as well as if they are enabled.
    for bp in trace.getBreakpoints():
        print("%s enabled: %s" % (bp, bp.isEnabled()))
######################################################################
    # Start executing the program until you hit a breakpoint or it ends
    trace.run()
######################################################################
    # print out the value of EIP as a long and as a hex value
    print "\n"
    print "EIP: ", trace.getRegister(REG_EIP)
    print "HEX EIP: ", hex(trace.getRegister(REG_EIP))
    
    # Read the address of EIP
    eip = trace.getRegister(REG_EIP)
    # Read the memory values pointed to by EIP
    s = trace.readMemory(eip,15)
    # Determine the opcode of the memory pointed to by EIP
    op1 = trace.makeOpcode(s, 0, eip)
    print "OP CODE: ", op1

    # print out the value of EAX as a long and as a hex value
    print "\n"
    print "EAX: ", trace.getRegister(REG_EAX)
    print "HEX EAX: ", hex(trace.getRegister(REG_EAX))

    # Print out the value of ESP as a long and as a hex value
    print "\n"
    print "ESP: ", trace.getRegister(REG_ESP)
    print "HEX ESP: ", hex(trace.getRegister(REG_ESP))
Пример #12
0
def load_binary(filepath, base=None):

    trace.setMode("FastStep", 1)

    filepath = trace.getMeta('ExeName')
    fileName = os.path.basename(filepath).split('.')[0]

    # Call a function to set BP on OEP
    oep = getOEP(trace, filepath)

    #######################################################################
    # Get the list of imported functions to compare against
    base, importTable = printIAT(trace, fileName)

    base, poff, psize = getIATLocation(trace, fileName, debug)

    # Store the IAT under the meta name IATInfo
    store_IAT(trace, base, importTable, "IATInfo")

    psize = trace.arch.getPointerSize()

    memMap = trace.getMemoryMap(base + poff)
    begin = memMap[0]
    size = len(importTable) * psize

    # put begin in size into the meta data
    trace.setMeta("IATBegin", begin)
    trace.setMeta("IATSize", size)

    print "[*] Protecting Memory Location: %s" % hex(begin)
    print "[*] Memory Size: %s" % size

    trace.protectMemory(begin, size, envi.memory.MM_NONE)

    #######################################################################
    # Enable the notifier.  Used later to catch the page execute exception.
    notif = CustomNotifier()
    eve = vtrace.NOTIFY_ALL
    #eve = vtrace.NOTIFY_SIGNAL
    trace.registerNotifier(eve, notif)
def load_binary(filepath, base=None):
    
    trace.setMode("FastStep", 1)

    filepath = trace.getMeta('ExeName')
    fileName = os.path.basename(filepath).split('.')[0]

    # Call a function to set BP on OEP
    oep = getOEP(trace, filepath)

    #######################################################################
    # Get the list of imported functions to compare against
    base, importTable = printIAT(trace, fileName)
    
    base, poff, psize = getIATLocation(trace, fileName, debug)

    # Store the IAT under the meta name IATInfo
    store_IAT(trace, base, importTable, "IATInfo")
    
    psize = trace.arch.getPointerSize()

    memMap = trace.getMemoryMap(base+poff)
    begin = memMap[0]
    size = len(importTable) * psize

    # put begin in size into the meta data
    trace.setMeta("IATBegin", begin)
    trace.setMeta("IATSize", size)

    print "[*] Protecting Memory Location: %s" % hex(begin)
    print "[*] Memory Size: %s" % size

    trace.protectMemory(begin, size, envi.memory.MM_NONE)

    #######################################################################
    # Enable the notifier.  Used later to catch the page execute exception.
    notif = CustomNotifier()
    eve = vtrace.NOTIFY_ALL
    #eve = vtrace.NOTIFY_SIGNAL
    trace.registerNotifier(eve, notif)
Пример #14
0
def load_binary(filepath, base=None):
    # Get the current trace object from vtrace
    trace = vtrace.getTrace()

    # If attempting to attach to a 64 bit process
    # 64 bit python is required.
    trace.execute(filepath)

    oep = v_api.getOEP(trace, filepath)

    # Set breakpoint at address
    bp = vtrace.Breakpoint(oep)
    trace.addBreakpoint(bp)

    # Print out all the current breakpoints as well as if they are enabled.
    for bp in trace.getBreakpoints():
        print("%s enabled: %s" % (bp, bp.isEnabled()))

    # Start executing the program until you hit a breakpoint or it ends
    trace.run()

    print "Holy BreakPoint Batman!"
Пример #15
0
def load_binary(filepath, base=None):
    
    trace = vtrace.getTrace()
    trace.execute(filepath)
    #######################################################################
    # Call a function to set BP on OEP
    oep = v_api.getOEP(trace, filepath)

    # Set breakpoint at address
    bp = vtrace.Breakpoint(oep)
    trace.addBreakpoint(bp)

    ######################################################################
    # Start executing the program until you hit a breakpoint or it ends
    trace.run()
    #######################################################################
    # function takes in just filename not the full path to filename.exe
    exeName = filepath.split(".exe")[0]
    fileName = exeName.split("\\")[len(exeName.split("\\"))-1]

    # Get the list of imported functions to compare against
    base, importTable = v_api.printIAT(trace, fileName, debug)
Пример #16
0
def load_binary(filepath, base=None):
    # Get the current trace object from vtrace
    trace = vtrace.getTrace()

    # If attempting to attach to a 64 bit process
    # 64 bit python is required.
    trace.execute(filepath)

    oep = v_api.getOEP(trace, filepath)

    # Set breakpoint at address
    bp = vtrace.Breakpoint(oep)
    trace.addBreakpoint(bp)

    # Print out all the current breakpoints as well as if they are enabled.
    for bp in trace.getBreakpoints():
        print("%s enabled: %s" % (bp, bp.isEnabled()))

    # Start executing the program until you hit a breakpoint or it ends
    trace.run()

    print "Holy BreakPoint Batman!"
Пример #17
0
def load_binary(filepath, base=None):
    
    # Get the current trace object from vtrace
    trace = vtrace.getTrace()
    trace.setMode("FastBreak", True)

    # If attempting to attach to a 64 bit process
    # 64 bit python is required.
    trace.execute(filepath)

    # Call a function to set BP on OEP
    oep = v_api.getOEP(trace, filepath)
    print "OEP: %x" % oep
##########################################################
    # Stalker
    #addr is here since child process doens't start at oep
    addr = oep

    try:
        v_stalker.addStalkerEntry(trace, addr)
    except:
        pass
    print('Added 0x%.8x to Stalker list' % addr)
######################################################################
## Beyond this point the debugger is attached to the child process
##
    trace.setMode("FastBreak", True)
    while trace.isAttached():
        trace.run()
    
    f = file("zTest.stalk", "wb")

    # Prints out the current stalker hits
    # Not currently working.... 
    #print('Current Stalker Hits:')
    for hitva in v_stalker.getStalkerHits(trace):
        print('\t 0x%.8x' % hitva)
        f.write('\t 0x%.8x\n' % hitva)
    f.close()
Пример #18
0
def load_binary(filepath, base=None):
    # Get the current trace object from vtrace
    trace = vtrace.getTrace()

    # If attempting to attach to a 64 bit process
    # 64 bit python is required.
    trace.execute(filepath)
###############################################################
    
    # Call a function to set BP on OEP
    oep = v_api.getOEP(trace, filepath)

    # Set breakpoint at address
    bp = vtrace.Breakpoint(oep)
    trace.addBreakpoint(bp)

    # Start executing the program until you hit a breakpoint or it ends
    trace.run()
#################################################################

    # takes a snapshot of memory
    snap = vs_snap.takeSnapshot(trace)
    # saves it to a file
    snap.saveToFile("zTest.snap")
Пример #19
0
def load_binary(filepath, base=None):
    # Get the current trace object from vtrace
    trace = vtrace.getTrace()

    # If attempting to attach to a 64 bit process
    # 64 bit python is required.
    trace.execute(filepath)
    ###############################################################

    # Call a function to set BP on OEP
    oep = v_api.getOEP(trace, filepath)

    # Set breakpoint at address
    bp = vtrace.Breakpoint(oep)
    trace.addBreakpoint(bp)

    # Start executing the program until you hit a breakpoint or it ends
    trace.run()
    #################################################################

    # takes a snapshot of memory
    snap = vs_snap.takeSnapshot(trace)
    # saves it to a file
    snap.saveToFile("zTest.snap")
Пример #20
0
def load_binary(filepath, base=None):
    trace = vtrace.getTrace()
    trace.execute(filepath)

    trace.setMode("FastStep", 1)

    filepath = trace.getMeta('ExeName')
    fileName = os.path.basename(filepath).split('.')[0]

    # Call a function to set BP on OEP
    oep = getOEP(trace, filepath)

    #######################################################################
    # Get the list of imported functions to compare against
    base, importTable = printIAT(trace, fileName)

    base, poff, psize = getIATLocation(trace, fileName, debug)

    # Store the IAT under the meta name IATInfo
    store_IAT(trace, base, importTable, "IATInfo")

    psize = trace.arch.getPointerSize()

    memMap = trace.getMemoryMap(base + poff)
    begin = memMap[0]
    size = len(importTable) * psize

    # put begin in size into the meta data
    trace.setMeta("IATBegin", begin)
    trace.setMeta("IATSize", size)

    print "[*] Protecting Memory Location: %s" % hex(begin)
    print "[*] Memory Size: %s" % size

    trace.protectMemory(begin, size, envi.memory.MM_NONE)

    #######################################################################
    # Enable the notifier.  Used later to catch the page execute exception.
    notif = CustomNotifier()
    eve = vtrace.NOTIFY_ALL
    #eve = vtrace.NOTIFY_SIGNAL
    trace.registerNotifier(eve, notif)
    #######################################################################
    #trace.run()
    count = 0
    lst = trace.getMeta('IATList')

    # Until you hit Ctrl+C keep looping and printing out IAT calls
    # On termination print out all the calls in the order that they were called
    while True:
        try:
            trace.run()
            count += 1
            lst = trace.getMeta('IATList')
        except KeyboardInterrupt:
            for i in lst:
                a = i.split(':')
                print "\t[*] %s \t %s \t %s" % (a[0], a[1], a[2])
            sys.exit(1)
        except:
            x = pprint.pformat(lst)

            a = x.lstrip('[')
            a = a.rstrip(']')
            a = a.split('\n')

            for i in a:
                i = i.replace("'", "")
                i = i.replace("\'", "")

                b = i.split(':')
                print "\t[*] %s \t %s \t %s" % (b[0].lstrip(), b[1],
                                                b[2].rstrip('\','))

            sys.exit(2)
Пример #21
0
def load_binary(filepath, base=None):
    trace = vtrace.getTrace()
    trace.execute(filepath)
    
    trace.setMode("FastStep", 1)

    filepath = trace.getMeta('ExeName')
    fileName = os.path.basename(filepath).split('.')[0]

    # Call a function to set BP on OEP
    oep = getOEP(trace, filepath)

    #######################################################################
    # Get the list of imported functions to compare against
    base, importTable = printIAT(trace, fileName)
    
    base, poff, psize = getIATLocation(trace, fileName, debug)

    # Store the IAT under the meta name IATInfo
    store_IAT(trace, base, importTable, "IATInfo")
    
    psize = trace.arch.getPointerSize()

    memMap = trace.getMemoryMap(base+poff)
    begin = memMap[0]
    size = len(importTable) * psize

    # put begin in size into the meta data
    trace.setMeta("IATBegin", begin)
    trace.setMeta("IATSize", size)

    print "[*] Protecting Memory Location: %s" % hex(begin)
    print "[*] Memory Size: %s" % size

    trace.protectMemory(begin, size, envi.memory.MM_NONE)

    #######################################################################
    # Enable the notifier.  Used later to catch the page execute exception.
    notif = CustomNotifier()
    eve = vtrace.NOTIFY_ALL
    #eve = vtrace.NOTIFY_SIGNAL
    trace.registerNotifier(eve, notif)
    #######################################################################
    #trace.run()
    count = 0
    lst = trace.getMeta('IATList')
    
    # Until you hit Ctrl+C keep looping and printing out IAT calls
    # On termination print out all the calls in the order that they were called
    while True:
        try:
            trace.run()
            count += 1
            lst = trace.getMeta('IATList')
        except KeyboardInterrupt:
            for i in lst:
                a = i.split(':')
                print "\t[*] %s \t %s \t %s" % (a[0], a[1], a[2])
            sys.exit(1)
        except:
            x = pprint.pformat(lst)

            a = x.lstrip('[')
            a = a.rstrip(']')
            a = a.split('\n')

            for i in a:
                i = i.replace("'", "")
                i = i.replace("\'", "")

                b = i.split(':')
                print "\t[*] %s \t %s \t %s" % (b[0].lstrip(), b[1], b[2].rstrip('\','))
            
            sys.exit(2)