def test_impapi_windows(self):
    """ntdll.RtlAllocateHeap maps to the per-architecture calling convention on 'windows'."""
    expectations = (
        ('i386', 'stdcall'),
        ('arm', 'armcall'),
    )
    for arch, expected_conv in expectations:
        api = viv_impapi.getImportApi('windows', arch)
        self.assertEqual(api.getImpApiCallConv('ntdll.RtlAllocateHeap'), expected_conv)
def test_impapi_winkern(self):
    """ntoskrnl.ObReferenceObjectByHandle maps to the per-architecture calling convention on 'winkern'."""
    expectations = (
        ('i386', 'stdcall'),
        ('arm', 'armcall'),
    )
    for arch, expected_conv in expectations:
        api = viv_impapi.getImportApi('winkern', arch)
        self.assertEqual(
            api.getImpApiCallConv('ntoskrnl.ObReferenceObjectByHandle'),
            expected_conv)
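def notify(self, event, trace):
    """Resolve the hook's calling convention and argument count on first notification.

    Looks up the import API for the trace's 'Platform'/'Architecture' meta,
    caches it on ``self.impapi`` and fills ``self.cc`` (the emulator's calling
    convention object for ``self.vte``) and ``self.argc``.  Once
    ``self.impapi`` is set, later notifications return immediately.

    Args:
        event: the notification event (not used by this method).
        trace: trace whose meta keys select the import API and whose
            emulator supplies the calling convention object.
    """
    if self.impapi is not None:
        # Already resolved by an earlier notification; nothing to redo.
        return

    platform = trace.getMeta('Platform')
    arch = trace.getMeta('Architecture')
    self.impapi = viv_impapi.getImportApi(platform, arch)

    cc_name = self.impapi.getImpApiCallConv(self.vte)
    emu = vtrace.getEmu(trace)
    self.cc = emu.getCallingConvention(cc_name)

    # getImpApiArgs() returns None for a symbol the impapi database does not
    # know; guard it instead of letting len(None) raise mid-notification
    # (same policy as resolvedaddr: argc is left untouched when unknown).
    apiargs = self.impapi.getImpApiArgs(self.vte)
    if apiargs is not None:
        self.argc = len(apiargs)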
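def notify(self, event, trace):
    """Resolve the hook's calling convention and argument count on first notification.

    Looks up the import API for the trace's 'Platform'/'Architecture' meta,
    caches it on ``self.impapi`` and fills ``self.cc`` (the emulator's calling
    convention object for ``self.vte``) and ``self.argc``.  Once
    ``self.impapi`` is set, later notifications return immediately.

    Args:
        event: the notification event (not used by this method).
        trace: trace whose meta keys select the import API and whose
            emulator supplies the calling convention object.
    """
    if self.impapi is not None:
        # Already resolved by an earlier notification; nothing to redo.
        return

    platform = trace.getMeta('Platform')
    arch = trace.getMeta('Architecture')
    self.impapi = viv_impapi.getImportApi(platform, arch)

    cc_name = self.impapi.getImpApiCallConv(self.vte)
    emu = vtrace.getEmu(trace)
    self.cc = emu.getCallingConvention(cc_name)

    # getImpApiArgs() returns None for a symbol the impapi database does not
    # know; guard it instead of letting len(None) raise mid-notification
    # (same policy as resolvedaddr: argc is left untouched when unknown).
    apiargs = self.impapi.getImpApiArgs(self.vte)
    if apiargs is not None:
        self.argc = len(apiargs)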
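def render(self, mcanv, va):
    """Render the stack-pointer cell, prefixed with the decoded call arguments.

    When ``va`` is the current stack pointer and the program counter sits on
    a symbol the impapi database knows, the call's arguments are fetched via
    the calling convention and written to ``mcanv`` before delegating to
    ``DerefRenderer.render``.  In every other case it delegates directly.

    Args:
        mcanv: memory canvas; ``mcanv.mem`` is the trace being rendered.
        va: virtual address of the cell being rendered.

    Returns:
        Whatever ``DerefRenderer.render`` returns for the cell.
    """
    trace = mcanv.mem
    if va != trace.getStackCounter():
        return DerefRenderer.render(self, mcanv, va)

    pc = trace.getProgramCounter()
    sym, is_thunk = trace.getSymByAddrThunkAware(pc)
    if sym is None:
        return DerefRenderer.render(self, mcanv, va)

    # TODO: this code also exists in win32stealth and in hookbreakpoint
    # we should put this somewhere common
    platform = trace.getMeta('Platform')
    arch = trace.getMeta('Architecture')
    impapi = viv_impapi.getImportApi(platform, arch)
    cc_name = impapi.getImpApiCallConv(sym)
    emu = vtrace.getEmu(trace)
    cc = emu.getCallingConvention(cc_name)

    args_def = impapi.getImpApiArgs(sym)
    if args_def is None:
        # sym did not exist in impapi :(
        logger.warning('sym but no impapi match: {}'.format(sym))
        return DerefRenderer.render(self, mcanv, va)

    argc = len(args_def)
    # On a call instruction (or a thunk) the args are still where the caller
    # left them, so use the "pre call" accessor of the calling convention.
    curop = trace.parseOpcode(pc)
    if curop.isCall() or is_thunk:
        args = cc.getPreCallArgs(trace, argc)
    else:
        args = cc.getCallArgs(trace, argc)

    # since we are 'normalizing' the calls by visualizing all calling
    # conventions in a stdcall fashion, some args (like the ones in
    # registers don't have a stack va.
    mcanv.addText('%s :\n' % sym)
    fmt = ' arg%%d (%%s) 0x%%0%dx %%s\n' % (trace.getPointerSize() * 2, )
    for index, (arg, argdef) in enumerate(zip(args, args_def)):
        argtype = argdef[0]
        # Only dereference arguments the trace reports as valid pointers;
        # the bytes preview is capped at 64 bytes by maxrend.
        argva = arg
        if trace.isValidPointer(arg):
            argva = trace.readMemoryFormat(arg, 'P')[0]
        smc = e_canvas.StringMemoryCanvas(trace)
        e_canvas_rend.AutoBytesRenderer(maxrend=64).render(smc, argva)
        desc = str(smc)
        mcanv.addText(fmt % (index, argtype, arg, desc))

    mcanv.addText('-' * 5)
    mcanv.addText('\n')

    return DerefRenderer.render(self, mcanv, va)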
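def render(self, mcanv, va):
    """Render the stack-pointer cell, prefixed with the decoded call arguments.

    When ``va`` is the current stack pointer and the program counter sits on
    a symbol the impapi database knows, the call's arguments are fetched via
    the calling convention and written to ``mcanv`` before delegating to
    ``DerefRenderer.render``.  In every other case it delegates directly.

    Args:
        mcanv: memory canvas; ``mcanv.mem`` is the trace being rendered.
        va: virtual address of the cell being rendered.

    Returns:
        Whatever ``DerefRenderer.render`` returns for the cell.
    """
    trace = mcanv.mem
    if va != trace.getStackCounter():
        return DerefRenderer.render(self, mcanv, va)

    pc = trace.getProgramCounter()
    sym, is_thunk = trace.getSymByAddrThunkAware(pc)
    if sym is None:
        return DerefRenderer.render(self, mcanv, va)

    # TODO: this code also exists in win32stealth and in hookbreakpoint
    # we should put this somewhere common
    platform = trace.getMeta('Platform')
    arch = trace.getMeta('Architecture')
    impapi = viv_impapi.getImportApi(platform, arch)
    cc_name = impapi.getImpApiCallConv(sym)
    emu = vtrace.getEmu(trace)
    cc = emu.getCallingConvention(cc_name)

    args_def = impapi.getImpApiArgs(sym)
    if args_def is None:
        # sym did not exist in impapi :(
        print('sym but no impapi match: {}'.format(sym))
        return DerefRenderer.render(self, mcanv, va)

    argc = len(args_def)
    # On a call instruction (or a thunk) the args are still where the caller
    # left them, so use the "pre call" accessor of the calling convention.
    curop = trace.parseOpcode(pc)
    if curop.isCall() or is_thunk:
        args = cc.getPreCallArgs(trace, argc)
    else:
        args = cc.getCallArgs(trace, argc)

    # since we are 'normalizing' the calls by visualizing all calling
    # conventions in a stdcall fashion, some args (like the ones in
    # registers don't have a stack va.
    mcanv.addText('%s :\n' % sym)
    fmt = ' arg%%d (%%s) 0x%%0%dx %%s\n' % (trace.getPointerSize() * 2,)
    for index, (arg, argdef) in enumerate(zip(args, args_def)):
        argtype = argdef[0]
        # Only dereference arguments the trace reports as valid pointers;
        # the bytes preview is capped at 64 bytes by maxrend.
        argva = arg
        if trace.isValidPointer(arg):
            argva = trace.readMemoryFormat(arg, 'P')[0]
        smc = e_canvas.StringMemoryCanvas(trace)
        e_canvas_rend.AutoBytesRenderer(maxrend=64).render(smc, argva)
        desc = str(smc)
        mcanv.addText(fmt % (index, argtype, arg, desc))

    mcanv.addText('-' * 5)
    mcanv.addText('\n')

    return DerefRenderer.render(self, mcanv, va)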
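def resolvedaddr(self, trace, addr):
    '''
    When we get resolved, lookup in impapi the calling convention and
    other details about the function.  Do not do this if we were
    explicitly told what to do.

    Args:
        trace: trace whose 'Platform'/'Architecture' meta select the
            import API and whose emulator supplies the calling convention.
        addr: the resolved address (not used; the lookup is keyed on
            self.vte).
    '''
    # told explicitly what to do, don't go look anything up
    if self.cc is not None and self.argc is not None:
        return

    # TODO: move this out of here after we move impapi to a top-level
    # package.
    import vivisect.impapi as viv_impapi

    # this code also exists in win32stealth, we should put this somewhere
    # common
    platform = trace.getMeta('Platform')
    arch = trace.getMeta('Architecture')
    self.impapi = viv_impapi.getImportApi(platform, arch)

    cc_name = self.impapi.getImpApiCallConv(self.vte)
    emu = vtrace.getEmu(trace)
    self.cc = emu.getCallingConvention(cc_name)

    # A symbol unknown to impapi yields no arg list; leave argc as-is then.
    apiargs = self.impapi.getImpApiArgs(self.vte)
    if apiargs is not None:
        self.argc = len(apiargs)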
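def resolvedaddr(self, trace, addr):
    '''
    When we get resolved, lookup in impapi the calling convention and
    other details about the function.  Do not do this if we were
    explicitly told what to do.

    Args:
        trace: trace whose 'Platform'/'Architecture' meta select the
            import API and whose emulator supplies the calling convention.
        addr: the resolved address (not used; the lookup is keyed on
            self.vte).
    '''
    # told explicitly what to do, don't go look anything up
    if self.cc is not None and self.argc is not None:
        return

    # TODO: move this out of here after we move impapi to a top-level
    # package.
    import vivisect.impapi as viv_impapi

    # this code also exists in win32stealth, we should put this somewhere
    # common
    platform = trace.getMeta('Platform')
    arch = trace.getMeta('Architecture')
    self.impapi = viv_impapi.getImportApi(platform, arch)

    cc_name = self.impapi.getImpApiCallConv(self.vte)
    emu = vtrace.getEmu(trace)
    self.cc = emu.getCallingConvention(cc_name)

    # A symbol unknown to impapi yields no arg list; leave argc as-is then.
    apiargs = self.impapi.getImpApiArgs(self.vte)
    if apiargs is not None:
        self.argc = len(apiargs)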
def test_impapi_winkern(self):
    """ntoskrnl.ObReferenceObjectByHandle is stdcall in the i386 'winkern' impapi."""
    api = viv_impapi.getImportApi('winkern', 'i386')
    conv = api.getImpApiCallConv('ntoskrnl.ObReferenceObjectByHandle')
    self.assertEqual(conv, 'stdcall')
def test_impapi_windows(self):
    """ntdll.RtlAllocateHeap is stdcall in the i386 'windows' impapi."""
    api = viv_impapi.getImportApi('windows', 'i386')
    conv = api.getImpApiCallConv('ntdll.RtlAllocateHeap')
    self.assertEqual(conv, 'stdcall')