class IDebugSymbolsTestCase(unittest.TestCase): def setUp(self): pass @classmethod def setUpClass(self): windows.winproxy.SetThreadAffinityMask(dwThreadAffinityMask=(1 << 0)) self.kdbg = LocalKernelDebugger() modules = windows.utils.get_kernel_modules() self.modules = modules self.ntkernelbase = modules[0].Base self.kernelpath = modules[0].ImageName[:] self.kernelpath = os.path.expandvars(self.kernelpath.replace("\SystemRoot", "%SystemRoot%")) self.kernelmod = winproxy.LoadLibraryA(self.kernelpath) pe = windows.pe_parse.PEFile(self.kernelmod) self.NtCreateFileVA = pe.exports['NtCreateFile'] - self.kernelmod + self.ntkernelbase def tearDown(self): #self.kdbg.detach() self.kdbg = None def test_get_symbol_offset(self): # IDebugSymbols::GetOffsetByName x = self.kdbg.get_symbol_offset("nt") self.assertEqual(x, self.ntkernelbase) @RequireSymbol("ntdll!NtCreateFile") def test_get_symbol_offset_user(self): # IDebugSymbols::GetOffsetByName x = windows.utils.get_func_addr("ntdll", "NtCreateFile") y = self.kdbg.get_symbol_offset("ntdll!NtCreateFile") self.assertEqual(x, y) @RequireSymbol("nt!NtCreateFile") def test_get_symbol(self): # IDebugSymbols::GetNameByOffset x = self.kdbg.get_symbol(self.NtCreateFileVA) self.assertEqual(x[0], 'nt!NtCreateFile') self.assertEqual(x[1], 0x00) @RequireSymbol("ntdll!NtCreateFile") def test_get_symbol_user(self): # IDebugSymbols::GetNameByOffset x = windows.utils.get_func_addr("ntdll", "NtCreateFile") y = self.kdbg.get_symbol(x) self.assertIn(y[0], ["ntdll!NtCreateFile", "ntdll!ZwCreateFile"]) def test_get_number_modules(self): # IDebugSymbols::GetNumberModules loaded, unloaded = self.kdbg.get_number_modules() def test_get_module_by_index(self): # IDebugSymbols::GetModuleByIndex for i in range(self.kdbg.get_number_modules()[0]): x = self.kdbg.get_module_by_index(i) if x == self.ntkernelbase: return raise AssertionError("ntoskrnl not found") def test_get_module_name_by_index(self): # IDebugSymbols::GetModuleNames for i in range(self.kdbg.get_number_modules()[0]): x = self.kdbg.get_module_name_by_index(i) if x[1] == "nt": return raise AssertionError("ntoskrnl not found") def test_symbol_match(self): # IDebugSymbols::StartSymbolMatch | IDebugSymbols::GetNextSymbolMatch | IDebugSymbols::EndSymbolMatch x = list(self.kdbg.symbol_match("nt!NtCreateF*")) self.assertEqual(x[0][0], 'nt!NtCreateFile') self.assertEqual(x[0][1], self.NtCreateFileVA)
l_idt.append((None, None)) continue addr = (idt32.ExtendedOffset << 16) | idt32.Offset if (addr < addr_nt_KiStartUnexpectedRange or addr > addr_nt_KiEndUnexpectedRange): l_idt.append((addr, get_kinterrupt(kdbg, addr, kpcr_addr, i))) else: addr_kinterrupt = get_kinterrupt(kdbg, addr, kpcr_addr, i) if addr_kinterrupt is None: addr = None l_idt.append((addr, addr_kinterrupt)) return l_idt if __name__ == '__main__': kdbg = LocalKernelDebugger() if windows.current_process.bitness == 32: l_idt = get_idt_32(kdbg) else: l_idt = get_idt_64(kdbg) for i in range(len(l_idt)): if l_idt[i][0] is not None: if l_idt[i][1] is not None: print("0x{0:02X} {1} {2} (KINTERRUPT {3})".format( i, hex(l_idt[i][0]), kdbg.get_symbol(l_idt[i][0])[0], hex(l_idt[i][1]))) else: print("0x{0:02X} {1} {2}".format( i, hex(l_idt[i][0]), kdbg.get_symbol(l_idt[i][0])[0]))
class IDebugDataSpacesTestCase(unittest.TestCase): def setUp(self): pass @classmethod def setUpClass(self): windows.winproxy.SetThreadAffinityMask(dwThreadAffinityMask=(1 << 0)) self.kdbg = LocalKernelDebugger() modules = windows.utils.get_kernel_modules() self.ntkernelbase = modules[0].Base self.kernelpath = modules[0].ImageName[:] self.kernelpath = os.path.expandvars(self.kernelpath.replace("\SystemRoot", "%SystemRoot%")) self.kernelbuf = open(self.kernelpath, "rb").read() self.kernelmod = winproxy.LoadLibraryA(self.kernelpath) pe = windows.pe_parse.PEFile(self.kernelmod) self.kernel_section_data = [section for section in pe.sections if section.name == ".data"][0] def tearDown(self): #self.kdbg.detach() self.kdbg = None def test_read_byte(self): # IDebugDataSpaces::ReadVirtual x = self.kdbg.read_byte(self.kdbg.get_symbol_offset("nt")) self.assertEqual(x, ord(self.kernelbuf[0])) def test_read_word(self): # IDebugDataSpaces::ReadVirtual x = self.kdbg.read_word(self.kdbg.get_symbol_offset("nt")) self.assertEqual(x, struct.unpack("<H", self.kernelbuf[:2])[0]) def test_read_dword(self): # IDebugDataSpaces::ReadVirtual x = self.kdbg.read_dword(self.kdbg.get_symbol_offset("nt")) self.assertEqual(x, struct.unpack("<I", self.kernelbuf[:4])[0]) def test_read_qword(self): # IDebugDataSpaces::ReadVirtual x = self.kdbg.read_qword(self.kdbg.get_symbol_offset("nt")) self.assertEqual(x, struct.unpack("<Q", self.kernelbuf[:8])[0]) def test_read_byte_p(self): # IDebugDataSpaces::ReadPhysical x = self.kdbg.read_byte(self.kdbg.get_symbol_offset("nt")) y = self.kdbg.read_byte_p(self.kdbg.virtual_to_physical(self.kdbg.get_symbol_offset("nt"))) self.assertEqual(x, y) def test_read_word_p(self): # IDebugDataSpaces::ReadPhysical x = self.kdbg.read_word(self.kdbg.get_symbol_offset("nt")) y = self.kdbg.read_word_p(self.kdbg.virtual_to_physical(self.kdbg.get_symbol_offset("nt"))) self.assertEqual(x, y) def test_read_dword_p(self): # IDebugDataSpaces::ReadPhysical x = self.kdbg.read_dword(self.kdbg.get_symbol_offset("nt")) y = self.kdbg.read_dword_p(self.kdbg.virtual_to_physical(self.kdbg.get_symbol_offset("nt"))) self.assertEqual(x, y) def test_read_qword_p(self): # IDebugDataSpaces::ReadPhysical x = self.kdbg.read_qword(self.kdbg.get_symbol_offset("nt")) y = self.kdbg.read_qword_p(self.kdbg.virtual_to_physical(self.kdbg.get_symbol_offset("nt"))) self.assertEqual(x, y) @test_32bit_only @RequireSymbol('nt!KiFastCallEntry') def test_read_msr32(self): # IDebugDataSpaces::ReadMsr IA32_SYSENTER_EIP = 0x176 x = self.kdbg.read_msr(IA32_SYSENTER_EIP) y = self.kdbg.get_symbol(x) self.assertEqual(y[0], 'nt!KiFastCallEntry') @test_64bit_only @RequireSymbol('nt!KiSystemCall64') def test_read_msr64(self): # IDebugDataSpaces::ReadMsr LSTAR = 0xC0000082 x = self.kdbg.read_msr(LSTAR) y = self.kdbg.get_symbol(x) self.assertEqual(y[0], 'nt!KiSystemCall64') @test_32bit_only def test_read_processor_system_data32(self): # IDebugDataSpaces::ReadProcessorSystemData DEBUG_DATA_PROCESSOR_IDENTIFICATION = 4 x = self.kdbg.read_processor_system_data(0, DEBUG_DATA_PROCESSOR_IDENTIFICATION) self.assertEqual(cpuid.get_vendor_id(), x.X86.VendorString) self.assertEqual(cpuid.get_proc_family_model(), (x.X86.Family, x.X86.Model)) @test_64bit_only def test_read_processor_system_data64(self): # IDebugDataSpaces::ReadProcessorSystemData DEBUG_DATA_PROCESSOR_IDENTIFICATION = 4 x = self.kdbg.read_processor_system_data(0, DEBUG_DATA_PROCESSOR_IDENTIFICATION) self.assertEqual(cpuid.get_vendor_id(), x.Amd64.VendorString) self.assertEqual(cpuid.get_proc_family_model(), (x.Amd64.Family, x.Amd64.Model)) def test_write_byte(self): kernel_base = self.kdbg.get_symbol_offset("nt") addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 1 self.kdbg.write_byte(addr, 0x42) x = self.kdbg.read_byte(addr) self.assertEqual(0x42, x) def test_write_byte_p(self): kernel_base = self.kdbg.get_symbol_offset("nt") addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 1 self.kdbg.write_byte_p(self.kdbg.virtual_to_physical(addr), 0x43) x = self.kdbg.read_byte(addr) self.assertEqual(0x43, x) def test_write_word(self): kernel_base = self.kdbg.get_symbol_offset("nt") addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 2 self.kdbg.write_word(addr, 0x4444) x = self.kdbg.read_word(addr) self.assertEqual(0x4444, x) def test_write_word_p(self): kernel_base = self.kdbg.get_symbol_offset("nt") addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 2 self.kdbg.write_word_p(self.kdbg.virtual_to_physical(addr), 0x4545) x = self.kdbg.read_word(addr) self.assertEqual(0x4545, x) def test_write_dword(self): kernel_base = self.kdbg.get_symbol_offset("nt") addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 4 self.kdbg.write_dword(addr, 0x46464646) x = self.kdbg.read_dword(addr) self.assertEqual(0x46464646, x) def test_write_dword_p(self): kernel_base = self.kdbg.get_symbol_offset("nt") addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 4 self.kdbg.write_dword_p(self.kdbg.virtual_to_physical(addr), 0x47474747) x = self.kdbg.read_dword(addr) self.assertEqual(0x47474747, x) def test_write_qword(self): kernel_base = self.kdbg.get_symbol_offset("nt") addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 8 self.kdbg.write_qword(addr, 0x4848484848484848) x = self.kdbg.read_qword(addr) self.assertEqual(0x4848484848484848, x) def test_write_qword_p(self): kernel_base = self.kdbg.get_symbol_offset("nt") addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 8 self.kdbg.write_qword_p(self.kdbg.virtual_to_physical(addr), 0x4949494949494949) x = self.kdbg.read_qword(addr) self.assertEqual(0x4949494949494949, x)
idt_base = kdbg.read_ptr(kpcr_addr + idt_base_offset) for i in xrange(0, 0xFF): idt32 = IDT32() kdbg.read_virtual_memory_into(idt_base + i * sizeof(IDT32), idt32) if (idt32.ExtendedOffset == 0 or idt32.Offset == 0): l_idt.append((None, None)) continue addr = (idt32.ExtendedOffset << 16) | idt32.Offset if (addr < addr_nt_KiStartUnexpectedRange or addr > addr_nt_KiEndUnexpectedRange): l_idt.append((addr, get_kinterrupt(kdbg, addr, kpcr_addr, i))) else: addr_kinterrupt = get_kinterrupt(kdbg, addr, kpcr_addr, i) if addr_kinterrupt is None: addr = None l_idt.append((addr, addr_kinterrupt)) return l_idt if __name__ == '__main__': kdbg = LocalKernelDebugger() if windows.current_process.bitness == 32: l_idt = get_idt_32(kdbg) else: l_idt = get_idt_64(kdbg) for i in range(len(l_idt)): if l_idt[i][0] is not None: if l_idt[i][1] is not None: print("0x{0:02X} {1} {2} (KINTERRUPT {3})".format(i, hex(l_idt[i][0]), kdbg.get_symbol(l_idt[i][0])[0], hex(l_idt[i][1]))) else: print("0x{0:02X} {1} {2}".format(i, hex(l_idt[i][0]), kdbg.get_symbol(l_idt[i][0])[0]))