class DriverUpgradeTestCase(unittest.TestCase):
    """Tests for the debugger's driver upgrade and the helpers built on it.

    Every test talks to one LocalKernelDebugger shared by the whole class and
    allocates / writes memory through it, so the suite changes the state of
    the machine it runs on.
    """

    @classmethod
    def setUpClass(self):
        # One debugger instance for the whole class (stored on the class).
        self.kdbg = LocalKernelDebugger()

    def test_alloc_memory(self):
        # The 0x1000-byte allocation must be writable at its first and at its
        # last byte (offset 0xfff).
        base = self.kdbg.alloc_memory(0x1000)
        for offset in (0, 0xfff):
            self.kdbg.write_byte(base + offset, 0x42)
            self.assertEqual(self.kdbg.read_byte(base + offset), 0x42)

    def test_full_driver_upgrade(self):
        # Drop the recorded IOCTLs, run the complete upgrade again, then check
        # that allocation still works afterwards.
        current = self.kdbg.upgrader
        current.registered_ioctl = []
        current.full_driver_upgrade()
        self.test_alloc_memory()

    def test_retrieve_driver_upgrade(self):
        # IOCTLs known to the upgrader currently attached to the debugger.
        known_ioctl = self.kdbg.upgrader.registered_ioctl
        # Verify that at least one IOCTL is registered.
        self.assertTrue(known_ioctl)
        upgrader_type = type(self.kdbg.upgrader)
        fresh_upgrader = upgrader_type(self.kdbg)
        # Verify that a freshly built upgrader sees the driver as upgraded.
        self.assertTrue(fresh_upgrader.is_driver_already_upgraded())
        # Verify that it recovers the same IOCTL list as the original one.
        fresh_upgrader.retrieve_upgraded_info()
        self.assertItemsEqual(known_ioctl, fresh_upgrader.registered_ioctl)

    def test_map_page_to_userland(self):
        page_size = 0x1000
        kernel_page = self.kdbg.alloc_memory(page_size)
        user_page = self.kdbg.map_page_to_userland(kernel_page, page_size)
        # Kernel-side write must be visible through the user-mode address ...
        self.kdbg.write_dword(kernel_page, 0x11223344)
        first_dword = ctypes.c_uint.from_address(user_page)
        self.assertEqual(first_dword.value, 0x11223344)
        # ... and a plain user-mode store must land in the kernel page: the
        # mapping is a writable alias of kernel memory inside this process.
        second_dword = ctypes.c_uint.from_address(user_page + 4)
        second_dword.value = 0x12345678
        self.assertEqual(self.kdbg.read_dword(kernel_page + 4), 0x12345678)
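class IDebugDataSpacesTestCase(unittest.TestCase):
    """Tests for the IDebugDataSpaces wrappers of LocalKernelDebugger.

    Read tests compare what the debugger returns for the "nt" module with the
    kernel image file on disk. Write tests patch the last bytes of the
    kernel's ".data" section in the *running* kernel; each one puts the
    previous value back when it finishes. Run the suite on a disposable test
    machine only.
    """

    # Access width in bytes -> suffix of the kdbg read_*/write_* methods.
    _WIDTH_NAMES = {1: "byte", 2: "word", 4: "dword", 8: "qword"}

    def setUp(self):
        pass

    @classmethod
    def setUpClass(self):
        # Pin this thread to CPU 0 (mask bit 0). Presumably this keeps the
        # cpuid values computed in this thread comparable with the data the
        # debugger reports for processor 0 -- TODO confirm.
        windows.winproxy.SetThreadAffinityMask(dwThreadAffinityMask=(1 << 0))
        self.kdbg = LocalKernelDebugger()
        modules = windows.utils.get_kernel_modules()
        # The first reported module is used as the kernel image.
        self.ntkernelbase = modules[0].Base
        self.kernelpath = modules[0].ImageName[:]
        # Raw string: "\S" is not a valid escape sequence; the value is unchanged.
        self.kernelpath = os.path.expandvars(
            self.kernelpath.replace(r"\SystemRoot", "%SystemRoot%"))
        # Close the file handle instead of leaving it to the garbage collector.
        with open(self.kernelpath, "rb") as kernel_file:
            self.kernelbuf = kernel_file.read()
        # NOTE(review): the path goes through the %SystemRoot% environment
        # variable, so LoadLibraryA maps whatever file that expands to.
        self.kernelmod = winproxy.LoadLibraryA(self.kernelpath)
        pe = windows.pe_parse.PEFile(self.kernelmod)
        self.kernel_section_data = [section for section in pe.sections
                                    if section.name == ".data"][0]

    def tearDown(self):
        #self.kdbg.detach()
        # Assigning on the instance only hides the class-level debugger for
        # this test object; the shared instance from setUpClass stays alive.
        self.kdbg = None

    def _data_tail_address(self, size):
        """Return the virtual address of the last `size` bytes of nt's .data."""
        kernel_base = self.kdbg.get_symbol_offset("nt")
        section = self.kernel_section_data
        return kernel_base + section.VirtualAddress + section.VirtualSize - size

    def _check_write(self, size, value, physical=False):
        """Write `value` at the tail of .data, read it back, then restore.

        size     -- access width in bytes (1, 2, 4 or 8)
        value    -- pattern to write
        physical -- write through the physical address (write_*_p) instead
                    of the virtual one; the read-back is always virtual
        """
        suffix = self._WIDTH_NAMES[size]
        read = getattr(self.kdbg, "read_" + suffix)
        write = getattr(self.kdbg, "write_" + suffix)
        addr = self._data_tail_address(size)
        # These bytes belong to the live kernel: remember them so the test
        # does not leave its pattern behind.
        saved = read(addr)
        try:
            if physical:
                write_physical = getattr(self.kdbg, "write_" + suffix + "_p")
                write_physical(self.kdbg.virtual_to_physical(addr), value)
            else:
                write(addr, value)
            self.assertEqual(value, read(addr))
        finally:
            write(addr, saved)

    def test_read_byte(self):
        # IDebugDataSpaces::ReadVirtual
        x = self.kdbg.read_byte(self.kdbg.get_symbol_offset("nt"))
        # struct.unpack on a one-byte slice, like the wider tests below, works
        # whether indexing the buffer yields a str or an int.
        self.assertEqual(x, struct.unpack("<B", self.kernelbuf[:1])[0])

    def test_read_word(self):
        # IDebugDataSpaces::ReadVirtual
        x = self.kdbg.read_word(self.kdbg.get_symbol_offset("nt"))
        self.assertEqual(x, struct.unpack("<H", self.kernelbuf[:2])[0])

    def test_read_dword(self):
        # IDebugDataSpaces::ReadVirtual
        x = self.kdbg.read_dword(self.kdbg.get_symbol_offset("nt"))
        self.assertEqual(x, struct.unpack("<I", self.kernelbuf[:4])[0])

    def test_read_qword(self):
        # IDebugDataSpaces::ReadVirtual
        x = self.kdbg.read_qword(self.kdbg.get_symbol_offset("nt"))
        self.assertEqual(x, struct.unpack("<Q", self.kernelbuf[:8])[0])

    def test_read_byte_p(self):
        # IDebugDataSpaces::ReadPhysical
        # Virtual and physical reads of the same location must agree.
        nt_base = self.kdbg.get_symbol_offset("nt")
        x = self.kdbg.read_byte(nt_base)
        y = self.kdbg.read_byte_p(self.kdbg.virtual_to_physical(nt_base))
        self.assertEqual(x, y)

    def test_read_word_p(self):
        # IDebugDataSpaces::ReadPhysical
        nt_base = self.kdbg.get_symbol_offset("nt")
        x = self.kdbg.read_word(nt_base)
        y = self.kdbg.read_word_p(self.kdbg.virtual_to_physical(nt_base))
        self.assertEqual(x, y)

    def test_read_dword_p(self):
        # IDebugDataSpaces::ReadPhysical
        nt_base = self.kdbg.get_symbol_offset("nt")
        x = self.kdbg.read_dword(nt_base)
        y = self.kdbg.read_dword_p(self.kdbg.virtual_to_physical(nt_base))
        self.assertEqual(x, y)

    def test_read_qword_p(self):
        # IDebugDataSpaces::ReadPhysical
        nt_base = self.kdbg.get_symbol_offset("nt")
        x = self.kdbg.read_qword(nt_base)
        y = self.kdbg.read_qword_p(self.kdbg.virtual_to_physical(nt_base))
        self.assertEqual(x, y)

    @test_32bit_only
    @RequireSymbol('nt!KiFastCallEntry')
    def test_read_msr32(self):
        # IDebugDataSpaces::ReadMsr
        # The SYSENTER target must resolve to the kernel's own entry point.
        IA32_SYSENTER_EIP = 0x176
        x = self.kdbg.read_msr(IA32_SYSENTER_EIP)
        y = self.kdbg.get_symbol(x)
        self.assertEqual(y[0], 'nt!KiFastCallEntry')

    @test_64bit_only
    @RequireSymbol('nt!KiSystemCall64')
    def test_read_msr64(self):
        # IDebugDataSpaces::ReadMsr
        # The SYSCALL target must resolve to the kernel's own entry point.
        # NOTE(review): with kernel VA shadowing enabled LSTAR is expected to
        # resolve to nt!KiSystemCall64Shadow instead -- confirm on the
        # Windows builds this suite targets.
        LSTAR = 0xC0000082
        x = self.kdbg.read_msr(LSTAR)
        y = self.kdbg.get_symbol(x)
        self.assertEqual(y[0], 'nt!KiSystemCall64')

    @test_32bit_only
    def test_read_processor_system_data32(self):
        # IDebugDataSpaces::ReadProcessorSystemData
        # Processor 0 as seen by the debugger must match cpuid in this thread.
        DEBUG_DATA_PROCESSOR_IDENTIFICATION = 4
        x = self.kdbg.read_processor_system_data(0, DEBUG_DATA_PROCESSOR_IDENTIFICATION)
        self.assertEqual(cpuid.get_vendor_id(), x.X86.VendorString)
        self.assertEqual(cpuid.get_proc_family_model(), (x.X86.Family, x.X86.Model))

    @test_64bit_only
    def test_read_processor_system_data64(self):
        # IDebugDataSpaces::ReadProcessorSystemData
        # Processor 0 as seen by the debugger must match cpuid in this thread.
        DEBUG_DATA_PROCESSOR_IDENTIFICATION = 4
        x = self.kdbg.read_processor_system_data(0, DEBUG_DATA_PROCESSOR_IDENTIFICATION)
        self.assertEqual(cpuid.get_vendor_id(), x.Amd64.VendorString)
        self.assertEqual(cpuid.get_proc_family_model(), (x.Amd64.Family, x.Amd64.Model))

    def test_write_byte(self):
        self._check_write(1, 0x42)

    def test_write_byte_p(self):
        self._check_write(1, 0x43, physical=True)

    def test_write_word(self):
        self._check_write(2, 0x4444)

    def test_write_word_p(self):
        self._check_write(2, 0x4545, physical=True)

    def test_write_dword(self):
        self._check_write(4, 0x46464646)

    def test_write_dword_p(self):
        self._check_write(4, 0x47474747, physical=True)

    def test_write_qword(self):
        self._check_write(8, 0x4848484848484848)

    def test_write_qword_p(self):
        self._check_write(8, 0x4949494949494949, physical=True)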