class IDebugDataSpacesTestCase(unittest.TestCase):
def setUp(self):
pass
@classmethod
def setUpClass(self):
windows.winproxy.SetThreadAffinityMask(dwThreadAffinityMask=(1 << 0))
self.kdbg = LocalKernelDebugger()
modules = windows.utils.get_kernel_modules()
self.ntkernelbase = modules[0].Base
self.kernelpath = modules[0].ImageName[:]
self.kernelpath = os.path.expandvars(self.kernelpath.replace("\SystemRoot", "%SystemRoot%"))
self.kernelbuf = open(self.kernelpath, "rb").read()
self.kernelmod = winproxy.LoadLibraryA(self.kernelpath)
pe = windows.pe_parse.PEFile(self.kernelmod)
self.kernel_section_data = [section for section in pe.sections if section.name == ".data"][0]
def tearDown(self):
#self.kdbg.detach()
self.kdbg = None
def test_read_byte(self):
# IDebugDataSpaces::ReadVirtual
x = self.kdbg.read_byte(self.kdbg.get_symbol_offset("nt"))
self.assertEqual(x, ord(self.kernelbuf[0]))
def test_read_word(self):
# IDebugDataSpaces::ReadVirtual
x = self.kdbg.read_word(self.kdbg.get_symbol_offset("nt"))
self.assertEqual(x, struct.unpack("<H", self.kernelbuf[:2])[0])
def test_read_dword(self):
# IDebugDataSpaces::ReadVirtual
x = self.kdbg.read_dword(self.kdbg.get_symbol_offset("nt"))
self.assertEqual(x, struct.unpack("<I", self.kernelbuf[:4])[0])
def test_read_qword(self):
# IDebugDataSpaces::ReadVirtual
x = self.kdbg.read_qword(self.kdbg.get_symbol_offset("nt"))
self.assertEqual(x, struct.unpack("<Q", self.kernelbuf[:8])[0])
def test_read_byte_p(self):
# IDebugDataSpaces::ReadPhysical
x = self.kdbg.read_byte(self.kdbg.get_symbol_offset("nt"))
y = self.kdbg.read_byte_p(self.kdbg.virtual_to_physical(self.kdbg.get_symbol_offset("nt")))
self.assertEqual(x, y)
def test_read_word_p(self):
# IDebugDataSpaces::ReadPhysical
x = self.kdbg.read_word(self.kdbg.get_symbol_offset("nt"))
y = self.kdbg.read_word_p(self.kdbg.virtual_to_physical(self.kdbg.get_symbol_offset("nt")))
self.assertEqual(x, y)
def test_read_dword_p(self):
# IDebugDataSpaces::ReadPhysical
x = self.kdbg.read_dword(self.kdbg.get_symbol_offset("nt"))
y = self.kdbg.read_dword_p(self.kdbg.virtual_to_physical(self.kdbg.get_symbol_offset("nt")))
self.assertEqual(x, y)
def test_read_qword_p(self):
# IDebugDataSpaces::ReadPhysical
x = self.kdbg.read_qword(self.kdbg.get_symbol_offset("nt"))
y = self.kdbg.read_qword_p(self.kdbg.virtual_to_physical(self.kdbg.get_symbol_offset("nt")))
self.assertEqual(x, y)
@test_32bit_only
@RequireSymbol('nt!KiFastCallEntry')
def test_read_msr32(self):
# IDebugDataSpaces::ReadMsr
IA32_SYSENTER_EIP = 0x176
x = self.kdbg.read_msr(IA32_SYSENTER_EIP)
y = self.kdbg.get_symbol(x)
self.assertEqual(y[0], 'nt!KiFastCallEntry')
@test_64bit_only
@RequireSymbol('nt!KiSystemCall64')
def test_read_msr64(self):
# IDebugDataSpaces::ReadMsr
LSTAR = 0xC0000082
x = self.kdbg.read_msr(LSTAR)
y = self.kdbg.get_symbol(x)
self.assertEqual(y[0], 'nt!KiSystemCall64')
@test_32bit_only
def test_read_processor_system_data32(self):
# IDebugDataSpaces::ReadProcessorSystemData
DEBUG_DATA_PROCESSOR_IDENTIFICATION = 4
x = self.kdbg.read_processor_system_data(0, DEBUG_DATA_PROCESSOR_IDENTIFICATION)
self.assertEqual(cpuid.get_vendor_id(), x.X86.VendorString)
self.assertEqual(cpuid.get_proc_family_model(), (x.X86.Family, x.X86.Model))
@test_64bit_only
def test_read_processor_system_data64(self):
# IDebugDataSpaces::ReadProcessorSystemData
DEBUG_DATA_PROCESSOR_IDENTIFICATION = 4
x = self.kdbg.read_processor_system_data(0, DEBUG_DATA_PROCESSOR_IDENTIFICATION)
self.assertEqual(cpuid.get_vendor_id(), x.Amd64.VendorString)
self.assertEqual(cpuid.get_proc_family_model(), (x.Amd64.Family, x.Amd64.Model))
def test_write_byte(self):
kernel_base = self.kdbg.get_symbol_offset("nt")
addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 1
self.kdbg.write_byte(addr, 0x42)
x = self.kdbg.read_byte(addr)
self.assertEqual(0x42, x)
def test_write_byte_p(self):
kernel_base = self.kdbg.get_symbol_offset("nt")
addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 1
self.kdbg.write_byte_p(self.kdbg.virtual_to_physical(addr), 0x43)
x = self.kdbg.read_byte(addr)
self.assertEqual(0x43, x)
def test_write_word(self):
kernel_base = self.kdbg.get_symbol_offset("nt")
addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 2
self.kdbg.write_word(addr, 0x4444)
x = self.kdbg.read_word(addr)
self.assertEqual(0x4444, x)
def test_write_word_p(self):
kernel_base = self.kdbg.get_symbol_offset("nt")
addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 2
self.kdbg.write_word_p(self.kdbg.virtual_to_physical(addr), 0x4545)
x = self.kdbg.read_word(addr)
self.assertEqual(0x4545, x)
def test_write_dword(self):
kernel_base = self.kdbg.get_symbol_offset("nt")
addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 4
self.kdbg.write_dword(addr, 0x46464646)
x = self.kdbg.read_dword(addr)
self.assertEqual(0x46464646, x)
def test_write_dword_p(self):
kernel_base = self.kdbg.get_symbol_offset("nt")
addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 4
self.kdbg.write_dword_p(self.kdbg.virtual_to_physical(addr), 0x47474747)
x = self.kdbg.read_dword(addr)
self.assertEqual(0x47474747, x)
def test_write_qword(self):
kernel_base = self.kdbg.get_symbol_offset("nt")
addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 8
self.kdbg.write_qword(addr, 0x4848484848484848)
x = self.kdbg.read_qword(addr)
self.assertEqual(0x4848484848484848, x)
def test_write_qword_p(self):
kernel_base = self.kdbg.get_symbol_offset("nt")
addr = kernel_base + self.kernel_section_data.VirtualAddress + self.kernel_section_data.VirtualSize - 8
self.kdbg.write_qword_p(self.kdbg.virtual_to_physical(addr), 0x4949494949494949)
x = self.kdbg.read_qword(addr)
self.assertEqual(0x4949494949494949, x)
