def test_disas_alias_u():
    """`u` behaves like `disas`: one instruction at 0x401000 reads `push ebp`."""
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query(0x401000, "marker = u(None, 1)")
    assert debugger.run(hello_exe_path, captured) is True
    # The query stores a list of disassembly lines; only the first one is checked.
    assert captured['marker'][0] == 'push ebp'
def test_rundll_dll_intercept_CURRENTLY_FAILS():
    """Break inside dll!Add when dll.dll is loaded through rundll32 (known failing, see name).

    rundll32 invokes Add without numeric arguments, so eax is expected to be 0
    at the probed offset.
    """
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query('dll.Add+0xd', "marker = r('eax')")
    assert debugger.run(r'rundll32.exe dll.dll,Add dummytext', captured) is True
    assert captured['marker'] == 0
def test_vexpr_alias():
    """`?` is an alias for `vex`: poi(ebp-0x4) at 0x40101b evaluates to 14."""
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query(0x40101b, "marker = ?('poi(ebp-0x4)')")
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'] == 14
def test_getsym_invalid():
    """getsym() on an address with no symbol yields the literal '(unknown)'."""
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query(0x401000, "marker = getsym('eip')")
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'] == '(unknown)'
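def test_vexpr_retval():
    """vex() returns the evaluated value: poi(ebp-0x4) at 0x40101b is 14.

    Uses hello_exe_path like the other hello.exe tests instead of the bare
    'hello.exe', so the test does not depend on the working directory.
    """
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query(0x40101b, "marker = vex('poi(ebp-0x4)')")
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'] == 14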
def test_getsym_alias_ln():
    """`ln` is an alias for `getsym`: at the GetCommandLineA breakpoint it names that symbol."""
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query('kernel32.GetCommandLineA', "marker = ln('eip')")
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'] == 'kernel32.GetCommandLineA'
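def test_getsym_valid():
    """getsym() resolves eip at the GetCommandLineA breakpoint to the module!symbol name.

    Uses hello_exe_path like the other hello.exe tests instead of the bare
    'hello.exe', so the test does not depend on the working directory.
    """
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query('kernel32.GetCommandLineA', "marker = getsym('eip')")
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'] == 'kernel32.GetCommandLineA'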
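def test_disas():
    """disas() at 0x401000 returns a list whose first line is `push ebp`.

    Uses hello_exe_path like the other hello.exe tests instead of the bare
    'hello.exe', so the test does not depend on the working directory.
    """
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query(0x401000, "marker = disas(None, 1, False)")
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'][0] == 'push ebp'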
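def test_setreg_alias_r_get():
    """r('eax') with one argument reads a register without disturbing execution.

    The first query reads eax at 0x401015; the second overwrites marker with
    poi(ebp-0x4) at 0x40101b, which must still be the string length (14).
    Uses hello_exe_path like the other hello.exe tests instead of the bare
    'hello.exe', so the test does not depend on the working directory.
    """
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query(0x401015, "marker = r('eax');")
    debugger.add_query(0x40101b, "marker = vex('poi(ebp-0x4)')")
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'] == 14  # Length of hello world string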
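def test_setreg():
    """setreg('eax', 42) at 0x401015 is observable as poi(ebp-0x4) == 42 at 0x40101b.

    Uses hello_exe_path like the other hello.exe tests instead of the bare
    'hello.exe', so the test does not depend on the working directory.
    """
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query(0x401015, "setreg('eax', 42);")
    debugger.add_query(0x40101b, "marker = vex('poi(ebp-0x4)')")
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'] == 42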
def test_dw():
    """dw() reads 16-bit words: the first word at poi(esp) is the 'He' of "Hello, world!"."""
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query(0x401010, "marker = dw('poi(esp)', 1)")
    assert debugger.run(hello_exe_path, captured) is True
    # 'H' is an unsigned 16-bit unpack, matching the one word dw() returned.
    expected_word = struct.unpack('H', 'He')[0]
    assert captured['marker'][0] == expected_word
def test_setreg_alias_r_set():
    """r('eax', 42) with two arguments writes the register, like setreg()."""
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query(0x401015, "r('eax', 42);")
    debugger.add_query(0x40101b, "marker = vex('poi(ebp-0x4)')")
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'] == 42
def test_gu():
    """gu() from inside _printf (0x401022) returns to the instruction after the call (0x401015)."""
    debugger = Qdb()
    captured = {'location': None}
    # At _printf; the prints are left in for diagnosing failures.
    debugger.add_query(0x401022, "print(hex(r('eip'))); gu(); location = r('eip'); print(hex(location))")
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['location']
    assert captured['location'] == 0x401015  # Right after call _printf
def test_cond_false():
    """A query whose condition is false never runs, so marker stays None."""
    debugger = Qdb()
    captured = {'marker': None}
    # eax is 14 at 0x40101b, so `eax!=14` makes the whole condition false.
    debugger.add_query(0x40101b, "marker = vex('poi(ebp-0x4)')", "0 || esp && eax!=14")
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'] is None
def test_cond_true():
    """A query whose condition is true runs; Python-style `or`/`and` are accepted."""
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query(0x40101b, "marker = vex('poi(ebp-0x4)')", "0 or (esp and eax==14)")
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'] == 14
def test_bp():
    """bp() from one query installs another breakpoint whose query runs later.

    FIXME: the inner query uses da(), so a da() regression also fails this
    test, which is confusing.
    """
    debugger = Qdb()
    captured = {'marker': None}
    inner_query = "bp(0x401010, 'marker = da(\\\'poi(esp)\\\', 5)')"
    debugger.add_query(0x401000, inner_query)
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'] == 'Hello'
def test_get_pc():
    """get_pc() inside a query equals the address the query was registered at."""
    breakpoint_addr = 0x401000
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query(breakpoint_addr, 'marker = get_pc()')
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'] == breakpoint_addr
def test_stepo():
    """stepo() over the call at 0x401010 lands on the following instruction (0x401015)."""
    debugger = Qdb()
    captured = {'location': None}
    debugger.add_query(0x401010, "stepo(); location = r('eip')")  # call _printf
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['location']
    assert captured['location'] == 0x401015  # Right after call _printf
def test_kill():
    """kill() returns True and later queries (0x40101b) are never reached."""
    debugger = Qdb()
    captured = {'marker1': None, 'marker2': None}
    debugger.add_query(0x401010, "marker1 = kill()")
    debugger.add_query(0x40101b, "marker2 = vex('poi(ebp-0x4)')")
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker1'] is True
    assert captured['marker2'] is None
def test_python_ctypes_dll_intercept():
    """Break inside dll!Add when it is called through ctypes from a child Python."""
    script = 'import ctypes; ctypes.cdll.dll.Add(40, 2)'
    cmdline = '%s -c "%s"' % (sys.executable, script)
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query('dll.Add+0xd', "marker = r('eax')")
    assert debugger.run(cmdline, captured) is True
    assert captured['marker'] == 42
def test_retset():
    """retset() at dll!Add's entry evaluates 'eax+1' at return time: Add(1, 1) + 1 == 3."""
    script = 'import ctypes; ctypes.cdll.dll.Add(1, 1)'
    cmdline = '%s -c "%s"' % (sys.executable, script)
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query('dll.Add', "marker = retset('eax+1', 8)")
    assert debugger.run(cmdline, captured) is True
    assert captured['marker'] == 3
def test_da():
    """da() with no length reads the whole ASCII string at poi(esp), terminator included."""
    debugger = Qdb()
    captured = {'marker': None}
    debugger.add_query(0x401010, "marker = da('poi(esp)'); print('Marker = ' + str(marker))")
    assert debugger.run(hello_exe_path, captured) is True
    # The trailing NUL is part of what da() returns here.
    assert captured['marker'] == 'Hello, world!\n\0'
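def test_eb1():
    """eb() with an integer writes one byte; eax at 0x40101e then reads it back.

    Uses hello_exe_path like the other hello.exe tests instead of the bare
    'hello.exe', so the test does not depend on the working directory.
    """
    sentinel_value = 0x0f
    debugger = Qdb()
    captured = {'marker': None}
    # [ebp-4] here is equal to the length of the string "Hello, world!\n"
    debugger.add_query(0x40101b, "eb('ebp-4', %d)" % sentinel_value)
    debugger.add_query(0x40101e, "marker = r('eax')")
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'] == sentinel_value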
def test_eb2():
    """eb() with a byte string writes all of its bytes; two 0xff bytes read back as 0xffff."""
    sentinel_value = 0xffff
    debugger = Qdb()
    captured = {'marker': None}
    # [ebp-4] here is equal to the length of the string "Hello, world!\n"
    debugger.add_query(0x40101b, "eb('ebp-4', '\xff\xff')")
    debugger.add_query(0x40101e, "marker = r('eax')")
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'] == sentinel_value
def test_memcpy():
    """memcpy() of 4 bytes from poi(esp)+4 onto poi(esp) is visible through dd().

    FIXME: the check goes through dd(), so a dd() regression also fails this
    test, which is confusing.
    """
    debugger = Qdb()
    captured = {'marker': None}
    query = "memcpy('poi(esp)', 'poi(esp)+4', 4); marker = dd('poi(esp)', 1)"
    debugger.add_query(0x401010, query)
    assert debugger.run(hello_exe_path, captured) is True
    # After the copy the first dword is bytes 4..7 of "Hello, world!".
    expected_dword = struct.unpack('@I', 'Hello, world!'[4:8])[0]
    assert captured['marker'][0] == expected_dword
def test_one_mb_read_limit():
    """readmem() hands back at most ONE_MB bytes even when MORE are requested.

    The debuggee (a child Python) allocates MORE bytes, discloses the buffer
    address by calling VirtualQuery(m, 0, 0) — lpBuffer + dwLength == 0 marks
    that call as a signal to qdb — and then calls VirtualFree, where the
    second query reads MORE bytes from the disclosed address and records how
    many came back.
    """
    ONE_MB = 1024 * 1024
    MORE = ONE_MB + 10
    PAGE_READWRITE = 0x4
    MEM_COMMIT = 0x1000
    MEM_RESERVE = 0x2000

    def hexlit(value):
        # hex() of a long carries a trailing 'L' on Python 2; strip it for the script.
        return hex(value).rstrip('L')

    alloc_stmt = 'm = ctypes.windll.kernel32.VirtualAlloc(%s, %s, %s, %s); ' % (
        hexlit(0), hexlit(MORE), hexlit(MEM_COMMIT | MEM_RESERVE), hexlit(PAGE_READWRITE))
    # Disclose the location of the memory returned by VirtualAlloc
    query_stmt = 'ctypes.windll.kernel32.VirtualQuery(m, 0, 0);'
    # Trigger one more breakpoint for clarity
    free_stmt = 'ctypes.windll.kernel32.VirtualFree(m, %s, 0x8000);' % hexlit(MORE)
    args = ' -c "import ctypes; ' + alloc_stmt + query_stmt + free_stmt

    # When running under py.test.exe, sys.executable is python.exe
    cmdline = sys.executable + args

    debugger = Qdb()
    # If lpBuffer + dwLength == NULL, then this is the Python script's
    # indication to qdb of where the memory is located. Read it.
    debugger.add_query(
        'kernel32.VirtualQuery',
        "if not sum(dd('esp+8', 2)): location = dd('esp+4', 1)[0]; ")
    # VirtualFree is called by the debuggee (above) to trigger this code;
    # `size` collects the length that was actually read.
    debugger.add_query(
        'kernel32.VirtualFree',
        "m = readmem(location, %s, 1, None);size = len(m)" % hexlit(MORE))

    captured = {'location': None, 'size': None}
    assert debugger.run(cmdline, captured) is True
    # If we did not get the location, that is useful to know for diagnosing
    # test failure.
    assert captured['location']
    # Check that ONE_MB of data was returned despite having tried to read MORE
    assert captured['size'] == ONE_MB
def test_get_push_arg():
    """get_push_arg(i) at dll!Add's entry returns the i-th pushed argument."""
    script = 'import ctypes; ctypes.cdll.dll.Add(12, 34)'
    cmdline = '%s -c "%s"' % (sys.executable, script)
    debugger = Qdb()
    captured = {'arg_12': None, 'arg_34': None}
    debugger.add_query('dll.Add', "arg_12 = get_push_arg(0); arg_34 = get_push_arg(1)")
    assert debugger.run(cmdline, captured) is True
    assert captured['arg_12'] == 12
    assert captured['arg_34'] == 34
def test_callback_gets_context_with_pc_and_locals_as_arg(*args, **kwargs):
    """A callable query receives the dict given to run(); writes to it are visible afterwards."""
    debugger = Qdb()
    captured = {'marker': False}

    def on_hit(p, **kwargs):
        p['marker'] = True

    debugger.add_query(0x401010, on_hit)
    assert debugger.run(hello_exe_path, captured) is True
    assert captured['marker'] is True
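def test_syms():
    """loadSyms() makes cmd.exe symbols usable: a byte written by name via eb() is read back by db().

    Every other test in this file asserts run()'s return value; this one
    now does too, so a failed run is reported as such rather than as a
    confusing marker mismatch.
    """
    cmdline = 'cmd /c net helpmsg 0'
    bytevalue = 0xa5
    debugger = Qdb()
    captured = {'marker1': None, 'marker2': None}
    # Symbols are loaded and the byte patched before the target starts running.
    debugger.setInitCode("loadSyms(); eb('cmd.fDumpParse', %d)" % (bytevalue))
    debugger.add_query('cmd.Dispatch', "marker1 = True; marker2 = db('cmd.fDumpParse', 1)[0]")
    result = debugger.run(cmdline, captured)
    assert result is True
    assert captured['marker1'] is True
    assert captured['marker2'] == bytevalue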
def test_get_pcs():
    """get_pcs() maps thread ids to pcs; for single-threaded hello.exe the only entry is the current thread at the breakpoint."""
    breakpoint_addr = 0x401000
    debugger = Qdb()
    captured = {'pcs': None, 'tid': None}
    # `q` in the query string is the debugger object in the query namespace.
    debugger.add_query(breakpoint_addr, 'pcs = get_pcs(); tid = q._trace.getCurrentThread()')
    assert debugger.run(hello_exe_path, captured) is True
    # hello.exe is single-threaded
    for thread_id, thread_pc in captured['pcs'].iteritems():
        assert thread_id == captured['tid']
        assert thread_pc == breakpoint_addr