def task_struct_loadMembers(self, mappings, maxDepth=99): listHeads= [('cg_list', task_struct), ('children', None), # core dump on 'task_struct' ('cpu_timers', None), # array of 3 ('perf_event_list', None), ('pi_state_list', None), ('pi_waiters', None), ('preempt_notifiers', None), # ? ('ptraced', None), ('ptrace_entry', None), ('robust_list', None), ('sibling', task_struct), ('tasks', task_struct), ('thread_group', None), ] offsets=dict() for attrname, attrtype in listHeads: if attrtype is not None: # save next and prev from differential offset offsets[(attrname, attrtype)] = getattr(self,attrname).getOffsets(mappings, attrtype, attrname) #now, we can map in local space // kinda useless, but hey... we wont hack into ctypes.. maxDepth = 5 LoadableMembers.loadMembers(self,mappings, maxDepth) log.debug("Loaded task_struct for process '%s'"%(self.comm)) # copy real list members memory space size, offseting from list_head member for head,addrs in offsets.items(): attrname, attrtype = head # load that list_head members getattr(self,attrname).loadRealMembers(mappings, maxDepth, attrtype, attrname, addrs) return True
def task_struct_loadMembers(self, mappings, maxDepth=99): listHeads = [ ('cg_list', task_struct), ('children', None), # core dump on 'task_struct' ('cpu_timers', None), # array of 3 ('perf_event_list', None), ('pi_state_list', None), ('pi_waiters', None), ('preempt_notifiers', None), # ? ('ptraced', None), ('ptrace_entry', None), ('robust_list', None), ('sibling', task_struct), ('tasks', task_struct), ('thread_group', None), ] offsets = dict() for attrname, attrtype in listHeads: if attrtype is not None: # save next and prev from differential offset offsets[(attrname, attrtype)] = getattr(self, attrname).getOffsets( mappings, attrtype, attrname) #now, we can map in local space // kinda useless, but hey... we wont hack into ctypes.. maxDepth = 5 LoadableMembers.loadMembers(self, mappings, maxDepth) log.debug("Loaded task_struct for process '%s'" % (self.comm)) # copy real list members memory space size, offseting from list_head member for head, addrs in offsets.items(): attrname, attrtype = head # load that list_head members getattr(self, attrname).loadRealMembers(mappings, maxDepth, attrtype, attrname, addrs) return True
def DSA_loadMembers(self, mappings, maxDepth): # clean other structs # r and kinv can be null self.meth = None self._method_mod_p = None #self.engine = None if not LoadableMembers.loadMembers(self, mappings, maxDepth): log.debug('DSA not loaded') return False return True
def RSA_loadMembers(self, mappings, maxDepth): #self.meth = 0 # from_address(0) # ignore bignum_data. #self.bignum_data = 0 self.bignum_data.ptr.value = 0 #self.blinding = 0 #self.mt_blinding = 0 if not LoadableMembers.loadMembers(self, mappings, maxDepth): log.debug('RSA not loaded') return False return True
def loadMembers(self, mappings, maxDepth): if not LoadableMembers.loadMembers(self, mappings, maxDepth): return False # Load and memcopy key log.debug('Memcopying a Key with %d bytes'%self.key_len) attr_obj_address=getaddress(self.key) memoryMap = is_valid_address_value( attr_obj_address, mappings) array=(ctypes.c_ubyte*self.key_len).from_buffer_copy(memoryMap.readArray(attr_obj_address, ctypes.c_ubyte, self.key_len)) self.key.contents=ctypes.c_ubyte.from_buffer(array) log.debug('unmac_ctx has been nulled and ignored. its not often used by any ssh impl. Not useful for us anyway.') log.debug('MAC KEY(%d bytes) acquired'%(self.key_len)) return True
def loadMembers(self, mappings, maxDepth): if not LoadableMembers.loadMembers(self, mappings, maxDepth): return False # Load and memcopy key and iv log.debug('Memcopying a Key with %d bytes'%self.key_len) attr_obj_address=getaddress(self.key) memoryMap = is_valid_address_value( attr_obj_address, mappings) array=(ctypes.c_ubyte*self.key_len).from_buffer_copy(memoryMap.readArray(attr_obj_address, ctypes.c_ubyte, self.key_len)) self.key.contents=ctypes.c_ubyte.from_buffer(array) log.debug('Memcopying a IV with %d bytes'%( self.block_size) ) attr_obj_address=getaddress(self.iv) memoryMap = is_valid_address_value( attr_obj_address, mappings) array=(ctypes.c_ubyte*self.block_size).from_buffer_copy(memoryMap.readArray(attr_obj_address, ctypes.c_ubyte,self.block_size)) self.iv.contents=ctypes.c_ubyte.from_buffer(array) log.debug('ENC KEY(%d bytes) and IV(%d bytes) acquired'%(self.key_len,self.block_size)) return True
def loadMembers(self, mappings, maxDepth): if not LoadableMembers.loadMembers(self, mappings, maxDepth): return False #log.debug('evp app_data attr_obj_address=0x%lx'%(self.evp.app_data) ) #log.debug('evp cipher_data attr_obj_address=0x%lx'%(self.evp.cipher_data) ) ##none #log.debug('cipher app_data attr_obj_address=0x%lx'%(getaddress(self.cipher.contents.cipher_data)) ) # cast evp.app_data into a valid struct if self.cipher.contents.name.string in self.cipherContexts: struct,fieldname=self.cipherContexts[self.cipher.contents.name.string] if(struct is None): log.warning("Unsupported cipher %s"%(self.cipher.contents.name.string)) return True attr=getattr(self.evp,fieldname) #attr_obj_address=getaddress(attr) or attr # c_void_p is a basic type. attr_obj_address = attr #print attr memoryMap = is_valid_address_value( attr_obj_address, mappings, struct) log.debug( "CipherContext CAST %s into : %s "%(fieldname, struct) ) if not memoryMap: log.warning('On second toughts, %s seems to be at an invalid address. That should not happen (often).'%(fieldname)) log.warning('%s addr:0x%lx size:0x%lx addr+size:0x%lx '%(is_valid_address_value( attr_obj_address, mappings), attr_obj_address, ctypes.sizeof(struct), attr_obj_address+ctypes.sizeof(struct))) log.warning('%s : %s'%(fieldname, attr)) return False # DEBUG kill it #st=struct.from_buffer_copy(memoryMap.readStruct(attr_obj_address, struct ) ) # XXX CAST do not copy buffer when casting, sinon on perds des bytes ## attr.contents=(type(attr.contents)).from_buffer(st) ### c_void_p -> allocate local_mem and change value ### XXX dangling pointer ? #attr.value = ctypes.addressof(st) #setattr(self.evp, fieldname, ctypes.c_void_p(ctypes.addressof(st)) ) st=memoryMap.readStruct(attr_obj_address, struct ) model.keepRef(st) setattr(self.evp, fieldname, ctypes.c_void_p(ctypes.addressof(st)) ) attr=getattr(self.evp,fieldname) log.debug('Copied 0x%lx into %s (0x%lx)'%(ctypes.addressof(st), fieldname, attr)) log.debug('LOADED app_data evp.%s as %s from 0x%lx (%s) into 0x%lx'%(fieldname,struct, attr_obj_address, is_valid_address_value(attr_obj_address,mappings,struct), attr )) log.debug('\t\t---------\n%s\t\t---------'%st.toString()) else: log.warning("Unknown cipher %s, can't load a data struct for the EVP_CIPHER_CTX->app_data"%(self.cipher.contents.name.string)) return True
def CRYPTO_EX_DATA_loadMembers(self, mappings, maxDepth): ''' erase self.sk''' #self.sk=ctypes.POINTER(STACK)() return LoadableMembers.loadMembers(self, mappings, maxDepth)