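def delete_breakpoint(symbol: str):
    """
    Delete the breakpoint that was set on ``symbol`` (e.g. ntdll_EtwEventWrite).

    The breakpoint is addressed by a symbolic location, so the lookup matches
    breakpoints registered with set_sym_bpt on the same symbol name.

    Args:
        symbol: breakpoint symbol name, as passed to set_sym_bpt.

    Returns:
        True if a breakpoint was found and deleted, False if none was found
        (or deletion failed).
    """
    location = idaapi.bpt_location_t()
    location.set_sym_bpt(symbol)

    # find_bpt reports whether a breakpoint exists at this location; skip the
    # deletion when there is nothing to delete.
    if not idaapi.find_bpt(location, None):
        return False
    return bool(idaapi.del_bpt(location))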
def set_qira_address(la):
  """Point the QIRA breakpoint at ``la``.

  Drops the breakpoint at the previously recorded qira_address (when one was
  recorded and it is not BADADDR), stores ``la`` as the new address and plants
  a disabled software breakpoint there.
  """
  global qira_address
  previous = qira_address
  if previous is not None and previous != BADADDR:
    idaapi.del_bpt(idaapi.toEA(0, previous))

  qira_address = la
  idaapi.add_bpt(la, 0, BPT_SOFT)
  # Breakpoint is created disabled; something else is expected to enable it.
  EnableBpt(la, False)
文件: qira.py 项目: Maroc-OS/qira
 def set_qira_address(self, sea):
     """Move the QIRA breakpoint to ``sea``.

     Removes the breakpoint at the previous qira_address (if one is recorded
     and IDA knows of a breakpoint there), records the new address and
     installs a disabled software breakpoint at it. Logs the new address
     when DEBUG is set.
     """
     previous = self.qira_address
     if previous is not None and previous != idc.BADADDR:
         old_ea = idaapi.toEA(0, previous)
         # Only delete when IDA actually reports a breakpoint at that address.
         if idc.CheckBpt(old_ea) != -1:
             idaapi.del_bpt(old_ea)

     self.qira_address = sea
     idaapi.add_bpt(sea, 0, idaapi.BPT_SOFT)
     # Created disabled on purpose; enabling is left to the caller.
     idc.EnableBpt(sea, False)

     if DEBUG:
         idaapi.msg(
             "[%s] set_qira_address: 0x%x\n" %
             (self.wanted_name, self.qira_address,))
def delete_bp(adr):
    """Delete the IDA breakpoint at ``adr``; a thin wrapper over idaapi.del_bpt."""
    target = adr
    idaapi.del_bpt(target)
 def delete(self):
     """Remove the breakpoint this object tracks (at ``self.address``) from IDA."""
     ea = self.address
     idaapi.del_bpt(ea)
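def iatCallback(addr, name, ord):  # Don't care about ord, but required for enum_import_names
    """
    Toggle software breakpoints on every call site of a watched import.

    Intended as the callback for enum_import_names. When ``name`` is listed in
    the module-level ``bannedList`` and has not been handled yet, the xrefs to
    its IAT slot are walked and a breakpoint is toggled (deleted if present,
    otherwise added and enabled) on each instruction that reaches the import.

    Args:
        addr: address of the import's IAT (or GOT) slot.
        name: import name as reported by enum_import_names.
        ord: import ordinal; unused, but enum_import_names passes it.

    Returns:
        True, so that enum_import_names keeps enumerating.

    Side effects: appends to the module-level ``checked`` list and updates the
    module-level ``bpflag`` / ``codeflag`` globals, exactly as before.
    """
    global bpflag, codeflag, checked, bannedList

    if name not in bannedList or name in checked:
        return True  # Has to be here for the callback.

    checked.append(name)
    seen_call = False  # only the first Code_Near_Call xref is processed
    for xref in XrefsTo(addr, 0):
        xref_kind = XrefTypeName(xref.type)
        if xref_kind == "Code_Near_Call" and not seen_call:
            print "\nFound function %s in IAT at 0x%08x" % (name, addr)
            print "*** calls to %s ***" % name
            seen_call = True
            codeflag = 1
            for call_ea in CodeRefsTo(addr, 1):  # Ref to IAT should be of type code.
                _toggle_bpt(call_ea)
        elif xref_kind == "Data_Read" and codeflag == 0:
            print "\nFound function %s in IAT at 0x%08x" % (name, addr)
            print "*** calls to %s ***" % name
            for slot_ref in DataRefsTo(addr):  # Ref to IAT should be of type data.
                for call_ea in CodeRefsTo(slot_ref, 1):
                    _toggle_bpt(call_ea)
        elif xref_kind == "Code_Near_Jump":
            for got_ea in DataRefsTo(addr):
                print "\n Found function %s in GOT at 0x%08x" % (name, got_ea)
                print "*** calls to %s ***" % name
                codeflag = 2
            for stub_ea in CodeRefsTo(addr, 1):
                for call_ea in CodeRefsTo(stub_ea, 1):
                    _toggle_bpt(call_ea)
        # Other xref types are ignored. Need to compensate for them eventually.

    return True  # Has to be here for the callback.


def _toggle_bpt(ea):
    """Delete the breakpoint at ``ea`` if one is reported, else add and enable one."""
    global bpflag, checked
    # CheckBpt > 0 is taken as "breakpoint present"; a result of 0 (if IDA
    # reports a disabled breakpoint that way) falls through to add_bpt — TODO confirm intended.
    if CheckBpt(ea) > 0:
        idaapi.del_bpt(ea)
        print "=> 0x%08x - Deleted BP" % ea
    else:
        idaapi.add_bpt(ea, 0, BPT_SOFT)
        EnableBpt(ea, True)
        checked.append(ea)
        # The GOT branch previously printed "= Added BP"; unified to the same text.
        print "=> 0x%08x - Added BP" % ea
        bpflag = 1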
文件: idbg.py 项目: heruix/IDBG
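	def RemoveBp(self, base0_addr, addr):
		"""Ask the debugger side to drop the breakpoint at ``base0_addr`` and mirror that in IDA.

		The request is written into the shared mmap as 'r' followed by
		``base0_addr`` packed as a little-endian 32-bit value. On a positive
		response the IDA breakpoint at ``addr`` is deleted and the address is
		dropped from self.bp_list. The command slot is cleared afterwards even
		if something raises, so a stale 'r' request is never left behind.
		"""
		request = 'r' + struct.pack('<L', base0_addr)
		WriteToBeginningOfMmap(self.bps_shared_memory, request)
		try:
			if self.GetWindbgResponse('r'):
				idaapi.del_bpt(addr)
				# Tolerate an address that was never tracked instead of raising ValueError.
				if addr in self.bp_list:
					self.bp_list.remove(addr)
		finally:
			WriteToBeginningOfMmap(self.bps_shared_memory, "\x00")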
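def iatCallback(addr, name, ord):   # Don't care about ord, but required for enum_import_names
    """
    Toggle software breakpoints on every call site of a watched import.

    Intended as the callback for enum_import_names. When ``name`` is listed in
    the module-level ``bannedList`` and has not been handled yet, the xrefs to
    its IAT slot are walked and a breakpoint is toggled (deleted if present,
    otherwise added and enabled) on each instruction that reaches the import.

    Args:
        addr: address of the import's IAT (or GOT) slot.
        name: import name as reported by enum_import_names.
        ord: import ordinal; unused, but enum_import_names passes it.

    Returns:
        True, so that enum_import_names keeps enumerating.

    Side effects: appends to the module-level ``checked`` list and updates the
    module-level ``bpflag`` / ``codeflag`` globals, exactly as before.
    """
    global bpflag, codeflag, checked, bannedList

    if name not in bannedList or name in checked:
        return True  # Has to be here for the callback.

    checked.append(name)
    seen_call = False  # only the first Code_Near_Call xref is processed
    for xref in XrefsTo(addr, 0):
        xref_kind = XrefTypeName(xref.type)
        if xref_kind == "Code_Near_Call" and not seen_call:
            print "\nFound function %s in IAT at 0x%08x" % (name, addr)
            print "*** calls to %s ***" % name
            seen_call = True
            codeflag = 1
            for call_ea in CodeRefsTo(addr, 1):  # Ref to IAT should be of type code.
                _toggle_bpt(call_ea)
        elif xref_kind == "Data_Read" and codeflag == 0:
            print "\nFound function %s in IAT at 0x%08x" % (name, addr)
            print "*** calls to %s ***" % name
            for slot_ref in DataRefsTo(addr):  # Ref to IAT should be of type data.
                for call_ea in CodeRefsTo(slot_ref, 1):
                    _toggle_bpt(call_ea)
        elif xref_kind == "Code_Near_Jump":
            for got_ea in DataRefsTo(addr):
                print "\n Found function %s in GOT at 0x%08x" % (name, got_ea)
                print "*** calls to %s ***" % name
                codeflag = 2
            for stub_ea in CodeRefsTo(addr, 1):
                for call_ea in CodeRefsTo(stub_ea, 1):
                    _toggle_bpt(call_ea)
        # Other xref types are ignored. Need to compensate for them eventually.

    return True  # Has to be here for the callback.


def _toggle_bpt(ea):
    """Delete the breakpoint at ``ea`` if one is reported, else add and enable one."""
    global bpflag, checked
    # CheckBpt > 0 is taken as "breakpoint present"; a result of 0 (if IDA
    # reports a disabled breakpoint that way) falls through to add_bpt — TODO confirm intended.
    if CheckBpt(ea) > 0:
        idaapi.del_bpt(ea)
        print "=> 0x%08x - Deleted BP" % ea
    else:
        idaapi.add_bpt(ea, 0, BPT_SOFT)
        EnableBpt(ea, True)
        checked.append(ea)
        # The GOT branch previously printed "= Added BP"; unified to the same text.
        print "=> 0x%08x - Added BP" % ea
        bpflag = 1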
               idaapi.BPT_SOFT)  # establecemos el breakpoint
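idaapi.enable_bpt(placeForBreakPoint, True)
print "[+] Breakpoint set"

# Keep restarting the debuggee until EAX holds VALUE_TO_GET when the
# breakpoint is hit. placeForBreakPoint, VALUE_TO_GET and NumberOfErrors are
# expected to be defined earlier in the script.
while True:
    try:
        idc.StartDebugger("", "", "")
        idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
        print "[+] Waiting for the start of debugger..."
        time.sleep(15)
        eax_value = idc.GetRegValue("EAX")

        print "[+] Value of EAX: 0x%08x" % eax_value

        if eax_value == VALUE_TO_GET:
            break
        # Not the value we are after: stop the debugger and go around again.
        idc.StopDebugger()
        print "[+] Waiting for the stop of debugger"
        time.sleep(15)
    except Exception as e:
        # Report why the attempt failed instead of discarding the exception.
        print "[-] Error (%s), trying again" % e
        NumberOfErrors += 1
        if NumberOfErrors >= 4:
            print "[-] Max Errors, going out"
            exit(-1)

# If we get here everything went fine: remove the breakpoint and we are done.
idaapi.enable_bpt(placeForBreakPoint, False)
idaapi.del_bpt(placeForBreakPoint)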