def deserialize(self, data):
try:
off = 0
self['dword0'] = struct.unpack('<L', data[off:off + 4])[0]
off += 4
self.payload = ipcPayload(data[off:])
return self
except Exception as e:
return None
def deserialize(self, data):
try:
off = 0
self['dword0'], self['dword1'], self['dword2'] = struct.unpack(
'<LLL', data[off:off + 12])
off += 12
self.payload = ipcPayload(data[off:])
return self
except Exception as e:
return None
def deserialize(self, data):
try:
off = 0
self['length'] = struct.unpack('<L', data[off:off + 4])[0]
off += 4
self['string0'] = data[off:off + self['length']]
off += self['length']
self.payload = ipcPayload(data[off:])
return self
except Exception as e:
return None
def deserialize(self, data):
try:
off = 0
self['nr_dwords'] = struct.unpack('<L', data[off:off + 4])[0]
off += 4
self['unknown_byte0'] = struct.unpack('<B', data[off:off + 1])[0]
off += 1
self['dwords'] = []
for i in xrange(self['nr_dwords']):
self['dwords'] += [struct.unpack('<L', data[off:off + 4])[0]]
off += 4
self.payload = ipcPayload(data[off:])
return self
except Exception as e:
return None
def vbox_read_mem(target_iid, addr, addr_len):
logging.info("-------- VBoxManage debugvm %s ??? (no cmd) ---------" %
target_iid)
ipcc = vboxmanage.IPC_class()
ret, e = ipcc.start()
if ret:
logging.error('Failed to contact VboxSVC! [err=%s]' % str(e))
return -1
ipcc.send_clienthello()
ipcc.define_target()
ipcc.resolve_clientname(name='VBoxSVC-5.2.18_Ubuntu')
ret, pIVirtualBox = ipcc.dconnect_setup_newinstclassid(
iid=IVIRTUALBOX_IID_v5)
if ret:
logging.error('dconnect_setup_newinstclassid() failed [err=0x%x]' %
(ret & 0xffffffff))
return -2
ipcc.dconnect_invoke(instance=pIVirtualBox, method_index=5)
ret, ptr1 = ipcc.dconnect_setup_queryinterface(iid=IVIRTUALBOX_IID_v5,
instance=pIVirtualBox)
if ret:
logging.error('dconnect_setup_queryinterface() failed [err=0x%x]' %
(ret & 0xffffffff))
return -3
ret = ipcc.dconnect_release(instance=pIVirtualBox)
if ret:
logging.error('dconnect_release() failed [err=0x%x]' %
(ret & 0xffffffff))
return -4
ret, pTargetMachine = ipcc.dconnect_ivirtualbox_findmachine(
pIVirtualBox, machine_iid=target_iid)
if ret:
logging.error('dconnect_release() failed [err=0x%x]' %
(ret & 0xffffffff))
return -5
pTargetMachine &= (~1)
ret, pISession, dco_seqnum = ipcc.dconnect_imachine_lockmachine(
pTargetMachine, instance=pTargetMachine | 1)
if ret:
logging.error('dconnect_imachine_lockmachine() failed [err=0x%x]' %
(ret & 0xffffffff))
return -6
status, ans = ipcc.dconnect_setup_reply(
0x7f72cc000f80,
0,
dconnect_request_id=(dco_seqnum + 1),
ret_class=Session_AssignRemoteMachine_Ret)
if status:
logging.error('dconnect_setup_reply() failed [err=0x%x]' %
(status & 0xffffffff))
return -8, None
dco_seq_num = ans.get_dconnect_header().get_header().get_request_index()
payload = ans.get_payload()
pIMachine = payload.get_imachine_ptr(with_flag=False)
pIConsole = payload.get_iconsole_ptr(with_flag=False)
status, ptr1 = ipcc.dconnect_setup_queryinterface(
iid=IINTERNAL_MACHINE_CONTROL_IID, instance=pIMachine)
if status:
logging.error('dconnect_setup_queryinterface() failed [err=0x%x]' %
(status & 0xffffffff))
return -9
# Packet 32
status, ans = ipcc.dconnect_invoke(instance=pIMachine, method_index=3)
if status:
logging.error('dconnect_invoke() failed [err=0x%x]' %
(status & 0xffffffff))
return -10
# Packet 35
status, ans = ipcc.dconnect_invoke_reply(0, dco_req_index=dco_seq_num)
if status:
logging.error('dconnect_invoke_reply() failed [err=0x%x]' %
(status & 0xffffffff))
return -11
status, ptr1 = ipcc.dconnect_setup_queryinterface(iid=ICONSOLE_IID,
instance=pIConsole)
if status:
logging.error('dconnect_setup_queryinterface() failed [err=0x%x]' %
(status & 0xffffffff))
return -12
status, ptr1 = ipcc.dconnect_setup_queryinterface(iid=IMACHINE_IID_v5,
instance=pIMachine)
if status:
logging.error('dconnect_setup_queryinterface() failed [err=0x%x]' %
(status & 0xffffffff))
return -13
# GetDebugger()
status, ans = ipcc.dconnect_invoke(instance=pIConsole, method_index=9)
if status:
logging.error('dconnect_invoke() failed [err=0x%x]' %
(status & 0xffffffff))
return -14
payload = ans.get_payload()
pIMachineDebugger = (struct.unpack('<Q', str(payload))[0] & (~1))
logging.debug("pIMachineDebugger = %x" % pIMachineDebugger)
# readPhysicalMemory()
arg = ipcPayload(struct.pack('<QL', addr, addr_len))
status, ans = ipcc.dconnect_invoke(instance=pIMachineDebugger,
method_index=56,
arg_class=arg)
time.sleep(0.005)
print status, ans #80004001
# writePhysicalMemory()
arg = ipcPayload(struct.pack('<QL', addr, 0))
status, ans = ipcc.dconnect_invoke(instance=pIMachineDebugger,
method_index=57,
arg_class=arg)
time.sleep(0.005)
print ans #80004001
# readVirtualMemory()
arg = ipcPayload(struct.pack('<LQL', 0, addr, addr_len))
status, ans = ipcc.dconnect_invoke(instance=pIMachineDebugger,
method_index=58,
arg_class=arg)
time.sleep(0.005)
print ans #80004001
# writePhysicalMemory()
arg = ipcPayload(struct.pack('<LQL', 0, addr, 0))
status, ans = ipcc.dconnect_invoke(instance=pIMachineDebugger,
method_index=59,
arg_class=arg)
time.sleep(0.005)
print ans #80004001
# pIMachineDebugger
ret = ipcc.dconnect_release(instance=pIMachineDebugger)
if ret:
logging.error('dconnect_release() failed [err=0x%x]' %
(ret & 0xffffffff))
return -15
ret = ipcc.dconnect_release(instance=pIMachine)
if ret:
logging.error('dconnect_release() failed [err=0x%x]' %
(ret & 0xffffffff))
return -16
ret = ipcc.dconnect_release(instance=pIConsole)
if ret:
logging.error('dconnect_release() failed [err=0x%x]' %
(ret & 0xffffffff))
return -17
return 0
def test_serialize():
print "-------- test_serialize() ---------"
# 1
print "=== TEST #1 ==="
req1 = t0[0]
clienthello = vboxmanage.ipcmMessageClientHello(request_index=1)
logging.debug(req1.encode('hex'))
logging.debug(clienthello.pack().encode('hex'))
if clienthello.pack() != req1:
print "[-] ipcmMessageClientHello failed!"
print clienthello.pack().encode('hex')
print req1.encode('hex')
# 2
print "=== TEST #2 ==="
req2 = t0[2]
addtarget = vboxmanage.ipcmMessageClientAddTarget(
request_index=2, target=vboxmanage.DCONNECT_IPC_TARGETID)
logging.debug(req2.encode('hex'))
logging.debug(addtarget.pack().encode('hex'))
if addtarget.pack() != req2:
print "[-] ipcmMessageClientAddTarget failed!"
print addtarget.pack().encode('hex')
print req2.encode('hex')
# 3
print "=== TEST #3 ==="
req3 = t0[4]
queryclient = vboxmanage.ipcmMessageQueryClientByName(
request_index=3, client_name='VBoxSVC-5.2.18_Ubuntu')
logging.debug(req3.encode('hex'))
logging.debug(queryclient.pack().encode('hex'))
if queryclient.pack() != req3:
print "[-] ipcmMessageQueryClientByName failed!"
print queryclient.pack().encode('hex')
print req3.encode('hex')
# 4
print "=== TEST #4 ==="
req4 = t0[6]
forward = vboxmanage.ipcmMessageReqForward(
request_index=4,
client_id=2,
ipcm_target=vboxmanage.DCONNECT_IPC_TARGETID,
payload=ipcPayload(
'0101000001000000d5b97095a1f18a4410c5e12f5285adadf2a4a7b1b9471e4a82b207ccd5323c3f'
.decode('hex')))
logging.debug(req4.encode('hex'))
logging.debug(forward.pack().encode('hex'))
if forward.pack() != req4:
print "[-] ipcmMessageReqForward failed!"
print forward.pack().encode('hex')
print req4.encode('hex')
# 4-bis: The same test but more layer oriented.
print "=== TEST #4 (bis) ==="
req4 = t0[6]
# First we need to create the forward object
forward = vboxmanage.ipcmMessageReqForward(
request_index=4,
client_id=2,
ipcm_target=vboxmanage.DCONNECT_IPC_TARGETID)
# Then we add DConnect headers
decoobj = vboxmanage.DConnectOp(forward, request_index=1)
# Finally, we can add the arguments from the DConnectSetupClassID
iid = vboxmanage.ipcGuid(
data='d5b97095a1f18a4410c5e12f5285adad'.decode('hex'))
classid = vboxmanage.ipcGuid(
data='f2a4a7b1b9471e4a82b207ccd5323c3f'.decode('hex'))
setupclassidobj = vboxmanage.DConnectSetupClassID(decoobj,
iid=iid,
classid=classid)
logging.debug(req4.encode('hex'))
logging.debug(setupclassidobj.serialize().encode('hex'))
if setupclassidobj.serialize() != req4:
print "ipcmMessageReqForward failed!"
print forward.pack().encode('hex'), req4.encode('hex')