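def check_pe_headers(base, size):
    """Parse the debuggee memory at ``base`` as a PE image and report its layout.

    Refreshes the global module map first (``update_modules_meta()``), then
    reads ``size`` bytes from the target process starting at ``base`` and lets
    ``PEHelper`` validate the headers. The bytes come from the debuggee and are
    therefore untrusted; nothing here interprets them before
    ``PEHelper.parse_headers`` has accepted them.

    Args:
        base: address of the candidate image in the debuggee.
        size: number of bytes to read starting at ``base``.

    Returns:
        ``rpc.CheckPEHeadersResult``. ``pe_valid`` is False (and ``exps`` /
        ``sections`` stay empty) when the region cannot be read or the headers
        do not validate; otherwise the exports and sections reported by
        ``PEHelper`` are copied into the result.
    """
    update_modules_meta()
    rv = rpc.CheckPEHeadersResult()
    rv.pe_valid = False

    mem = safe_read_chunked_memory_region_as_one(base, size)
    if not mem:
        # stderr via write() rather than the py2-only "print >>" statement.
        sys.stderr.write('unable to read memory: 0x%08X, size: 0x%08X\n' % (base, size))
        return rv

    # The reader returns a sequence; element 1 is the payload (element 0 is unused here).
    data = mem[1]
    pe = PEHelper(base, '', data=data)
    # The positional True is forwarded unchanged; its meaning is defined by
    # PEHelper.parse_headers, not by this caller.
    rv.pe_valid = pe.parse_headers(True)
    if not rv.pe_valid:
        sys.stderr.write('PE headers are invalid\n')
        return rv

    for exp in pe.get_exports():
        entry = rv.exps.add()
        entry.ea = exp['ea']
        entry.ord = exp['ord']
        # An empty name (presumably an ordinal-only export) leaves the field unset.
        if exp['name']:
            entry.name = exp['name']

    for sec in pe.get_sections():
        entry = rv.sections.add()
        entry.name = sec['name']
        entry.va = sec['va']
        entry.v_size = sec['v_size']
        entry.raw = sec['raw']
        entry.raw_size = sec['raw_size']
        entry.characteristics = sec['ch']
    return rv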
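def check_pe_headers(base, size):
    """Parse the debuggee memory at ``base`` as a PE image and report its layout.

    Refreshes the global module map first (``update_modules_meta()``), then
    reads ``size`` bytes from the target process starting at ``base`` and lets
    ``PEHelper`` validate the headers. The bytes come from the debuggee and are
    therefore untrusted; nothing here interprets them before
    ``PEHelper.parse_headers`` has accepted them.

    Args:
        base: address of the candidate image in the debuggee.
        size: number of bytes to read starting at ``base``.

    Returns:
        ``rpc.CheckPEHeadersResult``. ``pe_valid`` is False (and ``exps`` /
        ``sections`` stay empty) when the region cannot be read or the headers
        do not validate; otherwise the exports and sections reported by
        ``PEHelper`` are copied into the result.
    """
    update_modules_meta()
    rv = rpc.CheckPEHeadersResult()
    rv.pe_valid = False

    mem = safe_read_chunked_memory_region_as_one(base, size)
    if not mem:
        # stderr via write() rather than the py2-only "print >>" statement.
        sys.stderr.write('unable to read memory: 0x%08X, size: 0x%08X\n' % (base, size))
        return rv

    # The reader returns a sequence; element 1 is the payload (element 0 is unused here).
    data = mem[1]
    pe = PEHelper(base, '', data=data)
    # The positional True is forwarded unchanged; its meaning is defined by
    # PEHelper.parse_headers, not by this caller.
    rv.pe_valid = pe.parse_headers(True)
    if not rv.pe_valid:
        sys.stderr.write('PE headers are invalid\n')
        return rv

    for exp in pe.get_exports():
        entry = rv.exps.add()
        entry.ea = exp['ea']
        entry.ord = exp['ord']
        # An empty name (presumably an ordinal-only export) leaves the field unset.
        if exp['name']:
            entry.name = exp['name']

    for sec in pe.get_sections():
        entry = rv.sections.add()
        entry.name = sec['name']
        entry.va = sec['va']
        entry.v_size = sec['v_size']
        entry.raw = sec['raw']
        entry.raw_size = sec['raw_size']
        entry.characteristics = sec['ch']
    return rv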
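def update_modules_meta():
    """Rebuild the global module map from a Toolhelp32 snapshot of the debuggee.

    Resets and repopulates two module-level globals:

    * ``modules_meta``: ``{modname: {'path': [...], 'base': [...], 'size': [...],
      'apis': [...], 'end': [...]}}``. Every value is a parallel list so that a
      module name seen at several base addresses keeps one slot per mapping.
    * ``modules_exports``: ``{ea: longname}`` merged from every parsed module
      via ``PEHelper.get_ea_to_longname_map()``.

    Returns:
        ``modules_meta`` (empty when the snapshot cannot be opened or
        ``Module32First`` fails; an error line is written to stderr in that case).

    Notes:
        Module images are read out of the debuggee and handed to ``PEHelper``,
        so the headers are untrusted input. A module whose image cannot be read
        is skipped rather than aborting the whole walk. The snapshot handle is
        released in a ``finally`` so a parser failure cannot leak it.
    """
    global modules_meta
    global modules_exports
    modules_meta = dict()
    modules_exports = dict()

    me32 = D.MODULEENTRY32()
    me32.dwSize = C.sizeof(D.MODULEENTRY32)
    pid = oa.Plugingetvalue(oa.VAL_PROCESSID)
    h_snap = C.windll.kernel32.CreateToolhelp32Snapshot(D.TH32CS_SNAPMODULE, pid)
    # INVALID_HANDLE_VALUE is (HANDLE)-1. Depending on the restype configured
    # for CreateToolhelp32Snapshot it comes back as -1 or as an unsigned
    # 32/64-bit all-ones value, so accept every representation instead of
    # only 0xFFFFFFFF (which never matches the default c_int restype).
    if h_snap in (-1, 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF):
        sys.stderr.write('get_modules_meta(): Unable to open Toolhelp32 snapshot\n')
        return modules_meta

    try:
        ret = C.windll.kernel32.Module32First(h_snap, C.pointer(me32))
        if ret == 0:
            sys.stderr.write('get_modules_meta(): Module32First() failed\n')
            return modules_meta

        while ret:
            modname = path.splitext(path.basename(me32.szExePath))[0].lower()
            base = me32.modBaseAddr
            size = me32.modBaseSize
            known = modules_meta.get(modname)
            # 'base' is a list of bases; the original compared the whole list
            # with an int, which is never equal, so the "already seen at this
            # address" test was ineffective. Membership is the intended check.
            if known is None or base not in known['base']:
                mem = safe_read_chunked_memory_region_as_one(base, size)
                sys.stdout.write('get_modules_meta(): %s at 0x%08X\n' % (modname, base))
                # Unreadable image: best-effort skip, keep walking the snapshot.
                if mem:
                    pe = PEHelper(base, modname, mem[1])
                    exps = pe.get_exports()
                    if known is not None:
                        # Keep the parallel lists in step (path included).
                        known['path'].append(me32.szExePath)
                        known['base'].append(base)
                        known['size'].append(size)
                        known['end'].append(base + size)
                        known['apis'].append(exps)
                    else:
                        modules_meta[modname] = {
                            'path': [me32.szExePath],
                            'base': [base],
                            'size': [size],
                            'apis': [exps],
                            'end': [base + size],
                        }
                    modules_exports.update(pe.get_ea_to_longname_map())
            ret = C.windll.kernel32.Module32Next(h_snap, C.pointer(me32))
    finally:
        # Release the snapshot even if PEHelper raises on a malformed image.
        C.windll.kernel32.CloseHandle(h_snap)

    return modules_meta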
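def update_modules_meta():
    """Rebuild the global module map from a Toolhelp32 snapshot of the debuggee.

    Resets and repopulates two module-level globals:

    * ``modules_meta``: ``{modname: {'path': [...], 'base': [...], 'size': [...],
      'apis': [...], 'end': [...]}}``. Every value is a parallel list so that a
      module name seen at several base addresses keeps one slot per mapping.
    * ``modules_exports``: ``{ea: longname}`` merged from every parsed module
      via ``PEHelper.get_ea_to_longname_map()``.

    Returns:
        ``modules_meta`` (empty when the snapshot cannot be opened or
        ``Module32First`` fails; an error line is written to stderr in that case).

    Notes:
        Module images are read out of the debuggee and handed to ``PEHelper``,
        so the headers are untrusted input. A module whose image cannot be read
        is skipped rather than aborting the whole walk. The snapshot handle is
        released in a ``finally`` so a parser failure cannot leak it.
    """
    global modules_meta
    global modules_exports
    modules_meta = dict()
    modules_exports = dict()

    me32 = D.MODULEENTRY32()
    me32.dwSize = C.sizeof(D.MODULEENTRY32)
    pid = oa.Plugingetvalue(oa.VAL_PROCESSID)
    h_snap = C.windll.kernel32.CreateToolhelp32Snapshot(D.TH32CS_SNAPMODULE, pid)
    # INVALID_HANDLE_VALUE is (HANDLE)-1. Depending on the restype configured
    # for CreateToolhelp32Snapshot it comes back as -1 or as an unsigned
    # 32/64-bit all-ones value, so accept every representation instead of
    # only 0xFFFFFFFF (which never matches the default c_int restype).
    if h_snap in (-1, 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF):
        sys.stderr.write('get_modules_meta(): Unable to open Toolhelp32 snapshot\n')
        return modules_meta

    try:
        ret = C.windll.kernel32.Module32First(h_snap, C.pointer(me32))
        if ret == 0:
            sys.stderr.write('get_modules_meta(): Module32First() failed\n')
            return modules_meta

        while ret:
            modname = path.splitext(path.basename(me32.szExePath))[0].lower()
            base = me32.modBaseAddr
            size = me32.modBaseSize
            known = modules_meta.get(modname)
            # 'base' is a list of bases; the original compared the whole list
            # with an int, which is never equal, so the "already seen at this
            # address" test was ineffective. Membership is the intended check.
            if known is None or base not in known['base']:
                mem = safe_read_chunked_memory_region_as_one(base, size)
                sys.stdout.write('get_modules_meta(): %s at 0x%08X\n' % (modname, base))
                # Unreadable image: best-effort skip, keep walking the snapshot.
                if mem:
                    pe = PEHelper(base, modname, mem[1])
                    exps = pe.get_exports()
                    if known is not None:
                        # Keep the parallel lists in step (path included).
                        known['path'].append(me32.szExePath)
                        known['base'].append(base)
                        known['size'].append(size)
                        known['end'].append(base + size)
                        known['apis'].append(exps)
                    else:
                        modules_meta[modname] = {
                            'path': [me32.szExePath],
                            'base': [base],
                            'size': [size],
                            'apis': [exps],
                            'end': [base + size],
                        }
                    modules_exports.update(pe.get_ea_to_longname_map())
            ret = C.windll.kernel32.Module32Next(h_snap, C.pointer(me32))
    finally:
        # Release the snapshot even if PEHelper raises on a malformed image.
        C.windll.kernel32.CloseHandle(h_snap)

    return modules_meta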