def __init__(self, input) : self.data = [] self.pid = int(input) self.debugger = PtraceDebugger() self.process = self.debugger.addProcess(self.pid, is_attached=False) atexit.register(self.debugger.quit) Header = False Code = False self.procmaps = readProcessMappings(self.process) for pm in self.procmaps: if pm.permissions.find("w") != -1 and pm.pathname == None : # if Code == False and Header == True : # data = self.process.readBytes(pm.start, pm.end-pm.start) # idx = data.find("SourceFile") # if idx != -1 : # print "CODE", pm # self.data.append( (pm, data, idx) ) # Code = True if Header == False : data = self.process.readBytes(pm.start, pm.end-pm.start) idx = data.find(MAGIC_PATTERN) if idx != -1 : print "HEADER", pm self.data.append( (pm, data) ) Header = True self.dumpMemory( "java_dump_memory" )
def __init__(self, input): self.data = [] self.pid = int(input) self.debugger = PtraceDebugger() self.process = self.debugger.addProcess(self.pid, is_attached=False) atexit.register(self.debugger.quit) Header = False Code = False self.procmaps = readProcessMappings(self.process) for pm in self.procmaps: if pm.permissions.find("w") != -1 and pm.pathname == None: # if Code == False and Header == True : # data = self.process.readBytes(pm.start, pm.end-pm.start) # idx = data.find("SourceFile") # if idx != -1 : # print "CODE", pm # self.data.append( (pm, data, idx) ) # Code = True if Header == False: data = self.process.readBytes(pm.start, pm.end - pm.start) idx = data.find(MAGIC_PATTERN) if idx != -1: print "HEADER", pm self.data.append((pm, data)) Header = True self.dumpMemory("java_dump_memory")
def isMemOf(addr,mpid): class p: pid=mpid myP=p() for m in readProcessMappings(myP): if addr in m: print myP, m return True return False
def do_dump (process, maxmem): print_process (process, "===") # Attach to the process debugger = PtraceDebugger() try: d_process = debugger.addProcess(process['pid'], False) except: print("Error attaching to the process pid {0}. Aborting".format(process['pid'])) sys.exit(1) d_process.was_attached = True procmaps = readProcessMappings(d_process) # Look for process heap region for pm in procmaps: if pm.pathname == None: mem_start=pm.start mem_end=pm.end mem_total=mem_end-mem_start if maxmem > 0 and mem_total > maxmem : print("Process memory is {0} but you defined maxmem to {1}".format(mem_total, maxmem)) return False # Use StringIO to work only in memory. This can be dangerous, because "heap" can be big. the_mem = StringIO.StringIO() # Transfer process heap memory to the_mem var. the_mem.write(d_process.readBytes(mem_start, mem_total)) # We have what we were looking for. Let's detach the process. d_process.detach() # Start search request_end=0 found=False while True: hdr_pos=fnd(the_mem, process['request'], request_end) if hdr_pos==-1: # EOF break request_pos=hdr_pos # This is the start of the possible match request_end=fnd(the_mem, "\x00", request_pos) # This is the end of the possible match # If we find double new line then this should be a valid request and data block. if fnd(the_mem,"\x0d\x0a\x0d\x0a", request_pos) < request_end: found=True # If valid, print it! print get_fragment(the_mem, request_pos, request_end) # Prepare to continue searching the_mem.seek(request_end+1) the_mem.close() if found: break
def findCipherContext(): dbg=PtraceDebugger() process=dbg.addProcess(pid,is_attached=False) if process is None: log.error("Error initializing Process debugging for %d"% pid) sys.exit(-1) mappings=readProcessMappings(process) stack=process.findStack() for m in mappings: #if m.pathname != '[heap]': # continue if not abouchet.hasValidPermissions(m): continue print m,m.permissions abouchet.find_struct(process, m, ctypes_openssh.CipherContext, printme)
def debugFindRtld(pid): dbg = PtraceDebugger() process = dbg.addProcess(pid, False) for pm in readProcessMappings(process): if 'rwx' in pm.permissions: for addr in pm.search(b'\x78\x56\x34\x12'): # There are no ret instructions in the CC memory = process.readBytes(addr, 20) if b'\xC3' not in memory: process = None dbg.quit() return addr print('ERROR: Could not find the address of rtld_lock_default_lock_recursive in code cache!') exit(-1)
def readDsa(addr): dbg=PtraceDebugger() process=dbg.addProcess(PID, is_attached=False) if process is None: log.error("Error initializing Process debugging for %d"% pid) sys.exit(-1) # read where it is dsa=ctypes_openssl.DSA.from_buffer_copy(process.readStruct(addr,ctypes_openssl.DSA)) mappings=readProcessMappings(process) print "isValid : ", dsa.isValid(mappings) #dsa.printValid(maps) #print 'DSA1 -> ', dsa #print '------------' #print 'DSA1.q -> ', dsa.q print '------------ === Loading members' dsa.loadMembers(process,mappings) #print '------------ ===== ==== ' #print 'DSA2.q -> ', dsa.q #print 'DSA2.q.contents -> ', dsa.q.contents #print ctypes.byref(rsa.n.contents) #print dsa return dsa
def readRsa(addr): dbg=PtraceDebugger() process=dbg.addProcess(PID, is_attached=False) if process is None: log.error("Error initializing Process debugging for %d"% PID) sys.exit(-1) # read where it is ######################### RAAAAAAAAAAAAH rsa=ctypes_openssl.RSA.from_buffer_copy(process.readStruct(addr,ctypes_openssl.RSA)) mappings=readProcessMappings(process) print "isValid : ", rsa.isValid(mappings) #rsa.printValid(maps) print rsa #print rsa.n #print rsa.n.contents #print ctypes.byref(rsa.n.contents) #print rsa print '------------ === Loading members' ret=rsa.loadMembers(process,mappings) print '------------ === Loading members finished' print ret,rsa return rsa
def readMappings(self): return readProcessMappings(self)
def _xray(self): for term in self.followterms: for process in self.debugger: for procmap in readProcessMappings(process): for address in procmap.search(term): yield (process, procmap, address, term)
def getPointers(process, address): address = word2bytes(address) procmaps = readProcessMappings(process) for pm in procmaps: for found in pm.search(address): yield found
def readMappings(self): return readProcessMappings(self)
def _xray(self): for term in self.followterms: for process in self.debugger: for procmap in readProcessMappings(process): for address in procmap.search(term): yield (process, procmap, address, term)
def getPointers(process, address): address = word2bytes(address) procmaps = readProcessMappings(process) for pm in procmaps: for found in pm.search(address): yield found
result = pool.apply_async(async_call) while not isStarted: for pid in psutil.pids(): if psutil.Process(pid).name() == 'hon-x86_64': hon_pid = pid isStarted = True print('isStarted == True\npid={}'.format(hon_pid)) break time.sleep(10.0) print('sleeping...') print('starting debugger') dbg = PtraceDebugger() process = dbg.addProcess(hon_pid, False) memory_mapping = readProcessMappings(process) print('found memory mappings') _next = False for addr in memory_mapping: if _next == True: for a in range(addr.start, addr.end, 4): value = bytesToFloat(process.readBytes(a, 4)) if value == 1850.: print("value is {} at addr {}".format(value, hex(a))) process.writeBytes(a, floatToBytes(2400.)) break if 'rw' in addr.permissions and addr.pathname and 'libgame_shared' in addr.pathname: _next = True