def is_executable(addr): if pykd.isKernelDebugging(): return False # we need to find a way to get the memory protection information in kernel debug mode if "Execute" in str(pykd.getVaProtect(addr)): return True else: return False
def is_writable(self, address): if pykd.isKernelDebugging(): return False if "Write" in str(pykd.getVaProtect(address)): return True else: return False
def writeDword(self, addr, val): cmd = "ed %x %x" % (addr, val) guard = pykd.getVaProtect(addr) self.vprotect(addr, 4, 0x40) cmdr = pykd.dbgCommand(cmd) self.vprotect(addr, 4, guard) return 0
def setTemporaryProtection(self): if self.hitMemory != None: guard = pykd.getVaProtect(self.hitMemory[0]) self.hitProtection = guard self.br.vprotect(self.hitMemory[0], self.hitMemory[1], self.hitMemory[3]) else: self.br.dbiprintf("[E] Has any memory violations yet")
def setBpMemoryOnWrite(self, addr, size): guard = pykd.getVaProtect(addr) end = addr + size self.lMemGuards.append([addr, size, end, guard]) self.br.dbiprintf( "[!] Set BP Memory on Write at 0x%08x (0x%x) : Old protection 0x%x" % (addr, size, guard)) self.br.vprotect(addr, size, 0x2)
def getSectionInfo(self, addr): cmdDh = "!dh -s " iParseSection = "SECTION HEADER" iParseName = "name" iParseVs = "virtual size" iParseVa = "virtual address" lSection = [] self.dbiprintf("[+] Get section information", False) cmd = cmdDh + "%x" % addr cmdr = pykd.dbgCommand(cmd) if type(cmdr) == types.NoneType: self.dbiprintf( " - [E] Cannot dump section header at 0x%08x" % addr, False) return types.NoneType # add PE header's page guard = pykd.getVaProtect(addr) lSection.append([addr, addr + 0x1000, 0, 0x1000, guard]) # add sections' page tc = cmdr while True: if tc.find(iParseSection) == -1: break tc = tc[tc.find(iParseName) + len(iParseName):] strVs = tc[:tc.find(iParseVs)] vs = int(strVs, 16) tc = tc[tc.find(iParseVs) + len(iParseVs):] strVa = tc[:tc.find(iParseVa)] rva = int(strVa, 16) va = addr + rva vaEnd = va + vs guard = pykd.getVaProtect(va) self.dbiprintf(" -> Section #%d : 0x%08x ( 0x%08x ) : 0x%x" % (len(lSection), va, vs, guard)) lSection.append([va, vaEnd, rva, vs, guard]) if len(lSection) == 0: self.dbiprintf(" - [E] Cannot find section at 0x%08x" % addr, False) self.dbiprintf("%s" % (cmdr), False) return types.NoneType return lSection
def getSectionInfo(self): cmdDh = "!dh -s " iParseSection = "SECTION HEADER" iParseName = "name" iParseVs = "virtual size" iParseVa = "virtual address" self.dbiprintf("[!] Get section information") cmd = cmdDh + "%x" % self.procImageBase cmdr = pykd.dbgCommand(cmd) if type(cmdr) == types.NoneType: self.dbiprintf(" - [E] Error on dump section header : 0x%08x" % self.procImageBase) return 1 # add PE header's page guard = pykd.getVaProtect(self.procImageBase) self.lSection.append([ self.procImageBase, self.procImageBase + 0x1000, 0, 0x1000, guard ]) # add sections' page tc = cmdr while True: if tc.find(iParseSection) == -1: break tc = tc[tc.find(iParseName) + len(iParseName):] strVs = tc[:tc.find(iParseVs)] vs = int(strVs, 16) tc = tc[tc.find(iParseVs) + len(iParseVs):] strVa = tc[:tc.find(iParseVa)] rva = int(strVa, 16) va = self.procImageBase + rva vaEnd = va + vs guard = pykd.getVaProtect(va) self.dbiprintf(" -> Section #%d : 0x%08x ( 0x%08x ) : 0x%x" % (len(self.lSection), va, vs, guard)) self.lSection.append([va, vaEnd, rva, vs, guard]) return 0
def writeMemory(self, addr, data): cmdDw = "ed %x %x" cmdB = "eb %x %x" guard = pykd.getVaProtect(addr) self.vprotect(addr, len(data), 0x40) lenData = len(data) scope = (lenData / 4) * 4 for dst in range(0, scope, 4): cmdr = pykd.dbgCommand( cmdDw % (addr + dst, struct.unpack("<L", data[dst:dst + 4])[0])) for dst in range(scope, lenData): cmdr = pykd.dbgCommand( cmdB % (addr + dst, struct.unpack("<B", data[dst])[0])) self.vprotect(addr, len(data), guard) return 0
def setMemBpOnWriteOnIat(self): guard = pykd.getVaProtect(self.pIatBase) if guard != 0x2: self.setBpMemoryOnWrite(self.pIatBase, self.sizeIat)
def getVaProtect(addr): return pykd.getVaProtect(addr)
def is_executable(addr): if "Execute" in str(pykd.getVaProtect(addr)): return True else: return False