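def display_seh_chain(nb_max_entries=100):
    """
    Walk the SEH chain of the current thread and print every registered handler.

    The chain head is the first DWORD of the TEB (NT_TIB.ExceptionList), so
    this is 32-bit only. Each record is {Next, Handler}; the last record has
    Next == 0xffffffff.

    Args:
        nb_max_entries: upper bound on the number of records walked. Together
            with the revisit check below it guarantees the walk terminates on
            a corrupted chain (e.g. an overwritten record whose Next points
            back at itself or at an earlier record, which the original
            unbounded loop would spin on forever).

    Returns:
        None. Entries are printed in chain order, head first.
    """
    addr_teb = threads.GetCurrentTEB()
    seh_addr = memory.ReadDwordMemory(addr_teb)
    if seh_addr == 0:
        return None

    seh_entries = []
    seen = set()
    # 0xffffffff marks the end of the chain.
    while seh_addr != 0xffffffff and len(seh_entries) < nb_max_entries:
        # A record seen before means the chain loops back on itself: stop
        # rather than walk it again (and again).
        if seh_addr in seen:
            print('Warning: SEH chain loops back to %#.8x, stopping' % seh_addr)
            break
        seen.add(seh_addr)
        # Same user/kernel split the call-stack walker applies by hand (the
        # memory helper reports kernel addresses as existing); a record is
        # 8 bytes, so both DWORD slots must be readable before we touch them.
        if (seh_addr >= 0x80000000
                or not memory.IsMemoryExists(seh_addr)
                or not memory.IsMemoryExists(seh_addr + 4)):
            break
        seh_next = memory.ReadDwordMemory(seh_addr)
        seh_handler = memory.ReadDwordMemory(seh_addr + 4)
        seh_entries.append({
            'handler': seh_handler,
            'symbol': sym.GetSymbolFromAddress(seh_handler),
            'next': seh_next,
        })
        seh_addr = seh_next

    for i, entry in enumerate(seh_entries):
        print('#%.2d - Handler: %s (%#.8x) - Next @ %#.8x' % (
            i, entry['symbol'], entry['handler'], entry['next']))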
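def display_call_stack(nb_max_frame=100):
    """
    Walk the EBP frame chain of the current thread and print a call stack.

    Only 32-bit, frame-pointer based code is handled: the walk stops at the
    first frame whose saved EBP/EIP is zero, unmapped, in kernel space, or
    does not point above the current frame. Frames are numbered so that the
    outermost frame found is #0 and the current EIP gets the highest number;
    they are printed innermost first.

    Args:
        nb_max_frame: maximum number of saved frames to walk.

    Returns:
        None. The frames are printed to stdout.
    """
    frames_info = []
    ebp = threads.GetEbp()
    for _ in range(nb_max_frame):
        # IsMemoryExists recognizes kernel memory, so we have to manually check it
        if ebp >= 0x80000000 or not memory.IsMemoryExists(ebp):
            break
        # Frame layout: [ebp] = saved EBP, [ebp + 4] = saved EIP (return address)
        sebp = memory.ReadDwordMemory(ebp)
        seip = memory.ReadDwordMemory(ebp + 4)
        if sebp == 0 or seip == 0:
            break
        if not memory.IsMemoryExists(sebp) or not memory.IsMemoryExists(seip):
            break
        # The stack grows down, so a genuine caller frame lives above the
        # current one. A saved EBP at or below the current EBP is a
        # corrupted/forged chain; without this check such a chain is walked
        # in circles until nb_max_frame, printing bogus frames.
        if sebp <= ebp:
            break
        symbol = sym.GetSymbolFromAddress(seip)
        frames_info.append({
            'return-address': seip,
            # The slot the return address was actually read from (ebp + 4);
            # the previous code recorded sebp + 4, i.e. the next frame's slot.
            'address': ebp + 4,
            'symbol': symbol if symbol is not None else 'no symbol found',
        })
        ebp = sebp

    eip = threads.GetEip()
    eip_symbol = sym.GetSymbolFromAddress(eip)
    if eip_symbol is None:
        eip_symbol = 'no symbol found'
    print("#%.2d %#.8x : %s" % (len(frames_info), eip, eip_symbol))
    for i, c in enumerate(frames_info):
        ri = len(frames_info) - i - 1
        print('#%.2d %#.8x : %s (found @%#.8x)' % (
            ri, c['return-address'], c['symbol'], c['address']))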