diff options
| -rw-r--r-- | miasm2/analysis/sandbox.py | 12 | ||||
| -rw-r--r-- | miasm2/core/utils.py | 29 | ||||
| -rw-r--r-- | miasm2/jitter/jitload.py | 21 | ||||
| -rw-r--r-- | miasm2/jitter/loader/elf.py | 6 | ||||
| -rw-r--r-- | miasm2/jitter/loader/pe.py | 12 | ||||
| -rw-r--r-- | miasm2/jitter/vm_mngr.c | 51 | ||||
| -rw-r--r-- | miasm2/jitter/vm_mngr.h | 3 | ||||
| -rw-r--r-- | miasm2/jitter/vm_mngr_py.c | 13 | ||||
| -rw-r--r-- | miasm2/os_dep/common.py | 9 | ||||
| -rw-r--r-- | miasm2/os_dep/win_api_x86_32.py | 22 | ||||
| -rw-r--r-- | miasm2/os_dep/win_api_x86_32_seh.py | 45 |
11 files changed, 134 insertions, 89 deletions
diff --git a/miasm2/analysis/sandbox.py b/miasm2/analysis/sandbox.py index eef83e85..5132406c 100644 --- a/miasm2/analysis/sandbox.py +++ b/miasm2/analysis/sandbox.py @@ -164,7 +164,7 @@ class OS_Win(OS): ALL_IMP_DLL = ["ntdll.dll", "kernel32.dll", "user32.dll", "ole32.dll", "urlmon.dll", "ws2_32.dll", 'advapi32.dll', "psapi.dll", - ] + ] modules_path = "win_dll" def __init__(self, custom_methods, *args, **kwargs): @@ -187,7 +187,9 @@ class OS_Win(OS): # Load main pe with open(self.fname) as fstream: self.pe = vm_load_pe(self.jitter.vm, fstream.read(), - load_hdr=self.options.load_hdr, **kwargs) + load_hdr=self.options.load_hdr, + name=self.fname, + **kwargs) self.name2module[fname_basename] = self.pe # Load library @@ -258,7 +260,8 @@ class OS_Linux(OS): self.libs = libimp_elf() with open(self.fname) as fstream: - self.elf = vm_load_elf(self.jitter.vm, fstream.read(), **kwargs) + self.elf = vm_load_elf(self.jitter.vm, fstream.read(), + name=self.fname, **kwargs) preload_elf(self.jitter.vm, self.elf, self.libs) self.entry_point = self.elf.Ehdr.entry @@ -284,7 +287,8 @@ class OS_Linux_str(OS): data = open(self.fname).read() self.options.load_base_addr = int(self.options.load_base_addr, 0) self.jitter.vm.add_memory_page( - self.options.load_base_addr, PAGE_READ | PAGE_WRITE, data) + self.options.load_base_addr, PAGE_READ | PAGE_WRITE, data, + "Initial Str") # Library calls handler self.jitter.add_lib_handler(libs, methods) diff --git a/miasm2/core/utils.py b/miasm2/core/utils.py index 70520c1b..35ddbb82 100644 --- a/miasm2/core/utils.py +++ b/miasm2/core/utils.py @@ -13,10 +13,25 @@ pck32 = lambda x: struct.pack('I', x) pck64 = lambda x: struct.pack('Q', x) -pck = {8:pck8, - 16:pck16, - 32:pck32, - 64:pck64} +pck = {8: pck8, + 16: pck16, + 32: pck32, + 64: pck64} + + +def get_caller_name(caller_num=0): + """Get the nth caller's name + @caller_num: 0 = the caller of get_caller_name, 1 = next parent, ...""" + pystk = inspect.stack() + if len(pystk) > 1 + caller_num: + return pystk[1 + caller_num][3] + else: + return "Bad caller num" + + +def whoami(): + """Returns the caller's name""" + return get_caller_name(1) class Disasm_Exception(Exception): @@ -48,11 +63,9 @@ class keydefaultdict(collections.defaultdict): value = self[key] = self.default_factory(key) return value -def whoami(): - return inspect.stack()[2][3] - class BoundedDict(UserDict.DictMixin): + """Limited in size dictionary. To reduce combinatory cost, once an upper limit @max_size is reached, @@ -94,7 +107,7 @@ class BoundedDict(UserDict.DictMixin): self._delete_cb(key) # Keep only the most @_min_size used - self._data = {key:self._data[key] + self._data = {key: self._data[key] for key, _ in most_common[:self._min_size - 1]} self._size = self._min_size diff --git a/miasm2/jitter/jitload.py b/miasm2/jitter/jitload.py index aeb917d8..05a8575e 100644 --- a/miasm2/jitter/jitload.py +++ b/miasm2/jitter/jitload.py @@ -20,6 +20,7 @@ log_func = logging.getLogger('jit function call') log_func.addHandler(hnd) log_func.setLevel(logging.CRITICAL) + try: from miasm2.jitter.jitcore_tcc import JitCore_Tcc except ImportError: @@ -58,16 +59,17 @@ def named_arguments(func): arg_vals = namedtuple("args", args)(*arg_vals) # func_name(arguments) return address log_func.info('%s(%s) ret addr: %s', - whoami(), - ', '.join("%s=0x%x" % (field, value) - for field, value in arg_vals._asdict().iteritems()), - hex(ret_ad)) + get_caller_name(1), + ', '.join("%s=0x%x" % (field, value) + for field, value in arg_vals._asdict( + ).iteritems()), + hex(ret_ad)) return ret_ad, namedtuple("args", args)(*arg_vals) else: ret_ad, arg_vals = func(self, args) # func_name(arguments) return address log_func.info('%s(%s) ret addr: %s', - whoami(), + get_caller_name(1), ', '.join(hex(arg) for arg in arg_vals), hex(ret_ad)) return ret_ad, arg_vals @@ -231,7 +233,6 @@ class jitter: self.stack_size = 0x10000 self.stack_base = 0x1230000 - # Init callback handler self.breakpoints_handler = CallbackHandler() self.exceptions_handler = CallbackHandlerBitflag() @@ -268,7 +269,6 @@ class jitter: self.jit.addr_mod = interval([(addr, addr)]) self.jit.updt_automod_code(self.vm) - def set_breakpoint(self, addr, *args): """Set callbacks associated with addr. @addr: breakpoint address @@ -362,7 +362,8 @@ class jitter: def init_stack(self): self.vm.add_memory_page( - self.stack_base, PAGE_READ | PAGE_WRITE, "\x00" * self.stack_size) + self.stack_base, PAGE_READ | PAGE_WRITE, "\x00" * self.stack_size, + "Stack") sp = self.arch.getsp(self.attrib) setattr(self.cpu, sp.name, self.stack_base + self.stack_size) # regs = self.cpu.get_gpreg() @@ -380,7 +381,7 @@ class jitter: l = 0 tmp = addr while ((max_char is None or l < max_char) and - self.vm.get_mem(tmp, 1) != "\x00"): + self.vm.get_mem(tmp, 1) != "\x00"): tmp += 1 l += 1 return self.vm.get_mem(addr, l) @@ -392,7 +393,7 @@ class jitter: l = 0 tmp = addr while ((max_char is None or l < max_char) and - self.vm.get_mem(tmp, 2) != "\x00\x00"): + self.vm.get_mem(tmp, 2) != "\x00\x00"): tmp += 2 l += 2 s = self.vm.get_mem(addr, l) diff --git a/miasm2/jitter/loader/elf.py b/miasm2/jitter/loader/elf.py index 08df632a..db0f1cb7 100644 --- a/miasm2/jitter/loader/elf.py +++ b/miasm2/jitter/loader/elf.py @@ -47,7 +47,7 @@ def preload_elf(vm, e, runtime_lib, patch_vm_imp=True): return runtime_lib, dyn_funcs -def vm_load_elf(vm, fdata, **kargs): +def vm_load_elf(vm, fdata, name="", **kargs): """ Very dirty elf loader TODO XXX: implement real loader @@ -56,6 +56,7 @@ def vm_load_elf(vm, fdata, **kargs): e = elf_init.ELF(fdata, **kargs) i = interval() all_data = {} + for p in e.ph.phlist: if p.ph.type != elf_csts.PT_LOAD: continue @@ -72,7 +73,8 @@ def vm_load_elf(vm, fdata, **kargs): i += [(a_addr, b_addr - 2)] for a, b in i.intervals: # print hex(a), hex(b) - vm.add_memory_page(a, PAGE_READ | PAGE_WRITE, "\x00" * (b + 2 - a)) + vm.add_memory_page(a, PAGE_READ | PAGE_WRITE, "\x00" * (b + 2 - a), + repr(name)) for r_vaddr, data in all_data.items(): vm.set_mem(r_vaddr, data) diff --git a/miasm2/jitter/loader/pe.py b/miasm2/jitter/loader/pe.py index 1d33f9b8..2d80c8df 100644 --- a/miasm2/jitter/loader/pe.py +++ b/miasm2/jitter/loader/pe.py @@ -101,7 +101,7 @@ def get_export_name_addr_list(e): return out -def vm_load_pe(vm, fdata, align_s=True, load_hdr=True, **kargs): +def vm_load_pe(vm, fdata, align_s=True, load_hdr=True, name="", **kargs): """Load a PE in memory (@vm) from a data buffer @fdata @vm: VmMngr instance @fdata: data buffer to parse @@ -136,7 +136,7 @@ def vm_load_pe(vm, fdata, align_s=True, load_hdr=True, **kargs): pe_hdr = pe.content[:hdr_len] + max( 0, (min_len - hdr_len)) * "\x00" vm.add_memory_page(pe.NThdr.ImageBase, PAGE_READ | PAGE_WRITE, - pe_hdr) + pe_hdr, "%r: PE Header" % name) # Align sections size if align_s: @@ -160,7 +160,8 @@ def vm_load_pe(vm, fdata, align_s=True, load_hdr=True, **kargs): attrib = PAGE_READ if section.flags & 0x80000000: attrib |= PAGE_WRITE - vm.add_memory_page(pe.rva2virt(section.addr), attrib, data) + vm.add_memory_page(pe.rva2virt(section.addr), attrib, data, + "%r: %r" % (name, section.name)) return pe @@ -217,7 +218,7 @@ def vm_load_pe_lib(vm, fname_in, libs, lib_path_base, **kargs): fname = os.path.join(lib_path_base, fname_in) with open(fname) as fstream: - pe = vm_load_pe(vm, fstream.read(), **kargs) + pe = vm_load_pe(vm, fstream.read(), name=fname_in, **kargs) libs.add_export_lib(pe, fname_in) return pe @@ -484,7 +485,8 @@ def vm_load_pe_and_dependencies(vm, fname, name2module, runtime_lib, try: with open(fname) as fstream: log.info('Loading module name %r', fname) - pe_obj = vm_load_pe(vm, fstream.read(), **kwargs) + pe_obj = vm_load_pe( + vm, fstream.read(), name=fname, **kwargs) except IOError: log.error('Cannot open %s' % fname) name2module[name] = None diff --git a/miasm2/jitter/vm_mngr.c b/miasm2/jitter/vm_mngr.c index fd5b870d..a0c2f5a3 100644 --- a/miasm2/jitter/vm_mngr.c +++ b/miasm2/jitter/vm_mngr.c @@ -1268,26 +1268,35 @@ uint64_t double_to_mem_64(double d) return m; } -struct memory_page_node * create_memory_page_node(uint64_t ad, unsigned int size, unsigned int access) +struct memory_page_node * create_memory_page_node(uint64_t ad, unsigned int size, unsigned int access, char* name) { struct memory_page_node * mpn; - void* p; + void* ad_hp; mpn = malloc(sizeof(*mpn)); if (!mpn){ fprintf(stderr, "Error: cannot alloc mpn\n"); return NULL; } - p = malloc(size); - if (!p){ + ad_hp = malloc(size); + if (!ad_hp){ free(mpn); fprintf(stderr, "Error: cannot alloc %d\n", size); return NULL; } + mpn->name = malloc(strlen(name) + 1); + if (!mpn->name){ + free(mpn); + free(ad_hp); + fprintf(stderr, "Error: cannot alloc\n"); + return NULL; + } + mpn->ad = ad; mpn->size = size; mpn->access = access; - mpn->ad_hp = p; + mpn->ad_hp = ad_hp; + strcpy(mpn->name, name); return mpn; } @@ -1440,31 +1449,41 @@ void add_memory_page(vm_mngr_t* vm_mngr, struct memory_page_node* mpn_a) /* Return a char* representing the repr of vm_mngr_t object */ char* dump(vm_mngr_t* vm_mngr) { - char buf[100]; + char buf[0x100]; int length; - int total_len = 0; char *buf_final; int i; + char buf_addr[0x20]; + char buf_size[0x20]; struct memory_page_node * mpn; + /* 0x1234567812345678 0x1234567812345678 */ + char* intro = "Addr Size Access Comment\n"; + int total_len = strlen(intro) + 1; - buf_final = malloc(1); + buf_final = malloc(total_len); if (buf_final == NULL) { fprintf(stderr, "Error: cannot alloc\n"); exit(0); } - buf_final[0] = '\x00'; - + strcpy(buf_final, intro); for (i=0; i< vm_mngr->memory_pages_number; i++) { mpn = &vm_mngr->memory_pages_array[i]; - length = snprintf(buf, sizeof(buf), - "ad 0x%"PRIX64" size 0x%"PRIX64" %c%c%c\n", - (uint64_t)mpn->ad, - (uint64_t)mpn->size, + snprintf(buf_addr, sizeof(buf_addr), + "0x%"PRIX64, (uint64_t)mpn->ad); + snprintf(buf_size, sizeof(buf_size), + "0x%"PRIX64, (uint64_t)mpn->size); + + length = snprintf(buf, sizeof(buf) - 1, + "%-18s %-18s %c%c%c %s", + buf_addr, + buf_size, mpn->access & PAGE_READ? 'R':'_', mpn->access & PAGE_WRITE? 'W':'_', - mpn->access & PAGE_EXEC? 'X':'_' + mpn->access & PAGE_EXEC? 'X':'_', + mpn->name ); - total_len += length+1; + strcat(buf, "\n"); + total_len += length + 1 + 1; buf_final = realloc(buf_final, total_len); if (buf_final == NULL) { fprintf(stderr, "Error: cannot alloc\n"); diff --git a/miasm2/jitter/vm_mngr.h b/miasm2/jitter/vm_mngr.h index 02b5de73..acea4875 100644 --- a/miasm2/jitter/vm_mngr.h +++ b/miasm2/jitter/vm_mngr.h @@ -70,6 +70,7 @@ struct memory_page_node { uint64_t size; uint64_t access; void* ad_hp; + char* name; }; @@ -258,7 +259,7 @@ void hexdump(char* m, unsigned int l); struct code_bloc_node * create_code_bloc_node(uint64_t ad_start, uint64_t ad_stop); void add_code_bloc(vm_mngr_t* vm_mngr, struct code_bloc_node* cbp); -struct memory_page_node * create_memory_page_node(uint64_t ad, unsigned int size, unsigned int access);//memory_page* mp); +struct memory_page_node * create_memory_page_node(uint64_t ad, unsigned int size, unsigned int access, char* name);//memory_page* mp); void init_memory_page_pool(vm_mngr_t* vm_mngr); void init_code_bloc_pool(vm_mngr_t* vm_mngr); void reset_memory_page_pool(vm_mngr_t* vm_mngr); diff --git a/miasm2/jitter/vm_mngr_py.c b/miasm2/jitter/vm_mngr_py.c index 0a22c397..fdadf7f1 100644 --- a/miasm2/jitter/vm_mngr_py.c +++ b/miasm2/jitter/vm_mngr_py.c @@ -86,16 +86,18 @@ PyObject* vm_add_memory_page(VmMngr* self, PyObject* args) PyObject *addr; PyObject *access; PyObject *item_str; + PyObject *name=NULL; uint64_t buf_size; char* buf_data; Py_ssize_t length; uint64_t ret = 0x1337beef; uint64_t page_addr; uint64_t page_access; + char* name_ptr; struct memory_page_node * mpn; - if (!PyArg_ParseTuple(args, "OOO", &addr, &access, &item_str)) + if (!PyArg_ParseTuple(args, "OOO|O", &addr, &access, &item_str, &name)) return NULL; PyGetInt(addr, page_addr); @@ -107,7 +109,14 @@ PyObject* vm_add_memory_page(VmMngr* self, PyObject* args) buf_size = PyString_Size(item_str); PyString_AsStringAndSize(item_str, &buf_data, &length); - mpn = create_memory_page_node(page_addr, buf_size, page_access); + if (name == NULL) { + name_ptr = (char*)""; + } else { + if (!PyString_Check(name)) + RAISE(PyExc_TypeError,"name must be str"); + name_ptr = PyString_AsString(name); + } + mpn = create_memory_page_node(page_addr, buf_size, page_access, name_ptr); if (mpn == NULL) RAISE(PyExc_TypeError,"cannot create page"); if (is_mpn_in_tab(&self->vm_mngr, mpn)) { diff --git a/miasm2/os_dep/common.py b/miasm2/os_dep/common.py index d70cdccf..ecb6d821 100644 --- a/miasm2/os_dep/common.py +++ b/miasm2/os_dep/common.py @@ -1,6 +1,7 @@ import os from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE +from miasm2.core.utils import get_caller_name BASE_SB_PATH = "file_sb" @@ -38,6 +39,7 @@ def set_str_unic(s): class heap(object): + "Light heap simulation" addr = 0x20000000 @@ -55,7 +57,7 @@ class heap(object): self.addr &= self.mask ^ (self.align - 1) return ret - def alloc(self, jitter, size, perm=PAGE_READ|PAGE_WRITE): + def alloc(self, jitter, size, perm=PAGE_READ | PAGE_WRITE): """ @jitter: a jitter instance @size: the size to allocate @@ -63,7 +65,7 @@ class heap(object): """ return self.vm_alloc(jitter.vm, size, perm) - def vm_alloc(self, vm, size, perm=PAGE_READ|PAGE_WRITE): + def vm_alloc(self, vm, size, perm=PAGE_READ | PAGE_WRITE): """ @vm: a VmMngr instance @size: the size to allocate @@ -71,7 +73,8 @@ class heap(object): combination of them); default is PAGE_READ|PAGE_WRITE """ addr = self.next_addr(size) - vm.add_memory_page(addr, perm, "\x00" * size) + vm.add_memory_page(addr, perm, "\x00" * size, + "Heap alloc by %s" % get_caller_name(2)) return addr diff --git a/miasm2/os_dep/win_api_x86_32.py b/miasm2/os_dep/win_api_x86_32.py index ef2cfc38..a6041b15 100644 --- a/miasm2/os_dep/win_api_x86_32.py +++ b/miasm2/os_dep/win_api_x86_32.py @@ -16,7 +16,6 @@ # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # import struct -import inspect import os import stat import time @@ -31,7 +30,7 @@ except ImportError: print "cannot find crypto, skipping" from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE, PAGE_EXEC -from miasm2.core.utils import pck16, pck32, upck32, hexdump +from miasm2.core.utils import pck16, pck32, upck32, hexdump, whoami from miasm2.os_dep.common import \ heap, set_str_ansi, set_str_unic, get_str_ansi, get_str_unic, \ windows_to_sbpath @@ -231,10 +230,6 @@ process_list = [ ] -def whoami(): - return inspect.stack()[1][3] - - class hobj: pass @@ -743,7 +738,8 @@ def kernel32_VirtualAlloc(jitter): if args.lpvoid == 0: alloc_addr = winobjs.heap.next_addr(args.dwsize) jitter.vm.add_memory_page( - alloc_addr, access_dict[args.flprotect], "\x00" * args.dwsize) + alloc_addr, access_dict[args.flprotect], "\x00" * args.dwsize, + "Alloc in %s ret 0x%X" % (whoami(), ret_ad)) else: all_mem = jitter.vm.get_all_memory() if args.lpvoid in all_mem: @@ -753,7 +749,8 @@ def kernel32_VirtualAlloc(jitter): alloc_addr = winobjs.heap.next_addr(args.dwsize) # alloc_addr = args.lpvoid jitter.vm.add_memory_page( - alloc_addr, access_dict[args.flprotect], "\x00" * args.dwsize) + alloc_addr, access_dict[args.flprotect], "\x00" * args.dwsize, + "Alloc in %s ret 0x%X" % (whoami(), ret_ad)) log.debug('Memory addr: %x', alloc_addr) jitter.func_ret_stdcall(ret_ad, alloc_addr) @@ -1359,7 +1356,8 @@ def ntoskrnl_ExAllocatePoolWithTagPriority(jitter): "tag", "priority"]) alloc_addr = winobjs.heap.next_addr(args.nbr_of_bytes) jitter.vm.add_memory_page( - alloc_addr, PAGE_READ | PAGE_WRITE, "\x00" * args.nbr_of_bytes) + alloc_addr, PAGE_READ | PAGE_WRITE, "\x00" * args.nbr_of_bytes, + "Alloc in %s ret 0x%X" % (whoami(), ret_ad)) jitter.func_ret_stdcall(ret_ad, alloc_addr) @@ -1712,7 +1710,8 @@ def ntdll_ZwAllocateVirtualMemory(jitter): alloc_addr = winobjs.heap.next_addr(dwsize) jitter.vm.add_memory_page( - alloc_addr, access_dict[args.flprotect], "\x00" * dwsize) + alloc_addr, access_dict[args.flprotect], "\x00" * dwsize, + "Alloc in %s ret 0x%X" % (whoami(), ret_ad)) jitter.vm.set_mem(args.lppvoid, pck32(alloc_addr)) jitter.func_ret_stdcall(ret_ad, 0) @@ -1745,7 +1744,8 @@ def ntdll_RtlAnsiStringToUnicodeString(jitter): if args.alloc_str: alloc_addr = winobjs.heap.next_addr(l) jitter.vm.add_memory_page( - alloc_addr, PAGE_READ | PAGE_WRITE, "\x00" * l) + alloc_addr, PAGE_READ | PAGE_WRITE, "\x00" * l, + "Alloc in %s ret 0x%X" % (whoami(), ret_ad)) else: alloc_addr = p_src jitter.vm.set_mem(alloc_addr, s) diff --git a/miasm2/os_dep/win_api_x86_32_seh.py b/miasm2/os_dep/win_api_x86_32_seh.py index 58cc48af..f90198f9 100644 --- a/miasm2/os_dep/win_api_x86_32_seh.py +++ b/miasm2/os_dep/win_api_x86_32_seh.py @@ -72,13 +72,8 @@ default_seh = PEB_AD + 0x20000 process_environment_address = 0x10000 process_parameters_address = 0x200000 -context_address = 0x201000 -exception_record_address = context_address + 0x1000 return_from_exception = 0x6eadbeef -FAKE_SEH_B_AD = context_address + 0x2000 - -cur_seh_ad = FAKE_SEH_B_AD name2module = [] main_pe = None @@ -112,7 +107,7 @@ def build_teb(jitter, teb_address): o += pck32(peb_address) o += pck32(0x11223344) - jitter.vm.add_memory_page(teb_address, PAGE_READ | PAGE_WRITE, o) + jitter.vm.add_memory_page(teb_address, PAGE_READ | PAGE_WRITE, o, "TEB") def build_peb(jitter, peb_address): @@ -140,7 +135,7 @@ def build_peb(jitter, peb_address): offset += 4 o += pck32(peb_ldr_data_address) o += pck32(process_parameters_address) - jitter.vm.add_memory_page(offset, PAGE_READ | PAGE_WRITE, o) + jitter.vm.add_memory_page(offset, PAGE_READ | PAGE_WRITE, o, "PEB") def build_ldr_data(jitter, modules_info): @@ -180,7 +175,8 @@ def build_ldr_data(jitter, modules_info): data += pck32(ntdll_addr_entry + 0x10) + pck32(0) # XXX TODO fix prev if data: - jitter.vm.add_memory_page(offset, PAGE_READ | PAGE_WRITE, data) + jitter.vm.add_memory_page(offset, PAGE_READ | PAGE_WRITE, data, + "Loader struct") class LoadedModules(object): @@ -275,19 +271,22 @@ def create_modules_chain(jitter, name2module): m_o += pck32(addr + offset_path) m_o += struct.pack('HH', len(bname), len(bname) + 2) m_o += pck32(addr + offset_name) - jitter.vm.add_memory_page(addr, PAGE_READ | PAGE_WRITE, m_o) + jitter.vm.add_memory_page(addr, PAGE_READ | PAGE_WRITE, m_o, + "Module info %r" % bname_str) m_o = "" m_o += bname m_o += "\x00" * 3 jitter.vm.add_memory_page( - addr + offset_name, PAGE_READ | PAGE_WRITE, m_o) + addr + offset_name, PAGE_READ | PAGE_WRITE, m_o, + "Module name %r" % bname_str) m_o = "" m_o += "\x00".join(bpath) + "\x00" m_o += "\x00" * 3 jitter.vm.add_memory_page( - addr + offset_path, PAGE_READ | PAGE_WRITE, m_o) + addr + offset_path, PAGE_READ | PAGE_WRITE, m_o, + "Module path %r" % bname_str) return modules_info @@ -307,7 +306,8 @@ def fix_InLoadOrderModuleList(jitter, modules_info): dummy_pe = modules_info.name2module.get("", None) special_modules = [main_pe, kernel32_pe, ntdll_pe, dummy_pe] if not all(special_modules): - log.warn('No main pe, ldr data will be unconsistant %r', special_modules) + log.warn( + 'No main pe, ldr data will be unconsistant %r', special_modules) loaded_modules = modules_info.modules else: loaded_modules = [module for module in modules_info.modules @@ -411,7 +411,8 @@ def add_process_env(jitter): env_str += "\x00" * 0x10 jitter.vm.add_memory_page(process_environment_address, PAGE_READ | PAGE_WRITE, - env_str) + env_str, + "Process environment") jitter.vm.set_mem(process_environment_address, env_str) @@ -427,11 +428,9 @@ def add_process_parameters(jitter): o += pck32(process_environment_address) jitter.vm.add_memory_page(process_parameters_address, PAGE_READ | PAGE_WRITE, - o) + o, "Process parameters") -all_seh_ad = dict([(x, None) - for x in xrange(FAKE_SEH_B_AD, FAKE_SEH_B_AD + 0x1000, 0x20)]) # http://blog.fireeye.com/research/2010/08/download_exec_notes.html seh_count = 0 @@ -457,15 +456,9 @@ def init_seh(jitter): add_process_parameters(jitter) jitter.vm.add_memory_page(default_seh, PAGE_READ | PAGE_WRITE, pck32( - 0xffffffff) + pck32(0x41414141) + pck32(0x42424242)) - - jitter.vm.add_memory_page( - context_address, PAGE_READ | PAGE_WRITE, '\x00' * 0x2cc) - jitter.vm.add_memory_page( - exception_record_address, PAGE_READ | PAGE_WRITE, '\x00' * 200) + 0xffffffff) + pck32(0x41414141) + pck32(0x42424242), + "Default seh handler") - jitter.vm.add_memory_page( - FAKE_SEH_B_AD, PAGE_READ | PAGE_WRITE, 0x10000 * "\x00") # http://www.codeproject.com/KB/system/inject2exe.aspx#RestorethefirstRegistersContext5_1 @@ -565,7 +558,7 @@ def fake_seh_handler(jitter, except_code): @except_code: x86 exception code """ - global seh_count, context_address + global seh_count regs = jitter.cpu.get_gpreg() log.warning('Exception at %x %r', jitter.cpu.EIP, seh_count) seh_count += 1 @@ -638,8 +631,6 @@ def fake_seh_handler(jitter, except_code): return eh -fake_seh_handler.base = FAKE_SEH_B_AD - def dump_seh(jitter): """ |