1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
|
from miasm.core.types import MemStruct, Num, Ptr, Str, \
Array, RawStruct, Union, \
BitField, Self, Void, Bits, \
set_allocator, MemUnion, Struct
class UnicodeString(MemStruct):
fields = [
("length", Num("H")),
("maxlength", Num("H")),
("data", Ptr("<I", Str("utf16"))),
]
class ListEntry(MemStruct):
fields = [
("flink", Ptr("<I", Void())),
("blink", Ptr("<I", Void())),
]
class LdrDataEntry(MemStruct):
"""
+0x000 InLoadOrderLinks : _LIST_ENTRY
+0x008 InMemoryOrderLinks : _LIST_ENTRY
+0x010 InInitializationOrderLinks : _LIST_ENTRY
+0x018 DllBase : Ptr32 Void
+0x01c EntryPoint : Ptr32 Void
+0x020 SizeOfImage : Uint4B
+0x024 FullDllName : _UNICODE_STRING
+0x02c BaseDllName : _UNICODE_STRING
+0x034 Flags : Uint4B
+0x038 LoadCount : Uint2B
+0x03a TlsIndex : Uint2B
+0x03c HashLinks : _LIST_ENTRY
+0x03c SectionPointer : Ptr32 Void
+0x040 CheckSum : Uint4B
+0x044 TimeDateStamp : Uint4B
+0x044 LoadedImports : Ptr32 Void
+0x048 EntryPointActivationContext : Ptr32 Void
+0x04c PatchInformation : Ptr32 Void
"""
fields = [
("InLoadOrderLinks", ListEntry),
("InMemoryOrderLinks", ListEntry),
("InInitializationOrderLinks", ListEntry),
("DllBase", Ptr("<I", Void())),
("EntryPoint", Ptr("<I", Void())),
("SizeOfImage", Num("<I")),
("FullDllName", UnicodeString),
("BaseDllName", UnicodeString),
("Flags", Array(Num("B"), 4)),
("LoadCount", Num("H")),
("TlsIndex", Num("H")),
("union1", Union([
("HashLinks", Ptr("<I", Void())),
("SectionPointer", Ptr("<I", Void())),
])),
("CheckSum", Num("<I")),
("union2", Union([
("TimeDateStamp", Num("<I")),
("LoadedImports", Ptr("<I", Void())),
])),
("EntryPointActivationContext", Ptr("<I", Void())),
("PatchInformation", Ptr("<I", Void())),
]
class PEB_LDR_DATA(MemStruct):
"""
+0x000 Length : Uint4B
+0x004 Initialized : UChar
+0x008 SsHandle : Ptr32 Void
+0x00c InLoadOrderModuleList : _LIST_ENTRY
+0x014 InMemoryOrderModuleList : _LIST_ENTRY
+0x01C InInitializationOrderModuleList : _LIST_ENTRY
"""
fields = [
("Length", Num("<I")),
("Initialized", Num("<I")),
("SsHandle", Ptr("<I", Void())),
("InLoadOrderModuleList", ListEntry),
("InMemoryOrderModuleList", ListEntry),
("InInitializationOrderModuleList", ListEntry)
]
class PEB(MemStruct):
"""
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 SpareBool : UChar
+0x004 Mutant : Ptr32 Void
+0x008 ImageBaseAddress : Ptr32 Void
+0x00c Ldr : Ptr32 _PEB_LDR_DATA
+0x010 processparameter
"""
fields = [
("InheritedAddressSpace", Num("B")),
("ReadImageFileExecOptions", Num("B")),
("BeingDebugged", Num("B")),
("SpareBool", Num("B")),
("Mutant", Ptr("<I", Void())),
("ImageBaseAddress", Num("<I")),
("Ldr", Ptr("<I", PEB_LDR_DATA)),
]
class EXCEPTION_REGISTRATION_RECORD(MemStruct):
"""
+0x00 Next : struct _EXCEPTION_REGISTRATION_RECORD *
+0x04 Handler : Ptr32 Void
"""
fields = [
("Next", Ptr("<I", Self())),
("Handler", Ptr("<I", Void())),
]
class EXCEPTION_RECORD(MemStruct):
"""
DWORD ExceptionCode;
DWORD ExceptionFlags;
struct _EXCEPTION_RECORD *ExceptionRecord;
PVOID ExceptionAddress;
DWORD NumberParameters;
ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
"""
EXCEPTION_MAXIMUM_PARAMETERS = 15
fields = [
("ExceptionCode", Num("<I")),
("ExceptionFlags", Num("<I")),
("ExceptionRecord", Ptr("<I", Self())),
("ExceptionAddress", Ptr("<I", Void())),
("NumberParameters", Num("<I")),
("ExceptionInformation", Ptr("<I", Void())),
]
class NT_TIB(MemStruct):
"""
+00 struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList
+04 void *StackBase
+08 void *StackLimit
+0c void *SubSystemTib
+10 void *FiberData
+10 uint32 Version
+14 void *ArbitraryUserPointer
+18 struct _NT_TIB *Self
"""
fields = [
("ExceptionList", Ptr("<I", EXCEPTION_REGISTRATION_RECORD)),
("StackBase", Ptr("<I", Void())),
("StackLimit", Ptr("<I", Void())),
("SubSystemTib", Ptr("<I", Void())),
(None, Union([
("FiberData", Ptr("<I", Void())),
("Version", Num("<I"))
])),
("ArbitraryUserPointer", Ptr("<I", Void())),
("Self", Ptr("<I", Self())),
]
class TEB(MemStruct):
"""
+0x000 NtTib : _NT_TIB
+0x01c EnvironmentPointer : Ptr32 Void
+0x020 ClientId : _CLIENT_ID
+0x028 ActiveRpcHandle : Ptr32 Void
+0x02c ThreadLocalStoragePointer : Ptr32 Void
+0x030 ProcessEnvironmentBlock : Ptr32 _PEB
+0x034 LastErrorValue : Uint4B
...
"""
fields = [
("NtTib", NT_TIB),
("EnvironmentPointer", Ptr("<I", Void())),
("ClientId", Array(Num("B"), 0x8)),
("ActiveRpcHandle", Ptr("<I", Void())),
("ThreadLocalStoragePointer", Ptr("<I", Void())),
("ProcessEnvironmentBlock", Ptr("<I", PEB)),
("LastErrorValue", Num("<I")),
]
class ContextException(MemStruct):
fields = [
("ContextFlags", Num("<I")),
("dr0", Num("<I")),
("dr1", Num("<I")),
("dr2", Num("<I")),
("dr3", Num("<I")),
("dr4", Num("<I")),
("dr5", Num("<I")),
("Float", Array(Num("B"), 112)),
("gs", Num("<I")),
("fs", Num("<I")),
("es", Num("<I")),
("ds", Num("<I")),
("edi", Num("<I")),
("esi", Num("<I")),
("ebx", Num("<I")),
("edx", Num("<I")),
("ecx", Num("<I")),
("eax", Num("<I")),
("ebp", Num("<I")),
("eip", Num("<I")),
("cs", Num("<I")),
("eflags", Num("<I")),
("esp", Num("<I")),
("ss", Num("<I")),
]
|