Miasm2
 All Classes Namespaces Files Functions Variables Typedefs Properties Macros
Functions | Variables
miasm2.os_dep.win_api_x86_32_seh Namespace Reference

Functions

def build_teb
 
def build_peb
 
def build_ldr_data
 
def create_modules_chain
 
def fix_InLoadOrderModuleList
 
def fix_InMemoryOrderModuleList
 
def fix_InInitializationOrderModuleList
 
def add_process_env
 
def add_process_parameters
 
def init_seh
 
def regs2ctxt
 
def ctxt2regs
 
def fake_seh_handler
 
def dump_seh
 
def set_win_fs_0
 
def add_modules_info
 
def return_from_seh
 

Variables

int EXCEPTION_BREAKPOINT = 0x80000003
 
int EXCEPTION_ACCESS_VIOLATION = 0xc0000005
 
int EXCEPTION_INT_DIVIDE_BY_ZERO = 0xc0000094
 
int EXCEPTION_PRIV_INSTRUCTION = 0xc0000096
 
int EXCEPTION_ILLEGAL_INSTRUCTION = 0xc000001d
 
tuple log = logging.getLogger("seh_helper")
 
tuple console_handler = logging.StreamHandler()
 
int FS_0_AD = 0x7ff70000
 
int PEB_AD = 0x7ffdf000
 
int LDR_AD = 0x340000
 
int MAX_MODULES = 0x40
 
 tib_address = FS_0_AD
 
 peb_address = PEB_AD
 
int peb_ldr_data_offset = 0x1ea0
 
 peb_ldr_data_address = LDR_AD+peb_ldr_data_offset
 
int modules_list_offset = 0x1f00
 
int InInitializationOrderModuleList_offset = 0x1ee0
 
 InInitializationOrderModuleList_address = LDR_AD+\
 
int InLoadOrderModuleList_offset = 0x1ee0
 
 InLoadOrderModuleList_address = LDR_AD+\
 
int default_seh = PEB_AD+0x20000
 
int process_environment_address = 0x10000
 
int process_parameters_address = 0x200000
 
int context_address = 0x201000
 
int exception_record_address = context_address+0x1000
 
int return_from_exception = 0x6eadbeef
 
int FAKE_SEH_B_AD = context_address+0x2000
 
 cur_seh_ad = FAKE_SEH_B_AD
 
list loaded_modules = ["ntdll.dll", "kernel32.dll"]
 
 main_pe = None
 
string main_pe_name = "c:\\xxx\\toto.exe"
 
int MAX_SEH = 5
 
tuple dummy_e = pe_init.PE()
 
tuple all_seh_ad
 
int seh_count = 0
 

Function Documentation

def miasm2.os_dep.win_api_x86_32_seh.add_modules_info (   pe_in,
  pe_in_name = "toto.exe",
  all_pe = None 
)

Definition at line 645 of file win_api_x86_32_seh.py.

646 def add_modules_info(pe_in, pe_in_name="toto.exe", all_pe=None):
647  global main_pe, main_pe_name, loaded_modules
648  if all_pe is None:
649  all_pe = []
650  main_pe = pe_in
651  main_pe_name = pe_in_name
652  loaded_modules = all_pe
653 
def miasm2.os_dep.win_api_x86_32_seh.add_process_env (   myjit)

Definition at line 397 of file win_api_x86_32_seh.py.

398 def add_process_env(myjit):
399  env_str = 'ALLUSEESPROFILE=C:\\Documents and Settings\\All Users\x00'
400  env_str = '\x00'.join(env_str)
401  env_str += "\x00" * 0x10
402  myjit.vm.add_memory_page(process_environment_address,
403  PAGE_READ | PAGE_WRITE,
404  env_str)
405  myjit.vm.set_mem(process_environment_address, env_str)
406 

+ Here is the caller graph for this function:

def miasm2.os_dep.win_api_x86_32_seh.add_process_parameters (   myjit)

Definition at line 407 of file win_api_x86_32_seh.py.

408 def add_process_parameters(myjit):
409  o = ""
410  o += pck32(0x1000) # size
411  o += "E" * (0x48 - len(o))
412  o += pck32(process_environment_address)
413  myjit.vm.add_memory_page(process_parameters_address,
414  PAGE_READ | PAGE_WRITE,
415  o)
416 
tuple pck32
Definition: utils.py:12

+ Here is the caller graph for this function:

def miasm2.os_dep.win_api_x86_32_seh.build_ldr_data (   myjit,
  modules_info 
)
+0x000 Length                          : Uint4B
+0x004 Initialized                     : UChar
+0x008 SsHandle                        : Ptr32 Void
+0x00c InLoadOrderModuleList           : _LIST_ENTRY
+0x014 InMemoryOrderModuleList         : _LIST_ENTRY
+0x01C InInitializationOrderModuleList         : _LIST_ENTRY

Definition at line 136 of file win_api_x86_32_seh.py.

137 def build_ldr_data(myjit, modules_info):
138  """
139  +0x000 Length : Uint4B
140  +0x004 Initialized : UChar
141  +0x008 SsHandle : Ptr32 Void
142  +0x00c InLoadOrderModuleList : _LIST_ENTRY
143  +0x014 InMemoryOrderModuleList : _LIST_ENTRY
144  +0x01C InInitializationOrderModuleList : _LIST_ENTRY
145  """
146  o = ""
147  # ldr offset pad
148  offset = LDR_AD + peb_ldr_data_offset + 0xC
149 
150  # get main pe info
151  m_e = None
152  for bname, (addr, e) in modules_info.items():
153  if e == main_pe:
154  m_e = (e, bname, addr)
155  break
156  if not m_e:
157  log.warn('No main pe, ldr data will be unconsistant')
158  offset, data = offset + 8, ""
159  else:
160  log.info('Ldr %x', m_e[2])
161  data = pck32(m_e[2]) + pck32(0)
162 
163  # get ntdll
164  ntdll_e = None
165  for bname, (addr, e) in modules_info.items():
166  if bname[::2].lower() == "ntdll.dll":
167  ntdll_e = (e, bname, addr)
168  continue
169  if not ntdll_e:
170  log.warn('No ntdll, ldr data will be unconsistant')
171  else:
172  data += pck32(ntdll_e[2] + 0x8) + pck32(0) # XXX TODO
173  data += pck32(ntdll_e[2] + 0x10) + pck32(0)
174 
175  if data:
176  myjit.vm.add_memory_page(offset, PAGE_READ | PAGE_WRITE, data)
177 
tuple pck32
Definition: utils.py:12

+ Here is the caller graph for this function:

def miasm2.os_dep.win_api_x86_32_seh.build_peb (   myjit,
  peb_address 
)
+0x000 InheritedAddressSpace    : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged            : UChar
+0x003 SpareBool                : UChar
+0x004 Mutant                   : Ptr32 Void
+0x008 ImageBaseAddress         : Ptr32 Void
+0x00c Ldr                      : Ptr32 _PEB_LDR_DATA
+0x010 processparameter

Definition at line 113 of file win_api_x86_32_seh.py.

114 def build_peb(myjit, peb_address):
115  """
116  +0x000 InheritedAddressSpace : UChar
117  +0x001 ReadImageFileExecOptions : UChar
118  +0x002 BeingDebugged : UChar
119  +0x003 SpareBool : UChar
120  +0x004 Mutant : Ptr32 Void
121  +0x008 ImageBaseAddress : Ptr32 Void
122  +0x00c Ldr : Ptr32 _PEB_LDR_DATA
123  +0x010 processparameter
124  """
125 
126  offset = peb_address + 8
127  o = ""
128  if main_pe:
129  o += pck32(main_pe.NThdr.ImageBase)
130  else:
131  offset += 4
132  o += pck32(peb_ldr_data_address)
133  o += pck32(process_parameters_address)
134  myjit.vm.add_memory_page(offset, PAGE_READ | PAGE_WRITE, o)
135 
tuple pck32
Definition: utils.py:12

+ Here is the caller graph for this function:

def miasm2.os_dep.win_api_x86_32_seh.build_teb (   myjit,
  teb_address 
)
+0x000 NtTib                     : _NT_TIB
+0x01c EnvironmentPointer        : Ptr32 Void
+0x020 ClientId                  : _CLIENT_ID
+0x028 ActiveRpcHandle           : Ptr32 Void
+0x02c ThreadLocalStoragePointer : Ptr32 Void
+0x030 ProcessEnvironmentBlock   : Ptr32 _PEB
+0x034 LastErrorValue            : Uint4B
...

Definition at line 90 of file win_api_x86_32_seh.py.

90 
91 def build_teb(myjit, teb_address):
92  """
93  +0x000 NtTib : _NT_TIB
94  +0x01c EnvironmentPointer : Ptr32 Void
95  +0x020 ClientId : _CLIENT_ID
96  +0x028 ActiveRpcHandle : Ptr32 Void
97  +0x02c ThreadLocalStoragePointer : Ptr32 Void
98  +0x030 ProcessEnvironmentBlock : Ptr32 _PEB
99  +0x034 LastErrorValue : Uint4B
100  ...
101  """
102  o = ""
103  o += pck32(default_seh)
104  o += (0x18 - len(o)) * "\x00"
105  o += pck32(tib_address)
106 
107  o += (0x30 - len(o)) * "\x00"
108  o += pck32(peb_address)
109  o += pck32(0x11223344)
110 
111  myjit.vm.add_memory_page(teb_address, PAGE_READ | PAGE_WRITE, o)
112 
tuple pck32
Definition: utils.py:12

+ Here is the caller graph for this function:

def miasm2.os_dep.win_api_x86_32_seh.create_modules_chain (   myjit,
  modules_name 
)
kd> dt nt!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY
+0x008 InMemoryOrderLinks : _LIST_ENTRY
+0x010 InInitializationOrderLinks : _LIST_ENTRY
+0x018 DllBase : Ptr32 Void
+0x01c EntryPoint : Ptr32 Void
+0x020 SizeOfImage : Uint4B
+0x024 FullDllName : _UNICODE_STRING
+0x02c BaseDllName : _UNICODE_STRING
+0x034 Flags : Uint4B
+0x038 LoadCount : Uint2B
+0x03a TlsIndex : Uint2B
+0x03c HashLinks : _LIST_ENTRY
+0x03c SectionPointer : Ptr32 Void
+0x040 CheckSum : Uint4B
+0x044 TimeDateStamp : Uint4B
+0x044 LoadedImports : Ptr32 Void
+0x048 EntryPointActivationContext : Ptr32 Void
+0x04c PatchInformation : Ptr32 Void

Definition at line 184 of file win_api_x86_32_seh.py.

185 def create_modules_chain(myjit, modules_name):
186  """
187  kd> dt nt!_LDR_DATA_TABLE_ENTRY
188  +0x000 InLoadOrderLinks : _LIST_ENTRY
189  +0x008 InMemoryOrderLinks : _LIST_ENTRY
190  +0x010 InInitializationOrderLinks : _LIST_ENTRY
191  +0x018 DllBase : Ptr32 Void
192  +0x01c EntryPoint : Ptr32 Void
193  +0x020 SizeOfImage : Uint4B
194  +0x024 FullDllName : _UNICODE_STRING
195  +0x02c BaseDllName : _UNICODE_STRING
196  +0x034 Flags : Uint4B
197  +0x038 LoadCount : Uint2B
198  +0x03a TlsIndex : Uint2B
199  +0x03c HashLinks : _LIST_ENTRY
200  +0x03c SectionPointer : Ptr32 Void
201  +0x040 CheckSum : Uint4B
202  +0x044 TimeDateStamp : Uint4B
203  +0x044 LoadedImports : Ptr32 Void
204  +0x048 EntryPointActivationContext : Ptr32 Void
205  +0x04c PatchInformation : Ptr32 Void
206  """
207 
208  modules_info = {}
209  base_addr = LDR_AD + modules_list_offset # XXXX
210  offset_name = 0x500
211  offset_path = 0x600
212 
213  out = ""
214  for i, m in enumerate([(main_pe_name, main_pe),
215  ("", dummy_e)] + modules_name):
216  addr = base_addr + i * 0x1000
217  if isinstance(m, tuple):
218  fname, e = m
219  else:
220  fname, e = m, None
221  bpath = fname.replace('/', '\\')
222  bname_str = os.path.split(fname)[1].lower()
223  bname = "\x00".join(bname_str) + "\x00"
224  if e is None:
225  if i == 0:
226  full_name = fname
227  else:
228  full_name = os.path.join("win_dll", fname)
229  try:
230  e = pe_init.PE(open(full_name, 'rb').read())
231  except IOError:
232  log.error('No main pe, ldr data will be unconsistant!')
233  e = None
234  if e is None:
235  continue
236  log.info("Add module %x %r", e.NThdr.ImageBase, bname_str)
237 
238  modules_info[bname] = addr, e
239 
240  m_o = ""
241  m_o += pck32(0)
242  m_o += pck32(0)
243  m_o += pck32(0)
244  m_o += pck32(0)
245  m_o += pck32(0)
246  m_o += pck32(0)
247  m_o += pck32(e.NThdr.ImageBase)
248  m_o += pck32(e.rva2virt(e.Opthdr.AddressOfEntryPoint))
249  m_o += pck32(e.NThdr.sizeofimage)
250  m_o += struct.pack('HH', len(bname), len(bname) + 2)
251  m_o += pck32(addr + offset_path)
252  m_o += struct.pack('HH', len(bname), len(bname) + 2)
253  m_o += pck32(addr + offset_name)
254  myjit.vm.add_memory_page(addr, PAGE_READ | PAGE_WRITE, m_o)
255 
256  m_o = ""
257  m_o += bname
258  m_o += "\x00" * 3
259  myjit.vm.add_memory_page(
260  addr + offset_name, PAGE_READ | PAGE_WRITE, m_o)
261 
262  m_o = ""
263  m_o += "\x00".join(bpath) + "\x00"
264  m_o += "\x00" * 3
265  myjit.vm.add_memory_page(
266  addr + offset_path, PAGE_READ | PAGE_WRITE, m_o)
267 
268  return modules_info
269 
tuple pck32
Definition: utils.py:12

+ Here is the caller graph for this function:

def miasm2.os_dep.win_api_x86_32_seh.ctxt2regs (   ctxt,
  myjit 
)
Restore x86_32 registers from an exception context
@ctxt: the serialized context
@myjit: jitload instance

Definition at line 485 of file win_api_x86_32_seh.py.

486 def ctxt2regs(ctxt, myjit):
487  """
488  Restore x86_32 registers from an exception context
489  @ctxt: the serialized context
490  @myjit: jitload instance
491  """
492 
493  ctxt = ctxt[:]
494  # ContextFlags
495  ctxt = ctxt[4:]
496  # DRX XXX TODO
497  ctxt = ctxt[4 * 6:]
498  # Float context XXX TODO
499  ctxt = ctxt[112:]
500  # gs
501  myjit.cpu.GS = upck32(ctxt[:4])
502  ctxt = ctxt[4:]
503  # fs
504  myjit.cpu.FS = upck32(ctxt[:4])
505  ctxt = ctxt[4:]
506  # es
507  myjit.cpu.ES = upck32(ctxt[:4])
508  ctxt = ctxt[4:]
509  # ds
510  myjit.cpu.DS = upck32(ctxt[:4])
511  ctxt = ctxt[4:]
512 
513  # Gpregs
514  myjit.cpu.EDI = upck32(ctxt[:4])
515  ctxt = ctxt[4:]
516  myjit.cpu.ESI = upck32(ctxt[:4])
517  ctxt = ctxt[4:]
518  myjit.cpu.EBX = upck32(ctxt[:4])
519  ctxt = ctxt[4:]
520  myjit.cpu.EDX = upck32(ctxt[:4])
521  ctxt = ctxt[4:]
522  myjit.cpu.ECX = upck32(ctxt[:4])
523  ctxt = ctxt[4:]
524  myjit.cpu.EAX = upck32(ctxt[:4])
525  ctxt = ctxt[4:]
526  myjit.cpu.EBP = upck32(ctxt[:4])
527  ctxt = ctxt[4:]
528  myjit.cpu.EIP = upck32(ctxt[:4])
529  ctxt = ctxt[4:]
530 
531  # CS
532  myjit.cpu.CS = upck32(ctxt[:4])
533  ctxt = ctxt[4:]
534  # Eflag XXX TODO
535  ctxt = ctxt[4:]
536  # ESP
537  myjit.cpu.ESP = upck32(ctxt[:4])
538  ctxt = ctxt[4:]
539 
tuple upck32
Definition: utils.py:8

+ Here is the caller graph for this function:

def miasm2.os_dep.win_api_x86_32_seh.dump_seh (   myjit)

Definition at line 617 of file win_api_x86_32_seh.py.

618 def dump_seh(myjit):
619  log.info('Dump_seh. Tib_address: %x', tib_address)
620  cur_seh_ptr = upck32(myjit.vm.get_mem(tib_address, 4))
621  indent = 1
622  loop = 0
623  while True:
624  if loop > MAX_SEH:
625  log.warn("Too many seh, quit")
626  return
627  prev_seh, eh = struct.unpack('II', myjit.vm.get_mem(cur_seh_ptr, 8))
628  log.info('\t' * indent + 'seh_ptr: %x { prev_seh: %x eh %x }',
629  cur_seh_ptr, prev_seh, eh)
630  if prev_seh in [0xFFFFFFFF, 0]:
631  break
632  cur_seh_ptr = prev_seh
633  indent += 1
634  loop += 1
635 
tuple upck32
Definition: utils.py:8

+ Here is the caller graph for this function:

def miasm2.os_dep.win_api_x86_32_seh.fake_seh_handler (   myjit,
  except_code 
)

Definition at line 540 of file win_api_x86_32_seh.py.

541 def fake_seh_handler(myjit, except_code):
542  global seh_count, context_address
543  regs = myjit.cpu.get_gpreg()
544  log.warning('Exception at %x %r', myjit.cpu.EIP, seh_count)
545  seh_count += 1
546 
547  # Help lambda
548  p = lambda s: struct.pack('I', s)
549 
550  # Forge a CONTEXT
551  ctxt = regs2ctxt(myjit)
552 
553  # Get current seh (fs:[0])
554  seh_ptr = upck32(myjit.vm.get_mem(tib_address, 4))
555 
556  # Retrieve seh fields
557  old_seh, eh, safe_place = struct.unpack(
558  'III', myjit.vm.get_mem(seh_ptr, 0xc))
559 
560  # Get space on stack for exception handling
561  myjit.cpu.ESP -= 0x3c8
562  exception_base_address = myjit.cpu.ESP
563  exception_record_address = exception_base_address + 0xe8
564  context_address = exception_base_address + 0xfc
565  fake_seh_address = exception_base_address + 0x14
566 
567  log.info('seh_ptr %x { old_seh %x eh %x safe_place %x} ctx_addr %x',
568  seh_ptr, old_seh, eh, safe_place, context_address)
569 
570  # Write context
571  myjit.vm.set_mem(context_address, ctxt)
572 
573  # Write exception_record
574 
575  """
576  #http://msdn.microsoft.com/en-us/library/aa363082(v=vs.85).aspx
577 
578  typedef struct _EXCEPTION_RECORD {
579  DWORD ExceptionCode;
580  DWORD ExceptionFlags;
581  struct _EXCEPTION_RECORD *ExceptionRecord;
582  PVOID ExceptionAddress;
583  DWORD NumberParameters;
584  ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
585  } EXCEPTION_RECORD, *PEXCEPTION_RECORD;
586  """
587 
588  myjit.vm.set_mem(exception_record_address,
589  pck32(except_code) + pck32(0) + pck32(0) +
590  pck32(myjit.cpu.EIP) + pck32(0))
591 
592  # Prepare the stack
593  myjit.push_uint32_t(context_address) # Context
594  myjit.push_uint32_t(seh_ptr) # SEH
595  myjit.push_uint32_t(exception_record_address) # ExceptRecords
596  myjit.push_uint32_t(return_from_exception) # Ret address
597 
598  # Set fake new current seh for exception
599  log.info("Fake seh ad %x", fake_seh_address)
600  myjit.vm.set_mem(fake_seh_address, pck32(seh_ptr) + pck32(
601  0xaaaaaaaa) + pck32(0xaaaaaabb) + pck32(0xaaaaaacc))
602  myjit.vm.set_mem(tib_address, pck32(fake_seh_address))
603 
604  dump_seh(myjit)
605 
606  log.info('Jumping at %x', eh)
607  myjit.vm.set_exception(0)
608  myjit.cpu.set_exception(0)
609 
610  # XXX set ebx to nul?
611  myjit.cpu.EBX = 0
612 
613  return eh
614 
615 fake_seh_handler.base = FAKE_SEH_B_AD
616 
tuple upck32
Definition: utils.py:8
tuple pck32
Definition: utils.py:12

+ Here is the call graph for this function:

def miasm2.os_dep.win_api_x86_32_seh.fix_InInitializationOrderModuleList (   myjit,
  module_info 
)

Definition at line 361 of file win_api_x86_32_seh.py.

362 def fix_InInitializationOrderModuleList(myjit, module_info):
363  # first binary is ntdll
364  # second binary is kernel32
365  olist = []
366  ntdll_e = None
367  kernel_e = None
368  for bname, (addr, e) in module_info.items():
369  if bname[::2].lower() == "ntdll.dll":
370  ntdll_e = (e, bname, addr)
371  continue
372  elif bname[::2].lower() == "kernel32.dll":
373  kernel_e = (e, bname, addr)
374  continue
375  elif e == dummy_e:
376  d_e = (e, bname, addr)
377  continue
378  elif e == main_pe:
379  continue
380  olist.append((e, bname, addr))
381  if not ntdll_e or not kernel_e or not d_e:
382  log.warn('No kernel ntdll, ldr data will be unconsistant')
383  else:
384  olist[0:0] = [ntdll_e]
385  olist[1:1] = [kernel_e]
386 
387  olist.append(d_e)
388 
389  last_addr = 0
390  for i in xrange(len(olist)):
391  e, bname, addr = olist[i]
392  p_e, p_bname, p_addr = olist[(i - 1) % len(olist)]
393  n_e, n_bname, n_addr = olist[(i + 1) % len(olist)]
394  myjit.vm.set_mem(
395  addr + 0x10, pck32(n_addr + 0x10) + pck32(p_addr + 0x10))
396 
tuple pck32
Definition: utils.py:12

+ Here is the caller graph for this function:

def miasm2.os_dep.win_api_x86_32_seh.fix_InLoadOrderModuleList (   myjit,
  module_info 
)

Definition at line 270 of file win_api_x86_32_seh.py.

271 def fix_InLoadOrderModuleList(myjit, module_info):
272  log.debug("Fix InLoadOrderModuleList")
273  # first binary is PE
274  # last is dumm_e
275  olist = []
276  m_e = None
277  d_e = None
278  for m in [main_pe_name, ""] + loaded_modules:
279 
280  if isinstance(m, tuple):
281  fname, e = m
282  else:
283  fname, e = m, None
284 
285  if "/" in fname:
286  fname = fname[fname.rfind("/") + 1:]
287  bname_str = fname
288  bname = '\x00'.join(bname_str) + '\x00'
289  if not bname.lower() in module_info:
290  log.warn('Module not found, ldr data will be unconsistant')
291  continue
292 
293  addr, e = module_info[bname.lower()]
294  log.debug(bname_str)
295  if e == main_pe:
296  m_e = (e, bname, addr)
297  continue
298  elif e == dummy_e:
299  d_e = (e, bname, addr)
300  continue
301  olist.append((e, bname, addr))
302  if not m_e or not d_e:
303  log.warn('No main pe, ldr data will be unconsistant')
304  else:
305  olist[0:0] = [m_e]
306  olist.append(d_e)
307 
308  last_addr = 0
309  for i in xrange(len(olist)):
310  e, bname, addr = olist[i]
311  p_e, p_bname, p_addr = olist[(i - 1) % len(olist)]
312  n_e, n_bname, n_addr = olist[(i + 1) % len(olist)]
313  myjit.vm.set_mem(addr + 0, pck32(n_addr) + pck32(p_addr))
314 
tuple pck32
Definition: utils.py:12

+ Here is the caller graph for this function:

def miasm2.os_dep.win_api_x86_32_seh.fix_InMemoryOrderModuleList (   myjit,
  module_info 
)

Definition at line 315 of file win_api_x86_32_seh.py.

316 def fix_InMemoryOrderModuleList(myjit, module_info):
317  log.debug("Fix InMemoryOrderModuleList")
318  # first binary is PE
319  # last is dumm_e
320  olist = []
321  m_e = None
322  d_e = None
323  for m in [main_pe_name, ""] + loaded_modules:
324 
325  if isinstance(m, tuple):
326  fname, e = m
327  else:
328  fname, e = m, None
329 
330  if "/" in fname:
331  fname = fname[fname.rfind("/") + 1:]
332  bname_str = fname
333  bname = '\x00'.join(bname_str) + '\x00'
334  if not bname.lower() in module_info:
335  log.warn('Module not found, ldr data will be unconsistant')
336  continue
337  addr, e = module_info[bname.lower()]
338  log.debug(bname_str)
339  if e == main_pe:
340  m_e = (e, bname, addr)
341  continue
342  elif e == dummy_e:
343  d_e = (e, bname, addr)
344  continue
345  olist.append((e, bname, addr))
346  if not m_e or not d_e:
347  log.warn('No main pe, ldr data will be unconsistant')
348  else:
349  olist[0:0] = [m_e]
350  olist.append(d_e)
351 
352  last_addr = 0
353 
354  for i in xrange(len(olist)):
355  e, bname, addr = olist[i]
356  p_e, p_bname, p_addr = olist[(i - 1) % len(olist)]
357  n_e, n_bname, n_addr = olist[(i + 1) % len(olist)]
358  myjit.vm.set_mem(
359  addr + 0x8, pck32(n_addr + 0x8) + pck32(p_addr + 0x8))
360 
tuple pck32
Definition: utils.py:12

+ Here is the caller graph for this function:

def miasm2.os_dep.win_api_x86_32_seh.init_seh (   myjit)

Definition at line 423 of file win_api_x86_32_seh.py.

424 def init_seh(myjit):
425  global seh_count
426  seh_count = 0
427  build_teb(myjit, FS_0_AD)
428  build_peb(myjit, peb_address)
429 
430  module_info = create_modules_chain(myjit, loaded_modules)
431  fix_InLoadOrderModuleList(myjit, module_info)
432  fix_InMemoryOrderModuleList(myjit, module_info)
433  fix_InInitializationOrderModuleList(myjit, module_info)
434 
435  build_ldr_data(myjit, module_info)
436  add_process_env(myjit)
438 
439  myjit.vm.add_memory_page(default_seh, PAGE_READ | PAGE_WRITE, pck32(
440  0xffffffff) + pck32(0x41414141) + pck32(0x42424242))
441 
442  myjit.vm.add_memory_page(
443  context_address, PAGE_READ | PAGE_WRITE, '\x00' * 0x2cc)
444  myjit.vm.add_memory_page(
445  exception_record_address, PAGE_READ | PAGE_WRITE, '\x00' * 200)
446 
447  myjit.vm.add_memory_page(
448  FAKE_SEH_B_AD, PAGE_READ | PAGE_WRITE, 0x10000 * "\x00")
449 
450 # http://www.codeproject.com/KB/system/inject2exe.aspx#RestorethefirstRegistersContext5_1
451 
tuple pck32
Definition: utils.py:12

+ Here is the call graph for this function:

def miasm2.os_dep.win_api_x86_32_seh.regs2ctxt (   myjit)
Build x86_32 cpu context for exception handling
@myjit: jitload instance

Definition at line 452 of file win_api_x86_32_seh.py.

453 def regs2ctxt(myjit):
454  """
455  Build x86_32 cpu context for exception handling
456  @myjit: jitload instance
457  """
458 
459  ctxt = []
460  # ContextFlags
461  ctxt += [pck32(0x0)]
462  # DRX
463  ctxt += [pck32(0x0)] * 6
464  # Float context
465  ctxt += ['\x00' * 112]
466  # Segment selectors
467  ctxt += [pck32(reg) for reg in (myjit.cpu.GS, myjit.cpu.FS,
468  myjit.cpu.ES, myjit.cpu.DS)]
469  # Gpregs
470  ctxt += [pck32(reg) for reg in (myjit.cpu.EDI, myjit.cpu.ESI,
471  myjit.cpu.EBX, myjit.cpu.EDX,
472  myjit.cpu.ECX, myjit.cpu.EAX,
473  myjit.cpu.EBP, myjit.cpu.EIP)]
474  # CS
475  ctxt += [pck32(myjit.cpu.CS)]
476  # Eflags
477  # XXX TODO real eflag
478  ctxt += [pck32(0x0)]
479  # ESP
480  ctxt += [pck32(myjit.cpu.ESP)]
481  # SS
482  ctxt += [pck32(myjit.cpu.SS)]
483  return "".join(ctxt)
484 
tuple pck32
Definition: utils.py:12

+ Here is the caller graph for this function:

def miasm2.os_dep.win_api_x86_32_seh.return_from_seh (   myjit)

Definition at line 654 of file win_api_x86_32_seh.py.

655 def return_from_seh(myjit):
656  "Handle return after a call to fake seh handler"
657 
658  # Get current context
659  context_address = upck32(myjit.vm.get_mem(myjit.cpu.ESP + 0x8, 4))
660  log.info('Context address: %x', context_address)
661  myjit.cpu.ESP = upck32(myjit.vm.get_mem(context_address + 0xc4, 4))
662  log.info('New esp: %x', myjit.cpu.ESP)
663 
664  # Rebuild SEH
665  old_seh = upck32(myjit.vm.get_mem(tib_address, 4))
666  new_seh = upck32(myjit.vm.get_mem(old_seh, 4))
667  log.info('Old seh: %x New seh: %x', old_seh, new_seh)
668  myjit.vm.set_mem(tib_address, pck32(new_seh))
669 
670  dump_seh(myjit)
671 
672  if myjit.cpu.EAX == 0x0:
673  # ExceptionContinueExecution
674  ctxt_ptr = context_address
675  log.info('Seh continues Context: %x', ctxt_ptr)
676 
677  # Get registers changes
678  ctxt_str = myjit.vm.get_mem(ctxt_ptr, 0x2cc)
679  ctxt2regs(ctxt_str, myjit)
680  myjit.pc = myjit.cpu.EIP
681  log.info('Context::Eip: %x', myjit.pc)
682 
683  elif myjit.cpu.EAX == -1:
684  raise NotImplementedError("-> seh try to go to the next handler")
685 
686  elif myjit.cpu.EAX == 1:
687  # ExceptionContinueSearch
688  raise NotImplementedError("-> seh, gameover")
tuple upck32
Definition: utils.py:8
tuple pck32
Definition: utils.py:12

+ Here is the call graph for this function:

def miasm2.os_dep.win_api_x86_32_seh.set_win_fs_0 (   myjit,
  fs = 4 
)

Definition at line 636 of file win_api_x86_32_seh.py.

637 def set_win_fs_0(myjit, fs=4):
638  regs = myjit.cpu.get_gpreg()
639  regs['FS'] = 0x4
640  myjit.cpu.set_gpreg(regs)
641  myjit.cpu.set_segm_base(regs['FS'], FS_0_AD)
642  segm_to_do = set([x86_regs.FS])
643  return segm_to_do
644 

Variable Documentation

tuple miasm2.os_dep.win_api_x86_32_seh.all_seh_ad
Initial value:
1 = dict([(x, None)
2  for x in xrange(FAKE_SEH_B_AD, FAKE_SEH_B_AD + 0x1000, 0x20)])

Definition at line 417 of file win_api_x86_32_seh.py.

tuple miasm2.os_dep.win_api_x86_32_seh.console_handler = logging.StreamHandler()

Definition at line 41 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.context_address = 0x201000

Definition at line 75 of file win_api_x86_32_seh.py.

miasm2.os_dep.win_api_x86_32_seh.cur_seh_ad = FAKE_SEH_B_AD

Definition at line 81 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.default_seh = PEB_AD+0x20000

Definition at line 70 of file win_api_x86_32_seh.py.

tuple miasm2.os_dep.win_api_x86_32_seh.dummy_e = pe_init.PE()

Definition at line 178 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.EXCEPTION_ACCESS_VIOLATION = 0xc0000005

Definition at line 34 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.EXCEPTION_BREAKPOINT = 0x80000003

Definition at line 33 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.EXCEPTION_ILLEGAL_INSTRUCTION = 0xc000001d

Definition at line 37 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.EXCEPTION_INT_DIVIDE_BY_ZERO = 0xc0000094

Definition at line 35 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.EXCEPTION_PRIV_INSTRUCTION = 0xc0000096

Definition at line 36 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.exception_record_address = context_address+0x1000

Definition at line 76 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.FAKE_SEH_B_AD = context_address+0x2000

Definition at line 79 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.FS_0_AD = 0x7ff70000

Definition at line 46 of file win_api_x86_32_seh.py.

miasm2.os_dep.win_api_x86_32_seh.InInitializationOrderModuleList_address = LDR_AD+\

Definition at line 62 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.InInitializationOrderModuleList_offset = 0x1ee0

Definition at line 61 of file win_api_x86_32_seh.py.

miasm2.os_dep.win_api_x86_32_seh.InLoadOrderModuleList_address = LDR_AD+\

Definition at line 67 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.InLoadOrderModuleList_offset = 0x1ee0

Definition at line 65 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.LDR_AD = 0x340000

Definition at line 48 of file win_api_x86_32_seh.py.

list miasm2.os_dep.win_api_x86_32_seh.loaded_modules = ["ntdll.dll", "kernel32.dll"]

Definition at line 83 of file win_api_x86_32_seh.py.

tuple miasm2.os_dep.win_api_x86_32_seh.log = logging.getLogger("seh_helper")

Definition at line 40 of file win_api_x86_32_seh.py.

miasm2.os_dep.win_api_x86_32_seh.main_pe = None

Definition at line 84 of file win_api_x86_32_seh.py.

string miasm2.os_dep.win_api_x86_32_seh.main_pe_name = "c:\\xxx\\toto.exe"

Definition at line 85 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.MAX_MODULES = 0x40

Definition at line 50 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.MAX_SEH = 5

Definition at line 87 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.modules_list_offset = 0x1f00

Definition at line 59 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.PEB_AD = 0x7ffdf000

Definition at line 47 of file win_api_x86_32_seh.py.

miasm2.os_dep.win_api_x86_32_seh.peb_address = PEB_AD

Definition at line 54 of file win_api_x86_32_seh.py.

miasm2.os_dep.win_api_x86_32_seh.peb_ldr_data_address = LDR_AD+peb_ldr_data_offset

Definition at line 56 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.peb_ldr_data_offset = 0x1ea0

Definition at line 55 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.process_environment_address = 0x10000

Definition at line 72 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.process_parameters_address = 0x200000

Definition at line 73 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.return_from_exception = 0x6eadbeef

Definition at line 77 of file win_api_x86_32_seh.py.

int miasm2.os_dep.win_api_x86_32_seh.seh_count = 0

Definition at line 420 of file win_api_x86_32_seh.py.

miasm2.os_dep.win_api_x86_32_seh.tib_address = FS_0_AD

Definition at line 53 of file win_api_x86_32_seh.py.