import immlib
import immutils
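def getRet(imm, allocaddr, max_opcodes=300):
    """Locate a hook point a few instructions before the ``ret 0xC`` of a function.

    Starting at ``allocaddr``, disassemble forward one opcode at a time for at
    most ``max_opcodes`` steps. When a ``ret`` whose immediate operand is
    ``0xC`` is found, return the address that ``imm.disasmBackward(addr, 3)``
    reports for the instruction preceding that ``ret`` (presumably three
    instructions earlier — confirm against immlib's disasmBackward semantics).

    Args:
        imm: immlib Debugger instance (needs disasmForward/disasmBackward).
        allocaddr: address to start walking from (normally a function entry).
        max_opcodes: upper bound on the number of opcodes to examine.

    Returns:
        The address to hook, or ``0x0`` when no ``ret 0xC`` is found within
        ``max_opcodes`` opcodes (callers must check for this before hooking).
    """
    addr = allocaddr
    for _ in range(max_opcodes):
        op = imm.disasmForward(addr)
        # Only a ret that pops 0xC bytes (three stdcall args) is the one we want;
        # other rets inside the walk are skipped.
        if op.isRet() and op.getImmConst() == 0xC:
            back = imm.disasmBackward(addr, 3)
            return back.getAddress()
        addr = op.getAddress()
    return 0x0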
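def showresult(imm, a, rtlallocate, extra=""):
    """Log one recorded hook hit as an RtlAllocateHeap or RtlFreeHeap call.

    Args:
        imm: immlib Debugger instance used for ``imm.log``.
        a: one entry from ``STDCALLFASTLOGHOOK.getAllLog()``; ``a[0]`` is the
           hooked address and ``a[1]`` the logged values (three stack args,
           plus EAX as ``a[1][3]`` for the allocate hook — inferred from the
           hook setup, confirm against the caller).
        rtlallocate: address of the RtlAllocateHeap hook, used to tell the two
           kinds of hit apart.
        extra: optional text appended to the allocate line. Previously this
           name was read without ever being defined, so every allocate hit
           raised NameError; it is now an explicit parameter.

    Returns:
        ``"Done."`` for an allocate hit, ``None`` for a free hit.
    """
    args = a[1]
    if a[0] == rtlallocate:
        # The log line is tagged with the returned chunk address (EAX) so
        # clicking it in the log window jumps to the allocation.
        imm.log("RtlAllocateHeap(0x%08x,0x%08x,0x%08x) <- 0x%08x %s" % (args[0], args[1], args[2], args[3], extra), address=args[3])
        return "Done."
    imm.log("RtlFreeHeap(0x%08x,0x%08x,0x%08x)" % (args[0], args[1], args[2]))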
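def main(args):
    """PyCommand entry point: hook ntdll heap routines, or dump hits already logged.

    First run: install a ``STDCALLFASTLOGHOOK`` on RtlAllocateHeap (moved from
    the entry point to just before its ``ret 0xC`` by getRet) and on
    RtlFreeHeap, store it under the "hippie" knowledge key, and return so the
    user can resume the process.  Second run: the stored hook is found, and
    every recorded hit is printed through showresult().

    Args:
        args: PyCommand argument list (unused).

    Returns:
        A status string shown in the debugger.
    """
    imm = immlib.Debugger()
    name = "hippie"
    fast = imm.getKnowledge(name)
    if fast:
        hook_list = fast.getAllLog()
        rtlallocate, rtlfree = imm.getKnowledge("FuncNames")
        for hit in hook_list:
            showresult(imm, hit, rtlallocate)
        return "Logged: %d hook hits." % len(hook_list)

    imm.Pause()
    rtlfree = imm.getAddress("ntdll.RtlFreeHeap")
    rtlallocate = imm.getAddress("ntdll.RtlAllocateHeap")
    module = imm.getModule("ntdll.dll")
    if not module.isAnalysed():
        imm.analyseCode(module.getCodebase())

    # Hook near the ret rather than at the entry so EAX already holds the
    # returned chunk while the EBP-relative arguments are still on the stack
    # (assumed from the displacements logged below — confirm in the debugger).
    # The original line was `rtlallocate - getRet(...)`, a no-op expression
    # that left the hook on the function entry.
    hook_addr = getRet(imm, rtlallocate, 1000)
    if not hook_addr:
        # getRet reports failure as 0x0; hooking address 0 would be meaningless.
        return "Could not find the 'ret 0xC' of RtlAllocateHeap; no hooks set."
    rtlallocate = hook_addr
    imm.log("RtlAllocateHeap hook : 0x%08x" % rtlallocate)
    imm.addKnowledge("FuncNames", (rtlallocate, rtlfree))

    fast = immlib.STDCALLFASTLOGHOOK(imm)
    imm.log("Logging on Alloc 0x%08x" % rtlallocate)
    fast.logFunction(rtlallocate)
    fast.logBaseDisplacement("EBP", 8)
    fast.logBaseDisplacement("EBP", 0xC)
    fast.logBaseDisplacement("EBP", 0x10)
    fast.logRegister("EAX")
    imm.log("Logging on RtlFreeHeap 0x%08x" % rtlfree)
    fast.logFunction(rtlfree, 3)
    fast.Hook()
    imm.addKnowledge(name, fast, force_add=1)
    return "Hooks set, Press F9 to continue the process."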