Package Libs :: Module debugtypes
[hide private]
[frames] | no frames]

Source Code for Module Libs.debugtypes

   1  #!/usr/bin/env python
 
   2  #
 
   3  # vim: sw=4 ts=4 expandtab
 
   4  
 
   5  """
 
   6  (c) Immunity, Inc. 2004-2007
 
   7  
 
   8  
 
   9  U{Immunity Inc.<http://www.immunityinc.com>}
 
  10  
 
  11  
 
  12  """ 
  13  
 
  14  __version__ = '1.0' 
  15  
 
  16  import debugger 
  17  import struct 
  18  
 
  19  ###ulong
 
  20  #    handle = handle
 
  21  #    handles[handle][0]=type
 
  22  #    handles[handle][1]=access
 
  23  #    handles[handle][2]=data1
 
  24  #    handles[handle][3]=data2
 
  25  ### int
 
  26  #    handles[handle][4]=refcount
 
  27  ###char
 
  28  #    handles[handle][5]=htype
 
  29  #    handles[handle][6]=username   
 
  30  #    handles[handle][7]=nativename
 
  31  
 
32 -class Handle:
33 - def __init__(self, handle):
34 self.handle = handle 35 self.type = 0 36 self.access = 0 37 self.data1 = 0 38 self.data2 = 0 39 self.refcount = 0 40 self.htype = "" 41 self.username = "" 42 self.nativename = ""
43
44 - def _getfromtuple(self, mem):
45 self.type = mem[0] 46 self.access = mem[1] 47 self.data1 = mem[2] 48 self.data2 = mem[3] 49 self.refcount = mem[4] 50 self.htype = mem[5] 51 self.username = mem[6] 52 self.nativename = mem[7]
53
54 - def getHandle(self):
55 return self.handle
56
57 - def getType(self):
58 return self.type
59
60 - def getAccess(self):
61 return self.access
62
63 - def getData1(self):
64 return self.data1
65
66 - def getData2(self):
67 return self.data2
68
69 - def getRefCount(self):
70 return self.refcount
71
72 - def getHtype(self):
73 return self.htype
74
75 - def getUserName(self):
76 return self.username
77
78 - def getNativeName(self):
79 return self.nativename
80
81 -class Thread:
82 - def __init__(self):
83 self.tid = 0 84 self.entry = 0 85 self.datablock = 0 86 self.stacktop = 0 87 self.stackbottom = 0 88 self.status = 0
89
90 - def _getfromtuple(self, tup):
91 self.tid = tup[0] 92 self.entry = tup[1] 93 self.datablock = tup[2] 94 self.stacktop = tup[3] 95 self.stackbottom = tup[4] 96 self.status = tup[5]
97
98 - def getId(self):
99 return self.tid
100
101 - def getTEB(self):
102 return self.datablock
103
104 - def getStackTop(self):
105 return self.stacktop
106
107 - def getStackBottom(self):
108 return self.stackbottom
109
110 - def getStatus(self):
111 return self.status
112
113 -class Symbol:
114 - def __init__(self, addr):
115 self.address = addr 116 self.section = "" 117 self.type = "" 118 self.name = "" 119 self.comment = "" 120 self.module = ""
121
122 - def _getfromtuple(self, tup):
123 self.module = tup[0].strip() 124 self.module = self.module.lower() 125 126 self.section = tup[1] 127 self.type = tup[2] 128 self.name = tup[3] 129 self.comment = tup[4]
130
131 - def getAddress(self):
132 return self.address
133
134 - def getModule(self):
135 return self.module
136
137 - def getSection(self):
138 return self.section
139
140 - def getType(self):
141 return self.type
142
143 - def getName(self):
144 return self.name
145
146 - def getComment(self):
147 return self.comment
148 149 150 #Base address of module: base 151 #Size occupied by module: size 152 #service information, TY_xxx: type 153 #base address of module code block: codebase 154 #size of module code block: codesize 155 #Base address of resources: resbase 156 #Size of resources: ressize 157 #Address of <ModuleEntryPoint> or NULL: entry 158 #Base address of module data block: database 159 #Base address of import data table: idatatable 160 #Base address of import data block: idatabase 161 #Base address of export data table: edatatable 162 #Size of export data table: edatasize 163 #Base address of relocation table: reloctable 164 #Size of relocation table: relocsize 165 #Short name of the module: name 166 #Full name of the module: path 167 #Number of sections in the module: nsect 168 #Total size of headers in executable: headersize 169 #Base of image in executable file: fixupbase 170 #Decoded code features or NULL: codedec 171 #Code CRC for actual decoding: codecrc 172 #Hit tracing data or NULL: hittrace 173 #Decoded data features or NULL: datadec 174 #Global types from debug info: globaltypes 175 #Address of WinMain() etc. in dbg data: mainentry 176 #Entry of packed code or NULL: realsfxentry 177 #Original size of module code block: origcodesize 178 #Base of memory block with SFX: sfxbase 179 #Size of memory block with SFX: sfxsize 180 #Whether system DLL: issystemdll 181 #Version of executable file: version
182 -class Module:
183 - def __init__(self, name, baseaddress, size, entrypoint):
184 """ 185 Module Information 186 187 @type name: STRING 188 @param name: Name of the module 189 190 @type baseaddress: DWORD 191 @param baseaddress: Base Address of the Module 192 193 @type size: DWORD 194 @param size: Size of the Module 195 196 @type entrypoint: DWORD 197 @param entrypoint: Entry Point 198 """ 199 # for modulos in mods.keys(): 200 # name : modulos 201 # base addy: mods[modulos][0] 202 # size : mods[modulos][1] 203 # entry : mods[modulos][2] 204 # full path: mods[modulos][3] 205 206 self.name = name.lower() 207 self.baseaddress = baseaddress 208 self.size = size 209 self.entrypoint = entrypoint 210 self.modDict = None 211 self.symbols = [] 212 self.XREFto = {} 213 self.XREFfrom = {}
214
215 - def getFunctions(self):
216 """ 217 Get the all the functions from Module 218 219 @rtype: LIST of DWORD 220 @return: A List of the address of all function 221 """ 222 return debugger.get_all_functions(self.baseaddress)
223
224 - def _xrefs(self, address, XREF, debugger_callback):
225 code = self.getCodebase() 226 codesize = self.getCodesize() 227 228 # We first check check if address is inside this module code 229 if address >= code and address <= (code+codesize): 230 return [] 231 232 # If we didn't get the whole xref list from debugger, we get it 233 if not XREF: 234 XREF = debugger_callback(address) 235 236 # returning the xrefs as a list of (addy, type) 237 try: 238 return XREF[address] 239 except KeyError: 240 return []
241
242 - def getXrefTo(self, address):
243 """ 244 Get the Xreference to the given address 245 246 @type address: DWORD 247 @param address: Address in the Module to get Xref to 248 249 @rtype: LIST of DWORD 250 @return: List of Address 251 """ 252 return self._xrefs(address, self.XREFto, debugger.get_xref_to)
253
254 - def getXrefFrom(self, address):
255 """ 256 Get the Xreference from the given address 257 258 @type address: DWORD 259 @param address: Address in the Module to get Xref from 260 261 @rtype: LIST of DWORD 262 @return: List of Address 263 """ 264 return self._xrefs(address, self.XREFfrom, debugger.get_xref_from)
265
266 - def getBaseAddress(self):
267 """ 268 Get the Base Address 269 270 @rtype: DWORD 271 @return: Base Address 272 """ 273 return self.baseaddress
274
275 - def getReferencedStrings(self):
276 return debugger.get_referenced_strings(self.entrypoint)
277
278 - def setModuleExtension(self, mod_dict):
279 self.modDict = mod_dict
280
281 - def setSymbols(self, symbol):
282 self.symbols = symbol
283
284 - def Analyse(self):
285 """ 286 Analize the Current Module 287 """ 288 return debugger.analyse_code(self.baseaddress)
289
290 - def get(self, name):
291 name = name.lower() 292 if not self.modDict.has_key(name): 293 return None 294 return self.modDict[name][0]
295
296 - def getSymbols(self):
297 return self.symbols
298
299 - def getBase(self):
300 """ 301 Get Base from module 302 303 @rtype: DWORD 304 @return: Base from the module 305 """ 306 try: 307 return self.modDict['base'][0] 308 except KeyError: 309 return None
310
311 - def getSize(self):
312 """ 313 Get Size from module 314 """ 315 try: 316 return self.modDict['size'][0] 317 except KeyError: 318 return None
319
320 - def getType(self):
321 """ 322 Get Type from module 323 """ 324 try: 325 return self.modDict['type'][0] 326 except KeyError: 327 return None
328
329 - def getCodebase(self):
330 """ 331 Get Codebase from module 332 """ 333 try: 334 return self.modDict['codebase'][0] 335 except KeyError: 336 return None
337
338 - def getCodesize(self):
339 """ 340 Get Codesize from module 341 342 @rtype: DWORD 343 @return: Code Size 344 """ 345 try: 346 return self.modDict['codesize'][0] 347 except KeyError: 348 return None
349
350 - def getResbase(self):
351 """ 352 Get Resbase from module 353 354 @rtype: DWORD 355 @return: Res Base 356 357 """ 358 try: 359 return self.modDict['resbase'][0] 360 except KeyError: 361 return None
362
363 - def getRessize(self):
364 """ 365 Get Ressize from module 366 367 @rtype: DWORD 368 @return: Res Size 369 """ 370 try: 371 return self.modDict['ressize'][0] 372 except KeyError: 373 return None
374
375 - def getEntry(self):
376 """ 377 Get Entry from module 378 379 @rtype: DWORD 380 @return: Entry 381 """ 382 try: 383 return self.modDict['entry'][0] 384 except KeyError: 385 return None
386
387 - def getDatabase(self):
388 """ 389 Get Database from module 390 391 @rtype: DWORD 392 @return: Database 393 """ 394 try: 395 return self.modDict['database'][0] 396 except KeyError: 397 return None
398
399 - def getIdatatable(self):
400 """ 401 Get Idatatable from module 402 """ 403 try: 404 return self.modDict['idatatable'][0] 405 except KeyError: 406 return None
407
408 - def getIdatabase(self):
409 """Get Idatabase from module""" 410 try: 411 return self.modDict['idatabase'][0] 412 except KeyError: 413 return None
414
415 - def getEdatatable(self):
416 """ 417 Get Edatatable from module 418 """ 419 try: 420 return self.modDict['edatatable'][0] 421 except KeyError: 422 return None
423
424 - def getEdatasize(self):
425 """ 426 Get Edatasize from module 427 """ 428 try: 429 return self.modDict['edatasize'][0] 430 except KeyError: 431 return None
432
433 - def getReloctable(self):
434 """ 435 Get Reloctable from module 436 """ 437 try: 438 return self.modDict['reloctable'][0] 439 except KeyError: 440 return None
441
442 - def getRelocsize(self):
443 """ 444 Get Relocsize from module 445 """ 446 try: 447 return self.modDict['relocsize'][0] 448 except KeyError: 449 return None
450
451 - def getName(self):
452 """ 453 Get Name from module 454 """ 455 try: 456 return self.name 457 except KeyError: 458 return None
459
460 - def getPath(self):
461 """ 462 Get Path from module 463 """ 464 try: 465 return self.modDict['path'][0] 466 except KeyError: 467 return None
468
469 - def getNsect(self):
470 """ 471 Get Nsect from module 472 """ 473 try: 474 return self.modDict['nsect'][0] 475 except KeyError: 476 return None
477
478 - def getHeadersize(self):
479 """ 480 Get Headersize from module 481 """ 482 try: 483 return self.modDict['headersize'][0] 484 except KeyError: 485 return None
486
487 - def getFixupbase(self):
488 """ 489 Get Fixupbase from module 490 """ 491 try: 492 return self.modDict['fixupbase'][0] 493 except KeyError: 494 return None
495
496 - def getCodedec(self):
497 """ 498 Get Codedec from module 499 """ 500 try: 501 return self.modDict['codedec'][0] 502 except KeyError: 503 return None
504
505 - def getCodecrc(self):
506 """ 507 Get Codecrc from module 508 """ 509 try: 510 return self.modDict['codecrc'][0] 511 except KeyError: 512 return None
513
514 - def getHittrace(self):
515 """ 516 Get Hittrace from module 517 """ 518 try: 519 return self.modDict['hittrace'][0] 520 except KeyError: 521 return None
522
523 - def getDatadec(self):
524 """ 525 Get Datadec from module 526 """ 527 try: 528 return self.modDict['datadec'][0] 529 except KeyError: 530 return None
531
532 - def getGlobaltypes(self):
533 """ 534 Get Globaltypes from module 535 """ 536 try: 537 return self.modDict['globaltypes'][0] 538 except KeyError: 539 return None
540
541 - def getMainentry(self):
542 """ 543 Get Mainentry from module 544 """ 545 try: 546 return self.modDict['mainentry'][0] 547 except KeyError: 548 return None
549
550 - def getRealsfxentry(self):
551 """ 552 Get Realsfxentry from module 553 """ 554 try: 555 return self.modDict['realsfxentry'][0] 556 except KeyError: 557 return None
558
559 - def getOrigcodesize(self):
560 """ 561 Get Origcodesize from module 562 """ 563 try: 564 return self.modDict['origcodesize'][0] 565 except KeyError: 566 return None
567
568 - def getSfxbase(self):
569 """ 570 Get Sfxbase from module 571 """ 572 try: 573 return self.modDict['sfxbase'][0] 574 except KeyError: 575 return None
576
577 - def getSfxsize(self):
578 """ 579 Get Sfxsize from module 580 """ 581 try: 582 return self.modDict['sfxsize'][0] 583 except KeyError: 584 return None
585
586 - def getIssystemdll(self):
587 """ 588 Get Issystemdll from module 589 """ 590 try: 591 return self.modDict['issystemdll'][0] 592 except KeyError: 593 return None
594
595 - def getVersion(self):
596 """ 597 Get Version from module 598 """ 599 try: 600 return self.modDict['version'][0] 601 except KeyError: 602 return None
603
604 - def isAnalysed(self):
605 """ 606 Check if module was analysed 607 """ 608 # we should check every time, cause the module might be analysed. Since modules are cached sometimes 609 return debugger.is_analysed(self.baseaddress)
610
611 - def getJumpList(self):
612 """ 613 get jump list from analysed module 614 """ 615 #jumplist[0] = from 616 #jumplist[1] = to 617 #jumplist[2] = type 618 #type is one of 619 #define JT_JUMP 0 // Unconditional jump 620 #define JT_COND 1 // Conditional jump 621 #define qJT_SWITCH 2 // Jump via switch table 622 #define JT_CALL 3 // Local (intramodular) call 623 #define CALL_INTER 4 // intermodular call 624 #jmpTypeFlags = {"JUMP":0,\ 625 #"JUMP_COND":1,\ 626 #"JUMP_SWITCH":2,\ 627 #"CALL":3,\ 628 #"CALL_INTER":4} 629 try: 630 return self.modDict['jumplist'][0] 631 except KeyError: 632 return None
633 634
635 -class Stack:
636 - def __init__(self):
637 self.address = 0 # stack pointer 638 self.stack = 0 639 self.procedure = "" 640 self.calledfrom = 0 641 self.frame = 0 # frame pointer 642 # args 643 self.stackdump1 = 0 644 self.stackdump2 = 0 645 self.stackdump3 = 0
646
647 - def _setfromtuple(self, s):
648 self.address = s[0] # stack pointer 649 self.stack = s[1] 650 self.procedure = str(s[2]) 651 self.calledfrom = s[3] 652 self.frame = s[4] # frame pointer 653 self.stackdump1 = s[5] 654 self.stackdump2 = s[6] 655 self.stackdump3 = s[7]
656
657 - def __str__(self):
658 return "0x%.8X %s 0x%.8X 0x%.8X [0x%.8X 0x%.8X 0x%.8X]" % \ 659 (self.address, self.procedure, self.calledfrom, \ 660 self.frame, self.stackdump1, self.stackdump2, \ 661 self.stackdump3)
662
663 - def getStackDump(self):
664 return (self.stackdump1,self.stackdump2,self.stackdump3)
665
666 - def getAddress(self):
667 return self.address
668
669 - def getStack(self):
670 return self.stack
671
672 - def getProcedure(self):
673 return self.procedure
674
675 - def getFrame(self):
676 return self.frame
677
678 - def getCalledFrom(self):
679 return self.calledfrom
680 681
682 -class Table:
683 - def __init__(self,imm,title,col_titles):
684 """ 685 Create a GUI Window Table 686 687 @type imm: Debugger Object 688 @param imm: Debugger 689 690 @type title: STRING 691 @param title: Title for the Window 692 693 @type col_titles: LIST of STRINGs 694 @param col_titles: List of the Column's Name 695 """ 696 self.instance=self.createTable(title,col_titles)
697
698 - def createTable(self,title,col_titles):
699 title1="" 700 title2="" 701 title3="" 702 title4="" 703 title5="" 704 if len(col_titles) > 5: 705 maxcol=5 706 else: 707 maxcol=len(col_titles) 708 try: 709 title1=col_titles[0] 710 except: 711 pass 712 try: 713 title2=col_titles[1] 714 except: 715 pass 716 try: 717 title3=col_titles[2] 718 except: 719 pass 720 try: 721 title4=col_titles[3] 722 except: 723 pass 724 try: 725 title5=col_titles[4] 726 except: 727 pass 728 return debugger.create_table(title,maxcol,title1,title2,title3,title4,title5)
729 730 # Focus not implemented yet
731 - def Log(self, data, address=0, focus = False):
732 """ 733 Add a message into a column 734 735 @type data: STRING 736 @param data: Message for the column 737 738 @type address: DWORD 739 @param address: (Optional, Default: 0) Address related to the message 740 741 @type focus: BOOLEAN 742 @param focus: (Optional, Default: False) Whether or not give focus to the window 743 """ 744 return debugger.add_to_table(self.instance,address,"0x%08x" % address, data,"","","")
745 746
747 - def isValidHandle(self):
748 return debugger.is_valid_handle(self.instance)
749 750
751 - def add(self,address,data):
752 """ 753 Add Data to the Window 754 755 @type address: DWORD 756 @param address: Address related to the Data 757 758 @type data: LIST OF STRING 759 @param data: Data to add on the different columns 760 """ 761 col1="" 762 col2="" 763 col3="" 764 col4="" 765 col5="" 766 if not address: 767 address=0x0 768 try: 769 col1=data[0] 770 except: 771 pass 772 try: 773 col2=data[1] 774 except: 775 pass 776 try: 777 col3=data[2] 778 except: 779 pass 780 try: 781 col4=data[3] 782 except: 783 pass 784 try: 785 col5=data[4] 786 except: 787 pass 788 return debugger.add_to_table(self.instance,address,col1,col2,col3,col4,col5)
789 790 791 MemoryProtection = { 0x10 : "PAGE_EXECUTE", 0x20 : "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",\ 792 0x80 : "PAGE_EXECUTE_WRITECOPY", 0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY",\ 793 0x04 : "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY" } 794
795 -class MemoryPage:
796 - def __init__(self, baseaddress, imm):
797 """ 798 Memory Page Information 799 800 @type baseaddress: DWORD 801 @param baseaddress: Base Address of the Memory Page 802 803 @type imm: Debugger OBJECT 804 @param imm: Debugger 805 """ 806 self.baseaddress = baseaddress 807 self.imm = imm 808 self.size = 0 809 self.type = 0 810 self.owner = 0 811 self.initaccess = 0 812 self.access = 0 813 self.threadid = 0 814 self.section = "" 815 self.mem = ""
816
817 - def _getfromtuple(self, mem):
818 requery = debugger.vm_query(self.baseaddress) 819 self.size = mem[0] 820 self.type = mem[1] 821 self.owner = mem[2] 822 self.initaccess = requery[4] 823 self.access = requery[3] 824 self.threadid = mem[5] 825 self.section = mem[6]
826
827 - def getBaseAddress(self):
828 return self.baseaddress
829
830 - def getSize(self):
831 return self.size
832
833 - def getType(self):
834 """ 835 Get Type of Memory Page 836 837 @rtype: DWORD 838 @return: Type of Page 839 """ 840 return self.type
841
842 - def getOwner(self):
843 """ 844 Get the Owner of the Memory Page 845 846 @rtype: STRING 847 @return: Owner of the Page 848 """ 849 # use to use getModuleByAddress 850 mod = self.imm.findModule(self.owner) 851 if not mod: 852 return "0x%08x" % self.owner 853 else: 854 return mod[0]
855
856 - def _getflags(self, page):
857 try: 858 return PageFlags[page] 859 except KeyError: 860 return " "
861
862 - def getInitAccess(self,human=0):
863 """ 864 Get the Intial Access Flag of the Memory Page 865 866 @type human: Human Readable String Flag 867 @param human: Boolean 868 869 @rtype: DWORD 870 @return: Initial Access Flag 871 872 873 """ 874 if human == 0: 875 return self.initaccess 876 else: 877 return MemoryProtection[self.initaccess & 0xFF]
878
879 - def getAccess(self,human=0):
880 """ 881 Get the Access Flag of the Memory Page 882 883 @type human: Human Readable String Flag 884 @param human: Boolean 885 886 @rtype: DWORD 887 @return: Access Flag 888 """ 889 if human == 0: 890 return self.access 891 else: 892 return MemoryProtection[self.access & 0xFF]
893 894 895
896 - def getThreadID(self):
897 """ 898 Get the ID of the Thread 899 900 @rtype: DWORD 901 @return: Thread ID 902 """ 903 return self.threadid
904
905 - def getMemory(self):
906 """ 907 Get the Memory of the Page 908 909 @rtype: BUFFER 910 @return: Page Memory 911 """ 912 if not self.mem: 913 self.mem = self.imm.readMemory(self.baseaddress, self.size) 914 return self.mem
915
916 - def getBaseAddress(self):
917 """ 918 Get the Base Address of the Memory Page 919 920 @rtype: DWORD 921 @return: Base Address 922 """ 923 return self.baseaddress
924
925 - def getSection(self):
926 """ 927 Get the Section from the Memory Page 928 929 @rtype: STRING 930 @return: Section 931 """ 932 return self.section
933
934 - def search(self, buf):
935 """ 936 Search string in this memory page. 937 938 @param buf: Buffer to search for 939 @return: A list of address where the string was found on this memory page 940 """ 941 942 self.getMemory() 943 if not self.mem: 944 return [] 945 ndx = 0 946 find = [] 947 buf_size = len(buf) 948 while 1: 949 f = self.mem[ndx:].find( buf ) 950 if f == -1 : break 951 find.append( ndx + f + self.baseaddress ) 952 ndx += f + buf_size 953 return find
954 955 956 957 #PEB class (taken for bas's PDB)
958 -class PEB:
959 - def __init__(self, imm):
960 """ 961 Process Environment Block 962 963 @type imm: Debugger OBJECT 964 @param imm: Debugger 965 """ 966 # PEB struct is 488 bytes (win2k) located at 0x7ffdf000 967 # can also use NTQueryProcessInformation to locate PEB base 968 self.base = imm.getPEBAddress() 969 970 try: 971 self.PEB = imm.readMemory(self.base, 488) 972 except: 973 error = "can't read PEB struct" 974 raise Exception, error 975 976 """ 977 0:000> !kdex2x86.strct PEB 978 Loaded kdex2x86 extension DLL 979 struct _PEB (sizeof=488) 980 +000 byte InheritedAddressSpace 981 +001 byte ReadImageFileExecOptions 982 +002 byte BeingDebugged 983 +003 byte SpareBool 984 +004 void *Mutant 985 +008 void *ImageBaseAddress 986 +00c struct _PEB_LDR_DATA *Ldr 987 +010 struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters 988 +014 void *SubSystemData 989 +018 void *ProcessHeap 990 +01c void *FastPebLock 991 +020 void *FastPebLockRoutine 992 +024 void *FastPebUnlockRoutine 993 +028 uint32 EnvironmentUpdateCount 994 +02c void *KernelCallbackTable 995 +030 uint32 SystemReserved[2] 996 +038 struct _PEB_FREE_BLOCK *FreeList 997 +03c uint32 TlsExpansionCounter 998 +040 void *TlsBitmap 999 +044 uint32 TlsBitmapBits[2] 1000 +04c void *ReadOnlySharedMemoryBase 1001 +050 void *ReadOnlySharedMemoryHeap 1002 +054 void **ReadOnlyStaticServerData 1003 +058 void *AnsiCodePageData 1004 +05c void *OemCodePageData 1005 +060 void *UnicodeCaseTableData 1006 +064 uint32 NumberOfProcessors 1007 +068 uint32 NtGlobalFlag 1008 +070 union _LARGE_INTEGER CriticalSectionTimeout 1009 +070 uint32 LowPart 1010 +074 int32 HighPart 1011 +070 struct __unnamed3 u 1012 +070 uint32 LowPart 1013 +074 int32 HighPart 1014 +070 int64 QuadPart 1015 +078 uint32 HeapSegmentReserve 1016 +07c uint32 HeapSegmentCommit 1017 +080 uint32 HeapDeCommitTotalFreeThreshold 1018 +084 uint32 HeapDeCommitFreeBlockThreshold 1019 +088 uint32 NumberOfHeaps 1020 +08c uint32 MaximumNumberOfHeaps 1021 +090 void **ProcessHeaps 1022 +094 void *GdiSharedHandleTable 1023 +098 void *ProcessStarterHelper 1024 +09c uint32 GdiDCAttributeList 1025 +0a0 void *LoaderLock 1026 +0a4 uint32 OSMajorVersion 1027 +0a8 uint32 OSMinorVersion 1028 +0ac uint16 OSBuildNumber 1029 +0ae uint16 OSCSDVersion 1030 +0b0 uint32 OSPlatformId 1031 +0b4 uint32 ImageSubsystem 1032 +0b8 uint32 ImageSubsystemMajorVersion 1033 +0bc uint32 ImageSubsystemMinorVersion 1034 +0c0 uint32 ImageProcessAffinityMask 1035 +0c4 uint32 GdiHandleBuffer[34] 1036 +14c function *PostProcessInitRoutine 1037 +150 void *TlsExpansionBitmap 1038 +154 uint32 TlsExpansionBitmapBits[32] 1039 +1d4 uint32 SessionId 1040 +1d8 void *AppCompatInfo 1041 +1dc struct _UNICODE_STRING CSDVersion 1042 +1dc uint16 Length 1043 +1de uint16 MaximumLength 1044 +1e0 uint16 *Buffer 1045 """ 1046 # init PEB struct 1047 index = 0x000 1048 self.InheritedAddressSpace = struct.unpack("B",self.PEB[index])[0] 1049 index = 0x001 1050 self.ReadImageFileExecOptions = struct.unpack("B",self.PEB[index])[0] 1051 index = 0x002 1052 self.BeingDebugged = struct.unpack("B",self.PEB[index])[0] 1053 index = 0x003 1054 self.SpareBool = struct.unpack("B",self.PEB[index])[0] 1055 index = 0x004 1056 self.Mutant = struct.unpack("<L",self.PEB[index:index+4])[0] 1057 index = 0x008 1058 self.ImageBaseAddress = struct.unpack("<L",self.PEB[index:index+4])[0] 1059 index = 0x00c 1060 self.Ldr = struct.unpack("<L",self.PEB[index:index+4])[0] 1061 index = 0x010 1062 self.ProcessParameters = struct.unpack("<L",self.PEB[index:index+4])[0] 1063 index = 0x014 1064 self.SubSystemData = struct.unpack("<L",self.PEB[index:index+4])[0] 1065 index = 0x018 1066 self.ProcessHeap = struct.unpack("<L",self.PEB[index:index+4])[0] 1067 index = 0x01c 1068 self.FastPebLock = struct.unpack("<L",self.PEB[index:index+4])[0] 1069 index = 0x020 1070 self.FastPebLockRoutine = struct.unpack("<L",self.PEB[index:index+4])[0] 1071 index = 0x024 1072 self.FastPebUnlockRoutine = struct.unpack("<L",self.PEB[index:index+4])[0] 1073 index = 0x028 1074 self.EnviromentUpdateCount = struct.unpack("<L",self.PEB[index:index+4])[0] 1075 index = 0x02c 1076 self.KernelCallbackTable = struct.unpack("<L",self.PEB[index:index+4])[0] 1077 index = 0x030 1078 self.SystemReserved = [] 1079 for i in range(0,2): 1080 self.SystemReserved.append(struct.unpack("<L",self.PEB[index:index+4])[0]) 1081 index += 4 1082 index = 0x038 1083 self.FreeList = struct.unpack("<L",self.PEB[index:index+4])[0] 1084 index = 0x03c 1085 self.TlsExpansionCounter = struct.unpack("<L",self.PEB[index:index+4])[0] 1086 index = 0x040 1087 self.TlsBitmap = struct.unpack("<L",self.PEB[index:index+4])[0] 1088 index = 0x044 1089 self.TlsBitmapBits = [] 1090 for i in range(0,2): 1091 self.TlsBitmapBits.append(struct.unpack("<L",self.PEB[index:index+4])[0]) 1092 index += 4 1093 index = 0x04c 1094 self.ReadOnlySharedMemoryBase = struct.unpack("<L",self.PEB[index:index+4])[0] 1095 index = 0x050 1096 self.ReadOnlySharedMemoryheap = struct.unpack("<L",self.PEB[index:index+4])[0] 1097 index = 0x054 1098 self.ReadOnlyStaticServerData = struct.unpack("<L",self.PEB[index:index+4])[0] 1099 index = 0x058 1100 self.AnsiCodePageData = struct.unpack("<L",self.PEB[index:index+4])[0] 1101 index = 0x05c 1102 self.OemCodePageData = struct.unpack("<L",self.PEB[index:index+4])[0] 1103 index = 0x060 1104 self.UnicodeCaseTableData = struct.unpack("<L",self.PEB[index:index+4])[0] 1105 index = 0x064 1106 self.NumberOfProcessors = struct.unpack("<L",self.PEB[index:index+4])[0] 1107 index = 0x068 1108 self.NtGlobalFlag = struct.unpack("<L",self.PEB[index:index+4])[0] 1109 1110 # ??? WHAT HAPPENS TO THE 4 bytes here ? 1111 1112 index = 0x070 1113 self.CriticalSectionTimeout_LowPart = struct.unpack("<L",self.PEB[index:index+4])[0] 1114 index = 0x074 1115 self.CriticalSectionTimeout_HighPart = struct.unpack("<L",self.PEB[index:index+4])[0] 1116 index = 0x078 1117 self.HeapSegmentReserve = struct.unpack("<L",self.PEB[index:index+4])[0] 1118 index = 0x07c 1119 self.HeapSegmentCommit = struct.unpack("<L",self.PEB[index:index+4])[0] 1120 index = 0x080 1121 self.HeapDeCommitTotalFreeThreshold = struct.unpack("<L",self.PEB[index:index+4])[0] 1122 index = 0x084 1123 self.HeapDeCommitFreeBlockThreshold = struct.unpack("<L",self.PEB[index:index+4])[0] 1124 index = 0x088 1125 self.NumberOfHeaps = struct.unpack("<L",self.PEB[index:index+4])[0] 1126 index = 0x08c 1127 self.MaximumNumberOfHeaps = struct.unpack("<L",self.PEB[index:index+4])[0] 1128 index = 0x090 1129 self.ProcessHeaps = struct.unpack("<L",self.PEB[index:index+4])[0] 1130 index = 0x094 1131 self.GdiSharedHandleTable = struct.unpack("<L",self.PEB[index:index+4])[0] 1132 index = 0x098 1133 self.ProcessStarterHelper = struct.unpack("<L",self.PEB[index:index+4])[0] 1134 index = 0x09c 1135 self.GdiDCAttributeList = struct.unpack("<L",self.PEB[index:index+4])[0] 1136 index = 0x0a0 1137 self.LoaderLock = struct.unpack("<L",self.PEB[index:index+4])[0] 1138 index = 0x0a4 1139 self.OSMajorVersion = struct.unpack("<L",self.PEB[index:index+4])[0] 1140 index = 0x0a8 1141 self.OSMinorVersion = struct.unpack("<L",self.PEB[index:index+4])[0] 1142 index = 0x0ac 1143 self.OSBuildNumber = struct.unpack("<H",self.PEB[index:index+2])[0] 1144 index = 0x0ae 1145 self.OSCSDVersion = struct.unpack("<H",self.PEB[index:index+2])[0] 1146 index = 0x0b0 1147 self.OSPlatformId = struct.unpack("<L",self.PEB[index:index+4])[0] 1148 index = 0x0b4 1149 self.ImageSubsystem = struct.unpack("<L",self.PEB[index:index+4])[0] 1150 index = 0x0b8 1151 self.ImageSubsystemMajorVersion = struct.unpack("<L",self.PEB[index:index+4])[0] 1152 index = 0x0bc 1153 self.ImageSubsystemMinorVersion = struct.unpack("<L",self.PEB[index:index+4])[0] 1154 index = 0x0c0 1155 self.ImageProcessAffinityMask = struct.unpack("<L",self.PEB[index:index+4])[0] 1156 index = 0x0c4 1157 # uint32 GdiHandleBuffer[34] 1158 self.GdiHandleBuffer = [] 1159 for i in range(0,34): 1160 self.GdiHandleBuffer.append(struct.unpack("<L",self.PEB[index:index+4])[0]) 1161 index += 4 1162 index = 0x14c 1163 self.PostProcessInitRoutine = struct.unpack("<L",self.PEB[index:index+4])[0] 1164 index = 0x150 1165 self.TlsExpansionBitmap = struct.unpack("<L",self.PEB[index:index+4])[0] 1166 index = 0x154 1167 # uint32 TlsExpansionBitmapBits[32] 1168 self.TlsExpansionBitmapBits = [] 1169 for i in range(0,32): 1170 self.TlsExpansionBitmapBits.append(struct.unpack("<L",self.PEB[index:index+4])[0]) 1171 index += 4 1172 index = 0x1d4 1173 self.SessionId = struct.unpack("<L",self.PEB[index:index+4])[0] 1174 index = 0x1d8 1175 self.AppCompatInfo = struct.unpack("<L",self.PEB[index:index+4])[0] 1176 index = 0x1dc 1177 # struct _UNICODE_STRING CSDVersion 1178 self.CSDVersion_Length = struct.unpack("<H",self.PEB[index:index+2])[0] 1179 index += 2 1180 self.CSDVersion_MaximumLength = struct.unpack("<H",self.PEB[index:index+2])[0] 1181 index += 2 1182 self.CSDVersion_Buffer = struct.unpack("<H",self.PEB[index:index+2])[0] 1183 index += 2
1184