#!c:\\python\\python.exe
"""
Null Selector Mem-Monitor Proof of Concept
Copyright (C) 2007 Pedram Amini <[email protected]>
$Id: null_selector_mem_monitor_poc.py 214 2007-08-23 05:48:44Z pedram $
Description:
Pydbg implementation of skape's null selector mem-monitor technique:
http://www.uninformed.org/?v=7&a=1
I forget how functional this is, or if it even really works.
TODO (performance improvements):
- intelligently skip over REP sequences
"""
import re

from pydbg import *
from pydbg.defines import *
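def evaluate_expression(dbg):
    """
    Resolve the effective address of the memory operand of the faulting instruction.

    The instruction at dbg.exception_address is disassembled, every general
    purpose register name in the text is replaced by that register's current
    value, and the arithmetic between the first '[' and ']' is evaluated.

    @type  dbg: pydbg
    @param dbg: debugger instance stopped on the access violation
    @rtype:  int
    @return: effective address of the memory operand
    @raise ValueError: the instruction has no bracketed memory operand, or the
                       operand text contains anything but integer arithmetic
    """
    expression = dbg.disasm(dbg.exception_address)

    # esp included: stack-relative operands ([esp+8]) are common and would
    # otherwise reach eval() as an unresolved name.
    for reg in ["eax", "ebx", "ecx", "edx", "ebp", "esp", "esi", "edi"]:
        expression = expression.replace(reg, "%d" % dbg.get_register(reg))

    operand = expression[expression.index('[') + 1:expression.index(']')]

    # eval() on text derived from the debuggee's code: admit only decimal/hex
    # literals, whitespace and + - * so nothing but integer arithmetic runs.
    if not re.match(r"^[0-9a-fA-FxX+\-*\s]+$", operand):
        raise ValueError("unexpected memory operand: %r" % operand)

    return eval(operand)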
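def set_selectors(dbg, val, thread_id=None):
    """
    Load *val* into the DS and ES segment selectors of one or all debuggee threads.

    @type  dbg:       pydbg
    @param dbg:       debugger instance
    @type  val:       int
    @param val:       selector value to store in SegDs and SegEs
    @type  thread_id: int | None
    @param thread_id: thread to modify; None means every thread returned by
                      dbg.enumerate_threads()
    """
    if thread_id is not None:
        thread_ids = [thread_id]
    else:
        thread_ids = dbg.enumerate_threads()

    for tid in thread_ids:
        handle = dbg.open_thread(tid)
        # close the thread handle even if reading or writing the context fails,
        # otherwise a failure mid-loop leaks the handle.
        try:
            context = dbg.get_thread_context(handle)
            context.SegDs = val
            context.SegEs = val
            dbg.set_thread_context(context, handle)
        finally:
            dbg.close_handle(handle)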
def entry_point(dbg):
    """
    Breakpoint handler for the debuggee's entry point.

    Prints the instruction at the breakpoint and the current DS selector, then
    zeroes DS/ES on every thread (the null-selector trick described in the
    module docstring).

    @type  dbg: pydbg
    @param dbg: debugger instance stopped at the breakpoint
    @return: DBG_CONTINUE
    """
    address = dbg.exception_address
    print("%08x: %s" % (address, dbg.disasm(address)))
    print("%08x" % dbg.context.SegDs)

    # no thread id: every thread of the process is modified.
    set_selectors(dbg, 0)

    return DBG_CONTINUE
def av_handler(dbg):
    """
    Access violation handler: let the faulting instruction through, then re-arm.

    The faulting thread gets 0x23 loaded into DS/ES (presumably the usual flat
    user-mode data selector -- confirm) so the instruction can complete. A
    REP-prefixed instruction is allowed to run to completion via a breakpoint
    placed just past it; any other instruction is single-stepped. Both paths
    end in nullify_selectors, which zeroes the selectors again.

    @type  dbg: pydbg
    @param dbg: debugger instance stopped on the access violation
    @return: DBG_CONTINUE
    """
    # only consumed by the commented-out debugging aids below.
    direction = "write to" if dbg.write_violation else "read from"
    #print "AV: %08x via %s %08x" % (dbg.exception_address, direction, evaluate_expression(dbg))
    #print dbg.dump_context()

    faulting_tid = dbg.dbg.dwThreadId
    set_selectors(dbg, 0x23, faulting_tid)

    if not dbg.mnemonic.startswith("rep"):
        dbg.single_step(True)
    else:
        # NOTE(review): pydbg breakpoints persist by default, so this one stays
        # armed after its first hit and re-enters nullify_selectors on every
        # later pass; a one-shot breakpoint would avoid that -- confirm against
        # bp_set's restore parameter before changing.
        resume_address = dbg.exception_address + dbg.instruction.length
        dbg.bp_set(resume_address, handler=nullify_selectors)

    return DBG_CONTINUE
def nullify_selectors(dbg):
    """
    Zero DS/ES on the thread that raised the current debug event.

    Installed for EXCEPTION_SINGLE_STEP and as the handler of the breakpoint
    av_handler drops after a REP instruction, so the selectors are nulled again
    once the faulting instruction has executed.

    @type  dbg: pydbg
    @param dbg: debugger instance
    @return: DBG_CONTINUE
    """
    current_tid = dbg.dbg.dwThreadId
    set_selectors(dbg, 0, thread_id=current_tid)
    return DBG_CONTINUE
def thread_handler(dbg):
    """
    CREATE_THREAD_DEBUG_EVENT callback: null DS/ES on the newly created thread
    so it is monitored like the rest of the process.

    @type  dbg: pydbg
    @param dbg: debugger instance
    @return: DBG_CONTINUE
    """
    new_tid = dbg.dbg.dwThreadId
    set_selectors(dbg, val=0, thread_id=new_tid)
    return DBG_CONTINUE
dbg = pydbg()
# access violations drive the technique: av_handler restores the selectors on
# the faulting thread and lets the instruction execute.
dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, av_handler)
# after av_handler single-steps the instruction, null the selectors again.
dbg.set_callback(EXCEPTION_SINGLE_STEP, nullify_selectors)
# threads created later get their selectors nulled as they appear.
dbg.set_callback(CREATE_THREAD_DEBUG_EVENT, thread_handler)
dbg.load(r"c:\windows\system32\calc.exe")
# NOTE(review): hard-coded address, presumably the entry point of one specific
# calc.exe build; it will not match other versions -- confirm before use.
# entry_point zeroes the selectors on all threads once it fires.
dbg.bp_set(0x01012475, handler=entry_point)
dbg.run()