recon Package

recon Package

The recon subsystem for monitoring well known library calls and identifying dangerous calling mechanisms.

NOTE: This subsystem pretty much assumes some intel-like conventions...

Recon Format Chars:

A - A NULL terminated ascii string W - A NULL terminated utf-16le string P - A platform width pointer I - An integer (32 bits for now...)

class vdb.recon.ReconBreak(symname, reconfmt)

Bases: vtrace.breakpoints.Breakpoint

getName()

notify(event, trace)

vdb.recon.addReconBreak(trace, symname, reconfmt)

vdb.recon.clearReconHits(trace)

Clear the current list of recon hits.

vdb.recon.getReconHits(trace)

Get the list of recon “hits” entries. Each hit entry is a tuple of (threadid, savedeip, symname, argtup, argreprtup).

vdb.recon.reprargs(trace, fmt, args)

dopestack Module

A quick set of tools for doing stack doping.

class vdb.recon.dopestack.ThreadDopeNotifier

Bases: vtrace.notifiers.Notifier

notify(event, trace)

vdb.recon.dopestack.disableEventDoping(trace)

vdb.recon.dopestack.dopeAllThreadStacks(trace)

Apply stack doping to all thread stacks.

vdb.recon.dopestack.dopeThreadStack(trace, threadid)

vdb.recon.dopestack.enableEventDoping(trace)

sniper Module

Specialized breakpoints which identify dangerous calling mechanisms and tag them.

class vdb.recon.sniper.SniperArgValueBreak(symname, argidx, argval)

Bases: vtrace.breakpoints.Breakpoint

A breakpoint for monitoring an API for being called with a particular value.

class vdb.recon.sniper.SniperDynArgBreak(symname, argidx)

Bases: vtrace.breakpoints.Breakpoint

A breakpoint for use in determining if an API was called with a dynamic pointer.

getName()

notify(event, trace)

vdb.recon.sniper.getStackArg(trace, argidx)

Assuming we are at the instruction after a call, grab the stack argument at the specified index (skipping the saved instruction pointer).

vdb.recon.sniper.snipeDynArg(trace, symname, argidx)

Construct a SnyperDynArgBreak and snap it in.