tools Package

tools Package

Extra tools (mostly for windows)

iathook Module

Code for hooking import address tables by making them invalid pointers and catching the exceptions...

class vtrace.tools.iathook.IatHook(ptraddr, iatname)

Bases: vtrace.watchpoints.Watchpoint

Abuse the PageWatch subsystem to allow function pointers to be frob’d to create breakpoint like behavior.

activate(trace)

deactivate(trace)

getName()

newptr = 4227592192L

notify(event, trace)

resolveAddr(trace, addr)

vtrace.tools.iathook.hookIat(trace, libname, implib='*', impfunc='*', fast=False)

Hook the IAT with special “breakpoint” like objects which handle the memory access errors and document the calls... Set fast=True for them to be “Fastbreak” breakpoints.

This returns a list of (name, bpid) tuples...

Example:

for impname, bpid in hookIat(t, ‘ws2_32’)

t.setBreakpointCode(bpid, codestr) ...

win32alloc Module

A module with some cute toys for monitoring allocations.

class vtrace.tools.win32alloc.ReturnBreak(addr, chsize, chflags)

Bases: vtrace.breakpoints.Breakpoint

notify(event, trace)

class vtrace.tools.win32alloc.RtlAllocateHeapBreak(addr)

Bases: vtrace.breakpoints.Breakpoint

notify(event, trace)

vtrace.tools.win32alloc.clearHeapAllocs(trace)

vtrace.tools.win32alloc.getHeapAllocs(trace)

Return a list of (caller_eip, heap_chunk, size, flags) tuples

vtrace.tools.win32alloc.watchHeapAllocs(trace)

Add a breakpoint to ntdll.RtlAllocateHeap to watch for allocations and track who made them...

win32aslr Module

Utilities for windows tracer objects.

vtrace.tools.win32aslr.deAslr(trace, va)

Given an address in an ASLR’d library, rebase it back to the address as it would be if the given PE were at it’s suggested address...

win32heap Module

Windows heap allocation helper module

exception vtrace.tools.win32heap.ChunkNotFound

Bases: exceptions.Exception

exception vtrace.tools.win32heap.FreeListCorruption(heap, index, prevchunk, badchunk)

Bases: exceptions.Exception

exception vtrace.tools.win32heap.HeapCorruptionException(heap, segment, prevchunk, badchunk)

Bases: exceptions.Exception

class vtrace.tools.win32heap.Win32Chunk(trace, heap, address)

getDataAddress()

getDataBytes(maxsize=None)

getDataSize()

getFlinkBlink()

isBusy()

isLast()

reprFlags()

class vtrace.tools.win32heap.Win32Heap(trace, address)

getFlagNames()

getFreeLists()

Return a list of the free lists in this heap. (Not including look-aside)

getLookAsideLists()

Return a list of the lookaside list for this heap

getSegments()

Return a list of Win32Segment objects.

getUCRDict()

Retrieve a dictionary of <ucr_address>:<ucr_size> items.

(If this windows version doesn’t support UCRs, the dict will be empty)

hasLookAside()

Does this heap have a lookaside?

class vtrace.tools.win32heap.Win32Segment(trace, heap, address)

getChunks()

getLastChunk()

getSegmentEnd()

vtrace.tools.win32heap.getHeapSegChunk(trace, address)

Find and return the heap, segment, and chunk for the given addres (or exception).

vtrace.tools.win32heap.getHeaps(trace)

Get the win32 heaps (returns a list of Win32Heap objects)

vtrace.tools.win32heap.reprHeapFlags(flags)

win32stealth Module

Try to prevent an executable from knowing it’s being debugged.

class vtrace.tools.win32stealth.StealthBreak(address, expression=None)

Bases: vtrace.breakpoints.Breakpoint

A breakpoint to fake out CheckRemoteDebuggerPresent.

notify(event, trace)

vtrace.tools.win32stealth.stealthify(trace)

vtrace.tools.win32stealth.unstealthify(trace)

vtrace.tools.win32stealth.writeBeingDebugged(trace, val)