
Source Code for Package vdb.recon

  1  '''
 
  2  The recon subsystem for monitoring well known library
 
  3  calls and identifying dangerous calling mechanisms.
 
  4  
 
  5  NOTE: This subsystem assumes x86-style stack calling conventions:
  6  call arguments are read from the stack immediately above the saved
     return address, and pointers/hex values are printed 32 bits wide.
 
  7  
 
  8  Recon Format Chars (as handled by reprargs() below):
  9      S - A NULL terminated ascii string (at most 260 bytes are read)
 10      U - A NULL terminated utf-16le string (at most 260 code units are read)
 11      P - A platform width pointer (shown as a symbol when one resolves, else hex)
 12      I - An integer (32 bits for now...)
         C - A single character (the low byte of the argument)
         X - An integer shown in hex
 
 13  ''' 
 
 15  import vtrace.breakpoints as vt_breakpoints 
 
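def reprargs(trace, fmt, args):
    '''
    Render raw call arguments as printable strings.

    fmt is a string of recon format chars (one per argument) and args
    is a sequence of at least len(fmt) integer argument values as read
    from the debuggee's stack.  Returns a list of strings, one per
    format char, in order.

    Format chars:
        P - pointer; the symbol it resolves to (via repr), else hex
        I - integer; rendered with repr()
        U - pointer to a NULL terminated utf-16le string (max 260 code units)
        S - pointer to a NULL terminated ascii string (max 260 bytes)
        C - a single character (low byte of the argument)
        X - integer rendered in hex

    Raises ValueError when args has fewer entries than fmt and
    Exception for an unknown format char.

    NOTE: pointed-to strings come from debuggee memory and are untrusted.
    Every string rendering goes through repr(), so control characters and
    terminal escape sequences planted by the debuggee are shown escaped
    rather than interpreted by the console.  The reads are bounded so a
    missing NULL terminator cannot cause an unbounded memory read.
    '''
    if len(args) < len(fmt):
        raise ValueError('Recon format %r needs %d args, got %d' % (fmt, len(fmt), len(args)))

    r = []
    for fchr, arg in zip(fmt, args):

        if fchr == 'P':
            sym = trace.getSymByAddr(arg)
            if sym is not None:
                rstr = repr(sym)
            else:
                # The format string must be applied to the value; a bare
                # '0x%.8x' would print the literal template text.
                rstr = '0x%.8x' % arg

        elif fchr == 'I':
            rstr = repr(arg)

        elif fchr == 'U':
            if arg == 0:
                rstr = 'NULL'
            elif not trace.isValidPointer(arg):
                rstr = '0x%.8x' % arg
            else:
                # 260 utf-16 code units (MAX_PATH-ish) is the read bound;
                # NOTE(review): readMemory() may still fail if that span
                # crosses into an unmapped page - confirm its behaviour.
                buf = trace.readMemory(arg, 260*2)
                ubuf = buf.decode('utf-16le', 'ignore')
                rstr = repr(ubuf.split(u'\x00')[0])

        elif fchr == 'S':
            if arg == 0:
                rstr = 'NULL'
            elif not trace.isValidPointer(arg):
                rstr = '0x%.8x' % arg
            else:
                # 260 bytes is the read bound (see the 'U' case above).
                # b'\x00' keeps this working whether readMemory() returns
                # a python 2 str or python 3 bytes.
                buf = trace.readMemory(arg, 260)
                rstr = repr(buf.split(b'\x00')[0])

        elif fchr == 'C':
            rstr = repr(chr(arg & 0xff))

        elif fchr == 'X':
            rstr = '0x%.8x' % arg

        else:
            raise Exception('Unknown Recon Format: %s' % fchr)

        r.append(rstr)
    return r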
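class ReconBreak(vt_breakpoints.Breakpoint):
    '''
    A fast-break breakpoint on a named symbol that records (and, unless
    the 'recon_quiet' trace meta is set, prints) the call's stack
    arguments each time it is hit.

    Hits are appended to the trace's 'recon_hits' meta list as
    (threadid, savedeip, symname, argtup, argreprtup) tuples.
    '''
    def __init__(self, symname, reconfmt):
        '''
        symname  - symbol expression the breakpoint is resolved against
        reconfmt - recon format string, one char per stack argument
        '''
        vt_breakpoints.Breakpoint.__init__(self, None, expression=symname)
        self.fastbreak = True # We are a fast-break, don't notify the trace
        self._symname = symname
        self._reconfmt = reconfmt

    def getName(self):
        '''
        Return a display name of the form "symname(reconfmt)".
        '''
        return '%s(%s)' % (self._symname, self._reconfmt)

    def notify(self, event, trace):
        '''
        Called on each hit: read the saved return address plus
        len(reconfmt) pointer-width slots from the top of the stack,
        render them with reprargs() and record the hit.

        NOTE: this assumes an x86-style stack-args convention (return
        address at the stack pointer, arguments directly above it).
        Everything read here comes from debuggee memory and is untrusted;
        rendering goes through repr() before anything is printed.
        '''
        thid = trace.getMeta('ThreadId')
        stackptr = trace.getStackCounter()

        # One extra slot for the saved return address at the stack top.
        rawargs = trace.readMemoryFormat(stackptr, '<%dP' % (len(self._reconfmt) + 1))
        savedeip = rawargs[0]
        args = rawargs[1:]

        # Create the hit list on demand so a ReconBreak added directly
        # with trace.addBreakpoint() (bypassing addReconBreak) does not
        # blow up with AttributeError on None the first time it fires.
        recon_hits = trace.getMeta('recon_hits')
        if recon_hits is None:
            recon_hits = []
            trace.setMeta('recon_hits', recon_hits)

        argrep = reprargs(trace, self._reconfmt, args)
        recon_hits.append((thid, savedeip, self._symname, args, argrep))

        if not trace.getMeta('recon_quiet'):
            argstr = '(%s)' % ', '.join(argrep)
            # Single-argument print(...) behaves the same on python 2 and 3.
            print('RECON: %.4d 0x%.8x %s%s' % (thid, savedeip, self._symname, argstr))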
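def addReconBreak(trace, symname, reconfmt):
    '''
    Add a ReconBreak on symname using the given recon format string and
    return the breakpoint id.  Ensures the trace's 'recon_hits' meta
    list exists.

    Raises ValueError if reconfmt contains a char reprargs() does not
    understand, so a typo fails here rather than inside the breakpoint
    callback on the first hit.
    '''
    # Must mirror the set of format chars handled by reprargs().
    bad = [c for c in reconfmt if c not in 'PIUSCX']
    if bad:
        raise ValueError('Unknown Recon Format char(s) %r in %r' % (''.join(bad), reconfmt))

    if trace.getMeta('recon_hits') is None:
        trace.setMeta('recon_hits', [])
    bp = ReconBreak(symname, reconfmt)
    bpid = trace.addBreakpoint(bp)
    return bpid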
def clearReconHits(trace):
    '''
    Reset the trace's 'recon_hits' meta to an empty list, discarding
    every hit recorded so far.
    '''
    empty = []
    trace.setMeta('recon_hits', empty)
def getReconHits(trace):
    '''
    Return the list of recorded recon "hit" tuples, each of the form
    (threadid, savedeip, symname, argtup, argreprtup).  If nothing has
    been recorded yet an empty list is returned.
    '''
    hits = trace.getMeta('recon_hits', [])
    return hits