| Trees | Indices | Help |
|---|
|
|
1 """
2 Win32 Platform Module
3 """
4 # Copyright (C) 2007 Invisigoth - See LICENSE file for details
5 import os
6 import sys
7 import struct
8 import traceback
9 import platform
10
11 import PE
12
13 import vstruct
14 import vstruct.builder as vs_builder
15 import vstruct.defs.win32 as vs_win32
16 import vstruct.defs.windows as vs_windows
17
18 import vtrace
19 import vtrace.archs.i386 as v_i386
20 import vtrace.archs.amd64 as v_amd64
21 import vtrace.platforms.base as v_base
22
23 import envi
24 import envi.bits as e_bits
25 import envi.memory as e_mem
26 import envi.resolver as e_resolv
27 import envi.archs.i386 as e_i386
28 import envi.archs.amd64 as e_amd64
29
30 from ctypes import *
31 #from ctypes.wintypes import *
32
33 platdir = os.path.dirname(__file__)
34
35 kernel32 = None
36 dbghelp = None
37 psapi = None
38 ntdll = None
39 advapi32 = None
40
41 IsWow64Process = None
42
43 # Setup some ctypes helpers:
44 # NOTE: we don't use LPVOID because it can return None.
45 # c_size_t is the designated platform word width int.
46 LPVOID = c_size_t
47 HANDLE = LPVOID
48 SIZE_T = LPVOID
49 QWORD = c_ulonglong
50 DWORD = c_ulong
51 WORD = c_ushort
52 BOOL = c_ulong
53 BYTE = c_ubyte
54 NULL = 0
55
56 INFINITE = 0xffffffff
57 EXCEPTION_MAXIMUM_PARAMETERS = 15
58
59 # Debug Event Types
60 EXCEPTION_DEBUG_EVENT =1
61 CREATE_THREAD_DEBUG_EVENT =2
62 CREATE_PROCESS_DEBUG_EVENT =3
63 EXIT_THREAD_DEBUG_EVENT =4
64 EXIT_PROCESS_DEBUG_EVENT =5
65 LOAD_DLL_DEBUG_EVENT =6
66 UNLOAD_DLL_DEBUG_EVENT =7
67 OUTPUT_DEBUG_STRING_EVENT =8
68 RIP_EVENT =9
69
70 # Symbol Flags
71 SYMFLAG_VALUEPRESENT = 0x00000001
72 SYMFLAG_REGISTER = 0x00000008
73 SYMFLAG_REGREL = 0x00000010
74 SYMFLAG_FRAMEREL = 0x00000020
75 SYMFLAG_PARAMETER = 0x00000040
76 SYMFLAG_LOCAL = 0x00000080
77 SYMFLAG_CONSTANT = 0x00000100
78 SYMFLAG_EXPORT = 0x00000200
79 SYMFLAG_FORWARDER = 0x00000400
80 SYMFLAG_FUNCTION = 0x00000800
81 SYMFLAG_VIRTUAL = 0x00001000
82 SYMFLAG_THUNK = 0x00002000
83 SYMFLAG_TLSREL = 0x00004000
84
85 # Symbol Resolution Options
86 SYMOPT_CASE_INSENSITIVE = 0x00000001
87 SYMOPT_UNDNAME = 0x00000002
88 SYMOPT_DEFERRED_LOADS = 0x00000004
89 SYMOPT_NO_CPP = 0x00000008
90 SYMOPT_LOAD_LINES = 0x00000010
91 SYMOPT_OMAP_FIND_NEAREST = 0x00000020
92 SYMOPT_LOAD_ANYTHING = 0x00000040
93 SYMOPT_IGNORE_CVREC = 0x00000080
94 SYMOPT_NO_UNQUALIFIED_LOADS = 0x00000100
95 SYMOPT_FAIL_CRITICAL_ERRORS = 0x00000200
96 SYMOPT_EXACT_SYMBOLS = 0x00000400
97 SYMOPT_ALLOW_ABSOLUTE_SYMBOLS = 0x00000800
98 SYMOPT_IGNORE_NT_SYMPATH = 0x00001000
99 SYMOPT_INCLUDE_32BIT_MODULES = 0x00002000
100 SYMOPT_PUBLICS_ONLY = 0x00004000
101 SYMOPT_NO_PUBLICS = 0x00008000
102 SYMOPT_AUTO_PUBLICS = 0x00010000
103 SYMOPT_NO_IMAGE_SEARCH = 0x00020000
104 SYMOPT_SECURE = 0x00040000
105 SYMOPT_NO_PROMPTS = 0x00080000
106 SYMOPT_OVERWRITE = 0x00100000
107 SYMOPT_DEBUG = 0x80000000
108
109 # Exception Types
110 EXCEPTION_WAIT_0 = 0x00000000L
111 EXCEPTION_ABANDONED_WAIT_0 = 0x00000080L
112 EXCEPTION_USER_APC = 0x000000C0L
113 EXCEPTION_TIMEOUT = 0x00000102L
114 EXCEPTION_PENDING = 0x00000103L
115 DBG_EXCEPTION_HANDLED = 0x00010001L
116 DBG_CONTINUE = 0x00010002L
117 EXCEPTION_SEGMENT_NOTIFICATION = 0x40000005L
118 DBG_TERMINATE_THREAD = 0x40010003L
119 DBG_TERMINATE_PROCESS = 0x40010004L
120 DBG_CONTROL_C = 0x40010005L
121 DBG_CONTROL_BREAK = 0x40010008L
122 DBG_COMMAND_EXCEPTION = 0x40010009L
123 EXCEPTION_GUARD_PAGE_VIOLATION = 0x80000001L
124 EXCEPTION_DATATYPE_MISALIGNMENT = 0x80000002L
125 EXCEPTION_BREAKPOINT = 0x80000003L
126 EXCEPTION_SINGLE_STEP = 0x80000004L
127 DBG_EXCEPTION_NOT_HANDLED = 0x80010001L
128 EXCEPTION_ACCESS_VIOLATION = 0xC0000005L
129 EXCEPTION_IN_PAGE_ERROR = 0xC0000006L
130 EXCEPTION_INVALID_HANDLE = 0xC0000008L
131 EXCEPTION_NO_MEMORY = 0xC0000017L
132 EXCEPTION_ILLEGAL_INSTRUCTION = 0xC000001DL
133 EXCEPTION_NONCONTINUABLE_EXCEPTION = 0xC0000025L
134 EXCEPTION_INVALID_DISPOSITION = 0xC0000026L
135 EXCEPTION_ARRAY_BOUNDS_EXCEEDED = 0xC000008CL
136 EXCEPTION_FLOAT_DENORMAL_OPERAND = 0xC000008DL
137 EXCEPTION_FLOAT_DIVIDE_BY_ZERO = 0xC000008EL
138 EXCEPTION_FLOAT_INEXACT_RESULT = 0xC000008FL
139 EXCEPTION_FLOAT_INVALID_OPERATION = 0xC0000090L
140 EXCEPTION_FLOAT_OVERFLOW = 0xC0000091L
141 EXCEPTION_FLOAT_STACK_CHECK = 0xC0000092L
142 EXCEPTION_FLOAT_UNDERFLOW = 0xC0000093L
143 EXCEPTION_INTEGER_DIVIDE_BY_ZERO = 0xC0000094L
144 EXCEPTION_INTEGER_OVERFLOW = 0xC0000095L
145 EXCEPTION_PRIVILEGED_INSTRUCTION = 0xC0000096L
146 EXCEPTION_STACK_OVERFLOW = 0xC00000FDL
147 EXCEPTION_CONTROL_C_EXIT = 0xC000013AL
148 EXCEPTION_FLOAT_MULTIPLE_FAULTS = 0xC00002B4L
149 EXCEPTION_FLOAT_MULTIPLE_TRAPS = 0xC00002B5L
150 EXCEPTION_REG_NAT_CONSUMPTION = 0xC00002C9L
151
152 # Context Info
153 CONTEXT_i386 = 0x00010000 # this assumes that i386 and
154 CONTEXT_i486 = 0x00010000 # i486 have identical context records
155 CONTEXT_AMD64 = 0x00100000 # For amd x64...
156
157 CONTEXT_CONTROL = 0x00000001L # SS:SP, CS:IP, FLAGS, BP
158 CONTEXT_INTEGER = 0x00000002L # AX, BX, CX, DX, SI, DI
159 CONTEXT_SEGMENTS = 0x00000004L # DS, ES, FS, GS
160 CONTEXT_FLOATING_POINT = 0x00000008L # 387 state
161 CONTEXT_DEBUG_REGISTERS = 0x00000010L # DB 0-3,6,7
162 CONTEXT_EXTENDED_REGISTERS = 0x00000020L # cpu specific extensions
163 CONTEXT_FULL = (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS)
164 CONTEXT_ALL = (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS)
165
166
167 # Thread Permissions
168 THREAD_ALL_ACCESS = 0x001f03ff
169 PROCESS_ALL_ACCESS = 0x001f0fff
170
171 # Memory Permissions
172 PAGE_NOACCESS = 0x01
173 PAGE_READONLY = 0x02
174 PAGE_READWRITE = 0x04
175 PAGE_WRITECOPY = 0x08
176 PAGE_EXECUTE = 0x10
177 PAGE_EXECUTE_READ = 0x20
178 PAGE_EXECUTE_READWRITE = 0x40
179 PAGE_EXECUTE_WRITECOPY = 0x80
180 PAGE_GUARD = 0x100
181 PAGE_NOCACHE = 0x200
182 PAGE_WRITECOMBINE = 0x400
183
184 # Map win32 permissions to envi permissions
185 perm_lookup = {
186 PAGE_NOACCESS:0,
187 PAGE_READONLY:e_mem.MM_READ,
188 PAGE_READWRITE: e_mem.MM_READ | e_mem.MM_WRITE,
189 PAGE_WRITECOPY: e_mem.MM_READ | e_mem.MM_WRITE,
190 PAGE_EXECUTE: e_mem.MM_EXEC,
191 PAGE_EXECUTE_READ: e_mem.MM_EXEC | e_mem.MM_READ,
192 PAGE_EXECUTE_READWRITE: e_mem.MM_EXEC | e_mem.MM_READ | e_mem.MM_WRITE,
193 PAGE_EXECUTE_WRITECOPY: e_mem.MM_EXEC | e_mem.MM_READ | e_mem.MM_WRITE,
194 }
195
196 # To get win32 permssions from envi permissions
197 perm_rev_lookup = {
198 0:PAGE_NOACCESS,
199 e_mem.MM_READ:PAGE_READONLY,
200 e_mem.MM_READ|e_mem.MM_WRITE:PAGE_READWRITE,
201 e_mem.MM_EXEC:PAGE_EXECUTE,
202 e_mem.MM_EXEC|e_mem.MM_READ:PAGE_EXECUTE_READ,
203 e_mem.MM_EXEC|e_mem.MM_READ|e_mem.MM_WRITE:PAGE_EXECUTE_READWRITE,
204 }
205
206 # Memory States
207 MEM_COMMIT = 0x1000
208 MEM_FREE = 0x10000
209 MEM_RESERVE = 0x2000
210
211 # Memory Types
212 MEM_IMAGE = 0x1000000
213 MEM_MAPPED = 0x40000
214 MEM_PRIVATE = 0x20000
215
216 # Process Creation Flags
217 DEBUG_ONLY_THIS_PROCESS = 0x02
218
219 MAX_PATH=260
226
227 # The enum of NtSystemDebugControl operations
228 SysDbgQueryModuleInformation = 0
229 SysDbgQueryTraceInformation = 1
230 SysDbgSetTracepoint = 2
231 SysDbgSetSpecialCall = 3
232 SysDbgClearSpecialCalls = 4
233 SysDbgQuerySpecialCalls = 5
234 SysDbgBreakPoint = 6
235 SysDbgQueryVersion = 7
236 SysDbgReadVirtual = 8
237 SysDbgWriteVirtual = 9
238 SysDbgReadPhysical = 10
239 SysDbgWritePhysical = 11
240 SysDbgReadControlSpace = 12
241 SysDbgWriteControlSpace = 13
242 SysDbgReadIoSpace = 14
243 SysDbgWriteIoSpace = 15
244 SysDbgReadMsr = 16
245 SysDbgWriteMsr = 17
246 SysDbgReadBusData = 18
247 SysDbgWriteBusData = 19
248 SysDbgCheckLowMemory = 20
249 SysDbgEnableKernelDebugger = 21
250 SysDbgDisableKernelDebugger = 22
251 SysDbgGetAutoKdEnable = 23
252 SysDbgSetAutoKdEnable = 24
253 SysDbgGetPrintBufferSize = 25
254 SysDbgSetPrintBufferSize = 26
255 SysDbgGetKdUmExceptionEnable = 27
256 SysDbgSetKdUmExceptionEnable = 28
257 SysDbgGetTriageDump = 29
258 SysDbgGetKdBlockEnable = 30
259 SysDbgSetKdBlockEnable = 31
260 SysDbgRegisterForUmBreakInfo = 32
261 SysDbgGetUmBreakPid = 33
262 SysDbgClearUmBreakPid = 34
263 SysDbgGetUmAttachPid = 35
264 SysDbgClearUmAttachPid = 36
267 m = MSR()
268 m.msr = msrid
269 m.value = value
270 mptr = addressof(m)
271 x = ntdll.NtSystemDebugControl(SysDbgWriteMsr, mptr, sizeof(m), 0, 0, 0)
272 if x != 0:
273 raise vtrace.PlatformException('NtSystemDebugControl Failed: 0x%.8x' % kernel32.GetLastError())
274 return 0
275
277 m = MSR()
278 m.msr = msrid
279 m.value = 0
280
281 mptr = addressof(m)
282 msize = sizeof(m)
283
284 x = ntdll.NtSystemDebugControl(SysDbgReadMsr, mptr, msize, mptr, msize, 0)
285 if x != 0:
286 raise vtrace.PlatformException('NtSystemDebugControl Failed: 0x%.8x' % kernel32.GetLastError())
287 return m.value
288
289 SC_MANAGER_ALL_ACCESS = 0xF003F
290 SC_MANAGER_CREATE_SERVICE = 0x0002
291 SC_MANAGER_CONNECT = 0x0001
292 SC_MANAGER_ENUMERATE_SERVICE = 0x0004
293 SC_MANAGER_LOCK = 0x0008
294 SC_MANAGER_MODIFY_BOOT_CONFIG = 0x0020
295 SC_MANAGER_QUERY_LOCK_STATUS = 0x0010
296
297 SC_ENUM_PROCESS_INFO = 0
298
299 SERVICE_WIN32 = 0x30
300
301 SERVICE_ACTIVE = 0x01
302 SERVICE_INNACTIVE = 0x02
303 SERVICE_STATE_ALL = 0x03
306 _fields_ = [
307 ('dwServiceType', DWORD),
308 ('dwCurrentState', DWORD),
309 ('dwControlsAccepted', DWORD),
310 ('dwWin32ExitCode', DWORD),
311 ('dwServiceSpecificExitCode',DWORD),
312 ('dwCheckPoint', DWORD),
313 ('dwWaitHint', DWORD),
314 ('dwProcessId', DWORD),
315 ('dwServiceFlags', DWORD)
316 ]
317
319 _fields_ = [
320 ('lpServiceName', c_wchar_p),
321 ('lpDisplayName', c_wchar_p),
322 ('ServiceStatusProcess', SERVICE_STATUS_PROCESS),
323 ]
324
326 _fields_ = [
327 ("ExceptionCode", DWORD),
328 ("ExceptionFlags", DWORD),
329 ("ExceptionRecord", LPVOID),
330 ("ExceptionAddress", LPVOID),
331 ("NumberParameters", c_ulong),
332 ("ExceptionInformation", LPVOID * EXCEPTION_MAXIMUM_PARAMETERS)
333 ]
334
340
342 _fields_ = [
343 ("Thread", HANDLE),
344 ("ThreadLocalBase", LPVOID),
345 ("StartAddress", LPVOID)
346 ]
347
349 _fields_ = [
350 ("File", HANDLE),
351 ("Process", HANDLE),
352 ("Thread", HANDLE),
353 ("BaseOfImage", LPVOID),
354 ("DebugInfoFileOffset", c_ulong),
355 ("DebugInfoSize", c_ulong),
356 ("ThreadLocalBase", LPVOID),
357 ("StartAddress", LPVOID),
358 ("ImageName", LPVOID),
359 ("Unicode", c_short),
360 ]
361
363 _fields_ = [("ExitCode", c_ulong),]
364
366 _fields_ = [("ExitCode", c_ulong),]
367
369 _fields_ = [
370 ("File", HANDLE),
371 ("BaseOfDll", LPVOID),
372 ("DebugInfoFileOffset", c_ulong),
373 ("DebugInfoSize", c_ulong),
374 ("ImageName", LPVOID),
375 ("Unicode", c_ushort),
376 ]
382 _fields_ = [
383 ("DebugStringData", LPVOID),
384 ("Unicode", c_ushort),
385 ("DebugStringLength", c_ushort),
386 ]
392
394 _fields_ = [ ("Exception",EXCEPTION_DEBUG_INFO),
395 ("CreateThread", CREATE_THREAD_DEBUG_INFO),
396 ("CreateProcessInfo", CREATE_PROCESS_DEBUG_INFO),
397 ("ExitThread", EXIT_THREAD_DEBUG_INFO),
398 ("ExitProcess", EXIT_PROCESS_DEBUG_INFO),
399 ("LoadDll", LOAD_DLL_DEBUG_INFO),
400 ("UnloadDll", UNLOAD_DLL_DEBUG_INFO),
401 ("DebugString", OUTPUT_DEBUG_STRING_INFO),
402 ("RipInfo", RIP_INFO)]
403
405 _fields_ = [
406 ("DebugEventCode", c_ulong),
407 ("ProcessId", c_ulong),
408 ("ThreadId", c_ulong),
409 ("u", DBG_EVENT_UNION),
410 ]
411
413 _fields_ = [("ControlWord", c_ulong),
414 ("StatusWord", c_ulong),
415 ("TagWord", c_ulong),
416 ("ErrorOffset", c_ulong),
417 ("ErrorSelector", c_ulong),
418 ("DataOffset", c_ulong),
419 ("DataSelector", c_ulong),
420 ("RegisterSave", c_byte*80),
421 ("Cr0NpxState", c_ulong),
422 ]
423
425 _fields_ = [
426
427 ("P1Home",c_ulonglong),
428 ("P2Home",c_ulonglong),
429 ("P3Home",c_ulonglong),
430 ("P4Home",c_ulonglong),
431 ("P5Home",c_ulonglong),
432 ("P6Home",c_ulonglong),
433
434 ("ContextFlags", DWORD),
435 ("MxCsr",DWORD),
436
437 ("cs",WORD),
438 ("ds",WORD),
439 ("es",WORD),
440 ("fs", WORD),
441 ("gs",WORD),
442 ("ss",WORD),
443 ("eflags",DWORD),
444
445 ("debug0",c_ulonglong),
446 ("debug1",c_ulonglong),
447 ("debug2",c_ulonglong),
448 ("debug3",c_ulonglong),
449 ("debug6",c_ulonglong),
450 ("debug7",c_ulonglong),
451
452 ("rax",c_ulonglong),
453 ("rcx",c_ulonglong),
454 ("rdx",c_ulonglong),
455 ("rbx",c_ulonglong),
456 ("rsp",c_ulonglong),
457 ("rbp",c_ulonglong),
458 ("rsi",c_ulonglong),
459 ("rdi",c_ulonglong),
460 ("r8",c_ulonglong),
461 ("r9",c_ulonglong),
462 ("r10",c_ulonglong),
463 ("r11",c_ulonglong),
464 ("r12",c_ulonglong),
465 ("r13",c_ulonglong),
466 ("r14",c_ulonglong),
467 ("r15",c_ulonglong),
468 ("rip",c_ulonglong),
469
470 ("foo",c_ulonglong*200),
471
472 #union {
473 #XMM_SAVE_AREA32 FltSave,
474 #struct {
475 #M128A Header[2],
476 #M128A Legacy[8],
477 #M128A Xmm0,
478 #M128A Xmm1,
479 #M128A Xmm2,
480 #M128A Xmm3,
481 #M128A Xmm4,
482 #M128A Xmm5,
483 #M128A Xmm6,
484 #M128A Xmm7,
485 #M128A Xmm8,
486 #M128A Xmm9,
487 #M128A Xmm10,
488 #M128A Xmm11,
489 #M128A Xmm12,
490 #M128A Xmm13,
491 #M128A Xmm14,
492 #M128A Xmm15,
493 #},
494 #},
495
496 #M128A VectorRegister[26],
497 #(VectorControl,c_ulonglong),
498
499 #(DebugControl,c_ulonglong),
500 #(LastBranchToRip,c_ulonglong),
501 #(LastBranchFromRip,c_ulonglong),
502 #(LastExceptionToRip,c_ulonglong),
503 #(LastExceptionFromRip,c_ulonglong),
504 ]
505
508
515
517 _fields_ = [
518 ('Header', M128A * 2),
519 ('Legacy', M128A * 8),
520 ('_xmm0', M128A),
521 ('_xmm1', M128A),
522 ('_xmm2', M128A),
523 ('_xmm3', M128A),
524 ('_xmm4', M128A),
525 ('_xmm5', M128A),
526 ('_xmm6', M128A),
527 ('_xmm7', M128A),
528 ("Pad", c_byte * 224),
529 ]
530
532 _fields_ = [ ("ContextFlags", c_ulong),
533 ("debug0", c_ulong),
534 ("debug1", c_ulong),
535 ("debug2", c_ulong),
536 ("debug3", c_ulong),
537 ("debug6", c_ulong),
538 ("debug7", c_ulong),
539 ("FloatSave", FloatSavex86),
540 ("gs", c_ulong),
541 ("fs", c_ulong),
542 ("es", c_ulong),
543 ("ds", c_ulong),
544 ("edi", c_ulong),
545 ("esi", c_ulong),
546 ("ebx", c_ulong),
547 ("edx", c_ulong),
548 ("ecx", c_ulong),
549 ("eax", c_ulong),
550 ("ebp", c_ulong),
551 ("eip", c_ulong),
552 ("cs", c_ulong),
553 ("eflags", c_ulong),
554 ("esp", c_ulong),
555 ("ss", c_ulong),
556
557 #("Extension", c_byte * 512),
558 ('Extension', ExtendedXmmx86),
559
560 #M128A Header[2],
561 #M128A Legacy[8],
562 #M128A Xmm0,
563 #M128A Xmm1,
564 #M128A Xmm2,
565 #M128A Xmm3,
566 #M128A Xmm4,
567 #M128A Xmm5,
568 #M128A Xmm6,
569 #M128A Xmm7,
570 ]
571
573 self.xmm0 = (self.Extension._xmm0.High << 8) + self.Extension._xmm0.Low
574 self.xmm1 = (self.Extension._xmm1.High << 8) + self.Extension._xmm1.Low
575 self.xmm2 = (self.Extension._xmm2.High << 8) + self.Extension._xmm2.Low
576 self.xmm3 = (self.Extension._xmm3.High << 8) + self.Extension._xmm3.Low
577 self.xmm4 = (self.Extension._xmm4.High << 8) + self.Extension._xmm4.Low
578 self.xmm5 = (self.Extension._xmm5.High << 8) + self.Extension._xmm5.Low
579 self.xmm6 = (self.Extension._xmm6.High << 8) + self.Extension._xmm6.Low
580 self.xmm7 = (self.Extension._xmm7.High << 8) + self.Extension._xmm7.Low
581
583 _fields_ = [
584 ("BaseAddress", SIZE_T),
585 ("AllocationBase", SIZE_T),
586 ("AllocationProtect", DWORD),
587 ("RegionSize", SIZE_T),
588 ("State", DWORD),
589 ("Protect", DWORD),
590 ("Type", DWORD),
591 ]
592
594 """
595 Passed into CreateProcess
596 """
597 _fields_ = [
598 ("db", c_ulong),
599 ("Reserved", c_char_p),
600 ("Desktop", c_char_p),
601 ("Title", c_char_p),
602 ("X", c_ulong),
603 ("Y", c_ulong),
604 ("XSize", c_ulong),
605 ("YSize", c_ulong),
606 ("XCountChars", c_ulong),
607 ("YCountChars", c_ulong),
608 ("FillAttribute", c_ulong),
609 ("Flags", c_ulong),
610 ("ShowWindow", c_ushort),
611 ("Reserved2", c_ushort),
612 ("Reserved3", LPVOID),
613 ("StdInput", c_ulong),
614 ("StdOutput", c_ulong),
615 ("StdError", c_ulong),
616 ]
617
619 _fields_ = [
620 ("Process", HANDLE),
621 ("Thread", HANDLE),
622 ("ProcessId", c_ulong),
623 ("ThreadId", c_ulong),
624 ]
625
627 _fields_ = [
628 ("SizeOfStruct", c_ulong),
629 ("TypeIndex", c_ulong),
630 ("Reserved1", c_ulonglong),
631 ("Reserved2", c_ulonglong),
632 ("Index", c_ulong),
633 ("Size", c_ulong),
634 ("ModBase", c_ulonglong),
635 ("Flags", c_ulong),
636 ("Value", c_ulonglong),
637 ("Address", c_ulonglong),
638 ("Register", c_ulong),
639 ("Scope", c_ulong),
640 ("Tag", c_ulong),
641 ("NameLen", c_ulong),
642 ("MaxNameLen", c_ulong),
643 ("Name", c_char * 2000), # MAX_SYM_NAME
644 ]
645
647 _fields_ = [
648 ("SizeOfStruct", c_ulong),
649 ("BaseOfImage", c_ulonglong),
650 ("ImageSize", c_ulong),
651 ("TimeDateStamp", c_ulong),
652 ("CheckSum", c_ulong),
653 ("NumSyms", c_ulong),
654 ("SymType", c_ulong),
655 ("ModuleName", c_char*32),
656 ("ImageName", c_char*256),
657 ("LoadedImageName", c_char*256),
658 ("LoadedPdbName", c_char*256),
659 ("CvSig", c_ulong),
660 ("CvData", c_char*(MAX_PATH*3)),
661 ("PdbSig", c_ulong),
662 ("PdbSig70", c_char * 16), #GUID
663 ("PdbAge", c_ulong),
664 ("PdbUnmatched", c_ulong),
665 ("DbgUnmatched", c_ulong),
666 ("LineNumbers", c_ulong),
667 ("GlobalSymbols", c_ulong),
668 ("TypeInfo", c_ulong),
669 ]
670
672 _fields_ = [
673 ('InstructionOffset', QWORD),
674 ('ReturnOffset', QWORD),
675 ('FrameOffset', QWORD),
676 ('StackOffset', QWORD),
677 ('BackingStoreOffset', QWORD),
678 ('FuncTableEntry', QWORD),
679 ('Params', QWORD*4),
680 ('Reserved', QWORD*5),
681 ('Virtual', BOOL),
682 ('Reserved2', DWORD),
683 ]
684
685 IMAGE_DIRECTORY_ENTRY_EXPORT =0 # Export Directory
686 IMAGE_DIRECTORY_ENTRY_IMPORT =1 # Import Directory
687 IMAGE_DIRECTORY_ENTRY_RESOURCE =2 # Resource Directory
688 IMAGE_DIRECTORY_ENTRY_EXCEPTION =3 # Exception Directory
689 IMAGE_DIRECTORY_ENTRY_SECURITY =4 # Security Directory
690 IMAGE_DIRECTORY_ENTRY_BASERELOC =5 # Base Relocation Table
691 IMAGE_DIRECTORY_ENTRY_DEBUG =6 # Debug Directory
692 IMAGE_DIRECTORY_ENTRY_COPYRIGHT =7 # (X86 usage)
693 IMAGE_DIRECTORY_ENTRY_ARCHITECTURE =7 # Architecture Specific Data
694 IMAGE_DIRECTORY_ENTRY_GLOBALPTR =8 # RVA of GP
695 IMAGE_DIRECTORY_ENTRY_TLS =9 # TLS Directory
696 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG =10 # Load Configuration Directory
697 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT =11 # Bound Import Directory in headers
698 IMAGE_DIRECTORY_ENTRY_IAT =12 # Import Address Table
699 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT =13 # Delay Load Import Descriptors
700 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR =14 # COM Runtime descriptor
701
702 IMAGE_DEBUG_TYPE_UNKNOWN =0
703 IMAGE_DEBUG_TYPE_COFF =1
704 IMAGE_DEBUG_TYPE_CODEVIEW =2
705 IMAGE_DEBUG_TYPE_FPO =3
706 IMAGE_DEBUG_TYPE_MISC =4
707 IMAGE_DEBUG_TYPE_EXCEPTION =5
708 IMAGE_DEBUG_TYPE_FIXUP =6
709 IMAGE_DEBUG_TYPE_OMAP_TO_SRC =7
710 IMAGE_DEBUG_TYPE_OMAP_FROM_SRC =8
711 IMAGE_DEBUG_TYPE_BORLAND =9
712 IMAGE_DEBUG_TYPE_RESERVED10 =10
713 IMAGE_DEBUG_TYPE_CLSID =11
714
715 SSRVOPT_CALLBACK = 0x0001
716 SSRVOPT_DWORD = 0x0002
717 SSRVOPT_DWORDPTR = 0x0004
718 SSRVOPT_GUIDPTR = 0x0008
719 SSRVOPT_OLDGUIDPTR = 0x0010
720 SSRVOPT_UNATTENDED = 0x0020
721 SSRVOPT_NOCOPY = 0x0040
722 SSRVOPT_PARENTWIN = 0x0080
723 SSRVOPT_PARAMTYPE = 0x0100
724 SSRVOPT_SECURE = 0x0200
725 SSRVOPT_TRACE = 0x0400
726 SSRVOPT_SETCONTEXT = 0x0800
727 SSRVOPT_PROXY = 0x1000
728 SSRVOPT_DOWNSTREAM_STORE = 0x2000
729
730 TI_GET_SYMTAG = 0
731 TI_GET_SYMNAME = 1
732 TI_GET_LENGTH = 2
733 TI_GET_TYPE = 3
734 TI_GET_TYPEID = 4
735 TI_GET_BASETYPE = 5
736 TI_GET_ARRAYINDEXTYPEID = 6
737 TI_FINDCHILDREN = 7
738 TI_GET_DATAKIND = 8
739 TI_GET_ADDRESSOFFSET = 9
740 TI_GET_OFFSET = 10
741 TI_GET_VALUE = 11
742 TI_GET_COUNT = 12
743 TI_GET_CHILDRENCOUNT = 13
744 TI_GET_BITPOSITION = 14
745 TI_GET_VIRTUALBASECLASS = 15
746 TI_GET_VIRTUALTABLESHAPEID = 16
747 TI_GET_VIRTUALBASEPOINTEROFFSET = 17
748 TI_GET_CLASSPARENTID = 18
749 TI_GET_NESTED = 19
750 TI_GET_SYMINDEX = 20
751 TI_GET_LEXICALPARENT = 21
752 TI_GET_ADDRESS = 22
753 TI_GET_THISADJUST = 23
754 TI_GET_UDTKIND = 24
755 TI_IS_EQUIV_TO = 25
756 TI_GET_CALLING_CONVENTION = 26
757
758 SymTagNull = 0
759 SymTagExe = 1
760 SymTagCompiland = 2
761 SymTagCompilandDetails = 3
762 SymTagCompilandEnv = 4
763 SymTagFunction = 5
764 SymTagBlock = 6
765 SymTagData = 7
766 SymTagAnnotation = 8
767 SymTagLabel = 9
768 SymTagPublicSymbol = 10
769 SymTagUDT = 11
770 SymTagEnum = 12
771 SymTagFunctionType = 13
772 SymTagPointerType = 14
773 SymTagArrayType = 15
774 SymTagBaseType = 16
775 SymTagTypedef = 17
776 SymTagBaseClass = 18
777 SymTagFriend = 19
778 SymTagFunctionArgType = 20
779 SymTagFuncDebugStart = 21
780 SymTagFuncDebugEnd = 22
781 SymTagUsingNamespace = 23
782 SymTagVTableShape = 24
783 SymTagVTable = 25
784 SymTagCustom = 26
785 SymTagThunk = 27
786 SymTagCustomType = 28
787 SymTagManagedType = 29
788 SymTagDimension = 30
789 SymTagMax = 31
792 _fields_ = [
793 ("Characteristics", c_ulong),
794 ("TimeDateStamp", c_ulong),
795 ("MajorVersion", c_ushort),
796 ("MinorVersion", c_ushort),
797 ("Type", c_ulong),
798 ("SizeOfData", c_ulong),
799 ("AddressOfRawData", c_ulong),
800 ("PointerToRawData", c_ulong),
801 ]
802
803 NT_LIST_HANDLES = 16
804
805 ACCESS_MASK = DWORD
807 _fields_ = [
808 ('ProcessID' , c_ulong),
809 ('HandleType' , c_byte),
810 ('Flags' , c_byte),
811 ('HandleNumber' , c_ushort),
812 ('KernelAddress' , LPVOID),
813 ('GrantedAccess' , ACCESS_MASK),
814 ]
815 PSYSTEM_HANDLE = POINTER(SYSTEM_HANDLE)
816
817 # OBJECT_INFORMATION_CLASS
818 ObjectBasicInformation = 0
819 ObjectNameInformation = 1
820 ObjectTypeInformation = 2
821 ObjectAllTypesInformation = 3
822 ObjectHandleInformation = 4
823
824 # ProcessInformationClass
825 ProcessBasicInformation = 0 # Get pointer to PEB
826 ProcessDebugPort = 7 # Get DWORD_PTR to debug port number
827 ProcessWow64Information = 26 # Get WOW64 status
828 # FIXME may be more reliable to use this! \|/
829 ProcessImageFileName = 27 # Get a UNICODE_STRING of the filename
830 ProcessExecuteFlags = 34 # Get DWORD of execute status (including DEP) (bug: your process only)
833 _fields_ = (
834 ("Length",c_ushort),
835 ("MaximumLength", c_ushort),
836 ("Buffer", c_wchar_p)
837 )
838 PUNICODE_STRING = POINTER(UNICODE_STRING)
845
846 object_type_map = {
847 "File":vtrace.FD_FILE,
848 "Directory":vtrace.FD_FILE,
849 "Event":vtrace.FD_EVENT,
850 "KeyedEvent":vtrace.FD_EVENT,
851 "Mutant":vtrace.FD_LOCK,
852 "Semaphore":vtrace.FD_LOCK,
853 "Key":vtrace.FD_REGKEY,
854 "Port":vtrace.FD_UNKNOWN,
855 "Section":vtrace.FD_UNKNOWN,
856 "IoCompletion":vtrace.FD_UNKNOWN,
857 "Desktop":vtrace.FD_UNKNOWN,
858 "WindowStation":vtrace.FD_UNKNOWN,
859 }
866
868 # This isn't really universal, more just for one priv use
869 _fields_ = (
870 ("PrivilegeCount", c_ulong), # Always one
871 ("Privilege", LUID),
872 ("PrivilegeAttribute", c_ulong)
873 )
874
875 # All platforms must be able to import this module (for exceptions etc..)
876 # (do this stuff *after* we define some types...)
877 if sys.platform == "win32":
878
879 kernel32 = windll.kernel32
880 # We need to inform some of the APIs about their args
881 kernel32.OpenProcess.argtypes = [DWORD, BOOL, DWORD]
882 kernel32.OpenProcess.restype = HANDLE
883 kernel32.CreateProcessA.argtypes = [LPVOID, c_char_p, LPVOID, LPVOID, c_uint, DWORD, LPVOID, LPVOID, LPVOID, LPVOID]
884 kernel32.ReadProcessMemory.argtypes = [HANDLE, LPVOID, LPVOID, SIZE_T, LPVOID]
885 kernel32.WriteProcessMemory.argtypes = [HANDLE, LPVOID, c_char_p, SIZE_T, LPVOID]
886 kernel32.GetThreadContext.argtypes = [HANDLE, LPVOID]
887 kernel32.SetThreadContext.argtypes = [HANDLE, LPVOID]
888 kernel32.CreateRemoteThread.argtypes = [HANDLE, LPVOID, SIZE_T, LPVOID, LPVOID, DWORD, LPVOID]
889 kernel32.SuspendThread.argtypes = [HANDLE,]
890 kernel32.ResumeThread.argtypes = [HANDLE,]
891 kernel32.VirtualQueryEx.argtypes = [HANDLE, LPVOID, LPVOID, SIZE_T]
892 kernel32.DebugBreakProcess.argtypes = [HANDLE,]
893 kernel32.CloseHandle.argtypes = [HANDLE,]
894 kernel32.GetLogicalDriveStringsA.argtypes = [DWORD, LPVOID]
895 kernel32.TerminateProcess.argtypes = [HANDLE, DWORD]
896 kernel32.VirtualProtectEx.argtypes = [HANDLE, LPVOID, SIZE_T, DWORD, LPVOID]
897 kernel32.VirtualAllocEx.argtypes = [HANDLE, LPVOID, SIZE_T, DWORD, DWORD]
898 kernel32.VirtualFreeEx.argtypes = [HANDLE, LPVOID, SIZE_T, DWORD]
899 kernel32.DuplicateHandle.argtypes = [HANDLE, HANDLE, HANDLE, LPVOID, DWORD, DWORD, DWORD]
900 kernel32.SetEvent.argtypes = [HANDLE, ]
901
902 IsWow64Process = getattr(kernel32, 'IsWow64Process', None)
903 if IsWow64Process != None:
904 IsWow64Process.argtypes = [HANDLE, LPVOID]
905
906
907
908 psapi = windll.psapi
909 psapi.GetModuleFileNameExW.argtypes = [HANDLE, HANDLE, LPVOID, DWORD]
910 psapi.GetMappedFileNameW.argtypes = [HANDLE, LPVOID, LPVOID, DWORD]
911
912 ntdll = windll.ntdll
913 ntdll.NtQuerySystemInformation.argtypes = [DWORD, LPVOID, DWORD, LPVOID]
914 ntdll.NtQueryObject.argtypes = [HANDLE, DWORD, c_void_p, DWORD, LPVOID]
915 ntdll.NtQueryInformationProcess.argtypes = [HANDLE, DWORD, c_void_p, DWORD, LPVOID]
916 ntdll.NtSystemDebugControl.restype = SIZE_T
917
918
919 try:
920
921 SYMCALLBACK = WINFUNCTYPE(BOOL, POINTER(SYMBOL_INFO), c_ulong, LPVOID)
922 PDBCALLBACK = WINFUNCTYPE(BOOL, c_char_p, LPVOID)
923
924 arch_name = envi.getCurrentArch()
925 symsrv = windll.LoadLibrary(os.path.join(platdir, "windll", arch_name, "symsrv.dll"))
926 dbghelp = windll.LoadLibrary(os.path.join(platdir, "windll", arch_name, "dbghelp.dll"))
927 dbghelp.SymInitialize.argtypes = [HANDLE, c_char_p, BOOL]
928 dbghelp.SymInitialize.restype = BOOL
929 dbghelp.SymSetOptions.argtypes = [DWORD]
930 dbghelp.SymSetOptions.restype = DWORD
931 dbghelp.SymCleanup.argtypes = [HANDLE]
932 dbghelp.SymCleanup.restype = BOOL
933 dbghelp.SymLoadModule64.argtypes = [HANDLE, HANDLE, c_char_p, c_char_p, QWORD, DWORD]
934 dbghelp.SymLoadModule64.restype = QWORD
935 dbghelp.SymGetModuleInfo64.argtypes = [HANDLE, QWORD, POINTER(IMAGEHLP_MODULE64)]
936 dbghelp.SymSetContext.restype = BOOL
937 dbghelp.SymSetContext.argtypes = [ HANDLE, POINTER(IMAGEHLP_STACK_FRAME), LPVOID ]
938 dbghelp.SymGetModuleInfo64.restype = BOOL
939 dbghelp.SymEnumSymbols.argtypes = [HANDLE, QWORD, c_char_p, SYMCALLBACK, LPVOID]
940 dbghelp.SymEnumSymbols.restype = BOOL
941 dbghelp.SymEnumTypes.argtypes = [HANDLE, QWORD, SYMCALLBACK, LPVOID]
942 dbghelp.SymEnumTypes.restype = BOOL
943 dbghelp.SymGetTypeInfo.argtypes = [HANDLE, QWORD, DWORD, DWORD, c_void_p]
944 dbghelp.SymGetTypeInfo.restype = BOOL
945 dbghelp.SymFromAddr.argtypes = [HANDLE, QWORD, POINTER(QWORD), POINTER(SYMBOL_INFO) ]
946
947 except Exception, e:
948 print "WARNING: Failed to import dbghelp/symsrv: %s" % e
949
950 advapi32 = windll.advapi32
951 advapi32.LookupPrivilegeValueA.argtypes = [LPVOID, c_char_p, LPVOID]
952 advapi32.OpenProcessToken.argtypes = [HANDLE, DWORD, HANDLE]
953 advapi32.AdjustTokenPrivileges.argtypes = [HANDLE, DWORD, LPVOID, DWORD, LPVOID, LPVOID]
954 advapi32.OpenSCManagerA.argtypes = [ LPVOID, LPVOID, DWORD ]
955 advapi32.OpenSCManagerA.restype = HANDLE
956 advapi32.EnumServicesStatusExW.argtypes = [ HANDLE,
957 LPVOID,
958 DWORD,
959 DWORD,
960 LPVOID,
961 DWORD,
962 LPVOID,
963 LPVOID,
964 LPVOID,
965 LPVOID ]
966 advapi32.EnumServicesStatusExW.restype = BOOL
967 advapi32.CloseServiceHandle.argtypes = [ HANDLE, ]
968 advapi32.CloseServiceHandle.restype = BOOL
969 advapi32.GetTokenInformation.argtypes = [HANDLE, DWORD, LPVOID, DWORD, LPVOID]
970 advapi32.GetTokenInformation.restype = BOOL
974 '''
975 Get a list of (pid, servicename, displayname) tuples for the
976 currently running services.
977 '''
978
979 ret = []
980 scmh = advapi32.OpenSCManagerA(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE)
981
982 try:
983 dwSvcSize = DWORD(0)
984 dwSvcCount = DWORD(0)
985
986 advapi32.EnumServicesStatusExW( scmh,
987 SC_ENUM_PROCESS_INFO,
988 SERVICE_WIN32,
989 SERVICE_ACTIVE,
990 NULL,
991 0,
992 addressof(dwSvcSize),
993 addressof(dwSvcCount),
994 NULL,
995 NULL)
996
997 buf = create_string_buffer(dwSvcSize.value)
998
999 #print 'NEEDED',dwSvcSize
1000 #print 'COUNT',dwSvcCount
1001
1002 advapi32.EnumServicesStatusExW( scmh,
1003 SC_ENUM_PROCESS_INFO,
1004 SERVICE_WIN32,
1005 SERVICE_ACTIVE,
1006 addressof(buf),
1007 dwSvcSize.value,
1008 addressof(dwSvcSize),
1009 addressof(dwSvcCount),
1010 NULL,
1011 NULL)
1012
1013 #p = POINTER(ENUM_SERVICE_STATUS_PROCESS)(addressof(buf))
1014 p = cast(buf, POINTER(ENUM_SERVICE_STATUS_PROCESS))
1015
1016 for i in xrange(dwSvcCount.value):
1017 pid = p[i].ServiceStatusProcess.dwProcessId
1018 name = p[i].lpServiceName
1019 descr = p[i].lpDisplayName
1020 ret.append((pid, name, descr))
1021
1022 finally:
1023 advapi32.CloseServiceHandle(scmh)
1024
1025 return ret
1026
1027 x = '''
1028 BOOL WINAPI EnumServicesStatusEx(
1029 __in SC_HANDLE hSCManager,
1030 __in SC_ENUM_TYPE InfoLevel,
1031 __in DWORD dwServiceType,
1032 __in DWORD dwServiceState,
1033 __out_opt LPBYTE lpServices,
1034 __in DWORD cbBufSize,
1035 __out LPDWORD pcbBytesNeeded,
1036 __out LPDWORD lpServicesReturned,
1037 __inout_opt LPDWORD lpResumeHandle,
1038 __in_opt LPCTSTR pszGroupName
1039 );
1040 '''
1041
1042 SE_PRIVILEGE_ENABLED = 0x00000002
1043 TOKEN_ADJUST_PRIVILEGES = 0x00000020
1044 TOKEN_QUERY = 0x00000008
1045 dbgprivdone = False
1046
1047 # TOKEN_INFORMATION_CLASS
1048 TokenUser = 1
1049 TokenGroups = 2
1050 TokenPrivileges = 3
1051 TokenOwner = 4
1052 TokenPrimaryGroup = 5
1053 TokenDefaultDacl = 6
1054 TokenSource = 7
1055 TokenType = 8
1056 TokenImpersonationLevel = 9
1057 TokenStatistics = 10
1058 TokenRestrictedSids = 11
1059 TokenSessionId = 12
1060 TokenGroupsAndPrivileges = 13
1061 TokenSessionReference = 14
1062 TokenSandBoxInert = 15
1063 TokenAuditPolicy = 16
1064 TokenOrigin = 17
1065 TokenElevationType = 18
1066 TokenLinkedToken = 19
1067 TokenElevation = 20
1068 TokenHasRestrictions = 21
1069 TokenAccessInformation = 22
1070 TokenVirtualizationAllowed = 23
1071 TokenVirtualizationEnabled = 24
1072 TokenIntegrityLevel = 25
1073 TokenUIAccess = 26
1074 TokenMandatoryPolicy = 27
1075 TokenLogonSid = 28
1076 MaxTokenInfoClass = 29
1077
1078 # TOKEN_ELEVATION_TYPE
1079 TokenElevationTypeDefault = 1
1080 TokenElevationTypeFull = 2
1081 TokenElevationTypeLimited = 3
1084
1085 token = HANDLE(0)
1086 etype = DWORD(0)
1087 outsize = DWORD(0)
1088 if not advapi32.OpenProcessToken(handle, TOKEN_QUERY, addressof(token)):
1089 raise Exception('Invalid Process Handle: %d' % handle)
1090
1091 advapi32.GetTokenInformation(token, TokenElevationType, addressof(etype), 4, addressof(outsize))
1092
1093 return etype.value
1094
1095 if __name__ == '__main__':
1096 print getTokenElevationType()
1099 tokprivs = TOKEN_PRIVILEGES()
1100 dbgluid = LUID()
1101 token = HANDLE(0)
1102
1103 if not advapi32.LookupPrivilegeValueA(0, "seDebugPrivilege", addressof(dbgluid)):
1104 print "LookupPrivilegeValue Failed: %d" % kernel32.GetLastError()
1105 return False
1106
1107 if not advapi32.OpenProcessToken(-1, TOKEN_ADJUST_PRIVILEGES, addressof(token)):
1108 print "kernel32.OpenProcessToken Failed: %d" % kernel32.GetLastError()
1109 return False
1110
1111 tokprivs.PrivilegeCount = 1
1112 tokprivs.Privilege = dbgluid
1113 tokprivs.PrivilegeAttribute = SE_PRIVILEGE_ENABLED
1114
1115 if not advapi32.AdjustTokenPrivileges(token, 0, addressof(tokprivs), 0, 0, 0):
1116 kernel32.CloseHandle(token)
1117 print "AdjustTokenPrivileges Failed: %d" % kernel32.GetLastError()
1118 return False
1119
1120 kernel32.CloseHandle(token)
1121
1123 """
1124 Dynamically build the structure definition for the
1125 handle info list.
1126 """
1127 class SYSTEM_HANDLE_INFORMATION(Structure):
1128 _fields_ = [ ('Count', c_ulong), ('Handles', SYSTEM_HANDLE * count), ]
1129 return SYSTEM_HANDLE_INFORMATION()
1130
1132 class TI_FINDCHILDREN_PARAMS(Structure):
1133 _fields_ = [ ('Count', c_ulong), ('Start', c_ulong), ("Children",c_ulong * count),]
1134 tif = TI_FINDCHILDREN_PARAMS()
1135 tif.Count = count
1136 return tif
1137
1140
1142
1143 buf = create_unicode_buffer(1024)
1144 psapi.GetModuleFileNameExW(phandle, mhandle, addressof(buf), 1024)
1145 return buf.value
1146
1147 av_einfo_perms = [e_mem.MM_READ, e_mem.MM_WRITE, None, None, None, None, None, None, e_mem.MM_EXEC]
1150
1151 """
1152 A mixin to handle all non-arch specific win32 stuff.
1153 """
1154
1156
1157 self.casesens = False
1158
1159 self.phandle = None
1160 self.thandles = {}
1161 self.win32threads = {}
1162 self.dosdevs = []
1163 self.flushcache = False
1164 self.faultaddr = None
1165 global dbgprivdone
1166 if not dbgprivdone:
1167 dbgprivdone = getDebugPrivileges()
1168
1169 self._is_wow64 = False # 64 bit trace uses this...
1170 self._step_suspends = set() # Threads we have suspended for single stepping
1171
1172 # Skip the attach event and plow through to the first
1173 # injected breakpoint (cause libs are loaded by then)
1174 self.enableAutoContinue(vtrace.NOTIFY_ATTACH)
1175
1176 self.setupDosDeviceMaps()
1177
1178 # Setup our binary format meta
1179 self.setMeta('Format','pe')
1180
1181 # Setup some win32_ver info in metadata
1182 rel,ver,csd,ptype = platform.win32_ver()
1183 self.setMeta("WindowsRelease",rel)
1184 self.setMeta("WindowsVersion", ver)
1185 self.setMeta("WindowsCsd", csd)
1186 self.setMeta("WindowsProcessorType", ptype)
1187
1188 # Setup modes which only apply to windows systems
1189 self.initMode('BlockStep', False, 'Single step to branch entry points')
1190
1191 # If possible, get a default set of struct definitions
1192 # for ntdll...
1193 nt = vs_windows.getCurrentDef('ntdll')
1194 if nt != None:
1195 self.vsbuilder.addVStructNamespace('ntdll', nt)
1196
1197 # Either way, add the fallback "win32" namespace
1198 self.vsbuilder.addVStructNamespace('win32', vs_win32)
1199
1200 # We need thread proxying for a few calls...
1201 self.fireTracerThread()
1202
1204 ret = []
1205 hinfo = self.getHandles()
1206 for x in range(hinfo.Count):
1207 if hinfo.Handles[x].ProcessID != self.pid:
1208 continue
1209 hand = hinfo.Handles[x].HandleNumber
1210 myhand = self.dupHandle(hand)
1211 typestr = self.getHandleInfo(myhand, ObjectTypeInformation)
1212 wait = False
1213 if typestr == "File":
1214 wait = True
1215 namestr = self.getHandleInfo(myhand, ObjectNameInformation, wait=wait)
1216 kernel32.CloseHandle(myhand)
1217 htype = object_type_map.get(typestr, vtrace.FD_UNKNOWN)
1218 ret.append( (hand, htype, "%s: %s" % (typestr,namestr)) )
1219 return ret
1220
1222 kernel32.SetEvent(handle)
1223
1225 """
1226 Duplicate the handle (who's id is in the currently attached
1227 target process) and return our own copy.
1228 """
1229 hret = c_uint(0)
1230 kernel32.DuplicateHandle(self.phandle, handle,
1231 kernel32.GetCurrentProcess(), addressof(hret),
1232 0, False, 2) # DUPLICATE_SAME_ACCESS
1233 return hret.value
1234
1236
1237 retSiz = c_uint(0)
1238 buf = create_string_buffer(100)
1239
1240 # Some NtQueryObject calls will hang, lets figgure out which...
1241 if wait:
1242 if kernel32.WaitForSingleObject(handle, 150) == EXCEPTION_TIMEOUT:
1243 return "_TIMEOUT_"
1244
1245 x = ntdll.NtQueryObject(handle, itype,
1246 buf, sizeof(buf), addressof(retSiz))
1247 if x != 0:
1248 return 'Error 0x%.8x' % (e_bits.unsigned(x, self.psize))
1249
1250 realbuf = create_string_buffer(retSiz.value)
1251
1252 if ntdll.NtQueryObject(handle, itype,
1253 realbuf, sizeof(realbuf), addressof(retSiz)) == 0:
1254
1255 uString = cast(realbuf, PUNICODE_STRING).contents
1256 return uString.Buffer
1257 return "Unknown"
1258
1260
1261 hinfo = buildSystemHandleInformation(1)
1262 hsize = c_ulong(sizeof(hinfo))
1263
1264 ntdll.NtQuerySystemInformation(NT_LIST_HANDLES, addressof(hinfo), hsize, addressof(hsize))
1265
1266 count = (hsize.value-4) / sizeof(SYSTEM_HANDLE)
1267 hinfo = buildSystemHandleInformation(count)
1268 hsize = c_ulong(sizeof(hinfo))
1269
1270 ntdll.NtQuerySystemInformation(NT_LIST_HANDLES, addressof(hinfo), hsize, 0)
1271
1272 return hinfo
1273
1274
1276 self.dosdevs = []
1277 dname = (c_char * 512)()
1278 size = kernel32.GetLogicalDriveStringsA(512, addressof(dname))
1279 devs = dname.raw[:size-1].split("\x00")
1280 for dev in devs:
1281 dosname = "%s:" % dev[0]
1282 kernel32.QueryDosDeviceA("%s:" % dev[0], pointer(dname), 512)
1283 self.dosdevs.append( (dosname, dname.value) )
1284
1286 kernel32.TerminateProcess(self.phandle, 0)
1287
1288 @v_base.threadwrap
1290 sinfo = STARTUPINFO()
1291 pinfo = PROCESS_INFORMATION()
1292 if not kernel32.CreateProcessA(0, cmdline, 0, 0, 0,
1293 DEBUG_ONLY_THIS_PROCESS, 0, 0, addressof(sinfo), addressof(pinfo)):
1294 raise Exception("CreateProcess failed!")
1295
1296 # When launching an app, we're guaranteed to get a breakpoint
1297 # Unless we want to fail checkBreakpoints, we'll need to set ShouldBreak
1298 self.setMeta('ShouldBreak', True)
1299
1300 kernel32.CloseHandle(pinfo.Process)
1301 kernel32.CloseHandle(pinfo.Thread)
1302
1303 return pinfo.ProcessId
1304
1306 tid = c_uint32()
1307 x = self.parseExpression('kernel32.LoadLibraryA')
1308 memaddr = self.allocateMemory(4096)
1309 self.writeMemory(memaddr, '%s\x00' % filename)
1310 t = kernel32.CreateRemoteThread(self.phandle, 0, 0, x, memaddr, 0, addressof(tid))
1311 self.joinThread(tid.value)
1312 kernel32.CloseHandle(t)
1313 kernel32.VirtualFreeEx(self.phandle, memaddr, 0, 0x8000) # MEM_RELEASE 0x8000 MEM_DECOMMIT 0x4000
1314
1315 @v_base.threadwrap
1319
1320 @v_base.threadwrap
1322 # Do the crazy "can't supress exceptions from detach" dance.
1323 if ((not self.exited) and
1324 self.getCurrentBreakpoint() != None):
1325 self._cleanupBreakpoints()
1326 self.platformContinue()
1327 self.platformSendBreak()
1328 self.platformWait()
1329 if not kernel32.DebugActiveProcessStop(self.pid):
1330 raiseWin32Error("DebugActiveProcessStop")
1331 kernel32.CloseHandle(self.phandle)
1332 self.phandle = None
1333
1335 pret = c_uint(0)
1336 pval = perm_rev_lookup.get(perms, PAGE_EXECUTE_READWRITE)
1337 ret = kernel32.VirtualProtectEx(self.phandle, va, size, pval, addressof(pret))
1338 if ret == 0:
1339 raiseWin32Error("kernel32.VirtualProtectEx")
1340
1342 pval = perm_rev_lookup.get(perms, PAGE_EXECUTE_READWRITE)
1343 ret = kernel32.VirtualAllocEx(self.phandle,
1344 suggestaddr, size, MEM_COMMIT, pval)
1345 if ret == 0:
1346 raiseWin32Error("kernel32.VirtualAllocEx")
1347 return ret
1348
1350 btype = c_char * size
1351 buf = btype()
1352 ret = c_ulong(0)
1353 if not kernel32.ReadProcessMemory(self.phandle, address, addressof(buf), size, addressof(ret)):
1354 raiseWin32Error("kernel32.ReadProcessMemory %s" % hex(address))
1355 return buf.raw
1356
1357 @v_base.threadwrap
1359
1360 # If there is anything in _step_suspends, un-suspend them
1361 for thrid in self._step_suspends:
1362 kernel32.ResumeThread(thrid)
1363
1364 self._step_suspends.clear()
1365
1366 self._continueDebugEvent()
1367
1369
1370 magic = DBG_CONTINUE
1371
1372 if self.getCurrentSignal() != None:
1373 magic = DBG_EXCEPTION_NOT_HANDLED
1374
1375 if self.flushcache:
1376 self.flushcache = False
1377 kernel32.FlushInstructionCache(self.phandle, 0, 0)
1378
1379 if not kernel32.ContinueDebugEvent(self.pid, self.getMeta("StoppedThreadId"), magic):
1380 raiseWin32Error("ContinueDebugEvent")
1381
1382 @v_base.threadwrap
1384 # We have some flag fields broken out as meta regs
1385 self.setRegisterByName("TF", 1)
1386 if self.getMode('BlockStep'):
1387 wrmsr(e_i386.MSR_DEBUGCTL, e_i386.MSR_DEBUGCTL_BTF)
1388
1389 self._syncRegs()
1390
1391 # For single step, suspend all the threads except the current
1392 for thrid in self.getThreads().keys():
1393
1394 # If this thread is the "current thread" don't suspend it
1395 if thrid == self.getCurrentThread():
1396 # If it was suspended because of stepping another thread
1397 # resume it.
1398 if thrid in self._step_suspends:
1399 kernel32.ResumeThread(thrid)
1400 continue
1401
1402 # Check for "already suspended"
1403 if self.sus_threads.get( thrid ):
1404 continue
1405
1406 # Check if we're returning in a step loop
1407 if thrid in self._step_suspends:
1408 continue
1409
1410 # Call suspend thread directly for speed
1411 kernel32.SuspendThread(thrid)
1412 self._step_suspends.add( thrid )
1413
1414 self._continueDebugEvent()
1415
1417 ret = c_ulong(0)
1418 if not kernel32.WriteProcessMemory(self.phandle, address, buf, len(buf), addressof(ret)):
1419 raiseWin32Error("kernel32.WriteProcessMemory")
1420 # If we wrote memory, flush the instruction cache...
1421 self.flushcache = True
1422 return ret.value
1423
1425 #FIXME make this support windows 2000
1426 if not kernel32.DebugBreakProcess(self.phandle):
1427 raiseWin32Error("kernel32.DebugBreakProcess")
1428
1430 ret = []
1431 pcount = 1024
1432 pids = (c_int * pcount)()
1433 needed = c_int(0)
1434 hmodule = HANDLE()
1435
1436 psapi.EnumProcesses(addressof(pids), 4*pcount, addressof(needed))
1437 if needed.value > pcount:
1438 # If the array was too small, lets up the size to needed + 128
1439 pcount = needed.value + 128
1440 pids = (c_int * pcount)()
1441 psapi.EnumProcesses(addressof(pids), 4*pcount, addressof(needed))
1442
1443 for i in range(needed.value/4):
1444 fname = (c_wchar * 512)()
1445 phandle = kernel32.OpenProcess(PROCESS_ALL_ACCESS, 0, pids[i])
1446 if not phandle: # If we get 0, we failed to open it (perms)
1447 continue
1448 psapi.EnumProcessModules(phandle, addressof(hmodule), 4, addressof(needed))
1449 psapi.GetModuleBaseNameW(phandle, hmodule, fname, 512)
1450 ret.append( (pids[i], fname.value))
1451 kernel32.CloseHandle(phandle)
1452 kernel32.CloseHandle(hmodule)
1453 return ret
1454
1455 @v_base.threadwrap
1457 event = DEBUG_EVENT()
1458 if not kernel32.WaitForDebugEvent(addressof(event), INFINITE):
1459 raiseWin32Error("WaitForDebugEvent")
1460 return event
1461
1464
1466
1467 self.faultaddr = None
1468 self.faultperm = None
1469
1470 if event.ProcessId != self.pid:
1471 raise Exception("event.ProcessId != self.pid (%d != %d)" %
1472 (event.ProcessId,self.pid))
1473
1474 ThreadId = event.ThreadId
1475 eventdict = {} # Each handler fills this in
1476 self.setMeta("Win32Event", eventdict)
1477 self.setMeta("StoppedThreadId", ThreadId)
1478 self.setMeta("ThreadId", ThreadId)
1479
1480 if event.DebugEventCode == CREATE_PROCESS_DEBUG_EVENT:
1481 self.phandle = event.u.CreateProcessInfo.Process
1482 baseaddr = event.u.CreateProcessInfo.BaseOfImage
1483 ImageName = GetModuleFileNameEx(self.phandle, 0)
1484 if not ImageName:
1485 # If it fails, fall back on getMappedFileName
1486 ImageName = self.getMappedFileName(baseaddr)
1487 self.setMeta("ExeName", ImageName)
1488
1489 teb = event.u.CreateProcessInfo.ThreadLocalBase
1490 self.win32threads[ThreadId] = teb
1491 self.thandles[ThreadId] = event.u.CreateProcessInfo.Thread
1492
1493 tobj = self.getStruct("ntdll.TEB", teb)
1494 peb = tobj.ProcessEnvironmentBlock
1495
1496 self.setMeta("PEB", peb)
1497 self.setVariable("peb", peb)
1498
1499 eventdict["ImageName"] = ImageName
1500 eventdict["StartAddress"] = event.u.CreateProcessInfo.StartAddress
1501 eventdict["ThreadLocalBase"] = teb
1502
1503 self._is_wow64 = False
1504 if IsWow64Process != None:
1505 b = BOOL()
1506 IsWow64Process(self.phandle, addressof(b))
1507 if b.value:
1508 self._is_wow64 = True
1509
1510 self.setMeta('IsWow64', self._is_wow64)
1511
1512 self.fireNotifiers(vtrace.NOTIFY_ATTACH)
1513 self.addLibraryBase(ImageName, baseaddr)
1514
1515 elif event.DebugEventCode == CREATE_THREAD_DEBUG_EVENT:
1516 self.thandles[ThreadId] = event.u.CreateThread.Thread
1517 teb = event.u.CreateThread.ThreadLocalBase
1518 startaddr = event.u.CreateThread.StartAddress
1519 # Setup the event dictionary for notifiers
1520 eventdict["ThreadLocalBase"] = teb
1521 eventdict["StartAddress"] = startaddr
1522 self.win32threads[ThreadId] = teb
1523 self.fireNotifiers(vtrace.NOTIFY_CREATE_THREAD)
1524
1525 elif event.DebugEventCode == EXCEPTION_DEBUG_EVENT:
1526 excode = event.u.Exception.ExceptionRecord.ExceptionCode
1527 exflags = event.u.Exception.ExceptionRecord.ExceptionFlags
1528 exaddr = event.u.Exception.ExceptionRecord.ExceptionAddress
1529 exparam = event.u.Exception.ExceptionRecord.NumberParameters
1530 firstChance = event.u.Exception.FirstChance
1531
1532 plist = []
1533 for i in range(exparam):
1534 plist.append(long(event.u.Exception.ExceptionRecord.ExceptionInformation[i]))
1535
1536 eventdict["ExceptionCode"] = excode
1537 eventdict["ExceptionFlags"] = exflags
1538 eventdict["ExceptionAddress"] = exaddr
1539 eventdict["NumberParameters"] = exparam
1540 eventdict["FirstChance"] = bool(firstChance)
1541 eventdict["ExceptionInformation"] = plist
1542
1543 if firstChance:
1544
1545 if excode == EXCEPTION_BREAKPOINT:
1546
1547 if not self.checkBreakpoints():
1548 # On first attach, all the library load
1549 # events occur, then we hit a CC. So,
1550 # if we don't find a breakpoint, notify
1551 # break anyay....
1552 self.fireNotifiers(vtrace.NOTIFY_BREAK)
1553
1554 elif excode == EXCEPTION_SINGLE_STEP:
1555
1556 if not self.checkWatchpoints():
1557 self._fireStep()
1558
1559 else:
1560 if excode == 0xc0000005:
1561 self.faultaddr = plist[1]
1562 self.faultperm = av_einfo_perms[plist[0]]
1563
1564 # First we check for PageWatchpoint faults
1565 if not self.checkPageWatchpoints():
1566 self._fireSignal(excode, siginfo=plist)
1567
1568 else:
1569 self._fireSignal(excode, siginfo=plist)
1570
1571 elif event.DebugEventCode == EXIT_PROCESS_DEBUG_EVENT:
1572 ecode = event.u.ExitProcess.ExitCode
1573 eventdict["ExitCode"] = ecode
1574 self._fireExit(ecode)
1575 self.platformDetach()
1576
1577 elif event.DebugEventCode == EXIT_THREAD_DEBUG_EVENT:
1578 self.win32threads.pop(ThreadId, None)
1579 ecode = event.u.ExitThread.ExitCode
1580 eventdict["ExitCode"] = ecode
1581 self._fireExitThread(ThreadId, ecode)
1582
1583 elif event.DebugEventCode == LOAD_DLL_DEBUG_EVENT:
1584 baseaddr = event.u.LoadDll.BaseOfDll
1585 ImageName = GetModuleFileNameEx(self.phandle, baseaddr)
1586 if not ImageName:
1587 # If it fails, fall back on getMappedFileName
1588 ImageName = self.getMappedFileName(baseaddr)
1589 self.addLibraryBase(ImageName, baseaddr)
1590 kernel32.CloseHandle(event.u.LoadDll.File)
1591
1592 elif event.DebugEventCode == UNLOAD_DLL_DEBUG_EVENT:
1593 baseaddr = event.u.UnloadDll.BaseOfDll
1594 eventdict["BaseOfDll"] = baseaddr
1595 self.delLibraryBase(baseaddr)
1596
1597 elif event.DebugEventCode == OUTPUT_DEBUG_STRING_EVENT:
1598 # Gotta have a way to continue these...
1599 d = event.u.DebugString
1600 sdata = d.DebugStringData
1601 ssize = d.DebugStringLength
1602
1603 # FIXME possibly make a gofast option that
1604 # doesn't get the string
1605 mem = self.readMemory(sdata, ssize)
1606 if d.Unicode:
1607 mem = mem.decode("utf-16-le")
1608 eventdict["DebugString"] = mem
1609 self.fireNotifiers(vtrace.NOTIFY_DEBUG_PRINT)
1610
1611 else:
1612 print "Currently unhandled event",code
1613
1614 # NOTE: Not everbody falls through to here
1615
1616
1618 self.requireAttached()
1619 fname = (c_wchar * 512)()
1620 x = psapi.GetMappedFileNameW(self.phandle, address, addressof(fname), 512)
1621 if not x:
1622 return ""
1623 name = fname.value
1624 for dosname, devname in self.dosdevs:
1625 if name.startswith(devname):
1626 return name.replace(devname, dosname)
1627 return name
1628
1630 ret = []
1631 base = 0
1632
1633 mbi = MEMORY_BASIC_INFORMATION()
1634
1635 while kernel32.VirtualQueryEx(self.phandle, base, addressof(mbi), sizeof(mbi)) > 0:
1636 if mbi.State == MEM_COMMIT:
1637 prot = mbi.Protect & 0xff
1638 perm = perm_lookup.get(prot, 0)
1639 base = mbi.BaseAddress
1640 mname = self.getMappedFileName(base)
1641 # If it fails, fall back on getmodulefilename
1642 if mname == "":
1643 mname = GetModuleFileNameEx(self.phandle, base)
1644 ret.append( (base, mbi.RegionSize, perm, mname) )
1645
1646 base += mbi.RegionSize
1647
1648 return ret
1649
1652
1656
1660
1662 if dbghelp != None:
1663 self.parseWithDbgHelp(filename, baseaddr, normname)
1664 else:
1665 self.parseWithPE(filename, baseaddr, normname)
1666
1668 funcflags = (SYMFLAG_FUNCTION | SYMFLAG_EXPORT)
1669
1670 sympath = self.getMeta('NtSymbolPath')
1671 parser = Win32SymbolParser(self.phandle, filename, baseaddr, sympath=sympath)
1672 parser.parse()
1673 parser.loadSymsIntoTrace(self, normname)
1674
1676 pe = PE.peFromMemoryObject(self, baseaddr)
1677 for rva, ord, name in pe.getExports():
1678 self.addSymbol(e_resolv.Symbol(name, baseaddr+rva, 0, normname))
1679
1680 @v_base.threadwrap
1682 ctx = self.archGetRegCtx()
1683 c = self._winGetRegStruct()
1684
1685 thandle = self.thandles.get(threadid, None)
1686 if not thandle:
1687 raise Exception("Getting registers for unknown thread")
1688
1689 if not kernel32.GetThreadContext(thandle, addressof(c)):
1690 raiseWin32Error("kernel32.GetThreadContext")
1691
1692 c.regPostProcess()
1693
1694 ctx._rctx_Import(c)
1695 return ctx
1696
1697 @v_base.threadwrap
1699
1700 c = self._winGetRegStruct()
1701
1702 thandle = self.thandles.get(threadid, None)
1703 if not thandle:
1704 raise Exception("Getting registers for unknown thread: %d" % threadid)
1705
1706 if not kernel32.GetThreadContext(thandle, addressof(c)):
1707 raiseWin32Error("kernel32.GetThreadContext (tid: %d)" % threadid)
1708
1709 ctx._rctx_Export(c)
1710
1711 if not kernel32.SetThreadContext(thandle, addressof(c)):
1712 raiseWin32Error("kernel32.SetThreadContext (tid: %d)" % threadid)
1713
1715 '''
1716 Expose the getServicesList via the trace for remote...
1717 '''
1718 return getServicesList()
1719
1721 return getTokenElevationType(self.phandle)
1722
1723 # NOTE: The order of the constructors vs inheritance is very important...
1724
1725 -class Windowsi386Trace(
1726 vtrace.Trace,
1727 WindowsMixin,
1728 v_i386.i386Mixin,
1729 v_base.TracerBase,
1730 ):
1731
1733 vtrace.Trace.__init__(self)
1734 v_base.TracerBase.__init__(self)
1735 v_i386.i386Mixin.__init__(self)
1736 WindowsMixin.__init__(self)
1737
1739 c = CONTEXTx86()
1740 c.ContextFlags = (CONTEXT_i386 |
1741 CONTEXT_FULL |
1742 CONTEXT_DEBUG_REGISTERS |
1743 CONTEXT_EXTENDED_REGISTERS)
1744 return c
1745
1746 -class WindowsAmd64Trace(
1747 vtrace.Trace,
1748 WindowsMixin,
1749 v_amd64.Amd64Mixin,
1750 v_base.TracerBase,
1751 ):
1752
1754 vtrace.Trace.__init__(self)
1755 v_base.TracerBase.__init__(self)
1756 WindowsMixin.__init__(self)
1757 v_amd64.Amd64Mixin.__init__(self)
1758
1760 c = CONTEXTx64()
1761 c.ContextFlags = (CONTEXT_AMD64 | CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS)
1762 return c
1763
1764 reserved = {
1765 'None': True,
1766 'True': True,
1767 'False': True,
1768 }
1769
1770 VT_EMPTY = 0
1771 VT_NULL = 1
1772 VT_I2 = 2
1773 VT_I4 = 3
1774 VT_R4 = 4
1775 VT_R8 = 5
1776 VT_CY = 6
1777 VT_DATE = 7
1778 VT_BSTR = 8
1779 VT_DISPATCH = 9
1780 VT_ERROR = 10
1781 VT_BOOL = 11
1782 VT_VARIANT = 12
1783 VT_UNKNOWN = 13
1784 VT_I1 = 16
1785 VT_UI1 = 17
1786 VT_UI2 = 18
1787 VT_UI4 = 19
1788 VT_INT = 20
1789 VT_UINT = 21
1792 _fields_ = [
1793 ('ui1', c_uint8),
1794 ('ui2', c_uint16),
1795 ('ui4', c_uint32),
1796 ('i1', c_int8),
1797 ('i2', c_int16),
1798 ('i4', c_int32),
1799 ('pad', BYTE*32),
1800 ]
1801
1803 _fields_ = [
1804 ('vt', WORD),
1805 ('res1', WORD),
1806 ('res2', WORD),
1807 ('res3', WORD),
1808 ('u', VARIANT_guts),
1809 ]
1810
1812
1814 self.phandle = phandle
1815 self.filename = filename
1816 self.loadbase = loadbase
1817 self.sympath = sympath
1818 self.symbols = []
1819 self.symopts = (SYMOPT_UNDNAME | SYMOPT_NO_PROMPTS | SYMOPT_NO_CPP)
1820 self._sym_types = {}
1821 self._sym_enums = {}
1822 self._sym_locals = {}
1823
1825 # Just a helper function for "reversing" how dbghelp works
1826 for n,t in info.__class__._fields_:
1827 print n,repr(getattr(info, n))
1828
1830 x = dbghelp.SymGetTypeInfo(self.phandle, self.loadbase,
1831 tindex, tinfo, tparam)
1832 if x == 0:
1833 return False
1834 return True
1835
1837 n = c_wchar_p()
1838 self.symGetTypeInfo(typeid, TI_GET_SYMNAME, pointer(n))
1839 val = n.value
1840 # Strip leading / trailing _'s
1841 if val != None:
1842 val = val.strip('_')
1843 if val == '<unnamed-tag>' or val == 'unnamed':
1844 val = '_unnamed_%d' % typeid
1845 #print repr(val)
1846 return val
1847
1849 offset = c_ulong(0)
1850 self.symGetTypeInfo(typeid, TI_GET_UDTKIND, pointer(offset))
1851 return offset.value
1852
1854 offset = c_ulong(0)
1855 self.symGetTypeInfo(typeid, TI_GET_OFFSET, pointer(offset))
1856 return offset.value
1857
1859 size = c_ulonglong(0)
1860 self.symGetTypeInfo(typeid, TI_GET_LENGTH, pointer(size))
1861 return size.value
1862
1864 offset = c_ulong(0)
1865 self.symGetTypeInfo(typeid, TI_GET_ARRAYINDEXTYPEID, pointer(offset))
1866 return offset.value
1867
1869 #size = c_ulonglong(0)
1870 v = VARIANT()
1871 self.symGetTypeInfo(typeid, TI_GET_VALUE, pointer(v))
1872
1873 vt = v.vt
1874
1875 # Messy, but gotta do it...
1876 if vt == VT_I1: return v.u.i1
1877 if vt == VT_I2: return v.u.i2
1878 if vt == VT_I4: return v.u.i4
1879 if vt == VT_UI1: return v.u.ui1
1880 if vt == VT_UI2: return v.u.ui2
1881 if vt == VT_UI4: return v.u.ui4
1882
1883 raise Exception('Unhandled Variant Type: %d' % v.vt)
1884
1886 btype = c_ulong(typeid)
1887 # Resolve the deepest base type
1888 while self.symGetTypeTag(btype.value) == SymTagTypedef:
1889 self.symGetTypeInfo(btype.value, TI_GET_BASETYPE, pointer(btype))
1890 return btype.value
1891
1893 ktype = c_ulong(0)
1894 self.symGetTypeInfo(child, TI_GET_TYPE, pointer(ktype))
1895 return ktype.value
1896
1898 btype = c_ulong(0)
1899 self.symGetTypeInfo(typeid, TI_GET_SYMTAG, pointer(btype))
1900 return btype.value
1901
1903
1904 if kidname and kidname[0].isdigit():
1905 kidname = '_%s' % kidname
1906
1907 if reserved.get(kidname):
1908 kidname = '_%s' % kidname
1909
1910 return kidname
1911
1913 size = self.symGetTypeLength(tidx)
1914 kids = []
1915 for child in self._symGetChildren(tidx):
1916 kidname = self.symGetTypeName(child)
1917 kidval = self.symGetTypeValue(child)
1918 kidname = self._fixKidName(kidname)
1919 kids.append((kidname, kidval))
1920
1921 self._sym_enums[name] = (name, size, kids)
1922
1924 size = self.symGetTypeLength(tidx)
1925 kids = []
1926 for child in self._symGetChildren(tidx):
1927 kidname = self.symGetTypeName(child)
1928 kidoff = self.symGetTypeOffset(child)
1929 ktype = self.symGetTypeType(child)
1930 ksize = self.symGetTypeLength(ktype)
1931 ktag = self.symGetTypeTag(ktype)
1932
1933 kidname = self._fixKidName(kidname)
1934 kflags = 0
1935 ktypename = None
1936 kcount = None
1937
1938 if ktag == SymTagPointerType:
1939 kflags |= vs_builder.VSFF_POINTER
1940 ptype = self.symGetTypeType(ktype)
1941 ktypename = self.symGetTypeName(ptype)
1942
1943 elif ktag == SymTagArrayType:
1944 atype = self.symGetTypeType(ktype)
1945 asize = self.symGetTypeLength(atype)
1946 kcount = ksize / asize
1947
1948 # Now, we setup our *child* to be the type
1949 ktypename = self.symGetTypeName(atype)
1950 ksize = asize
1951
1952 if self.symGetTypeTag(atype) == SymTagPointerType:
1953 kflags |= vs_builder.VSFF_POINTER
1954
1955 elif ktag == SymTagEnum:
1956 #ktypename = self.symGetTypeName(ktype)
1957 pass
1958
1959 elif ktag == SymTagUDT:
1960 ktypename = self.symGetTypeName(ktype)
1961
1962 elif ktag == SymTagBaseType:
1963 pass
1964
1965 elif ktag == SymTagFunctionType:
1966 # Function pointer types...
1967 pass
1968
1969 elif ktag == SymTagNull:
1970 pass
1971
1972 else:
1973 print '%s:%s Unknown Type Tag: %d' % (name, kidname, ktag)
1974
1975 kids.append((kidname, kidoff, ksize, ktypename, kflags, kcount))
1976
1977 self._sym_types[name] = (name, size, kids)
1978
1980
1981 s = c_ulong(0)
1982 self.symGetTypeInfo(typeIndex, TI_GET_CHILDRENCOUNT, pointer(s))
1983 tif = buildFindChildrenParams(s.value)
1984 self.symGetTypeInfo(typeIndex, TI_FINDCHILDREN, pointer(tif))
1985 for i in range(s.value):
1986 child = tif.Children[i]
1987 yield child
1988
1990 sym = psym.contents
1991
1992 myname = self.symGetTypeName(sym.TypeIndex)
1993 mytag = self.symGetTypeTag(sym.TypeIndex)
1994
1995 if mytag == SymTagUDT:
1996 self._symTypeUserDefined(myname, sym.TypeIndex)
1997 return True
1998
1999 if mytag == SymTagEnum:
2000 self._symTypeEnum(myname, sym.TypeIndex)
2001 return True
2002
2003 return True
2004
2006 sym = psym.contents
2007
2008 if sym.Tag == SymTagFunction:
2009 sym.Flags |= SYMFLAG_FUNCTION
2010
2011 self.symbols.append((sym.Name, int(sym.Address), int(sym.Size), sym.Flags))
2012 return True
2013
2015 si = SYMBOL_INFO()
2016 si.SizeOfStruct = sizeof(si) - 2000
2017 si.MaxNameLen = 2000
2018 disp = QWORD()
2019 dbghelp.SymFromAddr(self.phandle, address, pointer(disp), pointer(si))
2020 return si
2021
2023
2024 dbghelp.SymInitialize(self.phandle, self.sympath, False)
2025 dbghelp.SymSetOptions(self.symopts)
2026
2027 x = dbghelp.SymLoadModule64(self.phandle,
2028 0,
2029 self.filename,
2030 None,
2031 self.loadbase,
2032 os.path.getsize(self.filename))
2033
2034
2035 # This is for debugging which pdb got loaded
2036 #imghlp = IMAGEHLP_MODULE64()
2037 #imghlp.SizeOfStruct = sizeof(imghlp)
2038 #dbghelp.SymGetModuleInfo64(self.phandle, x, pointer(imghlp))
2039 #print "PDB",repr(imghlp.LoadedPdbName)
2040
2042 dbghelp.SymCleanup(self.phandle)
2043
2045 sym = psym.contents
2046 address = c_int32(sym.Address).value
2047 self._cur_locs.append( (sym.Name, address, sym.Size, sym.Flags) )
2048
2049 return True
2050
2052
2053 for name, addr, size, flags in self.symbols:
2054
2055 si = self.symFromAddr(addr)
2056 if si.Tag != SymTagFunction:
2057 continue
2058
2059 self._cur_locs = []
2060
2061 sframe = IMAGEHLP_STACK_FRAME()
2062 sframe.InstructionOffset = addr
2063 dbghelp.SymSetContext(self.phandle, pointer(sframe), 0)
2064 dbghelp.SymEnumSymbols(self.phandle,
2065 0,
2066 None,
2067 SYMCALLBACK(self.symLocalCallback),
2068 0)
2069
2070 if len(self._cur_locs):
2071 self._sym_locals[addr] = self._cur_locs
2072
2074 try:
2075
2076 self.symInit()
2077
2078 dbghelp.SymEnumSymbols(self.phandle,
2079 self.loadbase,
2080 None,
2081 SYMCALLBACK(self.symEnumCallback),
2082 NULL)
2083
2084 self.parseTypes()
2085 #self.parseArgs()
2086
2087 self.symCleanup()
2088
2089 except Exception, e:
2090 traceback.print_exc()
2091 raise
2092
2094 #self.symInit()
2095 # This is how you enumerate type information
2096 dbghelp.SymEnumTypes(self.phandle,
2097 self.loadbase,
2098 SYMCALLBACK(self.typeEnumCallback),
2099 NULL)
2100
2101 #self.symCleanup()
2102
2104
2105 funcflags = (SYMFLAG_FUNCTION | SYMFLAG_EXPORT)
2106
2107 for name, addr, size, flags in self.symbols:
2108 symclass = e_resolv.Symbol
2109 if flags & funcflags:
2110 symclass = e_resolv.FunctionSymbol
2111 sym = symclass(name, addr, size, normname)
2112 trace.addSymbol(sym)
2113
2114 t = self._sym_types.values()
2115 e = self._sym_enums.values()
2116
2117 # Only add the namespace if we have values...
2118 if len(t):
2119 builder = vs_builder.VStructBuilder(defs=t, enums=e)
2120 trace.vsbuilder.addVStructNamespace(normname, builder)
2121
| Trees | Indices | Help |
|---|
| Generated by Epydoc 3.0.1 on Fri Nov 16 18:22:32 2012 | http://epydoc.sourceforge.net |