

 1  '''
 
 2  Code for hooking import address tables by making them invalid
 
 3  pointers and catching the exceptions...
 
 4  ''' 
import threading

import PE
import vtrace
import vtrace.watchpoints as vt_watchpoints
 8  
 
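class IatHook(vt_watchpoints.Watchpoint):
    '''
    Abuse the PageWatch subsystem to allow function pointers to be
    frob'd to create breakpoint like behavior.

    Each hook overwrites one IAT slot with a unique, deliberately invalid
    pointer taken from the ``newptr`` pool; the memory access fault raised
    when the hooked import is called is what fires the watchpoint, and
    notify() then redirects execution to the real target.
    '''

    # Next fake pointer to hand out.  Each hook consumes one 4096-byte page
    # so a fault can be attributed to exactly one IatHook.  The pool is
    # assumed to lie in unmapped address space -- verify for the target.
    newptr = 0xfbfbf000
    # Serializes read+bump of the shared counter; replaces the unlocked
    # class-level increment the original flagged as "FIXME race".
    _newptr_lock = threading.Lock()

    def __init__(self, ptraddr, iatname):
        '''
        ptraddr: address of the IAT slot this hook overwrites
        iatname: human-readable name returned by getName()
        '''
        with IatHook._newptr_lock:
            fakeptr = IatHook.newptr
            IatHook.newptr += 4096

        vt_watchpoints.Watchpoint.__init__(self, fakeptr)
        self.ptraddr = ptraddr
        self.fakeptr = fakeptr
        self.iatname = iatname
        # Real IAT value; captured on first activate(), restored by
        # deactivate(), and used as the redirect target in notify().
        self.origptr = None

    def getName(self):
        '''Return the IAT entry name this hook was created with.'''
        return self.iatname

    def resolveAddr(self, trace, addr):
        '''No-op: the watchpoint address is the fake pointer chosen in __init__.'''
        pass

    def activate(self, trace):
        '''
        Save the real IAT pointer (once) and replace it with the fake one so
        calls through this import fault into the watchpoint.
        '''
        if self.origptr is None:
            self.origptr = trace.readMemoryFormat(self.ptraddr, '<P')[0]
        # Written on every activate so an activate/deactivate cycle re-arms.
        trace.writeMemoryFormat(self.ptraddr, '<P', self.fakeptr)

    def deactivate(self, trace):
        '''Restore the real IAT pointer if activate() ever saved one.'''
        if self.origptr is not None:
            trace.writeMemoryFormat(self.ptraddr, '<P', self.origptr)

    def notify(self, event, trace):
        '''
        Redirect the program counter to the real import target and clear the
        faulting signal before the base Watchpoint notification runs.
        '''
        # We have to fake out the program counter... origptr is expected to
        # have been filled in by activate() before the hook can be hit.
        trace.setProgramCounter(self.origptr)
        trace.setCurrentSignal(None)
        return vt_watchpoints.Watchpoint.notify(self, event, trace)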
48 49
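def hookIat(trace, libname, implib='*', impfunc='*', fast=False):
    '''
    Hook the IAT with special "breakpoint" like objects which
    handle the memory access errors and document the calls...
    Set fast=True for them to be "Fastbreak" breakpoints.

    trace:   object exposing parseExpression() and addBreakpoint()
             (a vtrace Trace)
    libname: expression naming the loaded module (e.g. 'ws2_32')
    implib:  only hook imports from this DLL ('*' for all); matched
             case-insensitively, with or without a '.dll' suffix
    impfunc: only hook this imported function ('*' for all),
             matched case-insensitively
    fast:    mark each hook as a "fastbreak" breakpoint

    This returns a list of (name, bpid) tuples...

    Example:
        for impname, bpid in hookIat(t, 'ws2_32'):
            t.setBreakpointCode(bpid, codestr)
            ...
    '''
    ret = []
    baseaddr = trace.parseExpression(libname)
    pe = PE.peFromMemoryObject(trace, baseaddr)

    # Normalize the filters exactly as the import-table entries are
    # normalized below, so 'KERNEL32.dll' and 'kernel32' both match.
    implib = implib.lower().replace('.dll', '')
    impfunc = impfunc.lower()

    for rva, ilib, ifunc in pe.getImports():
        ilib = ilib.lower().replace('.dll', '')

        if implib != '*' and ilib != implib:
            continue

        if impfunc != '*' and ifunc.lower() != impfunc:
            continue

        # Name keeps the caller's libname spelling and the original
        # function-name case from the import table.
        iatname = '%s.%s.%s' % (libname, ilib, ifunc)
        wp = IatHook(baseaddr + rva, iatname)
        wp.fastbreak = fast
        bpid = trace.addBreakpoint(wp)
        ret.append((iatname, bpid))
    return ret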
86