-
-
Notifications
You must be signed in to change notification settings - Fork 10
/
hexblog_adapted.py
151 lines (132 loc) · 4.99 KB
/
hexblog_adapted.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
# Helper script for Windows kernel debugging with IDA Pro on VMware + GDB stub
# https://github.com/therealdreg/ida_vmware_windows_gdb
# GNU General Public License v3.0
#
# by David Reguera Garcia aka Dreg
# Twitter @therealdreg
# https://www.fr33project.org
# https://github.com/therealdreg
#
# Based on original vmware_modules.py from Hex Blog article: http://www.hexblog.com/?p=94
# Based on original IDA-VMware-GDB By Oleksiuk Dmytro (aka Cr4sh) https://github.com/Cr4sh/IDA-VMware-GDB
#
# WARNING: Currently only works in old x86 versions (simple port from vmware_modules.py)
#
# 2022/07/31 by Dreg
# - project renamed to ida_bochs_windows.py
# - ported to python3
# - ported to idapython 7.4:
# - https://hex-rays.com/products/ida/support/ida74_idapython_no_bc695_porting_guide.shtml
# - https://www.hex-rays.com/products/ida/support/idapython_docs/index.html
# - ida_dbg.send_dbg_command('sreg')
# - added ida_kernwin.open_segments_window(0) and ida_kernwin.open_names_window(0)
# - fixed bug in get_unistr with len
# - code style fixed using black
# - added changelog
# - added some prints
# - set all segments with +rwx
# - lincense GNU General Public License v3.0
# - comestic changes (new header...)
# - ported to new pdb: netnode using $ pdb + altset 0 + supset 0
# - import new ida modules for inteli
# - tested:
# - hosts: windows 10.0.19044 Build 19044
# - ida pro 7.7, idapython 7.4
# - targets: windows xp sp3 x86
# - bochs debugger 2.7
# -
# for inteli: set ENV VAR PYTHONPATH=C:\Program Files\IDA Pro 7.7\python\3
import idc
import ida_dbg
import ida_idaapi
import ida_netnode
import ida_loader
import ida_kernwin
# path to the local copy of System32 directory
local_sys32 = r"C:\dreg\system32"
# just comment the next line to load all PDB symbols
auto_pdb = [
x.lower()
for x in ["hal.dll", "ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"]
]
cred = '''
Helper script for Windows kernel debugging with IDA Pro on native Bochs debugger
https://github.com/therealdreg/ida_bochs_windows
GNU General Public License v3.0
-
By Oleksiuk Dmytro (aka Cr4sh)
Twitter @d_olex
http://blog.cr4.sh
https://github.com/Cr4sh
-
Mod by David Reguera Garcia aka Dreg
Twitter @therealdreg
https://www.fr33project.org
https://github.com/therealdreg
WARNING: BEFORE OPEN IDA your must set env var: _NT_SYMBOL_PATH to windows symbols, ex: SRV*C:\winsymbols*
'''
print(cred)
def get_unistr(addr):
length = idc.read_dbg_word(addr)
start = idc.read_dbg_dword(addr + 4)
print("length: ", length)
if length > 1000:
raise Exception("get_unistr(): String too long")
res = ""
while length > 0:
c = idc.read_dbg_word(start)
if c == b"\x00\x00":
break
res += chr(c).encode('utf-16', 'surrogatepass').decode('utf-16')
start += 2
length -= 2
return res
fs_str = str(ida_dbg.send_dbg_command('sreg')[1].encode('ascii',errors='ignore'))
fs_str = fs_str.split("fs:")[1].split("base=")[1].split(",")[0]
print("fs_str: ", fs_str)
kpcr = int(fs_str, 16)
print("kpcr: 0x%08X" % kpcr)
kdversionblock = idc.read_dbg_dword(kpcr + 0x34)
print("kdversionblock: 0x%08X" % kdversionblock)
PsLoadedModuleList = idc.read_dbg_dword(kdversionblock + 0x18)
print("PsLoadedModuleList: 0x%08X" % PsLoadedModuleList)
cur_mod = idc.read_dbg_dword(PsLoadedModuleList)
print("first cur_mod: 0x%08X" % cur_mod)
while cur_mod != PsLoadedModuleList and cur_mod != ida_idaapi.BADADDR:
BaseAddress = idc.read_dbg_dword(cur_mod + 0x18)
print("BaseAddress: 0x%08X" % BaseAddress)
SizeOfImage = idc.read_dbg_dword(cur_mod + 0x20)
print("SizeOfImage: 0x%08X" % SizeOfImage)
FullDllName = get_unistr(cur_mod + 0x24)
print("FullDllName: ", str(FullDllName))
BaseDllName = get_unistr(cur_mod + 0x2C)
print("BaseDllName: ", str(BaseDllName))
# create a segment for the module
idc.AddSeg(BaseAddress, BaseAddress + SizeOfImage, 0, 1, idc.saRelByte, idc.scPriv)
idc.set_segm_attr(BaseAddress, idc.SEGATTR_PERM, 7)
# set its name
idc.set_segm_name(BaseAddress, BaseDllName)
# get next entry
cur_mod = idc.read_dbg_dword(cur_mod)
print("++++++++++")
filename = ""
if FullDllName.lower().startswith("\\windows\\system32"):
FullDllName = "\\SystemRoot\\system32" + FullDllName[17:]
if FullDllName.find("\\") == -1:
FullDllName = "\\SystemRoot\\system32\\DRIVERS\\" + FullDllName
if FullDllName.lower().startswith("\\systemroot\\system32"):
filename = local_sys32 + "\\" + FullDllName[20:]
print("filename: ", str(filename))
if len(auto_pdb) == 0 or BaseDllName.lower() in auto_pdb:
print("autoloading pdb...")
node = ida_netnode.netnode()
node.create("$ pdb")
node.altset(0, BaseAddress)
node.supset(0, filename)
ida_loader.load_and_run_plugin("pdb", 3)
print("------------")
ida_kernwin.open_segments_window(0)
ida_kernwin.open_names_window(0)