#!/usr/bin/env python
"""
(c) Immunity, Inc. 2004-2007
U{Immunity Inc.<http://www.immunityinc.com>}
Pycommand example
"""
# Version string of this PyCommand example.
__VERSION__ = "1.0"

# One-line description of the command and the parameters it expects.
DESC = "PyCommands example - Params: arg1 arg2"
import immlib
import immutils
import time
def get_time_1():
    """Return the time between two back-to-back clock reads, in milliseconds.

    Nothing runs between the two reads, so the result is only the cost of
    taking a timestamp.

    NOTE: time.clock() exists only on older interpreters (it was removed in
    Python 3.8).
    """
    began = time.clock()
    ended = time.clock()
    # time.clock() reports seconds; scale the difference to milliseconds.
    return (ended - began) * 1000
def main(args):
    """Exercise several immlib disassembly and function-analysis calls on ntdll.dll.

    Logs every argument, looks up ntdll.dll and logs its code base, queries the
    decode information for one hard-coded address, times a single
    disasmData() call, and finally compares the basic blocks reported for the
    function at ADDR with the hard-coded ``ida`` address list, logging the
    addresses that were not matched.

    args: sequence of command arguments; each one is only written to the log.

    No value is returned explicitly.

    NOTE(review): this is Python 2 code (long literal ``0x7C9105D4L``,
    ``time.clock()``).
    NOTE(review): the listing this was taken from had lost its indentation;
    the loop bodies below are reconstructed from the statements' data flow --
    confirm against the original file.
    """
    imm=immlib.Debugger()
    for arg in args:
        imm.Log("Arg: %s" % arg)

    # NOTE(review): the result of getModule() is used without a check;
    # presumably this fails if ntdll.dll cannot be resolved -- confirm.
    mod = imm.getModule("ntdll.dll")
    addr = mod.getCodebase()
    dec = imm.findDecode( addr )
    imm.Log("Base address: 0x%08x" % addr)
    # Hard-coded address; presumably valid only for the ntdll.dll build the
    # author was debugging -- TODO confirm before reusing on another system.
    address = 0x7c93c667
    imm.Log( hex(address ) )
    imm.Log( str( dec.isJmpDestination( address ) ) )
    imm.Log( hex( dec[ address ] ) )
    # Alternative disassembly calls; the trailing numbers look like timings
    # the author recorded -- TODO confirm.
    #op = imm.disasmCode( address ) # 0.55
    #op = imm.Disasm( address ) # 0.83
    #op = imm.disasmData( address ) # 0.83
    #op = imm.disasmSizeOnly( address )

    #import profile

    #foo = imm.disasmFile
    # Repeats the module-level import of time; harmless but redundant.
    import time

    # Time one disasmData() call.
    # NOTE(review): time.clock() returns seconds and the difference is logged
    # unscaled, although the message says "usec/pass".
    start = time.clock()
    op = imm.disasmData( address ) # 0.27
    stop = time.clock()
    imm.Log("DisasmData %.8f usec/pass" % (stop-start) )


    imm.Log( "is jmc" + str( op.isConditionalJmp() ) , address = address )
    imm.Log( "op dest: 0x%08x" % op.getJmpConst(), address = address )
    # `address` is not read again after this increment.
    address += 1
    imm.Log( str(immutils.hexdump( dec.data )) )
    # Other candidate function addresses the author tried.
    #ADDR = 0x7C9139ED
    #ADDR = 0x7C91D37F # 16
    #ADDR = 0x7C920645 # 17
    #ADDR = 0x7C9206BB
    #ADDR = 0x7C923313 # 21
    #ADDR = 0x7C925D96 # 39
    #ADDR = 0x7C9260BCL # 36
    #import libanalize
    ADDR = 0x7C9105D4L

    f = imm.getFunction( ADDR )
    bb = f.getBasicBlocks()
    imm.Log("Basic Blocks")
    # Reference list of addresses for the function at ADDR; judging by the
    # name it was presumably exported from IDA -- TODO confirm.
    ida = [0x7c911f49,0x7c93bad1,0x7c911505,0x7c9112f2,0x7c93431e,0x7c9111f1,0x7c9342c5,0x7c9111f6,0x7c91b298,0x7c912221,0x7c911513,0x7c912270,0x7c912343,0x7c93250b,0x7c9114cf,0x7c9115ad,0x7c910c98,0x7c911566,0x7c93b95e,0x7c9116ff,0x7c931a9a,0x7c9342e9,0x7c934312,0x7c910c91,0x7c911441,0x7c911446,0x7c91122e,0x7c91b2a2,0x7c911330,0x7c9113b0,0x7c9117e4,0x7c931ad8,0x7c93b968,0x7c910cd3,0x7c93ba0c,0x7c9111a2,0x7c91222b,0x7c932508,0x7c911790,0x7c93bac9,0x7c911182,0x7c912237,0x7c910649,0x7c912230,0x7c93b89a,0x7c93bbd6,0x7c934278,0x7c911624,0x7c93ba89,0x7c9111fe,0x7c934341,0x7c911676,0x7c911573,0x7c934256,0x7c931a8c,0x7c9342a5,0x7c911570,0x7c93ba01,0x7c91154b,0x7c910cec,0x7c93bc5e,0x7c911342,0x7c934356,0x7c9113f0,0x7c91117a,0x7c910c9f,0x7c912269,0x7c934391,0x7c910ca6,0x7c93b91a,0x7c934302,0x7c934351,0x7c911fe5,0x7c9106a5,0x7c911193,0x7c911615,0x7c9112ca,0x7c911541,0x7c911815,0x7c9115fa,0x7c912243,0x7c93bbe2,0x7c934386,0x7c934380,0x7c9342ce,0x7c91142e,0x7c93437b,0x7c93b999,0x7c91176c,0x7c9115ba,0x7c911633,0x7c91062d,0x7c91153b,0x7c91067b,0x7c9106ab,0x7c93b994,0x7c93430c,0x7c9111e9,0x7c9112c4,0x7c9113a6,0x7c911fe8,0x7c93bc68,0x7c910cab,0x7c934396,0x7c911555,0x7c93bb49,0x7c934314,0x7c9114e5,0x7c93b8d5,0x7c934370,0x7c93bc25,0x7c911764,0x7c910cfa,0x7c934375,0x7c912254,0x7c9116d3,0x7c910625,0x7c911c58,0x7c93bbed,0x7c93bbb4,0x7c9105e3,0x7c93bc59,0x7c93ba63,0x7c93ba99,0x7c93ba66,0x7c9324c7,0x7c93438b,0x7c91182c,0x7c9111b1,0x7c9113b8,0x7c911487,0x7c9115d3,0x7c911484,0x7c91170a,0x7c910cc8,0x7c93b922,0x7c93bb56,0x7c9113ce,0x7c93bb50,0x7c9115ed,0x7c9113fe,0x7c93bc11,0x7c911c65,0x7c910638,0x7c9116c8,0x7c912388,0x7c912260,0x7c911239,0x7c934368,0x7c9324ec,0x7c9105d4,0x7c91130f,0x7c93b99e,0x7c91237a,0x7c91138c,0x7c934280,0x7c9116bf,0x7c931aad,0x7c911f8e,0x7c911414,0x7c911525,0x7c9343a3,0x7c911c6b,0x7c910fdc,0x7c93b9db,0x7c911f8a,0x7c9106d7,0x7c93bc1c,0x7c910687,0x7c911439,0x7c9111bb,0x7c911f77,0x7c910660,0x7c93428c,0x7c911c76,0x7c9115df,0x7c93b8a2,0x7c93bc9d,0x7c911382,0x7c911538,0x7c910609,
           0x7c93bbcd,0x7c931aa5,0x7c9342d3,0x7c911784,0x7c911309,0x7c93436a,0x7c911c83,0x7c91140b,0x7c91149e,0x7c93b92f,0x7c9117ae,0x7c93439d,0x7c91137a,0x7c9324e1,0x7c93b9ac,0x7c93b8cb,0x7c9106e4,0x7c9106e6,0x7c93268f,0x7c93bb16,0x7c934349,0x7c93b88e,0x7c911f7f,0x7c9113ed,0x7c9115c4,0x7c91b28c,0x7c91159a,0x7c93b9b2,0x7c911588,0x7c9117c5,0x7c91165f,0x7c9117dd,0x7c931ab4,0x7c911394,0x7c910618,0x7c9116a8,0x7c911fbd,0x7c93bb8b,0x7c911503,0x7c911501,0x7c91066e,0x7c911792,0x7c931acb,0x7c911158,0x7c910fca,0x7c93ba38,0x7c91179c,0x7c911315,0x7c910cb6,0x7c91185e,0x7c910c67,0x7c911c8c,0x7c910c61,0x7c93bb3e,0x7c93b883,0x7c91220d,0x7c93b9de,0x7c93bae5,0x7c911596,0x7c9106b8,0x7c9114a7,0x7c93b8c0,0x7c9113dc,0x7c93bb37,0x7c9115c0,0x7c911645,0x7c9106eb,0x7c912356,0x7c93ba3e,0x7c910666,0x7c9122dc,0x7c931ac1,0x7c93b903,0x7c9324fe,0x7c911241,0x7c93b953,0x7c910744,0x7c93b90e,0x7c931a6b,0x7c91139e,0x7c911253,0x7c911324,0x7c9122e8,0x7c911320,0x7c9115a4]
    # Log every basic block as an address pair and strike its first address
    # off the reference list.
    # NOTE(review): list.index() raises ValueError when a[0] is not in `ida`,
    # so the first basic block missing from the reference list aborts the
    # comparison instead of being reported.
    for a in bb:
        imm.Log(" (0x%08x, 0x%08x )" % (a[0], a[1]) )
        del ida[ ida.index( a[0] ) ]
    imm.Log("BB size: %d" % len(bb) )
    # Whatever is left in `ida` was not matched by any basic block.
    imm.Log("Resto: %d" % len(ida) )
    # For each unmatched address, disassemble backward from it and log
    # whether that instruction reports itself as a call.
    for a in ida:
        op = imm.disasmBackward(a)

        imm.Log(" -> 0x%08x %s" % (a, str(op.isCall())), address = a)