cea-sec / miasm

Reverse engineering framework in Python
https://miasm.re/
GNU General Public License v2.0

How to get exception memory #1035

Closed BlackLuny closed 5 years ago

BlackLuny commented 5 years ago

I want to get the exception memory address and length, so I can map the memory to the jitter dynamically. But how can I get the exception address and length in the exception handler for EXCEPT_ACCESS_VIOL? All I want to do is map memory as the jitter really needs it while running.

serpilliere commented 5 years ago

Hi! Here is a target:

main:
    MOV EAX, DWORD PTR [0x11223344]
    RET

(assemble it with: shellcode.py --PE x86_32 test_mem_except.S test_mem_except.bin)

Here is a Python script which hooks access violations and displays the last instruction's memory accesses:

from pdb import pm  # handy when run with python -i
from miasm.analysis.sandbox import Sandbox_Win_x86_32
from miasm.jitter.csts import EXCEPT_ACCESS_VIOL

def deal_exception_access_violation(jitter):
    # Called by the jitter when EXCEPT_ACCESS_VIOL is raised; jitter.pc is the
    # address of the faulting instruction.
    print('Memory breakpoint at %s' % hex(jitter.pc))
    # Clear the exception flag so the VM state is consistent again
    jitter.vm.set_exception(0)
    # Memory ranges (start, stop) touched by the last instruction
    print("\t", "MEM READ: ")
    for start, stop in jitter.vm.get_memory_read():
        print("\t"*2, hex(start), hex(stop))
    print("\t", "MEM WRITE:")
    for start, stop in jitter.vm.get_memory_write():
        print("\t"*2, hex(start), hex(stop))
    # Reset the access log for the next instruction
    jitter.vm.reset_memory_access()
    # Returning False stops the jitter (True would resume execution)
    return False

parser = Sandbox_Win_x86_32.parser(description="Display memory accesses of an access violation")
parser.add_argument("filename", help="PE Filename")
options = parser.parse_args()
sb = Sandbox_Win_x86_32(
    options.filename, options, globals(),
    parse_reloc=False
)

sb.jitter.add_exception_handler(
    EXCEPT_ACCESS_VIOL,
    deal_exception_access_violation
)

sb.run()

Run it with python -i get_mem_access.py test_mem_except.bin. Here is the result:

$ python -i  get_mem_access.py test_mem_except.bin -z 
cannot find crypto, skipping
[WARNING]: Create dummy entry for b'user32.dll'
00401000 MOV        EAX, DWORD PTR [0x11223344]
WARNING: address 0x11223344 is not mapped in virtual memory:
Exception at 0x401000
         MEM READ: 
                 0x11223344 0x11223348
         MEM WRITE:
>>> 

I think your comment raises the fact that we need an example here. If this one is clear for you, I will add it to the examples of miasm API.

BlackLuny commented 5 years ago

Thanks! It works for me. I think you can add an example about how to feed/map memory to the jitter and the symbolic execution engine (DSEngine or SymbolicExecutionEngine) while the jitter and symbolic execution are running.
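The following is an added example, not code from this thread or from the miasm project, that builds on serpilliere's handler above to do the mapping BlackLuny asks for: the faulting ranges reported by get_memory_read/get_memory_write are rounded to pages, the pages not yet mapped are added with add_memory_page, and the handler returns True so the jitter resumes at the faulting instruction. The page-rounding helper pages_to_map is pure Python; the miasm calls (vm.is_mapped, vm.add_memory_page, PAGE_READ/PAGE_WRITE) and the "return True resumes at jitter.pc" convention are assumptions about the miasm API, and the "on-demand" page name is a constructed label.

```python
# Added example (not from the issue or the miasm project): map memory on
# demand from an EXCEPT_ACCESS_VIOL handler. miasm API usage is assumed.
PAGE_SIZE = 0x1000

def pages_to_map(accesses, is_mapped, page_size=PAGE_SIZE):
    """Return page-aligned (start, size) ranges covering every (start, stop)
    access that is not already mapped; adjacent pages are merged."""
    pages = set()
    for start, stop in accesses:
        first = start & ~(page_size - 1)
        last = (stop - 1) & ~(page_size - 1)  # stop is exclusive
        for addr in range(first, last + 1, page_size):
            if not is_mapped(addr, page_size):
                pages.add(addr)
    ranges = []
    for addr in sorted(pages):
        if ranges and ranges[-1][0] + ranges[-1][1] == addr:
            ranges[-1] = (ranges[-1][0], ranges[-1][1] + page_size)
        else:
            ranges.append((addr, page_size))
    return ranges

def map_on_demand(jitter):
    """Exception handler: map the faulting pages (zero-filled) and resume."""
    from miasm.jitter.csts import PAGE_READ, PAGE_WRITE
    vm = jitter.vm
    accesses = list(vm.get_memory_read()) + list(vm.get_memory_write())
    vm.reset_memory_access()
    ranges = pages_to_map(accesses, vm.is_mapped)
    for addr, size in ranges:
        print("Mapping %#x-%#x for pc %#x" % (addr, addr + size, jitter.pc))
        # "on-demand" is just a constructed page name for later inspection
        vm.add_memory_page(addr, PAGE_READ | PAGE_WRITE, b"\x00" * size, "on-demand")
    vm.set_exception(0)
    # True resumes execution at jitter.pc (the faulting instruction is
    # re-executed against the new pages); False stops the jitter, as the
    # original handler does. Stop if nothing could be mapped.
    return bool(ranges)

if __name__ == "__main__":
    from miasm.analysis.sandbox import Sandbox_Win_x86_32
    from miasm.jitter.csts import EXCEPT_ACCESS_VIOL
    parser = Sandbox_Win_x86_32.parser(description="Map memory on demand")
    parser.add_argument("filename", help="PE Filename")
    options = parser.parse_args()
    sb = Sandbox_Win_x86_32(options.filename, options, globals(), parse_reloc=False)
    sb.jitter.add_exception_handler(EXCEPT_ACCESS_VIOL, map_on_demand)
    sb.run()
```

With the test_mem_except.bin target above, the read of 0x11223344..0x11223348 maps the single page at 0x11223000 and the MOV then completes with EAX = 0.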