x64dbg / x64dbgpy

Automating x64dbg using Python, Snapshots:
https://ci.appveyor.com/project/mrexodia/x64dbg-python/build/artifacts
MIT License

An improvement idea for BPMAP() and MEMMAP() #42

Closed herosi closed 4 years ago

herosi commented 4 years ago

Hi @mrexodia , would you accept this patch?

diff -u bridgemain.i.orig bridgemain.i
--- bridgemain.i.orig   2019-09-04 03:15:23.000000000 +0900
+++ bridgemain.i    2019-11-16 01:29:04.902831000 +0900
@@ -30,6 +30,54 @@
 }
 %}

+%inline %{
+typedef struct
+{
+    duint BaseAddress;
+    duint AllocationBase;
+    DWORD AllocationProtect;
+    duint RegionSize;
+    DWORD State;
+    DWORD Protect;
+    DWORD Type;
+} PY_MEMORY_BASIC_INFORMATION;
+
+//Debugger structs
+typedef struct
+{
+    PY_MEMORY_BASIC_INFORMATION mbi;
+    char info[MAX_MODULE_SIZE];
+} PY_MEMPAGE;
+%}
+
+%template(MemPageVector) std::vector<PY_MEMPAGE>;
+
+%inline %{
+std::vector<PY_MEMPAGE> GetMemPageList(MEMMAP* mm)
+{
+    std::vector<PY_MEMPAGE> vec(
+        (PY_MEMPAGE *) mm->page,
+        (PY_MEMPAGE *) mm->page + mm->count
+    );
+    BridgeFree(mm->page);
+    return vec;
+}
+%}
+
+%template(BpVector) std::vector<BRIDGEBP>;
+
+%inline %{
+std::vector<BRIDGEBP> GetBpList(BPMAP* bm)
+{
+    std::vector<BRIDGEBP> vec(
+        bm->bp,
+        bm->bp + bm->count
+    );
+    BridgeFree(bm->bp);
+    return vec;
+}
+%}
+
 %include <windows.i>
 #define DECLSPEC_ALIGN(x) __declspec(align(x))
 %include "..\pluginsdk\bridgemain.h"
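Review bot: GetMemPageList and GetBpList call BridgeFree on the bridge buffer but leave `mm->page` / `bm->bp` pointing at the released memory, so a second call on the same map object from Python (which still sees a non-null `bp`/`page` attribute) reads a dangling pointer and frees it twice; after each `BridgeFree` add `mm->page = nullptr; mm->count = 0;` (and likewise `bm->bp = nullptr; bm->count = 0;`), and return an empty vector up front when the pointer is already null so a failed or never-run `DbgMemMap`/`DbgGetBpList` cannot reach the vector constructor. The cast of `mm->page` to `PY_MEMPAGE*` also relies on `PY_MEMORY_BASIC_INFORMATION` having exactly the size and field order of the SDK's `MEMORY_BASIC_INFORMATION` inside `MEMPAGE`; if the two ever drift the copy silently misreads every record, so a `static_assert(sizeof(PY_MEMPAGE) == sizeof(MEMPAGE), "PY_MEMPAGE layout must match MEMPAGE");` next to the typedef (assuming `MEMPAGE` is in scope at that point of the wrapper) would turn that into a build error. A one-line comment on each helper stating that it takes ownership of and releases the bridge-allocated buffer would also help callers, since nothing in the signature suggests it.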

Then we can access each breakpoint record and memory section with a script like this:

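import x64dbgpy

# Shorten the long module path used for every bridge call below.
x64dbg = x64dbgpy.pluginsdk.x64dbg

# Breakpoints: DbgGetBpList fills the BPMAP; GetBpList copies its records into
# a Python-iterable vector (and releases the bridge buffer, so call it once).
bm = x64dbg.BPMAP()
x64dbg.DbgGetBpList(x64dbg.bp_memory, bm)
if bm.bp is not None:
    for bp in x64dbg.GetBpList(bm):
        print("%x: %s, %x, %d, %x, %x" % (bp.addr, bp.mod, bp.active, bp.type, bp.hitCount, bp.slot))

# Memory map: same pattern. Guard on mm.page like the breakpoint path above so
# that a map left empty by DbgMemMap (no debuggee, failed call) is not handed
# to GetMemPageList with a null page pointer.
mm = x64dbg.MEMMAP()
x64dbg.DbgMemMap(mm)
if mm.page is not None:
    for mp in x64dbg.GetMemPageList(mm):
        print("%x: %x, %x, %x, %x, %x, %x, %s" % (mp.mbi.BaseAddress, mp.mbi.RegionSize, mp.mbi.Protect, mp.mbi.AllocationBase, mp.mbi.AllocationProtect, mp.mbi.State, mp.mbi.Type, mp.info))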
herosi commented 4 years ago

This is the result when I executed the script above with the patch.

[PYTHON] Executing script: "C:\Users\xxxx\desktop\test.py"
7ff6eac61000: dllloader64_71f7.exe, 1, 4, 0, 0
7ff6eac66000: dllloader64_71f7.exe, 1, 4, 0, 0
f60000: 10000, 4, f60000, 4, 1000, 40000, 
f80000: 1a000, 2, f80000, 2, 1000, 40000, 
fa0000: 4000, 2, fa0000, 2, 1000, 40000, 
fb0000: 2000, 4, fb0000, 4, 1000, 20000, 
1000000: 3b000, 0, 1000000, 4, 2000, 20000, Reserved
103b000: 5000, 4, 1000000, 4, 1000, 20000, PEB
1040000: 1c0000, 0, 1000000, 4, 2000, 20000, Reserved (0000000001000000)
1200000: f8000, 0, 1200000, 4, 2000, 20000, Reserved
12f8000: 8000, 104, 1200000, 4, 1000, 20000, Thread 1404 Stack
1370000: c000, 4, 1370000, 4, 1000, 20000, 
137c000: f4000, 0, 1370000, 4, 2000, 20000, Reserved (0000000001370000)
1470000: c5000, 2, 1470000, 2, 1000, 40000, \Device\HarddiskVolume2\Windows\System32\locale.nls
1540000: fc000, 0, 1540000, 4, 2000, 20000, Reserved
163c000: 4000, 104, 1540000, 4, 1000, 20000, 
7ffe0000: 1000, 2, 7ffe0000, 2, 1000, 20000, KUSER_SHARED_DATA
7ffec000: 1000, 2, 7ffec000, 2, 1000, 20000, 
7ff448d40000: 5000, 2, 7ff448d40000, 2, 1000, 40000, 
7ff448d45000: fb000, 0, 7ff448d40000, 2, 2000, 40000, Reserved (00007FF448D40000)
7ff448e40000: 100020000, 0, 7ff448e40000, 4, 2000, 20000, Reserved
7ff548e60000: 2000000, 0, 7ff548e60000, 4, 2000, 20000, Reserved
7ff54ae60000: 1000, 4, 7ff548e60000, 4, 1000, 20000, 
7ff54ae70000: 1000, 2, 7ff54ae70000, 2, 1000, 40000, 
7ff54ae80000: 23000, 2, 7ff54ae80000, 2, 1000, 40000, 
7ff6eac60000: 1000, 2, 7ff6eac60000, 80, 1000, 1000000, dllloader64_71f7.exe
7ff6eac61000: 5000, 120, 7ff6eac60000, 80, 1000, 1000000,  ".text"
7ff6eac66000: 3000, 102, 7ff6eac60000, 80, 1000, 1000000,  ".rdata"
7ff6eac69000: 3000, 8, 7ff6eac60000, 80, 1000, 1000000,  ".data"
7ff6eac6c000: 1000, 2, 7ff6eac60000, 80, 1000, 1000000,  ".pdata"
7ff6eac6d000: 1000, 2, 7ff6eac60000, 80, 1000, 1000000,  ".reloc"
7fffc47b0000: 1000, 2, 7fffc47b0000, 80, 1000, 1000000, apphelp.dll
7fffc47b1000: 4b000, 20, 7fffc47b0000, 80, 1000, 1000000,  ".text"
7fffc47fc000: 21000, 2, 7fffc47b0000, 80, 1000, 1000000,  ".rdata"
7fffc481d000: 3000, 4, 7fffc47b0000, 80, 1000, 1000000,  ".data"
7fffc4820000: 4000, 2, 7fffc47b0000, 80, 1000, 1000000,  ".pdata"
7fffc4824000: 17000, 2, 7fffc47b0000, 80, 1000, 1000000,  ".rsrc"
7fffc483b000: 1000, 2, 7fffc47b0000, 80, 1000, 1000000,  ".reloc"
7fffc67a0000: 1000, 2, 7fffc67a0000, 80, 1000, 1000000, gdi32full.dll
7fffc67a1000: d1000, 20, 7fffc67a0000, 80, 1000, 1000000,  ".text"
7fffc6872000: a6000, 2, 7fffc67a0000, 80, 1000, 1000000,  ".rdata"
7fffc6918000: 5000, 4, 7fffc67a0000, 80, 1000, 1000000,  ".data"
7fffc691d000: 8000, 2, 7fffc67a0000, 80, 1000, 1000000,  ".pdata"
7fffc6925000: 1000, 2, 7fffc67a0000, 80, 1000, 1000000,  ".didat"
7fffc6926000: 12000, 2, 7fffc67a0000, 80, 1000, 1000000,  ".rsrc"
7fffc6938000: 2000, 2, 7fffc67a0000, 80, 1000, 1000000,  ".reloc"
7fffc6940000: 1000, 2, 7fffc6940000, 80, 1000, 1000000, kernelbase.dll
7fffc6941000: 103000, 20, 7fffc6940000, 80, 1000, 1000000,  ".text"
7fffc6a44000: 156000, 2, 7fffc6940000, 80, 1000, 1000000,  ".rdata"
7fffc6b9a000: 5000, 4, 7fffc6940000, 80, 1000, 1000000,  ".data"
7fffc6b9f000: f000, 2, 7fffc6940000, 80, 1000, 1000000,  ".pdata"
7fffc6bae000: 1000, 2, 7fffc6940000, 80, 1000, 1000000,  ".didat"
7fffc6baf000: 1000, 2, 7fffc6940000, 80, 1000, 1000000,  ".rsrc"
7fffc6bb0000: 23000, 2, 7fffc6940000, 80, 1000, 1000000,  ".reloc"
7fffc6be0000: 1000, 2, 7fffc6be0000, 80, 1000, 1000000, ucrtbase.dll
7fffc6be1000: b2000, 20, 7fffc6be0000, 80, 1000, 1000000,  ".text"
7fffc6c93000: 38000, 2, 7fffc6be0000, 80, 1000, 1000000,  ".rdata"
7fffc6ccb000: 3000, 4, 7fffc6be0000, 80, 1000, 1000000,  ".data"
7fffc6cce000: c000, 2, 7fffc6be0000, 80, 1000, 1000000,  ".pdata"
7fffc6cda000: 1000, 2, 7fffc6be0000, 80, 1000, 1000000,  ".rsrc"
7fffc6cdb000: 1000, 2, 7fffc6be0000, 80, 1000, 1000000,  ".reloc"
7fffc7430000: 1000, 2, 7fffc7430000, 80, 1000, 1000000, win32u.dll
7fffc7431000: a000, 20, 7fffc7430000, 80, 1000, 1000000,  ".text"
7fffc743b000: e000, 2, 7fffc7430000, 80, 1000, 1000000,  ".rdata"
7fffc7449000: 1000, 4, 7fffc7430000, 80, 1000, 1000000,  ".data"
7fffc744a000: 4000, 2, 7fffc7430000, 80, 1000, 1000000,  ".pdata"
7fffc744e000: 1000, 2, 7fffc7430000, 80, 1000, 1000000,  ".rsrc"
7fffc744f000: 1000, 2, 7fffc7430000, 80, 1000, 1000000,  ".reloc"
7fffc7560000: 1000, 2, 7fffc7560000, 80, 1000, 1000000, msvcp_win.dll
7fffc7561000: 55000, 20, 7fffc7560000, 80, 1000, 1000000,  ".text"
7fffc75b6000: 3e000, 2, 7fffc7560000, 80, 1000, 1000000,  ".rdata"
7fffc75f4000: 4000, 8, 7fffc7560000, 80, 1000, 1000000,  ".data"
7fffc75f8000: 5000, 2, 7fffc7560000, 80, 1000, 1000000,  ".pdata"
7fffc75fd000: 1000, 2, 7fffc7560000, 80, 1000, 1000000,  ".didat"
7fffc75fe000: 1000, 2, 7fffc7560000, 80, 1000, 1000000,  ".rsrc"
7fffc75ff000: 1000, 2, 7fffc7560000, 80, 1000, 1000000,  ".reloc"
7fffc7840000: 1000, 2, 7fffc7840000, 80, 1000, 1000000, user32.dll
7fffc7841000: 87000, 20, 7fffc7840000, 80, 1000, 1000000,  ".text"
7fffc78c8000: 21000, 2, 7fffc7840000, 80, 1000, 1000000,  ".rdata"
7fffc78e9000: 2000, 4, 7fffc7840000, 80, 1000, 1000000,  ".data"
7fffc78eb000: 8000, 2, 7fffc7840000, 80, 1000, 1000000,  ".pdata"
7fffc78f3000: 1000, 2, 7fffc7840000, 80, 1000, 1000000,  ".didat"
7fffc78f4000: e2000, 2, 7fffc7840000, 80, 1000, 1000000,  ".rsrc"
7fffc79d6000: 1000, 2, 7fffc7840000, 80, 1000, 1000000,  ".reloc"
7fffc7aa0000: 1000, 2, 7fffc7aa0000, 80, 1000, 1000000, kernel32.dll
7fffc7aa1000: 76000, 20, 7fffc7aa0000, 80, 1000, 1000000,  ".text"
7fffc7b17000: 32000, 2, 7fffc7aa0000, 80, 1000, 1000000,  ".rdata"
7fffc7b49000: 2000, 4, 7fffc7aa0000, 80, 1000, 1000000,  ".data"
7fffc7b4b000: 6000, 2, 7fffc7aa0000, 80, 1000, 1000000,  ".pdata"
7fffc7b51000: 1000, 2, 7fffc7aa0000, 80, 1000, 1000000,  ".rsrc"
7fffc7b52000: 1000, 2, 7fffc7aa0000, 80, 1000, 1000000,  ".reloc"
7fffca390000: 1000, 2, 7fffca390000, 80, 1000, 1000000, gdi32.dll
7fffca391000: e000, 20, 7fffca390000, 80, 1000, 1000000,  ".text"
7fffca39f000: 14000, 2, 7fffca390000, 80, 1000, 1000000,  ".rdata"
7fffca3b3000: 1000, 4, 7fffca390000, 80, 1000, 1000000,  ".data"
7fffca3b4000: 1000, 2, 7fffca390000, 80, 1000, 1000000,  ".pdata"
7fffca3b5000: 2000, 2, 7fffca390000, 80, 1000, 1000000,  ".didat"
7fffca3b7000: 1000, 2, 7fffca390000, 80, 1000, 1000000,  ".rsrc"
7fffca3b8000: 1000, 2, 7fffca390000, 80, 1000, 1000000,  ".reloc"
7fffca3f0000: 1000, 2, 7fffca3f0000, 80, 1000, 1000000, ntdll.dll
7fffca3f1000: 116000, 20, 7fffca3f0000, 80, 1000, 1000000,  ".text"
7fffca507000: 1000, 20, 7fffca3f0000, 80, 1000, 1000000,  "RT"
7fffca508000: 47000, 2, 7fffca3f0000, 80, 1000, 1000000,  ".rdata"
7fffca54f000: b000, 4, 7fffca3f0000, 80, 1000, 1000000,  ".data"
7fffca55a000: e000, 2, 7fffca3f0000, 80, 1000, 1000000,  ".pdata"
7fffca568000: 4000, 2, 7fffca3f0000, 80, 1000, 1000000,  ".mrdata"
7fffca56c000: 1000, 2, 7fffca3f0000, 80, 1000, 1000000,  ".00cfg"
7fffca56d000: 6f000, 2, 7fffca3f0000, 80, 1000, 1000000,  ".rsrc"
7fffca5dc000: 1000, 2, 7fffca3f0000, 80, 1000, 1000000,  ".reloc"
[PYTHON] Execution is done!
mrexodia commented 4 years ago

I will add you as a collaborator so you can push the changes you would like :)

Anyway you might be interested in the scriptapi: https://github.com/x64dbg/x64dbgpy/blob/v25/scriptapi/scriptapi.cpp

In a script:

# Load the bundled scripting API and dump its help text; help() itself returns
# None, which the enclosing print() then echoes after the listing.
import scriptapi

print(help(scriptapi))

herosi commented 4 years ago

Wow, I didn't know about that great module and its functions. Thanks for sharing the information. I was able to get the memory map with scriptapi.Memory.map instead of using MEMMAP().

herosi commented 4 years ago

I will push the patch for BPMAP() if you add me as a collaborator.

mrexodia commented 4 years ago

I added you :slightly_smiling_face:

herosi commented 4 years ago

Thanks! I applied the change.