functions/kernel32.py (516 lines of code) (raw):
#coding: utf-8
import ida_dbg
import idc
import idaapi
import funcutils
GENERIC_ALL = 0x10000000
GENERIC_EXECUTE = 0x20000000
GENERIC_WRITE = 0x40000000
GENERIC_READ = 0x80000000
FILE_SHARE_READ = 0x00000001
FILE_SHARE_WRITE = 0x00000002
FILE_SHARE_DELETE = 0x00000004
CREATE_NEW = 1
CREATE_ALWAYS = 2
OPEN_EXISTING = 3
OPEN_ALWAYS = 4
TRUNCATE_EXISTING = 5
FILE_ATTRIBUTE_READONLY = 0x00000001
FILE_ATTRIBUTE_HIDDEN = 0x00000002
FILE_ATTRIBUTE_SYSTEM = 0x00000004
FILE_ATTRIBUTE_ARCHIVE = 0x0000020
FILE_ATTRIBUTE_NORMAL = 0x00000080
FILE_ATTRIBUTE_TEMPORARY = 0x00000100
FILE_ATTRIBUTE_OFFLINE = 0x00001000
FILE_ATTRIBUTE_ENCRYPTED = 0x00004000
class Kernel32:
def __init__(self):
self.is_64bit = True if idaapi.BADADDR == 0xffffffffffffffff else False
self.total_func = {
# file
"CreateFileA" : self.CreateFileA,
"CreateFileW" : self.CreateFileW,
"ReadFile" : self.ReadFile,
"WriteFile" : self.WriteFile,
# thread & process
"CreateThread" : self.CreateThread,
"CreateProcessA": self.CreateProcessA,
"CreateProcessW": self.CreateProcessW,
# memory
"VirtualAlloc":self.VirtualAlloc,
"VirtualFree":self.VirtualFree,
"VirtualProtect":self.VirtualProtect,
# debug
"IsDebuggerPresent":self.IsDebuggerPresent
}
def get_result(self):
if self.is_64bit:
res = idc.get_reg_value("RAX")
else:
res = idc.get_reg_value("EAX")
return res
def get_func_args(self, nth):
ida_dbg.refresh_debugger_memory()
if self.is_64bit:
four_args = ["RCX", "RDX", "R8", "R9"]
if nth == 0:
rsp = idc.get_reg_value("RSP")
result = idc.get_qword(rsp)
elif nth < 5:
result = idc.get_reg_value(four_args[nth - 1])
else:
rsp = idc.get_reg_value("RSP")
result = idc.get_qword(rsp + nth * 8)
else:
esp = idc.get_reg_value("ESP")
result = idc.get_wide_dword(esp + nth * 4)
return result
def CreateFileA(self, is_return = False):
if is_return == True:
return f"{hex(funcutils.get_result(self.is_64bit))} -> HANDLE"
lpFileNameAddr = funcutils.get_func_args(1, self.is_64bit)
_debug_info = f"lpFileName=" + idc.get_strlit_contents(lpFileNameAddr).decode('utf-8')
access = funcutils.get_func_args(2, self.is_64bit) & 0xffffffff
access_result = str()
if access == GENERIC_ALL:
access_result = "GENERIC_ALL"
else:
if access & GENERIC_READ:
access_result += "GENERIC_READ|"
if access & GENERIC_WRITE:
access_result += "GENERIC_WRITE|"
if access & GENERIC_EXECUTE:
access_result += "GENERIC_EXECUTE|"
if access_result.endswith('|'):
access_result = access_result[:-1]
_debug_info += f", dwDesiredAccess={access_result}"
shared_mode = funcutils.get_func_args(3, self.is_64bit) & 0xffffffff
shared_mode_result = str()
if shared_mode == 0:
shared_mode_result = "0"
else:
if shared_mode & FILE_SHARE_READ:
shared_mode_result += "FILE_SHARE_READ|"
if shared_mode & FILE_SHARE_WRITE:
shared_mode_result += "FILE_SHARE_WRITE|"
if shared_mode & FILE_SHARE_DELETE:
shared_mode_result += "FILE_SHARE_DELETE|"
if shared_mode_result.endswith("|"):
shared_mode_result = shared_mode_result[:-1]
_debug_info += f", dwShareMode={shared_mode_result}"
lpSecurityAttributes = funcutils.get_func_args(4, self.is_64bit)
_debug_info += f", lpSecurityAttributes={hex(lpSecurityAttributes)}"
dwCreationDisposition = funcutils.get_func_args(5, self.is_64bit) & 0xffffffff
creation_result = str()
if dwCreationDisposition == CREATE_NEW:
creation_result = "CREATE_NEW"
elif dwCreationDisposition == CREATE_ALWAYS:
creation_result = "CREATE_ALWAYS"
elif dwCreationDisposition == OPEN_EXISTING:
creation_result = "OPEN_EXISTING"
elif dwCreationDisposition == OPEN_ALWAYS:
creation_result = "OPEN_ALWAYS"
elif dwCreationDisposition == TRUNCATE_EXISTING:
creation_result = "TRUNCATE_EXISTING"
_debug_info += f", dwCreationDisposition={creation_result}"
dwFlagsAndAttributes = funcutils.get_func_args(6, self.is_64bit) & 0xffffffff
attr_result = str()
if dwFlagsAndAttributes & FILE_ATTRIBUTE_READONLY:
attr_result += "FILE_ATTRIBUTE_READONLY|"
if dwFlagsAndAttributes & FILE_ATTRIBUTE_HIDDEN:
attr_result += "FILE_ATTRIBUTE_HIDDEN|"
if dwFlagsAndAttributes & FILE_ATTRIBUTE_SYSTEM:
attr_result += "FILE_ATTRIBUTE_SYSTEM|"
if dwFlagsAndAttributes & FILE_ATTRIBUTE_ARCHIVE:
attr_result += "FILE_ATTRIBUTE_ARCHIVE|"
if dwFlagsAndAttributes & FILE_ATTRIBUTE_NORMAL:
attr_result += "FILE_ATTRIBUTE_NORMAL|"
if dwFlagsAndAttributes & FILE_ATTRIBUTE_TEMPORARY:
attr_result += "FILE_ATTRIBUTE_TEMPORARY|"
if dwFlagsAndAttributes & FILE_ATTRIBUTE_OFFLINE:
attr_result += "FILE_ATTRIBUTE_OFFLINE|"
if dwFlagsAndAttributes & FILE_ATTRIBUTE_ENCRYPTED:
attr_result += "FILE_ATTRIBUTE_ENCRYPTED|"
if attr_result.endswith('|'):
attr_result = attr_result[:-1]
_debug_info += f", dwFlagsAndAttributes={attr_result}"
hTemplateFile = funcutils.get_func_args(7, self.is_64bit)
_debug_info += f", hTemplateFile={hex(hTemplateFile)}) = "
return _debug_info
def CreateFileW(self, is_return = False):
if is_return == True:
return f"{hex(funcutils.get_result(self.is_64bit))} => HANDLE"
lpFileNameAddr = funcutils.get_func_args(1, self.is_64bit)
_debug_info = f"lpFileName=" + idc.get_strlit_contents(ea = lpFileNameAddr, strtype=idc.STRTYPE_C16).decode("utf-8")
access = funcutils.get_func_args(2, self.is_64bit) & 0xffffffff
access_result = str()
if access == GENERIC_ALL:
access_result = "GENERIC_ALL"
else:
if access & GENERIC_READ:
access_result += "GENERIC_READ|"
if access & GENERIC_WRITE:
access_result += "GENERIC_WRITE|"
if access & GENERIC_EXECUTE:
access_result += "GENERIC_EXECUTE|"
if access_result.endswith('|'):
access_result = access_result[:-1]
_debug_info += f", dwDesiredAccess={access_result}"
shared_mode = funcutils.get_func_args(3, self.is_64bit) & 0xffffffff
shared_mode_result = str()
if shared_mode == 0:
shared_mode_result = "0"
else:
if shared_mode & FILE_SHARE_READ:
shared_mode_result += "FILE_SHARE_READ|"
if shared_mode & FILE_SHARE_WRITE:
shared_mode_result += "FILE_SHARE_WRITE|"
if shared_mode & FILE_SHARE_DELETE:
shared_mode_result += "FILE_SHARE_DELETE|"
if shared_mode_result.endswith("|"):
shared_mode_result = shared_mode_result[:-1]
_debug_info += f", dwShareMode={shared_mode_result}"
lpSecurityAttributes = funcutils.get_func_args(4, self.is_64bit)
_debug_info += f", lpSecurityAttributes={hex(lpSecurityAttributes)}"
dwCreationDisposition = funcutils.get_func_args(5, self.is_64bit) & 0xffffffff
creation_result = str()
if dwCreationDisposition == CREATE_NEW:
creation_result = "CREATE_NEW"
elif dwCreationDisposition == CREATE_ALWAYS:
creation_result = "CREATE_ALWAYS"
elif dwCreationDisposition == OPEN_EXISTING:
creation_result = "OPEN_EXISTING"
elif dwCreationDisposition == OPEN_ALWAYS:
creation_result = "OPEN_ALWAYS"
elif dwCreationDisposition == TRUNCATE_EXISTING:
creation_result = "TRUNCATE_EXISTING"
_debug_info += f", dwCreationDisposition={creation_result}"
dwFlagsAndAttributes = funcutils.get_func_args(6, self.is_64bit) & 0xffffffff
attr_result = str()
if dwFlagsAndAttributes & FILE_ATTRIBUTE_READONLY:
attr_result += "FILE_ATTRIBUTE_READONLY|"
if dwFlagsAndAttributes & FILE_ATTRIBUTE_HIDDEN:
attr_result += "FILE_ATTRIBUTE_HIDDEN|"
if dwFlagsAndAttributes & FILE_ATTRIBUTE_SYSTEM:
attr_result += "FILE_ATTRIBUTE_SYSTEM|"
if dwFlagsAndAttributes & FILE_ATTRIBUTE_ARCHIVE:
attr_result += "FILE_ATTRIBUTE_ARCHIVE|"
if dwFlagsAndAttributes & FILE_ATTRIBUTE_NORMAL:
attr_result += "FILE_ATTRIBUTE_NORMAL|"
if dwFlagsAndAttributes & FILE_ATTRIBUTE_TEMPORARY:
attr_result += "FILE_ATTRIBUTE_TEMPORARY|"
if dwFlagsAndAttributes & FILE_ATTRIBUTE_OFFLINE:
attr_result += "FILE_ATTRIBUTE_OFFLINE|"
if dwFlagsAndAttributes & FILE_ATTRIBUTE_ENCRYPTED:
attr_result += "FILE_ATTRIBUTE_ENCRYPTED|"
if attr_result.endswith('|'):
attr_result = attr_result[:-1]
_debug_info += f", dwFlagsAndAttributes={attr_result}"
hTemplateFile = funcutils.get_func_args(7, self.is_64bit)
_debug_info += f", hTemplateFile={hex(hTemplateFile)}) = "
return _debug_info
def ReadFile(self, is_return = False):
if is_return:
return f"{hex(funcutils.get_result(self.is_64bit))} -> BOOL"
hFile = funcutils.get_func_args(1, self.is_64bit)
lpBuffer = funcutils.get_func_args(2, self.is_64bit)
nNumberOfBytesToRead = funcutils.get_func_args(3, self.is_64bit)
lpNumberOfBytesRead = funcutils.get_func_args(4, self.is_64bit)
lpOverlapped = funcutils.get_func_args(5, self.is_64bit)
_debug_info = f"hFile={hex(hFile)}, "
_debug_info += f"lpBuffer={hex(lpBuffer)}, "
_debug_info += f"nNumberOfBytesToRead={nNumberOfBytesToRead}, "
_debug_info += f"lpNumberOfBytesRead={hex(lpNumberOfBytesRead)}, "
_debug_info += f"lpOverlapped={hex(lpOverlapped)}) = "
return _debug_info
def WriteFile(self, is_return = False):
if is_return:
return f"{hex(funcutils.get_result(self.is_64bit))} -> BOOL"
hFile = funcutils.get_func_args(1, self.is_64bit)
lpBuffer = funcutils.get_func_args(2, self.is_64bit)
nNumberOfBytesToWrite = funcutils.get_func_args(3, self.is_64bit)
lpNumberOfBytesWritten = funcutils.get_func_args(4, self.is_64bit)
lpOverlapped = funcutils.get_func_args(5, self.is_64bit)
buffer_preview = ""
if lpBuffer != 0:
buffer_bytes = idc.get_bytes(lpBuffer, min(5, nNumberOfBytesToWrite))
if buffer_bytes:
buffer_preview = " ".join(f"{b:02X}" for b in buffer_bytes)
if nNumberOfBytesToWrite > 5:
buffer_preview += " ..."
_debug_info = f"hFile={hex(hFile)}, "
_debug_info += f"lpBuffer={hex(lpBuffer)}, Buffer Preview: [{buffer_preview}], "
_debug_info += f"nNumberOfBytesToWrite={nNumberOfBytesToWrite}, "
_debug_info += f"lpNumberOfBytesWritten={hex(lpNumberOfBytesWritten)}, "
_debug_info += f"lpOverlapped={hex(lpOverlapped)}) = "
return _debug_info
def CloseHandle(self, is_return=False):
if is_return:
return f"{hex(funcutils.get_result(self.is_64bit))} -> BOOL"
hObject = self.get_func_args(1)
_debug_info = f"hObject={hex(hObject)}) = "
return _debug_info
def CreateThread(self, is_return = False):
if is_return:
lpThreadId = funcutils.get_func_args(5, self.is_64bit)
if lpThreadId != 0:
thread_id = idc.get_wide_dword(lpThreadId)
return f"{hex(funcutils.get_result(self.is_64bit))} -> HANDLE, tid = {hex(thread_id)}"
return f"{hex(funcutils.get_result(self.is_64bit))} -> HANDLE"
lpThreadAttributes = funcutils.get_func_args(1, self.is_64bit)
dwStackSize = funcutils.get_func_args(2, self.is_64bit)
lpStartAddress = funcutils.get_func_args(3, self.is_64bit)
lpParameter = funcutils.get_func_args(4, self.is_64bit)
dwCreationFlags = funcutils.get_func_args(5, self.is_64bit)
lpThreadId = funcutils.get_func_args(6, self.is_64bit)
creation_flags_descr = []
if dwCreationFlags & 0x00000004: # CREATE_SUSPENDED
creation_flags_descr.append("CREATE_SUSPENDED")
if dwCreationFlags & 0x00010000: # STACK_SIZE_PARAM_IS_A_RESERVATION
creation_flags_descr.append("STACK_SIZE_PARAM_IS_A_RESERVATION")
if creation_flags_descr:
creation_flags_descr = '|'.join(creation_flags_descr)
else:
creation_flags_descr = '0'
_debug_info = f"lpThreadAttributes={hex(lpThreadAttributes)}, "
_debug_info += f"dwStackSize={dwStackSize}, "
_debug_info += f"lpStartAddress={hex(lpStartAddress)}, "
_debug_info += f"lpParameter={hex(lpParameter)}, "
_debug_info += f"dwCreationFlags={creation_flags_descr}, "
_debug_info += f"lpThreadId={hex(lpThreadId)}) = "
return _debug_info
def CreateRemoteThread(self, is_return=False):
if is_return:
lpThreadIdAddr = funcutils.get_func_args(6, self.is_64bit)
if lpThreadIdAddr != 0:
thread_id = idc.get_wide_dword(lpThreadIdAddr)
return f"{hex(funcutils.get_result(self.is_64bit))} -> HANDLE, tid = {hex(thread_id)}"
return f"{hex(funcutils.get_result(self.is_64bit))} -> HANDLE"
# 获取参数
hProcess = funcutils.get_func_args(1, self.is_64bit)
lpThreadAttributes = funcutils.get_func_args(2, self.is_64bit)
dwStackSize = funcutils.get_func_args(3, self.is_64bit)
lpStartAddress = funcutils.get_func_args(4, self.is_64bit)
lpParameter = funcutils.get_func_args(5, self.is_64bit)
dwCreationFlags = funcutils.get_func_args(6, self.is_64bit)
lpThreadId = funcutils.get_func_args(7, self.is_64bit)
# 解析 dwCreationFlags 标志
creation_flags_descr = []
if dwCreationFlags & 0x00000004: # CREATE_SUSPENDED
creation_flags_descr.append("CREATE_SUSPENDED")
if dwCreationFlags & 0x00010000: # STACK_SIZE_PARAM_IS_A_RESERVATION
creation_flags_descr.append("STACK_SIZE_PARAM_IS_A_RESERVATION")
creation_flags_str = '|'.join(creation_flags_descr) if creation_flags_descr else '0'
_debug_info = (f"hProcess={hex(hProcess)}, "
f"lpThreadAttributes={hex(lpThreadAttributes)}, "
f"dwStackSize={dwStackSize}, "
f"lpStartAddress={hex(lpStartAddress)}, "
f"lpParameter={hex(lpParameter)}, "
f"dwCreationFlags={creation_flags_str}, "
f"lpThreadId={hex(lpThreadId)}) = ")
return _debug_info
def CreateProcessA(self, is_return=False):
def parse_creation_flags(dwCreationFlags):
flags = []
if dwCreationFlags & 0x04000000:
flags.append("CREATE_DEFAULT_ERROR_MODE")
if dwCreationFlags & 0x00000010:
flags.append("CREATE_NEW_CONSOLE")
if dwCreationFlags & 0x00000200:
flags.append("CREATE_NEW_PROCESS_GROUP")
if dwCreationFlags & 0x08000000:
flags.append("CREATE_NO_WINDOW")
if dwCreationFlags & 0x00000004:
flags.append("CREATE_SUSPENDED")
if dwCreationFlags & 0x00000002:
flags.append("DEBUG_ONLY_THIS_PROCESS")
if dwCreationFlags & 0x00000001:
flags.append("DEBUG_PROCESS")
if dwCreationFlags & 0x00000008:
flags.append("DETACHED_PROCESS")
if dwCreationFlags & 0x00010000:
flags.append("INHERIT_PARENT_AFFINITY")
return '|'.join(flags) if flags else '0'
if is_return:
return_value = funcutils.get_result(self.is_64bit)
success = "Success" if return_value else "Failure"
return f"{success} -> BOOL"
lpApplicationName = funcutils.get_func_args(1, self.is_64bit)
lpCommandLine = funcutils.get_func_args(2, self.is_64bit)
lpProcessAttributes = funcutils.get_func_args(3, self.is_64bit)
lpThreadAttributes = funcutils.get_func_args(4, self.is_64bit)
bInheritHandles = funcutils.get_func_args(5, self.is_64bit)
dwCreationFlags = funcutils.get_func_args(6, self.is_64bit)
lpEnvironment = funcutils.get_func_args(7, self.is_64bit)
lpCurrentDirectory = funcutils.get_func_args(8, self.is_64bit)
lpStartupInfo = funcutils.get_func_args(9, self.is_64bit)
lpProcessInformation = funcutils.get_func_args(10, self.is_64bit)
app_name = idc.get_strlit_contents(lpApplicationName).decode('utf-8') if lpApplicationName else "null"
cmd_line = idc.get_strlit_contents(lpCommandLine).decode('utf-8') if lpCommandLine else "null"
process_attr = f"{hex(lpProcessAttributes)}"
thread_attr = f"{hex(lpThreadAttributes)}"
inherit_handles = "TRUE" if bInheritHandles else "FALSE"
creation_flags = parse_creation_flags(dwCreationFlags)
environment = f"{hex(lpEnvironment)}"
current_dir = idc.get_strlit_contents(lpCurrentDirectory).decode('utf-8') if lpCurrentDirectory else "null"
startup_info = f"{hex(lpStartupInfo)}"
process_info = f"{hex(lpProcessInformation)}"
_debug_info = (f"lpApplicationName={app_name}, "
f"lpCommandLine={cmd_line}, "
f"lpProcessAttributes={process_attr}, "
f"lpThreadAttributes={thread_attr}, "
f"bInheritHandles={inherit_handles}, "
f"dwCreationFlags={creation_flags}, "
f"lpEnvironment={environment}, "
f"lpCurrentDirectory={current_dir}, "
f"lpStartupInfo={startup_info}, "
f"lpProcessInformation={process_info}) = ")
return _debug_info
def CreateProcessW(self, is_return=False):
def parse_creation_flags(dwCreationFlags):
flags = []
if dwCreationFlags & 0x04000000:
flags.append("CREATE_DEFAULT_ERROR_MODE")
if dwCreationFlags & 0x00000010:
flags.append("CREATE_NEW_CONSOLE")
if dwCreationFlags & 0x00000200:
flags.append("CREATE_NEW_PROCESS_GROUP")
if dwCreationFlags & 0x08000000:
flags.append("CREATE_NO_WINDOW")
if dwCreationFlags & 0x00000004:
flags.append("CREATE_SUSPENDED")
if dwCreationFlags & 0x00000002:
flags.append("DEBUG_ONLY_THIS_PROCESS")
if dwCreationFlags & 0x00000001:
flags.append("DEBUG_PROCESS")
if dwCreationFlags & 0x00000008:
flags.append("DETACHED_PROCESS")
if dwCreationFlags & 0x00010000:
flags.append("INHERIT_PARENT_AFFINITY")
return '|'.join(flags) if flags else '0'
if is_return:
return_value = funcutils.get_result(self.is_64bit)
success = "Success" if return_value else "Failure"
return f"{success} -> BOOL"
lpApplicationName = funcutils.get_func_args(1, self.is_64bit)
lpCommandLine = funcutils.get_func_args(2, self.is_64bit)
lpProcessAttributes = funcutils.get_func_args(3, self.is_64bit)
lpThreadAttributes = funcutils.get_func_args(4, self.is_64bit)
bInheritHandles = funcutils.get_func_args(5, self.is_64bit)
dwCreationFlags = funcutils.get_func_args(6, self.is_64bit)
lpEnvironment = funcutils.get_func_args(7, self.is_64bit)
lpCurrentDirectory = funcutils.get_func_args(8, self.is_64bit)
lpStartupInfo = funcutils.get_func_args(9, self.is_64bit)
lpProcessInformation = funcutils.get_func_args(10, self.is_64bit)
app_name = idc.get_strlit_contents(ea = lpApplicationName, strtype=idc.STRTYPE_C16).decode('utf-8') if lpApplicationName else "null"
cmd_line = idc.get_strlit_contents(ea = lpCommandLine, strtype=idc.STRTYPE_C16).decode('utf-8') if lpCommandLine else "null"
process_attr = f"{hex(lpProcessAttributes)}"
thread_attr = f"{hex(lpThreadAttributes)}"
inherit_handles = "TRUE" if bInheritHandles else "FALSE"
creation_flags = parse_creation_flags(dwCreationFlags)
environment = f"{hex(lpEnvironment)}"
current_dir = idc.get_strlit_contents(ea=lpCurrentDirectory, strtype=idc.STRTYPE_C16).decode('utf-8') if lpCurrentDirectory else "null"
startup_info = f"{hex(lpStartupInfo)}"
process_info = f"{hex(lpProcessInformation)}"
_debug_info = (f"lpApplicationName={app_name}, "
f"lpCommandLine={cmd_line}, "
f"lpProcessAttributes={process_attr}, "
f"lpThreadAttributes={thread_attr}, "
f"bInheritHandles={inherit_handles}, "
f"dwCreationFlags={creation_flags}, "
f"lpEnvironment={environment}, "
f"lpCurrentDirectory={current_dir}, "
f"lpStartupInfo={startup_info}, "
f"lpProcessInformation={process_info}) = ")
return _debug_info # anti debug
def IsDebuggerPresent(self, is_return = False):
if is_return:
idc.set_reg_value(0, "EAX")
return f"0 -> BOOL"
_debug_info = ")="
return _debug_info
def GetProcAddress(self, is_return = False):
if is_return == True:
return f" = {hex(funcutils.get_result(self.is_64bit))} -> FARPROC"
hModule = funcutils.get_func_args(1, self.is_64bit)
_debug_info = "kernel32!GetProcAddress("
_debug_info += f"hModule={hex(hModule)}, "
lpProcNameAddr = funcutils.get_func_args(2, self.is_64bit)
func_name += idc.get_strlit_contents(lpProcNameAddr).decode("utf-8")
_debug_info += f"lpProcName={func_name})"
return _debug_info
# memory
def VirtualAlloc(self, is_return=False):
if is_return:
return f"{hex(funcutils.get_result(self.is_64bit))} -> LPVOID"
lpAddress = funcutils.get_func_args(1, self.is_64bit)
dwSize = funcutils.get_func_args(2, self.is_64bit)
flAllocationType = funcutils.get_func_args(3, self.is_64bit)
flProtect = funcutils.get_func_args(4, self.is_64bit)
allocation_flags = []
if flAllocationType & 0x00001000:
allocation_flags.append("MEM_COMMIT")
if flAllocationType & 0x00002000:
allocation_flags.append("MEM_RESERVE")
if flAllocationType & 0x00008000:
allocation_flags.append("MEM_RESET")
allocation_flags_str = '|'.join(allocation_flags) if allocation_flags else '0'
protection_flags = []
if flProtect & 0x01:
protection_flags.append("PAGE_NOACCESS")
if flProtect & 0x02:
protection_flags.append("PAGE_READONLY")
if flProtect & 0x04:
protection_flags.append("PAGE_READWRITE")
if flProtect & 0x08:
protection_flags.append("PAGE_WRITECOPY")
protection_flags_str = '|'.join(protection_flags) if protection_flags else '0'
_debug_info = (f"lpAddress={hex(lpAddress)}, "
f"dwSize={dwSize}, "
f"flAllocationType={allocation_flags_str}, "
f"flProtect={protection_flags_str}) = ")
return _debug_info
def VirtualFree(self, is_return=False):
if is_return:
return f"{hex(funcutils.get_result(self.is_64bit))} -> BOOL"
lpAddress = funcutils.get_func_args(1, self.is_64bit)
dwSize = funcutils.get_func_args(2, self.is_64bit)
dwFreeType = funcutils.get_func_args(3, self.is_64bit)
free_flags = []
if dwFreeType & 0x00008000:
free_flags.append("MEM_DECOMMIT")
if dwFreeType & 0x00004000:
free_flags.append("MEM_RELEASE")
free_flags_str = '|'.join(free_flags) if free_flags else '0'
_debug_info = (f"lpAddress={hex(lpAddress)}, "
f"dwSize={dwSize}, "
f"dwFreeType={free_flags_str}) = ")
return _debug_info
def VirtualProtect(self, is_return=False):
if is_return:
return f"{hex(funcutils.get_result(self.is_64bit))} -> BOOL"
lpAddress = funcutils.get_func_args(1, self.is_64bit)
dwSize = funcutils.get_func_args(2, self.is_64bit)
flNewProtect = funcutils.get_func_args(3, self.is_64bit)
lpflOldProtect = funcutils.get_func_args(4, self.is_64bit)
protection_flags = []
if flNewProtect & 0x01:
protection_flags.append("PAGE_NOACCESS")
if flNewProtect & 0x02:
protection_flags.append("PAGE_READONLY")
if flNewProtect & 0x04:
protection_flags.append("PAGE_READWRITE")
if flNewProtect & 0x08:
protection_flags.append("PAGE_WRITECOPY")
if flNewProtect & 0x10:
protection_flags.append("PAGE_EXECUTE")
if flNewProtect & 0x20:
protection_flags.append("PAGE_EXECUTE_READ")
if flNewProtect & 0x40:
protection_flags.append("PAGE_EXECUTE_READWRITE")
if flNewProtect & 0x80:
protection_flags.append("PAGE_EXECUTE_WRITECOPY")
if flNewProtect & 0x100:
protection_flags.append("PAGE_GUARD")
if flNewProtect & 0x200:
protection_flags.append("PAGE_NOCACHE")
if flNewProtect & 0x400:
protection_flags.append("PAGE_WRITECOMBINE")
protection_flags_str = '|'.join(protection_flags) if protection_flags else 'UNKNOWN'
_debug_info = (f"lpAddress={hex(lpAddress)}, "
f"dwSize={dwSize}, "
f"flNewProtect={protection_flags_str}, "
f"lpflOldProtect={hex(lpflOldProtect)}) = ")
return _debug_info