TimNew's BitSlicer Single Code Block Script
#Edit Me! | |
#Introduction to scripting: https://github.com/zorgiepoo/Bit-Slicer/wiki/Introduction-to-Scripting | |
from bitslicer import VirtualMemoryError, DebuggerError | |
def locateSignature(signature):
    """Scan the target process for *signature* (a Bit Slicer byte string).

    Returns the list of matching addresses, or None when nothing matched, so
    callers can tell "not found" apart from a result they can iterate.
    """
    debug.log("Searching signature...")
    matches = vm.scanByteString(signature)
    if not matches:
        debug.log("Signature cannot be found.")
        return None
    debug.log("Found address: " + str(matches))
    return matches
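def padWithNops(codeBuffer, size):
    """Pad *codeBuffer* with single-byte NOPs (0x90) so it is exactly *size* bytes.

    Raises ValueError when the code is longer than the space it has to fit in,
    so an oversized patch is rejected before anything is written to the target.
    The message now states both sizes instead of the bare 'spaceOverflow'.
    """
    nopCount = size - len(codeBuffer)
    if nopCount < 0:
        raise ValueError(
            "spaceOverflow: assembled code is %d bytes but only %d bytes are available"
            % (len(codeBuffer), size))
    return codeBuffer + b"\x90" * nopCount


def assembleCodeWithSize(code, size):
    """Assemble *code* with Bit Slicer's assembler and NOP-pad it to *size* bytes.

    Raises ValueError (see padWithNops) when the assembled code does not fit.
    """
    return padWithNops(bytes(debug.assemble(code)), size)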
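def codeSizeFromSignature(signature):
    """Return the number of bytes a Bit Slicer byte-string signature covers.

    A signature is whitespace-separated two-character tokens ("49 63 ?? 38");
    each token, wildcard or not, stands for one byte. Counting tokens instead
    of computing (len + 1) // 3 keeps the size correct when the string has
    doubled spaces, newlines or surrounding whitespace, where the old formula
    over-counted and would have overwritten bytes past the matched code.
    """
    return len(signature.split())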
class SignatureNotFound(Exception):
    """Raised when a critical block's signature matches nowhere in the target."""
class AmbiguousSignature(Exception):
    """Raised when a block marked UNIQUE matches at more than one address."""
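class CodeBlock(object):
    """One in-place patch site: a byte-string signature and the code written over it.

    Subclasses set the class attributes. Life cycle: ``scan`` finds the
    addresses, ``enable`` backs the original bytes up and writes the hijack
    code, ``disable`` writes the backup back. ``enable(scan=False)`` and
    ``disable`` assume ``scan`` has already run (``self.addresses`` exists).
    """

    SIGNATURE = ''         # Bit Slicer byte string to scan for
    CODE_SIZE = 0          # bytes available at the site; hijack code is NOP-padded to this
    HIJACK_CODE = """ """  # assembly that replaces the original bytes
    CRITICAL = True        # False: a missing signature is logged and skipped, not an error
    UNIQUE = True          # True: more than one match raises AmbiguousSignature

    def name(self):
        """Name used in log output: the subclass name."""
        return self.__class__.__name__

    def _checkAddresses(self):
        """Enforce the CRITICAL/UNIQUE policy on ``self.addresses`` (None or a list).

        Raises SignatureNotFound for a missing critical signature and
        AmbiguousSignature for a multiple match. A None result (non-critical
        block, nothing found) returns early so it never reaches len().
        """
        if self.addresses is None:
            if self.CRITICAL:
                raise SignatureNotFound
            return
        if self.UNIQUE and len(self.addresses) > 1:
            raise AmbiguousSignature

    def scan(self):
        """Locate the signature; store the address list (or None) in ``self.addresses``."""
        debug.log("Scanning " + self.name() + " ...")
        self.addresses = locateSignature(self.SIGNATURE)
        # The original evaluated len(self.addresses) even when it was None
        # (non-critical block not found), which raised TypeError.
        self._checkAddresses()

    def overwriteCode(self):
        """Assemble HIJACK_CODE padded to CODE_SIZE, back up the original bytes, then write.

        Assembling first means an oversized HIJACK_CODE (ValueError from
        assembleCodeWithSize) fails before the target is read or written.
        Every matched address receives the same bytes.
        """
        code = assembleCodeWithSize(self.HIJACK_CODE, self.CODE_SIZE)
        debug.log("Backing up original codes...")
        self.originalCodes = [debug.readBytes(address, self.CODE_SIZE) for address in self.addresses]
        for address in self.addresses:
            debug.log("Overwriting code:\n[" + hex(address) + "]: " + code.hex())
            debug.writeBytes(address, code)

    def restoreCode(self):
        """Write the backed-up bytes back over every patched address."""
        for address, code in zip(self.addresses, self.originalCodes):
            debug.log("Restoring code [" + hex(address) + "]")
            debug.writeBytes(address, code)

    def enable(self, scan=True):
        """Apply the patch; with ``scan=True`` locate the signature first.

        A non-critical block whose signature was not found is logged, reported
        through debug.notify and left untouched.
        """
        debug.log("Enabling " + self.name() + " ...")
        if scan:
            self.scan()
        if self.addresses is None:
            # Original message lacked the space before the block name.
            debug.log("[Warning] Non critical block " + self.name() + " cannot be found.")
            debug.notify(self.name(), "Non critical block not found.")
            return
        self.overwriteCode()
        debug.log(self.name() + " is enabled.")

    def disable(self):
        """Undo the patch; a block that was never found is skipped."""
        debug.log("Disabling " + self.name() + " ...")
        if self.addresses is None:
            debug.log(self.name() + " is ignored")
            return
        self.restoreCode()
        debug.log(self.name() + " is disabled")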
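class CodeInjectionBlock(CodeBlock):
    """Patch site that detours into a freshly allocated buffer instead of overwriting in place.

    For each matched address Bit Slicer plants a jump at
    ``address + OFFSET_IN_SIGNATURE`` to a new buffer holding the displaced
    original instructions followed by HIJACK_CODE. CODE_SIZE is not used by
    this variant; the displaced byte count comes from debug.bytesBeforeInjection.
    """

    OFFSET_IN_SIGNATURE = 0   # byte offset of the detour point inside the matched signature
    INJECTION_SIZE = 256      # size of each allocated detour buffer (was a hard-coded 256)

    def overwriteCode(self):
        """Allocate a detour buffer per matched address and install the detour.

        Records every buffer in ``self.allocates`` (freed by ``restoreCode``)
        and every displaced byte string in ``self.originalCodes``, in address
        order, so ``restoreCode`` can undo the jump.

        Raises ValueError when displaced bytes plus HIJACK_CODE exceed
        INJECTION_SIZE; the buffer allocated for that address stays in
        ``self.allocates`` so ``disable`` still frees it.
        """
        self.originalCodes = []
        self.allocates = []
        hijackCodeBytes = bytes(debug.assemble(self.HIJACK_CODE))
        for address in self.addresses:
            debug.log("Injecting code:")
            newCodeAddress = vm.allocate(self.INJECTION_SIZE)
            self.allocates.append(newCodeAddress)
            addressToInject = address + self.OFFSET_IN_SIGNATURE
            originalCode = bytes(debug.bytesBeforeInjection(addressToInject, newCodeAddress))
            finalCode = originalCode + hijackCodeBytes
            # Never write past the buffer we own; the original did no size check.
            # injectCode presumably appends its own jump back after finalCode, so
            # the real headroom is a little less than INJECTION_SIZE -- TODO
            # confirm against the Bit Slicer docs.
            if len(finalCode) > self.INJECTION_SIZE:
                raise ValueError(
                    "injectionOverflow: %d bytes of code do not fit in the %d-byte buffer at %s"
                    % (len(finalCode), self.INJECTION_SIZE, hex(newCodeAddress)))
            self.originalCodes.append(originalCode)
            debug.injectCode(addressToInject, newCodeAddress, finalCode)
            debug.log("-- [" + hex(addressToInject) + "]: " + originalCode.hex())
            debug.log("++ [" + hex(newCodeAddress) + "]: " + finalCode.hex())

    def restoreCode(self):
        """Put the displaced bytes back at every detour point, then free the buffers."""
        for address, code in zip(self.addresses, self.originalCodes):
            debug.log("Restoring code at " + hex(address) + " ...")
            debug.writeBytes(address + self.OFFSET_IN_SIGNATURE, code)
        for address in self.allocates:
            debug.log("Releasing memory at " + hex(address) + " ...")
            vm.deallocate(address)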
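class MultiBlockScript(object):
    """Script that applies several CodeBlocks as a unit.

    All blocks are scanned before any is applied, so a missing or ambiguous
    signature aborts the script before the target is touched. If applying a
    block fails part-way, the blocks already applied are disabled again before
    the error propagates, so the target is not left half-patched.
    """

    codeBlocks = []   # subclasses list their CodeBlock instances here, in apply order

    def enable(self):
        """Scan every block, then apply them in order; roll back on failure."""
        debug.log("Enabling...")
        debug.log("Scanning....")
        for block in self.codeBlocks:
            block.scan()
        debug.log("Apply....")
        applied = []
        for block in self.codeBlocks:
            try:
                block.enable(False)
            except Exception:
                # Undo the blocks that were already written, newest first,
                # then let the original error surface.
                for done in reversed(applied):
                    done.disable()
                raise
            applied.append(block)
        debug.log("Enabled")

    def disable(self):
        """Restore every block; one failed restore does not skip the others."""
        debug.log("Disabling...")
        firstError = None
        for block in self.codeBlocks:
            try:
                block.disable()
            except Exception as err:
                # Keep restoring the remaining blocks; report the first failure after.
                if firstError is None:
                    firstError = err
        if firstError is not None:
            raise firstError
        debug.log("Disabled")

    def __init__(self):
        # Bit Slicer runs the script by instantiating Script; enabling here
        # makes construction the "start" event.
        self.enable()

    def finish(self):
        # Called by Bit Slicer when the script stops; undo everything.
        self.disable()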
class Script(MultiBlockScript):
    """Bit Slicer entry point with a single detour block, SpendMoney."""

    class SpendMoney(CodeInjectionBlock):
        """Detour at the `mov r11, imm64` that precedes the `call r11` in this sequence.

        Seen at two different loads; the imm64 (and the code address) differ
        between them, hence the `??` wildcards in SIGNATURE:

            0x1DCDB9F1E movsxd rdi, dword [r14+0xcc]   49 63 BE CC 00 00 00
            0x1DCDB9F25 movsxd rsi, dword [r15+0x18]   49 63 77 18
            0x1DCDB9F29 lea rsp, [rsp]                 48 8D 64 24 00
            0x1DCDB9F2E mov r11, 0x1da4b6ef0           49 BB F0 6E 4B DA 01 00 00 00
            0x1DCDB9F38 call r11                       41 FF D3
            0x1DCDB9F3B mov [r14+0xcc], eax            41 89 86 CC 00 00 00

            0x1DA7B74EE movsxd rdi, dword [r14+0xcc]   49 63 BE CC 00 00 00
            0x1DA7B74F5 movsxd rsi, dword [r15+0x18]   49 63 77 18
            0x1DA7B74F9 lea rsp, [rsp]                 48 8D 64 24 00
            0x1DA7B74FE mov r11, 0x1d8696460           49 BB 60 64 69 D8 01 00 00 00
            0x1DA7B7508 call r11                       41 FF D3

        The detour buffer runs the displaced instruction(s), then HIJACK_CODE.
        """

        SIGNATURE = '49 63 BE CC 00 00 00 49 63 77 18 48 8D 64 24 00 49 BB ?? ?? ?? ?? ?? ?? ?? ?? 41 FF D3 41 89 86 CC 00 00 00'
        # Distance from the start of the signature to the `mov r11` (0x10 bytes).
        OFFSET_IN_SIGNATURE = 0x1DCDB9F2E - 0x1DCDB9F1E
        HIJACK_CODE = """
        mov eax, 0xffff
        mov [r14+0xcc], eax
        """

    codeBlocks = [
        SpendMoney(),
    ]
#Introduction to scripting: https://github.com/zorgiepoo/Bit-Slicer/wiki/Introduction-to-Scripting | |
from bitslicer import VirtualMemoryError, DebuggerError | |
def locateSignature(signature):
    """Scan the target process for *signature* (a Bit Slicer byte string).

    Returns the list of matching addresses, or None when there is no match.
    """
    debug.log("Searching signature...")
    hits = vm.scanByteString(signature)
    if len(hits) > 0:
        debug.log("Found address: " + str(hits))
        return hits
    debug.log("Signature cannot be found.")
    return None
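def padWithNops(codeBuffer, size):
    """Return *codeBuffer* extended with 0x90 NOPs to exactly *size* bytes.

    Raises ValueError, with both sizes in the message, when the code is longer
    than *size*: a patch that does not fit must never reach the target.
    """
    nopCount = size - len(codeBuffer)
    if nopCount < 0:
        raise ValueError(
            "spaceOverflow: assembled code is %d bytes but only %d bytes are available"
            % (len(codeBuffer), size))
    return codeBuffer + b"\x90" * nopCount


def assembleCodeWithSize(code, size):
    """Assemble *code* with Bit Slicer's assembler and NOP-pad it to *size* bytes.

    Raises ValueError (see padWithNops) when the assembled code does not fit.
    """
    return padWithNops(bytes(debug.assemble(code)), size)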
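def codeSizeFromSignature(signature):
    """Return the number of bytes a Bit Slicer byte-string signature covers.

    Each whitespace-separated token ("49", "??") is one byte. Counting tokens
    replaces (len + 1) // 3, which only holds for exactly one space between
    tokens and none around them; any other spacing made CODE_SIZE too large
    and the NOP-padded patch would spill over the bytes after the match.
    """
    return len(signature.split())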
class SignatureNotFound(Exception):
    """Raised when a critical block's signature matches nowhere in the target."""
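class CodeBlock(object):
    """One in-place patch site: a byte-string signature and the code written over it.

    Subclasses set the class attributes. Life cycle: ``scan`` finds the
    addresses, ``enable`` backs the original bytes up and writes the hijack
    code, ``disable`` writes the backup back. ``enable(scan=False)`` and
    ``disable`` assume ``scan`` has already run (``self.addresses`` exists).
    """

    SIGNATURE = ''         # Bit Slicer byte string to scan for
    CODE_SIZE = 0          # bytes available at the site; hijack code is NOP-padded to this
    HIJACK_CODE = """ """  # assembly that replaces the original bytes
    CRITICAL = True        # False: a missing signature is logged and skipped, not an error

    def name(self):
        """Name used in log output: the subclass name."""
        return self.__class__.__name__

    def scan(self):
        """Locate the signature; store the address list (or None) in ``self.addresses``.

        Raises SignatureNotFound when nothing matches and the block is CRITICAL.
        There is no uniqueness check: every match is patched, so a signature
        short enough to also match unrelated code will patch that code too.
        """
        debug.log("Scanning " + self.name() + " ...")
        self.addresses = locateSignature(self.SIGNATURE)
        if self.CRITICAL and self.addresses is None:
            raise SignatureNotFound

    def backupCode(self):
        """Read CODE_SIZE bytes at every matched address so ``restoreCode`` can undo the patch."""
        self.originalCodes = [debug.readBytes(address, self.CODE_SIZE) for address in self.addresses]

    def restoreCode(self):
        """Write the backed-up bytes back over every patched address."""
        for address, code in zip(self.addresses, self.originalCodes):
            debug.writeBytes(address, code)

    def overwriteCode(self):
        """Assemble HIJACK_CODE, NOP-pad it to CODE_SIZE and write it at every matched address.

        Raises ValueError (from assembleCodeWithSize) when the code does not fit.
        """
        code = assembleCodeWithSize(self.HIJACK_CODE, self.CODE_SIZE)
        for address in self.addresses:
            debug.writeBytes(address, code)

    def enable(self, scan=True):
        """Apply the patch; with ``scan=True`` locate the signature first.

        A non-critical block whose signature was not found is logged, reported
        through debug.notify and left untouched.
        """
        debug.log("Enabling " + self.name() + " ...")
        if scan:
            self.scan()
        if self.addresses is None:
            # Original message lacked the space before the block name.
            debug.log("[Warning] Non critical block " + self.name() + " cannot be found.")
            debug.notify(self.name(), "Non critical block not found.")
            return
        self.backupCode()
        self.overwriteCode()
        debug.log(self.name() + " is enabled.")

    def disable(self):
        """Undo the patch; a block that was never found is skipped."""
        debug.log("Disabling " + self.name() + " ...")
        if self.addresses is None:
            debug.log(self.name() + " is ignored")
            return
        self.restoreCode()
        debug.log(self.name() + " is disabled")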
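class MultiBlockScript(object):
    """Script that applies several CodeBlocks as a unit.

    All blocks are scanned before any is applied, so a missing signature
    aborts the script before the target is touched. If applying a block fails
    part-way, the blocks already applied are disabled again before the error
    propagates, so the target is not left half-patched.
    """

    codeBlocks = []   # subclasses list their CodeBlock instances here, in apply order

    def enable(self):
        """Scan every block, then apply them in order; roll back on failure."""
        debug.log("Enabling...")
        debug.log("Scanning....")
        for block in self.codeBlocks:
            block.scan()
        debug.log("Apply....")
        applied = []
        for block in self.codeBlocks:
            try:
                block.enable(False)
            except Exception:
                # Undo the blocks that were already written, newest first,
                # then let the original error surface.
                for done in reversed(applied):
                    done.disable()
                raise
            applied.append(block)
        debug.log("Enabled")

    def disable(self):
        """Restore every block; one failed restore does not skip the others."""
        debug.log("Disabling...")
        firstError = None
        for block in self.codeBlocks:
            try:
                block.disable()
            except Exception as err:
                # Keep restoring the remaining blocks; report the first failure after.
                if firstError is None:
                    firstError = err
        if firstError is not None:
            raise firstError
        debug.log("Disabled")

    def __init__(self):
        # Bit Slicer runs the script by instantiating Script; enabling here
        # makes construction the "start" event.
        self.enable()

    def finish(self):
        # Called by Bit Slicer when the script stops; undo everything.
        self.disable()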
class Script(MultiBlockScript):
    """Bit Slicer entry point: writes 0xffff to [r14+0x38] at both update sites."""

    class AcCollect(CodeBlock):
        """Increment site: the `inc eax` sequence is replaced by a store of 0xffff.

            0x1126F2C9C movsxd rax, dword [r14+0x38]   49 63 46 38
            0x1126F2CA0 inc eax                        FF C0
            0x1126F2CA2 mov [r14+0x38], eax            41 89 46 38
        """

        SIGNATURE = '49 63 46 38 FF C0 41 89 46 38'
        CODE_SIZE = codeSizeFromSignature(SIGNATURE)
        HIJACK_CODE = """
        mov eax, 0xffff
        mov [r14+0x38], eax
        """

    class AcConsume(CodeBlock):
        """Decrement site: same replacement. Non-critical, so the script still
        runs when this sequence is not present.

            0x11D984913 movsxd rax, dword [r14+0x38]   49 63 46 38
            0x11D984917 dec eax                        FF C8
            0x11D984919 mov [r14+0x38], eax            41 89 46 38
        """

        SIGNATURE = '49 63 46 38 FF C8 41 89 46 38'
        CODE_SIZE = codeSizeFromSignature(SIGNATURE)
        HIJACK_CODE = """
        mov eax, 0xffff
        mov [r14+0x38], eax
        """
        CRITICAL = False

    codeBlocks = [
        AcCollect(),
        AcConsume(),
    ]
#Edit Me!
#Introduction to scripting: https://github.com/zorgiepoo/Bit-Slicer/wiki/Introduction-to-Scripting | |
from bitslicer import VirtualMemoryError, DebuggerError | |
def locateSignature(signature):
    """Scan the target process for *signature* (a Bit Slicer byte string).

    Returns the list of matching addresses, or None when nothing matched.
    """
    debug.log("Searching signature...")
    found = vm.scanByteString(signature)
    if not found:
        debug.log("Signature cannot be found.")
        return None
    debug.log("Found address: " + str(found))
    return found
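def padWithNops(codeBuffer, size):
    """Return *codeBuffer* extended with 0x90 NOPs to exactly *size* bytes.

    Raises ValueError, naming both sizes, when the code is longer than *size*
    so an oversized patch never reaches the target.
    """
    nopCount = size - len(codeBuffer)
    if nopCount < 0:
        raise ValueError(
            "spaceOverflow: assembled code is %d bytes but only %d bytes are available"
            % (len(codeBuffer), size))
    return codeBuffer + b"\x90" * nopCount


def assembleCodeWithSize(code, size):
    """Assemble *code* with Bit Slicer's assembler and NOP-pad it to *size* bytes.

    Raises ValueError (see padWithNops) when the assembled code does not fit.
    """
    return padWithNops(bytes(debug.assemble(code)), size)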
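def codeSizeFromSignature(signature):
    """Return the number of bytes a Bit Slicer byte-string signature covers.

    Each whitespace-separated token ("49", "??") is one byte. Counting tokens
    instead of (len + 1) // 3 stays correct with extra or surrounding
    whitespace, where the old formula over-counted and CODE_SIZE would have
    padded the patch over bytes past the matched code.
    """
    return len(signature.split())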
class SignatureNotFound(Exception):
    """Raised when a critical block's signature matches nowhere in the target."""
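class CodeBlock(object):
    """One in-place patch site: a byte-string signature and the code written over it.

    Subclasses set the class attributes. Life cycle: ``scan`` finds the
    addresses, ``enable`` backs the original bytes up and writes the hijack
    code, ``disable`` writes the backup back. ``enable(scan=False)`` and
    ``disable`` assume ``scan`` has already run (``self.addresses`` exists).
    """

    SIGNATURE = ''         # Bit Slicer byte string to scan for
    CODE_SIZE = 0          # bytes available at the site; hijack code is NOP-padded to this
    HIJACK_CODE = """ """  # assembly that replaces the original bytes
    CRITICAL = True        # False: a missing signature is logged and skipped, not an error

    def name(self):
        """Name used in log output: the subclass name."""
        return self.__class__.__name__

    def scan(self):
        """Locate the signature; store the address list (or None) in ``self.addresses``.

        Raises SignatureNotFound when nothing matches and the block is CRITICAL.
        There is no uniqueness check: every match is patched, so a signature
        short enough to also match unrelated code will patch that code too.
        """
        debug.log("Scanning " + self.name() + " ...")
        self.addresses = locateSignature(self.SIGNATURE)
        if self.CRITICAL and self.addresses is None:
            raise SignatureNotFound

    def backupCode(self):
        """Read CODE_SIZE bytes at every matched address so ``restoreCode`` can undo the patch."""
        self.originalCodes = [debug.readBytes(address, self.CODE_SIZE) for address in self.addresses]

    def restoreCode(self):
        """Write the backed-up bytes back over every patched address."""
        for address, code in zip(self.addresses, self.originalCodes):
            debug.writeBytes(address, code)

    def overwriteCode(self):
        """Assemble HIJACK_CODE, NOP-pad it to CODE_SIZE and write it at every matched address.

        Raises ValueError (from assembleCodeWithSize) when the code does not fit.
        """
        code = assembleCodeWithSize(self.HIJACK_CODE, self.CODE_SIZE)
        for address in self.addresses:
            debug.writeBytes(address, code)

    def enable(self, scan=True):
        """Apply the patch; with ``scan=True`` locate the signature first.

        A non-critical block whose signature was not found is logged, reported
        through debug.notify and left untouched.
        """
        debug.log("Enabling " + self.name() + " ...")
        if scan:
            self.scan()
        if self.addresses is None:
            # Original message lacked the space before the block name.
            debug.log("[Warning] Non critical block " + self.name() + " cannot be found.")
            debug.notify(self.name(), "Non critical block not found.")
            return
        self.backupCode()
        self.overwriteCode()
        debug.log(self.name() + " is enabled.")

    def disable(self):
        """Undo the patch; a block that was never found is skipped."""
        debug.log("Disabling " + self.name() + " ...")
        if self.addresses is None:
            debug.log(self.name() + " is ignored")
            return
        self.restoreCode()
        debug.log(self.name() + " is disabled")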
class Script(CodeBlock):
    """Single-block template: paste the memory dump here, then fill in
    SIGNATURE and HIJACK_CODE before running.

        <mem dump here>
    """

    SIGNATURE = '<signature>'
    CODE_SIZE = codeSizeFromSignature(SIGNATURE)
    HIJACK_CODE = """
    <hijack code>
    """

    def __init__(self):
        # Bit Slicer instantiates Script to start it; apply the patch right away.
        debug.log("Initializing...")
        self.enable()

    def finish(self):
        # Called by Bit Slicer when the script stops; put the original bytes back.
        debug.log("Cleaning up...")
        self.disable()