In WinDbg, I can use the s command to search memory for bytes:
s 0012ff40 L?2000 48 65 6c 6c 6f
Is there also a way to include unknown bytes in the search sequence, e.g.
s 0012ff40 L?2000 48 65 ?? ?? ?? 6c 6f
where ?? is a byte with an arbitrary value?
Idea
What about doing (memory XOR 48 65 00 00 00 6c 6f AND FF FF 00 00 00 FF FF) and comparing the result with 00 00 00 00 00 00 00? But I don't know how to do that in WinDbg either.
Posted on 2020-04-02 17:59:15
We can use PyKD to do this. Find the download on the PyKD wiki or via the PyKD download link. When using WinDbg Preview, copy the DLL to
%LOCALAPPDATA%\DBG\EngineExtensions
for 64-bit or
%LOCALAPPDATA%\DBG\EngineExtensions32
for 32-bit.
Since that is only the WinDbg extension, you also need the Python module:
pip install pykd
Use the power of Python to do what WinDbg can't. Save the following script in a location that is convenient for WinDbg, i.e. a short path without spaces.
from pykd import *
import sys
import re
import struct

if len(sys.argv) < 4:
    print("Wildcard search for memory")
    print("Usage:", sys.argv[0], "<address> <length> <pattern> [-v]", sep=" ")
    print("  <address>: Memory address where searching begins.")
    print("             This can be a WinDbg expression like ntdll!NtCreateThreadEx.")
    print("  <length> : Number of bytes that will be considered as the haystack.")
    print("  <pattern>: Bytes that you're looking for. May contain ?? for unknown bytes.")
    print("  [-v]     : (optional) Verbose output")
    print()
    print("Examples:")
    print("  ", sys.argv[0], "00770000 L50 01 02 03 ?? 05")
    print("  will find 01 02 03 04 05 or 01 02 03 FF 05, if present in memory")
    sys.exit(0)

verbose = False
if sys.argv[-1][0:2] == "-v":
    verbose = True

if verbose:
    for n in range(1, len(sys.argv)):
        print(f"param {n}: " + sys.argv[n])

address = expr(sys.argv[1])
if verbose: print("Start address:", "0x{:08x}".format(address), sep=" ")

length = sys.argv[2]
length = length.replace("L?", "")  # consider large address range syntax
length = length.replace("L", "")   # consider address range syntax
length = expr(length)
if verbose: print("Length:", "0n" + str(length), "bytes", sep=" ")

# Build a bytes regex: ?? becomes '.', and every literal byte is escaped so
# that regex metacharacters (such as '.') are matched literally.
regex = b""
# The pattern tokens end before the trailing -v, if one was given.
last = len(sys.argv) - (1 if verbose else 0)
for n in range(3, last):
    if sys.argv[n] == "??":
        regex += b"."
    else:
        regex += re.escape(struct.pack("B", expr(sys.argv[n])))
if verbose: print("Regex:", regex, sep=" ")

memorycontent = loadBytes(address, length)
if verbose: print("Memory:", memorycontent, sep=" ")

# re.DOTALL so that a wildcard also matches 0x0a, which '.' skips by default.
result = re.search(regex, bytes(memorycontent), re.DOTALL)
if result is None:
    print("Not found")
else:
    print("Found:", ' '.join("0x{:02x}".format(x) for x in result.group(0)), "at address", "0x{:08x}".format(address + result.start()))
The script constructs a regex for a bytes object. It uses . for the wildcard and escapes a literal . to \.
Let's prepare a suitable example in WinDbg:
0:006> .dvalloc 1000
Allocated 1000 bytes starting at 00900000
0:000> eu 0x00900000 "Test.with.regex"
0:000> db 0x00900000 L0n30
00900000 54 00 65 00 73 00 74 00-2e 00 77 00 69 00 74 00 T.e.s.t...w.i.t.
00900010 68 00 2e 00 72 00 65 00-67 00 65 00 78 00 h...r.e.g.e.x.
Load the PyKD extension so that we are able to run the script:
0:006> .load pykd
Then run the script:
0:000> !py d:\debug\scripts\memwild.py 00900000 L10 2e ?? 77
Found: 0x2e 0x00 0x77 at address 0x00900008
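As an added, self-contained example (not the answer's script, and independent of PyKD), the following Python puts the two approaches on this page side by side: the mask-and-compare idea from the question, where a window matches when ((memory XOR value) AND mask) is all zero, and the bytes regex that the answer's script builds. It runs offline against a constructed copy of the page's UTF-16 "Test.with.regex" buffer and also covers two cases a naive regex translation gets wrong: a wildcard positioned over a 0x0a byte (a plain `.` skips it unless `re.DOTALL` is set) and literal bytes that happen to be regex metacharacters. `SAMPLE`, `BASE` and all function names are the example's own, not part of the original post.

```python
import re


def _tokens(pattern):
    """Accept either 'de ad ?? ef' or an already split list of tokens."""
    return pattern.split() if isinstance(pattern, str) else list(pattern)


def _byte(token):
    """Parse one hex byte token such as '2e'; reject anything outside 0x00..0xff."""
    value = int(token, 16)
    if not 0 <= value <= 0xFF:
        raise ValueError(f"byte token out of range: {token!r}")
    return value


def parse_pattern(pattern):
    """Mask form from the question: a literal token gives (value, 0xFF),
    a '??' token gives (0x00, 0x00)."""
    value, mask = bytearray(), bytearray()
    for tok in _tokens(pattern):
        if tok == "??":
            value.append(0x00)
            mask.append(0x00)
        else:
            value.append(_byte(tok))
            mask.append(0xFF)
    return bytes(value), bytes(mask)


def search_mask(haystack, pattern):
    """Return every offset where the masked comparison holds (overlaps included)."""
    value, mask = parse_pattern(pattern)
    n = len(value)
    return [off for off in range(len(haystack) - n + 1)
            if all(((h ^ v) & m) == 0
                   for h, v, m in zip(haystack[off:off + n], value, mask))]


def pattern_to_regex(pattern, dotall=True):
    """Regex form from the answer: '??' becomes '.', every literal byte goes
    through re.escape so metacharacters such as 0x2e '.', 0x2a '*' or 0x5b '['
    match literally. re.DOTALL is required because '.' otherwise skips 0x0a."""
    parts = [b"." if tok == "??" else re.escape(bytes([_byte(tok)]))
             for tok in _tokens(pattern)]
    return re.compile(b"".join(parts), re.DOTALL if dotall else 0)


def search_regex(haystack, pattern, dotall=True):
    """Return every match offset, restarting one byte after each hit so that
    overlapping matches are reported exactly like search_mask does."""
    rx = pattern_to_regex(pattern, dotall)
    hits, pos = [], 0
    while (m := rx.search(haystack, pos)) is not None:
        hits.append(m.start())
        pos = m.start() + 1
    return hits


def report(haystack, base, pattern):
    """Format hits the way the answer's script prints its hit."""
    width = len(_tokens(pattern))
    return ["Found: " + " ".join(f"0x{b:02x}" for b in haystack[off:off + width])
            + f" at address 0x{base + off:08x}"
            for off in search_mask(haystack, pattern)]


# Constructed haystack: the page's UTF-16LE "Test.with.regex" buffer (30 bytes,
# the same as the db dump above), followed by six constructed bytes that exercise
# the edge cases: 0x0a under a wildcard, and the '*' and '[' regex metacharacters.
SAMPLE = "Test.with.regex".encode("utf-16-le") + bytes([0x2e, 0x0a, 0x77, 0x2a, 0x5b, 0x77])
BASE = 0x00900000  # the address .dvalloc returned in the page's session

if __name__ == "__main__":
    for pat in ("2e ?? 77", "2a 5b", "ff ff"):
        assert search_mask(SAMPLE, pat) == search_regex(SAMPLE, pat)
        print(pat, "->", report(SAMPLE, BASE, pat) or ["not found"])
    # Without re.DOTALL the hit at offset 30 (2e 0a 77) is silently missed.
    print("no DOTALL:", search_regex(SAMPLE, "2e ?? 77", dotall=False))
```

The first hit reported for "2e ?? 77" is the same one the answer's script prints (0x2e 0x00 0x77 at 0x00900008); the second hit, at offset 30 of the constructed buffer, only appears when the regex is compiled with `re.DOTALL`, which is the reason for preferring the mask comparison or for setting that flag when the regex approach is used.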
https://stackoverflow.com/questions/20951573