Topic created on: March 14, 2007 20:31 CDT by apridgen.
I am reversing an application's file format, and I wanted to search for the magic bytes of the file in memory after the file is mapped and then identify the application's reference to that file.
I know this function on memory in the memory window, but the search seems to be limited to the window's scope, and I wanted to extend the range a little bit. This application is my first real reversing experience, so I apologize in advance for such a rudimentary question.
Thanks in advance for any pointers and help.
I'm not getting you. Do you want to search the whole process memory for certain bytes?
windbg has a very exhaustive search mechanism, though I can't quote those cryptic commands off my head without referring to the help file. I think it starts with ?? for C++ something pattern and @?$M$ something for masm patterns.
If you would change your debugger to ollydbg then it's pretty simple:
view -> memory --> right click --> search for bytes (ascii, hex, unicode) ok -->
and keep hitting ctrl+L till the complete process memory is over :) Whenever you find the bytes you are looking for, right click --> follow in dump, follow in disassembler, whatever, and do ctrl+r (find references to this address, byte, dword, etc etc).
Or there is a memoryhacker which can search for patterns of bytes all over (those things that the game hackers use for locating guns, babes and bottles).
anonymouse thanks for your reply. I finally found the !search cmd when I was looking for something unrelated.
I am giving OllyDbg a shot right now.
The game hacking tools could definitely be interesting to use here. Recently heard mention of ArtMoney from Hoglund. If you need to programmatically search memory for a specific value, drop me a line and I can help you whip up a quick PyDbg script to do it. Or check out the sample code from Skape's article on Temporal Return Addresses.
Normally I use Softice for any kind of memory searches, more out of habit than anything else, but a nice utility for browsing the entire usermode memory map of a process (0x0001000 - 0x7FFFFFFF) is TopToBottomNt
http://www.smidgeonsoft.prohosting.com/toptobottomnt-system-explorer.html
The handy thing about it is it shows any heap allocations which might be executable, allowing you to search them individually by hex or text. From my own shenanigans I know that includes MDL memory blocks mapped into the process address space via IoAllocateMdl/MmMapLockedPages.
Other methods are no doubt just as effective, but this utility gives a nice visual overview of what you are dealing with.
Cheers,
Kayaker
I've coded a quick script with pydbg some time ago to patch a process on-the-fly.
Actually, to implement it with pydbg is quite simple. Hope it helps.
This is the code:
import sys, os
from pydbg import *
from pydbg.defines import *
from pydbg.pdx import pdx   # raised by read_process_memory() on an unreadable page

value = "\x41\x41"   # Set the value (raw bytes) to search for
PAGE = 0x1000        # scan one page at a time instead of one byte at a time

def main():
    if len(sys.argv) != 2:
        print "Usage: python searcher.py pid"
        sys.exit(1)
    try:
        pid = int(sys.argv[1])
    except ValueError:
        print "Usage: python searcher.py pid"
        sys.exit(1)
    dbg = pydbg()
    # Attaching raises an initial breakpoint; the scan runs from that callback
    dbg.set_callback(EXCEPTION_BREAKPOINT, initial_breakpoint_handler)
    dbg.attach(pid)
    dbg.run()

def initial_breakpoint_handler(dbg):
    global value
    for module in dbg.iterate_modules():
        # only scan the main executable image, not the loaded DLLs
        if module.szModule.lower().endswith(".exe"):
            start = module.modBaseAddr
            end = module.modBaseAddr + module.modBaseSize
            print "[+] Scanning %s for %r" % (module.szModule, value)
            tail = ""   # carried over so a match straddling two pages is not missed
            for cur_pos in range(start, end, PAGE):
                try:
                    chunk = dbg.read_process_memory(cur_pos, min(PAGE, end - cur_pos))
                except pdx:
                    tail = ""   # unreadable page: nothing can span it
                    continue
                buf = tail + chunk
                offset = buf.find(value)
                if offset != -1:
                    print "Value found at %08xh" % (cur_pos - len(tail) + offset)
                    # write_process_memory(address, data, length=0) could patch it here
                    sys.exit(1)
                tail = buf[-(len(value) - 1):] if len(value) > 1 else ""
    print "Value not found"
    dbg.detach()
    return DBG_CONTINUE

if __name__ == "__main__":
    main()
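The scanner in the script above walks the image in chunks, and two details decide whether such a scan is trustworthy: a pattern that straddles a chunk boundary must still be found, and an unreadable page must be skipped rather than abort the scan. The following is an added example (not code from the thread or from pydbg) that isolates that logic; `read_mem(address, size)` is an assumed reader standing in for pydbg's `read_process_memory()`, and the `FakeProcess` pages, addresses and the missing page at 0x00402000 are constructed for the demonstration.

```python
# Added example, not from the thread: chunked pattern scan over a process range.
# read_mem(address, size) is an assumed stand-in for pydbg.read_process_memory();
# it must raise MemoryError for a page that cannot be read.
PAGE = 0x1000

def scan_range(read_mem, start, end, pattern, page=PAGE):
    """Return every address in [start, end) where `pattern` begins."""
    if not pattern:
        raise ValueError("empty pattern")
    hits = []
    tail = b""   # last len(pattern)-1 bytes of the previous readable page
    for cur in range(start, end, page):
        try:
            chunk = read_mem(cur, min(page, end - cur))
        except MemoryError:
            tail = b""   # a gap breaks any partial match
            continue
        buf = tail + chunk
        base = cur - len(tail)   # address of buf[0]
        idx = buf.find(pattern)
        while idx != -1:
            hits.append(base + idx)
            idx = buf.find(pattern, idx + 1)
        keep = len(pattern) - 1
        tail = buf[-keep:] if keep else b""
    return hits


class FakeProcess(object):
    """Constructed target: a dict of page address -> page bytes; other pages are unmapped."""
    def __init__(self, pages):
        self.pages = pages

    def read(self, address, size):
        page = address & ~(PAGE - 1)
        if page not in self.pages or address + size > page + PAGE:
            raise MemoryError("unmapped: %08x" % address)
        off = address - page
        return self.pages[page][off:off + size]


def build_demo():
    """Three mapped pages, one gap; 'MZ' at 0x00400010, straddling 0x00401000, and at 0x00403020."""
    p0, p1, p3 = bytearray(PAGE), bytearray(PAGE), bytearray(PAGE)
    p0[0x10:0x12] = b"MZ"
    p0[PAGE - 1:PAGE] = b"M"   # 'M' is the last byte of page 0...
    p1[0:1] = b"Z"             # ...and 'Z' the first byte of page 1
    p3[0x20:0x22] = b"MZ"
    # page 0x00402000 is deliberately absent, so reading it fails
    return FakeProcess({0x00400000: bytes(p0), 0x00401000: bytes(p1), 0x00403000: bytes(p3)})


def demo():
    proc = build_demo()
    return scan_range(proc.read, 0x00400000, 0x00404000, b"MZ")


if __name__ == "__main__":
    for addr in demo():
        print("Value found at %08xh" % addr)
```

The carry-over `tail` is what makes the boundary case work: the last `len(pattern) - 1` bytes of each readable page are prepended to the next one, so a match can never be lost to a chunk boundary and, because the tail is shorter than the pattern, never reported twice.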
WinDBG SDK, ReadMemory()
/* WinDBG Extension testing */
/* Diego Bauche */
#include <windows.h>
#include <string.h>
#include <imagehlp.h>
#include <wdbgexts.h>

WINDBG_EXTENSION_APIS ExtensionApis = {0};
EXT_API_VERSION g_ExtApiVersion = {5, 5, EXT_API_VERSION_NUMBER, 0};

BOOL WINAPI DllMain(HINSTANCE hModule, DWORD dwReason, PVOID pReserved) {
    return TRUE;
}

LPEXT_API_VERSION WDBGAPI ExtensionApiVersion(void) {
    return &g_ExtApiVersion;
}

/* The debugger hands over its API table here; ReadMemory, Disassm and dprintf go through it */
VOID WDBGAPI WinDbgExtensionDllInit(PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion) {
    ExtensionApis = *lpExtensionApis;
}

/* !uref <addr>: read the pointer stored at addr and disassemble the instruction it points to.
   With no argument the last address given is reused. */
DECLARE_API(uref) {
    static ULONG addr = 0;
    ULONG getaddr = 0, stringaddr, len;
    UCHAR stringdasm[64];
    char *p;

    getaddr = GetExpression(args);
    if (getaddr != 0) {
        addr = getaddr;
    }
    len = 0;
    ReadMemory(addr, &stringaddr, sizeof(stringaddr), &len);   /* stringaddr = *(ULONG *)addr */
    if (len) {
        memset(stringdasm, 0, sizeof(stringdasm));
        len = Disassm(&stringaddr, stringdasm, 0);   /* Disassm advances stringaddr on success */
        if (!len) {
            len = 0;
            ReadMemory(stringaddr, &getaddr, sizeof(getaddr), &len);
            if (!len) {
                dprintf("Address %08x not valid\n", stringaddr);
            } else {
                dprintf("%08x -> %08x: Not valid Assembler\n", addr, stringaddr);
            }
            return;
        }
        p = strchr((char *)stringdasm, ' ');   /* split "address  mnemonic operands" at the first blank */
        if (p) {
            *p++ = 0;
            dprintf("%08x -> %s:\n%s", addr, stringdasm, p);
        }
    } else {
        dprintf("Address %08x not valid\n", addr);
    }
}
Cheers
> MohammadHosein: I found this tool very handful when it comes to file format reversing and data type recognition: http://www.memoryhacking.com/feature.php
Nice tool, what a huge feature list. Thanks for the link!
Yeah, that was what I was referring to in my post.
But like I said, and like three posts above, windbg is quite capable of searching entire process memory.
saphex blogged here about locating an embedded executable in a module:
https://www.openrce.org/blog/view/819/Embedded_Portable_Executable_File
I just chunked a script that does it automagically, even without manually opening windbg :)
test:\>c:\progra~1\debugg~1\windbg -Q -c ".logopen c:\automagic.txt;.foreach (place {s -[1]d 0 L?7fffffff 00905a4d}) {!lmi place;.echo ====================};.logclose ; q" "Dbgview.exe"
and you can find the output
test:\>type c:\automagic.txt | more
Opened log file 'c:\automagic.txt'
Loaded Module Info: [0x00400000]
Module: Dbgview
Base Address: 00400000
Image Name: Dbgview.exe
Machine Type: 332 (I386)
Time Stamp: 45a2c09a Tue Jan 09 03:37:22 2007
Size: 86000
CheckSum: 78175
Characteristics: 103
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 3f, 38780, 38780 RSDS - GUID: {D4AC6D7A-9E7F-4E78-BAEB-B6E7E7 357CB}
Age: 5, Pdb: e:\Src\DbgView\Exe\Release\Dbgview.pdb
Symbol Type: DEFERRED - No error - symbol load deferred
Load Report: no symbols loaded
====================
Loaded Module Info: [0x00457568] <------- embedded driver here
Module: Dbgview
Base Address: 00400000
Image Name: Dbgview.exe
Machine Type: 332 (I386)
Time Stamp: 45a2c09a Tue Jan 09 03:37:22 2007
Size: 86000
-- More --
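The `s -d ... 00905a4d` search above reports every dword-aligned occurrence of the bytes `MZ\x90\x00`, and `!lmi` then shows which module each hit falls in; a hit whose address is not the module base (like the 0x00457568 one annotated above) is a candidate embedded image, but the dword can also occur by chance in data. The following added example (not code from the thread or from saphex's post) shows the check a reviewer applies to each candidate: follow `e_lfanew` at offset 0x3c and confirm it lands on a `PE\0\0` signature inside the buffer. The module image, the embedded image's offset and the two stray stubs are constructed for the demonstration and are not Dbgview's layout.

```python
import struct

# Added example, not from the thread: tell a real PE header apart from a chance
# hit of the dword 00905a4d ("MZ\x90\x00") reported by the `s -d` search.
DOS_STUB = b"MZ\x90\x00"   # little-endian bytes of 0x00905a4d
PE_SIG = b"PE\0\0"


def looks_like_pe(image, off):
    """True when the bytes at `off` carry an e_lfanew that lands on 'PE\\0\\0' inside `image`."""
    if off + 0x40 > len(image):
        return False
    (e_lfanew,) = struct.unpack_from("<I", image, off + 0x3c)
    pe = off + e_lfanew
    # a sane e_lfanew points past the DOS header and stays inside the buffer
    if e_lfanew < 0x40 or pe + 4 > len(image):
        return False
    return bytes(image[pe:pe + 4]) == PE_SIG


def find_pe_headers(image, aligned=False):
    """[(offset, valid)] for every DOS_STUB in `image`.
    aligned=True mimics `s -d`, which only reports dword-aligned matches."""
    results = []
    idx = image.find(DOS_STUB)
    while idx != -1:
        if not aligned or idx % 4 == 0:
            results.append((idx, looks_like_pe(image, idx)))
        idx = image.find(DOS_STUB, idx + 1)
    return results


def embedded_images(image):
    """Offsets of valid PE headers other than the module's own header at offset 0."""
    return [off for off, ok in find_pe_headers(image) if ok and off != 0]


def build_demo_image():
    """Constructed module image (assumed layout): an outer PE, an embedded PE
    in a data section, and two stray DOS stubs that are not headers."""
    img = bytearray(0x3000)
    img[0:4] = DOS_STUB
    struct.pack_into("<I", img, 0x3c, 0x80)
    img[0x80:0x84] = PE_SIG
    emb = 0x1568   # embedded image, dword-aligned like the thread's hit
    img[emb:emb + 4] = DOS_STUB
    struct.pack_into("<I", img, emb + 0x3c, 0xe8)
    img[emb + 0xe8:emb + 0xec] = PE_SIG
    img[0x2000:0x2004] = DOS_STUB   # stray, dword-aligned: s -d reports it, e_lfanew is 0
    img[0x2201:0x2205] = DOS_STUB   # stray, unaligned: s -d never sees it
    return bytes(img)


if __name__ == "__main__":
    img = build_demo_image()
    for off, ok in find_pe_headers(img):
        print("%08x %s" % (off, "PE header" if ok else "not a header"))
    print("embedded images at: %s" % ["%08x" % o for o in embedded_images(img)])
```

Two practical points follow from the aligned flag: `s -d` will miss an embedded image whose header is not dword-aligned (a byte search, `s -b`, would not), and every hit it does report still needs the `e_lfanew` check before being treated as an embedded executable.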