Created
December 10, 2019 08:33
-
-
Save tahaconfiant/b13c3d55ce253bcb2f1b25ee138cfdfc to your computer and use it in GitHub Desktop.
write_callback
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def write_callback(frame, bp_loc, dict): | |
| print ("write() detected!") | |
| print ("dumping python code from $rsi register") | |
| memory_address = 0 | |
| registerSet = frame.GetRegisters() # Returns an SBValueList. | |
| for regs in registerSet: | |
| if 'general purpose registers' in regs.name.lower(): | |
| GPRs = regs | |
| break | |
| print('%s (number of children = %d):' % (GPRs.name, GPRs.num_children)) | |
| for reg in GPRs: | |
| if reg.name == "rsi": | |
| memory_address = int(reg.value, 0) | |
| bytes_count = 0 | |
| if memory_address: | |
| error = lldb.SBError() | |
| while frame.thread.process.ReadUnsignedFromMemory(memory_address, 1, error): | |
| c = frame.thread.process.ReadUnsignedFromMemory(memory_address, 1, error) | |
| open('/tmp/dumped.py', 'ab').write(bytes([c])) | |
| memory_address += 1 | |
| bytes_count +=1 | |
| if error.Success(): | |
| print("sucessfully written %i bytes" % bytes_count) | |
| else: | |
| print('error: %s\n' % error) | |
| else: | |
| print ('error getting memory address') | |
| frame.thread.process.Continue() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment