Questions about process_snapshot in pydbg


Saving a snapshot and restoring it is actually a fairly complex matter, because between the snapshot and the restore, memory may have been allocated or released, protection attributes may have changed, or memory that was released may have been allocated again. So simply saving committed memory that carries the write attribute is not enough. Second, handle closing may be involved in between: a handle opened before the snapshot is just a number; after the restore it may already have been closed at some point after the snapshot, and the kernel has already removed the object, so opening the handle fails and the flow is disrupted.


So one has to detect memory changes and block handle-close operations, and there may be other things not yet thought of.
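The two gaps above, a memory layout that drifts between snapshot and restore, and handles that the kernel has already torn down, can both be checked before a restore is attempted. The following is an added example, not pydbg's own code: it reuses process_snapshot's filter on a constructed VirtualQuery-style region list, classifies each saved block as restorable, in need of re-commit, or in need of re-protect, lists regions committed since the snapshot, and tracks handle closes so stale snapshot handles can be reported. The Win32 constant values, the Region tuple, the HandleTracker class and all sample addresses and handle values are assumptions constructed for the example.

```python
from collections import namedtuple

# Constructed constants mirroring the Win32 values pydbg's defines module exposes
# (assumed here; they are not taken from the post).
MEM_COMMIT        = 0x1000
MEM_FREE          = 0x10000
PAGE_NOACCESS     = 0x01
PAGE_READONLY     = 0x02
PAGE_READWRITE    = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_GUARD        = 0x100

# One VirtualQuery-style region, i.e. the fields process_snapshot reads from an MBI.
Region = namedtuple("Region", "base size state protect")

def snapshot_regions(layout):
    """Apply process_snapshot's filter: keep committed blocks that are not
    read-only, execute-read, guard or no-access. Returns the blocks the
    original routine would copy."""
    do_not_snapshot = (PAGE_READONLY, PAGE_EXECUTE_READ, PAGE_GUARD, PAGE_NOACCESS)
    return [r for r in layout
            if r.state == MEM_COMMIT and not any(r.protect & p for p in do_not_snapshot)]

def plan_restore(snapshot_layout, current_layout):
    """Classify every block before writing the snapshot back.

    Keys of the returned dict:
      restore     - still committed with the same protection; plain write-back works
      recommit    - released (or resized) since the snapshot; must be allocated again first
      reprotect   - still committed but protection changed; needs VirtualProtect first
      new_regions - committed now but absent at snapshot time; candidates to release
    Matching is by base address; real regions can split or merge, which a full
    implementation would have to handle by address range.
    """
    current = {r.base: r for r in current_layout}
    plan = {"restore": [], "recommit": [], "reprotect": [], "new_regions": []}
    for saved in snapshot_regions(snapshot_layout):
        now = current.get(saved.base)
        if now is None or now.state != MEM_COMMIT or now.size != saved.size:
            plan["recommit"].append(saved)
        elif now.protect != saved.protect:
            plan["reprotect"].append(saved)
        else:
            plan["restore"].append(saved)
    committed_then = {r.base for r in snapshot_layout if r.state == MEM_COMMIT}
    for r in current_layout:
        if r.state == MEM_COMMIT and r.base not in committed_then:
            plan["new_regions"].append(r)
    return plan

class HandleTracker:
    """Track handle closes after the snapshot. A real harness would feed
    on_close() from a CloseHandle/NtClose hook in the debuggee; here it is
    called directly with constructed values."""
    def __init__(self, handles_at_snapshot):
        self.snapshot_handles = set(handles_at_snapshot)
        self.closed_since = set()

    def on_close(self, handle):
        self.closed_since.add(handle)

    def stale_handles(self):
        """Handles the restored state would use although the kernel freed them."""
        return sorted(self.snapshot_handles & self.closed_since)

# Constructed sample layouts (not from a real process).
SNAPSHOT_LAYOUT = [
    Region(0x00400000, 0x1000, MEM_COMMIT, PAGE_READONLY),   # filtered out
    Region(0x00401000, 0x2000, MEM_COMMIT, PAGE_READWRITE),  # saved
    Region(0x00500000, 0x1000, MEM_COMMIT, PAGE_READWRITE),  # saved
    Region(0x00600000, 0x1000, MEM_FREE,   0),               # free at snapshot time
    Region(0x00700000, 0x1000, MEM_COMMIT, PAGE_READWRITE),  # saved
]
CURRENT_LAYOUT = [
    Region(0x00400000, 0x1000, MEM_COMMIT, PAGE_READONLY),
    Region(0x00401000, 0x2000, MEM_COMMIT, PAGE_READONLY),   # protection changed
    Region(0x00500000, 0x1000, MEM_FREE,   0),               # released after snapshot
    Region(0x00600000, 0x1000, MEM_COMMIT, PAGE_READWRITE),  # allocated after snapshot
    Region(0x00700000, 0x1000, MEM_COMMIT, PAGE_READWRITE),  # unchanged
]

if __name__ == "__main__":
    plan = plan_restore(SNAPSHOT_LAYOUT, CURRENT_LAYOUT)
    for key, blocks in plan.items():
        print(key, ["%08x" % b.base for b in blocks])
    tracker = HandleTracker([0x4, 0x8, 0xc])
    tracker.on_close(0x8)
    tracker.on_close(0x10)   # opened after the snapshot, so not a snapshot handle
    print("stale handles:", tracker.stale_handles())
```

Running the block on the constructed layouts puts 0x00401000 under reprotect, 0x00500000 under recommit, 0x00600000 under new_regions and only 0x00700000 under restore; a blind write-back of the saved blocks would have faulted on the first two. The handle tracker reports 0x8 as stale, which is exactly the "just a number" case the post describes.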


    # pydbg.process_snapshot, as found in pydbg.py (method of class pydbg; the
    # MEM_*/PAGE_* constants come from pydbg's defines module).
    def process_snapshot(self):

        '''
        Take memory / context snapshot of the debuggee. All threads must be suspended before calling this routine.

        @raise pdx: An exception is raised on failure.
        @rtype:     pydbg
        @return:    Self
        '''

        self.pydbg_log("taking debuggee snapshot")

        do_not_snapshot = [PAGE_READONLY, PAGE_EXECUTE_READ,PAGE_GUARD, PAGE_NOACCESS]
        cursor          = 0

        # reset the internal snapshot data structure lists.
        self.memory_snapshot_blocks   = []
        self.memory_snapshot_contexts = []

        # enumerate the running threads and save a copy of their contexts.
        for thread_id in self.enumerate_threads():
            context = self.get_thread_context(None, thread_id)

            self.memory_snapshot_contexts.append(memory_snapshot_context(thread_id, context))

            self.pydbg_log("saving thread context of thread id: %08x" % thread_id)

        # scan through the entire memory range and save a copy of suitable memory blocks.
        while cursor < 0xFFFFFFFF:
            save_block = True

            try:
                mbi = self.virtual_query(cursor)
            except:
                break

            # do not snapshot blocks of memory that match the following characteristics.
            # XXX - might want to drop the MEM_IMAGE check to accommodate self-modifying code.
            # or mbi.Type == MEM_IMAGE
            if mbi.State != MEM_COMMIT:
                save_block = False

            for has_protection in do_not_snapshot:
                if mbi.Protect & has_protection:
                    save_block = False
                    break

            if save_block:
                self.pydbg_log("Adding %08x +%d to memory snapshot." % (mbi.BaseAddress, mbi.RegionSize))

                # read the raw bytes from the memory block.
                data = self.read_process_memory(mbi.BaseAddress, mbi.RegionSize)

                self.memory_snapshot_blocks.append(memory_snapshot_block(mbi, data))

            cursor += mbi.RegionSize

        return self.ret_self()


From winsunxu's column
