import gdb
# State shared by the three commands defined in this file. Every slot stays
# None until 'monitor-codechange' has been run.
#   start / size - address and length in bytes of the watched memory region
#   baseline     - snapshot of the region taken by 'monitor-codechange'
#   decrypted    - second copy of the region; 'monitor-codechange-event'
#                  patches it and 'monitor-dump' writes it to disk
start = size = None
baseline = decrypted = None
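class MonitorCodechangeEvent(gdb.Command):
    """
    Fold the current contents of the watched region into the 'decrypted' copy.

    Usage: monitor-codechange-event   (takes no arguments)

    Re-reads the region registered by 'monitor-codechange' and, for every byte
    that differs from the baseline, stores the current value in 'decrypted'.
    Bytes that equal the baseline are left untouched, so a value captured by an
    earlier run is kept even if that byte has since returned to its baseline
    value.  Only the state at the moment of invocation is seen: a byte that
    changes and reverts between two invocations is not recorded.
    """

    def __init__(self):
        super(MonitorCodechangeEvent, self).__init__(
            "monitor-codechange-event", gdb.COMMAND_USER
        )

    def invoke(self, arg, from_tty):
        # Without a baseline there is nothing to compare against; report that
        # as an ordinary gdb error rather than a Python traceback.
        if baseline is None or decrypted is None:
            raise gdb.GdbError(
                "monitor-codechange-event: run 'monitor-codechange START SIZE' first"
            )

        # Same inferior selection as 'monitor-codechange' (first in the list).
        inf = gdb.inferiors()[0]
        current = inf.read_memory(start, size)

        # 'decrypted' is modified in place, never rebound, so no 'global'
        # declaration is needed here.
        for i in range(size):
            if current[i] != baseline[i]:
                decrypted[i] = current[i]

        # Resuming the inferior is left to whoever invoked the command.
        #gdb.execute("c")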
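class MonitorCodechange(gdb.Command):
    """
    Take a baseline view of memory that can later be used by 'monitor-codechange-event'

    Usage: monitor-codechange START SIZE

    START and SIZE are integer literals in any base accepted by int(x, 0),
    for example 0x401000 0x2000.  Running the command again replaces the
    previous baseline and resets the 'decrypted' copy.
    """

    def __init__(self):
        super(MonitorCodechange, self).__init__("monitor-codechange", gdb.COMMAND_USER)

    def invoke(self, arg, from_tty):
        global start
        global size
        global baseline
        global decrypted

        # split() without a separator tolerates tabs and repeated spaces,
        # which split(" ") turned into an unpacking error.
        fields = arg.split()
        if len(fields) != 2:
            raise gdb.GdbError("usage: monitor-codechange START SIZE")
        try:
            region_start = int(fields[0], 0)
            region_size = int(fields[1], 0)
        except ValueError:
            raise gdb.GdbError(
                "monitor-codechange: START and SIZE must be integer literals"
            )
        if region_size <= 0:
            raise gdb.GdbError("monitor-codechange: SIZE must be greater than zero")

        # Two separate reads give two independent buffers: one stays as the
        # reference, the other is patched by 'monitor-codechange-event'.
        inf = gdb.inferiors()[0]
        new_baseline = inf.read_memory(region_start, region_size)
        new_decrypted = inf.read_memory(region_start, region_size)

        # Publish the new state only after both reads succeeded, so a failed
        # read cannot leave start/size pointing at a region that the stored
        # buffers do not describe.
        start, size = region_start, region_size
        baseline, decrypted = new_baseline, new_decrypted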
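class MonitorDump(gdb.Command):
    """
    Write the 'decrypted' copy of the watched region to a file.

    Usage: monitor-dump FILE

    FILE is opened in binary write mode, so an existing file is overwritten.
    The output is the raw bytes of the region with no header: offset 0 in the
    file corresponds to the START address given to 'monitor-codechange'.
    """

    def __init__(self):
        super(MonitorDump, self).__init__("monitor-dump", gdb.COMMAND_USER)

    def invoke(self, arg, from_tty):
        # Validate before open(): opening with "wb" first would create or
        # truncate FILE and only then fail because there is nothing to write.
        if decrypted is None:
            raise gdb.GdbError(
                "monitor-dump: nothing to dump; run 'monitor-codechange START SIZE' first"
            )
        if not arg:
            raise gdb.GdbError("usage: monitor-dump FILE")

        with open(arg, "wb") as f:
            f.write(decrypted.tobytes())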
# Each constructor passes its command name to gdb.Command.__init__, which is
# what makes the command available in the gdb session; the instances
# themselves are not kept.
for _command_class in (MonitorCodechange, MonitorCodechangeEvent, MonitorDump):
    _command_class()