ragweed 0.1.7.3 → 0.2.0.pre1

data/lib/ragweed/wrap32/debugging.rb

@@ -1,3 +1,5 @@
+require 'ffi'
+
 module Ragweed::Wrap32
   module DebugCodes
     CREATE_PROCESS = 3
@@ -35,64 +37,169 @@ module Ragweed::Wrap32
   end
 end
 
-class Ragweed::Wrap32::DebugEvent
-  (FIELDS = [ :code,
-              :pid,
-              :tid,
-              :file_handle,
-              :process_handle,
-              :thread_handle,
-              :base,
-              :offset,
-              :info_size,
-              :thread_base,
-              :start_address,
-              :image_name,
-              :unicode,
-              :exception_code,
-              :exception_flags,
-              :exception_record,
-              :exception_address,
-              :parameters,
-              :exit_code,
-              :dll_base,
-              :rip_error,
-              :rip_type]).each {|x| attr_accessor x}
-
-  def initialize(str)
-    @code, @pid, @tid = str.unpack("LLL")
-    str.shift 12
-    case @code
+class Ragweed::Wrap32::RipInfo < FFI::Struct
+    include Ragweed::FFIStructInclude
+    layout :error, :ulong,
+    :type, :ulong
+end
+
+class Ragweed::Wrap32::OutputDebugStringInfo < FFI::Struct
+    include Ragweed::FFIStructInclude
+    layout :debug_string_data, :ulong, # pointer
+    :unicode, :uint16,
+    :debug_string_length, :uint16
+end
+
+class Ragweed::Wrap32::UnloadDLLDebugInfo < FFI::Struct
+    include Ragweed::FFIStructInclude
+    layout :base_of_dll, :ulong
+end
+
+class Ragweed::Wrap32::LoadDLLDebugInfo < FFI::Struct
+    include Ragweed::FFIStructInclude
+    layout :file_handle, :ulong,
+    :base_of_dll, :ulong,
+    :debug_info_file_offset, :ulong,
+    :debug_info_size, :ulong,
+    :image_name, :pointer,
+    :unicode, :uint16
+end
+
+class Ragweed::Wrap32::ExitProcessDebugInfo < FFI::Struct
+    include Ragweed::FFIStructInclude
+    layout :exit_code, :ulong
+end
+
+class Ragweed::Wrap32::ExitThreadDebugInfo < FFI::Struct
+    include Ragweed::FFIStructInclude
+    layout :exit_code, :ulong
+end
+
+class Ragweed::Wrap32::CreateProcessDebugInfo < FFI::Struct
+    include Ragweed::FFIStructInclude
+    layout :file_handle, :ulong,
+    :process_handle, :ulong,
+    :thread_handle, :ulong,
+    :base_of_image, :pointer,
+    :debug_info_file_offset, :ulong,
+    :debug_info_size, :ulong,
+    :thread_local_base, :pointer,
+    :start_address, :pointer,
+    :image_name, :pointer,
+    :unicode, :uint16
+end
+
+class Ragweed::Wrap32::CreateThreadDebugInfo < FFI::Struct
+    include Ragweed::FFIStructInclude
+    layout :thread_handle, :ulong,
+    :thread_local_base, :ulong,
+    :start_address, :pointer
+end
+
+class Ragweed::Wrap32::ExceptionRecord < FFI::Struct
+    include Ragweed::FFIStructInclude
+    layout :exception_code, :ulong,
+    :exception_flags, :ulong,
+    :exception_record, :pointer,
+    :exception_address, :ulong,
+    :number_of_parameters, :ulong,
+    :exception_information, [:uint8, 15] ## EXCEPTION_MAXIMUM_PARAMETERS
+end
+
+class Ragweed::Wrap32::ExceptionDebugInfo < FFI::Struct
+    include Ragweed::FFIStructInclude
+    layout :exception_record, Ragweed::Wrap32::ExceptionRecord,
+    :first_chance, :ulong
+end
+
+class Ragweed::Wrap32::DebugEventU < FFI::Union
+    include Ragweed::FFIStructInclude
+    layout :exception_debug_info, Ragweed::Wrap32::ExceptionDebugInfo,
+    :create_thread_debug_info, Ragweed::Wrap32::CreateThreadDebugInfo,
+    :create_process_debug_info, Ragweed::Wrap32::CreateProcessDebugInfo,
+    :exit_thread_debug_info, Ragweed::Wrap32::ExitThreadDebugInfo,
+    :exit_process_debug_info, Ragweed::Wrap32::ExitProcessDebugInfo,
+    :load_dll_debug_info,  Ragweed::Wrap32::LoadDLLDebugInfo,
+    :unload_dll_debug_info, Ragweed::Wrap32::UnloadDLLDebugInfo,
+    :output_debug_string_info, Ragweed::Wrap32::OutputDebugStringInfo,
+    :rip_info, Ragweed::Wrap32::RipInfo
+end
+
+class Ragweed::Wrap32::DebugEvent < FFI::Struct
+    include Ragweed::FFIStructInclude
+
+    layout :code, :ulong,
+    :pid, :ulong,
+    :tid, :ulong,
+    :u, Ragweed::Wrap32::DebugEventU
+
+    ## We have rubified this FFI structure by creating a bunch of instance
+    ## variables that are normally only accessible via self.u.x.y which is
+    ## a lot to type. You can still use that method however these instance
+    ## variables should allow for considerably clearer code
+    attr_accessor :base_of_dll, :base_of_image, :debug_info_file_offset, :debug_info_size, :exception_address, :exception_code,
+                  :exception_flags, :exception_record, :exit_code, :file_handle, :image_name, :number_of_parameters, :parameters,
+                  :process_handle, :rip_error, :rip_type, :start_address, :thread_local_base, :thread_handle, :thread_local_base,
+                  :unicode
+
+  def initialize(buf)
+    super buf
+
+    case self.code
     when Ragweed::Wrap32::DebugCodes::CREATE_PROCESS 
-      @file_handle, @process_handle, @thread_handle,
-      @base, @offset,
-      @info_size, @thread_base, @start_address,
-      @image_name, @unicode = str.unpack("LLLLLLLLLH")
+      @file_handle = self.u.create_process_debug_info.file_handle
+      @process_handle = self.u.create_process_debug_info.process_handle
+      @thread_handle = self.u.create_process_debug_info.thread_handle
+      @base_of_image = self.u.create_process_debug_info.base_of_image
+      @debug_info_file_offset = self.u.create_process_debug_info.debug_info_file_offset
+      @debug_info_size = self.u.create_process_debug_info.debug_info_size
+      @thread_local_base = self.u.create_process_debug_info.thread_local_base
+      @start_address = self.u.create_process_debug_info.start_address
+      @image_name = self.u.create_process_debug_info.image_name
+      @unicode = self.u.create_process_debug_info.unicode
+
     when Ragweed::Wrap32::DebugCodes::CREATE_THREAD 
-      @thread_handle, @thread_base, @start_address = str.unpack("LLL")
-    when Ragweed::Wrap32::DebugCodes::EXCEPTION 
-      @exception_code, @exception_flags,
-      @exception_record, @exception_address, @parameter_count = str.unpack("LLLLL")
-      str = str[20..-1]
+      @thread_handle = self.u.create_thread_debug_info.thread_handle
+      @thread_local_base = self.u.create_thread_debug_info.thread_local_base
+      @start_address = self.u.create_thread_debug_info.start_address
+
+    when Ragweed::Wrap32::DebugCodes::EXCEPTION
+      @exception_code = self.u.exception_debug_info.exception_record.exception_code
+      @exception_flags = self.u.exception_debug_info.exception_record.exception_flags
+      @exception_record = self.u.exception_debug_info.exception_record.exception_record
+      @exception_address = self.u.exception_debug_info.exception_record.exception_address
+      @number_of_parameters = self.u.exception_debug_info.exception_record.number_of_parameters
+
       @parameters = []
-      @parameter_count.times do
-        begin
-          @parameters << (str.unpack("L").first)
-          str = str[4..-1]
-        rescue;end
+
+      self.number_of_parameters.times do |i|
+            @parameters << self.u.exception_debug_info.exception_record.exception_information[i]
       end
+
     when Ragweed::Wrap32::DebugCodes::EXIT_PROCESS 
-      @exit_code = str.unpack("L").first
+        @exit_code = self.u.exit_process_debug_info.exit_code
+
     when Ragweed::Wrap32::DebugCodes::EXIT_THREAD 
-      @exit_code = str.unpack("L").first
-    when Ragweed::Wrap32::DebugCodes::LOAD_DLL 
-      @file_handle, @dll_base, @offset,
-      @info_size, @image_name, @unicode = str.unpack("LLLLLH")
+        @exit_code = self.u.exit_thread_debug_info.exit_code
+
+    when Ragweed::Wrap32::DebugCodes::LOAD_DLL
+        @file_handle = self.u.load_dll_debug_info.file_handle
+        @base_of_dll = self.u.load_dll_debug_info.base_of_dll
+        @debug_info_file_offset = self.u.load_dll_debug_info.debug_info_file_offset
+        @debug_info_size = self.u.load_dll_debug_info.debug_info_size
+        @image_name = self.u.load_dll_debug_info.image_name
+        @unicode = self.u.load_dll_debug_info.unicode
+
     when Ragweed::Wrap32::DebugCodes::OUTPUT_DEBUG_STRING 
+        ## 
+
     when Ragweed::Wrap32::DebugCodes::RIP 
-      @rip_error, @rip_type = str.unpack("LL")
+        @rip_error = self.u.rip_info.rip_error
+        @rip_type = self.u.rip_info.rip_type
+
     when Ragweed::Wrap32::DebugCodes::UNLOAD_DLL 
-      @dll_base = str.unpack("L").first
+        @base_of_dll = self.u.unload_dll_debug_info.base_of_dll
+
     else
       raise WinX.new(:wait_for_debug_event)
     end
@@ -111,53 +218,66 @@ class Ragweed::Wrap32::DebugEvent
   end
 
   def inspect
-    body = lambda do 
-      FIELDS.map do |f| 
-        if (v = send(f))
-          f.to_s + "=" + (try("inspect_#{f.to_s}".intern, v) || v.to_i.to_s(16))
-        end
-      end.compact.join(" ")
-    end
-    
+      body = lambda do
+          self.members.each_with_index do |m,i|
+             "#{self.values[i].to_s.hexify} #{self.values[i].to_s.hexify}"
+          end.join(", ")
+      end
     "#<DebugEvent #{body.call}>"
   end
 end
 
+## Wrap the Win32 debugging specific APIs
 module Ragweed::Wrap32
+  module Win
+    extend FFI::Library
+
+    ffi_lib 'kernel32'
+    ffi_convention :stdcall
+
+    attach_function 'WaitForDebugEvent', [ :pointer, :ulong ], :ulong
+    attach_function 'ContinueDebugEvent', [ :ulong, :ulong, :ulong ], :ulong
+    attach_function 'DebugActiveProcess', [ :ulong ], :ulong
+    attach_function 'DebugSetProcessKillOnExit', [ :ulong ], :ulong
+    attach_function 'DebugActiveProcessStop', [ :ulong ], :ulong
+    attach_function 'FlushInstructionCache', [ :ulong, :ulong, :ulong ], :ulong
+  end
+
   class << self
     def wait_for_debug_event(ms=1000)
-      buf = "\x00" * 1024
-      r = CALLS["kernel32!WaitForDebugEvent:PL=L"].call(buf, ms)
+#      buf = FFI::MemoryPointer.new(Ragweed::Wrap32::DebugEvent, 1)
+      buf = FFI::MemoryPointer.from_string("\x00" * 1024)
+      r = Win.WaitForDebugEvent(buf, ms)
       raise WinX.new(:wait_for_debug_event) if r == 0 and get_last_error != 121
       return Ragweed::Wrap32::DebugEvent.new(buf) if r != 0
       return nil
     end
 
     def continue_debug_event(pid, tid, code)
-      r = CALLS["kernel32!ContinueDebugEvent:LLL=L"].call(pid, tid, code)
+      r = Win.ContinueDebugEvent(pid, tid, code)
       raise WinX.new(:continue_debug_event) if r == 0
       return r
     end
 
     def debug_active_process(pid)
-      r = CALLS["kernel32!DebugActiveProcess:L=L"].call(pid)
+      r = Win.DebugActiveProcess(pid)
       raise WinX.new(:debug_active_process) if r == 0
       return r
     end
 
     def debug_set_process_kill_on_exit(val=0)
-      r = CALLS["kernel32!DebugSetProcessKillOnExit:L=L"].call(val)
+      r = Win.DebugSetProcessKillOnExit(val)
       raise WinX.new(:debug_set_process_kill_on_exit) if r == 0
       return r
     end
 
     def debug_active_process_stop(pid)
       # don't care about failure
-      CALLS["kernel32!DebugActiveProcessStop:L=L"].call(pid)
+      Win.DebugActiveProcessStop(pid)
     end
 
     def flush_instruction_cache(h, v1=0, v2=0)
-      CALLS["kernel32!FlushInstructionCache:LLL=L"].call(h, v1, v2)
+      Win.FlushInstructionCache(h, v1, v2)
     end
   end
 end

data/lib/ragweed/wrap32/hooks.rb

@@ -4,20 +4,36 @@ class Ragweed::Debugger32
   # callable/block is called with ev, ctx, dir (:enter or :leave), and args Array (see examples/hook_notepad.rb)
   # default handler prints arguments
   def hook(ip, nargs, callable=nil, &block)
-    callable ||= block || lambda do |ev, ctx,dir,args|
-      puts "#{dir} #{ip.to_s(16) rescue ip.to_s}"
-      puts args.map{|a| "%08x" % a}.join(',')
+
+    callable ||= block || lambda do |ev,ctx,dir,args|
+      #puts args.map{|a| "%08x" % a}.join(',')
     end
 
     breakpoint_set(ip) do |ev,ctx|
-      args = (1..nargs).map {|i| process.read32(ctx.esp + 4*i)}
-      retp = process.read32(ctx.esp)
-      # set exit bpoint
-      breakpoint_set(retp) do |ev,ctx|
-        callable.call(ev, ctx, :leave, args)
-        breakpoint_clear(retp)
-      end.install
+      esp = process.read32(ctx.esp)
+      nargs = nargs.to_i
+
+      if nargs >= 1
+        args = (1..nargs).map {|i| process.read32(ctx.esp + 4*i)}
+      end
+
+      ## set exit bpoint
+      ## We cant always set a leave bp due to
+      ## calling conventions but we can avoid
+      ## a crash by setting a breakpoint on
+      ## the wrong address. So we attempt to
+      ## get an idea of where the instruction
+      ## is mapped.
+      eip = ctx.eip
+      if esp != 0 and esp > (eip & 0xf0000000)
+        breakpoint_set(esp) do |ev,ctx|
+          callable.call(ev, ctx, :leave, args)
+          breakpoint_clear(esp)
+        end.install
+      end
+
+      ## Call the block sent to hook()
       callable.call(ev, ctx, :enter, args)
     end
   end
-end
+end

data/lib/ragweed/wrap32/process.rb

@@ -1,5 +1,3 @@
-# TODO - PORT ME!!
-
 class Ragweed::Process
   def handle; @h; end
   attr_reader :pid
@@ -34,16 +32,125 @@ class Ragweed::Process
     ptr(Ragweed::Wrap32::get_proc_address(name))
   end
 
+  def is_hex(s)
+    s = s.strip
+
+    ## Strip leading 0s and 0x prefix
+    while s[0..1] == '0x' or s[0..1] == '00'
+        s = s[2..-1]
+    end
+
+    o = s
+
+    if s.hex.to_s(16) == o
+        return true
+    end
+        return false
+  end
+
+  ## This only gets called for breakpoints in modules
+  ## that have just been loaded and detected by a LOAD_DLL
+  ## event. It is called from on_load_dll() -> deferred_install()
+  def get_deferred_proc_remote(name, handle, base_of_dll)
+    if !name.kind_of?String
+        return name
+    end
+
+    mod, meth = name.split "!"
+
+    if mod.nil? or meth.nil?
+        raise "can not set this breakpoint: #{name}"
+    end
+
+    modh = handle
+
+    ## Location is an offset
+    if is_hex(meth)
+        baseaddr = 0
+        modules.each do |m|
+            if m.szModule == mod
+                break
+            end
+        end
+
+        ret = base_of_dll + meth.hex
+    else
+        ## Location is a symbolic name
+        ## Win32 should have successfully loaded the DLL
+        ret = remote_call "kernel32!GetProcAddress", modh, meth
+    end
+    ret
+  end
+
+  ## This only gets called for breakpoints
+  ## in modules that are already loaded
   def get_proc_remote(name)
+    if !name.kind_of?String
+        return name
+    end
+
     mod, meth = name.split "!"
-    modh = remote_call "kernel32!GetModuleHandleW", mod.to_utf16
+
+    if mod.nil? or meth.nil?
+        raise "can not set this breakpoint: #{name}"
+    end
+
+#    modh = remote_call "kernel32!GetModuleHandleW", mod.to_utf16
+    modh = remote_call "kernel32!GetModuleHandleA", mod
     raise "no such module #{ mod }" if not modh
-    ret = remote_call "kernel32!GetProcAddress", modh, meth
+
+    ## Location is an offset
+    if is_hex(meth)
+        baseaddr = 0
+        modules.each do |m|
+            if m.szModule == mod
+                baseaddr = m.modBaseAddr
+                break
+            end
+        end
+
+        ## Somehow the module does not appear to be
+        ## loaded. This should have been caught by
+        ## Process::is_breakpoint_deferred either way
+        ## Process::initialize should catch this return
+        if baseaddr == 0 or baseaddr == -1
+            return name
+        end
+
+        ret = baseaddr + meth.hex
+    else
+        ## Location is a symbolic name
+        ret = remote_call "kernel32!GetProcAddress", modh, meth
+    end
     ret
   end
 
-  # Look up a process by name or regex, returning an array of all
-  # matching processes, as objects.
+  ## Check if breakpoint location is deferred
+  ## This method expects a string 'module!function'
+  ## true is the module is not yet loaded
+  ## false is the module is loaded
+  def is_breakpoint_deferred(ip)
+    if !ip.kind_of? String
+        return false
+    end
+
+    m,f = ip.split('!')
+
+    if f.nil? or m.nil?
+        return true
+    end
+
+    modules.each do |d|
+        if d.szModule.to_s.match(/#{m}/)
+            return false
+        end
+      end
+
+    return true
+  end
+
+  ## Look up a process by name or regex, returning an array of all
+  ## matching processes, as objects.
   def self.by_name(n)
     n = Regexp.new(n) if not n.kind_of? Regexp
     p = []
@@ -126,7 +233,7 @@ class Ragweed::Process
     loc = Ragweed::Ptr.new loc
     raise "bad proc name" if loc.null?
     t = Trampoline.new(self, loc)
-    t.call *args      
+    t.call *args
   end
 
   # Can I write to this address in the process?

data/lib/ragweed/wrap32/process_token.rb

@@ -20,28 +20,44 @@ module Ragweed::Wrap32
     USED_FOR_ACCESS = 0x80000000
   end
 
+  module Win
+    extend FFI::Library
+
+    ffi_lib 'kernel32','Advapi32'
+    ffi_convention :stdcall
+    attach_function 'OpenProcess', [ :long, :long, :long ], :long
+    attach_function 'OpenProcessToken', [:long, :long, :pointer ], :long
+
+    # ffi_lib 'advapi32'
+    # ffi_convention :stdcall
+    attach_function 'AdjustTokenPrivileges', [ :long, :long, :pointer, :long, :pointer, :pointer ], :long
+    attach_function 'LookupPrivilegeValueA', [ :pointer, :pointer, :pointer ] ,:long
+  end
+
   class << self
+
     def open_process_token(h, access=Ragweed::Wrap32::TokenAccess::ADJUST_PRIVILEGES)
       outw = "\x00" * 4
-      r = CALLS["advapi32!OpenProcessToken:LLP=L"].call(h, access, outw)
+      r = Win.OpenProcessToken(h, access, outw)
       raise WinX.new(:open_process_token) if r == 0
       return outw.unpack("L").first
     end
 
     def adjust_token_privileges(t, disable, *args)
-      buf = [args.size].pack("L") + (args.map {|tup| tup.pack("QL") }.join(""))
+      buf = FFI::MemoryPointer.from_string( [args.size].pack("L") + (args.map {|tup| tup.pack("QL") }.join("")) )
 
-      r = CALLS["advapi32!AdjustTokenPrivileges:LLPLPP=L"].
-        call(t, disable, buf, buf.size, NULL, NULL)
+      r = Win.AdjustTokenPrivileges(t, disable, buf, buf.size, nil, nil)
 
       raise WinX.new(:adjust_token_privileges) if r == 0
     end
 
     def lookup_privilege_value(name)
-      outw = "\x00" * 8
-      r = CALLS["advapi32!LookupPrivilegeValueA:PPP=L"].call(NULL, name, outw)
+      namep = FFI::MemoryPointer.from_string(name)
+      outw = FFI::MemoryPointer.new(:int64, 1)
+      r = Win.LookupPrivilegeValueA(nil, namep, outw)
+      r = Win.LookupPrivilegeValueA(nil, name, outw)
       raise WinX.new(:lookup_privilege_value) if r == 0
-      return outw.unpack("Q").first
+      outw.read_long_long
     end
   end
 end