-
Notifications
You must be signed in to change notification settings - Fork 568
/
Copy pathload_syms64
executable file
·56 lines (53 loc) · 2.51 KB
/
load_syms64
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
$$ **********************************************************
$$ Copyright (c) 2011-2013 Google, Inc. All rights reserved.
$$ **********************************************************
$$ Redistribution and use in source and binary forms, with or without
$$ modification, are permitted provided that the following conditions are met:
$$
$$ * Redistributions of source code must retain the above copyright notice,
$$ this list of conditions and the following disclaimer.
$$
$$ * Redistributions in binary form must reproduce the above copyright notice,
$$ this list of conditions and the following disclaimer in the documentation
$$ and/or other materials provided with the distribution.
$$
$$ * Neither the name of Google, Inc. nor the names of its contributors may be
$$ used to endorse or promote products derived from this software without
$$ specific prior written permission.
$$
$$ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
$$ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
$$ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
$$ ARE DISCLAIMED. IN NO EVENT SHALL VMWARE, INC. OR CONTRIBUTORS BE LIABLE
$$ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
$$ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
$$ SERVICES LOSS OF USE, DATA, OR PROFITS OR BUSINESS INTERRUPTION) HOWEVER
$$ CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
$$ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
$$ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
$$ DAMAGE.
$$ Loads symbols for DynamoRIO and all libraries loaded by its private loader
r $t0=ntdll!KiUserCallbackDispatcher+1
$$ I don't know how to deref and cast to int via asm syntax
r $t0=@@(*(int*)@$t0) + ntdll!KiUserCallbackDispatcher+5
r $t1=(qwo(@$t0-8) & 0xfffffffffffff000)
$$ Check magic values to avoid executing random command w/o DynamoRIO
.if (dwo(@$t1) = b1d2ae58) {
.if (dwo(@$t1 + 4) = ca50c356) {
.if (dwo(@$t1 + 8) = 63000089) {
.if (dwo(@$t1 + c) = 3fa898f0) {
aS /c ${/v:loadpriv} .printf "%ma", @$t1 + 40
.block { ${loadpriv} }
ad ${/v:loadpriv}
} .else {
.echo "DynamoRIO not detected"
}
} .else {
.echo "DynamoRIO not detected"
}
} .else {
.echo "DynamoRIO not detected"
}
} .else {
.echo "DynamoRIO not detected"
}