Doubts about process_snapshot in pydbg
Saving and restoring a snapshot is actually a fairly complex matter. Between the snapshot and the restore, memory may have been allocated or freed, protection attributes may have changed, or freed memory may have been allocated again, so simply saving the committed memory that has a write attribute is not enough. Second, handle closing may be involved: a handle opened before the snapshot is just a number; after the restore it may already have been closed in the time since the snapshot, the kernel has already cleared the object, and opening the handle fails, breaking the flow.
So we need to track memory changes and block handle-close operations, and there may be other issues not yet thought of.
# Method of the pydbg class; PAGE_*/MEM_* constants come from pydbg's defines module,
# and memory_snapshot_block / memory_snapshot_context are the helper classes in pydbg.py.
def process_snapshot (self):
    '''
    Take memory / context snapshot of the debuggee. All threads must be suspended before calling this routine.
    @raise pdx: An exception is raised on failure.
    @rtype: pydbg
    @return: Self
    '''
    self.pydbg_log("taking debuggee snapshot")
    do_not_snapshot = [PAGE_READONLY, PAGE_EXECUTE_READ, PAGE_GUARD, PAGE_NOACCESS]
    cursor = 0
    # reset the internal snapshot data structure lists.
    self.memory_snapshot_blocks = []
    self.memory_snapshot_contexts = []
    # enumerate the running threads and save a copy of their contexts.
    for thread_id in self.enumerate_threads():
        context = self.get_thread_context(None, thread_id)
        self.memory_snapshot_contexts.append(memory_snapshot_context(thread_id, context))
        self.pydbg_log("saving thread context of thread id: %08x" % thread_id)
    # scan through the entire (32-bit) memory range and save a copy of suitable memory blocks.
    while cursor < 0xFFFFFFFF:
        save_block = True
        try:
            mbi = self.virtual_query(cursor)
        except:
            # virtual_query raises once the cursor passes the last queryable region.
            break
        # do not snapshot blocks of memory that match the following characteristics.
        # XXX - might want to drop the MEM_IMAGE check to accommodate for self modifying code.
        # or mbi.Type == MEM_IMAGE
        if mbi.State != MEM_COMMIT:
            save_block = False
        for has_protection in do_not_snapshot:
            if mbi.Protect & has_protection:
                save_block = False
                break
        if save_block:
            self.pydbg_log("Adding %08x +%d to memory snapshot." % (mbi.BaseAddress, mbi.RegionSize))
            # read the raw bytes from the memory block.
            data = self.read_process_memory(mbi.BaseAddress, mbi.RegionSize)
            self.memory_snapshot_blocks.append(memory_snapshot_block(mbi, data))
        cursor += mbi.RegionSize
    return self.ret_self()
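To make the objection concrete, here is an added toy model (not pydbg code; the AddressSpace class, its region layout and the function names are my assumptions) in which a pydbg-style snapshot of writable committed bytes is restored after memory has been freed, re-protected and newly allocated, beside a snapshot that also records the region map so the restore can reconcile it. Handle lifetime is not modelled.

```python
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04   # Win32 protection values

class AddressSpace:
    """Constructed toy debuggee memory: base -> [size, protect, bytes], all committed."""
    def __init__(self):
        self.regions = {}
    def alloc(self, base, size, protect=PAGE_READWRITE):
        self.regions[base] = [size, protect, bytes(size)]
    def free(self, base):
        del self.regions[base]
    def set_protect(self, base, protect):
        self.regions[base][1] = protect
    def write(self, base, data):
        r = self.regions[base]
        r[2] = data + r[2][len(data):]

def snapshot_naive(mem):
    """pydbg-style: keep only the bytes of committed, writable regions."""
    return {b: r[2] for b, r in mem.regions.items() if not r[1] & PAGE_READONLY}

def restore_naive(mem, snap):
    """Write saved bytes back over the live map; report what cannot be undone."""
    problems = []
    for base, data in snap.items():
        r = mem.regions.get(base)
        if r is None:                      # region released after the snapshot
            problems.append(("freed since snapshot", base))
        elif r[1] & PAGE_READONLY:         # a write would fault now
            problems.append(("protection changed", base))
        else:
            r[2] = data
    for base in mem.regions.keys() - snap.keys():   # nothing recorded to roll back to
        problems.append(("allocated since snapshot", base))
    return sorted(problems)

def snapshot_full(mem):
    """Record the region map (size, protection) together with the bytes."""
    return {b: (r[0], r[1], r[2]) for b, r in mem.regions.items()}

def restore_full(mem, snap):
    """Reconcile the live map with the recorded one, then write the bytes."""
    for base in list(mem.regions):         # release regions allocated since
        if base not in snap:
            mem.free(base)
    for base, (size, protect, data) in snap.items():
        if base not in mem.regions:        # re-commit regions freed since
            mem.alloc(base, size, protect)
        mem.set_protect(base, protect)     # restore protection before writing
        mem.regions[base][2] = data
    return mem
```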
Excerpted from winsunxu's column