Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-08 16:37:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix version parsing issue in offsets extractor

Browse Source 
Now finding version information in the nested json file to prevent some
crashes and potentially retrieving more ntoskrnl.exe files
This commit is contained in:
laxa
2022-12-01 18:43:40 +01:00
committed by Maxime Meignan
parent 45d3ff5486
commit a561976b5d
1 changed files with 17 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Offsets/ExtractOffsets.py
+16 -3
View File
@@ -17,6 +17,14 @@ machineType = dict(x86=332, x64=34404)
knownImageVersions = dict(ntoskrnl=list(), wdigest=list())
extensions_by_mode = dict(ntoskrnl="exe", wdigest="dll")
def find(key, value):
for k, v in value.items():
if k == key:
return v
elif isinstance(v, dict):
return find(key, v)
return None
def printl(s, lock, **kwargs):
with lock:
print(s, **kwargs)
@@ -47,9 +55,14 @@ def downloadSpecificFile(entry, pe_basename, pe_ext, knownPEVersions, output_fol
virtual_size = entry['fileInfo']['virtualSize']
file_id = hex(timestamp).replace('0x','').zfill(8).upper() + hex(virtual_size).replace('0x','')
url = 'https://msdl.microsoft.com/download/symbols/' + pe_name + '/' + file_id + '/' + pe_name
if "version" not in entry['fileInfo']:
return "SKIP"
try:
version = entry['fileInfo']['version'].split(' ')[0]
except:
version = find('version', entry).split(' ')[0]
if not version:
printl(f'[*] Error parsing version', lock)
return "SKIP"
# Output file format: <PE>_build-revision.<exe | dll>
output_version = '-'.join(version.split('.')[-2:])
@@ -257,7 +270,7 @@ if __name__ == '__main__':
* a simple tag "5.8.2-158-gca9763f20d"
"""
ma,me,mi = map(int, output.splitlines()[0].split(" ")[0].split("-")[0].split("."))
if (ma, me, mi) < (5,0,0):
if (ma, me, mi) < (5, 0, 0):
print("WARNING : This script has been tested with radare2 5.0.0 (works) and 4.3.1 (does NOT work)")
print(f"You have version {ma}.{me}.{mi}, if is does not work correctly, meaning most of the offsets are not found (i.e. 0), check radare2's 'idpi' command output and modify get_symbol_offset() & get_field_offset() to parse symbols correctly")
input("Press enter to continue")