Memory and Register Modifiers

It is extremely important that you are able to set and retrieve register and memory values when running your emulation scripts. PyEmu breaks the modifiers into four separate categories: memory, stack variables, stack arguments, and registers. To set or retrieve memory values, you use the get_memory() and set_memory() functions, which have the following prototypes:

get_memory( address, size )
set_memory( address, value, size=0 )

The get_memory() function takes two parameters: the address parameter tells PyEmu which memory address to read, and the size parameter determines the number of bytes retrieved. The set_memory() function takes the address of the memory to write to, the value parameter supplies the data being written, and the optional size parameter tells PyEmu the number of bytes to store.

The two stack-based modification categories behave similarly and are used for modifying function arguments and local variables in a stack frame. They use the following function prototypes:

set_stack_argument( offset, value, name="" )
get_stack_argument( offset=0x0, name="" )
set_stack_variable( offset, value, name="" )
get_stack_variable( offset=0x0, name="" )

For set_stack_argument(), you provide an offset from the ESP register and the value to store in that stack argument. Optionally, you can also provide a name for the stack argument. With get_stack_argument(), you can then retrieve the value either by the same offset or by the name argument, if you assigned a custom name when setting it. An example of this usage is shown here:

set_stack_argument( 0x8, 0x12345678, name="arg_0" )
get_stack_argument( 0x8 )
get_stack_argument( name="arg_0" )

The set_stack_variable() and get_stack_variable() functions operate in the exact same manner, except you are providing an offset from the EBP register (when available) to set the value of local variables in the function's scope.
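To make the offset and name resolution of the four modifier categories concrete, here is an added, self-contained model of that API written for this section; it is not PyEmu's own code. It assumes 32-bit little-endian memory, that size=0 means a 4-byte dword, that stack arguments sit at ESP+offset (as the text states) and that stack variables sit at EBP-offset (an assumption, since the text only says "an offset from EBP").

```python
# Added illustration, not PyEmu's own code: a minimal model of the four
# modifier categories so offset/name resolution and byte layout can be traced.
class TinyMemModel:
    DEFAULT_SIZE = 4  # assumption: size=0 means a 4-byte dword (x86-32)

    def __init__(self, esp=0x0012FF80, ebp=0x0012FFA0):
        self.mem = {}                       # sparse store: address -> byte
        self.regs = {"ESP": esp, "EBP": ebp}
        self.arg_names = {}                 # argument name -> offset
        self.var_names = {}                 # variable name -> offset

    def set_memory(self, address, value, size=0):
        size = size or self.DEFAULT_SIZE
        for i in range(size):               # little-endian: LSB at lowest address
            self.mem[address + i] = (value >> (8 * i)) & 0xFF

    def get_memory(self, address, size):
        return sum(self.mem.get(address + i, 0) << (8 * i) for i in range(size))

    # Stack arguments live at ESP + offset, as the text describes.
    def set_stack_argument(self, offset, value, name=""):
        if name:
            self.arg_names[name] = offset
        self.set_memory(self.regs["ESP"] + offset, value)

    def get_stack_argument(self, offset=0x0, name=""):
        if name:
            offset = self.arg_names[name]   # a name takes precedence over offset
        return self.get_memory(self.regs["ESP"] + offset, self.DEFAULT_SIZE)

    # Stack variables: EBP - offset (assumption: locals sit below the frame pointer).
    def set_stack_variable(self, offset, value, name=""):
        if name:
            self.var_names[name] = offset
        self.set_memory(self.regs["EBP"] - offset, value)

    def get_stack_variable(self, offset=0x0, name=""):
        if name:
            offset = self.var_names[name]
        return self.get_memory(self.regs["EBP"] - offset, self.DEFAULT_SIZE)


def demo():
    # Mirrors the text's example, then shows what a 1-byte read of the same slot sees.
    m = TinyMemModel()
    m.set_stack_argument(0x8, 0x12345678, name="arg_0")
    m.set_stack_variable(0x4, 0xDEADBEEF, name="var_4")
    return (m.get_stack_argument(0x8),
            m.get_stack_argument(name="arg_0"),
            m.get_memory(m.regs["ESP"] + 0x8, 1),   # low byte only: 0x78
            m.get_stack_variable(name="var_4"))
```

The 1-byte read returning 0x78 is the little-endian detail to keep in mind when a size smaller than the stored value is requested.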
