zelos.api.memory_api module¶
-
class
zelos.api.memory_api.
MemoryApi
(zelos)¶ Bases:
object
-
read
(addr: int, size: int) → bytearray¶ Copies specified region of memory. Requires that the specified address is mapped.
- Parameters
addr – Address to start reading from.
size – Number of bytes to read.
- Returns
Bytes corresponding to data held in memory.
-
write
(addr: int, data: bytearray) → None¶ Writes specified bytes to memory. Requires that the specified address is mapped.
- Parameters
addr – Address to start writing data to.
data – Bytes to write in memory.
-
read_int
(addr: int, size: int = None, signed: bool = False) → int¶ Reads an integer value from the specified address. Can handle multiple sizes and representations of integers.
- Parameters
addr – Address to begin reading int from.
size – Size (# of bytes) of integer representation. If None, uses the architecture to determine size (32 bit -> 4, 64bit -> 8). Default is None.
signed – If true, interpret bytes as signed integer. Default false.
- Returns
Integer represntation of bytes read.
-
write_int
(addr: int, value: int, size: int = None, signed: bool = False) → int¶ Writes an integer value to the specified address. Can handle multiple sizes and representations of integers.
- Parameters
addr – Address in memory to write integer to.
value – Integer to write into memory.
size – Size (# of bytes) to write into memory. If None, uses the architecture to determine size (32 bit -> 4, 64bit -> 8). Default is None.
signed – If true, write number as signed integer. Default false.
- Returns
Number of bytes written to memory.
-
read_string
(addr: int, size: int = 1024) → str¶ Reads a utf-8 string from memory. Stops at null terminator. Fails if a byte is uninterpretable.
- Parameters
addr – Address in memory to start reading from.
size – Maximum size of string to read from memory.
- Returns
String read from memory.
-
read_wstring
(addr: int, size: int = 1024) → str¶ Reads a utf-16 string from memory. Stops at null terminator. Fails if a byte is uninterpretable.
- Parameters
addr – Address in memory to start reading from.
size – Maximum size of string to read from memory.
- Returns
String read from memory.
-
read_punicode_string
(addr: int) → str¶ Given the address of a pointer to a unicode string, returns the string that was pointed to as a python string.
- Parameters
addr – Address of the unicode string pointer
- Returns
String read from memory
-
read_pansi_string
(addr: int) → int¶ Given the address of a pointer to a ANSI string, returns the string that was pointed to as a python string.
- Parameters
addr – Address of the ANSI string pointer
- Returns
String read from memory
-
write_string
(addr: int, value: str, terminal_null_byte: bool = True) → int¶ Writes a string to a specified address as utf-8. By default, adds a terminal null byte.
- Parameters
addr – Address in memory to begin writing string to.
value – String to write to memory.
terminal_null_byte – If True, adds terminal null byte. Default True.
- Returns
Number of bytes written.
-
write_wstring
(addr: int, value: int, terminal_null_byte: bool = True) → int¶ Writes a string to a specified address as utf-16-le. By default, adds a terminal null byte.
- Parameters
addr – Address in memory to begin writing string to.
value – String to write to memory.
terminal_null_byte – If True, adds terminal null byte. Default True.
- Returns
Number of bytes written.
-
readstruct
(addr: int, obj: _ctypes.Structure) → _ctypes.Structure¶ Reads a ctypes structure from memory.
- Parameters
addr – Address in memory to begin reading structure from.
obj – An instance of the structure to create from memory.
- Returns
Instance of structure read from memory.
Example
class SIGACTION(ctypes.Structure): _fields_ = [ ("sa_handler", ctypes.c_uint64), ("sa_flags", ctypes.c_uint64), ("sa_restorer", ctypes.c_uint64), ("sa_mask", ctypes.c_uint64), ] # Pointer to sigaction struct pointer = 0xdeadbeef sigaction = api.memory.readstruct(pointer, SIGACTION()) print(sigaction.sa_handler)
-
writestruct
(address: int, structure: _ctypes.Structure) → int¶ Write a ctypes Structure to memory.
- Parameters
addr – Address in memory to begin writing to.
structure – An instance of the structure to write to memory.
- Returns
Number of bytes written to memory.
Example
class SIGACTION(ctypes.Structure): _fields_ = [ ("sa_handler", ctypes.c_uint64), ("sa_flags", ctypes.c_uint64), ("sa_restorer", ctypes.c_uint64), ("sa_mask", ctypes.c_uint64), ] sigaction = SIGACTION() sigaction.handler = 0xdeadbeef # Memory address to write struct to destination = 0xb0bad00d bytes_written = api.memory.writestruct(destination, sigaction)
-
map
(address: int, size: int, name: str = '', kind: str = '', module_name: str = '', prot: int = <ProtType.RWX: 7>, ptr: Optional[_ctypes.POINTER] = None, reserve: bool = False) → None¶ Maps a region of memory at the specified address.
- Parameters
address – Address to map.
size – # of bytes to map. This will be rounded up to the nearest 0x1000.
name – String used to identify mapped region. Used for debugging.
kind – String used to identify the purpose of the mapped region. Used for debugging.
module_name – String used to identify the module that mapped this region.
prot – An integer representing the RWX protection to be set on the mapped region.
ptr – If specified, creates a memory map from the pointer.
reserve – Reserves memory to prepare for mapping. An option used in Windows.
-
read_ptr
(addr: int) → int¶ Reads a pointer at addr. The number of bytes read is dependent on the architecture of the binary.
-
read_size_t
(addr: int) → int¶ Reads a value of type size_t at addr.
-
pack
(x: int, bytes: int = None, little_endian: bool = None, signed: bool = False) → bytes¶ Unpacks an integer from a byte format. Defaults to the current architecture bytes and endianness.
-
unpack
(x: bytes, bytes: int = None, little_endian: bool = None, signed: bool = False) → int¶ Unpacks an integer from a byte format. Defaults to the current architecture bytes and endianness.
-
read_int64
(addr: int) → int¶
-
read_uint64
(addr: int) → int¶
-
read_int32
(addr: int) → int¶
-
read_uint32
(addr: int) → int¶
-
read_int16
(addr: int) → int¶
-
read_uint16
(addr: int) → int¶
-
read_int8
(addr: int) → int¶
-
read_uint8
(addr: int) → int¶
-
write_ptr
(addr: int, value: int) → int¶
-
write_size_t
(addr: int, value: int) → int¶
-
write_int64
(addr: int, value: int) → int¶
-
write_uint64
(addr: int, value: int) → int¶
-
write_int32
(addr: int, value: int) → int¶
-
write_uint32
(addr: int, value: int) → int¶
-
write_int16
(addr: int, value: int) → int¶
-
write_uint16
(addr: int, value: int) → int¶
-
write_int8
(addr: int, value: int) → int¶
-
write_uint8
(addr: int, value: int) → int¶
-