Fixing some doc / samples

Author: hakril

TODO

@@ -34,7 +34,7 @@ TODO:
     - winobject\exception.py
         - large part could be rewritten with ctypes-generation extended-def
 
-    - add wonobject/window.py + wonobject/kernobj.py to System()
+    - add winobject/window.py + winobject/kernobj.py to System()
         - Some test/doc on both
 
 
@@ -44,6 +44,12 @@ TODO:
     - COM:
         - test https://msdn.microsoft.com/en-us/library/vs/alm/hh846255(v=vs.85).aspx
 
+    - Hook
+        - Probleme with enabled hook + gc
+            - Prevent GC of enabled hook ?
+            - Raise on deletion of enabled hook ?
+                - if I implem __del__ -> we have a __del__ cycle -> no gc (gc.garbage instead..)
+
 
 Documentation
     * verif samples

docs/build/html/_modules/index.html

@@ -38,6 +38,7 @@ <h3>Navigation</h3>
   <h1>All modules for which code is available</h1>
 <ul><li><a href="ctypes.html">ctypes</a></li>
 <li><a href="windows/alpc.html">windows.alpc</a></li>
+<li><a href="windows/com.html">windows.com</a></li>
 <li><a href="windows/crypto/certificate.html">windows.crypto.certificate</a></li>
 <li><a href="windows/crypto/cryptmsg.html">windows.crypto.cryptmsg</a></li>
 <li><a href="windows/crypto/encrypt_decrypt.html">windows.crypto.encrypt_decrypt</a></li>

docs/build/html/_modules/windows/com.html

@@ -90,7 +90,7 @@ <h1>Source code for windows.hooks</h1><div class="highlight"><pre>
 
 <div class="viewcode-block" id="IATHook"><a class="viewcode-back" href="../../iat_hook.html#windows.hooks.IATHook">[docs]</a><span class="k">class</span> <span class="nc">IATHook</span><span class="p">(</span><span class="nb">object</span><span class="p">):</span>
     <span class="sd">&quot;&quot;&quot;Look at my hook &lt;3&quot;&quot;&quot;</span>
-    <span class="n">yolo</span> <span class="o">=</span> <span class="p">[]</span>
+    <span class="c1"># yolo = []</span>
 
     <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">IAT_entry</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">types</span><span class="o">=</span><span class="kc">None</span><span class="p">):</span>
         <span class="k">if</span> <span class="n">types</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
@@ -101,10 +101,16 @@ <h1>Source code for windows.hooks</h1><div class="highlight"><pre>
         <span class="bp">self</span><span class="o">.</span><span class="n">callback_types</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">transform_arguments</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">original_types</span><span class="p">)</span>
         <span class="bp">self</span><span class="o">.</span><span class="n">entry</span> <span class="o">=</span> <span class="n">IAT_entry</span>
         <span class="bp">self</span><span class="o">.</span><span class="n">callback</span> <span class="o">=</span> <span class="n">callback</span>
+        <span class="c1">## No more circular ref -&gt; but stub is destroyed -&gt; segv :(</span>
         <span class="bp">self</span><span class="o">.</span><span class="n">stub</span> <span class="o">=</span> <span class="n">ctypes</span><span class="o">.</span><span class="n">WINFUNCTYPE</span><span class="p">(</span><span class="o">*</span><span class="bp">self</span><span class="o">.</span><span class="n">callback_types</span><span class="p">)(</span><span class="bp">self</span><span class="o">.</span><span class="n">hook_callback</span><span class="p">)</span>
-        <span class="bp">self</span><span class="o">.</span><span class="n">stub_addr</span> <span class="o">=</span> <span class="n">ctypes</span><span class="o">.</span><span class="n">cast</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">stub</span><span class="p">,</span> <span class="n">PVOID</span><span class="p">)</span><span class="o">.</span><span class="n">value</span>
+        <span class="c1"># stub = ctypes.WINFUNCTYPE(*self.callback_types)(self.hook_callback)</span>
+        <span class="c1"># self.stub_addr = ctypes.cast(stub, PVOID) # Same problem as keep stub... (GC..)</span>
+        <span class="bp">self</span><span class="o">.</span><span class="n">stub_addr</span> <span class="o">=</span> <span class="n">ctypes</span><span class="o">.</span><span class="n">cast</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">stub</span><span class="p">,</span> <span class="n">PVOID</span><span class="p">)</span><span class="o">.</span><span class="n">value</span> <span class="c1"># Same problem as keep stub... (GC..)</span>
+        <span class="c1"># IAT_entry.stub = stub</span>
+        <span class="nb">print</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">stub_addr</span><span class="p">)</span>
         <span class="bp">self</span><span class="o">.</span><span class="n">realfunction</span> <span class="o">=</span> <span class="n">ctypes</span><span class="o">.</span><span class="n">WINFUNCTYPE</span><span class="p">(</span><span class="o">*</span><span class="n">types</span><span class="p">)(</span><span class="n">IAT_entry</span><span class="o">.</span><span class="n">nonhookvalue</span><span class="p">)</span>
         <span class="bp">self</span><span class="o">.</span><span class="n">is_enable</span> <span class="o">=</span> <span class="kc">False</span>
+        <span class="c1"># import pdb;pdb.set_trace()</span>
         <span class="c1">#IATHook.yolo.append(self)</span>
 
     <span class="k">def</span> <span class="nf">transform_arguments</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">types</span><span class="p">):</span>
@@ -119,14 +125,17 @@ <h1>Source code for windows.hooks</h1><div class="highlight"><pre>
 <div class="viewcode-block" id="IATHook.enable"><a class="viewcode-back" href="../../iat_hook.html#windows.hooks.IATHook.enable">[docs]</a>    <span class="k">def</span> <span class="nf">enable</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
         <span class="sd">&quot;&quot;&quot;Enable the IAT hook: you MUST keep a reference to the IATHook while the hook is enabled&quot;&quot;&quot;</span>
         <span class="k">with</span> <span class="n">utils</span><span class="o">.</span><span class="n">VirtualProtected</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">entry</span><span class="o">.</span><span class="n">addr</span><span class="p">,</span> <span class="n">ctypes</span><span class="o">.</span><span class="n">sizeof</span><span class="p">(</span><span class="n">PVOID</span><span class="p">),</span> <span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">):</span>
-            <span class="bp">self</span><span class="o">.</span><span class="n">entry</span><span class="o">.</span><span class="n">value</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">stub_addr</span></div>
-        <span class="bp">self</span><span class="o">.</span><span class="n">is_enable</span> <span class="o">=</span> <span class="kc">True</span>
+            <span class="nb">print</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">stub_addr</span><span class="p">)</span>
+            <span class="bp">self</span><span class="o">.</span><span class="n">entry</span><span class="o">.</span><span class="n">value</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">stub_addr</span>
+        <span class="bp">self</span><span class="o">.</span><span class="n">is_enable</span> <span class="o">=</span> <span class="kc">True</span></div>
+        <span class="bp">self</span><span class="o">.</span><span class="n">entry</span><span class="o">.</span><span class="n">enabled</span> <span class="o">=</span> <span class="kc">True</span>
 
 <div class="viewcode-block" id="IATHook.disable"><a class="viewcode-back" href="../../iat_hook.html#windows.hooks.IATHook.disable">[docs]</a>    <span class="k">def</span> <span class="nf">disable</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
         <span class="sd">&quot;&quot;&quot;Disable the IAT hook&quot;&quot;&quot;</span>
         <span class="k">with</span> <span class="n">utils</span><span class="o">.</span><span class="n">VirtualProtected</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">entry</span><span class="o">.</span><span class="n">addr</span><span class="p">,</span> <span class="n">ctypes</span><span class="o">.</span><span class="n">sizeof</span><span class="p">(</span><span class="n">PVOID</span><span class="p">),</span> <span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">):</span>
-            <span class="bp">self</span><span class="o">.</span><span class="n">entry</span><span class="o">.</span><span class="n">value</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">entry</span><span class="o">.</span><span class="n">nonhookvalue</span></div>
-        <span class="bp">self</span><span class="o">.</span><span class="n">is_enable</span> <span class="o">=</span> <span class="kc">False</span>
+            <span class="bp">self</span><span class="o">.</span><span class="n">entry</span><span class="o">.</span><span class="n">value</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">entry</span><span class="o">.</span><span class="n">nonhookvalue</span>
+        <span class="bp">self</span><span class="o">.</span><span class="n">is_enable</span> <span class="o">=</span> <span class="kc">False</span></div>
+        <span class="bp">self</span><span class="o">.</span><span class="n">entry</span><span class="o">.</span><span class="n">enabled</span> <span class="o">=</span> <span class="kc">True</span>
 
     <span class="k">def</span> <span class="nf">hook_callback</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="o">*</span><span class="n">args</span><span class="p">):</span>
         <span class="n">adapted_args</span> <span class="o">=</span> <span class="p">[]</span>
@@ -145,9 +154,10 @@ <h1>Source code for windows.hooks</h1><div class="highlight"><pre>
         <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">callback</span><span class="p">(</span><span class="o">*</span><span class="n">adapted_args</span><span class="p">,</span> <span class="n">real_function</span><span class="o">=</span><span class="n">real_function</span><span class="p">)</span>
 
     <span class="c1"># Use this tricks to prevent garbage collection of hook ?</span>
-    <span class="c1">#def __del__(self):</span>
-    <span class="c1">#    pass</span>
-
+    <span class="c1"># That&#39;s dirty..</span>
+    <span class="c1"># def __del__(self):</span>
+        <span class="c1"># print(&quot;HAHAHA {0}&quot;.format(self.is_enable))</span>
+        <span class="c1"># print(&quot;HELLO&quot;)</span>
 
 <span class="c1">## New simple hook API based on winproxy</span>
 <span class="k">def</span> <span class="nf">setup_hook</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">hook</span><span class="p">,</span> <span class="n">dll_to_hook</span><span class="p">):</span>

docs/build/html/_modules/windows/debug/debugger.html

@@ -500,15 +500,21 @@ <h1>Source code for windows.pe_parse</h1><div class="highlight"><pre>
         <span class="k">return</span> <span class="bp">self</span>
 
 
+<span class="k">class</span> <span class="nc">IATPtr</span><span class="p">(</span><span class="n">PVOID</span><span class="p">):</span>
+    <span class="nd">@classmethod</span>
+    <span class="k">def</span> <span class="nf">from_iatentry</span><span class="p">(</span><span class="bp">cls</span><span class="p">,</span> <span class="n">iat_entry</span><span class="p">):</span>
+        <span class="bp">self</span> <span class="o">=</span> <span class="bp">cls</span><span class="o">.</span><span class="n">from_address</span><span class="p">(</span><span class="n">iat_entry</span><span class="o">.</span><span class="n">addr</span><span class="p">)</span>
+        <span class="bp">self</span><span class="o">.</span><span class="n">addr</span> <span class="o">=</span> <span class="n">iat_entry</span><span class="o">.</span><span class="n">addr</span>
+        <span class="bp">self</span><span class="o">.</span><span class="n">nonhookvalue</span> <span class="o">=</span> <span class="n">iat_entry</span><span class="o">.</span><span class="n">nonhookvalue</span>
+        <span class="k">return</span> <span class="bp">self</span>
+
 <div class="viewcode-block" id="IATEntry"><a class="viewcode-back" href="../../process.html#windows.pe_parse.IATEntry">[docs]</a><span class="k">class</span> <span class="nc">IATEntry</span><span class="p">(</span><span class="n">ctypes</span><span class="o">.</span><span class="n">Structure</span><span class="p">):</span>
     <span class="sd">&quot;&quot;&quot;Represent an entry in the IAT of a module</span>
 <span class="sd">    Can be used to get resolved value and setup hook</span>
 <span class="sd">    &quot;&quot;&quot;</span>
     <span class="n">_fields_</span> <span class="o">=</span> <span class="p">[</span>
         <span class="p">(</span><span class="s2">&quot;value&quot;</span><span class="p">,</span> <span class="n">PVOID</span><span class="p">)]</span>
 
-
-
     <span class="nd">@classmethod</span>
     <span class="k">def</span> <span class="nf">create</span><span class="p">(</span><span class="bp">cls</span><span class="p">,</span> <span class="n">addr</span><span class="p">,</span> <span class="nb">ord</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="n">target</span><span class="p">,</span> <span class="n">transformers</span><span class="p">):</span>
         <span class="bp">self</span> <span class="o">=</span> <span class="n">transformers</span><span class="o">.</span><span class="n">create_structure_at</span><span class="p">(</span><span class="bp">cls</span><span class="p">,</span> <span class="n">addr</span><span class="p">)</span>
@@ -543,10 +549,18 @@ <h1>Source code for windows.pe_parse</h1><div class="highlight"><pre>
             <span class="k">raise</span> <span class="ne">NotImplementedError</span><span class="p">(</span><span class="s2">&quot;Setting hook in remote process (use python code injection)&quot;</span><span class="p">)</span>
 
         <span class="n">hook</span> <span class="o">=</span> <span class="n">hooks</span><span class="o">.</span><span class="n">IATHook</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">types</span><span class="p">)</span>
+        <span class="kn">import</span> <span class="nn">weakref</span>
+        <span class="bp">self</span><span class="o">.</span><span class="n">whook</span> <span class="o">=</span> <span class="n">weakref</span><span class="o">.</span><span class="n">ref</span><span class="p">(</span><span class="n">hook</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">on_destroy</span><span class="p">)</span>
         <span class="bp">self</span><span class="o">.</span><span class="n">hook</span> <span class="o">=</span> <span class="n">hook</span>
         <span class="n">hook</span><span class="o">.</span><span class="n">enable</span><span class="p">()</span></div>
         <span class="k">return</span> <span class="n">hook</span>
 
+    <span class="k">def</span> <span class="nf">on_destroy</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="o">*</span><span class="n">args</span><span class="p">):</span>
+        <span class="c1"># We cannot know if the hook was enabled here..</span>
+        <span class="nb">print</span><span class="p">(</span><span class="s2">&quot;DESTROY: </span><span class="si">{0}</span><span class="s2"> -&gt; &quot;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">args</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">enabled</span><span class="p">))</span>
+        <span class="c1"># import pdb;pdb.set_trace()</span>
+        <span class="c1"># print(args[0]())</span>
+
 <div class="viewcode-block" id="IATEntry.remove_hook"><a class="viewcode-back" href="../../process.html#windows.pe_parse.IATEntry.remove_hook">[docs]</a>    <span class="k">def</span> <span class="nf">remove_hook</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
         <span class="sd">&quot;&quot;&quot;Remove the hook on the entry&quot;&quot;&quot;</span>
         <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">hook</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
@@ -555,6 +569,11 @@ <h1>Source code for windows.pe_parse</h1><div class="highlight"><pre>
         <span class="bp">self</span><span class="o">.</span><span class="n">hook</span> <span class="o">=</span> <span class="kc">None</span></div></div>
         <span class="k">return</span> <span class="kc">True</span>
 
+    <span class="c1"># def __del__(self):</span>
+        <span class="c1"># print(self.hook)</span>
+        <span class="c1"># if self.hook:</span>
+            <span class="c1"># print(&quot;LOL BYE {0}&quot;.format(self.hook))</span>
+
 
 <span class="k">class</span> <span class="nc">IMAGE_IMPORT_DESCRIPTOR</span><span class="p">(</span><span class="n">IMAGE_IMPORT_DESCRIPTOR</span><span class="p">):</span> <span class="c1"># TODO: use explicite name winstructs.IMAGE_IMPORT_DESCRIPTOR</span>
     <span class="k">def</span> <span class="nf">get_INT</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>