#!only_win32
#-----------------------------------------------+
#                      ._____________________.  |
#   Coded by slav0nic  | slav0nic0@gmail.com |  |    
#                      ^---------------------^  |
# Site: slav0nic.xss.ru                         |
#-----------------------------------------------+
# sl_win_findjsp
# Searches DLL libraries for the addresses of "jmp esp" / "call esp" instructions
#ps: for python "exploiters/shellcoders" :)

def help_():
    """Print the command-line usage text to stdout; returns None."""
    usage = ("\nUsage: sl_win_findjsp.py [library_name]\n\n"
             "        For analysing all libraries (from lib_name) run without parametrs\n"
             "        ")
    print(usage)
    
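import sys
try:
    import platform             # python >= 2.3; only used for the OS release shown in the banner
    release = platform.release()
except Exception:               # narrowed from a bare except so SystemExit/KeyboardInterrupt propagate
    release = "Unknown"
import locale
try:
    from ctypes import *        # provides windll, c_char_p, c_ulong, byref used further down
except ImportError:             # a missing module is the only failure this fallback is meant for
    print("[-]ctypes module needed")
    print("Download:  http://starship.python.net/crew/theller/ctypes/")
    sys.exit(1)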

###############__DEFAULT_CONFIG__############################
lib_name=("comctl32.dll",
          "netapi32.dll",
          "kernel32.dll",
          "advapi32.dll",
          "user32.dll",
          "msvcrt.dll",
          "ws2_32.dll",
          "gdi32.dll"                              
          )
find={"\xff\xd4":"call esp", "\xff\xe4":"jmp esp"}  #format: {instruction : comment}
#!!!! instruction <= "\xff\xff" (2 bytes) & lower case :)
#####################################################
inst=0
PROCESS_ALL_ACCESS = 0x1F0FFF
#import functions from dlls##########################
OpenProcess = windll.kernel32.OpenProcess
ReadProcessMemory = windll.kernel32.ReadProcessMemory
CloseHandle = windll.kernel32.CloseHandle
#####################################################

# Optional single argument: "-h" prints usage and exits, anything else
# replaces the default library tuple with that one library.
if len(sys.argv) > 1:
    if sys.argv[1] == "-h":
        help_()
        sys.exit(0)
    lib_name = (sys.argv[1],)
    print(lib_name)
 
# Banner inputs: Windows version tuple and the first three letters of the
# default locale name, upper-cased (e.g. "ENG" from "en_US" style names).
win_ver = sys.getwindowsversion()
win_lang = locale.getdefaultlocale()[0][:3].upper()
# The scan runs against this process's own memory: every library is loaded
# here with LoadLibraryA and read back through ReadProcessMemory on our pid.
pid = windll.kernel32.GetCurrentProcessId()
buffer = c_char_p("_"*2)        # two-byte read window (NOTE: shadows the `buffer` builtin)
bytesRead = c_ulong(0)          # filled in by ReadProcessMemory with the count actually read
bufferSize =  len(buffer.value) # == 2, which is why patterns in `find` are limited to 2 bytes
print "MS %s %s %s %i.%i.%i %s\n"\
    %(sys.platform.capitalize(),release,win_lang,win_ver[0],win_ver[1],win_ver[2],win_ver[4])
processHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
for i in range(len(lib_name)):
    # LoadLibraryA's return value is used as the starting address of the scan;
    # 0 means the load failed.
    address = windll.kernel32.LoadLibraryA(lib_name[i])
    if not address:
        print "[-]Can't load lib %s"%lib_name[i]
        # NOTE(review): `break` abandons all remaining libraries after one failed
        # load; `continue` would scan the rest. Left as-is, may be intentional.
        break       
    # "\." is not a recognised escape, so a literal backslash-dot is printed.
    print "%s[0x%x]\n\t\."%(lib_name[i],address)
    while(1):
        # Read two bytes at `address`; the only way out of this loop is a failed
        # read, which is treated as the end of the readable region.
        if ReadProcessMemory(processHandle, address, buffer, bufferSize, byref(bytesRead)):
            pass
        else:
           #print "\t|[!debug]End scan addr=%x"%address
            print "\t|"+"-"*25
            break
        # Python 2 only: dict.keys() returns a list here, so indexing works.
        for j in range(len(find)):
            # Whole pattern inside the current two-byte window.
            if (find.keys()[j] in  buffer.value):
                 print "\t|[+] [0x%x] %s"%(address,find.get(find.keys()[j]))
                 inst += 1
                 #print  "\t|[debug] opcode %r"%buffer.value
            # Pattern straddling two reads: its first byte was the last byte of
            # the previous window (tmpbuf) and its second byte starts this one,
            # hence the reported address is one less than the current window.
            # NOTE(review): tmpbuf is only bound at the bottom of the loop body,
            # so this branch raises NameError on the very first read if the
            # first comparison is true.
            elif ((buffer.value[:1]==find.keys()[j][1]) and  (tmpbuf[1:]==find.keys()[j][0])):                                            
                 print "\t|[+] [0x%x] %s"%(address-1,find.get(find.keys()[j]))  # repr(buffer.value)
                 inst += 1
        tmpbuf = buffer.value #previous buffer, kept for the straddling check above
        address += bytesRead.value  # advance by what was actually read, not by bufferSize

CloseHandle(processHandle)
print "[!]Founded %i addresses"%inst


