Beispiel #1
import icebox

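vm = icebox.attach("win10")  # attach to the VM named "win10"


def _require(condition, message):
    """Raise RuntimeError with *message* unless *condition* is truthy.

    Used in place of ``assert`` so the guest-state checks below are not
    silently stripped when this script is run under ``python -O``.
    """
    if not condition:
        raise RuntimeError(message)


# list current processes
for proc in vm.processes():
    print("%d: %s" % (proc.pid(), proc.name()))

# the different ways of selecting a process; each call rebinds ``proc``,
# so only the last one (wait) is checked below
proc = vm.processes.current()  # get current process
proc = vm.processes.find_name("explorer.exe")  # get explorer.exe
proc = vm.processes.find_name("Taskmgr.exe", icebox.flags_x86)
proc = vm.processes.find_pid(4)  # get process by pid
proc = vm.processes.wait("Taskmgr.exe")  # get or wait for process to begin

# sanity checks on the process returned by wait(); raised explicitly rather
# than asserted so they cannot be optimised away
_require(proc.is_valid(), "wait() did not return a valid process")
_require(proc.name() == "Taskmgr.exe", "unexpected process name")
_require(proc.pid() > 0, "unexpected pid")
_require(proc.flags() == icebox.flags_x86, "process flags differ from icebox.flags_x86")
_require(proc.parent(), "process has no parent")

# NOTE(review): rip is read right after join_kernel()/join_user(); presumably
# they move the VM context to the process's kernel/user side -- confirm
# against the icebox docs
proc.join_kernel()
print(hex(vm.registers.rip))

proc.join_user()
print(hex(vm.registers.rip))

counter = icebox.counter()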


def on_create(proc):
    """Print a newly seen process as ``+ <pid>: <name>``.

    Presumably registered as a process-creation callback (the registration
    is not in this excerpt). Only ``proc.pid()`` and ``proc.name()`` are
    read; nothing is returned.
    """
    line = "+ {:d}: {}".format(proc.pid(), proc.name())
    print(line)
Beispiel #2
import icebox

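vm = icebox.attach("win10")  # attach to vm named "win10"
proc = vm.processes.find_name("dwm.exe")  # find process named 'dwm'
# find_name() looks up whatever is running now (compare processes.wait());
# fail loudly if dwm.exe is absent instead of dereferencing a missing process
# below. The exact "not found" value -- None or an invalid process object --
# should be confirmed against the icebox API; both cases are covered here.
if proc is None or not proc.is_valid():
    raise RuntimeError("dwm.exe not found in guest")
print("%s pid:%d" % (proc.name(), proc.pid()))
for mod in ["kernel32", "kernelbase"]:
    proc.symbols.load_module(mod)  # load some symbols

counter = icebox.counter()  # run the vm until we've updated this counter twice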


def dump_callstack():  # dump the current proc callstack
    """Print the current call stack of ``proc`` and bump ``counter``.

    Invoked from the breakpoint set below; reads the module-level ``proc``
    and ``counter``. Each frame address is rendered through
    ``proc.symbols.string`` before printing.
    """
    print()  # blank separator line before each dump
    frames = map(proc.symbols.string, proc.callstack())
    for frame in frames:
        print(frame)
    counter.add()  # one more dump completed


# set a breakpoint on ntdll!NtWaitForSingleObject
breakpoint_ctx = vm.break_on_process(proc, "ntdll!NtWaitForSingleObject", dump_callstack)
with breakpoint_ctx:
    # keep running the vm until dump_callstack has fired twice
    while True:
        if counter.read() >= 2:
            break
        vm.exec()