proc = vm.processes.find_pid(4) # get process by pid proc = vm.processes.wait("Taskmgr.exe") # get or wait for process to begin assert(proc.is_valid()) assert(proc.name() == "Taskmgr.exe") assert(proc.pid() > 0) assert(proc.flags() == icebox.flags_x86) assert(proc.parent()) proc.join_kernel() print(hex(vm.registers.rip)) proc.join_user() print(hex(vm.registers.rip)) counter = icebox.counter() def on_create(proc): print("+ %d: %s" % (proc.pid(), proc.name())) counter.add() def on_delete(proc): print("- %d: %s" % (proc.pid(), proc.name())) counter.add() # put breakpoints on process creation & deletion with vm.processes.break_on_create(on_create): with vm.processes.break_on_delete(on_delete):
import icebox vm = icebox.attach("win10") # attach to vm named "win10" proc = vm.processes.find_name("dwm.exe") # find process named 'dwm' print("%s pid:%d" % (proc.name(), proc.pid())) for mod in ["kernel32", "kernelbase"]: proc.symbols.load_module(mod) # load some symbols counter = icebox.counter() # run the vm until we've updated this counter twice def dump_callstack(): # dump the current proc callstack print() # skip a line for addr in proc.callstack(): # read current dwm.exe callstack print(proc.symbols.string(addr)) # convert & print callstack address counter.add() # update counter # set a breakpoint on ntdll!NtWaitForSingleObject with vm.break_on_process(proc, "ntdll!NtWaitForSingleObject", dump_callstack): while counter.read() < 2: # run until dump_callstack is called twice vm.exec()