Beispiel #1
0
proc = vm.processes.find_pid(4)  # get process by pid
proc = vm.processes.wait("Taskmgr.exe")  # get or wait for process to begin

assert(proc.is_valid())
assert(proc.name() == "Taskmgr.exe")
assert(proc.pid() > 0)
assert(proc.flags() == icebox.flags_x86)
assert(proc.parent())

proc.join_kernel()
print(hex(vm.registers.rip))

proc.join_user()
print(hex(vm.registers.rip))

counter = icebox.counter()


def on_create(proc):
    print("+ %d: %s" % (proc.pid(), proc.name()))
    counter.add()


def on_delete(proc):
    print("- %d: %s" % (proc.pid(), proc.name()))
    counter.add()


# put breakpoints on process creation & deletion
with vm.processes.break_on_create(on_create):
    with vm.processes.break_on_delete(on_delete):
Beispiel #2
0
import icebox

vm = icebox.attach("win10")  # attach to vm named "win10"
proc = vm.processes.find_name("dwm.exe")  # find process named 'dwm'
print("%s pid:%d" % (proc.name(), proc.pid()))
for mod in ["kernel32", "kernelbase"]:
    proc.symbols.load_module(mod)  # load some symbols

counter = icebox.counter()  # run the vm until we've updated this counter twice


def dump_callstack():  # dump the current proc callstack
    print()  # skip a line
    for addr in proc.callstack():  # read current dwm.exe callstack
        print(proc.symbols.string(addr))  # convert & print callstack address
    counter.add()  # update counter


# set a breakpoint on ntdll!NtWaitForSingleObject
with vm.break_on_process(proc, "ntdll!NtWaitForSingleObject", dump_callstack):
    while counter.read() < 2:  # run until dump_callstack is called twice
        vm.exec()