def main(): parser = argparse.ArgumentParser(description="WinAppDbg stuff.") # Make -r and -pid mutually exclusive group = parser.add_mutually_exclusive_group() group.add_argument("-r", "--run", nargs="+", help="path to application followed by parameters") group.add_argument("-pid", "--attach-pid", type=int, dest="pid", help="pid of process to attach and instrument") group.add_argument("-pname", "--attach-process-name", dest="pname", help="pid of process to attach and instrument") parser.add_argument("-i", "--sysinfo", action="store_true", help="print system information") # Add optional log file parser.add_argument("-o", "--output", dest="output", help="log filename") args = parser.parse_args() # Setup logging # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1766 # Log to file global logger if args.output: # verbose=False disables printing to stdout logger = winappdbg.Logger(args.output, verbose=False) else: logger = winappdbg.Logger() if (args.run): # Concat all arguments into a string myargs = " ".join(args.run) # Use Win32 API functions provided by WinAppDbg if win32.PathFileExists(args.run[0]) is True: # File exists # Create a Debug object debug = winappdbg.Debug() try: # We will talk about this in a minute # Debug the app # debug.execv([args.app]) # execl: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L358 my_process = debug.execl(myargs) logger.log_text("Started %d - %s" % (my_process.get_pid(), my_process.get_filename())) # Keep debugging until the debugger stops debug.loop() finally: # Stop the debugger debug.stop() logger.log_text("Debugger stopped.") else: logger.log_text("%s not found." % (args.run[0])) exit() if(args.sysinfo): # Create a System object # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66 system = winappdbg.System() # Use the built-in WinAppDbg table # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094 table = winappdbg.Table("\t") # New line table.addRow("", "") # Header title = ("System Information", "") table.addRow(*title) # Add system information table.addRow("------------------") table.addRow("Bits", system.bits) table.addRow("OS", system.os) table.addRow("Architecture", system.arch) table.addRow("32-bit Emulation", system.wow64) table.addRow("Admin", system.is_admin()) table.addRow("WinAppDbg", winappdbg.version) table.addRow("Process Count", system.get_process_count()) logger.log_text(table.getOutput()) exit() if (args.pid): system = winappdbg.System() # Get all pids pids = system.get_process_ids() if args.pid in pids: # pid exists # Create a Debug object debug = winappdbg.Debug() try: # Attach to pid # attach: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L219 my_process = debug.attach(args.pid) logger.log_text("Attached to %d - %s" % (my_process.get_pid(), my_process.get_filename())) # Keep debugging until the debugger stops debug.loop() finally: # Stop the debugger debug.stop() logger.log_text("Debugger stopped.") else: logger.log_text("pid %d not found." % (args.pid)) exit() # find a process by name and attach to it if (args.pname): debug = winappdbg.Debug() # example 3: # https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py try: debug.system.scan() for (process, name) in debug.system.find_processes_by_filename(args.pname): logger.log_text("Found %d, %s" % (process.get_pid(), process.get_filename())) debug.attach(process.get_pid()) logger.log_text("Attached to %d-%s" % (process.get_pid(), process.get_filename())) debug.loop() finally: # Stop the debugger debug.stop() print "Debugger stopped." exit() # If no arguments, logger.log_text(running processes system = winappdbg.System() # We can reuse example 02 from the docs # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes table = winappdbg.Table("\t") table.addRow("", "") header = ("pid", "process") table.addRow(*header) table.addRow("----", "----------") processes = {} # Add all processes to a dictionary then sort them by pid for process in system: processes[process.get_pid()] = process.get_filename() # Iterate through processes sorted by pid for key in sorted(processes.iterkeys()): table.addRow(key, processes[key]) logger.log_text(table.getOutput())
def main(): parser = argparse.ArgumentParser(description="WinAppDbg stuff.") # Make -r and -pid mutually exclusive group = parser.add_mutually_exclusive_group() group.add_argument("-r", "--run", nargs="+", help="path to application followed by parameters") group.add_argument("-pid", "--attach-pid", type=int, dest="pid", help="pid of process to attach and instrument") group.add_argument("-pname", "--attach-process-name", dest="pname", help="pid of process to attach and instrument") parser.add_argument("-i", "--sysinfo", action="store_true", help="print system information") # Add optional log file parser.add_argument("-o", "--output", dest="output", help="log filename") args = parser.parse_args() # Setup logging # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1766 global 1 if args.output: # verbose=False disables printing to stdout mylogger = winappdbg.Logger(args.output, verbose=False) else: mylogger = winappdbg.Logger() # Create an instance of our eventhandler class myeventhandler = DebugEvents() if (args.run): try: myutil = winapputil.WinAppUtil(cmd=args.run, eventhandler=myeventhandler, logger=mylogger) debug = myutil.debug() debug.loop() except winapputil.DebugError as error: mylogger.log_text("Exception in %s: %s" % (error.pid_pname, error.msg)) except KeyboardInterrupt: debug.stop() mylogger.log_text("Killed process") elif args.pid: try: myutil = winapputil.WinAppUtil(pid_pname=args.pid, logger=mylogger, eventhandler=myeventhandler, attach=True) debug = myutil.debug() debug.loop() except winapputil.DebugError as error: mylogger.log_text("Exception in %s: %s" % (error.pid_pname, error.msg)) except KeyboardInterrupt: debug.stop() mylogger.log_text("Killed process") elif args.pname: try: myutil = winapputil.WinAppUtil(pid_pname=args.pname, logger=mylogger, eventhandler=myeventhandler, attach=True) debug = myutil.debug() debug.loop() except winapputil.DebugError as error: mylogger.log_text("Exception in %s: %s" % (error.pid_pname, error.msg)) except KeyboardInterrupt: debug.stop() mylogger.log_text("Killed process") elif args.sysinfo: myutil = winapputil.WinAppUtil() print (myutil.sysinfo()) else: myutil = winapputil.WinAppUtil() print (myutil.get_processes()) pass
import winappdbg import threading import time import winapputil global key, memory_snapshot, context_snapshot, first_time, memory_blob mylogger = winappdbg.Logger() # Takes a memory snapshot of the process and returns it def get_memory(event): myProcess = event.get_process() myProcess.suspend() # take_memory_snapshot: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/process.py#L3261 memory = myProcess.take_memory_snapshot() myProcess.resume() return memory # Restores the memory snapshot of the process def set_memory(event, memory): myProcess = event.get_process() myProcess.suspend() # restore_memory_snapshot: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/process.py#L3301 # bSkipMappedFiles: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/process.py#L3317 myProcess.restore_memory_snapshot(memory, bSkipMappedFiles=True) myProcess.resume()