def print_state( process_name ):
# Request debug privileges.
System.request_debug_privileges()
# Find the first process that matches the requested name.
system = System()
process, filename = system.find_processes_by_filename( process_name )[ 0 ]
# Suspend the process execution.
process.suspend()
try:
# For each thread in the process...
for thread in process.iter_threads():
# Get the thread state.
tid = thread.get_tid()
eip = thread.get_pc()
code = thread.disassemble_around( eip )
context = thread.get_context()
# Display the thread state.
print
print "-" * 79
print "Thread: %s" % HexDump.integer( tid )
print
print CrashDump.dump_registers( context )
print CrashDump.dump_code( code, eip ),
print "-" * 79
# Resume the process execution.
finally:
process.resume()
def print_thread_disassembly(tid):
# Request debug privileges.
System.request_debug_privileges()
# Instance a Thread object.
thread = Thread(tid)
# Suspend the thread execution.
thread.suspend()
# Get the thread's currently running code.
try:
eip = thread.get_pc()
code = thread.disassemble_around(eip)
# You can also do this:
# code = thread.disassemble_around_pc()
# Or even this:
# process = thread.get_process()
# code = process.disassemble_around( eip )
# Resume the thread execution.
finally:
thread.resume()
# Display the disassembled code.
print
print CrashDump.dump_code(code, eip),
def print_thread_disassembly( tid ):
# Request debug privileges.
System.request_debug_privileges()
# Instance a Thread object.
thread = Thread( tid )
# Suspend the thread execution.
thread.suspend()
# Get the thread's currently running code.
try:
eip = thread.get_pc()
code = thread.disassemble_around( eip )
# You can also do this:
# code = thread.disassemble_around_pc()
# Or even this:
# process = thread.get_process()
# code = process.disassemble_around( eip )
# Resume the thread execution.
finally:
thread.resume()
# Display the disassembled code.
print
print CrashDump.dump_code( code, eip ),
def print_thread(title, thread):
tid = thread.get_tid()
eip = thread.get_pc()
context = thread.get_context()
handle = thread.get_handle()
code = thread.disassemble_around(eip)
print("%s %s - %s " % (title, HexDump.integer(tid), handle))
print CrashDump.dump_registers(context)
print CrashDump.dump_code(code, eip),
def access_violation(self, evt):
thread = evt.get_thread()
tid = thread.get_tid()
code = thread.disassemble_around_pc()
context = thread.get_context()
print
print "-" * 79
print "Thread: %s" % HexDump.integer(tid)
print
print CrashDump.dump_registers(context)
print CrashDump.dump_code(code)
print "-" * 79
def single_step(self, evt):
if not self.crash_encountered:
return
print "single step"
proc = evt.get_process()
if self.instruction_count == MAX_INSTRUCTIONS:
evt.debug.stop_tracing_process(proc.get_pid())
else:
thread = evt.get_thread()
pc = thread.get_pc()
code = proc.disassemble(pc, 0x10)
print CrashDump.dump_code(code, pc)
self.instruction_count += 1
def print_thread_disassembly(tid):
System.request_debug_privileges()
thread = Thread(tid)
thread.suspend()
try:
eip = thread.get_pc()
code = thread.disassemble_around(eip)
#or code = thread.disassemble_around_pc()
#or process = thread.get_process()
# code = process.disassemble_around(eip)
finally:
thread.resume()
print
print CrashDump.dump_code(code, eip)
def pre_Sleep(event):
thread = event.get_thread()
process = event.get_process()
print "Intercepted Sleep call of %d milliseconds"
print_module_load(event)
code, eip = dump_thread_range(thread)
print CrashDump.dump_code(code, eip)
n = 10000
#kernel32!start+0xd52c6
# Access first parameter on the stack: EBP + 4
stack_offset = thread.get_sp() + 4
# Write the new value at that address (e.g. 0 milliseconds)
process.write_dword(stack_offset, n)
offset = 0
try:
size = HexInput.integer(argv[3])
except IndexError:
size = 0
try:
arch = argv[4]
except IndexError:
arch = None
try:
engine = argv[5]
except IndexError:
engine = None
# Load the requested disassembler engine.
disasm = Disassembler(arch, engine)
# Load the binary code.
with open(filename, 'rb') as fd:
fd.seek(offset)
if size:
code = fd.read(size)
else:
code = fd.read()
# Disassemble the code.
disassembly = disasm.decode(offset, code)
# Show the disassembly.
print CrashDump.dump_code(disassembly, offset)
offset = 0
try:
size = HexInput.integer( argv[3] )
except IndexError:
size = 0
try:
arch = argv[4]
except IndexError:
arch = None
try:
engine = argv[5]
except IndexError:
engine = None
# Load the requested disassembler engine.
disasm = Disassembler( arch, engine )
# Load the binary code.
with open( filename, 'rb' ) as fd:
fd.seek( offset )
if size:
code = fd.read( size )
else:
code = fd.read()
# Disassemble the code.
disassembly = disasm.decode( offset, code )
# Show the disassembly.
print CrashDump.dump_code( disassembly, offset )
