def main(argv):
print "Hex dumper using WinAppDbg"
print "by Mario Vilas (mvilas at gmail.com)"
print
if len(argv) != 2:
import os
script = os.path.basename(argv[0])
print " %s <filename>" % script
return
with open(argv[1], "rb") as fd:
fd.seek(0, 2)
size = fd.tell()
fd.seek(0, 0)
if bit_length(size) > 32:
width = 8
else:
width = 16
address = 0
while 1:
data = fd.read(16)
if not data:
break
print HexDump.hexblock(data, address=address, width=width),
address = address + len(data)
def main():
print "Process memory reader"
print "by Mario Vilas (mvilas at gmail.com)"
print
if len(sys.argv) not in (4, 5):
script = os.path.basename(sys.argv[0])
print " %s <pid> <address> <size> [binary output file]" % script
print " %s <process.exe> <address> <size> [binary output file]" % script
return
System.request_debug_privileges()
try:
pid = HexInput.integer(sys.argv[1])
except:
s = System()
s.scan_processes()
pl = s.find_processes_by_filename(sys.argv[1])
if not pl:
print "Process not found: %s" % sys.argv[1]
return
if len(pl) > 1:
print "Multiple processes found for %s" % sys.argv[1]
for p, n in pl:
print "\t%s: %s" % (HexDump.integer(p), n)
return
pid = pl[0][0].get_pid()
try:
address = HexInput.integer(sys.argv[2])
except Exception:
print "Invalid value for address: %s" % sys.argv[2]
return
try:
size = HexInput.integer(sys.argv[3])
except Exception:
print "Invalid value for size: %s" % sys.argv[3]
return
p = Process(pid)
data = p.read(address, size)
## data = p.peek(address, size)
print "Read %d bytes from PID %d" % (len(data), pid)
if len(sys.argv) == 5:
filename = sys.argv[4]
open(filename, 'wb').write(data)
print "Written %d bytes to %s" % (len(data), filename)
else:
if win32.sizeof(win32.LPVOID) == win32.sizeof(win32.DWORD):
width = 16
else:
width = 8
print
print HexDump.hexblock(data, address, width=width)
def main():
print "Process memory reader"
print "by Mario Vilas (mvilas at gmail.com)"
print
if len(sys.argv) not in (4, 5):
script = os.path.basename(sys.argv[0])
print " %s <pid> <address> <size> [binary output file]" % script
print " %s <process.exe> <address> <size> [binary output file]" % script
return
System.request_debug_privileges()
try:
pid = HexInput.integer(sys.argv[1])
except:
s = System()
s.scan_processes()
pl = s.find_processes_by_filename(sys.argv[1])
if not pl:
print "Process not found: %s" % sys.argv[1]
return
if len(pl) > 1:
print "Multiple processes found for %s" % sys.argv[1]
for p,n in pl:
print "\t%s: %s" % (HexDump.integer(p),n)
return
pid = pl[0][0].get_pid()
try:
address = HexInput.integer(sys.argv[2])
except Exception:
print "Invalid value for address: %s" % sys.argv[2]
return
try:
size = HexInput.integer(sys.argv[3])
except Exception:
print "Invalid value for size: %s" % sys.argv[3]
return
p = Process(pid)
data = p.read(address, size)
## data = p.peek(address, size)
print "Read %d bytes from PID %d" % (len(data), pid)
if len(sys.argv) == 5:
filename = sys.argv[4]
open(filename, 'wb').write(data)
print "Written %d bytes to %s" % (len(data), filename)
else:
if win32.sizeof(win32.LPVOID) == win32.sizeof(win32.DWORD):
width = 16
else:
width = 8
print
print HexDump.hexblock(data, address, width = width)
def check_args_callback(event):
'''
This will be called when our breakpoint is hit. Checks if our string is a parameter.
@param event: Event information, dear Watson.
@todo: dereference the values in registers as well {eax, ebx, ecx, esi, edi}
'''
nrOfArguments = 5 # TODO: Take this parameter from IDA
MAX_USERSPACE_ADDRESS = 0x7FFFFFFF
MIN_USERSPACE_ADDRESS = 0x1000
MAX_ARGUMENT_LEN = 100 # somehow arbitrary
process = event.get_process()
thread = event.get_thread()
Eip = thread.get_pc()
Esp = thread.get_context()['Esp']
stackAddress = Esp + 4
for idx in xrange(nrOfArguments):
stackAddress += idx * 4
# Dereference at address and look for searchPattern
# NOTE: read() returns a string, not a number (unpack does the trick)
suspectedPointer = struct.unpack('<L', process.read(stackAddress, 4))[0]
if suspectedPointer > MIN_USERSPACE_ADDRESS and suspectedPointer < MAX_USERSPACE_ADDRESS:
try:
possibleString = process.read(suspectedPointer, MAX_ARGUMENT_LEN) # This is already a string, cool
if searchPattern in possibleString:
if Eip not in logged_functions:
logged_functions.append(Eip)
print "[*] Found! %s is the parameter nr. %d of %08x" % (searchPattern, idx + 1, Eip)
fd.write("[*] Found! %s is the %d parameter of %08x\n" % (searchPattern, idx + 1, Eip))
fd.write("%s\n" % HexDump.hexblock(possibleString, suspectedPointer))
except KeyboardInterrupt:
fd.close()
sys.exit(1)
except:
# Access violation. Log only by debugging (huge overhead due to I/O)
pass
# Let's search for the string in UNICODE
possibleStringU = process.peek_string(suspectedPointer, fUnicode = True)
if searchPattern in possibleStringU:
if searchPattern in possibleString:
if Eip not in logged_functions:
logged_functions.append(Eip)
print "[*] Found! %s is the parameter nr. %d of %08x" % (searchPattern, idx + 1, Eip)
fd.write("[*] Found! %s is the %d parameter of %08x\n" % (searchPattern, idx + 1, Eip))
fd.write("%s\n" % HexDump.hexblock(possibleString, suspectedPointer))
def scanBtnClk(self):
if hack == None: return
text = str(self.searchtext.toPlainText())
if text.strip() == '': return
self.searchlistwidget.clear()
if valuetype == 'byte':
num = memprc.d2h(int(text), 1)
if valuetype == '2byte':
num = memprc.d2h(int(text), 2)
if valuetype == '4bytes':
num = memprc.d2h(int(text), 4)
if valuetype == '8bytes':
num = memprc.d2h(int(text), 8)
if valuetype == 'String':
pass
#num = memprc.d2h(int(text), 4)
result = hack.hwnd.search_hexa(num, hack.base_address,
hack.last_address)
cnt = 0
for address, data in result:
item = QtGui.QListWidgetItem(self.searchlistwidget)
item.setText(HexDump.hexblock(data, address=address))
#print HexDump.hexblock(data, address=address)
cnt += 1
self.searchcntlabel.setText(str(cnt))
def main(argv):
print("Hex dumper using WinAppDbg")
print("by Mario Vilas (mvilas at gmail.com)")
print()
if len(argv) != 2:
import os
script = os.path.basename(argv[0])
print(" %s <filename>" % script)
return
with open(argv[1], 'rb') as fd:
fd.seek(0, 2)
size = fd.tell()
fd.seek(0, 0)
if bit_length(size) > 32:
width = 8
else:
width = 16
address = 0
while 1:
data = fd.read(16)
if not data:
break
print(HexDump.hexblock(data, address=address, width=width),
end=' ')
address = address + len(data)
def wildcard_search(pid, pattern):
#
# Hex patterns must be in this form:
# "68 65 6c 6c 6f 20 77 6f 72 6c 64" # "hello world"
#
# Spaces are optional. Capitalization of hex digits doesn't matter.
# This is exactly equivalent to the previous example:
# "68656C6C6F20776F726C64" # "hello world"
#
# Wildcards are allowed, in the form of a "?" sign in any hex digit:
# "5? 5? c3" # pop register / pop register / ret
# "b8 ?? ?? ?? ??" # mov eax, immediate value
#
# Instance a Process object.
process = Process(pid)
# Search for the hexadecimal pattern in the process memory.
for address, data in process.search_hexa(pattern):
# Print a hex dump for each memory location found.
print HexDump.hexblock(data, address=address)
def wildcard_search( pid, pattern ):
#
# Hex patterns must be in this form:
# "68 65 6c 6c 6f 20 77 6f 72 6c 64" # "hello world"
#
# Spaces are optional. Capitalization of hex digits doesn't matter.
# This is exactly equivalent to the previous example:
# "68656C6C6F20776F726C64" # "hello world"
#
# Wildcards are allowed, in the form of a "?" sign in any hex digit:
# "5? 5? c3" # pop register / pop register / ret
# "b8 ?? ?? ?? ??" # mov eax, immediate value
#
# Instance a Process object.
process = Process( pid )
# Search for the hexadecimal pattern in the process memory.
for address, data in process.search_hexa( pattern ):
# Print a hex dump for each memory location found.
print HexDump.hexblock(data, address = address)
def message(self, pid, address, data=None):
if self.start < 0:
raise StopIteration
count = self.count + 1 # NOQA
address = address + self.start
where = HexDump.address(address) # NOQA
size = self.end - self.start # NOQA
msg = self.showfmt % vars()
if data is not None:
msg += "\n"
p = self.start & (~0xF)
q = (self.end & (~0xF)) + 0x10
msg += HexDump.hexblock(data[p:q], address & (~0xF))
if msg.endswith('\n'):
msg = msg[:-len('\n')]
return msg
def action_callback_create_process(event):
print('hit break')
global c2_list, cfg, rsa_pub_key
process = event.get_process()
thread = event.get_thread()
# Get the address of the top of the stack.
stack = thread.get_sp()
# Get the return address of the call.
ret_address = process.read_pointer(stack)
print('caller addr:{:08x}'.format(ret_address))
# Get the process and thread IDs.
pid = event.get_pid()
tid = event.get_tid()
extract_done = False
failed_reason = 'unknown'
max_c2_counter = 400
shell_data = 0
sig_addr_list = []
for address, data in process.search_hexa('68 00 80 00 00 6a 6a 68'):
# Print a hex dump for each memory location found.
if ret_address & 0xFFFF0000 == address & 0xFFFF0000:
print('hit sig at:')
print(HexDump.hexblock(data, address=address))
sig_addr_list.append(address)
memoryMap = process.get_memory_map()
mappedFilenames = process.get_mapped_filenames(memoryMap)
# For each memory block in the map...
for mbi in memoryMap:
# Address and size of memory block.
BaseAddress = mbi.BaseAddress
RegionSize = mbi.RegionSize
for address in sig_addr_list:
if address > BaseAddress and address < BaseAddress + RegionSize:
print('Hit shell code block!\n{:08x}\t{:08x}'.format(
BaseAddress, RegionSize))
shell_data = process.read(BaseAddress, RegionSize)
# no hit, just kill and return
if shell_data != 0:
# dump shell code block
print('dump shell code!')
with open('shell.dump', 'wb') as fh:
fh.write(shell_data)
# dump final payload
dump_pe_path = 'pe.dump'
pe_offset = shell_data.find('\x4D\x5A\x90')
print('dump final payload!')
with open(dump_pe_path, 'wb') as fh:
fh.write(shell_data[pe_offset:])
print('\n-----------------------------')
c2_list, rsa_pub_key = extract_ioc(dump_pe_path, 0x400000)
print('\nc2 list:')
for c2 in c2_list:
print('{}'.format(c2))
print('\nrsa key:\n{}'.format(rsa_pub_key))
# Show a message to the user.
message = "kernel32!CreateProcessW called from %s by thread %d at process %d"
print message % (HexDump.address(ret_address,
process.get_bits()), tid, pid)
process.kill()
