def print_thread_disassembly( tid ): # Request debug privileges. System.request_debug_privileges() # Instance a Thread object. thread = Thread( tid ) # Suspend the thread execution. thread.suspend() # Get the thread's currently running code. try: eip = thread.get_pc() code = thread.disassemble_around( eip ) # You can also do this: # code = thread.disassemble_around_pc() # Or even this: # process = thread.get_process() # code = process.disassemble_around( eip ) # Resume the thread execution. finally: thread.resume() # Display the disassembled code. print print CrashDump.dump_code( code, eip ),
def print_state( process_name ): # Request debug privileges. System.request_debug_privileges() # Find the first process that matches the requested name. system = System() process, filename = system.find_processes_by_filename( process_name )[ 0 ] # Suspend the process execution. process.suspend() try: # For each thread in the process... for thread in process.iter_threads(): # Get the thread state. tid = thread.get_tid() eip = thread.get_pc() code = thread.disassemble_around( eip ) context = thread.get_context() # Display the thread state. print print "-" * 79 print "Thread: %s" % HexDump.integer( tid ) print print CrashDump.dump_registers( context ) print CrashDump.dump_code( code, eip ), print "-" * 79 # Resume the process execution. finally: process.resume()
def print_thread_disassembly(tid): # Request debug privileges. System.request_debug_privileges() # Instance a Thread object. thread = Thread(tid) # Suspend the thread execution. thread.suspend() # Get the thread's currently running code. try: eip = thread.get_pc() code = thread.disassemble_around(eip) # You can also do this: # code = thread.disassemble_around_pc() # Or even this: # process = thread.get_process() # code = process.disassemble_around( eip ) # Resume the thread execution. finally: thread.resume() # Display the disassembled code. print print CrashDump.dump_code(code, eip),
def __dump(self, event, label = None): thread = event.get_thread() trace = thread.get_stack_trace_with_labels() ctx = thread.get_context(win32.CONTEXT_FULL) if not label: label = thread.get_label_at_pc() print label print CrashDump.dump_registers(ctx) print CrashDump.dump_stack_trace_with_labels(trace), print "-" * 79
def __dump(self, event, label=None): thread = event.get_thread() trace = thread.get_stack_trace_with_labels() ctx = thread.get_context(win32.CONTEXT_FULL) if not label: label = thread.get_label_at_pc() print(label) print(CrashDump.dump_registers(ctx)) print(CrashDump.dump_stack_trace_with_labels(trace), ) print("-" * 79)
def print_thread(title, thread): tid = thread.get_tid() eip = thread.get_pc() context = thread.get_context() handle = thread.get_handle() code = thread.disassemble_around(eip) print("%s %s - %s " % (title, HexDump.integer(tid), handle)) print CrashDump.dump_registers(context) print CrashDump.dump_code(code, eip),
def access_violation(self, evt): thread = evt.get_thread() tid = thread.get_tid() code = thread.disassemble_around_pc() context = thread.get_context() print print "-" * 79 print "Thread: %s" % HexDump.integer(tid) print print CrashDump.dump_registers(context) print CrashDump.dump_code(code) print "-" * 79
def print_thread_context(tid): System.request_debug_privileges() thread = Thread(tid) thread.suspend() try: context = thread.get_context() finally: thread.resume() print print CrashDump.dump_registers(context)
def single_step(self, evt): if not self.crash_encountered: return print "single step" proc = evt.get_process() if self.instruction_count == MAX_INSTRUCTIONS: evt.debug.stop_tracing_process(proc.get_pid()) else: thread = evt.get_thread() pc = thread.get_pc() code = proc.disassemble(pc, 0x10) print CrashDump.dump_code(code, pc) self.instruction_count += 1
def print_thread_disassembly(tid): System.request_debug_privileges() thread = Thread(tid) thread.suspend() try: eip = thread.get_pc() code = thread.disassemble_around(eip) #or code = thread.disassemble_around_pc() #or process = thread.get_process() # code = process.disassemble_around(eip) finally: thread.resume() print print CrashDump.dump_code(code, eip)
def danger_handler(self, evt): thread = evt.get_thread() proc = evt.get_process() pc = thread.get_pc() registers = thread.get_context() if pc in self.resolved_funcs: print "[*] hit %s" % self.resolved_funcs[pc] CrashDump.dump_registers(registers) # record process memory try: proc.suspend() self.snapshot = proc.take_memory_snapshot() finally: proc.resume()
def pre_Sleep(event): thread = event.get_thread() process = event.get_process() print "Intercepted Sleep call of %d milliseconds" print_module_load(event) code, eip = dump_thread_range(thread) print CrashDump.dump_code(code, eip) n = 10000 #kernel32!start+0xd52c6 # Access first parameter on the stack: EBP + 4 stack_offset = thread.get_sp() + 4 # Write the new value at that address (e.g. 0 milliseconds) process.write_dword(stack_offset, n)
def __disasm(self, event): thread = event.get_thread() tid = thread.get_tid() try: pc = event.get_exception_address() except Exception: pc = thread.get_pc() code = thread.disassemble( pc, 0x10 ) [0] line = CrashDump.dump_code_line(code, dwDumpWidth=8*2) print "~%d %s" % ( tid, line )
def __disasm(self, event): thread = event.get_thread() tid = thread.get_tid() try: pc = event.get_exception_address() except Exception: pc = thread.get_pc() code = thread.disassemble(pc, 0x10)[0] line = CrashDump.dump_code_line(code, dwDumpWidth=8 * 2) print("~%d %s" % (tid, line))
def print_thread_context( tid ): # Request debug privileges. System.request_debug_privileges() # Instance a Thread object. thread = Thread( tid ) # Suspend the thread execution. thread.suspend() # Get the thread context. try: context = thread.get_context() # Resume the thread execution. finally: thread.resume() # Display the thread context. print print CrashDump.dump_registers( context ),
def create_thread(self, event): process = event.get_process() thread = event.get_thread() context = thread.get_context() eip = thread.get_pc() tid = event.get_tid() filename = process.get_filename() print "process:%s" % filename # pid = event.get_pid() start = event.get_start_address() if start: with warnings.catch_warnings(): warnings.simplefilter("ignore") start = event.get_process().get_label_at_address(start) print "Started thread %d at %s" % (tid, start) else: print "Attached to thread %d" % tid print CrashDump.dump_registers(context) #print_thread('asm', thread) """
def main(): print "Process memory map" print "by Mario Vilas (mvilas at gmail.com)" print if len(sys.argv) < 2 or '-h' in sys.argv or '--help' in sys.argv: script = os.path.basename(sys.argv[0]) print "Usage:" print " %s <pid>..." % script print " %s <process.exe>..." % script return s = System() s.request_debug_privileges() s.scan_processes() targets = set() for token in sys.argv[1:]: try: pid = HexInput.integer(token) if not s.has_process(pid): print "Process not found: %s" % token return targets.add(pid) except ValueError: pl = s.find_processes_by_filename(token) if not pl: print "Process not found: %s" % token return for p, n in pl: pid = p.get_pid() targets.add(pid) targets = list(targets) targets.sort() for pid in targets: process = Process(pid) fileName = process.get_filename() memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames() if fileName: print "Memory map for %d (%s):" % (pid, fileName) else: print "Memory map for %d:" % pid print ## print CrashDump.dump_memory_map(memoryMap), print CrashDump.dump_memory_map(memoryMap, mappedFilenames) readable = 0 writeable = 0 executable = 0 private = 0 mapped = 0 image = 0 total = 0 for mbi in memoryMap: size = mbi.RegionSize if not mbi.is_free(): total += size if mbi.is_readable(): readable += size if mbi.is_writeable(): writeable += size if mbi.is_executable(): executable += size if mbi.is_private(): private += size if mbi.is_mapped(): mapped += size if mbi.is_image(): image += size width = len(number(total)) print(" %%%ds bytes of readable memory" % width) % number(readable) print(" %%%ds bytes of writeable memory" % width) % number(writeable) print(" %%%ds bytes of executable memory" % width) % number(executable) print(" %%%ds bytes of private memory" % width) % number(private) print(" %%%ds bytes of mapped memory" % width) % number(mapped) print(" %%%ds bytes of image memory" % width) % number(image) print(" %%%ds bytes of total memory" % width) % number(total) print
offset = 0 try: size = HexInput.integer( argv[3] ) except IndexError: size = 0 try: arch = argv[4] except IndexError: arch = None try: engine = argv[5] except IndexError: engine = None # Load the requested disassembler engine. disasm = Disassembler( arch, engine ) # Load the binary code. with open( filename, 'rb' ) as fd: fd.seek( offset ) if size: code = fd.read( size ) else: code = fd.read() # Disassemble the code. disassembly = disasm.decode( offset, code ) # Show the disassembly. print CrashDump.dump_code( disassembly, offset )
def main(): print "Process memory map" print "by Mario Vilas (mvilas at gmail.com)" print if len(sys.argv) < 2 or "-h" in sys.argv or "--help" in sys.argv: script = os.path.basename(sys.argv[0]) print "Usage:" print " %s <pid>..." % script print " %s <process.exe>..." % script return s = System() s.request_debug_privileges() s.scan_processes() targets = set() for token in sys.argv[1:]: try: pid = HexInput.integer(token) if not s.has_process(pid): print "Process not found: %s" % token return targets.add(pid) except ValueError: pl = s.find_processes_by_filename(token) if not pl: print "Process not found: %s" % token return for p, n in pl: pid = p.get_pid() targets.add(pid) targets = list(targets) targets.sort() for pid in targets: process = Process(pid) fileName = process.get_filename() memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames() if fileName: print "Memory map for %d (%s):" % (pid, fileName) else: print "Memory map for %d:" % pid print ## print CrashDump.dump_memory_map(memoryMap), print CrashDump.dump_memory_map(memoryMap, mappedFilenames) readable = 0 writeable = 0 executable = 0 private = 0 mapped = 0 image = 0 total = 0 for mbi in memoryMap: size = mbi.RegionSize if not mbi.is_free(): total += size if mbi.is_readable(): readable += size if mbi.is_writeable(): writeable += size if mbi.is_executable(): executable += size if mbi.is_private(): private += size if mbi.is_mapped(): mapped += size if mbi.is_image(): image += size width = len(number(total)) print (" %%%ds bytes of readable memory" % width) % number(readable) print (" %%%ds bytes of writeable memory" % width) % number(writeable) print (" %%%ds bytes of executable memory" % width) % number(executable) print (" %%%ds bytes of private memory" % width) % number(private) print (" %%%ds bytes of mapped memory" % width) % number(mapped) print (" %%%ds bytes of image memory" % width) % number(image) print (" %%%ds bytes of total memory" % width) % number(total) print
offset = 0 try: size = HexInput.integer(argv[3]) except IndexError: size = 0 try: arch = argv[4] except IndexError: arch = None try: engine = argv[5] except IndexError: engine = None # Load the requested disassembler engine. disasm = Disassembler(arch, engine) # Load the binary code. with open(filename, 'rb') as fd: fd.seek(offset) if size: code = fd.read(size) else: code = fd.read() # Disassemble the code. disassembly = disasm.decode(offset, code) # Show the disassembly. print CrashDump.dump_code(disassembly, offset)