def function():
self.debugger = Debug(HookingEventHandler(self.hooks,
self.api_hooks),
bKillOnExit=kill_process_on_exit,
bHostileCode=anti_anti_debugger)
self.debugger.attach(pid)
self._loop()
def simple_debugger(argv):
with Debug(ScriptExecutionMonitorEventHandler(),
bKillOnExit=False) as debug:
if len(argv) == 0:
attached = False
logging.info("Try to attach to WINWORD.EXE...")
while not attached:
for process in System():
filename = process.get_filename()
if filename and "WINWORD.EXE" in filename:
logging.info("Attaching to: %s (%d)" %
(filename, process.get_pid()))
debug.attach(process.get_pid())
attached = True
if attached:
debug.loop()
else:
logging.error("Unabel to find a WINWORD.exe process")
elif argv[0].isdigit():
# attach via PID
pid = int(argv[0])
debug.attach(pid)
logging.info("Attaching to: %d" % pid)
debug.loop()
else:
logging.error("Usage: %s [PID]" % sys.argv[0])
def __init__(self,pFilename):
System.request_debug_privileges()
self.hSendAddress = "0x2"
self.hRecvAddress = "0x4"
self.bQueueStarted = False
self.bStartLog = False
self.bSend = False
self.bBlock = False
self.lBlockSend = []
self.lBlockRecv =[]
self.lBlock = []
try:
self.oDebug = Debug(self.handlerEvent)
self.oDebug.system.scan_processes()
for ( process, name ) in self.oDebug.system.find_processes_by_filename( pFilename ):
self.oDebug.attach(process.get_pid())
stackDbg.put("MSG_INJECTED")
self.bQueueStarted = True
self.checkThread = threading.Thread(target=self.handleQueue)
self.checkThread.start()
self.oDebug.loop()
finally:
stackDbg.put("MSG_NOT_INJECTED")
self.bQueueStarted = False
self.oDebug.stop()
def __init__(self,
name,
process_path,
process_args=[],
sql_crash_db="sqlite:///crashes.sqlite",
logger=None):
"""
:param name: name of the object
:param process_path: path to the target executable
:param process_args: arguments to pass to the process
:param sql_crash_db: sql alchemy connection string to crash db (default:sqlite:///crashes.sqlite)
:param logger: logger for this object (default: None)
"""
super(WinAppDbgTarget, self).__init__(name, logger)
assert process_path
assert (os.path.exists(process_path))
self._process_path = process_path
self._process_name = os.path.basename(process_path)
self._process_args = process_args
self._process = None
self._sql_crash_db = sql_crash_db
self._crash_event_complete = threading.Event()
self._server_is_up = threading.Event()
self._crash_event_complete.set()
self._debug = Debug(lambda x: _my_event_handler(self, x),
bKillOnExit=True)
def intercept_wsmprovhost(pid, eventHandler):
debug = Debug(eventHandler, bKillOnExit=True)
try:
debug.attach(int(pid))
debug.loop()
except Exception, e:
print "Error: ", str(e)
def simple_debugger(address_file, program_file, arg_check):
process = None
debug = Debug(HitTracerEventHandler(address_file, program_file, arg_check))
try:
# Lookup currently running processes
debug.system.scan_processes()
for (process, name) in debug.system.find_processes_by_filename(program_file):
print "[*] Found %d: %s" % (process.get_pid(), name)
# Attach to it
debug.attach(process.get_pid())
if process == None:
print "[*] Fatal. Process not found. Is it running?"
sys.exit(1)
# Wait for all debugees to finish
debug.loop()
# Cleanup actions
finally:
debug.stop()
def simple_debugger(argv):
# Instance a Debug object using the "with" statement.
# Note how we don't need to call "debug.stop()" anymore.
with Debug(None, bKillOnExit = True) as debug:
try:
# Start a new process for debugging.
debug.execv(argv)
set_breakpoint(debug, 0x010153F6, breakpoint_010153F6)
# set_breakpoint(debug, 0x40103B, breakpoint_40103B)
set_breakpoint(debug, 0x010153FF, breakpoint_010153FF)
# Wait for the debugee to finish.
debug.loop()
except KeyboardInterrupt:
logging.debug("Ctrl+C -ed.")
# Stop debugging. This kills all debugged processes.
debug.stop()
# Stop the debugger.
finally:
debug.stop()
class TraceInstructions(Thread):
"""
Setups and starts the debugger used to trace assembly instructions.
"""
def __init__(self, pid):
"""
Initializes the thread.
@param pid: PID of the original process to monitor
"""
Thread.__init__(self)
self.pid = pid
def run(self):
"""
Main thread procedure.
"""
log = logging.getLogger("Debugger.TraceInstructions")
if not os.path.exists(TRACE_PATH):
try:
os.mkdir(TRACE_PATH)
except (IOError, os.error), why:
log.error("Unable to create folder \"%s\": %s" %
(TRACE_PATH, why))
return False
debug = Debug(DumpInstruction(), bKillOnExit=True, bHostileCode=True)
try:
debug.attach(self.pid)
debug.loop()
finally:
debug.stop()
return True
def main(argv):
# Parse the command line arguments
options = parse_cmdline(argv)
# Create the event handler object
eventHandler = Tracer()
eventHandler.options = options
# Create the debug object
debug = Debug(eventHandler, bHostileCode=options.hostile)
try:
# Attach to the targets
for pid in options.attach:
debug.attach(pid)
for argv in options.console:
debug.execv(argv, bConsole=True, bFollow=options.follow)
for argv in options.windowed:
debug.execv(argv, bConsole=False, bFollow=options.follow)
# Make sure the debugees die if the debugger dies unexpectedly
debug.system.set_kill_on_exit_mode(True)
# Run the debug loop
debug.loop()
# Stop the debugger
finally:
if not options.autodetach:
debug.kill_all(bIgnoreExceptions=True)
debug.stop()
def function():
os.chdir(os.path.dirname(path))
self.debugger = Debug(HookingEventHandler(self.hooks,
self.api_hooks),
bKillOnExit=kill_process_on_exit,
bHostileCode=anti_anti_debugger)
self.debugger.execv([path])
self._loop()
def simple_debugger():
handler = EventSift(MyEventHandler)
# handler = MyEventHandler() # try uncommenting this line...
with Debug(handler) as debug:
debug.execl("calc.exe")
debug.execl("notepad.exe")
debug.execl("charmap.exe")
debug.loop()
def exit_process(self, event):
print "Detached from %s" % self.name
handler = EventSift(MyEventHandler)
#handler = MyEventHandler() # try uncommenting this line...
with Debug(handler) as debug:
debug.execl(self.name)
debug.loop()
def simple_debugger(argv):
# Instance a Debug object, passing it the MyEventHandler instance.
with Debug(MyEventHandler(), bKillOnExit=True) as debug:
# Start a new process for debugging.
debug.execv(argv)
# Wait for the debugee to finish.
debug.loop()
def start_debug(self):
self.debug = Debug(
self.debug_loop, bKillOnExit=True
) # If True debugged processes are killed when the debugger is stopped.
self.debug.execv(
command_line
) # execute target program (prameter command_line --> target program, mutate file)
self.debug.loop()
def each_with_type(self, target, file_type):
self.paths = {
'word': "{}\\{}".format(self.office_path, "WINWORD.EXE"),
'rtf': "{}\\{}".format(self.office_path, "WINWORD.EXE"),
'html': "{}\\{}".format(self.office_path, "WINWORD.EXE"),
'excel': "{}\\{}".format(self.office_path, "EXCEL.EXE"),
'powerpoint': "{}\\{}".format(self.office_path, "POWERPOINT.EXE"),
'javascript': 'C:\\Windows\\system32\\wscript.exe',
'vbscript': 'C:\\Windows\\system32\\wscript.exe'
}
self.files = set()
self.results = {"actions": []}
monkey = ClickThread()
monkey.click_on(
"Microsoft Excel", "Yes",
"is in a different format than specified by the file extension")
monkey.click_on(
"Microsoft Word", "OK",
"command cannot be performed because a dialog box is open")
monkey.click_on("Microsoft Word", "No", "start Word in safe mode")
monkey.click_on("Microsoft Word", "Yes", "caused a serious error")
monkey.click_on("File In Use", "OK", "locked for editing")
monkey.click_on("Microsoft Word", "Yes",
"that may refer to other files")
monkey.click_on("Microsoft Excel", "Yes",
"that may refer to other files")
monkey.click_on("Microsoft Word", "Yes", "Do you want to start")
monkey.click_on("Microsoft Excel", "Yes", "Do you want to start")
monkey.close("Activation Wizard")
monkey.start()
target = self.set_extension(target, file_type)
args = [self.paths[file_type], target]
pids = []
maxtime = time() + self.timeout
with Debug(self, bKillOnExit=False) as debug:
debug.execv(args)
pids = debug.get_debugee_pids()
while debug and time() < maxtime:
try:
debug.wait(1000)
except WindowsError, e:
if e.winerror in (win32.ERROR_SEM_TIMEOUT,
win32.WAIT_TIMEOUT):
continue
raise
try:
debug.dispatch()
finally:
debug.cont()
def simple_debugger(pid):
# Instance a Debug object, passing it the MyEventHandler instance.
with Debug(MyEventHandler(), bKillOnExit=True) as debug:
try:
debug.attach(pid)
debug.loop()
finally:
debug.stop()
def simple_debugger( pid ):
# Instance a Debug object, passing it the MyEventHandler instance.
with Debug( MyEventHandler(), bKillOnExit = False ) as debug:
# Start a new process for debugging.
debug.attach( pid )
# Wait for the debugee to finish.
debug.loop()
def simple_debugger(argv):
# Instance a Debug object using the "with" statement.
# Note how we don't need to call "debug.stop()" anymore.
with Debug(MyEventHandler(), bKillOnExit=True) as debug:
# Start a new process for debugging.
debug.execv(argv)
# Wait for the debugee to finish.
debug.loop()
def simple_debugger(argv):
# Instance a Debug object.
debug = Debug()
try:
# Start a new process for debugging.
debug.execv(argv)
# Launch the interactive debugger.
debug.interactive()
# Stop the debugger.
finally:
debug.stop()
return
def extract_payload(file_path):
"""
Function that'll handle winappdbg debug
:param file_path: path of QuantLoader
:return: bool
"""
debug = Debug(QHandler())
try:
debug.execv([file_path])
debug.loop()
finally:
debug.stop()
def simple_debugger(argv):
with Debug(MyEventHandler(), bKillOnExit=True) as debug:
try:
# Start a new process for debugging.
print('start', argv)
debug.execv(argv)
debug.loop()
except:
pass
return c2_list
def simple_debugger(argv):
# Instance a Debug object, passing it the MyEventHandler instance.
with Debug(MyEventHandler(), bKillOnExit=True) as debug:
# Start a new process for debugging.
debug.execv(argv)
# If you start the new process like this instead, the
# debugger will automatically attach to the child processes.
#
# debug.execv( argv, bFollow = True )
# Wait for the debugee to finish.
debug.loop()
def simple_debugger(argv):
# Instance a Debug object, passing it the MyEventHandler instance
debug = Debug(MyEventHandler())
try:
debug.execv(argv)
debug.loop()
# Stop the debugger
finally:
debug.stop()
def create_debugger(self):
# Instance a debugger
debug = Debug(self, bHostileCode=self.options.hostile)
# Make sure the remote symbol store is set
System.fix_symbol_store_path(remote=True, force=False)
# Populate the snapshot of processes
debug.system.scan()
# Use this debugger
self.start_using_debugger(debug)
def execute(self):
print "# {} Opening mutate file to target by bbcFuzzer".format(self.test_number)
print(["{}".format(self.target_path), "{}\\{}.{}".format(self.mutate_path, self.test_number, self.file_type)])
try:
with Debug(self.check_crash, bKillOnExit = True) as _debug:
self.debug_time = time.time()
_debug.execv(["{}".format(self.target_path), "{}\\{}.{}".format(self.mutate_path, self.test_number, self.file_type)])
_debug.loop()
except WindowsError:
self.communicationManager.alert("Failed execute")
print "Failed execute"
finally:
self.add_test_number()
def debug_ovas(ovas_pid, test_payload, test_char, good_chars):
# Instance a Debug object.
debug = Debug(functools.partial(bad_characters_handler, test_payload,
test_char, good_chars),
bKillOnExit=True)
try:
# Attach to a running process.
debug.attach(ovas_pid)
# Wait for the debugee to finish.
debug.loop()
finally:
# Stop the debugger.
debug.stop()
def simple_debugger(argv):
# Instance a Debug object, passing it the event handler callback.
debug = Debug(my_event_handler, bKillOnExit=True)
try:
# Start a new process for debugging.
debug.execv(argv)
# Wait for the debugee to finish.
debug.loop()
# Stop the debugger.
finally:
debug.stop()
def run_within_debugger_with_timeout(args):
print '[+] running testcase...'
with Debug(crash_handler, bKillOnExit=True) as debug:
debug.execv(args, bConsole=True)
System.set_kill_on_exit_mode(True)
maxTime = time.time() + 15
while debug and time.time() < maxTime:
try:
debug.wait(1000)
except WindowsError, e:
if e.winerror in (win32.ERROR_SEM_TIMEOUT, win32.WAIT_TIMEOUT):
continue
raise
try:
debug.dispatch()
finally:
debug.cont()
def monitor(self):
_killer = Debug()
while True:
if int(time.time()) - int(self.debug_time) > 10:
try:
for (process, name) in _killer.system.find_processes_by_filename(os.path.split(self.target_path)[1]):
if not process:
sleep(5)
self.kill_test_process()
except (WindowsError, AttributeError):
sleep(5)
self.kill_test_process()
#for (process, name) in _killer.system.find_processes_by_filename(os.path.split(self.target_path)[1]):
# _killer.kill(process.get_pid())
# print "Kill {} {}".format(process.get_pid(), name)
break
def main_loop():
debug_procList = []
est_conn_procList, reverse_http_procList, cmd_procList, suspicious_veil_procList = extract_est_conn(
)
hookcounter = 0
hookFlag = False
detachflag = False
mdlog.print_console(mdlog.INFO_LEVEL,
"-------- Start Monitoring ------------")
while ((len(est_conn_procList) > 0) or (len(cmd_procList) > 0)):
inScopeList = verify_debugger(debug_procList, est_conn_procList,
reverse_http_procList, cmd_procList)
mdlog.print_console(mdlog.INFO_LEVEL,
"[*] InscopeList: " + str(inScopeList))
mdlog.print_console(mdlog.INFO_LEVEL,
"[*] Enumerating ESTABLISHED_Process")
for proc in est_conn_procList:
traceFlag = False
try:
if (proc.pid not in inScopeList):
#print "Established %d", proc.pid
traceFlag = find_meterpreter_trace(
proc.pid, DEFAULT_MEMORY_TRACE_LINE_LIMIT)
except WindowsError, e:
pass
except Exception, e:
mdlog.print_console(
mdlog.ERROR_LEVEL,
("[-] Tracing PID:" + str(proc.pid) + " " + str(e)))
if (traceFlag):
mdlog.print_console(
mdlog.INFO_LEVEL, "[*] tcp_Meterpreter " + str(proc.pid) +
" " + str(proc.name) + " " + str(proc.connections()))
myhandler = md_tcp_meterpreter.hook_handler()
debug = Debug(myhandler, bKillOnExit=True)
debug_procList.append([proc.pid, debug])
thread = Thread(target=intercept_windowapi,
args=(debug, proc.pid))
thread.start()
time.sleep(1) #sleep for smooth debugger console
hookFlag = True
