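def fnAPI_send(dbg, args):
    """Breakpoint callback for ws2_32!send: log the buffer about to be sent.

    Prototype hooked::

        int send(__in SOCKET s, __in const char* buf, __in int len, __in int flags);

    Args:
        dbg:  the pydbg instance that hit the breakpoint; ``context.Esp`` and
              ``h_thread`` are read from it and debuggee memory is read through it.
        args: the hooked call's arguments in prototype order
              (``args[0]`` = socket, ``args[1]`` = buf, ``args[2]`` = len).

    Returns:
        ``DBG_CONTINUE`` so the debuggee keeps running.
    """
    hSocket = args[0]
    pBuf = args[1]
    nLen = args[2]

    # Copy the caller's buffer out of the debuggee before send() runs.
    # The stray ``print(args)`` that used to be here wrote to stdout; all
    # output of this hook now goes through khzLog like the other hooks.
    lstMemory = dbg.read_process_memory(pBuf, nLen)
    strFunName = sys._getframe().f_code.co_name

    # On x86 the return address is the 4-byte word at [ESP] on function entry.
    # "<I" pins a 4-byte little-endian field regardless of the host's native sizes.
    strBuf = dbg.read_process_memory(dbg.context.Esp, 4)
    addrRetFun = struct.unpack("<I", strBuf)[0]

    strLog = CPacketHookBase.m_strLogFormat % (
        dbg.h_thread, strFunName, addrRetFun, hSocket, nLen, pBuf,
        mkString2Binary(lstMemory, nLen))
    khzLog(strLog)
    return DBG_CONTINUE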
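def fnAPI_WSASend(dbg, args):
    """Breakpoint callback for ws2_32!WSASend: log the first WSABUF being sent.

    Prototype hooked::

        int WSASend(
            __in  SOCKET s,
            __in  LPWSABUF lpBuffers,
            __in  DWORD dwBufferCount,
            __out LPDWORD lpNumberOfBytesSent,
            __in  DWORD dwFlags,
            __in  LPWSAOVERLAPPED lpOverlapped,
            __in  LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine);

    Only ``lpBuffers[0]`` is captured; when ``dwBufferCount`` is greater than
    one a warning is logged and the remaining buffers are not read.

    Args:
        dbg:  the pydbg instance that hit the breakpoint.
        args: the hooked call's arguments in prototype order.

    Returns:
        ``DBG_CONTINUE`` so the debuggee keeps running.
    """
    # NOTE: an earlier revision toggled dbg.debugger_active from
    # GeneralTools.isActiveDbg() here; that check is no longer performed.
    if args[2] > 1:
        khzLog(u"------------------ WARNNING - (args[2] > 1) ------------------")

    # WSABUF on x86 is {ULONG len; CHAR *buf;} -> 8 bytes.  Use explicit
    # standard sizes ("<II") instead of native "LL": native "L" is 8 bytes on
    # 64-bit interpreters, which makes the 8-byte read fail to unpack.
    strWSABUF = dbg.read_process_memory(args[1], 0x08)
    nLen, pBuf = struct.unpack("<II", strWSABUF)

    # Copy WSABUF.buf out of the debuggee.
    lstMemory = dbg.read_process_memory(pBuf, nLen)
    strFunName = sys._getframe().f_code.co_name

    # On x86 the return address is the 4-byte word at [ESP] on function entry.
    strBuf = dbg.read_process_memory(dbg.context.Esp, 4)
    addrRetFun = struct.unpack("<I", strBuf)[0]

    strLog = CPacketHookBase.m_strLogFormat % (
        dbg.h_thread, strFunName, addrRetFun, args[0], nLen, pBuf,
        mkString2Binary(lstMemory, nLen))
    khzLog(strLog)
    return DBG_CONTINUE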
def __init__(self, strGameExeName):
    """Create a pydbg instance and attach it to the process named *strGameExeName*.

    The process list is compared case-insensitively; if several processes
    carry the name, the last one enumerated is used.  When nothing matches a
    message is logged and the program exits with status -1.

    Args:
        strGameExeName: executable name of the target process (e.g. "Foo.exe").
    """
    self.dbg = pydbg()
    # Container for the breakpoints/hooks installed later.
    self.hooks = utils.hook_container()

    # Resolve the process id by name.
    strTarget = strGameExeName.lower()
    nPID = None
    for pid, name in self.dbg.enumerate_processes():
        if name.lower() == strTarget:
            nPID = pid

    if not nPID:
        khztools.khzLog(u"[*]目标进程ID为空,退出程序")
        exit(-1)

    khztools.khzLog(u"[*]目标进程ID为:%d" % nPID)
    self.dbg.attach(nPID)
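def fnHook_Encrypt(dbg, args):
    """Breakpoint callback on the client routine this hook names "Encrypt".

    Logs the buffer handed to the routine, skipping the packets the filters
    below treat as heartbeats, and — when the buffer contents are a key in
    ``g_BufMap`` — overwrites the buffer in the debuggee with the mapped value
    before the routine continues.

    Args:
        dbg:  the pydbg instance that hit the breakpoint.
        args: the hooked routine's arguments; ``args[1]`` is used as the buffer
              pointer and ``args[2]`` as its length.  ``args[0]`` is not read,
              so the socket column in the log line is always 0.

    Returns:
        ``DBG_CONTINUE`` in every case.
    """
    # Stop cooperatively when the controller reports the debugger is inactive.
    if not CPacketHookBase.isActiveDbg():
        dbg.debugger_active = False
        return DBG_CONTINUE

    hSocket = 0
    pBuf = args[1]
    nLen = args[2]

    # On x86 the return address is the 4-byte word at [ESP] on function entry.
    strBuf = dbg.read_process_memory(dbg.context.Esp, 4)
    addrRetFun = struct.unpack("<I", strBuf)[0]

    # Copy the buffer out of the debuggee and render it as a hex string.
    lstMemory = dbg.read_process_memory(pBuf, nLen)
    strBinary = mkString2Binary(lstMemory, nLen)

    # Heartbeat filters.  The return address and the two byte patterns are
    # specific to one client build.  NOTE(review): each `or` drops *every*
    # packet of that length, not only the listed pattern — confirm whether
    # `and` was intended.
    if addrRetFun == 0x008C550C:
        return DBG_CONTINUE
    if nLen == 0x0010 or strBinary == "61 08 4C 75 03 00 00 00 02 15 FD 41 D3 FC AE 43 ":
        return DBG_CONTINUE
    if nLen == 0x0004 or strBinary == "7E 04 EB 23 ":
        return DBG_CONTINUE

    # `in` replaces dict.has_key(): same test, and valid on Python 3 too.
    # NOTE(review): nothing checks that the replacement fits in nLen bytes;
    # a longer value would overrun the debuggee's buffer.
    if lstMemory in g_BufMap:
        dbg.write_process_memory(pBuf, g_BufMap[lstMemory])

    strFunName = sys._getframe().f_code.co_name
    strLog = CPacketHookBase.m_strLogFormat % (
        dbg.h_thread, strFunName, addrRetFun, hSocket, nLen, pBuf, strBinary)
    khzLog(strLog)
    return DBG_CONTINUE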
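def fnAPI_WSASend(dbg, args):
    """Breakpoint callback for ws2_32!WSASend: log the first WSABUF being sent.

    Prototype hooked::

        int WSASend(
            __in  SOCKET s,
            __in  LPWSABUF lpBuffers,
            __in  DWORD dwBufferCount,
            __out LPDWORD lpNumberOfBytesSent,
            __in  DWORD dwFlags,
            __in  LPWSAOVERLAPPED lpOverlapped,
            __in  LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine);

    Only ``lpBuffers[0]`` is captured.  A ``dwBufferCount`` above one is
    reported with a warning line; the extra buffers are not read.

    Args:
        dbg:  the pydbg instance that hit the breakpoint.
        args: the hooked call's arguments in prototype order.

    Returns:
        ``DBG_CONTINUE`` so the debuggee keeps running.
    """
    # NOTE: the commented-out GeneralTools.isActiveDbg() check from an earlier
    # revision has been dropped; this hook never detaches on its own.
    if args[2] > 1:
        khzLog(u"------------------ WARNNING - (args[2] > 1) ------------------")

    # WSABUF on x86 is {ULONG len; CHAR *buf;} -> 8 bytes.  "<II" pins two
    # 4-byte little-endian fields; native "LL" is 16 bytes on 64-bit
    # interpreters and would not unpack an 8-byte read.
    strWSABUF = dbg.read_process_memory(args[1], 0x08)
    nLen, pBuf = struct.unpack("<II", strWSABUF)

    # Copy WSABUF.buf out of the debuggee.
    lstMemory = dbg.read_process_memory(pBuf, nLen)
    strFunName = sys._getframe().f_code.co_name

    # On x86 the return address is the 4-byte word at [ESP] on function entry.
    strBuf = dbg.read_process_memory(dbg.context.Esp, 4)
    addrRetFun = struct.unpack("<I", strBuf)[0]

    strLog = CPacketHookBase.m_strLogFormat % (
        dbg.h_thread, strFunName, addrRetFun, args[0], nLen, pBuf,
        mkString2Binary(lstMemory, nLen))
    khzLog(strLog)
    return DBG_CONTINUE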
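def fnHook_Encrypt(dbg, args):
    """Breakpoint callback on the client routine this hook names "Encrypt".

    Logs the buffer passed to the routine unless one of the heartbeat filters
    below matches, and substitutes the buffer contents from ``g_BufMap`` when
    the captured bytes are a key of that map.

    Args:
        dbg:  the pydbg instance that hit the breakpoint.
        args: the hooked routine's arguments; ``args[1]`` is the buffer
              pointer and ``args[2]`` its length.  ``args[0]`` is not used,
              so the socket column in the log line is always 0.

    Returns:
        ``DBG_CONTINUE`` in every case.
    """
    # Stop cooperatively when the controller reports the debugger is inactive.
    if not CPacketHookBase.isActiveDbg():
        dbg.debugger_active = False
        return DBG_CONTINUE

    hSocket = 0
    pBuf = args[1]
    nLen = args[2]

    # On x86 the return address is the 4-byte word at [ESP] on function entry.
    strBuf = dbg.read_process_memory(dbg.context.Esp, 4)
    addrRetFun = struct.unpack("<I", strBuf)[0]

    # Copy the buffer out of the debuggee and render it as a hex string.
    lstMemory = dbg.read_process_memory(pBuf, nLen)
    strBinary = mkString2Binary(lstMemory, nLen)

    # Heartbeat filters, tied to one client build (fixed return address and
    # byte patterns).  NOTE(review): with `or`, any 16-byte or 4-byte packet
    # is dropped regardless of content — confirm whether `and` was intended.
    if addrRetFun == 0x008C550C:
        return DBG_CONTINUE
    if nLen == 0x0010 or strBinary == "61 08 4C 75 03 00 00 00 02 15 FD 41 D3 FC AE 43 ":
        return DBG_CONTINUE
    if nLen == 0x0004 or strBinary == "7E 04 EB 23 ":
        return DBG_CONTINUE

    # `in` replaces dict.has_key(): same membership test, Python 3 compatible.
    # NOTE(review): the replacement length is not compared with nLen; a longer
    # value would write past the debuggee's buffer.
    if lstMemory in g_BufMap:
        dbg.write_process_memory(pBuf, g_BufMap[lstMemory])

    strFunName = sys._getframe().f_code.co_name
    strLog = CPacketHookBase.m_strLogFormat % (
        dbg.h_thread, strFunName, addrRetFun, hSocket, nLen, pBuf, strBinary)
    khzLog(strLog)
    return DBG_CONTINUE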
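def fnAPI_send(dbg, args):
    """Breakpoint callback for ws2_32!send: log the buffer about to be sent.

    Prototype hooked::

        int send(__in SOCKET s, __in const char* buf, __in int len, __in int flags);

    Args:
        dbg:  the pydbg instance that hit the breakpoint; ``context.Esp`` and
              ``h_thread`` are read from it and debuggee memory is read through it.
        args: the hooked call's arguments in prototype order
              (``args[0]`` = socket, ``args[1]`` = buf, ``args[2]`` = len).

    Returns:
        ``DBG_CONTINUE`` so the debuggee keeps running.
    """
    hSocket = args[0]
    pBuf = args[1]
    nLen = args[2]

    # Copy the caller's buffer out of the debuggee before send() runs.
    # The leftover ``print(args)`` debug line was removed: the other hooks
    # write only through khzLog, and stdout output is not part of the log.
    lstMemory = dbg.read_process_memory(pBuf, nLen)
    strFunName = sys._getframe().f_code.co_name

    # On x86 the return address is the 4-byte word at [ESP] on function entry.
    # "<I" pins a 4-byte little-endian field independent of native sizes.
    strBuf = dbg.read_process_memory(dbg.context.Esp, 4)
    addrRetFun = struct.unpack("<I", strBuf)[0]

    strLog = CPacketHookBase.m_strLogFormat % (
        dbg.h_thread, strFunName, addrRetFun, hSocket, nLen, pBuf,
        mkString2Binary(lstMemory, nLen))
    khzLog(strLog)
    return DBG_CONTINUE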