def __init__(self, addresses):
self.dbg = pydbg.pydbg()
self.addresses = addresses
self.libraries = {}
self.dbg.set_callback(pydbg.LOAD_DLL_DEBUG_EVENT, self.library_loaded)
self.dbg.set_callback(pydbg.EXCEPTION_BREAKPOINT, self.bp_handler)
def __init__(self, process_monitor, process, pid_to_ignore=None):
"""
Instantiate a new PyDbg instance and register user and access violation callbacks.
"""
threading.Thread.__init__(self)
self.process_monitor = process_monitor
self.proc_name = process
self.ignore_pid = pid_to_ignore
self.access_violation = False
self.active = True
self.dbg = pydbg.pydbg()
self.pid = None
# give this thread a unique name.
self.setName("%d" % time.time())
self.process_monitor.log(
"debugger thread initialized with UID: %s" % self.getName(), 5)
# set the user callback which is response for checking if this thread has been killed.
self.dbg.set_callback(pydbg.defines.USER_CALLBACK_DEBUG_EVENT,
self.dbg_callback_user)
self.dbg.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION,
self.dbg_callback_access_violation)
def __init__(self, addresses):
self.dbg = pydbg.pydbg()
self.addresses = addresses
self.libraries = {}
self.dbg.set_callback(pydbg.LOAD_DLL_DEBUG_EVENT, self.library_loaded)
self.dbg.set_callback(pydbg.EXCEPTION_BREAKPOINT, self.bp_handler)
def monitor_browser_crash(browser_path,command_line) :
debugger=pydbg.pydbg()
debugger.load(browser_path,command_line)
debugger.set_callback(pydbg.defines.CREATE_PROCESS_DEBUG_EVENT,create_process_debug_event_handle)
debugger.run()
debugger.wait_for_process_exit()
debugger.detach()
kill_all_process()
def __init__ (self, pid):
"""
instantiate an internal pydbg instance and open a handle to the target process. we are not actually attaching!
"""
self.dbg = pydbg.pydbg()
self.snapshots = {}
# get debug privileges and open the target process.
self.dbg.get_debug_privileges()
self.dbg.open_process(int(pid))
def __init__(self, pid):
"""
instantiate an internal pydbg instance and open a handle to the target process. we are not actually attaching!
"""
self.dbg = pydbg.pydbg()
self.snapshots = {}
# get debug privileges and open the target process.
self.dbg.get_debug_privileges()
self.dbg.open_process(int(pid))
def add(self, proc_name):
for proc in psutil.process_iter():
if proc.name().lower() == proc_name.lower():
print '[{}] {}'.format(proc.pid, proc.name())
dbg = pydbg.pydbg()
dbg.attach(proc.pid)
hook_addr = dbg.func_resolve_debuggee('kernel32.dll',
'DeviceIoControl')
self.hooks.add(dbg, hook_addr, 8, self.log, None)
dbg.run()
'''
def __init__(self,file=None):
self.file = file
self.pe = None
# Load signature file
self.loadutil = peutils.SignatureDatabase("userdb.txt")
if self.file:
self.pe = pefile.PE(file)
# variables required for pydbg
self.dbg = pydbg.pydbg()
# elevate overall privilege
self.dbg.get_debug_privileges()
self.h_process = None
self.volimage = None
def __init__(self, file=None):
self.file = file
self.pe = None
# Load signature file
self.loadutil = peutils.SignatureDatabase("userdb.txt")
if self.file:
self.pe = pefile.PE(file)
# variables required for pydbg
self.dbg = pydbg.pydbg()
# elevate overall privilege
self.dbg.get_debug_privileges()
self.h_process = None
self.volimage = None
def main() :
browser_process=create_process(BROWSER_PATH+' '+BROWSER_ARG_LIST+' '+FUZZING_URL)
global BROWSER_PID
global debugger
BROWSER_PID=browser_process[2] # browser_process[2] === PID
time.sleep(0.2)
debugger=pydbg.pydbg()
# try :
debugger.attach(BROWSER_PID) # get_sub_process(BROWSER_PID)[0])
debugger.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION,crash_recall_access_violation)
debugger.set_callback(pydbg.defines.EXCEPTION_GUARD_PAGE,crash_recall_guard_page)
debugger.set_callback(EXCEPTION_STACK_OVEWFLOW,crash_recall_stack_overflow)
debugger.run()
win32event.WaitForSingleObject(browser_process[0],-1) # browser_process[0] === Process Handle
def run(self):
while 1:
os.system('taskkill /T /F /IM '+ self.cf.image + '> logs/null')
time.sleep(3)
dbg = pydbg.pydbg()
dbg.load(self.cf.targetpath, command_line=self.InitPage)
self.tellme(self.cf.image + ' running...' + 'pid='+str(dbg.pid))
time.sleep(1)
dbg_browser = self.crasher.hook(dbg)
if dbg_browser!=None:
dbg_browser.run()
self.tellme(self.cf.target + ' crash... ')
dosfile = self.cf.logspath + '\\dos-' + hashlib.md5(str(datetime.datetime.now())).hexdigest() + '.html'
dosurl = 'http://'+self.cf.host + ':' + self.cf.port + '/cur'
urllib.urlretrieve(dosurl, dosfile)
def run(self):
while 1:
os.system('taskkill /T /F /IM ' + self.cf.image + '> logs/null')
time.sleep(3)
dbg = pydbg.pydbg()
dbg.load(self.cf.targetpath, command_line=self.InitPage)
self.tellme(self.cf.image + ' running...' + 'pid=' + str(dbg.pid))
time.sleep(1)
dbg_browser = self.crasher.hook(dbg)
if dbg_browser != None:
dbg_browser.run()
self.tellme(self.cf.target + ' crash... ')
dosfile = self.cf.logspath + '\\dos-' + hashlib.md5(
str(datetime.datetime.now())).hexdigest() + '.html'
dosurl = 'http://' + self.cf.host + ':' + self.cf.port + '/cur'
urllib.urlretrieve(dosurl, dosfile)
def monitor_browser_crash(browser_path, command_line):
debugger = pydbg.pydbg()
debugger.load(browser_path, command_line)
debugger.set_callback(pydbg.defines.CREATE_PROCESS_DEBUG_EVENT,
create_process_debug_event_handle)
debugger.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION,
access_exception_debug_event_handle)
debugger.set_callback(pydbg.defines.EXCEPTION_BREAKPOINT,
breakpoint_exception_debug_event_handle)
debugger.set_callback(pydbg.defines.EXCEPTION_GUARD_PAGE,
access_exception_debug_event_handle)
debugger.set_callback(pydbg.defines.EXCEPTION_STACK_OVEWFLOW,
access_exception_debug_event_handle)
debugger.run()
debugger.wait_for_process_exit()
debugger.detach()
def main() :
browser_process=create_process(BROWSER_PATH+' '+BROWSER_ARG_LIST+' '+FUZZING_URL)
global BROWSER_PID
global debugger
BROWSER_PID=browser_process[2] # browser_process[2] === PID
time.sleep(0.2)
debugger=pydbg.pydbg()
try :
debugger.attach(BROWSER_PID) # get_sub_process(BROWSER_PID)[0])
debugger.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION,dump_process_and_restart)
debugger.set_callback(pydbg.defines.EXCEPTION_GUARD_PAGE,dump_process_and_restart)
debugger.set_callback(EXCEPTION_STACK_OVEWFLOW,dump_process_and_restart)
debugger.run()
win32event.WaitForSingleObject(browser_process[0],-1) # browser_process[0] === Process Handle
except :
print 'WARNING! pydbg can not attach to this process ,maybe you attach to a 64-bit process ,pydbg jut support attach to 32-bit process!'
exit()
def main():
browser_process = create_process(BROWSER_PATH + ' ' + BROWSER_ARG_LIST +
' ' + FUZZING_URL)
global BROWSER_PID
global debugger
BROWSER_PID = browser_process[2] # browser_process[2] === PID
time.sleep(0.2)
debugger = pydbg.pydbg()
# try :
debugger.attach(BROWSER_PID) # get_sub_process(BROWSER_PID)[0])
debugger.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION,
crash_recall_access_violation)
debugger.set_callback(pydbg.defines.EXCEPTION_GUARD_PAGE,
crash_recall_guard_page)
debugger.set_callback(EXCEPTION_STACK_OVEWFLOW,
crash_recall_stack_overflow)
debugger.run()
win32event.WaitForSingleObject(
browser_process[0], -1) # browser_process[0] === Process Handle
def stop_target(self):
"""
Kill the current debugger thread and stop the target process by issuing the commands in self.stop_commands.
"""
# give the debugger thread a chance to exit.
time.sleep(1)
self.log("stopping target process")
for command in self.stop_commands:
if command == "TERMINATE_PID":
dbg = pydbg.pydbg()
for (pid, name) in dbg.enumerate_processes():
if name.lower() == self.proc_name.lower():
os.system("taskkill /pid %d" % pid)
break
else:
os.system(command)
def stop_target (self):
"""
Kill the current debugger thread and stop the target process by issuing the commands in self.stop_commands.
"""
# give the debugger thread a chance to exit.
time.sleep(1)
self.log("stopping target process")
for command in self.stop_commands:
if command == "TERMINATE_PID":
dbg = pydbg.pydbg()
for (pid, name) in dbg.enumerate_processes():
if name.lower() == self.proc_name.lower():
os.system("taskkill /pid %d" % pid)
break
else:
os.system(command)
def __init__ (self, process_monitor, process, pid_to_ignore=None):
"""
Instantiate a new PyDbg instance and register user and access violation callbacks.
"""
threading.Thread.__init__(self)
self.process_monitor = process_monitor
self.proc_name = process
self.ignore_pid = pid_to_ignore
self.access_violation = False
self.active = True
self.dbg = pydbg.pydbg()
self.pid = None
# give this thread a unique name.
self.setName("%d" % time.time())
self.process_monitor.log("debugger thread initialized with UID: %s" % self.getName(), 5)
# set the user callback which is response for checking if this thread has been killed.
self.dbg.set_callback(pydbg.defines.USER_CALLBACK_DEBUG_EVENT, self.dbg_callback_user)
self.dbg.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION, self.dbg_callback_access_violation)
def test_create_pydbg(self):
import pydbg
from pydbg import defines
from pydbg import utils
tst_pydbg = pydbg.pydbg()
def __init__(self): self.dbg = pydbg() self.config = Config() self.process = Process(self) self.gameState = GameState(self) self.renderer = Renderer(self)
output.v_tmp_is_pt_stacks_before_api_parse = False # is pt callstacks before parsing api
output.v_tmp_is_pt_parse_api_summary_collision = False # is pt api summary collision when parsing api records
debugee.v_tmp_is_pt_func_invoke = False # is pt func invoke
# pt when process exit
apis.v_tmp_is_pt_process_exit_call_stacks = True # is pt call stacks when process exit
apis.v_tmp_is_pt_process_exit_api_summary = True # is pt api summary when process exit
apis.v_tmp_is_pt_manual_resolved_funcs = False # is pt debugee manual resolved funcs. we use this to enrich functionality of xrkpydbg.
debugee.v_tmp_is_pt_func_tree_when_process_exit = True # is pt func tree when process exit
debugee.v_tmp_is_pt_func_cnt_when_process_exit = True # is pt func cnt when process exit
log.v_tmp_is_save_process_exit_log = False # is save log record to file
# ---------------------------------------------------------------------------
# dbg session
dbg = pydbg.pydbg(is_log=False)
dbg.set_callback(defines.LOAD_DLL_DEBUG_EVENT,
callback_func=callback_load_sys_dll)
dbg.set_callback(defines.EXIT_PROCESS_DEBUG_EVENT,
callback_func=callback_process_exit)
dbg.set_callback(defines.EXCEPTION_DEBUG_EVENT,
callback_func=callback_any_exception)
dbg.load(target_file, command_line=cmd_line)
# actually, len(dbg.system_dlls) == 0, so we don't install hook here
dbg.run()
print "xrkpydbg - debug session finish"
# ---------------------------------------------------------------------------
output.export_api_summary()
print "xrkpydbg - export api summary finish"
print "=" * 200
def crash_recall_access_violation(self):
check_valueble_crash(self, pydbg.defines.EXCEPTION_ACCESS_VIOLATION)
def crash_recall_exit_process(self):
check_valueble_crash(self, pydbg.defines.EXIT_PROCESS_DEBUG_EVENT)
def crash_recall_stack_overflow(self):
check_valueble_crash(self, EXCEPTION_STACK_OVERFLOW)
if __name__ == '__main__':
poc_count = int(requests.get(POC_COUNT_URL).text)
debugger = pydbg.pydbg()
debugger.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION,
crash_recall_access_violation)
debugger.set_callback(pydbg.defines.EXCEPTION_GUARD_PAGE,
crash_recall_guard_page)
debugger.set_callback(pydbg.defines.EXIT_PROCESS_DEBUG_EVENT,
crash_recall_exit_process)
debugger.set_callback(EXCEPTION_STACK_OVERFLOW,
crash_recall_stack_overflow)
browser_process = None
if len(sys.argv) == 3 and str.isdigit(
sys.argv[1]) and sys.argv[2] == 'debug':
if poc_count >= int(sys.argv[1]):
browser_process = create_process(BROWSER_PATH + ' ' + POC_URL +
str(sys.argv[1]))
def crash_recall_guard_page(self) :
check_valueble_crash(self,pydbg.defines.EXCEPTION_GUARD_PAGE)
def crash_recall_access_violation(self) :
check_valueble_crash(self,pydbg.defines.EXCEPTION_ACCESS_VIOLATION)
def crash_recall_exit_process(self) :
check_valueble_crash(self,pydbg.defines.EXIT_PROCESS_DEBUG_EVENT)
def crash_recall_stack_overflow(self) :
check_valueble_crash(self,EXCEPTION_STACK_OVERFLOW)
if __name__=='__main__' :
poc_count=int(requests.get(POC_COUNT_URL).text)
debugger=pydbg.pydbg()
debugger.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION,crash_recall_access_violation)
debugger.set_callback(pydbg.defines.EXCEPTION_GUARD_PAGE,crash_recall_guard_page)
debugger.set_callback(pydbg.defines.EXIT_PROCESS_DEBUG_EVENT,crash_recall_exit_process)
debugger.set_callback(EXCEPTION_STACK_OVERFLOW,crash_recall_stack_overflow)
browser_process=None
if len(sys.argv)==3 and str.isdigit(sys.argv[1]) and sys.argv[2]=='debug' :
if poc_count>=int(sys.argv[1]) :
browser_process=create_process(BROWSER_PATH+' '+POC_URL+str(sys.argv[1]))
exploit_index=int(sys.argv[1])
debugger_state=True
elif len(sys.argv)==2 and str.isdigit(sys.argv[1]) :
if poc_count>int(sys.argv[1]) :
browser_process=create_process(BROWSER_PATH+' '+POC_URL+str(sys.argv[1]))
exploit_index=int(sys.argv[1])
port = htons(info[1])
print "ws2_32.connect() called from thread %d @%#x" % (pydbg.dbg.dwThreadId, pydbg.exception_address)
if (config.port == port or config.port == 0):
print "socket: %x, port: %d" % (s, port)
conn = connection(s, 0, port)
conf.sniff.add_conn(conn)
return DBG_CONTINUE
def _CreateThread(pydbg):
print "kernel32.CreateThread() called from thread %d @%x" % (pydbg.dbg.dwThreadId, pydbg.exception_address)
return DBG_CONTINUE
dbg = pydbg()
def main():
global conf
# try:
# proc_name = sys.argv[1]
# except:
# print "usage: %s <proc_name>" % sys.argv[0]
# return -1
# proc_name="firefox.exe"
proc_name = "plugin-container.exe"
found = False
idle_max = 60*1 # 1 min TESTING
email_addr="" # change me! preferably a phone email address!
# list of programs to monitor for/kill
deny_program_list = ["sc2.exe", "iw5mp.exe", "smplayer.exe"]
# list of window titles to monitor for/kill
deny_title_list = ["slashdot", "reddit", "starcraft", "facebook"]
###########################################################################################
last_input = 0
timer = 0
idle=False
message_sent = False
pydb = pydbg.pydbg()
w=win32gui
#currently I've only tested this against *@gmail.com so be warned if it doesnt work
# for your specific email address... Also any help appreciated.. :)
def send_msg(email, msg):
try:
domain = email[email.find("@")+1:]
servers = dns.resolver.query(domain, 'MX')
except:
return -2
msg = MIMEText(msg)
msg['Subject'] = 'Idle time exceeded max!'
msg['From'] = "*****@*****.**"
msg['To'] = email
import sys
print sys.path
import os
print os.path
import os
import time
import thread
import injection
import ctypes
from pydbg import pydbg
dbg = pydbg(False)
inject = injection.inject()
#thread.start_new_thread(dbg.load, (r"c:\windows\system32\calc.exe", None, True))
thread.start_new_thread(dbg.load, (r"c:\python27\python.exe", None, True))
while not dbg.pid:
time.sleep(0.01)
#dbg.pid = 0x11ac
#dbg.open_process(dbg.pid)
print dbg.pid, os.getcwd() + r"\bootstrap.dll"
base = inject.inject_dll(os.getcwd() + r"\bootstrap.dll", dbg.pid)
print "Injected"
#alternatively use base-local=delta
import os
import pydbg
# If we want to be clever about dumping the right stuff...
#
# import pefile
exe_path = "calc-aspack.exe"
print '> starting process...'
process_handle = os.spawnl(os.P_NOWAIT, exe_path, exe_path)
print '> process started. Process Handle %d' % process_handle
dbg = pydbg.pydbg()
print dbg.enumerate_processes()
process_pid = None
for pid, name in dbg.enumerate_processes():
if exe_path in name:
process_pid = pid
if process_pid is None:
print 'Could not attach, process not found'
os.sys.exit(1)
print '> found proces with PID %d' % process_pid
print '> attaching'
dbg.attach(process_pid)
def __init__(self): self.dbg = pydbg() self.viewer = HitboxViewer(self) self.renderer = Renderer(self)
import utils
gimme=[]
HKEY_CLASSES_ROOT = '0x80000000L'
HKEY_CURRENT_USER = '******'
HKEY_LOCAL_MACHINE = '0x80000002L'
HKEY_USERS = '0x80000003L'
hkeys={}
hkeys[HKEY_CLASSES_ROOT] = "HKEY_CLASSES_ROOT"
hkeys[HKEY_CURRENT_USER] = "HKEY_CURRENT_USER"
hkeys[HKEY_LOCAL_MACHINE] = "HKEY_LOCAL_MACHINE"
hkeys[HKEY_USERS] = "HKEY_USERS"
pyd = pydbg.pydbg()
hooks = utils.hook_container()
# KISS for now...
def read_arg_str(pyd, args, arg_num):
arg_num -= 1
buffer = ""
offset = 0
if args == 0: # NULL case
return 0
while 1:
byte = pyd.read_process_memory(args[arg_num]+offset, 1)
if(byte != "\x00"):
buffer += byte
offset += 1
