def __init__(self, addresses): self.dbg = pydbg.pydbg() self.addresses = addresses self.libraries = {} self.dbg.set_callback(pydbg.LOAD_DLL_DEBUG_EVENT, self.library_loaded) self.dbg.set_callback(pydbg.EXCEPTION_BREAKPOINT, self.bp_handler)
def __init__(self, process_monitor, process, pid_to_ignore=None): """ Instantiate a new PyDbg instance and register user and access violation callbacks. """ threading.Thread.__init__(self) self.process_monitor = process_monitor self.proc_name = process self.ignore_pid = pid_to_ignore self.access_violation = False self.active = True self.dbg = pydbg.pydbg() self.pid = None # give this thread a unique name. self.setName("%d" % time.time()) self.process_monitor.log( "debugger thread initialized with UID: %s" % self.getName(), 5) # set the user callback which is response for checking if this thread has been killed. self.dbg.set_callback(pydbg.defines.USER_CALLBACK_DEBUG_EVENT, self.dbg_callback_user) self.dbg.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION, self.dbg_callback_access_violation)
def monitor_browser_crash(browser_path,command_line) : debugger=pydbg.pydbg() debugger.load(browser_path,command_line) debugger.set_callback(pydbg.defines.CREATE_PROCESS_DEBUG_EVENT,create_process_debug_event_handle) debugger.run() debugger.wait_for_process_exit() debugger.detach() kill_all_process()
def __init__ (self, pid): """ instantiate an internal pydbg instance and open a handle to the target process. we are not actually attaching! """ self.dbg = pydbg.pydbg() self.snapshots = {} # get debug privileges and open the target process. self.dbg.get_debug_privileges() self.dbg.open_process(int(pid))
def __init__(self, pid): """ instantiate an internal pydbg instance and open a handle to the target process. we are not actually attaching! """ self.dbg = pydbg.pydbg() self.snapshots = {} # get debug privileges and open the target process. self.dbg.get_debug_privileges() self.dbg.open_process(int(pid))
def add(self, proc_name): for proc in psutil.process_iter(): if proc.name().lower() == proc_name.lower(): print '[{}] {}'.format(proc.pid, proc.name()) dbg = pydbg.pydbg() dbg.attach(proc.pid) hook_addr = dbg.func_resolve_debuggee('kernel32.dll', 'DeviceIoControl') self.hooks.add(dbg, hook_addr, 8, self.log, None) dbg.run() '''
def __init__(self,file=None): self.file = file self.pe = None # Load signature file self.loadutil = peutils.SignatureDatabase("userdb.txt") if self.file: self.pe = pefile.PE(file) # variables required for pydbg self.dbg = pydbg.pydbg() # elevate overall privilege self.dbg.get_debug_privileges() self.h_process = None self.volimage = None
def __init__(self, file=None): self.file = file self.pe = None # Load signature file self.loadutil = peutils.SignatureDatabase("userdb.txt") if self.file: self.pe = pefile.PE(file) # variables required for pydbg self.dbg = pydbg.pydbg() # elevate overall privilege self.dbg.get_debug_privileges() self.h_process = None self.volimage = None
def main() : browser_process=create_process(BROWSER_PATH+' '+BROWSER_ARG_LIST+' '+FUZZING_URL) global BROWSER_PID global debugger BROWSER_PID=browser_process[2] # browser_process[2] === PID time.sleep(0.2) debugger=pydbg.pydbg() # try : debugger.attach(BROWSER_PID) # get_sub_process(BROWSER_PID)[0]) debugger.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION,crash_recall_access_violation) debugger.set_callback(pydbg.defines.EXCEPTION_GUARD_PAGE,crash_recall_guard_page) debugger.set_callback(EXCEPTION_STACK_OVEWFLOW,crash_recall_stack_overflow) debugger.run() win32event.WaitForSingleObject(browser_process[0],-1) # browser_process[0] === Process Handle
def run(self): while 1: os.system('taskkill /T /F /IM '+ self.cf.image + '> logs/null') time.sleep(3) dbg = pydbg.pydbg() dbg.load(self.cf.targetpath, command_line=self.InitPage) self.tellme(self.cf.image + ' running...' + 'pid='+str(dbg.pid)) time.sleep(1) dbg_browser = self.crasher.hook(dbg) if dbg_browser!=None: dbg_browser.run() self.tellme(self.cf.target + ' crash... ') dosfile = self.cf.logspath + '\\dos-' + hashlib.md5(str(datetime.datetime.now())).hexdigest() + '.html' dosurl = 'http://'+self.cf.host + ':' + self.cf.port + '/cur' urllib.urlretrieve(dosurl, dosfile)
def run(self): while 1: os.system('taskkill /T /F /IM ' + self.cf.image + '> logs/null') time.sleep(3) dbg = pydbg.pydbg() dbg.load(self.cf.targetpath, command_line=self.InitPage) self.tellme(self.cf.image + ' running...' + 'pid=' + str(dbg.pid)) time.sleep(1) dbg_browser = self.crasher.hook(dbg) if dbg_browser != None: dbg_browser.run() self.tellme(self.cf.target + ' crash... ') dosfile = self.cf.logspath + '\\dos-' + hashlib.md5( str(datetime.datetime.now())).hexdigest() + '.html' dosurl = 'http://' + self.cf.host + ':' + self.cf.port + '/cur' urllib.urlretrieve(dosurl, dosfile)
def monitor_browser_crash(browser_path, command_line): debugger = pydbg.pydbg() debugger.load(browser_path, command_line) debugger.set_callback(pydbg.defines.CREATE_PROCESS_DEBUG_EVENT, create_process_debug_event_handle) debugger.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION, access_exception_debug_event_handle) debugger.set_callback(pydbg.defines.EXCEPTION_BREAKPOINT, breakpoint_exception_debug_event_handle) debugger.set_callback(pydbg.defines.EXCEPTION_GUARD_PAGE, access_exception_debug_event_handle) debugger.set_callback(pydbg.defines.EXCEPTION_STACK_OVEWFLOW, access_exception_debug_event_handle) debugger.run() debugger.wait_for_process_exit() debugger.detach()
def main() : browser_process=create_process(BROWSER_PATH+' '+BROWSER_ARG_LIST+' '+FUZZING_URL) global BROWSER_PID global debugger BROWSER_PID=browser_process[2] # browser_process[2] === PID time.sleep(0.2) debugger=pydbg.pydbg() try : debugger.attach(BROWSER_PID) # get_sub_process(BROWSER_PID)[0]) debugger.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION,dump_process_and_restart) debugger.set_callback(pydbg.defines.EXCEPTION_GUARD_PAGE,dump_process_and_restart) debugger.set_callback(EXCEPTION_STACK_OVEWFLOW,dump_process_and_restart) debugger.run() win32event.WaitForSingleObject(browser_process[0],-1) # browser_process[0] === Process Handle except : print 'WARNING! pydbg can not attach to this process ,maybe you attach to a 64-bit process ,pydbg jut support attach to 32-bit process!' exit()
def main(): browser_process = create_process(BROWSER_PATH + ' ' + BROWSER_ARG_LIST + ' ' + FUZZING_URL) global BROWSER_PID global debugger BROWSER_PID = browser_process[2] # browser_process[2] === PID time.sleep(0.2) debugger = pydbg.pydbg() # try : debugger.attach(BROWSER_PID) # get_sub_process(BROWSER_PID)[0]) debugger.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION, crash_recall_access_violation) debugger.set_callback(pydbg.defines.EXCEPTION_GUARD_PAGE, crash_recall_guard_page) debugger.set_callback(EXCEPTION_STACK_OVEWFLOW, crash_recall_stack_overflow) debugger.run() win32event.WaitForSingleObject( browser_process[0], -1) # browser_process[0] === Process Handle
def stop_target(self): """ Kill the current debugger thread and stop the target process by issuing the commands in self.stop_commands. """ # give the debugger thread a chance to exit. time.sleep(1) self.log("stopping target process") for command in self.stop_commands: if command == "TERMINATE_PID": dbg = pydbg.pydbg() for (pid, name) in dbg.enumerate_processes(): if name.lower() == self.proc_name.lower(): os.system("taskkill /pid %d" % pid) break else: os.system(command)
def stop_target (self): """ Kill the current debugger thread and stop the target process by issuing the commands in self.stop_commands. """ # give the debugger thread a chance to exit. time.sleep(1) self.log("stopping target process") for command in self.stop_commands: if command == "TERMINATE_PID": dbg = pydbg.pydbg() for (pid, name) in dbg.enumerate_processes(): if name.lower() == self.proc_name.lower(): os.system("taskkill /pid %d" % pid) break else: os.system(command)
def __init__ (self, process_monitor, process, pid_to_ignore=None): """ Instantiate a new PyDbg instance and register user and access violation callbacks. """ threading.Thread.__init__(self) self.process_monitor = process_monitor self.proc_name = process self.ignore_pid = pid_to_ignore self.access_violation = False self.active = True self.dbg = pydbg.pydbg() self.pid = None # give this thread a unique name. self.setName("%d" % time.time()) self.process_monitor.log("debugger thread initialized with UID: %s" % self.getName(), 5) # set the user callback which is response for checking if this thread has been killed. self.dbg.set_callback(pydbg.defines.USER_CALLBACK_DEBUG_EVENT, self.dbg_callback_user) self.dbg.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION, self.dbg_callback_access_violation)
def test_create_pydbg(self): import pydbg from pydbg import defines from pydbg import utils tst_pydbg = pydbg.pydbg()
def __init__(self): self.dbg = pydbg() self.config = Config() self.process = Process(self) self.gameState = GameState(self) self.renderer = Renderer(self)
output.v_tmp_is_pt_stacks_before_api_parse = False # is pt callstacks before parsing api output.v_tmp_is_pt_parse_api_summary_collision = False # is pt api summary collision when parsing api records debugee.v_tmp_is_pt_func_invoke = False # is pt func invoke # pt when process exit apis.v_tmp_is_pt_process_exit_call_stacks = True # is pt call stacks when process exit apis.v_tmp_is_pt_process_exit_api_summary = True # is pt api summary when process exit apis.v_tmp_is_pt_manual_resolved_funcs = False # is pt debugee manual resolved funcs. we use this to enrich functionality of xrkpydbg. debugee.v_tmp_is_pt_func_tree_when_process_exit = True # is pt func tree when process exit debugee.v_tmp_is_pt_func_cnt_when_process_exit = True # is pt func cnt when process exit log.v_tmp_is_save_process_exit_log = False # is save log record to file # --------------------------------------------------------------------------- # dbg session dbg = pydbg.pydbg(is_log=False) dbg.set_callback(defines.LOAD_DLL_DEBUG_EVENT, callback_func=callback_load_sys_dll) dbg.set_callback(defines.EXIT_PROCESS_DEBUG_EVENT, callback_func=callback_process_exit) dbg.set_callback(defines.EXCEPTION_DEBUG_EVENT, callback_func=callback_any_exception) dbg.load(target_file, command_line=cmd_line) # actually, len(dbg.system_dlls) == 0, so we don't install hook here dbg.run() print "xrkpydbg - debug session finish" # --------------------------------------------------------------------------- output.export_api_summary() print "xrkpydbg - export api summary finish" print "=" * 200
def crash_recall_access_violation(self): check_valueble_crash(self, pydbg.defines.EXCEPTION_ACCESS_VIOLATION) def crash_recall_exit_process(self): check_valueble_crash(self, pydbg.defines.EXIT_PROCESS_DEBUG_EVENT) def crash_recall_stack_overflow(self): check_valueble_crash(self, EXCEPTION_STACK_OVERFLOW) if __name__ == '__main__': poc_count = int(requests.get(POC_COUNT_URL).text) debugger = pydbg.pydbg() debugger.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION, crash_recall_access_violation) debugger.set_callback(pydbg.defines.EXCEPTION_GUARD_PAGE, crash_recall_guard_page) debugger.set_callback(pydbg.defines.EXIT_PROCESS_DEBUG_EVENT, crash_recall_exit_process) debugger.set_callback(EXCEPTION_STACK_OVERFLOW, crash_recall_stack_overflow) browser_process = None if len(sys.argv) == 3 and str.isdigit( sys.argv[1]) and sys.argv[2] == 'debug': if poc_count >= int(sys.argv[1]): browser_process = create_process(BROWSER_PATH + ' ' + POC_URL + str(sys.argv[1]))
def crash_recall_guard_page(self) : check_valueble_crash(self,pydbg.defines.EXCEPTION_GUARD_PAGE) def crash_recall_access_violation(self) : check_valueble_crash(self,pydbg.defines.EXCEPTION_ACCESS_VIOLATION) def crash_recall_exit_process(self) : check_valueble_crash(self,pydbg.defines.EXIT_PROCESS_DEBUG_EVENT) def crash_recall_stack_overflow(self) : check_valueble_crash(self,EXCEPTION_STACK_OVERFLOW) if __name__=='__main__' : poc_count=int(requests.get(POC_COUNT_URL).text) debugger=pydbg.pydbg() debugger.set_callback(pydbg.defines.EXCEPTION_ACCESS_VIOLATION,crash_recall_access_violation) debugger.set_callback(pydbg.defines.EXCEPTION_GUARD_PAGE,crash_recall_guard_page) debugger.set_callback(pydbg.defines.EXIT_PROCESS_DEBUG_EVENT,crash_recall_exit_process) debugger.set_callback(EXCEPTION_STACK_OVERFLOW,crash_recall_stack_overflow) browser_process=None if len(sys.argv)==3 and str.isdigit(sys.argv[1]) and sys.argv[2]=='debug' : if poc_count>=int(sys.argv[1]) : browser_process=create_process(BROWSER_PATH+' '+POC_URL+str(sys.argv[1])) exploit_index=int(sys.argv[1]) debugger_state=True elif len(sys.argv)==2 and str.isdigit(sys.argv[1]) : if poc_count>int(sys.argv[1]) : browser_process=create_process(BROWSER_PATH+' '+POC_URL+str(sys.argv[1])) exploit_index=int(sys.argv[1])
port = htons(info[1]) print "ws2_32.connect() called from thread %d @%#x" % (pydbg.dbg.dwThreadId, pydbg.exception_address) if (config.port == port or config.port == 0): print "socket: %x, port: %d" % (s, port) conn = connection(s, 0, port) conf.sniff.add_conn(conn) return DBG_CONTINUE def _CreateThread(pydbg): print "kernel32.CreateThread() called from thread %d @%x" % (pydbg.dbg.dwThreadId, pydbg.exception_address) return DBG_CONTINUE dbg = pydbg() def main(): global conf # try: # proc_name = sys.argv[1] # except: # print "usage: %s <proc_name>" % sys.argv[0] # return -1 # proc_name="firefox.exe" proc_name = "plugin-container.exe" found = False
idle_max = 60*1 # 1 min TESTING email_addr="" # change me! preferably a phone email address! # list of programs to monitor for/kill deny_program_list = ["sc2.exe", "iw5mp.exe", "smplayer.exe"] # list of window titles to monitor for/kill deny_title_list = ["slashdot", "reddit", "starcraft", "facebook"] ########################################################################################### last_input = 0 timer = 0 idle=False message_sent = False pydb = pydbg.pydbg() w=win32gui #currently I've only tested this against *@gmail.com so be warned if it doesnt work # for your specific email address... Also any help appreciated.. :) def send_msg(email, msg): try: domain = email[email.find("@")+1:] servers = dns.resolver.query(domain, 'MX') except: return -2 msg = MIMEText(msg) msg['Subject'] = 'Idle time exceeded max!' msg['From'] = "*****@*****.**" msg['To'] = email
import sys print sys.path import os print os.path import os import time import thread import injection import ctypes from pydbg import pydbg dbg = pydbg(False) inject = injection.inject() #thread.start_new_thread(dbg.load, (r"c:\windows\system32\calc.exe", None, True)) thread.start_new_thread(dbg.load, (r"c:\python27\python.exe", None, True)) while not dbg.pid: time.sleep(0.01) #dbg.pid = 0x11ac #dbg.open_process(dbg.pid) print dbg.pid, os.getcwd() + r"\bootstrap.dll" base = inject.inject_dll(os.getcwd() + r"\bootstrap.dll", dbg.pid) print "Injected" #alternatively use base-local=delta
import os import pydbg # If we want to be clever about dumping the right stuff... # # import pefile exe_path = "calc-aspack.exe" print '> starting process...' process_handle = os.spawnl(os.P_NOWAIT, exe_path, exe_path) print '> process started. Process Handle %d' % process_handle dbg = pydbg.pydbg() print dbg.enumerate_processes() process_pid = None for pid, name in dbg.enumerate_processes(): if exe_path in name: process_pid = pid if process_pid is None: print 'Could not attach, process not found' os.sys.exit(1) print '> found proces with PID %d' % process_pid print '> attaching' dbg.attach(process_pid)
def __init__(self): self.dbg = pydbg() self.viewer = HitboxViewer(self) self.renderer = Renderer(self)
import utils gimme=[] HKEY_CLASSES_ROOT = '0x80000000L' HKEY_CURRENT_USER = '******' HKEY_LOCAL_MACHINE = '0x80000002L' HKEY_USERS = '0x80000003L' hkeys={} hkeys[HKEY_CLASSES_ROOT] = "HKEY_CLASSES_ROOT" hkeys[HKEY_CURRENT_USER] = "HKEY_CURRENT_USER" hkeys[HKEY_LOCAL_MACHINE] = "HKEY_LOCAL_MACHINE" hkeys[HKEY_USERS] = "HKEY_USERS" pyd = pydbg.pydbg() hooks = utils.hook_container() # KISS for now... def read_arg_str(pyd, args, arg_num): arg_num -= 1 buffer = "" offset = 0 if args == 0: # NULL case return 0 while 1: byte = pyd.read_process_memory(args[arg_num]+offset, 1) if(byte != "\x00"): buffer += byte offset += 1