def attach(clx, target, script="", sysroot=None): showbanner('attaching', 'purple', '[=]') windbgxPath = 'windbgx' load_windbg = [windbgxPath, '-p'] if isinstance(target, int): load_windbg.append(str(target)) # target is pid else: load_windbg.append(str(target.pid)) script = context.dbginit + '\n' + script + '\n' tmp = tempfile.NamedTemporaryFile(prefix='winpwn_', suffix='.dbg', delete=False) tmp.write(Latin1_encode(script)) tmp.flush() tmp.close() load_windbg += ['-c'] # exec command load_windbg += [ '"$$><{}'.format(tmp.name) + ';.shell -x del {}"'.format(tmp.name) ] # print('script:',script) # print('load:',load_windbg) ter = subprocess.Popen(' '.join(load_windbg)) while (os.path.exists(tmp.name)): # wait_for_debugger pass target.debugger = ter # mark('attached') return ter.pid
def attach(clx, target, script="", sysroot=None): showbanner('attaching', 'purple', '[=]') if context.windbg_path is None: raise Exception( color("can't find windbg.exe, plz set context.windbg_path", 'red')) else: windbgPath = context.windbg load_windbg = [windbgPath, '-p'] if isinstance(target, int): load_windbg.append(str(target)) else: load_windbg.append(str(target.pid)) script = context.dbginit + '\n' + script + '\n' tmp = tempfile.NamedTemporaryFile(prefix='winpwn_', suffix='.dbg', delete=False) tmp.write(Latin1_encode(script)) tmp.flush() tmp.close() load_windbg += ['-c'] # exec command load_windbg += [ '$$><{}'.format(tmp.name) + ';.shell -x del {}'.format(tmp.name) ] # print('script:',script) # print('load:',load_windbg) ter = subprocess.Popen(load_windbg) while (os.path.exists(tmp.name)): # wait_for_debugger pass target.debugger = ter return ter.pid
def recvn(self, n, timeout=None): # must recv n bytes within timeout showbanner("Recv") buf = self.read(n, timeout) if len(buf) != n: raise (EOFError(color("[-]: Timeout when use recvn", 'red'))) showbuf(buf) return buf
def recv_thread(): try: while not go.is_set(): buf = self.read(0x10000, 0.125, interactive=True) if buf: showbuf(buf, is_noout=False) showbanner('Interacting', is_noout=False) go.wait(0.2) except KeyboardInterrupt: go.set() print(color('[-]: Exited', 'red'))
def __init__(self, ip, port, family=socket.AF_INET, socktype=socket.SOCK_STREAM): tube.__init__(self) self.sock = socket.socket(family, socktype) # self.ip = ip # self.port = port self._is_exit = False try: showbanner("Connecting to ({},{})".format(ip, port)) self.sock.settimeout(self.timeout) self.sock.connect((ip, port)) except: raise (EOFError( color("[-]: Connect to ({},{}) failed".format(ip, port), 'red')))
def interactive(self): # it exited, contrl+C, timeout showbanner('Interacting', is_noout=False) go = threading.Event() go.clear() def recv_thread(): try: while not go.is_set(): buf = self.read(0x10000, 0.125, interactive=True) if buf: showbuf(buf, is_noout=False) showbanner('Interacting', is_noout=False) go.wait(0.2) except KeyboardInterrupt: go.set() print(color('[-]: Exited', 'red')) t = threading.Thread(target=recv_thread) t.daemon = True t.start() try: while not go.is_set(): go.wait(0.2) try: if self.is_exit(): time.sleep(0.2) # wait for time to read output buf = sys.stdin.readline() if buf: self.write(buf) # remote.write() may cause exception except: go.set() print(color('[-]: Exited', 'red')) break except KeyboardInterrupt: # control+C go.set() print(color('[-]: Exited', 'red')) while t.is_alive(): t.join(timeout=0.1)
def create(self, argv, cwd=None, flags=None): lpCurrentDirectory = cwd lpEnvironment = None dwCreationFlags = flags bInheritHandles = True lpProcessAttributes = None lpThreadAttributes = None lpProcessInformation = PROCESS_INFORMATION() StartupInfo = STARTUPINFO() StartupInfo.cb = sizeof(StartupInfo) StartupInfo.dwFlags = STARTF_USESTDHANDLES StartupInfo.hStdInput = self.child_hReadPipe StartupInfo.hStdOutput = self.child_hWritePipe StartupInfo.hStdError = self.child_hWritePipe lpStartupInfo = byref(StartupInfo) lpCommandLine = None lpApplicationName = None if not isinstance(argv, list): lpApplicationName = Latin1_encode(argv) else: lpCommandLine = Latin1_encode((" ".join([str(a) for a in argv]))) try: bs = windll.kernel32.CreateProcessA( lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, byref(StartupInfo), byref(lpProcessInformation)) self.pid = lpProcessInformation.dwProcessId self.phandle = lpProcessInformation.hProcess self.tid = lpProcessInformation.dwThreadId self.thandle = lpProcessInformation.hThread showbanner('Create process success #pid 0x{:x}'.format(self.pid)) except: raise (EOFError(color("[-]: Create process error", 'red')))
def recvuntil(self, delim, drop=True, timeout=None): showbanner("Recv") if timeout is None: if self.timeout: timeout = self.timeout else: timeout = context.timeout buf = '' st = time.time() xt = st while (buf[-len(delim):] != delim): buf += self.read(1, timeout=timeout - (xt - st)) if self.debugger is None: xt = time.time() if (xt - st) >= timeout: break if not buf.endswith(delim): raise (EOFError(color("[-]: Recvuntil error", 'red'))) if drop: buf = buf[:-len(delim)] showbuf(buf) return buf
def recvall(self, timeout=None): showbanner('Recv') buf = self.read(0x100000, timeout) showbuf(buf) return buf
def recv(self, n, timeout=None): # try to read n bytes, no exception showbanner('Recv') buf = self.read(n, timeout) showbuf(buf) return buf
def send(self, buf): showbanner('Send') rs = self.write(buf) showbuf(buf) return rs