def get_processes(self): """ Returns a table of all running processes with their pid and filename. @rtype: str @return: A table listing all running processes. """ system = winappdbg.System() # We can reuse example 02 from the docs # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes table = winappdbg.Table("\t") table.addRow("", "") header = ("pid", "process") table.addRow(*header) table.addRow("----", "----------") processes = {} # Add all processes to a dictionary then sort them by pid for process in system: processes[process.get_pid()] = process.get_filename() # Iterate through processes sorted by pid for key in sorted(processes.iterkeys()): table.addRow(key, processes[key]) return table.getOutput()
def post_RegQueryValueExW(self, event, retval): process = event.get_process() process.suspend() table = winappdbg.Table("\t") table.addRow("", "") # Need to watch out for optional parameters if self.lpType is not 0: keyType = process.read_dword(self.lpType) table.addRow("keyType", keyType) valueName = process.peek_string(self.lpValueName, fUnicode=True) size = process.read_dword(self.lpcbData) table.addRow("valueName", valueName) table.addRow("size", size) if self.lpData is not 0: data = process.read(self.lpData, size) table.addRow("data", data) table.addRow("data-hex", data.encode("hex")) mylogger.log_text(table.getOutput()) mylogger.log_text("-"*30) process.resume()
def sysinfo(self): """ Returns information about the system. @rtype: str @return: A table populated with system information. """ # Create a System object # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66 system = winappdbg.System() # Use the built-in Table # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094 table = winappdbg.Table("\t") # New line table.addRow("", "") # Header title = ("System Information", "") table.addRow(*title) # Add system information table.addRow("------------------") table.addRow("Bits", system.bits) table.addRow("OS", system.os) table.addRow("Architecture", system.arch) table.addRow("32-bit Emulation", system.wow64) table.addRow("Admin", system.is_admin()) table.addRow("WinAppDbg", winappdbg.version) table.addRow("Process Count", system.get_process_count()) return table.getOutput()
def main(): parser = argparse.ArgumentParser(description="WinAppDbg stuff.") parser.add_argument("-r", "--run", help="path to application") parser.add_argument("-s", "--sysinfo",action='store_true', help="get System module 's information") parser.add_argument("-p","--process",action='store_true', help="get all running processes") parser.add_argument("-pname","--attach-pname",type=str,dest="pname", help="attach to th pname process") args = parser.parse_args() # Use Win32 API functions provided by WinAppDbg if win32.PathFileExists(args.run) is True: # File exists # Create a Debug object debug = winappdbg.Debug() try: # Debug the app # First item is program and the rest are arguments # execv: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L274 my_process = debug.execv([args.run]) print("Attached to %d - %s" % (my_process.get_pid(), my_process.get_filename())) # Keep debugging until the debugger stops debug.loop() finally: # Stop the debugger debug.stop() print("Debugger stopped.") elif args.sysinfo: # Create a System object # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66 system = winappdbg.System() # Use the built-in WinAppDbg table # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094 table = winappdbg.Table("\t") # New line table.addRow("", "") # Header title = ("System Information", "") table.addRow(*title) # Add system information table.addRow("------------------") table.addRow("Bits", system.bits) table.addRow("OS", system.os) table.addRow("Architecture", system.arch) table.addRow("32-bit Emulation", system.wow64) table.addRow("Admin", system.is_admin()) table.addRow("WinAppDbg", winappdbg.version) table.addRow("Process Count", system.get_process_count()) print(table.getOutput()) table1 = winappdbg.Table("\t") table1.addRow( "Right justified column text", "Left justified column text" ) table1.addRow( "---------------------------", "--------------------------" ) table1.addRow( "example", "text" ) table1.addRow( "jabberwocky", "snark" ) table1.addRow( "Trillian", "Zaphod", "Arthur Dent" ) # one extra! table1.addRow( "Dalek", "Cyberman" ) # By default all columns are left justified. Let's change that. table1.justify( 0, 1 ) # column 0 is now right justified # Let's find out how wide the table is. print("Table width: %d" % table1.getWidth()) # Let's find out how many bytes would it be if written to a file. print("Text size in characters: %d" % len( table1.getOutput() )) print(table1.getOutput()) elif args.process: system = winappdbg.System() # We can reuse example 02 from the docs # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes table = winappdbg.Table("\t") table.addRow("", "") header = ("pid", "process") table.addRow(*header) table.addRow("----", "----------") processes = {} # Add all processes to a dictionary then sort them by pid for process in system: processes[process.get_pid()] = process.get_filename() # Iterate through processes sorted by pid for key in sorted(processes.keys()): table.addRow(key, processes[key]) print(table.getOutput()) elif args.pname: debug = winappdbg.Debug() # example 3: # https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py try: debug.system.scan() for (process, name) in debug.system.find_processes_by_filename(args.pname): print("Found %d, %s" % (process.get_pid(), process.get_filename())) debug.attach(process.get_pid()) print("Attached to %d-%s" % (process.get_pid(), process.get_filename())) debug.loop() finally: debug.stop() else: print("%s not found." % (args.run))
def main(): parser = argparse.ArgumentParser(description="WinAppDbg stuff.") # Make -r and -pid mutually exclusive group = parser.add_mutually_exclusive_group() group.add_argument("-r", "--run", nargs="+", help="path to application followed by parameters") group.add_argument("-pid", "--attach-pid", type=int, dest="pid", help="pid of process to attach and instrument") group.add_argument("-pname", "--attach-process-name", dest="pname", help="pid of process to attach and instrument") parser.add_argument("-i", "--sysinfo", action="store_true", help="print system information") # Add optional log file parser.add_argument("-o", "--output", dest="output", help="log filename") args = parser.parse_args() # Setup logging # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1766 # Log to file global logger if args.output: # verbose=False disables printing to stdout logger = winappdbg.Logger(args.output, verbose=False) else: logger = winappdbg.Logger() if (args.run): # Concat all arguments into a string myargs = " ".join(args.run) # Use Win32 API functions provided by WinAppDbg if win32.PathFileExists(args.run[0]) is True: # File exists # Create a Debug object debug = winappdbg.Debug() try: # We will talk about this in a minute # Debug the app # debug.execv([args.app]) # execl: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L358 my_process = debug.execl(myargs) logger.log_text("Started %d - %s" % (my_process.get_pid(), my_process.get_filename())) # Keep debugging until the debugger stops debug.loop() finally: # Stop the debugger debug.stop() logger.log_text("Debugger stopped.") else: logger.log_text("%s not found." % (args.run[0])) exit() if(args.sysinfo): # Create a System object # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66 system = winappdbg.System() # Use the built-in WinAppDbg table # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094 table = winappdbg.Table("\t") # New line table.addRow("", "") # Header title = ("System Information", "") table.addRow(*title) # Add system information table.addRow("------------------") table.addRow("Bits", system.bits) table.addRow("OS", system.os) table.addRow("Architecture", system.arch) table.addRow("32-bit Emulation", system.wow64) table.addRow("Admin", system.is_admin()) table.addRow("WinAppDbg", winappdbg.version) table.addRow("Process Count", system.get_process_count()) logger.log_text(table.getOutput()) exit() if (args.pid): system = winappdbg.System() # Get all pids pids = system.get_process_ids() if args.pid in pids: # pid exists # Create a Debug object debug = winappdbg.Debug() try: # Attach to pid # attach: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L219 my_process = debug.attach(args.pid) logger.log_text("Attached to %d - %s" % (my_process.get_pid(), my_process.get_filename())) # Keep debugging until the debugger stops debug.loop() finally: # Stop the debugger debug.stop() logger.log_text("Debugger stopped.") else: logger.log_text("pid %d not found." % (args.pid)) exit() # find a process by name and attach to it if (args.pname): debug = winappdbg.Debug() # example 3: # https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py try: debug.system.scan() for (process, name) in debug.system.find_processes_by_filename(args.pname): logger.log_text("Found %d, %s" % (process.get_pid(), process.get_filename())) debug.attach(process.get_pid()) logger.log_text("Attached to %d-%s" % (process.get_pid(), process.get_filename())) debug.loop() finally: # Stop the debugger debug.stop() print "Debugger stopped." exit() # If no arguments, logger.log_text(running processes system = winappdbg.System() # We can reuse example 02 from the docs # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes table = winappdbg.Table("\t") table.addRow("", "") header = ("pid", "process") table.addRow(*header) table.addRow("----", "----------") processes = {} # Add all processes to a dictionary then sort them by pid for process in system: processes[process.get_pid()] = process.get_filename() # Iterate through processes sorted by pid for key in sorted(processes.iterkeys()): table.addRow(key, processes[key]) logger.log_text(table.getOutput())
def main(): parser = argparse.ArgumentParser(description="WinAppDbg stuff.") parser.add_argument("-r", "--run", nargs="+", help="path to application followed by parameters") parser.add_argument("-i", "--sysinfo", action="store_true", help="print system information") args = parser.parse_args() if (args.run): # Concat all arguments into a string myargs = " ".join(args.run) # Use Win32 API functions provided by WinAppDbg if win32.PathFileExists(args.run[0]) is True: # File exists # Create a Debug object debug = winappdbg.Debug() try: # We will talk about this in a minute # Debug the app # debug.execv([args.app]) # execl: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L358 my_process = debug.execl(myargs) print "Started %d - %s" % (my_process.get_pid(), my_process.get_filename()) # kKep debugging until the debugger stops debug.loop() finally: # Stop the debugger debug.stop() print "Debugger stopped." else: print "%s not found." % (args.run[0]) exit() if(args.sysinfo): # Create a System object # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66 system = winappdbg.System() # Use the built-in WinAppDbg table # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094 table = winappdbg.Table("\t") # New line table.addRow("", "") # Header title = ("System Information", "") table.addRow(*title) # Add system information table.addRow("------------------") table.addRow("Bits", system.bits) table.addRow("OS", system.os) table.addRow("Architecture", system.arch) table.addRow("32-bit Emulation", system.wow64) table.addRow("Admin", system.is_admin()) table.addRow("WinAppDbg", winappdbg.version) table.addRow("Process Count", system.get_process_count()) print table.getOutput() exit() # If no arguments, print running processes system = winappdbg.System() # We can reuse example 02 from the docs # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes table = winappdbg.Table("\t") table.addRow("", "") header = ("pid", "process") table.addRow(*header) table.addRow("----", "----------") processes = {} # Add all processes to a dictionary then sort them by pid for process in system: processes[process.get_pid()] = process.get_filename() # Iterate through processes sorted by pid for key in sorted(processes.iterkeys()): table.addRow(key, processes[key]) print table.getOutput()
import winappdbg # If no arguments, print running processes system = winappdbg.System() # We can reuse example 02 from the docs # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes table = winappdbg.Table("\t") table.addRow("", "") header = ("pid", "process") table.addRow(*header) table.addRow("----", "----------") processes = {} # Add all processes to a dictionary then sort them by pid for process in system: processes[process.get_pid()] = process.get_filename() # Iterate through processes sorted by pid for key in sorted(processes.iterkeys()): table.addRow(key, processes[key]) print table.getOutput()