def AccessViolationHandlerWINAPPDBG(event):
'''
Handle access violation while using winappdbg
'''
global curr_input
code = event.get_event_code()
if event.get_event_code() == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
crash = Crash(event)
crash.fetch_extra_data(event)
details = crash.fullReport(bShowNotes=True)
violation_addr = hex(crash.registers['Eip'])
thetime = datetime.now().strftime("%Y_%m_%d_%H_%M_%S")
exe_name = event.get_process().get_filename().split('\\')[-1]
crashfilename = 'crash_'+'_'+ curr_input.split('fuzz-')[1] +'.'+curr_input.split('.')[-1]
synfilename = crash_dir+exe_name+'\\'+ violation_addr +'\\'+crashfilename + '.txt'
if not os.path.exists(crash_dir+exe_name):
os.makedirs(crash_dir+exe_name)
if not os.path.exists(crash_dir+exe_name+'\\'+violation_addr):
os.makedirs(crash_dir+exe_name+'\\'+violation_addr)
shutil.copyfile(curr_input,crash_dir+exe_name+'\\'+violation_addr+'\\'+curr_input.split('fuzz-')[1])
logger.info('[+]',datetime.now().strftime("%Y:%m:%d::%H:%M:%S"),'BOOM!! APP Crashed :','Crash file Copied to ',(exe_name+'\\'+violation_addr+'\\'+crashfilename))
syn = open(synfilename,'w')
syn.write(details)
syn.close()
logger.debug('[+] '+ datetime.now().strftime("%Y:%m:%d::%H:%M:%S")+' Killing half dead process')
try:
event.get_process().kill()
except:
ForceKillOffice()
def debug_loop(self, e):
code = e.get_event_code()
self.event = e
if code == win32.EXCEPTION_DEBUG_EVENT and e.is_last_chance():
try:
crash = Crash(e)
crash.fetch_extra_data(e)
dump_log = crash.fullReport(False)
except:
pass
crash_type = dump_log.split('\n')[2].split(':')[1]
dirname = '/' + crash_type + '_' + str(time.time())
os.mkdir('./logs' + dirname)
original_seed = copyfile(r"seed/%s" % self.seed_name,
r"logs%s/%s" % (dirname, "original_seed"))
mutated_seed = copyfile(r"./%s" % self.mutated_name,
r"logs%s/%s" % (dirname, "mutated_bin"))
crash_path = "./logs" + dirname + "/crash_dump.txt"
f = open(crash_path, 'w')
f.write(dump_log)
f.close()
print "[***] Exception Occurred -> saved in \"%s\" folder" % dirname
self.access_vi = True
e.get_process().kill()
self.debug.stop()
def my_event_handler(event):
global result_dir, g_cur_file
# Get the event name.
name = event.get_event_name()
# Get the event code.
code = event.get_event_code()
# Get the process ID where the event occured.
pid = event.get_pid()
# Get the thread ID where the event occured.
tid = event.get_tid()
if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
print " [*]:Crash detected with %s, storing crash dump ..." % g_cur_file
crash = Crash(event)
# You can turn it into a full crash dump (recommended).
# crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump
crash.fetch_extra_data(event,
takeMemorySnapshot=1) # small memory dump
# crash.fetch_extra_data( event, takeMemorySnapshot = 2 ) # full memory dump
result_file = os.path.join(result_dir,
"%s.result" % os.path.basename(g_cur_file))
print result_file
with open(result_file, mode='w') as f:
f.write(crash.fullReport())
f.close()
print " [*]:Crash result saved in %s !" % result_file
# Kill the process.
event.get_process().kill()
def my_event_handler( event ):
# Get the event name.
name = event.get_event_name()
# Get the event code.
code = event.get_event_code()
# Get the process ID where the event occured.
pid = event.get_pid()
# Get the thread ID where the event occured.
tid = event.get_tid()
# Get the value of EIP at the thread.
pc = event.get_thread().get_pc()
# Show something to the user.
bits = event.get_process().get_bits()
format_string = "%s (%s) at address %s, process %d, thread %d"
message = format_string % ( name,
HexDump.integer(code, bits),
HexDump.address(pc, bits),
pid,
tid )
print message
# If the event is a crash...
if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
print "Crash detected, storing crash dump in database..."
# Generate a minimal crash dump.
crash = Crash( event )
# You can turn it into a full crash dump (recommended).
# crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump
# crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump
crash.fetch_extra_data( event, takeMemorySnapshot = 2 ) # full memory dump
# Connect to the database. You can use any URL supported by SQLAlchemy.
# For more details see the reference documentation.
dao = CrashDAO( "sqlite:///crashes.sqlite" )
#dao = CrashDAO( "mysql+MySQLdb://root:toor@localhost/crashes" )
# Store the crash dump in the database.
dao.add( crash )
# If you do this instead, heuristics are used to detect duplicated
# crashes so they aren't added to the database.
# dao.add( crash, allow_duplicates = False )
# You can also launch the interactive debugger from here. Try it! :)
# event.debug.interactive()
# Kill the process.
event.get_process().kill()
def my_event_handler( event ):
# Get the event name.
name = event.get_event_name()
# Get the event code.
code = event.get_event_code()
# Get the process ID where the event occured.
pid = event.get_pid()
# Get the thread ID where the event occured.
tid = event.get_tid()
# Get the value of EIP at the thread.
pc = event.get_thread().get_pc()
# Show something to the user.
bits = event.get_process().get_bits()
format_string = "%s (%s) at address %s, process %d, thread %d"
message = format_string % ( name,
HexDump.integer(code, bits),
HexDump.address(pc, bits),
pid,
tid )
print(message)
# If the event is a crash...
if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
print("Crash detected, storing crash dump in database...")
# Generate a minimal crash dump.
crash = Crash( event )
# You can turn it into a full crash dump (recommended).
# crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump
# crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump
crash.fetch_extra_data( event, takeMemorySnapshot = 2 ) # full memory dump
# Connect to the database. You can use any URL supported by SQLAlchemy.
# For more details see the reference documentation.
dao = CrashDAO( "sqlite:///crashes.sqlite" )
#dao = CrashDAO( "mysql+MySQLdb://root:toor@localhost/crashes" )
# Store the crash dump in the database.
dao.add( crash )
# If you do this instead, heuristics are used to detect duplicated
# crashes so they aren't added to the database.
# dao.add( crash, allow_duplicates = False )
# You can also launch the interactive debugger from here. Try it! :)
# event.debug.interactive()
# Kill the process.
event.get_process().kill()
def handler(self, event):
if (
event.get_event_code() == win32.EXCEPTION_DEBUG_EVENT
and event.get_exception_code() != win32.STATUS_BREAKPOINT
and (event.is_last_chance() or event.get_exception_code() in self.alwaysCatchExceptions)
):
crash = Crash(event)
report = CrashReport()
crash = Crash(event)
(exploitable, type, info) = crash.isExploitable()
try:
report.code = event.get_thread().disassemble(crash.pc, 0x10)[0][2]
except:
report.code = "Could not disassemble"
if crash.faultAddress is None or MemoryAddresses.align_address_to_page_start(crash.faultAddress) == 0:
report.nearNull = True
else:
report.nearNull = False
report.type = type
lib = event.get_thread().get_process().get_module_at_address(crash.pc)
if lib != None:
report.location = lib.get_label_at_address(crash.pc)
else:
report.location = HexDump.address(crash.pc, event.get_thread().get_process().get_bits())[-4:]
if crash.faultAddress == None:
crash.faultAddress = 0
report.faultAddr = HexDump.address(crash.faultAddress, event.get_thread().get_process().get_bits())
report.stack = ""
stList = self.getStackTraceRelList(event.get_thread())
if len(stList) > 0:
for ra in stList:
lib = event.get_thread().get_process().get_module_at_address(ra)
if lib != None:
report.stack += (
lib.get_label_at_address(ra)
+ " "
+ HexDump.address(ra, event.get_thread().get_process().get_bits())
+ "\n"
)
else:
report.stack += HexDump.address(ra, event.get_thread().get_process().get_bits()) + "\n"
if report.stack == "":
report.stack = "NO_STACK"
report.info = crash.fullReport()
return report
return None
def debuggerEventHandler(self, event):
code = event.get_event_code()
crash = Crash(event)
if code == win32.EXCEPTION_DEBUG_EVENT and crash.firstChance:
status, rule, description = crash.isExploitable()
if rule=='Unknown' or rule=='Breakpoint':
return
print 'WindowsDebugEngine: We found interesting exception'
print 'WindowsDebugEngine: %08x, %s, %s, %s' % (code, rule, description, status)
self.executorQueue.put({'fin':'exception', 'rule': rule, 'description': description, 'status': status})
def AccessViolationHandlerWINAPPDBG(event): # Handle access violation while using winappdbg #todo: correct error codes # hardik code = event.get_event_code() if event.get_event_code() == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance(): global does_crash does_crash = True crash = Crash(event) crash.fetch_extra_data(event) details =r""" _____ / ____| | | /\ | | /_ | / _ \ | | _ __ __ _ ___| |__ / \ _ __ __ _| |_ _ _______ _ __ __ _| || | | | | | | '__/ _` / __| '_ \ / /\ \ | '_ \ / _` | | | | |_ / _ \ '__| \ \ / / || | | | | |____| | | (_| \__ \ | | |/ ____ \| | | | (_| | | |_| |/ / __/ | \ V /| || |_| | \_____|_| \__,_|___/_| |_/_/ \_\_| |_|\__,_|_|\__, /___\___|_| \_/ |_(_)___/ __/ | |___/ email: [email protected] web: http://hardik05.wordpress.com """ details = details + "\r\n" + crash.fullReport(bShowNotes=True) violation_addr = hex(crash.registers['Eip']) label = crash.labelPC Crash_Function_Name = label.split('+')[0] Crash_Function_Name = re.sub('[^A-Za-z0-9]+', '_', Crash_Function_Name) thetime = datetime.now().strftime("%Y_%m_%d_%H_%M_%S") exe_name = event.get_process().get_filename().split('\\')[-1] #crashfilename is the file containing the crash details crashfilename = 'crash_'+TestCaseName+'_'+'_'+ thetime #syncfilename is the file containig crash details synfilename = OUTPUT_DIR + '\\crashes\\'+exe_name+'\\'+ Crash_Function_Name +'\\crash_'+ TestCaseName + '_details.txt' + '_' + thetime + ".txt" if not os.path.exists(OUTPUT_DIR + '\\crashes\\'+exe_name): os.makedirs(OUTPUT_DIR + '\\crashes\\'+exe_name) if not os.path.exists(OUTPUT_DIR + '\\crashes\\'+exe_name+'\\'+Crash_Function_Name): os.makedirs(OUTPUT_DIR + '\\crashes\\'+exe_name+'\\'+Crash_Function_Name) syn = open(synfilename,'w+') syn.write(details) syn.close() #print '[+] '+ datetime.now().strftime("%Y:%m:%d::%H:%M:%S")+' Killing half dead process' try: event.get_process().kill() shutil.move(filepath,OUTPUT_DIR + '\\crashes\\'+exe_name+'\\'+Crash_Function_Name+'\\'+crashfilename) print RED + 'Program is crashing at :'+ END, Crash_Function_Name print 'Crash file moved to : ', (OUTPUT_DIR + '\\crashes\\'+ exe_name+'\\'+Crash_Function_Name+'\\'+crashfilename) except: print "error"
def do(self, arg):
".exploitable - Determine the approximate exploitability rating"
from winappdbg import Crash
event = self.debug.lastEvent
crash = Crash(event)
crash.fetch_extra_data(event)
status, rule, description = crash.isExploitable()
print "-" * 79
print "Exploitability: %s" % status
print "Matched rule: %s" % rule
print "Description: %s" % description
print "-" * 79
def do(self, arg):
".exploitable - Determine the approximate exploitability rating"
from winappdbg import Crash
event = self.debug.lastEvent
crash = Crash(event)
crash.fetch_extra_data(event)
status, rule, description = crash.isExploitable()
print "-" * 79
print "Exploitability: %s" % status
print "Matched rule: %s" % rule
print "Description: %s" % description
print "-" * 79
def debuggerEventHandler(self, event):
code = event.get_event_code()
crash = Crash(event)
if code == win32.EXCEPTION_DEBUG_EVENT and crash.firstChance:
status, rule, description = crash.isExploitable()
if rule == 'Unknown' or rule == 'Breakpoint':
return
print 'WindowsDebugEngine: We found interesting exception'
print 'WindowsDebugEngine: %08x, %s, %s, %s' % (
code, rule, description, status)
self.executorQueue.put({
'fin': 'exception',
'rule': rule,
'description': description,
'status': status
})
def dump(self):
crash = Crash(self.event)
crash.fetch_extra_data(self.event)
report = crash.fullReport(False)
crash_type = report.split('\n')[2].split(':')[1]
self.work_summary = crash_type + '_' + str(time.time())
report_descriptor = open("{}/{}/report.txt".format(self.crash_path, self.work_summary), 'w')
report_descriptor.write(report)
report_descriptor.close()
self.save_report(crash_type, report)
self.copy_case()
print "Exception Occurred"
self.communicationManager.alert("Exception Occurred")
self.communicationManager.alert(report)
self.kill_test_process()
def AccessViolationHandlerWINAPPDBG(self, event):
# Handle access violation while using winappdbg
code = event.get_event_code()
if event.get_event_code(
) == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
crash = Crash(event)
crash.fetch_extra_data(event)
details = crash.fullReport(bShowNotes=True)
violation_addr = hex(crash.registers['Eip'])
thetime = datetime.now().strftime("%Y_%m_%d_%H_%M_%S")
exe_name = event.get_process().get_filename().split('\\')[-1]
crashfilename = 'crash_' + self.CurrentTestCaseName + '_' + '_' + thetime + '.' + self.CurrentTestCaseName.split(
'.')[-1]
synfilename = 'crashes\\' + exe_name + '\\' + violation_addr + '\\crash_' + self.CurrentTestCaseName + '_' + '_' + thetime + '.txt'
if not os.path.exists('crashes\\' + exe_name):
os.makedirs('crashes\\' + exe_name)
if not os.path.exists('crashes\\' + exe_name + '\\' +
violation_addr):
os.makedirs('crashes\\' + exe_name + '\\' + violation_addr)
shutil.copyfile(
self.conf.fuzztempfolder + '\\' + self.CurrentTestCaseName,
'crashes\\' + exe_name + '\\' + violation_addr + '\\' +
crashfilename)
print '[+]', datetime.now().strftime(
"%Y:%m:%d::%H:%M:%S"
), 'BOOM!! APP Crashed :', 'Crash file Copied to ', (
exe_name + '\\' + violation_addr + '\\' + crashfilename)
syn = open(synfilename, 'w')
syn.write(details)
syn.close()
#print '[+] '+ datetime.now().strftime("%Y:%m:%d::%H:%M:%S")+' Killing half dead process'
try:
event.get_process().kill()
except:
self.ForceKillOffice()
def _my_event_handler(self, event):
"""
handle debugger events
"""
code = event.get_event_code()
if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
self._crash_event_complete.clear()
self.logger.warning(
"Crash detected, storing crash dump in database...")
self.report.failed("crash detected")
self.report.add("event name", event.get_event_name())
self.report.add("event code", code)
# Generate a minimal crash dump.
crash = Crash(event)
# You can turn it into a full crash dump (recommended).
# crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump
# crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump
crash.fetch_extra_data(event, takeMemorySnapshot=2) # full memory dump
self.report.add("crash_isExploitable", crash.isExploitable())
self.report.add("crash_briefReport", crash.briefReport())
self.report.add("crash_fullReport", crash.fullReport())
self.report.add("crash_timestamp", crash.timeStamp)
self.report.add("crash_signature", crash.signature)
# Connect to the database. You can use any URL supported by SQLAlchemy.
# For more details see the reference documentation.
dao = CrashDAO(self._sql_crash_db)
# If you do this instead, heuristics are used to detect duplicated
# crashes so they aren"t added to the database.
dao.add(crash, allow_duplicates=False)
# Kill the process.
self._process.kill()
# DO WE NEED THIS ???
if "Process termination event" == event.get_event_name():
self.logger.debug("detected process termination event code=%d" % code)
self.logger.debug("debugee count=%s" % self._debug.get_debugee_count())
self.logger.debug("debugee pids=%s" % self._debug.get_debugee_pids())
def handler(self, event): if event.get_event_code() == win32.EXCEPTION_DEBUG_EVENT and event.get_exception_code() != win32.STATUS_BREAKPOINT and (event.is_last_chance() or event.get_exception_code() in self.alwaysCatchExceptions): crash = Crash(event) report = CrashReport() crash = Crash(event) (exploitable, type, info) = crash.isExploitable() try: report.code = event.get_thread().disassemble( crash.pc, 0x10 ) [0][2] except: report.code = "Could not disassemble" if crash.faultAddress is None or MemoryAddresses.align_address_to_page_start(crash.faultAddress) == 0: report.nearNull = True else: report.nearNull = False report.type = type lib = event.get_thread().get_process().get_module_at_address(crash.pc) if lib != None: report.location = lib.get_label_at_address(crash.pc) else: report.location = HexDump.address(crash.pc, event.get_thread().get_process().get_bits())[-4:] if crash.faultAddress == None: crash.faultAddress = 0 report.faultAddr = HexDump.address(crash.faultAddress, event.get_thread().get_process().get_bits()) report.stack = "" stList = self.getStackTraceRelList(event.get_thread()) if len(stList)>0: for ra in stList: lib = event.get_thread().get_process().get_module_at_address(ra) if lib != None: report.stack += lib.get_label_at_address(ra) + " " + HexDump.address(ra, event.get_thread().get_process().get_bits()) + "\n" else: report.stack += HexDump.address(ra, event.get_thread().get_process().get_bits()) + "\n" if report.stack == "": report.stack = "NO_STACK" report.info= crash.fullReport() return report return None
def _my_event_handler(self, event):
'''
handle debugger events
'''
code = event.get_event_code()
if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
self._crash_event_complete.clear()
self.logger.warning("Crash detected, storing crash dump in database...")
self.report.failed('crash detected')
self.report.add('event name', event.get_event_name())
self.report.add('event code', code)
# Generate a minimal crash dump.
crash = Crash(event)
# You can turn it into a full crash dump (recommended).
# crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump
# crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump
crash.fetch_extra_data(event, takeMemorySnapshot=2) # full memory dump
self.report.add('crash_isExploitable', crash.isExploitable())
self.report.add('crash_briefReport', crash.briefReport())
self.report.add('crash_fullReport', crash.fullReport())
self.report.add('crash_timestamp', crash.timeStamp)
self.report.add('crash_signature', crash.signature)
# Connect to the database. You can use any URL supported by SQLAlchemy.
# For more details see the reference documentation.
dao = CrashDAO(self._sql_crash_db)
# If you do this instead, heuristics are used to detect duplicated
# crashes so they aren't added to the database.
dao.add(crash, allow_duplicates=False)
# Kill the process.
self._process.kill()
# DO WE NEED THIS ???
if 'Process termination event' == event.get_event_name():
self.logger.debug('detected process termination event code=%d' % code)
self.logger.debug('debugee count=%s' % self._debug.get_debugee_count())
self.logger.debug('debugee pids=%s' % self._debug.get_debugee_pids())
def crash_event_handler(event):
"""
This implements the whole logic.
The code below triggered by an access violation
is responsible for storing / doing whatever with the crash info
"""
code = event.get_event_code()
# TODO: use this to distinguish between Eip and Rip?
bits = event.get_process().get_bits()
# If the event is a crash...
if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
print "=== [*] Crash detected, analyzing..."
name = event.get_exception_description()
pc = event.get_thread().get_pc()
# Get the offending address.
address = event.get_exception_address()
# TODO: Get the register values
#thread = event.get_thread()
#registers = thread.get_context()
# Generate a minimal crash dump.
crash = Crash(event)
if crash.exceptionLabel:
c_label = crash.exceptionLabel
else:
c_label = 'Not available'
# Crashing file contents in Base64
if file_info:
bin = file_info
else:
bin = None
crash_properties = dict()
crash_properties['victim'] = victim_filename
crash_properties['processor'] = crash.arch
crash_properties['event_name'] = name
crash_properties['ip'] = address # pc, registers['Eip'], etc.
crash_properties['crash_label'] = c_label
crash_properties['stacktrace'] = crash.stackTraceLabels
crash_properties['exploitability'] = crash.isExploitable()
crash_properties['bin'] = bin
# TODO: Calculate some kind of metric in order to discard already
# found crashes (or minimal variations of them)
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# You can turn it into a full crash dump (recommended).
# crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump
crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump
# crash.fetch_extra_data(event, takeMemorySnapshot = 2) # full memory dump
# TODO: do not hardcode this directory
dao = CrashDAO("sqlite:///crashes/crashes.sqlite")
# Store the crash dump in the database.
print "=== [*] Storing crash dump in (local) database..."
# NOTE: If you do this instead, heuristics are used to detect duplicated
# crashes so they aren't added to the database.
# dao.add( crash, allow_duplicates = False )
dao.add(crash)
#
# Store the crash, locally and in server
#
# Kill the process.
event.get_process().kill()
communications.add_crash(crash_properties)
fileops.save_crash_file(crash_filename, 'crashes')
