def intercept_wsmprovhost(pid,eventHandler): debug = Debug(eventHandler,bKillOnExit=True) try: debug.attach(int(pid)) debug.loop() except Exception,e: print "Error: ",str(e)
def main(argv): # Parse the command line arguments options = parse_cmdline(argv) # Create the event handler object eventHandler = Tracer() eventHandler.options = options # Create the debug object debug = Debug(eventHandler, bHostileCode=options.hostile) try: # Attach to the targets for pid in options.attach: debug.attach(pid) for argv in options.console: debug.execv(argv, bConsole=True, bFollow=options.follow) for argv in options.windowed: debug.execv(argv, bConsole=False, bFollow=options.follow) # Make sure the debugees die if the debugger dies unexpectedly debug.system.set_kill_on_exit_mode(True) # Run the debug loop debug.loop() # Stop the debugger finally: if not options.autodetach: debug.kill_all(bIgnoreExceptions=True) debug.stop()
def simple_debugger(address_file, program_file, arg_check): process = None debug = Debug(HitTracerEventHandler(address_file, program_file, arg_check)) try: # Lookup currently running processes debug.system.scan_processes() for (process, name) in debug.system.find_processes_by_filename(program_file): print "[*] Found %d: %s" % (process.get_pid(), name) # Attach to it debug.attach(process.get_pid()) if process == None: print "[*] Fatal. Process not found. Is it running?" sys.exit(1) # Wait for all debugees to finish debug.loop() # Cleanup actions finally: debug.stop()
def main( argv ): # Parse the command line arguments options = parse_cmdline(argv) # Create the event handler object eventHandler = Tracer() eventHandler.options = options # Create the debug object debug = Debug(eventHandler, bHostileCode = options.hostile) try: # Attach to the targets for pid in options.attach: debug.attach(pid) for argv in options.console: debug.execv(argv, bConsole = True, bFollow = options.follow) for argv in options.windowed: debug.execv(argv, bConsole = False, bFollow = options.follow) # Make sure the debugees die if the debugger dies unexpectedly debug.system.set_kill_on_exit_mode(True) # Run the debug loop debug.loop() # Stop the debugger finally: if not options.autodetach: debug.kill_all(bIgnoreExceptions = True) debug.stop()
def intercept_wsmprovhost(pid, eventHandler): debug = Debug(eventHandler, bKillOnExit=True) try: debug.attach(int(pid)) debug.loop() except Exception, e: print "Error: ", str(e)
class Process(object): def __init__(self, api_hooks=None): System.request_debug_privileges() self.api_hooks = api_hooks self.hooks = [] self.debugger = None def _loop(self): try: self.debugger.loop() except KeyboardInterrupt: self.debugger.stop() def hook_function(self, address, pre_callback=None, post_callback=None, signature=None): if not pre_callback and not post_callback: return self.hooks.append((address, pre_callback, post_callback, signature)) def start(self, path, kill_process_on_exit=True, anti_anti_debugger=False, blocking=True): def function(): os.chdir(os.path.dirname(path)) self.debugger = Debug(HookingEventHandler(self.hooks, self.api_hooks), bKillOnExit=kill_process_on_exit, bHostileCode=anti_anti_debugger) self.debugger.execv([path]) self._loop() if blocking: function() start_new_thread(function) def attach(self, pid, kill_process_on_exit=False, anti_anti_debugger=False, blocking=True): def function(): self.debugger = Debug(HookingEventHandler(self.hooks, self.api_hooks), bKillOnExit=kill_process_on_exit, bHostileCode=anti_anti_debugger) self.debugger.attach(pid) self._loop() if blocking: function() start_new_thread(function)
def debug_ovas(ovas_pid, test_payload, test_char, good_chars): # Instance a Debug object. debug = Debug(functools.partial(bad_characters_handler, test_payload, test_char, good_chars), bKillOnExit=True) try: # Attach to a running process. debug.attach(ovas_pid) # Wait for the debugee to finish. debug.loop() finally: # Stop the debugger. debug.stop()
def main(): set_logger() args = parse_args() pid = get_pid(args) logging.debug("about to connect to pid %(pid)s" % locals()) dbg = None try: dbg = Debug(event_handler.RPCEventHandler(), bKillOnExit=False) dbg.attach(pid) dbg.loop() finally: if dbg != None: logging.debug("About to detach from pid %(pid)s" % locals()) dbg.detach(pid) logging.info("Finished")
def main( ): set_logger() args = parse_args() pid = get_pid(args) logging.debug( "about to connect to pid %(pid)s" % locals() ) dbg = None try: dbg = Debug( event_handler.RPCEventHandler(), bKillOnExit = False) dbg.attach(pid) dbg.loop() finally: if dbg != None: logging.debug ("About to detach from pid %(pid)s" % locals() ) dbg.detach(pid) logging.info("Finished")
def main(argv): options = parse_cmdline(argv) # Create the event handler object eventHandler = EventForwarder(MemoryWatcher, options) # Create the debug object debug = Debug(eventHandler, bKillOnExit=True) try: # Attach to the targets for pid in options.attach: logger.log_text("Attaching to %d" % pid) debug.attach(pid) # Run the debug loop debug.loop() # Stop the debugger finally: debug.stop()
class Process(object): def __init__(self, api_hooks=None): System.request_debug_privileges() self.api_hooks = api_hooks self.hooks = [] self.debugger = None def _loop(self): try: self.debugger.loop() except KeyboardInterrupt: self.debugger.stop() def hook_function(self, address, pre_callback=None, post_callback=None, signature=None): if not pre_callback and not post_callback: return self.hooks.append((address, pre_callback, post_callback, signature)) def start(self, path, kill_process_on_exit=True, anti_anti_debugger=False, blocking=True): def function(): os.chdir(os.path.dirname(path)) self.debugger = Debug(HookingEventHandler(self.hooks, self.api_hooks), bKillOnExit=kill_process_on_exit, bHostileCode=anti_anti_debugger) self.debugger.execv([path]) self._loop() if blocking: function() start_new_thread(function) def attach(self, pid, kill_process_on_exit=False, anti_anti_debugger=False, blocking=True): def function(): self.debugger = Debug(HookingEventHandler(self.hooks, self.api_hooks), bKillOnExit=kill_process_on_exit, bHostileCode=anti_anti_debugger) self.debugger.attach(pid) self._loop() if blocking: function() start_new_thread(function)
class WinBasic: debugger = None mainProc = None alwaysCatchExceptions = [ win32.STATUS_ACCESS_VIOLATION, win32.STATUS_ILLEGAL_INSTRUCTION, win32.STATUS_ARRAY_BOUNDS_EXCEEDED, ] def __init__(self, killOnExit=True): self.debugger = Debug(bKillOnExit=killOnExit) self.mainProcs = [] def run(self, executable, children=True): tmp = self.debugger.execv(executable, bFollow=children) self.mainProcs.append(tmp) return tmp.get_pid() def attachPid(self, pid): self.mainProcs.append(self.debugger.attach(pid)) def attachImg(self, img): self.debugger.system.scan_processes() for (process, name) in self.debugger.system.find_processes_by_filename(img): self.attachPid(process.get_pid()) def close(self, kill=True, taskkill=True, forced=True): pids = self.debugger.get_debugee_pids() self.debugger.detach_from_all(True) for pid in pids: if kill: try: proc = self.debugger.system.get_process(pid) proc.kill() except: pass # Taskkill if taskkill and not forced: subprocess.call(["taskkill", "/pid", str(pid)], stdout=subprocess.PIPE, stderr=subprocess.PIPE) if taskkill and forced: subprocess.call(["taskkill", "/f", "/pid", str(pid)], stdout=subprocess.PIPE, stderr=subprocess.PIPE) def waitForCrash(self, waitTime=4, checkAlive=False): event = None endDebuging = False endTime = time() + waitTime while time() < endTime: if checkAlive: for proc in self.mainProcs: if not proc.is_alive(): return None try: event = self.debugger.wait(1000) except WindowsError, e: if e.winerror in (win32.ERROR_SEM_TIMEOUT, win32.WAIT_TIMEOUT): continue raise crash = self.handler(event) if crash != None: return crash else: try: self.debugger.dispatch() except: pass finally: self.debugger.cont() return None
if options.functions: hooks = parse_hook_spec(options.functions) if len(hooks) == 0: sys.exit() else: myevent.set_hooks(hooks) # Instance a Debug object, passing it the MyEventHandler instance debug = Debug( myevent ) try: if options.pid: debug.attach(options.pid) print_threads_and_modules(options.pid, debug) elif options.program: procs = list_processes(options.program) if len(procs) == 0: print "[E] no matching process" elif len(procs) == 1: debug.attach(procs[0].get_pid()) print_threads_and_modules(procs[0].get_pid(), debug) else: print "[E] ambigious" elif options.command: p = debug.execv( options.command, bFollow = True ) # Wait for the debugee to finish
class MyEventHandler( EventHandler ): def load_dll( self, event ): module = event.get_module() # modulebis gatoleba if module.match_name("nss3.dll"): # vnaxulobt tu aris nss3.dll pid = event.get_pid() address = module.resolve( "PR_Write" ) # vigebt PR_Write funqcii misamart print '[+] Found PR_Write at addr ' + str(address) event.debug.hook_function( pid, address, preCB=PR_Write, postCB=None ,paramCount=3,signature=None) # movaxditon egred wodebuli funqciis mokauweba (hook) rodesac kodi sheexeba breakpoint -is # da funqciis 3 parametris mnishvneloba gadavcet chvnes call back funqcias romelsac igeve saxeli vuwodet PR_Write while True: time.sleep(2) # yovel 2 wamshi sheamowmos aris tu ara gashvebui firefox brauzeri debug = Debug(MyEventHandler()) # vqmnit degub obieqts if debug.system.find_processes_by_filename( "firefox.exe" ): # tu ar aris jer firefox gashebuli velodebit time.sleep(3) # rom agmoachens rom gashvebulia daicados 3 wami ( rom yvelaferi chaitvirtos da erro ar miigot ) try: for ( process, name ) in debug.system.find_processes_by_filename( "firefox.exe" ): # vigebt procesis shesabamis PID -s da saxels print '[+] Found Firefox PID is ' + str (process.get_pid()) debug.attach( process.get_pid() ) # vaketebt procesiss Attach -s debug.loop() finally: debug.stop()
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. from winappdbg import Debug import sys # Get the process filename from the command line. filename = sys.argv[1] # Instance a Debug object. debug = Debug() try: # Lookup the currently running processes. debug.system.scan_processes() # For all processes that match the requested filename... for (process, name) in debug.system.find_processes_by_filename(filename): print process.get_pid(), name # Attach to the process. debug.attach(process.get_pid()) # Wait for all the debugees to finish. debug.loop() # Stop the debugger. finally: debug.stop()
"PR_Write") # vigebt PR_Write funqcii misamart print '[+] Found PR_Write at addr ' + str(address) event.debug.hook_function(pid, address, preCB=PR_Write, postCB=None, paramCount=3, signature=None) # movaxditon egred wodebuli funqciis mokauweba (hook) rodesac kodi sheexeba breakpoint -is # da funqciis 3 parametris mnishvneloba gadavcet chvnes call back funqcias romelsac igeve saxeli vuwodet PR_Write while True: time.sleep( 2) # yovel 2 wamshi sheamowmos aris tu ara gashvebui firefox brauzeri debug = Debug(MyEventHandler()) # vqmnit degub obieqts if debug.system.find_processes_by_filename( "firefox.exe"): # tu ar aris jer firefox gashebuli velodebit time.sleep( 3 ) # rom agmoachens rom gashvebulia daicados 3 wami ( rom yvelaferi chaitvirtos da erro ar miigot ) try: for (process, name) in debug.system.find_processes_by_filename( "firefox.exe" ): # vigebt procesis shesabamis PID -s da saxels print '[+] Found Firefox PID is ' + str(process.get_pid()) debug.attach(process.get_pid()) # vaketebt procesiss Attach -s debug.loop() finally: debug.stop()
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. from winappdbg import Debug import sys # Get the process filename from the command line. filename = sys.argv[1] # Instance a Debug object. debug = Debug() try: # Lookup the currently running processes. debug.system.scan_processes() # For all processes that match the requested filename... for ( process, name ) in debug.system.find_processes_by_filename( filename ): print process.get_pid(), name # Attach to the process. debug.attach( process.get_pid() ) # Wait for all the debugees to finish. debug.loop() # Stop the debugger. finally: debug.stop()
class WinBasic: debugger = None mainProc = None alwaysCatchExceptions=[win32.STATUS_ACCESS_VIOLATION, win32.STATUS_ILLEGAL_INSTRUCTION, win32.STATUS_ARRAY_BOUNDS_EXCEEDED] def __init__(self, killOnExit = True): self.debugger = Debug(bKillOnExit = killOnExit) self.mainProcs = [] def run(self, executable, children = True): tmp = self.debugger.execv(executable, bFollow = children ) self.mainProcs.append(tmp) return tmp.get_pid() def attachPid(self, pid): self.mainProcs.append(self.debugger.attach(pid)) def attachImg(self, img): self.debugger.system.scan_processes() for ( process, name ) in self.debugger.system.find_processes_by_filename( img ): self.attachPid(process.get_pid()) def close(self, kill = True, taskkill = True, forced = True): pids = self.debugger.get_debugee_pids() self.debugger.detach_from_all( True ) for pid in pids: if kill: try: proc = self.debugger.system.get_process(pid) proc.kill() except: pass #Taskkill if taskkill and not forced: subprocess.call(["taskkill", "/pid", str(pid)], stdout=subprocess.PIPE, stderr=subprocess.PIPE) if taskkill and forced: subprocess.call(["taskkill", "/f", "/pid", str(pid)], stdout=subprocess.PIPE, stderr=subprocess.PIPE) def waitForCrash(self, waitTime = 4, checkAlive = False): event = None endDebuging = False endTime = time() + waitTime while time() < endTime: if checkAlive: for proc in self.mainProcs: if not proc.is_alive(): return None try: event = self.debugger.wait(1000) except WindowsError, e: if e.winerror in (win32.ERROR_SEM_TIMEOUT, win32.WAIT_TIMEOUT): continue raise crash = self.handler(event) if crash != None: return crash else: try: self.debugger.dispatch() except: pass finally: self.debugger.cont() return None
class CEdenEternalDebugger(): def __init__(self,pFilename): System.request_debug_privileges() self.hSendAddress = "0x2" self.hRecvAddress = "0x4" self.bQueueStarted = False self.bStartLog = False self.bSend = False self.bBlock = False self.lBlockSend = [] self.lBlockRecv =[] self.lBlock = [] try: self.oDebug = Debug(self.handlerEvent) self.oDebug.system.scan_processes() for ( process, name ) in self.oDebug.system.find_processes_by_filename( pFilename ): self.oDebug.attach(process.get_pid()) stackDbg.put("MSG_INJECTED") self.bQueueStarted = True self.checkThread = threading.Thread(target=self.handleQueue) self.checkThread.start() self.oDebug.loop() finally: stackDbg.put("MSG_NOT_INJECTED") self.bQueueStarted = False self.oDebug.stop() def handleQueue(self): while self.bQueueStarted: sMsg = gui.stackGui.get() if(sMsg == "MSG_START_LOG"): self.bStartLog = True elif(sMsg == "MSG_STOP_LOG"): self.bStartLog = False elif(sMsg == "MSG_EXIT"): self.oDebug.stop() elif(sMsg[:8] == "MSG_SEND"): sSend = sMsg.split('|') self.bSend = True self.sSendMsg = sSend[1] elif(sMsg[:9] == "MSG_BLOCK"): sBlock = sMsg[10:] split = sBlock.split('|') if(split[0]=="[C->S]"): self.lBlockSend.append(split[1]) elif(split[0]=="[S->C]"): self.lBlockRecv.append(split[1]) elif(sMsg == "MSG_RBLOCK"): self.bBlock = True elif(sMsg == "MSG_SBLOCK"): self.bBlock = False del self.lBlock[:] del self.lBlockRecv[:] del self.lBlockSend[:] def handlerEvent(self,event): nPid = event.get_pid() if(self.bStartLog ==True): event.debug.break_at(nPid,self.hSendAddress,self.recvOutPackets) event.debug.break_at(nPid,self.hRecvAddress,self.recvInPackets) else: event.debug.dont_break_at(nPid,self.hSendAddress) event.debug.dont_break_at(nPid,self.hRecvAddress) def recvOutPackets(self,event): nPid = event.get_pid() oProcess = Process(nPid) if(self.bStartLog ==True): stackMem = event.get_thread().get_sp() address = event.get_process().read_pointer( stackMem+0x4 ) if(oProcess.is_address_readable(address)): hPacket = self.checkOutPacket(address,oProcess) if(self.bBlock==True): if(len(self.lBlockSend)>0): for pck in self.lBlockSend: if(hPacket == pck): bytes = len(hPacket)/2 packie = hPacket[:4] for i in range(0,bytes-2): packie +="00" if(len(packie) % 2 == 0): blockPacket = binascii.unhexlify(packie) oProcess.write(address,blockPacket) else: packie +="0" blockPacket = binascii.unhexlify(packie) oProcess.write(address,blockPacket) hPacket = self.checkOutPacket(address,oProcess) if(hPacket[:2]=="01"): if(self.bSend==True): sSendPacket = self.sendPacket(oProcess,address) if(sSendPacket!="NOWRITE"): if(sSendPacket!=None): stackDbg.put("SND|"+sSendPacket) else: stackDbg.put("SND|"+hPacket) else: stackDbg.put("SND|"+hPacket) else: stackDbg.put("SND|"+hPacket) else: event.debug.dont_break_at(nPid,self.hSendAddress) def recvInPackets(self,event): nPid = event.get_pid() oProcess = Process(nPid) if(self.bStartLog ==True): #RECV_LENGTH_ADDRESS = 0x0018FC04 #RECV_ADDRESS = 0x0018FC10 RECV_LENGTH_ADDRESS = 0x0018FC14 RECV_ADDRESS = 0x0018FC20 if(oProcess.is_address_readable(RECV_ADDRESS)): address = oProcess.read_pointer(RECV_ADDRESS) if(oProcess.is_address_readable(address)): sLength = oProcess.read(RECV_LENGTH_ADDRESS,1) nLength = int(toHex(sLength),16) if(nLength>0): file = open("config/recv.cfg", "r") hPacket = self.checkInPacket(address,oProcess,nLength) if(self.bBlock==True): if(len(self.lBlockRecv)>0): for pck in self.lBlockRecv: if(hPacket == pck): bytes = len(hPacket)/2 packie = "" for i in range(0,bytes): packie +="00" print packie blockPacket = binascii.unhexlify(packie) oProcess.write(address,blockPacket) hPacket = self.checkInPacket(address,oProcess,nLength) if(hPacket[0:4]=='2901'): stackDbg.put("RCV|"+hPacket) self.recvQuests(hPacket) elif(hPacket[0:4]=='5401'): stackDbg.put("RCV|"+hPacket) self.editQuests(hPacket) elif(hPacket[0:2]=='36'): stackDbg.put("RCV|"+hPacket) else: stackDbg.put("RCV|"+hPacket) else: event.debug.dont_break_at(nPid,self.hRecvAddress) def checkOutPacket(self,pAddress,pProcess): sLength = pProcess.read(pAddress-2,1) nLength = int(toHex(sLength),16) sPacket = pProcess.read(pAddress,nLength) hPacket = HexDump.hexadecimal(sPacket) return hPacket def checkInPacket(self,pAddress,pProcess,pLength): sPacket = pProcess.read(pAddress,pLength) hPacket = HexDump.hexadecimal(sPacket) return hPacket def recvQuests(self,pPacket): i = 8 sQuests = "" bRecv = True while bRecv: sWord = pPacket[i:i+4] i +=8 if(sWord=="0106"): bRecv = False else: sQuests +=sWord i = 0 for z in range(len(sQuests)/4): sLeft = sQuests[i*4:(i*4)+2] sRight = sQuests[(i*4)+2:(i*4)+4] sID = sRight + sLeft stackDbg.put("QUEST_RCV|"+sID) i += 1 def editQuests(self,pPacket): sQuest = pPacket[6:10] sAction = pPacket[14:16] sLeft = sQuest[:2] sRight = sQuest[2:] sID = sRight+sLeft stackDbg.put("EDIT_QUEST|"+sID+"|"+sAction) def sendPacket(self,pProcess,pAddress): sText = self.sSendMsg sPackets = sText.split("\n") nLength = len(sPackets) global nPacketCounter sHeader = "1a00" try: sSendPacket = sHeader+str(sPackets[nPacketCounter]) if(str(sPackets[nPacketCounter])!=""): if((len(sSendPacket)/2)<26): for i in range(1, 31-(len(sSendPacket)/2)): sSendPacket +="00" hPacket = binascii.unhexlify(sSendPacket) pProcess.write(pAddress-2,hPacket) nPacketCounter += 1 if nPacketCounter == nLength-1: self.bSend=False self.sSendMsg = "" nPacketCounter = 0 if(str(sPackets[nPacketCounter])!=""): return sSendPacket[4:] else: return "NOWRITE" except IndexError: print "packet sending error!" self.bSend = False self.sSendMsg = "" nPacketCounter = 0
myevent.myself = os.path.basename(sys.argv[1]) if options.functions: hooks = parse_hook_spec(options.functions) if len(hooks) == 0: sys.exit() else: myevent.set_hooks(hooks) # Instance a Debug object, passing it the MyEventHandler instance debug = Debug(myevent) try: if options.pid: debug.attach(options.pid) print_threads_and_modules(options.pid, debug) elif options.program: procs = list_processes(options.program) if len(procs) == 0: print "[E] no matching process" elif len(procs) == 1: debug.attach(procs[0].get_pid()) print_threads_and_modules(procs[0].get_pid(), debug) else: print "[E] ambigious" elif options.command: p = debug.execv(options.command, bFollow=True) # Wait for the debugee to finish
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. from winappdbg import Debug import sys # Get the process ID from the command line. pid = int(sys.argv[1]) # Instance a Debug object. debug = Debug() try: # Attach to a running process. debug.attach(pid) # Wait for the debugee to finish. debug.loop() # Stop the debugger. finally: debug.stop()
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. from winappdbg import Debug import sys # Get the process ID from the command line. pid = int( sys.argv[1] ) # Instance a Debug object. debug = Debug() try: # Attach to a running process. debug.attach( pid ) # Wait for the debugee to finish. debug.loop() # Stop the debugger. finally: debug.stop()
class MyEventHandler(EventHandler): def load_dll(self, event): module = event.get_module() # Get the module object if module.match_name("nss3.dll"): # If it's nss3.dll ,then pid = event.get_pid() # Get the process ID address = module.resolve("PR_Write") # Get the address of PR_Write print '[+] Found PR_Write at addr ' + str(address) event.debug.hook_function(pid, address, preCB=PR_Write, postCB=None, paramCount=3, signature=None) # Hook the PR_Write function, when we the breakpoint occured, three paramaeters (paramCount=3) # should be returned to the call back function (which i also name it to PR_Write) debug = Debug(MyEventHandler()) # Create a debug object instance try: for (process, name) in debug.system.find_processes_by_filename( "firefox.exe"): # Search for Firefox.exe proces, if found print '[+] Found Firefox PID is ' + str( process.get_pid()) # Grab the Process ID (PID) debug.attach(process.get_pid()) # Attach to the process. debug.loop() finally: debug.stop()