def intercept_wsmprovhost(pid,eventHandler):
debug = Debug(eventHandler,bKillOnExit=True)
try:
debug.attach(int(pid))
debug.loop()
except Exception,e:
print "Error: ",str(e)
def main(argv):
# Parse the command line arguments
options = parse_cmdline(argv)
# Create the event handler object
eventHandler = Tracer()
eventHandler.options = options
# Create the debug object
debug = Debug(eventHandler, bHostileCode=options.hostile)
try:
# Attach to the targets
for pid in options.attach:
debug.attach(pid)
for argv in options.console:
debug.execv(argv, bConsole=True, bFollow=options.follow)
for argv in options.windowed:
debug.execv(argv, bConsole=False, bFollow=options.follow)
# Make sure the debugees die if the debugger dies unexpectedly
debug.system.set_kill_on_exit_mode(True)
# Run the debug loop
debug.loop()
# Stop the debugger
finally:
if not options.autodetach:
debug.kill_all(bIgnoreExceptions=True)
debug.stop()
def simple_debugger(address_file, program_file, arg_check):
process = None
debug = Debug(HitTracerEventHandler(address_file, program_file, arg_check))
try:
# Lookup currently running processes
debug.system.scan_processes()
for (process, name) in debug.system.find_processes_by_filename(program_file):
print "[*] Found %d: %s" % (process.get_pid(), name)
# Attach to it
debug.attach(process.get_pid())
if process == None:
print "[*] Fatal. Process not found. Is it running?"
sys.exit(1)
# Wait for all debugees to finish
debug.loop()
# Cleanup actions
finally:
debug.stop()
def main( argv ):
# Parse the command line arguments
options = parse_cmdline(argv)
# Create the event handler object
eventHandler = Tracer()
eventHandler.options = options
# Create the debug object
debug = Debug(eventHandler, bHostileCode = options.hostile)
try:
# Attach to the targets
for pid in options.attach:
debug.attach(pid)
for argv in options.console:
debug.execv(argv, bConsole = True, bFollow = options.follow)
for argv in options.windowed:
debug.execv(argv, bConsole = False, bFollow = options.follow)
# Make sure the debugees die if the debugger dies unexpectedly
debug.system.set_kill_on_exit_mode(True)
# Run the debug loop
debug.loop()
# Stop the debugger
finally:
if not options.autodetach:
debug.kill_all(bIgnoreExceptions = True)
debug.stop()
def intercept_wsmprovhost(pid, eventHandler):
debug = Debug(eventHandler, bKillOnExit=True)
try:
debug.attach(int(pid))
debug.loop()
except Exception, e:
print "Error: ", str(e)
class Process(object):
def __init__(self, api_hooks=None):
System.request_debug_privileges()
self.api_hooks = api_hooks
self.hooks = []
self.debugger = None
def _loop(self):
try:
self.debugger.loop()
except KeyboardInterrupt:
self.debugger.stop()
def hook_function(self,
address,
pre_callback=None,
post_callback=None,
signature=None):
if not pre_callback and not post_callback:
return
self.hooks.append((address, pre_callback, post_callback, signature))
def start(self,
path,
kill_process_on_exit=True,
anti_anti_debugger=False,
blocking=True):
def function():
os.chdir(os.path.dirname(path))
self.debugger = Debug(HookingEventHandler(self.hooks,
self.api_hooks),
bKillOnExit=kill_process_on_exit,
bHostileCode=anti_anti_debugger)
self.debugger.execv([path])
self._loop()
if blocking:
function()
start_new_thread(function)
def attach(self,
pid,
kill_process_on_exit=False,
anti_anti_debugger=False,
blocking=True):
def function():
self.debugger = Debug(HookingEventHandler(self.hooks,
self.api_hooks),
bKillOnExit=kill_process_on_exit,
bHostileCode=anti_anti_debugger)
self.debugger.attach(pid)
self._loop()
if blocking:
function()
start_new_thread(function)
def debug_ovas(ovas_pid, test_payload, test_char, good_chars):
# Instance a Debug object.
debug = Debug(functools.partial(bad_characters_handler, test_payload,
test_char, good_chars),
bKillOnExit=True)
try:
# Attach to a running process.
debug.attach(ovas_pid)
# Wait for the debugee to finish.
debug.loop()
finally:
# Stop the debugger.
debug.stop()
def main():
set_logger()
args = parse_args()
pid = get_pid(args)
logging.debug("about to connect to pid %(pid)s" % locals())
dbg = None
try:
dbg = Debug(event_handler.RPCEventHandler(), bKillOnExit=False)
dbg.attach(pid)
dbg.loop()
finally:
if dbg != None:
logging.debug("About to detach from pid %(pid)s" % locals())
dbg.detach(pid)
logging.info("Finished")
def main( ):
set_logger()
args = parse_args()
pid = get_pid(args)
logging.debug( "about to connect to pid %(pid)s" % locals() )
dbg = None
try:
dbg = Debug( event_handler.RPCEventHandler(), bKillOnExit = False)
dbg.attach(pid)
dbg.loop()
finally:
if dbg != None:
logging.debug ("About to detach from pid %(pid)s" % locals() )
dbg.detach(pid)
logging.info("Finished")
def main(argv):
options = parse_cmdline(argv)
# Create the event handler object
eventHandler = EventForwarder(MemoryWatcher, options)
# Create the debug object
debug = Debug(eventHandler, bKillOnExit=True)
try:
# Attach to the targets
for pid in options.attach:
logger.log_text("Attaching to %d" % pid)
debug.attach(pid)
# Run the debug loop
debug.loop()
# Stop the debugger
finally:
debug.stop()
class Process(object):
def __init__(self, api_hooks=None):
System.request_debug_privileges()
self.api_hooks = api_hooks
self.hooks = []
self.debugger = None
def _loop(self):
try:
self.debugger.loop()
except KeyboardInterrupt:
self.debugger.stop()
def hook_function(self, address, pre_callback=None, post_callback=None, signature=None):
if not pre_callback and not post_callback:
return
self.hooks.append((address, pre_callback, post_callback, signature))
def start(self, path, kill_process_on_exit=True, anti_anti_debugger=False, blocking=True):
def function():
os.chdir(os.path.dirname(path))
self.debugger = Debug(HookingEventHandler(self.hooks, self.api_hooks), bKillOnExit=kill_process_on_exit, bHostileCode=anti_anti_debugger)
self.debugger.execv([path])
self._loop()
if blocking:
function()
start_new_thread(function)
def attach(self, pid, kill_process_on_exit=False, anti_anti_debugger=False, blocking=True):
def function():
self.debugger = Debug(HookingEventHandler(self.hooks, self.api_hooks), bKillOnExit=kill_process_on_exit, bHostileCode=anti_anti_debugger)
self.debugger.attach(pid)
self._loop()
if blocking:
function()
start_new_thread(function)
class WinBasic:
debugger = None
mainProc = None
alwaysCatchExceptions = [
win32.STATUS_ACCESS_VIOLATION,
win32.STATUS_ILLEGAL_INSTRUCTION,
win32.STATUS_ARRAY_BOUNDS_EXCEEDED,
]
def __init__(self, killOnExit=True):
self.debugger = Debug(bKillOnExit=killOnExit)
self.mainProcs = []
def run(self, executable, children=True):
tmp = self.debugger.execv(executable, bFollow=children)
self.mainProcs.append(tmp)
return tmp.get_pid()
def attachPid(self, pid):
self.mainProcs.append(self.debugger.attach(pid))
def attachImg(self, img):
self.debugger.system.scan_processes()
for (process, name) in self.debugger.system.find_processes_by_filename(img):
self.attachPid(process.get_pid())
def close(self, kill=True, taskkill=True, forced=True):
pids = self.debugger.get_debugee_pids()
self.debugger.detach_from_all(True)
for pid in pids:
if kill:
try:
proc = self.debugger.system.get_process(pid)
proc.kill()
except:
pass
# Taskkill
if taskkill and not forced:
subprocess.call(["taskkill", "/pid", str(pid)], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
if taskkill and forced:
subprocess.call(["taskkill", "/f", "/pid", str(pid)], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
def waitForCrash(self, waitTime=4, checkAlive=False):
event = None
endDebuging = False
endTime = time() + waitTime
while time() < endTime:
if checkAlive:
for proc in self.mainProcs:
if not proc.is_alive():
return None
try:
event = self.debugger.wait(1000)
except WindowsError, e:
if e.winerror in (win32.ERROR_SEM_TIMEOUT, win32.WAIT_TIMEOUT):
continue
raise
crash = self.handler(event)
if crash != None:
return crash
else:
try:
self.debugger.dispatch()
except:
pass
finally:
self.debugger.cont()
return None
if options.functions:
hooks = parse_hook_spec(options.functions)
if len(hooks) == 0:
sys.exit()
else:
myevent.set_hooks(hooks)
# Instance a Debug object, passing it the MyEventHandler instance
debug = Debug( myevent )
try:
if options.pid:
debug.attach(options.pid)
print_threads_and_modules(options.pid, debug)
elif options.program:
procs = list_processes(options.program)
if len(procs) == 0:
print "[E] no matching process"
elif len(procs) == 1:
debug.attach(procs[0].get_pid())
print_threads_and_modules(procs[0].get_pid(), debug)
else:
print "[E] ambigious"
elif options.command:
p = debug.execv( options.command, bFollow = True )
# Wait for the debugee to finish
class MyEventHandler( EventHandler ):
def load_dll( self, event ):
module = event.get_module() # modulebis gatoleba
if module.match_name("nss3.dll"): # vnaxulobt tu aris nss3.dll
pid = event.get_pid()
address = module.resolve( "PR_Write" ) # vigebt PR_Write funqcii misamart
print '[+] Found PR_Write at addr ' + str(address)
event.debug.hook_function( pid, address, preCB=PR_Write, postCB=None ,paramCount=3,signature=None)
# movaxditon egred wodebuli funqciis mokauweba (hook) rodesac kodi sheexeba breakpoint -is
# da funqciis 3 parametris mnishvneloba gadavcet chvnes call back funqcias romelsac igeve saxeli vuwodet PR_Write
while True:
time.sleep(2) # yovel 2 wamshi sheamowmos aris tu ara gashvebui firefox brauzeri
debug = Debug(MyEventHandler()) # vqmnit degub obieqts
if debug.system.find_processes_by_filename( "firefox.exe" ): # tu ar aris jer firefox gashebuli velodebit
time.sleep(3) # rom agmoachens rom gashvebulia daicados 3 wami ( rom yvelaferi chaitvirtos da erro ar miigot )
try:
for ( process, name ) in debug.system.find_processes_by_filename( "firefox.exe" ): # vigebt procesis shesabamis PID -s da saxels
print '[+] Found Firefox PID is ' + str (process.get_pid())
debug.attach( process.get_pid() ) # vaketebt procesiss Attach -s
debug.loop()
finally:
debug.stop()
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
from winappdbg import Debug
import sys
# Get the process filename from the command line.
filename = sys.argv[1]
# Instance a Debug object.
debug = Debug()
try:
# Lookup the currently running processes.
debug.system.scan_processes()
# For all processes that match the requested filename...
for (process, name) in debug.system.find_processes_by_filename(filename):
print process.get_pid(), name
# Attach to the process.
debug.attach(process.get_pid())
# Wait for all the debugees to finish.
debug.loop()
# Stop the debugger.
finally:
debug.stop()
"PR_Write") # vigebt PR_Write funqcii misamart
print '[+] Found PR_Write at addr ' + str(address)
event.debug.hook_function(pid,
address,
preCB=PR_Write,
postCB=None,
paramCount=3,
signature=None)
# movaxditon egred wodebuli funqciis mokauweba (hook) rodesac kodi sheexeba breakpoint -is
# da funqciis 3 parametris mnishvneloba gadavcet chvnes call back funqcias romelsac igeve saxeli vuwodet PR_Write
while True:
time.sleep(
2) # yovel 2 wamshi sheamowmos aris tu ara gashvebui firefox brauzeri
debug = Debug(MyEventHandler()) # vqmnit degub obieqts
if debug.system.find_processes_by_filename(
"firefox.exe"): # tu ar aris jer firefox gashebuli velodebit
time.sleep(
3
) # rom agmoachens rom gashvebulia daicados 3 wami ( rom yvelaferi chaitvirtos da erro ar miigot )
try:
for (process, name) in debug.system.find_processes_by_filename(
"firefox.exe"
): # vigebt procesis shesabamis PID -s da saxels
print '[+] Found Firefox PID is ' + str(process.get_pid())
debug.attach(process.get_pid()) # vaketebt procesiss Attach -s
debug.loop()
finally:
debug.stop()
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
from winappdbg import Debug
import sys
# Get the process filename from the command line.
filename = sys.argv[1]
# Instance a Debug object.
debug = Debug()
try:
# Lookup the currently running processes.
debug.system.scan_processes()
# For all processes that match the requested filename...
for ( process, name ) in debug.system.find_processes_by_filename( filename ):
print process.get_pid(), name
# Attach to the process.
debug.attach( process.get_pid() )
# Wait for all the debugees to finish.
debug.loop()
# Stop the debugger.
finally:
debug.stop()
class WinBasic: debugger = None mainProc = None alwaysCatchExceptions=[win32.STATUS_ACCESS_VIOLATION, win32.STATUS_ILLEGAL_INSTRUCTION, win32.STATUS_ARRAY_BOUNDS_EXCEEDED] def __init__(self, killOnExit = True): self.debugger = Debug(bKillOnExit = killOnExit) self.mainProcs = [] def run(self, executable, children = True): tmp = self.debugger.execv(executable, bFollow = children ) self.mainProcs.append(tmp) return tmp.get_pid() def attachPid(self, pid): self.mainProcs.append(self.debugger.attach(pid)) def attachImg(self, img): self.debugger.system.scan_processes() for ( process, name ) in self.debugger.system.find_processes_by_filename( img ): self.attachPid(process.get_pid()) def close(self, kill = True, taskkill = True, forced = True): pids = self.debugger.get_debugee_pids() self.debugger.detach_from_all( True ) for pid in pids: if kill: try: proc = self.debugger.system.get_process(pid) proc.kill() except: pass #Taskkill if taskkill and not forced: subprocess.call(["taskkill", "/pid", str(pid)], stdout=subprocess.PIPE, stderr=subprocess.PIPE) if taskkill and forced: subprocess.call(["taskkill", "/f", "/pid", str(pid)], stdout=subprocess.PIPE, stderr=subprocess.PIPE) def waitForCrash(self, waitTime = 4, checkAlive = False): event = None endDebuging = False endTime = time() + waitTime while time() < endTime: if checkAlive: for proc in self.mainProcs: if not proc.is_alive(): return None try: event = self.debugger.wait(1000) except WindowsError, e: if e.winerror in (win32.ERROR_SEM_TIMEOUT, win32.WAIT_TIMEOUT): continue raise crash = self.handler(event) if crash != None: return crash else: try: self.debugger.dispatch() except: pass finally: self.debugger.cont() return None
class CEdenEternalDebugger():
def __init__(self,pFilename):
System.request_debug_privileges()
self.hSendAddress = "0x2"
self.hRecvAddress = "0x4"
self.bQueueStarted = False
self.bStartLog = False
self.bSend = False
self.bBlock = False
self.lBlockSend = []
self.lBlockRecv =[]
self.lBlock = []
try:
self.oDebug = Debug(self.handlerEvent)
self.oDebug.system.scan_processes()
for ( process, name ) in self.oDebug.system.find_processes_by_filename( pFilename ):
self.oDebug.attach(process.get_pid())
stackDbg.put("MSG_INJECTED")
self.bQueueStarted = True
self.checkThread = threading.Thread(target=self.handleQueue)
self.checkThread.start()
self.oDebug.loop()
finally:
stackDbg.put("MSG_NOT_INJECTED")
self.bQueueStarted = False
self.oDebug.stop()
def handleQueue(self):
while self.bQueueStarted:
sMsg = gui.stackGui.get()
if(sMsg == "MSG_START_LOG"):
self.bStartLog = True
elif(sMsg == "MSG_STOP_LOG"):
self.bStartLog = False
elif(sMsg == "MSG_EXIT"):
self.oDebug.stop()
elif(sMsg[:8] == "MSG_SEND"):
sSend = sMsg.split('|')
self.bSend = True
self.sSendMsg = sSend[1]
elif(sMsg[:9] == "MSG_BLOCK"):
sBlock = sMsg[10:]
split = sBlock.split('|')
if(split[0]=="[C->S]"):
self.lBlockSend.append(split[1])
elif(split[0]=="[S->C]"):
self.lBlockRecv.append(split[1])
elif(sMsg == "MSG_RBLOCK"):
self.bBlock = True
elif(sMsg == "MSG_SBLOCK"):
self.bBlock = False
del self.lBlock[:]
del self.lBlockRecv[:]
del self.lBlockSend[:]
def handlerEvent(self,event):
nPid = event.get_pid()
if(self.bStartLog ==True):
event.debug.break_at(nPid,self.hSendAddress,self.recvOutPackets)
event.debug.break_at(nPid,self.hRecvAddress,self.recvInPackets)
else:
event.debug.dont_break_at(nPid,self.hSendAddress)
event.debug.dont_break_at(nPid,self.hRecvAddress)
def recvOutPackets(self,event):
nPid = event.get_pid()
oProcess = Process(nPid)
if(self.bStartLog ==True):
stackMem = event.get_thread().get_sp()
address = event.get_process().read_pointer( stackMem+0x4 )
if(oProcess.is_address_readable(address)):
hPacket = self.checkOutPacket(address,oProcess)
if(self.bBlock==True):
if(len(self.lBlockSend)>0):
for pck in self.lBlockSend:
if(hPacket == pck):
bytes = len(hPacket)/2
packie = hPacket[:4]
for i in range(0,bytes-2):
packie +="00"
if(len(packie) % 2 == 0):
blockPacket = binascii.unhexlify(packie)
oProcess.write(address,blockPacket)
else:
packie +="0"
blockPacket = binascii.unhexlify(packie)
oProcess.write(address,blockPacket)
hPacket = self.checkOutPacket(address,oProcess)
if(hPacket[:2]=="01"):
if(self.bSend==True):
sSendPacket = self.sendPacket(oProcess,address)
if(sSendPacket!="NOWRITE"):
if(sSendPacket!=None):
stackDbg.put("SND|"+sSendPacket)
else:
stackDbg.put("SND|"+hPacket)
else:
stackDbg.put("SND|"+hPacket)
else:
stackDbg.put("SND|"+hPacket)
else:
event.debug.dont_break_at(nPid,self.hSendAddress)
def recvInPackets(self,event):
nPid = event.get_pid()
oProcess = Process(nPid)
if(self.bStartLog ==True):
#RECV_LENGTH_ADDRESS = 0x0018FC04
#RECV_ADDRESS = 0x0018FC10
RECV_LENGTH_ADDRESS = 0x0018FC14
RECV_ADDRESS = 0x0018FC20
if(oProcess.is_address_readable(RECV_ADDRESS)):
address = oProcess.read_pointer(RECV_ADDRESS)
if(oProcess.is_address_readable(address)):
sLength = oProcess.read(RECV_LENGTH_ADDRESS,1)
nLength = int(toHex(sLength),16)
if(nLength>0):
file = open("config/recv.cfg", "r")
hPacket = self.checkInPacket(address,oProcess,nLength)
if(self.bBlock==True):
if(len(self.lBlockRecv)>0):
for pck in self.lBlockRecv:
if(hPacket == pck):
bytes = len(hPacket)/2
packie = ""
for i in range(0,bytes):
packie +="00"
print packie
blockPacket = binascii.unhexlify(packie)
oProcess.write(address,blockPacket)
hPacket = self.checkInPacket(address,oProcess,nLength)
if(hPacket[0:4]=='2901'):
stackDbg.put("RCV|"+hPacket)
self.recvQuests(hPacket)
elif(hPacket[0:4]=='5401'):
stackDbg.put("RCV|"+hPacket)
self.editQuests(hPacket)
elif(hPacket[0:2]=='36'):
stackDbg.put("RCV|"+hPacket)
else:
stackDbg.put("RCV|"+hPacket)
else:
event.debug.dont_break_at(nPid,self.hRecvAddress)
def checkOutPacket(self,pAddress,pProcess):
sLength = pProcess.read(pAddress-2,1)
nLength = int(toHex(sLength),16)
sPacket = pProcess.read(pAddress,nLength)
hPacket = HexDump.hexadecimal(sPacket)
return hPacket
def checkInPacket(self,pAddress,pProcess,pLength):
sPacket = pProcess.read(pAddress,pLength)
hPacket = HexDump.hexadecimal(sPacket)
return hPacket
def recvQuests(self,pPacket):
i = 8
sQuests = ""
bRecv = True
while bRecv:
sWord = pPacket[i:i+4]
i +=8
if(sWord=="0106"):
bRecv = False
else:
sQuests +=sWord
i = 0
for z in range(len(sQuests)/4):
sLeft = sQuests[i*4:(i*4)+2]
sRight = sQuests[(i*4)+2:(i*4)+4]
sID = sRight + sLeft
stackDbg.put("QUEST_RCV|"+sID)
i += 1
def editQuests(self,pPacket):
sQuest = pPacket[6:10]
sAction = pPacket[14:16]
sLeft = sQuest[:2]
sRight = sQuest[2:]
sID = sRight+sLeft
stackDbg.put("EDIT_QUEST|"+sID+"|"+sAction)
def sendPacket(self,pProcess,pAddress):
sText = self.sSendMsg
sPackets = sText.split("\n")
nLength = len(sPackets)
global nPacketCounter
sHeader = "1a00"
try:
sSendPacket = sHeader+str(sPackets[nPacketCounter])
if(str(sPackets[nPacketCounter])!=""):
if((len(sSendPacket)/2)<26):
for i in range(1, 31-(len(sSendPacket)/2)):
sSendPacket +="00"
hPacket = binascii.unhexlify(sSendPacket)
pProcess.write(pAddress-2,hPacket)
nPacketCounter += 1
if nPacketCounter == nLength-1:
self.bSend=False
self.sSendMsg = ""
nPacketCounter = 0
if(str(sPackets[nPacketCounter])!=""):
return sSendPacket[4:]
else:
return "NOWRITE"
except IndexError:
print "packet sending error!"
self.bSend = False
self.sSendMsg = ""
nPacketCounter = 0
myevent.myself = os.path.basename(sys.argv[1])
if options.functions:
hooks = parse_hook_spec(options.functions)
if len(hooks) == 0:
sys.exit()
else:
myevent.set_hooks(hooks)
# Instance a Debug object, passing it the MyEventHandler instance
debug = Debug(myevent)
try:
if options.pid:
debug.attach(options.pid)
print_threads_and_modules(options.pid, debug)
elif options.program:
procs = list_processes(options.program)
if len(procs) == 0:
print "[E] no matching process"
elif len(procs) == 1:
debug.attach(procs[0].get_pid())
print_threads_and_modules(procs[0].get_pid(), debug)
else:
print "[E] ambigious"
elif options.command:
p = debug.execv(options.command, bFollow=True)
# Wait for the debugee to finish
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
from winappdbg import Debug
import sys
# Get the process ID from the command line.
pid = int(sys.argv[1])
# Instance a Debug object.
debug = Debug()
try:
# Attach to a running process.
debug.attach(pid)
# Wait for the debugee to finish.
debug.loop()
# Stop the debugger.
finally:
debug.stop()
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
from winappdbg import Debug
import sys
# Get the process ID from the command line.
pid = int( sys.argv[1] )
# Instance a Debug object.
debug = Debug()
try:
# Attach to a running process.
debug.attach( pid )
# Wait for the debugee to finish.
debug.loop()
# Stop the debugger.
finally:
debug.stop()
class MyEventHandler(EventHandler):
def load_dll(self, event):
module = event.get_module() # Get the module object
if module.match_name("nss3.dll"): # If it's nss3.dll ,then
pid = event.get_pid() # Get the process ID
address = module.resolve("PR_Write") # Get the address of PR_Write
print '[+] Found PR_Write at addr ' + str(address)
event.debug.hook_function(pid,
address,
preCB=PR_Write,
postCB=None,
paramCount=3,
signature=None)
# Hook the PR_Write function, when we the breakpoint occured, three paramaeters (paramCount=3)
# should be returned to the call back function (which i also name it to PR_Write)
debug = Debug(MyEventHandler()) # Create a debug object instance
try:
for (process, name) in debug.system.find_processes_by_filename(
"firefox.exe"): # Search for Firefox.exe proces, if found
print '[+] Found Firefox PID is ' + str(
process.get_pid()) # Grab the Process ID (PID)
debug.attach(process.get_pid()) # Attach to the process.
debug.loop()
finally:
debug.stop()
