def action_WriteProcessMemoryW(event): # Get the return address of the call address = event.get_thread().read_stack_dwords(1)[0] fo = open("C:/unpacked.bin", "w") # Get the process and thread IDs pid = event.get_pid() tid = event.get_tid() process = Process(pid) bufferAddr = event.get_thread().read_stack_dwords( 6 )[3] #6 is no of dwords grabbed from stack [0] is retuen addr [3] is 3rd argument print hex(bufferAddr) print "xxxxxxx" memoryMap = process.get_memory_map() readable = 0 writeable = 0 executable = 0 private = 0 mapped = 0 image = 0 total = 0 for mbi in memoryMap: #print hex(mbi.BaseAddress) if mbi.BaseAddress == bufferAddr: print "dumping data" print hex(mbi.BaseAddress) print hex(mbi.RegionSize) data = process_read(pid, mbi.BaseAddress, mbi.RegionSize) fo.write(data) fo.close()
def main(): print "Process memory map" print "by Mario Vilas (mvilas at gmail.com)" print if len(sys.argv) < 2 or '-h' in sys.argv or '--help' in sys.argv: script = os.path.basename(sys.argv[0]) print "Usage:" print " %s <pid>..." % script print " %s <process.exe>..." % script return s = System() s.request_debug_privileges() s.scan_processes() targets = set() for token in sys.argv[1:]: try: pid = HexInput.integer(token) if not s.has_process(pid): print "Process not found: %s" % token return targets.add(pid) except ValueError: pl = s.find_processes_by_filename(token) if not pl: print "Process not found: %s" % token return for p, n in pl: pid = p.get_pid() targets.add(pid) targets = list(targets) targets.sort() for pid in targets: process = Process(pid) fileName = process.get_filename() memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames() if fileName: print "Memory map for %d (%s):" % (pid, fileName) else: print "Memory map for %d:" % pid print ## print CrashDump.dump_memory_map(memoryMap), print CrashDump.dump_memory_map(memoryMap, mappedFilenames) readable = 0 writeable = 0 executable = 0 private = 0 mapped = 0 image = 0 total = 0 for mbi in memoryMap: size = mbi.RegionSize if not mbi.is_free(): total += size if mbi.is_readable(): readable += size if mbi.is_writeable(): writeable += size if mbi.is_executable(): executable += size if mbi.is_private(): private += size if mbi.is_mapped(): mapped += size if mbi.is_image(): image += size width = len(number(total)) print(" %%%ds bytes of readable memory" % width) % number(readable) print(" %%%ds bytes of writeable memory" % width) % number(writeable) print(" %%%ds bytes of executable memory" % width) % number(executable) print(" %%%ds bytes of private memory" % width) % number(private) print(" %%%ds bytes of mapped memory" % width) % number(mapped) print(" %%%ds bytes of image memory" % width) % number(image) print(" %%%ds bytes of total memory" % width) % number(total) print
class Main(object): def __init__(self, argv): self.argv = argv def parse_cmdline(self): # An empty command line causes the help message to be shown if len(self.argv) == 1: self.argv = self.argv + ['-h'] # Usage string usage = "%prog [options] <target process IDs or names...>" self.parser = optparse.OptionParser(usage=usage) # Options to set the search method search = optparse.OptionGroup( self.parser, "What to search", "(at least one of these switches must be used)") search.add_option("-s", "--string", action="append", metavar="VALUE", help="where VALUE is case sensitive text") search.add_option("-i", "--istring", action="append", metavar="VALUE", help="where VALUE is case insensitive text") search.add_option("-x", "--hexa", action="append", metavar="VALUE", help="where VALUE is hexadecimal data") search.add_option("-p", "--pattern", action="append", metavar="VALUE", help="where VALUE is an hexadecimal pattern") self.parser.add_option_group(search) # Options to control the search internals engine = optparse.OptionGroup(self.parser, "How to search") engine.add_option("-m", "--memory-pages", action="store", type="int", metavar="NUMBER", help="maximum number of consecutive memory pages" \ " to read (matches larger than this won't" \ " be found) " \ "[default: 2, use 0 for no limit]") self.parser.add_option_group(engine) # Options to set the output type output = optparse.OptionGroup(self.parser, "What to show") output.add_option("-v", "--verbose", action="store_true", dest="verbose", help="verbose output") output.add_option("-q", "--quiet", action="store_false", dest="verbose", help="brief output [default]") self.parser.add_option_group(output) # Default values self.parser.set_defaults( string=[], istring=[], hexa=[], pattern=[], regexp=[], memory_pages=2, verbose=False, ) # Parse the command line and check for validity (self.options, self.targets) = self.parser.parse_args(self.argv) # Our script's filename is not a target, skip it self.targets = self.targets[1:] # Fail if no search query was entered if not self.options.string and \ not self.options.istring and \ not self.options.hexa and \ not self.options.pattern: self.parser.error("at least one search switch must be used") def prepare_input(self): # Build the lists of search objects self.build_searchers_list(StringSearch) self.build_searchers_list(TextSearch) self.build_searchers_list(HexSearch) self.build_searchers_list(PatternSearch) # Build the list of target pids self.build_targets_list() def build_searchers_list(self, cls): searchers = getattr(self.options, cls.name) for index in range(len(searchers)): try: searchers[index] = cls(searchers[index], index) except Exception as e: msg = cls.init_error_msg(index, searchers[index], e) self.parser.error(msg) def build_targets_list(self): # Take a process snapshot self.system = System() self.system.request_debug_privileges() self.system.scan_processes() # If no targets were given, search on all processes if not self.targets: self.targets = self.system.get_process_ids() # If targets were given, search only on those processes else: expanded_targets = set() for token in self.targets: try: pid = HexInput.integer(token) if not self.system.has_process(pid): self.parser.error("process not found: %s" % token) expanded_targets.add(pid) except ValueError: found = self.system.find_processes_by_filename(token) pidlist = [process.get_pid() for (process, _) in found] if not pidlist: self.parser.error("process not found: %s" % token) expanded_targets.update(pidlist) self.targets = list(expanded_targets) # Sort the targets list self.targets.sort() def do_search(self): # For each target process... for self.pid in self.targets: # Try to open the process, skip on error try: self.process = Process(self.pid) self.process.get_handle() except WindowsError: print("Can't open process %d, skipping" % self.pid) if self.options.verbose: print continue # Get a list of allocated memory regions memory = list() for mbi in self.process.get_memory_map(): if mbi.State == win32.MEM_COMMIT and \ not mbi.Protect & win32.PAGE_GUARD: memory.append((mbi.BaseAddress, mbi.RegionSize)) # If no allocation limit is set, # read entire regions and search on them if self.options.memory_pages <= 0: for (address, size) in memory: try: data = self.process.read(address, size) except WindowsError as e: begin = HexDump.address(address) end = HexDump.address(address + size) msg = "Error reading %s-%s: %s" msg = msg % (begin, end, str(e)) print(msg) if self.options.verbose: print continue self.search_block(data, address, 0) # If an allocation limit is set, # read blocks within regions to search else: step = self.system.pageSize size = step * self.options.memory_pages for (address, total_size) in memory: try: end = address + total_size shift = 0 buffer = self.process.read(address, min(size, total_size)) while 1: self.search_block(buffer, address, shift) shift = step address = address + step if address >= end: break buffer = buffer[step:] buffer = buffer + self.process.read(address, step) except WindowsError as e: begin = HexDump.address(address) end = HexDump.address(address + total_size) msg = "Error reading %s-%s: %s" msg = msg % (begin, end, str(e)) print(msg) if self.options.verbose: print def search_block(self, data, address, shift): self.search_block_with(self.options.string, data, address, shift) self.search_block_with(self.options.istring, data, address, shift) self.search_block_with(self.options.hexa, data, address, shift) self.search_block_with(self.options.pattern, data, address, shift) def search_block_with(self, searchers_list, data, address, shift): for searcher in searchers_list: if shift == 0: searcher.restart() else: searcher.shift(shift) while 1: searcher.search(data) if not searcher.found(): break if self.options.verbose: print(searcher.message(self.pid, address - shift, data)) print else: print(searcher.message(self.pid, address - shift)) def run(self): # Banner print("Process memory finder") print("by Mario Vilas (mvilas at gmail.com)") print # Parse the command line self.parse_cmdline() # Prepare the input self.prepare_input() # Perform the search on the selected targets self.do_search()
def openProc(pid): ''' return proc maps ''' process = Process(pid) fileName = process.get_filename() memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames() # 08048000-080b0000 r-xp 0804d000 fe:01 3334030 /usr/myfile lines = [] for mbi in memoryMap: if not mbi.is_readable(): continue addr = '' perm = '--- ' offset = '' device = '' inode = '' filename = '' # Address and size of memory block. BaseAddress = HexDump.address(mbi.BaseAddress) RegionSize = HexDump.address(mbi.RegionSize) # State (free or allocated). mbiState = mbi.State if mbiState == win32.MEM_RESERVE: State = "Reserved" elif mbiState == win32.MEM_COMMIT: State = "Commited" elif mbiState == win32.MEM_FREE: State = "Free" else: State = "Unknown" # Page protection bits (R/W/X/G). if mbiState != win32.MEM_COMMIT: Protect = "--- " else: mbiProtect = mbi.Protect if mbiProtect & win32.PAGE_NOACCESS: Protect = "--- " elif mbiProtect & win32.PAGE_READONLY: Protect = "R-- " elif mbiProtect & win32.PAGE_READWRITE: Protect = "RW- " elif mbiProtect & win32.PAGE_WRITECOPY: Protect = "RC- " elif mbiProtect & win32.PAGE_EXECUTE: Protect = "--X " elif mbiProtect & win32.PAGE_EXECUTE_READ: Protect = "R-X " elif mbiProtect & win32.PAGE_EXECUTE_READWRITE: Protect = "RWX " elif mbiProtect & win32.PAGE_EXECUTE_WRITECOPY: Protect = "RCX " else: Protect = "??? " ''' if mbiProtect & win32.PAGE_GUARD: Protect += "G" #else: # Protect += "-" if mbiProtect & win32.PAGE_NOCACHE: Protect += "N" #else: # Protect += "-" if mbiProtect & win32.PAGE_WRITECOMBINE: Protect += "W" #else: # Protect += "-" ''' perm = Protect # Type (file mapping, executable image, or private memory). mbiType = mbi.Type if mbiType == win32.MEM_IMAGE: Type = "Image" elif mbiType == win32.MEM_MAPPED: Type = "Mapped" elif mbiType == win32.MEM_PRIVATE: Type = "Private" elif mbiType == 0: Type = "" else: Type = "Unknown" log.debug(BaseAddress) addr = '%08x-%08x' % (int(BaseAddress, 16), int(BaseAddress, 16) + int(RegionSize, 16)) perm = perm.lower() offset = '00000000' device = 'fe:01' inode = 24422442 filename = mappedFilenames.get(mbi.BaseAddress, ' ') # 08048000-080b0000 r-xp 0804d000 fe:01 3334030 /usr/myfile lines.append( '%s %s %s %s %s %s\n' % (addr, perm, offset, device, inode, filename)) log.debug( '%s %s %s %s %s %s\n' % (addr, perm, offset, device, inode, filename)) ##generate_memory_snapshot(self, minAddr=None, maxAddr=None) return lines # process.suspend() # try: # snapshot = process.generate_memory_snapshot() # for mbi in snapshot: # print HexDump.hexblock(mbi.content, mbi.BaseAddress) # finally: # process.resume() # process.read_structure() process = Process(pid) fileName = process.get_filename() memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames() if fileName: log.debug("MemoryHandler map for %d (%s):" % (pid, fileName)) else: log.debug("MemoryHandler map for %d:" % pid) log.debug('%d filenames' % len(mappedFilenames)) log.debug('') log.debug('%d memorymap' % len(memoryMap)) readable = 0 writeable = 0 executable = 0 private = 0 mapped = 0 image = 0 total = 0 for mbi in memoryMap: size = mbi.RegionSize if not mbi.is_free(): total += size if mbi.is_readable(): readable += size if mbi.is_writeable(): writeable += size if mbi.is_executable(): executable += size if mbi.is_private(): private += size if mbi.is_mapped(): mapped += size if mbi.is_image(): image += size width = len(str(total)) log.debug(" %%%ds bytes of readable memory" % width) % int(readable) log.debug(" %%%ds bytes of writeable memory" % width) % int(writeable) log.debug(" %%%ds bytes of executable memory" % width) % int(executable) log.debug(" %%%ds bytes of private memory" % width) % int(private) log.debug(" %%%ds bytes of mapped memory" % width) % int(mapped) log.debug(" %%%ds bytes of image memory" % width) % int(image) log.debug(" %%%ds bytes of total memory" % width) % int(total) log.debug('') return
def print_memory_map(pid): # Instance a Process object. process = Process(pid) # Find out if it's a 32 or 64 bit process. bits = process.get_bits() # Get the process memory map. memoryMap = process.get_memory_map() # Now you could do this... # # from winappdbg import CrashDump # print CrashDump.dump_memory_map( memoryMap ), # # ...but let's do it the hard way: # For each memory block in the map... print("Address \tSize \tState \tAccess \tType") for mbi in memoryMap: # Address and size of memory block. BaseAddress = HexDump.address(mbi.BaseAddress, bits) RegionSize = HexDump.address(mbi.RegionSize, bits) # State (free or allocated). if mbi.State == win32.MEM_RESERVE: State = "Reserved " elif mbi.State == win32.MEM_COMMIT: State = "Commited " elif mbi.State == win32.MEM_FREE: State = "Free " else: State = "Unknown " # Page protection bits (R/W/X/G). if mbi.State != win32.MEM_COMMIT: Protect = " " else: ## Protect = "0x%.08x" % mbi.Protect if mbi.Protect & win32.PAGE_NOACCESS: Protect = "--- " elif mbi.Protect & win32.PAGE_READONLY: Protect = "R-- " elif mbi.Protect & win32.PAGE_READWRITE: Protect = "RW- " elif mbi.Protect & win32.PAGE_WRITECOPY: Protect = "RC- " elif mbi.Protect & win32.PAGE_EXECUTE: Protect = "--X " elif mbi.Protect & win32.PAGE_EXECUTE_READ: Protect = "R-X " elif mbi.Protect & win32.PAGE_EXECUTE_READWRITE: Protect = "RWX " elif mbi.Protect & win32.PAGE_EXECUTE_WRITECOPY: Protect = "RCX " else: Protect = "??? " if mbi.Protect & win32.PAGE_GUARD: Protect += "G" else: Protect += "-" if mbi.Protect & win32.PAGE_NOCACHE: Protect += "N" else: Protect += "-" if mbi.Protect & win32.PAGE_WRITECOMBINE: Protect += "W" else: Protect += "-" Protect += " " # Type (file mapping, executable image, or private memory). if mbi.Type == win32.MEM_IMAGE: Type = "Image " elif mbi.Type == win32.MEM_MAPPED: Type = "Mapped " elif mbi.Type == win32.MEM_PRIVATE: Type = "Private " elif mbi.Type == 0: Type = "Free " else: Type = "Unknown " # Print the memory block information. fmt = "%s\t%s\t%s\t%s\t%s" print(fmt % (BaseAddress, RegionSize, State, Protect, Type))
def openProc(pid): ''' return proc maps ''' process = Process(pid) fileName = process.get_filename() memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames() # 08048000-080b0000 r-xp 0804d000 fe:01 3334030 /usr/myfile lines = [] for mbi in memoryMap: if not mbi.is_readable(): continue addr = '' perm = '--- ' offset = '' device = '' inode = '' filename = '' # Address and size of memory block. BaseAddress = HexDump.address(mbi.BaseAddress) RegionSize = HexDump.address(mbi.RegionSize) # State (free or allocated). mbiState = mbi.State if mbiState == win32.MEM_RESERVE: State = "Reserved" elif mbiState == win32.MEM_COMMIT: State = "Commited" elif mbiState == win32.MEM_FREE: State = "Free" else: State = "Unknown" # Page protection bits (R/W/X/G). if mbiState != win32.MEM_COMMIT: Protect = "--- " else: mbiProtect = mbi.Protect if mbiProtect & win32.PAGE_NOACCESS: Protect = "--- " elif mbiProtect & win32.PAGE_READONLY: Protect = "R-- " elif mbiProtect & win32.PAGE_READWRITE: Protect = "RW- " elif mbiProtect & win32.PAGE_WRITECOPY: Protect = "RC- " elif mbiProtect & win32.PAGE_EXECUTE: Protect = "--X " elif mbiProtect & win32.PAGE_EXECUTE_READ: Protect = "R-X " elif mbiProtect & win32.PAGE_EXECUTE_READWRITE: Protect = "RWX " elif mbiProtect & win32.PAGE_EXECUTE_WRITECOPY: Protect = "RCX " else: Protect = "??? " ''' if mbiProtect & win32.PAGE_GUARD: Protect += "G" #else: # Protect += "-" if mbiProtect & win32.PAGE_NOCACHE: Protect += "N" #else: # Protect += "-" if mbiProtect & win32.PAGE_WRITECOMBINE: Protect += "W" #else: # Protect += "-" ''' perm = Protect # Type (file mapping, executable image, or private memory). mbiType = mbi.Type if mbiType == win32.MEM_IMAGE: Type = "Image" elif mbiType == win32.MEM_MAPPED: Type = "Mapped" elif mbiType == win32.MEM_PRIVATE: Type = "Private" elif mbiType == 0: Type = "" else: Type = "Unknown" log.debug(BaseAddress) addr = '%08x-%08x' % (int( BaseAddress, 16), int(BaseAddress, 16) + int(RegionSize, 16)) perm = perm.lower() offset = '00000000' device = 'fe:01' inode = 24422442 filename = mappedFilenames.get(mbi.BaseAddress, ' ') # 08048000-080b0000 r-xp 0804d000 fe:01 3334030 /usr/myfile lines.append('%s %s %s %s %s %s\n' % (addr, perm, offset, device, inode, filename)) log.debug('%s %s %s %s %s %s\n' % (addr, perm, offset, device, inode, filename)) ##generate_memory_snapshot(self, minAddr=None, maxAddr=None) return lines # process.suspend() # try: # snapshot = process.generate_memory_snapshot() # for mbi in snapshot: # print HexDump.hexblock(mbi.content, mbi.BaseAddress) # finally: # process.resume() # process.read_structure() process = Process(pid) fileName = process.get_filename() memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames() if fileName: log.debug("MemoryHandler map for %d (%s):" % (pid, fileName)) else: log.debug("MemoryHandler map for %d:" % pid) log.debug('%d filenames' % len(mappedFilenames)) log.debug('') log.debug('%d memorymap' % len(memoryMap)) readable = 0 writeable = 0 executable = 0 private = 0 mapped = 0 image = 0 total = 0 for mbi in memoryMap: size = mbi.RegionSize if not mbi.is_free(): total += size if mbi.is_readable(): readable += size if mbi.is_writeable(): writeable += size if mbi.is_executable(): executable += size if mbi.is_private(): private += size if mbi.is_mapped(): mapped += size if mbi.is_image(): image += size width = len(str(total)) log.debug(" %%%ds bytes of readable memory" % width) % int(readable) log.debug( " %%%ds bytes of writeable memory" % width) % int(writeable) log.debug( " %%%ds bytes of executable memory" % width) % int(executable) log.debug(" %%%ds bytes of private memory" % width) % int(private) log.debug(" %%%ds bytes of mapped memory" % width) % int(mapped) log.debug(" %%%ds bytes of image memory" % width) % int(image) log.debug(" %%%ds bytes of total memory" % width) % int(total) log.debug('') return
def print_memory_map(pid): process = Process(pid) bits = process.get_bits() memoryMap = process.get_memory_map() #print CrashDump.dump_memory_dump(memoryMap) print "Address \tSize \tState \tAccess \Type" for mbi in memoryMap: # Address and size of memory block BaseAddress = HexDump.address(mbi.BaseAddress, bits) RegionSize = HexDump.address(mbi.RegionSize, bits) if mbi.State == win32.MEM_RESERVE: State = "Reserved " elif mbi.State == win32.MEM_COMMIT: State = "commited " elif mbi.State == win32.MEM_FREE: State = "Free " else: State = "Unknown " if mbi.State != win32.MEM_COMMIT: Protect = " " else: ## Protect = "0x%.08x" % mbi.Protect if mbi.Protect & win32.PAGE_NOACCESS: Protect = "--- " elif mbi.Protect & win32.PAGE_READONLY: Protect = "R-- " elif mbi.Protect & win32.PAGE_READWRITE: Protect = "RW- " elif mbi.Protect & win32.PAGE_WRITECOPY: Protect = "RC- " elif mbi.Protect & win32.PAGE_EXECUTE: Protect = "--X " elif mbi.Protect & win32.PAGE_EXECUTE_READ: Protect = "R-X " elif mbi.Protect & win32.PAGE_EXECUTE_READWRITE: Protect = "RWX " elif mbi.Protect & win32.PAGE_EXECUTE_WRITECOPY: Protect = "RCX " else: Protect = "??? " if mbi.Protect & win32.PAGE_GUARD: Protect += "G" else: Protect += "-" if mbi.Protect & win32.PAGE_NOCACHE: Protect += "N" else: Protect += "-" if mbi.Protect & win32.PAGE_WRITECOMBINE: Protect += "W" else: Protect += "-" Protect += " " # Type (file mapping, executable image, or private memory). if mbi.Type == win32.MEM_IMAGE: Type = "Image " elif mbi.Type == win32.MEM_MAPPED: Type = "Mapped " elif mbi.Type == win32.MEM_PRIVATE: Type = "Private " elif mbi.Type == 0: Type = "Free " else: Type = "Unknown " # Print the memory block information. fmt = "%s\t%s\t%s\t%s\t%s" print fmt % (BaseAddress, RegionSize, State, Protect, Type)
def print_memory_map( pid ): # Instance a Process object. process = Process( pid ) # Find out if it's a 32 or 64 bit process. bits = process.get_bits() # Get the process memory map. memoryMap = process.get_memory_map() # Now you could do this... # # from winappdbg import CrashDump # print CrashDump.dump_memory_map( memoryMap ), # # ...but let's do it the hard way: # For each memory block in the map... print "Address \tSize \tState \tAccess \tType" for mbi in memoryMap: # Address and size of memory block. BaseAddress = HexDump.address(mbi.BaseAddress, bits) RegionSize = HexDump.address(mbi.RegionSize, bits) # State (free or allocated). if mbi.State == win32.MEM_RESERVE: State = "Reserved " elif mbi.State == win32.MEM_COMMIT: State = "Commited " elif mbi.State == win32.MEM_FREE: State = "Free " else: State = "Unknown " # Page protection bits (R/W/X/G). if mbi.State != win32.MEM_COMMIT: Protect = " " else: ## Protect = "0x%.08x" % mbi.Protect if mbi.Protect & win32.PAGE_NOACCESS: Protect = "--- " elif mbi.Protect & win32.PAGE_READONLY: Protect = "R-- " elif mbi.Protect & win32.PAGE_READWRITE: Protect = "RW- " elif mbi.Protect & win32.PAGE_WRITECOPY: Protect = "RC- " elif mbi.Protect & win32.PAGE_EXECUTE: Protect = "--X " elif mbi.Protect & win32.PAGE_EXECUTE_READ: Protect = "R-X " elif mbi.Protect & win32.PAGE_EXECUTE_READWRITE: Protect = "RWX " elif mbi.Protect & win32.PAGE_EXECUTE_WRITECOPY: Protect = "RCX " else: Protect = "??? " if mbi.Protect & win32.PAGE_GUARD: Protect += "G" else: Protect += "-" if mbi.Protect & win32.PAGE_NOCACHE: Protect += "N" else: Protect += "-" if mbi.Protect & win32.PAGE_WRITECOMBINE: Protect += "W" else: Protect += "-" Protect += " " # Type (file mapping, executable image, or private memory). if mbi.Type == win32.MEM_IMAGE: Type = "Image " elif mbi.Type == win32.MEM_MAPPED: Type = "Mapped " elif mbi.Type == win32.MEM_PRIVATE: Type = "Private " elif mbi.Type == 0: Type = "Free " else: Type = "Unknown " # Print the memory block information. fmt = "%s\t%s\t%s\t%s\t%s" print fmt % ( BaseAddress, RegionSize, State, Protect, Type )
def main(): print "Process memory map" print "by Mario Vilas (mvilas at gmail.com)" print if len(sys.argv) < 2 or "-h" in sys.argv or "--help" in sys.argv: script = os.path.basename(sys.argv[0]) print "Usage:" print " %s <pid>..." % script print " %s <process.exe>..." % script return s = System() s.request_debug_privileges() s.scan_processes() targets = set() for token in sys.argv[1:]: try: pid = HexInput.integer(token) if not s.has_process(pid): print "Process not found: %s" % token return targets.add(pid) except ValueError: pl = s.find_processes_by_filename(token) if not pl: print "Process not found: %s" % token return for p, n in pl: pid = p.get_pid() targets.add(pid) targets = list(targets) targets.sort() for pid in targets: process = Process(pid) fileName = process.get_filename() memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames() if fileName: print "Memory map for %d (%s):" % (pid, fileName) else: print "Memory map for %d:" % pid print ## print CrashDump.dump_memory_map(memoryMap), print CrashDump.dump_memory_map(memoryMap, mappedFilenames) readable = 0 writeable = 0 executable = 0 private = 0 mapped = 0 image = 0 total = 0 for mbi in memoryMap: size = mbi.RegionSize if not mbi.is_free(): total += size if mbi.is_readable(): readable += size if mbi.is_writeable(): writeable += size if mbi.is_executable(): executable += size if mbi.is_private(): private += size if mbi.is_mapped(): mapped += size if mbi.is_image(): image += size width = len(number(total)) print (" %%%ds bytes of readable memory" % width) % number(readable) print (" %%%ds bytes of writeable memory" % width) % number(writeable) print (" %%%ds bytes of executable memory" % width) % number(executable) print (" %%%ds bytes of private memory" % width) % number(private) print (" %%%ds bytes of mapped memory" % width) % number(mapped) print (" %%%ds bytes of image memory" % width) % number(image) print (" %%%ds bytes of total memory" % width) % number(total) print
def RC4_dec(key, msg): return ARC4.new(key).decrypt(msg) if len(sys.argv) < 2: print "Provide PID" exit() system = winappdbg.System() system.request_debug_privileges() system.scan_processes() pid = int(sys.argv[1]) process = Process(pid) memory_map = process.get_memory_map() for mM in memory_map: if mM.Protect == win32.PAGE_EXECUTE_READWRITE: base_addr = mM.baseAddress reg_size = mM.RegionSize #pattern = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?0 ?4 ?? 00 ?? 00 00 00" pattern = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?0 ?4 ?? 00 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ??" f_data = process.search_hexa(pattern, base_addr, base_addr + reg_size) try: enc_con_addr = f_data.next()[0] + 0x18 except: