def action_WriteProcessMemoryW(event):
# Get the return address of the call
address = event.get_thread().read_stack_dwords(1)[0]
fo = open("C:/unpacked.bin", "w")
# Get the process and thread IDs
pid = event.get_pid()
tid = event.get_tid()
process = Process(pid)
bufferAddr = event.get_thread().read_stack_dwords(
6
)[3] #6 is no of dwords grabbed from stack [0] is retuen addr [3] is 3rd argument
print hex(bufferAddr)
print "xxxxxxx"
memoryMap = process.get_memory_map()
readable = 0
writeable = 0
executable = 0
private = 0
mapped = 0
image = 0
total = 0
for mbi in memoryMap:
#print hex(mbi.BaseAddress)
if mbi.BaseAddress == bufferAddr:
print "dumping data"
print hex(mbi.BaseAddress)
print hex(mbi.RegionSize)
data = process_read(pid, mbi.BaseAddress, mbi.RegionSize)
fo.write(data)
fo.close()
def main():
print "Process memory map"
print "by Mario Vilas (mvilas at gmail.com)"
print
if len(sys.argv) < 2 or '-h' in sys.argv or '--help' in sys.argv:
script = os.path.basename(sys.argv[0])
print "Usage:"
print " %s <pid>..." % script
print " %s <process.exe>..." % script
return
s = System()
s.request_debug_privileges()
s.scan_processes()
targets = set()
for token in sys.argv[1:]:
try:
pid = HexInput.integer(token)
if not s.has_process(pid):
print "Process not found: %s" % token
return
targets.add(pid)
except ValueError:
pl = s.find_processes_by_filename(token)
if not pl:
print "Process not found: %s" % token
return
for p, n in pl:
pid = p.get_pid()
targets.add(pid)
targets = list(targets)
targets.sort()
for pid in targets:
process = Process(pid)
fileName = process.get_filename()
memoryMap = process.get_memory_map()
mappedFilenames = process.get_mapped_filenames()
if fileName:
print "Memory map for %d (%s):" % (pid, fileName)
else:
print "Memory map for %d:" % pid
print
## print CrashDump.dump_memory_map(memoryMap),
print CrashDump.dump_memory_map(memoryMap, mappedFilenames)
readable = 0
writeable = 0
executable = 0
private = 0
mapped = 0
image = 0
total = 0
for mbi in memoryMap:
size = mbi.RegionSize
if not mbi.is_free():
total += size
if mbi.is_readable():
readable += size
if mbi.is_writeable():
writeable += size
if mbi.is_executable():
executable += size
if mbi.is_private():
private += size
if mbi.is_mapped():
mapped += size
if mbi.is_image():
image += size
width = len(number(total))
print(" %%%ds bytes of readable memory" % width) % number(readable)
print(" %%%ds bytes of writeable memory" % width) % number(writeable)
print(" %%%ds bytes of executable memory" %
width) % number(executable)
print(" %%%ds bytes of private memory" % width) % number(private)
print(" %%%ds bytes of mapped memory" % width) % number(mapped)
print(" %%%ds bytes of image memory" % width) % number(image)
print(" %%%ds bytes of total memory" % width) % number(total)
print
class Main(object):
def __init__(self, argv):
self.argv = argv
def parse_cmdline(self):
# An empty command line causes the help message to be shown
if len(self.argv) == 1:
self.argv = self.argv + ['-h']
# Usage string
usage = "%prog [options] <target process IDs or names...>"
self.parser = optparse.OptionParser(usage=usage)
# Options to set the search method
search = optparse.OptionGroup(
self.parser, "What to search",
"(at least one of these switches must be used)")
search.add_option("-s",
"--string",
action="append",
metavar="VALUE",
help="where VALUE is case sensitive text")
search.add_option("-i",
"--istring",
action="append",
metavar="VALUE",
help="where VALUE is case insensitive text")
search.add_option("-x",
"--hexa",
action="append",
metavar="VALUE",
help="where VALUE is hexadecimal data")
search.add_option("-p",
"--pattern",
action="append",
metavar="VALUE",
help="where VALUE is an hexadecimal pattern")
self.parser.add_option_group(search)
# Options to control the search internals
engine = optparse.OptionGroup(self.parser, "How to search")
engine.add_option("-m", "--memory-pages",
action="store", type="int", metavar="NUMBER",
help="maximum number of consecutive memory pages" \
" to read (matches larger than this won't" \
" be found) " \
"[default: 2, use 0 for no limit]")
self.parser.add_option_group(engine)
# Options to set the output type
output = optparse.OptionGroup(self.parser, "What to show")
output.add_option("-v",
"--verbose",
action="store_true",
dest="verbose",
help="verbose output")
output.add_option("-q",
"--quiet",
action="store_false",
dest="verbose",
help="brief output [default]")
self.parser.add_option_group(output)
# Default values
self.parser.set_defaults(
string=[],
istring=[],
hexa=[],
pattern=[],
regexp=[],
memory_pages=2,
verbose=False,
)
# Parse the command line and check for validity
(self.options, self.targets) = self.parser.parse_args(self.argv)
# Our script's filename is not a target, skip it
self.targets = self.targets[1:]
# Fail if no search query was entered
if not self.options.string and \
not self.options.istring and \
not self.options.hexa and \
not self.options.pattern:
self.parser.error("at least one search switch must be used")
def prepare_input(self):
# Build the lists of search objects
self.build_searchers_list(StringSearch)
self.build_searchers_list(TextSearch)
self.build_searchers_list(HexSearch)
self.build_searchers_list(PatternSearch)
# Build the list of target pids
self.build_targets_list()
def build_searchers_list(self, cls):
searchers = getattr(self.options, cls.name)
for index in range(len(searchers)):
try:
searchers[index] = cls(searchers[index], index)
except Exception as e:
msg = cls.init_error_msg(index, searchers[index], e)
self.parser.error(msg)
def build_targets_list(self):
# Take a process snapshot
self.system = System()
self.system.request_debug_privileges()
self.system.scan_processes()
# If no targets were given, search on all processes
if not self.targets:
self.targets = self.system.get_process_ids()
# If targets were given, search only on those processes
else:
expanded_targets = set()
for token in self.targets:
try:
pid = HexInput.integer(token)
if not self.system.has_process(pid):
self.parser.error("process not found: %s" % token)
expanded_targets.add(pid)
except ValueError:
found = self.system.find_processes_by_filename(token)
pidlist = [process.get_pid() for (process, _) in found]
if not pidlist:
self.parser.error("process not found: %s" % token)
expanded_targets.update(pidlist)
self.targets = list(expanded_targets)
# Sort the targets list
self.targets.sort()
def do_search(self):
# For each target process...
for self.pid in self.targets:
# Try to open the process, skip on error
try:
self.process = Process(self.pid)
self.process.get_handle()
except WindowsError:
print("Can't open process %d, skipping" % self.pid)
if self.options.verbose:
print
continue
# Get a list of allocated memory regions
memory = list()
for mbi in self.process.get_memory_map():
if mbi.State == win32.MEM_COMMIT and \
not mbi.Protect & win32.PAGE_GUARD:
memory.append((mbi.BaseAddress, mbi.RegionSize))
# If no allocation limit is set,
# read entire regions and search on them
if self.options.memory_pages <= 0:
for (address, size) in memory:
try:
data = self.process.read(address, size)
except WindowsError as e:
begin = HexDump.address(address)
end = HexDump.address(address + size)
msg = "Error reading %s-%s: %s"
msg = msg % (begin, end, str(e))
print(msg)
if self.options.verbose:
print
continue
self.search_block(data, address, 0)
# If an allocation limit is set,
# read blocks within regions to search
else:
step = self.system.pageSize
size = step * self.options.memory_pages
for (address, total_size) in memory:
try:
end = address + total_size
shift = 0
buffer = self.process.read(address,
min(size, total_size))
while 1:
self.search_block(buffer, address, shift)
shift = step
address = address + step
if address >= end:
break
buffer = buffer[step:]
buffer = buffer + self.process.read(address, step)
except WindowsError as e:
begin = HexDump.address(address)
end = HexDump.address(address + total_size)
msg = "Error reading %s-%s: %s"
msg = msg % (begin, end, str(e))
print(msg)
if self.options.verbose:
print
def search_block(self, data, address, shift):
self.search_block_with(self.options.string, data, address, shift)
self.search_block_with(self.options.istring, data, address, shift)
self.search_block_with(self.options.hexa, data, address, shift)
self.search_block_with(self.options.pattern, data, address, shift)
def search_block_with(self, searchers_list, data, address, shift):
for searcher in searchers_list:
if shift == 0:
searcher.restart()
else:
searcher.shift(shift)
while 1:
searcher.search(data)
if not searcher.found():
break
if self.options.verbose:
print(searcher.message(self.pid, address - shift, data))
print
else:
print(searcher.message(self.pid, address - shift))
def run(self):
# Banner
print("Process memory finder")
print("by Mario Vilas (mvilas at gmail.com)")
print
# Parse the command line
self.parse_cmdline()
# Prepare the input
self.prepare_input()
# Perform the search on the selected targets
self.do_search()
def openProc(pid):
''' return proc maps '''
process = Process(pid)
fileName = process.get_filename()
memoryMap = process.get_memory_map()
mappedFilenames = process.get_mapped_filenames()
# 08048000-080b0000 r-xp 0804d000 fe:01 3334030 /usr/myfile
lines = []
for mbi in memoryMap:
if not mbi.is_readable():
continue
addr = ''
perm = '--- '
offset = ''
device = ''
inode = ''
filename = ''
# Address and size of memory block.
BaseAddress = HexDump.address(mbi.BaseAddress)
RegionSize = HexDump.address(mbi.RegionSize)
# State (free or allocated).
mbiState = mbi.State
if mbiState == win32.MEM_RESERVE:
State = "Reserved"
elif mbiState == win32.MEM_COMMIT:
State = "Commited"
elif mbiState == win32.MEM_FREE:
State = "Free"
else:
State = "Unknown"
# Page protection bits (R/W/X/G).
if mbiState != win32.MEM_COMMIT:
Protect = "--- "
else:
mbiProtect = mbi.Protect
if mbiProtect & win32.PAGE_NOACCESS:
Protect = "--- "
elif mbiProtect & win32.PAGE_READONLY:
Protect = "R-- "
elif mbiProtect & win32.PAGE_READWRITE:
Protect = "RW- "
elif mbiProtect & win32.PAGE_WRITECOPY:
Protect = "RC- "
elif mbiProtect & win32.PAGE_EXECUTE:
Protect = "--X "
elif mbiProtect & win32.PAGE_EXECUTE_READ:
Protect = "R-X "
elif mbiProtect & win32.PAGE_EXECUTE_READWRITE:
Protect = "RWX "
elif mbiProtect & win32.PAGE_EXECUTE_WRITECOPY:
Protect = "RCX "
else:
Protect = "??? "
'''
if mbiProtect & win32.PAGE_GUARD:
Protect += "G"
#else:
# Protect += "-"
if mbiProtect & win32.PAGE_NOCACHE:
Protect += "N"
#else:
# Protect += "-"
if mbiProtect & win32.PAGE_WRITECOMBINE:
Protect += "W"
#else:
# Protect += "-"
'''
perm = Protect
# Type (file mapping, executable image, or private memory).
mbiType = mbi.Type
if mbiType == win32.MEM_IMAGE:
Type = "Image"
elif mbiType == win32.MEM_MAPPED:
Type = "Mapped"
elif mbiType == win32.MEM_PRIVATE:
Type = "Private"
elif mbiType == 0:
Type = ""
else:
Type = "Unknown"
log.debug(BaseAddress)
addr = '%08x-%08x' % (int(BaseAddress, 16),
int(BaseAddress, 16) + int(RegionSize, 16))
perm = perm.lower()
offset = '00000000'
device = 'fe:01'
inode = 24422442
filename = mappedFilenames.get(mbi.BaseAddress, ' ')
# 08048000-080b0000 r-xp 0804d000 fe:01 3334030 /usr/myfile
lines.append(
'%s %s %s %s %s %s\n' %
(addr, perm, offset, device, inode, filename))
log.debug(
'%s %s %s %s %s %s\n' %
(addr, perm, offset, device, inode, filename))
##generate_memory_snapshot(self, minAddr=None, maxAddr=None)
return lines
# process.suspend()
# try:
# snapshot = process.generate_memory_snapshot()
# for mbi in snapshot:
# print HexDump.hexblock(mbi.content, mbi.BaseAddress)
# finally:
# process.resume()
# process.read_structure()
process = Process(pid)
fileName = process.get_filename()
memoryMap = process.get_memory_map()
mappedFilenames = process.get_mapped_filenames()
if fileName:
log.debug("MemoryHandler map for %d (%s):" % (pid, fileName))
else:
log.debug("MemoryHandler map for %d:" % pid)
log.debug('%d filenames' % len(mappedFilenames))
log.debug('')
log.debug('%d memorymap' % len(memoryMap))
readable = 0
writeable = 0
executable = 0
private = 0
mapped = 0
image = 0
total = 0
for mbi in memoryMap:
size = mbi.RegionSize
if not mbi.is_free():
total += size
if mbi.is_readable():
readable += size
if mbi.is_writeable():
writeable += size
if mbi.is_executable():
executable += size
if mbi.is_private():
private += size
if mbi.is_mapped():
mapped += size
if mbi.is_image():
image += size
width = len(str(total))
log.debug(" %%%ds bytes of readable memory" % width) % int(readable)
log.debug(" %%%ds bytes of writeable memory" %
width) % int(writeable)
log.debug(" %%%ds bytes of executable memory" %
width) % int(executable)
log.debug(" %%%ds bytes of private memory" % width) % int(private)
log.debug(" %%%ds bytes of mapped memory" % width) % int(mapped)
log.debug(" %%%ds bytes of image memory" % width) % int(image)
log.debug(" %%%ds bytes of total memory" % width) % int(total)
log.debug('')
return
def print_memory_map(pid):
# Instance a Process object.
process = Process(pid)
# Find out if it's a 32 or 64 bit process.
bits = process.get_bits()
# Get the process memory map.
memoryMap = process.get_memory_map()
# Now you could do this...
#
# from winappdbg import CrashDump
# print CrashDump.dump_memory_map( memoryMap ),
#
# ...but let's do it the hard way:
# For each memory block in the map...
print("Address \tSize \tState \tAccess \tType")
for mbi in memoryMap:
# Address and size of memory block.
BaseAddress = HexDump.address(mbi.BaseAddress, bits)
RegionSize = HexDump.address(mbi.RegionSize, bits)
# State (free or allocated).
if mbi.State == win32.MEM_RESERVE:
State = "Reserved "
elif mbi.State == win32.MEM_COMMIT:
State = "Commited "
elif mbi.State == win32.MEM_FREE:
State = "Free "
else:
State = "Unknown "
# Page protection bits (R/W/X/G).
if mbi.State != win32.MEM_COMMIT:
Protect = " "
else:
## Protect = "0x%.08x" % mbi.Protect
if mbi.Protect & win32.PAGE_NOACCESS:
Protect = "--- "
elif mbi.Protect & win32.PAGE_READONLY:
Protect = "R-- "
elif mbi.Protect & win32.PAGE_READWRITE:
Protect = "RW- "
elif mbi.Protect & win32.PAGE_WRITECOPY:
Protect = "RC- "
elif mbi.Protect & win32.PAGE_EXECUTE:
Protect = "--X "
elif mbi.Protect & win32.PAGE_EXECUTE_READ:
Protect = "R-X "
elif mbi.Protect & win32.PAGE_EXECUTE_READWRITE:
Protect = "RWX "
elif mbi.Protect & win32.PAGE_EXECUTE_WRITECOPY:
Protect = "RCX "
else:
Protect = "??? "
if mbi.Protect & win32.PAGE_GUARD:
Protect += "G"
else:
Protect += "-"
if mbi.Protect & win32.PAGE_NOCACHE:
Protect += "N"
else:
Protect += "-"
if mbi.Protect & win32.PAGE_WRITECOMBINE:
Protect += "W"
else:
Protect += "-"
Protect += " "
# Type (file mapping, executable image, or private memory).
if mbi.Type == win32.MEM_IMAGE:
Type = "Image "
elif mbi.Type == win32.MEM_MAPPED:
Type = "Mapped "
elif mbi.Type == win32.MEM_PRIVATE:
Type = "Private "
elif mbi.Type == 0:
Type = "Free "
else:
Type = "Unknown "
# Print the memory block information.
fmt = "%s\t%s\t%s\t%s\t%s"
print(fmt % (BaseAddress, RegionSize, State, Protect, Type))
def openProc(pid):
''' return proc maps '''
process = Process(pid)
fileName = process.get_filename()
memoryMap = process.get_memory_map()
mappedFilenames = process.get_mapped_filenames()
# 08048000-080b0000 r-xp 0804d000 fe:01 3334030 /usr/myfile
lines = []
for mbi in memoryMap:
if not mbi.is_readable():
continue
addr = ''
perm = '--- '
offset = ''
device = ''
inode = ''
filename = ''
# Address and size of memory block.
BaseAddress = HexDump.address(mbi.BaseAddress)
RegionSize = HexDump.address(mbi.RegionSize)
# State (free or allocated).
mbiState = mbi.State
if mbiState == win32.MEM_RESERVE:
State = "Reserved"
elif mbiState == win32.MEM_COMMIT:
State = "Commited"
elif mbiState == win32.MEM_FREE:
State = "Free"
else:
State = "Unknown"
# Page protection bits (R/W/X/G).
if mbiState != win32.MEM_COMMIT:
Protect = "--- "
else:
mbiProtect = mbi.Protect
if mbiProtect & win32.PAGE_NOACCESS:
Protect = "--- "
elif mbiProtect & win32.PAGE_READONLY:
Protect = "R-- "
elif mbiProtect & win32.PAGE_READWRITE:
Protect = "RW- "
elif mbiProtect & win32.PAGE_WRITECOPY:
Protect = "RC- "
elif mbiProtect & win32.PAGE_EXECUTE:
Protect = "--X "
elif mbiProtect & win32.PAGE_EXECUTE_READ:
Protect = "R-X "
elif mbiProtect & win32.PAGE_EXECUTE_READWRITE:
Protect = "RWX "
elif mbiProtect & win32.PAGE_EXECUTE_WRITECOPY:
Protect = "RCX "
else:
Protect = "??? "
'''
if mbiProtect & win32.PAGE_GUARD:
Protect += "G"
#else:
# Protect += "-"
if mbiProtect & win32.PAGE_NOCACHE:
Protect += "N"
#else:
# Protect += "-"
if mbiProtect & win32.PAGE_WRITECOMBINE:
Protect += "W"
#else:
# Protect += "-"
'''
perm = Protect
# Type (file mapping, executable image, or private memory).
mbiType = mbi.Type
if mbiType == win32.MEM_IMAGE:
Type = "Image"
elif mbiType == win32.MEM_MAPPED:
Type = "Mapped"
elif mbiType == win32.MEM_PRIVATE:
Type = "Private"
elif mbiType == 0:
Type = ""
else:
Type = "Unknown"
log.debug(BaseAddress)
addr = '%08x-%08x' % (int(
BaseAddress, 16), int(BaseAddress, 16) + int(RegionSize, 16))
perm = perm.lower()
offset = '00000000'
device = 'fe:01'
inode = 24422442
filename = mappedFilenames.get(mbi.BaseAddress, ' ')
# 08048000-080b0000 r-xp 0804d000 fe:01 3334030 /usr/myfile
lines.append('%s %s %s %s %s %s\n' %
(addr, perm, offset, device, inode, filename))
log.debug('%s %s %s %s %s %s\n' %
(addr, perm, offset, device, inode, filename))
##generate_memory_snapshot(self, minAddr=None, maxAddr=None)
return lines
# process.suspend()
# try:
# snapshot = process.generate_memory_snapshot()
# for mbi in snapshot:
# print HexDump.hexblock(mbi.content, mbi.BaseAddress)
# finally:
# process.resume()
# process.read_structure()
process = Process(pid)
fileName = process.get_filename()
memoryMap = process.get_memory_map()
mappedFilenames = process.get_mapped_filenames()
if fileName:
log.debug("MemoryHandler map for %d (%s):" % (pid, fileName))
else:
log.debug("MemoryHandler map for %d:" % pid)
log.debug('%d filenames' % len(mappedFilenames))
log.debug('')
log.debug('%d memorymap' % len(memoryMap))
readable = 0
writeable = 0
executable = 0
private = 0
mapped = 0
image = 0
total = 0
for mbi in memoryMap:
size = mbi.RegionSize
if not mbi.is_free():
total += size
if mbi.is_readable():
readable += size
if mbi.is_writeable():
writeable += size
if mbi.is_executable():
executable += size
if mbi.is_private():
private += size
if mbi.is_mapped():
mapped += size
if mbi.is_image():
image += size
width = len(str(total))
log.debug(" %%%ds bytes of readable memory" % width) % int(readable)
log.debug(
" %%%ds bytes of writeable memory" % width) % int(writeable)
log.debug(
" %%%ds bytes of executable memory" % width) % int(executable)
log.debug(" %%%ds bytes of private memory" % width) % int(private)
log.debug(" %%%ds bytes of mapped memory" % width) % int(mapped)
log.debug(" %%%ds bytes of image memory" % width) % int(image)
log.debug(" %%%ds bytes of total memory" % width) % int(total)
log.debug('')
return
def print_memory_map(pid):
process = Process(pid)
bits = process.get_bits()
memoryMap = process.get_memory_map()
#print CrashDump.dump_memory_dump(memoryMap)
print "Address \tSize \tState \tAccess \Type"
for mbi in memoryMap:
# Address and size of memory block
BaseAddress = HexDump.address(mbi.BaseAddress, bits)
RegionSize = HexDump.address(mbi.RegionSize, bits)
if mbi.State == win32.MEM_RESERVE:
State = "Reserved "
elif mbi.State == win32.MEM_COMMIT:
State = "commited "
elif mbi.State == win32.MEM_FREE:
State = "Free "
else:
State = "Unknown "
if mbi.State != win32.MEM_COMMIT:
Protect = " "
else:
## Protect = "0x%.08x" % mbi.Protect
if mbi.Protect & win32.PAGE_NOACCESS:
Protect = "--- "
elif mbi.Protect & win32.PAGE_READONLY:
Protect = "R-- "
elif mbi.Protect & win32.PAGE_READWRITE:
Protect = "RW- "
elif mbi.Protect & win32.PAGE_WRITECOPY:
Protect = "RC- "
elif mbi.Protect & win32.PAGE_EXECUTE:
Protect = "--X "
elif mbi.Protect & win32.PAGE_EXECUTE_READ:
Protect = "R-X "
elif mbi.Protect & win32.PAGE_EXECUTE_READWRITE:
Protect = "RWX "
elif mbi.Protect & win32.PAGE_EXECUTE_WRITECOPY:
Protect = "RCX "
else:
Protect = "??? "
if mbi.Protect & win32.PAGE_GUARD:
Protect += "G"
else:
Protect += "-"
if mbi.Protect & win32.PAGE_NOCACHE:
Protect += "N"
else:
Protect += "-"
if mbi.Protect & win32.PAGE_WRITECOMBINE:
Protect += "W"
else:
Protect += "-"
Protect += " "
# Type (file mapping, executable image, or private memory).
if mbi.Type == win32.MEM_IMAGE:
Type = "Image "
elif mbi.Type == win32.MEM_MAPPED:
Type = "Mapped "
elif mbi.Type == win32.MEM_PRIVATE:
Type = "Private "
elif mbi.Type == 0:
Type = "Free "
else:
Type = "Unknown "
# Print the memory block information.
fmt = "%s\t%s\t%s\t%s\t%s"
print fmt % (BaseAddress, RegionSize, State, Protect, Type)
def print_memory_map( pid ):
# Instance a Process object.
process = Process( pid )
# Find out if it's a 32 or 64 bit process.
bits = process.get_bits()
# Get the process memory map.
memoryMap = process.get_memory_map()
# Now you could do this...
#
# from winappdbg import CrashDump
# print CrashDump.dump_memory_map( memoryMap ),
#
# ...but let's do it the hard way:
# For each memory block in the map...
print "Address \tSize \tState \tAccess \tType"
for mbi in memoryMap:
# Address and size of memory block.
BaseAddress = HexDump.address(mbi.BaseAddress, bits)
RegionSize = HexDump.address(mbi.RegionSize, bits)
# State (free or allocated).
if mbi.State == win32.MEM_RESERVE:
State = "Reserved "
elif mbi.State == win32.MEM_COMMIT:
State = "Commited "
elif mbi.State == win32.MEM_FREE:
State = "Free "
else:
State = "Unknown "
# Page protection bits (R/W/X/G).
if mbi.State != win32.MEM_COMMIT:
Protect = " "
else:
## Protect = "0x%.08x" % mbi.Protect
if mbi.Protect & win32.PAGE_NOACCESS:
Protect = "--- "
elif mbi.Protect & win32.PAGE_READONLY:
Protect = "R-- "
elif mbi.Protect & win32.PAGE_READWRITE:
Protect = "RW- "
elif mbi.Protect & win32.PAGE_WRITECOPY:
Protect = "RC- "
elif mbi.Protect & win32.PAGE_EXECUTE:
Protect = "--X "
elif mbi.Protect & win32.PAGE_EXECUTE_READ:
Protect = "R-X "
elif mbi.Protect & win32.PAGE_EXECUTE_READWRITE:
Protect = "RWX "
elif mbi.Protect & win32.PAGE_EXECUTE_WRITECOPY:
Protect = "RCX "
else:
Protect = "??? "
if mbi.Protect & win32.PAGE_GUARD:
Protect += "G"
else:
Protect += "-"
if mbi.Protect & win32.PAGE_NOCACHE:
Protect += "N"
else:
Protect += "-"
if mbi.Protect & win32.PAGE_WRITECOMBINE:
Protect += "W"
else:
Protect += "-"
Protect += " "
# Type (file mapping, executable image, or private memory).
if mbi.Type == win32.MEM_IMAGE:
Type = "Image "
elif mbi.Type == win32.MEM_MAPPED:
Type = "Mapped "
elif mbi.Type == win32.MEM_PRIVATE:
Type = "Private "
elif mbi.Type == 0:
Type = "Free "
else:
Type = "Unknown "
# Print the memory block information.
fmt = "%s\t%s\t%s\t%s\t%s"
print fmt % ( BaseAddress, RegionSize, State, Protect, Type )
def main():
print "Process memory map"
print "by Mario Vilas (mvilas at gmail.com)"
print
if len(sys.argv) < 2 or "-h" in sys.argv or "--help" in sys.argv:
script = os.path.basename(sys.argv[0])
print "Usage:"
print " %s <pid>..." % script
print " %s <process.exe>..." % script
return
s = System()
s.request_debug_privileges()
s.scan_processes()
targets = set()
for token in sys.argv[1:]:
try:
pid = HexInput.integer(token)
if not s.has_process(pid):
print "Process not found: %s" % token
return
targets.add(pid)
except ValueError:
pl = s.find_processes_by_filename(token)
if not pl:
print "Process not found: %s" % token
return
for p, n in pl:
pid = p.get_pid()
targets.add(pid)
targets = list(targets)
targets.sort()
for pid in targets:
process = Process(pid)
fileName = process.get_filename()
memoryMap = process.get_memory_map()
mappedFilenames = process.get_mapped_filenames()
if fileName:
print "Memory map for %d (%s):" % (pid, fileName)
else:
print "Memory map for %d:" % pid
print
## print CrashDump.dump_memory_map(memoryMap),
print CrashDump.dump_memory_map(memoryMap, mappedFilenames)
readable = 0
writeable = 0
executable = 0
private = 0
mapped = 0
image = 0
total = 0
for mbi in memoryMap:
size = mbi.RegionSize
if not mbi.is_free():
total += size
if mbi.is_readable():
readable += size
if mbi.is_writeable():
writeable += size
if mbi.is_executable():
executable += size
if mbi.is_private():
private += size
if mbi.is_mapped():
mapped += size
if mbi.is_image():
image += size
width = len(number(total))
print (" %%%ds bytes of readable memory" % width) % number(readable)
print (" %%%ds bytes of writeable memory" % width) % number(writeable)
print (" %%%ds bytes of executable memory" % width) % number(executable)
print (" %%%ds bytes of private memory" % width) % number(private)
print (" %%%ds bytes of mapped memory" % width) % number(mapped)
print (" %%%ds bytes of image memory" % width) % number(image)
print (" %%%ds bytes of total memory" % width) % number(total)
print
def RC4_dec(key, msg):
return ARC4.new(key).decrypt(msg)
if len(sys.argv) < 2:
print "Provide PID"
exit()
system = winappdbg.System()
system.request_debug_privileges()
system.scan_processes()
pid = int(sys.argv[1])
process = Process(pid)
memory_map = process.get_memory_map()
for mM in memory_map:
if mM.Protect == win32.PAGE_EXECUTE_READWRITE:
base_addr = mM.baseAddress
reg_size = mM.RegionSize
#pattern = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?0 ?4 ?? 00 ?? 00 00 00"
pattern = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?0 ?4 ?? 00 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ??"
f_data = process.search_hexa(pattern, base_addr, base_addr + reg_size)
try:
enc_con_addr = f_data.next()[0] + 0x18
except:
