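def wildcard_search( pid, pattern ):
    """Dump every occurrence of a hex *pattern* found in the memory of process *pid*.

    Hex patterns must be in this form:
        "68 65 6c 6c 6f 20 77 6f 72 6c 64"  # "hello world"

    Spaces are optional. Capitalization of hex digits doesn't matter.
    This is exactly equivalent to the previous example:
        "68656C6C6F20776F726C64"            # "hello world"

    Wildcards are allowed, in the form of a "?" sign in any hex digit:
        "5? 5? c3"          # pop register / pop register / ret
        "b8 ?? ?? ?? ??"    # mov eax, immediate value

    Args:
        pid: Process ID of the process whose memory is searched.
        pattern: Hex byte pattern, optionally containing "?" wildcards,
            in the form described above.

    Returns:
        None. Each match is printed as a hex dump of the matched bytes,
        labelled with the address at which it was found.

    NOTE(review): parsing of the pattern (and any error raised for a
    malformed one) happens inside ``process.search_hexa``, and attaching
    to another process is expected to fail in ``Process(pid)`` when the
    caller lacks the required privileges -- confirm against the Process
    class's API, neither is visible here.
    """

    # Instance a Process object.
    process = Process( pid )

    # Search for the hexadecimal pattern in the process memory.
    for address, data in process.search_hexa( pattern ):

        # Print a hex dump for each memory location found. The call form of
        # print with a single argument behaves the same on Python 2 and 3,
        # so this function runs unchanged under either interpreter.
        print( HexDump.hexblock(data, address = address) )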
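def wildcard_search(pid, pattern):
    """Print a hex dump for each place *pattern* occurs in the memory of *pid*.

    Hex patterns must be in this form:
        "68 65 6c 6c 6f 20 77 6f 72 6c 64"  # "hello world"

    Spaces are optional. Capitalization of hex digits doesn't matter.
    This is exactly equivalent to the previous example:
        "68656C6C6F20776F726C64"            # "hello world"

    Wildcards are allowed, in the form of a "?" sign in any hex digit:
        "5? 5? c3"          # pop register / pop register / ret
        "b8 ?? ?? ?? ??"    # mov eax, immediate value

    Args:
        pid: Process ID of the process to scan.
        pattern: Hex byte pattern, "?" allowed as a wildcard digit.

    Returns:
        None; output goes to stdout, one hex block per match.

    NOTE(review): what ``search_hexa`` does with a malformed pattern, and
    how ``Process(pid)`` reports a process it cannot attach to, are not
    visible from this file -- confirm against the Process class's API.
    """
    # Attach to the target process.
    process = Process(pid)

    # search_hexa yields (address, data) pairs for every match in memory.
    hits = process.search_hexa(pattern)
    for address, data in hits:
        dump = HexDump.hexblock(data, address=address)
        # Single-argument call form of print: same result on Python 2 and 3.
        print(dump)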
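# Refresh the process list before resolving the target PID.
system.scan_processes()

# The target PID is the single command-line argument. Report a usage
# error instead of a traceback when it is missing (IndexError) or not an
# integer (ValueError); stderr + exit status 1 keep stdout clean for the
# extracted configuration that is printed later.
try:
    pid = int(sys.argv[1])
except (IndexError, ValueError):
    sys.stderr.write("usage: %s <pid>\n" % sys.argv[0])
    sys.exit(1)

# Attach to the process and take a snapshot of its memory map; the
# regions in this map are what the scan below iterates over.
# NOTE(review): Process(pid) is presumably where insufficient privileges
# or a non-existent PID surface as an exception -- confirm.
process = Process(pid)
memory_map = process.get_memory_map()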

for mM in memory_map:
    if mM.Protect == win32.PAGE_EXECUTE_READWRITE:
        base_addr = mM.baseAddress
        reg_size = mM.RegionSize

        #pattern = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?0 ?4 ?? 00 ?? 00 00 00"

        pattern = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?0 ?4 ?? 00 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ??"

        f_data = process.search_hexa(pattern, base_addr, base_addr + reg_size)

        try:
            enc_con_addr = f_data.next()[0] + 0x18
        except:
            print "Not found"
            exit()

        print "[*] Encrypted config address: 0x%s" % HexDump.address(
            enc_con_addr, 32)
        enc_con = process.read(enc_con_addr, 0x2EF)
        RC4_key = process.read(enc_con_addr + 0x2EF, 0x39).rstrip('\x00')
        print "[*] RC4 key: %s" % RC4_key
        dec_con = RC4_dec(RC4_key, enc_con)
        conf = re.split("\x00+", dec_con)
        print "[*] Config: "