def print_state( process_name ): # Request debug privileges. System.request_debug_privileges() # Find the first process that matches the requested name. system = System() process, filename = system.find_processes_by_filename( process_name )[ 0 ] # Suspend the process execution. process.suspend() try: # For each thread in the process... for thread in process.iter_threads(): # Get the thread state. tid = thread.get_tid() eip = thread.get_pc() code = thread.disassemble_around( eip ) context = thread.get_context() # Display the thread state. print print "-" * 79 print "Thread: %s" % HexDump.integer( tid ) print print CrashDump.dump_registers( context ) print CrashDump.dump_code( code, eip ), print "-" * 79 # Resume the process execution. finally: process.resume()
def print_thread_disassembly(tid): # Request debug privileges. System.request_debug_privileges() # Instance a Thread object. thread = Thread(tid) # Suspend the thread execution. thread.suspend() # Get the thread's currently running code. try: eip = thread.get_pc() code = thread.disassemble_around(eip) # You can also do this: # code = thread.disassemble_around_pc() # Or even this: # process = thread.get_process() # code = process.disassemble_around( eip ) # Resume the thread execution. finally: thread.resume() # Display the disassembled code. print print CrashDump.dump_code(code, eip),
def print_thread_disassembly( tid ): # Request debug privileges. System.request_debug_privileges() # Instance a Thread object. thread = Thread( tid ) # Suspend the thread execution. thread.suspend() # Get the thread's currently running code. try: eip = thread.get_pc() code = thread.disassemble_around( eip ) # You can also do this: # code = thread.disassemble_around_pc() # Or even this: # process = thread.get_process() # code = process.disassemble_around( eip ) # Resume the thread execution. finally: thread.resume() # Display the disassembled code. print print CrashDump.dump_code( code, eip ),
def print_thread(title, thread): tid = thread.get_tid() eip = thread.get_pc() context = thread.get_context() handle = thread.get_handle() code = thread.disassemble_around(eip) print("%s %s - %s " % (title, HexDump.integer(tid), handle)) print CrashDump.dump_registers(context) print CrashDump.dump_code(code, eip),
def access_violation(self, evt): thread = evt.get_thread() tid = thread.get_tid() code = thread.disassemble_around_pc() context = thread.get_context() print print "-" * 79 print "Thread: %s" % HexDump.integer(tid) print print CrashDump.dump_registers(context) print CrashDump.dump_code(code) print "-" * 79
def single_step(self, evt): if not self.crash_encountered: return print "single step" proc = evt.get_process() if self.instruction_count == MAX_INSTRUCTIONS: evt.debug.stop_tracing_process(proc.get_pid()) else: thread = evt.get_thread() pc = thread.get_pc() code = proc.disassemble(pc, 0x10) print CrashDump.dump_code(code, pc) self.instruction_count += 1
def print_thread_disassembly(tid): System.request_debug_privileges() thread = Thread(tid) thread.suspend() try: eip = thread.get_pc() code = thread.disassemble_around(eip) #or code = thread.disassemble_around_pc() #or process = thread.get_process() # code = process.disassemble_around(eip) finally: thread.resume() print print CrashDump.dump_code(code, eip)
def pre_Sleep(event): thread = event.get_thread() process = event.get_process() print "Intercepted Sleep call of %d milliseconds" print_module_load(event) code, eip = dump_thread_range(thread) print CrashDump.dump_code(code, eip) n = 10000 #kernel32!start+0xd52c6 # Access first parameter on the stack: EBP + 4 stack_offset = thread.get_sp() + 4 # Write the new value at that address (e.g. 0 milliseconds) process.write_dword(stack_offset, n)
offset = 0 try: size = HexInput.integer(argv[3]) except IndexError: size = 0 try: arch = argv[4] except IndexError: arch = None try: engine = argv[5] except IndexError: engine = None # Load the requested disassembler engine. disasm = Disassembler(arch, engine) # Load the binary code. with open(filename, 'rb') as fd: fd.seek(offset) if size: code = fd.read(size) else: code = fd.read() # Disassemble the code. disassembly = disasm.decode(offset, code) # Show the disassembly. print CrashDump.dump_code(disassembly, offset)
offset = 0 try: size = HexInput.integer( argv[3] ) except IndexError: size = 0 try: arch = argv[4] except IndexError: arch = None try: engine = argv[5] except IndexError: engine = None # Load the requested disassembler engine. disasm = Disassembler( arch, engine ) # Load the binary code. with open( filename, 'rb' ) as fd: fd.seek( offset ) if size: code = fd.read( size ) else: code = fd.read() # Disassemble the code. disassembly = disasm.decode( offset, code ) # Show the disassembly. print CrashDump.dump_code( disassembly, offset )