def attached_handler(process):
bpRegOpenKeyEx = _ptrace.breakpoint_sw("advapi32!RegOpenKeyExW",
regOpenKeyEx)
#bpRegGetValue = _ptrace.breakpoint_sw("advapi32!RegGetValueW", regGetValue)
bpRegQueryValueEx = _ptrace.breakpoint_sw("advapi32!RegQueryValueExW",
regQueryValueEx)
process.breakpoint_set(bpRegOpenKeyEx)
process.breakpoint_set(bpRegQueryValueEx)
def attached_handler(process):
print "Attached to process %d." % process.id
# Hook DispatchMessageW(...)
bp = _ptrace.breakpoint_sw("user32!DispatchMessageW",
dispatch_message_hook)
process.breakpoint_set(bp)
# And hook PeekMessageW(..., PM_REMOVE)
bp = _ptrace.breakpoint_sw("user32!PeekMessageW", peek_message_hook)
process.breakpoint_set(bp)
def handler_mainmain(breakpoint, thread):
global functab
for func in functab.keys():
if "main.main" in functab[func]:
continue
bp_func = _ptrace.breakpoint_sw(func, handler_func)
thread.process.breakpoint_set(bp_func)
def attached_handler(process):
global functab
for yy in functab:
if "main.main" == functab[yy]:
addr_mainmain = yy
print("[{}] Attached".format(process.id))
bp_main_main = _ptrace.breakpoint_sw(addr_mainmain, handler_mainmain)
process.breakpoint_set(bp_main_main)
print("[{}] BreakPoint Set at 0x{:08x}".format(process.id, addr_mainmain))
def alloc(breakpoint, thread):
regs = thread.registers
retaddr = _ptrace.cconv.retaddr_get(thread)
(heap, flags, size) = _ptrace.cconv.args_get(thread, "%p%lu%zu")
print "T%d: RtlAllocateHeap(0x%x, 0x%x, 0x%x)" % (thread.id, heap, flags,
size),
# Set breakpoint after function returns, so we can print the results.
if thread.proces.breakpoint_find(retaddr) is None:
bp_end = _ptrace.breakpoint_sw(retaddr, alloc_end)
thread.process.breakpoint_set(bp_end)
def alloc(breakpoint, thread):
retaddr = _ptrace.cconv.retaddr_get(thread)
(heap, flags, size) = _ptrace.cconv.args_get(thread, "%p%lu%zu")
print("T{}: RtlAllocateHeap(0x{:x}, 0x{:x}, 0x{:x})".format(
thread.id, heap, flags, size),
end='')
# Set breakpoint after function returns, so we can print the results.
if thread.process.breakpoint_find(retaddr) is None:
bp_end = _ptrace.breakpoint_sw(retaddr, alloc_end)
thread.process.breakpoint_set(bp_end)
def peek_message_hook(breakpoint, thread):
(lpmsg, _, _, _, rem) = _ptrace.cconv.args_get(thread, "%p%p%u%u%u")
if rem & PM_REMOVE:
ret = _ptrace.cconv.retaddr_get(thread)
thread.lpmsg = lpmsg
if not hasattr(thread.process, 'bp_table'):
thread.process.bp_table = {}
# Have we set a breakpoint at the same address?
if ret not in thread.process.bp_table:
bp = _ptrace.breakpoint_sw(ret, peek_message_ret_hook)
thread.process.breakpoint_set(bp)
thread.process.bp_table[ret] = bp
def regOpenKeyEx(breakpoint, thread):
retaddr = _ptrace.cconv.retaddr_get(thread)
(key, subkey, options, sam,
result) = _ptrace.cconv.args_get(thread, "%u%p%u%u%p")
if key in keys:
key = keys[key]
else:
key = "0x{:08x}".format(key)
subkey = thread.process.read_utf16(subkey)
print "T%d: RegOpenKeyEx(%s, \"%s\", 0x%08x, 0x%08x, 0x%08x)" % \
(thread.id, key, subkey, options, sam, result),
# Set breakpoint after function returns, so we can print the results.
if thread.process.breakpoint_find(retaddr) is None:
bp_end = _ptrace.breakpoint_sw(retaddr, bp_end_handler)
thread.process.breakpoint_set(bp_end)
def regQueryValueEx(breakpoint, thread):
retaddr = _ptrace.cconv.retaddr_get(thread)
(key, value, reserved, type, data,
size) = _ptrace.cconv.args_get(thread, "%u%p%p%p%p%p")
if key in keys:
key = keys[key]
else:
key = "0x{:08x}".format(key)
value = thread.process.read_utf16(value)
print "T%d: RegQueryValueEx(%s, \"%s\", 0x%.8x, 0x%.8x 0x%.8x 0x%.8x)" % \
(thread.id, key, value, reserved, type, data, size),
# Set breakpoint after function returns, so we can print the results.
if thread.process.breakpoint_find(retaddr) is None:
bp_end = _ptrace.breakpoint_sw(retaddr, bp_end_handler)
thread.process.breakpoint_set(bp_end)
def regGetValue(breakpoint, thread):
retaddr = _ptrace.cconv.retaddr_get(thread)
(key, subkey, value, flags, type, data,
size) = _ptrace.cconv.args_get(thread, "%p%p%p%u%p%p%p")
if key in keys:
key = keys[key]
else:
key = "0x{:08x}".format(key)
subkey = thread.process.read_utf16(subkey)
value = thread.process.read_utf16(value)
print('T{}: RegGetValue({}, "{}", "{}")'.format(thread.id, key, subkey,
value),
end='')
# Set breakpoint after function returns, so we can print the results.
if thread.process.breakpoint_find(retaddr) is None:
bp_end = _ptrace.breakpoint_sw(retaddr, bp_end_handler)
thread.process.breakpoint_set(bp_end)
def attached_handler(process):
bp_alloc = _ptrace.breakpoint_sw("ntdll!RtlAllocateHeap", alloc)
bp_free = _ptrace.breakpoint_sw("ntdll!RtlFreeHeap", free)
process.breakpoint_set(bp_alloc)
process.breakpoint_set(bp_free)
