def attach(clx, target, script="", sysroot=None):
showbanner('attaching', 'purple', '[=]')
windbgxPath = 'windbgx'
load_windbg = [windbgxPath, '-p']
if isinstance(target, int):
load_windbg.append(str(target)) # target is pid
else:
load_windbg.append(str(target.pid))
script = context.dbginit + '\n' + script + '\n'
tmp = tempfile.NamedTemporaryFile(prefix='winpwn_',
suffix='.dbg',
delete=False)
tmp.write(Latin1_encode(script))
tmp.flush()
tmp.close()
load_windbg += ['-c'] # exec command
load_windbg += [
'"$$><{}'.format(tmp.name) + ';.shell -x del {}"'.format(tmp.name)
]
# print('script:',script)
# print('load:',load_windbg)
ter = subprocess.Popen(' '.join(load_windbg))
while (os.path.exists(tmp.name)): # wait_for_debugger
pass
target.debugger = ter
# mark('attached')
return ter.pid
def attach(clx, target, script="", sysroot=None):
showbanner('attaching', 'purple', '[=]')
if context.windbg_path is None:
raise Exception(
color("can't find windbg.exe, plz set context.windbg_path",
'red'))
else:
windbgPath = context.windbg
load_windbg = [windbgPath, '-p']
if isinstance(target, int):
load_windbg.append(str(target))
else:
load_windbg.append(str(target.pid))
script = context.dbginit + '\n' + script + '\n'
tmp = tempfile.NamedTemporaryFile(prefix='winpwn_',
suffix='.dbg',
delete=False)
tmp.write(Latin1_encode(script))
tmp.flush()
tmp.close()
load_windbg += ['-c'] # exec command
load_windbg += [
'$$><{}'.format(tmp.name) + ';.shell -x del {}'.format(tmp.name)
]
# print('script:',script)
# print('load:',load_windbg)
ter = subprocess.Popen(load_windbg)
while (os.path.exists(tmp.name)): # wait_for_debugger
pass
target.debugger = ter
return ter.pid
def recvn(self, n, timeout=None):
# must recv n bytes within timeout
showbanner("Recv")
buf = self.read(n, timeout)
if len(buf) != n:
raise (EOFError(color("[-]: Timeout when use recvn", 'red')))
showbuf(buf)
return buf
def recv_thread():
try:
while not go.is_set():
buf = self.read(0x10000, 0.125, interactive=True)
if buf:
showbuf(buf, is_noout=False)
showbanner('Interacting', is_noout=False)
go.wait(0.2)
except KeyboardInterrupt:
go.set()
print(color('[-]: Exited', 'red'))
def __init__(self,
ip,
port,
family=socket.AF_INET,
socktype=socket.SOCK_STREAM):
tube.__init__(self)
self.sock = socket.socket(family, socktype)
# self.ip = ip
# self.port = port
self._is_exit = False
try:
showbanner("Connecting to ({},{})".format(ip, port))
self.sock.settimeout(self.timeout)
self.sock.connect((ip, port))
except:
raise (EOFError(
color("[-]: Connect to ({},{}) failed".format(ip, port),
'red')))
def interactive(self):
# it exited, contrl+C, timeout
showbanner('Interacting', is_noout=False)
go = threading.Event()
go.clear()
def recv_thread():
try:
while not go.is_set():
buf = self.read(0x10000, 0.125, interactive=True)
if buf:
showbuf(buf, is_noout=False)
showbanner('Interacting', is_noout=False)
go.wait(0.2)
except KeyboardInterrupt:
go.set()
print(color('[-]: Exited', 'red'))
t = threading.Thread(target=recv_thread)
t.daemon = True
t.start()
try:
while not go.is_set():
go.wait(0.2)
try:
if self.is_exit():
time.sleep(0.2) # wait for time to read output
buf = sys.stdin.readline()
if buf:
self.write(buf) # remote.write() may cause exception
except:
go.set()
print(color('[-]: Exited', 'red'))
break
except KeyboardInterrupt: # control+C
go.set()
print(color('[-]: Exited', 'red'))
while t.is_alive():
t.join(timeout=0.1)
def create(self, argv, cwd=None, flags=None):
lpCurrentDirectory = cwd
lpEnvironment = None
dwCreationFlags = flags
bInheritHandles = True
lpProcessAttributes = None
lpThreadAttributes = None
lpProcessInformation = PROCESS_INFORMATION()
StartupInfo = STARTUPINFO()
StartupInfo.cb = sizeof(StartupInfo)
StartupInfo.dwFlags = STARTF_USESTDHANDLES
StartupInfo.hStdInput = self.child_hReadPipe
StartupInfo.hStdOutput = self.child_hWritePipe
StartupInfo.hStdError = self.child_hWritePipe
lpStartupInfo = byref(StartupInfo)
lpCommandLine = None
lpApplicationName = None
if not isinstance(argv, list):
lpApplicationName = Latin1_encode(argv)
else:
lpCommandLine = Latin1_encode((" ".join([str(a) for a in argv])))
try:
bs = windll.kernel32.CreateProcessA(
lpApplicationName, lpCommandLine, lpProcessAttributes,
lpThreadAttributes, bInheritHandles, dwCreationFlags,
lpEnvironment, lpCurrentDirectory, byref(StartupInfo),
byref(lpProcessInformation))
self.pid = lpProcessInformation.dwProcessId
self.phandle = lpProcessInformation.hProcess
self.tid = lpProcessInformation.dwThreadId
self.thandle = lpProcessInformation.hThread
showbanner('Create process success #pid 0x{:x}'.format(self.pid))
except:
raise (EOFError(color("[-]: Create process error", 'red')))
def recvuntil(self, delim, drop=True, timeout=None):
showbanner("Recv")
if timeout is None:
if self.timeout:
timeout = self.timeout
else:
timeout = context.timeout
buf = ''
st = time.time()
xt = st
while (buf[-len(delim):] != delim):
buf += self.read(1, timeout=timeout - (xt - st))
if self.debugger is None:
xt = time.time()
if (xt - st) >= timeout:
break
if not buf.endswith(delim):
raise (EOFError(color("[-]: Recvuntil error", 'red')))
if drop:
buf = buf[:-len(delim)]
showbuf(buf)
return buf
def recvall(self, timeout=None):
showbanner('Recv')
buf = self.read(0x100000, timeout)
showbuf(buf)
return buf
def recv(self, n, timeout=None):
# try to read n bytes, no exception
showbanner('Recv')
buf = self.read(n, timeout)
showbuf(buf)
return buf
def send(self, buf):
showbanner('Send')
rs = self.write(buf)
showbuf(buf)
return rs
