def load_binary(filepath, base=None):
opList = {}
trace = vtrace.getTrace()
trace.execute(filepath)
#######################################################################
# Enable the notifier. Used later to catch the page execute exception.
notif = CustomNotifier()
eve = vtrace.NOTIFY_ALL
trace.registerNotifier(eve, notif)
#######################################################################
# Set a breakpoint on CreateProcessA and run until it is hit
pattern = "CreateProcessA()"
v_api.setBpOnPattern(trace, pattern)
v_api.printBp(trace)
trace.run()
#######################################################################
# Functions sets child process to start suspended and attaches to it
# as soon as it returns to userland by setting the Entry Point page
# as non executable and catching the exception that is thrown.
print "followCreateProcessA"
v_api.followCreateProcessA(trace)
addr = v_api.getOEP(trace, "pwnables100")
v_api.nxMemPerm(trace, addr)
#####################################################################
# Beyond this point the debugger is attached to the child process
#
print ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
print "HOLY BREAKPOINT BATMAN!"
print "EIP: ", v_api.printableEIP(trace)
def load_binary(filepath, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
# If attempting to attach to a 64 bit process
# 64 bit python is required.
trace.execute(filepath)
###############################################################
# The notifier class we want to register
notif = CustomNotifier()
# The list of events we want the notifier to handle
eve = vtrace.NOTIFY_ALL
# Tell our vtrace object that we want to capture all events with CustomNotifier
trace.registerNotifier(eve, notif)
###############################################################
# Call a function to set BP on OEP
oep = v_api.getOEP(trace, filepath)
# Set breakpoint at address
bp = vtrace.Breakpoint(oep)
trace.addBreakpoint(bp)
# Start executing the program until you hit a breakpoint or it ends
trace.run()
#################################################################
# Step 5 times into the program
for i in range(5):
trace.stepi()
# Deregister our notifier
trace.deregisterNotifier(eve, notif)
def prepTest(self):
self.proc = subprocess.Popen([sys.executable, '-m', self.modname],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE)
assert (self.proc.stdout.readline().strip() == 'testwait')
self.trace = vtrace.getTrace()
self.trace.attach(self.proc.pid)
def load_binary(filepath, base=None):
opList = {}
trace = vtrace.getTrace()
trace.execute(filepath)
#######################################################################
# Enable the notifier. Used later to catch the page execute exception.
notif = CustomNotifier()
eve = vtrace.NOTIFY_ALL
trace.registerNotifier(eve, notif)
#######################################################################
# Set a breakpoint on CreateProcessA and run until it is hit
pattern = "CreateProcessA()"
v_api.setBpOnPattern(trace, pattern)
v_api.printBp(trace)
trace.run()
#######################################################################
# Functions sets child process to start suspended and attaches to it
# as soon as it returns to userland by setting the Entry Point page
# as non executable and catching the exception that is thrown.
print "followCreateProcessA"
v_api.followCreateProcessA(trace)
addr = v_api.getOEP(trace, "pwnables100")
v_api.nxMemPerm(trace, addr)
#####################################################################
# Beyond this point the debugger is attached to the child process
#
print ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
print "HOLY BREAKPOINT BATMAN!"
print "EIP: ", v_api.printableEIP(trace)
def getTrace(self):
trace = vtrace.getTrace()
host,port = cobra.getLocalInfo()
unique = md5.md5(os.urandom(20)).hexdigest()
vtrace.cobra_daemon.shareObject(trace, unique)
trace.proxy = cobra.CobraProxy("cobra://%s:%d/%s" % (host,port,unique))
return unique
def __init__(self, trace=None):
v_notif.Notifier.__init__(self)
v_util.TraceManager.__init__(self)
if trace == None:
trace = vtrace.getTrace()
arch = trace.getMeta("Architecture")
self.arch = envi.getArchModule(arch)
self.difftracks = {}
self.setMode("NonBlocking", True)
self.manageTrace(trace)
self.registerNotifier(vtrace.NOTIFY_ALL, self)
# FIXME if config verbose
#self.registerNotifier(vtrace.NOTIFY_ALL, vtrace.VerboseNotifier())
self.vdbhome = e_config.gethomedir(".vdb")
self.loadConfig()
self.setupSignalLookups()
# Ok... from here down we're handing everybody the crazy
# on-demand-resolved trace object.
trace = vdb.VdbTrace(self)
e_cli.EnviMutableCli.__init__(self, trace, self.config, symobj=trace)
self.prompt = "vdb > "
self.banner = "Welcome To VDB!\n"
self.loadDefaultRenderers(trace)
self.loadExtensions(trace)
def run(self): self.trace = vtrace.getTrace() self.trace.registerNotifier(vtrace.NOTIFY_SIGNAL, PeachNotifier()) self.trace.execute(self._command + " " + self._params) UnixDebugger.started.set() self.trace.run()
def run_with_vivisect(binary, args, ttl):
trace = vtrace.getTrace()
logger.debug('Building Thread [{}]'.format(load_binary))
t = Thread(target=load_binary, args=(trace, binary, args))
t.start()
logger.debug('Sleeping for {} seconds.'.format(ttl))
sleep(ttl)
if trace.isRunning():
trace.sendBreak()
# print_info(trace)
logger.info("Death to the process {}".format(trace.getPid()))
logger.debug(" (\ /)")
logger.debug(" ( . .)")
logger.debug("C(\") (\"), done and no crash. Bunny is sad..")
trace.kill()
trace.detach()
return NO_CRASH_RETURN
else:
# TODO: Seems that isRunning isn't working that well.
logger.info("{} crashed!".format(binary))
logger.info("Arguments: {}".format(', '.join(args)))
print_info(trace)
return CRASH_RETURN
def run_with_vivisect(binary, args, ttl):
trace = vtrace.getTrace()
logger.debug("Building Thread [{}]".format(load_binary))
t = Thread(target=load_binary, args=(trace, binary, args))
t.start()
logger.debug("Sleeping for {} seconds.".format(ttl))
sleep(ttl)
if trace.isRunning():
trace.sendBreak()
# print_info(trace)
logger.info("Death to the process {}".format(trace.getPid()))
logger.debug(" (\ /)")
logger.debug(" ( . .)")
logger.debug('C(") ("), done and no crash. Bunny is sad..')
trace.kill()
trace.detach()
return NO_CRASH_RETURN
else:
# TODO: Seems that isRunning isn't working that well.
logger.info("{} crashed!".format(binary))
logger.info("Arguments: {}".format(", ".join(args)))
print_info(trace)
return CRASH_RETURN
def run(self): self.trace = vtrace.getTrace() self.trace.registerNotifier(vtrace.NOTIFY_SIGNAL, PeachNotifier()) self.trace.execute(self._command + " " + self._params) UnixDebugger.started.set() self.trace.run()
def getTrace(self):
trace = vtrace.getTrace()
host, port = cobra.getLocalInfo()
unique = vtrace.cobra_daemon.shareObject(trace)
trace.proxy = cobra.CobraProxy("cobra://%s:%d/%s" %
(host, port, unique))
return unique
def load_binary(filepath, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
# If attempting to attach to a 64 bit process
# 64 bit python is required.
trace.execute(filepath)
###############################################################
# The notifier class we want to register
notif = CustomNotifier()
# The list of events we want the notifier to handle
eve = vtrace.NOTIFY_ALL
# Tell our vtrace object that we want to capture all events with CustomNotifier
trace.registerNotifier(eve, notif)
###############################################################
# Call a function to set BP on OEP
oep = v_api.getOEP(trace, filepath)
# Set breakpoint at address
bp = vtrace.Breakpoint(oep)
trace.addBreakpoint(bp)
# Start executing the program until you hit a breakpoint or it ends
trace.run()
#################################################################
# Step 5 times into the program
for i in range(5):
trace.stepi()
# Deregister our notifier
trace.deregisterNotifier(eve, notif)
def getTrace(self):
trace = vtrace.getTrace()
host, port = cobra.getLocalInfo()
unique = md5(os.urandom(20)).hexdigest()
vtrace.cobra_daemon.shareObject(trace, unique)
trace.proxy = cobra.CobraProxy("cobra://%s:%d/%s" %
(host, port, unique))
return unique
def setUp(self):
self.exitrun = False
self.proc = subprocess.Popen([sys.executable, self.pypath],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE)
assert (self.proc.stdout.readline().strip() == 'testwait')
self.trace = vtrace.getTrace()
self.trace.attach(self.proc.pid)
def load_binary(filepath, base=None):
# Get the current vtrace object
trace = vtrace.getTrace()
# If attempting to attach to a 64 bit process
# 64 bit python is required.
trace.execute(filepath)
# Start the program executing
trace.run()
def load_binary(filepath, base=None):
# Get the current vtrace object
trace = vtrace.getTrace()
# If attempting to attach to a 64 bit process
# 64 bit python is required.
trace.execute(filepath)
# Start the program executing
trace.run()
def __init__(self, trace=None, parent=None):
vq_tree.VQTreeView.__init__(self, parent=parent)
if trace is None:
trace = vtrace.getTrace()
self.trace = trace
model = VQProcessListModel(parent=self)
self.setModel(model)
self.setAlternatingRowColors(True)
for pid, name in self.trace.ps():
model.append((pid, name))
def __init__(self, trace=None, parent=None):
vq_tree.VQTreeView.__init__(self, parent=parent)
if trace == None:
trace = vtrace.getTrace()
self.trace = trace
model = VQProcessListModel(parent=self)
self.setModel(model)
self.setAlternatingRowColors(True)
for pid,name in self.trace.ps():
model.append((pid,name))
def main():
if len(sys.argv) < 3:
print("dreifuzz -- a effortlessly uncomplicated fuzzer\n"
"usage: ./dreifuzz.py [executable] [file]")
return
exepath = sys.argv[1]
filepath = sys.argv[2]
trace = vtrace.getTrace()
load_binary(trace, exepath, filepath)
def load_binary(filePID, base=None):
# Ask for the current trace object so we can play with it
trace = vtrace.getTrace()
# If attempting to attach to a 64 bit process
# 64 bit python is required.
if pid != None:
trace.attach(filePID)
# Start executing the program.
# Will not stop until it finishes or is killed
trace.run()
def load_binary(filePID, base=None):
# Ask for the current trace object so we can play with it
trace = vtrace.getTrace()
# If attempting to attach to a 64 bit process
# 64 bit python is required.
if pid != None:
trace.attach(filePID)
# Start executing the program.
# Will not stop until it finishes or is killed
trace.run()
def main(binary, breakpoint, memory, size):
trace = vtrace.getTrace()
try:
trace.execute(binary)
except:
print "[EE] No such file"
try:
trace.addBreakByAddr(breakpoint)
except:
print "[EE] Invalide addr %s" %(hex(breakpoint))
return
trace.run()
dump_memory(trace, memory, size)
return (0)
def main(binary, breakpoint, arg_number):
trace = vtrace.getTrace()
try:
trace.execute(binary)
except:
print "[EE] No such file"
try:
trace.addBreakByAddr(breakpoint)
except:
print "[EE] Invalide addr %s" %(hex(breakpoint))
return
trace.run()
print_stack(trace, arg_number)
return (0)
def main(binary, breakpoint, memory, size):
trace = vtrace.getTrace()
try:
trace.execute(binary)
except:
print "[EE] No such file"
try:
trace.addBreakByAddr(breakpoint)
except:
print "[EE] Invalide addr %s" % (hex(breakpoint))
return
trace.run()
dump_memory(trace, memory, size)
return (0)
def main(binary, breakpoint, arg_number):
trace = vtrace.getTrace()
try:
trace.execute(binary)
except:
print "[EE] No such file"
try:
trace.addBreakByAddr(breakpoint)
except:
print "[EE] Invalide addr %s" % (hex(breakpoint))
return
trace.run()
print_stack(trace, arg_number)
return (0)
def main():
import vtrace
sym = sys.argv[1]
pid = int(sys.argv[2])
t = vtrace.getTrace()
t.attach(pid)
symaddr = t.parseExpression(sym)
t.addBreakpoint(vtrace.Breakpoint(symaddr))
while t.getProgramCounter() != symaddr:
t.run()
snap = t.takeSnapshot()
#snap.saveToFile("woot.snap") # You may open in vdb to follow along
emu = emulatorFromTrace(snap)
lockStepEmulator(emu, t)
def main(argv):
opts = setup().parse_args(argv)
t = vtrace.getTrace()
t.attach(opts.pid)
symaddr = t.parseExpression(opts.expr)
t.addBreakpoint(vtrace.Breakpoint(symaddr))
while t.getProgramCounter() != symaddr:
t.run()
snap = v_snapshot.takeSnapshot(t)
if opts.save:
# You may open this file in vdb to follow along
snap.saveToFile(opts.save)
emu = emuFromTrace(snap)
lockStepEmulator(emu, t)
def main():
import vtrace
sym = sys.argv[1]
pid = int(sys.argv[2])
t = vtrace.getTrace()
t.attach(pid)
symaddr = t.parseExpression(sym)
t.addBreakpoint(vtrace.Breakpoint(symaddr))
while t.getProgramCounter() != symaddr:
t.run()
snap = t.takeSnapshot()
#snap.saveToFile("woot.snap") # You may open in vdb to follow along
emu = emulatorFromTraceSnapshot(snap)
lockStepEmulator(emu, t)
def main(argv):
global exepath
if len(argv) != 2:
print "Usage: %s <test files>" % sys.argv[0]
sys.exit(1)
# verify that the path to test files is valid
filepath = sys.argv[1]
if os.path.isdir(filepath) == False:
sys.exit("Invalid Input Directory")
# Get the current vtrace object
trace = vtrace.getTrace()
threads = []
crashes = []
count = 1
print("[*] Starting fuzz process")
# call load_binary on the filenames stored in the directory
for fname in os.listdir(filepath):
#print fname
cmdline = filepath + "\\" + fname
t = threading.Thread(target=load_binary, args=(
trace,
cmdline,
))
threads.append(t)
t.start()
time.sleep(10)
if trace.isRunning():
trace.sendBreak()
printInfo(trace)
print("[*] Death to the process %d") % (trace.getPid())
trace.kill()
else:
print("[*] %s crashed") % (fname)
time.sleep(1)
count += 1
print("")
print("[*] Death to all %d of %d processes") % (
(count - len(crashes)), count)
print("[*] %d files caused crashes") % (len(crashes))
for i in crashes:
print("\t filename: %s") % (i)
def newTrace(self):
"""
Generate a new trace for this vdb instance. This fixes many of
the new attach/exec data munging issues because tracer re-use is
*very* sketchy...
"""
oldtrace = self.getTrace()
if oldtrace.isRunning():
oldtrace.sendBreak()
if oldtrace.isAttached():
oldtrace.detach()
self.trace = vtrace.getTrace()
self.manageTrace(self.trace)
return self.trace
def newTrace(self):
"""
Generate a new trace for this vdb instance. This fixes many of
the new attach/exec data munging issues because tracer re-use is
*very* sketchy...
"""
oldtrace = self.getTrace()
if oldtrace.isRunning():
oldtrace.sendBreak()
if oldtrace.isAttached():
oldtrace.detach()
self.trace = vtrace.getTrace()
self.manageTrace(self.trace)
return self.trace
def load_binary(shellcode, fileLoc, base=None):
trace = vtrace.getTrace()
if shellcode is not None:
v_api.disasm(trace, binascii.unhexlify(shellcode))
else:
print "FILE LOCATION: %s" % fileLoc
f = open(fileLoc, 'rb')
tmp = f.read()
f.close()
shell = binascii.unhexlify(tmp)
v_api.disasm(trace, shell)
trace.release()
def load_binary(shellcode, fileLoc, base=None):
trace = vtrace.getTrace()
if shellcode is not None:
v_api.disasm(trace, binascii.unhexlify(shellcode))
else:
print "FILE LOCATION: %s" % fileLoc
f = open(fileLoc, 'rb')
tmp = f.read()
f.close()
shell = binascii.unhexlify(tmp)
v_api.disasm(trace, shell)
trace.release()
def main(argv):
global trace
trace = vtrace.getTrace()
if len(argv) != 2:
print "Usage: %s <KeePass.exe>" % sys.argv[0]
sys.exit(1)
pid = find_pid_by_name(sys.argv[1])
if pid:
print "Found PID: %i" % pid
else:
print "Program not running"
trace.release()
sys.exit(1)
attach(pid)
def run_trace(binary, args):
trace = vtrace.getTrace()
trace.setMode("FastStep", True)
execute_path = " ".join([binary] + args)
trace.execute(execute_path)
while trace.isRunning():
pass
# print(trace.getRegister(REG_EIP))
# run till call
# Now the program has quit.
# make a fuzzy hash.
fuzzy_hash = None
return fuzzy_hash
def run_trace(binary, args):
trace = vtrace.getTrace()
trace.setMode("FastStep", True)
execute_path = " ".join([binary] + args)
trace.execute(execute_path)
while trace.isRunning():
pass
# print(trace.getRegister(REG_EIP))
# run till call
# Now the program has quit.
# make a fuzzy hash.
fuzzy_hash = None
return fuzzy_hash
def load_binary(filepath, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
trace.setMode("FastBreak", True)
# If attempting to attach to a 64 bit process
# 64 bit python is required.
trace.execute(filepath)
# Call a function to set BP on OEP
oep = v_api.getOEP(trace, filepath)
print "OEP: %x" % oep
#######################################################################
# Add a breakpoint on CreateProcessA
# Run until the breakpoint
pattern = "kernel32.CreateProcessA"
v_api.setBpOnPattern(trace, pattern)
trace.run()
trace = v_api.followCreateProcessA(trace)
##########################################################
# Stalker
#addr is here since child process doens't start at oep
addr = 0x004015ac
try:
v_stalker.addStalkerEntry(trace, addr)
except:
pass
print('Added 0x%.8x to Stalker list' % addr)
######################################################################
## Beyond this point the debugger is attached to the child process
##
trace.setMode("FastBreak", True)
while trace.isAttached():
trace.run()
f = file("zTest.stalk", "wb")
# Prints out the current stalker hits
# Not currently working....
#print('Current Stalker Hits:')
for hitva in v_stalker.getStalkerHits(trace):
print('\t 0x%.8x' % hitva)
f.write('\t 0x%.8x\n' % hitva)
f.close()
def load_binary(filepath, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
# If attempting to attach to a 64 bit process
# 64 bit python is required.
trace.execute(filepath)
# Call a function to set BP on OEP
oep = v_api.getOEP(trace, filepath)
# Set breakpoint at address
bp = vtrace.Breakpoint(oep)
trace.addBreakpoint(bp)
# Print out all the current breakpoints as well as if they are enabled.
for bp in trace.getBreakpoints():
print("%s enabled: %s" % (bp, bp.isEnabled()))
# Start executing the program until you hit a breakpoint or it ends
trace.run()
##############################################################
# At this point you are at OEP of the program
# We know that there is a call 5 instructions in
# There are ways to programmatically find a call
for i in range(5):
trace.stepi()
# Print the value of EIP as a long and as hex
print "\n"
print "EIP: ", trace.getRegister(REG_EIP)
print "HEX EIP: ", hex(trace.getRegister(REG_EIP))
# Once you are in the function you can read the value of ESP
# ESP points to the value of the return address
print "\n"
esp = trace.getRegister(REG_ESP)
retaddr = trace.readMemory(esp, 4)
# Returns the exact memory locations
# Just in the WRONG order
print "RET: ", retaddr.encode('hex')
# This returns the address correctly formatted
print "RET: ", hex(struct.unpack("I", retaddr)[0])
def load_binary(filepath, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
# If attempting to attach to a 64 bit process
# 64 bit python is required.
trace.execute(filepath)
# Call a function to set BP on OEP
oep = v_api.getOEP(trace, filepath)
# Set breakpoint at address
bp = vtrace.Breakpoint(oep)
trace.addBreakpoint(bp)
# Print out all the current breakpoints as well as if they are enabled.
for bp in trace.getBreakpoints():
print("%s enabled: %s" % (bp, bp.isEnabled()))
# Start executing the program until you hit a breakpoint or it ends
trace.run()
##############################################################
# At this point you are at OEP of the program
# We know that there is a call 5 instructions in
# There are ways to programmatically find a call
for i in range(5):
trace.stepi()
# Print the value of EIP as a long and as hex
print "\n"
print "EIP: ", trace.getRegister(REG_EIP)
print "HEX EIP: ", hex(trace.getRegister(REG_EIP))
# Once you are in the function you can read the value of ESP
# ESP points to the value of the return address
print "\n"
esp = trace.getRegister(REG_ESP)
retaddr = trace.readMemory(esp, 4)
# Returns the exact memory locations
# Just in the WRONG order
print "RET: ", retaddr.encode('hex')
# This returns the address correctly formatted
print "RET: ", hex(struct.unpack("I",retaddr)[0])
def run(self):
trace = vtrace.getTrace()
trace.execute("c:\\nc.exe -l -p 4040")
trace.setMode("RunForever", True)
notif = libnotify()
trace.registerNotifier(vtrace.NOTIFY_LOAD_LIBRARY, notif)
stalker.addStalkerEntry(trace, 0x00403047)
while trace.isAttached():
trace.run()
hits = stalker.getStalkerHits(trace)
for hit in hits:
print "+ hit: %08x" % hit
data = pickle.dumps(hits)
self.sendResults(data)
def main(argv):
global exepath
if len(argv) != 2:
print "Usage: %s <test files>" % sys.argv[0]
sys.exit(1)
# verify that the path to test files is valid
filepath = sys.argv[1]
if os.path.isdir(filepath) == False:
sys.exit("Invalid Input Directory")
# Get the current vtrace object
trace = vtrace.getTrace()
threads = []
crashes = []
count = 1
print ("[*] Starting fuzz process")
# call load_binary on the filenames stored in the directory
for fname in os.listdir(filepath):
#print fname
cmdline = filepath + "\\" + fname
t = threading.Thread(target = load_binary, args = (trace, cmdline,))
threads.append(t)
t.start()
time.sleep(10)
if trace.isRunning():
trace.sendBreak()
printInfo(trace)
print ("[*] Death to the process %d") % (trace.getPid())
trace.kill()
else:
print ("[*] %s crashed") % (fname)
time.sleep(1)
count += 1
print ("")
print ("[*] Death to all %d of %d processes") % ( (count-len(crashes)), count )
print ("[*] %d files caused crashes") % (len(crashes))
for i in crashes:
print ("\t filename: %s") % (i)
def main():
print '='*80
print "start"
print '='*80
trace=vtrace.getTrace()
print "got trace"
trace.execute("tcb")
print "open"
myNotifier = BreakOnce()
trace.registerNotifier(vtrace.NOTIFY_BREAK, myNotifier)
print "registered notifier"
trace.run()
#trace.run()
#trace.run()
print '='*80
print "end"
print '='*80
def __init__(self, process_monitor, proc_name, ignore_pid=None):
'''
Instantiate a new vtrace instance and register user and access violation
callbacks.
'''
threading.Thread.__init__(self)
self.process_monitor = process_monitor
self.proc_name = proc_name
self.ignore_pid = ignore_pid
self.access_violation = False
self.active = True
self.trace = vtrace.getTrace()
self.pid = None
#print self.trace.ps()
# give this thread a unique name.
self.setName("%d" % time.time())
self.process_monitor.log("debugger thread initialized with UID: %s" % self.getName(), 5)
def stop_target (self):
'''
Kill the current debugger thread and stop the target process by issuing the commands in self.stop_commands.
'''
# give the debugger thread a chance to exit.
time.sleep(1)
self.log("stopping target process")
for command in self.stop_commands:
if command == "TERMINATE_PID":
trace = vtrace.getTrace()
for (pid, name) in trace.ps():
if name.find(self.proc_name.lower()) != -1:
os.system("taskkill /pid %d" % pid)
break
else:
os.system(command)
def stop_target(self):
'''
Kill the current debugger thread and stop the target process by issuing the commands in self.stop_commands.
'''
# give the debugger thread a chance to exit.
time.sleep(1)
self.log("stopping target process")
for command in self.stop_commands:
if command == "TERMINATE_PID":
trace = vtrace.getTrace()
for (pid, name) in trace.ps():
if name.find(self.proc_name.lower()) != -1:
os.system("taskkill /pid %d" % pid)
break
else:
os.system(command)
def executeTrace(self, cmdline, startVA):
import vtrace
import vdb.stalker as stalker
print "[*] executeTrace: %s %s" % (cmdline, startVA)
self.trace = vtrace.getTrace()
self.trace.execute(cmdline)
self.trace.setMode("RunForever", True)
# stalker.addStalkerEntry(self.trace, 0x00403047)
stalker.addStalkerEntry(self.trace, int(startVA, 16))
while self.trace.isAttached():
self.trace.run()
hits = stalker.getStalkerHits(self.trace)
for hit in hits:
print "[*] hit: %08x" % hit
data = pickle.dumps(hits)
self.sendResults(data)
def load_binary(filepath, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
trace.execute(filepath)
######################################################################
# Call a function to set BP on OEP
oep = v_api.getOEP(trace, filepath)
# Set breakpoint at address
bp = vtrace.Breakpoint(oep)
trace.addBreakpoint(bp)
# Print out all the current breakpoints as well as if they are enabled.
for bp in trace.getBreakpoints():
print("%s enabled: %s" % (bp, bp.isEnabled()))
######################################################################
# Start executing the program until you hit a breakpoint or it ends
trace.run()
######################################################################
# print out the value of EIP as a long and as a hex value
print "\n"
print "EIP: ", trace.getRegister(REG_EIP)
print "HEX EIP: ", hex(trace.getRegister(REG_EIP))
# Read the address of EIP
eip = trace.getRegister(REG_EIP)
# Read the memory values pointed to by EIP
s = trace.readMemory(eip, 15)
# Determine the opcode of the memory pointed to by EIP
op1 = trace.makeOpcode(s, 0, eip)
print "OP CODE: ", op1
# print out the value of EAX as a long and as a hex value
print "\n"
print "EAX: ", trace.getRegister(REG_EAX)
print "HEX EAX: ", hex(trace.getRegister(REG_EAX))
# Print out the value of ESP as a long and as a hex value
print "\n"
print "ESP: ", trace.getRegister(REG_ESP)
print "HEX ESP: ", hex(trace.getRegister(REG_ESP))
def load_binary(filepath, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
trace.execute(filepath)
######################################################################
# Call a function to set BP on OEP
oep = v_api.getOEP(trace, filepath)
# Set breakpoint at address
bp = vtrace.Breakpoint(oep)
trace.addBreakpoint(bp)
# Print out all the current breakpoints as well as if they are enabled.
for bp in trace.getBreakpoints():
print("%s enabled: %s" % (bp, bp.isEnabled()))
######################################################################
# Start executing the program until you hit a breakpoint or it ends
trace.run()
######################################################################
# print out the value of EIP as a long and as a hex value
print "\n"
print "EIP: ", trace.getRegister(REG_EIP)
print "HEX EIP: ", hex(trace.getRegister(REG_EIP))
# Read the address of EIP
eip = trace.getRegister(REG_EIP)
# Read the memory values pointed to by EIP
s = trace.readMemory(eip,15)
# Determine the opcode of the memory pointed to by EIP
op1 = trace.makeOpcode(s, 0, eip)
print "OP CODE: ", op1
# print out the value of EAX as a long and as a hex value
print "\n"
print "EAX: ", trace.getRegister(REG_EAX)
print "HEX EAX: ", hex(trace.getRegister(REG_EAX))
# Print out the value of ESP as a long and as a hex value
print "\n"
print "ESP: ", trace.getRegister(REG_ESP)
print "HEX ESP: ", hex(trace.getRegister(REG_ESP))
def __init__(self, trace=None):
v_notif.Notifier.__init__(self)
v_util.TraceManager.__init__(self)
if trace == None:
trace = vtrace.getTrace()
arch = trace.getMeta("Architecture")
self.arch = envi.getArchModule(arch)
self.difftracks = {}
# We hangn on to an opcode renderer instance
self.opcoderend = None
# If a VdbGui instance is present it will set this.
self.gui = None
self.setMode("NonBlocking", True)
self.manageTrace(trace)
self.registerNotifier(vtrace.NOTIFY_ALL, self)
# FIXME if config verbose
#self.registerNotifier(vtrace.NOTIFY_ALL, vtrace.VerboseNotifier())
self.vdbhome = e_config.gethomedir(".vdb")
self.loadConfig()
self.setupSignalLookups()
# Ok... from here down we're handing everybody the crazy
# on-demand-resolved trace object.
trace = vdb.VdbTrace(self)
e_cli.EnviMutableCli.__init__(self, trace, self.config, symobj=trace)
self.prompt = "vdb > "
self.banner = "Welcome To VDB!\n"
self.loadDefaultRenderers(trace)
self.loadExtensions(trace)
def load_binary(filepath, pattern, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
# If attempting to attach to a 64 bit process
# 64 bit python is required.
trace.execute(filepath)
pattern = pattern.lower()
# Get the list of all library names
# Iterate over the list of function names for values that match pattern
libs = trace.getNormalizedLibNames()
libs.sort()
for libname in libs:
for sym in trace.getSymsForFile(libname):
r = repr(sym)
if pattern != None:
if r.lower().find(pattern) == -1:
continue
print("0x%.8x %s" % (sym.value, r))
def load_binary(filepath, pattern, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
# If attempting to attach to a 64 bit process
# 64 bit python is required.
trace.execute(filepath)
pattern = pattern.lower()
# Get the list of all library names
# Iterate over the list of function names for values that match pattern
libs = trace.getNormalizedLibNames()
libs.sort()
for libname in libs:
for sym in trace.getSymsForFile(libname):
r = repr(sym)
if pattern != None:
if r.lower().find(pattern) == -1:
continue
print("0x%.8x %s" % (sym.value, r))
def main(self):
timeout = 5
self.command = ''
for i in range(1, len(sys.argv)):
self.command += "%s " % sys.argv[i]
print self.command
self.vtracer = vtrace.getTrace()
self.vtracer.setMode("NonBlocking", True)
self.vtracer.execute(self.command)
self.log("Executed\n")
if self.vtracer.isAttached():
self.vtracer.registerNotifier(vtrace.NOTIFY_SIGNAL, self)
self.log("Running\n")
self.vtracer.run()
time.sleep(timeout)
if self.vtracer.isAttached() and self.vtracer.isRunning():
self.log("Killing\n")
self.vtracer.kill()
self.vtracer.detach()
def load_binary(filepath, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
# If attempting to attach to a 64 bit process
# 64 bit python is required.
trace.execute(filepath)
oep = v_api.getOEP(trace, filepath)
# Set breakpoint at address
bp = vtrace.Breakpoint(oep)
trace.addBreakpoint(bp)
# Print out all the current breakpoints as well as if they are enabled.
for bp in trace.getBreakpoints():
print("%s enabled: %s" % (bp, bp.isEnabled()))
# Start executing the program until you hit a breakpoint or it ends
trace.run()
print "Holy BreakPoint Batman!"
def get_state(program, breakpoint, x86_64=False):
s = None
trace = vtrace.getTrace()
print '[*] starting process'
trace.execute(program)
class Tracepoint(vtrace.Breakpoint):
def __init__(self):
vtrace.Breakpoint.__init__(self, breakpoint)
def notify(self, event, trace):
if x86_64:
p = VdbX86_64Process(trace)
else:
p = VdbX86Process(trace)
print '[*] reached breakpoint, dumping state'
s = p.state()
while True:
pass
# yay exceptions for control flow
raise ValueError()
trace.addBreakpoint(Tracepoint())
print '[*] debugger attached'
try:
trace.run()
except ValueError:
trace.kill()
return s
def load_binary(filepath, base=None):
# Get the current trace object from vtrace
trace = vtrace.getTrace()
trace.setMode("FastBreak", True)
# If attempting to attach to a 64 bit process
# 64 bit python is required.
trace.execute(filepath)
# Call a function to set BP on OEP
oep = v_api.getOEP(trace, filepath)
print "OEP: %x" % oep
##########################################################
# Stalker
#addr is here since child process doens't start at oep
addr = oep
try:
v_stalker.addStalkerEntry(trace, addr)
except:
pass
print('Added 0x%.8x to Stalker list' % addr)
######################################################################
## Beyond this point the debugger is attached to the child process
##
trace.setMode("FastBreak", True)
while trace.isAttached():
trace.run()
f = file("zTest.stalk", "wb")
# Prints out the current stalker hits
# Not currently working....
#print('Current Stalker Hits:')
for hitva in v_stalker.getStalkerHits(trace):
print('\t 0x%.8x' % hitva)
f.write('\t 0x%.8x\n' % hitva)
f.close()
def load_binary(filepath, base=None):
trace = vtrace.getTrace()
trace.execute(filepath)
#######################################################################
# Call a function to set BP on OEP
oep = v_api.getOEP(trace, filepath)
# Set breakpoint at address
bp = vtrace.Breakpoint(oep)
trace.addBreakpoint(bp)
######################################################################
# Start executing the program until you hit a breakpoint or it ends
trace.run()
#######################################################################
# function takes in just filename not the full path to filename.exe
exeName = filepath.split(".exe")[0]
fileName = exeName.split("\\")[len(exeName.split("\\"))-1]
# Get the list of imported functions to compare against
base, importTable = v_api.printIAT(trace, fileName, debug)
