def print_thread_disassembly( tid ):
# Request debug privileges.
System.request_debug_privileges()
# Instance a Thread object.
thread = Thread( tid )
# Suspend the thread execution.
thread.suspend()
# Get the thread's currently running code.
try:
eip = thread.get_pc()
code = thread.disassemble_around( eip )
# You can also do this:
# code = thread.disassemble_around_pc()
# Or even this:
# process = thread.get_process()
# code = process.disassemble_around( eip )
# Resume the thread execution.
finally:
thread.resume()
# Display the disassembled code.
print
print CrashDump.dump_code( code, eip ),
def print_state( process_name ):
# Request debug privileges.
System.request_debug_privileges()
# Find the first process that matches the requested name.
system = System()
process, filename = system.find_processes_by_filename( process_name )[ 0 ]
# Suspend the process execution.
process.suspend()
try:
# For each thread in the process...
for thread in process.iter_threads():
# Get the thread state.
tid = thread.get_tid()
eip = thread.get_pc()
code = thread.disassemble_around( eip )
context = thread.get_context()
# Display the thread state.
print
print "-" * 79
print "Thread: %s" % HexDump.integer( tid )
print
print CrashDump.dump_registers( context )
print CrashDump.dump_code( code, eip ),
print "-" * 79
# Resume the process execution.
finally:
process.resume()
def print_thread_disassembly(tid):
# Request debug privileges.
System.request_debug_privileges()
# Instance a Thread object.
thread = Thread(tid)
# Suspend the thread execution.
thread.suspend()
# Get the thread's currently running code.
try:
eip = thread.get_pc()
code = thread.disassemble_around(eip)
# You can also do this:
# code = thread.disassemble_around_pc()
# Or even this:
# process = thread.get_process()
# code = process.disassemble_around( eip )
# Resume the thread execution.
finally:
thread.resume()
# Display the disassembled code.
print
print CrashDump.dump_code(code, eip),
def __dump(self, event, label = None):
thread = event.get_thread()
trace = thread.get_stack_trace_with_labels()
ctx = thread.get_context(win32.CONTEXT_FULL)
if not label:
label = thread.get_label_at_pc()
print label
print CrashDump.dump_registers(ctx)
print CrashDump.dump_stack_trace_with_labels(trace),
print "-" * 79
def __dump(self, event, label=None):
thread = event.get_thread()
trace = thread.get_stack_trace_with_labels()
ctx = thread.get_context(win32.CONTEXT_FULL)
if not label:
label = thread.get_label_at_pc()
print(label)
print(CrashDump.dump_registers(ctx))
print(CrashDump.dump_stack_trace_with_labels(trace), )
print("-" * 79)
def print_thread(title, thread):
tid = thread.get_tid()
eip = thread.get_pc()
context = thread.get_context()
handle = thread.get_handle()
code = thread.disassemble_around(eip)
print("%s %s - %s " % (title, HexDump.integer(tid), handle))
print CrashDump.dump_registers(context)
print CrashDump.dump_code(code, eip),
def access_violation(self, evt):
thread = evt.get_thread()
tid = thread.get_tid()
code = thread.disassemble_around_pc()
context = thread.get_context()
print
print "-" * 79
print "Thread: %s" % HexDump.integer(tid)
print
print CrashDump.dump_registers(context)
print CrashDump.dump_code(code)
print "-" * 79
def print_thread_context(tid):
System.request_debug_privileges()
thread = Thread(tid)
thread.suspend()
try:
context = thread.get_context()
finally:
thread.resume()
print
print CrashDump.dump_registers(context)
def single_step(self, evt):
if not self.crash_encountered:
return
print "single step"
proc = evt.get_process()
if self.instruction_count == MAX_INSTRUCTIONS:
evt.debug.stop_tracing_process(proc.get_pid())
else:
thread = evt.get_thread()
pc = thread.get_pc()
code = proc.disassemble(pc, 0x10)
print CrashDump.dump_code(code, pc)
self.instruction_count += 1
def print_thread_disassembly(tid):
System.request_debug_privileges()
thread = Thread(tid)
thread.suspend()
try:
eip = thread.get_pc()
code = thread.disassemble_around(eip)
#or code = thread.disassemble_around_pc()
#or process = thread.get_process()
# code = process.disassemble_around(eip)
finally:
thread.resume()
print
print CrashDump.dump_code(code, eip)
def danger_handler(self, evt):
thread = evt.get_thread()
proc = evt.get_process()
pc = thread.get_pc()
registers = thread.get_context()
if pc in self.resolved_funcs:
print "[*] hit %s" % self.resolved_funcs[pc]
CrashDump.dump_registers(registers)
# record process memory
try:
proc.suspend()
self.snapshot = proc.take_memory_snapshot()
finally:
proc.resume()
def pre_Sleep(event):
thread = event.get_thread()
process = event.get_process()
print "Intercepted Sleep call of %d milliseconds"
print_module_load(event)
code, eip = dump_thread_range(thread)
print CrashDump.dump_code(code, eip)
n = 10000
#kernel32!start+0xd52c6
# Access first parameter on the stack: EBP + 4
stack_offset = thread.get_sp() + 4
# Write the new value at that address (e.g. 0 milliseconds)
process.write_dword(stack_offset, n)
def __disasm(self, event):
thread = event.get_thread()
tid = thread.get_tid()
try:
pc = event.get_exception_address()
except Exception:
pc = thread.get_pc()
code = thread.disassemble( pc, 0x10 ) [0]
line = CrashDump.dump_code_line(code, dwDumpWidth=8*2)
print "~%d %s" % ( tid, line )
def __disasm(self, event):
thread = event.get_thread()
tid = thread.get_tid()
try:
pc = event.get_exception_address()
except Exception:
pc = thread.get_pc()
code = thread.disassemble(pc, 0x10)[0]
line = CrashDump.dump_code_line(code, dwDumpWidth=8 * 2)
print("~%d %s" % (tid, line))
def print_thread_context( tid ):
# Request debug privileges.
System.request_debug_privileges()
# Instance a Thread object.
thread = Thread( tid )
# Suspend the thread execution.
thread.suspend()
# Get the thread context.
try:
context = thread.get_context()
# Resume the thread execution.
finally:
thread.resume()
# Display the thread context.
print
print CrashDump.dump_registers( context ),
def create_thread(self, event):
process = event.get_process()
thread = event.get_thread()
context = thread.get_context()
eip = thread.get_pc()
tid = event.get_tid()
filename = process.get_filename()
print "process:%s" % filename
# pid = event.get_pid()
start = event.get_start_address()
if start:
with warnings.catch_warnings():
warnings.simplefilter("ignore")
start = event.get_process().get_label_at_address(start)
print "Started thread %d at %s" % (tid, start)
else:
print "Attached to thread %d" % tid
print CrashDump.dump_registers(context)
#print_thread('asm', thread)
"""
def main():
print "Process memory map"
print "by Mario Vilas (mvilas at gmail.com)"
print
if len(sys.argv) < 2 or '-h' in sys.argv or '--help' in sys.argv:
script = os.path.basename(sys.argv[0])
print "Usage:"
print " %s <pid>..." % script
print " %s <process.exe>..." % script
return
s = System()
s.request_debug_privileges()
s.scan_processes()
targets = set()
for token in sys.argv[1:]:
try:
pid = HexInput.integer(token)
if not s.has_process(pid):
print "Process not found: %s" % token
return
targets.add(pid)
except ValueError:
pl = s.find_processes_by_filename(token)
if not pl:
print "Process not found: %s" % token
return
for p, n in pl:
pid = p.get_pid()
targets.add(pid)
targets = list(targets)
targets.sort()
for pid in targets:
process = Process(pid)
fileName = process.get_filename()
memoryMap = process.get_memory_map()
mappedFilenames = process.get_mapped_filenames()
if fileName:
print "Memory map for %d (%s):" % (pid, fileName)
else:
print "Memory map for %d:" % pid
print
## print CrashDump.dump_memory_map(memoryMap),
print CrashDump.dump_memory_map(memoryMap, mappedFilenames)
readable = 0
writeable = 0
executable = 0
private = 0
mapped = 0
image = 0
total = 0
for mbi in memoryMap:
size = mbi.RegionSize
if not mbi.is_free():
total += size
if mbi.is_readable():
readable += size
if mbi.is_writeable():
writeable += size
if mbi.is_executable():
executable += size
if mbi.is_private():
private += size
if mbi.is_mapped():
mapped += size
if mbi.is_image():
image += size
width = len(number(total))
print(" %%%ds bytes of readable memory" % width) % number(readable)
print(" %%%ds bytes of writeable memory" % width) % number(writeable)
print(" %%%ds bytes of executable memory" %
width) % number(executable)
print(" %%%ds bytes of private memory" % width) % number(private)
print(" %%%ds bytes of mapped memory" % width) % number(mapped)
print(" %%%ds bytes of image memory" % width) % number(image)
print(" %%%ds bytes of total memory" % width) % number(total)
print
offset = 0
try:
size = HexInput.integer( argv[3] )
except IndexError:
size = 0
try:
arch = argv[4]
except IndexError:
arch = None
try:
engine = argv[5]
except IndexError:
engine = None
# Load the requested disassembler engine.
disasm = Disassembler( arch, engine )
# Load the binary code.
with open( filename, 'rb' ) as fd:
fd.seek( offset )
if size:
code = fd.read( size )
else:
code = fd.read()
# Disassemble the code.
disassembly = disasm.decode( offset, code )
# Show the disassembly.
print CrashDump.dump_code( disassembly, offset )
def main():
print "Process memory map"
print "by Mario Vilas (mvilas at gmail.com)"
print
if len(sys.argv) < 2 or "-h" in sys.argv or "--help" in sys.argv:
script = os.path.basename(sys.argv[0])
print "Usage:"
print " %s <pid>..." % script
print " %s <process.exe>..." % script
return
s = System()
s.request_debug_privileges()
s.scan_processes()
targets = set()
for token in sys.argv[1:]:
try:
pid = HexInput.integer(token)
if not s.has_process(pid):
print "Process not found: %s" % token
return
targets.add(pid)
except ValueError:
pl = s.find_processes_by_filename(token)
if not pl:
print "Process not found: %s" % token
return
for p, n in pl:
pid = p.get_pid()
targets.add(pid)
targets = list(targets)
targets.sort()
for pid in targets:
process = Process(pid)
fileName = process.get_filename()
memoryMap = process.get_memory_map()
mappedFilenames = process.get_mapped_filenames()
if fileName:
print "Memory map for %d (%s):" % (pid, fileName)
else:
print "Memory map for %d:" % pid
print
## print CrashDump.dump_memory_map(memoryMap),
print CrashDump.dump_memory_map(memoryMap, mappedFilenames)
readable = 0
writeable = 0
executable = 0
private = 0
mapped = 0
image = 0
total = 0
for mbi in memoryMap:
size = mbi.RegionSize
if not mbi.is_free():
total += size
if mbi.is_readable():
readable += size
if mbi.is_writeable():
writeable += size
if mbi.is_executable():
executable += size
if mbi.is_private():
private += size
if mbi.is_mapped():
mapped += size
if mbi.is_image():
image += size
width = len(number(total))
print (" %%%ds bytes of readable memory" % width) % number(readable)
print (" %%%ds bytes of writeable memory" % width) % number(writeable)
print (" %%%ds bytes of executable memory" % width) % number(executable)
print (" %%%ds bytes of private memory" % width) % number(private)
print (" %%%ds bytes of mapped memory" % width) % number(mapped)
print (" %%%ds bytes of image memory" % width) % number(image)
print (" %%%ds bytes of total memory" % width) % number(total)
print
offset = 0
try:
size = HexInput.integer(argv[3])
except IndexError:
size = 0
try:
arch = argv[4]
except IndexError:
arch = None
try:
engine = argv[5]
except IndexError:
engine = None
# Load the requested disassembler engine.
disasm = Disassembler(arch, engine)
# Load the binary code.
with open(filename, 'rb') as fd:
fd.seek(offset)
if size:
code = fd.read(size)
else:
code = fd.read()
# Disassemble the code.
disassembly = disasm.decode(offset, code)
# Show the disassembly.
print CrashDump.dump_code(disassembly, offset)
