class WinAppDbgTarget(ServerTarget):
def __init__(self,
name,
process_path,
process_args=[],
sql_crash_db='sqlite:///crashes.sqlite',
logger=None):
'''
:param name: name of the object
:param process_path: path to the target executable
:param process_args: arguments to pass to the process
:param attach: try to attach if process path
:param sql_crash_db: sql alchemy connection string to crash db (default:sqlite:///crashes.sqlite)
:param logger: logger for this object (default: None)
'''
super(WinAppDbgTarget, self).__init__(name, logger)
assert (process_path)
assert (os.path.exists(process_path))
self._process_path = process_path
self._process_name = os.path.basename(process_path)
self._process_args = process_args
self._process = None
self._sql_crash_db = sql_crash_db
self._crash_event_complete = threading.Event()
self._server_is_up = threading.Event()
self._crash_event_complete.set()
self._debug = Debug(lambda x: _my_event_handler(self, x),
bKillOnExit=True)
def _debug_server(self):
'''
debugger thread
'''
try:
self._process = None
# Start a new process for debugging.
argv = [self._process_path] + self._process_args
self.logger.debug('debugger starting server: %s' % argv)
try:
self._process = self._debug.execv(argv, bFollow=True)
except WindowsError:
self.logger.error('debug_server received exception',
traceback.fmt_exc())
self._pid = self._process.get_pid()
self.logger.info('process started. pid=%d' % self._pid)
# Wait for the debugee to finish.
self._server_is_up.set()
self._debug.loop()
except:
self.logger.error('Got an exception in _debug_server')
self.logger.error(traceback.format_exc())
# Stop the debugger.
finally:
self._debug.stop()
self._process = None
self._pid = -1
self._crash_event_complete.set()
def _start_server_thread(self):
'''
start the server thread
'''
self._server_is_up.clear()
self.server_thread = FuncThread(self._debug_server)
self.server_thread.start()
self.logger.info('waiting for server to be up')
self._server_is_up.wait()
self.logger.info('server should be up')
def _kill_all_processes(self):
'''
kill all processes with the same name
:return: True if all matching processes were killed properly, False otherwise
'''
res = True
# Lookup the currently running processes.
self._debug.system.scan_processes()
# For all processes that match the requested filename...
for (process, name) in self._debug.system.find_processes_by_filename(
self._process_name):
process_pid = process.get_pid()
self.logger.info('found process %s (%d) - trying to kill it' %
(name, process_pid))
try:
process.kill()
self.logger.info('successfully killed %s (%d)' %
(name, process_pid))
except:
self.logger.error('failed to kill %s (%d) [%s]' %
(name, process_pid, traceback.format_exc()))
res = False
return res
def teardown(self):
self._stop_process()
self._process = None
super(WinAppDbgTarget, self).teardown()
def pre_test(self, test_number):
# we need kill all process before fuzzing
super(WinAppDbgTarget, self).pre_test(test_number)
self._stop_process()
def post_test(self, test_num):
self.logger.debug('in')
time.sleep(1)
self.logger.debug('after sleep')
res = self._crash_event_complete.wait()
self.logger.debug('after wait')
if not res:
self.report.failed('incomplete crash detected')
super(WinAppDbgTarget, self).post_test(test_num)
self.logger.debug('out')
def _send_to_target(self, data):
'''
this is the key off windbgtarget
:param data: data is the file path
'''
self.logger.info('send called')
'''
starting
'''
self._process_args = [data] # this may need implement
self._start_server_thread()
def _stop_process(self):
'''
Stop the process (if running)
'''
return self._kill_all_processes()
def _stop_process_old(self):
'''
:return: True if process was killed, False otherwise
'''
if self._is_victim_alive():
self._process.kill()
time.sleep(0.5)
if self._is_victim_alive():
self._process.kill()
time.sleep(0.5)
if self._is_victim_alive():
raise Exception('Failed to kill client process')
self._debug.stop()
return True
else:
self._debug.stop()
return False
def _restart(self):
'''
restart the process
'''
self._stop_process()
self.server_thread.join(1)
time.sleep(3)
self._server_is_up.clear()
self._start_server_thread()
def _is_victim_alive(self):
'''
check if process running
'''
if self._process:
self.logger.debug('process pid: %d' % self._pid)
is_alive = self._process.is_alive()
is_debugee_started = self._debug.is_debugee_started(self._pid)
self.logger.debug('is_alive = %s' % is_alive)
self.logger.debug('is_debugee_started = %s' % is_debugee_started)
return (is_alive and is_debugee_started)
else:
self.logger.debug('_process is None')
return False
class WinAppDbgTarget(ServerTarget):
def __init__(self,
name,
process_path,
process_args=[],
sql_crash_db="sqlite:///crashes.sqlite",
logger=None):
"""
:param name: name of the object
:param process_path: path to the target executable
:param process_args: arguments to pass to the process
:param sql_crash_db: sql alchemy connection string to crash db (default:sqlite:///crashes.sqlite)
:param logger: logger for this object (default: None)
"""
super(WinAppDbgTarget, self).__init__(name, logger)
assert process_path
assert (os.path.exists(process_path))
self._process_path = process_path
self._process_name = os.path.basename(process_path)
self._process_args = process_args
self._process = None
self._sql_crash_db = sql_crash_db
self._crash_event_complete = threading.Event()
self._server_is_up = threading.Event()
self._crash_event_complete.set()
self._debug = Debug(lambda x: _my_event_handler(self, x),
bKillOnExit=True)
def _debug_server(self):
"""
debugger thread
"""
try:
self._process = None
# Start a new process for debugging.
argv = [self._process_path] + self._process_args
self.logger.debug("debugger starting server: %s" % argv)
try:
self._process = self._debug.execv(argv, bFollow=True)
except WindowsError:
self.logger.error("debug_server received exception",
traceback.fmt_exc())
self._pid = self._process.get_pid()
self.logger.info("process started. pid=%d" % self._pid)
# Wait for the debugee to finish.
self._server_is_up.set()
self._debug.loop()
except:
self.logger.error("Got an exception in _debug_server")
self.logger.error(traceback.format_exc())
# Stop the debugger.
finally:
self._debug.stop()
self._process = None
self._pid = -1
self._crash_event_complete.set()
def _start_server_thread(self):
"""
start the server thread
"""
self._server_is_up.clear()
self.server_thread = FuncThread(self._debug_server)
self.server_thread.start()
self.logger.info("waiting for server to be up")
self._server_is_up.wait()
self.logger.info("server should be up")
def _kill_all_processes(self):
"""
kill all processes with the same name
:return: True if all matching processes were killed properly, False otherwise
"""
res = True
# Lookup the currently running processes.
self._debug.system.scan_processes()
# For all processes that match the requested filename...
for (process, name) in self._debug.system.find_processes_by_filename(
self._process_name):
process_pid = process.get_pid()
self.logger.info("found process %s (%d) - trying to kill it" %
(name, process_pid))
try:
process.kill()
self.logger.info("successfully killed %s (%d)" %
(name, process_pid))
except:
self.logger.error("failed to kill %s (%d) [%s]" %
(name, process_pid, traceback.format_exc()))
res = False
return res
def teardown(self):
self._stop_process()
self._process = None
super(WinAppDbgTarget, self).teardown()
def pre_test(self, test_number):
super(WinAppDbgTarget, self).pre_test(test_number)
if not self._is_victim_alive():
self.logger.error("victim is dead, restarting...")
# self.report.failed("server is down during pre_test - failure it probably from previous test (%d)" % (test_number-1))
self._restart()
self._crash_event_complete.set()
else:
self.logger.debug("victim is alive (pid=%d)" % self._pid)
def post_test(self, test_num):
self.logger.debug("in")
time.sleep(1)
self.logger.debug("after sleep")
res = self._crash_event_complete.wait()
self.logger.debug("after wait")
if not res:
self.report.failed("incomplete crash detected")
super(WinAppDbgTarget, self).post_test(test_num)
self.logger.debug("out")
def _send_to_target(self, data):
"""
this is the key off windbgtarget
:param data: data is the file path
"""
self.logger.info("send called")
"""
starting
"""
self._process_args = [] # this may need implement
self._start_server_thread()
def _stop_process(self):
"""
Stop the process (if running)
"""
return self._kill_all_processes()
def _stop_process_old(self):
"""
:return: True if process was killed, False otherwise
"""
if self._is_victim_alive():
self._process.kill()
time.sleep(0.5)
if self._is_victim_alive():
self._process.kill()
time.sleep(0.5)
if self._is_victim_alive():
raise Exception("Failed to kill client process")
self._debug.stop()
return True
else:
self._debug.stop()
return False
def _restart(self):
"""
restart the process
"""
self._stop_process()
# self.server_thread.join(1)
time.sleep(3)
self._server_is_up.clear()
self._start_server_thread()
def _is_victim_alive(self):
"""
check if process running
"""
if self._process:
self.logger.debug("process pid: %d" % self._pid)
is_alive = self._process.is_alive()
is_debugee_started = self._debug.is_debugee_started(self._pid)
self.logger.debug("is_alive = %s" % is_alive)
self.logger.debug("is_debugee_started = %s" % is_debugee_started)
return is_alive and is_debugee_started
else:
self.logger.debug("_process is None")
return False
class WinAppDbgController(BaseController):
'''
WinAppDbgController controls a server process
by starting it on setup making sure it stays up.
It uses winappdbg to attach to the target processes.
'''
def __init__(self, name, process_path, process_args=[], sql_crash_db='sqlite:///crashes.sqlite', logger=None):
'''
:param name: name of the object
:param process_path: path to the target executable
:param process_args: arguments to pass to the process
:param attach: try to attach if process path
:param sql_crash_db: sql alchemy connection string to crash db (default:sqlite:///crashes.sqlite)
:param logger: logger for this object (default: None)
'''
super(WinAppDbgController, self).__init__(name, logger)
assert(process_path)
assert(os.path.exists(process_path))
self._process_path = process_path
self._process_name = os.path.basename(process_path)
self._process_args = process_args
self._process = None
self._sql_crash_db = sql_crash_db
self._crash_event_complete = threading.Event()
self._server_is_up = threading.Event()
self._crash_event_complete.set()
self._debug = Debug(lambda x: _my_event_handler(self, x), bKillOnExit=True)
def _debug_server(self):
'''
debugger thread
'''
try:
self._process = None
# Start a new process for debugging.
argv = [self._process_path] + self._process_args
self.logger.debug('debugger starting server: %s' % argv)
try:
self._process = self._debug.execv(argv, bFollow=True)
except WindowsError:
self.logger.error('debug_server received exception', traceback.fmt_exc())
self._pid = self._process.get_pid()
self.logger.info('process started. pid=%d' % self._pid)
# Wait for the debugee to finish.
self._server_is_up.set()
self._debug.loop()
except:
self.logger.error('Got an exception in _debug_server')
self.logger.error(traceback.format_exc())
# Stop the debugger.
finally:
self._debug.stop()
self._process = None
self._pid = -1
self._crash_event_complete.set()
def _start_server_thread(self):
'''
start the server thread
'''
self._server_is_up.clear()
self.server_thread = FuncThread(self._debug_server)
self.server_thread.start()
self.logger.info('waiting for server to be up')
self._server_is_up.wait()
self.logger.info('server should be up')
def _kill_all_processes(self):
'''
kill all processes with the same name
:return: True if all matching processes were killed properly, False otherwise
'''
res = True
# Lookup the currently running processes.
self._debug.system.scan_processes()
# For all processes that match the requested filename...
for (process, name) in self._debug.system.find_processes_by_filename(self._process_name):
process_pid = process.get_pid()
self.logger.info('found process %s (%d) - trying to kill it' % (name, process_pid))
try:
process.kill()
self.logger.info('successfully killed %s (%d)' % (name, process_pid))
except:
self.logger.error('failed to kill %s (%d) [%s]' % (name, process_pid, traceback.format_exc()))
res = False
return res
def setup(self):
'''
Called at the beginning of a fuzzing session.
Will start the server up.
'''
self._stop_process()
self._start_server_thread()
def teardown(self):
self._stop_process()
self._process = None
super(WinAppDbgController, self).teardown()
def pre_test(self, test_number):
super(WinAppDbgController, self).pre_test(test_number)
if not self._is_victim_alive():
self.logger.error('victim is dead, restarting...')
# self.report.failed('server is down during pre_test - failure it probably from previous test (%d)' % (test_number-1))
self._restart()
self._crash_event_complete.set()
else:
self.logger.debug('victim is alive (pid=%d)' % self._pid)
def post_test(self):
self.logger.debug('in')
time.sleep(1)
self.logger.debug('after sleep')
res = self._crash_event_complete.wait()
self.logger.debug('after wait')
if not res:
self.report.failed('incomplete crash detected')
super(WinAppDbgController, self).post_test()
self.logger.debug('out')
def _stop_process(self):
'''
Stop the process (if running)
'''
return self._kill_all_processes()
def _stop_process_old(self):
'''
:return: True if process was killed, False otherwise
'''
if self._is_victim_alive():
self._process.kill()
time.sleep(0.5)
if self._is_victim_alive():
self._process.kill()
time.sleep(0.5)
if self._is_victim_alive():
raise Exception('Failed to kill client process')
self._debug.stop()
return True
else:
self._debug.stop()
return False
def _restart(self):
'''
restart the process
'''
self._stop_process()
self.server_thread.join(1)
time.sleep(3)
self._server_is_up.clear()
self._start_server_thread()
def _is_victim_alive(self):
'''
check if process running
'''
if self._process:
self.logger.debug('process pid: %d' % self._pid)
is_alive = self._process.is_alive()
is_debugee_started = self._debug.is_debugee_started(self._pid)
self.logger.debug('is_alive = %s' % is_alive)
self.logger.debug('is_debugee_started = %s' % is_debugee_started)
return (is_alive and is_debugee_started)
else:
self.logger.debug('_process is None')
return False
