def show_window(window):
    """Print a summary of *window*: handle, caption, class, style flags and screen geometry.

    One ``Label: value`` line is printed per field, in a fixed order.
    """
    def emit(label, value):
        print("%s: %s" % (label, value))

    # Screen-space rectangle; size is derived from the corner coordinates.
    rect = window.get_screen_rect()
    left, top, right, bottom = rect.left, rect.top, rect.right, rect.bottom
    emit("Handle", HexDump.integer(window.get_handle()))
    emit("Caption", window.text)
    emit("Class", window.classname)
    emit("Style", HexDump.integer(window.style))
    emit("ExStyle", HexDump.integer(window.exstyle))
    emit("Position", "(%i, %i) - (%i, %i)" % (left, top, right, bottom))
    emit("Size", "(%i, %i)" % (right - left, bottom - top))
def show_window(window):
    """Print handle, caption, class, style flags and screen geometry of *window*, one field per line."""
    rect = window.get_screen_rect()
    # Corner coordinates and the width/height derived from them.
    corners = (rect.left, rect.top, rect.right, rect.bottom)
    extent = (rect.right - rect.left, rect.bottom - rect.top)
    print("Handle: %s" % HexDump.integer(window.get_handle()))
    print("Caption: %s" % window.text)
    print("Class: %s" % window.classname)
    print("Style: %s" % HexDump.integer(window.style))
    print("ExStyle: %s" % HexDump.integer(window.exstyle))
    print("Position: (%i, %i) - (%i, %i)" % corners)
    print("Size: (%i, %i)" % extent)
def print_state(process_name):
    """Suspend the first process whose image name matches *process_name* and dump each thread's state.

    For every thread the thread id, registers and the code around the program counter
    are printed. The process is resumed in a ``finally`` block, so it is not left
    suspended if dumping fails.
    """
    # Debug privileges are needed before another process can be opened and suspended.
    System.request_debug_privileges()
    # Only the first match is used; IndexError is raised when no process matches.
    target, _filename = System().find_processes_by_filename(process_name)[0]
    target.suspend()
    try:
        for th in target.iter_threads():
            thread_id = th.get_tid()
            pc = th.get_pc()
            snippet = th.disassemble_around(pc)
            regs = th.get_context()
            print("")
            print("-" * 79)
            print("Thread: %s" % HexDump.integer(thread_id))
            print("")
            print(CrashDump.dump_registers(regs))
            # Trailing comma (Python 2 print statement): no newline after the code dump.
            print CrashDump.dump_code(snippet, pc),
            print("-" * 79)
    finally:
        target.resume()
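def main():
    """Command-line entry point: read a block of memory from a process and hex-dump or save it.

    Usage: ``<pid|process.exe> <address> <size> [binary output file]``. The target may be
    given by PID or by image filename; address and size accept whatever ``HexInput.integer``
    parses. Without an output file the data is hex-dumped to stdout.
    """
    print("Process memory reader")
    print("by Mario Vilas (mvilas at gmail.com)")
    # A bare `print` is a no-op expression in Python 3; print() emits the intended blank line.
    print()

    if len(sys.argv) not in (4, 5):
        script = os.path.basename(sys.argv[0])
        print(" %s <pid> <address> <size> [binary output file]" % script)
        print(" %s <process.exe> <address> <size> [binary output file]" % script)
        return

    # Debug privileges are required to open arbitrary processes for reading.
    System.request_debug_privileges()

    # First argument: a numeric PID, otherwise an image filename to look up.
    try:
        pid = HexInput.integer(sys.argv[1])
    except Exception:  # narrowed from a bare except, which also swallowed KeyboardInterrupt
        s = System()
        s.scan_processes()
        pl = s.find_processes_by_filename(sys.argv[1])
        if not pl:
            print("Process not found: %s" % sys.argv[1])
            return
        if len(pl) > 1:
            print("Multiple processes found for %s" % sys.argv[1])
            # pl holds (process, filename) pairs (pl[0][0].get_pid() below relies on this),
            # so the PID must be taken from the process object, not formatted from the object.
            for p, n in pl:
                print("\t%s: %s" % (HexDump.integer(p.get_pid()), n))
            return
        pid = pl[0][0].get_pid()

    try:
        address = HexInput.integer(sys.argv[2])
    except Exception:
        print("Invalid value for address: %s" % sys.argv[2])
        return
    try:
        size = HexInput.integer(sys.argv[3])
    except Exception:
        print("Invalid value for size: %s" % sys.argv[3])
        return

    p = Process(pid)
    data = p.read(address, size)
    # alternative left by the author: data = p.peek(address, size)
    print("Read %d bytes from PID %d" % (len(data), pid))

    if len(sys.argv) == 5:
        filename = sys.argv[4]
        # Close the output file deterministically instead of relying on garbage collection.
        with open(filename, 'wb') as f:
            f.write(data)
        print("Written %d bytes to %s" % (len(data), filename))
    else:
        # 16 bytes per row when pointers are DWORD-sized, otherwise 8.
        if win32.sizeof(win32.LPVOID) == win32.sizeof(win32.DWORD):
            width = 16
        else:
            width = 8
        print()
        print(HexDump.hexblock(data, address, width=width))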
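def main():
    """Command-line entry point: read a block of memory from a process and hex-dump or save it.

    Usage: ``<pid|process.exe> <address> <size> [binary output file]``. The target may be
    given by PID or by image filename; address and size accept whatever ``HexInput.integer``
    parses. Without an output file the data is hex-dumped to stdout.
    """
    print("Process memory reader")
    print("by Mario Vilas (mvilas at gmail.com)")
    print("")

    if len(sys.argv) not in (4, 5):
        script = os.path.basename(sys.argv[0])
        print(" %s <pid> <address> <size> [binary output file]" % script)
        print(" %s <process.exe> <address> <size> [binary output file]" % script)
        return

    # Debug privileges are required to open arbitrary processes for reading.
    System.request_debug_privileges()

    # First argument: a numeric PID, otherwise an image filename to look up.
    try:
        pid = HexInput.integer(sys.argv[1])
    except Exception:  # narrowed from a bare except, which also swallowed KeyboardInterrupt
        s = System()
        s.scan_processes()
        pl = s.find_processes_by_filename(sys.argv[1])
        if not pl:
            print("Process not found: %s" % sys.argv[1])
            return
        if len(pl) > 1:
            print("Multiple processes found for %s" % sys.argv[1])
            # pl holds (process, filename) pairs (pl[0][0].get_pid() below relies on this),
            # so the PID must be taken from the process object, not formatted from the object.
            for p, n in pl:
                print("\t%s: %s" % (HexDump.integer(p.get_pid()), n))
            return
        pid = pl[0][0].get_pid()

    try:
        address = HexInput.integer(sys.argv[2])
    except Exception:
        print("Invalid value for address: %s" % sys.argv[2])
        return
    try:
        size = HexInput.integer(sys.argv[3])
    except Exception:
        print("Invalid value for size: %s" % sys.argv[3])
        return

    p = Process(pid)
    data = p.read(address, size)
    # alternative left by the author: data = p.peek(address, size)
    print("Read %d bytes from PID %d" % (len(data), pid))

    if len(sys.argv) == 5:
        filename = sys.argv[4]
        # Close the output file deterministically instead of relying on garbage collection.
        with open(filename, 'wb') as f:
            f.write(data)
        print("Written %d bytes to %s" % (len(data), filename))
    else:
        # 16 bytes per row when pointers are DWORD-sized, otherwise 8.
        if win32.sizeof(win32.LPVOID) == win32.sizeof(win32.DWORD):
            width = 16
        else:
            width = 8
        print("")
        print(HexDump.hexblock(data, address, width=width))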
def my_event_handler(event):
    """Debug event callback: log every event; on a last-chance exception store a crash dump and kill the process."""
    process = event.get_process()
    bits = process.get_bits()
    code = event.get_event_code()
    # One line per event: name, code, program counter, pid and tid.
    print("%s (%s) at address %s, process %d, thread %d" % (
        event.get_event_name(),
        HexDump.integer(code, bits),
        HexDump.address(event.get_thread().get_pc(), bits),
        event.get_pid(),
        event.get_tid(),
    ))

    # Only exceptions the debuggee did not handle (last chance) count as crashes.
    is_crash = code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance()
    if not is_crash:
        return

    print("Crash detected, storing crash dump in database...")
    crash = Crash(event)
    # takeMemorySnapshot: 0 = no memory dump, 1 = small memory dump, 2 = full memory dump.
    crash.fetch_extra_data(event, takeMemorySnapshot=2)
    # Any URL supported by SQLAlchemy works here. For a networked database, load the URL
    # (and its credentials) from configuration rather than embedding them in source.
    dao = CrashDAO("sqlite:///crashes.sqlite")
    # dao.add(crash, allow_duplicates=False) would instead skip crashes that the
    # duplicate-detection heuristics consider already stored.
    dao.add(crash)
    # event.debug.interactive() could be called here to inspect the crash interactively.
    process.kill()
def my_event_handler(event):
    """Debug event callback: report each event; on a last-chance exception persist a full crash dump and kill the process."""
    proc = event.get_process()
    thread = event.get_thread()
    code = event.get_event_code()
    bits = proc.get_bits()
    details = (
        event.get_event_name(),
        HexDump.integer(code, bits),
        HexDump.address(thread.get_pc(), bits),
        event.get_pid(),
        event.get_tid(),
    )
    print("%s (%s) at address %s, process %d, thread %d" % details)

    # Only exceptions the debuggee did not handle (last chance) are treated as crashes.
    if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
        print("Crash detected, storing crash dump in database...")
        crash = Crash(event)
        # takeMemorySnapshot: 0 = no memory dump, 1 = small memory dump, 2 = full memory dump.
        crash.fetch_extra_data(event, takeMemorySnapshot=2)
        # Any SQLAlchemy URL is accepted; a networked database's credentials belong in
        # configuration, not in source.
        dao = CrashDAO("sqlite:///crashes.sqlite")
        # dao.add(crash, allow_duplicates=False) would drop crashes the duplicate heuristics match.
        dao.add(crash)
        # event.debug.interactive() can be called here to drop into the interactive debugger.
        proc.kill()
def my_event_handler(event):
    """Print a one-line description of a debug event, refined for exceptions and process/DLL events."""
    pid = event.get_pid()
    tid = event.get_tid()
    bits = event.get_process().get_bits()

    # Defaults, used for events that need no special handling.
    name = event.get_event_name()
    code = event.get_event_code()
    address = event.get_thread().get_pc()

    if code == win32.EXCEPTION_DEBUG_EVENT:
        # Describe the exception itself rather than the generic debug event.
        name = event.get_exception_description()
        code = event.get_exception_code()
        # get_fault_address is not implemented for every exception type; fall back
        # to the exception address in that case.
        try:
            address = event.get_fault_address()
        except NotImplementedError:
            address = event.get_exception_address()
    elif code in (win32.CREATE_PROCESS_DEBUG_EVENT,
                  win32.EXIT_PROCESS_DEBUG_EVENT,
                  win32.LOAD_DLL_DEBUG_EVENT,
                  win32.UNLOAD_DLL_DEBUG_EVENT):
        # Append the image filename when one is known.
        filename = event.get_filename()
        if filename:
            name = "%s [%s]" % (name, filename)

    print("-" * 79)
    print("%s (0x%s) at address 0x%s, process %d, thread %d" % (
        name, HexDump.integer(code, bits), HexDump.address(address, bits), pid, tid))
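def print_handle_caption():
    """Print handle and caption of every top-level window, one per line, skipping windows without text."""
    system = System()
    for window in system.get_windows():
        handle = HexDump.integer(window.get_handle())
        caption = window.get_text()
        # `caption in None` raises TypeError (None is not a container); a None check was intended.
        if caption is not None:
            print("%s\t%s" % (handle, caption))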
def print_event(event):
    """Print a blank line, then the event name and description.

    The event code is included only when the description does not already contain it.
    """
    code = HexDump.integer(event.get_event_code())
    name = event.get_event_name()
    desc = event.get_event_description()
    # Both branches start with a blank line.
    print("")
    if code in desc:
        print("%s: %s" % (name, desc))
    else:
        print("%s (%s): %s" % (name, code, desc))
def print_thread(title, thread):
    """Print *title*, the thread id and handle, then the thread's registers and the code around its program counter."""
    thread_id = thread.get_tid()
    pc = thread.get_pc()
    print("%s %s - %s " % (title, HexDump.integer(thread_id), thread.get_handle()))
    print(CrashDump.dump_registers(thread.get_context()))
    # Trailing comma (Python 2 print statement): no newline after the code dump.
    print CrashDump.dump_code(thread.disassemble_around(pc), pc),
def post_CreateThread(self, event, retval):
    """Post-call hook for CreateThread: report stack size, start address and the returned value.

    Dispatched through ``hd`` under the "CreateThread" label, keyed by the start address.
    """
    bits = event.get_process().get_bits()
    params = event.hook.get_params(event.get_tid())
    # params[1] is dwStackSize, params[2] is lpStartAddress.
    # Round-trip through HexDump.integer then parse as base 16 (kept from the original).
    stack_size = int(HexDump.integer(params[1], bits), 16)
    start_address = "0x" + HexDump.address(params[2], bits)
    # NOTE(review): retval is reported as "ThreadId"; CreateThread returns a thread handle,
    # with the id written through its lpThreadId out-parameter — confirm which is intended.
    summary = "StackSize: {}, StartAddress: {}, ThreadId: {}".format(stack_size, start_address, retval)
    hd.dispatch(event, "CreateThread", summary, "thread", start_address)
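def post_CreateRemoteThread(self, event, retval):
    """Post-call hook for CreateRemoteThread: report stack size and start address of the new thread.

    Dispatched through ``hd`` under the "CreateRemoteThread" label, keyed by the start address.
    """
    bits = event.get_process().get_bits()
    params = event.hook.get_params(event.get_tid())
    # params[2] is dwStackSize, params[3] is lpStartAddress, params[6] is lpThreadId.
    dwStackSize = params[2]
    # HexDump.integer yields hexadecimal digits, so parse with base 16 (as post_CreateThread
    # does); int() with the default base misreads e.g. "00001000" or fails on a-f digits.
    StackSize = int(HexDump.integer(dwStackSize, bits), 16)
    lpStartAddress = params[3]
    StartAddress = "0x" + HexDump.address(lpStartAddress, bits)
    lpThreadId = params[6]
    # TODO: lpThreadId is a pointer into the target process; the thread id would have to be
    # read from its memory (e.g. event.get_process().read_uint(lpThreadId)) before reporting.
    buf = "StackSize: {}, StartAddress: {}".format(StackSize, StartAddress)
    hd.dispatch(event, "CreateRemoteThread", buf, "thread", StartAddress)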
def access_violation(self, evt):
    """Exception handler for access violations: dump the faulting thread's id, registers and nearby code."""
    faulting = evt.get_thread()
    separator = "-" * 79
    print("")
    print(separator)
    print("Thread: %s" % HexDump.integer(faulting.get_tid()))
    print("")
    print(CrashDump.dump_registers(faulting.get_context()))
    print(CrashDump.dump_code(faulting.disassemble_around_pc()))
    print(separator)
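def main():
    """Command-line entry point: write bytes into a process's memory.

    Usage: ``<pid|process.exe> <address> {binary input file / hex data}``. The remaining
    arguments are joined with spaces; if they name an existing file its contents are written,
    otherwise they are parsed as a hexadecimal block via ``HexInput.hexadecimal``.
    """
    print("Process memory writer")
    print("by Mario Vilas (mvilas at gmail.com)")
    print()

    if len(sys.argv) < 4:
        script = os.path.basename(sys.argv[0])
        print(" %s <pid> <address> {binary input file / hex data}" % script)
        print(" %s <process.exe> <address> {binary input file / hex data}" % script)
        return

    # Debug privileges are required to open arbitrary processes for writing.
    System.request_debug_privileges()

    # First argument: a numeric PID, otherwise an image filename to look up.
    try:
        pid = HexInput.integer(sys.argv[1])
    except Exception:
        s = System()
        s.scan_processes()
        pl = s.find_processes_by_filename(sys.argv[1])
        if not pl:
            print("Process not found: %s" % sys.argv[1])
            return
        if len(pl) > 1:
            print("Multiple processes found for %s" % sys.argv[1])
            # pl holds (process, filename) pairs (pl[0][0].get_pid() below relies on this),
            # so the PID must be taken from the process object, not formatted from the object.
            for p, n in pl:
                print("\t%s: %s" % (HexDump.integer(p.get_pid()), n))
            return
        pid = pl[0][0].get_pid()

    try:
        address = HexInput.integer(sys.argv[2])
    except Exception:
        print("Invalid value for address: %s" % sys.argv[2])
        return

    filename = ' '.join(sys.argv[3:])
    if os.path.exists(filename):
        # Close the input file deterministically instead of relying on garbage collection.
        with open(filename, 'rb') as f:
            data = f.read()
        print("Read %d bytes from %s" % (len(data), filename))
    else:
        try:
            data = HexInput.hexadecimal(filename)
        except Exception:
            print("Invalid filename or hex block: %s" % filename)
            return

    p = Process(pid)
    p.write(address, data)
    print("Written %d bytes to PID %d" % (len(data), pid))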
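def main():
    """Command-line entry point: write bytes into a process's memory.

    Usage: ``<pid|process.exe> <address> {binary input file / hex data}``. The remaining
    arguments are joined with spaces; if they name an existing file its contents are written,
    otherwise they are parsed as a hexadecimal block via ``HexInput.hexadecimal``.
    """
    print("Process memory writer")
    print("by Mario Vilas (mvilas at gmail.com)")
    print("")

    if len(sys.argv) < 4:
        script = os.path.basename(sys.argv[0])
        print(" %s <pid> <address> {binary input file / hex data}" % script)
        print(" %s <process.exe> <address> {binary input file / hex data}" % script)
        return

    # Debug privileges are required to open arbitrary processes for writing.
    System.request_debug_privileges()

    # First argument: a numeric PID, otherwise an image filename to look up.
    try:
        pid = HexInput.integer(sys.argv[1])
    except Exception:
        s = System()
        s.scan_processes()
        pl = s.find_processes_by_filename(sys.argv[1])
        if not pl:
            print("Process not found: %s" % sys.argv[1])
            return
        if len(pl) > 1:
            print("Multiple processes found for %s" % sys.argv[1])
            # pl holds (process, filename) pairs (pl[0][0].get_pid() below relies on this),
            # so the PID must be taken from the process object, not formatted from the object.
            for p, n in pl:
                print("\t%s: %s" % (HexDump.integer(p.get_pid()), n))
            return
        pid = pl[0][0].get_pid()

    try:
        address = HexInput.integer(sys.argv[2])
    except Exception:
        print("Invalid value for address: %s" % sys.argv[2])
        return

    filename = ' '.join(sys.argv[3:])
    if os.path.exists(filename):
        # Close the input file deterministically instead of relying on garbage collection.
        with open(filename, 'rb') as f:
            data = f.read()
        print("Read %d bytes from %s" % (len(data), filename))
    else:
        try:
            data = HexInput.hexadecimal(filename)
        except Exception:
            print("Invalid filename or hex block: %s" % filename)
            return

    p = Process(pid)
    p.write(address, data)
    print("Written %d bytes to PID %d" % (len(data), pid))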
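def get_window(self):
    """Return (and print) the root-window caption of the last window enumerated on ``self.hwnd`` that has one.

    Each window's root caption is collected, ``None`` captions are dropped, and the most
    recently enumerated remaining caption is returned. Raises IndexError when no window
    has a caption (same as the original ``caption[0]`` on an empty list).
    """
    # The original imported sqlite3, HexDump, System and Table and built an unused System
    # snapshot and an unused `handle`; none of them affected the result, so they are dropped.
    captions = [w.get_root().get_text() for w in self.hwnd.get_windows()]
    # insert(0, ...) in the original reversed the order, so "first" there is the last enumerated.
    with_text = [c for c in captions if c is not None]
    caption = with_text[-1]
    print(caption)
    return caption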
def show_window_tree(window, indent=0):
    """Print *window*'s handle and caption as one node of an ASCII tree, then recurse into its children.

    *indent* is the nesting depth; each level is drawn as a "| " column.
    """
    handle = HexDump.integer(window.get_handle())
    caption = window.get_text()
    # A row of bars for the depth, then a branch into this node (the root gets a lone "|").
    if indent > 0:
        print("| " * indent)
        prefix = "| " * (indent - 1) + "|---"
    else:
        print("|")
        prefix = ""
    label = handle if caption is None else handle + ": " + caption
    print(prefix + label)
    for child in window.get_children():
        show_window_tree(child, indent + 1)
def show_window_tree(window, indent=0):
    """Print *window*'s handle and caption as one node of an ASCII tree, then recurse into its children.

    *indent* is the nesting depth; each level is drawn as a "| " column.
    """
    handle = HexDump.integer(window.get_handle())
    caption = window.get_text()
    # A row of bars for the depth, then a branch into this node (the root gets a lone "|").
    if indent > 0:
        print("| " * indent)
        prefix = "| " * (indent - 1) + "|---"
    else:
        print("|")
        prefix = ""
    label = handle if caption is None else str(handle) + ": " + str(caption)
    print(prefix + label)
    for child in window.get_children():
        show_window_tree(child, indent + 1)
#     * Redistributions in binary form must reproduce the above copyright
#       notice,this list of conditions and the following disclaimer in the
#       documentation and/or other materials provided with the distribution.
#     * Neither the name of the copyright holder nor the names of its
#       contributors may be used to endorse or promote products derived from
#       this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

from winappdbg import System, HexDump

# Snapshot the system, then list every top-level window that has a caption
# as "<handle>:<TAB><caption>".
system = System()
entries = ((HexDump.integer(w.get_handle()), w.get_text()) for w in system.get_windows())
for handle, caption in entries:
    if caption is None:
        continue
    print("%s:\t%s" % (handle, caption))
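# POSSIBILITY OF SUCH DAMAGE.

from winappdbg import System, HexDump
import sys

# Usage: <script> <x> <y> -- describe the window found at screen position (x, y).
# Missing arguments previously surfaced as an uncaught IndexError traceback.
if len(sys.argv) != 3:
    print("Usage: %s <x> <y>" % sys.argv[0])
    sys.exit(1)

try:
    # Screen coordinates from the command line.
    x = int(sys.argv[1])
    y = int(sys.argv[2])

    # Window at the requested position.
    window = System.get_window_at(x, y)

    # Window geometry: corners and derived size.
    rect = window.get_screen_rect()
    position = (rect.left, rect.top, rect.right, rect.bottom)
    size = (rect.right - rect.left, rect.bottom - rect.top)

    # Window information, one field per line.
    print("Handle: %s" % HexDump.integer(window.get_handle()))
    print("Caption: %s" % window.text)
    print("Class: %s" % window.classname)
    print("Style: %s" % HexDump.integer(window.style))
    print("ExStyle: %s" % HexDump.integer(window.exstyle))
    print("Position: (%i, %i) - (%i, %i)" % position)
    print("Size: (%i, %i)" % size)
except ValueError:
    # int() rejected a coordinate; previously an uncaught traceback.
    print("Coordinates must be integers, got: %s %s" % (sys.argv[1], sys.argv[2]))
except WindowsError:
    print("No window at those coordinates!")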
#     * Redistributions in binary form must reproduce the above copyright
#       notice,this list of conditions and the following disclaimer in the
#       documentation and/or other materials provided with the distribution.
#     * Neither the name of the copyright holder nor the names of its
#       contributors may be used to endorse or promote products derived from
#       this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

from winappdbg import System, HexDump

# Snapshot the system and print "<handle>:<TAB><caption>" for each top-level
# window that has a caption.
system = System()
for top_level in system.get_windows():
    text = top_level.get_text()
    if text is None:
        continue
    print("%s:\t%s" % (HexDump.integer(top_level.get_handle()), text))
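# POSSIBILITY OF SUCH DAMAGE.

from winappdbg import System, HexDump
import sys

# Usage: <script> <x> <y> -- describe the window found at screen position (x, y).
# Missing arguments previously surfaced as an uncaught IndexError traceback.
if len(sys.argv) != 3:
    print("Usage: %s <x> <y>" % sys.argv[0])
    sys.exit(1)

try:
    # Screen coordinates from the command line.
    x = int(sys.argv[1])
    y = int(sys.argv[2])

    # Window at the requested position.
    window = System.get_window_at(x, y)

    # Window geometry: corners and derived size.
    rect = window.get_screen_rect()
    position = (rect.left, rect.top, rect.right, rect.bottom)
    size = (rect.right - rect.left, rect.bottom - rect.top)

    # Window information, one field per line.
    print("Handle: %s" % HexDump.integer(window.get_handle()))
    print("Caption: %s" % window.text)
    print("Class: %s" % window.classname)
    print("Style: %s" % HexDump.integer(window.style))
    print("ExStyle: %s" % HexDump.integer(window.exstyle))
    print("Position: (%i, %i) - (%i, %i)" % position)
    print("Size: (%i, %i)" % size)
except ValueError:
    # int() rejected a coordinate; previously an uncaught traceback.
    print("Coordinates must be integers, got: %s %s" % (sys.argv[1], sys.argv[2]))
except WindowsError:
    print("No window at those coordinates!")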
def post_scanf(self, event, retval):
    """Post-call hook for scanf: print the call's return value formatted by HexDump.integer."""
    formatted = HexDump.integer(retval)
    print('Return value from scanf is %s' % formatted)