def search_mem(process):
    """Scan a process's memory for PowerShell-remoting command artefacts.

    Walks the printable strings of ``process`` (a WinAppDbg process object,
    read through ``process.strings(4, 2048)``) and records, via
    ``add_pshmemTbl``, every string that carries what looks like a serialized
    PowerShell ``<S N="History">`` or ``<S N="Cmd">`` element, or a WS-Man
    ``rsp:CommandLine`` / ``rsp:Command`` / ``rsp:Arguments`` fragment.  This
    is the memory-forensics side of the tool: it recovers commands that were
    sent through remoting so a defender can see what ran on the host.

    :param process: WinAppDbg process object whose memory is scanned.
    :return: the table built by ``add_pshmemTbl`` (a dict keyed by marker).
    """
    # Fresh System snapshot; requesting the debug privilege is what allows
    # reading another user's process memory below.
    snapshot = winappdbg.System()
    snapshot.request_debug_privileges()
    snapshot.scan_processes()

    # Group 3 of each pattern is the payload: one non-whitespace token
    # between the opening and closing tag (same regexes as before).
    history_re = re.compile(r"(.*)(<S N=\"History\">)(\S+)(</S>)")
    cmd_re = re.compile(r"(.*?)(<S N=\"Cmd\">)(\S+)(</S>)")
    # Plain substring markers, checked in this order.  Note that
    # '<rsp:CommandLine' also contains '<rsp:Command', so such a string is
    # recorded under both keys -- this mirrors the original behaviour.
    substring_markers = ('rsp:CommandLine', 'rsp:Command', 'rsp:Arguments')

    found = dict()
    for _address, _size, raw in process.strings(4, 2048):
        text = raw.strip()

        hist = history_re.match(text)
        if hist is not None:
            add_pshmemTbl(found, '<S N="History">', hist.group(3))

        cmd = cmd_re.match(text)
        if cmd is not None:
            add_pshmemTbl(found, '<S N="Cmd">', cmd.group(3))

        for marker in substring_markers:
            if ('<' + marker) in text:
                add_pshmemTbl(found, marker, text)
    return found
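def ui_select_process_id(pattern=''):
    """Pick a process ID, interactively when more than one process matches.

    Enumerates running processes whose filename contains ``pattern`` (plain
    substring match; the empty default matches every process that has a
    filename).  With exactly one match its PID is returned at once; with
    several, a numbered menu is printed and the user is asked to choose.

    Fixes: the prompt loop used to fall through to a stray ``break`` on an
    out-of-range choice and then index the list with that bad value, and a
    bare ``except`` swallowed every exception (including SystemExit).  Only
    non-numeric input is now caught; out-of-range input re-prompts.

    :param pattern: substring to look for in each process filename.
    :return: the chosen process ID.
    :raises ValueError: when no process matches ``pattern``.
    """
    processes = []
    for proc in winappdbg.System():
        filename = proc.get_filename()
        if filename and pattern in filename:
            processes.append((proc.get_pid(), filename))

    if not processes:
        raise ValueError("No such process: %s" % pattern)
    if len(processes) == 1:
        return processes[0][0]

    print("===== Please pick a process to monitor =====")
    print("Choice | Process Name (PID)")
    for i, (pid, name) in enumerate(processes):
        print("[%3d] %s (%d)" % (i + 1, name, pid))

    while True:
        try:
            index = int(raw_input("Choose wise: "))
        except ValueError:
            # Non-numeric input: ask again.  KeyboardInterrupt is not
            # caught, so Ctrl-C still aborts the prompt.
            print("\nIncorrect input.")
            continue
        if 1 <= index <= len(processes):
            break
        # Out-of-range choice: ask again instead of indexing with it.
        print("\nIncorrect input.")
    return processes[index - 1][0]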
def find_process(self, name=None, pid=None):
    """Locate a running process by PID or executable basename and bind it.

    Iterates a fresh WinAppDbg ``System`` snapshot.  For each process with a
    known filename, the basename (text after the last backslash) is compared
    with ``name`` and the PID with ``pid``.  On a match the process object,
    basename and PID are stored on ``self.process``, ``self.name`` and
    ``self.pid``.  A match by ``name`` is additionally appended to
    ``self.running`` as ``(name, pid)``; a match by ``pid`` is not.  The
    scan does not stop at the first hit, so when several processes match
    the last one in enumeration order wins.

    Called from the class's ``__init__``; not meant to be called directly.

    :param name: executable basename to look for, e.g. ``"notepad.exe"``.
    :param pid: process ID to look for; checked before ``name`` for each
        process.
    """
    for candidate in winappdbg.System():
        path = candidate.get_filename()
        if path is None:
            continue
        basename = path.split("\\")[-1]
        candidate_pid = candidate.get_pid()

        matched_by_pid = pid is not None and candidate_pid == pid
        matched_by_name = name is not None and name == basename
        if not (matched_by_pid or matched_by_name):
            continue

        self.process = candidate
        self.name = basename
        self.pid = candidate_pid
        # Only a name match is recorded in ``running``.
        if not matched_by_pid:
            self.running.append((name, candidate_pid))
def get_processes(self):
    """Return a tab-separated table of all running processes, sorted by PID.

    The table has a blank first row, a ``pid``/``process`` header, a rule
    row, then one ``pid``/``filename`` row per process from a fresh WinAppDbg
    ``System`` snapshot (``get_filename()`` may yield ``None``).

    @rtype: str
    @return: the rendered table text.
    """
    by_pid = {}
    for proc in winappdbg.System():
        by_pid[proc.get_pid()] = proc.get_filename()

    # Layout borrowed from the WinAppDbg docs (Instrumentation, example 2):
    # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes
    table = winappdbg.Table("\t")
    table.addRow("", "")
    table.addRow("pid", "process")
    table.addRow("----", "----------")
    for pid in sorted(by_pid):
        table.addRow(pid, by_pid[pid])
    return table.getOutput()
def sysinfo(self):
    """Return a tab-separated table describing the host system.

    Rows: bitness, OS, architecture, WOW64 (32-bit emulation) flag, whether
    the current process is admin, the WinAppDbg version and the number of
    running processes, all read from a fresh ``winappdbg.System``.

    @rtype: str
    @return: the rendered table text.
    """
    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66
    host = winappdbg.System()
    rows = [
        ("Bits", host.bits),
        ("OS", host.os),
        ("Architecture", host.arch),
        ("32-bit Emulation", host.wow64),
        ("Admin", host.is_admin()),
        ("WinAppDbg", winappdbg.version),
        ("Process Count", host.get_process_count()),
    ]

    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094
    table = winappdbg.Table("\t")
    table.addRow("", "")                    # leading blank line
    table.addRow("System Information", "")  # header
    table.addRow("------------------")      # single-cell rule, as before
    for label, value in rows:
        table.addRow(label, value)
    return table.getOutput()
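def find_process(self, process):
    """Find a running process by executable basename and store it on ``self.hwnd``.

    Requests the debug privilege, then walks a WinAppDbg ``System`` snapshot
    comparing each process's basename (text after the last backslash of
    ``get_filename()``) with ``process``.  The first exact match is stored
    as ``self.hwnd``; ``self.hwnd`` is left untouched when nothing matches.

    Fix: the original, having found an exact match, re-ran
    ``system.find_processes_by_filename(name)`` and stored the first hit of
    that second, looser lookup -- which could be a different process than
    the one just matched.  The matched process object is stored directly.

    :param process: executable basename to look for (e.g. ``"notepad.exe"``).
    """
    system = winappdbg.System()
    system.request_debug_privileges()
    for candidate in system:
        path = candidate.get_filename()
        if path is None:
            continue
        if path.split("\\")[-1] == process:
            self.hwnd = candidate
            break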
def monitor_wsmprovhost(pid, ref):
    """Hook a WS-Man provider-host process on a worker thread.

    Takes a ``System`` snapshot with the debug privilege enabled, builds a
    ``WSMProvHostEventHandler`` whose ``attackers`` attribute is filled from
    ``get_pshconnection(5985)`` (5985 is the WinRM-over-HTTP port; presumably
    the remote endpoints currently connected to it -- verify in that helper),
    then starts ``intercept_wsmprovhost(pid, handler)`` on a (non-daemon)
    ``Thread`` and returns after a one-second pause.  Progress is reported
    through ``pshutils.print_console``.

    :param pid: process ID of the wsmprovhost.exe instance to hook.
    :param ref: unused; kept for call-compatibility.
    """
    snapshot = winappdbg.System()
    snapshot.request_debug_privileges()
    snapshot.scan_processes()

    pshutils.print_console(pshutils.SUCCESS_LEVEL, "hooking " + str(pid))

    handler = WSMProvHostEventHandler()
    handler.attackers = get_pshconnection(5985)

    worker = Thread(target=intercept_wsmprovhost, args=(pid, handler))
    worker.start()
    # Give the hook a moment to settle before handing control back.
    time.sleep(1)
    pshutils.print_console(pshutils.INFO_LEVEL, "back to main from " + str(pid))
def get_process_handle(pid):
    """Return the WinAppDbg process object for ``pid``.

    @type pid: int
    @param pid: ID of the target process.
    @rtype: winappdbg process object
    @return: the process from a fresh ``System`` snapshot.
    @raise DebugError: when ``pid`` is not a running process.
    """
    snapshot = winappdbg.System()
    if not snapshot.has_process(pid):
        raise DebugError(pid, "Process not found")
    return snapshot.get_process(pid)
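def main():
    """Attach the WinAppDbg debugger to the process given by ``-p``/``--pid``.

    Prints all PIDs, attaches to the requested one and runs the debug loop
    until it ends; the debugger is always stopped in ``finally``.

    Fix: the original converted ``args.pid`` with ``long()`` *before* checking
    that ``-p`` was supplied, so running without it died with a TypeError
    instead of reaching the "not found." message like every other path.
    """
    parser = argparse.ArgumentParser(description="WinAppDbg stuff.")
    parser.add_argument("-p", "--pid", help="process id")
    args = parser.parse_args()

    # Only convert when a value was given; long(None) raises.  (``long`` is
    # the Python 2 integer type this script was written for.)
    if args.pid is not None:
        args.pid = long(args.pid)

    if (args.pid):
        system = winappdbg.System()
        # All currently running PIDs
        pids = system.get_process_ids()
        print(pids)
        if args.pid in pids:
            debug = winappdbg.Debug()
            try:
                # attach: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L219
                my_process = debug.attach(int(args.pid))
                print("Attached to %d - %s" % (my_process.get_pid(), my_process.get_filename()))
                # Keep debugging until the debugger stops
                debug.loop()
            finally:
                debug.stop()
                print("Debugger stopped.")
        else:
            print("pid %d not found." % (args.pid))
        exit()
    else:
        print("%s not found." % (args.pid))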
def findProcess(self, processName=None):
    """Enumerate running processes, or find one by executable basename.

    Walks a WinAppDbg ``System`` snapshot, skipping processes without a
    filename.  With ``processName`` omitted every process is appended to
    ``self.running`` as ``(basename, pid)``; nothing is returned.  With a
    name, the first process whose basename (text after the last backslash)
    equals it is stored on ``self.hwnd`` and the scan stops.

    Called by ``__init__``; do not call it directly.  To list processes::

        ins = Hack()
        print ins.running
    """
    for candidate in winappdbg.System():
        path = candidate.get_filename()
        if path is None:
            continue
        basename = path.split("\\")[-1]
        if processName is None:
            self.running.append((basename, candidate.get_pid()))
        elif basename == processName:
            self.hwnd = candidate
            break
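def get_window(self):
    """Return the caption of the process's last enumerated captioned window.

    Enumerates ``self.hwnd.get_windows()`` (``self.hwnd`` is the WinAppDbg
    process object stored by ``findProcess``), reads ``get_text()`` of each
    window's root, drops ``None`` texts and returns the text of the *last*
    window in enumeration order that has one, printing it first.

    Fixes: the unused ``sqlite3``/``HexDump``/``System``/``Table`` imports,
    the unused ``System()`` snapshot and ``handle`` local are removed; an
    empty result raises an IndexError with a message rather than a bare
    ``caption[0]`` failure (same exception type as before).

    :return: the window caption string.
    :raises IndexError: when no window of the process has a root caption.
    """
    process = self.hwnd
    captions = [window.get_root().get_text() for window in process.get_windows()]
    captions = [text for text in captions if text is not None]
    if not captions:
        raise IndexError("no window with a caption found for the process")
    # The original built the list with insert(0, ...) and took element 0,
    # i.e. the last non-None caption in enumeration order.
    caption = captions[-1]
    print(caption)
    return caption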
# POSSIBILITY OF SUCH DAMAGE. import os import sys import zlib import ntpath import winappdbg from winappdbg import win32 try: import sqlite3 as sqlite except ImportError: from pysqlite2 import dbapi2 as sqlite # Create a snaphot of running processes. system = winappdbg.System() system.request_debug_privileges() system.scan_processes() # Get all processes that match the requested filenames. for filename in sys.argv[1:]: print "Looking for: %s" % filename for process, pathname in system.find_processes_by_filename(filename): pid = process.get_pid() bits = process.get_bits() print "Dumping memory for process ID %d (%d bits)" % (pid, bits) # Parse the database filename. dbfile = '%d.db' % pid if ntpath.exists(dbfile): counter = 1
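def main():
    """Command-line entry point: run, inspect or attach with WinAppDbg.

    Only the first applicable branch runs, in this order:
      -r/--run PATH               start PATH under the debugger and loop
                                  until it ends
      -s/--sysinfo                print a system-information table (plus
                                  the WinAppDbg Table demo)
      -p/--process                print all running processes sorted by PID
      -pname/--attach-pname NAME  attach to every process whose filename
                                  matches NAME and run the debug loop
    The debugger is always stopped in ``finally``.

    Fixes: ``win32.PathFileExists`` was called with ``args.run`` even when
    ``-r`` was not given, and with no arguments at all the script reported
    "None not found."; ``args.run`` is now checked first and the usage text
    is printed when nothing was requested.
    """
    parser = argparse.ArgumentParser(description="WinAppDbg stuff.")
    parser.add_argument("-r", "--run", help="path to application")
    parser.add_argument("-s", "--sysinfo", action='store_true',
                        help="get System module 's information")
    parser.add_argument("-p", "--process", action='store_true',
                        help="get all running processes")
    parser.add_argument("-pname", "--attach-pname", type=str, dest="pname",
                        help="attach to th pname process")
    args = parser.parse_args()

    # Use the Win32 API wrappers provided by WinAppDbg; only when -r was given.
    if args.run and win32.PathFileExists(args.run) is True:
        debug = winappdbg.Debug()
        try:
            # First item is the program, the rest are its arguments.
            # execv: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L274
            my_process = debug.execv([args.run])
            print("Attached to %d - %s" % (my_process.get_pid(), my_process.get_filename()))
            # Keep debugging until the debugger stops
            debug.loop()
        finally:
            debug.stop()
            print("Debugger stopped.")

    elif args.sysinfo:
        # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66
        system = winappdbg.System()
        # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094
        table = winappdbg.Table("\t")
        table.addRow("", "")
        title = ("System Information", "")
        table.addRow(*title)
        table.addRow("------------------")
        table.addRow("Bits", system.bits)
        table.addRow("OS", system.os)
        table.addRow("Architecture", system.arch)
        table.addRow("32-bit Emulation", system.wow64)
        table.addRow("Admin", system.is_admin())
        table.addRow("WinAppDbg", winappdbg.version)
        table.addRow("Process Count", system.get_process_count())
        print(table.getOutput())

        # Table demo from the WinAppDbg docs.
        table1 = winappdbg.Table("\t")
        table1.addRow("Right justified column text", "Left justified column text")
        table1.addRow("---------------------------", "--------------------------")
        table1.addRow("example", "text")
        table1.addRow("jabberwocky", "snark")
        table1.addRow("Trillian", "Zaphod", "Arthur Dent")  # one extra!
        table1.addRow("Dalek", "Cyberman")
        # By default all columns are left justified; right-justify column 0.
        table1.justify(0, 1)
        print("Table width: %d" % table1.getWidth())
        print("Text size in characters: %d" % len(table1.getOutput()))
        print(table1.getOutput())

    elif args.process:
        system = winappdbg.System()
        # Layout from the docs:
        # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes
        table = winappdbg.Table("\t")
        table.addRow("", "")
        header = ("pid", "process")
        table.addRow(*header)
        table.addRow("----", "----------")
        processes = {}
        for process in system:
            processes[process.get_pid()] = process.get_filename()
        for key in sorted(processes.keys()):
            table.addRow(key, processes[key])
        print(table.getOutput())

    elif args.pname:
        debug = winappdbg.Debug()
        # example 3:
        # https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py
        try:
            debug.system.scan()
            for (process, name) in debug.system.find_processes_by_filename(args.pname):
                print("Found %d, %s" % (process.get_pid(), process.get_filename()))
                debug.attach(process.get_pid())
                print("Attached to %d-%s" % (process.get_pid(), process.get_filename()))
                debug.loop()
        finally:
            debug.stop()

    elif args.run:
        # -r was given but the path does not exist
        print("%s not found." % (args.run))
    else:
        parser.print_help()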
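def main():
    """Command-line entry point: start, attach to, or list processes with WinAppDbg.

    Exactly one of ``-r/--run``, ``-pid/--attach-pid`` and
    ``-pname/--attach-process-name`` may be given; ``-i/--sysinfo`` prints a
    system-information table and ``-o/--output`` sends all output to a
    ``winappdbg.Logger`` file (stdout otherwise) through the module-level
    ``logger``.  Each branch calls ``exit()`` when done; with no selecting
    option the running processes are listed sorted by PID.  The debugger is
    always stopped in ``finally``.

    Fixes: the ``-pname`` branch printed its "Debugger stopped." line with a
    bare ``print`` instead of ``logger.log_text`` (so it bypassed ``-o``),
    and its help text was copy-pasted from ``-pid``.
    """
    parser = argparse.ArgumentParser(description="WinAppDbg stuff.")
    # -r, -pid and -pname are mutually exclusive
    group = parser.add_mutually_exclusive_group()
    group.add_argument("-r", "--run", nargs="+",
                       help="path to application followed by parameters")
    group.add_argument("-pid", "--attach-pid", type=int, dest="pid",
                       help="pid of process to attach and instrument")
    group.add_argument("-pname", "--attach-process-name", dest="pname",
                       help="name of process to attach and instrument")
    parser.add_argument("-i", "--sysinfo", action="store_true",
                        help="print system information")
    # Optional log file
    parser.add_argument("-o", "--output", dest="output", help="log filename")
    args = parser.parse_args()

    # Logging: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1766
    global logger
    if args.output:
        # verbose=False disables printing to stdout
        logger = winappdbg.Logger(args.output, verbose=False)
    else:
        logger = winappdbg.Logger()

    if (args.run):
        # Concatenate program and parameters into one command line
        myargs = " ".join(args.run)
        # Use the Win32 API wrappers provided by WinAppDbg
        if win32.PathFileExists(args.run[0]) is True:
            debug = winappdbg.Debug()
            try:
                # execl: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L358
                my_process = debug.execl(myargs)
                logger.log_text("Started %d - %s" % (my_process.get_pid(), my_process.get_filename()))
                # Keep debugging until the debugger stops
                debug.loop()
            finally:
                debug.stop()
                logger.log_text("Debugger stopped.")
        else:
            logger.log_text("%s not found." % (args.run[0]))
        exit()

    if (args.sysinfo):
        # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66
        system = winappdbg.System()
        # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094
        table = winappdbg.Table("\t")
        table.addRow("", "")
        title = ("System Information", "")
        table.addRow(*title)
        table.addRow("------------------")
        table.addRow("Bits", system.bits)
        table.addRow("OS", system.os)
        table.addRow("Architecture", system.arch)
        table.addRow("32-bit Emulation", system.wow64)
        table.addRow("Admin", system.is_admin())
        table.addRow("WinAppDbg", winappdbg.version)
        table.addRow("Process Count", system.get_process_count())
        logger.log_text(table.getOutput())
        exit()

    if (args.pid):
        system = winappdbg.System()
        pids = system.get_process_ids()
        if args.pid in pids:
            debug = winappdbg.Debug()
            try:
                # attach: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L219
                my_process = debug.attach(args.pid)
                logger.log_text("Attached to %d - %s" % (my_process.get_pid(), my_process.get_filename()))
                debug.loop()
            finally:
                debug.stop()
                logger.log_text("Debugger stopped.")
        else:
            logger.log_text("pid %d not found." % (args.pid))
        exit()

    # Find processes by name and attach to them
    if (args.pname):
        debug = winappdbg.Debug()
        # example 3:
        # https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py
        try:
            debug.system.scan()
            for (process, name) in debug.system.find_processes_by_filename(args.pname):
                logger.log_text("Found %d, %s" % (process.get_pid(), process.get_filename()))
                debug.attach(process.get_pid())
                logger.log_text("Attached to %d-%s" % (process.get_pid(), process.get_filename()))
                debug.loop()
        finally:
            debug.stop()
            logger.log_text("Debugger stopped.")
        exit()

    # No selecting option: log the running processes.
    # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes
    system = winappdbg.System()
    table = winappdbg.Table("\t")
    table.addRow("", "")
    header = ("pid", "process")
    table.addRow(*header)
    table.addRow("----", "----------")
    processes = {}
    for process in system:
        processes[process.get_pid()] = process.get_filename()
    for key in sorted(processes):
        table.addRow(key, processes[key])
    logger.log_text(table.getOutput())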
def main():
    """Command-line entry point: start a program under WinAppDbg, print system info, or list processes.

    ``-r/--run PATH [ARGS...]`` launches PATH with the given arguments via
    ``debug.execl`` and runs the debug loop until the debuggee ends (the
    debugger is stopped in ``finally``); ``-i/--sysinfo`` prints a
    system-information table.  Both branches call ``exit()``.  With neither
    option the running processes are printed sorted by PID.
    """
    parser = argparse.ArgumentParser(description="WinAppDbg stuff.")
    parser.add_argument("-r", "--run", nargs="+",
                        help="path to application followed by parameters")
    parser.add_argument("-i", "--sysinfo", action="store_true",
                        help="print system information")
    args = parser.parse_args()

    if args.run:
        command_line = " ".join(args.run)
        # Existence check through the WinAppDbg Win32 wrappers
        if win32.PathFileExists(args.run[0]) is not True:
            print("%s not found." % (args.run[0]))
        else:
            debug = winappdbg.Debug()
            try:
                # execl: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L358
                debuggee = debug.execl(command_line)
                print("Started %d - %s" % (debuggee.get_pid(), debuggee.get_filename()))
                # Keep debugging until the debugger stops
                debug.loop()
            finally:
                debug.stop()
                print("Debugger stopped.")
        exit()

    if args.sysinfo:
        # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66
        host = winappdbg.System()
        # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094
        info = winappdbg.Table("\t")
        info.addRow("", "")
        info.addRow("System Information", "")
        info.addRow("------------------")
        for label, value in (
            ("Bits", host.bits),
            ("OS", host.os),
            ("Architecture", host.arch),
            ("32-bit Emulation", host.wow64),
            ("Admin", host.is_admin()),
            ("WinAppDbg", winappdbg.version),
            ("Process Count", host.get_process_count()),
        ):
            info.addRow(label, value)
        print(info.getOutput())
        exit()

    # No arguments: list running processes.
    # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes
    by_pid = {}
    for proc in winappdbg.System():
        by_pid[proc.get_pid()] = proc.get_filename()
    listing = winappdbg.Table("\t")
    listing.addRow("", "")
    listing.addRow("pid", "process")
    listing.addRow("----", "----------")
    for pid in sorted(by_pid):
        listing.addRow(pid, by_pid[pid])
    print(listing.getOutput())
def getProcess(self):
    """Print ``pid filename`` for every process in a fresh WinAppDbg ``System`` snapshot."""
    for candidate in winappdbg.System():
        pid, path = candidate.get_pid(), candidate.get_filename()
        print pid, path
'''