예제 #1
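def search_mem(process):
    """Scrape PowerShell-remoting command fragments out of a process's memory.

    Walks the readable strings of ``process`` (a winappdbg Process, e.g. a
    wsmprovhost.exe instance) and records every serialized ``<S N="History">``
    / ``<S N="Cmd">`` element and every ``<rsp:CommandLine``, ``<rsp:Command``
    and ``<rsp:Arguments`` WinRM element through ``add_pshmemTbl`` (defined
    elsewhere in this file).

    :param process: winappdbg Process whose memory is scanned.
    :return: the dict filled in by ``add_pshmemTbl`` (its layout is defined there).
    """
    # The debug privilege is requested before reading another process's memory.
    # The snapshot taken by scan_processes() is not used here; it is kept only
    # because the original performed it -- TODO confirm callers do not rely on it.
    system = winappdbg.System()
    system.request_debug_privileges()
    system.scan_processes()

    # Compiled once per call instead of once per scanned string.  Both patterns
    # capture only a run of non-whitespace, so a command containing spaces is
    # not captured (kept as in the original -- TODO confirm this is intended).
    # Note the History pattern's leading group is greedy while Cmd's is lazy:
    # with several elements in one string the former captures the last, the
    # latter the first.  Behaviour preserved.
    history_re = re.compile(r"(.*)(<S N=\"History\">)(\S+)(</S>)")
    cmd_re = re.compile(r"(.*?)(<S N=\"Cmd\">)(\S+)(</S>)")

    pshmemTbl = dict()

    for _address, _size, data in process.strings(4, 2048):
        data = data.strip()

        m = history_re.match(data)
        if m is not None:
            add_pshmemTbl(pshmemTbl, '<S N="History">', m.group(3))

        m = cmd_re.match(data)
        if m is not None:
            add_pshmemTbl(pshmemTbl, '<S N="Cmd">', m.group(3))

        # '<rsp:Command' is a prefix of '<rsp:CommandLine', so a CommandLine
        # string is recorded under both keys, exactly as before.
        if '<rsp:CommandLine' in data:
            add_pshmemTbl(pshmemTbl, 'rsp:CommandLine', data)
        if '<rsp:Command' in data:
            add_pshmemTbl(pshmemTbl, 'rsp:Command', data)
        if '<rsp:Arguments' in data:
            add_pshmemTbl(pshmemTbl, 'rsp:Arguments', data)

    return pshmemTbl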
예제 #2
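def ui_select_process_id(pattern=''):
    """Return the PID of a running process whose image path contains ``pattern``.

    With exactly one match the PID is returned without prompting; with several,
    a numbered menu is printed and the user picks an entry on stdin.

    :param pattern: substring matched (case-sensitively) against each process's
        filename; the default ``''`` matches every process that has a filename.
    :return: the chosen PID (int).
    :raises ValueError: when no process filename contains ``pattern``.
    """
    processes = [(p.get_pid(), p.get_filename()) for p in winappdbg.System()
                 if p.get_filename() and pattern in p.get_filename()]
    if not processes:
        raise ValueError("No such process: %s" % pattern)
    if len(processes) == 1:
        return processes[0][0]

    print("===== Please pick a process to monitor =====")
    print("Choice | Process Name (PID)")

    for i, (pid, name) in enumerate(processes):
        print("[%3d]    %s (%d)" % (i + 1, name, pid))

    # Loop until the user types a number inside the menu range.  The original
    # left the loop on *any* integer, so 0 silently selected the last entry
    # (processes[-1]) and a too-large number raised IndexError below.  Only
    # ValueError is caught now: the former bare except also swallowed EOFError
    # and spun forever on a closed stdin.
    while True:
        try:
            index = int(raw_input("Choose wise: "))
        except ValueError:
            print("\nIncorrect input.")
            continue
        if 1 <= index <= len(processes):
            break
        print("\nIncorrect input.")

    return processes[index - 1][0]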
예제 #3
파일: hack.py 프로젝트: m4rm0k/hackManager
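    def find_process(self, name=None, pid=None):
        """Locate a process by image basename or PID and list all running processes.

        Do NOT call this method directly; it is called by ``__init__``.  Every
        process that has a filename is appended to ``self.running`` as
        ``(basename, pid)``.  If ``pid`` or ``name`` matches a process,
        ``self.process``, ``self.name`` and ``self.pid`` are set to it.  To list
        the running processes::

            ins = Hack()
            print ins.running

        :param name: image basename to match exactly (case-sensitive),
            e.g. ``"notepad.exe"``.
        :param pid: process ID to match; checked before ``name``.
        """
        system = winappdbg.System()
        for process in system:
            filename = process.get_filename()
            if filename is None:
                continue

            _name = filename.split("\\")[-1]
            _pid = process.get_pid()

            # No break: the scan continues so self.running is filled
            # completely; if several processes match, the last one wins.
            if (pid is not None and _pid == pid) or (name is not None and name == _name):
                self.process = process
                self.name = _name
                self.pid = _pid

            # Fix: the original appended the *search argument* ``name`` (often
            # None) instead of the process's own basename, so self.running
            # never contained real process names.
            self.running.append((_name, _pid))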
예제 #4
    def get_processes(self):
        """
        Render every running process as a tab-separated table.

        Rows are ``pid``, ``filename`` (``None`` when winappdbg cannot read
        the image path), ordered by ascending pid.

        @rtype:  str
        @return: The table text: an empty line, a header, a rule, then one
                 row per process.
        """
        snapshot = winappdbg.System()

        # pid -> filename; iterating the System object enumerates the running
        # processes (docs example 02,
        # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes).
        by_pid = dict((p.get_pid(), p.get_filename()) for p in snapshot)

        table = winappdbg.Table("\t")
        table.addRow("", "")
        table.addRow("pid", "process")
        table.addRow("----", "----------")
        for pid in sorted(by_pid):
            table.addRow(pid, by_pid[pid])

        return table.getOutput()
예제 #5
    def sysinfo(self):
        """
        Render basic host and winappdbg facts as a tab-separated table.

        @rtype:  str
        @return: The table text: an empty line, a title row, a rule, then one
                 "label<TAB>value" row per fact.
        """
        host = winappdbg.System()
        table = winappdbg.Table("\t")

        table.addRow("", "")
        table.addRow("System Information", "")
        table.addRow("------------------")

        # One row per fact, in this order.
        facts = (
            ("Bits", host.bits),
            ("OS", host.os),
            ("Architecture", host.arch),
            ("32-bit Emulation", host.wow64),
            ("Admin", host.is_admin()),
            ("WinAppDbg", winappdbg.version),
            ("Process Count", host.get_process_count()),
        )
        for label, value in facts:
            table.addRow(label, value)

        return table.getOutput()
예제 #6
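    def find_process(self, process):
        """Find a running process by image basename and store it in ``self.hwnd``.

        Keeps the first process whose image basename equals ``process`` exactly
        (case-sensitive).  Nothing is assigned when there is no match.  Despite
        its name, ``self.hwnd`` holds a winappdbg Process object, not a window
        handle.

        :param process: image basename to look for, e.g. ``"calc.exe"``.
        """
        system = winappdbg.System()
        # Request the debug privilege before enumerating, as the original did.
        system.request_debug_privileges()

        for candidate in system:
            filename = candidate.get_filename()
            if filename is None:
                continue
            if filename.split("\\")[-1] == process:
                # Keep the process we just matched.  The original re-queried
                # find_processes_by_filename(name)[0][0], a second lookup with
                # its own (looser) matching rules that could hand back a
                # different process sharing the same basename.
                self.hwnd = candidate
                break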
예제 #7
def monitor_wsmprovhost(pid, ref):
    """Start intercepting a wsmprovhost process on a background thread.

    Requests the debug privilege, takes a process snapshot, builds a
    ``WSMProvHostEventHandler`` whose ``attackers`` come from
    ``get_pshconnection(5985)`` (presumably the peers on the WinRM HTTP port --
    TODO confirm), and runs ``intercept_wsmprovhost(pid, handler)`` on a new
    thread.  The thread is not joined; this function returns after a
    one-second pause.

    :param pid: process ID of the wsmprovhost instance to hook.
    :param ref: accepted for interface compatibility; not used here.
    """
    snapshot = winappdbg.System()
    snapshot.request_debug_privileges()
    snapshot.scan_processes()

    pshutils.print_console(pshutils.SUCCESS_LEVEL, "hooking " + str(pid))

    handler = WSMProvHostEventHandler()
    handler.attackers = get_pshconnection(5985)

    worker = Thread(target=intercept_wsmprovhost, args=(pid, handler))
    worker.start()
    # Give the interceptor a moment to get going before handing control back.
    time.sleep(1)

    pshutils.print_console(pshutils.INFO_LEVEL, "back to main from " + str(pid))
예제 #8
    def get_process_handle(pid):
        """
        Return the winappdbg Process object for ``pid``.

        Note: despite the name this is the winappdbg ``Process`` wrapper,
        not a raw Win32 handle.

        @type  pid: int
        @param pid: ID of the target process.

        @rtype:  winappdbg.Process
        @return: The process object associated with ``pid``.

        @raise DebugError: if no running process has that pid.
        """
        snapshot = winappdbg.System()
        if not snapshot.has_process(pid):
            raise DebugError(pid, "Process not found")
        return snapshot.get_process(pid)
예제 #9
파일: winapp2.py 프로젝트: msryu2016/py
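def main():
    """Attach the WinAppDbg debugger to the process given by ``-p/--pid``.

    With a valid pid the debugger attaches, prints the pid and image name and
    runs the event loop until it ends; the debugger is always stopped
    afterwards.  A missing or non-numeric ``-p`` is reported by argparse
    instead of crashing.
    """
    parser = argparse.ArgumentParser(description="WinAppDbg stuff.")
    # type=int lets argparse reject non-numeric pids with a usage error.  The
    # original called long(args.pid) *before* checking for None, so running
    # without -p raised TypeError and its "not found" branch was unreachable.
    parser.add_argument("-p", "--pid", type=int, help="process id")

    args = parser.parse_args()

    if args.pid is None:
        parser.error("a process id is required (-p/--pid)")

    system = winappdbg.System()
    pids = system.get_process_ids()

    if args.pid not in pids:
        print("pid %d not found." % args.pid)
        return

    debug = winappdbg.Debug()
    try:
        # attach: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L219
        my_process = debug.attach(args.pid)
        print("Attached to %d - %s" % (my_process.get_pid(),
                                       my_process.get_filename()))
        # Keep debugging until the debugger stops.
        debug.loop()
    finally:
        # Always tear the session down, even if attach() or loop() raised.
        debug.stop()
        print("Debugger stopped.")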
예제 #10
파일: hack.py 프로젝트: hulucc/hackManager
 def findProcess(self, processName=None):
     """Scan running processes; either list them all or pick one by image name.

     Do NOT call this method directly; ``__init__`` calls it.  Without a
     ``processName`` every process that has a filename is appended to
     ``self.running`` as ``(basename, pid)``::

         ins = Hack()
         print ins.running

     With a ``processName`` the first process whose image basename equals it
     (case-sensitive) is stored in ``self.hwnd`` (a winappdbg Process, not a
     window handle); nothing is stored when there is no match.
     """
     for candidate in winappdbg.System():
         path = candidate.get_filename()
         if path is None:
             continue
         basename = path.split("\\")[-1]
         if processName is None:
             self.running.append((basename, candidate.get_pid()))
         elif basename == processName:
             self.hwnd = candidate
             break
예제 #11
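    def get_window(self):
        """Return (and print) a root-window caption of the process in ``self.hwnd``.

        Takes the root window of every window owned by the process and returns
        the text of the last enumerated root that has a caption; roots whose
        text is ``None`` are ignored.

        :return: the caption string.
        :raises IndexError: if no window of the process has a captioned root.
        """
        process = self.hwnd

        # Root captions in enumeration order.  The original inserted each one at
        # index 0 and then took element 0, i.e. the *last* enumerated non-None
        # caption; that selection is kept.  (The unused System/HexDump/sqlite3
        # imports and the unused window-handle lookup were dropped.)
        captions = [window.get_root().get_text() for window in process.get_windows()]
        captions = [text for text in captions if text is not None]

        if not captions:
            # Same exception type as the original's caption[0] on an empty list,
            # but with a message saying what is missing.
            raise IndexError("process %r has no captioned root window" % (process,))

        caption = captions[-1]
        print(caption)
        return caption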
예제 #12
# POSSIBILITY OF SUCH DAMAGE.

import os
import sys
import zlib
import ntpath
import winappdbg
from winappdbg import win32

try:
    import sqlite3 as sqlite
except ImportError:
    from pysqlite2 import dbapi2 as sqlite

# Create a snapshot of running processes.
system = winappdbg.System()
# Request the debug privilege before scanning -- presumably so that processes
# owned by other users can be enumerated and read later; requires an elevated
# token, and what happens when it cannot be obtained is not shown here (TODO confirm).
system.request_debug_privileges()
# Populate the snapshot now; find_processes_by_filename() below searches it.
system.scan_processes()

# Get all processes that match the requested filenames.
for filename in sys.argv[1:]:
    print "Looking for: %s" % filename
    for process, pathname in system.find_processes_by_filename(filename):
        pid = process.get_pid()
        bits = process.get_bits()
        print "Dumping memory for process ID %d (%d bits)" % (pid, bits)

        # Parse the database filename.
        dbfile = '%d.db' % pid
        if ntpath.exists(dbfile):
            counter = 1
예제 #13
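def _print_sysinfo():
    """Print the host/winappdbg facts table, then the Table demo from the docs."""
    system = winappdbg.System()

    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094
    table = winappdbg.Table("\t")
    table.addRow("", "")
    table.addRow("System Information", "")
    table.addRow("------------------")
    table.addRow("Bits", system.bits)
    table.addRow("OS", system.os)
    table.addRow("Architecture", system.arch)
    table.addRow("32-bit Emulation", system.wow64)
    table.addRow("Admin", system.is_admin())
    table.addRow("WinAppDbg", winappdbg.version)
    table.addRow("Process Count", system.get_process_count())
    print(table.getOutput())

    # Table-formatting demo kept from the original (mirrors the winappdbg docs).
    table1 = winappdbg.Table("\t")
    table1.addRow("Right justified column text", "Left justified column text")
    table1.addRow("---------------------------", "--------------------------")
    table1.addRow("example", "text")
    table1.addRow("jabberwocky", "snark")
    table1.addRow("Trillian", "Zaphod", "Arthur Dent")     # one extra!
    table1.addRow("Dalek", "Cyberman")
    table1.justify(0, 1)  # column 0 is now right justified
    print("Table width: %d" % table1.getWidth())
    print("Text size in characters: %d" % len(table1.getOutput()))
    print(table1.getOutput())


def _print_process_table():
    """Print every running process as "pid<TAB>filename", sorted by pid."""
    # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes
    processes = dict((p.get_pid(), p.get_filename()) for p in winappdbg.System())

    table = winappdbg.Table("\t")
    table.addRow("", "")
    table.addRow("pid", "process")
    table.addRow("----", "----------")
    for pid in sorted(processes):
        table.addRow(pid, processes[pid])
    print(table.getOutput())


def _debug_new_process(path):
    """Launch ``path`` (no arguments) under the debugger and run its event loop."""
    debug = winappdbg.Debug()
    try:
        # execv: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L274
        my_process = debug.execv([path])
        print("Attached to %d - %s" % (my_process.get_pid(),
                                       my_process.get_filename()))
        # Keep debugging until the debugger stops.
        debug.loop()
    finally:
        debug.stop()
        print("Debugger stopped.")


def _attach_by_name(pname):
    """Attach to every running process whose image name matches ``pname``."""
    # https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py
    debug = winappdbg.Debug()
    try:
        debug.system.scan()
        for process, _name in debug.system.find_processes_by_filename(pname):
            print("Found %d, %s" % (process.get_pid(), process.get_filename()))
            debug.attach(process.get_pid())
            print("Attached to %d-%s" % (process.get_pid(), process.get_filename()))
        # As in the original, loop() is entered even when nothing matched --
        # presumably it returns at once with no debuggee (TODO confirm).
        debug.loop()
    finally:
        debug.stop()


def main():
    """Command-line front end.

    Exactly one action runs, chosen in this order: ``-r PATH`` (debug a new
    process), ``-s`` (system information), ``-p`` (list processes),
    ``-pname NAME`` (attach by image name).  With ``-r`` pointing at a missing
    file the error is reported; with no option at all the help text is printed.
    """
    parser = argparse.ArgumentParser(description="WinAppDbg stuff.")
    parser.add_argument("-r", "--run", help="path to application")
    parser.add_argument("-s", "--sysinfo", action='store_true',
                        help="get System module's information")
    parser.add_argument("-p", "--process", action='store_true',
                        help="get all running processes")
    parser.add_argument("-pname", "--attach-pname", type=str, dest="pname",
                        help="attach to the pname process")

    args = parser.parse_args()

    # Only consult the filesystem when -r was given; the original passed
    # args.run (possibly None) straight to PathFileExists.
    if args.run and win32.PathFileExists(args.run):
        _debug_new_process(args.run)
    elif args.sysinfo:
        _print_sysinfo()
    elif args.process:
        _print_process_table()
    elif args.pname:
        _attach_by_name(args.pname)
    elif args.run:
        print("%s not found." % args.run)
    else:
        # Nothing requested: the original printed the misleading "None not found." here.
        parser.print_help()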
예제 #14
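def _log_sysinfo():
    """Log the host/winappdbg facts table through the module-level ``logger``."""
    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66
    system = winappdbg.System()

    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094
    table = winappdbg.Table("\t")
    table.addRow("", "")
    table.addRow("System Information", "")
    table.addRow("------------------")
    table.addRow("Bits", system.bits)
    table.addRow("OS", system.os)
    table.addRow("Architecture", system.arch)
    table.addRow("32-bit Emulation", system.wow64)
    table.addRow("Admin", system.is_admin())
    table.addRow("WinAppDbg", winappdbg.version)
    table.addRow("Process Count", system.get_process_count())

    logger.log_text(table.getOutput())


def _log_process_table():
    """Log every running process as "pid<TAB>filename", sorted by pid."""
    # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes
    processes = dict((p.get_pid(), p.get_filename()) for p in winappdbg.System())

    table = winappdbg.Table("\t")
    table.addRow("", "")
    table.addRow("pid", "process")
    table.addRow("----", "----------")
    for pid in sorted(processes):
        table.addRow(pid, processes[pid])

    logger.log_text(table.getOutput())


def _run_under_debugger(argv):
    """Start ``argv[0]`` with ``argv[1:]`` under the debugger and run until it exits."""
    debug = winappdbg.Debug()
    try:
        # execv takes the argument list and builds a correctly quoted command
        # line.  The original joined argv with spaces and used execl, which
        # mangled any path or argument that itself contains a space.
        my_process = debug.execv(argv)
        logger.log_text("Started %d - %s" %
                        (my_process.get_pid(), my_process.get_filename()))
        # Keep debugging until the debugger stops.
        debug.loop()
    finally:
        debug.stop()
        logger.log_text("Debugger stopped.")


def _attach_to_pid(pid):
    """Attach to the process with ``pid`` if it is running, and run the event loop."""
    system = winappdbg.System()
    if pid not in system.get_process_ids():
        logger.log_text("pid %d not found." % pid)
        return

    debug = winappdbg.Debug()
    try:
        # attach: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L219
        my_process = debug.attach(pid)
        logger.log_text("Attached to %d - %s" %
                        (my_process.get_pid(), my_process.get_filename()))
        debug.loop()
    finally:
        debug.stop()
        logger.log_text("Debugger stopped.")


def _attach_by_name(pname):
    """Attach to every running process whose image name matches ``pname``."""
    # https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py
    debug = winappdbg.Debug()
    try:
        debug.system.scan()
        for process, _name in debug.system.find_processes_by_filename(pname):
            logger.log_text("Found %d, %s" %
                            (process.get_pid(), process.get_filename()))
            debug.attach(process.get_pid())
            logger.log_text("Attached to %d-%s" %
                            (process.get_pid(), process.get_filename()))
        # As in the original, loop() is entered even when nothing matched --
        # presumably it returns at once with no debuggee (TODO confirm).
        debug.loop()
    finally:
        debug.stop()
        # Fix: the original used a bare print here, bypassing the log file.
        logger.log_text("Debugger stopped.")


def main():
    """Command-line front end.

    ``-r PATH [ARGS...]``, ``-pid N`` and ``-pname NAME`` are mutually
    exclusive; ``-i`` prints system information; ``-o FILE`` sends all output to
    a log file instead of stdout.  Exactly one action runs, in this order:
    run, sysinfo, attach-by-pid, attach-by-name; with none of them every
    running process is listed.
    """
    parser = argparse.ArgumentParser(description="WinAppDbg stuff.")
    # Make -r and -pid mutually exclusive
    group = parser.add_mutually_exclusive_group()
    group.add_argument("-r", "--run", nargs="+",
                       help="path to application followed by parameters")
    group.add_argument("-pid", "--attach-pid", type=int, dest="pid",
                       help="pid of process to attach and instrument")
    # Help text fixed: the original copy-pasted "pid of process ..." here.
    group.add_argument("-pname", "--attach-process-name", dest="pname",
                       help="name of process to attach and instrument")

    parser.add_argument("-i", "--sysinfo", action="store_true",
                        help="print system information")

    # Add optional log file
    parser.add_argument("-o", "--output", dest="output", help="log filename")

    args = parser.parse_args()

    # Setup logging
    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1766
    global logger
    if args.output:
        # verbose=False disables printing to stdout
        logger = winappdbg.Logger(args.output, verbose=False)
    else:
        logger = winappdbg.Logger()

    if args.run:
        # Use Win32 API functions provided by WinAppDbg
        if win32.PathFileExists(args.run[0]):
            _run_under_debugger(args.run)
        else:
            logger.log_text("%s not found." % args.run[0])
        return

    if args.sysinfo:
        _log_sysinfo()
        return

    # `is not None` rather than truthiness: the original's `if (args.pid)`
    # silently fell through to the process listing for -pid 0.
    if args.pid is not None:
        _attach_to_pid(args.pid)
        return

    if args.pname:
        _attach_by_name(args.pname)
        return

    # No action requested: list the running processes.
    _log_process_table()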
예제 #15
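def _print_sysinfo():
    """Print basic host and winappdbg facts as a tab-separated table."""
    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66
    system = winappdbg.System()

    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094
    table = winappdbg.Table("\t")
    table.addRow("", "")
    table.addRow("System Information", "")
    table.addRow("------------------")
    table.addRow("Bits", system.bits)
    table.addRow("OS", system.os)
    table.addRow("Architecture", system.arch)
    table.addRow("32-bit Emulation", system.wow64)
    table.addRow("Admin", system.is_admin())
    table.addRow("WinAppDbg", winappdbg.version)
    table.addRow("Process Count", system.get_process_count())

    print(table.getOutput())


def _print_process_table():
    """Print every running process as "pid<TAB>filename", sorted by pid."""
    # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes
    processes = dict((p.get_pid(), p.get_filename()) for p in winappdbg.System())

    table = winappdbg.Table("\t")
    table.addRow("", "")
    table.addRow("pid", "process")
    table.addRow("----", "----------")
    for pid in sorted(processes):
        table.addRow(pid, processes[pid])

    print(table.getOutput())


def _run_under_debugger(argv):
    """Start ``argv[0]`` with ``argv[1:]`` under the debugger and run until it exits."""
    debug = winappdbg.Debug()
    try:
        # execv takes the argument list and builds a correctly quoted command
        # line.  The original joined argv with spaces and used execl, which
        # mangled any path or argument that itself contains a space.
        my_process = debug.execv(argv)
        print("Started %d - %s" % (my_process.get_pid(),
                                   my_process.get_filename()))
        # Keep debugging until the debugger stops.
        debug.loop()
    finally:
        debug.stop()
        print("Debugger stopped.")


def main():
    """Command-line front end.

    ``-r PATH [ARGS...]`` runs PATH under the debugger; ``-i`` prints system
    information; with neither, every running process is listed.  ``-r`` takes
    precedence over ``-i``.
    """
    parser = argparse.ArgumentParser(description="WinAppDbg stuff.")
    parser.add_argument("-r", "--run", nargs="+",
                        help="path to application followed by parameters")
    parser.add_argument("-i", "--sysinfo", action="store_true",
                        help="print system information")

    args = parser.parse_args()

    if args.run:
        # Use Win32 API functions provided by WinAppDbg
        if win32.PathFileExists(args.run[0]):
            _run_under_debugger(args.run)
        else:
            print("%s not found." % args.run[0])
        return

    if args.sysinfo:
        _print_sysinfo()
        return

    # No action requested: list the running processes.
    _print_process_table()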
예제 #16
    def getProcess(self):
        system = winappdbg.System()

        for process in system:
            print process.get_pid(), process.get_filename()
            '''