def __init__(self): # store the allocations we find self.allocs = [] self.ret_addr = None self.bp_heap_alloc = None # offsets to these symbols via reversing # tested on FoxitReader.exe v9.0.1.1049 (sha1: a01a5bde0699abda8294d73544a1ec6b4115fa68) # you will need to update this on different versions self.__CIatan_pentium4 = 0x13dc840 self.__CIasin_pentium4 = 0x13dcb30 addr = self.get_address("FoxitReader!CertFreeCertificateChain") if addr is None: return # address offsets for later use self.asan_addr = (int(addr, 16) + self.__CIatan_pentium4) self.asin_addr = (int(addr, 16) + self.__CIasin_pentium4) print("(+) setting up __CIatan_pentium4 bp") self.bp_asan = pykd.setBp((int(addr, 16) + self.__CIatan_pentium4), self._cb_CIatan_pentium4) print("(+) setting up __CIasin_pentium4 bp") self.bp_asin = pykd.setBp((int(addr, 16) + self.__CIasin_pentium4), self._cb_CIasin_pentium4) self.bp_end_atan = None self.bp_end_asin = None pykd.go()
def _run(process_id, log_file): """ _run(process_id, log_file) -> None _run() takes the process_id of the process to attach to. The collected debugger data is saved to log_file. returns None """ with open(log_file, "w") as out_fp: out_fp.write("\nAttaching WinDBG debugger...\n") try: session_id = pykd.attachProcess(process_id) while True: pykd.go() if not pykd.getLastException().firstChance: break dbg_info = pykd.dbgCommand(".lastevent;r;k") if dbg_info is not None: out_fp.write("%s\n" % dbg_info) pykd.detachProcess(session_id) out_fp.write("Debugger detached.\n") except pykd.DbgException as dbg_e: out_fp.write("DbgException: %s\n" % dbg_e) except KeyboardInterrupt: pass
def run_until_crash(self): while True: if self._exception_handler.got_bp(): self.shell() # You can have crash while interacting with shell. if self._exception_handler.got_crash(): break pykd.go()
def main(init_sym, mem_limit, timeout): run_time = time.time() timeout = timeout + time.time() pykd.dbgCommand("bu %x" % sym_off_to_addr(init_sym)) page_size = get_page_size() pykd.go() target_pid = get_pid() pykd.removeBp(get_bp_hit()) pykd.dbgCommand("bm MSVCR*!malloc") pykd.dbgCommand("bm MSVCR*!realloc") pykd.dbgCommand("bm MSVCR*!calloc") log.debug("target pid: %d", target_pid) while time.time() < timeout: pykd.go() cur_mem = get_mem_usage(target_pid) if cur_mem >= mem_limit: log.info("missed request! current memory: %d", cur_mem) break req = requested_mem_size() if req == 0: log.info("unexpected break on: %s", get_current_stack()[0]) continue if req > page_size: if req % page_size: page_req = page_size * ((req / page_size) + 1) else: page_req = page_size * (req / page_size) else: page_req = page_size if cur_mem + page_req >= mem_limit: log.info("request will exceed limit, current: %d, request %d", cur_mem, req) break log.info("*" * 60) if time.time() < timeout: set_thread(get_hung_thread()) call_stack = get_current_stack() if not call_stack: log.info("Unable to trace!") for line in call_stack: log.info("STACK_FRAME:%s" % line) else: log.info("Timeout!") log.info("*" * 60) log.info("----- STATS -----") log.info("MEMORY LIMIT: %d MB", mem_limit / 0x100000) log.info("DGB TIME: %0.2f", time.time() - run_time) log.info("PROC TIME: %0.2f", get_proc_run_time()) log.info("THREAD TIME: %0.2f", get_thread_run_time(get_thread_list()[get_hung_thread()]))
def run_pykd(py, dll, output, align): cmd = [ sys.executable, py, f"--dll=\"{dll}\"", f"--output=\"{output}\"", f"--align=\"{align}\"", ] base = get_image_base(dll) breakpoints = {"yz1": [(0x10011270 - base, rewrite_filename)]} pykd.initialize() pykd.handler = EventHandler(breakpoints) pykd.startProcess(" ".join(str(x) for x in cmd)) pykd.go()
def _debug_server(self): ''' debugger thread ''' self._system_pid = None self.logger.info('Init pykd environment') pykd.initialize() try: # Start a new process for debugging argv = [self._process_path ] + self._process_args + self.process_data argv = ' '.join(argv) self.logger.debug('Debugger starting server: %s' % argv) try: self.logger.info('Start running program with cmd:"%s"' % argv) self.report.add('cmd', argv) self._pid = pykd.startProcess(argv) self._get_correct_process_id() self.logger.debug('Process started. pykd_pid=%d' % self._pid) self._process = pykd.getCurrentProcess() self.logger.debug('Process is %s' % hex(self._process)) except WindowsError: self.logger.error('debug_server received exception', traceback.fmt_exc()) # Get Process System ID self._wait_break() while self._system_pid is None: try: self._system_pid = pykd.getProcessSystemID(self._pid) self.logger.info('process system_id=%d' % self._system_pid) except Exception as err: self.logger.debug("Get system id fail because of: %s" % err) continue # Set break points if self._wait_break(): self.logger.info( "Server is in break status setting break points") for bp in self._break_points: pykd.setBp(bp) self.logger.info("Start register event handle") # This will register our handle handler = self._handler(self) self.logger.debug('Handler object is : %s' % handler) self.logger.info('Go !!!!!') pykd.go() except: self.logger.error('Got an exception in _debug_server') self.logger.error(traceback.format_exc())
def main(init_sym, mem_limit, timeout): run_time = time.time() timeout = timeout + time.time() pykd.dbgCommand("bu %x" % sym_off_to_addr(init_sym)) page_size = get_page_size() pykd.go() target_pid = get_pid() pykd.removeBp(get_bp_hit()) pykd.dbgCommand("bm MSVCR*!malloc") pykd.dbgCommand("bm MSVCR*!realloc") pykd.dbgCommand("bm MSVCR*!calloc") log.debug("target pid: %d", target_pid) while time.time() < timeout: pykd.go() cur_mem = get_mem_usage(target_pid) if cur_mem >= mem_limit: log.info("missed request! current memory: %d", cur_mem) break req = requested_mem_size() if req == 0: log.info("unexpected break on: %s", get_current_stack()[0]) continue if req > page_size: if req % page_size: page_req = page_size * ((req/page_size)+1) else: page_req = page_size * (req/page_size) else: page_req = page_size if cur_mem + page_req >= mem_limit: log.info("request will exceed limit, current: %d, request %d", cur_mem, req) break log.info("*" * 60) if time.time() < timeout: set_thread(get_hung_thread()) call_stack = get_current_stack() if not call_stack: log.info("Unable to trace!") for line in call_stack: log.info("STACK_FRAME:%s" % line) else: log.info("Timeout!") log.info("*" * 60) log.info("----- STATS -----") log.info("MEMORY LIMIT: %d MB", mem_limit/0x100000) log.info("DGB TIME: %0.2f", time.time()-run_time) log.info("PROC TIME: %0.2f", get_proc_run_time()) log.info("THREAD TIME: %0.2f", get_thread_run_time(get_thread_list()[get_hung_thread()]))
def Monitor(): print "[*] Attaching to TaniumReceiver.exe" process = filter(lambda p: p.name() == "TaniumReceiver.exe", psutil.process_iter()) for process_id in process: print "[*] PID: %s" % process_id.pid pykd.initialize() Handler = ExceptionHandler() try: pykd.attachProcess(process_id.pid) except: print "[!] Error attaching to process" sys.exit(1) print "[*] Success!" pykd.go()
def Monitor(): testcase = "Testcases\\Test.txt" try: pykd.initialize() Handler = ExceptionHandler() print "[*] Starting Scan64.exe" pykd.startProcess( "C:\\Program Files (x86)\\McAfee\\VirusScan Enterprise\\x64\\Scan64.Exe " + testcase) pykd.dbgCommand(".childdbg 1") except: print "[!] Error starting process" sys.exit(1) print "[*] Success!" pykd.go()
def __init__(self): self.instruction_list = [] if DEBUG: print("[+] Acquiring assembly code...") print(f" [=] Setting breakpoint at {hex(shellcodeAddress)}") self.bp = pykd.setBp(shellcodeAddress, self.acquire_next_instruction) while True: try: pykd.go() except: break if DEBUG: print("[+] Finished getting assembly!") self.instruction_list = self.instruction_list[len(lengthInstruction.split("\n")):]
def main(): pykd.initialize() pykd.handler = ExceptionHandler() pykd.startProcess("hello.exe") targetModule = pykd.module("hello") targetModule.reload() breakCount = callCounter() b1 = pykd.setBp(targetModule.offset('add'), breakCount) # The b1 cannot be commented print "There is %d breakpoint" % pykd.getNumberBreakpoints() pykd.go() print breakCount.count targetModule = None pykd.killAllProcesses()
def testRemoveAllBp(self): bp1 = pykd.setBp(self.targetModule.CdeclFunc) bp2 = pykd.setBp(self.targetModule.CdeclFunc + 1) bp3 = pykd.setBp(self.targetModule.CdeclFunc + 2) self.assertEqual(3, pykd.getNumberBreakpoints()) pykd.removeAllBp() self.assertEqual(0, pykd.getNumberBreakpoints()) self.assertEqual(pykd.executionStatus.NoDebuggee, pykd.go())
def testSecondChance(self): class ExceptionHandler(pykd.eventHandler): def __init__(self): pykd.eventHandler.__init__(self) def onException(self, exceptInfo): self.exceptInfo = exceptInfo return pykd.eventResult.Proceed processId = pykd.startProcess(target.appPath + " exception") with testutils.ContextCallIt( testutils.KillProcess(processId)) as killStartedProcess: exceptionHandler = ExceptionHandler() self.assertEqual(pykd.Break, pykd.go()) self.assertEqual(True, exceptionHandler.exceptInfo.firstChance) self.assertEqual(pykd.Break, pykd.go()) self.assertEqual(False, exceptionHandler.exceptInfo.firstChance)
def _debug_server(self): ''' debugger thread ''' self._system_pid = None self.logger.info('Init pykd environment') pykd.initialize() try: # Start a new process for debugging argv = [self._process_path] + self._process_args + self.process_data argv = ' '.join(argv) self.logger.debug('Debugger starting server: %s' % argv) try: self.logger.info('Start running program with cmd:"%s"' % argv) self.report.add('cmd', argv) self._pid = pykd.startProcess(argv) self._get_correct_process_id() self.logger.debug('Process started. pykd_pid=%d' % self._pid) self._process = pykd.getCurrentProcess() self.logger.debug('Process is %s' % hex(self._process)) except WindowsError: self.logger.error('debug_server received exception', traceback.fmt_exc()) # Get Process System ID self._wait_break() while self._system_pid is None: try: self._system_pid = pykd.getProcessSystemID(self._pid) self.logger.info('process system_id=%d' % self._system_pid) except Exception as err: self.logger.debug("Get system id fail because of: %s" % err) continue # Set break points if self._wait_break(): self.logger.info("Server is in break status setting break points") for bp in self._break_points: pykd.setBp(bp) self.logger.info("Start register event handle") # This will register our handle handler = self._handler(self) self.logger.debug('Handler object is : %s' % handler) self.logger.info('Go !!!!!') pykd.go() except: self.logger.error('Got an exception in _debug_server') self.logger.error(traceback.format_exc())
def testException(self): """Start new process and track exceptions""" _locProcessId = pykd.startProcess(target.appPath + " -testChangeStatus") with testutils.ContextCallIt( testutils.KillProcess(_locProcessId)) as killStartedProcess: pykd.go() #skip initial break statusChangeHandler = StatusChangeHandler() self.assertRaises(pykd.WaitEventException, testutils.infGo) self.assertEqual(2, statusChangeHandler.breakCount) self.assertEqual(1, statusChangeHandler.noDebuggee) self.assertEqual( statusChangeHandler.breakCount + statusChangeHandler.noDebuggee, statusChangeHandler.goCount)
def run(self): self.winBr.initLog() self.winBr.dbiprintf("< WinDbg DBI >") if self.winBr.getImageInfo() != 0: self.winBr.dbiprintf( "[!] Check the symbol path ( Recommended : %s )" % self.symPath) return 1 if self.winBr.getSectionInfo() != 0: return 2 if self.winBr.procImageBase != -1 and self.winBr.procImageEnd != -1 and self.winBr.procImageSize != 0: memBpHandler = MemBpHandler(self.lObfusMem, self.winBr) memBpHandler.forceSetIat(self.winBr.procImageBase + 0x2000, 0xa00) # IAT memBpHandler.forceSetCode(self.winBr.lSection[1][0], self.winBr.lSection[1][3]) handler_AllocateVirtualMemory = Handler_AllocateVirtualMemory( self.lObfusMem, self.winBr, memBpHandler) handler_FreeVirtualMemory = Handler_FreeVirtualMemory( self.lObfusMem, self.winBr, memBpHandler) pykd.go() self.winBr.dbiprintf("[!] PYKD retake the control") self.patchCall(memBpHandler.lIatCodePatch) self.winBr.dbiprintf("[+] Dump %d sections" % self.maxDumpSectionNum) for i in range(self.maxDumpSectionNum): s = self.winBr.lSection[i] self.dumpMemory(self.dumpPath, s[0], s[3]) self.rebuild(self.dumpPath) self.winBr.dbiprintf("[!] PE info") self.winBr.dbiprintf(" -> OEP : 0x%08x ( 0x%08x + 0x%08x )" % (memBpHandler.oep, self.winBr.procImageBase, memBpHandler.oep - self.winBr.procImageBase)) self.winBr.dbiprintf( " -> IAT : 0x%08x ( 0x%08x + 0x%08x )" % (memBpHandler.pIatBase, self.winBr.procImageBase, memBpHandler.pIatBase - self.winBr.procImageBase)) self.winBr.dbiprintf(" -> IAT size : 0x%08x" % (memBpHandler.sizeIat)) return 0
def testLoadUnload(self): """Start new process and track loading and unloading modules""" pykd.startProcess(target.appPath + " loadunloadmodule") with testutils.ContextCallIt(pykd.killProcess) as contextCallIt: pykd.go() # skip initail break modLoadHandler = ModuleLoadHandler("ws2_32*") pykd.go() #with testutils.ContextCallIt( getattr(modLoadHandler, "reset") ) as resetEventHandler: # try: # while True: # pykd.go() # except pykd.WaitEventException: # pass self.assertTrue(modLoadHandler.wasLoad) self.assertTrue(modLoadHandler.wasUnload)
def testException(self): """Start new process and track exceptions""" _locProcessId = pykd.startProcess(target.appPath + " -testExceptions") with testutils.ContextCallIt( testutils.KillProcess(_locProcessId)) as killStartedProcess: exceptionHandler = ExceptionHandler() while not exceptionHandler.accessViolationOccured: pykd.go() self.assertEqual(pykd.lastEvent(), pykd.eventType.Exception) self.assertTrue(exceptionHandler.accessViolationOccured) self.assertEqual(exceptionHandler.param0, 1) # write self.assertEqual(exceptionHandler.param1, 2) # addr exceptInfo = pykd.lastException() self.assertEqual(exceptInfo.ExceptionCode, 0xC0000005) self.assertEqual(exceptionHandler.param0, exceptInfo.Parameters[0]) self.assertEqual(exceptionHandler.param1, exceptInfo.Parameters[1])
def InitTracer(): global DriverObject global ImageBase global NtImageEnd NtModule = pykd.module("nt") NtImageBase = NtModule.begin() NtImageEnd = NtModule.end() pykd.dbgCommand("ba e1 IopLoadDriver+4bd") pykd.dbgCommand("ba e1 IopLoadDriver+4c2") pykd.go() while(1): regPath = pykd.dbgCommand("du /c40 @rdx+10") if "VmpDriver.vmp" in regPath: print "[*] Find VMP Driver" DriverObject = pykd.reg("rcx") print "\t[-] Driver Object : 0x{:X}".format(DriverObject) ImageBase =pykd.ptrPtr(DriverObject+0x18) # DriverObject.DriverStart print "\t[-] ImageBase Address : 0x{:X}".format(ImageBase) VMPTracingSub.GetSectionInfo(ImageBase) EntryPoint = ImageBase + VMPTracingSub.EntryPoint_Off strEntryPoint = hex(EntryPoint).rstrip("L") pykd.dbgCommand("ba e1 "+strEntryPoint) pykd.go() pykd.dbgCommand("bc 2") return pykd.go()
def find_next_sym(next_bp, prev_bp, timeout): iters = 100 found_sym = False sample_time = 0 set_bp(next_bp, 0, 1) set_bp(prev_bp, 1, iters) while not is_complete(): pykd.go() curr_bp = get_bp_hit() target_time = get_proc_run_time() log.debug("target time %0.2f", target_time) if curr_bp == 1: if target_time >= timeout: break iter_duration = target_time - sample_time if iter_duration < 0.5: # optimization if iters < 25600: iters *= 2 log.debug("iter duration: %0.2f, (x2) prev_bp iters: %d", iter_duration, iters) elif iter_duration >= 0.5 and iter_duration < 0.85: # optimization iters += 100 log.debug("iter duration: %0.2f, (+100) prev_bp iters: %d", iter_duration, iters) set_bp(prev_bp, 1, iters) elif curr_bp == 0: found_sym = True break else: log.debug("break not triggered by breakpoint") if pykd.dbgCommand(".lastevent").find( "(!!! second chance !!!)") != -1: raise RuntimeError("Expected Timeout found Access violation!") sample_time = target_time pykd.removeBp(1) pykd.removeBp(0) return found_sym
def testBreakpointCondition2(self): def makebpcallback(n): def bpcallback(): if pykd.getParam("b") > n: return pykd.eventResult.Break return pykd.eventResult.Proceed return bpcallback bp = pykd.setBp( self.targetModule.typedVar("CdeclFunc").getDebugStart(), makebpcallback(100)) self.assertEqual(pykd.executionStatus.NoDebuggee, pykd.go())
def Monitor(self): Generator = TestcaseGenerator() Generator.CheckDir() pykd.initialize() Handler = ExceptionHandler() testcase = os.listdir("Queue")[0] try: print "[*] Starting Scan64.exe" pykd.startProcess("C:\\Program Files (x86)\\McAfee\\VirusScan Enterprise\\x64\\Scan64.Exe " + testcase) pykd.dbgCommand(".childdbg 1") except: print "[!] Error starting process" sys.exit(1) try: while Handler.keep_running: self.GetProcess() # Get PID print "[*] Attaching Debugger" print "[*] Success!" pykd.go() print "[*] Killing pykd..." pykd.killAllProcesses() finally: return
def testBreakpointHandler(self): class BreakpointHandler(pykd.eventHandler): def __init__(self): super(BreakpointHandler, self).__init__() self.count = 0 def onBreakpoint(self, bpid_): self.count = self.count + 1 return True handler = BreakpointHandler() bp = pykd.setBp(self.targetModule.CdeclFunc) self.assertEqual(pykd.executionStatus.Break, pykd.go()) self.assertEqual(1, handler.count)
def testBreakpointClass(self): class MyBreakpoint(pykd.breakpoint): def __init__(self, offset): super(MyBreakpoint, self).__init__(offset) self.count = 0 def onHit(self): self.count = self.count + 1 return True bp = MyBreakpoint( self.targetModule.typedVar("CdeclFunc").getDebugStart()) self.assertEqual(pykd.executionStatus.Break, pykd.go()) self.assertEqual(1, bp.count)
def find_next_sym(next_bp, prev_bp, timeout): iters = 100 found_sym = False sample_time = 0 set_bp(next_bp, 0, 1) set_bp(prev_bp, 1, iters) while not is_complete(): pykd.go() curr_bp = get_bp_hit() target_time = get_proc_run_time() log.debug("target time %0.2f", target_time) if curr_bp == 1: if target_time >= timeout: break iter_duration = target_time - sample_time if iter_duration < 0.5: # optimization if iters < 25600: iters *= 2 log.debug("iter duration: %0.2f, (x2) prev_bp iters: %d", iter_duration, iters) elif iter_duration >= 0.5 and iter_duration < 0.85: # optimization iters += 100 log.debug("iter duration: %0.2f, (+100) prev_bp iters: %d", iter_duration, iters) set_bp(prev_bp, 1, iters) elif curr_bp == 0: found_sym = True break else: log.debug("break not triggered by breakpoint") if pykd.dbgCommand(".lastevent").find("(!!! second chance !!!)") != -1: raise RuntimeError("Expected Timeout found Access violation!") sample_time = target_time pykd.removeBp(1) pykd.removeBp(0) return found_sym
def testExceptionHandler(self): class ExceptionHandler(pykd.eventHandler): def __init__(self): pykd.eventHandler.__init__(self) def onException(self, exceptInfo): self.exceptInfo = exceptInfo return pykd.eventResult.Break processId = pykd.startProcess(target.appPath + " exception") with testutils.ContextCallIt( testutils.KillProcess(processId)) as killStartedProcess: exceptionHandler = ExceptionHandler() self.assertEqual(pykd.Break, pykd.go()) self.assertEqual(0xC0000005, exceptionHandler.exceptInfo. exceptionCode) #0xC0000005 = Access violation
def testLocalVariable(self): """Start new process and test local variables""" _locProcessId = pykd.startProcess(target.appPath + " -testEnumWindows") with testutils.ContextCallIt( testutils.KillProcess(_locProcessId)) as killStartedProcess: pykd.go() # initial breakpoint -> wmain pykd.go() # wmain -> targetapp!EnumWindowsProc1 testEnumWindowsProc1Locals(self, pykd.getLocals()) pykd.go( ) # targetapp!EnumWindowsProc1 -> targetapp!functionCalledFromEnumWindowsProc1 testEnumWindowsProc1Locals(self, pykd.getStack()[1].locals) pykd.go( ) # targetapp!EnumWindowsProc1 -> targetapp!EnumWindowsProc2 locals = pykd.getLocals() self.assertEqual(len(locals), 2) self.assertTrue(locals[0] == 7 or locals[1] == 7) funcParams = pykd.getParams() self.assertEqual(len(funcParams), 2) self.assertTrue(funcParams[0] == 7 or funcParams[1] == 7)
def setUp(self): self.processId = pykd.startProcess(target.appPath + " stacktest") pykd.go() # skip initial breakpoint
def run(self): if self.timeout != 0: self.timer = Timer(self.timeout, self.timeout_func) self.timer.start() self.do_stop = False self.id = pykd.startProcess(self.program, debugChildren=True) while not self.handler.exception_occurred and not self.do_stop: try: pykd.go() except: break if self.do_stop: try: pykd.dbgCommand(".kill") except: log("Exception killing target: %s" % str(sys.exc_info()[1])) return None if self.timer is not None: self.timer.cancel() ret = None if self.handler.exception_occurred: stack_trace = pykd.dbgCommand("k") registers = pykd.dbgCommand("r") exploitable = None msec_path = None if self.exploitable_path is None: if self.mode == 32: msec_path = os.path.join(self.windbg_path, r"Debuggers\x86\winext") elif self.mode == 64: msec_path = os.path.join(self.windbg_path, r"Debuggers\x64\winext") elif self.mode == "arm": msec_path = os.path.join(self.windbg_path, r"Debuggers\arm\winext") else: raise Exception("Unknown mode %s, known ones are 32, 64 or 'arm'." % self.mode) else: msec_path = self.exploitable_path print msec_path if msec_path is not None: full_msec_path = os.path.join(msec_path, r"msec.dll") print full_msec_path if os.path.exists(full_msec_path): print "bai?" os.chdir(msec_path) msec_handle = pykd.loadExt(full_msec_path) commandOutput = pykd.callExt(msec_handle, "exploitable", "") exploitable = commandOutput print "exploitable?", exploitable ret = self.create_crash_data(registers, stack_trace, exploitable) print pykd.dbgCommand("k 8") print pykd.dbgCommand("r") print exploitable crash_data_buf = self.crash_data.dump_json() ret = self.crash_data.dump_dict() print print "Yep, we got a crash! \o/" print return ret
self.out += hex(pykd.reg("r9")) + ") = " if self.bp_end == None: disas = pykd.dbgCommand("uf ntdll!RtlReAllocateHeap").split( '\n') for i in disas: if 'ret' in i: self.ret_addr = i.split()[0] break self.bp_end = pykd.setBp(pykd.expr(self.ret_addr), self.return_call_back) return False def return_call_back(self): log.write(self.out + hex(pykd.reg(return_reg)) + "\n") return False log = open(home + "\log.log", "w+") try: pykd.reg("rax") except: arch_bits = 32 return_reg = "eax" stack_pointer = "esp" handle_allocate_heap() handle_free_heap() handle_realloc_heap() pykd.go()
def run(self): while not self._event_handler.exceptionOccurred(): pykd.go() self._logger.debug("Crash occurred") self._crash_occurred = True
return None if result_count > 1: print "[-] Warning, more than one result for", localAddr return res.split()[0] class handle_allocate_heap(pykd.eventHandler): def __init__(self): addr = get_address("ntdll!RtlAllocateHeap") if addr == None: return self.bp_init = pykd.setBp(int(addr, 16), self.enter_call_back) self.bp_end = None def enter_call_back(self,bp): print "RtlAllocateHeap called." if self.bp_end == None: disas = pykd.dbgCommand("uf ntdll!RtlAllocateHeap").split('\n') for i in disas: if 'ret' in i: self.ret_addr = i.split()[0] break self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back) return False def return_call_back(self,bp): print "RtlAllocateHeap returned." return False handle_allocate_heap() pykd.go()
def go(self): pykd.go()
def run(self): if self.timeout != 0: self.timer = Timer(self.timeout, self.timeout_func) self.timer.start() self.do_stop = False self.id = pykd.startProcess(self.program, debugChildren=True) if self.handler is None: self.handler = ExceptionHandler() while not self.handler.exception_occurred and not self.do_stop: try: pykd.go() except: break if self.do_stop: try: pykd.dbgCommand(".kill") except: log("Exception killing target: %s" % str(sys.exc_info()[1])) return None if self.timer is not None: self.timer.cancel() ret = None if self.handler.exception_occurred: tmp = pykd.dbgCommand("k 1") if tmp.find("Wow64NotifyDebugger") > -1: pykd.dbgCommand(".effmach x86") stack_trace = pykd.dbgCommand("k") registers = pykd.dbgCommand("r") exploitable = None msec_path = None if self.exploitable_path is None: if self.mode == 32: msec_path = os.path.join(self.windbg_path, r"Debuggers\x86\winext") elif self.mode == 64: msec_path = os.path.join(self.windbg_path, r"Debuggers\x64\winext") elif self.mode == "arm": msec_path = os.path.join(self.windbg_path, r"Debuggers\arm\winext") else: raise Exception( "Unknown mode %s, known ones are 32, 64 or 'arm'." % self.mode) else: msec_path = self.exploitable_path if msec_path is not None: full_msec_path = os.path.join(msec_path, r"msec.dll") if os.path.exists(full_msec_path): try: msec_handle = pykd.loadExt(full_msec_path) commandOutput = pykd.callExt(msec_handle, "exploitable", "") exploitable = commandOutput except: log("Error loading extension: " + str(sys.exc_info()[1])) try: if self.minidump_path is not None: pykd.dbgCommand(r".dump /m /u %s\\" % self.minidump_path) log("*** Minidump written at %s" % self.minidump_path) except: log("!!! Error saving minidump:" + str(sys.exc_info()[1])) ret = self.create_crash_data(registers, stack_trace, exploitable) print pykd.dbgCommand("k 10") print pykd.dbgCommand("r") print exploitable crash_data_buf = self.crash_data.dump_json() ret = self.crash_data.dump_dict() print print "Yep, we got a crash! \o/" print return ret
def run(self): if self.timeout != 0: self.timer = Timer(self.timeout, self.timeout_func) self.timer.start() self.do_stop = False self.id = pykd.startProcess(self.program, debugChildren=True) if self.handler is None: self.handler = ExceptionHandler() while not self.handler.exception_occurred and not self.do_stop: try: pykd.go() except: break if self.do_stop: try: pykd.dbgCommand(".kill") except: log("Exception killing target: %s" % str(sys.exc_info()[1])) return None if self.timer is not None: self.timer.cancel() ret = None if self.handler.exception_occurred: tmp = pykd.dbgCommand("k 1") if tmp.find("Wow64NotifyDebugger") > -1: pykd.dbgCommand(".effmach x86") stack_trace = pykd.dbgCommand("k") registers = pykd.dbgCommand("r") exploitable = None msec_path = None if self.exploitable_path is None: if self.mode == 32: msec_path = os.path.join(self.windbg_path, r"Debuggers\x86\winext") elif self.mode == 64: msec_path = os.path.join(self.windbg_path, r"Debuggers\x64\winext") elif self.mode == "arm": msec_path = os.path.join(self.windbg_path, r"Debuggers\arm\winext") else: raise Exception("Unknown mode %s, known ones are 32, 64 or 'arm'." % self.mode) else: msec_path = self.exploitable_path if msec_path is not None: full_msec_path = os.path.join(msec_path, r"msec.dll") if os.path.exists(full_msec_path): try: msec_handle = pykd.loadExt(full_msec_path) commandOutput = pykd.callExt(msec_handle, "exploitable", "") exploitable = commandOutput except: log("Error loading extension: " + str(sys.exc_info()[1])) try: if self.minidump_path is not None: pykd.dbgCommand(r".dump /m /u %s\\" % self.minidump_path) log("*** Minidump written at %s" % self.minidump_path) except: log("!!! Error saving minidump:" + str(sys.exc_info()[1])) ret = self.create_crash_data(registers, stack_trace, exploitable) print pykd.dbgCommand("k 10") print pykd.dbgCommand("r") print exploitable crash_data_buf = self.crash_data.dump_json() ret = self.crash_data.dump_dict() print print "Yep, we got a crash! \o/" print return ret
def testStart(self): target.processId = pykd.startProcess( target.appPath ) target.module = pykd.module( target.moduleName ) target.module.reload(); # print "\n" + str( pykd.getSystemVersion() ) pykd.go()