Exemplo n.º 1
0
def DebugProgram(filepath):
	#Instance a Debug object.
	debug_args = list()
	debug_args.insert(0,PROGRAM_PATH)
	debug_args.insert(len(debug_args),filepath)

	debug = Debug(AccessViolationHandlerWINAPPDBG, bKillOnExit = True)
	#debug.system.load_dbghelp("C:\\Program Files\\Debugging Tools for Windows (x86)\\dbghelp.dll")
	System.fix_symbol_store_path(symbol_store_path = "C:\\ProgramData\\Dbg\\sym",remote = True,force = True) #enter local symbol path here if you have downloaded symbols
	System.set_kill_on_exit_mode(True)
	try:
		 # The execution time limit is 5 seconds.
		maxTime = time() + 5
		# Start a new process for debugging.
		debug.execv(debug_args)

		# Wait for the debugee to finish.
		#debug.loop()
		 # Loop while calc.exe is alive and the time limit wasn't reached.
		while debug and time() < maxTime:
			try:

				# Get the next debug event.
				debug.wait(1000)  # 1 second accuracy

				# Show the current time on screen.
				#print time()

			# If wait() times out just try again.
			# On any other error stop debugging.
			except WindowsError, e:
				if e.winerror in (win32.ERROR_SEM_TIMEOUT,
								  win32.WAIT_TIMEOUT):
					continue
				raise

			# Dispatch the event and continue execution.
			try:
				debug.dispatch()
			finally:
				debug.cont()
		# Stop the debugger.
	finally:
		debug.stop()
Exemplo n.º 2
0
        version = versions[hashlib.md5(file(
            path, "rb").read()).hexdigest()]  #raise if version not supported

    print "Adobe Reader X %s" % version
    semantics = semantics[version]

    #Run the reader!
    debug.execl(path)
    debug.pmf = pmf
    broker = Process(debug.get_debugee_pids()[0])
    print "Broker PID: %d" % broker.get_pid()

    # Loop while calc.exe is alive and the time limit wasn't reached.
    while debug:
        # Get the next debug event.
        event = debug.wait()

        # Dispatch the event and continue execution.
        try:
            debug.dispatch(event)
            # add breakpoint when acrord32 gets loaded
            if event.get_event_code() == 3:
                process = event.get_process()
                base_address = event.get_image_base()
                print "AcroRd32 Main module found at %08x" % base_address

                # Hint: Use the string "Check failed: policy_." to hunt
                # the function that adds a new policy
                breakpoint_offsets = {
                    "10.1.3": 0x21260,
                    "10.1.4": 0x21630,
Exemplo n.º 3
0
class WinBasic:
	debugger = None
	mainProc = None
	alwaysCatchExceptions=[win32.STATUS_ACCESS_VIOLATION, win32.STATUS_ILLEGAL_INSTRUCTION, win32.STATUS_ARRAY_BOUNDS_EXCEEDED]
	
	def __init__(self, killOnExit = True):
		self.debugger = Debug(bKillOnExit = killOnExit)
		self.mainProcs = []
		
		
	def run(self, executable, children = True):
		tmp = self.debugger.execv(executable, bFollow = children )
		self.mainProcs.append(tmp)
		return tmp.get_pid()
		
		
	def attachPid(self, pid):	
		self.mainProcs.append(self.debugger.attach(pid))
		

	def attachImg(self, img):	
		self.debugger.system.scan_processes()
		for ( process, name ) in self.debugger.system.find_processes_by_filename( img ):
			self.attachPid(process.get_pid())		
				
	def close(self, kill = True, taskkill = True, forced = True):	
		pids = self.debugger.get_debugee_pids()
		
		self.debugger.detach_from_all( True )	
		for pid in pids:				
			if kill:
				try:
					proc = self.debugger.system.get_process(pid)
					proc.kill()
				except:
					pass
			
			#Taskkill
			if taskkill and not forced:
				subprocess.call(["taskkill", "/pid", str(pid)], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
			if taskkill and forced:
				subprocess.call(["taskkill", "/f", "/pid", str(pid)], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
				
				
	def waitForCrash(self, waitTime = 4, checkAlive = False):
		event = None
		endDebuging = False
		endTime = time() + waitTime
		
		while time() < endTime:
			if checkAlive:
				for proc in self.mainProcs:
					if not proc.is_alive():
						return None
		
			try:
				event = self.debugger.wait(1000)
			except WindowsError, e:
				if e.winerror in (win32.ERROR_SEM_TIMEOUT, win32.WAIT_TIMEOUT):
					continue
				raise
			
			crash = self.handler(event)
			if crash != None:			
				return crash
			else:
				try:
					self.debugger.dispatch()
				except:
					pass
				finally:
					self.debugger.cont()
		return None
Exemplo n.º 4
0
class WinBasic:
    debugger = None
    mainProc = None
    alwaysCatchExceptions = [
        win32.STATUS_ACCESS_VIOLATION,
        win32.STATUS_ILLEGAL_INSTRUCTION,
        win32.STATUS_ARRAY_BOUNDS_EXCEEDED,
    ]

    def __init__(self, killOnExit=True):
        self.debugger = Debug(bKillOnExit=killOnExit)
        self.mainProcs = []

    def run(self, executable, children=True):
        tmp = self.debugger.execv(executable, bFollow=children)
        self.mainProcs.append(tmp)
        return tmp.get_pid()

    def attachPid(self, pid):
        self.mainProcs.append(self.debugger.attach(pid))

    def attachImg(self, img):
        self.debugger.system.scan_processes()
        for (process, name) in self.debugger.system.find_processes_by_filename(img):
            self.attachPid(process.get_pid())

    def close(self, kill=True, taskkill=True, forced=True):
        pids = self.debugger.get_debugee_pids()

        self.debugger.detach_from_all(True)
        for pid in pids:
            if kill:
                try:
                    proc = self.debugger.system.get_process(pid)
                    proc.kill()
                except:
                    pass

                    # Taskkill
            if taskkill and not forced:
                subprocess.call(["taskkill", "/pid", str(pid)], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            if taskkill and forced:
                subprocess.call(["taskkill", "/f", "/pid", str(pid)], stdout=subprocess.PIPE, stderr=subprocess.PIPE)

    def waitForCrash(self, waitTime=4, checkAlive=False):
        event = None
        endDebuging = False
        endTime = time() + waitTime

        while time() < endTime:
            if checkAlive:
                for proc in self.mainProcs:
                    if not proc.is_alive():
                        return None

            try:
                event = self.debugger.wait(1000)
            except WindowsError, e:
                if e.winerror in (win32.ERROR_SEM_TIMEOUT, win32.WAIT_TIMEOUT):
                    continue
                raise

            crash = self.handler(event)
            if crash != None:
                return crash
            else:
                try:
                    self.debugger.dispatch()
                except:
                    pass
                finally:
                    self.debugger.cont()
        return None
Exemplo n.º 5
0
class Coverage:
    verbose = False
    bbFiles = {}
    bbFilesBreakpints = []
    bbFilesData = {}
    bbOriginalName = {}
    modules = []
    fileOutput = None

    #Construct
    def __init__(self):
        self.debugger = Debug(bKillOnExit=True)

    def setVerbose(self, val):
        self.verbose = val

    #cuts after .
    def cutDot(self, input):
        if input.find(".") == -1:
            return input
        return input[0:input.find(".")]

    #load basic blocks
    def loadBB(self, baseBbDir):
        self.bbFiles = {}
        count = 0
        for bbFile in os.listdir(baseBbDir):
            f = open(baseBbDir + "/" + bbFile, "r")
            fname = f.readline().strip().lower()
            fnameOrig = fname
            if ".dll" not in fname and ".exe" not in fname:  #Stupid hack to avoid problems in loading libs with other extensions then .dll
                fname = self.cutDot(fname) + ".dll"
            self.bbOriginalName[fname] = fnameOrig
            self.bbFiles[fname] = count
            self.bbFilesBreakpints.append({})
            rvaHighest = 0
            for line in f:
                rva = int(line[0:8], 16)
                val = int(line[18:20], 16)
                self.bbFilesBreakpints[count][rva] = val
                if rva > rvaHighest:
                    rvaHighest = rva
            self.bbFilesData[fname] = [rvaHighest + 10, count]
            if self.verbose:
                print "Loaded breakpoints for %s with index %02X" % (fname,
                                                                     count)
            count += 1
            f.close()

    #Register module (original exe image or dll)
    def registerModule(self, filename, baseaddr):
        filename = filename.lower()
        if ".dll" not in filename and ".exe" not in filename:  #Stupid hack to avoid problems in loading libs with other extensions then .dll
            filename = self.cutDot(filename) + ".dll"
        if filename not in self.bbFiles:
            return
        if self.verbose:
            print "  Image %s has breakpoints defined" % filename
        self.modules.append([
            baseaddr, baseaddr + self.bbFilesData[filename][0],
            self.bbFilesData[filename][1]
        ])
        if self.verbose:
            print "  Image has breakpoints from %08X to %08X with index %02X" % (
                baseaddr, baseaddr + self.bbFilesData[filename][0],
                self.bbFilesData[filename][1])

    #Handle a breakpoint
    def breakpoint(self, location):
        index = None
        for i in xrange(len(self.modules)):
            if location >= self.modules[i][0] and location <= self.modules[i][
                    1]:
                index = i
                break
        if index == None:
            return None
        rva = location - self.modules[index][0]
        index = self.modules[index][2]
        if rva not in self.bbFilesBreakpints[index]:
            return None
        self.fileOutput.write("%02X|%08X\n" % (index, rva))
        return self.bbFilesBreakpints[index][rva]

    def startFileRec(self, filename):
        self.modules = []
        self.fileOutput = open(filename, "w")
        for image in self.bbFiles:
            self.fileOutput.write(
                "%s|%02X\n" %
                (self.bbOriginalName[image], self.bbFiles[image]))

    def endFileRec(self):
        self.fileOutput.close()

    #Start program
    def start(self, execFile, waitTime=6, recFilename="output.txt", kill=True):
        self.startFileRec(recFilename)
        mainProc = self.debugger.execv(execFile, bFollow=True)
        event = None
        endTime = time() + waitTime
        while time() < endTime:
            if not mainProc.is_alive():
                break
            try:
                event = self.debugger.wait(1000)
            except WindowsError, e:
                if e.winerror in (win32.ERROR_SEM_TIMEOUT, win32.WAIT_TIMEOUT):
                    continue
                raise

            if event.get_event_code() == win32.LOAD_DLL_DEBUG_EVENT:
                module = event.get_module()
                if self.verbose:
                    print "DLL %s loaded on base %08X" % (module.get_name(),
                                                          module.get_base())
                self.registerModule(
                    self.cutDot(module.get_name()) + ".dll", module.get_base())
            elif event.get_event_code() == win32.CREATE_PROCESS_DEBUG_EVENT:
                tmp = event.get_filename().split("\\")
                modName = tmp[len(tmp) - 1]
                if self.verbose:
                    print "Process %s loaded on base %08X" % (
                        modName, event.raw.u.CreateProcessInfo.lpBaseOfImage)
                self.registerModule(
                    modName, event.raw.u.CreateProcessInfo.lpBaseOfImage)
            elif event.get_event_code(
            ) == win32.EXCEPTION_DEBUG_EVENT and event.get_exception_code(
            ) == win32.STATUS_BREAKPOINT:
                pc = event.get_thread().get_pc() - 1
                val = self.breakpoint(pc)
                if val != None:
                    event.get_process().write(pc, chr(val))
                    event.get_thread().set_pc(pc)
                    endTime = time() + waitTime

            try:
                self.debugger.dispatch()
            except:
                pass
            finally:
                self.debugger.cont()
        self.endFileRec()
        if kill:
            self.kill()
Exemplo n.º 6
0
class Coverage:
	verbose = False
	bbFiles = {}
	bbFilesBreakpints = []
	bbFilesData = {}
	bbOriginalName = {}
	modules = []
	fileOutput = None
		
	#Construct
	def __init__(self):
		self.debugger = Debug( bKillOnExit = True )
		
	def setVerbose(self, val):
		self.verbose = val
		
	#cuts after .
	def cutDot(self, input):
		if (input.find(".") == -1):
			return input
		return input[0:input.find(".")]

	#load basic blocks
	def loadBB(self, baseBbDir):
		self.bbFiles = {}
		count = 0
		print "baseBbDir:"+baseBbDir
		for bbFile in os.listdir(baseBbDir):
			print "bbFile:" + bbFile
			f = open(baseBbDir + "/" + bbFile, "r")
			fname = f.readline().strip().lower()
			#fname = f.readline().strip()
			fnameOrig = fname
			if ".dll" not in fname and ".exe" not in fname:  #Stupid hack to avoid problems in loading libs with other extensions then .dll
				fname = self.cutDot(fname) + ".dll"
			self.bbOriginalName[fname] = fnameOrig
			self.bbFiles[fname] = count
			self.bbFilesBreakpints.append({})
			rvaHighest = 0
			for line in f:
				try:
					rva = int(line[0:8], 16)
					val = int(line[18:20], 16)
					self.bbFilesBreakpints[count][rva] = val
					if rva > rvaHighest:
						rvaHighest = rva
				except Exception:
					continue
			self.bbFilesData[fname] = [rvaHighest + 10, count]
			if self.verbose:
				print "Loaded breakpoints for %s with index %02X" % (fname, count)
			count += 1
			f.close()
	
	#Register module (original exe image or dll)
	def registerModule(self, filename, baseaddr):
		filename = filename.lower()
		if ".dll" not in filename and ".exe" not in filename:  #Stupid hack to avoid problems in loading libs with other extensions then .dll
			filename = self.cutDot(filename) + ".dll"
		if filename not in self.bbFiles:
			return
		if self.verbose:
			print "  Image %s has breakpoints defined" % filename
		self.modules.append([baseaddr,baseaddr+self.bbFilesData[filename][0], self.bbFilesData[filename][1]])
		if self.verbose:
			print "  Image has breakpoints from %08X to %08X with index %02X" % (baseaddr,baseaddr+self.bbFilesData[filename][0],self.bbFilesData[filename][1])
		
	#Handle a breakpoint
	def breakpoint(self, location):
		index = None
		for i in xrange(len(self.modules)):
			if location>=self.modules[i][0] and location<=self.modules[i][1]:
				index = i
				break
		if index == None:
			return None	
		rva = location - self.modules[index][0]
		index = self.modules[index][2]
		if rva not in self.bbFilesBreakpints[index]:
			return None
		self.fileOutput.write("%02X|%08X\n" % (index, rva))
		return self.bbFilesBreakpints[index][rva]
		
	def startFileRec(self, filename):
		self.modules = []
		self.fileOutput = open(filename, "w")
		for image in self.bbFiles:
			self.fileOutput.write("%s|%02X\n" % (self.bbOriginalName[image], self.bbFiles[image]))
		
	def endFileRec(self):
		self.fileOutput.close()		
	
	#Start program
	def start(self, execFile, waitTime = 6, recFilename = "output.txt", kill = True):	
		self.startFileRec(recFilename)
		mainProc = self.debugger.execv( execFile, bFollow = True )
		event = None
		endTime = time() + waitTime
		while time() < endTime:
			if not mainProc.is_alive():
				break
			try:
				event = self.debugger.wait(1000)
			except WindowsError, e:
				if e.winerror in (win32.ERROR_SEM_TIMEOUT, win32.WAIT_TIMEOUT):
					continue
				raise
			
			if event.get_event_code() == win32.LOAD_DLL_DEBUG_EVENT:
				module = event.get_module()
				if self.verbose:
					print "DLL %s loaded on base %08X" % (module.get_name(), module.get_base())
				self.registerModule(self.cutDot(module.get_name())+".dll", module.get_base())
			elif event.get_event_code() == win32.CREATE_PROCESS_DEBUG_EVENT:
				tmp = event.get_filename().split("\\")
				modName = tmp[len(tmp)-1]
				if self.verbose:
					print "Process %s loaded on base %08X" % (modName, event.raw.u.CreateProcessInfo.lpBaseOfImage)
				self.registerModule(modName,event.raw.u.CreateProcessInfo.lpBaseOfImage)
			elif event.get_event_code() == win32.EXCEPTION_DEBUG_EVENT and event.get_exception_code() == win32.STATUS_BREAKPOINT:
				pc = event.get_thread().get_pc()-1
				val = self.breakpoint(pc)
				if val != None:
					event.get_process().write(pc, chr(val))
					event.get_thread().set_pc(pc)
					endTime = time() + waitTime
					
			try:
				self.debugger.dispatch()
			except:
				pass
			finally:
				self.debugger.cont()
		self.endFileRec()
		if kill:
			self.kill()
        path = program_files+r"\Adobe\Reader 10.0\Reader\AcroRd32.exe"
        version = versions[hashlib.md5(file(path,"rb").read()).hexdigest()]  #raise if version not supported

    print "Adobe Reader X %s"%version
    semantics = semantics[version]

    #Run the reader!
    debug.execl(path)
    debug.pmf = pmf
    broker = Process(debug.get_debugee_pids()[0])
    print "Broker PID: %d"%broker.get_pid()

    # Loop while calc.exe is alive and the time limit wasn't reached.
    while debug:
        # Get the next debug event.
        event = debug.wait()

        # Dispatch the event and continue execution.
        try:
            debug.dispatch(event)
            # add breakpoint when acrord32 gets loaded
            if event.get_event_code() == 3:
                process = event.get_process()
                base_address = event.get_image_base()
                print "AcroRd32 Main module found at %08x"%base_address

                # Hint: Use the string "Check failed: policy_." to hunt 
                # the function that adds a new policy
                breakpoint_offsets = { "10.1.3": 0x21260,
                                       "10.1.4": 0x21630,
                                       "10.1.5": 0x1fca0,