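def main():
    """Print a summary of one running process, selected by PID.

    Usage: ``<script> <pid>``.  The PID is read from ``sys.argv[1]`` and must
    be a decimal integer; a missing or non-numeric argument is reported on
    stderr and the script exits with status 1 instead of dying with an
    IndexError / ValueError traceback.

    Everything printed is read from the target through the ``Process``
    wrapper.  Opening a process that belongs to another user, or a
    protected/system process, typically fails unless the caller holds
    debug privileges (the other examples in this file call
    ``System.request_debug_privileges()`` for that; this one does not).

    NOTE(review): the final ``proc.resume()`` is not a read-only query --
    presumably it resumes the target's threads, so a process that was
    deliberately left suspended will start running.  Drop that line if this
    is meant to be a pure inspection tool (confirm against the Process API).
    """
    if len(sys.argv) != 2:
        sys.stderr.write("usage: %s <pid>\n" % sys.argv[0])
        sys.exit(1)
    try:
        pid = int(sys.argv[1])
    except ValueError:
        sys.stderr.write("invalid pid: %r\n" % sys.argv[1])
        sys.exit(1)

    proc = Process(pid)

    #= info

    print "pid;", proc.get_pid()
    print "is_alive;", proc.is_alive()
    print "is_debugged;", proc.is_debugged()
    print "is_wow;", proc.is_wow64()
    print "arch;", proc.get_arch()
    print "bits;", proc.get_bits()
    print "filename:", proc.get_filename()
    print "exit_time;", proc.get_exit_time()
    print "running_time;", proc.get_running_time()
    print "service;", proc.get_services()
    print "policy;", proc.get_dep_policy()
    print "peb;", proc.get_peb()
    print "main_module;", proc.get_main_module()
    print "peb_address", proc.get_peb_address()
    print "entry_point;", proc.get_entry_point()

    print "image_base;", proc.get_image_base()
    print "image_name;", proc.get_image_name()
    print "command_line;", proc.get_command_line()
    print "environment;", proc.get_environment()
    print "handle;", proc.get_handle()

    # Side effect, not a query: see the docstring.
    print "resume;",proc.resume()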
def print_modules(pid):
    """Print the PID of the process identified by *pid* and its loaded modules.

    Output is a "Process <pid>" header, a "Modules:" line, and then one
    tab-indented line per module: base address (formatted for the target's
    pointer width) and module file name, separated by a tab.
    """
    target = Process(pid)
    print "Process %d" % target.get_pid()

    print "Modules:"
    # Pointer width decides how many hex digits HexDump.address emits.
    width = target.get_bits()
    for mod in target.iter_modules():
        base = HexDump.address(mod.get_base(), width)
        print "\t%s\t%s" % (base, mod.get_filename())
def print_threads_and_modules(pid):
    """List the threads and the loaded modules of the process with PID *pid*.

    Prints a "Process <pid>" header, a "Threads:" section with one TID per
    line, then a "Modules:" section with one line per module giving its
    base address (formatted for the target's pointer width) and file name.
    """
    target = Process(pid)
    print "Process %d" % target.get_pid()

    print "Threads:"
    for thr in target.iter_threads():
        print "\t %d" % thr.get_tid()

    print "Modules:"
    width = target.get_bits()
    for mod in target.iter_modules():
        base = HexDump.address(mod.get_base(), width)
        print "\t%s\t%s" % (base, mod.get_filename())
def print_threads_and_modules(pid):
    """Dump thread IDs and module list for the process with PID *pid*.

    Sections, in order: "Process <pid>", "Threads:" (one tab-indented TID per
    line) and "Modules:" (base address formatted for the target's pointer
    width, a tab, then the module file name).
    """
    target = Process(pid)
    print "Process %d" % target.get_pid()

    print "Threads:"
    thread_ids = [thr.get_tid() for thr in target.iter_threads()]
    for tid in thread_ids:
        print "\t%d" % tid

    print "Modules:"
    width = target.get_bits()
    rows = [(HexDump.address(mod.get_base(), width), mod.get_filename())
            for mod in target.iter_modules()]
    for base, filename in rows:
        print "\t%s\t%s" % (base, filename)
def print_threads_and_modules(pid):
    """Print the threads and modules of the process whose PID is *pid*.

    Output format: a "Process <pid>" header, then "Threads:" followed by one
    tab-indented TID per line, then "Modules:" followed by one line per
    module with its base address (sized to the target's pointer width) and
    its file name, tab-separated.
    """
    target = Process(pid)
    width = target.get_bits()

    def describe_module(mod):
        # Base address first, file name second -- both tab-indented.
        return "\t%s\t%s" % (HexDump.address(mod.get_base(), width),
                             mod.get_filename())

    print "Process %d" % target.get_pid()

    print "Threads:"
    for thr in target.iter_threads():
        print "\t%d" % thr.get_tid()

    print "Modules:"
    for mod in target.iter_modules():
        print describe_module(mod)
def print_threads_and_modules(pid, debug):
    """Print threads, modules and breakpoints for the process with PID *pid*.

    *debug* is the debugger object whose ``get_all_breakpoints()`` is
    consulted; each entry's third element is taken as the breakpoint object
    and its state name and address are printed.  Thread and module output
    follows the same layout as the other listing functions in this file.
    """
    target = Process(pid)
    print "Process %d" % target.get_pid()

    print "Threads:"
    for thr in target.iter_threads():
        print "\t%d" % thr.get_tid()

    print "Modules:"
    width = target.get_bits()
    for mod in target.iter_modules():
        base = HexDump.address(mod.get_base(), width)
        print "\thas module: %s\t%s" % (base, mod.get_filename())

    print "Breakpoints:"
    for entry in debug.get_all_breakpoints():
        # Index 2 of each entry is the breakpoint object itself.
        bp = entry[2]
        print "breakpoint: %s %x" % (bp.get_state_name(), bp.get_address())
def print_threads_and_modules(pid, debug):
    """Dump the threads, modules and breakpoints of the process *pid*.

    *debug* supplies the breakpoint table via ``get_all_breakpoints()``;
    the breakpoint object is the third element of each entry, and its state
    name plus hex address are printed one per line.
    """
    target = Process(pid)
    width = target.get_bits()
    print "Process %d" % target.get_pid()

    print "Threads:"
    tids = [thr.get_tid() for thr in target.iter_threads()]
    for tid in tids:
        print "\t%d" % tid

    print "Modules:"
    for mod in target.iter_modules():
        print "\thas module: %s\t%s" % (
            HexDump.address(mod.get_base(), width), mod.get_filename())

    print "Breakpoints:"
    bps = [entry[2] for entry in debug.get_all_breakpoints()]
    for bp in bps:
        print "breakpoint: %s %x" % (bp.get_state_name(), bp.get_address())
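def _abort_unless_openable(parser, dwProcessId):
    """Exit through ``parser.error`` if no handle to *dwProcessId* can be opened.

    Opens and immediately closes a handle so that a permission problem
    (typically another user's process or a protected process) surfaces as a
    clean usage error now, instead of as a traceback when the debugger
    attaches later.
    """
    try:
        process = Process(dwProcessId)
        process.open_handle()
        process.close_handle()
    except WindowsError as e:
        parser.error("can't open process %d: %s" % (dwProcessId, e))


def _resolve_executables(parser, vectors, optname):
    """Return *vectors* with each command line's executable resolved to a path.

    *vectors* is a list of argv-style lists as built by the option callback;
    *optname* ("--console" or "--windowed") is only used in error messages.
    An entry whose first element does not exist as a path is looked up with
    ``win32.SearchPath``.  The vectors are updated in place and returned.

    NOTE(review): SearchPath with a NULL search path walks the standard
    Windows search order, which can include the current directory, so a
    bare name such as ``notepad`` may resolve to a binary planted in the
    CWD.  Give the target as a full path when that matters.
    """
    resolved = list()
    for vector in vectors:
        if not vector:
            parser.error("bad use of %s" % optname)
        filename = vector[0]
        if not ntpath.exists(filename):
            try:
                filename = win32.SearchPath(None, filename, '.exe')[0]
            except WindowsError as e:
                parser.error("error searching for %s: %s" % (filename, str(e)))
            vector[0] = filename
        resolved.append(vector)
    return resolved


def parse_cmdline(argv):
    """Parse the tracer's command line and return an ``optparse`` Values object.

    *argv* is the full argument vector including the program name (argv[0]
    is discarded before positional arguments are examined).  When no
    arguments are given at all the help text is shown instead.

    On return:
      * ``options.attach`` -- list of PIDs to attach to.  Each ``-a`` token
        is a PID if ``HexInput.integer`` accepts it, otherwise an image
        name; a name may match several processes and every match is
        attached.  Each PID must exist in the process snapshot and must be
        openable.
      * ``options.console`` / ``options.windowed`` -- lists of argv-style
        vectors whose executable has been resolved to an existing path.
        Bare positional arguments (no -a/-c/-w) become one console target.
      * ``options.mode``, ``options.autodetach``, ``options.follow``,
        ``options.hostile`` -- tracing / debugging flags, defaults below.

    Side effect: ``System.request_debug_privileges()`` is called, so the
    process tries to raise its privileges (presumably SeDebugPrivilege --
    confirm against the System API).  Every validation failure goes through
    ``parser.error``, which prints a message and exits.
    """
    # Help message and version string
    version = ("Process execution tracer\n"
               "by Mario Vilas (mvilas at gmail.com)\n"
               "%s\n") % winappdbg.version
    usage = (
        "\n"
        "\n"
        "  Create a new process (parameters for the target must be escaped):\n"
        "    %prog [options] -c <executable> [parameters for the target]\n"
        "    %prog [options] -w <executable> [parameters for the target]\n"
        "\n"
        "  Attach to a running process (by filename):\n"
        "    %prog [options] -a <executable>\n"
        "\n"
        "  Attach to a running process (by ID):\n"
        "    %prog [options] -a <process id>")
    parser = optparse.OptionParser(usage=usage, version=version)

    # Commands
    commands = optparse.OptionGroup(parser, "Commands")
    commands.add_option("-a", "--attach",
                        action="append", type="string", metavar="PROCESS",
                        help="Attach to a running process")
    commands.add_option("-w", "--windowed",
                        action="callback", type="string", metavar="CMDLINE",
                        callback=callback_execute_target,
                        help="Create a new windowed process")
    commands.add_option("-c", "--console",
                        action="callback", type="string", metavar="CMDLINE",
                        callback=callback_execute_target,
                        help="Create a new console process [default]")
    parser.add_option_group(commands)

    # Tracing options
    tracing = optparse.OptionGroup(parser, "Tracing options")
    tracing.add_option("--trace",
                       action="store_const", const="trace", dest="mode",
                       help="Set the single step mode [default]")
    # Branch tracing and the syscall trap are only offered on 32-bit x86.
    if System.arch == win32.ARCH_I386:
        tracing.add_option(
            "--branch",
            action="store_const", const="branch", dest="mode",
            help=
            "Set the step-on-branch mode (doesn't work on virtual machines)")
        tracing.add_option("--syscall",
                           action="store_const", const="syscall", dest="mode",
                           help="Set the syscall trap mode")
    parser.add_option_group(tracing)

    # Debugging options
    debugging = optparse.OptionGroup(parser, "Debugging options")
    debugging.add_option(
        "--autodetach",
        action="store_true",
        help="automatically detach from debugees on exit [default]")
    debugging.add_option(
        "--follow",
        action="store_true",
        help="automatically attach to child processes [default]")
    debugging.add_option("--trusted",
                         action="store_false", dest="hostile",
                         help="treat debugees as trusted code [default]")
    debugging.add_option(
        "--dont-autodetach",
        action="store_false", dest="autodetach",
        help="don't automatically detach from debugees on exit")
    debugging.add_option("--dont-follow",
                         action="store_false", dest="follow",
                         help="don't automatically attach to child processes")
    debugging.add_option("--hostile",
                         action="store_true",
                         help="treat debugees as hostile code")
    parser.add_option_group(debugging)

    # Defaults
    parser.set_defaults(
        autodetach=True,
        follow=True,
        hostile=False,
        windowed=list(),
        console=list(),
        attach=list(),
        mode="trace",
    )

    # Parse and validate the command line options.  argv[0] is the program
    # name, which optparse does not strip when given argv explicitly.
    if len(argv) == 1:
        argv = argv + ['--help']
    (options, args) = parser.parse_args(argv)
    args = args[1:]
    if not options.windowed and not options.console and not options.attach:
        if not args:
            parser.error("missing target application(s)")
        options.console = [args]
    else:
        if args:
            parser.error("don't know what to do with extra parameters: %s" %
                         args)

    # Get the list of attach targets
    system = System()
    system.request_debug_privileges()
    system.scan_processes()
    attach_targets = list()
    for token in options.attach:
        # A token that parses as an integer is a PID; anything else is
        # treated as an image name and matched against the snapshot.
        try:
            dwProcessId = HexInput.integer(token)
        except ValueError:
            dwProcessId = None
        if dwProcessId is not None:
            if not system.has_process(dwProcessId):
                parser.error("can't find process %d" % dwProcessId)
            _abort_unless_openable(parser, dwProcessId)
            attach_targets.append(dwProcessId)
        else:
            matched = system.find_processes_by_filename(token)
            if not matched:
                parser.error("can't find process %s" % token)
            # Every process matching the name is attached, not just the first.
            for process, name in matched:
                dwProcessId = process.get_pid()
                _abort_unless_openable(parser, dwProcessId)
                attach_targets.append(dwProcessId)
    options.attach = attach_targets

    # Resolve the executables of the console and windowed targets.
    options.console = _resolve_executables(parser, options.console,
                                           "--console")
    options.windowed = _resolve_executables(parser, options.windowed,
                                            "--windowed")

    # If no targets were set at all, show an error message
    if not options.attach and not options.console and not options.windowed:
        parser.error("no targets found!")

    return options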
def parse_cmdline( argv ):
    """Parse the tracer's command line and validate its attach targets.

    Same structure as the other ``parse_cmdline`` tracer listing in this
    file, written with the older ``except X, e`` Python 2 syntax.  *argv*
    is the full argument vector including the program name; with no
    arguments at all the help text is shown.  Validation failures go
    through ``parser.error`` (prints a message and exits).

    NOTE(review): this listing is cut off after the attach-target loop --
    the resolution of ``--console``/``--windowed`` executables and the
    ``return options`` are not shown, so as printed here the function
    falls off the end and returns None.
    """

    # Help message and version string
    version = (
              "Process execution tracer\n"
              "by Mario Vilas (mvilas at gmail.com)\n"
              "%s\n"
              ) % winappdbg.version
    usage = (
            "\n"
            "\n"
            "  Create a new process (parameters for the target must be escaped):\n"
            "    %prog [options] -c <executable> [parameters for the target]\n"
            "    %prog [options] -w <executable> [parameters for the target]\n"
            "\n"
            "  Attach to a running process (by filename):\n"
            "    %prog [options] -a <executable>\n"
            "\n"
            "  Attach to a running process (by ID):\n"
            "    %prog [options] -a <process id>"
            )
##    formatter = optparse.IndentedHelpFormatter()
##    formatter = optparse.TitledHelpFormatter()
    parser = optparse.OptionParser(
                                    usage=usage,
                                    version=version,
##                                    formatter=formatter,
                                  )

    # Commands
    commands = optparse.OptionGroup(parser, "Commands")
    commands.add_option("-a", "--attach", action="append", type="string",
                        metavar="PROCESS",
                        help="Attach to a running process")
    commands.add_option("-w", "--windowed", action="callback", type="string",
                        metavar="CMDLINE", callback=callback_execute_target,
                        help="Create a new windowed process")
    commands.add_option("-c", "--console", action="callback", type="string",
                        metavar="CMDLINE", callback=callback_execute_target,
                        help="Create a new console process [default]")
    parser.add_option_group(commands)

    # Tracing options
    tracing = optparse.OptionGroup(parser, "Tracing options")
    tracing.add_option("--trace", action="store_const", const="trace",
                                                               dest="mode",
                      help="Set the single step mode [default]")
    # Branch tracing and the syscall trap are only offered on 32-bit x86.
    if System.arch == win32.ARCH_I386:
        tracing.add_option("--branch", action="store_const", const="branch",
                                                                   dest="mode",
                          help="Set the step-on-branch mode (doesn't work on virtual machines)")
        tracing.add_option("--syscall", action="store_const", const="syscall",
                                                                   dest="mode",
                          help="Set the syscall trap mode")
##    tracing.add_options("--module", action="append", metavar="MODULES",
##                                                            dest="modules",
##                   help="only trace into these modules (comma-separated)")
##    debugging.add_option("--from-start", action="store_true",
##                  help="start tracing when the process is created [default]")
##    debugging.add_option("--from-entry", action="store_true",
##                  help="start tracing when the entry point is reached")
    parser.add_option_group(tracing)

    # Debugging options
    debugging = optparse.OptionGroup(parser, "Debugging options")
    debugging.add_option("--autodetach", action="store_true",
                  help="automatically detach from debugees on exit [default]")
    debugging.add_option("--follow", action="store_true",
                  help="automatically attach to child processes [default]")
    debugging.add_option("--trusted", action="store_false", dest="hostile",
                  help="treat debugees as trusted code [default]")
    debugging.add_option("--dont-autodetach", action="store_false",
                                                         dest="autodetach",
                  help="don't automatically detach from debugees on exit")
    debugging.add_option("--dont-follow", action="store_false",
                                                             dest="follow",
                  help="don't automatically attach to child processes")
    debugging.add_option("--hostile", action="store_true",
                  help="treat debugees as hostile code")
    parser.add_option_group(debugging)

    # Defaults
    parser.set_defaults(
        autodetach  = True,
        follow      = True,
        hostile     = False,
        windowed    = list(),
        console     = list(),
        attach      = list(),
##        modules     = list(),
        mode        = "trace",
    )

    # Parse and validate the command line options.  argv[0] is the program
    # name, which optparse does not strip when given argv explicitly.
    if len(argv) == 1:
        argv = argv + [ '--help' ]
    (options, args) = parser.parse_args(argv)
    args = args[1:]
    if not options.windowed and not options.console and not options.attach:
        if not args:
            parser.error("missing target application(s)")
        options.console = [ args ]
    else:
        if args:
            parser.error("don't know what to do with extra parameters: %s" % args)

    # Get the list of attach targets
    system = System()
    # Needed to open processes of other users / protected processes
    # (presumably SeDebugPrivilege -- confirm against the System API).
    system.request_debug_privileges()
    system.scan_processes()
    attach_targets = list()
    for token in options.attach:
        # A token that parses as an integer is a PID; anything else is
        # treated as an image name and matched against the snapshot.
        try:
            dwProcessId = HexInput.integer(token)
        except ValueError:
            dwProcessId = None
        if dwProcessId is not None:
            if not system.has_process(dwProcessId):
                parser.error("can't find process %d" % dwProcessId)
            # Probe that a handle can actually be opened now, so a
            # permission problem becomes a usage error instead of a
            # traceback at attach time.
            try:
                process = Process(dwProcessId)
                process.open_handle()
                process.close_handle()
            except WindowsError, e:
                parser.error("can't open process %d: %s" % (dwProcessId, e))
            attach_targets.append(dwProcessId)
        else:
            matched = system.find_processes_by_filename(token)
            if not matched:
                parser.error("can't find process %s" % token)
            # Every process matching the name is attached, not just the first.
            for process, name in matched:
                dwProcessId = process.get_pid()
                try:
                    process = Process(dwProcessId)
                    process.open_handle()
                    process.close_handle()
                except WindowsError, e:
                    parser.error("can't open process %d: %s" % (dwProcessId, e))
                attach_targets.append( process.get_pid() )
        path = program_files + r"\Adobe\Reader 11.0\Reader\AcroRd32.exe"
        version = versions[hashlib.md5(file(
            path, "rb").read()).hexdigest()]  #raise if version not supported
    except:
        path = program_files + r"\Adobe\Reader 10.0\Reader\AcroRd32.exe"
        version = versions[hashlib.md5(file(
            path, "rb").read()).hexdigest()]  #raise if version not supported

    print "Adobe Reader X %s" % version
    semantics = semantics[version]

    #Run the reader!
    debug.execl(path)
    debug.pmf = pmf
    broker = Process(debug.get_debugee_pids()[0])
    print "Broker PID: %d" % broker.get_pid()

    # Loop while calc.exe is alive and the time limit wasn't reached.
    while debug:
        # Get the next debug event.
        event = debug.wait()

        # Dispatch the event and continue execution.
        try:
            debug.dispatch(event)
            # add breakpoint when acrord32 gets loaded
            if event.get_event_code() == 3:
                process = event.get_process()
                base_address = event.get_image_base()
                print "AcroRd32 Main module found at %08x" % base_address
def parse_cmdline(argv):
    """Parse the in-memory fuzzer's command line.

    Accepts ``-a PROCESS`` (PID or image name, repeatable), the snapshot /
    restore / buffer addresses and the buffer size (all kept as strings --
    only their presence is checked here), optional ``-o FILE`` and
    ``--debuglog FILE``, and ``--follow`` / ``--dont-follow``.  *argv* is the
    full argument vector including the program name; with no arguments at
    all the help text is shown.  Validation failures go through
    ``parser.error`` (prints a message and exits).

    NOTE(review): this listing is cut off after the attach-target loop, and
    the text that follows it on this page belongs to a different script
    (an Adobe Reader launcher), so the rest of this function -- including
    its ``return options`` -- is not visible here.
    """

    # Help message and version string
    version = ("In Memory fuzzer\n")

    usage = ("\n"
             "\n"
             "  Attach to a running process (by filename):\n"
             "    %prog [options] -a <executable>\n"
             "\n"
             "  Attach to a running process (by ID):\n"
             "    %prog [options] -a <process id>")

    parser = optparse.OptionParser(
        usage=usage,
        version=version,
    )

    # Commands
    commands = optparse.OptionGroup(parser, "Commands")

    commands.add_option("-a",
                        "--attach",
                        action="append",
                        type="string",
                        metavar="PROCESS",
                        help="Attach to a running process")

    parser.add_option_group(commands)

    # SEH test options
    fuzzer_opts = optparse.OptionGroup(parser, "Fuzzer options")

    fuzzer_opts.add_option("--snapshot_address",
                           metavar="ADDRESS",
                           help="take snapshot point address")

    fuzzer_opts.add_option("--restore_address",
                           metavar="ADDRESS",
                           help="restore snapshot point address")

    fuzzer_opts.add_option(
        "--buffer_address",
        metavar="ADDRESS",
        help="address of the buffer to be modified in memory")

    # NOTE(review): metavar says ADDRESS but this option is a size; the help
    # text is the accurate one.
    fuzzer_opts.add_option("--buffer_size",
                           metavar="ADDRESS",
                           help="size of the buffer to be modified in memory")

    fuzzer_opts.add_option("-o",
                           "--output",
                           metavar="FILE",
                           help="write the output to FILE")

    fuzzer_opts.add_option("--debuglog",
                           metavar="FILE",
                           help="set FILE as a debug log (extremely verbose!)")

    parser.add_option_group(fuzzer_opts)

    # Debugging options
    debugging = optparse.OptionGroup(parser, "Debugging options")

    debugging.add_option(
        "--follow",
        action="store_true",
        help="automatically attach to child processes [default]")

    debugging.add_option("--dont-follow",
                         action="store_false",
                         dest="follow",
                         help="don't automatically attach to child processes")

    parser.add_option_group(debugging)

    # Defaults
    parser.set_defaults(
        follow=True,
        attach=list(),
        output=None,
        debuglog=None,
    )

    # Parse and validate the command line options.  argv[0] is the program
    # name, which optparse does not strip when given argv explicitly.
    if len(argv) == 1:
        argv = argv + ['--help']
    (options, args) = parser.parse_args(argv)
    args = args[1:]
    if not options.attach:
        if not args:
            parser.error("missing target application(s)")
        # NOTE(review): nothing in the visible part of this function reads
        # options.console (there is no -c option here either); this looks
        # carried over from the tracer example -- confirm the caller uses it.
        options.console = [args]
    else:
        if args:
            parser.error("don't know what to do with extra parameters: %s" %
                         args)

    # Presence checks only: the values stay strings and are neither parsed
    # as integers nor range-checked in this function.
    if not options.snapshot_address:
        parser.error("Snapshot address not specified")

    if not options.restore_address:
        parser.error("Restore address not specified")

    if not options.buffer_address:
        parser.error("Buffer address not specified")

    # "Buffser" is a typo in the user-facing message (runtime string, left as-is).
    if not options.buffer_size:
        parser.error("Buffser size not specified")

    # Replaces the module-level logger, reusing its verbose flag.
    global logger
    if options.output:
        logger = Logger(logfile=options.output, verbose=logger.verbose)

    # Open the debug log file if requested
    # NOTE(review): when both --output and --debuglog are given, this
    # assignment replaces the Logger created just above, so --output is
    # silently ignored.
    if options.debuglog:
        logger = Logger(logfile=options.debuglog, verbose=logger.verbose)

    # Get the list of attach targets
    system = System()
    # Needed to open processes of other users / protected processes
    # (presumably SeDebugPrivilege -- confirm against the System API).
    system.request_debug_privileges()
    system.scan_processes()
    attach_targets = list()

    for token in options.attach:
        # A token that parses as an integer is a PID; anything else is
        # treated as an image name and matched against the snapshot.
        try:
            dwProcessId = HexInput.integer(token)
        except ValueError:
            dwProcessId = None
        if dwProcessId is not None:
            if not system.has_process(dwProcessId):
                parser.error("can't find process %d" % dwProcessId)
            # Probe that a handle can actually be opened now, so a
            # permission problem becomes a usage error instead of a
            # traceback at attach time.
            try:
                process = Process(dwProcessId)
                process.open_handle()
                process.close_handle()
            except WindowsError, e:
                parser.error("can't open process %d: %s" % (dwProcessId, e))
            attach_targets.append(dwProcessId)
        else:
            matched = system.find_processes_by_filename(token)
            if not matched:
                parser.error("can't find process %s" % token)
            # Every process matching the name is attached, not just the first.
            for process, name in matched:
                dwProcessId = process.get_pid()
                try:
                    process = Process(dwProcessId)
                    process.open_handle()
                    process.close_handle()
                except WindowsError, e:
                    parser.error("can't open process %d: %s" %
                                 (dwProcessId, e))
                attach_targets.append(process.get_pid())
        program_files = r"C:\Program Files (x86)"
    try:
        path = program_files+r"\Adobe\Reader 11.0\Reader\AcroRd32.exe"
        version = versions[hashlib.md5(file(path,"rb").read()).hexdigest()]  #raise if version not supported
    except:
        path = program_files+r"\Adobe\Reader 10.0\Reader\AcroRd32.exe"
        version = versions[hashlib.md5(file(path,"rb").read()).hexdigest()]  #raise if version not supported

    print "Adobe Reader X %s"%version
    semantics = semantics[version]

    #Run the reader!
    debug.execl(path)
    debug.pmf = pmf
    broker = Process(debug.get_debugee_pids()[0])
    print "Broker PID: %d"%broker.get_pid()

    # Loop while calc.exe is alive and the time limit wasn't reached.
    while debug:
        # Get the next debug event.
        event = debug.wait()

        # Dispatch the event and continue execution.
        try:
            debug.dispatch(event)
            # add breakpoint when acrord32 gets loaded
            if event.get_event_code() == 3:
                process = event.get_process()
                base_address = event.get_image_base()
                print "AcroRd32 Main module found at %08x"%base_address