def attached_handler(process): bpRegOpenKeyEx = _ptrace.breakpoint_sw("advapi32!RegOpenKeyExW", regOpenKeyEx) #bpRegGetValue = _ptrace.breakpoint_sw("advapi32!RegGetValueW", regGetValue) bpRegQueryValueEx = _ptrace.breakpoint_sw("advapi32!RegQueryValueExW", regQueryValueEx) process.breakpoint_set(bpRegOpenKeyEx) process.breakpoint_set(bpRegQueryValueEx)
def attached_handler(process): print "Attached to process %d." % process.id # Hook DispatchMessageW(...) bp = _ptrace.breakpoint_sw("user32!DispatchMessageW", dispatch_message_hook) process.breakpoint_set(bp) # And hook PeekMessageW(..., PM_REMOVE) bp = _ptrace.breakpoint_sw("user32!PeekMessageW", peek_message_hook) process.breakpoint_set(bp)
def handler_mainmain(breakpoint, thread): global functab for func in functab.keys(): if "main.main" in functab[func]: continue bp_func = _ptrace.breakpoint_sw(func, handler_func) thread.process.breakpoint_set(bp_func)
def attached_handler(process): global functab for yy in functab: if "main.main" == functab[yy]: addr_mainmain = yy print("[{}] Attached".format(process.id)) bp_main_main = _ptrace.breakpoint_sw(addr_mainmain, handler_mainmain) process.breakpoint_set(bp_main_main) print("[{}] BreakPoint Set at 0x{:08x}".format(process.id, addr_mainmain))
def alloc(breakpoint, thread): regs = thread.registers retaddr = _ptrace.cconv.retaddr_get(thread) (heap, flags, size) = _ptrace.cconv.args_get(thread, "%p%lu%zu") print "T%d: RtlAllocateHeap(0x%x, 0x%x, 0x%x)" % (thread.id, heap, flags, size), # Set breakpoint after function returns, so we can print the results. if thread.proces.breakpoint_find(retaddr) is None: bp_end = _ptrace.breakpoint_sw(retaddr, alloc_end) thread.process.breakpoint_set(bp_end)
def alloc(breakpoint, thread): retaddr = _ptrace.cconv.retaddr_get(thread) (heap, flags, size) = _ptrace.cconv.args_get(thread, "%p%lu%zu") print("T{}: RtlAllocateHeap(0x{:x}, 0x{:x}, 0x{:x})".format( thread.id, heap, flags, size), end='') # Set breakpoint after function returns, so we can print the results. if thread.process.breakpoint_find(retaddr) is None: bp_end = _ptrace.breakpoint_sw(retaddr, alloc_end) thread.process.breakpoint_set(bp_end)
def peek_message_hook(breakpoint, thread): (lpmsg, _, _, _, rem) = _ptrace.cconv.args_get(thread, "%p%p%u%u%u") if rem & PM_REMOVE: ret = _ptrace.cconv.retaddr_get(thread) thread.lpmsg = lpmsg if not hasattr(thread.process, 'bp_table'): thread.process.bp_table = {} # Have we set a breakpoint at the same address? if ret not in thread.process.bp_table: bp = _ptrace.breakpoint_sw(ret, peek_message_ret_hook) thread.process.breakpoint_set(bp) thread.process.bp_table[ret] = bp
def regOpenKeyEx(breakpoint, thread): retaddr = _ptrace.cconv.retaddr_get(thread) (key, subkey, options, sam, result) = _ptrace.cconv.args_get(thread, "%u%p%u%u%p") if key in keys: key = keys[key] else: key = "0x{:08x}".format(key) subkey = thread.process.read_utf16(subkey) print "T%d: RegOpenKeyEx(%s, \"%s\", 0x%08x, 0x%08x, 0x%08x)" % \ (thread.id, key, subkey, options, sam, result), # Set breakpoint after function returns, so we can print the results. if thread.process.breakpoint_find(retaddr) is None: bp_end = _ptrace.breakpoint_sw(retaddr, bp_end_handler) thread.process.breakpoint_set(bp_end)
def regQueryValueEx(breakpoint, thread): retaddr = _ptrace.cconv.retaddr_get(thread) (key, value, reserved, type, data, size) = _ptrace.cconv.args_get(thread, "%u%p%p%p%p%p") if key in keys: key = keys[key] else: key = "0x{:08x}".format(key) value = thread.process.read_utf16(value) print "T%d: RegQueryValueEx(%s, \"%s\", 0x%.8x, 0x%.8x 0x%.8x 0x%.8x)" % \ (thread.id, key, value, reserved, type, data, size), # Set breakpoint after function returns, so we can print the results. if thread.process.breakpoint_find(retaddr) is None: bp_end = _ptrace.breakpoint_sw(retaddr, bp_end_handler) thread.process.breakpoint_set(bp_end)
def regGetValue(breakpoint, thread): retaddr = _ptrace.cconv.retaddr_get(thread) (key, subkey, value, flags, type, data, size) = _ptrace.cconv.args_get(thread, "%p%p%p%u%p%p%p") if key in keys: key = keys[key] else: key = "0x{:08x}".format(key) subkey = thread.process.read_utf16(subkey) value = thread.process.read_utf16(value) print('T{}: RegGetValue({}, "{}", "{}")'.format(thread.id, key, subkey, value), end='') # Set breakpoint after function returns, so we can print the results. if thread.process.breakpoint_find(retaddr) is None: bp_end = _ptrace.breakpoint_sw(retaddr, bp_end_handler) thread.process.breakpoint_set(bp_end)
def attached_handler(process): bp_alloc = _ptrace.breakpoint_sw("ntdll!RtlAllocateHeap", alloc) bp_free = _ptrace.breakpoint_sw("ntdll!RtlFreeHeap", free) process.breakpoint_set(bp_alloc) process.breakpoint_set(bp_free)