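    def __handle_breakpoint(self, Bp):
        """Handle a code breakpoint hit in the debuggee.

        Fetches the breakpoint's offset expression through the raw COM
        IDebugBreakpoint::GetOffsetExpression call and, when that expression
        names CreateFileW, prints the first stack argument (the file name)
        as a UTF-16 string.  If the debuggee memory holding that name is
        writable, the name is overwritten with a fixed test value, read back
        for confirmation, and the breakpoint is removed.

        Args:
            Bp: the IDebugBreakpoint that fired (DbgEng COM wrapper).

        Raises:
            Exception: when GetOffsetExpression() does not return S_OK.

        Only DEBUG_BREAKPOINT_CODE breakpoints are handled; anything else is
        ignored.  The stack walk assumes 32-bit stdcall (first argument at
        [esp+4], 4-byte pointer) -- TODO confirm for the target bitness.
        """
        Param = Bp.GetParameters()
        if Param.BreakType != DbgEng.DEBUG_BREAKPOINT_CODE:
            return

        print('Breakpoint: %s' % hex(Param.Offset))

        # +1 leaves room for the terminating NUL the COM call writes.
        buffer_size = Param.OffsetExpressionSize + 1
        buffer = create_string_buffer(buffer_size)
        expression_size = c_ulong(0)

        # Raw COM entry point (bypasses the generated wrapper so the
        # caller-owned buffer can be passed in).
        hr = Bp._IDebugBreakpoint__com_GetOffsetExpression(buffer, buffer_size, byref(expression_size))
        if S_OK != hr:
            raise Exception('GetOffsetExpression() fail.')

        # The reported size includes the NUL, so 1 means an empty expression.
        if expression_size.value <= 1:
            return

        expression = buffer.value
        print('Expression: %s' % expression)

        if 'CreateFileW' not in expression:
            return

        debug_client = Bp.GetAdder()
        r = Registers(debug_client)
        m = DataSpace(debug_client)
        esp = r.get_stack()

        # lpFileName is the first stdcall argument: [esp+4].
        data = m.read_memory(esp + 4, 4)
        addr = struct.unpack('<I', data)[0]
        data = m.read_wide_string(addr)
        print('File Created: %s' % data.decode('utf16'))

        if m.can_write(addr):
            # encode('utf16') prepends a 2-byte BOM; [2:] drops it so only
            # the code units (plus the trailing NUL) land in the debuggee.
            m.write_memory(addr, 'this_is_a_test_file.txt\x00'.encode('utf16')[2:])
            data = m.read_wide_string(addr)
            print('New FileName: %s' % data.decode('utf16'))
            # The breakpoint's own id (IDebugBreakpoint::GetId) is used here;
            # the original referenced an undefined name at this point.
            self.__pydbgx.remove_software_breakpoint_by_id(Bp.GetId())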
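    def __handle_breakpoint(self, Bp):
        """Handle a code breakpoint hit in the debuggee and dump WinINet arguments.

        Fetches the breakpoint's offset expression through the raw COM
        IDebugBreakpoint::GetOffsetExpression call.  When the expression names
        InternetOpenW, InternetConnectW, HttpOpenRequestW or HttpSendRequestW,
        the call's arguments are read off the debuggee stack and printed
        (pointer arguments are dereferenced as NUL-terminated UTF-16 strings
        when non-NULL).  The checks are independent, so an expression that
        names several of these functions is reported for each of them.

        Args:
            Bp: the IDebugBreakpoint that fired (DbgEng COM wrapper).

        Raises:
            Exception: when GetOffsetExpression() does not return S_OK.

        Only DEBUG_BREAKPOINT_CODE breakpoints are handled.  The stack walk
        assumes 32-bit stdcall (argument k at [esp+4*k], 4-byte values) --
        TODO confirm for the target bitness.  Debug log lines name each value
        by its stack slot, e.g. "Parameter5" for [esp+0x14].
        """
        Param = Bp.GetParameters()
        if Param.BreakType != DbgEng.DEBUG_BREAKPOINT_CODE:
            return

        print('Breakpoint: %s' % hex(Param.Offset))

        # +1 leaves room for the terminating NUL the COM call writes.
        buffer_size = Param.OffsetExpressionSize + 1
        buffer = create_string_buffer(buffer_size)
        expression_size = c_ulong(0)

        # Raw COM entry point (bypasses the generated wrapper so the
        # caller-owned buffer can be passed in).
        hr = Bp._IDebugBreakpoint__com_GetOffsetExpression(buffer, buffer_size, byref(expression_size))
        if S_OK != hr:
            raise Exception('GetOffsetExpression() fail.')

        # The reported size includes the NUL, so 1 means an empty expression.
        if expression_size.value <= 1:
            return

        expression = buffer.value
        print('Expression: %s' % expression)

        debug_client = Bp.GetAdder()
        r = Registers(debug_client)
        m = DataSpace(debug_client)
        esp = r.get_stack()
        logger.debug('[D] esp: %s', hex(esp))

        def arg(index):
            """Return the 32-bit stdcall argument in stack slot *index* ([esp+4*index]; 1 = first)."""
            data = m.read_memory(esp + 4 * index, 4)
            value = struct.unpack('<I', data)[0]
            logger.debug('[D] Parameter%d: %s', index, hex(value))
            return value

        def wide(addr):
            """Read the NUL-terminated UTF-16 string at *addr* in the debuggee and decode it."""
            return m.read_wide_string(addr).decode('utf16')

        def show(label, addr):
            """Print *label* followed by the wide string at *addr*, skipping NULL pointers."""
            if addr:
                print('%s %s' % (label, wide(addr)))

        if 'InternetOpenW' in expression:
            # InternetOpenW(lpszAgent, dwAccessType, lpszProxy, lpszProxyBypass, dwFlags)
            print('Agent: %s' % wide(arg(1)))
            show('ProxyName:', arg(3))
            show('ProxyBypass:', arg(4))

        if 'InternetConnectW' in expression:
            # InternetConnectW(hInternet, lpszServerName, nServerPort,
            #                  lpszUserName, lpszPassword, ...)
            print('hInternet: %s' % hex(arg(1)))
            show('ServerName:', arg(2))
            print('ServerPort: %s' % arg(3))
            # NOTE: credentials are written to stdout in clear text; keep this
            # output out of shared or long-lived logs.
            show('Username:', arg(4))
            show('Password:', arg(5))

        if 'HttpOpenRequestW' in expression:
            # HttpOpenRequestW(hConnect, lpszVerb, lpszObjectName, lpszVersion,
            #                  lpszReferrer, ...)
            print('hConnect: %s' % hex(arg(1)))
            show('Verb:', arg(2))
            show('ObjectName:', arg(3))
            show('Version:', arg(4))
            show('Referer:', arg(5))

        if 'HttpSendRequestW' in expression:
            # HttpSendRequestW(hRequest, lpszHeaders, dwHeadersLength,
            #                  lpOptional, dwOptionalLength)
            print('hRequest: %s' % hex(arg(1)))
            show('Headers:', arg(2))
            optional_len = arg(5)
            if optional_len:
                optional = arg(4)
                if optional:
                    # The length is whatever the debuggee passed; it is read
                    # verbatim, so a huge dwOptionalLength means a huge read.
                    data = m.read_memory(optional, optional_len)
                    print('Optional: %s' % data)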