Пример #1
0
def my_event_handler( event ):

    # Get the event name.
    name = event.get_event_name()

    # Get the event code.
    code = event.get_event_code()

    # Get the process ID where the event occured.
    pid = event.get_pid()

    # Get the thread ID where the event occured.
    tid = event.get_tid()

    # Get the value of EIP at the thread.
    pc = event.get_thread().get_pc()

    # Show something to the user.
    bits = event.get_process().get_bits()
    format_string = "%s (%s) at address %s, process %d, thread %d"
    message = format_string % ( name,
                                HexDump.integer(code, bits),
                                HexDump.address(pc, bits),
                                pid,
                                tid )
    print message

    # If the event is a crash...
    if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
        print "Crash detected, storing crash dump in database..."

        # Generate a minimal crash dump.
        crash = Crash( event )

        # You can turn it into a full crash dump (recommended).
        # crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump
        # crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump
        crash.fetch_extra_data( event, takeMemorySnapshot = 2 ) # full memory dump

        # Connect to the database. You can use any URL supported by SQLAlchemy.
        # For more details see the reference documentation.
        dao = CrashDAO( "sqlite:///crashes.sqlite" )
        #dao = CrashDAO( "mysql+MySQLdb://root:toor@localhost/crashes" )

        # Store the crash dump in the database.
        dao.add( crash )

        # If you do this instead, heuristics are used to detect duplicated
        # crashes so they aren't added to the database.
        # dao.add( crash, allow_duplicates = False )

        # You can also launch the interactive debugger from here. Try it! :)
        # event.debug.interactive()

        # Kill the process.
        event.get_process().kill()
Пример #2
0
def my_event_handler( event ):

    # Get the event name.
    name = event.get_event_name()

    # Get the event code.
    code = event.get_event_code()

    # Get the process ID where the event occured.
    pid = event.get_pid()

    # Get the thread ID where the event occured.
    tid = event.get_tid()

    # Get the value of EIP at the thread.
    pc = event.get_thread().get_pc()

    # Show something to the user.
    bits = event.get_process().get_bits()
    format_string = "%s (%s) at address %s, process %d, thread %d"
    message = format_string % ( name,
                                HexDump.integer(code, bits),
                                HexDump.address(pc, bits),
                                pid,
                                tid )
    print(message)

    # If the event is a crash...
    if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
        print("Crash detected, storing crash dump in database...")

        # Generate a minimal crash dump.
        crash = Crash( event )

        # You can turn it into a full crash dump (recommended).
        # crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump
        # crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump
        crash.fetch_extra_data( event, takeMemorySnapshot = 2 ) # full memory dump

        # Connect to the database. You can use any URL supported by SQLAlchemy.
        # For more details see the reference documentation.
        dao = CrashDAO( "sqlite:///crashes.sqlite" )
        #dao = CrashDAO( "mysql+MySQLdb://root:toor@localhost/crashes" )

        # Store the crash dump in the database.
        dao.add( crash )

        # If you do this instead, heuristics are used to detect duplicated
        # crashes so they aren't added to the database.
        # dao.add( crash, allow_duplicates = False )

        # You can also launch the interactive debugger from here. Try it! :)
        # event.debug.interactive()

        # Kill the process.
        event.get_process().kill()
Пример #3
0
def _my_event_handler(self, event):
    """
    handle debugger events
    """

    code = event.get_event_code()

    if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
        self._crash_event_complete.clear()
        self.logger.warning(
            "Crash detected, storing crash dump in database...")
        self.report.failed("crash detected")
        self.report.add("event name", event.get_event_name())
        self.report.add("event code", code)

        # Generate a minimal crash dump.
        crash = Crash(event)

        # You can turn it into a full crash dump (recommended).
        # crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump
        # crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump
        crash.fetch_extra_data(event, takeMemorySnapshot=2)  # full memory dump

        self.report.add("crash_isExploitable", crash.isExploitable())

        self.report.add("crash_briefReport", crash.briefReport())
        self.report.add("crash_fullReport", crash.fullReport())
        self.report.add("crash_timestamp", crash.timeStamp)
        self.report.add("crash_signature", crash.signature)

        # Connect to the database. You can use any URL supported by SQLAlchemy.
        # For more details see the reference documentation.
        dao = CrashDAO(self._sql_crash_db)

        # If you do this instead, heuristics are used to detect duplicated
        # crashes so they aren"t added to the database.
        dao.add(crash, allow_duplicates=False)

        # Kill the process.
        self._process.kill()

    # DO WE NEED THIS ???
    if "Process termination event" == event.get_event_name():
        self.logger.debug("detected process termination event code=%d" % code)
        self.logger.debug("debugee count=%s" % self._debug.get_debugee_count())
        self.logger.debug("debugee pids=%s" % self._debug.get_debugee_pids())
Пример #4
0
def _my_event_handler(self, event):
    '''
    handle debugger events
    '''

    code = event.get_event_code()

    if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
        self._crash_event_complete.clear()
        self.logger.warning("Crash detected, storing crash dump in database...")
        self.report.failed('crash detected')
        self.report.add('event name', event.get_event_name())
        self.report.add('event code', code)

        # Generate a minimal crash dump.
        crash = Crash(event)

        # You can turn it into a full crash dump (recommended).
        # crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump
        # crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump
        crash.fetch_extra_data(event, takeMemorySnapshot=2)  # full memory dump

        self.report.add('crash_isExploitable', crash.isExploitable())

        self.report.add('crash_briefReport', crash.briefReport())
        self.report.add('crash_fullReport', crash.fullReport())
        self.report.add('crash_timestamp', crash.timeStamp)
        self.report.add('crash_signature', crash.signature)

        # Connect to the database. You can use any URL supported by SQLAlchemy.
        # For more details see the reference documentation.
        dao = CrashDAO(self._sql_crash_db)

        # If you do this instead, heuristics are used to detect duplicated
        # crashes so they aren't added to the database.
        dao.add(crash, allow_duplicates=False)

        # Kill the process.
        self._process.kill()

    # DO WE NEED THIS ???
    if 'Process termination event' == event.get_event_name():
        self.logger.debug('detected process termination event code=%d' % code)
        self.logger.debug('debugee count=%s' % self._debug.get_debugee_count())
        self.logger.debug('debugee pids=%s' % self._debug.get_debugee_pids())
Пример #5
0
def crash_event_handler(event):
    """
    This implements the whole logic.
    The code below triggered by an access violation
    is responsible for storing / doing whatever with the crash info
    """

    code = event.get_event_code()

    # TODO: use this to distinguish between Eip and Rip?
    bits = event.get_process().get_bits()

    # If the event is a crash...
    if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
        print "=== [*] Crash detected, analyzing..."

        name = event.get_exception_description()
        pc = event.get_thread().get_pc()

        # Get the offending address.
        address = event.get_exception_address()

        # TODO: Get the register values
        #thread = event.get_thread()
        #registers = thread.get_context()

        # Generate a minimal crash dump.
        crash = Crash(event)

        if crash.exceptionLabel:
            c_label = crash.exceptionLabel

        else:
            c_label = 'Not available'

        # Crashing file contents in Base64
        if file_info:
            bin = file_info

        else:
            bin = None

        crash_properties = dict()
        crash_properties['victim'] = victim_filename
        crash_properties['processor'] = crash.arch
        crash_properties['event_name'] = name
        crash_properties['ip'] = address     # pc, registers['Eip'], etc.
        crash_properties['crash_label'] = c_label
        crash_properties['stacktrace'] = crash.stackTraceLabels
        crash_properties['exploitability'] = crash.isExploitable()
        crash_properties['bin'] = bin

        # TODO: Calculate some kind of metric in order to discard already
        # found crashes (or minimal variations of them)
        # XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

        # You can turn it into a full crash dump (recommended).
        # crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump
        crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump
        # crash.fetch_extra_data(event, takeMemorySnapshot = 2) # full memory dump

        # TODO: do not hardcode this directory
        dao = CrashDAO("sqlite:///crashes/crashes.sqlite")

        # Store the crash dump in the database.
        print "=== [*] Storing crash dump in (local) database..."
        # NOTE: If you do this instead, heuristics are used to detect duplicated
        # crashes so they aren't added to the database.
        # dao.add( crash, allow_duplicates = False )
        dao.add(crash)

        #
        # Store the crash, locally and in server
        #

        # Kill the process.
        event.get_process().kill()

        communications.add_crash(crash_properties)
        fileops.save_crash_file(crash_filename, 'crashes')