def my_event_handler( event ): # Get the event name. name = event.get_event_name() # Get the event code. code = event.get_event_code() # Get the process ID where the event occured. pid = event.get_pid() # Get the thread ID where the event occured. tid = event.get_tid() # Get the value of EIP at the thread. pc = event.get_thread().get_pc() # Show something to the user. bits = event.get_process().get_bits() format_string = "%s (%s) at address %s, process %d, thread %d" message = format_string % ( name, HexDump.integer(code, bits), HexDump.address(pc, bits), pid, tid ) print(message) # If the event is a crash... if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance(): print("Crash detected, storing crash dump in database...") # Generate a minimal crash dump. crash = Crash( event ) # You can turn it into a full crash dump (recommended). # crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump # crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump crash.fetch_extra_data( event, takeMemorySnapshot = 2 ) # full memory dump # Connect to the database. You can use any URL supported by SQLAlchemy. # For more details see the reference documentation. dao = CrashDAO( "sqlite:///crashes.sqlite" ) #dao = CrashDAO( "mysql+MySQLdb://root:toor@localhost/crashes" ) # Store the crash dump in the database. dao.add( crash ) # If you do this instead, heuristics are used to detect duplicated # crashes so they aren't added to the database. # dao.add( crash, allow_duplicates = False ) # You can also launch the interactive debugger from here. Try it! :) # event.debug.interactive() # Kill the process. event.get_process().kill()
def _my_event_handler(self, event): """ handle debugger events """ code = event.get_event_code() if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance(): self._crash_event_complete.clear() self.logger.warning( "Crash detected, storing crash dump in database...") self.report.failed("crash detected") self.report.add("event name", event.get_event_name()) self.report.add("event code", code) # Generate a minimal crash dump. crash = Crash(event) # You can turn it into a full crash dump (recommended). # crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump # crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump crash.fetch_extra_data(event, takeMemorySnapshot=2) # full memory dump self.report.add("crash_isExploitable", crash.isExploitable()) self.report.add("crash_briefReport", crash.briefReport()) self.report.add("crash_fullReport", crash.fullReport()) self.report.add("crash_timestamp", crash.timeStamp) self.report.add("crash_signature", crash.signature) # Connect to the database. You can use any URL supported by SQLAlchemy. # For more details see the reference documentation. dao = CrashDAO(self._sql_crash_db) # If you do this instead, heuristics are used to detect duplicated # crashes so they aren"t added to the database. dao.add(crash, allow_duplicates=False) # Kill the process. self._process.kill() # DO WE NEED THIS ??? if "Process termination event" == event.get_event_name(): self.logger.debug("detected process termination event code=%d" % code) self.logger.debug("debugee count=%s" % self._debug.get_debugee_count()) self.logger.debug("debugee pids=%s" % self._debug.get_debugee_pids())