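def DebugProgram(filepath, timeout=5):
    """Run ``PROGRAM_PATH`` on *filepath* under WinAppDbg and watch it for faults.

    A ``Debug`` instance is created with ``AccessViolationHandlerWINAPPDBG``
    as its event handler (presumably defined elsewhere in this file) and
    ``bKillOnExit`` set, so the target is terminated when the debugger is
    stopped instead of being left running. The target is given at most
    *timeout* seconds of wall-clock time.

    Args:
        filepath: Input file handed to ``PROGRAM_PATH`` as its single
            argument. It is passed as an argv element (no shell), so the
            path is never interpolated into a command line.
        timeout: Wall-clock limit in seconds. Defaults to 5, the value that
            was previously hard-coded.

    Raises:
        WindowsError: any wait error that is not a plain timeout is re-raised.
    """
    debug_args = [PROGRAM_PATH, filepath]
    debug = Debug(AccessViolationHandlerWINAPPDBG, bKillOnExit=True)
    #debug.system.load_dbghelp("C:\\Program Files\\Debugging Tools for Windows (x86)\\dbghelp.dll")
    # remote=True lets dbghelp fetch symbols that are missing from the local
    # store from the remote symbol server, so this step needs network access
    # and writes into the store directory. Enter a local symbol path here if
    # you have downloaded symbols.
    System.fix_symbol_store_path(symbol_store_path="C:\\ProgramData\\Dbg\\sym",
                                 remote=True, force=True)
    System.set_kill_on_exit_mode(True)
    try:
        deadline = time() + timeout
        # Start a new process for debugging.
        debug.execv(debug_args)
        # Loop while the debuggee is alive and the time limit wasn't reached
        # (``while debug`` relies on Debug being falsy once no debuggee is
        # left -- verify against the WinAppDbg version in use).
        while debug and time() < deadline:
            try:
                # Get the next debug event, 1 second accuracy.
                debug.wait(1000)
            except WindowsError as e:
                # A timeout only means "no event yet"; anything else is fatal.
                if e.winerror in (win32.ERROR_SEM_TIMEOUT, win32.WAIT_TIMEOUT):
                    continue
                raise
            # Dispatch the event to the handler, then always resume the target.
            try:
                debug.dispatch()
            finally:
                debug.cont()
    finally:
        # Stop the debugger; with bKillOnExit this also kills the target.
        debug.stop()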
version = versions[hashlib.md5(file( path, "rb").read()).hexdigest()] #raise if version not supported print "Adobe Reader X %s" % version semantics = semantics[version] #Run the reader! debug.execl(path) debug.pmf = pmf broker = Process(debug.get_debugee_pids()[0]) print "Broker PID: %d" % broker.get_pid() # Loop while calc.exe is alive and the time limit wasn't reached. while debug: # Get the next debug event. event = debug.wait() # Dispatch the event and continue execution. try: debug.dispatch(event) # add breakpoint when acrord32 gets loaded if event.get_event_code() == 3: process = event.get_process() base_address = event.get_image_base() print "AcroRd32 Main module found at %08x" % base_address # Hint: Use the string "Check failed: policy_." to hunt # the function that adds a new policy breakpoint_offsets = { "10.1.3": 0x21260, "10.1.4": 0x21630,
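class WinBasic:
    """Thin WinAppDbg wrapper: start or attach to processes and wait for a crash.

    ``handler(event)`` is not defined in this class; it is expected to be
    supplied by a subclass and to return a crash description (or None) for
    each debug event it is given.
    """
    debugger = None
    # Unused here (instances track ``mainProcs``); kept so existing readers
    # of the attribute do not break.
    mainProc = None
    # Exception codes that should always be treated as a crash. Not read by
    # any method in this class -- presumably consumed by the subclass handler.
    alwaysCatchExceptions = [win32.STATUS_ACCESS_VIOLATION,
                             win32.STATUS_ILLEGAL_INSTRUCTION,
                             win32.STATUS_ARRAY_BOUNDS_EXCEEDED]

    def __init__(self, killOnExit=True):
        """Create the debugger; *killOnExit* decides whether debuggees die with it."""
        self.debugger = Debug(bKillOnExit=killOnExit)
        self.mainProcs = []

    def run(self, executable, children=True):
        """Start *executable* under the debugger and return its PID.

        Child processes are followed as well when *children* is True.
        """
        proc = self.debugger.execv(executable, bFollow=children)
        self.mainProcs.append(proc)
        return proc.get_pid()

    def attachPid(self, pid):
        """Attach to the running process *pid* and track it as a main process."""
        self.mainProcs.append(self.debugger.attach(pid))

    def attachImg(self, img):
        """Attach to every running process whose image file name matches *img*."""
        self.debugger.system.scan_processes()
        for process, _name in self.debugger.system.find_processes_by_filename(img):
            self.attachPid(process.get_pid())

    def close(self, kill=True, taskkill=True, forced=True):
        """Detach from all debuggees and optionally terminate them.

        Args:
            kill: call ``Process.kill()`` on each former debuggee (best effort;
                failures are ignored because the process may already be gone).
            taskkill: additionally run ``taskkill`` for each PID.
            forced: pass ``/f`` to taskkill (hard kill) instead of a polite one.
        """
        pids = self.debugger.get_debugee_pids()
        self.debugger.detach_from_all(True)
        for pid in pids:
            if kill:
                try:
                    self.debugger.system.get_process(pid).kill()
                except Exception:
                    pass
            if taskkill:
                # Argument list, no shell: pid is an int, nothing user-controlled
                # is interpolated into a command line.
                if forced:
                    cmd = ["taskkill", "/f", "/pid", str(pid)]
                else:
                    cmd = ["taskkill", "/pid", str(pid)]
                subprocess.call(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)

    def waitForCrash(self, waitTime=4, checkAlive=False):
        """Pump debug events for up to *waitTime* seconds and return the first crash.

        Every event is passed to ``self.handler``; a non-None result is
        returned immediately, without dispatching the event or resuming the
        debuggee. Otherwise the event is dispatched and execution continued.

        Returns None when the time limit passes or, with *checkAlive*, as
        soon as any tracked main process is no longer alive.
        """
        endTime = time() + waitTime
        while time() < endTime:
            if checkAlive and not all(proc.is_alive() for proc in self.mainProcs):
                return None
            try:
                event = self.debugger.wait(1000)
            except WindowsError as e:
                # A timeout just means no event arrived in this second.
                if e.winerror in (win32.ERROR_SEM_TIMEOUT, win32.WAIT_TIMEOUT):
                    continue
                raise
            crash = self.handler(event)
            if crash is not None:
                return crash
            try:
                self.debugger.dispatch()
            except Exception:
                # A failing dispatch must not prevent the debuggee from resuming.
                pass
            finally:
                self.debugger.cont()
        return None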
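class WinBasic:
    """Minimal WinAppDbg driver: launch/attach processes and wait for a crash.

    The per-event crash check, ``handler(event)``, is not defined here; a
    subclass is expected to provide it and return either a crash record or
    None.
    """
    debugger = None
    # Legacy attribute, not used by this class (see ``mainProcs``).
    mainProc = None
    # Exception codes that are always considered crashes. Nothing in this
    # class reads the list; presumably the subclass handler does.
    alwaysCatchExceptions = [
        win32.STATUS_ACCESS_VIOLATION,
        win32.STATUS_ILLEGAL_INSTRUCTION,
        win32.STATUS_ARRAY_BOUNDS_EXCEEDED,
    ]

    def __init__(self, killOnExit=True):
        """Create the underlying ``Debug`` object and an empty main-process list."""
        self.debugger = Debug(bKillOnExit=killOnExit)
        self.mainProcs = []

    def run(self, executable, children=True):
        """Launch *executable* (child processes followed if *children*) and return its PID."""
        process = self.debugger.execv(executable, bFollow=children)
        self.mainProcs.append(process)
        return process.get_pid()

    def attachPid(self, pid):
        """Attach to *pid* and remember it as a main process."""
        self.mainProcs.append(self.debugger.attach(pid))

    def attachImg(self, img):
        """Attach to all running processes whose image name matches *img*."""
        system = self.debugger.system
        system.scan_processes()
        for process, _ in system.find_processes_by_filename(img):
            self.attachPid(process.get_pid())

    def _taskkill(self, pid, forced):
        """Run ``taskkill`` for *pid*; ``/f`` forces termination. Output is discarded."""
        args = ["taskkill"]
        if forced:
            args.append("/f")
        args += ["/pid", str(pid)]
        # List form, no shell; pid is an int so nothing is shell-interpreted.
        subprocess.call(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)

    def close(self, kill=True, taskkill=True, forced=True):
        """Detach from every debuggee, then kill them as requested.

        Args:
            kill: try ``Process.kill()`` on each PID; errors are ignored
                because the process may already have exited.
            taskkill: also invoke ``taskkill`` on each PID.
            forced: whether that ``taskkill`` is forced (``/f``).
        """
        pids = self.debugger.get_debugee_pids()
        self.debugger.detach_from_all(True)
        for pid in pids:
            if kill:
                try:
                    self.debugger.system.get_process(pid).kill()
                except Exception:
                    pass
            if taskkill:
                self._taskkill(pid, forced)

    def waitForCrash(self, waitTime=4, checkAlive=False):
        """Process debug events for up to *waitTime* seconds.

        Each event goes to ``self.handler``; the first non-None result is
        returned at once (the event is then neither dispatched nor
        continued). Otherwise the event is dispatched and the debuggee
        resumed. Returns None on timeout, or -- when *checkAlive* is set --
        as soon as one of the main processes has exited.
        """
        deadline = time() + waitTime
        while time() < deadline:
            if checkAlive:
                for proc in self.mainProcs:
                    if not proc.is_alive():
                        return None
            try:
                event = self.debugger.wait(1000)
            except WindowsError as e:
                if e.winerror in (win32.ERROR_SEM_TIMEOUT, win32.WAIT_TIMEOUT):
                    continue  # no event within this second; keep polling
                raise
            crash = self.handler(event)
            if crash is not None:
                return crash
            try:
                self.debugger.dispatch()
            except Exception:
                pass  # best effort: always fall through to cont()
            finally:
                self.debugger.cont()
        return None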
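class Coverage:
    """Basic-block coverage recorder built on WinAppDbg.

    Basic-block lists are loaded from a directory, one file per image
    (``loadBB``). When the debuggee loads an image with a known list, the
    image's address range is registered (``registerModule``) and every
    ``int 3`` that fires inside that range at a listed block start is logged
    as ``index|rva`` to the record file; the original byte is then written
    back and the instruction re-executed, so each block is normally recorded
    once.

    This class never plants breakpoints itself: the target image is
    presumably pre-instrumented with ``int 3`` at each block start by the
    tooling that produces the bb files (verify against that tooling).
    """
    verbose = False
    # Class-level defaults. They are mutable, so __init__ gives every
    # instance its own copies; do not rely on these being per-instance.
    bbFiles = {}            # normalized image name -> index
    bbFilesBreakpints = []  # index -> {rva: original byte}
    bbFilesData = {}        # normalized image name -> [highest rva + 10, index]
    bbOriginalName = {}     # normalized image name -> name as written in the bb file
    modules = []            # [base, base + span, index] per registered image
    fileOutput = None       # open record file while tracing

    def __init__(self):
        """Create the debugger and per-instance (unshared) bookkeeping containers."""
        self.debugger = Debug(bKillOnExit=True)
        self.bbFiles = {}
        self.bbFilesBreakpints = []
        self.bbFilesData = {}
        self.bbOriginalName = {}
        self.modules = []
        self.fileOutput = None

    def setVerbose(self, val):
        """Enable (truthy *val*) or disable progress output."""
        self.verbose = val

    def cutDot(self, input):
        """Return *input* up to the first '.', or *input* unchanged if it has none."""
        return input.partition(".")[0]

    def _normalizeImageName(self, name):
        """Lower-case *name*; anything not containing '.dll'/'.exe' becomes '<stem>.dll'."""
        name = name.lower()
        if ".dll" not in name and ".exe" not in name:
            # Stupid hack to avoid problems in loading libs with other
            # extensions than .dll
            name = self.cutDot(name) + ".dll"
        return name

    def loadBB(self, baseBbDir):
        """Load one basic-block file per image from directory *baseBbDir*.

        Format as parsed here: the first line is the image file name; every
        following line carries the block RVA as 8 hex digits at columns 0-7
        and the original byte as 2 hex digits at columns 18-19.

        Indices are assigned in ``os.listdir`` order (not sorted). All four
        tables are reset first, so reloading cannot leave stale entries at
        the old indices.
        """
        self.bbFiles = {}
        self.bbFilesBreakpints = []
        self.bbFilesData = {}
        self.bbOriginalName = {}
        for count, bbFile in enumerate(os.listdir(baseBbDir)):
            with open(os.path.join(baseBbDir, bbFile), "r") as f:
                fnameOrig = f.readline().strip().lower()
                fname = self._normalizeImageName(fnameOrig)
                self.bbOriginalName[fname] = fnameOrig
                self.bbFiles[fname] = count
                breakpoints = {}
                rvaHighest = 0
                for line in f:
                    rva = int(line[0:8], 16)
                    val = int(line[18:20], 16)
                    breakpoints[rva] = val
                    if rva > rvaHighest:
                        rvaHighest = rva
                self.bbFilesBreakpints.append(breakpoints)
                # +10 pads the registered range a little past the last
                # block start (original heuristic, kept as is).
                self.bbFilesData[fname] = [rvaHighest + 10, count]
            if self.verbose:
                print("Loaded breakpoints for %s with index %02X" % (fname, count))

    def registerModule(self, filename, baseaddr):
        """Register image *filename* loaded at *baseaddr* if a bb file exists for it."""
        filename = self._normalizeImageName(filename)
        if filename not in self.bbFiles:
            return
        span, index = self.bbFilesData[filename]
        if self.verbose:
            print(" Image %s has breakpoints defined" % filename)
            print(" Image has breakpoints from %08X to %08X with index %02X"
                  % (baseaddr, baseaddr + span, index))
        self.modules.append([baseaddr, baseaddr + span, index])

    def breakpoint(self, location):
        """Resolve an ``int 3`` hit at absolute address *location*.

        Returns the original byte to restore, after logging ``index|rva``,
        when *location* lies inside a registered module and is a listed
        block start. Returns None otherwise (the breakpoint is not ours).
        """
        for start, end, index in self.modules:
            if start <= location <= end:
                break
        else:
            return None
        rva = location - start
        val = self.bbFilesBreakpints[index].get(rva)
        if val is None:
            return None
        self.fileOutput.write("%02X|%08X\n" % (index, rva))
        return val

    def startFileRec(self, filename):
        """Open record file *filename* and write the ``name|index`` header lines."""
        self.modules = []
        self.fileOutput = open(filename, "w")
        for image in self.bbFiles:
            self.fileOutput.write("%s|%02X\n" % (self.bbOriginalName[image], self.bbFiles[image]))

    def endFileRec(self):
        """Close the record file (safe to call more than once)."""
        if self.fileOutput is not None:
            self.fileOutput.close()
            self.fileOutput = None

    def start(self, execFile, waitTime=6, recFilename="output.txt", kill=True):
        """Run *execFile* under the debugger and record block hits into *recFilename*.

        Tracing stops when the main process exits or when no breakpoint has
        been hit for *waitTime* seconds (the deadline is pushed out on every
        hit). The record file is closed even if tracing raises. With *kill*
        set, ``self.kill()`` is called afterwards.

        NOTE(review): ``kill()`` is not defined in this class; unless a
        subclass provides it, that call raises AttributeError.
        """
        self.startFileRec(recFilename)
        try:
            self._trace(execFile, waitTime)
        finally:
            self.endFileRec()
        if kill:
            self.kill()

    def _trace(self, execFile, waitTime):
        """Event loop: register images as they load and handle breakpoint hits."""
        mainProc = self.debugger.execv(execFile, bFollow=True)
        endTime = time() + waitTime
        while time() < endTime:
            if not mainProc.is_alive():
                break
            try:
                event = self.debugger.wait(1000)
            except WindowsError as e:
                if e.winerror in (win32.ERROR_SEM_TIMEOUT, win32.WAIT_TIMEOUT):
                    continue
                raise
            code = event.get_event_code()
            if code == win32.LOAD_DLL_DEBUG_EVENT:
                module = event.get_module()
                if self.verbose:
                    print("DLL %s loaded on base %08X" % (module.get_name(), module.get_base()))
                self.registerModule(self.cutDot(module.get_name()) + ".dll", module.get_base())
            elif code == win32.CREATE_PROCESS_DEBUG_EVENT:
                modName = event.get_filename().split("\\")[-1]
                base = event.raw.u.CreateProcessInfo.lpBaseOfImage
                if self.verbose:
                    print("Process %s loaded on base %08X" % (modName, base))
                self.registerModule(modName, base)
            elif (code == win32.EXCEPTION_DEBUG_EVENT
                  and event.get_exception_code() == win32.STATUS_BREAKPOINT):
                # int 3 is a single byte, so the trapped instruction starts at pc-1.
                pc = event.get_thread().get_pc() - 1
                val = self.breakpoint(pc)
                if val is not None:
                    # Put the original byte back and re-execute it; the
                    # idle deadline restarts on every hit.
                    event.get_process().write(pc, bytes(bytearray([val])))
                    event.get_thread().set_pc(pc)
                    endTime = time() + waitTime
            try:
                self.debugger.dispatch()
            except Exception:
                pass  # best effort; always resume the debuggee
            finally:
                self.debugger.cont()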
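class Coverage:
    """Record basic-block coverage of a debuggee with WinAppDbg.

    ``loadBB`` reads one block list per image from a directory. As the
    debuggee loads images that have a list, ``registerModule`` records their
    address range; an ``int 3`` hitting a listed block start inside such a
    range is written to the record file as ``index|rva``, the original byte
    is restored and the instruction re-run, so a block is normally logged
    once.

    Breakpoints are not planted by this class; the image is presumably
    instrumented with ``int 3`` bytes beforehand by whatever produces the
    bb files (confirm against that tooling).
    """
    verbose = False
    # Mutable class-level defaults; __init__ replaces them with per-instance
    # containers so two instances never share state.
    bbFiles = {}            # normalized image name -> index
    bbFilesBreakpints = []  # index -> {rva: original byte}
    bbFilesData = {}        # normalized image name -> [highest rva + 10, index]
    bbOriginalName = {}     # normalized image name -> name as read from the bb file
    modules = []            # [base, base + span, index] per registered image
    fileOutput = None       # record file, open while tracing

    def __init__(self):
        """Create the debugger and fresh per-instance tables."""
        self.debugger = Debug(bKillOnExit=True)
        self.bbFiles = {}
        self.bbFilesBreakpints = []
        self.bbFilesData = {}
        self.bbOriginalName = {}
        self.modules = []
        self.fileOutput = None

    def setVerbose(self, val):
        """Turn progress output on or off."""
        self.verbose = val

    def cutDot(self, input):
        """Return the part of *input* before the first '.'; all of it if there is no dot."""
        dot = input.find(".")
        return input if dot == -1 else input[:dot]

    def _normalizeImageName(self, name):
        """Lower-case *name* and map names without '.dll'/'.exe' to '<stem>.dll'."""
        name = name.lower()
        if ".dll" not in name and ".exe" not in name:
            # Stupid hack to avoid problems in loading libs with other
            # extensions than .dll
            name = self.cutDot(name) + ".dll"
        return name

    def loadBB(self, baseBbDir):
        """Load the basic-block files found in *baseBbDir*.

        Each file names its image on the first line; every later line has
        the block RVA as 8 hex digits at columns 0-7 and the original byte
        as 2 hex digits at columns 18-19. Lines that do not parse (blank or
        malformed) are skipped. Indices follow ``os.listdir`` order. All
        tables are cleared first so a second load cannot alias old indices.
        The directory/file names are echoed only in verbose mode.
        """
        self.bbFiles = {}
        self.bbFilesBreakpints = []
        self.bbFilesData = {}
        self.bbOriginalName = {}
        if self.verbose:
            print("baseBbDir:" + baseBbDir)
        count = 0
        for bbFile in os.listdir(baseBbDir):
            if self.verbose:
                print("bbFile:" + bbFile)
            with open(os.path.join(baseBbDir, bbFile), "r") as f:
                fnameOrig = f.readline().strip().lower()
                fname = self._normalizeImageName(fnameOrig)
                self.bbOriginalName[fname] = fnameOrig
                self.bbFiles[fname] = count
                table = {}
                rvaHighest = 0
                for line in f:
                    try:
                        rva = int(line[0:8], 16)
                        val = int(line[18:20], 16)
                    except ValueError:
                        continue  # tolerate blank/malformed lines
                    table[rva] = val
                    rvaHighest = max(rvaHighest, rva)
                self.bbFilesBreakpints.append(table)
                # +10: small pad past the last block start (original heuristic).
                self.bbFilesData[fname] = [rvaHighest + 10, count]
            if self.verbose:
                print("Loaded breakpoints for %s with index %02X" % (fname, count))
            count += 1

    def registerModule(self, filename, baseaddr):
        """Record image *filename* at *baseaddr* when a block list exists for it."""
        filename = self._normalizeImageName(filename)
        if filename not in self.bbFiles:
            return
        span, index = self.bbFilesData[filename]
        end = baseaddr + span
        if self.verbose:
            print(" Image %s has breakpoints defined" % filename)
            print(" Image has breakpoints from %08X to %08X with index %02X" % (baseaddr, end, index))
        self.modules.append([baseaddr, end, index])

    def breakpoint(self, location):
        """Handle an ``int 3`` at absolute address *location*.

        If *location* is inside a registered module and at a listed block
        start, log ``index|rva`` and return the original byte; else None.
        """
        match = None
        for entry in self.modules:
            if entry[0] <= location <= entry[1]:
                match = entry
                break
        if match is None:
            return None
        base, _end, index = match
        rva = location - base
        table = self.bbFilesBreakpints[index]
        if rva not in table:
            return None
        self.fileOutput.write("%02X|%08X\n" % (index, rva))
        return table[rva]

    def startFileRec(self, filename):
        """Open the record file and write one ``name|index`` header line per image."""
        self.modules = []
        self.fileOutput = open(filename, "w")
        for image, index in self.bbFiles.items():
            self.fileOutput.write("%s|%02X\n" % (self.bbOriginalName[image], index))

    def endFileRec(self):
        """Close the record file; a no-op if it is not open."""
        if self.fileOutput is not None:
            self.fileOutput.close()
            self.fileOutput = None

    def start(self, execFile, waitTime=6, recFilename="output.txt", kill=True):
        """Trace *execFile* and write block hits to *recFilename*.

        The loop ends when the main process dies or when *waitTime* seconds
        pass without a breakpoint hit (each hit renews the deadline). The
        record file is closed on every exit path. ``self.kill()`` is invoked
        afterwards when *kill* is set.

        NOTE(review): ``kill`` is not defined on this class; without a
        subclass providing it the call raises AttributeError.
        """
        self.startFileRec(recFilename)
        try:
            self._trace(execFile, waitTime)
        finally:
            self.endFileRec()
        if kill:
            self.kill()

    def _trace(self, execFile, waitTime):
        """Debug-event loop shared by ``start``: register images, service int 3 hits."""
        mainProc = self.debugger.execv(execFile, bFollow=True)
        endTime = time() + waitTime
        while time() < endTime and mainProc.is_alive():
            try:
                event = self.debugger.wait(1000)
            except WindowsError as e:
                if e.winerror in (win32.ERROR_SEM_TIMEOUT, win32.WAIT_TIMEOUT):
                    continue
                raise
            code = event.get_event_code()
            if code == win32.LOAD_DLL_DEBUG_EVENT:
                module = event.get_module()
                if self.verbose:
                    print("DLL %s loaded on base %08X" % (module.get_name(), module.get_base()))
                self.registerModule(self.cutDot(module.get_name()) + ".dll", module.get_base())
            elif code == win32.CREATE_PROCESS_DEBUG_EVENT:
                modName = event.get_filename().split("\\")[-1]
                base = event.raw.u.CreateProcessInfo.lpBaseOfImage
                if self.verbose:
                    print("Process %s loaded on base %08X" % (modName, base))
                self.registerModule(modName, base)
            elif code == win32.EXCEPTION_DEBUG_EVENT and event.get_exception_code() == win32.STATUS_BREAKPOINT:
                # int 3 is one byte: the trapped instruction begins at pc-1.
                pc = event.get_thread().get_pc() - 1
                val = self.breakpoint(pc)
                if val is not None:
                    # Restore the byte, re-execute it and renew the idle deadline.
                    event.get_process().write(pc, bytes(bytearray([val])))
                    event.get_thread().set_pc(pc)
                    endTime = time() + waitTime
            try:
                self.debugger.dispatch()
            except Exception:
                pass  # best effort; the debuggee is always resumed below
            finally:
                self.debugger.cont()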
path = program_files+r"\Adobe\Reader 10.0\Reader\AcroRd32.exe" version = versions[hashlib.md5(file(path,"rb").read()).hexdigest()] #raise if version not supported print "Adobe Reader X %s"%version semantics = semantics[version] #Run the reader! debug.execl(path) debug.pmf = pmf broker = Process(debug.get_debugee_pids()[0]) print "Broker PID: %d"%broker.get_pid() # Loop while calc.exe is alive and the time limit wasn't reached. while debug: # Get the next debug event. event = debug.wait() # Dispatch the event and continue execution. try: debug.dispatch(event) # add breakpoint when acrord32 gets loaded if event.get_event_code() == 3: process = event.get_process() base_address = event.get_image_base() print "AcroRd32 Main module found at %08x"%base_address # Hint: Use the string "Check failed: policy_." to hunt # the function that adds a new policy breakpoint_offsets = { "10.1.3": 0x21260, "10.1.4": 0x21630, "10.1.5": 0x1fca0,