def main(): # print_drivers(True) parser = argparse.ArgumentParser(description="WinAppDbg stuff.") parser.add_argument("-r", "--run", help="path to application") args = parser.parse_args() if win32.PathFileExists(args.run) is True: debug = winappdbg.Debug() try: my_process = debug.execv([args.run]) print "Attached to %d -%s " % (my_process.get_pid(), my_process.get_filename()) print_modules(my_process.get_pid()) debug.loop() finally: debug.stop() print "debugger stopped" else: print "%s not found." % (args.run)
def main(): parser = argparse.ArgumentParser(description="WinAppDbg stuff.") parser.add_argument("-r", "--run", help="path to application") args = parser.parse_args() # Use Win32 API functions provided by WinAppDbg if win32.PathFileExists(args.run) is True: # File exists # Create a Debug object debug = winappdbg.Debug() try: # Debug the app # First item is program and the rest are arguments # execv: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L274 my_process = debug.execv([args.run]) print "Attached to %d - %s" % (my_process.get_pid(), my_process.get_filename()) # Keep debugging until the debugger stops debug.loop() finally: # Stop the debugger debug.stop() print "Debugger stopped." else: print "%s not found." % (args.run)
def run(self): dbg = winappdbg.Debug() dbg.attach(self.pid) for addr in self.functions: dbg.hook_function(self.pid, addr, self.trace_call, paramCount=10) self.log("%s hooks added" % len(self.functions)) self.log("") dbg.loop()
def __attach(self): """ Attaches to a process based on pid or process name. @rtype: winappdbg.Debug @return: WinAppDbg Debug object that can be used to interact with the application. """ debugger = winappdbg.Debug(self.eventhandler, bKillOnExit=self.kill_on_exit) if type(self.pid_pname) is int: # Get all running pids pids = debugger.system.get_process_ids() if self.pid_pname in pids: # pid exists then attach to the pid # attach: # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L219 debugger.attach(self.pid_pname) return debugger else: raise DebugError(self.pid_pname, "pid not found") elif type(self.pid_pname) is str: # Example 3: # https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py debugger.system.scan() # Search for all processes with that name rslt = debugger.system.find_processes_by_filename(self.pid_pname) if len(rslt) is not 0: # Process found # Attach to all processes for (process, name) in rslt: debugger.attach(process.get_pid()) return debugger else: # Process not found raise DebugError(self.pid_pname, "Process not found") else: # pid_pname is neither int nor str raise DebugError(self.pid_pname, "Invalid parameter passed")
def simple_debugger(filename): global logfile try: handler = MyEventHandler() except: traceback.print_exc() with winappdbg.Debug(handler, bKillOnExit=True) as debug: abspath = os.path.abspath(filename) debug.execl(os.path.join(os.path.dirname(abspath), filename)) debug.loop()
def hook(self): """Hook onto one or more of the processes module functions. I.E.: hook_dict = {'ws2_32.dll': ['send', 'sendto']}; Hack('process_name.exe').hook(hook_dict)""" if self.hwnd is None: raise ValueError, "You need to specify the process name, i.e.: Hack('process_name.exe').hook()" if len(self.hook_dict.keys()) == 0: raise ValueError, "You need to call Hack().add_hook() first! You currently haven't added any hooks!" debug = winappdbg.Debug(BasicEventHandler(self.hook_dict)) try: debug.attach(self.hwnd.get_pid()) debug.loop() finally: debug.stop()
def main(): pid = int(sys.argv[1]) addr = sys.argv[2] debug = winappdbg.Debug(winappdbg.EventHandler()) try: debug.attach(pid) #debug.break_at(pid, addr) #debug.interactive() #self.debug.loop() finally: debug.stop()
def hook(self): if self.hwnd is None: raise ValueError, "You need to specify the process name, i.e.: Hack('process_name.exe').hook()" if len(self.hook_dict.keys()) == 0: raise ValueError, "You need to call Hack().add_hook() first! You currently haven't added any hooks!" #debug = winappdbg.Debug( BasicEventHandler(self.hook_dict) ) self.debug = winappdbg.Debug(EventHandler(self.hook_dict)) try: self.debug.attach(self.hwnd.get_pid()) self.debug.interactive() #self.debug.loop() finally: self.debug.stop()
def hook(self): """Hook onto one or more of the processes module functions""" if self.hwnd is None: raise ValueError, "You need to specify the process name" if len(self.hook_dict.keys()) == 0: raise ValueError, "You currently haven't added any hooks!" debug = winappdbg.Debug(BasicEventHandler(self.hook_dict)) try: debug.attach(self.hwnd.get_pid()) debug.loop() finally: debug.stop()
def main(): # print_drivers(True) parser = argparse.ArgumentParser(description="WinAppDbg stuff.") parser.add_argument("-p", "--pid", help="process id") args = parser.parse_args() args.pid = long(args.pid) if (args.pid): system = winappdbg.System() # Get all pids pids = system.get_process_ids() print pids if args.pid in pids: # pid exists # Create a Debug object debug = winappdbg.Debug() try: # Attach to pid # attach: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L219 my_process = debug.attach(int(args.pid)) print "Attached to %d - %s" % (my_process.get_pid(), my_process.get_filename()) # Keep debugging until the debugger stops debug.loop() finally: # Stop the debugger debug.stop() print "Debugger stopped." else: print "pid %d not found." % (args.pid) exit() else: print "%s not found." % (args.pid)
def simple_debugger(filename): #global logfile try: handler = MyEventHandler() except: traceback.print_exc() with winappdbg.Debug(handler, bKillOnExit=True) as debug: print "[*] Starting %s" % filename debug.execl(filename) print "[*] Starting debug loop" debug.loop() print "[*] Terminating"
def simple_debugger(filename): global logfile try: handler = MyEventHandler() #logfile = winappdbg.textio.Logger(filename + ".log",verbose = True) except: traceback.print_exc() with winappdbg.Debug(handler, bKillOnExit=True, bHostileCode=False) as debug: log("[*] Starting %s" % filename) debug.execl(filename, bFollow=False) log("[*] Starting debug loop") debug.loop() log("[*] Terminating") log("[D] Number of created processes: %d" % len(handler.createdprocesses)) for i in range(0, len(handler.eventlog)): log("%s" % handler.eventlog[i])
def main(): myevent = DebugEvents() debug = winappdbg.Debug(myevent) try: debug.system.scan() for (process, name) in debug.system.find_processes_by_filename('w3wp.exe'): print "Found %d, %s" % (process.get_pid(), process.get_filename()) debug.attach(process.get_pid()) print "Attached to %d-%s" % (process.get_pid(), process.get_filename()) debug.loop() finally: debug.stop() exit()
def simple_debugger(filename): try: handler = MyEventHandler(filename) except: traceback.print_exc() with winappdbg.Debug(handler, bKillOnExit = True, bHostileCode = False) as debug: log("[*] Starting {:s}".format(filename)) debug.execl(filename, bFollow = False) log("[*] Starting debug loop") debug.loop() log("[*] Terminating") log("[D] Number of created processes: {:d}".format(len(handler.createdprocesses))) for i in range(0, len(handler.eventlog)): log("{:s}".format(handler.eventlog[i])) return
def wait(self, add_time): self.debug = winappdbg.Debug() try: self.debug.attach(self.hwnd.get_pid()) #System.set_kill_on_exit_mode(True) maxTime = time.time() + add_time while self.debug and time.time() < maxTime: try: self.debug.wait(1000) print time.time() except WindowsError, e: continue raise try: self.debug.dispatch() finally: self.debug.cont() except Exception, e: print e pass
def main1(): parser = argparse.ArgumentParser(description="WinAppDbg stuff.") parser.add_argument("-r", "--run", nargs="+", help="path to application followed by parameters") args = parser.parse_args() if (args.run): # Concat all arguments into a string myargs = " ".join(args.run) # Use Win32 API functions provided by WinAppDbg if win32.PathFileExists(args.run[0]) is True: # File exists # Create a Debug object debug = winappdbg.Debug() try: # Debug the app # Debug.execv([args.app]) # execl: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L358 my_process = debug.execl(myargs) print("Started %d - %s" % (my_process.get_pid(), my_process.get_filename())) # Keep debugging until the debugger stops debug.loop() finally: # Stop the debugger debug.stop() print("Debugger stopped.") else: print("%s not found." % (args.run[0]))
def main(): import sys if len(sys.argv) < 3: usage(sys) command = sys.argv[1].lower() pid = int(sys.argv[2]) func = sys.argv[2] if len(sys.argv) > 2 else "" addr = sys.argv[3] if len(sys.argv) > 3 else hex( Process(pid).get_entry_point()) print "addr:", addr, "" size = sys.argv[4] if len(sys.argv) > 4 else 10 if command == 'l' or command == 'll': Flag = False if command == 'll': Flag = True str = show_disassemble(pid, addr, int(size), Flag) print hex_string(pid, addr, int(size)) print print strhex(str) process = Process(pid) for tid in process.iter_thread_ids(): print tid elif command == 'i': proces_info(pid, addr) elif command == 'rs': read_string(pid, addr) elif command == 'ws': write_string(pid, addr, size) print read_string(pid, addr) elif command == 'wa': alloc_string(pid, addr, size) elif command == 'ps': push_addr(pid, addr, size) elif command == 'h': hex_string(pid, addr, int(size), 1) print hex_string(pid, addr, int(size), 2) print hex_string(pid, addr, int(size), 3) elif command == 'hs': hex_string(pid, addr, int(size), 1) elif command == 'hw': hex_string(pid, addr, int(size), 2) elif command == 'hd': hex_string(pid, addr, int(size), 3) elif command == 's': address = search_string(pid, addr, int(size)) #print "bp :", hex(address), " : ", address #show_disassemble(pid, address, 10) #hex_string(pid, address, 10, 1) elif command == 'b': set_bp(pid, addr, int(size)) elif command == 'bb': debug = winappdbg.Debug() debug.attach(pid) debug.break_at(pid, addr)
def main(): parser = argparse.ArgumentParser(description="WinAppDbg stuff.") parser.add_argument("-r", "--run", help="path to application") parser.add_argument("-s", "--sysinfo",action='store_true', help="get System module 's information") parser.add_argument("-p","--process",action='store_true', help="get all running processes") parser.add_argument("-pname","--attach-pname",type=str,dest="pname", help="attach to th pname process") args = parser.parse_args() # Use Win32 API functions provided by WinAppDbg if win32.PathFileExists(args.run) is True: # File exists # Create a Debug object debug = winappdbg.Debug() try: # Debug the app # First item is program and the rest are arguments # execv: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L274 my_process = debug.execv([args.run]) print("Attached to %d - %s" % (my_process.get_pid(), my_process.get_filename())) # Keep debugging until the debugger stops debug.loop() finally: # Stop the debugger debug.stop() print("Debugger stopped.") elif args.sysinfo: # Create a System object # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66 system = winappdbg.System() # Use the built-in WinAppDbg table # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094 table = winappdbg.Table("\t") # New line table.addRow("", "") # Header title = ("System Information", "") table.addRow(*title) # Add system information table.addRow("------------------") table.addRow("Bits", system.bits) table.addRow("OS", system.os) table.addRow("Architecture", system.arch) table.addRow("32-bit Emulation", system.wow64) table.addRow("Admin", system.is_admin()) table.addRow("WinAppDbg", winappdbg.version) table.addRow("Process Count", system.get_process_count()) print(table.getOutput()) table1 = winappdbg.Table("\t") table1.addRow( "Right justified column text", "Left justified column text" ) table1.addRow( "---------------------------", "--------------------------" ) table1.addRow( "example", "text" ) table1.addRow( "jabberwocky", "snark" ) table1.addRow( "Trillian", "Zaphod", "Arthur Dent" ) # one extra! table1.addRow( "Dalek", "Cyberman" ) # By default all columns are left justified. Let's change that. table1.justify( 0, 1 ) # column 0 is now right justified # Let's find out how wide the table is. print("Table width: %d" % table1.getWidth()) # Let's find out how many bytes would it be if written to a file. print("Text size in characters: %d" % len( table1.getOutput() )) print(table1.getOutput()) elif args.process: system = winappdbg.System() # We can reuse example 02 from the docs # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes table = winappdbg.Table("\t") table.addRow("", "") header = ("pid", "process") table.addRow(*header) table.addRow("----", "----------") processes = {} # Add all processes to a dictionary then sort them by pid for process in system: processes[process.get_pid()] = process.get_filename() # Iterate through processes sorted by pid for key in sorted(processes.keys()): table.addRow(key, processes[key]) print(table.getOutput()) elif args.pname: debug = winappdbg.Debug() # example 3: # https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py try: debug.system.scan() for (process, name) in debug.system.find_processes_by_filename(args.pname): print("Found %d, %s" % (process.get_pid(), process.get_filename())) debug.attach(process.get_pid()) print("Attached to %d-%s" % (process.get_pid(), process.get_filename())) debug.loop() finally: debug.stop() else: print("%s not found." % (args.run))
def main(): parser = argparse.ArgumentParser(description="WinAppDbg stuff.") # Make -r and -pid mutually exclusive group = parser.add_mutually_exclusive_group() group.add_argument("-r", "--run", nargs="+", help="path to application followed by parameters") group.add_argument("-pid", "--attach-pid", type=int, dest="pid", help="pid of process to attach and instrument") group.add_argument("-pname", "--attach-process-name", dest="pname", help="pid of process to attach and instrument") parser.add_argument("-i", "--sysinfo", action="store_true", help="print system information") # Add optional log file parser.add_argument("-o", "--output", dest="output", help="log filename") args = parser.parse_args() # Setup logging # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1766 # Log to file global logger if args.output: # verbose=False disables printing to stdout logger = winappdbg.Logger(args.output, verbose=False) else: logger = winappdbg.Logger() if (args.run): # Concat all arguments into a string myargs = " ".join(args.run) # Use Win32 API functions provided by WinAppDbg if win32.PathFileExists(args.run[0]) is True: # File exists # Create a Debug object debug = winappdbg.Debug() try: # We will talk about this in a minute # Debug the app # debug.execv([args.app]) # execl: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L358 my_process = debug.execl(myargs) logger.log_text("Started %d - %s" % (my_process.get_pid(), my_process.get_filename())) # Keep debugging until the debugger stops debug.loop() finally: # Stop the debugger debug.stop() logger.log_text("Debugger stopped.") else: logger.log_text("%s not found." % (args.run[0])) exit() if(args.sysinfo): # Create a System object # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66 system = winappdbg.System() # Use the built-in WinAppDbg table # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094 table = winappdbg.Table("\t") # New line table.addRow("", "") # Header title = ("System Information", "") table.addRow(*title) # Add system information table.addRow("------------------") table.addRow("Bits", system.bits) table.addRow("OS", system.os) table.addRow("Architecture", system.arch) table.addRow("32-bit Emulation", system.wow64) table.addRow("Admin", system.is_admin()) table.addRow("WinAppDbg", winappdbg.version) table.addRow("Process Count", system.get_process_count()) logger.log_text(table.getOutput()) exit() if (args.pid): system = winappdbg.System() # Get all pids pids = system.get_process_ids() if args.pid in pids: # pid exists # Create a Debug object debug = winappdbg.Debug() try: # Attach to pid # attach: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L219 my_process = debug.attach(args.pid) logger.log_text("Attached to %d - %s" % (my_process.get_pid(), my_process.get_filename())) # Keep debugging until the debugger stops debug.loop() finally: # Stop the debugger debug.stop() logger.log_text("Debugger stopped.") else: logger.log_text("pid %d not found." % (args.pid)) exit() # find a process by name and attach to it if (args.pname): debug = winappdbg.Debug() # example 3: # https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py try: debug.system.scan() for (process, name) in debug.system.find_processes_by_filename(args.pname): logger.log_text("Found %d, %s" % (process.get_pid(), process.get_filename())) debug.attach(process.get_pid()) logger.log_text("Attached to %d-%s" % (process.get_pid(), process.get_filename())) debug.loop() finally: # Stop the debugger debug.stop() print "Debugger stopped." exit() # If no arguments, logger.log_text(running processes system = winappdbg.System() # We can reuse example 02 from the docs # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes table = winappdbg.Table("\t") table.addRow("", "") header = ("pid", "process") table.addRow(*header) table.addRow("----", "----------") processes = {} # Add all processes to a dictionary then sort them by pid for process in system: processes[process.get_pid()] = process.get_filename() # Iterate through processes sorted by pid for key in sorted(processes.iterkeys()): table.addRow(key, processes[key]) logger.log_text(table.getOutput())
def main(): parser = argparse.ArgumentParser(description="WinAppDbg stuff.") parser.add_argument("-r", "--run", nargs="+", help="path to application followed by parameters") parser.add_argument("-i", "--sysinfo", action="store_true", help="print system information") args = parser.parse_args() if (args.run): # Concat all arguments into a string myargs = " ".join(args.run) # Use Win32 API functions provided by WinAppDbg if win32.PathFileExists(args.run[0]) is True: # File exists # Create a Debug object debug = winappdbg.Debug() try: # We will talk about this in a minute # Debug the app # debug.execv([args.app]) # execl: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L358 my_process = debug.execl(myargs) print "Started %d - %s" % (my_process.get_pid(), my_process.get_filename()) # kKep debugging until the debugger stops debug.loop() finally: # Stop the debugger debug.stop() print "Debugger stopped." else: print "%s not found." % (args.run[0]) exit() if(args.sysinfo): # Create a System object # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66 system = winappdbg.System() # Use the built-in WinAppDbg table # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094 table = winappdbg.Table("\t") # New line table.addRow("", "") # Header title = ("System Information", "") table.addRow(*title) # Add system information table.addRow("------------------") table.addRow("Bits", system.bits) table.addRow("OS", system.os) table.addRow("Architecture", system.arch) table.addRow("32-bit Emulation", system.wow64) table.addRow("Admin", system.is_admin()) table.addRow("WinAppDbg", winappdbg.version) table.addRow("Process Count", system.get_process_count()) print table.getOutput() exit() # If no arguments, print running processes system = winappdbg.System() # We can reuse example 02 from the docs # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes table = winappdbg.Table("\t") table.addRow("", "") header = ("pid", "process") table.addRow(*header) table.addRow("----", "----------") processes = {} # Add all processes to a dictionary then sort them by pid for process in system: processes[process.get_pid()] = process.get_filename() # Iterate through processes sorted by pid for key in sorted(processes.iterkeys()): table.addRow(key, processes[key]) print table.getOutput()
def run(self): self.dbg = winappdbg.Debug(self) self.dbg.attach(self.pid) self.next_hook()
class WinAppUtil(object): """ Main class for WinAppUtil. Contains most of the helper functions and utilities. TODO: group stuff """ def __init__(self, cmd=None, logger=None, pid_pname=None, eventhandler=None, attach=False, kill_on_exit=True): """ Create a WinAppUtil object. @type pid_pname: str or int @param pid_pname: (Optional) Process id or process name to debug. Only used if attach is True. If int, debugger will try to attach to pid. If str, debugger will search for running processes with that name and try to attach to them. @type cmd: list of str @param cmd: (Optional) Contains command line to execute or attach. If attach is False, first item contains the application name and path if any. The rest contain command line parameters to pass to the newly started application. If attach is True, first item of the list must contain the pid or process name of the application to attach to. @type logger: winappdbg.logger @param logger: (Optional) An instance of WinAppDbg logger. The winappdbg.logger can be used as follows: logger = winappdbg.Logger(filename, verbose) filename if provided will be the location of the log file. If verbose is True, logs will also be printed to stdout. If no arguments are provided, logs will be printed to stdout. for example: logger = winappdbg.Logger("mylog.txt") or logger = winappdbg.Logger("mylog.txt", verbose=True) Logs will be stored in "mylog.txt" AND printed to stdout. logger = winappdbg.Logger("mylog.txt", verbose=False) Logs will only be stored in the file. logger = winappdbg.Logger() Logs will be printed to stdout. More info: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1766 @type eventhandler: winappdbg.eventhandler param eventhandler: (Optional) An instance of a EventHandler class. This way we can customize our own eventhandler without having to write a lot of code to do it in the class. @type attach: bool @type attach: (Optional) Attach or start a new process. If True, try to attach to the pid or pname. If False, start a new process. @type kill_on_exit: bool @param kill_on_exit: (Optional) Kill the process when debugger exits. We generally just pass this to bkillOnExit in WinAppDbg. @rtype: winapputil.WinAppUtil @return: Returns an instance of WinAppUtil. """ self.cmdline = cmd self.logger = logger self.eventhandler = eventhandler self.attach = attach self.kill_on_exit = kill_on_exit self.pid_pname = pid_pname if attach is False and cmd is not None: self.pid_pname = cmd[0] def sysinfo(self): """ Returns information about the system. @rtype: str @return: A table populated with system information. """ # Create a System object # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66 system = winappdbg.System() # Use the built-in Table # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094 table = winappdbg.Table("\t") # New line table.addRow("", "") # Header title = ("System Information", "") table.addRow(*title) # Add system information table.addRow("------------------") table.addRow("Bits", system.bits) table.addRow("OS", system.os) table.addRow("Architecture", system.arch) table.addRow("32-bit Emulation", system.wow64) table.addRow("Admin", system.is_admin()) table.addRow("WinAppDbg", winappdbg.version) table.addRow("Process Count", system.get_process_count()) return table.getOutput() def get_processes(self): """ Returns a table of all running processes with their pid and filename. @rtype: str @return: A table listing all running processes. """ system = winappdbg.System() # We can reuse example 02 from the docs # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes table = winappdbg.Table("\t") table.addRow("", "") header = ("pid", "process") table.addRow(*header) table.addRow("----", "----------") processes = {} # Add all processes to a dictionary then sort them by pid for process in system: processes[process.get_pid()] = process.get_filename() # Iterate through processes sorted by pid for key in sorted(processes.iterkeys()): table.addRow(key, processes[key]) return table.getOutput() def get_process_handle(pid): """ Returns a handle to the process with pid. @type pid: int @param pid: ID of the target process. @rtype: winappdbg.process @return: A handle to the process associated with pid. """ system = winappdbg.System() if system.has_process(pid): return system.get_process(pid) else: raise DebugError(pid, "Process not found") def debug(self): """ Starts a new process or attaches to a running process. @rtype: winappdbg.Debug @return: WinAppDbg Debug object that can be used to interact with the application. """ if self.attach is True: if self.logger is not None: self.logger.log_text("Attaching to %s" % (str(self.pid_pname))) return self.__attach() else: if self.logger is not None: self.logger.log_text("Starting %s" % (" ".join(self.cmdline))) return self.__start() def __attach(self): """ Attaches to a process based on pid or process name. @rtype: winappdbg.Debug @return: WinAppDbg Debug object that can be used to interact with the application. """ debugger = winappdbg.Debug(self.eventhandler, bKillOnExit=self.kill_on_exit) if type(self.pid_pname) is int: # Get all running pids pids = debugger.system.get_process_ids() if self.pid_pname in pids: # pid exists then attach to the pid # attach: # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L219 debugger.attach(self.pid_pname) return debugger else: raise DebugError(self.pid_pname, "pid not found") elif type(self.pid_pname) is str: # Example 3: # https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py debugger.system.scan() # Search for all processes with that name rslt = debugger.system.find_processes_by_filename(self.pid_pname) if len(rslt) is not 0: # Process found # Attach to all processes for (process, name) in rslt: debugger.attach(process.get_pid()) return debugger else: # Process not found raise DebugError(self.pid_pname, "Process not found") else: # pid_pname is neither int nor str raise DebugError(self.pid_pname, "Invalid parameter passed") def __start(self): """ Start and debug a program with (or without) parameters @rtype: winappdbg.Debug @return: WinAppDbg Debug object that can be used to interact with the application. @raise DebugError: Raises an exception on error. File was not found. """ # First check if file exists (in case we have passed a full path) # If we cannot find the full path, search in %PATH% if win32.PathFileExists(self.pid_pname) is False: try: # Search for file using win32.SearchPath # If file does not exist, then an exception is raised # Works: win32.SearchPath(None, "notepad.exe", ".exe") # Works: win32.SearchPath(None, "notepad.exe", None) # Doesn't work: win32.SearchPath(None, "notepad", None) _, _ = win32.SearchPath(None, self.pid_pname, ".exe") # An exception will be raised if file was not found except WindowsError, e: raise DebugError(self.pid_pname, e) # Either fullpath is passed or file exists in %PATH% # In both cases we can just pass it to execv debugger = winappdbg.Debug(self.eventhandler, bKillOnExit=self.kill_on_exit) debugger.execv(self.cmdline, bFollow=True) return debugger