def my_event_handler(event): global result_dir, g_cur_file # Get the event name. name = event.get_event_name() # Get the event code. code = event.get_event_code() # Get the process ID where the event occured. pid = event.get_pid() # Get the thread ID where the event occured. tid = event.get_tid() if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance(): print " [*]:Crash detected with %s, storing crash dump ..." % g_cur_file crash = Crash(event) # You can turn it into a full crash dump (recommended). # crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump crash.fetch_extra_data(event, takeMemorySnapshot=1) # small memory dump # crash.fetch_extra_data( event, takeMemorySnapshot = 2 ) # full memory dump result_file = os.path.join(result_dir, "%s.result" % os.path.basename(g_cur_file)) print result_file with open(result_file, mode='w') as f: f.write(crash.fullReport()) f.close() print " [*]:Crash result saved in %s !" % result_file # Kill the process. event.get_process().kill()
def AccessViolationHandlerWINAPPDBG(event): ''' Handle access violation while using winappdbg ''' global curr_input code = event.get_event_code() if event.get_event_code() == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance(): crash = Crash(event) crash.fetch_extra_data(event) details = crash.fullReport(bShowNotes=True) violation_addr = hex(crash.registers['Eip']) thetime = datetime.now().strftime("%Y_%m_%d_%H_%M_%S") exe_name = event.get_process().get_filename().split('\\')[-1] crashfilename = 'crash_'+'_'+ curr_input.split('fuzz-')[1] +'.'+curr_input.split('.')[-1] synfilename = crash_dir+exe_name+'\\'+ violation_addr +'\\'+crashfilename + '.txt' if not os.path.exists(crash_dir+exe_name): os.makedirs(crash_dir+exe_name) if not os.path.exists(crash_dir+exe_name+'\\'+violation_addr): os.makedirs(crash_dir+exe_name+'\\'+violation_addr) shutil.copyfile(curr_input,crash_dir+exe_name+'\\'+violation_addr+'\\'+curr_input.split('fuzz-')[1]) logger.info('[+]',datetime.now().strftime("%Y:%m:%d::%H:%M:%S"),'BOOM!! APP Crashed :','Crash file Copied to ',(exe_name+'\\'+violation_addr+'\\'+crashfilename)) syn = open(synfilename,'w') syn.write(details) syn.close() logger.debug('[+] '+ datetime.now().strftime("%Y:%m:%d::%H:%M:%S")+' Killing half dead process') try: event.get_process().kill() except: ForceKillOffice()
def debug_loop(self, e): code = e.get_event_code() self.event = e if code == win32.EXCEPTION_DEBUG_EVENT and e.is_last_chance(): try: crash = Crash(e) crash.fetch_extra_data(e) dump_log = crash.fullReport(False) except: pass crash_type = dump_log.split('\n')[2].split(':')[1] dirname = '/' + crash_type + '_' + str(time.time()) os.mkdir('./logs' + dirname) original_seed = copyfile(r"seed/%s" % self.seed_name, r"logs%s/%s" % (dirname, "original_seed")) mutated_seed = copyfile(r"./%s" % self.mutated_name, r"logs%s/%s" % (dirname, "mutated_bin")) crash_path = "./logs" + dirname + "/crash_dump.txt" f = open(crash_path, 'w') f.write(dump_log) f.close() print "[***] Exception Occurred -> saved in \"%s\" folder" % dirname self.access_vi = True e.get_process().kill() self.debug.stop()
def my_event_handler( event ): # Get the event name. name = event.get_event_name() # Get the event code. code = event.get_event_code() # Get the process ID where the event occured. pid = event.get_pid() # Get the thread ID where the event occured. tid = event.get_tid() # Get the value of EIP at the thread. pc = event.get_thread().get_pc() # Show something to the user. bits = event.get_process().get_bits() format_string = "%s (%s) at address %s, process %d, thread %d" message = format_string % ( name, HexDump.integer(code, bits), HexDump.address(pc, bits), pid, tid ) print message # If the event is a crash... if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance(): print "Crash detected, storing crash dump in database..." # Generate a minimal crash dump. crash = Crash( event ) # You can turn it into a full crash dump (recommended). # crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump # crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump crash.fetch_extra_data( event, takeMemorySnapshot = 2 ) # full memory dump # Connect to the database. You can use any URL supported by SQLAlchemy. # For more details see the reference documentation. dao = CrashDAO( "sqlite:///crashes.sqlite" ) #dao = CrashDAO( "mysql+MySQLdb://root:toor@localhost/crashes" ) # Store the crash dump in the database. dao.add( crash ) # If you do this instead, heuristics are used to detect duplicated # crashes so they aren't added to the database. # dao.add( crash, allow_duplicates = False ) # You can also launch the interactive debugger from here. Try it! :) # event.debug.interactive() # Kill the process. event.get_process().kill()
def my_event_handler( event ): # Get the event name. name = event.get_event_name() # Get the event code. code = event.get_event_code() # Get the process ID where the event occured. pid = event.get_pid() # Get the thread ID where the event occured. tid = event.get_tid() # Get the value of EIP at the thread. pc = event.get_thread().get_pc() # Show something to the user. bits = event.get_process().get_bits() format_string = "%s (%s) at address %s, process %d, thread %d" message = format_string % ( name, HexDump.integer(code, bits), HexDump.address(pc, bits), pid, tid ) print(message) # If the event is a crash... if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance(): print("Crash detected, storing crash dump in database...") # Generate a minimal crash dump. crash = Crash( event ) # You can turn it into a full crash dump (recommended). # crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump # crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump crash.fetch_extra_data( event, takeMemorySnapshot = 2 ) # full memory dump # Connect to the database. You can use any URL supported by SQLAlchemy. # For more details see the reference documentation. dao = CrashDAO( "sqlite:///crashes.sqlite" ) #dao = CrashDAO( "mysql+MySQLdb://root:toor@localhost/crashes" ) # Store the crash dump in the database. dao.add( crash ) # If you do this instead, heuristics are used to detect duplicated # crashes so they aren't added to the database. # dao.add( crash, allow_duplicates = False ) # You can also launch the interactive debugger from here. Try it! :) # event.debug.interactive() # Kill the process. event.get_process().kill()
def AccessViolationHandlerWINAPPDBG(event): # Handle access violation while using winappdbg #todo: correct error codes # hardik code = event.get_event_code() if event.get_event_code() == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance(): global does_crash does_crash = True crash = Crash(event) crash.fetch_extra_data(event) details =r""" _____ / ____| | | /\ | | /_ | / _ \ | | _ __ __ _ ___| |__ / \ _ __ __ _| |_ _ _______ _ __ __ _| || | | | | | | '__/ _` / __| '_ \ / /\ \ | '_ \ / _` | | | | |_ / _ \ '__| \ \ / / || | | | | |____| | | (_| \__ \ | | |/ ____ \| | | | (_| | | |_| |/ / __/ | \ V /| || |_| | \_____|_| \__,_|___/_| |_/_/ \_\_| |_|\__,_|_|\__, /___\___|_| \_/ |_(_)___/ __/ | |___/ email: [email protected] web: http://hardik05.wordpress.com """ details = details + "\r\n" + crash.fullReport(bShowNotes=True) violation_addr = hex(crash.registers['Eip']) label = crash.labelPC Crash_Function_Name = label.split('+')[0] Crash_Function_Name = re.sub('[^A-Za-z0-9]+', '_', Crash_Function_Name) thetime = datetime.now().strftime("%Y_%m_%d_%H_%M_%S") exe_name = event.get_process().get_filename().split('\\')[-1] #crashfilename is the file containing the crash details crashfilename = 'crash_'+TestCaseName+'_'+'_'+ thetime #syncfilename is the file containig crash details synfilename = OUTPUT_DIR + '\\crashes\\'+exe_name+'\\'+ Crash_Function_Name +'\\crash_'+ TestCaseName + '_details.txt' + '_' + thetime + ".txt" if not os.path.exists(OUTPUT_DIR + '\\crashes\\'+exe_name): os.makedirs(OUTPUT_DIR + '\\crashes\\'+exe_name) if not os.path.exists(OUTPUT_DIR + '\\crashes\\'+exe_name+'\\'+Crash_Function_Name): os.makedirs(OUTPUT_DIR + '\\crashes\\'+exe_name+'\\'+Crash_Function_Name) syn = open(synfilename,'w+') syn.write(details) syn.close() #print '[+] '+ datetime.now().strftime("%Y:%m:%d::%H:%M:%S")+' Killing half dead process' try: event.get_process().kill() shutil.move(filepath,OUTPUT_DIR + '\\crashes\\'+exe_name+'\\'+Crash_Function_Name+'\\'+crashfilename) print RED + 'Program is crashing at :'+ END, Crash_Function_Name print 'Crash file moved to : ', (OUTPUT_DIR + '\\crashes\\'+ exe_name+'\\'+Crash_Function_Name+'\\'+crashfilename) except: print "error"
def do(self, arg): ".exploitable - Determine the approximate exploitability rating" from winappdbg import Crash event = self.debug.lastEvent crash = Crash(event) crash.fetch_extra_data(event) status, rule, description = crash.isExploitable() print "-" * 79 print "Exploitability: %s" % status print "Matched rule: %s" % rule print "Description: %s" % description print "-" * 79
def _my_event_handler(self, event): """ handle debugger events """ code = event.get_event_code() if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance(): self._crash_event_complete.clear() self.logger.warning( "Crash detected, storing crash dump in database...") self.report.failed("crash detected") self.report.add("event name", event.get_event_name()) self.report.add("event code", code) # Generate a minimal crash dump. crash = Crash(event) # You can turn it into a full crash dump (recommended). # crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump # crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump crash.fetch_extra_data(event, takeMemorySnapshot=2) # full memory dump self.report.add("crash_isExploitable", crash.isExploitable()) self.report.add("crash_briefReport", crash.briefReport()) self.report.add("crash_fullReport", crash.fullReport()) self.report.add("crash_timestamp", crash.timeStamp) self.report.add("crash_signature", crash.signature) # Connect to the database. You can use any URL supported by SQLAlchemy. # For more details see the reference documentation. dao = CrashDAO(self._sql_crash_db) # If you do this instead, heuristics are used to detect duplicated # crashes so they aren"t added to the database. dao.add(crash, allow_duplicates=False) # Kill the process. self._process.kill() # DO WE NEED THIS ??? if "Process termination event" == event.get_event_name(): self.logger.debug("detected process termination event code=%d" % code) self.logger.debug("debugee count=%s" % self._debug.get_debugee_count()) self.logger.debug("debugee pids=%s" % self._debug.get_debugee_pids())
def _my_event_handler(self, event): ''' handle debugger events ''' code = event.get_event_code() if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance(): self._crash_event_complete.clear() self.logger.warning("Crash detected, storing crash dump in database...") self.report.failed('crash detected') self.report.add('event name', event.get_event_name()) self.report.add('event code', code) # Generate a minimal crash dump. crash = Crash(event) # You can turn it into a full crash dump (recommended). # crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump # crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump crash.fetch_extra_data(event, takeMemorySnapshot=2) # full memory dump self.report.add('crash_isExploitable', crash.isExploitable()) self.report.add('crash_briefReport', crash.briefReport()) self.report.add('crash_fullReport', crash.fullReport()) self.report.add('crash_timestamp', crash.timeStamp) self.report.add('crash_signature', crash.signature) # Connect to the database. You can use any URL supported by SQLAlchemy. # For more details see the reference documentation. dao = CrashDAO(self._sql_crash_db) # If you do this instead, heuristics are used to detect duplicated # crashes so they aren't added to the database. dao.add(crash, allow_duplicates=False) # Kill the process. self._process.kill() # DO WE NEED THIS ??? if 'Process termination event' == event.get_event_name(): self.logger.debug('detected process termination event code=%d' % code) self.logger.debug('debugee count=%s' % self._debug.get_debugee_count()) self.logger.debug('debugee pids=%s' % self._debug.get_debugee_pids())
def dump(self): crash = Crash(self.event) crash.fetch_extra_data(self.event) report = crash.fullReport(False) crash_type = report.split('\n')[2].split(':')[1] self.work_summary = crash_type + '_' + str(time.time()) report_descriptor = open("{}/{}/report.txt".format(self.crash_path, self.work_summary), 'w') report_descriptor.write(report) report_descriptor.close() self.save_report(crash_type, report) self.copy_case() print "Exception Occurred" self.communicationManager.alert("Exception Occurred") self.communicationManager.alert(report) self.kill_test_process()
def AccessViolationHandlerWINAPPDBG(self, event): # Handle access violation while using winappdbg code = event.get_event_code() if event.get_event_code( ) == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance(): crash = Crash(event) crash.fetch_extra_data(event) details = crash.fullReport(bShowNotes=True) violation_addr = hex(crash.registers['Eip']) thetime = datetime.now().strftime("%Y_%m_%d_%H_%M_%S") exe_name = event.get_process().get_filename().split('\\')[-1] crashfilename = 'crash_' + self.CurrentTestCaseName + '_' + '_' + thetime + '.' + self.CurrentTestCaseName.split( '.')[-1] synfilename = 'crashes\\' + exe_name + '\\' + violation_addr + '\\crash_' + self.CurrentTestCaseName + '_' + '_' + thetime + '.txt' if not os.path.exists('crashes\\' + exe_name): os.makedirs('crashes\\' + exe_name) if not os.path.exists('crashes\\' + exe_name + '\\' + violation_addr): os.makedirs('crashes\\' + exe_name + '\\' + violation_addr) shutil.copyfile( self.conf.fuzztempfolder + '\\' + self.CurrentTestCaseName, 'crashes\\' + exe_name + '\\' + violation_addr + '\\' + crashfilename) print '[+]', datetime.now().strftime( "%Y:%m:%d::%H:%M:%S" ), 'BOOM!! APP Crashed :', 'Crash file Copied to ', ( exe_name + '\\' + violation_addr + '\\' + crashfilename) syn = open(synfilename, 'w') syn.write(details) syn.close() #print '[+] '+ datetime.now().strftime("%Y:%m:%d::%H:%M:%S")+' Killing half dead process' try: event.get_process().kill() except: self.ForceKillOffice()
def crash_event_handler(event): """ This implements the whole logic. The code below triggered by an access violation is responsible for storing / doing whatever with the crash info """ code = event.get_event_code() # TODO: use this to distinguish between Eip and Rip? bits = event.get_process().get_bits() # If the event is a crash... if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance(): print "=== [*] Crash detected, analyzing..." name = event.get_exception_description() pc = event.get_thread().get_pc() # Get the offending address. address = event.get_exception_address() # TODO: Get the register values #thread = event.get_thread() #registers = thread.get_context() # Generate a minimal crash dump. crash = Crash(event) if crash.exceptionLabel: c_label = crash.exceptionLabel else: c_label = 'Not available' # Crashing file contents in Base64 if file_info: bin = file_info else: bin = None crash_properties = dict() crash_properties['victim'] = victim_filename crash_properties['processor'] = crash.arch crash_properties['event_name'] = name crash_properties['ip'] = address # pc, registers['Eip'], etc. crash_properties['crash_label'] = c_label crash_properties['stacktrace'] = crash.stackTraceLabels crash_properties['exploitability'] = crash.isExploitable() crash_properties['bin'] = bin # TODO: Calculate some kind of metric in order to discard already # found crashes (or minimal variations of them) # XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # You can turn it into a full crash dump (recommended). # crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump # crash.fetch_extra_data(event, takeMemorySnapshot = 2) # full memory dump # TODO: do not hardcode this directory dao = CrashDAO("sqlite:///crashes/crashes.sqlite") # Store the crash dump in the database. print "=== [*] Storing crash dump in (local) database..." # NOTE: If you do this instead, heuristics are used to detect duplicated # crashes so they aren't added to the database. # dao.add( crash, allow_duplicates = False ) dao.add(crash) # # Store the crash, locally and in server # # Kill the process. event.get_process().kill() communications.add_crash(crash_properties) fileops.save_crash_file(crash_filename, 'crashes')