def main(argv): print "Hex dumper using WinAppDbg" print "by Mario Vilas (mvilas at gmail.com)" print if len(argv) != 2: import os script = os.path.basename(argv[0]) print " %s <filename>" % script return with open(argv[1], "rb") as fd: fd.seek(0, 2) size = fd.tell() fd.seek(0, 0) if bit_length(size) > 32: width = 8 else: width = 16 address = 0 while 1: data = fd.read(16) if not data: break print HexDump.hexblock(data, address=address, width=width), address = address + len(data)
def main(): print "Process memory reader" print "by Mario Vilas (mvilas at gmail.com)" print if len(sys.argv) not in (4, 5): script = os.path.basename(sys.argv[0]) print " %s <pid> <address> <size> [binary output file]" % script print " %s <process.exe> <address> <size> [binary output file]" % script return System.request_debug_privileges() try: pid = HexInput.integer(sys.argv[1]) except: s = System() s.scan_processes() pl = s.find_processes_by_filename(sys.argv[1]) if not pl: print "Process not found: %s" % sys.argv[1] return if len(pl) > 1: print "Multiple processes found for %s" % sys.argv[1] for p, n in pl: print "\t%s: %s" % (HexDump.integer(p), n) return pid = pl[0][0].get_pid() try: address = HexInput.integer(sys.argv[2]) except Exception: print "Invalid value for address: %s" % sys.argv[2] return try: size = HexInput.integer(sys.argv[3]) except Exception: print "Invalid value for size: %s" % sys.argv[3] return p = Process(pid) data = p.read(address, size) ## data = p.peek(address, size) print "Read %d bytes from PID %d" % (len(data), pid) if len(sys.argv) == 5: filename = sys.argv[4] open(filename, 'wb').write(data) print "Written %d bytes to %s" % (len(data), filename) else: if win32.sizeof(win32.LPVOID) == win32.sizeof(win32.DWORD): width = 16 else: width = 8 print print HexDump.hexblock(data, address, width=width)
def main(): print "Process memory reader" print "by Mario Vilas (mvilas at gmail.com)" print if len(sys.argv) not in (4, 5): script = os.path.basename(sys.argv[0]) print " %s <pid> <address> <size> [binary output file]" % script print " %s <process.exe> <address> <size> [binary output file]" % script return System.request_debug_privileges() try: pid = HexInput.integer(sys.argv[1]) except: s = System() s.scan_processes() pl = s.find_processes_by_filename(sys.argv[1]) if not pl: print "Process not found: %s" % sys.argv[1] return if len(pl) > 1: print "Multiple processes found for %s" % sys.argv[1] for p,n in pl: print "\t%s: %s" % (HexDump.integer(p),n) return pid = pl[0][0].get_pid() try: address = HexInput.integer(sys.argv[2]) except Exception: print "Invalid value for address: %s" % sys.argv[2] return try: size = HexInput.integer(sys.argv[3]) except Exception: print "Invalid value for size: %s" % sys.argv[3] return p = Process(pid) data = p.read(address, size) ## data = p.peek(address, size) print "Read %d bytes from PID %d" % (len(data), pid) if len(sys.argv) == 5: filename = sys.argv[4] open(filename, 'wb').write(data) print "Written %d bytes to %s" % (len(data), filename) else: if win32.sizeof(win32.LPVOID) == win32.sizeof(win32.DWORD): width = 16 else: width = 8 print print HexDump.hexblock(data, address, width = width)
def check_args_callback(event): ''' This will be called when our breakpoint is hit. Checks if our string is a parameter. @param event: Event information, dear Watson. @todo: dereference the values in registers as well {eax, ebx, ecx, esi, edi} ''' nrOfArguments = 5 # TODO: Take this parameter from IDA MAX_USERSPACE_ADDRESS = 0x7FFFFFFF MIN_USERSPACE_ADDRESS = 0x1000 MAX_ARGUMENT_LEN = 100 # somehow arbitrary process = event.get_process() thread = event.get_thread() Eip = thread.get_pc() Esp = thread.get_context()['Esp'] stackAddress = Esp + 4 for idx in xrange(nrOfArguments): stackAddress += idx * 4 # Dereference at address and look for searchPattern # NOTE: read() returns a string, not a number (unpack does the trick) suspectedPointer = struct.unpack('<L', process.read(stackAddress, 4))[0] if suspectedPointer > MIN_USERSPACE_ADDRESS and suspectedPointer < MAX_USERSPACE_ADDRESS: try: possibleString = process.read(suspectedPointer, MAX_ARGUMENT_LEN) # This is already a string, cool if searchPattern in possibleString: if Eip not in logged_functions: logged_functions.append(Eip) print "[*] Found! %s is the parameter nr. %d of %08x" % (searchPattern, idx + 1, Eip) fd.write("[*] Found! %s is the %d parameter of %08x\n" % (searchPattern, idx + 1, Eip)) fd.write("%s\n" % HexDump.hexblock(possibleString, suspectedPointer)) except KeyboardInterrupt: fd.close() sys.exit(1) except: # Access violation. Log only by debugging (huge overhead due to I/O) pass # Let's search for the string in UNICODE possibleStringU = process.peek_string(suspectedPointer, fUnicode = True) if searchPattern in possibleStringU: if searchPattern in possibleString: if Eip not in logged_functions: logged_functions.append(Eip) print "[*] Found! %s is the parameter nr. %d of %08x" % (searchPattern, idx + 1, Eip) fd.write("[*] Found! %s is the %d parameter of %08x\n" % (searchPattern, idx + 1, Eip)) fd.write("%s\n" % HexDump.hexblock(possibleString, suspectedPointer))
def scanBtnClk(self): if hack == None: return text = str(self.searchtext.toPlainText()) if text.strip() == '': return self.searchlistwidget.clear() if valuetype == 'byte': num = memprc.d2h(int(text), 1) if valuetype == '2byte': num = memprc.d2h(int(text), 2) if valuetype == '4bytes': num = memprc.d2h(int(text), 4) if valuetype == '8bytes': num = memprc.d2h(int(text), 8) if valuetype == 'String': pass #num = memprc.d2h(int(text), 4) result = hack.hwnd.search_hexa(num, hack.base_address, hack.last_address) cnt = 0 for address, data in result: item = QtGui.QListWidgetItem(self.searchlistwidget) item.setText(HexDump.hexblock(data, address=address)) #print HexDump.hexblock(data, address=address) cnt += 1 self.searchcntlabel.setText(str(cnt))
def main(argv): print("Hex dumper using WinAppDbg") print("by Mario Vilas (mvilas at gmail.com)") print() if len(argv) != 2: import os script = os.path.basename(argv[0]) print(" %s <filename>" % script) return with open(argv[1], 'rb') as fd: fd.seek(0, 2) size = fd.tell() fd.seek(0, 0) if bit_length(size) > 32: width = 8 else: width = 16 address = 0 while 1: data = fd.read(16) if not data: break print(HexDump.hexblock(data, address=address, width=width), end=' ') address = address + len(data)
def wildcard_search(pid, pattern): # # Hex patterns must be in this form: # "68 65 6c 6c 6f 20 77 6f 72 6c 64" # "hello world" # # Spaces are optional. Capitalization of hex digits doesn't matter. # This is exactly equivalent to the previous example: # "68656C6C6F20776F726C64" # "hello world" # # Wildcards are allowed, in the form of a "?" sign in any hex digit: # "5? 5? c3" # pop register / pop register / ret # "b8 ?? ?? ?? ??" # mov eax, immediate value # # Instance a Process object. process = Process(pid) # Search for the hexadecimal pattern in the process memory. for address, data in process.search_hexa(pattern): # Print a hex dump for each memory location found. print HexDump.hexblock(data, address=address)
def wildcard_search( pid, pattern ): # # Hex patterns must be in this form: # "68 65 6c 6c 6f 20 77 6f 72 6c 64" # "hello world" # # Spaces are optional. Capitalization of hex digits doesn't matter. # This is exactly equivalent to the previous example: # "68656C6C6F20776F726C64" # "hello world" # # Wildcards are allowed, in the form of a "?" sign in any hex digit: # "5? 5? c3" # pop register / pop register / ret # "b8 ?? ?? ?? ??" # mov eax, immediate value # # Instance a Process object. process = Process( pid ) # Search for the hexadecimal pattern in the process memory. for address, data in process.search_hexa( pattern ): # Print a hex dump for each memory location found. print HexDump.hexblock(data, address = address)
def message(self, pid, address, data=None): if self.start < 0: raise StopIteration count = self.count + 1 # NOQA address = address + self.start where = HexDump.address(address) # NOQA size = self.end - self.start # NOQA msg = self.showfmt % vars() if data is not None: msg += "\n" p = self.start & (~0xF) q = (self.end & (~0xF)) + 0x10 msg += HexDump.hexblock(data[p:q], address & (~0xF)) if msg.endswith('\n'): msg = msg[:-len('\n')] return msg
def action_callback_create_process(event): print('hit break') global c2_list, cfg, rsa_pub_key process = event.get_process() thread = event.get_thread() # Get the address of the top of the stack. stack = thread.get_sp() # Get the return address of the call. ret_address = process.read_pointer(stack) print('caller addr:{:08x}'.format(ret_address)) # Get the process and thread IDs. pid = event.get_pid() tid = event.get_tid() extract_done = False failed_reason = 'unknown' max_c2_counter = 400 shell_data = 0 sig_addr_list = [] for address, data in process.search_hexa('68 00 80 00 00 6a 6a 68'): # Print a hex dump for each memory location found. if ret_address & 0xFFFF0000 == address & 0xFFFF0000: print('hit sig at:') print(HexDump.hexblock(data, address=address)) sig_addr_list.append(address) memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames(memoryMap) # For each memory block in the map... for mbi in memoryMap: # Address and size of memory block. BaseAddress = mbi.BaseAddress RegionSize = mbi.RegionSize for address in sig_addr_list: if address > BaseAddress and address < BaseAddress + RegionSize: print('Hit shell code block!\n{:08x}\t{:08x}'.format( BaseAddress, RegionSize)) shell_data = process.read(BaseAddress, RegionSize) # no hit, just kill and return if shell_data != 0: # dump shell code block print('dump shell code!') with open('shell.dump', 'wb') as fh: fh.write(shell_data) # dump final payload dump_pe_path = 'pe.dump' pe_offset = shell_data.find('\x4D\x5A\x90') print('dump final payload!') with open(dump_pe_path, 'wb') as fh: fh.write(shell_data[pe_offset:]) print('\n-----------------------------') c2_list, rsa_pub_key = extract_ioc(dump_pe_path, 0x400000) print('\nc2 list:') for c2 in c2_list: print('{}'.format(c2)) print('\nrsa key:\n{}'.format(rsa_pub_key)) # Show a message to the user. message = "kernel32!CreateProcessW called from %s by thread %d at process %d" print message % (HexDump.address(ret_address, process.get_bits()), tid, pid) process.kill()