本文整理汇总了Python中winappdbg.HexDump类的典型用法代码示例。如果您正苦于以下问题:Python HexDump类的具体用法?Python HexDump怎么用?Python HexDump使用的例子?那么恭喜您, 这里精选的类代码示例或许可以为您提供帮助。
在下文中一共展示了HexDump类的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: main
def main(argv):
print "Hex dumper using WinAppDbg"
print "by Mario Vilas (mvilas at gmail.com)"
print
if len(argv) != 2:
import os
script = os.path.basename(argv[0])
print " %s <filename>" % script
return
with open(argv[1], "rb") as fd:
fd.seek(0, 2)
size = fd.tell()
fd.seek(0, 0)
if bit_length(size) > 32:
width = 8
else:
width = 16
address = 0
while 1:
data = fd.read(16)
if not data:
break
print HexDump.hexblock(data, address=address, width=width),
address = address + len(data)示例2: main
def main():
print "Process memory reader"
print "by Mario Vilas (mvilas at gmail.com)"
print
if len(sys.argv) not in (4, 5):
script = os.path.basename(sys.argv[0])
print " %s <pid> <address> <size> [binary output file]" % script
print " %s <process.exe> <address> <size> [binary output file]" % script
return
System.request_debug_privileges()
try:
pid = HexInput.integer(sys.argv[1])
except:
s = System()
s.scan_processes()
pl = s.find_processes_by_filename(sys.argv[1])
if not pl:
print "Process not found: %s" % sys.argv[1]
return
if len(pl) > 1:
print "Multiple processes found for %s" % sys.argv[1]
for p,n in pl:
print "\t%s: %s" % (HexDump.integer(p),n)
return
pid = pl[0][0].get_pid()
try:
address = HexInput.integer(sys.argv[2])
except Exception:
print "Invalid value for address: %s" % sys.argv[2]
return
try:
size = HexInput.integer(sys.argv[3])
except Exception:
print "Invalid value for size: %s" % sys.argv[3]
return
p = Process(pid)
data = p.read(address, size)
## data = p.peek(address, size)
print "Read %d bytes from PID %d" % (len(data), pid)
if len(sys.argv) == 5:
filename = sys.argv[4]
open(filename, 'wb').write(data)
print "Written %d bytes to %s" % (len(data), filename)
else:
if win32.sizeof(win32.LPVOID) == win32.sizeof(win32.DWORD):
width = 16
else:
width = 8
print
print HexDump.hexblock(data, address, width = width)示例3: my_event_handler
def my_event_handler( event ):
# Get the event name.
name = event.get_event_name()
# Get the event code.
code = event.get_event_code()
# Get the process ID where the event occured.
pid = event.get_pid()
# Get the thread ID where the event occured.
tid = event.get_tid()
# Get the value of EIP at the thread.
pc = event.get_thread().get_pc()
# Show something to the user.
bits = event.get_process().get_bits()
format_string = "%s (%s) at address %s, process %d, thread %d"
message = format_string % ( name,
HexDump.integer(code, bits),
HexDump.address(pc, bits),
pid,
tid )
print message
# If the event is a crash...
if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
print "Crash detected, storing crash dump in database..."
# Generate a minimal crash dump.
crash = Crash( event )
# You can turn it into a full crash dump (recommended).
# crash.fetch_extra_data( event, takeMemorySnapshot = 0 ) # no memory dump
# crash.fetch_extra_data( event, takeMemorySnapshot = 1 ) # small memory dump
crash.fetch_extra_data( event, takeMemorySnapshot = 2 ) # full memory dump
# Connect to the database. You can use any URL supported by SQLAlchemy.
# For more details see the reference documentation.
dao = CrashDAO( "sqlite:///crashes.sqlite" )
#dao = CrashDAO( "mysql+MySQLdb://root:[email protected]/crashes" )
# Store the crash dump in the database.
dao.add( crash )
# If you do this instead, heuristics are used to detect duplicated
# crashes so they aren't added to the database.
# dao.add( crash, allow_duplicates = False )
# You can also launch the interactive debugger from here. Try it! :)
# event.debug.interactive()
# Kill the process.
event.get_process().kill()示例4: my_event_handler
def my_event_handler( event ):
# Get the process ID where the event occured.
pid = event.get_pid()
# Get the thread ID where the event occured.
tid = event.get_tid()
# Find out if it's a 32 or 64 bit process.
bits = event.get_process().get_bits()
# Get the value of EIP at the thread.
address = event.get_thread().get_pc()
# Get the event name.
name = event.get_event_name()
# Get the event code.
code = event.get_event_code()
# If the event is an exception...
if code == win32.EXCEPTION_DEBUG_EVENT:
# Get the exception user-friendly description.
name = event.get_exception_description()
# Get the exception code.
code = event.get_exception_code()
# Get the address where the exception occurred.
try:
address = event.get_fault_address()
except NotImplementedError:
address = event.get_exception_address()
# If the event is a process creation or destruction,
# or a DLL being loaded or unloaded...
elif code in ( win32.CREATE_PROCESS_DEBUG_EVENT,
win32.EXIT_PROCESS_DEBUG_EVENT,
win32.LOAD_DLL_DEBUG_EVENT,
win32.UNLOAD_DLL_DEBUG_EVENT ):
# Get the filename.
filename = event.get_filename()
if filename:
name = "%s [%s]" % ( name, filename )
# Show a descriptive message to the user.
print "-" * 79
format_string = "%s (0x%s) at address 0x%s, process %d, thread %d"
message = format_string % ( name,
HexDump.integer(code, bits),
HexDump.address(address, bits),
pid,
tid )
print message示例5: memory_search
def memory_search( pid, bytes ):
# Instance a Process object.
process = Process( pid )
# Search for the string in the process memory.
for address in process.search_bytes( bytes ):
# Print the memory address where it was found.
print HexDump.address( address )示例6: handler
def handler(self, event):
if (
event.get_event_code() == win32.EXCEPTION_DEBUG_EVENT
and event.get_exception_code() != win32.STATUS_BREAKPOINT
and (event.is_last_chance() or event.get_exception_code() in self.alwaysCatchExceptions)
):
crash = Crash(event)
report = CrashReport()
crash = Crash(event)
(exploitable, type, info) = crash.isExploitable()
try:
report.code = event.get_thread().disassemble(crash.pc, 0x10)[0][2]
except:
report.code = "Could not disassemble"
if crash.faultAddress is None or MemoryAddresses.align_address_to_page_start(crash.faultAddress) == 0:
report.nearNull = True
else:
report.nearNull = False
report.type = type
lib = event.get_thread().get_process().get_module_at_address(crash.pc)
if lib != None:
report.location = lib.get_label_at_address(crash.pc)
else:
report.location = HexDump.address(crash.pc, event.get_thread().get_process().get_bits())[-4:]
if crash.faultAddress == None:
crash.faultAddress = 0
report.faultAddr = HexDump.address(crash.faultAddress, event.get_thread().get_process().get_bits())
report.stack = ""
stList = self.getStackTraceRelList(event.get_thread())
if len(stList) > 0:
for ra in stList:
lib = event.get_thread().get_process().get_module_at_address(ra)
if lib != None:
report.stack += (
lib.get_label_at_address(ra)
+ " "
+ HexDump.address(ra, event.get_thread().get_process().get_bits())
+ "\n"
)
else:
report.stack += HexDump.address(ra, event.get_thread().get_process().get_bits()) + "\n"
if report.stack == "":
report.stack = "NO_STACK"
report.info = crash.fullReport()
return report
return None示例7: do
def do(self, arg):
".exchain - Show the SEH chain"
thread = self.get_thread_from_prefix()
print("Exception handlers for thread %d" % thread.get_tid())
table = Table()
table.addRow("Block", "Function")
bits = thread.get_bits()
for (seh, seh_func) in thread.get_seh_chain():
if seh is not None:
seh = HexDump.address(seh, bits)
if seh_func is not None:
seh_func = HexDump.address(seh_func, bits)
table.addRow(seh, seh_func)
print(table.getOutput())示例8: check_args_callback
def check_args_callback(event):
'''
This will be called when our breakpoint is hit. Checks if our string is a parameter.
@param event: Event information, dear Watson.
@todo: dereference the values in registers as well {eax, ebx, ecx, esi, edi}
'''
nrOfArguments = 5 # TODO: Take this parameter from IDA
MAX_USERSPACE_ADDRESS = 0x7FFFFFFF
MIN_USERSPACE_ADDRESS = 0x1000
MAX_ARGUMENT_LEN = 100 # somehow arbitrary
process = event.get_process()
thread = event.get_thread()
Eip = thread.get_pc()
Esp = thread.get_context()['Esp']
stackAddress = Esp + 4
for idx in xrange(nrOfArguments):
stackAddress += idx * 4
# Dereference at address and look for searchPattern
# NOTE: read() returns a string, not a number (unpack does the trick)
suspectedPointer = struct.unpack('<L', process.read(stackAddress, 4))[0]
if suspectedPointer > MIN_USERSPACE_ADDRESS and suspectedPointer < MAX_USERSPACE_ADDRESS:
try:
possibleString = process.read(suspectedPointer, MAX_ARGUMENT_LEN) # This is already a string, cool
if searchPattern in possibleString:
if Eip not in logged_functions:
logged_functions.append(Eip)
print "[*] Found! %s is the parameter nr. %d of %08x" % (searchPattern, idx + 1, Eip)
fd.write("[*] Found! %s is the %d parameter of %08x\n" % (searchPattern, idx + 1, Eip))
fd.write("%s\n" % HexDump.hexblock(possibleString, suspectedPointer))
except KeyboardInterrupt:
fd.close()
sys.exit(1)
except:
# Access violation. Log only by debugging (huge overhead due to I/O)
pass
# Let's search for the string in UNICODE
possibleStringU = process.peek_string(suspectedPointer, fUnicode = True)
if searchPattern in possibleStringU:
if searchPattern in possibleString:
if Eip not in logged_functions:
logged_functions.append(Eip)
print "[*] Found! %s is the parameter nr. %d of %08x" % (searchPattern, idx + 1, Eip)
fd.write("[*] Found! %s is the %d parameter of %08x\n" % (searchPattern, idx + 1, Eip))
fd.write("%s\n" % HexDump.hexblock(possibleString, suspectedPointer))示例9: show_window
def show_window(window):
# Get the window coordinates.
rect = window.get_screen_rect()
position = (rect.left, rect.top, rect.right, rect.bottom)
size = (rect.right - rect.left, rect.bottom - rect.top)
# Print the window information.
print "Handle: %s" % HexDump.integer(window.get_handle())
print "Caption: %s" % window.text
print "Class: %s" % window.classname
print "Style: %s" % HexDump.integer(window.style)
print "ExStyle: %s" % HexDump.integer(window.exstyle)
print "Position: (%i, %i) - (%i, %i)" % position
print "Size: (%i, %i)" % size示例10: print_state
def print_state( process_name ):
# Request debug privileges.
System.request_debug_privileges()
# Find the first process that matches the requested name.
system = System()
process, filename = system.find_processes_by_filename( process_name )[ 0 ]
# Suspend the process execution.
process.suspend()
try:
# For each thread in the process...
for thread in process.iter_threads():
# Get the thread state.
tid = thread.get_tid()
eip = thread.get_pc()
code = thread.disassemble_around( eip )
context = thread.get_context()
# Display the thread state.
print
print "-" * 79
print "Thread: %s" % HexDump.integer( tid )
print
print CrashDump.dump_registers( context )
print CrashDump.dump_code( code, eip ),
print "-" * 79
# Resume the process execution.
finally:
process.resume()示例11: single_step
def single_step( self, event ):
# Show the user where we're running.
thread = event.get_thread()
pc = thread.get_pc()
code = thread.disassemble( pc, 0x10 ) [0]
bits = event.get_process().get_bits()
print "%s: %s" % ( HexDump.address(code[0], bits), code[2].lower() )示例12: log_eip_callback
def log_eip_callback(event):
'''
This will be called when our breakpoint is hit. It writes the current EIP.
@param event: Event information, dough!
'''
address = event.get_thread().get_pc()
fd.write(HexDump.address(address) + '\n')示例13: single_step
def single_step(self, event):
thread = event.get_thread()
pc = thread.get_pc()
code = thread.disassemble(pc, 0x10)[0]
trace_file = open(os.path.join(TRACE_PATH, "%s.csv" % event.get_pid()), "a")
trace_file.write("\"0x%s\",\"%s\"\n"
% (HexDump.address(code[0]), code[2]))
trace_file.close()示例14: accessed
def accessed( self, event ):
# Show the user where we're running.
thread = event.get_thread()
pc = thread.get_pc()
code = thread.disassemble( pc, 0x10 ) [0]
print "%s: %s" % (
HexDump.address(code[0], thread.get_bits()),
code[2].lower()
)示例15: strings
def strings( pid ):
# Instance a Process object.
process = Process( pid )
# For each ASCII string found in the process memory...
for address, size, data in process.strings():
# Print the string and the memory address where it was found.
print "%s: %s" % ( HexDump.address(address), data )