本文整理汇总了Python中winappdbg.HexDump.hexblock方法的典型用法代码示例。如果您正苦于以下问题:Python HexDump.hexblock方法的具体用法?Python HexDump.hexblock怎么用?Python HexDump.hexblock使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类winappdbg.HexDump的用法示例。
在下文中一共展示了HexDump.hexblock方法的4个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: main
# 需要导入模块: from winappdbg import HexDump [as 别名]
# 或者: from winappdbg.HexDump import hexblock [as 别名]
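def main(argv):
    """Hex-dump the file named by ``argv[1]`` to stdout.

    @param argv: Command line; ``argv[0]`` is the script name and
        ``argv[1]`` the file to dump. Any other argument count prints a
        usage line and returns without dumping anything.
    """
    print "Hex dumper using WinAppDbg"
    print "by Mario Vilas (mvilas at gmail.com)"
    print
    if len(argv) != 2:
        import os
        script = os.path.basename(argv[0])
        print " %s <filename>" % script
        return
    with open(argv[1], "rb") as fd:
        # Determine the file size by seeking to the end, then rewind.
        fd.seek(0, 2)
        size = fd.tell()
        fd.seek(0, 0)
        # Offsets that do not fit in 32 bits get fewer bytes per row
        # (presumably to keep rows readable next to a wider address column).
        # "size > 0xFFFFFFFF" is the same test as "bit_length(size) > 32"
        # for a non-negative size, without depending on an external helper.
        if size > 0xFFFFFFFF:
            width = 8
        else:
            width = 16
        address = 0
        while True:
            data = fd.read(16)
            if not data:
                break
            # Trailing comma: let hexblock()'s own line endings stand and do
            # not add another newline after each chunk.
            print HexDump.hexblock(data, address=address, width=width),
            address += len(data)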
示例2: main
# 需要导入模块: from winappdbg import HexDump [as 别名]
# 或者: from winappdbg.HexDump import hexblock [as 别名]
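def main():
    """Read a range of another process's memory and save or hex-dump it.

    Command line (taken from ``sys.argv``)::

        <pid> <address> <size> [binary output file]
        <process.exe> <address> <size> [binary output file]

    The target is given either as a PID or as an executable name; a name is
    resolved by scanning the running processes and must match exactly one.
    With a fourth argument the bytes are written to that file, otherwise
    they are hex-dumped to stdout.
    """
    print "Process memory reader"
    print "by Mario Vilas (mvilas at gmail.com)"
    print
    if len(sys.argv) not in (4, 5):
        script = os.path.basename(sys.argv[0])
        print " %s <pid> <address> <size> [binary output file]" % script
        print " %s <process.exe> <address> <size> [binary output file]" % script
        return

    # Reading another process's memory requires the debug privilege.
    System.request_debug_privileges()

    # First argument: a PID if it parses as an integer, else an executable name.
    try:
        pid = HexInput.integer(sys.argv[1])
    except Exception:
        system = System()
        system.scan_processes()
        candidates = system.find_processes_by_filename(sys.argv[1])
        if not candidates:
            print "Process not found: %s" % sys.argv[1]
            return
        if len(candidates) > 1:
            # Refuse to guess: list the matches so the caller can pick a PID.
            # Each entry is a (process, name) pair, so format the PID itself
            # rather than the process object.
            print "Multiple processes found for %s" % sys.argv[1]
            for proc, name in candidates:
                print "\t%s: %s" % (HexDump.integer(proc.get_pid()), name)
            return
        pid = candidates[0][0].get_pid()

    try:
        address = HexInput.integer(sys.argv[2])
    except Exception:
        print "Invalid value for address: %s" % sys.argv[2]
        return
    try:
        size = HexInput.integer(sys.argv[3])
    except Exception:
        print "Invalid value for size: %s" % sys.argv[3]
        return

    target = Process(pid)
    # read() is used rather than peek() so that an unreadable range fails
    # loudly instead of silently coming back short (NOTE(review): confirm
    # peek()'s partial-read behaviour against the winappdbg version in use).
    data = target.read(address, size)
    print "Read %d bytes from PID %d" % (len(data), pid)

    if len(sys.argv) == 5:
        filename = sys.argv[4]
        # Context manager guarantees the handle is flushed and closed.
        with open(filename, 'wb') as out:
            out.write(data)
        print "Written %d bytes to %s" % (len(data), filename)
    else:
        # Fewer bytes per row when pointers are wider than a DWORD (64-bit host).
        if win32.sizeof(win32.LPVOID) == win32.sizeof(win32.DWORD):
            width = 16
        else:
            width = 8
        print
        print HexDump.hexblock(data, address, width=width)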
示例3: check_args_callback
# 需要导入模块: from winappdbg import HexDump [as 别名]
# 或者: from winappdbg.HexDump import hexblock [as 别名]
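def check_args_callback(event):
    '''
    This will be called when our breakpoint is hit. Checks if our string is a parameter.

    Walks the first ``nrOfArguments`` stack slots above the return address
    (32-bit layout: ``[esp+4]``, ``[esp+8]``, ...). For every slot whose value
    lies in the user-space window, the pointed-to memory is read and tested
    for ``searchPattern``, first as a byte string and then as a Unicode string
    via ``peek_string(fUnicode=True)``. A hit is printed and appended to the
    module-level log file ``fd``; each function (keyed by ``Eip``) is reported
    only once, tracked through ``logged_functions``.

    @param event: Event information, dear Watson.
    @todo: dereference the values in registers as well {eax, ebx, ecx, esi, edi}
    '''
    nrOfArguments = 5 # TODO: Take this parameter from IDA
    MAX_USERSPACE_ADDRESS = 0x7FFFFFFF
    MIN_USERSPACE_ADDRESS = 0x1000
    MAX_ARGUMENT_LEN = 100 # somehow arbitrary
    process = event.get_process()
    thread = event.get_thread()
    Eip = thread.get_pc()
    Esp = thread.get_context()['Esp']

    def log_hit(idx, found, pointer):
        # Report a function once, however many times its breakpoint fires.
        if Eip in logged_functions:
            return
        logged_functions.append(Eip)
        print "[*] Found! %s is the parameter nr. %d of %08x" % (searchPattern, idx + 1, Eip)
        fd.write("[*] Found! %s is the %d parameter of %08x\n" % (searchPattern, idx + 1, Eip))
        fd.write("%s\n" % HexDump.hexblock(found, pointer))

    for idx in xrange(nrOfArguments):
        # Argument idx lives at [esp + 4 + 4*idx]. Compute it from Esp each
        # time; accumulating "+= idx * 4" skipped slots from the third on.
        stackAddress = Esp + 4 + idx * 4
        # Dereference at address and look for searchPattern
        # NOTE: read() returns a string, not a number (unpack does the trick)
        suspectedPointer = struct.unpack('<L', process.read(stackAddress, 4))[0]
        if not (MIN_USERSPACE_ADDRESS < suspectedPointer < MAX_USERSPACE_ADDRESS):
            continue

        possibleString = None
        try:
            possibleString = process.read(suspectedPointer, MAX_ARGUMENT_LEN) # This is already a string, cool
        except KeyboardInterrupt:
            fd.close()
            sys.exit(1)
        except Exception:
            # Access violation: the slot only looked like a pointer. Not
            # logged here on purpose (huge overhead due to I/O); the Unicode
            # probe below still runs, since peek_string() tolerates that.
            pass
        if possibleString is not None and searchPattern in possibleString:
            log_hit(idx, possibleString, suspectedPointer)
            continue

        # Let's search for the string in UNICODE
        possibleStringU = process.peek_string(suspectedPointer, fUnicode = True)
        if searchPattern in possibleStringU:
            # Log the Unicode hit itself (the original re-tested the byte
            # string here, so Unicode-only hits were never written). Re-encode
            # so the dump shows in-memory bytes rather than code points
            # (assumes peek_string decoded UTF-16LE — TODO confirm).
            log_hit(idx, possibleStringU.encode('utf-16le'), suspectedPointer)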
示例4: wildcard_search
# 需要导入模块: from winappdbg import HexDump [as 别名]
# 或者: from winappdbg.HexDump import hexblock [as 别名]
def wildcard_search(pid, pattern):
    """Hex-dump every match of a hexadecimal byte *pattern* in process *pid*.

    Pattern syntax (as passed through to Process.search_hexa):

      "68 65 6c 6c 6f 20 77 6f 72 6c 64"   # "hello world"
      "68656C6C6F20776F726C64"             # same thing: spaces are optional
                                           # and hex-digit case is ignored
      "5? 5? c3"                           # "?" wildcards a single hex digit
                                           # (pop register / pop register / ret)
      "b8 ?? ?? ?? ??"                     # mov eax, immediate value

    Each match is printed as a hex block whose address column starts at the
    location where it was found.
    """
    target = Process(pid)
    matches = target.search_hexa(pattern)
    for location, chunk in matches:
        print HexDump.hexblock(chunk, address=location)