本文整理汇总了Python中winappdbg.HexDump类的典型用法代码示例。如果您正苦于以下问题:Python HexDump类的具体用法?Python HexDump怎么用?Python HexDump使用的例子?那么恭喜您, 这里精选的类代码示例或许可以为您提供帮助。
在下文中一共展示了HexDump类的20个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的Python代码示例。
示例1: main
def main(argv):
    """Hex-dump a file using WinAppDbg's HexDump helper.

    argv[0] is the script name and argv[1] the file to dump.  With any other
    argument count a usage line is printed and the function returns.
    """
    print "Hex dumper using WinAppDbg"
    print "by Mario Vilas (mvilas at gmail.com)"
    print
    if len(argv) != 2:
        import os
        print " %s <filename>" % os.path.basename(argv[0])
        return
    with open(argv[1], "rb") as fd:
        # Measure the file first: the block width depends on how many bits
        # are needed to express the largest offset.
        fd.seek(0, 2)
        size = fd.tell()
        fd.seek(0, 0)
        width = 8 if bit_length(size) > 32 else 16
        offset = 0
        chunk = fd.read(16)
        while chunk:
            # Trailing comma: hexblock() output already ends in a newline.
            print HexDump.hexblock(chunk, address=offset, width=width),
            offset += len(chunk)
            chunk = fd.read(16)
开发者ID:hatRiot,项目名称:winappdbg,代码行数:25,代码来源:hexdump.py
示例2: main
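def main():
    """Read a block of memory from a process and print it or save it to a file.

    Usage: ``<pid|process.exe> <address> <size> [binary output file]``.
    pid, address and size go through HexInput.integer, so decimal and hex
    forms are both accepted.  A process given by executable name must match
    exactly one running process; otherwise the candidates are listed and the
    function returns.  Without an output file the data is hex-dumped.
    """
    print "Process memory reader"
    print "by Mario Vilas (mvilas at gmail.com)"
    print
    if len(sys.argv) not in (4, 5):
        script = os.path.basename(sys.argv[0])
        print " %s <pid> <address> <size> [binary output file]" % script
        print " %s <process.exe> <address> <size> [binary output file]" % script
        return
    System.request_debug_privileges()
    try:
        pid = HexInput.integer(sys.argv[1])
    except Exception:
        # Not a number: resolve the argument as an executable name.
        # (Was a bare except, which also swallowed KeyboardInterrupt.)
        s = System()
        s.scan_processes()
        pl = s.find_processes_by_filename(sys.argv[1])
        if not pl:
            print "Process not found: %s" % sys.argv[1]
            return
        if len(pl) > 1:
            print "Multiple processes found for %s" % sys.argv[1]
            # pl holds (Process, filename) pairs (see get_pid() below), so
            # format the PID rather than handing the object to HexDump.
            for p, n in pl:
                print "\t%s: %s" % (HexDump.integer(p.get_pid()), n)
            return
        pid = pl[0][0].get_pid()
    try:
        address = HexInput.integer(sys.argv[2])
    except Exception:
        print "Invalid value for address: %s" % sys.argv[2]
        return
    try:
        size = HexInput.integer(sys.argv[3])
    except Exception:
        print "Invalid value for size: %s" % sys.argv[3]
        return
    p = Process(pid)
    data = p.read(address, size)
    ## data = p.peek(address, size)  # alternative reader kept from the original
    print "Read %d bytes from PID %d" % (len(data), pid)
    if len(sys.argv) == 5:
        filename = sys.argv[4]
        # The context manager closes (and flushes) the handle even on error.
        with open(filename, 'wb') as out:
            out.write(data)
        print "Written %d bytes to %s" % (len(data), filename)
    else:
        # Pointer size picks the hex block width: 16 on 32-bit, 8 on 64-bit.
        if win32.sizeof(win32.LPVOID) == win32.sizeof(win32.DWORD):
            width = 16
        else:
            width = 8
        print
        print HexDump.hexblock(data, address, width = width)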
开发者ID:MarioVilas,项目名称:winappdbg,代码行数:57,代码来源:pread.py
示例3: my_event_handler
def my_event_handler( event ):
    """Log every debug event; on a last-chance exception store a full crash
    dump in the SQLite database and kill the debuggee."""
    name = event.get_event_name()
    code = event.get_event_code()
    pid = event.get_pid()
    tid = event.get_tid()
    pc = event.get_thread().get_pc()
    bits = event.get_process().get_bits()
    print "%s (%s) at address %s, process %d, thread %d" % (
        name, HexDump.integer(code, bits), HexDump.address(pc, bits), pid, tid )
    # A last-chance exception is one no handler in the process caught.
    if code == win32.EXCEPTION_DEBUG_EVENT and event.is_last_chance():
        print "Crash detected, storing crash dump in database..."
        crash = Crash( event )
        # takeMemorySnapshot: 0 = no memory dump, 1 = small, 2 = full.
        crash.fetch_extra_data( event, takeMemorySnapshot = 2 )
        # Any URL supported by SQLAlchemy works here; see the reference
        # documentation.  A MySQL URL would look like
        #   "mysql+MySQLdb://<user>:<password>@<host>/crashes"   (placeholder)
        dao = CrashDAO( "sqlite:///crashes.sqlite" )
        dao.add( crash )
        # dao.add( crash, allow_duplicates = False ) would instead use
        # heuristics to skip crashes already present in the database.
        # event.debug.interactive() would open the interactive debugger here.
        event.get_process().kill()
开发者ID:Kent1,项目名称:winappdbg,代码行数:56,代码来源:07_crash_dump.py
示例4: my_event_handler
def my_event_handler( event ):
    """Print one descriptive line per debug event.

    Exception events are described by their exception code and fault (or
    exception) address; process and DLL load/unload events get the file
    name appended to the event name.
    """
    pid = event.get_pid()
    tid = event.get_tid()
    bits = event.get_process().get_bits()
    address = event.get_thread().get_pc()
    name = event.get_event_name()
    code = event.get_event_code()
    if code == win32.EXCEPTION_DEBUG_EVENT:
        # Replace the generic event info with the exception-specific one.
        name = event.get_exception_description()
        code = event.get_exception_code()
        try:
            address = event.get_fault_address()
        except NotImplementedError:
            # Not every exception type carries a fault address.
            address = event.get_exception_address()
    elif code in ( win32.CREATE_PROCESS_DEBUG_EVENT,
                   win32.EXIT_PROCESS_DEBUG_EVENT,
                   win32.LOAD_DLL_DEBUG_EVENT,
                   win32.UNLOAD_DLL_DEBUG_EVENT ):
        filename = event.get_filename()
        if filename:
            name = "%s [%s]" % ( name, filename )
    print "-" * 79
    format_string = "%s (0x%s) at address 0x%s, process %d, thread %d"
    print format_string % ( name,
                            HexDump.integer(code, bits),
                            HexDump.address(address, bits),
                            pid,
                            tid )
开发者ID:Kent1,项目名称:winappdbg,代码行数:56,代码来源:06_debug_events.py
示例5: memory_search
def memory_search( pid, bytes ):
    """Print every address in process `pid` where the byte string `bytes` occurs."""
    target = Process( pid )
    for hit in target.search_bytes( bytes ):
        print HexDump.address( hit )
开发者ID:cgiogkarakis,项目名称:winappdbg,代码行数:10,代码来源:11_memory_search.py
示例6: handler
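def handler(self, event):
    """Build a CrashReport for an interesting exception event.

    An event is reported when it is an exception, is not a breakpoint, and
    is either last-chance or has an exception code listed in
    self.alwaysCatchExceptions.  Any other event yields None.

    @param event: the WinAppDbg debug event.
    @return: a CrashReport, or None when the event is ignored.
    """
    if event.get_event_code() != win32.EXCEPTION_DEBUG_EVENT:
        return None
    exception_code = event.get_exception_code()
    if exception_code == win32.STATUS_BREAKPOINT:
        return None
    if not (event.is_last_chance() or exception_code in self.alwaysCatchExceptions):
        return None

    thread = event.get_thread()
    process = thread.get_process()
    bits = process.get_bits()
    # One Crash object is enough; the original constructed it twice.
    crash = Crash(event)
    report = CrashReport()
    (exploitable, crash_type, info) = crash.isExploitable()

    try:
        report.code = thread.disassemble(crash.pc, 0x10)[0][2]
    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt still propagates.
        report.code = "Could not disassemble"

    # A missing fault address, or one inside the first page, counts as near-NULL.
    report.nearNull = (crash.faultAddress is None
                       or MemoryAddresses.align_address_to_page_start(crash.faultAddress) == 0)
    report.type = crash_type

    lib = process.get_module_at_address(crash.pc)
    if lib is not None:
        report.location = lib.get_label_at_address(crash.pc)
    else:
        # No module at the PC: keep only the last four hex digits.
        report.location = HexDump.address(crash.pc, bits)[-4:]

    if crash.faultAddress is None:
        # Normalised on the crash object itself, as in the original, because
        # crash is still used by fullReport() below.
        crash.faultAddress = 0
    report.faultAddr = HexDump.address(crash.faultAddress, bits)

    frames = []
    for ra in self.getStackTraceRelList(thread):
        lib = process.get_module_at_address(ra)
        line = HexDump.address(ra, bits)
        if lib is not None:
            line = lib.get_label_at_address(ra) + " " + line
        frames.append(line + "\n")
    # An empty trace is recorded explicitly rather than as an empty string.
    report.stack = "".join(frames) or "NO_STACK"

    report.info = crash.fullReport()
    return report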
开发者ID:JaanusFuzzing,项目名称:Vanapagan,代码行数:52,代码来源:WinBasic.py
示例7: do
def do(self, arg):
    ".exchain - Show the SEH chain"
    thread = self.get_thread_from_prefix()
    print("Exception handlers for thread %d" % thread.get_tid())
    bits = thread.get_bits()
    table = Table()
    table.addRow("Block", "Function")
    for block, func in thread.get_seh_chain():
        # None entries are passed through; numbers are rendered as hex addresses.
        block_text = block if block is None else HexDump.address(block, bits)
        func_text = func if func is None else HexDump.address(func, bits)
        table.addRow(block_text, func_text)
    print(table.getOutput())
开发者ID:SeanFarrow,项目名称:intellij-community,代码行数:14,代码来源:do_exchain.py
示例8: check_args_callback
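def check_args_callback(event):
    '''
    This will be called when our breakpoint is hit. Checks if our string is a parameter.

    The first nrOfArguments stack slots above the return address are read as
    32-bit values; each one that lies in user space is dereferenced and the
    memory there is searched for searchPattern, first as ASCII bytes and then
    as a UNICODE string.  A hit is printed and written to the global fd once
    per function (tracked in logged_functions).
    @param event: Event information, dear Watson.
    @todo: dereference the values in registers as well {eax, ebx, ecx, esi, edi}
    '''
    nrOfArguments = 5 # TODO: Take this parameter from IDA
    MAX_USERSPACE_ADDRESS = 0x7FFFFFFF
    MIN_USERSPACE_ADDRESS = 0x1000
    MAX_ARGUMENT_LEN = 100 # somehow arbitrary
    process = event.get_process()
    thread = event.get_thread()
    Eip = thread.get_pc()
    Esp = thread.get_context()['Esp']
    for idx in xrange(nrOfArguments):
        # Argument idx lives at Esp + 4 + 4*idx: [Esp] is the return address.
        # (The old running "stackAddress += idx * 4" drifted off the slots
        # from the third argument on.)
        stackAddress = Esp + 4 + idx * 4
        # NOTE: read() returns a string, not a number (unpack does the trick)
        suspectedPointer = struct.unpack('<L', process.read(stackAddress, 4))[0]
        if not (MIN_USERSPACE_ADDRESS < suspectedPointer < MAX_USERSPACE_ADDRESS):
            continue
        try:
            possibleString = process.read(suspectedPointer, MAX_ARGUMENT_LEN) # This is already a string, cool
        except KeyboardInterrupt:
            fd.close()
            sys.exit(1)
        except Exception:
            # Access violation. Log only by debugging (huge overhead due to I/O)
            continue
        if searchPattern in possibleString:
            _log_argument_hit(Eip, idx, possibleString, suspectedPointer)
            continue
        # Let's search for the string in UNICODE
        possibleStringU = process.peek_string(suspectedPointer, fUnicode = True)
        if searchPattern in possibleStringU:
            # The raw bytes read above are what gets hex-dumped; the old code
            # re-tested the ASCII buffer here, so this branch never fired.
            _log_argument_hit(Eip, idx, possibleString, suspectedPointer)


def _log_argument_hit(Eip, idx, possibleString, suspectedPointer):
    '''
    Print and log one pattern hit, but only the first time a function (Eip)
    is seen.  Uses the module globals searchPattern, logged_functions and fd.
    '''
    if Eip in logged_functions:
        return
    logged_functions.append(Eip)
    print "[*] Found! %s is the parameter nr. %d of %08x" % (searchPattern, idx + 1, Eip)
    fd.write("[*] Found! %s is the %d parameter of %08x\n" % (searchPattern, idx + 1, Eip))
    fd.write("%s\n" % HexDump.hexblock(possibleString, suspectedPointer))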
开发者ID:buhtig314,项目名称:Python-to-the-rescue,代码行数:49,代码来源:Tracer.py
示例9: show_window
def show_window(window):
    """Print handle, caption, class, styles, position and size of a Window."""
    rect = window.get_screen_rect()
    left, top, right, bottom = rect.left, rect.top, rect.right, rect.bottom
    print "Handle: %s" % HexDump.integer(window.get_handle())
    print "Caption: %s" % window.text
    print "Class: %s" % window.classname
    print "Style: %s" % HexDump.integer(window.style)
    print "ExStyle: %s" % HexDump.integer(window.exstyle)
    print "Position: (%i, %i) - (%i, %i)" % (left, top, right, bottom)
    print "Size: (%i, %i)" % (right - left, bottom - top)
开发者ID:proxymoron,项目名称:winappdbg,代码行数:15,代码来源:21_find_window.py
示例10: print_state
def print_state( process_name ):
    """Suspend the first process named `process_name`, dump each thread's
    registers and the code around its PC, then resume the process."""
    System.request_debug_privileges()
    # Only the first match is used; with no match the [0] raises IndexError.
    process, filename = System().find_processes_by_filename( process_name )[ 0 ]
    process.suspend()
    try:
        separator = "-" * 79
        for thread in process.iter_threads():
            tid = thread.get_tid()
            eip = thread.get_pc()
            code = thread.disassemble_around( eip )
            context = thread.get_context()
            print
            print separator
            print "Thread: %s" % HexDump.integer( tid )
            print
            print CrashDump.dump_registers( context )
            # Trailing comma: dump_code() output already ends in a newline.
            print CrashDump.dump_code( code, eip ),
            print separator
    finally:
        # Resume even if inspecting a thread failed.
        process.resume()
开发者ID:cgiogkarakis,项目名称:winappdbg,代码行数:34,代码来源:04_dump.py
示例11: single_step
def single_step( self, event ):
    """Print the address and lower-cased text of the instruction at the PC."""
    thread = event.get_thread()
    bits = event.get_process().get_bits()
    instruction = thread.disassemble( thread.get_pc(), 0x10 ) [0]
    where = HexDump.address(instruction[0], bits)
    print "%s: %s" % ( where, instruction[2].lower() )
开发者ID:hatRiot,项目名称:winappdbg,代码行数:8,代码来源:08_tracing.py
示例12: log_eip_callback
def log_eip_callback(event):
    '''
    Breakpoint callback: append the current EIP, as a hex address, to the
    global file object fd (one address per line).
    @param event: Event information, dough!
    '''
    pc = event.get_thread().get_pc()
    line = HexDump.address(pc) + '\n'
    fd.write(line)
开发者ID:buhtig314,项目名称:Python-to-the-rescue,代码行数:8,代码来源:Tracer.py
示例13: single_step
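def single_step(self, event):
    """Append the instruction at the current PC to the per-process trace CSV.

    The file is TRACE_PATH/<pid>.csv and each row is ``"0x<address>","<text>"``.
    """
    thread = event.get_thread()
    pc = thread.get_pc()
    code = thread.disassemble(pc, 0x10)[0]
    trace_path = os.path.join(TRACE_PATH, "%s.csv" % event.get_pid())
    # Context manager closes the handle even if write() raises; the original
    # leaked it in that case.
    with open(trace_path, "a") as trace_file:
        trace_file.write("\"0x%s\",\"%s\"\n"
                         % (HexDump.address(code[0]), code[2]))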
开发者ID:Gigia,项目名称:cuckoo,代码行数:9,代码来源:debugger.py
示例14: accessed
def accessed( self, event ):
    """Report the instruction that is executing when the watched buffer is touched."""
    thread = event.get_thread()
    instruction = thread.disassemble( thread.get_pc(), 0x10 ) [0]
    where = HexDump.address(instruction[0], thread.get_bits())
    print "%s: %s" % ( where, instruction[2].lower() )
开发者ID:Debug-Orz,项目名称:winappdbg,代码行数:10,代码来源:14_watch_buffer.py
示例15: strings
def strings( pid ):
    """Print every ASCII string found in process `pid`, prefixed by its address."""
    target = Process( pid )
    for address, size, data in target.strings():
        # The size is not shown; only where the string is and what it says.
        print "%s: %s" % ( HexDump.address(address), data )
开发者ID:cgiogkarakis,项目名称:winappdbg,代码行数:10,代码来源:12_strings.py
示例16: entering
def entering( event ):
    """Breakpoint callback at GetProcAddress entry: log the call and arrange
    for `returning` (or `returning_2`) to run when the call returns."""
    thread = event.get_thread()
    tid = thread.get_tid()
    process = event.get_process()
    bits = process.get_bits()
    # The top of the stack holds the return address.
    stack_top = thread.get_sp()
    if bits == 32:
        # x86 stdcall: return address followed by both arguments on the stack.
        return_address, hModule, lpProcName = thread.read_stack_dwords( 3 )
    else:
        # x64: the first two integer arguments are in RCX and RDX.
        # NOTE(review): read_stack_qwords(1) may return a one-element sequence
        # rather than a number, unlike the tuple unpacking above - verify.
        return_address = thread.read_stack_qwords( 1 )
        registers = thread.get_context()
        hModule, lpProcName = registers['Rcx'], registers['Rdx']
    procedure_name = process.peek_string( lpProcName )
    message = "%s: GetProcAddress(%s, %r);"
    print message % (
        HexDump.address(return_address, bits),
        HexDump.address(hModule, bits),
        procedure_name
    )
    try:
        # Watch the DWORD at the top of the stack.
        event.debug.stalk_variable( tid, stack_top, 4, returning )
        #event.debug.watch_variable( tid, stack_top, 4, returning )
    except RuntimeError:
        # No more hardware slots: fall back to a code breakpoint at the return address.
        event.debug.stalk_at( event.get_pid(), return_address, returning_2 )
开发者ID:cgiogkarakis,项目名称:winappdbg,代码行数:40,代码来源:13_watch_variable.py
示例17: wildcard_search
def wildcard_search( pid, pattern ):
    """Hex-dump every memory location in process `pid` matching a hex `pattern`.

    Hex patterns must be in this form:
        "68 65 6c 6c 6f 20 77 6f 72 6c 64"      # "hello world"
    Spaces are optional. Capitalization of hex digits doesn't matter.
    This is exactly equivalent to the previous example:
        "68656C6C6F20776F726C64"                # "hello world"
    Wildcards are allowed, in the form of a "?" sign in any hex digit:
        "5? 5? c3"                              # pop register / pop register / ret
        "b8 ?? ?? ?? ??"                        # mov eax, immediate value
    """
    target = Process( pid )
    for address, data in target.search_hexa( pattern ):
        print HexDump.hexblock(data, address = address)
开发者ID:MarioVilas,项目名称:winappdbg,代码行数:23,代码来源:12_wildcard_search.py
示例18: main
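def main():
    """Write bytes into a process' memory.

    Usage: ``<pid|process.exe> <address> {binary input file | hex data}``.
    Everything after the address is joined with spaces; if that names an
    existing file its contents are written, otherwise it is parsed as hex
    by HexInput.hexadecimal.  A process named by executable must match
    exactly one running process.
    """
    print "Process memory writer"
    print "by Mario Vilas (mvilas at gmail.com)"
    print
    if len(sys.argv) < 4:
        script = os.path.basename(sys.argv[0])
        print " %s <pid> <address> {binary input file / hex data}" % script
        print " %s <process.exe> <address> {binary input file / hex data}" % script
        return
    System.request_debug_privileges()
    try:
        pid = HexInput.integer(sys.argv[1])
    except Exception:
        # Not a number: resolve the argument as an executable name.
        s = System()
        s.scan_processes()
        pl = s.find_processes_by_filename(sys.argv[1])
        if not pl:
            print "Process not found: %s" % sys.argv[1]
            return
        if len(pl) > 1:
            print "Multiple processes found for %s" % sys.argv[1]
            # pl holds (Process, filename) pairs (see get_pid() below), so
            # format the PID rather than handing the object to HexDump.
            for p, n in pl:
                print "\t%s: %s" % (HexDump.integer(p.get_pid()), n)
            return
        pid = pl[0][0].get_pid()
    try:
        address = HexInput.integer(sys.argv[2])
    except Exception:
        print "Invalid value for address: %s" % sys.argv[2]
        return
    filename = ' '.join(sys.argv[3:])
    if os.path.exists(filename):
        # Context manager closes the handle even if read() raises.
        with open(filename, 'rb') as inp:
            data = inp.read()
        print "Read %d bytes from %s" % (len(data), filename)
    else:
        try:
            data = HexInput.hexadecimal(filename)
        except Exception:
            print "Invalid filename or hex block: %s" % filename
            return
    p = Process(pid)
    p.write(address, data)
    print "Written %d bytes to PID %d" % (len(data), pid)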
开发者ID:Debug-Orz,项目名称:winappdbg,代码行数:49,代码来源:pwrite.py
示例19: print_threads_and_modules
def print_threads_and_modules( pid ):
    """List the thread IDs and the loaded modules (base address, file) of process `pid`."""
    target = Process( pid )
    print "Process %d" % target.get_pid()
    print "Threads:"
    for thread in target.iter_threads():
        print "\t%d" % thread.get_tid()
    print "Modules:"
    bits = target.get_bits()
    for module in target.iter_modules():
        base = HexDump.address( module.get_base(), bits )
        print "\t%s\t%s" % ( base, module.get_filename() )
开发者ID:vkremez,项目名称:WinAPI-Debugger,代码行数:15,代码来源:EnumerateThreadsDLLModulesInProcess.py
示例20: action_callback
def action_callback( event ):
    """Breakpoint action for kernel32!CreateFileW: print the caller's return address."""
    process = event.get_process()
    thread = event.get_thread()
    # On entry the return address is the pointer at the top of the stack.
    return_address = process.read_pointer( thread.get_sp() )
    pid, tid = event.get_pid(), event.get_tid()
    message = "kernel32!CreateFileW called from %s by thread %d at process %d"
    print message % ( HexDump.address(return_address, process.get_bits()), tid, pid )
开发者ID:Kent1,项目名称:winappdbg,代码行数:17,代码来源:11_breakpoint.py
注:本文中的winappdbg.HexDump类示例由纯净天空整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。 |