import os
import pykd
import sys
import threading
import time
# Module state shared between the breakpoint callbacks, the event handler,
# the watchdog thread and the main loop (all of it is plain module globals).
debug = True                 # main loop keeps resuming the debuggee while True; cleared by BreakinThread
result = 'nothing'           # reported at exit; nothing in this file ever updates it
writing_files_set = set()    # cleared at startup; nothing in this file adds to it
using_files_dict = {}        # str(file handle) -> object name, filled by NtUseFile_retn
writing_files_dict = {}      # not used in this file
p_using_file_handle = 0      # address of the FileHandle out-parameter of the Nt*File call in flight
nt_key_str = ''              # not used in this file
using_file_name = ''         # object name of the Nt*File call in flight (one slot, not per thread)
bp_nt_use_file_retn = 0      # breakpoint NtUseFile plants on its caller's return address
def exception_func(func):
    """Report an abnormal event labelled by *func* (e.g. 'go', 'No Debuggee').

    Only prints the label; it neither changes ``result`` nor stops the
    debug session, so callers must do that themselves.
    """
    print('in exception_func %s' % (func,))
def NtUseFile(id): #NtCreateFile or NtOpenFile
    """Entry breakpoint shared by NtCreateFile and NtOpenFile (x86, stdcall).

    Decodes the ObjectAttributes argument to record the name of the object
    being opened, remembers where the FileHandle out-parameter lives, and
    plants a breakpoint on the caller's return address so NtUseFile_retn can
    read the handle once the call has completed. Directory opens are not
    tracked. Always returns True (the debuggee keeps running).

    NOTE(review): the three globals written here form a single slot. If
    another thread of the debuggee (or a debugged child) enters Nt*File
    before the return breakpoint fires, the slot is overwritten and the
    handle gets paired with the wrong name — confirm whether that matters
    for the analysed targets.
    """
    global using_file_name, p_using_file_handle, bp_nt_use_file_retn
    esp = pykd.reg('esp')
    # Stack at entry: [esp] return address, [esp+4] FileHandle*,
    # [esp+8] DesiredAccess, [esp+12] ObjectAttributes*.
    object_attributes = pykd.ptrDWord(esp + 12)
    # OBJECT_ATTRIBUTES.ObjectName (a UNICODE_STRING*) is at offset 8;
    # UNICODE_STRING.Buffer is at offset 4 of that structure.
    object_name = pykd.ptrDWord(object_attributes + 8)
    # NOTE(review): loadWStr reads up to a NUL, but a UNICODE_STRING buffer
    # is not guaranteed to be NUL-terminated (Length at offset 0 is the
    # real bound), and when RootDirectory is set the name is relative, not
    # a full path — verify against the debuggee before relying on the value.
    using_file_name = pykd.loadWStr(pykd.ptrDWord(object_name + 4))
    # Whether os.path.isdir recognises the native form of the name
    # (e.g. "\??\C:\...") is not established here; it is applied as-is.
    if os.path.isdir(using_file_name):
        return True
    p_using_file_handle = pykd.ptrDWord(esp + 4)
    caller = pykd.ptrDWord(esp)
    bp_nt_use_file_retn = pykd.setBp(caller, NtUseFile_retn)
    return True
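def NtUseFile_retn(id):
    """Return-address breakpoint planted by NtUseFile.

    Reads the handle the kernel wrote to the FileHandle out-parameter and
    records ``str(handle) -> object name`` in ``using_files_dict`` (a zero
    handle, i.e. a failed open, is skipped), then removes the one-shot
    breakpoint. Always returns True so the debuggee keeps running.
    """
    global using_file_name, bp_nt_use_file_retn
    # Directory opens plant no return breakpoint, so there is nothing to do.
    if os.path.isdir(using_file_name):
        return True
    try:
        file_handle = pykd.ptrDWord(p_using_file_handle)
    except Exception:
        # The out-parameter may be unreadable (e.g. the call failed before
        # writing it); skip the record rather than abort the session.
        # Narrowed from a bare except so Ctrl-C / SystemExit still propagate.
        file_handle = 0
    if file_handle != 0:
        using_files_dict[str(file_handle)] = using_file_name
    try:
        pykd.removeBp(bp_nt_use_file_retn)
    except Exception:
        # Breakpoint already gone; nothing to undo.
        pass
    return True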
#------------------------------------------------
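class DllHandler(pykd.eventHandler):
    """Debugger event sink: plants the Nt*File breakpoints and reports faults."""

    # ntdll exports that share the NtUseFile entry breakpoint.
    _NT_FILE_ENTRIES = ('NtCreateFile', 'NtOpenFile')

    def onModuleLoad(self, arg, image_path_name):
        """Log every module load; once ntdll is mapped, break on its Nt*File exports.

        Returns pykd.eventResult.NoChange so the debugger proceeds normally.
        """
        print('onModuleLoad: %s %s' % (str(image_path_name), hex(pykd.reg('esp'))))
        if str(image_path_name) == 'ntdll':
            ntdll = pykd.module('ntdll')
            for export in self._NT_FILE_ENTRIES:
                print('Set break on %s' % export)
                try:
                    pykd.setBp(ntdll.offset(export), NtUseFile)
                except Exception:
                    # Narrowed from a bare except: a failed breakpoint is
                    # reported and skipped, but Ctrl-C / SystemExit propagate.
                    print('Can\'t break on %s' % export)
        return pykd.eventResult.NoChange

    def onException(self, arg):
        """Report access violations; escalate only the second-chance (unhandled) one."""
        if arg.ExceptionCode != 0xc0000005:  # STATUS_ACCESS_VIOLATION
            return
        print('Access Violation !!!')
        # A first-chance AV may still be handled by the debuggee's own
        # exception handlers, so only the second-chance pass is escalated.
        if arg.FirstChance is not True:
            exception_func('Access Violation')

    def onExecutionStatusChange(self, arg):
        """Report when the target goes away (7 == DEBUG_STATUS_NO_DEBUGGEE)."""
        if arg == 7:
            exception_func('No Debuggee')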
class BreakinThread(threading.Thread):
    """Watchdog: after a fixed delay, stop the main loop and break into the debuggee."""

    # Seconds the debuggee is allowed to run before the analyzer interrupts it.
    RUN_SECONDS = 150

    def run(self):
        global debug
        stamp = lambda: time.asctime(time.gmtime(time.time()))
        print(stamp())
        time.sleep(self.RUN_SECONDS)
        print('breakin  %s' % stamp())
        # Plain global write read by the main loop without a lock; the loop
        # only tests it between pykd.go() calls.
        debug = False
        pykd.breakin()
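if not pykd.isWindbgExt():
    # Standalone mode: start the target under pykd and run it for a bounded
    # time while the breakpoints record which files it opens.
    print(':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::')
    print('Analyzer began to work')
    # sys.argv[1] - path to exe-file
    # sys.argv[2] - local_path
    if len(sys.argv) < 3:
        # Fail with a usage line instead of an IndexError traceback below.
        sys.exit('usage: %s <path-to-exe> <local_path>' % sys.argv[0])
    # Created before the process starts so the ntdll load event reaches it.
    dll_handler = DllHandler()
    debug = True
    # Debuggee command line: both arguments are double-quoted so paths with
    # spaces survive; an argument that itself contains a double quote is
    # not escaped here.
    str_process = '"%s" "%s"' % (sys.argv[1], sys.argv[2])
    print(str_process)
    writing_files_set.clear()
    pykd.startProcess(str_process, debugChildren=True)
    #attachProcess(2788)
    breakin_thread = BreakinThread()
    breakin_thread.start()
    time.sleep(1)
    print(pykd.getProcessThreads())
    print(threading.enumerate())
    # Keep resuming the debuggee until BreakinThread clears `debug` or
    # pykd.go() fails (narrowed from a bare except so Ctrl-C still works).
    while debug:
        try:
            pykd.go()
        except Exception:
            exception_func('go')
            break
    print('EXIT ')
    breakin_thread.join()
    if result == 'nothing':
        print('result: nothing')
        time.sleep(1)
        print('FINISHED: ')
else:
    pykd.dprintln( 'The debugger must be connected to live usermode process' )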