import ctypes.util
from winappdbg import Debug, EventHandler, Crash, CrashDump, HexDump
# keep a reference to this
MSVCRT_DLL = ctypes.util.find_msvcrt()
MAX_INSTRUCTIONS = 10
# plenty more to add to this!
dangerous_funcs = [
"strcpy",
"strncpy",
"sprintf",
"vsprintf"
]
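class DangerousFunctionEventHandler(EventHandler):
    """winappdbg event handler that watches calls into unsafe CRT string
    functions.

    When the CRT module loads, every name in ``dangerous_funcs`` that the
    module exports gets a code breakpoint. Each hit dumps the registers and
    takes a memory snapshot of the process. On an unhandled (second-chance)
    access violation the last snapshot is written back and the process is
    single-stepped for ``MAX_INSTRUCTIONS`` instructions, printing the
    disassembly at each step; a second crash kills the process.

    Note that only memory is restored on a crash -- the faulting thread's
    context (registers, PC) is left exactly as it was at the fault.
    """

    def __init__(self):
        # Run the base initializer so any bookkeeping winappdbg's
        # EventHandler sets up (e.g. for apiHooks) is in place.
        super(DangerousFunctionEventHandler, self).__init__()
        # breakpoint address -> dangerous function name, filled by load_dll()
        self.resolved_funcs = {}
        # most recent memory snapshot from danger_handler(); None until a hit
        self.snapshot = None
        # True once a crash has been replayed from the snapshot
        self.crash_encountered = False
        # instructions traced since the replay started
        self.instruction_count = 0

    def load_dll(self, evt):
        """DLL-load event: breakpoint the dangerous CRT exports.

        Only the module whose name matches ``MSVCRT_DLL`` is considered;
        names the module does not export are skipped silently.
        """
        module = evt.get_module()
        # find_msvcrt() can return None; never hand that to match_name().
        if MSVCRT_DLL is None or not module.match_name(MSVCRT_DLL):
            return
        pid = evt.get_pid()
        for func in dangerous_funcs:
            addr = module.resolve(func)
            if not addr:
                continue
            self.resolved_funcs[addr] = func
            evt.debug.break_at(pid, addr, self.danger_handler)
            print("[*] resolved dangerous func: %s -> %d" % (func, addr))

    def danger_handler(self, evt):
        """Breakpoint action: log the hit, dump registers, snapshot memory.

        The process is suspended while the snapshot is taken so the copy is
        consistent, and always resumed afterwards.
        """
        thread = evt.get_thread()
        proc = evt.get_process()
        func = self.resolved_funcs.get(thread.get_pc())
        if func is None:
            return
        print("[*] hit %s" % func)
        # dump_registers() returns the formatted text; it has to be printed.
        print(CrashDump.dump_registers(thread.get_context()))
        proc.suspend()
        try:
            self.snapshot = proc.take_memory_snapshot()
        finally:
            proc.resume()

    def access_violation(self, evt):
        """Access-violation event: replay from the last snapshot once.

        First-chance exceptions are ignored because the target may still
        handle them itself. On the first unhandled fault the last snapshot is
        restored and single-step tracing is enabled; if there is no snapshot
        (no dangerous call was seen) or a replay already happened, the
        process is killed instead.
        """
        if evt.is_first_chance():
            return
        proc = evt.get_process()
        if self.crash_encountered or self.snapshot is None:
            if self.snapshot is None:
                print("[!] crash before any dangerous call was hit; killing")
            proc.kill()
            return
        proc.restore_memory_snapshot(self.snapshot)
        self.crash_encountered = True
        self.instruction_count = 0
        evt.debug.start_tracing_process(proc.get_pid())

    def single_step(self, evt):
        """Single-step event: print the disassembly at PC while replaying.

        Does nothing until a crash has been replayed; stops tracing once
        ``MAX_INSTRUCTIONS`` instructions have been shown.
        """
        if not self.crash_encountered:
            return
        print("single step")
        proc = evt.get_process()
        # >= rather than == so a stray extra step can never keep tracing forever
        if self.instruction_count >= MAX_INSTRUCTIONS:
            evt.debug.stop_tracing_process(proc.get_pid())
            return
        pc = evt.get_thread().get_pc()
        code = proc.disassemble(pc, 0x10)
        print(CrashDump.dump_code(code, pc))
        self.instruction_count += 1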
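# Entry point: attach to an already-running process by PID.
# bKillOnExit=True terminates the debuggee when the debugger exits or
# detaches, so do not point this at a process that must stay alive.
pid = raw_input("Enter PID of process to monitor: ")
try:
    pid = int(pid.strip())
except ValueError:
    # Fail clearly instead of with a traceback from attach()/int().
    raise SystemExit("[!] not a valid PID: %r" % pid)
with Debug(DangerousFunctionEventHandler(), bKillOnExit=True) as debug:
    debug.attach(pid)
    try:
        debug.loop()
    except KeyboardInterrupt:
        # Ctrl-C: stop the debugging session cleanly.
        debug.stop()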