More examples

Set a debugging timeout

Sometimes you’ll want to set a maximum time to debug your target, especially when fuzzing or analyzing malware. This example shows how to code a custom debugging loop with a timeout. It launches the Windows Calculator and stops when the target process is closed or after a 5 second timeout.
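
The timeout loop described above, written here as an added example (it is not the downloadable script from this page). It is coded against the winappdbg.Debug methods execv, get_debugee_count, wait, dispatch, cont and stop, which are assumed, and the deadline logic takes the debugger and clock as parameters so it can be exercised without a Windows target.

```python
import time

# Win32 status codes that Debug.wait() raises as WindowsError when no debug
# event arrives within its own wait interval (standard Windows constants).
WAIT_TIMEOUT      = 0x102
ERROR_SEM_TIMEOUT = 121

def debug_loop_with_timeout(debug, timeout, clock=time.time, poll_ms=1000):
    """Pump debug events until the last debuggee exits or `timeout` seconds
    pass. Returns True if the target finished on its own, False on timeout.
    `debug` needs get_debugee_count(), wait(ms), dispatch(event) and
    cont(event) (winappdbg.Debug, assumed); `clock` is injectable for tests."""
    deadline = clock() + timeout
    while debug.get_debugee_count() > 0:
        remaining = deadline - clock()
        if remaining <= 0:
            return False
        try:
            # Never block past the deadline, and re-check it at least every poll_ms.
            event = debug.wait(min(poll_ms, int(remaining * 1000) + 1))
        except OSError as e:
            # WindowsError is OSError on Python 3; a wait timeout just means retry.
            if getattr(e, "winerror", None) in (WAIT_TIMEOUT, ERROR_SEM_TIMEOUT):
                continue
            raise
        try:
            debug.dispatch(event)   # run the event handlers, if any were set
        finally:
            debug.cont(event)       # always let the target continue
    return True

def launch_with_timeout(argv, timeout=5.0):
    """Windows only: launch argv under winappdbg and stop after `timeout` seconds."""
    from winappdbg import Debug   # local import keeps the loop above portable
    debug = Debug(bKillOnExit=True)   # kill the target if we stop early
    try:
        debug.execv(argv)
        return debug_loop_with_timeout(debug, timeout)
    finally:
        debug.stop()   # terminates (or detaches from) any remaining debuggee

if __name__ == "__main__":
    print("finished" if launch_with_timeout(["calc.exe"], 5) else "timed out")
```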

Dump the memory of a process

This example shows how to dump the memory map and contents of a process into an SQLite database. A table is created where each row is a memory region, and the columns are the properties of that region (address, size, mapped filename, etc.) and its data. The data is compressed using zlib to reduce the database size; simply commenting out line 160 of the example stores the data in uncompressed form.
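
An added example of the same dump (not the page's own script): one SQLite row per region, zlib-compressed by default, plus a reader that transparently decompresses. It assumes the region objects carry the attributes winappdbg's Process.generate_memory_snapshot() yields (BaseAddress, RegionSize, State, Protect, Type, filename, content), and the writer accepts any such iterable so it can be fed constructed regions.

```python
import sqlite3
import zlib
SCHEMA = """CREATE TABLE IF NOT EXISTS memory (
    address INTEGER PRIMARY KEY, size INTEGER, state INTEGER, protect INTEGER,
    type INTEGER, filename TEXT, compressed INTEGER, data BLOB)"""

def dump_memory_to_sqlite(regions, db_path, compress=True):
    """One row per region; returns the row count. `regions` yields objects with
    BaseAddress, RegionSize, State, Protect, Type, filename and content, as
    Process.generate_memory_snapshot() does (assumed; content None = unreadable)."""
    db = sqlite3.connect(db_path)
    try:
        db.execute(SCHEMA)
        count = 0
        for mbi in regions:
            data = mbi.content if mbi.content is not None else b""
            if compress:
                data = zlib.compress(data)   # drop this line to store raw bytes
            db.execute("INSERT OR REPLACE INTO memory VALUES (?,?,?,?,?,?,?,?)",
                       (mbi.BaseAddress, mbi.RegionSize, mbi.State, mbi.Protect,
                        mbi.Type, mbi.filename, int(compress), sqlite3.Binary(data)))
            count += 1
        db.commit()
    finally:
        db.close()
    return count

def read_region(db_path, address):
    """(size, filename, data) for the region at `address`, decompressed if
    it was stored compressed; None if no region starts there."""
    db = sqlite3.connect(db_path)
    try:
        row = db.execute("SELECT size, filename, compressed, data FROM memory "
                         "WHERE address = ?", (address,)).fetchone()
    finally:
        db.close()
    if row is None:
        return None
    size, filename, compressed, data = row
    return size, filename, zlib.decompress(data) if compressed else bytes(data)

def dump_process(pid, db_path, compress=True):
    from winappdbg import System, Process   # Windows only; local import keeps the rest portable
    System.request_debug_privileges()
    process = Process(pid)
    process.suspend()   # keep the memory map stable while we walk it
    try:
        return dump_memory_to_sqlite(process.generate_memory_snapshot(), db_path, compress)
    finally:
        process.resume()
```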

Find alphanumeric addresses to jump to

This example finds all memory addresses in a target process that are executable and whose address consists of alphanumeric characters only. This is useful when exploiting a stack buffer overflow where the input string is limited to alphanumeric characters.

Note that on 64-bit processors most memory addresses are not alphanumeric, so this example is meaningful for 32-bit processes only.

from struct import pack
from winappdbg import System, Process, HexDump

# Iterator of alphanumeric executable addresses.
def iterate_alnum_jump_addresses(process):

    # Determine the size of a pointer in the current architecture.
    if System.bits == 32:
        fmt = 'L'
    elif System.bits == 64:
        fmt = 'Q'
        print "Warning! 64 bit addresses are not likely to be alphanumeric!"
    else:
        raise NotImplementedError

    # Get an iterator for the target process memory.
    iterator = process.generate_memory_snapshot()

    # Iterate the memory regions of the target process.
    for mbi in iterator:

        # Discard non executable memory.
        if not mbi.is_executable():
            continue

        # Get the module that owns this memory region, if any.
        address = mbi.BaseAddress
        module  = process.get_module_at_address(address)

        # Yield each alphanumeric address in this memory region.
        max_address = address + mbi.RegionSize
        while address < max_address:
            packed = pack(fmt, address)
            if packed.isalnum():
                yield address, packed, module
            address = address + 1

# Iterate and print alphanumeric executable addresses.
def print_alnum_jump_addresses(pid):

    # Request debug privileges so we can inspect the memory of services too.
    System.request_debug_privileges()

    # Suspend the process so there are no malloc's and free's while iterating.
    process = Process(pid)
    process.suspend()
    try:

        # For each executable alphanumeric address...
        for address, packed, module in iterate_alnum_jump_addresses(process):

            # Format the address for printing.
            numeric = HexDump.address(address, process.get_bits())
            ascii   = repr(packed)

            # Format the module name for printing.
            if module:
                modname = module.get_name()
            else:
                modname = ""

            # Try to disassemble the code at this location.
            try:
                code = process.disassemble(address, 16)[0][2]
            except NotImplementedError:
                code = ""

            # Print it.
            print numeric, ascii, modname, code

    # Resume the process when we're done.
    # This is inside a "finally" block, so if the program is interrupted
    # for any reason we don't leave the process suspended.
    finally:
        process.resume()

Show processes DEP settings

Beginning with Windows XP SP3, it’s possible to query a process and find out its Data Execution Prevention (DEP) settings. It may have DEP enabled or disabled, DEP-ATL thunking emulation enabled or disabled, and these settings may be changeable at runtime or permanent for the lifetime of the process.

This example lists all 32-bit processes the current user has permission to access and shows their DEP settings.

Choose the disassembler you want to use

WinAppDbg supports several disassembler engines. When more than one compatible engine is installed a default one is picked. However, you can manually select which one you want to use.

This example shows how to list the supported disassembler engines for the desired architecture and pick one.

Enumerate all named global atoms

Global atoms are WORD numeric values that can be associated with arbitrary strings. They are used primarily for IPC purposes on Windows XP (Vista and 7 don’t seem to be using them anymore). This example shows how to retrieve the string for any atom value.

from winappdbg.win32 import GlobalGetAtomName, MAXINTATOM

# Print all valid named global atoms to standard output.
def print_atoms():
    for x in xrange(0, MAXINTATOM):
        try:
            n = GlobalGetAtomName(x)
            if n == "#%d" % x:      # comment out to print
                continue            # valid numeric atoms
            print "Atom %4x: %r" % (x, n)
        except WindowsError:
            pass