pydbg
A pure-python win32 debugger interface.
Using pydbg I'm opening files(ex. c:\\myfile.mnp) within a win32 application(Ex. c:\\myprog.exe) in this way.
dbg = pydbg()
dbg.load("c:\\myprog.exe", "c:\\myfile1.mnp")
If the target application is already running then, is it possible to open a another file(For example c:\myfile2.mnp ) within the same application which is already running without closing that process/apps, using pydbg?
Source: (StackOverflow)
I've tried posting this in the reverse-engineering stack-exchange, but I thought I'd cross-post it here for more visibility.
I'm having trouble switching from debugging one thread to another in pydbg. I don't have much experience with multithreading, so I'm hoping that I'm just missing something obvious.
Basically, I want to suspend all threads, then start single stepping in one thread. In my case, there are two threads.
First, I suspend all threads. Then, I set a breakpoint on the location where EIP will be when thread 2 is resumed. (This location is confirmed by using IDA). Then, I enable single-stepping as I would in any other context, and resume Thread 2.
However, pydbg doesn't seem to catch the breakpoint exception! Thread 2 seems to resume and even though it MUST hit that address, there is no indication that pydbg is catching the breakpoint exception. I included a "print "HIT BREAKPOINT" inside pydbg's internal breakpoint handler, and that never seems to be called after resuming Thread 2.
I'm not too sure about where to go next, so any suggestions are appreciated!
dbg.suspend_all_threads()
print dbg.enumerate_threads()[0]
oldcontext = dbg.get_thread_context(thread_id=dbg.enumerate_threads()[0])
if (dbg.disasm(oldcontext.Eip) == "ret"):
print disasm_at(dbg,oldcontext.Eip)
print "Thread EIP at a ret"
addrstr = int("0x"+(dbg.read(oldcontext.Esp + 4,4))[::-1].encode("hex"),16)
print hex(addrstr)
dbg.bp_set(0x7C90D21A,handler=Thread_Start_bp_Handler)
print dbg.read(0x7C90D21A,1).encode("hex")
dbg.bp_set(oldcontext.Eip + dbg.instruction.length,handler=Thread_Start_bp_Handler)
dbg.set_thread_context(oldcontext,thread_id=dbg.enumerate_threads()[0])
dbg.context = oldcontext
dbg.resume_thread(dbg.enumerate_threads()[0])
dbg.single_step(enable=True)
return DBG_CONTINUE
Sorry about the "magic numbers", but they are correct as far as I can tell.
Source: (StackOverflow)
Using a python based disassembler + debugger I've found below instructions(example). Now I want to parse Microsoft provided public symbols to find exact functions its calling.
I want to know what are the available options/ modules to do the same. Can we just simply get the info from a static PDB files or its required to load that in memory while debugging ?
call ntdll!0x33dec
call ntdll!0x22280
call ntdll!0x2df40
call ntdll!0x33cdb
call ntdll!0x2df29
call ntdll!0x325a0
call ntdll!0x32a96
call ntdll!0x32a79
call ntdll!0x220a4
Source: (StackOverflow)
This is possibly more of a ctypes question than a pydbg question, but I still don't understand why the results are inconsistent in the way they are.
I have an exit_hook set on LoadLibraryA using pydbg and its utils.hook_container class like this:
def exit_LoadLibraryA(dbg, args, ret):
libname = c_char_p(args[0])
# or: libname = ctypes.cast(args[0], ctypes.c_char_p)
print "LoadLibraryA(%s) -> %08X" % (str(libname), ret)
return DBG_CONTINUE
unfortunately the output is inconsistent. While some of the values get converted to (and shown as) strings, some others get shown as numbers like this:
LoadLibraryA(c_char_p(2007516492)) -> 7C800000
LoadLibraryA(c_char_p(17426164)) -> 77DD0000
LoadLibraryA(c_char_p(17426164)) -> 76C30000
LoadLibraryA(c_char_p('UxTheme.dll')) -> 5AD70000
LoadLibraryA(c_char_p('IMM32.dll')) -> 76390000
LoadLibraryA(c_char_p('COMCTL32.dll')) -> 773D0000
LoadLibraryA(c_char_p('Secur32.dll')) -> 77FE0000
LoadLibraryA(c_char_p(1033757216)) -> 7C9C0000
what I would like is to reliably convert the char* (and later the wchar_t* of LoadLibraryW) to a Python string to output it.
Source: (StackOverflow)
I am writing multi-threaded python application.
The main thread create a Thread pool of 5 Worker Threads.
The main thread also create a Monitor Thread.
Total: 6 threads + 1 Main Thread = 7
All Threads talk with a MySQL server (mysqldb -> libmysqlclient_r)
In my SQL wrapper i have added a Threading.Lock to the DB query function.
This Lock is a Global lock and all the Threads that query the DB, uses it.
def query(self, query):
with lock:
execute Query Here
Everything works well, until at some point, the main thread stuck (and so does all the threads)
I attached the GDB debugger and noticed that: (info threads)
7 Thread 0x7f555c386700 (LWP 16077) 0x00007f5561a503c0 in sem_wait () from /lib/libpthread.so.0
6 Thread 0x7f555bb85700 (LWP 16078) 0x00007f5561a503c0 in sem_wait () from /lib/libpthread.so.0
5 Thread 0x7f555b384700 (LWP 16079) 0x00007f5561a503c0 in sem_wait () from /lib/libpthread.so.0
4 Thread 0x7f555ab83700 (LWP 16080) 0x00007f5561a503c0 in sem_wait () from /lib/libpthread.so.0
3 Thread 0x7f555a382700 (LWP 16081) 0x00007f5561a503c0 in sem_wait () from /lib/libpthread.so.0
2 Thread 0x7f5559b81700 (LWP 16083) 0x00007f55609141a3 in select () from /lib/libc.so.6
1 Thread 0x7f5561e6f700 (LWP 16061) 0x00007f5561a503c0 in sem_wait () from /lib/libpthread.so.0
Th1 = Main Thread, Th2 = Monitor Thread, Th3-Th7 - Worker Threads
I noticed that All the threads beside the monitor thread are waiting on sem_wait():
(gdb) bt
#0 0x00007f5561a503c0 in **sem_wait** () from /lib/libpthread.so.0
#1 0x00000000004d44e8 in **PyThread_acquire_lock** ()
#2 0x00000000004d8982 in ?? ()
#3 0x00000000004a7ba5 in PyEval_EvalFrameEx ()
However, the monitor thread is capable of acquiring and releasing the lock (it runs every 30 sec, the select() you see is due to the sleep(30)).
I do not understand , why the rest of the threads are stuck on sem_wait(), since no one acquired the lock.
Any ideas how to solve this? how to debug this?
Thank you
Source: (StackOverflow)
I'm following Gray Hat Python book and have copied their code for the process snapshots using PyDBG. When I run the script I get no errors and expected output however my program is not actually reverting to the snapshot. When I go in debug it seems like values are in the snapshot variables as if it is storing snapshot info but I don't really know enough to say for sure.
Here is code:
from pydbg import *
from pydbg.defines import *
import threading
import time
import sys
class snapshotter(object):
def __init__(self,exe_path):
self.exe_path = exe_path
self.pid = None
self.dbg = None
self.running = True
pydbg_thread = threading.Thread(target=self.start_debugger)
pydbg_thread.setDaemon(0)
pydbg_thread.start()
while self.pid == None:
time.sleep(1)
monitor_thread = threading.Thread(target=self.monitor_debugger)
monitor_thread.setDaemon(0)
monitor_thread.start()
def monitor_debugger(self):
while self.running == True:
input = raw_input("Enter: 'snap','restore' or 'quit'")
input = input.lower().strip()
if input == "quit":
print "[*] Exiting the snapshotter."
self.running = False
self.dbg.terminate_process()
elif input == "snap":
print "[*] Suspending all threads."
self.dbg.suspend_all_threads()
print "[*] Obtaining snapshot."
self.dbg.process_snapshot()
print "[*] Resuming operation."
self.dbg.resume_all_threads()
elif input == "restore":
print "[*] Suspending all threads."
self.dbg.suspend_all_threads()
print "[*] Restoring snapshot."
self.dbg.process_restore()
print "[*] Resuming operation."
self.dbg.resume_all_threads()
def start_debugger(self):
self.dbg = pydbg()
pid = self.dbg.load(self.exe_path)
self.pid = self.dbg.pid
self.dbg.run()
exe_path = "C:\\WINDOWS\\System32\\calc.exe"
snapshotter(exe_path)
Source: (StackOverflow)
I'm using python 2.5(x86) in Windows7 x64.
I wrote the code following this book.
http://nostarch.com/ghpython.htm
But it doesn't work in my environment.
PDBG_ERR> -- IGNORING ERROR --
PDBG_ERR> process_restore: [87] WriteProcessMemory
I suppose the problem comes from Windows version because somebody mentioned it in the below url page and I heard it works in Windows XP.
http://bbs.csdn.net/topics/380255167
PyDBG process snapshots not working
from pydbg import *
from pydbg.defines import *
import threading
import time
import sys
class snapshotter(object):
def __init__(self,exe_path):
self.exe_path = exe_path
self.pid = None
self.dbg = None
self.running = True
pydbg_thread = threading.Thread(target=self.start_debugger)
pydbg_thread.setDaemon(0)
pydbg_thread.start()
while self.pid == None:
time.sleep(1)
monitor_thread = threading.Thread(target=self.monitor_debugger)
monitor_thread.setDaemon(0)
monitor_thread.start()
def monitor_debugger(self):
while self.running == True:
input = raw_input("Enter: 'snap','restore' or 'quit'")
input = input.lower().strip()
if input == "quit":
print "[*] Exiting the snapshotter."
self.running = False
self.dbg.terminate_process()
elif input == "snap":
print "[*] Suspending all threads."
self.dbg.suspend_all_threads()
print "[*] Obtaining snapshot."
self.dbg.process_snapshot()
print "[*] Resuming operation."
self.dbg.resume_all_threads()
elif input == "restore":
print "[*] Suspending all threads."
self.dbg.suspend_all_threads()
print "[*] Restoring snapshot."
self.dbg.process_restore()
print "[*] Resuming operation."
self.dbg.resume_all_threads()
def start_debugger(self):
self.dbg = pydbg()
pid = self.dbg.load(self.exe_path)
self.pid = self.dbg.pid
self.dbg.run()
exe_path = "C:\\WINDOWS\\System32\\calc.exe"
snapshotter(exe_path)
How can I avoid this error and make it work?
Source: (StackOverflow)
I'm looking for some external library which will allow me to attach to some other running process.
I actually want to detect all the API Functions that the process is using.
I can do it through Python (with the module PyDbg), but I want to do this task in C#.
Is there any library that can do this work? I will be glad to hear about some libraries which can do this.
Thank you.
Source: (StackOverflow)
I want to see the dlls that are hooked to any process using python. Is it possible by pdb?
Is there any way to attach to a process or open a process from python debugger and view the dlls hooked?
Source: (StackOverflow)
I'm working on a program, where in some part of it, it needs to listen to the OP for when files are created/saved, so I can work on said file.
I know the basic concept of hooking, but I don't know exactly how to implement it in this specific use(I know how to attach a hook to a specific PID, but here I need to listen to all processes and see if one of them is creating a file).
I'm using pydbg for my hooking needs, but if your answer uses something different, feel free to still answer.
Thanks :)
Source: (StackOverflow)
I am trying to use PyDBG with Python 2.7. I believe it is installed correctly.
import pydbg
dbg = pydbg()
Produces error when run:
Traceback (most recent call last):
File "[path removed..]\pydbg.py", line 1, in <module>
import pydbg
File "[path removed..]\pydbg.py", line 5, in <module>
dbg = pydbg()
TypeError: 'module' object is not callable
Source: (StackOverflow)
I want to know, using windbg or any other debugger how can i get the PID of child process created by parent process.
Example :
Debugger attached to arbitrary running "Process A".
When debugger is attached to process A(Parent), Process A creates another child process (Process B) using kernel32!CreateProcess* or kernel32!CreateProcessInternal.
So how can I get the PID of process B from process A??
Mainly I want to do it using pydbg but if i get to know how to achieve this manually using windbg, i hope I will be able to do the same using pydbg.
Thanks in Advance,
Source: (StackOverflow)
Here is a snippets from my python shell, i can't understand what is wrong there, if somebody has any suggestion i would be glad to hear.
>>> import pydbg
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "C:\Python27\lib\pydbg\__init__.py", line 47, in <module>
from pydbg import *
File "C:\Python27\lib\pydbg\pydbg.py", line 32, in <module>
import pydasm
ImportError: DLL load failed: The specified module could not be found.
>>> import pydasm
>>>
how come that i can't import pydbg since there it can't import pydasm, and i can import pydasm directly ?
Source: (StackOverflow)