Created: Tuesday, February 6 2007 01:14.20 CST Modified: Tuesday, February 6 2007 18:06.06 CST
The Greatness of PyDbg
Author: drew

For the past few years I've been using a debugger I wrote in C#.  Recently I gave Pedram's PyDbg, a part of PaiMei, a spin.  PyDbg did exactly what I wanted!  Even though I'm not particularly fond of Python, it looks like I'll have to use PyDbg more and probably learn a bit of Python along the way.  You can download PyDbg as a part of PaiMei from our download section.

One function that I stole from Igor Skochinsky's QTFairUse is find_pid.  It takes in a process name and returns the process id.  Simple enough, but useful. :)  Here's a dump of the code:

import sys
from pydbg import *

def find_pid(dbg, name):
    # Case-insensitive lookup of a process id by image name.  Returns the
    # first process whose name matches, or -1 if none is running.
    namel = name.lower()
    for (pid, proc_name) in dbg.enumerate_processes():
        if proc_name.lower() == namel:
            return pid
    return -1


# and a simple use example:

dbg = pydbg()

pid = find_pid(dbg, "notepad.exe")
if pid != -1:
    print "Attaching to %d" % pid
    dbg.attach(pid)
else:
    sys.exit("process not found.")
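
find_pid returns the first process whose name matches and gives no hint that other matches exist, so a script can quietly attach to the wrong instance when two copies of the target are running. The following is an added example, not drew's or PaiMei's code, written in Python 3 so it runs without PyDbg: FakeDbg is a constructed stand-in that exposes enumerate_processes() and attach() with the same (pid, name) shape the loop above relies on, and its process table is made up. find_pids and attach_by_name are assumed names; they generalize find_pid to return every match and to refuse an ambiguous attach unless the caller picks a pid.

```python
# Added example (not PyDbg's or the blog author's code): process-name lookup
# that reports ambiguity instead of attaching to the first match.
# FakeDbg stands in for a live pydbg() so the logic runs offline.
import ntpath   # Windows path rules regardless of the host OS


class FakeDbg:
    """Constructed stand-in for pydbg(): fixed process table, records attaches."""

    def __init__(self, procs):
        self._procs = procs
        self.attached = []

    def enumerate_processes(self):
        # Same shape as PyDbg: an iterable of (pid, process name) pairs.
        return list(self._procs)

    def attach(self, pid):
        self.attached.append(pid)


def find_pids(dbg, name):
    """Return every pid whose image name matches, case-insensitively.

    A full path may be given for either side; only the basename is compared,
    which is how process listings usually report names.
    """
    wanted = ntpath.basename(name).lower()
    return sorted(pid for pid, proc_name in dbg.enumerate_processes()
                  if ntpath.basename(proc_name).lower() == wanted)


def attach_by_name(dbg, name, pid=None):
    """Attach to the single process called `name` and return its pid.

    Raises LookupError when nothing matches and ValueError when several
    processes match and no explicit `pid` selects one, so a script never
    ends up inside the wrong process by accident.
    """
    pids = find_pids(dbg, name)
    if not pids:
        raise LookupError("process not found: %s" % name)
    if pid is None:
        if len(pids) > 1:
            raise ValueError("%d processes named %s: %s" % (len(pids), name, pids))
        pid = pids[0]
    elif pid not in pids:
        raise ValueError("pid %d is not a %s process" % (pid, name))
    dbg.attach(pid)
    return pid


# Constructed process table; pids and names are made up.
SAMPLE_PROCS = [
    (4, "System"),
    (1234, "Notepad.exe"),
    (2048, r"C:\Windows\System32\notepad.exe"),
    (3000, "explorer.exe"),
]

if __name__ == "__main__":
    dbg = FakeDbg(SAMPLE_PROCS)
    print(find_pids(dbg, "notepad.exe"))        # [1234, 2048]
    print(attach_by_name(dbg, "explorer.exe"))  # 3000
```

With a real PyDbg object in place of FakeDbg the two functions work unchanged, since they only call enumerate_processes() and attach(); the `pid=` argument is how a script picks one of several same-named processes deliberately.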


Blog Comments
drew Posted: Wednesday, February 28 2007 09:16.24 CST
By the way, it appears that hardware breakpoints (bp_set_hw) don't work in the current version of pydbg.  Pedram fixed it in his current copy of the code, so expect a working version sometime in the future.

p0l Posted: Wednesday, February 28 2007 11:54.26 CST
What a coincidence... I've been writing a script for the last couple of hours and wondering what I'm doing wrong because bp_set_hw doesn't work, and now I see this :)

pedram Posted: Friday, March 2 2007 18:18.57 CST
Yeah, I need to develop some unit testing ;-)

In the SVN repository I've since merged pydbg and pydbg_core to ease the burden of debugging the class. I am currently working on ironing out a few details and will then make an updated release with a number of new features etc...

Out of town until end of next week so please be patient with me.

ricnar456 Posted: Tuesday, February 12 2008 04:07.52 CST
In the current release of PyDbg, do the hardware breakpoints work?

I have this error and I don't know if it has been fixed or not:

File "c:\ejemplo4.py", line 13, in ?
  dbg.bp_set_hw(4198400,4,3,False,False)
File "C:\Python24\Lib\site-packages\pydbg\pydbg.py", line 490, in bp_set_hw
  context = self.get_thread_context(self.h_thread)
File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 745, in get_thread_context
  raise pdx("GetThreadContext()", True)

ricnar

jms Posted: Tuesday, February 12 2008 12:25.13 CST
This looks like you don't have a valid thread handle, as it's get_thread_context() that appears to be failing. Can you post some of your code?

ricnar456 Posted: Tuesday, February 12 2008 17:28.35 CST
It is a simple script: load the crackme, reach the entry point, put a breakpoint on MessageBoxA and reach that API. If I put a dbg.bp_set on MessageBoxA the script works fine, but I cannot do the same thing with a hardware breakpoint on MessageBoxA.

-------------------------------------------------------
import sys
from pydbg import *


dbg = pydbg()
dbg.load(r'C:\CRACKME.EXE')
dbg.debug_event_iteration()


dbg.bp_set(0x401000)

while not dbg.context.Eip == 0x401000:
    dbg.debug_event_iteration()

print 'LLEGUE a EP'

recv = dbg.func_resolve("user32", "MessageBoxA")
dbg.bp_set_hw(recv,4,3)                  ##NOT WORK
while not dbg.context.Eip == recv:
    dbg.debug_event_iteration()

print 'LLEGUE a MessageBoxA'

-----------------------------------------------------------

Whenever I set a hardware breakpoint I get the same error. I tried all possibilities but it is always the same.

This is the error:

>>> dbg.bp_set_hw(recv,4,3)
Traceback (most recent call last):
  File "C:\<string>", line 1, in ?
  File "C:\Python24\Lib\site-packages\pydbg\pydbg.py", line 490, in bp_set_hw
    context = self.get_thread_context(self.h_thread)
  File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 745, in get_thread_context
    raise pdx("GetThreadContext()", True)
pdx: [6] GetThreadContext(): Controlador no válido.

Thanks for all
ricnar
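
To make sense of what bp_set_hw(recv, 4, 3) asks the debugger to do, and why a failing GetThreadContext() stops it cold, here is an added example (not PyDbg's code, not the poster's) that models the register writes in pure Python 3. A hardware breakpoint is set by reading the thread's CONTEXT, putting the address into a free Dr0..Dr3 slot, programming that slot's enable, R/W and LEN bits in Dr7, and writing the context back; without a valid thread handle there is no context to read, which is what the traceback above reports. DebugRegs is a constructed stand-in for the Dr fields of a CONTEXT, the addresses are made up, and the function names are assumptions. The bit layout is the x86 DR7 definition; the 4 and 3 in the call above are the byte length and the R/W condition (0 execute, 1 write, 3 read/write access), the same numeric values PyDbg passes through. One check the page's call does not show: x86 only allows a length of 1 for execute breakpoints, so the model rejects other lengths.

```python
# Added example (not PyDbg's code): what a debugger must program into a
# thread's debug registers for one hardware breakpoint, and how to read it
# back.  DebugRegs is a constructed stand-in for CONTEXT.Dr0..Dr3/Dr7.

HW_EXECUTE, HW_WRITE, HW_ACCESS = 0, 1, 3          # x86 R/Wn field values
LEN_BITS = {1: 0b00, 2: 0b01, 4: 0b11}             # x86 LENn encoding (32-bit)


class DebugRegs:
    """Constructed stand-in for the debug-register fields of a thread CONTEXT."""

    def __init__(self):
        self.dr = [0, 0, 0, 0]   # Dr0..Dr3: linear addresses
        self.dr7 = 0             # Ln enable bits plus per-slot R/Wn and LENn


def set_hw_breakpoint(regs, address, length, condition):
    """Program the first free slot and return its index (0..3).

    Raises ValueError for bad parameters or when all four slots are taken;
    a debugger must report that rather than overwrite another breakpoint.
    """
    if length not in LEN_BITS:
        raise ValueError("length must be 1, 2 or 4")
    if condition not in (HW_EXECUTE, HW_WRITE, HW_ACCESS):
        raise ValueError("condition must be 0 (execute), 1 (write) or 3 (access)")
    # x86 requires LENn == 00 (one byte) for execute breakpoints.
    if condition == HW_EXECUTE and length != 1:
        raise ValueError("execute breakpoints must use length 1")
    for slot in range(4):
        # Local-enable bit Ln is bit 2*n; if it is set the slot is in use.
        if not regs.dr7 & (1 << (2 * slot)):
            regs.dr[slot] = address
            regs.dr7 |= 1 << (2 * slot)                       # Ln: local enable
            regs.dr7 |= condition << (16 + 4 * slot)          # R/Wn field
            regs.dr7 |= LEN_BITS[length] << (18 + 4 * slot)   # LENn field
            return slot
    raise ValueError("all four hardware breakpoint slots are in use")


def clear_hw_breakpoint(regs, slot):
    """Disable a slot and zero its address, R/Wn and LENn fields."""
    regs.dr[slot] = 0
    regs.dr7 &= ~(1 << (2 * slot))
    regs.dr7 &= ~(0b1111 << (16 + 4 * slot))


def decode_dr7(regs):
    """Return (slot, address, length, condition) for every enabled slot."""
    inv_len = {bits: size for size, bits in LEN_BITS.items()}
    active = []
    for slot in range(4):
        if regs.dr7 & (1 << (2 * slot)):
            rw = (regs.dr7 >> (16 + 4 * slot)) & 0b11
            ln = (regs.dr7 >> (18 + 4 * slot)) & 0b11
            active.append((slot, regs.dr[slot], inv_len[ln], rw))
    return active


if __name__ == "__main__":
    regs = DebugRegs()
    # The call from the post above, bp_set_hw(recv, 4, 3), with a made-up address.
    set_hw_breakpoint(regs, 0x7E450000, 4, HW_ACCESS)
    print(hex(regs.dr7))     # 0xf0001
    print(decode_dr7(regs))
```

decode_dr7 is the inverse view: when examining a suspended thread's context it shows which slots are already taken (a fifth breakpoint has nowhere to go) and lets you confirm a debugger really cleared its registers on detach, since stale Dr7 bits keep firing single-step exceptions in a process nobody is debugging any more.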

ricnar456 Posted: Tuesday, February 12 2008 17:30.23 CST
Some indentation was lost when copy-pasting.

import sys
from pydbg import *

# load the program

dbg = pydbg()
dbg.load(r'C:\CRACKME.EXE')
dbg.debug_event_iteration()      # let it actually start

# set a breakpoint on MessageBoxA
dbg.bp_set(0x401000)

while not dbg.context.Eip == 0x401000:
    dbg.debug_event_iteration()

print 'LLEGUE a EP'

recv = dbg.func_resolve("user32", "MessageBoxA")
dbg.bp_set_hw(recv,4,3)
while not dbg.context.Eip == recv:
    dbg.debug_event_iteration()

print 'LLEGUE a MessageBoxA'

ricnar

ricnar456 Posted: Tuesday, February 12 2008 17:32.13 CST
Well, the indentation is perfect; when I copy-paste here, the script loses the indentation before dbg.debug_event_iteration().

recv = dbg.func_resolve("user32", "MessageBoxA")
dbg.bp_set_hw(recv,4,3)
while not dbg.context.Eip == recv:
    dbg.debug_event_iteration()

print 'LLEGUE a MessageBoxA'

ricnar456 Posted: Tuesday, February 12 2008 17:43.10 CST
When I reach that point in Wing's Debug Probe I enter

dbg.enumerate_threads() and get a numerical value

[120L]

So the thread is valid and exists; why can't I set a hardware breakpoint on this thread, when I have no problem setting an HBP when I debug with OllyDbg?

ricnar


ricnar456 Posted: Tuesday, February 12 2008 18:11.56 CST
When I use a function named pepe defined previously:

pdx: [0] GetThreadContext(): La operación se ha completado correctamente.
File "C:\ejemplo4.py", line 21, in ?
  dbg.bp_set_hw(recv,4,3,True,pepe)
File "C:\Python24\Lib\site-packages\pydbg\pydbg.py", line 490, in bp_set_hw
  context = self.get_thread_context(self.h_thread)
File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 745, in get_thread_context
  raise pdx("GetThreadContext()", True)

And if I look at the value of self.h_thread:


>>> self.h_thread
1868

>>> self.get_thread_context(self.h_thread)
Traceback (most recent call last):
  File "C:\<string>", line 1, in ?
  File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 745, in get_thread_context
    raise pdx("GetThreadContext()", True)
pdx: [6] GetThreadContext(): Controlador no válido.
>>> self.h_thread
1868
>>> self.get_thread_context(self.h_thread)
Traceback (most recent call last):
  File "C:\<string>", line 1, in ?
  File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 745, in get_thread_context
    raise pdx("GetThreadContext()", True)
pdx: [6] GetThreadContext(): Controlador no válido.
>>>

ricnar

ricnar456 Posted: Thursday, February 14 2008 03:05.55 CST
Any help?

ricnar

ricnar456 Posted: Thursday, February 14 2008 03:29.27 CST
If anybody has time to help me, here are two scripts and the crackme.

http://storage2.ricardonarvaja.com.ar/web/example.rar

There are two scripts: the old script with (int3) breakpoints, working perfectly, and the new script with hardware breakpoints, with the errors described before.

Thanks in advance
ricnar




ricnar456 Posted: Thursday, February 14 2008 11:12.43 CST
Thanks, I solved it using the SVN version.

ricnar
