
Pydbg unable to trace Internet Explorer

Topic created on: January 20, 2013 12:07 CST by darkaccess .

Hello everybody,

I was working on a Python script to trace the behavior of Internet Explorer while it loads an html page stored on my HD.

I tried different approaches but got no results with any of them.
For example, two approaches here below:

1. Execute and Attach.
- Use WinExec to run IE, then enumerate processes (dbg.enumerate_processes), attach to the process and start setting BPs. It works quite well. The problem is that the page gets loaded too fast and I cannot debug all the functions that I need to look at.

2. Load IE and start placing BPs.
The problem in this case is that I place a BP on the entry point, and once I am there I add the BP on CreateFileA.
It works 5 times (I am able to see 5 CreateFileA accesses), and after that the program crashes.
I get exception 0x80000003 (EXCEPTION_BREAKPOINT) at address CreateFileA.
I check with Olly what's at that address and I find:

7C801A28 > CC               INT3
7C801A29   FF55 8B          CALL DWORD PTR SS:[EBP-75]
7C801A2C   EC               IN AL,DX                                 ; I/O command
7C801A2D   FF75 08          PUSH DWORD PTR SS:[EBP+8]

That looks very weird; the BP there should be handled by pydbg. Do you guys know why?

Here below the output of my script.

BP EP: 0x402bc5
EP add CreateFileA BP
[+] BP on CreateFileA
[+] BP on CreateFileA
[+] BP on CreateFileA
[+] BP on CreateFileA
[+] BP on CreateFileA
-> IE CRASHES HERE


Just to give you more info I pasted my code here below (I use WinXP SP3 32 bit):
    from pydbg import *
    from pydbg.defines import *
    import pefile
    import struct

    proc = 'C:\\Program Files\\Internet Explorer\\iexplore.exe'
    procEP = None

    def breakpoint_handler(dbg):
        # Called for every EXCEPTION_BREAKPOINT; the faulting EIP tells us which BP fired.
        if dbg.context.Eip == dbg.func_resolve('kernel32', 'CreateFileA'):
            try:
                print '[+] BP on CreateFileA'
            except:
                pass
        elif dbg.context.Eip == procEP:
            # First stop at the entry point: kernel32 is mapped by now, so the API BP can be set.
            print 'EP add CreateFileA BP'
            try:
                dbg.bp_set(dbg.func_resolve('kernel32', 'CreateFileA'))
            except:
                print "Error BP CreateFileA"

        return DBG_CONTINUE

    if __name__ == '__main__':
        try:
            progpe = pefile.PE(proc)
            # Entry point VA = RVA from the optional header + preferred image base.
            procEP = progpe.OPTIONAL_HEADER.AddressOfEntryPoint + progpe.OPTIONAL_HEADER.ImageBase
            debug = pydbg()
            debug.load(proc)
            debug.bp_set(procEP)
            debug.set_callback(EXCEPTION_BREAKPOINT, breakpoint_handler)
            print "BP EP: 0x%x" % procEP
            debug.run()
        except:
            # Bare except: any error raised while debugging is swallowed here without a traceback.
            pass

Any ideas on how to solve this problem?


PS: if I execute IE and then attach to it, I am able to set breakpoints correctly and everything works fine; but working this way I cannot trace my web page stored on my HD.

Ideas?

Thanks in advance.

codeinject     January 25, 2013 02:05.10 CST
Seems like the debug trap ( 7C801A28 > CC               INT3 ) creates a breakpoint exception. Just patch the byte (0xcc -> 0x90).

Hope it helps.

darkaccess   March 13, 2013 06:55.40 CDT
Yes, but the problem is why?

Well, I think I solved the problem in another way.

Thanks anyway.
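Both the listing the original poster got from Olly and the 0xCC -> 0x90 suggestion in the reply can be checked against the bytes themselves. The following is an added example, not code from the post or from pydbg: a minimal x86-32 decoder for just the opcodes that appear in this thread. The bytes after the CC in the Olly dump are FF 55 8B EC FF 75 08, which is the standard kernel32 prologue 8B FF 55 8B EC FF 75 08 (mov edi,edi / push ebp / mov ebp,esp / push [ebp+8]) with its first byte overwritten; the example reconstructs those prologue bytes, writes an INT3 over the first byte the way a debugger's software breakpoint does, and disassembles the result. The listing comes out exactly as Olly showed it (INT3, CALL DWORD PTR [EBP-75], IN AL,DX), because the 0xCC byte leaves the decoder starting in the middle of `mov edi,edi`. It also decodes the same bytes with the saved 0x8B written back and with 0x90 written over the INT3, so the difference between the two is visible. The address 0x7C801A28 and the function name are taken from the post; the decoder itself is hypothetical and handles only these instruction forms.

```python
# Added example (not from the original post or from pydbg): a tiny x86-32 decoder for
# the handful of opcodes seen in the thread, used to show why a software breakpoint
# makes the disassembly at CreateFileA look "weird". The prologue bytes below are
# constructed from the Olly dump in the post; 0x7C801A28 is the address the post quotes.

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_modrm(code, pos):
    """Decode a ModRM byte (register-direct and [reg+disp8] forms only, which is all
    this example needs). Returns (reg_field, operand_text, bytes_consumed)."""
    modrm = code[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        return reg, REG32[rm], 1
    if mod == 1 and rm != 4:            # [reg + disp8]; rm == esp would need a SIB byte
        disp = code[pos + 1]
        disp = disp - 0x100 if disp >= 0x80 else disp   # disp8 is signed
        sign = "-" if disp < 0 else "+"
        return reg, "dword ptr [%s%s0x%x]" % (REG32[rm], sign, abs(disp)), 2
    raise NotImplementedError("ModRM form 0x%02x not handled" % modrm)

def decode_one(code, pos):
    """Decode a single instruction at pos. Returns (mnemonic_text, length)."""
    op = code[pos]
    if op == 0xCC:
        return "int3", 1
    if op == 0x90:
        return "nop", 1
    if op == 0xEC:
        return "in al, dx", 1
    if 0x50 <= op <= 0x57:
        return "push %s" % REG32[op - 0x50], 1
    if op == 0x8B:                       # MOV r32, r/m32
        reg, rm_text, n = decode_modrm(code, pos + 1)
        return "mov %s, %s" % (REG32[reg], rm_text), 1 + n
    if op == 0xFF:                       # group 5: /2 = call r/m32, /6 = push r/m32
        reg, rm_text, n = decode_modrm(code, pos + 1)
        if reg == 2:
            return "call %s" % rm_text, 1 + n
        if reg == 6:
            return "push %s" % rm_text, 1 + n
    raise NotImplementedError("opcode 0x%02x not handled" % op)

def disassemble(code, base):
    """Linear-sweep disassembly; returns a list of (address, hex_bytes, text)."""
    out, pos = [], 0
    while pos < len(code):
        text, n = decode_one(code, pos)
        out.append((base + pos, code[pos:pos + n].hex().upper(), text))
        pos += n
    return out

def set_software_bp(code, offset):
    """What a debugger does for an INT3 breakpoint: remember the original byte, write 0xCC.
    Returns (patched_code, saved_byte)."""
    patched = bytearray(code)
    saved = patched[offset]
    patched[offset] = 0xCC
    return bytes(patched), saved

def restore_software_bp(code, offset, saved):
    """Write the saved byte back; this has to happen before the thread re-executes the
    address, otherwise the CPU runs the misaligned stream shown in the 'INT3 in place' case."""
    patched = bytearray(code)
    patched[offset] = saved
    return bytes(patched)

# Constructed from the Olly listing in the post: after the CC come FF 55 8B EC FF 75 08,
# the tail of the standard prologue 8B FF 55 8B EC FF 75 08 with its first byte replaced.
CREATEFILEA_PROLOGUE = bytes.fromhex("8BFF558BECFF7508")
CREATEFILEA_ADDR = 0x7C801A28

if __name__ == "__main__":
    patched, saved = set_software_bp(CREATEFILEA_PROLOGUE, 0)
    cases = (("original bytes", CREATEFILEA_PROLOGUE),
             ("INT3 in place", patched),
             ("INT3 overwritten with NOP", b"\x90" + CREATEFILEA_PROLOGUE[1:]),
             ("INT3 restored to saved byte", restore_software_bp(patched, 0, saved)))
    for title, code in cases:
        print("--", title)
        for addr, hexbytes, text in disassemble(code, CREATEFILEA_ADDR):
            print("%08X  %-10s %s" % (addr, hexbytes, text))
```

Run as a script it prints the four listings side by side; the "INT3 in place" case reproduces the Olly output from the post line for line, and the NOP case shows that only the saved byte, not a NOP, brings the prologue back.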
