Topic created on: June 12, 2007 13:55 CDT by mborohovski.
So I'm trying to use PaiMei to do some API call tracing and all is working out well, except for the following: I want to be able to spawn a process from within my script and attach to that with pydbg. Now, I can spawn a process just fine, but I have to sleep or wait before I attach to it until it has a PID, and by that point if the process is a short one it may have completed execution.
I'm wondering if there's a way to have PaiMei start a process "inside" pydbg so to speak, so it's attached right as soon as the process begins as opposed to having to wait.
Anyone have any experience with this or useful insights?
Hey man,
1) Use the callback from the LOAD_DLL_DEBUG_EVENT to do the handling, you just do a:
last_dll = dbg.get_system_dll(-1)
So whenever the DLLs are loaded, it waits until the DLL is loaded up and then you can access it. As a fail-safe, if the DLL is loaded on its own then -1 will not return it correctly, but adding an enumerate_modules() call in your handler will accurately check for it.
2) To get the arguments passed to the function call you use the hooks() container:
from pydbg.defines import DBG_CONTINUE
import utils

def sendCallback(dbg, args, ret):
    # exit hook: args = [s, buf, len, flags] captured on entry, ret = bytes sent
    print "send() buf=0x%08x len=%d ret=%d" % (args[1], args[2], ret)
    return DBG_CONTINUE

hooks = utils.hook_container()
send = dbg.func_resolve("ws2_32", "send")
hooks.add(dbg, send, 4, None, sendCallback)   # entry hook None, exit hook sendCallback
Now if you are looking at some of the more complex examples in a socket call where there are structs being passed around, etc. you have to use:
dbg.read(args[x], length_of_read)
It can get tricky, but I have wrapped most of ws2_32 and successfully pulled IPs, ports, data, etc. and udraw'd it. Thanks to Pedram for helping me with that of course :)
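Putting the two pieces together, and covering the original question about attaching before a short-lived process exits: pydbg's load() creates the target under the debugger, so the first debug events arrive before any of its code runs and there is no attach race; the LOAD_DLL_DEBUG_EVENT handler then installs the send() hook the moment ws2_32.dll appears. This is an added example, not code from the thread; it assumes PaiMei's pydbg and utils packages are importable on the Windows host, that send()'s arguments are (s, buf, len, flags), and that 0xFFFFFFFF in EAX means SOCKET_ERROR.

```python
from __future__ import print_function
import sys

try:
    from pydbg import pydbg                    # PaiMei's pydbg (Windows only)
    from pydbg.defines import DBG_CONTINUE, LOAD_DLL_DEBUG_EVENT
    import utils                               # PaiMei utils: hook_container
except ImportError:                            # keep the helpers importable elsewhere
    DBG_CONTINUE, LOAD_DLL_DEBUG_EVENT = 0x00010002, 6

TARGET_DLL = "ws2_32.dll"   # assumption: hook as soon as this DLL is mapped
SENDS = []                  # records produced by the send() exit hook
hooks = None

def record_send(args, ret, data):
    """Pure helper: args = [s, buf, len, flags] captured at entry,
    ret = bytes sent (0xFFFFFFFF = SOCKET_ERROR), data = bytes read from buf."""
    ok = ret != 0xFFFFFFFF
    rec = {"socket": args[0], "buf": args[1], "len": args[2],
           "sent": ret if ok else 0, "ok": ok, "data": data}
    SENDS.append(rec)
    return rec

def on_send_exit(dbg, args, ret):
    # Exit hook: the return value is known and the buffer is still mapped,
    # so read only what the call reports as actually sent.
    n = min(args[2], ret) if ret != 0xFFFFFFFF else 0
    data = dbg.read(args[1], n) if n else b""
    print("send() socket=%d len=%d sent=%d" % (args[0], args[2], n))
    record_send(args, ret, data)
    return DBG_CONTINUE

def on_load_dll(dbg):
    global hooks
    last = dbg.get_system_dll(-1)              # the DLL this event is about
    if last.name.lower() == TARGET_DLL and hooks is None:
        hooks = utils.hook_container()
        send = dbg.func_resolve("ws2_32", "send")
        hooks.add(dbg, send, 4, None, on_send_exit)   # exit hook only
    return DBG_CONTINUE

def trace(exe, cmdline=None):
    dbg = pydbg()
    dbg.set_callback(LOAD_DLL_DEBUG_EVENT, on_load_dll)
    dbg.load(exe, cmdline)   # spawned under the debugger: no sleep/attach race
    dbg.run()
    return SENDS

if __name__ == "__main__":
    trace(sys.argv[1], " ".join(sys.argv[2:]) or None)
```

Run it as `python trace_send.py target.exe [args]`; the script exits when the target does, with every send() captured from the first call onward.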