Cody Pierce (codypierce) <cpierce tippingpoint com>
Sunday, November 12 2006 04:26.57 CST
I just wrote a pydbg class for providing an interactive console for controlling the debugger. This can be especially useful in complex pydbg scripts that you need to interact with in certain cases. This, of course, is not supposed to be a replacement for the real debuggers like windbg (or even close), but whatever. One of the best features is the ability to single-step backwards in the process. I'll upload it next week after some cosmetic changes and bug fixes.
C:\Code\Python\paimei>pydbgc.py notepad.exe 1
[*] Trying to attach to existing notepad.exe
[*] Attaching to notepad.exe (2996)
eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c901231 esp=0092ffcc ebp=0092fff4
ntdll.dll!7c901231 ret
pydbgc>
The "1" specifies whether to break on initial attach, and would probably not be needed if tied into your own pydbg script.
pydbgc> help
bp: Set a breakpoint (ex: bp 7ffdb000)
bl: List breakpoints
bc: Clear breakpoints
bd: Delete a breakpoint (ex: bd 2)
s: Single Step
sb: Single Step Backwards
r: Modify a register (ex: r eax=10)
dd: Dump Data
dc: Dump Data Characters
k: Call Stack
seh: Current SEH
g: Resume Execution
quit: Quit
help: Help
pydbgc>
Not much, but if you're doing more than this, use a real debugger... or let me know and I'll try to include it.
pydbgc> bp 7c9507bb
pydbgc> g
Continuing
eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bb esp=0092ffd0 ebp=0092fff4
ntdll.dll!7c9507bb or dword [ebp-0x4],0xffffffff
pydbgc> bl
[0] ntdll.dll!7c9507bb
pydbgc> bd 0
pydbgc> bl
pydbgc>
I named stuff after windbg because that's what I'm used to.
pydbgc> s
eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bf esp=0092ffd0 ebp=0092fff4
ntdll.dll!7c9507bf push 0x0
pydbgc> r
eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bf esp=0092ffd0 ebp=0092fff4
ntdll.dll!7c9507bf push 0x0
pydbgc> r ebx=1000
pydbgc> r
eax=7ffdb000 ebx=000003e8 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bf esp=0092ffd0 ebp=0092fff4
ntdll.dll!7c9507bf push 0x0
pydbgc>
Some single-step action and register modification... I didn't use "t" for single step because I like "s".
pydbgc> g
Continuing
eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c919126 esp=0092ffc0 ebp=0092ffc4
ntdll.dll!7c919126 push 0x44
pydbgc> dd 0092ffc0
0092ffc0: 7c961bed 0092fff4 7c9507c6 00000000 00000005 00000004 00000001 0092ffd0
0092ffe0: 00000000 ffffffff 7c90ee18 7c9507c8 ffffffff 00000000 00000000 00000000
00930000: 00000008 00004060 00000000 ffffffff 00002fa0 00000001 00000000 00000000
00930020: 00000000 00000000 00000058 00001050 28c7f1d0 11d2de25 1000ddaf b599275a
00930040: 0000000b
pydbgc> dd esp
0092ffc0: 7c961bed 0092fff4 7c9507c6 00000000 00000005 00000004 00000001 0092ffd0
0092ffe0: 00000000 ffffffff 7c90ee18 7c9507c8 ffffffff 00000000 00000000 00000000
00930000: 00000008 00004060 00000000 ffffffff 00002fa0 00000001 00000000 00000000
00930020: 00000000 00000000 00000058 00001050 28c7f1d0 11d2de25 1000ddaf b599275a
00930040: 0000000b
pydbgc> dd eax
7ffdb000: 00010000 ffffffff 01000000 001a1e90 00020000 00000000 000a0000 7c97e4c0
7ffdb020: 7c901005 7c9010ed 00000001 77d42980 00000000 00000000 00000000 00000000
7ffdb040: 7c97e480 0007ffff 00000000 7f6f0000 7f6f0000 7f6f0688 7ffb0000 7ffc1000
7ffdb060: 7ffd2000 00000001 00000000 00000000 079b8000 ffffe86d 00100000 00002000
7ffdb080: 00010000
pydbgc> dd eax+100
7ffdb064: 00000001 00000000 00000000 079b8000 ffffe86d 00100000 00002000 00010000
7ffdb084: 00001000 0000000a 00000010 7c97de80 00420000 00000000 00000014 7c97c0d8
7ffdb0a4: 00000005 00000001 02000a28 00000002 00000002 00000004 00000000 00000000
7ffdb0c4: 00000000 00000000 00000000 00000001 00000000 00000000 00000000 00000000
7ffdb0e4: 00000000
pydbgc> dd 1
00000001: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
00000021: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
00000041: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
00000061: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
00000081: ????????
pydbgc>
Fancy "?" marks just like my hero.
eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507a8 esp=0092ffd0 ebp=0092fff4
ntdll.dll!7c9507a8 jmp 0x7c9507bb
pydbgc> s
eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bb esp=0092ffd0 ebp=0092fff4
ntdll.dll!7c9507bb or dword [ebp-0x4],0xffffffff
pydbgc> s
eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bf esp=0092ffd0 ebp=0092fff4
ntdll.dll!7c9507bf push 0x0
pydbgc> s
eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507c1 esp=0092ffcc ebp=0092fff4
ntdll.dll!7c9507c1 call 0x7c961be3
pydbgc> dd esp
0092ffcc: 00000000 00000005 00000004 00000001 0092ffd0 00000000 ffffffff 7c90ee18
0092ffec: 7c9507c8 ffffffff 00000000 00000000 00000000 00000008 00004060 00000000
0093000c: ffffffff 00002fa0 00000001 00000000 00000000 00000000 00000000 00000058
0093002c: 00001050 28c7f1d0 11d2de25 1000ddaf b599275a 0000000b 00000001 00000000
0093004c: 00000f48
pydbgc> sb
eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bf esp=0092ffd0 ebp=0092fff4
ntdll.dll!7c9507bf push 0x0
pydbgc> dd esp
0092ffd0: 00000005 00000004 00000001 0092ffd0 00000000 ffffffff 7c90ee18 7c9507c8
0092fff0: ffffffff 00000000 00000000 00000000 00000008 00004060 00000000 ffffffff
00930010: 00002fa0 00000001 00000000 00000000 00000000 00000000 00000058 00001050
00930030: 28c7f1d0 11d2de25 1000ddaf b599275a 0000000b 00000001 00000000 00000f48
00930050: 00000574
pydbgc> sb
eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bb esp=0092ffd0 ebp=0092fff4
ntdll.dll!7c9507bb or dword [ebp-0x4],0xffffffff
pydbgc> s
eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bf esp=0092ffd0 ebp=0092fff4
ntdll.dll!7c9507bf push 0x0
pydbgc> s
eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507c1 esp=0092ffcc ebp=0092fff4
ntdll.dll!7c9507c1 call 0x7c961be3
pydbgc> dd esp
0092ffcc: 00000000 00000005 00000004 00000001 0092ffd0 00000000 ffffffff 7c90ee18
0092ffec: 7c9507c8 ffffffff 00000000 00000000 00000000 00000008 00004060 00000000
0093000c: ffffffff 00002fa0 00000001 00000000 00000000 00000000 00000000 00000058
0093002c: 00001050 28c7f1d0 11d2de25 1000ddaf b599275a 0000000b 00000001 00000000
0093004c: 00000f48
pydbgc>
And some backwards-stepping action... some quirks in it, but I'll work them out. Hit me up on here.
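The backwards single-step shown in the s / sb session above is the interesting part, so here is an added example of the snapshot-and-restore technique behind it. This is not pydbgc's code and not taken from the post: before every forward step it records the register file plus a window of stack memory around esp, and sb pops the newest record and writes it back. The debugger is abstracted behind five callbacks; the bundled `FakeTarget` is a constructed stand-in for a debuggee (a flat memory image that executes only push imm8, call rel32 and ret) so the example runs offline, and the PyDbg method names mentioned in the docstring (get_thread_context, set_thread_context, read_process_memory, write_process_memory, single_step) are assumptions about that library's API, not something the post confirms.

```python
import struct


class ReverseStepper:
    """Snapshot-and-restore reverse single-stepping (added example).

    Before every forward step, record the register file plus a window of
    stack memory around esp; "sb" pops the newest snapshot and writes it
    back.  The callbacks abstract the debugger: against PyDbg they would
    wrap get_thread_context/set_thread_context, read_process_memory/
    write_process_memory and single_step (assumed PyDbg API names).
    """

    def __init__(self, read_regs, write_regs, read_mem, write_mem, step,
                 window=0x100, depth=64):
        self.read_regs, self.write_regs = read_regs, write_regs
        self.read_mem, self.write_mem = read_mem, write_mem
        self._step = step
        self.window, self.depth = window, depth   # bytes saved, steps kept
        self.history = []                         # newest snapshot last

    def snapshot(self):
        regs = dict(self.read_regs())
        # Caveat: only this window is restored.  A write to the heap, to a
        # global, by another thread or by a syscall lies outside it and is
        # NOT undone; that is one source of "quirks" in reverse stepping.
        base = regs["esp"] - self.window // 2
        return regs, base, self.read_mem(base, self.window)

    def step(self):
        self.history.append(self.snapshot())
        del self.history[:-self.depth]            # bound the history
        self._step()
        return dict(self.read_regs())

    def step_back(self):
        if not self.history:
            raise IndexError("no recorded state to step back to")
        regs, base, data = self.history.pop()
        self.write_mem(base, data)                # memory first, then registers
        self.write_regs(regs)
        return dict(regs)


class FakeTarget:
    """Constructed debuggee: a flat memory image and a register file that
    executes just enough x86 (push imm8, call rel32, ret) to replay the
    push 0 / call sequence from the session above.  Not a real process."""

    def __init__(self, code_base, code, stack_top):
        self.mem = bytearray(0x10000)
        self.mem[code_base:code_base + len(code)] = code
        self.regs = {"eip": code_base, "esp": stack_top, "ebp": stack_top + 0x24}

    def read(self, addr, n):
        return bytes(self.mem[addr:addr + n])

    def write(self, addr, data):
        self.mem[addr:addr + len(data)] = data

    def push(self, value):
        self.regs["esp"] -= 4
        self.write(self.regs["esp"], struct.pack("<I", value))

    def step(self):
        eip = self.regs["eip"]
        op = self.mem[eip]
        if op == 0x6A:                                  # push imm8
            self.push(self.mem[eip + 1])
            self.regs["eip"] = eip + 2
        elif op == 0xE8:                                # call rel32
            rel = struct.unpack("<i", self.read(eip + 1, 4))[0]
            self.push(eip + 5)
            self.regs["eip"] = eip + 5 + rel
        elif op == 0xC3:                                # ret
            self.regs["eip"] = struct.unpack("<I", self.read(self.regs["esp"], 4))[0]
            self.regs["esp"] += 4
        else:
            raise NotImplementedError("opcode %#x" % op)


def run_demo():
    """s, s, sb, sb over `push 0 ; call 0x1100`; return the register state
    after each command plus the stack word that the push clobbered."""
    target = FakeTarget(0x1000, bytes.fromhex("6a00e8f9000000"), 0x8000)
    target.write(0x1100, b"\xc3")                        # callee: ret
    target.write(0x7ffc, struct.pack("<I", 0xDEADBEEF))  # marker the push overwrites
    rs = ReverseStepper(lambda: target.regs, target.regs.update,
                        target.read, target.write, target.step)
    trace = [rs.step(), rs.step(), rs.step_back(), rs.step_back()]
    marker = struct.unpack("<I", target.read(0x7ffc, 4))[0]
    return trace, marker


if __name__ == "__main__":
    for regs in run_demo()[0]:
        print("eip=%08x esp=%08x ebp=%08x" % (regs["eip"], regs["esp"], regs["ebp"]))
```

The two step_back calls walk eip and esp back through 0x1002/0x7ffc to 0x1000/0x8000 and put the 0xDEADBEEF marker back under esp, which is exactly the effect the sb lines in the session show. The design choice worth noting is the bounded stack window: saving only a few hundred bytes around esp keeps each step cheap enough to record on every s, but anything the stepped instruction changes elsewhere (heap, globals, kernel-side state, other threads) stays changed after sb, so treat a reverse step as a register-and-stack rewind, not a true time-travel replay.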