The Greatness of PyDbg
Drew Hintz (drew) <openrceguhnu> Tuesday, February 6 2007 01:14.20 CST


For the past few years I've been using a debugger I wrote in C#.  Recently I gave Pedram's PyDbg, a part of PaiMei, a spin.  PyDbg did exactly what I wanted!  Even though I'm not particularly fond of Python, it looks like I'll have to use PyDbg more and probably learn a bit of Python along the way.  You can download PyDbg as a part of PaiMei from our download section.

One function that I stole from Igor Skochinsky's QTFairUse is find_pid.  It takes in a process name and returns the process id.  Simple enough, but useful. :)  Here's a dump of the code:

def find_pid(dbg, name):
    namel = name.lower()
    found_target = False
    for (pid, proc_name) in dbg.enumerate_processes():
        if proc_name.lower() == namel:
            return pid
    return -1


#and a simple use example:

dbg = pydbg()

pid = find_pid(dbg, "notepad.exe")
if pid!=-1:
    print ("Attaching to %d") % (pid)
    dbg.attach(pid)
else:
    error("process not found.")

Comments
drew Posted: Wednesday, February 28 2007 09:16.24 CST
By the way, it appears that hardware breakpoints (bp_set_hw) don't work in the current version of pydbg.  Pedram fixed it in his current copy of the code, so expect a working version sometime in the future.

p0l Posted: Wednesday, February 28 2007 11:54.26 CST
What a coincidence... I've been writing a script for the last couple of hours and wondering what I'm doing wrong because bp_set_hw doesn't work, and now I see this :)

pedram Posted: Friday, March 2 2007 18:18.57 CST
Yeah I need develop some unit testing ;-)

In the SVN repository I've since merged pydbg and pydbg_core to ease the burden of debugging the class. I am currently working on ironing out a few details and will then make an updated release with a number of new features etc...

Out of town until end of next week so please be patient with me.

ricnar456 Posted: Tuesday, February 12 2008 04:07.52 CST
In the current release of PYDBG the HARDWARE BREAKPOINTS work?

I have this error and i don't know if this was fixed or not

File "c:\ejemplo4.py", line 13, in ?
  dbg.bp_set_hw(4198400,4,3,False,False)
File "C:\Python24\Lib\site-packages\pydbg\pydbg.py", line 490, in bp_set_hw
  context = self.get_thread_context(self.h_thread)
File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 745, in get_thread_context
  raise pdx("GetThreadContext()", True)

ricnar

jms Posted: Tuesday, February 12 2008 12:25.13 CST
This looks like either you don't have a valid thread handle, as it's the get_thread_context() that appears to be failing. Can you post some of your code?

ricnar456 Posted: Tuesday, February 12 2008 17:28.35 CST
is a simple script load the crackme and reach the Entry Point and put a Breakpoint in MessageBoxA and reach this api, if i put a dbg.bp_set in MessageboxA the script works fine, but i cannot make the same thing with a Hardware Breakpoint in MessageboxA.

-------------------------------------------------------
import sys
from pydbg import *


dbg = pydbg()
dbg.load(r'C:\CRACKME.EXE')
dbg.debug_event_iteration()    


dbg.bp_set(0x401000)

while not dbg.context.Eip ==0x401000:
    dbg.debug_event_iteration()    

print 'LLEGUE a EP'    

recv = dbg.func_resolve("user32", "MessageBoxA")
dbg.bp_set_hw(recv,4,3)                  ##NOT WORK
while not dbg.context.Eip ==recv:
dbg.debug_event_iteration()

print'LLEGUE a MessageBoxA'

-----------------------------------------------------------

always i can put a hardware bpx i have the same error. I try all posibilities but always is the same

this is teh error

>>> dbg.bp_set_hw(recv,4,3)
Traceback (most recent call last):
  File "C:\<string>", line 1, in ?
  File "C:\Python24\Lib\site-packages\pydbg\pydbg.py", line 490, in bp_set_hw
    context = self.get_thread_context(self.h_thread)
  File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 745, in get_thread_context
    raise pdx("GetThreadContext()", True)
pdx: [6] GetThreadContext(): Controlador no v�lido.

Thanks for all
ricnar

ricnar456 Posted: Tuesday, February 12 2008 17:30.23 CST
some indentation lost when copy paste

import sys
from pydbg import *

# cargamos el programa

dbg = pydbg()
dbg.load(r'C:\CRACKME.EXE')
dbg.debug_event_iteration()      # dejamos que realmente empiece

# ponemos un breakpoint en MessageBoxA
dbg.bp_set(0x401000)

while not dbg.context.Eip ==0x401000:
    dbg.debug_event_iteration()    

print 'LLEGUE a EP'    

recv = dbg.func_resolve("user32", "MessageBoxA")
dbg.bp_set_hw(recv,4,3)
while not dbg.context.Eip ==recv:
dbg.debug_event_iteration()

print'LLEGUE a MessageBoxA'

ricnar

ricnar456 Posted: Tuesday, February 12 2008 17:32.13 CST
well the indentation is perfect, when i copy paste here the script lost the indentation before dbg.debug_event_iteration()

recv = dbg.func_resolve("user32", "MessageBoxA")
dbg.bp_set_hw(recv,4,3)
while not dbg.context.Eip ==recv:
dbg.debug_event_iteration()

print'LLEGUE a MessageBoxA'

ricnar456 Posted: Tuesday, February 12 2008 17:43.10 CST
when i reach the point in WING in DEBUG PROBE i put

dbg.enumerate_threads() and have a numerical value

[120L]

is the thread valid and existent and why i cannot put a hardware bpx in this thread, if when i debug with ollydbg have no problem to put HBP.

ricnar

ricnar456 Posted: Tuesday, February 12 2008 18:11.56 CST
When i use  a funcion named pepe defined previously

pdx: [0] GetThreadContext(): La operaci�n se ha completado correctamente.
File "C:\ejemplo4.py", line 21, in ?
  dbg.bp_set_hw(recv,4,3,True,pepe)
File "C:\Python24\Lib\site-packages\pydbg\pydbg.py", line 490, in bp_set_hw
  context = self.get_thread_context(self.h_thread)
File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 745, in get_thread_context
  raise pdx("GetThreadContext()", True)

And if i look for the values of self.h_thread


>>> self.h_thread
1868

>>> self.get_thread_context(self.h_thread)
Traceback (most recent call last):
  File "C:\<string>", line 1, in ?
  File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 745, in get_thread_context
    raise pdx("GetThreadContext()", True)
pdx: [6] GetThreadContext(): Controlador no v�lido.
>>> self.h_thread
1868
>>> self.get_thread_context(self.h_thread)
Traceback (most recent call last):
  File "C:\<string>", line 1, in ?
  File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 745, in get_thread_context
    raise pdx("GetThreadContext()", True)
pdx: [6] GetThreadContext(): Controlador no v�lido.
>>>

ricnar

ricnar456 Posted: Thursday, February 14 2008 03:05.55 CST
any help?

ricnar

ricnar456 Posted: Thursday, February 14 2008 03:29.27 CST
in anybody have time to help me here is two scripts and the crackme.

http://storage2.ricardonarvaja.com.ar/web/example.rar

there are two scripts the old script with breakpoints (int3) working perfectly, and the new script with hardware breakpoints with the errors descripted before.

thanks in advance
ricnar

ricnar456 Posted: Thursday, February 14 2008 11:12.43 CST
Thanks i solve using the svn version

ricnar