📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.








Created: Sunday, November 12 2006 04:26.57 CST  
Pydbg Console Class
Author: codypierce # Views: 2300

I just wrote a pydbg class that provides an interactive console for controlling the debugger. This can be especially useful in complex pydbg scripts that you need to interact with in certain cases. It is of course not supposed to be a replacement for real debuggers like windbg (or even close), but whatever. One of the best features is the ability to single step backwards in the process. I'll upload it next week after some cosmetic changes and bug fixes.


C:\Code\Python\paimei>pydbgc.py notepad.exe 1
[*] Trying to attach to existing notepad.exe
[*] Attaching to notepad.exe (2996)

eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c901231 esp=0092ffcc ebp=0092fff4

ntdll.dll!7c901231  ret

pydbgc>


The "1" specifies whether to break on initial attach, and would probably not be needed if tied into your own pydbg script.


pydbgc> help

        bp:     Set a breakpoint (ex: bp 7ffdb000)
        bl:     List breakpoints
        bc:     Clear breakpoints
        bd:     Delete a breakpoint (ex: db 2)
        s:      Single Step
        sb:     Single Step Backwards
        r:      Modify a register (ex: r eax=10)
        dd:     Dump Data
        dc:     Dump Data Charactes
        k:      Call Stack
        seh:    Current SEH
        g:      Resume Execution
        quit:   Quit
        help:   Help

pydbgc>


Not much, but if you're doing more than this use a real debugger... or let me know and I'll try to include it.


pydbgc> bp 7c9507bb

pydbgc> g

Continuing

eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bb esp=0092ffd0 ebp=0092fff4

ntdll.dll!7c9507bb  or dword [ebp-0x4],0xffffffff

pydbgc> bl
[0] ntdll.dll!7c9507bb

pydbgc> bd 0

pydbgc> bl

pydbgc>


I named stuff after windbg because that's what I'm used to.


pydbgc> s

eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bf esp=0092ffd0 ebp=0092fff4

ntdll.dll!7c9507bf  push 0x0

pydbgc> r

eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bf esp=0092ffd0 ebp=0092fff4

ntdll.dll!7c9507bf  push 0x0


pydbgc> r ebx=1000

pydbgc> r

eax=7ffdb000 ebx=000003e8 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bf esp=0092ffd0 ebp=0092fff4

ntdll.dll!7c9507bf  push 0x0


pydbgc>


Some single step action and register modification... I didn't use "t" for single step because I like "s".


pydbgc> g

Continuing

eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c919126 esp=0092ffc0 ebp=0092ffc4

ntdll.dll!7c919126  push 0x44

pydbgc> dd 0092ffc0

0092ffc0: 7c961bed 0092fff4 7c9507c6 00000000 00000005 00000004 00000001 0092ffd0
0092ffe0: 00000000 ffffffff 7c90ee18 7c9507c8 ffffffff 00000000 00000000 00000000
00930000: 00000008 00004060 00000000 ffffffff 00002fa0 00000001 00000000 00000000
00930020: 00000000 00000000 00000058 00001050 28c7f1d0 11d2de25 1000ddaf b599275a
00930040: 0000000b

pydbgc> dd esp

0092ffc0: 7c961bed 0092fff4 7c9507c6 00000000 00000005 00000004 00000001 0092ffd0
0092ffe0: 00000000 ffffffff 7c90ee18 7c9507c8 ffffffff 00000000 00000000 00000000
00930000: 00000008 00004060 00000000 ffffffff 00002fa0 00000001 00000000 00000000
00930020: 00000000 00000000 00000058 00001050 28c7f1d0 11d2de25 1000ddaf b599275a
00930040: 0000000b

pydbgc> dd eax

7ffdb000: 00010000 ffffffff 01000000 001a1e90 00020000 00000000 000a0000 7c97e4c0
7ffdb020: 7c901005 7c9010ed 00000001 77d42980 00000000 00000000 00000000 00000000
7ffdb040: 7c97e480 0007ffff 00000000 7f6f0000 7f6f0000 7f6f0688 7ffb0000 7ffc1000
7ffdb060: 7ffd2000 00000001 00000000 00000000 079b8000 ffffe86d 00100000 00002000
7ffdb080: 00010000

pydbgc> dd eax+100

7ffdb064: 00000001 00000000 00000000 079b8000 ffffe86d 00100000 00002000 00010000
7ffdb084: 00001000 0000000a 00000010 7c97de80 00420000 00000000 00000014 7c97c0d8
7ffdb0a4: 00000005 00000001 02000a28 00000002 00000002 00000004 00000000 00000000
7ffdb0c4: 00000000 00000000 00000000 00000001 00000000 00000000 00000000 00000000
7ffdb0e4: 00000000

pydbgc> dd 1

00000001: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
00000021: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
00000041: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
00000061: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
00000081: ????????

pydbgc>


Fancy "?" marks just like my hero.
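The dd behaviour shown above (register-relative addresses and the ???????? cells for unreadable memory), as an added example that is not pydbgc's code: `resolve` and `dump_dwords` are hypothetical names, and `read` is any callable(addr, 4) that returns bytes or raises, such as a wrapper around pydbg's read_process_memory. Note that the dump of eax+100 above starts at 7ffdb064, so pydbgc parses that offset as decimal; the example follows suit.

```python
"""'dd' address expressions and dump formatting (added example, not pydbgc's code).
Mirrors two things visible in the session above: an address may be a register
name with an optional offset (the dump of eax+100 starts at 7ffdb064, so the
offset is parsed as decimal), and every dword that cannot be read is printed
as ????????.  `read` is any callable(addr, 4) -> 4 bytes that raises on
unreadable memory, e.g. a wrapper around pydbg's read_process_memory."""
import re
import struct


def resolve(expr, regs):
    """'0092ffc0' -> hex address; 'esp' -> register; 'eax+100' -> register + decimal offset."""
    expr = expr.strip().lower()
    m = re.fullmatch(r"([a-z]+)(?:([+-])(\d+))?", expr)
    if m and m.group(1) in regs:
        addr = regs[m.group(1)]
        if m.group(2):
            addr += int(m.group(3)) if m.group(2) == "+" else -int(m.group(3))
        return addr & 0xffffffff
    return int(expr, 16)          # bare number: hex, as in 'bp 7c9507bb'


def dump_dwords(addr, read, count=33, per_line=8):
    """Format `count` dwords from `addr` the way pydbgc's dd prints them."""
    lines = []
    for start in range(0, count, per_line):
        cells = []
        for i in range(start, min(start + per_line, count)):
            try:
                cells.append("%08x" % struct.unpack("<I", read(addr + 4 * i, 4))[0])
            except Exception:              # fault on this dword only
                cells.append("????????")
        lines.append("%08x: %s" % (addr + 4 * start, " ".join(cells)))
    return lines
```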


eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507a8 esp=0092ffd0 ebp=0092fff4

ntdll.dll!7c9507a8  jmp 0x7c9507bb

pydbgc> s

eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bb esp=0092ffd0 ebp=0092fff4

ntdll.dll!7c9507bb  or dword [ebp-0x4],0xffffffff

pydbgc> s

eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bf esp=0092ffd0 ebp=0092fff4

ntdll.dll!7c9507bf  push 0x0

pydbgc> s

eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507c1 esp=0092ffcc ebp=0092fff4

ntdll.dll!7c9507c1  call 0x7c961be3

pydbgc> dd esp

0092ffcc: 00000000 00000005 00000004 00000001 0092ffd0 00000000 ffffffff 7c90ee18
0092ffec: 7c9507c8 ffffffff 00000000 00000000 00000000 00000008 00004060 00000000
0093000c: ffffffff 00002fa0 00000001 00000000 00000000 00000000 00000000 00000058
0093002c: 00001050 28c7f1d0 11d2de25 1000ddaf b599275a 0000000b 00000001 00000000
0093004c: 00000f48

pydbgc> sb

eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bf esp=0092ffd0 ebp=0092fff4

ntdll.dll!7c9507bf  push 0x0


pydbgc> dd esp

0092ffd0: 00000005 00000004 00000001 0092ffd0 00000000 ffffffff 7c90ee18 7c9507c8
0092fff0: ffffffff 00000000 00000000 00000000 00000008 00004060 00000000 ffffffff
00930010: 00002fa0 00000001 00000000 00000000 00000000 00000000 00000058 00001050
00930030: 28c7f1d0 11d2de25 1000ddaf b599275a 0000000b 00000001 00000000 00000f48
00930050: 00000574

pydbgc> sb

eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bb esp=0092ffd0 ebp=0092fff4

ntdll.dll!7c9507bb  or dword [ebp-0x4],0xffffffff


pydbgc> s

eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507bf esp=0092ffd0 ebp=0092fff4

ntdll.dll!7c9507bf  push 0x0

pydbgc> s

eax=7ffdb000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c9507c1 esp=0092ffcc ebp=0092fff4

ntdll.dll!7c9507c1  call 0x7c961be3

pydbgc> dd esp

0092ffcc: 00000000 00000005 00000004 00000001 0092ffd0 00000000 ffffffff 7c90ee18
0092ffec: 7c9507c8 ffffffff 00000000 00000000 00000000 00000008 00004060 00000000
0093000c: ffffffff 00002fa0 00000001 00000000 00000000 00000000 00000000 00000058
0093002c: 00001050 28c7f1d0 11d2de25 1000ddaf b599275a 0000000b 00000001 00000000
0093004c: 00000f48

pydbgc>


And some backwards stepping action... there are some quirks in it but I'll work them out. Hit me up on here.
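One way an sb command can be implemented, as an added example rather than pydbgc's own code: snapshot the register context and a window of stack memory on every forward step, and write them back on a backward step. Target and ReverseStepper are constructed names; Target stands in for pydbg's get_thread_context/set_thread_context and read_process_memory/write_process_memory. Because only the saved window is restored, anything the undone instruction changed elsewhere (heap, kernel state) is not reverted, a limitation to keep in mind when relying on reverse stepping.

```python
"""Snapshot-based reverse single-step (added example, not codypierce's pydbgc).
Each forward step records the register context and a copy of the stack window
around esp before executing; 'sb' pops the newest record and writes it back.
Target stands in for the pydbg calls a real console would make
(get_thread_context/set_thread_context, read_process_memory/write_process_memory).
Only the snapshotted window is reverted: heap writes or syscalls made by the
undone instruction stay in effect."""
import struct

STACK_WINDOW = 0x40   # bytes saved below and above esp on every step

class Target:
    """Constructed in-memory x86 target: register dict plus one flat region."""
    def __init__(self, regs, base, size):
        self.regs, self.base, self.mem = dict(regs), base, bytearray(size)

    def read(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.mem):
            raise ValueError("unreadable memory")  # pydbgc prints ???????? here
        return bytes(self.mem[off:off + n])

    def write(self, addr, data):
        self.read(addr, len(data))                 # reuse the bounds check
        self.mem[addr - self.base:addr - self.base + len(data)] = data

    def push(self, value, next_eip):
        """Simulate 'push imm32' so there is an instruction to step back over."""
        self.regs["esp"] -= 4
        self.write(self.regs["esp"], struct.pack("<I", value))
        self.regs["eip"] = next_eip

class ReverseStepper:
    def __init__(self, target):
        self.t, self.history = target, []

    def step(self, execute):
        """Snapshot state, then run `execute` (the real forward single step)."""
        lo = self.t.regs["esp"] - STACK_WINDOW
        self.history.append((dict(self.t.regs), lo, self.t.read(lo, 2 * STACK_WINDOW)))
        execute(self.t)

    def step_back(self):
        """Undo the newest recorded step; returns False when nothing is recorded."""
        if not self.history:
            return False
        regs, lo, stack = self.history.pop()
        self.t.write(lo, stack)   # restore the stack bytes first ...
        self.t.regs.update(regs)  # ... then esp/eip and the other registers
        return True
```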



