📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Created: Tuesday, February 6 2007 01:14.20 CST Modified: Tuesday, February 6 2007 18:06.06 CST
The Greatness of PyDbg
Author: drew # Views: 15425

For the past few years I've been using a debugger I wrote in C#.  Recently I gave Pedram's PyDbg, a part of PaiMei, a spin.  PyDbg did exactly what I wanted!  Even though I'm not particularly fond of Python, it looks like I'll have to use PyDbg more and probably learn a bit of Python along the way.  You can download PyDbg as a part of PaiMei from our download section.

One function that I stole from Igor Skochinsky's QTFairUse is find_pid.  It takes in a process name and returns the process id.  Simple enough, but useful. :)  Here's a dump of the code:

import sys
from pydbg import *

def find_pid(dbg, name):
    # Return the PID of the first process whose image name matches
    # (case-insensitive), or -1 if no such process is running.
    namel = name.lower()
    for (pid, proc_name) in dbg.enumerate_processes():
        if proc_name.lower() == namel:
            return pid
    return -1


# and a simple use example (PyDbg is Python 2 code, hence the print statements):

dbg = pydbg()

pid = find_pid(dbg, "notepad.exe")
if pid != -1:
    print "Attaching to %d" % pid
    dbg.attach(pid)
else:
    sys.exit("process not found.")
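An added example, not code from the post or from PaiMei: the same lookup generalised so that it runs without PyDbg or Windows and handles the two cases the helper above silently gets wrong. It takes any iterable of (pid, name) pairs (PyDbg's enumerate_processes() returns exactly that, so the real call drops straight in), matches on the basename so enumerators that report full image paths still match, and refuses to pick a PID when several processes share the name, since attaching to "the first notepad.exe" is how one ends up debugging the wrong process. The process list is constructed for the example.

```python
"""Process lookup by image name, generalised from find_pid().

Added example: not PyDbg's or the post's code. Works on any iterable of
(pid, name) pairs, e.g. pydbg().enumerate_processes(); the sample list
below is constructed so the module runs offline.
"""
import ntpath  # splits on both '\\' and '/', so Windows paths work on any host

# Constructed sample of what a process enumeration might return. Note the
# duplicated service name and the one entry reported with a full path.
SAMPLE_PROCESSES = [
    (0, "[System Process]"),
    (4, "System"),
    (400, "svchost.exe"),
    (404, "svchost.exe"),
    (1234, r"C:\Windows\notepad.exe"),
    (2000, "explorer.exe"),
]


def find_pids(processes, name):
    """Return every PID whose image basename equals `name`, case-insensitively.

    Unlike the single-result find_pid(), this returns all matches so the
    caller can see ambiguity instead of attaching to an arbitrary process.
    """
    wanted = ntpath.basename(name).lower()
    return [pid for pid, proc_name in processes
            if ntpath.basename(proc_name).lower() == wanted]


def choose_pid(processes, name):
    """Pick the single PID to attach to.

    Returns (pid, reason). pid is None when nothing matched or when the
    name is ambiguous; the reason string says which.
    """
    matches = find_pids(processes, name)
    if not matches:
        return None, "process not found: %s" % name
    if len(matches) > 1:
        return None, "ambiguous: %s running as PIDs %s" % (name, sorted(matches))
    return matches[0], "ok"


def attach_by_name(processes, name, attach):
    """Attach via `attach(pid)` only when the target is unique.

    `attach` is the debugger's attach callable (dbg.attach for PyDbg);
    returns the PID attached to, or None with the reason printed.
    """
    pid, reason = choose_pid(processes, name)
    if pid is None:
        print(reason)
        return None
    attach(pid)
    return pid


if __name__ == "__main__":
    # Stand-alone demo with a fake attach so it runs anywhere.
    for target in ("notepad.exe", "svchost.exe", "nothere.exe"):
        attach_by_name(SAMPLE_PROCESSES, target,
                       lambda pid: print("attached to %d" % pid))
```

With PyDbg itself the call becomes attach_by_name(dbg.enumerate_processes(), "notepad.exe", dbg.attach); the only behavioural difference from the post's helper is that a duplicated name is reported rather than resolved to whichever entry the snapshot listed first.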


Blog Comments
drew Posted: Wednesday, February 28 2007 09:16.24 CST
By the way, it appears that hardware breakpoints (bp_set_hw) don't work in the current version of pydbg.  Pedram fixed it in his current copy of the code, so expect a working version sometime in the future.

p0l Posted: Wednesday, February 28 2007 11:54.26 CST
What a coincidence... I've been writing a script for the last couple of hours and wondering what I'm doing wrong because bp_set_hw doesn't work, and now I see this :)

pedram Posted: Friday, March 2 2007 18:18.57 CST
Yeah, I need to develop some unit testing ;-)

In the SVN repository I've since merged pydbg and pydbg_core to ease the burden of debugging the class. I am currently working on ironing out a few details and will then make an updated release with a number of new features etc...

Out of town until end of next week so please be patient with me.

ricnar456 Posted: Tuesday, February 12 2008 04:07.52 CST
Do the hardware breakpoints work in the current release of PyDbg?

I get this error and I don't know whether it has been fixed or not:

File "c:\ejemplo4.py", line 13, in ?
  dbg.bp_set_hw(4198400,4,3,False,False)
File "C:\Python24\Lib\site-packages\pydbg\pydbg.py", line 490, in bp_set_hw
  context = self.get_thread_context(self.h_thread)
File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 745, in get_thread_context
  raise pdx("GetThreadContext()", True)

ricnar

jms Posted: Tuesday, February 12 2008 12:25.13 CST
This looks like you don't have a valid thread handle, as it's get_thread_context() that appears to be failing. Can you post some of your code?

ricnar456 Posted: Tuesday, February 12 2008 17:28.35 CST
It is a simple script: load the crackme, reach the entry point, put a breakpoint on MessageBoxA and reach that API. If I put a dbg.bp_set on MessageBoxA the script works fine, but I cannot do the same thing with a hardware breakpoint on MessageBoxA.

-------------------------------------------------------
import sys
from pydbg import *


dbg = pydbg()
dbg.load(r'C:\CRACKME.EXE')
dbg.debug_event_iteration()


dbg.bp_set(0x401000)

while not dbg.context.Eip == 0x401000:
    dbg.debug_event_iteration()

print 'LLEGUE a EP'

recv = dbg.func_resolve("user32", "MessageBoxA")
dbg.bp_set_hw(recv, 4, 3)                  ## DOES NOT WORK
while not dbg.context.Eip == recv:
    dbg.debug_event_iteration()

print 'LLEGUE a MessageBoxA'

-----------------------------------------------------------

Whenever I put a hardware bpx I get the same error. I have tried all the possibilities, but it is always the same.

This is the error:

>>> dbg.bp_set_hw(recv,4,3)
Traceback (most recent call last):
  File "C:\<string>", line 1, in ?
  File "C:\Python24\Lib\site-packages\pydbg\pydbg.py", line 490, in bp_set_hw
    context = self.get_thread_context(self.h_thread)
  File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 745, in get_thread_context
    raise pdx("GetThreadContext()", True)
pdx: [6] GetThreadContext(): Controlador no válido.

Thanks for all
ricnar

ricnar456 Posted: Tuesday, February 12 2008 17:30.23 CST
Some indentation was lost in the copy-paste.

import sys
from pydbg import *

# load the program

dbg = pydbg()
dbg.load(r'C:\CRACKME.EXE')
dbg.debug_event_iteration()      # let it actually start

# put a breakpoint on MessageBoxA
dbg.bp_set(0x401000)

while not dbg.context.Eip == 0x401000:
    dbg.debug_event_iteration()

print 'LLEGUE a EP'

recv = dbg.func_resolve("user32", "MessageBoxA")
dbg.bp_set_hw(recv, 4, 3)
while not dbg.context.Eip == recv:
    dbg.debug_event_iteration()

print 'LLEGUE a MessageBoxA'

ricnar

ricnar456 Posted: Tuesday, February 12 2008 17:32.13 CST
Well, the indentation is perfect; when I copy-paste here, the script loses the indentation before dbg.debug_event_iteration().

recv = dbg.func_resolve("user32", "MessageBoxA")
dbg.bp_set_hw(recv, 4, 3)
while not dbg.context.Eip == recv:
    dbg.debug_event_iteration()

print 'LLEGUE a MessageBoxA'

ricnar456 Posted: Tuesday, February 12 2008 17:43.10 CST
When I reach that point in Wing's Debug Probe I type

dbg.enumerate_threads() and get a numerical value:

[120L]

So the thread is valid and exists; why can't I put a hardware bpx on this thread, when debugging with OllyDbg I have no problem putting an HBP?

ricnar


ricnar456 Posted: Tuesday, February 12 2008 18:11.56 CST
When I use a function named pepe, defined previously, I get:

pdx: [0] GetThreadContext(): La operación se ha completado correctamente.
File "C:\ejemplo4.py", line 21, in ?
  dbg.bp_set_hw(recv,4,3,True,pepe)
File "C:\Python24\Lib\site-packages\pydbg\pydbg.py", line 490, in bp_set_hw
  context = self.get_thread_context(self.h_thread)
File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 745, in get_thread_context
  raise pdx("GetThreadContext()", True)

And if I look at the value of self.h_thread:


>>> self.h_thread
1868

>>> self.get_thread_context(self.h_thread)
Traceback (most recent call last):
  File "C:\<string>", line 1, in ?
  File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 745, in get_thread_context
    raise pdx("GetThreadContext()", True)
pdx: [6] GetThreadContext(): Controlador no válido.
>>> self.h_thread
1868
>>> self.get_thread_context(self.h_thread)
Traceback (most recent call last):
  File "C:\<string>", line 1, in ?
  File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 745, in get_thread_context
    raise pdx("GetThreadContext()", True)
pdx: [6] GetThreadContext(): Controlador no válido.
>>>

ricnar

ricnar456 Posted: Thursday, February 14 2008 03:05.55 CST
Any help?

ricnar

ricnar456 Posted: Thursday, February 14 2008 03:29.27 CST
If anybody has time to help me, here are two scripts and the crackme.

http://storage2.ricardonarvaja.com.ar/web/example.rar

There are two scripts: the old script with (int3) breakpoints, which works perfectly, and the new script with hardware breakpoints, which gives the errors described above.

Thanks in advance
ricnar
ricnar456 Posted: Thursday, February 14 2008 11:12.43 CST
Thanks, I solved it by using the SVN version.

ricnar
