DLL function hooking example
from winappdbg import Debug, EventHandler, System, Process
import sys
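def YYYY(event, ra, arg1, arg2, arg3, size=1024):
    """Pre-call hook for ``YYYY``: dump the buffer its second argument points to.

    Installed by ``MyEventHandler.load_dll`` through ``hook_function`` with
    ``paramCount=3``, so winappdbg invokes it with the debug event, the
    return address and the three raw call arguments.

    Args:
        event: winappdbg event for the hooked call. The target process is
            taken from it, so the hook no longer relies on a module-level
            ``process`` variable that only exists after the attach loop ran.
        ra: return address of the hooked call (unused).
        arg1: first raw argument (unused).
        arg2: second raw argument; treated as a pointer into the target.
        arg3: third raw argument (unused).
        size: number of bytes to read at ``arg2`` (default 1 KB, as before).

    Returns:
        None. The bytes read (or a read-failure line) go to stdout.
    """
    process = event.get_process()
    # arg2 is only *assumed* to be a readable pointer: it is whatever the
    # caller passed. An unreadable address is an expected condition while
    # tracing, not a reason to let an exception unwind the debug loop.
    try:
        data = process.read(arg2, size)
    except OSError as exc:
        # winappdbg surfaces ReadProcessMemory failures as WindowsError, an
        # OSError subclass -- confirm against the installed version.
        print('[-] YYYY: could not read 0x%x: %s' % (arg2, exc))
        return
    print(data)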
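class MyEventHandler(EventHandler):
    """Debug event handler that hooks ``YYYY`` once ``xxx.dll`` is mapped.

    ``load_dll`` fires for every module the debuggee loads; only the module
    named ``xxx.dll`` is instrumented. Both ``xxx.dll`` and ``YYYY`` are
    placeholders to replace with the real module and export names.
    """

    def load_dll(self, event):
        """Install the ``YYYY`` pre-call hook when ``xxx.dll`` is loaded.

        Args:
            event: winappdbg load-DLL event for the newly mapped module.
        """
        module = event.get_module()
        # Ignore every module except the one we want to instrument.
        if not module.match_name("xxx.dll"):
            return
        pid = event.get_pid()
        address = module.resolve("YYYY")
        if address is None:
            # Guard against a missing export rather than handing None to
            # hook_function (resolve() appears to return None on failure --
            # verify against the winappdbg version in use).
            print('[-] xxx.dll loaded but YYYY could not be resolved')
            return
        print('[+] Found YYYY at addr ' + str(address))
        # paramCount=3: at the breakpoint winappdbg captures three raw call
        # arguments and passes them to the pre-call callback after
        # (event, return_address). The callback is the module-level YYYY;
        # the original referenced an undefined name (PR_Write) here, which
        # raised NameError the first time xxx.dll was loaded. For a 64-bit
        # target check how the installed winappdbg recovers register
        # arguments before trusting arg1..arg3.
        event.debug.hook_function(pid, address, preCB=YYYY, postCB=None,
                                  paramCount=3, signature=None)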
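# Drive the debugger: attach to every running "process.exe" and pump debug
# events until the targets exit (or we are interrupted). attach() needs
# debug rights on the target; for a process owned by another user that
# typically means running from an elevated prompt.
debug = Debug(MyEventHandler())
try:
    targets = list(debug.system.find_processes_by_filename("process.exe"))
    if not targets:
        # Say so instead of exiting silently with nothing hooked.
        print('[-] No running process named process.exe found')
    for process, name in targets:
        pid = process.get_pid()
        print('[+] Found process PID is ' + str(pid))
        debug.attach(pid)
    # Attach to all matches first and run a single event loop, so every
    # instance is hooked at the same time. The original called loop()
    # inside the for loop, which blocked on the first match until it
    # exited before the next one was even attached.
    if targets:
        debug.loop()
finally:
    # Always detach cleanly; bKillOnExit is not set here, so stop() leaves
    # the debuggee(s) running rather than killing them.
    debug.stop()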