DLL function hooking example
| from winappdbg import Debug, EventHandler, System, Process | |
| import sys | |
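# Pre-call hook installed on YYYY by MyEventHandler.load_dll (below).
def YYYY(event, ra, arg1, arg2, arg3):
    """Dump the buffer whose address is passed as the hooked call's second argument.

    winappdbg invokes this before the hooked function runs.

    Args:
        event: the breakpoint event; the debuggee it belongs to is used for
            the memory read, so the hook no longer depends on a module-level
            ``process`` variable bound by the attach loop at the bottom of
            the file.
        ra: return address of the hooked call (unused).
        arg1, arg2, arg3: the three stack parameters requested with
            paramCount=3; arg2 is treated as a pointer to the data of interest.
    """
    # Read from the process that raised the event, not from a global that
    # happens to hold whichever process the attach loop bound last.
    process = event.get_process()
    # Read 1 KB of memory at the address in arg2 and print it.
    print(process.read(arg2, 1024))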
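class MyEventHandler(EventHandler):
    """Event handler that installs the YYYY hook once xxx.dll is loaded."""

    def load_dll(self, event):
        """Handle a load-DLL debug event.

        When the loaded module is xxx.dll, resolve the exported YYYY symbol
        and install a pre-call hook on it; any other module is ignored.

        Args:
            event: the load-DLL event delivered by winappdbg.
        """
        module = event.get_module()
        # Only the target DLL is of interest; return early for everything else.
        if not module.match_name("xxx.dll"):
            return
        pid = event.get_pid()
        address = module.resolve("YYYY")
        print('[+] Found YYYY at addr ' + str(address))
        # Hook YYYY: three stack parameters (paramCount=3) are handed to the
        # pre-call callback.  The callback defined at module level is YYYY;
        # the original passed PR_Write, a name that is not defined anywhere
        # in this file, so the hook could never be installed.
        event.debug.hook_function(pid, address, preCB=YYYY, postCB=None,
                                  paramCount=3, signature=None)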
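# Create a debug object instance that dispatches events to MyEventHandler.
debug = Debug(MyEventHandler())
try:
    # Search for running instances of the target executable.
    matches = debug.system.find_processes_by_filename("process.exe")
    if not matches:
        # Previously the script exited silently when nothing matched.
        print('[-] No running process named process.exe')
    # `process` stays module-level on purpose: the YYYY hook above reads it.
    for (process, name) in matches:
        pid = process.get_pid()  # hoisted: used for both the message and attach()
        print('[+] Found process PID is ' + str(pid))
        # Attach and pump debug events until the debuggee exits or is detached.
        debug.attach(pid)
        debug.loop()
finally:
    # Always detach cleanly, even if attach()/loop() raised.
    debug.stop()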