- ''' From http://blog.binamuse.com/ '''
- from winappdbg import Debug, Process, version
- import sys, hashlib, struct
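def print_policy(event, max_bytes=4096):
    """Breakpoint callback: read one sandbox policy rule and print it.

    winappdbg calls this when the breakpoint placed in ``__main__`` is hit.
    The three values right above the return address on the (32-bit) stack
    are read as the hooked routine's arguments: ``subsystem``, ``semantic``
    and a pointer to a NUL-terminated UTF-16 string.  The line printed has
    the form ``Rule: <subsystem>, <semantic>, <string>``.

    Args:
        event: the winappdbg breakpoint event (provides process and thread).
        max_bytes: upper bound on the number of string bytes read from the
            debuggee, so an unterminated or bogus buffer cannot loop forever.

    Returns:
        The formatted line that was printed (useful for testing).
    """
    process = event.get_process()
    thread = event.get_thread()
    sp = thread.get_sp()
    # Stack args on x86: [sp] is the return address, [sp+4..] the arguments.
    subsystem = process.read_pointer(sp + 0x4)
    semantic = process.read_pointer(sp + 0x8)
    value_p = process.read_pointer(sp + 0xC)
    # One UTF-16 code unit (2 bytes) at a time until the 0x0000 terminator.
    # The terminator itself is not kept, and the read is bounded by max_bytes
    # so a missing terminator cannot walk memory indefinitely.
    units = []
    consumed = 0
    while consumed < max_bytes:
        unit = process.read(value_p + consumed, 2)
        if unit == b'\x00\x00':
            break
        units.append(unit)
        consumed += len(unit)
    # Win32 wide strings are little-endian; decode explicitly rather than
    # relying on the host's native byte order or a BOM.
    value = b''.join(units).decode('utf-16-le')
    line = "Rule: %d, %d, %s" % (subsystem, semantic, value)
    print(line)
    return line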
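if __name__ == '__main__':
    print("Wellcome. Using Winappdbg version %s" % version)
    # bKillOnExit: the debuggee dies when we detach.  bHostileCode: tell
    # winappdbg the target may use anti-debugging tricks.
    debug = Debug(bKillOnExit=True, bHostileCode=True)
    path = r"C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe"
    # Kept separate from winappdbg's own `version` so the two are not confused.
    reader_version = '11.0.0'
    print("Adobe Reader X %s" % reader_version)
    # Launch the reader under the debugger.
    debug.execl(path)
    try:
        # Loop while there is still a debuggee alive.
        while debug:
            # Block until the next debug event.
            event = debug.wait()
            try:
                debug.dispatch(event)
                # 3 is CREATE_PROCESS_DEBUG_EVENT: the main module is mapped
                # and its image base known, so the breakpoint can be placed.
                if event.get_event_code() == 3:
                    process = event.get_process()
                    base_address = event.get_image_base()
                    print("AcroRd32 Main module found at %08x" % base_address)
                    # The offset below is specific to the reader_version build
                    # above and must be re-located for any other build.
                    # Hint: the string "Check failed: policy_." leads to the
                    # function that adds a new policy.
                    breakpoint_address = base_address + 0x20370
                    print("Setting breakpoint at %08x" % breakpoint_address)
                    debug.break_at(process.get_pid(), breakpoint_address, print_policy)
            except Exception as e:
                print("Exception in user code: %s" % e)
            finally:
                # Always resume the debuggee, even if the handler failed.
                debug.cont(event)
    finally:
        # Stop the debugger (and kill the debuggee) even on Ctrl-C or a
        # fatal error inside the loop; the original only did so on a
        # clean exit.
        debug.stop()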