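''' From http://blog.binamuse.com/ '''
from winappdbg import Debug, Process, version
import sys, hashlib, struct

# Windows DEBUG_EVENT code delivered once the debuggee's main image is mapped;
# it is the only event for which event.get_image_base() is used below.
CREATE_PROCESS_DEBUG_EVENT = 3

# Offset, relative to the AcroRd32.exe image base, of the routine that registers
# a sandbox policy rule.  It is specific to the Reader build named in
# READER_VERSION and must be re-located for any other build.
ADD_POLICY_RVA = 0x20370

# Reader build this offset was taken from.  Kept separate from the imported
# `version` (the winappdbg version) which the original script shadowed.
READER_VERSION = '11.0.0'

# Upper bound on the wide string read out of the debuggee, so a pointer that
# never reaches a NUL terminator cannot make print_policy walk memory forever.
MAX_RULE_CHARS = 4096


def read_utf16z(process, address, max_chars=MAX_RULE_CHARS):
    """Read a NUL-terminated UTF-16LE string from the debuggee's memory.

    Reads one wide character (2 bytes) per call so the read never runs past
    the terminator into memory the debuggee may not have mapped.

    Args:
        process: winappdbg Process whose memory is read.
        address: address of the first wide character.
        max_chars: stop after this many characters even without a terminator;
            the returned string is then truncated.

    Returns:
        The decoded string, without the terminating NUL.
    """
    chunks = []
    for index in range(max_chars):
        wchar = process.read(address + 2 * index, 2)
        if wchar == b'\x00\x00':
            break
        chunks.append(wchar)
    # Win32 wide strings are UTF-16LE regardless of the host's byte order, so
    # name the endianness instead of relying on the decoder's native default.
    return b''.join(chunks).decode('utf-16-le')


def print_policy(event):
    """Breakpoint action: print the sandbox policy rule being registered.

    Runs at the breakpoint placed on ADD_POLICY_RVA.  The three arguments of
    the hooked routine are read from the stack at [sp+4], [sp+8] and [sp+0xC]
    (assumes the x86 convention of a return address at [sp] followed by the
    arguments); the third one points to a NUL-terminated wide string.

    Args:
        event: winappdbg event delivered for the breakpoint.
    """
    process = event.get_process()
    thread = event.get_thread()
    sp = thread.get_sp()
    # Read the 3 arguments from the debuggee's memory.
    subsystem = process.read_pointer(sp + 0x4)
    semantic = process.read_pointer(sp + 0x8)
    value_ptr = process.read_pointer(sp + 0xC)
    value = read_utf16z(process, value_ptr)
    print("Rule: %d, %d, %s" % (subsystem, semantic, value))


def main():
    """Launch Adobe Reader under the debugger and log every policy rule it adds.

    Installs print_policy as a breakpoint action once the main module is
    mapped, then pumps debug events until the debuggee exits.  The debugger
    is always stopped on the way out (including on Ctrl-C), and because it
    was created with bKillOnExit=True the debuggee does not outlive it.
    """
    print("Welcome. Using Winappdbg version %s" % (version,))
    # Instantiate the debugger.
    debug = Debug(bKillOnExit=True, bHostileCode=True)

    path = r"C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe"
    print("Adobe Reader X %s" % READER_VERSION)

    # Run the reader!
    debug.execl(path)
    try:
        # Loop while it is alive.
        while debug:
            # Get the next debug event.
            event = debug.wait()
            # Dispatch the event and continue execution.
            try:
                debug.dispatch(event)
                # Add the breakpoint once AcroRd32 is loaded.
                if event.get_event_code() == CREATE_PROCESS_DEBUG_EVENT:
                    process = event.get_process()
                    base_address = event.get_image_base()
                    print("AcroRd32 Main module found at %08x" % base_address)
                    # Hint: Use the string "Check failed: policy_." to hunt
                    # the function that adds a new policy
                    breakpoint_address = base_address + ADD_POLICY_RVA
                    print("Setting breakpoint at %08x" % breakpoint_address)
                    debug.break_at(process.get_pid(), breakpoint_address,
                                   print_policy)
            except Exception as e:
                # Best-effort: a failure in the user callback must not stall
                # the debuggee, so report it and resume.
                print("Exception in user code: %s" % (e,))
            finally:
                debug.cont(event)
    finally:
        # Stop the debugger.
        debug.stop()


if __name__ == '__main__':
    main()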