#以前在window xp下學習過一段時間pydbg,現在在window 7 下發現有些新問題,將pydbg實現windbg中一條簡單的“bu”命令測試了下:
#在此留個記號,免得下次有的從頭再來
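# -*- coding: gb2312 -*-
"""Emulate WinDbg's deferred breakpoint ("bu mshtml!CMarkup::UpdateMarkupContentsVersion")
with pydbg while Internet Explorer loads a CVE-2014-0322 test page.

The breakpoint cannot be set before mshtml.dll is mapped, so it is installed from the
LOAD_DLL_DEBUG_EVENT callback once the module shows up; each time it fires the handler
logs EAX/EDX and hex-dumps the memory EDX points at.

The test page is an exploit test case - run this only inside an isolated VM.
Requires a 32-bit Python 2 with pydbg and pefile installed (pydbg is Python 2 only);
all print() calls take a single argument so the file also parses under Python 3.
"""

import sys
from ctypes import windll

from pefile import PE
from pydbg import pydbg
from pydbg.defines import DBG_CONTINUE, LOAD_DLL_DEBUG_EVENT

# Debuggee and the page it is pointed at (the author's lab web server).
DEBUG_FILE = 'c:\\program files\\internet explorer\\iexplore.exe'
PARAMS = "http://192.168.0.12/cve-2014-0322/ie10_0day.html"

# RVA of CMarkup::UpdateMarkupContentsVersion inside mshtml.dll. The symbol is not
# exported, so it cannot be resolved at run time; this value belongs to ONE specific
# mshtml.dll build and must be re-derived from symbols whenever the DLL changes,
# otherwise the breakpoint lands on an arbitrary instruction.
UPDATE_MARKUP_RVA = 0x24943e
BP_NAME = "mshtml!CMarkup::UpdateMarkupContentsVersion"

# Number of bytes dumped from [EDX] on every hit.
DUMP_SIZE = 0x100


def _hexdump_lines(buf, width=16):
    """Return *buf* formatted as rows of *width* space-separated hex bytes.

    bytearray() yields ints for both a Python 2 str and a Python 3 bytes object,
    so no ord() juggling is needed. An empty buffer gives an empty list.
    """
    data = bytearray(buf)
    return [
        " ".join("%02x" % byte for byte in data[offset:offset + width])
        for offset in range(0, len(data), width)
    ]


def handler_UpdateMarkupContentsVersion(dbg):
    """Breakpoint handler: log EAX/EDX, dump DUMP_SIZE bytes at [EDX], resume.

    pydbg passes its own instance as *dbg*; returning DBG_CONTINUE lets the
    debuggee keep running after the hit.
    """
    edx = dbg.get_register("edx")
    eax = dbg.get_register("eax")
    print("************")
    print("edx=%08x" % edx)
    print("eax=%08x" % eax)
    try:
        buf = dbg.read_process_memory(edx, DUMP_SIZE)
    except Exception as exc:
        # EDX is not guaranteed to be a readable pointer on every hit; pydbg raises
        # on an unreadable address. Report it and keep the session alive instead of
        # letting one bad hit tear down the debugger.
        print("read of %#x bytes at edx=%08x failed: %s" % (DUMP_SIZE, edx, exc))
    else:
        for line in _hexdump_lines(buf):
            print(line)
    print("************")
    sys.stdout.flush()
    return DBG_CONTINUE


def my_event_handler_load_dll(dbg):
    """LOAD_DLL_DEBUG_EVENT callback: log each module and arm the deferred breakpoint.

    get_system_dll(-1) is the module pydbg just recorded for this event. When it
    is mshtml.dll the breakpoint is set at base + UPDATE_MARKUP_RVA, the same way
    WinDbg resolves a "bu" once the module loads.
    """
    last_dll = dbg.get_system_dll(-1)
    print("loading:%s from %s into: %08x size: %x" % (
        last_dll.name, last_dll.path, last_dll.base, last_dll.size))
    # Windows file names are case-insensitive and the loader may report MSHTML.dll.
    if last_dll.name.lower() == 'mshtml.dll':
        if UPDATE_MARKUP_RVA >= last_dll.size:
            # The hard-coded RVA does not even fall inside this mshtml.dll build:
            # it is the wrong build, so do not plant a breakpoint at a bogus address.
            print("UPDATE_MARKUP_RVA %#x is outside mshtml.dll (size %#x); "
                  "breakpoint NOT set - re-derive the RVA for this build" % (
                      UPDATE_MARKUP_RVA, last_dll.size))
        else:
            dbg.bp_set(last_dll.base + UPDATE_MARKUP_RVA, BP_NAME, restore=True,
                       handler=handler_UpdateMarkupContentsVersion)
    return DBG_CONTINUE


def main(url=PARAMS):
    """Start IE under pydbg on *url*, arm the deferred breakpoint and pump events.

    Args:
        url: page to open; defaults to PARAMS (the lab test page).
    """
    pe = PE(DEBUG_FILE)
    dbg = pydbg()
    dbg.load(DEBUG_FILE, url)
    # Map iexplore.exe into *this* process to guess the debuggee's image base, then
    # read the entry-point instruction out of the debuggee at that address.
    # NOTE(review): this only works while both processes map the image at the same
    # base; with ASLR that is not guaranteed, so treat the line as a diagnostic
    # and do not rely on it.
    baseaddr = windll.kernel32.LoadLibraryA(DEBUG_FILE)
    if baseaddr:
        print(dbg.get_instruction(baseaddr + pe.OPTIONAL_HEADER.AddressOfEntryPoint))
    else:
        # A NULL module handle would turn the line above into a read at a tiny
        # address; skip the diagnostic rather than fail before the debuggee runs.
        print("LoadLibraryA(%s) failed; skipping entry-point disassembly" % DEBUG_FILE)
    dbg.set_callback(LOAD_DLL_DEBUG_EVENT, my_event_handler_load_dll)
    dbg.run()


if __name__ == '__main__':
    # Optional first argument overrides the URL; no argument keeps the old behaviour.
    main(*sys.argv[1:2])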