在 pydbg 中,是否可以设置寄存器而无需先遇到断点?考虑以下示例断点处理程序:
def handler_breakpoint(mdbg):
print "[+]Hit breakpoint"
mdbg.set_register("EIP", 0)
return DBG_CONTINUE
此代码有效,但如果我从断点处理程序外部调用mdbg.set_register("EIP", 0)(注意,在处理程序外部它将是dbg.set_register("EIP", 0)),它将返回pdx: [6] GetThreadContext(): The handle is invalid。我怎么能写这个?
在没有事件的情况下更改寄存器从根本上是不可能重新思考和重新制定您的查询
如果您不想在任何调试器的断点处理程序中执行此操作,则必须挂起进程,获取线程的上下文并设置线程的上下文并恢复进程
pydbg 可以在断点处理程序之外的脚本主体中完成所有这些 iirc
编辑添加了一个示例脚本
from pydbg import *
from pydbg.defines import *
def handler_breakpoint (pydbg):
if pydbg.first_breakpoint:
return DBG_CONTINUE
def handler_access_violation (pydbg):
if pydbg.dbg.u.Exception.dwFirstChance:
print "crashed and land here on FirstChance"
else:
print "crashed and land here on SecondChancee"
return DBG_EXCEPTION_NOT_HANDLED
dbg = pydbg()
dbg.set_callback(EXCEPTION_BREAKPOINT, handler_breakpoint)
dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, handler_access_violation)
dbg.load("c:\windows\system32\calc.exe")
print "pid of calc.exe is = %d" % dbg.pid
dbg.suspend_all_threads()
for thread_id in dbg.enumerate_threads():
thread_handle = dbg.open_thread(thread_id)
thread_context = dbg.get_thread_context(thread_handle)
print "eax = 0x%08x" % thread_context.Eax
thread_context.Eax=0xdeadbeef
dbg.set_thread_context(thread_context,0,thread_id)
thread_context = dbg.get_thread_context(thread_handle)
print "new eax = 0x%08x" % thread_context.Eax
print "yay we are going to crash now accessing random crap in eax"
dbg.resume_all_threads()
pydbg.debug_event_loop(dbg)
被执行
:\>python changereg.py
pid of calc.exe is = 1940
eax = 0x00b52d6c
new eax = 0xdeadbeef
yay we are going to crash now accessing random crap in eax
crashed and land here on FirstChance
crashed and land here on SecondChancee