我正在使用 PyDBG 库编写 python 调试器和反汇编器我有反汇编器部分工作,但不是所有调试器。是否可以使用它来返回类似于以下内容的内容:
[*] 线程 ID 的转储寄存器:0x00000550 [**] EIP:0x7c90eb94 [**] ESP:0x0007fde0 [**] EBP:0x0007fdfc [**] EAX:0x006ee208 [**] EBX:0x00000000 [**] ECX:0x0007fdd8 [**] EDX:0x7c90eb94 [*] 结束转储 [*] 线程 ID 的转储寄存器:0x000005c0 [**] EIP:0x7c95077b [**] ESP:0x0094fff8 [**] EBP:0x00000000 [**] EAX:0x00000000 [**] EBX:0x00000001 [**] ECX:0x00000002 [**] EDX:0x00000003 [*] 结束转储
我需要每个正在运行的线程的注册状态。thread_contextPyDBG 中有几个函数,但我不确定如何使用它们来获得该结果。谢谢你的帮助!
:>wmic 进程获取 Name,ThreadCount,ProcessId | 火
firefox.exe 3944 49
:>cat dtregs.py
from pydbg import *
from pydbg.defines import *
def handler_breakpoint (pydbg):
if pydbg.first_breakpoint:
print "hello did i dump tid and eax for each thread ?"
return DBG_CONTINUE
dbg = pydbg()
dbg.set_callback(EXCEPTION_BREAKPOINT, handler_breakpoint)
dbg.attach(3944)
i = 0;
for thread_id in dbg.enumerate_threads():
thread_handle = dbg.open_thread(thread_id)
context = dbg.get_thread_context(thread_handle)
print "%03d TID: %08x EAX: %08x" % (i,thread_handle,context.Eax)
i = i+1
pydbg.debug_event_loop(dbg)
dbg.detach()
:>python dtregs.py
000 TID: 00000690 EAX: 00000000
001 TID: 0000068c EAX: 0158c385
002 TID: 00000688 EAX: 001b4008
003 TID: 00000684 EAX: 000000e5
004 TID: 00000680 EAX: 00000000
005 TID: 0000067c EAX: 001800a3
006 TID: 00000678 EAX: 00000000
007 TID: 00000674 EAX: 000000e5
...............................
048 TID: 000005d0 EAX: 77e76c7d
049 TID: 000005cc EAX: 00000000
hello did i dump tid and eax for each thread ?
只是为了确认它在一定程度上是否正确让我们将windbg附加到pid
:>cdb -p 3944
0:049> ~* er eax
eax=09b6a201
eax=0158c385
eax=001b4008
eax=000000e5
eax=0036ee80
eax=00000171
eax=00000000
--------------
eax=098f3ec0
eax=000000e5
eax=150ff530
eax=11d5ff00
eax=111fff00
eax=77e76c7d
eax=7ffdd000
0:049> .detach
Detached
NoTarget> q