#!/usr/bin/env python
import sys
import PyDbgEng
from multiprocessing import *

# ---------------------------------------------------------------------------------------------------------------------
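class DbgEventHandler(PyDbgEng.IDebugOutputCallbacksSink, PyDbgEng.IDebugEventCallbacksSink):
    """Debug-engine sink that mirrors engine output and hooks kernel32!WriteConsoleW.

    Two sink interfaces are combined on one object: ``Output`` receives the
    engine's output text, ``LoadModule`` receives module-load events and
    installs the hook once kernel32.dll is mapped into the debuggee.
    """

    def GetInterestMask(self):
        """Return the event mask the engine should deliver to this sink.

        NOTE(review): DEBUG_EVENT_* values are mask bits, while DEBUG_FILTER_*
        values are event-filter indices. OR-ing one of each mixes namespaces,
        so the resulting mask may include events other than the two named
        here. Left unchanged because the hook container may depend on the
        extra (breakpoint) events being delivered -- confirm the intended mask
        against PyDbgEng before tightening it.
        """
        return PyDbgEng.DbgEng.DEBUG_EVENT_LOAD_MODULE | PyDbgEng.DbgEng.DEBUG_FILTER_INITIAL_BREAKPOINT

    def Output(self, this, Mask, Text):
        """Write engine output verbatim to stdout.

        Text is forwarded unfiltered (Mask is ignored), so whatever the
        debuggee emits through the engine -- including terminal escape
        sequences -- reaches the console as-is.
        """
        sys.stdout.write(Text)

    def LoadModule(self, dbg, ImageFileHandle, BaseOffset, ModuleSize, ModuleName, ImageName, CheckSum, TimeDateStamp):
        """Install the WriteConsoleW entry hook when kernel32.dll is loaded.

        Always returns DEBUG_STATUS_NO_CHANGE so execution control stays
        with the engine; only the hook registration is a side effect.
        """
        # The engine does not guarantee an image path on every load event
        # (ImageName may be NULL/empty), so guard before parsing it.
        if not ImageName:
            return PyDbgEng.DbgEng.DEBUG_STATUS_NO_CHANGE

        basename = ImageName.rpartition('\\')[2].lower()
        if basename == "kernel32.dll":
            # Hook with parameters: hook_myHook runs on entry with the
            # first 5 arguments captured; no exit hook is installed.
            address = dbg.resolve_symbol("kernel32!WriteConsoleW")
            # A falsy (0) address would plant the hook at address 0; how
            # resolve_symbol reports failure is not visible here, so treat
            # 0 as "not resolved" and skip rather than hook blindly.
            if address:
                hooks.add(
                    dbg=dbg,
                    address=address,
                    num_args=5,
                    entry_hook=hook_myHook,
                    exit_hook=None)

            # Alternative kept for reference: a plain breakpoint instead of
            # the hook container, dispatching to handler_myHandler.
            ##  dbg.bp_set(
            ##      address = "kernel32!WriteConsoleW",
            ##      preferred_id = PyDbgEng.DbgEng.DEBUG_ANY_ID,
            ##      restore = True,
            ##      handler = handler_myHandler)

        return PyDbgEng.DbgEng.DEBUG_STATUS_NO_CHANGE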
# ---------------------------------------------------------------------------------------------------------------------

# Functions
def hook_myHook(dbg, params):
    """Entry hook for kernel32!WriteConsoleW: announce that it fired.

    ``dbg`` is the debugger instance and ``params`` presumably the captured
    call arguments (see the num_args used at registration); neither is
    inspected here. Returns None.
    """
    message = "hook_myHook() called\n"
    sys.stdout.write(message)

def handler_myHandler(dbg):
    """Breakpoint handler for the bp_set alternative: announce that it fired.

    ``dbg`` is the debugger instance and is not used. Returns None.
    """
    message = "handler_myHandler() called\n"
    sys.stdout.write(message)

# Start
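event_handler = DbgEventHandler()
# Global hook registry used by DbgEventHandler.LoadModule.
hooks = PyDbgEng.Hooking.hook_container()

# Symbols come from the public Microsoft symbol server. Fetch them over HTTPS:
# over plain HTTP the PDBs the debugger loads and trusts could be altered in
# transit by anyone on the path.
# NOTE(review): dbg_eng_dll_path=None leaves the dbgeng.dll location to the
# library's default lookup; pin it to the Debugging Tools install directory
# if an unexpected dbgeng.dll on the search path is a concern.
dbg = PyDbgEng.ProcessCreator(
        command_line = "C:\\Windows\\System32\\cmd.exe",
        follow_forks = True,   # children spawned by cmd.exe are debugged too
        event_callbacks_sink = event_handler,
        output_callbacks_sink = event_handler,
        dbg_eng_dll_path = None,
        symbols_path = "SRV*https://msdl.microsoft.com/download/symbols")

# The multiprocessing Event is the quit signal for the loop; nothing in this
# script ever sets it, so the loop ends only when the engine itself returns.
dbg.event_loop_with_quit_event(Event())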
