Dumps a PE image from memory by hooking VirtualAlloc/VirtualProtect
import os
import sys
import time
import winappdbg
import traceback
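class MyEventHandler(winappdbg.EventHandler):
    """Hook VirtualAlloc/VirtualProtect in the debuggee and dump a PE image.

    Every VirtualAlloc records the requested size (pre-hook) and the returned
    base address (post-hook) in ``virtualallocarea``. On each VirtualProtect
    those (size, base) pairs are read back from the debuggee and the first
    region that starts with an ``MZ`` header is written to
    ``dump-<base>.mem.exe``, after which the script exits.
    """

    # First / most recent lpAddress seen by pre_VirtualProtect.
    last_alloc_memory = 0
    first_alloc_memory = 0
    address_of_alloc_memory = 0
    # Not read anywhere in this file; kept for callers that may poke them.
    first_post = 0
    start_routine = 0
    me = 0
    # Set to 1 by pre_VirtualAlloc when an allocation of ``watch_alloc_size``
    # is requested; post_VirtualAlloc then stores the returned base in ``mem``.
    catch_now = 0
    mem = 0
    # Allocation size (bytes) that pre_VirtualAlloc singles out. This was the
    # inline literal 56832 and is sample-specific; override it per target.
    watch_alloc_size = 56832
    # Seconds to wait after a successful dump before exiting (time.sleep
    # takes seconds; the original literal was 1000).
    pause_after_dump = 1000
    # Alternating [size, base, size, base, ...] as appended by the
    # VirtualAlloc pre/post hooks. Re-created per instance in __init__.
    virtualallocarea = []
    # flNewProtect value -> PAGE_* name, keyed as "0x%.2x".
    memory_protection = {
        '0x01': 'PAGE_NOACCESS',
        '0x02': 'PAGE_READONLY',
        '0x04': 'PAGE_READWRITE',
        '0x08': 'PAGE_WRITECOPY',
        '0x10': 'PAGE_EXECUTE',
        '0x20': 'PAGE_EXECUTE_READ',
        '0x40': 'PAGE_EXECUTE_READWRITE',
        '0x80': 'PAGE_EXECUTE_WRITECOPY'
    }
    # OpenProcess access-mask bit -> name. Not consulted by any hook here.
    openprocess_desiredaccess = {
        '0x01': 'PROCESS_TERMINATE',
        '0x02': 'PROCESS_CREATE_THREAD',
        '0x08': 'PROCESS_VM_OPERATION',
        '0x10': 'PROCESS_VM_READ',
        '0x20': 'PROCESS_VM_WRITE',
        '0x40': 'PROCESS_DUP_HANDLE',
        '0x80': 'PROCESS_CREATE_PROCESS',
        '0x100': 'PROCESS_SET_QUOTA',
        '0x200': 'PROCESS_SET_INFORMATION',
        '0x400': 'PROCESS_QUERY_INFORMATION',
        '0x800': 'PROCESS_SUSPEND_RESUME',
        '0x1000': 'PROCESS_QUERY_LIMITED_INFORMATION',
        '0x100000': 'SYNCHRONIZE'
    }
    # (function, parameter count) hooked by winappdbg; each is dispatched to
    # pre_<name>/post_<name> when such a method exists on the handler.
    # VirtualProtectEx is not listed, so pre_VirtualProtectEx below is only
    # reached if it is added here.
    apiHooks = {
        "kernel32.dll": [
            ("VirtualAlloc", 4),
            ("VirtualAllocEx", 5),
            ("VirtualProtect", 4),
        ]
    }

    def __init__(self):
        super(MyEventHandler, self).__init__()
        # Per-instance state so two handlers never share one allocation log
        # (the class-level list was shared by every instance).
        self.virtualallocarea = []
        self.mem = 0
        self.catch_now = 0

    def print_param(self, param):
        """Print the parameter count, then one ``Param i: value`` line each."""
        print(len(param))
        for ind, par in enumerate(param):
            print("Param {}: {}".format(ind, par))

    def print_retval(self, retval):
        """Print a hook's return value on its own line."""
        print("{}".format(retval))

    def pre_VirtualAlloc(self, event, *argv):
        """VirtualAlloc pre-hook: log the call and record the requested size.

        argv[0] is the caller's return address and argv[1:5] are
        (lpAddress, dwSize, flAllocationType, flProtect), in the order
        winappdbg passes them for a 4-parameter apiHooks entry.
        """
        print("------------------------------ VirtualAlloc {}----------------------------".format(hex(argv[0])))
        print("""
_In_opt_ LPVOID lpAddress: {}
_In_ SIZE_T dwSize: {}
_In_ DWORD flAllocationType: {}
_In_ DWORD flProtect:{}""".format(hex(argv[1]), argv[2], argv[3], argv[4]))
        self.virtualallocarea.append(argv[2])
        if argv[2] == self.watch_alloc_size:
            print("Write MEM {} ({})".format(argv[1], hex(argv[1])))
            self.mem = argv[1]
            self.catch_now = 1

    def post_VirtualAlloc(self, event, *argv):
        """VirtualAlloc post-hook: argv[0] is the returned base address.

        Appends the base to ``virtualallocarea`` (pairing with the size the
        pre-hook appended) and, if the watched size was just requested,
        records the base in ``mem``.
        """
        base = argv[0]
        print("\tReturn:{}".format(hex(base)))
        self.virtualallocarea.append(base)
        if self.catch_now == 1:
            self.mem = base
            self.catch_now = 0

    def pre_VirtualProtect(self, event, *argv):
        """VirtualProtect pre-hook: log (lpAddress, dwSize, flNewProtect, lpflOldProtect).

        The first call's lpAddress is kept in ``address_of_alloc_memory``;
        every later call updates ``last_alloc_memory``.
        """
        if self.first_alloc_memory == 0:
            self.address_of_alloc_memory = argv[1]
            self.first_alloc_memory = 1
        else:
            self.last_alloc_memory = argv[1]  # +argv[2]
        # flNewProtect may carry modifier bits (e.g. PAGE_GUARD) that are not
        # in the table; fall back to the raw value rather than raising
        # KeyError from inside the hook.
        protect_key = "0x%.2x" % argv[3]
        protect_name = self.memory_protection.get(protect_key, hex(argv[3]))
        print("------------------------------ VirtualProtect ({})----------------------------".format(hex(argv[0])))
        print("""
_In_ LPVOID lpAddress: {}
_In_ SIZE_T dwSize: {}
_In_ DWORD flNewProtect: {}
_Out_ PDWORD lpflOldProtect: {}""".format(hex(argv[1]), argv[2], protect_name, hex(argv[4])))
        self.print_param(argv)

    def post_VirtualProtect(self, event, *argv):
        """VirtualProtect post-hook: scan recorded allocations for a PE image.

        Pairs ``virtualallocarea`` as (size, base) and reads each region from
        the debuggee; the first one beginning with ``MZ`` is written to
        ``dump-<base>.mem.exe`` and the script exits. Regions that cannot be
        read (freed or unmapped) are skipped.
        """
        process = event.get_process()
        regions = self.virtualallocarea
        # pre_VirtualAlloc appends the size and post_VirtualAlloc the base, so
        # even/odd entries pair up. This assumes no other thread's VirtualAlloc
        # interleaves between a pre and its post — verify on multithreaded
        # samples. zip() also drops a trailing unpaired size.
        for size, base in zip(regions[0::2], regions[1::2]):
            try:
                data = process.read(base, size)
            except Exception:
                # Best-effort: an unreadable region is simply not a candidate.
                continue
            # bytes literal so the check also holds on Python 3 (str != bytes).
            if data[:2] != b'MZ':
                continue
            memfilename = "dump-" + str(base) + ".mem.exe"
            with open(memfilename, 'wb') as f:
                f.write(data)
            print("Succes dump memory {} to file:{}".format(hex(base), memfilename))
            time.sleep(self.pause_after_dump)
            # The original bare ``except:`` swallowed this SystemExit, so the
            # script never stopped here; it now propagates out of the loop.
            sys.exit()

    def pre_VirtualProtectEx(self, event, *argv):
        """VirtualProtectEx pre-hook: dump the raw hook arguments.

        Only dispatched if ("VirtualProtectEx", 5) is added to apiHooks.
        """
        print("------------------------------ VirtualProtectEx ----------------------------")
        self.print_param(argv)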
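def my_event_handler(event):
    """Return a winappdbg Process for the process that raised *event*.

    Nothing in this file registers this callback; MyEventHandler drives the
    hooks. Kept for callers that want a process handle from an event.
    """
    pid = event.get_pid()
    # The original used bare ``System``/``Process``, which are never imported
    # here and raised NameError when called; qualify them via winappdbg.
    winappdbg.System.request_debug_privileges()
    return winappdbg.Process(pid)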
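def simple_debugger(filename):
    """Launch *filename* under winappdbg with MyEventHandler's hooks installed.

    The target is executed, not merely loaded; ``bKillOnExit=True`` makes the
    debugger terminate it when this block exits. Blocks in the debug loop
    until the debuggee exits or a hook calls sys.exit().
    """
    # A construction failure used to be printed and then hit NameError on
    # ``handler``; let it propagate with its real traceback instead.
    handler = MyEventHandler()
    with winappdbg.Debug(handler, bKillOnExit=True) as debug:
        # os.path.join(dirname(abspath), filename) duplicated any directory
        # component of *filename* ("dir/x.exe" -> ".../dir/dir/x.exe");
        # the absolute path is already the target.
        debug.execl(os.path.abspath(filename))
        debug.loop()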
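if __name__ == "__main__":
    # Guarded so importing this module does not start a debug session, and
    # a missing argument gives a usage line instead of an IndexError.
    if len(sys.argv) != 2:
        sys.exit("usage: {} <target.exe>".format(sys.argv[0]))
    simple_debugger(sys.argv[1])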