Demonslay335/dump.py

## 141 changes: 141 additions & 0 deletions dump.py
@@ -0,0 +1,141 @@

    import os
import os

    import sys
import sys

    import time
import time

    import winappdbg
import winappdbg

    import traceback
import traceback


    class MyEventHandler(winappdbg.EventHandler):
class MyEventHandler(winappdbg.EventHandler):


        last_alloc_memory = 0
    last_alloc_memory = 0

        first_alloc_memory = 0
    first_alloc_memory = 0

        address_of_alloc_memory = 0
    address_of_alloc_memory = 0

        first_post = 0
    first_post = 0

        start_routine=0
    start_routine=0

        me=0
    me=0

        catch_now=0
    catch_now=0


        virtualallocarea=[]
    virtualallocarea=[]

        memory_protection = {
    memory_protection = {

            '0x01':'PAGE_NOACCESS',
        '0x01':'PAGE_NOACCESS',

            '0x02':'PAGE_READONLY',
        '0x02':'PAGE_READONLY',

            '0x04':'PAGE_READWRITE',
        '0x04':'PAGE_READWRITE',

            '0x08':'PAGE_WRITECOPY',
        '0x08':'PAGE_WRITECOPY',

            '0x10':'PAGE_EXECUTE',
        '0x10':'PAGE_EXECUTE',

            '0x20': 'PAGE_EXECUTE_READ',
        '0x20': 'PAGE_EXECUTE_READ',

            '0x40':'PAGE_EXECUTE_READWRITE',
        '0x40':'PAGE_EXECUTE_READWRITE',

            '0x80':'PAGE_EXECUTE_WRITECOPY'
        '0x80':'PAGE_EXECUTE_WRITECOPY'

            }
        }


        openprocess_desiredaccess = {
    openprocess_desiredaccess = {

            '0x01':'PROCESS_TERMINATE',
        '0x01':'PROCESS_TERMINATE',

            '0x02':'PROCESS_CREATE_THREAD',
        '0x02':'PROCESS_CREATE_THREAD',

            '0x08':'PROCESS_VM_OPERATION',
        '0x08':'PROCESS_VM_OPERATION',

            '0x10':'PROCESS_VM_READ',
        '0x10':'PROCESS_VM_READ',

            '0x20':'PROCESS_VM_WRITE',
        '0x20':'PROCESS_VM_WRITE',

            '0x40':'PROCESS_DUP_HANDLE',
        '0x40':'PROCESS_DUP_HANDLE',

            '0x80':'PROCESS_CREATE_PROCESS',
        '0x80':'PROCESS_CREATE_PROCESS',

            '0x100':'PROCESS_SET_QUOTA',
        '0x100':'PROCESS_SET_QUOTA',

            '0x200':'PROCESS_SET_INFORMATION',
        '0x200':'PROCESS_SET_INFORMATION',

            '0x400':'PROCESS_QUERY_INFORMATION',
        '0x400':'PROCESS_QUERY_INFORMATION',

            '0x800':'PROCESS_SUSPEND_RESUME',
        '0x800':'PROCESS_SUSPEND_RESUME',

            '0x1000':'PROCESS_QUERY_LIMITED_INFORMATION',
        '0x1000':'PROCESS_QUERY_LIMITED_INFORMATION',

            '0x100000':'SYNCHRONIZE'
        '0x100000':'SYNCHRONIZE'

            }
        }


        apiHooks = {
    apiHooks = {

            "kernel32.dll":[
        "kernel32.dll":[

                ("VirtualAlloc",4),
            ("VirtualAlloc",4),

                ("VirtualAllocEx",5),
            ("VirtualAllocEx",5),

                ("VirtualProtect",4),
            ("VirtualProtect",4),

            ]
        ]

        }
    }


        def print_param(self,param):
    def print_param(self,param):

            ind=0
        ind=0

            print(len(param))
        print(len(param))

            for par in param:
        for par in param:

                print("Param {}: {}".format(ind,par))
            print("Param {}: {}".format(ind,par))

                ind=ind+1
            ind=ind+1


        def print_retval(self,retval):
    def print_retval(self,retval):

            print("{}".format(retval))
        print("{}".format(retval))


        def pre_VirtualAlloc(self, event, *argv):
    def pre_VirtualAlloc(self, event, *argv):

            print("------------------------------ VirtualAlloc {}----------------------------".format(hex(argv[0])))
        print("------------------------------ VirtualAlloc {}----------------------------".format(hex(argv[0])))

            print("""
        print("""

                _In_opt_ LPVOID lpAddress: {}
            _In_opt_ LPVOID lpAddress: {}

                _In_     SIZE_T dwSize: {}
            _In_     SIZE_T dwSize: {}

                _In_     DWORD  flAllocationType: {}
            _In_     DWORD  flAllocationType: {}

                _In_     DWORD  flProtect:{}""".format(hex(argv[1]),argv[2],argv[3],argv[4]))
            _In_     DWORD  flProtect:{}""".format(hex(argv[1]),argv[2],argv[3],argv[4]))

            self.virtualallocarea.append(argv[2])
        self.virtualallocarea.append(argv[2])

            if argv[2] == 56832:
        if argv[2] == 56832:

                print("Write  MEM {} ({})".format(argv[1],hex(argv[1])))
            print("Write  MEM {} ({})".format(argv[1],hex(argv[1])))

                self.mem = argv[1]
            self.mem = argv[1]

                self.catch_now=1
            self.catch_now=1


        def post_VirtualAlloc(self, event, *argv):
    def post_VirtualAlloc(self, event, *argv):

            print("\tReturn:{}".format(hex(argv[0])))
        print("\tReturn:{}".format(hex(argv[0])))

            self.virtualallocarea.append(argv[0])
        self.virtualallocarea.append(argv[0])


            if self.catch_now == 1:
        if self.catch_now == 1:

                self.mem = argv[0]
            self.mem = argv[0]

            self.catch_now=0
        self.catch_now=0


        def pre_VirtualProtect(self, event, *argv):
    def pre_VirtualProtect(self, event, *argv):

            if self.first_alloc_memory == 0:
        if self.first_alloc_memory == 0:

                self.address_of_alloc_memory = argv[1]
            self.address_of_alloc_memory = argv[1]

                self.first_alloc_memory = 1
            self.first_alloc_memory = 1

            else:
        else:

                self.last_alloc_memory = argv[1]#+argv[2]
            self.last_alloc_memory = argv[1]#+argv[2]

            print("------------------------------ VirtualProtect ({})----------------------------".format(hex(argv[0])))
        print("------------------------------ VirtualProtect ({})----------------------------".format(hex(argv[0])))

            print("""
        print("""

                _In_  LPVOID lpAddress: {}
            _In_  LPVOID lpAddress: {}

                _In_  SIZE_T dwSize: {}
            _In_  SIZE_T dwSize: {}

                _In_  DWORD  flNewProtect: {}
            _In_  DWORD  flNewProtect: {}

                _Out_ PDWORD lpflOldProtect: {}""".format(hex(argv[1]),argv[2], self.memory_protection[("0x%.2x") %argv[3]],hex(argv[4])))
            _Out_ PDWORD lpflOldProtect: {}""".format(hex(argv[1]),argv[2], self.memory_protection[("0x%.2x") %argv[3]],hex(argv[4])))

            self.print_param(argv)
        self.print_param(argv)


        def post_VirtualProtect(self, event, *argv):
    def post_VirtualProtect(self, event, *argv):

            p = event.get_process()
        p = event.get_process()

            z=self.virtualallocarea
        z=self.virtualallocarea

            for i in range(0,len(z)):
        for i in range(0,len(z)):

                if i%2==0:
            if i%2==0:

                    try:
                try:

                        data = p.read(z[i+1],z[i])
                    data = p.read(z[i+1],z[i])

                        if data[:2]=='MZ':
                    if data[:2]=='MZ':

                            memfilename=str("dump-")+str(z[i+1])+".mem.exe"
                        memfilename=str("dump-")+str(z[i+1])+".mem.exe"

                            f=open(memfilename,'wb')
                        f=open(memfilename,'wb')

                            f.write(data)
                        f.write(data)

                            f.close()
                        f.close()

                            print("Succes dump memory {} to file:{}".format(hex(z[i+1]),memfilename))
                        print("Succes dump memory {} to file:{}".format(hex(z[i+1]),memfilename))

                            time.sleep(1000)
                        time.sleep(1000)

                            sys.exit()
                        sys.exit()

                    except:
                except:

                        pass
                    pass


        def pre_VirtualProtectEx(self, event, *argv):
    def pre_VirtualProtectEx(self, event, *argv):

            print("------------------------------ VirtualProtectEx ----------------------------")
        print("------------------------------ VirtualProtectEx ----------------------------")

            self.print_param(argv)
        self.print_param(argv)


        def my_event_handler(event):
    def my_event_handler(event):

            pid= event.get_pid()
        pid= event.get_pid()


            System.request_debug_privileges()
        System.request_debug_privileges()

            process = Process(pid)
        process = Process(pid)


    def simple_debugger(filename):
def simple_debugger(filename):

      global logfile
  global logfile


      try:
  try:

        handler = MyEventHandler()
    handler = MyEventHandler()

      except:
  except:

        traceback.print_exc()
    traceback.print_exc()

      with winappdbg.Debug(handler,bKillOnExit = True) as debug:
  with winappdbg.Debug(handler,bKillOnExit = True) as debug:

        abspath = os.path.abspath(filename)
    abspath = os.path.abspath(filename)

        debug.execl(os.path.join(os.path.dirname(abspath), filename))
    debug.execl(os.path.join(os.path.dirname(abspath), filename))

        debug.loop()
    debug.loop()


    simple_debugger(sys.argv[1])
simple_debugger(sys.argv[1])