annidy/notepad2.py

## notepad2.py
# -*- coding:utf-8 -*-
from pydbg import *
from pydbg.defines import *
import os
import sys

__author__ = 'fengxing <anndiy(at)gmail.com>'
__date__   = '2012-9-28'

def handler_MapViewOfFile(dbg):
    module = dbg.addr_to_module(dbg.get_arg(0))
    if module.szModule == 'notepad.exe':
        # dump process
        map_size = dbg.get_arg(5)
        ptr      = dbg.get_register('EAX')
        write_new_file(dbg.read_process_memory(ptr, map_size), dbg.file_mirror)
        dbg.terminate_process() # close the process
    return DBG_CONTINUE

def func_ret_MapViewOfFileEx(dbg):
    base = dbg.func_resolve('kernel32.dll', 'MapViewOfFile')
    return base + 0x1C

def handler_load_dll(dbg):
    last_dll = dbg.get_system_dll(-1)
    if last_dll.name == 'kernel32.dll':
        dbg.bp_set(func_ret_MapViewOfFileEx(dbg), handler=handler_MapViewOfFile)
    return DBG_CONTINUE

def write_new_file(file_content, file_mirror):
    if file_mirror:
        with open(file_mirror, 'wb+') as fd:
            fd.write(file_content)
    else:
        print file_content

def dump_file(file_origin, file_mirror):
    try:
        if os.path.getsize(file_origin) == 0:
            write_new_file("", file_mirror)
            return # notepad not call MapViewOfFile if size is 0 or no-exist
    except OSError:
        return
    dbg = pydbg()
    dbg.file_mirror = file_mirror
    dbg.set_callback(LOAD_DLL_DEBUG_EVENT, handler_load_dll)
    dbg.load(r"c:\windows\system32\notepad.exe", command_line=file_origin, show_window=False)
    dbg.run()

if __name__ == '__main__':
    if len(sys.argv) < 2:
        print 'Usage: %s file_origin <file_mirror>'%sys.argv[0]
        exit(1)
    elif len(sys.argv) == 2:
        dump_file(sys.argv[1], None)
    else:
        dump_file(sys.argv[1], sys.argv[2])

## notepad2dir.py
import os
import sys
import notepad2


if len(sys.argv) != 3:
    print '%s path1 path2'%sys.argv[0]
    exit(1)

def walk_visit(arg, dirname, names):
    for fn in names:
        path = os.path.join(dirname, fn)
        newpath = path.replace(sys.argv[1], sys.argv[2])
        if os.path.isfile(path):
            print path
            notepad2.dump_file(path, newpath)
        if os.path.isdir(path):
            os.mkdir(newpath)

sys.argv[1] = os.path.normpath(sys.argv[1])
sys.argv[2] = os.path.normpath(sys.argv[2])
os.path.walk(sys.argv[1], walk_visit, sys.argv[2])
	# -- coding:utf-8 --
	from pydbg import *
	from pydbg.defines import *
	import os
	import sys

	__author__ = 'fengxing <anndiy(at)gmail.com>'
	__date__ = '2012-9-28'

	def handler_MapViewOfFile(dbg):
	module = dbg.addr_to_module(dbg.get_arg(0))
	if module.szModule == 'notepad.exe':
	# dump process
	map_size = dbg.get_arg(5)
	ptr = dbg.get_register('EAX')
	write_new_file(dbg.read_process_memory(ptr, map_size), dbg.file_mirror)
	dbg.terminate_process() # close the process
	return DBG_CONTINUE

	def func_ret_MapViewOfFileEx(dbg):
	base = dbg.func_resolve('kernel32.dll', 'MapViewOfFile')
	return base + 0x1C

	def handler_load_dll(dbg):
	last_dll = dbg.get_system_dll(-1)
	if last_dll.name == 'kernel32.dll':
	dbg.bp_set(func_ret_MapViewOfFileEx(dbg), handler=handler_MapViewOfFile)
	return DBG_CONTINUE

	def write_new_file(file_content, file_mirror):
	if file_mirror:
	with open(file_mirror, 'wb+') as fd:
	fd.write(file_content)
	else:
	print file_content

	def dump_file(file_origin, file_mirror):
	try:
	if os.path.getsize(file_origin) == 0:
	write_new_file("", file_mirror)
	return # notepad not call MapViewOfFile if size is 0 or no-exist
	except OSError:
	return
	dbg = pydbg()
	dbg.file_mirror = file_mirror
	dbg.set_callback(LOAD_DLL_DEBUG_EVENT, handler_load_dll)
	dbg.load(r"c:\windows\system32\notepad.exe", command_line=file_origin, show_window=False)
	dbg.run()

	if __name__ == '__main__':
	if len(sys.argv) < 2:
	print 'Usage: %s file_origin <file_mirror>'%sys.argv[0]
	exit(1)
	elif len(sys.argv) == 2:
	dump_file(sys.argv[1], None)
	else:
	dump_file(sys.argv[1], sys.argv[2])
	import os
	import sys
	import notepad2


	if len(sys.argv) != 3:
	print '%s path1 path2'%sys.argv[0]
	exit(1)

	def walk_visit(arg, dirname, names):
	for fn in names:
	path = os.path.join(dirname, fn)
	newpath = path.replace(sys.argv[1], sys.argv[2])
	if os.path.isfile(path):
	print path
	notepad2.dump_file(path, newpath)
	if os.path.isdir(path):
	os.mkdir(newpath)

	sys.argv[1] = os.path.normpath(sys.argv[1])
	sys.argv[2] = os.path.normpath(sys.argv[2])
	os.path.walk(sys.argv[1], walk_visit, sys.argv[2])