I'm a big fan of Pydbg. Although it has many awesome features, it also has a few limitations. One of them is the lack of control over the process heap. For a long time I've been thinking of writing something that makes heap manipulation, heap parsing and heap traversal with pydbg a little easier for reverse engineers. So finally, last weekend, I wrote a couple of small Python scripts that can parse Windows 7 process heaps on the fly.
In this blog post I'm going to share one of them.
This is the simplest implementation of the HeapWalk() API based on pydbg. The HeapWalk API enumerates the memory blocks in the specified heap. If you are not very familiar with the HeapWalk() API, this page has a very good example in C++.
Right now the best available tool for heap analysis is windbg. The script I'm going to share does something similar to windbg's "!heap -a 0xmyheaphandle" command.
You can use the function HeapWalk() [@ Line 103] as a breakpoint handler in your pydbg script. In the example below I did something similar.
First I'm running an application (on 32-bit Windows 7) which calls the user32!MessageBoxA API somewhere.
After that I'm attaching my pydbg script to that process, setting a breakpoint at user32!MessageBoxA and installing HeapWalk() as the breakpoint handler.
Now whenever the application makes a call to the MessageBoxA API, our breakpoint handler HeapWalk() will be invoked and it will start traversing all the available process heaps and their segments.
Script 1:
The output of this script will look something like this: https://gist.github.com/debasishm89/1264d7a6726b9e910a5d
Since this script gives you the addresses of all heap blocks and their sizes, you should now have more control over the process heap. You should be able to search for strings, data, bytes or pointers in process heaps very easily.
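To show what the walk itself has to do per block, here is a small added example (not the script from this post) that decodes 32-bit Windows 7 _HEAP_ENTRY headers and walks one segment the way "!heap -a" lists blocks. It assumes the Win7 layout where the first DWORD of each 8-byte header is XOR-encoded with the _HEAP.Encoding value and SmallTagIndex is the XOR checksum of the three bytes before it; the segment bytes, base address and encoding key below are constructed inline so it runs offline.

```python
import struct

# 32-bit Windows 7 _HEAP_ENTRY flag bits (assumed layout, see lead-in).
HEAP_ENTRY_BUSY = 0x01
HEAP_ENTRY_LAST_ENTRY = 0x10
GRANULARITY = 8  # Size and PreviousSize are counted in 8-byte units

def checksum(size, flags):
    """SmallTagIndex must equal Size-lo ^ Size-hi ^ Flags after decoding."""
    return (size ^ (size >> 8) ^ flags) & 0xFF

def encode_entry(size_units, flags, prev_units, encoding):
    """Build an encoded 8-byte header; only used to construct sample data."""
    first = struct.pack("<HBB", size_units, flags, checksum(size_units, flags))
    first = bytes(a ^ b for a, b in zip(first, encoding))
    return first + struct.pack("<HBB", prev_units, 0, 0)  # PreviousSize, SegmentOffset, UnusedBytes

def decode_entry(raw, encoding):
    """Undo the XOR encoding and validate the header checksum."""
    first = bytes(a ^ b for a, b in zip(raw[:4], encoding))
    size, flags, tag = struct.unpack("<HBB", first)
    prev, _segment_offset, _unused = struct.unpack("<HBB", raw[4:8])
    if size == 0 or tag != checksum(size, flags):
        raise ValueError("corrupt or wrongly decoded heap entry header")
    return size, flags, prev

def walk_segment(buf, base, encoding):
    """Return [(address, size_in_bytes, busy)] for every block in the segment.

    In a live pydbg handler `buf` would come from read_process_memory()
    on the segment's first entry; here it is a constructed byte string.
    """
    blocks, off, prev = [], 0, 0
    while off + 8 <= len(buf):
        size, flags, prev_size = decode_entry(buf[off:off + 8], encoding)
        if prev_size != prev:  # back-link check catches a torn walk early
            raise ValueError("PreviousSize mismatch at 0x%x" % (base + off))
        blocks.append((base + off, size * GRANULARITY, bool(flags & HEAP_ENTRY_BUSY)))
        if flags & HEAP_ENTRY_LAST_ENTRY:
            break
        off, prev = off + size * GRANULARITY, size
    return blocks

# Constructed sample: three blocks (busy, free, busy+last) at a made-up base.
ENCODING = bytes.fromhex("3a7f1c9d")  # constructed _HEAP.Encoding first DWORD
SEGMENT_BASE = 0x00350000
SEGMENT = (encode_entry(3, HEAP_ENTRY_BUSY, 0, ENCODING) + b"\x00" * 16
           + encode_entry(5, 0, 3, ENCODING) + b"\x00" * 32
           + encode_entry(2, HEAP_ENTRY_BUSY | HEAP_ENTRY_LAST_ENTRY, 5, ENCODING) + b"\x00" * 8)

if __name__ == "__main__":
    for addr, size, busy in walk_segment(SEGMENT, SEGMENT_BASE, ENCODING):
        print("0x%08x size=0x%04x %s" % (addr, size, "busy" if busy else "free"))
```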
Thank you for reading. Hope you've enjoyed :)
Cheers,