May 10, 2013 at 12:41 AM
Edited May 10, 2013 at 1:35 AM
I want to say that this is an awesome project! Thanks for the hard work!
I have been using immlib for Immunity Debugger recently, but wanted the ability to script a debugger for 64-bit executables. immlib has a few nice functions like writeMemory() for writing a buffer to a memory address, remoteVirtualAlloc() for allocating memory in the debugged process, and setReg() to modify the value in a register.
Are there any current ways to do this within pykd?
May 11, 2013 at 7:18 AM
Edited May 11, 2013 at 7:19 AM
1) Pykd does not "natively" support writing into memory/registers. Maybe it will be implemented within the 0.3.x version.
2) For modifying target memory you can use this approach:
from ctypes import *
import pykd

PAGE_READWRITE = 0x04
PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF )
VIRTUAL_MEM = ( 0x1000 | 0x2000 )   # MEM_COMMIT | MEM_RESERVE
kernel32 = windll.kernel32
# on a 64-bit target the handle and the returned address are pointer-sized;
# without these declarations ctypes truncates them to a 32-bit int
kernel32.OpenProcess.restype = c_void_p
kernel32.VirtualAllocEx.restype = c_void_p
kernel32.VirtualAllocEx.argtypes = [c_void_p, c_void_p, c_size_t, c_uint, c_uint]
kernel32.WriteProcessMemory.argtypes = [c_void_p, c_void_p, c_char_p, c_size_t, POINTER(c_size_t)]
pid = pykd.getCurrentProcessId()
hprocess = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, pid )
vaddr = kernel32.VirtualAllocEx(hprocess, 0, 0x1000, VIRTUAL_MEM, PAGE_READWRITE)
written = c_size_t(0)   # lpNumberOfBytesWritten is a SIZE_T, not an int
buffer = b"a"*100
kernel32.WriteProcessMemory(hprocess, vaddr, buffer, len(buffer), byref(written))
readChars = pykd.loadChars( vaddr, len(buffer) ) #check memory is filled as expected
kernel32.CloseHandle(hprocess)
3) And you can use all WinDbg commands through the dbgCommand routine:
pykd.dbgCommand( "r rip=%x" % 0xdeadc0de ) # set register value
pykd.dbgCommand( "ed %x 0xFFFF0000" % addr ) # place 0xFFFF0000 at address
Great, thanks for your quick reply! I will use the methods you described above.