Allocating and Writing Memory

May 10, 2013 at 1:41 AM
Edited May 10, 2013 at 2:35 AM
I want to say that this is an awesome project! Thanks for the hard work!

I have been using immlib for Immunity Debugger recently, but wanted the ability to script a debugger for 64 bit executables. immlib has a few nice functions like writeMemory() for writing a buffer to a memory address and remoteVirtualAlloc() for allocating memory to the debugged process and setReg() to modify the value in a register.

Are there any current ways to do this within pykd?

Thanks!
May 11, 2013 at 8:18 AM
Edited May 11, 2013 at 8:19 AM
1) Pykd does not support writing into memory/registers "natively". Maybe it will be implemented within the 0.3.x version.

2) For modifying target memory you can use this approach:

import sys
import pykd
from ctypes import *

PAGE_READWRITE = 0x04
PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF )
VIRTUAL_MEM = ( 0x1000 | 0x2000 )   # MEM_COMMIT | MEM_RESERVE

kernel32 = windll.kernel32

# ctypes defaults to a 32-bit int for arguments and return values; on a 64-bit
# target that truncates handles and addresses, so declare the real prototypes.
kernel32.OpenProcess.restype = c_void_p
kernel32.OpenProcess.argtypes = [c_uint32, c_int, c_uint32]
kernel32.VirtualAllocEx.restype = c_void_p
kernel32.VirtualAllocEx.argtypes = [c_void_p, c_void_p, c_size_t, c_uint32, c_uint32]
kernel32.WriteProcessMemory.restype = c_int
kernel32.WriteProcessMemory.argtypes = [c_void_p, c_void_p, c_char_p, c_size_t, POINTER(c_size_t)]

pid = pykd.getCurrentProcessId()

hprocess = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, pid )

print(hprocess)

vaddr = kernel32.VirtualAllocEx(hprocess, None, 0x1000, VIRTUAL_MEM, PAGE_READWRITE)

print(hex(vaddr))

written = c_size_t(0)       # SIZE_T out-parameter, not a 32-bit int
buffer = b"a" * 100         # bytes, so the same code works on Python 3

kernel32.WriteProcessMemory(hprocess, vaddr, buffer, len(buffer), byref(written))

readChars = pykd.loadChars( vaddr, len(buffer) ) # check memory is filled as expected

print(readChars)

3) and you can use all windbg commands through the dbgCommand routine:
pykd.dbgCommand( "r rip=%x" % 0xdeadc0de ) # set register value
pykd.dbgCommand( "ed %x 0xFFFF0000" % addr ) # place 0xFFFF0000 at address
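The dbgCommand route above writes one dword with "ed"; extending it to an arbitrary buffer means splitting the bytes into little-endian qword/dword/byte edits (WinDbg's eq, ed and eb) and then reading the memory back to confirm the write landed. The following is an added example, not code from the thread or from pykd itself: it builds those commands, runs them through an injected callable (pykd.dbgCommand in a live session, with pykd.loadBytes as the reader), and verifies the result. The FakeDebugger class, the sample address and the payload are constructed here so the script runs without a debugger attached.

```python
import re
import struct

# Width in bytes, WinDbg edit mnemonic and struct format for each command.
# All three write little-endian values, which is what x86/x64 memory holds.
_EDIT_WIDTHS = ((8, "eq", "<Q"), (4, "ed", "<I"), (1, "eb", "<B"))


def write_commands(addr, data):
    """Turn a byte buffer into the shortest list of eq/ed/eb commands.

    Largest chunks first, so a 13-byte buffer becomes one eq, one ed, one eb.
    """
    cmds = []
    off = 0
    for width, mnemonic, fmt in _EDIT_WIDTHS:
        while len(data) - off >= width:
            (value,) = struct.unpack_from(fmt, data, off)
            cmds.append("%s 0x%x 0x%x" % (mnemonic, addr + off, value))
            off += width
    return cmds


def set_register_command(name, value):
    """Build the 'r' command that assigns a register, e.g. 'r rip=0x...'."""
    return "r %s=0x%x" % (name, value)


def write_buffer(run, addr, data, read=None):
    """Write data at addr through run() (pykd.dbgCommand in a real session).

    read, when given, is a callable shaped like pykd.loadBytes(addr, count);
    the bytes are read back and a mismatch raises, so a write that silently
    failed (bad address, unmapped page) cannot pass unnoticed.
    """
    for cmd in write_commands(addr, data):
        run(cmd)
    if read is not None:
        got = bytes(bytearray(read(addr, len(data))))
        if got != data:
            raise RuntimeError("verification failed at 0x%x" % addr)
    return len(data)


class FakeDebugger(object):
    """Stand-in for a WinDbg session, constructed for this example only.

    It understands just eq/ed/eb and 'r reg=value' and keeps memory and
    registers in dicts; a live session uses pykd.dbgCommand / pykd.loadBytes.
    """
    _EDIT = re.compile(r"^(eq|ed|eb) 0x([0-9a-f]+) 0x([0-9a-f]+)$")
    _REG = re.compile(r"^r (\w+)=0x([0-9a-f]+)$")

    def __init__(self):
        self.memory = {}      # address -> one byte
        self.registers = {}

    def dbgCommand(self, cmd):
        m = self._EDIT.match(cmd)
        if m:
            width = {"eq": 8, "ed": 4, "eb": 1}[m.group(1)]
            addr, value = int(m.group(2), 16), int(m.group(3), 16)
            for i in range(width):                 # store little-endian
                self.memory[addr + i] = (value >> (8 * i)) & 0xFF
            return
        m = self._REG.match(cmd)
        if m:
            self.registers[m.group(1)] = int(m.group(2), 16)
            return
        raise ValueError("unsupported command: %s" % cmd)

    def loadBytes(self, addr, count):
        return [self.memory.get(addr + i, 0) for i in range(count)]


def demo():
    dbg = FakeDebugger()
    base = 0x7FF600001000        # constructed sample address
    payload = b"a" * 13          # odd length exercises all three widths
    n = write_buffer(dbg.dbgCommand, base, payload, dbg.loadBytes)
    dbg.dbgCommand(set_register_command("rip", base))
    return n, dbg.registers["rip"], write_commands(base, payload)


if __name__ == "__main__":
    print(demo())
```

In a real pykd session replace the fake with `write_buffer(pykd.dbgCommand, addr, data, pykd.loadBytes)`; the read-back check is the part worth keeping, since dbgCommand returns text rather than a status you can test.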
May 11, 2013 at 5:25 PM
Great, thanks for your quick reply! I will use the methods you described above.