pydbg test example (2): printing memory-crash information

Reproduced from Gray Hat Python, chapter 4

Goal: trigger an illegal memory access and print the crash address, the register context, and the instructions surrounding the crash address.

Script one: access_violation_handler.py

(The utils package is not part of pydbg; it ships with paimei, which can be downloaded from https://github.com/OpenRCE/paimei and unpacked into Python's site-packages.)

```python
# Python 2 script: pydbg and paimei's utils only support Python 2.
from pydbg import *
from pydbg.defines import *

# Utility libraries shipped with paimei (crash_binning lives here)
import utils

# This is our access violation handler
def check_accessv(dbg):

    # We skip first-chance exceptions and let the process try to handle them
    if dbg.dbg.u.Exception.dwFirstChance:
        return DBG_EXCEPTION_NOT_HANDLED

    # Record the crash (registers, stack, SEH chain, nearby disassembly)
    # and print the synopsis that crash_binning builds from it
    crash_bin = utils.crash_binning.crash_binning()
    crash_bin.record_crash(dbg)
    print crash_bin.crash_synopsis()

    dbg.terminate_process()

    return DBG_EXCEPTION_NOT_HANDLED

pid = raw_input("Enter the Process ID: ")

dbg = pydbg()
dbg.attach(int(pid))
dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, check_accessv)
dbg.run()
```

Script two: buffer_overflow.py
脚本二:buffer_overflow.py

```python
# Python 2 script; deliberately overflows a heap buffer so the debugger
# attached by script one catches the resulting access violation.
from ctypes import *
import os

print os.getpid()

msvcrt = cdll.msvcrt

# Give the debugger time to attach, then hit a button
raw_input("Once the debugger is attached, press any key.")

# Create the 5-byte destination buffer
buffer = c_char_p("AAAAA")

# The overflow string
overflow = "A" * 100

# Run the overflow
msvcrt.strcpy(buffer, overflow)
```

Test output

First run script two in a console, then run script one and enter the process PID; then go back to the console of script two and press a key. You then get the following output:

```
Enter the Process ID: 1212
python27.dll:1e02a33f test dword [eax+0x54],0x4000 from thread 1024 caused access violation
when attempting to read from 0x41414195

CONTEXT DUMP
  EIP: 1e02a33f test dword [eax+0x54],0x4000
  EAX: 41414141 (1094795585) -> N/A
  EBX: 00000002 (         2) -> N/A
  ECX: 00c17b8c (  12680076) -> -9 xKg(8x,`8|&L{O h]=@$  8 (heap)
  EDX: 0021fe90 (   2227856) -> (8 (stack)
  EDI: 1e1fba08 ( 505395720) -> eenable() -> NoneEnable automatic garbage collection.isenabled() -> statusReturns true if automatic garbage collection is enabled.collect([generation]) -> nWith no arguments, run a full collection.  The optional argu (python27.dll.data)
  ESI: 00c06700 (  12609280) -> >AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
  EBP: 0021fe94 (   2227860) -> !p{7=kTxX:(Glmb!|!,m|!A-dt3h={=s[xoP@P>P"Tx!`h=.; (stack)
  ESP: 0021fe78 (   2227832) -> `{ (stack)
  +00: 00c17b60 (  12680032) -> Pc8{&-9 xKg(8x,`8|&L{O h] (heap)
  +04: 1e074347 ( 503792455) -> N/A
  +08: 00c06700 (  12609280) -> >AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
  +0c: 00000000 (         0) -> N/A
  +10: 00000004 (         4) -> N/A
  +14: 00c06700 (  12609280) -> >AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)

disasm around:
0x1e02a328 jmp 0x1e02a332
0x1e02a32a mov edx,[eax+0x10]
0x1e02a32d mov [eax+0x8],edx
0x1e02a330 mov eax,[eax]
0x1e02a332 cmp eax,ecx
0x1e02a334 jnz 0x1e02a32a
0x1e02a336 ret
0x1e02a337 push esi
0x1e02a338 mov esi,[esp+0x8]
0x1e02a33c mov eax,[esi+0x4]
0x1e02a33f test dword [eax+0x54],0x4000
0x1e02a346 jz 0x1e02a365
0x1e02a348 mov eax,[eax+0xa4]
0x1e02a34e test eax,eax
0x1e02a350 jz 0x1e02a35a
0x1e02a352 push esi
0x1e02a353 call eax
0x1e02a355 pop ecx
0x1e02a356 test eax,eax
0x1e02a358 jz 0x1e02a365
0x1e02a35a mov eax,[esi-0x8]

stack unwind:
python27.dll:1e02a37f
python27.dll:1e02af41
python.exe:1d001160
kernel32.dll:7c816d4f

SEH unwind:
0021ffe0 -> python.exe:1d0015d5 mov edi,edi
ffffffff -> kernel32.dll:7c8399f3 push ebp
```
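The synopsis above is what a crash-triage script consumes. As an added example (not code from the book or from pydbg), the Python 3 snippet below parses the header and CONTEXT DUMP lines of such a synopsis, flags registers filled with the 0x41 marker byte, and checks whether the faulting address equals the base register plus displacement named in the faulting instruction, which is what confirms that the overflow overwrote the pointer in EAX. The sample text is an abridged copy of the output above, and the "read from"/"write to" phrasing is assumed to match pydbg's synopsis format.

```python
import re

# Constructed sample: abridged from the crash synopsis printed above.
SYNOPSIS = """\
python27.dll:1e02a33f test dword [eax+0x54],0x4000 from thread 1024 caused access violation
when attempting to read from 0x41414195

CONTEXT DUMP
  EIP: 1e02a33f test dword [eax+0x54],0x4000
  EAX: 41414141 (1094795585) -> N/A
  EBX: 00000002 (         2) -> N/A
  ESI: 00c06700 (  12609280) -> >AAAAAAAA (heap)
  EBP: 0021fe94 (   2227860) -> !p{7 (stack)
  ESP: 0021fe78 (   2227832) -> `{ (stack)
"""

HEADER_RE = re.compile(
    r"^(?P<module>\S+):(?P<addr>[0-9a-f]+) (?P<insn>.+?) from thread (?P<tid>\d+) "
    r"caused access violation\s+when attempting to (?P<op>read from|write to) "
    r"(?P<fault>0x[0-9a-f]+)", re.S)
REG_RE = re.compile(r"^\s+(?P<reg>E[A-Z]{2}): (?P<val>[0-9a-f]{8})", re.M)

def parse_synopsis(text):
    """Extract module, instruction, fault address and register values."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("not a pydbg crash synopsis")
    regs = {r.group("reg"): int(r.group("val"), 16) for r in REG_RE.finditer(text)}
    return {"module": m.group("module"), "insn": m.group("insn"),
            "operation": m.group("op"), "fault_addr": int(m.group("fault"), 16),
            "regs": regs}

def tainted_registers(regs, marker=0x41):
    """Registers whose four bytes are all the marker byte (0x41 = 'A')."""
    pattern = int.from_bytes(bytes([marker]) * 4, "little")
    return sorted(r for r, v in regs.items() if v == pattern)

def explain_fault(crash):
    """Return (register, displacement) if fault_addr == reg + disp
    for the [reg+0xNN] operand in the faulting instruction, else None."""
    m = re.search(r"\[(e[a-z]{2})\+0x([0-9a-f]+)\]", crash["insn"])
    if not m:
        return None
    reg, disp = m.group(1).upper(), int(m.group(2), 16)
    base = crash["regs"].get(reg)
    if base is not None and base + disp == crash["fault_addr"]:
        return reg, disp
    return None
```

On the sample, EAX is reported as fully overwritten with 0x41 and 0x41414141 + 0x54 is exactly the faulting read address, so the crash is attributable to the controlled pointer rather than to a coincidental bad read.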
