python 软件漏斗挖掘脚本

排版有问题，修改了以下。官网无法下载。

把这个作为摸班了把

from pydbg import *from pydbg.defines import *import utils# This is the maximum number of instructions we will log# after an access violation MAX_INSTRUCTIONS = 10# This is far from an exhaustive list; add more for bonus pointsdangerous_functions = {                         "strcpy"  :  "msvcrt.dll",                        "strncpy" :  "msvcrt.dll",                        "sprintf" :  "msvcrt.dll",                        "vsprintf":  "msvcrt.dll",                        "MessageBoxA": "User32.dll"                                               }dangerous_functions_resolved = {}crash_encountered            = Falseinstruction_count            = 0def danger_handler(dbg):        # We want to print out the contents of the stack; that's about it    # Generally there are only going to be a few parameters, so we will    # take everything from ESP to ESP+20, which should give us enough    # information to determine if we own any of the data      esp_offset = 0    print "[*] Hit %s" % dangerous_functions_resolved[dbg.context.Eip]    print "================================================================="        while esp_offset <= 20:        parameter = dbg.smart_dereference(dbg.context.Esp + esp_offset)        print "[ESP + %d] => %s" % (esp_offset, parameter)        esp_offset += 4        print "=================================================================\n"    dbg.suspend_all_threads()    dbg.process_snapshot()    dbg.resume_all_threads()        return DBG_CONTINUEdef access_violation_handler(dbg):    global crash_encountered        # Something bad happened, which means something good happened :)    # Let's handle the access violation and then restore the process    # back to the last dangerous function that was called        if dbg.dbg.u.Exception.dwFirstChance:            return DBG_EXCEPTION_NOT_HANDLED    crash_bin = utils.crash_binning.crash_binning()    crash_bin.record_crash(dbg)    print crash_bin.crash_synopsis()        if crash_encountered == False:        dbg.suspend_all_threads()        dbg.process_restore()        crash_encountered = True                # We flag each thread to single step        for thread_id in dbg.enumerate_threads():                        print "[*] Setting single step for thread: 0x%08x" % thread_id            h_thread = dbg.open_thread(thread_id)            dbg.single_step(True, h_thread)            dbg.close_handle(h_thread)                # Now resume execution, which will pass control to our        # single step handler        dbg.resume_all_threads()        return DBG_CONTINUE    else:        dbg.terminate_process()            return DBG_EXCEPTION_NOT_HANDLED   def single_step_handler(dbg):    global instruction_count    global crash_encountered        if crash_encountered:        if instruction_count == MAX_INSTRUCTIONS:            dbg.single_step(False)            return DBG_CONTINUE        else:                        # Disassemble this instruction            instruction = dbg.disasm(dbg.context.Eip)            print "#%d\t0x%08x : %s" % (instruction_count,dbg.context.Eip,instruction)             instruction_count += 1            dbg.single_step(True)                return DBG_CONTINUE    dbg = pydbg()#pid = int(raw_input("Enter the PID you wish to monitor: "))findpid=Trueprint "Finding ...\n"while findpid:    for i in dbg.enumerate_processes():        if i[1]=='aa.exe':            dbg.attach(i[0])            findpid=False            print "Find The Pid\n"            #dbg.attach(pid)# Track down all of the dangerous functions and set breakpointsfor func in dangerous_functions.keys():        func_address = dbg.func_resolve( dangerous_functions[func],func )    print "[*] Resolved breakpoint: %s -> 0x%08x" % ( func, func_address )    dbg.bp_set( func_address, handler = danger_handler )    dangerous_functions_resolved[func_address] = funcdbg.set_callback( EXCEPTION_ACCESS_VIOLATION, access_violation_handler )dbg.set_callback( EXCEPTION_SINGLE_STEP, single_step_handler )dbg.run()