Python WinAppDbg Template Constructs

Source: https://gitlab.com/vitali.kremez/winappdbg_contruct
Credit: WinappDbg; Parsia
###########################
#### WinAppDbg  ###########
##########################

I.  GetRunnerProcess

    if (args.run):
# Concat all arguments into a string
myargs = " ".join(args.run)

if win32.PathFileExists(args.run[0]) is True:
# File exists
# Create a Debug object
debug = winappdbg.Debug()

try:
# Debug the app
# First item is program and the rest are arguments
# execl: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L358
my_process = debug.execl(myargs)

print("Attached to {0} - {1}".format(my_process.get_pid(),
my_process.get_filename()))

# Keep debugging until the debugger stops
debug.loop()

finally:
# Stop the debugger
debug.stop()
print("[*] Debugger stopped.")

else:
print("{0} not found.".format(args.run[0]))
exit()

II. GetSystemInformation()
    if(args.sysinfo):
# Create a System object
# https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66
system = winappdbg.System()

# Use the built-in WinAppDbg table
# https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094
table = winappdbg.Table("\t")

# New line
table.addRow("", "")

# Header
title = ("System Information", "")
table.addRow(*title)

# Add system information
table.addRow("------------------")
table.addRow("Bits", system.bits)
table.addRow("OS", system.os)
table.addRow("Architecture", system.arch)
table.addRow("32-bit Emulation", system.wow64)
table.addRow("Admin", system.is_admin())
table.addRow("WinAppDbg", winappdbg.version)
table.addRow("Process Count", system.get_process_count())

print table.getOutput()
exit()

III. GetProcessList
    if (args.getprocesses):

system = winappdbg.System()

# We can reuse example 02 from the docs
# https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes
table = winappdbg.Table("\t")
table.addRow("", "")

header = ("pid", "process")
table.addRow(*header)

table.addRow("----", "----------")

processes = {}

# Add all processes to a dictionary then sort them by pid
for process in system:
processes[process.get_pid()] = process.get_filename()

# Iterate through processes sorted by pid
for key in sorted(processes.iterkeys()):
table.addRow(key, processes[key])

print table.getOutput()
exit()

IV.AttachByProcessID
    if (args.pid):
system = winappdbg.System()

# Get all pids
pids = system.get_process_ids()

if args.pid in pids:
# pid exists

# Create a Debug object
debug = winappdbg.Debug()

try:
# Attach to pid
# attach: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L219
my_process = debug.attach(args.pid)

print "Attached to %d - %s" % (my_process.get_pid(),
my_process.get_filename())

# Keep debugging until the debugger stops
debug.loop()

finally:
# Stop the debugger
debug.stop()
print "Debugger stopped."

else:
print "pid %d not found." % (args.pid)

exit()

V. AttachByProcessName
    if (args.pname):
debug = winappdbg.Debug()

# example 3:
# https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py

try:
debug.system.scan()
for (process, name) in debug.system.find_processes_by_filename(args.pname):
print "Found %d, %s" % (process.get_pid(),
process.get_filename())

debug.attach(process.get_pid())

print "Attached to %d-%s" % (process.get_pid(),
process.get_filename())

debug.loop()

finally:
# Stop the debugger
debug.stop()
print "Debugger stopped."
exit()

VI. WriteLoggerOutput
    global logger
if args.output:
# verbose=False disables printing to stdout
logger = winappdbg.Logger(args.output, verbose=False)
else:
logger = winappdbg.Logger()

# Example
# logger.log_text("Started %d - %s" % (my_process.get_pid(), my_process.get_filename()))

VII. GetLoadedModules
class DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""

def load_dll(self, event):
"""
Called when a new module is loaded.
"""
# https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/module.py#L71

"""
Module object methods:
get_base, get_filename, get_name, get_size, get_entry_point,
get_process, set_process, get_pid,
get_handle, set_handle, open_handle, close_handle

get_size and get_entry_point do not work because WinAppDbg internally
uses GetModuleInformation.
https://msdn.microsoft.com/en-us/library/ms683201(v=VS.85).aspx
And it cannot get info on files with "that were loaded with the
LOAD_LIBRARY_AS_DATAFILE flag.""

This is related:
https://blogs.msdn.microsoft.com/oldnewthing/20150716-00/?p=45131
"""
module = event.get_module()

logstring = "\nLoaded DLL:\nName: %s\nFilename: %s\nBase Addr: %s\n" % \
(module.get_name(), module.get_filename(), hex(module.get_base()))

mylogger.log_text(logstring)

# _ = module.get_size()

print module.get_handle()

# Create an instance of our eventhandler class
myeventhandler = DebugEvents()

VIII. GetProcessCreateProcessInfo
class DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""

def create_process(self, event):
process = event.get_process()
pid = event.get_pid()
# pid = process.get_pid()
filename = process.get_filename()

mylogger.log_text("CreateProcess %d - %s" % (pid, filename))

def exit_process(self, event):
process = event.get_process()
pid = event.get_pid()
# pid = process.get_pid()
filename = process.get_filename()

mylogger.log_text("ExitProcess %d - %s" % (pid, filename))

def create_thread(self, event):
process = event.get_process()
thread = event.get_thread()

tid = thread.get_tid()
name = thread.get_name()

mylogger.log_text("CreateThread %d - %s" % (tid, name))

def exit_thread(self, event):
process = event.get_process()
thread = event.get_thread()

tid = thread.get_tid()
name = thread.get_name()

mylogger.log_text("ExitThread %d - %s" % (tid, name))

# Create an instance of our eventhandler class
myeventhandler = DebugEvents()

IX. BasicHookFunction
class DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""

def load_dll(self, event):
module = event.get_module()

if module.match_name("kernel32.dll"):

# Resolve function addresses
address_CreateFileA = module.resolve("CreateFileA")
address_CreateFileW = module.resolve("CreateFileW")

# Types are here
# https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/win32/defines.py#L380
sig_CreateFileA = (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)
sig_CreateFileW = (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)

pid = event.get_pid()

# Hook function(pid, address, preCB, postCB, paramCount, signature)
# https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/breakpoint.py#L3969
event.debug.hook_function(pid, address_CreateFileA,
preCB=pre_CreateFileA,
postCB=post_CreateFileA,
signature=sig_CreateFileA)

event.debug.hook_function(pid, address_CreateFileW,
preCB=pre_CreateFileW,
postCB=post_CreateFileW,
signature=sig_CreateFileW)

# Another way of setting up hooks without signature

"""
event.debug.hook_function(pid, address_CreateFileA,
preCB=pre_CreateFileA,
postCB=post_CreateFileA,
paramCount=7)

event.debug.hook_function(pid, address_CreateFileW,
preCB=pre_CreateFileW,
postCB=post_CreateFileW,
paramCount=7)
"""

# Callback functions
# -------------------

# Callback function parameters are always
# (event, ra (return address), then function parameters)
# self is first if part of the eventhandler class


def pre_CreateFileW(event, ra, lpFileName, dwDesiredAccess, dwShareMode,
lpSecurityAttributes, dwCreationDisposition,
dwFlagsAndAttributes, hTemplateFile):

"""
This will be called as soon as we enter the function and before the
function stack frame is created.
"""

process = event.get_process()

# Suspend the process because why not
process.suspend()
    mylogger.log_text("Hit kernel32!CreateFileW")

# 32-bit so all parameters are on stack

# In case you want a pointer to the top of the stack
# thread = event.get_thread()

# All memory read stuff are at
# https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/process.py#L125

# fUnicode=True because we are in the Wide or Unicode version of the API
myFileName = process.peek_string(lpFileName, fUnicode=True)

mylogger.log_text("lpFilename: %s" % (myFileName))

# Resume the process
process.resume()


def pre_CreateFileA(event, ra, lpFileName, dwDesiredAccess, dwShareMode,
lpSecurityAttributes, dwCreationDisposition,
dwFlagsAndAttributes, hTemplateFile):

process = event.get_process()

# Suspend the process because why not
process.suspend()

mylogger.log_text("Hit kernel32!CreateFileA")

# fUnicode=False because we are in the ANSI version
myFileName = process.peek_string(lpFileName, fUnicode=False)

mylogger.log_text("lpFilename: %s" % (myFileName))

process.resume()


def post_CreateFileW(event, retval):

mylogger.log_text("Leaving kernel32!CreateFileW")
mylogger.log_text("Return value: %x" % (retval))


def post_CreateFileA(event, retval):

mylogger.log_text("Leaving kernel32!CreateFileA")
mylogger.log_text("Return value: %x" % (retval))

# Create an instance of our eventhandler class
myeventhandler = DebugEvents()

X. BetterHookFunction
class DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""

# Better hooking
# https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

apiHooks = {

# Hooks for the kernel32 library.
"kernel32.dll": [

# We have seen these before
# Function Signature
("CreateFileA", (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)),
("CreateFileW", (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)),

# Can also pass parameter count
# ("CreateFileA", 6),
# ("CreateFileW", 6),
],
}

# Now we can simply define a method for each hooked API.
# "pre_" methods are called when entering the hooked function.
# "post_" methods are called when returning from the hooked function.

def pre_CreateFileW(self, event, ra, lpFileName, dwDesiredAccess,
dwShareMode, lpSecurityAttributes, dwCreationDisposition,
dwFlagsAndAttributes, hTemplateFile):

process = event.get_process()
myFileName = process.peek_string(lpFileName, fUnicode=True)
mylogger.log_text("pre_CreateFileW opening file %s" % (myFileName))

def post_CreateFileW(self, event, retval):
mylogger.log_text("Return value: %x" % retval)

def pre_CreateFileA(self, event, ra, lpFileName, dwDesiredAccess,
dwShareMode, lpSecurityAttributes, dwCreationDisposition,
dwFlagsAndAttributes, hTemplateFile):

process = event.get_process()
myFileName = process.peek_string(lpFileName, fUnicode=False)
mylogger.log_text("pre_CreateFileA opening file %s" % (myFileName))

def post_CreateFileA(self, event, retval):
mylogger.log_text("Return value: %x" % retval)

# Create an instance of our eventhandler class
myeventhandler = DebugEvents()

XI. HookInternetExplorer HttpSendRequestW
class DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""

"""
BOOL HttpSendRequest(
_In_ HINTERNET hRequest,
_In_ LPCTSTR lpszHeaders,
_In_ DWORD dwHeadersLength,
_In_ LPVOID lpOptional,
_In_ DWORD dwOptionalLength
);
"""

apiHooks = {

# Hooks for the wininet.dll library - note this is case-sensitive
"wininet.dll": [

# Function Signature
("HttpSendRequestW", (HANDLE, PVOID, DWORD, PVOID, DWORD)),
],
}

def pre_HttpSendRequestW(self, event, ra, hRequest, lpszHeaders,
dwHeadersLength, lpOptional, dwOptionalLength):

process = event.get_process()

if dwHeadersLength != 0:
mylogger.log_text(winapputil.utils.get_line())
mylogger.log_text("HttpSendRequestW")

headers = process.peek_string(lpszHeaders, fUnicode=True)
mylogger.log_text("Headers %s" % (headers))

if dwOptionalLength != 0:
# This is not unicode - see the pointer name (lp vs. lpsz)
# fUnicode is set to False (default) then
optional = process.peek_string(lpOptional, fUnicode=False)

mylogger.log_text("Optional %s" % (optional))
mylogger.log_text(winapputil.utils.get_line())

# Create an instance of our eventhandler class
myeventhandler = DebugEvents()


XII. HookInternetExplorer HttpSendRequestW/HttpOpenRequest
class DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""

"""
BOOL HttpSendRequest(
_In_ HINTERNET hRequest,
_In_ LPCTSTR lpszHeaders,
_In_ DWORD dwHeadersLength,
_In_ LPVOID lpOptional,
_In_ DWORD dwOptionalLength
);

HINTERNET HttpOpenRequest(
_In_ HINTERNET hConnect,
_In_ LPCTSTR lpszVerb,
_In_ LPCTSTR lpszObjectName,
_In_ LPCTSTR lpszVersion,
_In_ LPCTSTR lpszReferer,
_In_ LPCTSTR *lplpszAcceptTypes,
_In_ DWORD dwFlags,
_In_ DWORD_PTR dwContext
);
"""

apiHooks = {

# Hooks for the wininet.dll library - note this is case-sensitive
"wininet.dll": [

# Function Signature
("HttpSendRequestW", (HANDLE, PVOID, DWORD, PVOID, DWORD)),
("HttpOpenRequestW", (HANDLE, PVOID, PVOID, PVOID, PVOID, PVOID,
DWORD, PVOID)),
],
}

def pre_HttpSendRequestW(self, event, ra, hRequest, lpszHeaders,
dwHeadersLength, lpOptional, dwOptionalLength):

process = event.get_process()

if dwHeadersLength != 0:
mylogger.log_text(winapputil.utils.get_line())
mylogger.log_text("HttpSendRequestW")

headers = process.peek_string(lpszHeaders, fUnicode=True)
mylogger.log_text("Headers %s" % (headers))

if dwOptionalLength != 0:
# This is not unicode - see the pointer name dummy (lp vs. lpsz)
# False by default but a good idea to include it for clarity
optional = process.peek_string(lpOptional, fUnicode=False)

mylogger.log_text("Optional %s" % (optional))
mylogger.log_text(winapputil.utils.get_line())

def pre_HttpOpenRequestW(self, event, ra, hConnect, lpszVerb,
lpszObjectName, lpszVersion, lpszReferer,
lplpszAcceptTypes, dwFlags, dwContext):

process = event.get_process()

verb = process.peek_string(lpszVerb, fUnicode=True)
if verb is None:
verb = "GET"

obj = process.peek_string(lpszObjectName, fUnicode=True)

mylogger.log_text(winapputil.utils.get_line())
mylogger.log_text("HttpOpenRequestW")
mylogger.log_text("verb: %s" % verb)
mylogger.log_text("obj : %s" % obj)
mylogger.log_text(winapputil.utils.get_line())

# Create an instance of our eventhandler class
myeventhandler = DebugEvents()

XIII. HoookFireFoxFunction PR_Write
class DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""

# Better hooking
# https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

"""
PRInt32 PR_Write(
PRFileDesc *fd,
const void *buf,
PRInt32 amount);

fd: A pointer to the PRFileDesc object for a file or socket
buf: A pointer to the buffer holding the data to be written
amount: The amount of data, in bytes, to be written from the buffer
"""

apiHooks = {

# Hooks for the nss3.dll library
'nss3.dll': [

('PR_Write', (PVOID, PVOID, PVOID)),
],
}

def pre_PR_Write(self, event, ra, fd, buf, amount):

process = event.get_process()

if (amount > 100) and (amount < 1000):
mylogger.log_text("PR_Write")

# https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/process.py#L1581
contents = process.read(buf, amount)

mylogger.log_text("%s" % str(contents))

mylogger.log_text(winapputil.utils.get_line())

# Create an instance of our eventhandler class
myeventhandler = DebugEvents()

XIV. ModifySleep on x86/X64
class DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""

# Better hooking
# https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

"""
VOID WINAPI Sleep(
_In_ DWORD dwMilliseconds
);
https://msdn.microsoft.com/en-us/library/windows/desktop/ms686298(v=vs.85).aspx
"""

apiHooks = {

# Hooks for the kernel32.dll library
"kernel32.dll": [

# Note how are passing only one parameter
("Sleep", (DWORD, )),

# We can also pass the number of arguments instead of signature
# ("Sleep", 1),
],
}

def pre_Sleep(self, event, ra, dwMilliseconds):

process = event.get_process()
process.suspend()

thread = event.get_thread()

bits = thread.get_bits()
emulation = thread.is_wow64()

logstring = "Original dwMilliseconds %d" % dwMilliseconds

mylogger.log_text(logstring)

# If running on a 32-bit machine or 32-bit process on 64-bit machine
if bits == 32 or emulation is True:
top_of_stack = thread.get_sp()

# return_address, dwMilliseconds = thread.read_stack_dwords(2)
# logstring = "Return Address %s" % \
# winappdbg.HexDump.address(return_address, bits)

# mylogger.log_text(logstring)

process.write_dword(top_of_stack+((bits/8)*1), 0)

# AMD64 calling convention on Windows uses fastcall
# rcx, rdx, r8, r9 then stack

elif bits == 64:
thread.set_register("Rcx", 10000)

process.resume()
# Create an instance of our eventhandler class
myeventhandler = DebugEvents()

XV. ModifyDomainFunction in IE InternetConnectW
class DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""

# Better hooking
# https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

"""
HINTERNET InternetConnect(
_In_ HINTERNET hInternet,
_In_ LPCTSTR lpszServerName,
_In_ INTERNET_PORT nServerPort,
_In_ LPCTSTR lpszUsername,
_In_ LPCTSTR lpszPassword,
_In_ DWORD dwService,
_In_ DWORD dwFlags,
_In_ DWORD_PTR dwContext
);
"""

apiHooks = {

# Hooks for the wininet.dll library
"wininet.dll": [

# InternetConnectW
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa384363(v=vs.85).aspx
# ("InternetConnectW", (HANDLE, PVOID, WORD, PVOID, PVOID, DWORD, DWORD, PVOID)),
("InternetConnectW", 8),

],
}

# Now we can simply define a method for each hooked API.
# Methods beginning with "pre_" are called when entering the API,
# and methods beginning with "post_" when returning from the API.

def pre_InternetConnectW(self, event, ra, hInternet, lpszServerName,
nServerPort, lpszUsername, lpszPassword,
dwService, dwFlags, dwContext):

process = event.get_process()
process.suspend()
thread = event.get_thread()

server_name = process.peek_string(lpszServerName, fUnicode=True)
print(server_name)

if server_name == "example.com":

# mylogger.log_text(server_name)

# Encoding as UTF16
new_server_name = "google.com".encode("utf-16le")

# Get length of new payload
payload_length = len(new_server_name)

# Allocate memory in target process and get a pointer
new_payload_addr = event.get_process().malloc(payload_length)

# Write the new payload to that pointer
process.write(new_payload_addr, new_server_name)

top_of_stack = thread.get_sp()

bits = thread.get_bits()
emulation = thread.is_wow64()

if bits == 32 or emulation is True:

# Write the pointer to the new payload with the old one
process.write_dword(top_of_stack + 8, new_payload_addr)

elif bits == 64:
thread.set_register("Rdx", new_payload_addr)

process.resume()

# Create an instance of our eventhandler class
myeventhandler = DebugEvents()
XVI. RegistryReader RegQueryValueExW
class DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""

# Better hooking
# https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

"""
LONG WINAPI RegQueryValueEx(
_In_ HKEY hKey,
_In_opt_ LPCTSTR lpValueName,
_Reserved_ LPDWORD lpReserved,
_Out_opt_ LPDWORD lpType,
_Out_opt_ LPBYTE lpData,
_Inout_opt_ LPDWORD lpcbData
);
"""

apiHooks = {

# Hooks for the adviapi32.dll library
# Can also hook kernel32.dll
"advapi32.dll": [

# RegQueryValueEx
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms724911(v=vs.85).aspx
# ("RegQueryValueExW", (HANDLE, PVOID, PVOID, PVOID, PVOID, PVOID)),
("RegQueryValueExW", 6),

],
}

def pre_RegQueryValueExW(self, event, ra, hKey, lpValueName, lpReserved,
lpType, lpData, lpcbData):

# Store the pointer for later use
self.hKey = hKey
self.lpValueName = lpValueName
self.lpType = lpType
self.lpData = lpData
self.lpcbData = lpcbData

def post_RegQueryValueExW(self, event, retval):
process = event.get_process()

process.suspend()

table = winappdbg.Table("\t")
table.addRow("", "")

# Need to watch out for optional parameters
if self.lpType is not 0:
keyType = process.read_dword(self.lpType)
table.addRow("keyType", keyType)

valueName = process.peek_string(self.lpValueName, fUnicode=True)
size = process.read_dword(self.lpcbData)

table.addRow("valueName", valueName)
table.addRow("size", size)

if self.lpData is not 0:
data = process.read(self.lpData, size)
table.addRow("data", data)
table.addRow("data-hex", data.encode("hex"))

mylogger.log_text(table.getOutput())
mylogger.log_text("-"*30)

process.resume()

# Create an instance of our eventhandler class
myeventhandler = DebugEvents()

XVII RegistryWriter
class DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""

# Better hooking
# https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

"""
LONG WINAPI RegQueryValueEx(
_In_ HKEY hKey,
_In_opt_ LPCTSTR lpValueName,
_Reserved_ LPDWORD lpReserved,
_Out_opt_ LPDWORD lpType,
_Out_opt_ LPBYTE lpData,
_Inout_opt_ LPDWORD lpcbData
);
"""

apiHooks = {

# Hooks for the advapi32.dll library
"advapi32.dll": [

# RegQueryValueEx
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms724911(v=vs.85).aspx
# ("RegQueryValueExW", (HANDLE, PVOID, PVOID, PVOID, PVOID, PVOID)),
("RegQueryValueExW", 6),

],
}

def pre_RegQueryValueExW(self, event, ra, hKey, lpValueName, lpReserved,
lpType, lpData, lpcbData):

# Store the pointer for later use
self.hKey = hKey
self.lpValueName = lpValueName
self.lpType = lpType
self.lpData = lpData
self.lpcbData = lpcbData

def post_RegQueryValueExW(self, event, retval):
process = event.get_process()

process.suspend()

valueName = process.peek_string(self.lpValueName, fUnicode=True)

if valueName == "layout":
# size = process.read_dword(self.lpcbData)
# data = process.read(self.lpData, size)

newLayout = 0x00

process.write_dword(self.lpData, newLayout)

# OR
# process.write(self.lpData, "00".decode("hex"))

process.resume()
# Create an instance of our eventhandler class
myeventhandler = DebugEvents()

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s