Source: https://gitlab.com/vitali.kremez/winappdbg_contruct
Credit: WinappDbg; Parsia
###########################
#### WinAppDbg ###########
##########################
I. GetRunnerProcess
if (args.run):
# Concat all arguments into a string
myargs = " ".join(args.run)
if win32.PathFileExists(args.run[0]) is True:
# File exists
# Create a Debug object
debug = winappdbg.Debug()
try:
# Debug the app
# First item is program and the rest are arguments
# execl: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L358
my_process = debug.execl(myargs)
print("Attached to {0} - {1}".format(my_process.get_pid(),
my_process.get_filename()))
# Keep debugging until the debugger stops
debug.loop()
finally:
# Stop the debugger
debug.stop()
print("[*] Debugger stopped.")
else:
print("{0} not found.".format(args.run[0]))
exit()
II. GetSystemInformation()
if(args.sysinfo):
# Create a System object
# https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66
system = winappdbg.System()
# Use the built-in WinAppDbg table
# https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094
table = winappdbg.Table("\t")
# New line
table.addRow("", "")
# Header
title = ("System Information", "")
table.addRow(*title)
# Add system information
table.addRow("------------------")
table.addRow("Bits", system.bits)
table.addRow("OS", system.os)
table.addRow("Architecture", system.arch)
table.addRow("32-bit Emulation", system.wow64)
table.addRow("Admin", system.is_admin())
table.addRow("WinAppDbg", winappdbg.version)
table.addRow("Process Count", system.get_process_count())
print table.getOutput()
exit()III. GetProcessListif (args.getprocesses):
system = winappdbg.System()
# We can reuse example 02 from the docs
# https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes
table = winappdbg.Table("\t")
table.addRow("", "")
header = ("pid", "process")
table.addRow(*header)
table.addRow("----", "----------")
processes = {}
# Add all processes to a dictionary then sort them by pid
for process in system:
processes[process.get_pid()] = process.get_filename()
# Iterate through processes sorted by pid
for key in sorted(processes.iterkeys()):
table.addRow(key, processes[key])
print table.getOutput()
exit()IV.AttachByProcessIDif (args.pid):
system = winappdbg.System()
# Get all pids
pids = system.get_process_ids()
if args.pid in pids:
# pid exists
# Create a Debug object
debug = winappdbg.Debug()
try:
# Attach to pid
# attach: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L219
my_process = debug.attach(args.pid)
print "Attached to %d - %s" % (my_process.get_pid(),
my_process.get_filename())
# Keep debugging until the debugger stops
debug.loop()
finally:
# Stop the debugger
debug.stop()
print "Debugger stopped."
else:
print "pid %d not found." % (args.pid)
exit()V. AttachByProcessNameif (args.pname):
debug = winappdbg.Debug()
# example 3:
# https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py
try:
debug.system.scan()
for (process, name) in debug.system.find_processes_by_filename(args.pname):
print "Found %d, %s" % (process.get_pid(),
process.get_filename())
debug.attach(process.get_pid())
print "Attached to %d-%s" % (process.get_pid(),
process.get_filename())
debug.loop()
finally:
# Stop the debugger
debug.stop()
print "Debugger stopped."
exit()VI. WriteLoggerOutputglobal logger
if args.output:
# verbose=False disables printing to stdout
logger = winappdbg.Logger(args.output, verbose=False)
else:
logger = winappdbg.Logger()# Example# logger.log_text("Started %d - %s" % (my_process.get_pid(), my_process.get_filename()))VII. GetLoadedModulesclass DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""
def load_dll(self, event):
"""
Called when a new module is loaded.
"""
# https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/module.py#L71
"""
Module object methods:
get_base, get_filename, get_name, get_size, get_entry_point,
get_process, set_process, get_pid,
get_handle, set_handle, open_handle, close_handle
get_size and get_entry_point do not work because WinAppDbg internally
uses GetModuleInformation.
https://msdn.microsoft.com/en-us/library/ms683201(v=VS.85).aspx
And it cannot get info on files with "that were loaded with the
LOAD_LIBRARY_AS_DATAFILE flag.""
This is related:
https://blogs.msdn.microsoft.com/oldnewthing/20150716-00/?p=45131
"""
module = event.get_module()
logstring = "\nLoaded DLL:\nName: %s\nFilename: %s\nBase Addr: %s\n" % \
(module.get_name(), module.get_filename(), hex(module.get_base()))
mylogger.log_text(logstring)
# _ = module.get_size()
print module.get_handle()
# Create an instance of our eventhandler class
myeventhandler = DebugEvents()VIII. GetProcessCreateProcessInfoclass DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""
def create_process(self, event):
process = event.get_process()
pid = event.get_pid()
# pid = process.get_pid()
filename = process.get_filename()
mylogger.log_text("CreateProcess %d - %s" % (pid, filename))
def exit_process(self, event):
process = event.get_process()
pid = event.get_pid()
# pid = process.get_pid()
filename = process.get_filename()
mylogger.log_text("ExitProcess %d - %s" % (pid, filename))
def create_thread(self, event):
process = event.get_process()
thread = event.get_thread()
tid = thread.get_tid()
name = thread.get_name()
mylogger.log_text("CreateThread %d - %s" % (tid, name))
def exit_thread(self, event):
process = event.get_process()
thread = event.get_thread()
tid = thread.get_tid()
name = thread.get_name()
mylogger.log_text("ExitThread %d - %s" % (tid, name))# Create an instance of our eventhandler class
myeventhandler = DebugEvents()IX. BasicHookFunctionclass DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""
def load_dll(self, event):
module = event.get_module()
if module.match_name("kernel32.dll"):
# Resolve function addresses
address_CreateFileA = module.resolve("CreateFileA")
address_CreateFileW = module.resolve("CreateFileW")
# Types are here
# https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/win32/defines.py#L380
sig_CreateFileA = (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)
sig_CreateFileW = (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)
pid = event.get_pid()
# Hook function(pid, address, preCB, postCB, paramCount, signature)
# https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/breakpoint.py#L3969
event.debug.hook_function(pid, address_CreateFileA,
preCB=pre_CreateFileA,
postCB=post_CreateFileA,
signature=sig_CreateFileA)
event.debug.hook_function(pid, address_CreateFileW,
preCB=pre_CreateFileW,
postCB=post_CreateFileW,
signature=sig_CreateFileW)
# Another way of setting up hooks without signature
"""
event.debug.hook_function(pid, address_CreateFileA,
preCB=pre_CreateFileA,
postCB=post_CreateFileA,
paramCount=7)
event.debug.hook_function(pid, address_CreateFileW,
preCB=pre_CreateFileW,
postCB=post_CreateFileW,
paramCount=7)
"""
# Callback functions
# -------------------
# Callback function parameters are always
# (event, ra (return address), then function parameters)
# self is first if part of the eventhandler class
def pre_CreateFileW(event, ra, lpFileName, dwDesiredAccess, dwShareMode,
lpSecurityAttributes, dwCreationDisposition,
dwFlagsAndAttributes, hTemplateFile):
"""
This will be called as soon as we enter the function and before the
function stack frame is created.
"""
process = event.get_process()
# Suspend the process because why not
process.suspend()mylogger.log_text("Hit kernel32!CreateFileW")
# 32-bit so all parameters are on stack
# In case you want a pointer to the top of the stack
# thread = event.get_thread()
# All memory read stuff are at
# https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/process.py#L125
# fUnicode=True because we are in the Wide or Unicode version of the API
myFileName = process.peek_string(lpFileName, fUnicode=True)
mylogger.log_text("lpFilename: %s" % (myFileName))
# Resume the process
process.resume()
def pre_CreateFileA(event, ra, lpFileName, dwDesiredAccess, dwShareMode,
lpSecurityAttributes, dwCreationDisposition,
dwFlagsAndAttributes, hTemplateFile):
process = event.get_process()
# Suspend the process because why not
process.suspend()
mylogger.log_text("Hit kernel32!CreateFileA")
# fUnicode=False because we are in the ANSI version
myFileName = process.peek_string(lpFileName, fUnicode=False)
mylogger.log_text("lpFilename: %s" % (myFileName))
process.resume()
def post_CreateFileW(event, retval):
mylogger.log_text("Leaving kernel32!CreateFileW")
mylogger.log_text("Return value: %x" % (retval))
def post_CreateFileA(event, retval):
mylogger.log_text("Leaving kernel32!CreateFileA")
mylogger.log_text("Return value: %x" % (retval))# Create an instance of our eventhandler class
myeventhandler = DebugEvents()X. BetterHookFunctionclass DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""
# Better hooking
# https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls
apiHooks = {
# Hooks for the kernel32 library.
"kernel32.dll": [
# We have seen these before
# Function Signature
("CreateFileA", (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)),
("CreateFileW", (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)),
# Can also pass parameter count
# ("CreateFileA", 6),
# ("CreateFileW", 6),
],
}
# Now we can simply define a method for each hooked API.
# "pre_" methods are called when entering the hooked function.
# "post_" methods are called when returning from the hooked function.
def pre_CreateFileW(self, event, ra, lpFileName, dwDesiredAccess,
dwShareMode, lpSecurityAttributes, dwCreationDisposition,
dwFlagsAndAttributes, hTemplateFile):
process = event.get_process()
myFileName = process.peek_string(lpFileName, fUnicode=True)
mylogger.log_text("pre_CreateFileW opening file %s" % (myFileName))
def post_CreateFileW(self, event, retval):
mylogger.log_text("Return value: %x" % retval)
def pre_CreateFileA(self, event, ra, lpFileName, dwDesiredAccess,
dwShareMode, lpSecurityAttributes, dwCreationDisposition,
dwFlagsAndAttributes, hTemplateFile):
process = event.get_process()
myFileName = process.peek_string(lpFileName, fUnicode=False)
mylogger.log_text("pre_CreateFileA opening file %s" % (myFileName))
def post_CreateFileA(self, event, retval):
mylogger.log_text("Return value: %x" % retval)# Create an instance of our eventhandler class
myeventhandler = DebugEvents()XI. HookInternetExplorer HttpSendRequestWclass DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""
"""
BOOL HttpSendRequest(
_In_ HINTERNET hRequest,
_In_ LPCTSTR lpszHeaders,
_In_ DWORD dwHeadersLength,
_In_ LPVOID lpOptional,
_In_ DWORD dwOptionalLength
);
"""
apiHooks = {
# Hooks for the wininet.dll library - note this is case-sensitive
"wininet.dll": [
# Function Signature
("HttpSendRequestW", (HANDLE, PVOID, DWORD, PVOID, DWORD)),
],
}
def pre_HttpSendRequestW(self, event, ra, hRequest, lpszHeaders,
dwHeadersLength, lpOptional, dwOptionalLength):
process = event.get_process()
if dwHeadersLength != 0:
mylogger.log_text(winapputil.utils.get_line())
mylogger.log_text("HttpSendRequestW")
headers = process.peek_string(lpszHeaders, fUnicode=True)
mylogger.log_text("Headers %s" % (headers))
if dwOptionalLength != 0:
# This is not unicode - see the pointer name (lp vs. lpsz)
# fUnicode is set to False (default) then
optional = process.peek_string(lpOptional, fUnicode=False)
mylogger.log_text("Optional %s" % (optional))
mylogger.log_text(winapputil.utils.get_line())# Create an instance of our eventhandler class
myeventhandler = DebugEvents()XII. HookInternetExplorer HttpSendRequestW/HttpOpenRequestclass DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""
"""
BOOL HttpSendRequest(
_In_ HINTERNET hRequest,
_In_ LPCTSTR lpszHeaders,
_In_ DWORD dwHeadersLength,
_In_ LPVOID lpOptional,
_In_ DWORD dwOptionalLength
);
HINTERNET HttpOpenRequest(
_In_ HINTERNET hConnect,
_In_ LPCTSTR lpszVerb,
_In_ LPCTSTR lpszObjectName,
_In_ LPCTSTR lpszVersion,
_In_ LPCTSTR lpszReferer,
_In_ LPCTSTR *lplpszAcceptTypes,
_In_ DWORD dwFlags,
_In_ DWORD_PTR dwContext
);
"""
apiHooks = {
# Hooks for the wininet.dll library - note this is case-sensitive
"wininet.dll": [
# Function Signature
("HttpSendRequestW", (HANDLE, PVOID, DWORD, PVOID, DWORD)),
("HttpOpenRequestW", (HANDLE, PVOID, PVOID, PVOID, PVOID, PVOID,
DWORD, PVOID)),
],
}
def pre_HttpSendRequestW(self, event, ra, hRequest, lpszHeaders,
dwHeadersLength, lpOptional, dwOptionalLength):
process = event.get_process()
if dwHeadersLength != 0:
mylogger.log_text(winapputil.utils.get_line())
mylogger.log_text("HttpSendRequestW")
headers = process.peek_string(lpszHeaders, fUnicode=True)
mylogger.log_text("Headers %s" % (headers))
if dwOptionalLength != 0:
# This is not unicode - see the pointer name dummy (lp vs. lpsz)
# False by default but a good idea to include it for clarity
optional = process.peek_string(lpOptional, fUnicode=False)
mylogger.log_text("Optional %s" % (optional))
mylogger.log_text(winapputil.utils.get_line())
def pre_HttpOpenRequestW(self, event, ra, hConnect, lpszVerb,
lpszObjectName, lpszVersion, lpszReferer,
lplpszAcceptTypes, dwFlags, dwContext):
process = event.get_process()
verb = process.peek_string(lpszVerb, fUnicode=True)
if verb is None:
verb = "GET"
obj = process.peek_string(lpszObjectName, fUnicode=True)
mylogger.log_text(winapputil.utils.get_line())
mylogger.log_text("HttpOpenRequestW")
mylogger.log_text("verb: %s" % verb)
mylogger.log_text("obj : %s" % obj)
mylogger.log_text(winapputil.utils.get_line())
myeventhandler = DebugEvents()XIII. HoookFireFoxFunction PR_Writeclass DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""
# Better hooking
# https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls
"""
PRInt32 PR_Write(
PRFileDesc *fd,
const void *buf,
PRInt32 amount);
fd: A pointer to the PRFileDesc object for a file or socket
buf: A pointer to the buffer holding the data to be written
amount: The amount of data, in bytes, to be written from the buffer
"""
apiHooks = {
# Hooks for the nss3.dll library
'nss3.dll': [
('PR_Write', (PVOID, PVOID, PVOID)),
],
}
def pre_PR_Write(self, event, ra, fd, buf, amount):
process = event.get_process()
if (amount > 100) and (amount < 1000):
mylogger.log_text("PR_Write")
# https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/process.py#L1581
contents = process.read(buf, amount)
mylogger.log_text("%s" % str(contents))
mylogger.log_text(winapputil.utils.get_line())# Create an instance of our eventhandler class
myeventhandler = DebugEvents()XIV. ModifySleep on x86/X64class DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""
# Better hooking
# https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls
"""
VOID WINAPI Sleep(
_In_ DWORD dwMilliseconds
);
https://msdn.microsoft.com/en-us/library/windows/desktop/ms686298(v=vs.85).aspx
"""
apiHooks = {
# Hooks for the kernel32.dll library
"kernel32.dll": [
# Note how are passing only one parameter
("Sleep", (DWORD, )),
# We can also pass the number of arguments instead of signature
# ("Sleep", 1),
],
}
def pre_Sleep(self, event, ra, dwMilliseconds):
process = event.get_process()
process.suspend()
thread = event.get_thread()
bits = thread.get_bits()
emulation = thread.is_wow64()
logstring = "Original dwMilliseconds %d" % dwMilliseconds
mylogger.log_text(logstring)
# If running on a 32-bit machine or 32-bit process on 64-bit machine
if bits == 32 or emulation is True:
top_of_stack = thread.get_sp()
# return_address, dwMilliseconds = thread.read_stack_dwords(2)
# logstring = "Return Address %s" % \
# winappdbg.HexDump.address(return_address, bits)
# mylogger.log_text(logstring)
process.write_dword(top_of_stack+((bits/8)*1), 0)
# AMD64 calling convention on Windows uses fastcall
# rcx, rdx, r8, r9 then stack
elif bits == 64:
thread.set_register("Rcx", 10000)
process.resume()# Create an instance of our eventhandler class
myeventhandler = DebugEvents()XV. ModifyDomainFunction in IE InternetConnectWclass DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""
# Better hooking
# https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls
"""
HINTERNET InternetConnect(
_In_ HINTERNET hInternet,
_In_ LPCTSTR lpszServerName,
_In_ INTERNET_PORT nServerPort,
_In_ LPCTSTR lpszUsername,
_In_ LPCTSTR lpszPassword,
_In_ DWORD dwService,
_In_ DWORD dwFlags,
_In_ DWORD_PTR dwContext
);
"""
apiHooks = {
# Hooks for the wininet.dll library
"wininet.dll": [
# InternetConnectW
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa384363(v=vs.85).aspx
# ("InternetConnectW", (HANDLE, PVOID, WORD, PVOID, PVOID, DWORD, DWORD, PVOID)),
("InternetConnectW", 8),
],
}
# Now we can simply define a method for each hooked API.
# Methods beginning with "pre_" are called when entering the API,
# and methods beginning with "post_" when returning from the API.
def pre_InternetConnectW(self, event, ra, hInternet, lpszServerName,
nServerPort, lpszUsername, lpszPassword,
dwService, dwFlags, dwContext):
process = event.get_process()
process.suspend()
thread = event.get_thread()
server_name = process.peek_string(lpszServerName, fUnicode=True)
print(server_name)
if server_name == "example.com":
# mylogger.log_text(server_name)
# Encoding as UTF16
new_server_name = "google.com".encode("utf-16le")
# Get length of new payload
payload_length = len(new_server_name)
# Allocate memory in target process and get a pointer
new_payload_addr = event.get_process().malloc(payload_length)
# Write the new payload to that pointer
process.write(new_payload_addr, new_server_name)
top_of_stack = thread.get_sp()
bits = thread.get_bits()
emulation = thread.is_wow64()
if bits == 32 or emulation is True:
# Write the pointer to the new payload with the old one
process.write_dword(top_of_stack + 8, new_payload_addr)
elif bits == 64:
thread.set_register("Rdx", new_payload_addr)
process.resume()# Create an instance of our eventhandler class
myeventhandler = DebugEvents()XVI. RegistryReader RegQueryValueExWclass DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""
# Better hooking
# https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls
"""
LONG WINAPI RegQueryValueEx(
_In_ HKEY hKey,
_In_opt_ LPCTSTR lpValueName,
_Reserved_ LPDWORD lpReserved,
_Out_opt_ LPDWORD lpType,
_Out_opt_ LPBYTE lpData,
_Inout_opt_ LPDWORD lpcbData
);
"""
apiHooks = {
# Hooks for the adviapi32.dll library
# Can also hook kernel32.dll
"advapi32.dll": [
# RegQueryValueEx
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms724911(v=vs.85).aspx
# ("RegQueryValueExW", (HANDLE, PVOID, PVOID, PVOID, PVOID, PVOID)),
("RegQueryValueExW", 6),
],
}
def pre_RegQueryValueExW(self, event, ra, hKey, lpValueName, lpReserved,
lpType, lpData, lpcbData):
# Store the pointer for later use
self.hKey = hKey
self.lpValueName = lpValueName
self.lpType = lpType
self.lpData = lpData
self.lpcbData = lpcbData
def post_RegQueryValueExW(self, event, retval):
process = event.get_process()
process.suspend()
table = winappdbg.Table("\t")
table.addRow("", "")
# Need to watch out for optional parameters
if self.lpType is not 0:
keyType = process.read_dword(self.lpType)
table.addRow("keyType", keyType)
valueName = process.peek_string(self.lpValueName, fUnicode=True)
size = process.read_dword(self.lpcbData)
table.addRow("valueName", valueName)
table.addRow("size", size)
if self.lpData is not 0:
data = process.read(self.lpData, size)
table.addRow("data", data)
table.addRow("data-hex", data.encode("hex"))
mylogger.log_text(table.getOutput())
mylogger.log_text("-"*30)
process.resume()# Create an instance of our eventhandler class
myeventhandler = DebugEvents()XVII RegistryWriterclass DebugEvents(winappdbg.EventHandler):
"""
Event handler class.
event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
"""
# Better hooking
# https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls
"""
LONG WINAPI RegQueryValueEx(
_In_ HKEY hKey,
_In_opt_ LPCTSTR lpValueName,
_Reserved_ LPDWORD lpReserved,
_Out_opt_ LPDWORD lpType,
_Out_opt_ LPBYTE lpData,
_Inout_opt_ LPDWORD lpcbData
);
"""
apiHooks = {
# Hooks for the advapi32.dll library
"advapi32.dll": [
# RegQueryValueEx
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms724911(v=vs.85).aspx
# ("RegQueryValueExW", (HANDLE, PVOID, PVOID, PVOID, PVOID, PVOID)),
("RegQueryValueExW", 6),
],
}
def pre_RegQueryValueExW(self, event, ra, hKey, lpValueName, lpReserved,
lpType, lpData, lpcbData):
# Store the pointer for later use
self.hKey = hKey
self.lpValueName = lpValueName
self.lpType = lpType
self.lpData = lpData
self.lpcbData = lpcbData
def post_RegQueryValueExW(self, event, retval):
process = event.get_process()
process.suspend()
valueName = process.peek_string(self.lpValueName, fUnicode=True)
if valueName == "layout":
# size = process.read_dword(self.lpcbData)
# data = process.read(self.lpData, size)
newLayout = 0x00
process.write_dword(self.lpData, newLayout)
# OR
# process.write(self.lpData, "00".decode("hex"))
process.resume()# Create an instance of our eventhandler class
myeventhandler = DebugEvents()
Reverse Engineering, Malware Deep Insight 