#-*- coding=utf-8 -*-
__author__ = "weishuai"
from idaapi import *
from idc import *
from idautils import *
from capstone import *
from capstone.x86 import *
import os
import time
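class SoMoudle:
    """One loaded shared object: its name and the [base, end] address range.

    Instances are created by init_module_list() and cached in the
    module-level ``moudle_list``; ``_end`` is computed there as
    ``base + size`` and is treated as inclusive by get_module_base().
    """

    def __init__(self, name, base, end):
        # Attributes keep their leading underscore because the lookup
        # helpers in this file read them directly (module._base, module._end).
        self._name = name
        self._base = base
        self._end = end

    def __repr__(self):
        """Debug-friendly representation showing name and address range."""
        return "%s(name=%r, base=0x%x, end=0x%x)" % (
            type(self).__name__, self._name, self._base, self._end)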
# Offset, relative to the base of the "linker64" module, at which
# MyDbgHook.dbg_process_attach plants a breakpoint. The value is specific
# to one linker64 build; the name suggests the return of its library-loading
# routine -- confirm against the linker64 in use before relying on it.
find_library_ret_bpt = 0x3a640
# Cache of SoMoudle entries, filled by init_module_list() and searched by
# get_module_base(); entries are only ever appended, never removed.
moudle_list = []
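def find_module(mod_name):
    """Return the base address of the first loaded module whose name contains *mod_name*.

    Walks IDA's module list with get_first_module()/get_next_module().
    The match is a substring test, so a short name (e.g. "linker") also
    matches "linker64"; pass the most specific name available.

    Returns -1 when no module matches; callers must check for that before
    doing address arithmetic with the result.
    """
    addr = get_first_module()
    while addr is not None:
        if mod_name in get_module_name(addr):
            print("Found Module %s base:0x%x" % (mod_name, addr))
            return addr
        addr = get_next_module(addr)
    return -1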
def is_in_module_list(base):
    """Return True when a cached SoMoudle in ``moudle_list`` has exactly this base address."""
    # Only reads the module-level list, so no ``global`` declaration is needed.
    return any(entry._base == base for entry in moudle_list)
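def init_module_list():
    """Refresh the global ``moudle_list`` cache from IDA's current module list.

    Every loaded module that is not already cached (matched by base
    address via is_in_module_list) is appended as
    SoMoudle(name, base, base + size). Existing entries are kept, so the
    cache only grows; nothing is removed for unloaded modules.
    """
    # The original declared ``global so_base_list``, a name that exists
    # nowhere in this file; the list actually mutated is moudle_list, and
    # appending to it needs no global declaration.
    base = get_first_module()
    while base is not None:
        name = get_module_name(base)
        size = get_module_size(base)
        if not is_in_module_list(base):
            moudle_list.append(SoMoudle(name, base, base + size))
        base = get_next_module(base)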
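def _cached_module_base(addr):
    """Return the base of the first cached module whose [base, end] range covers *addr*, else None."""
    for module in moudle_list:
        if module._base <= addr <= module._end:
            return module._base
    return None


def get_module_base(addr):
    """Return the base address of the module containing *addr*, or -1.

    Looks in the ``moudle_list`` cache first; on a miss the cache is
    refreshed once with init_module_list() (a library may have been loaded
    since the last refresh) and the lookup is retried.
    """
    # The original iterated ``module_list``, a name that is never defined
    # (the cache is spelled ``moudle_list``), so every call raised NameError.
    base = _cached_module_base(addr)
    if base is not None:
        return base
    # can't find module: refresh the cache and try again
    print("[*]can't re init mould list")
    init_module_list()
    base = _cached_module_base(addr)
    if base is not None:
        return base
    print("[*]can't find this module please check error!!!!!!!!!!!")
    return -1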
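def clear_all_bpt():
    """Delete every breakpoint currently set in the database.

    Breakpoints are addressed by index through get_bpt_ea(i); deleting one
    renumbers those after it, so walking the indices upwards (as the
    original did) skips every second breakpoint. Walking from the highest
    index down keeps each remaining index valid.
    """
    bp_count = get_bpt_qty()
    print("BP count: %d\r\n" % (bp_count))
    for i in reversed(range(bp_count)):
        if del_bpt(get_bpt_ea(i)):
            print("Del BP: %d\r\n" % (i))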
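def show_all_reg():
    """Print the current program counter as an offset into its containing module.

    Falls back to the absolute pc when get_module_base() cannot place it
    (it returns -1 in that case, and ``pc - (-1)`` would be misleading).
    """
    # The original called get_module_base() with no argument, which raises
    # TypeError; the address to resolve is the pc itself.
    pc = cpu.pc
    base = get_module_base(pc)
    if base == -1:
        print("pc->", hex(pc))
        return
    print("pc->", hex(pc - base))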
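class MyDbgHook(idaapi.DBG_Hooks):
    """Own debug hook class that implements the callback functions.

    Each ``dbg_*`` method is a debugger-event callback. Most only log the
    event; ``dbg_process_attach`` additionally plants the linker64
    breakpoint, and the exit/detach callbacks clear every breakpoint so
    nothing is left behind in the database.
    """

    def dbg_library_unload(self, pid, tid, ea, info):
        """Log an unloaded library."""
        print("MyDbgHook Library unloaded: pid=%d tid=%d ea=0x%x info=%s" % (pid, tid, ea, info))
        return 0

    def dbg_process_start(self, pid, tid, ea, name, base, size):
        """Log process start."""
        print("MyDbgHook Process start pid=%d tid=%d ea=0x%x name=%s base=%x size=%x" % (pid, tid, ea, name, base, size))

    def dbg_process_exit(self, pid, tid, ea, exit_code):
        """Clear all breakpoints and remove this hook once the process exits."""
        clear_all_bpt()
        print("Removing previous hook ...")
        # Unhook this instance directly rather than through the module-level
        # ``debughook`` name, so the callback does not depend on that global
        # still pointing at this object.
        self.unhook()
        print("MyDbgHook Process exit pid=%d tid=%d ea=0x%x exit_code=%x" % (pid, tid, ea, exit_code))

    def dbg_process_attach(self, pid, tid, ea, name, base, size):
        """Plant the linker64 breakpoint as soon as IDA attaches.

        The breakpoint goes ``find_library_ret_bpt`` bytes past the
        linker64 base. The author's note: "BL to init waite load so for
        adding bpt 'lib zhangxin No init table, just start from jni_onload'"
        -- i.e. stop once the target library has been loaded so breakpoints
        can then be placed inside it. The offset is build-specific; confirm
        it for the linker64 in use.
        """
        # The original called FindModule(), a name defined nowhere in this
        # file; the helper is find_module(). It returns -1 on a miss, and
        # adding a breakpoint at -1 + offset would plant it at a bogus address.
        linker_base = find_module("linker64")
        if linker_base == -1:
            print("MyDbgHook linker64 not found, breakpoint not set")
        else:
            add_bpt(linker_base + find_library_ret_bpt)
        print("MyDbgHook Process attach pid=%d tid=%d ea=0x%x name=%s base=%x size=%x" % (pid, tid, ea, name, base, size))

    def dbg_process_detach(self, pid, tid, ea):
        """Clear all breakpoints on detach; the hook itself stays installed.

        The author deliberately left the unhook out here (it was commented
        out), presumably so a later re-attach still receives callbacks.
        """
        clear_all_bpt()
        print("MyDbgHook Process detached, pid=%d tid=%d ea=0x%x" % (pid, tid, ea))
        return 0

    def dbg_bpt(self, tid, ea):
        """Breakpoint callback; returns 1 unchanged from the original.

        show_all_reg() could be called here to print the pc on every
        breakpoint hit; the author left that disabled.
        """
        return 1

    def dbg_library_load(self, pid, tid, ea, name, base, size):
        """Log a loaded library (ea and size are received but not printed)."""
        print("MyDbgHook Library loaded: pid=%d tid=%d name=%s base=%x" % (pid, tid, name, base))

    def dbg_suspend_process(self):
        """Print the pc relative to its module whenever the process is suspended."""
        # The original also fetched get_event_ea() into an unused local.
        show_all_reg()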
# Install the debug hook
debughook = MyDbgHook()
debughook.hook()
load_and_run_plugin('python', 3)
# Reference note kept from the original author about load_debugger(), which
# this script does not call (IDA loads the debugger module itself here):
#
#   Load the debugger
#   dbgname - debugger module name
#   Examples: win32, linux, mac.
#   use_remote - 0/1: use remote debugger or not
#   This function is needed only when running idc scripts from the command line.
#   In other cases IDA loads the debugger module automatically.
#   success load_debugger(string dbgname, long use_remote);