Breaking Code

August 24, 2010

WinAppDbg 1.4 is out!

What is WinAppDbg?

The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debuggee and set breakpoints of different kinds (code, hardware and memory). Additionally, it has no native code at all, making it easier to maintain or modify than other debuggers on Windows.

The intended audience is QA engineers and software security auditors wishing to test / fuzz Windows applications with quickly coded Python scripts. Several ready-to-use utilities are shipped and can be used for these purposes.

Current features also include disassembling x86 native code (using the open source diStorm project, see http://ragestorm.net/distorm/), debugging multiple processes simultaneously and producing a detailed log of application crashes, useful for fuzzing and automated testing.

What’s new in this version?

In a nutshell…

  • fully supports Python 2.4 through 2.7
  • fully supports Windows XP through Windows 7, 32 and 64 bit editions
  • crash report tool now supports MSSQL (requires pyodbc)
  • now supports downloading debugging symbols from Microsoft (thanks Neitsa!)
  • new tool: sehtest.py (Windows SEH buffer overflow jump address bruteforcer, inspired by the same tool by Nicolas Economou)
  • the tutorial is now available in chm and pdf formats
  • now with only one MSI installer for all supported Python versions
  • added support for diStorm 3 (falls back to the old version if not found)
  • now using cerealizer instead of pickle whenever possible
  • added new command to the command line debugger to show the exception handlers
  • a few more anti-anti-debug tricks were added, still more to go!
  • several improvements to the Window instrumentation classes
  • more code examples
  • more Win32 API wrappers
  • lots of miscellaneous improvements, more documentation and bugfixes as usual!

Entire changelog for all versions (slow!):

Where can I find WinAppDbg?

Project homepage

Windows installer (32 bits)

Windows installer (64 bits)

Source code

Online documentation

Offline documentation

December 1, 2009

WinAppDbg 1.3 is out!

Filed under: Tools — Mario Vilas @ 4:12 am

What is WinAppDbg?

The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debuggee and set breakpoints of different kinds (code, hardware and memory). Additionally, it has no native code at all, making it easier to maintain or modify than other debuggers on Windows.

The intended audience is QA engineers and software security auditors wishing to test / fuzz Windows applications with quickly coded Python scripts. Several ready-to-use utilities are shipped and can be used for these purposes.

Current features also include disassembling x86 native code (using the open source diStorm project, see http://ragestorm.net/distorm/), debugging multiple processes simultaneously and producing a detailed log of application crashes, useful for fuzzing and automated testing.

Where can I find WinAppDbg?

Project homepage

Windows installer (32 bits)

Windows installer (64 bits)

Source code

Online documentation

Offline documentation

What’s new in this version?

In a nutshell…

  • 64 bits support.
  • Windows Vista and 7 support.
  • Memory dumping support.
  • Wait chain support.
  • New tool: SelectMyParent (based on the tool by Didier Stevens).
  • More code examples.
  • Supports detecting the current processor architecture and Windows version.
  • Crash logger works with SQLite databases in addition to the old DBM format. It also has a smaller memory footprint now.
  • Win32 API wrappers were refactored and improved. Many new definitions and API calls were added, up to Windows 7.
  • Many bugfixes as usual… 🙂 also several improvements to make the code more robust.

Here’s the full changelog.

August 31, 2009

Using diStorm with Python 2.6 and Python 3.x, revisited

Filed under: Tools — Mario Vilas @ 10:01 pm

In a previous post, we’ve seen how to wrap the diStorm disassembler library in Python, using ctypes. This still left us with the task of building the dynamic link library for our platform and installing it manually, which is not as easy as it may seem – among other small problems you may find, the new versions of Visual Studio try to force the use of the latest C++ runtime redistributables, which may not be present in most Windows installations.

Today, I’m introducing a new ctypes wrapper for diStorm, this time with all binaries prebuilt and packaged together. The installer script automatically detects the target platform and installs the right binary. It comes with the following prebuilt binaries:

  • Windows on x86 and AMD64 processors
  • Linux on x86 and AMD64 processors (built using Ubuntu, but should work in other distros)
  • Mac OS X on x86 and PowerPC processors (untested, I don’t have a Mac to play with yet)

Since the installer code is pretty much generic, it should be easy to add new platforms by simply creating the corresponding subdirectory and placing the python code and prebuilt binary in it. Contributions are welcome! 🙂

Download

Python 2.x

Python 3.x

June 16, 2009

WinAppDbg version 1.2 is out!

Filed under: Tools — Mario Vilas @ 7:23 pm

What is WinAppDbg?

The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debuggee and set breakpoints of different kinds (code, hardware and memory). Additionally, it has no native code at all, making it easier to maintain or modify than other debuggers on Windows.

The intended audience is QA engineers and software security auditors wishing to test / fuzz Windows applications with quickly coded Python scripts. Several ready-to-use utilities are shipped and can be used for these purposes.

Current features also include disassembling x86 native code (using the open source diStorm project), debugging multiple processes simultaneously and producing a detailed log of application crashes, useful for fuzzing and automated testing.

Where can I find WinAppDbg?

The WinAppDbg project is currently hosted at Sourceforge, and can be found at:

http://winappdbg.sourceforge.net/

It’s also hosted at the Python Package Index (PyPi):

http://pypi.python.org/pypi/winappdbg/1.2

May 27, 2009

Using diStorm with Python 2.6 and Python 3.x

Filed under: Tools — Mario Vilas @ 12:14 am

diStorm is currently my favorite disassembler for Intel platforms. It’s small, fast, compiles virtually anywhere, and it’s got Python bindings for 2.3, 2.4 and 2.5. The only problem so far was trying to use it with Python 2.6 and above – the C extension has to be recompiled for each new Python version. To solve this problem a pure Python module using ctypes is shipped – but its interface is different from the C module, forcing us to code different routines.

So my solution was to code my own ctypes-based diStorm bindings. It’s compatible with the C version and it works in all Python 2.x versions. The DLL library has to be present in the path for it to work.

I’ve also ported it to Python 3.x. Both versions are tested under Windows only, however it should work correctly under Linux – let me know if you try it!

Here is also an example script using diStorm to disassemble a raw binary file. Could come in handy for example to disassemble the shellcode contained in an exploit, or to find anything that resembles shellcode in a packet capture.
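The following is an added example, not the post’s own script or the bindings it links to, showing the technique the post describes: a ctypes binding for the diStorm shared library that returns the same (offset, size, text, hexdump) tuples as the C-extension bindings, plus a raw-file disassembler built on it. The struct layout, the MAX_TEXT_SIZE value of 48 and the distorm_decode64 export name are assumptions taken from the later diStorm3 header and must match the library you actually built; the library is located via a DISTORM_LIB environment variable (an assumed convention) or the system library path.

```python
import ctypes.util
import os
import sys

# Constants assumed from the diStorm header (distorm.h); MAX_TEXT_SIZE must equal
# the value the native library was built with, or the result layout will be wrong.
MAX_TEXT_SIZE = 48
Decode16Bits, Decode32Bits, Decode64Bits = 0, 1, 2   # _DecodeType
DECRES_SUCCESS, DECRES_MEMORYERR = 1, 2              # _DecodeResult values we accept

class WString(ctypes.Structure):          # _WString: length + NUL-terminated text
    _fields_ = [("length", ctypes.c_uint), ("p", ctypes.c_char * MAX_TEXT_SIZE)]

class DecodedInst(ctypes.Structure):      # _DecodedInst, 64-bit offset build (assumed)
    _fields_ = [("mnemonic", WString), ("operands", WString),
                ("instructionHex", WString), ("size", ctypes.c_uint),
                ("offset", ctypes.c_uint64)]

def results_to_tuples(results, count):
    """C result array -> (offset, size, text, hexdump), as the C-extension bindings return."""
    out = []
    for i in range(count):
        inst = results[i]
        text = "%s %s" % (inst.mnemonic.p.decode("ascii"), inst.operands.p.decode("ascii"))
        out.append((inst.offset, inst.size, text.strip(),     # strip: operands may be empty
                    inst.instructionHex.p.decode("ascii")))
    return out

def load_distorm(path=None):
    """Load the prebuilt shared library found in the path (or given via $DISTORM_LIB)."""
    path = path or os.environ.get("DISTORM_LIB") or ctypes.util.find_library("distorm3")
    if not path:
        raise OSError("diStorm shared library not found; set DISTORM_LIB")
    fn = ctypes.CDLL(path).distorm_decode64   # export name assumed for 64-bit-offset builds
    fn.restype = ctypes.c_int
    fn.argtypes = [ctypes.c_uint64, ctypes.c_char_p, ctypes.c_int, ctypes.c_int,
                   ctypes.POINTER(DecodedInst), ctypes.c_uint, ctypes.POINTER(ctypes.c_uint)]
    return fn

def decode(code, offset=0, dt=Decode32Bits, max_insts=1000, decode_fn=None):
    """Disassemble raw bytes. MEMORYERR only means the result array filled up."""
    decode_fn = decode_fn or load_distorm()
    results, used = (DecodedInst * max_insts)(), ctypes.c_uint(0)
    rc = decode_fn(offset, code, len(code), dt, results, max_insts, ctypes.byref(used))
    if rc not in (DECRES_SUCCESS, DECRES_MEMORYERR):
        raise RuntimeError("distorm_decode failed with code %d" % rc)
    return results_to_tuples(results, used.value)
if __name__ == "__main__":                 # usage: python distorm_ctypes.py <raw binary file>
    for off, size, text, hx in decode(open(sys.argv[1], "rb").read()):
        print("%08x  %-16s  %s" % (off, hx, text))
```

When the result array fills up (DECRES_MEMORYERR), only the first max_insts instructions are returned; pass the last returned offset plus size back in as the new offset to continue.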


May 18, 2009

WinAppDbg 1.1 released

Filed under: Tools — Mario Vilas @ 1:18 am

New version of WinAppDbg!

New features include:

  • New tool: a simple command line debugger that supports plugins.
  • Added support for Microsoft debugging symbols.
  • Added support for py2exe, to generate standalone executables.
  • New Win32 API functions added to win32.py
  • Improvements to the breakpoints support, now “stalking” works for memory buffers and variables too.

This new version contains some bugfixes, so if you were using 1.0 I very much recommend upgrading.

Download
