WinAppDbg
Main guide is here: http://winappdbg.readthedocs.io/en/latest/ProgrammingGuide.html
32-bit and 64-bit Python
Generally you want to debug 32-bit applications in 32-bit Python. You can have both of them together on one machine. When installing the 2nd Python, uncheck register extensions in the installer. On a VM it does not really matter because you can install/uninstall Python 32 and 64 bit versions at will.
Installation
Pip installed version 1.5.
To get 1.6, we use the github repo at https://github.com/MarioVilas/winappdbg. Clone and run install.bat.
According to the installation documentation we may benefit from additional software.
- Capstone:
python -m pip install capstone-windows - distorm3: Download binaries from release page https://github.com/gdabah/distorm/releases
https://breakingcode.wordpress.com/2012/04/08/quickpost-installer-for-beaenginepython/
Has installers for the rest.
Debugging
This is what I want:
from winappdbg.win32 import *
# Create a snapshot of the process, only take the heap list.
hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPHEAPLIST, pid )
- HexDump:
- take_memory_snapshot:
- restore_memory_snapshot:
- bSkipMappedFiles:
- break_at:
- get_context:
- set_context:
- All memory read stuff are at:
- Use built-in Table:
- https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094
table = Table("|")we can add separator here.
- Logger class: