/// <summary>
        /// Starts the characterbuilder and modifies the in-memory representation of LOADED_FILE to
        /// support unencrypted data.
        /// </summary>
        /// <param name="patchFile"></param>
        public static void StartProcessAndPatchMemory()
        {
            Log.Debug("About to start loading character builder.");
            //// start character builder
            NativePipeline np = new NativePipeline();

            Log.Debug("Creating process and attaching debugger");
            NativeDbgProcess proc = np.CreateProcessDebug(EXECUTABLE, EXECUTABLE_ARGS);

            while (true)
            {
                Log.Debug("Waiting for next event");
                NativeEvent ne = np.WaitForDebugEventInfinite();
                Log.Debug(ne.ToString());
                ne.Process.HandleIfLoaderBreakpoint(ne);
                if (ne.EventCode == NativeDebugEventCode.LOAD_DLL_DEBUG_EVENT)
                {
                    DllBaseNativeEvent ev = (DllBaseNativeEvent)ne;
                    if (ev.Module.Name.Contains(LOADED_FILE))
                    {
                        patchMemory(ev, (uint)proc.Id);
                        np.ContinueEvent(ne);
                        np.Detach(proc);
                        break;
                    }
                }
                np.ContinueEvent(ne);
            }
        }
예제 #2
0
        public void DebugEventHandler()
        {
            NativePipeline   dbg     = new NativePipeline();
            NativeDbgProcess process = dbg.Attach(_pid);

            _attached = true;

            // Tell the process it is ready to resume
            try
            {
                _process.PyProcess.on_handle_first_bp();
            }
            catch (Exception ex)
            {
                Console.WriteLine(string.Format("ERROR: Python class 'Process' {0} failed when executing 'on_handle_first_bp()':", _process.GetName()));
                Console.WriteLine(ex.ToString());
                // attempt to continue anyways
            }


            // Initialize the printing variables
            DateTime  numEvents_lastPrintTime = DateTime.Now;
            Hashtable numEventsByTarget       = new Hashtable(0x1000);

            _breakpointInfo = new Hashtable(10);
            bool printReport              = false;
            bool processReady             = false;
            bool loaderBreakpointReceived = false;
            bool wx86BreakpointReceived   = false;

            while (_processingEvents)
            {
                if (DateTime.Now.Subtract(numEvents_lastPrintTime).TotalSeconds >= 1)
                {
                    // Print the number of events in the last second
                    if (printReport && numEventsByTarget.Count > 0)
                    {
                        PrintReport(numEventsByTarget);
                    }

                    numEvents_lastPrintTime = DateTime.Now;
                    numEventsByTarget.Clear();
                }

                // Check to see if the process has loaded
                if (!processReady)
                {
                    processReady = HandleProcessReady(wx86BreakpointReceived);
                }

                NativeEvent e = dbg.WaitForDebugEvent(100);

                // Check to see if the process has loaded
                if (!processReady)
                {
                    processReady = HandleProcessReady(wx86BreakpointReceived);
                }

                if (_keepOnExit && dbg.KillOnExit)
                {
                    dbg.KillOnExit = false;
                }

                if (e != null)
                {
                    //Console.WriteLine(e.ToString());
                    e.Process.HandleIfLoaderBreakpoint(e, ref loaderBreakpointReceived);

                    switch (e.EventCode)
                    {
                    case NativeDebugEventCode.EXCEPTION_DEBUG_EVENT:
                        HandleNativeDebugEvent((ExceptionNativeEvent)e, ref numEventsByTarget, ref wx86BreakpointReceived);
                        break;

                    case NativeDebugEventCode.LOAD_DLL_DEBUG_EVENT:
                        // Start of the process, ntdll.dll and kernel32.dll should now be loaded. Trigger a Process.HandleProcessLoaded() event.
                        if (_process.PyProcess.print_debugger_messages)
                        {
                            Console.WriteLine(e.ToString());
                        }

                        //Console.WriteLine(((LoadDllNativeEvent)e).Module.Name );
                        _process.HandleModuleLoaded((LoadDllNativeEvent)e);

                        break;

                    case NativeDebugEventCode.EXIT_PROCESS_DEBUG_EVENT:
                        // Process crashed, send Process.ProcessTerminated() event and finish.
                        if (printReport && numEventsByTarget.Count > 0)
                        {
                            PrintReport(numEventsByTarget);
                        }
                        _process.HandleProcessTerminated();
                        dbg.Dispose();
                        _attached = false;
                        return;

                    default:
                        break;
                    }

                    // Resume event
                    dbg.ContinueEvent(e);
                }
            }

            // Detach
            dbg.KillOnExit = false;
            _attached      = false;
        }