Added symbol sample + SymbolDebugger

Author: hakril

samples/debug/symbol_debugger.py

@@ -0,0 +1,36 @@
+import argparse
+import os
+
+import windows
+import windows.debug
+import windows.test
+
+
+parser = argparse.ArgumentParser(prog=__file__, formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+parser.add_argument('--dbghelp', help='The path of DBG help to use (default use env:PFW_DBGHELP_PATH)')
+args = parser.parse_args()
+print(args)
+
+if args.dbghelp:
+    symbols.set_dbghelp_path(args.dbghelp)
+else:
+    if "PFW_DBGHELP_PATH" not in os.environ:
+        print("Not dbghelp path given and no environ var 'PFW_DBGHELP_PATH' sample may fail")
+
+
+class MyInfoBP(windows.debug.Breakpoint):
+    COUNT = 0
+    def trigger(self, dbg, exc):
+        cursym = dbg.current_resolver[exc.ExceptionRecord.ExceptionAddress]
+        print("Breakpoint triggered at: {0}".format(cursym))
+        print(repr(cursym))
+        MyInfoBP.COUNT += 1
+        if MyInfoBP.COUNT == 4:
+            print("Quitting")
+            dbg.current_process.exit()
+        print("")
+
+dbg = windows.debug.SymbolDebugger.debug(r"c:\windows\system32\notepad.exe")
+dbg.add_bp(MyInfoBP("kernelbase!CreateFileInternal+2"))
+dbg.add_bp(MyInfoBP("ntdll!LdrpInitializeProcess"))
+dbg.loop()

samples/debug/symbols/processsymdemo.py

@@ -0,0 +1,50 @@
+import os
+import argparse
+
+import windows
+import windows.test
+import windows.generated_def as gdef
+from windows.debug import symbols
+
+
+parser = argparse.ArgumentParser(prog=__file__, formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+parser.add_argument('--dbghelp', help='The path of DBG help to use (default use env:PFW_DBGHELP_PATH)')
+args = parser.parse_args()
+print(args)
+
+if args.dbghelp:
+    symbols.set_dbghelp_path(args.dbghelp)
+else:
+    if "PFW_DBGHELP_PATH" not in os.environ:
+        print("Not dbghelp path given and no environ var 'PFW_DBGHELP_PATH' sample may fail")
+
+
+if windows.current_process.bitness == 32:
+    target = windows.test.pop_proc_32()
+else:
+    target = windows.test.pop_proc_64()
+
+print("Target is {0}".format(target))
+sh = symbols.ProcessSymbolHandler(target)
+import time;time.sleep(0.1) # Just wait for the process initialisation
+sh.refresh() # Refresh symbol list (Only meaningful for ProcessSymbolHandler)
+
+print("Some loaded modules are:".format())
+for sm in sh.modules[:3]:
+    print(" * {0}".format(sm))
+
+createserv = sh["advapi32!CreateServiceEx"]
+
+print("")
+TEST_FUNCTION = "advapi32!CreateServiceEx"
+print("Resolving function <{0}>".format(TEST_FUNCTION))
+createserv = sh[TEST_FUNCTION]
+print("Symbol found !")
+print("  * __repr__: {0!r}".format(createserv))
+print("  * __str__: {0}".format(createserv))
+print("  * addr: {0:#x}".format(createserv.addr))
+print("  * name: {0}".format(createserv.name))
+print("  * fullname: {0}".format(createserv.fullname))
+print("  * module: {0}".format(createserv.module))
+
+target.exit()

samples/debug/symbols/symsearch.py

@@ -0,0 +1,28 @@
+import argparse
+import os
+
+import windows
+import windows.debug.symbols as symbols
+
+
+parser = argparse.ArgumentParser(prog=__file__, formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+parser.add_argument('pattern')
+parser.add_argument('file', help="The PE file to load")
+parser.add_argument('--addr', type=lambda x: int(x, 0), default=0, help="The load address of the PE")
+parser.add_argument('--tag', type=lambda x: int(x, 0), default=0)
+parser.add_argument('--dbghelp', help='The path of DBG help to use (default use env:PFW_DBGHELP_PATH)')
+
+args = parser.parse_args()
+if args.dbghelp:
+    symbols.set_dbghelp_path(args.dbghelp)
+else:
+    if "PFW_DBGHELP_PATH" not in os.environ:
+        print("Not dbghelp path given and no environ var 'PFW_DBGHELP_PATH' sample may fail")
+
+
+sh = symbols.VirtualSymbolHandler()
+mod = sh.load_file(path=args.file, addr=args.addr)
+res = sh.search(args.pattern, mod=mod, tag=args.tag)
+print("{0} symbols found:".format(len(res)))
+for sym in res:
+    print(" * {0!r}".format(sym))

samples/debug/symbols/virtsymdemo.py

@@ -0,0 +1,59 @@
+import os
+import windows
+import windows.generated_def as gdef
+from windows.debug import symbols
+import argparse
+
+
+parser = argparse.ArgumentParser(prog=__file__, formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+parser.add_argument('--dbghelp', help='The path of DBG help to use (default use env:PFW_DBGHELP_PATH)')
+args = parser.parse_args()
+print(args)
+
+if args.dbghelp:
+    symbols.set_dbghelp_path(args.dbghelp)
+else:
+    if "PFW_DBGHELP_PATH" not in os.environ:
+        print("Not dbghelp path given and no environ var 'PFW_DBGHELP_PATH' sample may fail")
+
+
+symbols.engine.options = 0 # Disable defered load
+sh = symbols.VirtualSymbolHandler()
+
+ntmod = sh.load_file(r"c:\windows\system32\ntdll.dll", addr=0x420000)
+
+print("Ntdll module is: {0}".format(ntmod))
+print("  * name = {0}".format(ntmod.name))
+print("  * addr = {0:#x}".format(ntmod.addr))
+print("  * path = {0:}".format(ntmod.path))
+print("  * type = {0:}".format(ntmod.type))
+print("  * pdb = {0:}".format(ntmod.pdb))
+
+print("")
+TEST_FUNCTION = "LdrLoadDll"
+print("Resolving function <{0}>".format(TEST_FUNCTION))
+loaddll = sh["ntdll!" + TEST_FUNCTION]
+print("Symbol found !")
+print("  * __repr__: {0!r}".format(loaddll))
+print("  * __str__: {0}".format(loaddll))
+print("  * addr: {0:#x}".format(loaddll.addr))
+print("  * name: {0}".format(loaddll.name))
+print("  * fullname: {0}".format(loaddll.fullname))
+print("  * module: {0}".format(loaddll.module))
+
+print("")
+print("Loading kernelbase")
+kbasemod = sh.load_file(r"c:\windows\system32\kernelbase.dll", addr=0x1230000)
+print("Loaded modules are: {0}".format(sh.modules))
+LOOKUP_ADDR = 0x1231242
+print("Looking up address: {0:#x}".format(LOOKUP_ADDR))
+lookupsym = sh[LOOKUP_ADDR]
+print("Symbol resolved !")
+print("  * __repr__: {0!r}".format(lookupsym))
+print("  * __str__: {0}".format(lookupsym))
+print("  * start: {0:#x}".format(lookupsym.start))
+print("  * addr: {0:#x}".format(lookupsym.addr))
+print("  * displacement: {0:#x}".format(lookupsym.displacement))
+print("  * name: {0}".format(lookupsym.name))
+print("  * fullname: {0}".format(lookupsym.fullname))
+print("  * module: {0}".format(lookupsym.module))

windows/debug/debugger.py

@@ -771,6 +771,7 @@ def _handle_create_process(self, debug_event):
         self.breakpoints[self.current_process.pid] = {}
         self._memory_save[self.current_process.pid] = {}
         self._module_by_process[self.current_process.pid] = {}
+        self._internal_on_create_process(create_process) # Allow hook for symbol-debugger
         self._update_debugger_state(debug_event)
         self._add_exe_to_module_list(create_process)
         self._setup_pending_breakpoints_new_process(self.current_process)
@@ -836,6 +837,9 @@ def _handle_exit_thread(self, debug_event):
         del self._breakpoint_to_reput[self.current_thread.tid]
         return retvalue
 
+    def _internal_on_create_process(self, create_process):
+        return None
+
     def _internal_on_load_dll(self, load_dll):
         return None
 

windows/debug/symboldbg.py

@@ -0,0 +1,48 @@
+import windows
+import windows.generated_def as gdef
+from windows.pycompat import int_types
+
+from . import Debugger
+from . import symbols
+
+class SymbolDebugger(Debugger):
+    """A debugger using the symbol API (hence PDB) for name resolution.
+    To use PDB, a correct version of dbghelp should be configured as well as ``_NT_SYMBOL_PATH``.
+    (See :ref:`debug_symbols_module`)
+
+    This debugger add a ``current_resolver`` variable (A :class:`~windows.debug.symbols.ProcessSymbolHandler`) for the ``current_process``.
+    """
+    def __init__(self, *args, **kwargs):
+        super(SymbolDebugger, self).__init__(*args, **kwargs)
+        self._resolvers = {}
+
+    def _internal_on_load_dll(self, load_dll):
+        path = self._get_loaded_dll(load_dll)
+        # Path is used instead of name for naming the module (and can be set to whatever if using file handle)
+        x = self.current_resolver.load_module(load_dll.hFile, path=path, addr=load_dll.lpBaseOfDll)
+
+    def _internal_on_create_process(self, create_process):
+        # Create and setup a symbol resolver for the new process
+        resolver = symbols.ProcessSymbolHandler(self.current_process)
+        self._resolvers[self.current_process.pid] = resolver
+        self.current_resolver = resolver
+
+    def _update_debugger_state(self, debug_event):
+        super(SymbolDebugger, self)._update_debugger_state(debug_event)
+        self.current_resolver = self._resolvers[debug_event.dwProcessId]
+
+    def _resolve(self, addr, target):
+        if isinstance(addr, int_types):
+            return addr
+        if "+" in addr:
+            symbol, deplacement = addr.split("+", 1)
+            deplacement = int(deplacement, 0)
+        else:
+            symbol = addr
+            deplacement = 0
+        try:
+            return self.current_resolver[symbol].addr + deplacement
+        except WindowsError as e:
+            if not e.winerror in (gdef.ERROR_NOT_FOUND, gdef.ERROR_MOD_NOT_FOUND):
+                raise
+            return None