for CTF windows pwn and IAT/EAT hook
- support python2 and python3
- support windbg/windbgx/x64dbg/mingw-gdb
- pip/pip3 install winpwn
- optional:
- for debug, copy file .winpwn to windows HOMEDIR, then configure it.
- pip install pefile
- pip install keystone
- pip install capstone
1. process
+ process("./pwn")
+ process(["./pwn","argv[1]","argv[2]"])
+ p.readm(addr,n) # read process memory
+ p.writem(addr,con="") # write process memory
2. remote
+ remote("127.0.0.1", 65535)
3. context
+ context.timeout=512
+ context.debugger="gdb" # or "windbg" or "x64dbg"
+ context.endian="little"
+ context.log_level="" # or "debug"
+ context.terminal=[ ]
+ context.newline="\r\n"
+ context.arch="i386" # or "amd64"
+ content.pie=None
+ context.dbginit=None # used to set debugger init script
+ context.windbg=None # set debugger path, or use .winpwn to find debugger path
+ context.windbgx=None
+ content.gdb=None
+ context.x64dbg=None
+ context.nocolor=None # if set, will print non-colorful output to terminal
4. dbg: windbgx, windbg, gdb, x64dbg
+ windbgx.attach(p,script="bp 0x401000")
+ windbg.attach(p,script="bp 0x401000")
+ gdb.attach(p, script="b *0x401000")
+ x64dbg.attach(p) #can not parse script file yet
5. disable PIE:
+ PIE(exe_fpath="")
+ NOPIE(exe_fpath="")
6. asm/disasm:
+ asm("push ebp")
+ disasm("\x55")
7. winfile(fpath="./main.exe"):
+ winfile.symbols["CreateProcessA"] # return symbol's IAT/EAT offset of CreateProcessA by image base
8. wincs(ip,port)
+ wincs(ip=None,port=512): run a server to asm/disasm in remote machine for client where does not install keystone/capstone
+ wincs(ip='123.123.123.123',512): create a client to connet to server
+ wincs.asm(asmcode='push ebp')
+ wincs.disasm(machinecpde='\x55')
if you want to use debugger like gdb-peda, you need to deal with the deps yourself
because lacks some commandline options, so just can use x64dbg attach to process and can not deliver init script yet