
Hello everybody,
I was working on a Python script to trace the behavior of Internet Explorer while it loads an HTML page stored on my HD.
I tried different approaches, but got no results with any of them.
For example, here are two of the approaches:
1. Execute and Attach.
- Use WinExec to run IE, then enumerate processes (dbg.enumerate_processes), attach to the process and start setting BPs. It works quite well. The problem is that the page gets loaded too fast and I cannot debug all the functions that I need to look at.
2. Load IE and start placing BPs.
The problem in this case is that I place a BP on the entry point, and once I am there I add a BP on CreateFileA.
It works 5 times (I am able to see 5 CreateFileA accesses), and after that the program crashes.
I get exception 0x80000003 (EXCEPTION_BREAKPOINT) at address CreateFileA.
I check with Olly what is at that address and I find:
7C801A28 > CC INT3
7C801A29 FF55 8B CALL DWORD PTR SS:[EBP-75]
7C801A2C EC IN AL,DX ; I/O command
7C801A2D FF75 08 PUSH DWORD PTR SS:[EBP+8]
That looks very weird; the BP there should be handled by pydbg. Do you guys know why?
Below is the output of my script:
BP EP: 0x402bc5
EP add CreateFileA BP
[+] BP on CreateFileA
[+] BP on CreateFileA
[+] BP on CreateFileA
[+] BP on CreateFileA
[+] BP on CreateFileA
-> IE CRASHES HERE
Just to give you more info, I pasted my code below (I use WinXP SP3 32-bit):
from pydbg import *
from pydbg.defines import *
import pefile
import struct

proc = 'C:\\Program Files\\Internet Explorer\\iexplore.exe'
procEP = None   # entry point of iexplore.exe, computed from the PE header below

def breakpoint_handler(dbg):
    # Called for every EXCEPTION_BREAKPOINT; pydbg rewinds Eip onto the
    # breakpoint address before handing control to this callback.
    if dbg.context.Eip == dbg.func_resolve('kernel32', 'CreateFileA'):
        try:
            print '[+] BP on CreateFileA'
        except:
            pass
    elif dbg.context.Eip == procEP:
        # First stop at the entry point: only now set the BP on CreateFileA.
        print 'EP add CreateFileA BP'
        try:
            dbg.bp_set(dbg.func_resolve('kernel32', 'CreateFileA'))
        except:
            print "Error BP CreateFileA"
    return DBG_CONTINUE

if __name__ == '__main__':
    try:
        progpe = pefile.PE(proc)
        procEP = progpe.OPTIONAL_HEADER.AddressOfEntryPoint + progpe.OPTIONAL_HEADER.ImageBase
        debug = pydbg()
        debug.load(proc)                 # start iexplore.exe under the debugger
        debug.bp_set(procEP)             # break once at the entry point
        debug.set_callback(EXCEPTION_BREAKPOINT, breakpoint_handler)
        print "BP EP: 0x%x" % procEP
        debug.run()
    except:
        pass
Any ideas on how to solve this problem?
PS: If I execute IE and then attach to it, I am able to set breakpoints correctly and everything works fine; but working this way I cannot trace my web page stored on my HD.
Ideas?
Thanks in advance.
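Added example, not part of the original post and not pydbg's own code: a small model of the INT3 software-breakpoint mechanics behind what the post shows, namely the 0xCC byte replacing the first byte of CreateFileA's prologue (so Olly disassembles FF55 8B as a CALL), the debugger restoring that byte and rewinding EIP by one before the callback, re-arming after the single step, and a breakpoint exception being passed back to the process when the debugger has no record of that address. The memory image is constructed from the Olly listing; the original first byte 0x8B (mov edi,edi, the standard hotpatch prologue) is an assumption.

```python
INT3 = 0xCC
DBG_CONTINUE = "DBG_CONTINUE"
DBG_EXCEPTION_NOT_HANDLED = "DBG_EXCEPTION_NOT_HANDLED"


class SoftBreakpointModel:
    """Simplified model of a debugger's INT3 bookkeeping (not pydbg's code)."""

    def __init__(self, base, image):
        self.base = base
        self.mem = bytearray(image)   # constructed stand-in for process memory
        self.breakpoints = {}         # address -> original byte we overwrote
        self.pending_rearm = None     # address to re-insert INT3 at after single step

    def _read(self, addr):
        return self.mem[addr - self.base]

    def _write(self, addr, value):
        self.mem[addr - self.base] = value

    def bp_set(self, addr):
        # Save the original byte and patch in INT3; setting twice is a no-op.
        if addr not in self.breakpoints:
            self.breakpoints[addr] = self._read(addr)
            self._write(addr, INT3)

    def on_breakpoint_exception(self, eip_after_trap):
        # The CPU reports EIP one byte past the INT3 that fired.
        addr = eip_after_trap - 1
        if addr not in self.breakpoints:
            # Not ours: the exception goes back to the debuggee, which is
            # the "EXCEPTION_BREAKPOINT at CreateFileA" crash seen in the post.
            return DBG_EXCEPTION_NOT_HANDLED, eip_after_trap
        self._write(addr, self.breakpoints[addr])   # restore the original byte
        self.pending_rearm = addr                    # re-arm after one single step
        return DBG_CONTINUE, addr                    # rewind EIP onto the instruction

    def on_single_step(self):
        # After executing the original instruction, put the INT3 back.
        if self.pending_rearm is not None and self.pending_rearm in self.breakpoints:
            self._write(self.pending_rearm, INT3)
        self.pending_rearm = None

    def bytes_at(self, addr, n):
        return bytes(self.mem[addr - self.base:addr - self.base + n])


# Constructed image of CreateFileA's prologue: 8B FF 55 8B EC FF 75 08
CREATEFILEA = 0x7C801A28
PROLOGUE = b"\x8b\xff\x55\x8b\xec\xff\x75\x08"
```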