Friday, December 22, 2006

Pydbg in VMWare

Before I get started, let me just express my unbound love for Python and pydbg. In case you don't already know about this little gem, pydbg allows you to debug Windows programs from Python. No more fiddling with Olly plugins or API tracers. So... I've been playing with pydbg on a Windows XP build and everything's hunky-dory. Naturally, like all other software, at some point it needs to run inside VMware. I have a little script I use just to make sure pydbg is installed correctly and working. The script attaches to a running instance of notepad and sets a breakpoint on CreateFileW. Whenever a file is opened, the script displays the name of the file.
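For readers who want the same sanity check, here is an added example of such a script (written for this page, not the author's own script). It assumes pydbg is installed on a Windows box, that notepad.exe is already running, and that pydbg's get_arg(1) returns the first stack argument of the hooked function; the UTF-16 decoding helper is plain Python so it can be exercised on any platform.

```python
"""Attach pydbg to a running notepad.exe, break on kernel32!CreateFileW and
print each path it is asked to open.  Added example; requires Windows + pydbg."""
try:
    from pydbg import pydbg
    from pydbg.defines import DBG_CONTINUE
except ImportError:            # allows the pure helpers below to be imported anywhere
    pydbg = None
    DBG_CONTINUE = 0

MAX_PATH_BYTES = 2 * 260       # MAX_PATH wide characters: enough for one lpFileName read


def decode_lpcwstr(raw):
    """Turn a raw read of a NUL-terminated UTF-16LE string into a Python str.
    Stops at the first wide NUL and tolerates an odd trailing byte."""
    if len(raw) % 2:
        raw = raw[:-1]
    units = []
    for i in range(0, len(raw), 2):
        unit = raw[i:i + 2]
        if unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le", errors="replace")


def find_pid(dbg, image_name="notepad.exe"):
    """Return the pid of the first process whose image name matches, else None."""
    for pid, name in dbg.enumerate_processes():
        if name.lower() == image_name:
            return pid
    return None


def on_create_file(dbg):
    """Breakpoint handler: CreateFileW's first argument is lpFileName (LPCWSTR)."""
    name_ptr = dbg.get_arg(1)                      # assumption: index 1 = first argument
    raw = dbg.read_process_memory(name_ptr, MAX_PATH_BYTES)
    print("CreateFileW(%r)" % decode_lpcwstr(raw))
    return DBG_CONTINUE                            # let notepad carry on


def main():
    if pydbg is None:
        raise SystemExit("pydbg is not installed (it only works on Windows)")
    dbg = pydbg()
    pid = find_pid(dbg)
    if pid is None:
        raise SystemExit("start notepad.exe first")
    dbg.attach(pid)
    addr = dbg.func_resolve("kernel32.dll", "CreateFileW")
    dbg.bp_set(addr, description="CreateFileW", handler=on_create_file)
    dbg.debug_event_loop()                         # blocks until notepad exits


if __name__ == "__main__":
    main()
```

Open a file from notepad's File menu and the path should show up in the console; a read of 520 bytes past a short string is harmless here because only the part before the first wide NUL is decoded.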

When I'm in VMware, I get the error shown below:

Traceback (most recent call last):
File "test_pydbg.py", line 68, in ?
dbg.debug_event_loop()
File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 332, in debug_event_loop
self.debug_event_iteration()
File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 264, in debug_event_iteration
continue_status = self.event_handler_load_dll()
File "C:\Python24\Lib\site-packages\pydbg\pydbg.py", line 953, in event_handler_load_dll
core_ret = pydbg_core.event_handler_load_dll(self)
File "C:\Python24\Lib\site-packages\pydbg\pydbg_core.py", line 554, in event_handler_load_dll
dll = system_dll(self.dbg.u.LoadDll.hFile, self.dbg.u.LoadDll.lpBaseOfDll)
File "C:\Python24\Lib\site-packages\pydbg\system_dll.py", line 87, in __init__
self.path = "\\" + filename.value.split("\\", 3)[3]
IndexError: list index out of range


After briefly poking around in the source, I found a workaround. The problem seems to be related to the manner in which pydbg queries for the name of a DLL. Under VMware, the name returned is sometimes the empty string, which sends pydbg into a tizzy. I made the problem "go away" by modifying "\Python24\Lib\site-packages\pydbg\system_dll.py". Modify line 87 to look like:

try:
    self.path = "\\" + filename.value.split("\\", 3)[3]
except IndexError:
    # under VMware the name comes back empty, so split() yields fewer than
    # four parts; keep whatever was returned instead of crashing
    self.path = filename.value
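To see exactly why that line blows up, here is an added example (not pydbg's code) that reproduces the path derivation pydbg does in system_dll.py and handles the empty-name case; the device-style names below are constructed samples.

```python
"""Reproduce pydbg's system_dll path derivation and make it tolerant of the
empty DLL name seen under VMware.  Added example; sample names are constructed."""


def dll_path(device_name):
    """pydbg does  "\\" + value.split("\\", 3)[3]  on names such as
    \\Device\\HarddiskVolume1\\WINDOWS\\system32\\ntdll.dll, which yields the
    drive-relative path \\WINDOWS\\system32\\ntdll.dll.  With an empty or short
    name the split produces fewer than four parts and [3] raises IndexError.
    Return pydbg's result for well-formed names, otherwise a labelled fallback."""
    parts = device_name.split("\\", 3)
    if len(parts) == 4 and parts[0] == "":
        return "\\" + parts[3]
    return device_name or "<unknown>"


SAMPLE_NAMES = [
    "\\Device\\HarddiskVolume1\\WINDOWS\\system32\\ntdll.dll",  # normal case
    "",                                                          # what VMware hands back
    "\\Device\\HarddiskVolume1",                                 # too few components
]


def describe_all(names=SAMPLE_NAMES):
    """Map each raw name to the path the debugger will record for it."""
    return dict((name, dll_path(name)) for name in names)


if __name__ == "__main__":
    for raw, path in describe_all().items():
        print("%-60r -> %r" % (raw, path))
```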


This should leave you with a working pydbg. Leave a comment if it doesn't or if you know of another work around.
