winappdbg
Example 14 in the tutorial no longer works
Hi,
"Example #14: watching a buffer" from http://winappdbg.readthedocs.io/en/latest/Debugging.html doesn't work as expected. Entry/Leave callbacks are correctly called when "ReadFile" is called, however, the read buffer is not watched (the access callback is never called).
I modified the script to print the return value of watch_buffer. It always returns None:
C:\winappdbg> python 14_watch_buffer.py notepad.exe
[... open a file in notepad...]
ReadFile:
Handle a14
Expected bytes: 1024
ReadFile:
Status: SUCCESS
Read bytes: 1024
watch_buffer returned 'None'
My setup:
C:\winappdbg> ver
Microsoft Windows [Version 10.0.14393]
C:\winappdbg> python
Python 2.7.13 (v2.7.13:a06454b1afa1, Dec 17 2016, 20:53:40) [MSC v.1500 64 bit (AMD64)] on win32
C:\winappdbg> pip show winappdbg
Name: winappdbg
Version: 1.6
Summary: Windows application debugging engine
Home-page: http://winappdbg.readthedocs.io/en/latest/
Author: Mario Vilas
Author-email: [email protected]
License: UNKNOWN
Location: c:\python27\lib\site-packages
Requires:
Hi, any info about this? Thanks for your help
Hi,
The watch_buffer method does not have a return value - it will always return None, that's normal.
As for the reason why the access callback is never called, I'll try reproducing the problem on my side and get back to you.
Thanks for the very detailed bug report! I appreciate that :)
PS: sorry for the late reply, I seem to be always busy lately :(
Thanks for your answer,
The watch_buffer method does not have a return value - it will always return None, that's normal.
Ok, but this page says it should return a "Buffer Watch Identifier": http://winappdbg.sourceforge.net/doc/v1.5/reference/winappdbg.breakpoint._BreakpointContainer-class.html#watch_buffer
Oops, that should not be there. The buffer watch identifier thing was meant to be internally used only. I'll fix the docs...
It was never actually returned by that method, as you can see in the sources: http://winappdbg.sourceforge.net/doc/v1.5/reference/winappdbg.breakpoint-pysrc.html#_BreakpointContainer.watch_buffer