PyDbgEng is a python compact wrapper from PyDbgEng for microsoft debug engine.

• The automated monitoring module specially developed for Fuzzing
• Using dbgeng.dll and dbghelp.dll of the house
• Supports !Exploitable plug-ins MSEC.dll which is v1.6.0

• Required
  • Python >= 3.0
  • psutil
  • comtypes
  • Visual C++ Redistributable 2012

Download psutil from https://pypi.python.org/pypi/psutil and setup.

Download comtypes from https://github.com/enthought/comtypes and setup.

Download Visual C++ Redistributable 2012 from https://www.microsoft.com/en-us/download/details.aspx?id=30679 and setup.

Download PyDbgEng3 from https://github.com/walkerfuz/PyDbgEng3 adn setup.

from PyDbgEng3 import Debugger
proc_args = b"C:/Program Files/Internet Explorer/iexplore.exe"
crashInfo = Debugger.Run(proc_args, minorHash=True, mode="M"/"S", trace=None)
print(crashInfo['bucket'])
print(crashInfo['description'])

If set minorHash is True, you will get crashInfo['bucket']like this:

PROBABLY_NOT_EXPLOITABLE_ReadAVNearNull_0x76da4b51_0x429cabbb

and if set minorHash is False, you will get crashInfo['bucket']like this:

PROBABLY_NOT_EXPLOITABLE_ReadAVNearNull_0x76da4b51

When target process is multiprocess like chrome and IEx64, you should set mode to 'M' which is equal to Multiprocess, and when target process is singleprocess like firefox, you should set mode to 'S' whick is equal to Singleprocess.

You can set trace to one folder to save crash info which name like this:

PROBABLY_NOT_EXPLOITABLE_ReadAVNearNull_0x76da4b51.crash

crashInfo['description which is in crash file like this:

|.
.  1	id: d58	child	name: iexplore.exe
r
rax=000061bee3327a7a rbx=0000000000000000 rcx=0000000005c99dc0
rdx=0000000005c99db0 rsi=000000000b05ed08 rdi=0000000005c99dc0
rip=000007feee0f07dd rsp=0000000005c99ca0 rbp=0000000005c99d10
 r8=0000000000000000  r9=0000000000000000 r10=00000000002b7730
r11=0000000005c99bc8 r12=0000000000000000 r13=0000000000467a20
r14=0000000000000000 r15=0000000004312b20
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!CreateCoreWebView+0x7074d:
000007fe`ee0f07dd 4439b39c000000  cmp     dword ptr [rbx+9Ch],r14d ds:00000000`0000009c=????????
INSTRUCTION_ADDRESS:0x000007fabd1c96e1
INVOKING_STACK_FRAME:0
DESCRIPTION:Read Access Violation near NULL
SHORT_DESCRIPTION:ReadAVNearNull
CLASSIFICATION:PROBABLY_NOT_EXPLOITABLE
BUG_TITLE:Read Access Violation near NULL starting at MSHTML!DllCanUnloadNow+0x01 
Hash=0x76da4b51.0x429cabbb
EXPLANATION:This is a user mode read access violation near null, and is probably not exploitable.

• v0.0.3
  • fix bugs when process is singleprocess or multiprocess.
• v0.0.2
  • fix bugs when comtypes.gen isn't exist.
  • add Visual C++ Redistributable 2012 setup to install steps.
• v0.0.1
  • change pydbgeng for python 3.x.

If you have any bug or suggestions, please e-mail contact walkerfuz#outlook.com.