Reimplemented strings() fixing #47 plus made all the other tools use exit codes consistently.

Author: MarioVilas

winappdbg/process.py

@@ -54,7 +54,15 @@
 from .win32.version import _machine_to_arch_map
 from .disasm import Disassembler
 from .module import _ModuleContainer
-from .search import HexPattern, IStringPattern, Pattern, Search, StringPattern
+from .search import (
+    AsciiStringsPattern,
+    HexPattern,
+    IStringPattern,
+    Pattern,
+    Search,
+    StringPattern,
+    UnicodeStringsPattern,
+)
 from .textio import HexDump, HexInput
 from .thread import Thread, _ThreadContainer
 from .util import MemoryAddresses, PathOperations, Regenerator
@@ -1358,6 +1366,96 @@ def search_hexa(self, hexa, minAddr=None, maxAddr=None):
         pattern = HexPattern(hexa)
         return Search.search_process(self, [pattern], minAddr, maxAddr)
 
+    def strings(
+        self, minLength=4, encoding="both", minAddr=None, maxAddr=None, bufferPages=None
+    ):
+        """
+        Extract printable strings from the process memory.
+
+        This method extracts readable strings from the process memory, similar to
+        the Unix ``strings`` command. It can extract both ASCII and Unicode strings.
+
+        :param int minLength: Minimum length of strings to extract, in characters.
+            Defaults to 4.
+        :param str encoding: Type of strings to extract. Valid values are:
+
+            - ``"ascii"`` - Extract only ASCII strings (8-bit)
+            - ``"unicode"`` - Extract only Unicode strings (UTF-16LE, 16-bit)
+            - ``"both"`` - Extract both ASCII and Unicode strings (default)
+
+        :param int minAddr: Optional. Start the search at this memory address.
+        :param int maxAddr: Optional. Stop the search at this memory address.
+        :param int bufferPages: Optional. Number of memory pages to buffer when
+            performing the search. See :meth:`~.search.Search.search_process` for
+            details on this parameter.
+        :rtype: iterator[tuple[int, str]]
+        :return: An iterator of tuples. Each tuple contains the following:
+
+            - The memory address where the string was found.
+            - The string that was extracted (decoded as a Python str).
+
+        :raises ValueError: If an invalid encoding parameter is provided.
+        :raises WindowsError: An error occurred when querying or reading the
+            process memory.
+
+        Example::
+
+            from winappdbg import Process
+
+            # Open a process
+            process = Process(1234)
+
+            # Extract all strings from the process memory
+            for address, string in process.strings():
+                print(f"0x{address:08x}: {string}")
+
+            # Extract only ASCII strings of at least 8 characters
+            for address, string in process.strings(minLength=8, encoding="ascii"):
+                print(f"0x{address:08x}: {string}")
+
+        .. note::
+
+            This method uses :class:`~.search.AsciiStringsPattern` and
+            :class:`~.search.UnicodeStringsPattern` to extract strings.
+            Only printable ASCII characters (0x20-0x7E) are considered.
+        """
+        # Validate encoding parameter
+        encoding = encoding.lower()
+        if encoding not in ("ascii", "unicode", "both"):
+            raise ValueError(
+                f"Invalid encoding: {encoding!r}. "
+                "Valid values are: 'ascii', 'unicode', 'both'"
+            )
+
+        # Build list of patterns based on encoding
+        patterns = []
+        if encoding in ("ascii", "both"):
+            patterns.append(AsciiStringsPattern(minLength))
+        if encoding in ("unicode", "both"):
+            patterns.append(UnicodeStringsPattern(minLength))
+
+        # Search for strings in process memory
+        for address, data in Search.search_process(
+            self, patterns, minAddr, maxAddr, bufferPages, overlapping=False
+        ):
+            # Decode the extracted bytes
+            try:
+                # Try to detect if this is ASCII or Unicode
+                if b"\x00" in data and len(data) >= 2:
+                    # Likely Unicode (UTF-16LE) - has null bytes
+                    # Remove trailing null bytes if present
+                    if data[-1] == 0:
+                        data = data[:-1]
+                    decoded = data.decode("utf-16-le")
+                else:
+                    # ASCII string
+                    decoded = data.decode("latin-1")
+                yield (address, decoded)
+            except (UnicodeDecodeError, UnicodeError):
+                # If decoding fails, skip this string
+                # This shouldn't happen with our patterns, but be defensive
+                continue
+
     # ------------------------------------------------------------------------------
 
     def __read_c_type(self, address, format, c_type):

winappdbg/search.py

@@ -39,6 +39,8 @@
     "StringPattern",
     "IStringPattern",
     "HexPattern",
+    "AsciiStringsPattern",
+    "UnicodeStringsPattern",
     "MemoryAccessWarning",
 ]
 
@@ -267,6 +269,106 @@ def next_match(self):
         return -1
 
 
+# ------------------------------------------------------------------------------
+
+
+class AsciiStringsPattern(Pattern):
+    """
+    Pattern matching for extracting ASCII strings from binary data.
+
+    This pattern extracts printable ASCII strings similar to the Unix
+    ``strings`` command. Only characters in the range 0x20-0x7E (space to
+    tilde) are considered printable.
+    """
+
+    def __init__(self, minLength=4):
+        """
+        Class constructor.
+
+        :type  minLength: int
+        :param minLength: Minimum length of strings to extract.
+            Defaults to 4 characters.
+        """
+        # Pattern to match sequences of printable ASCII characters
+        # Printable ASCII: space (0x20) to tilde (0x7E)
+        pattern = rb"[\x20-\x7E]{%d,}" % minLength
+        super().__init__(pattern)
+        self.minLength = minLength
+        self.compiled = re.compile(pattern)
+        self.match = None
+
+    def __len__(self):
+        """
+        Return the length of the last match.
+        """
+        if self.match is not None:
+            return len(self.match.group(0))
+        return self.minLength
+
+    def next_match(self):
+        """
+        Find the next ASCII string in the data buffer.
+
+        :rtype:  int
+        :return: Position in the buffer where the string was found,
+            or -1 if not found.
+        """
+        self.match = self.compiled.search(self.data, self.pos)
+        if self.match is not None:
+            return self.match.start()
+        return -1
+
+
+# ------------------------------------------------------------------------------
+
+
+class UnicodeStringsPattern(Pattern):
+    """
+    Pattern matching for extracting Unicode (UTF-16LE) strings from binary data.
+
+    This pattern extracts printable Unicode strings encoded as UTF-16LE
+    (little-endian), which is the standard Unicode encoding on Windows.
+    """
+
+    def __init__(self, minLength=4):
+        """
+        Class constructor.
+
+        :type  minLength: int
+        :param minLength: Minimum length of strings to extract (in characters).
+            Defaults to 4 characters.
+        """
+        # Pattern to match sequences of printable ASCII characters as UTF-16LE
+        # Each character is represented as: char byte followed by null byte
+        # Printable ASCII range: 0x20-0x7E
+        pattern = rb"(?:[\x20-\x7E]\x00){%d,}" % minLength
+        super().__init__(pattern)
+        self.minLength = minLength * 2  # Each Unicode char is 2 bytes
+        self.compiled = re.compile(pattern)
+        self.match = None
+
+    def __len__(self):
+        """
+        Return the length of the last match.
+        """
+        if self.match is not None:
+            return len(self.match.group(0))
+        return self.minLength
+
+    def next_match(self):
+        """
+        Find the next Unicode string in the data buffer.
+
+        :rtype:  int
+        :return: Position in the buffer where the string was found,
+            or -1 if not found.
+        """
+        self.match = self.compiled.search(self.data, self.pos)
+        if self.match is not None:
+            return self.match.start()
+        return -1
+
+
 # ==============================================================================
 
 

winappdbg/tools/SelectMyParent.py

@@ -55,7 +55,7 @@ def main():
     if len(argv) < 3:
         script = os.path.basename(argv[0])
         print("  %s <pid> <process.exe> [arguments]" % script)
-        return
+        return 1
 
     # Request debug privileges.
     system = System()
@@ -72,18 +72,18 @@ def main():
             system.scan_processes_fast()
             if not system.has_process(dwParentProcessId):
                 print("Can't find process ID %d" % dwParentProcessId)
-                return
+                return 1
     else:
         system.scan_processes()
         process_list = system.find_processes_by_filename(argv[1])
         if not process_list:
             print("Can't find process %r" % argv[1])
-            return
+            return 1
         if len(process_list) > 1:
             print("Too many processes found:")
             for process, name in process_list:
                 print("\t%d:\t%s" % (process.get_pid(), name))
-            return
+            return 1
         dwParentProcessId = process_list[0][0].get_pid()
 
     # Parse the target process argument.
@@ -93,7 +93,7 @@ def main():
             filename = win32.SearchPath(None, filename, ".exe")[0]
         except WindowsError as e:
             print("Error searching for %s: %s" % (filename, str(e)))
-            return
+            return 1
         argv = list(argv)
         argv[2] = filename
 
@@ -111,13 +111,16 @@ def main():
             print("This tool requires Windows Vista or above.")
         else:
             print("Error starting new process: %s" % str(e))
-        return
+        return 1
     except WindowsError as e:
         print("Error starting new process: %s" % str(e))
-        return
+        return 1
     print("Process created: %d" % dwProcessId)
-    return dwProcessId
+    return 0
 
 
 if __name__ == "__main__":
-    main()
+    try:
+        sys.exit(main())
+    except KeyboardInterrupt:
+        sys.exit(130)

winappdbg/tools/crash_logger.py

@@ -1013,9 +1013,11 @@ def run_from_cmdline(self, args):
 
         # Catch errors and show them on screen
         except Exception as e:
-            print("Runtime error: %s" % str(e))
+            print("Runtime error: %s" % str(e), file=sys.stderr)
             traceback.print_exc()
-            return
+            return 1
+
+        return 0
 
     def install_as_jit(self, config):
         # Not yet compatible with Cygwin.
@@ -1234,7 +1236,8 @@ def main():
         return cl.run_from_cmdline(sys.argv)
     except KeyboardInterrupt:
         print("Interrupted by the user!")
+        return 130
 
 
 if __name__ == "__main__":
-    main()
+    sys.exit(main())

winappdbg/tools/crash_report.py

@@ -157,6 +157,11 @@ def main():
         cc = open_database(filename)
         print_report_for_database(cc, options)
 
+    return 0
+
 
 if __name__ == "__main__":
-    main()
+    try:
+        sys.exit(main())
+    except KeyboardInterrupt:
+        sys.exit(130)

winappdbg/tools/hexdump.py

@@ -44,23 +44,30 @@ def main():
 
         script = os.path.basename(argv[0])
         print("  %s <filename>" % script)
-        return
-    with open(argv[1], "rb") as fd:
-        fd.seek(0, 2)
-        size = fd.tell()
-        fd.seek(0, 0)
-        if size.bit_length() > 32:
-            width = 8
-        else:
-            width = 16
-        address = 0
-        while True:
-            data = fd.read(16)
-            if not data:
-                break
-            print(HexDump.hexblock(data, address=address, width=width))
-            address = address + len(data)
+        return 1
+    try:
+        with open(argv[1], "rb") as fd:
+            fd.seek(0, 2)
+            size = fd.tell()
+            fd.seek(0, 0)
+            if size.bit_length() > 32:
+                width = 8
+            else:
+                width = 16
+            address = 0
+            while True:
+                data = fd.read(16)
+                if not data:
+                    break
+                print(HexDump.hexblock(data, address=address, width=width))
+                address = address + len(data)
+        return 0
+    except KeyboardInterrupt:
+        return 130
+    except Exception as e:
+        print("Error: %s" % e, file=sys.stderr)
+        return 1
 
 
 if __name__ == "__main__":
-    main()
+    sys.exit(main())

winappdbg/tools/pdebug.py

@@ -68,6 +68,7 @@ def run(self, argv):
             self.loop()
         finally:
             self.finalize()
+        return 0
 
     # Initialize the debugger.
     def initialize(self):
@@ -300,4 +301,7 @@ def main():
 
 
 if __name__ == "__main__":
-    main()
+    try:
+        sys.exit(main())
+    except KeyboardInterrupt:
+        sys.exit(130)