winappdbg debug + api hooking + cpu percent

Time: 2017-04-15 14:37:35

Tags: python

I'm using WinAppDbg to debug, creating an event handler that hooks the CreateFile function in the processes I attach the debugger to. I can't use the `loop` function because then the debugger is unstoppable, so I use the other functions. After detaching and seeing how many CreateFile calls occurred, I try to get the CPU percent of the processes, and they automatically go to 0. I think it's because of the debugger, but I'm not sure why.

import operator
import time

import psutil
from winappdbg import Debug

# the asker's own helper modules
import cpu_mem4, file4, hooking4, hooking_count, process_control5, registry4, whitelist5

pid_being_suspected = -1  # read in the elif branch below before it is first assigned

while True:
    hooked = []

    eventhandelerobject = hooking4.EventReciever()
    debugger = Debug(eventhandelerobject, False)  # bKillOnExit=False


    """hooking"""
    for procid in psutil.pids():
        if not whitelist5.inlist(procid):
            print procid
            try:
                debugger.attach(procid)
                hooked.append(procid)
                print "Initialized!"+str(procid)

                errorfile.write("Initialized!"+str(procid))

            except Exception as ex:
                print ex
                errorfile.write(str(ex)+str(procid))
    run_time = 60

    start = time.clock()

    time_passed = 10
    print "start"
    while time.clock()-start < run_time:
        #############################
        # every 10 seconds, attach to processes that appeared since the last pass
        if time.clock()-start > time_passed:
            for procid in psutil.pids():
                if not whitelist5.inlist(procid) and procid not in hooked:
                    try:
                        debugger.attach(procid)
                        hooked.append(procid)
                        print "Initialized!"+str(procid)
                    except Exception:
                        continue
                ######################################

            time_passed += 10

        try:
            #debugger.next()
            # wait() raises on timeout (1000 ms); the debuggee stays frozen from the
            # moment wait() returns an event until cont() hands control back to it
            event = debugger.wait(1000)
            debugger.dispatch(event)
            debugger.cont(event)
        except Exception:  # a bare except here would also swallow KeyboardInterrupt
            continue
    print "stop"



    print "part2"
    # no wait()/cont() calls happen from here until debugger.stop(), so any attached
    # process that hits a hook now stays suspended, waiting for the debugger

    over_cpu_mem_id = cpu_mem4.dangerous_cpu_and_mem(0,0)
    counter = hooking_count.Count.counterdict
    print "counter:"
    print counter
    # descending, so sorted_counter[0] really is the PID with the most CreateFile calls
    sorted_counter = sorted(counter.items(), key=operator.itemgetter(1), reverse=True)
    if over_cpu_mem_id >= 1:
        if registry4.manage() and not whitelist5.inlist(over_cpu_mem_id):
            print "cpu+registry , not in whitelist"
            pid_being_suspected = over_cpu_mem_id
            if file4.mannge(filesnumber, timeinseconds):
                print "files are changing..."


                if len(sorted_counter) > 0:
                    most_createfiles = sorted_counter[0][1]
                    pid = sorted_counter[0][0]
                    #############################
                    exe = psutil.Process(pid).exe()
                    print exe
                    cpuexe = psutil.Process(over_cpu_mem_id).exe()
                    print cpuexe
                    ######################

                    if most_createfiles >= 100 and pid == over_cpu_mem_id:
                        process_control5.process_dealing(pid)
        elif pid_being_suspected > 0 and len(sorted_counter) > 0:
            most_createfiles = sorted_counter[0][1]
            pid = sorted_counter[0][0]
            if most_createfiles >= 100 and pid == pid_being_suspected:
                process_control5.process_dealing(pid)
            pid_being_suspected = -1



    print "no danger"


    hooking_count.Count.reset_dict()


    time.sleep(10)
    debugger.stop()

1 answer:

Answer 0: (score: 0)

I'm not really sure, since I've never tried to get the CPU usage of a debugged process, but I suspect it's because the debugged process is paused when you try to measure it. Normally, when your debugger gets control, the debugged process is frozen, so you'll always see 0% usage.

If that's the case, the solution is rather complicated. You'd have to write two scripts (or a single script, but run it twice). One debugs the targets, collecting all the process IDs and the files being opened. The other measures CPU usage in parallel.