winappdbg NtWriteVirtualMemory handle error

Time: 2014-09-21 17:22:27

Tags: python debugging winapi windbg

I am using winappdbg to set a breakpoint on ntdll!NtWriteVirtualMemory.

My goal is to check whether the remote process's memory protection is PAGE_EXECUTE.

So I successfully set the breakpoint on NtWriteVirtualMemory; the problem is that I get the handle parameter from the function (e.g. 0x20), but when I use it in my script it is invalid.

I tried using winappdbg.win32.VirtualQueryEx (the handle is invalid).

Any ideas?

from winappdbg.win32 import VirtualQueryEx

def action_callback( event ):
    print "ntdll!NtWriteVirtualMemory was called!"
    process = event.get_process()
    thread  = event.get_thread()
    # Get the address of the top of the stack.
    stack   = thread.get_sp()

    # Get the return address of the call.
    retAddress = process.read_pointer( stack )
    print "ret address " + hex(retAddress)
    # x86 stdcall: the five arguments follow the return address, 4 bytes each.
    processHandle = process.read_pointer( stack+4 )
    print "processHandle " + hex(processHandle)
    BaseAddress = process.read_pointer( stack+8 )
    print "BaseAddress " + hex(BaseAddress)
    Buffer = process.read_pointer( stack+12 )
    print "Buffer " + hex(Buffer)
    NumberOfBytesToWrite = process.read_pointer( stack+16 )
    print "NumberOfBytesToWrite " + hex(NumberOfBytesToWrite)
    NumberOfBytesWritten = process.read_pointer( stack+20 )   # fifth argument (was stack+16, a copy of the fourth)
    print "NumberOfBytesWritten " + hex(NumberOfBytesWritten)
    print "====================="
    # VirtualQueryEx returns a MEMORY_BASIC_INFORMATION object, not a string.
    # processHandle is a handle value of the debuggee, which is why this call fails from the script.
    mbi = VirtualQueryEx( processHandle, BaseAddress )
    print "virtualQuery - Protect " + hex(mbi.Protect)

Thanks!

2 answers:

Answer 0 (score: 0)

I'm afraid what you're trying to do can never work - Win32 handles are only valid inside the process that created them, and you're trying to use in your script a handle that was created by the process you're debugging.

What you need to do is try to get the process ID. Process IDs are global, and you can create your own handle for them with OpenProcess(). You'd have to hook every function that can return a process handle, grab their arguments and return values, and then you can map the foreign handle to a process ID.

Another option is to try to resolve the handle into a process ID by calling GetProcessId() inside the target process (doing it from your script will fail for the same reason as above). This is a bit trickier, since code injection sometimes fails, so I'd recommend the hooks instead. But if you want to try it, event.get_process().inject_code() is your friend: http://winappdbg.sourceforge.net/doc/latest/reference/winappdbg.process.Process-class.html#inject_code

Answer 1 (score: 0)

In the end I used DuplicateHandle. It works fine!

import win32api, win32con, win32process
from winappdbg.win32 import VirtualQueryEx

# Runs inside the breakpoint callback, where processHandle and BaseAddress
# were read from the debuggee's stack.
source_pid = event.get_process().get_pid()
print 'source pid =', source_pid
source_phandle = win32api.OpenProcess(win32con.PROCESS_ALL_ACCESS, False, source_pid)
print 'source phandle =', source_phandle
current_phandle = win32process.GetCurrentProcess()
print 'current phandle =', current_phandle
# Duplicate the debuggee's handle into our own process so we can use it.
duplicated_handle = win32api.DuplicateHandle(source_phandle, processHandle, current_phandle,
                        0, False, win32con.DUPLICATE_SAME_ACCESS)
print 'dup h =', duplicated_handle
source_process_name = win32process.GetModuleFileNameEx(source_phandle, 0)
print "source_process_name - ", source_process_name

q = VirtualQueryEx(duplicated_handle.handle, BaseAddress)
print "virtualQuery - is_executable()  " + str(q.is_executable())
target_process_name = win32process.GetModuleFileNameEx(duplicated_handle.handle, 0)
print "target_process_name - ", target_process_name

VirtualQueryEx works fine!

Now the problem is that GetModuleFileNameEx on the duplicated handle returns "The handle is invalid".

How can I display the target process name?

Thanks!
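Tying together the question's stack-frame decoding and answer 1's DuplicateHandle approach, this added example (not code from the original post or from winappdbg) decodes the x86 argument frame, classifies the target region's protection, and in the Windows-only callback requests PROCESS_QUERY_INFORMATION | PROCESS_VM_READ on the duplicate so that VirtualQueryEx, GetProcessId and GetModuleFileNameEx can all use it. The sample stack slice and the stack_reader helper are constructed so the decoder runs offline; the callback assumes winappdbg and pywin32 on 32-bit Windows and that the debugger's account is allowed those rights on the target.

```python
import struct
# Page-protection constants from winnt.h; any of these marks a region executable.
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                   PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
NT_WRITE_VM_ARGS = ("ProcessHandle", "BaseAddress", "Buffer",
                    "NumberOfBytesToWrite", "NumberOfBytesWritten")

def parse_nt_write_vm_frame(read_pointer, sp, ptr_size=4):
    """Decode the x86 stdcall frame at the NtWriteVirtualMemory stub entry:
    [sp] holds the return address and the five arguments follow it."""
    frame = {"ReturnAddress": read_pointer(sp)}
    for i, name in enumerate(NT_WRITE_VM_ARGS):
        frame[name] = read_pointer(sp + ptr_size * (i + 1))
    return frame

def is_executable(protect):
    """True when a MEMORY_BASIC_INFORMATION.Protect value allows execution."""
    return bool(protect & EXECUTABLE_MASK)

def stack_reader(frame_bytes, base):
    """Constructed stand-in for Process.read_pointer over a captured stack slice."""
    return lambda addr: struct.unpack_from("<I", frame_bytes, addr - base)[0]

# Constructed sample frame: sp = 0x0018fe00, handle 0x20, 0x100 bytes to 0x00400000.
SAMPLE_SP = 0x0018fe00
SAMPLE_STACK = struct.pack("<6I", 0x77a0b123, 0x20, 0x00400000,
                           0x0018ff00, 0x100, 0x0018ff80)

def demo():
    return parse_nt_write_vm_frame(stack_reader(SAMPLE_STACK, SAMPLE_SP), SAMPLE_SP)

def action_callback(event):
    """winappdbg breakpoint callback (Windows only; assumes winappdbg and pywin32).
    The debuggee's handle is duplicated with the rights the queries below need
    rather than DUPLICATE_SAME_ACCESS, since a same-access duplicate carries
    only the access the debuggee originally requested."""
    import win32api, win32con, win32process
    from winappdbg.win32 import VirtualQueryEx
    process = event.get_process()
    frame = parse_nt_write_vm_frame(process.read_pointer, event.get_thread().get_sp())
    src = win32api.OpenProcess(win32con.PROCESS_DUP_HANDLE, False, process.get_pid())
    wanted = win32con.PROCESS_QUERY_INFORMATION | win32con.PROCESS_VM_READ
    dup = win32api.DuplicateHandle(src, frame["ProcessHandle"],
                                   win32process.GetCurrentProcess(), wanted, False, 0)
    mbi = VirtualQueryEx(dup.handle, frame["BaseAddress"])
    if is_executable(mbi.Protect):
        print("pid %d writes %d bytes into executable memory at 0x%x of pid %d (%s)" % (
            process.get_pid(), frame["NumberOfBytesToWrite"], frame["BaseAddress"],
            win32process.GetProcessId(dup.handle),
            win32process.GetModuleFileNameEx(dup.handle, 0)))
```

On x64 the first four arguments arrive in registers rather than on the stack, so the frame decoder above applies to the 32-bit case the question describes.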