I'm learning how to write a simple debugger in Python with ctypes on Windows 7. My problem is that the code given below seems to return an invalid address (that's my guess at the problem), but I can't figure out why. I thought maybe the handle it returns is no longer valid by the time my code uses it, or maybe I'm getting a handle unrelated to my script because I'm only supplying "msvcrt.dll" as the module. I've done a lot of tinkering but haven't found a solution.
EDIT: the address comes back as False. I get the following error from the code fragment below:
ERROR 126: The specified module could not be found.
from ctypes import *

kernel32 = windll.kernel32
# Declare the real prototypes so HMODULE/FARPROC values are not truncated to
# 32-bit ints on 64-bit Python; a NULL return then shows up as None.
kernel32.GetModuleHandleA.argtypes = [c_char_p]
kernel32.GetModuleHandleA.restype = c_void_p
kernel32.GetProcAddress.argtypes = [c_void_p, c_char_p]
kernel32.GetProcAddress.restype = c_void_p

# Method of the debugger class in my_debugger.py.
def func_resolve(self, dll, function):
    # GetModuleHandleA only looks at modules already mapped in *this*
    # (the debugger's) process; it never loads anything, so it fails with
    # error 126 when this process has not loaded `dll`.
    handle = kernel32.GetModuleHandleA(dll)
    if not handle:
        print "Handle is FALSE"
        error = GetLastError()
        print "ERROR %d : %s" % (error, FormatError(error))
        return False
    address = kernel32.GetProcAddress(handle, function)
    if not address:
        print "Address is FALSE"
        error = GetLastError()
        print "ERROR %d : %s" % (error, FormatError(error))
        return False
    # No CloseHandle here: an HMODULE is the module's base address, not a
    # kernel object handle, so closing it only produces an error.
    return address
The code above is called from this short test script:
import my_debugger

debugger = my_debugger.debugger()
pid = raw_input("Input PID of process to attach to: ")
debugger.attach(int(pid))
# Resolved in the debugger's own address space, not in the target's.
printf_address = debugger.func_resolve("msvcrt.dll", "printf")
print "[*] Address of printf: 0x%08x" % printf_address
debugger.bp_set(printf_address)
debugger.run()
debugger.detach()
And this is the script whose process I attach to:
from ctypes import *
import time

# cdll.msvcrt is LoadLibrary("msvcrt"), i.e. the system msvcrt.dll, so this
# process has msvcrt!printf mapped whatever CRT Python itself links against.
msvcrt = cdll.msvcrt
counter = 0
while True:
    msvcrt.printf("Loop iteration %d \n", counter)
    time.sleep(2)
    counter += 1
So I run the script above, find its PID in Task Manager, then run my test script and give it the PID. I get the following output every time. The user-defined breakpoint at printf is never reached, and its address is always 0x00000000, which doesn't seem right.
Input PID of process to attach to: 8124
Process PID: 8124
[*] Address of printf: 0x00000000
[*] Setting breakpoint at 0x00000000
[*] Waiting for debug events...
[*] Event Code: 3 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 6 Thread ID: 7664
[*] Event Code: 2 Thread ID: 7124
[*] Event Code: 1 Thread ID: 7124
[*] Exception address: 0x76e00590
[*] Hit the first breakpoint
[*] Event Code: 4 Thread ID: 7124
Can anyone see what I'm doing wrong? I can provide all the code if needed.
Answer 0 (score: 1)
I've also been working through the Gray Hat Python book, and stubbornly converted the my_debugger.py file to support 64-bit debugging. I found a fix for this problem.
Set your func_resolve to:
This should return a valid 64-bit address for the function.
Answer 1 (score: 1)
I have been building a repository on github using the book as a template, but changed to support x64 on Windows 10, https://github.com/stavinski/grayhat_python_redux/tree/master/chapter03. I ran into the same problem mentioned in the other comments, using the wrong DLL, and I fixed it with the following:
from ctypes import cdll
import ctypes.util

# Load the CRT this interpreter was built against rather than "msvcrt" by name.
msvcrt = cdll[ctypes.util.find_msvcrt()]
That should be fine as long as you're sure you want this behaviour every time you resolve MSVCRT.
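Added example, not code from the question, either answer or the Gray Hat Python book. Both the question's func_resolve and Answer 1 resolve the export in the debugger's own process: GetModuleHandleA fails with error 126 when python.exe has not mapped the DLL, and even a successful lookup only matches the debuggee if the DLL sits at the same base there, which Windows ASLR usually but not always arranges. The example below (Python 3, Windows only for the API calls) instead loads the DLL locally with LoadLibraryA, computes the export's RVA, and adds it to the module base found in the target with EnumProcessModulesEx, so the breakpoint address is the target's. Assumed here: the debugger and target are the same bitness, the constants are taken from the Windows SDK, and the helper names (rebase, same_module, crt_name, local_export, remote_module_base, remote_export) are this example's own. crt_name() falls back to the system msvcrt.dll because ctypes.util.find_msvcrt() returns None on UCRT builds of Python (VS 2015 and later).

```python
import ctypes
import ctypes.util
import sys

PROCESS_QUERY_INFORMATION = 0x0400   # OpenProcess rights needed by EnumProcessModulesEx
PROCESS_VM_READ = 0x0010
LIST_MODULES_ALL = 0x03              # enumerate 32- and 64-bit modules of the target


def rebase(local_addr, local_base, remote_base):
    """Same export in another process: its RVA (offset from the module base) is
    identical wherever the same file is mapped, so remote = remote_base + RVA."""
    if local_addr < local_base:
        raise ValueError("0x%x lies below module base 0x%x" % (local_addr, local_base))
    return remote_base + (local_addr - local_base)


def same_module(path, wanted):
    """Case-insensitive match of a module path against a DLL name, .dll optional."""
    have = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    want = wanted.lower()
    if not want.endswith(".dll"):
        want += ".dll"
    return have == want


def crt_name():
    """CRT DLL this interpreter links; find_msvcrt() exists only on Windows and
    returns None on UCRT builds (VS 2015+), so fall back to the system msvcrt.dll."""
    finder = getattr(ctypes.util, "find_msvcrt", None)
    return (finder() if finder else None) or "msvcrt.dll"


def _win_api():
    """kernel32/psapi with prototypes so 64-bit handles are not truncated (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    k32.LoadLibraryA.argtypes, k32.LoadLibraryA.restype = [ctypes.c_char_p], ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    psapi.EnumProcessModulesEx.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_void_p),
                                           ctypes.c_uint32, ctypes.POINTER(ctypes.c_uint32),
                                           ctypes.c_uint32]
    psapi.GetModuleFileNameExA.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                           ctypes.c_char_p, ctypes.c_uint32]
    return k32, psapi


def local_export(dll, function):
    """(base, address) of dll!function in *this* process. LoadLibraryA maps the DLL
    if the debugger has not loaded it yet, where GetModuleHandleA fails with 126."""
    k32, _ = _win_api()
    base = k32.LoadLibraryA(dll.encode())
    if not base:
        raise ctypes.WinError(ctypes.get_last_error())
    addr = k32.GetProcAddress(base, function.encode())
    if not addr:
        raise ctypes.WinError(ctypes.get_last_error())
    return base, addr


def remote_module_base(pid, dll):
    """Base of `dll` in process `pid`, or None if it is not loaded there. Debugger
    and target must be the same bitness for EnumProcessModulesEx to see the list."""
    k32, psapi = _win_api()
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        modules = (ctypes.c_void_p * 1024)()
        needed = ctypes.c_uint32(0)
        if not psapi.EnumProcessModulesEx(h, modules, ctypes.sizeof(modules),
                                          ctypes.byref(needed), LIST_MODULES_ALL):
            raise ctypes.WinError(ctypes.get_last_error())
        count = min(needed.value // ctypes.sizeof(ctypes.c_void_p), len(modules))
        path = ctypes.create_string_buffer(260)  # MAX_PATH
        for base in modules[:count]:
            if (psapi.GetModuleFileNameExA(h, base, path, 260)
                    and same_module(path.value.decode("mbcs", "replace"), dll)):
                return base
        return None
    finally:
        k32.CloseHandle(h)


def remote_export(pid, dll, function):
    """Address of dll!function inside process `pid`, usable for a breakpoint there."""
    local_base, local_addr = local_export(dll, function)
    remote_base = remote_module_base(pid, dll)
    if remote_base is None:
        raise LookupError("%s is not loaded in PID %d" % (dll, pid))
    return rebase(local_addr, local_base, remote_base)


if __name__ == "__main__" and sys.platform == "win32":
    target = int(sys.argv[1])   # PID of the looping printf script
    print("[*] printf in PID %d: 0x%08x" % (target, remote_export(target, crt_name(), "printf")))
```

Run it as `python resolve.py <pid>` from the same bitness of Python as the target. If remote_module_base returns None, the target simply never loaded that DLL (a Python 3 target, for instance, has no msvcrt.dll mapped unless something else pulled it in), which is a far more useful diagnosis than a 0x00000000 breakpoint address.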