GetModuleHandleA在附加到另一个进程时无法获取python.exe未使用的模块
目前我正在使用Grey Hat Python book。它描述了如何在python中创建调试器。到目前为止,我的调试器能够启动进程并附加到它。当我试图从进程中检索模块句柄时,就会出现问题。根据OllyDbg,DLL存在于程序中,但GetModuleHandleA在附加到另一个进程时无法获取python.exe未使用的模块,python,code-injection,ctypes,kernel32,Python,Code Injection,Ctypes,Kernel32,目前我正在使用Grey Hat Python book。它描述了如何在python中创建调试器。到目前为止,我的调试器能够启动进程并附加到它。当我试图从进程中检索模块句柄时,就会出现问题。根据OllyDbg,DLL存在于程序中,但GetModuleHandleA无法获得句柄。我对书中的一段代码做了一点改进,以便在GetModuleHandleA无法检索句柄的情况下,该函数将尝试创建一个远程线程,并强制将该模块加载到进程中。但即便如此,它GetModuleHandleA还是失败了(其他一切都正常工
GetModuleHandleAGetModuleHandleAGetModuleHandleAdef func_resolve(self,dll,function):
handle = kernel32.GetModuleHandleA(dll)
print "%s module handle is at 0x%08x" % (dll, handle)
error = kernel32.GetLastError()
if error:
print "There was an error in func_resolve::GetModuleHandleA(%s): %d" % (dll, error)
print "Loading library into the process"
pLibRemote = kernel32.VirtualAllocEx(self.h_process, 0, len(dll), 0x00001000, 0x04)
print "Allocated %d bytes of memory at 0x%08x" % (len(dll), pLibRemote)
written = c_int(0)
kernel32.WriteProcessMemory(self.h_process, pLibRemote, dll, len(dll), byref(written))
print "Written %d bytes" % written.value
handle = kernel32.GetModuleHandleA("kernel32.dll")
print "Kernel module handle is 0x%08x" % handle
address = kernel32.GetProcAddress(handle, "LoadLibraryA")
print "LoadLibraryA address is 0x%08x" % address
thread_id = c_ulong(0)
kernel32.CreateRemoteThread(self.h_process, None, 0, address, pLibRemote, 0, byref(thread_id))
print "Created thread %d" % thread_id.value
handle = kernel32.GetModuleHandleA(dll)
address = kernel32.GetProcAddress(handle, function)
kernel32.CloseHandle(handle)
return address
[*] We have successfully launched the process!
[*] The Process ID I have is: 10380
Proces handle is 228
opengl32.dll module handle is at 0x00000000
There was an error in func_resolve::GetModuleHandleA(opengl32.dll): 126
Loading library into the process
Allocated 12 bytes of memory at 0x002c0000
Written 12 bytes
Kernel module handle is 0x772c0000
LoadLibraryA address is 0x772d498f
Created thread 11136
[*] Address of func: 0x00000000
[*] Setting breakpoint at: 0x00000000
def my_func_resolve(self, dll, function):
module32 = MODULEENTRY32()
CreateToolhelp32Snapshot = kernel32.CreateToolhelp32Snapshot
CreateToolhelp32Snapshot.restype = HANDLE
CreateToolhelp32Snapshot.argtypes = [DWORD, DWORD]
Module32First = kernel32.Module32First
Module32First.restype = BOOL
Module32First.argtypes = [HANDLE, POINTER(MODULEENTRY32)]
Module32Next = kernel32.Module32Next
Module32Next.restype = BOOL
Module32Next.argtypes = [HANDLE, POINTER(MODULEENTRY32)]
thandle = 24
while thandle == 24:
thandle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, self.pid)
if thandle == 0 or thandle == 0xFFFFFFFF:
print "Failed to create a snapshot. Error: %d" % kernel32.GetLastError()
exit()
if not Module32First(thandle, byref(module32)):
print "Module32First failed. Error: %d" % kernel32.GetLastError()
kernel32.CloseHandle(thandle)
exit()
while module32:
print "DLL %s is loaded at 0x%08x" % (module32.szModule, module32.modBaseAddr)
Module32Next(thandle, byref(module32))
kernel32.CloseHandle(thandle)
return True
[*] We have successfully launched the process!
[*] The Process ID I have is: 9584
Proces handle is 228
Failed create snapshot. Error: 299
TH32CS\u SNAPMODULE0x000000080x00000010if kernel32.CreateProcessA(path_to_exe,
None,
None,
None,
None,
creation_flags,
None,
None,
byref(startupinfo),
byref(process_information)):
print "[*] We have successfully launched the process!"
print "[*] The Process ID I have is: %d" % \
process_information.dwProcessId
self.pid = process_information.dwProcessId
self.h_process = self.open_process(process_information.dwProcessId)
print "Proces handle is %d" % self.h_process
根据上的文档,错误代码126是
error\u MOD\u NOT\u FOUNDGetModuleHandleAGetModuleHandleAGetModuleHandleWAWGetModuleHandleEnumProcessModulesExGetModuleBaseNameCreateToolhelp32SnapshotModule32FirstModule32NextLoadLibraryExdon\u RESOLVE\u DLL\u引用HMODULEGetProcAddressfreebrary请注意,
HMODULErestypeargtypesintimport os
import ctypes
from ctypes import wintypes
kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
wintypes.LPBOOL = ctypes.POINTER(wintypes.BOOL)
ERROR_NO_MORE_FILES = 0x0012
ERROR_BAD_LENGTH = 0x0018
ERROR_MOD_NOT_FOUND = 0x007E
INVALID_HANDLE_VALUE = wintypes.HANDLE(-1).value
DONT_RESOLVE_DLL_REFERENCES = 0x00000001
MAX_PATH = 260
MAX_MODULE_NAME32 = 255
TH32CS_SNAPMODULE = 0x00000008
class MODULEENTRY32W(ctypes.Structure):
_fields_ = (('dwSize', wintypes.DWORD),
('th32ModuleID', wintypes.DWORD),
('th32ProcessID', wintypes.DWORD),
('GlblcntUsage', wintypes.DWORD),
('ProccntUsage', wintypes.DWORD),
('modBaseAddr', wintypes.LPVOID),
('modBaseSize', wintypes.DWORD),
('hModule', wintypes.HMODULE),
('szModule', wintypes.WCHAR * (MAX_MODULE_NAME32 + 1)),
('szExePath', wintypes.WCHAR * MAX_PATH))
def __init__(self, *args, **kwds):
super(MODULEENTRY32W, self).__init__(*args, **kwds)
self.dwSize = ctypes.sizeof(self)
LPMODULEENTRY32W = ctypes.POINTER(MODULEENTRY32W)
def errcheck_bool(result, func, args):
if not result:
raise ctypes.WinError(ctypes.get_last_error())
return args
def errcheck_ihv(result, func, args):
if result == INVALID_HANDLE_VALUE:
raise ctypes.WinError(ctypes.get_last_error())
return args
kernel32.LoadLibraryExW.errcheck = errcheck_bool
kernel32.LoadLibraryExW.restype = wintypes.HMODULE
kernel32.LoadLibraryExW.argtypes = (wintypes.LPCWSTR,
wintypes.HANDLE,
wintypes.DWORD)
kernel32.FreeLibrary.errcheck = errcheck_bool
kernel32.FreeLibrary.argtypes = (wintypes.HMODULE,)
kernel32.GetProcAddress.errcheck = errcheck_bool
kernel32.GetProcAddress.restype = wintypes.LPVOID
kernel32.GetProcAddress.argtypes = (wintypes.HMODULE,
wintypes.LPCSTR)
kernel32.CloseHandle.errcheck = errcheck_bool
kernel32.CloseHandle.argtypes = (wintypes.HANDLE,)
kernel32.CreateToolhelp32Snapshot.errcheck = errcheck_ihv
kernel32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
kernel32.CreateToolhelp32Snapshot.argtypes = (wintypes.DWORD,
wintypes.DWORD)
kernel32.Module32FirstW.errcheck = errcheck_bool
kernel32.Module32FirstW.argtypes = (wintypes.HANDLE,
LPMODULEENTRY32W)
kernel32.Module32NextW.errcheck = errcheck_bool
kernel32.Module32NextW.argtypes = (wintypes.HANDLE,
LPMODULEENTRY32W)
def GetRemoteProcAddress(pid, filename, procname):
procname = procname.encode('utf-8')
hLocal = kernel32.LoadLibraryExW(filename, None,
DONT_RESOLVE_DLL_REFERENCES)
try:
procaddr = kernel32.GetProcAddress(hLocal, procname)
finally:
kernel32.FreeLibrary(hLocal)
modname = os.path.basename(filename)
hRemote = GetRemoteModuleHandle(pid, modname)
return hRemote - hLocal + procaddr
def GetRemoteModuleHandle(pid, modname):
modname = modname.upper()
if '.' not in modname:
modname += '.DLL'
while True:
try:
hProcessSnap = kernel32.CreateToolhelp32Snapshot(
TH32CS_SNAPMODULE, pid)
break
except OSError as e:
if e.winerror != ERROR_BAD_LENGTH:
raise
try:
modentry = MODULEENTRY32W()
kernel32.Module32FirstW(hProcessSnap,
ctypes.byref(modentry))
while True:
if modentry.szModule.upper() == modname:
return modentry.hModule
try:
kernel32.Module32NextW(hProcessSnap,
ctypes.byref(modentry))
except OSError as e:
if e.winerror == ERROR_NO_MORE_FILES:
break
raise
raise ctypes.WinError(ERROR_MOD_NOT_FOUND)
finally:
kernel32.CloseHandle(hProcessSnap)
LoadLibraryExW错误\u部分\u复制所有提到的案例都与我无关,但可能会帮助其他人解决同样的问题,所以我提出了它。我已经看到过有类似问题的帖子,并验证了Unicode和dll路径不是我的原因。我从系统路径中尝试了几个不同的dll,也是我自己的dll,用于链接可执行二进制测试文件,结果总是一样的-GetModuleHandleA失败。我也使用Python2.7,所以ANSI标准适合我。上一篇文章似乎与Python 3 Unicode问题有关。
GetModuleHandleEnumProcessModulesExGetModuleBaseNameCreateToolhelp32SnapshotModule32FirstModule32NextHMODULErestypeargtypesintLoadLibraryEx不解析DLL\u引用将DLL加载到当前进程中,并在调用GetProcAddress
时使用此HMODULE
。然后根据目标进程中的DLLHMODULE
(基址)调整函数地址
if __name__ == '__main__':
import sys
import subprocess
if len(sys.argv) > 1:
# child process
import time
hEvent = int(sys.argv[1])
kernel32.SetEvent(hEvent)
time.sleep(120)
sys.exit(0)
wintypes.SIZE_T = ctypes.c_size_t
kernel32.ReadProcessMemory.argtypes = (wintypes.HANDLE,
wintypes.LPVOID,
wintypes.LPVOID,
wintypes.SIZE_T,
ctypes.POINTER(wintypes.SIZE_T))
class SECURITY_ATTRIBUTES(ctypes.Structure):
_fields_ = (('nLength', wintypes.DWORD),
('lpSecurityDescriptor', wintypes.LPVOID),
('bInheritHandle', wintypes.BOOL))
def __init__(self, *args, **kwds):
super(SECURITY_ATTRIBUTES, self).__init__(*args, **kwds)
self.nLength = ctypes.sizeof(self)
WAIT_OBJECT_0 = 0
CREATE_NO_WINDOW = 0x08000000
sa = SECURITY_ATTRIBUTES(bInheritHandle=True)
hEvent = kernel32.CreateEventW(ctypes.byref(sa), 0, 0, None)
script = os.path.abspath(__file__)
p = subprocess.Popen([sys.executable, script, str(hEvent)],
close_fds=False,
creationflags=CREATE_NO_WINDOW)
try:
result = kernel32.WaitForSingleObject(hEvent, 60 * 1000)
if result != WAIT_OBJECT_0:
sys.exit('wait failed')
# kernel32 should load at the same address in a given session.
hModule = GetRemoteModuleHandle(p.pid, 'kernel32')
assert hModule == kernel32._handle
remote_addr = GetRemoteProcAddress(p.pid,
'kernel32',
'LoadLibraryExW')
local_addr = ctypes.c_void_p.from_buffer(
kernel32.LoadLibraryExW).value
assert remote_addr == local_addr
remote_bytes = (ctypes.c_char * 1000)()
read = wintypes.SIZE_T()
kernel32.ReadProcessMemory(int(p._handle),
remote_addr,
remote_bytes, 1000,
ctypes.byref(read))
local_bytes = ctypes.string_at(kernel32.LoadLibraryExW, 1000)
assert remote_bytes[:] == local_bytes
finally:
p.terminate()