Hooking Python into the Windows API of msvbvm60.dll (rtcMsgBox)
I want to intercept a process's API calls in order to find out when the process calls the msvbvm60.dll API rtcMsgBox. I tried it with this code, but it doesn't seem to work:
    from winappdbg import Debug, EventHandler
    import sys
    import os

    class MyEventHandler( EventHandler ):

        # Add the APIs you want to hook
        apiHooks = {
            'msvbvm60.dll' : [( 'rtcMsgBox' , 7 ),],
            'kernel32.dll' : [( 'CreateFileW' , 7 ),],
        }

        # The pre_ functions are called upon entering the API
        def pre_CreateFileW(self, event, ra, lpFileName, dwDesiredAccess,
                            dwShareMode, lpSecurityAttributes, dwCreationDisposition,
                            dwFlagsAndAttributes, hTemplateFile):
            fname = event.get_process().peek_string(lpFileName, fUnicode=True)
            print "CreateFileW: %s" % (fname)

        # The post_ functions are called upon exiting the API
        def post_CreateFileW(self, event, retval):
            if retval:
                print 'Succeeded (handle value: %x)' % (retval)
            else:
                print 'Failed!'

    if __name__ == "__main__":
        if len(sys.argv) < 2 or not os.path.isfile(sys.argv[1]):
            print sys.argv[1]
            print "\nUsage: %s <File to monitor> [arg1, arg2, ...]\n" % sys.argv[0]
            sys.exit()

        # Instance a Debug object, passing it the MyEventHandler instance
        debug = Debug( MyEventHandler() )
        try:
            # Start a new process for debugging
            p = debug.execv(sys.argv[1:], bFollow=True)
            # Wait for the debugged process to finish
            debug.loop()
        # Stop the debugger
        finally:
            debug.stop()
It works with the CreateFileW API of kernel32.dll, but not with rtcMsgBox of msvbvm60.dll. Why? What am I doing wrong?
EDIT: By the way, I don't know why the code I pasted got split into two pieces of code. The web app can't parse it correctly, but it's just one piece of code.
Thanks. FYI, the whole code section has to be indented by 4 spaces - I just did that for you. The easiest way is to select the entire code block and press Ctrl+K.
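Added example, not the asker's code: winappdbg resolves the callbacks for each apiHooks entry by method name (pre_<proc> and post_<proc>), so an entry that has neither is installed but never reports anything, which is exactly what the posted table does for rtcMsgBox while CreateFileW has both. The handler below adds those callbacks and a small audit that lists such inert entries; the rtcMsgBox parameter count (5) and parameter names are assumptions, and the Windows-only import is guarded so the audit runs anywhere.

```python
import os
import sys

try:
    from winappdbg import Debug, EventHandler   # Windows-only dependency
except ImportError:                              # the audit below still runs anywhere
    Debug, EventHandler = None, object

class QuestionHandler(EventHandler):
    # Hook table as posted in the question: rtcMsgBox has no pre_/post_ callback.
    apiHooks = {'msvbvm60.dll': [('rtcMsgBox', 7)],
                'kernel32.dll': [('CreateFileW', 7)]}

    def pre_CreateFileW(self, event, ra, lpFileName, *rest):
        print("CreateFileW: %s" % event.get_process().peek_string(lpFileName, fUnicode=True))

class MsgBoxHandler(QuestionHandler):
    # Same hooks, plus the callbacks winappdbg resolves by name (pre_<proc>, post_<proc>).
    # Parameter count and names for rtcMsgBox are assumed: prompt, buttons, title, helpfile, context.
    apiHooks = {'msvbvm60.dll': [('rtcMsgBox', 5)],
                'kernel32.dll': [('CreateFileW', 7)]}

    def pre_rtcMsgBox(self, event, ra, prompt, buttons, title, helpfile, context):
        print("rtcMsgBox called from 0x%x, buttons=0x%x" % (ra, buttons))

    def post_rtcMsgBox(self, event, retval):
        print("rtcMsgBox returned %d" % retval)

def inert_hooks(handler_cls):
    """(dll, proc) entries of apiHooks that would be installed but never report."""
    inert = []
    for dll, hooks in handler_cls.apiHooks.items():
        for proc, _param_count in hooks:
            if not any(hasattr(handler_cls, prefix + proc) for prefix in ('pre_', 'post_')):
                inert.append((dll, proc))
    return inert

if __name__ == "__main__":
    if Debug is None or len(sys.argv) < 2 or not os.path.isfile(sys.argv[1]):
        sys.exit("Usage (Windows + winappdbg): %s <exe to monitor> [args...]" % sys.argv[0])
    print("inert hooks in the question's handler: %r" % inert_hooks(QuestionHandler))
    debug = Debug(MsgBoxHandler())
    try:
        debug.execv(sys.argv[1:], bFollow=True)   # start the target under the debugger
        debug.loop()                               # run until it exits
    finally:
        debug.stop()
```

Running inert_hooks against your own handler class before starting the debugger catches this class of silent misconfiguration up front.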