Python::ctypes::GetProcAddress() returns

Published 2024-10-01 09:25:18


The following is part of a debugger class. Below is the code that enumerates the modules in the debuggee. First it enumerates the module handles of the process being debugged and loads them into an array. Then I try to get the address of a specific function in a specific module. In this example I am trying to get the address of printf() from msvcr100.dll.


from ctypes import *
from ctypes.wintypes import MAX_PATH

kernel32 = windll.kernel32
psapi = windll.psapi

# Method of the debugger class; self.h_process is the handle of the debuggee
def enumerate_module(self,pid):

    lphModule = (c_void_p * 1024)()
    lpcbNeeded = c_ulong(0)

    if psapi.EnumProcessModules(self.h_process,lphModule,sizeof(c_void_p)*1024, byref(lpcbNeeded)):
        print "[*] EnumProcessModules: %d modules detected" % int(lpcbNeeded.value / sizeof(c_void_p))
        for i in range(int(lpcbNeeded.value / sizeof(c_void_p))):
            FileName = ""
            ReadBuffer = create_string_buffer(MAX_PATH)
            psapi.GetModuleFileNameExA(self.h_process,lphModule[i],ReadBuffer,MAX_PATH)
            FileName += ReadBuffer.value
            print "[*] %d - 0x%08x - %s" % (i,lphModule[i],FileName)
        # lphModule[3] is the base address of a module mapped in the debuggee,
        # passed here to GetProcAddress in the debugger's own process
        address = kernel32.GetProcAddress(lphModule[3],"printf")
        if address == False:
            error = GetLastError()
            print "[*] GetProcAddress() ERROR: %d - %s" % (error, FormatError(error))
        print "[**] Getting printf() address is: 0x%08x" % address
        return True
    else:
        error = GetLastError()
        print "[*] GetModuleHandleA: %d - %s" % (error, FormatError(error))
        return False

For some strange reason I can't get it to work. GetProcAddress() returns:

ERROR: 126 - The specified module could not be found.

Any ideas???

PS. This might clarify my question a little. Script output:

Enter the PID of the process to attach to: 2476
Opening process: 2476
[*] DebugActiveProcess: 0 - The operation completed successfully.
[*] EnumProcessModules: 4 modules detected
[*] 0 - 0x00400000 - printf.exe
[*] 1 - 0x7c900000 - ntdll.dll
[*] 2 - 0x7c800000 - kernel32.dll
[*] 3 - 0x78aa0000 - MSVCR100.dll
[*] GetProcAddress() ERROR: 126 - The specified module could not be found.
[**] Getting printf() address is: 0x00000000
[*] Finished debugging. Exitng...

As you can see, msvcr100.dll is loaded at 0x78aa0000. As far as I know, printf() should be in its address space and I should be able to find its address. Also, I loaded printf.exe in OllyDbg and it shows the same thing you see in my script output, and I can see printf() in the export list of msvcr100.dll.


2 answers

I believe this means it cannot find that particular DLL on your system. Here is a simple function that will return the address of printf:

from ctypes import *

kernel32 = windll.kernel32
# HMODULE and FARPROC are pointer-sized; the ctypes default (c_int) truncates them on 64-bit Python
kernel32.GetModuleHandleA.restype = c_void_p
kernel32.GetProcAddress.restype = c_void_p
kernel32.GetProcAddress.argtypes = [c_void_p, c_char_p]

def resolve_function(dll, func):
    # Module handle of a DLL already loaded in the calling process (ANSI API, so pass bytes)
    handle = kernel32.GetModuleHandleA(dll)
    address = kernel32.GetProcAddress(handle, func)
    # An HMODULE is not a kernel object handle, so there is nothing to CloseHandle
    return address

address = resolve_function(b'msvcrt.dll', b'printf')

print(address)

I'm still learning this stuff, and I'm not quite sure what the difference between msvcrt.dll and {} is. But I believe you need to link against msvcrt.dll, and Microsoft does some magic to find msvcrXX.dll. See this page for more information: http://msdn.microsoft.com/en-us/library/abx4dbyh

GetProcAddress gets the address of a function in a DLL loaded into the process, not one in another process. You should look at the Debug Help Library.

Per your request, my references on GetProcAddress:

GetProcAddress

hModule [in]
A handle to the DLL module that contains the function or variable. The LoadLibrary, LoadLibraryEx, or GetModuleHandle function returns this handle.

LoadLibrary

Loads the specified module into the address space of the calling process....

LoadLibraryEx

Loads the specified module into the address space of the calling process....

GetModuleHandle

Retrieves a module handle for the specified module. The module must have been loaded by the calling process.
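The point made in this answer, carried into working code as an added example (not code from the question or either answer): GetProcAddress only accepts HMODULEs of the calling process, so the debugger loads the same DLL locally, computes the export's offset from the module base, and adds that offset to the base reported by EnumProcessModules for the debuggee. It assumes the debugger and debuggee have the same bitness and map the same copy of the DLL, and that `modules` is the (base, path) list the questioner's enumeration loop collects; the module list below is constructed from the question's output with assumed paths.

```python
import ctypes
import sys

# Constructed sample of what EnumProcessModules + GetModuleFileNameExA return
# for the debuggee (bases from the question's output, paths assumed).
DEBUGGEE_MODULES = [
    (0x00400000, r"C:\work\printf.exe"),
    (0x7C900000, r"C:\WINDOWS\system32\ntdll.dll"),
    (0x7C800000, r"C:\WINDOWS\system32\kernel32.dll"),
    (0x78AA0000, r"C:\WINDOWS\system32\MSVCR100.dll"),
]

def find_module_base(modules, dll_name):
    """Look the module up by file name instead of a hard-coded index."""
    for base, path in modules:
        if path.rsplit("\\", 1)[-1].lower() == dll_name.lower():
            return base
    raise LookupError("%s is not loaded in the debuggee" % dll_name)

def export_rva(local_base, local_func_addr):
    """Offset of a (non-forwarded) export from its module base; the same in
    every process that maps the same DLL file, which makes relocation valid."""
    if local_func_addr < local_base:
        raise ValueError("function address below module base")
    return local_func_addr - local_base

def relocate(local_base, local_func_addr, remote_base):
    return remote_base + export_rva(local_base, local_func_addr)

if sys.platform == "win32":
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.LoadLibraryA.restype = ctypes.c_void_p          # pointer-sized results
    k32.LoadLibraryA.argtypes = [ctypes.c_char_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]

    def resolve_in_debuggee(modules, dll_name, func_name):
        """GetProcAddress is only valid for HMODULEs of *this* process, so
        resolve locally, take the RVA, and add the debuggee's module base."""
        remote_base = find_module_base(modules, dll_name)
        local_base = k32.LoadLibraryA(dll_name.encode())
        if not local_base:
            raise ctypes.WinError(ctypes.get_last_error())
        local_addr = k32.GetProcAddress(local_base, func_name.encode())
        if not local_addr:
            raise ctypes.WinError(ctypes.get_last_error())
        return relocate(local_base, local_addr, remote_base)
```

On the questioner's system this would be called as `resolve_in_debuggee(DEBUGGEE_MODULES, "MSVCR100.dll", "printf")`; error 126 no longer occurs because the handle passed to GetProcAddress now belongs to the debugger's own process.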
