<p>The main problem is that WOW64 is actually a 32-bit context, not a 64-bit one. You need to implement a 64-bit structure, something like:</p>
<pre><code>from ctypes import Structure, c_ulonglong
from ctypes.wintypes import DWORD, WORD

DWORD64 = c_ulonglong  # DWORD64 is just an unsigned 64-bit integer

# M128A, XMM_SAVE_AREA32, DUMMYSTRUCTNAME and DUMMYUNIONNAME are left out
# here; see the links below and the _CONTEXT struct in WinNT.h for them.

class CONTEXT64(Structure):
    # WinNT.h declares _CONTEXT with DECLSPEC_ALIGN(16). Note that ctypes'
    # _pack_ only caps field alignment, so the buffer you hand to
    # GetThreadContext must still be allocated 16-byte aligned yourself.
    _pack_ = 16
    _fields_ = [
        ("P1Home", DWORD64),
        ("P2Home", DWORD64),
        ("P3Home", DWORD64),
        ("P4Home", DWORD64),
        ("P5Home", DWORD64),
        ("P6Home", DWORD64),
        ("ContextFlags", DWORD),
        ("MxCsr", DWORD),
        ("SegCs", WORD),
        ("SegDs", WORD),
        ("SegEs", WORD),
        ("SegFs", WORD),
        ("SegGs", WORD),
        ("SegSs", WORD),
        ("EFlags", DWORD),
        ("Dr0", DWORD64),
        ("Dr1", DWORD64),
        ("Dr2", DWORD64),
        ("Dr3", DWORD64),
        ("Dr6", DWORD64),
        ("Dr7", DWORD64),
        ("Rax", DWORD64),
        ("Rcx", DWORD64),
        ("Rdx", DWORD64),
        ("Rbx", DWORD64),
        ("Rsp", DWORD64),
        ("Rbp", DWORD64),
        ("Rsi", DWORD64),
        ("Rdi", DWORD64),
        ("R8", DWORD64),
        ("R9", DWORD64),
        ("R10", DWORD64),
        ("R11", DWORD64),
        ("R12", DWORD64),
        ("R13", DWORD64),
        ("R14", DWORD64),
        ("R15", DWORD64),
        ("Rip", DWORD64),
        # floating point state: union of FltSave (XMM_SAVE_AREA32) and Xmm0..Xmm15
        ("DUMMYUNIONNAME", DUMMYUNIONNAME),
        ("VectorRegister", M128A * 26),
        ("VectorControl", DWORD64),
        # in WinNT.h the debug control fields follow the vector registers
        ("DebugControl", DWORD64),
        ("LastBranchToRip", DWORD64),
        ("LastBranchFromRip", DWORD64),
        ("LastExceptionToRip", DWORD64),
        ("LastExceptionFromRip", DWORD64),
    ]
</code></pre>
<p>Note: this definition lives in WinNT.h, which, if you have VC++ installed, will be in the /include directory of the installation.</p>
<p>Once you have built this structure, you can use it in place of the CONTEXT/WOW64 context you built. You will also have to change the registers to RAX and so on.</p>
<p>(Note: there are 4 other things you still need to implement in Python ctypes: DWORD64, M128A, DUMMYUNIONNAME, DUMMYSTRUCTNAME and XMM_SAVE_AREA32. I left them out for brevity, but you can find their definitions at the following locations to build them yourself:</p>
<p>DWORD64: just a ulonglong</p>
<p>DUMMYUNIONNAME, DUMMYSTRUCTNAME: in WinNT.h, in the _CONTEXT struct</p>
<p>M128A:<a href="http://winappdbg.sourceforge.net/doc/v1.3/winappdbg.win32.defines.M128A-class.html" rel="nofollow">http://winappdbg.sourceforge.net/doc/v1.3/winappdbg.win32.defines.M128A-class.html</a></p>
<p>XMM_SAVE_AREA32: <a href="http://winappdbg.sourceforge.net/doc/v1.3/winappdbg.win32.context_amd64.XMM_SAVE_AREA32-class.html" rel="nofollow">http://winappdbg.sourceforge.net/doc/v1.3/winappdbg.win32.context_amd64.XMM_SAVE_AREA32-class.html</a></p>
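<p>As an added example, not code from the answer above or from WinAppDbg, here is the full AMD64 CONTEXT layout written out in ctypes, including the M128A, XMM_SAVE_AREA32 and union pieces the answer left out, together with a layout self-check and a 16-byte-aligned allocation helper. The scalar typedefs are spelled out by hand so the module also imports on a non-Windows host, which is what lets the layout check run anywhere; the only assumed names are the helper functions (<code>context_layout</code>, <code>aligned_context</code>, <code>is_aligned</code>, <code>read_thread_context</code>), which are this example's own. The sizes and offsets asserted are the ones WinNT.h produces for x64 (a 1232-byte CONTEXT with the floating-point union at offset 256).</p>

```python
import sys
from ctypes import (Structure, Union, sizeof, addressof, byref,
                    create_string_buffer, c_uint8, c_uint16, c_uint32,
                    c_uint64, c_int64, c_void_p)

# Win32 scalar typedefs spelled out so this also imports on non-Windows hosts.
BYTE, WORD, DWORD = c_uint8, c_uint16, c_uint32
DWORD64, LONGLONG, ULONGLONG = c_uint64, c_int64, c_uint64

# ContextFlags values for the AMD64 CONTEXT (from WinNT.h).
CONTEXT_AMD64 = 0x00100000
CONTEXT_CONTROL = CONTEXT_AMD64 | 0x01
CONTEXT_INTEGER = CONTEXT_AMD64 | 0x02
CONTEXT_SEGMENTS = CONTEXT_AMD64 | 0x04
CONTEXT_FLOATING_POINT = CONTEXT_AMD64 | 0x08
CONTEXT_DEBUG_REGISTERS = CONTEXT_AMD64 | 0x10
CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_FLOATING_POINT


class M128A(Structure):
    """One 128-bit SSE register as two 64-bit halves (16 bytes)."""
    _fields_ = [("Low", ULONGLONG), ("High", LONGLONG)]


class XMM_SAVE_AREA32(Structure):
    """Legacy FXSAVE area, the 64-bit flavour of XSAVE_FORMAT (512 bytes)."""
    _fields_ = [
        ("ControlWord", WORD), ("StatusWord", WORD),
        ("TagWord", BYTE), ("Reserved1", BYTE),
        ("ErrorOpcode", WORD), ("ErrorOffset", DWORD),
        ("ErrorSelector", WORD), ("Reserved2", WORD),
        ("DataOffset", DWORD), ("DataSelector", WORD), ("Reserved3", WORD),
        ("MxCsr", DWORD), ("MxCsr_Mask", DWORD),
        ("FloatRegisters", M128A * 8),
        ("XmmRegisters", M128A * 16),
        ("Reserved4", BYTE * 96),
    ]


class _XMM_STRUCT(Structure):
    """The DUMMYSTRUCTNAME view: Header[2], Legacy[8], Xmm0..Xmm15."""
    _fields_ = ([("Header", M128A * 2), ("Legacy", M128A * 8)]
                + [("Xmm%d" % i, M128A) for i in range(16)])


class _XMM_UNION(Union):
    """The DUMMYUNIONNAME member: FltSave overlaid with the Xmm struct."""
    _fields_ = [("FltSave", XMM_SAVE_AREA32), ("DUMMYSTRUCTNAME", _XMM_STRUCT)]


class CONTEXT64(Structure):
    """AMD64 CONTEXT in WinNT.h field order; sizeof must come out as 1232."""
    _fields_ = (
        [("P%dHome" % i, DWORD64) for i in range(1, 7)]
        + [("ContextFlags", DWORD), ("MxCsr", DWORD)]
        + [("Seg" + s, WORD) for s in ("Cs", "Ds", "Es", "Fs", "Gs", "Ss")]
        + [("EFlags", DWORD)]
        + [("Dr%d" % i, DWORD64) for i in (0, 1, 2, 3, 6, 7)]
        + [(r, DWORD64) for r in ("Rax", "Rcx", "Rdx", "Rbx",
                                  "Rsp", "Rbp", "Rsi", "Rdi")]
        + [("R%d" % i, DWORD64) for i in range(8, 16)]
        + [("Rip", DWORD64),
           ("DUMMYUNIONNAME", _XMM_UNION),
           ("VectorRegister", M128A * 26),
           ("VectorControl", DWORD64),
           ("DebugControl", DWORD64),
           ("LastBranchToRip", DWORD64),
           ("LastBranchFromRip", DWORD64),
           ("LastExceptionToRip", DWORD64),
           ("LastExceptionFromRip", DWORD64)]
    )


def context_layout():
    """Sizes and offsets a practitioner would compare against WinNT.h."""
    return {
        "size": sizeof(CONTEXT64),
        "xsave_size": sizeof(XMM_SAVE_AREA32),
        "Rip": CONTEXT64.Rip.offset,
        "DUMMYUNIONNAME": CONTEXT64.DUMMYUNIONNAME.offset,
        "VectorRegister": CONTEXT64.VectorRegister.offset,
        "DebugControl": CONTEXT64.DebugControl.offset,
    }


def aligned_context(alignment=16):
    """Return (ctx, backing buffer); ctx starts on a 16-byte boundary, which
    GetThreadContext requires on x64. Keep the buffer alive with the ctx."""
    buf = create_string_buffer(sizeof(CONTEXT64) + alignment)
    start = (addressof(buf) + alignment - 1) & ~(alignment - 1)
    return CONTEXT64.from_address(start), buf


def is_aligned(ctx, alignment=16):
    return addressof(ctx) % alignment == 0


def read_thread_context(thread_handle, flags=CONTEXT_FULL):
    """Fill an aligned CONTEXT64 via kernel32.GetThreadContext. Only works
    from a 64-bit Python on Windows; a 32-bit Python would get the WOW64 view."""
    if sys.platform != "win32":
        raise RuntimeError("GetThreadContext is only available on Windows")
    from ctypes import windll, WinError
    ctx, buf = aligned_context()
    ctx.ContextFlags = flags
    if not windll.kernel32.GetThreadContext(c_void_p(thread_handle), byref(ctx)):
        raise WinError()
    return ctx, buf
```

<p>The layout check is the useful part on any host: if a field is out of order (for example the DebugControl block placed before the floating-point union), <code>context_layout()["size"]</code> still reads 1232 but the union and vector offsets shift, so the Xmm values read back from a debuggee would be garbage; checking the offsets, not just the total size, catches that.</p>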