Win 64位GetThreadContext返回零输出寄存器，或0x57 errocd问题的回答

Win 64位GetThreadContext返回零输出寄存器，或0x57 errocd

回答此问题可获得 20 贡献值，回答如果被采纳可获得 50 分。

我在Windows7 64位计算机上工作（我有管理员权限）。在 我使用python2.7（64位）和PyDev cypes for Eclipse来尝试读取与特定PID相关联的所有线程中的寄存器值（尝试了在64位和32位模式下运行的进程的PID），但是当我这样做时，寄存器的值都是零。当我使用<code>Wow64GetThreadContext</code>时，调用失败，<code>GetLastError</code>返回0x00000057（'根据MSDN，'无效参数'） 我成功地附加到进程，枚举线程（通过<code>CreateToolhelp32Snapshot</code>），找到进程拥有的线程，并尝试获取线程上下文。下面是我打开线程并获取线程上下文的代码： 打开线程： <pre><code>def open_thread(self, thread_id): h_thread = kernel32.OpenThread(THREAD_ALL_ACCESS, None, thread_id) </code></pre> 获取上下文： ^{pr2}$ 我将此代码称为： <pre><code>debugger.attach(int(pid)) #debugger.run() list = debugger.enumerate_threads() for thread in list: thread_context = debugger.get_thread_context(thread) if thread_context == False: print "[*] Thread context is false..." else: print "[*] Dumping registers for thread ID: 0x%08x" % thread print "[**] Eip: 0x%016x" % thread_context.Eip print "[**] Esp: 0x%016x" % thread_context.Esp print "[**] Ebp: 0x%016x" % thread_context.Ebp print "[**] Eax: 0x%016x" % thread_context.Eax print "[**] Ebx: 0x%016x" % thread_context.Ebx print "[**] Ecx: 0x%016x" % thread_context.Ecx print "[**] Edx: 0x%016x" % thread_context.Edx print "[*] End DUMP" debugger.detach() </code></pre> 当我使用<code>GetThreadContext</code>和上下文结构运行这段代码时，我会为每个线程返回上下文对象，但是寄存器值都是零。在 我尝试过将<code>GetThreadContext</code>替换为<code>Wow64GetThreadContext</code>（并且分别将<code>SuspendThread</code>替换为<code>Wow64SuspendThread</code>），但是当我这样做时，调用失败，并出现错误“invalid parameters”。我给<code>Wow64GetThreadContext</code>的参数与我给<code>GetThreadContext</code>的参数相同，而不是我提供的代码中变量的名称（这是因为当我在WinNT.h中查看它们的定义时，它们是等价的（除非我遗漏了什么）。我用以下方式定义了这些结构： <pre><code>class WOW64_CONTEXT(Structure): _fields_ = [ ("ContextFlags", DWORD), ("Dr0", DWORD), ("Dr1", DWORD), ("Dr2", DWORD), ("Dr3", DWORD), ("Dr6", DWORD), ("Dr7", DWORD), ("FloatSave", WOW64_FLOATING_SAVE_AREA), ("SegGs", DWORD), ("SegFs", DWORD), ("SegEs", DWORD), ("SegDs", DWORD), ("Edi", DWORD), ("Esi", DWORD), ("Ebx", DWORD), ("Edx", DWORD), ("Ecx", DWORD), ("Eax", DWORD), ("Ebp", DWORD), ("Eip", DWORD), ("SegCs", DWORD), ("EFlags", DWORD), ("Esp", DWORD), ("SegSs", DWORD), ("ExtendedRegisters", BYTE * 512), ] class WOW64_FLOATING_SAVE_AREA(Structure): _fields_ = [ ("ControlWord", DWORD), ("StatusWord", DWORD), ("TagWord", DWORD), ("ErrorOffset", DWORD), ("ErrorSelector", DWORD), ("DataOffset", DWORD), ("DataSelector", DWORD), ("RegisterArea", BYTE * 80), ("Cr0NpxState", DWORD), ] class CONTEXT(Structure): _fields_ = [ ("ContextFlags", DWORD), ("Dr0", DWORD), ("Dr1", DWORD), ("Dr2", DWORD), ("Dr3", DWORD), ("Dr6", DWORD), ("Dr7", DWORD), ("FloatSave", FLOATING_SAVE_AREA), ("SegGs", DWORD), ("SegFs", DWORD), ("SegEs", DWORD), ("SegDs", DWORD), ("Edi", DWORD), ("Esi", DWORD), ("Ebx", DWORD), ("Edx", DWORD), ("Ecx", DWORD), ("Eax", DWORD), ("Ebp", DWORD), ("Eip", DWORD), ("SegCs", DWORD), ("EFlags", DWORD), ("Esp", DWORD), ("SegSs", DWORD), ("ExtendedRegisters", BYTE * 512), ] class FLOATING_SAVE_AREA(Structure): _fields_ = [ ("ControlWord", DWORD), ("StatusWord", DWORD), ("TagWord", DWORD), ("ErrorOffset", DWORD), ("ErrorSelector", DWORD), ("DataOffset", DWORD), ("DataSelector", DWORD), ("RegisterArea", BYTE * 80), ("Cr0NpxState", DWORD), ] </code></pre> 关于这个问题，我在谷歌上做了大量的搜索，但没有成功： <ul> <li>根据MSDN上的一条评论：<code>CONTEXT_FULL</code>应该是 <code>CONTEXT_AMD64 | CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_FLOATING_POINT</code>与Win64一起正确使用。</li> <li>我试着在我的上下文和WOW_64CONTEXT中重命名寄存器结构，将寄存器名中的“E”替换为“R”（Eax -&gt；Rax等）</li> </ul> 有没有人用Python和cypes成功地获取了Windows上64位线程的上下文？在

0 条评论
分类：Python问答

默认排序时间排序

1 个回答

匿名 1天前

　擅长：python、mysql、java

我也有这个问题，我现在有了这个问题，我假设这是从格雷帽子的python书，经过大量的google搜索，发现Wow64GetThreadContext用于检索64位系统上的32位线程上下文，我使用了原始的GetThreadContext函数，但我传递给它的是一个定义如下的Wow64Context结构： <pre><code>class M128A(Structure): _fields_ = [ ("Low", DWORD64), ("High", DWORD64) ] class XMM_SAVE_AREA32(Structure): _pack_ = 1 _fields_ = [ ('ControlWord', WORD), ('StatusWord', WORD), ('TagWord', BYTE), ('Reserved1', BYTE), ('ErrorOpcode', WORD), ('ErrorOffset', DWORD), ('ErrorSelector', WORD), ('Reserved2', WORD), ('DataOffset', DWORD), ('DataSelector', WORD), ('Reserved3', WORD), ('MxCsr', DWORD), ('MxCsr_Mask', DWORD), ('FloatRegisters', M128A * 8), ('XmmRegisters', M128A * 16), ('Reserved4', BYTE * 96) ] class DUMMYSTRUCTNAME(Structure): _fields_=[ ("Header", M128A * 2), ("Legacy", M128A * 8), ("Xmm0", M128A), ("Xmm1", M128A), ("Xmm2", M128A), ("Xmm3", M128A), ("Xmm4", M128A), ("Xmm5", M128A), ("Xmm6", M128A), ("Xmm7", M128A), ("Xmm8", M128A), ("Xmm9", M128A), ("Xmm10", M128A), ("Xmm11", M128A), ("Xmm12", M128A), ("Xmm13", M128A), ("Xmm14", M128A), ("Xmm15", M128A) ] class DUMMYUNIONNAME(Union): _fields_=[ ("FltSave", XMM_SAVE_AREA32), ("DummyStruct", DUMMYSTRUCTNAME) ] class CONTEXT64(Structure): _pack_ = 16 _fields_ = [ ("P1Home", DWORD64), ("P2Home", DWORD64), ("P3Home", DWORD64), ("P4Home", DWORD64), ("P5Home", DWORD64), ("P6Home", DWORD64), ("ContextFlags", DWORD), ("MxCsr", DWORD), ("SegCs", WORD), ("SegDs", WORD), ("SegEs", WORD), ("SegFs", WORD), ("SegGs", WORD), ("SegSs", WORD), ("EFlags", DWORD), ("Dr0", DWORD64), ("Dr1", DWORD64), ("Dr2", DWORD64), ("Dr3", DWORD64), ("Dr6", DWORD64), ("Dr7", DWORD64), ("Rax", DWORD64), ("Rcx", DWORD64), ("Rdx", DWORD64), ("Rbx", DWORD64), ("Rsp", DWORD64), ("Rbp", DWORD64), ("Rsi", DWORD64), ("Rdi", DWORD64), ("R8", DWORD64), ("R9", DWORD64), ("R10", DWORD64), ("R11", DWORD64), ("R12", DWORD64), ("R13", DWORD64), ("R14", DWORD64), ("R15", DWORD64), ("Rip", DWORD64), ("DebugControl", DWORD64), ("LastBranchToRip", DWORD64), ("LastBranchFromRip", DWORD64), ("LastExceptionToRip", DWORD64), ("LastExceptionFromRip", DWORD64), ("DUMMYUNIONNAME", DUMMYUNIONNAME), ("VectorRegister", M128A * 26), ("VectorControl", DWORD64) ] </code></pre> 当然，我还没有检查寄存器中返回的值是正确的还是只是垃圾，但是值存在而不是0x00000000或错误0x57这一事实令人放心。在 访问寄存器仍然是通过线程完成的_上下文。Rip等等，不是eip

Win 64位GetThreadContext返回零输出寄存器，或0x57 errocd

1 个回答

相关Python问题