GetModuleHandleA无法获取未由使用的模块python.exe连接到另一个进程时问题的回答

GetModuleHandleA无法获取未由使用的模块python.exe连接到另一个进程时

回答此问题可获得 20 贡献值，回答如果被采纳可获得 50 分。

我现在在用灰色帽子Python书。它描述了如何在python中创建调试器。到目前为止，我的调试器能够启动进程并附加到它。当我试图从进程中检索模块句柄时，会出现问题。根据OllyDbg，DLL存在于程序中，但是<code>GetModuleHandleA</code>无法获得句柄。我对书中的一段代码做了一点改进，以防<code>GetModuleHandleA</code>检索不到句柄，函数将尝试创建一个远程线程并强制将此模块加载到进程中。但即使如此，它<code>GetModuleHandleA</code>还是失败了（而其他一切都很好）。所以也许有人可以快速浏览一下代码并发现其中的问题？在 <pre><code>def func_resolve(self,dll,function): handle = kernel32.GetModuleHandleA(dll) print "%s module handle is at 0x%08x" % (dll, handle) error = kernel32.GetLastError() if error: print "There was an error in func_resolve::GetModuleHandleA(%s): %d" % (dll, error) print "Loading library into the process" pLibRemote = kernel32.VirtualAllocEx(self.h_process, 0, len(dll), 0x00001000, 0x04) print "Allocated %d bytes of memory at 0x%08x" % (len(dll), pLibRemote) written = c_int(0) kernel32.WriteProcessMemory(self.h_process, pLibRemote, dll, len(dll), byref(written)) print "Written %d bytes" % written.value handle = kernel32.GetModuleHandleA("kernel32.dll") print "Kernel module handle is 0x%08x" % handle address = kernel32.GetProcAddress(handle, "LoadLibraryA") print "LoadLibraryA address is 0x%08x" % address thread_id = c_ulong(0) kernel32.CreateRemoteThread(self.h_process, None, 0, address, pLibRemote, 0, byref(thread_id)) print "Created thread %d" % thread_id.value handle = kernel32.GetModuleHandleA(dll) address = kernel32.GetProcAddress(handle, function) kernel32.CloseHandle(handle) return address </code></pre> 输出如下： ^{pr2}$ 如果使用了模块句柄，则可以很好地检索它python.exe（在python.exe过程）。但不在python.exe进程失败。也许这和操作系统Windows7（64位）有关，但我测试的应用程序还是用32位编译器编译的。在 更新2：根据评论中的建议，我编写了自己的函数： <pre><code>def my_func_resolve(self, dll, function): module32 = MODULEENTRY32() CreateToolhelp32Snapshot = kernel32.CreateToolhelp32Snapshot CreateToolhelp32Snapshot.restype = HANDLE CreateToolhelp32Snapshot.argtypes = [DWORD, DWORD] Module32First = kernel32.Module32First Module32First.restype = BOOL Module32First.argtypes = [HANDLE, POINTER(MODULEENTRY32)] Module32Next = kernel32.Module32Next Module32Next.restype = BOOL Module32Next.argtypes = [HANDLE, POINTER(MODULEENTRY32)] thandle = 24 while thandle == 24: thandle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, self.pid) if thandle == 0 or thandle == 0xFFFFFFFF: print "Failed to create a snapshot. Error: %d" % kernel32.GetLastError() exit() if not Module32First(thandle, byref(module32)): print "Module32First failed. Error: %d" % kernel32.GetLastError() kernel32.CloseHandle(thandle) exit() while module32: print "DLL %s is loaded at 0x%08x" % (module32.szModule, module32.modBaseAddr) Module32Next(thandle, byref(module32)) kernel32.CloseHandle(thandle) return True </code></pre> 但它失败了 <pre><code>[*] We have successfully launched the process! [*] The Process ID I have is: 9584 Proces handle is 228 Failed create snapshot. Error: 299 </code></pre> 如果我们试图从32位进程中检索64位进程，则会发生此错误。我有32位python。我的操作系统是64位的。我编译的测试程序.exe使用mingw 32位编译器。我怎么会得到这个错误？对于<code>TH32CS_SNAPMODULE</code>，我同时使用了<code>0x00000008</code>和{<cd6>} 以防万一，流程是这样创建的： <pre><code>if kernel32.CreateProcessA(path_to_exe, None, None, None, None, creation_flags, None, None, byref(startupinfo), byref(process_information)): print "[*] We have successfully launched the process!" print "[*] The Process ID I have is: %d" % \ process_information.dwProcessId self.pid = process_information.dwProcessId self.h_process = self.open_process(process_information.dwProcessId) print "Proces handle is %d" % self.h_process </code></pre>

0 条评论
分类：Python问答

默认排序时间排序

1 个回答

匿名 1天前

　擅长：python、mysql、java

<code>GetModuleHandle</code>在当前进程中查找模块。要在另一个进程中查找模块，您需要使用PSAPI函数<code>EnumProcessModulesEx</code>&amp；<code>GetModuleBaseName</code>或工具帮助函数<code>CreateToolhelp32Snapshot</code>，<code>Module32First</code>，<code>Module32Next</code>。在 如果目标进程具有与当前进程相同的体系结构，则可以在其加载的DLL中间接查找过程地址。首先，通过<code>LoadLibraryEx</code>和<code>DONT_RESOLVE_DLL_REFERENCES</code>在当前进程中加载DLL。然后用这个本地的<code>HMODULE</code>调用<code>GetProcAddress</code>来获得本地地址。最后，在目标进程中调整相对于模块基址的本地地址。记住调用<code>FreeLibrary</code>从当前进程卸载DLL。在 注意，<code>HMODULE</code>句柄实际上是指针，因此您需要为所有ctypes函数设置<code>restype</code>和{<cd14>}。这可以防止将64位指针值截断为32位C<code>int</code>值。在 下面是一个使用工具帮助函数的示例。在 <pre><code>import os import ctypes from ctypes import wintypes kernel32 = ctypes.WinDLL('kernel32', use_last_error=True) wintypes.LPBOOL = ctypes.POINTER(wintypes.BOOL) ERROR_NO_MORE_FILES = 0x0012 ERROR_BAD_LENGTH = 0x0018 ERROR_MOD_NOT_FOUND = 0x007E INVALID_HANDLE_VALUE = wintypes.HANDLE(-1).value DONT_RESOLVE_DLL_REFERENCES = 0x00000001 MAX_PATH = 260 MAX_MODULE_NAME32 = 255 TH32CS_SNAPMODULE = 0x00000008 class MODULEENTRY32W(ctypes.Structure): _fields_ = (('dwSize', wintypes.DWORD), ('th32ModuleID', wintypes.DWORD), ('th32ProcessID', wintypes.DWORD), ('GlblcntUsage', wintypes.DWORD), ('ProccntUsage', wintypes.DWORD), ('modBaseAddr', wintypes.LPVOID), ('modBaseSize', wintypes.DWORD), ('hModule', wintypes.HMODULE), ('szModule', wintypes.WCHAR * (MAX_MODULE_NAME32 + 1)), ('szExePath', wintypes.WCHAR * MAX_PATH)) def __init__(self, *args, **kwds): super(MODULEENTRY32W, self).__init__(*args, **kwds) self.dwSize = ctypes.sizeof(self) LPMODULEENTRY32W = ctypes.POINTER(MODULEENTRY32W) def errcheck_bool(result, func, args): if not result: raise ctypes.WinError(ctypes.get_last_error()) return args def errcheck_ihv(result, func, args): if result == INVALID_HANDLE_VALUE: raise ctypes.WinError(ctypes.get_last_error()) return args kernel32.LoadLibraryExW.errcheck = errcheck_bool kernel32.LoadLibraryExW.restype = wintypes.HMODULE kernel32.LoadLibraryExW.argtypes = (wintypes.LPCWSTR, wintypes.HANDLE, wintypes.DWORD) kernel32.FreeLibrary.errcheck = errcheck_bool kernel32.FreeLibrary.argtypes = (wintypes.HMODULE,) kernel32.GetProcAddress.errcheck = errcheck_bool kernel32.GetProcAddress.restype = wintypes.LPVOID kernel32.GetProcAddress.argtypes = (wintypes.HMODULE, wintypes.LPCSTR) kernel32.CloseHandle.errcheck = errcheck_bool kernel32.CloseHandle.argtypes = (wintypes.HANDLE,) kernel32.CreateToolhelp32Snapshot.errcheck = errcheck_ihv kernel32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE kernel32.CreateToolhelp32Snapshot.argtypes = (wintypes.DWORD, wintypes.DWORD) kernel32.Module32FirstW.errcheck = errcheck_bool kernel32.Module32FirstW.argtypes = (wintypes.HANDLE, LPMODULEENTRY32W) kernel32.Module32NextW.errcheck = errcheck_bool kernel32.Module32NextW.argtypes = (wintypes.HANDLE, LPMODULEENTRY32W) def GetRemoteProcAddress(pid, filename, procname): procname = procname.encode('utf-8') hLocal = kernel32.LoadLibraryExW(filename, None, DONT_RESOLVE_DLL_REFERENCES) try: procaddr = kernel32.GetProcAddress(hLocal, procname) finally: kernel32.FreeLibrary(hLocal) modname = os.path.basename(filename) hRemote = GetRemoteModuleHandle(pid, modname) return hRemote - hLocal + procaddr def GetRemoteModuleHandle(pid, modname): modname = modname.upper() if '.' not in modname: modname += '.DLL' while True: try: hProcessSnap = kernel32.CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, pid) break except OSError as e: if e.winerror != ERROR_BAD_LENGTH: raise try: modentry = MODULEENTRY32W() kernel32.Module32FirstW(hProcessSnap, ctypes.byref(modentry)) while True: if modentry.szModule.upper() == modname: return modentry.hModule try: kernel32.Module32NextW(hProcessSnap, ctypes.byref(modentry)) except OSError as e: if e.winerror == ERROR_NO_MORE_FILES: break raise raise ctypes.WinError(ERROR_MOD_NOT_FOUND) finally: kernel32.CloseHandle(hProcessSnap) </code></pre> 下面是一个测试，它创建另一个Python进程，并验证kernel32.dll是否加载到与当前进程相同的地址；<code>LoadLibraryExW</code>是否在同一地址解析；前1000个字节是否相等。在 请注意，我使用Windows事件对象等待子进程完成加载，然后再尝试读取其模块表。这避免了<code>ERROR_PARTIAL_COPY</code>的问题。如果目标是具有消息队列的GUI进程，则可以改为使用<a href="https://msdn.microsoft.com/en-us/library/ms687022" rel="nofollow">^{<cd18>}</a>。在 ^{pr2}$

GetModuleHandleA无法获取未由使用的模块python.exe连接到另一个进程时

1 个回答

相关Python问题