回答此问题可获得 20 贡献值,回答如果被采纳可获得 50 分。
<p>我现在在用灰色帽子Python书。它描述了如何在python中创建调试器。到目前为止,我的调试器能够启动进程并附加到它。当我试图从进程中检索模块句柄时,会出现问题。根据OllyDbg,DLL存在于程序中,但是<code>GetModuleHandleA</code>无法获得句柄。我对书中的一段代码做了一点改进,以防<code>GetModuleHandleA</code>检索不到句柄,函数将尝试创建一个远程线程并强制将此模块加载到进程中。但即使如此,它<code>GetModuleHandleA</code>还是失败了(而其他一切都很好)。所以也许有人可以快速浏览一下代码并发现其中的问题?在</p>
<pre><code>def func_resolve(self,dll,function):
handle = kernel32.GetModuleHandleA(dll)
print "%s module handle is at 0x%08x" % (dll, handle)
error = kernel32.GetLastError()
if error:
print "There was an error in func_resolve::GetModuleHandleA(%s): %d" % (dll, error)
print "Loading library into the process"
pLibRemote = kernel32.VirtualAllocEx(self.h_process, 0, len(dll), 0x00001000, 0x04)
print "Allocated %d bytes of memory at 0x%08x" % (len(dll), pLibRemote)
written = c_int(0)
kernel32.WriteProcessMemory(self.h_process, pLibRemote, dll, len(dll), byref(written))
print "Written %d bytes" % written.value
handle = kernel32.GetModuleHandleA("kernel32.dll")
print "Kernel module handle is 0x%08x" % handle
address = kernel32.GetProcAddress(handle, "LoadLibraryA")
print "LoadLibraryA address is 0x%08x" % address
thread_id = c_ulong(0)
kernel32.CreateRemoteThread(self.h_process, None, 0, address, pLibRemote, 0, byref(thread_id))
print "Created thread %d" % thread_id.value
handle = kernel32.GetModuleHandleA(dll)
address = kernel32.GetProcAddress(handle, function)
kernel32.CloseHandle(handle)
return address
</code></pre>
<p>输出如下:</p>
^{pr2}$
<p>如果使用了模块句柄,则可以很好地检索它python.exe(在python.exe过程)。但不在python.exe进程失败。也许这和操作系统Windows7(64位)有关,但我测试的应用程序还是用32位编译器编译的。在</p>
<p>更新2:根据评论中的建议,我编写了自己的函数:</p>
<pre><code>def my_func_resolve(self, dll, function):
module32 = MODULEENTRY32()
CreateToolhelp32Snapshot = kernel32.CreateToolhelp32Snapshot
CreateToolhelp32Snapshot.restype = HANDLE
CreateToolhelp32Snapshot.argtypes = [DWORD, DWORD]
Module32First = kernel32.Module32First
Module32First.restype = BOOL
Module32First.argtypes = [HANDLE, POINTER(MODULEENTRY32)]
Module32Next = kernel32.Module32Next
Module32Next.restype = BOOL
Module32Next.argtypes = [HANDLE, POINTER(MODULEENTRY32)]
thandle = 24
while thandle == 24:
thandle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, self.pid)
if thandle == 0 or thandle == 0xFFFFFFFF:
print "Failed to create a snapshot. Error: %d" % kernel32.GetLastError()
exit()
if not Module32First(thandle, byref(module32)):
print "Module32First failed. Error: %d" % kernel32.GetLastError()
kernel32.CloseHandle(thandle)
exit()
while module32:
print "DLL %s is loaded at 0x%08x" % (module32.szModule, module32.modBaseAddr)
Module32Next(thandle, byref(module32))
kernel32.CloseHandle(thandle)
return True
</code></pre>
<p>但它失败了</p>
<pre><code>[*] We have successfully launched the process!
[*] The Process ID I have is: 9584
Proces handle is 228
Failed create snapshot. Error: 299
</code></pre>
<p>如果我们试图从32位进程中检索64位进程,则会发生此错误。我有32位python。我的操作系统是64位的。我编译的测试程序.exe使用mingw 32位编译器。我怎么会得到这个错误?
对于<code>TH32CS_SNAPMODULE</code>,我同时使用了<code>0x00000008</code>和{<cd6>}</p>
<p>以防万一,流程是这样创建的:</p>
<pre><code>if kernel32.CreateProcessA(path_to_exe,
None,
None,
None,
None,
creation_flags,
None,
None,
byref(startupinfo),
byref(process_information)):
print "[*] We have successfully launched the process!"
print "[*] The Process ID I have is: %d" % \
process_information.dwProcessId
self.pid = process_information.dwProcessId
self.h_process = self.open_process(process_information.dwProcessId)
print "Proces handle is %d" % self.h_process
</code></pre>