I followed the Grey Hat Python and made a debugger, but it can't work well.
I ran the calc.exe and find the PID. However, the debugger can't attach to the process. I copied the code from the book and also downloaded the code from the Internet. Both of them gave me the same result.Here is my code:
from ctypes import *
from my_debugger_defines import *
kernel32 = windll.kernel32
class debugger():
def __init__(self):
self.h_process = None
self.pid = None
self.debugger_active = False
def load(self, path_to_exe):
#dwCreation flag determines how to create the process
#set creation_flags = CREATE_NEW_CONSOLE if you want
#to see the calculator GUI
creation_flags = DEBUG_PROCESS
#instantiate the structs
startupinfo = STARTUPINFO()
process_information = PROCESS_INFORMATION()
#The following two options allow the started process
#to be shown as a separate window. This also illustrates
#how different settings in the STARTUPINFO struct can affect
#the debugger.
startupinfo.dwFlags =0x1
startupinfo.wShowWindow =0x0
#We then initialize the cb variable in the STARTUPINFO struct
#which is just the size of the struct itself
startupinfo.cb = sizeof(startupinfo)
if kernel32.CreateProcessA(path_to_exe,
None,
None,
None,
None,
creation_flags,
None,
None,
byref(startupinfo),
byref(process_information)):
print "[*] We have successfully launched the process!"
print "[*] PID: %d" % process_information.dwProcessId
#Obtain a valid handle to the newly created process
#and store it for future access
self.h_process = self.open_process(process_information.dwProcessId)
else:
print "[*] Error:0x%08x."%kernel32.GetLastError()
def open_process(self, pid):
h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
return h_process
def attach(self, pid):
self.h_process = self.open_process(pid)
#We attempt to attach to the process
#if this fails we exit the callable
if kernel32.DebugActiveProcess(pid):
self.debugger_active = True
self.pid = int(pid)
self.run()
else:
print "[*] Unable to attach to the process."
def run(self):
#Now we have to poll the debugger for debugging events
while self.debugger_active == True:
self.get_debug_event()
def get_debug_event(self):
debug_event = DEBUG_EVENT()
continue_status = DBG_CONTINUE
if kernel32.WaitForDebugEvent(byref(debug_event), INFINITE):
#We aren't going to build any event handlers just yet.
#Let's just resume the process for now.
raw_input("press a key to continue...")
self.debugger_active = False
kernel32.ContinueDebugEvent(\
debug_event.dwProcessId, \
debug_event.dwThreadId, \
continue_status )
def detach(self):
if kernel32.DebugActiveProcessStop(self.pid):
print "[*] Finished debugging. Exiting..."
return True
else:
print "There was an error"
return False
Everytime I run the program, it print "[*]Unable to attach to the process." and "There was an error".
Here is my test.py.
import my_debugger
debugger = my_debugger.debugger()
pid = raw_input("Enter the PID of the process to attach to: ")
debugger.attach(int(pid))
debugger.detach()
Why? Is it my computer system's problem? Can win8.1 use kernel32? How to fix it?
This code from the book works only on a 32-bit platform, so you can't attach to 64-bit process calc.exe.
Look at the answers to the question Python WaitForDebugEvent & ContinueDebugEvent (Gray Hat Python). May be they'll help you.
The content of "my_debugger_defines.py" file should be as follows ...
And It works on a 64-bit platform
from ctypes import *
BYTE = c_ubyte
WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)
HANDLE = c_void_p
PVOID = c_void_p
LPVOID = c_void_p
UINT_PTR = c_ulong
DEBUG_PROCESS = 0x00000001
PROCESS_ALL_ACCESS = 0x001F0FFF
INFINITE = 0xFFFFFFFF
DBG_CONTINUE = 0x00010002
class STARTUPINFO(Structure):
_fields_ = [
("cb", DWORD),
("lpReserved", LPTSTR),
("lpDesktop", LPTSTR),
("lpTitle", LPTSTR),
("dwX", DWORD),
("dwY", DWORD),
("dwXSize", DWORD),
("dwYSize", DWORD),
("dwXCountChars", DWORD),
("dwYCountChars", DWORD),
("dwFillAttribute",DWORD),
("dwFlags", DWORD),
("wShowWindow", WORD),
("cbReserved2", WORD),
("lpReserved2", LPBYTE),
("hStdInput", HANDLE),
("hStdOutput", HANDLE),
("hStdError", HANDLE),
]
class PROCESS_INFORMATION(Structure):
_fields_ = [
("hProcess", HANDLE),
("hThread", HANDLE),
("dwProcessId", DWORD),
("dwThreadId", DWORD),
]
class EXCEPTION_RECORD(Structure):
pass
EXCEPTION_RECORD._fields_ = [
("ExceptionCode", DWORD),
("ExceptionFlags", DWORD),
("ExceptionRecord", POINTER(EXCEPTION_RECORD)),
("ExceptionAddress", PVOID),
("NumberParameters", DWORD),
("ExceptionInformation", UINT_PTR * 15),
]
class _EXCEPTION_RECORD(Structure):
_fields_ = [
("ExceptionCode", DWORD),
("ExceptionFlags", DWORD),
("ExceptionRecord", POINTER(EXCEPTION_RECORD)),
("ExceptionAddress", PVOID),
("NumberParameters", DWORD),
("ExceptionInformation", UINT_PTR * 15),
]
class EXCEPTION_DEBUG_INFO(Structure):
_fields_ = [
("ExceptionRecord", EXCEPTION_RECORD),
("dwFirstChance", DWORD),
]
class CREATE_PROCESS_DEBUG_INFO(Structure):
_fields_ = [
("hFile", HANDLE),
("hProcess", HANDLE),
("hThread", HANDLE),
("lpBaseOfImage", LPVOID),
("dwDebugInfoFileOffset",DWORD),
("nDebugInfoSize", DWORD),
("lpThreadLocalBase", LPVOID),
("lpStartAddress", HANDLE),
("lpImageName", LPVOID),
("fUnicode", WORD)
]
class CREATE_THREAD_DEBUG_INFO(Structure):
_fields_ = [
("hThread", HANDLE),
("lpThreadLocalBase", LPVOID),
("lpStartAddress", HANDLE)
]
class EXIT_THREAD_DEBUG_INFO(Structure):
_fields_ = [
("dwExitCode", DWORD)
]
class EXIT_PROCESS_DEBUG_INFO(Structure):
_fields_ = [
("dwExitCode", DWORD)
]
class LOAD_DLL_DEBUG_INFO(Structure):
_fields_ = [
("hFile", HANDLE),
("lpBaseOfDll", LPVOID),
("dwDebugInfoFileOffset", DWORD),
("nDebugInfoSize", DWORD),
("lpImageName", LPVOID),
("fUnicode", WORD)
]
class UNLOAD_DLL_DEBUG_INFO(Structure):
_fields_ = [
("lpBaseOfDll", LPVOID)
]
class OUTPUT_DEBUG_STRING_INFO(Structure):
_fields_ = [
("lpDebugStringData", LPTSTR),
("fUnicode", WORD),
("nDebugStringLength", WORD)
]
class RIP_INFO(Structure):
_fields_ = [
("dwError", DWORD),
("dwType", DWORD)
]
class DEBUG_EVENT_UNION(Union):
_fields_ = [
("Exception", EXCEPTION_DEBUG_INFO),
("CreateThread", CREATE_THREAD_DEBUG_INFO),
("CreateProcessInfo", CREATE_PROCESS_DEBUG_INFO),
("ExitThread", EXIT_THREAD_DEBUG_INFO),
("ExitProcess", EXIT_PROCESS_DEBUG_INFO),
("LoadDll", LOAD_DLL_DEBUG_INFO),
("UnloadDll", UNLOAD_DLL_DEBUG_INFO),
("DebugString", OUTPUT_DEBUG_STRING_INFO),
("RipInfo", RIP_INFO),
]
class DEBUG_EVENT(Structure):
_fields_ = [
("dwDebugEventCode", DWORD),
("dwProcessId", DWORD),
("dwThreadId", DWORD),
("u", DEBUG_EVENT_UNION),
]
Related
def writepmc(self, type_a, type_d, datano_s, datano_e, value):
# datano_s & datano_e = start & end number
length = 8 + (datano_e - datano_s + 1)
# c union datatype
class UnionC(ctypes.Union):
_fields_ = [
('cdata[N]', ctypes.c_char),
('idata[N]', ctypes.c_short),
('ldata[N]', ctypes.c_long),
('fdata[N]', ctypes.c_float),
('dfdata[N]', ctypes.c_double),
]
union = UnionC()
union.ldata[0] = value
class Iodbpmc(ctypes.Structure):
_fields_ = [("type_a", ctypes.c_short),
("type_d", ctypes.c_short),
("datano_s", ctypes.c_short),
("datano_e", ctypes.c_short),
("u", union)]
iodbpmc = Iodbpmc()
iodbpmc.type_a = type_a
iodbpmc.type_d = type_d
iodbpmc.datano_s = datano_s
iodbpmc.datano_e = datano_e
ret = focas.pmc_wrpmcrng(libh, length, ctypes.byref(iodbpmc))
self.wrpmc_errorcheck(ret)
return ret
I'm working on a Universal Robot and have to use Python 2.7. I am also using the CTypes lib. I keep getting the error in the title and am not sure what I'm doing wrong.
I don't have a lot of experience with CTypes or OOP in Python. Does anyone know what's causing the error?
I managed to solve the issue myself.
I wrote:
class UnionC(ctypes.Union):
_fields_ = [
('cdata', ctypes.c_char),
('idata', ctypes.c_short),
('ldata', ctypes.c_long),
('fdata', ctypes.c_float),
('dfdata', ctypes.c_double),
]
And I removed :
union = UnionC()
union.ldata[0] = value
These changes solved the problem for me. I'm pretty sure the line two lines above were causing the issue.
I'm trying to adapt sigaction to be used with ctypes:
import signal
import ctypes as c
import os
libc = c.cdll.LoadLibrary("libc.so.6")
class sig_value(c.Union):
_fields_ = [
("sival_int", c.c_int),
("sival_ptr", c.c_void_p)
]
class siginfo_t(c.Structure):
_fields_ = [
("si_signo", c.c_int),
("si_code", c.c_int),
("si_value", sig_value),
("si_errno", c.c_int),
("si_pid", c.c_int),
("si_uid", c.c_int),
("si_addr", c.c_void_p),
("si_status", c.c_int),
("si_band", c.c_int),
]
handler_c_type = c.CFUNCTYPE(None, c.c_int, c.POINTER(siginfo_t), c.c_void_p)
class sigaction_t(c.Structure):
_fields_ = [
("sa_handler", c.c_void_p),
("sa_sigaction", handler_c_type),
("sa_mask", c.c_int),
("sa_flags", c.c_int),
("sa_restorer", c.c_void_p),
]
libc.sigaction.argtypes = c.c_int,c.POINTER(sigaction_t),c.POINTER(sigaction_t)
libc.sigemptyset.argtypes = c.POINTER(c.c_int),
def py_handler(sig, siginfo, ucontext):
print(sig, siginfo, ucontext)
handler = handler_c_type(py_handler)
sa = sigaction_t()
sa_mask = c.c_int(0)
sa.sa_mask = sa_mask
libc.sigemptyset(c.byref(sa_mask))
sa.sa_sigaction = handler
sa.sa_flags = 0x4 #SA_SIGINFO
libc.sigaction(c.c_int(signal.SIGUSR2), c.byref(sa), None)
In this code, I'm just setting a handler to receive SIGUSR2 signal with a value issued by sigqueue. Even though this code is not crashing, python's default handler for SIGUSR2 is the one that's being called. So when I receive the signal, the script exits. What could I be missing here?
I have below files
my_test.py
import my_debugger
debugger =my_debugger.debugger()
debugger.load("C:\\windows\\system32\\calc.exe")
my_debugger.py
from ctypes import *
from my_debugger_defines import *
kernel32 = windll.kernel32
class debugger():
def __init__(self):
pass
def load(self, path_to_exe):
creation_flags = DEBUG_PROCESS
startupinfo = STARTUPINFO()
process_information = PROCESS_INFORMATION
startupinfo.dwflags =0x1
startupinfo.wShowWindow = 0x0
startupinfo.cb = sizeof(startupinfo)
if kernel32.CreateProcessA(path_to_exe, None, None, None, None, byref(startupinfo),byref(process_information)):
print( "[*] we have succedfully lanunched the prcoess")
print ("[*] PID: %d" % process_information.dwProcessId)
else:
print("[*} error: 0x%08x." % kernel32.GetLastError())
my_debugger_defines.py
from ctypes import *
# mirosoft types to ctypes
WORD = c_ushort
DWORD =c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)
HANDLE = c_void_p
#constants
DEBUG_PROCESS = 0X00000001
CREATE_NEW_CONSOLE = 0X00000010
#structures for createpressa() fuction
class STARTUPINFO(Structure):
_fields_ = [
("cb", DWORD),
("lpReserved", LPTSTR),
("lpDesktop", LPTSTR),
("lpTitle", LPTSTR),
("dwX", DWORD),
("dwY", DWORD),
("dwXSize", DWORD),
("dwYsize", DWORD),
("dsXCountChars", DWORD),
("dwYCountChars", DWORD),
("dwFillAttribute", DWORD),
("dwFlags", DWORD),
("wShowWindow", WORD),
("cbReserved2", WORD),
("lpReserved2", LPBYTE),
("hStdInput", HANDLE),
("hStdOutput", HANDLE),
("hStdError", HANDLE),
]
class PROCESS_INFORMATION(Structure):
_fields_ = [
("hProcess", HANDLE),
("HtHREAD", HANDLE),
("dwProcessId", DWORD),
("dwThreadId", DWORD),
]
when I run my_test.py I got below error
C:\download\New folder (6) (1)\Programowanie>python my_test.py
Traceback (most recent call last):
File "my_test.py", line 3, in
debugger.load("C:\windows\system32\calc.exe")
File "C:\download\New folder (6) (1)\Programowanie\my_debugger.py", line 19, in load
if kernel32.CreateProcessA(path_to_exe, None, None, None, None, byref(startupinfo),byref(process_information)):
TypeError: byref() argument must be a ctypes instance, not '_ctypes.PyCStructType'
C:\download\New folder (6) (1)\Programowanie>
do you know how to fix error?
I would like to write a general method for all operating systems (Win, MacOS, Unix, ...) that changes a folder's icon.
I would like to extend the following implementation
import os
import warnings
import ctypes
from ctypes import POINTER, Structure, c_wchar, c_int, sizeof, byref
from ctypes.wintypes import BYTE, WORD, DWORD, LPWSTR, LPSTR
import win32api
class SetFolderIcon(object):
def __init__(self, folderPath, iconPath, reset=False):
assert os.path.isdir(folderPath), "folderPath '%s' is not a valid folder"%folderPath
self.__folderPath = unicode(os.path.abspath(folderPath), 'mbcs')
assert os.path.isfile(iconPath), "iconPath '%s' does not exist"%iconPath
self.__iconPath = unicode(os.path.abspath(iconPath), 'mbcs')
assert isinstance(reset, bool), "reset must be boolean"
self.__reset = reset
# set icon if system is windows
if os.name == 'nt':
try:
self.__set_icon_on_windows()
except Exception as e:
warnings.warn("Unable to set folder icon (%s)"%e)
elif os.name == 'posix':
raise Exception('posix system not implemented yet')
elif os.name == 'mac':
raise Exception('mac system not implemented yet')
elif os.name == 'os2':
raise Exception('os2 system not implemented yet')
elif os.name == 'ce':
raise Exception('ce system not implemented yet')
elif os.name == 'java':
raise Exception('java system not implemented yet')
elif os.name == 'riscos':
raise Exception('riscos system not implemented yet')
def __set_icon_on_windows(self):
HICON = c_int
LPTSTR = LPWSTR
TCHAR = c_wchar
MAX_PATH = 260
FCSM_ICONFILE = 0x00000010
FCS_FORCEWRITE = 0x00000002
SHGFI_ICONLOCATION = 0x000001000
class GUID(Structure):
_fields_ = [ ('Data1', DWORD),
('Data2', WORD),
('Data3', WORD),
('Data4', BYTE * 8) ]
class SHFOLDERCUSTOMSETTINGS(Structure):
_fields_ = [ ('dwSize', DWORD),
('dwMask', DWORD),
('pvid', POINTER(GUID)),
('pszWebViewTemplate', LPTSTR),
('cchWebViewTemplate', DWORD),
('pszWebViewTemplateVersion', LPTSTR),
('pszInfoTip', LPTSTR),
('cchInfoTip', DWORD),
('pclsid', POINTER(GUID)),
('dwFlags', DWORD),
('pszIconFile', LPTSTR),
('cchIconFile', DWORD),
('iIconIndex', c_int),
('pszLogo', LPTSTR),
('cchLogo', DWORD) ]
class SHFILEINFO(Structure):
_fields_ = [ ('hIcon', HICON),
('iIcon', c_int),
('dwAttributes', DWORD),
('szDisplayName', TCHAR * MAX_PATH),
('szTypeName', TCHAR * 80) ]
shell32 = ctypes.windll.shell32
fcs = SHFOLDERCUSTOMSETTINGS()
fcs.dwSize = sizeof(fcs)
fcs.dwMask = FCSM_ICONFILE
fcs.pszIconFile = self.__iconPath
fcs.cchIconFile = 0
fcs.iIconIndex = self.__reset
hr = shell32.SHGetSetFolderCustomSettings(byref(fcs), self.__folderPath, FCS_FORCEWRITE)
if hr:
raise WindowsError(win32api.FormatMessage(hr))
sfi = SHFILEINFO()
hr = shell32.SHGetFileInfoW(self.__folderPath, 0, byref(sfi), sizeof(sfi), SHGFI_ICONLOCATION)
#if hr == 0:
# raise WindowsError(win32api.FormatMessage(hr))
index = shell32.Shell_GetCachedImageIndexW(sfi.szDisplayName, sfi.iIcon, 0)
shell32.SHUpdateImageW(sfi.szDisplayName, sfi.iIcon, 0, index)
iconPath = 'C:\\Users\\myself\\Desktop\\icon.ico'
#iconPath = "C:\\Windows\\system32\\SHELL32.dll"
SetFolderIcon('C:\\Users\\myself\\Desktop\\Newfolder',iconPath, reset=False)
# reset icon
SetFolderIcon('C:\\Users\\myself\\Desktop\\Newfolder',iconPath, reset=True)
As you can see I only implemented the windows version using __set_icon_on_windows method. similar methods such as __set_icon_on_mac ... must be implemented
Thanks
I'm trying to find the base address of render.dll used in the process process.exe. I have modified the code in this question, and I'm able to get a result for the base address of render.dll.
from ctypes import *
from ctypes.wintypes import *
import psutil
class MODULEENTRY32(Structure):
_fields_ = [( 'dwSize', DWORD),
( 'th32ModuleID', DWORD),
( 'th32ProcessID', DWORD),
( 'GlblcntUsage', DWORD),
( 'ProccntUsage', DWORD),
( 'modBaseAddr', POINTER(BYTE)),
( 'modBaseSize', DWORD),
( 'hModule', HMODULE),
( 'szModule', c_char * 256),
( 'szExePath', c_char * 260)]
CreateToolhelp32Snapshot = windll.kernel32.CreateToolhelp32Snapshot
Module32First = windll.kernel32.Module32First
Module32Next = windll.kernel32.Module32Next
CloseHandle = windll.kernel32.CloseHandle
TH32CS_SNAPMODULE = 0x00000008
TH32CS_SNAPMODULE32 = 0x00000010
def getpid(processname):
for proc in psutil.process_iter():
if str(processname) in str(proc.name):
return proc.pid
def GetModuleByName(name):
snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE32 | TH32CS_SNAPMODULE, getpid('process.exe'))
entry = MODULEENTRY32()
entry.dwSize = sizeof(MODULEENTRY32)
if Module32First(snapshot, pointer(entry)):
while Module32Next(snapshot, entry):
if entry.szModule == name:
CloseHandle(snapshot)
return entry.modBaseAddr
CloseHandle(snapshot)
return None
baseAddr = GetModuleByName('render.dll')
print baseAddr
Which results in <__main__.LP_c_byte object at 0x00000000023C9348>. I know this is to do with the result being a POINTER(BYTE) type, but I am not sure how to get from this type to a normal hex memory address that I can use to read the process memory at this location.
I found an answer here. Turns out I had the same misunderstanding as the other poster and that using ctypes.addressof(baseAddr.contents) returns the correct memory address for the .dll.