Python: kernel32.CreateProcessA() What is it doing?

3

I am currently learning about debuggers and how they stop processes.

Here is my code:

    from ctypes import *
    WORD = c_ushort
    DWORD = c_ulong
    LPBYTE = POINTER(c_ubyte)
    LPTSTR = POINTER(c_char)
    HANDLE = c_void_p
    DEBUG_PROCESS = 0x00000001
    CREATE_NEW_CONSOLE = 0x00000010
    class STARTUPINFO(Structure):
        _fields_ = [
            ("cb", DWORD),
            ("lpReserved", LPTSTR),
            ("lpDesktop", LPTSTR),
            ("lpTitle", LPTSTR),
            ("dwX", DWORD),
            ("dwY", DWORD),
            ("dwXSize", DWORD),
            ("dwYSize", DWORD),
            ("dwXCountChars", DWORD),
            ("dwYCountChars", DWORD),
            ("dwFillAttribute", DWORD),
            ("dwFlags", DWORD),
            ("wShowWindow", WORD),
            ("cbReserved2", WORD),
            ("lpReserved2", LPBYTE),
            ("hStdInput", HANDLE),
            ("hStdOutput", HANDLE),
            ("hStdError", HANDLE),
        ]
    class PROCESS_INFORMATION(Structure):
        _fields_ = [
            ("hProcess", HANDLE),
            ("hThread", HANDLE),
            ("dwProcessId", DWORD),
            ("dwThreadId", DWORD),
        ]


    kernel32 = windll.kernel32
    class debugger():
        def __init__(self):
            pass

        def load(path_to_exe):
            creation_flags = DEBUG_PROCESS
            startupinfo = STARTUPINFO()
            processinfo = PROCESS_INFORMATION()
            startupinfo.dwFlags = 0x1
            startupinfo.wShowWindow = 0x0
            startupinfo.cb = sizeof(startupinfo)
            if kernel32.CreateProcessA(path_to_exe,None,None,None,None,creation_flags,None,None,byref(startupinfo),byref(processinfo)):
                print("[*] Process launched")
                print("[*] PID: %d" % (PROCESS_INFORMATION.dwProcessId))
            else:
                print("[*] Error: 0x%08x." % (kernel32.GetLastError()))

    debugger.load("C:\\WINDOWS\\system32\\calc.exe")

Whenever I run it, it goes to the error. :( I figured out that the reason it is going to that error is because kernel32.CreateProcessA is returning false. I'm actually following along with Gray Hat Python right now, and I'm converting this code to Python 3 as I read it.

My question is, what is the kernel32.CreateProcessA doing, why is it returning false, and how can I prevent it from returning false?

Any help would be much appreciated!

python
ctypes
asked on Stack Overflow Mar 2, 2013 by Norton Penguinion • edited Nov 6, 2013 by glglgl

6 Answers

3

You have several errors in your code:

The first error is that the load method of the debugger class is defined wrongly. Most probably, in your case, it should be a staticmethod:

    # . . .

    # This decorator is required to make the method static
    @staticmethod
    def load(path_to_exe):
        creation_flags = DEBUG_PROCESS
        startupinfo = STARTUPINFO()
        processinfo = PROCESS_INFORMATION()
        startupinfo.dwFlags = 0x1

    # . . .

The second error is at the print if the process was created:

    if kernel32.CreateProcessA(path_to_exe,None,None,None,None,
                               creation_flags,None,None,
                               byref(startupinfo),byref(processinfo)):
        print("[*] Process launched")

        # ERROR AT THE LINE BELOW
        # Your variant: print("[*] PID: %d" % (PROCESS_INFORMATION.dwProcessId))
        # But it should be the structure itself, not its "type"
        print("[*] PID: %d" % (processinfo.dwProcessId))
    else:
        print("[*] Error: 0x%08x." % (kernel32.GetLastError()))

In my case it works (Windows XP). If your process is not really started and you get in the console a message something like this:

    [*] Error: 0x00000002

then, if you use Python 3.x, you should use not CreateProcessA but the CreateProcessW function, because all strings in Python 3.x are Unicode (in WinAPI, all functions ending with 'A' accept ASCII strings and those ending with 'W' accept Unicode strings). A more exact answer is possible if you write what error or exception occurred in your case.

answered on Stack Overflow May 2, 2014 by Alexei
2

I had a problem when I ran a program like yours on win64. But when I changed kernel32.CreateProcessA to kernel32.CreateProcessW, the program ran successfully.

answered on Stack Overflow Mar 1, 2014 by xue1
1

Switch your first two parameters so you have something like:

    kernel32.CreateProcessA(c_char_p(0),c_char_p(path_to_exe),0,0,0,creation_flags,0,0,byref(startupinfo),byref(processinfo))
answered on Stack Overflow Dec 7, 2013 by redblacktree
1

You should call the GetLastError function to know what the error really is.

    ctypes.windll.kernel32.GetLastError

And I found this detailed post explaining how to debug and fix the error caused by CreateProcessA: Python CreateProcessA returns FALSE

answered on Stack Overflow May 2, 2014 by Mark Ma
0
  1. this line must have brackets: debugger().load("C:\WINDOWS\system32\calc.exe")

  2. this line must contain self: def load(self,path_to_exe)

  3. if static, it must not contain self: @staticmethod def load(path_to_exe)

  4. this line must be: print("[*] PID: %d" % processinfo.dwProcessId)
answered on Stack Overflow Oct 18, 2016 by Atec
0
  1. According to a quick sum-up of the differences between Python 2.x and 3.x: Python 2 has separate ASCII str() and unicode() types. Python 3 has only a Unicode (utf-8) string type.

  2. According to the WinAPI docs, CreateProcess() has a Unicode version, which is defined as CreateProcessW() with the same params.

So if you use Python 2.x, use CreateProcessA(). In case of Python 3.x, use CreateProcessW().

answered on Stack Overflow Jan 23, 2018 by MiDi
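Pulling together the fixes from Alexei's answer (make load a real method, print the processinfo instance, read the error code) and MiDi's answer (use the W-suffixed API for Python 3 str), here is a Python 3 version of the debugger's load routine. This is an added example, not code from the question, from Gray Hat Python or from any of the answers: the class, function and constant names (Debugger, make_startupinfo, layout_check, format_win32_error, WIN32_ERRORS) are my own, the struct and flag definitions are the documented Win32 ones, and the parts that touch kernel32 assume they run on Windows. The struct-layout and error-formatting helpers run on any platform, which is how the example shows why the question's DWORD = c_ulong is a latent portability bug.

```python
import sys
import ctypes
from ctypes import (Structure, POINTER, byref, sizeof, create_unicode_buffer,
                    c_int, c_ubyte, c_uint16, c_uint32, c_void_p, c_wchar_p)

# Fixed-width aliases: the question's DWORD = c_ulong is 4 bytes on Windows
# but 8 bytes on 64-bit Linux, which silently breaks the struct layout there.
WORD = c_uint16
DWORD = c_uint32
BOOL = c_int
HANDLE = c_void_p
LPBYTE = POINTER(c_ubyte)
LPWSTR = c_wchar_p   # UTF-16, the type a Python 3 str is marshalled to

DEBUG_PROCESS = 0x00000001
STARTF_USESHOWWINDOW = 0x00000001
SW_SHOWNORMAL = 1

# Win32 error codes worth recognising. A Python 3 str given to CreateProcessA
# arrives as UTF-16, so it sees "C", then a NUL, and fails with code 2.
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND",
                5: "ERROR_ACCESS_DENIED", 87: "ERROR_INVALID_PARAMETER",
                193: "ERROR_BAD_EXE_FORMAT"}

class STARTUPINFOW(Structure):
    _fields_ = [("cb", DWORD), ("lpReserved", LPWSTR), ("lpDesktop", LPWSTR),
                ("lpTitle", LPWSTR), ("dwX", DWORD), ("dwY", DWORD),
                ("dwXSize", DWORD), ("dwYSize", DWORD),
                ("dwXCountChars", DWORD), ("dwYCountChars", DWORD),
                ("dwFillAttribute", DWORD), ("dwFlags", DWORD),
                ("wShowWindow", WORD), ("cbReserved2", WORD),
                ("lpReserved2", LPBYTE), ("hStdInput", HANDLE),
                ("hStdOutput", HANDLE), ("hStdError", HANDLE)]

class PROCESS_INFORMATION(Structure):
    _fields_ = [("hProcess", HANDLE), ("hThread", HANDLE),
                ("dwProcessId", DWORD), ("dwThreadId", DWORD)]

def layout_check():
    """True if the ctypes layouts match the documented Win32 sizes
    (STARTUPINFOW 68/104 bytes, PROCESS_INFORMATION 16/24 on x86/x64)."""
    expect = (68, 16) if sizeof(c_void_p) == 4 else (104, 24)
    return (sizeof(STARTUPINFOW), sizeof(PROCESS_INFORMATION)) == expect

def format_win32_error(code):
    """Render a GetLastError() value as the question prints it, plus a name."""
    return "0x%08x (%s)" % (code, WIN32_ERRORS.get(code, "unknown"))

def make_startupinfo(show_window=SW_SHOWNORMAL):
    """cb must hold the struct size or CreateProcess rejects the call."""
    si = STARTUPINFOW()
    si.cb = sizeof(si)
    si.dwFlags = STARTF_USESHOWWINDOW
    si.wShowWindow = show_window
    return si

class Debugger:
    k32 = None
    pi = None

    def _bind_kernel32(self):
        # use_last_error=True snapshots GetLastError() right after each call,
        # before Python's own runtime can clobber it.
        k32 = ctypes.WinDLL("kernel32", use_last_error=True)
        k32.CreateProcessW.argtypes = [
            LPWSTR, LPWSTR, c_void_p, c_void_p, BOOL, DWORD, c_void_p, LPWSTR,
            POINTER(STARTUPINFOW), POINTER(PROCESS_INFORMATION)]
        k32.CreateProcessW.restype = BOOL
        k32.DebugActiveProcessStop.argtypes = [DWORD]
        k32.DebugActiveProcessStop.restype = BOOL
        k32.CloseHandle.argtypes = [HANDLE]
        k32.CloseHandle.restype = BOOL
        return k32

    def load(self, path_to_exe, creation_flags=DEBUG_PROCESS):
        """Instance method (the question's load() had no self); returns the PID."""
        if sys.platform != "win32":
            raise OSError("CreateProcessW needs Windows")
        self.k32 = self._bind_kernel32()
        si = make_startupinfo()
        pi = PROCESS_INFORMATION()
        # CreateProcessW may write into lpCommandLine, so hand it a writable
        # buffer, never an immutable Python str.
        cmdline = create_unicode_buffer('"%s"' % path_to_exe)
        if not self.k32.CreateProcessW(path_to_exe, cmdline, None, None, False,
                                       creation_flags, None, None,
                                       byref(si), byref(pi)):
            raise OSError(format_win32_error(ctypes.get_last_error()))
        self.pi = pi   # the instance, not the PROCESS_INFORMATION type
        return pi.dwProcessId

    def detach(self):
        """With DEBUG_PROCESS the child stays frozen at its first debug event
        until we pump WaitForDebugEvent/ContinueDebugEvent or detach."""
        self.k32.DebugActiveProcessStop(self.pi.dwProcessId)
        self.k32.CloseHandle(self.pi.hThread)
        self.k32.CloseHandle(self.pi.hProcess)
```

On Windows, `Debugger().load(r"C:\Windows\System32\calc.exe")` returns the child's PID and leaves it suspended at its initial debug event; `detach()` releases it, which is what a real debugger replaces with a WaitForDebugEvent/ContinueDebugEvent loop. Declaring argtypes is what makes the A-versus-W mistake impossible to repeat: with `LPWSTR` declared, ctypes refuses a `bytes` argument instead of quietly passing mis-encoded memory, and with `use_last_error=True` the code reported by `ctypes.get_last_error()` is the one CreateProcessW actually set.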

User contributions licensed under CC BY-SA 3.0