me again. I'm continuing my journey with C and Python.
Today, I happened to be making a debugger. Currently, this is what I have
from ctypes import *
from Debugdeclares import *
kernel32 = windll.kernel32
class debugger():
def __init__(self):
self.h_process = None
self.pid = None
self.debugger_active = False
def load(self, path_to_exe):
creation_flags = DEBUG_PROCESS
startupinfo = STARTUPINFO()
processinfo = PROCESS_INFORMATION()
startupinfo.dwFlags = 0x1
startupinfo.wShowWindow = 0x0
startupinfo.cb = sizeof(startupinfo)
if kernel32.CreateProcessA(path_to_exe,None,None,None,None,creation_flags,None,None,byref(startupinfo),byref(processinfo)):
print("[n] Process launched")
print("[n] Process location: %s" % (path_to_exe))
print("[n] PID: %d" % (processinfo.dwProcessId))
self.h_process = self.open_process(processinfo.dwProcessId)
return processinfo.dwProcessId
else:
print("[n] Error: 0x%08x." % (kernel32.GetLastError()))
def open_process(self, pid):
h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS,pid,False)
This is where the error spot is, PROCESS_ALL_ACCESS is not defined. However, in the ctypes library, there is an input of that keyword. I have attempted using strings, byte strings, but to no avail. Here is some additional information about the OpenProcess function and about the Process Security and Access Rights
return h_process
def attach(self, pid):
self.h_process = self.open_process(pid)
if kernel32.DebugActiveProcess(pid) == True:
self.debugger_active = True
self.pid = int(pid)
self.run()
else:
print("[n] Unable to Attach Process")
def run(self):
while self.debugger_active == True:
self.get_debug_event()
def get_debug_event(self):
debug_event = DEBUG_EVENT()
continue_status = DBG_CONTINUE
if kernel32.WaitForDebugEvent(byref(debug_event), INFINITE):
input("[n] Nothing to see yet...")
self.debugger_active = False
kernel32.ContinueDebugEvent( \
debug_event.dwProcessId, \
debug_event.dwThreadId, \
continue_status )
def detach(self):
if kernel32.DebugActiveProcessStop(self.pid):
print("[n] Finished debugging. Exiting...")
return True
else:
print("[n] There was an error")
return False
debugger = debugger()
pid = debugger.load(b"C:\\WINDOWS\\system32\\calc.exe")
debugger.attach(pid)
debugger.detach()
So really, I'm asking: What's a bug fix?
Much Appreciated! -Norton
EDIT: Oh yes! here is my Debugdeclares script:
from ctypes import *
WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)
HANDLE = c_void_p
DEBUG_PROCESS = 0x00000001
CREATE_NEW_CONSOLE = 0x00000010
class STARTUPINFO(Structure):
_fields_ = [
("cb", DWORD),
("lpReserved", LPTSTR),
("lpDesktop", LPTSTR),
("lpTitle", LPTSTR),
("dwX", DWORD),
("dwY", DWORD),
("dwXSize", DWORD),
("dwYSize", DWORD),
("dwXCountChars", DWORD),
("dwYCountChars", DWORD),
("dwFillAttribute",DWORD),
("dwFlags", DWORD),
("wShowWindow", WORD),
("cbReserved2", WORD),
("lpReserved2", LPBYTE),
("hStdInput", HANDLE),
("hStdOutput", HANDLE),
("hStdError", HANDLE),
]
class PROCESS_INFORMATION(Structure):
_fields_ = [
("hProcess", HANDLE),
("hThread", HANDLE),
("dwProcessId", DWORD),
("dwThreadId", DWORD),
]
Your error message tells you exactly what's wrong: PROCESS_ALL_ACCESS
isn't defined, because you haven't defined it anywhere. I don't know what "in the ctypes library, there is an input of that keyword" is supposed to mean, but ctypes
doesn't define it for you.
In fact, the only place in the Python standard library where PROCESS_ALL_ACCESS
is mentioned is in an undocumented C extension used by the multiprocessing
module:
>>> from _multiprocessing import win32
>>> win32.PROCESS_ALL_ACCESS
2035711
Using that is probably a bad idea, because it is, as said, undocumented.
Because PROCESS_ALL_ACCESS
is a macro, there's no way to find out its value through something like ctypes
at runtime, so if you want it, you'll have to look up what it is for your system and define it yourself in your code. Though it's probably a better idea to heed the warning in the documentation you linked and figure out a minimum set of access rights instead.
PROCESS_ALL_ACCESS = (0x000F0000L | 0x00100000L | 0xFFF)
done.
h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS,pid,False)
this should be.
h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
checkout MSDN reference.
http://msdn.microsoft.com/es-es/library/windows/desktop/ms684320(v=vs.85).aspx
For Gray Hat Python book, you gotta read WARNING on page 30.
Download my_debugger_defines.py and replace it with your current copy.
There can be two ways to define the value to the PROCESS_ALL_ACCESS :
Either define its value as :
PROCESS_ALL_ACCESS = 0x001F0FFF
OR
Use _multiprocessing library:
from _multiprocessing import win32
h_process = kernel32.OpenProcess(win32.PROCESS_ALL_ACCESS,False,pid)
User contributions licensed under CC BY-SA 3.0