Category: Python/Ruby

2011-04-19 17:26:52

Building a Windows Debugger

2011-4-19, rough translation by 磁针石, slightly abridged

#Available for software test automation implementation and training; gtalk ouyangchongwu#gmail.com, QQ 37391319, blog: oychw.cublog.cn

#All rights reserved; please get in touch before reprinting
#Python QQ group: Shenzhen automated testing Python group: 113938272
#Wugang/Shenzhen QQ group: 66250781

Reference: Gray Hat Python: Python Programming for Hackers and Reverse Engineers (2009)

A process can be started with the Windows API function CreateProcessA(), whose prototype is:

BOOL WINAPI CreateProcessA(
    LPCSTR lpApplicationName,
    LPTSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCTSTR lpCurrentDirectory,
    LPSTARTUPINFO lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
);

A detailed description of CreateProcess can be found in:

The important parameters are lpApplicationName, lpCommandLine, dwCreationFlags, lpStartupInfo and lpProcessInformation; the others can be set to NULL. They are, in order, the application name, the command-line arguments, the creation flags (dwCreationFlags can request that the process be created as a debuggee), and pointers to two structures, STARTUPINFO and PROCESS_INFORMATION.

Create two Python files: my_debugger.py and my_debugger_defines.py

 

my_debugger_defines.py

from ctypes import *

# Let's map the Microsoft types to ctypes for clarity
WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)
HANDLE = c_void_p

# Constants
DEBUG_PROCESS = 0x00000001
CREATE_NEW_CONSOLE = 0x00000010

# Structures for CreateProcessA() function
class STARTUPINFO(Structure):
    _fields_ = [
        ("cb", DWORD),
        ("lpReserved", LPTSTR),
        ("lpDesktop", LPTSTR),
        ("lpTitle", LPTSTR),
        ("dwX", DWORD),
        ("dwY", DWORD),
        ("dwXSize", DWORD),
        ("dwYSize", DWORD),
        ("dwXCountChars", DWORD),
        ("dwYCountChars", DWORD),
        ("dwFillAttribute", DWORD),
        ("dwFlags", DWORD),
        ("wShowWindow", WORD),
        ("cbReserved2", WORD),
        ("lpReserved2", LPBYTE),
        ("hStdInput", HANDLE),
        ("hStdOutput", HANDLE),
        ("hStdError", HANDLE),
    ]

class PROCESS_INFORMATION(Structure):
    _fields_ = [
        ("hProcess", HANDLE),
        ("hThread", HANDLE),
        ("dwProcessId", DWORD),
        ("dwThreadId", DWORD),
    ]

my_debugger.py

from ctypes import *
from my_debugger_defines import *

kernel32 = windll.kernel32

class debugger():
    def __init__(self):
        pass

    def load(self, path_to_exe):
        # dwCreation flag determines how to create the process
        # set creation_flags = CREATE_NEW_CONSOLE if you want
        # to see the calculator GUI
        creation_flags = DEBUG_PROCESS

        # instantiate the structs
        startupinfo = STARTUPINFO()
        process_information = PROCESS_INFORMATION()

        # The following two options allow the started process
        # to be shown as a separate window. This also illustrates
        # how different settings in the STARTUPINFO struct can affect
        # the debuggee.
        startupinfo.dwFlags = 0x1
        startupinfo.wShowWindow = 0x0

        # We then initialize the cb variable in the STARTUPINFO struct
        # which is just the size of the struct itself
        startupinfo.cb = sizeof(startupinfo)

        # Note: under Python 3, path_to_exe must be a bytes object, since
        # CreateProcessA expects an ANSI (char*) string.
        if kernel32.CreateProcessA(path_to_exe,
                                   None,
                                   None,
                                   None,
                                   None,
                                   creation_flags,
                                   None,
                                   None,
                                   byref(startupinfo),
                                   byref(process_information)):
            print("[*] We have successfully launched the process!")
            print("[*] PID: %d" % process_information.dwProcessId)
        else:
            print("[*] Error: 0x%08x." % kernel32.GetLastError())

Calling it:

my_test.py

import my_debugger

debugger = my_debugger.debugger()
debugger.load("C:\\WINDOWS\\system32\\calc.exe")

Output:

[*] We have successfully launched the process!

[*] PID: 8376
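As an added example (not code from the post or from Gray Hat Python), here are the same two structures with fixed-width field types, plus a wrapper that sets argtypes and reads the error code with use_last_error; the names expected_startupinfo_size and launch_debuggee are my own. The size check runs on any platform, while launch_debuggee only works on Windows.

```python
import ctypes
from ctypes import (Structure, POINTER, byref, c_char_p, c_int, c_ubyte,
                    c_uint16, c_uint32, c_void_p, sizeof)
# Fixed-width Windows types: the post's DWORD = c_ulong is 4 bytes on Windows but
# 8 on LP64 systems, which silently breaks sizeof(STARTUPINFO) off-platform.
WORD, DWORD, HANDLE = c_uint16, c_uint32, c_void_p
LPSTR, LPBYTE = c_char_p, POINTER(c_ubyte)
DEBUG_PROCESS = 0x00000001         # dwCreationFlags: create the process as a debuggee
STARTF_USESHOWWINDOW = 0x00000001  # STARTUPINFO.dwFlags value the post writes as 0x1
SW_HIDE = 0                        # wShowWindow value the post writes as 0x0

class STARTUPINFO(Structure):
    _fields_ = [("cb", DWORD), ("lpReserved", LPSTR), ("lpDesktop", LPSTR),
                ("lpTitle", LPSTR), ("dwX", DWORD), ("dwY", DWORD),
                ("dwXSize", DWORD), ("dwYSize", DWORD),
                ("dwXCountChars", DWORD), ("dwYCountChars", DWORD),
                ("dwFillAttribute", DWORD), ("dwFlags", DWORD),
                ("wShowWindow", WORD), ("cbReserved2", WORD),
                ("lpReserved2", LPBYTE), ("hStdInput", HANDLE),
                ("hStdOutput", HANDLE), ("hStdError", HANDLE)]

class PROCESS_INFORMATION(Structure):
    _fields_ = [("hProcess", HANDLE), ("hThread", HANDLE),
                ("dwProcessId", DWORD), ("dwThreadId", DWORD)]

def expected_startupinfo_size():
    """sizeof(STARTUPINFOA) as Windows defines it: 68 on 32-bit, 104 on 64-bit."""
    return 104 if sizeof(c_void_p) == 8 else 68

def make_startupinfo(hide_window=True):
    """Fill STARTUPINFO as the post does: cb = struct size, window hidden."""
    si = STARTUPINFO()
    si.cb = sizeof(si)   # a wrong cb is a classic reason CreateProcessA fails
    if hide_window:
        si.dwFlags, si.wShowWindow = STARTF_USESHOWWINDOW, SW_HIDE
    return si

def launch_debuggee(path_to_exe):
    """CreateProcessA(path, DEBUG_PROCESS). Returns (pid, 0) or (None, Win32 error)."""
    if not hasattr(ctypes, "WinDLL"):
        raise OSError("CreateProcessA exists only on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)  # thread-safe GetLastError
    k32.CreateProcessA.argtypes = [c_char_p, c_char_p, c_void_p, c_void_p, c_int, DWORD,
                                   c_void_p, c_char_p, POINTER(STARTUPINFO),
                                   POINTER(PROCESS_INFORMATION)]
    si, pi = make_startupinfo(), PROCESS_INFORMATION()
    path = path_to_exe.encode() if isinstance(path_to_exe, str) else path_to_exe
    ok = k32.CreateProcessA(path, None, None, None, False, DEBUG_PROCESS, None, None,
                            byref(si), byref(pi))  # debuggee blocks on its first event
    return (pi.dwProcessId, 0) if ok else (None, ctypes.get_last_error())
```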

That is all it takes to launch a process. The code is attached (file: 1.rar, size: 2KB).
