无法附加到调试器中的进程
Unable to attach to the process in the debugger
我跟着灰帽Python做了一个调试器,但效果不佳。
我运行 calc.exe 并找到了它的 PID,但调试器无法附加到该进程。我既从书上抄了代码,也从网上下载了代码,两者结果完全相同。下面是我的代码:
from ctypes import *
from my_debugger_defines import *
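kernel32 = windll.kernel32
# OpenProcess returns a HANDLE. ctypes' default restype is c_int, which would
# truncate a 64-bit handle value; declare it pointer-sized so the stored
# h_process is usable from 64-bit Python as well (a NULL result comes back as
# None, which is still falsy for the callers' checks).
kernel32.OpenProcess.restype = c_void_p
# NOTE(review): kernel32.GetLastError() must be read immediately after the
# failing call -- any intervening Python work (a print, for instance) may
# reset it. WinDLL("kernel32", use_last_error=True) plus ctypes.get_last_error()
# is the robust alternative if this module is reworked.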
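class debugger():
    """Minimal user-mode Win32 debugger built on the kernel32 debugging API.

    Usage: either load(path) to spawn a target under DEBUG_PROCESS, or
    attach(pid) to debug a running process; run()/get_debug_event() pump the
    debug-event loop and detach() releases the target.

    Failures print the Win32 error code from GetLastError(), which is the
    first thing to look at when an attach is refused. NOTE(review): a 32-bit
    Python (WOW64) cannot debug a 64-bit target -- DebugActiveProcess fails
    in that case -- and the ctypes struct definitions must use pointer-sized
    HANDLE/UINT_PTR to be valid on x64.
    """

    def __init__(self):
        self.h_process = None       # OpenProcess handle to the debuggee, or None
        self.pid = None             # debuggee PID once load()/attach() succeeded
        self.debugger_active = False

    def load(self, path_to_exe):
        """Spawn path_to_exe as a debuggee and record its PID and handle.

        The process is created with DEBUG_PROCESS so its debug events are
        delivered to this debugger. On failure the error code is printed and
        nothing is stored.
        """
        # Add CREATE_NEW_CONSOLE (0x10) here if you want to see the target's GUI.
        creation_flags = DEBUG_PROCESS
        startupinfo = STARTUPINFO()
        process_information = PROCESS_INFORMATION()
        # STARTF_USESHOWWINDOW (0x1) with SW_HIDE (0x0): start the target hidden.
        startupinfo.dwFlags = 0x1
        startupinfo.wShowWindow = 0x0
        # cb must hold the struct size or CreateProcess rejects the struct.
        startupinfo.cb = sizeof(startupinfo)
        created = kernel32.CreateProcessA(path_to_exe,
                                          None,
                                          None,
                                          None,
                                          None,
                                          creation_flags,
                                          None,
                                          None,
                                          byref(startupinfo),
                                          byref(process_information))
        if not created:
            # Read the error code before anything else can overwrite it.
            err = kernel32.GetLastError()
            print("[*] Error:0x%08x." % err)
            return
        self.pid = int(process_information.dwProcessId)
        print("[*] We have successfully launched the process!")
        print("[*] PID: %d" % self.pid)
        # CreateProcess hands back two handles that nothing here uses; close
        # them so they do not leak. The debug relationship does not depend on
        # them, and open_process() below obtains the handle we keep.
        kernel32.CloseHandle(process_information.hThread)
        kernel32.CloseHandle(process_information.hProcess)
        self.h_process = self.open_process(self.pid)

    def open_process(self, pid):
        """Return a PROCESS_ALL_ACCESS handle to pid (NULL/None on failure).

        PROCESS_ALL_ACCESS is what the later memory and thread code of this
        debugger relies on; opening another user's or a higher-integrity
        process with it presumably needs SeDebugPrivilege -- check GetLastError
        when it fails.
        """
        return kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)

    def attach(self, pid):
        """Attach to the running process pid and pump its debug events.

        Prints the Win32 error code when the process cannot be opened or when
        DebugActiveProcess refuses the attach (typical causes: a 32-bit
        debugger targeting a 64-bit process, a protected or higher-integrity
        process, or a target that already has a debugger).
        """
        pid = int(pid)
        self.h_process = self.open_process(pid)
        if not self.h_process:
            # Without a handle nothing later in the debugger can work, so stop
            # here instead of attaching blind.
            err = kernel32.GetLastError()
            print("[*] Unable to open the process. Error:0x%08x." % err)
            return
        if not kernel32.DebugActiveProcess(pid):
            err = kernel32.GetLastError()
            print("[*] Unable to attach to the process.")
            print("[*] Error:0x%08x." % err)
            return
        self.debugger_active = True
        self.pid = pid
        self.run()

    def run(self):
        """Pump debug events until debugger_active is cleared."""
        while self.debugger_active:
            self.get_debug_event()

    def get_debug_event(self):
        """Wait for one debug event, then resume the debuggee with DBG_CONTINUE.

        No event handlers yet: the loop pauses for a keypress, clears
        debugger_active, and continues the reporting thread. Skipping
        ContinueDebugEvent would leave the debuggee suspended.
        """
        debug_event = DEBUG_EVENT()
        continue_status = DBG_CONTINUE
        if not kernel32.WaitForDebugEvent(byref(debug_event), INFINITE):
            return
        raw_input("press a key to continue...")
        self.debugger_active = False
        kernel32.ContinueDebugEvent(debug_event.dwProcessId,
                                    debug_event.dwThreadId,
                                    continue_status)

    def detach(self):
        """Stop debugging the attached process.

        Returns True when DebugActiveProcessStop succeeds, False otherwise.
        When no attach has succeeded (self.pid is None) it says so and returns
        False without calling the API (ctypes would pass None as 0, which the
        API rejects -- the source of the extra "There was an error" seen
        after a failed attach).
        """
        if self.pid is None:
            print("[*] Nothing to detach from: no debuggee is attached.")
            return False
        if not kernel32.DebugActiveProcessStop(self.pid):
            err = kernel32.GetLastError()
            print("There was an error (0x%08x)." % err)
            return False
        print("[*] Finished debugging. Exiting...")
        self.debugger_active = False
        # Release the handle taken by open_process().
        if self.h_process:
            kernel32.CloseHandle(self.h_process)
            self.h_process = None
        return True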
每次我运行程序时,它都会打印“[*] Unable to attach to the process.”和“There was an error”。
这是我的 test.py.
import my_debugger
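debugger = my_debugger.debugger()
# int() raises ValueError on junk input; fail with a message, not a traceback.
raw_pid = raw_input("Enter the PID of the process to attach to: ")
try:
    pid = int(raw_pid.strip())
except ValueError:
    print("[*] '%s' is not a valid PID." % raw_pid)
else:
    debugger.attach(pid)
    # attach() records the PID only once DebugActiveProcess succeeded;
    # detaching after a failed attach just produces a second error message.
    if debugger.pid is not None:
        debugger.detach()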
为什么?是我电脑系统的问题吗?Windows 8.1 上可以用 kernel32 吗?该如何解决?
本书中的这段代码只针对 32 位平台(HANDLE、UINT_PTR 等都按 4 字节定义),而且 32 位的调试器无法调试 64 位进程——DebugActiveProcess 会直接失败,所以 32 位 Python 附加不上 64 位的 calc.exe。解决办法是用 64 位 Python 配合指针大小正确的定义(HANDLE = c_void_p、UINT_PTR 为指针大小),或者改为调试一个 32 位目标(例如 C:\Windows\SysWOW64\calc.exe)。在失败分支打印 GetLastError() 的返回值可以确认具体原因。
查看问题Python WaitForDebugEvent & ContinueDebugEvent (Gray Hat Python)的答案。也许他们会帮助你。
“my_debugger_defines.py”文件的内容应该如下...
它适用于 64 位平台(HANDLE/PVOID 已改为 c_void_p)。注意:下面的 UINT_PTR = c_ulong 在 64 位 Windows 上仍然只有 4 字节,会使 EXCEPTION_RECORD 乃至 DEBUG_EVENT 比真实结构体小,WaitForDebugEvent 写入时会越过 ctypes 缓冲区;应改为指针大小的类型(例如 c_size_t)。
from ctypes import *
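# Win32 type aliases. These are Windows-only definitions: DWORD is a 32-bit
# unsigned value, which c_ulong is on Windows (LLP64) even for x64 builds.
BYTE = c_ubyte
WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)
# Pointer-sized types: must be c_void_p (not c_ulong, as in the book's 32-bit
# version) or every struct with a HANDLE/pointer member is laid out wrong on x64.
HANDLE = c_void_p
PVOID = c_void_p
LPVOID = c_void_p
# ULONG_PTR/UINT_PTR is pointer-sized as well. c_ulong is only 4 bytes on
# Windows x64, which made EXCEPTION_RECORD.ExceptionInformation (15 entries)
# 60 bytes instead of 120 and therefore DEBUG_EVENT too small -- the API then
# writes past the end of the ctypes buffer. c_size_t is pointer-sized everywhere.
UINT_PTR = c_size_t
# CreateProcess dwCreationFlags: debug the new process and its children.
DEBUG_PROCESS = 0x00000001
# Pre-Vista PROCESS_ALL_ACCESS mask; still accepted by OpenProcess on later
# versions (which define a superset, 0x1FFFFF).
PROCESS_ALL_ACCESS = 0x001F0FFF
INFINITE = 0xFFFFFFFF
# ContinueDebugEvent status: exception handled / resume the thread.
DBG_CONTINUE = 0x00010002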
class STARTUPINFO(Structure):
    """ctypes mirror of the Win32 STARTUPINFOA struct given to CreateProcessA.

    Field order and types must match the SDK header exactly; the caller sets
    `cb` to sizeof(STARTUPINFO) before the call.
    """
    _fields_ = [
        ("cb", DWORD),
        ("lpReserved", LPTSTR),
        ("lpDesktop", LPTSTR),
        ("lpTitle", LPTSTR),
        ("dwX", DWORD),
        ("dwY", DWORD),
        ("dwXSize", DWORD),
        ("dwYSize", DWORD),
        ("dwXCountChars", DWORD),
        ("dwYCountChars", DWORD),
        ("dwFillAttribute",DWORD),
        ("dwFlags", DWORD),
        ("wShowWindow", WORD),
        ("cbReserved2", WORD),
        ("lpReserved2", LPBYTE),
        ("hStdInput", HANDLE),
        ("hStdOutput", HANDLE),
        ("hStdError", HANDLE),
    ]
class PROCESS_INFORMATION(Structure):
    """Win32 PROCESS_INFORMATION filled by CreateProcess: the new process and
    primary-thread handles (the caller owns and must close them) plus their IDs.
    """
    _fields_ = [
        ("hProcess", HANDLE),
        ("hThread", HANDLE),
        ("dwProcessId", DWORD),
        ("dwThreadId", DWORD),
    ]
class EXCEPTION_RECORD(Structure):
    """Win32 EXCEPTION_RECORD.

    The struct is self-referential (ExceptionRecord points to the next record
    in a chain), so _fields_ is assigned after the class exists. In the SDK
    ExceptionInformation is ULONG_PTR[15]; UINT_PTR must therefore be
    pointer-sized for this struct -- and DEBUG_EVENT, which embeds it -- to
    have the correct size on x64.
    """
    pass


EXCEPTION_RECORD._fields_ = [
    ("ExceptionCode", DWORD),
    ("ExceptionFlags", DWORD),
    ("ExceptionRecord", POINTER(EXCEPTION_RECORD)),
    ("ExceptionAddress", PVOID),
    ("NumberParameters", DWORD),
    ("ExceptionInformation", UINT_PTR * 15),
]
class _EXCEPTION_RECORD(Structure):
    """Duplicate of EXCEPTION_RECORD with the same layout.

    Nothing visible in this file uses it (its ExceptionRecord pointer still
    targets EXCEPTION_RECORD); kept only so existing imports keep resolving.
    """
    _fields_ = [
        ("ExceptionCode", DWORD),
        ("ExceptionFlags", DWORD),
        ("ExceptionRecord", POINTER(EXCEPTION_RECORD)),
        ("ExceptionAddress", PVOID),
        ("NumberParameters", DWORD),
        ("ExceptionInformation", UINT_PTR * 15),
    ]
class EXCEPTION_DEBUG_INFO(Structure):
    """Payload of an EXCEPTION_DEBUG_EVENT: the record plus dwFirstChance
    (non-zero on the first-chance notification, before the debuggee's own
    handlers run)."""
    _fields_ = [
        ("ExceptionRecord", EXCEPTION_RECORD),
        ("dwFirstChance", DWORD),
    ]
class CREATE_PROCESS_DEBUG_INFO(Structure):
    """Payload of a CREATE_PROCESS_DEBUG_EVENT.

    lpStartAddress is a function pointer in the SDK; HANDLE is used here only
    because it is pointer-sized, which is all that matters for the layout.
    """
    _fields_ = [
        ("hFile", HANDLE),
        ("hProcess", HANDLE),
        ("hThread", HANDLE),
        ("lpBaseOfImage", LPVOID),
        ("dwDebugInfoFileOffset",DWORD),
        ("nDebugInfoSize", DWORD),
        ("lpThreadLocalBase", LPVOID),
        ("lpStartAddress", HANDLE),
        ("lpImageName", LPVOID),
        ("fUnicode", WORD)
    ]
class CREATE_THREAD_DEBUG_INFO(Structure):
    """Payload of a CREATE_THREAD_DEBUG_EVENT (lpStartAddress is a
    pointer-sized function pointer, declared as HANDLE here)."""
    _fields_ = [
        ("hThread", HANDLE),
        ("lpThreadLocalBase", LPVOID),
        ("lpStartAddress", HANDLE)
    ]
class EXIT_THREAD_DEBUG_INFO(Structure):
    """Payload of an EXIT_THREAD_DEBUG_EVENT: the thread's exit code."""
    _fields_ = [
        ("dwExitCode", DWORD)
    ]
class EXIT_PROCESS_DEBUG_INFO(Structure):
    """Payload of an EXIT_PROCESS_DEBUG_EVENT: the process's exit code."""
    _fields_ = [
        ("dwExitCode", DWORD)
    ]
class LOAD_DLL_DEBUG_INFO(Structure):
    """Payload of a LOAD_DLL_DEBUG_EVENT. hFile is a handle the debugger owns
    and should close once done with it."""
    _fields_ = [
        ("hFile", HANDLE),
        ("lpBaseOfDll", LPVOID),
        ("dwDebugInfoFileOffset", DWORD),
        ("nDebugInfoSize", DWORD),
        ("lpImageName", LPVOID),
        ("fUnicode", WORD)
    ]
class UNLOAD_DLL_DEBUG_INFO(Structure):
    """Payload of an UNLOAD_DLL_DEBUG_EVENT: base address of the unloaded DLL."""
    _fields_ = [
        ("lpBaseOfDll", LPVOID)
    ]
class OUTPUT_DEBUG_STRING_INFO(Structure):
    """Payload of an OUTPUT_DEBUG_STRING_EVENT.

    lpDebugStringData points into the *debuggee's* address space; it must be
    read with ReadProcessMemory, not dereferenced here.
    """
    _fields_ = [
        ("lpDebugStringData", LPTSTR),
        ("fUnicode", WORD),
        ("nDebugStringLength", WORD)
    ]
class RIP_INFO(Structure):
    """Payload of a RIP_EVENT (system debugging error): error code and type."""
    _fields_ = [
        ("dwError", DWORD),
        ("dwType", DWORD)
    ]
class DEBUG_EVENT_UNION(Union):
    """The per-event-type union inside DEBUG_EVENT; dwDebugEventCode selects
    which member is valid. Its size is that of the largest member
    (EXCEPTION_DEBUG_INFO), so that struct's layout drives DEBUG_EVENT's size."""
    _fields_ = [
        ("Exception", EXCEPTION_DEBUG_INFO),
        ("CreateThread", CREATE_THREAD_DEBUG_INFO),
        ("CreateProcessInfo", CREATE_PROCESS_DEBUG_INFO),
        ("ExitThread", EXIT_THREAD_DEBUG_INFO),
        ("ExitProcess", EXIT_PROCESS_DEBUG_INFO),
        ("LoadDll", LOAD_DLL_DEBUG_INFO),
        ("UnloadDll", UNLOAD_DLL_DEBUG_INFO),
        ("DebugString", OUTPUT_DEBUG_STRING_INFO),
        ("RipInfo", RIP_INFO),
    ]
class DEBUG_EVENT(Structure):
    """Win32 DEBUG_EVENT filled in by WaitForDebugEvent.

    The API writes the full SDK-sized struct into the buffer it is given, so
    this definition must be at least as large as the real one: an undersized
    layout on x64 (e.g. a 4-byte UINT_PTR) lets the kernel write past the end
    of the ctypes object.
    """
    _fields_ = [
        ("dwDebugEventCode", DWORD),
        ("dwProcessId", DWORD),
        ("dwThreadId", DWORD),
        ("u", DEBUG_EVENT_UNION),
    ]
我跟着《灰帽 Python》做了一个调试器,但效果不佳。我运行 calc.exe 并找到了它的 PID,但调试器无法附加到该进程。我既从书上抄了代码,也从网上下载了代码,两者结果完全相同。下面是我的代码:
from ctypes import *
from my_debugger_defines import *
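kernel32 = windll.kernel32
# OpenProcess returns a HANDLE. ctypes' default restype is c_int, which would
# truncate a 64-bit handle value; declare it pointer-sized so the stored
# h_process is usable from 64-bit Python as well (a NULL result comes back as
# None, which is still falsy for the callers' checks).
kernel32.OpenProcess.restype = c_void_p
# NOTE(review): kernel32.GetLastError() must be read immediately after the
# failing call -- any intervening Python work (a print, for instance) may
# reset it. WinDLL("kernel32", use_last_error=True) plus ctypes.get_last_error()
# is the robust alternative if this module is reworked.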
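class debugger():
    """Minimal user-mode Win32 debugger built on the kernel32 debugging API.

    Usage: either load(path) to spawn a target under DEBUG_PROCESS, or
    attach(pid) to debug a running process; run()/get_debug_event() pump the
    debug-event loop and detach() releases the target.

    Failures print the Win32 error code from GetLastError(), which is the
    first thing to look at when an attach is refused. NOTE(review): a 32-bit
    Python (WOW64) cannot debug a 64-bit target -- DebugActiveProcess fails
    in that case -- and the ctypes struct definitions must use pointer-sized
    HANDLE/UINT_PTR to be valid on x64.
    """

    def __init__(self):
        self.h_process = None       # OpenProcess handle to the debuggee, or None
        self.pid = None             # debuggee PID once load()/attach() succeeded
        self.debugger_active = False

    def load(self, path_to_exe):
        """Spawn path_to_exe as a debuggee and record its PID and handle.

        The process is created with DEBUG_PROCESS so its debug events are
        delivered to this debugger. On failure the error code is printed and
        nothing is stored.
        """
        # Add CREATE_NEW_CONSOLE (0x10) here if you want to see the target's GUI.
        creation_flags = DEBUG_PROCESS
        startupinfo = STARTUPINFO()
        process_information = PROCESS_INFORMATION()
        # STARTF_USESHOWWINDOW (0x1) with SW_HIDE (0x0): start the target hidden.
        startupinfo.dwFlags = 0x1
        startupinfo.wShowWindow = 0x0
        # cb must hold the struct size or CreateProcess rejects the struct.
        startupinfo.cb = sizeof(startupinfo)
        created = kernel32.CreateProcessA(path_to_exe,
                                          None,
                                          None,
                                          None,
                                          None,
                                          creation_flags,
                                          None,
                                          None,
                                          byref(startupinfo),
                                          byref(process_information))
        if not created:
            # Read the error code before anything else can overwrite it.
            err = kernel32.GetLastError()
            print("[*] Error:0x%08x." % err)
            return
        self.pid = int(process_information.dwProcessId)
        print("[*] We have successfully launched the process!")
        print("[*] PID: %d" % self.pid)
        # CreateProcess hands back two handles that nothing here uses; close
        # them so they do not leak. The debug relationship does not depend on
        # them, and open_process() below obtains the handle we keep.
        kernel32.CloseHandle(process_information.hThread)
        kernel32.CloseHandle(process_information.hProcess)
        self.h_process = self.open_process(self.pid)

    def open_process(self, pid):
        """Return a PROCESS_ALL_ACCESS handle to pid (NULL/None on failure).

        PROCESS_ALL_ACCESS is what the later memory and thread code of this
        debugger relies on; opening another user's or a higher-integrity
        process with it presumably needs SeDebugPrivilege -- check GetLastError
        when it fails.
        """
        return kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)

    def attach(self, pid):
        """Attach to the running process pid and pump its debug events.

        Prints the Win32 error code when the process cannot be opened or when
        DebugActiveProcess refuses the attach (typical causes: a 32-bit
        debugger targeting a 64-bit process, a protected or higher-integrity
        process, or a target that already has a debugger).
        """
        pid = int(pid)
        self.h_process = self.open_process(pid)
        if not self.h_process:
            # Without a handle nothing later in the debugger can work, so stop
            # here instead of attaching blind.
            err = kernel32.GetLastError()
            print("[*] Unable to open the process. Error:0x%08x." % err)
            return
        if not kernel32.DebugActiveProcess(pid):
            err = kernel32.GetLastError()
            print("[*] Unable to attach to the process.")
            print("[*] Error:0x%08x." % err)
            return
        self.debugger_active = True
        self.pid = pid
        self.run()

    def run(self):
        """Pump debug events until debugger_active is cleared."""
        while self.debugger_active:
            self.get_debug_event()

    def get_debug_event(self):
        """Wait for one debug event, then resume the debuggee with DBG_CONTINUE.

        No event handlers yet: the loop pauses for a keypress, clears
        debugger_active, and continues the reporting thread. Skipping
        ContinueDebugEvent would leave the debuggee suspended.
        """
        debug_event = DEBUG_EVENT()
        continue_status = DBG_CONTINUE
        if not kernel32.WaitForDebugEvent(byref(debug_event), INFINITE):
            return
        raw_input("press a key to continue...")
        self.debugger_active = False
        kernel32.ContinueDebugEvent(debug_event.dwProcessId,
                                    debug_event.dwThreadId,
                                    continue_status)

    def detach(self):
        """Stop debugging the attached process.

        Returns True when DebugActiveProcessStop succeeds, False otherwise.
        When no attach has succeeded (self.pid is None) it says so and returns
        False without calling the API (ctypes would pass None as 0, which the
        API rejects -- the source of the extra "There was an error" seen
        after a failed attach).
        """
        if self.pid is None:
            print("[*] Nothing to detach from: no debuggee is attached.")
            return False
        if not kernel32.DebugActiveProcessStop(self.pid):
            err = kernel32.GetLastError()
            print("There was an error (0x%08x)." % err)
            return False
        print("[*] Finished debugging. Exiting...")
        self.debugger_active = False
        # Release the handle taken by open_process().
        if self.h_process:
            kernel32.CloseHandle(self.h_process)
            self.h_process = None
        return True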
每次我运行程序时,它都会打印“[*] Unable to attach to the process.”和“There was an error”。下面是我的 test.py:
import my_debugger
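debugger = my_debugger.debugger()
# int() raises ValueError on junk input; fail with a message, not a traceback.
raw_pid = raw_input("Enter the PID of the process to attach to: ")
try:
    pid = int(raw_pid.strip())
except ValueError:
    print("[*] '%s' is not a valid PID." % raw_pid)
else:
    debugger.attach(pid)
    # attach() records the PID only once DebugActiveProcess succeeded;
    # detaching after a failed attach just produces a second error message.
    if debugger.pid is not None:
        debugger.detach()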
为什么?是我电脑系统的问题吗?Windows 8.1 上可以用 kernel32 吗?该如何解决?
本书中的这段代码只针对 32 位平台(HANDLE、UINT_PTR 等都按 4 字节定义),而且 32 位的调试器无法调试 64 位进程——DebugActiveProcess 会直接失败,所以 32 位 Python 附加不上 64 位的 calc.exe。解决办法是用 64 位 Python 配合指针大小正确的定义(HANDLE = c_void_p、UINT_PTR 为指针大小),或者改为调试一个 32 位目标(例如 C:\Windows\SysWOW64\calc.exe)。在失败分支打印 GetLastError() 的返回值可以确认具体原因。
查看问题Python WaitForDebugEvent & ContinueDebugEvent (Gray Hat Python)的答案。也许他们会帮助你。
“my_debugger_defines.py”文件的内容应该如下...
它适用于 64 位平台(HANDLE/PVOID 已改为 c_void_p)。注意:下面的 UINT_PTR = c_ulong 在 64 位 Windows 上仍然只有 4 字节,会使 EXCEPTION_RECORD 乃至 DEBUG_EVENT 比真实结构体小,WaitForDebugEvent 写入时会越过 ctypes 缓冲区;应改为指针大小的类型(例如 c_size_t)。
from ctypes import *
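# Win32 type aliases. These are Windows-only definitions: DWORD is a 32-bit
# unsigned value, which c_ulong is on Windows (LLP64) even for x64 builds.
BYTE = c_ubyte
WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)
# Pointer-sized types: must be c_void_p (not c_ulong, as in the book's 32-bit
# version) or every struct with a HANDLE/pointer member is laid out wrong on x64.
HANDLE = c_void_p
PVOID = c_void_p
LPVOID = c_void_p
# ULONG_PTR/UINT_PTR is pointer-sized as well. c_ulong is only 4 bytes on
# Windows x64, which made EXCEPTION_RECORD.ExceptionInformation (15 entries)
# 60 bytes instead of 120 and therefore DEBUG_EVENT too small -- the API then
# writes past the end of the ctypes buffer. c_size_t is pointer-sized everywhere.
UINT_PTR = c_size_t
# CreateProcess dwCreationFlags: debug the new process and its children.
DEBUG_PROCESS = 0x00000001
# Pre-Vista PROCESS_ALL_ACCESS mask; still accepted by OpenProcess on later
# versions (which define a superset, 0x1FFFFF).
PROCESS_ALL_ACCESS = 0x001F0FFF
INFINITE = 0xFFFFFFFF
# ContinueDebugEvent status: exception handled / resume the thread.
DBG_CONTINUE = 0x00010002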
class STARTUPINFO(Structure):
    """ctypes mirror of the Win32 STARTUPINFOA struct given to CreateProcessA.

    Field order and types must match the SDK header exactly; the caller sets
    `cb` to sizeof(STARTUPINFO) before the call.
    """
    _fields_ = [
        ("cb", DWORD),
        ("lpReserved", LPTSTR),
        ("lpDesktop", LPTSTR),
        ("lpTitle", LPTSTR),
        ("dwX", DWORD),
        ("dwY", DWORD),
        ("dwXSize", DWORD),
        ("dwYSize", DWORD),
        ("dwXCountChars", DWORD),
        ("dwYCountChars", DWORD),
        ("dwFillAttribute",DWORD),
        ("dwFlags", DWORD),
        ("wShowWindow", WORD),
        ("cbReserved2", WORD),
        ("lpReserved2", LPBYTE),
        ("hStdInput", HANDLE),
        ("hStdOutput", HANDLE),
        ("hStdError", HANDLE),
    ]
class PROCESS_INFORMATION(Structure):
    """Win32 PROCESS_INFORMATION filled by CreateProcess: the new process and
    primary-thread handles (the caller owns and must close them) plus their IDs.
    """
    _fields_ = [
        ("hProcess", HANDLE),
        ("hThread", HANDLE),
        ("dwProcessId", DWORD),
        ("dwThreadId", DWORD),
    ]
class EXCEPTION_RECORD(Structure):
    """Win32 EXCEPTION_RECORD.

    The struct is self-referential (ExceptionRecord points to the next record
    in a chain), so _fields_ is assigned after the class exists. In the SDK
    ExceptionInformation is ULONG_PTR[15]; UINT_PTR must therefore be
    pointer-sized for this struct -- and DEBUG_EVENT, which embeds it -- to
    have the correct size on x64.
    """
    pass


EXCEPTION_RECORD._fields_ = [
    ("ExceptionCode", DWORD),
    ("ExceptionFlags", DWORD),
    ("ExceptionRecord", POINTER(EXCEPTION_RECORD)),
    ("ExceptionAddress", PVOID),
    ("NumberParameters", DWORD),
    ("ExceptionInformation", UINT_PTR * 15),
]
class _EXCEPTION_RECORD(Structure):
    """Duplicate of EXCEPTION_RECORD with the same layout.

    Nothing visible in this file uses it (its ExceptionRecord pointer still
    targets EXCEPTION_RECORD); kept only so existing imports keep resolving.
    """
    _fields_ = [
        ("ExceptionCode", DWORD),
        ("ExceptionFlags", DWORD),
        ("ExceptionRecord", POINTER(EXCEPTION_RECORD)),
        ("ExceptionAddress", PVOID),
        ("NumberParameters", DWORD),
        ("ExceptionInformation", UINT_PTR * 15),
    ]
class EXCEPTION_DEBUG_INFO(Structure):
    """Payload of an EXCEPTION_DEBUG_EVENT: the record plus dwFirstChance
    (non-zero on the first-chance notification, before the debuggee's own
    handlers run)."""
    _fields_ = [
        ("ExceptionRecord", EXCEPTION_RECORD),
        ("dwFirstChance", DWORD),
    ]
class CREATE_PROCESS_DEBUG_INFO(Structure):
    """Payload of a CREATE_PROCESS_DEBUG_EVENT.

    lpStartAddress is a function pointer in the SDK; HANDLE is used here only
    because it is pointer-sized, which is all that matters for the layout.
    """
    _fields_ = [
        ("hFile", HANDLE),
        ("hProcess", HANDLE),
        ("hThread", HANDLE),
        ("lpBaseOfImage", LPVOID),
        ("dwDebugInfoFileOffset",DWORD),
        ("nDebugInfoSize", DWORD),
        ("lpThreadLocalBase", LPVOID),
        ("lpStartAddress", HANDLE),
        ("lpImageName", LPVOID),
        ("fUnicode", WORD)
    ]
class CREATE_THREAD_DEBUG_INFO(Structure):
    """Payload of a CREATE_THREAD_DEBUG_EVENT (lpStartAddress is a
    pointer-sized function pointer, declared as HANDLE here)."""
    _fields_ = [
        ("hThread", HANDLE),
        ("lpThreadLocalBase", LPVOID),
        ("lpStartAddress", HANDLE)
    ]
class EXIT_THREAD_DEBUG_INFO(Structure):
    """Payload of an EXIT_THREAD_DEBUG_EVENT: the thread's exit code."""
    _fields_ = [
        ("dwExitCode", DWORD)
    ]
class EXIT_PROCESS_DEBUG_INFO(Structure):
    """Payload of an EXIT_PROCESS_DEBUG_EVENT: the process's exit code."""
    _fields_ = [
        ("dwExitCode", DWORD)
    ]
class LOAD_DLL_DEBUG_INFO(Structure):
    """Payload of a LOAD_DLL_DEBUG_EVENT. hFile is a handle the debugger owns
    and should close once done with it."""
    _fields_ = [
        ("hFile", HANDLE),
        ("lpBaseOfDll", LPVOID),
        ("dwDebugInfoFileOffset", DWORD),
        ("nDebugInfoSize", DWORD),
        ("lpImageName", LPVOID),
        ("fUnicode", WORD)
    ]
class UNLOAD_DLL_DEBUG_INFO(Structure):
    """Payload of an UNLOAD_DLL_DEBUG_EVENT: base address of the unloaded DLL."""
    _fields_ = [
        ("lpBaseOfDll", LPVOID)
    ]
class OUTPUT_DEBUG_STRING_INFO(Structure):
    """Payload of an OUTPUT_DEBUG_STRING_EVENT.

    lpDebugStringData points into the *debuggee's* address space; it must be
    read with ReadProcessMemory, not dereferenced here.
    """
    _fields_ = [
        ("lpDebugStringData", LPTSTR),
        ("fUnicode", WORD),
        ("nDebugStringLength", WORD)
    ]
class RIP_INFO(Structure):
    """Payload of a RIP_EVENT (system debugging error): error code and type."""
    _fields_ = [
        ("dwError", DWORD),
        ("dwType", DWORD)
    ]
class DEBUG_EVENT_UNION(Union):
    """The per-event-type union inside DEBUG_EVENT; dwDebugEventCode selects
    which member is valid. Its size is that of the largest member
    (EXCEPTION_DEBUG_INFO), so that struct's layout drives DEBUG_EVENT's size."""
    _fields_ = [
        ("Exception", EXCEPTION_DEBUG_INFO),
        ("CreateThread", CREATE_THREAD_DEBUG_INFO),
        ("CreateProcessInfo", CREATE_PROCESS_DEBUG_INFO),
        ("ExitThread", EXIT_THREAD_DEBUG_INFO),
        ("ExitProcess", EXIT_PROCESS_DEBUG_INFO),
        ("LoadDll", LOAD_DLL_DEBUG_INFO),
        ("UnloadDll", UNLOAD_DLL_DEBUG_INFO),
        ("DebugString", OUTPUT_DEBUG_STRING_INFO),
        ("RipInfo", RIP_INFO),
    ]
class DEBUG_EVENT(Structure):
    """Win32 DEBUG_EVENT filled in by WaitForDebugEvent.

    The API writes the full SDK-sized struct into the buffer it is given, so
    this definition must be at least as large as the real one: an undersized
    layout on x64 (e.g. a 4-byte UINT_PTR) lets the kernel write past the end
    of the ctypes object.
    """
    _fields_ = [
        ("dwDebugEventCode", DWORD),
        ("dwProcessId", DWORD),
        ("dwThreadId", DWORD),
        ("u", DEBUG_EVENT_UNION),
    ]