winappdbg NtWriteVirtualMemory handle

Published 2024-04-16 17:02:05


I am using winappdbg to set a breakpoint on ntdll!NtWriteVirtualMemory.

My goal is to check whether the memory protection in the remote process is PAGE_EXECUTE.

I managed to set the breakpoint on NtWriteVirtualMemory. The problem is that I get the handle (one of the function's parameters, e.g. 0x20), but when I use it in my script it is invalid.

I tried using winappdbg.win32.VirtualQueryEx (and got "handle is invalid").

Any ideas?

from winappdbg.win32 import VirtualQueryEx

def action_callback( event ):
    print "ntdll!NtWriteVirtualMemory was called!"
    process = event.get_process()
    thread  = event.get_thread()
    # Get the address of the top of the stack.
    stack   = thread.get_sp()

    # Get the return address of the call.
    retAddress = process.read_pointer( stack )
    print "ret address " + hex(retAddress)
    # 32-bit stdcall: the five arguments follow the return address, 4 bytes each.
    processHandle = process.read_pointer( stack+4 )
    print "processHandle " + hex(processHandle)
    BaseAddress = process.read_pointer( stack+8 )
    print "BaseAddress " + hex(BaseAddress)
    Buffer = process.read_pointer( stack+12 )
    print "Buffer " + hex(Buffer)
    NumberOfBytesToWrite = process.read_pointer( stack+16 )
    print "NumberOfBytesToWrite " + hex(NumberOfBytesToWrite)
    # Fifth argument (NumberOfBytesWritten) sits at stack+20, not stack+16.
    NumberOfBytesWritten = process.read_pointer( stack+20 )
    print "NumberOfBytesWritten " + hex(NumberOfBytesWritten)
    print "====================="
    # VirtualQueryEx returns a MemoryBasicInformation object, not a string.
    mbi = VirtualQueryEx( int(processHandle), BaseAddress )
    print "virtualQuery - is_executable() " + str(mbi.is_executable())

Thanks!!


2 answers

I'm afraid what you're trying to do will never work: Win32 handles are only valid inside the process that created them, and you are trying to use, in your script, a handle created by the debugged process.

What you need to do instead is try to get the process ID. Process IDs are global, and you can create your own handle for them using OpenProcess(). You would have to hook every function that can return a process handle, capture their arguments and return values, and from that you can map the foreign handle to a process ID.

Another option is to try to resolve the handle into a process ID by calling GetProcessId() inside the target process (doing this from your script would fail for the same reason as above). This is a bit tricky, since code injection can sometimes fail, and I'd recommend using more hooks instead. But if you want to try it, event.get_process().inject_code() is your friend: http://winappdbg.sourceforge.net/doc/latest/reference/winappdbg.process.Process-class.html#inject_code

In the end I used DuplicateHandle. It works well!

import win32api, win32con, win32process
from winappdbg.win32 import VirtualQueryEx

# processHandle and BaseAddress are the NtWriteVirtualMemory arguments read
# from the stack in the breakpoint callback above.
source_pid = event.get_process().get_pid()
print 'source pid =', source_pid
source_phandle = win32api.OpenProcess(win32con.PROCESS_ALL_ACCESS, False, source_pid)
print 'source phandle =', source_phandle
current_phandle = win32process.GetCurrentProcess()
print 'current phandle =', current_phandle
# Duplicate the debuggee's handle into our own process so it can be used here.
duplicated_handle = win32api.DuplicateHandle(source_phandle, processHandle, current_phandle,
                                             0, False, win32con.DUPLICATE_SAME_ACCESS)
print 'dup h =', duplicated_handle
source_process_name = win32process.GetModuleFileNameEx(source_phandle, 0)
print "source_process_name - ", source_process_name

q = VirtualQueryEx(duplicated_handle.handle, BaseAddress)
print "virtualQuery - is_executable()  " + str(q.is_executable())
target_process_name = win32process.GetModuleFileNameEx(duplicated_handle.handle, 0)
print "target_process_name - ", target_process_name

VirtualQueryEx works great!

The problem now is that GetModuleFileNameEx returns "The handle is invalid" for the duplicated handle.

How can I display the target process name?

Thanks!
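Added example, not from the original post: Python 3 and standard library only, so it runs without winappdbg or Windows. It decodes the 32-bit stdcall frame the breakpoint callback reads (return address followed by the five NtWriteVirtualMemory arguments) from a constructed stack snapshot, and checks a MEMORY_BASIC_INFORMATION Protect value for execute rights, also when PAGE_GUARD or PAGE_NOCACHE modifier bits are set. The PAGE_* constants are the winnt.h values; the sample stack contents are made up.

```python
import struct

# Win32 memory protection constants (winnt.h).
PAGE_EXECUTE           = 0x10
PAGE_EXECUTE_READ      = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD             = 0x100
PAGE_NOCACHE           = 0x200
PAGE_WRITECOMBINE      = 0x400
_MODIFIER_MASK = PAGE_GUARD | PAGE_NOCACHE | PAGE_WRITECOMBINE
_EXECUTE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                 PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

# NtWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer,
#                      NumberOfBytesToWrite, NumberOfBytesWritten)
ARG_NAMES = ("ProcessHandle", "BaseAddress", "Buffer",
             "NumberOfBytesToWrite", "NumberOfBytesWritten")

def parse_nt_write_vm_args(stack_bytes):
    """Decode the x86 stdcall frame at the breakpoint: [ret][arg1]..[arg5], 4 bytes each."""
    if len(stack_bytes) < 4 * (1 + len(ARG_NAMES)):
        raise ValueError("stack snapshot too short")
    values = struct.unpack_from("<6I", stack_bytes)
    args = dict(zip(ARG_NAMES, values[1:]))
    args["ReturnAddress"] = values[0]
    return args

def is_executable_protect(protect):
    """True if a Protect value grants execute, ignoring the modifier bits."""
    return ((protect & ~_MODIFIER_MASK) & _EXECUTE_MASK) != 0

def describe_write(stack_bytes, protect):
    """Combine the decoded arguments with the target region's protection."""
    args = parse_nt_write_vm_args(stack_bytes)
    args["TargetIsExecutable"] = is_executable_protect(protect)
    return args

# Constructed sample frame: return address, handle 0x20, base, buffer, length, out-pointer.
SAMPLE_STACK = struct.pack("<6I", 0x77A01234, 0x20, 0x00401000,
                           0x0019FF00, 0x100, 0x0019FE80)

if __name__ == "__main__":
    info = describe_write(SAMPLE_STACK, PAGE_EXECUTE_READ | PAGE_GUARD)
    for name, value in info.items():
        print(name, hex(value) if not isinstance(value, bool) else value)
```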
