2

我正在尝试使用 Python 的 Ctypes 执行 DLL 注入。我将 Olly 附加到我尝试注入的进程,并且我尝试创建的线程给出了错误“ERROR_INVALID_PARAMETER 00000057”。我一直在做一些研究,我发现当我调用 CreateRemoteThread 时,错误表明我的参数之一是错误的。我似乎无法弄清楚哪个参数不好,因为我发送的所有值似乎都是有效的。我在调用 LoadLibrary 时设置了一个 Olly 条件断点,并且 dll 名称和(完整)路径是正确的。我也没有看到我的自定义 dll 加载到进程的内存空间中(在 Olly 中)。我想知道这是否与当我将它们作为参数发送时我的 dll 和路径是 unicode 的事实有关。尽管 LoadLibrary 上的条件断点说明了正确的名称和路径。我还设置了 argtype,据我了解,如果它是错误的类型,则会引发错误,并且它会在可能的情况下尝试将其转换为正确的类型。

import sys
from ctypes import *
from ctypes import wintypes
import ctypes

BYTE      = c_ubyte
WORD      = c_ushort
DWORD     = c_ulong
LPBYTE    = POINTER(c_ubyte)
LPTSTR    = POINTER(c_char) 
HANDLE    = c_void_p
PVOID     = c_void_p
LPVOID    = c_void_p
UNIT_PTR  = c_ulong
SIZE_T    = c_ulong
LPTHREAD_START_ROUTINE = c_void_p

class SECURITY_ATTRIBUTES(ctypes.Structure):
_fields_ = [("nLength", DWORD),
            ("lpSecurityDescriptor", LPVOID),
            ("bInheritHandle", wintypes.BOOL)]

LPSECURITY_ATTRIBUTES = POINTER(SECURITY_ATTRIBUTES)

kernel32.CreateRemoteThread.retype = wintypes.HANDLE
kernel32.CreateRemoteThread.argtypes = [wintypes.HANDLE, LPSECURITY_ATTRIBUTES, ctypes.c_size_t, LPTHREAD_START_ROUTINE, wintypes.LPVOID, wintypes.DWORD, wintypes.LPDWORD]

pid     = sys.argv[1]
dll_path    = sys.argv[2]  #'myDLL.dll'
dll_len = len(dll_path) * 2 #Multiplied by 2 so it would take into account the unicode characters

h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid))
arg_address = kernel32.VirtualAllocEx(h_process, 0, dll_len, VIRTUAL_MEM, PAGE_READWRITE)

written = c_ubyte(0)
bSuccess = kernel32.WriteProcessMemory(h_process, arg_address, dll_path, dll_len, byref(written))
h_kernel32 = kernel32.GetModuleHandleW('kernel32.dll')
h_loadlib = kernel32.GetProcAddress(h_kernel32, b"LoadLibraryW")

thread_id = c_ulong(0)

h_thread = kernel32.CreateRemoteThread(h_process, #404
                                   None, 
                                   0, 
                                   h_loadlib,     #0x770a0000
                                   arg_address,   #0x770eef42
                                   0, 
                                   byref(thread_id))

h_threadError = GetLastError()    #This says ERROR 0 - Operation completed Successfully

h_dllToHook = kernel32.GetModuleHandleW('myDLL.dll')  #h_dllToHook returns '0'
error = GetLastError()            #This says ERORR 0 - Operation completed Successfully

另一个奇怪的事情是我注入的可执行文件是一个控制台应用程序并打印出一些东西。我正在注入的 dll 有一个从 DLLMAIN 调用的导出函数,该函数也可以打印出一些东西。当我检查控制台时,它看起来成功运行了,因为注入的 DLL 中的内容也被打印出来了。此外,当我在 CreateRemoteThread 上放置条件日志断点时,它永远不会被命中。所以我的问题是它是否成功注入,因为它似乎是 1)为什么我不能使用 GetModuleHandleW 获得注入的 DLL 的句柄和 2)为什么 Ollydbg 没有显示注入的 DLL 没有映射到进程中'内存空间。我正在单步执行我的代码并中断,所以它不像线程正在运行和退出。我' 已经研究了一段时间,非常感谢任何帮助!谢谢。

4

1 回答 1

3
  • 使用ctypes.get_last_error而不是GetLastError. 这需要use_last_error选项,例如WinDLL('kernel32.dll', use_last_error=True).
  • GetModuleHandleWGetProcAddress步骤是不必要的。ctypes 已经为您做到了。只需使用kernel32.LoadLibraryW. 这取决于 kernel32.dll 在每个进程中始终映射到相同的基地址,我认为这对于现有版本的 Windows 是正确的。
  • 通常,在复制字符串时,您应该考虑空终止符,例如使用len(dll_path) + 1. 在这种情况下,您将提交一个新的内存页面(在 x86 和 x64 系统上为 4 KiB),最初全为零。
  • 我不确定您是如何定义VIRTUAL_MEM分配类型的。这包括MEM_COMMIT吗?
  • 注意拼写错误。你写retype的不是restypefor 的原型CreateRemoteThread,这意味着返回值仍然是默认的 32 位 C int

以下对我有用,将 DLL 加载到 Python 进程中。

dllinject.py(ctypes 定义):

import ctypes
from ctypes import wintypes

kernel32 = ctypes.WinDLL('kernel32.dll', use_last_error=True)

PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_CREATE_THREAD = 0x0002
MEM_COMMIT = 0x1000
MEM_RELEASE = 0x8000
PAGE_READWRITE = 0x0004
INFINITE = -1

SIZE_T = ctypes.c_size_t
LPSIZE_T = ctypes.POINTER(SIZE_T)
WCHAR_SIZE = ctypes.sizeof(wintypes.WCHAR)
LPSECURITY_ATTRIBUTES = wintypes.LPVOID
LPTHREAD_START_ROUTINE = wintypes.LPVOID

class BOOL_CHECKED(ctypes._SimpleCData):
    _type_ = "l"
    def _check_retval_(retval):
        if retval == 0:
            raise ctypes.WinError(ctypes.get_last_error())
        return retval

class LPVOID_CHECKED(ctypes._SimpleCData):
    _type_ = "P"
    def _check_retval_(retval):
        if retval is None:
            raise ctypes.WinError(ctypes.get_last_error())
        return retval

HANDLE_CHECKED = LPVOID_CHECKED  # not file handles

kernel32.OpenProcess.restype = HANDLE_CHECKED
kernel32.OpenProcess.argtypes = (
    wintypes.DWORD, # dwDesiredAccess
    wintypes.BOOL,  # bInheritHandle
    wintypes.DWORD) # dwProcessId

kernel32.VirtualAllocEx.restype = LPVOID_CHECKED
kernel32.VirtualAllocEx.argtypes = (
    wintypes.HANDLE, # hProcess
    wintypes.LPVOID, # lpAddress
    SIZE_T,          # dwSize
    wintypes.DWORD,  # flAllocationType
    wintypes.DWORD)  # flProtect

kernel32.VirtualFreeEx.argtypes = (
    wintypes.HANDLE, # hProcess
    wintypes.LPVOID, # lpAddress
    SIZE_T,          # dwSize
    wintypes.DWORD)  # dwFreeType

kernel32.WriteProcessMemory.restype = BOOL_CHECKED
kernel32.WriteProcessMemory.argtypes = (
    wintypes.HANDLE,  # hProcess
    wintypes.LPVOID,  # lpBaseAddress
    wintypes.LPCVOID, # lpBuffer
    SIZE_T,           # nSize
    LPSIZE_T)         # lpNumberOfBytesWritten _Out_

kernel32.CreateRemoteThread.restype = HANDLE_CHECKED
kernel32.CreateRemoteThread.argtypes = (
    wintypes.HANDLE,        # hProcess
    LPSECURITY_ATTRIBUTES,  # lpThreadAttributes
    SIZE_T,                 # dwStackSize
    LPTHREAD_START_ROUTINE, # lpStartAddress
    wintypes.LPVOID,        # lpParameter
    wintypes.DWORD,         # dwCreationFlags
    wintypes.LPDWORD)       # lpThreadId _Out_

kernel32.WaitForSingleObject.argtypes = (
    wintypes.HANDLE, # hHandle
    wintypes.DWORD)  # dwMilliseconds

kernel32.CloseHandle.argtypes = (
    wintypes.HANDLE,) # hObject

dllinject.py ( injectdll):

def injectdll(pid, dllpath):
    size = (len(dllpath) + 1) * WCHAR_SIZE
    hproc = hthrd = addr = None
    try:
        hproc = kernel32.OpenProcess(
            PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
            PROCESS_VM_WRITE, False, pid)
        addr = kernel32.VirtualAllocEx(
            hproc, None, size, MEM_COMMIT, PAGE_READWRITE)
        kernel32.WriteProcessMemory(
            hproc, addr, dllpath, size, None)
        hthrd = kernel32.CreateRemoteThread(
            hproc, None, 0, kernel32.LoadLibraryW, addr, 0, None)
        kernel32.WaitForSingleObject(hthrd, INFINITE)
    finally:
        if addr is not None:
            kernel32.VirtualFreeEx(hproc, addr, 0, MEM_RELEASE)
        if hthrd is not None:
            kernel32.CloseHandle(hthrd)
        if hproc is not None:
            kernel32.CloseHandle(hproc)

测试.c:

#include <Windows.h>                  
#include <stdio.h>                 

BOOL WINAPI DllMain(HINSTANCE hInstDll, DWORD fdwReason, PVOID fImpLoad)
{                                                
    switch (fdwReason) {
        case DLL_PROCESS_ATTACH:
            printf("DLL Attach\n");
            break;
        case DLL_PROCESS_DETACH:
            printf("DLL Detach\n");
    }                                                        
    return TRUE;               
}

演示:

>>> import sys
>>> from subprocess import Popen, PIPE
>>> from dllinject import injectdll
>>> cmd = [sys.executable, '-c', 'import time; time.sleep(10)']
>>> p = Popen(cmd, stdout=PIPE); injectdll(p.pid, 'test.dll')
>>> r = p.wait(); print(p.stdout.read().decode())
DLL Attach
DLL Detach
于 2013-07-08T10:11:39.877 回答