python - Python Ctypes Read/WriteProcessMemory() - 错误 5/998 求助！

Question

请不要害怕，但是下面的代码，如果你熟悉 ctypes 或 C 应该很容易阅读。

我一直试图让我的 ReadProcessMemory() 和 WriteProcessMemory() 函数工作这么久，并且尝试了几乎所有的可能性，但正确的一个。

它启动目标程序，返回它的 PID 并处理得很好。但我总是收到错误代码 5 - ERROR_ACCESS_DENIED。当我运行读取功能时（暂时忘记写入）。我正在启动这个程序，因为我认为它是一个带有 PROCESS_ALL_ACCESS 或 CREATE_PRESERVE_CODE_AUTHZ_LEVEL 的 CHILD 进程。

当我打开句柄时，我也尝试过 PROCESS_ALL_ACCESS 和 PROCESS_VM_READ。

我也可以说它是一个有效的内存位置，因为我可以使用 CheatEngine 在正在运行的程序中找到它。

至于 VirtualQuery() 我得到一个错误代码 998 - ERROR_NOACCESS 这进一步证实了我怀疑它是一些安全/特权问题。

任何帮助或想法将不胜感激，再次，这是我到目前为止的整个程序，不要让它吓到你 =P。

from ctypes import *
from ctypes.wintypes import BOOL
import binascii


BYTE      = c_ubyte
WORD      = c_ushort
DWORD     = c_ulong
LPBYTE    = POINTER(c_ubyte)
LPTSTR    = POINTER(c_char) 
HANDLE    = c_void_p
PVOID     = c_void_p
LPVOID    = c_void_p
UNIT_PTR  = c_ulong
SIZE_T    = c_ulong

class STARTUPINFO(Structure):
    _fields_ = [("cb",            DWORD),        
                ("lpReserved",    LPTSTR), 
                ("lpDesktop",     LPTSTR),  
                ("lpTitle",       LPTSTR),
                ("dwX",           DWORD),
                ("dwY",           DWORD),
                ("dwXSize",       DWORD),
                ("dwYSize",       DWORD),
                ("dwXCountChars", DWORD),
                ("dwYCountChars", DWORD),
                ("dwFillAttribute",DWORD),
                ("dwFlags",       DWORD),
                ("wShowWindow",   WORD),
                ("cbReserved2",   WORD),
                ("lpReserved2",   LPBYTE),
                ("hStdInput",     HANDLE),
                ("hStdOutput",    HANDLE),
                ("hStdError",     HANDLE),]

class PROCESS_INFORMATION(Structure):
    _fields_ = [("hProcess",    HANDLE),
                ("hThread",     HANDLE),
                ("dwProcessId", DWORD),
                ("dwThreadId",  DWORD),]

class MEMORY_BASIC_INFORMATION(Structure):
    _fields_ = [("BaseAddress", PVOID),
                ("AllocationBase", PVOID),
                ("AllocationProtect", DWORD),
                ("RegionSize", SIZE_T),
                ("State", DWORD),
                ("Protect", DWORD),
                ("Type", DWORD),]

class SECURITY_ATTRIBUTES(Structure):
    _fields_ = [("Length", DWORD),
                ("SecDescriptor", LPVOID),
                ("InheritHandle", BOOL)]

class Main():
    def __init__(self):
        self.h_process = None
        self.pid = None

    def launch(self, path_to_exe):
        CREATE_NEW_CONSOLE = 0x00000010
        CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000

        startupinfo = STARTUPINFO()
        process_information = PROCESS_INFORMATION()
        security_attributes = SECURITY_ATTRIBUTES()

        startupinfo.dwFlags = 0x1
        startupinfo.wShowWindow = 0x0


        startupinfo.cb = sizeof(startupinfo)
        security_attributes.Length = sizeof(security_attributes)
        security_attributes.SecDescriptior = None
        security_attributes.InheritHandle = True

        if windll.kernel32.CreateProcessA(path_to_exe,
                                   None,
                                   byref(security_attributes),
                                   byref(security_attributes),
                                   True,
                                   CREATE_PRESERVE_CODE_AUTHZ_LEVEL,
                                   None,
                                   None,
                                   byref(startupinfo),
                                   byref(process_information)):

            self.pid = process_information.dwProcessId
            print "Success: CreateProcess - ", path_to_exe
        else:
            print "Failed: Create Process - Error code: ", windll.kernel32.GetLastError()

    def get_handle(self, pid):
        PROCESS_ALL_ACCESS = 0x001F0FFF
        PROCESS_VM_READ = 0x0010
        self.h_process = windll.kernel32.OpenProcess(PROCESS_VM_READ, False, pid)
        if self.h_process:
            print "Success: Got Handle - PID:", self.pid
        else:
            print "Failed: Get Handle - Error code: ", windll.kernel32.GetLastError()
            windll.kernel32.SetLastError(10000)

    def read_memory(self, address):
        buffer = c_char_p("The data goes here")
        bufferSize = len(buffer.value)
        bytesRead = c_ulong(0)
        if windll.kernel32.ReadProcessMemory(self.h_process, address, buffer, bufferSize, byref(bytesRead)):
            print "Success: Read Memory - ", buffer.value
        else:
            print "Failed: Read Memory - Error Code: ", windll.kernel32.GetLastError()
            windll.kernel32.CloseHandle(self.h_process)
            windll.kernel32.SetLastError(10000)

    def write_memory(self, address, data):
        count = c_ulong(0)
        length = len(data)
        c_data = c_char_p(data[count.value:])
        null = c_int(0)
        if not windll.kernel32.WriteProcessMemory(self.h_process, address, c_data, length, byref(count)):
            print  "Failed: Write Memory - Error Code: ", windll.kernel32.GetLastError()
            windll.kernel32.SetLastError(10000)
        else:
            return False

    def virtual_query(self, address):
        basic_memory_info = MEMORY_BASIC_INFORMATION()
        windll.kernel32.SetLastError(10000)
        result = windll.kernel32.VirtualQuery(address, byref(basic_memory_info), byref(basic_memory_info))
        if result:
            return True
        else:
            print  "Failed: Virtual Query - Error Code: ", windll.kernel32.GetLastError()


main = Main()
address = None
main.launch("C:\Program Files\ProgramFolder\Program.exe")
main.get_handle(main.pid)
#main.write_memory(address, "\x61")
while 1:
    print '1 to enter an address'
    print '2 to virtual query address'
    print '3 to read address'
    choice = raw_input('Choice: ')
    if choice == '1':
        address = raw_input('Enter and address: ')
    if choice == '2':
        main.virtual_query(address)
    if choice == '3':
        main.read_memory(address)

谢谢！

score 2 · Accepted Answer

您应该尝试为您的进程设置调试权限。在尝试打开/创建进程之前，请使用以下代码一次。

class TOKEN_PRIVILEGES( Structure ):
    _fields_ = [
            ('PrivilegeCount',  c_uint),
            ('Luid',            LUID),
            ('Attributes',      c_uint) ]

OpenProcessToken = windll.advapi32.OpenProcessToken
OpenProcessToken.argtypes = [
    c_int,      # HANDLE ProcessHandle
    c_uint,     # DWORD DesiredAccess
    c_void_p ]  # PHANDLE TokenHandle
OpenProcessToken.restype = ErrorIfZero

AdjustTokenPrivileges = windll.advapi32.AdjustTokenPrivileges
AdjustTokenPrivileges.argtypes = [
    c_int,      # HANDLE TokenHandle
    c_int,      # BOOL DisableAllPrivileges
    c_void_p,   # PTOKEN_PRIVILEGES NewState
    c_uint,     # DWORD BufferLength
    c_void_p,   # PTOKEN_PRIVILEGES PreviousState
    c_void_p ]  # PDWORD ReturnLength
AdjustTokenPrivileges.restype = ErrorIfZero

LookupPrivilegeValue = windll.advapi32.LookupPrivilegeValueA
LookupPrivilegeValue.argtypes = [
c_char_p,   # LPCTSTR lpSystemName
c_char_p,   # LPCTSTR lpName
c_void_p ]  # PLUID lpLuid
LookupPrivilegeValue.restype = ErrorIfZero

access_token = c_int(0)
privileges = TOKEN_PRIVILEGES()

OpenProcessToken( GetCurrentProcess(), win32con.TOKEN_QUERY | win32con.TOKEN_ADJUST_PRIVILEGES, byref(access_token) )
access_token = access_token.value
LookupPrivilegeValue( None, "SeDebugPrivilege", byref(privileges.Luid) )
privileges.PrivilegeCount = 1
privileges.Attributes = 2
AdjustTokenPrivileges(
        access_token,
        0,
        byref(privileges),
        0,
        None,
        None )
CloseHandle( access_token )

score 1 · Accepted Answer

1

也许这会对您有所帮助：Creating a Security Descriptor for a New Object in C++

于 2010-06-05T15:05:33.073 回答

score 0 · Accepted Answer

访问被拒绝错误的一个可能原因是运行 WriteProcessMemory 的用户需要具有 DEBUG 权限。

从 Vista 开始，此权限仅对管理员激活，并且仅在使用“以管理员身份运行”运行应用程序时激活。

您可以将权限添加到任何帐户。

score 0 · Accepted Answer

我发现您的代码有几个问题，很难知道哪一个是您的确切问题的根本原因。例如，该行：

address = raw_input('Enter and address: ')

应该是这样的：

address = long(raw_input('Enter and address: '), 0)

正如代码所示，每次address通过 ctypes 传递给函数时，您实际上所做的是创建一个临时缓冲区，其中包含用户键入的字符串，并在 Python 进程中传入该缓冲区的地址。绝对不是你想要的。如果我解决了这个问题，那么您的程序似乎大部分时间都在工作。

根据我有限的测试，大多数（全部？）其余故障可以通过设置正确argtypes的ReadProcessMemory. 这是我在 ctypes 代码中看到的最大问题，ctypes.c_voidp在intPython 中处理会加剧这个问题。如果argtypes未指定，则所有参数都被视为ctypes.c_int. 任何超出有符号整数范围的内容（例如，设置了高位的指针或句柄）都会被静默截断。

不是你的错误的原因，但次优的是这些行：

buffer = c_char_p("The data goes here")
bufferSize = len(buffer.value)

ctypes 模块提供了创建缓冲区的函数：

bufferSize = 32
buffer = ctypes.create_string_buffer(bufferSize)

希望这会让你走上正确的道路。

score 0 · Accepted Answer

PROCESS_VM_READ还不够：尝试同时使用PROCESS_VM_WRITE+ PROCESS_VM_OPERATION。我也收到了错误违规，但进程内存仍然改变。添加 try catch 以使您的程序保持活动状态。

PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_VM_OPERATION = 0x0008
PROCESS_ALL_ACCESS = 0x1F0FFF

对我来说PROCESS_VM_WRITE还不够，我还需要添加PROCESS_VM_OPERATION 。

python - Python Ctypes Read/WriteProcessMemory() - 错误 5/998 求助！

5 回答 5

Related

Reference