
Python Waitfordebugevent & Continuedebugevent (gray Hat Python)

I'm reading 'Gray Hat Python.' There's an example where we get the thread of the process and dump all the register values. I copied down the source from the book, and it won't work.

Solution 1:

It's confirmed that the code for this book only works on a 32-bit platform. Also, there are a few bugs in the source which are noted on the book's website which will stop the programs from working. If you download the source from the site, these bugs have been removed.

If you want to get the code to run on your machine and you run x64, you can download "Windows XP Mode", which is a virtual 32-bit Windows XP environment made available for free by Microsoft: http://www.microsoft.com/en-us/download/details.aspx?id=3702. Install your Python IDE there and the code should run.

Solution 2:

There is a solution for running the debugger from a 64-bit Python instance on 64-bit Windows. But you should stick to debugging 32-bit applications or implement a 64-bit debugger; there is a difference between 64-bit and 32-bit registers, of course.

I added some code to run it under a 64-bit system. 1. When you want to debug / run a 32-bit application on 64-bit Windows, Windows uses WOW64 for it, so you have to use some other functions, which are explained on MSDN.

To test whether a process is running as 32-bit under WOW64:

    # IsWow64Process writes TRUE into the out-parameter for a 32-bit process on 64-bit Windows
    i = c_int()
    kernel32.IsWow64Process(self.h_process, byref(i))
    if i.value:
        print('[*] 32 bit process')

Example:

def wow64_get_thread_context(self, thread_id=None, h_thread=None):
    context = CONTEXT()
    context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS
    if h_thread is None:
        h_thread = self.open_thread(thread_id)
    # Wow64SuspendThread returns the previous suspend count, or -1 on failure
    if kernel32.Wow64SuspendThread(h_thread) != -1:
        # Wow64GetThreadContext returns 0 on failure
        ok = kernel32.Wow64GetThreadContext(h_thread, byref(context))
        kernel32.ResumeThread(h_thread)   # resume whether or not the read succeeded
        kernel32.CloseHandle(h_thread)
        if ok != 0:
            return context
        testWinError()
        return False
    else:
        testWinError()
        return False

For testing win errors use:

def testWinError():
    if kernel32.GetLastError() != 0:
        raise WinError()

Solution 3:

OpenProcess has a different signature:

HANDLE OpenProcess(
  DWORD dwDesiredAccess,
  BOOL  bInheritHandle,
  DWORD dwProcessId
);

So you should change open_process to:

def open_process(self, pid):
    # h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS, pid, False)   # wrong argument order
    h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    return h_process
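Added example (not from the book or from either answer above) tying Solution 2 and Solution 3 together: the same kernel32 calls with ctypes prototypes declared, so the OpenProcess argument order is fixed in one place, handles keep their full 64-bit width (ctypes defaults every return value to c_int), the IsWow64Process answer is read from the out-parameter, and a WOW64 thread is always resumed even when reading its CONTEXT fails. `bind` is a hypothetical helper that takes `ctypes.windll.kernel32`; the CONTEXT structure is assumed to be the book's own 32-bit definition and is passed by `byref()`.

```python
import ctypes
from ctypes import POINTER, byref, c_int, c_ulong, c_void_p

# Win32 scalar types.  HANDLE must be pointer-sized: ctypes defaults every
# return value to c_int, which silently truncates 64-bit handles.
HANDLE, DWORD, BOOL = c_void_p, c_ulong, c_int
SUSPEND_FAILED = 0xFFFFFFFF              # (DWORD)-1 returned by Wow64SuspendThread
# ctypes.WinError exists only on Windows; OSError keeps this importable elsewhere.
WinError = getattr(ctypes, "WinError", OSError)


def bind(kernel32):
    """Declare prototypes for the kernel32 calls used in the answers above."""
    kernel32.OpenProcess.argtypes = [DWORD, BOOL, DWORD]      # access, inherit, pid
    kernel32.OpenProcess.restype = HANDLE
    kernel32.IsWow64Process.argtypes = [HANDLE, POINTER(BOOL)]
    kernel32.IsWow64Process.restype = BOOL
    kernel32.Wow64SuspendThread.argtypes = [HANDLE]
    kernel32.Wow64SuspendThread.restype = DWORD
    # c_void_p instead of POINTER(CONTEXT): the 32-bit CONTEXT struct is the
    # book's own definition (assumed here) and is simply passed by byref().
    kernel32.Wow64GetThreadContext.argtypes = [HANDLE, c_void_p]
    kernel32.Wow64GetThreadContext.restype = BOOL
    kernel32.ResumeThread.argtypes = [HANDLE]
    kernel32.ResumeThread.restype = DWORD
    return kernel32


def open_process(kernel32, pid, access):
    """OpenProcess with the argument order from Solution 3 (access, inherit, pid)."""
    h_process = kernel32.OpenProcess(access, False, pid)
    if not h_process:                    # NULL handle means failure
        raise WinError()
    return h_process


def is_wow64_process(kernel32, h_process):
    """True when h_process is a 32-bit process running under WOW64."""
    flag = BOOL(0)
    if not kernel32.IsWow64Process(h_process, byref(flag)):
        raise WinError()                 # the query itself failed
    return bool(flag.value)              # the answer lives in the out-parameter


def wow64_get_thread_context(kernel32, h_thread, context):
    """Suspend the WOW64 thread, fill `context`, and always resume it again."""
    if kernel32.Wow64SuspendThread(h_thread) == SUSPEND_FAILED:
        raise WinError()
    try:
        if not kernel32.Wow64GetThreadContext(h_thread, byref(context)):
            raise WinError()
    finally:
        kernel32.ResumeThread(h_thread)  # never leave the debuggee thread suspended
    return context
```

On Windows, call `bind(ctypes.windll.kernel32)` once and pass the result to the three wrappers; `argtypes` then rejects wrongly typed arguments at call time instead of letting them reach the kernel.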
