my_debugger_defines.py
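#encoding:utf-8
"""ctypes aliases, constants and structures shared by my_debugger.py.

The definitions mirror the Win32 declarations that CreateProcessA/W needs.
``from ctypes import *`` is kept on purpose: callers that do
``from my_debugger_defines import *`` rely on also receiving ``sizeof``,
``byref``, ``c_wchar_p`` and friends through this module.

LPBYTE is defined here rather than taken from ctypes.wintypes because it is
missing from ctypes.wintypes on some Python 2.7 builds; it is defined exactly
once (the original file defined it twice, the first definition being dead).
"""
from ctypes import *

# Aliases for the Win32 typedefs used by the structures below.
WORD = c_ushort
# A Win32 DWORD is always 32 bits.  c_ulong is 32 bits on Windows but 64 bits
# on LP64 platforms, so c_uint32 keeps the structure layout correct even when
# this module is imported off-Windows (e.g. for unit tests).
DWORD = c_uint32
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_byte)
HANDLE = c_void_p

# Constants
DEBUG_PROCESS = 0x00000001               # dwCreationFlags: create the child as our debuggee
CREATE_NEW_CONSOLE = 0x00000010          # dwCreationFlags: child gets its own console window
DBG_EXCEPTION_NOT_HANDLED = 0x80010001   # ContinueDebugEvent status: hand the exception back to the debuggee


class STARTUPINFO(Structure):
    """Mirror of the Win32 STARTUPINFO structure passed to CreateProcess.

    Field order and types follow the C declaration; ctypes applies native
    alignment, which is what yields sizeof() == 68 on 32-bit and 104 on
    64-bit Windows.  ``cb`` must be set to sizeof(STARTUPINFO) before the
    call, the reserved members must stay NULL/0.
    """
    _fields_ = [
        ("cb", DWORD),                 # size of this structure in bytes
        ("lpReserved", LPTSTR),        # reserved, must be NULL
        ("lpDesktop", LPTSTR),         # desktop/window station name, NULL = inherit
        ("lpTitle", LPTSTR),           # console title for console apps, NULL = exe name
        ("dwX", DWORD),                # window position/size, honoured only
        ("dwY", DWORD),                # when the matching STARTF_* flag is set
        ("dwXSize", DWORD),
        ("dwYSize", DWORD),
        ("dwXCountChars", DWORD),      # console screen-buffer size
        ("dwYCountChars", DWORD),
        ("dwFillAttribute", DWORD),    # console text/background colours
        ("dwFlags", DWORD),            # STARTF_* bitmask selecting which members are used
        ("wShowWindow", WORD),         # SW_* value, used when STARTF_USESHOWWINDOW is set
        ("cbReserved2", WORD),         # reserved, must be 0
        ("lpReserved2", LPBYTE),       # reserved, must be NULL
        ("hStdInput", HANDLE),         # standard handles, used when STARTF_USESTDHANDLES is set
        ("hStdOutput", HANDLE),
        ("hStdError", HANDLE),
    ]


class PROCESS_INFORMATION(Structure):
    """Mirror of the Win32 PROCESS_INFORMATION structure filled by CreateProcess.

    hProcess and hThread are open handles owned by the caller and must be
    released with CloseHandle() when no longer needed.
    """
    _fields_ = [
        ("hProcess", HANDLE),
        ("hThread", HANDLE),
        ("dwProcessId", DWORD),
        ("dwThreadId", DWORD),
    ]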
my_debugger.py
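#encoding:utf-8
"""Minimal Win32 debugger front end: launch a debuggee under DEBUG_PROCESS.

Windows only (relies on ctypes' WinDLL and kernel32).
"""
from ctypes import *
from my_debugger_defines import *

# use_last_error=True makes ctypes snapshot GetLastError() immediately after
# every foreign call, so get_last_error() below cannot be clobbered by other
# ctypes activity between the failing call and the read.
kernel32 = WinDLL("kernel32", use_last_error=True)

# Declare the prototype so ctypes marshals every argument at its real width.
# Without argtypes a bare Python 0 is passed as a 32-bit int, which is not a
# valid way to pass a NULL pointer on 64-bit Windows.
kernel32.CreateProcessW.argtypes = [
    c_wchar_p,                      # lpApplicationName
    c_wchar_p,                      # lpCommandLine
    c_void_p,                       # lpProcessAttributes
    c_void_p,                       # lpThreadAttributes
    c_int,                          # bInheritHandles (BOOL)
    DWORD,                          # dwCreationFlags
    c_void_p,                       # lpEnvironment
    c_wchar_p,                      # lpCurrentDirectory
    POINTER(STARTUPINFO),           # lpStartupInfo
    POINTER(PROCESS_INFORMATION),   # lpProcessInformation
]
kernel32.CreateProcessW.restype = c_int   # BOOL

# STARTUPINFO.dwFlags / wShowWindow values used by load().
STARTF_USESHOWWINDOW = 0x1
SW_HIDE = 0x0


class debugger():
    """State of one debuggee launched by this debugger."""

    def __init__(self):
        # Filled in by load(); None until a debuggee exists.
        self.h_process = None
        self.h_thread = None
        self.pid = None

    def load(self, path_to_exe):
        """Launch *path_to_exe* as a debuggee and keep its handles on self.

        Args:
            path_to_exe: full path of the executable.  It is passed as
                lpApplicationName, so CreateProcess uses it literally instead
                of re-parsing it out of a command line.

        Returns:
            True when CreateProcessW succeeded, False otherwise (the Win32
            error code is printed).
        """
        # DEBUG_PROCESS makes this process the debugger of the child.  OR in
        # CREATE_NEW_CONSOLE if the child should get its own console window
        # instead of sharing the parent's.
        creation_flags = DEBUG_PROCESS

        startupinfo = STARTUPINFO()
        process_information = PROCESS_INFORMATION()

        # STARTF_USESHOWWINDOW tells CreateProcess to honour wShowWindow.
        # wShowWindow = 0x0 is SW_HIDE, so a GUI debuggee that honours it
        # starts with its main window hidden; the original comment expected a
        # visible window, which would need SW_SHOWNORMAL (0x1) instead.
        startupinfo.dwFlags = STARTF_USESHOWWINDOW
        startupinfo.wShowWindow = SW_HIDE

        # cb must hold the structure size: 68 on 32-bit, 104 on 64-bit Windows.
        startupinfo.cb = sizeof(startupinfo)

        created = kernel32.CreateProcessW(
            path_to_exe,        # lpApplicationName
            None,               # lpCommandLine
            None,               # lpProcessAttributes
            None,               # lpThreadAttributes
            0,                  # bInheritHandles
            creation_flags,
            None,               # lpEnvironment: inherit ours
            None,               # lpCurrentDirectory: inherit ours
            byref(startupinfo),
            byref(process_information),
        )
        if not created:
            print("[*] Error:0x%08x. " % get_last_error())
            return False

        # Keep the handles: later debugger operations need hProcess/hThread,
        # and dropping them here would leak them until this process exits.
        # Whoever finishes with the debuggee must CloseHandle() both.
        self.h_process = process_information.hProcess
        self.h_thread = process_information.hThread
        self.pid = process_information.dwProcessId
        print ("[*] we have successfully launched the process!")
        print ("[PID] :%d " % self.pid)
        return True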
my_test.py
#!encoding:utf-8
"""Smoke test for my_debugger: start calc.exe as a debuggee."""
import my_debugger

# Path of the debuggee; must exist on the machine running this script.
TARGET_EXE = "C:\\Windows\\system32\\calc.exe"

debugger = my_debugger.debugger()
debugger.load(TARGET_EXE)
参考:《Python灰帽子——黑客与逆向工程师的Python编程之道》