hakril / pythonforwindows
A codebase aimed to make interaction with Windows and native execution easier
License: BSD 3-Clause "New" or "Revised" License
Can you implement external thread tracing using OpenThread, GetThreadContext, many threads and a disassembler to stitch together the trace log?
It would be awesome for finding functions in a program with only 1 thread handle. Think function call count etc. All the ways I have seen require you to have a breakpoint at all calls or a module inside the process.
The issue #26 noticed that there is no documentation about available instructions in simple_x86 & simple_x64.
This information should be available in the sphinx documentation.
OK, so I can see that you have written wrappers for various portions of the Windows API.
I am also in the process of doing the same... well, sort of. I am not writing wrappers; I am converting the entire Windows 10 SDK to Python.
It can be viewed here:
https://github.com/kdschlosser/pyWinAPI
I am not done with it yet, and I still have quite a bit to do. I thought you may be interested. I have also written a C/C++ code parser. It handles .h and .idl files. It is about 90% accurate in file conversions and it also handles preprocessor macro definitions. The output files do need to be visually inspected and any corrections made. But it sure is a hell of a time saver.
I thought you might want to have a look, and maybe you might have some suggestions and comments. I am always looking for feedback.
Sorry, I searched for RtlMoveMemory and it is null; how do I use it?
Sorry for asking it here. Is it possible to add a certificate (from .crt file) to windows certificate store using certificate.py module?
Hello,
There is apparently a problem with the refcount when getting the modules using the windows.utils.get_kernel_modules function. The _SYSTEM_MODULE64 objects seem to not be correctly kept in memory. This leads to invalid data being retrieved when accessing members of the objects.
The following code allows reproducing it:
import windows.utils as wutils
import gc
mods = wutils.get_kernel_modules()
gc.collect() # gc to collect, for more reliable reproduction
print([x.ImageName for x in mods]) # need to do stuff for triggering bug
print([x.ImageName for x in mods])
print([x.ImageName for x in mods])
print("LAST IMAGE NAME: {}".format(mods[0].ImageName))
Python version: Python 3.8.2 (tags/v3.8.2:7b3ab59, Feb 25 2020, 23:03:10) [MSC v.1916 64 bit (AMD64)] on win32, test done using the dev branch commit 5c3b0cd.
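The lifetime problem in this report is a general ctypes pitfall, so here is an added example (not code from PythonForWindows or from the reporter) that shows it in isolation. `ModuleEntry` is a hypothetical stand-in for a _SYSTEM_MODULE-style record, `fake_query_modules` is a constructed stand-in for the native call that fills a caller-owned buffer, and the two getters hand entries back in the two possible ways: `from_address` views hold no reference to the buffer, so once the buffer's last owner is gone they read reclaimed memory, while `from_buffer` keeps a memoryview of the buffer inside each entry. `holds_reference` makes the difference observable through the buffer's refcount rather than through undefined behaviour.

```python
import ctypes
import gc
import sys


class ModuleEntry(ctypes.Structure):
    """Hypothetical stand-in for a _SYSTEM_MODULE-style record (not the real layout)."""
    _fields_ = [("ImageBase", ctypes.c_uint64),
                ("ImageName", ctypes.c_char * 32)]


ENTRY_SIZE = ctypes.sizeof(ModuleEntry)
SAMPLE_NAMES = [b"ntoskrnl.exe", b"hal.dll", b"ci.dll"]  # constructed sample data


def fake_query_modules(buffer):
    """Constructed stand-in for a native query that fills a caller-owned buffer
    and returns the number of records written."""
    for i, name in enumerate(SAMPLE_NAMES):
        entry = ModuleEntry.from_buffer(buffer, i * ENTRY_SIZE)
        entry.ImageBase = 0xFFFFF80000000000 + i * 0x100000
        entry.ImageName = name
    return len(SAMPLE_NAMES)


def view_by_address(buf):
    # No reference to buf is kept: a raw pointer dressed up as a Structure.
    return ModuleEntry.from_address(ctypes.addressof(buf))


def view_by_buffer(buf):
    # A memoryview of buf is stored inside the instance, so buf stays alive.
    return ModuleEntry.from_buffer(buf)


def get_modules_dangling():
    """Bug pattern: the returned views do not own `buf`, which is released as
    soon as this function returns. Reading them afterwards is use-after-free."""
    buf = ctypes.create_string_buffer(len(SAMPLE_NAMES) * ENTRY_SIZE)
    count = fake_query_modules(buf)
    base = ctypes.addressof(buf)
    return [ModuleEntry.from_address(base + i * ENTRY_SIZE) for i in range(count)]


def get_modules_owned():
    """Fix: each entry references the backing buffer, so the memory lives as
    long as any entry does, regardless of what the garbage collector runs."""
    buf = ctypes.create_string_buffer(len(SAMPLE_NAMES) * ENTRY_SIZE)
    count = fake_query_modules(buf)
    return [ModuleEntry.from_buffer(buf, i * ENTRY_SIZE) for i in range(count)]


def holds_reference(make_view):
    """True if the view created by make_view(buf) keeps `buf` alive."""
    buf = ctypes.create_string_buffer(ENTRY_SIZE)
    before = sys.getrefcount(buf)
    view = make_view(buf)
    after = sys.getrefcount(buf)
    del view
    return after > before


def read_names(entries):
    """Force a collection first, as the reproducer does, then read the names."""
    gc.collect()
    return [e.ImageName for e in entries]


if __name__ == "__main__":
    print(holds_reference(view_by_address))   # False
    print(holds_reference(view_by_buffer))    # True
    print(read_names(get_modules_owned()))
```

`get_modules_dangling` is kept only to show the shape of the bug; its result is never read in the example because the content of freed memory is not defined. The same rule applies to any wrapper that builds ctypes objects over memory it received from a native call: either the wrapper keeps the owning buffer alive for as long as the views exist, or it copies the data out before the buffer goes away.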
I use PythonForWindows to hack a game, executing some assembly code injected into the game program.
This is my simplified code:
import windows.winobject.process
import windows.native_exec.simple_x86 as x86
wp = windows.winobject.process.WinProcess(pid=int(0x59A4))
code = x86.MultipleInstr()
code += x86.Mov("EBP", "ESP")
code += x86.Push(0x018006D4)
code += x86.Push(0x00)
code += x86.Push(0x64)
code += x86.Mov("ECX", 0x119DF58)
code += x86.Mov("EBX", 0xAD9C50)
code += x86.Call("EBX")
code += x86.Mov("esp", "ebp")
code += x86.Ret()
wp.execute(code.get_code())
The code works perfectly.
But every time it runs, it allocates a small memory region, and that memory is not released after the code is executed. After running similar code hundreds of times, the memory footprint of the game becomes very large.
I hope the execute() function can be improved to automatically release the memory.
By the way, is there a list of assembly instructions for PythonForWindows? I read the documentation; there are only some assembly examples, and there is no complete assembly instruction list.
PythonForWindows makes it possible to use Python to hack games! Thank you!
Hi, I'm here again. I'm continuing to hack my game; now I am studying how to control the game characters to walk. This part of the work requires the construction of several floating-point stack parameters.
Now I have a new problem. It seems that PythonForWindows cannot assemble floats correctly.
This is my Python code:
def call_template(self, ebx, arg1=None, arg2=None, arg3=None, arg4=None,
                  arg5=None, arg6=None, arg7=None, arg8=None, arg9=None):
    code = x86.MultipleInstr()
    code += x86.Pushad()
    code += x86.Mov("EBP", "ESP")
    # Push the arguments right-to-left so arg1 ends up on top of the stack.
    if arg9 is not None:
        code += x86.Push(arg9)
    if arg8 is not None:
        code += x86.Push(arg8)
    if arg7 is not None:
        code += x86.Push(arg7)
    if arg6 is not None:  # the posted code tested arg7 here, which skipped arg6 when only arg7 was None
        code += x86.Push(arg6)
    if arg5 is not None:
        code += x86.Push(arg5)
    if arg4 is not None:
        code += x86.Push(arg4)
    if arg3 is not None:
        code += x86.Push(arg3)
    if arg2 is not None:
        code += x86.Push(arg2)
    if arg1 is not None:
        code += x86.Push(arg1)
    code += x86.Mov("ECX", address['call_ecx'])
    code += x86.Mov("EBX", ebx)
    code += x86.Call("EBX")
    code += x86.Mov("esp", "ebp")
    code += x86.Popad()
    code += x86.Ret()
    logger.info(f"""asm run""")
    run_asm(code, pid=self.pid)

pos_cur_x = read_addr(address['player_pos_cur_x'], data_type='float')
pos_cur_y = read_addr(address['player_pos_cur_y'], data_type='float')
ebx = address['call_city_go']
arg1 = pos_dst_x
arg2 = read_addr(address['player_pos_cur_x'] + 4, data_type="float")
arg3 = pos_dst_y
arg4 = read_addr(address['player_pos_cur_y'] + 4, data_type="float")
arg5 = get_sin(pos_dst_x, pos_dst_y, pos_cur_x, pos_cur_y)
arg6 = 0
arg7 = get_cos(pos_dst_x, pos_dst_y, pos_cur_x, pos_cur_y)
arg8 = 0
arg9 = read_addr(address['status_base_turn'], data_type="float", offset_list=[0xF4])
print(ebx, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9)
call_template(ebx, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9)
In the game, the game's own assembly stack looks like this (32-bit float):
But if running the code through Python, the stack parameter becomes a 16-bit unsigned short:
Debugging in PyCharm, it is still a float variable:
So, how can I correctly assemble floating-point numbers?
By the way, could you update the version on PyPI? It would be very convenient for users to update.
Thanks.
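A 32-bit float argument on the stack is just a dword holding the IEEE-754 bit pattern of the value, so the Python float has to be converted to that pattern before it is handed to a `push imm32`. The following is an added example, not code from PythonForWindows or from the poster: the conversion in both directions, a hand-rolled `push imm32` encoder used as a stand-in for simple_x86's Push (it always emits the 68 id form with a full 4-byte immediate), and a decoder so the stack image can be checked before it is injected into a process.

```python
import struct


def float_to_imm32(value):
    """IEEE-754 binary32 bit pattern of `value`: the dword to push for a float argument."""
    return struct.unpack("<I", struct.pack("<f", value))[0]


def imm32_to_float(imm):
    """Inverse of float_to_imm32: read a pushed dword back the way the callee will."""
    return struct.unpack("<f", struct.pack("<I", imm & 0xFFFFFFFF))[0]


def push_imm32(imm):
    """`push imm32` (opcode 68 id). Always a 4-byte immediate, never the 6A ib short form;
    a stand-in for an assembler's Push, not simple_x86's implementation."""
    return b"\x68" + struct.pack("<I", imm & 0xFFFFFFFF)


def push_args(*args):
    """Emit pushes for a right-to-left stack argument list (cdecl/stdcall/thiscall).
    Python floats become their binary32 pattern; everything else is pushed as an int."""
    code = b""
    for arg in reversed(args):
        imm = float_to_imm32(arg) if isinstance(arg, float) else int(arg) & 0xFFFFFFFF
        code += push_imm32(imm)
    return code


def pushed_dwords(code):
    """Decode a run of `push imm32` and return the immediates in argument order."""
    imms = []
    while code:
        if code[0] != 0x68 or len(code) < 5:
            raise ValueError("expected a 68 imm32 push")
        imms.append(struct.unpack_from("<I", code, 1)[0])
        code = code[5:]
    return list(reversed(imms))


def stack_view(*args):
    """Each argument slot as the callee sees it: (raw dword, the dword read as a float)."""
    return [(imm, imm32_to_float(imm)) for imm in pushed_dwords(push_args(*args))]


if __name__ == "__main__":
    print(hex(float_to_imm32(1.0)))           # 0x3f800000
    print(push_imm32(float_to_imm32(1.0)).hex())  # 680000803f
    print(stack_view(1.0, 0x64, -2.5))
```

Python floats are doubles, so `struct.pack("<f", ...)` rounds to single precision; that is the value the 32-bit callee will actually receive. For a 64-bit target the same conversion does not apply, since floating-point arguments travel in XMM registers there rather than on the stack.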
The class windows.debug.FunctionCallBP (breakpoints.py) does not seem to be documented. It is the parent class of windows.debug.FunctionBP. This class is useful when putting a breakpoint "by hand" on the start of a function and wanting to manipulate its return value when we do not have symbols or don't know the arguments of the function. A simple example and documentation could be a potential improvement for this.
Hey
Looking to query an AD over the LAN, I'm curious whether PythonForWindows supports this. The idea is to query installed software, users and their privileges for data collection and then parse this data into an Excel file.
br,
JL
A "wrong type" error occurred when I ran https://github.com/hakril/PythonForWindows/blob/master/samples/security/query_sacl.py with Python 3:
[NO-PRIV] Querying <C:\windows\notepad.exe> SecurityDescriptor without SACL
Traceback (most recent call last):
File "test.py", line 11, in <module>
sd = windows.security.SecurityDescriptor.from_filename(TARGET)
File "C:\Users\admin\AppData\Local\Programs\Python\Python38\lib\site-packages\pythonforwindows-0.6.0-py3.8.egg\windows\security.py", line 877, in from_filename
return cls._from_name_and_type(filename, gdef.SE_FILE_OBJECT, flags=flags, query_sacl=query_sacl)
File "C:\Users\admin\AppData\Local\Programs\Python\Python38\lib\site-packages\pythonforwindows-0.6.0-py3.8.egg\windows\security.py", line 823, in _from_name_and_type
winproxy.GetNamedSecurityInfoA(
File "C:\Users\admin\AppData\Local\Programs\Python\Python38\lib\site-packages\pythonforwindows-0.6.0-py3.8.egg\windows\winproxy\apis\advapi32.py", line 176, in GetNamedSecurityInfoA
return GetNamedSecurityInfoA.ctypes_function(pObjectName, ObjectType, SecurityInfo, ppsidOwner, ppsidGroup, ppDacl, ppSacl, ppSecurityDescriptor)
File "C:\Users\admin\AppData\Local\Programs\Python\Python38\lib\site-packages\pythonforwindows-0.6.0-py3.8.egg\windows\winproxy\apiproxy.py", line 99, in perform_call
return self._cprototyped(*args)
ctypes.ArgumentError: argument 1: <class 'TypeError'>: wrong type
The padding of a parameter depends on its size and should not always be aligned on 4 bytes.
cf. Alignment of Primitive Types - DCE 1.1
An example of an RPC server to test this bug: RPC_Test.zip
The request is accepted but the RPC server does not receive the correct parameter values.
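DCE 1.1 NDR aligns every primitive on its own size (1, 2, 4 or 8 bytes) relative to the start of the stub data, so a marshaller that always pads to 4 bytes produces a buffer whose hyper (8-byte) values land at the wrong offsets while the request itself is still well-formed. The following is an added example, not PythonForWindows' RPC code: a minimal little-endian marshaller whose `fixed_alignment` parameter reproduces the always-4-bytes behaviour the report describes, and a conforming unmarshaller that shows what a server would read from each buffer. The parameter list is a constructed sample.

```python
import struct

# NDR primitive types used here: (struct format, size in bytes).
# DCE 1.1 NDR aligns each primitive on a multiple of its own size.
NDR_PRIMITIVES = {
    "small": ("B", 1),
    "short": ("H", 2),
    "long": ("I", 4),
    "hyper": ("Q", 8),
}


def align_up(offset, alignment):
    return (offset + alignment - 1) & ~(alignment - 1)


def ndr_marshal(params, fixed_alignment=None):
    """Marshal (type, value) pairs little-endian. With fixed_alignment=None each
    primitive is padded to its natural boundary (conforming); fixed_alignment=4
    pads every parameter to 4 bytes, the behaviour reported as the bug."""
    out = bytearray()
    for ndr_type, value in params:
        fmt, size = NDR_PRIMITIVES[ndr_type]
        pad = align_up(len(out), fixed_alignment or size) - len(out)
        out += b"\x00" * pad
        out += struct.pack("<" + fmt, value)
    return bytes(out)


def ndr_unmarshal(types, data):
    """Server side: decode with natural alignment, as a conforming stub does."""
    values, offset = [], 0
    for ndr_type in types:
        fmt, size = NDR_PRIMITIVES[ndr_type]
        offset = align_up(offset, size)
        values.append(struct.unpack_from("<" + fmt, data, offset)[0])
        offset += size
    return values


# Constructed sample call: small, short, long, hyper.
ARGS = [("small", 1), ("short", 2), ("long", 3), ("hyper", 4)]
ARG_TYPES = [t for t, _ in ARGS]


def server_sees(fixed_alignment=None):
    """What the server decodes from a client using the given padding rule."""
    return ndr_unmarshal(ARG_TYPES, ndr_marshal(ARGS, fixed_alignment))


if __name__ == "__main__":
    print(ndr_marshal(ARGS).hex())       # 01000200030000000400000000000000
    print(ndr_marshal(ARGS, 4).hex())    # 0100000002000000030000000400000000000000
    print(server_sees())                 # [1, 2, 3, 4]
    print(server_sees(4))                # [1, 0, 2, 17179869187]
```

With natural alignment the four values occupy 16 bytes and decode back unchanged; with 4-byte padding the short and long are shifted and the hyper is read from the middle of the buffer, which is the "request accepted, wrong parameter values" symptom. Real stubs also honour the data representation label in the PDU header (endianness), which the example fixes to little-endian.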
I'm wondering if there are any Windows APIs available to monitor the CPU usage and per-process CPU, memory and disk usage as shown by the Windows Task Manager. The solution may not be quite straightforward, but this would be a good addition to the library, and I really liked the simple interface provided by this library to work with Windows from Python.
Thanks for the library, and expecting more awesome feature additions.
Using the API ReadFile(), the call is not blocked before the server writes data.
Client, Python version:
import ctypes
import windows
import windows.pipe
import windows.generated_def as gdef

pipe_name = "dotnetest_py"
pipe_full_name = windows.pipe.full_pipe_address(pipe_name)
pipe_handle = windows.winproxy.CreateFileA(pipe_full_name,
                                           dwDesiredAccess=gdef.GENERIC_READ | gdef.GENERIC_WRITE,
                                           dwShareMode=gdef.FILE_SHARE_WRITE | gdef.FILE_SHARE_READ)
# Receive buffer sized for one ctypes.c_bool (1 byte).
bool_receive = ctypes.create_string_buffer(ctypes.sizeof(ctypes.c_bool))
windows.winproxy.ReadFile(pipe_handle, bool_receive)
test1 = ctypes.c_bool.from_buffer(bool_receive).value
# prints True
print(test1)
if test1:
    windows.winproxy.ReadFile(pipe_handle, bool_receive)
    test2 = ctypes.c_bool.from_buffer(bool_receive).value
    # prints False
    print(test2)
Server, C++ version:
WCHAR pipeName[] = L"\\\\.\\pipe\\dotnetest_py";
HANDLE pipehandle = CreateNamedPipeW(pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT, 255, 256 * 1024, 16, INFINITE, NULL);
BOOL result = TRUE;   // BOOL is a 4-byte int
DWORD byteswritten;
// write twice
WriteFile(pipehandle, &result, sizeof(result), &byteswritten, NULL);
WriteFile(pipehandle, &result, sizeof(result), &byteswritten, NULL);
I tried writing the client in C++, and it's OK: the client is blocked. But when I try to debug the Python program, I find it isn't blocked.
What is the problem? I am new to Python. I think the pipe is a system mechanism and it couldn't be wrong. Is something missing in my code?
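Before suspecting the pipe itself, it is worth comparing the record sizes on the two ends: the C++ server writes a BOOL, a 4-byte int, per WriteFile, while the Python client reads sizeof(ctypes.c_bool), which is 1 byte, per ReadFile. A PIPE_TYPE_BYTE pipe has no message boundaries, so two 1-byte reads consume the first two bytes of the first BOOL (01 then 00) and the rest stays queued. The following added example, not the poster's code and not a PythonForWindows API, replays that exchange against an in-memory byte stream standing in for the pipe, with both buffer sizes, so it runs on any platform.

```python
import ctypes
import io
import struct

WIN32_BOOL = ctypes.c_int      # BOOL on the C++ side: 4 bytes
ONE_BYTE_BOOL = ctypes.c_bool  # ctypes.c_bool is a C99 _Bool: 1 byte


def server_bytes(values):
    """Byte stream the C++ server produces: one 4-byte BOOL per WriteFile."""
    return b"".join(struct.pack("<i", 1 if v else 0) for v in values)


def read_one(stream, ctype):
    """One read with a buffer of sizeof(ctype), as in the posted client."""
    size = ctypes.sizeof(ctype)
    chunk = stream.read(size)
    if len(chunk) < size:
        raise EOFError("short read: %d of %d bytes" % (len(chunk), size))
    return bool(ctype.from_buffer_copy(chunk).value)


def simulate_client(ctype, count=2):
    """Replay the exchange against a constructed stand-in for a byte-mode pipe
    (the server writes TRUE twice). Returns the values read and the number of
    bytes still queued afterwards."""
    pipe = io.BytesIO(server_bytes([True, True]))
    values = [read_one(pipe, ctype) for _ in range(count)]
    return values, len(pipe.read())


if __name__ == "__main__":
    print(simulate_client(ONE_BYTE_BOOL))  # ([True, False], 6)
    print(simulate_client(WIN32_BOOL))     # ([True, True], 0)
```

Reading with a 4-byte buffer (or a c_int) consumes one BOOL per ReadFile and leaves nothing queued; with the 1-byte buffer the second read returns the zero byte of the first BOOL, which matches the True/False the client prints. Sizing the receive buffer to the sender's type is the check to make before looking at blocking behaviour.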
The latest version of PythonForWindows fixes some bugs. I need it on PyPI to avoid installing the git version from setup.py for my software.
Could you make a new release on PyPI please?
I have an issue with this library. In order to keep it simple I minimized the code with an example from PythonForWindows.
The following code works on python2:
import ctypes
import windows
from windows.dbgprint import dbgprint
from windows.generated_def import PROCESS_INFORMATION, STARTUPINFOA

def create_process(path, args=None, dwCreationFlags=0, show_windows=True):
    """A convenient wrapper around :func:`windows.winproxy.CreateProcessA`"""
    proc_info = PROCESS_INFORMATION()
    lpStartupInfo = None
    if show_windows:
        StartupInfo = STARTUPINFOA()
        StartupInfo.cb = ctypes.sizeof(StartupInfo)
        StartupInfo.dwFlags = 0
        lpStartupInfo = ctypes.byref(StartupInfo)
    lpCommandLine = None
    if args:
        lpCommandLine = (b" ".join([a for a in args]))
    windows.winproxy.CreateProcessA(path, lpCommandLine=lpCommandLine, dwCreationFlags=dwCreationFlags, lpProcessInformation=ctypes.byref(proc_info), lpStartupInfo=lpStartupInfo)
    dbgprint("CreateProcessA new process handle {:#x}".format(proc_info.hProcess), "HANDLE")
    dbgprint("CreateProcessA new thread handle {:#x}".format(proc_info.hThread), "HANDLE")
    dbgprint("Automatic close of thread handle {:#x}".format(proc_info.hThread), "HANDLE")
    windows.winproxy.CloseHandle(proc_info.hThread)  # Give access to a WinThread in addition of the WinProcess ?
    return windows.winobject.process.WinProcess(pid=proc_info.dwProcessId, handle=proc_info.hProcess)

create_process("C:/Users/MYNAME-TRUNCATED/Desktop/coucou-printf.exe")
I can see the expected output ("hello world").
Sadly, launched with python3.9, the same code returns:
File "C:\Users\MYNAME-TRUNCATED\PycharmProjects\pythonProject\main.py", line 26, in <module>
create_process("C:/Users/MYNAME-TRUNCATED/Desktop/coucou-printf.exe")
File "C:\Users\MYNAME-TRUNCATED\PycharmProjects\pythonProject\main.py", line 19, in create_process
windows.winproxy.CreateProcessA(path, lpCommandLine=lpCommandLine, dwCreationFlags=dwCreationFlags, lpProcessInformation=ctypes.byref(proc_info), lpStartupInfo=lpStartupInfo)
File "C:\Users\MYNAME-TRUNCATED\PycharmProjects\pythonProject\venv\lib\site-packages\windows\winproxy\apis\kernel32.py", line 50, in CreateProcessA
return CreateProcessA.ctypes_function(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation)
File "C:\Users\MYNAME-TRUNCATED\PycharmProjects\pythonProject\venv\lib\site-packages\windows\winproxy\apiproxy.py", line 99, in perform_call
return self._cprototyped(*args)
ctypes.ArgumentError: argument 1: <class 'TypeError'>: wrong type
Process finished with exit code 1
Then I realized that this issue has to be fixed in this library in order to fix my issue in my project.
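Both this report and the query_sacl one above end in the same ctypes error, `ArgumentError: argument 1: <class 'TypeError'>: wrong type`, which is what ctypes raises when an argument declared as c_char_p (an LPCSTR of an "A" API) is given a Python 3 str: c_char_p accepts bytes or None, c_wchar_p accepts str. The following is an added example, not PythonForWindows code: two Python callbacks wrapped in CFUNCTYPE prototypes act as assumed stand-ins for an "A" and a "W" entry point, so the argument checking is the one a real winproxy call performs while nothing native is loaded, and `to_lpcstr` shows the conversion a caller (or a wrapper) has to make.

```python
import ctypes
import sys

# Assumed stand-ins for an "A" (LPCSTR -> c_char_p) and a "W" (LPCWSTR -> c_wchar_p)
# entry point. ctypes checks arguments against the prototype exactly as it does for
# a function loaded from a DLL, so the acceptance rules below are the real ones.
ANSI_PROTO = ctypes.CFUNCTYPE(ctypes.c_size_t, ctypes.c_char_p)
WIDE_PROTO = ctypes.CFUNCTYPE(ctypes.c_size_t, ctypes.c_wchar_p)


def _name_length(name):
    # Reached only once ctypes has accepted the argument: bytes, str or None.
    return 0 if name is None else len(name)


fake_api_a = ANSI_PROTO(_name_length)
fake_api_w = WIDE_PROTO(_name_length)


def to_lpcstr(value):
    """Turn a Python 3 str into what c_char_p accepts; bytes pass through."""
    if isinstance(value, bytes):
        return value
    # The ANSI code page on Windows; UTF-8 elsewhere (assumption, for portability).
    return value.encode("mbcs" if sys.platform == "win32" else "utf-8")


def accepted_by(value):
    """Which prototype takes `value` unchanged: "A", "W" or None."""
    for tag, fn in (("A", fake_api_a), ("W", fake_api_w)):
        try:
            fn(value)
            return tag
        except ctypes.ArgumentError:
            continue
    return None


def call_ansi(path):
    """Call the "A" stand-in the way it must be called under Python 3."""
    return fake_api_a(to_lpcstr(path))


if __name__ == "__main__":
    print(accepted_by("notepad.exe"))    # W
    print(accepted_by(b"notepad.exe"))   # A
    print(call_ansi("notepad.exe"))      # 11
```

Under Python 2 a str is already bytes, which is why the posted code ran there and fails on 3.9. The two fixes are the ones `to_lpcstr` and `accepted_by` illustrate: encode the path to bytes before an "A" call, or call the "W" variant with the str.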
Hey,
winproxy.py is not present in the dev branch, is that expected? Is it supposed to be generated?
I added some stuff to kernel32.py, ran generate.py and setup.py, but since winproxy.py is missing I am not able to use my newly added functions.
$ python LoadLibrary.py
Traceback (most recent call last):
File "LoadLibrary.py", line 4, in <module>
import windows
File "C:\Python27\lib\site-packages\pythonforwindows-0.4-py2.7.egg\windows\__init__.py", line 19, in <module>
from windows import winproxy
ImportError: cannot import name winproxy
So I edited setup.py to include windows.winproxy and windows.winproxy.apis in the packages list:
setup(
    # [...]
    packages = ['windows',
                'windows.crypto',
                'windows.debug',
                'windows.generated_def',
                'windows.native_exec',
                'windows.rpc',
                'windows.utils',
                'windows.winobject',
                'windows.winproxy',        # <----- Added package
                'windows.winproxy.apis'],  # <----- Added package
    classifiers = ['Programming Language :: Python :: 2 :: Only',
                   'Programming Language :: Python :: 2.7']
)
Now it works, but I am not sure if it is the intended way?
Thanks
After my program I got:
Exception ignored in: <function Process.__del__ at 0x000002812A617E50>
Traceback (most recent call last):
  File "windows\winobject\handle.py", line 117, in __del__
AttributeError: 'NoneType' object has no attribute 'CloseHandle'
I think this is an issue in the library PythonForWindows at the line https://github.com/hakril/PythonForWindows/blob/master/windows/winobject/handle.py#L117 because __del__ is tricky and should be avoided.
I have not yet located the place in my code where the issue occurs. I have to spend time to find it. This could be a typo for _handle.
Hi,
There are still some basestring uses in the codebase without the corresponding pycompat import, making it raise an exception when used on Python 3.
Files impacted:
I didn't test all of them, only several (event_log.py and process.py).
Hello,
Sorry if this package is not intended for ARM64, but I had to use it on that architecture and unfortunately I got some errors.
When trying to get the PEB for a process, I get the following error:
File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 18, in prop
return getattr(self, cache_name)
AttributeError: 'WinProcess' object has no attribute '_bitness'. Did you mean: 'bitness'?
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 18, in prop
return getattr(self, cache_name)
AttributeError: 'WinProcess' object has no attribute '_is_wow_64'. Did you mean: 'is_wow_64'?
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 18, in prop
return getattr(self, cache_name)
AttributeError: 'CurrentProcess' object has no attribute '_peb'. Did you mean: 'peb'?
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<pyshell#1>", line 1, in <module>
peb = windows.WinProcess(5148).peb
File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 1155, in peb
if windows.current_process.bitness == 64 and self.bitness == 32:
File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 20, in prop
setattr(self, cache_name, f(self))
File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 84, in bitness
if self.is_wow_64:
File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 20, in prop
setattr(self, cache_name, f(self))
File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 74, in is_wow_64
return utils.is_wow_64(self.limited_handle)
File "C:\Python311\Lib\site-packages\windows\utils\winutils.py", line 41, in is_wow_64
fnIsWow64Process = get_func_addr("kernel32.dll", "IsWow64Process")
File "C:\Python311\Lib\site-packages\windows\utils\winutils.py", line 24, in get_func_addr
modules = windows.current_process.peb.modules
File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 20, in prop
setattr(self, cache_name, f(self))
File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 649, in peb
return PEB.from_address(self.get_peb_builtin()())
OSError: [WinError -1073741795] Windows Error 0xc000001d
From what I can see, the PEB is retrieved from FS:[0x30] on Win32 and from GS:[0x60] on x64. However, for ARM64, a __getReg(18) on 0x60 would be needed.
https://gist.github.com/ReneNyffenegger/74d1416242750e002ba4bb8fb1f4681e
Could you please add this code for getting the PEB on ARM64?
Thank you!
At the end of my program that uses an instance of WinProcess, I get this bug:
Exception ignored in: <function Process.__del__ at 0x000001F608807160>
Traceback (most recent call last):
  File "C:\Users\ME\Desktop\pwntools\venv\lib\site-packages\windows\winobject\process.py", line 513, in __del__
TypeError: super() argument 1 must be type, not None
The line in question is super(Process, self).__del__(), because the class Process is already cleaned up when deleted again.
I see a patch like:
if self is not None:
    super(Process, self).__del__()
Hi there,
Is there any option to use a client certificate for x509 purposes using these libraries ?
Hey there - cool project!
I want to use this in a project I'm working on, but am unsure how I would go about hooking the IAT in a remote process.
I've followed your example to see if it would work for me, but I see that this is not (yet?) implemented:
Traceback (most recent call last):
File "<redacted>", line 74, in <module>
iat_create_file[0].set_hook(createfile_callback)
File "<redacted>\venv\lib\site-packages\windows\pe_parse.py", line 181, in set_hook
raise NotImplementedError("Setting hook in remote process (use python code injection)")
NotImplementedError: Setting hook in remote process (use python code injection)
"use python code injection"
Do you have an example of how you would go about replicating your sample code via Python code injection the same way?
Specifically, how would I go about hooking CreateFileA like you've done locally:
@CreateFileACallback
def createfile_callback(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile, real_function):
    print("Trying to open {0}".format(lpFileName))
    if "secret" in lpFileName:
        return 0xffffffff
    return real_function()
but in a remote process?
It seems like in the file samples/alpc/simple_alpc.py there is an error which causes it not to run.
For one, there are many references to print without parentheses; not sure if this is intended, but it does not run without them, so I added them beforehand.
Second, every time I run it unmodified (apart from the edit mentioned above), I get this error:
C:\####\pywin\samples\alpc>py simple_alpc.py
[SERV] PORT <\RPC Control\PythonForWindowsPORT> CREATED
Client pid = 2836
[SERV] Message type = 0x200a
[SERV] Received data: <b''>
[SERV] Connection request
[CLIENT] Connected: <windows.alpc.AlpcClient object at 0x000001DFF3AAE7D0>
Traceback (most recent call last):
File "C:\####\pywin\samples\alpc\simple_alpc.py", line 48, in <module>
alpc_client()
File "C:\####\pywin\samples\alpc\simple_alpc.py", line 39, in alpc_client
response = client.send_receive("Hello world !")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\####\Python\Python311\site-packages\windows\alpc.py", line 310, in send_receive
alpc_message.port_message.data = raw_alpc_message
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\####\Python\Python311\site-packages\windows\alpc.py", line 164, in write_data
self.raw_buffer[self.header_size: self.header_size + len(data)] = data
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: one character bytes, bytearray or integer expected
It seems like you cannot use regular strings with the message data and must instead use bytes.
So, the solution is simply to replace the string with bytes any time msg.data is set:
response = client.send_receive(b"Hello world !") # ln 39
msg.data = str.encode("REQUEST '{0}' DONE".format(msg.data)) # ln 28
If you approve this issue, I will create a pull request so that this can be updated.
It seems like this is related to #38. The author of the pull request attempts to solve the issue by modifying the alpc.py API, whereas my solution was to modify the sample simple_alpc.py.
Hello,
Thank you for this project 👍
For information, do you know when a Python 3 version will be released?
Regards,
I have a program that works perfectly when tested on 32-bit binaries but fails on 64-bit ones.
On the 64-bit binary, this part https://github.com/gogo2464/pwintools/blob/port_to_python3/pwintools.py#L562 fails and prints:
[*] ReadProcessMemory: [WinError 299] Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
[*] Process <Process "MYEXE.exe" pid 15236 (DEAD) at 0x15b6a2c00a0> not initialized ...
I think then this is an issue with PythonForWindows.
There's some sort of syntax error when running python .\setup.py install:
[2:49:17 PM] ~/Documents/Code/PythonForWindows> python .\setup.py install
Extracting PythonForWindows-0.4-py3.6.egg to c:\python36\lib\site-packages
File "c:\python36\lib\site-packages\PythonForWindows-0.4-py3.6.egg\windows\generated_def\windef.py", line 2038
ERROR_EVT_INVALID_CHANNEL_PATH = make_flag("ERROR_EVT_INVALID_CHANNEL_PATH", 15000L)
^
SyntaxError: invalid syntax
Adding PythonForWindows 0.4 to easy-install.pth file
Installed c:\python36\lib\site-packages\pythonforwindows-0.4-py3.6.egg
Processing dependencies for PythonForWindows==0.4
Finished processing dependencies for PythonForWindows==0.4
[2:48:26 PM] ~/Documents/Code/PythonForWindows>
Hello,
I am using Python 2.7 (x86 version) and version 0.5 of PythonForWindows (from pip) on Windows 10.
When I try to use create_thread() from an x86 process, more exactly NtCreateThreadEx_32_to_64(), for creating/executing a new thread in (another) x64 process, I get the following error:
[...]
File ".\test.py", line 193, in testRemoteThread
winProcess.create_thread(addr=reflectiveLoader, param=0)
File "C:\Python27\lib\site-packages\pythonforwindows-0.5-py2.7.egg\windows\winobject\process.py", line 1040, in create_thread
windows.syswow64.NtCreateThreadEx_32_to_64(ThreadHandle=byref(thread_handle) ,ProcessHandle=self.handle, lpStartAddress=addr, lpParameter=param)
File "C:\Python27\lib\site-packages\pythonforwindows-0.5-py2.7.egg\windows\syswow64.py", line 260, in NtCreateThreadEx_32_to_64
return NtCreateThreadEx_32_to_64.ctypes_function(ThreadHandle, DesiredAccess, ObjectAttributes, ProcessHandle, lpStartAddress, lpParameter, CreateSuspended, dwStackSize, Unknown1, Unknown2, Unknown3)
File "C:\Python27\lib\site-packages\pythonforwindows-0.5-py2.7.egg\windows\syswow64.py", line 232, in perform_call
return self.raw_call(*args)
File "C:\Python27\lib\site-packages\pythonforwindows-0.5-py2.7.egg\windows\syswow64.py", line 138, in wrapper
return native_caller()
WindowsError: exception: access violation writing 0x00000000
The targeted process is a notepad.exe (x64), for example.
There is no error before this function when I use virtual_alloc(), write_memory() and virtual_protect(), for example.
Do you have an idea? Is there a problem with NtCreateThreadEx_32_to_64() from an x86 process to an x64 process?
Thank you in advance for your help,
Regards,
Hi, I'm not an expert, but I think the definition of the Test instruction does not match the x86 documentation.
https://en.wikipedia.org/wiki/X86_instruction_listings#Original_8086/8088_instructions
Instruction | Meaning | Notes | Opcode |
---|---|---|---|
TEST | Logical compare (AND) | (1) r/m & r/imm; (2) r & m/imm; | 0x84, 0x84, 0xA8, 0xA9, 0xF6/0, 0xF7/0 |
class Test(Instruction):
    encoding = [(RawBits.from_int(8, 0xf7), Slash(7), Imm32()),
                (RawBits.from_int(8, 0x85), ModRM([ModRM_REG__REG, ModRM_REG__MEM], has_direction_bit=False))]
I think it should be (notice Slash(0)):
class Test(Instruction):
    encoding = [(RawBits.from_int(8, 0xf7), Slash(0), Imm32()),
                (RawBits.from_int(8, 0x85), ModRM([ModRM_REG__REG, ModRM_REG__MEM], has_direction_bit=False))]
Snippet:
x86.Test("EBX", 0x01) should produce: f7c3 0100 0000
Again, as I said, I'm not an expert, but if I'm right it should be fixed for x64 too, I guess.
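F7 is a group opcode: the three `reg` bits of the ModRM byte are not a register but an opcode extension (the `/digit`), and TEST r/m32, imm32 is F7 /0. The following added example, not simple_x86's encoder, builds the ModRM byte by hand so the effect of the digit is visible: with /0 and EBX the ModRM is 11 000 011 = C3, giving the f7c3 01000000 the report expects, whereas /7 gives 11 111 011 = FB, which is the IDIV r/m32 encoding from the same group. The REX.W prefix variant covers the 64-bit form the report asks about.

```python
import struct

REG32 = {"EAX": 0, "ECX": 1, "EDX": 2, "EBX": 3, "ESP": 4, "EBP": 5, "ESI": 6, "EDI": 7}

# Opcode F7 ("group 3"): ModRM.reg selects the instruction. /1 is left out; /0 is TEST.
F7_GROUP = {0: "TEST", 2: "NOT", 3: "NEG", 4: "MUL", 5: "IMUL", 6: "DIV", 7: "IDIV"}


def modrm(mod, reg, rm):
    """Assemble a ModRM byte: 2 bits mod, 3 bits reg (or /digit), 3 bits r/m."""
    return (mod << 6) | (reg << 3) | rm


def encode_test_reg_imm32(reg, imm, slash=0, rex_w=False):
    """TEST r/m32, imm32 is F7 /0 id (register-direct: mod=11). `slash` is a
    parameter only so a wrong digit can be demonstrated; rex_w=True prefixes
    REX.W (0x48) for the 64-bit register form."""
    prefix = b"\x48" if rex_w else b""
    return prefix + bytes([0xF7, modrm(0b11, slash, REG32[reg])]) + struct.pack("<I", imm & 0xFFFFFFFF)


def encode_test_reg_reg(dst, src):
    """TEST r/m32, r32 is 85 /r: reg = source register, r/m = destination.
    There is no direction bit; the 84/85 pair differs only in operand size."""
    return bytes([0x85, modrm(0b11, REG32[src], REG32[dst])])


def f7_mnemonic(code):
    """Name the group-3 instruction that starts `code` (F7 followed by ModRM)."""
    if len(code) < 2 or code[0] != 0xF7:
        raise ValueError("not an F7 group opcode")
    return F7_GROUP.get((code[1] >> 3) & 7, "???")


if __name__ == "__main__":
    print(encode_test_reg_imm32("EBX", 1).hex())           # f7c301000000
    print(f7_mnemonic(encode_test_reg_imm32("EBX", 1, slash=7)))  # IDIV
    print(encode_test_reg_imm32("EBX", 1, rex_w=True).hex())  # 48f7c301000000
```

The /7 variant shows why the bug is silent at assembly time: F7 FB is a valid instruction (IDIV EBX), so nothing fails until the injected code divides instead of testing and the immediate bytes are executed as the next instruction.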
My Windows is 64-bit, and when running a 64-bit process, thread.teb_base is okay.
But when I run a 32-bit process, thread.teb_base is wrong, because it is not the same as the x32dbg result:
My code result:
My Python code:
import windows

targetProcess = None
processList = windows.system.enumerate_processes()
for process in processList:
    print("process name:", process.name)
    # HWorks32.exe
    if process.name == "HWorks32.exe":
        targetProcess = process
threadList = targetProcess.threads
for thread in threadList:
    teb = thread.teb_base
    print("teb:", hex(teb))
I am sure the x32dbg result is right, because I actually want to get stackBaseAddress from the TEB:
stackBaseAddress = process.read_ptr(teb + 4)
The above code would get some 0x0 stackBaseAddress and would throw an exception if I read it, but in x32dbg, when I search it manually, the result is okay.
And you can find that the difference between the x32dbg TEB and the code result is 0x2000! It means that I can add 0x2000 to every TEB in my code and get the true TEB!