Comments (3)
langway
commented on July 30, 2024
BTW:
My OS is windows10 X64,
Anaconda python 2.7.13 32 bits
thanks
from winappdbg.
MarioVilas
commented on July 30, 2024
Hi! The problem here is in using the ctypes pointer types. Ctypes assumes all pointer types point to data within your own process memory (a reasonable assumption!) which is not true in this case - your string is in another process, so you cannot read it directly with ctypes.
You need to use WinAppDbg to fetch the string from the debugee's memory. You can define your hook to use void* types for all pointers so ctypes will just give you the address but not try to access the memory. Then just pass the address to process.read_string() to get the actual string.
http://winappdbg.sourceforge.net/doc/v1.5/reference/winappdbg.process.Process-class.html#read_string
Cheers!
from winappdbg.
langway
commented on July 30, 2024
Hi,Mario Vilas:
Thanks a lot for your rapidlly response! I understand that the string is really a pointer which should be used to "extract" the real string from the process. But when I use process.read_string(), I found another problem appears: character "a" will be extract as "D", "b" will be extract as "E", "1" will be extract as "x14",and so on.
I use your code in "WinAppDbg Documentation Release 1.4",only change peek() to read_string() :
#------------------------------------------------------------------------------
# BOOL TextOut(
# __in HDC hdc,
# __in int nXStart,
# __in int nYStart,
# __in LPCTSTR lpString,
# __in int cbString
# );
def TextOutA(event, ra, hdc, nXStart, nYStart, lpString, cbString):
log_ansi(event, "TextOutA", lpString, cbString)
def TextOutW(event, ra, hdc, nXStart, nYStart, lpString, cbString):
log_wide(event, "TextOutW", lpString, cbString)
# BOOL ExtTextOut(
# __in HDC hdc,
# __in int X,
# __in int Y,
# __in UINT fuOptions,
# __in const RECT * lprc,
# __in LPCTSTR lpString,
# __in UINT cbCount,
# __in const INT * lpDx
# );
def ExtTextOutA(event, ra, hdc, X, Y, fuOptions, lprc, lpString, cbCount, lpDx):
log_ansi(event, "ExtTextOutA", lpString, cbCount)
def ExtTextOutW(event, ra, hdc, X, Y, fuOptions, lprc, lpString, cbCount, lpDx):
log_wide(event, "ExtTextOutW", lpString, cbCount)
# typedef struct _POLYTEXT {
# int x;
# int y;
# UINT n;
# LPCTSTR lpstr;
# UINT uiFlags;
# RECT rcl;
# int * pdx;
# } POLYTEXT,* PPOLYTEXT;
class POLYTEXT(Structure):
_fields_ = [
('x', c_int),
('y', c_int),
('n', c_uint),
('lpstr', c_void_p),
('uiFlags', c_uint),
('rcl', c_uint*4),
('pdx', POINTER(c_int)),
]
# BOOL PolyTextOut(
# __in HDC hdc,
# __in const POLYTEXT * pptxt,
# __in int cStrings
# );
def PolyTextOutA(event, ra, hdc, pptxt, cStrings):
process = event.get_process()
sizeof_polytext = sizeof(POLYTEXT)
while cStrings:
txt = process.read_structure(pptxt, POLYTEXT)
log_ansi(event, "PolyTextOutA", txt.lpstr, txt.n)
pptxt = pptxt + sizeof_polytext
cStrings = cStrings - 1
def PolyTextOutW(event, ra, hdc, pptxt, cStrings):
process = event.get_process()
sizeof_polytext = sizeof(POLYTEXT)
while cStrings:
txt = process.read_structure(pptxt, POLYTEXT)
log_wide(event, "PolyTextOutW", txt.lpstr, txt.n)
pptxt = pptxt + sizeof_polytext
cStrings = cStrings - 1
#------------------------------------------------------------------------------
def log_ansi(event, fn, lpString, nCount):
if lpString and nCount:
if c_int(nCount).value == -1:
lpString = event.get_process().read_string(lpString, fUnicode = False)
else:
lpString = event.get_process().read_string(lpString, nCount)
print (DebugLog.log_text("%s( %r );" % (fn, lpString)))
def log_wide(event, fn, lpString, nCount):
if lpString and nCount:
if c_int(nCount).value == -1:
lpString = event.get_process().read_string(lpString, fUnicode = True)
else:
# lpString = event.get_process().peek(lpString, nCount * 2)
# lpString = unicode(lpString, 'U16', 'strict')
lpString=event.get_process().read_string(lpString, nCount,fUnicode = True)
print (DebugLog.log_text("%s( %r );" % (fn, lpString)))
class MyEventHandler( EventHandler ):
def load_dll(self, event):
pid = event.get_pid()
module = event.get_module()
if module.match_name("gdi32.dll"):
event.debug.hook_function(pid, module.resolve("TextOutA"), TextOutA, paramCount = 5)
event.debug.hook_function(pid, module.resolve("TextOutW"), TextOutW, paramCount = 5)
event.debug.hook_function(pid, module.resolve("ExtTextOutA"), ExtTextOutA, paramCount = 8)
event.debug.hook_function(pid, module.resolve("ExtTextOutW"), ExtTextOutW, paramCount = 8)
event.debug.hook_function(pid, module.resolve("PolyTextOutA"), PolyTextOutA, paramCount = 2)
event.debug.hook_function(pid, module.resolve("PolyTextOutW"), PolyTextOutW, paramCount = 2)
def simple_debugger(argv):
print (DebugLog.log_text("Trace started on %s" % argv[0]))
debug = Debug(MyEventHandler())
try:
debug.execv(argv)
debug.loop()
finally:
debug.stop()
print (DebugLog.log_text("Trace stopped on %s" % argv[0]))
if __name__=="__main__":
program_to_debug="c:\\windows\\system32\\notepad.exe"
sys.argv.append(program_to_debug)
simple_debugger(sys.argv[1:])
Can you help me to figure it out where I was wrong! Thanks!
Alex Liang
from winappdbg.
Related Issues (20)
- Missing write_string function HOT 1
- Re-implement the strings() feature
- unresolved references in gdi32.py HOT 3
- typo in breakpoint.py HOT 1
- Hooks cleared HOT 9
- read_word, read_ushort
- [question] Can I attach process at starting time? HOT 2
- Thread.get_linear_address could also take a numeric selector HOT 1
- Thread.get_linear_address doesn't take into account the segment's granularity HOT 2
- no unicode write for process write HOT 1
- Module.get_symbol_from_list: local variable 'SymbolStartName' referenced before assignment HOT 5
- Has any plan to support python 3.x? HOT 1
- How to write hex data๏ผ HOT 5
- anomaly api_hook signature HOT 2
- Is there any function to read pointer data such as [rax]? HOT 1
- WinAppDbg shuts down before programm finishes HOT 1
- sql code is broken HOT 4
- .NET CLR exception filtering? HOT 1
- Can't concat str to bytes error when using _peek_c_type in the Process class HOT 3
- does this project port to python 3? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from winappdbg.