我正在使用 ctypes
并尝试使用 NtQueryInformationProcess
函数获取 PEB
地址。
返回值为0,表示函数成功完成。
但 PROCESS_BASIC_INFORMATION
结构(作为第三个参数给出)不包含 PEB
地址。
class PROCESS_BASIC_INFORMATION(Structure):
_fields_ = [
("Reserved1", c_void_p),
("PebBaseAddress", DWORD),
("Reserved2", c_void_p * 2),
("UniqueProcessId", DWORD),
("Reserved3", c_void_p)]
ntdll = WinDLL('ntdll')
NTSTATUS = LONG
ntdll.argtypes = [HANDLE, DWORD, c_void_p, DWORD, PDWORD]
ntdll.restype = NTSTATUS
processInformation = PROCESS_BASIC_INFORMATION()
processInformationLength = sizeof(PROCESS_BASIC_INFORMATION)
result = ntdll.NtQueryInformationProcess(hProcess, 0, processInformation, processInformationLength, byref(DWORD(0)))
考虑一下返回值为 0 的事实,可能是什么问题?
最佳答案
列表[Python 3.Docs]: ctypes - A foreign function library for Python .
您为错误对象 (ntdll) 定义了argtypes 和restype。您应该为
ntdll.NtQueryInformationProcess
定义它们。当我们在这里时,很明显您喜欢DWORD。即使在这种情况下没有什么区别,请保持函数签名与来自 C 的函数签名一致:ntdll.NtQueryInformationProcess.argtypes = [HANDLE, c_int, c_void_p, ULONG, PULONG] ntdll.NtQueryInformationProcess.restype = NTSTATUS
未能在函数上定义argtypes和restype(或做得不正确),可能(并且很可能会)导致:
根据[MS.Docs]: NtQueryInformationProcess function (强调是我的):
ProcessInformation
A pointer to a buffer supplied by the calling application into which the function writes the requested information.
因此,您的调用应该类似于(通过引用传递processInformation):
result = ntdll.NtQueryInformationProcess(hProcess, 0, byref(processInformation), processInformationLength, byref(DWORD(0)))
根据同一页面,您的结构定义不正确。应该是:
class PROCESS_BASIC_INFORMATION(Structure): _fields_ = [ ("Reserved1", c_void_p), ("PebBaseAddress", c_void_p), ("Reserved2", c_void_p * 2), ("UniqueProcessId", c_void_p), ("Reserved3", c_void_p), ]
您的版本(在64位上)短了8个字节(因为DWORD和指针之间的(2)大小差异),导致传递的缓冲区太短函数,这是U未定义的B行为(它可能导致崩溃)。
关于python - Ctypes-无法使用 NtQueryInformationProcess 获取 PEB 地址,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57740201/