如何正确调用CreateProcessW?

问题描述

这是我的代码:

from ctypes import *
# CreateProcess dwCreationFlags values used by this script.
DEBUG_PROCESS = 0x00000001
CREATE_NEW_CONSOLE = 0x00000010

# ctypes spellings of the Win32 typedefs referenced by the structures below.
WORD = c_ushort          # 16-bit unsigned
DWORD = c_ulong          # 32-bit unsigned on Windows (c_ulong is 4 bytes there)
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)  # narrow (ANSI) string pointer, matching CreateProcessA
HANDLE = c_void_p        # opaque, pointer-sized kernel handle
class STARTUPINFO(Structure):
    """ctypes mirror of the Win32 STARTUPINFO record handed to CreateProcessA.

    This script only fills in cb, dwFlags and wShowWindow; ctypes leaves the
    other fields zero-initialised.
    """

    _fields_ = [
        ("cb", DWORD),                 # size of this structure in bytes
        ("lpReserved", LPTSTR),
        ("lpDesktop", LPTSTR),
        ("lpTitle", LPTSTR),
        ("dwX", DWORD),
        ("dwY", DWORD),
        ("dwXSize", DWORD),
        ("dwYSize", DWORD),
        ("dwXCountChars", DWORD),
        ("dwYCountChars", DWORD),
        ("dwFillAttribute", DWORD),
        ("dwFlags", DWORD),            # STARTF_* bit mask
        ("wShowWindow", WORD),         # SW_* value, honoured when STARTF_USESHOWWINDOW is set
        ("cbReserved2", WORD),
        ("lpReserved2", LPBYTE),
        ("hStdInput", HANDLE),
        ("hStdOutput", HANDLE),
        ("hStdError", HANDLE),
    ]
class PROCESS_INFORMATION(Structure):
    """ctypes mirror of Win32 PROCESS_INFORMATION, filled in by CreateProcess.

    hProcess/hThread are kernel handles owned by the caller; dwProcessId is
    the PID this script prints after a successful launch.
    """

    _fields_ = [
        ("hProcess", HANDLE),
        ("hThread", HANDLE),
        ("dwProcessId", DWORD),
        ("dwThreadId", DWORD),
    ]


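# Load kernel32 with use_last_error=True so ctypes snapshots the thread's
# last-error value immediately after every call. Reading it later through a
# plain windll.kernel32.GetLastError() can be clobbered by Win32 calls that
# ctypes itself makes in between, which makes the printed error code unreliable.
kernel32 = WinDLL('kernel32', use_last_error=True)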
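class debugger():
    """Launches an executable under the debugger via kernel32.CreateProcessA.

    The child is created with DEBUG_PROCESS, so the calling Python process
    becomes its debugger; as the answer below notes, the debuggee is torn
    down when this Python process exits.
    """

    def __init__(self):
        pass

    # staticmethod so that both ``debugger.load(path)`` (the call used in this
    # script, which fails as an unbound method on Python 2) and
    # ``debugger().load(path)`` work.
    @staticmethod
    def load(path_to_exe):
        """Start *path_to_exe* as a hidden, debugged process and print its PID.

        Args:
            path_to_exe: Path to the executable as ``bytes`` or ``str``; a
                ``str`` is encoded with the ANSI code page because the narrow
                (A) API is called.
        """
        creation_flags = DEBUG_PROCESS
        startupinfo = STARTUPINFO()
        processinfo = PROCESS_INFORMATION()
        startupinfo.dwFlags = 0x1      # STARTF_USESHOWWINDOW: honour wShowWindow
        startupinfo.wShowWindow = 0x0  # SW_HIDE
        startupinfo.cb = sizeof(startupinfo)

        # CreateProcessA takes a narrow string; a str would otherwise be
        # handed over as wchar_t* and the path garbled.
        if not isinstance(path_to_exe, bytes):
            path_to_exe = path_to_exe.encode('mbcs')

        # Declare the prototype: without argtypes ctypes passes every argument
        # as a 32-bit int and truncates the byref() pointers on 64-bit Python,
        # which is what produces 0x3e6 (ERROR_NOACCESS) on a 64-bit interpreter.
        create_process = kernel32.CreateProcessA
        create_process.argtypes = (c_char_p, c_char_p, c_void_p, c_void_p, c_int, DWORD,
                                   c_void_p, c_char_p, POINTER(STARTUPINFO),
                                   POINTER(PROCESS_INFORMATION))
        create_process.restype = c_int

        if create_process(path_to_exe, None, None, None, False, creation_flags,
                          None, None, byref(startupinfo), byref(processinfo)):
            print("[*] Process launched")
            # Read the PID from the filled instance; the class attribute of the
            # same name is a field descriptor, not a number.
            print("[*] PID: %d" % (processinfo.dwProcessId))
        else:
            # Read the error code right after the failed call.
            print("[*] Error: 0x%08x." % (kernel32.GetLastError()))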

# Smoke test: launch the calculator under the debugger.
target = "C:\\WINDOWS\\system32\\calc.exe"
debugger.load(target)

我现在实际上正在关注灰帽Python,当我阅读它时,我正在将这段代码转换为python2.7。

每当我运行它时,都会出现错误:[*]错误:0x000003e6。

但是当我的朋友在他的计算机上尝试这段代码时,他可以得到: [*] 我们已成功启动该流程! [*] PID: 1208

我们的系统都是64位windows7。

任何帮助将不胜感激!


你们都安装了 64 位 Python 吗?

应该在您的函数上设置 .argtypes 和 .restype,否则 ctypes 默认把参数当作 32 位整数传递。在 64 位 Python 上,这会截断您的 byref 值,而它们是 64 位指针。

作为参考,这里有一个经过全面测试的版本,适用于 Python 2 和 3(32 位和 64 位):

from __future__ import print_function, unicode_literals

from ctypes import *
from ctypes.wintypes import BYTE, WORD, DWORD, LPWSTR, LPCWSTR, HANDLE, LPVOID, BOOL

# Pointer type used by STARTUPINFOW.lpReserved2.
LPBYTE = POINTER(BYTE)

# CreateProcess dwCreationFlags values.
DEBUG_PROCESS = 0x00000001
CREATE_NEW_CONSOLE = 0x00000010

# STARTUPINFOW.dwFlags bit and the matching wShowWindow value.
STARTF_USESHOWWINDOW = 0x00000001
SW_HIDE = 0

class STARTUPINFOW(Structure):
    """ctypes mirror of the wide-character Win32 STARTUPINFOW record.

    Used as the lpStartupInfo argument of CreateProcessW; load() sets cb,
    dwFlags and wShowWindow and leaves everything else zero.
    """

    _fields_ = [
        ('cb', DWORD),                # structure size in bytes
        ('lpReserved', LPWSTR),
        ('lpDesktop', LPWSTR),
        ('lpTitle', LPWSTR),
        ('dwX', DWORD),
        ('dwY', DWORD),
        ('dwXSize', DWORD),
        ('dwYSize', DWORD),
        ('dwXCountChars', DWORD),
        ('dwYCountChars', DWORD),
        ('dwFillAttribute', DWORD),
        ('dwFlags', DWORD),           # STARTF_* bit mask
        ('wShowWindow', WORD),        # SW_* value, used when STARTF_USESHOWWINDOW is set
        ('cbReserved2', WORD),
        ('lpReserved2', LPBYTE),
        ('hStdInput', HANDLE),
        ('hStdOutput', HANDLE),
        ('hStdError', HANDLE),
    ]

class PROCESS_INFORMATION(Structure):
    """ctypes mirror of Win32 PROCESS_INFORMATION, filled in by CreateProcessW.

    hProcess/hThread are kernel handles returned to the caller; dwProcessId
    is the PID printed by load().
    """

    _fields_ = [
        ('hProcess', HANDLE),
        ('hThread', HANDLE),
        ('dwProcessId', DWORD),
        ('dwThreadId', DWORD),
    ]

class SECURITY_ATTRIBUTES(Structure):
    """ctypes mirror of Win32 SECURITY_ATTRIBUTES.

    Only needed here to type the two lpProcessAttributes/lpThreadAttributes
    pointer arguments of CreateProcessW; load() passes None for both.
    """

    _fields_ = [
        ('nLength', DWORD),                 # structure size in bytes
        ('lpSecurityDescriptor', LPVOID),
        ('bInheritHandle', BOOL),
    ]

# Pointer types for the structure arguments of CreateProcessW, so that
# byref(...) values are passed as real pointers rather than truncated ints.
LPSTARTUPINFOW = POINTER(STARTUPINFOW)
LPPROCESS_INFORMATION = POINTER(PROCESS_INFORMATION)
LPSECURITY_ATTRIBUTES = POINTER(SECURITY_ATTRIBUTES)

def boolcheck(result, func, args):
    """ctypes ``errcheck`` hook for BOOL-returning Win32 functions.

    Returns None when *result* is non-zero (so the wrapped call itself
    evaluates to None) and raises ``WinError`` built from ``get_last_error()``
    otherwise. ``func`` and ``args`` are required by the errcheck protocol
    and are not used.
    """
    if result:
        return None
    raise WinError(get_last_error())

# use_last_error=True makes ctypes snapshot GetLastError() right after each
# call, so boolcheck's get_last_error() reports CreateProcessW's own code.
kernel32 = WinDLL('kernel32', use_last_error=True)

# Bind the wide-character CreateProcessW and declare its full prototype.
# Without argtypes ctypes passes every argument as a 32-bit int and truncates
# the byref() pointers on 64-bit Python.
CreateProcess = kernel32.CreateProcessW
CreateProcess.argtypes = [
    LPCWSTR,                # lpApplicationName
    LPWSTR,                 # lpCommandLine
    LPSECURITY_ATTRIBUTES,  # lpProcessAttributes
    LPSECURITY_ATTRIBUTES,  # lpThreadAttributes
    BOOL,                   # bInheritHandles
    DWORD,                  # dwCreationFlags
    LPVOID,                 # lpEnvironment
    LPCWSTR,                # lpCurrentDirectory
    LPSTARTUPINFOW,         # lpStartupInfo
    LPPROCESS_INFORMATION,  # lpProcessInformation
]
CreateProcess.restype = BOOL
CreateProcess.errcheck = boolcheck  # raises WinError instead of returning FALSE

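def load(path_to_exe):
    """Start *path_to_exe* hidden and under the debugger; return its process info.

    Args:
        path_to_exe: Path of the executable; CreateProcessW takes a wide string.

    Returns:
        The filled ``PROCESS_INFORMATION``. This function does not close the
        ``hProcess``/``hThread`` handles it contains; the caller owns them and
        should release them with ``kernel32.CloseHandle`` once no longer needed
        (previously the structure was discarded and both handles leaked).

    Raises:
        OSError: raised by the ``boolcheck`` errcheck hook (``WinError``) when
            CreateProcessW fails.
    """
    creation_flags = DEBUG_PROCESS
    startupinfo = STARTUPINFOW()
    processinfo = PROCESS_INFORMATION()
    # Honour wShowWindow and start the process with its window hidden.
    startupinfo.dwFlags = STARTF_USESHOWWINDOW
    startupinfo.wShowWindow = SW_HIDE
    # cb carries the structure size the API expects.
    startupinfo.cb = sizeof(startupinfo)
    # boolcheck raises on a FALSE result, so no return-value test is needed.
    CreateProcess(path_to_exe, None, None, None, False, creation_flags,
                  None, None, byref(startupinfo), byref(processinfo))
    print('[*] Process launched')
    print('[*] PID: {}'.format(processinfo.dwProcessId))
    return processinfo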

# Smoke test: launch the calculator under the debugger.
target = r'C:\windows\system32\calc.exe'
load(target)

请注意,OP 使用了 SW_HIDE 和 DEBUG_PROCESS:前者不会显示进程窗口,后者会在 Python 进程退出时一并终止被调试的进程,因此只能看到成功消息。在脚本末尾用 input() 暂停一下,该进程就会出现在任务管理器中。
