Gray Hat Python learning log 6

Aaaaah, spent the whole day on this today and finally got the damn thing working.


Topic: software breakpoints (INT3)


First, a quick review of the theory. An INT3 breakpoint replaces the first byte of the instruction at the breakpoint address with 0xCC and saves the original byte. When execution reaches the 0xCC the process stops; once the breakpoint has been handled, the original byte is written back.


Experiment: run print_loop.py, which is an infinite loop that keeps calling printf from msvcrt to print data. Then find the address of the printf function and set a software breakpoint there.


The APIs needed here are:

GetModuleHandle: obtain a module handle from the DLL's name

GetProcAddress: find the address of a function from the module handle and the function name

ReadProcessMemory: read from the target process's memory

WriteProcessMemory: write to the target process's memory


The problems I ran into:

1. When I first attached to python.exe it kept failing with error 50. Cause: the Python 3.4 I installed is 32-bit, but the python invoked from cmd was the 64-bit Python 2.7 installed earlier, and a 32-bit debugger can't debug a 64-bit process. Fixed by manually putting print_loop.py in the python34 folder and running it from there.

2. Whatever printf printed, it all came out as L. Yep, same as mentioned before; switched to wprintf.

3. GetModuleHandleA couldn't get the handle. Sigh, wide characters again, you know the drill; changed it to GetModuleHandleW.

4. GetProcAddress couldn't get the function address. This function has no A/W suffix, but the function name among its parameters is a string too, so it still has to be converted to bytes: func_resolve("msvcrt.dll", b"wprintf")

5. c_data = c_char_p((data[count.value:])) raised:

TypeError: bytes or integer address expected instead of str instance

This one took me ages. The cause is the same again, heh: data is the input string "\xCC", and Python 3 uses wide-character strings by default, so it just needs to be converted to bytes: b"\xCC"
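As an added example (my code, not the book's or this post's), here is the INT3 bookkeeping the theory paragraph describes, together with the str-versus-bytes check from problem 5. The read_mem/write_mem callables and the constructed prologue bytes are assumptions standing in for ReadProcessMemory/WriteProcessMemory on a real Windows target, so the block runs anywhere.

```python
from ctypes import c_char_p

INT3 = b"\xCC"  # the one-byte software-breakpoint opcode


def to_bytes(data):
    """Python 3 str must be encoded before it can reach ctypes or WriteProcessMemory."""
    return data if isinstance(data, bytes) else data.encode("latin-1")


def ctypes_accepts(data):
    """True if ctypes takes `data` as a C char*: b"\\xCC" works, "\\xCC" raises TypeError."""
    try:
        c_char_p(data)
        return True
    except TypeError:
        return False


class SoftwareBreakpoints:
    """INT3 bookkeeping over a target's memory, given read/write callables.
    On Windows these would wrap ReadProcessMemory/WriteProcessMemory (assumption)."""

    def __init__(self, read_mem, write_mem):
        self.read_mem, self.write_mem = read_mem, write_mem
        self.saved = {}  # address -> original first byte of the instruction

    def bp_set(self, address):
        if address in self.saved:  # already armed; never save 0xCC as the "original"
            return False
        self.saved[address] = self.read_mem(address, 1)
        self.write_mem(address, to_bytes(INT3))
        return True

    def handle_exception(self, exception_address):
        """Called for EXCEPTION_BREAKPOINT; returns True if the breakpoint was ours."""
        if exception_address not in self.saved:
            return False  # e.g. the loader's initial breakpoint in ntdll
        self.write_mem(exception_address, self.saved.pop(exception_address))
        # A real debugger also sets EIP back to exception_address so the restored
        # instruction executes, and single-steps if the breakpoint is to be re-armed.
        return True


def fake_process_memory(image):
    """Constructed stand-in for the target: a bytearray plus read/write callables."""
    mem = bytearray(image)
    def read_mem(addr, n):
        return bytes(mem[addr:addr + n])
    def write_mem(addr, data):
        mem[addr:addr + len(data)] = data
    return mem, read_mem, write_mem
```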


Finally, the results of the experiment:

Enter pid:282432
OpenProcess Successful, HANDLE 512
Get Module Handle 1963786240
Get Address: 0x75147960
[*]Address of wprintf: 0x75147960
[*] Setting breakpoint at: 0x75147960
Event Code: 3 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 2 Thread ID: 266556
Event Code: 2 Thread ID: 271532
Event Code: 2 Thread ID: 292040
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 6 Thread ID: 261240
Event Code: 2 Thread ID: 263080
Event Code: 1 Thread ID: 263080
[*] Exception address: 0x77e68d20
[*] Hit the first breakpoint.
Event Code: 4 Thread ID: 263080
Event Code: 1 Thread ID: 261240
[*] Exception address: 0x75147960
[*] Hit user defined breakpoint.
Event Code: 2 Thread ID: 307348
Event Code: 2 Thread ID: 262828
Event Code: 4 Thread ID: 292040
Event Code: 4 Thread ID: 271532
Event Code: 4 Thread ID: 266556
Event Code: 2 Thread ID: 277180
Event Code: 4 Thread ID: 262828
Event Code: 4 Thread ID: 307348
You can see it found the address of wprintf, 0x75147960, and then caught and handled (that is, printed) the breakpoint that fired at that location.


Six hours today taught me: when working with Python 3 strings, always remember to convert the encoding.
