devbox
小小林熬夜学编程
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

关于Python灰帽子中debugger.attach()不成功解决方法_debugger attached package报错

作者:小小林熬夜学编程 | 2024-03-22 11:49:49

debugger attached package报错
本人第一次写博客,写的不好见谅。


最近在做PythonGreyHat中的实验,发现第三章的debugger.attach()一直不成功,返回信息一直为

[*]unable to attach to the process.

[*]ErrorCode:0x0000005


ErrorCode是kernel32.GetLastError()返回的,查得是拒绝访问。


解决方法是提权。我在my_debugger.py中定义了提权方法:enableDebugPrivilege()


我的my_debugger_defines.py:

  1. from ctypes import *
  2.  
  3. BYTE 	=	c_ubyte
  4. WORD 	= 	c_ushort
  5. DWORD   = 	c_ulong
  6. LPBYTE 	= 	POINTER(c_ubyte)
  7. LPTSTR 	=	POINTER(c_char)
  8. HANDLE 	=	c_void_p
  9. PVOID 	=	c_void_p
  10. LPVOID 	= 	c_void_p
  11. UINT_PTR=	c_ulong
  12. SIZE_T	=	c_ulong
  13.  
  14. LONG = c_long
  15.  
  16.  
  17. DEBUG_PROCESS 	= 	0x01
  18. CREATE_NEW_CONSOLE	=	0X010
  19. PROCESS_ALL_ACCESS	=	0x001f0fff
  20. INFINITE			=	0xFFFFFFFF
  21. DBG_CONTINUE		=	0x00010002
  22.  
  23. EXCEPTION_DEBUG_EVENT      =    0x1
  24. CREATE_THREAD_DEBUG_EVENT  =    0x2
  25. CREATE_PROCESS_DEBUG_EVENT =    0x3
  26. EXIT_THREAD_DEBUG_EVENT    =    0x4
  27. EXIT_PROCESS_DEBUG_EVENT   =    0x5
  28. LOAD_DLL_DEBUG_EVENT       =    0x6
  29. UNLOAD_DLL_DEBUG_EVENT     =    0x7
  30. OUTPUT_DEBUG_STRING_EVENT  =    0x8
  31. RIP_EVENT                  =    0x9
  32.  
  33. EXCEPTION_ACCESS_VIOLATION     = 0xC0000005
  34. EXCEPTION_BREAKPOINT           = 0x80000003
  35. EXCEPTION_GUARD_PAGE           = 0x80000001
  36. EXCEPTION_SINGLE_STEP          = 0x80000004
  37.  
  38. TH32CS_SNAPHEAPLIST = 0x00000001
  39. TH32CS_SNAPPROCESS  = 0x00000002
  40. TH32CS_SNAPTHREAD   = 0x00000004
  41. TH32CS_SNAPMODULE   = 0x00000008
  42. TH32CS_INHERIT      = 0x80000000
  43. TH32CS_SNAPALL      = (TH32CS_SNAPHEAPLIST | TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD | TH32CS_SNAPMODULE)
  44. THREAD_ALL_ACCESS   = 0x001F03FF
  45.  
  46. CONTEXT_FULL                   = 0x00010007
  47. CONTEXT_DEBUG_REGISTERS        = 0x00010010
  48.  
  49. PAGE_EXECUTE_READWRITE         = 0x00000040
  50.  
  51. HW_ACCESS                      = 0x00000003
  52. HW_EXECUTE                     = 0x00000000
  53. HW_WRITE                       = 0x00000001
  54.  
  55. PAGE_NOACCESS                  = 0x00000001
  56. PAGE_READONLY                  = 0x00000002
  57. PAGE_READWRITE                 = 0x00000004
  58. PAGE_WRITECOPY                 = 0x00000008
  59. PAGE_EXECUTE                   = 0x00000010
  60. PAGE_EXECUTE_READ              = 0x00000020
  61. PAGE_EXECUTE_READWRITE         = 0x00000040
  62. PAGE_EXECUTE_WRITECOPY         = 0x00000080
  63. PAGE_GUARD                     = 0x00000100
  64. PAGE_NOCACHE                   = 0x00000200
  65. PAGE_WRITECOMBINE              = 0x00000400
  66.  
  67.  
  68.  
  69. class EXCEPTION_RECORD(Structure):
  70.     pass
  71.    
  72. EXCEPTION_RECORD._fields_ = [
  73.         ("ExceptionCode",        DWORD),
  74.         ("ExceptionFlags",       DWORD),
  75.         ("ExceptionRecord",      POINTER(EXCEPTION_RECORD)),
  76.         ("ExceptionAddress",     PVOID),
  77.         ("NumberParameters",     DWORD),
  78.         ("ExceptionInformation", UINT_PTR * 15),
  79.         ]
  80.  
  81. class _EXCEPTION_RECORD(Structure):
  82.     _fields_ = [
  83.         ("ExceptionCode",        DWORD),
  84.         ("ExceptionFlags",       DWORD),
  85.         ("ExceptionRecord",      POINTER(EXCEPTION_RECORD)),
  86.         ("ExceptionAddress",     PVOID),
  87.         ("NumberParameters",     DWORD),
  88.         ("ExceptionInformation", UINT_PTR * 15),
  89.         ]
  90.  
  91. # Exceptions
  92. class EXCEPTION_DEBUG_INFO(Structure):
  93.     _fields_ = [
  94.         ("ExceptionRecord",    EXCEPTION_RECORD),
  95.         ("dwFirstChance",      DWORD),
  96.         ]
  97.    
  98. # it populates this union appropriately
  99. class DEBUG_EVENT_UNION(Union):
  100.     _fields_ = [
  101.         ("Exception",         EXCEPTION_DEBUG_INFO),
  102. #        ("CreateThread",      CREATE_THREAD_DEBUG_INFO),
  103. #        ("CreateProcessInfo", CREATE_PROCESS_DEBUG_INFO),
  104. #        ("ExitThread",        EXIT_THREAD_DEBUG_INFO),
  105. #        ("ExitProcess",       EXIT_PROCESS_DEBUG_INFO),
  106. #        ("LoadDll",           LOAD_DLL_DEBUG_INFO),
  107. #        ("UnloadDll",         UNLOAD_DLL_DEBUG_INFO),
  108. #        ("DebugString",       OUTPUT_DEBUG_STRING_INFO),
  109. #        ("RipInfo",           RIP_INFO),
  110.         ]  
  111.  
  112. # DEBUG_EVENT describes a debugging event
  113. # that the debugger has trapped
  114. class DEBUG_EVENT(Structure):
  115.     _fields_ = [
  116.         ("dwDebugEventCode", DWORD),
  117.         ("dwProcessId",      DWORD),
  118.         ("dwThreadId",       DWORD),
  119.         ("u",                DEBUG_EVENT_UNION),
  120.         ]
  121.  
  122. class STARTUPINFO(Structure):
  123. 	_fields_=[
  124. 		("cb",			DWORD),
  125. 		("lpReserved",	LPTSTR),
  126. 		("lpDesktop",	LPTSTR),
  127. 		("lpTitle",		LPTSTR),
  128. 		("dwX",			DWORD),
  129. 		("dwY",			DWORD),
  130. 		("dwXSize",		DWORD),
  131. 		("dwYSize",		DWORD),
  132. 		("dwXCountChars",DWORD),
  133. 		("dwYCountChars",DWORD),
  134. 		("dwFillAttribute",DWORD),
  135. 		("dwFlags",		DWORD),
  136. 		("wShowWindow",	WORD),
  137. 		("cbReserved2",	WORD),
  138. 		("lpReserved2",	LPBYTE),
  139. 		("hStdInput",	HANDLE),
  140. 		("hStdOutput",	HANDLE),
  141. 		("hStdError",	HANDLE),
  142. 	]
  143.  
  144. class PROCESS_INFORMATION(Structure):
  145. 	_fields_=[
  146. 		("hProcess",	HANDLE),
  147. 		("hThread",		HANDLE),
  148. 		("dwProcessId",	DWORD),
  149. 		("dwThreadId",	DWORD),
  150. 	]
  151.  
  152.  
  153. class DEBUG_EVENT(Structure):
  154. 	_fields_=[
  155. 		("dwDebugEventCode",DWORD),
  156. 		("dwProcessId",DWORD),
  157. 		("dwThreadId",DWORD),
  158. 		]
  159. class FLOATING_SAVE_AREA(Structure):
  160. 	_fields_=[
  161. 		("ControlWord",	c_ulong),
  162. 		("StatusWord",	c_ulong),
  163. 		("TagWord",	c_ulong),
  164. 		("ErrorOffset",	c_ulong),
  165. 		("ErrorSelector",	c_ulong),
  166. 		("DataOffset",	c_ulong),
  167. 		("DataSelector",	c_ulong),
  168. 		("RegisterArea",	80*c_ubyte),
  169. 		("Cr0NpxState",	c_ulong),
  170. 	]
  171.  
  172. class CONTEXT(Structure):
  173. 	_fields_=[
  174. 		("ContextFlags",	DWORD),
  175. 		("Dr0", DWORD),
  176. 		("Dr1", DWORD),
  177. 		("Dr2", DWORD),
  178. 		("Dr3", DWORD),
  179. 		("Dr6", DWORD),
  180. 		("Dr7", DWORD),
  181. 		("FloatSave",	FLOATING_SAVE_AREA),
  182. 		("SegGs",DWORD),
  183. 		("SegFs",DWORD),
  184. 		("SegEs",DWORD),
  185. 		("SegDs",DWORD),
  186. 		("Edi",DWORD),
  187. 		("Esi",DWORD),
  188. 		("Ebx",DWORD),
  189. 		("Edx",DWORD),
  190. 		("Ecx",DWORD),
  191. 		("Eax",DWORD),
  192. 		("Ebp",DWORD),
  193. 		("Eip",DWORD),
  194. 		("SegCs",DWORD),
  195. 		("EFlags",DWORD),
  196. 		("Esp",DWORD),
  197. 		("SegSs",DWORD),
  198. 		("ExtendedRegisters",512*BYTE),
  199. 	]
  200.  
  201. class LUID(Structure):
  202. 	_fields_=[
  203. 		("LowPart",DWORD),
  204. 		("HighPart",LONG),
  205. 	]
  206.  
  207. class LUID_AND_ATTRIBUTES(Structure):
  208. 	_fields_=[
  209. 		("Luid", LUID),
  210. 		("Attributes",DWORD),
  211. 	]
  212. class TOKEN_PRIVILEGES(Structure):
  213. 	_fields_=[
  214. 		("PrivilegeCount",DWORD),
  215. 		("Privileges",LUID_AND_ATTRIBUTES*1),
  216. 	]

我的my_debugger.py中:

1.class debugger()增加的内容:

  1. 	def enableDebugPrivilege(self):
  2. 		advapi32 = windll.LoadLibrary("Advapi32.dll")
  3. 		hToken=HANDLE()
  4.  
  5. 		if advapi32.OpenProcessToken(kernel32.GetCurrentProcess(),0x20,byref(hToken)):
  6. 			tp=TOKEN_PRIVILEGES()
  7. 			tp.PrivilegeCount=1
  8. 			if not advapi32.LookupPrivilegeValueA(0,"SeDebugPrivilege",byref(tp.Privileges[0].Luid)):
  9. 				print("[*]can't lookup privilege value.")
  10. 				print("[*]errorcode:0x%08x."%kernel32.GetLastError())
  11. 				return False
  12.  
  13. 			tp.Privileges[0].Attributes=0X02
  14. 			if not advapi32.AdjustTokenPrivileges(hToken,0,byref(tp),sizeof(tp),0,0):
  15. 				print("[*]can't adjust privilege value.")
  16. 				print("[*]errorcode:0x%08x."%kernel32.GetLastError())
  17. 				return False
  18.  
  19. 			kernel32.CloseHandle(hToken)
  20. 			return True
  21. 		else:
  22. 			print("[*]can't open process token.")
  23. 			print("[*]error code:0x%08x."%kernel32.GetLastError())
  24. 			return False

2.将debugger()中attach的定义添加一句: 

  1. 	def attach(self,pid):
  2.  
  3. 		if not self.enableDebugPrivilege():
  4. 			return False
  5.  
  6. 		self.h_process=self.open_process(pid)

本人较粗心,上述代码可能有错误,所以请纠正。希望能帮到你。



声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小小林熬夜学编程/article/detail/287949?site
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号