[Tutor] ctypes wintypes
Michael C
mysecretrobotfactory at gmail.com
Fri Oct 6 18:36:23 EDT 2017
I think I pieced together what you have been helping me with, but this
still raise a error
I have been loosely following this guide:
https://www.codeproject.com/articles/716227/csharp-how-to-scan-a-process-memory
>code start.
import ctypes
from ctypes.wintypes import WORD, DWORD, LPVOID
PVOID = LPVOID
SIZE_T = ctypes.c_size_t
# https://msdn.microsoft.com/en-us/library/aa383751#DWORD_PTR
if ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulonglong):
DWORD_PTR = ctypes.c_ulonglong
elif ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulong):
DWORD_PTR = ctypes.c_ulong
class SYSTEM_INFO(ctypes.Structure):
"""https://msdn.microsoft.com/en-us/library/ms724958"""
class _U(ctypes.Union):
class _S(ctypes.Structure):
_fields_ = (('wProcessorArchitecture', WORD),
('wReserved', WORD))
_fields_ = (('dwOemId', DWORD), # obsolete
('_s', _S))
_anonymous_ = ('_s',)
_fields_ = (('_u', _U),
('dwPageSize', DWORD),
('lpMinimumApplicationAddress', LPVOID),
('lpMaximumApplicationAddress', LPVOID),
('dwActiveProcessorMask', DWORD_PTR),
('dwNumberOfProcessors', DWORD),
('dwProcessorType', DWORD),
('dwAllocationGranularity', DWORD),
('wProcessorLevel', WORD),
('wProcessorRevision', WORD))
_anonymous_ = ('_u',)
LPSYSTEM_INFO = ctypes.POINTER(SYSTEM_INFO)
Kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
Kernel32.GetSystemInfo.restype = None
Kernel32.GetSystemInfo.argtypes = (LPSYSTEM_INFO,)
sysinfo = SYSTEM_INFO()
Kernel32.GetSystemInfo(ctypes.byref(sysinfo))
print(sysinfo.lpMinimumApplicationAddress)
print(sysinfo.lpMaximumApplicationAddress)
# maybe it will change, maybe it won't. Assuming it won't.
# 2nd, get Open process.
PID = 1234
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,
False, PID)
print('process:', Process)
# 3rd
class MEMORY_BASIC_INFORMATION(ctypes.Structure):
"""https://msdn.microsoft.com/en-us/library/aa366775"""
_fields_ = (('BaseAddress', PVOID),
('AllocationBase', PVOID),
('AllocationProtect', DWORD),
('RegionSize', SIZE_T),
('State', DWORD),
('Protect', DWORD),
('Type', DWORD))
##PMEMORY_BASIC_INFORMATION = ctypes.POINTER(MEMORY_BASIC_INFORMATION)
mbi = MEMORY_BASIC_INFORMATION()
##sysinfo.lpMinimumApplicationAddress
print('VirtualQueryEx ran properly?',Kernel32.VirtualQueryEx(Process, \
None, ctypes.byref(mbi),ctypes.sizeof(mbi)))
# sysinfo.lpMinimumApplicationAddress replaced by None
print('')
print('mbi start')
print('mbi.BaseAddress: ',mbi.BaseAddress)
print('mbi.AllocationBase: ',mbi.AllocationBase)
print('mbi.AllocationProtect: ',mbi.AllocationProtect)
print('mbi.RegionSize: ',mbi.RegionSize)
print('mbi.State: ',mbi.State)
print('mbi.Protect: ', mbi.Protect)
print('mbi.Type: ',mbi.Type)
buffer = ctypes.create_string_buffer(mbi.RegionSize)
nread = SIZE_T()
start = ctypes.c_void_p(mbi.BaseAddress)
##start_pointer = ctypes.byref(start)
ReadProcessMemory = Kernel32.ReadProcessMemory
if ReadProcessMemory(Process, start, ctypes.byref(buffer), \
ctypes.sizeof(buffer), ctypes.byref(nread)):
print('buffer is: ',buffer)
else:
raise ctypes.WinError(ctypes.get_last_error())
# once I figure out read process memory, I'll combine it with virtual
process memory.
# if they don't equal to that, then it's time to move to the next thing?
# Don't do read memory yet.
# make it traverse through all memory and print out when protect and state
# are both true.
##
##MEM_COMMIT = 0x00001000;
##PAGE_READWRITE = 0x04;
##
##current_address = sysinfo.lpMinimumApplicationAddress
##end_address = sysinfo.lpMaximumApplicationAddress
##
##while current_address < end_address:
## Kernel32.VirtualQueryEx(Process, \
## current_address, ctypes.byref(mbi),ctypes.sizeof(mbi))
##
## if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT :
## print(current_address)
## print('Both are true')
##
##
## current_address += mbi.RegionSize
On Fri, Oct 6, 2017 at 3:29 PM, eryk sun <eryksun at gmail.com> wrote:
> On Fri, Oct 6, 2017 at 11:05 PM, Michael C
> <mysecretrobotfactory at gmail.com> wrote:
> > For this read process memory, if I am trying compose a LPCVOID
> > lpBaseAddress, am I not making a variable that equals to
> mbi.BaseAddress,
> > and then making a pointer pointing to it?
> >
> > start_address = mbi.BaseAddress
> > LPCVOID = ctypes.byref(start_address)
>
> LPCVOID is a pointer type; don't use it as a variable name because
> it's confusing to someone who's reading your code.
>
> The `BaseAddress` field is an LPVOID, which is an alias for
> ctypes.c_void_p. Simple C types such as c_void_p are automatically
> converted to Python native types such as int, bytes, and str. It's
> fine that mbi.BaseAddress is a Python int. With argtypes defined for
> ReadProcessMemory, ctypes will convert the int back to a void pointer
> for you automatically.
>
More information about the Tutor
mailing list