1. 首页
  2. 问答
  3. Win 64bit GetThreadContext返回zeroe'd输出寄存器,或0x57错误代码

Win 64bit GetThreadContext返回zeroe'd输出寄存器,或0x57错误代码

2013-07-06 117 views
3

我正在使用Windows 7 64位机器(我有管理员权限)。我使用PyDev ctypes for Python的Python 2.7(64位)来尝试读取与特定PID关联的所有线程中的寄存器值(尝试了在64和32位模式下运行的进程的PID) ,但是当我这样做时,寄存器的值全部为零。当我使用Wow64GetThreadContext,呼叫失败,GetLastError返回0x00000057(“无效参数”根据MSDN)Win 64bit GetThreadContext返回zeroe'd输出寄存器,或0x57错误代码

我连接到进程顺利,枚举线程(通过CreateToolhelp32Snapshot),发现了由过程与所拥有的线程适当的PID,并尝试获取线程上下文。这里是我开的线程和获取线程上下文代码:

打开一个线程:

def open_thread(self, thread_id): 
    h_thread = kernel32.OpenThread(THREAD_ALL_ACCESS, None, thread_id)

获取上下文:

def get_thread_context(self, thread_id = None, h_thread = None): 

    context = CONTEXT() 
    context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS 

    #alternatively, for 64 
    context64 = WOW64_CONTEXT() 
    context64.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS 

    #Obtain a handle to the thread 
    if h_thread is None: 
     self.h_thread = self.open_thread(thread_id) 

    kernel32.SuspendThread(self.h_thread) 

    if kernel32.GetThreadContext(self.h_thread, byref(context)): 
     kernel32.ResumeThread(self.h_thread) 
     return context 
    else: 
     kernel32.ResumeThread(self.h_thread) 
     return False

我打电话使用此代码:

debugger.attach(int(pid)) 

#debugger.run() 

list = debugger.enumerate_threads() 

for thread in list: 
thread_context = debugger.get_thread_context(thread) 

    if thread_context == False: 
     print "[*] Thread context is false..." 
    else: 
     print "[*] Dumping registers for thread ID: 0x%08x" % thread 
     print "[**] Eip: 0x%016x" % thread_context.Eip 
     print "[**] Esp: 0x%016x" % thread_context.Esp 
     print "[**] Ebp: 0x%016x" % thread_context.Ebp 
     print "[**] Eax: 0x%016x" % thread_context.Eax 
     print "[**] Ebx: 0x%016x" % thread_context.Ebx 
     print "[**] Ecx: 0x%016x" % thread_context.Ecx 
     print "[**] Edx: 0x%016x" % thread_context.Edx 
     print "[*] End DUMP" 

debugger.detach()

当我使用CONTEXT结构使用GetThreadContext运行此代码时,我得到上下文对象bac k为每个线程,但寄存器值都为零。

我曾尝试(与Wow64SuspendThread和分别为SuspendThread)取代GetThreadContextWow64GetThreadContext,但我这样做的时候,呼叫失败,错误“无效参数”。我给Wow64GetThreadContext的参数与我给GetThreadContext的参数相同,除了我提供的代码中的变量名称(这是因为当我在WinNT.h中查看它们的定义时,它们是相同的(除非我错过了。东西),我定义这些结构方式如下:

class WOW64_CONTEXT(Structure): 
_fields_ = [ 

    ("ContextFlags", DWORD), 
    ("Dr0", DWORD), 
    ("Dr1", DWORD), 
    ("Dr2", DWORD), 
    ("Dr3", DWORD), 
    ("Dr6", DWORD), 
    ("Dr7", DWORD), 
    ("FloatSave", WOW64_FLOATING_SAVE_AREA), 
    ("SegGs", DWORD), 
    ("SegFs", DWORD), 
    ("SegEs", DWORD), 
    ("SegDs", DWORD), 
    ("Edi", DWORD), 
    ("Esi", DWORD), 
    ("Ebx", DWORD), 
    ("Edx", DWORD), 
    ("Ecx", DWORD), 
    ("Eax", DWORD), 
    ("Ebp", DWORD), 
    ("Eip", DWORD), 
    ("SegCs", DWORD), 
    ("EFlags", DWORD), 
    ("Esp", DWORD), 
    ("SegSs", DWORD), 
    ("ExtendedRegisters", BYTE * 512), 
] 

class WOW64_FLOATING_SAVE_AREA(Structure): 
_fields_ = [ 

    ("ControlWord", DWORD), 
    ("StatusWord", DWORD), 
    ("TagWord", DWORD), 
    ("ErrorOffset", DWORD), 
    ("ErrorSelector", DWORD), 
    ("DataOffset", DWORD), 
    ("DataSelector", DWORD), 
    ("RegisterArea", BYTE * 80), 
    ("Cr0NpxState", DWORD), 
] 

class CONTEXT(Structure): 
_fields_ = [ 

    ("ContextFlags", DWORD), 
    ("Dr0", DWORD), 
    ("Dr1", DWORD), 
    ("Dr2", DWORD), 
    ("Dr3", DWORD), 
    ("Dr6", DWORD), 
    ("Dr7", DWORD), 
    ("FloatSave", FLOATING_SAVE_AREA), 
    ("SegGs", DWORD), 
    ("SegFs", DWORD), 
    ("SegEs", DWORD), 
    ("SegDs", DWORD), 
    ("Edi", DWORD), 
    ("Esi", DWORD), 
    ("Ebx", DWORD), 
    ("Edx", DWORD), 
    ("Ecx", DWORD), 
    ("Eax", DWORD), 
    ("Ebp", DWORD), 
    ("Eip", DWORD), 
    ("SegCs", DWORD), 
    ("EFlags", DWORD), 
    ("Esp", DWORD), 
    ("SegSs", DWORD), 
    ("ExtendedRegisters", BYTE * 512), 
] 

class FLOATING_SAVE_AREA(Structure): 
_fields_ = [ 

    ("ControlWord", DWORD), 
    ("StatusWord", DWORD), 
    ("TagWord", DWORD), 
    ("ErrorOffset", DWORD), 
    ("ErrorSelector", DWORD), 
    ("DataOffset", DWORD), 
    ("DataSelector", DWORD), 
    ("RegisterArea", BYTE * 80), 
    ("Cr0NpxState", DWORD), 
]

我已经做了谷歌搜索在这个问题上有相当数量,并曾尝试以下无济于事:

  • 根据对MSDN发表评论:CONTEXT_FULL应该是 CONTEXT_AMD64 | CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_FLOATING_POINT可以正确使用Win64。

  • 我已经尝试通过用 'R' 的寄存器名称替换 'E' 重命名寄存器我的上下文和WOW_64CONTEXT内部 结构(EAX - > RAX等)

是否有其他人使用Python与ctypes成功获取Windows上的64位线程的上下文?

来源

2013-07-06 bl4ckmes4

+0

@cghlke是的,我只是试过这个无济于事。我仍然看到0x57错误代码。 – bl4ckmes4

+0

http://go4answers.webhost4life.com/Example/visual-studio-2010-101539.aspx:一个谷歌结果(0x57 = 87),表明这不太可能与Python相关 –

+0

我同意。有谁知道如何解决这个问题,或者如果上面贴出的代码是错误/不完整的? – bl4ckmes4

回答

4

你的主要问题是,WOW64实际上是32位的上下文,而不是64位。您需要实现一个64位的结构,与此类似:

class CONTEXT64(Structure): 
_pack_ = 16 
_fields_ = [ 
    ("P1Home", DWORD64), 
    ("P2Home", DWORD64), 
    ("P3Home", DWORD64), 
    ("P4Home", DWORD64), 
    ("P5Home", DWORD64), 
    ("P6Home", DWORD64), 

    ("ContextFlags", DWORD), 
    ("MxCsr", DWORD), 

    ("SegCs", WORD), 
    ("SegDs", WORD), 
    ("SegEs", WORD), 
    ("SegFs", WORD), 
    ("SegGs", WORD), 
    ("SegSs", WORD), 
    ("EFlags", DWORD), 

    ("Dr0", DWORD64), 
    ("Dr1", DWORD64), 
    ("Dr2", DWORD64), 
    ("Dr3", DWORD64), 
    ("Dr6", DWORD64), 
    ("Dr7", DWORD64), 

    ("Rax", DWORD64), 
    ("Rcx", DWORD64), 
    ("Rdx", DWORD64), 
    ("Rbx", DWORD64), 
    ("Rsp", DWORD64), 
    ("Rbp", DWORD64), 
    ("Rsi", DWORD64), 
    ("Rdi", DWORD64), 
    ("R8", DWORD64), 
    ("R9", DWORD64), 
    ("R10", DWORD64), 
    ("R11", DWORD64), 
    ("R12", DWORD64), 
    ("R13", DWORD64), 
    ("R14", DWORD64), 
    ("R15", DWORD64), 
    ("Rip", DWORD64), 

    ("DebugControl", DWORD64), 
    ("LastBranchToRip", DWORD64), 
    ("LastBranchFromRip", DWORD64), 
    ("LastExceptionToRip", DWORD64), 
    ("LastExceptionFromRip", DWORD64), 

    ("DUMMYUNIONNAME", DUMMYUNIONNAME), 

    ("VectorRegister", M128A * 26), 
    ("VectorControl", DWORD64) 
]

注:这个定义是位于WINNT.H - 如果你有VC++安装,它会在/包括在那里的安装目录。

一旦谁建立了这个结构,你就可以用它来代替你已经构建的CONTEXT/WOW64语境。您还必须明确地将寄存器更改为RAX等。

(注意:还有其他4件事情您也必须在Python ctypes中实现:DWORD64,M128A,DUMMYUNIONNAME,DUMMYSTRUCTNAME和XMM_SAVE_AREA32。为简洁起见,我已经排除它们,但你可以找到在以下位置及其定义自己构建它们:

DWORD64:仅仅是一个c_ulonglong

DUMMYUNIONNAME,DUMMYSTRUCTNAME:在WINNT.H在_CONTEXT结构

M128A:http://winappdbg.sourceforge.net/doc/v1.3/winappdbg.win32.defines.M128A-class.html

XMM_SAVE_AREA32:http://winappdbg.sourceforge.net/doc/v1.3/winappdbg.win32.context_amd64.XMM_SAVE_AREA32-class.html

来源

2013-09-04 19:25:00 Justin

+0

您还需要检查您的目标进程是32位还是64位。如果你是一个64位的进程,你的目标是32位,那么使用Wow64GetThreadContext并传入一个WOW64_CONTEXT。如果你是一个64位的进程,你的目标是64位,那么使用GetThreadContext并通过一个64位的CONTEXT(如上)。如果你是一个32位的进程,你的目标是32位,那么使用GetThreadContext并传入一个32位的CONTEXT(与WOW64_CONTEXT相同)。如果你是一个32位的进程,你的目标是64位,我认为你运气不好。 – Sam

1

我也有这个问题,我现在有这方面的工作,我想这是从灰帽蟒蛇的书,经过多次使用Google就显得Wow64GetThreadContext用于上检索32个线程上下文64位系统中,我使用的原始GetThreadContext功能,但我通过它一个Wow64Context结构定义如下:

class M128A(Structure): 
    _fields_ = [ 
      ("Low", DWORD64), 
      ("High", DWORD64) 
      ] 

class XMM_SAVE_AREA32(Structure): 
    _pack_ = 1 
    _fields_ = [ 
       ('ControlWord', WORD), 
       ('StatusWord', WORD), 
       ('TagWord', BYTE), 
       ('Reserved1', BYTE), 
       ('ErrorOpcode', WORD), 
       ('ErrorOffset', DWORD), 
       ('ErrorSelector', WORD), 
       ('Reserved2', WORD), 
       ('DataOffset', DWORD), 
       ('DataSelector', WORD), 
       ('Reserved3', WORD), 
       ('MxCsr', DWORD), 
       ('MxCsr_Mask', DWORD), 
       ('FloatRegisters', M128A * 8), 
       ('XmmRegisters', M128A * 16), 
       ('Reserved4', BYTE * 96) 
       ] 

class DUMMYSTRUCTNAME(Structure): 
    _fields_=[ 
       ("Header", M128A * 2), 
       ("Legacy", M128A * 8), 
       ("Xmm0", M128A), 
       ("Xmm1", M128A), 
       ("Xmm2", M128A), 
       ("Xmm3", M128A), 
       ("Xmm4", M128A), 
       ("Xmm5", M128A), 
       ("Xmm6", M128A), 
       ("Xmm7", M128A), 
       ("Xmm8", M128A), 
       ("Xmm9", M128A), 
       ("Xmm10", M128A), 
       ("Xmm11", M128A), 
       ("Xmm12", M128A), 
       ("Xmm13", M128A), 
       ("Xmm14", M128A), 
       ("Xmm15", M128A) 
       ] 


class DUMMYUNIONNAME(Union): 
    _fields_=[ 
       ("FltSave", XMM_SAVE_AREA32), 
       ("DummyStruct", DUMMYSTRUCTNAME) 
       ] 

class CONTEXT64(Structure): 
    _pack_ = 16 
    _fields_ = [ 
       ("P1Home", DWORD64), 
       ("P2Home", DWORD64), 
       ("P3Home", DWORD64), 
       ("P4Home", DWORD64), 
       ("P5Home", DWORD64), 
       ("P6Home", DWORD64), 
       ("ContextFlags", DWORD), 
       ("MxCsr", DWORD), 
       ("SegCs", WORD), 
       ("SegDs", WORD), 
       ("SegEs", WORD), 
       ("SegFs", WORD), 
       ("SegGs", WORD), 
       ("SegSs", WORD), 
       ("EFlags", DWORD), 
       ("Dr0", DWORD64), 
       ("Dr1", DWORD64), 
       ("Dr2", DWORD64), 
       ("Dr3", DWORD64), 
       ("Dr6", DWORD64), 
       ("Dr7", DWORD64), 
       ("Rax", DWORD64), 
       ("Rcx", DWORD64), 
       ("Rdx", DWORD64), 
       ("Rbx", DWORD64), 
       ("Rsp", DWORD64), 
       ("Rbp", DWORD64), 
       ("Rsi", DWORD64), 
       ("Rdi", DWORD64), 
       ("R8", DWORD64), 
       ("R9", DWORD64), 
       ("R10", DWORD64), 
       ("R11", DWORD64), 
       ("R12", DWORD64), 
       ("R13", DWORD64), 
       ("R14", DWORD64), 
       ("R15", DWORD64), 
       ("Rip", DWORD64), 
       ("DebugControl", DWORD64), 
       ("LastBranchToRip", DWORD64), 
       ("LastBranchFromRip", DWORD64), 
       ("LastExceptionToRip", DWORD64), 
       ("LastExceptionFromRip", DWORD64), 
       ("DUMMYUNIONNAME", DUMMYUNIONNAME), 
       ("VectorRegister", M128A * 26), 
       ("VectorControl", DWORD64) 
]
当然

我还没有检查是否在寄存器返回的值是正确的,或只是垃圾,但值的存在,而不是0x00000000或错误0x57的事实是令人放心的。

访问寄存器仍然通过thread_context.Rip等进行,而不是EIP

来源

2013-09-15 16:10:09 ali2992

+0

DWORD64 = c_uint64 – 2014-02-12 11:53:24

+0

请注意,这不是WOW64上下文,而是64位上下文。 WOW64上下文用于从64位应用程序访问32位进程的线程上下文。 – Sam

0

检查您ContextFlags中常量的值。我从python模块win32con得到的值忽略了依赖于架构的位。这是从我的WINNT.H提取物(从Windows SDK Server2003SP1):

#define CONTEXT_AMD64 0x100000 

// end_wx86 

#define CONTEXT_CONTROL (CONTEXT_AMD64 | 0x1L) 
#define CONTEXT_INTEGER (CONTEXT_AMD64 | 0x2L) 
#define CONTEXT_SEGMENTS (CONTEXT_AMD64 | 0x4L) 
#define CONTEXT_FLOATING_POINT (CONTEXT_AMD64 | 0x8L) 
#define CONTEXT_DEBUG_REGISTERS (CONTEXT_AMD64 | 0x10L) 

#define CONTEXT_FULL (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_FLOATING_POINT) 

#define CONTEXT_ALL (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS) 

[...] 

#define CONTEXT_i386 0x00010000 // this assumes that i386 and 
#define CONTEXT_i486 0x00010000 // i486 have identical context records 

// end_wx86 

#define CONTEXT_CONTROL   (CONTEXT_i386 | 0x00000001L) // SS:SP, CS:IP, FLAGS, BP 
#define CONTEXT_INTEGER   (CONTEXT_i386 | 0x00000002L) // AX, BX, CX, DX, SI, DI 
#define CONTEXT_SEGMENTS  (CONTEXT_i386 | 0x00000004L) // DS, ES, FS, GS 
#define CONTEXT_FLOATING_POINT (CONTEXT_i386 | 0x00000008L) // 387 state 
#define CONTEXT_DEBUG_REGISTERS (CONTEXT_i386 | 0x00000010L) // DB 0-3,6,7 
#define CONTEXT_EXTENDED_REGISTERS (CONTEXT_i386 | 0x00000020L) // cpu specific extensions 

#define CONTEXT_FULL (CONTEXT_CONTROL | CONTEXT_INTEGER |\ 
         CONTEXT_SEGMENTS) 

#define CONTEXT_ALL (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS)

如果它不为你工作,检查WINNT.H为您的Windows版本。

来源

2013-09-22 12:35:16 user2804197

相关问题

 相关问题