本人第一次写博客,写的不好见谅。
我的my_debugger.py中:
2.将debugger()中attach的定义添加一句:
最近在做PythonGreyHat中的实验,发现第三章的debugger.attach()一直不成功,返回信息一直为
[*]unable to attach to the process.
[*]ErrorCode:0x0000005
ErrorCode 是 kernel32.GetLastError() 返回的,5 即 ERROR_ACCESS_DENIED(拒绝访问):调试器自己的令牌里没有启用 SeDebugPrivilege,因此以 PROCESS_ALL_ACCESS 打开并调试目标进程被系统拒绝(通常目标属于其他用户、更高完整性级别或系统)。
解决方法是给当前进程令牌启用 SeDebugPrivilege。我在 my_debugger.py 中定义了提权方法:enableDebugPrivilege()。注意:AdjustTokenPrivileges 只能启用令牌里本来就有(但默认被禁用)的特权,也就是说 Python 必须以管理员身份(UAC 提升后)运行;在普通用户令牌下它仍然返回"成功",但 GetLastError() 会是 ERROR_NOT_ALL_ASSIGNED(1300),附加照样失败,所以代码里要检查这一点。
我的my_debugger_defines.py:
from ctypes import *
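# Basic Win32 typedefs.  DWORD/LONG are fixed 32-bit on Windows (c_ulong is
# 4 bytes there).  UINT_PTR and SIZE_T are pointer-sized, so they must follow
# the interpreter's bitness: the original c_ulong is only 4 bytes on a 64-bit
# Python, which mis-sizes every struct embedding them (EXCEPTION_RECORD below).
BYTE = c_ubyte
WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)  # ANSI string pointer for the A-suffixed APIs
HANDLE = c_void_p
PVOID = c_void_p
LPVOID = c_void_p
UINT_PTR = c_size_t  # pointer-sized (4 bytes on 32-bit, 8 on 64-bit)
SIZE_T = c_size_t    # pointer-sized
LONG = c_long

# CreateProcess creation flags
DEBUG_PROCESS = 0x01
CREATE_NEW_CONSOLE = 0x010

# Process access rights / wait constants
PROCESS_ALL_ACCESS = 0x001f0fff
INFINITE = 0xFFFFFFFF

# ContinueDebugEvent status
DBG_CONTINUE = 0x00010002

# DEBUG_EVENT.dwDebugEventCode values
EXCEPTION_DEBUG_EVENT = 0x1
CREATE_THREAD_DEBUG_EVENT = 0x2
CREATE_PROCESS_DEBUG_EVENT = 0x3
EXIT_THREAD_DEBUG_EVENT = 0x4
EXIT_PROCESS_DEBUG_EVENT = 0x5
LOAD_DLL_DEBUG_EVENT = 0x6
UNLOAD_DLL_DEBUG_EVENT = 0x7
OUTPUT_DEBUG_STRING_EVENT = 0x8
RIP_EVENT = 0x9

# EXCEPTION_RECORD.ExceptionCode values the debugger handles
EXCEPTION_ACCESS_VIOLATION = 0xC0000005
EXCEPTION_BREAKPOINT = 0x80000003
EXCEPTION_GUARD_PAGE = 0x80000001
EXCEPTION_SINGLE_STEP = 0x80000004

# CreateToolhelp32Snapshot flags
TH32CS_SNAPHEAPLIST = 0x00000001
TH32CS_SNAPPROCESS = 0x00000002
TH32CS_SNAPTHREAD = 0x00000004
TH32CS_SNAPMODULE = 0x00000008
TH32CS_INHERIT = 0x80000000
TH32CS_SNAPALL = (TH32CS_SNAPHEAPLIST | TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD | TH32CS_SNAPMODULE)

# Thread access rights
THREAD_ALL_ACCESS = 0x001F03FF

# CONTEXT.ContextFlags (x86 values)
CONTEXT_FULL = 0x00010007
CONTEXT_DEBUG_REGISTERS = 0x00010010

# Hardware-breakpoint condition bits written into DR7 (RW field)
HW_ACCESS = 0x00000003
HW_EXECUTE = 0x00000000
HW_WRITE = 0x00000001

# Memory protection constants (VirtualProtectEx / VirtualQueryEx);
# the duplicate PAGE_EXECUTE_READWRITE assignment was dropped, value unchanged.
PAGE_NOACCESS = 0x00000001
PAGE_READONLY = 0x00000002
PAGE_READWRITE = 0x00000004
PAGE_WRITECOPY = 0x00000008
PAGE_EXECUTE = 0x00000010
PAGE_EXECUTE_READ = 0x00000020
PAGE_EXECUTE_READWRITE = 0x00000040
PAGE_EXECUTE_WRITECOPY = 0x00000080
PAGE_GUARD = 0x00000100
PAGE_NOCACHE = 0x00000200
PAGE_WRITECOMBINE = 0x00000400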
class EXCEPTION_RECORD(Structure):
    """Win32 EXCEPTION_RECORD.

    Declared with an empty body on purpose: the ExceptionRecord member is a
    pointer back to this very type, so the field list can only be attached
    once the class object exists.
    """


EXCEPTION_RECORD._fields_ = [
    ("ExceptionCode", DWORD),                         # e.g. EXCEPTION_BREAKPOINT
    ("ExceptionFlags", DWORD),
    ("ExceptionRecord", POINTER(EXCEPTION_RECORD)),   # chained record, may be NULL
    ("ExceptionAddress", PVOID),                      # faulting instruction
    ("NumberParameters", DWORD),                      # how many entries below are valid
    ("ExceptionInformation", 15 * UINT_PTR),          # EXCEPTION_MAXIMUM_PARAMETERS
]
class _EXCEPTION_RECORD(Structure):
    """Second copy of the EXCEPTION_RECORD layout.

    Unlike EXCEPTION_RECORD its nested pointer refers to EXCEPTION_RECORD
    rather than to itself; nothing on this page references it.
    """

    _fields_ = [
        ("ExceptionCode", DWORD),
        ("ExceptionFlags", DWORD),
        ("ExceptionRecord", POINTER(EXCEPTION_RECORD)),
        ("ExceptionAddress", PVOID),
        ("NumberParameters", DWORD),
        ("ExceptionInformation", 15 * UINT_PTR),
    ]
# Exceptions
class EXCEPTION_DEBUG_INFO(Structure):
    """Payload of an EXCEPTION_DEBUG_EVENT.

    dwFirstChance is non-zero the first time the exception is reported, i.e.
    before the debuggee's own handlers have had a chance to run it.
    """

    _fields_ = [("ExceptionRecord", EXCEPTION_RECORD), ("dwFirstChance", DWORD)]
# it populates this union appropriately
class DEBUG_EVENT_UNION(Union):
    """The `u` member of DEBUG_EVENT; the kernel fills in the member that
    matches dwDebugEventCode.

    Only the Exception member is declared here.  The other members of the
    real union (CreateThread, CreateProcessInfo, ExitThread, ExitProcess,
    LoadDll, UnloadDll, DebugString, RipInfo) need *_DEBUG_INFO structures
    that this file does not define, so events other than exceptions cannot
    be decoded through this type.  On 32-bit Windows the Exception member
    should be the largest one, so sizeof(DEBUG_EVENT) is still expected to
    match the native structure — verify before relying on it.
    """

    _fields_ = [("Exception", EXCEPTION_DEBUG_INFO)]
# DEBUG_EVENT describes a debugging event
# that the debugger has trapped
class DEBUG_EVENT(Structure):
    """Structure WaitForDebugEvent writes for each event the debugger traps.

    dwDebugEventCode selects which member of `u` is valid; dwProcessId /
    dwThreadId identify the debuggee thread that raised it.  NOTE(review):
    a second, shorter `class DEBUG_EVENT` appears later on this page and
    shadows this one — make sure only one definition survives.
    """

    _fields_ = [
        ("dwDebugEventCode", DWORD),
        ("dwProcessId", DWORD),
        ("dwThreadId", DWORD),
        ("u", DEBUG_EVENT_UNION),
    ]
class STARTUPINFO(Structure):
    """STARTUPINFOA as consumed by CreateProcessA (ANSI string pointers).

    Callers set cb = sizeof(STARTUPINFO) before passing it in; the remaining
    members are zero-initialised by ctypes and can be left alone.
    """

    _fields_ = (
        [("cb", DWORD)]
        + [(name, LPTSTR) for name in ("lpReserved", "lpDesktop", "lpTitle")]
        + [(name, DWORD) for name in ("dwX", "dwY", "dwXSize", "dwYSize",
                                      "dwXCountChars", "dwYCountChars",
                                      "dwFillAttribute", "dwFlags")]
        + [("wShowWindow", WORD), ("cbReserved2", WORD), ("lpReserved2", LPBYTE)]
        + [(name, HANDLE) for name in ("hStdInput", "hStdOutput", "hStdError")]
    )
class PROCESS_INFORMATION(Structure):
    """Output of CreateProcess: handles and ids of the new process/thread.

    Both handles are owned by the caller and must eventually be closed with
    CloseHandle.
    """

    _fields_ = [
        ("hProcess", HANDLE), ("hThread", HANDLE),
        ("dwProcessId", DWORD), ("dwThreadId", DWORD),
    ]
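class DEBUG_EVENT(Structure):
    """Structure WaitForDebugEvent writes for each trapped debug event.

    This definition shadows the DEBUG_EVENT declared earlier in the file, so
    it must carry the same layout.  The original copy omitted the `u` union:
    that left a 12-byte object while the native structure is larger (12 bytes
    of header plus the union; 96 bytes on 32-bit Windows), so WaitForDebugEvent
    would write past the end of the ctypes buffer and corrupt memory.  The
    `u` member is restored here; the proper cleanup is to delete one of the
    two copies.
    """

    _fields_ = [
        ("dwDebugEventCode", DWORD),
        ("dwProcessId", DWORD),
        ("dwThreadId", DWORD),
        ("u", DEBUG_EVENT_UNION),
    ]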
class FLOATING_SAVE_AREA(Structure):
_fields_=[
("ControlWord", c_ulong),
("StatusWord", c_ulong),
("TagWord", c_ulong),
("ErrorOffset", c_ulong),
("ErrorSelector", c_ulong),
("DataOffset", c_ulong),
("DataSelector", c_ulong),
("RegisterArea", 80*c_ubyte),
("Cr0NpxState", c_ulong),
]
class CONTEXT(Structure):
    """Thread register context for GetThreadContext / SetThreadContext.

    This is the 32-bit x86 layout (Eax..Esp, Dr0..Dr7 as DWORDs); it is not
    usable against a 64-bit debuggee, which needs the x64 CONTEXT instead.
    ContextFlags must be set (CONTEXT_FULL, CONTEXT_DEBUG_REGISTERS, ...)
    before the call to tell the kernel which groups to fill or apply.
    """

    _fields_ = (
        [("ContextFlags", DWORD)]
        # Debug registers: DR4/DR5 are aliases and not part of the context.
        + [("Dr%d" % i, DWORD) for i in (0, 1, 2, 3, 6, 7)]
        + [("FloatSave", FLOATING_SAVE_AREA)]
        # Segment and general-purpose registers, in the order the kernel expects.
        + [(name, DWORD) for name in ("SegGs", "SegFs", "SegEs", "SegDs",
                                      "Edi", "Esi", "Ebx", "Edx", "Ecx", "Eax",
                                      "Ebp", "Eip", "SegCs", "EFlags", "Esp", "SegSs")]
        + [("ExtendedRegisters", BYTE * 512)]
    )
class LUID(Structure):
    """Locally unique identifier; LookupPrivilegeValue fills one in per
    privilege name."""

    _fields_ = [("LowPart", DWORD), ("HighPart", LONG)]
class LUID_AND_ATTRIBUTES(Structure):
    """One privilege entry: its LUID plus attribute bits
    (SE_PRIVILEGE_ENABLED = 0x02 is what enableDebugPrivilege writes)."""

    _fields_ = [("Luid", LUID), ("Attributes", DWORD)]
class TOKEN_PRIVILEGES(Structure):
    """Argument to AdjustTokenPrivileges.

    Declared with room for exactly one privilege (the Win32 ANYSIZE_ARRAY
    idiom); PrivilegeCount must be set to 1 to match.
    """

    _fields_ = [("PrivilegeCount", DWORD), ("Privileges", LUID_AND_ATTRIBUTES * 1)]
我的my_debugger.py中:
1.class debugger()增加的内容:
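def enableDebugPrivilege(self):
    """Enable SeDebugPrivilege in the current process token.

    Returns True only when the privilege is actually enabled, False (after
    printing the Win32 error) otherwise.  AdjustTokenPrivileges can only
    enable a privilege the token already holds, i.e. this works for an
    elevated administrator process.  For a plain user token the call still
    returns TRUE but sets ERROR_NOT_ALL_ASSIGNED; the original code ignored
    that and reported success, so attach() went on to fail with access
    denied anyway.  The token handle is now closed on every path.
    """
    TOKEN_ADJUST_PRIVILEGES = 0x20
    SE_PRIVILEGE_ENABLED = 0x02
    ERROR_NOT_ALL_ASSIGNED = 1300  # 0x514

    # use_last_error + get_last_error() capture the error code right after
    # the foreign call, before the interpreter can overwrite it.
    advapi32 = WinDLL("Advapi32.dll", use_last_error=True)

    h_token = HANDLE()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(),
                                     TOKEN_ADJUST_PRIVILEGES, byref(h_token)):
        print("[*]can't open process token.")
        print("[*]error code:0x%08x." % get_last_error())
        return False

    try:
        tp = TOKEN_PRIVILEGES()
        tp.PrivilegeCount = 1
        # bytes literal: the A-suffixed API takes char*; on Python 3 a str
        # would be marshalled as wchar_t* and the lookup would fail.
        # None (not 0) is passed for NULL so the pointer is full-width on x64.
        if not advapi32.LookupPrivilegeValueA(None, b"SeDebugPrivilege",
                                              byref(tp.Privileges[0].Luid)):
            print("[*]can't lookup privilege value.")
            print("[*]errorcode:0x%08x." % get_last_error())
            return False

        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED
        if not advapi32.AdjustTokenPrivileges(h_token, 0, byref(tp), sizeof(tp),
                                              None, None):
            print("[*]can't adjust privilege value.")
            print("[*]errorcode:0x%08x." % get_last_error())
            return False

        # Success return does not mean the privilege was enabled: a token that
        # never held SeDebugPrivilege yields ERROR_NOT_ALL_ASSIGNED here.
        if get_last_error() == ERROR_NOT_ALL_ASSIGNED:
            print("[*]SeDebugPrivilege not held by this token; run as administrator.")
            return False
        return True
    finally:
        kernel32.CloseHandle(h_token)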
2.将debugger()中attach的定义添加一句:
def attach(self,pid):
    # Enable SeDebugPrivilege before touching the target; without it
    # open_process / DebugActiveProcess fail with ERROR_ACCESS_DENIED (5).
    # Abort the attach entirely if the privilege could not be enabled.
    if not self.enableDebugPrivilege():
        return False
    # Only the first line of the book's attach() body is reproduced on this
    # page; the DebugActiveProcess call and the rest follow in the original.
    self.h_process=self.open_process(pid)
本人较粗心,上述代码可能有错误,所以请纠正。希望能帮到你。