debuggee python

my_debugger_defines.py

#encoding:utf-8

from ctypes import *
from sys import version as py_ver

# In python 2.7.6, LPBYTE is not defined in ctypes.wintypes
if py_ver.startswith('2'):
    LPBYTE = POINTER(c_byte)
    
# 为ctypes创建匿名
WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_byte)
HANDLE = c_void_p

# 常量定义
DEBUG_PROCESS = 0x00000001
CREATE_NEW_CONSOLE = 0x00000010
DBG_EXCEPTION_NOT_HANDLED = 0x80010001

# 定义行数CreateProcessA()所需要的结构体
class STARTUPINFO(Structure):
    _fields_ = [
        ("cb",  DWORD),
        ("lpReserved",  LPTSTR),
        ("lpDesktop",   LPTSTR),
        ("lpTitle",     LPTSTR),
        ("dwX",         DWORD),
        ("dwY",         DWORD),
        ("dwXSize",     DWORD),
        ("dwYSize",     DWORD),
        ("dwXCountChars", DWORD),
        ("dwYCountChars", DWORD),
        ("dwFillAttribute", DWORD),
        ("dwFlags",     DWORD),
        ("wShowWindow", WORD),
        ("cbReserved2", WORD),
        ("lpReserved2", LPBYTE),
        ("hStdInput",   HANDLE),
        ("hStdOutput",  HANDLE),
        ("hStdError",   HANDLE),
    ]
    
class PROCESS_INFORMATION(Structure):
    _fields_ = [
        ("hProcess",    HANDLE),
        ("hThread",     HANDLE),
        ("dwProcessId", DWORD),
        ("dwThreadId",  DWORD),
    ]

my_debugger.py

#encoding:utf-8

from ctypes import *
from my_debugger_defines import *

kernel32 = windll.kernel32

class debugger():
    def __init__(self):
        pass
    
    def load(self, path_to_exe):
        
        # 参数dwCreationFlags中标志位控制着进程的创建方式
        # 若需要创建的进程独占一个新的控制台窗口，而不是与父进程公用同-
        # - 一个控制台可以加上标志位 CREATE_NEW_CONSOLE
        creation_flags = DEBUG_PROCESS
        
        #实例化之前的结构体
        startupinfo = STARTUPINFO()
        process_information = PROCESS_INFORMATION()
        
        # 在以下两位成员变量的共同作用下，新建的进程将单独的窗体中被显示
        # 可以通过结构体 STARTUPINFO 中各个成员变量的值来控制debugee的进程行为
        startupinfo.dwFlags = 0x1
        startupinfo.wShowWindow = 0x0
        
        # 设置结构体 STARTUPINFO的值
        # cb的值，表示结构体本身的大小
        startupinfo.cb = sizeof(startupinfo)
        #print(startupinfo.cb)
        ## On 64-bit windows, sizeof(STARTUPINFO) == 104.
        ## On 32-bit windows, sizeof(STARTUPINFO) == 68.
        #print(STARTUPINFO.cb.offset)
        #print(STARTUPINFO.lpReserved.offset)
        #print(STARTUPINFO.lpDesktop.offset)
        #print(STARTUPINFO.lpTitle.offset)
        #print(STARTUPINFO.dwX.offset)
        #print(STARTUPINFO.dwY.offset)
        #print(STARTUPINFO.dwXSize.offset)
        #print(STARTUPINFO.dwYSize.offset)
        #print(STARTUPINFO.dwXCountChars.offset)
        #print(STARTUPINFO.dwYCountChars.offset)
        #print(STARTUPINFO.dwFillAttribute.offset)
        #print(STARTUPINFO.dwFlags.offset)
        #print(STARTUPINFO.wShowWindow.offset)
        #print(STARTUPINFO.cbReserved2.offset)
        #print(STARTUPINFO.lpReserved2.offset)
        #print(STARTUPINFO.hStdInput.offset)
        #print(STARTUPINFO.hStdOutput.offset)
        #print(STARTUPINFO.hStdError.offset)
        if kernel32.CreateProcessW(c_wchar_p(path_to_exe),
                                   c_wchar_p(0),
                                   0,
                                   0,
                                   0,
                                   creation_flags,
                                   0,
                                   0,
                                   byref(startupinfo),
                                   byref(process_information)):
            print ("[*] we have successfully launched the process!")
            print ("[PID] :%d " %process_information.dwProcessId)
        
        else:
            print("[*] Error:0x%08x. " %kernel32.GetLastError())
        

my_test.py

#!encoding:utf-8

import my_debugger

debugger = my_debugger.debugger()
debugger.load("C:\\Windows\\system32\\calc.exe")    

 

 

参考：Python灰帽子-黑客与逆向工程师的Python编程之道