ctypes-users Mailing List for ctypes (Page 4)
Brought to you by:
theller
Menu
▾
▴
ctypes-users — Discussion forum for ctypes users
You can subscribe to this list here.
| 2003 |
Jan
(3) |
Feb
(97) |
Mar
(38) |
Apr
(50) |
May
(68) |
Jun
(67) |
Jul
(184) |
Aug
(58) |
Sep
(30) |
Oct
(40) |
Nov
(41) |
Dec
(53) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2004 |
Jan
(81) |
Feb
(48) |
Mar
(35) |
Apr
(85) |
May
(47) |
Jun
(56) |
Jul
(60) |
Aug
(103) |
Sep
(46) |
Oct
(39) |
Nov
(19) |
Dec
(50) |
| 2005 |
Jan
(36) |
Feb
(65) |
Mar
(119) |
Apr
(132) |
May
(93) |
Jun
(71) |
Jul
(42) |
Aug
(69) |
Sep
(41) |
Oct
(61) |
Nov
(31) |
Dec
(42) |
| 2006 |
Jan
(59) |
Feb
(112) |
Mar
(60) |
Apr
(64) |
May
(116) |
Jun
(128) |
Jul
(68) |
Aug
(92) |
Sep
(58) |
Oct
(91) |
Nov
(73) |
Dec
(52) |
| 2007 |
Jan
(37) |
Feb
(59) |
Mar
(26) |
Apr
(30) |
May
(37) |
Jun
(25) |
Jul
(20) |
Aug
(54) |
Sep
(68) |
Oct
(16) |
Nov
(34) |
Dec
(34) |
| 2008 |
Jan
(72) |
Feb
(40) |
Mar
(25) |
Apr
(54) |
May
(61) |
Jun
(22) |
Jul
(41) |
Aug
(26) |
Sep
(26) |
Oct
(66) |
Nov
(42) |
Dec
(58) |
| 2009 |
Jan
(100) |
Feb
(48) |
Mar
(20) |
Apr
(13) |
May
(10) |
Jun
(33) |
Jul
(9) |
Aug
|
Sep
(17) |
Oct
(9) |
Nov
(4) |
Dec
(64) |
| 2010 |
Jan
(18) |
Feb
(8) |
Mar
(37) |
Apr
(14) |
May
(9) |
Jun
(21) |
Jul
(1) |
Aug
(18) |
Sep
(12) |
Oct
(8) |
Nov
(4) |
Dec
(4) |
| 2011 |
Jan
(31) |
Feb
(3) |
Mar
(6) |
Apr
(1) |
May
(10) |
Jun
(9) |
Jul
(16) |
Aug
(5) |
Sep
(1) |
Oct
(5) |
Nov
(1) |
Dec
(11) |
| 2012 |
Jan
(4) |
Feb
(8) |
Mar
(14) |
Apr
(1) |
May
(2) |
Jun
(1) |
Jul
|
Aug
(10) |
Sep
(5) |
Oct
|
Nov
(4) |
Dec
(2) |
| 2013 |
Jan
(2) |
Feb
|
Mar
(1) |
Apr
|
May
(4) |
Jun
|
Jul
(3) |
Aug
(5) |
Sep
(12) |
Oct
|
Nov
|
Dec
(3) |
| 2014 |
Jan
|
Feb
|
Mar
|
Apr
(4) |
May
|
Jun
(4) |
Jul
|
Aug
|
Sep
(5) |
Oct
|
Nov
|
Dec
(2) |
| 2015 |
Jan
|
Feb
|
Mar
(5) |
Apr
|
May
|
Jun
|
Jul
|
Aug
(3) |
Sep
|
Oct
(7) |
Nov
|
Dec
(2) |
| 2016 |
Jan
(3) |
Feb
(6) |
Mar
(3) |
Apr
|
May
|
Jun
(9) |
Jul
(2) |
Aug
(2) |
Sep
|
Oct
|
Nov
(28) |
Dec
(31) |
| 2017 |
Jan
|
Feb
|
Mar
|
Apr
(10) |
May
(28) |
Jun
(2) |
Jul
(3) |
Aug
(2) |
Sep
(4) |
Oct
(31) |
Nov
(2) |
Dec
|
| 2018 |
Jan
|
Feb
(1) |
Mar
(1) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Michael C <mys...@gm...> - 2017-04-29 00:33:00
|
Hi all: I have my own code that samples pixel colour, https://pastebin.com/4EMd765h and now I am trying to add the feature of saving the Device Context to a .bmp file, so I found this code https://books.google.ca/books?id=9MS9BQAAQBAJ however there is one problem: The book example screenshots the whole desktop and I only want a screenshot of a given window. Is there a way to modify the black hat example into something that only screenshot a window given its handle? namely, these 4 lines. width = win32api.GetSystemMetrics(win32con.SM_CXVIRTUALSCREEN) height = win32api.GetSystemMetrics(win32con.SM_CYVIRTUALSCREEN) left = win32api.GetSystemMetrics(win32con.SM_XVIRTUALSCREEN) top = win32api.GetSystemMetrics(win32con.SM_YVIRTUALSCREEN) Thanks! On Fri, Apr 28, 2017 at 5:28 PM, Michael C <mys...@gm...> wrote: > Hi all: > > I have my own code that samples pixel colour, > https://pastebin.com/4EMd765h > > and now I am trying to add the feature of saving the Device Context to a > .bmp file, so I found this code > > https://books.google.ca/books?id=9MS9BQAAQBAJ > > however there is one problem: The book example screenshots the whole > desktop and I only want a screenshot of a given window. Is there a way to > modify the black hat example into something that only screenshot a window > given its handle? > > Thanks! > > > > On Sat, Apr 22, 2017 at 2:29 PM, Michael C <mys...@gm... > > wrote: > >> neat-o >> >> >> On Sat, Apr 22, 2017 at 2:27 PM, eryk sun <er...@gm...> wrote: >> >>> On Sat, Apr 22, 2017 at 7:15 PM, Michael C >>> <mys...@gm...> wrote: >>> > Never mind, I found this >>> > https://books.google.ca/books?id=9MS9BQAAQBAJ >>> >>> Thankfully a lot of the Windows code in Black Hat Python uses PyWin32. >>> The few ctypes examples aren't top notch. For example, the author >>> calls >>> >>> user32.GetWindowThreadProcessId(hwnd, byref(pid)) >>> >>> without setting the prototype of GetWindowThreadProcessId. In 64-bit >>> Python 2, the value of the hwnd argument may get corrupted if the >>> prototype isn't defined. It's only by luck of the draw that it usually >>> works. >>> >>> Some WinAPI pseudohandles are non-zero in the upper DWORD, such as >>> HWND_TOPMOST, which is defined as (HWND)(-1), i.e. 0xFFFFFFFFFFFFFFFF >>> on a 64-bit system. This has the same problem in Python 2 if you >>> forget to set the prototype or manually wrap the value in a pointer >>> type. Python 3 ctypes doesn't have this problem, since it sign extends >>> a negative argument as an intptr_t. >>> >>> Here's another problem in the book's example code. The default restype >>> is a signed c_int, and here the author is calling GetTickCount without >>> first setting GetTickCount.restype = ctypes.c_uint: >>> >>> run_time = kernel32.GetTickCount() >>> elapsed = run_time - struct_lastinputinfo.dwTime >>> >>> After 24.86 days system uptime, the tick count reaches 0x80000000 >>> (milliseconds), and the signed return value wraps around to >>> -2147483648 <(214)%20748-3648>, incrementing toward 0. The value of >>> `elapsed` will be >>> nonsense. >>> >> >> > |
|
From: Michael C <mys...@gm...> - 2017-04-29 00:32:01
|
Hi all: I have my own code that samples pixel colour, https://pastebin.com/4EMd765h and now I am trying to add the feature of saving the Device Context to a .bmp file, so I found this code https://books.google.ca/books?id=9MS9BQAAQBAJ however there is one problem: The book example screenshots the whole desktop and I only want a screenshot of a given window. Is there a way to modify the black hat example into something that only screenshot a window given its handle? Thanks! On Sat, Apr 22, 2017 at 12:15 PM, Michael C <mys...@gm...> wrote: > Never mind, I found this > https://books.google.ca/books?id=9MS9BQAAQBAJ&pg=PA116&lpg= > PA116&dq=python+device+context+save&source=bl&ots=tYhl4K1K6J&sig= > zgzJmOFeOIZL2C5eGrZ-Oa_QRB4&hl=en&sa=X&ved=0ahUKEwijjIvX37jTAhVQ42MKHVIFC > HEQ6AEIOjAE#v=onepage&q=python%20device%20context%20save&f=false > > thanks all > > On Sat, Apr 22, 2017 at 11:52 AM, Michael C <mysecretrobotfactory@gmail. > com> wrote: > >> Quick Question: >> I am using this code, and I have tried to find answers with google, and I >> have read through MSDN. >> >> How do I save the DC into a png file or bmp? >> >> thanks! >> >> >> import time >> import ctypes >> ##from ctypes import * >> ## I don't like this. I like to import. >> >> time.sleep(2) >> >> # Set up the User32 and GDI32 >> User32 = ctypes.WinDLL('User32', use_last_error=True) >> GDI32 = ctypes.WinDLL('GDI32', use_last_error=True) >> >> # Set up Fx to be used. >> GetForegroundWindow = User32.GetForegroundWindow >> GetWindowDC = User32.GetWindowDC >> GetPixel = GDI32.GetPixel >> ReleaseDC = User32.ReleaseDC >> >> >> # main code >> foreground_window = GetForegroundWindow() >> dc = GetWindowDC(foreground_window) >> >> # set timer to see how fast it runs. >> t0 = time.clock() >> >> for i in range(50): >> rgb = GetPixel(dc, 10, 10) >> #print(rgb) >> r = rgb & 0xff >> g = (rgb >> 8) & 0xff >> b = (rgb >> 16) & 0xff >> ## print("RGB(%d, %d, %d)" % (r, g, b)) >> >> print(time.clock() - t0) >> ReleaseDC(foreground_window, dc) >> >> > |
|
From: eryk s. <er...@gm...> - 2017-04-22 21:28:26
|
On Sat, Apr 22, 2017 at 7:15 PM, Michael C <mys...@gm...> wrote: > Never mind, I found this > https://books.google.ca/books?id=9MS9BQAAQBAJ Thankfully a lot of the Windows code in Black Hat Python uses PyWin32. The few ctypes examples aren't top notch. For example, the author calls user32.GetWindowThreadProcessId(hwnd, byref(pid)) without setting the prototype of GetWindowThreadProcessId. In 64-bit Python 2, the value of the hwnd argument may get corrupted if the prototype isn't defined. It's only by luck of the draw that it usually works. Some WinAPI pseudohandles are non-zero in the upper DWORD, such as HWND_TOPMOST, which is defined as (HWND)(-1), i.e. 0xFFFFFFFFFFFFFFFF on a 64-bit system. This has the same problem in Python 2 if you forget to set the prototype or manually wrap the value in a pointer type. Python 3 ctypes doesn't have this problem, since it sign extends a negative argument as an intptr_t. Here's another problem in the book's example code. The default restype is a signed c_int, and here the author is calling GetTickCount without first setting GetTickCount.restype = ctypes.c_uint: run_time = kernel32.GetTickCount() elapsed = run_time - struct_lastinputinfo.dwTime After 24.86 days system uptime, the tick count reaches 0x80000000 (milliseconds), and the signed return value wraps around to -2147483648, incrementing toward 0. The value of `elapsed` will be nonsense. |
|
From: Michael C <mys...@gm...> - 2017-04-22 19:15:45
|
Never mind, I found this https://books.google.ca/books?id=9MS9BQAAQBAJ&pg=PA116&lpg=PA116&dq=python+device+context+save&source=bl&ots=tYhl4K1K6J&sig=zgzJmOFeOIZL2C5eGrZ-Oa_QRB4&hl=en&sa=X&ved=0ahUKEwijjIvX37jTAhVQ42MKHVIFCHEQ6AEIOjAE#v=onepage&q=python%20device%20context%20save&f=false thanks all On Sat, Apr 22, 2017 at 11:52 AM, Michael C <mys...@gm...> wrote: > Quick Question: > I am using this code, and I have tried to find answers with google, and I > have read through MSDN. > > How do I save the DC into a png file or bmp? > > thanks! > > > import time > import ctypes > ##from ctypes import * > ## I don't like this. I like to import. > > time.sleep(2) > > # Set up the User32 and GDI32 > User32 = ctypes.WinDLL('User32', use_last_error=True) > GDI32 = ctypes.WinDLL('GDI32', use_last_error=True) > > # Set up Fx to be used. > GetForegroundWindow = User32.GetForegroundWindow > GetWindowDC = User32.GetWindowDC > GetPixel = GDI32.GetPixel > ReleaseDC = User32.ReleaseDC > > > # main code > foreground_window = GetForegroundWindow() > dc = GetWindowDC(foreground_window) > > # set timer to see how fast it runs. > t0 = time.clock() > > for i in range(50): > rgb = GetPixel(dc, 10, 10) > #print(rgb) > r = rgb & 0xff > g = (rgb >> 8) & 0xff > b = (rgb >> 16) & 0xff > ## print("RGB(%d, %d, %d)" % (r, g, b)) > > print(time.clock() - t0) > ReleaseDC(foreground_window, dc) > > |
|
From: Michael C <mys...@gm...> - 2017-04-22 18:52:36
|
Quick Question:
I am using this code, and I have tried to find answers with google, and I
have read through MSDN.
How do I save the DC into a png file or bmp?
thanks!
import time
import ctypes
##from ctypes import *
## I don't like this. I like to import.
time.sleep(2)
# Set up the User32 and GDI32
User32 = ctypes.WinDLL('User32', use_last_error=True)
GDI32 = ctypes.WinDLL('GDI32', use_last_error=True)
# Set up Fx to be used.
GetForegroundWindow = User32.GetForegroundWindow
GetWindowDC = User32.GetWindowDC
GetPixel = GDI32.GetPixel
ReleaseDC = User32.ReleaseDC
# main code
foreground_window = GetForegroundWindow()
dc = GetWindowDC(foreground_window)
# set timer to see how fast it runs.
t0 = time.clock()
for i in range(50):
rgb = GetPixel(dc, 10, 10)
#print(rgb)
r = rgb & 0xff
g = (rgb >> 8) & 0xff
b = (rgb >> 16) & 0xff
## print("RGB(%d, %d, %d)" % (r, g, b))
print(time.clock() - t0)
ReleaseDC(foreground_window, dc)
|
|
From: eryk s. <er...@gm...> - 2017-04-22 18:30:59
|
On Sat, Apr 22, 2017 at 5:24 PM, Michael C <mys...@gm...> wrote: > Apparently all I have to do was to run the script I posted in Admin mode. > lolz. Yes, that's what I told you, but I also explained why that's the case, which is more important than fixing the immediate problem. |
|
From: eryk s. <er...@gm...> - 2017-04-22 03:36:06
|
On Fri, Apr 21, 2017 at 11:19 PM, Michael C
<mys...@gm...> wrote:
> Hi all,
>
> I am trying to move and resize a window of a video game, but the following
> code doesn't work for some reason. How it works is that it acquire the
> handle to the foreground window, and then move it to the specified location
> and size. Since it works on notepad, but not my game window, i used
> Kernel32.GetLastError() to find out what went wrong.
Since you've loaded the library with use_last_error=True, you should
use the more reliable function, ctypes.get_last_error() to get the
thread's last WinAPI error. But probably in this case GetLastError()
has returned the right error value.
In a reply you mentioned you're getting the error code
ERROR_ACCESS_DENIED (5). This is to be expected when the target window
is at a higher integrity level. With UAC enabled, standard users and
administrators are logged on with a medium integrity-level access
token. You'll have to elevate your script or run it from an elevated
command prompt if you need to work with high integrity windows.
> import ctypes
> import time
>
> time.sleep(2)
>
> User32 = ctypes.WinDLL('User32', use_last_error=True)
> Kernel32 = ctypes.WinDLL('Kernel32', use_last_error=True)
>
> handle = User32.GetForegroundWindow()
>
> print(User32.MoveWindow(handle, 50, 50, 500, 500, False))
If this is running in 64-bit Python 2, avoid passing integer handle
arguments without defining the prototype. Handles are 64-bit pointers
in 64-bit Windows (though the actual values of real handles are
limited to 32-bit), but for ctypes the default integer argument type
is a 32-bit C int. In Python 2, ctypes doesn't zero the call stack
when copying the 32-bit integer value, so it's possible for garbage to
be passed in the high DWORD, which will be read as an invalid handle
value. Python 3 overwrites the full 64-bit QWORD in this case by
casting the value to intptr_t, so it doesn't have this problem.
Plus it's better in general to define a function's prototype and set
an errcheck handler. You'll get a safer, more pythonic interface. It's
not free though. ctypes is pretty clunky. You can write functions to
paper over some of the awkwardness. Here's an example DEF function.
import ctypes
from ctypes import wintypes
user32 = ctypes.WinDLL('user32', use_last_error=True)
def DEF(name, lib, restype=Ellipsis, errcheck=None, argtypes=(),
use_last_error=None):
base = lib._FuncPtr
if restype is Ellipsis:
restype = base._restype_
if use_last_error is None:
use_last_error = bool(base._flags_ & ctypes._FUNCFLAG_USE_LASTERROR)
if (argtypes and isinstance(argtypes[0], (tuple, list)) and
len(argtypes[0]) > 1):
paramflags = tuple(tuple(p[1:]) if isinstance(p[1], int) else
(0,) + tuple(p[1:]) for p in argtypes)
argtypes = tuple(a[0] for a in argtypes)
else:
paramflags = None
proto = ctypes.WINFUNCTYPE(restype, *argtypes,
use_last_error=use_last_error)
func = proto((name, lib), paramflags)
if errcheck:
func.errcheck = errcheck
setattr(lib, name, func)
def _check_bool(result, func, args):
if not result:
err = ctypes.get_last_error()
if err:
raise ctypes.WinError(err)
return args
DEF('GetForegroundWindow', user32, wintypes.HWND)
DEF('MoveWindow', user32, wintypes.BOOL, _check_bool,
[(wintypes.HWND, 'hWnd'),
(ctypes.c_int, 'X'),
(ctypes.c_int, 'Y'),
(ctypes.c_int, 'nWidth'),
(ctypes.c_int, 'nHeight'),
(wintypes.BOOL, 'bRepaint')])
def get_foreground_window():
while True:
hwnd = user32.GetForegroundWindow()
if hwnd is not None:
return hwnd
if __name__ == '__main__':
import time
time.sleep(2)
hwnd = get_foreground_window()
user32.MoveWindow(hwnd, X=50, Y=50, nWidth=500, nHeight=500,
bRepaint=False)
|
|
From: Michael C <mys...@gm...> - 2017-04-21 23:21:17
|
Oh and the error code from print(Kernel32.GetLastError()) was "5"
On Fri, Apr 21, 2017 at 4:19 PM, Michael C <mys...@gm...>
wrote:
> Hi all,
>
> I am trying to move and resize a window of a video game, but the following
> code doesn't work for some reason. How it works is that it acquire the
> handle to the foreground window, and then move it to the specified location
> and size. Since it works on notepad, but not my game window, i used
> Kernel32.GetLastError() to find out what went wrong.
>
> Now, I am still a 1st year CS student, so my school hasn't taught me what
> exceptions are yet, any pointers on what to read up?
>
> Thanks!
>
>
>
> import ctypes
> import time
>
> time.sleep(2)
>
> User32 = ctypes.WinDLL('User32', use_last_error=True)
> Kernel32 = ctypes.WinDLL('Kernel32', use_last_error=True)
>
> handle = User32.GetForegroundWindow()
>
> print(User32.MoveWindow(handle, 50, 50, 500, 500, False))
> print(Kernel32.GetLastError())
>
> #https://msdn.microsoft.com/en-us/library/windows/desktop/
> ms633534(v=vs.85).aspx
>
|
|
From: Michael C <mys...@gm...> - 2017-04-21 23:19:48
|
Hi all,
I am trying to move and resize a window of a video game, but the following
code doesn't work for some reason. How it works is that it acquire the
handle to the foreground window, and then move it to the specified location
and size. Since it works on notepad, but not my game window, i used
Kernel32.GetLastError() to find out what went wrong.
Now, I am still a 1st year CS student, so my school hasn't taught me what
exceptions are yet, any pointers on what to read up?
Thanks!
import ctypes
import time
time.sleep(2)
User32 = ctypes.WinDLL('User32', use_last_error=True)
Kernel32 = ctypes.WinDLL('Kernel32', use_last_error=True)
handle = User32.GetForegroundWindow()
print(User32.MoveWindow(handle, 50, 50, 500, 500, False))
print(Kernel32.GetLastError())
#
https://msdn.microsoft.com/en-us/library/windows/desktop/ms633534(v=vs.85).aspx
|
|
From: Michael C <mys...@gm...> - 2016-12-13 21:35:50
|
ok On Tue, Dec 13, 2016 at 1:32 PM, eryk sun <er...@gm...> wrote: > On Tue, Dec 13, 2016 at 8:49 PM, Michael C > <mys...@gm...> wrote: > > in this case, what do i put down for lpAddress? > > I suggest experimenting with Sysinterals VMMap [1] to first > familiarize yourself with the address space of processes. > > [1]: https://technet.microsoft.com/en-us/sysinternals/vmmap > |
|
From: eryk s. <er...@gm...> - 2016-12-13 21:33:25
|
On Tue, Dec 13, 2016 at 8:49 PM, Michael C <mys...@gm...> wrote: > in this case, what do i put down for lpAddress? I suggest experimenting with Sysinterals VMMap [1] to first familiarize yourself with the address space of processes. [1]: https://technet.microsoft.com/en-us/sysinternals/vmmap |
|
From: Michael C <mys...@gm...> - 2016-12-13 20:49:38
|
in this case, what do i put down for lpAddress? thx On Tue, Dec 13, 2016 at 12:46 PM, eryk sun <er...@gm...> wrote: > On Tue, Dec 13, 2016 at 8:06 PM, Michael C > <mys...@gm...> wrote: > > I am trying to sort of whether or not my basic memory information > parameter > > has received the proper values for each of the attritubes, so far, this > is > > my print out of them, and I don't know if they are right. please take a > > look: > > [snip] > > > kernel32.VirtualQueryEx(handle, None, ctypes.byref(mbi), > > ctypes.sizeof(mbi)) > > > > print(mbi.BaseAddress) > > print(mbi.AllocationBase) > > print(mbi.AllocationProtect) > > print(mbi.RegionSize) > > print(mbi.State) > > print(mbi.Protect) > > print(mbi.Type) > > > > ------- print out------ > > > > None > > None > > 0 > > 2228224 > > 65536 > > 1 > > 0 > > You passed NULL (0) for lpAddress. In this case the region BaseAddress > is 0, and the RegionSize is a bit more than 2 MB. The region State is > 0x10000 (MEM_FREE), so the fields AllocationBase, AllocationProtect, > Protect, and Type are undefined. Windows defaults to leaving this > region unallocated, which helps to ensure bad pointers (e.g. a NULL > pointer) raise an access violation. > |
|
From: eryk s. <er...@gm...> - 2016-12-13 20:46:53
|
On Tue, Dec 13, 2016 at 8:06 PM, Michael C <mys...@gm...> wrote: > I am trying to sort of whether or not my basic memory information parameter > has received the proper values for each of the attritubes, so far, this is > my print out of them, and I don't know if they are right. please take a > look: [snip] > kernel32.VirtualQueryEx(handle, None, ctypes.byref(mbi), > ctypes.sizeof(mbi)) > > print(mbi.BaseAddress) > print(mbi.AllocationBase) > print(mbi.AllocationProtect) > print(mbi.RegionSize) > print(mbi.State) > print(mbi.Protect) > print(mbi.Type) > > ------- print out------ > > None > None > 0 > 2228224 > 65536 > 1 > 0 You passed NULL (0) for lpAddress. In this case the region BaseAddress is 0, and the RegionSize is a bit more than 2 MB. The region State is 0x10000 (MEM_FREE), so the fields AllocationBase, AllocationProtect, Protect, and Type are undefined. Windows defaults to leaving this region unallocated, which helps to ensure bad pointers (e.g. a NULL pointer) raise an access violation. |
|
From: Michael C <mys...@gm...> - 2016-12-13 20:06:12
|
I am trying to sort of whether or not my basic memory information parameter
has received the proper values for each of the attritubes, so far, this is
my print out of them, and I don't know if they are right. please take a
look:
import ctypes
from ctypes import wintypes
kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
if not hasattr(wintypes, 'PVOID'):
wintypes.PVOID = wintypes.LPVOID
if not hasattr(wintypes, 'SIZE_T'):
wintypes.SIZE_T = ctypes.c_size_t
if not hasattr(wintypes, 'PSIZE_T'):
wintypes.PSIZE_T = ctypes.POINTER(wintypes.SIZE_T)
class MEMORY_BASIC_INFORMATION(ctypes.Structure):
_fields_ = (('BaseAddress', wintypes.PVOID),
('AllocationBase', wintypes.PVOID),
('AllocationProtect', wintypes.DWORD),
('RegionSize', wintypes.SIZE_T),
('State', wintypes.DWORD),
('Protect', wintypes.DWORD),
('Type', wintypes.DWORD))
PMEMORY_BASIC_INFORMATION = ctypes.POINTER(MEMORY_BASIC_INFORMATION)
dtype = ctypes.c_double
handle = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ, False, 9552)
mbi = MEMORY_BASIC_INFORMATION()
kernel32.VirtualQueryEx(handle, None, ctypes.byref(mbi),
ctypes.sizeof(mbi))
print(mbi.BaseAddress)
print(mbi.AllocationBase)
print(mbi.AllocationProtect)
print(mbi.RegionSize)
print(mbi.State)
print(mbi.Protect)
print(mbi.Type)
------- print out------
None
None
0
2228224
65536
1
0
On Tue, Dec 13, 2016 at 11:00 AM, Michael C <mys...@gm...>
wrote:
> I get that this part would basically ensure the scanner find the address
> of source
> array itself, but I have been trying for several days to change that into
> a generic
> description so I can find any value I want, without success. What should I
> put down
> instead for "source_array"?
>
> ph = kernel32.GetCurrentProcess()
> count = 10
> source_array = (dtype * count)(*range(10))
> address = ctypes.addressof(source_array)
>
>
> block_size here means the size of the memory the target process uses right?
> Or does it mean something else?
>
> block_size = min(mbi.RegionSize - (address - mbi.BaseAddress),
> ctypes.sizeof(dtype) * count)
>
>
> thx!
>
> On Sat, Dec 10, 2016 at 3:26 PM, Michael C <mys...@gm...
> > wrote:
>
>> i have to go to work, will take a look later!
>>
>> thx!
>>
>> On Sat, Dec 10, 2016 at 3:25 PM eryk sun <er...@gm...> wrote:
>>
>>> On Sat, Dec 10, 2016 at 9:30 PM, Michael C
>>>
>>> <mys...@gm...> wrote:
>>>
>>> > I am stuck on which line of information to feed to ReadmemoryProcess
>>> with
>>>
>>> > this, I think I properly retrieved the information from Virtualqueryex
>>>
>>>
>>>
>>> Here's an example that uses VirtualQueryEx to determine whether the
>>>
>>> specified address is allocated and readable. If so, it reads up to
>>>
>>> `count` double-precision floats via ReadProcessMemory, but it won't
>>>
>>> read past the allocated region size.
>>>
>>>
>>>
>>> import ctypes
>>>
>>> from ctypes import wintypes
>>>
>>>
>>>
>>> kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
>>>
>>>
>>>
>>> PROCESS_VM_READ = 0x0010
>>>
>>> PROCESS_QUERY_INFORMATION = 0x0400
>>>
>>>
>>>
>>> MEM_COMMIT = 0x00001000
>>>
>>> MEM_RESERVE = 0x00002000
>>>
>>> MEM_FREE = 0x00010000
>>>
>>> MEM_PRIVATE = 0x00020000
>>>
>>> MEM_MAPPED = 0x00040000
>>>
>>> MEM_IMAGE = 0x01000000
>>>
>>>
>>>
>>> PAGE_NOACCESS = 0x00000001
>>>
>>> PAGE_READONLY = 0x00000002
>>>
>>> PAGE_READWRITE = 0x00000004
>>>
>>> PAGE_WRITECOPY = 0x00000008
>>>
>>> PAGE_EXECUTE = 0x00000010
>>>
>>> PAGE_EXECUTE_READ = 0x00000020
>>>
>>> PAGE_EXECUTE_READWRITE = 0x00000040
>>>
>>> PAGE_EXECUTE_WRITECOPY = 0x00000080
>>>
>>> PAGE_GUARD = 0x00000100
>>>
>>> PAGE_NOCACHE = 0x00000200
>>>
>>> PAGE_WRITECOMBINE = 0x00000400
>>>
>>> PAGE_TARGETS_INVALID = 0x40000000
>>>
>>>
>>>
>>> if not hasattr(wintypes, 'PVOID'):
>>>
>>> wintypes.PVOID = wintypes.LPVOID
>>>
>>>
>>>
>>> if not hasattr(wintypes, 'SIZE_T'):
>>>
>>> wintypes.SIZE_T = ctypes.c_size_t
>>>
>>>
>>>
>>> if not hasattr(wintypes, 'PSIZE_T'):
>>>
>>> wintypes.PSIZE_T = ctypes.POINTER(wintypes.SIZE_T)
>>>
>>>
>>>
>>> class MEMORY_BASIC_INFORMATION(ctypes.Structure):
>>>
>>> _fields_ = (('BaseAddress', wintypes.PVOID),
>>>
>>> ('AllocationBase', wintypes.PVOID),
>>>
>>> ('AllocationProtect', wintypes.DWORD),
>>>
>>> ('RegionSize', wintypes.SIZE_T),
>>>
>>> ('State', wintypes.DWORD),
>>>
>>> ('Protect', wintypes.DWORD),
>>>
>>> ('Type', wintypes.DWORD))
>>>
>>>
>>>
>>> PMEMORY_BASIC_INFORMATION = ctypes.POINTER(MEMORY_BASIC_INFORMATION)
>>>
>>>
>>>
>>> def _check_zero(result, func, args):
>>>
>>> """ Check for zero or NULL return value. """
>>>
>>> if not result:
>>>
>>> raise ctypes.WinError(ctypes.get_last_error())
>>>
>>> return args
>>>
>>>
>>>
>>> # https://msdn.microsoft.com/en-us/library/ms683179
>>>
>>> kernel32.GetCurrentProcess.restype = wintypes.HANDLE
>>>
>>>
>>>
>>> # https://msdn.microsoft.com/en-us/library/ms684320
>>>
>>> kernel32.OpenProcess.errcheck = _check_zero
>>>
>>> kernel32.OpenProcess.restype = wintypes.HANDLE
>>>
>>>
>>>
>>> # https://msdn.microsoft.com/en-us/library/ms680553
>>>
>>> kernel32.ReadProcessMemory.errcheck = _check_zero
>>>
>>> kernel32.ReadProcessMemory.argtypes = (
>>>
>>> wintypes.HANDLE, # _In_ hProcess
>>>
>>> wintypes.LPCVOID, # _In_ lpBaseAddress
>>>
>>> wintypes.LPVOID, # _Out_ lpBuffer
>>>
>>> wintypes.SIZE_T, # _In_ nSize
>>>
>>> wintypes.PSIZE_T) # _Out_ lpNumberOfBytesRead
>>>
>>>
>>>
>>> # https://msdn.microsoft.com/en-us/library/aa366907
>>>
>>> kernel32.VirtualQueryEx.errcheck = _check_zero
>>>
>>> kernel32.VirtualQueryEx.restype = wintypes.SIZE_T
>>>
>>> kernel32.VirtualQueryEx.argtypes = (
>>>
>>> wintypes.HANDLE, # _In_ hProcess
>>>
>>> wintypes.LPCVOID, # _In_opt_ lpAddress
>>>
>>> PMEMORY_BASIC_INFORMATION, # _Out_ lpBuffer
>>>
>>> wintypes.SIZE_T) # _In_ dwLength
>>>
>>>
>>>
>>> if __name__ == '__main__':
>>>
>>> import sys
>>>
>>>
>>>
>>> dtype = ctypes.c_double
>>>
>>>
>>>
>>> if len(sys.argv) == 4:
>>>
>>> ph = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION |
>>>
>>> PROCESS_VM_READ, False, int(sys.argv[1]))
>>>
>>> address = int(sys.argv[2], 16)
>>>
>>> count = int(sys.argv[3])
>>>
>>> elif len(sys.argv) == 1:
>>>
>>> ph = kernel32.GetCurrentProcess()
>>>
>>> count = 10
>>>
>>> source_array = (dtype * count)(*range(10))
>>>
>>> address = ctypes.addressof(source_array)
>>>
>>> else:
>>>
>>> sys.exit('Usage: %s pid address count' % sys.argv[0])
>>>
>>>
>>>
>>> mbi = MEMORY_BASIC_INFORMATION()
>>>
>>> kernel32.VirtualQueryEx(ph, address, ctypes.byref(mbi),
>>>
>>> ctypes.sizeof(mbi))
>>>
>>>
>>>
>>> if mbi.State & MEM_FREE:
>>>
>>> sys.exit('Address not allocated')
>>>
>>> if mbi.State & MEM_RESERVE:
>>>
>>> sys.exit('Address reserved but not committed')
>>>
>>> if mbi.Protect & PAGE_NOACCESS:
>>>
>>> sys.exit('Address not accessible')
>>>
>>>
>>>
>>> block_size = min(mbi.RegionSize - (address - mbi.BaseAddress),
>>>
>>> ctypes.sizeof(dtype) * count)
>>>
>>> address_list = range(address, address + block_size,
>>>
>>> ctypes.sizeof(dtype))
>>>
>>>
>>>
>>> input('Press enter to list %d values, or Ctrl+Break to quit\n'
>>>
>>> % len(address_list))
>>>
>>>
>>>
>>> data = dtype()
>>>
>>> for address in address_list:
>>>
>>> kernel32.ReadProcessMemory(ph, address, ctypes.byref(data),
>>>
>>> ctypes.sizeof(data), None)
>>>
>>> print('%x: %f' % (address, data.value))
>>>
>>>
>
|
|
From: Michael C <mys...@gm...> - 2016-12-13 19:00:58
|
I get that this part would basically ensure the scanner find the address of
source
array itself, but I have been trying for several days to change that into a
generic
description so I can find any value I want, without success. What should I
put down
instead for "source_array"?
ph = kernel32.GetCurrentProcess()
count = 10
source_array = (dtype * count)(*range(10))
address = ctypes.addressof(source_array)
block_size here means the size of the memory the target process uses right?
Or does it mean something else?
block_size = min(mbi.RegionSize - (address - mbi.BaseAddress),
ctypes.sizeof(dtype) * count)
thx!
On Sat, Dec 10, 2016 at 3:26 PM, Michael C <mys...@gm...>
wrote:
> i have to go to work, will take a look later!
>
> thx!
>
> On Sat, Dec 10, 2016 at 3:25 PM eryk sun <er...@gm...> wrote:
>
>> On Sat, Dec 10, 2016 at 9:30 PM, Michael C
>>
>> <mys...@gm...> wrote:
>>
>> > I am stuck on which line of information to feed to ReadmemoryProcess
>> with
>>
>> > this, I think I properly retrieved the information from Virtualqueryex
>>
>>
>>
>> Here's an example that uses VirtualQueryEx to determine whether the
>>
>> specified address is allocated and readable. If so, it reads up to
>>
>> `count` double-precision floats via ReadProcessMemory, but it won't
>>
>> read past the allocated region size.
>>
>>
>>
>> import ctypes
>>
>> from ctypes import wintypes
>>
>>
>>
>> kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
>>
>>
>>
>> PROCESS_VM_READ = 0x0010
>>
>> PROCESS_QUERY_INFORMATION = 0x0400
>>
>>
>>
>> MEM_COMMIT = 0x00001000
>>
>> MEM_RESERVE = 0x00002000
>>
>> MEM_FREE = 0x00010000
>>
>> MEM_PRIVATE = 0x00020000
>>
>> MEM_MAPPED = 0x00040000
>>
>> MEM_IMAGE = 0x01000000
>>
>>
>>
>> PAGE_NOACCESS = 0x00000001
>>
>> PAGE_READONLY = 0x00000002
>>
>> PAGE_READWRITE = 0x00000004
>>
>> PAGE_WRITECOPY = 0x00000008
>>
>> PAGE_EXECUTE = 0x00000010
>>
>> PAGE_EXECUTE_READ = 0x00000020
>>
>> PAGE_EXECUTE_READWRITE = 0x00000040
>>
>> PAGE_EXECUTE_WRITECOPY = 0x00000080
>>
>> PAGE_GUARD = 0x00000100
>>
>> PAGE_NOCACHE = 0x00000200
>>
>> PAGE_WRITECOMBINE = 0x00000400
>>
>> PAGE_TARGETS_INVALID = 0x40000000
>>
>>
>>
>> if not hasattr(wintypes, 'PVOID'):
>>
>> wintypes.PVOID = wintypes.LPVOID
>>
>>
>>
>> if not hasattr(wintypes, 'SIZE_T'):
>>
>> wintypes.SIZE_T = ctypes.c_size_t
>>
>>
>>
>> if not hasattr(wintypes, 'PSIZE_T'):
>>
>> wintypes.PSIZE_T = ctypes.POINTER(wintypes.SIZE_T)
>>
>>
>>
>> class MEMORY_BASIC_INFORMATION(ctypes.Structure):
>>
>> _fields_ = (('BaseAddress', wintypes.PVOID),
>>
>> ('AllocationBase', wintypes.PVOID),
>>
>> ('AllocationProtect', wintypes.DWORD),
>>
>> ('RegionSize', wintypes.SIZE_T),
>>
>> ('State', wintypes.DWORD),
>>
>> ('Protect', wintypes.DWORD),
>>
>> ('Type', wintypes.DWORD))
>>
>>
>>
>> PMEMORY_BASIC_INFORMATION = ctypes.POINTER(MEMORY_BASIC_INFORMATION)
>>
>>
>>
>> def _check_zero(result, func, args):
>>
>> """ Check for zero or NULL return value. """
>>
>> if not result:
>>
>> raise ctypes.WinError(ctypes.get_last_error())
>>
>> return args
>>
>>
>>
>> # https://msdn.microsoft.com/en-us/library/ms683179
>>
>> kernel32.GetCurrentProcess.restype = wintypes.HANDLE
>>
>>
>>
>> # https://msdn.microsoft.com/en-us/library/ms684320
>>
>> kernel32.OpenProcess.errcheck = _check_zero
>>
>> kernel32.OpenProcess.restype = wintypes.HANDLE
>>
>>
>>
>> # https://msdn.microsoft.com/en-us/library/ms680553
>>
>> kernel32.ReadProcessMemory.errcheck = _check_zero
>>
>> kernel32.ReadProcessMemory.argtypes = (
>>
>> wintypes.HANDLE, # _In_ hProcess
>>
>> wintypes.LPCVOID, # _In_ lpBaseAddress
>>
>> wintypes.LPVOID, # _Out_ lpBuffer
>>
>> wintypes.SIZE_T, # _In_ nSize
>>
>> wintypes.PSIZE_T) # _Out_ lpNumberOfBytesRead
>>
>>
>>
>> # https://msdn.microsoft.com/en-us/library/aa366907
>>
>> kernel32.VirtualQueryEx.errcheck = _check_zero
>>
>> kernel32.VirtualQueryEx.restype = wintypes.SIZE_T
>>
>> kernel32.VirtualQueryEx.argtypes = (
>>
>> wintypes.HANDLE, # _In_ hProcess
>>
>> wintypes.LPCVOID, # _In_opt_ lpAddress
>>
>> PMEMORY_BASIC_INFORMATION, # _Out_ lpBuffer
>>
>> wintypes.SIZE_T) # _In_ dwLength
>>
>>
>>
>> if __name__ == '__main__':
>>
>> import sys
>>
>>
>>
>> dtype = ctypes.c_double
>>
>>
>>
>> if len(sys.argv) == 4:
>>
>> ph = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION |
>>
>> PROCESS_VM_READ, False, int(sys.argv[1]))
>>
>> address = int(sys.argv[2], 16)
>>
>> count = int(sys.argv[3])
>>
>> elif len(sys.argv) == 1:
>>
>> ph = kernel32.GetCurrentProcess()
>>
>> count = 10
>>
>> source_array = (dtype * count)(*range(10))
>>
>> address = ctypes.addressof(source_array)
>>
>> else:
>>
>> sys.exit('Usage: %s pid address count' % sys.argv[0])
>>
>>
>>
>> mbi = MEMORY_BASIC_INFORMATION()
>>
>> kernel32.VirtualQueryEx(ph, address, ctypes.byref(mbi),
>>
>> ctypes.sizeof(mbi))
>>
>>
>>
>> if mbi.State & MEM_FREE:
>>
>> sys.exit('Address not allocated')
>>
>> if mbi.State & MEM_RESERVE:
>>
>> sys.exit('Address reserved but not committed')
>>
>> if mbi.Protect & PAGE_NOACCESS:
>>
>> sys.exit('Address not accessible')
>>
>>
>>
>> block_size = min(mbi.RegionSize - (address - mbi.BaseAddress),
>>
>> ctypes.sizeof(dtype) * count)
>>
>> address_list = range(address, address + block_size,
>>
>> ctypes.sizeof(dtype))
>>
>>
>>
>> input('Press enter to list %d values, or Ctrl+Break to quit\n'
>>
>> % len(address_list))
>>
>>
>>
>> data = dtype()
>>
>> for address in address_list:
>>
>> kernel32.ReadProcessMemory(ph, address, ctypes.byref(data),
>>
>> ctypes.sizeof(data), None)
>>
>> print('%x: %f' % (address, data.value))
>>
>>
|
|
From: Michael C <mys...@gm...> - 2016-12-10 23:27:08
|
i have to go to work, will take a look later!
thx!
On Sat, Dec 10, 2016 at 3:25 PM eryk sun <er...@gm...> wrote:
> On Sat, Dec 10, 2016 at 9:30 PM, Michael C
>
> <mys...@gm...> wrote:
>
> > I am stuck on which line of information to feed to ReadmemoryProcess with
>
> > this, I think I properly retrieved the information from Virtualqueryex
>
>
>
> Here's an example that uses VirtualQueryEx to determine whether the
>
> specified address is allocated and readable. If so, it reads up to
>
> `count` double-precision floats via ReadProcessMemory, but it won't
>
> read past the allocated region size.
>
>
>
> import ctypes
>
> from ctypes import wintypes
>
>
>
> kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
>
>
>
> PROCESS_VM_READ = 0x0010
>
> PROCESS_QUERY_INFORMATION = 0x0400
>
>
>
> MEM_COMMIT = 0x00001000
>
> MEM_RESERVE = 0x00002000
>
> MEM_FREE = 0x00010000
>
> MEM_PRIVATE = 0x00020000
>
> MEM_MAPPED = 0x00040000
>
> MEM_IMAGE = 0x01000000
>
>
>
> PAGE_NOACCESS = 0x00000001
>
> PAGE_READONLY = 0x00000002
>
> PAGE_READWRITE = 0x00000004
>
> PAGE_WRITECOPY = 0x00000008
>
> PAGE_EXECUTE = 0x00000010
>
> PAGE_EXECUTE_READ = 0x00000020
>
> PAGE_EXECUTE_READWRITE = 0x00000040
>
> PAGE_EXECUTE_WRITECOPY = 0x00000080
>
> PAGE_GUARD = 0x00000100
>
> PAGE_NOCACHE = 0x00000200
>
> PAGE_WRITECOMBINE = 0x00000400
>
> PAGE_TARGETS_INVALID = 0x40000000
>
>
>
> if not hasattr(wintypes, 'PVOID'):
>
> wintypes.PVOID = wintypes.LPVOID
>
>
>
> if not hasattr(wintypes, 'SIZE_T'):
>
> wintypes.SIZE_T = ctypes.c_size_t
>
>
>
> if not hasattr(wintypes, 'PSIZE_T'):
>
> wintypes.PSIZE_T = ctypes.POINTER(wintypes.SIZE_T)
>
>
>
> class MEMORY_BASIC_INFORMATION(ctypes.Structure):
>
> _fields_ = (('BaseAddress', wintypes.PVOID),
>
> ('AllocationBase', wintypes.PVOID),
>
> ('AllocationProtect', wintypes.DWORD),
>
> ('RegionSize', wintypes.SIZE_T),
>
> ('State', wintypes.DWORD),
>
> ('Protect', wintypes.DWORD),
>
> ('Type', wintypes.DWORD))
>
>
>
> PMEMORY_BASIC_INFORMATION = ctypes.POINTER(MEMORY_BASIC_INFORMATION)
>
>
>
> def _check_zero(result, func, args):
>
> """ Check for zero or NULL return value. """
>
> if not result:
>
> raise ctypes.WinError(ctypes.get_last_error())
>
> return args
>
>
>
> # https://msdn.microsoft.com/en-us/library/ms683179
>
> kernel32.GetCurrentProcess.restype = wintypes.HANDLE
>
>
>
> # https://msdn.microsoft.com/en-us/library/ms684320
>
> kernel32.OpenProcess.errcheck = _check_zero
>
> kernel32.OpenProcess.restype = wintypes.HANDLE
>
>
>
> # https://msdn.microsoft.com/en-us/library/ms680553
>
> kernel32.ReadProcessMemory.errcheck = _check_zero
>
> kernel32.ReadProcessMemory.argtypes = (
>
> wintypes.HANDLE, # _In_ hProcess
>
> wintypes.LPCVOID, # _In_ lpBaseAddress
>
> wintypes.LPVOID, # _Out_ lpBuffer
>
> wintypes.SIZE_T, # _In_ nSize
>
> wintypes.PSIZE_T) # _Out_ lpNumberOfBytesRead
>
>
>
> # https://msdn.microsoft.com/en-us/library/aa366907
>
> kernel32.VirtualQueryEx.errcheck = _check_zero
>
> kernel32.VirtualQueryEx.restype = wintypes.SIZE_T
>
> kernel32.VirtualQueryEx.argtypes = (
>
> wintypes.HANDLE, # _In_ hProcess
>
> wintypes.LPCVOID, # _In_opt_ lpAddress
>
> PMEMORY_BASIC_INFORMATION, # _Out_ lpBuffer
>
> wintypes.SIZE_T) # _In_ dwLength
>
>
>
> if __name__ == '__main__':
>
> import sys
>
>
>
> dtype = ctypes.c_double
>
>
>
> if len(sys.argv) == 4:
>
> ph = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION |
>
> PROCESS_VM_READ, False, int(sys.argv[1]))
>
> address = int(sys.argv[2], 16)
>
> count = int(sys.argv[3])
>
> elif len(sys.argv) == 1:
>
> ph = kernel32.GetCurrentProcess()
>
> count = 10
>
> source_array = (dtype * count)(*range(10))
>
> address = ctypes.addressof(source_array)
>
> else:
>
> sys.exit('Usage: %s pid address count' % sys.argv[0])
>
>
>
> mbi = MEMORY_BASIC_INFORMATION()
>
> kernel32.VirtualQueryEx(ph, address, ctypes.byref(mbi),
>
> ctypes.sizeof(mbi))
>
>
>
> if mbi.State & MEM_FREE:
>
> sys.exit('Address not allocated')
>
> if mbi.State & MEM_RESERVE:
>
> sys.exit('Address reserved but not committed')
>
> if mbi.Protect & PAGE_NOACCESS:
>
> sys.exit('Address not accessible')
>
>
>
> block_size = min(mbi.RegionSize - (address - mbi.BaseAddress),
>
> ctypes.sizeof(dtype) * count)
>
> address_list = range(address, address + block_size,
>
> ctypes.sizeof(dtype))
>
>
>
> input('Press enter to list %d values, or Ctrl+Break to quit\n'
>
> % len(address_list))
>
>
>
> data = dtype()
>
> for address in address_list:
>
> kernel32.ReadProcessMemory(ph, address, ctypes.byref(data),
>
> ctypes.sizeof(data), None)
>
> print('%x: %f' % (address, data.value))
>
>
|
|
From: eryk s. <er...@gm...> - 2016-12-10 23:25:24
|
On Sat, Dec 10, 2016 at 9:30 PM, Michael C
<mys...@gm...> wrote:
> I am stuck on which line of information to feed to ReadmemoryProcess with
> this, I think I properly retrieved the information from Virtualqueryex
Here's an example that uses VirtualQueryEx to determine whether the
specified address is allocated and readable. If so, it reads up to
`count` double-precision floats via ReadProcessMemory, but it won't
read past the allocated region size.
import ctypes
from ctypes import wintypes
kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
MEM_FREE = 0x00010000
MEM_PRIVATE = 0x00020000
MEM_MAPPED = 0x00040000
MEM_IMAGE = 0x01000000
PAGE_NOACCESS = 0x00000001
PAGE_READONLY = 0x00000002
PAGE_READWRITE = 0x00000004
PAGE_WRITECOPY = 0x00000008
PAGE_EXECUTE = 0x00000010
PAGE_EXECUTE_READ = 0x00000020
PAGE_EXECUTE_READWRITE = 0x00000040
PAGE_EXECUTE_WRITECOPY = 0x00000080
PAGE_GUARD = 0x00000100
PAGE_NOCACHE = 0x00000200
PAGE_WRITECOMBINE = 0x00000400
PAGE_TARGETS_INVALID = 0x40000000
if not hasattr(wintypes, 'PVOID'):
wintypes.PVOID = wintypes.LPVOID
if not hasattr(wintypes, 'SIZE_T'):
wintypes.SIZE_T = ctypes.c_size_t
if not hasattr(wintypes, 'PSIZE_T'):
wintypes.PSIZE_T = ctypes.POINTER(wintypes.SIZE_T)
class MEMORY_BASIC_INFORMATION(ctypes.Structure):
_fields_ = (('BaseAddress', wintypes.PVOID),
('AllocationBase', wintypes.PVOID),
('AllocationProtect', wintypes.DWORD),
('RegionSize', wintypes.SIZE_T),
('State', wintypes.DWORD),
('Protect', wintypes.DWORD),
('Type', wintypes.DWORD))
PMEMORY_BASIC_INFORMATION = ctypes.POINTER(MEMORY_BASIC_INFORMATION)
def _check_zero(result, func, args):
""" Check for zero or NULL return value. """
if not result:
raise ctypes.WinError(ctypes.get_last_error())
return args
# https://msdn.microsoft.com/en-us/library/ms683179
kernel32.GetCurrentProcess.restype = wintypes.HANDLE
# https://msdn.microsoft.com/en-us/library/ms684320
kernel32.OpenProcess.errcheck = _check_zero
kernel32.OpenProcess.restype = wintypes.HANDLE
# https://msdn.microsoft.com/en-us/library/ms680553
kernel32.ReadProcessMemory.errcheck = _check_zero
kernel32.ReadProcessMemory.argtypes = (
wintypes.HANDLE, # _In_ hProcess
wintypes.LPCVOID, # _In_ lpBaseAddress
wintypes.LPVOID, # _Out_ lpBuffer
wintypes.SIZE_T, # _In_ nSize
wintypes.PSIZE_T) # _Out_ lpNumberOfBytesRead
# https://msdn.microsoft.com/en-us/library/aa366907
kernel32.VirtualQueryEx.errcheck = _check_zero
kernel32.VirtualQueryEx.restype = wintypes.SIZE_T
kernel32.VirtualQueryEx.argtypes = (
wintypes.HANDLE, # _In_ hProcess
wintypes.LPCVOID, # _In_opt_ lpAddress
PMEMORY_BASIC_INFORMATION, # _Out_ lpBuffer
wintypes.SIZE_T) # _In_ dwLength
if __name__ == '__main__':
import sys
dtype = ctypes.c_double
if len(sys.argv) == 4:
ph = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ, False, int(sys.argv[1]))
address = int(sys.argv[2], 16)
count = int(sys.argv[3])
elif len(sys.argv) == 1:
ph = kernel32.GetCurrentProcess()
count = 10
source_array = (dtype * count)(*range(10))
address = ctypes.addressof(source_array)
else:
sys.exit('Usage: %s pid address count' % sys.argv[0])
mbi = MEMORY_BASIC_INFORMATION()
kernel32.VirtualQueryEx(ph, address, ctypes.byref(mbi),
ctypes.sizeof(mbi))
if mbi.State & MEM_FREE:
sys.exit('Address not allocated')
if mbi.State & MEM_RESERVE:
sys.exit('Address reserved but not committed')
if mbi.Protect & PAGE_NOACCESS:
sys.exit('Address not accessible')
block_size = min(mbi.RegionSize - (address - mbi.BaseAddress),
ctypes.sizeof(dtype) * count)
address_list = range(address, address + block_size,
ctypes.sizeof(dtype))
input('Press enter to list %d values, or Ctrl+Break to quit\n'
% len(address_list))
data = dtype()
for address in address_list:
kernel32.ReadProcessMemory(ph, address, ctypes.byref(data),
ctypes.sizeof(data), None)
print('%x: %f' % (address, data.value))
|
|
From: Michael C <mys...@gm...> - 2016-12-10 21:30:29
|
I am stuck on which line of information to feed to ReadmemoryProcess with
this, I think I properly retrieved the information from Virtualqueryex
from ctypes import c_long, c_uint, c_char, c_ushort
from ctypes import Structure
from ctypes import *
import ctypes
from ctypes import wintypes
BYTE = c_ubyte
WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)
HANDLE = c_void_p
PVOID = c_void_p
LPVOID = c_void_p
UINT_PTR = c_ulong
SIZE_T = c_ulong
class MEMORY_BASIC_INFORMATION(Structure):
_fields_ = [
("BaseAddress", PVOID),
("AllocationBase", PVOID),
("AllocationProtect", DWORD),
("RegionSize", SIZE_T),
("State", DWORD),
("Protect", DWORD),
("Type", DWORD),
]
user32 = ctypes.WinDLL('user32', use_last_error=True)
kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
base = 0
memory_basic_information = MEMORY_BASIC_INFORMATION()
ph = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,False,
4900)
kernel32.VirtualQueryEx(ph, base, byref(memory_basic_information),
sizeof(memory_basic_information))
print(memory_basic_information.BaseAddress)
print(memory_basic_information.AllocationBase)
print(memory_basic_information.AllocationProtect)
print(memory_basic_information.RegionSize)
print(memory_basic_information.State)
print(memory_basic_information.Protect)
print(memory_basic_information.Type)
On Sat, Dec 10, 2016 at 1:25 PM, eryk sun <er...@gm...> wrote:
> On Sat, Dec 10, 2016 at 7:52 PM, Michael C
> <mys...@gm...> wrote:
> > Shouldn't I use VirtualQueryEX to find out these values?
> >
> > ph = kernel32.GetCurrentProcess()
> > source_array = (wintypes.DWORD * 10)(*range(10))
> > base_address = ctypes.addressof(source_array)
> > block_size = ctypes.sizeof(source_array)
>
> VirtualQueryEx is used to query for information about a memory block
> (e.g. the allocation base address, region size, and protection). You
> would call it to get the base address and size if you wanted to read
> an entire allocated region, which would typically be a block of memory
> that's managed by a heap or some other allocator (e.g. Python's
> small-object allocator).
>
|
|
From: eryk s. <er...@gm...> - 2016-12-10 21:26:36
|
On Sat, Dec 10, 2016 at 7:52 PM, Michael C <mys...@gm...> wrote: > Shouldn't I use VirtualQueryEX to find out these values? > > ph = kernel32.GetCurrentProcess() > source_array = (wintypes.DWORD * 10)(*range(10)) > base_address = ctypes.addressof(source_array) > block_size = ctypes.sizeof(source_array) VirtualQueryEx is used to query for information about a memory block (e.g. the allocation base address, region size, and protection). You would call it to get the base address and size if you wanted to read an entire allocated region, which would typically be a block of memory that's managed by a heap or some other allocator (e.g. Python's small-object allocator). |
|
From: Michael C <mys...@gm...> - 2016-12-10 21:23:26
|
I believe the memory_basic_information in my code off of VirtualQueryEx
somehow turns into something to feed ReadProcessMemory, but I am lost there.
I know I have to fix this somehow:
source_array = (wintypes.DWORD * 10)(*range(10))
On Sat, Dec 10, 2016 at 1:19 PM, Michael C <mys...@gm...>
wrote:
> oh I see, it finds itself in its own process.
>
> Can you tell me how to use VirtualQueryEx to get the parameters to feed
> ReadprocessMemory? Here is what I have
>
>
> code:
>
> from ctypes import c_long, c_uint, c_char, c_ushort
> from ctypes import Structure
> from ctypes import *
> import ctypes
> from ctypes import wintypes
>
> BYTE = c_ubyte
> WORD = c_ushort
> DWORD = c_ulong
> LPBYTE = POINTER(c_ubyte)
> LPTSTR = POINTER(c_char)
> HANDLE = c_void_p
> PVOID = c_void_p
> LPVOID = c_void_p
> UINT_PTR = c_ulong
> SIZE_T = c_ulong
>
>
>
> class MEMORY_BASIC_INFORMATION(Structure):
> _fields_ = [
> ("BaseAddress", PVOID),
> ("AllocationBase", PVOID),
> ("AllocationProtect", DWORD),
> ("RegionSize", SIZE_T),
> ("State", DWORD),
> ("Protect", DWORD),
> ("Type", DWORD),
> ]
>
>
>
> user32 = ctypes.WinDLL('user32', use_last_error=True)
> kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
>
> PROCESS_QUERY_INFORMATION = 0x0400
> PROCESS_VM_READ = 0x0010
>
> base = 0
> memory_basic_information = MEMORY_BASIC_INFORMATION()
>
> ph = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,False,
> 4900)
>
> print(kernel32.VirtualQueryEx(ph, base, byref(memory_basic_information),
> sizeof(memory_basic_information)))
>
>
>
>
>
>
>
>
>
> On Sat, Dec 10, 2016 at 1:16 PM, eryk sun <er...@gm...> wrote:
>
>> On Sat, Dec 10, 2016 at 7:44 PM, Michael C
>> <mys...@gm...> wrote:
>> > what does this do?
>> >
>> > source_array = (wintypes.DWORD * 10)(*range(10))
>>
>> That's creating an array of 10 DWORD values, {0,1,2,3,4,5,6,7,8,9},
>> which is used for the the demo. ctypes arrays are initialized with
>> positional arguments, which is why it uses the splat (*) operator on
>> range(10).
>>
>
>
|
|
From: Michael C <mys...@gm...> - 2016-12-10 21:19:10
|
oh I see, it finds itself in its own process.
Can you tell me how to use VirtualQueryEx to get the parameters to feed
ReadprocessMemory? Here is what I have
code:
from ctypes import c_long, c_uint, c_char, c_ushort
from ctypes import Structure
from ctypes import *
import ctypes
from ctypes import wintypes
BYTE = c_ubyte
WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)
HANDLE = c_void_p
PVOID = c_void_p
LPVOID = c_void_p
UINT_PTR = c_ulong
SIZE_T = c_ulong
class MEMORY_BASIC_INFORMATION(Structure):
_fields_ = [
("BaseAddress", PVOID),
("AllocationBase", PVOID),
("AllocationProtect", DWORD),
("RegionSize", SIZE_T),
("State", DWORD),
("Protect", DWORD),
("Type", DWORD),
]
user32 = ctypes.WinDLL('user32', use_last_error=True)
kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
base = 0
memory_basic_information = MEMORY_BASIC_INFORMATION()
ph = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,False,
4900)
print(kernel32.VirtualQueryEx(ph, base, byref(memory_basic_information),
sizeof(memory_basic_information)))
On Sat, Dec 10, 2016 at 1:16 PM, eryk sun <er...@gm...> wrote:
> On Sat, Dec 10, 2016 at 7:44 PM, Michael C
> <mys...@gm...> wrote:
> > what does this do?
> >
> > source_array = (wintypes.DWORD * 10)(*range(10))
>
> That's creating an array of 10 DWORD values, {0,1,2,3,4,5,6,7,8,9},
> which is used for the the demo. ctypes arrays are initialized with
> positional arguments, which is why it uses the splat (*) operator on
> range(10).
>
|
|
From: eryk s. <er...@gm...> - 2016-12-10 21:17:10
|
On Sat, Dec 10, 2016 at 7:44 PM, Michael C
<mys...@gm...> wrote:
> what does this do?
>
> source_array = (wintypes.DWORD * 10)(*range(10))
That's creating an array of 10 DWORD values, {0,1,2,3,4,5,6,7,8,9},
which is used for the the demo. ctypes arrays are initialized with
positional arguments, which is why it uses the splat (*) operator on
range(10).
|
|
From: Michael C <mys...@gm...> - 2016-12-10 21:13:54
|
Quick question: how do you make the object drop down menu pop when you type "wintypes." ? On Sat, Dec 10, 2016 at 1:07 PM, eryk sun <er...@gm...> wrote: > On Sat, Dec 10, 2016 at 7:40 PM, Michael C > <mys...@gm...> wrote: > > How do I tell it to scan for double? > > I left it as an exercise for you to figure out how to read other data > types. If you understand what it's doing, then reading double values > should be simple. > > > Also, how do I specify the target process? > > You should be able to figure out how the script uses sys.argv. > |
|
From: eryk s. <er...@gm...> - 2016-12-10 21:08:45
|
On Sat, Dec 10, 2016 at 7:40 PM, Michael C <mys...@gm...> wrote: > How do I tell it to scan for double? I left it as an exercise for you to figure out how to read other data types. If you understand what it's doing, then reading double values should be simple. > Also, how do I specify the target process? You should be able to figure out how the script uses sys.argv. |
|
From: Michael C <mys...@gm...> - 2016-12-10 20:05:55
|
this is what i use at the moment for virtualqueryEX
from ctypes import c_long, c_uint, c_char, c_ushort
from ctypes import Structure
from ctypes import *
import ctypes
BYTE = c_ubyte
WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)
HANDLE = c_void_p
PVOID = c_void_p
LPVOID = c_void_p
UINT_PTR = c_ulong
SIZE_T = c_ulong
class MEMORY_BASIC_INFORMATION(Structure):
_fields_ = [
("BaseAddress", PVOID),
("AllocationBase", PVOID),
("AllocationProtect", DWORD),
("RegionSize", SIZE_T),
("State", DWORD),
("Protect", DWORD),
("Type", DWORD),
]
user32 = ctypes.WinDLL('user32', use_last_error=True)
kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
base = 0
memory_basic_information = MEMORY_BASIC_INFORMATION()
ph = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,False,
4900)
print(kernel32.VirtualQueryEx(ph, base, byref(memory_basic_information),
sizeof(memory_basic_information)))
On Sat, Dec 10, 2016 at 11:52 AM, Michael C <mys...@gm...>
wrote:
> Shouldn't I use VirtualQueryEX to find out these values?
>
> ph = kernel32.GetCurrentProcess()
> source_array = (wintypes.DWORD * 10)(*range(10))
> base_address = ctypes.addressof(source_array)
> block_size = ctypes.sizeof(source_array)
>
>
>
> On Sat, Dec 10, 2016 at 11:44 AM, Michael C <mysecretrobotfactory@gmail.
> com> wrote:
>
>> what does this do?
>>
>> source_array = (wintypes.DWORD * 10)(*range(10))
>>
>> On Sat, Dec 10, 2016 at 11:40 AM, Michael C <
>> mys...@gm...> wrote:
>>
>>> How do I tell it to scan for double?
>>> Also, how do I specify the target process?
>>>
>>> Thax
>>>
>>> On Sat, Dec 10, 2016 at 6:30 AM, eryk sun <er...@gm...> wrote:
>>>
>>>> On Sat, Dec 10, 2016 at 12:12 AM, Michael C
>>>> <mys...@gm...> wrote:
>>>> > Here is my entire current work in progress:
>>>> >
>>>> > #import modules
>>>> > import ctypes
>>>> > import time
>>>>
>>>> [snip]
>>>>
>>>> Here's a working example for ReadProcessMemory.
>>>>
>>>> import ctypes
>>>> from ctypes import wintypes
>>>>
>>>> kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
>>>>
>>>> PROCESS_VM_READ = 0x0010
>>>> PROCESS_QUERY_INFORMATION = 0x0400
>>>>
>>>> if not hasattr(wintypes, 'SIZE_T'):
>>>> wintypes.SIZE_T = ctypes.c_size_t
>>>>
>>>> if not hasattr(wintypes, 'PSIZE_T'):
>>>> wintypes.PSIZE_T = ctypes.POINTER(wintypes.SIZE_T)
>>>>
>>>> def _check_zero(result, func, args):
>>>> """ Check for zero or NULL return value. """
>>>> if not result:
>>>> raise ctypes.WinError(ctypes.get_last_error())
>>>> return args
>>>>
>>>> # https://msdn.microsoft.com/en-us/library/ms683179
>>>> kernel32.GetCurrentProcess.restype = wintypes.HANDLE
>>>>
>>>> # https://msdn.microsoft.com/en-us/library/ms684320
>>>> kernel32.OpenProcess.errcheck = _check_zero
>>>> kernel32.OpenProcess.restype = wintypes.HANDLE
>>>>
>>>> # https://msdn.microsoft.com/en-us/library/ms680553
>>>> kernel32.ReadProcessMemory.errcheck = _check_zero
>>>> kernel32.ReadProcessMemory.argtypes = (
>>>> wintypes.HANDLE, # _In_ hProcess
>>>> wintypes.LPCVOID, # _In_ lpBaseAddress
>>>> wintypes.LPVOID, # _Out_ lpBuffer
>>>> wintypes.SIZE_T, # _In_ nSize
>>>> wintypes.PSIZE_T) # _Out_ lpNumberOfBytesRead
>>>>
>>>> if __name__ == '__main__':
>>>> import sys
>>>>
>>>> if len(sys.argv) == 4:
>>>> ph = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION |
>>>> PROCESS_VM_READ, False, int(sys.argv[1]))
>>>> base_address = int(sys.argv[2])
>>>> block_size = int(sys.argv[3])
>>>> elif len(sys.argv) == 1:
>>>> ph = kernel32.GetCurrentProcess()
>>>> source_array = (wintypes.DWORD * 10)(*range(10))
>>>> base_address = ctypes.addressof(source_array)
>>>> block_size = ctypes.sizeof(source_array)
>>>> else:
>>>> sys.exit('Usage: %s pid base_address block_size' %
>>>> sys.argv[0])
>>>>
>>>> address_list = range(base_address, base_address + block_size,
>>>> ctypes.sizeof(wintypes.DWORD))
>>>> data = wintypes.DWORD()
>>>>
>>>> for address in address_list:
>>>> kernel32.ReadProcessMemory(ph, address, ctypes.byref(data),
>>>> ctypes.sizeof(data), None)
>>>> print('%x: %d' % (address, data.value))
>>>>
>>>> This script defaults to a demo that reads an array of DWORD values
>>>> from its own process. You can also provide it the PID, base address,
>>>> and block size to read from another process. You could extend this
>>>> with another option to configure the type of data read (e.g. char,
>>>> float) based on simple ctypes format codes, e.g. "L" for a DWORD,
>>>> where "L" is the value of `wintypes.DWORD._type_`. Or instead follow
>>>> WinDbg conventions (e.g. db, dw, dd).
>>>>
>>>> Note that I assign an errcheck function for the OpenProcess and
>>>> ReadProcessMemory function pointers. In this case both use the same
>>>> _check_zero function, which raises an OSError (or WindowsError in 2.x)
>>>> when the call fails. Idiomatic Python programming uses exceptions for
>>>> error handling and resource management (i.e. try/except/finally). Get
>>>> the error code from the exception's `winerror` attribute when handling
>>>> it. Here's the complete list of WinAPI error codes:
>>>>
>>>> https://msdn.microsoft.com/en-us/library/ms681381
>>>>
>>>
>>>
>>
>
|
119 messages has been excluded from this view by a project administrator.
