Win 64bit GetThreadContext 返回归零的寄存器,或 0x57 错误代码
Posted
技术标签:
【中文标题】Win 64bit GetThreadContext 返回归零的寄存器,或 0x57 错误代码【英文标题】:Win 64bit GetThreadContext returns zeroe'd out registers, or 0x57 errorcode 【发布时间】:2013-07-04 11:01:35 【问题描述】:我正在使用 Windows 7 64 位机器(我有管理员权限)。
我正在使用 Python 2.7(64 位)和 PyDev ctypes for Eclipse 来尝试读取与特定 PID 关联的所有线程中的寄存器值(尝试了在 64 位和 32 位模式下运行的进程的 PID),但是当我这样做时,寄存器的值全部归零。当我使用Wow64GetThreadContext 时,调用失败,GetLastError 返回 0x00000057(根据 MSDN 的“无效参数”)
我成功地附加到进程,枚举线程(通过CreateToolhelp32Snapshot),找到具有适当PID 的进程拥有的线程,并尝试获取线程上下文。这是我打开线程并获取线程上下文的代码:
打开一个线程:
def open_thread(self, thread_id):
h_thread = kernel32.OpenThread(THREAD_ALL_ACCESS, None, thread_id)
获取上下文:
def get_thread_context(self, thread_id = None, h_thread = None):
context = CONTEXT()
context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS
#alternatively, for 64
context64 = WOW64_CONTEXT()
context64.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS
#Obtain a handle to the thread
if h_thread is None:
self.h_thread = self.open_thread(thread_id)
kernel32.SuspendThread(self.h_thread)
if kernel32.GetThreadContext(self.h_thread, byref(context)):
kernel32.ResumeThread(self.h_thread)
return context
else:
kernel32.ResumeThread(self.h_thread)
return False
我使用以下代码调用此代码:
debugger.attach(int(pid))
#debugger.run()
list = debugger.enumerate_threads()
for thread in list:
thread_context = debugger.get_thread_context(thread)
if thread_context == False:
print "[*] Thread context is false..."
else:
print "[*] Dumping registers for thread ID: 0x%08x" % thread
print "[**] Eip: 0x%016x" % thread_context.Eip
print "[**] Esp: 0x%016x" % thread_context.Esp
print "[**] Ebp: 0x%016x" % thread_context.Ebp
print "[**] Eax: 0x%016x" % thread_context.Eax
print "[**] Ebx: 0x%016x" % thread_context.Ebx
print "[**] Ecx: 0x%016x" % thread_context.Ecx
print "[**] Edx: 0x%016x" % thread_context.Edx
print "[*] End DUMP"
debugger.detach()
当我使用 GetThreadContext 和 CONTEXT 结构运行此代码时,我为每个线程取回了上下文对象,但寄存器值全为零。
我尝试将GetThreadContext 替换为Wow64GetThreadContext(以及分别将SuspendThread 替换为Wow64SuspendThread),但是当我这样做时,调用失败并出现错误“参数无效”。我提供给Wow64GetThreadContext 的参数与我提供给GetThreadContext 的参数相同,除了我提供的代码中的变量名称(这是因为当我在 WinNT.h 中查看它们的定义时,它们是等价的(除非我遗漏了什么)。我已经通过以下方式定义了这些结构:
class WOW64_CONTEXT(Structure):
_fields_ = [
("ContextFlags", DWORD),
("Dr0", DWORD),
("Dr1", DWORD),
("Dr2", DWORD),
("Dr3", DWORD),
("Dr6", DWORD),
("Dr7", DWORD),
("FloatSave", WOW64_FLOATING_SAVE_AREA),
("SegGs", DWORD),
("SegFs", DWORD),
("SegEs", DWORD),
("SegDs", DWORD),
("Edi", DWORD),
("Esi", DWORD),
("Ebx", DWORD),
("Edx", DWORD),
("Ecx", DWORD),
("Eax", DWORD),
("Ebp", DWORD),
("Eip", DWORD),
("SegCs", DWORD),
("EFlags", DWORD),
("Esp", DWORD),
("SegSs", DWORD),
("ExtendedRegisters", BYTE * 512),
]
class WOW64_FLOATING_SAVE_AREA(Structure):
_fields_ = [
("ControlWord", DWORD),
("StatusWord", DWORD),
("TagWord", DWORD),
("ErrorOffset", DWORD),
("ErrorSelector", DWORD),
("DataOffset", DWORD),
("DataSelector", DWORD),
("RegisterArea", BYTE * 80),
("Cr0NpxState", DWORD),
]
class CONTEXT(Structure):
_fields_ = [
("ContextFlags", DWORD),
("Dr0", DWORD),
("Dr1", DWORD),
("Dr2", DWORD),
("Dr3", DWORD),
("Dr6", DWORD),
("Dr7", DWORD),
("FloatSave", FLOATING_SAVE_AREA),
("SegGs", DWORD),
("SegFs", DWORD),
("SegEs", DWORD),
("SegDs", DWORD),
("Edi", DWORD),
("Esi", DWORD),
("Ebx", DWORD),
("Edx", DWORD),
("Ecx", DWORD),
("Eax", DWORD),
("Ebp", DWORD),
("Eip", DWORD),
("SegCs", DWORD),
("EFlags", DWORD),
("Esp", DWORD),
("SegSs", DWORD),
("ExtendedRegisters", BYTE * 512),
]
class FLOATING_SAVE_AREA(Structure):
_fields_ = [
("ControlWord", DWORD),
("StatusWord", DWORD),
("TagWord", DWORD),
("ErrorOffset", DWORD),
("ErrorSelector", DWORD),
("DataOffset", DWORD),
("DataSelector", DWORD),
("RegisterArea", BYTE * 80),
("Cr0NpxState", DWORD),
]
我已经在这个问题上进行了大量的谷歌搜索,并尝试了以下方法无济于事:
根据 MSDN 上的评论:CONTEXT_FULL 应该是
CONTEXT_AMD64 | CONTEXT_CONTROL | CONTEXT_INTEGER |
CONTEXT_FLOATING_POINT 可以在 Win64 下正常使用。
我尝试重命名我的 CONTEXT 和 WOW_64CONTEXT 中的寄存器 通过将寄存器名称中的“E”替换为“R”(Eax -> 拉克斯等)
有没有其他人使用 Python 和 ctypes 成功获取 Windows 上 64 位线程的上下文?
【问题讨论】:
@cghlke 是的,我只是尝试过,但无济于事。我仍然看到 0x57 错误代码。 go4answers.webhost4life.com/Example/… : google 结果 (0x57 = 87) 表明这不太可能与 Python 相关 我同意。有谁知道如何解决这个问题,或者上面发布的代码是否不正确/不完整? 【参考方案1】:检查 ContextFlags 常量的值。我从 python 模块 win32con 获得的值错过了与架构相关的位。这是我的 WinNT.h 的摘录(来自 Windows SDK Server2003SP1):
#define CONTEXT_AMD64 0x100000
// end_wx86
#define CONTEXT_CONTROL (CONTEXT_AMD64 | 0x1L)
#define CONTEXT_INTEGER (CONTEXT_AMD64 | 0x2L)
#define CONTEXT_SEGMENTS (CONTEXT_AMD64 | 0x4L)
#define CONTEXT_FLOATING_POINT (CONTEXT_AMD64 | 0x8L)
#define CONTEXT_DEBUG_REGISTERS (CONTEXT_AMD64 | 0x10L)
#define CONTEXT_FULL (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_FLOATING_POINT)
#define CONTEXT_ALL (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS)
[...]
#define CONTEXT_i386 0x00010000 // this assumes that i386 and
#define CONTEXT_i486 0x00010000 // i486 have identical context records
// end_wx86
#define CONTEXT_CONTROL (CONTEXT_i386 | 0x00000001L) // SS:SP, CS:IP, FLAGS, BP
#define CONTEXT_INTEGER (CONTEXT_i386 | 0x00000002L) // AX, BX, CX, DX, SI, DI
#define CONTEXT_SEGMENTS (CONTEXT_i386 | 0x00000004L) // DS, ES, FS, GS
#define CONTEXT_FLOATING_POINT (CONTEXT_i386 | 0x00000008L) // 387 state
#define CONTEXT_DEBUG_REGISTERS (CONTEXT_i386 | 0x00000010L) // DB 0-3,6,7
#define CONTEXT_EXTENDED_REGISTERS (CONTEXT_i386 | 0x00000020L) // cpu specific extensions
#define CONTEXT_FULL (CONTEXT_CONTROL | CONTEXT_INTEGER |\
CONTEXT_SEGMENTS)
#define CONTEXT_ALL (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS)
如果它不适合您,请检查您的 Windows 版本的 WinNT.h。
【讨论】:
【参考方案2】:我也有这个问题,我现在有这个工作,我假设这是来自 Grey Hat python 书,经过多次谷歌搜索,Wow64GetThreadContext 似乎用于在 64 位系统上检索 32 位线程上下文,我使用了原始的 GetThreadContext 函数,但我传递了一个 Wow64Context 结构,定义如下:
class M128A(Structure):
_fields_ = [
("Low", DWORD64),
("High", DWORD64)
]
class XMM_SAVE_AREA32(Structure):
_pack_ = 1
_fields_ = [
('ControlWord', WORD),
('StatusWord', WORD),
('TagWord', BYTE),
('Reserved1', BYTE),
('ErrorOpcode', WORD),
('ErrorOffset', DWORD),
('ErrorSelector', WORD),
('Reserved2', WORD),
('DataOffset', DWORD),
('DataSelector', WORD),
('Reserved3', WORD),
('MxCsr', DWORD),
('MxCsr_Mask', DWORD),
('FloatRegisters', M128A * 8),
('XmmRegisters', M128A * 16),
('Reserved4', BYTE * 96)
]
class DUMMYSTRUCTNAME(Structure):
_fields_=[
("Header", M128A * 2),
("Legacy", M128A * 8),
("Xmm0", M128A),
("Xmm1", M128A),
("Xmm2", M128A),
("Xmm3", M128A),
("Xmm4", M128A),
("Xmm5", M128A),
("Xmm6", M128A),
("Xmm7", M128A),
("Xmm8", M128A),
("Xmm9", M128A),
("Xmm10", M128A),
("Xmm11", M128A),
("Xmm12", M128A),
("Xmm13", M128A),
("Xmm14", M128A),
("Xmm15", M128A)
]
class DUMMYUNIONNAME(Union):
_fields_=[
("FltSave", XMM_SAVE_AREA32),
("DummyStruct", DUMMYSTRUCTNAME)
]
class CONTEXT64(Structure):
_pack_ = 16
_fields_ = [
("P1Home", DWORD64),
("P2Home", DWORD64),
("P3Home", DWORD64),
("P4Home", DWORD64),
("P5Home", DWORD64),
("P6Home", DWORD64),
("ContextFlags", DWORD),
("MxCsr", DWORD),
("SegCs", WORD),
("SegDs", WORD),
("SegEs", WORD),
("SegFs", WORD),
("SegGs", WORD),
("SegSs", WORD),
("EFlags", DWORD),
("Dr0", DWORD64),
("Dr1", DWORD64),
("Dr2", DWORD64),
("Dr3", DWORD64),
("Dr6", DWORD64),
("Dr7", DWORD64),
("Rax", DWORD64),
("Rcx", DWORD64),
("Rdx", DWORD64),
("Rbx", DWORD64),
("Rsp", DWORD64),
("Rbp", DWORD64),
("Rsi", DWORD64),
("Rdi", DWORD64),
("R8", DWORD64),
("R9", DWORD64),
("R10", DWORD64),
("R11", DWORD64),
("R12", DWORD64),
("R13", DWORD64),
("R14", DWORD64),
("R15", DWORD64),
("Rip", DWORD64),
("DebugControl", DWORD64),
("LastBranchToRip", DWORD64),
("LastBranchFromRip", DWORD64),
("LastExceptionToRip", DWORD64),
("LastExceptionFromRip", DWORD64),
("DUMMYUNIONNAME", DUMMYUNIONNAME),
("VectorRegister", M128A * 26),
("VectorControl", DWORD64)
]
当然,我还没有检查寄存器中返回的值是正确的还是只是垃圾,但是值在那里而不是 0x00000000 或错误 0x57 的事实令人放心。
访问寄存器仍然是通过thread_context.Rip等,而不是eip
【讨论】:
请注意,这不是 WOW64 上下文,而是 64 位上下文。 WOW64 上下文用于从 64 位应用程序访问 32 位进程的线程上下文。【参考方案3】:您的主要问题是 WOW64 实际上是 32 位上下文,而不是 64 位。你需要实现一个64位的结构,类似这样:
class CONTEXT64(Structure):
_pack_ = 16
_fields_ = [
("P1Home", DWORD64),
("P2Home", DWORD64),
("P3Home", DWORD64),
("P4Home", DWORD64),
("P5Home", DWORD64),
("P6Home", DWORD64),
("ContextFlags", DWORD),
("MxCsr", DWORD),
("SegCs", WORD),
("SegDs", WORD),
("SegEs", WORD),
("SegFs", WORD),
("SegGs", WORD),
("SegSs", WORD),
("EFlags", DWORD),
("Dr0", DWORD64),
("Dr1", DWORD64),
("Dr2", DWORD64),
("Dr3", DWORD64),
("Dr6", DWORD64),
("Dr7", DWORD64),
("Rax", DWORD64),
("Rcx", DWORD64),
("Rdx", DWORD64),
("Rbx", DWORD64),
("Rsp", DWORD64),
("Rbp", DWORD64),
("Rsi", DWORD64),
("Rdi", DWORD64),
("R8", DWORD64),
("R9", DWORD64),
("R10", DWORD64),
("R11", DWORD64),
("R12", DWORD64),
("R13", DWORD64),
("R14", DWORD64),
("R15", DWORD64),
("Rip", DWORD64),
("DebugControl", DWORD64),
("LastBranchToRip", DWORD64),
("LastBranchFromRip", DWORD64),
("LastExceptionToRip", DWORD64),
("LastExceptionFromRip", DWORD64),
("DUMMYUNIONNAME", DUMMYUNIONNAME),
("VectorRegister", M128A * 26),
("VectorControl", DWORD64)
]
注意:此定义位于 WinNT.h 中——如果您安装了 VC++,它将位于安装它的 /include 目录中。
一旦谁构建了这个结构,你就可以使用它来代替你已经构建的 CONTEXT / WOW64 CONTEXT。您还必须显然将寄存器更改为 RAX 等。
(注意:您还必须在 Python ctypes 中实现 4 项其他内容:DWORD64、M128A、DUMMYUNIONNAME、DUMMYSTRUCTNAME 和 XMM_SAVE_AREA32。为简洁起见,我已将它们排除在外,但您可以在下面找到它们的定义自己建造的地点:
DWORD64:只是一个 c_ulonglong
DUMMYUNIONNAME, DUMMYSTRUCTNAME:在 WinNT.h 中的 _CONTEXT 结构中
M128A:http://winappdbg.sourceforge.net/doc/v1.3/winappdbg.win32.defines.M128A-class.html
XMM_SAVE_AREA32:http://winappdbg.sourceforge.net/doc/v1.3/winappdbg.win32.context_amd64.XMM_SAVE_AREA32-class.html
【讨论】:
您还需要检查您的目标进程是32位还是64位。如果您是 64 位进程并且您的目标是 32 位,则使用 Wow64GetThreadContext 并传入 WOW64_CONTEXT。如果您是 64 位进程并且您的目标是 64 位,则使用 GetThreadContext 并传入 64 位 CONTEXT(如上)。如果您是 32 位进程并且您的目标是 32 位,则使用 GetThreadContext 并传入 32 位 CONTEXT(与 WOW64_CONTEXT 相同)。如果您是 32 位进程,而您的目标是 64 位,我认为您不走运。以上是关于Win 64bit GetThreadContext 返回归零的寄存器,或 0x57 错误代码的主要内容,如果未能解决你的问题,请参考以下文章
为啥在 Win7 64bit 中不能通过 'ntQuerySystemInformation' 获取超过 65535 的进程 ID?