Gray Hat Python study notes 4
2016-05-15 22:44
I was busy all day, plus some other things came up, but luckily I felt a bit guilty in the evening and still squeezed out half an hour to work on this.
The topic of this post is reading the CPU register values; the steps are as follows:
1. CreateToolhelp32Snapshot: takes a pid and captures detailed information about the process, such as heaps, threads and modules; the return value is a handle
2. Thread32First: using the handle from step 1, obtains a pointer to the structure holding the first thread's information
3. Thread32Next: the entry for the next thread, with the same structure as First; with this you can write a while loop that walks every thread in the process
4. GetThreadContext: reads the register values
5. SetThreadContext: changes the register values
For now nothing is changed; only steps 1 to 4 are done.
Experimenting on Notepad++, the result is as follows:
Enter pid:75160
OpenProcess Successful, HANDLE 484
Press AnyKey to Continue ...
[*] Dumping registers for thread ID: 0x00016970
[**] EIP: 0x75c5896c
[**] ESP: 0x0013aec0
[**] EBP: 0x0013aed8
[**] EAX: 0x00000000
[**] EBX: 0x0064be01
[**] ECX: 0x00000000
[**] EDX: 0x00000000
[*] END DUMP
[*] Dumping registers for thread ID: 0x00027494
[**] EIP: 0x77e66bfc
[**] ESP: 0x081cf988
[**] EBP: 0x081cf9f8
[**] EAX: 0x00000000
[**] EBX: 0x77be67a0
[**] ECX: 0x00000000
[**] EDX: 0x00000000
[*] END DUMP
[*] Dumping registers for thread ID: 0x0001240c
[**] EIP: 0x77e66bfc
[**] ESP: 0x0844f9a8
[**] EBP: 0x0844fa18
[**] EAX: 0x00000000
[**] EBX: 0x00000434
[**] ECX: 0x00000000
[**] EDX: 0x00000000
[*] END DUMP
[*] Dumping registers for thread ID: 0x000137a4
[**] EIP: 0x77e66f1c
[**] ESP: 0x0a71fe8c
[**] EBP: 0x0a71fef0
[**] EAX: 0x00000000
[**] EBX: 0x0a71fecc
[**] ECX: 0x00000000
[**] EDX: 0x00000000
[*] END DUMP
[*] Dumping registers for thread ID: 0x00056ca4
[**] EIP: 0x77e6876c
[**] ESP: 0x0062fb34
[**] EBP: 0x0062fcec
[**] EAX: 0x00000000
[**] EBX: 0x00678390
[**] ECX: 0x00000000
[**] EDX: 0x00000000
[*] END DUMP
[*] Dumping registers for thread ID: 0x00058fe0
[**] EIP: 0x77e6718c
[**] ESP: 0x009ffa60
[**] EBP: 0x009ffbf0
[**] EAX: 0x00000244
[**] EBX: 0x00000000
[**] ECX: 0x00000000
[**] EDX: 0x00000000
[*] END DUMP
[*] Dumping registers for thread ID: 0x00006778
[**] EIP: 0x77e6718c
[**] ESP: 0x010ff6d4
[**] EBP: 0x010ff864
[**] EAX: 0x00000560
[**] EBX: 0x00000000
[**] ECX: 0x00000000
[**] EDX: 0x00000000
[*] END DUMP
[*] Dumping registers for thread ID: 0x000574dc
[**] EIP: 0x77e6718c
[**] ESP: 0x0329fb58
[**] EBP: 0x0329fce8
[**] EAX: 0x000005e0
[**] EBX: 0x00000000
[**] ECX: 0x00000000
[**] EDX: 0x00000000
[*] END DUMP
[*] Dumping registers for thread ID: 0x00057738
[**] EIP: 0x77e6876c
[**] ESP: 0x0382fb54
[**] EBP: 0x0382fd0c
[**] EAX: 0x00000000
[**] EBX: 0x00677fe0
[**] ECX: 0x00000000
[**] EDX: 0x00000000
[*] END DUMP
[*] Dumping registers for thread ID: 0x00057724
[**] EIP: 0x77e6718c
[**] ESP: 0x0399f5b0
[**] EBP: 0x0399f740
[**] EAX: 0x000005f8
[**] EBX: 0x00000000
[**] ECX: 0x00000000
[**] EDX: 0x00000000
[*] END DUMP
[*] Dumping registers for thread ID: 0x0000b8c0
[**] EIP: 0x77e68f00
[**] ESP: 0x0311f854
[**] EBP: 0x00000000
[**] EAX: 0x77e99d20
[**] EBX: 0x00000000
[**] ECX: 0x00000000
[**] EDX: 0x00000000
[*] END DUMP
[*] Finished debugging. Exiting...
There are actually 11 threads.
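An added example (my own code, not the page's or the book's) that carries steps 1 to 4 through in Python with ctypes and renders the result in the same layout as the dump above. It assumes 32-bit Python on Windows inspecting a 32-bit process, which is what the page's EIP/ESP registers imply; the structure definitions and the dump formatter load on any platform, and only the two functions that call into kernel32 are Windows-only.

```python
import ctypes
U, I, B = ctypes.c_uint32, ctypes.c_int32, ctypes.c_ubyte   # fixed 4-byte DWORD/LONG, as in the Win32 x86 headers
TH32CS_SNAPTHREAD, THREAD_ALL_ACCESS = 0x00000004, 0x001F03FF
CONTEXT_FULL, CONTEXT_DEBUG_REGISTERS = 0x00010007, 0x00010010   # x86 values

class FLOATING_SAVE_AREA(ctypes.Structure):
    _fields_ = [(n, U) for n in ("ControlWord", "StatusWord", "TagWord", "ErrorOffset",
                "ErrorSelector", "DataOffset", "DataSelector")] + [("RegisterArea", B * 80), ("Cr0NpxState", U)]

class CONTEXT(ctypes.Structure):   # 32-bit x86 CONTEXT, 716 bytes
    _fields_ = ([(n, U) for n in ("ContextFlags", "Dr0", "Dr1", "Dr2", "Dr3", "Dr6", "Dr7")]
                + [("FloatSave", FLOATING_SAVE_AREA)]
                + [(n, U) for n in ("SegGs", "SegFs", "SegEs", "SegDs", "Edi", "Esi", "Ebx", "Edx",
                                    "Ecx", "Eax", "Ebp", "Eip", "SegCs", "EFlags", "Esp", "SegSs")]
                + [("ExtendedRegisters", B * 512)])

class THREADENTRY32(ctypes.Structure):
    _fields_ = [("dwSize", U), ("cntUsage", U), ("th32ThreadID", U), ("th32OwnerProcessID", U),
                ("tpBasePri", I), ("tpDeltaPri", I), ("dwFlags", U)]

def enumerate_threads(pid):
    k32 = ctypes.windll.kernel32      # Windows only; resolved at call time so the module imports anywhere
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, pid)   # step 1
    if snap == -1:                    # INVALID_HANDLE_VALUE
        return []
    entry, tids = THREADENTRY32(dwSize=ctypes.sizeof(THREADENTRY32)), []
    ok = k32.Thread32First(snap, ctypes.byref(entry))             # step 2
    while ok:                         # the snapshot is system-wide: keep only threads owned by pid
        if entry.th32OwnerProcessID == pid:
            tids.append(entry.th32ThreadID)
        ok = k32.Thread32Next(snap, ctypes.byref(entry))          # step 3
    k32.CloseHandle(snap)
    return tids

def get_thread_context(tid):
    k32 = ctypes.windll.kernel32
    ctx = CONTEXT(ContextFlags=CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS)
    h = k32.OpenThread(THREAD_ALL_ACCESS, False, tid)
    if not h:
        return None
    ok = k32.GetThreadContext(h, ctypes.byref(ctx))               # step 4
    k32.CloseHandle(h)
    return ctx if ok else None

def format_dump(tid, ctx):
    lines = ["[*] Dumping registers for thread ID: 0x%08x" % tid]
    for reg in ("Eip", "Esp", "Ebp", "Eax", "Ebx", "Ecx", "Edx"):
        lines.append("[**] %s: 0x%08x" % (reg.upper(), getattr(ctx, reg)))
    return lines + ["[*] END DUMP"]
```

Call get_thread_context only while the target is stopped (the run above does it with the debugger attached) or after suspending the thread; a context read from a running thread is just a momentary sample. Opening another process's threads with THREAD_ALL_ACCESS is exactly the cross-process access that endpoint monitoring records, so expect such runs to show up in logs.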