灰帽子Python 学习记录 6

啊啊啊啊啊今天搞了一天总算tm搞定了

topic：软件中断INT3

首先回顾一下理论原理。INT3中断就是将断点位置的操作码的第一个字符替换为CC，然后将原来的字符保存起来。这样遇到CC开头的就会停下，等中断处理完后再用原来的字符替换回去。

实验：运行print_loop.py，里面的内容为一个死循环，不断地调用msvcrt里的printf函数打印数据。然后找到printf函数的地址，在该处设置软件中断

这里需要用到的api有：

GetModuleHandle：通过dll的名字来获取模块的handle
GetProcAddress：通过handle以及函数名来找到对应函数的地址
ReadProcessMemory：对目标进程的内存进行读取操作
WriteProcessMemory：对目标进程的内存进行写入操作

然后遇到的问题如下：
1. 一开始attach python.exe的时候，一直报50号错误。原因：我装的python3.4为32位的。cmd里调用的python却是之前装的64位python2.7，而32位调试器是没法调试64位程序的。后来手动把print_loop.py放到python34文件夹下调用解决。
2. printf打印出的什么东西，都是L，嗯嗯，跟前面说的一样，换成wprintf
3. GetModuleHandleA不能获取handle。哎，又是宽字符你懂的，改成GetModuleHandleW
4. GetProcAddress不能获取函数地址。这个函数没有A和W的后缀，但是输入参数里的函数名也是字符串，所以还是要转化为byte编码，输入为func_resolve("msvcrt.dll",b"wprintf")
5. c_data = c_char_p((data[count.value:])) 报错：

TypeError: bytes
or integer address expected instead of str instance

这个搞了我好久，原因还是一样，呵呵，data是输入的一个字符串"\xCC"，python3默认宽字符编码，转化为byte编码就行了。b"\xCC"

最后贴一下实验结果：
Enter pid:282432

OpenProcess Successful, HANDLE 512

Get Module Handle 1963786240

Get Address: 0x75147960

[*]Address of wprintf: 0x75147960

[*] Setting breakpoint at: 0x75147960

Event Code: 3 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 2 Thread ID: 266556

Event Code: 2 Thread ID: 271532

Event Code: 2 Thread ID: 292040

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 6 Thread ID: 261240

Event Code: 2 Thread ID: 263080

Event Code: 1 Thread ID: 263080

[*] Exception address: 0x77e68d20

[*] Hit the first breakpoint.

Event Code: 4 Thread ID: 263080

Event Code: 1 Thread ID: 261240

[*] Exception address: 0x75147960

[*] Hit user defined breakpoint.

Event Code: 2 Thread ID: 307348

Event Code: 2 Thread ID: 262828

Event Code: 4 Thread ID: 292040

Event Code: 4 Thread ID: 271532

Event Code: 4 Thread ID: 266556

Event Code: 2 Thread ID: 277180

Event Code: 4 Thread ID: 262828

Event Code: 4 Thread ID: 307348

可以看到它找到了wprintf函数的地址0x75147960，随后捕捉并处理（就是打印了出来）了该位置发生的中断。

今天的6个小时告诉我，用python3的字符串一定要记得转换编码