
pythonforwindows's Issues

PythonForWindows & python 3

Hello,

Thank you for this project 👍

For information, do you know when a python 3 version will be released?

Regards,

mistake done while porting PythonForWindows from python2 to python3

I have an issue with this library. In order to keep it simple I minimized the code with an example from PythonForWindows.
The following code works on python2:

import ctypes
import windows
from windows.dbgprint import dbgprint
from windows.generated_def import PROCESS_INFORMATION, STARTUPINFOA


def create_process(path, args=None, dwCreationFlags=0, show_windows=True):
    """A convenient wrapper around :func:`windows.winproxy.CreateProcessA`"""
    proc_info = PROCESS_INFORMATION()
    lpStartupInfo = None
    if show_windows:
        StartupInfo = STARTUPINFOA()
        StartupInfo.cb = ctypes.sizeof(StartupInfo)
        StartupInfo.dwFlags = 0
        lpStartupInfo = ctypes.byref(StartupInfo)
    lpCommandLine = None
    if args:
        lpCommandLine = (b" ".join([a for a in args]))
    windows.winproxy.CreateProcessA(path, lpCommandLine=lpCommandLine, dwCreationFlags=dwCreationFlags, lpProcessInformation=ctypes.byref(proc_info), lpStartupInfo=lpStartupInfo)
    dbgprint("CreateProcessA new process handle {:#x}".format(proc_info.hProcess), "HANDLE")
    dbgprint("CreateProcessA new thread handle {:#x}".format(proc_info.hThread), "HANDLE")
    dbgprint("Automatic close of thread handle {:#x}".format(proc_info.hThread), "HANDLE")
    windows.winproxy.CloseHandle(proc_info.hThread)  # Give access to a WinThread in addition of the WinProcess ?
    return windows.winobject.process.WinProcess(pid=proc_info.dwProcessId, handle=proc_info.hProcess)

create_process("C:/Users/MYNAME-TRUNCATED/Desktop/coucou-printf.exe")

I can see the expected output ("hello world").

Sadly, launched with python3.9, the same code returns:

  File "C:\Users\MYNAME-TRUNCATED\PycharmProjects\pythonProject\main.py", line 26, in <module>
    create_process("C:/Users/MYNAME-TRUNCATED/Desktop/coucou-printf.exe")
  File "C:\Users\MYNAME-TRUNCATED\PycharmProjects\pythonProject\main.py", line 19, in create_process
    windows.winproxy.CreateProcessA(path, lpCommandLine=lpCommandLine, dwCreationFlags=dwCreationFlags, lpProcessInformation=ctypes.byref(proc_info), lpStartupInfo=lpStartupInfo)
  File "C:\Users\MYNAME-TRUNCATED\PycharmProjects\pythonProject\venv\lib\site-packages\windows\winproxy\apis\kernel32.py", line 50, in CreateProcessA
    return CreateProcessA.ctypes_function(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation)
  File "C:\Users\MYNAME-TRUNCATED\PycharmProjects\pythonProject\venv\lib\site-packages\windows\winproxy\apiproxy.py", line 99, in perform_call
    return self._cprototyped(*args)
ctypes.ArgumentError: argument 1: <class 'TypeError'>: wrong type

Process finished with exit code 1

Then I realized that we have to fix this issue in this library in order to fix my issue in my project.

[DOC] FunctionCallBP not documented

The class windows.debug.FunctionCallBP (breakpoints.py) does not seem to be documented. It is the parent class of windows.debug.FunctionBP. This class is useful when putting a breakpoint "by hand" at the start of a function and wanting to manipulate its return value when we do not have symbols or do not know the arguments of the function. A simple example and documentation could be a potential improvement for this.

x86 Test Instruction encoding does not match specification

Hi, I'm not an expert but I think the definition of the Test instruction does not match the x86 documentation.
https://en.wikipedia.org/wiki/X86_instruction_listings#Original_8086/8088_instructions

Instruction   Meaning                  Notes                              Opcode
TEST          Logical compare (AND)    (1) r/m & r/imm; (2) r & m/imm;    0x84, 0x84, 0xA8, 0xA9, 0xF6/0, 0xF7/0

class Test(Instruction):
    encoding = [(RawBits.from_int(8, 0xf7), Slash(7), Imm32()),
                (RawBits.from_int(8, 0x85), ModRM([ModRM_REG__REG, ModRM_REG__MEM], has_direction_bit=False))]

I think it should be (notice Slash(0))

class Test(Instruction):
    encoding = [(RawBits.from_int(8, 0xf7), Slash(0), Imm32()),
                (RawBits.from_int(8, 0x85), ModRM([ModRM_REG__REG, ModRM_REG__MEM], has_direction_bit=False))]

Snippet:
x86.Test("EBX", 0x01) should produce: f7c3 0100 0000

Again, as I said, I'm not an expert, but if I'm right it should be fixed for x64 too, I guess.

Is there something wrong in thread.teb_base?

My Windows is 64-bit, and when running a 64-bit process, thread.teb_base is okay.
But when I run a 32-bit process, thread.teb_base is wrong, because it is not the same as the x32dbg result:
My code result: [screenshot]

x32dbg view: [screenshot]

My python code:

import windows

targetProcess = None
processList = windows.system.enumerate_processes()
for process in processList:
    print("process name:", process.name)
    # HWorks32.exe
    if process.name == "HWorks32.exe":
        targetProcess = process

threadList = targetProcess.threads

for thread in threadList:
    teb = thread.teb_base
    print("teb:", hex(teb))

I am sure the x32dbg result is true, because I actually want to get stackBaseAddress from the teb:

stackBaseAddress = process.read_ptr(teb + 4)

The above code would get a 0x0 stackBaseAddress and would throw an exception if I read it, but in x32dbg, when I search it manually, the result is okay.

And you can see that the difference between the x32dbg teb and my code's result is 0x2000! It means that I can add 0x2000 to every teb in my code and get the true teb!

Getting PEB on ARM64 fails with error code 0xc000001d

Hello,

Sorry if this package is not intended for ARM64, but I had to use it on that architecture and unfortunately I got some errors.

When trying to get the PEB for a process, I get the following error:

  File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 18, in prop
    return getattr(self, cache_name)
AttributeError: 'WinProcess' object has no attribute '_bitness'. Did you mean: 'bitness'?

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 18, in prop
    return getattr(self, cache_name)
AttributeError: 'WinProcess' object has no attribute '_is_wow_64'. Did you mean: 'is_wow_64'?

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 18, in prop
    return getattr(self, cache_name)
AttributeError: 'CurrentProcess' object has no attribute '_peb'. Did you mean: 'peb'?

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<pyshell#1>", line 1, in <module>
    peb = windows.WinProcess(5148).peb
  File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 1155, in peb
    if windows.current_process.bitness == 64 and self.bitness == 32:
  File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 20, in prop
    setattr(self, cache_name, f(self))
  File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 84, in bitness
    if self.is_wow_64:
  File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 20, in prop
    setattr(self, cache_name, f(self))
  File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 74, in is_wow_64
    return utils.is_wow_64(self.limited_handle)
  File "C:\Python311\Lib\site-packages\windows\utils\winutils.py", line 41, in is_wow_64
    fnIsWow64Process = get_func_addr("kernel32.dll", "IsWow64Process")
  File "C:\Python311\Lib\site-packages\windows\utils\winutils.py", line 24, in get_func_addr
    modules = windows.current_process.peb.modules
  File "C:\Python311\Lib\site-packages\windows\utils\pythonutils.py", line 20, in prop
    setattr(self, cache_name, f(self))
  File "C:\Python311\Lib\site-packages\windows\winobject\process.py", line 649, in peb
    return PEB.from_address(self.get_peb_builtin()())
OSError: [WinError -1073741795] Windows Error 0xc000001d

From what I can see, the PEB is retrieved from FS:[0x30] on Win32 and from GS:[0x60] on x64. However, for ARM64, a __getReg(18) on 0x60 would be needed.

https://gist.github.com/ReneNyffenegger/74d1416242750e002ba4bb8fb1f4681e

https://vuls.cert.org/confluence/pages/viewpage.action?pageId=90210320#Creatingaarch64(ARM64)WindowsShellcode:Part2ASLRsupport-GettingtheTEBonARM64

Could you please add this code for getting the PEB on ARM64?

Thank you!

wrong type error occurred when I run query_sacl.py with python3

A wrong type error occurred when I ran https://github.com/hakril/PythonForWindows/blob/master/samples/security/query_sacl.py with python3

[NO-PRIV] Querying <C:\windows\notepad.exe> SecurityDescriptor without SACL
Traceback (most recent call last):
  File "test.py", line 11, in <module>
    sd = windows.security.SecurityDescriptor.from_filename(TARGET)
  File "C:\Users\admin\AppData\Local\Programs\Python\Python38\lib\site-packages\pythonforwindows-0.6.0-py3.8.egg\windows\security.py", line 877, in from_filename
    return cls._from_name_and_type(filename, gdef.SE_FILE_OBJECT, flags=flags, query_sacl=query_sacl)
  File "C:\Users\admin\AppData\Local\Programs\Python\Python38\lib\site-packages\pythonforwindows-0.6.0-py3.8.egg\windows\security.py", line 823, in _from_name_and_type
    winproxy.GetNamedSecurityInfoA(
  File "C:\Users\admin\AppData\Local\Programs\Python\Python38\lib\site-packages\pythonforwindows-0.6.0-py3.8.egg\windows\winproxy\apis\advapi32.py", line 176, in GetNamedSecurityInfoA
    return GetNamedSecurityInfoA.ctypes_function(pObjectName, ObjectType, SecurityInfo, ppsidOwner, ppsidGroup, ppDacl, ppSacl, ppSecurityDescriptor)
  File "C:\Users\admin\AppData\Local\Programs\Python\Python38\lib\site-packages\pythonforwindows-0.6.0-py3.8.egg\windows\winproxy\apiproxy.py", line 99, in perform_call
    return self._cprototyped(*args)
ctypes.ArgumentError: argument 1: <class 'TypeError'>: wrong type
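Both this post and the CreateProcessA one above fail the same way: under Python 3 a str is handed to a prototype whose first argument is c_char_p. As an added example (not code from the issues or from PythonForWindows), the block below reproduces that ArgumentError with libc's strlen standing in for the Win32 'A' entry point and shows the encode-to-bytes step the port needs; call_raw, to_ansi and call_ansi are names invented here.

```python
# Added example: the Python 3 str-vs-bytes ArgumentError seen with ctypes
# prototypes that take c_char_p, and the coercion that fixes it.
import ctypes
import ctypes.util
import locale

# strlen() stands in for CreateProcessA / GetNamedSecurityInfoA: any prototype
# whose argtypes contain c_char_p behaves the same way under Python 3.
_libc = ctypes.CDLL(ctypes.util.find_library("c") or None)
strlen = _libc.strlen
strlen.argtypes = [ctypes.c_char_p]
strlen.restype = ctypes.c_size_t


def call_raw(value):
    """Call the prototype with `value` as-is and report what ctypes does."""
    try:
        return ("ok", strlen(value))
    except ctypes.ArgumentError as exc:
        # Python 3: a str is not an acceptable c_char_p argument.
        return ("ArgumentError", str(exc))


def to_ansi(value, encoding=None):
    """Coerce str to bytes for an ANSI ('A') prototype; pass bytes through.

    On Windows the ANSI APIs expect the active code page, which Python exposes
    as the "mbcs" codec; on other platforms fall back to the locale encoding.
    """
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        if encoding is None:
            try:
                "".encode("mbcs")          # only available on Windows
                encoding = "mbcs"
            except LookupError:
                encoding = locale.getpreferredencoding(False)
        return value.encode(encoding)
    raise TypeError("expected str or bytes, got %r" % type(value).__name__)


def call_ansi(value):
    """The porting fix: encode before the call instead of passing the str."""
    return strlen(to_ansi(value))
```

`call_raw("C:\\windows\\notepad.exe")` reports the ArgumentError with the "wrong type" text from the tracebacks, while `call_ansi` on the same str succeeds.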

Bug while deleting the process WinProcess: TypeError: super() argument 1 must be type, not None

At the end of my program that uses an instance of WinProcess, I get this bug:

Exception ignored in: <function Process.__del__ at 0x000001F608807160>
Traceback (most recent call last):
  File "C:\Users\ME\Desktop\pwntools\venv\lib\site-packages\windows\winobject\process.py", line 513, in __del__
TypeError: super() argument 1 must be type, not None

The line in question is super(Process, self).__del__() because the class Process is already cleaned up when it is deleted again.

I see a patch like:

if self is not None:
    super(Process, self).__del__()

An error occurred from python2 to python3


  File "D:\Python39\lib\site-packages\windows\rpc\ndr.py", line 404, in pack
    packed_member = member.pack(memberdata)
  File "D:\Python39\lib\site-packages\windows\rpc\ndr.py", line 279, in pack
    return struct.pack("<I", 0) + str(bytearray(data))
TypeError: can't concat str to bytes
python-BaseException

Implementing new function calls

I see that NtReadFile is missing from the meta file. I want to use this as a decorator for a hook I'm writing, so I'd like to add it.

I copied the same construct of adding this function per 77dad71, but it doesn't seem to find it.

NameError: name 'NtReadFileCallback' is not defined

bug on handle: AttributeError: 'NoneType' object has no attribute 'CloseHandle'

After my program I got

  File "windows\winobject\handle.py", line 117, in __del__
AttributeError: 'NoneType' object has no attribute 'CloseHandle'
Exception ignored in: <function Process.__del__ at 0x000002812A617E50>
Traceback (most recent call last):

I think this is an issue in the library PythonForWindows at the line https://github.com/hakril/PythonForWindows/blob/master/windows/winobject/handle.py#L117 because __del__ is tricky and should be avoided.

I have not yet located the place in my code where the issue occurs. I have to spend time to find it. This could be a typo for _handle.
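Both this post and the "super() argument 1 must be type, not None" post above show a __del__ that runs during interpreter shutdown, after the module globals it relies on (the class name Process, the winproxy module) have been set to None. As an added example (not code from the issues or from PythonForWindows), the block below reproduces both failures by nulling those globals by hand and shows a __del__ written so it survives teardown; _FakeWinproxy, Base, FragileHandle, FragileProcess, RobustProcess and simulate_shutdown are names invented here.

```python
# Added example: why __del__ breaks at interpreter shutdown, and a robust form.
closed = []          # constructed bookkeeping: handles passed to CloseHandle


class _FakeWinproxy:
    """Stand-in for the winproxy module that handle.py calls (hypothetical)."""
    @staticmethod
    def CloseHandle(handle):
        closed.append(handle)
        return True


winproxy = _FakeWinproxy()


class Base:
    def __init__(self, handle):
        self._handle = handle

    def __del__(self):
        pass


class FragileHandle(Base):
    """Pattern from handle.py: `winproxy` is a module global looked up at
    __del__ time; once teardown has set it to None the call fails."""
    def __del__(self):
        winproxy.CloseHandle(self._handle)      # AttributeError on 'NoneType'


class FragileProcess(Base):
    """Pattern from process.py: two-argument super() names the class through
    a module global, which is None during teardown."""
    def __del__(self):
        super(FragileProcess, self).__del__()   # TypeError: argument 1 must be type


class RobustProcess(Base):
    """Bind what __del__ needs at class-definition time, make the cleanup
    idempotent, and use zero-argument super(), which reads the __class__ cell
    instead of a module global."""
    _close = staticmethod(winproxy.CloseHandle)

    def __del__(self):
        handle = getattr(self, "_handle", None)
        if handle is not None:
            self._close(handle)
            self._handle = None                 # a second __del__ is a no-op
        super().__del__()


def simulate_shutdown(cls):
    """Build one object, null the module globals the way interpreter teardown
    does, run __del__ explicitly, and report the exception name or 'ok'."""
    g = globals()
    names = ("FragileHandle", "FragileProcess", "RobustProcess", "winproxy")
    saved = {name: g[name] for name in names}
    obj = cls(0x1234)
    try:
        for name in names:
            g[name] = None
        try:
            obj.__del__()
            return "ok"
        except (TypeError, AttributeError) as exc:
            return type(exc).__name__
    finally:
        g.update(saved)                          # restore before obj is released
```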

[Feature Request] Task manager to find CPU usage

I'm wondering if there are any windows APIs available to monitor the CPU usage and per process CPU, memory, disk usage as shown by the Windows Task Manager. The solution may not be quite straight forward, but this will be a good addition to the library and I really liked the simple interface provided by this library to work with windows from python.

Thanks for the library, and expecting more awesome feature additions.

meeting of the minds..

OK so I can see that you have written wrappers for various portions of the Windows API.
I am also in the process of doing the same... well, sort of. I am not writing wrappers; I am converting the entire Windows 10 SDK to Python.

It can be viewed here.
https://github.com/kdschlosser/pyWinAPI

I am not done with it yet, and I still have quite a bit to do. I thought you may be interested. I have also written a C/C++ code parser. It handles .h and .idl files. It is about 90% accurate in file conversions and it also handles preprocessor macro definitions. The output files do need to be visually inspected and any corrections made. But it sure is a hell of a time saver.

I thought you might want to have a look and maybe you might have some suggestions and comments. I am always looking for feedback.

samples/alpc/simple_alpc.py | TypeError: one character bytes, bytearray or integer expected

It seems like in the file samples/alpc/simple_alpc.py there is an error which causes it not to run.

For one, there are many references to print without parentheses, not sure if this is intended but it does not run without them, so I added them beforehand.

Second, every time I run it unmodified, (apart from the edit as mentioned above) I get this error:

C:\####\pywin\samples\alpc>py simple_alpc.py
[SERV] PORT <\RPC Control\PythonForWindowsPORT> CREATED
Client pid = 2836
[SERV] Message type = 0x200a
[SERV] Received data: <b''>
[SERV] Connection request
[CLIENT] Connected: <windows.alpc.AlpcClient object at 0x000001DFF3AAE7D0>
Traceback (most recent call last):
  File "C:\####\pywin\samples\alpc\simple_alpc.py", line 48, in <module>
    alpc_client()
  File "C:\####\pywin\samples\alpc\simple_alpc.py", line 39, in alpc_client
    response = client.send_receive("Hello world !")
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\####\Python\Python311\site-packages\windows\alpc.py", line 310, in send_receive
    alpc_message.port_message.data = raw_alpc_message
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\####\Python\Python311\site-packages\windows\alpc.py", line 164, in write_data
    self.raw_buffer[self.header_size: self.header_size + len(data)] = data
    ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: one character bytes, bytearray or integer expected

Solution

It seems like you cannot use regular strings with the message data and must instead use bytes.
So, the solution is simply to replace any time msg.data is set with a string with bytes:

    response = client.send_receive(b"Hello world !") # ln 39
    msg.data = str.encode("REQUEST '{0}' DONE".format(msg.data)) # ln 28

End

If you approve this issue, I will create a pull request so that this can be updated.

Upon further examination

It seems like this is related to #38.
The author of the pull request attempts to solve the issue by modifying the alpc.py API, whereas my solution was to modify the sample simple_alpc.py.

fix access to PEB on 64 bits binaries

I have a program that works perfectly when tested on 32-bit binaries but fails on 64-bit ones.

On the 64-bit binary, this part https://github.com/gogo2464/pwintools/blob/port_to_python3/pwintools.py#L562 fails and prints:

[*] ReadProcessMemory: [WinError 299] Seule une partie d’une requête ReadProcessMemory ou WriteProcessMemory a été effectuée.
[*] Process <Process "MYEXE.exe" pid 15236 (DEAD) at 0x15b6a2c00a0> not initialized ...

I think, then, that this is an issue with PythonForWindows.

How to use SetProcessMitigationPolicy?

Hello, I need to port this C++ code to Python. I decided to use your module, but I didn't understand how to use it.
[screenshot of the C++ code]

I tried to make such an implementation, but nothing worked out for me. Could you help me? I would be very grateful!
[screenshot of the attempted Python code]

Python3 get_kernel_modules refcount problem

Hello,

There is apparently a problem with the refcount when getting the modules using the windows.utils.get_kernel_modules function. The _SYSTEM_MODULE64 objects seem not to be kept in memory correctly. This leads to invalid data being retrieved when accessing members of the objects.

The following code allows reproducing the problem:

import windows.utils as wutils
import gc

mods = wutils.get_kernel_modules()

gc.collect() # gc to collect, for more reliable reproduction

print([x.ImageName for x in mods]) # need to do stuff for triggering bug
print([x.ImageName for x in mods])
print([x.ImageName for x in mods])
print("LAST IMAGE NAME: {}".format(mods[0].ImageName))

Python version: Python 3.8.2 (tags/v3.8.2:7b3ab59, Feb 25 2020, 23:03:10) [MSC v.1916 64 bit (AMD64)] on win32, test done using the dev branch commit 5c3b0cd.

winproxy.py missing in dev branch?

Hey,

winproxy.py is not present in the dev branch, is that expected? Is it supposed to be generated?

I added some stuff to kernel32.py, ran generate.py and setup.py but since winproxy.py is missing I am not able to use my newly added functions.

$ python LoadLibrary.py
Traceback (most recent call last):
  File "LoadLibrary.py", line 4, in <module>
    import windows
  File "C:\Python27\lib\site-packages\pythonforwindows-0.4-py2.7.egg\windows\__init__.py", line 19, in <module>
    from windows import winproxy
ImportError: cannot import name winproxy

So I edited setup.py to include windows.winproxy and windows.winproxy.apis to the packages list:

setup(
    # [...]
    packages = ['windows',
                'windows.crypto',
                'windows.debug',
                'windows.generated_def',
                'windows.native_exec',
                'windows.rpc',
                'windows.utils',
                'windows.winobject',
                'windows.winproxy',           # <----- Added package
                'windows.winproxy.apis'],     # <----- Added package
    classifiers = ['Programming Language :: Python :: 2 :: Only',
                   'Programming Language :: Python :: 2.7']
)

Now it works, but I am not sure whether this is the intended way.

Thanks

Idea: External thread trace

Can you implement external thread tracing using OpenThread, GetThreadContext, many threads and a disassembler to stitch together the trace log?

It would be awesome for finding functions in a program with only 1 thread handle. Think function call count etc. All the ways I have seen require you to have a breakpoint at all calls or a module inside the process.

How to correctly assemble hexadecimal float?

Hi, I'm here again. I'm continuing to hack my game, now I am studying how to control the game characters to walk. This part of the work requires the construction of several floating-point stack parameters.

Now I have a new problem. It seems that PythonForWindows cannot assemble floats correctly.

This is my Python code:

    def call_template(self, ebx, arg1=None, arg2=None, arg3=None, arg4=None,
                      arg5=None, arg6=None, arg7=None, arg8=None, arg9=None):
        code = x86.MultipleInstr()
        code += x86.Pushad()
        code += x86.Mov("EBP", "ESP")
        if arg9 is not None:
            code += x86.Push(arg9)
        if arg8 is not None:
            code += x86.Push(arg8)
        if arg7 is not None:
            code += x86.Push(arg7)
        if arg6 is not None:  # fixed: the condition tested arg7 while pushing arg6
            code += x86.Push(arg6)
        if arg5 is not None:
            code += x86.Push(arg5)
        if arg4 is not None:
            code += x86.Push(arg4)
        if arg3 is not None:
            code += x86.Push(arg3)
        if arg2 is not None:
            code += x86.Push(arg2)
        if arg1 is not None:
            code += x86.Push(arg1)
        code += x86.Mov("ECX", address['call_ecx'])
        code += x86.Mov("EBX", ebx)
        code += x86.Call("EBX")
        code += x86.Mov("esp", "ebp")
        code += x86.Popad()
        code += x86.Ret()
        logger.info(f"""asm run""")
        run_asm(code, pid=self.pid)

pos_cur_x = read_addr(address['player_pos_cur_x'], data_type='float')
pos_cur_y = read_addr(address['player_pos_cur_y'], data_type='float')

ebx = address['call_city_go']
arg1 = pos_dst_x
arg2 = read_addr(address['player_pos_cur_x'] + 4, data_type="float")
arg3 = pos_dst_y
arg4 = read_addr(address['player_pos_cur_y'] + 4, data_type="float")
arg5 = get_sin(pos_dst_x, pos_dst_y, pos_cur_x, pos_cur_y)
arg6 = 0
arg7 = get_cos(pos_dst_x, pos_dst_y, pos_cur_x, pos_cur_y)
arg8 = 0
arg9 = read_addr(address['status_base_turn'], data_type="float", offset_list=[0xF4])
print(ebx, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9)
call_template(ebx, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9)

In the game, the game's own stack looks like this (32-bit float):
[screenshot]

But when running the code through Python, the stack parameter becomes a 16-bit unsigned short:
[screenshot]

Debugging in PyCharm, it is still a float variable:
[screenshot]

So, how can I correctly assemble floating-point numbers?

By the way, could you update the version on PyPI? It would be very convenient for users to update.

Thanks.
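A Python float cannot be pushed as-is: a PUSH immediate is an integer, so the caller has to convert the float to its IEEE-754 single-precision bit pattern first. As an added example (not code from the issue or from PythonForWindows), the block below does that conversion, encodes the PUSH so every argument occupies a full 4-byte slot, and models the stack the callee sees so a debugger dump can be checked; float_to_imm32, imm32_to_float, encode_push_imm32, as_imm32, push_args, stack_image and read_float_args are names invented here, and a cdecl-style layout (last argument pushed first, 4-byte slots) is assumed.

```python
# Added example: 32-bit float arguments as PUSH imm32 and the resulting stack.
import struct


def float_to_imm32(value):
    """Bit pattern of a single-precision float, usable as a PUSH immediate."""
    return struct.unpack("<I", struct.pack("<f", value))[0]


def imm32_to_float(bits):
    """Inverse of float_to_imm32 (lets a debugger dump be read back)."""
    return struct.unpack("<f", struct.pack("<I", bits))[0]


def encode_push_imm32(imm):
    """PUSH imm32 -> 68 id. Always the 4-byte form, so each argument occupies
    a full dword slot even when the value would fit the 1-byte 6A ib form."""
    if not 0 <= imm <= 0xFFFFFFFF:
        raise ValueError("imm32 out of range")
    return b"\x68" + imm.to_bytes(4, "little")


def as_imm32(arg):
    """Accept int or float arguments; floats become their IEEE-754 bits,
    ints are truncated to 32 bits (negative ints wrap like the CPU does)."""
    if isinstance(arg, bool) or not isinstance(arg, (int, float)):
        raise TypeError("argument must be int or float")
    if isinstance(arg, float):
        return float_to_imm32(arg)
    return arg & 0xFFFFFFFF


def push_args(args):
    """Machine code pushing `args` right-to-left (cdecl order)."""
    return b"".join(encode_push_imm32(as_imm32(a)) for a in reversed(args))


def stack_image(args):
    """Bytes the callee sees at [ESP+4], [ESP+8], ... after the CALL."""
    return b"".join(struct.pack("<I", as_imm32(a)) for a in args)


def read_float_args(image, count):
    """Decode `count` dword slots of a stack image back into floats."""
    slots = struct.unpack("<%dI" % count, image[:4 * count])
    return [imm32_to_float(v) for v in slots]
```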

NameError: name 'basestring' is not defined

Hi,

There are still some basestring uses in the codebase without the corresponding pycompat import, making it raise an Exception when used on python3.

Files impacted:

  • windows/winobject/event_trace.py
  • windows/debug/breakpoints.py
  • windows/crypto/cryptmsg.py
  • windows/utils/improved_buffer.py
  • windows/utils/pythonutils.py
  • windows/winobject/service.py
  • windows/debug/symbols.py
  • windows/winproxy/ntdll.py
  • windows/security.py
  • windows/winobject/event_log.py
  • windows/winobject/process.py

I didn't test all of them, only several (event_log.py and process.py).

Syntax error when installing

There's some sort of syntax error when running python .\setup.py install:

[2:49:17 PM] ~/Documents/Code/PythonForWindows> python .\setup.py install
Extracting PythonForWindows-0.4-py3.6.egg to c:\python36\lib\site-packages
  File "c:\python36\lib\site-packages\PythonForWindows-0.4-py3.6.egg\windows\generated_def\windef.py", line 2038
    ERROR_EVT_INVALID_CHANNEL_PATH = make_flag("ERROR_EVT_INVALID_CHANNEL_PATH", 15000L)
                                                                                      ^
SyntaxError: invalid syntax

Adding PythonForWindows 0.4 to easy-install.pth file

Installed c:\python36\lib\site-packages\pythonforwindows-0.4-py3.6.egg
Processing dependencies for PythonForWindows==0.4
Finished processing dependencies for PythonForWindows==0.4
[2:48:26 PM] ~/Documents/Code/PythonForWindows> 

make a new release on PyPI

The latest version of PythonForWindows fixes some bugs. I need it on PyPI to avoid installing the git version from setup.py for my software.

Could you make a new release on PyPI, please?

create_thread & NtCreateThreadEx_32_to_64

Hello,

I am using python 2.7 (X86 version) and the version 0.5 of PythonForWindows (on pip) on Windows 10.

When I try to use create_thread() from an x86 process, more exactly NtCreateThreadEx_32_to_64(), for creating/executing a new thread in (another) x64 process, I have the following error:

[...]
  File ".\test.py", line 193, in testRemoteThread
    winProcess.create_thread(addr=reflectiveLoader, param=0)
  File "C:\Python27\lib\site-packages\pythonforwindows-0.5-py2.7.egg\windows\winobject\process.py", line 1040, in create_thread
    windows.syswow64.NtCreateThreadEx_32_to_64(ThreadHandle=byref(thread_handle) ,ProcessHandle=self.handle, lpStartAddress=addr, lpParameter=param)
  File "C:\Python27\lib\site-packages\pythonforwindows-0.5-py2.7.egg\windows\syswow64.py", line 260, in NtCreateThreadEx_32_to_64
    return NtCreateThreadEx_32_to_64.ctypes_function(ThreadHandle, DesiredAccess, ObjectAttributes, ProcessHandle, lpStartAddress, lpParameter, CreateSuspended, dwStackSize, Unknown1, Unknown2, Unknown3)
  File "C:\Python27\lib\site-packages\pythonforwindows-0.5-py2.7.egg\windows\syswow64.py", line 232, in perform_call
    return self.raw_call(*args)
  File "C:\Python27\lib\site-packages\pythonforwindows-0.5-py2.7.egg\windows\syswow64.py", line 138, in wrapper
    return native_caller()
WindowsError: exception: access violation writing 0x00000000

The targeted process is a notepad.exe (x64) for example.
There is no error before this function when I use virtual_alloc(), write_memory() and virtual_protect(), for example.

Do you have an idea? Is there a problem with NtCreateThreadEx_32_to_64() from an x86 process to an x64 process?

Thank you in advance for your help,

Regards,

Reading from Pipe can't be blocked

Using the API ReadFile() can't be blocked before the server writes data.
Client, Python version:

import ctypes
import windows
import windows.generated_def as gdef

pipe_name = "dotnetest_py"
pipe_full_name = windows.pipe.full_pipe_address(pipe_name)
pipe_handle = windows.winproxy.CreateFileA(pipe_full_name,
                                           dwDesiredAccess=gdef.GENERIC_READ | gdef.GENERIC_WRITE,
                                           dwShareMode=gdef.FILE_SHARE_WRITE | gdef.FILE_SHARE_READ)

bool_receive = ctypes.create_string_buffer(ctypes.sizeof(ctypes.c_bool))
windows.winproxy.ReadFile(pipe_handle, bool_receive)
test1 = ctypes.c_bool.from_buffer(bool_receive).value
# prints True
print(test1)
if test1:
    windows.winproxy.ReadFile(pipe_handle, bool_receive)
    test2 = ctypes.c_bool.from_buffer(bool_receive).value
    # prints False
    print(test2)

Server, C++ version:

// wide-character name, since CreateNamedPipeW is the W variant
WCHAR pipeName[] = L"\\\\.\\pipe\\dotnetest_py";

HANDLE pipehandle = CreateNamedPipeW(pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT, 255, 256*1024, 16, INFINITE, NULL);
BOOL result = true;
ULONG byteswritten;
// write twice
WriteFile(pipehandle, &result, sizeof(result), &byteswritten, NULL);
WriteFile(pipehandle, &result, sizeof(result), &byteswritten, NULL);

I tried writing the client in C++: it's OK, the client is blocked; but when I debug the Python program, I found it can't be blocked.
What is the problem? I am new to Python. I think the pipe is a system mechanism and it couldn't be wrong. Is there something missing in my code?

curious question about querying AD/WMI over the network

Hey

Looking to query an AD over the LAN, I'm curious whether PythonForWindows supports this. The idea is to query installed software, users and their privileges for data collection and then parse this data into an Excel file.

br,

JL

function execute() lacks virtual_free() and takes up a lot of memory space

I use PythonForWindows to hack a game, executing some assembly code injected into the game program.

This is my simplified code:

import windows.winobject.process
import windows.native_exec.simple_x86 as x86

wp = windows.winobject.process.WinProcess(pid=int(0x59A4))

code = x86.MultipleInstr()
code += x86.Mov("EBP", "ESP")
code += x86.Push(0x018006D4)
code += x86.Push(0x00)
code += x86.Push(0x64)
code += x86.Mov("ECX", 0x119DF58)
code += x86.Mov("EBX", 0xAD9C50)
code += x86.Call("EBX")
code += x86.Mov("esp", "ebp")
code += x86.Ret()

wp.execute(code.get_code())

The code works perfectly.

But every time it runs, it allocates a small memory region, and that memory is not released after the code is executed. After running similar code hundreds of times, the memory footprint of the game becomes very large.

I hope that the execute() function can be improved to automatically release the memory.

By the way, is there a list of assembly instructions for PythonForWindows? I read the document, there are only some assembly examples, and there is no complete assembly instruction list.

PythonForWindows makes it possible to use Python to hack games! Thank you!

Hooking remote process?

Hey there - cool project!

I want to use this in a project I'm working on, but am unsure how I would go about hooking the IAT in a remote process.

I've followed your example to see if it would work for me, but I see that this is not (yet?) implemented:

Traceback (most recent call last):
  File "<redacted>", line 74, in <module>
    iat_create_file[0].set_hook(createfile_callback)
  File "<redacted>\venv\lib\site-packages\windows\pe_parse.py", line 181, in set_hook
    raise NotImplementedError("Setting hook in remote process (use python code injection)")
NotImplementedError: Setting hook in remote process (use python code injection)

use python code injection

Do you have an example of how you would go about replicating your sample code via python code injection the same way?

Specifically, how would I go about hooking CreateFileA like you've done locally:

@CreateFileACallback
def createfile_callback(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile, real_function):
    print("Trying to open {0}".format(lpFileName))
    if "secret" in lpFileName:
        return 0xffffffff
    return real_function()

but in a remote process?
