阅读笔记&&实现代码_of_Python灰帽子(一)

from ctypes import *

#为符合汇编变量名风格
WORD    = c_ushort
DWORD   = c_ulong
LPBYTE  = POINTER(c_ubyte)
LPTSTR  = POINTER(c_char)
HANDLE  = c_void_p

DEBUG_PROCESS       = 0x00000001
CREATE_NEW_CONSOLE  = 0x00000010

class STARTUPINFO(Structure):
_fields_ = [
("cb",              DWORD),
("lpReserved",      LPTSTR),
("lpDesktop",       LPTSTR),
("lpTitle",         LPTSTR),
("dwX",             DWORD),
("dwY",             DWORD),
("dwXCountChars",   DWORD),
("dwYCountChars",   DWORD),
("dwFillAttribute", DWORD),
("dwFlags",         DWORD),
("wShowWindow",     WORD),
("cbReserved2",     WORD),
("lpReserved2",     LPTSTR),
("hStdInput",       HANDLE),
("hStdOutput",      HANDLE),
("hStdError",       HANDLE),
]

class PROCESS_INFORMATION(Structure):
_fields_ = [
("hProcess",        HANDLE),
("hThread",         HANDLE),
("dwProcessId",     DWORD),
("dwThreadId",      DWORD),
]

from ctypes import *
from my_debugger_defines import *

kernel32 = windll.kernel32

class debugger():
def __init__(self):
pass

def load(self, path_to_exe):

creation_flags = DEBUG_PROCESS #该标志位控制着进程的创建方式

#实例化结构体
startupinfo = STARTUPINFO()
process_information = PROCESS_INFORMATION()

#在以下两个成员变量的共同作用下，新进程将在一个单独的窗体被显示
startupinfo.dwFlags = 0x1
startupinfo.wShowWindow = 0x0

startupinfo.cb = sizeof(startupinfo)

#CreateProcessA应有10个参数，书中的代码只写了七个，会运行报错
#参考了https://msdn.microsoft.com/library/ms682425.aspx，
#大体了解了各个参数的意思，用了三个None以补全
if kernel32.CreateProcessA(path_to_exe, None, None, None,None,creation_flags,
None, None, byref(startupinfo), byref(process_information)):

#byref用以传递变量对应的指针，比pointer()更快

print 'We have successfully launched the process!'
print 'PID:%d' % process_information.dwProcessId

else:
print 'Error: 0x%08x' %kernel32.GetLastError()

# -*- coding: utf-8 -*-
import my_debugger

debugger = my_debugger.debugger()
debugger.load('C:\\WINDOWS\\SYSTEM32\\calc.exe')