2

Here is my code:

from ctypes import *
WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)
HANDLE = c_void_p
DEBUG_PROCESS = 0x00000001
CREATE_NEW_CONSOLE = 0x00000010
class STARTUPINFO(Structure):
    _fields_ = [
    ("cb", DWORD),
    ("lpReserved", LPTSTR),
    ("lpDesktop", LPTSTR),
    ("lpTitle", LPTSTR),
    ("dwX", DWORD),
    ("dwY", DWORD),
    ("dwXSize", DWORD),
    ("dwYSize", DWORD),
    ("dwXCountChars", DWORD),
    ("dwYCountChars", DWORD),
    ("dwFillAttribute",DWORD),
    ("dwFlags", DWORD),
    ("wShowWindow", WORD),
    ("cbReserved2", WORD),
    ("lpReserved2", LPBYTE),
    ("hStdInput", HANDLE),
    ("hStdOutput", HANDLE),
    ("hStdError", HANDLE),
    ]
class PROCESS_INFORMATION(Structure):
    _fields_ = [
    ("hProcess", HANDLE),
    ("hThread", HANDLE),
    ("dwProcessId", DWORD),
    ("dwThreadId", DWORD),
    ]


kernel32 = windll.kernel32
class debugger():
    def __init__(self):
        pass

    def load(path_to_exe):
        creation_flags = DEBUG_PROCESS
        startupinfo = STARTUPINFO()
        processinfo = PROCESS_INFORMATION()
        startupinfo.dwFlags = 0x1
        startupinfo.wShowWindow = 0x0
        startupinfo.cb = sizeof(startupinfo)
        if kernel32.CreateProcessA(path_to_exe,None,None,None,None,creation_flags,None,None,byref(startupinfo),byref(processinfo)):
            print("[*] Process launched")
            print("[*] PID: %d" % (PROCESS_INFORMATION.dwProcessId))
        else:
            print("[*] Error: 0x%08x." % (kernel32.GetLastError()))

debugger.load("C:\\WINDOWS\\system32\\calc.exe")

I'm actually following along Gray hat python right now, and I'm converting this code to python2.7 as I read it.

Whenever I run it, it goes to the error: [*] Error: 0x000003e6.

but when my friend try this code in his computer, he can get: []We have successfully launched the process! []PID: 1208

and both our systems are 64-bit windows7.

Any help would be much appreciated!

Mark Tolonen
  • 166,664
  • 26
  • 169
  • 251
ttfy
  • 23
  • 2
  • Check [\[SO\]: C function called from Python via ctypes returns incorrect value (@CristiFati's answer)](https://stackoverflow.com/a/58611011/4788546) for a common pitfall when working with *CTypes* (calling functions). – CristiFati Feb 07 '23 at 07:57

1 Answers1

1

Do you both have 64-bit Python installed? .argtypes and .restype should be set on your function or ctypes defaults to passing 32-bit parameters. On 64-bit Python that truncates your byref values, which are 64-bit pointers.

As a reference, here's a fully tested version that works on Python 2 and 3, both 32- and 64-bit:

from __future__ import print_function,unicode_literals

from ctypes import *
from ctypes.wintypes import BYTE,WORD,DWORD,LPWSTR,LPCWSTR,HANDLE,LPVOID,BOOL

LPBYTE = POINTER(BYTE)

DEBUG_PROCESS = 0x00000001
CREATE_NEW_CONSOLE = 0x00000010

class STARTUPINFOW(Structure):
    _fields_ = [('cb', DWORD),
                ('lpReserved', LPWSTR),
                ('lpDesktop', LPWSTR),
                ('lpTitle', LPWSTR),
                ('dwX', DWORD),
                ('dwY', DWORD),
                ('dwXSize', DWORD),
                ('dwYSize', DWORD),
                ('dwXCountChars', DWORD),
                ('dwYCountChars', DWORD),
                ('dwFillAttribute',DWORD),
                ('dwFlags', DWORD),
                ('wShowWindow', WORD),
                ('cbReserved2', WORD),
                ('lpReserved2', LPBYTE),
                ('hStdInput', HANDLE),
                ('hStdOutput', HANDLE),
                ('hStdError', HANDLE)]

class PROCESS_INFORMATION(Structure):
    _fields_ = [('hProcess', HANDLE),
                ('hThread', HANDLE),
                ('dwProcessId', DWORD),
                ('dwThreadId', DWORD)]

class SECURITY_ATTRIBUTES(Structure):
    _fields_ = [('nLength', DWORD),
                ('lpSecurityDescriptor', LPVOID),
                ('bInheritHandle', BOOL)]

LPSECURITY_ATTRIBUTES = POINTER(SECURITY_ATTRIBUTES)
LPSTARTUPINFOW = POINTER(STARTUPINFOW)
LPPROCESS_INFORMATION = POINTER(PROCESS_INFORMATION)

kernel32 = WinDLL('kernel32',use_last_error=True)
kernel32.CreateProcessW.argtypes = (LPCWSTR,LPWSTR,LPSECURITY_ATTRIBUTES,LPSECURITY_ATTRIBUTES,
                                    BOOL,DWORD,LPVOID,LPCWSTR,LPSTARTUPINFOW,LPPROCESS_INFORMATION)
kernel32.restype = BOOL

def load(path_to_exe):
    creation_flags = DEBUG_PROCESS
    startupinfo = STARTUPINFOW()
    processinfo = PROCESS_INFORMATION()
    startupinfo.dwFlags = 0x1
    startupinfo.wShowWindow = 0x0
    startupinfo.cb = sizeof(startupinfo)
    if kernel32.CreateProcessW(path_to_exe,None,None,None,False,creation_flags,None,None,byref(startupinfo),byref(processinfo)):
        print('[*] Process launched')
        print('[*] PID: {}'.format(processinfo.dwProcessId))
    else:
        print('[*] Error: 0x{:08x}.'.format(get_last_error()))

load(r'C:\WINDOWS\System32\calc.exe')
Mark Tolonen
  • 166,664
  • 26
  • 169
  • 251
  • thanks for help,I can create new process by using your code.but I do have 64-bit Python installed before – ttfy Nov 07 '18 at 09:17