CODEWITHSUNDEEP
pythonctypes
Norton Penguinion
Norton Penguinion

Reputation: 161

Python: kernel32.CreateProcessA() What is it doing?

I am currently learning about debuggers and how they stop processes.

Here is my code:

    from ctypes import *
    WORD = c_ushort
    DWORD = c_ulong
    LPBYTE = POINTER(c_ubyte)
    LPTSTR = POINTER(c_char)
    HANDLE = c_void_p
    DEBUG_PROCESS = 0x00000001
    CREATE_NEW_CONSOLE = 0x00000010
    class STARTUPINFO(Structure):
        _fields_ = [
        ("cb", DWORD),
        ("lpReserved", LPTSTR),
        ("lpDesktop", LPTSTR),
        ("lpTitle", LPTSTR),
        ("dwX", DWORD),
        ("dwY", DWORD),
        ("dwXSize", DWORD),
        ("dwYSize", DWORD),
        ("dwXCountChars", DWORD),
        ("dwYCountChars", DWORD),
        ("dwFillAttribute",DWORD),
        ("dwFlags", DWORD),
        ("wShowWindow", WORD),
        ("cbReserved2", WORD),
        ("lpReserved2", LPBYTE),
        ("hStdInput", HANDLE),
        ("hStdOutput", HANDLE),
        ("hStdError", HANDLE),
        ]
    class PROCESS_INFORMATION(Structure):
        _fields_ = [
        ("hProcess", HANDLE),
        ("hThread", HANDLE),
        ("dwProcessId", DWORD),
        ("dwThreadId", DWORD),
        ]


    kernel32 = windll.kernel32
    class debugger():
        def __init__(self):
            pass

        def load(path_to_exe):
            creation_flags = DEBUG_PROCESS
            startupinfo = STARTUPINFO()
            processinfo = PROCESS_INFORMATION()
            startupinfo.dwFlags = 0x1
            startupinfo.wShowWindow = 0x0
            startupinfo.cb = sizeof(startupinfo)
            if kernel32.CreateProcessA(path_to_exe,None,None,None,None,creation_flags,None,None,byref(startupinfo),byref(processinfo)):
                print("[*] Process launched")
                print("[*] PID: %d" % (PROCESS_INFORMATION.dwProcessId))
            else:
                print("[*] Error: 0x%08x." % (kernel32.GetLastError()))

    debugger.load("C:\\WINDOWS\\system32\\calc.exe")

Whenever I run it, it goes to the error. :( I figured out that the reason that it is going to that error is because the kernel32.CreateProcessA is returning false. I'm actually following along Gray hat python right now, and I'm converting this code to python 3 as I read it.

My question is, what is the kernel32.CreateProcessA doing, why is it returning false, and how can I prevent it from returning false?

Any help would be much appreciated!

Upvotes: 5

Views: 5564

Answers (6)

MiDi
MiDi

Reputation: 1

  1. According to a quick sum-up of differences between Python 2xx vs 3xx : Python 2 has separated ASCII str() types and unicode()type. Python 3 has only Unicode (utf-8) string type.

  2. According to WinAPI docs, CreateProcess() has an unicode version which is defined as CreateProcessW() with the same params.

So if you use Python 2xx, using CreateProcessA() . In case of python 3xx, using CreateProcessW().

Upvotes: 0

Atec
Atec

Reputation: 1

  1. this line must be brackets: debugger().load("C:\WINDOWS\system32\calc.exe")

  2. this line must be contain self: def load(self,path_to_exe)

  3. if static must not contain self : @staticmethod def load(path_to_exe)

  4. this line must be: print("[*] PID: %d" % processinfo.dwProcessId)

Upvotes: 0

mblw
mblw

Reputation: 1798

You have several error in your code:

The first error is load method of debugger class defined wrong. The most probably in your case it should be staticmethod:

# . . .

# This decorator required to make method static
@staticmethod
def load(path_to_exe):
    creation_flags = DEBUG_PROCESS
    startupinfo = STARTUPINFO()
    processinfo = PROCESS_INFORMATION()
    startupinfo.dwFlags = 0x1

# . . .

The second error is at print if process was created:

if kernel32.CreateProcessA(path_to_exe,None,None,None,None,
                           creation_flags,None,None,
                           byref(startupinfo),byref(processinfo)):
    print("[*] Process launched")

    # ERROR AT THE LINE BELOW
    # Your variant: print("[*] PID: %d" % (PROCESS_INFORMATION.dwProcessId))
    # But it should be the structure itself not it "type"
    print("[*] PID: %d" % (processinfo.dwProcessId))  
else:
    print("[*] Error: 0x%08x." % (kernel32.GetLastError()))

In my case it's works (Windows XP). If your process not really started and you get in console message something like that:

[*] Error: 0x00000002

Then if you use Python 3.x you should use not CreateProcessA but CreateProcessW function because all string in Python 3.x is in unicode (in WinAPI all functions ends with 'A' accept asci-strings, ends with 'W' accept unicode-strings). More exactly answer can be if you write what error or exception occurred in your case.

Upvotes: 5

Mark Ma
Mark Ma

Reputation: 1362

You should call GetLastError function to know what the error really is.

ctypes.windll.kernel32.GetLastError

And I found this detailed post explaining how to debugg and fix error caused by CreateProcessA: Python CreateProcessA returns FALSE

Upvotes: 1

xue1
xue1

Reputation: 49

I have a problm when I run a program like you on win64.But when I changed kernel32.CreateProcessA to kernel32.CreateProcessW,the program run sucessfully.

Upvotes: 4

redblacktree
redblacktree

Reputation: 29

Switch your first two parameters so you have something like:

kernel32.CreateProcessA(c_char_p(0),c_char_p(path_to_exe),0,0,0,creation_flags,0,0,bytef(startupinfo),byref(processinfo))

Upvotes: 1

Related Questions