How do I look up the value of a multi-level pointer inside a process in Python?


Problem description

I have a process, and I want to look up a value of an address inside that process but that address is a multi-level pointer and has a few offsets attached to it. How do I do this in Python?

Recommended answer

I'm answering my own question to document a way of doing this in Python 3.

First you need some way to look up the pid of the process we are working on.

I used the module psutil to do this, but there are other ways to do it too.

import psutil

def get_pid(process_name):
    # Walk every process we can see and return the pid of the one whose
    # executable name matches. Processes we are not allowed to inspect, or
    # that exit while we iterate, are skipped rather than aborting the scan.
    pid = None
    for proc in psutil.process_iter():
        try:
            if proc.name() == process_name:
                pid = proc.pid
        except (PermissionError, psutil.AccessDenied, psutil.NoSuchProcess):
            pass
    return pid

Now we have the pid of the process we want to work on. We'll use that later to get the handle of the process we want to work on.

Now I said it's a multi-level pointer. How that works is that we have an initial address and a list of offsets. We first of all look up the value of our initial address. We then apply the first offset to that value to get the next address. We look up the value of that address, apply the next offset to that value and get the next address to look up. This can keep going depending on the size of your list of offsets, but say that last look-up was the last one and that gives us our final address. When we get the value of that, we get the actual value that we are after.

To do this programmatically, we need the pid (for example 4045), the address (for example 0x0163B4D8), the list of offsets (for example [0x37C, 0x3C]) and the size of the data (for example an unsigned int is 4 bytes, so that's the size of our data).

from ctypes import *
from ctypes.wintypes import *

PROCESS_ALL_ACCESS = 0x1F0FFF

# Declare argument and return types. Without this ctypes treats handles and
# addresses as C int, which silently truncates them on 64-bit Python.
windll.kernel32.OpenProcess.argtypes = [DWORD, BOOL, DWORD]
windll.kernel32.OpenProcess.restype = HANDLE
windll.kernel32.ReadProcessMemory.argtypes = [HANDLE, LPCVOID, LPVOID, c_size_t, POINTER(c_size_t)]
windll.kernel32.ReadProcessMemory.restype = BOOL
windll.kernel32.CloseHandle.argtypes = [HANDLE]
windll.kernel32.CloseHandle.restype = BOOL

def read_process_memory(pid, address, offsets, size_of_data, pointer_size=sizeof(c_void_p)):
    # pointer_size is the width of a pointer in the *target* process; set it
    # to 4 when 64-bit Python reads a 32-bit process.
    # Open the process and get the handle.
    process_handle = windll.kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    if not process_handle:
        return -1 # OpenProcess failed (e.g. access denied), so we're quitting.
    current_address = address
    try:
        # Every offset dereferences one pointer level; the trailing None is a
        # final loop where we actually get the data out. Copying the list
        # keeps the caller's offsets unchanged.
        for offset in list(offsets) + [None]:
            # Intermediate levels hold pointers, only the last read is the data.
            read_size = size_of_data if offset is None else pointer_size
            read_buff = create_string_buffer(read_size)
            count = c_size_t(0)
            if not windll.kernel32.ReadProcessMemory(process_handle, current_address, cast(read_buff, LPVOID), read_size, byref(count)) or count.value != read_size:
                return -1 # Error or short read, so we're quitting.
            # .raw keeps embedded zero bytes; .value would stop at the first NUL.
            result = int.from_bytes(read_buff.raw, byteorder='little')
            # Here that None comes into play.
            if offset is not None:
                current_address = result + offset
            else:
                return result
    finally:
        windll.kernel32.CloseHandle(process_handle)

That's the basic concept, and of course the code could be improved.
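The chain walk described in the answer, written as an added example that is not the answer's own code. It separates the pointer-chain logic from the Win32 read so the walk can be exercised offline against a constructed byte image (the image, addresses and values below are made up to mirror the answer's numbers), reads intermediate levels at pointer width and only the last level at the data width, treats a NULL pointer as a failure instead of reading from a small offset in page zero, and opens the target with `PROCESS_VM_READ | PROCESS_QUERY_INFORMATION` rather than `PROCESS_ALL_ACCESS`, which is all a read needs. The `win32_reader` helper is an assumption of how `ReadProcessMemory` is wrapped and only runs on Windows.

```python
"""Resolve base -> [offset, ...] pointer chains through a pluggable reader."""
import ctypes
import struct


class MemoryReadError(Exception):
    """A read failed, came back short, or dereferenced a NULL pointer."""


def resolve_pointer_chain(read, base, offsets, pointer_size=4):
    """Return the final address reached from `base` via `offsets`.

    read(addr, n) must return exactly n bytes or raise MemoryReadError.
    Each level reads a pointer of `pointer_size` bytes (the target's width,
    not the Python interpreter's) and adds the next offset to it.
    """
    addr = base
    for level, offset in enumerate(offsets):
        ptr = int.from_bytes(read(addr, pointer_size), "little")
        if ptr == 0:
            raise MemoryReadError(f"NULL pointer at level {level} (read at {addr:#x})")
        addr = ptr + offset
    return addr


def read_value(read, base, offsets, fmt="<I", pointer_size=4):
    """Walk the chain, then unpack the final data with a struct format."""
    addr = resolve_pointer_chain(read, base, offsets, pointer_size)
    return struct.unpack(fmt, read(addr, struct.calcsize(fmt)))[0]


class ImageReader:
    """Constructed fake process memory: {start_address: bytes} regions."""

    def __init__(self, regions):
        self.regions = regions

    def __call__(self, addr, n):
        for start, data in self.regions.items():
            if start <= addr and addr + n <= start + len(data):
                return data[addr - start:addr - start + n]
        raise MemoryReadError(f"unreadable range {addr:#x}+{n}")


def build_sample_image(pointer_size=4):
    """Constructed layout mirroring the answer's example numbers."""
    ptr_fmt = "<I" if pointer_size == 4 else "<Q"
    base, lvl1, lvl2 = 0x0163B4D8, 0x00A00000, 0x00B00000
    offsets = [0x37C, 0x3C]
    regions = {
        base: struct.pack(ptr_fmt, lvl1),          # *base        -> lvl1
        lvl1 + 0x37C: struct.pack(ptr_fmt, lvl2),  # *(lvl1+0x37C) -> lvl2
        lvl2 + 0x3C: struct.pack("<I", 1337),      # *(lvl2+0x3C)  -> value
    }
    return base, offsets, ImageReader(regions)


def win32_reader(pid):
    """Windows-only: a read(addr, n) callable over ReadProcessMemory.

    Assumed wrapper, not the answer's code. Requests only the rights a read
    needs and checks the byte count so a partial read is not mistaken for data.
    """
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.ReadProcessMemory.restype = wintypes.BOOL
    PROCESS_VM_READ, PROCESS_QUERY_INFORMATION = 0x0010, 0x0400
    handle = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        raise MemoryReadError(f"OpenProcess({pid}) failed, error {ctypes.get_last_error()}")

    def read(addr, n):
        buf = ctypes.create_string_buffer(n)
        got = ctypes.c_size_t(0)
        if not k32.ReadProcessMemory(handle, addr, buf, n, ctypes.byref(got)) or got.value != n:
            raise MemoryReadError(f"ReadProcessMemory({addr:#x}, {n}) failed, error {ctypes.get_last_error()}")
        return buf.raw  # .raw keeps embedded NUL bytes; .value would truncate

    return read


if __name__ == "__main__":
    base, offsets, read = build_sample_image()
    print(hex(resolve_pointer_chain(read, base, offsets)), read_value(read, base, offsets))
```

On a live target you would replace `build_sample_image()` with `win32_reader(get_pid("game.exe"))` and pass `pointer_size=8` for a 64-bit process; everything else stays the same, which is the point of keeping the walk independent of the API that backs it.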
