简体繁体 English

在Python中设置一个x86寄存器以在调用的DLL函数中使用

[英]Set an x86 register in Python to be used in a called DLL function

原文 2014-06-27 13:12:32 1 1 python/ winapi/ reverse-engineering/ ctypes

Background 背景

To use Python to call a non-exported DLL function. 使用Python调用未导出的DLL函数。 The function to be called assumes that one of the General Registers is already set to the location of a buffer - it is not set through stack variables. 要调用的函数假定通用寄存器之一已设置为缓冲区的位置-尚未通过堆栈变量设置。 The buffer will be owned by the Python script. 缓冲区将归Python脚本所有。 Ideally, the solution should run stand-alone, rather than within the context of a debugger. 理想情况下，该解决方案应独立运行，而不是在调试器的上下文中运行。

Problem 问题

Is it possible to use Python to set one of the x86 registers, in this case ECX, to the memory location of a Python variable prior to calling the DLL function? 在调用DLL函数之前，是否可以使用Python将x86寄存器之一（在本例中为ECX）设置为Python变量的存储位置？ (and without the process of obtaining/storing the register trashing it). （并且没有获取/存储寄存器的过程将其垃圾）。

Considered Approaches 考虑的方法

I have looked at several approaches, all of which seem relatively heavyweight, and I quickly reach the extent of my knowledge: 我研究了几种方法，所有这些方法似乎都比较繁重，并且很快达到了我的知识水平：

Using GetThreadContext - I presume this would require running the DLL function in a separate thread, obtaining and updating the thread context - if this would be a good way to go, it would be good to have a high-level approach 使用GetThreadContext-我认为这将需要在单独的线程中运行DLL函数，获取并更新线程上下文-如果这是一个好方法，那么最好有一个高级方法
Using some form of corepy/pyasm to build a small program - may risk trashing registers prior to calling DLL function. 使用某种形式的corepy / pyasm来构建一个小程序-可能会在调用DLL函数之前冒着破坏寄存器的风险。
Using the Python script within a debugger such as Immunity Debugger - this would solve most of the issues, but ideally we would like the script to run stand-alone. 在诸如Immunity Debugger之类的调试器中使用Python脚本-这样可以解决大多数问题，但是理想情况下，我们希望脚本独立运行。

I would be very grateful for any suggestions on how to approach this. 对于如何解决此问题，我将不胜感激。

1 个解决方案

I think the only practical way to do this is to write the code that calls the function in asm. 我认为唯一可行的方法是编写在asm中调用该函数的代码。 Only by controlling it at that level can you be sure that no other party will modify a register. 只有在该级别进行控制，您才能确保没有其他方会修改寄存器。

One way would be to do it statically and have a compiler/linker build a DLL that you can call from your Python code, passing whatever information is needed. 一种方法是静态执行此操作，并让编译器/链接器构建一个DLL，您可以从Python代码中调用该DLL，并传递所需的任何信息。 Specifically the function address and any parameters needed to pass to the function. 特别是函数地址和传递给函数所需的任何参数。

Another way would be to generate the code at runtime with some sort of jitter like dynamic code generator. 另一种方法是在运行时生成带有某种抖动的代码，例如动态代码生成器。 This approach is probably harder to get right, although it offers the prospect of greater flexibility. 尽管这种方法提供了更大的灵活性，但它可能更难正确。