Python: kernel32.CreateProcessA() What is it doing?

Question

I am currently learning about debuggers and how they stop processes.

Here is my code:

    from ctypes import *
    WORD = c_ushort
    DWORD = c_ulong
    LPBYTE = POINTER(c_ubyte)
    LPTSTR = POINTER(c_char)
    HANDLE = c_void_p
    DEBUG_PROCESS = 0x00000001
    CREATE_NEW_CONSOLE = 0x00000010
    class STARTUPINFO(Structure):
        _fields_ = [
        ("cb", DWORD),
        ("lpReserved", LPTSTR),
        ("lpDesktop", LPTSTR),
        ("lpTitle", LPTSTR),
        ("dwX", DWORD),
        ("dwY", DWORD),
        ("dwXSize", DWORD),
        ("dwYSize", DWORD),
        ("dwXCountChars", DWORD),
        ("dwYCountChars", DWORD),
        ("dwFillAttribute",DWORD),
        ("dwFlags", DWORD),
        ("wShowWindow", WORD),
        ("cbReserved2", WORD),
        ("lpReserved2", LPBYTE),
        ("hStdInput", HANDLE),
        ("hStdOutput", HANDLE),
        ("hStdError", HANDLE),
        ]
    class PROCESS_INFORMATION(Structure):
        _fields_ = [
        ("hProcess", HANDLE),
        ("hThread", HANDLE),
        ("dwProcessId", DWORD),
        ("dwThreadId", DWORD),
        ]


    kernel32 = windll.kernel32
    class debugger():
        def __init__(self):
            pass

        def load(path_to_exe):
            creation_flags = DEBUG_PROCESS
            startupinfo = STARTUPINFO()
            processinfo = PROCESS_INFORMATION()
            startupinfo.dwFlags = 0x1
            startupinfo.wShowWindow = 0x0
            startupinfo.cb = sizeof(startupinfo)
            if kernel32.CreateProcessA(path_to_exe,None,None,None,None,creation_flags,None,None,byref(startupinfo),byref(processinfo)):
                print("[*] Process launched")
                print("[*] PID: %d" % (PROCESS_INFORMATION.dwProcessId))
            else:
                print("[*] Error: 0x%08x." % (kernel32.GetLastError()))

    debugger.load("C:\\WINDOWS\\system32\\calc.exe")

Whenever I run it, it goes to the error. :( I figured out that the reason that it is going to that error is because the kernel32.CreateProcessA is returning false. I'm actually following along Gray hat python right now, and I'm converting this code to python 3 as I read it.

My question is, what is the kernel32.CreateProcessA doing, why is it returning false, and how can I prevent it from returning false?

Any help would be much appreciated!

Answer 1

You have several error in your code:

The first error is load method of debugger class defined wrong. The most probably in your case it should be staticmethod:

# . . .

# This decorator required to make method static
@staticmethod
def load(path_to_exe):
    creation_flags = DEBUG_PROCESS
    startupinfo = STARTUPINFO()
    processinfo = PROCESS_INFORMATION()
    startupinfo.dwFlags = 0x1

# . . .

The second error is at print if process was created:

if kernel32.CreateProcessA(path_to_exe,None,None,None,None,
                           creation_flags,None,None,
                           byref(startupinfo),byref(processinfo)):
    print("[*] Process launched")

    # ERROR AT THE LINE BELOW
    # Your variant: print("[*] PID: %d" % (PROCESS_INFORMATION.dwProcessId))
    # But it should be the structure itself not it "type"
    print("[*] PID: %d" % (processinfo.dwProcessId))  
else:
    print("[*] Error: 0x%08x." % (kernel32.GetLastError()))

In my case it's works (Windows XP). If your process not really started and you get in console message something like that:

[*] Error: 0x00000002

Then if you use Python 3.x you should use not CreateProcessA but CreateProcessW function because all string in Python 3.x is in unicode (in WinAPI all functions ends with 'A' accept asci-strings, ends with 'W' accept unicode-strings). More exactly answer can be if you write what error or exception occurred in your case.

Answer 2

当我在win64上运行像你这样的程序时，我有一个问题。但是当我将kernel32.CreateProcessA更改为kernel32.CreateProcessW时，程序运行成功。

Answer 3

切换前两个参数，以便您具有以下内容：

kernel32.CreateProcessA(c_char_p(0),c_char_p(path_to_exe),0,0,0,creation_flags,0,0,bytef(startupinfo),byref(processinfo))

Answer 4

You should call GetLastError function to know what the error really is.

ctypes.windll.kernel32.GetLastError

And I found this detailed post explaining how to debugg and fix error caused by CreateProcessA: Python CreateProcessA returns FALSE

Answer 5

1. this line must be brackets: debugger().load("C:\\WINDOWS\\system32\\calc.exe")

2. this line must be contain self: def load(self,path_to_exe)

3. if static must not contain self : @staticmethod def load(path_to_exe)

4. this line must be: print("[*] PID: %d" % processinfo.dwProcessId)

Answer 6

1. According to a quick sum-up of differences between Python 2xx vs 3xx : Python 2 has separated ASCII str() types and unicode()type. Python 3 has only Unicode (utf-8) string type .

2. According to WinAPI docs, CreateProcess() has an unicode version which is defined as CreateProcessW() with the same params.

So if you use Python 2xx, using CreateProcessA() . In case of python 3xx, using CreateProcessW() .