windows7下面运行脚本的顺序:
1 启动脚本
2 修改calc的显示内容
3 snap
4 再次修改calc的显示内容,注意:最小化calc窗口
5 restore,会报以下错误:
PDBG_ERR> -- IGNORING ERROR --
PDBG_ERR> process_restore: [87] WriteProcessMemory(000e0000, ..., 212992): 参数错误。
resuming operation.
6 恢复calc窗口,会发现显示内容已经恢复了
应该是权限的问题。虚拟机的windows xp测试了一下,正常工作,没有错误。
#filename:snapshot.py
from pydbg import *
from pydbg.defines import *
import threading
import time
import sys
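class snapshotter(object):
    """Interactive snapshot/restore front end for a pydbg-debugged process.

    Loads ``exe_path`` under pydbg on a background thread, then reads
    ``snap`` / ``restore`` / ``quit`` commands from stdin on a second thread
    and forwards them to the debugger (see ``process_pid``).

    Attributes:
        exe_path: path handed to ``pydbg.load()``.
        pid: pid of the debuggee, published by ``start_debugger``
            (``None`` until then).
        dbg: the ``pydbg`` instance created by ``start_debugger``
            (``None`` until then).
        running: cleared by ``monitor_debugger`` on ``quit``.
    """

    def __init__(self, exe_path):
        """Launch the target under the debugger and start the command loop.

        Args:
            exe_path: path of the executable to load.

        Blocks (polling once a second) until ``start_debugger`` has set
        ``self.pid``.  Both worker threads are non-daemon, so the
        interpreter stays alive after ``__init__`` returns until ``quit``.
        """
        self.exe_path = exe_path
        self.pid = None
        self.dbg = None
        self.running = True

        debugger_thread = threading.Thread(target=self.start_debugger)
        debugger_thread.daemon = False
        debugger_thread.start()

        # start_debugger publishes the pid only after pydbg.load() has run;
        # no command is accepted before the debuggee exists.
        while self.pid is None:
            time.sleep(1)

        monitor_thread = threading.Thread(target=self.monitor_debugger)
        monitor_thread.daemon = False
        monitor_thread.start()

    def monitor_debugger(self):
        """Read commands from stdin until ``quit``, dispatching each to ``process_pid``.

        Input is lower-cased and stripped before dispatch.  ``quit`` goes
        through ``process_pid`` too (a plain suspend/resume cycle) and then
        terminates the debuggee and ends the loop.
        """
        while self.running:
            command = raw_input("enter: 'snap', 'restore', 'quit'")
            command = command.lower().strip()
            self.process_pid(command)
            if command == 'quit':
                print("exiting the snapshotter.")
                self.running = False
                self.dbg.terminate_process()

    def process_pid(self, input):
        """Run one snapshot command with every debuggee thread suspended.

        Args:
            input: ``'snap'`` takes a process snapshot, ``'restore'`` rolls
                the process back to the last snapshot; any other value only
                suspends and resumes the threads.

        Raises:
            Whatever ``process_snapshot`` / ``process_restore`` raise.  The
            threads are resumed before the exception propagates, so a failed
            command never leaves the debuggee frozen.
        """
        print("suspending all threads")
        self.dbg.suspend_all_threads()
        try:
            if input == 'snap':
                print("obtaining snapshot.")
                self.dbg.process_snapshot()
            elif input == 'restore':
                print("restore operation.")
                self.dbg.process_restore()
        finally:
            # Resume unconditionally: the original resumed only on the
            # success path, so an error inside snapshot/restore left every
            # target thread suspended.
            print("resuming operation.")
            self.dbg.resume_all_threads()

    def start_debugger(self):
        """Create the pydbg instance, load the target and enter the debug loop.

        Runs on its own thread.  Setting ``self.pid`` is the handshake that
        unblocks ``__init__``; ``self.dbg.run()`` is the pydbg event loop
        (presumably returning only when the debuggee goes away).
        """
        self.dbg = pydbg()
        self.dbg.load(self.exe_path)
        self.pid = self.dbg.pid
        self.dbg.run()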
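# Target loaded under the debugger; adjust for a different debuggee.
exe_path = "c:\\windows\\system32\\calc.exe"

if __name__ == "__main__":
    # Launch only when run as a script, so importing this module for its
    # class does not spawn and debug the target as a side effect.
    snapshotter(exe_path)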