I'm trying to perform DLL injection using Python's Ctypes. I attach Olly to the process that I'm trying to inject and the thread that I'm trying to creates gives the error, "ERROR_INVALID_PARAMETER 00000057". I've been doing some research and I've found that as the error says one of my parameters is bad when I call CreateRemoteThread. I can't seem to figure out what parameter is bad as all the values that I send in seem valid. I set an Olly conditional break point on the call to LoadLibrary and the dll name and (full) path are correct. I also don't see my custom dll loaded in the memory space of the process (in Olly). I'm wondering if it has to do with the fact that my dll and path are unicode when I send them in as a parameter. Although the conditional breakpoint on LoadLibrary says the correct name and path. I also set the argtype and as I understand it an error would be thrown if it was the wrong type and it would try to convert it to the correct type when possible.
import sys
from ctypes import *
from ctypes import wintypes
import ctypes
BYTE = c_ubyte
WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)
HANDLE = c_void_p
PVOID = c_void_p
LPVOID = c_void_p
UNIT_PTR = c_ulong
SIZE_T = c_ulong
LPTHREAD_START_ROUTINE = c_void_p
class SECURITY_ATTRIBUTES(ctypes.Structure):
_fields_ = [("nLength", DWORD),
("lpSecurityDescriptor", LPVOID),
("bInheritHandle", wintypes.BOOL)]
LPSECURITY_ATTRIBUTES = POINTER(SECURITY_ATTRIBUTES)
kernel32.CreateRemoteThread.retype = wintypes.HANDLE
kernel32.CreateRemoteThread.argtypes = [wintypes.HANDLE, LPSECURITY_ATTRIBUTES, ctypes.c_size_t, LPTHREAD_START_ROUTINE, wintypes.LPVOID, wintypes.DWORD, wintypes.LPDWORD]
pid = sys.argv[1]
dll_path = sys.argv[2] #'myDLL.dll'
dll_len = len(dll_path) * 2 #Multiplied by 2 so it would take into account the unicode characters
h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid))
arg_address = kernel32.VirtualAllocEx(h_process, 0, dll_len, VIRTUAL_MEM, PAGE_READWRITE)
written = c_ubyte(0)
bSuccess = kernel32.WriteProcessMemory(h_process, arg_address, dll_path, dll_len, byref(written))
h_kernel32 = kernel32.GetModuleHandleW('kernel32.dll')
h_loadlib = kernel32.GetProcAddress(h_kernel32, b"LoadLibraryW")
thread_id = c_ulong(0)
h_thread = kernel32.CreateRemoteThread(h_process, #404
None,
0,
h_loadlib, #0x770a0000
arg_address, #0x770eef42
0,
byref(thread_id))
h_threadError = GetLastError() #This says ERROR 0 - Operation completed Successfully
h_dllToHook = kernel32.GetModuleHandleW('myDLL.dll') #h_dllToHook returns '0'
error = GetLastError() #This says ERORR 0 - Operation completed Successfully
Another weird thing is the fact that the executable I'm injected is a console application and prints some stuff out. The dll that I'm injecting has an exported function that is called from DLLMAIN that prints stuff out as well. When I check the console it looks like it successfully ran as the stuff in the injected DLL was printed out as well. Also when I put a conditional logging breakpoint on CreateRemoteThread it never gets hit. So my questions are if it is successfully injecting as it seems to be 1) why can't I get a handle to the injected DLL using GetModuleHandleW and 2) why isn't Ollydbg showing that the injected DLL isn't mapped into the process' memory space. I'm stepping through my code and breaking so it's not like the thread is running through and exiting. I've been researching for a while so any help is greatly appreciated! Thanks.
- Use
ctypes.get_last_errorinstead ofGetLastError. This requires theuse_last_erroroption, e.g.WinDLL('kernel32.dll', use_last_error=True). - The
GetModuleHandleWandGetProcAddresssteps are unnecessary. ctypes already does this for you. Just usekernel32.LoadLibraryW. This depends on kernel32.dll always being mapped to the same base address in each process, which I think is true for existing versions of Windows. - In general you should factor in the null terminator when copying a string, e.g. use
len(dll_path) + 1. In this case you're committing a new page of memory (4 KiB on x86 and x64 systems), which is initially all zeros. - I'm not sure how you've defined the
VIRTUAL_MEMallocation type. Does that includeMEM_COMMIT? - Watch out for spelling errors. You wrote
retypeinstead ofrestypefor the prototype ofCreateRemoteThread, which means the return value is still the default 32-bit Cint.
The following works for me, loading a DLL into a Python process.
dllinject.py (ctypes defintions):
import ctypes
from ctypes import wintypes
kernel32 = ctypes.WinDLL('kernel32.dll', use_last_error=True)
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_CREATE_THREAD = 0x0002
MEM_COMMIT = 0x1000
MEM_RELEASE = 0x8000
PAGE_READWRITE = 0x0004
INFINITE = -1
SIZE_T = ctypes.c_size_t
LPSIZE_T = ctypes.POINTER(SIZE_T)
WCHAR_SIZE = ctypes.sizeof(wintypes.WCHAR)
LPSECURITY_ATTRIBUTES = wintypes.LPVOID
LPTHREAD_START_ROUTINE = wintypes.LPVOID
class BOOL_CHECKED(ctypes._SimpleCData):
_type_ = "l"
def _check_retval_(retval):
if retval == 0:
raise ctypes.WinError(ctypes.get_last_error())
return retval
class LPVOID_CHECKED(ctypes._SimpleCData):
_type_ = "P"
def _check_retval_(retval):
if retval is None:
raise ctypes.WinError(ctypes.get_last_error())
return retval
HANDLE_CHECKED = LPVOID_CHECKED # not file handles
kernel32.OpenProcess.restype = HANDLE_CHECKED
kernel32.OpenProcess.argtypes = (
wintypes.DWORD, # dwDesiredAccess
wintypes.BOOL, # bInheritHandle
wintypes.DWORD) # dwProcessId
kernel32.VirtualAllocEx.restype = LPVOID_CHECKED
kernel32.VirtualAllocEx.argtypes = (
wintypes.HANDLE, # hProcess
wintypes.LPVOID, # lpAddress
SIZE_T, # dwSize
wintypes.DWORD, # flAllocationType
wintypes.DWORD) # flProtect
kernel32.VirtualFreeEx.argtypes = (
wintypes.HANDLE, # hProcess
wintypes.LPVOID, # lpAddress
SIZE_T, # dwSize
wintypes.DWORD) # dwFreeType
kernel32.WriteProcessMemory.restype = BOOL_CHECKED
kernel32.WriteProcessMemory.argtypes = (
wintypes.HANDLE, # hProcess
wintypes.LPVOID, # lpBaseAddress
wintypes.LPCVOID, # lpBuffer
SIZE_T, # nSize
LPSIZE_T) # lpNumberOfBytesWritten _Out_
kernel32.CreateRemoteThread.restype = HANDLE_CHECKED
kernel32.CreateRemoteThread.argtypes = (
wintypes.HANDLE, # hProcess
LPSECURITY_ATTRIBUTES, # lpThreadAttributes
SIZE_T, # dwStackSize
LPTHREAD_START_ROUTINE, # lpStartAddress
wintypes.LPVOID, # lpParameter
wintypes.DWORD, # dwCreationFlags
wintypes.LPDWORD) # lpThreadId _Out_
kernel32.WaitForSingleObject.argtypes = (
wintypes.HANDLE, # hHandle
wintypes.DWORD) # dwMilliseconds
kernel32.CloseHandle.argtypes = (
wintypes.HANDLE,) # hObject
dllinject.py (injectdll):
def injectdll(pid, dllpath):
size = (len(dllpath) + 1) * WCHAR_SIZE
hproc = hthrd = addr = None
try:
hproc = kernel32.OpenProcess(
PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
PROCESS_VM_WRITE, False, pid)
addr = kernel32.VirtualAllocEx(
hproc, None, size, MEM_COMMIT, PAGE_READWRITE)
kernel32.WriteProcessMemory(
hproc, addr, dllpath, size, None)
hthrd = kernel32.CreateRemoteThread(
hproc, None, 0, kernel32.LoadLibraryW, addr, 0, None)
kernel32.WaitForSingleObject(hthrd, INFINITE)
finally:
if addr is not None:
kernel32.VirtualFreeEx(hproc, addr, 0, MEM_RELEASE)
if hthrd is not None:
kernel32.CloseHandle(hthrd)
if hproc is not None:
kernel32.CloseHandle(hproc)
test.c:
#include <Windows.h>
#include <stdio.h>
BOOL WINAPI DllMain(HINSTANCE hInstDll, DWORD fdwReason, PVOID fImpLoad)
{
switch (fdwReason) {
case DLL_PROCESS_ATTACH:
printf("DLL Attach\n");
break;
case DLL_PROCESS_DETACH:
printf("DLL Detach\n");
}
return TRUE;
}
demo:
>>> import sys
>>> from subprocess import Popen, PIPE
>>> from dllinject import injectdll
>>> cmd = [sys.executable, '-c', 'import time; time.sleep(10)']
>>> p = Popen(cmd, stdout=PIPE); injectdll(p.pid, 'test.dll')
>>> r = p.wait(); print(p.stdout.read().decode())
DLL Attach
DLL Detach
来源:https://stackoverflow.com/questions/17392721/error-invalid-parameter-error-57-when-calling-createremotethread-with-python-3-2