Ctypes - Passing the address of an integer to WriteProcessMemory

I want to write the value number1, which is an integer, to address1. I tried using addressof, but it still doesn't work properly. What is the equivalent of & from C++?


    windll.kernel32.WriteProcessMemory.argtypes = [c_void_p, c_void_p, c_char_p, c_int, c_void_p]
    windll.kernel32.WriteProcessMemory.restype = c_void_p
    address1 = 0xa9a010
    number1 = 0x140000000
    lpNumberOfBytesWritten = c_size_t(0)
    if windll.kernel32.WriteProcessMemory(
            hProcess,
            c_char_p(address1),
            addressof(c_char_p(number1)),
            sizeof(c_void_p),
            byref(lpNumberOfBytesWritten)) == 0:
        error()

The desired output is *address1=0x140000000, but it contains a different value.


米脂
281 views, 2 answers

慕侠2389804

Listing [Python 3.Docs]: ctypes - A foreign function library for Python.

There are a number of problems (besides the question lacking some information):

- When working with ctypes functions (e.g. ctypes.addressof), you should take into account that they operate on ctypes (not Python) types. So, number must be converted to a ctypes type (one that should fit its value)
- Creating a pointer from its value is a recipe for disaster
- Generally, importing everything into the current namespace is not a good idea ([SO]: What is the reason for using a wildcard import? (@CristiFati's answer))
- Your [MS.Docs]: WriteProcessMemory function definition is a bit wrong (not critical), but it's best to use the existing aliases (for readability)

Here's a working variant.

code00.py:

    #!/usr/bin/env python3

    import sys
    import ctypes
    from ctypes import wintypes


    def main():
        kernel32 = ctypes.WinDLL("kernel32.dll")

        GetCurrentProcess = kernel32.GetCurrentProcess
        GetCurrentProcess.argtypes = []
        GetCurrentProcess.restype = wintypes.HANDLE

        WriteProcessMemory = kernel32.WriteProcessMemory
        WriteProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPVOID, wintypes.LPCVOID, ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
        WriteProcessMemory.restype = wintypes.BOOL

        buf = ctypes.create_string_buffer(b"0123456789")
        print("Buffer INITIAL contents: [{0:}]".format(buf.value))

        number = ctypes.c_ulonglong(0x4847464544434241)  # 8 bytes: ASCII codes H .. A
        address = ctypes.addressof(buf)  # Mimic your address - which is the above buffer's
        bytes_to_write = ctypes.sizeof(number)
        bytes_written = ctypes.c_size_t(0)
        print("Attempting to write ({0:d} bytes) number {1:d} (0x{2:016X}) to address {3:} (0x{4:016X}) ...".format(bytes_to_write, number.value, number.value, address, address))
        res = WriteProcessMemory(GetCurrentProcess(), address, ctypes.addressof(number), bytes_to_write, ctypes.byref(bytes_written))
        if res:
            print("Wrote {0:d} bytes".format(bytes_written.value))
            print("Buffer FINAL contents: [{0:}]".format(buf.value))


    if __name__ == "__main__":
        print("Python {0:s} {1:d}bit on {2:s}\n".format(" ".join(item.strip() for item in sys.version.split("\n")), 64 if sys.maxsize > 0x100000000 else 32, sys.platform))
        main()
        print("\nDone.")

Output:

    [cfati@CFATI-5510-0:e:\Work\Dev\StackOverflow\q057768711]> "e:\Work\Dev\VEnvs\py_064_03.07.03_test0\Scripts\python.exe" code00.py
    Python 3.7.3 (v3.7.3:ef4ec6ed12, Mar 25 2019, 22:22:05) [MSC v.1916 64 bit (AMD64)] 64bit on win32

    Buffer INITIAL contents: [b'0123456789']
    Attempting to write (8 bytes) number 5208208757389214273 (0x4847464544434241) to address 1807564046992 (0x000001A4DB368290) ...
    Wrote 8 bytes
    Buffer FINAL contents: [b'ABCDEFGH89']

    Done.

Notes:

- As seen, the memory contents at the specified address were successfully written
- The only "unusual" thing is that the number has the ASCII codes ['H' .. 'A'], but in the buffer they appear reversed. That's because my PC is little-endian. If you'd like to take a look, I covered this topic in [SO]: Python struct.pack() behavior (@CristiFati's answer)

HUWWW

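First, sizeof(c_void_p) = 4; because 0x140000000 exceeds four bytes, it will be truncated. You can see that, in the same environment, the results for 0x40000000 and 0x140000000 are the same. You need to change sizeof(c_void_p) to sizeof(c_longlong).

Second, according to the function prototype of WriteProcessMemory:

    BOOL WriteProcessMemory(
      HANDLE  hProcess,
      LPVOID  lpBaseAddress,
      LPCVOID lpBuffer,
      SIZE_T  nSize,
      SIZE_T  *lpNumberOfBytesWritten
    );

you can see that the type of lpBuffer is VOID*, so you need to change

    windll.kernel32.WriteProcessMemory.argtypes = [c_void_p, c_void_p, c_char_p, c_int, c_void_p]

to

    windll.kernel32.WriteProcessMemory.argtypes = [c_void_p, c_void_p, c_void_p, c_int, c_void_p]

Finally, here is the modified code.

    from ctypes import *

    windll.kernel32.WriteProcessMemory.argtypes = [c_void_p, c_void_p, c_void_p, c_int, c_void_p]
    windll.kernel32.WriteProcessMemory.restype = c_int  # BOOL; a c_void_p restype turns a 0 return into None
    address1 = 0xa9a010
    number1 = 0x140000000
    value1 = c_longlong(number1)  # named so the buffer stays alive during the call
    lpNumberOfBytesWritten = c_size_t(0)
    # hProcess and error() are defined elsewhere in the asker's program
    if windll.kernel32.WriteProcessMemory(
            hProcess,
            c_char_p(address1),
            addressof(value1),
            sizeof(c_longlong),
            byref(lpNumberOfBytesWritten)) == 0:
        error()

Note: when checking *address1 in hProcess, also pay attention to the type; use a long type to check address1.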
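An added example, not code from either answer: it uses ctypes.memmove on a local c_uint64 as a stand-in for WriteProcessMemory on the current process, so it runs on any OS. It shows the ctypes equivalent of &number, the silent wrap-around of ctypes integers, and the 4-byte truncation the second answer describes. The names poke_int and demo are hypothetical.

```python
import ctypes


def poke_int(dest_addr, value, ctype=ctypes.c_uint64, nbytes=None):
    """Copy `value`, stored as `ctype`, to dest_addr in this process.

    ctypes.memmove stands in for WriteProcessMemory(GetCurrentProcess(), ...).
    Returns the number of bytes copied.
    """
    src = ctype(value)  # real C storage for the number; stays alive as a local
    if src.value != value:
        # ctypes integer types wrap silently instead of raising
        raise OverflowError(f"{value:#x} does not fit in {ctype.__name__}")
    size = ctypes.sizeof(src)
    if nbytes is None:
        nbytes = size
    if nbytes > size:
        raise ValueError("nbytes would read past the end of the source object")
    # addressof(src) is the integer value of C's &src; byref(src) passes the
    # same pointer when calling a foreign function directly.
    ctypes.memmove(dest_addr, ctypes.addressof(src), nbytes)
    return nbytes


def demo(value=0x140000000):
    """Return (result of a full 8-byte write, result of a 4-byte write)."""
    target = ctypes.c_uint64(0)  # constructed stand-in for *address1
    addr = ctypes.addressof(target)

    poke_int(addr, value)  # copies sizeof(c_uint64) == 8 bytes
    full = target.value

    target.value = 0
    poke_int(addr, value, nbytes=4)  # nSize too small for the value
    short = target.value
    return full, short


if __name__ == "__main__":
    full, short = demo()
    print(f"8-byte write: {full:#x}")
    print(f"4-byte write: {short:#x}")
```

On a little-endian machine the 4-byte write leaves 0x40000000 in the target, the same truncated result the second answer reports.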