#### 说明：
$\bullet\quad$本章主要涉及的Python文件是：$\text{debugger_defines.py}$，$\text{debugger.py}$和$\text{test.py}$  

$\bullet\quad$$\text{debugger_defines.py}$存放调试器所需的结构体、联合体和常量，直接使用源代码包中的文件

$\bullet\quad$$\text{debugger.py}$实现我们的Windows下的轻量级调试器，逐步完善

$\bullet\quad$$\text{test.py}$是调试器逐步完善过程中的测试脚本(测试套件)，逐步完善

## 1.调试器直接调用程序

In [None]:
# debugger.py
# Run the executable from the debugger itself

from ctypes import *
from debugger_defines import *

kernel32 = windll.kernel32

class debugger():

    def __init__(self):
        pass

    def load(self, path_to_exe):
        
        # dwCreation flag determines how to create the process
        # set creation_flags = CREATE_NEW_CONSOLE if you want
        # to see the calculator GUI
        creation_flags = DEBUG_PROCESS
        
        # instantiate the structs
        startupinfo         = STARTUPINFO()
        process_information = PROCESS_INFORMATION()
        
        # The following two options allow the started process
        # to be shown as a separate window. This also illustrates
        # how different settings in the STARTUPINFO struct can affect
        # the debuggee.
        startupinfo.dwFlags     = 0x1
        startupinfo.wShowWindow = 0x0
        
        # We then initialize the cb variable in the STARTUPINFO struct
        # which is just the size of the struct itself
        startupinfo.cb = sizeof(startupinfo)
        
        if kernel32.CreateProcessA(path_to_exe,
                                    None,
                                    None,
                                    None,
                                    None,
                                    creation_flags,
                                    None,
                                    None,
                                    byref(startupinfo),
                                    byref(process_information)):
            print "[*] we have successfully launched the process!"
            print "[*] PID:%d" % process_information.dwProcessId
        else:
            print "[*] Error:0x%08x." % kernel32.GetLastError()

In [None]:
# test.py
# run the executable from the debugger itself

import debugger

debugger = debugger.debugger()

debugger.load(r"C:\Windows\System32\calc.exe")

#### 说明：
$\bullet\quad$由于$\text{debugger_defines.py}$使用的是源代码包中的文件，较长，故暂时不展示出来

$\bullet\quad$$\text{debugger_defines.py}$中定义的结构体、联合体和常量，将有另外的文档进行说明

$\bullet\quad$$\text{debugger.py}$中调用的$\text{Microsoft Win32 API}$，将有另外的文档进行说明

#### 运行测试：

If you execute this Python file either via the command line or from your IDE, it will spawn the process you entered, report the process identifier (PID), and then exit. If you use my example of calc.exe, you will not see the calculator’s GUI appear. The reason you won’t see the GUI is because the process hasn’t painted it to the screen yet, because it is waiting for the debugger to continue execution. We haven’t built the logic to do that yet, but it’s coming soon! You now know how to spawn a process that is ready to be debugged. It’s time to whip up some code that attaches a debugger to a running process.

## 2.调试器附加到指定进程

In [None]:
# debugger.py
# Attach the debugger to the specified process
# Such as calc.exe

from ctypes import *
from debugger_defines import *

kernel32 = windll.kernel32

class debugger():

    def __init__(self):
        pass


    def load(self, path_to_exe):

        # dwCreation flag determines how to create the process
        # set creation_flags = CREATE_NEW_CONSOLE if you want
        # to see the calculator GUI
        creation_flags = DEBUG_PROCESS

        # instantiate the structs
        startupinfo         = STARTUPINFO()
        process_information = PROCESS_INFORMATION()

        # The following two options allow the started process
        # to be shown as a separate window. This also illustrates
        # how different settings in the STARTUPINFO struct can affect
        # the debuggee.
        startupinfo.dwFlags     = 0x1
        startupinfo.wShowWindow = 0x0

        # We then initialize the cb variable in the STARTUPINFO struct
        # which is just the size of the struct itself
        startupinfo.cb = sizeof(startupinfo)

        if kernel32.CreateProcessA(path_to_exe,
                                    None,
                                    None,
                                    None,
                                    None,
                                    creation_flags,
                                    None,
                                    None,
                                    byref(startupinfo),
                                    byref(process_information)):
            print "[*] we have successfully launched the process!"
            print "[*] PID:%d" % process_information.dwProcessId
        else:
            print "[*] Error:0x%08x." % kernel32.GetLastError()

# --------------------------- Start New Codes ---------------------------
    def open_process(self, pid):

        h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS, pid, False)
        return h_process


    def attach(self, pid):

        self.h_process = self.open_process(pid)

        # We attempt to attach to the process
        # if this fails we exit the call
        if kernel32.DebugActiveProcess(pid):
            self.debugger_active = True
            self.pid             = int(pid)
            self.run()
        else:
            print "[*] Unable to attach to the process."


    def run(self):

        # Now we have to poll the debuggee for
        # debugging events
        while self.debugger_active == True:
            self.get_debug_event()


    def get_debug_event(self):

        debug_event     = DEBUG_EVENT()
        continue_status = DBG_CONTINUE

        if kernel32.WaitForDebugEvent(byref(debug_event), INFINITE):
            # We aren't going to build any event handlers
            # just yet. Let's just resume the process for now.
            raw_input("Press a key to continue...")
            self.debugger_active = False
            kernel32.ContinueDebugEvent(debug_event.dwProcessId,debug_event.dwThreadId, continue_status)


    def detach(self):

        if kernel32.DebugActiveProcessStop(self.pid):
            print "[*] Finished debugging. Exiting..."
        else:
            print "There was an error!"
            return False
# ---------------------------  End  New Codes ---------------------------

#### 说明：

$\bullet\quad$新增的类函数：$\text{open_process}$、$\text{attach}$、$\text{run}$、$\text{get_debug_event}$、$\text{detach}$

In [None]:
# test.py
# Attach the debugger to the specified process
# Such as calc.exe

import debugger

debugger = debugger.debugger()

#debugger.load(r"C:\Windows\System32\calc.exe")                          # Comment out

# --------------------------- Start New Codes ---------------------------
pid = raw_input("Enter the PID of the process to attach to: ")

debugger.attach(int(pid))

debugger.detach()
# ---------------------------  End  New Codes ---------------------------

#### 说明：

$\bullet\quad$注释掉行$\text{debugger.load(r"C:\Windows\System32\calc.exe")}$

$\bullet\quad$新增最后三行

#### 运行测试：

$\bullet\quad$运行VMware中的Windows XP系统的计算器程序

$\bullet\quad$运行任务管理，查看计算器进程(calc.exe)的PID

$\bullet\quad$执行$\text{test.py}$脚本，出现$\text{Enter the PID of the process to attach to:}$时输入上述PID

$\bullet\quad$当出现$\text{Press a key to continue...}$的提示时，尝试操作计算器，没有任何响应

$\bullet\quad$在控制台中输入任意键，屏幕打印$\text{[*] Finished debugging. Exiting...}$， 然后$\text{test.py}$执行结束

$\bullet\quad$现在能正常操作计算器