WaitForDebugEvent
This function blocks until the debuggee raises a debugging event and returns it as a DEBUG_EVENT structure; its dwDebugEventCode member says which kind of event arrived. As before, the experiment attaches to an already running Notepad++ and records the event code of every event received:
enter pid:75160
openprocess successful, handle 504
event code: 3 thread id: 92528
event code: 6 thread id: 92528
event code: 2 thread id: 160916
event code: 2 thread id: 74764
event code: 2 thread id: 79780
event code: 2 thread id: 355492
event code: 2 thread id: 364512
event code: 2 thread id: 26488
event code: 2 thread id: 357596
event code: 2 thread id: 358200
event code: 2 thread id: 358180
event code: 2 thread id: 353488
event code: 2 thread id: 26904
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 6 thread id: 92528
event code: 2 thread id: 48852
event code: 1 thread id: 48852
[*] exception address: 0x77e68d20
[*] hit the first breakpoint.
event code: 4 thread id: 48852
As the log shows, the first event caught is code 3, which means a new process (CREATE_PROCESS_DEBUG_EVENT). Next comes a 6, a DLL load (LOAD_DLL_DEBUG_EVENT). Then a run of code 2, thread creation (CREATE_THREAD_DEBUG_EVENT); there are exactly eleven of them, matching the eleven threads enumerated in the previous experiment. Then another long run of 6s, one DLL load each, presumably matching the number of DLLs mapped into this exe. Finally 2, 1, 4: one more thread is created, it raises an exception (code 1, EXCEPTION_DEBUG_EVENT, the breakpoint reported at 0x77e68d20), and then it exits (code 4, EXIT_THREAD_DEBUG_EVENT).
So the event code alone is enough to tell the different debug event types apart, and it also tells the debugger which member of the DEBUG_EVENT union holds the details for that event.
What is strange is that the program was started long ago, so why does the debugger still catch a whole batch of the threads created when the program launched? I do not understand this part well.
The explanation is how attaching works. When DebugActiveProcess attaches to a process that is already running, the kernel replays the process's current state to the new debugger as a synthetic event stream: one CREATE_PROCESS_DEBUG_EVENT, one CREATE_THREAD_DEBUG_EVENT for every thread that already exists, and one LOAD_DLL_DEBUG_EVENT for every module already mapped. Without that replay a debugger that was absent at start-up could never build its thread and module tables. The closing 2, 1, 4 on a thread ID that appears nowhere else in the log (48852) is not Notepad++'s own work either: it is the break-in thread the system injects into the target at attach time (DbgUiRemoteBreakin in ntdll.dll). That thread executes a breakpoint instruction, which is why the first exception is an EXCEPTION_BREAKPOINT at an ntdll address rather than somewhere in Notepad++'s code, and then it exits. Two practical consequences: the exception address above is not a fault in the target, and a target that watches for unexpected new threads (a common anti-debugging check) will notice exactly this thread.
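As an added example, not code from the original post or from the book it follows, here is a complete WaitForDebugEvent loop in Python 3 ctypes. The post only prints dwDebugEventCode and dwThreadId; this block declares the whole DEBUG_EVENT layout from the Windows SDK (including the union), so the exception code and address, the image base and each DLL base can be read as well. It also decides the ContinueDebugEvent status per event, closes the file handles that belong to the debugger, and detaches at the attach breakpoint without killing the target. The function names (layout_ok, describe_event, continue_status, debug_loop), the printed format and the sample values used to exercise the decoders are my own choices; only debug_loop() needs Windows and kernel32, the declarations and decoders are plain ctypes and run anywhere.

```python
"""WaitForDebugEvent loop in ctypes (Python 3). Layouts and constants follow winbase.h and winnt.h."""
import ctypes
import sys
from ctypes import POINTER, Structure, Union, byref, c_int, c_size_t, c_uint16, c_uint32, c_void_p, sizeof

DWORD, WORD, HANDLE, LPVOID, ULONG_PTR = c_uint32, c_uint16, c_void_p, c_void_p, c_size_t
EXCEPTION_DEBUG_EVENT, CREATE_PROCESS_DEBUG_EVENT, EXIT_PROCESS_DEBUG_EVENT, LOAD_DLL_DEBUG_EVENT = 1, 3, 5, 6
EVENT_NAMES = {1: "EXCEPTION_DEBUG_EVENT", 2: "CREATE_THREAD_DEBUG_EVENT", 3: "CREATE_PROCESS_DEBUG_EVENT",
               4: "EXIT_THREAD_DEBUG_EVENT", 5: "EXIT_PROCESS_DEBUG_EVENT", 6: "LOAD_DLL_DEBUG_EVENT",
               7: "UNLOAD_DLL_DEBUG_EVENT", 8: "OUTPUT_DEBUG_STRING_EVENT", 9: "RIP_EVENT"}
EXCEPTION_BREAKPOINT, EXCEPTION_SINGLE_STEP = 0x80000003, 0x80000004  # the debugger's own traps
DBG_CONTINUE, DBG_EXCEPTION_NOT_HANDLED, INFINITE = 0x00010002, 0x80010001, 0xFFFFFFFF

def _struct(name, *fields):
    """Build a ctypes Structure from (name, type) pairs so the SDK layouts below stay compact."""
    return type(name, (Structure,), {"_fields_": list(fields)})

# The chained ExceptionRecord pointer is typed as void* to avoid a forward reference; the layout is identical.
EXCEPTION_RECORD = _struct("EXCEPTION_RECORD", ("ExceptionCode", DWORD), ("ExceptionFlags", DWORD),
                           ("ExceptionRecord", LPVOID), ("ExceptionAddress", LPVOID),
                           ("NumberParameters", DWORD), ("ExceptionInformation", ULONG_PTR * 15))
EXCEPTION_DEBUG_INFO = _struct("EXCEPTION_DEBUG_INFO", ("ExceptionRecord", EXCEPTION_RECORD), ("dwFirstChance", DWORD))
CREATE_THREAD_DEBUG_INFO = _struct("CREATE_THREAD_DEBUG_INFO", ("hThread", HANDLE),
                                   ("lpThreadLocalBase", LPVOID), ("lpStartAddress", LPVOID))
CREATE_PROCESS_DEBUG_INFO = _struct("CREATE_PROCESS_DEBUG_INFO", ("hFile", HANDLE), ("hProcess", HANDLE),
                                    ("hThread", HANDLE), ("lpBaseOfImage", LPVOID), ("dwDebugInfoFileOffset", DWORD),
                                    ("nDebugInfoSize", DWORD), ("lpThreadLocalBase", LPVOID),
                                    ("lpStartAddress", LPVOID), ("lpImageName", LPVOID), ("fUnicode", WORD))
EXIT_DEBUG_INFO = _struct("EXIT_DEBUG_INFO", ("dwExitCode", DWORD))  # EXIT_THREAD_ and EXIT_PROCESS_DEBUG_INFO
LOAD_DLL_DEBUG_INFO = _struct("LOAD_DLL_DEBUG_INFO", ("hFile", HANDLE), ("lpBaseOfDll", LPVOID),
                              ("dwDebugInfoFileOffset", DWORD), ("nDebugInfoSize", DWORD),
                              ("lpImageName", LPVOID), ("fUnicode", WORD))
UNLOAD_DLL_DEBUG_INFO = _struct("UNLOAD_DLL_DEBUG_INFO", ("lpBaseOfDll", LPVOID))
OUTPUT_DEBUG_STRING_INFO = _struct("OUTPUT_DEBUG_STRING_INFO", ("lpDebugStringData", LPVOID),
                                   ("fUnicode", WORD), ("nDebugStringLength", WORD))
RIP_INFO = _struct("RIP_INFO", ("dwError", DWORD), ("dwType", DWORD))

class DEBUG_EVENT_UNION(Union):
    _fields_ = [("Exception", EXCEPTION_DEBUG_INFO), ("CreateThread", CREATE_THREAD_DEBUG_INFO),
                ("CreateProcessInfo", CREATE_PROCESS_DEBUG_INFO), ("ExitThread", EXIT_DEBUG_INFO),
                ("ExitProcess", EXIT_DEBUG_INFO), ("LoadDll", LOAD_DLL_DEBUG_INFO),
                ("UnloadDll", UNLOAD_DLL_DEBUG_INFO), ("DebugString", OUTPUT_DEBUG_STRING_INFO),
                ("RipInfo", RIP_INFO)]

DEBUG_EVENT = _struct("DEBUG_EVENT", ("dwDebugEventCode", DWORD), ("dwProcessId", DWORD),
                      ("dwThreadId", DWORD), ("u", DEBUG_EVENT_UNION))

def layout_ok():
    """sizeof(DEBUG_EVENT) is 96 on 32-bit and 176 on 64-bit; anything else means the union is misdeclared."""
    return sizeof(DEBUG_EVENT) == (96 if sizeof(c_void_p) == 4 else 176)

def describe_event(ev):
    """One line per event, reading only the union member that dwDebugEventCode selects."""
    code, detail = ev.dwDebugEventCode, ""
    if code == EXCEPTION_DEBUG_EVENT:
        rec = ev.u.Exception.ExceptionRecord
        detail = " exception=0x%08X addr=0x%X first_chance=%d" % (
            rec.ExceptionCode, rec.ExceptionAddress or 0, ev.u.Exception.dwFirstChance)
    elif code == CREATE_PROCESS_DEBUG_EVENT:
        detail = " image_base=0x%X" % (ev.u.CreateProcessInfo.lpBaseOfImage or 0)
    elif code == LOAD_DLL_DEBUG_EVENT:
        detail = " dll_base=0x%X" % (ev.u.LoadDll.lpBaseOfDll or 0)
    return "event code: %d (%s) thread id: %d%s" % (code, EVENT_NAMES.get(code, "?"), ev.dwThreadId, detail)

def continue_status(ev):
    """Swallow breakpoint/single-step; pass any other exception back to the debuggee's own handlers."""
    if ev.dwDebugEventCode != EXCEPTION_DEBUG_EVENT:
        return DBG_CONTINUE
    if ev.u.Exception.ExceptionRecord.ExceptionCode in (EXCEPTION_BREAKPOINT, EXCEPTION_SINGLE_STEP):
        return DBG_CONTINUE
    return DBG_EXCEPTION_NOT_HANDLED  # if the target does not handle it, it comes back as second chance

def debug_loop(pid):
    """Attach to pid, pump events until the attach breakpoint or process exit, then detach. Windows only."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)  # AttributeError on non-Windows Pythons
    k32.WaitForDebugEvent.argtypes = [POINTER(DEBUG_EVENT), DWORD]
    k32.ContinueDebugEvent.argtypes = [DWORD, DWORD, DWORD]
    k32.CloseHandle.argtypes = [HANDLE]
    if not k32.DebugActiveProcess(DWORD(pid)):  # fails without rights on the target (SeDebugPrivilege)
        raise ctypes.WinError(ctypes.get_last_error())
    k32.DebugSetProcessKillOnExit(c_int(0))  # otherwise the target dies when we detach or exit
    ev, codes = DEBUG_EVENT(), []
    try:
        while k32.WaitForDebugEvent(byref(ev), INFINITE):  # must run on the thread that attached
            print(describe_event(ev))
            codes.append(ev.dwDebugEventCode)
            if ev.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT and ev.u.CreateProcessInfo.hFile:
                k32.CloseHandle(ev.u.CreateProcessInfo.hFile)  # hFile is ours to close; hProcess/hThread are not
            elif ev.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT and ev.u.LoadDll.hFile:
                k32.CloseHandle(ev.u.LoadDll.hFile)
            k32.ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, continue_status(ev))
            if ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT or (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT
                    and ev.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT):
                break
    finally:
        k32.DebugActiveProcessStop(DWORD(pid))  # legal here: every received event has been continued
    return codes
```

On Windows, call debug_loop(pid) from a Python whose bitness can reach the target (a 32-bit Python cannot attach to a 64-bit process), and check layout_ok() first: if the structure size is wrong the kernel fills the buffer at different offsets than the ones you read, and the decoded values are garbage without any error being raised. Off Windows you can still fill a DEBUG_EVENT by hand and run the decoders over it, which is what the checks below do.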