Logging lpRect and uFormat from DrawTextA

reverse-engineering python
2021-06-17 13:07:25

Using Rohitab's API Monitor I found that DrawTextA has some additional parameters that I would like to log with Python and PyDbg (I am currently logging lpchText, as shown below).

(screenshot: DrawTextA)

My current hook code looks like this:

def DrawTextHook(dbg, args):
    # Log lpchText (args[1]); incremental_read is the asker's own helper, not shown here
    text = dbg.get_ascii_string(incremental_read(dbg, args[1], 255))

The parameters I want to log are lpRect and uFormat. How can I extend my current code to log these two parameters?

1 Answer

If you really ask me, I would say dump pydbg and start using ollydbg's logged conditional breakpoints. It will give you the function's arguments, clearly formatted into their components. Or even windbg.

Since you asked about pydbg here, this is how it is done in pydbg:

from pydbg import *
from pydbg.defines import *

def handler_breakpoint(dbg):
    # pydbg reports its own initial breakpoint first; skip it
    if dbg.first_breakpoint:
        return DBG_CONTINUE

    # DrawTextW(hDC, lpchText, cchText, lpRect, uFormat) is x86 stdcall,
    # so the arguments are read from the stack at the breakpoint
    arg1 = dbg.get_arg(1, dbg.context)  # hDC
    arg2 = dbg.get_arg(2, dbg.context)  # lpchText
    arg3 = dbg.get_arg(3, dbg.context)  # cchText (-1 = NUL-terminated)
    arg4 = dbg.get_arg(4, dbg.context)  # lpRect
    arg5 = dbg.get_arg(5, dbg.context)  # uFormat
    text   = dbg.read_process_memory(arg2, 0x20)  # first 0x20 bytes of the wide string
    lprect = dbg.read_process_memory(arg4, 0x10)  # RECT is four LONGs = 16 bytes, printed raw here

    print "hDc = %08x\nText = %08x %s\nCount = %08x\nlpRect = %08x %s\nuFormat = %08x\n" % (arg1, arg2, dbg.get_unicode_string(text), arg3, arg4, lprect, arg5)
    return DBG_CONTINUE

dbg = pydbg()
dbg.set_callback(EXCEPTION_BREAKPOINT, handler_breakpoint)
dbg.attach(2708)  # PID of the running calc.exe
DrawTextW = dbg.func_resolve("user32", "DrawTextW")
dbg.bp_set(DrawTextW)
dbg.debug_event_loop()

And the output for calc.exe (using DrawTextW instead of the A version):

C:\Python27\Lib\site-packages>python calc.py

hDc = 48010f0d
Text = 000b85fe Sta
Count = ffffffff
lpRect = 0007fa7c         $   ↔
uFormat = 00000025

hDc = 4b010f0d
Text = 000b85fe Sta
Count = ffffffff
lpRect = 0007fa7c         $   ↔
uFormat = 00000025

hDc = 6c010ea9
Text = 000b8668 tan
Count = ffffffff
lpRect = 0007fa7c         $   ↔
uFormat = 00000025

hDc = 79010ea9
Text = 000b8668 tan
Count = ffffffff
lpRect = 0007fa7c         $   ↔
uFormat = 00000025

hDc = 7c010f0d
Text = 000b8688 x^2
Count = ffffffff
lpRect = 0007fa7c         $   ↔
uFormat = 00000025

hDc = 8e010f0d
Text = 000b8688 x^2
Count = ffffffff
lpRect = 0007fa7c         $   ↔
uFormat = 00000025

hDc = ab010ea9
Text = 000b869e 1/x
Count = ffffffff
lpRect = 0007fa7c         $   ↔
uFormat = 00000025

hDc = bf010ea9
Text = 000b869e 1/x
Count = ffffffff
lpRect = 0007fa7c         $   ↔
uFormat = 00000025

If you want to switch to ollydbg:

c:> ollydbg.exe calc.exe

alt+e -> select calc.exe -> ctrl+N -> start typing Draw -> select and right-click -> follow import in disassembler -> shift+F4 -> set the "log function arguments" radio button to "always";
leave everything else at default, hit OK, and F9 to run the exe

ollydbg will log all arguments (you can also selectively log only the ones you want, e.g. log only if hDc = XXX and Text == X^2 and Uformat != y).

Sample output from running calc.exe under ollydbg with logging of function arguments for DrawTextW:

7E42D7E2   CALL to DrawTextW from calc.010061F1
             hDC = DA011041
             Text = "Sta"
             Count = FFFFFFFF (-1.)
             pRect = 0007FA28 {0.,0.,36.,29.}
             Flags = DT_CENTER|DT_VCENTER|DT_SINGLELINE
7E42D7E2   CALL to DrawTextW from calc.010061F1
             hDC = DB010B34
             Text = "Ave"
             Count = FFFFFFFF (-1.)
             pRect = 0007FA28 {0.,0.,36.,29.}
             Flags = DT_CENTER|DT_VCENTER|DT_SINGLELINE
7E42D7E2   CALL to DrawTextW from calc.010061F1
             hDC = A0010D69
             Text = "Sum"
             Count = FFFFFFFF (-1.)
             pRect = 0007FA28 {0.,0.,36.,29.}
             Flags = DT_CENTER|DT_VCENTER|DT_SINGLELINE
7E42D7E2   CALL to DrawTextW from calc.010061F1

To do this with windbg:

bp USER32!DrawTextW ".printf \"Text=%mu\\nRect.R=%x\\nRect.B=%x\\n\",poi(esp+8),poi(poi(esp+10)+8),poi(poi(esp+10)+c);gc"

windbg conditional bp output (offsets +8 and +c of the RECT are right and bottom):

0:001> g
Text=F-E
Rect.R=24
Rect.B=1d
Text=dms
Rect.R=24
Rect.B=1d
Text=sin
Rect.R=24
Rect.B=1d
Text=cos
Rect.R=24
Rect.B=1d
Text=tan
Rect.R=24
Rect.B=1d
Text=(
Rect.R=24
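To turn the raw bytes that read_process_memory returns into the fields ollydbg prints (the RECT as four numbers and uFormat as DT_* names), here is an added Python example; it is not part of the original answer and does not depend on pydbg, so it runs offline on constructed input. The DT_* values are the ones from WinUser.h; the sample text and RECT bytes are constructed to match the first calc.exe call logged above, not captured from a target, and the single-byte ANSI decode used for the A variant is an assumption. Plug format_drawtext_call into the pydbg handler in place of the print statement, passing the five get_arg values and the two memory reads.

```python
from __future__ import print_function
import struct

# DT_* bits of uFormat, values as defined in WinUser.h. DT_TOP and DT_LEFT are 0
# (the default alignment) and so never show up as set bits.
DT_FLAGS = [
    ("DT_CENTER", 0x00000001), ("DT_RIGHT", 0x00000002),
    ("DT_VCENTER", 0x00000004), ("DT_BOTTOM", 0x00000008),
    ("DT_WORDBREAK", 0x00000010), ("DT_SINGLELINE", 0x00000020),
    ("DT_EXPANDTABS", 0x00000040), ("DT_TABSTOP", 0x00000080),
    ("DT_NOCLIP", 0x00000100), ("DT_EXTERNALLEADING", 0x00000200),
    ("DT_CALCRECT", 0x00000400), ("DT_NOPREFIX", 0x00000800),
    ("DT_INTERNAL", 0x00001000), ("DT_EDITCONTROL", 0x00002000),
    ("DT_PATH_ELLIPSIS", 0x00004000), ("DT_END_ELLIPSIS", 0x00008000),
    ("DT_MODIFYSTRING", 0x00010000), ("DT_RTLREADING", 0x00020000),
    ("DT_WORD_ELLIPSIS", 0x00040000), ("DT_NOFULLWIDTHCHARBREAK", 0x00080000),
    ("DT_HIDEPREFIX", 0x00100000), ("DT_PREFIXONLY", 0x00200000),
]
DT_KNOWN_MASK = sum(value for _, value in DT_FLAGS)


def decode_rect(raw):
    """RECT is four signed 32-bit LONGs {left, top, right, bottom}, little-endian
    (offsets +0, +4, +8, +0xc)."""
    if len(raw) < 16:
        raise ValueError("RECT needs 16 bytes, got %d" % len(raw))
    return struct.unpack("<iiii", raw[:16])


def decode_uformat(uformat):
    """Render uFormat as DT_ names joined by '|'; bits not in the table are kept as hex."""
    names = [name for name, value in DT_FLAGS if uformat & value]
    unknown = uformat & ~DT_KNOWN_MASK
    if unknown:
        names.append("0x%x" % unknown)
    return "|".join(names) if names else "DT_TOP|DT_LEFT"


def decode_text(raw, count, wide):
    """lpchText as read from the target: UTF-16LE for DrawTextW, ANSI for DrawTextA.
    cchText of -1 (0xffffffff when read as an unsigned stack slot) means NUL-terminated."""
    if wide:
        s = raw[:len(raw) - len(raw) % 2].decode("utf-16-le", "replace")
    else:
        s = raw.decode("latin-1")  # assumption: the target's ANSI code page is single-byte
    if count != 0xffffffff and count != -1:
        return s[:count]
    nul = s.find("\x00")
    return s if nul < 0 else s[:nul]


def format_drawtext_call(hdc, lpchtext, cchtext, lprect, uformat, text_bytes, rect_bytes, wide=True):
    """Build an ollydbg-style record from the five stack arguments plus the two memory reads."""
    left, top, right, bottom = decode_rect(rect_bytes)
    signed_count = cchtext - (1 << 32) if cchtext & 0x80000000 else cchtext
    return "\n".join([
        "hDC = %08x" % hdc,
        'Text = %08x "%s"' % (lpchtext, decode_text(text_bytes, cchtext, wide)),
        "Count = %08x (%d)" % (cchtext, signed_count),
        "pRect = %08x {%d,%d,%d,%d}" % (lprect, left, top, right, bottom),
        "Flags = %08x %s" % (uformat, decode_uformat(uformat)),
    ])


# Constructed sample: what read_process_memory would return for the first calc.exe call
# logged above (Text "Sta", RECT {0,0,36,29}, uFormat 0x25). Not captured from a real target.
SAMPLE_TEXT_W = "Sta\x00".encode("utf-16-le") + b"\x00" * (0x20 - 8)
SAMPLE_RECT = struct.pack("<iiii", 0, 0, 36, 29)

if __name__ == "__main__":
    print(format_drawtext_call(0x48010f0d, 0x000b85fe, 0xffffffff, 0x0007fa7c, 0x25,
                               SAMPLE_TEXT_W, SAMPLE_RECT))
```

For DrawTextA pass wide=False and read the string with read_process_memory as before; 0x25 decodes to DT_CENTER|DT_VCENTER|DT_SINGLELINE, which is exactly what the ollydbg log shows for the same calls.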