Python: kernel32.CreateProcessA() What is it doing?

Question

I am currently learning about debuggers and how they stop processes.

Here is my code:

    from ctypes import *
    WORD = c_ushort
    DWORD = c_ulong
    LPBYTE = POINTER(c_ubyte)
    LPTSTR = POINTER(c_char)
    HANDLE = c_void_p
    DEBUG_PROCESS = 0x00000001
    CREATE_NEW_CONSOLE = 0x00000010
    class STARTUPINFO(Structure):
        _fields_ = [
        ("cb", DWORD),
        ("lpReserved", LPTSTR),
        ("lpDesktop", LPTSTR),
        ("lpTitle", LPTSTR),
        ("dwX", DWORD),
        ("dwY", DWORD),
        ("dwXSize", DWORD),
        ("dwYSize", DWORD),
        ("dwXCountChars", DWORD),
        ("dwYCountChars", DWORD),
        ("dwFillAttribute",DWORD),
        ("dwFlags", DWORD),
        ("wShowWindow", WORD),
        ("cbReserved2", WORD),
        ("lpReserved2", LPBYTE),
        ("hStdInput", HANDLE),
        ("hStdOutput", HANDLE),
        ("hStdError", HANDLE),
        ]
    class PROCESS_INFORMATION(Structure):
        _fields_ = [
        ("hProcess", HANDLE),
        ("hThread", HANDLE),
        ("dwProcessId", DWORD),
        ("dwThreadId", DWORD),
        ]


    kernel32 = windll.kernel32
    class debugger():
        def __init__(self):
            pass

        def load(path_to_exe):
            creation_flags = DEBUG_PROCESS
            startupinfo = STARTUPINFO()
            processinfo = PROCESS_INFORMATION()
            startupinfo.dwFlags = 0x1
            startupinfo.wShowWindow = 0x0
            startupinfo.cb = sizeof(startupinfo)
            if kernel32.CreateProcessA(path_to_exe,None,None,None,None,creation_flags,None,None,byref(startupinfo),byref(processinfo)):
                print("[*] Process launched")
                print("[*] PID: %d" % (PROCESS_INFORMATION.dwProcessId))
            else:
                print("[*] Error: 0x%08x." % (kernel32.GetLastError()))

    debugger.load("C:\\WINDOWS\\system32\\calc.exe")

Whenever I run it, it goes to the error. :( I figured out that the reason that it is going to that error is because the kernel32.CreateProcessA is returning false. I'm actually following along Gray hat python right now, and I'm converting this code to python 3 as I read it.

My question is, what is the kernel32.CreateProcessA doing, why is it returning false, and how can I prevent it from returning false?

Any help would be much appreciated!

Answer 1

You have several error in your code:

The first error is load method of debugger class defined wrong. The most probably in your case it should be staticmethod:

# . . .

# This decorator required to make method static
@staticmethod
def load(path_to_exe):
    creation_flags = DEBUG_PROCESS
    startupinfo = STARTUPINFO()
    processinfo = PROCESS_INFORMATION()
    startupinfo.dwFlags = 0x1

# . . .

The second error is at print if process was created:

if kernel32.CreateProcessA(path_to_exe,None,None,None,None,
                           creation_flags,None,None,
                           byref(startupinfo),byref(processinfo)):
    print("[*] Process launched")

    # ERROR AT THE LINE BELOW
    # Your variant: print("[*] PID: %d" % (PROCESS_INFORMATION.dwProcessId))
    # But it should be the structure itself not it "type"
    print("[*] PID: %d" % (processinfo.dwProcessId))  
else:
    print("[*] Error: 0x%08x." % (kernel32.GetLastError()))

In my case it's works (Windows XP). If your process not really started and you get in console message something like that:

[*] Error: 0x00000002

Then if you use Python 3.x you should use not CreateProcessA but CreateProcessW function because all string in Python 3.x is in unicode (in WinAPI all functions ends with 'A' accept asci-strings, ends with 'W' accept unicode-strings). More exactly answer can be if you write what error or exception occurred in your case.