Accessing windows structures through ctypes.

[Rajat]

Hi,

Using ctypes can I access the windows structures like:

PROCESS_INFORMATION_BLOCK, Process Environment Block(PEB),
PEB_LDR_DATA, etc?


Regards,
Rajat

 

[alex23]

Using ctypes can I access the windows structures like:

PROCESS_INFORMATION_BLOCK, Process Environment Block(PEB),
PEB_LDR_DATA, etc?

ctypes.wintypes lists all of the Windows structures included with the
module.

You should be able to use ctypes.Structure class to roll your own:

http://docs.python.org/library/ctypes.html#structured-data-types
http://code.activestate.com/recipes/208699/
http://msdn.microsoft.com/en-us/library/ms684855(VS.85).aspx

 

[Rajat]

ctypes.wintypes lists all of the Windows structures included with the
module.

You should be able to use ctypes.Structure class to roll your own:

Thanks Alex. As you suggested, I'm trying to implemenet the below
structure, windows PEB, in Python:

typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[21];
PPEB_LDR_DATA LoaderData;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved3[520];
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved4[136];
ULONG SessionId;
} PEB;

My equivalent Python structure is:
class PEB(Structure):
_fields_ = [("Reserved1", wintypes.BYTE * 2),
("BeingDebugged", wintypes.BYTE),
("Reserved2", wintypes.BYTE * 2),
("Reserved3", c_void_p),
("Ldr", pointer(PEB_LDR_DATA)),
("ProcessParameters", pointer
(RTL_USER_PROCESS_PARAMETERS)),
("Reserved4", wintypes.BYTE * 104),
("Reserved5", c_void_p),
(),
("Reserved6", wintypes.BYTE),
("Reserved7", c_void_p),
("SessionId", c_ulong)]

I'm not sure what needs to go in the above empty tuple for
"PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine" (in Original
PEB).

Please suggest.