[Tutor] ctypes wintypes
Michael C
mysecretrobotfactory at gmail.com
Fri Oct 6 14:43:04 EDT 2017
Sorry, but I don't understand this line:
    mbi = MEMORY_BASIC_INFORMATION()
This creates an instance of the class?
Also, I thought with VirtualQueryEx, what you need for it
is a handle, which I acquire from this
    Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,
                                   False, PID)
and then feed it to the function like so:
    VirtualQuery(Process, ctypes.byref(mbi), ctypes.sizeof(mbi))
I know it doesn't work. But what are these lines for? They don't look like
a handle to me:
    VirtualQuery = kernel32.VirtualQuery
    VirtualQuery.restype = SIZE_T
    VirtualQuery.argtypes = (LPVOID, PMEMORY_BASIC_INFORMATION, SIZE_T)
Thanks!
On Thu, Oct 5, 2017 at 1:13 PM, eryk sun <eryksun at gmail.com> wrote:
> On Thu, Oct 5, 2017 at 8:27 PM, Michael C
> <mysecretrobotfactory at gmail.com> wrote:
> >
> > How do I see the values of each field? This doesn't work.
> >
> > print(PMEMORY_BASIC_INFORMATION.Protect)
>
> Create an instance of MEMORY_BASIC_INFORMATION and pass a pointer to
> it via byref(). For example, the following queries the region of
> memory of the VirtualQuery function itself.
>
>     kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
>
>     MEM_COMMIT = 0x1000
>     PAGE_EXECUTE_READ = 0x20
>     PAGE_EXECUTE_WRITECOPY = 0x80
>
>     VirtualQuery = kernel32.VirtualQuery
>     VirtualQuery.restype = SIZE_T
>     VirtualQuery.argtypes = (LPVOID, PMEMORY_BASIC_INFORMATION, SIZE_T)
>
>     mbi = MEMORY_BASIC_INFORMATION()
>     VirtualQuery(VirtualQuery, ctypes.byref(mbi), ctypes.sizeof(mbi))
>
>     >>> mbi.AllocationBase == kernel32._handle
>     True
>     >>> mbi.AllocationProtect == PAGE_EXECUTE_WRITECOPY
>     True
>     >>> mbi.BaseAddress
>     140703181352960
>     >>> mbi.RegionSize
>     364544
>     >>> mbi.State == MEM_COMMIT
>     True
>     >>> mbi.Protect == PAGE_EXECUTE_READ
>     True
>
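
Added example, not part of the thread: the same query made through VirtualQueryEx, whose first argument is a process handle and whose second is the address to look up, used to walk a process's regions in address order. The names iter_regions, query_ex and fake_query and the SAMPLE map are constructed for illustration; off Windows the sample map stands in for a live process.

```python
import ctypes
import sys

class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # DWORD is 32 bits; c_uint32 keeps the Windows layout on any host.
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_uint32), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_uint32), ("Protect", ctypes.c_uint32),
                ("Type", ctypes.c_uint32)]

STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
           0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
           0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

def iter_regions(process, query):
    """Yield (base, size, state, protect) per region; query returns 0 when done."""
    address, mbi = 0, MEMORY_BASIC_INFORMATION()
    while query(process, address, mbi):
        base = mbi.BaseAddress or 0  # a c_void_p field reads back as None for 0
        # Low byte is the base protection; modifiers such as PAGE_GUARD are masked off.
        yield (base, mbi.RegionSize, STATE.get(mbi.State, hex(mbi.State)),
               PROTECT.get(mbi.Protect & 0xFF, "none"))
        address = base + mbi.RegionSize  # the next region starts where this one ends

if sys.platform == "win32":
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    kernel32.VirtualQueryEx.restype = ctypes.c_size_t
    # Handle first, then the address, then the output struct and its size.
    kernel32.VirtualQueryEx.argtypes = (ctypes.c_void_p, ctypes.c_void_p,
        ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t)
    def query_ex(process, address, mbi):
        return kernel32.VirtualQueryEx(process, address, ctypes.byref(mbi), ctypes.sizeof(mbi))

# Constructed sample map: (base, size, State, Protect); 0x104 is READWRITE + GUARD.
SAMPLE = [(0x0, 0x10000, 0x10000, 0x01), (0x10000, 0x2000, 0x1000, 0x20),
          (0x12000, 0x1000, 0x1000, 0x104)]

def fake_query(process, address, mbi):
    for base, size, state, protect in SAMPLE:
        if base <= address < base + size:
            mbi.BaseAddress, mbi.RegionSize, mbi.State, mbi.Protect = base, size, state, protect
            return ctypes.sizeof(mbi)
    return 0  # address is past the last region, as VirtualQueryEx reports with 0

if __name__ == "__main__":
    live = sys.platform == "win32"
    args = (kernel32.GetCurrentProcess(), query_ex) if live else (None, fake_query)
    for region in iter_regions(*args):
        print("%#x %#x %s %s" % region)
```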