[Tutor] ctypes wintypes

Michael C mysecretrobotfactory at gmail.com
Fri Oct 6 16:12:32 EDT 2017

Hi all:

How do I create a buffer, or rather, is a buffer just a variable?
How do I create a pointer to it?

This code ran fine (thanks to you, Eryk, I now know how to make
VirtualQueryEx work)
until I ran the ReadProcessMemory part.

I think I am not feeding the function properly.

Please look at the red part of this code


>code starts here


print('VirtualQueryEx ran properly?',Kernel32.VirtualQueryEx(Process, \

print('mbi start')
print('mbi.BaseAddress: ',mbi.BaseAddress)
print('mbi.AllocationBase: ',mbi.AllocationBase)
print('mbi.AllocationProtect: ',mbi.AllocationProtect)
print('mbi.RegionSize: ',mbi.RegionSize)
print('mbi.State: ',mbi.State)
print('mbi.Protect: ', mbi.Protect)
print('mbi.Type: ',mbi.Type)

buffer = ctypes.create_string_buffer(4)
bufferSize = ctypes.sizeof(buffer)
bytesRead = ctypes.c_size_t(0)   # SIZE_T *lpNumberOfBytesRead out-parameter

ReadProcessMemory = Kernel32.ReadProcessMemory
# Declare the prototype so 64-bit handles/addresses are not truncated to C int.
ReadProcessMemory.argtypes = (ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                              ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t))
ReadProcessMemory.restype = ctypes.c_int   # BOOL

# lpBaseAddress is an address *in the target process*, i.e. mbi.BaseAddress,
# not byref(mbi), which points at the local MEMORY_BASIC_INFORMATION struct.
if ReadProcessMemory(Process, mbi.BaseAddress, buffer, bufferSize, ctypes.byref(bytesRead)):
        print('buffer is: ', buffer.raw[:bytesRead.value])
else:
        print('something is wrong, GetLastError =', ctypes.GetLastError())

On Fri, Oct 6, 2017 at 12:03 PM, eryk sun <eryksun at gmail.com> wrote:

> On Fri, Oct 6, 2017 at 7:43 PM, Michael C
> <mysecretrobotfactory at gmail.com> wrote:
> > Sorry but I dont understand this line:
> >
> >
> > This creates a instance of the class?
> Yes, and this allocates sizeof(MEMORY_BASIC_INFORMATION) bytes at
> addressof(mbi), which you pass to a function by reference via
> byref(mbi).
> > Also, I thought with VirtualQueryEx, what you need for it
> > is a handle, which I acquire from this
> > Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_
> > False, PID)
> My example called VirtualQuery, not VirtualQueryEx. Internally
> VirtualQuery calls VirtualQueryEx using the pseudo handle
> (HANDLE)(-1), which refers to the current process.
> > and then feed it to the function like so:
> >
> > VirtualQuery(Process, ctypes.byref(mbi), ctypes.sizeof(mbi))
> >
> > I know it doesn't work. But what are these lines for? They don't look like
> > a handle to me:
> >
> > VirtualQuery = kernel32.VirtualQuery
> > VirtualQuery.restype = SIZE_T
> In the above, I'm setting the function pointer's argtypes attribute to
> the types of the 3 parameters that VirtualQuery takes: the target
> address (i.e. LPVOID), a pointer to the buffer (i.e.
> PMEMORY_BASIC_INFORMATION), and the size of the buffer (SIZE_T). This
> is to allow ctypes to correctly check and convert arguments passed to
> the function.
> VirtualQueryEx has four parameters, starting with the handle to the
> target process, hProcess. The remaining 3 are the same as
> VirtualQuery.
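The following is an added example, not code from either poster in this thread. It shows the complete VirtualQueryEx / ReadProcessMemory pattern the question is about: declare argtypes and restype so 64-bit handles and addresses are not silently truncated to C int, pass mbi.BaseAddress (an address in the target) as lpBaseAddress rather than byref(mbi) (a pointer to our own local struct), supply the lpNumberOfBytesRead out-parameter, and skip regions that are not committed or are PAGE_NOACCESS/PAGE_GUARD, since ReadProcessMemory fails on those. The structure and constants are the standard winnt.h definitions; ctypes.wintypes is deliberately avoided so the pure-Python helpers (and the struct layout) can be exercised on any platform. The kernel32 part assumes Windows, and reading one's own process is used as the demo target so no extra privileges are needed. Region sizes are capped by an assumed limit parameter, and the helper names are this example's own.

```python
import ctypes
import sys

# Memory state / protection constants from winnt.h
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_FREE = 0x10000
PAGE_NOACCESS = 0x01
PAGE_GUARD = 0x100
PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MODIFIER_NAMES = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # DWORD is a fixed 32-bit type, so use c_uint32 rather than c_ulong
    # (c_ulong is 8 bytes on 64-bit Linux and would break the layout there).
    _fields_ = [
        ("BaseAddress", ctypes.c_void_p),
        ("AllocationBase", ctypes.c_void_p),
        ("AllocationProtect", ctypes.c_uint32),
        ("RegionSize", ctypes.c_size_t),
        ("State", ctypes.c_uint32),
        ("Protect", ctypes.c_uint32),
        ("Type", ctypes.c_uint32),
    ]


def describe_protect(protect):
    """Render mbi.Protect as names, e.g. 0x104 -> 'PAGE_READWRITE|PAGE_GUARD'."""
    parts = [PROTECT_NAMES.get(protect & 0xFF, hex(protect & 0xFF))]
    parts += [name for bit, name in MODIFIER_NAMES.items() if protect & bit]
    return "|".join(parts)


def is_readable_region(state, protect):
    """Only committed pages that are neither NOACCESS nor GUARD can be read."""
    if state != MEM_COMMIT:
        return False
    if (protect & 0xFF) == PAGE_NOACCESS or protect & PAGE_GUARD:
        return False
    return True


if sys.platform == "win32":
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)

    VirtualQueryEx = kernel32.VirtualQueryEx
    VirtualQueryEx.argtypes = (ctypes.c_void_p, ctypes.c_void_p,
                               ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t)
    VirtualQueryEx.restype = ctypes.c_size_t

    ReadProcessMemory = kernel32.ReadProcessMemory
    ReadProcessMemory.argtypes = (ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                  ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t))
    ReadProcessMemory.restype = ctypes.c_int  # BOOL

    OpenProcess = kernel32.OpenProcess
    OpenProcess.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32)
    OpenProcess.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = (ctypes.c_void_p,)

    def iter_regions(hprocess):
        """Walk the target's address space one region at a time with VirtualQueryEx."""
        address = 0
        while True:
            mbi = MEMORY_BASIC_INFORMATION()
            if not VirtualQueryEx(hprocess, address, ctypes.byref(mbi), ctypes.sizeof(mbi)):
                return  # query fails once we run past the top of user space
            yield mbi
            address = (mbi.BaseAddress or 0) + mbi.RegionSize

    def read_region(hprocess, mbi, limit=4096):
        """Read up to `limit` bytes from the start of one region (limit is this example's choice)."""
        size = min(mbi.RegionSize, limit)
        buf = ctypes.create_string_buffer(size)
        nread = ctypes.c_size_t(0)
        # lpBaseAddress = remote address (mbi.BaseAddress), NOT byref(mbi)
        if not ReadProcessMemory(hprocess, mbi.BaseAddress, buf, size, ctypes.byref(nread)):
            raise ctypes.WinError(ctypes.get_last_error())
        return buf.raw[:nread.value]

    def dump_readable_regions(pid, limit=64):
        h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
        if not h:
            raise ctypes.WinError(ctypes.get_last_error())
        try:
            for mbi in iter_regions(h):
                if not is_readable_region(mbi.State, mbi.Protect):
                    continue
                data = read_region(h, mbi, limit)
                print(hex(mbi.BaseAddress), describe_protect(mbi.Protect), data[:16])
        finally:
            kernel32.CloseHandle(h)

    if __name__ == "__main__":
        dump_readable_regions(kernel32.GetCurrentProcessId())
```

Run it on Windows to list the readable regions of the current process; for another PID you need a handle with PROCESS_QUERY_INFORMATION and PROCESS_VM_READ, which for processes owned by other users requires elevation. The filter in is_readable_region matters in practice: without it a scanner stops on the first guard page or reserved range with a ReadProcessMemory failure.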
