[CODE] Dumping Python Modules (from an injected DLL)

[GliderPro]

What I'm trying to accomplish with this is dumping all the modules from a program written in Python.

In this case the Python library I was trying to use was delivered in DLL form. To make my life easier I made an import library so I didn't have to GetProcAddress a bunch of functions. To create an import library from a DLL you do the following.

1)

Code:

DUMPBIN /EXPORTS python25.dll > python25.def

2) Edit the DEF file to remove all C++ exports and add the following header

Code:

LIBRARY PYTHON25

EXPORTS

3)

Code:

LIB /DEF:python25.def

This only works for exported functions that are declared with the _cdecl calling convention. You can build an export library with C++ objects but it takes some extra work. See this page for more info. How To Create 32-bit Import Libraries Without .OBJs or Source

Now you can make an injected DLL that will call into Python directly. I used the header files from the corresponding Python distribution in my code but I had to trick the header into thinking it was a retail build when I was doing a debug build.

Code:

#ifdef _DEBUG
#undef _DEBUG 
#include <python.h>
#include <stackless_api.h>
#define _DEBUG
#else
#include <python.h>
#include <stackless_api.h>
#endif

Next I created a ThreadProc within my DLL that would dump all of the objects. This code locks down the stack so other threads aren't changing things. Then it gets the global module dictionary and dumps it.

Code:

DWORD WINAPI ThreadProc(LPVOID unused)
{
  Sleep(5000);

  PyGILState_STATE gil_state = PyGILState_Ensure();

  PyObject *modules = PyImport_GetModuleDict();

  if( modules != NULL )
  {
    dbg_printf("PyImport_GetModuleDict returned 0x%08X\n",modules);
    dump_dict(modules);
  }

  PyGILState_Release(gil_state);  

  return 1;
}

The next step is to dump the contents of the dictionary object. I had to keep track of all the dictionaries I've dumped or this code recurses until the stack is depleted.

Code:

void dump_dict(PyObject *obj_ptr)
{
  Py_ssize_t i;
  PyObject *key, *value;
  std::set<PyObject *>::const_iterator iter;

  try
  {
    if( PyDict_CheckExact(obj_ptr) == true )
    {
      dump_obj(obj_ptr);

      iter = dict_set.find(obj_ptr);
      if( iter == dict_set.end() )
      {
        dict_set.insert(obj_ptr);

        i = 0;
        while( PyDict_Next((PyObject *)obj_ptr, &i, &key, &value) ) 
        {
          Py_INCREF(value);
          Py_INCREF(key);
          dbg_printf("=== key ===\n");
          dump_obj(key);
          dbg_printf("=== value ===\n");
          dump_obj(value);

          if( PyModule_CheckExact(value) == true )
          {
            dump_module(value);
          }
          
          Py_DECREF(value);
        }
      }
    }
  }
  catch(...)  // catch all
  {
    dbg_printf("exception in dump_dict!\n");
  }
}

The final step is to dump the module objects. I also had to keep track of what was previously dumped here to prevent recursion.

Code:

void dump_module(PyObject *obj_ptr)
{
  PyObject *moddict;
  std::set<PyObject *>::const_iterator iter;

  try
  {
    iter = mod_set.find(obj_ptr);
    if( iter == mod_set.end() )
    {
      mod_set.insert(obj_ptr);

      if( PyModule_CheckExact(obj_ptr) == true )
      {
        moddict = PyModule_GetDict(obj_ptr);
        dbg_printf("=== module dict ===\n");
        dump_dict(moddict);
      }
    }
  }
  catch(...)  // catch all
  {
    dbg_printf("exception in dump_module!\n");
  }
}