CreateToolhelp32Snapshot()で各種レジスタの値を取得できない

前提・実現したいこと

Pythonで簡易的なデバッガを作っています。
アタッチしたプロせス内のスレッドから、レジスタ情報をCreateToolhelp32Snapshot()で取得したいのですが、失敗してしまいます。

出力

[*] Dumping registers for thread ID: 0x00001204
[**] EIP: 0x00000000
[**] ESP: 0x00000000
[**] EBP: 0x00000000
[**] EAX: 0x00000000
[**] EBX: 0x00000000
[**] ECX: 0x00000000
[**] EDX: 0x00000000
[*] END DUMP
...

該当のソースコード

debugger_error.py

python
1from ctypes import *
2from debugger_defines import *
3
4kernel32 = windll.kernel32
5
6
7class debugger():
8    def __init__(self):
9        self.h_process = None
10        self.pid = None
11        self.debugger_active = False
12
13    def attach(self, pid):
14        self.h_process = self.open_process(pid)
15
16        if kernel32.DebugActiveProcess(pid):
17            self.debugger_active = True
18            self.pid = int(pid)
19        else:
20            print("[*] Unable to Attach to the process")
21
22    def detach(self):
23        if (kernel32.DebugActiveProcessStop(self.pid)):
24            print("[*] Finished debugging Exiting ...")
25            return True
26        else:
27            print("There was an Error")
28            return False
29
30    def open_process(self, pid):
31        h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
32        return h_process
33
34    def open_thread(self, thread_id):
35        h_thread = kernel32.OpenThread(THREAD_ALL_ACCESS, None, thread_id)
36        if h_thread is not 0:
37            return h_thread
38        else:
39            print("[*] Could not obtain a valid thread handle.")
40            return False
41
42    def enumerate_threads(self):
43        thread_entry = THREADENTRY32()
44        thread_list = []
45        snapshot = kernel32.CreateToolhelp32Snapshot(
46            TH32CS_SNAPTHREAD | TH32CS_SNAPMODULE32, self.pid)
47
48        if snapshot is not None:
49            thread_entry.dwSize = sizeof(thread_entry)
50            success = kernel32.Thread32First(snapshot, byref(thread_entry))
51
52            while success:
53                if thread_entry.th32OwnerProcessID == self.pid:
54                    thread_list.append(thread_entry.th32ThreadID)
55                success = kernel32.Thread32Next(snapshot, byref(thread_entry))
56
57            kernel32.CloseHandle(snapshot)
58            return thread_list
59
60        else:
61            return False
62
63    def get_thread_context(self, thread_id=None, h_thread=None):
64        context = CONTEXT()
65        context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS
66
67        if h_thread is None:
68            h_thread = self.open_thread(thread_id)
69        if kernel32.GetThreadContext(h_thread, byref(context)):
70            kernel32.CloseHandle(h_thread)
71            return context
72        else:
73            return False
74

test.py

python
1import debugger_error
2
3debugger = debugger_error.debugger()
4
5pid = input("Enter the PID of the process to attach to: ")
6
7debugger.attach(int(pid))
8list_ = debugger.enumerate_threads()
9
10for thread in list_:
11    thread_context = debugger.get_thread_context(thread)
12    print("[*] Dumping registers for thread ID: 0x%08x" % thread)
13    print("[**] EIP: 0x%08x" % thread_context.Eip)
14    print("[**] ESP: 0x%08x" % thread_context.Esp)
15    print("[**] EBP: 0x%08x" % thread_context.Ebp)
16    print("[**] EAX: 0x%08x" % thread_context.Eax)
17    print("[**] EBX: 0x%08x" % thread_context.Ebx)
18    print("[**] ECX: 0x%08x" % thread_context.Ecx)
19    print("[**] EDX: 0x%08x" % thread_context.Edx)
20    print("[*] END DUMP")
21
22# debugger.run()
23debugger.detach()

debugger_defines.py

python
1from ctypes import *
2
3BYTE = c_ubyte
4WORD = c_ushort
5DWORD = c_ulong
6LPBYTE = POINTER(c_ubyte)
7LPTSTR = POINTER(c_char)
8HANDLE = c_void_p
9PVOID = c_void_p
10LPVOID = c_void_p
11UINT_PTR = c_ulong
12SIZE_T = c_ulong
13
14DEBUG_PROCESS = 0x00000001
15CREATE_NEW_CONSOLE = 0x00000010
16PROCESS_ALL_ACCESS = 0x001F0FFF
17INFINITE = 0xFFFFFFFF
18DBG_CONTINUE = 0x00010002
19DBG_EXCEPTION_NOT_HANDLED = 0x80010001
20
21EXCEPTION_DEBUG_EVENT = 0x1
22CREATE_THREAD_DEBUG_EVENT = 0x2
23CREATE_PROCESS_DEBUG_EVENT = 0x3
24EXIT_THREAD_DEBUG_EVENT = 0x4
25EXIT_PROCESS_DEBUG_EVENT = 0x5
26LOAD_DLL_DEBUG_EVENT = 0x6
27UNLOAD_DLL_DEBUG_EVENT = 0x7
28OUTPUT_DEBUG_STRING_EVENT = 0x8
29RIP_EVENT = 0x9
30
31EXCEPTION_ACCESS_VIOLATION = 0xC0000005
32EXCEPTION_BREAKPOINT = 0x80000003
33EXCEPTION_GUARD_PAGE = 0x80000001
34EXCEPTION_SINGLE_STEP = 0x80000004
35
36TH32CS_SNAPHEAPLIST = 0x00000001
37TH32CS_SNAPPROCESS = 0x00000002
38TH32CS_SNAPTHREAD = 0x00000004
39TH32CS_SNAPMODULE = 0x00000008
40TH32CS_SNAPMODULE32 = 0x00000010
41TH32CS_INHERIT = 0x80000000
42TH32CS_SNAPALL = (TH32CS_SNAPHEAPLIST | TH32CS_SNAPPROCESS |
43                  TH32CS_SNAPTHREAD | TH32CS_SNAPMODULE)
44THREAD_ALL_ACCESS = 0x001F03FF
45
46CONTEXT_FULL = 0x00010007
47CONTEXT_DEBUG_REGISTERS = 0x00010010
48
49PAGE_EXECUTE_READWRITE = 0x00000040
50
51HW_ACCESS = 0x00000003
52HW_EXECUTE = 0x00000000
53HW_WRITE = 0x00000001
54
55PAGE_NOACCESS = 0x00000001
56PAGE_READONLY = 0x00000002
57PAGE_READWRITE = 0x00000004
58PAGE_WRITECOPY = 0x00000008
59PAGE_EXECUTE = 0x00000010
60PAGE_EXECUTE_READ = 0x00000020
61PAGE_EXECUTE_READWRITE = 0x00000040
62PAGE_EXECUTE_WRITECOPY = 0x00000080
63PAGE_GUARD = 0x00000100
64PAGE_NOCACHE = 0x00000200
65PAGE_WRITECOMBINE = 0x00000400
66
67
68class STARTUPINFO(Structure):
69    _fields_ = [
70        ("cb",            DWORD),
71        ("lpReserved",    LPTSTR),
72        ("lpDesktop",     LPTSTR),
73        ("lpTitle",       LPTSTR),
74        ("dwX",           DWORD),
75        ("dwY",           DWORD),
76        ("dwXSize",       DWORD),
77        ("dwYSize",       DWORD),
78        ("dwXCountChars", DWORD),
79        ("dwYCountChars", DWORD),
80        ("dwFillAttribute", DWORD),
81        ("dwFlags",       DWORD),
82        ("wShowWindow",   WORD),
83        ("cbReserved2",   WORD),
84        ("lpReserved2",   LPBYTE),
85        ("hStdInput",     HANDLE),
86        ("hStdOutput",    HANDLE),
87        ("hStdError",     HANDLE),
88    ]
89
90
91class PROCESS_INFORMATION(Structure):
92    _fields_ = [
93        ("hProcess",    HANDLE),
94        ("hThread",     HANDLE),
95        ("dwProcessId", DWORD),
96        ("dwThreadId",  DWORD),
97    ]
98
99
100class FLOATING_SAVE_AREA(Structure):
101    _fields_ = [
102        ("ControlWord", DWORD),
103        ("StatusWord", DWORD),
104        ("TagWord", DWORD),
105        ("ErrorOffset", DWORD),
106        ("ErrorSelector", DWORD),
107        ("DataOffset", DWORD),
108        ("DataSelector", DWORD),
109        ("RegisterArea", BYTE * 80),
110        ("Cr0NpxState", DWORD),
111    ]
112
113
114class CONTEXT(Structure):
115    _fields_ = [
116
117        ("ContextFlags", DWORD),
118        ("Dr0", DWORD),
119        ("Dr1", DWORD),
120        ("Dr2", DWORD),
121        ("Dr3", DWORD),
122        ("Dr6", DWORD),
123        ("Dr7", DWORD),
124        ("FloatSave", FLOATING_SAVE_AREA),
125        ("SegGs", DWORD),
126        ("SegFs", DWORD),
127        ("SegEs", DWORD),
128        ("SegDs", DWORD),
129        ("Edi", DWORD),
130        ("Esi", DWORD),
131        ("Ebx", DWORD),
132        ("Edx", DWORD),
133        ("Ecx", DWORD),
134        ("Eax", DWORD),
135        ("Ebp", DWORD),
136        ("Eip", DWORD),
137        ("SegCs", DWORD),
138        ("EFlags", DWORD),
139        ("Esp", DWORD),
140        ("SegSs", DWORD),
141        ("ExtendedRegisters", BYTE * 512),
142    ]
143
144
145class THREADENTRY32(Structure):
146    _fields_ = [
147        ("dwSize",             DWORD),
148        ("cntUsage",           DWORD),
149        ("th32ThreadID",       DWORD),
150        ("th32OwnerProcessID", DWORD),
151        ("tpBasePri",          DWORD),
152        ("tpDeltaPri",         DWORD),
153        ("dwFlags",            DWORD),
154    ]
155