
Python :: ctypes :: GetProcAddress() returns error

The following is part of a debugger class. I've got the following code for enumerating processes in the debuggee. First it enumerates and loads the handles of the existing debuggee's processes into an array. Then I'm trying to get the address of a particular function in a particular module. In this case I'm trying to get the address of printf() out of msvcr100.dll.


from ctypes import *
from ctypes.wintypes import MAX_PATH

kernel32 = windll.kernel32
psapi = windll.psapi


def enumerate_module(self, pid):

    # Room for up to 1024 module handles; an HMODULE is the module's base address
    lphModule = (c_void_p * 1024)()
    lpcbNeeded = c_ulong(0)

    if psapi.EnumProcessModules(self.h_process, lphModule, sizeof(c_void_p) * 1024, byref(lpcbNeeded)):
        count = int(lpcbNeeded.value / sizeof(c_void_p))
        print("[*] EnumProcessModules: %d modules detected" % count)
        for i in range(count):
            ReadBuffer = create_string_buffer(MAX_PATH)
            psapi.GetModuleFileNameExA(self.h_process, lphModule[i], ReadBuffer, MAX_PATH)
            FileName = ReadBuffer.value
            print("[*] %d - 0x%08x - %s" % (i, lphModule[i], FileName))
        # lphModule[3] is MSVCR100.dll in the output below; the handle belongs to
        # the debuggee, and this is the call that fails with error 126
        address = kernel32.GetProcAddress(lphModule[3], "printf")
        if not address:
            error = GetLastError()
            print("[*] GetProcAddress() ERROR: %d - %s" % (error, FormatError(error)))
        print("[**] Getting printf() address is: 0x%08x" % address)
        return True
    else:
        error = GetLastError()
        print("[*] EnumProcessModules: %d - %s" % (error, FormatError(error)))
        return False

For some odd reason I cannot get it to work. GetProcAddress() returns:

ERROR: 126 - The specified module could not be found.

Any ideas???

PS. This might clarify my question a little. Script output:

    Enter the PID of the process to attach to: 2476
    Opening process: 2476
    [*] DebugActiveProcess: 0 - The operation completed successfully.
    [*] EnumProcessModules: 4 modules detected
    [*] 0 - 0x00400000 - printf.exe
    [*] 1 - 0x7c900000 - ntdll.dll
    [*] 2 - 0x7c800000 - kernel32.dll
    [*] 3 - 0x78aa0000 - MSVCR100.dll
    [*] GetProcAddress() ERROR: 126 - The specified module could not be found.
    [**] Getting printf() address is: 0x00000000
    [*] Finished debugging. Exiting...

As you can see, msvcr100.dll is loaded at 0x78aa0000. As far as I understand, it should have printf() within its address space, where I should be able to get its address. Moreover, I loaded up printf.exe in OllyDbg and it showed the same thing that you see in my script's output, and I was able to see printf() in msvcr100.dll's export list.


GetProcAddress gets the address of a function in a DLL loaded in your process, not in a different process. You should check out the Debug Help Library.

Per your request about GetProcAddress, my references:

GetProcAddress

hModule [in]
A handle to the DLL module that contains the function or variable. The LoadLibrary, LoadLibraryEx, or GetModuleHandle function returns this handle.

LoadLibrary

Loads the specified module into the address space of the calling process....

LoadLibraryEx

Loads the specified module into the address space of the calling process....

GetModuleHandle

Retrieves a module handle for the specified module. The module must have been loaded by the calling process.
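The answer above is right that GetProcAddress only resolves exports of modules mapped in the calling process. As an added example, not part of the original question or answers, here is how a debugger can resolve an export in the debuggee anyway: walk the module's export directory through ReadProcessMemory, starting from the base address that EnumProcessModules already returned (an HMODULE is that base). The names find_remote_export, remote_reader and sample_reader are chosen here; the sample image is a constructed fixture, not MSVCR100.dll, and the 0x78AA0000 base is borrowed from the question's output purely for illustration.

```python
import struct

# PE/COFF constants and field offsets used below (from the PE spec).  Every access
# goes through read(virtual_address, size) -> bytes, so any memory source works.
IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def read_cstring(read, addr, chunk=32):
    """Read a NUL-terminated string in chunks (a remote read may stop at a page end)."""
    out = b""
    while True:
        blk = read(addr + len(out), chunk)
        if not blk:
            raise ValueError("unterminated string at 0x%x" % addr)
        nul = blk.find(b"\0")
        if nul >= 0:
            return out + blk[:nul]
        out += blk


def find_remote_export(read, module_base, name):
    """Resolve export `name` of the module mapped at `module_base` in another process by
    walking DOS header -> NT headers -> DataDirectory[0] -> IMAGE_EXPORT_DIRECTORY through
    memory reads only.  Returns an absolute address, or the forwarder string
    ("NTDLL.RtlFoo") when the export is forwarded and must be resolved in that DLL."""
    u16 = lambda a: struct.unpack("<H", read(a, 2))[0]
    u32 = lambda a: struct.unpack("<I", read(a, 4))[0]
    if u16(module_base) != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header at 0x%x" % module_base)
    nt = module_base + u32(module_base + 0x3C)            # e_lfanew
    if u32(nt) != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at 0x%x" % nt)
    opt = nt + 4 + 20                                     # Signature + IMAGE_FILE_HEADER
    magic = u16(opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    datadir = opt + (96 if magic == PE32_MAGIC else 112)  # DataDirectory[0] = exports
    exp_rva, exp_size = u32(datadir), u32(datadir + 4)
    if exp_rva == 0:
        raise ValueError("module has no export table")
    exp = module_base + exp_rva
    n_names = u32(exp + 0x18)                             # NumberOfNames
    funcs = module_base + u32(exp + 0x1C)                 # AddressOfFunctions
    names = module_base + u32(exp + 0x20)                 # AddressOfNames
    ords = module_base + u32(exp + 0x24)                  # AddressOfNameOrdinals
    wanted = name.encode("ascii")
    for i in range(n_names):
        if read_cstring(read, module_base + u32(names + 4 * i)) != wanted:
            continue
        ordinal = u16(ords + 2 * i)                       # index into AddressOfFunctions
        func_rva = u32(funcs + 4 * ordinal)
        if exp_rva <= func_rva < exp_rva + exp_size:
            # an RVA inside the export directory is a forwarder string, not code
            return read_cstring(read, module_base + func_rva).decode("ascii")
        return module_base + func_rva
    raise ValueError("%s is not exported by name" % name)


def remote_reader(pid):
    """Windows only: read() backed by ReadProcessMemory on `pid` (assumes the caller may
    open the target: same user or SeDebugPrivilege).  Not exercised by the offline test."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    h = k32.OpenProcess(0x0010 | 0x0400, False, pid)      # PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    def read(addr, n):
        buf, got = ctypes.create_string_buffer(n), ctypes.c_size_t(0)
        if not k32.ReadProcessMemory(h, addr, buf, n, ctypes.byref(got)):
            raise ctypes.WinError(ctypes.get_last_error())
        return buf.raw[:got.value]
    return read


def sample_reader(base=0x78AA0000):
    """Constructed fixture, not a real DLL: a read() over a minimal PE32 image in its
    in-memory layout, exporting printf, puts and a forwarded strlen, for offline use."""
    img = bytearray(0x2000)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, 0x40)                          # e_lfanew
    struct.pack_into("<I", img, 0x40, IMAGE_NT_SIGNATURE)
    struct.pack_into("<HH", img, 0x44, 0x14C, 0)                     # i386, no sections
    struct.pack_into("<H", img, 0x54, 0xE0)                          # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, PE32_MAGIC)
    struct.pack_into("<II", img, 0x58 + 96, 0x1000, 0x80)            # export dir RVA, size
    struct.pack_into("<IIHHIIIIIII", img, 0x1000,                    # IMAGE_EXPORT_DIRECTORY
                     0, 0, 0, 0, 0x1048, 1, 3, 3, 0x1028, 0x1034, 0x1040)
    struct.pack_into("<III", img, 0x1028, 0x1500, 0x1600, 0x1070)    # function RVAs
    struct.pack_into("<III", img, 0x1034, 0x1058, 0x1060, 0x1068)    # name RVAs
    struct.pack_into("<HHH", img, 0x1040, 0, 1, 2)                   # name index -> ordinal
    for off, s in ((0x1048, b"MSVCR100.dll"), (0x1058, b"printf"), (0x1060, b"puts"),
                   (0x1068, b"strlen"), (0x1070, b"NTDLL.strlen")):
        img[off:off + len(s) + 1] = s + b"\0"
    return lambda addr, n: (bytes(img[addr - base:addr - base + n]) if addr >= base else b"")
```

In the question's class, find_remote_export(remote_reader(pid), lphModule[3], "printf") replaces the failing GetProcAddress call (or wrap the existing self.h_process in a ReadProcessMemory closure instead of opening the process a second time). The forwarder case is worth handling: on current Windows many kernel32 exports forward to ntdll or kernelbase, so the caller has to follow the returned "DLL.Name" string into that module. The common shortcut of loading the same DLL locally and adding the local RVA to the remote base only holds when both processes map the identical file; the export-table walk above does not depend on that.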


I believe that means that it can't find that particular DLL on your system. Here's a simple function that will return the printf address:

from ctypes import *

kernel32 = windll.kernel32
# Return pointers as c_void_p so addresses are not truncated to 32 bits on x64
kernel32.GetModuleHandleA.restype = c_void_p
kernel32.GetProcAddress.argtypes = [c_void_p, c_char_p]
kernel32.GetProcAddress.restype = c_void_p


def resolve_function(dll, func):
    # GetModuleHandle returns the base address of a DLL already loaded in *this*
    # process; it is not a kernel handle, so it must not be passed to CloseHandle
    handle = kernel32.GetModuleHandleA(dll)
    if not handle:
        raise WinError()
    address = kernel32.GetProcAddress(handle, func)
    if not address:
        raise WinError()
    return address


address = resolve_function(b'msvcrt.dll', b'printf')

print(hex(address))

I'm still learning this stuff as well, and I'm not quite sure of the difference between msvcrt.dll and msvcr100.dll. However, I believe you need to link against msvcrt.dll instead, and Microsoft does some magic to find msvcrXX.dll. Take a look at this page for more info: http://msdn.microsoft.com/en-us/library/abx4dbyh
