def main(argv):
    """Resolve the parent PID and the target executable from the command line.

    argv[1] is a PID (hex or decimal, parsed by HexInput) or, failing that,
    an executable name matched against the running processes, which must
    yield exactly one hit.  argv[2] is the program to start; a bare name
    that is not an existing path is resolved through win32.SearchPath.
    As listed here the function ends after normalizing argv; starting the
    child process is not part of this block.
    """
    # Banner, followed by a blank line.
    for line in ("SelectMyParent: Start a program with a selected parent process",
                 "by Mario Vilas (mvilas at gmail.com)",
                 "based on a Didier Stevens tool (https://DidierStevens.com)"):
        print line
    print

    # Usage when too few arguments were given.
    if len(argv) < 3:
        print " %s <pid> <process.exe> [arguments]" % os.path.basename(argv[0])
        return

    # Debug privileges are requested before touching other processes.
    system = System()
    system.request_debug_privileges()

    # Parent argument: numeric PID first, executable name as the fallback.
    try:
        parent_pid = HexInput.integer(argv[1])
    except ValueError:
        parent_pid = None

    if parent_pid is None:
        system.scan_processes()
        matches = system.find_processes_by_filename(argv[1])
        if not matches:
            print "Can't find process %r" % argv[1]
            return
        if len(matches) > 1:
            print "Too many processes found:"
            for candidate, name in matches:
                print "\t%d:\t%s" % (candidate.get_pid(), name)
            return
        parent_pid = matches[0][0].get_pid()
    elif parent_pid != win32.GetProcessId(win32.GetCurrentProcess()):
        # Existence is only verified when the parent is not this very process.
        system.scan_processes_fast()
        if not system.has_process(parent_pid):
            print "Can't find process ID %d" % parent_pid
            return

    # Target argument: a name that is not a path goes through the Win32 search path.
    filename = argv[2]
    if not ntpath.exists(filename):
        try:
            filename = win32.SearchPath(None, filename, '.exe')[0]
        except WindowsError, e:
            print "Error searching for %s: %s" % (filename, str(e))
            return
    argv = list(argv)
    argv[2] = filename
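def adjust_privilege(self, priv):
    """Enable one named privilege on the current process token.

    Args:
        priv: privilege name accepted by LookupPrivilegeValue.

    Failures are logged, not raised: a Win32 error goes to WARNING, anything
    else to CRITICAL.  Callers therefore get no signal from this method about
    whether the privilege is actually held afterwards.

    NOTE(review): at the Win32 level AdjustTokenPrivileges can return success
    and report ERROR_NOT_ALL_ASSIGNED through GetLastError when the token does
    not hold the privilege; whether this wrapper raises for that case is not
    visible here — confirm before treating the debug line as proof the
    privilege was granted.
    NOTE(review): the token handle is never closed on this path; confirm
    whether the wrapper's handle object releases itself.
    """
    try:
        flags = win32.TOKEN_ADJUST_PRIVILEGES | win32.TOKEN_QUERY
        htoken = win32.OpenProcessToken(win32.GetCurrentProcess(), flags)
        priv_value = win32.LookupPrivilegeValue(None, priv)
        new_privs = [(priv_value, win32.SE_PRIVILEGE_ENABLED)]
        win32.AdjustTokenPrivileges(htoken, new_privs)
        # Lazy %-style argument: the original combined a '%s' template with
        # str.format(), so the log line carried the literal text "%s"
        # instead of the privilege name.
        self.logger.debug('Success - AdjustTokenPrivileges(%s)', priv)
    except win32.WindowsError as err:
        self.logger.warning('Exception - AdjustTokenPrivileges')
        self.logger.warning(err)
    except Exception as err:
        self.logger.critical('Exception - general error')
        self.logger.critical(err)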
def adjust_privileges(state, privileges):
    """
    Requests or drops privileges.

    @type  state: bool
    @param state: C{True} to request, C{False} to drop.

    @type  privileges: list(int)
    @param privileges: Privileges to request or drop.

    @raise WindowsError: Raises an exception on error.
    """
    current_process = win32.GetCurrentProcess()
    with win32.OpenProcessToken(current_process,
                                win32.TOKEN_ADJUST_PRIVILEGES) as token:
        # One (privilege, enabled) pair per entry; the same flag applies to all.
        requested = ((privilege, state) for privilege in privileges)
        win32.AdjustTokenPrivileges(token, requested)
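def HookZwWriteVirtualMemory(event):
    """Debugger hook on ZwWriteVirtualMemory that dumps writes into another process.

    The call's arguments are read from the debuggee's stack as six dwords
    (return address plus five arguments, i.e. a 32-bit stdcall frame).  When
    the target handle differs from the current-process pseudo-handle and the
    destination shares its top 12 address bits with g_ImageBase, the written
    buffer is appended to the dump file g_szDump and the target handle is
    remembered in g_HandleChild (first write wins) for later termination.

    Args:
        event: hook event exposing get_process() and get_thread().
    """
    print("[+]HookZwWriteVirtualMemory")
    global g_ImageBase
    global g_HandleChild
    curHandle = win32.GetCurrentProcess()
    process = event.get_process()
    thread = event.get_thread()
    # [0] is the return address; [1..5] are the five dword arguments.
    stackData = thread.read_stack_dwords(6)
    processHandle = stackData[1]
    baseAddress = stackData[2]
    bufferAddress = stackData[3]   # renamed from `buffer`, which shadows a builtin
    numberOfBytesToWrite = stackData[4]
    numberOfBytesWritten = stackData[5]
    #4th to 8th calls should be dumped to file
    # Dump only writes aimed at a remote process whose destination lies in the
    # same 1 MiB-aligned region as the image base.
    # NOTE(review): curHandle is this process's pseudo-handle value; the filter
    # relies on it comparing equal to the pseudo-handle dword the debuggee
    # passes when writing to itself — confirm both sides use the same width.
    if curHandle != processHandle and (baseAddress & 0xFFF00000) == (g_ImageBase & 0xFFF00000):
        try:
            # Dump Parameters
            print("[+]Dumping")
            print("\tHANDLE ProcessHandle 0x%08X" % processHandle)
            print("\tPVOID BaseAddress 0x%08X" % baseAddress)
            print("\tPVOID Buffer 0x%08X" % bufferAddress)
            print("\tULONG NumberOfBytesToWrite 0x%08X" % numberOfBytesToWrite)
            print("\tPULONG NumberOfBytesWritten 0x%08X" % numberOfBytesWritten)
            print("")
            memdump = process.read(bufferAddress, numberOfBytesToWrite)
            # Append to the dump file; the context manager closes it even when
            # the write fails (the original left the file open on that path).
            with open(g_szDump, 'ab') as f:
                f.write(memdump)
            # Save the child handle for termination; keep the first one seen.
            if g_HandleChild == 0:
                g_HandleChild = processHandle
        except Exception as e:
            print(str(e))
            print("[+]Failed at HookdwNtWriteVirtualMemory")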
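def main(argv):
    """Start argv[2:] as a child of the process named or numbered by argv[1].

    argv[1] is first parsed as a (hex or decimal) PID via HexInput; if that
    fails it is treated as an executable name and matched against the running
    processes, which must yield exactly one hit.  argv[2] is the program to
    start; a name that is not an existing path is resolved through
    win32.SearchPath.

    Returns:
        The new process id, or None after printing a usage or error message.
    """
    # Print the banner.
    print("SelectMyParent: Start a program with a selected parent process")
    print("by Mario Vilas (mvilas at gmail.com)")
    print("based on a Didier Stevens tool (https://DidierStevens.com)")
    # A bare `print` is a no-op expression in Python 3; it must be called to
    # emit the blank line the Python 2 original printed.
    print()

    # Check the command line arguments.
    if len(argv) < 3:
        script = os.path.basename(argv[0])
        print(" %s <pid> <process.exe> [arguments]" % script)
        return

    # Request debug privileges.
    system = System()
    system.request_debug_privileges()

    # Parse the parent process argument.
    try:
        dwParentProcessId = HexInput.integer(argv[1])
    except ValueError:
        dwParentProcessId = None
    if dwParentProcessId is not None:
        dwMyProcessId = win32.GetProcessId(win32.GetCurrentProcess())
        if dwParentProcessId != dwMyProcessId:
            # Existence is only verified when the parent is not this very process.
            system.scan_processes_fast()
            if not system.has_process(dwParentProcessId):
                print("Can't find process ID %d" % dwParentProcessId)
                return
    else:
        system.scan_processes()
        process_list = system.find_processes_by_filename(argv[1])
        if not process_list:
            print("Can't find process %r" % argv[1])
            return
        if len(process_list) > 1:
            print("Too many processes found:")
            for process, name in process_list:
                print("\t%d:\t%s" % (process.get_pid(), name))
            return
        dwParentProcessId = process_list[0][0].get_pid()

    # Parse the target process argument.
    filename = argv[2]
    if not ntpath.exists(filename):
        # SearchPath with a NULL path uses the standard Win32 search order
        # (application directory, current directory, system directories,
        # PATH), so a bare name resolves to the first match found; pass a
        # full path when the exact binary matters.
        try:
            filename = win32.SearchPath(None, filename, '.exe')[0]
        except WindowsError as e:
            print("Error searching for %s: %s" % (filename, str(e)))
            return
    argv = list(argv)
    argv[2] = filename

    # Start the new process.  dwParentProcessId makes the child report the
    # selected process as its parent, so parent/child telemetry alone will
    # not show which process actually launched it.  bInheritHandles=True
    # passes every inheritable handle of this process on to the child.
    try:
        process = system.start_process(system.argv_to_cmdline(argv[2:]),
                                       bConsole=True,
                                       bInheritHandles=True,
                                       dwParentProcessId=dwParentProcessId)
        dwProcessId = process.get_pid()
    except AttributeError as e:
        # The parent-process attribute needs InitializeProcThreadAttributeList,
        # which is missing on pre-Vista systems.
        if "InitializeProcThreadAttributeList" in str(e):
            print("This tool requires Windows Vista or above.")
        else:
            print("Error starting new process: %s" % str(e))
        return
    except WindowsError as e:
        print("Error starting new process: %s" % str(e))
        return
    print("Process created: %d" % dwProcessId)
    return dwProcessId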
def request_privileges(self, privileges, state=True):
    """Enable (state=True) or disable (state=False) the given privilege values on this process's token.

    Errors raised by the underlying Win32 calls propagate to the caller.
    """
    current_process = win32.GetCurrentProcess()
    with win32.OpenProcessToken(current_process,
                                win32.TOKEN_ADJUST_PRIVILEGES) as token:
        # Pair every privilege with the requested state, lazily.
        desired = ((privilege, state) for privilege in privileges)
        win32.AdjustTokenPrivileges(token, desired)