Beispiel #1
def main(argv):
    """
    Command-line entry point: start a program under a chosen parent process.

    argv[0] is the script name, argv[1] the parent process (a PID parsed by
    HexInput.integer, or else an executable filename looked up in the process
    list), argv[2] the program to launch and argv[3:] its arguments.

    NOTE(review): this listing ends after the target filename is resolved;
    the step that actually starts the new process is not shown here.
    """

    # Print the banner.
    print "SelectMyParent: Start a program with a selected parent process"
    print "by Mario Vilas (mvilas at gmail.com)"
    print "based on a Didier Stevens tool (https://DidierStevens.com)"
    print

    # Check the command line arguments.
    if len(argv) < 3:
        script = os.path.basename(argv[0])
        print "  %s <pid> <process.exe> [arguments]" % script
        return

    # Request debug privileges.
    system = System()
    system.request_debug_privileges()

    # Parse the parent process argument: first as a numeric PID, falling
    # back to a process filename when that fails.
    try:
        dwParentProcessId = HexInput.integer(argv[1])
    except ValueError:
        dwParentProcessId = None
    if dwParentProcessId is not None:
        dwMyProcessId = win32.GetProcessId(win32.GetCurrentProcess())
        # No lookup is needed when the chosen parent is this very process.
        if dwParentProcessId != dwMyProcessId:
            system.scan_processes_fast()
            if not system.has_process(dwParentProcessId):
                print "Can't find process ID %d" % dwParentProcessId
                return
    else:
        system.scan_processes()
        process_list = system.find_processes_by_filename(argv[1])
        if not process_list:
            print "Can't find process %r" % argv[1]
            return
        # Refuse to guess when the name is ambiguous; list the candidates.
        if len(process_list) > 1:
            print "Too many processes found:"
            for process, name in process_list:
                print "\t%d:\t%s" % (process.get_pid(), name)
            return
        dwParentProcessId = process_list[0][0].get_pid()

    # Parse the target process argument.
    filename = argv[2]
    if not ntpath.exists(filename):
        # Not an existing path: resolve it through the system search path
        # with ".exe" as the default extension (element 0 is taken as the
        # resolved path).
        try:
            filename = win32.SearchPath(None, filename, '.exe')[0]
        except WindowsError, e:
            print "Error searching for %s: %s" % (filename, str(e))
            return
        # Copy before mutating so the caller's argv is left untouched.
        argv = list(argv)
        argv[2] = filename
Beispiel #2
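 def adjust_privilege(self, priv):
     """
     Enable one named privilege on the current process token.

     Opens the token with TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, resolves
     ``priv`` (a privilege name accepted by LookupPrivilegeValue) to its
     value and enables it via AdjustTokenPrivileges.

     Failures are logged and swallowed rather than raised: Win32 errors at
     warning level, anything else at critical level.

     NOTE(review): the Win32 API can report success while setting
     ERROR_NOT_ALL_ASSIGNED when the token does not hold the privilege;
     whether this wrapper raises in that case is not visible here, so do
     not rely on the "Success" log line alone -- confirm.
     """
     try:
         flags = win32.TOKEN_ADJUST_PRIVILEGES | win32.TOKEN_QUERY
         # NOTE(review): htoken is never closed explicitly; if
         # win32.OpenProcessToken returns a raw handle rather than a
         # managed object, it is leaked -- confirm.
         htoken = win32.OpenProcessToken(win32.GetCurrentProcess(), flags)
         priv_value = win32.LookupPrivilegeValue(None, priv)
         new_privs = [(priv_value, win32.SE_PRIVILEGE_ENABLED)]
         win32.AdjustTokenPrivileges(htoken, new_privs)
         # Lazy %-args: logging substitutes the privilege name itself, so
         # the name actually appears in the record (a str.format call on a
         # %-style template leaves the literal "%s" in the message).
         self.logger.debug('Success - AdjustTokenPrivileges(%s)', priv)
     except win32.WindowsError as err:
         self.logger.warning('Exception - AdjustTokenPrivileges')
         self.logger.warning(err)
     except Exception as err:
         self.logger.critical('Exception - general error')
         self.logger.critical(err)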
Beispiel #3
    def adjust_privileges(state, privileges):
        """
        Enables or disables a set of privileges on the current process token.

        @type  state: bool
        @param state: C{True} to enable (request) each privilege,
            C{False} to disable (drop) it.

        @type  privileges: list(int)
        @param privileges: Privilege values to adjust, as accepted by
            L{win32.AdjustTokenPrivileges}.

        @raise WindowsError: Propagated from the underlying Win32 calls.
        """
        token = win32.OpenProcessToken(win32.GetCurrentProcess(),
                                       win32.TOKEN_ADJUST_PRIVILEGES)
        with token as hToken:
            # Lazily pair every privilege with the requested state.
            requested = ((privilege, state) for privilege in privileges)
            win32.AdjustTokenPrivileges(hToken, requested)
Beispiel #4
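def HookZwWriteVirtualMemory(event):
    """
    Breakpoint callback for ZwWriteVirtualMemory in the debuggee.

    Reads the call's arguments off the calling thread's stack and, when the
    write targets a process other than the caller's own pseudo-handle at an
    address in the same 1 MiB-aligned region as g_ImageBase, appends the
    written buffer to the dump file g_szDump.  The first such target handle
    is remembered in g_HandleChild so the child can be terminated later.

    Errors while dumping are printed and swallowed so the hook never breaks
    the debugging session.

    @param event: debug event for the hook; its process and thread are used.
    """
    print("[+]HookZwWriteVirtualMemory")

    global g_ImageBase
    global g_HandleChild
    # GetCurrentProcess() yields the "self" pseudo-handle constant, which is
    # what the debuggee passes when it writes into its own address space.
    # NOTE(review): a write to the debuggee's own process made through a
    # real handle (not the pseudo-handle) would not be filtered out here.
    curHandle = win32.GetCurrentProcess()
    process = event.get_process()
    thread = event.get_thread()
    # Six DWORDs: the return address followed by the five call arguments.
    # NOTE(review): assumes a 32-bit stdcall stack layout -- confirm for x64.
    stackData = thread.read_stack_dwords(6)

    #Read Parameters from Stack
    processHandle = stackData[1]
    baseAddress = stackData[2]
    buffer = stackData[3]
    numberOfBytesToWrite = stackData[4]
    numberOfBytesWritten = stackData[5]

    #4th to 8th calls should be dumped to file
    #Dump if writing to remote process and memory around imagebase
    # 0xFFF00000 keeps the top 12 bits, i.e. compares 1 MiB-aligned regions.
    if curHandle != processHandle and (baseAddress & 0xFFF00000) == (
            g_ImageBase & 0xFFF00000):
        try:
            # Dump Parameters
            print("[+]Dumping")
            print("\tHANDLE ProcessHandle 0x%08X" % processHandle)
            print("\tPVOID BaseAddress 0x%08X" % baseAddress)
            print("\tPVOID Buffer 0x%08X" % buffer)
            print("\tULONG NumberOfBytesToWrite 0x%08X" % numberOfBytesToWrite)
            print("\tPULONG NumberOfBytesWritten 0x%08X" %
                  numberOfBytesWritten)
            print("")

            # The source buffer lives in the *calling* process, so read it
            # from there rather than from the target.
            memdump = process.read(buffer, numberOfBytesToWrite)

            #Append to our Binary File
            # Context manager: the file is closed even if the write fails.
            with open(g_szDump, 'ab') as f:
                f.write(memdump)

            #Save Child Handle for Termination
            if g_HandleChild == 0:
                g_HandleChild = processHandle

        # "as" form is valid on both Python 2.6+ and Python 3.
        except Exception as e:
            print(str(e))
            print("[+]Failed at HookdwNtWriteVirtualMemory")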
Beispiel #5
def main(argv):

    # print(the banner.)
    print("SelectMyParent: Start a program with a selected parent process")
    print("by Mario Vilas (mvilas at gmail.com)")
    print("based on a Didier Stevens tool (https://DidierStevens.com)")
    print

    # Check the command line arguments.
    if len(argv) < 3:
        script = os.path.basename(argv[0])
        print("  %s <pid> <process.exe> [arguments]" % script)
        return

    # Request debug privileges.
    system = System()
    system.request_debug_privileges()

    # Parse the parent process argument.
    try:
        dwParentProcessId = HexInput.integer(argv[1])
    except ValueError:
        dwParentProcessId = None
    if dwParentProcessId is not None:
        dwMyProcessId = win32.GetProcessId(win32.GetCurrentProcess())
        if dwParentProcessId != dwMyProcessId:
            system.scan_processes_fast()
            if not system.has_process(dwParentProcessId):
                print("Can't find process ID %d" % dwParentProcessId)
                return
    else:
        system.scan_processes()
        process_list = system.find_processes_by_filename(argv[1])
        if not process_list:
            print("Can't find process %r" % argv[1])
            return
        if len(process_list) > 1:
            print("Too many processes found:")
            for process, name in process_list:
                print("\t%d:\t%s" % (process.get_pid(), name))
            return
        dwParentProcessId = process_list[0][0].get_pid()

    # Parse the target process argument.
    filename = argv[2]
    if not ntpath.exists(filename):
        try:
            filename = win32.SearchPath(None, filename, '.exe')[0]
        except WindowsError as e:
            print("Error searching for %s: %s" % (filename, str(e)))
            return
        argv = list(argv)
        argv[2] = filename

    # Start the new process.
    try:
        process = system.start_process(system.argv_to_cmdline(argv[2:]),
                                       bConsole=True,
                                       bInheritHandles=True,
                                       dwParentProcessId=dwParentProcessId)
        dwProcessId = process.get_pid()
    except AttributeError as e:
        if "InitializeProcThreadAttributeList" in str(e):
            print("This tool requires Windows Vista or above.")
        else:
            print("Error starting new process: %s" % str(e))
        return
    except WindowsError as e:
        print("Error starting new process: %s" % str(e))
        return
    print("Process created: %d" % dwProcessId)
    return dwProcessId
Beispiel #6
 def request_privileges(self, privileges, state=True):
     """
     Enable (or, with ``state=False``, disable) privileges on the current
     process token.

     @param privileges: privilege values to adjust, as accepted by
         win32.AdjustTokenPrivileges.
     @param state: True to enable each privilege, False to disable it.

     Errors from the underlying Win32 calls propagate to the caller.
     """
     token = win32.OpenProcessToken(win32.GetCurrentProcess(),
                                    win32.TOKEN_ADJUST_PRIVILEGES)
     with token as hToken:
         # Lazily pair every privilege with the requested state.
         requested = ((privilege, state) for privilege in privileges)
         win32.AdjustTokenPrivileges(hToken, requested)