def test_declare_function(self):
    """declare() must return a callable with restype/argtypes wired up.

    GetCurrentProcessId takes no arguments, so it doubles as a check that an
    empty argtypes list is left unset (``None``) rather than stored as ``[]``,
    and that the resulting callable really reaches the Win32 export: its
    answer has to agree with the interpreter's own pid.
    """
    fn = declarer.declare(declarer.KERNEL, 'GetCurrentProcessId', [], c_uint)
    assert callable(fn)
    assert fn.restype == c_uint
    # empty list -> argtypes stays unset
    assert fn.argtypes is None
    # live call against the running process
    assert fn() == os.getpid()
class EVENT_FILTER_DESCRIPTOR(Structure):
    """One provider-side filter handed to EnableTraceEx2.

    ``Ptr`` is a plain 64-bit integer, not a ctypes pointer: fill it with
    ``addressof(buffer)`` and keep that buffer alive for the call.
    """
    _fields_ = [
        ('Ptr', c_ulonglong),
        ('Size', c_ulong),
        ('Type', c_ulong),
    ]


class ENABLE_TRACE_PARAMETERS(Structure):
    """Extended EnableTraceEx2 parameters; ``Version`` tells ETW which layout
    the caller filled in, ``FilterDescCount`` how many descriptors
    ``EnableFilterDesc`` points at."""
    _fields_ = [
        ('Version', c_ulong),
        ('EnableProperty', c_ulong),
        ('ControlFlags', c_ulong),
        ('SourceId', GUID),
        ('EnableFilterDesc', POINTER(EVENT_FILTER_DESCRIPTOR)),
        ('FilterDescCount', c_ulong),
    ]


class TRACE_GUID_REGISTRATION(Structure):
    """Provider GUID together with the registration handle ETW returns for it."""
    _fields_ = [
        ('guid', POINTER(GUID)),
        ('reg_handle', HANDLE),
    ]


# All three ETW control calls return a Win32 error code (ERROR_SUCCESS == 0),
# not a BOOL: a non-zero result means failure and must not be ignored.
# NOTE(review): starting or controlling a trace session generally needs
# elevated rights; surface ERROR_ACCESS_DENIED to the operator instead of
# silently continuing without events.

# ULONG ControlTraceW(TRACEHANDLE, LPCWSTR session_name,
#                     PEVENT_TRACE_PROPERTIES, ULONG control_code)
control_trace = declarer.declare(
    declarer.ADVAPI, 'ControlTraceW',
    [TRACEHANDLE, c_wchar_p, POINTER(EVENT_TRACE_PROPERTIES), c_ulong],
    c_ulong)

# ULONG StartTraceW(PTRACEHANDLE out_handle, LPCWSTR session_name,
#                   PEVENT_TRACE_PROPERTIES)
start_trace = declarer.declare(
    declarer.ADVAPI, 'StartTraceW',
    [POINTER(TRACEHANDLE), c_wchar_p, POINTER(EVENT_TRACE_PROPERTIES)],
    c_ulong)

# ULONG EnableTraceEx2(TRACEHANDLE, LPCGUID provider, ULONG control_code,
#                      UCHAR level, ULONGLONG match_any_keyword,
#                      ULONGLONG match_all_keyword, ULONG timeout,
#                      PENABLE_TRACE_PARAMETERS)
enable_trace_ex = declarer.declare(
    declarer.ADVAPI, 'EnableTraceEx2',
    [TRACEHANDLE, POINTER(GUID), c_ulong, c_ubyte, c_ulonglong, c_ulonglong,
     c_ulong, POINTER(ENABLE_TRACE_PARAMETERS)],
    c_ulong)
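('access_mask', DWORD)]  # closes the SYSTEM_HANDLE field list that begins above this excerpt


class SYSTEM_HANDLE_INFORMATION(Structure):
    """Buffer header returned for SystemHandleInformation.

    ``handles`` is declared with a single element; the real array holds
    ``number_of_handles`` entries, so the backing buffer has to be allocated
    to that size and indexed past the declared bound (presumably through a
    cast - verify at the call site).  ZwQuerySystemInformation reports the
    size it needs through its last out-param, which is why realloc is
    declared further down.
    """
    _fields_ = [
        ('number_of_handles', ULONG),
        ('handles', SYSTEM_HANDLE * 1),
    ]


class OBJECT_TYPE_INFORMATION(Structure):
    """ObjectTypeInformation result: the type name plus 22 reserved ULONGs."""
    _fields_ = [
        ('type_name', UNICODE_STRING),
        ('reserved', ULONG * 22),
    ]


# NTSTATUS ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS, PVOID buffer,
#                                   ULONG length, PULONG return_length)
# Native API: the result is an NTSTATUS (0 == STATUS_SUCCESS), not a BOOL,
# so a truthy return means failure; STATUS_INFO_LENGTH_MISMATCH asks for a
# larger buffer.  NOTE(review): undocumented call - its information classes
# and layouts may change between Windows releases.
zw_query_system_information = declarer.declare(
    declarer.NT, 'ZwQuerySystemInformation',
    [DWORD, PVOID, ULONG, PULONG], DWORD)

# CRT heap functions used for the variable-length query buffers
malloc = declarer.declare(declarer.C, 'malloc', [c_size_t], c_void_p)
realloc = declarer.declare(declarer.C, 'realloc', [c_void_p, c_size_t], c_void_p)
# free() takes the pointer that malloc/realloc returned, so it needs an
# explicit c_void_p argtype.  The original declared it with an empty list;
# declare() leaves argtypes unset for an empty list, and without argtypes
# ctypes marshals a Python int as a C int, which cannot carry a 64-bit heap
# address - the call fails with an ArgumentError and the block leaks, or,
# worse, a narrowed address is released.
free = declarer.declare(declarer.C, 'free', [c_void_p], None)

# BOOL CloseHandle(HANDLE)
close_handle = declarer.declare(declarer.KERNEL, 'CloseHandle', [HANDLE], BOOL)

# BOOL DuplicateHandle(HANDLE src_process, HANDLE src_handle,
#                      HANDLE dst_process, LPHANDLE dst_handle,
#                      DWORD desired_access, BOOL inherit_handle, DWORD options)
# The 6th argument is bInheritHandle (declared ULONG here): keep it 0 unless a
# child process must inherit the duplicate, and release the duplicate with
# close_handle once it has been inspected.  The restype is DWORD although the
# API returns BOOL; both are 32-bit, so truthiness still signals success.
duplicate_handle = declarer.declare(
    declarer.KERNEL, 'DuplicateHandle',
    [HANDLE, HANDLE, HANDLE, POINTER(HANDLE), DWORD, ULONG, ULONG], DWORD)

# query object name / type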
('process_parameters', POINTER(RTL_USER_PROCESS_PARAMETERS)),  # tail of the PEB field list that begins above this excerpt
('reserved3', BYTE * 520),  # padding that keeps post_process_init_routine at its real offset
('post_process_init_routine', PVOID),
('reserved4', BYTE * 136),  # padding up to session_id
('session_id', ULONG)]


class PROCESS_BASIC_INFORMATION(Structure):
    """ProcessBasicInformation result from ZwQueryInformationProcess.

    ``peb_base_address`` is an address inside the *target* process: it has to
    be fetched with ReadProcessMemory, never dereferenced in this process.
    """
    _fields_ = [('reserved1', PVOID),
                ('peb_base_address', POINTER(PEB)),
                ('reserved2', PVOID * 2),
                # ULONG_PTR in the SDK; a pointer type keeps it pointer-sized here,
                # so read the value via cast()/addressof rather than dereferencing
                # (NOTE(review): verify how callers consume it)
                ('unique_process_id', PULONG),
                ('inherited_from_unique_process_id', ULONG)]


# HANDLE OpenProcess(DWORD desired_access, BOOL inherit_handle, DWORD pid)
# A NULL handle comes back as None if HANDLE maps to c_void_p - check for it.
# Request only the rights needed (PROCESS_QUERY_LIMITED_INFORMATION, plus
# PROCESS_VM_READ when ReadProcessMemory follows) and pass inherit_handle=False.
open_process = declarer.declare(declarer.KERNEL, 'OpenProcess', [DWORD, BOOL, DWORD], HANDLE)

# HANDLE OpenThread(DWORD desired_access, BOOL inherit_handle, DWORD tid)
open_thread = declarer.declare(declarer.KERNEL, 'OpenThread', [DWORD, BOOL, DWORD], HANDLE)

# BOOL ReadProcessMemory(HANDLE, LPCVOID remote_addr, LPVOID local_buf,
#                        SIZE_T size, SIZE_T *bytes_read)
# A partial copy returns FALSE; the last out-param says how much was
# actually read, so callers should check both before trusting the buffer.
_read_process_memory = declarer.declare(declarer.KERNEL, 'ReadProcessMemory',
                                        [HANDLE, LPVOID, LPVOID, SIZE_T, POINTER(SIZE_T)], BOOL)

# NTSTATUS ZwQueryInformationProcess(HANDLE, PROCESSINFOCLASS, PVOID buffer,
#                                    ULONG length, PULONG return_length)
# Native API: 0 == STATUS_SUCCESS, any non-zero value is a failure code.
zw_query_information_process = declarer.declare(declarer.NT, 'ZwQueryInformationProcess',
                                                [HANDLE, DWORD, PVOID, ULONG, PULONG], DWORD)

# BOOL QueryFullProcessImageNameW(HANDLE, DWORD flags, LPWSTR buffer, PDWORD size)
# (the declaration continues past this excerpt)
query_full_process_image_name = declarer.declare(declarer.KERNEL, 'QueryFullProcessImageNameW',
                                                 [HANDLE, DWORD, LPTSTR, PDWORD],
# field list of SYSTEM_HANDLE (the class header is above this excerpt):
# one entry per open handle reported by SystemHandleInformation
_fields_ = [('process_id', ULONG),
            ('object_type_number', UCHAR),
            ('flags', UCHAR),
            ('handle', USHORT),
            ('object', PVOID),  # kernel object address, only meaningful for diagnostics
            ('access_mask', DWORD)]


class SYSTEM_HANDLE_INFORMATION(Structure):
    """Buffer header returned for SystemHandleInformation.

    ``handles`` is declared with a single element; the real array holds
    ``number_of_handles`` entries, so the backing buffer has to be allocated
    to that size and indexed past the declared bound (presumably through a
    cast - verify at the call site).
    """
    _fields_ = [('number_of_handles', ULONG),
                ('handles', SYSTEM_HANDLE * 1)]


class OBJECT_TYPE_INFORMATION(Structure):
    """ObjectTypeInformation result: the type name plus 22 reserved ULONGs."""
    _fields_ = [('type_name', UNICODE_STRING),
                ('reserved', ULONG * 22)]


# NTSTATUS ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS, PVOID buffer,
#                                   ULONG length, PULONG return_length)
# Native API: the result is an NTSTATUS (0 == STATUS_SUCCESS), not a BOOL,
# so a truthy return means failure; STATUS_INFO_LENGTH_MISMATCH asks for a
# larger buffer (hence realloc below).  NOTE(review): undocumented call -
# its information classes and layouts may change between Windows releases.
zw_query_system_information = declarer.declare(declarer.NT, 'ZwQuerySystemInformation',
                                               [DWORD, PVOID, ULONG, PULONG], DWORD)

# CRT heap functions used for the variable-length query buffers
malloc = declarer.declare(declarer.C, 'malloc', [c_size_t], c_void_p)
realloc = declarer.declare(declarer.C, 'realloc', [c_void_p, c_size_t], c_void_p)
# the c_void_p argtype matters: without it ctypes would marshal a Python int
# as a C int, which cannot carry a 64-bit heap address
free = declarer.declare(declarer.C, 'free', [c_void_p], None)

# BOOL CloseHandle(HANDLE)
close_handle = declarer.declare(declarer.KERNEL, 'CloseHandle', [HANDLE], BOOL)

# BOOL DuplicateHandle(HANDLE src_process, HANDLE src_handle,
#                      HANDLE dst_process, LPHANDLE dst_handle,
#                      DWORD desired_access, BOOL inherit_handle, DWORD options)
# The 6th argument is bInheritHandle (declared ULONG here): keep it 0 unless a
# child must inherit the duplicate, and release the duplicate with
# close_handle once inspected.  Restype is DWORD although the API returns
# BOOL; both are 32-bit, so truthiness still signals success.
duplicate_handle = declarer.declare(
    declarer.KERNEL, 'DuplicateHandle',
    [HANDLE, HANDLE, HANDLE, POINTER(HANDLE), DWORD, ULONG, ULONG], DWORD)
class PEB(Structure):
    """Subset of the Process Environment Block that is read from a target.

    Only ``being_debugged``, ``ldr``, ``process_parameters`` and ``session_id``
    are named; the ``reservedN`` byte runs are padding that keeps those fields
    at their real offsets.  NOTE(review): the 21/520/136-byte runs line up
    with the 64-bit PEB; a 32-bit process would need different padding.
    """
    _fields_ = [
        ('reserved1', BYTE * 2),
        ('being_debugged', BYTE),
        ('reserved2', BYTE * 21),
        ('ldr', POINTER(PEB_LDR_DATA)),
        ('process_parameters', POINTER(RTL_USER_PROCESS_PARAMETERS)),
        ('reserved3', BYTE * 520),
        ('post_process_init_routine', PVOID),
        ('reserved4', BYTE * 136),
        ('session_id', ULONG),
    ]


class PROCESS_BASIC_INFORMATION(Structure):
    """ProcessBasicInformation result from ZwQueryInformationProcess.

    ``peb_base_address`` is an address inside the *target* process: fetch it
    with ReadProcessMemory, never dereference it in this process.
    """
    _fields_ = [
        ('reserved1', PVOID),
        ('peb_base_address', POINTER(PEB)),
        ('reserved2', PVOID * 2),
        # ULONG_PTR in the SDK; a pointer type keeps it pointer-sized here, so
        # take the value via cast()/addressof rather than dereferencing it
        # (NOTE(review): verify how callers consume it)
        ('unique_process_id', PULONG),
        ('inherited_from_unique_process_id', ULONG),
    ]


# HANDLE OpenThread(DWORD desired_access, BOOL inherit_handle, DWORD tid)
open_thread = declarer.declare(
    declarer.KERNEL, 'OpenThread', [DWORD, BOOL, DWORD], HANDLE)

# HANDLE OpenProcess(DWORD desired_access, BOOL inherit_handle, DWORD pid)
# A NULL handle comes back as None if HANDLE maps to c_void_p - check for it.
# Request only the rights needed (PROCESS_QUERY_LIMITED_INFORMATION, plus
# PROCESS_VM_READ when ReadProcessMemory follows) and pass inherit_handle=False.
open_process = declarer.declare(
    declarer.KERNEL, 'OpenProcess', [DWORD, BOOL, DWORD], HANDLE)

# BOOL ReadProcessMemory(HANDLE, LPCVOID remote_addr, LPVOID local_buf,
#                        SIZE_T size, SIZE_T *bytes_read)
# A partial copy returns FALSE; the last out-param says how much was actually
# read, so callers should check both before trusting the buffer.
_read_process_memory = declarer.declare(
    declarer.KERNEL, 'ReadProcessMemory',
    [HANDLE, LPVOID, LPVOID, SIZE_T, POINTER(SIZE_T)],
    BOOL)

# NTSTATUS ZwQueryInformationProcess(HANDLE, PROCESSINFOCLASS, PVOID buffer,
#                                    ULONG length, PULONG return_length)
# Native API: 0 == STATUS_SUCCESS, any non-zero value is a failure code.
zw_query_information_process = declarer.declare(
    declarer.NT, 'ZwQueryInformationProcess',
    [HANDLE, DWORD, PVOID, ULONG, PULONG],
    DWORD)

# BOOL QueryFullProcessImageNameW(HANDLE, DWORD flags, LPWSTR buffer, PDWORD size)
# ``size`` is in/out: buffer length in characters on entry, characters written
# on return.
query_full_process_image_name = declarer.declare(
    declarer.KERNEL, 'QueryFullProcessImageNameW',
    [HANDLE, DWORD, LPTSTR, PDWORD],
    BOOL)
from fibratus.apidefs.cdefs import *
import fibratus.ctypes_declarer as declarer

# RegGetValue type-restriction flag: accept every value type.  Nothing is
# filtered, so callers must look at the type reported through the LPDWORD
# out-param before interpreting the buffer - a REG_BINARY blob must not be
# decoded as a string.
RRF_RT_ANY = 0x0000ffff

# predefined root keys; these pseudo-handles are never closed
HKEY_CLASSES_ROOT = HKEY(0x80000000)
HKEY_CURRENT_USER = HKEY(0x80000001)
HKEY_LOCAL_MACHINE = HKEY(0x80000002)
HKEY_USERS = HKEY(0x80000003)

# presumably the size of the value buffer passed to RegGetValueW (its size
# parameter counts bytes) - confirm at the call site
MAX_BUFFER_SIZE = 4096

# LONG RegGetValueW(HKEY, LPCWSTR sub_key, LPCWSTR value, DWORD flags,
#                   LPDWORD type, PVOID data, LPDWORD data_size)
# Returns a Win32 error code (ERROR_SUCCESS == 0); ERROR_MORE_DATA means the
# buffer was too small and data_size now holds the required size.
reg_get_value = declarer.declare(
    declarer.ADVAPI, 'RegGetValueW',
    [HKEY, LPCWSTR, LPCWSTR, DWORD, LPDWORD, PVOID, LPDWORD],
    LONG)


class ValueType(Enum):
    """Registry value types as reported through RegGetValueW's type out-param."""
    REG_NONE = 0
    REG_SZ = 1  # NUL-terminated UTF-16 string
    # RegGetValue expands these itself (and then reports REG_SZ) unless the
    # caller sets RRF_NOEXPAND
    REG_EXPAND_SZ = 2
    REG_BINARY = 3  # opaque bytes, length comes from data_size
    REG_DWORD = 4
    REG_DWORD_BIG_ENDIAN = 5
    REG_LINK = 6
    REG_MULTI_SZ = 7  # sequence of NUL-terminated strings ended by an empty one
    REG_RESOURCE_LIST = 8
    REG_FULL_RESOURCE_DESCRIPTOR = 9
    REG_RESOURCE_REQUIREMENTS_LIST = 10
from fibratus.apidefs.cdefs import *
import fibratus.ctypes_declarer as declarer

# RegGetValue type-restriction flag: accept every value type.  Nothing is
# filtered, so callers must look at the type reported through the LPDWORD
# out-param before interpreting the buffer - a REG_BINARY blob must not be
# decoded as a string.
RRF_RT_ANY = 0x0000ffff

# predefined root keys; these pseudo-handles are never closed
HKEY_CLASSES_ROOT = HKEY(0x80000000)
HKEY_CURRENT_USER = HKEY(0x80000001)
HKEY_LOCAL_MACHINE = HKEY(0x80000002)
HKEY_USERS = HKEY(0x80000003)

# presumably the size of the value buffer passed to RegGetValueW (its size
# parameter counts bytes) - confirm at the call site
MAX_BUFFER_SIZE = 4096

# LONG RegGetValueW(HKEY, LPCWSTR sub_key, LPCWSTR value, DWORD flags,
#                   LPDWORD type, PVOID data, LPDWORD data_size)
# Returns a Win32 error code (ERROR_SUCCESS == 0); ERROR_MORE_DATA means the
# buffer was too small and data_size now holds the required size.
reg_get_value = declarer.declare(
    declarer.ADVAPI, 'RegGetValueW',
    [HKEY, LPCWSTR, LPCWSTR, DWORD, LPDWORD, PVOID, LPDWORD],
    LONG)


class ValueType(Enum):
    """Registry value types as reported through RegGetValueW's type out-param."""
    REG_NONE = 0
    REG_SZ = 1  # NUL-terminated UTF-16 string
    # RegGetValue expands these itself (and then reports REG_SZ) unless the
    # caller sets RRF_NOEXPAND
    REG_EXPAND_SZ = 2
    REG_BINARY = 3  # opaque bytes, length comes from data_size
    REG_DWORD = 4
    REG_DWORD_BIG_ENDIAN = 5
    REG_LINK = 6
    REG_MULTI_SZ = 7  # sequence of NUL-terminated strings ended by an empty one
    REG_RESOURCE_LIST = 8
    REG_FULL_RESOURCE_DESCRIPTOR = 9
    REG_RESOURCE_REQUIREMENTS_LIST = 10
('reg_handle', HANDLE)]  # closes the TRACE_GUID_REGISTRATION field list that begins above this excerpt


class EVENT_FILTER_DESCRIPTOR(Structure):
    """One provider-side filter handed to EnableTraceEx2.

    ``Ptr`` is a plain 64-bit integer, not a ctypes pointer: fill it with
    ``addressof(buffer)`` and keep that buffer alive for the call.
    """
    _fields_ = [('Ptr', c_ulonglong),
                ('Size', c_ulong),
                ('Type', c_ulong)]


class ENABLE_TRACE_PARAMETERS(Structure):
    """Extended EnableTraceEx2 parameters; ``Version`` tells ETW which layout
    the caller filled in, ``FilterDescCount`` how many descriptors
    ``EnableFilterDesc`` points at."""
    _fields_ = [('Version', c_ulong),
                ('EnableProperty', c_ulong),
                ('ControlFlags', c_ulong),
                ('SourceId', GUID),
                ('EnableFilterDesc', POINTER(EVENT_FILTER_DESCRIPTOR)),
                ('FilterDescCount', c_ulong)]


# All three ETW control calls return a Win32 error code (ERROR_SUCCESS == 0),
# not a BOOL: a non-zero result means failure and must not be ignored.
# NOTE(review): starting or controlling a trace session generally needs
# elevated rights; surface ERROR_ACCESS_DENIED instead of silently continuing
# without events.

# ULONG StartTraceW(PTRACEHANDLE out_handle, LPCWSTR session_name,
#                   PEVENT_TRACE_PROPERTIES)
start_trace = declarer.declare(declarer.ADVAPI, 'StartTraceW',
                               [POINTER(TRACEHANDLE), c_wchar_p, POINTER(EVENT_TRACE_PROPERTIES)],
                               c_ulong)

# ULONG ControlTraceW(TRACEHANDLE, LPCWSTR session_name,
#                     PEVENT_TRACE_PROPERTIES, ULONG control_code)
control_trace = declarer.declare(declarer.ADVAPI, 'ControlTraceW',
                                 [TRACEHANDLE, c_wchar_p, POINTER(EVENT_TRACE_PROPERTIES), c_ulong],
                                 c_ulong)

# ULONG EnableTraceEx2(TRACEHANDLE, LPCGUID provider, ULONG control_code,
#                      UCHAR level, ULONGLONG match_any_keyword,
#                      ULONGLONG match_all_keyword, ULONG timeout,
#                      PENABLE_TRACE_PARAMETERS)
enable_trace_ex = declarer.declare(declarer.ADVAPI, 'EnableTraceEx2',
                                   [TRACEHANDLE, POINTER(GUID), c_ulong, c_ubyte, c_ulonglong, c_ulonglong,
                                    c_ulong, POINTER(ENABLE_TRACE_PARAMETERS)],
                                   c_ulong)
# --- create-disposition values (how an existing / missing file is handled) ---
# Presumably the NtCreateFile CreateDisposition encoding used when decoding
# file events - confirm against the consumer.

# if the file already exists, fail the request and do not create or open the
# given file. If it does not, create the given file.
FILE_CREATE = 0x00000002
# If the file already exists, open it. If it does not, create the given file.
FILE_OPEN_IF = 0x00000003
# If the file already exists, open it and overwrite it. If it does not, fail
# the request.
FILE_OVERWRITE = 0x00000004
# If the file already exists, open it and overwrite it. If it does not, create
# the given file.
FILE_OVERWRITE_IF = 0x00000005

# --- create-option flags (a different field from the dispositions above; do
# not compare these against FILE_CREATE & co.) ---

# the file being created or opened is a directory file
FILE_DIRECTORY_FILE = 0x00000001
# open a file with a reparse point and bypass normal reparse point processing
# for the file, i.e. operate on the link/junction itself rather than its target
FILE_OPEN_REPARSE_POINT = 0x00200000


class FILE_NAME_INFO(Structure):
    """FileNameInfo result for GetFileInformationByHandleEx.

    Variable-length: ``file_name_length`` is the name size in *bytes* and the
    name is not guaranteed to be NUL-terminated, so slice by the length instead
    of scanning for a terminator.
    """
    _fields_ = [
        ('file_name_length', DWORD),
        ('filename', WCHAR * 1),
    ]


# BOOL GetFileInformationByHandleEx(HANDLE, FILE_INFO_BY_HANDLE_CLASS,
#                                   LPVOID buffer, DWORD buffer_size)
get_file_info_by_handle = declarer.declare(
    declarer.KERNEL, 'GetFileInformationByHandleEx',
    [HANDLE, DWORD, LPVOID, DWORD], BOOL)

# DWORD GetFileType(HANDLE) - FILE_TYPE_UNKNOWN (0) also covers failure, so
# check GetLastError when it comes back 0
get_file_type = declarer.declare(declarer.KERNEL, 'GetFileType', [HANDLE], DWORD)

# DWORD QueryDosDeviceW(LPCWSTR device_name, LPWSTR target_path, DWORD ucch_max)
# returns the number of characters stored in target_path, 0 on failure
query_dos_device = declarer.declare(
    declarer.KERNEL, 'QueryDosDeviceW', [LPTSTR, LPTSTR, DWORD], DWORD)

# intptr_t _get_osfhandle(int fd) - maps a CRT file descriptor to the Win32
# handle; -1 (INVALID_HANDLE_VALUE) on a bad descriptor.
# NOTE(review): the restype is LONG (32-bit) while the CRT returns intptr_t;
# in a 64-bit process a handle value above 2^31 would be narrowed - consider a
# pointer-sized signed restype if one is in scope.
_get_osfhandle = declarer.declare(declarer.C, '_get_osfhandle', [DWORD], LONG)
# --- create-disposition values (how an existing / missing file is handled) ---
# Presumably the NtCreateFile CreateDisposition encoding used when decoding
# file events - confirm against the consumer.

# If the file already exists, open it. If it does not, create the given file.
FILE_OPEN_IF = 0x00000003
# If the file already exists, open it and overwrite it. If it does not, fail
# the request.
FILE_OVERWRITE = 0x00000004
# If the file already exists, open it and overwrite it. If it does not, create
# the given file.
FILE_OVERWRITE_IF = 0x00000005

# --- create-option flags (a different field from the dispositions above; do
# not compare these against FILE_OPEN_IF & co.) ---

# the file being created or opened is a directory file
FILE_DIRECTORY_FILE = 0x00000001
# open a file with a reparse point and bypass normal reparse point processing
# for the file, i.e. operate on the link/junction itself rather than its target
FILE_OPEN_REPARSE_POINT = 0x00200000


class FILE_NAME_INFO(Structure):
    """FileNameInfo result for GetFileInformationByHandleEx.

    Variable-length: ``file_name_length`` is the name size in *bytes* and the
    name is not guaranteed to be NUL-terminated, so slice by the length instead
    of scanning for a terminator.
    """
    _fields_ = [
        ('file_name_length', DWORD),
        ('filename', WCHAR * 1),
    ]


# BOOL GetFileInformationByHandleEx(HANDLE, FILE_INFO_BY_HANDLE_CLASS,
#                                   LPVOID buffer, DWORD buffer_size)
get_file_info_by_handle = declarer.declare(
    declarer.KERNEL, 'GetFileInformationByHandleEx',
    [HANDLE, DWORD, LPVOID, DWORD], BOOL)

# DWORD GetFileType(HANDLE) - FILE_TYPE_UNKNOWN (0) also covers failure, so
# check GetLastError when it comes back 0
get_file_type = declarer.declare(declarer.KERNEL, 'GetFileType', [HANDLE], DWORD)

# DWORD QueryDosDeviceW(LPCWSTR device_name, LPWSTR target_path, DWORD ucch_max)
# returns the number of characters stored in target_path, 0 on failure
query_dos_device = declarer.declare(
    declarer.KERNEL, 'QueryDosDeviceW', [LPTSTR, LPTSTR, DWORD], DWORD)

# intptr_t _get_osfhandle(int fd) - maps a CRT file descriptor to the Win32
# handle; -1 (INVALID_HANDLE_VALUE) on a bad descriptor.
# NOTE(review): the restype is LONG (32-bit) while the CRT returns intptr_t;
# in a 64-bit process a handle value above 2^31 would be narrowed - consider a
# pointer-sized signed restype if one is in scope.
_get_osfhandle = declarer.declare(declarer.C, '_get_osfhandle', [DWORD], LONG)