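def get_filepath(self):
    """Get process image file path.
    @return: decoded file path, or "" when it cannot be read.
    """
    from ctypes import c_void_p

    if not self.h_process:
        self.open()

    # ProcessImageFileName (class 27) writes a UNICODE_STRING header followed
    # by the UTF-16LE path bytes in the same buffer. The header is two USHORTs
    # plus a (padded) pointer: 8 bytes on x86, 16 on x64.
    header_len = 2 * sizeof(c_void_p)
    # 530 bytes leaves room for roughly 260 UTF-16 characters of path; a longer
    # path makes the call fail and yields "".
    pbi = create_string_buffer(530)
    size = c_int()

    # Set return value to signed 32bit integer.
    NTDLL.NtQueryInformationProcess.restype = c_int
    ret = NTDLL.NtQueryInformationProcess(self.h_process, 27, byref(pbi), sizeof(pbi), byref(size))
    if not NT_SUCCESS(ret) or size.value <= header_len:
        return ""

    try:
        # Bound the path by the byte count the kernel reported instead of
        # scanning for b"\0\0": that scan can match across a UTF-16 code-unit
        # boundary and yields an empty path when no terminator is present.
        fbuf = pbi.raw[header_len:size.value]
        return fbuf.decode("utf-16-le", errors="ignore").rstrip("\0")
    except Exception as e:
        # Best effort: a path that cannot be decoded is reported as empty.
        log.info(e)
    return ""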
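def get_filepath(self):
    """Get process image file path.
    @return: decoded file path, or "" when it cannot be read.
    """
    from ctypes import c_void_p

    def nt_success(val):
        # NTSTATUS values with the sign bit clear are success/informational.
        return val >= 0

    # ProcessImageFileName (class 27) writes a UNICODE_STRING header followed
    # by the UTF-16LE path bytes in the same buffer. The header is two USHORTs
    # plus a (padded) pointer: 8 bytes on x86, 16 on x64.
    header_len = 2 * sizeof(c_void_p)
    # 200 bytes holds only ~90 UTF-16 characters; longer paths make the query
    # fail and yield "".
    pbi = create_string_buffer(200)
    size = c_int()

    # Set return value to signed 32bit integer.
    NTDLL.NtQueryInformationProcess.restype = c_int
    process_handle = self.open_process()
    try:
        ret = NTDLL.NtQueryInformationProcess(process_handle, 27, byref(pbi), sizeof(pbi), byref(size))
    finally:
        # Release the handle even if the ctypes call raises.
        KERNEL32.CloseHandle(process_handle)

    if not nt_success(ret) or size.value <= header_len:
        return ""

    try:
        # Bound the path by the byte count the kernel reported instead of
        # scanning for "\x00\x00": that scan can match across a UTF-16
        # code-unit boundary and yields an empty path when no terminator is
        # present.
        fbuf = pbi.raw[header_len:size.value]
        return fbuf.decode("utf-16-le", errors="ignore").rstrip(u"\0")
    except UnicodeError:
        # Best effort: an undecodable path is reported as empty.
        return ""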
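def get_filepath(self):
    """Get process image file path.
    @return: decoded file path, or "" when it cannot be read.
    """
    from ctypes import c_void_p

    if not self.h_process:
        self.open()

    def nt_success(val):
        # NTSTATUS values with the sign bit clear are success/informational.
        return val >= 0

    # ProcessImageFileName (class 27) writes a UNICODE_STRING header followed
    # by the UTF-16LE path bytes in the same buffer. The header is two USHORTs
    # plus a (padded) pointer: 8 bytes on x86, 16 on x64.
    header_len = 2 * sizeof(c_void_p)
    # 200 bytes holds only ~90 UTF-16 characters; longer paths make the query
    # fail and yield "".
    pbi = create_string_buffer(200)
    size = c_int()

    # Set return value to signed 32bit integer.
    NTDLL.NtQueryInformationProcess.restype = c_int
    ret = NTDLL.NtQueryInformationProcess(self.h_process, 27, byref(pbi), sizeof(pbi), byref(size))
    if not nt_success(ret) or size.value <= header_len:
        return ""

    try:
        # Bound the path by the byte count the kernel reported instead of
        # scanning for '\0\0': that scan can match across a UTF-16 code-unit
        # boundary and yields an empty path when no terminator is present.
        fbuf = pbi.raw[header_len:size.value]
        return fbuf.decode("utf-16-le", errors="ignore").rstrip(u"\0")
    except UnicodeError:
        # Best effort: an undecodable path is reported as empty.
        return ""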
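def get_parent_pid(self):
    """Get the Parent Process ID.
    @return: parent PID, or None when the query fails.
    """
    class PROCESS_BASIC_INFORMATION(Structure):
        # Six pointer-sized slots; the native struct has 4-byte fields padded
        # to pointer size on x64, so this layout matches both x86 and x64.
        _fields_ = [
            ("ExitStatus", c_void_p),
            ("PebBaseAddress", c_void_p),
            ("AffinityMask", c_void_p),
            ("BasePriority", c_void_p),
            ("UniqueProcessId", c_void_p),
            ("InheritedFromUniqueProcessId", c_void_p),
        ]

    def nt_success(val):
        # NTSTATUS values with the sign bit clear are success/informational.
        return val >= 0

    pbi = PROCESS_BASIC_INFORMATION()
    size = c_int()

    # Set return value to signed 32bit integer.
    NTDLL.NtQueryInformationProcess.restype = c_int
    process_handle = self.open_process()
    try:
        # ProcessBasicInformation is class 0.
        ret = NTDLL.NtQueryInformationProcess(
            process_handle, 0, byref(pbi), sizeof(pbi), byref(size)
        )
    finally:
        # Release the handle even if the ctypes call raises.
        KERNEL32.CloseHandle(process_handle)

    if nt_success(ret) and size.value == sizeof(pbi):
        # NOTE: a c_void_p field reads back as None when the value is 0, so a
        # parent PID of 0 is indistinguishable from a failed query here.
        return pbi.InheritedFromUniqueProcessId
    return None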
def is_critical(self):
    """Determines if process is 'critical' or not, so we can prevent terminating it"""
    if not self.h_process:
        self.open()

    # ProcessBreakOnTermination (class 29) reports a non-zero flag for a
    # process the system treats as critical.
    break_on_termination = c_ulong(0)
    written = c_ulong(0)
    status = NTDLL.NtQueryInformationProcess(
        self.h_process, 29, byref(break_on_termination), sizeof(break_on_termination), byref(written)
    )
    # A failed query is reported as "not critical", same as a zero flag.
    return bool(NT_SUCCESS(status) and break_on_termination.value)
def load_driver(self):
    """Load the driver through NtLoadDriver using its service registry key.
    @raise CuckooError: when NtLoadDriver returns a non-zero NTSTATUS.
    """
    service_key = u"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\%s" % self.install_name

    # NtLoadDriver takes the key as a counted UNICODE_STRING; Length and
    # MaximumLength are byte counts of the UTF-16 text.
    key_string = UNICODE_STRING()
    key_string.Buffer = service_key
    key_string.MaximumLength = key_string.Length = len(service_key) * 2

    # Fold the signed NTSTATUS into its unsigned 32-bit form for the message.
    status = NTDLL.NtLoadDriver(ctypes.byref(key_string)) & 0xFFFFFFFF
    if status != 0:
        raise CuckooError("Unable to load the %s driver: 0x%x" % (self.driver_name, status))
def get_parent_pid(self):
    """Get the Parent Process ID.
    @return: parent PID, or None when the query fails.
    """
    if not self.h_process:
        self.open()

    # ProcessBasicInformation (class 0) fills six pointer-sized fields; the
    # parent PID (InheritedFromUniqueProcessId) is the last of them.
    basic_info = (ULONG_PTR * 6)()
    written = c_ulong()

    # Set return value to signed 32bit integer.
    NTDLL.NtQueryInformationProcess.restype = c_int
    status = NTDLL.NtQueryInformationProcess(
        self.h_process, 0, byref(basic_info), sizeof(basic_info), byref(written)
    )
    if not NT_SUCCESS(status) or written.value != sizeof(basic_info):
        return None
    return basic_info[5]
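def get_parent_pid(self):
    """Get the Parent Process ID.
    @return: parent PID, or None when the query fails.
    """
    from ctypes import c_size_t

    def nt_success(val):
        # NTSTATUS values with the sign bit clear are success/informational.
        return val >= 0

    # ProcessBasicInformation (class 0) fills six pointer-sized fields; the
    # parent PID (InheritedFromUniqueProcessId) is the last. c_size_t matches
    # the pointer size on both x86 and x64, where a c_int array would be too
    # small on x64 and make the size check below fail.
    pbi = (c_size_t * 6)()
    size = c_int()

    # Set return value to signed 32bit integer.
    NTDLL.NtQueryInformationProcess.restype = c_int
    process_handle = self.open_process()
    try:
        ret = NTDLL.NtQueryInformationProcess(process_handle, 0, byref(pbi), sizeof(pbi), byref(size))
    finally:
        # Release the handle even if the ctypes call raises.
        KERNEL32.CloseHandle(process_handle)

    if nt_success(ret) and size.value == sizeof(pbi):
        return pbi[5]
    return None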
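def pids_from_process_name_list(self, namelist):
    """Return the PIDs of every running process whose image name is in namelist.
    @param namelist: iterable of lower-case image names (e.g. "explorer.exe");
        process names are lower-cased before comparison, the list entries are not.
    @return: list of matching PIDs, empty when the process snapshot fails.
    """
    # NtQuerySystemInformation reports this status (with the required size in
    # retlen) when the caller's buffer is too small for the snapshot.
    STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
    # SystemInformationClass 5 == SystemProcessInformation.
    SYSTEM_PROCESS_INFORMATION_CLASS = 5

    wanted = set(namelist)

    # A fixed 1 MiB buffer is not enough on a busy system; grow it a bounded
    # number of times when the kernel asks for more room.
    buflen = 1024 * 1024
    for _ in range(6):
        buf = create_string_buffer(buflen)
        retlen = c_ulong(0)
        retval = NTDLL.NtQuerySystemInformation(
            SYSTEM_PROCESS_INFORMATION_CLASS, buf, buflen, byref(retlen)
        ) & 0xFFFFFFFF
        if retval != STATUS_INFO_LENGTH_MISMATCH:
            break
        # Leave slack for processes started between the two calls.
        buflen = max(buflen * 2, retlen.value + 64 * 1024)
    if retval:
        return []

    pidlist = []
    p = cast(buf, c_void_p)
    while True:
        proc = cast(p, POINTER(SYSTEM_PROCESS_INFORMATION)).contents
        image_name = proc.ImageName.Buffer
        # Entries with a NULL ImageName (the System Idle Process record) have
        # nothing to match against and must not be sliced.
        if image_name is not None:
            # ImageName.Length is in bytes; use integer division so the slice
            # bound is an int under both Python 2 and 3.
            name = image_name[:proc.ImageName.Length // 2].lower()
            if name in wanted:
                pidlist.append(proc.UniqueProcessId)
        if not proc.NextEntryOffset:
            break
        p.value += proc.NextEntryOffset
    return pidlist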